src/connectivity/network/netstack/filter/README.md

How Filter works

           Incoming                           Outgoing

 +--------------------------+        +--------------------------+
 |           IP             +<--+    |           IP             |
 +------------+-------------+   |    +------------+-------------+
              ^                 |                 |
              |                 |                 v
 +------------+-------------+   |    +------------+-------------+
 |    Filter Rule runner    |   |    |           NAT            |
 +--------------------------+   |    +--------------------------+
 +--------------------------+   |    +--------------------------+
 | Connection state tracker +---+    | Connection state tracker +---+
 +--------------------------+        +--------------------------+   |
 +--------------------------+        +--------------------------+   |
 |      RDR(redirector)     |        |    Filter Rule runner    |   |
 +------------+-------------+        +------------+-------------+   |
              ^                                   |                 |
              |                                   v                 |
 +------------+-------------+        +------------+-------------+   |
 |      NIC(interface)      |        |      NIC(interface)      +<--+
 +--------------------------+        +------------+-------------+
              ^                                   |
              |                                   v
  • For incoming packets

    • If filter is enabled on the NIC
      • Step 1: RDR(Redirector)
        • Try to match all RDR rules.
        • If any RDR rule is matched, the headers are rewritten according to the rule.
      • Step 2: Connection state tracker
        • Check whether the packet is part of an existing connection.
        • If yes, skip Step 3.
      • Step 3: Filter Rule runner
        • Try to match every rule from top to bottom.
          • If the packet matches a rule with the quick flag, the action (pass or drop) is taken immediately.
          • If the packet matches a rule without the quick flag, remember it as the last matched rule and move on to the next rule. When the bottom is reached, the action of the last matched rule is taken.
        • If the action is pass, the connection is registered with the Connection state tracker, and the packet is passed to IP.
  • For outgoing packets

    • If filter is enabled on the NIC
      • Step 1: NAT
        • Try to match every NAT rule.
        • If any NAT rule is matched, the headers are rewritten according to the rule.
      • Step 2: Connection state tracker
        • Check whether the packet is part of an existing connection.
        • If yes, skip Step 3.
      • Step 3: Filter Rule runner
        • Try to match every rule from top to bottom.
          • If the packet matches a rule with the quick flag, the action (pass or drop) is taken immediately.
          • If the packet matches a rule without the quick flag, remember it as the last matched rule and move on to the next rule. When the bottom is reached, the action of the last matched rule is taken.
        • If the action is pass, the connection is registered with the Connection state tracker, and the packet is passed to the NIC.
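The Step 2 and Step 3 behaviour described above (quick flag versus last-match-wins, and the bypass for packets of an already registered connection), as an added Go example that is not code from the netstack filter package. The Packet and Rule types, the wildcard matching, the 5-tuple used as the connection key, and passing a packet that matches no rule are assumptions made for the example.

```go
package main

// Action is the rule runner's verdict.
type Action int
const (
	Pass Action = iota
	Drop
)
// Packet holds the header fields this example matches and tracks on (a constructed subset).
type Packet struct {
	Proto, SrcAddr, DstAddr string
	SrcPort, DstPort        uint16
}
// Rule matches on protocol and destination port; a zero field is a wildcard (assumption).
type Rule struct {
	Proto   string
	DstPort uint16
	Action  Action
	Quick   bool
}
func (r Rule) matches(p Packet) bool {
	return (r.Proto == "" || r.Proto == p.Proto) && (r.DstPort == 0 || r.DstPort == p.DstPort)
}
// RunRules is Step 3: rules are tried top to bottom; a matching rule with the quick flag
// decides at once, otherwise the last matching rule wins. ok is false when none matched.
func RunRules(rules []Rule, p Packet) (action Action, ok bool) {
	for _, r := range rules {
		if !r.matches(p) {
			continue
		}
		if action, ok = r.Action, true; r.Quick {
			break
		}
	}
	return action, ok
}

// Tracker is Step 2: connections whose first packet passed, keyed by 5-tuple (create with Tracker{}).
type Tracker map[Packet]bool
// Filter applies Steps 2 and 3 to one packet (RDR/NAT rewriting is out of scope here).
func (t Tracker) Filter(rules []Rule, p Packet) Action {
	if t[p] {
		return Pass // part of a known connection: skip the rule runner
	}
	if a, ok := RunRules(rules, p); ok && a == Drop {
		return Drop
	}
	t[p] = true // passed: register the connection (passing when no rule matches is an assumption)
	return Pass
}
```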