package iptables
import "k8s.io/kubernetes/pkg/util/iptables"
Package iptables provides an interface and implementations for running iptables commands.
Constants ¶
const LockfilePath14x = "@xtables"
LockfilePath14x is the iptables 1.4.x lock file, acquired by any process that is making a change to the iptables rules. The leading "@" suggests it is not a regular filesystem path; confirm against iptables_linux.go before relying on it as one.
const LockfilePath16x = "/run/xtables.lock"
LockfilePath16x is the iptables 1.6.x lock file, acquired by any process that is making a change to the iptables rules.
const WaitIntervalString = "-W"
WaitIntervalString is the flag used to specify the wait interval.
const WaitIntervalUsecondsValue = "100000"
WaitIntervalUsecondsValue is the default wait interval, in microseconds.
const WaitSecondsValue = "5"
WaitSecondsValue is the default wait time, in seconds.
const WaitString = "-w"
WaitString is the flag used to request waiting.
Variables ¶
var MinCheckVersion = utilversion.MustParseGeneric("1.4.11")
MinCheckVersion is the minimum iptables version to be checked. Versions of iptables older than this do not support the -C / --check flag (test whether a rule exists).
var RandomFullyMinVersion = utilversion.MustParseGeneric("1.6.2")
RandomFullyMinVersion is the minimum iptables version from which the --random-fully flag is supported; it is used to make port mapping fully randomized.
var WaitIntervalMinVersion = utilversion.MustParseGeneric("1.6.1")
WaitIntervalMinVersion is the minimum iptables version supporting the wait interval in microseconds.
var WaitMinVersion = utilversion.MustParseGeneric("1.4.20")
WaitMinVersion is the minimum iptables version supporting the -w and -w&lt;seconds&gt; flags.
var WaitRestoreMinVersion = utilversion.MustParseGeneric("1.6.2")
WaitRestoreMinVersion is the minimum iptables version whose restore command supports the wait seconds flag.
var WaitSecondsMinVersion = utilversion.MustParseGeneric("1.4.22")
WaitSecondsMinVersion is the minimum iptables version supporting the wait seconds flag.
Functions ¶
func GetChainsFromTable ¶
GetChainsFromTable parses iptables-save data to find the chains that are defined. It assumes that save contains a single table's data, and returns a map with keys for every chain defined in that table.
func IsNotFoundError ¶
IsNotFoundError returns true if the error indicates "not found". It parses the error string looking for known values, which is imperfect; beware using this function for anything beyond deciding between logging or ignoring an error.
func MakeChainLine ¶
MakeChainLine returns an iptables-save/restore formatted chain line for the given Chain.
Types ¶
type Chain ¶
type Chain string
Chain represents an iptables chain, a named list of rules.
const (
	// ChainPostrouting is the built-in chain used for source NAT in the nat table.
	ChainPostrouting Chain = "POSTROUTING"
	// ChainPrerouting is the built-in chain used for DNAT (destination NAT) in the nat table.
	ChainPrerouting Chain = "PREROUTING"
	// ChainOutput is the built-in chain for packets going out from the local host.
	ChainOutput Chain = "OUTPUT"
	// ChainInput is the built-in chain for incoming packets addressed to the local host.
	ChainInput Chain = "INPUT"
	// ChainForward is the built-in chain for packets being forwarded to another NIC.
	ChainForward Chain = "FORWARD"
)
type FlushFlag ¶
type FlushFlag bool
FlushFlag is an option flag for Flush.
FlushTables is the boolean true constant for the option flag FlushFlag.
NoFlushTables is the boolean false constant for the option flag FlushFlag.
type Interface ¶
// Interface is an injectable interface for running iptables commands.
// Implementations must be goroutine-safe.
type Interface interface {
	// EnsureChain checks whether the specified chain exists in table and, if not, creates it.
	// It returns true if the chain already existed.
	EnsureChain(table Table, chain Chain) (bool, error)
	// FlushChain clears all rules from the specified chain. It returns an error if the chain did not exist.
	FlushChain(table Table, chain Chain) error
	// DeleteChain deletes the specified chain. It returns an error if the chain did not exist.
	DeleteChain(table Table, chain Chain) error
	// ChainExists tests whether the specified chain exists, returning an error if it
	// does not, or if it is unable to check.
	ChainExists(table Table, chain Chain) (bool, error)
	// EnsureRule checks whether the rule described by args is present in chain and, if not,
	// creates it at position (Prepend or Append). It returns true if the rule already existed.
	// args is the iptables rule specification, one iptables argument per element.
	EnsureRule(position RulePosition, table Table, chain Chain, args ...string) (bool, error)
	// DeleteRule checks whether the rule described by args is present in chain and, if so, deletes it.
	DeleteRule(table Table, chain Chain, args ...string) error
	// IsIPv6 returns true if this instance is managing IPv6 tables.
	IsIPv6() bool
	// Protocol returns the IP family (ProtocolIPv4 or ProtocolIPv6) this instance is managing.
	Protocol() Protocol
	// SaveInto runs `iptables-save` for table and stores the result in the given buffer.
	SaveInto(table Table, buffer *bytes.Buffer) error
	// Restore runs `iptables-restore`, passing data to it.
	//   table is the Table to restore.
	//   data should be formatted like the output of SaveInto(). Everything in data is
	//   interpreted by iptables-restore as rules, so it must be built from trusted values.
	//   flush sets the presence of the "--noflush" flag; see FlushFlag.
	//   counters sets the "--counters" flag; see RestoreCountersFlag.
	Restore(table Table, data []byte, flush FlushFlag, counters RestoreCountersFlag) error
	// RestoreAll is the same as Restore except that no table is specified.
	RestoreAll(data []byte, flush FlushFlag, counters RestoreCountersFlag) error
	// Monitor detects when the given iptables tables have been flushed by an external
	// tool (e.g. a firewall reload) by creating canary chains and polling to see if
	// they have been deleted. Specifically, it polls tables[0] every interval until
	// the canary has been deleted from there, then waits a short additional time for
	// the canaries to be deleted from the remaining tables as well. You can optimize
	// the polling by listing a relatively empty table in tables[0]. When a flush is
	// detected, it calls reloadFunc so the caller can reload its own iptables rules.
	// If it is unable to create the canary chains (either initially or after a
	// reload) it logs an error and stops monitoring. Closing stopCh ends monitoring.
	// This function blocks and should be called from its own goroutine.
	Monitor(canary Chain, tables []Table, reloadFunc func(), interval time.Duration, stopCh <-chan struct{})
	// HasRandomFully reports whether `-j MASQUERADE` accepts the `--random-fully` option.
	// The option works around a Linux kernel bug that sometimes causes multiple flows to
	// be mapped to the same IP:PORT, so that some of them suffer packet drops.
	HasRandomFully() bool
	// Present reports whether the kernel supports the iptables interface.
	Present() bool
}
Interface is an injectable interface for running iptables commands. Implementations must be goroutine-safe.
func New ¶
New returns a new Interface that will exec iptables.
type LineData ¶
// LineData represents a single numbered line of data.
type LineData struct {
	// Line holds the line number (the first line is 1).
	Line int
	// Data holds the content of the line.
	Data string
}
LineData represents a single numbered line of data.
func ExtractLines ¶
ExtractLines extracts the -count and +count data around the lineNum row of lines and returns it. NOTE: line numbering starts at 1.
type ParseError ¶
// ParseError records the payload when iptables reports an error parsing its input.
type ParseError interface {
	// Line returns the line number on which the parse error was reported.
	// NOTE: The first line is 1.
	Line() int
	// Error returns the error message of the parse error, including the line number.
	Error() string
}
ParseError records the payload when iptables reports an error parsing its input.
type Protocol ¶
type Protocol string
Protocol defines the IP protocol family, either IPv4 or IPv6.
const (
	// ProtocolIPv4 represents the IPv4 protocol family in iptables.
	ProtocolIPv4 Protocol = "IPv4"
	// ProtocolIPv6 represents the IPv6 protocol family in iptables.
	ProtocolIPv6 Protocol = "IPv6"
)
type RestoreCountersFlag ¶
type RestoreCountersFlag bool
RestoreCountersFlag is an option flag for Restore.
const NoRestoreCounters RestoreCountersFlag = false
NoRestoreCounters is the boolean false constant for the option flag RestoreCountersFlag.
const RestoreCounters RestoreCountersFlag = true
RestoreCounters is the boolean true constant for the option flag RestoreCountersFlag.
type RulePosition ¶
type RulePosition string
RulePosition holds the -I/-A flags for iptables.
const (
	// Prepend is the insert flag for iptables (-I); the rule is inserted at the head of the chain.
	Prepend RulePosition = "-I"
	// Append is the append flag for iptables (-A); the rule is added at the end of the chain.
	Append RulePosition = "-A"
)
type Table ¶
type Table string
Table represents the different iptables tables, such as filter, nat, mangle and raw.
const (
	// TableNAT represents the built-in nat table.
	TableNAT Table = "nat"
	// TableFilter represents the built-in filter table.
	TableFilter Table = "filter"
	// TableMangle represents the built-in mangle table.
	TableMangle Table = "mangle"
)
Source Files ¶
doc.go iptables.go iptables_linux.go save_restore.go
Directories ¶
| Path | Synopsis |
|---|---|
| pkg/util/iptables/testing |