xt

package

v0.2.0 Latest Latest Go to latest Published: Mar 10, 2024 License: Apache-2.0 Imports: 5 Imported by: 9

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/google/nftables

Links

Open Source Insights

Documentation ¶

Overview ¶

Package xt implements dedicated types for (some) of the "Info" payload in Match and Target expressions that bridge between the nftables and xtables worlds.

Bridging between the more unified world of nftables and the slightly heterogenous world of xtables comes with some caveats. Unmarshalling the extension/translation information in Match and Target expressions requires information about the table family the information belongs to, as well as type and type revision information. In consequence, unmarshalling the Match and Target Info field payloads often (but not necessarily always) require the table family and revision information, so it gets passed to the type-specific unmarshallers.

To complicate things more, even marshalling requires knowledge about the enclosing table family. The NatRange/NatRange2 types are an example, where it is necessary to differentiate between IPv4 and IPv6 address marshalling. Due to Go's net.IP habit to normally store IPv4 addresses as IPv4-compatible IPv6 addresses (see also RFC 4291, section 2.5.5.1) marshalling must be handled differently in the context of an IPv6 table compared to an IPv4 table. In an IPv4 table, an IPv4-compatible IPv6 address must be marshalled as a 32bit address, whereas in an IPv6 table the IPv4 address must be marshalled as an 128bit IPv4-compatible IPv6 address. Not relying on heuristics here we avoid behavior unexpected and most probably unknown to our API users. The net.IP habit of storing IPv4 addresses in two different storage formats is already a source for trouble, especially when comparing net.IPs from different Go module sources. We won't add to this confusion. (...or maybe we can, because of it?)

An important property of all types of Info extension/translation payloads is that their marshalling and unmarshalling doesn't follow netlink's TLV (tag-length-value) architecture. Instead, Info payloads a basically plain binary blobs of their respective type-specific data structures, so host platform/architecture alignment and data type sizes apply. The alignedbuff package implements the different required data types alignments.

Please note that Info payloads are always padded at their end to the next uint64 alignment. Kernel code is checking for the padded payload size and will reject payloads not correctly padded at their ends.

Most of the time, we find explifcitly sized (unsigned integer) data types. However, there are notable exceptions where "unsigned int" is used: on 64bit platforms this mostly translates into 32bit(!). This differs from Go mapping uint to uint64 instead. This package currently clamps its mapping of C's "unsigned int" to Go's uint32 for marshalling and unmarshalling. If in the future 128bit platforms with a differently sized C unsigned int should come into production, then the alignedbuff package will need to be adapted accordingly, as it abstracts away this data type handling.

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func Marshal ¶

func Marshal(fam TableFamily, rev uint32, info InfoAny) ([]byte, error)

Marshal a Match or Target Info type into its binary representation.

Types ¶

type AddrType ¶

type AddrType struct {
	Source       uint16
	Dest         uint16
	InvertSource bool
	InvertDest   bool
}

Rev. 0, see https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/xt_addrtype.h#L38

type AddrTypeFlags ¶

type AddrTypeFlags uint32

const (
	AddrTypeUnspec AddrTypeFlags = 1 << iota
	AddrTypeUnicast
	AddrTypeLocal
	AddrTypeBroadcast
	AddrTypeAnycast
	AddrTypeMulticast
	AddrTypeBlackhole
	AddrTypeUnreachable
	AddrTypeProhibit
	AddrTypeThrow
	AddrTypeNat
	AddrTypeXresolve
)

type AddrTypeV1 ¶

type AddrTypeV1 struct {
	Source uint16
	Dest   uint16
	Flags  AddrTypeFlags
}

See https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/xt_addrtype.h#L31

type ConntrackFlags ¶

type ConntrackFlags uint16

const (
	ConntrackState ConntrackFlags = 1 << iota
	ConntrackProto
	ConntrackOrigSrc
	ConntrackOrigDst
	ConntrackReplSrc
	ConntrackReplDst
	ConntrackStatus
	ConntrackExpires
	ConntrackOrigSrcPort
	ConntrackOrigDstPort
	ConntrackReplSrcPort
	ConntrackReplDstPrt
	ConntrackDirection
	ConntrackStateAlias
)

type ConntrackMtinfo1 ¶

type ConntrackMtinfo1 struct {
	ConntrackMtinfoBase
	StateMask  uint8
	StatusMask uint8
}

See https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/xt_conntrack.h#L38

type ConntrackMtinfo2 ¶

type ConntrackMtinfo2 struct {
	ConntrackMtinfoBase
	StateMask  uint16
	StatusMask uint16
}

See https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/xt_conntrack.h#L51

type ConntrackMtinfo3 ¶

type ConntrackMtinfo3 struct {
	ConntrackMtinfo2
	OrigSrcPortHigh uint16
	OrigDstPortHigh uint16
	ReplSrcPortHigh uint16
	ReplDstPortHigh uint16
}

See https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/xt_conntrack.h#L64

type ConntrackMtinfoBase ¶

type ConntrackMtinfoBase struct {
	OrigSrcAddr net.IP
	OrigSrcMask net.IPMask
	OrigDstAddr net.IP
	OrigDstMask net.IPMask
	ReplSrcAddr net.IP
	ReplSrcMask net.IPMask
	ReplDstAddr net.IP
	ReplDstMask net.IPMask
	ExpiresMin  uint32
	ExpiresMax  uint32
	L4Proto     uint16
	OrigSrcPort uint16
	OrigDstPort uint16
	ReplSrcPort uint16
	ReplDstPort uint16
	MatchFlags  uint16
	InvertFlags uint16
}

type InfoAny ¶

type InfoAny interface {
	// contains filtered or unexported methods
}

InfoAny is a (un)marshaling implemented by any info type.

func Unmarshal ¶

func Unmarshal(name string, fam TableFamily, rev uint32, data []byte) (InfoAny, error)

Unmarshal Info binary payload into its corresponding dedicated type as indicated by the name argument. In several cases, unmarshalling depends on the specific table family the Target or Match expression with the info payload belongs to, as well as the specific info structure revision.

type NatIPv4MultiRangeCompat ¶

type NatIPv4MultiRangeCompat []NatIPv4Range

NatIPv4MultiRangeCompat despite being a slice of NAT IPv4 ranges is currently allowed to only hold exactly one element.

See https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/nf_nat.h#L33

type NatIPv4Range ¶

type NatIPv4Range struct {
	Flags   uint // sic!
	MinIP   net.IP
	MaxIP   net.IP
	MinPort uint16
	MaxPort uint16
}

See https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/nf_nat.h#L25

type NatRange ¶

type NatRange struct {
	Flags   uint   // sic! platform/arch/compiler-dependent uint size
	MinIP   net.IP // always taking up space for an IPv6 address
	MaxIP   net.IP // dito
	MinPort uint16
	MaxPort uint16
}

see: https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/nf_nat.h#L38

type NatRange2 ¶

type NatRange2 struct {
	NatRange
	BasePort uint16
}

see: https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/nf_nat.h#L46

type NatRangeFlags ¶

type NatRangeFlags uint

const (
	NatRangeMapIPs NatRangeFlags = (1 << iota)
	NatRangeProtoSpecified
	NatRangeProtoRandom
	NatRangePersistent
	NatRangeProtoRandomFully
	NatRangeProtoOffset
	NatRangeNetmap

	NatRangeMask NatRangeFlags = (1 << iota) - 1

	NatRangeProtoRandomAll = NatRangeProtoRandom | NatRangeProtoRandomFully
)

See: https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/nf_nat.h#L8

type TableFamily ¶

type TableFamily byte

TableFamily specifies the address family of the table Match or Target Info data is contained in. On purpose, we don't import the expr package here in order to keep the option open to import this package instead into expr.

type Tcp ¶

type Tcp struct {
	SrcPorts  [2]uint16     // min, max source port range
	DstPorts  [2]uint16     // min, max destination port range
	Option    uint8         // TCP option if non-zero
	FlagsMask uint8         // TCP flags mask
	FlagsCmp  uint8         // TCP flags compare
	InvFlags  TcpInvFlagset // Inverse flags
}

Tcp is the Match.Info payload for the tcp xtables extension (https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables#tcp).

See https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/xt_tcpudp.h#L8

type TcpInvFlagset ¶

type TcpInvFlagset uint8

const (
	TcpInvSrcPorts TcpInvFlagset = 1 << iota
	TcpInvDestPorts
	TcpInvFlags
	TcpInvOption
	TcpInvMask TcpInvFlagset = (1 << iota) - 1
)

type Udp ¶

type Udp struct {
	SrcPorts [2]uint16     // min, max source port range
	DstPorts [2]uint16     // min, max destination port range
	InvFlags UdpInvFlagset // Inverse flags
}