Update dependencies

2024-11-01 17:33:34 +00:00
parent 033ac0b400
commit 5cdfab398d
3596 changed files with 1033483 additions and 259 deletions
--- a/vendor/github.com/google/nftables/xt/info.go
+++ b/vendor/github.com/google/nftables/xt/info.go
@@ -0,0 +1,94 @@
+package xt
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+// TableFamily specifies the address family of the table Match or Target Info
+// data is contained in. On purpose, we don't import the expr package here in
+// order to keep the option open to import this package instead into expr.
+type TableFamily byte
+
+// InfoAny is a (un)marshaling implemented by any info type.
+type InfoAny interface {
+	marshal(fam TableFamily, rev uint32) ([]byte, error)
+	unmarshal(fam TableFamily, rev uint32, data []byte) error
+}
+
+// Marshal a Match or Target Info type into its binary representation.
+func Marshal(fam TableFamily, rev uint32, info InfoAny) ([]byte, error) {
+	return info.marshal(fam, rev)
+}
+
+// Unmarshal Info binary payload into its corresponding dedicated type as
+// indicated by the name argument. In several cases, unmarshalling depends on
+// the specific table family the Target or Match expression with the info
+// payload belongs to, as well as the specific info structure revision.
+func Unmarshal(name string, fam TableFamily, rev uint32, data []byte) (InfoAny, error) {
+	var i InfoAny
+	switch name {
+	case "addrtype":
+		switch rev {
+		case 0:
+			i = &AddrType{}
+		case 1:
+			i = &AddrTypeV1{}
+		}
+	case "conntrack":
+		switch rev {
+		case 1:
+			i = &ConntrackMtinfo1{}
+		case 2:
+			i = &ConntrackMtinfo2{}
+		case 3:
+			i = &ConntrackMtinfo3{}
+		}
+	case "tcp":
+		i = &Tcp{}
+	case "udp":
+		i = &Udp{}
+	case "SNAT":
+		if fam == unix.NFPROTO_IPV4 {
+			i = &NatIPv4MultiRangeCompat{}
+		}
+	case "DNAT":
+		switch fam {
+		case unix.NFPROTO_IPV4:
+			if rev == 0 {
+				i = &NatIPv4MultiRangeCompat{}
+				break
+			}
+			fallthrough
+		case unix.NFPROTO_IPV6:
+			switch rev {
+			case 1:
+				i = &NatRange{}
+			case 2:
+				i = &NatRange2{}
+			}
+		}
+	case "MASQUERADE":
+		switch fam {
+		case unix.NFPROTO_IPV4:
+			i = &NatIPv4MultiRangeCompat{}
+		}
+	case "REDIRECT":
+		switch fam {
+		case unix.NFPROTO_IPV4:
+			if rev == 0 {
+				i = &NatIPv4MultiRangeCompat{}
+				break
+			}
+			fallthrough
+		case unix.NFPROTO_IPV6:
+			i = &NatRange{}
+		}
+	}
+	if i == nil {
+		i = &Unknown{}
+	}
+	if err := i.unmarshal(fam, rev, data); err != nil {
+		return nil, err
+	}
+	return i, nil
+}
--- a/vendor/github.com/google/nftables/xt/match_addrtype.go
+++ b/vendor/github.com/google/nftables/xt/match_addrtype.go
@@ -0,0 +1,89 @@
+package xt
+
+import (
+	"github.com/google/nftables/alignedbuff"
+)
+
+// Rev. 0, see https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/xt_addrtype.h#L38
+type AddrType struct {
+	Source       uint16
+	Dest         uint16
+	InvertSource bool
+	InvertDest   bool
+}
+
+type AddrTypeFlags uint32
+
+const (
+	AddrTypeUnspec AddrTypeFlags = 1 << iota
+	AddrTypeUnicast
+	AddrTypeLocal
+	AddrTypeBroadcast
+	AddrTypeAnycast
+	AddrTypeMulticast
+	AddrTypeBlackhole
+	AddrTypeUnreachable
+	AddrTypeProhibit
+	AddrTypeThrow
+	AddrTypeNat
+	AddrTypeXresolve
+)
+
+// See https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/xt_addrtype.h#L31
+type AddrTypeV1 struct {
+	Source uint16
+	Dest   uint16
+	Flags  AddrTypeFlags
+}
+
+func (x *AddrType) marshal(fam TableFamily, rev uint32) ([]byte, error) {
+	ab := alignedbuff.New()
+	ab.PutUint16(x.Source)
+	ab.PutUint16(x.Dest)
+	putBool32(&ab, x.InvertSource)
+	putBool32(&ab, x.InvertDest)
+	return ab.Data(), nil
+}
+
+func (x *AddrType) unmarshal(fam TableFamily, rev uint32, data []byte) error {
+	ab := alignedbuff.NewWithData(data)
+	var err error
+	if x.Source, err = ab.Uint16(); err != nil {
+		return nil
+	}
+	if x.Dest, err = ab.Uint16(); err != nil {
+		return nil
+	}
+	if x.InvertSource, err = bool32(&ab); err != nil {
+		return nil
+	}
+	if x.InvertDest, err = bool32(&ab); err != nil {
+		return nil
+	}
+	return nil
+}
+
+func (x *AddrTypeV1) marshal(fam TableFamily, rev uint32) ([]byte, error) {
+	ab := alignedbuff.New()
+	ab.PutUint16(x.Source)
+	ab.PutUint16(x.Dest)
+	ab.PutUint32(uint32(x.Flags))
+	return ab.Data(), nil
+}
+
+func (x *AddrTypeV1) unmarshal(fam TableFamily, rev uint32, data []byte) error {
+	ab := alignedbuff.NewWithData(data)
+	var err error
+	if x.Source, err = ab.Uint16(); err != nil {
+		return nil
+	}
+	if x.Dest, err = ab.Uint16(); err != nil {
+		return nil
+	}
+	var flags uint32
+	if flags, err = ab.Uint32(); err != nil {
+		return nil
+	}
+	x.Flags = AddrTypeFlags(flags)
+	return nil
+}
--- a/vendor/github.com/google/nftables/xt/match_conntrack.go
+++ b/vendor/github.com/google/nftables/xt/match_conntrack.go
@@ -0,0 +1,260 @@
+package xt
+
+import (
+	"net"
+
+	"github.com/google/nftables/alignedbuff"
+)
+
+type ConntrackFlags uint16
+
+const (
+	ConntrackState ConntrackFlags = 1 << iota
+	ConntrackProto
+	ConntrackOrigSrc
+	ConntrackOrigDst
+	ConntrackReplSrc
+	ConntrackReplDst
+	ConntrackStatus
+	ConntrackExpires
+	ConntrackOrigSrcPort
+	ConntrackOrigDstPort
+	ConntrackReplSrcPort
+	ConntrackReplDstPrt
+	ConntrackDirection
+	ConntrackStateAlias
+)
+
+type ConntrackMtinfoBase struct {
+	OrigSrcAddr net.IP
+	OrigSrcMask net.IPMask
+	OrigDstAddr net.IP
+	OrigDstMask net.IPMask
+	ReplSrcAddr net.IP
+	ReplSrcMask net.IPMask
+	ReplDstAddr net.IP
+	ReplDstMask net.IPMask
+	ExpiresMin  uint32
+	ExpiresMax  uint32
+	L4Proto     uint16
+	OrigSrcPort uint16
+	OrigDstPort uint16
+	ReplSrcPort uint16
+	ReplDstPort uint16
+	MatchFlags  uint16
+	InvertFlags uint16
+}
+
+// See https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/xt_conntrack.h#L38
+type ConntrackMtinfo1 struct {
+	ConntrackMtinfoBase
+	StateMask  uint8
+	StatusMask uint8
+}
+
+// See https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/xt_conntrack.h#L51
+type ConntrackMtinfo2 struct {
+	ConntrackMtinfoBase
+	StateMask  uint16
+	StatusMask uint16
+}
+
+// See https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/xt_conntrack.h#L64
+type ConntrackMtinfo3 struct {
+	ConntrackMtinfo2
+	OrigSrcPortHigh uint16
+	OrigDstPortHigh uint16
+	ReplSrcPortHigh uint16
+	ReplDstPortHigh uint16
+}
+
+func (x *ConntrackMtinfoBase) marshalAB(fam TableFamily, rev uint32, ab *alignedbuff.AlignedBuff) error {
+	if err := putIPv46(ab, fam, x.OrigSrcAddr); err != nil {
+		return err
+	}
+	if err := putIPv46Mask(ab, fam, x.OrigSrcMask); err != nil {
+		return err
+	}
+	if err := putIPv46(ab, fam, x.OrigDstAddr); err != nil {
+		return err
+	}
+	if err := putIPv46Mask(ab, fam, x.OrigDstMask); err != nil {
+		return err
+	}
+	if err := putIPv46(ab, fam, x.ReplSrcAddr); err != nil {
+		return err
+	}
+	if err := putIPv46Mask(ab, fam, x.ReplSrcMask); err != nil {
+		return err
+	}
+	if err := putIPv46(ab, fam, x.ReplDstAddr); err != nil {
+		return err
+	}
+	if err := putIPv46Mask(ab, fam, x.ReplDstMask); err != nil {
+		return err
+	}
+	ab.PutUint32(x.ExpiresMin)
+	ab.PutUint32(x.ExpiresMax)
+	ab.PutUint16(x.L4Proto)
+	ab.PutUint16(x.OrigSrcPort)
+	ab.PutUint16(x.OrigDstPort)
+	ab.PutUint16(x.ReplSrcPort)
+	ab.PutUint16(x.ReplDstPort)
+	ab.PutUint16(x.MatchFlags)
+	ab.PutUint16(x.InvertFlags)
+	return nil
+}
+
+func (x *ConntrackMtinfoBase) unmarshalAB(fam TableFamily, rev uint32, ab *alignedbuff.AlignedBuff) error {
+	var err error
+	if x.OrigSrcAddr, err = iPv46(ab, fam); err != nil {
+		return err
+	}
+	if x.OrigSrcMask, err = iPv46Mask(ab, fam); err != nil {
+		return err
+	}
+	if x.OrigDstAddr, err = iPv46(ab, fam); err != nil {
+		return err
+	}
+	if x.OrigDstMask, err = iPv46Mask(ab, fam); err != nil {
+		return err
+	}
+	if x.ReplSrcAddr, err = iPv46(ab, fam); err != nil {
+		return err
+	}
+	if x.ReplSrcMask, err = iPv46Mask(ab, fam); err != nil {
+		return err
+	}
+	if x.ReplDstAddr, err = iPv46(ab, fam); err != nil {
+		return err
+	}
+	if x.ReplDstMask, err = iPv46Mask(ab, fam); err != nil {
+		return err
+	}
+	if x.ExpiresMin, err = ab.Uint32(); err != nil {
+		return err
+	}
+	if x.ExpiresMax, err = ab.Uint32(); err != nil {
+		return err
+	}
+	if x.L4Proto, err = ab.Uint16(); err != nil {
+		return err
+	}
+	if x.OrigSrcPort, err = ab.Uint16(); err != nil {
+		return err
+	}
+	if x.OrigDstPort, err = ab.Uint16(); err != nil {
+		return err
+	}
+	if x.ReplSrcPort, err = ab.Uint16(); err != nil {
+		return err
+	}
+	if x.ReplDstPort, err = ab.Uint16(); err != nil {
+		return err
+	}
+	if x.MatchFlags, err = ab.Uint16(); err != nil {
+		return err
+	}
+	if x.InvertFlags, err = ab.Uint16(); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (x *ConntrackMtinfo1) marshal(fam TableFamily, rev uint32) ([]byte, error) {
+	ab := alignedbuff.New()
+	if err := x.ConntrackMtinfoBase.marshalAB(fam, rev, &ab); err != nil {
+		return nil, err
+	}
+	ab.PutUint8(x.StateMask)
+	ab.PutUint8(x.StatusMask)
+	return ab.Data(), nil
+}
+
+func (x *ConntrackMtinfo1) unmarshal(fam TableFamily, rev uint32, data []byte) error {
+	ab := alignedbuff.NewWithData(data)
+	var err error
+	if err = x.ConntrackMtinfoBase.unmarshalAB(fam, rev, &ab); err != nil {
+		return err
+	}
+	if x.StateMask, err = ab.Uint8(); err != nil {
+		return err
+	}
+	if x.StatusMask, err = ab.Uint8(); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (x *ConntrackMtinfo2) marshalAB(fam TableFamily, rev uint32, ab *alignedbuff.AlignedBuff) error {
+	if err := x.ConntrackMtinfoBase.marshalAB(fam, rev, ab); err != nil {
+		return err
+	}
+	ab.PutUint16(x.StateMask)
+	ab.PutUint16(x.StatusMask)
+	return nil
+}
+
+func (x *ConntrackMtinfo2) marshal(fam TableFamily, rev uint32) ([]byte, error) {
+	ab := alignedbuff.New()
+	if err := x.marshalAB(fam, rev, &ab); err != nil {
+		return nil, err
+	}
+	return ab.Data(), nil
+}
+
+func (x *ConntrackMtinfo2) unmarshalAB(fam TableFamily, rev uint32, ab *alignedbuff.AlignedBuff) error {
+	var err error
+	if err = x.ConntrackMtinfoBase.unmarshalAB(fam, rev, ab); err != nil {
+		return err
+	}
+	if x.StateMask, err = ab.Uint16(); err != nil {
+		return err
+	}
+	if x.StatusMask, err = ab.Uint16(); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (x *ConntrackMtinfo2) unmarshal(fam TableFamily, rev uint32, data []byte) error {
+	ab := alignedbuff.NewWithData(data)
+	var err error
+	if err = x.unmarshalAB(fam, rev, &ab); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (x *ConntrackMtinfo3) marshal(fam TableFamily, rev uint32) ([]byte, error) {
+	ab := alignedbuff.New()
+	if err := x.ConntrackMtinfo2.marshalAB(fam, rev, &ab); err != nil {
+		return nil, err
+	}
+	ab.PutUint16(x.OrigSrcPortHigh)
+	ab.PutUint16(x.OrigDstPortHigh)
+	ab.PutUint16(x.ReplSrcPortHigh)
+	ab.PutUint16(x.ReplDstPortHigh)
+	return ab.Data(), nil
+}
+
+func (x *ConntrackMtinfo3) unmarshal(fam TableFamily, rev uint32, data []byte) error {
+	ab := alignedbuff.NewWithData(data)
+	var err error
+	if err = x.ConntrackMtinfo2.unmarshalAB(fam, rev, &ab); err != nil {
+		return err
+	}
+	if x.OrigSrcPortHigh, err = ab.Uint16(); err != nil {
+		return err
+	}
+	if x.OrigDstPortHigh, err = ab.Uint16(); err != nil {
+		return err
+	}
+	if x.ReplSrcPortHigh, err = ab.Uint16(); err != nil {
+		return err
+	}
+	if x.ReplDstPortHigh, err = ab.Uint16(); err != nil {
+		return err
+	}
+	return nil
+}
--- a/vendor/github.com/google/nftables/xt/match_tcp.go
+++ b/vendor/github.com/google/nftables/xt/match_tcp.go
@@ -0,0 +1,74 @@
+package xt
+
+import (
+	"github.com/google/nftables/alignedbuff"
+)
+
+// Tcp is the Match.Info payload for the tcp xtables extension
+// (https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables#tcp).
+//
+// See
+// https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/xt_tcpudp.h#L8
+type Tcp struct {
+	SrcPorts  [2]uint16     // min, max source port range
+	DstPorts  [2]uint16     // min, max destination port range
+	Option    uint8         // TCP option if non-zero
+	FlagsMask uint8         // TCP flags mask
+	FlagsCmp  uint8         // TCP flags compare
+	InvFlags  TcpInvFlagset // Inverse flags
+}
+
+type TcpInvFlagset uint8
+
+const (
+	TcpInvSrcPorts TcpInvFlagset = 1 << iota
+	TcpInvDestPorts
+	TcpInvFlags
+	TcpInvOption
+	TcpInvMask TcpInvFlagset = (1 << iota) - 1
+)
+
+func (x *Tcp) marshal(fam TableFamily, rev uint32) ([]byte, error) {
+	ab := alignedbuff.New()
+	ab.PutUint16(x.SrcPorts[0])
+	ab.PutUint16(x.SrcPorts[1])
+	ab.PutUint16(x.DstPorts[0])
+	ab.PutUint16(x.DstPorts[1])
+	ab.PutUint8(x.Option)
+	ab.PutUint8(x.FlagsMask)
+	ab.PutUint8(x.FlagsCmp)
+	ab.PutUint8(byte(x.InvFlags))
+	return ab.Data(), nil
+}
+
+func (x *Tcp) unmarshal(fam TableFamily, rev uint32, data []byte) error {
+	ab := alignedbuff.NewWithData(data)
+	var err error
+	if x.SrcPorts[0], err = ab.Uint16(); err != nil {
+		return err
+	}
+	if x.SrcPorts[1], err = ab.Uint16(); err != nil {
+		return err
+	}
+	if x.DstPorts[0], err = ab.Uint16(); err != nil {
+		return err
+	}
+	if x.DstPorts[1], err = ab.Uint16(); err != nil {
+		return err
+	}
+	if x.Option, err = ab.Uint8(); err != nil {
+		return err
+	}
+	if x.FlagsMask, err = ab.Uint8(); err != nil {
+		return err
+	}
+	if x.FlagsCmp, err = ab.Uint8(); err != nil {
+		return err
+	}
+	var invFlags uint8
+	if invFlags, err = ab.Uint8(); err != nil {
+		return err
+	}
+	x.InvFlags = TcpInvFlagset(invFlags)
+	return nil
+}
--- a/vendor/github.com/google/nftables/xt/match_udp.go
+++ b/vendor/github.com/google/nftables/xt/match_udp.go
@@ -0,0 +1,57 @@
+package xt
+
+import (
+	"github.com/google/nftables/alignedbuff"
+)
+
+// Tcp is the Match.Info payload for the tcp xtables extension
+// (https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables#tcp).
+//
+// See
+// https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/xt_tcpudp.h#L25
+type Udp struct {
+	SrcPorts [2]uint16     // min, max source port range
+	DstPorts [2]uint16     // min, max destination port range
+	InvFlags UdpInvFlagset // Inverse flags
+}
+
+type UdpInvFlagset uint8
+
+const (
+	UdpInvSrcPorts UdpInvFlagset = 1 << iota
+	UdpInvDestPorts
+	UdpInvMask UdpInvFlagset = (1 << iota) - 1
+)
+
+func (x *Udp) marshal(fam TableFamily, rev uint32) ([]byte, error) {
+	ab := alignedbuff.New()
+	ab.PutUint16(x.SrcPorts[0])
+	ab.PutUint16(x.SrcPorts[1])
+	ab.PutUint16(x.DstPorts[0])
+	ab.PutUint16(x.DstPorts[1])
+	ab.PutUint8(byte(x.InvFlags))
+	return ab.Data(), nil
+}
+
+func (x *Udp) unmarshal(fam TableFamily, rev uint32, data []byte) error {
+	ab := alignedbuff.NewWithData(data)
+	var err error
+	if x.SrcPorts[0], err = ab.Uint16(); err != nil {
+		return err
+	}
+	if x.SrcPorts[1], err = ab.Uint16(); err != nil {
+		return err
+	}
+	if x.DstPorts[0], err = ab.Uint16(); err != nil {
+		return err
+	}
+	if x.DstPorts[1], err = ab.Uint16(); err != nil {
+		return err
+	}
+	var invFlags uint8
+	if invFlags, err = ab.Uint8(); err != nil {
+		return err
+	}
+	x.InvFlags = UdpInvFlagset(invFlags)
+	return nil
+}
--- a/vendor/github.com/google/nftables/xt/target_dnat.go
+++ b/vendor/github.com/google/nftables/xt/target_dnat.go
@@ -0,0 +1,106 @@
+package xt
+
+import (
+	"net"
+
+	"github.com/google/nftables/alignedbuff"
+)
+
+type NatRangeFlags uint
+
+// See: https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/nf_nat.h#L8
+const (
+	NatRangeMapIPs NatRangeFlags = (1 << iota)
+	NatRangeProtoSpecified
+	NatRangeProtoRandom
+	NatRangePersistent
+	NatRangeProtoRandomFully
+	NatRangeProtoOffset
+	NatRangeNetmap
+
+	NatRangeMask NatRangeFlags = (1 << iota) - 1
+
+	NatRangeProtoRandomAll = NatRangeProtoRandom | NatRangeProtoRandomFully
+)
+
+// see: https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/nf_nat.h#L38
+type NatRange struct {
+	Flags   uint   // sic! platform/arch/compiler-dependent uint size
+	MinIP   net.IP // always taking up space for an IPv6 address
+	MaxIP   net.IP // dito
+	MinPort uint16
+	MaxPort uint16
+}
+
+// see: https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/nf_nat.h#L46
+type NatRange2 struct {
+	NatRange
+	BasePort uint16
+}
+
+func (x *NatRange) marshal(fam TableFamily, rev uint32) ([]byte, error) {
+	ab := alignedbuff.New()
+	if err := x.marshalAB(fam, rev, &ab); err != nil {
+		return nil, err
+	}
+	return ab.Data(), nil
+}
+
+func (x *NatRange) marshalAB(fam TableFamily, rev uint32, ab *alignedbuff.AlignedBuff) error {
+	ab.PutUint(x.Flags)
+	if err := putIPv46(ab, fam, x.MinIP); err != nil {
+		return err
+	}
+	if err := putIPv46(ab, fam, x.MaxIP); err != nil {
+		return err
+	}
+	ab.PutUint16BE(x.MinPort)
+	ab.PutUint16BE(x.MaxPort)
+	return nil
+}
+
+func (x *NatRange) unmarshal(fam TableFamily, rev uint32, data []byte) error {
+	ab := alignedbuff.NewWithData(data)
+	return x.unmarshalAB(fam, rev, &ab)
+}
+
+func (x *NatRange) unmarshalAB(fam TableFamily, rev uint32, ab *alignedbuff.AlignedBuff) error {
+	var err error
+	if x.Flags, err = ab.Uint(); err != nil {
+		return err
+	}
+	if x.MinIP, err = iPv46(ab, fam); err != nil {
+		return err
+	}
+	if x.MaxIP, err = iPv46(ab, fam); err != nil {
+		return err
+	}
+	if x.MinPort, err = ab.Uint16BE(); err != nil {
+		return err
+	}
+	if x.MaxPort, err = ab.Uint16BE(); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (x *NatRange2) marshal(fam TableFamily, rev uint32) ([]byte, error) {
+	ab := alignedbuff.New()
+	if err := x.NatRange.marshalAB(fam, rev, &ab); err != nil {
+		return nil, err
+	}
+	ab.PutUint16BE(x.BasePort)
+	return ab.Data(), nil
+}
+
+func (x *NatRange2) unmarshal(fam TableFamily, rev uint32, data []byte) error {
+	ab := alignedbuff.NewWithData(data)
+	var err error
+	if err = x.NatRange.unmarshalAB(fam, rev, &ab); err != nil {
+		return err
+	}
+	if x.BasePort, err = ab.Uint16BE(); err != nil {
+		return err
+	}
+	return nil
+}
--- a/vendor/github.com/google/nftables/xt/target_masquerade_ip.go
+++ b/vendor/github.com/google/nftables/xt/target_masquerade_ip.go
@@ -0,0 +1,86 @@
+package xt
+
+import (
+	"errors"
+	"net"
+
+	"github.com/google/nftables/alignedbuff"
+)
+
+// See https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/nf_nat.h#L25
+type NatIPv4Range struct {
+	Flags   uint // sic!
+	MinIP   net.IP
+	MaxIP   net.IP
+	MinPort uint16
+	MaxPort uint16
+}
+
+// NatIPv4MultiRangeCompat despite being a slice of NAT IPv4 ranges is currently allowed to
+// only hold exactly one element.
+//
+// See https://elixir.bootlin.com/linux/v5.17.7/source/include/uapi/linux/netfilter/nf_nat.h#L33
+type NatIPv4MultiRangeCompat []NatIPv4Range
+
+func (x *NatIPv4MultiRangeCompat) marshal(fam TableFamily, rev uint32) ([]byte, error) {
+	ab := alignedbuff.New()
+	if len(*x) != 1 {
+		return nil, errors.New("MasqueradeIp must contain exactly one NatIPv4Range")
+	}
+	ab.PutUint(uint(len(*x)))
+	for _, nat := range *x {
+		if err := nat.marshalAB(fam, rev, &ab); err != nil {
+			return nil, err
+		}
+	}
+	return ab.Data(), nil
+}
+
+func (x *NatIPv4MultiRangeCompat) unmarshal(fam TableFamily, rev uint32, data []byte) error {
+	ab := alignedbuff.NewWithData(data)
+	l, err := ab.Uint()
+	if err != nil {
+		return err
+	}
+	nats := make(NatIPv4MultiRangeCompat, l)
+	for l > 0 {
+		l--
+		if err := nats[l].unmarshalAB(fam, rev, &ab); err != nil {
+			return err
+		}
+	}
+	*x = nats
+	return nil
+}
+
+func (x *NatIPv4Range) marshalAB(fam TableFamily, rev uint32, ab *alignedbuff.AlignedBuff) error {
+	ab.PutUint(x.Flags)
+	ab.PutBytesAligned32(x.MinIP.To4(), 4)
+	ab.PutBytesAligned32(x.MaxIP.To4(), 4)
+	ab.PutUint16BE(x.MinPort)
+	ab.PutUint16BE(x.MaxPort)
+	return nil
+}
+
+func (x *NatIPv4Range) unmarshalAB(fam TableFamily, rev uint32, ab *alignedbuff.AlignedBuff) error {
+	var err error
+	if x.Flags, err = ab.Uint(); err != nil {
+		return err
+	}
+	var ip []byte
+	if ip, err = ab.BytesAligned32(4); err != nil {
+		return err
+	}
+	x.MinIP = net.IP(ip)
+	if ip, err = ab.BytesAligned32(4); err != nil {
+		return err
+	}
+	x.MaxIP = net.IP(ip)
+	if x.MinPort, err = ab.Uint16BE(); err != nil {
+		return err
+	}
+	if x.MaxPort, err = ab.Uint16BE(); err != nil {
+		return err
+	}
+	return nil
+}
--- a/vendor/github.com/google/nftables/xt/unknown.go
+++ b/vendor/github.com/google/nftables/xt/unknown.go
@@ -0,0 +1,17 @@
+package xt
+
+// Unknown represents the bytes Info payload for unknown Info types where no
+// dedicated match/target info type has (yet) been defined.
+type Unknown []byte
+
+func (x *Unknown) marshal(fam TableFamily, rev uint32) ([]byte, error) {
+	// In case of unknown payload we assume its creator knows what she/he does
+	// and thus we don't do any alignment padding. Just take the payload "as
+	// is".
+	return *x, nil
+}
+
+func (x *Unknown) unmarshal(fam TableFamily, rev uint32, data []byte) error {
+	*x = data
+	return nil
+}
--- a/vendor/github.com/google/nftables/xt/util.go
+++ b/vendor/github.com/google/nftables/xt/util.go
@@ -0,0 +1,64 @@
+package xt
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/google/nftables/alignedbuff"
+	"golang.org/x/sys/unix"
+)
+
+func bool32(ab *alignedbuff.AlignedBuff) (bool, error) {
+	v, err := ab.Uint32()
+	if err != nil {
+		return false, err
+	}
+	if v != 0 {
+		return true, nil
+	}
+	return false, nil
+}
+
+func putBool32(ab *alignedbuff.AlignedBuff, b bool) {
+	if b {
+		ab.PutUint32(1)
+		return
+	}
+	ab.PutUint32(0)
+}
+
+func iPv46(ab *alignedbuff.AlignedBuff, fam TableFamily) (net.IP, error) {
+	ip, err := ab.BytesAligned32(16)
+	if err != nil {
+		return nil, err
+	}
+	switch fam {
+	case unix.NFPROTO_IPV4:
+		return net.IP(ip[:4]), nil
+	case unix.NFPROTO_IPV6:
+		return net.IP(ip), nil
+	default:
+		return nil, fmt.Errorf("unmarshal IP: unsupported table family %d", fam)
+	}
+}
+
+func iPv46Mask(ab *alignedbuff.AlignedBuff, fam TableFamily) (net.IPMask, error) {
+	v, err := iPv46(ab, fam)
+	return net.IPMask(v), err
+}
+
+func putIPv46(ab *alignedbuff.AlignedBuff, fam TableFamily, ip net.IP) error {
+	switch fam {
+	case unix.NFPROTO_IPV4:
+		ab.PutBytesAligned32(ip.To4(), 16)
+	case unix.NFPROTO_IPV6:
+		ab.PutBytesAligned32(ip.To16(), 16)
+	default:
+		return fmt.Errorf("marshal IP: unsupported table family %d", fam)
+	}
+	return nil
+}
+
+func putIPv46Mask(ab *alignedbuff.AlignedBuff, fam TableFamily, mask net.IPMask) error {
+	return putIPv46(ab, fam, net.IP(mask))
+}
--- a/vendor/github.com/google/nftables/xt/xt.go
+++ b/vendor/github.com/google/nftables/xt/xt.go
@@ -0,0 +1,48 @@
+/*
+Package xt implements dedicated types for (some) of the "Info" payload in Match
+and Target expressions that bridge between the nftables and xtables worlds.
+
+Bridging between the more unified world of nftables and the slightly
+heterogenous world of xtables comes with some caveats. Unmarshalling the
+extension/translation information in Match and Target expressions requires
+information about the table family the information belongs to, as well as type
+and type revision information. In consequence, unmarshalling the Match and
+Target Info field payloads often (but not necessarily always) require the table
+family and revision information, so it gets passed to the type-specific
+unmarshallers.
+
+To complicate things more, even marshalling requires knowledge about the
+enclosing table family. The NatRange/NatRange2 types are an example, where it is
+necessary to differentiate between IPv4 and IPv6 address marshalling. Due to
+Go's net.IP habit to normally store IPv4 addresses as IPv4-compatible IPv6
+addresses (see also RFC 4291, section 2.5.5.1) marshalling must be handled
+differently in the context of an IPv6 table compared to an IPv4 table. In an
+IPv4 table, an IPv4-compatible IPv6 address must be marshalled as a 32bit
+address, whereas in an IPv6 table the IPv4 address must be marshalled as an
+128bit IPv4-compatible IPv6 address. Not relying on heuristics here we avoid
+behavior unexpected and most probably unknown to our API users. The net.IP habit
+of storing IPv4 addresses in two different storage formats is already a source
+for trouble, especially when comparing net.IPs from different Go module sources.
+We won't add to this confusion. (...or maybe we can, because of it?)
+
+An important property of all types of Info extension/translation payloads is
+that their marshalling and unmarshalling doesn't follow netlink's TLV
+(tag-length-value) architecture. Instead, Info payloads a basically plain binary
+blobs of their respective type-specific data structures, so host
+platform/architecture alignment and data type sizes apply. The alignedbuff
+package implements the different required data types alignments.
+
+Please note that Info payloads are always padded at their end to the next uint64
+alignment. Kernel code is checking for the padded payload size and will reject
+payloads not correctly padded at their ends.
+
+Most of the time, we find explifcitly sized (unsigned integer) data types.
+However, there are notable exceptions where "unsigned int" is used: on 64bit
+platforms this mostly translates into 32bit(!). This differs from Go mapping
+uint to uint64 instead. This package currently clamps its mapping of C's
+"unsigned int" to Go's uint32 for marshalling and unmarshalling. If in the
+future 128bit platforms with a differently sized C unsigned int should come into
+production, then the alignedbuff package will need to be adapted accordingly, as
+it abstracts away this data type handling.
+*/
+package xt