linuxfw

package
v1.92.2Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 10, 2025 License:BSD-3-ClauseImports:34Imported by:5

Details

Repository

github.com/tailscale/tailscale

Links

Documentation

Overview

Package linuxfw returns the kind of firewall being used by the kernel.

Index

Constants

This section is empty.

Variables

var ErrUnsupported =errors.New("linuxfw:unsupported")

ErrUnsupported is the error returned from all functions on non-Linux platforms. Callers should compare with errors.Is(err, ErrUnsupported) and treat it as "no firewall management available here", not as a transient failure to retry.

Functions

funcCheckIPRuleSupportsV6added inv1.46.0

func CheckIPRuleSupportsV6(logflogger.Logf)error

funcCheckIPv6added inv1.62.1

func CheckIPv6(logflogger.Logf)error

CheckIPv6 checks whether the system appears to have a working IPv6 network stack. It returns an error explaining what looks wrong or missing. It does not check that IPv6 is currently functional or that there's a global address, just that the system would support IPv6 if it were on an IPv6 network. Note that this is a capability probe: a nil result does not mean IPv6 filter or NAT rules were installed, so it must not be read as "IPv6 traffic is being filtered".

funcDebugIptables

func DebugIptables(logflogger.Logf)error

DebugIptables prints debug information about iptables rules to the provided log function.

funcDebugNetfilter

func DebugNetfilter(logflogger.Logf)error

DebugNetfilter prints debug information about netfilter rules to the provided log function.

funcIPTablesCleanUpadded inv1.64.0

func IPTablesCleanUp(logflogger.Logf)

IPTablesCleanUp removes all Tailscale-added iptables rules. Any errors that occur are logged to the provided logf rather than returned, so the caller cannot detect a partial cleanup that leaves some rules in place; inspect the log (or the live ruleset) if that matters, and do not call this while the rules are still relied upon for filtering or NAT.

funcNfTablesCleanUpadded inv1.46.0

func NfTablesCleanUp(logflogger.Logf)

NfTablesCleanUp removes all Tailscale-added nftables rules. Any errors that occur are logged to the provided logf rather than returned, so the caller cannot detect a partial cleanup that leaves some rules in place; inspect the log (or the live ruleset) if that matters, and do not call this while the rules are still relied upon for filtering or NAT.

Types

typeFWModeNotSupportedErroradded inv1.48.0

// FWModeNotSupportedError carries a FirewallMode together with the error
// that made it unusable. Mode is the mode in question and Err the underlying
// cause; Err is exposed through Unwrap, so errors.Is/errors.As on the
// returned value see through to it. (Presumably returned when the requested
// backend cannot be used on this host — confirm against the constructor.)
type FWModeNotSupportedError struct {
	Mode FirewallMode
	Err  error
}

func (FWModeNotSupportedError)Erroradded inv1.48.0

func (FWModeNotSupportedError)Isadded inv1.48.0

func (FWModeNotSupportedError)Unwrapadded inv1.48.0

typeFakeNetfilterRunneradded inv1.84.0

type FakeNetfilterRunner struct {// contains filtered or unexported fields}

FakeNetfilterRunner is a fake netfilter runner for tests.

funcNewFakeNetfilterRunneradded inv1.84.0

func NewFakeNetfilterRunner() *FakeNetfilterRunner

NewFakeNetfilterRunner creates a new FakeNetfilterRunner.

func (*FakeNetfilterRunner)AddBaseadded inv1.84.0

func (f *FakeNetfilterRunner) AddBase(tunnamestring)error

func (*FakeNetfilterRunner)AddChainsadded inv1.84.0

func (f *FakeNetfilterRunner) AddChains()error

func (*FakeNetfilterRunner)AddDNATRuleadded inv1.84.0

func (f *FakeNetfilterRunner) AddDNATRule(origDst, dstnetip.Addr)error

func (*FakeNetfilterRunner)AddHooksadded inv1.84.0

func (f *FakeNetfilterRunner) AddHooks()error

func (*FakeNetfilterRunner)AddLoopbackRuleadded inv1.84.0

func (f *FakeNetfilterRunner) AddLoopbackRule(addrnetip.Addr)error

func (*FakeNetfilterRunner)AddMagicsockPortRuleadded inv1.84.0

func (f *FakeNetfilterRunner) AddMagicsockPortRule(portuint16, networkstring)error

func (*FakeNetfilterRunner)AddSNATRuleadded inv1.84.0

func (f *FakeNetfilterRunner) AddSNATRule()error

func (*FakeNetfilterRunner)AddStatefulRuleadded inv1.84.0

func (f *FakeNetfilterRunner) AddStatefulRule(tunnamestring)error

func (*FakeNetfilterRunner)ClampMSSToPMTUadded inv1.84.0

func (f *FakeNetfilterRunner) ClampMSSToPMTU(tunstring, addrnetip.Addr)error

func (*FakeNetfilterRunner)DNATNonTailscaleTrafficadded inv1.84.0

func (f *FakeNetfilterRunner) DNATNonTailscaleTraffic(tunstring, dstnetip.Addr)error

func (*FakeNetfilterRunner)DNATWithLoadBalanceradded inv1.84.0

func (f *FakeNetfilterRunner) DNATWithLoadBalancer(origDstnetip.Addr, dsts []netip.Addr)error

func (*FakeNetfilterRunner)DelBaseadded inv1.84.0

func (f *FakeNetfilterRunner) DelBase()error

func (*FakeNetfilterRunner)DelChainsadded inv1.84.0

func (f *FakeNetfilterRunner) DelChains()error

func (*FakeNetfilterRunner)DelHooksadded inv1.84.0

func (f *FakeNetfilterRunner) DelHooks(logflogger.Logf)error

func (*FakeNetfilterRunner)DelLoopbackRuleadded inv1.84.0

func (f *FakeNetfilterRunner) DelLoopbackRule(addrnetip.Addr)error

func (*FakeNetfilterRunner)DelMagicsockPortRuleadded inv1.84.0

func (f *FakeNetfilterRunner) DelMagicsockPortRule(portuint16, networkstring)error

func (*FakeNetfilterRunner)DelSNATRuleadded inv1.84.0

func (f *FakeNetfilterRunner) DelSNATRule()error

func (*FakeNetfilterRunner)DelStatefulRuleadded inv1.84.0

func (f *FakeNetfilterRunner) DelStatefulRule(tunnamestring)error

func (*FakeNetfilterRunner)DeleteDNATRuleForSvcadded inv1.84.0

func (f *FakeNetfilterRunner) DeleteDNATRuleForSvc(svcNamestring, origDst, dstnetip.Addr)error

func (*FakeNetfilterRunner)DeletePortMapRuleForSvcadded inv1.84.0

func (f *FakeNetfilterRunner) DeletePortMapRuleForSvc(svc, tunstring, targetIPnetip.Addr, pmPortMap)error

func (*FakeNetfilterRunner)DeleteSvcadded inv1.84.0

func (f *FakeNetfilterRunner) DeleteSvc(svc, tunstring, targetIPs []netip.Addr, pms []PortMap)error

func (*FakeNetfilterRunner)EnsureDNATRuleForSvcadded inv1.84.0

func (f *FakeNetfilterRunner) EnsureDNATRuleForSvc(svcNamestring, origDst, dstnetip.Addr)error

func (*FakeNetfilterRunner)EnsurePortMapRuleForSvcadded inv1.84.0

func (f *FakeNetfilterRunner) EnsurePortMapRuleForSvc(svc, tunstring, targetIPnetip.Addr, pmPortMap)error

func (*FakeNetfilterRunner)EnsureSNATForDstadded inv1.84.0

func (f *FakeNetfilterRunner) EnsureSNATForDst(src, dstnetip.Addr)error

func (*FakeNetfilterRunner)GetServiceStateadded inv1.84.0

func (f *FakeNetfilterRunner) GetServiceState() map[string]struct {TailscaleServiceIPnetip.AddrClusterIPnetip.Addr}

func (*FakeNetfilterRunner)HasIPV6added inv1.84.0

func (f *FakeNetfilterRunner) HasIPV6()bool

func (*FakeNetfilterRunner)HasIPV6Filteradded inv1.84.0

func (f *FakeNetfilterRunner) HasIPV6Filter()bool

func (*FakeNetfilterRunner)HasIPV6NATadded inv1.84.0

func (f *FakeNetfilterRunner) HasIPV6NAT()bool

typeFirewallModeadded inv1.48.0

// FirewallMode names the netfilter backend a NetfilterRunner drives.
// New selects between the two based on a preference hint and the
// TS_DEBUG_FIREWALL_MODE environment variable.
type FirewallMode string

const (
	// FirewallModeIPTables selects the iptables implementation.
	FirewallModeIPTables FirewallMode = "iptables"
	// FirewallModeNfTables selects the nftables implementation.
	FirewallModeNfTables FirewallMode = "nftables"
)

typeMatchDecisionadded inv1.46.0

// MatchDecision is the decision made by the firewall for a packet matched by
// a rule: accept it as-is or masquerade it (see the Accept and Masq constants).
type MatchDecision int

MatchDecision is the decision made by the firewall for a packet matched by a rule. It is used to decide whether to accept or masquerade a packet in addMatchSubnetRouteMarkRule.

const (
	// Accept lets a matched packet through without rewriting its source.
	Accept MatchDecision = iota
	// Masq masquerades (source-NATs) a matched packet.
	Masq
)

typeNetfilterRunneradded inv1.52.0

// NetfilterRunner abstracts helpers to run netfilter commands. It is
// implemented by linuxfw.IPTablesRunner and linuxfw.NfTablesRunner.
//
// Every Add*/Ensure*/DNAT*/SNAT* method mutates the host's live packet
// filter or NAT configuration; treat the arguments (interface names,
// addresses, ports, service names) as trusted configuration, not as
// caller-supplied input, since they end up in rule definitions.
type NetfilterRunner interface {
	// AddLoopbackRule adds a rule to permit loopback traffic to addr. This rule
	// is added only if it does not already exist.
	AddLoopbackRule(addr netip.Addr) error

	// DelLoopbackRule removes the rule added by AddLoopbackRule.
	DelLoopbackRule(addr netip.Addr) error

	// AddHooks adds rules to conventional chains like "FORWARD", "INPUT" and
	// "POSTROUTING" to jump from those chains to tailscale chains.
	AddHooks() error

	// DelHooks deletes rules added by AddHooks.
	DelHooks(logf logger.Logf) error

	// AddChains creates custom Tailscale chains.
	AddChains() error

	// DelChains removes chains added by AddChains.
	DelChains() error

	// AddBase adds rules reused by different other rules.
	AddBase(tunname string) error

	// DelBase removes rules added by AddBase.
	DelBase() error

	// AddSNATRule adds the netfilter rule to SNAT incoming traffic over
	// the Tailscale interface destined for local subnets. An error is
	// returned if the rule already exists.
	AddSNATRule() error

	// DelSNATRule removes the rule added by AddSNATRule.
	DelSNATRule() error

	// AddStatefulRule adds a netfilter rule for stateful packet filtering
	// using conntrack.
	AddStatefulRule(tunname string) error

	// DelStatefulRule removes a netfilter rule for stateful packet filtering
	// using conntrack.
	DelStatefulRule(tunname string) error

	// HasIPV6 reports true if the system supports IPv6.
	HasIPV6() bool

	// HasIPV6NAT reports true if the system supports IPv6 NAT.
	HasIPV6NAT() bool

	// HasIPV6Filter reports true if the system supports IPv6 filter tables.
	// This is only meaningful for the iptables implementation, where hosts may
	// have partial iptables support (i.e. a missing filter table). For the
	// nftables implementation, this defaults to the value of HasIPV6().
	//
	// NOTE(review): a false result means IPv6 traffic is *not* filtered by the
	// rules this interface installs; callers deciding whether to enable IPv6
	// should check this, not just HasIPV6().
	HasIPV6Filter() bool

	// AddDNATRule adds a rule to the nat/PREROUTING chain to DNAT traffic
	// destined for the given original destination to the given new destination.
	// This is used to forward all traffic destined for the Tailscale interface
	// to the provided destination, as used in the Kubernetes ingress proxies.
	AddDNATRule(origDst, dst netip.Addr) error

	// DNATWithLoadBalancer adds a rule to the nat/PREROUTING chain to DNAT
	// traffic destined for the given original destination to the given new
	// destination(s) using round robin to load balance if more than one
	// destination is provided. This is used to forward all traffic destined
	// for the Tailscale interface to the provided destination(s), as used
	// in the Kubernetes ingress proxies.
	DNATWithLoadBalancer(origDst netip.Addr, dsts []netip.Addr) error

	// EnsureSNATForDst sets up the firewall to mask the source for traffic
	// destined for dst to src:
	//   - creates a SNAT rule if it doesn't already exist
	//   - deletes any pre-existing rules matching the destination
	// This is used to forward traffic destined for the local machine over
	// the Tailscale interface, as used in the Kubernetes egress proxies.
	EnsureSNATForDst(src, dst netip.Addr) error

	// DNATNonTailscaleTraffic adds a rule to the nat/PREROUTING chain to DNAT
	// all traffic inbound from any interface except exemptInterface to dst.
	// This is used to forward traffic destined for the local machine over
	// the Tailscale interface, as used in the Kubernetes egress proxies.
	//
	// NOTE(review): because the match is "every interface except one", this
	// redirects traffic arriving on all other interfaces of the host, not only
	// the Tailscale one; callers must be sure that is the intended exposure.
	DNATNonTailscaleTraffic(exemptInterface string, dst netip.Addr) error

	// EnsurePortMapRuleForSvc installs (idempotently, by its name) the rule
	// mapping pm for service svc on interface tun towards targetIP.
	// Exact semantics are not documented here — confirm against the
	// implementations before relying on them.
	EnsurePortMapRuleForSvc(svc, tun string, targetIP netip.Addr, pm PortMap) error
	// DeletePortMapRuleForSvc removes the rule added by EnsurePortMapRuleForSvc.
	DeletePortMapRuleForSvc(svc, tun string, targetIP netip.Addr, pm PortMap) error
	// EnsureDNATRuleForSvc installs (idempotently, by its name) a DNAT rule for
	// service svcName from origDst to dst.
	EnsureDNATRuleForSvc(svcName string, origDst, dst netip.Addr) error
	// DeleteDNATRuleForSvc removes the rule added by EnsureDNATRuleForSvc.
	DeleteDNATRuleForSvc(svcName string, origDst, dst netip.Addr) error
	// DeleteSvc removes the rules for service svc on tun across all of
	// targetIPs and port maps pm.
	DeleteSvc(svc, tun string, targetIPs []netip.Addr, pm []PortMap) error

	// ClampMSSToPMTU adds a rule to the mangle/FORWARD chain to clamp MSS for
	// traffic destined for the provided tun interface.
	ClampMSSToPMTU(tun string, addr netip.Addr) error

	// AddMagicsockPortRule adds a rule to the ts-input chain to accept
	// incoming traffic on the specified port, to allow magicsock to
	// communicate.
	AddMagicsockPortRule(port uint16, network string) error

	// DelMagicsockPortRule removes the rule created by AddMagicsockPortRule,
	// if it exists.
	DelMagicsockPortRule(port uint16, network string) error
}

NetfilterRunner abstracts helpers to run netfilter commands. It is implemented by linuxfw.IPTablesRunner and linuxfw.NfTablesRunner.

funcNewadded inv1.52.0

func New(logflogger.Logf, prefHintstring) (NetfilterRunner,error)

New creates a NetfilterRunner, auto-detecting whether to use nftables or iptables. As nftables is still experimental, iptables will be used unless either the TS_DEBUG_FIREWALL_MODE environment variable, or the prefHint parameter, is set to one of "nftables" or "auto". Because an environment variable participates in backend selection, the environment of the (privileged) process calling New is part of the trust boundary for which firewall implementation ends up managing the host's rules.

funcNewFakeIPTablesRunneradded inv1.52.0

func NewFakeIPTablesRunner()NetfilterRunner

typePortMapadded inv1.76.0

// PortMap is the port mapping for a service rule.
type PortMap struct {
	// MatchPort is the local port to which the rule should apply.
	MatchPort uint16
	// TargetPort is the port to which the traffic should be forwarded.
	TargetPort uint16
	// Protocol is the protocol to match packets on. Only TCP and UDP are
	// supported.
	//
	// NOTE(review): Protocol is a free-form string; whether it is validated or
	// case-normalised before being placed into a rule is not visible here —
	// confirm before passing anything but literal "tcp"/"udp".
	Protocol string
}

// PortMap is the port mapping for a service rule.

Source Files


Directories

PathSynopsis
Package linuxfwtest contains tests for the linuxfw package.
Package linuxfwtest contains tests for the linuxfw package.
