- Constants
- type ForwarderAction
- type Manager
- func (m *Manager) AddNatRule(pair firewall.RouterPair) error
- func (m *Manager) AddPeerFiltering(ip net.IP, proto firewall.Protocol, sPort *firewall.Port, dPort *firewall.Port, ...) ([]firewall.Rule, error)
- func (m *Manager) AddRouteFiltering(sources []netip.Prefix, destination netip.Prefix, proto firewall.Protocol, ...) (firewall.Rule, error)
- func (m *Manager) AddUDPPacketHook(in bool, ip net.IP, dPort uint16, hook func([]byte) bool) string
- func (m *Manager) AllowNetbird() error
- func (m *Manager) DeletePeerRule(rule firewall.Rule) error
- func (m *Manager) DeleteRouteRule(rule firewall.Rule) error
- func (m *Manager) DisableRouting() error
- func (m *Manager) DropIncoming(packetData []byte) bool
- func (m *Manager) DropOutgoing(packetData []byte) bool
- func (m *Manager) EnableRouting() error
- func (m *Manager) Flush() error
- func (m *Manager) Init(*statemanager.Manager) error
- func (m *Manager) IsServerRouteSupported() bool
- func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error
- func (m *Manager) RemovePacketHook(hookID string) error
- func (m *Manager) Reset(stateManager *statemanager.Manager) error
- func (m *Manager) SetLegacyManagement(isLegacy bool) error
- func (m *Manager) SetLogLevel(level log.Level)
- func (m *Manager) SetNetwork(network *net.IPNet)
- func (m *Manager) TracePacket(packetData []byte, direction fw.RuleDirection) *PacketTrace
- func (m *Manager) TracePacketFromBuilder(builder *PacketBuilder) (*PacketTrace, error)
- func (m *Manager) UpdateLocalIPs() error
- type PacketBuilder
- type PacketStage
- type PacketTrace
- type PeerRule
- type RouteRule
- type RouteRules
- type RuleSet
- type TCPState
- type TraceResult
Constants ¶
const (
	// EnvDisableConntrack disables the stateful filter; replies to outbound traffic won't be allowed.
	EnvDisableConntrack = "NB_DISABLE_CONNTRACK"
	// EnvDisableUserspaceRouting disables userspace routing; to-be-routed packets will be dropped.
	EnvDisableUserspaceRouting = "NB_DISABLE_USERSPACE_ROUTING"
	// EnvForceUserspaceRouter forces userspace routing even if native routing is available.
	EnvForceUserspaceRouter = "NB_FORCE_USERSPACE_ROUTER"
	// EnvEnableNetstackLocalForwarding enables forwarding of local traffic to the native stack when running netstack.
	// Leaving this on by default introduces a security risk, as sockets listening on localhost only would become accessible.
	EnvEnableNetstackLocalForwarding = "NB_ENABLE_NETSTACK_LOCAL_FORWARDING"
)
Types ¶
type ForwarderAction ¶ added in v0.36.6
type Manager ¶
type Manager struct {
// contains filtered or unexported fields
}
Manager is the userspace firewall manager.
func Create ¶
func Create(iface common.IFaceMapper, disableServerRoutes bool) (*Manager, error)
Create constructs a userspace firewall manager.
func CreateWithNativeFirewall ¶ added in v0.24.4
func (*Manager) AddNatRule ¶ added in v0.30.0
func (m *Manager) AddNatRule(pair firewall.RouterPair) error
func (*Manager) AddPeerFiltering ¶ added in v0.30.0
func (m *Manager) AddPeerFiltering( ip net.IP, proto firewall.Protocol, sPort *firewall.Port, dPort *firewall.Port, action firewall.Action, _ string, comment string, ) ([]firewall.Rule, error)
AddPeerFiltering adds a peer filtering rule to the firewall.
If the comment argument is empty, the firewall manager should set the rule ID as the rule's comment.
func (*Manager) AddRouteFiltering ¶ added in v0.30.0
func (*Manager) AddUDPPacketHook ¶ added in v0.21.2
func (m *Manager) AddUDPPacketHook( in bool, ip net.IP, dPort uint16, hook func([]byte) bool, ) string
AddUDPPacketHook calls hook when a UDP packet from the given direction matches.
The hook function returns a flag indicating whether the matched packet should be dropped.
func (*Manager) AllowNetbird ¶ added in v0.23.0
AllowNetbird allows netbird interface traffic
func (*Manager) DeletePeerRule ¶ added in v0.30.0
DeletePeerRule deletes a peer rule from the firewall by its rule definition.
func (*Manager) DeleteRouteRule ¶ added in v0.30.0
func (*Manager) DisableRouting ¶ added in v0.36.6
func (*Manager) DropIncoming ¶
DropIncoming filters incoming packets.
func (*Manager) DropOutgoing ¶
DropOutgoing filters outgoing packets.
func (*Manager) EnableRouting ¶ added in v0.36.6
func (*Manager) IsServerRouteSupported ¶ added in v0.24.4
func (*Manager) RemoveNatRule ¶ added in v0.30.0
func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error
RemoveNatRule removes a routing firewall rule
func (*Manager) RemovePacketHook ¶ added in v0.21.2
RemovePacketHook removes packet hook by given ID
func (*Manager) Reset ¶
func (m *Manager) Reset(stateManager *statemanager.Manager) error
Reset resets the firewall to its default state.
func (*Manager) SetLegacyManagement ¶ added in v0.30.0
SetLegacyManagement does not need to be implemented for this manager.
func (*Manager) SetLogLevel ¶ added in v0.36.6
SetLogLevel sets the log level for the firewall manager
func (*Manager) SetNetwork ¶
SetNetwork sets the network of the WireGuard interface to which filtering is applied.
func (*Manager) TracePacket ¶ added in v0.36.6
func (m *Manager) TracePacket(packetData []byte, direction fw.RuleDirection) *PacketTrace
func (*Manager) TracePacketFromBuilder ¶ added in v0.36.6
func (m *Manager) TracePacketFromBuilder(builder *PacketBuilder) (*PacketTrace, error)
func (*Manager) UpdateLocalIPs ¶ added in v0.36.6
UpdateLocalIPs updates the list of local IPs
type PacketBuilder ¶ added in v0.36.6
type PacketBuilder struct {
	SrcIP       net.IP
	DstIP       net.IP
	Protocol    fw.Protocol
	SrcPort     uint16
	DstPort     uint16
	ICMPType    uint8
	ICMPCode    uint8
	Direction   fw.RuleDirection
	PayloadSize int
	TCPState    *TCPState
}
func (*PacketBuilder) Build ¶ added in v0.36.6
func (p *PacketBuilder) Build() ([]byte, error)
type PacketStage ¶ added in v0.36.6
type PacketStage int
const (
	StageReceived PacketStage = iota
	StageConntrack
	StagePeerACL
	StageRouting
	StageRouteACL
	StageForwarding
	StageCompleted
)
func (PacketStage) String ¶ added in v0.36.6
func (s PacketStage) String() string
type PacketTrace ¶ added in v0.36.6
type PacketTrace struct {
	SourceIP        net.IP
	DestinationIP   net.IP
	Protocol        string
	SourcePort      uint16
	DestinationPort uint16
	Direction       fw.RuleDirection
	Results         []TraceResult
}
func (*PacketTrace) AddResult ¶ added in v0.36.6
func (t *PacketTrace) AddResult(stage PacketStage, message string, allowed bool)
func (*PacketTrace) AddResultWithForwarder ¶ added in v0.36.6
func (t *PacketTrace) AddResultWithForwarder(stage PacketStage, message string, allowed bool, action *ForwarderAction)
type PeerRule ¶ added in v0.36.6
type PeerRule struct {
// contains filtered or unexported fields
}
PeerRule handles the management of rules.
type RouteRule ¶ added in v0.36.6
type RouteRule struct {
// contains filtered or unexported fields
}
type RouteRules ¶ added in v0.36.6
type RouteRules []RouteRule
func (RouteRules) Sort ¶ added in v0.36.6
func (r RouteRules) Sort()
type TraceResult ¶ added in v0.36.6
type TraceResult struct {
	Timestamp       time.Time
	Stage           PacketStage
	Message         string
	Allowed         bool
	ForwarderAction *ForwarderAction
}