package netfilter
import "gvisor.dev/gvisor/pkg/sentry/socket/netfilter"
Package netfilter helps the sentry interact with netstack's netfilter capabilities.
Index ¶
- Constants
- func DefaultLinuxTables(clock tcpip.Clock, rand *rand.Rand) *stack.IPTables
- func GetEntries4(t *kernel.Task, stack *stack.Stack, outPtr hostarch.Addr, outLen int) (linux.KernelIPTGetEntries, *syserr.Error)
- func GetEntries6(t *kernel.Task, stack *stack.Stack, outPtr hostarch.Addr, outLen int) (linux.KernelIP6TGetEntries, *syserr.Error)
- func GetInfo(t *kernel.Task, stack *stack.Stack, outPtr hostarch.Addr, ipv6 bool) (linux.IPTGetinfo, *syserr.Error)
- func MatchRevision(t *kernel.Task, revPtr hostarch.Addr) (linux.XTGetRevision, *syserr.Error)
- func SetEntries(mapper IDMapper, stk *stack.Stack, optVal []byte, ipv6 bool) *syserr.Error
- func TargetRevision(t *kernel.Task, revPtr hostarch.Addr, netProto tcpip.NetworkProtocolNumber) (linux.XTGetRevision, *syserr.Error)
- type IDMapper
- type JumpTarget
- type OwnerMatcher
- type OwnerMatcherV1
- type TCPMatcher
- type UDPMatcher
Constants ¶
const DNATTargetName = "DNAT"
DNATTargetName is used to mark targets as DNAT targets. DNAT targets should be reached for only NAT table. These targets will change the source port and/or IP for packets.
const ErrorTargetName = "ERROR"
ErrorTargetName is used to mark targets as error targets. Error targets shouldn't be reached - an error has occurred if we fall through to one.
const RedirectTargetName = "REDIRECT"
RedirectTargetName is used to mark targets as redirect targets. Redirect targets should be reached for only NAT and Mangle tables. These targets will change the destination port and/or IP for packets.
const SNATTargetName = "SNAT"
SNATTargetName is used to mark targets as SNAT targets. SNAT targets should be reached for only NAT table. These targets will change the source port and/or IP for packets.
Functions ¶
func DefaultLinuxTables ¶
DefaultLinuxTables returns the rules of stack.DefaultTables() wrapped for compatibility with netfilter extensions.
func GetEntries4 ¶
func GetEntries4(t *kernel.Task, stack *stack.Stack, outPtr hostarch.Addr, outLen int) (linux.KernelIPTGetEntries, *syserr.Error)
GetEntries4 returns netstack's iptables rules.
func GetEntries6 ¶
func GetEntries6(t *kernel.Task, stack *stack.Stack, outPtr hostarch.Addr, outLen int) (linux.KernelIP6TGetEntries, *syserr.Error)
GetEntries6 returns netstack's ip6tables rules.
func GetInfo ¶
func GetInfo(t *kernel.Task, stack *stack.Stack, outPtr hostarch.Addr, ipv6 bool) (linux.IPTGetinfo, *syserr.Error)
GetInfo returns information about iptables.
func MatchRevision ¶
MatchRevision returns a "linux.XTGetRevision" for a given matcher. It sets "Revision" to the highest supported value, unless the provided revision number is higher.
func SetEntries ¶
SetEntries sets iptables rules for a single table. See net/ipv4/netfilter/ip_tables.c:translate_table for reference.
func TargetRevision ¶
func TargetRevision(t *kernel.Task, revPtr hostarch.Addr, netProto tcpip.NetworkProtocolNumber) (linux.XTGetRevision, *syserr.Error)
TargetRevision returns a linux.XTGetRevision for a given target. It sets Revision to the highest supported value, unless the provided revision number is larger.
Types ¶
type IDMapper ¶
An IDMapper maps UIDs and GIDs to KUIDs and KGIDs.
type JumpTarget ¶
type JumpTarget struct {
// Offset is the byte offset of the rule to jump to. It is used for
// marshaling and unmarshaling.
Offset uint32
// RuleNum is the rule to jump to.
RuleNum int
// NetworkProtocol is the network protocol the target is used with.
NetworkProtocol tcpip.NetworkProtocolNumber
}
JumpTarget implements stack.Target.
+stateify savable
func (*JumpTarget) Action ¶
func (jt *JumpTarget) Action(*stack.PacketBuffer, stack.Hook, *stack.Route, stack.AddressableEndpoint) (stack.RuleVerdict, int)
Action implements stack.Target.Action.
type OwnerMatcher ¶
type OwnerMatcher struct {
// contains filtered or unexported fields
}
OwnerMatcher matches against a UID and/or GID.
func (*OwnerMatcher) Match ¶
func (om *OwnerMatcher) Match(hook stack.Hook, pkt *stack.PacketBuffer, _, _ string) (bool, bool)
Match implements Matcher.Match.
type OwnerMatcherV1 ¶
type OwnerMatcherV1 struct {
// contains filtered or unexported fields
}
OwnerMatcherV1 matches against a UID and/or GID.
func (*OwnerMatcherV1) Match ¶
func (om *OwnerMatcherV1) Match(hook stack.Hook, pkt *stack.PacketBuffer, _, _ string) (bool, bool)
Match implements Matcher.Match.
type TCPMatcher ¶
type TCPMatcher struct {
// contains filtered or unexported fields
}
TCPMatcher matches TCP packets and their headers. It implements Matcher.
func (*TCPMatcher) Match ¶
func (tm *TCPMatcher) Match(hook stack.Hook, pkt *stack.PacketBuffer, _, _ string) (bool, bool)
Match implements Matcher.Match.
type UDPMatcher ¶
type UDPMatcher struct {
// contains filtered or unexported fields
}
UDPMatcher matches UDP packets and their headers. It implements Matcher.
func (*UDPMatcher) Match ¶
func (um *UDPMatcher) Match(hook stack.Hook, pkt *stack.PacketBuffer, _, _ string) (bool, bool)
Match implements Matcher.Match.
Source Files ¶
dnat.go extensions.go ipv4.go ipv6.go multiport_matcher.go multiport_matcher_v1.go netfilter.go owner_matcher.go owner_matcher_v1.go snat.go targets.go tcp_matcher.go udp_matcher.go
- Version
- v0.0.0-20250605235530-a6711d1e1dc6 (latest)
- Published
- Jun 5, 2025
- Platform
- linux/amd64
- Imports
- 16 packages
- Last checked
- 4 hours ago –
Tools for package owners.