gvisor.dev/gvisor@v0.0.0-20240520182842-f9d4d51c7e0f/pkg/abi/linux/netfilter.go (about) 1 // Copyright 2019 The gVisor Authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package linux 16 17 import ( 18 "gvisor.dev/gvisor/pkg/marshal" 19 "gvisor.dev/gvisor/pkg/marshal/primitive" 20 ) 21 22 // This file contains structures required to support netfilter, specifically 23 // the iptables tool. 24 25 // Hooks into the network stack. These correspond to values in 26 // include/uapi/linux/netfilter.h. 27 const ( 28 NF_INET_PRE_ROUTING = 0 29 NF_INET_LOCAL_IN = 1 30 NF_INET_FORWARD = 2 31 NF_INET_LOCAL_OUT = 3 32 NF_INET_POST_ROUTING = 4 33 NF_INET_NUMHOOKS = 5 34 ) 35 36 // Verdicts that can be returned by targets. These correspond to values in 37 // include/uapi/linux/netfilter.h 38 const ( 39 NF_DROP = 0 40 NF_ACCEPT = 1 41 NF_STOLEN = 2 42 NF_QUEUE = 3 43 NF_REPEAT = 4 44 NF_STOP = 5 45 NF_MAX_VERDICT = NF_STOP 46 // NF_RETURN is defined in include/uapi/linux/netfilter/x_tables.h. 47 NF_RETURN = -NF_REPEAT - 1 48 ) 49 50 // VerdictStrings maps int verdicts to the strings they represent. It is used 51 // for debugging. 52 var VerdictStrings = map[int32]string{ 53 -NF_DROP - 1: "DROP", 54 -NF_ACCEPT - 1: "ACCEPT", 55 -NF_QUEUE - 1: "QUEUE", 56 NF_RETURN: "RETURN", 57 } 58 59 // Socket options for SOL_SOCKET. These correspond to values in 60 // include/uapi/linux/netfilter_ipv4/ip_tables.h. 61 const ( 62 IPT_BASE_CTL = 64 63 IPT_SO_SET_REPLACE = IPT_BASE_CTL 64 IPT_SO_SET_ADD_COUNTERS = IPT_BASE_CTL + 1 65 IPT_SO_SET_MAX = IPT_SO_SET_ADD_COUNTERS 66 67 IPT_SO_GET_INFO = IPT_BASE_CTL 68 IPT_SO_GET_ENTRIES = IPT_BASE_CTL + 1 69 IPT_SO_GET_REVISION_MATCH = IPT_BASE_CTL + 2 70 IPT_SO_GET_REVISION_TARGET = IPT_BASE_CTL + 3 71 IPT_SO_GET_MAX = IPT_SO_GET_REVISION_TARGET 72 ) 73 74 // Socket option for SOL_IP. This corresponds to the value in 75 // include/uapi/linux/netfilter_ipv4.h. 76 const ( 77 SO_ORIGINAL_DST = 80 78 ) 79 80 // Name lengths. These correspond to values in 81 // include/uapi/linux/netfilter/x_tables.h. 82 const ( 83 XT_FUNCTION_MAXNAMELEN = 30 84 XT_EXTENSION_MAXNAMELEN = 29 85 XT_TABLE_MAXNAMELEN = 32 86 ) 87 88 // IPTEntry is an iptable rule. It corresponds to struct ipt_entry in 89 // include/uapi/linux/netfilter_ipv4/ip_tables.h. 90 // 91 // +marshal 92 type IPTEntry struct { 93 // IP is used to filter packets based on the IP header. 94 IP IPTIP 95 96 // NFCache relates to kernel-internal caching and isn't used by 97 // userspace. 98 NFCache uint32 99 100 // TargetOffset is the byte offset from the beginning of this IPTEntry 101 // to the start of the entry's target. 102 TargetOffset uint16 103 104 // NextOffset is the byte offset from the beginning of this IPTEntry to 105 // the start of the next entry. It is thus also the size of the entry. 106 NextOffset uint16 107 108 // Comeback is a return pointer. It is not used by userspace. 109 Comeback uint32 110 111 // Counters holds the packet and byte counts for this rule. 112 Counters XTCounters 113 114 // Elems holds the data for all this rule's matches followed by the 115 // target. It is variable length -- users have to iterate over any 116 // matches and use TargetOffset and NextOffset to make sense of the 117 // data. 118 // 119 // Elems is omitted here because it would cause IPTEntry to be an extra 120 // byte larger (see http://www.catb.org/esr/structure-packing/). 121 // 122 // Elems [0]byte 123 } 124 125 // SizeOfIPTEntry is the size of an IPTEntry. 126 const SizeOfIPTEntry = 112 127 128 // KernelIPTEntry is identical to IPTEntry, but includes the Elems field. 129 // 130 // +marshal dynamic 131 type KernelIPTEntry struct { 132 Entry IPTEntry 133 134 // Elems holds the data for all this rule's matches followed by the 135 // target. It is variable length -- users have to iterate over any 136 // matches and use TargetOffset and NextOffset to make sense of the 137 // data. 138 Elems primitive.ByteSlice 139 } 140 141 // SizeBytes implements marshal.Marshallable.SizeBytes. 142 func (ke *KernelIPTEntry) SizeBytes() int { 143 return ke.Entry.SizeBytes() + ke.Elems.SizeBytes() 144 } 145 146 // MarshalBytes implements marshal.Marshallable.MarshalBytes. 147 func (ke *KernelIPTEntry) MarshalBytes(dst []byte) []byte { 148 dst = ke.Entry.MarshalUnsafe(dst) 149 return ke.Elems.MarshalBytes(dst) 150 } 151 152 // UnmarshalBytes implements marshal.Marshallable.UnmarshalBytes. 153 func (ke *KernelIPTEntry) UnmarshalBytes(src []byte) []byte { 154 src = ke.Entry.UnmarshalUnsafe(src) 155 return ke.Elems.UnmarshalBytes(src) 156 } 157 158 var _ marshal.Marshallable = (*KernelIPTEntry)(nil) 159 160 // IPTIP contains information for matching a packet's IP header. 161 // It corresponds to struct ipt_ip in 162 // include/uapi/linux/netfilter_ipv4/ip_tables.h. 163 // 164 // +marshal 165 type IPTIP struct { 166 // Src is the source IP address. 167 Src InetAddr 168 169 // Dst is the destination IP address. 170 Dst InetAddr 171 172 // SrcMask is the source IP mask. 173 SrcMask InetAddr 174 175 // DstMask is the destination IP mask. 176 DstMask InetAddr 177 178 // InputInterface is the input network interface. 179 InputInterface [IFNAMSIZ]byte 180 181 // OutputInterface is the output network interface. 182 OutputInterface [IFNAMSIZ]byte 183 184 // InputInterfaceMask is the input interface mask. 185 InputInterfaceMask [IFNAMSIZ]byte 186 187 // OuputInterfaceMask is the output interface mask. 188 OutputInterfaceMask [IFNAMSIZ]byte 189 190 // Protocol is the transport protocol. 191 Protocol uint16 192 193 // Flags define matching behavior for the IP header. 194 Flags uint8 195 196 // InverseFlags invert the meaning of fields in struct IPTIP. See the 197 // IPT_INV_* flags. 198 InverseFlags uint8 199 } 200 201 // Flags in IPTIP.InverseFlags. Corresponding constants are in 202 // include/uapi/linux/netfilter_ipv4/ip_tables.h. 203 const ( 204 // Invert the meaning of InputInterface. 205 IPT_INV_VIA_IN = 0x01 206 // Invert the meaning of OutputInterface. 207 IPT_INV_VIA_OUT = 0x02 208 // Unclear what this is, as no references to it exist in the kernel. 209 IPT_INV_TOS = 0x04 210 // Invert the meaning of Src. 211 IPT_INV_SRCIP = 0x08 212 // Invert the meaning of Dst. 213 IPT_INV_DSTIP = 0x10 214 // Invert the meaning of the IPT_F_FRAG flag. 215 IPT_INV_FRAG = 0x20 216 // Invert the meaning of the Protocol field. 217 IPT_INV_PROTO = 0x40 218 // Enable all flags. 219 IPT_INV_MASK = 0x7F 220 ) 221 222 // SizeOfIPTIP is the size of an IPTIP. 223 const SizeOfIPTIP = 84 224 225 // XTCounters holds packet and byte counts for a rule. It corresponds to struct 226 // xt_counters in include/uapi/linux/netfilter/x_tables.h. 227 // 228 // +marshal 229 type XTCounters struct { 230 // Pcnt is the packet count. 231 Pcnt uint64 232 233 // Bcnt is the byte count. 234 Bcnt uint64 235 } 236 237 // SizeOfXTCounters is the size of an XTCounters. 238 const SizeOfXTCounters = 16 239 240 // XTEntryMatch holds a match for a rule. For example, a user using the 241 // addrtype iptables match extension would put the data for that match into an 242 // XTEntryMatch. iptables-extensions(8) has a list of possible matches. 243 // 244 // XTEntryMatch corresponds to struct xt_entry_match in 245 // include/uapi/linux/netfilter/x_tables.h. That struct contains a union 246 // exposing different data to the user and kernel, but this struct holds only 247 // the user data. 248 // 249 // +marshal 250 type XTEntryMatch struct { 251 MatchSize uint16 252 Name ExtensionName 253 Revision uint8 254 // Data is omitted here because it would cause XTEntryMatch to be an 255 // extra byte larger (see http://www.catb.org/esr/structure-packing/). 256 // Data [0]byte 257 } 258 259 // SizeOfXTEntryMatch is the size of an XTEntryMatch. 260 const SizeOfXTEntryMatch = 32 261 262 // KernelXTEntryMatch is identical to XTEntryMatch, but contains 263 // variable-length Data field. 264 type KernelXTEntryMatch struct { 265 XTEntryMatch 266 Data []byte 267 } 268 269 // XTGetRevision corresponds to xt_get_revision in 270 // include/uapi/linux/netfilter/x_tables.h 271 // 272 // +marshal 273 type XTGetRevision struct { 274 Name ExtensionName 275 Revision uint8 276 } 277 278 // SizeOfXTGetRevision is the size of an XTGetRevision. 279 const SizeOfXTGetRevision = 30 280 281 // XTEntryTarget holds a target for a rule. For example, it can specify that 282 // packets matching the rule should DROP, ACCEPT, or use an extension target. 283 // iptables-extension(8) has a list of possible targets. 284 // 285 // XTEntryTarget corresponds to struct xt_entry_target in 286 // include/uapi/linux/netfilter/x_tables.h. That struct contains a union 287 // exposing different data to the user and kernel, but this struct holds only 288 // the user data. 289 // 290 // +marshal 291 type XTEntryTarget struct { 292 TargetSize uint16 293 Name ExtensionName 294 Revision uint8 295 // Data is omitted here because it would cause XTEntryTarget to be an 296 // extra byte larger (see http://www.catb.org/esr/structure-packing/). 297 // Data [0]byte 298 } 299 300 // SizeOfXTEntryTarget is the size of an XTEntryTarget. 301 const SizeOfXTEntryTarget = 32 302 303 // KernelXTEntryTarget is identical to XTEntryTarget, but contains a 304 // variable-length Data field. 305 type KernelXTEntryTarget struct { 306 XTEntryTarget 307 Data []byte 308 } 309 310 // XTStandardTarget is a built-in target, one of ACCEPT, DROP, JUMP, QUEUE, 311 // RETURN, or jump. It corresponds to struct xt_standard_target in 312 // include/uapi/linux/netfilter/x_tables.h. 313 // 314 // +marshal 315 type XTStandardTarget struct { 316 Target XTEntryTarget 317 // A positive verdict indicates a jump, and is the offset from the 318 // start of the table to jump to. A negative value means one of the 319 // other built-in targets. 320 Verdict int32 321 _ [4]byte 322 } 323 324 // SizeOfXTStandardTarget is the size of an XTStandardTarget. 325 const SizeOfXTStandardTarget = 40 326 327 // XTErrorTarget triggers an error when reached. It is also used to mark the 328 // beginning of user-defined chains by putting the name of the chain in 329 // ErrorName. It corresponds to struct xt_error_target in 330 // include/uapi/linux/netfilter/x_tables.h. 331 // 332 // +marshal 333 type XTErrorTarget struct { 334 Target XTEntryTarget 335 Name ErrorName 336 _ [2]byte 337 } 338 339 // SizeOfXTErrorTarget is the size of an XTErrorTarget. 340 const SizeOfXTErrorTarget = 64 341 342 // Flag values for NfNATIPV4Range. The values indicate whether to map 343 // protocol specific part(ports) or IPs. It corresponds to values in 344 // include/uapi/linux/netfilter/nf_nat.h. 345 const ( 346 NF_NAT_RANGE_MAP_IPS = 1 << 0 347 NF_NAT_RANGE_PROTO_SPECIFIED = 1 << 1 348 NF_NAT_RANGE_PROTO_RANDOM = 1 << 2 349 NF_NAT_RANGE_PERSISTENT = 1 << 3 350 NF_NAT_RANGE_PROTO_RANDOM_FULLY = 1 << 4 351 NF_NAT_RANGE_PROTO_RANDOM_ALL = (NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PROTO_RANDOM_FULLY) 352 NF_NAT_RANGE_MASK = (NF_NAT_RANGE_MAP_IPS | 353 NF_NAT_RANGE_PROTO_SPECIFIED | NF_NAT_RANGE_PROTO_RANDOM | 354 NF_NAT_RANGE_PERSISTENT | NF_NAT_RANGE_PROTO_RANDOM_FULLY) 355 ) 356 357 // NfNATIPV4Range corresponds to struct nf_nat_ipv4_range 358 // in include/uapi/linux/netfilter/nf_nat.h. The fields are in 359 // network byte order. 360 // 361 // +marshal 362 type NfNATIPV4Range struct { 363 Flags uint32 364 MinIP [4]byte 365 MaxIP [4]byte 366 MinPort uint16 367 MaxPort uint16 368 } 369 370 // NfNATIPV4MultiRangeCompat corresponds to struct 371 // nf_nat_ipv4_multi_range_compat in include/uapi/linux/netfilter/nf_nat.h. 372 // 373 // +marshal 374 type NfNATIPV4MultiRangeCompat struct { 375 RangeSize uint32 376 RangeIPV4 NfNATIPV4Range 377 } 378 379 // XTRedirectTarget triggers a redirect when reached. 380 // Adding 4 bytes of padding to make the struct 8 byte aligned. 381 // 382 // +marshal 383 type XTRedirectTarget struct { 384 Target XTEntryTarget 385 NfRange NfNATIPV4MultiRangeCompat 386 _ [4]byte 387 } 388 389 // SizeOfXTRedirectTarget is the size of an XTRedirectTarget. 390 const SizeOfXTRedirectTarget = 56 391 392 // XTNATTargetV0 triggers NAT when reached. 393 // Adding 4 bytes of padding to make the struct 8 byte aligned. 394 // 395 // +marshal 396 type XTNATTargetV0 struct { 397 Target XTEntryTarget 398 NfRange NfNATIPV4MultiRangeCompat 399 _ [4]byte 400 } 401 402 // SizeOfXTNATTargetV0 is the size of an XTNATTargetV0. 403 const SizeOfXTNATTargetV0 = 56 404 405 // XTNATTargetV1 triggers NAT when reached. 406 // 407 // +marshal 408 type XTNATTargetV1 struct { 409 Target XTEntryTarget 410 Range NFNATRange 411 } 412 413 // SizeOfXTNATTargetV1 is the size of an XTNATTargetV1. 414 const SizeOfXTNATTargetV1 = SizeOfXTEntryTarget + SizeOfNFNATRange 415 416 // XTNATTargetV2 triggers NAT when reached. 417 // 418 // +marshal 419 type XTNATTargetV2 struct { 420 Target XTEntryTarget 421 Range NFNATRange2 422 } 423 424 // SizeOfXTNATTargetV2 is the size of an XTNATTargetV2. 425 const SizeOfXTNATTargetV2 = SizeOfXTEntryTarget + SizeOfNFNATRange2 426 427 // IPTGetinfo is the argument for the IPT_SO_GET_INFO sockopt. It corresponds 428 // to struct ipt_getinfo in include/uapi/linux/netfilter_ipv4/ip_tables.h. 429 // 430 // +marshal 431 type IPTGetinfo struct { 432 Name TableName 433 ValidHooks uint32 434 HookEntry [NF_INET_NUMHOOKS]uint32 435 Underflow [NF_INET_NUMHOOKS]uint32 436 NumEntries uint32 437 Size uint32 438 } 439 440 // SizeOfIPTGetinfo is the size of an IPTGetinfo. 441 const SizeOfIPTGetinfo = 84 442 443 // IPTGetEntries is the argument for the IPT_SO_GET_ENTRIES sockopt. It 444 // corresponds to struct ipt_get_entries in 445 // include/uapi/linux/netfilter_ipv4/ip_tables.h. 446 // 447 // +marshal 448 type IPTGetEntries struct { 449 Name TableName 450 Size uint32 451 _ [4]byte 452 // Entrytable is omitted here because it would cause IPTGetEntries to 453 // be an extra byte longer (see 454 // http://www.catb.org/esr/structure-packing/). 455 // Entrytable [0]IPTEntry 456 } 457 458 // SizeOfIPTGetEntries is the size of an IPTGetEntries. 459 const SizeOfIPTGetEntries = 40 460 461 // KernelIPTGetEntries is identical to IPTGetEntries, but includes the 462 // Entrytable field. 463 // 464 // +marshal dynamic 465 type KernelIPTGetEntries struct { 466 IPTGetEntries 467 Entrytable []KernelIPTEntry 468 } 469 470 // SizeBytes implements marshal.Marshallable.SizeBytes. 471 func (ke *KernelIPTGetEntries) SizeBytes() int { 472 res := ke.IPTGetEntries.SizeBytes() 473 for _, entry := range ke.Entrytable { 474 res += entry.SizeBytes() 475 } 476 return res 477 } 478 479 // MarshalBytes implements marshal.Marshallable.MarshalBytes. 480 func (ke *KernelIPTGetEntries) MarshalBytes(dst []byte) []byte { 481 dst = ke.IPTGetEntries.MarshalUnsafe(dst) 482 for i := range ke.Entrytable { 483 dst = ke.Entrytable[i].MarshalBytes(dst) 484 } 485 return dst 486 } 487 488 // UnmarshalBytes implements marshal.Marshallable.UnmarshalBytes. 489 func (ke *KernelIPTGetEntries) UnmarshalBytes(src []byte) []byte { 490 src = ke.IPTGetEntries.UnmarshalUnsafe(src) 491 for i := range ke.Entrytable { 492 src = ke.Entrytable[i].UnmarshalBytes(src) 493 } 494 return src 495 } 496 497 var _ marshal.Marshallable = (*KernelIPTGetEntries)(nil) 498 499 // IPTReplace is the argument for the IPT_SO_SET_REPLACE sockopt. It 500 // corresponds to struct ipt_replace in 501 // include/uapi/linux/netfilter_ipv4/ip_tables.h. 502 // 503 // +marshal 504 type IPTReplace struct { 505 Name TableName 506 ValidHooks uint32 507 NumEntries uint32 508 Size uint32 509 HookEntry [NF_INET_NUMHOOKS]uint32 510 Underflow [NF_INET_NUMHOOKS]uint32 511 NumCounters uint32 512 Counters uint64 // This is really a *XTCounters. 513 // Entries is omitted here because it would cause IPTReplace to be an 514 // extra byte longer (see http://www.catb.org/esr/structure-packing/). 515 // Entries [0]IPTEntry 516 } 517 518 // SizeOfIPTReplace is the size of an IPTReplace. 519 const SizeOfIPTReplace = 96 520 521 // ExtensionName holds the name of a netfilter extension. 522 // 523 // +marshal 524 type ExtensionName [XT_EXTENSION_MAXNAMELEN]byte 525 526 // String implements fmt.Stringer. 527 func (en ExtensionName) String() string { 528 return goString(en[:]) 529 } 530 531 // TableName holds the name of a netfilter table. 532 // 533 // +marshal 534 type TableName [XT_TABLE_MAXNAMELEN]byte 535 536 // String implements fmt.Stringer. 537 func (tn TableName) String() string { 538 return goString(tn[:]) 539 } 540 541 // ErrorName holds the name of a netfilter error. These can also hold 542 // user-defined chains. 543 // 544 // +marshal 545 type ErrorName [XT_FUNCTION_MAXNAMELEN]byte 546 547 // String implements fmt.Stringer. 548 func (en ErrorName) String() string { 549 return goString(en[:]) 550 } 551 552 func goString(cstring []byte) string { 553 for i, c := range cstring { 554 if c == 0 { 555 return string(cstring[:i]) 556 } 557 } 558 return string(cstring) 559 } 560 561 // XTTCP holds data for matching TCP packets. It corresponds to struct xt_tcp 562 // in include/uapi/linux/netfilter/xt_tcpudp.h. 563 // 564 // +marshal 565 type XTTCP struct { 566 // SourcePortStart specifies the inclusive start of the range of source 567 // ports to which the matcher applies. 568 SourcePortStart uint16 569 570 // SourcePortEnd specifies the inclusive end of the range of source ports 571 // to which the matcher applies. 572 SourcePortEnd uint16 573 574 // DestinationPortStart specifies the start of the destination port 575 // range to which the matcher applies. 576 DestinationPortStart uint16 577 578 // DestinationPortEnd specifies the end of the destination port 579 // range to which the matcher applies. 580 DestinationPortEnd uint16 581 582 // Option specifies that a particular TCP option must be set. 583 Option uint8 584 585 // FlagMask masks TCP flags when comparing to the FlagCompare byte. It allows 586 // for specification of which flags are important to the matcher. 587 FlagMask uint8 588 589 // FlagCompare, in combination with FlagMask, is used to match only packets 590 // that have certain flags set. 591 FlagCompare uint8 592 593 // InverseFlags flips the meaning of certain fields. See the 594 // TX_TCP_INV_* flags. 595 InverseFlags uint8 596 } 597 598 // SizeOfXTTCP is the size of an XTTCP. 599 const SizeOfXTTCP = 12 600 601 // Flags in XTTCP.InverseFlags. Corresponding constants are in 602 // include/uapi/linux/netfilter/xt_tcpudp.h. 603 const ( 604 // Invert the meaning of SourcePortStart/End. 605 XT_TCP_INV_SRCPT = 0x01 606 // Invert the meaning of DestinationPortStart/End. 607 XT_TCP_INV_DSTPT = 0x02 608 // Invert the meaning of FlagCompare. 609 XT_TCP_INV_FLAGS = 0x04 610 // Invert the meaning of Option. 611 XT_TCP_INV_OPTION = 0x08 612 // Enable all flags. 613 XT_TCP_INV_MASK = 0x0F 614 ) 615 616 // XTUDP holds data for matching UDP packets. It corresponds to struct xt_udp 617 // in include/uapi/linux/netfilter/xt_tcpudp.h. 618 // 619 // +marshal 620 type XTUDP struct { 621 // SourcePortStart is the inclusive start of the range of source ports 622 // to which the matcher applies. 623 SourcePortStart uint16 624 625 // SourcePortEnd is the inclusive end of the range of source ports to 626 // which the matcher applies. 627 SourcePortEnd uint16 628 629 // DestinationPortStart is the inclusive start of the destination port 630 // range to which the matcher applies. 631 DestinationPortStart uint16 632 633 // DestinationPortEnd is the inclusive end of the destination port 634 // range to which the matcher applies. 635 DestinationPortEnd uint16 636 637 // InverseFlags flips the meaning of certain fields. See the 638 // TX_UDP_INV_* flags. 639 InverseFlags uint8 640 641 _ uint8 642 } 643 644 // SizeOfXTUDP is the size of an XTUDP. 645 const SizeOfXTUDP = 10 646 647 // Flags in XTUDP.InverseFlags. Corresponding constants are in 648 // include/uapi/linux/netfilter/xt_tcpudp.h. 649 const ( 650 // Invert the meaning of SourcePortStart/End. 651 XT_UDP_INV_SRCPT = 0x01 652 // Invert the meaning of DestinationPortStart/End. 653 XT_UDP_INV_DSTPT = 0x02 654 // Enable all flags. 655 XT_UDP_INV_MASK = 0x03 656 ) 657 658 // IPTOwnerInfo holds data for matching packets with the owner v0 matcher. It 659 // corresponds to struct ipt_owner_info in libxt_owner.c of iptables binary. 660 // 661 // +marshal 662 type IPTOwnerInfo struct { 663 // UID is user id which created the packet. 664 UID uint32 665 666 // GID is group id which created the packet. 667 GID uint32 668 669 // PID is process id of the process which created the packet. 670 PID uint32 671 672 // SID is session id which created the packet. 673 SID uint32 674 675 // Comm is the command name which created the packet. 676 Comm [16]byte 677 678 // Match is used to match UID/GID of the socket. See the 679 // XT_OWNER_* flags below. 680 Match uint8 681 682 // Invert flips the meaning of Match field. 683 Invert uint8 `marshal:"unaligned"` 684 } 685 686 // SizeOfIPTOwnerInfo is the size of an IPTOwnerInfo. 687 const SizeOfIPTOwnerInfo = 34 688 689 // XTOwnerMatchInfo holds data for matching packets with the owner v1 matcher. 690 // It corresponds to struct xt_owner_match_info in 691 // include/uapi/linux/netfilter/xt_owner.h 692 // 693 // +marshal 694 type XTOwnerMatchInfo struct { 695 UIDMin uint32 696 UIDMax uint32 697 GIDMin uint32 698 GIDMax uint32 699 Match uint8 700 Invert uint8 701 _ [2]byte 702 } 703 704 // SizeOfXTOwnerMatchInfo is the size of an XTOwnerMatchInfo. 705 const SizeOfXTOwnerMatchInfo = 20 706 707 // Flags in IPTOwnerInfo.Match and XTOwnerMatchInfo.Match. Corresponding 708 // constants are in include/uapi/linux/netfilter/xt_owner.h. 709 const ( 710 // Match the UID of the packet. 711 XT_OWNER_UID = 1 << 0 712 // Match the GID of the packet. 713 XT_OWNER_GID = 1 << 1 714 // Match if the socket exists for the packet. Forwarded 715 // packets do not have an associated socket. 716 XT_OWNER_SOCKET = 1 << 2 717 )