netstack2

package
v1.8.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 24, 2025 License: AGPL-3.0 Imports: 35 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type ICMPHandler 

type ICMPHandler struct {
	// contains filtered or unexported fields
}

ICMPHandler handles ICMP packets from netstack

func NewICMPHandler 

func NewICMPHandler(s *stack.Stack, ph *ProxyHandler) *ICMPHandler

NewICMPHandler creates a new ICMP handler

func (*ICMPHandler) InstallICMPHandler 

func (h *ICMPHandler) InstallICMPHandler() error

InstallICMPHandler installs the ICMP handler on the stack

type Net 

type Net netTun

func CreateNetTUN 

func CreateNetTUN(localAddresses, dnsServers []netip.Addr, mtu int) (tun.Device, *Net, error)

CreateNetTUN creates a new TUN device with netstack without proxying

func CreateNetTUNWithOptions 

func CreateNetTUNWithOptions(localAddresses, dnsServers []netip.Addr, mtu int, options NetTunOptions) (tun.Device, *Net, error)

CreateNetTUNWithOptions creates a new TUN device with netstack and optional TCP/UDP proxying

func (*Net) AddProxySubnetRule 

func (net *Net) AddProxySubnetRule(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange, disableIcmp bool)

AddProxySubnetRule adds a subnet rule to the proxy handler If portRanges is nil or empty, all ports are allowed for this subnet rewriteTo can be either an IP/CIDR (e.g., "192.168.1.1/32") or a domain name (e.g., "example.com")

func (*Net) Dial 

func (tnet *Net) Dial(network, address string) (net.Conn, error)

func (*Net) DialContext 

func (tnet *Net) DialContext(ctx context.Context, network, address string) (net.Conn, error)

func (*Net) DialContextTCP 

func (net *Net) DialContextTCP(ctx context.Context, addr *net.TCPAddr) (*gonet.TCPConn, error)

func (*Net) DialContextTCPAddrPort 

func (net *Net) DialContextTCPAddrPort(ctx context.Context, addr netip.AddrPort) (*gonet.TCPConn, error)

func (*Net) DialPing 

func (net *Net) DialPing(laddr, raddr *PingAddr) (*PingConn, error)

func (*Net) DialPingAddr 

func (net *Net) DialPingAddr(laddr, raddr netip.Addr) (*PingConn, error)

func (*Net) DialTCP 

func (net *Net) DialTCP(addr *net.TCPAddr) (*gonet.TCPConn, error)

func (*Net) DialTCPAddrPort 

func (net *Net) DialTCPAddrPort(addr netip.AddrPort) (*gonet.TCPConn, error)

func (*Net) DialUDP 

func (net *Net) DialUDP(laddr, raddr *net.UDPAddr) (*gonet.UDPConn, error)

func (*Net) DialUDPAddrPort 

func (net *Net) DialUDPAddrPort(laddr, raddr netip.AddrPort) (*gonet.UDPConn, error)

func (*Net) GetProxyHandler 

func (net *Net) GetProxyHandler() *ProxyHandler

GetProxyHandler returns the proxy handler (for advanced use cases) Returns nil if proxy is not enabled

func (*Net) ListenPing 

func (net *Net) ListenPing(laddr *PingAddr) (*PingConn, error)

func (*Net) ListenPingAddr 

func (net *Net) ListenPingAddr(laddr netip.Addr) (*PingConn, error)

func (*Net) ListenTCP 

func (net *Net) ListenTCP(addr *net.TCPAddr) (*gonet.TCPListener, error)

func (*Net) ListenTCPAddrPort 

func (net *Net) ListenTCPAddrPort(addr netip.AddrPort) (*gonet.TCPListener, error)

func (*Net) ListenUDP 

func (net *Net) ListenUDP(laddr *net.UDPAddr) (*gonet.UDPConn, error)

func (*Net) ListenUDPAddrPort 

func (net *Net) ListenUDPAddrPort(laddr netip.AddrPort) (*gonet.UDPConn, error)

func (*Net) LookupContextHost 

func (tnet *Net) LookupContextHost(ctx context.Context, host string) ([]string, error)

func (*Net) LookupHost 

func (net *Net) LookupHost(host string) (addrs []string, err error)

func (*Net) RemoveProxySubnetRule 

func (net *Net) RemoveProxySubnetRule(sourcePrefix, destPrefix netip.Prefix)

RemoveProxySubnetRule removes a subnet rule from the proxy handler

type NetTunOptions 

type NetTunOptions struct {
	EnableTCPProxy  bool
	EnableUDPProxy  bool
	EnableICMPProxy bool
}

NetTunOptions contains options for creating a NetTUN device

type PingAddr 

type PingAddr struct {
	// contains filtered or unexported fields
}

func PingAddrFromAddr 

func PingAddrFromAddr(addr netip.Addr) *PingAddr

func (PingAddr) Addr 

func (ia PingAddr) Addr() netip.Addr

func (PingAddr) Network 

func (ia PingAddr) Network() string

func (PingAddr) String 

func (ia PingAddr) String() string

type PingConn 

type PingConn struct {
	// contains filtered or unexported fields
}

func (*PingConn) Close 

func (pc *PingConn) Close() error

func (*PingConn) LocalAddr 

func (pc *PingConn) LocalAddr() net.Addr

func (*PingConn) Read 

func (pc *PingConn) Read(p []byte) (n int, err error)

func (*PingConn) ReadFrom 

func (pc *PingConn) ReadFrom(p []byte) (n int, addr net.Addr, err error)

func (*PingConn) RemoteAddr 

func (pc *PingConn) RemoteAddr() net.Addr

func (*PingConn) SetDeadline 

func (pc *PingConn) SetDeadline(t time.Time) error

func (*PingConn) SetReadDeadline 

func (pc *PingConn) SetReadDeadline(t time.Time) error

func (*PingConn) SetWriteDeadline 

func (pc *PingConn) SetWriteDeadline(t time.Time) error

func (*PingConn) Write 

func (pc *PingConn) Write(p []byte) (n int, err error)

func (*PingConn) WriteTo 

func (pc *PingConn) WriteTo(p []byte, addr net.Addr) (n int, err error)

type PortRange 

type PortRange struct {
	Min      uint16
	Max      uint16
	Protocol string // "tcp", "udp", or "" for both
}

PortRange represents an allowed range of ports (inclusive) with optional protocol filtering Protocol can be "tcp", "udp", or "" (empty string means both protocols)

type ProxyHandler 

type ProxyHandler struct {
	// contains filtered or unexported fields
}

ProxyHandler handles packet injection and extraction for promiscuous mode

func NewProxyHandler 

func NewProxyHandler(options ProxyHandlerOptions) (*ProxyHandler, error)

NewProxyHandler creates a new proxy handler for promiscuous mode

func (*ProxyHandler) AddSubnetRule 

func (p *ProxyHandler) AddSubnetRule(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange, disableIcmp bool)

AddSubnetRule adds a subnet with optional port restrictions to the proxy handler sourcePrefix: The IP prefix of the peer sending the data destPrefix: The IP prefix of the destination rewriteTo: Optional address to rewrite destination to - can be IP/CIDR or domain name If portRanges is nil or empty, all ports are allowed for this subnet

func (*ProxyHandler) Close 

func (p *ProxyHandler) Close() error

Close cleans up the proxy handler resources

func (*ProxyHandler) HandleIncomingPacket 

func (p *ProxyHandler) HandleIncomingPacket(packet []byte) bool

HandleIncomingPacket processes incoming packets and determines if they should be injected into the proxy stack

func (*ProxyHandler) Initialize 

func (p *ProxyHandler) Initialize(notifiable channel.Notification) error

Initialize sets up the promiscuous NIC with the netTun's notification system

func (*ProxyHandler) LookupDestinationRewrite 

func (p *ProxyHandler) LookupDestinationRewrite(srcIP, dstIP string, dstPort uint16, proto uint8) (netip.Addr, bool)

LookupDestinationRewrite looks up the rewritten destination for a connection This is used by TCP/UDP handlers to find the actual target address

func (*ProxyHandler) QueueICMPReply 

func (p *ProxyHandler) QueueICMPReply(packet []byte) bool

QueueICMPReply queues an ICMP reply packet to be sent back through the tunnel

func (*ProxyHandler) ReadOutgoingPacket 

func (p *ProxyHandler) ReadOutgoingPacket() *buffer.View

ReadOutgoingPacket reads packets from the proxy stack that need to be sent back through the tunnel

func (*ProxyHandler) RemoveSubnetRule 

func (p *ProxyHandler) RemoveSubnetRule(sourcePrefix, destPrefix netip.Prefix)

RemoveSubnetRule removes a subnet from the proxy handler

type ProxyHandlerOptions 

type ProxyHandlerOptions struct {
	EnableTCP  bool
	EnableUDP  bool
	EnableICMP bool
	MTU        int
}

ProxyHandlerOptions configures the proxy handler

type SubnetLookup 

type SubnetLookup struct {
	// contains filtered or unexported fields
}

SubnetLookup provides fast IP subnet and port matching with O(1) lookup performance

func NewSubnetLookup 

func NewSubnetLookup() *SubnetLookup

NewSubnetLookup creates a new subnet lookup table

func (*SubnetLookup) AddSubnet 

func (sl *SubnetLookup) AddSubnet(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange, disableIcmp bool)

AddSubnet adds a subnet rule with source and destination prefixes and optional port restrictions If portRanges is nil or empty, all ports are allowed for this subnet rewriteTo can be either an IP/CIDR (e.g., "192.168.1.1/32") or a domain name (e.g., "example.com")

func (*SubnetLookup) Match 

func (sl *SubnetLookup) Match(srcIP, dstIP netip.Addr, port uint16, proto tcpip.TransportProtocolNumber) *SubnetRule

Match checks if a source IP, destination IP, port, and protocol match any subnet rule Returns the matched rule if ALL of these conditions are met:

  • The source IP is in the rule's source prefix
  • The destination IP is in the rule's destination prefix
  • The port is in an allowed range (or no port restrictions exist)
  • The protocol matches (or the port range allows both protocols)

proto should be header.TCPProtocolNumber or header.UDPProtocolNumber Returns nil if no rule matches

func (*SubnetLookup) RemoveSubnet 

func (sl *SubnetLookup) RemoveSubnet(sourcePrefix, destPrefix netip.Prefix)

RemoveSubnet removes a subnet rule from the lookup table

type SubnetRule 

type SubnetRule struct {
	SourcePrefix netip.Prefix // Source IP prefix (who is sending)
	DestPrefix   netip.Prefix // Destination IP prefix (where it's going)
	DisableIcmp  bool         // If true, ICMP traffic is blocked for this subnet
	RewriteTo    string       // Optional rewrite address for DNAT - can be IP/CIDR or domain name
	PortRanges   []PortRange  // empty slice means all ports allowed
}

SubnetRule represents a subnet with optional port restrictions and source address When RewriteTo is set, DNAT (Destination Network Address Translation) is performed:

  • Incoming packets: destination IP is rewritten to the resolved RewriteTo address
  • Outgoing packets: source IP is rewritten back to the original destination

RewriteTo can be either:

  • An IP address with CIDR notation (e.g., "192.168.1.1/32")
  • A domain name (e.g., "example.com") which will be resolved at request time

This allows transparent proxying where traffic appears to come from the rewritten address

type TCPHandler 

type TCPHandler struct {
	// contains filtered or unexported fields
}

TCPHandler handles TCP connections from netstack

func NewTCPHandler 

func NewTCPHandler(s *stack.Stack, ph *ProxyHandler) *TCPHandler

NewTCPHandler creates a new TCP handler

func (*TCPHandler) InstallTCPHandler 

func (h *TCPHandler) InstallTCPHandler() error

InstallTCPHandler installs the TCP forwarder on the stack

type UDPHandler 

type UDPHandler struct {
	// contains filtered or unexported fields
}

UDPHandler handles UDP connections from netstack

func NewUDPHandler 

func NewUDPHandler(s *stack.Stack, ph *ProxyHandler) *UDPHandler

NewUDPHandler creates a new UDP handler

func (*UDPHandler) InstallUDPHandler 

func (h *UDPHandler) InstallUDPHandler() error

InstallUDPHandler installs the UDP forwarder on the stack

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.