core

package
v0.1.21 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 15, 2026 License: MIT Imports: 10 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// nftables 里是chain type,iptables里是表类型
	CHAIN_TYPE_FILTER string = "filter"
	CHAIN_TYPE_NAT    string = "nat"
	// CHAIN_TYPE_ROUTE  string = "route" // nftables
	CHAIN_TYPE_DEF  string = CHAIN_TYPE_FILTER // default table/chain type
	DefTableName    string = CHAIN_TYPE_FILTER
	DefNatTableName string = CHAIN_TYPE_NAT
)

iptables, table是指filter, nat, route; 通常这些表是固定的,默认不能新建和自定义 chain是指FORWARD, INPUT, OUTPUT等, 这几个是主链,也不需要主动添加,本身就有,也可以添加新的自定义链

nftables, family refers to a one of the following table types: ip, arp, ip6, bridge, inet, netdev. It defaults to ip.

nftables.Chain.Type type refers to the kind of chain to be created. Possible types are: filter: Supported by arp, bridge, ip, ip6 and inet table families. route: Mark packets (like mangle for the output hook, for other hooks use the type filter instead), supported by ip and ip6. nat: In order to perform Network Address Translation, supported by ip and ip6.

nftables.Chain.Hook hook refers to an specific stage of the packet while it's being processed through the kernel. More info in Netfilter hooks. The hooks for ip, ip6 and inet families are: prerouting, input, forward, output, postrouting. The hooks for arp family are: input, output. The bridge family handles ethernet packets traversing bridge devices. The hooks for netdev are: ingress, egress.

View Source 
const (
	TARGET_ACCEPT     string = "ACCEPT"
	TARGET_DROP       string = "DROP"
	TARGET_REJECT     string = "REJECT"
	TARGET_MASQUERADE string = "MASQUERADE"

	CHAIN_FORWARD     string = "FORWARD"     //
	CHAIN_OUTPUT      string = "OUTPUT"      //
	CHAIN_INPUT       string = "INPUT"       //
	CHAIN_POSTROUTING string = "POSTROUTING" //
	CHAIN_PREROUTING  string = "PREROUTING"  //
	CHAIN_CUSTOM      string = "CUSTOM"      // customized
)
View Source 
const (
	RULE_OP_EQ  RULE_OP = "=="
	RULE_OP_NEQ RULE_OP = "!="
	RULE_OP_LTE RULE_OP = "<="
	RULE_OP_LT  RULE_OP = "<"
	RULE_OP_GTE RULE_OP = ">="
	RULE_OP_GT  RULE_OP = ">"

	RULE_LOGIC_AND     RULE_LOGIC = "and"
	RULE_LOGIC_OR      RULE_LOGIC = "or"
	RULE_LOGIC_BIT_AND RULE_LOGIC = "&"
	RULE_LOGIC_BIT_OR  RULE_LOGIC = "|"
)
View Source 
const (
	CTSTATE_S_NEW         string = "NEW"
	CTSTATE_S_ESTABLISHED string = "ESTABLISHED"
	CTSTATE_S_RELATED     string = "RELATED"
	CTSTATE_S_NON_NEW     string = "ESTABLISHED,RELATED"
)
View Source 
const (
	CTSTATE_NEW         byte = 0x04
	CTSTATE_ESTABLISHED byte = 0x01
	CTSTATE_RELATED     byte = 0x02
	CTSTATE_NON_NEW     byte = 0x03
)

Variables

This section is empty.

Functions

func ConvertCtState 

func ConvertCtState(ctState byte) string

func Equal added in v0.1.2 

func Equal[T comparable](a, b *T) bool

1. both nil 2. both non-nil but value equal

func EqualAndNotNil added in v0.1.2 

func EqualAndNotNil[T comparable](a, b *T) bool

both non-nil and the value equal

func EqualDateRange added in v0.1.4 

func EqualDateRange(a, b *RuleDateRange) bool

func EqualHourRange added in v0.1.2 

func EqualHourRange(a, b *RuleHourRange) bool

func EqualIPOption added in v0.1.2 

func EqualIPOption(a, b *IPOption) bool

func EqualIPRange added in v0.1.2 

func EqualIPRange(a, b *IPRange) bool

func EqualPortOption added in v0.1.2 

func EqualPortOption(a, b *PortOption) bool

func EqualPortRange added in v0.1.2 

func EqualPortRange(a, b *PortRange) bool

func EqualSlice added in v0.1.2 

func EqualSlice[T comparable](a, b []T) bool

func EqualTimeOption added in v0.1.2 

func EqualTimeOption(a, b *TimeOption) bool

func FmtHour added in v0.1.2 

func FmtHour(ts uint32) string

fmtHour, 00:00, hour:min, without second

func FmtHour2Second added in v0.1.11 

func FmtHour2Second(ts uint32) string

00:00:00

func FmtWeekDayShort added in v0.1.2 

func FmtWeekDayShort(day uint16) string

Sun,Mon,Tue,Wed,Thu,Fri,Sat

func FmtWeekDaysShort added in v0.1.2 

func FmtWeekDaysShort(days []uint16) string

func GetCtState 

func GetCtState(ctState string) byte

func IpRangeToStr added in v0.1.2 

func IpRangeToStr(ipRange *IPRange) string

192.168.1.1-192.168.1.5

func IsDefChain added in v0.1.9 

func IsDefChain(chainType string, chainName string) bool

func IsNotExistErr added in v0.1.2 

func IsNotExistErr(err error) bool

func ParseHourStr added in v0.1.2 

func ParseHourStr(str string) uint32

h:m "01:00" or 01:00 get seconds

func ParseIcmpType added in v0.1.2 

func ParseIcmpType(r *RuleOption, icmpType string) error

func ParseTimeRange added in v0.1.2 

func ParseTimeRange(value string) map[string]string

为了更完整,我们还可以添加一个专门处理时间格式的辅助函数 parseTimeRange 解析时间范围参数(可选)

func ParseUint16 added in v0.1.2 

func ParseUint16(val string) (uint16, error)

func PortRangeToStr added in v0.1.2 

func PortRangeToStr(portRange *PortRange) string

10000:20000

func PortRangeToStrW added in v0.1.2 

func PortRangeToStrW(portRange *PortRange, splitter string) string

10000X20000

func SplitTs added in v0.1.2 

func SplitTs(ts uint32) (h uint32, m uint32, s uint32)

ts is seconds

func StrEqual added in v0.1.2 

func StrEqual(a, b *string) bool

1. both nil, 2. nil and "" 3. both string and equal

func StrListToUInt16List added in v0.1.2 

func StrListToUInt16List(values []string) []uint16

func ToUInt16WeekDays added in v0.1.2 

func ToUInt16WeekDays(days []string) []uint16

short days

func TrimStr added in v0.1.2 

func TrimStr(str string) string

remove " from start and end

func Uint16ListToStr added in v0.1.2 

func Uint16ListToStr(values []uint16) string

1,2,3

func Uint16ListToStrList added in v0.1.2 

func Uint16ListToStrList(values []uint16) []string

Types

type ADD_RULE_DIR 

type ADD_RULE_DIR = uint8
const (
	ADD_RULE_DIR_DEF     ADD_RULE_DIR = 0 // 默认只是单向的rule
	ADD_RULE_DIR_REVERSE ADD_RULE_DIR = 1 // src & dst 互换
	ADD_RULE_DIR_BOTH    ADD_RULE_DIR = 2 // 两条rule,正常和互换各一条
)

type ChainCreator 

type ChainCreator func(chainType string, chainName string, tableType string, tableName string) (IIPTablesChain, error)

chainType is FORWARD/INPUT/OUTPUT... defPolicy IS ACCEPT/DROP chainType can be the same with chainName tableType can be the same with tableName

type IIPTablesChain 

type IIPTablesChain interface {
	SetLogger(logger types.ILogger)

	SetRuleDef(target string) error
	ListRules() ([]Rule, error)
	ListRulesByIface(iface string) ([]Rule, error)
	Clear() error
	ClearRulesByIface(iface string) error

	GetCachedRules() []Rule
	CacheRuleIndex(rule *Rule) int
	CacheRuleExist(rule *Rule) bool
	ClearCacheRule()
	DelCacheRule(rule *Rule) (old *Rule)
	AddCacheRule(rule *Rule) bool          // append
	AddCacheRuleUnique(rule *Rule) bool    // append if not exist
	InsertCacheRule(rule *Rule) bool       // insert
	InsertCacheRuleUnique(rule *Rule) bool // insert if not exist

	// tx mode
	BeginTx() IIPTablesChain // return self for chain access a.b().c() 链式访问
	ApplyTx() error

	RuleExist(opts ...RuleOptionFunc) (bool, *Rule, error) // check sys iptables, not check cache
	InsertRule(opts ...RuleOptionFunc) (*Rule, error)      // both sys iptables and cache
	AddRule(opts ...RuleOptionFunc) (*Rule, error)         // both sys iptables and cache
	DelRule(opts ...RuleOptionFunc) (*Rule, error)         // both sys iptables and cache
	DelRuleByHandle(handle uint64) error                   // both sys iptables and cache

	// ### gw1(agent1所在):
	// ##### 允许从 gw2 的子网(10.65.0.0/16)访问 agent1(10.64.0.2)的 ICMP(ping)
	// iptables -A FORWARD -s 10.65.0.0/16 -d 10.64.0.2 -p icmp --icmp-type echo-request -j ACCEPT
	// ##### 允许 agent1(10.64.0.2)回复 ICMP 到 gw2 的子网(10.65.0.0/16)
	// iptables -A FORWARD -s 10.64.0.2 -d 10.65.0.0/16 -p icmp --icmp-type echo-reply -j ACCEPT
	// gw1 上: AddPing("wg0", "eth", "10.65.0.0/16", "10.64.0.2")
	//
	// src/dst can be ip or network: 10.64.0.0/16
	InsertPing(inIface, outIface, dst, src string, opts ...RuleOptionFunc) ([]Rule, error)
	AddPing(inIface, outIface, dst, src string, opts ...RuleOptionFunc) ([]Rule, error)
	DelPing(inIface, outIface, dst, src string, opts ...RuleOptionFunc) ([]Rule, error)
	InsertPingReq(inIface, outIface, dst, src string, opts ...RuleOptionFunc) (*Rule, error)
	AddPingReq(inIface, outIface, dst, src string, opts ...RuleOptionFunc) (*Rule, error)
	DelPingReq(inIface, outIface, dst, src string, opts ...RuleOptionFunc) (*Rule, error)
	InsertPingReply(inIface, outIface, dst, src string, opts ...RuleOptionFunc) (*Rule, error)
	AddPingReply(inIface, outIface, dst, src string, opts ...RuleOptionFunc) (*Rule, error)
	DelPingReply(inIface, outIface, dst, src string, opts ...RuleOptionFunc) (*Rule, error)

	// iptables -A FORWARD -s 10.65.0.2 -d 10.64.0.2 -p tcp --dport 22 -j ACCEPT
	// iptables -A FORWARD -s 10.64.0.2 -d 10.65.0.2 -p tcp --sport 22 -j ACCEPT
	InsertProtocol(inIface, outIface, protocol string, dst string, dstPort uint16, src string, dir ADD_RULE_DIR, opts ...RuleOptionFunc) ([]Rule, error)
	AddProtocol(inIface, outIface, protocol string, dst string, dstPort uint16, src string, dir ADD_RULE_DIR, opts ...RuleOptionFunc) ([]Rule, error)
	DelProtocol(inIface, outIface, protocol string, dst string, dstPort uint16, src string, dir ADD_RULE_DIR, opts ...RuleOptionFunc) ([]Rule, error)
	InsertTcp(inIface, outIface string, dst string, dstPort uint16, src string, dir ADD_RULE_DIR, opts ...RuleOptionFunc) ([]Rule, error)
	AddTcp(inIface, outIface string, dst string, dstPort uint16, src string, dir ADD_RULE_DIR, opts ...RuleOptionFunc) ([]Rule, error)
	DelTcp(inIface, outIface string, dst string, dstPort uint16, src string, dir ADD_RULE_DIR, opts ...RuleOptionFunc) ([]Rule, error)
	InsertUdp(inIface, outIface string, dst string, dstPort uint16, src string, dir ADD_RULE_DIR, opts ...RuleOptionFunc) ([]Rule, error)
	AddUdp(inIface, outIface string, dst string, dstPort uint16, src string, dir ADD_RULE_DIR, opts ...RuleOptionFunc) ([]Rule, error)
	DelUdp(inIface, outIface string, dst string, dstPort uint16, src string, dir ADD_RULE_DIR, opts ...RuleOptionFunc) ([]Rule, error)

	// iptables -I FORWARD -s 10.64.0.5 -j DROP  # 禁止访问其他目标
	InsertDropSrc(inIface, outIface string, src string, opts ...RuleOptionFunc) (*Rule, error)
	AddDropSrc(inIface, outIface string, src string, opts ...RuleOptionFunc) (*Rule, error)
	DelDropSrc(inIface, outIface string, src string, opts ...RuleOptionFunc) (*Rule, error)
	// iptables -I FORWARD -d 10.64.0.5 -j DROP  # 禁止访问其他目标
	InsertDropDst(inIface, outIface string, dst string, opts ...RuleOptionFunc) (*Rule, error)
	AddDropDst(inIface, outIface string, dst string, opts ...RuleOptionFunc) (*Rule, error)
	DelDropDst(inIface, outIface string, dst string, opts ...RuleOptionFunc) (*Rule, error)

	// iptables -I FORWARD -s 10.64.0.5 -j ACCEPT  # 允许访问其他目标
	InsertAcceptSrc(inIface, outIface string, src string, opts ...RuleOptionFunc) (*Rule, error)
	AddAcceptSrc(inIface, outIface string, src string, opts ...RuleOptionFunc) (*Rule, error)
	DelAcceptSrc(inIface, outIface string, src string, opts ...RuleOptionFunc) (*Rule, error)
	// iptables -I FORWARD -d 10.64.0.5 -j ACCEPT  # 允许访问其他目标
	InsertAcceptDst(inIface, outIface string, dst string, opts ...RuleOptionFunc) (*Rule, error)
	AddAcceptDst(inIface, outIface string, dst string, opts ...RuleOptionFunc) (*Rule, error)
	DelAcceptDst(inIface, outIface string, dst string, opts ...RuleOptionFunc) (*Rule, error)

	InsertAccept(inIface, outIface string, dst string, src string, opts ...RuleOptionFunc) (*Rule, error)
	AddAccept(inIface, outIface string, dst string, src string, opts ...RuleOptionFunc) (*Rule, error)
	DelAccept(inIface, outIface string, dst string, src string, opts ...RuleOptionFunc) (*Rule, error)

	InsertDrop(inIface, outIface string, dst string, src string, opts ...RuleOptionFunc) (*Rule, error)
	AddDrop(inIface, outIface string, dst string, src string, opts ...RuleOptionFunc) (*Rule, error)
	DelDrop(inIface, outIface string, dst string, src string, opts ...RuleOptionFunc) (*Rule, error)

	SetRuleDefAccept() error
	SetRuleDefDrop() error
}

IIPTablesChain interface

type IIPTablesTable 

type IIPTablesTable interface {
	SetLogger(logger types.ILogger)

	ClearRules() error
	GetTableName() string
	GetTableType() string
	// input/output/forward是默认就有的chain,不需要我们去创建
	GetDefInputChain() (IIPTablesChain, error)
	GetDefOutputChain() (IIPTablesChain, error)
	GetDefForwardChain() (IIPTablesChain, error)
	// if chainName is empty, then use chainType
	GetChain(chainType string, chainName string) (IIPTablesChain, error)
	// customized chain, 需要创建, 它有类型吗?没有吧?
	//> sudo iptables -N USER_A
	//> sudo iptables -A USER_A -s 10.1.1.0/24 -j ACCEPT
	//> sudo iptables -A FORWARD -j USER_A
	GetCustomChain(chainName string) (IIPTablesChain, error)
	DelCustomChain(chainName string) error
}

type IIptablesService 

type IIptablesService interface {
	Init() error
	Apply() error

	GetDefTable() (IIPTablesTable, error)
	GetDefNatTable() (IIPTablesTable, error)
	GetTable(tableType string, table string) (IIPTablesTable, error)

	CreateTable(tableType string, table string) (IIPTablesTable, error)

	ClearAll() error
	Close() error
}

type IPOption added in v0.1.2 

type IPOption struct {
	IP    string
	Cidr  *ip_util.CidrIp //
	Range *IPRange        // 复杂的规则一般都是在--match/-m 里面定义的
	List  []string        // TODO: DstCidr dstList and dst 只能取其一,因为单个地址其实是可以放在list里面的,
}

以下四个选一个,

func (*IPOption) Equal added in v0.1.2 

func (a *IPOption) Equal(b *IPOption) bool

both a,b not nil

func (*IPOption) IsEmpty added in v0.1.4 

func (a *IPOption) IsEmpty() bool

func (*IPOption) SimpleIp added in v0.1.4 

func (a *IPOption) SimpleIp() string

type IPRange 

type IPRange struct {
	Min string
	Max string
}

func (*IPRange) Equal added in v0.1.2 

func (a *IPRange) Equal(b *IPRange) bool

type IPTablesBaseTable 

type IPTablesBaseTable struct {
	Logger types.ILogger

	TableType    string // TableType and Table can be the same
	Table        string
	ChainCreator ChainCreator
	Chains       map[string]IIPTablesChain // key is chainName
}

func NewIPTablesBaseTable 

func NewIPTablesBaseTable(logger types.ILogger, tableType string, table string, chainCreator ChainCreator) *IPTablesBaseTable

tableType should not be empty tableName can be empty, then use tableType as name

func (*IPTablesBaseTable) ClearRules 

func (s *IPTablesBaseTable) ClearRules() error

func (*IPTablesBaseTable) DelCustomChain added in v0.1.12 

func (s *IPTablesBaseTable) DelCustomChain(chainName string) error

func (*IPTablesBaseTable) GetChain 

func (s *IPTablesBaseTable) GetChain(chainType string, chainName string) (IIPTablesChain, error)

chainName if empty then use chainType as name

func (*IPTablesBaseTable) GetCustomChain added in v0.1.9 

func (s *IPTablesBaseTable) GetCustomChain(chainName string) (IIPTablesChain, error)

func (*IPTablesBaseTable) GetDefForwardChain 

func (s *IPTablesBaseTable) GetDefForwardChain() (IIPTablesChain, error)

func (*IPTablesBaseTable) GetDefInputChain 

func (s *IPTablesBaseTable) GetDefInputChain() (IIPTablesChain, error)

func (*IPTablesBaseTable) GetDefOutputChain 

func (s *IPTablesBaseTable) GetDefOutputChain() (IIPTablesChain, error)

func (*IPTablesBaseTable) GetTableName added in v0.1.4 

func (s *IPTablesBaseTable) GetTableName() string

func (*IPTablesBaseTable) GetTableType added in v0.1.4 

func (s *IPTablesBaseTable) GetTableType() string

func (*IPTablesBaseTable) SetLogger added in v0.1.17 

func (s *IPTablesBaseTable) SetLogger(logger types.ILogger)

type IPTablesChainBase 

type IPTablesChainBase struct {
	IIPTablesChain
	Logger types.ILogger

	TableType string // TableType and Table can be the same
	ChainType string // ChainType and Chain can be the same

	Table string
	Chain string

	Rules []Rule
	// contains filtered or unexported fields
}

func NewBaseChain 

func NewBaseChain(logger types.ILogger, chainType string, chain string, tableType string, table string) *IPTablesChainBase

func (*IPTablesChainBase) AddAccept 

func (s *IPTablesChainBase) AddAccept(inIface, outIface string, dst string, src string, opts ...RuleOptionFunc) (*Rule, error)

func (*IPTablesChainBase) AddAcceptDst 

func (s *IPTablesChainBase) AddAcceptDst(inIface, outIface string, dst string, opts ...RuleOptionFunc) (*Rule, error)

func (*IPTablesChainBase) AddAcceptSrc 

func (s *IPTablesChainBase) AddAcceptSrc(inIface, outIface string, src string, opts ...RuleOptionFunc) (*Rule, error)

func (*IPTablesChainBase) AddCacheRule added in v0.1.2 

func (s *IPTablesChainBase) AddCacheRule(rule *Rule) bool

append

func (*IPTablesChainBase) AddCacheRuleUnique added in v0.1.2 

func (s *IPTablesChainBase) AddCacheRuleUnique(rule *Rule) bool

append if not exist

func (*IPTablesChainBase) AddDrop 

func (s *IPTablesChainBase) AddDrop(inIface, outIface string, dst string, src string, opts ...RuleOptionFunc) (*Rule, error)

func (*IPTablesChainBase) AddDropDst 

func (s *IPTablesChainBase) AddDropDst(inIface, outIface string, dst string, opts ...RuleOptionFunc) (*Rule, error)

func (*IPTablesChainBase) AddDropSrc 

func (s *IPTablesChainBase) AddDropSrc(inIface, outIface string, src string, opts ...RuleOptionFunc) (*Rule, error)

func (*IPTablesChainBase) AddPing 

func (s *IPTablesChainBase) AddPing(inIface, outIface, dst, src string, opts ...RuleOptionFunc) ([]Rule, error)

AddPing

func (*IPTablesChainBase) AddPingReply 

func (s *IPTablesChainBase) AddPingReply(inIface, outIface, dst, src string, opts ...RuleOptionFunc) (*Rule, error)

AddPingReply

func (*IPTablesChainBase) AddPingReq 

func (s *IPTablesChainBase) AddPingReq(inIface, outIface, dst, src string, opts ...RuleOptionFunc) (*Rule, error)

AddPingReq

func (*IPTablesChainBase) AddProtocol 

func (s *IPTablesChainBase) AddProtocol(inIface, outIface, protocol string, dst string, dstPort uint16, src string, dir ADD_RULE_DIR, opts ...RuleOptionFunc) ([]Rule, error)

func (*IPTablesChainBase) AddRules 

func (e *IPTablesChainBase) AddRules(opts [][]RuleOptionFunc) ([]Rule, error)

func (*IPTablesChainBase) AddTcp 

func (s *IPTablesChainBase) AddTcp(inIface, outIface string, dst string, dstPort uint16, src string, dir ADD_RULE_DIR, opts ...RuleOptionFunc) ([]Rule, error)

func (*IPTablesChainBase) AddUdp 

func (s *IPTablesChainBase) AddUdp(inIface, outIface string, dst string, dstPort uint16, src string, dir ADD_RULE_DIR, opts ...RuleOptionFunc) ([]Rule, error)

func (*IPTablesChainBase) ApplyTx 

func (s *IPTablesChainBase) ApplyTx() error

apply

func (*IPTablesChainBase) BeginTx 

func (s *IPTablesChainBase) BeginTx() IIPTablesChain

return self for chain access a.b().c() 链式访问

func (*IPTablesChainBase) CacheRuleExist added in v0.1.2 

func (s *IPTablesChainBase) CacheRuleExist(rule *Rule) bool

func (*IPTablesChainBase) CacheRuleIndex added in v0.1.2 

func (s *IPTablesChainBase) CacheRuleIndex(rule *Rule) int

func (*IPTablesChainBase) ClearCacheRule added in v0.1.2 

func (s *IPTablesChainBase) ClearCacheRule()

func (*IPTablesChainBase) DelAccept 

func (s *IPTablesChainBase) DelAccept(inIface, outIface string, dst string, src string, opts ...RuleOptionFunc) (*Rule, error)

func (*IPTablesChainBase) DelAcceptDst 

func (s *IPTablesChainBase) DelAcceptDst(inIface, outIface string, dst string, opts ...RuleOptionFunc) (*Rule, error)

func (*IPTablesChainBase) DelAcceptSrc 

func (s *IPTablesChainBase) DelAcceptSrc(inIface, outIface string, src string, opts ...RuleOptionFunc) (*Rule, error)

func (*IPTablesChainBase) DelCacheRule added in v0.1.2 

func (s *IPTablesChainBase) DelCacheRule(rule *Rule) (old *Rule)

delete

func (*IPTablesChainBase) DelDrop 

func (s *IPTablesChainBase) DelDrop(inIface, outIface string, dst string, src string, opts ...RuleOptionFunc) (*Rule, error)

func (*IPTablesChainBase) DelDropDst 

func (s *IPTablesChainBase) DelDropDst(inIface, outIface string, dst string, opts ...RuleOptionFunc) (*Rule, error)

func (*IPTablesChainBase) DelDropSrc 

func (s *IPTablesChainBase) DelDropSrc(inIface, outIface string, src string, opts ...RuleOptionFunc) (*Rule, error)

func (*IPTablesChainBase) DelPing 

func (s *IPTablesChainBase) DelPing(inIface, outIface, dst, src string, opts ...RuleOptionFunc) ([]Rule, error)

DelPing

func (*IPTablesChainBase) DelPingReply 

func (s *IPTablesChainBase) DelPingReply(inIface, outIface, dst, src string, opts ...RuleOptionFunc) (*Rule, error)

DelPingReply

func (*IPTablesChainBase) DelPingReq 

func (s *IPTablesChainBase) DelPingReq(inIface, outIface, dst, src string, opts ...RuleOptionFunc) (*Rule, error)

DelPingReq

func (*IPTablesChainBase) DelProtocol 

func (s *IPTablesChainBase) DelProtocol(inIface, outIface, protocol string, dst string, dstPort uint16, src string, dir ADD_RULE_DIR, opts ...RuleOptionFunc) ([]Rule, error)

func (*IPTablesChainBase) DelRules 

func (e *IPTablesChainBase) DelRules(opts [][]RuleOptionFunc) ([]Rule, error)

func (*IPTablesChainBase) DelTcp 

func (s *IPTablesChainBase) DelTcp(inIface, outIface string, dst string, dstPort uint16, src string, dir ADD_RULE_DIR, opts ...RuleOptionFunc) ([]Rule, error)

func (*IPTablesChainBase) DelUdp 

func (s *IPTablesChainBase) DelUdp(inIface, outIface string, dst string, dstPort uint16, src string, dir ADD_RULE_DIR, opts ...RuleOptionFunc) ([]Rule, error)

func (*IPTablesChainBase) GetCachedRules added in v0.1.2 

func (s *IPTablesChainBase) GetCachedRules() []Rule

func (*IPTablesChainBase) InsertAccept 

func (s *IPTablesChainBase) InsertAccept(inIface, outIface string, dst string, src string, opts ...RuleOptionFunc) (*Rule, error)

func (*IPTablesChainBase) InsertAcceptDst 

func (s *IPTablesChainBase) InsertAcceptDst(inIface, outIface string, dst string, opts ...RuleOptionFunc) (*Rule, error)

iptables -I FORWARD -d 10.64.0.5 -j DROP # 禁止访问其他目标

func (*IPTablesChainBase) InsertAcceptSrc 

func (s *IPTablesChainBase) InsertAcceptSrc(inIface, outIface string, src string, opts ...RuleOptionFunc) (*Rule, error)

func (*IPTablesChainBase) InsertCacheRule added in v0.1.2 

func (s *IPTablesChainBase) InsertCacheRule(rule *Rule) bool

insert to rule list

func (*IPTablesChainBase) InsertCacheRuleUnique added in v0.1.2 

func (s *IPTablesChainBase) InsertCacheRuleUnique(rule *Rule) bool

insert to rule list if not exist

func (*IPTablesChainBase) InsertDrop 

func (s *IPTablesChainBase) InsertDrop(inIface, outIface string, dst string, src string, opts ...RuleOptionFunc) (*Rule, error)

func (*IPTablesChainBase) InsertDropDst 

func (s *IPTablesChainBase) InsertDropDst(inIface, outIface string, dst string, opts ...RuleOptionFunc) (*Rule, error)

iptables -I FORWARD -d 10.64.0.5 -j DROP # 禁止访问其他目标

func (*IPTablesChainBase) InsertDropSrc 

func (s *IPTablesChainBase) InsertDropSrc(inIface, outIface string, src string, opts ...RuleOptionFunc) (*Rule, error)

func (*IPTablesChainBase) InsertPing 

func (s *IPTablesChainBase) InsertPing(inIface, outIface, dst, src string, opts ...RuleOptionFunc) ([]Rule, error)

func (*IPTablesChainBase) InsertPingReply 

func (s *IPTablesChainBase) InsertPingReply(inIface, outIface, dst, src string, opts ...RuleOptionFunc) (*Rule, error)

InsertPingReply

func (*IPTablesChainBase) InsertPingReq 

func (s *IPTablesChainBase) InsertPingReq(inIface, outIface, dst, src string, opts ...RuleOptionFunc) (*Rule, error)

InsertPingReq

func (*IPTablesChainBase) InsertProtocol 

func (s *IPTablesChainBase) InsertProtocol(inIface, outIface, protocol string, dst string, dstPort uint16, src string, dir ADD_RULE_DIR, opts ...RuleOptionFunc) ([]Rule, error)

src(10.65.0.2) 访问 dst(10.64.0.2) 上的 tcp 服务, src 和 dst 所在的pop上 都做如下的设置 iptables -A FORWARD -s 10.65.0.2 -d 10.64.0.2 -p tcp --dport 22 -j ACCEPT iptables -A FORWARD -s 10.64.0.2 -d 10.65.0.2 -p tcp --sport 22 -j ACCEPT

func (*IPTablesChainBase) InsertRules 

func (e *IPTablesChainBase) InsertRules(opts [][]RuleOptionFunc) ([]Rule, error)

func (*IPTablesChainBase) InsertTcp 

func (s *IPTablesChainBase) InsertTcp(inIface, outIface string, dst string, dstPort uint16, src string, dir ADD_RULE_DIR, opts ...RuleOptionFunc) ([]Rule, error)

func (*IPTablesChainBase) InsertUdp 

func (s *IPTablesChainBase) InsertUdp(inIface, outIface string, dst string, dstPort uint16, src string, dir ADD_RULE_DIR, opts ...RuleOptionFunc) ([]Rule, error)

func (*IPTablesChainBase) SetLogger added in v0.1.17 

func (s *IPTablesChainBase) SetLogger(logger types.ILogger)

func (*IPTablesChainBase) SetRuleDefAccept 

func (s *IPTablesChainBase) SetRuleDefAccept() error

iptables -P FORWARD ACCEPT

func (*IPTablesChainBase) SetRuleDefDrop 

func (s *IPTablesChainBase) SetRuleDefDrop() error

func (*IPTablesChainBase) Wrap 

func (s *IPTablesChainBase) Wrap(_impl IIPTablesChain)

wrap

type IPTablesServiceBase 

type IPTablesServiceBase struct {
	IIptablesService
	Logger types.ILogger

	Tables map[string]IIPTablesTable
	// contains filtered or unexported fields
}

IPTablesServiceBase

func NewIPTablesServiceBase 

func NewIPTablesServiceBase(logger types.ILogger) *IPTablesServiceBase

NewIPTablesServiceBase

func (*IPTablesServiceBase) Apply 

func (s *IPTablesServiceBase) Apply() error

func (*IPTablesServiceBase) ClearAll 

func (s *IPTablesServiceBase) ClearAll() error

ClearAll

func (*IPTablesServiceBase) Close 

func (s *IPTablesServiceBase) Close() error

func (*IPTablesServiceBase) GetDefTable 

func (s *IPTablesServiceBase) GetDefTable() (IIPTablesTable, error)

GetDefTable

func (*IPTablesServiceBase) GetNatTable 

func (s *IPTablesServiceBase) GetNatTable() (IIPTablesTable, error)

GetNatTable

func (*IPTablesServiceBase) GetTable 

func (s *IPTablesServiceBase) GetTable(tableType string, table string) (IIPTablesTable, error)

GetTable

func (*IPTablesServiceBase) Init 

func (s *IPTablesServiceBase) Init() error

func (*IPTablesServiceBase) SetLogger added in v0.1.17 

func (s *IPTablesServiceBase) SetLogger(logger types.ILogger)

func (*IPTablesServiceBase) Wrap 

func (s *IPTablesServiceBase) Wrap(_impl IIptablesService)

type MatchModule added in v0.1.2 

type MatchModule struct {
	Name   string         `json:"name"`   // 模块名称,如state, multiport, conntrack等
	Params map[string]any `json:"params"` // 模块参数
}

MatchModule 表示匹配模块及其参数, 同一个模块(name)只能用一项,那么直接用类型,不用数组放Rule结构体里

type PortOption added in v0.1.2 

type PortOption struct {
	Port  uint16     // single port mode
	Range *PortRange //
	List  []uint16   //
}

Port and Ports, PortRange, 只能取其一(可以支持,但是感觉不必要)

func ParseMultipartPorts added in v0.1.2 

func ParseMultipartPorts(val string) (*PortOption, error)

1,2,3 10000:20000

func (*PortOption) Equal added in v0.1.2 

func (a *PortOption) Equal(b *PortOption) bool

both a,b not nil

func (*PortOption) IsEmpty added in v0.1.4 

func (a *PortOption) IsEmpty() bool

type PortRange 

type PortRange struct {
	Min uint16
	Max uint16
}

func (*PortRange) Equal added in v0.1.2 

func (a *PortRange) Equal(b *PortRange) bool

both a,b not nil

type RULE_LOGIC 

type RULE_LOGIC = string

type RULE_OP added in v0.0.2 

type RULE_OP = string

type RULE_OP_OR_LOGIC added in v0.0.2 

type RULE_OP_OR_LOGIC = string

type Rule 

type Rule struct {
	// Chain is the name of the chain that contains this rule
	Chain string

	// Rule is the rule in standard nftables syntax. (Should be empty on Delete, but
	// is ignored if not.) Note that this does not include any rule comment, which is
	// separate from the rule itself.
	Rule string

	// Comment is an optional comment for the rule.
	Comment *string

	// Index is the number of a rule (counting from 0) to Add this Rule after or
	// Insert it before. Cannot be specified along with Handle. If neither Index
	// nor Handle is specified then Add appends the rule the end of the chain and
	// Insert prepends it to the beginning.
	Index *uint64

	// Handle is a rule handle. In Add or Insert, if set, this is the handle of
	// existing rule to put the new rule after/before. In Delete or Replace, this
	// indicates the existing rule to delete/replace, and is mandatory. In the result
	// of a List, this will indicate the rule's handle that can then be used in a
	// later operation.
	Handle *uint64

	RuleOpts *RuleOption

	// MD5 ?
	RuleChecksum string
}

our define

func (*Rule) Equal added in v0.1.2 

func (r *Rule) Equal(other *Rule) bool

type RuleComplex 

type RuleComplex[T any] struct {
	Logic RULE_LOGIC // and/or
	Rules []T
}

type RuleDateRange added in v0.1.4 

type RuleDateRange struct {
	Min string //
	Max string //
}

func (*RuleDateRange) Equal added in v0.1.4 

func (a *RuleDateRange) Equal(b *RuleDateRange) bool

type RuleDay 

type RuleDay struct {
	Op    RULE_OP
	Value int16 // 0-6
}

type RuleDayComplex 

type RuleDayComplex RuleComplex[RuleDay]

type RuleHour 

type RuleHour struct {
	Op     RULE_OP
	Value  string // 17:00:01
	Ts     int64  // total seconds, parse to string
	Hour   int16  // 0-24
	Minute int16  // 0-59
	Second int16  // 0-59
}

value/ts/h 三个选一个, 优先级从前往后

type RuleHourComplex 

type RuleHourComplex RuleComplex[RuleHour]

type RuleHourRange added in v0.0.2 

type RuleHourRange struct {
	Min uint32 // seconds
	Max uint32 // seconds
}

func (*RuleHourRange) Equal added in v0.1.2 

func (a *RuleHourRange) Equal(b *RuleHourRange) bool

type RuleOption 

type RuleOption struct {
	IsDef bool // -P

	InIface  string
	OutIface string
	Protocol string
	Dst      *IPOption
	DstPort  *PortOption
	Src      *IPOption // single ip or cidrIp
	SrcPort  *PortOption
	CtState  byte // -m conntrack --ctstate ESTABLISHED,RELATED
	State    byte // -m state --state ESTABLISHED,RELATED
	Target   string

	// -p icmp --icmp-type echo-request
	ProtocolExtraStr  *string
	ProtocolExtraByte *byte

	// demo time/day/hour:
	// add rule ip filter input tcp dport 22 time hour >= 9 and time hour < 17 accept
	// nftables(v1.0.0+)​​ 中 ​不再强制要求 time 关键字,可以直接使用 day、hour、weekday 等字段。但仍然建议加上 time 以提高可读性,并确保兼容性。
	//
	// time < "2019-06-06 17:00" drop;
	// time < "2019-06-06 17:20:20" drop;
	// time < 12341234 drop;
	// day == "Saturday" drop;
	// day == 6 drop;
	// hour >= 17:00 drop;
	// hour >= "17:00:01" drop;
	// hour >= 63000 drop;
	//
	// integer: ns since epoch, or
	// string: date in ISO format.
	// When an integer is specified, it is assumed to be a UNIX timestamp.
	// "2019-06-06" = "2019-06-06 00:00" = "2019-06-06 00:00:00".
	//
	// integer: 0 = Sunday to 6 = Saturday, or
	// case-insensitive string: "Monday", "tuesday", etc. Unique abbreviations also work: "fri", "Sat".
	// 24-hour "HH:MM:SS", with seconds optional. 17:00 = 17:00:0
	//
	// iptables : --timestart 00:01,--timestop 00:01,--weekdays Sun,Mon
	Time *TimeOption

	// match fields(-m, --match)
	M_mac     map[string]any   //
	M_tcp_udp map[string]any   //
	M_limit   map[string]any   //
	M_other   []map[string]any //
	M_iprange map[string]any   // --src-range,--dst-range
}

func BuildCmdArgs 

func BuildCmdArgs(args []string, opts ...RuleOptionFunc) ([]string, *RuleOption)

如果单独命令行执行iptables 命令,不能用%i,因为不知道当前的iface,如果是配置在wireguard配置文件里,当然可以配置文件名就是iface name Placeholders: %i can be used as a placeholder for the interface name. Target=ACCEPT/REJECT/..., default is DROP

func BuildCmdArgsStr 

func BuildCmdArgsStr(args []string, chain string, opts ...RuleOptionFunc) (string, *RuleOption)

PostUp = iptables -A INPUT -i %i -p tcp --dport 3306 -j ACCEPT # 仅允许MySQL端口 PostDown = iptables -D INPUT -i %i -p tcp --dport 3306 -j ACCEPT

func ParseRule added in v0.1.2 

func ParseRule(rule string, chain string) (*RuleOption, error)

Rule is the rule in standard nftables syntax -P FORWARD ACCEPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT -A INPUT -i wg0 -o wg0 -p tcp --dport 3306 -j ACCEPT

func (*RuleOption) EnsureDst added in v0.1.2 

func (o *RuleOption) EnsureDst()

func (*RuleOption) EnsureDstPort added in v0.1.2 

func (o *RuleOption) EnsureDstPort()

func (*RuleOption) EnsureSrc added in v0.1.2 

func (o *RuleOption) EnsureSrc()

func (*RuleOption) EnsureSrcPort added in v0.1.2 

func (o *RuleOption) EnsureSrcPort()

func (*RuleOption) EnsureTime added in v0.1.2 

func (o *RuleOption) EnsureTime()

func (*RuleOption) Equal added in v0.1.2 

func (o *RuleOption) Equal(other *RuleOption) bool

Equal 比较两个RuleOption是否相等,检查所有字段值是否相同 返回true表示两个规则选项完全一致,false表示存在差异

type RuleOptionFunc 

type RuleOptionFunc func(*RuleOption)

func WithCtState 

func WithCtState(ctState byte) RuleOptionFunc

func WithCtStateNew 

func WithCtStateNew() RuleOptionFunc

func WithCtStateNoNew 

func WithCtStateNoNew() RuleOptionFunc

func WithDateRange added in v0.1.5 

func WithDateRange(val *RuleDateRange) RuleOptionFunc

WithDateRange

func WithDay 

func WithDay(day *RuleDay) RuleOptionFunc

todo

func WithDayComplex added in v0.0.2 

func WithDayComplex(dayComplex *RuleDayComplex) RuleOptionFunc

TODO: complex cases are not supported WithDayComplex 设置基于复杂日期条件的防火墙规则选项 dayComplex 参数指定了日期条件的复杂组合逻辑

func WithDst 

func WithDst(dst string) RuleOptionFunc

dst /////////////////////////////////////////////////////////////////////

func WithDstAndPort 

func WithDstAndPort(dst string, dstPort uint16) RuleOptionFunc

func WithDstCidr 

func WithDstCidr(dstCidr *ip_util.CidrIp) RuleOptionFunc

func WithDstList 

func WithDstList(dstList []string) RuleOptionFunc

func WithDstPort 

func WithDstPort(dstPort uint16) RuleOptionFunc

func WithDstPortRange 

func WithDstPortRange(dstPortRange *PortRange) RuleOptionFunc

func WithDstPorts 

func WithDstPorts(dstPorts []uint16) RuleOptionFunc

func WithDstRange 

func WithDstRange(dstRange *IPRange) RuleOptionFunc

func WithDstSrc 

func WithDstSrc(dst string, src string) RuleOptionFunc

src&dst /////////////////////////////////////////////////////////////////////

func WithDstSrcCidr 

func WithDstSrcCidr(dstCidr *ip_util.CidrIp, srcCidr *ip_util.CidrIp) RuleOptionFunc

func WithHour 

func WithHour(val *RuleHour) RuleOptionFunc

WithHour 设置规则生效的小时条件,接受一个RuleHour指针参数 该条件将应用于防火墙规则的时间匹配逻辑

func WithHourComplex added in v0.0.2 

func WithHourComplex(hourComplex *RuleHourComplex) RuleOptionFunc

TODO: complex cases are not supported

func WithHourRange added in v0.0.2 

func WithHourRange(val *RuleHourRange) RuleOptionFunc

WithHourRange

func WithIO 

func WithIO(inIface string, outIface string) RuleOptionFunc

func WithInIface 

func WithInIface(inIface string) RuleOptionFunc

func WithMonthDays added in v0.1.5 

func WithMonthDays(monthdays []uint16) RuleOptionFunc

func WithOutIface 

func WithOutIface(outIface string) RuleOptionFunc

func WithProtocol 

func WithProtocol(protocol string) RuleOptionFunc

func WithProtocolIcmp 

func WithProtocolIcmp(icmpType byte) RuleOptionFunc

func WithProtocolTcp 

func WithProtocolTcp() RuleOptionFunc

func WithProtocolUdp 

func WithProtocolUdp() RuleOptionFunc

func WithSrc 

func WithSrc(src string) RuleOptionFunc

src /////////////////////////////////////////////////////////////////////

func WithSrcAndPort 

func WithSrcAndPort(src string, srcPort uint16) RuleOptionFunc

func WithSrcCidr 

func WithSrcCidr(srcCidr *ip_util.CidrIp) RuleOptionFunc

func WithSrcList 

func WithSrcList(srcList []string) RuleOptionFunc

WithSrcList 设置源地址列表,列表会被自动排序。空列表会被忽略。

func WithSrcPort 

func WithSrcPort(srcPort uint16) RuleOptionFunc

func WithSrcPortRange 

func WithSrcPortRange(srcPortRange *PortRange) RuleOptionFunc

func WithSrcPorts 

func WithSrcPorts(srcPorts []uint16) RuleOptionFunc

WithSrcPorts 设置源端口列表,端口会自动排序。空列表会被忽略。

func WithSrcRange 

func WithSrcRange(srcRange *IPRange) RuleOptionFunc

WithSrcRange 设置源IP地址范围选项,用于匹配指定范围内的源IP地址

func WithTarget 

func WithTarget(target string) RuleOptionFunc

func WithTargetAccept 

func WithTargetAccept() RuleOptionFunc

func WithTargetDrop 

func WithTargetDrop() RuleOptionFunc

func WithTime 

func WithTime(val *RuleTime) RuleOptionFunc

TODO: time not supported WithTime 设置规则的时间条件,接受一个RuleTime指针作为参数

func WithTimeComplex added in v0.0.2 

func WithTimeComplex(timeComplex *RuleTimeComplex) RuleOptionFunc

TODO: complex cases are not supported WithTimeComplex 设置规则的时间复杂条件,接受一个 RuleTimeComplex 指针参数 该条件用于定义基于复杂时间逻辑(如时间段组合)的防火墙规则匹配条件

func WithUTC added in v0.1.15 

func WithUTC(utc bool) RuleOptionFunc

func WithWeekDays added in v0.1.5 

func WithWeekDays(weekdays []uint16) RuleOptionFunc

WithWeekDays 设置防火墙规则生效的星期列表,自动对星期进行排序 weekdays: 星期数组(0-6),空数组将被忽略

type RuleTime 

type RuleTime struct {
	Op    RULE_OP
	Value string // 2019-06-06 17:20:20
	Ts    int64  // unix timestamp
}

Value和ts选一个

type RuleTimeComplex 

type RuleTimeComplex RuleComplex[RuleTime]

type ServiceTool 

type ServiceTool struct {
	// contains filtered or unexported fields
}

func (*ServiceTool) AddForwardAll 

func (s *ServiceTool) AddForwardAll(wgIface, eth string) error

-p(protocol, if no, then all) -s(src ip); -d(dst ip); --sport(src port); --dport(dst port) -i(in from which iface); -o(out from which iface) -A 表示追加到最后一行 

# 增加iptables规则(如果需要从远程访问本地子网)

iptables -A FORWARD -i wg0 -j ACCEPT iptables -A FORWARD -o wg0 -j ACCEPT iptables -A -t nat POSTROUTING -o eth0 -j MASQUERADE

# 对应的删除命令 iptables -D FORWARD -i wg0 -j ACCEPT iptables -D FORWARD -o wg0 -j ACCEPT iptables -D -t nat POSTROUTING -o eth0 -j MASQUERADE

func (*ServiceTool) DelForwardAll 

func (s *ServiceTool) DelForwardAll(wgIface, eth string) error

wg iface is in, eth is out

type TableCreator 

type TableCreator func(tableType string, tableName string) (IIPTablesTable, error)

type TimeOption added in v0.1.2 

type TimeOption struct {
	UTC       *bool
	HourRange *RuleHourRange // seconds, 00:01, TimeStart/TimeStop
	DateRange *RuleDateRange // DateStart/DateStop
	// for nftables: Sunday=0, Saturday=6;
	// for iptables, Mon=1,Sun=7;
	// 字符格式两个都支持,但是iptables支持的字符格式严格
	// 1-6表示的是一样,区别是0/7, 也就是0=7=Sunday
	WeekDays  []uint16
	MonthDays []uint16 // iptables 支持,我们暂时不需要

	// TODO: BELLOWs, nftables may be support, but iptables not support
	Time        *RuleTime // uint64 // timestamp of packet reception,
	TimeComplex *RuleTimeComplex
	Day         *RuleDay         // day of week
	DayComplex  *RuleDayComplex  // TODO:
	Hour        *RuleHour        // uint16 // hour of day
	HourComplex *RuleHourComplex // TODO:
}

func (*TimeOption) EnsureDateRange added in v0.1.5 

func (o *TimeOption) EnsureDateRange()

func (*TimeOption) EnsureHourRange added in v0.1.5 

func (o *TimeOption) EnsureHourRange()

func (*TimeOption) Equal added in v0.1.2 

func (a *TimeOption) Equal(b *TimeOption) bool

both a,b not nil

func (*TimeOption) IsEmpty added in v0.1.4 

func (a *TimeOption) IsEmpty() bool

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.