Update dependencies

vendor/github.com/google/nftables/expr/bitwise.go

@@ -0,0 +1,102 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+type Bitwise struct {
+	SourceRegister uint32
+	DestRegister   uint32
+	Len            uint32
+	Mask           []byte
+	Xor            []byte
+}
+
+func (e *Bitwise) marshal(fam byte) ([]byte, error) {
+	mask, err := netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_DATA_VALUE, Data: e.Mask},
+	})
+	if err != nil {
+		return nil, err
+	}
+	xor, err := netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_DATA_VALUE, Data: e.Xor},
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	data, err := netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_BITWISE_SREG, Data: binaryutil.BigEndian.PutUint32(e.SourceRegister)},
+		{Type: unix.NFTA_BITWISE_DREG, Data: binaryutil.BigEndian.PutUint32(e.DestRegister)},
+		{Type: unix.NFTA_BITWISE_LEN, Data: binaryutil.BigEndian.PutUint32(e.Len)},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_BITWISE_MASK, Data: mask},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_BITWISE_XOR, Data: xor},
+	})
+	if err != nil {
+		return nil, err
+	}
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("bitwise\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *Bitwise) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_BITWISE_SREG:
+			e.SourceRegister = ad.Uint32()
+		case unix.NFTA_BITWISE_DREG:
+			e.DestRegister = ad.Uint32()
+		case unix.NFTA_BITWISE_LEN:
+			e.Len = ad.Uint32()
+		case unix.NFTA_BITWISE_MASK:
+			// Since NFTA_BITWISE_MASK is nested, it requires additional decoding
+			ad.Nested(func(nad *netlink.AttributeDecoder) error {
+				for nad.Next() {
+					switch nad.Type() {
+					case unix.NFTA_DATA_VALUE:
+						e.Mask = nad.Bytes()
+					}
+				}
+				return nil
+			})
+		case unix.NFTA_BITWISE_XOR:
+			// Since NFTA_BITWISE_XOR is nested, it requires additional decoding
+			ad.Nested(func(nad *netlink.AttributeDecoder) error {
+				for nad.Next() {
+					switch nad.Type() {
+					case unix.NFTA_DATA_VALUE:
+						e.Xor = nad.Bytes()
+					}
+				}
+				return nil
+			})
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/byteorder.go

@@ -0,0 +1,59 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"fmt"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+type ByteorderOp uint32
+
+const (
+	ByteorderNtoh ByteorderOp = unix.NFT_BYTEORDER_NTOH
+	ByteorderHton ByteorderOp = unix.NFT_BYTEORDER_HTON
+)
+
+type Byteorder struct {
+	SourceRegister uint32
+	DestRegister   uint32
+	Op             ByteorderOp
+	Len            uint32
+	Size           uint32
+}
+
+func (e *Byteorder) marshal(fam byte) ([]byte, error) {
+	data, err := netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_BYTEORDER_SREG, Data: binaryutil.BigEndian.PutUint32(e.SourceRegister)},
+		{Type: unix.NFTA_BYTEORDER_DREG, Data: binaryutil.BigEndian.PutUint32(e.DestRegister)},
+		{Type: unix.NFTA_BYTEORDER_OP, Data: binaryutil.BigEndian.PutUint32(uint32(e.Op))},
+		{Type: unix.NFTA_BYTEORDER_LEN, Data: binaryutil.BigEndian.PutUint32(e.Len)},
+		{Type: unix.NFTA_BYTEORDER_SIZE, Data: binaryutil.BigEndian.PutUint32(e.Size)},
+	})
+	if err != nil {
+		return nil, err
+	}
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("byteorder\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *Byteorder) unmarshal(fam byte, data []byte) error {
+	return fmt.Errorf("not yet implemented")
+}

vendor/github.com/google/nftables/expr/connlimit.go

@@ -0,0 +1,70 @@
+// Copyright 2019 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+const (
+	// Per https://git.netfilter.org/libnftnl/tree/include/linux/netfilter/nf_tables.h?id=84d12cfacf8ddd857a09435f3d982ab6250d250c#n1167
+	NFTA_CONNLIMIT_UNSPEC = iota
+	NFTA_CONNLIMIT_COUNT
+	NFTA_CONNLIMIT_FLAGS
+	NFT_CONNLIMIT_F_INV = 1
+)
+
+// Per https://git.netfilter.org/libnftnl/tree/src/expr/connlimit.c?id=84d12cfacf8ddd857a09435f3d982ab6250d250c
+type Connlimit struct {
+	Count uint32
+	Flags uint32
+}
+
+func (e *Connlimit) marshal(fam byte) ([]byte, error) {
+	data, err := netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: NFTA_CONNLIMIT_COUNT, Data: binaryutil.BigEndian.PutUint32(e.Count)},
+		{Type: NFTA_CONNLIMIT_FLAGS, Data: binaryutil.BigEndian.PutUint32(e.Flags)},
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("connlimit\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *Connlimit) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case NFTA_CONNLIMIT_COUNT:
+			e.Count = binaryutil.BigEndian.Uint32(ad.Bytes())
+		case NFTA_CONNLIMIT_FLAGS:
+			e.Flags = binaryutil.BigEndian.Uint32(ad.Bytes())
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/counter.go

@@ -0,0 +1,60 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+type Counter struct {
+	Bytes   uint64
+	Packets uint64
+}
+
+func (e *Counter) marshal(fam byte) ([]byte, error) {
+	data, err := netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_COUNTER_BYTES, Data: binaryutil.BigEndian.PutUint64(e.Bytes)},
+		{Type: unix.NFTA_COUNTER_PACKETS, Data: binaryutil.BigEndian.PutUint64(e.Packets)},
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("counter\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *Counter) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_COUNTER_BYTES:
+			e.Bytes = ad.Uint64()
+		case unix.NFTA_COUNTER_PACKETS:
+			e.Packets = ad.Uint64()
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/ct.go

@@ -0,0 +1,115 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+// CtKey specifies which piece of conntrack information should be loaded. See
+// also https://wiki.nftables.org/wiki-nftables/index.php/Matching_connection_tracking_stateful_metainformation
+type CtKey uint32
+
+// Possible CtKey values.
+const (
+	CtKeySTATE      CtKey = unix.NFT_CT_STATE
+	CtKeyDIRECTION  CtKey = unix.NFT_CT_DIRECTION
+	CtKeySTATUS     CtKey = unix.NFT_CT_STATUS
+	CtKeyMARK       CtKey = unix.NFT_CT_MARK
+	CtKeySECMARK    CtKey = unix.NFT_CT_SECMARK
+	CtKeyEXPIRATION CtKey = unix.NFT_CT_EXPIRATION
+	CtKeyHELPER     CtKey = unix.NFT_CT_HELPER
+	CtKeyL3PROTOCOL CtKey = unix.NFT_CT_L3PROTOCOL
+	CtKeySRC        CtKey = unix.NFT_CT_SRC
+	CtKeyDST        CtKey = unix.NFT_CT_DST
+	CtKeyPROTOCOL   CtKey = unix.NFT_CT_PROTOCOL
+	CtKeyPROTOSRC   CtKey = unix.NFT_CT_PROTO_SRC
+	CtKeyPROTODST   CtKey = unix.NFT_CT_PROTO_DST
+	CtKeyLABELS     CtKey = unix.NFT_CT_LABELS
+	CtKeyPKTS       CtKey = unix.NFT_CT_PKTS
+	CtKeyBYTES      CtKey = unix.NFT_CT_BYTES
+	CtKeyAVGPKT     CtKey = unix.NFT_CT_AVGPKT
+	CtKeyZONE       CtKey = unix.NFT_CT_ZONE
+	CtKeyEVENTMASK  CtKey = unix.NFT_CT_EVENTMASK
+
+	// https://sources.debian.org/src//nftables/0.9.8-3/src/ct.c/?hl=39#L39
+	CtStateBitINVALID     uint32 = 1
+	CtStateBitESTABLISHED uint32 = 2
+	CtStateBitRELATED     uint32 = 4
+	CtStateBitNEW         uint32 = 8
+	CtStateBitUNTRACKED   uint32 = 64
+)
+
+// Ct defines type for NFT connection tracking
+type Ct struct {
+	Register       uint32
+	SourceRegister bool
+	Key            CtKey
+}
+
+func (e *Ct) marshal(fam byte) ([]byte, error) {
+	regData := []byte{}
+	exprData, err := netlink.MarshalAttributes(
+		[]netlink.Attribute{
+			{Type: unix.NFTA_CT_KEY, Data: binaryutil.BigEndian.PutUint32(uint32(e.Key))},
+		},
+	)
+	if err != nil {
+		return nil, err
+	}
+	if e.SourceRegister {
+		regData, err = netlink.MarshalAttributes(
+			[]netlink.Attribute{
+				{Type: unix.NFTA_CT_SREG, Data: binaryutil.BigEndian.PutUint32(e.Register)},
+			},
+		)
+	} else {
+		regData, err = netlink.MarshalAttributes(
+			[]netlink.Attribute{
+				{Type: unix.NFTA_CT_DREG, Data: binaryutil.BigEndian.PutUint32(e.Register)},
+			},
+		)
+	}
+	if err != nil {
+		return nil, err
+	}
+	exprData = append(exprData, regData...)
+
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("ct\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: exprData},
+	})
+}
+
+func (e *Ct) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_CT_KEY:
+			e.Key = CtKey(ad.Uint32())
+		case unix.NFTA_CT_DREG:
+			e.Register = ad.Uint32()
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/dup.go

@@ -0,0 +1,67 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+type Dup struct {
+	RegAddr     uint32
+	RegDev      uint32
+	IsRegDevSet bool
+}
+
+func (e *Dup) marshal(fam byte) ([]byte, error) {
+	attrs := []netlink.Attribute{
+		{Type: unix.NFTA_DUP_SREG_ADDR, Data: binaryutil.BigEndian.PutUint32(e.RegAddr)},
+	}
+
+	if e.IsRegDevSet {
+		attrs = append(attrs, netlink.Attribute{Type: unix.NFTA_DUP_SREG_DEV, Data: binaryutil.BigEndian.PutUint32(e.RegDev)})
+	}
+
+	data, err := netlink.MarshalAttributes(attrs)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("dup\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *Dup) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_DUP_SREG_ADDR:
+			e.RegAddr = ad.Uint32()
+		case unix.NFTA_DUP_SREG_DEV:
+			e.RegDev = ad.Uint32()
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/dynset.go

@@ -0,0 +1,149 @@
+// Copyright 2020 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+	"time"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/google/nftables/internal/parseexprfunc"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+// Not yet supported by unix package
+// https://cs.opensource.google/go/x/sys/+/c6bc011c:unix/ztypes_linux.go;l=2027-2036
+const (
+	NFTA_DYNSET_EXPRESSIONS = 0xa
+	NFT_DYNSET_F_EXPR       = (1 << 1)
+)
+
+// Dynset represent a rule dynamically adding or updating a set or a map based on an incoming packet.
+type Dynset struct {
+	SrcRegKey  uint32
+	SrcRegData uint32
+	SetID      uint32
+	SetName    string
+	Operation  uint32
+	Timeout    time.Duration
+	Invert     bool
+	Exprs      []Any
+}
+
+func (e *Dynset) marshal(fam byte) ([]byte, error) {
+	// See: https://git.netfilter.org/libnftnl/tree/src/expr/dynset.c
+	var opAttrs []netlink.Attribute
+	opAttrs = append(opAttrs, netlink.Attribute{Type: unix.NFTA_DYNSET_SREG_KEY, Data: binaryutil.BigEndian.PutUint32(e.SrcRegKey)})
+	if e.SrcRegData != 0 {
+		opAttrs = append(opAttrs, netlink.Attribute{Type: unix.NFTA_DYNSET_SREG_DATA, Data: binaryutil.BigEndian.PutUint32(e.SrcRegData)})
+	}
+	opAttrs = append(opAttrs, netlink.Attribute{Type: unix.NFTA_DYNSET_OP, Data: binaryutil.BigEndian.PutUint32(e.Operation)})
+	if e.Timeout != 0 {
+		opAttrs = append(opAttrs, netlink.Attribute{Type: unix.NFTA_DYNSET_TIMEOUT, Data: binaryutil.BigEndian.PutUint64(uint64(e.Timeout.Milliseconds()))})
+	}
+	var flags uint32
+	if e.Invert {
+		flags |= unix.NFT_DYNSET_F_INV
+	}
+
+	opAttrs = append(opAttrs,
+		netlink.Attribute{Type: unix.NFTA_DYNSET_SET_NAME, Data: []byte(e.SetName + "\x00")},
+		netlink.Attribute{Type: unix.NFTA_DYNSET_SET_ID, Data: binaryutil.BigEndian.PutUint32(e.SetID)})
+
+	// Per https://git.netfilter.org/libnftnl/tree/src/expr/dynset.c?id=84d12cfacf8ddd857a09435f3d982ab6250d250c#n170
+	if len(e.Exprs) > 0 {
+		flags |= NFT_DYNSET_F_EXPR
+		switch len(e.Exprs) {
+		case 1:
+			exprData, err := Marshal(fam, e.Exprs[0])
+			if err != nil {
+				return nil, err
+			}
+			opAttrs = append(opAttrs, netlink.Attribute{Type: unix.NFTA_DYNSET_EXPR, Data: exprData})
+		default:
+			var elemAttrs []netlink.Attribute
+			for _, ex := range e.Exprs {
+				exprData, err := Marshal(fam, ex)
+				if err != nil {
+					return nil, err
+				}
+				elemAttrs = append(elemAttrs, netlink.Attribute{Type: unix.NFTA_LIST_ELEM, Data: exprData})
+			}
+			elemData, err := netlink.MarshalAttributes(elemAttrs)
+			if err != nil {
+				return nil, err
+			}
+			opAttrs = append(opAttrs, netlink.Attribute{Type: NFTA_DYNSET_EXPRESSIONS, Data: elemData})
+		}
+	}
+	opAttrs = append(opAttrs, netlink.Attribute{Type: unix.NFTA_DYNSET_FLAGS, Data: binaryutil.BigEndian.PutUint32(flags)})
+
+	opData, err := netlink.MarshalAttributes(opAttrs)
+	if err != nil {
+		return nil, err
+	}
+
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("dynset\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: opData},
+	})
+}
+
+func (e *Dynset) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_DYNSET_SET_NAME:
+			e.SetName = ad.String()
+		case unix.NFTA_DYNSET_SET_ID:
+			e.SetID = ad.Uint32()
+		case unix.NFTA_DYNSET_SREG_KEY:
+			e.SrcRegKey = ad.Uint32()
+		case unix.NFTA_DYNSET_SREG_DATA:
+			e.SrcRegData = ad.Uint32()
+		case unix.NFTA_DYNSET_OP:
+			e.Operation = ad.Uint32()
+		case unix.NFTA_DYNSET_TIMEOUT:
+			e.Timeout = time.Duration(time.Millisecond * time.Duration(ad.Uint64()))
+		case unix.NFTA_DYNSET_FLAGS:
+			e.Invert = (ad.Uint32() & unix.NFT_DYNSET_F_INV) != 0
+		case unix.NFTA_DYNSET_EXPR:
+			exprs, err := parseexprfunc.ParseExprBytesFunc(fam, ad, ad.Bytes())
+			if err != nil {
+				return err
+			}
+			e.setInterfaceExprs(exprs)
+		case NFTA_DYNSET_EXPRESSIONS:
+			exprs, err := parseexprfunc.ParseExprMsgFunc(fam, ad.Bytes())
+			if err != nil {
+				return err
+			}
+			e.setInterfaceExprs(exprs)
+		}
+	}
+	return ad.Err()
+}
+
+func (e *Dynset) setInterfaceExprs(exprs []interface{}) {
+	e.Exprs = make([]Any, len(exprs))
+	for i := range exprs {
+		e.Exprs[i] = exprs[i].(Any)
+	}
+}

vendor/github.com/google/nftables/expr/expr.go

@@ -0,0 +1,430 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package expr provides nftables rule expressions.
+package expr
+
+import (
+	"encoding/binary"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/google/nftables/internal/parseexprfunc"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+func init() {
+	parseexprfunc.ParseExprBytesFunc = func(fam byte, ad *netlink.AttributeDecoder, b []byte) ([]interface{}, error) {
+		exprs, err := exprsFromBytes(fam, ad, b)
+		if err != nil {
+			return nil, err
+		}
+		result := make([]interface{}, len(exprs))
+		for idx, expr := range exprs {
+			result[idx] = expr
+		}
+		return result, nil
+	}
+	parseexprfunc.ParseExprMsgFunc = func(fam byte, b []byte) ([]interface{}, error) {
+		ad, err := netlink.NewAttributeDecoder(b)
+		if err != nil {
+			return nil, err
+		}
+		ad.ByteOrder = binary.BigEndian
+		var exprs []interface{}
+		for ad.Next() {
+			e, err := parseexprfunc.ParseExprBytesFunc(fam, ad, b)
+			if err != nil {
+				return e, err
+			}
+			exprs = append(exprs, e...)
+		}
+		return exprs, ad.Err()
+	}
+}
+
+// Marshal serializes the specified expression into a byte slice.
+func Marshal(fam byte, e Any) ([]byte, error) {
+	return e.marshal(fam)
+}
+
+// Unmarshal fills an expression from the specified byte slice.
+func Unmarshal(fam byte, data []byte, e Any) error {
+	return e.unmarshal(fam, data)
+}
+
+// exprsFromBytes parses nested raw expressions bytes
+// to construct nftables expressions
+func exprsFromBytes(fam byte, ad *netlink.AttributeDecoder, b []byte) ([]Any, error) {
+	var exprs []Any
+	ad.Do(func(b []byte) error {
+		ad, err := netlink.NewAttributeDecoder(b)
+		if err != nil {
+			return err
+		}
+		ad.ByteOrder = binary.BigEndian
+		var name string
+		for ad.Next() {
+			switch ad.Type() {
+			case unix.NFTA_EXPR_NAME:
+				name = ad.String()
+				if name == "notrack" {
+					e := &Notrack{}
+					exprs = append(exprs, e)
+				}
+			case unix.NFTA_EXPR_DATA:
+				var e Any
+				switch name {
+				case "ct":
+					e = &Ct{}
+				case "range":
+					e = &Range{}
+				case "meta":
+					e = &Meta{}
+				case "cmp":
+					e = &Cmp{}
+				case "counter":
+					e = &Counter{}
+				case "objref":
+					e = &Objref{}
+				case "payload":
+					e = &Payload{}
+				case "lookup":
+					e = &Lookup{}
+				case "immediate":
+					e = &Immediate{}
+				case "bitwise":
+					e = &Bitwise{}
+				case "redir":
+					e = &Redir{}
+				case "nat":
+					e = &NAT{}
+				case "limit":
+					e = &Limit{}
+				case "quota":
+					e = &Quota{}
+				case "dynset":
+					e = &Dynset{}
+				case "log":
+					e = &Log{}
+				case "exthdr":
+					e = &Exthdr{}
+				case "match":
+					e = &Match{}
+				case "target":
+					e = &Target{}
+				case "connlimit":
+					e = &Connlimit{}
+				case "queue":
+					e = &Queue{}
+				case "flow_offload":
+					e = &FlowOffload{}
+				case "reject":
+					e = &Reject{}
+				case "masq":
+					e = &Masq{}
+				case "hash":
+					e = &Hash{}
+				}
+				if e == nil {
+					// TODO: introduce an opaque expression type so that users know
+					// something is here.
+					continue // unsupported expression type
+				}
+
+				ad.Do(func(b []byte) error {
+					if err := Unmarshal(fam, b, e); err != nil {
+						return err
+					}
+					// Verdict expressions are a special-case of immediate expressions, so
+					// if the expression is an immediate writing nothing into the verdict
+					// register (invalid), re-parse it as a verdict expression.
+					if imm, isImmediate := e.(*Immediate); isImmediate && imm.Register == unix.NFT_REG_VERDICT && len(imm.Data) == 0 {
+						e = &Verdict{}
+						if err := Unmarshal(fam, b, e); err != nil {
+							return err
+						}
+					}
+					exprs = append(exprs, e)
+					return nil
+				})
+			}
+		}
+		return ad.Err()
+	})
+	return exprs, ad.Err()
+}
+
+// Any is an interface implemented by any expression type.
+type Any interface {
+	marshal(fam byte) ([]byte, error)
+	unmarshal(fam byte, data []byte) error
+}
+
+// MetaKey specifies which piece of meta information should be loaded. See also
+// https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation
+type MetaKey uint32
+
+// Possible MetaKey values.
+const (
+	MetaKeyLEN        MetaKey = unix.NFT_META_LEN
+	MetaKeyPROTOCOL   MetaKey = unix.NFT_META_PROTOCOL
+	MetaKeyPRIORITY   MetaKey = unix.NFT_META_PRIORITY
+	MetaKeyMARK       MetaKey = unix.NFT_META_MARK
+	MetaKeyIIF        MetaKey = unix.NFT_META_IIF
+	MetaKeyOIF        MetaKey = unix.NFT_META_OIF
+	MetaKeyIIFNAME    MetaKey = unix.NFT_META_IIFNAME
+	MetaKeyOIFNAME    MetaKey = unix.NFT_META_OIFNAME
+	MetaKeyIIFTYPE    MetaKey = unix.NFT_META_IIFTYPE
+	MetaKeyOIFTYPE    MetaKey = unix.NFT_META_OIFTYPE
+	MetaKeySKUID      MetaKey = unix.NFT_META_SKUID
+	MetaKeySKGID      MetaKey = unix.NFT_META_SKGID
+	MetaKeyNFTRACE    MetaKey = unix.NFT_META_NFTRACE
+	MetaKeyRTCLASSID  MetaKey = unix.NFT_META_RTCLASSID
+	MetaKeySECMARK    MetaKey = unix.NFT_META_SECMARK
+	MetaKeyNFPROTO    MetaKey = unix.NFT_META_NFPROTO
+	MetaKeyL4PROTO    MetaKey = unix.NFT_META_L4PROTO
+	MetaKeyBRIIIFNAME MetaKey = unix.NFT_META_BRI_IIFNAME
+	MetaKeyBRIOIFNAME MetaKey = unix.NFT_META_BRI_OIFNAME
+	MetaKeyPKTTYPE    MetaKey = unix.NFT_META_PKTTYPE
+	MetaKeyCPU        MetaKey = unix.NFT_META_CPU
+	MetaKeyIIFGROUP   MetaKey = unix.NFT_META_IIFGROUP
+	MetaKeyOIFGROUP   MetaKey = unix.NFT_META_OIFGROUP
+	MetaKeyCGROUP     MetaKey = unix.NFT_META_CGROUP
+	MetaKeyPRANDOM    MetaKey = unix.NFT_META_PRANDOM
+)
+
+// Meta loads packet meta information for later comparisons. See also
+// https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation
+type Meta struct {
+	Key            MetaKey
+	SourceRegister bool
+	Register       uint32
+}
+
+func (e *Meta) marshal(fam byte) ([]byte, error) {
+	regData := []byte{}
+	exprData, err := netlink.MarshalAttributes(
+		[]netlink.Attribute{
+			{Type: unix.NFTA_META_KEY, Data: binaryutil.BigEndian.PutUint32(uint32(e.Key))},
+		},
+	)
+	if err != nil {
+		return nil, err
+	}
+	if e.SourceRegister {
+		regData, err = netlink.MarshalAttributes(
+			[]netlink.Attribute{
+				{Type: unix.NFTA_META_SREG, Data: binaryutil.BigEndian.PutUint32(e.Register)},
+			},
+		)
+	} else {
+		regData, err = netlink.MarshalAttributes(
+			[]netlink.Attribute{
+				{Type: unix.NFTA_META_DREG, Data: binaryutil.BigEndian.PutUint32(e.Register)},
+			},
+		)
+	}
+	if err != nil {
+		return nil, err
+	}
+	exprData = append(exprData, regData...)
+
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("meta\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: exprData},
+	})
+}
+
+func (e *Meta) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_META_SREG:
+			e.Register = ad.Uint32()
+			e.SourceRegister = true
+		case unix.NFTA_META_DREG:
+			e.Register = ad.Uint32()
+		case unix.NFTA_META_KEY:
+			e.Key = MetaKey(ad.Uint32())
+		}
+	}
+	return ad.Err()
+}
+
+// Masq (Masquerade) is a special case of SNAT, where the source address is
+// automagically set to the address of the output interface. See also
+// https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)#Masquerading
+type Masq struct {
+	Random      bool
+	FullyRandom bool
+	Persistent  bool
+	ToPorts     bool
+	RegProtoMin uint32
+	RegProtoMax uint32
+}
+
+const (
+	// NF_NAT_RANGE_PROTO_RANDOM defines flag for a random masquerade
+	NF_NAT_RANGE_PROTO_RANDOM = unix.NF_NAT_RANGE_PROTO_RANDOM
+	// NF_NAT_RANGE_PROTO_RANDOM_FULLY defines flag for a fully random masquerade
+	NF_NAT_RANGE_PROTO_RANDOM_FULLY = unix.NF_NAT_RANGE_PROTO_RANDOM_FULLY
+	// NF_NAT_RANGE_PERSISTENT defines flag for a persistent masquerade
+	NF_NAT_RANGE_PERSISTENT = unix.NF_NAT_RANGE_PERSISTENT
+	// NF_NAT_RANGE_PREFIX defines flag for a prefix masquerade
+	NF_NAT_RANGE_PREFIX = unix.NF_NAT_RANGE_NETMAP
+)
+
+func (e *Masq) marshal(fam byte) ([]byte, error) {
+	msgData := []byte{}
+	if !e.ToPorts {
+		flags := uint32(0)
+		if e.Random {
+			flags |= NF_NAT_RANGE_PROTO_RANDOM
+		}
+		if e.FullyRandom {
+			flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY
+		}
+		if e.Persistent {
+			flags |= NF_NAT_RANGE_PERSISTENT
+		}
+		if flags != 0 {
+			flagsData, err := netlink.MarshalAttributes([]netlink.Attribute{
+				{Type: unix.NFTA_MASQ_FLAGS, Data: binaryutil.BigEndian.PutUint32(flags)}})
+			if err != nil {
+				return nil, err
+			}
+			msgData = append(msgData, flagsData...)
+		}
+	} else {
+		regsData, err := netlink.MarshalAttributes([]netlink.Attribute{
+			{Type: unix.NFTA_MASQ_REG_PROTO_MIN, Data: binaryutil.BigEndian.PutUint32(e.RegProtoMin)}})
+		if err != nil {
+			return nil, err
+		}
+		msgData = append(msgData, regsData...)
+		if e.RegProtoMax != 0 {
+			regsData, err := netlink.MarshalAttributes([]netlink.Attribute{
+				{Type: unix.NFTA_MASQ_REG_PROTO_MAX, Data: binaryutil.BigEndian.PutUint32(e.RegProtoMax)}})
+			if err != nil {
+				return nil, err
+			}
+			msgData = append(msgData, regsData...)
+		}
+	}
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("masq\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: msgData},
+	})
+}
+
+func (e *Masq) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_MASQ_REG_PROTO_MIN:
+			e.ToPorts = true
+			e.RegProtoMin = ad.Uint32()
+		case unix.NFTA_MASQ_REG_PROTO_MAX:
+			e.RegProtoMax = ad.Uint32()
+		case unix.NFTA_MASQ_FLAGS:
+			flags := ad.Uint32()
+			e.Persistent = (flags & NF_NAT_RANGE_PERSISTENT) != 0
+			e.Random = (flags & NF_NAT_RANGE_PROTO_RANDOM) != 0
+			e.FullyRandom = (flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) != 0
+		}
+	}
+	return ad.Err()
+}
+
+// CmpOp specifies which type of comparison should be performed.
+type CmpOp uint32
+
+// Possible CmpOp values.
+const (
+	CmpOpEq  CmpOp = unix.NFT_CMP_EQ
+	CmpOpNeq CmpOp = unix.NFT_CMP_NEQ
+	CmpOpLt  CmpOp = unix.NFT_CMP_LT
+	CmpOpLte CmpOp = unix.NFT_CMP_LTE
+	CmpOpGt  CmpOp = unix.NFT_CMP_GT
+	CmpOpGte CmpOp = unix.NFT_CMP_GTE
+)
+
+// Cmp compares a register with the specified data.
+type Cmp struct {
+	Op       CmpOp
+	Register uint32
+	Data     []byte
+}
+
+func (e *Cmp) marshal(fam byte) ([]byte, error) {
+	cmpData, err := netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_DATA_VALUE, Data: e.Data},
+	})
+	if err != nil {
+		return nil, err
+	}
+	exprData, err := netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_CMP_SREG, Data: binaryutil.BigEndian.PutUint32(e.Register)},
+		{Type: unix.NFTA_CMP_OP, Data: binaryutil.BigEndian.PutUint32(uint32(e.Op))},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_CMP_DATA, Data: cmpData},
+	})
+	if err != nil {
+		return nil, err
+	}
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("cmp\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: exprData},
+	})
+}
+
+func (e *Cmp) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_CMP_SREG:
+			e.Register = ad.Uint32()
+		case unix.NFTA_CMP_OP:
+			e.Op = CmpOp(ad.Uint32())
+		case unix.NFTA_CMP_DATA:
+			ad.Do(func(b []byte) error {
+				ad, err := netlink.NewAttributeDecoder(b)
+				if err != nil {
+					return err
+				}
+				ad.ByteOrder = binary.BigEndian
+				if ad.Next() && ad.Type() == unix.NFTA_DATA_VALUE {
+					ad.Do(func(b []byte) error {
+						e.Data = b
+						return nil
+					})
+				}
+				return ad.Err()
+			})
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/exthdr.go

@@ -0,0 +1,102 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+type ExthdrOp uint32
+
+const (
+	ExthdrOpIpv6   ExthdrOp = unix.NFT_EXTHDR_OP_IPV6
+	ExthdrOpTcpopt ExthdrOp = unix.NFT_EXTHDR_OP_TCPOPT
+)
+
+type Exthdr struct {
+	DestRegister   uint32
+	Type           uint8
+	Offset         uint32
+	Len            uint32
+	Flags          uint32
+	Op             ExthdrOp
+	SourceRegister uint32
+}
+
+func (e *Exthdr) marshal(fam byte) ([]byte, error) {
+	var attr []netlink.Attribute
+
+	// Operations are differentiated by the Op and whether the SourceRegister
+	// or DestRegister is set. Mixing them results in EOPNOTSUPP.
+	if e.SourceRegister != 0 {
+		attr = []netlink.Attribute{
+			{Type: unix.NFTA_EXTHDR_SREG, Data: binaryutil.BigEndian.PutUint32(e.SourceRegister)}}
+	} else {
+		attr = []netlink.Attribute{
+			{Type: unix.NFTA_EXTHDR_DREG, Data: binaryutil.BigEndian.PutUint32(e.DestRegister)}}
+	}
+
+	attr = append(attr,
+		netlink.Attribute{Type: unix.NFTA_EXTHDR_TYPE, Data: []byte{e.Type}},
+		netlink.Attribute{Type: unix.NFTA_EXTHDR_OFFSET, Data: binaryutil.BigEndian.PutUint32(e.Offset)},
+		netlink.Attribute{Type: unix.NFTA_EXTHDR_LEN, Data: binaryutil.BigEndian.PutUint32(e.Len)},
+		netlink.Attribute{Type: unix.NFTA_EXTHDR_OP, Data: binaryutil.BigEndian.PutUint32(uint32(e.Op))})
+
+	// Flags is only set if DREG is set
+	if e.DestRegister != 0 {
+		attr = append(attr,
+			netlink.Attribute{Type: unix.NFTA_EXTHDR_FLAGS, Data: binaryutil.BigEndian.PutUint32(e.Flags)})
+	}
+
+	data, err := netlink.MarshalAttributes(attr)
+	if err != nil {
+		return nil, err
+	}
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("exthdr\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *Exthdr) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_EXTHDR_DREG:
+			e.DestRegister = ad.Uint32()
+		case unix.NFTA_EXTHDR_TYPE:
+			e.Type = ad.Uint8()
+		case unix.NFTA_EXTHDR_OFFSET:
+			e.Offset = ad.Uint32()
+		case unix.NFTA_EXTHDR_LEN:
+			e.Len = ad.Uint32()
+		case unix.NFTA_EXTHDR_FLAGS:
+			e.Flags = ad.Uint32()
+		case unix.NFTA_EXTHDR_OP:
+			e.Op = ExthdrOp(ad.Uint32())
+		case unix.NFTA_EXTHDR_SREG:
+			e.SourceRegister = ad.Uint32()
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/fib.go

@@ -0,0 +1,128 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+// Fib defines fib expression structure
+type Fib struct {
+	Register       uint32
+	ResultOIF      bool
+	ResultOIFNAME  bool
+	ResultADDRTYPE bool
+	FlagSADDR      bool
+	FlagDADDR      bool
+	FlagMARK       bool
+	FlagIIF        bool
+	FlagOIF        bool
+	FlagPRESENT    bool
+}
+
+func (e *Fib) marshal(fam byte) ([]byte, error) {
+	data := []byte{}
+	reg, err := netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_FIB_DREG, Data: binaryutil.BigEndian.PutUint32(e.Register)},
+	})
+	if err != nil {
+		return nil, err
+	}
+	data = append(data, reg...)
+	flags := uint32(0)
+	if e.FlagSADDR {
+		flags |= unix.NFTA_FIB_F_SADDR
+	}
+	if e.FlagDADDR {
+		flags |= unix.NFTA_FIB_F_DADDR
+	}
+	if e.FlagMARK {
+		flags |= unix.NFTA_FIB_F_MARK
+	}
+	if e.FlagIIF {
+		flags |= unix.NFTA_FIB_F_IIF
+	}
+	if e.FlagOIF {
+		flags |= unix.NFTA_FIB_F_OIF
+	}
+	if e.FlagPRESENT {
+		flags |= unix.NFTA_FIB_F_PRESENT
+	}
+	if flags != 0 {
+		flg, err := netlink.MarshalAttributes([]netlink.Attribute{
+			{Type: unix.NFTA_FIB_FLAGS, Data: binaryutil.BigEndian.PutUint32(flags)},
+		})
+		if err != nil {
+			return nil, err
+		}
+		data = append(data, flg...)
+	}
+	results := uint32(0)
+	if e.ResultOIF {
+		results |= unix.NFT_FIB_RESULT_OIF
+	}
+	if e.ResultOIFNAME {
+		results |= unix.NFT_FIB_RESULT_OIFNAME
+	}
+	if e.ResultADDRTYPE {
+		results |= unix.NFT_FIB_RESULT_ADDRTYPE
+	}
+	if results != 0 {
+		rslt, err := netlink.MarshalAttributes([]netlink.Attribute{
+			{Type: unix.NFTA_FIB_RESULT, Data: binaryutil.BigEndian.PutUint32(results)},
+		})
+		if err != nil {
+			return nil, err
+		}
+		data = append(data, rslt...)
+	}
+
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("fib\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *Fib) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_FIB_DREG:
+			e.Register = ad.Uint32()
+		case unix.NFTA_FIB_RESULT:
+			result := ad.Uint32()
+			e.ResultOIF = (result & unix.NFT_FIB_RESULT_OIF) == 1
+			e.ResultOIFNAME = (result & unix.NFT_FIB_RESULT_OIFNAME) == 1
+			e.ResultADDRTYPE = (result & unix.NFT_FIB_RESULT_ADDRTYPE) == 1
+		case unix.NFTA_FIB_FLAGS:
+			flags := ad.Uint32()
+			e.FlagSADDR = (flags & unix.NFTA_FIB_F_SADDR) == 1
+			e.FlagDADDR = (flags & unix.NFTA_FIB_F_DADDR) == 1
+			e.FlagMARK = (flags & unix.NFTA_FIB_F_MARK) == 1
+			e.FlagIIF = (flags & unix.NFTA_FIB_F_IIF) == 1
+			e.FlagOIF = (flags & unix.NFTA_FIB_F_OIF) == 1
+			e.FlagPRESENT = (flags & unix.NFTA_FIB_F_PRESENT) == 1
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/flow_offload.go

@@ -0,0 +1,59 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+const NFTNL_EXPR_FLOW_TABLE_NAME = 1
+
+type FlowOffload struct {
+	Name string
+}
+
+func (e *FlowOffload) marshal(fam byte) ([]byte, error) {
+	data, err := netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: NFTNL_EXPR_FLOW_TABLE_NAME, Data: []byte(e.Name)},
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("flow_offload\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *FlowOffload) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case NFTNL_EXPR_FLOW_TABLE_NAME:
+			e.Name = ad.String()
+		}
+	}
+
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/hash.go

@@ -0,0 +1,94 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+type HashType uint32
+
+const (
+	HashTypeJenkins HashType = unix.NFT_HASH_JENKINS
+	HashTypeSym     HashType = unix.NFT_HASH_SYM
+)
+
+// Hash defines type for nftables internal hashing functions
+type Hash struct {
+	SourceRegister uint32
+	DestRegister   uint32
+	Length         uint32
+	Modulus        uint32
+	Seed           uint32
+	Offset         uint32
+	Type           HashType
+}
+
+func (e *Hash) marshal(fam byte) ([]byte, error) {
+	hashAttrs := []netlink.Attribute{
+		{Type: unix.NFTA_HASH_SREG, Data: binaryutil.BigEndian.PutUint32(uint32(e.SourceRegister))},
+		{Type: unix.NFTA_HASH_DREG, Data: binaryutil.BigEndian.PutUint32(uint32(e.DestRegister))},
+		{Type: unix.NFTA_HASH_LEN, Data: binaryutil.BigEndian.PutUint32(uint32(e.Length))},
+		{Type: unix.NFTA_HASH_MODULUS, Data: binaryutil.BigEndian.PutUint32(uint32(e.Modulus))},
+	}
+	if e.Seed != 0 {
+		hashAttrs = append(hashAttrs, netlink.Attribute{
+			Type: unix.NFTA_HASH_SEED, Data: binaryutil.BigEndian.PutUint32(uint32(e.Seed)),
+		})
+	}
+	hashAttrs = append(hashAttrs, []netlink.Attribute{
+		{Type: unix.NFTA_HASH_OFFSET, Data: binaryutil.BigEndian.PutUint32(uint32(e.Offset))},
+		{Type: unix.NFTA_HASH_TYPE, Data: binaryutil.BigEndian.PutUint32(uint32(e.Type))},
+	}...)
+	data, err := netlink.MarshalAttributes(hashAttrs)
+	if err != nil {
+		return nil, err
+	}
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("hash\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *Hash) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_HASH_SREG:
+			e.SourceRegister = ad.Uint32()
+		case unix.NFTA_HASH_DREG:
+			e.DestRegister = ad.Uint32()
+		case unix.NFTA_HASH_LEN:
+			e.Length = ad.Uint32()
+		case unix.NFTA_HASH_MODULUS:
+			e.Modulus = ad.Uint32()
+		case unix.NFTA_HASH_SEED:
+			e.Seed = ad.Uint32()
+		case unix.NFTA_HASH_OFFSET:
+			e.Offset = ad.Uint32()
+		case unix.NFTA_HASH_TYPE:
+			e.Type = HashType(ad.Uint32())
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/immediate.go

@@ -0,0 +1,79 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+	"fmt"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+type Immediate struct {
+	Register uint32
+	Data     []byte
+}
+
+func (e *Immediate) marshal(fam byte) ([]byte, error) {
+	immData, err := netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_DATA_VALUE, Data: e.Data},
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	data, err := netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_IMMEDIATE_DREG, Data: binaryutil.BigEndian.PutUint32(e.Register)},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_IMMEDIATE_DATA, Data: immData},
+	})
+	if err != nil {
+		return nil, err
+	}
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("immediate\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *Immediate) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_IMMEDIATE_DREG:
+			e.Register = ad.Uint32()
+		case unix.NFTA_IMMEDIATE_DATA:
+			nestedAD, err := netlink.NewAttributeDecoder(ad.Bytes())
+			if err != nil {
+				return fmt.Errorf("nested NewAttributeDecoder() failed: %v", err)
+			}
+			for nestedAD.Next() {
+				switch nestedAD.Type() {
+				case unix.NFTA_DATA_VALUE:
+					e.Data = nestedAD.Bytes()
+				}
+			}
+			if nestedAD.Err() != nil {
+				return fmt.Errorf("decoding immediate: %v", nestedAD.Err())
+			}
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/limit.go

@@ -0,0 +1,128 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+	"errors"
+	"fmt"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+// LimitType represents the type of the limit expression.
+type LimitType uint32
+
+// Imported from the nft_limit_type enum in netfilter/nf_tables.h.
+const (
+	LimitTypePkts     LimitType = unix.NFT_LIMIT_PKTS
+	LimitTypePktBytes LimitType = unix.NFT_LIMIT_PKT_BYTES
+)
+
+// LimitTime represents the limit unit.
+type LimitTime uint64
+
+// Possible limit unit values.
+const (
+	LimitTimeSecond LimitTime = 1
+	LimitTimeMinute LimitTime = 60
+	LimitTimeHour   LimitTime = 60 * 60
+	LimitTimeDay    LimitTime = 60 * 60 * 24
+	LimitTimeWeek   LimitTime = 60 * 60 * 24 * 7
+)
+
+func limitTime(value uint64) (LimitTime, error) {
+	switch LimitTime(value) {
+	case LimitTimeSecond:
+		return LimitTimeSecond, nil
+	case LimitTimeMinute:
+		return LimitTimeMinute, nil
+	case LimitTimeHour:
+		return LimitTimeHour, nil
+	case LimitTimeDay:
+		return LimitTimeDay, nil
+	case LimitTimeWeek:
+		return LimitTimeWeek, nil
+	default:
+		return 0, fmt.Errorf("expr: invalid limit unit value %d", value)
+	}
+}
+
+// Limit represents a rate limit expression.
+type Limit struct {
+	Type  LimitType
+	Rate  uint64
+	Over  bool
+	Unit  LimitTime
+	Burst uint32
+}
+
+func (l *Limit) marshal(fam byte) ([]byte, error) {
+	var flags uint32
+	if l.Over {
+		flags = unix.NFT_LIMIT_F_INV
+	}
+	attrs := []netlink.Attribute{
+		{Type: unix.NFTA_LIMIT_RATE, Data: binaryutil.BigEndian.PutUint64(l.Rate)},
+		{Type: unix.NFTA_LIMIT_UNIT, Data: binaryutil.BigEndian.PutUint64(uint64(l.Unit))},
+		{Type: unix.NFTA_LIMIT_BURST, Data: binaryutil.BigEndian.PutUint32(l.Burst)},
+		{Type: unix.NFTA_LIMIT_TYPE, Data: binaryutil.BigEndian.PutUint32(uint32(l.Type))},
+		{Type: unix.NFTA_LIMIT_FLAGS, Data: binaryutil.BigEndian.PutUint32(flags)},
+	}
+
+	data, err := netlink.MarshalAttributes(attrs)
+	if err != nil {
+		return nil, err
+	}
+
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("limit\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (l *Limit) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_LIMIT_RATE:
+			l.Rate = ad.Uint64()
+		case unix.NFTA_LIMIT_UNIT:
+			l.Unit, err = limitTime(ad.Uint64())
+			if err != nil {
+				return err
+			}
+		case unix.NFTA_LIMIT_BURST:
+			l.Burst = ad.Uint32()
+		case unix.NFTA_LIMIT_TYPE:
+			l.Type = LimitType(ad.Uint32())
+			if l.Type != LimitTypePkts && l.Type != LimitTypePktBytes {
+				return fmt.Errorf("expr: invalid limit type %d", l.Type)
+			}
+		case unix.NFTA_LIMIT_FLAGS:
+			l.Over = (ad.Uint32() & unix.NFT_LIMIT_F_INV) == 1
+		default:
+			return errors.New("expr: unhandled limit netlink attribute")
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/log.go

@@ -0,0 +1,150 @@
+// Copyright 2019 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+type LogLevel uint32
+
+const (
+	// See https://git.netfilter.org/nftables/tree/include/linux/netfilter/nf_tables.h?id=5b364657a35f4e4cd5d220ba2a45303d729c8eca#n1226
+	LogLevelEmerg LogLevel = iota
+	LogLevelAlert
+	LogLevelCrit
+	LogLevelErr
+	LogLevelWarning
+	LogLevelNotice
+	LogLevelInfo
+	LogLevelDebug
+	LogLevelAudit
+)
+
+type LogFlags uint32
+
+const (
+	// See https://git.netfilter.org/nftables/tree/include/linux/netfilter/nf_log.h?id=5b364657a35f4e4cd5d220ba2a45303d729c8eca
+	LogFlagsTCPSeq LogFlags = 0x01 << iota
+	LogFlagsTCPOpt
+	LogFlagsIPOpt
+	LogFlagsUID
+	LogFlagsNFLog
+	LogFlagsMACDecode
+	LogFlagsMask LogFlags = 0x2f
+)
+
+// Log defines type for NFT logging
+// See https://git.netfilter.org/libnftnl/tree/src/expr/log.c?id=09456c720e9c00eecc08e41ac6b7c291b3821ee5#n25
+type Log struct {
+	Level LogLevel
+	// Refers to log flags (flags all, flags ip options, ...)
+	Flags LogFlags
+	// Equivalent to expression flags.
+	// Indicates that an option is set by setting a bit
+	// on index referred by the NFTA_LOG_* value.
+	// See https://cs.opensource.google/go/x/sys/+/3681064d:unix/ztypes_linux.go;l=2126;drc=3681064d51587c1db0324b3d5c23c2ddbcff6e8f
+	Key        uint32
+	Snaplen    uint32
+	Group      uint16
+	QThreshold uint16
+	// Log prefix string content
+	Data []byte
+}
+
+func (e *Log) marshal(fam byte) ([]byte, error) {
+	// Per https://git.netfilter.org/libnftnl/tree/src/expr/log.c?id=09456c720e9c00eecc08e41ac6b7c291b3821ee5#n129
+	attrs := make([]netlink.Attribute, 0)
+	if e.Key&(1<<unix.NFTA_LOG_GROUP) != 0 {
+		attrs = append(attrs, netlink.Attribute{
+			Type: unix.NFTA_LOG_GROUP,
+			Data: binaryutil.BigEndian.PutUint16(e.Group),
+		})
+	}
+	if e.Key&(1<<unix.NFTA_LOG_PREFIX) != 0 {
+		prefix := append(e.Data, '\x00')
+		attrs = append(attrs, netlink.Attribute{
+			Type: unix.NFTA_LOG_PREFIX,
+			Data: prefix,
+		})
+	}
+	if e.Key&(1<<unix.NFTA_LOG_SNAPLEN) != 0 {
+		attrs = append(attrs, netlink.Attribute{
+			Type: unix.NFTA_LOG_SNAPLEN,
+			Data: binaryutil.BigEndian.PutUint32(e.Snaplen),
+		})
+	}
+	if e.Key&(1<<unix.NFTA_LOG_QTHRESHOLD) != 0 {
+		attrs = append(attrs, netlink.Attribute{
+			Type: unix.NFTA_LOG_QTHRESHOLD,
+			Data: binaryutil.BigEndian.PutUint16(e.QThreshold),
+		})
+	}
+	if e.Key&(1<<unix.NFTA_LOG_LEVEL) != 0 {
+		attrs = append(attrs, netlink.Attribute{
+			Type: unix.NFTA_LOG_LEVEL,
+			Data: binaryutil.BigEndian.PutUint32(uint32(e.Level)),
+		})
+	}
+	if e.Key&(1<<unix.NFTA_LOG_FLAGS) != 0 {
+		attrs = append(attrs, netlink.Attribute{
+			Type: unix.NFTA_LOG_FLAGS,
+			Data: binaryutil.BigEndian.PutUint32(uint32(e.Flags)),
+		})
+	}
+
+	data, err := netlink.MarshalAttributes(attrs)
+	if err != nil {
+		return nil, err
+	}
+
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("log\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *Log) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		e.Key |= 1 << uint32(ad.Type())
+		data := ad.Bytes()
+		switch ad.Type() {
+		case unix.NFTA_LOG_GROUP:
+			e.Group = binaryutil.BigEndian.Uint16(data)
+		case unix.NFTA_LOG_PREFIX:
+			// Getting rid of \x00 at the end of string
+			e.Data = data[:len(data)-1]
+		case unix.NFTA_LOG_SNAPLEN:
+			e.Snaplen = binaryutil.BigEndian.Uint32(data)
+		case unix.NFTA_LOG_QTHRESHOLD:
+			e.QThreshold = binaryutil.BigEndian.Uint16(data)
+		case unix.NFTA_LOG_LEVEL:
+			e.Level = LogLevel(binaryutil.BigEndian.Uint32(data))
+		case unix.NFTA_LOG_FLAGS:
+			e.Flags = LogFlags(binaryutil.BigEndian.Uint32(data))
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/lookup.go

@@ -0,0 +1,85 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+// Lookup represents a match against the contents of a set.
+type Lookup struct {
+	SourceRegister uint32
+	DestRegister   uint32
+	IsDestRegSet   bool
+
+	SetID   uint32
+	SetName string
+	Invert  bool
+}
+
+func (e *Lookup) marshal(fam byte) ([]byte, error) {
+	// See: https://git.netfilter.org/libnftnl/tree/src/expr/lookup.c?id=6dc1c3d8bb64077da7f3f28c7368fb087d10a492#n115
+	var opAttrs []netlink.Attribute
+	if e.SourceRegister != 0 {
+		opAttrs = append(opAttrs, netlink.Attribute{Type: unix.NFTA_LOOKUP_SREG, Data: binaryutil.BigEndian.PutUint32(e.SourceRegister)})
+	}
+	if e.IsDestRegSet {
+		opAttrs = append(opAttrs, netlink.Attribute{Type: unix.NFTA_LOOKUP_DREG, Data: binaryutil.BigEndian.PutUint32(e.DestRegister)})
+	}
+	if e.Invert {
+		opAttrs = append(opAttrs, netlink.Attribute{Type: unix.NFTA_LOOKUP_FLAGS, Data: binaryutil.BigEndian.PutUint32(unix.NFT_LOOKUP_F_INV)})
+	}
+	opAttrs = append(opAttrs,
+		netlink.Attribute{Type: unix.NFTA_LOOKUP_SET, Data: []byte(e.SetName + "\x00")},
+		netlink.Attribute{Type: unix.NFTA_LOOKUP_SET_ID, Data: binaryutil.BigEndian.PutUint32(e.SetID)},
+	)
+	opData, err := netlink.MarshalAttributes(opAttrs)
+	if err != nil {
+		return nil, err
+	}
+
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("lookup\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: opData},
+	})
+}
+
+func (e *Lookup) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_LOOKUP_SET:
+			e.SetName = ad.String()
+		case unix.NFTA_LOOKUP_SET_ID:
+			e.SetID = ad.Uint32()
+		case unix.NFTA_LOOKUP_SREG:
+			e.SourceRegister = ad.Uint32()
+		case unix.NFTA_LOOKUP_DREG:
+			e.DestRegister = ad.Uint32()
+			e.IsDestRegSet = true
+		case unix.NFTA_LOOKUP_FLAGS:
+			e.Invert = (ad.Uint32() & unix.NFT_LOOKUP_F_INV) != 0
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/match.go

@@ -0,0 +1,75 @@
+package expr
+
+import (
+	"bytes"
+	"encoding/binary"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/google/nftables/xt"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+// See https://git.netfilter.org/libnftnl/tree/src/expr/match.c?id=09456c720e9c00eecc08e41ac6b7c291b3821ee5#n30
+type Match struct {
+	Name string
+	Rev  uint32
+	Info xt.InfoAny
+}
+
+func (e *Match) marshal(fam byte) ([]byte, error) {
+	// Per https://git.netfilter.org/libnftnl/tree/src/expr/match.c?id=09456c720e9c00eecc08e41ac6b7c291b3821ee5#n38
+	name := e.Name
+	// limit the extension name as (some) user-space tools do and leave room for
+	// trailing \x00
+	if len(name) >= /* sic! */ XTablesExtensionNameMaxLen {
+		name = name[:XTablesExtensionNameMaxLen-1] // leave room for trailing \x00.
+	}
+	// Marshalling assumes that the correct Info type for the particular table
+	// family and Match revision has been set.
+	info, err := xt.Marshal(xt.TableFamily(fam), e.Rev, e.Info)
+	if err != nil {
+		return nil, err
+	}
+	attrs := []netlink.Attribute{
+		{Type: unix.NFTA_MATCH_NAME, Data: []byte(name + "\x00")},
+		{Type: unix.NFTA_MATCH_REV, Data: binaryutil.BigEndian.PutUint32(e.Rev)},
+		{Type: unix.NFTA_MATCH_INFO, Data: info},
+	}
+	data, err := netlink.MarshalAttributes(attrs)
+	if err != nil {
+		return nil, err
+	}
+
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("match\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *Match) unmarshal(fam byte, data []byte) error {
+	// Per https://git.netfilter.org/libnftnl/tree/src/expr/match.c?id=09456c720e9c00eecc08e41ac6b7c291b3821ee5#n65
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+
+	var info []byte
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_MATCH_NAME:
+			// We are forgiving here, accepting any length and even missing terminating \x00.
+			e.Name = string(bytes.TrimRight(ad.Bytes(), "\x00"))
+		case unix.NFTA_MATCH_REV:
+			e.Rev = ad.Uint32()
+		case unix.NFTA_MATCH_INFO:
+			info = ad.Bytes()
+		}
+	}
+	if err = ad.Err(); err != nil {
+		return err
+	}
+	e.Info, err = xt.Unmarshal(e.Name, xt.TableFamily(fam), e.Rev, info)
+	return err
+}

vendor/github.com/google/nftables/expr/nat.go

@@ -0,0 +1,132 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+type NATType uint32
+
+// Possible NATType values.
+const (
+	NATTypeSourceNAT NATType = unix.NFT_NAT_SNAT
+	NATTypeDestNAT   NATType = unix.NFT_NAT_DNAT
+)
+
+type NAT struct {
+	Type        NATType
+	Family      uint32 // TODO: typed const
+	RegAddrMin  uint32
+	RegAddrMax  uint32
+	RegProtoMin uint32
+	RegProtoMax uint32
+	Random      bool
+	FullyRandom bool
+	Persistent  bool
+	Prefix      bool
+}
+
+// |00048|N-|00001|	|len |flags| type|
+// |00008|--|00001|	|len |flags| type|
+// | 6e 61 74 00  |	|      data      |	 n a t
+// |00036|N-|00002|	|len |flags| type|
+// |00008|--|00001|	|len |flags| type| NFTA_NAT_TYPE
+// | 00 00 00 01  |	|      data      |  NFT_NAT_DNAT
+// |00008|--|00002|	|len |flags| type| NFTA_NAT_FAMILY
+// | 00 00 00 02  |	|      data      |   NFPROTO_IPV4
+// |00008|--|00003|	|len |flags| type| NFTA_NAT_REG_ADDR_MIN
+// | 00 00 00 01  |	|      data      |  reg 1
+// |00008|--|00005|	|len |flags| type| NFTA_NAT_REG_PROTO_MIN
+// | 00 00 00 02  |	|      data      |  reg 2
+
+func (e *NAT) marshal(fam byte) ([]byte, error) {
+	attrs := []netlink.Attribute{
+		{Type: unix.NFTA_NAT_TYPE, Data: binaryutil.BigEndian.PutUint32(uint32(e.Type))},
+		{Type: unix.NFTA_NAT_FAMILY, Data: binaryutil.BigEndian.PutUint32(e.Family)},
+	}
+	if e.RegAddrMin != 0 {
+		attrs = append(attrs, netlink.Attribute{Type: unix.NFTA_NAT_REG_ADDR_MIN, Data: binaryutil.BigEndian.PutUint32(e.RegAddrMin)})
+		if e.RegAddrMax != 0 {
+			attrs = append(attrs, netlink.Attribute{Type: unix.NFTA_NAT_REG_ADDR_MAX, Data: binaryutil.BigEndian.PutUint32(e.RegAddrMax)})
+		}
+	}
+	if e.RegProtoMin != 0 {
+		attrs = append(attrs, netlink.Attribute{Type: unix.NFTA_NAT_REG_PROTO_MIN, Data: binaryutil.BigEndian.PutUint32(e.RegProtoMin)})
+		if e.RegProtoMax != 0 {
+			attrs = append(attrs, netlink.Attribute{Type: unix.NFTA_NAT_REG_PROTO_MAX, Data: binaryutil.BigEndian.PutUint32(e.RegProtoMax)})
+		}
+	}
+	flags := uint32(0)
+	if e.Random {
+		flags |= NF_NAT_RANGE_PROTO_RANDOM
+	}
+	if e.FullyRandom {
+		flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY
+	}
+	if e.Persistent {
+		flags |= NF_NAT_RANGE_PERSISTENT
+	}
+	if e.Prefix {
+		flags |= NF_NAT_RANGE_PREFIX
+	}
+	if flags != 0 {
+		attrs = append(attrs, netlink.Attribute{Type: unix.NFTA_NAT_FLAGS, Data: binaryutil.BigEndian.PutUint32(flags)})
+	}
+
+	data, err := netlink.MarshalAttributes(attrs)
+	if err != nil {
+		return nil, err
+	}
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("nat\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *NAT) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_NAT_TYPE:
+			e.Type = NATType(ad.Uint32())
+		case unix.NFTA_NAT_FAMILY:
+			e.Family = ad.Uint32()
+		case unix.NFTA_NAT_REG_ADDR_MIN:
+			e.RegAddrMin = ad.Uint32()
+		case unix.NFTA_NAT_REG_ADDR_MAX:
+			e.RegAddrMax = ad.Uint32()
+		case unix.NFTA_NAT_REG_PROTO_MIN:
+			e.RegProtoMin = ad.Uint32()
+		case unix.NFTA_NAT_REG_PROTO_MAX:
+			e.RegProtoMax = ad.Uint32()
+		case unix.NFTA_NAT_FLAGS:
+			flags := ad.Uint32()
+			e.Persistent = (flags & NF_NAT_RANGE_PERSISTENT) != 0
+			e.Random = (flags & NF_NAT_RANGE_PROTO_RANDOM) != 0
+			e.FullyRandom = (flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) != 0
+			e.Prefix = (flags & NF_NAT_RANGE_PREFIX) != 0
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/notrack.go

@@ -0,0 +1,38 @@
+// Copyright 2019 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+type Notrack struct{}
+
+func (e *Notrack) marshal(fam byte) ([]byte, error) {
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("notrack\x00")},
+	})
+}
+
+func (e *Notrack) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+
+	if err != nil {
+		return err
+	}
+
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/numgen.go

@@ -0,0 +1,78 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+	"fmt"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+// Numgen defines Numgen expression structure
+type Numgen struct {
+	Register uint32
+	Modulus  uint32
+	Type     uint32
+	Offset   uint32
+}
+
+func (e *Numgen) marshal(fam byte) ([]byte, error) {
+	// Currently only two types are supported, failing if Type is not of two known types
+	switch e.Type {
+	case unix.NFT_NG_INCREMENTAL:
+	case unix.NFT_NG_RANDOM:
+	default:
+		return nil, fmt.Errorf("unsupported numgen type %d", e.Type)
+	}
+
+	data, err := netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_NG_DREG, Data: binaryutil.BigEndian.PutUint32(e.Register)},
+		{Type: unix.NFTA_NG_MODULUS, Data: binaryutil.BigEndian.PutUint32(e.Modulus)},
+		{Type: unix.NFTA_NG_TYPE, Data: binaryutil.BigEndian.PutUint32(e.Type)},
+		{Type: unix.NFTA_NG_OFFSET, Data: binaryutil.BigEndian.PutUint32(e.Offset)},
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("numgen\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *Numgen) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_NG_DREG:
+			e.Register = ad.Uint32()
+		case unix.NFTA_NG_MODULUS:
+			e.Modulus = ad.Uint32()
+		case unix.NFTA_NG_TYPE:
+			e.Type = ad.Uint32()
+		case unix.NFTA_NG_OFFSET:
+			e.Offset = ad.Uint32()
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/objref.go

@@ -0,0 +1,60 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+type Objref struct {
+	Type int // TODO: enum
+	Name string
+}
+
+func (e *Objref) marshal(fam byte) ([]byte, error) {
+	data, err := netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_OBJREF_IMM_TYPE, Data: binaryutil.BigEndian.PutUint32(uint32(e.Type))},
+		{Type: unix.NFTA_OBJREF_IMM_NAME, Data: []byte(e.Name)}, // NOT \x00-terminated?!
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("objref\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *Objref) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_OBJREF_IMM_TYPE:
+			e.Type = int(ad.Uint32())
+		case unix.NFTA_OBJREF_IMM_NAME:
+			e.Name = ad.String()
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/payload.go

@@ -0,0 +1,131 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+type PayloadBase uint32
+type PayloadCsumType uint32
+type PayloadOperationType uint32
+
+// Possible PayloadBase values.
+const (
+	PayloadBaseLLHeader        PayloadBase = unix.NFT_PAYLOAD_LL_HEADER
+	PayloadBaseNetworkHeader   PayloadBase = unix.NFT_PAYLOAD_NETWORK_HEADER
+	PayloadBaseTransportHeader PayloadBase = unix.NFT_PAYLOAD_TRANSPORT_HEADER
+)
+
+// Possible PayloadCsumType values.
+const (
+	CsumTypeNone PayloadCsumType = unix.NFT_PAYLOAD_CSUM_NONE
+	CsumTypeInet PayloadCsumType = unix.NFT_PAYLOAD_CSUM_INET
+)
+
+// Possible PayloadOperationType values.
+const (
+	PayloadLoad PayloadOperationType = iota
+	PayloadWrite
+)
+
+type Payload struct {
+	OperationType  PayloadOperationType
+	DestRegister   uint32
+	SourceRegister uint32
+	Base           PayloadBase
+	Offset         uint32
+	Len            uint32
+	CsumType       PayloadCsumType
+	CsumOffset     uint32
+	CsumFlags      uint32
+}
+
+func (e *Payload) marshal(fam byte) ([]byte, error) {
+
+	var attrs []netlink.Attribute
+
+	if e.OperationType == PayloadWrite {
+		attrs = []netlink.Attribute{
+			{Type: unix.NFTA_PAYLOAD_SREG, Data: binaryutil.BigEndian.PutUint32(e.SourceRegister)},
+		}
+	} else {
+		attrs = []netlink.Attribute{
+			{Type: unix.NFTA_PAYLOAD_DREG, Data: binaryutil.BigEndian.PutUint32(e.DestRegister)},
+		}
+	}
+
+	attrs = append(attrs,
+		netlink.Attribute{Type: unix.NFTA_PAYLOAD_BASE, Data: binaryutil.BigEndian.PutUint32(uint32(e.Base))},
+		netlink.Attribute{Type: unix.NFTA_PAYLOAD_OFFSET, Data: binaryutil.BigEndian.PutUint32(e.Offset)},
+		netlink.Attribute{Type: unix.NFTA_PAYLOAD_LEN, Data: binaryutil.BigEndian.PutUint32(e.Len)},
+	)
+
+	if e.CsumType > 0 {
+		attrs = append(attrs,
+			netlink.Attribute{Type: unix.NFTA_PAYLOAD_CSUM_TYPE, Data: binaryutil.BigEndian.PutUint32(uint32(e.CsumType))},
+			netlink.Attribute{Type: unix.NFTA_PAYLOAD_CSUM_OFFSET, Data: binaryutil.BigEndian.PutUint32(uint32(e.CsumOffset))},
+		)
+		if e.CsumFlags > 0 {
+			attrs = append(attrs,
+				netlink.Attribute{Type: unix.NFTA_PAYLOAD_CSUM_FLAGS, Data: binaryutil.BigEndian.PutUint32(e.CsumFlags)},
+			)
+		}
+	}
+
+	data, err := netlink.MarshalAttributes(attrs)
+
+	if err != nil {
+		return nil, err
+	}
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("payload\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *Payload) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_PAYLOAD_DREG:
+			e.DestRegister = ad.Uint32()
+		case unix.NFTA_PAYLOAD_SREG:
+			e.SourceRegister = ad.Uint32()
+			e.OperationType = PayloadWrite
+		case unix.NFTA_PAYLOAD_BASE:
+			e.Base = PayloadBase(ad.Uint32())
+		case unix.NFTA_PAYLOAD_OFFSET:
+			e.Offset = ad.Uint32()
+		case unix.NFTA_PAYLOAD_LEN:
+			e.Len = ad.Uint32()
+		case unix.NFTA_PAYLOAD_CSUM_TYPE:
+			e.CsumType = PayloadCsumType(ad.Uint32())
+		case unix.NFTA_PAYLOAD_CSUM_OFFSET:
+			e.CsumOffset = ad.Uint32()
+		case unix.NFTA_PAYLOAD_CSUM_FLAGS:
+			e.CsumFlags = ad.Uint32()
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/queue.go

@@ -0,0 +1,81 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+type QueueAttribute uint16
+
+type QueueFlag uint16
+
+// Possible QueueAttribute values
+const (
+	QueueNum   QueueAttribute = unix.NFTA_QUEUE_NUM
+	QueueTotal QueueAttribute = unix.NFTA_QUEUE_TOTAL
+	QueueFlags QueueAttribute = unix.NFTA_QUEUE_FLAGS
+
+	QueueFlagBypass QueueFlag = unix.NFT_QUEUE_FLAG_BYPASS
+	QueueFlagFanout QueueFlag = unix.NFT_QUEUE_FLAG_CPU_FANOUT
+	QueueFlagMask   QueueFlag = unix.NFT_QUEUE_FLAG_MASK
+)
+
+type Queue struct {
+	Num   uint16
+	Total uint16
+	Flag  QueueFlag
+}
+
+func (e *Queue) marshal(fam byte) ([]byte, error) {
+	if e.Total == 0 {
+		e.Total = 1 // The total default value is 1
+	}
+	data, err := netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_QUEUE_NUM, Data: binaryutil.BigEndian.PutUint16(e.Num)},
+		{Type: unix.NFTA_QUEUE_TOTAL, Data: binaryutil.BigEndian.PutUint16(e.Total)},
+		{Type: unix.NFTA_QUEUE_FLAGS, Data: binaryutil.BigEndian.PutUint16(uint16(e.Flag))},
+	})
+	if err != nil {
+		return nil, err
+	}
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("queue\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *Queue) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_QUEUE_NUM:
+			e.Num = ad.Uint16()
+		case unix.NFTA_QUEUE_TOTAL:
+			e.Total = ad.Uint16()
+		case unix.NFTA_QUEUE_FLAGS:
+			e.Flag = QueueFlag(ad.Uint16())
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/quota.go

@@ -0,0 +1,76 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+// Quota defines a threshold against a number of bytes.
+type Quota struct {
+	Bytes    uint64
+	Consumed uint64
+	Over     bool
+}
+
+func (q *Quota) marshal(fam byte) ([]byte, error) {
+	attrs := []netlink.Attribute{
+		{Type: unix.NFTA_QUOTA_BYTES, Data: binaryutil.BigEndian.PutUint64(q.Bytes)},
+		{Type: unix.NFTA_QUOTA_CONSUMED, Data: binaryutil.BigEndian.PutUint64(q.Consumed)},
+	}
+
+	flags := uint32(0)
+	if q.Over {
+		flags = unix.NFT_QUOTA_F_INV
+	}
+	attrs = append(attrs, netlink.Attribute{
+		Type: unix.NFTA_QUOTA_FLAGS,
+		Data: binaryutil.BigEndian.PutUint32(flags),
+	})
+
+	data, err := netlink.MarshalAttributes(attrs)
+	if err != nil {
+		return nil, err
+	}
+
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("quota\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (q *Quota) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_QUOTA_BYTES:
+			q.Bytes = ad.Uint64()
+		case unix.NFTA_QUOTA_CONSUMED:
+			q.Consumed = ad.Uint64()
+		case unix.NFTA_QUOTA_FLAGS:
+			q.Over = (ad.Uint32() & unix.NFT_QUOTA_F_INV) == 1
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/range.go

@@ -0,0 +1,124 @@
+// Copyright 2019 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+// Range implements range expression
+type Range struct {
+	Op       CmpOp
+	Register uint32
+	FromData []byte
+	ToData   []byte
+}
+
+func (e *Range) marshal(fam byte) ([]byte, error) {
+	var attrs []netlink.Attribute
+	var err error
+	var rangeFromData, rangeToData []byte
+
+	if e.Register > 0 {
+		attrs = append(attrs, netlink.Attribute{Type: unix.NFTA_RANGE_SREG, Data: binaryutil.BigEndian.PutUint32(e.Register)})
+	}
+	attrs = append(attrs, netlink.Attribute{Type: unix.NFTA_RANGE_OP, Data: binaryutil.BigEndian.PutUint32(uint32(e.Op))})
+	if len(e.FromData) > 0 {
+		rangeFromData, err = nestedAttr(e.FromData, unix.NFTA_RANGE_FROM_DATA)
+		if err != nil {
+			return nil, err
+		}
+	}
+	if len(e.ToData) > 0 {
+		rangeToData, err = nestedAttr(e.ToData, unix.NFTA_RANGE_TO_DATA)
+		if err != nil {
+			return nil, err
+		}
+	}
+	data, err := netlink.MarshalAttributes(attrs)
+	if err != nil {
+		return nil, err
+	}
+	data = append(data, rangeFromData...)
+	data = append(data, rangeToData...)
+
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("range\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *Range) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_RANGE_OP:
+			e.Op = CmpOp(ad.Uint32())
+		case unix.NFTA_RANGE_SREG:
+			e.Register = ad.Uint32()
+		case unix.NFTA_RANGE_FROM_DATA:
+			ad.Do(func(b []byte) error {
+				ad, err := netlink.NewAttributeDecoder(b)
+				if err != nil {
+					return err
+				}
+				ad.ByteOrder = binary.BigEndian
+				if ad.Next() && ad.Type() == unix.NFTA_DATA_VALUE {
+					ad.Do(func(b []byte) error {
+						e.FromData = b
+						return nil
+					})
+				}
+				return ad.Err()
+			})
+		case unix.NFTA_RANGE_TO_DATA:
+			ad.Do(func(b []byte) error {
+				ad, err := netlink.NewAttributeDecoder(b)
+				if err != nil {
+					return err
+				}
+				ad.ByteOrder = binary.BigEndian
+				if ad.Next() && ad.Type() == unix.NFTA_DATA_VALUE {
+					ad.Do(func(b []byte) error {
+						e.ToData = b
+						return nil
+					})
+				}
+				return ad.Err()
+			})
+		}
+	}
+	return ad.Err()
+}
+
+func nestedAttr(data []byte, attrType uint16) ([]byte, error) {
+	ae := netlink.NewAttributeEncoder()
+	ae.Do(unix.NLA_F_NESTED|attrType, func() ([]byte, error) {
+		nae := netlink.NewAttributeEncoder()
+		nae.ByteOrder = binary.BigEndian
+		nae.Bytes(unix.NFTA_DATA_VALUE, data)
+
+		return nae.Encode()
+	})
+	return ae.Encode()
+}

vendor/github.com/google/nftables/expr/redirect.go

@@ -0,0 +1,71 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+type Redir struct {
+	RegisterProtoMin uint32
+	RegisterProtoMax uint32
+	Flags            uint32
+}
+
+func (e *Redir) marshal(fam byte) ([]byte, error) {
+	var attrs []netlink.Attribute
+	if e.RegisterProtoMin > 0 {
+		attrs = append(attrs, netlink.Attribute{Type: unix.NFTA_REDIR_REG_PROTO_MIN, Data: binaryutil.BigEndian.PutUint32(e.RegisterProtoMin)})
+	}
+	if e.RegisterProtoMax > 0 {
+		attrs = append(attrs, netlink.Attribute{Type: unix.NFTA_REDIR_REG_PROTO_MAX, Data: binaryutil.BigEndian.PutUint32(e.RegisterProtoMax)})
+	}
+	if e.Flags > 0 {
+		attrs = append(attrs, netlink.Attribute{Type: unix.NFTA_REDIR_FLAGS, Data: binaryutil.BigEndian.PutUint32(e.Flags)})
+	}
+
+	data, err := netlink.MarshalAttributes(attrs)
+	if err != nil {
+		return nil, err
+	}
+
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("redir\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *Redir) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_REDIR_REG_PROTO_MIN:
+			e.RegisterProtoMin = ad.Uint32()
+		case unix.NFTA_REDIR_REG_PROTO_MAX:
+			e.RegisterProtoMax = ad.Uint32()
+		case unix.NFTA_REDIR_FLAGS:
+			e.Flags = ad.Uint32()
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/reject.go

@@ -0,0 +1,59 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+type Reject struct {
+	Type uint32
+	Code uint8
+}
+
+func (e *Reject) marshal(fam byte) ([]byte, error) {
+	data, err := netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_REJECT_TYPE, Data: binaryutil.BigEndian.PutUint32(e.Type)},
+		{Type: unix.NFTA_REJECT_ICMP_CODE, Data: []byte{e.Code}},
+	})
+	if err != nil {
+		return nil, err
+	}
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("reject\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *Reject) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_REJECT_TYPE:
+			e.Type = ad.Uint32()
+		case unix.NFTA_REJECT_ICMP_CODE:
+			e.Code = ad.Uint8()
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/rt.go

@@ -0,0 +1,55 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"fmt"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+type RtKey uint32
+
+const (
+	RtClassid  RtKey = unix.NFT_RT_CLASSID
+	RtNexthop4 RtKey = unix.NFT_RT_NEXTHOP4
+	RtNexthop6 RtKey = unix.NFT_RT_NEXTHOP6
+	RtTCPMSS   RtKey = unix.NFT_RT_TCPMSS
+)
+
+type Rt struct {
+	Register uint32
+	Key      RtKey
+}
+
+func (e *Rt) marshal(fam byte) ([]byte, error) {
+	data, err := netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_RT_KEY, Data: binaryutil.BigEndian.PutUint32(uint32(e.Key))},
+		{Type: unix.NFTA_RT_DREG, Data: binaryutil.BigEndian.PutUint32(e.Register)},
+	})
+	if err != nil {
+		return nil, err
+	}
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("rt\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *Rt) unmarshal(fam byte, data []byte) error {
+	return fmt.Errorf("not yet implemented")
+}

vendor/github.com/google/nftables/expr/socket.go

@@ -0,0 +1,89 @@
+// Copyright 2023 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+
+	"golang.org/x/sys/unix"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+)
+
+type Socket struct {
+	Key      SocketKey
+	Level    uint32
+	Register uint32
+}
+
+type SocketKey uint32
+
+const (
+	// TODO, Once the constants below are available in golang.org/x/sys/unix, switch to use those.
+	NFTA_SOCKET_KEY   = 1
+	NFTA_SOCKET_DREG  = 2
+	NFTA_SOCKET_LEVEL = 3
+
+	NFT_SOCKET_TRANSPARENT = 0
+	NFT_SOCKET_MARK        = 1
+	NFT_SOCKET_WILDCARD    = 2
+	NFT_SOCKET_CGROUPV2    = 3
+
+	SocketKeyTransparent SocketKey = NFT_SOCKET_TRANSPARENT
+	SocketKeyMark        SocketKey = NFT_SOCKET_MARK
+	SocketKeyWildcard    SocketKey = NFT_SOCKET_WILDCARD
+	SocketKeyCgroupv2    SocketKey = NFT_SOCKET_CGROUPV2
+)
+
+func (e *Socket) marshal(fam byte) ([]byte, error) {
+	// NOTE: Socket.Level is only used when Socket.Key == SocketKeyCgroupv2. But `nft` always encoding it. Check link below:
+	// http://git.netfilter.org/nftables/tree/src/netlink_linearize.c?id=0583bac241ea18c9d7f61cb20ca04faa1e043b78#n319
+	exprData, err := netlink.MarshalAttributes(
+		[]netlink.Attribute{
+			{Type: NFTA_SOCKET_DREG, Data: binaryutil.BigEndian.PutUint32(e.Register)},
+			{Type: NFTA_SOCKET_KEY, Data: binaryutil.BigEndian.PutUint32(uint32(e.Key))},
+			{Type: NFTA_SOCKET_LEVEL, Data: binaryutil.BigEndian.PutUint32(uint32(e.Level))},
+		},
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("socket\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: exprData},
+	})
+}
+
+func (e *Socket) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case NFTA_SOCKET_DREG:
+			e.Register = ad.Uint32()
+		case NFTA_SOCKET_KEY:
+			e.Key = SocketKey(ad.Uint32())
+		case NFTA_SOCKET_LEVEL:
+			e.Level = ad.Uint32()
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/target.go

@@ -0,0 +1,79 @@
+package expr
+
+import (
+	"bytes"
+	"encoding/binary"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/google/nftables/xt"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+// See https://git.netfilter.org/libnftnl/tree/src/expr/target.c?id=09456c720e9c00eecc08e41ac6b7c291b3821ee5#n28
+const XTablesExtensionNameMaxLen = 29
+
+// See https://git.netfilter.org/libnftnl/tree/src/expr/target.c?id=09456c720e9c00eecc08e41ac6b7c291b3821ee5#n30
+type Target struct {
+	Name string
+	Rev  uint32
+	Info xt.InfoAny
+}
+
+func (e *Target) marshal(fam byte) ([]byte, error) {
+	// Per https://git.netfilter.org/libnftnl/tree/src/expr/target.c?id=09456c720e9c00eecc08e41ac6b7c291b3821ee5#n38
+	name := e.Name
+	// limit the extension name as (some) user-space tools do and leave room for
+	// trailing \x00
+	if len(name) >= /* sic! */ XTablesExtensionNameMaxLen {
+		name = name[:XTablesExtensionNameMaxLen-1] // leave room for trailing \x00.
+	}
+	// Marshalling assumes that the correct Info type for the particular table
+	// family and Match revision has been set.
+	info, err := xt.Marshal(xt.TableFamily(fam), e.Rev, e.Info)
+	if err != nil {
+		return nil, err
+	}
+	attrs := []netlink.Attribute{
+		{Type: unix.NFTA_TARGET_NAME, Data: []byte(name + "\x00")},
+		{Type: unix.NFTA_TARGET_REV, Data: binaryutil.BigEndian.PutUint32(e.Rev)},
+		{Type: unix.NFTA_TARGET_INFO, Data: info},
+	}
+
+	data, err := netlink.MarshalAttributes(attrs)
+	if err != nil {
+		return nil, err
+	}
+
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("target\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *Target) unmarshal(fam byte, data []byte) error {
+	// Per https://git.netfilter.org/libnftnl/tree/src/expr/target.c?id=09456c720e9c00eecc08e41ac6b7c291b3821ee5#n65
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+
+	var info []byte
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_TARGET_NAME:
+			// We are forgiving here, accepting any length and even missing terminating \x00.
+			e.Name = string(bytes.TrimRight(ad.Bytes(), "\x00"))
+		case unix.NFTA_TARGET_REV:
+			e.Rev = ad.Uint32()
+		case unix.NFTA_TARGET_INFO:
+			info = ad.Bytes()
+		}
+	}
+	if err = ad.Err(); err != nil {
+		return err
+	}
+	e.Info, err = xt.Unmarshal(e.Name, xt.TableFamily(fam), e.Rev, info)
+	return err
+}

vendor/github.com/google/nftables/expr/tproxy.go

@@ -0,0 +1,82 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"encoding/binary"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+const (
+	// NFTA_TPROXY_FAMILY defines attribute for a table family
+	NFTA_TPROXY_FAMILY = 0x01
+	// NFTA_TPROXY_REG_ADDR defines attribute for a register carrying redirection address value
+	NFTA_TPROXY_REG_ADDR = 0x02
+	// NFTA_TPROXY_REG_PORT defines attribute for a register carrying redirection port value
+	NFTA_TPROXY_REG_PORT = 0x03
+)
+
+// TProxy defines struct with parameters for the transparent proxy
+type TProxy struct {
+	Family      byte
+	TableFamily byte
+	RegAddr     uint32
+	RegPort     uint32
+}
+
+func (e *TProxy) marshal(fam byte) ([]byte, error) {
+	attrs := []netlink.Attribute{
+		{Type: NFTA_TPROXY_FAMILY, Data: binaryutil.BigEndian.PutUint32(uint32(e.Family))},
+		{Type: NFTA_TPROXY_REG_PORT, Data: binaryutil.BigEndian.PutUint32(e.RegPort)},
+	}
+
+	if e.RegAddr != 0 {
+		attrs = append(attrs, netlink.Attribute{
+			Type: NFTA_TPROXY_REG_ADDR,
+			Data: binaryutil.BigEndian.PutUint32(e.RegAddr),
+		})
+	}
+
+	data, err := netlink.MarshalAttributes(attrs)
+	if err != nil {
+		return nil, err
+	}
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("tproxy\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *TProxy) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case NFTA_TPROXY_FAMILY:
+			e.Family = ad.Uint8()
+		case NFTA_TPROXY_REG_PORT:
+			e.RegPort = ad.Uint32()
+		case NFTA_TPROXY_REG_ADDR:
+			e.RegAddr = ad.Uint32()
+		}
+	}
+	return ad.Err()
+}

vendor/github.com/google/nftables/expr/verdict.go

@@ -0,0 +1,128 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package expr
+
+import (
+	"bytes"
+	"encoding/binary"
+	"fmt"
+
+	"github.com/google/nftables/binaryutil"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
+)
+
+// This code assembles the verdict structure, as expected by the
+// nftables netlink API.
+// For further information, consult:
+//  - netfilter.h (Linux kernel)
+//  - net/netfilter/nf_tables_api.c (Linux kernel)
+//  - src/expr/data_reg.c (linbnftnl)
+
+type Verdict struct {
+	Kind  VerdictKind
+	Chain string
+}
+
+type VerdictKind int64
+
+// Verdicts, as per netfilter.h and netfilter/nf_tables.h.
+const (
+	VerdictReturn VerdictKind = iota - 5
+	VerdictGoto
+	VerdictJump
+	VerdictBreak
+	VerdictContinue
+	VerdictDrop
+	VerdictAccept
+	VerdictStolen
+	VerdictQueue
+	VerdictRepeat
+	VerdictStop
+)
+
+func (e *Verdict) marshal(fam byte) ([]byte, error) {
+	// A verdict is a tree of netlink attributes structured as follows:
+	// NFTA_LIST_ELEM | NLA_F_NESTED {
+	//   NFTA_EXPR_NAME { "immediate\x00" }
+	//   NFTA_EXPR_DATA | NLA_F_NESTED {
+	//     NFTA_IMMEDIATE_DREG { NFT_REG_VERDICT }
+	//     NFTA_IMMEDIATE_DATA | NLA_F_NESTED {
+	//       the verdict code
+	//     }
+	//   }
+	// }
+
+	attrs := []netlink.Attribute{
+		{Type: unix.NFTA_VERDICT_CODE, Data: binaryutil.BigEndian.PutUint32(uint32(e.Kind))},
+	}
+	if e.Chain != "" {
+		attrs = append(attrs, netlink.Attribute{Type: unix.NFTA_VERDICT_CHAIN, Data: []byte(e.Chain + "\x00")})
+	}
+	codeData, err := netlink.MarshalAttributes(attrs)
+	if err != nil {
+		return nil, err
+	}
+
+	immData, err := netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NLA_F_NESTED | unix.NFTA_DATA_VERDICT, Data: codeData},
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	data, err := netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_IMMEDIATE_DREG, Data: binaryutil.BigEndian.PutUint32(unix.NFT_REG_VERDICT)},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_IMMEDIATE_DATA, Data: immData},
+	})
+	if err != nil {
+		return nil, err
+	}
+	return netlink.MarshalAttributes([]netlink.Attribute{
+		{Type: unix.NFTA_EXPR_NAME, Data: []byte("immediate\x00")},
+		{Type: unix.NLA_F_NESTED | unix.NFTA_EXPR_DATA, Data: data},
+	})
+}
+
+func (e *Verdict) unmarshal(fam byte, data []byte) error {
+	ad, err := netlink.NewAttributeDecoder(data)
+	if err != nil {
+		return err
+	}
+
+	ad.ByteOrder = binary.BigEndian
+	for ad.Next() {
+		switch ad.Type() {
+		case unix.NFTA_IMMEDIATE_DATA:
+			nestedAD, err := netlink.NewAttributeDecoder(ad.Bytes())
+			if err != nil {
+				return fmt.Errorf("nested NewAttributeDecoder() failed: %v", err)
+			}
+			for nestedAD.Next() {
+				switch nestedAD.Type() {
+				case unix.NFTA_DATA_VERDICT:
+					e.Kind = VerdictKind(int32(binaryutil.BigEndian.Uint32(nestedAD.Bytes()[4:8])))
+					if len(nestedAD.Bytes()) > 12 {
+						e.Chain = string(bytes.Trim(nestedAD.Bytes()[12:], "\x00"))
+					}
+				}
+			}
+			if nestedAD.Err() != nil {
+				return fmt.Errorf("decoding immediate: %v", nestedAD.Err())
+			}
+		}
+	}
+	return ad.Err()
+}