Enum Action

pub enum Action<I, DeviceClass, RuleInfo>
where
    I: IpExt,
{
    Accept,
    Drop,
    Jump(UninstalledRoutine<I, DeviceClass, RuleInfo>),
    Return,
    TransparentProxy(TransparentProxy<I>),
    Redirect {
        dst_port: Option<RangeInclusive<NonZero<u16>>>,
    },
    Masquerade {
        src_port: Option<RangeInclusive<NonZero<u16>>>,
    },
}
The action to take on a packet.
Variants
Accept
Accept the packet.
This is a terminal action for the current installed routine, i.e. no further rules will be evaluated for this packet in the installed routine (or any subroutines) in which this rule is installed. Subsequent routines installed on the same hook will still be evaluated.
Drop
Drop the packet.
This is a terminal action for the current hook, i.e. no further rules will be evaluated for this packet, even in other routines on the same hook.
Jump(UninstalledRoutine<I, DeviceClass, RuleInfo>)
Jump from the current routine to the specified uninstalled routine.
Return
Stop evaluation of the current routine and return to the calling routine (the routine that jumped to the current one), continuing evaluation at the next rule there.
If invoked in an installed routine, this is equivalent to Accept, given that packets are accepted by default in the absence of any matching rules.
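To make the verdict rules for Accept, Drop, Jump and Return concrete, here is an added model of how they compose across routines on one hook. It is illustration code, not netstack3's; the names Act, Rule, Routine, Verdict and evaluate_hook are assumed, as is the simplification that a rule matches on a port alone.

```rust
// Added illustration, not netstack3 code: a tiny model of how the verdicts above
// compose across routines on one hook. `Act`, `Rule`, `Routine`, `Verdict` and
// `evaluate_hook` are assumed names; a rule here matches on a port only.
#[derive(Debug, PartialEq)]
pub enum Act { Accept, Drop, Jump(usize), Return } // Jump(i): index of an uninstalled routine
pub struct Rule { pub port: Option<u16>, pub action: Act } // port None matches everything
pub struct Routine { pub rules: Vec<Rule> }
#[derive(Debug, PartialEq)]
pub enum Verdict { Accept, Drop }

/// Outcome of one routine: a verdict that ends the installed routine, or no
/// decision (end of rules, or Return inside a jumped-to routine).
enum RoutineResult { Accept, Drop, Fallthrough }

fn eval_routine(r: &Routine, subs: &[Routine], port: u16, installed: bool) -> RoutineResult {
    for rule in r.rules.iter().filter(|rule| rule.port.map_or(true, |p| p == port)) {
        match &rule.action {
            Act::Accept => return RoutineResult::Accept,
            Act::Drop => return RoutineResult::Drop,
            // A verdict inside the subroutine ends the installed routine too; a Return
            // (or running out of rules there) resumes at our next rule.
            Act::Jump(i) => match eval_routine(&subs[*i], subs, port, false) {
                RoutineResult::Fallthrough => continue,
                verdict => return verdict,
            },
            Act::Return if installed => return RoutineResult::Accept, // same as Accept
            Act::Return => return RoutineResult::Fallthrough,
        }
    }
    RoutineResult::Fallthrough
}

/// Run every installed routine on the hook in order. Drop is terminal for the
/// hook; Accept only ends its routine, so a later routine can still drop.
pub fn evaluate_hook(installed: &[Routine], subs: &[Routine], port: u16) -> Verdict {
    for r in installed {
        if let RoutineResult::Drop = eval_routine(r, subs, port, true) { return Verdict::Drop; }
    }
    Verdict::Accept // accepted by default when no rule decided otherwise
}

/// Constructed sample policy: two installed routines and one uninstalled subroutine.
pub fn sample_policy() -> (Vec<Routine>, Vec<Routine>) {
    let rule = |port, action| Rule { port, action };
    let sub = Routine { rules: vec![rule(Some(80), Act::Drop), rule(None, Act::Return)] };
    let first = Routine { rules: vec![rule(Some(443), Act::Jump(0)), rule(Some(80), Act::Jump(0)),
                                      rule(Some(22), Act::Accept)] };
    let second = Routine { rules: vec![rule(Some(22), Act::Drop), rule(Some(443), Act::Drop)] };
    (vec![first, second], vec![sub])
}
```

With the sample policy, port 22 is dropped even though the first routine accepted it, which is the Accept-versus-Drop distinction the descriptions above draw.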
TransparentProxy(TransparentProxy<I>)
Redirect the packet to a local socket without changing the packet header in any way.
This is a terminal action for the current hook, i.e. no further rules will be evaluated for this packet, even in other routines on the same hook. However, note that this does not preclude actions on other hooks from having an effect on this packet; for example, a packet that hits TransparentProxy in INGRESS could still be dropped in LOCAL_INGRESS.
This action is only valid in the INGRESS hook. This action is also only valid in a rule that ensures the presence of a TCP or UDP header by matching on the transport protocol, so that the packet can be properly dispatched.
Also note that transparently proxied packets will only be delivered to sockets with the transparent socket option enabled.
Redirect
A special case of destination NAT (DNAT) that redirects the packet to the local host.
This is a terminal action for all NAT routines on the current hook. The packet is redirected by rewriting the destination IP address to one owned by the ingress interface (if operating on incoming traffic in INGRESS) or the loopback address (if operating on locally-generated traffic in LOCAL_EGRESS). If this rule is installed on INGRESS and no IP address is assigned to the incoming interface, the packet is dropped.
As with all DNAT actions, this action is only valid in the INGRESS and LOCAL_EGRESS hooks. If a destination port is specified, this action is only valid in a rule that ensures the presence of a TCP or UDP header by matching on the transport protocol, so that the destination port can be rewritten.
This is analogous to the redirect statement in Netfilter.
Fields
dst_port: Option<RangeInclusive<NonZero<u16>>>
The optional range of destination ports used to rewrite the packet.
If specified, the destination port of the packet will be rewritten to some randomly chosen port in the range. If absent, the destination port of the packet will not be rewritten.
Masquerade
A special case of source NAT (SNAT) that reassigns the source IP address of the packet to an address that is assigned to the outgoing interface.
This is a terminal action for all NAT routines on the current hook. If no address is assigned to the outgoing interface, the packet will be dropped.
This action is only valid in the EGRESS hook. If a source port range is specified, this action is only valid in a rule that ensures the presence of a TCP or UDP header by matching on the transport protocol, so that the source port can be rewritten.
This is analogous to the masquerade statement in Netfilter.
Fields
src_port: Option<RangeInclusive<NonZero<u16>>>
The optional range of source ports used to rewrite the packet.
The source port will be rewritten if necessary to ensure the packet’s flow does not conflict with an existing tracked connection. Note that the source port may be rewritten whether or not this range is specified.
If specified, this overrides the default behavior and restricts the range of possible values to which the source port can be rewritten.
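The hook and matcher constraints stated for TransparentProxy, Redirect and Masquerade above, encoded as a validity check. This is added illustration code, not the crate's own validation; Hook (limited to the hooks the descriptions name), Transport and check_nat_action are assumed names.

```rust
use std::num::NonZeroU16;
use std::ops::RangeInclusive;

// Added illustration, not the crate's own validation: the hook and matcher
// constraints documented for the NAT and proxy actions, encoded as a check.
// `Hook`, `Transport` and `check_nat_action` are assumed names.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Hook { Ingress, LocalIngress, LocalEgress, Egress }

/// The transport protocol the rule's matcher guarantees, if it matches on one.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Transport { Tcp, Udp }

pub enum NatAction {
    TransparentProxy,
    Redirect { dst_port: Option<RangeInclusive<NonZeroU16>> },
    Masquerade { src_port: Option<RangeInclusive<NonZeroU16>> },
}

pub fn check_nat_action(action: &NatAction, hook: Hook, transport: Option<Transport>) -> Result<(), String> {
    // Port rewriting (or proxy dispatch) needs a TCP or UDP header, so the rule
    // must pin the transport protocol down.
    let needs_transport = |what: &str| match transport {
        Some(_) => Ok(()),
        None => Err(format!("{what} requires a rule matching on TCP or UDP")),
    };
    match action {
        NatAction::TransparentProxy if hook != Hook::Ingress =>
            Err(format!("TransparentProxy is only valid in INGRESS, not {hook:?}")),
        NatAction::TransparentProxy => needs_transport("TransparentProxy"),
        NatAction::Redirect { .. } if !matches!(hook, Hook::Ingress | Hook::LocalEgress) =>
            Err(format!("Redirect (DNAT) is only valid in INGRESS or LOCAL_EGRESS, not {hook:?}")),
        NatAction::Redirect { dst_port: Some(_) } => needs_transport("Redirect with dst_port"),
        NatAction::Redirect { dst_port: None } => Ok(()),
        NatAction::Masquerade { .. } if hook != Hook::Egress =>
            Err(format!("Masquerade (SNAT) is only valid in EGRESS, not {hook:?}")),
        NatAction::Masquerade { src_port: Some(_) } => needs_transport("Masquerade with src_port"),
        NatAction::Masquerade { src_port: None } => Ok(()),
    }
}
```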
Trait Implementations
impl<I, DeviceClass> Inspectable for Action<I, DeviceClass, ()>
    fn record<Inspector>(&self, inspector: &mut Inspector)
    where
        Inspector: Inspector,
Auto Trait Implementations
impl<I, DeviceClass, RuleInfo> Freeze for Action<I, DeviceClass, RuleInfo>
impl<I, DeviceClass, RuleInfo> RefUnwindSafe for Action<I, DeviceClass, RuleInfo>
where
    <I as Ip>::Addr: RefUnwindSafe,
    RuleInfo: RefUnwindSafe,
    DeviceClass: RefUnwindSafe,
    <I as IpProtoExt>::Proto: RefUnwindSafe,
impl<I, DeviceClass, RuleInfo> Send for Action<I, DeviceClass, RuleInfo>
impl<I, DeviceClass, RuleInfo> Sync for Action<I, DeviceClass, RuleInfo>
impl<I, DeviceClass, RuleInfo> Unpin for Action<I, DeviceClass, RuleInfo>
impl<I, DeviceClass, RuleInfo> UnwindSafe for Action<I, DeviceClass, RuleInfo>
where
    <I as Ip>::Addr: UnwindSafe + RefUnwindSafe,
    RuleInfo: RefUnwindSafe,
    DeviceClass: RefUnwindSafe,
    <I as IpProtoExt>::Proto: RefUnwindSafe,
Blanket Implementations
impl<T> BorrowMut<T> for T
where
    T: ?Sized,
    fn borrow_mut(&mut self) -> &mut T
impl<T> CloneToUninit for T
where
    T: Clone,
    unsafe fn clone_to_uninit(&self, dst: *mut T)