From 264d012d81d210c6d949554667c6fbf8e330587a Mon Sep 17 00:00:00 2001 From: Kevin Krakauer Date: Fri, 3 May 2019 13:04:46 -0700 Subject: Add netfilter ABI for iptables support. Change-Id: Ifbd2abf63ea8062a89b83e948d3e9735480d8216 PiperOrigin-RevId: 246559904 --- pkg/abi/linux/BUILD | 1 + pkg/abi/linux/netfilter.go | 240 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 241 insertions(+) create mode 100644 pkg/abi/linux/netfilter.go (limited to 'pkg/abi') diff --git a/pkg/abi/linux/BUILD b/pkg/abi/linux/BUILD index 7648c9469..fdf193873 100644 --- a/pkg/abi/linux/BUILD +++ b/pkg/abi/linux/BUILD @@ -32,6 +32,7 @@ go_library( "linux.go", "mm.go", "netdevice.go", + "netfilter.go", "netlink.go", "netlink_route.go", "poll.go", diff --git a/pkg/abi/linux/netfilter.go b/pkg/abi/linux/netfilter.go new file mode 100644 index 000000000..7f399142b --- /dev/null +++ b/pkg/abi/linux/netfilter.go @@ -0,0 +1,240 @@ +// Copyright 2019 The gVisor Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package linux + +// This file contains structures required to support netfilter, specifically +// the iptables tool. + +// Hooks into the network stack. These correspond to values in +// include/uapi/linux/netfilter.h. +const ( + NF_INET_PRE_ROUTING = 0 + NF_INET_LOCAL_IN = 1 + NF_INET_FORWARD = 2 + NF_INET_LOCAL_OUT = 3 + NF_INET_POST_ROUTING = 4 + NF_INET_NUMHOOKS = 5 +) + +// Verdicts that can be returned by targets. These correspond to values in +// include/uapi/linux/netfilter.h +const ( + NF_DROP = 0 + NF_ACCEPT = 1 + NF_STOLEN = 2 + NF_QUEUE = 3 + NF_REPEAT = 4 + NF_STOP = 5 + NF_MAX_VERDICT = NF_STOP + // NF_RETURN is defined in include/uapi/linux/netfilter/x_tables.h. + NF_RETURN = -NF_REPEAT - 1 +) + +// Socket options. These correspond to values in +// include/uapi/linux/netfilter_ipv4/ip_tables.h. +const ( + IPT_BASE_CTL = 64 + IPT_SO_SET_REPLACE = IPT_BASE_CTL + IPT_SO_SET_ADD_COUNTERS = IPT_BASE_CTL + 1 + IPT_SO_SET_MAX = IPT_SO_SET_ADD_COUNTERS + + IPT_SO_GET_INFO = IPT_BASE_CTL + IPT_SO_GET_ENTRIES = IPT_BASE_CTL + 1 + IPT_SO_GET_REVISION_MATCH = IPT_BASE_CTL + 2 + IPT_SO_GET_REVISION_TARGET = IPT_BASE_CTL + 3 + IPT_SO_GET_MAX = IPT_SO_GET_REVISION_TARGET +) + +// Name lengths. These correspond to values in +// include/uapi/linux/netfilter/x_tables.h. +const ( + XT_FUNCTION_MAXNAMELEN = 30 + XT_EXTENSION_MAXNAMELEN = 29 + XT_TABLE_MAXNAMELEN = 32 +) + +// IPTEntry is an iptable rule. It corresponds to struct ipt_entry in +// include/uapi/linux/netfilter_ipv4/ip_tables.h. +type IPTEntry struct { + // IP is used to filter packets based on the IP header. + IP IPTIP + + // NFCache relates to kernel-internal caching and isn't used by + // userspace. + NFCache uint32 + + // TargetOffset is the byte offset from the beginning of this IPTEntry + // to the start of the entry's target. + TargetOffset uint16 + + // NextOffset is the byte offset from the beginning of this IPTEntry to + // the start of the next entry. It is thus also the size of the entry. + NextOffset uint16 + + // Comeback is a return pointer. It is not used by userspace. + Comeback uint32 + + // Counters holds the packet and byte counts for this rule. + Counters XTCounters + + // Elems holds the data for all this rule's matches followed by the + // target. It is variable length -- users have to iterate over any + // matches and use TargetOffset and NextOffset to make sense of the + // data. + // + // Elems is omitted here because it would cause IPTEntry to be an extra + // byte larger (see http://www.catb.org/esr/structure-packing/). + // + // Elems [0]byte +} + +// IPTIP contains information for matching a packet's IP header. +// It corresponds to struct ipt_ip in +// include/uapi/linux/netfilter_ipv4/ip_tables.h. +type IPTIP struct { + // Src is the source IP address. + Src InetAddr + + // Dst is the destination IP address. + Dst InetAddr + + // SrcMask is the source IP mask. + SrcMask InetAddr + + // DstMask is the destination IP mask. + DstMask InetAddr + + // InputInterface is the input network interface. + InputInterface [IFNAMSIZ]byte + + // OutputInterface is the output network interface. + OutputInterface [IFNAMSIZ]byte + + // InputInterfaceMask is the intput interface mask. + InputInterfaceMast [IFNAMSIZ]byte + + // OuputInterfaceMask is the output interface mask. + OuputInterfaceMask [IFNAMSIZ]byte + + // Protocol is the transport protocol. + Protocol uint16 + + // Flags define matching behavior for the IP header. + Flags uint8 + + // InverseFlags invert the meaning of fields in struct IPTIP. + InverseFlags uint8 +} + +// XTCounters holds packet and byte counts for a rule. It corresponds to struct +// xt_counters in include/uapi/linux/netfilter/x_tables.h. +type XTCounters struct { + // Pcnt is the packet count. + Pcnt uint64 + + // Bcnt is the byte count. + Bcnt uint64 +} + +// XTEntryMatch holds a match for a rule. For example, a user using the +// addrtype iptables match extension would put the data for that match into an +// XTEntryMatch. iptables-extensions(8) has a list of possible matches. +// +// XTEntryMatch corresponds to struct xt_entry_match in +// include/uapi/linux/netfilter/x_tables.h. That struct contains a union +// exposing different data to the user and kernel, but this struct holds only +// the user data. +type XTEntryMatch struct { + MatchSize uint16 + Name [XT_EXTENSION_MAXNAMELEN]byte + Revision uint8 + // Data is omitted here because it would cause XTEntryTarget to be an + // extra byte larger (see http://www.catb.org/esr/structure-packing/). + // Data [0]byte +} + +// XTEntryTarget holds a target for a rule. For example, it can specify that +// packets matching the rule should DROP, ACCEPT, or use an extension target. +// iptables-extension(8) has a list of possible targets. +// +// XTEntryTarget corresponds to struct xt_entry_target in +// include/uapi/linux/netfilter/x_tables.h. That struct contains a union +// exposing different data to the user and kernel, but this struct holds only +// the user data. +type XTEntryTarget struct { + MatchSize uint16 + Name [XT_EXTENSION_MAXNAMELEN]byte + Revision uint8 + // Data is omitted here because it would cause XTEntryTarget to be an + // extra byte larger (see http://www.catb.org/esr/structure-packing/). + // Data [0]byte +} + +// XTStandardTarget is a builtin target, one of ACCEPT, DROP, JUMP, QUEUE, or +// RETURN. It corresponds to struct xt_standard_target in +// include/uapi/linux/netfilter/x_tables.h. +type XTStandardTarget struct { + Target XTEntryTarget + Verdict int32 +} + +// XTErrorTarget triggers an error when reached. It is also used to mark the +// beginning of user-defined chains by putting the name of the chain in +// ErrorName. It corresponds to struct xt_error_target in +// include/uapi/linux/netfilter/x_tables.h. +type XTErrorTarget struct { + Target XTEntryTarget + ErrorName [XT_FUNCTION_MAXNAMELEN]byte +} + +// IPTGetinfo is the argument for the IPT_SO_GET_INFO sockopt. It corresponds +// to struct ipt_getinfo in include/uapi/linux/netfilter_ipv4/ip_tables.h. +type IPTGetinfo struct { + Name [XT_TABLE_MAXNAMELEN]byte + ValidHooks uint32 + HookEntry [NF_INET_NUMHOOKS]uint32 + Underflow [NF_INET_NUMHOOKS]uint32 + NumEntries uint32 + Size uint32 +} + +// IPTGetEntries is the argument for the IPT_SO_GET_ENTRIES sockopt. It +// corresponds to struct ipt_get_entries in +// include/uapi/linux/netfilter_ipv4/ip_tables.h. +type IPTGetEntries struct { + Name [XT_TABLE_MAXNAMELEN]byte + Size uint32 + // Entrytable is omitted here because it would cause IPTGetEntries to + // be an extra byte longer (see + // http://www.catb.org/esr/structure-packing/). + // Entrytable [0]IPTEntry +} + +// IPTReplace is the argument for the IPT_SO_SET_REPLACE sockopt. It +// corresponds to struct ipt_replace in +// include/uapi/linux/netfilter_ipv4/ip_tables.h. +type IPTReplace struct { + Name [XT_TABLE_MAXNAMELEN]byte + ValidHooks uint32 + NumEntries uint32 + Size uint32 + HookEntry [NF_INET_NUMHOOKS]uint32 + Underflow [NF_INET_NUMHOOKS]uint32 + NumCounters uint32 + Counters *XTCounters + // Entries is omitted here because it would cause IPTReplace to be an + // extra byte longer (see http://www.catb.org/esr/structure-packing/). + // Entries [0]IPTEntry +} -- cgit v1.2.3