netstack3_core::filter

Enum Action

pub enum Action<I, DeviceClass, RuleInfo>
where
    I: IpExt,
{
    Accept,
    Drop,
    Jump(UninstalledRoutine<I, DeviceClass, RuleInfo>),
    Return,
    TransparentProxy(TransparentProxy<I>),
    Redirect {
        dst_port: Option<RangeInclusive<NonZero<u16>>>,
    },
    Masquerade {
        src_port: Option<RangeInclusive<NonZero<u16>>>,
    },
}

The action to take on a packet.

Variants

Accept

Accept the packet.

This is a terminal action for the current installed routine, i.e. no further rules will be evaluated for this packet in the installed routine (or any subroutines) in which this rule is installed. Subsequent routines installed on the same hook will still be evaluated.

Drop

Drop the packet.

This is a terminal action for the current hook, i.e. no further rules will be evaluated for this packet, even in other routines on the same hook.

Jump(UninstalledRoutine<I, DeviceClass, RuleInfo>)

Jump from the current routine to the specified uninstalled routine.

Return

Stop evaluation of the current routine and return to the calling routine (the routine from which the current routine was jumped), continuing evaluation at the next rule.

If invoked in an installed routine, equivalent to Accept, given packets are accepted by default in the absence of any matching rules.

TransparentProxy(TransparentProxy<I>)

Redirect the packet to a local socket without changing the packet header in any way.

This is a terminal action for the current hook, i.e. no further rules will be evaluated for this packet, even in other routines on the same hook. However, note that this does not preclude actions on other hooks from having an effect on this packet; for example, a packet that hits TransparentProxy in INGRESS could still be dropped in LOCAL_INGRESS.

This action is only valid in the INGRESS hook. This action is also only valid in a rule that ensures the presence of a TCP or UDP header by matching on the transport protocol, so that the packet can be properly dispatched.

Also note that transparently proxied packets will only be delivered to sockets with the transparent socket option enabled.

Redirect

A special case of destination NAT (DNAT) that redirects the packet to the local host.

This is a terminal action for all NAT routines on the current hook. The packet is redirected by rewriting the destination IP address to one owned by the ingress interface (if operating on incoming traffic in INGRESS) or the loopback address (if operating on locally-generated traffic in LOCAL_EGRESS). If this rule is installed on INGRESS and no IP address is assigned to the incoming interface, the packet is dropped.

As with all DNAT actions, this action is only valid in the INGRESS and LOCAL_EGRESS hooks. If a destination port is specified, this action is only valid in a rule that ensures the presence of a TCP or UDP header by matching on the transport protocol, so that the destination port can be rewritten.

This is analogous to the redirect statement in Netfilter.

Fields

dst_port: Option<RangeInclusive<NonZero<u16>>>

The optional range of destination ports used to rewrite the packet.

If specified, the destination port of the packet will be rewritten to some randomly chosen port in the range. If absent, the destination port of the packet will not be rewritten.

Masquerade

A special case of source NAT (SNAT) that reassigns the source IP address of the packet to an address that is assigned to the outgoing interface.

This is a terminal action for all NAT routines on the current hook. If no address is assigned to the outgoing interface, the packet will be dropped.

This action is only valid in the EGRESS hook. If a source port range is specified, this action is only valid in a rule that ensures the presence of a TCP or UDP header by matching on the transport protocol, so that the source port can be rewritten.

This is analogous to the masquerade statement in Netfilter.

Fields

src_port: Option<RangeInclusive<NonZero<u16>>>

The optional range of source ports used to rewrite the packet.

The source port will be rewritten if necessary to ensure the packet’s flow does not conflict with an existing tracked connection. Note that the source port may be rewritten whether or not this range is specified.

If specified, this overrides the default behavior and restricts the range of possible values to which the source port can be rewritten.
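The routine-versus-hook scoping that the Accept, Drop, Jump and Return variants above describe, as an added example that is not netstack3_core's own code: a small constructed evaluator whose Rule and Packet types and fn-pointer matcher are simplifying assumptions. It shows that an Accept in one installed routine does not shield a packet from a Drop in a later routine on the same hook, while a Drop ends evaluation for the whole hook.

```rust
// Constructed model (not netstack3_core's own code) of the evaluation
// semantics documented for Accept, Drop, Jump and Return; the Rule and
// Packet types and the fn-pointer matcher are simplifying assumptions.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Verdict { Accept, Drop }
pub struct Packet { pub dst_port: u16 }

pub enum Action {
    Accept,
    Drop,
    Jump(Vec<Rule>), // the uninstalled routine being jumped to
    Return,
}
pub struct Rule { pub matches: fn(&Packet) -> bool, pub action: Action }

// What the caller must do once a routine has finished.
enum RoutineResult {
    Continue, // fell off the end, or hit Return: caller resumes at its next rule
    Accept,   // terminal for the installed routine (and its subroutines) only
    Drop,     // terminal for the whole hook
}

fn eval_routine(rules: &[Rule], pkt: &Packet) -> RoutineResult {
    for rule in rules.iter().filter(|r| (r.matches)(pkt)) {
        match &rule.action {
            Action::Accept => return RoutineResult::Accept,
            Action::Drop => return RoutineResult::Drop,
            Action::Return => return RoutineResult::Continue,
            Action::Jump(sub) => match eval_routine(sub, pkt) {
                RoutineResult::Continue => {} // Return in the subroutine
                terminal => return terminal,  // Accept/Drop propagate upward
            },
        }
    }
    RoutineResult::Continue
}

/// Evaluate every installed routine on one hook, in order. Accept (or a bare
/// Return) ends only the current routine, so a later routine on the same hook
/// can still Drop the packet; Drop ends evaluation for the whole hook.
pub fn eval_hook(routines: &[Vec<Rule>], pkt: &Packet) -> Verdict {
    for routine in routines {
        if let RoutineResult::Drop = eval_routine(routine, pkt) {
            return Verdict::Drop;
        }
    }
    Verdict::Accept // accepted by default when no routine dropped it
}
```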

Trait Implementations

impl<I, DeviceClass, RuleInfo> Clone for Action<I, DeviceClass, RuleInfo>
where I: IpExt, DeviceClass: Clone, RuleInfo: Clone,

fn clone(&self) -> Action<I, DeviceClass, RuleInfo>

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl<I, DeviceClass, RuleInfo> Debug for Action<I, DeviceClass, RuleInfo>
where I: IpExt, DeviceClass: Debug,

fn fmt(&self, __f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter.

impl<I, DeviceClass> Inspectable for Action<I, DeviceClass, ()>
where I: IpExt, DeviceClass: Debug,

fn record<Inspector>(&self, inspector: &mut Inspector)
where Inspector: Inspector,

Records this value into inspector.

Auto Trait Implementations

impl<I, DeviceClass, RuleInfo> Freeze for Action<I, DeviceClass, RuleInfo>
where <I as Ip>::Addr: Freeze,

impl<I, DeviceClass, RuleInfo> RefUnwindSafe for Action<I, DeviceClass, RuleInfo>
where <I as Ip>::Addr: RefUnwindSafe, RuleInfo: RefUnwindSafe, DeviceClass: RefUnwindSafe, <I as IpProtoExt>::Proto: RefUnwindSafe,

impl<I, DeviceClass, RuleInfo> Send for Action<I, DeviceClass, RuleInfo>
where RuleInfo: Sync + Send, DeviceClass: Sync + Send,

impl<I, DeviceClass, RuleInfo> Sync for Action<I, DeviceClass, RuleInfo>
where RuleInfo: Sync + Send, DeviceClass: Sync + Send,

impl<I, DeviceClass, RuleInfo> Unpin for Action<I, DeviceClass, RuleInfo>
where <I as Ip>::Addr: Unpin,

impl<I, DeviceClass, RuleInfo> UnwindSafe for Action<I, DeviceClass, RuleInfo>
where <I as Ip>::Addr: UnwindSafe + RefUnwindSafe, RuleInfo: RefUnwindSafe, DeviceClass: RefUnwindSafe, <I as IpProtoExt>::Proto: RefUnwindSafe,

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dst: *mut T)

This is a nightly-only experimental API (clone_to_uninit). Performs copy-assignment from self to dst.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<CC, BC, Meta> RecvFrameContext<Meta, BC> for CC
where Meta: ReceivableFrameMeta<CC, BC>,

fn receive_frame<B>(&mut self, bindings_ctx: &mut BC, metadata: Meta, frame: B)
where B: BufferMut + Debug,

Receive a frame.

impl<T> Same for T

type Output = T

Should always be Self.

impl<CC, BC, Meta> SendFrameContext<BC, Meta> for CC
where Meta: SendableFrameMeta<CC, BC>,

fn send_frame<S>(&mut self, bindings_ctx: &mut BC, metadata: Meta, frame: S) -> Result<(), ErrorAndSerializer<SendFrameErrorReason, S>>
where S: Serializer, <S as Serializer>::Buffer: BufferMut,

Send a frame.

impl<Id, CC, BC> TimerHandler<BC, Id> for CC
where BC: TimerBindingsTypes, Id: HandleableTimer<CC, BC>,

fn handle_timer(&mut self, bindings_ctx: &mut BC, dispatch: Id, timer: <BC as TimerBindingsTypes>::UniqueTimerId)

Handle a timer firing.

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<L, T> UnlockedAccess<L> for T

type Data = <L as UnlockedAccessMarkerFor<T>>::Data

The type of state being accessed.

type Guard<'l> = &'l <L as UnlockedAccessMarkerFor<T>>::Data where T: 'l

A guard providing read access to the data.

fn access(&self) -> <T as UnlockedAccess<L>>::Guard<'_>

How to access the state.

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

fn vzip(self) -> V

impl<B, A> LockBefore<B> for A
where B: LockAfter<A>,