stateless nat
This commit is contained in:
Alexis PIRES
parent
bf1de82879
commit
33734fa169
|
|
@ -22,7 +22,6 @@ import (
|
|||
type Notrack struct{}
|
||||
|
||||
func (e *Notrack) marshal() ([]byte, error) {
|
||||
|
||||
return netlink.MarshalAttributes([]netlink.Attribute{
|
||||
{Type: unix.NFTA_EXPR_NAME, Data: []byte("notrack\x00")},
|
||||
})
|
||||
|
|
|
|||
|
|
@ -23,6 +23,7 @@ import (
|
|||
)
|
||||
|
||||
type PayloadBase uint32
|
||||
type PayloadCsumType uint32
|
||||
|
||||
// Possible PayloadBase values.
|
||||
const (
|
||||
|
|
@ -31,20 +32,57 @@ const (
|
|||
PayloadBaseTransportHeader PayloadBase = unix.NFT_PAYLOAD_TRANSPORT_HEADER
|
||||
)
|
||||
|
||||
// Possible PayloadCsumType values.
|
||||
const (
|
||||
CsumTypeNone PayloadCsumType = unix.NFT_PAYLOAD_CSUM_NONE
|
||||
CsumTypeInet PayloadCsumType = unix.NFT_PAYLOAD_CSUM_INET
|
||||
)
|
||||
|
||||
type Payload struct {
|
||||
DestRegister uint32
|
||||
SourceRegister uint32
|
||||
Base PayloadBase
|
||||
Offset uint32
|
||||
Len uint32
|
||||
CsumType PayloadCsumType
|
||||
CsumOffset uint32
|
||||
CsumFlags uint32
|
||||
}
|
||||
|
||||
func (e *Payload) marshal() ([]byte, error) {
|
||||
data, err := netlink.MarshalAttributes([]netlink.Attribute{
|
||||
|
||||
var attrs []netlink.Attribute
|
||||
|
||||
if e.SourceRegister > 0 {
|
||||
attrs = []netlink.Attribute{
|
||||
{Type: unix.NFTA_PAYLOAD_SREG, Data: binaryutil.BigEndian.PutUint32(e.SourceRegister)},
|
||||
}
|
||||
} else {
|
||||
attrs = []netlink.Attribute{
|
||||
{Type: unix.NFTA_PAYLOAD_DREG, Data: binaryutil.BigEndian.PutUint32(e.DestRegister)},
|
||||
{Type: unix.NFTA_PAYLOAD_BASE, Data: binaryutil.BigEndian.PutUint32(uint32(e.Base))},
|
||||
{Type: unix.NFTA_PAYLOAD_OFFSET, Data: binaryutil.BigEndian.PutUint32(e.Offset)},
|
||||
{Type: unix.NFTA_PAYLOAD_LEN, Data: binaryutil.BigEndian.PutUint32(e.Len)},
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
attrs = append(attrs,
|
||||
netlink.Attribute{Type: unix.NFTA_PAYLOAD_BASE, Data: binaryutil.BigEndian.PutUint32(uint32(e.Base))},
|
||||
netlink.Attribute{Type: unix.NFTA_PAYLOAD_OFFSET, Data: binaryutil.BigEndian.PutUint32(e.Offset)},
|
||||
netlink.Attribute{Type: unix.NFTA_PAYLOAD_LEN, Data: binaryutil.BigEndian.PutUint32(e.Len)},
|
||||
)
|
||||
|
||||
if e.CsumType > 0 {
|
||||
attrs = append(attrs,
|
||||
netlink.Attribute{Type: unix.NFTA_PAYLOAD_CSUM_TYPE, Data: binaryutil.BigEndian.PutUint32(uint32(e.CsumType))},
|
||||
netlink.Attribute{Type: unix.NFTA_PAYLOAD_CSUM_OFFSET, Data: binaryutil.BigEndian.PutUint32(uint32(e.CsumOffset))},
|
||||
)
|
||||
if e.CsumFlags > 0 {
|
||||
attrs = append(attrs,
|
||||
netlink.Attribute{Type: unix.NFTA_PAYLOAD_CSUM_FLAGS, Data: binaryutil.BigEndian.PutUint32(e.CsumFlags)},
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
data, err := netlink.MarshalAttributes(attrs)
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
@ -64,12 +102,20 @@ func (e *Payload) unmarshal(data []byte) error {
|
|||
switch ad.Type() {
|
||||
case unix.NFTA_PAYLOAD_DREG:
|
||||
e.DestRegister = ad.Uint32()
|
||||
case unix.NFTA_PAYLOAD_SREG:
|
||||
e.SourceRegister = ad.Uint32()
|
||||
case unix.NFTA_PAYLOAD_BASE:
|
||||
e.Base = PayloadBase(ad.Uint32())
|
||||
case unix.NFTA_PAYLOAD_OFFSET:
|
||||
e.Offset = ad.Uint32()
|
||||
case unix.NFTA_PAYLOAD_LEN:
|
||||
e.Len = ad.Uint32()
|
||||
case unix.NFTA_PAYLOAD_CSUM_TYPE:
|
||||
e.CsumType = PayloadCsumType(ad.Uint32())
|
||||
case unix.NFTA_PAYLOAD_CSUM_OFFSET:
|
||||
e.CsumOffset = ad.Uint32()
|
||||
case unix.NFTA_PAYLOAD_CSUM_FLAGS:
|
||||
e.CsumFlags = ad.Uint32()
|
||||
}
|
||||
}
|
||||
return ad.Err()
|
||||
|
|
|
|||
|
|
@ -3891,3 +3891,91 @@ func TestNotrack(t *testing.T) {
|
|||
t.Fatal(err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestStatelessNAT(t *testing.T) {
|
||||
// The want byte sequences come from stracing nft(8), e.g.:
|
||||
// strace -f -v -x -s 2048 -eraw=sendto nft add rule filter prerouting mark set jhash ip saddr mod 2
|
||||
//
|
||||
// The nft(8) command sequence was taken from:
|
||||
// https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Tcp
|
||||
want := [][]byte{
|
||||
// batch begin
|
||||
[]byte("\x00\x00\x00\x0a"),
|
||||
// nft flush ruleset
|
||||
[]byte("\x00\x00\x00\x00"),
|
||||
// nft add table ip filter
|
||||
[]byte("\x02\x00\x00\x00\x0b\x00\x01\x00\x66\x69\x6c\x74\x65\x72\x00\x00\x08\x00\x02\x00\x00\x00\x00\x00"),
|
||||
// nft add chain ip filter base-chain { type filter hook prerouting priority 0 \; }
|
||||
[]byte("\x02\x00\x00\x00\x0b\x00\x01\x00\x66\x69\x6c\x74\x65\x72\x00\x00\x0f\x00\x03\x00\x62\x61\x73\x65\x2d\x63\x68\x61\x69\x6e\x00\x00\x14\x00\x04\x80\x08\x00\x01\x00\x00\x00\x00\x00\x08\x00\x02\x00\x00\x00\x00\x00\x0b\x00\x07\x00\x66\x69\x6c\x74\x65\x72\x00\x00"),
|
||||
// nft add rule ip filter base-chain ip daddr set 192.168.1.1 notrack
|
||||
[]byte("\x02\x00\x00\x00\x0b\x00\x01\x00\x66\x69\x6c\x74\x65\x72\x00\x00\x0f\x00\x02\x00\x62\x61\x73\x65\x2d\x63\x68\x61\x69\x6e\x00\x00\x8c\x00\x04\x80\x2c\x00\x01\x80\x0e\x00\x01\x00\x69\x6d\x6d\x65\x64\x69\x61\x74\x65\x00\x00\x00\x18\x00\x02\x80\x08\x00\x01\x00\x00\x00\x00\x01\x0c\x00\x02\x80\x08\x00\x01\x00\xc0\xa8\x01\x01\x4c\x00\x01\x80\x0c\x00\x01\x00\x70\x61\x79\x6c\x6f\x61\x64\x00\x3c\x00\x02\x80\x08\x00\x05\x00\x00\x00\x00\x01\x08\x00\x02\x00\x00\x00\x00\x01\x08\x00\x03\x00\x00\x00\x00\x10\x08\x00\x04\x00\x00\x00\x00\x04\x08\x00\x06\x00\x00\x00\x00\x01\x08\x00\x07\x00\x00\x00\x00\x0a\x08\x00\x08\x00\x00\x00\x00\x01\x10\x00\x01\x80\x0c\x00\x01\x00\x6e\x6f\x74\x72\x61\x63\x6b\x00"),
|
||||
// batch end
|
||||
[]byte("\x00\x00\x00\x0a"),
|
||||
}
|
||||
|
||||
c := &nftables.Conn{
|
||||
TestDial: func(req []netlink.Message) ([]netlink.Message, error) {
|
||||
for idx, msg := range req {
|
||||
b, err := msg.MarshalBinary()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if len(b) < 16 {
|
||||
continue
|
||||
}
|
||||
b = b[16:]
|
||||
if len(want) == 0 {
|
||||
t.Errorf("no want entry for message %d: %x", idx, b)
|
||||
continue
|
||||
}
|
||||
if got, want := b, want[0]; !bytes.Equal(got, want) {
|
||||
t.Errorf("message %d: %s", idx, linediff(nfdump(got), nfdump(want)))
|
||||
}
|
||||
want = want[1:]
|
||||
}
|
||||
return req, nil
|
||||
},
|
||||
}
|
||||
|
||||
c.FlushRuleset()
|
||||
|
||||
filter := c.AddTable(&nftables.Table{
|
||||
Family: nftables.TableFamilyIPv4,
|
||||
Name: "filter",
|
||||
})
|
||||
|
||||
forward := c.AddChain(&nftables.Chain{
|
||||
Name: "base-chain",
|
||||
Table: filter,
|
||||
Type: nftables.ChainTypeFilter,
|
||||
Hooknum: nftables.ChainHookPrerouting,
|
||||
Priority: nftables.ChainPriorityFilter,
|
||||
})
|
||||
|
||||
c.AddRule(&nftables.Rule{
|
||||
Table: filter,
|
||||
Chain: forward,
|
||||
Exprs: []expr.Any{
|
||||
&expr.Immediate{
|
||||
Register: 1,
|
||||
Data: net.ParseIP("192.168.1.1").To4(),
|
||||
},
|
||||
// [ payload write reg 1 => 4b @ network header + 16 csum_type 1 csum_off 10 csum_flags 0x1 ]
|
||||
&expr.Payload{
|
||||
SourceRegister: 1,
|
||||
Base: expr.PayloadBaseNetworkHeader,
|
||||
Offset: 16,
|
||||
Len: 4,
|
||||
CsumType: expr.CsumTypeInet,
|
||||
CsumOffset: 10,
|
||||
CsumFlags: unix.NFT_PAYLOAD_L4CSUM_PSEUDOHDR,
|
||||
},
|
||||
// [ notrack ]
|
||||
&expr.Notrack{},
|
||||
},
|
||||
})
|
||||
|
||||
if err := c.Flush(); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue