Restructure code base into smaller files (google#15)

* Restrcture code base into smaller files

* Package level doc string

* Move ExprsFromMsg back from expr sub-module

* gofmt

Author: rwhelan

chain.go

@@ -0,0 +1,108 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package nftables
+
+import (
+	"math"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+// ChainHook specifies at which step in packet processing the Chain should be
+// executed. See also
+// https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_hooks
+type ChainHook uint32
+
+// Possible ChainHook values.
+const (
+	ChainHookPrerouting  ChainHook = unix.NF_INET_PRE_ROUTING
+	ChainHookInput       ChainHook = unix.NF_INET_LOCAL_IN
+	ChainHookForward     ChainHook = unix.NF_INET_FORWARD
+	ChainHookOutput      ChainHook = unix.NF_INET_LOCAL_OUT
+	ChainHookPostrouting ChainHook = unix.NF_INET_POST_ROUTING
+	ChainHookIngress     ChainHook = unix.NF_NETDEV_INGRESS
+)
+
+// ChainPriority orders the chain relative to Netfilter internal operations. See
+// also
+// https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority
+type ChainPriority int32
+
+// Possible ChainPriority values.
+const ( // from /usr/include/linux/netfilter_ipv4.h
+	ChainPriorityFirst            ChainPriority = math.MinInt32
+	ChainPriorityConntrackDefrag  ChainPriority = -400
+	ChainPriorityRaw              ChainPriority = -300
+	ChainPrioritySELinuxFirst     ChainPriority = -225
+	ChainPriorityConntrack        ChainPriority = -200
+	ChainPriorityMangle           ChainPriority = -150
+	ChainPriorityNATDest          ChainPriority = -100
+	ChainPriorityFilter           ChainPriority = 0
+	ChainPrioritySecurity         ChainPriority = 50
+	ChainPriorityNATSource        ChainPriority = 100
+	ChainPrioritySELinuxLast      ChainPriority = 225
+	ChainPriorityConntrackHelper  ChainPriority = 300
+	ChainPriorityConntrackConfirm ChainPriority = math.MaxInt32
+	ChainPriorityLast             ChainPriority = math.MaxInt32
+)
+
+// ChainType defines what this chain will be used for. See also
+// https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_types
+type ChainType string
+
+// Possible ChainType values.
+const (
+	ChainTypeFilter ChainType = "filter"
+	ChainTypeRoute  ChainType = "route"
+	ChainTypeNAT    ChainType = "nat"
+)
+
+// A Chain contains Rules. See also
+// https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains
+type Chain struct {
+	Name     string
+	Table    *Table
+	Hooknum  ChainHook
+	Priority ChainPriority
+	Type     ChainType
+}
+
+// AddChain adds the specified Chain. See also
+// https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Adding_base_chains
+func (cc *Conn) AddChain(c *Chain) *Chain {
+	chainHook := cc.marshalAttr([]netlink.Attribute{
+		{Type: unix.NFTA_HOOK_HOOKNUM, Data: binaryutil.BigEndian.PutUint32(uint32(c.Hooknum))},
+		{Type: unix.NFTA_HOOK_PRIORITY, Data: binaryutil.BigEndian.PutUint32(uint32(c.Priority))},
+	})
+
+	data := cc.marshalAttr([]netlink.Attribute{
+		{Type: unix.NFTA_CHAIN_TABLE, Data: []byte(c.Table.Name + "\x00")},
+		{Type: unix.NFTA_CHAIN_NAME, Data: []byte(c.Name + "\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_CHAIN_HOOK, Data: chainHook},
+		{Type: unix.NFTA_CHAIN_TYPE, Data: []byte(c.Type + "\x00")},
+	})
+
+	cc.messages = append(cc.messages, netlink.Message{
+		Header: netlink.Header{
+			Type:  netlink.HeaderType((unix.NFNL_SUBSYS_NFTABLES << 8) | unix.NFT_MSG_NEWCHAIN),
+			Flags: netlink.Request | netlink.Acknowledge | netlink.Create,
+		},
+		Data: append(extraHeader(uint8(c.Table.Family), 0), data...),
+	})
+
+	return c
+}

conn.go

@@ -0,0 +1,130 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package nftables
+
+import (
+	"fmt"
+
+	"github.com/google/nftables/expr"
+	"github.com/mdlayher/netlink"
+	"github.com/mdlayher/netlink/nltest"
+	"golang.org/x/sys/unix"
+)
+
+// A Conn represents a netlink connection of the nftables family.
+//
+// All methods return their input, so that variables can be defined from string
+// literals when desired.
+//
+// Commands are buffered. Flush sends all buffered commands in a single batch.
+type Conn struct {
+	TestDial nltest.Func // for testing only; passed to nltest.Dial
+	NetNS    int         // Network namespace netlink will interact with.
+	messages []netlink.Message
+	err      error
+}
+
+// Flush sends all buffered commands in a single batch to nftables.
+func (cc *Conn) Flush() error {
+	if cc.err != nil {
+		return cc.err // serialization error
+	}
+	conn, err := cc.dialNetlink()
+	if err != nil {
+		return err
+	}
+
+	defer conn.Close()
+
+	if _, err := conn.SendMessages(batch(cc.messages)); err != nil {
+		return fmt.Errorf("SendMessages: %v", err)
+	}
+
+	if _, err := conn.Receive(); err != nil {
+		return fmt.Errorf("Receive: %v", err)
+	}
+
+	cc.messages = nil
+
+	return nil
+}
+
+// FlushRuleset flushes the entire ruleset. See also
+// https://wiki.nftables.org/wiki-nftables/index.php/Operations_at_ruleset_level
+func (cc *Conn) FlushRuleset() {
+	cc.messages = append(cc.messages, netlink.Message{
+		Header: netlink.Header{
+			Type:  netlink.HeaderType((unix.NFNL_SUBSYS_NFTABLES << 8) | unix.NFT_MSG_DELTABLE),
+			Flags: netlink.Request | netlink.Acknowledge | netlink.Create,
+		},
+		Data: extraHeader(0, 0),
+	})
+}
+
+func (cc *Conn) dialNetlink() (*netlink.Conn, error) {
+	if cc.TestDial != nil {
+		return nltest.Dial(cc.TestDial), nil
+	}
+	return netlink.Dial(unix.NETLINK_NETFILTER, &netlink.Config{NetNS: cc.NetNS})
+}
+
+func (cc *Conn) setErr(err error) {
+	if cc.err != nil {
+		return
+	}
+	cc.err = err
+}
+
+func (cc *Conn) marshalAttr(attrs []netlink.Attribute) []byte {
+	b, err := netlink.MarshalAttributes(attrs)
+	if err != nil {
+		cc.setErr(err)
+		return nil
+	}
+	return b
+}
+
+func (cc *Conn) marshalExpr(e expr.Any) []byte {
+	b, err := expr.Marshal(e)
+	if err != nil {
+		cc.setErr(err)
+		return nil
+	}
+	return b
+}
+
+func batch(messages []netlink.Message) []netlink.Message {
+	batch := []netlink.Message{
+		{
+			Header: netlink.Header{
+				Type:  netlink.HeaderType(unix.NFNL_MSG_BATCH_BEGIN),
+				Flags: netlink.Request,
+			},
+			Data: extraHeader(0, unix.NFNL_SUBSYS_NFTABLES),
+		},
+	}
+
+	batch = append(batch, messages...)
+
+	batch = append(batch, netlink.Message{
+		Header: netlink.Header{
+			Type:  netlink.HeaderType(unix.NFNL_MSG_BATCH_END),
+			Flags: netlink.Request,
+		},
+		Data: extraHeader(0, unix.NFNL_SUBSYS_NFTABLES),
+	})
+
+	return batch
+}

counter.go

@@ -0,0 +1,66 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package nftables
+
+import (
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+// CounterObj implements Obj.
+type CounterObj struct {
+	Table *Table
+	Name  string // e.g. “fwded”
+
+	Bytes   uint64
+	Packets uint64
+}
+
+func (c *CounterObj) unmarshal(ad *netlink.AttributeDecoder) error {
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_COUNTER_BYTES:
+			c.Bytes = ad.Uint64()
+		case unix.NFTA_COUNTER_PACKETS:
+			c.Packets = ad.Uint64()
+		}
+	}
+	return ad.Err()
+}
+
+func (c *CounterObj) family() TableFamily {
+	return c.Table.Family
+}
+
+func (c *CounterObj) marshal(data bool) ([]byte, error) {
+	obj, err := netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_COUNTER_BYTES, Data: binaryutil.BigEndian.PutUint64(c.Bytes)},
+		{Type: unix.NFTA_COUNTER_PACKETS, Data: binaryutil.BigEndian.PutUint64(c.Packets)},
+	})
+	if err != nil {
+		return nil, err
+	}
+	const NFT_OBJECT_COUNTER = 1 // TODO: get into x/sys/unix
+	attrs := []netlink.Attribute{
+		{Type: unix.NFTA_OBJ_TABLE, Data: []byte(c.Table.Name + "\x00")},
+		{Type: unix.NFTA_OBJ_NAME, Data: []byte(c.Name + "\x00")},
+		{Type: unix.NFTA_OBJ_TYPE, Data: binaryutil.BigEndian.PutUint32(NFT_OBJECT_COUNTER)},
+	}
+	if data {
+		attrs = append(attrs, netlink.Attribute{Type: unix.NLA_F_NESTED | unix.NFTA_OBJ_DATA, Data: obj})
+	}
+	return netlink.MarshalAttributes(attrs)
+}

doc.go

@@ -0,0 +1,16 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package nftables manipulates Linux nftables (the iptables successor).
+package nftables