github.com/flowerwrong/netstack@v0.0.0-20191009141956-e5848263af28/tcpip/iptables/types.go (about)

     1  // Copyright 2019 The gVisor authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package iptables
    16  
    17  import (
    18  	"github.com/FlowerWrong/netstack/tcpip/buffer"
    19  )
    20  
    21  // A Hook specifies one of the hooks built into the network stack.
    22  //
    23  //                      Userspace app          Userspace app
    24  //                            ^                      |
    25  //                            |                      v
    26  //                         [Input]               [Output]
    27  //                            ^                      |
    28  //                            |                      v
    29  //                            |                   routing
    30  //                            |                      |
    31  //                            |                      v
    32  // ----->[Prerouting]----->routing----->[Forward]---------[Postrouting]----->
    33  type Hook uint
    34  
    35  // These values correspond to values in include/uapi/linux/netfilter.h.
    36  const (
    37  	// Prerouting happens before a packet is routed to applications or to
    38  	// be forwarded.
    39  	Prerouting Hook = iota
    40  
    41  	// Input happens before a packet reaches an application.
    42  	Input
    43  
    44  	// Forward happens once it's decided that a packet should be forwarded
    45  	// to another host.
    46  	Forward
    47  
    48  	// Output happens after a packet is written by an application to be
    49  	// sent out.
    50  	Output
    51  
    52  	// Postrouting happens just before a packet goes out on the wire.
    53  	Postrouting
    54  
    55  	// The total number of hooks.
    56  	NumHooks
    57  )
    58  
    59  // A Verdict is returned by a rule's target to indicate how traversal of rules
    60  // should (or should not) continue.
    61  type Verdict int
    62  
    63  const (
    64  	// Accept indicates the packet should continue traversing netstack as
    65  	// normal.
    66  	Accept Verdict = iota
    67  
    68  	// Drop inicates the packet should be dropped, stopping traversing
    69  	// netstack.
    70  	Drop
    71  
    72  	// Stolen indicates the packet was co-opted by the target and should
    73  	// stop traversing netstack.
    74  	Stolen
    75  
    76  	// Queue indicates the packet should be queued for userspace processing.
    77  	Queue
    78  
    79  	// Repeat indicates the packet should re-traverse the chains for the
    80  	// current hook.
    81  	Repeat
    82  
    83  	// None indicates no verdict was reached.
    84  	None
    85  
    86  	// Jump indicates a jump to another chain.
    87  	Jump
    88  
    89  	// Continue indicates that traversal should continue at the next rule.
    90  	Continue
    91  
    92  	// Return indicates that traversal should return to the calling chain.
    93  	Return
    94  )
    95  
    96  // IPTables holds all the tables for a netstack.
    97  type IPTables struct {
    98  	// Tables maps table names to tables. User tables have arbitrary names.
    99  	Tables map[string]Table
   100  
   101  	// Priorities maps each hook to a list of table names. The order of the
   102  	// list is the order in which each table should be visited for that
   103  	// hook.
   104  	Priorities map[Hook][]string
   105  }
   106  
   107  // A Table defines a set of chains and hooks into the network stack. The
   108  // currently supported tables are:
   109  //   * nat
   110  //   * mangle
   111  type Table struct {
   112  	// BuiltinChains holds the un-deletable chains built into netstack. If
   113  	// a hook isn't present in the map, this table doesn't utilize that
   114  	// hook.
   115  	BuiltinChains map[Hook]Chain
   116  
   117  	// DefaultTargets holds a target for each hook that will be executed if
   118  	// chain traversal doesn't yield a verdict.
   119  	DefaultTargets map[Hook]Target
   120  
   121  	// UserChains holds user-defined chains for the keyed by name. Users
   122  	// can give their chains arbitrary names.
   123  	UserChains map[string]Chain
   124  
   125  	// Chains maps names to chains for both builtin and user-defined chains.
   126  	// Its entries point to Chains already either in BuiltinChains or
   127  	// UserChains, and its purpose is to make looking up tables by name
   128  	// fast.
   129  	Chains map[string]*Chain
   130  
   131  	// Metadata holds information about the Table that is useful to users
   132  	// of IPTables, but not to the netstack IPTables code itself.
   133  	metadata interface{}
   134  }
   135  
   136  // ValidHooks returns a bitmap of the builtin hooks for the given table.
   137  func (table *Table) ValidHooks() uint32 {
   138  	hooks := uint32(0)
   139  	for hook, _ := range table.BuiltinChains {
   140  		hooks |= 1 << hook
   141  	}
   142  	return hooks
   143  }
   144  
   145  // Metadata returns the metadata object stored in table.
   146  func (table *Table) Metadata() interface{} {
   147  	return table.metadata
   148  }
   149  
   150  // SetMetadata sets the metadata object stored in table.
   151  func (table *Table) SetMetadata(metadata interface{}) {
   152  	table.metadata = metadata
   153  }
   154  
   155  // A Chain defines a list of rules for packet processing. When a packet
   156  // traverses a chain, it is checked against each rule until either a rule
   157  // returns a verdict or the chain ends.
   158  //
   159  // By convention, builtin chains end with a rule that matches everything and
   160  // returns either Accept or Drop. User-defined chains end with Return. These
   161  // aren't strictly necessary here, but the iptables tool writes tables this way.
   162  type Chain struct {
   163  	// Name is the chain name.
   164  	Name string
   165  
   166  	// Rules is the list of rules to traverse.
   167  	Rules []Rule
   168  }
   169  
   170  // A Rule is a packet processing rule. It consists of two pieces. First it
   171  // contains zero or more matchers, each of which is a specification of which
   172  // packets this rule applies to. If there are no matchers in the rule, it
   173  // applies to any packet.
   174  type Rule struct {
   175  	// Matchers is the list of matchers for this rule.
   176  	Matchers []Matcher
   177  
   178  	// Target is the action to invoke if all the matchers match the packet.
   179  	Target Target
   180  }
   181  
   182  // A Matcher is the interface for matching packets.
   183  type Matcher interface {
   184  	// Match returns whether the packet matches and whether the packet
   185  	// should be "hotdropped", i.e. dropped immediately. This is usually
   186  	// used for suspicious packets.
   187  	Match(hook Hook, packet buffer.VectorisedView, interfaceName string) (matches bool, hotdrop bool)
   188  }
   189  
   190  // A Target is the interface for taking an action for a packet.
   191  type Target interface {
   192  	// Action takes an action on the packet and returns a verdict on how
   193  	// traversal should (or should not) continue. If the return value is
   194  	// Jump, it also returns the name of the chain to jump to.
   195  	Action(packet buffer.VectorisedView) (Verdict, string)
   196  }