Add address field for expr tproxy (#231)
* Add address field for expr tproxy Signed-off-by: black-desk <me@black-desk.cn> Co-authored-by: MrRedhat <Redhatminzhe@Gmail.com>
This commit is contained in:
black-desk
GitHub
parent
8f2d395e10
commit
8a10f68900
|
|
@ -25,22 +25,34 @@ import (
|
|||
const (
|
||||
// NFTA_TPROXY_FAMILY defines attribute for a table family
|
||||
NFTA_TPROXY_FAMILY = 0x01
|
||||
// NFTA_TPROXY_REG defines attribute for a register carrying redirection port value
|
||||
NFTA_TPROXY_REG = 0x03
|
||||
// NFTA_TPROXY_REG_ADDR defines attribute for a register carrying redirection address value
|
||||
NFTA_TPROXY_REG_ADDR = 0x02
|
||||
// NFTA_TPROXY_REG_PORT defines attribute for a register carrying redirection port value
|
||||
NFTA_TPROXY_REG_PORT = 0x03
|
||||
)
|
||||
|
||||
// TProxy defines struct with parameters for the transparent proxy
|
||||
type TProxy struct {
|
||||
Family byte
|
||||
TableFamily byte
|
||||
RegAddr uint32
|
||||
RegPort uint32
|
||||
}
|
||||
|
||||
func (e *TProxy) marshal(fam byte) ([]byte, error) {
|
||||
data, err := netlink.MarshalAttributes([]netlink.Attribute{
|
||||
attrs := []netlink.Attribute{
|
||||
{Type: NFTA_TPROXY_FAMILY, Data: binaryutil.BigEndian.PutUint32(uint32(e.Family))},
|
||||
{Type: NFTA_TPROXY_REG, Data: binaryutil.BigEndian.PutUint32(e.RegPort)},
|
||||
})
|
||||
{Type: NFTA_TPROXY_REG_PORT, Data: binaryutil.BigEndian.PutUint32(e.RegPort)},
|
||||
}
|
||||
|
||||
if e.RegAddr != 0 {
|
||||
attrs = append(attrs, netlink.Attribute{
|
||||
Type: NFTA_TPROXY_REG_ADDR,
|
||||
Data: binaryutil.BigEndian.PutUint32(e.RegAddr),
|
||||
})
|
||||
}
|
||||
|
||||
data, err := netlink.MarshalAttributes(attrs)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
@ -60,8 +72,10 @@ func (e *TProxy) unmarshal(fam byte, data []byte) error {
|
|||
switch ad.Type() {
|
||||
case NFTA_TPROXY_FAMILY:
|
||||
e.Family = ad.Uint8()
|
||||
case NFTA_TPROXY_REG:
|
||||
case NFTA_TPROXY_REG_PORT:
|
||||
e.RegPort = ad.Uint32()
|
||||
case NFTA_TPROXY_REG_ADDR:
|
||||
e.RegAddr = ad.Uint32()
|
||||
}
|
||||
}
|
||||
return ad.Err()
|
||||
|
|
|
|||
|
|
@ -1206,6 +1206,74 @@ func TestTProxy(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestTProxyWithAddrField(t *testing.T) {
|
||||
want := [][]byte{
|
||||
// batch begin
|
||||
[]byte("\x00\x00\x00\x0a"),
|
||||
// nft add rule filter divert ip protocol tcp tproxy to 10.10.72.1:50080
|
||||
[]byte("\x02\x00\x00\x00\x0b\x00\x01\x00\x66\x69\x6c\x74\x65\x72\x00\x00\x0b\x00\x02\x00\x64\x69\x76\x65\x72\x74\x00\x00\xe8\x00\x04\x80\x34\x00\x01\x80\x0c\x00\x01\x00\x70\x61\x79\x6c\x6f\x61\x64\x00\x24\x00\x02\x80\x08\x00\x01\x00\x00\x00\x00\x01\x08\x00\x02\x00\x00\x00\x00\x01\x08\x00\x03\x00\x00\x00\x00\x09\x08\x00\x04\x00\x00\x00\x00\x01\x2c\x00\x01\x80\x08\x00\x01\x00\x63\x6d\x70\x00\x20\x00\x02\x80\x08\x00\x01\x00\x00\x00\x00\x01\x08\x00\x02\x00\x00\x00\x00\x00\x0c\x00\x03\x80\x05\x00\x01\x00\x06\x00\x00\x00\x2c\x00\x01\x80\x0e\x00\x01\x00\x69\x6d\x6d\x65\x64\x69\x61\x74\x65\x00\x00\x00\x18\x00\x02\x80\x08\x00\x01\x00\x00\x00\x00\x01\x0c\x00\x02\x80\x08\x00\x01\x00\x0a\x0a\x48\x01\x2c\x00\x01\x80\x0e\x00\x01\x00\x69\x6d\x6d\x65\x64\x69\x61\x74\x65\x00\x00\x00\x18\x00\x02\x80\x08\x00\x01\x00\x00\x00\x00\x02\x0c\x00\x02\x80\x06\x00\x01\x00\xc3\xa0\x00\x00\x2c\x00\x01\x80\x0b\x00\x01\x00\x74\x70\x72\x6f\x78\x79\x00\x00\x1c\x00\x02\x80\x08\x00\x01\x00\x00\x00\x00\x02\x08\x00\x03\x00\x00\x00\x00\x02\x08\x00\x02\x00\x00\x00\x00\x01"),
|
||||
// batch end
|
||||
[]byte("\x00\x00\x00\x0a"),
|
||||
}
|
||||
|
||||
c, err := nftables.New(nftables.WithTestDial(
|
||||
func(req []netlink.Message) ([]netlink.Message, error) {
|
||||
for idx, msg := range req {
|
||||
b, err := msg.MarshalBinary()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if len(b) < 16 {
|
||||
continue
|
||||
}
|
||||
b = b[16:]
|
||||
if len(want) == 0 {
|
||||
t.Errorf("no want entry for message %d: %x", idx, b)
|
||||
continue
|
||||
}
|
||||
if got, want := b, want[0]; !bytes.Equal(got, want) {
|
||||
t.Errorf("message %d: %s", idx, linediff(nfdump(got), nfdump(want)))
|
||||
}
|
||||
want = want[1:]
|
||||
}
|
||||
return req, nil
|
||||
}))
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
c.AddRule(&nftables.Rule{
|
||||
Table: &nftables.Table{Name: "filter", Family: nftables.TableFamilyIPv4},
|
||||
Chain: &nftables.Chain{
|
||||
Name: "divert",
|
||||
Type: nftables.ChainTypeFilter,
|
||||
Hooknum: nftables.ChainHookPrerouting,
|
||||
Priority: nftables.ChainPriorityRef(-150),
|
||||
},
|
||||
Exprs: []expr.Any{
|
||||
// [ payload load 1b @ network header + 9 => reg 1 ]
|
||||
&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 9, Len: 1},
|
||||
// [ cmp eq reg 1 0x00000006 ]
|
||||
&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{unix.IPPROTO_TCP}},
|
||||
// [ immediate reg 1 0x01480a0a ]
|
||||
&expr.Immediate{Register: 1, Data: []byte("\x0a\x0a\x48\x01")},
|
||||
// [ immediate reg 2 0x0000a0c3 ]
|
||||
&expr.Immediate{Register: 2, Data: binaryutil.BigEndian.PutUint16(50080)},
|
||||
// [ tproxy ip addr reg 1 port reg 2 ]
|
||||
&expr.TProxy{
|
||||
Family: byte(nftables.TableFamilyIPv4),
|
||||
TableFamily: byte(nftables.TableFamilyIPv4),
|
||||
RegAddr: 1,
|
||||
RegPort: 2,
|
||||
},
|
||||
},
|
||||
})
|
||||
|
||||
if err := c.Flush(); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestCt(t *testing.T) {
|
||||
want := [][]byte{
|
||||
// batch begin
|
||||
|
|
|
|||
Loading…
Reference in New Issue