netfilter

package
v0.0.0-202406181927 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 18, 2024 License: Apache-2.0, MIT Imports: 16 Imported by: 0

Documentation

Overview

Package netfilter helps the sentry interact with netstack's netfilter capabilities.

Index

Constants

View Source
const DNATTargetName = "DNAT"

DNATTargetName is used to mark targets as DNAT targets. DNAT targets should be reached for only NAT table. These targets will change the source port and/or IP for packets.

View Source
const ErrorTargetName = "ERROR"

ErrorTargetName is used to mark targets as error targets. Error targets shouldn't be reached - an error has occurred if we fall through to one.

View Source
const RedirectTargetName = "REDIRECT"

RedirectTargetName is used to mark targets as redirect targets. Redirect targets should be reached for only NAT and Mangle tables. These targets will change the destination port and/or IP for packets.

View Source
const SNATTargetName = "SNAT"

SNATTargetName is used to mark targets as SNAT targets. SNAT targets should be reached for only NAT table. These targets will change the source port and/or IP for packets.

Variables

This section is empty.

Functions

func DefaultLinuxTables

func DefaultLinuxTables(clock tcpip.Clock, rand *rand.Rand) *stack.IPTables

DefaultLinuxTables returns the rules of stack.DefaultTables() wrapped for compatibility with netfilter extensions.

func GetEntries4

func GetEntries4(t *kernel.Task, stack *stack.Stack, outPtr hostarch.Addr, outLen int) (linux.KernelIPTGetEntries, *syserr.Error)

GetEntries4 returns netstack's iptables rules.

func GetEntries6

func GetEntries6(t *kernel.Task, stack *stack.Stack, outPtr hostarch.Addr, outLen int) (linux.KernelIP6TGetEntries, *syserr.Error)

GetEntries6 returns netstack's ip6tables rules.

func GetInfo

func GetInfo(t *kernel.Task, stack *stack.Stack, outPtr hostarch.Addr, ipv6 bool) (linux.IPTGetinfo, *syserr.Error)

GetInfo returns information about iptables.

func SetEntries

func SetEntries(mapper IDMapper, stk *stack.Stack, optVal []byte, ipv6 bool) *syserr.Error

SetEntries sets iptables rules for a single table. See net/ipv4/netfilter/ip_tables.c:translate_table for reference.

func TargetRevision

func TargetRevision(t *kernel.Task, revPtr hostarch.Addr, netProto tcpip.NetworkProtocolNumber) (linux.XTGetRevision, *syserr.Error)

TargetRevision returns a linux.XTGetRevision for a given target. It sets Revision to the highest supported value, unless the provided revision number is larger.

Types

type IDMapper

type IDMapper interface {
	MapToKUID(uid auth.UID) auth.KUID
	MapToKGID(uid auth.GID) auth.KGID
}

An IDMapper maps UIDs and GIDs to KUIDs and KGIDs.

type JumpTarget

type JumpTarget struct {
	// Offset is the byte offset of the rule to jump to. It is used for
	// marshaling and unmarshaling.
	Offset uint32

	// RuleNum is the rule to jump to.
	RuleNum int

	// NetworkProtocol is the network protocol the target is used with.
	NetworkProtocol tcpip.NetworkProtocolNumber
}

JumpTarget implements stack.Target.

+stateify savable

func (*JumpTarget) Action

Action implements stack.Target.Action.

type OwnerMatcher

type OwnerMatcher struct {
	// contains filtered or unexported fields
}

OwnerMatcher matches against a UID and/or GID.

func (*OwnerMatcher) Match

func (om *OwnerMatcher) Match(hook stack.Hook, pkt *stack.PacketBuffer, _, _ string) (bool, bool)

Match implements Matcher.Match.

type OwnerMatcherV1

type OwnerMatcherV1 struct {
	// contains filtered or unexported fields
}

OwnerMatcherV1 matches against a UID and/or GID.

func (*OwnerMatcherV1) Match

func (om *OwnerMatcherV1) Match(hook stack.Hook, pkt *stack.PacketBuffer, _, _ string) (bool, bool)

Match implements Matcher.Match.

type TCPMatcher

type TCPMatcher struct {
	// contains filtered or unexported fields
}

TCPMatcher matches TCP packets and their headers. It implements Matcher.

func (*TCPMatcher) Match

func (tm *TCPMatcher) Match(hook stack.Hook, pkt *stack.PacketBuffer, _, _ string) (bool, bool)

Match implements Matcher.Match.

type UDPMatcher

type UDPMatcher struct {
	// contains filtered or unexported fields
}

UDPMatcher matches UDP packets and their headers. It implements Matcher.

func (*UDPMatcher) Match

func (um *UDPMatcher) Match(hook stack.Hook, pkt *stack.PacketBuffer, _, _ string) (bool, bool)

Match implements Matcher.Match.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL