
     1  // Copyright 2019 The gVisor authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // Package iptables supports packet filtering and manipulation via the iptables
    16  // tool.
    17  package iptables
    18  
// Names of the tables that DefaultTables populates. They are the map keys of
// IPTables.Tables and the entries of IPTables.Priorities.
const (
	tablenameNat    = "nat"
	tablenameMangle = "mangle"
)
    23  
// Chain names as defined by net/ipv4/netfilter/ip_tables.c. They are used as
// the Name of the built-in chains created by DefaultTables; chainNameForward
// is declared for completeness but no default table creates a Forward chain.
const (
	chainNamePrerouting  = "PREROUTING"
	chainNameInput       = "INPUT"
	chainNameForward     = "FORWARD"
	chainNameOutput      = "OUTPUT"
	chainNamePostrouting = "POSTROUTING"
)
    32  
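// DefaultTables returns a default set of tables. Each chain is set to accept
// all packets.
//
// The returned configuration is permissive: every built-in chain of the nat
// and mangle tables holds a single rule whose target is
// UnconditionalAcceptTarget, and every DefaultTargets entry is
// UnconditionalAcceptTarget as well, so nothing is filtered until a caller
// installs rules of its own. Every call builds fresh maps, so callers may
// mutate the result without affecting other callers.
func DefaultTables() IPTables {
	return IPTables{
		Tables: map[string]Table{
			// The nat table has chains at four hooks; neither table defines a
			// Forward chain.
			tablenameNat: {
				BuiltinChains: map[Hook]Chain{
					Prerouting:  unconditionalAcceptChain(chainNamePrerouting),
					Input:       unconditionalAcceptChain(chainNameInput),
					Output:      unconditionalAcceptChain(chainNameOutput),
					Postrouting: unconditionalAcceptChain(chainNamePostrouting),
				},
				DefaultTargets: map[Hook]Target{
					Prerouting:  UnconditionalAcceptTarget{},
					Input:       UnconditionalAcceptTarget{},
					Output:      UnconditionalAcceptTarget{},
					Postrouting: UnconditionalAcceptTarget{},
				},
				// Non-nil so callers can add user chains without a nil-map panic.
				UserChains: map[string]Chain{},
			},
			// The mangle table only participates at Prerouting and Output.
			tablenameMangle: {
				BuiltinChains: map[Hook]Chain{
					Prerouting: unconditionalAcceptChain(chainNamePrerouting),
					Output:     unconditionalAcceptChain(chainNameOutput),
				},
				DefaultTargets: map[Hook]Target{
					Prerouting: UnconditionalAcceptTarget{},
					Output:     UnconditionalAcceptTarget{},
				},
				UserChains: map[string]Chain{},
			},
		},
		// Priorities lists, per hook, the tables to consult in order; mangle is
		// consulted before nat at both hooks.
		// NOTE(review): Input and Postrouting have nat chains above but no
		// Priorities entry — confirm that the caller treats a hook with no
		// priority list as "consult nothing" on purpose.
		Priorities: map[Hook][]string{
			Prerouting: {tablenameMangle, tablenameNat},
			Output:     {tablenameMangle, tablenameNat},
		},
	}
}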
    71  
// unconditionalAcceptChain builds a Chain called name whose only rule carries
// an UnconditionalAcceptTarget, i.e. a chain that accepts every packet that
// reaches it.
func unconditionalAcceptChain(name string) Chain {
	acceptAll := Rule{Target: UnconditionalAcceptTarget{}}
	return Chain{
		Name:  name,
		Rules: []Rule{acceptAll},
	}
}
    81  }