nftables/expr/ct.go

// Copyright 2018 Google LLC. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package expr

import (
	"encoding/binary"

	"github.com/google/nftables/binaryutil"
	"github.com/mdlayher/netlink"
	"golang.org/x/sys/unix"
)

// CtKey specifies which piece of conntrack information should be loaded. See
// also https://wiki.nftables.org/wiki-nftables/index.php/Matching_connection_tracking_stateful_metainformation
type CtKey uint32

// Possible CtKey values.
const (
	CtKeySTATE      CtKey = unix.NFT_CT_STATE
	CtKeyDIRECTION  CtKey = unix.NFT_CT_DIRECTION
	CtKeySTATUS     CtKey = unix.NFT_CT_STATUS
	CtKeyMARK       CtKey = unix.NFT_CT_MARK
	CtKeySECMARK    CtKey = unix.NFT_CT_SECMARK
	CtKeyEXPIRATION CtKey = unix.NFT_CT_EXPIRATION
	CtKeyHELPER     CtKey = unix.NFT_CT_HELPER
	CtKeyL3PROTOCOL CtKey = unix.NFT_CT_L3PROTOCOL
	CtKeySRC        CtKey = unix.NFT_CT_SRC
	CtKeyDST        CtKey = unix.NFT_CT_DST
	CtKeyPROTOCOL   CtKey = unix.NFT_CT_PROTOCOL
	CtKeyPROTOSRC   CtKey = unix.NFT_CT_PROTO_SRC
	CtKeyPROTODST   CtKey = unix.NFT_CT_PROTO_DST
	CtKeyLABELS     CtKey = unix.NFT_CT_LABELS
	CtKeyPKTS       CtKey = unix.NFT_CT_PKTS
	CtKeyBYTES      CtKey = unix.NFT_CT_BYTES
	CtKeyAVGPKT     CtKey = unix.NFT_CT_AVGPKT
	CtKeyZONE       CtKey = unix.NFT_CT_ZONE
	CtKeyEVENTMASK  CtKey = unix.NFT_CT_EVENTMASK

	// https://sources.debian.org/src//nftables/0.9.8-3/src/ct.c/?hl=39#L39
	CtStateBitINVALID     uint32 = 1
	CtStateBitESTABLISHED uint32 = 2
	CtStateBitRELATED     uint32 = 4
	CtStateBitNEW         uint32 = 8
	CtStateBitUNTRACKED   uint32 = 64
)

// Missing ct timeout consts
// https://git.netfilter.org/libnftnl/tree/include/linux/netfilter/nf_tables.h?id=be0bae0ad31b0adb506f96de083f52a2bd0d4fbf#n1592
const (
	NFTA_CT_TIMEOUT_L3PROTO = 0x01
	NFTA_CT_TIMEOUT_L4PROTO = 0x02
	NFTA_CT_TIMEOUT_DATA    = 0x03
)

type CtStatePolicyTimeout map[uint16]uint32

const (
	// https://git.netfilter.org/libnftnl/tree/src/obj/ct_timeout.c?id=116e95aa7b6358c917de8c69f6f173874030b46b#n24
	CtStateTCPSYNSENT = iota
	CtStateTCPSYNRECV
	CtStateTCPESTABLISHED
	CtStateTCPFINWAIT
	CtStateTCPCLOSEWAIT
	CtStateTCPLASTACK
	CtStateTCPTIMEWAIT
	CtStateTCPCLOSE
	CtStateTCPSYNSENT2
	CtStateTCPRETRANS
	CtStateTCPUNACK
)

// https://git.netfilter.org/libnftnl/tree/src/obj/ct_timeout.c?id=116e95aa7b6358c917de8c69f6f173874030b46b#n38
var CtStateTCPTimeoutDefaults CtStatePolicyTimeout = map[uint16]uint32{
	CtStateTCPSYNSENT:     120,
	CtStateTCPSYNRECV:     60,
	CtStateTCPESTABLISHED: 43200,
	CtStateTCPFINWAIT:     120,
	CtStateTCPCLOSEWAIT:   60,
	CtStateTCPLASTACK:     30,
	CtStateTCPTIMEWAIT:    120,
	CtStateTCPCLOSE:       10,
	CtStateTCPSYNSENT2:    120,
	CtStateTCPRETRANS:     300,
	CtStateTCPUNACK:       300,
}

const (
	// https://git.netfilter.org/libnftnl/tree/src/obj/ct_timeout.c?id=116e95aa7b6358c917de8c69f6f173874030b46b#n57
	CtStateUDPUNREPLIED = iota
	CtStateUDPREPLIED
)

// https://git.netfilter.org/libnftnl/tree/src/obj/ct_timeout.c?id=116e95aa7b6358c917de8c69f6f173874030b46b#n57
var CtStateUDPTimeoutDefaults CtStatePolicyTimeout = map[uint16]uint32{
	CtStateUDPUNREPLIED: 30,
	CtStateUDPREPLIED:   180,
}

// Ct defines type for NFT connection tracking
type Ct struct {
	Register       uint32
	SourceRegister bool
	Key            CtKey
	Direction      uint32
}

func (e *Ct) marshal(fam byte) ([]byte, error) {
	exprData, err := e.marshalData(fam)
	if err != nil {
		return nil, err
	}

	return netlink.MarshalAttributes([]netlink.Attribute{
		{Type: unix.NFTA_EXPR_NAME, Data: []byte("ct\x00")},
		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: exprData},
	})
}

func (e *Ct) marshalData(fam byte) ([]byte, error) {
	var regData []byte
	exprData, err := netlink.MarshalAttributes(
		[]netlink.Attribute{
			{Type: unix.NFTA_CT_KEY, Data: binaryutil.BigEndian.PutUint32(uint32(e.Key))},
		},
	)
	if err != nil {
		return nil, err
	}
	if e.SourceRegister {
		regData, err = netlink.MarshalAttributes(
			[]netlink.Attribute{
				{Type: unix.NFTA_CT_SREG, Data: binaryutil.BigEndian.PutUint32(e.Register)},
			},
		)
	} else {
		regData, err = netlink.MarshalAttributes(
			[]netlink.Attribute{
				{Type: unix.NFTA_CT_DREG, Data: binaryutil.BigEndian.PutUint32(e.Register)},
			},
		)
	}
	if err != nil {
		return nil, err
	}
	exprData = append(exprData, regData...)

	switch e.Key {
	case CtKeySRC, CtKeyDST, CtKeyPROTOSRC, CtKeyPROTODST:
		regData, err = netlink.MarshalAttributes(
			[]netlink.Attribute{
				{Type: unix.NFTA_CT_DIRECTION, Data: binaryutil.BigEndian.PutUint32(e.Direction)},
			},
		)
		if err != nil {
			return nil, err
		}
		exprData = append(exprData, regData...)
	}

	return exprData, nil
}

func (e *Ct) unmarshal(fam byte, data []byte) error {
	ad, err := netlink.NewAttributeDecoder(data)
	if err != nil {
		return err
	}
	ad.ByteOrder = binary.BigEndian
	for ad.Next() {
		switch ad.Type() {
		case unix.NFTA_CT_KEY:
			e.Key = CtKey(ad.Uint32())
		case unix.NFTA_CT_DREG:
			e.Register = ad.Uint32()
		case unix.NFTA_CT_DIRECTION:
			e.Direction = ad.Uint32()
		}
	}
	return ad.Err()
}

type CtHelper struct {
	Name    string
	L3Proto uint16
	L4Proto uint8
}

func (c *CtHelper) marshal(fam byte) ([]byte, error) {
	exprData, err := c.marshalData(fam)
	if err != nil {
		return nil, err
	}

	return netlink.MarshalAttributes([]netlink.Attribute{
		{Type: unix.NFTA_EXPR_NAME, Data: []byte("cthelper\x00")},
		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: exprData},
	})
}

func (c *CtHelper) marshalData(fam byte) ([]byte, error) {
	exprData := []netlink.Attribute{
		{Type: unix.NFTA_CT_HELPER_NAME, Data: []byte(c.Name)},
	}

	if c.L3Proto != 0 {
		exprData = append(exprData, netlink.Attribute{
			Type: unix.NFTA_CT_HELPER_L3PROTO, Data: binaryutil.BigEndian.PutUint16(c.L3Proto),
		})
	}
	if c.L4Proto != 0 {
		exprData = append(exprData, netlink.Attribute{
			Type: unix.NFTA_CT_HELPER_L4PROTO, Data: []byte{c.L4Proto},
		})
	}

	return netlink.MarshalAttributes(exprData)
}

func (c *CtHelper) unmarshal(fam byte, data []byte) error {
	ad, err := netlink.NewAttributeDecoder(data)
	if err != nil {
		return err
	}
	ad.ByteOrder = binary.BigEndian
	for ad.Next() {
		switch ad.Type() {
		case unix.NFTA_CT_HELPER_NAME:
			c.Name = ad.String()
		case unix.NFTA_CT_HELPER_L3PROTO:
			c.L3Proto = ad.Uint16()
		case unix.NFTA_CT_HELPER_L4PROTO:
			c.L4Proto = ad.Uint8()
		}
	}
	return ad.Err()
}

// From https://git.netfilter.org/libnftnl/tree/include/linux/netfilter/nf_tables.h?id=be0bae0ad31b0adb506f96de083f52a2bd0d4fbf#n1601
// Currently not available in sys/unix
const (
	NFTA_CT_EXPECT_L3PROTO = 0x01
	NFTA_CT_EXPECT_L4PROTO = 0x02
	NFTA_CT_EXPECT_DPORT   = 0x03
	NFTA_CT_EXPECT_TIMEOUT = 0x04
	NFTA_CT_EXPECT_SIZE    = 0x05
)

type CtExpect struct {
	L3Proto uint16
	L4Proto uint8
	DPort   uint16
	Timeout uint32
	Size    uint8
}

func (c *CtExpect) marshal(fam byte) ([]byte, error) {
	exprData, err := c.marshalData(fam)
	if err != nil {
		return nil, err
	}

	return netlink.MarshalAttributes([]netlink.Attribute{
		{Type: unix.NFTA_EXPR_NAME, Data: []byte("ctexpect\x00")},
		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: exprData},
	})
}

func (c *CtExpect) marshalData(fam byte) ([]byte, error) {
	// all elements except l3proto must be defined
	// per https://git.netfilter.org/nftables/tree/doc/stateful-objects.txt?id=db70959a5ccf2952b218f51c3d529e186a5a43bb#n119
	// from man page: l3proto is derived from the table family by default
	exprData := []netlink.Attribute{
		{Type: NFTA_CT_EXPECT_L4PROTO, Data: []byte{c.L4Proto}},
		{Type: NFTA_CT_EXPECT_DPORT, Data: binaryutil.BigEndian.PutUint16(c.DPort)},
		{Type: NFTA_CT_EXPECT_TIMEOUT, Data: binaryutil.BigEndian.PutUint32(c.Timeout)},
		{Type: NFTA_CT_EXPECT_SIZE, Data: []byte{c.Size}},
	}

	if c.L3Proto != 0 {
		attr := netlink.Attribute{Type: NFTA_CT_EXPECT_L3PROTO, Data: binaryutil.BigEndian.PutUint16(c.L3Proto)}
		exprData = append(exprData, attr)
	}
	return netlink.MarshalAttributes(exprData)
}

func (c *CtExpect) unmarshal(fam byte, data []byte) error {
	ad, err := netlink.NewAttributeDecoder(data)
	if err != nil {
		return err
	}
	ad.ByteOrder = binary.BigEndian
	for ad.Next() {
		switch ad.Type() {
		case NFTA_CT_EXPECT_L3PROTO:
			c.L3Proto = ad.Uint16()
		case NFTA_CT_EXPECT_L4PROTO:
			c.L4Proto = ad.Uint8()
		case NFTA_CT_EXPECT_DPORT:
			c.DPort = ad.Uint16()
		case NFTA_CT_EXPECT_TIMEOUT:
			c.Timeout = ad.Uint32()
		case NFTA_CT_EXPECT_SIZE:
			c.Size = ad.Uint8()
		}
	}
	return ad.Err()
}

type CtTimeout struct {
	L3Proto uint16
	L4Proto uint8
	Policy  CtStatePolicyTimeout
}

func (c *CtTimeout) marshal(fam byte) ([]byte, error) {
	exprData, err := c.marshalData(fam)
	if err != nil {
		return nil, err
	}

	return netlink.MarshalAttributes([]netlink.Attribute{
		{Type: unix.NFTA_EXPR_NAME, Data: []byte("cttimeout\x00")},
		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: exprData},
	})
}

func (c *CtTimeout) marshalData(fam byte) ([]byte, error) {
	var policy CtStatePolicyTimeout
	switch c.L4Proto {
	case unix.IPPROTO_UDP:
		policy = CtStateUDPTimeoutDefaults
	default:
		policy = CtStateTCPTimeoutDefaults
	}

	for k, v := range c.Policy {
		policy[k] = v
	}

	var policyAttrs []netlink.Attribute
	for k, v := range policy {
		policyAttrs = append(policyAttrs, netlink.Attribute{Type: k + 1, Data: binaryutil.BigEndian.PutUint32(v)})
	}
	policyData, err := netlink.MarshalAttributes(policyAttrs)
	if err != nil {
		return nil, err
	}

	exprData := []netlink.Attribute{
		{Type: NFTA_CT_TIMEOUT_L3PROTO, Data: binaryutil.BigEndian.PutUint16(c.L3Proto)},
		{Type: NFTA_CT_TIMEOUT_L4PROTO, Data: []byte{c.L4Proto}},
		{Type: unix.NLA_F_NESTED | NFTA_CT_TIMEOUT_DATA, Data: policyData},
	}

	return netlink.MarshalAttributes(exprData)
}

func (c *CtTimeout) unmarshal(fam byte, data []byte) error {
	ad, err := netlink.NewAttributeDecoder(data)
	if err != nil {
		return err
	}
	ad.ByteOrder = binary.BigEndian
	for ad.Next() {
		switch ad.Type() {
		case NFTA_CT_TIMEOUT_L3PROTO:
			c.L3Proto = ad.Uint16()
		case NFTA_CT_TIMEOUT_L4PROTO:
			c.L4Proto = ad.Uint8()
		case NFTA_CT_TIMEOUT_DATA:
			decoder, err := netlink.NewAttributeDecoder(ad.Bytes())
			decoder.ByteOrder = binary.BigEndian
			if err != nil {
				return err
			}
			for decoder.Next() {
				switch c.L4Proto {
				case unix.IPPROTO_UDP:
					c.Policy = CtStateUDPTimeoutDefaults
				default:
					c.Policy = CtStateTCPTimeoutDefaults
				}
				c.Policy[decoder.Type()-1] = decoder.Uint32()
			}
		}
	}
	return ad.Err()
}