Crate netstack3_filter

Packet filtering framework.


  • Testing-related utilities for use by other crates.


  • A matcher for IP addresses.
  • Data stored in [conntrack::Connection] that is only needed by filtering.
  • The filtering API.
  • The “production” implementation of packet filtering.
  • An incoming IP packet that is being forwarded.
  • A particular entry point for packet processing in which filtering routines are installed.
  • Routines that perform ordinary IP filtering.
  • Routines that can perform NAT.
  • A nested serializer whose inner serializer implements IpPacket.
  • Top-level matcher for IP packets.
  • A matcher for transport-layer port numbers.
  • A witness type to indicate that the egress filtering hook has been run.
  • A sequence of Rules.
  • IP version-specific filtering routine state.
  • A set of criteria (matchers) and a resultant action to take if a given packet matches.
  • An incoming IP packet that has been parsed into its constituent parts for either local delivery or forwarding.
  • IP version-specific filtering state.
  • A matcher for transport-layer protocol or port numbers.
  • An outgoing IP packet that has not yet been wrapped into an outer serializer type.
  • A handle to a Routine that is not installed in a particular hook, and therefore is only run if jumped to from another routine.
  • Witness type ensuring that the contained filtering state has been validated.



  • Trait aggregating functionality required from bindings.
  • Trait defining required types for filtering provided by bindings.
  • A context for mutably accessing all filtering state at once, to allow IPv4 and IPv6 filtering state to be modified atomically.
  • An implementation of packet filtering logic, providing entry points at various stages of packet processing.
  • The IP version-specific execution context for packet filtering.
  • A trait for interacting with the pieces of packet metadata that are important for filtering.
  • Allows filtering code to match on properties of an interface (ID, name, and device class) without Netstack3 Core (or Bindings, in the case of the device class) having to specifically expose that state.
  • An IP packet that provides header inspection.
  • A payload of an IP packet that may be a valid transport layer packet.
  • A serializer that may also be a valid transport layer packet.

Type Aliases