github.com/SagerNet/gvisor@v0.0.0-20210707092255-7731c139d75c/pkg/abi/linux/netfilter.go (about) 1 // Copyright 2019 The gVisor Authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package linux 16 17 import ( 18 "github.com/SagerNet/gvisor/pkg/marshal" 19 "github.com/SagerNet/gvisor/pkg/marshal/primitive" 20 ) 21 22 // This file contains structures required to support netfilter, specifically 23 // the iptables tool. 24 25 // Hooks into the network stack. These correspond to values in 26 // include/uapi/linux/netfilter.h. 27 const ( 28 NF_INET_PRE_ROUTING = 0 29 NF_INET_LOCAL_IN = 1 30 NF_INET_FORWARD = 2 31 NF_INET_LOCAL_OUT = 3 32 NF_INET_POST_ROUTING = 4 33 NF_INET_NUMHOOKS = 5 34 ) 35 36 // Verdicts that can be returned by targets. These correspond to values in 37 // include/uapi/linux/netfilter.h 38 const ( 39 NF_DROP = 0 40 NF_ACCEPT = 1 41 NF_STOLEN = 2 42 NF_QUEUE = 3 43 NF_REPEAT = 4 44 NF_STOP = 5 45 NF_MAX_VERDICT = NF_STOP 46 // NF_RETURN is defined in include/uapi/linux/netfilter/x_tables.h. 47 NF_RETURN = -NF_REPEAT - 1 48 ) 49 50 // VerdictStrings maps int verdicts to the strings they represent. It is used 51 // for debugging. 52 var VerdictStrings = map[int32]string{ 53 -NF_DROP - 1: "DROP", 54 -NF_ACCEPT - 1: "ACCEPT", 55 -NF_QUEUE - 1: "QUEUE", 56 NF_RETURN: "RETURN", 57 } 58 59 // Socket options for SOL_SOCKET. These correspond to values in 60 // include/uapi/linux/netfilter_ipv4/ip_tables.h. 61 const ( 62 IPT_BASE_CTL = 64 63 IPT_SO_SET_REPLACE = IPT_BASE_CTL 64 IPT_SO_SET_ADD_COUNTERS = IPT_BASE_CTL + 1 65 IPT_SO_SET_MAX = IPT_SO_SET_ADD_COUNTERS 66 67 IPT_SO_GET_INFO = IPT_BASE_CTL 68 IPT_SO_GET_ENTRIES = IPT_BASE_CTL + 1 69 IPT_SO_GET_REVISION_MATCH = IPT_BASE_CTL + 2 70 IPT_SO_GET_REVISION_TARGET = IPT_BASE_CTL + 3 71 IPT_SO_GET_MAX = IPT_SO_GET_REVISION_TARGET 72 ) 73 74 // Socket option for SOL_IP. This corresponds to the value in 75 // include/uapi/linux/netfilter_ipv4.h. 76 const ( 77 SO_ORIGINAL_DST = 80 78 ) 79 80 // Name lengths. These correspond to values in 81 // include/uapi/linux/netfilter/x_tables.h. 82 const ( 83 XT_FUNCTION_MAXNAMELEN = 30 84 XT_EXTENSION_MAXNAMELEN = 29 85 XT_TABLE_MAXNAMELEN = 32 86 ) 87 88 // IPTEntry is an iptable rule. It corresponds to struct ipt_entry in 89 // include/uapi/linux/netfilter_ipv4/ip_tables.h. 90 // 91 // +marshal 92 type IPTEntry struct { 93 // IP is used to filter packets based on the IP header. 94 IP IPTIP 95 96 // NFCache relates to kernel-internal caching and isn't used by 97 // userspace. 98 NFCache uint32 99 100 // TargetOffset is the byte offset from the beginning of this IPTEntry 101 // to the start of the entry's target. 102 TargetOffset uint16 103 104 // NextOffset is the byte offset from the beginning of this IPTEntry to 105 // the start of the next entry. It is thus also the size of the entry. 106 NextOffset uint16 107 108 // Comeback is a return pointer. It is not used by userspace. 109 Comeback uint32 110 111 // Counters holds the packet and byte counts for this rule. 112 Counters XTCounters 113 114 // Elems holds the data for all this rule's matches followed by the 115 // target. It is variable length -- users have to iterate over any 116 // matches and use TargetOffset and NextOffset to make sense of the 117 // data. 118 // 119 // Elems is omitted here because it would cause IPTEntry to be an extra 120 // byte larger (see http://www.catb.org/esr/structure-packing/). 121 // 122 // Elems [0]byte 123 } 124 125 // SizeOfIPTEntry is the size of an IPTEntry. 126 const SizeOfIPTEntry = 112 127 128 // KernelIPTEntry is identical to IPTEntry, but includes the Elems field. 129 // 130 // +marshal dynamic 131 type KernelIPTEntry struct { 132 Entry IPTEntry 133 134 // Elems holds the data for all this rule's matches followed by the 135 // target. It is variable length -- users have to iterate over any 136 // matches and use TargetOffset and NextOffset to make sense of the 137 // data. 138 Elems primitive.ByteSlice 139 } 140 141 // SizeBytes implements marshal.Marshallable.SizeBytes. 142 func (ke *KernelIPTEntry) SizeBytes() int { 143 return ke.Entry.SizeBytes() + ke.Elems.SizeBytes() 144 } 145 146 // MarshalBytes implements marshal.Marshallable.MarshalBytes. 147 func (ke *KernelIPTEntry) MarshalBytes(dst []byte) { 148 ke.Entry.MarshalUnsafe(dst) 149 ke.Elems.MarshalBytes(dst[ke.Entry.SizeBytes():]) 150 } 151 152 // UnmarshalBytes implements marshal.Marshallable.UnmarshalBytes. 153 func (ke *KernelIPTEntry) UnmarshalBytes(src []byte) { 154 ke.Entry.UnmarshalUnsafe(src) 155 ke.Elems.UnmarshalBytes(src[ke.Entry.SizeBytes():]) 156 } 157 158 var _ marshal.Marshallable = (*KernelIPTEntry)(nil) 159 160 // IPTIP contains information for matching a packet's IP header. 161 // It corresponds to struct ipt_ip in 162 // include/uapi/linux/netfilter_ipv4/ip_tables.h. 163 // 164 // +marshal 165 type IPTIP struct { 166 // Src is the source IP address. 167 Src InetAddr 168 169 // Dst is the destination IP address. 170 Dst InetAddr 171 172 // SrcMask is the source IP mask. 173 SrcMask InetAddr 174 175 // DstMask is the destination IP mask. 176 DstMask InetAddr 177 178 // InputInterface is the input network interface. 179 InputInterface [IFNAMSIZ]byte 180 181 // OutputInterface is the output network interface. 182 OutputInterface [IFNAMSIZ]byte 183 184 // InputInterfaceMask is the input interface mask. 185 InputInterfaceMask [IFNAMSIZ]byte 186 187 // OuputInterfaceMask is the output interface mask. 188 OutputInterfaceMask [IFNAMSIZ]byte 189 190 // Protocol is the transport protocol. 191 Protocol uint16 192 193 // Flags define matching behavior for the IP header. 194 Flags uint8 195 196 // InverseFlags invert the meaning of fields in struct IPTIP. See the 197 // IPT_INV_* flags. 198 InverseFlags uint8 199 } 200 201 // Flags in IPTIP.InverseFlags. Corresponding constants are in 202 // include/uapi/linux/netfilter_ipv4/ip_tables.h. 203 const ( 204 // Invert the meaning of InputInterface. 205 IPT_INV_VIA_IN = 0x01 206 // Invert the meaning of OutputInterface. 207 IPT_INV_VIA_OUT = 0x02 208 // Unclear what this is, as no references to it exist in the kernel. 209 IPT_INV_TOS = 0x04 210 // Invert the meaning of Src. 211 IPT_INV_SRCIP = 0x08 212 // Invert the meaning of Dst. 213 IPT_INV_DSTIP = 0x10 214 // Invert the meaning of the IPT_F_FRAG flag. 215 IPT_INV_FRAG = 0x20 216 // Invert the meaning of the Protocol field. 217 IPT_INV_PROTO = 0x40 218 // Enable all flags. 219 IPT_INV_MASK = 0x7F 220 ) 221 222 // SizeOfIPTIP is the size of an IPTIP. 223 const SizeOfIPTIP = 84 224 225 // XTCounters holds packet and byte counts for a rule. It corresponds to struct 226 // xt_counters in include/uapi/linux/netfilter/x_tables.h. 227 // 228 // +marshal 229 type XTCounters struct { 230 // Pcnt is the packet count. 231 Pcnt uint64 232 233 // Bcnt is the byte count. 234 Bcnt uint64 235 } 236 237 // SizeOfXTCounters is the size of an XTCounters. 238 const SizeOfXTCounters = 16 239 240 // XTEntryMatch holds a match for a rule. For example, a user using the 241 // addrtype iptables match extension would put the data for that match into an 242 // XTEntryMatch. iptables-extensions(8) has a list of possible matches. 243 // 244 // XTEntryMatch corresponds to struct xt_entry_match in 245 // include/uapi/linux/netfilter/x_tables.h. That struct contains a union 246 // exposing different data to the user and kernel, but this struct holds only 247 // the user data. 248 // 249 // +marshal 250 type XTEntryMatch struct { 251 MatchSize uint16 252 Name ExtensionName 253 Revision uint8 254 // Data is omitted here because it would cause XTEntryMatch to be an 255 // extra byte larger (see http://www.catb.org/esr/structure-packing/). 256 // Data [0]byte 257 } 258 259 // SizeOfXTEntryMatch is the size of an XTEntryMatch. 260 const SizeOfXTEntryMatch = 32 261 262 // KernelXTEntryMatch is identical to XTEntryMatch, but contains 263 // variable-length Data field. 264 type KernelXTEntryMatch struct { 265 XTEntryMatch 266 Data []byte 267 } 268 269 // XTGetRevision corresponds to xt_get_revision in 270 // include/uapi/linux/netfilter/x_tables.h 271 // 272 // +marshal 273 type XTGetRevision struct { 274 Name ExtensionName 275 Revision uint8 276 } 277 278 // SizeOfXTGetRevision is the size of an XTGetRevision. 279 const SizeOfXTGetRevision = 30 280 281 // XTEntryTarget holds a target for a rule. For example, it can specify that 282 // packets matching the rule should DROP, ACCEPT, or use an extension target. 283 // iptables-extension(8) has a list of possible targets. 284 // 285 // XTEntryTarget corresponds to struct xt_entry_target in 286 // include/uapi/linux/netfilter/x_tables.h. That struct contains a union 287 // exposing different data to the user and kernel, but this struct holds only 288 // the user data. 289 // 290 // +marshal 291 type XTEntryTarget struct { 292 TargetSize uint16 293 Name ExtensionName 294 Revision uint8 295 // Data is omitted here because it would cause XTEntryTarget to be an 296 // extra byte larger (see http://www.catb.org/esr/structure-packing/). 297 // Data [0]byte 298 } 299 300 // SizeOfXTEntryTarget is the size of an XTEntryTarget. 301 const SizeOfXTEntryTarget = 32 302 303 // KernelXTEntryTarget is identical to XTEntryTarget, but contains a 304 // variable-length Data field. 305 type KernelXTEntryTarget struct { 306 XTEntryTarget 307 Data []byte 308 } 309 310 // XTStandardTarget is a built-in target, one of ACCEPT, DROP, JUMP, QUEUE, 311 // RETURN, or jump. It corresponds to struct xt_standard_target in 312 // include/uapi/linux/netfilter/x_tables.h. 313 // 314 // +marshal 315 type XTStandardTarget struct { 316 Target XTEntryTarget 317 // A positive verdict indicates a jump, and is the offset from the 318 // start of the table to jump to. A negative value means one of the 319 // other built-in targets. 320 Verdict int32 321 _ [4]byte 322 } 323 324 // SizeOfXTStandardTarget is the size of an XTStandardTarget. 325 const SizeOfXTStandardTarget = 40 326 327 // XTErrorTarget triggers an error when reached. It is also used to mark the 328 // beginning of user-defined chains by putting the name of the chain in 329 // ErrorName. It corresponds to struct xt_error_target in 330 // include/uapi/linux/netfilter/x_tables.h. 331 // 332 // +marshal 333 type XTErrorTarget struct { 334 Target XTEntryTarget 335 Name ErrorName 336 _ [2]byte 337 } 338 339 // SizeOfXTErrorTarget is the size of an XTErrorTarget. 340 const SizeOfXTErrorTarget = 64 341 342 // Flag values for NfNATIPV4Range. The values indicate whether to map 343 // protocol specific part(ports) or IPs. It corresponds to values in 344 // include/uapi/linux/netfilter/nf_nat.h. 345 const ( 346 NF_NAT_RANGE_MAP_IPS = 1 << 0 347 NF_NAT_RANGE_PROTO_SPECIFIED = 1 << 1 348 NF_NAT_RANGE_PROTO_RANDOM = 1 << 2 349 NF_NAT_RANGE_PERSISTENT = 1 << 3 350 NF_NAT_RANGE_PROTO_RANDOM_FULLY = 1 << 4 351 NF_NAT_RANGE_PROTO_RANDOM_ALL = (NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PROTO_RANDOM_FULLY) 352 NF_NAT_RANGE_MASK = (NF_NAT_RANGE_MAP_IPS | 353 NF_NAT_RANGE_PROTO_SPECIFIED | NF_NAT_RANGE_PROTO_RANDOM | 354 NF_NAT_RANGE_PERSISTENT | NF_NAT_RANGE_PROTO_RANDOM_FULLY) 355 ) 356 357 // NfNATIPV4Range corresponds to struct nf_nat_ipv4_range 358 // in include/uapi/linux/netfilter/nf_nat.h. The fields are in 359 // network byte order. 360 // 361 // +marshal 362 type NfNATIPV4Range struct { 363 Flags uint32 364 MinIP [4]byte 365 MaxIP [4]byte 366 MinPort uint16 367 MaxPort uint16 368 } 369 370 // NfNATIPV4MultiRangeCompat corresponds to struct 371 // nf_nat_ipv4_multi_range_compat in include/uapi/linux/netfilter/nf_nat.h. 372 // 373 // +marshal 374 type NfNATIPV4MultiRangeCompat struct { 375 RangeSize uint32 376 RangeIPV4 NfNATIPV4Range 377 } 378 379 // XTRedirectTarget triggers a redirect when reached. 380 // Adding 4 bytes of padding to make the struct 8 byte aligned. 381 // 382 // +marshal 383 type XTRedirectTarget struct { 384 Target XTEntryTarget 385 NfRange NfNATIPV4MultiRangeCompat 386 _ [4]byte 387 } 388 389 // SizeOfXTRedirectTarget is the size of an XTRedirectTarget. 390 const SizeOfXTRedirectTarget = 56 391 392 // XTSNATTarget triggers Source NAT when reached. 393 // Adding 4 bytes of padding to make the struct 8 byte aligned. 394 // 395 // +marshal 396 type XTSNATTarget struct { 397 Target XTEntryTarget 398 NfRange NfNATIPV4MultiRangeCompat 399 _ [4]byte 400 } 401 402 // SizeOfXTSNATTarget is the size of an XTSNATTarget. 403 const SizeOfXTSNATTarget = 56 404 405 // IPTGetinfo is the argument for the IPT_SO_GET_INFO sockopt. It corresponds 406 // to struct ipt_getinfo in include/uapi/linux/netfilter_ipv4/ip_tables.h. 407 // 408 // +marshal 409 type IPTGetinfo struct { 410 Name TableName 411 ValidHooks uint32 412 HookEntry [NF_INET_NUMHOOKS]uint32 413 Underflow [NF_INET_NUMHOOKS]uint32 414 NumEntries uint32 415 Size uint32 416 } 417 418 // SizeOfIPTGetinfo is the size of an IPTGetinfo. 419 const SizeOfIPTGetinfo = 84 420 421 // IPTGetEntries is the argument for the IPT_SO_GET_ENTRIES sockopt. It 422 // corresponds to struct ipt_get_entries in 423 // include/uapi/linux/netfilter_ipv4/ip_tables.h. 424 // 425 // +marshal 426 type IPTGetEntries struct { 427 Name TableName 428 Size uint32 429 _ [4]byte 430 // Entrytable is omitted here because it would cause IPTGetEntries to 431 // be an extra byte longer (see 432 // http://www.catb.org/esr/structure-packing/). 433 // Entrytable [0]IPTEntry 434 } 435 436 // SizeOfIPTGetEntries is the size of an IPTGetEntries. 437 const SizeOfIPTGetEntries = 40 438 439 // KernelIPTGetEntries is identical to IPTGetEntries, but includes the 440 // Entrytable field. 441 // 442 // +marshal dynamic 443 type KernelIPTGetEntries struct { 444 IPTGetEntries 445 Entrytable []KernelIPTEntry 446 } 447 448 // SizeBytes implements marshal.Marshallable.SizeBytes. 449 func (ke *KernelIPTGetEntries) SizeBytes() int { 450 res := ke.IPTGetEntries.SizeBytes() 451 for _, entry := range ke.Entrytable { 452 res += entry.SizeBytes() 453 } 454 return res 455 } 456 457 // MarshalBytes implements marshal.Marshallable.MarshalBytes. 458 func (ke *KernelIPTGetEntries) MarshalBytes(dst []byte) { 459 ke.IPTGetEntries.MarshalUnsafe(dst) 460 marshalledUntil := ke.IPTGetEntries.SizeBytes() 461 for i := range ke.Entrytable { 462 ke.Entrytable[i].MarshalBytes(dst[marshalledUntil:]) 463 marshalledUntil += ke.Entrytable[i].SizeBytes() 464 } 465 } 466 467 // UnmarshalBytes implements marshal.Marshallable.UnmarshalBytes. 468 func (ke *KernelIPTGetEntries) UnmarshalBytes(src []byte) { 469 ke.IPTGetEntries.UnmarshalUnsafe(src) 470 unmarshalledUntil := ke.IPTGetEntries.SizeBytes() 471 for i := range ke.Entrytable { 472 ke.Entrytable[i].UnmarshalBytes(src[unmarshalledUntil:]) 473 unmarshalledUntil += ke.Entrytable[i].SizeBytes() 474 } 475 } 476 477 var _ marshal.Marshallable = (*KernelIPTGetEntries)(nil) 478 479 // IPTReplace is the argument for the IPT_SO_SET_REPLACE sockopt. It 480 // corresponds to struct ipt_replace in 481 // include/uapi/linux/netfilter_ipv4/ip_tables.h. 482 // 483 // +marshal 484 type IPTReplace struct { 485 Name TableName 486 ValidHooks uint32 487 NumEntries uint32 488 Size uint32 489 HookEntry [NF_INET_NUMHOOKS]uint32 490 Underflow [NF_INET_NUMHOOKS]uint32 491 NumCounters uint32 492 Counters uint64 // This is really a *XTCounters. 493 // Entries is omitted here because it would cause IPTReplace to be an 494 // extra byte longer (see http://www.catb.org/esr/structure-packing/). 495 // Entries [0]IPTEntry 496 } 497 498 // SizeOfIPTReplace is the size of an IPTReplace. 499 const SizeOfIPTReplace = 96 500 501 // ExtensionName holds the name of a netfilter extension. 502 // 503 // +marshal 504 type ExtensionName [XT_EXTENSION_MAXNAMELEN]byte 505 506 // String implements fmt.Stringer. 507 func (en ExtensionName) String() string { 508 return goString(en[:]) 509 } 510 511 // TableName holds the name of a netfilter table. 512 // 513 // +marshal 514 type TableName [XT_TABLE_MAXNAMELEN]byte 515 516 // String implements fmt.Stringer. 517 func (tn TableName) String() string { 518 return goString(tn[:]) 519 } 520 521 // ErrorName holds the name of a netfilter error. These can also hold 522 // user-defined chains. 523 // 524 // +marshal 525 type ErrorName [XT_FUNCTION_MAXNAMELEN]byte 526 527 // String implements fmt.Stringer. 528 func (en ErrorName) String() string { 529 return goString(en[:]) 530 } 531 532 func goString(cstring []byte) string { 533 for i, c := range cstring { 534 if c == 0 { 535 return string(cstring[:i]) 536 } 537 } 538 return string(cstring) 539 } 540 541 // XTTCP holds data for matching TCP packets. It corresponds to struct xt_tcp 542 // in include/uapi/linux/netfilter/xt_tcpudp.h. 543 // 544 // +marshal 545 type XTTCP struct { 546 // SourcePortStart specifies the inclusive start of the range of source 547 // ports to which the matcher applies. 548 SourcePortStart uint16 549 550 // SourcePortEnd specifies the inclusive end of the range of source ports 551 // to which the matcher applies. 552 SourcePortEnd uint16 553 554 // DestinationPortStart specifies the start of the destination port 555 // range to which the matcher applies. 556 DestinationPortStart uint16 557 558 // DestinationPortEnd specifies the end of the destination port 559 // range to which the matcher applies. 560 DestinationPortEnd uint16 561 562 // Option specifies that a particular TCP option must be set. 563 Option uint8 564 565 // FlagMask masks TCP flags when comparing to the FlagCompare byte. It allows 566 // for specification of which flags are important to the matcher. 567 FlagMask uint8 568 569 // FlagCompare, in combination with FlagMask, is used to match only packets 570 // that have certain flags set. 571 FlagCompare uint8 572 573 // InverseFlags flips the meaning of certain fields. See the 574 // TX_TCP_INV_* flags. 575 InverseFlags uint8 576 } 577 578 // SizeOfXTTCP is the size of an XTTCP. 579 const SizeOfXTTCP = 12 580 581 // Flags in XTTCP.InverseFlags. Corresponding constants are in 582 // include/uapi/linux/netfilter/xt_tcpudp.h. 583 const ( 584 // Invert the meaning of SourcePortStart/End. 585 XT_TCP_INV_SRCPT = 0x01 586 // Invert the meaning of DestinationPortStart/End. 587 XT_TCP_INV_DSTPT = 0x02 588 // Invert the meaning of FlagCompare. 589 XT_TCP_INV_FLAGS = 0x04 590 // Invert the meaning of Option. 591 XT_TCP_INV_OPTION = 0x08 592 // Enable all flags. 593 XT_TCP_INV_MASK = 0x0F 594 ) 595 596 // XTUDP holds data for matching UDP packets. It corresponds to struct xt_udp 597 // in include/uapi/linux/netfilter/xt_tcpudp.h. 598 // 599 // +marshal 600 type XTUDP struct { 601 // SourcePortStart is the inclusive start of the range of source ports 602 // to which the matcher applies. 603 SourcePortStart uint16 604 605 // SourcePortEnd is the inclusive end of the range of source ports to 606 // which the matcher applies. 607 SourcePortEnd uint16 608 609 // DestinationPortStart is the inclusive start of the destination port 610 // range to which the matcher applies. 611 DestinationPortStart uint16 612 613 // DestinationPortEnd is the inclusive end of the destination port 614 // range to which the matcher applies. 615 DestinationPortEnd uint16 616 617 // InverseFlags flips the meaning of certain fields. See the 618 // TX_UDP_INV_* flags. 619 InverseFlags uint8 620 621 _ uint8 622 } 623 624 // SizeOfXTUDP is the size of an XTUDP. 625 const SizeOfXTUDP = 10 626 627 // Flags in XTUDP.InverseFlags. Corresponding constants are in 628 // include/uapi/linux/netfilter/xt_tcpudp.h. 629 const ( 630 // Invert the meaning of SourcePortStart/End. 631 XT_UDP_INV_SRCPT = 0x01 632 // Invert the meaning of DestinationPortStart/End. 633 XT_UDP_INV_DSTPT = 0x02 634 // Enable all flags. 635 XT_UDP_INV_MASK = 0x03 636 ) 637 638 // IPTOwnerInfo holds data for matching packets with owner. It corresponds 639 // to struct ipt_owner_info in libxt_owner.c of iptables binary. 640 // 641 // +marshal 642 type IPTOwnerInfo struct { 643 // UID is user id which created the packet. 644 UID uint32 645 646 // GID is group id which created the packet. 647 GID uint32 648 649 // PID is process id of the process which created the packet. 650 PID uint32 651 652 // SID is session id which created the packet. 653 SID uint32 654 655 // Comm is the command name which created the packet. 656 Comm [16]byte 657 658 // Match is used to match UID/GID of the socket. See the 659 // XT_OWNER_* flags below. 660 Match uint8 661 662 // Invert flips the meaning of Match field. 663 Invert uint8 `marshal:"unaligned"` 664 } 665 666 // SizeOfIPTOwnerInfo is the size of an XTOwnerMatchInfo. 667 const SizeOfIPTOwnerInfo = 34 668 669 // Flags in IPTOwnerInfo.Match. Corresponding constants are in 670 // include/uapi/linux/netfilter/xt_owner.h. 671 const ( 672 // Match the UID of the packet. 673 XT_OWNER_UID = 1 << 0 674 // Match the GID of the packet. 675 XT_OWNER_GID = 1 << 1 676 // Match if the socket exists for the packet. Forwarded 677 // packets do not have an associated socket. 678 XT_OWNER_SOCKET = 1 << 2 679 )