expr

package
Published: Mar 10, 2024 License: Apache-2.0 Imports: 10 Imported by: 73

Documentation

Overview

Package expr provides nftables rule expressions.


Constants

const (
	// Netlink attribute identifiers of the connlimit expression, as listed in
	// https://git.netfilter.org/libnftnl/tree/include/linux/netfilter/nf_tables.h?id=84d12cfacf8ddd857a09435f3d982ab6250d250c#n1167
	NFTA_CONNLIMIT_UNSPEC = 0
	NFTA_CONNLIMIT_COUNT  = 1
	NFTA_CONNLIMIT_FLAGS  = 2

	// NFT_CONNLIMIT_F_INV is the flag bit carried in NFTA_CONNLIMIT_FLAGS that
	// inverts the match (per the _F_INV suffix in the linked header; confirm the
	// exact over/under semantics against the kernel's nft_connlimit.c).
	NFT_CONNLIMIT_F_INV = 1
)
const (
	// Conntrack attributes selectable with the Ct expression; each mirrors the
	// NFT_CT_* constant of the same name from golang.org/x/sys/unix.
	CtKeySTATE      CtKey = unix.NFT_CT_STATE
	CtKeyDIRECTION  CtKey = unix.NFT_CT_DIRECTION
	CtKeySTATUS     CtKey = unix.NFT_CT_STATUS
	CtKeyMARK       CtKey = unix.NFT_CT_MARK
	CtKeySECMARK    CtKey = unix.NFT_CT_SECMARK
	CtKeyEXPIRATION CtKey = unix.NFT_CT_EXPIRATION
	CtKeyHELPER     CtKey = unix.NFT_CT_HELPER
	CtKeyL3PROTOCOL CtKey = unix.NFT_CT_L3PROTOCOL
	CtKeySRC        CtKey = unix.NFT_CT_SRC
	CtKeyDST        CtKey = unix.NFT_CT_DST
	CtKeyPROTOCOL   CtKey = unix.NFT_CT_PROTOCOL
	CtKeyPROTOSRC   CtKey = unix.NFT_CT_PROTO_SRC
	CtKeyPROTODST   CtKey = unix.NFT_CT_PROTO_DST
	CtKeyLABELS     CtKey = unix.NFT_CT_LABELS
	CtKeyPKTS       CtKey = unix.NFT_CT_PKTS
	CtKeyBYTES      CtKey = unix.NFT_CT_BYTES
	CtKeyAVGPKT     CtKey = unix.NFT_CT_AVGPKT
	CtKeyZONE       CtKey = unix.NFT_CT_ZONE
	CtKeyEVENTMASK  CtKey = unix.NFT_CT_EVENTMASK

	// Bits of the conntrack state word that CtKeySTATE loads, taken from
	// https://sources.debian.org/src//nftables/0.9.8-3/src/ct.c/?hl=39#L39
	// The values are individual bits (note the gap at 16 and 32), so the word
	// is presumably a bitmask: to test "established or related", mask the
	// register with Bitwise and compare with Cmp rather than comparing the
	// whole word for equality against one bit — confirm against nft's ct.c.
	CtStateBitINVALID     uint32 = 1
	CtStateBitESTABLISHED uint32 = 2
	CtStateBitRELATED     uint32 = 4
	CtStateBitNEW         uint32 = 8
	CtStateBitUNTRACKED   uint32 = 64
)

Possible CtKey values, followed by the bit values of the conntrack state word read via CtKeySTATE.

// Dynset attribute and flag that golang.org/x/sys/unix does not export yet; see
// https://cs.opensource.google/go/x/sys/+/c6bc011c:unix/ztypes_linux.go;l=2027-2036
const (
	// NFTA_DYNSET_EXPRESSIONS is the netlink attribute that presumably carries
	// the nested expressions of a Dynset (its Exprs field).
	NFTA_DYNSET_EXPRESSIONS = 10
	// NFT_DYNSET_F_EXPR is the dynset flag bit signalling that expressions are
	// attached.
	NFT_DYNSET_F_EXPR = 0x2
)

These constants are not yet defined in golang.org/x/sys/unix; see https://cs.opensource.google/go/x/sys/+/c6bc011c:unix/ztypes_linux.go;l=2027-2036

// NAT range flags, written as the bit positions used by the kernel's nf_nat.h.
// The per-flag descriptions follow the flag names; confirm details against
// nf_nat.h / nf_nat_core.c before relying on them.
const (
	// NF_NAT_RANGE_PROTO_RANDOM requests port randomisation for the mapping.
	NF_NAT_RANGE_PROTO_RANDOM = 1 << 2
	// NF_NAT_RANGE_PERSISTENT keeps the same mapping for a source across connections.
	NF_NAT_RANGE_PERSISTENT = 1 << 3
	// NF_NAT_RANGE_PROTO_RANDOM_FULLY requests fully random port selection. Where
	// source-port predictability matters (off-path guessing attacks), this is the
	// flag to prefer over NF_NAT_RANGE_PROTO_RANDOM.
	NF_NAT_RANGE_PROTO_RANDOM_FULLY = 1 << 4
	// NF_NAT_RANGE_PREFIX requests prefix (network-to-network) mapping; its bit
	// position is the one the kernel header names NF_NAT_RANGE_NETMAP — verify.
	NF_NAT_RANGE_PREFIX = 1 << 6
)

TODO: once these constants are available in golang.org/x/sys/unix, switch to those.

const (
	// Netlink attributes of the queue expression (queue number, number of
	// queues for fan-out, and flags), mirrored from golang.org/x/sys/unix.
	QueueNum   QueueAttribute = unix.NFTA_QUEUE_NUM
	QueueTotal QueueAttribute = unix.NFTA_QUEUE_TOTAL
	QueueFlags QueueAttribute = unix.NFTA_QUEUE_FLAGS

	// TODO: get into x/sys/unix
	// QueueFlagBypass: NOTE(review): under the kernel's queue "bypass" semantics
	// a packet is accepted, not dropped, when no userspace program is bound to
	// the queue — the rule fails open. Confirm against nft_queue.c before using
	// a queue rule as a fail-closed control (without the flag the packet is
	// presumably dropped in that situation).
	QueueFlagBypass QueueFlag = 0x01
	// QueueFlagFanout spreads packets over Total queues starting at Num
	// (presumably by flow hash — confirm).
	QueueFlagFanout QueueFlag = 0x02
	// QueueFlagMask is the union of the defined flag bits.
	QueueFlagMask   QueueFlag = 0x03
)

Possible QueueAttribute values, followed by the QueueFlag bits.

const (
	// TODO: once these constants are available in golang.org/x/sys/unix, switch to those.
	// Netlink attributes of the socket expression.
	NFTA_SOCKET_KEY   = 1
	NFTA_SOCKET_DREG  = 2
	NFTA_SOCKET_LEVEL = 3

	// Socket attributes that can be read (NFT_SOCKET_* values).
	NFT_SOCKET_TRANSPARENT = 0
	NFT_SOCKET_MARK        = 1
	NFT_SOCKET_WILDCARD    = 2
	NFT_SOCKET_CGROUPV2    = 3

	// Typed aliases used in Socket.Key. Meanings are inferred from the
	// NFT_SOCKET_* names; confirm against the kernel's nft_socket.c.
	// SocketKeyTransparent: whether the packet's socket has IP_TRANSPARENT set
	// (the usual companion check for a TProxy rule).
	SocketKeyTransparent SocketKey = NFT_SOCKET_TRANSPARENT
	// SocketKeyMark: the socket's mark (SO_MARK).
	SocketKeyMark        SocketKey = NFT_SOCKET_MARK
	// SocketKeyWildcard: whether the socket is bound to a wildcard address.
	SocketKeyWildcard    SocketKey = NFT_SOCKET_WILDCARD
	// SocketKeyCgroupv2: the socket's cgroup v2 id at the ancestor level given
	// by Socket.Level.
	SocketKeyCgroupv2    SocketKey = NFT_SOCKET_CGROUPV2
)
// Netlink attributes of the tproxy expression (not yet in golang.org/x/sys/unix).
const (
	// NFTA_TPROXY_FAMILY carries the address family of the table.
	NFTA_TPROXY_FAMILY = iota + 1
	// NFTA_TPROXY_REG_ADDR names the register holding the redirection address.
	NFTA_TPROXY_REG_ADDR
	// NFTA_TPROXY_REG_PORT names the register holding the redirection port.
	NFTA_TPROXY_REG_PORT
)
// NFTNL_EXPR_FLOW_TABLE_NAME is the libnftnl attribute id for the flowtable
// name carried by a FlowOffload expression.
const NFTNL_EXPR_FLOW_TABLE_NAME = 1
// XTablesExtensionNameMaxLen bounds the name of an xtables match/target
// extension (29 bytes, per the libnftnl source linked below). Callers should
// reject longer names rather than silently truncate them, so that two distinct
// names cannot collapse onto the same extension.
const XTablesExtensionNameMaxLen = 29

See https://git.netfilter.org/libnftnl/tree/src/expr/target.c?id=09456c720e9c00eecc08e41ac6b7c291b3821ee5#n28

Variables

This section is empty.

Functions

func Marshal

func Marshal(fam byte, e Any) ([]byte, error)

Marshal serializes the expression e into its nftables netlink encoding for the given address family fam.

func Unmarshal

func Unmarshal(fam byte, data []byte, e Any) error

Unmarshal decodes data (the netlink encoding for address family fam) into e, which must be a pointer to the expression type that data encodes; a decoding failure is reported as an error.

Types

type Any

// Any is implemented by every expression type in this package. Its method set
// is unexported, so the interface is sealed: types outside this package cannot
// satisfy it, which keeps Marshal/Unmarshal confined to the known expression
// kinds.
type Any interface {
	// contains filtered or unexported methods
}

Any is an interface implemented by any expression type.

type Bitwise

// Bitwise masks and flips bits of a register value and stores the result.
// The kernel's nft_bitwise presumably computes dst = (src & Mask) ^ Xor over
// Len bytes — confirm against nft_bitwise.c. Mask and Xor are expected to be
// exactly Len bytes long; size them accordingly.
type Bitwise struct {
	// SourceRegister is the register read as input.
	SourceRegister uint32
	// DestRegister receives the result.
	DestRegister   uint32
	// Len is the operand width in bytes.
	Len            uint32
	// Mask is ANDed with the source value.
	Mask           []byte
	// Xor is XORed with the masked value.
	Xor            []byte
}

type Byteorder

// Byteorder converts a register value between network and host byte order
// (see ByteorderOp) and stores the result in DestRegister.
type Byteorder struct {
	SourceRegister uint32
	DestRegister   uint32
	// Op selects the direction of the conversion (network-to-host or host-to-network).
	Op             ByteorderOp
	// Len is the total number of bytes converted.
	Len            uint32
	// Size is presumably the width in bytes of each integer within Len
	// (e.g. 2 or 4) — confirm against nft_byteorder.c.
	Size           uint32
}

type ByteorderOp

// ByteorderOp selects the direction of a Byteorder conversion.
type ByteorderOp uint32
const (
	// ByteorderNtoh converts from network (big-endian) to host byte order.
	ByteorderNtoh ByteorderOp = unix.NFT_BYTEORDER_NTOH
	// ByteorderHton converts from host to network (big-endian) byte order.
	ByteorderHton ByteorderOp = unix.NFT_BYTEORDER_HTON
)

type Cmp

// Cmp compares the contents of Register with the constant Data using Op.
// The comparison is over raw register bytes, so Data must match the width of
// the value previously loaded into the register (e.g. by Payload or Meta); for
// ordered operators on multi-byte fields, byte order matters — convert with
// Byteorder if needed (confirm the exact semantics against nft_cmp.c).
type Cmp struct {
	Op       CmpOp
	Register uint32
	Data     []byte
}

Cmp compares a register with the specified data.

type CmpOp

// CmpOp selects the comparison performed by Cmp and Range.
type CmpOp uint32

CmpOp specifies which type of comparison should be performed.

const (
	// Equality / inequality of the register bytes against Data.
	CmpOpEq  CmpOp = unix.NFT_CMP_EQ
	CmpOpNeq CmpOp = unix.NFT_CMP_NEQ
	// Ordered comparisons; presumably unsigned over the register bytes —
	// confirm against nft_cmp.c.
	CmpOpLt  CmpOp = unix.NFT_CMP_LT
	CmpOpLte CmpOp = unix.NFT_CMP_LTE
	CmpOpGt  CmpOp = unix.NFT_CMP_GT
	CmpOpGte CmpOp = unix.NFT_CMP_GTE
)

Possible CmpOp values.

type Counter

// Counter counts the packets and bytes that reach it in the rule. When a rule
// is added these fields are presumably the initial counter values; when a rule
// is read back they hold the current counts — confirm against the caller.
type Counter struct {
	Bytes   uint64
	Packets uint64
}

type Ct

// Ct reads the conntrack attribute selected by Key into Register, or, when
// SourceRegister is true, writes it from Register (the "ct mark set" style of
// use) — confirm the write semantics against nft_ct.c.
type Ct struct {
	Register       uint32
	// SourceRegister selects the store direction: true means Register is the
	// source of the value written into conntrack.
	SourceRegister bool
	Key            CtKey
}

Ct is the connection-tracking (conntrack) expression; Key selects which conntrack attribute is read into (or, with SourceRegister, written from) Register.

type CtKey

// CtKey identifies the conntrack attribute read or written by a Ct expression.
type CtKey uint32

CtKey specifies which piece of conntrack information should be loaded. See also https://wiki.nftables.org/wiki-nftables/index.php/Matching_connection_tracking_stateful_metainformation

type Dup

// Dup duplicates the packet to the address held in RegAddr, optionally via the
// device held in RegDev.
type Dup struct {
	RegAddr     uint32
	RegDev      uint32
	// IsRegDevSet reports whether RegDev is meaningful and should be emitted.
	IsRegDevSet bool
}

type Dynset

// Dynset adds or updates an element of a set or map from the packet being
// evaluated. The target set is named by SetName and SetID.
type Dynset struct {
	// SrcRegKey is the register holding the element key.
	SrcRegKey  uint32
	// SrcRegData is the register holding the element data (maps only).
	SrcRegData uint32
	SetID      uint32
	SetName    string
	// Operation is the NFT_DYNSET_OP_* selector (add/update); confirm the
	// accepted values against golang.org/x/sys/unix.
	Operation  uint32
	// Timeout is the per-element expiry; zero presumably means no timeout — confirm.
	Timeout    time.Duration
	// Invert negates the match.
	Invert     bool
	// Exprs are stateful expressions attached to the element (e.g. Limit or
	// Counter), presumably carried in NFTA_DYNSET_EXPRESSIONS.
	Exprs      []Any
}

Dynset represents an expression that dynamically adds or updates an element of a set or map based on the incoming packet.

type Exthdr

// Exthdr reads (or, with SourceRegister, writes) Len bytes at Offset of an
// IPv6 extension header or TCP option of the given Type, as selected by Op.
type Exthdr struct {
	DestRegister   uint32
	// Type is the extension header / option number to locate.
	Type           uint8
	Offset         uint32
	Len            uint32
	// Flags are the NFT_EXTHDR_F_* bits (e.g. presence check) — confirm against
	// golang.org/x/sys/unix.
	Flags          uint32
	Op             ExthdrOp
	SourceRegister uint32
}

type ExthdrOp

// ExthdrOp selects whether an Exthdr expression addresses an IPv6 extension
// header or a TCP option.
type ExthdrOp uint32
const (
	ExthdrOpIpv6   ExthdrOp = unix.NFT_EXTHDR_OP_IPV6
	ExthdrOpTcpopt ExthdrOp = unix.NFT_EXTHDR_OP_TCPOPT
)

type Fib

// Fib queries the routing table (forwarding information base) for the packet's
// source or destination address and stores the selected result in Register.
// The Result* fields pick what is returned (output interface index, name, or
// address type); the Flag* fields pick the lookup inputs. The typical security
// use is reverse-path filtering — dropping packets whose source address is not
// routable back over the input interface; verify the exact flag combination
// against nft's "fib" documentation before relying on it.
type Fib struct {
	Register       uint32
	ResultOIF      bool
	ResultOIFNAME  bool
	ResultADDRTYPE bool
	FlagSADDR      bool
	FlagDADDR      bool
	FlagMARK       bool
	FlagIIF        bool
	FlagOIF        bool
	FlagPRESENT    bool
}

Fib is the forwarding-information-base (routing table) lookup expression; the Result* fields select what is returned and the Flag* fields select the lookup inputs.

type FlowOffload

// FlowOffload hands the matching flow to the flowtable named Name. Offloaded
// flows presumably bypass the rest of the ruleset for subsequent packets, so
// only place this after the rules that must have seen the flow — confirm
// against the nftables flowtable documentation.
type FlowOffload struct {
	Name string
}

type Hash

// Hash stores a hash of Length bytes at SourceRegister, reduced modulo Modulus
// and shifted by Offset, into DestRegister (presumably; confirm the exact
// formula against nft_hash.c). NOTE(review): Jenkins and symmetric hashes are
// not cryptographic; with a fixed Seed the output is predictable, so do not use
// it where an attacker must be unable to steer the result (e.g. choosing a
// specific backend in a load-balancing map).
type Hash struct {
	SourceRegister uint32
	DestRegister   uint32
	Length         uint32
	Modulus        uint32
	Seed           uint32
	Offset         uint32
	Type           HashType
}

Hash is the hashing expression: it hashes register bytes with one of the kernel's (non-cryptographic) hash functions and stores the reduced result in a register.

type HashType

// HashType selects the hash function used by Hash. Neither is cryptographic.
type HashType uint32
const (
	// HashTypeJenkins uses the kernel's Jenkins hash.
	HashTypeJenkins HashType = unix.NFT_HASH_JENKINS
	// HashTypeSym uses the symmetric hash (same value for both flow directions).
	HashTypeSym     HashType = unix.NFT_HASH_SYM
)

type Immediate

// Immediate loads the constant Data into Register. With the verdict register it
// presumably carries a verdict (see Verdict); otherwise it supplies a constant
// operand such as a NAT address — confirm against nft_immediate.c.
type Immediate struct {
	Register uint32
	Data     []byte
}

type Limit

// Limit rate-limits matching: at most Rate units (packets or bytes, per Type)
// per Unit of time, with Burst additional units allowed. Over inverts the
// match so the rule applies to traffic exceeding the rate (the "limit rate
// over" form) — confirm against nft_limit.c.
type Limit struct {
	Type  LimitType
	Rate  uint64
	Over  bool
	Unit  LimitTime
	Burst uint32
}

Limit represents a rate limit expression.

type LimitTime

// LimitTime is the time unit, expressed in seconds, that a Limit's Rate is
// measured per.
type LimitTime uint64

LimitTime represents the limit unit.

// Each unit is its length in seconds; Limit.Rate is presumably interpreted per
// Unit (confirm against nft_limit.c).
const (
	LimitTimeSecond LimitTime = 1
	LimitTimeMinute LimitTime = 60
	LimitTimeHour   LimitTime = 3600
	LimitTimeDay    LimitTime = 86400
	LimitTimeWeek   LimitTime = 604800
)

Possible limit unit values.

type LimitType

// LimitType says whether a Limit counts packets or packet bytes.
type LimitType uint32

LimitType represents the type of the limit expression.

const (
	// LimitTypePkts counts packets.
	LimitTypePkts     LimitType = unix.NFT_LIMIT_PKTS
	// LimitTypePktBytes counts packet bytes.
	LimitTypePktBytes LimitType = unix.NFT_LIMIT_PKT_BYTES
)

Imported from the nft_limit_type enum in netfilter/nf_tables.h.

type Log

// Log emits a log record for matching packets, either to the kernel log at
// syslog severity Level or to an nflog group (Group, with Snaplen/QThreshold
// controlling delivery). See
// https://git.netfilter.org/libnftnl/tree/src/expr/log.c?id=09456c720e9c00eecc08e41ac6b7c291b3821ee5#n25
// NOTE(review): an unconditional log rule lets any remote sender generate a
// log record per packet; consider pairing it with Limit.
type Log struct {
	// Level is the syslog severity used for kernel-log output.
	Level LogLevel
	// Refers to log flags (flags all, flags ip options, ...)
	Flags LogFlags
	// Equivalent to expression flags.
	// Indicates that an option is set by setting a bit
	// on index referred by the NFTA_LOG_* value.
	// See https://cs.opensource.google/go/x/sys/+/3681064d:unix/ztypes_linux.go;l=2126;drc=3681064d51587c1db0324b3d5c23c2ddbcff6e8f
	Key        uint32
	// Snaplen, Group and QThreshold are presumably only meaningful for nflog
	// (group) logging — confirm against nft_log.c.
	// Snaplen is the number of packet bytes copied to the nflog group.
	Snaplen    uint32
	// Group is the nflog group number delivered to userspace listeners.
	Group      uint16
	// QThreshold is the number of packets queued before an nflog batch is sent.
	QThreshold uint16
	// Log prefix string content
	Data []byte
}

Log is the logging expression (kernel log or nflog group). See https://git.netfilter.org/libnftnl/tree/src/expr/log.c?id=09456c720e9c00eecc08e41ac6b7c291b3821ee5#n25

type LogFlags

// LogFlags is the bitmask of NF_LOG_* options for a Log expression; see
// https://git.netfilter.org/nftables/tree/include/linux/netfilter/nf_log.h?id=5b364657a35f4e4cd5d220ba2a45303d729c8eca
type LogFlags uint32

const (
	LogFlagsTCPSeq    LogFlags = 0x01 // log TCP sequence numbers
	LogFlagsTCPOpt    LogFlags = 0x02 // log TCP options
	LogFlagsIPOpt     LogFlags = 0x04 // log IP options
	LogFlagsUID       LogFlags = 0x08 // log the uid owning a local socket
	LogFlagsNFLog     LogFlags = 0x10 // NFLOG bit; left out of LogFlagsMask (see the linked header)
	LogFlagsMACDecode LogFlags = 0x20 // decode the MAC header
	// LogFlagsMask is the OR of every flag above except LogFlagsNFLog (0x2f),
	// matching NF_LOG_MASK in the linked header.
	LogFlagsMask LogFlags = 0x2f
)

type LogLevel

// LogLevel is the syslog severity of a kernel-log Log expression; values follow
// the NFT_LOGLEVEL_* enum in
// https://git.netfilter.org/nftables/tree/include/linux/netfilter/nf_tables.h?id=5b364657a35f4e4cd5d220ba2a45303d729c8eca#n1226
type LogLevel uint32

const (
	LogLevelEmerg   LogLevel = 0
	LogLevelAlert   LogLevel = 1
	LogLevelCrit    LogLevel = 2
	LogLevelErr     LogLevel = 3
	LogLevelWarning LogLevel = 4
	LogLevelNotice  LogLevel = 5
	LogLevelInfo    LogLevel = 6
	LogLevelDebug   LogLevel = 7
	// LogLevelAudit is nftables' extra level beyond the syslog range; per the
	// linked header it presumably routes the record to the audit subsystem.
	LogLevelAudit LogLevel = 8
)

type Lookup

// Lookup matches the value in SourceRegister against the set identified by
// SetName/SetID. For maps, DestRegister receives the mapped data when
// IsDestRegSet is true. Invert negates the match.
type Lookup struct {
	SourceRegister uint32
	DestRegister   uint32
	// IsDestRegSet reports whether DestRegister is meaningful and should be emitted.
	IsDestRegSet   bool

	SetID   uint32
	SetName string
	Invert  bool
}

Lookup represents a match against the contents of a set.

type Masq

// Masq masquerades the source address to that of the output interface.
// Random, FullyRandom and Persistent map to the NF_NAT_RANGE_PROTO_RANDOM,
// NF_NAT_RANGE_PROTO_RANDOM_FULLY and NF_NAT_RANGE_PERSISTENT flags; prefer
// FullyRandom where source-port predictability is a concern. When ToPorts is
// set, RegProtoMin/RegProtoMax name the registers holding the port range.
type Masq struct {
	Random      bool
	FullyRandom bool
	Persistent  bool
	ToPorts     bool
	RegProtoMin uint32
	RegProtoMax uint32
}

Masq (masquerade) is a special case of SNAT where the source address is automatically set to the address of the output interface. See also https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)#Masquerading

type Meta

// Meta reads the packet/socket metadata selected by Key into Register, or,
// when SourceRegister is true, writes it from Register (e.g. setting the
// packet mark) — confirm the write direction against nft_meta.c.
type Meta struct {
	Key            MetaKey
	// SourceRegister selects the store direction: true means Register is the
	// source of the value written.
	SourceRegister bool
	Register       uint32
}

Meta loads packet meta information for later comparisons. See also https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation

type MetaKey

// MetaKey identifies the packet or socket metadata read or written by Meta.
type MetaKey uint32

MetaKey specifies which piece of meta information should be loaded. See also https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation

const (
	// Each key mirrors the NFT_META_* constant of the same name in
	// golang.org/x/sys/unix. NOTE(review): socket-derived keys such as
	// MetaKeySKUID/MetaKeySKGID/MetaKeyCGROUP are presumably only meaningful
	// for locally generated packets (output path) — confirm against nft_meta.c
	// before using them as an access-control criterion for forwarded traffic.
	MetaKeyLEN        MetaKey = unix.NFT_META_LEN
	MetaKeyPROTOCOL   MetaKey = unix.NFT_META_PROTOCOL
	MetaKeyPRIORITY   MetaKey = unix.NFT_META_PRIORITY
	MetaKeyMARK       MetaKey = unix.NFT_META_MARK
	MetaKeyIIF        MetaKey = unix.NFT_META_IIF
	MetaKeyOIF        MetaKey = unix.NFT_META_OIF
	MetaKeyIIFNAME    MetaKey = unix.NFT_META_IIFNAME
	MetaKeyOIFNAME    MetaKey = unix.NFT_META_OIFNAME
	MetaKeyIIFTYPE    MetaKey = unix.NFT_META_IIFTYPE
	MetaKeyOIFTYPE    MetaKey = unix.NFT_META_OIFTYPE
	MetaKeySKUID      MetaKey = unix.NFT_META_SKUID
	MetaKeySKGID      MetaKey = unix.NFT_META_SKGID
	MetaKeyNFTRACE    MetaKey = unix.NFT_META_NFTRACE
	MetaKeyRTCLASSID  MetaKey = unix.NFT_META_RTCLASSID
	MetaKeySECMARK    MetaKey = unix.NFT_META_SECMARK
	MetaKeyNFPROTO    MetaKey = unix.NFT_META_NFPROTO
	MetaKeyL4PROTO    MetaKey = unix.NFT_META_L4PROTO
	MetaKeyBRIIIFNAME MetaKey = unix.NFT_META_BRI_IIFNAME
	MetaKeyBRIOIFNAME MetaKey = unix.NFT_META_BRI_OIFNAME
	MetaKeyPKTTYPE    MetaKey = unix.NFT_META_PKTTYPE
	MetaKeyCPU        MetaKey = unix.NFT_META_CPU
	MetaKeyIIFGROUP   MetaKey = unix.NFT_META_IIFGROUP
	MetaKeyOIFGROUP   MetaKey = unix.NFT_META_OIFGROUP
	MetaKeyCGROUP     MetaKey = unix.NFT_META_CGROUP
	// MetaKeyPRANDOM yields a pseudo-random value; it is not cryptographically
	// strong — treat it as guessable.
	MetaKeyPRANDOM    MetaKey = unix.NFT_META_PRANDOM
)

Possible MetaKey values.

type NAT

// NAT rewrites the source (NATTypeSourceNAT) or destination (NATTypeDestNAT)
// address to the value in the RegAddrMin..RegAddrMax registers, and optionally
// the port to the RegProtoMin..RegProtoMax registers. Random, FullyRandom,
// Persistent and Prefix map to the NF_NAT_RANGE_* flags defined in this
// package; prefer FullyRandom where source-port predictability is a concern.
type NAT struct {
	Type        NATType
	// Family is the address family of the addresses in the registers.
	Family      uint32 // TODO: typed const
	RegAddrMin  uint32
	RegAddrMax  uint32
	RegProtoMin uint32
	RegProtoMax uint32
	Random      bool
	FullyRandom bool
	Persistent  bool
	// Prefix requests prefix (network-to-network) mapping via NF_NAT_RANGE_PREFIX.
	Prefix      bool
}

type NATType

// NATType says whether a NAT expression rewrites the source or the destination.
type NATType uint32
const (
	NATTypeSourceNAT NATType = unix.NFT_NAT_SNAT
	NATTypeDestNAT   NATType = unix.NFT_NAT_DNAT
)

Possible NATType values.

type Notrack

// Notrack excludes matching packets from connection tracking. Later rules
// keyed on conntrack state (Ct with CtKeySTATE) presumably see them as
// untracked rather than new/established — confirm against nft_notrack.c
// before combining it with stateful rules.
type Notrack struct{}

type Numgen

// Numgen generates a number into Register, presumably Offset plus a value in
// [0, Modulus), either incrementally or randomly depending on Type (the
// NFT_NG_* values, left untyped here) — confirm against nft_numgen.c.
// NOTE(review): the random mode uses the kernel's non-cryptographic PRNG, so
// treat the sequence as guessable.
type Numgen struct {
	Register uint32
	Modulus  uint32
	Type     uint32
	Offset   uint32
}

Numgen is the number-generator expression (incremental or random values, used for round-robin and probabilistic matching).

type Objref

// Objref references a stateful object (counter, quota, limit, ...) by Name.
// Type is the NFT_OBJECT_* kind of the referenced object; it is still a bare
// int here (see the TODO).
type Objref struct {
	Type int // TODO: enum
	Name string
}

type Payload

// Payload loads (PayloadLoad) Len bytes at Offset from the header selected by
// Base into DestRegister, or writes (PayloadWrite) them from SourceRegister.
// For writes, CsumType/CsumOffset/CsumFlags tell the kernel which checksum to
// fix up after the mangling; leaving them unset when modifying a checksummed
// header (IPv4/TCP/UDP) presumably produces packets with a bad checksum —
// confirm against nft_payload.c.
type Payload struct {
	OperationType  PayloadOperationType
	DestRegister   uint32
	SourceRegister uint32
	Base           PayloadBase
	Offset         uint32
	Len            uint32
	CsumType       PayloadCsumType
	CsumOffset     uint32
	CsumFlags      uint32
}

type PayloadBase

// PayloadBase selects the header that a Payload Offset is relative to.
type PayloadBase uint32
const (
	// PayloadBaseLLHeader: link-layer (e.g. Ethernet) header.
	PayloadBaseLLHeader        PayloadBase = unix.NFT_PAYLOAD_LL_HEADER
	// PayloadBaseNetworkHeader: network-layer (IPv4/IPv6) header.
	PayloadBaseNetworkHeader   PayloadBase = unix.NFT_PAYLOAD_NETWORK_HEADER
	// PayloadBaseTransportHeader: transport-layer (TCP/UDP/...) header.
	PayloadBaseTransportHeader PayloadBase = unix.NFT_PAYLOAD_TRANSPORT_HEADER
)

Possible PayloadBase values.

type PayloadCsumType

// PayloadCsumType selects how the kernel updates a checksum after a
// PayloadWrite; see Payload.CsumType.
type PayloadCsumType uint32

Possible PayloadCsumType values.

type PayloadOperationType

// PayloadOperationType says whether a Payload expression reads header bytes
// into a register or writes register bytes into the header.
type PayloadOperationType uint32

const (
	PayloadLoad  PayloadOperationType = 0
	PayloadWrite PayloadOperationType = 1
)

Possible PayloadOperationType values.

type Queue

// Queue hands matching packets to userspace via nfqueue number Num (or, with
// QueueFlagFanout, one of Total queues starting at Num). NOTE(review): with
// QueueFlagBypass the packet is presumably accepted when no program is bound
// to the queue, so the rule fails open — confirm against nft_queue.c.
type Queue struct {
	Num   uint16
	Total uint16
	Flag  QueueFlag
}

type QueueAttribute

// QueueAttribute is a netlink attribute id of the queue expression.
type QueueAttribute uint16

type QueueFlag

// QueueFlag is a bit in the queue expression's flags word; see QueueFlagBypass,
// QueueFlagFanout and QueueFlagMask.
type QueueFlag uint16

type Quota

// Quota matches against a byte budget: Bytes is the threshold and Consumed the
// bytes already counted against it. Over selects whether the rule matches once
// the quota is exceeded (true) or while it is not (false) — confirm against
// nft_quota.c.
type Quota struct {
	Bytes    uint64
	Consumed uint64
	Over     bool
}

Quota defines a threshold against a number of bytes.

type Range

// Range tests whether the value in Register lies within FromData..ToData
// (inclusive, presumably). Op is expected to be CmpOpEq (inside) or CmpOpNeq
// (outside); the other CmpOp values are not meaningful here — confirm against
// nft_range.c.
type Range struct {
	Op       CmpOp
	Register uint32
	FromData []byte
	ToData   []byte
}

Range implements the range expression: an inclusive lower/upper bound test on a register value.

type Redir

// Redir redirects matching packets to the local machine (the "redirect"
// statement), optionally to the port range held in the
// RegisterProtoMin/RegisterProtoMax registers. Flags carries NF_NAT_RANGE_*
// bits such as NF_NAT_RANGE_PROTO_RANDOM — confirm against nft_redir.c.
type Redir struct {
	RegisterProtoMin uint32
	RegisterProtoMax uint32
	Flags            uint32
}

type Reject

// Reject drops the packet and sends an error back to the sender. Type selects
// the NFT_REJECT_* kind (ICMP unreachable, TCP reset, ...) and Code the ICMP
// code — confirm the accepted values against golang.org/x/sys/unix.
type Reject struct {
	Type uint32
	Code uint8
}

type Rt

// Rt loads the routing attribute selected by Key into Register.
type Rt struct {
	Register uint32
	Key      RtKey
}

type RtKey

// RtKey identifies the routing attribute read by Rt.
type RtKey uint32
const (
	RtClassid  RtKey = unix.NFT_RT_CLASSID
	RtNexthop4 RtKey = unix.NFT_RT_NEXTHOP4
	RtNexthop6 RtKey = unix.NFT_RT_NEXTHOP6
	// RtTCPMSS yields the path-derived TCP MSS (used for MSS clamping).
	RtTCPMSS   RtKey = unix.NFT_RT_TCPMSS
)

type Socket added in v0.2.0

// Socket reads the attribute selected by Key from the socket associated with
// the packet into Register. Level is presumably the cgroup ancestor level used
// with SocketKeyCgroupv2 (NFTA_SOCKET_LEVEL) — confirm against nft_socket.c.
type Socket struct {
	Key      SocketKey
	Level    uint32
	Register uint32
}

type SocketKey added in v0.2.0

// SocketKey identifies which socket attribute a Socket expression reads.
type SocketKey uint32

type TProxy

// TProxy steers matching packets to a local transparent-proxy socket at the
// address/port held in the RegAddr/RegPort registers without rewriting the
// packet. Family is presumably the address family of that address and
// TableFamily the family of the table the rule lives in (NFTA_TPROXY_FAMILY)
// — confirm against nft_tproxy.c. NOTE(review): the receiving socket must be
// bound with IP_TRANSPARENT and the host needs the usual policy-routing setup
// so the packets are delivered locally; this expression alone does not do that.
type TProxy struct {
	Family      byte
	TableFamily byte
	RegAddr     uint32
	RegPort     uint32
}

TProxy holds the parameters of the transparent-proxy (tproxy) expression.

type Verdict

// Verdict ends or redirects rule evaluation: Kind selects the action and Chain
// names the target chain for VerdictJump and VerdictGoto (presumably ignored
// for the other kinds).
type Verdict struct {
	Kind  VerdictKind
	Chain string
}

type VerdictKind

// VerdictKind is the numeric verdict code: NF_* hook verdicts (>= 0) from
// netfilter.h and NFT_* chain-control verdicts (< 0) from
// netfilter/nf_tables.h.
type VerdictKind int64

const (
	// nf_tables chain-control verdicts (negative).
	VerdictReturn   VerdictKind = -5 // NFT_RETURN: return to the calling chain
	VerdictGoto     VerdictKind = -4 // NFT_GOTO: continue in Verdict.Chain without returning
	VerdictJump     VerdictKind = -3 // NFT_JUMP: evaluate Verdict.Chain, then return here
	VerdictBreak    VerdictKind = -2 // NFT_BREAK
	VerdictContinue VerdictKind = -1 // NFT_CONTINUE: carry on with the next rule

	// Netfilter hook verdicts (non-negative).
	VerdictDrop   VerdictKind = 0 // NF_DROP
	VerdictAccept VerdictKind = 1 // NF_ACCEPT
	VerdictStolen VerdictKind = 2 // NF_STOLEN
	VerdictQueue  VerdictKind = 3 // NF_QUEUE
	VerdictRepeat VerdictKind = 4 // NF_REPEAT
	VerdictStop   VerdictKind = 5 // NF_STOP
)

Verdicts, as per netfilter.h and netfilter/nf_tables.h.
