netstack3_filter/
lib.rs

1// Copyright 2024 The Fuchsia Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5//! Packet filtering framework.
6
7#![no_std]
8#![warn(
9    missing_docs,
10    unreachable_patterns,
11    clippy::useless_conversion,
12    clippy::redundant_clone,
13    clippy::precedence
14)]
15
16extern crate fakealloc as alloc;
17
18mod actions;
19mod api;
20mod conntrack;
21mod context;
22mod logic;
23mod matchers;
24mod packets;
25mod state;
26
27use logic::nat::NatConfig;
28
29/// A connection as tracked by conntrack.
30pub type ConntrackConnection<I, A, BT> = conntrack::Connection<I, NatConfig<I, A>, BT>;
31
32pub use actions::MarkAction;
33pub use api::FilterApi;
34pub use conntrack::{
35    ConnectionDirection, Table, TransportProtocol, Tuple,
36    WeakConnection as WeakConntrackConnection, WeakConnectionError,
37};
38pub use context::{
39    FilterBindingsContext, FilterBindingsTypes, FilterContext, FilterIpContext, NatContext,
40    SocketEgressFilterResult, SocketIngressFilterResult, SocketOpsFilter,
41    SocketOpsFilterBindingContext,
42};
43pub use logic::{
44    FilterHandler, FilterImpl, FilterTimerId, IngressVerdict, ProofOfEgressCheck, Verdict,
45};
46pub use matchers::{
47    AddressMatcher, AddressMatcherType, InterfaceMatcher, InterfaceProperties, PacketMatcher,
48    PortMatcher, TransportProtocolMatcher,
49};
50pub use packets::{
51    FilterIpExt, ForwardedPacket, IcmpMessage, IpPacket, MaybeTransportPacket,
52    MaybeTransportPacketMut, RawIpBody, TransportPacketSerializer, TxPacket,
53};
54pub use state::validation::{ValidRoutines, ValidationError};
55pub use state::{
56    Action, FilterIpMetadata, FilterMarkMetadata, Hook, IpRoutines, NatRoutines, Routine, Routines,
57    Rule, State, TransparentProxy, UninstalledRoutine,
58};
59
60/// Testing-related utilities for use by other crates.
61#[cfg(any(test, feature = "testutils"))]
62pub mod testutil {
63    pub use crate::logic::testutil::NoopImpl;
64    pub use crate::packets::testutil::new_filter_egress_ip_packet;
65    use packet::FragmentedByteSlice;
66
67    use crate::{
68        FilterIpExt, IpPacket, SocketEgressFilterResult, SocketIngressFilterResult, SocketOpsFilter,
69    };
70    use netstack3_base::socket::SocketCookie;
71    use netstack3_base::{Marks, StrongDeviceIdentifier};
72
73    #[cfg(test)]
74    pub(crate) trait TestIpExt:
75        crate::context::testutil::TestIpExt + crate::packets::testutil::internal::TestIpExt
76    {
77    }
78
79    #[cfg(test)]
80    impl<I> TestIpExt for I where
81        I: crate::context::testutil::TestIpExt + crate::packets::testutil::internal::TestIpExt
82    {
83    }
84
85    /// No-op implementation of `SocketOpsFilter`.
86    pub struct NoOpSocketOpsFilter;
87
88    impl<D: StrongDeviceIdentifier, T> SocketOpsFilter<D, T> for NoOpSocketOpsFilter {
89        fn on_egress<I: FilterIpExt, P: IpPacket<I>>(
90            &self,
91            _packet: &P,
92            _device: &D,
93            _tx_metadata: &T,
94            _marks: &Marks,
95        ) -> SocketEgressFilterResult {
96            SocketEgressFilterResult::Pass { congestion: false }
97        }
98
99        fn on_ingress(
100            &self,
101            _packet: &FragmentedByteSlice<'_, &[u8]>,
102            _device: &D,
103            _cookie: SocketCookie,
104            _marks: &Marks,
105        ) -> SocketIngressFilterResult {
106            SocketIngressFilterResult::Accept
107        }
108    }
109}