func AddInterfaceFirewalld(intf string) error
AddInterfaceFirewalld adds the interface to the trusted zone. It is a no-op if firewalld is not running.
func DelInterfaceFirewalld(intf string) error
DelInterfaceFirewalld removes the interface from the trusted zone. It is a no-op if firewalld is not running.
func DeleteConntrackEntries(nlh *netlink.Handle, ipv4List []net.IP, ipv6List []net.IP) error
DeleteConntrackEntries deletes all the conntrack connections on the host for the specified IPs. It returns the number of flows deleted for IPv4 and IPv6, else an error.
func DeleteConntrackEntriesByPort(nlh *netlink.Handle, proto types.Protocol, ports []uint16) error
func OnReloaded(callback func())
OnReloaded adds a callback.
func Passthrough(ipv IPV, args ...string) ([]byte, error)
Passthrough simply passes args through to iptables/ip6tables.
Action signifies the iptable action.
type Action string
const ( // Append appends the rule at the end of the chain. Append Action = "-A" // Delete deletes the rule from the chain. Delete Action = "-D" // Insert inserts the rule at the top of the chain. Insert Action = "-I" )
ChainError is returned to represent errors during an iptables operation.
type ChainError struct { Chain string Output []byte }
func (e ChainError) Error() string
ChainInfo defines the iptables chain.
type ChainInfo struct { Name string Table Table HairpinMode bool IPVersion IPVersion }
func (c *ChainInfo) Forward(action Action, ip net.IP, port int, proto, destAddr string, destPort int, bridgeName string) error
Forward adds forwarding rule to 'filter' table and corresponding nat rule to 'nat' table.
func (c *ChainInfo) Link(action Action, ip1, ip2 net.IP, port int, proto string, bridgeName string) error
Link adds a reciprocal ACCEPT rule for the two supplied IP addresses. Traffic is allowed from ip1 to ip2 and vice versa.
func (c *ChainInfo) Output(action Action, args ...string) error
Output adds a linking rule to an OUTPUT chain.
func (c *ChainInfo) Prerouting(action Action, args ...string) error
Prerouting adds a linking rule to the nat/PREROUTING chain.
func (c *ChainInfo) Remove() error
Remove removes the chain.
Conn is a connection to the firewalld dbus endpoint.
type Conn struct {
// contains filtered or unexported fields
}
IPTable defines a struct with an IPVersion.
type IPTable struct {
// contains filtered or unexported fields
}
func GetIptable(version IPVersion) *IPTable
GetIptable returns an instance of IPTable with specified version (IPv4 or IPv6). It panics if an invalid IPVersion is provided.
func (iptable IPTable) AddReturnRule(chain string) error
AddReturnRule adds a return rule for the chain in the filter table.
</gml_replace>

<gr_replace lines="43-43" cat="clarify" orig="EnsureJumpRule ensures">
EnsureJumpRule ensures the jump rule is at the top of the chain.
func (iptable IPTable) EnsureJumpRule(fromChain, toChain string) error
EnsureJumpRule ensures the jump rule is on top
func (iptable IPTable) ExistChain(chain string, table Table) bool
ExistChain checks whether a chain exists.
func (iptable IPTable) Exists(table Table, chain string, rule ...string) bool
Exists checks whether a rule exists.
func (iptable IPTable) ExistsNative(table Table, chain string, rule ...string) bool
ExistsNative behaves as Exists, with the difference that it always invokes the `iptables` binary.
func (iptable IPTable) NewChain(name string, table Table, hairpinMode bool) (*ChainInfo, error)
NewChain adds a new chain to the ip table.
func (iptable IPTable) ProgramChain(c *ChainInfo, bridgeName string, hairpinMode, enable bool) error
ProgramChain is used to add rules to a chain.
func (iptable IPTable) ProgramRule(table Table, chain string, action Action, args []string) error
ProgramRule adds the rule specified by args only if the rule is not already present in the chain. Reciprocally, it removes the rule only if present.
func (iptable IPTable) Raw(args ...string) ([]byte, error)
Raw calls 'iptables' system command, passing supplied arguments.
func (iptable IPTable) RawCombinedOutput(args ...string) error
RawCombinedOutput internally calls Raw and returns a non-nil error if Raw returned a non-nil error or non-empty output.
func (iptable IPTable) RawCombinedOutputNative(args ...string) error
RawCombinedOutputNative behaves as RawCombinedOutput, with the difference that it always invokes the `iptables` binary.
func (iptable IPTable) RemoveExistingChain(name string, table Table) error
RemoveExistingChain removes an existing chain from the table.
func (iptable IPTable) SetDefaultPolicy(table Table, chain string, policy Policy) error
SetDefaultPolicy sets the passed default policy for the table/chain.
IPV defines the IP version string (ipv4 or ipv6) that selects the table.
type IPV string
const ( // Iptables point ipv4 table Iptables IPV = "ipv4" // IP6Tables point to ipv6 table IP6Tables IPV = "ipv6" )
IPVersion refers to the IP version, v4 or v6.
type IPVersion string
const ( // IPv4 is version 4. IPv4 IPVersion = "IPV4" // IPv6 is version 6. IPv6 IPVersion = "IPV6" )
Policy is a default iptables policy.
type Policy string
const ( // Drop is the default iptables DROP policy. Drop Policy = "DROP" // Accept is the default iptables ACCEPT policy. Accept Policy = "ACCEPT" )
Table refers to the nat, filter or mangle table.
type Table string
const ( // Nat table is used for nat translation rules. Nat Table = "nat" // Filter table is used for filter rules. Filter Table = "filter" // Mangle table is used for mangling the packet. Mangle Table = "mangle" )