
package nftables

import "gvisor.dev/gvisor/pkg/tcpip/nftables"

Package nftables provides the interface to process packets through a netfilter (nf) ruleset and to maintain and modify that ruleset. The package implements a bytecode nftables interpreter that accepts an nf ruleset (the assembly and/or machine code emitted by the nftables binary) along with network packets (as a stack.PacketBuffer) to filter, modify, and evaluate. Only a subset of the functionality of the nftables binary is supported. The package is not yet thread-safe.

To use the package, construct a ruleset using the official nft binary and pass the ruleset as a string (run nft with --debug=netlink to get the assembly) to InterpretRuleset. The interpreter has strict syntax and only accepts rulesets output directly by the nftables binary. Maintaining and modifying the ruleset is done through the other public functions (Add.., Flush.., etc).

To evaluate a packet through the ruleset, call EvaluatePacket with the packet and the hook to evaluate at. EvaluatePacket returns the verdict issued by the ruleset and the packet as modified by the ruleset (if the verdict is not Drop).

Inner Headers and Tunneling Headers are not supported.

Finally, note that error checking for parameters/inputs is only guaranteed for public functions. Most private functions are assumed to have valid/prechecked inputs.

Index

Functions

func AFtoNetlinkAF

func AFtoNetlinkAF(af uint8) (stack.AddressFamily, *syserr.Error)

AFtoNetlinkAF converts a generic address family to a netfilter address family. On error, we simply cast it to be a stack.AddressFamily and return an error to allow netfilter sockets to handle it accordingly if needed.

func AfProtocol

func AfProtocol(f stack.AddressFamily) uint8

AfProtocol returns the protocol number for the address family.

func EnableNFTables

func EnableNFTables()

EnableNFTables enables NFTables.

func InterpretBitwiseBool

func InterpretBitwiseBool(line string, lnIdx int) (operation, *syserr.AnnotatedError)

InterpretBitwiseBool creates a new bitwise boolean operation from the given string.

func InterpretByteorder

func InterpretByteorder(line string, lnIdx int) (operation, *syserr.AnnotatedError)

InterpretByteorder creates a new Byteorder operation from the given string.

func InterpretComparison

func InterpretComparison(line string, lnIdx int) (operation, *syserr.AnnotatedError)

InterpretComparison creates a new Comparison operation from the given string.

func InterpretCounter

func InterpretCounter(line string, lnIdx int) (operation, *syserr.AnnotatedError)

InterpretCounter creates a new Counter operation from the given string.

func InterpretImmediate

func InterpretImmediate(line string, lnIdx int) (operation, *syserr.AnnotatedError)

InterpretImmediate creates a new Immediate operation from the given string.

func InterpretMetaLoad

func InterpretMetaLoad(line string, lnIdx int) (operation, *syserr.AnnotatedError)

InterpretMetaLoad creates a new MetaLoad operation from the given string.

func InterpretMetaSet

func InterpretMetaSet(line string, lnIdx int) (operation, *syserr.AnnotatedError)

InterpretMetaSet creates a new MetaSet operation from the given string.

func InterpretOperation

func InterpretOperation(line string, lnIdx int) (operation, *syserr.AnnotatedError)

InterpretOperation creates a new operation from the given operation string, assumed to be a single line of text enclosed in square brackets. Note: the operation string should be generated as output from the official nft binary (run nft with --debug=netlink).

func InterpretPayloadLoad

func InterpretPayloadLoad(line string, lnIdx int) (operation, *syserr.AnnotatedError)

InterpretPayloadLoad creates a new PayloadLoad operation from the given string.

func InterpretPayloadSet

func InterpretPayloadSet(line string, lnIdx int) (operation, *syserr.AnnotatedError)

InterpretPayloadSet creates a new PayloadSet operation from the given string.

func InterpretRoute

func InterpretRoute(line string, lnIdx int) (operation, *syserr.AnnotatedError)

InterpretRoute creates a new Route operation from the given string.

func IsNFTablesEnabled

func IsNFTablesEnabled() bool

IsNFTablesEnabled returns true if NFTables is enabled.

func StackHook

func StackHook(family stack.AddressFamily, hook uint32) (stack.NFHook, *syserr.AnnotatedError)

StackHook returns the stack hook for the given linux hook.

func VC

func VC(v int32) uint32

VC converts a numeric code to a uint32 number representing the verdict.

func ValidLinuxHook

func ValidLinuxHook(family stack.AddressFamily, bcType BaseChainType, hook uint32) bool

ValidLinuxHook ensures the hook is within bounds and supported for the given address family and base chain type.

func VerdictCodeToString

func VerdictCodeToString(v uint32) string

VerdictCodeToString prints names for the supported verdicts.

func VerdictString

func VerdictString(v stack.NFVerdict) string

VerdictString returns a string representation of the verdict.

Types

type BaseChainInfo

type BaseChainInfo struct {

	// BcType is the base chain type of the chain (filter, nat, route).
	BcType BaseChainType

	// Hook is the hook to attach the chain to in the netfilter pipeline
	Hook stack.NFHook

	// LinuxHookNum is the linux hook number for the hook. Used for filling out the information
	// for a retrieved base chain.
	LinuxHookNum uint32

	// Priority determines the order in which base chains with the same hook are
	// traversed. Each priority is associated with a signed integer priority value
	// which rank base chains in ascending order. See the Priority struct below
	// for more details.
	Priority Priority

	// Device is an optional parameter and is mainly relevant to the bridge and
	// netdev address families. It specifies the device associated with chain.
	Device string

	// PolicyDrop determines whether to change the chain's policy from Accept to
	// Drop. The policy of a chain is the verdict to issue when a packet is not
	// explicitly accepted or rejected by the rules. A chain's policy defaults to
	// Accept, but this can be used to specify otherwise.
	PolicyDrop bool
}

BaseChainInfo stores hook-related info for attaching a chain to the pipeline.

func NewBaseChainInfo

func NewBaseChainInfo(bcType BaseChainType, hook stack.NFHook, priority Priority, device string, policyDrop bool) *BaseChainInfo

NewBaseChainInfo creates a new BaseChainInfo object with the given values. The device and policyDrop parameters are optional in the nft binary and should be set to empty string and false if not needed.

func (*BaseChainInfo) PolicyBoolToValue

func (bc *BaseChainInfo) PolicyBoolToValue() uint8

PolicyBoolToValue converts the policy drop boolean to a uint8.

type BaseChainType

type BaseChainType int

BaseChainType represents the supported chain types for base chains.

const (
	// BaseChainTypeFilter is supported by all hooks.
	BaseChainTypeFilter BaseChainType = iota

	// BaseChainTypeNat is supported by the Prerouting, Input, Output and Postrouting hooks.
	BaseChainTypeNat

	// BaseChainTypeRoute is supported by the Output hook only.
	BaseChainTypeRoute

	// NumBaseChainTypes is the number of base chain types supported by nftables.
	NumBaseChainTypes
)

Constants for BaseChainType

func (BaseChainType) String

func (bcType BaseChainType) String() string

String for BaseChainType returns the name of the base chain type.

type Chain

type Chain struct {
	// contains filtered or unexported fields
}

Chain represents a single chain as a list of rules. A chain can be either a base chain or a regular chain. Base chains (aka hook functions) carry a hook that attaches them directly to the netfilter pipeline, so they are called whenever that hook is encountered. Regular chains have a nil hook and must be called (via jump or goto) from base chains for evaluation.

func (*Chain) GetAddressFamily

func (c *Chain) GetAddressFamily() stack.AddressFamily

GetAddressFamily returns the address family of the chain.

func (*Chain) GetBaseChainInfo

func (c *Chain) GetBaseChainInfo() *BaseChainInfo

GetBaseChainInfo returns the base chain info of the chain. Note: Returns nil if the chain is not a base chain.

func (*Chain) GetChainUse

func (c *Chain) GetChainUse() uint32

GetChainUse returns the chain use value of the chain.

func (*Chain) GetComment

func (c *Chain) GetComment() string

GetComment returns the comment of the chain.

func (*Chain) GetFlags

func (c *Chain) GetFlags() uint8

GetFlags returns the flags of the chain.

func (*Chain) GetHandle

func (c *Chain) GetHandle() uint64

GetHandle returns the handle of the chain.

func (*Chain) GetName

func (c *Chain) GetName() string

GetName returns the name of the chain.

func (*Chain) GetRule

func (c *Chain) GetRule(index int) (*Rule, *syserr.AnnotatedError)

GetRule returns the rule at the given index in the chain's rule list. Valid indices are -1 (last) and [0, len-1]. Errors on invalid index.

func (*Chain) GetRuleByHandle

func (c *Chain) GetRuleByHandle(handle uint64) (*Rule, *syserr.AnnotatedError)

GetRuleByHandle returns the rule with the specified handle from the chain's rule list. Errors on rule not found.

func (*Chain) GetTable

func (c *Chain) GetTable() *Table

GetTable returns the table that the chain belongs to.

func (*Chain) GetUserData

func (c *Chain) GetUserData() []byte

GetUserData returns the user data of the chain.

func (*Chain) HasUserData

func (c *Chain) HasUserData() bool

HasUserData returns whether the chain has user data.

func (*Chain) IsBaseChain

func (c *Chain) IsBaseChain() bool

IsBaseChain returns whether the chain is a base chain.

func (*Chain) RegisterRule

func (c *Chain) RegisterRule(rule *Rule, index int) *syserr.AnnotatedError

RegisterRule assigns the chain to the rule and adds the rule to the chain's rule list at the given index. Valid indices are -1 (append) and [0, len]. Errors on invalid index. This also checks that the operations in the rule comply with the chain. Checks done:
  - All jump and goto operations have a valid target chain.
  - Loop checking for jump and goto operations.
  - TODO(b/345684870): Add more checks as more operations are supported.
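The jump/goto checks listed above, as an added example in Go that is not the package's code: a table of chains, a rule type reduced to the operations that matter for the check, and a registerRule that validates the index, verifies that every jump/goto target exists, and refuses a rule that would close a loop back to the chain it is being added to. The names Table, Chain, Rule, Op, newTable, reaches and registerRule are this example's own, not the package's; the ruleset built in main is constructed for the demonstration.

```go
package main

import "fmt"

// Op is the only part of a rule this example cares about: whether it
// transfers control to another chain. Kind is "jump", "goto" or anything
// else (a match, a counter, a verdict such as accept or drop).
type Op struct {
	Kind   string
	Target string // chain name for jump/goto, empty otherwise
}

// Rule is an ordered list of operations, as in the package.
type Rule []Op

// Chain holds rules; a regular chain is only reached via jump/goto.
type Chain struct {
	Name  string
	Rules []Rule
}

// Table is a set of named chains (example type, not the package's Table).
type Table struct {
	Chains map[string]*Chain
}

func newTable(names ...string) *Table {
	t := &Table{Chains: map[string]*Chain{}}
	for _, n := range names {
		t.Chains[n] = &Chain{Name: n}
	}
	return t
}

// reaches reports whether evaluation starting in chain from can arrive at
// chain to by following jump/goto edges. seen stops the walk from revisiting
// a chain, so it terminates even if the existing ruleset already had a cycle.
func (t *Table) reaches(from, to string, seen map[string]bool) bool {
	if from == to {
		return true
	}
	if seen[from] {
		return false
	}
	seen[from] = true
	c, ok := t.Chains[from]
	if !ok {
		return false
	}
	for _, rule := range c.Rules {
		for _, op := range rule {
			if (op.Kind == "jump" || op.Kind == "goto") && t.reaches(op.Target, to, seen) {
				return true
			}
		}
	}
	return false
}

// registerRule models the documented checks of Chain.RegisterRule: the index
// must be -1 (append) or within [0, len], every jump/goto target must exist,
// and the new rule must not close a loop back to chainName. All checks run
// before the rule is stored, so a rejected rule leaves the table untouched.
func (t *Table) registerRule(chainName string, rule Rule, index int) error {
	c, ok := t.Chains[chainName]
	if !ok {
		return fmt.Errorf("chain %q does not exist", chainName)
	}
	if index < -1 || index > len(c.Rules) {
		return fmt.Errorf("index %d out of range for chain %q with %d rules", index, chainName, len(c.Rules))
	}
	for _, op := range rule {
		if op.Kind != "jump" && op.Kind != "goto" {
			continue
		}
		if _, ok := t.Chains[op.Target]; !ok {
			return fmt.Errorf("%s target %q does not exist", op.Kind, op.Target)
		}
		// A loop exists if the target can already get back to this chain,
		// which includes the degenerate case of a chain targeting itself.
		if t.reaches(op.Target, chainName, map[string]bool{}) {
			return fmt.Errorf("%s from %q to %q would create a loop", op.Kind, chainName, op.Target)
		}
	}
	if index == -1 {
		c.Rules = append(c.Rules, rule)
		return nil
	}
	c.Rules = append(c.Rules[:index], append([]Rule{rule}, c.Rules[index:]...)...)
	return nil
}

func main() {
	t := newTable("input", "log_and_check", "ssh")
	steps := []struct {
		chain string
		rule  Rule
	}{
		{"input", Rule{{Kind: "jump", Target: "log_and_check"}}},
		{"log_and_check", Rule{{Kind: "counter"}, {Kind: "goto", Target: "ssh"}}},
		{"ssh", Rule{{Kind: "jump", Target: "input"}}},     // input -> log_and_check -> ssh -> input
		{"input", Rule{{Kind: "jump", Target: "missing"}}}, // unknown target chain
	}
	for _, s := range steps {
		if err := t.registerRule(s.chain, s.rule, -1); err != nil {
			fmt.Printf("%-14s rejected: %v\n", s.chain, err)
			continue
		}
		fmt.Printf("%-14s accepted (%d rules)\n", s.chain, len(t.Chains[s.chain].Rules))
	}
}
```

The loop check is worth running before the rule is stored rather than after: a chain graph with a cycle would make packet evaluation spin forever, and rolling back a half-registered rule is harder than never registering it.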

func (*Chain) RuleCount

func (c *Chain) RuleCount() int

RuleCount returns the number of rules in the chain.

func (*Chain) SetBaseChainInfo

func (c *Chain) SetBaseChainInfo(info *BaseChainInfo) *syserr.AnnotatedError

SetBaseChainInfo attaches the specified chain to the netfilter pipeline (and detaches the chain from the pipeline if it was previously attached to a different hook) by setting the base chain info for the chain, returning an error if the base chain info is invalid.

func (*Chain) SetComment

func (c *Chain) SetComment(comment string)

SetComment sets the comment of the chain.

func (*Chain) SetFlags

func (c *Chain) SetFlags(flags uint8)

SetFlags sets the flags of the chain.

func (*Chain) SetName

func (c *Chain) SetName(name string) *syserr.AnnotatedError

SetName sets the name of the chain. This should only be called on a chain that is not yet attached to a table.

func (*Chain) SetUserData

func (c *Chain) SetUserData(data []byte)

SetUserData sets the user data of the chain.

func (*Chain) UnregisterRuleByIndex

func (c *Chain) UnregisterRuleByIndex(index int) (*Rule, *syserr.AnnotatedError)

UnregisterRuleByIndex removes the rule at the given index from the chain's rule list and unassigns the chain from the rule then returns the unregistered rule. Valid indices are -1 (pop) and [0, len-1]. Errors on invalid index. TODO: b/421437663 - Need to refactor or implement a function to remove by rule name.

type FamilyHookKey

type FamilyHookKey struct {
	Family stack.AddressFamily
	Hook   uint32
}

FamilyHookKey is a struct that represents a stack.AddressFamily and linux hook pair.

type HookInfo

type HookInfo struct {
	HookNum   uint32
	Priority  int32
	ChainType BaseChainType
}

HookInfo represents data retrieved from the NFTA_CHAIN_HOOK attribute.

type LogicError

type LogicError struct {
	// contains filtered or unexported fields
}

LogicError is an interpretation error from modifying the NFTables state.

func (*LogicError) Error

func (e *LogicError) Error() string

Error implements error interface for LogicError to return an error message.

type NFTables

type NFTables struct {
	Mu nfTablesRWMutex // Mutex for tableHandles.
	// contains filtered or unexported fields
}

NFTables represents the nftables state for all address families. Note: unlike iptables, nftables doesn't start with any initialized tables.

func NewNFTables

func NewNFTables(clock tcpip.Clock, rng rand.RNG) *NFTables

NewNFTables creates a new NFTables state object using the given clock for timing operations. Note: the random number generator is expected to have been seeded.

func (*NFTables) AddChain

func (nf *NFTables) AddChain(family stack.AddressFamily, tableName string, chainName string, info *BaseChainInfo, comment string, errorOnDuplicate bool) (*Chain, *syserr.AnnotatedError)

AddChain makes a new chain for the corresponding table and adds it to the chain map and hook function list, returning an error if the address family is invalid or the table doesn't exist. Can return an error if a chain by the same name already exists if errorOnDuplicate is true. Can be used to get an existing chain by the same name if errorOnDuplicate is false. Note: if the chain already exists, the existing chain is returned without any modifications. Note: if the chain is not a base chain, info should be nil.

func (*NFTables) AddTable

func (nf *NFTables) AddTable(family stack.AddressFamily, name string, errorOnDuplicate bool) (*Table, *syserr.AnnotatedError)

AddTable makes a new table for the specified address family, returning an error if the address family is invalid. Can return an error if a table by the same name already exists if errorOnDuplicate is true. Can be used to get an existing table by the same name if errorOnDuplicate is false. Note: if the table already exists, the existing table is returned without any modifications. Note: Table initialized as not dormant.

func (*NFTables) CheckEgress

func (nf *NFTables) CheckEgress(pkt *stack.PacketBuffer, af stack.AddressFamily) bool

CheckEgress checks at the Egress hook if the packet should continue traversing the stack.

func (*NFTables) CheckForward

func (nf *NFTables) CheckForward(pkt *stack.PacketBuffer, af stack.AddressFamily) bool

CheckForward checks at the Forward hook if the packet should continue traversing the stack.

func (*NFTables) CheckIngress

func (nf *NFTables) CheckIngress(pkt *stack.PacketBuffer, af stack.AddressFamily) bool

CheckIngress checks at the Ingress hook if the packet should continue traversing the stack.

func (*NFTables) CheckInput

func (nf *NFTables) CheckInput(pkt *stack.PacketBuffer, af stack.AddressFamily) bool

CheckInput checks at the Input hook if the packet should continue traversing the stack.

func (*NFTables) CheckOutput

func (nf *NFTables) CheckOutput(pkt *stack.PacketBuffer, af stack.AddressFamily) bool

CheckOutput checks at the Output hook if the packet should continue traversing the stack.

func (*NFTables) CheckPostrouting

func (nf *NFTables) CheckPostrouting(pkt *stack.PacketBuffer, af stack.AddressFamily) bool

CheckPostrouting checks at the Postrouting hook if the packet should continue traversing the stack.

func (*NFTables) CheckPrerouting

func (nf *NFTables) CheckPrerouting(pkt *stack.PacketBuffer, af stack.AddressFamily) bool

CheckPrerouting checks at the Prerouting hook if the packet should continue traversing the stack.

func (*NFTables) CreateChain

func (nf *NFTables) CreateChain(family stack.AddressFamily, tableName string, chainName string, info *BaseChainInfo, comment string) (*Chain, *syserr.AnnotatedError)

CreateChain makes a new chain for the corresponding table and adds it to the chain map and hook function list like AddChain but also returns an error if a chain by the same name already exists. Note: this interface mirrors the difference between the create and add commands within the nft binary.

func (*NFTables) CreateTable

func (nf *NFTables) CreateTable(family stack.AddressFamily, name string) (*Table, *syserr.AnnotatedError)

CreateTable makes a new table for the specified address family like AddTable but also returns an error if a table by the same name already exists. Note: this interface mirrors the difference between the create and add commands within the nft binary.

func (*NFTables) DeleteChain

func (nf *NFTables) DeleteChain(family stack.AddressFamily, tableName string, chainName string) (bool, *syserr.AnnotatedError)

DeleteChain deletes the specified chain from the NFTables object returning true if the chain was deleted and false if the chain doesn't exist. Returns an error if the address family is invalid or the table doesn't exist.

func (*NFTables) DeleteTable

func (nf *NFTables) DeleteTable(family stack.AddressFamily, tableName string) (bool, *syserr.AnnotatedError)

DeleteTable deletes the specified table from the NFTables object returning true if the table was deleted and false if the table doesn't exist. Returns an error if the address family is invalid.

func (*NFTables) EvaluateHook

func (nf *NFTables) EvaluateHook(family stack.AddressFamily, hook stack.NFHook, pkt *stack.PacketBuffer) (stack.NFVerdict, *syserr.AnnotatedError)

EvaluateHook evaluates a packet using the rules of the given hook for the given address family, returning a netfilter verdict and modifying the packet in place. Returns an error if address family or hook is invalid or they don't match. TODO(b/345684870): Consider removing error case if we never return an error.

func (*NFTables) Flush

func (nf *NFTables) Flush(attrs map[uint16]nlmsg.BytesView, owner uint32)

Flush clears the entire ruleset and all data for all address families, except for tables not owned by the given owner.

func (*NFTables) FlushAddressFamily

func (nf *NFTables) FlushAddressFamily(family stack.AddressFamily) *syserr.AnnotatedError

FlushAddressFamily clears ruleset and all data for the given address family, returning an error if the address family is invalid.

func (*NFTables) GetChain

func (nf *NFTables) GetChain(family stack.AddressFamily, tableName string, chainName string) (*Chain, *syserr.AnnotatedError)

GetChain validates the inputs and gets a chain if it exists, error otherwise.

func (*NFTables) GetTable

func (nf *NFTables) GetTable(family stack.AddressFamily, tableName string, portID uint32) (*Table, *syserr.AnnotatedError)

GetTable validates the inputs and gets a table if it exists, error otherwise.

func (*NFTables) GetTableByHandle

func (nf *NFTables) GetTableByHandle(family stack.AddressFamily, handle uint64, portID uint32) (*Table, *syserr.AnnotatedError)

GetTableByHandle validates the inputs and gets a table by its handle and family if it exists, error otherwise.

func (*NFTables) TableCount

func (nf *NFTables) TableCount() int

TableCount returns the number of tables in the NFTables object.

type Priority

type Priority struct {
	// contains filtered or unexported fields
}

Priority represents the priority of a base chain, which specifies the order in which base chains with the same hook are traversed. nftables allows two kinds of priority: 1) a plain signed integer value, or 2) a predefined standard priority name (implicitly mapped to a signed integer value). Base chains are traversed in ascending order, so lower priority values take precedence. Use NewIntPriority or NewStandardPriority to create Priority objects.

func NewIntPriority

func NewIntPriority(value int) Priority

NewIntPriority creates a new Priority object given a simple signed integer priority value.

func NewStandardPriority

func NewStandardPriority(name string, family stack.AddressFamily, hook stack.NFHook) (Priority, *syserr.AnnotatedError)

NewStandardPriority creates a new Priority object given a standard priority name, returning an error if the standard priority name is not compatible with the given address family and hook.

func (Priority) GetStandardPriorityName

func (p Priority) GetStandardPriorityName() string

GetStandardPriorityName returns the standard priority name for the Priority object. It panics if the priority is not a standard priority name.

func (Priority) GetValue

func (p Priority) GetValue() int

GetValue returns the priority value for the Priority object.

func (Priority) IsStandardPriority

func (p Priority) IsStandardPriority() bool

IsStandardPriority returns true if the priority is a standard priority name.

func (Priority) String

func (p Priority) String() string

String for Priority returns the string representation of the Priority object.
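The ordering that Priority and BaseChainInfo.PolicyDrop impose, and the bool the Check* functions return, as an added Go example that is not code from the package: standard priority names are resolved with the values and hook compatibility given in nft(8) for the ip, ip6 and inet families, base chains at a hook are traversed in ascending priority value, and a chain whose rules issue no verdict falls back to its policy. One assumption is stated in the code: an Accept ends only the current base chain and later base chains at the same hook still run, which is Linux nftables behaviour and is assumed here to be what EvaluateHook does. The types and function names (Hook, Priority, BaseChain, checkHook, buildRuleset) and the sample ruleset are the example's own.

```go
package main

import (
	"fmt"
	"sort"
)

// Hook is a netfilter hook point (ip/ip6/inet hooks only).
type Hook int

const (
	Prerouting Hook = iota
	Input
	Forward
	Output
	Postrouting
	anyHook Hook = -1 // a standard priority usable at every hook
)

// Priority is a signed value; Name is set when it came from a standard name.
type Priority struct {
	Value int
	Name  string
}

// Standard names for ip, ip6 and inet with the hook each is valid at, per
// nft(8). bridge and netdev use other values and are omitted here.
var standardPriorities = map[string]struct {
	value int
	hook  Hook
}{
	"raw": {-300, anyHook}, "mangle": {-150, anyHook}, "dstnat": {-100, Prerouting},
	"filter": {0, anyHook}, "security": {50, anyHook}, "srcnat": {100, Postrouting},
}

// newStandardPriority resolves a name and rejects it at a hook where nft
// would not accept it, e.g. srcnat on an input chain.
func newStandardPriority(name string, hook Hook) (Priority, error) {
	sp, ok := standardPriorities[name]
	if !ok {
		return Priority{}, fmt.Errorf("unknown standard priority %q", name)
	}
	if sp.hook != anyHook && sp.hook != hook {
		return Priority{}, fmt.Errorf("priority %q is not valid at hook %d", name, hook)
	}
	return Priority{Value: sp.value, Name: name}, nil
}

// Verdict is the outcome of a rule or of a whole chain.
type Verdict int

const (
	Continue Verdict = iota // rule did not match; keep evaluating
	Accept
	Drop
)

type Packet struct {
	SrcIP   string
	DstPort int
}

// BaseChain is a chain attached to a hook; PolicyDrop plays the role of
// BaseChainInfo.PolicyDrop and rules are plain functions.
type BaseChain struct {
	Name       string
	Hook       Hook
	Priority   Priority
	PolicyDrop bool
	Rules      []func(Packet) Verdict
}

// evaluate runs the rules in order; the first Accept or Drop wins, otherwise
// the chain policy (Accept unless PolicyDrop) decides.
func (c *BaseChain) evaluate(p Packet) Verdict {
	for _, r := range c.Rules {
		if v := r(p); v != Continue {
			return v
		}
	}
	if c.PolicyDrop {
		return Drop
	}
	return Accept
}

// checkHook stands in for the package's Check* functions: it reports whether
// the packet may continue and which chain dropped it. Base chains at the hook
// run in ascending priority value, and an Accept ends only the current base
// chain, so later base chains still run (Linux nftables semantics, assumed).
func checkHook(chains []*BaseChain, hook Hook, p Packet) (bool, string) {
	var active []*BaseChain
	for _, c := range chains {
		if c.Hook == hook {
			active = append(active, c)
		}
	}
	sort.SliceStable(active, func(i, j int) bool { return active[i].Priority.Value < active[j].Priority.Value })
	for _, c := range active {
		if c.evaluate(p) == Drop {
			return false, c.Name
		}
	}
	return true, ""
}

// buildRuleset is a constructed input pipeline, listed out of priority order:
// a filter chain (policy drop, SSH only) and an earlier raw chain that drops
// one source and accepts a trusted host. The trusted host's Accept does not
// bypass the filter chain's policy.
func buildRuleset() []*BaseChain {
	raw, _ := newStandardPriority("raw", Input)
	filter, _ := newStandardPriority("filter", Input)
	sshOnly := func(p Packet) Verdict {
		if p.DstPort == 22 {
			return Accept
		}
		return Continue
	}
	early := func(p Packet) Verdict {
		switch p.SrcIP {
		case "203.0.113.7":
			return Drop
		case "10.0.0.5":
			return Accept
		}
		return Continue
	}
	return []*BaseChain{
		{Name: "filter_in", Hook: Input, Priority: filter, PolicyDrop: true, Rules: []func(Packet) Verdict{sshOnly}},
		{Name: "early_in", Hook: Input, Priority: raw, Rules: []func(Packet) Verdict{early}},
	}
}

func main() {
	chains := buildRuleset()
	for _, p := range []Packet{{"10.0.0.5", 22}, {"10.0.0.5", 80}, {"203.0.113.7", 22}} {
		ok, by := checkHook(chains, Input, p)
		fmt.Printf("%s:%d continue=%v dropped_by=%q\n", p.SrcIP, p.DstPort, ok, by)
	}
	_, err := newStandardPriority("srcnat", Input)
	fmt.Println("error:", err)
}
```

The point of the constructed ruleset is the second packet: 10.0.0.5 is accepted by the raw-priority chain, yet its port 80 traffic is still dropped by the filter chain's policy, because an accept in one base chain is not a bypass of the base chains that follow it at the same hook.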

type Rule

type Rule struct {
	// contains filtered or unexported fields
}

Rule represents a single rule in a chain and is represented as a list of operations that are evaluated sequentially (on a packet). Rules must be registered to a chain to be used and evaluated, and rules that have been registered to a chain cannot be modified. Note: Empty rules should be created directly (via &Rule{}).

func InterpretRule

func InterpretRule(ruleString string) (*Rule, *syserr.AnnotatedError)

InterpretRule creates a new Rule from the given rule string, assumed to be a block of text with a single operation per line. Note: the rule string should be generated as output from the official nft binary (run nft with --debug=netlink).
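As an added illustration of the input format described for InterpretOperation and InterpretRule (this is example code written for this page, not the package's own interpreter), the following Go program parses a constructed rule block modelled on what nft --debug=netlink prints for a single rule, rejecting any line that is not enclosed in square brackets and reporting the offending line index in the way the lnIdx parameter suggests. The set of recognised expression names (knownKinds), the helper verdictOf and the sample block are assumptions made for the example; the package's supported operations are the ones listed in the index above.

```go
package main

import (
	"fmt"
	"strings"
)

// Operation is one line of an nft --debug=netlink rule dump after parsing:
// "[ cmp eq reg 1 0x0100007f ]" becomes Kind "cmp" with
// Args ["eq" "reg" "1" "0x0100007f"].
type Operation struct {
	Line int      // index of the line within the rule block
	Kind string   // expression name: payload, cmp, immediate, meta, ...
	Args []string // remaining whitespace-separated tokens, untouched
}

// SyntaxError carries the offending line index so a caller can point at the
// bad input (the example's own type, modelled on the package's SyntaxError).
type SyntaxError struct {
	Line int
	Msg  string
}

func (e *SyntaxError) Error() string { return fmt.Sprintf("line %d: %s", e.Line, e.Msg) }

// knownKinds is the set of expression names this example accepts. This is an
// assumption for the example, not the package's supported set.
var knownKinds = map[string]bool{
	"bitwise": true, "byteorder": true, "cmp": true, "counter": true,
	"immediate": true, "meta": true, "payload": true,
}

// parseOperation enforces the strict "[ ... ]" form: anything else is a
// syntax error rather than a best-effort guess.
func parseOperation(line string, lnIdx int) (Operation, error) {
	s := strings.TrimSpace(line)
	if len(s) < 4 || !strings.HasPrefix(s, "[ ") || !strings.HasSuffix(s, " ]") {
		return Operation{}, &SyntaxError{Line: lnIdx, Msg: "operation must be enclosed in \"[ \" and \" ]\""}
	}
	toks := strings.Fields(s[2 : len(s)-2])
	if len(toks) == 0 {
		return Operation{}, &SyntaxError{Line: lnIdx, Msg: "empty operation"}
	}
	if !knownKinds[toks[0]] {
		return Operation{}, &SyntaxError{Line: lnIdx, Msg: "unsupported expression " + toks[0]}
	}
	return Operation{Line: lnIdx, Kind: toks[0], Args: toks[1:]}, nil
}

// parseRule splits a rule block (one operation per line, blank lines
// ignored) into operations, stopping at the first malformed line.
func parseRule(block string) ([]Operation, error) {
	var ops []Operation
	for i, line := range strings.Split(block, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		op, err := parseOperation(line, i)
		if err != nil {
			return nil, err
		}
		ops = append(ops, op)
	}
	return ops, nil
}

// verdictOf returns the verdict a rule issues, if any. In nft's netlink dump
// the verdict is an immediate written to register 0 ("[ immediate reg 0 drop ]");
// a rule without one falls through to the next rule.
func verdictOf(ops []Operation) string {
	for _, op := range ops {
		if op.Kind == "immediate" && len(op.Args) == 3 && op.Args[0] == "reg" && op.Args[1] == "0" {
			return op.Args[2]
		}
	}
	return ""
}

// sampleRule is constructed for this example and modelled on the output of
//   nft --debug=netlink add rule ip filter input ip saddr 127.0.0.1 drop
// (127.0.0.1 appears as the little-endian 32-bit word 0x0100007f).
const sampleRule = `
[ payload load 4b @ network header + 12 => reg 1 ]
[ cmp eq reg 1 0x0100007f ]
[ immediate reg 0 drop ]
`

func main() {
	ops, err := parseRule(sampleRule)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, op := range ops {
		fmt.Printf("line %d: %-9s %v\n", op.Line, op.Kind, op.Args)
	}
	fmt.Println("verdict:", verdictOf(ops))

	// A line without brackets is rejected with its index, not silently skipped.
	_, err = parseRule("[ counter pkts 0 bytes 0 ]\ncmp eq reg 1 0x01\n")
	fmt.Println("error:", err)
}
```

Keeping the parser strict is the safer design for a packet filter: a lenient parser that guessed at a malformed line could silently install a rule that matches less (or more) than the operator intended.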

type SyntaxError

type SyntaxError struct {
	// contains filtered or unexported fields
}

SyntaxError is an interpretation error due to incorrect syntax.

func (*SyntaxError) Error

func (e *SyntaxError) Error() string

Error implements error interface for SyntaxError to return an error message.

type Table

type Table struct {
	// contains filtered or unexported fields
}

Table represents a single table as a collection of named chains. Note: since tables are simply collections of chains, evaluation is not done at the table level but at the chain and hook level.

func (*Table) AddChain

func (t *Table) AddChain(name string, info *BaseChainInfo, comment string, errorOnDuplicate bool) (*Chain, *syserr.AnnotatedError)

AddChain makes a new chain for the table. Can return an error if a chain by the same name already exists if errorOnDuplicate is true.

func (*Table) ChainCount

func (t *Table) ChainCount() int

ChainCount returns the number of chains in the table.

func (*Table) DeleteChain

func (t *Table) DeleteChain(name string) bool

DeleteChain deletes the specified chain from the table returning true if the chain was deleted and false if the chain doesn't exist.

func (*Table) GetAddressFamily

func (t *Table) GetAddressFamily() stack.AddressFamily

GetAddressFamily returns the address family of the table.

func (*Table) GetChain

func (t *Table) GetChain(chainName string) (*Chain, *syserr.AnnotatedError)

GetChain returns the chain with the specified name if it exists, error otherwise.

func (*Table) GetChainByHandle

func (t *Table) GetChainByHandle(chainHandle uint64) (*Chain, *syserr.AnnotatedError)

GetChainByHandle returns the chain with the specified handle if it exists, error otherwise.

func (*Table) GetHandle

func (t *Table) GetHandle() uint64

GetHandle returns the handle of the table.

func (*Table) GetLinuxFlagSet

func (t *Table) GetLinuxFlagSet() (uint32, *syserr.AnnotatedError)

GetLinuxFlagSet returns the flag set of the table. Although user flags map to uint8 space, internal flags could eventually be supported, which together map to a uint32 space.

func (*Table) GetLinuxUserFlagSet

func (t *Table) GetLinuxUserFlagSet() (uint8, *syserr.AnnotatedError)

GetLinuxUserFlagSet returns the user flag set of the table.

func (*Table) GetName

func (t *Table) GetName() string

GetName returns the name of the table.

func (*Table) GetOwner

func (t *Table) GetOwner() uint32

GetOwner returns the owner of the table.

func (*Table) GetUserData

func (t *Table) GetUserData() []byte

GetUserData returns the user data of the table.

func (*Table) HasOwner

func (t *Table) HasOwner() bool

HasOwner returns whether the table has an owner.

func (*Table) HasUserData

func (t *Table) HasUserData() bool

HasUserData returns whether the table has user data.

func (*Table) IsDormant

func (t *Table) IsDormant() bool

IsDormant returns whether the table is dormant.

func (*Table) SetDormant

func (t *Table) SetDormant(dormant bool)

SetDormant sets the dormant flag for the table.

func (*Table) SetOwner

func (t *Table) SetOwner(nlpid uint32) *syserr.AnnotatedError

SetOwner sets the owner of the table. If the table already has an owner, it is not updated.

func (*Table) SetUserData

func (t *Table) SetUserData(data []byte)

SetUserData sets the user data of the table.

type TableFlag

type TableFlag int

TableFlag is a flag for a table as supported by the nftables binary.

const (
	// TableFlagDormant is set if the table is dormant. Dormant tables are not
	// evaluated by the kernel.
	TableFlagDormant TableFlag = iota
	// TableFlagOwner is set if the table has an owner. The owner is the port
	// where the table is created.
	TableFlagOwner
)

type TableInfo

type TableInfo struct {
	Name   string
	Handle uint64
}

TableInfo represents data between an AFfilter and a Table.

Source Files

nft_bitwise.go nft_byteorder.go nft_comparison.go nft_counter.go nft_immediate.go nft_last.go nft_metaload.go nft_metaset.go nft_payload_load.go nft_payload_set.go nft_ranged.go nft_route.go nftables.go nftables_types.go nftinterp.go

Version
v0.0.0-20250731213340-6cadfa6c8fe1 (latest)
Published
Jul 31, 2025