github.com/flowerwrong/netstack@v0.0.0-20191009141956-e5848263af28/tcpip/iptables/types.go (about) 1 // Copyright 2019 The gVisor authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package iptables 16 17 import ( 18 "github.com/FlowerWrong/netstack/tcpip/buffer" 19 ) 20 21 // A Hook specifies one of the hooks built into the network stack. 22 // 23 // Userspace app Userspace app 24 // ^ | 25 // | v 26 // [Input] [Output] 27 // ^ | 28 // | v 29 // | routing 30 // | | 31 // | v 32 // ----->[Prerouting]----->routing----->[Forward]---------[Postrouting]-----> 33 type Hook uint 34 35 // These values correspond to values in include/uapi/linux/netfilter.h. 36 const ( 37 // Prerouting happens before a packet is routed to applications or to 38 // be forwarded. 39 Prerouting Hook = iota 40 41 // Input happens before a packet reaches an application. 42 Input 43 44 // Forward happens once it's decided that a packet should be forwarded 45 // to another host. 46 Forward 47 48 // Output happens after a packet is written by an application to be 49 // sent out. 50 Output 51 52 // Postrouting happens just before a packet goes out on the wire. 53 Postrouting 54 55 // The total number of hooks. 56 NumHooks 57 ) 58 59 // A Verdict is returned by a rule's target to indicate how traversal of rules 60 // should (or should not) continue. 61 type Verdict int 62 63 const ( 64 // Accept indicates the packet should continue traversing netstack as 65 // normal. 66 Accept Verdict = iota 67 68 // Drop inicates the packet should be dropped, stopping traversing 69 // netstack. 70 Drop 71 72 // Stolen indicates the packet was co-opted by the target and should 73 // stop traversing netstack. 74 Stolen 75 76 // Queue indicates the packet should be queued for userspace processing. 77 Queue 78 79 // Repeat indicates the packet should re-traverse the chains for the 80 // current hook. 81 Repeat 82 83 // None indicates no verdict was reached. 84 None 85 86 // Jump indicates a jump to another chain. 87 Jump 88 89 // Continue indicates that traversal should continue at the next rule. 90 Continue 91 92 // Return indicates that traversal should return to the calling chain. 93 Return 94 ) 95 96 // IPTables holds all the tables for a netstack. 97 type IPTables struct { 98 // Tables maps table names to tables. User tables have arbitrary names. 99 Tables map[string]Table 100 101 // Priorities maps each hook to a list of table names. The order of the 102 // list is the order in which each table should be visited for that 103 // hook. 104 Priorities map[Hook][]string 105 } 106 107 // A Table defines a set of chains and hooks into the network stack. The 108 // currently supported tables are: 109 // * nat 110 // * mangle 111 type Table struct { 112 // BuiltinChains holds the un-deletable chains built into netstack. If 113 // a hook isn't present in the map, this table doesn't utilize that 114 // hook. 115 BuiltinChains map[Hook]Chain 116 117 // DefaultTargets holds a target for each hook that will be executed if 118 // chain traversal doesn't yield a verdict. 119 DefaultTargets map[Hook]Target 120 121 // UserChains holds user-defined chains for the keyed by name. Users 122 // can give their chains arbitrary names. 123 UserChains map[string]Chain 124 125 // Chains maps names to chains for both builtin and user-defined chains. 126 // Its entries point to Chains already either in BuiltinChains or 127 // UserChains, and its purpose is to make looking up tables by name 128 // fast. 129 Chains map[string]*Chain 130 131 // Metadata holds information about the Table that is useful to users 132 // of IPTables, but not to the netstack IPTables code itself. 133 metadata interface{} 134 } 135 136 // ValidHooks returns a bitmap of the builtin hooks for the given table. 137 func (table *Table) ValidHooks() uint32 { 138 hooks := uint32(0) 139 for hook, _ := range table.BuiltinChains { 140 hooks |= 1 << hook 141 } 142 return hooks 143 } 144 145 // Metadata returns the metadata object stored in table. 146 func (table *Table) Metadata() interface{} { 147 return table.metadata 148 } 149 150 // SetMetadata sets the metadata object stored in table. 151 func (table *Table) SetMetadata(metadata interface{}) { 152 table.metadata = metadata 153 } 154 155 // A Chain defines a list of rules for packet processing. When a packet 156 // traverses a chain, it is checked against each rule until either a rule 157 // returns a verdict or the chain ends. 158 // 159 // By convention, builtin chains end with a rule that matches everything and 160 // returns either Accept or Drop. User-defined chains end with Return. These 161 // aren't strictly necessary here, but the iptables tool writes tables this way. 162 type Chain struct { 163 // Name is the chain name. 164 Name string 165 166 // Rules is the list of rules to traverse. 167 Rules []Rule 168 } 169 170 // A Rule is a packet processing rule. It consists of two pieces. First it 171 // contains zero or more matchers, each of which is a specification of which 172 // packets this rule applies to. If there are no matchers in the rule, it 173 // applies to any packet. 174 type Rule struct { 175 // Matchers is the list of matchers for this rule. 176 Matchers []Matcher 177 178 // Target is the action to invoke if all the matchers match the packet. 179 Target Target 180 } 181 182 // A Matcher is the interface for matching packets. 183 type Matcher interface { 184 // Match returns whether the packet matches and whether the packet 185 // should be "hotdropped", i.e. dropped immediately. This is usually 186 // used for suspicious packets. 187 Match(hook Hook, packet buffer.VectorisedView, interfaceName string) (matches bool, hotdrop bool) 188 } 189 190 // A Target is the interface for taking an action for a packet. 191 type Target interface { 192 // Action takes an action on the packet and returns a verdict on how 193 // traversal should (or should not) continue. If the return value is 194 // Jump, it also returns the name of the chain to jump to. 195 Action(packet buffer.VectorisedView) (Verdict, string) 196 }