github.com/nicocha30/gvisor-ligolo@v0.0.0-20230726075806-989fa2c0a413/pkg/abi/linux/netfilter.go (about) 1 // Copyright 2019 The gVisor Authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package linux 16 17 import ( 18 "github.com/nicocha30/gvisor-ligolo/pkg/marshal" 19 "github.com/nicocha30/gvisor-ligolo/pkg/marshal/primitive" 20 ) 21 22 // This file contains structures required to support netfilter, specifically 23 // the iptables tool. 24 25 // Hooks into the network stack. These correspond to values in 26 // include/uapi/linux/netfilter.h. 27 const ( 28 NF_INET_PRE_ROUTING = 0 29 NF_INET_LOCAL_IN = 1 30 NF_INET_FORWARD = 2 31 NF_INET_LOCAL_OUT = 3 32 NF_INET_POST_ROUTING = 4 33 NF_INET_NUMHOOKS = 5 34 ) 35 36 // Verdicts that can be returned by targets. These correspond to values in 37 // include/uapi/linux/netfilter.h 38 const ( 39 NF_DROP = 0 40 NF_ACCEPT = 1 41 NF_STOLEN = 2 42 NF_QUEUE = 3 43 NF_REPEAT = 4 44 NF_STOP = 5 45 NF_MAX_VERDICT = NF_STOP 46 // NF_RETURN is defined in include/uapi/linux/netfilter/x_tables.h. 47 NF_RETURN = -NF_REPEAT - 1 48 ) 49 50 // VerdictStrings maps int verdicts to the strings they represent. It is used 51 // for debugging. 52 var VerdictStrings = map[int32]string{ 53 -NF_DROP - 1: "DROP", 54 -NF_ACCEPT - 1: "ACCEPT", 55 -NF_QUEUE - 1: "QUEUE", 56 NF_RETURN: "RETURN", 57 } 58 59 // Socket options for SOL_SOCKET. These correspond to values in 60 // include/uapi/linux/netfilter_ipv4/ip_tables.h. 61 const ( 62 IPT_BASE_CTL = 64 63 IPT_SO_SET_REPLACE = IPT_BASE_CTL 64 IPT_SO_SET_ADD_COUNTERS = IPT_BASE_CTL + 1 65 IPT_SO_SET_MAX = IPT_SO_SET_ADD_COUNTERS 66 67 IPT_SO_GET_INFO = IPT_BASE_CTL 68 IPT_SO_GET_ENTRIES = IPT_BASE_CTL + 1 69 IPT_SO_GET_REVISION_MATCH = IPT_BASE_CTL + 2 70 IPT_SO_GET_REVISION_TARGET = IPT_BASE_CTL + 3 71 IPT_SO_GET_MAX = IPT_SO_GET_REVISION_TARGET 72 ) 73 74 // Socket option for SOL_IP. This corresponds to the value in 75 // include/uapi/linux/netfilter_ipv4.h. 76 const ( 77 SO_ORIGINAL_DST = 80 78 ) 79 80 // Name lengths. These correspond to values in 81 // include/uapi/linux/netfilter/x_tables.h. 82 const ( 83 XT_FUNCTION_MAXNAMELEN = 30 84 XT_EXTENSION_MAXNAMELEN = 29 85 XT_TABLE_MAXNAMELEN = 32 86 ) 87 88 // IPTEntry is an iptable rule. It corresponds to struct ipt_entry in 89 // include/uapi/linux/netfilter_ipv4/ip_tables.h. 90 // 91 // +marshal 92 type IPTEntry struct { 93 // IP is used to filter packets based on the IP header. 94 IP IPTIP 95 96 // NFCache relates to kernel-internal caching and isn't used by 97 // userspace. 98 NFCache uint32 99 100 // TargetOffset is the byte offset from the beginning of this IPTEntry 101 // to the start of the entry's target. 102 TargetOffset uint16 103 104 // NextOffset is the byte offset from the beginning of this IPTEntry to 105 // the start of the next entry. It is thus also the size of the entry. 106 NextOffset uint16 107 108 // Comeback is a return pointer. It is not used by userspace. 109 Comeback uint32 110 111 // Counters holds the packet and byte counts for this rule. 112 Counters XTCounters 113 114 // Elems holds the data for all this rule's matches followed by the 115 // target. It is variable length -- users have to iterate over any 116 // matches and use TargetOffset and NextOffset to make sense of the 117 // data. 118 // 119 // Elems is omitted here because it would cause IPTEntry to be an extra 120 // byte larger (see http://www.catb.org/esr/structure-packing/). 121 // 122 // Elems [0]byte 123 } 124 125 // SizeOfIPTEntry is the size of an IPTEntry. 126 const SizeOfIPTEntry = 112 127 128 // KernelIPTEntry is identical to IPTEntry, but includes the Elems field. 129 // 130 // +marshal dynamic 131 type KernelIPTEntry struct { 132 Entry IPTEntry 133 134 // Elems holds the data for all this rule's matches followed by the 135 // target. It is variable length -- users have to iterate over any 136 // matches and use TargetOffset and NextOffset to make sense of the 137 // data. 138 Elems primitive.ByteSlice 139 } 140 141 // SizeBytes implements marshal.Marshallable.SizeBytes. 142 func (ke *KernelIPTEntry) SizeBytes() int { 143 return ke.Entry.SizeBytes() + ke.Elems.SizeBytes() 144 } 145 146 // MarshalBytes implements marshal.Marshallable.MarshalBytes. 147 func (ke *KernelIPTEntry) MarshalBytes(dst []byte) []byte { 148 dst = ke.Entry.MarshalUnsafe(dst) 149 return ke.Elems.MarshalBytes(dst) 150 } 151 152 // UnmarshalBytes implements marshal.Marshallable.UnmarshalBytes. 153 func (ke *KernelIPTEntry) UnmarshalBytes(src []byte) []byte { 154 src = ke.Entry.UnmarshalUnsafe(src) 155 return ke.Elems.UnmarshalBytes(src) 156 } 157 158 var _ marshal.Marshallable = (*KernelIPTEntry)(nil) 159 160 // IPTIP contains information for matching a packet's IP header. 161 // It corresponds to struct ipt_ip in 162 // include/uapi/linux/netfilter_ipv4/ip_tables.h. 163 // 164 // +marshal 165 type IPTIP struct { 166 // Src is the source IP address. 167 Src InetAddr 168 169 // Dst is the destination IP address. 170 Dst InetAddr 171 172 // SrcMask is the source IP mask. 173 SrcMask InetAddr 174 175 // DstMask is the destination IP mask. 176 DstMask InetAddr 177 178 // InputInterface is the input network interface. 179 InputInterface [IFNAMSIZ]byte 180 181 // OutputInterface is the output network interface. 182 OutputInterface [IFNAMSIZ]byte 183 184 // InputInterfaceMask is the input interface mask. 185 InputInterfaceMask [IFNAMSIZ]byte 186 187 // OuputInterfaceMask is the output interface mask. 188 OutputInterfaceMask [IFNAMSIZ]byte 189 190 // Protocol is the transport protocol. 191 Protocol uint16 192 193 // Flags define matching behavior for the IP header. 194 Flags uint8 195 196 // InverseFlags invert the meaning of fields in struct IPTIP. See the 197 // IPT_INV_* flags. 198 InverseFlags uint8 199 } 200 201 // Flags in IPTIP.InverseFlags. Corresponding constants are in 202 // include/uapi/linux/netfilter_ipv4/ip_tables.h. 203 const ( 204 // Invert the meaning of InputInterface. 205 IPT_INV_VIA_IN = 0x01 206 // Invert the meaning of OutputInterface. 207 IPT_INV_VIA_OUT = 0x02 208 // Unclear what this is, as no references to it exist in the kernel. 209 IPT_INV_TOS = 0x04 210 // Invert the meaning of Src. 211 IPT_INV_SRCIP = 0x08 212 // Invert the meaning of Dst. 213 IPT_INV_DSTIP = 0x10 214 // Invert the meaning of the IPT_F_FRAG flag. 215 IPT_INV_FRAG = 0x20 216 // Invert the meaning of the Protocol field. 217 IPT_INV_PROTO = 0x40 218 // Enable all flags. 219 IPT_INV_MASK = 0x7F 220 ) 221 222 // SizeOfIPTIP is the size of an IPTIP. 223 const SizeOfIPTIP = 84 224 225 // XTCounters holds packet and byte counts for a rule. It corresponds to struct 226 // xt_counters in include/uapi/linux/netfilter/x_tables.h. 227 // 228 // +marshal 229 type XTCounters struct { 230 // Pcnt is the packet count. 231 Pcnt uint64 232 233 // Bcnt is the byte count. 234 Bcnt uint64 235 } 236 237 // SizeOfXTCounters is the size of an XTCounters. 238 const SizeOfXTCounters = 16 239 240 // XTEntryMatch holds a match for a rule. For example, a user using the 241 // addrtype iptables match extension would put the data for that match into an 242 // XTEntryMatch. iptables-extensions(8) has a list of possible matches. 243 // 244 // XTEntryMatch corresponds to struct xt_entry_match in 245 // include/uapi/linux/netfilter/x_tables.h. That struct contains a union 246 // exposing different data to the user and kernel, but this struct holds only 247 // the user data. 248 // 249 // +marshal 250 type XTEntryMatch struct { 251 MatchSize uint16 252 Name ExtensionName 253 Revision uint8 254 // Data is omitted here because it would cause XTEntryMatch to be an 255 // extra byte larger (see http://www.catb.org/esr/structure-packing/). 256 // Data [0]byte 257 } 258 259 // SizeOfXTEntryMatch is the size of an XTEntryMatch. 260 const SizeOfXTEntryMatch = 32 261 262 // KernelXTEntryMatch is identical to XTEntryMatch, but contains 263 // variable-length Data field. 264 type KernelXTEntryMatch struct { 265 XTEntryMatch 266 Data []byte 267 } 268 269 // XTGetRevision corresponds to xt_get_revision in 270 // include/uapi/linux/netfilter/x_tables.h 271 // 272 // +marshal 273 type XTGetRevision struct { 274 Name ExtensionName 275 Revision uint8 276 } 277 278 // SizeOfXTGetRevision is the size of an XTGetRevision. 279 const SizeOfXTGetRevision = 30 280 281 // XTEntryTarget holds a target for a rule. For example, it can specify that 282 // packets matching the rule should DROP, ACCEPT, or use an extension target. 283 // iptables-extension(8) has a list of possible targets. 284 // 285 // XTEntryTarget corresponds to struct xt_entry_target in 286 // include/uapi/linux/netfilter/x_tables.h. That struct contains a union 287 // exposing different data to the user and kernel, but this struct holds only 288 // the user data. 289 // 290 // +marshal 291 type XTEntryTarget struct { 292 TargetSize uint16 293 Name ExtensionName 294 Revision uint8 295 // Data is omitted here because it would cause XTEntryTarget to be an 296 // extra byte larger (see http://www.catb.org/esr/structure-packing/). 297 // Data [0]byte 298 } 299 300 // SizeOfXTEntryTarget is the size of an XTEntryTarget. 301 const SizeOfXTEntryTarget = 32 302 303 // KernelXTEntryTarget is identical to XTEntryTarget, but contains a 304 // variable-length Data field. 305 type KernelXTEntryTarget struct { 306 XTEntryTarget 307 Data []byte 308 } 309 310 // XTStandardTarget is a built-in target, one of ACCEPT, DROP, JUMP, QUEUE, 311 // RETURN, or jump. It corresponds to struct xt_standard_target in 312 // include/uapi/linux/netfilter/x_tables.h. 313 // 314 // +marshal 315 type XTStandardTarget struct { 316 Target XTEntryTarget 317 // A positive verdict indicates a jump, and is the offset from the 318 // start of the table to jump to. A negative value means one of the 319 // other built-in targets. 320 Verdict int32 321 _ [4]byte 322 } 323 324 // SizeOfXTStandardTarget is the size of an XTStandardTarget. 325 const SizeOfXTStandardTarget = 40 326 327 // XTErrorTarget triggers an error when reached. It is also used to mark the 328 // beginning of user-defined chains by putting the name of the chain in 329 // ErrorName. It corresponds to struct xt_error_target in 330 // include/uapi/linux/netfilter/x_tables.h. 331 // 332 // +marshal 333 type XTErrorTarget struct { 334 Target XTEntryTarget 335 Name ErrorName 336 _ [2]byte 337 } 338 339 // SizeOfXTErrorTarget is the size of an XTErrorTarget. 340 const SizeOfXTErrorTarget = 64 341 342 // Flag values for NfNATIPV4Range. The values indicate whether to map 343 // protocol specific part(ports) or IPs. It corresponds to values in 344 // include/uapi/linux/netfilter/nf_nat.h. 345 const ( 346 NF_NAT_RANGE_MAP_IPS = 1 << 0 347 NF_NAT_RANGE_PROTO_SPECIFIED = 1 << 1 348 NF_NAT_RANGE_PROTO_RANDOM = 1 << 2 349 NF_NAT_RANGE_PERSISTENT = 1 << 3 350 NF_NAT_RANGE_PROTO_RANDOM_FULLY = 1 << 4 351 NF_NAT_RANGE_PROTO_RANDOM_ALL = (NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PROTO_RANDOM_FULLY) 352 NF_NAT_RANGE_MASK = (NF_NAT_RANGE_MAP_IPS | 353 NF_NAT_RANGE_PROTO_SPECIFIED | NF_NAT_RANGE_PROTO_RANDOM | 354 NF_NAT_RANGE_PERSISTENT | NF_NAT_RANGE_PROTO_RANDOM_FULLY) 355 ) 356 357 // NfNATIPV4Range corresponds to struct nf_nat_ipv4_range 358 // in include/uapi/linux/netfilter/nf_nat.h. The fields are in 359 // network byte order. 360 // 361 // +marshal 362 type NfNATIPV4Range struct { 363 Flags uint32 364 MinIP [4]byte 365 MaxIP [4]byte 366 MinPort uint16 367 MaxPort uint16 368 } 369 370 // NfNATIPV4MultiRangeCompat corresponds to struct 371 // nf_nat_ipv4_multi_range_compat in include/uapi/linux/netfilter/nf_nat.h. 372 // 373 // +marshal 374 type NfNATIPV4MultiRangeCompat struct { 375 RangeSize uint32 376 RangeIPV4 NfNATIPV4Range 377 } 378 379 // XTRedirectTarget triggers a redirect when reached. 380 // Adding 4 bytes of padding to make the struct 8 byte aligned. 381 // 382 // +marshal 383 type XTRedirectTarget struct { 384 Target XTEntryTarget 385 NfRange NfNATIPV4MultiRangeCompat 386 _ [4]byte 387 } 388 389 // SizeOfXTRedirectTarget is the size of an XTRedirectTarget. 390 const SizeOfXTRedirectTarget = 56 391 392 // XTSNATTarget triggers Source NAT when reached. 393 // Adding 4 bytes of padding to make the struct 8 byte aligned. 394 // 395 // +marshal 396 type XTSNATTarget struct { 397 Target XTEntryTarget 398 NfRange NfNATIPV4MultiRangeCompat 399 _ [4]byte 400 } 401 402 // SizeOfXTSNATTarget is the size of an XTSNATTarget. 403 const SizeOfXTSNATTarget = 56 404 405 // IPTGetinfo is the argument for the IPT_SO_GET_INFO sockopt. It corresponds 406 // to struct ipt_getinfo in include/uapi/linux/netfilter_ipv4/ip_tables.h. 407 // 408 // +marshal 409 type IPTGetinfo struct { 410 Name TableName 411 ValidHooks uint32 412 HookEntry [NF_INET_NUMHOOKS]uint32 413 Underflow [NF_INET_NUMHOOKS]uint32 414 NumEntries uint32 415 Size uint32 416 } 417 418 // SizeOfIPTGetinfo is the size of an IPTGetinfo. 419 const SizeOfIPTGetinfo = 84 420 421 // IPTGetEntries is the argument for the IPT_SO_GET_ENTRIES sockopt. It 422 // corresponds to struct ipt_get_entries in 423 // include/uapi/linux/netfilter_ipv4/ip_tables.h. 424 // 425 // +marshal 426 type IPTGetEntries struct { 427 Name TableName 428 Size uint32 429 _ [4]byte 430 // Entrytable is omitted here because it would cause IPTGetEntries to 431 // be an extra byte longer (see 432 // http://www.catb.org/esr/structure-packing/). 433 // Entrytable [0]IPTEntry 434 } 435 436 // SizeOfIPTGetEntries is the size of an IPTGetEntries. 437 const SizeOfIPTGetEntries = 40 438 439 // KernelIPTGetEntries is identical to IPTGetEntries, but includes the 440 // Entrytable field. 441 // 442 // +marshal dynamic 443 type KernelIPTGetEntries struct { 444 IPTGetEntries 445 Entrytable []KernelIPTEntry 446 } 447 448 // SizeBytes implements marshal.Marshallable.SizeBytes. 449 func (ke *KernelIPTGetEntries) SizeBytes() int { 450 res := ke.IPTGetEntries.SizeBytes() 451 for _, entry := range ke.Entrytable { 452 res += entry.SizeBytes() 453 } 454 return res 455 } 456 457 // MarshalBytes implements marshal.Marshallable.MarshalBytes. 458 func (ke *KernelIPTGetEntries) MarshalBytes(dst []byte) []byte { 459 dst = ke.IPTGetEntries.MarshalUnsafe(dst) 460 for i := range ke.Entrytable { 461 dst = ke.Entrytable[i].MarshalBytes(dst) 462 } 463 return dst 464 } 465 466 // UnmarshalBytes implements marshal.Marshallable.UnmarshalBytes. 467 func (ke *KernelIPTGetEntries) UnmarshalBytes(src []byte) []byte { 468 src = ke.IPTGetEntries.UnmarshalUnsafe(src) 469 for i := range ke.Entrytable { 470 src = ke.Entrytable[i].UnmarshalBytes(src) 471 } 472 return src 473 } 474 475 var _ marshal.Marshallable = (*KernelIPTGetEntries)(nil) 476 477 // IPTReplace is the argument for the IPT_SO_SET_REPLACE sockopt. It 478 // corresponds to struct ipt_replace in 479 // include/uapi/linux/netfilter_ipv4/ip_tables.h. 480 // 481 // +marshal 482 type IPTReplace struct { 483 Name TableName 484 ValidHooks uint32 485 NumEntries uint32 486 Size uint32 487 HookEntry [NF_INET_NUMHOOKS]uint32 488 Underflow [NF_INET_NUMHOOKS]uint32 489 NumCounters uint32 490 Counters uint64 // This is really a *XTCounters. 491 // Entries is omitted here because it would cause IPTReplace to be an 492 // extra byte longer (see http://www.catb.org/esr/structure-packing/). 493 // Entries [0]IPTEntry 494 } 495 496 // SizeOfIPTReplace is the size of an IPTReplace. 497 const SizeOfIPTReplace = 96 498 499 // ExtensionName holds the name of a netfilter extension. 500 // 501 // +marshal 502 type ExtensionName [XT_EXTENSION_MAXNAMELEN]byte 503 504 // String implements fmt.Stringer. 505 func (en ExtensionName) String() string { 506 return goString(en[:]) 507 } 508 509 // TableName holds the name of a netfilter table. 510 // 511 // +marshal 512 type TableName [XT_TABLE_MAXNAMELEN]byte 513 514 // String implements fmt.Stringer. 515 func (tn TableName) String() string { 516 return goString(tn[:]) 517 } 518 519 // ErrorName holds the name of a netfilter error. These can also hold 520 // user-defined chains. 521 // 522 // +marshal 523 type ErrorName [XT_FUNCTION_MAXNAMELEN]byte 524 525 // String implements fmt.Stringer. 526 func (en ErrorName) String() string { 527 return goString(en[:]) 528 } 529 530 func goString(cstring []byte) string { 531 for i, c := range cstring { 532 if c == 0 { 533 return string(cstring[:i]) 534 } 535 } 536 return string(cstring) 537 } 538 539 // XTTCP holds data for matching TCP packets. It corresponds to struct xt_tcp 540 // in include/uapi/linux/netfilter/xt_tcpudp.h. 541 // 542 // +marshal 543 type XTTCP struct { 544 // SourcePortStart specifies the inclusive start of the range of source 545 // ports to which the matcher applies. 546 SourcePortStart uint16 547 548 // SourcePortEnd specifies the inclusive end of the range of source ports 549 // to which the matcher applies. 550 SourcePortEnd uint16 551 552 // DestinationPortStart specifies the start of the destination port 553 // range to which the matcher applies. 554 DestinationPortStart uint16 555 556 // DestinationPortEnd specifies the end of the destination port 557 // range to which the matcher applies. 558 DestinationPortEnd uint16 559 560 // Option specifies that a particular TCP option must be set. 561 Option uint8 562 563 // FlagMask masks TCP flags when comparing to the FlagCompare byte. It allows 564 // for specification of which flags are important to the matcher. 565 FlagMask uint8 566 567 // FlagCompare, in combination with FlagMask, is used to match only packets 568 // that have certain flags set. 569 FlagCompare uint8 570 571 // InverseFlags flips the meaning of certain fields. See the 572 // TX_TCP_INV_* flags. 573 InverseFlags uint8 574 } 575 576 // SizeOfXTTCP is the size of an XTTCP. 577 const SizeOfXTTCP = 12 578 579 // Flags in XTTCP.InverseFlags. Corresponding constants are in 580 // include/uapi/linux/netfilter/xt_tcpudp.h. 581 const ( 582 // Invert the meaning of SourcePortStart/End. 583 XT_TCP_INV_SRCPT = 0x01 584 // Invert the meaning of DestinationPortStart/End. 585 XT_TCP_INV_DSTPT = 0x02 586 // Invert the meaning of FlagCompare. 587 XT_TCP_INV_FLAGS = 0x04 588 // Invert the meaning of Option. 589 XT_TCP_INV_OPTION = 0x08 590 // Enable all flags. 591 XT_TCP_INV_MASK = 0x0F 592 ) 593 594 // XTUDP holds data for matching UDP packets. It corresponds to struct xt_udp 595 // in include/uapi/linux/netfilter/xt_tcpudp.h. 596 // 597 // +marshal 598 type XTUDP struct { 599 // SourcePortStart is the inclusive start of the range of source ports 600 // to which the matcher applies. 601 SourcePortStart uint16 602 603 // SourcePortEnd is the inclusive end of the range of source ports to 604 // which the matcher applies. 605 SourcePortEnd uint16 606 607 // DestinationPortStart is the inclusive start of the destination port 608 // range to which the matcher applies. 609 DestinationPortStart uint16 610 611 // DestinationPortEnd is the inclusive end of the destination port 612 // range to which the matcher applies. 613 DestinationPortEnd uint16 614 615 // InverseFlags flips the meaning of certain fields. See the 616 // TX_UDP_INV_* flags. 617 InverseFlags uint8 618 619 _ uint8 620 } 621 622 // SizeOfXTUDP is the size of an XTUDP. 623 const SizeOfXTUDP = 10 624 625 // Flags in XTUDP.InverseFlags. Corresponding constants are in 626 // include/uapi/linux/netfilter/xt_tcpudp.h. 627 const ( 628 // Invert the meaning of SourcePortStart/End. 629 XT_UDP_INV_SRCPT = 0x01 630 // Invert the meaning of DestinationPortStart/End. 631 XT_UDP_INV_DSTPT = 0x02 632 // Enable all flags. 633 XT_UDP_INV_MASK = 0x03 634 ) 635 636 // IPTOwnerInfo holds data for matching packets with owner. It corresponds 637 // to struct ipt_owner_info in libxt_owner.c of iptables binary. 638 // 639 // +marshal 640 type IPTOwnerInfo struct { 641 // UID is user id which created the packet. 642 UID uint32 643 644 // GID is group id which created the packet. 645 GID uint32 646 647 // PID is process id of the process which created the packet. 648 PID uint32 649 650 // SID is session id which created the packet. 651 SID uint32 652 653 // Comm is the command name which created the packet. 654 Comm [16]byte 655 656 // Match is used to match UID/GID of the socket. See the 657 // XT_OWNER_* flags below. 658 Match uint8 659 660 // Invert flips the meaning of Match field. 661 Invert uint8 `marshal:"unaligned"` 662 } 663 664 // SizeOfIPTOwnerInfo is the size of an XTOwnerMatchInfo. 665 const SizeOfIPTOwnerInfo = 34 666 667 // Flags in IPTOwnerInfo.Match. Corresponding constants are in 668 // include/uapi/linux/netfilter/xt_owner.h. 669 const ( 670 // Match the UID of the packet. 671 XT_OWNER_UID = 1 << 0 672 // Match the GID of the packet. 673 XT_OWNER_GID = 1 << 1 674 // Match if the socket exists for the packet. Forwarded 675 // packets do not have an associated socket. 676 XT_OWNER_SOCKET = 1 << 2 677 )