stack

package
v0.0.0-...-ff2c174 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 9, 2021 License: Apache-2.0, MIT Imports: 27 Imported by: 0

Documentation

Overview

Package stack provides the glue between networking protocols and the consumers of the networking stack.

For consumers, the only function of interest is New(), everything else is provided by the tcpip/public package.

Index

Constants

View Source 
const (
	// MinBufferSize is the smallest size of a receive or send buffer.
	MinBufferSize = 4 << 10 // 4 KiB

	// DefaultBufferSize is the default size of the send/recv buffer for a
	// transport endpoint.
	DefaultBufferSize = 212 << 10 // 212 KiB

	// DefaultMaxBufferSize is the default maximum permitted size of a
	// send/receive buffer.
	DefaultMaxBufferSize = 4 << 20 // 4 MiB

)
View Source 
const (

	// DefaultTOS is the default type of service value for network endpoints.
	DefaultTOS = 0
)
View Source 
const HookUnset = -1

HookUnset indicates that there is no hook set for an entrypoint or underflow.

View Source 
const SoftwareGSOMaxSize = (1 << 16)

SoftwareGSOMaxSize is a maximum allowed size of a software GSO segment. This isn't a hard limit, because it is never set into packet headers.

Variables

This section is empty.

Functions

func PayloadSince 

func PayloadSince(h PacketHeader) buffer.View

PayloadSince returns packet payload starting from and including a particular header.

The returned View is owned by the caller - its backing buffer is separate from the packet header's underlying packet buffer.

Types

type AcceptTarget 

type AcceptTarget struct {
	// NetworkProtocol is the network protocol the target is used with.
	NetworkProtocol tcpip.NetworkProtocolNumber
}

AcceptTarget accepts packets.

func (*AcceptTarget) Action 

func (*AcceptTarget) Action(*PacketBuffer, *ConnTrack, Hook, *Route, tcpip.Address) (RuleVerdict, int)

Action implements Target.Action.

type AddressConfigType 

type AddressConfigType int

AddressConfigType is the method used to add an address. 

const (
	// AddressConfigStatic is a statically configured address endpoint that was
	// added by some user-specified action (adding an explicit address, joining a
	// multicast group).
	AddressConfigStatic AddressConfigType = iota

	// AddressConfigSlaac is an address endpoint added by SLAAC, as per RFC 4862
	// section 5.5.3.
	AddressConfigSlaac

	// AddressConfigSlaacTemp is a temporary address endpoint added by SLAAC as
	// per RFC 4941. Temporary SLAAC addresses are short-lived and are not
	// to be valid (or preferred) forever; hence the term temporary.
	AddressConfigSlaacTemp
)

type AddressEndpoint 

type AddressEndpoint interface {
	AssignableAddressEndpoint

	// GetKind returns the address kind for this endpoint.
	GetKind() AddressKind

	// SetKind sets the address kind for this endpoint.
	SetKind(AddressKind)

	// ConfigType returns the method used to add the address.
	ConfigType() AddressConfigType

	// Deprecated returns whether or not this endpoint is deprecated.
	Deprecated() bool

	// SetDeprecated sets this endpoint's deprecated status.
	SetDeprecated(bool)
}

AddressEndpoint is an endpoint representing an address assigned to an AddressableEndpoint.

type AddressKind 

type AddressKind int

AddressKind is the kind of an address.

See the values of AddressKind for more details. 

const (
	// PermanentTentative is a permanent address endpoint that is not yet
	// considered to be fully bound to an interface in the traditional
	// sense. That is, the address is associated with a NIC, but packets
	// destined to the address MUST NOT be accepted and MUST be silently
	// dropped, and the address MUST NOT be used as a source address for
	// outgoing packets. For IPv6, addresses are of this kind until NDP's
	// Duplicate Address Detection (DAD) resolves. If DAD fails, the address
	// is removed.
	PermanentTentative AddressKind = iota

	// Permanent is a permanent endpoint (vs. a temporary one) assigned to the
	// NIC. Its reference count is biased by 1 to avoid removal when no route
	// holds a reference to it. It is removed by explicitly removing the address
	// from the NIC.
	Permanent

	// PermanentExpired is a permanent endpoint that had its address removed from
	// the NIC, and it is waiting to be removed once no references to it are held.
	//
	// If the address is re-added before the endpoint is removed, its type
	// changes back to Permanent.
	PermanentExpired

	// Temporary is an endpoint, created on a one-off basis to temporarily
	// consider the NIC bound an an address that it is not explictiy bound to
	// (such as a permanent address). Its reference count must not be biased by 1
	// so that the address is removed immediately when references to it are no
	// longer held.
	//
	// A temporary endpoint may be promoted to permanent if the address is added
	// permanently.
	Temporary
)

func (AddressKind) IsPermanent 

func (k AddressKind) IsPermanent() bool

IsPermanent returns true if the AddressKind represents a permanent address.

type AddressableEndpoint 

type AddressableEndpoint interface {
	// AddAndAcquirePermanentAddress adds the passed permanent address.
	//
	// Returns *tcpip.ErrDuplicateAddress if the address exists.
	//
	// Acquires and returns the AddressEndpoint for the added address.
	AddAndAcquirePermanentAddress(addr tcpip.AddressWithPrefix, peb PrimaryEndpointBehavior, configType AddressConfigType, deprecated bool) (AddressEndpoint, tcpip.Error)

	// RemovePermanentAddress removes the passed address if it is a permanent
	// address.
	//
	// Returns *tcpip.ErrBadLocalAddress if the endpoint does not have the passed
	// permanent address.
	RemovePermanentAddress(addr tcpip.Address) tcpip.Error

	// MainAddress returns the endpoint's primary permanent address.
	MainAddress() tcpip.AddressWithPrefix

	// AcquireAssignedAddress returns an address endpoint for the passed address
	// that is considered bound to the endpoint, optionally creating a temporary
	// endpoint if requested and no existing address exists.
	//
	// The returned endpoint's reference count is incremented.
	//
	// Returns nil if the specified address is not local to this endpoint.
	AcquireAssignedAddress(localAddr tcpip.Address, allowTemp bool, tempPEB PrimaryEndpointBehavior) AddressEndpoint

	// AcquireOutgoingPrimaryAddress returns a primary address that may be used as
	// a source address when sending packets to the passed remote address.
	//
	// If allowExpired is true, expired addresses may be returned.
	//
	// The returned endpoint's reference count is incremented.
	//
	// Returns nil if a primary address is not available.
	AcquireOutgoingPrimaryAddress(remoteAddr tcpip.Address, allowExpired bool) AddressEndpoint

	// PrimaryAddresses returns the primary addresses.
	PrimaryAddresses() []tcpip.AddressWithPrefix

	// PermanentAddresses returns all the permanent addresses.
	PermanentAddresses() []tcpip.AddressWithPrefix
}

AddressableEndpoint is an endpoint that supports addressing.

An endpoint is considered to support addressing when the endpoint may associate itself with an identifier (address).

type AddressableEndpointState 

type AddressableEndpointState struct {
	// contains filtered or unexported fields
}

AddressableEndpointState is an implementation of an AddressableEndpoint.

func (*AddressableEndpointState) AcquireAssignedAddress 

func (a *AddressableEndpointState) AcquireAssignedAddress(localAddr tcpip.Address, allowTemp bool, tempPEB PrimaryEndpointBehavior) AddressEndpoint

AcquireAssignedAddress implements AddressableEndpoint.

func (*AddressableEndpointState) AcquireAssignedAddressOrMatching 

func (a *AddressableEndpointState) AcquireAssignedAddressOrMatching(localAddr tcpip.Address, f func(AddressEndpoint) bool, allowTemp bool, tempPEB PrimaryEndpointBehavior) AddressEndpoint

AcquireAssignedAddressOrMatching returns an address endpoint that is considered assigned to the addressable endpoint.

If the address is an exact match with an existing address, that address is returned. Otherwise, if f is provided, f is called with each address and the address that f returns true for is returned.

If there is no matching address, a temporary address will be returned if allowTemp is true.

Regardless how the address was obtained, it will be acquired before it is returned.

func (*AddressableEndpointState) AcquireOutgoingPrimaryAddress 

func (a *AddressableEndpointState) AcquireOutgoingPrimaryAddress(remoteAddr tcpip.Address, allowExpired bool) AddressEndpoint

AcquireOutgoingPrimaryAddress implements AddressableEndpoint.

func (*AddressableEndpointState) AddAndAcquirePermanentAddress 

func (a *AddressableEndpointState) AddAndAcquirePermanentAddress(addr tcpip.AddressWithPrefix, peb PrimaryEndpointBehavior, configType AddressConfigType, deprecated bool) (AddressEndpoint, tcpip.Error)

AddAndAcquirePermanentAddress implements AddressableEndpoint.

func (*AddressableEndpointState) AddAndAcquireTemporaryAddress 

func (a *AddressableEndpointState) AddAndAcquireTemporaryAddress(addr tcpip.AddressWithPrefix, peb PrimaryEndpointBehavior) (AddressEndpoint, tcpip.Error)

AddAndAcquireTemporaryAddress adds a temporary address.

Returns *tcpip.ErrDuplicateAddress if the address exists.

The temporary address's endpoint is acquired and returned.

func (*AddressableEndpointState) Cleanup 

func (a *AddressableEndpointState) Cleanup()

Cleanup forcefully leaves all groups and removes all permanent addresses.

func (*AddressableEndpointState) ForEachEndpoint 

func (a *AddressableEndpointState) ForEachEndpoint(f func(AddressEndpoint) bool)

ForEachEndpoint calls f for each address.

Once f returns false, f will no longer be called.

func (*AddressableEndpointState) ForEachPrimaryEndpoint 

func (a *AddressableEndpointState) ForEachPrimaryEndpoint(f func(AddressEndpoint) bool)

ForEachPrimaryEndpoint calls f for each primary address.

Once f returns false, f will no longer be called.

func (*AddressableEndpointState) GetAddress 

func (a *AddressableEndpointState) GetAddress(addr tcpip.Address) AddressEndpoint

GetAddress returns the AddressEndpoint for the passed address.

GetAddress does not increment the address's reference count or check if the address is considered bound to the endpoint.

Returns nil if the passed address is not associated with the endpoint.

func (*AddressableEndpointState) Init 

func (a *AddressableEndpointState) Init(networkEndpoint NetworkEndpoint)

Init initializes the AddressableEndpointState with networkEndpoint.

Must be called before calling any other function on m.

func (*AddressableEndpointState) MainAddress 

func (a *AddressableEndpointState) MainAddress() tcpip.AddressWithPrefix

MainAddress implements AddressableEndpoint.

func (*AddressableEndpointState) PermanentAddresses 

func (a *AddressableEndpointState) PermanentAddresses() []tcpip.AddressWithPrefix

PermanentAddresses implements AddressableEndpoint.

func (*AddressableEndpointState) PrimaryAddresses 

func (a *AddressableEndpointState) PrimaryAddresses() []tcpip.AddressWithPrefix

PrimaryAddresses implements AddressableEndpoint.

func (*AddressableEndpointState) RemovePermanentAddress 

func (a *AddressableEndpointState) RemovePermanentAddress(addr tcpip.Address) tcpip.Error

RemovePermanentAddress implements AddressableEndpoint.

func (*AddressableEndpointState) RemovePermanentEndpoint 

func (a *AddressableEndpointState) RemovePermanentEndpoint(ep AddressEndpoint) tcpip.Error

RemovePermanentEndpoint removes the passed endpoint if it is associated with a and permanent.

type AssignableAddressEndpoint 

type AssignableAddressEndpoint interface {
	// AddressWithPrefix returns the endpoint's address.
	AddressWithPrefix() tcpip.AddressWithPrefix

	// Subnet returns the subnet of the endpoint's address.
	Subnet() tcpip.Subnet

	// IsAssigned returns whether or not the endpoint is considered bound
	// to its NetworkEndpoint.
	IsAssigned(allowExpired bool) bool

	// IncRef increments this endpoint's reference count.
	//
	// Returns true if it was successfully incremented. If it returns false, then
	// the endpoint is considered expired and should no longer be used.
	IncRef() bool

	// DecRef decrements this endpoint's reference count.
	DecRef()
}

AssignableAddressEndpoint is a reference counted address endpoint that may be assigned to a NetworkEndpoint.

type ConnTrack 

type ConnTrack struct {
	// contains filtered or unexported fields
}

ConnTrack tracks all connections created for NAT rules. Most users are expected to only call handlePacket, insertRedirectConn, and maybeInsertNoop.

ConnTrack keeps all connections in a slice of buckets, each of which holds a linked list of tuples. This gives us some desirable properties:

  • Each bucket has its own lock, lessening lock contention.
  • The slice is large enough that lists stay short (<10 elements on average). Thus traversal is fast.
  • During linked list traversal we reap expired connections. This amortizes the cost of reaping them and makes reapUnused faster.

Locks are ordered by their location in the buckets slice. That is, a goroutine that locks buckets[i] can only lock buckets[j] s.t. i < j.

+stateify savable

func (*ConnTrack) StateFields 

func (ct *ConnTrack) StateFields() []string

func (*ConnTrack) StateLoad 

func (ct *ConnTrack) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*ConnTrack) StateSave 

func (ct *ConnTrack) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*ConnTrack) StateTypeName 

func (ct *ConnTrack) StateTypeName() string

type DADAborted 

type DADAborted struct{}

DADAborted indicates DAD was aborted.

type DADCheckAddressDisposition 

type DADCheckAddressDisposition int

DADCheckAddressDisposition enumerates the possible return values from DAD.CheckDuplicateAddress. 

const (

	// DADDisabled indicates that DAD is disabled.
	DADDisabled DADCheckAddressDisposition

	// DADStarting indicates that DAD is starting for an address.
	DADStarting

	// DADAlreadyRunning indicates that DAD was already started for an address.
	DADAlreadyRunning
)

type DADCompletionHandler 

type DADCompletionHandler func(DADResult)

DADCompletionHandler is a handler for DAD completion.

type DADConfigurations 

type DADConfigurations struct {
	// The number of Neighbor Solicitation messages to send when doing
	// Duplicate Address Detection for a tentative address.
	//
	// Note, a value of zero effectively disables DAD.
	DupAddrDetectTransmits uint8

	// The amount of time to wait between sending Neighbor Solicitation
	// messages.
	//
	// Must be greater than or equal to 1ms.
	RetransmitTimer time.Duration
}

DADConfigurations holds configurations for duplicate address detection.

func DefaultDADConfigurations 

func DefaultDADConfigurations() DADConfigurations

DefaultDADConfigurations returns the default DAD configurations.

func (*DADConfigurations) Validate 

func (c *DADConfigurations) Validate()

Validate modifies the configuration with valid values. If invalid values are present in the configurations, the corresponding default values are used instead.

type DADDupAddrDetected 

type DADDupAddrDetected struct {
	// HolderLinkAddress is the link address of the node that holds the duplicate
	// address.
	HolderLinkAddress tcpip.LinkAddress
}

DADDupAddrDetected indicates DAD detected a duplicate address.

type DADError 

type DADError struct {
	Err tcpip.Error
}

DADError indicates DAD hit an error.

type DADResult 

type DADResult interface {
	// contains filtered or unexported methods
}

DADResult is a marker interface for the result of a duplicate address detection process.

type DADSucceeded 

type DADSucceeded struct{}

DADSucceeded indicates DAD completed without finding any duplicate addresses.

type DirectionStats 

type DirectionStats struct {
	Packets *tcpip.StatCounter
	Bytes   *tcpip.StatCounter
}

DirectionStats includes packet and byte counts.

type DropTarget 

type DropTarget struct {
	// NetworkProtocol is the network protocol the target is used with.
	NetworkProtocol tcpip.NetworkProtocolNumber
}

DropTarget drops packets.

func (*DropTarget) Action 

func (*DropTarget) Action(*PacketBuffer, *ConnTrack, Hook, *Route, tcpip.Address) (RuleVerdict, int)

Action implements Target.Action.

type DuplicateAddressDetector 

type DuplicateAddressDetector interface {
	// CheckDuplicateAddress checks if an address is assigned to a neighbor.
	//
	// If DAD is already being performed for the address, the handler will be
	// called with the result of the original DAD request.
	CheckDuplicateAddress(tcpip.Address, DADCompletionHandler) DADCheckAddressDisposition

	// SetDADConfiguations sets the configurations for DAD.
	SetDADConfigurations(c DADConfigurations)

	// DuplicateAddressProtocol returns the network protocol the receiver can
	// perform duplicate address detection for.
	DuplicateAddressProtocol() tcpip.NetworkProtocolNumber
}

DuplicateAddressDetector handles checking if an address is already assigned to some neighboring node on the link.

type ErrorTarget 

type ErrorTarget struct {
	// NetworkProtocol is the network protocol the target is used with.
	NetworkProtocol tcpip.NetworkProtocolNumber
}

ErrorTarget logs an error and drops the packet. It represents a target that should be unreachable.

func (*ErrorTarget) Action 

func (*ErrorTarget) Action(*PacketBuffer, *ConnTrack, Hook, *Route, tcpip.Address) (RuleVerdict, int)

Action implements Target.Action.

type ForwardingNetworkProtocol 

type ForwardingNetworkProtocol interface {
	NetworkProtocol

	// Forwarding returns the forwarding configuration.
	Forwarding() bool

	// SetForwarding sets the forwarding configuration.
	SetForwarding(bool)
}

ForwardingNetworkProtocol is a NetworkProtocol that may forward packets.

type GSO 

type GSO struct {
	// Type is one of GSONone, GSOTCPv4, etc.
	Type GSOType
	// NeedsCsum is set if the checksum offload is enabled.
	NeedsCsum bool
	// CsumOffset is offset after that to place checksum.
	CsumOffset uint16

	// Mss is maximum segment size.
	MSS uint16
	// L3Len is L3 (IP) header length.
	L3HdrLen uint16

	// MaxSize is maximum GSO packet size.
	MaxSize uint32
}

GSO contains generic segmentation offload properties.

+stateify savable

func (*GSO) StateFields 

func (g *GSO) StateFields() []string

func (*GSO) StateLoad 

func (g *GSO) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*GSO) StateSave 

func (g *GSO) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*GSO) StateTypeName 

func (g *GSO) StateTypeName() string

type GSOEndpoint 

type GSOEndpoint interface {
	// GSOMaxSize returns the maximum GSO packet size.
	GSOMaxSize() uint32

	// SupportedGSO returns the supported segmentation offloading.
	SupportedGSO() SupportedGSO
}

GSOEndpoint provides access to GSO properties.

type GSOType 

type GSOType int

GSOType is the type of GSO segments.

+stateify savable 

const (
	GSONone GSOType = iota

	// Hardware GSO types:
	GSOTCPv4
	GSOTCPv6

	// GSOSW is used for software GSO segments which have to be sent by
	// endpoint.WritePackets.
	GSOSW
)

Types of gso segments.

func (*GSOType) StateFields 

func (g *GSOType) StateFields() []string

func (*GSOType) StateTypeName 

func (g *GSOType) StateTypeName() string

type GroupAddressableEndpoint 

type GroupAddressableEndpoint interface {
	// JoinGroup joins the specified group.
	JoinGroup(group tcpip.Address) tcpip.Error

	// LeaveGroup attempts to leave the specified group.
	LeaveGroup(group tcpip.Address) tcpip.Error

	// IsInGroup returns true if the endpoint is a member of the specified group.
	IsInGroup(group tcpip.Address) bool
}

GroupAddressableEndpoint is an endpoint that supports group addressing.

An endpoint is considered to support group addressing when one or more endpoints may associate themselves with the same identifier (group address).

type Hook 

type Hook uint

A Hook specifies one of the hooks built into the network stack. 

Userspace app          Userspace app
      ^                      |
      |                      v
   [Input]               [Output]
      ^                      |
      |                      v
      |                   routing
      |                      |
      |                      v

----->[Prerouting]----->routing----->[Forward]---------Postrouting-----> 

const (
	// Prerouting happens before a packet is routed to applications or to
	// be forwarded.
	Prerouting Hook = iota

	// Input happens before a packet reaches an application.
	Input

	// Forward happens once it's decided that a packet should be forwarded
	// to another host.
	Forward

	// Output happens after a packet is written by an application to be
	// sent out.
	Output

	// Postrouting happens just before a packet goes out on the wire.
	Postrouting

	// NumHooks is the total number of hooks.
	NumHooks
)

func (Hook) String 

func (i Hook) String() string

type ICMPRateLimiter 

type ICMPRateLimiter struct {
	*rate.Limiter
}

ICMPRateLimiter is a global rate limiter that controls the generation of ICMP messages generated by the stack.

func NewICMPRateLimiter 

func NewICMPRateLimiter() *ICMPRateLimiter

NewICMPRateLimiter returns a global rate limiter for controlling the rate at which ICMP messages are generated by the stack.

type IPHeaderFilter 

type IPHeaderFilter struct {
	// Protocol matches the transport protocol.
	Protocol tcpip.TransportProtocolNumber

	// CheckProtocol determines whether the Protocol field should be
	// checked during matching.
	CheckProtocol bool

	// Dst matches the destination IP address.
	Dst tcpip.Address

	// DstMask masks bits of the destination IP address when comparing with
	// Dst.
	DstMask tcpip.Address

	// DstInvert inverts the meaning of the destination IP check, i.e. when
	// true the filter will match packets that fail the destination
	// comparison.
	DstInvert bool

	// Src matches the source IP address.
	Src tcpip.Address

	// SrcMask masks bits of the source IP address when comparing with Src.
	SrcMask tcpip.Address

	// SrcInvert inverts the meaning of the source IP check, i.e. when true the
	// filter will match packets that fail the source comparison.
	SrcInvert bool

	// InputInterface matches the name of the incoming interface for the packet.
	InputInterface string

	// InputInterfaceMask masks the characters of the interface name when
	// comparing with InputInterface.
	InputInterfaceMask string

	// InputInterfaceInvert inverts the meaning of incoming interface check,
	// i.e. when true the filter will match packets that fail the incoming
	// interface comparison.
	InputInterfaceInvert bool

	// OutputInterface matches the name of the outgoing interface for the packet.
	OutputInterface string

	// OutputInterfaceMask masks the characters of the interface name when
	// comparing with OutputInterface.
	OutputInterfaceMask string

	// OutputInterfaceInvert inverts the meaning of outgoing interface check,
	// i.e. when true the filter will match packets that fail the outgoing
	// interface comparison.
	OutputInterfaceInvert bool
}

IPHeaderFilter performs basic IP header matching common to every rule.

+stateify savable

func (IPHeaderFilter) NetworkProtocol 

func (fl IPHeaderFilter) NetworkProtocol() tcpip.NetworkProtocolNumber

NetworkProtocol returns the protocol (IPv4 or IPv6) on to which the header applies.

func (*IPHeaderFilter) StateFields 

func (fl *IPHeaderFilter) StateFields() []string

func (*IPHeaderFilter) StateLoad 

func (fl *IPHeaderFilter) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*IPHeaderFilter) StateSave 

func (fl *IPHeaderFilter) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*IPHeaderFilter) StateTypeName 

func (fl *IPHeaderFilter) StateTypeName() string

type IPNetworkEndpointStats 

type IPNetworkEndpointStats interface {
	NetworkEndpointStats

	// IPStats returns the IP statistics of a network endpoint.
	IPStats() *tcpip.IPStats
}

IPNetworkEndpointStats is a NetworkEndpointStats that tracks IP-related statistics.

type IPTables 

type IPTables struct {
	// contains filtered or unexported fields
}

IPTables holds all the tables for a netstack.

+stateify savable

func DefaultTables 

func DefaultTables() *IPTables

DefaultTables returns a default set of tables. Each chain is set to accept all packets.

func (*IPTables) Check 

func (it *IPTables) Check(hook Hook, pkt *PacketBuffer, r *Route, preroutingAddr tcpip.Address, inNicName, outNicName string) bool

Check runs pkt through the rules for hook. It returns true when the packet should continue traversing the network stack and false when it should be dropped.

TODO(gvisor.dev/issue/170): PacketBuffer should hold the route, from which address can be gathered. Currently, address is only needed for prerouting.

Precondition: pkt.NetworkHeader is set.

func (*IPTables) CheckPackets 

func (it *IPTables) CheckPackets(hook Hook, pkts PacketBufferList, r *Route, inNicName, outNicName string) (drop map[*PacketBuffer]struct{}, natPkts map[*PacketBuffer]struct{})

CheckPackets runs pkts through the rules for hook and returns a map of packets that should not go forward.

Preconditions: * pkt is a IPv4 packet of at least length header.IPv4MinimumSize. * pkt.NetworkHeader is not nil.

NOTE: unlike the Check API the returned map contains packets that should be dropped.

func (*IPTables) GetTable 

func (it *IPTables) GetTable(id TableID, ipv6 bool) Table

GetTable returns a table with the given id and IP version. It panics when an invalid id is provided.

func (*IPTables) OriginalDst 

func (it *IPTables) OriginalDst(epID TransportEndpointID, netProto tcpip.NetworkProtocolNumber) (tcpip.Address, uint16, tcpip.Error)

OriginalDst returns the original destination of redirected connections. It returns an error if the connection doesn't exist or isn't redirected.

func (*IPTables) ReplaceTable 

func (it *IPTables) ReplaceTable(id TableID, table Table, ipv6 bool) tcpip.Error

ReplaceTable replaces or inserts table by name. It panics when an invalid id is provided.

func (*IPTables) StateFields 

func (it *IPTables) StateFields() []string

func (*IPTables) StateLoad 

func (it *IPTables) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*IPTables) StateSave 

func (it *IPTables) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*IPTables) StateTypeName 

func (it *IPTables) StateTypeName() string

func (*IPTables) VisitTargets 

func (it *IPTables) VisitTargets(transform func(Target) Target)

VisitTargets traverses all the targets of all tables and replaces each with transform(target).

type InjectableLinkEndpoint 

type InjectableLinkEndpoint interface {
	LinkEndpoint

	// InjectInbound injects an inbound packet.
	InjectInbound(protocol tcpip.NetworkProtocolNumber, pkt *PacketBuffer)

	// InjectOutbound writes a fully formed outbound packet directly to the
	// link.
	//
	// dest is used by endpoints with multiple raw destinations.
	InjectOutbound(dest tcpip.Address, packet []byte) tcpip.Error
}

InjectableLinkEndpoint is a LinkEndpoint where inbound packets are delivered via the Inject method.

type LinkAddressResolver 

type LinkAddressResolver interface {
	// LinkAddressRequest sends a request for the link address of the target
	// address. The request is broadcasted on the local network if a remote link
	// address is not provided.
	LinkAddressRequest(targetAddr, localAddr tcpip.Address, remoteLinkAddr tcpip.LinkAddress) tcpip.Error

	// ResolveStaticAddress attempts to resolve address without sending
	// requests. It either resolves the name immediately or returns the
	// empty LinkAddress.
	//
	// It can be used to resolve broadcast addresses for example.
	ResolveStaticAddress(addr tcpip.Address) (tcpip.LinkAddress, bool)

	// LinkAddressProtocol returns the network protocol of the
	// addresses this resolver can resolve.
	LinkAddressProtocol() tcpip.NetworkProtocolNumber
}

LinkAddressResolver handles link address resolution for a network protocol.

type LinkEndpoint 

type LinkEndpoint interface {
	NetworkLinkEndpoint

	// Capabilities returns the set of capabilities supported by the
	// endpoint.
	Capabilities() LinkEndpointCapabilities

	// Attach attaches the data link layer endpoint to the network-layer
	// dispatcher of the stack.
	//
	// Attach is called with a nil dispatcher when the endpoint's NIC is being
	// removed.
	Attach(dispatcher NetworkDispatcher)

	// IsAttached returns whether a NetworkDispatcher is attached to the
	// endpoint.
	IsAttached() bool

	// Wait waits for any worker goroutines owned by the endpoint to stop.
	//
	// For now, requesting that an endpoint's worker goroutine(s) stop is
	// implementation specific.
	//
	// Wait will not block if the endpoint hasn't started any goroutines
	// yet, even if it might later.
	Wait()

	// ARPHardwareType returns the ARPHRD_TYPE of the link endpoint.
	//
	// See:
	// https://github.com/torvalds/linux/blob/aa0c9086b40c17a7ad94425b3b70dd1fdd7497bf/include/uapi/linux/if_arp.h#L30
	ARPHardwareType() header.ARPHardwareType

	// AddHeader adds a link layer header to pkt if required.
	AddHeader(local, remote tcpip.LinkAddress, protocol tcpip.NetworkProtocolNumber, pkt *PacketBuffer)

	// WritePacket writes a packet with the given protocol and route.
	//
	// WritePacket takes ownership of the packet buffer. The packet buffer's
	// network and transport header must be set.
	//
	// To participate in transparent bridging, a LinkEndpoint implementation
	// should call eth.Encode with header.EthernetFields.SrcAddr set to
	// r.LocalLinkAddress if it is provided.
	WritePacket(RouteInfo, tcpip.NetworkProtocolNumber, *PacketBuffer) tcpip.Error

	// WritePackets writes packets with the given protocol and route. Must not be
	// called with an empty list of packet buffers.
	//
	// WritePackets takes ownership of the packet buffers.
	//
	// Right now, WritePackets is used only when the software segmentation
	// offload is enabled. If it will be used for something else, syscall filters
	// may need to be updated.
	WritePackets(RouteInfo, PacketBufferList, tcpip.NetworkProtocolNumber) (int, tcpip.Error)
}

LinkEndpoint is the interface implemented by data link layer protocols (e.g., ethernet, loopback, raw) and used by network layer protocols to send packets out through the implementer's data link endpoint. When a link header exists, it sets each PacketBuffer's LinkHeader field before passing it up the stack.

type LinkEndpointCapabilities 

type LinkEndpointCapabilities uint

LinkEndpointCapabilities is the type associated with the capabilities supported by a link-layer endpoint. It is a set of bitfields. 

const (
	CapabilityNone LinkEndpointCapabilities = 0
	// CapabilityTXChecksumOffload indicates that the link endpoint supports
	// checksum computation for outgoing packets and the stack can skip
	// computing checksums when sending packets.
	CapabilityTXChecksumOffload LinkEndpointCapabilities = 1 << iota
	// CapabilityRXChecksumOffload indicates that the link endpoint supports
	// checksum verification on received packets and that it's safe for the
	// stack to skip checksum verification.
	CapabilityRXChecksumOffload
	CapabilityResolutionRequired
	CapabilitySaveRestore
	CapabilityDisconnectOk
	CapabilityLoopback
)

The following are the supported link endpoint capabilities.

type LinkResolutionResult 

type LinkResolutionResult struct {
	LinkAddress tcpip.LinkAddress
	Err         tcpip.Error
}

LinkResolutionResult is the result of a link address resolution attempt.

type LinkResolvableNetworkEndpoint 

type LinkResolvableNetworkEndpoint interface {
	// HandleLinkResolutionFailure is called when link resolution prevents the
	// argument from having been sent.
	HandleLinkResolutionFailure(*PacketBuffer)
}

LinkResolvableNetworkEndpoint handles link resolution events.

type Matcher 

type Matcher interface {
	// Match returns whether the packet matches and whether the packet
	// should be "hotdropped", i.e. dropped immediately. This is usually
	// used for suspicious packets.
	//
	// Precondition: packet.NetworkHeader is set.
	Match(hook Hook, packet *PacketBuffer, inputInterfaceName, outputInterfaceName string) (matches bool, hotdrop bool)
}

A Matcher is the interface for matching packets.

type NDPEndpoint 

type NDPEndpoint interface {
	NetworkEndpoint

	// InvalidateDefaultRouter invalidates a default router discovered through
	// NDP.
	InvalidateDefaultRouter(tcpip.Address)
}

NDPEndpoint is a network endpoint that supports NDP.

type NICContext 

type NICContext interface{}

NICContext is an opaque pointer used to store client-supplied NIC metadata.

type NICInfo 

type NICInfo struct {
	Name              string
	LinkAddress       tcpip.LinkAddress
	ProtocolAddresses []tcpip.ProtocolAddress

	// Flags indicate the state of the NIC.
	Flags NICStateFlags

	// MTU is the maximum transmission unit.
	MTU uint32

	Stats NICStats

	// NetworkStats holds the stats of each NetworkEndpoint bound to the NIC.
	NetworkStats map[tcpip.NetworkProtocolNumber]NetworkEndpointStats

	// Context is user-supplied data optionally supplied in CreateNICWithOptions.
	// See type NICOptions for more details.
	Context NICContext

	// ARPHardwareType holds the ARP Hardware type of the NIC. This is the
	// value sent in haType field of an ARP Request sent by this NIC and the
	// value expected in the haType field of an ARP response.
	ARPHardwareType header.ARPHardwareType
}

NICInfo captures the name and addresses assigned to a NIC.

type NICOptions 

type NICOptions struct {
	// Name specifies the name of the NIC.
	Name string

	// Disabled specifies whether to avoid calling Attach on the passed
	// LinkEndpoint.
	Disabled bool

	// Context specifies user-defined data that will be returned in stack.NICInfo
	// for the NIC. Clients of this library can use it to add metadata that
	// should be tracked alongside a NIC, to avoid having to keep a
	// map[tcpip.NICID]metadata mirroring stack.Stack's nic map.
	Context NICContext
}

NICOptions specifies the configuration of a NIC as it is being created. The zero value creates an enabled, unnamed NIC.

type NICStateFlags 

type NICStateFlags struct {
	// Up indicates whether the interface is running.
	Up bool

	// Running indicates whether resources are allocated.
	Running bool

	// Promiscuous indicates whether the interface is in promiscuous mode.
	Promiscuous bool

	// Loopback indicates whether the interface is a loopback.
	Loopback bool
}

NICStateFlags holds information about the state of an NIC.

type NICStats 

type NICStats struct {
	Tx DirectionStats
	Rx DirectionStats

	DisabledRx DirectionStats

	Neighbor NeighborStats
}

NICStats hold statistics for a NIC.

type NUDConfigurations 

type NUDConfigurations struct {
	// BaseReachableTime is the base duration for computing the random reachable
	// time.
	//
	// Reachable time is the duration for which a neighbor is considered
	// reachable after a positive reachability confirmation is received. It is a
	// function of uniformly distributed random value between minRandomFactor and
	// maxRandomFactor multiplied by baseReachableTime. Using a random component
	// eliminates the possibility that Neighbor Unreachability Detection messages
	// will synchronize with each other.
	//
	// After this time, a neighbor entry will transition from REACHABLE to STALE
	// state.
	//
	// Must be greater than 0.
	BaseReachableTime time.Duration

	// LearnBaseReachableTime enables learning BaseReachableTime during runtime
	// from the neighbor discovery protocol, if supported.
	//
	// TODO(gvisor.dev/issue/2240): Implement this NUD configuration option.
	LearnBaseReachableTime bool

	// MinRandomFactor is the minimum value of the random factor used for
	// computing reachable time.
	//
	// See BaseReachbleTime for more information on computing the reachable time.
	//
	// Must be greater than 0.
	MinRandomFactor float32

	// MaxRandomFactor is the maximum value of the random factor used for
	// computing reachabile time.
	//
	// See BaseReachbleTime for more information on computing the reachable time.
	//
	// Must be great than or equal to MinRandomFactor.
	MaxRandomFactor float32

	// RetransmitTimer is the duration between retransmission of reachability
	// probes in the PROBE state.
	RetransmitTimer time.Duration

	// LearnRetransmitTimer enables learning RetransmitTimer during runtime from
	// the neighbor discovery protocol, if supported.
	//
	// TODO(gvisor.dev/issue/2241): Implement this NUD configuration option.
	LearnRetransmitTimer bool

	// DelayFirstProbeTime is the duration to wait for a non-Neighbor-Discovery
	// related protocol to reconfirm reachability after entering the DELAY state.
	// After this time, a reachability probe will be sent and the entry will
	// transition to the PROBE state.
	//
	// Must be greater than 0.
	DelayFirstProbeTime time.Duration

	// MaxMulticastProbes is the number of reachability probes to send before
	// concluding negative reachability and deleting the neighbor entry from the
	// INCOMPLETE state.
	//
	// Must be greater than 0.
	MaxMulticastProbes uint32

	// MaxUnicastProbes is the number of reachability probes to send before
	// concluding retransmission from within the PROBE state should cease and
	// entry SHOULD be deleted.
	//
	// Must be greater than 0.
	MaxUnicastProbes uint32

	// MaxAnycastDelayTime is the time in which the stack SHOULD delay sending a
	// response for a random time between 0 and this time, if the target address
	// is an anycast address.
	//
	// TODO(gvisor.dev/issue/2242): Use this option when sending solicited
	// neighbor confirmations to anycast addresses and proxying neighbor
	// confirmations.
	MaxAnycastDelayTime time.Duration

	// MaxReachabilityConfirmations is the number of unsolicited reachability
	// confirmation messages a node MAY send to all-node multicast address when
	// it determines its link-layer address has changed.
	//
	// TODO(gvisor.dev/issue/2246): Discuss if implementation of this NUD
	// configuration option is necessary.
	MaxReachabilityConfirmations uint32
}

NUDConfigurations is the NUD configurations for the netstack. This is used by the neighbor cache to operate the NUD state machine on each device in the local network.

func DefaultNUDConfigurations 

func DefaultNUDConfigurations() NUDConfigurations

DefaultNUDConfigurations returns a NUDConfigurations populated with default values defined by RFC 4861 section 10.

type NUDDispatcher 

type NUDDispatcher interface {
	// OnNeighborAdded will be called when a new entry is added to a NIC's (with
	// ID nicID) neighbor table.
	//
	// This function is permitted to block indefinitely without interfering with
	// the stack's operation.
	//
	// May be called concurrently.
	OnNeighborAdded(tcpip.NICID, NeighborEntry)

	// OnNeighborChanged will be called when an entry in a NIC's (with ID nicID)
	// neighbor table changes state and/or link address.
	//
	// This function is permitted to block indefinitely without interfering with
	// the stack's operation.
	//
	// May be called concurrently.
	OnNeighborChanged(tcpip.NICID, NeighborEntry)

	// OnNeighborRemoved will be called when an entry is removed from a NIC's
	// (with ID nicID) neighbor table.
	//
	// This function is permitted to block indefinitely without interfering with
	// the stack's operation.
	//
	// May be called concurrently.
	OnNeighborRemoved(tcpip.NICID, NeighborEntry)
}

NUDDispatcher is the interface integrators of netstack must implement to receive and handle NUD related events.

type NUDState 

type NUDState struct {
	// contains filtered or unexported fields
}

NUDState stores states needed for calculating reachable time.

func NewNUDState 

func NewNUDState(c NUDConfigurations, rng Rand) *NUDState

NewNUDState returns new NUDState using c as configuration and the specified random number generator for use in recomputing ReachableTime.

func (*NUDState) Config 

func (s *NUDState) Config() NUDConfigurations

Config returns the NUD configuration.

func (*NUDState) ReachableTime 

func (s *NUDState) ReachableTime() time.Duration

ReachableTime returns the duration to wait for a REACHABLE entry to transition into STALE after inactivity. This value is recalculated for new values of BaseReachableTime, MinRandomFactor, and MaxRandomFactor using the algorithm defined in RFC 4861 section 6.3.2.

func (*NUDState) SetConfig 

func (s *NUDState) SetConfig(c NUDConfigurations)

SetConfig replaces the existing NUD configurations with c.

type NeighborEntry 

type NeighborEntry struct {
	Addr           tcpip.Address
	LinkAddr       tcpip.LinkAddress
	State          NeighborState
	UpdatedAtNanos int64
}

NeighborEntry describes a neighboring device in the local network.

type NeighborState 

type NeighborState uint8

NeighborState defines the state of a NeighborEntry within the Neighbor Unreachability Detection state machine, as per RFC 4861 section 7.3.2 and RFC 7048. 

const (
	// Unknown means reachability has not been verified yet. This is the initial
	// state of entries that have been created automatically by the Neighbor
	// Unreachability Detection state machine.
	Unknown NeighborState = iota
	// Incomplete means that there is an outstanding request to resolve the
	// address.
	Incomplete
	// Reachable means the path to the neighbor is functioning properly for both
	// receive and transmit paths.
	Reachable
	// Stale means reachability to the neighbor is unknown, but packets are still
	// able to be transmitted to the possibly stale link address.
	Stale
	// Delay means reachability to the neighbor is unknown and pending
	// confirmation from an upper-level protocol like TCP, but packets are still
	// able to be transmitted to the possibly stale link address.
	Delay
	// Probe means a reachability confirmation is actively being sought by
	// periodically retransmitting reachability probes until a reachability
	// confirmation is received, or until the maximum number of probes has been
	// sent.
	Probe
	// Static describes entries that have been explicitly added by the user. They
	// do not expire and are not deleted until explicitly removed.
	Static
	// Unreachable means reachability confirmation failed; the maximum number of
	// reachability probes has been sent and no replies have been received.
	//
	// TODO(gvisor.dev/issue/5472): Add the following sentence when we implement
	// RFC 7048: "Packets continue to be sent to the neighbor while
	// re-attempting to resolve the address."
	Unreachable
)

func (NeighborState) String 

func (i NeighborState) String() string

type NeighborStats 

type NeighborStats struct {
	// UnreachableEntryLookups counts the number of lookups performed on an
	// entry in Unreachable state.
	UnreachableEntryLookups *tcpip.StatCounter
}

NeighborStats holds metrics for the neighbor table.

type NetworkDispatcher 

type NetworkDispatcher interface {
	// DeliverNetworkPacket finds the appropriate network protocol endpoint
	// and hands the packet over for further processing.
	//
	// pkt.LinkHeader may or may not be set before calling
	// DeliverNetworkPacket. Some packets do not have link headers (e.g.
	// packets sent via loopback), and won't have the field set.
	//
	// DeliverNetworkPacket takes ownership of pkt.
	DeliverNetworkPacket(remote, local tcpip.LinkAddress, protocol tcpip.NetworkProtocolNumber, pkt *PacketBuffer)

	// DeliverOutboundPacket is called by link layer when a packet is being
	// sent out.
	//
	// pkt.LinkHeader may or may not be set before calling
	// DeliverOutboundPacket. Some packets do not have link headers (e.g.
	// packets sent via loopback), and won't have the field set.
	//
	// DeliverOutboundPacket takes ownership of pkt.
	DeliverOutboundPacket(remote, local tcpip.LinkAddress, protocol tcpip.NetworkProtocolNumber, pkt *PacketBuffer)
}

NetworkDispatcher contains the methods used by the network stack to deliver inbound/outbound packets to the appropriate network/packet(if any) endpoints.

type NetworkEndpoint 

type NetworkEndpoint interface {
	// Enable enables the endpoint.
	//
	// Must only be called when the stack is in a state that allows the endpoint
	// to send and receive packets.
	//
	// Returns *tcpip.ErrNotPermitted if the endpoint cannot be enabled.
	Enable() tcpip.Error

	// Enabled returns true if the endpoint is enabled.
	Enabled() bool

	// Disable disables the endpoint.
	Disable()

	// DefaultTTL is the default time-to-live value (or hop limit, in ipv6)
	// for this endpoint.
	DefaultTTL() uint8

	// MTU is the maximum transmission unit for this endpoint. This is
	// generally calculated as the MTU of the underlying data link endpoint
	// minus the network endpoint max header length.
	MTU() uint32

	// MaxHeaderLength returns the maximum size the network (and lower
	// level layers combined) headers can have. Higher levels use this
	// information to reserve space in the front of the packets they're
	// building.
	MaxHeaderLength() uint16

	// WritePacket writes a packet to the given destination address and
	// protocol. It takes ownership of pkt. pkt.TransportHeader must have
	// already been set.
	WritePacket(r *Route, params NetworkHeaderParams, pkt *PacketBuffer) tcpip.Error

	// WritePackets writes packets to the given destination address and
	// protocol. pkts must not be zero length. It takes ownership of pkts and
	// underlying packets.
	WritePackets(r *Route, pkts PacketBufferList, params NetworkHeaderParams) (int, tcpip.Error)

	// WriteHeaderIncludedPacket writes a packet that includes a network
	// header to the given destination address. It takes ownership of pkt.
	WriteHeaderIncludedPacket(r *Route, pkt *PacketBuffer) tcpip.Error

	// HandlePacket is called by the link layer when new packets arrive to
	// this network endpoint. It sets pkt.NetworkHeader.
	//
	// HandlePacket takes ownership of pkt.
	HandlePacket(pkt *PacketBuffer)

	// Close is called when the endpoint is reomved from a stack.
	Close()

	// NetworkProtocolNumber returns the tcpip.NetworkProtocolNumber for
	// this endpoint.
	NetworkProtocolNumber() tcpip.NetworkProtocolNumber

	// Stats returns a reference to the network endpoint stats.
	Stats() NetworkEndpointStats
}

NetworkEndpoint is the interface that needs to be implemented by endpoints of network layer protocols (e.g., ipv4, ipv6).

type NetworkEndpointID 

type NetworkEndpointID struct {
	LocalAddress tcpip.Address
}

NetworkEndpointID is the identifier of a network layer protocol endpoint. Currently the local address is sufficient because all supported protocols (i.e., IPv4 and IPv6) have different sizes for their addresses.

type NetworkEndpointStats 

type NetworkEndpointStats interface {
	// IsNetworkEndpointStats is an empty method to implement the
	// NetworkEndpointStats marker interface.
	IsNetworkEndpointStats()
}

NetworkEndpointStats is the interface implemented by each network endpoint stats struct.

type NetworkHeaderParams 

type NetworkHeaderParams struct {
	// Protocol refers to the transport protocol number.
	Protocol tcpip.TransportProtocolNumber

	// TTL refers to Time To Live field of the IP-header.
	TTL uint8

	// TOS refers to TypeOfService or TrafficClass field of the IP-header.
	TOS uint8
}

NetworkHeaderParams are the header parameters given as input by the transport endpoint to the network.

type NetworkInterface 

type NetworkInterface interface {
	NetworkLinkEndpoint

	// ID returns the interface's ID.
	ID() tcpip.NICID

	// IsLoopback returns true if the interface is a loopback interface.
	IsLoopback() bool

	// Name returns the name of the interface.
	//
	// May return an empty string if the interface is not configured with a name.
	Name() string

	// Enabled returns true if the interface is enabled.
	Enabled() bool

	// Promiscuous returns true if the interface is in promiscuous mode.
	//
	// When in promiscuous mode, the interface should accept all packets.
	Promiscuous() bool

	// Spoofing returns true if the interface is in spoofing mode.
	//
	// When in spoofing mode, the interface should consider all addresses as
	// assigned to it.
	Spoofing() bool

	// PrimaryAddress returns the primary address associated with the interface.
	//
	// PrimaryAddress will return the first non-deprecated address if such an
	// address exists. If no non-deprecated addresses exist, the first deprecated
	// address will be returned. If no deprecated addresses exist, the zero value
	// will be returned.
	PrimaryAddress(tcpip.NetworkProtocolNumber) (tcpip.AddressWithPrefix, tcpip.Error)

	// CheckLocalAddress returns true if the address exists on the interface.
	CheckLocalAddress(tcpip.NetworkProtocolNumber, tcpip.Address) bool

	// WritePacketToRemote writes the packet to the given remote link address.
	WritePacketToRemote(tcpip.LinkAddress, tcpip.NetworkProtocolNumber, *PacketBuffer) tcpip.Error

	// WritePacket writes a packet with the given protocol through the given
	// route.
	//
	// WritePacket takes ownership of the packet buffer. The packet buffer's
	// network and transport header must be set.
	WritePacket(*Route, tcpip.NetworkProtocolNumber, *PacketBuffer) tcpip.Error

	// WritePackets writes packets with the given protocol through the given
	// route. Must not be called with an empty list of packet buffers.
	//
	// WritePackets takes ownership of the packet buffers.
	//
	// Right now, WritePackets is used only when the software segmentation
	// offload is enabled. If it will be used for something else, syscall filters
	// may need to be updated.
	WritePackets(*Route, PacketBufferList, tcpip.NetworkProtocolNumber) (int, tcpip.Error)

	// HandleNeighborProbe processes an incoming neighbor probe (e.g. ARP
	// request or NDP Neighbor Solicitation).
	//
	// HandleNeighborProbe assumes that the probe is valid for the network
	// interface the probe was received on.
	HandleNeighborProbe(tcpip.NetworkProtocolNumber, tcpip.Address, tcpip.LinkAddress) tcpip.Error

	// HandleNeighborConfirmation processes an incoming neighbor confirmation
	// (e.g. ARP reply or NDP Neighbor Advertisement).
	HandleNeighborConfirmation(tcpip.NetworkProtocolNumber, tcpip.Address, tcpip.LinkAddress, ReachabilityConfirmationFlags) tcpip.Error
}

NetworkInterface is a network interface.

type NetworkLinkEndpoint 

type NetworkLinkEndpoint interface {
	// MTU is the maximum transmission unit for this endpoint. This is
	// usually dictated by the backing physical network; when such a
	// physical network doesn't exist, the limit is generally 64k, which
	// includes the maximum size of an IP packet.
	MTU() uint32

	// MaxHeaderLength returns the maximum size the data link (and
	// lower level layers combined) headers can have. Higher levels use this
	// information to reserve space in the front of the packets they're
	// building.
	MaxHeaderLength() uint16

	// LinkAddress returns the link address (typically a MAC) of the
	// endpoint.
	LinkAddress() tcpip.LinkAddress
}

NetworkLinkEndpoint is a data-link layer that supports sending network layer packets.

type NetworkPacketInfo 

type NetworkPacketInfo struct {
	// LocalAddressBroadcast is true if the packet's local address is a broadcast
	// address.
	LocalAddressBroadcast bool
}

NetworkPacketInfo holds information about a network layer packet.

type NetworkProtocol 

type NetworkProtocol interface {
	// Number returns the network protocol number.
	Number() tcpip.NetworkProtocolNumber

	// MinimumPacketSize returns the minimum valid packet size of this
	// network protocol. The stack automatically drops any packets smaller
	// than this targeted at this protocol.
	MinimumPacketSize() int

	// DefaultPrefixLen returns the protocol's default prefix length.
	DefaultPrefixLen() int

	// ParseAddresses returns the source and destination addresses stored in a
	// packet of this protocol.
	ParseAddresses(v buffer.View) (src, dst tcpip.Address)

	// NewEndpoint creates a new endpoint of this protocol.
	NewEndpoint(nic NetworkInterface, dispatcher TransportDispatcher) NetworkEndpoint

	// SetOption allows enabling/disabling protocol specific features.
	// SetOption returns an error if the option is not supported or the
	// provided option value is invalid.
	SetOption(option tcpip.SettableNetworkProtocolOption) tcpip.Error

	// Option allows retrieving protocol specific option values.
	// Option returns an error if the option is not supported or the
	// provided option value is invalid.
	Option(option tcpip.GettableNetworkProtocolOption) tcpip.Error

	// Close requests that any worker goroutines owned by the protocol
	// stop.
	Close()

	// Wait waits for any worker goroutines owned by the protocol to stop.
	Wait()

	// Parse sets pkt.NetworkHeader and trims pkt.Data appropriately. It
	// returns:
	// - The encapsulated protocol, if present.
	// - Whether there is an encapsulated transport protocol payload (e.g. ARP
	//   does not encapsulate anything).
	// - Whether pkt.Data was large enough to parse and set pkt.NetworkHeader.
	Parse(pkt *PacketBuffer) (proto tcpip.TransportProtocolNumber, hasTransportHdr bool, ok bool)
}

NetworkProtocol is the interface that needs to be implemented by network protocols (e.g., ipv4, ipv6) that want to be part of the networking stack.

type NetworkProtocolFactory 

type NetworkProtocolFactory func(*Stack) NetworkProtocol

NetworkProtocolFactory instantiates a network protocol.

NetworkProtocolFactory must not attempt to modify the stack, it may only query the stack.

type Options 

type Options struct {
	// NetworkProtocols lists the network protocols to enable.
	NetworkProtocols []NetworkProtocolFactory

	// TransportProtocols lists the transport protocols to enable.
	TransportProtocols []TransportProtocolFactory

	// Clock is an optional clock source used for timestampping packets.
	//
	// If no Clock is specified, the clock source will be time.Now.
	Clock tcpip.Clock

	// Stats are optional statistic counters.
	Stats tcpip.Stats

	// HandleLocal indicates whether packets destined to their source
	// should be handled by the stack internally (true) or outside the
	// stack (false).
	HandleLocal bool

	// UniqueID is an optional generator of unique identifiers.
	UniqueID UniqueID

	// NUDConfigs is the default NUD configurations used by interfaces.
	NUDConfigs NUDConfigurations

	// NUDDisp is the NUD event dispatcher that an integrator can provide to
	// receive NUD related events.
	NUDDisp NUDDispatcher

	// RawFactory produces raw endpoints. Raw endpoints are enabled only if
	// this is non-nil.
	RawFactory RawFactory

	// RandSource is an optional source to use to generate random
	// numbers. If omitted it defaults to a Source seeded by the data
	// returned by rand.Read().
	//
	// RandSource must be thread-safe.
	RandSource mathrand.Source

	// IPTables are the initial iptables rules. If nil, iptables will allow
	// all traffic.
	IPTables *IPTables

	// SecureRNG is a cryptographically secure random number generator.
	SecureRNG io.Reader
}

Options contains optional Stack configuration.

type PacketBuffer 

type PacketBuffer struct {

	// PacketBufferEntry is used to build an intrusive list of
	// PacketBuffers.
	PacketBufferEntry

	// NetworkProtocolNumber is only valid when NetworkHeader().View().IsEmpty()
	// returns false.
	// TODO(gvisor.dev/issue/3574): Remove the separately passed protocol
	// numbers in registration APIs that take a PacketBuffer.
	NetworkProtocolNumber tcpip.NetworkProtocolNumber

	// TransportProtocol is only valid if it is non zero.
	// TODO(gvisor.dev/issue/3810): This and the network protocol number should
	// be moved into the headerinfo. This should resolve the validity issue.
	TransportProtocolNumber tcpip.TransportProtocolNumber

	// Hash is the transport layer hash of this packet. A value of zero
	// indicates no valid hash has been set.
	Hash uint32

	// Owner is implemented by task to get the uid and gid.
	// Only set for locally generated packets.
	Owner tcpip.PacketOwner

	// The following fields are only set by the qdisc layer when the packet
	// is added to a queue.
	EgressRoute RouteInfo
	GSOOptions  GSO

	// NatDone indicates if the packet has been manipulated as per NAT
	// iptables rule.
	NatDone bool

	// PktType indicates the SockAddrLink.PacketType of the packet as defined in
	// https://www.man7.org/linux/man-pages/man7/packet.7.html.
	PktType tcpip.PacketType

	// NICID is the ID of the interface the network packet was received at.
	NICID tcpip.NICID

	// RXTransportChecksumValidated indicates that transport checksum verification
	// may be safely skipped.
	RXTransportChecksumValidated bool

	// NetworkPacketInfo holds an incoming packet's network-layer information.
	NetworkPacketInfo NetworkPacketInfo
	// contains filtered or unexported fields
}

A PacketBuffer contains all the data of a network packet.

As a PacketBuffer traverses up the stack, it may be necessary to pass it to multiple endpoints.

The whole packet is expected to be a series of bytes in the following order: LinkHeader, NetworkHeader, TransportHeader, and Data. Any of them can be empty. Use of PacketBuffer in any other order is unsupported.

PacketBuffer must be created with NewPacketBuffer.

func NewPacketBuffer 

func NewPacketBuffer(opts PacketBufferOptions) *PacketBuffer

NewPacketBuffer creates a new PacketBuffer with opts.

func (*PacketBuffer) AvailableHeaderBytes 

func (pk *PacketBuffer) AvailableHeaderBytes() int

AvailableHeaderBytes returns the number of bytes currently available for headers. This is relevant to PacketHeader.Push method only.

func (*PacketBuffer) Clone 

func (pk *PacketBuffer) Clone() *PacketBuffer

Clone makes a shallow copy of pk.

Clone should be called in such cases so that no modifications is done to underlying packet payload.

func (*PacketBuffer) CloneToInbound 

func (pk *PacketBuffer) CloneToInbound() *PacketBuffer

CloneToInbound makes a shallow copy of the packet buffer to be used as an inbound packet.

See PacketBuffer.Data for details about how a packet buffer holds an inbound packet.

func (*PacketBuffer) Data 

func (pk *PacketBuffer) Data() PacketData

Data returns the handle to data portion of pk.

func (*PacketBuffer) HeaderSize 

func (pk *PacketBuffer) HeaderSize() int

HeaderSize returns the total size of all headers in bytes.

func (*PacketBuffer) LinkHeader 

func (pk *PacketBuffer) LinkHeader() PacketHeader

LinkHeader returns the handle to link-layer header.

func (*PacketBuffer) MemSize 

func (pk *PacketBuffer) MemSize() int

MemSize returns the estimation size of the pk in memory, including backing buffer data.

func (*PacketBuffer) Network 

func (pk *PacketBuffer) Network() header.Network

Network returns the network header as a header.Network.

Network should only be called when NetworkHeader has been set.

func (*PacketBuffer) NetworkHeader 

func (pk *PacketBuffer) NetworkHeader() PacketHeader

NetworkHeader returns the handle to network-layer header.

func (*PacketBuffer) ReservedHeaderBytes 

func (pk *PacketBuffer) ReservedHeaderBytes() int

ReservedHeaderBytes returns the number of bytes initially reserved for headers.

func (*PacketBuffer) Size 

func (pk *PacketBuffer) Size() int

Size returns the size of packet in bytes.

func (*PacketBuffer) TransportHeader 

func (pk *PacketBuffer) TransportHeader() PacketHeader

TransportHeader returns the handle to transport-layer header.

func (*PacketBuffer) Views 

func (pk *PacketBuffer) Views() []buffer.View

Views returns the underlying storage of the whole packet.

type PacketBufferElementMapper 

type PacketBufferElementMapper struct{}

ElementMapper provides an identity mapping by default.

This can be replaced to provide a struct that maps elements to linker objects, if they are not the same. An ElementMapper is not typically required if: Linker is left as is, Element is left as is, or Linker and Element are the same type.

type PacketBufferEntry 

type PacketBufferEntry struct {
	// contains filtered or unexported fields
}

Entry is a default implementation of Linker. Users can add anonymous fields of this type to their structs to make them automatically implement the methods needed by List.

+stateify savable

func (*PacketBufferEntry) Next 

func (e *PacketBufferEntry) Next() *PacketBuffer

Next returns the entry that follows e in the list.

func (*PacketBufferEntry) Prev 

func (e *PacketBufferEntry) Prev() *PacketBuffer

Prev returns the entry that precedes e in the list.

func (*PacketBufferEntry) SetNext 

func (e *PacketBufferEntry) SetNext(elem *PacketBuffer)

SetNext assigns 'entry' as the entry that follows e in the list.

func (*PacketBufferEntry) SetPrev 

func (e *PacketBufferEntry) SetPrev(elem *PacketBuffer)

SetPrev assigns 'entry' as the entry that precedes e in the list.

func (*PacketBufferEntry) StateFields 

func (e *PacketBufferEntry) StateFields() []string

func (*PacketBufferEntry) StateLoad 

func (e *PacketBufferEntry) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*PacketBufferEntry) StateSave 

func (e *PacketBufferEntry) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*PacketBufferEntry) StateTypeName 

func (e *PacketBufferEntry) StateTypeName() string

type PacketBufferList 

type PacketBufferList struct {
	// contains filtered or unexported fields
}

List is an intrusive list. Entries can be added to or removed from the list in O(1) time and with no additional memory allocations.

The zero value for List is an empty list ready to use.

To iterate over a list (where l is a List): 

     for e := l.Front(); e != nil; e = e.Next() {
		// do something with e.
     }

+stateify savable

func (*PacketBufferList) Back 

func (l *PacketBufferList) Back() *PacketBuffer

Back returns the last element of list l or nil.

func (*PacketBufferList) Empty 

func (l *PacketBufferList) Empty() bool

Empty returns true iff the list is empty.

func (*PacketBufferList) Front 

func (l *PacketBufferList) Front() *PacketBuffer

Front returns the first element of list l or nil.

func (*PacketBufferList) InsertAfter 

func (l *PacketBufferList) InsertAfter(b, e *PacketBuffer)

InsertAfter inserts e after b.

func (*PacketBufferList) InsertBefore 

func (l *PacketBufferList) InsertBefore(a, e *PacketBuffer)

InsertBefore inserts e before a.

func (*PacketBufferList) Len 

func (l *PacketBufferList) Len() (count int)

Len returns the number of elements in the list.

NOTE: This is an O(n) operation.

func (*PacketBufferList) PushBack 

func (l *PacketBufferList) PushBack(e *PacketBuffer)

PushBack inserts the element e at the back of list l.

func (*PacketBufferList) PushBackList 

func (l *PacketBufferList) PushBackList(m *PacketBufferList)

PushBackList inserts list m at the end of list l, emptying m.

func (*PacketBufferList) PushFront 

func (l *PacketBufferList) PushFront(e *PacketBuffer)

PushFront inserts the element e at the front of list l.

func (*PacketBufferList) Remove 

func (l *PacketBufferList) Remove(e *PacketBuffer)

Remove removes e from l.

func (*PacketBufferList) Reset 

func (l *PacketBufferList) Reset()

Reset resets list l to the empty state.

func (*PacketBufferList) StateFields 

func (p *PacketBufferList) StateFields() []string

func (*PacketBufferList) StateLoad 

func (p *PacketBufferList) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*PacketBufferList) StateSave 

func (p *PacketBufferList) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*PacketBufferList) StateTypeName 

func (p *PacketBufferList) StateTypeName() string

type PacketBufferOptions 

type PacketBufferOptions struct {
	// ReserveHeaderBytes is the number of bytes to reserve for headers. Total
	// number of bytes pushed onto the headers must not exceed this value.
	ReserveHeaderBytes int

	// Data is the initial unparsed data for the new packet. If set, it will be
	// owned by the new packet.
	Data buffer.VectorisedView
}

PacketBufferOptions specifies options for PacketBuffer creation.

type PacketData 

type PacketData struct {
	// contains filtered or unexported fields
}

PacketData represents the data portion of a PacketBuffer.

func (PacketData) AppendView 

func (d PacketData) AppendView(v buffer.View)

AppendView appends v into d, taking the ownership of v.

func (PacketData) AsRange 

func (d PacketData) AsRange() Range

AsRange returns a Range representing the current data payload of the packet.

func (PacketData) CapLength 

func (d PacketData) CapLength(length int)

CapLength reduces d to at most length bytes.

func (PacketData) DeleteFront 

func (d PacketData) DeleteFront(count int)

DeleteFront removes count from the beginning of d. It panics if count > d.Size(). All backing storage references after the front of the d are invalidated.

func (PacketData) ExtractVV 

func (d PacketData) ExtractVV() buffer.VectorisedView

ExtractVV returns a VectorisedView of d. This method has the semantic to destruct the underlying packet, hence the packet cannot be used again.

This method exists for compatibility between PacketBuffer and VectorisedView. It may be removed later and should be used with care.

func (PacketData) PullUp 

func (d PacketData) PullUp(size int) (buffer.View, bool)

PullUp returns a contiguous view of size bytes from the beginning of d. Callers should not write to or keep the view for later use.

func (PacketData) ReadFromData 

func (d PacketData) ReadFromData(srcData PacketData, count int) int

ReadFromData moves at most count bytes from the beginning of srcData to the end of d and returns the number of bytes moved.

func (PacketData) ReadFromVV 

func (d PacketData) ReadFromVV(srcVV *buffer.VectorisedView, count int) int

ReadFromVV moves at most count bytes from the beginning of srcVV to the end of d and returns the number of bytes moved.

func (PacketData) Replace 

func (d PacketData) Replace(vv buffer.VectorisedView)

Replace replaces the data portion of the packet with vv, taking the ownership of vv.

This method exists for compatibility between PacketBuffer and VectorisedView. It may be removed later and should be used with care.

func (PacketData) Size 

func (d PacketData) Size() int

Size returns the number of bytes in the data payload of the packet.

func (PacketData) Views 

func (d PacketData) Views() []buffer.View

Views returns the underlying storage of d in a slice of Views. Caller should not modify the returned slice.

type PacketEndpoint 

type PacketEndpoint interface {
	// HandlePacket is called by the stack when new packets arrive that
	// match the endpoint.
	//
	// Implementers should treat packet as immutable and should copy it
	// before before modification.
	//
	// linkHeader may have a length of 0, in which case the PacketEndpoint
	// should construct its own ethernet header for applications.
	//
	// HandlePacket takes ownership of pkt.
	HandlePacket(nicID tcpip.NICID, addr tcpip.LinkAddress, netProto tcpip.NetworkProtocolNumber, pkt *PacketBuffer)
}

PacketEndpoint is the interface that needs to be implemented by packet transport protocol endpoints. These endpoints receive link layer headers in addition to whatever they contain (usually network and transport layer headers and a payload).

type PacketHeader 

type PacketHeader struct {
	// contains filtered or unexported fields
}

PacketHeader is a handle object to a header in the underlying packet.

func (PacketHeader) Consume 

func (h PacketHeader) Consume(size int) (v buffer.View, consumed bool)

Consume moves the first size bytes of the unparsed data portion in the packet to h, and returns the backing storage. In the case of data is shorter than size, consumed will be false, and the state of h will not be affected. Callers may only call one of Push or Consume once on each header in the lifetime of the underlying packet.

func (PacketHeader) Push 

func (h PacketHeader) Push(size int) buffer.View

Push pushes size bytes in the front of its residing packet, and returns the backing storage. Callers may only call one of Push or Consume once on each header in the lifetime of the underlying packet.

func (PacketHeader) View 

func (h PacketHeader) View() buffer.View

View returns the underlying storage of h.

type PacketLooping 

type PacketLooping byte

PacketLooping specifies where an outbound packet should be sent. 

const (
	// PacketOut indicates that the packet should be passed to the link
	// endpoint.
	PacketOut PacketLooping = 1 << iota

	// PacketLoop indicates that the packet should be handled locally.
	PacketLoop
)

type ParseResult 

type ParseResult int

ParseResult indicates the result of a parsing attempt. 

const (
	// ParsedOK indicates that a packet was successfully parsed.
	ParsedOK ParseResult = iota

	// UnknownTransportProtocol indicates that the transport protocol is unknown.
	UnknownTransportProtocol

	// TransportLayerParseError indicates that the transport packet was not
	// successfully parsed.
	TransportLayerParseError
)

type PrimaryEndpointBehavior 

type PrimaryEndpointBehavior int

PrimaryEndpointBehavior is an enumeration of an AddressEndpoint's primary behavior. 

const (
	// CanBePrimaryEndpoint indicates the endpoint can be used as a primary
	// endpoint for new connections with no local address. This is the
	// default when calling NIC.AddAddress.
	CanBePrimaryEndpoint PrimaryEndpointBehavior = iota

	// FirstPrimaryEndpoint indicates the endpoint should be the first
	// primary endpoint considered. If there are multiple endpoints with
	// this behavior, they are ordered by recency.
	FirstPrimaryEndpoint

	// NeverPrimaryEndpoint indicates the endpoint should never be a
	// primary endpoint.
	NeverPrimaryEndpoint
)

type Rand 

type Rand interface {
	// Float32 returns, as a float32, a pseudo-random number in [0.0,1.0).
	Float32() float32
}

A Rand is a source of random numbers.

type Range 

type Range struct {
	// contains filtered or unexported fields
}

Range represents a contiguous subportion of a PacketBuffer.

func (Range) AsView 

func (r Range) AsView() buffer.View

AsView returns the backing storage of r if possible. It will allocate a new View if r spans multiple pieces internally. Caller should not write to the returned View in any way.

func (Range) Capped 

func (r Range) Capped(max int) Range

Capped returns a new Range with the same starting point of r and length capped at max.

func (Range) Checksum 

func (r Range) Checksum() uint16

Checksum calculates the RFC 1071 checksum for the underlying bytes of r.

func (Range) Size 

func (r Range) Size() int

Size returns the number of bytes in r.

func (Range) SubRange 

func (r Range) SubRange(off int) Range

SubRange returns a new Range starting at off bytes of r. It returns an empty range if off is out-of-bounds.

func (Range) ToOwnedView 

func (r Range) ToOwnedView() buffer.View

ToOwnedView returns a owned copy of data in r.

type RawFactory 

type RawFactory interface {
	// NewUnassociatedEndpoint produces endpoints for writing packets not
	// associated with a particular transport protocol. Such endpoints can
	// be used to write arbitrary packets that include the network header.
	NewUnassociatedEndpoint(stack *Stack, netProto tcpip.NetworkProtocolNumber, transProto tcpip.TransportProtocolNumber, waiterQueue *waiter.Queue) (tcpip.Endpoint, tcpip.Error)

	// NewPacketEndpoint produces endpoints for reading and writing packets
	// that include network and (when cooked is false) link layer headers.
	NewPacketEndpoint(stack *Stack, cooked bool, netProto tcpip.NetworkProtocolNumber, waiterQueue *waiter.Queue) (tcpip.Endpoint, tcpip.Error)
}

RawFactory produces endpoints for writing various types of raw packets.

type RawTransportEndpoint 

type RawTransportEndpoint interface {
	// HandlePacket is called by the stack when new packets arrive to
	// this transport endpoint. The packet contains all data from the link
	// layer up.
	//
	// HandlePacket takes ownership of the packet.
	HandlePacket(*PacketBuffer)
}

RawTransportEndpoint is the interface that needs to be implemented by raw transport protocol endpoints. RawTransportEndpoints receive the entire packet - including the network and transport headers - as delivered to netstack.

type RcvBufAutoTuneParams 

type RcvBufAutoTuneParams struct {
	// MeasureTime is the time at which the current measurement was
	// started.
	MeasureTime time.Time `state:".(unixTime)"`

	// CopiedBytes is the number of bytes copied to user space since this
	// measure began.
	CopiedBytes int

	// PrevCopiedBytes is the number of bytes copied to userspace in the
	// previous RTT period.
	PrevCopiedBytes int

	// RcvBufSize is the auto tuned receive buffer size.
	RcvBufSize int

	// RTT is the smoothed RTT as measured by observing the time between
	// when a byte is first acknowledged and the receipt of data that is at
	// least one window beyond the sequence number that was acknowledged.
	RTT time.Duration

	// RTTVar is the "round-trip time variation" as defined in section 2 of
	// RFC6298.
	RTTVar time.Duration

	// RTTMeasureSeqNumber is the highest acceptable sequence number at the
	// time this RTT measurement period began.
	RTTMeasureSeqNumber seqnum.Value

	// RTTMeasureTime is the absolute time at which the current RTT
	// measurement period began.
	RTTMeasureTime time.Time `state:".(unixTime)"`

	// Disabled is true if an explicit receive buffer is set for the
	// endpoint.
	Disabled bool
}

RcvBufAutoTuneParams holds state related to TCP receive buffer auto-tuning.

+stateify savable

func (*RcvBufAutoTuneParams) StateFields 

func (r *RcvBufAutoTuneParams) StateFields() []string

func (*RcvBufAutoTuneParams) StateLoad 

func (r *RcvBufAutoTuneParams) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*RcvBufAutoTuneParams) StateSave 

func (r *RcvBufAutoTuneParams) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*RcvBufAutoTuneParams) StateTypeName 

func (r *RcvBufAutoTuneParams) StateTypeName() string

type ReachabilityConfirmationFlags 

type ReachabilityConfirmationFlags struct {
	// Solicited indicates that the advertisement was sent in response to a
	// reachability probe.
	Solicited bool

	// Override indicates that the reachability confirmation should override an
	// existing neighbor cache entry and update the cached link-layer address.
	// When Override is not set the confirmation will not update a cached
	// link-layer address, but will update an existing neighbor cache entry for
	// which no link-layer address is known.
	Override bool

	// IsRouter indicates that the sender is a router.
	IsRouter bool
}

ReachabilityConfirmationFlags describes the flags used within a reachability confirmation (e.g. ARP reply or Neighbor Advertisement for ARP or NDP, respectively).

type ReceiveBufferSizeOption 

type ReceiveBufferSizeOption struct {
	Min     int
	Default int
	Max     int
}

ReceiveBufferSizeOption is used by stack.(Stack*).Option/SetOption to get/set the default, min and max receive buffer sizes.

type RedirectTarget 

type RedirectTarget struct {
	// Port indicates port used to redirect. It is immutable.
	Port uint16

	// NetworkProtocol is the network protocol the target is used with. It
	// is immutable.
	NetworkProtocol tcpip.NetworkProtocolNumber
}

RedirectTarget redirects the packet to this machine by modifying the destination port/IP. Outgoing packets are redirected to the loopback device, and incoming packets are redirected to the incoming interface (rather than forwarded).

TODO(gvisor.dev/issue/170): Other flags need to be added after we support them.

func (*RedirectTarget) Action 

func (rt *RedirectTarget) Action(pkt *PacketBuffer, ct *ConnTrack, hook Hook, r *Route, address tcpip.Address) (RuleVerdict, int)

Action implements Target.Action. TODO(gvisor.dev/issue/170): Parse headers without copying. The current implementation only works for Prerouting and calls pkt.Clone(), neither of which should be the case.

type ResolvedFieldsResult 

type ResolvedFieldsResult struct {
	RouteInfo RouteInfo
	Err       tcpip.Error
}

ResolvedFieldsResult is the result of a route resolution attempt.

type ResumableEndpoint 

type ResumableEndpoint interface {
	// Resume resumes an endpoint after restore. This can be used to restart
	// background workers such as protocol goroutines. This must be called after
	// all indirect dependencies of the endpoint has been restored, which
	// generally implies at the end of the restore process.
	Resume(*Stack)
}

ResumableEndpoint is an endpoint that needs to be resumed after restore.

type ReturnTarget 

type ReturnTarget struct {
	// NetworkProtocol is the network protocol the target is used with.
	NetworkProtocol tcpip.NetworkProtocolNumber
}

ReturnTarget returns from the current chain. If the chain is a built-in, the hook's underflow should be called.

func (*ReturnTarget) Action 

func (*ReturnTarget) Action(*PacketBuffer, *ConnTrack, Hook, *Route, tcpip.Address) (RuleVerdict, int)

Action implements Target.Action.

type Route 

type Route struct {
	// contains filtered or unexported fields
}

Route represents a route through the networking stack to a given destination.

It is safe to call Route's methods from multiple goroutines.

func (*Route) Acquire 

func (r *Route) Acquire()

Acquire increments the reference counter of the resources associated with the route.

func (*Route) ConfirmReachable 

func (r *Route) ConfirmReachable()

ConfirmReachable informs the network/link layer that the neighbour used for the route is reachable.

"Reachable" is defined as having full-duplex communication between the local and remote ends of the route.

func (*Route) DefaultTTL 

func (r *Route) DefaultTTL() uint8

DefaultTTL returns the default TTL of the underlying network endpoint.

func (*Route) Fields 

func (r *Route) Fields() RouteInfo

Fields returns a RouteInfo with all of the known values for the route's fields.

If any fields are unknown (e.g. remote link address when it is waiting for link address resolution), they will be unset.

func (*Route) GSOMaxSize 

func (r *Route) GSOMaxSize() uint32

GSOMaxSize returns the maximum GSO packet size.

func (*Route) HasDisconncetOkCapability 

func (r *Route) HasDisconncetOkCapability() bool

HasDisconncetOkCapability returns true if the route supports disconnecting.

func (*Route) HasHardwareGSOCapability 

func (r *Route) HasHardwareGSOCapability() bool

HasHardwareGSOCapability returns true if the route supports hardware GSO.

func (*Route) HasSaveRestoreCapability 

func (r *Route) HasSaveRestoreCapability() bool

HasSaveRestoreCapability returns true if the route supports save/restore.

func (*Route) HasSoftwareGSOCapability 

func (r *Route) HasSoftwareGSOCapability() bool

HasSoftwareGSOCapability returns true if the route supports software GSO.

func (*Route) IsOutboundBroadcast 

func (r *Route) IsOutboundBroadcast() bool

IsOutboundBroadcast returns true if the route is for an outbound broadcast packet.

func (*Route) IsResolutionRequired 

func (r *Route) IsResolutionRequired() bool

IsResolutionRequired returns true if Resolve() must be called to resolve the link address before the route can be written to.

The NICs the route is associated with must not be locked.

func (*Route) LocalAddress 

func (r *Route) LocalAddress() tcpip.Address

LocalAddress returns the route's local address.

func (*Route) LocalLinkAddress 

func (r *Route) LocalLinkAddress() tcpip.LinkAddress

LocalLinkAddress returns the route's local link-layer address.

func (*Route) Loop 

func (r *Route) Loop() PacketLooping

Loop returns the route's required packet looping.

func (*Route) MTU 

func (r *Route) MTU() uint32

MTU returns the MTU of the underlying network endpoint.

func (*Route) MaxHeaderLength 

func (r *Route) MaxHeaderLength() uint16

MaxHeaderLength forwards the call to the network endpoint's implementation.

func (*Route) NICID 

func (r *Route) NICID() tcpip.NICID

NICID returns the id of the NIC from which this route originates.

func (*Route) NetProto 

func (r *Route) NetProto() tcpip.NetworkProtocolNumber

NetProto returns the route's network-layer protocol number.

func (*Route) NextHop 

func (r *Route) NextHop() tcpip.Address

NextHop returns the next node in the route's path to the destination.

func (*Route) PseudoHeaderChecksum 

func (r *Route) PseudoHeaderChecksum(protocol tcpip.TransportProtocolNumber, totalLen uint16) uint16

PseudoHeaderChecksum forwards the call to the network endpoint's implementation.

func (*Route) Release 

func (r *Route) Release()

Release decrements the reference counter of the resources associated with the route.

func (*Route) RemoteAddress 

func (r *Route) RemoteAddress() tcpip.Address

RemoteAddress returns the route's destination.

func (*Route) RemoteLinkAddress 

func (r *Route) RemoteLinkAddress() tcpip.LinkAddress

RemoteLinkAddress returns the link-layer (MAC) address of the next hop in the route.

func (*Route) RequiresTXTransportChecksum 

func (r *Route) RequiresTXTransportChecksum() bool

RequiresTXTransportChecksum returns false if the route does not require transport checksums to be populated.

func (*Route) ResolveWith 

func (r *Route) ResolveWith(addr tcpip.LinkAddress)

ResolveWith immediately resolves a route with the specified remote link address.

func (*Route) ResolvedFields 

func (r *Route) ResolvedFields(afterResolve func(ResolvedFieldsResult)) tcpip.Error

ResolvedFields attempts to resolve the remote link address if it is not known.

If a callback is provided, it will be called before ResolvedFields returns when address resolution is not required. If address resolution is required, the callback will be called once address resolution is complete, regardless of success or failure.

Note, the route will not cache the remote link address when address resolution completes.

func (*Route) Stack 

func (r *Route) Stack() *Stack

Stack returns the instance of the Stack that owns this route.

func (*Route) Stats 

func (r *Route) Stats() tcpip.Stats

Stats returns a mutable copy of current stats.

func (*Route) WriteHeaderIncludedPacket 

func (r *Route) WriteHeaderIncludedPacket(pkt *PacketBuffer) tcpip.Error

WriteHeaderIncludedPacket writes a packet already containing a network header through the given route.

func (*Route) WritePacket 

func (r *Route) WritePacket(params NetworkHeaderParams, pkt *PacketBuffer) tcpip.Error

WritePacket writes the packet through the given route.

func (*Route) WritePackets 

func (r *Route) WritePackets(pkts PacketBufferList, params NetworkHeaderParams) (int, tcpip.Error)

WritePackets writes a list of n packets through the given route and returns the number of packets written.

type RouteInfo 

type RouteInfo struct {

	// RemoteLinkAddress is the link-layer (MAC) address of the next hop in the
	// route.
	RemoteLinkAddress tcpip.LinkAddress
	// contains filtered or unexported fields
}

RouteInfo contains all of Route's exported fields.

type Rule 

type Rule struct {
	// Filter holds basic IP filtering fields common to every rule.
	Filter IPHeaderFilter

	// Matchers is the list of matchers for this rule.
	Matchers []Matcher

	// Target is the action to invoke if all the matchers match the packet.
	Target Target
}

A Rule is a packet processing rule. It consists of two pieces. First it contains zero or more matchers, each of which is a specification of which packets this rule applies to. If there are no matchers in the rule, it applies to any packet.

+stateify savable

func (*Rule) StateFields 

func (r *Rule) StateFields() []string

func (*Rule) StateLoad 

func (r *Rule) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*Rule) StateSave 

func (r *Rule) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*Rule) StateTypeName 

func (r *Rule) StateTypeName() string

type RuleVerdict 

type RuleVerdict int

A RuleVerdict is what a rule decides should be done with a packet. 

const (
	// RuleAccept indicates the packet should continue through netstack.
	RuleAccept RuleVerdict = iota

	// RuleDrop indicates the packet should be dropped.
	RuleDrop

	// RuleJump indicates the packet should jump to another chain.
	RuleJump

	// RuleReturn indicates the packet should return to the previous chain.
	RuleReturn
)

type SNATTarget 

type SNATTarget struct {
	Addr tcpip.Address
	Port uint16

	// NetworkProtocol is the network protocol the target is used with. It
	// is immutable.
	NetworkProtocol tcpip.NetworkProtocolNumber
}

SNATTarget modifies the source port/IP in the outgoing packets.

func (*SNATTarget) Action 

func (st *SNATTarget) Action(pkt *PacketBuffer, ct *ConnTrack, hook Hook, r *Route, address tcpip.Address) (RuleVerdict, int)

Action implements Target.Action.

type Stack 

type Stack struct {
	*ports.PortManager
	// contains filtered or unexported fields
}

Stack is a networking stack, with all supported protocols, NICs, and route table. 

var StackFromEnv *Stack

StackFromEnv is the global stack created in restore run. FIXME(b/36201077)

func New 

func New(opts Options) *Stack

New allocates a new networking stack with only the requested networking and transport protocols configured with default options.

Note, NDPConfigurations will be fixed before being used by the Stack. That is, if an invalid value was provided, it will be reset to the default value.

Protocol options can be changed by calling the SetNetworkProtocolOption/SetTransportProtocolOption methods provided by the stack. Please refer to individual protocol implementations as to what options are supported.

func (*Stack) AddAddress 

func (s *Stack) AddAddress(id tcpip.NICID, protocol tcpip.NetworkProtocolNumber, addr tcpip.Address) tcpip.Error

AddAddress adds a new network-layer address to the specified NIC.

func (*Stack) AddAddressWithOptions 

func (s *Stack) AddAddressWithOptions(id tcpip.NICID, protocol tcpip.NetworkProtocolNumber, addr tcpip.Address, peb PrimaryEndpointBehavior) tcpip.Error

AddAddressWithOptions is the same as AddAddress, but allows you to specify whether the new endpoint can be primary or not.

func (*Stack) AddAddressWithPrefix 

func (s *Stack) AddAddressWithPrefix(id tcpip.NICID, protocol tcpip.NetworkProtocolNumber, addr tcpip.AddressWithPrefix) tcpip.Error

AddAddressWithPrefix is the same as AddAddress, but allows you to specify the address prefix.

func (*Stack) AddProtocolAddress 

func (s *Stack) AddProtocolAddress(id tcpip.NICID, protocolAddress tcpip.ProtocolAddress) tcpip.Error

AddProtocolAddress adds a new network-layer protocol address to the specified NIC.

func (*Stack) AddProtocolAddressWithOptions 

func (s *Stack) AddProtocolAddressWithOptions(id tcpip.NICID, protocolAddress tcpip.ProtocolAddress, peb PrimaryEndpointBehavior) tcpip.Error

AddProtocolAddressWithOptions is the same as AddProtocolAddress, but allows you to specify whether the new endpoint can be primary or not.

func (*Stack) AddRoute 

func (s *Stack) AddRoute(route tcpip.Route)

AddRoute appends a route to the route table.

func (*Stack) AddStaticNeighbor 

func (s *Stack) AddStaticNeighbor(nicID tcpip.NICID, protocol tcpip.NetworkProtocolNumber, addr tcpip.Address, linkAddr tcpip.LinkAddress) tcpip.Error

AddStaticNeighbor statically associates an IP address to a MAC address.

func (*Stack) AddTCPProbe 

func (s *Stack) AddTCPProbe(probe TCPProbeFunc)

AddTCPProbe installs a probe function that will be invoked on every segment received by a given TCP endpoint. The probe function is passed a copy of the TCP endpoint state before and after processing of the segment.

NOTE: TCPProbe is added only to endpoints created after this call. Endpoints created prior to this call will not call the probe function.

Further, installing two different probes back to back can result in some endpoints calling the first one and some the second one. There is no guarantee provided on which probe will be invoked. Ideally this should only be called once per stack.

func (*Stack) AllAddresses 

func (s *Stack) AllAddresses() map[tcpip.NICID][]tcpip.ProtocolAddress

AllAddresses returns a map of NICIDs to their protocol addresses (primary and non-primary).

func (*Stack) AllowICMPMessage 

func (s *Stack) AllowICMPMessage() bool

AllowICMPMessage returns true if we the rate limiter allows at least one ICMP message to be sent at this instant.

func (*Stack) CheckDuplicateAddress 

func (s *Stack) CheckDuplicateAddress(nicID tcpip.NICID, protocol tcpip.NetworkProtocolNumber, addr tcpip.Address, h DADCompletionHandler) (DADCheckAddressDisposition, tcpip.Error)

CheckDuplicateAddress performs duplicate address detection for the address on the specified interface.

func (*Stack) CheckLocalAddress 

func (s *Stack) CheckLocalAddress(nicID tcpip.NICID, protocol tcpip.NetworkProtocolNumber, addr tcpip.Address) tcpip.NICID

CheckLocalAddress determines if the given local address exists, and if it does, returns the id of the NIC it's bound to. Returns 0 if the address does not exist.

func (*Stack) CheckNIC 

func (s *Stack) CheckNIC(id tcpip.NICID) bool

CheckNIC checks if a NIC is usable.

func (*Stack) CheckNetworkProtocol 

func (s *Stack) CheckNetworkProtocol(protocol tcpip.NetworkProtocolNumber) bool

CheckNetworkProtocol checks if a given network protocol is enabled in the stack.

func (*Stack) CheckRegisterTransportEndpoint 

func (s *Stack) CheckRegisterTransportEndpoint(netProtos []tcpip.NetworkProtocolNumber, protocol tcpip.TransportProtocolNumber, id TransportEndpointID, flags ports.Flags, bindToDevice tcpip.NICID) tcpip.Error

CheckRegisterTransportEndpoint checks if an endpoint can be registered with the stack transport dispatcher.

func (*Stack) CleanupEndpoints 

func (s *Stack) CleanupEndpoints() []TransportEndpoint

CleanupEndpoints returns endpoints currently in the cleanup state.

func (*Stack) ClearNeighbors 

func (s *Stack) ClearNeighbors(nicID tcpip.NICID, protocol tcpip.NetworkProtocolNumber) tcpip.Error

ClearNeighbors removes all IP to MAC address associations.

func (*Stack) Clock 

func (s *Stack) Clock() tcpip.Clock

Clock returns the Stack's clock for retrieving the current time and scheduling work.

func (*Stack) Close 

func (s *Stack) Close()

Close closes all currently registered transport endpoints.

Endpoints created or modified during this call may not get closed.

func (*Stack) CompleteTransportEndpointCleanup 

func (s *Stack) CompleteTransportEndpointCleanup(ep TransportEndpoint)

CompleteTransportEndpointCleanup removes the endpoint from the cleanup stage.

func (*Stack) CreateNIC 

func (s *Stack) CreateNIC(id tcpip.NICID, ep LinkEndpoint) tcpip.Error

CreateNIC creates a NIC with the provided id and LinkEndpoint and calls LinkEndpoint.Attach to bind ep with a NetworkDispatcher.

func (*Stack) CreateNICWithOptions 

func (s *Stack) CreateNICWithOptions(id tcpip.NICID, ep LinkEndpoint, opts NICOptions) tcpip.Error

CreateNICWithOptions creates a NIC with the provided id, LinkEndpoint, and NICOptions. See the documentation on type NICOptions for details on how NICs can be configured.

LinkEndpoint.Attach will be called to bind ep with a NetworkDispatcher.

func (*Stack) DisableNIC 

func (s *Stack) DisableNIC(id tcpip.NICID) tcpip.Error

DisableNIC disables the given NIC.

func (*Stack) EnableNIC 

func (s *Stack) EnableNIC(id tcpip.NICID) tcpip.Error

EnableNIC enables the given NIC so that the link-layer endpoint can start delivering packets to it.

func (*Stack) FindNICNameFromID 

func (s *Stack) FindNICNameFromID(id tcpip.NICID) string

FindNICNameFromID returns the name of the NIC for the given NICID.

func (*Stack) FindRoute 

func (s *Stack) FindRoute(id tcpip.NICID, localAddr, remoteAddr tcpip.Address, netProto tcpip.NetworkProtocolNumber, multicastLoop bool) (*Route, tcpip.Error)

FindRoute creates a route to the given destination address, leaving through the given NIC and local address (if provided).

If a NIC is not specified, the returned route will leave through the same NIC as the NIC that has the local address assigned when forwarding is disabled. If forwarding is enabled and the NIC is unspecified, the route may leave through any interface unless the route is link-local.

If no local address is provided, the stack will select a local address. If no remote address is provided, the stack wil use a remote address equal to the local address.

func (*Stack) FindTransportEndpoint 

func (s *Stack) FindTransportEndpoint(netProto tcpip.NetworkProtocolNumber, transProto tcpip.TransportProtocolNumber, id TransportEndpointID, nicID tcpip.NICID) TransportEndpoint

FindTransportEndpoint finds an endpoint that most closely matches the provided id. If no endpoint is found it returns nil.

func (*Stack) Forwarding 

func (s *Stack) Forwarding(protocolNum tcpip.NetworkProtocolNumber) bool

Forwarding returns true if packet forwarding between NICs is enabled for the passed protocol.

func (*Stack) GetLinkAddress 

func (s *Stack) GetLinkAddress(nicID tcpip.NICID, addr, localAddr tcpip.Address, protocol tcpip.NetworkProtocolNumber, onResolve func(LinkResolutionResult)) tcpip.Error

GetLinkAddress finds the link address corresponding to a network address.

Returns ErrNotSupported if the stack is not configured with a link address resolver for the specified network protocol.

Returns ErrWouldBlock if the link address is not readily available, along with a notification channel for the caller to block on. Triggers address resolution asynchronously.

onResolve will be called either immediately, if resolution is not required, or when address resolution is complete, with the resolved link address and whether resolution succeeded.

If specified, the local address must be an address local to the interface the neighbor cache belongs to. The local address is the source address of a packet prompting NUD/link address resolution.

func (*Stack) GetLinkEndpointByName 

func (s *Stack) GetLinkEndpointByName(name string) LinkEndpoint

GetLinkEndpointByName gets the link endpoint specified by name.

func (*Stack) GetMainNICAddress 

func (s *Stack) GetMainNICAddress(id tcpip.NICID, protocol tcpip.NetworkProtocolNumber) (tcpip.AddressWithPrefix, tcpip.Error)

GetMainNICAddress returns the first non-deprecated primary address and prefix for the given NIC and protocol. If no non-deprecated primary addresses exist, a deprecated address will be returned. If no deprecated addresses exist, the zero value will be returned.

func (*Stack) GetNetworkEndpoint 

func (s *Stack) GetNetworkEndpoint(nicID tcpip.NICID, proto tcpip.NetworkProtocolNumber) (NetworkEndpoint, tcpip.Error)

GetNetworkEndpoint returns the NetworkEndpoint with the specified protocol number installed on the specified NIC.

func (*Stack) GetRouteTable 

func (s *Stack) GetRouteTable() []tcpip.Route

GetRouteTable returns the route table which is currently in use.

func (*Stack) GetTCPProbe 

func (s *Stack) GetTCPProbe() TCPProbeFunc

GetTCPProbe returns the TCPProbeFunc if installed with AddTCPProbe, nil otherwise.

func (*Stack) HandleLocal 

func (s *Stack) HandleLocal() bool

HandleLocal returns true if non-loopback interfaces are allowed to loop packets.

func (*Stack) HasNIC 

func (s *Stack) HasNIC(id tcpip.NICID) bool

HasNIC returns true if the NICID is defined in the stack.

func (*Stack) ICMPBurst 

func (s *Stack) ICMPBurst() int

ICMPBurst returns the maximum number of ICMP messages that can be sent in a single burst.

func (*Stack) ICMPLimit 

func (s *Stack) ICMPLimit() rate.Limit

ICMPLimit returns the maximum number of ICMP messages that can be sent in one second.

func (*Stack) IPTables 

func (s *Stack) IPTables() *IPTables

IPTables returns the stack's iptables.

func (*Stack) IsInGroup 

func (s *Stack) IsInGroup(nicID tcpip.NICID, multicastAddr tcpip.Address) (bool, tcpip.Error)

IsInGroup returns true if the NIC with ID nicID has joined the multicast group multicastAddr.

func (*Stack) IsSubnetBroadcast 

func (s *Stack) IsSubnetBroadcast(nicID tcpip.NICID, protocol tcpip.NetworkProtocolNumber, addr tcpip.Address) bool

IsSubnetBroadcast returns true if the provided address is a subnet-local broadcast address on the specified NIC and protocol.

Returns false if the NIC is unknown or if the protocol is unknown or does not support addressing.

If the NIC is not specified, the stack will check all NICs.

func (*Stack) JoinGroup 

func (s *Stack) JoinGroup(protocol tcpip.NetworkProtocolNumber, nicID tcpip.NICID, multicastAddr tcpip.Address) tcpip.Error

JoinGroup joins the given multicast group on the given NIC.

func (*Stack) LeaveGroup 

func (s *Stack) LeaveGroup(protocol tcpip.NetworkProtocolNumber, nicID tcpip.NICID, multicastAddr tcpip.Address) tcpip.Error

LeaveGroup leaves the given multicast group on the given NIC.

func (*Stack) NICInfo 

func (s *Stack) NICInfo() map[tcpip.NICID]NICInfo

NICInfo returns a map of NICIDs to their associated information.

func (*Stack) NUDConfigurations 

func (s *Stack) NUDConfigurations(id tcpip.NICID, proto tcpip.NetworkProtocolNumber) (NUDConfigurations, tcpip.Error)

NUDConfigurations gets the per-interface NUD configurations.

func (*Stack) Neighbors 

func (s *Stack) Neighbors(nicID tcpip.NICID, protocol tcpip.NetworkProtocolNumber) ([]NeighborEntry, tcpip.Error)

Neighbors returns all IP to MAC address associations.

func (*Stack) NetworkProtocolInstance 

func (s *Stack) NetworkProtocolInstance(num tcpip.NetworkProtocolNumber) NetworkProtocol

NetworkProtocolInstance returns the protocol instance in the stack for the specified network protocol. This method is public for protocol implementers and tests to use.

func (*Stack) NetworkProtocolOption 

func (s *Stack) NetworkProtocolOption(network tcpip.NetworkProtocolNumber, option tcpip.GettableNetworkProtocolOption) tcpip.Error

NetworkProtocolOption allows retrieving individual protocol level option values. This method returns an error if the protocol is not supported or option is not supported by the protocol implementation. e.g. var v ipv4.MyOption err := s.NetworkProtocolOption(tcpip.IPv4ProtocolNumber, &v) 

if err != nil {
  ...
}

func (*Stack) NewEndpoint 

func (s *Stack) NewEndpoint(transport tcpip.TransportProtocolNumber, network tcpip.NetworkProtocolNumber, waiterQueue *waiter.Queue) (tcpip.Endpoint, tcpip.Error)

NewEndpoint creates a new transport layer endpoint of the given protocol.

func (*Stack) NewJob 

func (s *Stack) NewJob(l sync.Locker, f func()) *tcpip.Job

NewJob returns a new tcpip.Job using the stack's clock.

func (*Stack) NewPacketEndpoint 

func (s *Stack) NewPacketEndpoint(cooked bool, netProto tcpip.NetworkProtocolNumber, waiterQueue *waiter.Queue) (tcpip.Endpoint, tcpip.Error)

NewPacketEndpoint creates a new packet endpoint listening for the given netProto.

func (*Stack) NewRawEndpoint 

func (s *Stack) NewRawEndpoint(transport tcpip.TransportProtocolNumber, network tcpip.NetworkProtocolNumber, waiterQueue *waiter.Queue, associated bool) (tcpip.Endpoint, tcpip.Error)

NewRawEndpoint creates a new raw transport layer endpoint of the given protocol. Raw endpoints receive all traffic for a given protocol regardless of address.

func (*Stack) Option 

func (s *Stack) Option(option interface{}) tcpip.Error

Option allows retrieving stack wide options.

func (*Stack) ParsePacketBufferTransport 

func (s *Stack) ParsePacketBufferTransport(protocol tcpip.TransportProtocolNumber, pkt *PacketBuffer) ParseResult

ParsePacketBufferTransport parses the provided packet buffer's transport header.

func (*Stack) PortRange 

func (s *Stack) PortRange() (uint16, uint16)

PortRange returns the UDP and TCP inclusive range of ephemeral ports used in both IPv4 and IPv6.

func (*Stack) Rand 

func (s *Stack) Rand() *mathrand.Rand

Rand returns a reference to a pseudo random generator that can be used to generate random numbers as required.

func (*Stack) RegisterPacketEndpoint 

func (s *Stack) RegisterPacketEndpoint(nicID tcpip.NICID, netProto tcpip.NetworkProtocolNumber, ep PacketEndpoint) tcpip.Error

RegisterPacketEndpoint registers ep with the stack, causing it to receive all traffic of the specified netProto on the given NIC. If nicID is 0, it receives traffic from every NIC.

func (*Stack) RegisterRawTransportEndpoint 

func (s *Stack) RegisterRawTransportEndpoint(netProto tcpip.NetworkProtocolNumber, transProto tcpip.TransportProtocolNumber, ep RawTransportEndpoint) tcpip.Error

RegisterRawTransportEndpoint registers the given endpoint with the stack transport dispatcher. Received packets that match the provided transport protocol will be delivered to the given endpoint.

func (*Stack) RegisterRestoredEndpoint 

func (s *Stack) RegisterRestoredEndpoint(e ResumableEndpoint)

RegisterRestoredEndpoint records e as an endpoint that has been restored on this stack.

func (*Stack) RegisterTransportEndpoint 

func (s *Stack) RegisterTransportEndpoint(netProtos []tcpip.NetworkProtocolNumber, protocol tcpip.TransportProtocolNumber, id TransportEndpointID, ep TransportEndpoint, flags ports.Flags, bindToDevice tcpip.NICID) tcpip.Error

RegisterTransportEndpoint registers the given endpoint with the stack transport dispatcher. Received packets that match the provided id will be delivered to the given endpoint; specifying a nic is optional, but nic-specific IDs have precedence over global ones.

func (*Stack) RegisteredEndpoints 

func (s *Stack) RegisteredEndpoints() []TransportEndpoint

RegisteredEndpoints returns all endpoints which are currently registered.

func (*Stack) RemoveAddress 

func (s *Stack) RemoveAddress(id tcpip.NICID, addr tcpip.Address) tcpip.Error

RemoveAddress removes an existing network-layer address from the specified NIC.

func (*Stack) RemoveNIC 

func (s *Stack) RemoveNIC(id tcpip.NICID) tcpip.Error

RemoveNIC removes NIC and all related routes from the network stack.

func (*Stack) RemoveNeighbor 

func (s *Stack) RemoveNeighbor(nicID tcpip.NICID, protocol tcpip.NetworkProtocolNumber, addr tcpip.Address) tcpip.Error

RemoveNeighbor removes an IP to MAC address association previously created either automically or by AddStaticNeighbor. Returns ErrBadAddress if there is no association with the provided address.

func (*Stack) RemoveRoutes 

func (s *Stack) RemoveRoutes(match func(tcpip.Route) bool)

RemoveRoutes removes matching routes from the route table.

func (*Stack) RemoveTCPProbe 

func (s *Stack) RemoveTCPProbe()

RemoveTCPProbe removes an installed TCP probe.

NOTE: This only ensures that endpoints created after this call do not have a probe attached. Endpoints already created will continue to invoke TCP probe.

func (*Stack) RestoreCleanupEndpoints 

func (s *Stack) RestoreCleanupEndpoints(es []TransportEndpoint)

RestoreCleanupEndpoints adds endpoints to cleanup tracking. This is useful for restoring a stack after a save.

func (*Stack) Resume 

func (s *Stack) Resume()

Resume restarts the stack after a restore. This must be called after the entire system has been restored.

func (*Stack) SecureRNG 

func (s *Stack) SecureRNG() io.Reader

SecureRNG returns the stack's cryptographically secure random number generator.

func (*Stack) Seed 

func (s *Stack) Seed() uint32

Seed returns a 32 bit value that can be used as a seed value for port picking, ISN generation etc.

NOTE: The seed is generated once during stack initialization only.

func (*Stack) SetForwarding 

func (s *Stack) SetForwarding(protocolNum tcpip.NetworkProtocolNumber, enable bool) tcpip.Error

SetForwarding enables or disables packet forwarding between NICs for the passed protocol.

func (*Stack) SetICMPBurst 

func (s *Stack) SetICMPBurst(burst int)

SetICMPBurst sets the maximum number of ICMP messages that can be sent in a single burst.

func (*Stack) SetICMPLimit 

func (s *Stack) SetICMPLimit(newLimit rate.Limit)

SetICMPLimit sets the maximum number of ICMP messages that be sent in one second.

func (*Stack) SetNUDConfigurations 

func (s *Stack) SetNUDConfigurations(id tcpip.NICID, proto tcpip.NetworkProtocolNumber, c NUDConfigurations) tcpip.Error

SetNUDConfigurations sets the per-interface NUD configurations.

Note, if c contains invalid NUD configuration values, it will be fixed to use default values for the erroneous values.

func (*Stack) SetNetworkProtocolOption 

func (s *Stack) SetNetworkProtocolOption(network tcpip.NetworkProtocolNumber, option tcpip.SettableNetworkProtocolOption) tcpip.Error

SetNetworkProtocolOption allows configuring individual protocol level options. This method returns an error if the protocol is not supported or option is not supported by the protocol implementation or the provided value is incorrect.

func (*Stack) SetOption 

func (s *Stack) SetOption(option interface{}) tcpip.Error

SetOption allows setting stack wide options.

func (*Stack) SetPortRange 

func (s *Stack) SetPortRange(start uint16, end uint16) tcpip.Error

SetPortRange sets the UDP and TCP IPv4 and IPv6 ephemeral port range (inclusive).

func (*Stack) SetPromiscuousMode 

func (s *Stack) SetPromiscuousMode(nicID tcpip.NICID, enable bool) tcpip.Error

SetPromiscuousMode enables or disables promiscuous mode in the given NIC.

func (*Stack) SetRouteTable 

func (s *Stack) SetRouteTable(table []tcpip.Route)

SetRouteTable assigns the route table to be used by this stack. It specifies which NIC to use for given destination address ranges.

This method takes ownership of the table.

func (*Stack) SetSpoofing 

func (s *Stack) SetSpoofing(nicID tcpip.NICID, enable bool) tcpip.Error

SetSpoofing enables or disables address spoofing in the given NIC, allowing endpoints to bind to any address in the NIC.

func (*Stack) SetTransportProtocolHandler 

func (s *Stack) SetTransportProtocolHandler(p tcpip.TransportProtocolNumber, h func(TransportEndpointID, *PacketBuffer) bool)

SetTransportProtocolHandler sets the per-stack default handler for the given protocol.

It must be called only during initialization of the stack. Changing it as the stack is operating is not supported.

func (*Stack) SetTransportProtocolOption 

func (s *Stack) SetTransportProtocolOption(transport tcpip.TransportProtocolNumber, option tcpip.SettableTransportProtocolOption) tcpip.Error

SetTransportProtocolOption allows configuring individual protocol level options. This method returns an error if the protocol is not supported or option is not supported by the protocol implementation or the provided value is incorrect.

func (*Stack) StartTransportEndpointCleanup 

func (s *Stack) StartTransportEndpointCleanup(netProtos []tcpip.NetworkProtocolNumber, protocol tcpip.TransportProtocolNumber, id TransportEndpointID, ep TransportEndpoint, flags ports.Flags, bindToDevice tcpip.NICID)

StartTransportEndpointCleanup removes the endpoint with the given id from the stack transport dispatcher. It also transitions it to the cleanup stage.

func (*Stack) Stats 

func (s *Stack) Stats() tcpip.Stats

Stats returns a mutable copy of the current stats.

This is not generally exported via the public interface, but is available internally.

func (*Stack) TransportProtocolInstance 

func (s *Stack) TransportProtocolInstance(num tcpip.TransportProtocolNumber) TransportProtocol

TransportProtocolInstance returns the protocol instance in the stack for the specified transport protocol. This method is public for protocol implementers and tests to use.

func (*Stack) TransportProtocolOption 

func (s *Stack) TransportProtocolOption(transport tcpip.TransportProtocolNumber, option tcpip.GettableTransportProtocolOption) tcpip.Error

TransportProtocolOption allows retrieving individual protocol level option values. This method returns an error if the protocol is not supported or option is not supported by the protocol implementation. var v tcp.SACKEnabled 

if err := s.TransportProtocolOption(tcpip.TCPProtocolNumber, &v); err != nil {
  ...
}

func (*Stack) UniqueID 

func (s *Stack) UniqueID() uint64

UniqueID returns a unique identifier.

func (*Stack) UnregisterPacketEndpoint 

func (s *Stack) UnregisterPacketEndpoint(nicID tcpip.NICID, netProto tcpip.NetworkProtocolNumber, ep PacketEndpoint)

UnregisterPacketEndpoint unregisters ep for packets of the specified netProto from the specified NIC. If nicID is 0, ep is unregistered from all NICs.

func (*Stack) UnregisterRawTransportEndpoint 

func (s *Stack) UnregisterRawTransportEndpoint(netProto tcpip.NetworkProtocolNumber, transProto tcpip.TransportProtocolNumber, ep RawTransportEndpoint)

UnregisterRawTransportEndpoint removes the endpoint for the transport protocol from the stack transport dispatcher.

func (*Stack) UnregisterTransportEndpoint 

func (s *Stack) UnregisterTransportEndpoint(netProtos []tcpip.NetworkProtocolNumber, protocol tcpip.TransportProtocolNumber, id TransportEndpointID, ep TransportEndpoint, flags ports.Flags, bindToDevice tcpip.NICID)

UnregisterTransportEndpoint removes the endpoint with the given id from the stack transport dispatcher.

func (*Stack) Wait 

func (s *Stack) Wait()

Wait waits for all transport and link endpoints to halt their worker goroutines.

Endpoints created or modified during this call may not get waited on.

Note that link endpoints must be stopped via an implementation specific mechanism.

func (*Stack) WritePacketToRemote 

func (s *Stack) WritePacketToRemote(nicID tcpip.NICID, remote tcpip.LinkAddress, netProto tcpip.NetworkProtocolNumber, payload buffer.VectorisedView) tcpip.Error

WritePacketToRemote writes a payload on the specified NIC using the provided network protocol and remote link address.

type SupportedGSO 

type SupportedGSO int

SupportedGSO returns the type of segmentation offloading supported. 

const (
	// GSONotSupported indicates that segmentation offloading is not supported.
	GSONotSupported SupportedGSO = iota

	// HWGSOSupported indicates that segmentation offloading may be performed by
	// the hardware.
	HWGSOSupported

	// SWGSOSupported indicates that segmentation offloading may be performed in
	// software.
	SWGSOSupported
)

type TCPCubicState 

type TCPCubicState struct {
	// WLastMax is the previous wMax value.
	WLastMax float64

	// WMax is the value of the congestion window at the time of the last
	// congestion event.
	WMax float64

	// T is the time when the current congestion avoidance was entered.
	T time.Time `state:".(unixTime)"`

	// TimeSinceLastCongestion denotes the time since the current
	// congestion avoidance was entered.
	TimeSinceLastCongestion time.Duration

	// C is the cubic constant as specified in RFC8312, page 11.
	C float64

	// K is the time period (in seconds) that the above function takes to
	// increase the current window size to WMax if there are no further
	// congestion events and is calculated using the following equation:
	//
	// K = cubic_root(WMax*(1-beta_cubic)/C) (Eq. 2, page 5)
	K float64

	// Beta is the CUBIC multiplication decrease factor. That is, when a
	// congestion event is detected, CUBIC reduces its cwnd to
	// WC(0)=WMax*beta_cubic.
	Beta float64

	// WC is window computed by CUBIC at time TimeSinceLastCongestion. It's
	// calculated using the formula:
	//
	//  WC(TimeSinceLastCongestion) = C*(t-K)^3 + WMax (Eq. 1)
	WC float64

	// WEst is the window computed by CUBIC at time
	// TimeSinceLastCongestion+RTT i.e WC(TimeSinceLastCongestion+RTT).
	WEst float64
}

TCPCubicState is used to hold a copy of the internal cubic state when the TCPProbeFunc is invoked.

+stateify savable

func (*TCPCubicState) StateFields 

func (t *TCPCubicState) StateFields() []string

func (*TCPCubicState) StateLoad 

func (t *TCPCubicState) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*TCPCubicState) StateSave 

func (t *TCPCubicState) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*TCPCubicState) StateTypeName 

func (t *TCPCubicState) StateTypeName() string

type TCPEndpointID 

type TCPEndpointID struct {
	// LocalPort is the local port associated with the endpoint.
	LocalPort uint16

	// LocalAddress is the local [network layer] address associated with
	// the endpoint.
	LocalAddress tcpip.Address

	// RemotePort is the remote port associated with the endpoint.
	RemotePort uint16

	// RemoteAddress it the remote [network layer] address associated with
	// the endpoint.
	RemoteAddress tcpip.Address
}

TCPEndpointID is the unique 4 tuple that identifies a given endpoint.

+stateify savable

func (*TCPEndpointID) StateFields 

func (t *TCPEndpointID) StateFields() []string

func (*TCPEndpointID) StateLoad 

func (t *TCPEndpointID) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*TCPEndpointID) StateSave 

func (t *TCPEndpointID) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*TCPEndpointID) StateTypeName 

func (t *TCPEndpointID) StateTypeName() string

type TCPEndpointState 

type TCPEndpointState struct {
	// TCPEndpointStateInner contains the members of TCPEndpointState used
	// by the endpoint's internal implementation.
	TCPEndpointStateInner

	// ID is a copy of the TransportEndpointID for the endpoint.
	ID TCPEndpointID

	// SegTime denotes the absolute time when this segment was received.
	SegTime time.Time `state:".(unixTime)"`

	// RcvBufState contains information about the state of the endpoint's
	// receive socket buffer.
	RcvBufState TCPRcvBufState

	// SndBufState contains information about the state of the endpoint's
	// send socket buffer.
	SndBufState TCPSndBufState

	// SACK holds TCP SACK related information for this endpoint.
	SACK TCPSACKInfo

	// Receiver holds variables related to the TCP receiver for the
	// endpoint.
	Receiver TCPReceiverState

	// Sender holds state related to the TCP Sender for the endpoint.
	Sender TCPSenderState
}

TCPEndpointState is a copy of the internal state of a TCP endpoint.

+stateify savable

func (*TCPEndpointState) StateFields 

func (t *TCPEndpointState) StateFields() []string

func (*TCPEndpointState) StateLoad 

func (t *TCPEndpointState) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*TCPEndpointState) StateSave 

func (t *TCPEndpointState) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*TCPEndpointState) StateTypeName 

func (t *TCPEndpointState) StateTypeName() string

type TCPEndpointStateInner 

type TCPEndpointStateInner struct {
	// TSOffset is a randomized offset added to the value of the TSVal
	// field in the timestamp option.
	TSOffset uint32

	// SACKPermitted is set to true if the peer sends the TCPSACKPermitted
	// option in the SYN/SYN-ACK.
	SACKPermitted bool

	// SendTSOk is used to indicate when the TS Option has been negotiated.
	// When sendTSOk is true every non-RST segment should carry a TS as per
	// RFC7323#section-1.1.
	SendTSOk bool

	// RecentTS is the timestamp that should be sent in the TSEcr field of
	// the timestamp for future segments sent by the endpoint. This field
	// is updated if required when a new segment is received by this
	// endpoint.
	RecentTS uint32
}

TCPEndpointStateInner contains the members of TCPEndpointState used directly (that is, not within another containing struct) within the endpoint's internal implementation.

+stateify savable

func (*TCPEndpointStateInner) StateFields 

func (t *TCPEndpointStateInner) StateFields() []string

func (*TCPEndpointStateInner) StateLoad 

func (t *TCPEndpointStateInner) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*TCPEndpointStateInner) StateSave 

func (t *TCPEndpointStateInner) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*TCPEndpointStateInner) StateTypeName 

func (t *TCPEndpointStateInner) StateTypeName() string

type TCPFastRecoveryState 

type TCPFastRecoveryState struct {
	// Active if true indicates the endpoint is in fast recovery. The
	// following fields are only meaningful when Active is true.
	Active bool

	// First is the first unacknowledged sequence number being recovered.
	First seqnum.Value

	// Last is the 'recover' sequence number that indicates the point at
	// which we should exit recovery barring any timeouts etc.
	Last seqnum.Value

	// MaxCwnd is the maximum value we are permitted to grow the congestion
	// window during recovery. This is set at the time we enter recovery.
	// It exists to avoid attacks where the receiver intentionally sends
	// duplicate acks to artificially inflate the sender's cwnd.
	MaxCwnd int

	// HighRxt is the highest sequence number which has been retransmitted
	// during the current loss recovery phase.  See: RFC 6675 Section 2 for
	// details.
	HighRxt seqnum.Value

	// RescueRxt is the highest sequence number which has been
	// optimistically retransmitted to prevent stalling of the ACK clock
	// when there is loss at the end of the window and no new data is
	// available for transmission.  See: RFC 6675 Section 2 for details.
	RescueRxt seqnum.Value
}

TCPFastRecoveryState holds a copy of the internal fast recovery state of a TCP endpoint.

+stateify savable

func (*TCPFastRecoveryState) StateFields 

func (t *TCPFastRecoveryState) StateFields() []string

func (*TCPFastRecoveryState) StateLoad 

func (t *TCPFastRecoveryState) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*TCPFastRecoveryState) StateSave 

func (t *TCPFastRecoveryState) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*TCPFastRecoveryState) StateTypeName 

func (t *TCPFastRecoveryState) StateTypeName() string

type TCPInvalidRateLimitOption 

type TCPInvalidRateLimitOption time.Duration

TCPInvalidRateLimitOption is used by stack.(Stack*).Option/SetOption to get/set stack.tcpInvalidRateLimit.

type TCPProbeFunc 

type TCPProbeFunc func(s TCPEndpointState)

TCPProbeFunc is the expected function type for a TCP probe function to be passed to stack.AddTCPProbe.

type TCPRACKState 

type TCPRACKState struct {
	// XmitTime is the transmission timestamp of the most recent
	// acknowledged segment.
	XmitTime time.Time `state:".(unixTime)"`

	// EndSequence is the ending TCP sequence number of the most recent
	// acknowledged segment.
	EndSequence seqnum.Value

	// FACK is the highest selectively or cumulatively acknowledged
	// sequence.
	FACK seqnum.Value

	// RTT is the round trip time of the most recently delivered packet on
	// the connection (either cumulatively acknowledged or selectively
	// acknowledged) that was not marked invalid as a possible spurious
	// retransmission.
	RTT time.Duration

	// Reord is true iff reordering has been detected on this connection.
	Reord bool

	// DSACKSeen is true iff the connection has seen a DSACK.
	DSACKSeen bool

	// ReoWnd is the reordering window time used for recording packet
	// transmission times. It is used to defer the moment at which RACK
	// marks a packet lost.
	ReoWnd time.Duration

	// ReoWndIncr is the multiplier applied to adjust reorder window.
	ReoWndIncr uint8

	// ReoWndPersist is the number of loss recoveries before resetting
	// reorder window.
	ReoWndPersist int8

	// RTTSeq is the SND.NXT when RTT is updated.
	RTTSeq seqnum.Value
}

TCPRACKState is used to hold a copy of the internal RACK state when the TCPProbeFunc is invoked.

+stateify savable

func (*TCPRACKState) StateFields 

func (t *TCPRACKState) StateFields() []string

func (*TCPRACKState) StateLoad 

func (t *TCPRACKState) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*TCPRACKState) StateSave 

func (t *TCPRACKState) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*TCPRACKState) StateTypeName 

func (t *TCPRACKState) StateTypeName() string

type TCPRTTState 

type TCPRTTState struct {
	// SRTT is the smoothed round trip time defined in section 2 of RFC
	// 6298.
	SRTT time.Duration

	// RTTVar is the round-trip time variation as defined in section 2 of
	// RFC 6298.
	RTTVar time.Duration

	// SRTTInited if true indicates that a valid RTT measurement has been
	// completed.
	SRTTInited bool
}

TCPRTTState holds a copy of information about the endpoint's round trip time.

+stateify savable

func (*TCPRTTState) StateFields 

func (t *TCPRTTState) StateFields() []string

func (*TCPRTTState) StateLoad 

func (t *TCPRTTState) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*TCPRTTState) StateSave 

func (t *TCPRTTState) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*TCPRTTState) StateTypeName 

func (t *TCPRTTState) StateTypeName() string

type TCPRcvBufState 

type TCPRcvBufState struct {
	// RcvBufUsed is the amount of bytes actually held in the receive
	// socket buffer for the endpoint.
	RcvBufUsed int

	// RcvBufAutoTuneParams is used to hold state variables to compute the
	// auto tuned receive buffer size.
	RcvAutoParams RcvBufAutoTuneParams

	// RcvClosed if true, indicates the endpoint has been closed for
	// reading.
	RcvClosed bool
}

TCPRcvBufState contains information about the state of an endpoint's receive socket buffer.

+stateify savable

func (*TCPRcvBufState) StateFields 

func (t *TCPRcvBufState) StateFields() []string

func (*TCPRcvBufState) StateLoad 

func (t *TCPRcvBufState) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*TCPRcvBufState) StateSave 

func (t *TCPRcvBufState) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*TCPRcvBufState) StateTypeName 

func (t *TCPRcvBufState) StateTypeName() string

type TCPReceiverState 

type TCPReceiverState struct {
	// RcvNxt is the TCP variable RCV.NXT.
	RcvNxt seqnum.Value

	// RcvAcc is one beyond the last acceptable sequence number. That is,
	// the "largest" sequence value that the receiver has announced to its
	// peer that it's willing to accept. This may be different than RcvNxt
	// + (last advertised receive window) if the receive window is reduced;
	// in that case we have to reduce the window as we receive more data
	// instead of shrinking it.
	RcvAcc seqnum.Value

	// RcvWndScale is the window scaling to use for inbound segments.
	RcvWndScale uint8

	// PendingBufUsed is the number of bytes pending in the receive queue.
	PendingBufUsed int
}

TCPReceiverState holds a copy of the internal state of the receiver for a given TCP endpoint.

+stateify savable

func (*TCPReceiverState) StateFields 

func (t *TCPReceiverState) StateFields() []string

func (*TCPReceiverState) StateLoad 

func (t *TCPReceiverState) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*TCPReceiverState) StateSave 

func (t *TCPReceiverState) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*TCPReceiverState) StateTypeName 

func (t *TCPReceiverState) StateTypeName() string

type TCPSACKInfo 

type TCPSACKInfo struct {
	// Blocks is the list of SACK Blocks that identify the out of order
	// segments held by a given TCP endpoint.
	Blocks []header.SACKBlock

	// ReceivedBlocks are the SACK blocks received by this endpoint from
	// the peer endpoint.
	ReceivedBlocks []header.SACKBlock

	// MaxSACKED is the highest sequence number that has been SACKED by the
	// peer.
	MaxSACKED seqnum.Value
}

TCPSACKInfo holds TCP SACK related information for a given TCP endpoint.

+stateify savable

func (*TCPSACKInfo) StateFields 

func (t *TCPSACKInfo) StateFields() []string

func (*TCPSACKInfo) StateLoad 

func (t *TCPSACKInfo) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*TCPSACKInfo) StateSave 

func (t *TCPSACKInfo) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*TCPSACKInfo) StateTypeName 

func (t *TCPSACKInfo) StateTypeName() string

type TCPSenderState 

type TCPSenderState struct {
	// LastSendTime is the timestamp at which we sent the last segment.
	LastSendTime time.Time `state:".(unixTime)"`

	// DupAckCount is the number of Duplicate ACKs received. It is used for
	// fast retransmit.
	DupAckCount int

	// SndCwnd is the size of the sending congestion window in packets.
	SndCwnd int

	// Ssthresh is the threshold between slow start and congestion
	// avoidance.
	Ssthresh int

	// SndCAAckCount is the number of packets acknowledged during
	// congestion avoidance. When enough packets have been ack'd (typically
	// cwnd packets), the congestion window is incremented by one.
	SndCAAckCount int

	// Outstanding is the number of packets that have been sent but not yet
	// acknowledged.
	Outstanding int

	// SackedOut is the number of packets which have been selectively
	// acked.
	SackedOut int

	// SndWnd is the send window size in bytes.
	SndWnd seqnum.Size

	// SndUna is the next unacknowledged sequence number.
	SndUna seqnum.Value

	// SndNxt is the sequence number of the next segment to be sent.
	SndNxt seqnum.Value

	// RTTMeasureSeqNum is the sequence number being used for the latest
	// RTT measurement.
	RTTMeasureSeqNum seqnum.Value

	// RTTMeasureTime is the time when the RTTMeasureSeqNum was sent.
	RTTMeasureTime time.Time `state:".(unixTime)"`

	// Closed indicates that the caller has closed the endpoint for
	// sending.
	Closed bool

	// RTO is the retransmit timeout as defined in section of 2 of RFC
	// 6298.
	RTO time.Duration

	// RTTState holds information about the endpoint's round trip time.
	RTTState TCPRTTState

	// MaxPayloadSize is the maximum size of the payload of a given
	// segment.  It is initialized on demand.
	MaxPayloadSize int

	// SndWndScale is the number of bits to shift left when reading the
	// send window size from a segment.
	SndWndScale uint8

	// MaxSentAck is the highest acknowledgement number sent till now.
	MaxSentAck seqnum.Value

	// FastRecovery holds the fast recovery state for the endpoint.
	FastRecovery TCPFastRecoveryState

	// Cubic holds the state related to CUBIC congestion control.
	Cubic TCPCubicState

	// RACKState holds the state related to RACK loss detection algorithm.
	RACKState TCPRACKState
}

TCPSenderState holds a copy of the internal state of the sender for a given TCP Endpoint.

+stateify savable

func (*TCPSenderState) StateFields 

func (t *TCPSenderState) StateFields() []string

func (*TCPSenderState) StateLoad 

func (t *TCPSenderState) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*TCPSenderState) StateSave 

func (t *TCPSenderState) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*TCPSenderState) StateTypeName 

func (t *TCPSenderState) StateTypeName() string

type TCPSndBufState 

type TCPSndBufState struct {
	// SndBufSize is the size of the socket send buffer.
	SndBufSize int

	// SndBufUsed is the number of bytes held in the socket send buffer.
	SndBufUsed int

	// SndClosed indicates that the endpoint has been closed for sends.
	SndClosed bool

	// SndBufInQueue is the number of bytes in the send queue.
	SndBufInQueue seqnum.Size

	// PacketTooBigCount is used to notify the main protocol routine how
	// many times a "packet too big" control packet is received.
	PacketTooBigCount int

	// SndMTU is the smallest MTU seen in the control packets received.
	SndMTU int
}

TCPSndBufState contains information about the state of an endpoint's send socket buffer.

+stateify savable

func (*TCPSndBufState) StateFields 

func (t *TCPSndBufState) StateFields() []string

func (*TCPSndBufState) StateLoad 

func (t *TCPSndBufState) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*TCPSndBufState) StateSave 

func (t *TCPSndBufState) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*TCPSndBufState) StateTypeName 

func (t *TCPSndBufState) StateTypeName() string

type Table 

type Table struct {
	// Rules holds the rules that make up the table.
	Rules []Rule

	// BuiltinChains maps builtin chains to their entrypoint rule in Rules.
	BuiltinChains [NumHooks]int

	// Underflows maps builtin chains to their underflow rule in Rules
	// (i.e. the rule to execute if the chain returns without a verdict).
	Underflows [NumHooks]int
}

A Table defines a set of chains and hooks into the network stack.

It is a list of Rules, entry points (BuiltinChains), and error handlers (Underflows). As packets traverse netstack, they hit hooks. When a packet hits a hook, iptables compares it to Rules starting from that hook's entry point. So if a packet hits the Input hook, we look up the corresponding entry point in BuiltinChains and jump to that point.

If the Rule doesn't match the packet, iptables continues to the next Rule. If a Rule does match, it can issue a verdict on the packet (e.g. RuleAccept or RuleDrop) that causes the packet to stop traversing iptables. It can also jump to other rules or perform custom actions based on Rule.Target.

Underflow Rules are invoked when a chain returns without reaching a verdict.

+stateify savable

func EmptyFilterTable 

func EmptyFilterTable() Table

EmptyFilterTable returns a Table with no rules and the filter table chains mapped to HookUnset.

func EmptyNATTable 

func EmptyNATTable() Table

EmptyNATTable returns a Table with no rules and the filter table chains mapped to HookUnset.

func (*Table) StateFields 

func (table *Table) StateFields() []string

func (*Table) StateLoad 

func (table *Table) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*Table) StateSave 

func (table *Table) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*Table) StateTypeName 

func (table *Table) StateTypeName() string

func (*Table) ValidHooks 

func (table *Table) ValidHooks() uint32

ValidHooks returns a bitmap of the builtin hooks for the given table.

type TableID 

type TableID int

TableID identifies a specific table. 

const (
	NATID TableID = iota
	MangleID
	FilterID
	NumTables
)

Each value identifies a specific table.

type Target 

type Target interface {
	// Action takes an action on the packet and returns a verdict on how
	// traversal should (or should not) continue. If the return value is
	// Jump, it also returns the index of the rule to jump to.
	Action(*PacketBuffer, *ConnTrack, Hook, *Route, tcpip.Address) (RuleVerdict, int)
}

A Target is the interface for taking an action for a packet.

type TransportDispatcher 

type TransportDispatcher interface {
	// DeliverTransportPacket delivers packets to the appropriate
	// transport protocol endpoint.
	//
	// pkt.NetworkHeader must be set before calling DeliverTransportPacket.
	//
	// DeliverTransportPacket takes ownership of the packet.
	DeliverTransportPacket(tcpip.TransportProtocolNumber, *PacketBuffer) TransportPacketDisposition

	// DeliverTransportError delivers an error to the appropriate transport
	// endpoint.
	//
	// DeliverTransportError takes ownership of the packet buffer.
	DeliverTransportError(local, remote tcpip.Address, _ tcpip.NetworkProtocolNumber, _ tcpip.TransportProtocolNumber, _ TransportError, _ *PacketBuffer)
}

TransportDispatcher contains the methods used by the network stack to deliver packets to the appropriate transport endpoint after it has been handled by the network layer.

type TransportEndpoint 

type TransportEndpoint interface {
	// UniqueID returns an unique ID for this transport endpoint.
	UniqueID() uint64

	// HandlePacket is called by the stack when new packets arrive to this
	// transport endpoint. It sets the packet buffer's transport header.
	//
	// HandlePacket takes ownership of the packet.
	HandlePacket(TransportEndpointID, *PacketBuffer)

	// HandleError is called when the transport endpoint receives an error.
	//
	// HandleError takes ownership of the packet buffer.
	HandleError(TransportError, *PacketBuffer)

	// Abort initiates an expedited endpoint teardown. It puts the endpoint
	// in a closed state and frees all resources associated with it. This
	// cleanup may happen asynchronously. Wait can be used to block on this
	// asynchronous cleanup.
	Abort()

	// Wait waits for any worker goroutines owned by the endpoint to stop.
	//
	// An endpoint can be requested to stop its worker goroutines by calling
	// its Close method.
	//
	// Wait will not block if the endpoint hasn't started any goroutines
	// yet, even if it might later.
	Wait()
}

TransportEndpoint is the interface that needs to be implemented by transport protocol (e.g., tcp, udp) endpoints that can handle packets.

type TransportEndpointID 

type TransportEndpointID struct {
	// LocalPort is the local port associated with the endpoint.
	LocalPort uint16

	// LocalAddress is the local [network layer] address associated with
	// the endpoint.
	LocalAddress tcpip.Address

	// RemotePort is the remote port associated with the endpoint.
	RemotePort uint16

	// RemoteAddress it the remote [network layer] address associated with
	// the endpoint.
	RemoteAddress tcpip.Address
}

TransportEndpointID is the identifier of a transport layer protocol endpoint.

+stateify savable

func (*TransportEndpointID) StateFields 

func (t *TransportEndpointID) StateFields() []string

func (*TransportEndpointID) StateLoad 

func (t *TransportEndpointID) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*TransportEndpointID) StateSave 

func (t *TransportEndpointID) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*TransportEndpointID) StateTypeName 

func (t *TransportEndpointID) StateTypeName() string

type TransportEndpointInfo 

type TransportEndpointInfo struct {
	NetProto   tcpip.NetworkProtocolNumber
	TransProto tcpip.TransportProtocolNumber

	ID TransportEndpointID
	// BindNICID and bindAddr are set via calls to Bind(). They are used to
	// reject attempts to send data or connect via a different NIC or
	// address
	BindNICID tcpip.NICID
	BindAddr  tcpip.Address
	// RegisterNICID is the default NICID registered as a side-effect of
	// connect or datagram write.
	RegisterNICID tcpip.NICID
}

TransportEndpointInfo holds useful information about a transport endpoint which can be queried by monitoring tools.

+stateify savable

func (*TransportEndpointInfo) AddrNetProtoLocked 

func (t *TransportEndpointInfo) AddrNetProtoLocked(addr tcpip.FullAddress, v6only bool) (tcpip.FullAddress, tcpip.NetworkProtocolNumber, tcpip.Error)

AddrNetProtoLocked unwraps the specified address if it is a V4-mapped V6 address and returns the network protocol number to be used to communicate with the specified address. It returns an error if the passed address is incompatible with the receiver.

Preconditon: the parent endpoint mu must be held while calling this method.

func (*TransportEndpointInfo) IsEndpointInfo 

func (*TransportEndpointInfo) IsEndpointInfo()

IsEndpointInfo is an empty method to implement the tcpip.EndpointInfo marker interface.

func (*TransportEndpointInfo) StateFields 

func (t *TransportEndpointInfo) StateFields() []string

func (*TransportEndpointInfo) StateLoad 

func (t *TransportEndpointInfo) StateLoad(stateSourceObject state.Source)

+checklocksignore

func (*TransportEndpointInfo) StateSave 

func (t *TransportEndpointInfo) StateSave(stateSinkObject state.Sink)

+checklocksignore

func (*TransportEndpointInfo) StateTypeName 

func (t *TransportEndpointInfo) StateTypeName() string

type TransportError 

type TransportError interface {
	tcpip.SockErrorCause

	// Kind returns the type of the transport error.
	Kind() TransportErrorKind
}

TransportError is a marker interface for errors that may be handled by the transport layer.

type TransportErrorKind 

type TransportErrorKind int

TransportErrorKind enumerates error types that are handled by the transport layer. 

const (
	// PacketTooBigTransportError indicates that a packet did not reach its
	// destination because a link on the path to the destination had an MTU that
	// was too small to carry the packet.
	PacketTooBigTransportError TransportErrorKind = iota

	// DestinationHostUnreachableTransportError indicates that the destination
	// host was unreachable.
	DestinationHostUnreachableTransportError

	// DestinationPortUnreachableTransportError indicates that a packet reached
	// the destination host, but the transport protocol was not active on the
	// destination port.
	DestinationPortUnreachableTransportError

	// DestinationNetworkUnreachableTransportError indicates that the destination
	// network was unreachable.
	DestinationNetworkUnreachableTransportError
)

type TransportPacketDisposition 

type TransportPacketDisposition int

TransportPacketDisposition is the result from attempting to deliver a packet to the transport layer. 

const (
	// TransportPacketHandled indicates that a transport packet was handled by the
	// transport layer and callers need not take any further action.
	TransportPacketHandled TransportPacketDisposition = iota

	// TransportPacketProtocolUnreachable indicates that the transport
	// protocol requested in the packet is not supported.
	TransportPacketProtocolUnreachable

	// TransportPacketDestinationPortUnreachable indicates that there weren't any
	// listeners interested in the packet and the transport protocol has no means
	// to notify the sender.
	TransportPacketDestinationPortUnreachable
)

type TransportProtocol 

type TransportProtocol interface {
	// Number returns the transport protocol number.
	Number() tcpip.TransportProtocolNumber

	// NewEndpoint creates a new endpoint of the transport protocol.
	NewEndpoint(netProto tcpip.NetworkProtocolNumber, waitQueue *waiter.Queue) (tcpip.Endpoint, tcpip.Error)

	// NewRawEndpoint creates a new raw endpoint of the transport protocol.
	NewRawEndpoint(netProto tcpip.NetworkProtocolNumber, waitQueue *waiter.Queue) (tcpip.Endpoint, tcpip.Error)

	// MinimumPacketSize returns the minimum valid packet size of this
	// transport protocol. The stack automatically drops any packets smaller
	// than this targeted at this protocol.
	MinimumPacketSize() int

	// ParsePorts returns the source and destination ports stored in a
	// packet of this protocol.
	ParsePorts(v buffer.View) (src, dst uint16, err tcpip.Error)

	// HandleUnknownDestinationPacket handles packets targeted at this
	// protocol that don't match any existing endpoint. For example,
	// it is targeted at a port that has no listeners.
	//
	// HandleUnknownDestinationPacket takes ownership of the packet if it handles
	// the issue.
	HandleUnknownDestinationPacket(TransportEndpointID, *PacketBuffer) UnknownDestinationPacketDisposition

	// SetOption allows enabling/disabling protocol specific features.
	// SetOption returns an error if the option is not supported or the
	// provided option value is invalid.
	SetOption(option tcpip.SettableTransportProtocolOption) tcpip.Error

	// Option allows retrieving protocol specific option values.
	// Option returns an error if the option is not supported or the
	// provided option value is invalid.
	Option(option tcpip.GettableTransportProtocolOption) tcpip.Error

	// Close requests that any worker goroutines owned by the protocol
	// stop.
	Close()

	// Wait waits for any worker goroutines owned by the protocol to stop.
	Wait()

	// Parse sets pkt.TransportHeader and trims pkt.Data appropriately. It does
	// neither and returns false if pkt.Data is too small, i.e. pkt.Data.Size() <
	// MinimumPacketSize()
	Parse(pkt *PacketBuffer) (ok bool)
}

TransportProtocol is the interface that needs to be implemented by transport protocols (e.g., tcp, udp) that want to be part of the networking stack.

type TransportProtocolFactory 

type TransportProtocolFactory func(*Stack) TransportProtocol

TransportProtocolFactory instantiates a transport protocol.

TransportProtocolFactory must not attempt to modify the stack, it may only query the stack.

type UniqueID 

type UniqueID interface {
	UniqueID() uint64
}

UniqueID is an abstract generator of unique identifiers.

type UnknownDestinationPacketDisposition 

type UnknownDestinationPacketDisposition int

UnknownDestinationPacketDisposition enumerates the possible return values from HandleUnknownDestinationPacket(). 

const (
	// UnknownDestinationPacketMalformed denotes that the packet was malformed
	// and no further processing should be attempted other than updating
	// statistics.
	UnknownDestinationPacketMalformed UnknownDestinationPacketDisposition = iota

	// UnknownDestinationPacketUnhandled tells the caller that the packet was
	// well formed but that the issue was not handled and the stack should take
	// the default action.
	UnknownDestinationPacketUnhandled

	// UnknownDestinationPacketHandled tells the caller that it should do
	// no further processing.
	UnknownDestinationPacketHandled
)

type UserChainTarget 

type UserChainTarget struct {
	// Name is the chain name.
	Name string

	// NetworkProtocol is the network protocol the target is used with.
	NetworkProtocol tcpip.NetworkProtocolNumber
}

UserChainTarget marks a rule as the beginning of a user chain.

func (*UserChainTarget) Action 

func (*UserChainTarget) Action(*PacketBuffer, *ConnTrack, Hook, *Route, tcpip.Address) (RuleVerdict, int)

Action implements Target.Action.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.