Documentation ¶
Overview ¶
Package netfilter helps the sentry interact with netstack's netfilter capabilities.
Index ¶
- Constants
- func DefaultLinuxTables(clock tcpip.Clock, rand *rand.Rand) *stack.IPTables
- func GetEntries4(t *kernel.Task, stack *stack.Stack, outPtr hostarch.Addr, outLen int) (linux.KernelIPTGetEntries, *syserr.Error)
- func GetEntries6(t *kernel.Task, stack *stack.Stack, outPtr hostarch.Addr, outLen int) (linux.KernelIP6TGetEntries, *syserr.Error)
- func GetInfo(t *kernel.Task, stack *stack.Stack, outPtr hostarch.Addr, ipv6 bool) (linux.IPTGetinfo, *syserr.Error)
- func SetEntries(mapper IDMapper, stk *stack.Stack, optVal []byte, ipv6 bool) *syserr.Error
- func TargetRevision(t *kernel.Task, revPtr hostarch.Addr, netProto tcpip.NetworkProtocolNumber) (linux.XTGetRevision, *syserr.Error)
- type IDMapper
- type JumpTarget
- type OwnerMatcher
- type OwnerMatcherV1
- type TCPMatcher
- type UDPMatcher
Constants ¶
const DNATTargetName = "DNAT"
DNATTargetName is used to mark targets as DNAT targets. DNAT targets should be reached for only NAT table. These targets will change the source port and/or IP for packets.
const ErrorTargetName = "ERROR"
ErrorTargetName is used to mark targets as error targets. Error targets shouldn't be reached - an error has occurred if we fall through to one.
const RedirectTargetName = "REDIRECT"
RedirectTargetName is used to mark targets as redirect targets. Redirect targets should be reached for only NAT and Mangle tables. These targets will change the destination port and/or IP for packets.
const SNATTargetName = "SNAT"
SNATTargetName is used to mark targets as SNAT targets. SNAT targets should be reached for only NAT table. These targets will change the source port and/or IP for packets.
Variables ¶
This section is empty.
Functions ¶
func DefaultLinuxTables ¶
DefaultLinuxTables returns the rules of stack.DefaultTables() wrapped for compatibility with netfilter extensions.
func GetEntries4 ¶
func GetEntries4(t *kernel.Task, stack *stack.Stack, outPtr hostarch.Addr, outLen int) (linux.KernelIPTGetEntries, *syserr.Error)
GetEntries4 returns netstack's iptables rules.
func GetEntries6 ¶
func GetEntries6(t *kernel.Task, stack *stack.Stack, outPtr hostarch.Addr, outLen int) (linux.KernelIP6TGetEntries, *syserr.Error)
GetEntries6 returns netstack's ip6tables rules.
func GetInfo ¶
func GetInfo(t *kernel.Task, stack *stack.Stack, outPtr hostarch.Addr, ipv6 bool) (linux.IPTGetinfo, *syserr.Error)
GetInfo returns information about iptables.
func SetEntries ¶
SetEntries sets iptables rules for a single table. See net/ipv4/netfilter/ip_tables.c:translate_table for reference.
func TargetRevision ¶
func TargetRevision(t *kernel.Task, revPtr hostarch.Addr, netProto tcpip.NetworkProtocolNumber) (linux.XTGetRevision, *syserr.Error)
TargetRevision returns a linux.XTGetRevision for a given target. It sets Revision to the highest supported value, unless the provided revision number is larger.
Types ¶
type JumpTarget ¶
type JumpTarget struct { // Offset is the byte offset of the rule to jump to. It is used for // marshaling and unmarshaling. Offset uint32 // RuleNum is the rule to jump to. RuleNum int // NetworkProtocol is the network protocol the target is used with. NetworkProtocol tcpip.NetworkProtocolNumber }
JumpTarget implements stack.Target.
func (*JumpTarget) Action ¶
func (jt *JumpTarget) Action(*stack.PacketBuffer, stack.Hook, *stack.Route, stack.AddressableEndpoint) (stack.RuleVerdict, int)
Action implements stack.Target.Action.
type OwnerMatcher ¶
type OwnerMatcher struct {
// contains filtered or unexported fields
}
OwnerMatcher matches against a UID and/or GID.
func (*OwnerMatcher) Match ¶
func (om *OwnerMatcher) Match(hook stack.Hook, pkt *stack.PacketBuffer, _, _ string) (bool, bool)
Match implements Matcher.Match.
type OwnerMatcherV1 ¶
type OwnerMatcherV1 struct {
// contains filtered or unexported fields
}
OwnerMatcherV1 matches against a UID and/or GID.
func (*OwnerMatcherV1) Match ¶
func (om *OwnerMatcherV1) Match(hook stack.Hook, pkt *stack.PacketBuffer, _, _ string) (bool, bool)
Match implements Matcher.Match.
type TCPMatcher ¶
type TCPMatcher struct {
// contains filtered or unexported fields
}
TCPMatcher matches TCP packets and their headers. It implements Matcher.
func (*TCPMatcher) Match ¶
func (tm *TCPMatcher) Match(hook stack.Hook, pkt *stack.PacketBuffer, _, _ string) (bool, bool)
Match implements Matcher.Match.
type UDPMatcher ¶
type UDPMatcher struct {
// contains filtered or unexported fields
}
UDPMatcher matches UDP packets and their headers. It implements Matcher.
func (*UDPMatcher) Match ¶
func (um *UDPMatcher) Match(hook stack.Hook, pkt *stack.PacketBuffer, _, _ string) (bool, bool)
Match implements Matcher.Match.