build(deps): bump github.com/containernetworking/plugins

Bumps [github.com/containernetworking/plugins](https://github.com/containernetworking/plugins) from 1.1.1 to 1.9.1.
- [Release notes](https://github.com/containernetworking/plugins/releases)
- [Commits](https://github.com/containernetworking/plugins/compare/v1.1.1...v1.9.1)

---
updated-dependencies:
- dependency-name: github.com/containernetworking/plugins
  dependency-version: 1.9.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

go.mod

@@ -5,7 +5,7 @@ go 1.25.0
 require (
 	github.com/awalterschulze/gographviz v2.0.3+incompatible
 	github.com/containernetworking/cni v1.3.0
-	github.com/containernetworking/plugins v1.1.1
+	github.com/containernetworking/plugins v1.9.1
 	github.com/coreos/go-iptables v0.8.0
 	github.com/go-kit/kit v0.9.0
 	github.com/kylelemons/godebug v1.1.0
@@ -42,22 +42,23 @@ require (
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
-	github.com/josharian/native v0.0.0-20200817173448-b6b71def0850 // indirect
+	github.com/josharian/native v1.1.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mdlayher/genetlink v1.0.0 // indirect
 	github.com/mdlayher/netlink v1.4.1 // indirect
-	github.com/mdlayher/socket v0.0.0-20211102153432-57e3fa563ecb // indirect
+	github.com/mdlayher/socket v0.5.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.66.1 // indirect
 	github.com/prometheus/procfs v0.16.1 // indirect
-	github.com/safchain/ethtool v0.0.0-20210803160452-9aa261dae9b1 // indirect
+	github.com/safchain/ethtool v0.6.2 // indirect
 	github.com/spf13/pflag v1.0.9 // indirect
 	github.com/vishvananda/netns v0.0.5 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
@@ -87,6 +88,7 @@ require (
 	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
 	sigs.k8s.io/controller-tools v0.14.0 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
+	sigs.k8s.io/knftables v0.0.18 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect

go.sum

@@ -22,8 +22,8 @@ github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL
 github.com/cilium/ebpf v0.5.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
 github.com/containernetworking/cni v1.3.0 h1:v6EpN8RznAZj9765HhXQrtXgX+ECGebEYEmnuFjskwo=
 github.com/containernetworking/cni v1.3.0/go.mod h1:Bs8glZjjFfGPHMw6hQu82RUgEPNGEaBb9KS5KtNMnJ4=
-github.com/containernetworking/plugins v1.1.1 h1:+AGfFigZ5TiQH00vhR8qPeSatj53eNGz0C1d3wVYlHE=
-github.com/containernetworking/plugins v1.1.1/go.mod h1:Sr5TH/eBsGLXK/h71HeLfX19sZPp3ry5uHSkI4LPxV8=
+github.com/containernetworking/plugins v1.9.1 h1:8oU6WsIsU3bpnNZuvHp74a6cE1MJwbj2P7s4/yTUNlA=
+github.com/containernetworking/plugins v1.9.1/go.mod h1:fj7kS55qg3o/RgS+WGsF3+ZxwIImMPusQZKzBpcSr4c=
 github.com/coreos/go-iptables v0.8.0 h1:MPc2P89IhuVpLI7ETL/2tx3XZ61VeICZjYqDEgNsPRc=
 github.com/coreos/go-iptables v0.8.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
@@ -79,16 +79,17 @@ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
-github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
+github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 h1:EEHtgt9IwisQ2AZ4pIsMjahcegHh6rmhqxzIRQIyepY=
+github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6/go.mod h1:I6V7YzU0XDpsHqbsyrghnFZLO1gwK6NPTNvmetQIk9U=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
-github.com/josharian/native v0.0.0-20200817173448-b6b71def0850 h1:uhL5Gw7BINiiPAo24A2sxkcDI0Jt/sqp1v5xQCniEFA=
 github.com/josharian/native v0.0.0-20200817173448-b6b71def0850/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
+github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
+github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/jsimonetti/rtnetlink v0.0.0-20190606172950-9527aa82566a/go.mod h1:Oz+70psSo5OFh8DBl0Zv2ACw7Esh6pPUphlvZG9x7uw=
 github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4/go.mod h1:WGuG/smIU4J/54PblvSbh+xvCZmpJnFgr3ds6Z55XMQ=
 github.com/jsimonetti/rtnetlink v0.0.0-20201009170750-9c6f07d100c1/go.mod h1:hqoO/u39cqLeBLebZ8fWdE96O7FxrAsRYhnVOdgHxok=
@@ -117,6 +118,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/lithammer/dedent v1.1.0 h1:VNzHMVCBNG1j0fh3OrsFRkVUwStdDArbgBWoPAffktY=
+github.com/lithammer/dedent v1.1.0/go.mod h1:jrXYCQtgg0nJiN+StA2KgR7w6CiQNv9Fd/Z9BP0jIOc=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
@@ -141,8 +144,9 @@ github.com/mdlayher/netlink v1.4.0/go.mod h1:dRJi5IABcZpBD2A3D0Mv/AiX8I9uDEu5oGk
 github.com/mdlayher/netlink v1.4.1 h1:I154BCU+mKlIf7BgcAJB2r7QjveNPty6uNY1g9ChVfI=
 github.com/mdlayher/netlink v1.4.1/go.mod h1:e4/KuJ+s8UhfUpO9z00/fDZZmhSrs+oxyqAS9cNgn6Q=
 github.com/mdlayher/socket v0.0.0-20210307095302-262dc9984e00/go.mod h1:GAFlyu4/XV68LkQKYzKhIo/WW7j3Zi0YRAz/BOoanUc=
-github.com/mdlayher/socket v0.0.0-20211102153432-57e3fa563ecb h1:2dC7L10LmTqlyMVzFJ00qM25lqESg9Z4u3GuEXN5iHY=
 github.com/mdlayher/socket v0.0.0-20211102153432-57e3fa563ecb/go.mod h1:nFZ1EtZYK8Gi/k6QNu7z7CgO20i/4ExeQswwWuPmG/g=
+github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
+github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
 github.com/metalmatze/signal v0.0.0-20210307161603-1c9aa721a97a h1:0usWxe5SGXKQovz3p+BiQ81Jy845xSMu2CWKuXsXuUM=
 github.com/metalmatze/signal v0.0.0-20210307161603-1c9aa721a97a/go.mod h1:3OETvrxfELvGsU2RoGGWercfeZ4bCL3+SOwzIWtJH/Q=
 github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721 h1:RlZweED6sbSArvlE924+mUcZuXKLBHA35U7LN621Bws=
@@ -170,6 +174,8 @@ github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
 github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
@@ -194,8 +200,8 @@ github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlT
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/safchain/ethtool v0.0.0-20210803160452-9aa261dae9b1 h1:ZFfeKAhIQiiOrQaI3/znw0gOmYpO28Tcu1YaqMa/jtQ=
-github.com/safchain/ethtool v0.0.0-20210803160452-9aa261dae9b1/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4=
+github.com/safchain/ethtool v0.6.2 h1:O3ZPFAKEUEfbtE6J/feEe2Ft7dIJ2Sy8t4SdMRiIMHY=
+github.com/safchain/ethtool v0.6.2/go.mod h1:VS7cn+bP3Px3rIq55xImBiZGHVLNyBh5dqG6dDQy8+I=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
@@ -372,6 +378,8 @@ sigs.k8s.io/controller-tools v0.14.0 h1:rnNoCC5wSXlrNoBKKzL70LNJKIQKEzT6lloG6/LF
 sigs.k8s.io/controller-tools v0.14.0/go.mod h1:TV7uOtNNnnR72SpzhStvPkoS/U5ir0nMudrkrC4M9Sc=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/knftables v0.0.18 h1:6Duvmu0s/HwGifKrtl6G3AyAPYlWiZqTgS8bkVMiyaE=
+sigs.k8s.io/knftables v0.0.18/go.mod h1:f/5ZLKYEUPUhVjUCg6l80ACdL7CIIyeL0DxfgojGRTk=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=

vendor/github.com/containernetworking/plugins/pkg/ip/addr_linux.go

@@ -20,6 +20,8 @@ import (
 	"time"
 
 	"github.com/vishvananda/netlink"
+
+	"github.com/containernetworking/plugins/pkg/netlinksafe"
 )
 
 const SETTLE_INTERVAL = 50 * time.Millisecond
@@ -29,15 +31,15 @@ const SETTLE_INTERVAL = 50 * time.Millisecond
 // There is no easy way to wait for this as an event, so just loop until the
 // addresses are no longer tentative.
 // If any addresses are still tentative after timeout seconds, then error.
-func SettleAddresses(ifName string, timeout int) error {
-	link, err := netlink.LinkByName(ifName)
+func SettleAddresses(ifName string, timeout time.Duration) error {
+	link, err := netlinksafe.LinkByName(ifName)
 	if err != nil {
 		return fmt.Errorf("failed to retrieve link: %v", err)
 	}
 
-	deadline := time.Now().Add(time.Duration(timeout) * time.Second)
+	deadline := time.Now().Add(timeout)
 	for {
-		addrs, err := netlink.AddrList(link, netlink.FAMILY_ALL)
+		addrs, err := netlinksafe.AddrList(link, netlink.FAMILY_V6)
 		if err != nil {
 			return fmt.Errorf("could not list addresses: %v", err)
 		}
@@ -48,7 +50,13 @@ func SettleAddresses(ifName string, timeout int) error {
 
 		ok := true
 		for _, addr := range addrs {
-			if addr.Flags&(syscall.IFA_F_TENTATIVE|syscall.IFA_F_DADFAILED) > 0 {
+			if addr.Flags&(syscall.IFA_F_DADFAILED) != 0 {
+				return fmt.Errorf("link %s has address %s in DADFAILED state",
+					ifName,
+					addr.IP.String())
+			}
+
+			if addr.Flags&(syscall.IFA_F_TENTATIVE) != 0 {
 				ok = false
 				break // Break out of the `range addrs`, not the `for`
 			}
@@ -58,9 +66,16 @@ func SettleAddresses(ifName string, timeout int) error {
 			return nil
 		}
 		if time.Now().After(deadline) {
-			return fmt.Errorf("link %s still has tentative addresses after %d seconds",
-				ifName,
-				timeout)
+			link, err := netlinksafe.LinkByName(ifName)
+			if err != nil {
+				return fmt.Errorf("failed to retrieve link: %v", err)
+			}
+			if link.Attrs().OperState == netlink.OperUp {
+				return fmt.Errorf("link %s still has tentative addresses after %d seconds",
+					ifName,
+					timeout)
+			}
+			return nil
 		}
 
 		time.Sleep(SETTLE_INTERVAL)

vendor/github.com/containernetworking/plugins/pkg/ip/cidr.go

@@ -19,43 +19,87 @@ import (
 	"net"
 )
 
-// NextIP returns IP incremented by 1
+// NextIP returns IP incremented by 1, if IP is invalid, return nil
 func NextIP(ip net.IP) net.IP {
-	i := ipToInt(ip)
-	return intToIP(i.Add(i, big.NewInt(1)))
+	normalizedIP := normalizeIP(ip)
+	if normalizedIP == nil {
+		return nil
+	}
+
+	i := ipToInt(normalizedIP)
+	return intToIP(i.Add(i, big.NewInt(1)), len(normalizedIP) == net.IPv6len)
 }
 
-// PrevIP returns IP decremented by 1
+// PrevIP returns IP decremented by 1, if IP is invalid, return nil
 func PrevIP(ip net.IP) net.IP {
-	i := ipToInt(ip)
-	return intToIP(i.Sub(i, big.NewInt(1)))
+	normalizedIP := normalizeIP(ip)
+	if normalizedIP == nil {
+		return nil
+	}
+
+	i := ipToInt(normalizedIP)
+	return intToIP(i.Sub(i, big.NewInt(1)), len(normalizedIP) == net.IPv6len)
 }
 
 // Cmp compares two IPs, returning the usual ordering:
 // a < b : -1
 // a == b : 0
 // a > b : 1
+// incomparable : -2
 func Cmp(a, b net.IP) int {
-	aa := ipToInt(a)
-	bb := ipToInt(b)
-	return aa.Cmp(bb)
+	normalizedA := normalizeIP(a)
+	normalizedB := normalizeIP(b)
+
+	if len(normalizedA) == len(normalizedB) && len(normalizedA) != 0 {
+		return ipToInt(normalizedA).Cmp(ipToInt(normalizedB))
+	}
+
+	return -2
 }
 
 func ipToInt(ip net.IP) *big.Int {
-	if v := ip.To4(); v != nil {
-		return big.NewInt(0).SetBytes(v)
+	return big.NewInt(0).SetBytes(ip)
+}
+
+func intToIP(i *big.Int, isIPv6 bool) net.IP {
+	intBytes := i.Bytes()
+
+	if len(intBytes) == net.IPv4len || len(intBytes) == net.IPv6len {
+		return intBytes
+	}
+
+	if isIPv6 {
+		return append(make([]byte, net.IPv6len-len(intBytes)), intBytes...)
 	}
-	return big.NewInt(0).SetBytes(ip.To16())
+
+	return append(make([]byte, net.IPv4len-len(intBytes)), intBytes...)
 }
 
-func intToIP(i *big.Int) net.IP {
-	return net.IP(i.Bytes())
+// normalizeIP will normalize IP by family,
+// IPv4 : 4-byte form
+// IPv6 : 16-byte form
+// others : nil
+func normalizeIP(ip net.IP) net.IP {
+	if ipTo4 := ip.To4(); ipTo4 != nil {
+		return ipTo4
+	}
+	return ip.To16()
 }
 
-// Network masks off the host portion of the IP
+// Network masks off the host portion of the IP, if IPNet is invalid,
+// return nil
 func Network(ipn *net.IPNet) *net.IPNet {
+	if ipn == nil {
+		return nil
+	}
+
+	maskedIP := ipn.IP.Mask(ipn.Mask)
+	if maskedIP == nil {
+		return nil
+	}
+
 	return &net.IPNet{
-		IP:   ipn.IP.Mask(ipn.Mask),
+		IP:   maskedIP,
 		Mask: ipn.Mask,
 	}
 }

vendor/github.com/containernetworking/plugins/pkg/ip/ip.go

@@ -47,13 +47,12 @@ func ParseIP(s string) *IP {
 			return nil
 		}
 		return newIP(ip, ipNet.Mask)
-	} else {
-		ip := net.ParseIP(s)
-		if ip == nil {
-			return nil
-		}
-		return newIP(ip, nil)
 	}
+	ip := net.ParseIP(s)
+	if ip == nil {
+		return nil
+	}
+	return newIP(ip, nil)
 }
 
 // ToIP will return a net.IP in standard form from this IP.

vendor/github.com/containernetworking/plugins/pkg/ip/ipforward_linux.go

@@ -16,7 +16,7 @@ package ip
 
 import (
 	"bytes"
-	"io/ioutil"
+	"os"
 
 	current "github.com/containernetworking/cni/pkg/types/100"
 )
@@ -53,10 +53,10 @@ func EnableForward(ips []*current.IPConfig) error {
 }
 
 func echo1(f string) error {
-	if content, err := ioutil.ReadFile(f); err == nil {
+	if content, err := os.ReadFile(f); err == nil {
 		if bytes.Equal(bytes.TrimSpace(content), []byte("1")) {
 			return nil
 		}
 	}
-	return ioutil.WriteFile(f, []byte("1"), 0644)
+	return os.WriteFile(f, []byte("1"), 0o644)
 }

vendor/github.com/containernetworking/plugins/pkg/ip/ipmasq_iptables_linux.go

@@ -0,0 +1,180 @@
+// Copyright 2015 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ip
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"strings"
+
+	"github.com/coreos/go-iptables/iptables"
+
+	"github.com/containernetworking/cni/pkg/types"
+	"github.com/containernetworking/plugins/pkg/utils"
+)
+
+// setupIPMasqIPTables is the iptables-based implementation of SetupIPMasqForNetworks
+func setupIPMasqIPTables(ipns []*net.IPNet, network, _, containerID string) error {
+	// Note: for historical reasons, the iptables implementation ignores ifname.
+	chain := utils.FormatChainName(network, containerID)
+	comment := utils.FormatComment(network, containerID)
+	for _, ip := range ipns {
+		if err := SetupIPMasq(ip, chain, comment); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// SetupIPMasq installs iptables rules to masquerade traffic
+// coming from ip of ipn and going outside of ipn.
+// Deprecated: This function only supports iptables. Use SetupIPMasqForNetworks, which
+// supports both iptables and nftables.
+func SetupIPMasq(ipn *net.IPNet, chain string, comment string) error {
+	isV6 := ipn.IP.To4() == nil
+
+	var ipt *iptables.IPTables
+	var err error
+	var multicastNet string
+
+	if isV6 {
+		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv6)
+		multicastNet = "ff00::/8"
+	} else {
+		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv4)
+		multicastNet = "224.0.0.0/4"
+	}
+	if err != nil {
+		return fmt.Errorf("failed to locate iptables: %v", err)
+	}
+
+	// Create chain if doesn't exist
+	exists := false
+	chains, err := ipt.ListChains("nat")
+	if err != nil {
+		return fmt.Errorf("failed to list chains: %v", err)
+	}
+	for _, ch := range chains {
+		if ch == chain {
+			exists = true
+			break
+		}
+	}
+	if !exists {
+		if err = ipt.NewChain("nat", chain); err != nil {
+			return err
+		}
+	}
+
+	// Packets to this network should not be touched
+	if err := ipt.AppendUnique("nat", chain, "-d", ipn.String(), "-j", "ACCEPT", "-m", "comment", "--comment", comment); err != nil {
+		return err
+	}
+
+	// Don't masquerade multicast - pods should be able to talk to other pods
+	// on the local network via multicast.
+	if err := ipt.AppendUnique("nat", chain, "!", "-d", multicastNet, "-j", "MASQUERADE", "-m", "comment", "--comment", comment); err != nil {
+		return err
+	}
+
+	// Packets from the specific IP of this network will hit the chain
+	return ipt.AppendUnique("nat", "POSTROUTING", "-s", ipn.IP.String(), "-j", chain, "-m", "comment", "--comment", comment)
+}
+
+// teardownIPMasqIPTables is the iptables-based implementation of TeardownIPMasqForNetworks
+func teardownIPMasqIPTables(ipns []*net.IPNet, network, _, containerID string) error {
+	// Note: for historical reasons, the iptables implementation ignores ifname.
+	chain := utils.FormatChainName(network, containerID)
+	comment := utils.FormatComment(network, containerID)
+
+	var errs []string
+	for _, ipn := range ipns {
+		err := TeardownIPMasq(ipn, chain, comment)
+		if err != nil {
+			errs = append(errs, err.Error())
+		}
+	}
+
+	if errs == nil {
+		return nil
+	}
+	return errors.New(strings.Join(errs, "\n"))
+}
+
+// TeardownIPMasq undoes the effects of SetupIPMasq.
+// Deprecated: This function only supports iptables. Use TeardownIPMasqForNetworks, which
+// supports both iptables and nftables.
+func TeardownIPMasq(ipn *net.IPNet, chain string, comment string) error {
+	isV6 := ipn.IP.To4() == nil
+
+	var ipt *iptables.IPTables
+	var err error
+
+	if isV6 {
+		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv6)
+	} else {
+		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv4)
+	}
+	if err != nil {
+		return fmt.Errorf("failed to locate iptables: %v", err)
+	}
+
+	err = ipt.Delete("nat", "POSTROUTING", "-s", ipn.IP.String(), "-j", chain, "-m", "comment", "--comment", comment)
+	if err != nil && !isNotExist(err) {
+		return err
+	}
+
+	// for downward compatibility
+	err = ipt.Delete("nat", "POSTROUTING", "-s", ipn.String(), "-j", chain, "-m", "comment", "--comment", comment)
+	if err != nil && !isNotExist(err) {
+		return err
+	}
+
+	err = ipt.ClearChain("nat", chain)
+	if err != nil && !isNotExist(err) {
+		return err
+	}
+
+	err = ipt.DeleteChain("nat", chain)
+	if err != nil && !isNotExist(err) {
+		return err
+	}
+
+	return nil
+}
+
+// gcIPMasqIPTables is the iptables-based implementation of GCIPMasqForNetwork
+func gcIPMasqIPTables(_ string, _ []types.GCAttachment) error {
+	// FIXME: The iptables implementation does not support GC.
+	//
+	// (In theory, it _could_ backward-compatibly support it, by adding a no-op rule
+	// with a comment indicating the network to each chain it creates, so that it
+	// could later figure out which chains corresponded to which networks; older
+	// implementations would ignore the extra rule but would still correctly delete
+	// the chain on teardown (because they ClearChain() before doing DeleteChain()).
+
+	return nil
+}
+
+// isNotExist returnst true if the error is from iptables indicating
+// that the target does not exist.
+func isNotExist(err error) bool {
+	e, ok := err.(*iptables.Error)
+	if !ok {
+		return false
+	}
+	return e.IsNotExist()
+}

vendor/github.com/containernetworking/plugins/pkg/ip/ipmasq_linux.go

@@ -15,112 +15,78 @@
 package ip
 
 import (
+	"errors"
 	"fmt"
 	"net"
+	"strings"
 
-	"github.com/coreos/go-iptables/iptables"
+	"github.com/containernetworking/cni/pkg/types"
+	"github.com/containernetworking/plugins/pkg/utils"
 )
 
-// SetupIPMasq installs iptables rules to masquerade traffic
-// coming from ip of ipn and going outside of ipn
-func SetupIPMasq(ipn *net.IPNet, chain string, comment string) error {
-	isV6 := ipn.IP.To4() == nil
-
-	var ipt *iptables.IPTables
-	var err error
-	var multicastNet string
-
-	if isV6 {
-		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv6)
-		multicastNet = "ff00::/8"
-	} else {
-		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv4)
-		multicastNet = "224.0.0.0/4"
-	}
-	if err != nil {
-		return fmt.Errorf("failed to locate iptables: %v", err)
-	}
-
-	// Create chain if doesn't exist
-	exists := false
-	chains, err := ipt.ListChains("nat")
-	if err != nil {
-		return fmt.Errorf("failed to list chains: %v", err)
-	}
-	for _, ch := range chains {
-		if ch == chain {
-			exists = true
-			break
-		}
-	}
-	if !exists {
-		if err = ipt.NewChain("nat", chain); err != nil {
-			return err
+// SetupIPMasqForNetworks installs rules to masquerade traffic coming from ips of ipns and
+// going outside of ipns, using a chain name based on network, ifname, and containerID. The
+// backend can be either "iptables" or "nftables"; if it is nil, then a suitable default
+// implementation will be used.
+func SetupIPMasqForNetworks(backend *string, ipns []*net.IPNet, network, ifname, containerID string) error {
+	if backend == nil {
+		// Prefer iptables, unless only nftables is available
+		defaultBackend := "iptables"
+		if !utils.SupportsIPTables() && utils.SupportsNFTables() {
+			defaultBackend = "nftables"
 		}
+		backend = &defaultBackend
 	}
 
-	// Packets to this network should not be touched
-	if err := ipt.AppendUnique("nat", chain, "-d", ipn.String(), "-j", "ACCEPT", "-m", "comment", "--comment", comment); err != nil {
-		return err
+	switch *backend {
+	case "iptables":
+		return setupIPMasqIPTables(ipns, network, ifname, containerID)
+	case "nftables":
+		return setupIPMasqNFTables(ipns, network, ifname, containerID)
+	default:
+		return fmt.Errorf("unknown ipmasq backend %q", *backend)
 	}
-
-	// Don't masquerade multicast - pods should be able to talk to other pods
-	// on the local network via multicast.
-	if err := ipt.AppendUnique("nat", chain, "!", "-d", multicastNet, "-j", "MASQUERADE", "-m", "comment", "--comment", comment); err != nil {
-		return err
-	}
-
-	// Packets from the specific IP of this network will hit the chain
-	return ipt.AppendUnique("nat", "POSTROUTING", "-s", ipn.IP.String(), "-j", chain, "-m", "comment", "--comment", comment)
 }
 
-// TeardownIPMasq undoes the effects of SetupIPMasq
-func TeardownIPMasq(ipn *net.IPNet, chain string, comment string) error {
-	isV6 := ipn.IP.To4() == nil
+// TeardownIPMasqForNetworks undoes the effects of SetupIPMasqForNetworks
+func TeardownIPMasqForNetworks(ipns []*net.IPNet, network, ifname, containerID string) error {
+	var errs []string
 
-	var ipt *iptables.IPTables
-	var err error
+	// Do both the iptables and the nftables cleanup, since the pod may have been
+	// created with a different version of this plugin or a different configuration.
 
-	if isV6 {
-		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv6)
-	} else {
-		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv4)
-	}
-	if err != nil {
-		return fmt.Errorf("failed to locate iptables: %v", err)
+	err := teardownIPMasqIPTables(ipns, network, ifname, containerID)
+	if err != nil && utils.SupportsIPTables() {
+		errs = append(errs, err.Error())
 	}
 
-	err = ipt.Delete("nat", "POSTROUTING", "-s", ipn.IP.String(), "-j", chain, "-m", "comment", "--comment", comment)
-	if err != nil && !isNotExist(err) {
-		return err
+	err = teardownIPMasqNFTables(ipns, network, ifname, containerID)
+	if err != nil && utils.SupportsNFTables() {
+		errs = append(errs, err.Error())
 	}
 
-	// for downward compatibility
-	err = ipt.Delete("nat", "POSTROUTING", "-s", ipn.String(), "-j", chain, "-m", "comment", "--comment", comment)
-	if err != nil && !isNotExist(err) {
-		return err
+	if errs == nil {
+		return nil
 	}
+	return errors.New(strings.Join(errs, "\n"))
+}
 
-	err = ipt.ClearChain("nat", chain)
-	if err != nil && !isNotExist(err) {
-		return err
+// GCIPMasqForNetwork garbage collects stale IPMasq entries for network
+func GCIPMasqForNetwork(network string, attachments []types.GCAttachment) error {
+	var errs []string
 
+	err := gcIPMasqIPTables(network, attachments)
+	if err != nil && utils.SupportsIPTables() {
+		errs = append(errs, err.Error())
 	}
 
-	err = ipt.DeleteChain("nat", chain)
-	if err != nil && !isNotExist(err) {
-		return err
+	err = gcIPMasqNFTables(network, attachments)
+	if err != nil && utils.SupportsNFTables() {
+		errs = append(errs, err.Error())
 	}
 
-	return nil
-}
-
-// isNotExist returnst true if the error is from iptables indicating
-// that the target does not exist.
-func isNotExist(err error) bool {
-	e, ok := err.(*iptables.Error)
-	if !ok {
-		return false
+	if errs == nil {
+		return nil
 	}
-	return e.IsNotExist()
+	return errors.New(strings.Join(errs, "\n"))
 }

vendor/github.com/containernetworking/plugins/pkg/ip/ipmasq_nftables_linux.go

@@ -0,0 +1,231 @@
+// Copyright 2023 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ip
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"strings"
+
+	"sigs.k8s.io/knftables"
+
+	"github.com/containernetworking/cni/pkg/types"
+	"github.com/containernetworking/plugins/pkg/utils"
+)
+
+const (
+	ipMasqTableName = "cni_plugins_masquerade"
+	ipMasqChainName = "masq_checks"
+)
+
+// The nftables ipmasq implementation is mostly like the iptables implementation, with
+// minor updates to fix a bug (adding `ifname`) and to allow future GC support.
+//
+// We add a rule for each mapping, with a comment containing a hash of its identifiers,
+// so that we can later reliably delete the rules we want. (This is important because in
+// edge cases, it's possible the plugin might see "ADD container A with IP 192.168.1.3",
+// followed by "ADD container B with IP 192.168.1.3" followed by "DEL container A with IP
+// 192.168.1.3", and we need to make sure that the DEL causes us to delete the rule for
+// container A, and not the rule for container B.)
+//
+// It would be more nftables-y to have a chain with a single rule doing a lookup against a
+// set with an element per mapping, rather than having a chain with a rule per mapping.
+// But there's no easy, non-racy way to say "delete the element 192.168.1.3 from the set,
+// but only if it was added for container A, not if it was added for container B".
+
+// hashForNetwork returns a unique hash for this network
+func hashForNetwork(network string) string {
+	return utils.MustFormatHashWithPrefix(16, "", network)
+}
+
+// hashForInstance returns a unique hash identifying the rules for this
+// network/ifname/containerID
+func hashForInstance(network, ifname, containerID string) string {
+	return hashForNetwork(network) + "-" + utils.MustFormatHashWithPrefix(16, "", ifname+":"+containerID)
+}
+
+// commentForInstance returns a comment string that begins with a unique hash and
+// ends with a (possibly-truncated) human-readable description.
+func commentForInstance(network, ifname, containerID string) string {
+	comment := fmt.Sprintf("%s, net: %s, if: %s, id: %s",
+		hashForInstance(network, ifname, containerID),
+		strings.ReplaceAll(network, `"`, ``),
+		strings.ReplaceAll(ifname, `"`, ``),
+		strings.ReplaceAll(containerID, `"`, ``),
+	)
+	if len(comment) > knftables.CommentLengthMax {
+		comment = comment[:knftables.CommentLengthMax]
+	}
+	return comment
+}
+
+// setupIPMasqNFTables is the nftables-based implementation of SetupIPMasqForNetworks
+func setupIPMasqNFTables(ipns []*net.IPNet, network, ifname, containerID string) error {
+	nft, err := knftables.New(knftables.InetFamily, ipMasqTableName)
+	if err != nil {
+		return err
+	}
+	return setupIPMasqNFTablesWithInterface(nft, ipns, network, ifname, containerID)
+}
+
+func setupIPMasqNFTablesWithInterface(nft knftables.Interface, ipns []*net.IPNet, network, ifname, containerID string) error {
+	staleRules, err := findRules(nft, hashForInstance(network, ifname, containerID))
+	if err != nil {
+		return err
+	}
+
+	tx := nft.NewTransaction()
+
+	// Ensure that our table and chains exist.
+	tx.Add(&knftables.Table{
+		Comment: knftables.PtrTo("Masquerading for plugins from github.com/containernetworking/plugins"),
+	})
+	tx.Add(&knftables.Chain{
+		Name:    ipMasqChainName,
+		Comment: knftables.PtrTo("Masquerade traffic from certain IPs to any (non-multicast) IP outside their subnet"),
+	})
+
+	// Ensure that the postrouting chain exists and has the correct rules. (Has to be
+	// done after creating ipMasqChainName, so we can jump to it.)
+	tx.Add(&knftables.Chain{
+		Name:     "postrouting",
+		Type:     knftables.PtrTo(knftables.NATType),
+		Hook:     knftables.PtrTo(knftables.PostroutingHook),
+		Priority: knftables.PtrTo(knftables.SNATPriority),
+	})
+	tx.Flush(&knftables.Chain{
+		Name: "postrouting",
+	})
+	tx.Add(&knftables.Rule{
+		Chain: "postrouting",
+		Rule:  "ip daddr == 224.0.0.0/4  return",
+	})
+	tx.Add(&knftables.Rule{
+		Chain: "postrouting",
+		Rule:  "ip6 daddr == ff00::/8  return",
+	})
+	tx.Add(&knftables.Rule{
+		Chain: "postrouting",
+		Rule: knftables.Concat(
+			"goto", ipMasqChainName,
+		),
+	})
+
+	// Delete stale rules, add new rules to masquerade chain
+	for _, rule := range staleRules {
+		tx.Delete(rule)
+	}
+	for _, ipn := range ipns {
+		ip := "ip"
+		if ipn.IP.To4() == nil {
+			ip = "ip6"
+		}
+
+		// e.g. if ipn is "192.168.1.4/24", then dstNet is "192.168.1.0/24"
+		dstNet := &net.IPNet{IP: ipn.IP.Mask(ipn.Mask), Mask: ipn.Mask}
+
+		tx.Add(&knftables.Rule{
+			Chain: ipMasqChainName,
+			Rule: knftables.Concat(
+				ip, "saddr", "==", ipn.IP,
+				ip, "daddr", "!=", dstNet,
+				"masquerade",
+			),
+			Comment: knftables.PtrTo(commentForInstance(network, ifname, containerID)),
+		})
+	}
+
+	return nft.Run(context.TODO(), tx)
+}
+
+// teardownIPMasqNFTables is the nftables-based implementation of TeardownIPMasqForNetworks
+func teardownIPMasqNFTables(ipns []*net.IPNet, network, ifname, containerID string) error {
+	nft, err := knftables.New(knftables.InetFamily, ipMasqTableName)
+	if err != nil {
+		return err
+	}
+	return teardownIPMasqNFTablesWithInterface(nft, ipns, network, ifname, containerID)
+}
+
+func teardownIPMasqNFTablesWithInterface(nft knftables.Interface, _ []*net.IPNet, network, ifname, containerID string) error {
+	rules, err := findRules(nft, hashForInstance(network, ifname, containerID))
+	if err != nil {
+		return err
+	} else if len(rules) == 0 {
+		return nil
+	}
+
+	tx := nft.NewTransaction()
+	for _, rule := range rules {
+		tx.Delete(rule)
+	}
+	return nft.Run(context.TODO(), tx)
+}
+
+// gcIPMasqNFTables is the nftables-based implementation of GCIPMasqForNetwork
+func gcIPMasqNFTables(network string, attachments []types.GCAttachment) error {
+	nft, err := knftables.New(knftables.InetFamily, ipMasqTableName)
+	if err != nil {
+		return err
+	}
+	return gcIPMasqNFTablesWithInterface(nft, network, attachments)
+}
+
+func gcIPMasqNFTablesWithInterface(nft knftables.Interface, network string, attachments []types.GCAttachment) error {
+	// Find all rules for the network
+	rules, err := findRules(nft, hashForNetwork(network))
+	if err != nil {
+		return err
+	} else if len(rules) == 0 {
+		return nil
+	}
+
+	// Compute the comments for all elements of attachments
+	validAttachments := map[string]bool{}
+	for _, attachment := range attachments {
+		validAttachments[commentForInstance(network, attachment.IfName, attachment.ContainerID)] = true
+	}
+
+	// Delete anything in rules that isn't in validAttachments
+	tx := nft.NewTransaction()
+	for _, rule := range rules {
+		if !validAttachments[*rule.Comment] {
+			tx.Delete(rule)
+		}
+	}
+	return nft.Run(context.TODO(), tx)
+}
+
+// findRules finds rules with comments that start with commentPrefix.
+func findRules(nft knftables.Interface, commentPrefix string) ([]*knftables.Rule, error) {
+	rules, err := nft.ListRules(context.TODO(), ipMasqChainName)
+	if err != nil {
+		if knftables.IsNotFound(err) {
+			// If ipMasqChainName doesn't exist yet, that's fine
+			return nil, nil
+		}
+		return nil, err
+	}
+
+	matchingRules := make([]*knftables.Rule, 0, 1)
+	for _, rule := range rules {
+		if rule.Comment != nil && strings.HasPrefix(*rule.Comment, commentPrefix) {
+			matchingRules = append(matchingRules, rule)
+		}
+	}
+
+	return matchingRules, nil
+}

vendor/github.com/containernetworking/plugins/pkg/ip/link_linux.go

@@ -24,21 +24,21 @@ import (
 	"github.com/safchain/ethtool"
 	"github.com/vishvananda/netlink"
 
+	"github.com/containernetworking/plugins/pkg/netlinksafe"
 	"github.com/containernetworking/plugins/pkg/ns"
 	"github.com/containernetworking/plugins/pkg/utils/sysctl"
 )
 
-var (
-	ErrLinkNotFound = errors.New("link not found")
-)
+var ErrLinkNotFound = errors.New("link not found")
 
 // makeVethPair is called from within the container's network namespace
 func makeVethPair(name, peer string, mtu int, mac string, hostNS ns.NetNS) (netlink.Link, error) {
+	linkAttrs := netlink.NewLinkAttrs()
+	linkAttrs.Name = name
+	linkAttrs.MTU = mtu
+
 	veth := &netlink.Veth{
-		LinkAttrs: netlink.LinkAttrs{
-			Name: name,
-			MTU:  mtu,
-		},
+		LinkAttrs:     linkAttrs,
 		PeerName:      peer,
 		PeerNamespace: netlink.NsFd(int(hostNS.Fd())),
 	}
@@ -53,7 +53,7 @@ func makeVethPair(name, peer string, mtu int, mac string, hostNS ns.NetNS) (netl
 		return nil, err
 	}
 	// Re-fetch the container link to get its creation-time parameters, e.g. index and mac
-	veth2, err := netlink.LinkByName(name)
+	veth2, err := netlinksafe.LinkByName(name)
 	if err != nil {
 		netlink.LinkDel(veth) // try and clean up the link if possible.
 		return nil, err
@@ -63,44 +63,43 @@ func makeVethPair(name, peer string, mtu int, mac string, hostNS ns.NetNS) (netl
 }
 
 func peerExists(name string) bool {
-	if _, err := netlink.LinkByName(name); err != nil {
+	if _, err := netlinksafe.LinkByName(name); err != nil {
 		return false
 	}
 	return true
 }
 
-func makeVeth(name, vethPeerName string, mtu int, mac string, hostNS ns.NetNS) (peerName string, veth netlink.Link, err error) {
+func makeVeth(name, vethPeerName string, mtu int, mac string, hostNS ns.NetNS) (string, netlink.Link, error) {
+	var peerName string
+	var veth netlink.Link
+	var err error
 	for i := 0; i < 10; i++ {
 		if vethPeerName != "" {
 			peerName = vethPeerName
 		} else {
 			peerName, err = RandomVethName()
 			if err != nil {
-				return
+				return peerName, nil, err
 			}
 		}
 
 		veth, err = makeVethPair(name, peerName, mtu, mac, hostNS)
 		switch {
 		case err == nil:
-			return
+			return peerName, veth, nil
 
 		case os.IsExist(err):
 			if peerExists(peerName) && vethPeerName == "" {
 				continue
 			}
-			err = fmt.Errorf("container veth name provided (%v) already exists", name)
-			return
-
+			return peerName, veth, fmt.Errorf("container veth name (%q) peer provided (%q) already exists", name, peerName)
 		default:
-			err = fmt.Errorf("failed to make veth pair: %v", err)
-			return
+			return peerName, veth, fmt.Errorf("failed to make veth pair: %v", err)
 		}
 	}
 
 	// should really never be hit
-	err = fmt.Errorf("failed to find a unique veth name")
-	return
+	return peerName, nil, fmt.Errorf("failed to find a unique veth name")
 }
 
 // RandomVethName returns string "veth" with random prefix (hashed from entropy)
@@ -116,7 +115,7 @@ func RandomVethName() (string, error) {
 }
 
 func RenameLink(curName, newName string) error {
-	link, err := netlink.LinkByName(curName)
+	link, err := netlinksafe.LinkByName(curName)
 	if err == nil {
 		err = netlink.LinkSetName(link, newName)
 	}
@@ -147,7 +146,7 @@ func SetupVethWithName(contVethName, hostVethName string, mtu int, contVethMac s
 
 	var hostVeth netlink.Link
 	err = hostNS.Do(func(_ ns.NetNS) error {
-		hostVeth, err = netlink.LinkByName(hostVethName)
+		hostVeth, err = netlinksafe.LinkByName(hostVethName)
 		if err != nil {
 			return fmt.Errorf("failed to lookup %q in %q: %v", hostVethName, hostNS.Path(), err)
 		}
@@ -176,7 +175,7 @@ func SetupVeth(contVethName string, mtu int, contVethMac string, hostNS ns.NetNS
 
 // DelLinkByName removes an interface link.
 func DelLinkByName(ifName string) error {
-	iface, err := netlink.LinkByName(ifName)
+	iface, err := netlinksafe.LinkByName(ifName)
 	if err != nil {
 		if _, ok := err.(netlink.LinkNotFoundError); ok {
 			return ErrLinkNotFound
@@ -193,7 +192,7 @@ func DelLinkByName(ifName string) error {
 
 // DelLinkByNameAddr remove an interface and returns its addresses
 func DelLinkByNameAddr(ifName string) ([]*net.IPNet, error) {
-	iface, err := netlink.LinkByName(ifName)
+	iface, err := netlinksafe.LinkByName(ifName)
 	if err != nil {
 		if _, ok := err.(netlink.LinkNotFoundError); ok {
 			return nil, ErrLinkNotFound
@@ -201,7 +200,7 @@ func DelLinkByNameAddr(ifName string) ([]*net.IPNet, error) {
 		return nil, fmt.Errorf("failed to lookup %q: %v", ifName, err)
 	}
 
-	addrs, err := netlink.AddrList(iface, netlink.FAMILY_ALL)
+	addrs, err := netlinksafe.AddrList(iface, netlink.FAMILY_ALL)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get IP addresses for %q: %v", ifName, err)
 	}
@@ -224,7 +223,7 @@ func DelLinkByNameAddr(ifName string) ([]*net.IPNet, error) {
 // veth, or an error. This peer ifindex will only be valid in the peer's
 // network namespace.
 func GetVethPeerIfindex(ifName string) (netlink.Link, int, error) {
-	link, err := netlink.LinkByName(ifName)
+	link, err := netlinksafe.LinkByName(ifName)
 	if err != nil {
 		return nil, -1, fmt.Errorf("could not look up %q: %v", ifName, err)
 	}

vendor/github.com/containernetworking/plugins/pkg/ip/route_linux.go

@@ -42,6 +42,24 @@ func AddHostRoute(ipn *net.IPNet, gw net.IP, dev netlink.Link) error {
 
 // AddDefaultRoute sets the default route on the given gateway.
 func AddDefaultRoute(gw net.IP, dev netlink.Link) error {
-	_, defNet, _ := net.ParseCIDR("0.0.0.0/0")
+	var defNet *net.IPNet
+	if gw.To4() != nil {
+		_, defNet, _ = net.ParseCIDR("0.0.0.0/0")
+	} else {
+		_, defNet, _ = net.ParseCIDR("::/0")
+	}
 	return AddRoute(defNet, gw, dev)
 }
+
+// IsIPNetZero check if the IPNet is "0.0.0.0/0" or "::/0"
+// This is needed as go-netlink replaces nil Dst with a '0' IPNet since
+// https://github.com/vishvananda/netlink/commit/acdc658b8613655ddb69f978e9fb4cf413e2b830
+func IsIPNetZero(ipnet *net.IPNet) bool {
+	if ipnet == nil {
+		return true
+	}
+	if ones, _ := ipnet.Mask.Size(); ones != 0 {
+		return false
+	}
+	return ipnet.IP.Equal(net.IPv4zero) || ipnet.IP.Equal(net.IPv6zero)
+}

vendor/github.com/containernetworking/plugins/pkg/ip/utils_linux.go

@@ -21,24 +21,25 @@ import (
 	"fmt"
 	"net"
 
+	"github.com/vishvananda/netlink"
+
 	"github.com/containernetworking/cni/pkg/types"
 	current "github.com/containernetworking/cni/pkg/types/100"
-	"github.com/vishvananda/netlink"
+	"github.com/containernetworking/plugins/pkg/netlinksafe"
 )
 
 func ValidateExpectedInterfaceIPs(ifName string, resultIPs []*current.IPConfig) error {
-
 	// Ensure ips
 	for _, ips := range resultIPs {
 		ourAddr := netlink.Addr{IPNet: &ips.Address}
 		match := false
 
-		link, err := netlink.LinkByName(ifName)
+		link, err := netlinksafe.LinkByName(ifName)
 		if err != nil {
 			return fmt.Errorf("Cannot find container link %v", ifName)
 		}
 
-		addrList, err := netlink.AddrList(link, netlink.FAMILY_ALL)
+		addrList, err := netlinksafe.AddrList(link, netlink.FAMILY_ALL)
 		if err != nil {
 			return fmt.Errorf("Cannot obtain List of IP Addresses")
 		}
@@ -49,12 +50,15 @@ func ValidateExpectedInterfaceIPs(ifName string, resultIPs []*current.IPConfig)
 				break
 			}
 		}
-		if match == false {
+		if !match {
 			return fmt.Errorf("Failed to match addr %v on interface %v", ourAddr, ifName)
 		}
 
 		// Convert the host/prefixlen to just prefix for route lookup.
 		_, ourPrefix, err := net.ParseCIDR(ourAddr.String())
+		if err != nil {
+			return err
+		}
 
 		findGwy := &netlink.Route{Dst: ourPrefix}
 		routeFilter := netlink.RT_FILTER_DST
@@ -64,7 +68,7 @@ func ValidateExpectedInterfaceIPs(ifName string, resultIPs []*current.IPConfig)
 			family = netlink.FAMILY_V4
 		}
 
-		gwy, err := netlink.RouteListFiltered(family, findGwy, routeFilter)
+		gwy, err := netlinksafe.RouteListFiltered(family, findGwy, routeFilter)
 		if err != nil {
 			return fmt.Errorf("Error %v trying to find Gateway %v for interface %v", err, ips.Gateway, ifName)
 		}
@@ -77,11 +81,13 @@ func ValidateExpectedInterfaceIPs(ifName string, resultIPs []*current.IPConfig)
 }
 
 func ValidateExpectedRoute(resultRoutes []*types.Route) error {
-
 	// Ensure that each static route in prevResults is found in the routing table
 	for _, route := range resultRoutes {
 		find := &netlink.Route{Dst: &route.Dst, Gw: route.GW}
-		routeFilter := netlink.RT_FILTER_DST | netlink.RT_FILTER_GW
+		routeFilter := netlink.RT_FILTER_DST
+		if route.GW != nil {
+			routeFilter |= netlink.RT_FILTER_GW
+		}
 		var family int
 
 		switch {
@@ -103,7 +109,7 @@ func ValidateExpectedRoute(resultRoutes []*types.Route) error {
 			return fmt.Errorf("Invalid static route found %v", route)
 		}
 
-		wasFound, err := netlink.RouteListFiltered(family, find, routeFilter)
+		wasFound, err := netlinksafe.RouteListFiltered(family, find, routeFilter)
 		if err != nil {
 			return fmt.Errorf("Expected Route %v not route table lookup error %v", route, err)
 		}

vendor/github.com/containernetworking/plugins/pkg/netlinksafe/netlink.go

@@ -0,0 +1,321 @@
+// Package netlinksafe wraps vishvandanda/netlink functions that may return EINTR.
+//
+// A Handle instantiated using [NewHandle] or [NewHandleAt] can be used in place
+// of a netlink.Handle, it's a wrapper that replaces methods that need to be
+// wrapped. Functions that use the package handle need to be called as "netlinksafe.X"
+// instead of "netlink.X".
+//
+// The wrapped functions currently return EINTR when NLM_F_DUMP_INTR flagged
+// in a netlink response, meaning something changed during the dump so results
+// may be incomplete or inconsistent.
+//
+// At present, the possibly incomplete/inconsistent results are not returned
+// by netlink functions along with the EINTR. So, it's not possible to do
+// anything but retry. After maxAttempts the EINTR will be returned to the
+// caller.
+package netlinksafe
+
+import (
+	"log"
+
+	"github.com/pkg/errors"
+	"github.com/vishvananda/netlink"
+	"github.com/vishvananda/netlink/nl"
+	"github.com/vishvananda/netns"
+)
+
+// Arbitrary limit on max attempts at netlink calls if they are repeatedly interrupted.
+const maxAttempts = 5
+
+type Handle struct {
+	*netlink.Handle
+}
+
+func NewHandle(nlFamilies ...int) (Handle, error) {
+	nlh, err := netlink.NewHandle(nlFamilies...)
+	if err != nil {
+		return Handle{}, err
+	}
+	return Handle{nlh}, nil
+}
+
+func NewHandleAt(ns netns.NsHandle, nlFamilies ...int) (Handle, error) {
+	nlh, err := netlink.NewHandleAt(ns, nlFamilies...)
+	if err != nil {
+		return Handle{}, err
+	}
+	return Handle{nlh}, nil
+}
+
+func (h Handle) Close() {
+	if h.Handle != nil {
+		h.Handle.Close()
+	}
+}
+
+func retryOnIntr(f func() error) {
+	for attempt := 0; attempt < maxAttempts; attempt++ {
+		if err := f(); !errors.Is(err, netlink.ErrDumpInterrupted) {
+			return
+		}
+	}
+	log.Printf("netlink call interrupted after %d attempts", maxAttempts)
+}
+
+func discardErrDumpInterrupted(err error) error {
+	if errors.Is(err, netlink.ErrDumpInterrupted) {
+		// The netlink function has returned possibly-inconsistent data along with the
+		// error. Discard the error and return the data. This restores the behaviour of
+		// the netlink package prior to v1.2.1, in which NLM_F_DUMP_INTR was ignored in
+		// the netlink response.
+		log.Printf("discarding ErrDumpInterrupted: %+v", errors.WithStack(err))
+		return nil
+	}
+	return err
+}
+
+// AddrList calls netlink.AddrList, retrying if necessary.
+func AddrList(link netlink.Link, family int) ([]netlink.Addr, error) {
+	var addrs []netlink.Addr
+	var err error
+	retryOnIntr(func() error {
+		addrs, err = netlink.AddrList(link, family) //nolint:forbidigo
+		return err
+	})
+	return addrs, discardErrDumpInterrupted(err)
+}
+
+// LinkByName calls h.Handle.LinkByName, retrying if necessary. The netlink function
+// doesn't normally ask the kernel for a dump of links. But, on an old kernel, it
+// will do as a fallback and that dump may get inconsistent results.
+func (h Handle) LinkByName(name string) (netlink.Link, error) {
+	var link netlink.Link
+	var err error
+	retryOnIntr(func() error {
+		link, err = h.Handle.LinkByName(name) //nolint:forbidigo
+		return err
+	})
+	return link, discardErrDumpInterrupted(err)
+}
+
+// LinkByName calls netlink.LinkByName, retrying if necessary. The netlink
+// function doesn't normally ask the kernel for a dump of links. But, on an old
+// kernel, it will do as a fallback and that dump may get inconsistent results.
+func LinkByName(name string) (netlink.Link, error) {
+	var link netlink.Link
+	var err error
+	retryOnIntr(func() error {
+		link, err = netlink.LinkByName(name) //nolint:forbidigo
+		return err
+	})
+	return link, discardErrDumpInterrupted(err)
+}
+
+// LinkList calls h.Handle.LinkList, retrying if necessary.
+func (h Handle) LinkList() ([]netlink.Link, error) {
+	var links []netlink.Link
+	var err error
+	retryOnIntr(func() error {
+		links, err = h.Handle.LinkList() //nolint:forbidigo
+		return err
+	})
+	return links, discardErrDumpInterrupted(err)
+}
+
+// LinkList calls netlink.Handle.LinkList, retrying if necessary.
+func LinkList() ([]netlink.Link, error) {
+	var links []netlink.Link
+	var err error
+	retryOnIntr(func() error {
+		links, err = netlink.LinkList() //nolint:forbidigo
+		return err
+	})
+	return links, discardErrDumpInterrupted(err)
+}
+
+// RouteList calls h.Handle.RouteList, retrying if necessary.
+func (h Handle) RouteList(link netlink.Link, family int) ([]netlink.Route, error) {
+	var routes []netlink.Route
+	var err error
+	retryOnIntr(func() error {
+		routes, err = h.Handle.RouteList(link, family) //nolint:forbidigo
+		return err
+	})
+	return routes, err
+}
+
+// RouteList calls netlink.RouteList, retrying if necessary.
+func RouteList(link netlink.Link, family int) ([]netlink.Route, error) {
+	var route []netlink.Route
+	var err error
+	retryOnIntr(func() error {
+		route, err = netlink.RouteList(link, family) //nolint:forbidigo
+		return err
+	})
+	return route, discardErrDumpInterrupted(err)
+}
+
+// BridgeVlanList calls netlink.BridgeVlanList, retrying if necessary.
+func BridgeVlanList() (map[int32][]*nl.BridgeVlanInfo, error) {
+	var err error
+	var info map[int32][]*nl.BridgeVlanInfo
+	retryOnIntr(func() error {
+		info, err = netlink.BridgeVlanList() //nolint:forbidigo
+		return err
+	})
+	return info, discardErrDumpInterrupted(err)
+}
+
+// RouteListFiltered calls h.Handle.RouteListFiltered, retrying if necessary.
+func (h Handle) RouteListFiltered(family int, filter *netlink.Route, filterMask uint64) ([]netlink.Route, error) {
+	var routes []netlink.Route
+	var err error
+	retryOnIntr(func() error {
+		routes, err = h.Handle.RouteListFiltered(family, filter, filterMask) //nolint:forbidigo
+		return err
+	})
+	return routes, err
+}
+
+// RouteListFiltered calls netlink.RouteListFiltered, retrying if necessary.
+func RouteListFiltered(family int, filter *netlink.Route, filterMask uint64) ([]netlink.Route, error) {
+	var route []netlink.Route
+	var err error
+	retryOnIntr(func() error {
+		route, err = netlink.RouteListFiltered(family, filter, filterMask) //nolint:forbidigo
+		return err
+	})
+	return route, discardErrDumpInterrupted(err)
+}
+
+// QdiscList calls netlink.QdiscList, retrying if necessary.
+func QdiscList(link netlink.Link) ([]netlink.Qdisc, error) {
+	var qdisc []netlink.Qdisc
+	var err error
+	retryOnIntr(func() error {
+		qdisc, err = netlink.QdiscList(link) //nolint:forbidigo
+		return err
+	})
+	return qdisc, discardErrDumpInterrupted(err)
+}
+
+// QdiscList calls h.Handle.QdiscList, retrying if necessary.
+func (h *Handle) QdiscList(link netlink.Link) ([]netlink.Qdisc, error) {
+	var qdisc []netlink.Qdisc
+	var err error
+	retryOnIntr(func() error {
+		qdisc, err = h.Handle.QdiscList(link) //nolint:forbidigo
+		return err
+	})
+	return qdisc, err
+}
+
+// LinkGetProtinfo calls netlink.LinkGetProtinfo, retrying if necessary.
+func LinkGetProtinfo(link netlink.Link) (netlink.Protinfo, error) {
+	var protinfo netlink.Protinfo
+	var err error
+	retryOnIntr(func() error {
+		protinfo, err = netlink.LinkGetProtinfo(link) //nolint:forbidigo
+		return err
+	})
+	return protinfo, discardErrDumpInterrupted(err)
+}
+
+// LinkGetProtinfo calls h.Handle.LinkGetProtinfo, retrying if necessary.
+func (h *Handle) LinkGetProtinfo(link netlink.Link) (netlink.Protinfo, error) {
+	var protinfo netlink.Protinfo
+	var err error
+	retryOnIntr(func() error {
+		protinfo, err = h.Handle.LinkGetProtinfo(link) //nolint:forbidigo
+		return err
+	})
+	return protinfo, err
+}
+
+// RuleListFiltered calls netlink.RuleListFiltered, retrying if necessary.
+func RuleListFiltered(family int, filter *netlink.Rule, filterMask uint64) ([]netlink.Rule, error) {
+	var rules []netlink.Rule
+	var err error
+	retryOnIntr(func() error {
+		rules, err = netlink.RuleListFiltered(family, filter, filterMask) //nolint:forbidigo
+		return err
+	})
+	return rules, discardErrDumpInterrupted(err)
+}
+
+// RuleListFiltered calls h.Handle.RuleListFiltered, retrying if necessary.
+func (h *Handle) RuleListFiltered(family int, filter *netlink.Rule, filterMask uint64) ([]netlink.Rule, error) {
+	var rules []netlink.Rule
+	var err error
+	retryOnIntr(func() error {
+		rules, err = h.Handle.RuleListFiltered(family, filter, filterMask) //nolint:forbidigo
+		return err
+	})
+	return rules, err
+}
+
+// FilterList calls netlink.FilterList, retrying if necessary.
+func FilterList(link netlink.Link, parent uint32) ([]netlink.Filter, error) {
+	var filters []netlink.Filter
+	var err error
+	retryOnIntr(func() error {
+		filters, err = netlink.FilterList(link, parent) //nolint:forbidigo
+		return err
+	})
+	return filters, discardErrDumpInterrupted(err)
+}
+
+// FilterList calls h.Handle.FilterList, retrying if necessary.
+func (h *Handle) FilterList(link netlink.Link, parent uint32) ([]netlink.Filter, error) {
+	var filters []netlink.Filter
+	var err error
+	retryOnIntr(func() error {
+		filters, err = h.Handle.FilterList(link, parent) //nolint:forbidigo
+		return err
+	})
+	return filters, err
+}
+
+// RuleList calls netlink.RuleList, retrying if necessary.
+func RuleList(family int) ([]netlink.Rule, error) {
+	var rules []netlink.Rule
+	var err error
+	retryOnIntr(func() error {
+		rules, err = netlink.RuleList(family) //nolint:forbidigo
+		return err
+	})
+	return rules, discardErrDumpInterrupted(err)
+}
+
+// RuleList calls h.Handle.RuleList, retrying if necessary.
+func (h *Handle) RuleList(family int) ([]netlink.Rule, error) {
+	var rules []netlink.Rule
+	var err error
+	retryOnIntr(func() error {
+		rules, err = h.Handle.RuleList(family) //nolint:forbidigo
+		return err
+	})
+	return rules, err
+}
+
+// ConntrackDeleteFilters calls netlink.ConntrackDeleteFilters, retrying if necessary.
+func ConntrackDeleteFilters(table netlink.ConntrackTableType, family netlink.InetFamily, filters ...netlink.CustomConntrackFilter) (uint, error) {
+	var deleted uint
+	var err error
+	retryOnIntr(func() error {
+		deleted, err = netlink.ConntrackDeleteFilters(table, family, filters...) //nolint:forbidigo
+		return err
+	})
+	return deleted, discardErrDumpInterrupted(err)
+}
+
+// ConntrackDeleteFilters calls h.Handle.ConntrackDeleteFilters, retrying if necessary.
+func (h *Handle) ConntrackDeleteFilters(table netlink.ConntrackTableType, family netlink.InetFamily, filters ...netlink.CustomConntrackFilter) (uint, error) {
+	var deleted uint
+	var err error
+	retryOnIntr(func() error {
+		deleted, err = h.Handle.ConntrackDeleteFilters(table, family, filters...) //nolint:forbidigo
+		return err
+	})
+	return deleted, err
+}

vendor/github.com/containernetworking/plugins/pkg/ns/README.md

@@ -13,10 +13,10 @@ The `ns.Do()` method provides **partial** control over network namespaces for yo
 
 ```go
 err = targetNs.Do(func(hostNs ns.NetNS) error {
+	linkAttrs := netlink.NewLinkAttrs()
+	linkAttrs.Name = "dummy0"
 	dummy := &netlink.Dummy{
-		LinkAttrs: netlink.LinkAttrs{
-			Name: "dummy0",
-		},
+		LinkAttrs: linkAttrs,
 	}
 	return netlink.LinkAdd(dummy)
 })

vendor/github.com/containernetworking/plugins/pkg/ns/ns_linux.go

@@ -31,6 +31,10 @@ func GetCurrentNS() (NetNS, error) {
 	// return an unexpected network namespace.
 	runtime.LockOSThread()
 	defer runtime.UnlockOSThread()
+	return getCurrentNSNoLock()
+}
+
+func getCurrentNSNoLock() (NetNS, error) {
 	return GetNS(getCurrentThreadNetNSPath())
 }
 
@@ -152,6 +156,54 @@ func GetNS(nspath string) (NetNS, error) {
 	return &netNS{file: fd}, nil
 }
 
+// Returns a new empty NetNS.
+// Calling Close() let the kernel garbage collect the network namespace.
+func TempNetNS() (NetNS, error) {
+	var tempNS NetNS
+	var err error
+	var wg sync.WaitGroup
+	wg.Add(1)
+
+	// Create the new namespace in a new goroutine so that if we later fail
+	// to switch the namespace back to the original one, we can safely
+	// leave the thread locked to die without a risk of the current thread
+	// left lingering with incorrect namespace.
+	go func() {
+		defer wg.Done()
+		runtime.LockOSThread()
+
+		var threadNS NetNS
+		// save a handle to current network namespace
+		threadNS, err = getCurrentNSNoLock()
+		if err != nil {
+			err = fmt.Errorf("failed to open current namespace: %v", err)
+			return
+		}
+		defer threadNS.Close()
+
+		// create the temporary network namespace
+		err = unix.Unshare(unix.CLONE_NEWNET)
+		if err != nil {
+			return
+		}
+
+		// get a handle to the temporary network namespace
+		tempNS, err = getCurrentNSNoLock()
+
+		err2 := threadNS.Set()
+		if err2 == nil {
+			// Unlock the current thread only when we successfully switched back
+			// to the original namespace; otherwise leave the thread locked which
+			// will force the runtime to scrap the current thread, that is maybe
+			// not as optimal but at least always safe to do.
+			runtime.UnlockOSThread()
+		}
+	}()
+
+	wg.Wait()
+	return tempNS, err
+}
+
 func (ns *netNS) Path() string {
 	return ns.file.Name()
 }
@@ -173,7 +225,7 @@ func (ns *netNS) Do(toRun func(NetNS) error) error {
 	}
 
 	containedCall := func(hostNS NetNS) error {
-		threadNS, err := GetCurrentNS()
+		threadNS, err := getCurrentNSNoLock()
 		if err != nil {
 			return fmt.Errorf("failed to open current netns: %v", err)
 		}

vendor/github.com/containernetworking/plugins/pkg/utils/conntrack.go

@@ -0,0 +1,75 @@
+// Copyright 2020 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package utils
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/vishvananda/netlink"
+	"golang.org/x/sys/unix"
+
+	"github.com/containernetworking/plugins/pkg/netlinksafe"
+)
+
+// Assigned Internet Protocol Numbers
+// https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
+const (
+	PROTOCOL_TCP  = 6
+	PROTOCOL_UDP  = 17
+	PROTOCOL_SCTP = 132
+)
+
+// getNetlinkFamily returns the Netlink IP family constant
+func getNetlinkFamily(isIPv6 bool) netlink.InetFamily {
+	if isIPv6 {
+		return unix.AF_INET6
+	}
+	return unix.AF_INET
+}
+
+// DeleteConntrackEntriesForDstIP delete the conntrack entries for the connections
+// specified by the given destination IP and protocol
+func DeleteConntrackEntriesForDstIP(dstIP string, protocol uint8) error {
+	ip := net.ParseIP(dstIP)
+	if ip == nil {
+		return fmt.Errorf("error deleting connection tracking state, bad IP %s", ip)
+	}
+	family := getNetlinkFamily(ip.To4() == nil)
+
+	filter := &netlink.ConntrackFilter{}
+	filter.AddIP(netlink.ConntrackOrigDstIP, ip)
+	filter.AddProtocol(protocol)
+
+	_, err := netlinksafe.ConntrackDeleteFilters(netlink.ConntrackTable, family, filter)
+	if err != nil {
+		return fmt.Errorf("error deleting connection tracking state for protocol: %d IP: %s, error: %v", protocol, ip, err)
+	}
+	return nil
+}
+
+// DeleteConntrackEntriesForDstPort delete the conntrack entries for the connections specified
+// by the given destination port, protocol and IP family
+func DeleteConntrackEntriesForDstPort(port uint16, protocol uint8, family netlink.InetFamily) error {
+	filter := &netlink.ConntrackFilter{}
+	filter.AddProtocol(protocol)
+	filter.AddPort(netlink.ConntrackOrigDstPort, port)
+
+	_, err := netlinksafe.ConntrackDeleteFilters(netlink.ConntrackTable, family, filter)
+	if err != nil {
+		return fmt.Errorf("error deleting connection tracking state for protocol: %d Port: %d, error: %v", protocol, port, err)
+	}
+	return nil
+}

vendor/github.com/containernetworking/plugins/pkg/utils/iptables.go

@@ -0,0 +1,120 @@
+// Copyright 2017 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package utils
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/coreos/go-iptables/iptables"
+)
+
+const statusChainExists = 1
+
+// EnsureChain idempotently creates the iptables chain. It does not
+// return an error if the chain already exists.
+func EnsureChain(ipt *iptables.IPTables, table, chain string) error {
+	if ipt == nil {
+		return errors.New("failed to ensure iptable chain: IPTables was nil")
+	}
+	exists, err := ipt.ChainExists(table, chain)
+	if err != nil {
+		return fmt.Errorf("failed to check iptables chain existence: %v", err)
+	}
+	if !exists {
+		err = ipt.NewChain(table, chain)
+		if err != nil {
+			eerr, eok := err.(*iptables.Error)
+			if eok && eerr.ExitStatus() != statusChainExists {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+// DeleteRule idempotently delete the iptables rule in the specified table/chain.
+// It does not return an error if the referring chain doesn't exist
+func DeleteRule(ipt *iptables.IPTables, table, chain string, rulespec ...string) error {
+	if ipt == nil {
+		return errors.New("failed to ensure iptable chain: IPTables was nil")
+	}
+	if err := ipt.Delete(table, chain, rulespec...); err != nil {
+		eerr, eok := err.(*iptables.Error)
+		switch {
+		case eok && eerr.IsNotExist():
+			// swallow here, the chain was already deleted
+			return nil
+		case eok && eerr.ExitStatus() == 2:
+			// swallow here, invalid command line parameter because the referring rule is missing
+			return nil
+		default:
+			return fmt.Errorf("Failed to delete referring rule %s %s: %v", table, chain, err)
+		}
+	}
+	return nil
+}
+
+// DeleteChain idempotently deletes the specified table/chain.
+// It does not return an errors if the chain does not exist
+func DeleteChain(ipt *iptables.IPTables, table, chain string) error {
+	if ipt == nil {
+		return errors.New("failed to ensure iptable chain: IPTables was nil")
+	}
+
+	err := ipt.DeleteChain(table, chain)
+	eerr, eok := err.(*iptables.Error)
+	switch {
+	case eok && eerr.IsNotExist():
+		// swallow here, the chain was already deleted
+		return nil
+	default:
+		return err
+	}
+}
+
+// ClearChain idempotently clear the iptables rules in the specified table/chain.
+// If the chain does not exist, a new one will be created
+func ClearChain(ipt *iptables.IPTables, table, chain string) error {
+	if ipt == nil {
+		return errors.New("failed to ensure iptable chain: IPTables was nil")
+	}
+	err := ipt.ClearChain(table, chain)
+	eerr, eok := err.(*iptables.Error)
+	switch {
+	case eok && eerr.IsNotExist():
+		// swallow here, the chain was already deleted
+		return EnsureChain(ipt, table, chain)
+	default:
+		return err
+	}
+}
+
+// InsertUnique will add a rule to a chain if it does not already exist.
+// By default the rule is appended, unless prepend is true.
+func InsertUnique(ipt *iptables.IPTables, table, chain string, prepend bool, rule []string) error {
+	exists, err := ipt.Exists(table, chain, rule...)
+	if err != nil {
+		return err
+	}
+	if exists {
+		return nil
+	}
+
+	if prepend {
+		return ipt.Insert(table, chain, 1, rule...)
+	}
+	return ipt.Append(table, chain, rule...)
+}

vendor/github.com/containernetworking/plugins/pkg/utils/netfilter.go

@@ -0,0 +1,46 @@
+// Copyright 2023 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package utils
+
+import (
+	"github.com/coreos/go-iptables/iptables"
+	"sigs.k8s.io/knftables"
+)
+
+// SupportsIPTables tests whether the system supports using netfilter via the iptables API
+// (whether via "iptables-legacy" or "iptables-nft"). (Note that this returns true if it
+// is *possible* to use iptables; it does not test whether any other components on the
+// system are *actually* using iptables.)
+func SupportsIPTables() bool {
+	ipt, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+	if err != nil {
+		return false
+	}
+	// We don't care whether the chain actually exists, only whether we can *check*
+	// whether it exists.
+	_, err = ipt.ChainExists("filter", "INPUT")
+	return err == nil
+}
+
+// SupportsNFTables tests whether the system supports using netfilter via the nftables API
+// (ie, not via "iptables-nft"). (Note that this returns true if it is *possible* to use
+// nftables; it does not test whether any other components on the system are *actually*
+// using nftables.)
+func SupportsNFTables() bool {
+	// knftables.New() does sanity checks so we don't need any further test like in
+	// the iptables case.
+	_, err := knftables.New(knftables.IPv4Family, "supports_nftables_test")
+	return err == nil
+}

vendor/github.com/containernetworking/plugins/pkg/utils/sysctl/sysctl_linux.go

@@ -16,7 +16,7 @@ package sysctl
 
 import (
 	"fmt"
-	"io/ioutil"
+	"os"
 	"path/filepath"
 	"strings"
 )
@@ -36,7 +36,7 @@ func Sysctl(name string, params ...string) (string, error) {
 
 func getSysctl(name string) (string, error) {
 	fullName := filepath.Join("/proc/sys", toNormalName(name))
-	data, err := ioutil.ReadFile(fullName)
+	data, err := os.ReadFile(fullName)
 	if err != nil {
 		return "", err
 	}
@@ -46,7 +46,7 @@ func getSysctl(name string) (string, error) {
 
 func setSysctl(name, value string) (string, error) {
 	fullName := filepath.Join("/proc/sys", toNormalName(name))
-	if err := ioutil.WriteFile(fullName, []byte(value), 0644); err != nil {
+	if err := os.WriteFile(fullName, []byte(value), 0o644); err != nil {
 		return "", err
 	}
 

vendor/github.com/containernetworking/plugins/pkg/utils/utils.go

@@ -0,0 +1,60 @@
+// Copyright 2016 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package utils
+
+import (
+	"crypto/sha512"
+	"fmt"
+)
+
+const (
+	maxChainLength = 28
+	chainPrefix    = "CNI-"
+)
+
+// FormatChainName generates a chain name to be used
+// with iptables. Ensures that the generated chain
+// name is exactly maxChainLength chars in length.
+func FormatChainName(name string, id string) string {
+	return MustFormatChainNameWithPrefix(name, id, "")
+}
+
+// MustFormatChainNameWithPrefix generates a chain name similar
+// to FormatChainName, but adds a custom prefix between
+// chainPrefix and unique identifier. Ensures that the
+// generated chain name is exactly maxChainLength chars in length.
+// Panics if the given prefix is too long.
+func MustFormatChainNameWithPrefix(name string, id string, prefix string) string {
+	return MustFormatHashWithPrefix(maxChainLength, chainPrefix+prefix, name+id)
+}
+
+// FormatComment returns a comment used for easier
+// rule identification within iptables.
+func FormatComment(name string, id string) string {
+	return fmt.Sprintf("name: %q id: %q", name, id)
+}
+
+const MaxHashLen = sha512.Size * 2
+
+// MustFormatHashWithPrefix returns a string of given length that begins with the
+// given prefix. It is filled with entropy based on the given string toHash.
+func MustFormatHashWithPrefix(length int, prefix string, toHash string) string {
+	if len(prefix) >= length || length > MaxHashLen {
+		panic("invalid length")
+	}
+
+	output := sha512.Sum512([]byte(toHash))
+	return fmt.Sprintf("%s%x", prefix, output)[:length]
+}

vendor/github.com/containernetworking/plugins/plugins/ipam/host-local/backend/allocator/allocator.go

@@ -22,7 +22,6 @@ import (
 	"strconv"
 
 	current "github.com/containernetworking/cni/pkg/types/100"
-
 	"github.com/containernetworking/plugins/pkg/ip"
 	"github.com/containernetworking/plugins/plugins/ipam/host-local/backend"
 )
@@ -197,7 +196,7 @@ func (i *RangeIter) Next() (*net.IPNet, net.IP) {
 	// If we've reached the end of this range, we need to advance the range
 	// RangeEnd is inclusive as well
 	if i.cur.Equal(r.RangeEnd) {
-		i.rangeIdx += 1
+		i.rangeIdx++
 		i.rangeIdx %= len(*i.rangeset)
 		r = (*i.rangeset)[i.rangeIdx]
 

vendor/github.com/containernetworking/plugins/plugins/ipam/host-local/backend/allocator/config.go

@@ -21,7 +21,6 @@ import (
 
 	"github.com/containernetworking/cni/pkg/types"
 	"github.com/containernetworking/cni/pkg/version"
-
 	"github.com/containernetworking/plugins/pkg/ip"
 )
 
@@ -43,7 +42,7 @@ type Net struct {
 
 // IPAMConfig represents the IP related network configuration.
 // This nests Range because we initially only supported a single
-// range directly, and wish to preserve backwards compatability
+// range directly, and wish to preserve backwards compatibility
 type IPAMConfig struct {
 	*Range
 	Name       string

vendor/github.com/containernetworking/plugins/plugins/ipam/host-local/backend/allocator/range.go

@@ -125,7 +125,7 @@ func (r *Range) Contains(addr net.IP) bool {
 
 // Overlaps returns true if there is any overlap between ranges
 func (r *Range) Overlaps(r1 *Range) bool {
-	// different familes
+	// different families
 	if len(r.RangeStart) != len(r1.RangeStart) {
 		return false
 	}

vendor/github.com/containernetworking/plugins/plugins/ipam/host-local/backend/allocator/range_set.go

@@ -67,10 +67,8 @@ func (s *RangeSet) Canonicalize() error {
 		}
 		if i == 0 {
 			fam = len((*s)[i].RangeStart)
-		} else {
-			if fam != len((*s)[i].RangeStart) {
-				return fmt.Errorf("mixed address families")
-			}
+		} else if fam != len((*s)[i].RangeStart) {
+			return fmt.Errorf("mixed address families")
 		}
 	}
 

vendor/github.com/containernetworking/plugins/plugins/ipam/host-local/backend/store.go

@@ -22,7 +22,6 @@ type Store interface {
 	Close() error
 	Reserve(id string, ifname string, ip net.IP, rangeID string) (bool, error)
 	LastReservedIP(rangeID string) (net.IP, error)
-	Release(ip net.IP) error
 	ReleaseByID(id string, ifname string) error
 	GetByID(id string, ifname string) []net.IP
 }

vendor/github.com/josharian/native/endian_big.go

@@ -1,7 +1,14 @@
+//go:build mips || mips64 || ppc64 || s390x
 // +build mips mips64 ppc64 s390x
 
 package native
 
 import "encoding/binary"
 
+// Endian is the encoding/binary.ByteOrder implementation for the
+// current CPU's native byte order.
 var Endian = binary.BigEndian
+
+// IsBigEndian is whether the current CPU's native byte order is big
+// endian.
+const IsBigEndian = true

vendor/github.com/josharian/native/endian_generic.go

@@ -1,4 +1,5 @@
-// +build !mips,!mips64,!ppc64,!s390x,!amd64,!386,!arm,!arm64,!mipsle,!mips64le,!ppc64le,!riscv64,!wasm
+//go:build !mips && !mips64 && !ppc64 && !s390x && !amd64 && !386 && !arm && !arm64 && !loong64 && !mipsle && !mips64le && !ppc64le && !riscv64 && !wasm
+// +build !mips,!mips64,!ppc64,!s390x,!amd64,!386,!arm,!arm64,!loong64,!mipsle,!mips64le,!ppc64le,!riscv64,!wasm
 
 // This file is a fallback, so that package native doesn't break
 // the instant the Go project adds support for a new architecture.
@@ -15,12 +16,16 @@ import (
 
 var Endian binary.ByteOrder
 
+var IsBigEndian bool
+
 func init() {
 	b := uint16(0xff) // one byte
 	if *(*byte)(unsafe.Pointer(&b)) == 0 {
 		Endian = binary.BigEndian
+		IsBigEndian = true
 	} else {
 		Endian = binary.LittleEndian
+		IsBigEndian = false
 	}
 	log.Printf("github.com/josharian/native: unrecognized arch %v (%v), please file an issue", runtime.GOARCH, Endian)
 }

vendor/github.com/josharian/native/endian_little.go

@@ -1,7 +1,14 @@
-// +build amd64 386 arm arm64 mipsle mips64le ppc64le riscv64 wasm
+//go:build amd64 || 386 || arm || arm64 || loong64 || mipsle || mips64le || ppc64le || riscv64 || wasm
+// +build amd64 386 arm arm64 loong64 mipsle mips64le ppc64le riscv64 wasm
 
 package native
 
 import "encoding/binary"
 
+// Endian is the encoding/binary.ByteOrder implementation for the
+// current CPU's native byte order.
 var Endian = binary.LittleEndian
+
+// IsBigEndian is whether the current CPU's native byte order is big
+// endian.
+const IsBigEndian = false

vendor/github.com/mdlayher/socket/CHANGELOG.md

@@ -0,0 +1,94 @@
+# CHANGELOG
+
+## v0.5.1
+
+- [Improvement]: revert `go.mod` to Go 1.20 to [resolve an issue around Go
+  module version upgrades](https://github.com/mdlayher/socket/issues/13).
+
+## v0.5.0
+
+**This is the first release of package socket that only supports Go 1.21+.
+Users on older versions of Go must use v0.4.1.**
+
+- [Improvement]: drop support for older versions of Go.
+- [New API]: add `socket.Conn` wrappers for various `Getsockopt` and
+  `Setsockopt` system calls.
+
+## v0.4.1
+
+- [Bug Fix] [commit](https://github.com/mdlayher/socket/commit/2a14ceef4da279de1f957c5761fffcc6c87bbd3b):
+  ensure `socket.Conn` can be used with non-socket file descriptors by handling
+  `ENOTSOCK` in the constructor.
+
+## v0.4.0
+
+**This is the first release of package socket that only supports Go 1.18+.
+Users on older versions of Go must use v0.3.0.**
+
+- [Improvement]: drop support for older versions of Go so we can begin using
+  modern versions of `x/sys` and other dependencies.
+
+## v0.3.0
+
+**This is the last release of package socket that supports Go 1.17 and below.**
+
+- [New API/API change] [PR](https://github.com/mdlayher/socket/pull/8):
+  numerous `socket.Conn` methods now support context cancelation. Future
+  releases will continue adding support as needed.
+  - New `ReadContext` and `WriteContext` methods.
+  - `Connect`, `Recvfrom`, `Recvmsg`, `Sendmsg`, and `Sendto` methods now accept
+    a context.
+  - `Sendto` parameter order was also fixed to match the underlying syscall.
+
+## v0.2.3
+
+- [New API] [commit](https://github.com/mdlayher/socket/commit/a425d96e0f772c053164f8ce4c9c825380a98086):
+  `socket.Conn` has new `Pidfd*` methods for wrapping the `pidfd_*(2)` family of
+  system calls.
+
+## v0.2.2
+
+- [New API] [commit](https://github.com/mdlayher/socket/commit/a2429f1dfe8ec2586df5a09f50ead865276cd027):
+  `socket.Conn` has new `IoctlKCM*` methods for wrapping `ioctl(2)` for `AF_KCM`
+  operations.
+
+## v0.2.1
+
+- [New API] [commit](https://github.com/mdlayher/socket/commit/b18ddbe9caa0e34552b4409a3aa311cb460d2f99):
+  `socket.Conn` has a new `SetsockoptPacketMreq` method for wrapping
+  `setsockopt(2)` for `AF_PACKET` socket options.
+
+## v0.2.0
+
+- [New API] [commit](https://github.com/mdlayher/socket/commit/6e912a68523c45e5fd899239f4b46c402dd856da):
+  `socket.FileConn` can be used to create a `socket.Conn` from an existing
+  `os.File`, which may be provided by systemd socket activation or another
+  external mechanism.
+- [API change] [commit](https://github.com/mdlayher/socket/commit/66d61f565188c23fe02b24099ddc856d538bf1a7):
+  `socket.Conn.Connect` now returns the `unix.Sockaddr` value provided by
+  `getpeername(2)`, since we have to invoke that system call anyway to verify
+  that a connection to a remote peer was successfully established.
+- [Bug Fix] [commit](https://github.com/mdlayher/socket/commit/b60b2dbe0ac3caff2338446a150083bde8c5c19c):
+  check the correct error from `unix.GetsockoptInt` in the `socket.Conn.Connect`
+  method. Thanks @vcabbage!
+
+## v0.1.2
+
+- [Bug Fix]: `socket.Conn.Connect` now properly checks the `SO_ERROR` socket
+  option value after calling `connect(2)` to verify whether or not a connection
+  could successfully be established. This means that `Connect` should now report
+  an error for an `AF_INET` TCP connection refused or `AF_VSOCK` connection
+  reset by peer.
+- [New API]: add `socket.Conn.Getpeername` for use in `Connect`, but also for
+  use by external callers.
+
+## v0.1.1
+
+- [New API]: `socket.Conn` now has `CloseRead`, `CloseWrite`, and `Shutdown`
+  methods.
+- [Improvement]: internal rework to more robustly handle various errors.
+
+## v0.1.0
+
+- Initial unstable release. Most functionality has been developed and ported
+from package [`netlink`](https://github.com/mdlayher/netlink).

vendor/github.com/mdlayher/socket/README.md

@@ -12,3 +12,12 @@ used directly in end user applications.
 
 Any use of package socket should be guarded by build tags, as one would also
 use when importing the `syscall` or `golang.org/x/sys` packages.
+
+## Stability
+
+See the [CHANGELOG](./CHANGELOG.md) file for a description of changes between
+releases.
+
+This package only supports the two most recent major versions of Go, mirroring
+Go's own release policy. Older versions of Go may lack critical features and bug
+fixes which are necessary for this package to function correctly.

vendor/github.com/mdlayher/socket/conn.go

@@ -1,7 +1,11 @@
 package socket
 
 import (
+	"context"
+	"errors"
+	"io"
 	"os"
+	"sync"
 	"sync/atomic"
 	"syscall"
 	"time"
@@ -9,8 +13,22 @@ import (
 	"golang.org/x/sys/unix"
 )
 
+// Lock in an expected public interface for convenience.
+var _ interface {
+	io.ReadWriteCloser
+	syscall.Conn
+	SetDeadline(t time.Time) error
+	SetReadDeadline(t time.Time) error
+	SetWriteDeadline(t time.Time) error
+} = &Conn{}
+
 // A Conn is a low-level network connection which integrates with Go's runtime
 // network poller to provide asynchronous I/O and deadline support.
+//
+// Many of a Conn's blocking methods support net.Conn deadlines as well as
+// cancelation via context. Note that passing a context with a deadline set will
+// override any of the previous deadlines set by calls to the SetDeadline family
+// of methods.
 type Conn struct {
 	// Indicates whether or not Conn.Close has been called. Must be accessed
 	// atomically. Atomics definitions must come first in the Conn struct.
@@ -20,12 +38,50 @@ type Conn struct {
 	// descriptors such as those created by accept(2).
 	name string
 
+	// facts contains information we have determined about Conn to trigger
+	// alternate behavior in certain functions.
+	facts facts
+
 	// Provides access to the underlying file registered with the runtime
 	// network poller, and arbitrary raw I/O calls.
 	fd *os.File
 	rc syscall.RawConn
 }
 
+// facts contains facts about a Conn.
+type facts struct {
+	// isStream reports whether this is a streaming descriptor, as opposed to a
+	// packet-based descriptor like a UDP socket.
+	isStream bool
+
+	// zeroReadIsEOF reports Whether a zero byte read indicates EOF. This is
+	// false for a message based socket connection.
+	zeroReadIsEOF bool
+}
+
+// A Config contains options for a Conn.
+type Config struct {
+	// NetNS specifies the Linux network namespace the Conn will operate in.
+	// This option is unsupported on other operating systems.
+	//
+	// If set (non-zero), Conn will enter the specified network namespace and an
+	// error will occur in Socket if the operation fails.
+	//
+	// If not set (zero), a best-effort attempt will be made to enter the
+	// network namespace of the calling thread: this means that any changes made
+	// to the calling thread's network namespace will also be reflected in Conn.
+	// If this operation fails (due to lack of permissions or because network
+	// namespaces are disabled by kernel configuration), Socket will not return
+	// an error, and the Conn will operate in the default network namespace of
+	// the process. This enables non-privileged use of Conn in applications
+	// which do not require elevated privileges.
+	//
+	// Entering a network namespace is a privileged operation (root or
+	// CAP_SYS_ADMIN are required), and most applications should leave this set
+	// to 0.
+	NetNS int
+}
+
 // High-level methods which provide convenience over raw system calls.
 
 // Close closes the underlying file descriptor for the Conn, which also causes
@@ -46,14 +102,72 @@ func (c *Conn) Close() error {
 	return os.NewSyscallError("close", c.fd.Close())
 }
 
-// Read implements io.Reader by reading directly from the underlying file
-// descriptor.
+// CloseRead shuts down the reading side of the Conn. Most callers should just
+// use Close.
+func (c *Conn) CloseRead() error { return c.Shutdown(unix.SHUT_RD) }
+
+// CloseWrite shuts down the writing side of the Conn. Most callers should just
+// use Close.
+func (c *Conn) CloseWrite() error { return c.Shutdown(unix.SHUT_WR) }
+
+// Read reads directly from the underlying file descriptor.
 func (c *Conn) Read(b []byte) (int, error) { return c.fd.Read(b) }
 
-// Write implements io.Writer by writing directly to the underlying file
-// descriptor.
+// ReadContext reads from the underlying file descriptor with added support for
+// context cancelation.
+func (c *Conn) ReadContext(ctx context.Context, b []byte) (int, error) {
+	if c.facts.isStream && len(b) > maxRW {
+		b = b[:maxRW]
+	}
+
+	n, err := readT(c, ctx, "read", func(fd int) (int, error) {
+		return unix.Read(fd, b)
+	})
+	if n == 0 && err == nil && c.facts.zeroReadIsEOF {
+		return 0, io.EOF
+	}
+
+	return n, os.NewSyscallError("read", err)
+}
+
+// Write writes directly to the underlying file descriptor.
 func (c *Conn) Write(b []byte) (int, error) { return c.fd.Write(b) }
 
+// WriteContext writes to the underlying file descriptor with added support for
+// context cancelation.
+func (c *Conn) WriteContext(ctx context.Context, b []byte) (int, error) {
+	var (
+		n, nn int
+		err   error
+	)
+
+	doErr := c.write(ctx, "write", func(fd int) error {
+		max := len(b)
+		if c.facts.isStream && max-nn > maxRW {
+			max = nn + maxRW
+		}
+
+		n, err = unix.Write(fd, b[nn:max])
+		if n > 0 {
+			nn += n
+		}
+		if nn == len(b) {
+			return err
+		}
+		if n == 0 && err == nil {
+			err = io.ErrUnexpectedEOF
+			return nil
+		}
+
+		return err
+	})
+	if doErr != nil {
+		return 0, doErr
+	}
+
+	return nn, os.NewSyscallError("write", err)
+}
+
 // SetDeadline sets both the read and write deadlines associated with the Conn.
 func (c *Conn) SetDeadline(t time.Time) error { return c.fd.SetDeadline(t) }
 
@@ -114,10 +228,30 @@ func (c *Conn) SyscallConn() (syscall.RawConn, error) {
 // proto are passed directly to socket(2), and name should be a unique name for
 // the socket type such as "netlink" or "vsock".
 //
+// The cfg parameter specifies optional configuration for the Conn. If nil, no
+// additional configuration will be applied.
+//
 // If the operating system supports SOCK_CLOEXEC and SOCK_NONBLOCK, they are
 // automatically applied to typ to mirror the standard library's socket flag
 // behaviors.
-func Socket(domain, typ, proto int, name string) (*Conn, error) {
+func Socket(domain, typ, proto int, name string, cfg *Config) (*Conn, error) {
+	if cfg == nil {
+		cfg = &Config{}
+	}
+
+	if cfg.NetNS == 0 {
+		// Non-Linux or no network namespace.
+		return socket(domain, typ, proto, name)
+	}
+
+	// Linux only: create Conn in the specified network namespace.
+	return withNetNS(cfg.NetNS, func() (*Conn, error) {
+		return socket(domain, typ, proto, name)
+	})
+}
+
+// socket is the internal, cross-platform entry point for socket(2).
+func socket(domain, typ, proto int, name string) (*Conn, error) {
 	var (
 		fd  int
 		err error
@@ -133,7 +267,7 @@ func Socket(domain, typ, proto int, name string) (*Conn, error) {
 			}
 
 			// No error, prepare the Conn.
-			return newConn(fd, name)
+			return New(fd, name)
 		case !ready(err):
 			// System call interrupted or not ready, try again.
 			continue
@@ -153,12 +287,14 @@ func Socket(domain, typ, proto int, name string) (*Conn, error) {
 			// comment in syscall/exec_unix.go.
 			syscall.ForkLock.RLock()
 			fd, err = unix.Socket(domain, typ, proto)
-			if err == nil {
-				unix.CloseOnExec(fd)
+			if err != nil {
+				syscall.ForkLock.RUnlock()
+				return nil, os.NewSyscallError("socket", err)
 			}
+			unix.CloseOnExec(fd)
 			syscall.ForkLock.RUnlock()
 
-			return newConn(fd, name)
+			return New(fd, name)
 		default:
 			// Unhandled error.
 			return nil, os.NewSyscallError("socket", err)
@@ -166,11 +302,54 @@ func Socket(domain, typ, proto int, name string) (*Conn, error) {
 	}
 }
 
-// TODO(mdlayher): consider exporting newConn as New?
+// FileConn returns a copy of the network connection corresponding to the open
+// file. It is the caller's responsibility to close the file when finished.
+// Closing the Conn does not affect the File, and closing the File does not
+// affect the Conn.
+func FileConn(f *os.File, name string) (*Conn, error) {
+	// First we'll try to do fctnl(2) with F_DUPFD_CLOEXEC because we can dup
+	// the file descriptor and set the flag in one syscall.
+	fd, err := unix.FcntlInt(f.Fd(), unix.F_DUPFD_CLOEXEC, 0)
+	switch err {
+	case nil:
+		// OK, ready to set up non-blocking I/O.
+		return New(fd, name)
+	case unix.EINVAL:
+		// The kernel rejected our fcntl(2), fall back to separate dup(2) and
+		// setting close on exec.
+		//
+		// Mirror what the standard library does when creating file descriptors:
+		// avoid racing a fork/exec with the creation of new file descriptors,
+		// so that child processes do not inherit socket file descriptors
+		// unexpectedly.
+		syscall.ForkLock.RLock()
+		fd, err := unix.Dup(fd)
+		if err != nil {
+			syscall.ForkLock.RUnlock()
+			return nil, os.NewSyscallError("dup", err)
+		}
+		unix.CloseOnExec(fd)
+		syscall.ForkLock.RUnlock()
+
+		return New(fd, name)
+	default:
+		// Any other errors.
+		return nil, os.NewSyscallError("fcntl", err)
+	}
+}
 
-// newConn wraps an existing file descriptor to create a Conn. name should be a
+// New wraps an existing file descriptor to create a Conn. name should be a
 // unique name for the socket type such as "netlink" or "vsock".
-func newConn(fd int, name string) (*Conn, error) {
+//
+// Most callers should use Socket or FileConn to construct a Conn. New is
+// intended for integrating with specific system calls which provide a file
+// descriptor that supports asynchronous I/O. The file descriptor is immediately
+// set to nonblocking mode and registered with Go's runtime network poller for
+// future I/O operations.
+//
+// Unlike FileConn, New does not duplicate the existing file descriptor in any
+// way. The returned Conn takes ownership of the underlying file descriptor.
+func New(fd int, name string) (*Conn, error) {
 	// All Conn I/O is nonblocking for integration with Go's runtime network
 	// poller. Depending on the OS this might already be set but it can't hurt
 	// to set it again.
@@ -189,11 +368,32 @@ func newConn(fd int, name string) (*Conn, error) {
 		return nil, err
 	}
 
-	return &Conn{
+	c := &Conn{
 		name: name,
 		fd:   f,
 		rc:   rc,
-	}, nil
+	}
+
+	// Probe the file descriptor for socket settings.
+	sotype, err := c.GetsockoptInt(unix.SOL_SOCKET, unix.SO_TYPE)
+	switch {
+	case err == nil:
+		// File is a socket, check its properties.
+		c.facts = facts{
+			isStream:      sotype == unix.SOCK_STREAM,
+			zeroReadIsEOF: sotype != unix.SOCK_DGRAM && sotype != unix.SOCK_RAW,
+		}
+	case errors.Is(err, unix.ENOTSOCK):
+		// File is not a socket, treat it as a regular file.
+		c.facts = facts{
+			isStream:      true,
+			zeroReadIsEOF: true,
+		}
+	default:
+		return nil, err
+	}
+
+	return c, nil
 }
 
 // Low-level methods which provide raw system call access.
@@ -207,290 +407,488 @@ func newConn(fd int, name string) (*Conn, error) {
 //
 // If the operating system only supports accept(2) (which does not allow flags)
 // and flags is not zero, an error will be returned.
-func (c *Conn) Accept(flags int) (*Conn, unix.Sockaddr, error) {
-	var (
+//
+// Accept obeys context cancelation and uses the deadline set on the context to
+// cancel accepting the next connection. If a deadline is set on ctx, this
+// deadline will override any previous deadlines set using SetDeadline or
+// SetReadDeadline. Upon return, the read deadline is cleared.
+func (c *Conn) Accept(ctx context.Context, flags int) (*Conn, unix.Sockaddr, error) {
+	type ret struct {
 		nfd int
 		sa  unix.Sockaddr
-		err error
-	)
+	}
 
-	doErr := c.read(sysAccept, func(fd int) error {
+	r, err := readT(c, ctx, sysAccept, func(fd int) (ret, error) {
 		// Either accept(2) or accept4(2) depending on the OS.
-		nfd, sa, err = accept(fd, flags|socketFlags)
-		return err
+		nfd, sa, err := accept(fd, flags|socketFlags)
+		return ret{nfd, sa}, err
 	})
-	if doErr != nil {
-		return nil, nil, doErr
-	}
 	if err != nil {
-		// sysAccept is either "accept" or "accept4" depending on the OS.
-		return nil, nil, os.NewSyscallError(sysAccept, err)
+		// internal/poll, context error, or user function error.
+		return nil, nil, err
 	}
 
 	// Successfully accepted a connection, wrap it in a Conn for use by the
 	// caller.
-	ac, err := newConn(nfd, c.name)
+	ac, err := New(r.nfd, c.name)
 	if err != nil {
 		return nil, nil, err
 	}
 
-	return ac, sa, nil
+	return ac, r.sa, nil
 }
 
 // Bind wraps bind(2).
 func (c *Conn) Bind(sa unix.Sockaddr) error {
-	const op = "bind"
-
-	var err error
-	doErr := c.control(op, func(fd int) error {
-		err = unix.Bind(fd, sa)
-		return err
-	})
-	if doErr != nil {
-		return doErr
-	}
-
-	return os.NewSyscallError(op, err)
+	return c.control("bind", func(fd int) error { return unix.Bind(fd, sa) })
 }
 
-// Connect wraps connect(2).
-func (c *Conn) Connect(sa unix.Sockaddr) error {
+// Connect wraps connect(2). In order to verify that the underlying socket is
+// connected to a remote peer, Connect calls getpeername(2) and returns the
+// unix.Sockaddr from that call.
+//
+// Connect obeys context cancelation and uses the deadline set on the context to
+// cancel connecting to a remote peer. If a deadline is set on ctx, this
+// deadline will override any previous deadlines set using SetDeadline or
+// SetWriteDeadline. Upon return, the write deadline is cleared.
+func (c *Conn) Connect(ctx context.Context, sa unix.Sockaddr) (unix.Sockaddr, error) {
 	const op = "connect"
 
-	var err error
-	doErr := c.write(op, func(fd int) error {
-		err = unix.Connect(fd, sa)
-		return err
+	// TODO(mdlayher): it would seem that trying to connect to unbound vsock
+	// listeners by calling Connect multiple times results in ECONNRESET for the
+	// first and nil error for subsequent calls. Do we need to memoize the
+	// error? Check what the stdlib behavior is.
+
+	var (
+		// Track progress between invocations of the write closure. We don't
+		// have an explicit WaitWrite call like internal/poll does, so we have
+		// to wait until the runtime calls the closure again to indicate we can
+		// write.
+		progress uint32
+
+		// Capture closure sockaddr and error.
+		rsa unix.Sockaddr
+		err error
+	)
+
+	doErr := c.write(ctx, op, func(fd int) error {
+		if atomic.AddUint32(&progress, 1) == 1 {
+			// First call: initiate connect.
+			return unix.Connect(fd, sa)
+		}
+
+		// Subsequent calls: the runtime network poller indicates fd is
+		// writable. Check for errno.
+		errno, gerr := c.GetsockoptInt(unix.SOL_SOCKET, unix.SO_ERROR)
+		if gerr != nil {
+			return gerr
+		}
+		if errno != 0 {
+			// Connection is still not ready or failed. If errno indicates
+			// the socket is not ready, we will wait for the next write
+			// event. Otherwise we propagate this errno back to the as a
+			// permanent error.
+			uerr := unix.Errno(errno)
+			err = uerr
+			return uerr
+		}
+
+		// According to internal/poll, it's possible for the runtime network
+		// poller to spuriously wake us and return errno 0 for SO_ERROR.
+		// Make sure we are actually connected to a peer.
+		peer, err := c.Getpeername()
+		if err != nil {
+			// internal/poll unconditionally goes back to WaitWrite.
+			// Synthesize an error that will do the same for us.
+			return unix.EAGAIN
+		}
+
+		// Connection complete.
+		rsa = peer
+		return nil
 	})
 	if doErr != nil {
-		return doErr
+		// internal/poll or context error.
+		return nil, doErr
 	}
 
 	if err == unix.EISCONN {
-		// Darwin reports EISCONN if already connected, but the socket is
-		// established and we don't need to report an error.
-		return nil
+		// TODO(mdlayher): is this block obsolete with the addition of the
+		// getsockopt SO_ERROR check above?
+		//
+		// EISCONN is reported if the socket is already established and should
+		// not be treated as an error.
+		//  - Darwin reports this for at least TCP sockets
+		//  - Linux reports this for at least AF_VSOCK sockets
+		return rsa, nil
 	}
 
-	return os.NewSyscallError(op, err)
+	return rsa, os.NewSyscallError(op, err)
 }
 
 // Getsockname wraps getsockname(2).
 func (c *Conn) Getsockname() (unix.Sockaddr, error) {
-	const op = "getsockname"
+	return controlT(c, "getsockname", unix.Getsockname)
+}
 
-	var (
-		sa  unix.Sockaddr
-		err error
-	)
+// Getpeername wraps getpeername(2).
+func (c *Conn) Getpeername() (unix.Sockaddr, error) {
+	return controlT(c, "getpeername", unix.Getpeername)
+}
 
-	doErr := c.control(op, func(fd int) error {
-		sa, err = unix.Getsockname(fd)
-		return err
+// GetsockoptICMPv6Filter wraps getsockopt(2) for *unix.ICMPv6Filter values.
+func (c *Conn) GetsockoptICMPv6Filter(level, opt int) (*unix.ICMPv6Filter, error) {
+	return controlT(c, "getsockopt", func(fd int) (*unix.ICMPv6Filter, error) {
+		return unix.GetsockoptICMPv6Filter(fd, level, opt)
 	})
-	if doErr != nil {
-		return nil, doErr
-	}
-
-	return sa, os.NewSyscallError(op, err)
 }
 
 // GetsockoptInt wraps getsockopt(2) for integer values.
 func (c *Conn) GetsockoptInt(level, opt int) (int, error) {
-	const op = "getsockopt"
-
-	var (
-		value int
-		err   error
-	)
-
-	doErr := c.control(op, func(fd int) error {
-		value, err = unix.GetsockoptInt(fd, level, opt)
-		return err
+	return controlT(c, "getsockopt", func(fd int) (int, error) {
+		return unix.GetsockoptInt(fd, level, opt)
 	})
-	if doErr != nil {
-		return 0, doErr
-	}
+}
 
-	return value, os.NewSyscallError(op, err)
+// GetsockoptString wraps getsockopt(2) for string values.
+func (c *Conn) GetsockoptString(level, opt int) (string, error) {
+	return controlT(c, "getsockopt", func(fd int) (string, error) {
+		return unix.GetsockoptString(fd, level, opt)
+	})
 }
 
 // Listen wraps listen(2).
 func (c *Conn) Listen(n int) error {
-	const op = "listen"
-
-	var err error
-	doErr := c.control(op, func(fd int) error {
-		err = unix.Listen(fd, n)
-		return err
-	})
-	if doErr != nil {
-		return doErr
-	}
-
-	return os.NewSyscallError(op, err)
+	return c.control("listen", func(fd int) error { return unix.Listen(fd, n) })
 }
 
 // Recvmsg wraps recvmsg(2).
-func (c *Conn) Recvmsg(p, oob []byte, flags int) (int, int, int, unix.Sockaddr, error) {
-	const op = "recvmsg"
-
-	var (
+func (c *Conn) Recvmsg(ctx context.Context, p, oob []byte, flags int) (int, int, int, unix.Sockaddr, error) {
+	type ret struct {
 		n, oobn, recvflags int
 		from               unix.Sockaddr
-		err                error
-	)
+	}
 
-	doErr := c.read(op, func(fd int) error {
-		n, oobn, recvflags, from, err = unix.Recvmsg(fd, p, oob, flags)
-		return err
+	r, err := readT(c, ctx, "recvmsg", func(fd int) (ret, error) {
+		n, oobn, recvflags, from, err := unix.Recvmsg(fd, p, oob, flags)
+		return ret{n, oobn, recvflags, from}, err
 	})
-	if doErr != nil {
-		return 0, 0, 0, nil, doErr
+	if r.n == 0 && err == nil && c.facts.zeroReadIsEOF {
+		return 0, 0, 0, nil, io.EOF
 	}
 
-	return n, oobn, recvflags, from, os.NewSyscallError(op, err)
+	return r.n, r.oobn, r.recvflags, r.from, err
 }
 
-// Recvfrom wraps recvfrom(2)
-func (c *Conn) Recvfrom(p []byte, flags int) (int, unix.Sockaddr, error) {
-	const op = "recvfrom"
-
-	var (
+// Recvfrom wraps recvfrom(2).
+func (c *Conn) Recvfrom(ctx context.Context, p []byte, flags int) (int, unix.Sockaddr, error) {
+	type ret struct {
 		n    int
 		addr unix.Sockaddr
-		err  error
-	)
+	}
 
-	doErr := c.read(op, func(fd int) error {
-		n, addr, err = unix.Recvfrom(fd, p, flags)
-		return err
+	out, err := readT(c, ctx, "recvfrom", func(fd int) (ret, error) {
+		n, addr, err := unix.Recvfrom(fd, p, flags)
+		return ret{n, addr}, err
 	})
-	if doErr != nil {
-		return 0, nil, doErr
+	if out.n == 0 && err == nil && c.facts.zeroReadIsEOF {
+		return 0, nil, io.EOF
 	}
 
-	return n, addr, os.NewSyscallError(op, err)
+	return out.n, out.addr, err
 }
 
 // Sendmsg wraps sendmsg(2).
-func (c *Conn) Sendmsg(p, oob []byte, to unix.Sockaddr, flags int) error {
-	const op = "sendmsg"
-
-	var err error
-	doErr := c.write(op, func(fd int) error {
-		err = unix.Sendmsg(fd, p, oob, to, flags)
-		return err
+func (c *Conn) Sendmsg(ctx context.Context, p, oob []byte, to unix.Sockaddr, flags int) (int, error) {
+	return writeT(c, ctx, "sendmsg", func(fd int) (int, error) {
+		return unix.SendmsgN(fd, p, oob, to, flags)
 	})
-	if doErr != nil {
-		return doErr
-	}
-
-	return os.NewSyscallError(op, err)
 }
 
-// Sendto wraps Sendto(2).
-func (c *Conn) Sendto(b []byte, to unix.Sockaddr, flags int) error {
-	const op = "sendto"
-
-	var err error
-	doErr := c.write(op, func(fd int) error {
-		err = unix.Sendto(fd, b, flags, to)
-		return err
+// Sendto wraps sendto(2).
+func (c *Conn) Sendto(ctx context.Context, p []byte, flags int, to unix.Sockaddr) error {
+	return c.write(ctx, "sendto", func(fd int) error {
+		return unix.Sendto(fd, p, flags, to)
 	})
-	if doErr != nil {
-		return doErr
-	}
+}
 
-	return os.NewSyscallError(op, err)
+// SetsockoptICMPv6Filter wraps setsockopt(2) for *unix.ICMPv6Filter values.
+func (c *Conn) SetsockoptICMPv6Filter(level, opt int, filter *unix.ICMPv6Filter) error {
+	return c.control("setsockopt", func(fd int) error {
+		return unix.SetsockoptICMPv6Filter(fd, level, opt, filter)
+	})
 }
 
 // SetsockoptInt wraps setsockopt(2) for integer values.
 func (c *Conn) SetsockoptInt(level, opt, value int) error {
-	const op = "setsockopt"
+	return c.control("setsockopt", func(fd int) error {
+		return unix.SetsockoptInt(fd, level, opt, value)
+	})
+}
 
-	var err error
-	doErr := c.control(op, func(fd int) error {
-		err = unix.SetsockoptInt(fd, level, opt, value)
-		return err
+// SetsockoptString wraps setsockopt(2) for string values.
+func (c *Conn) SetsockoptString(level, opt int, value string) error {
+	return c.control("setsockopt", func(fd int) error {
+		return unix.SetsockoptString(fd, level, opt, value)
 	})
-	if doErr != nil {
-		return doErr
-	}
+}
 
-	return os.NewSyscallError(op, err)
+// Shutdown wraps shutdown(2).
+func (c *Conn) Shutdown(how int) error {
+	return c.control("shutdown", func(fd int) error { return unix.Shutdown(fd, how) })
 }
 
 // Conn low-level read/write/control functions. These functions mirror the
 // syscall.RawConn APIs but the input closures return errors rather than
-// booleans. Any syscalls invoked within f should return their error to allow
-// the Conn to check for readiness with the runtime network poller, or to retry
-// operations which may have been interrupted by EINTR or similar.
-//
-// Note that errors from the input closure functions are not propagated to the
-// error return values of read/write/control, and the caller is still
-// responsible for error handling.
+// booleans.
 
-// read executes f, a read function, against the associated file descriptor.
-// op is used to create an *os.SyscallError if the file descriptor is closed.
-func (c *Conn) read(op string, f func(fd int) error) error {
-	if atomic.LoadUint32(&c.closed) != 0 {
-		return os.NewSyscallError(op, unix.EBADF)
-	}
-
-	return c.rc.Read(func(fd uintptr) bool {
-		return ready(f(int(fd)))
+// read wraps readT to execute a function and capture its error result. This is
+// a convenience wrapper for functions which don't return any extra values.
+func (c *Conn) read(ctx context.Context, op string, f func(fd int) error) error {
+	_, err := readT(c, ctx, op, func(fd int) (struct{}, error) {
+		return struct{}{}, f(fd)
 	})
+	return err
 }
 
 // write executes f, a write function, against the associated file descriptor.
 // op is used to create an *os.SyscallError if the file descriptor is closed.
-func (c *Conn) write(op string, f func(fd int) error) error {
+func (c *Conn) write(ctx context.Context, op string, f func(fd int) error) error {
+	_, err := writeT(c, ctx, op, func(fd int) (struct{}, error) {
+		return struct{}{}, f(fd)
+	})
+	return err
+}
+
+// readT executes c.rc.Read for op using the input function, returning a newly
+// allocated result T.
+func readT[T any](c *Conn, ctx context.Context, op string, f func(fd int) (T, error)) (T, error) {
+	return rwT(c, rwContext[T]{
+		Context: ctx,
+		Type:    read,
+		Op:      op,
+		Do:      f,
+	})
+}
+
+// writeT executes c.rc.Write for op using the input function, returning a newly
+// allocated result T.
+func writeT[T any](c *Conn, ctx context.Context, op string, f func(fd int) (T, error)) (T, error) {
+	return rwT(c, rwContext[T]{
+		Context: ctx,
+		Type:    write,
+		Op:      op,
+		Do:      f,
+	})
+}
+
+// readWrite indicates if an operation intends to read or write.
+type readWrite bool
+
+// Possible readWrite values.
+const (
+	read  readWrite = false
+	write readWrite = true
+)
+
+// An rwContext provides arguments to rwT.
+type rwContext[T any] struct {
+	// The caller's context passed for cancelation.
+	Context context.Context
+
+	// The type of an operation: read or write.
+	Type readWrite
+
+	// The name of the operation used in errors.
+	Op string
+
+	// The actual function to perform.
+	Do func(fd int) (T, error)
+}
+
+// rwT executes c.rc.Read or c.rc.Write (depending on the value of rw.Type) for
+// rw.Op using the input function, returning a newly allocated result T.
+//
+// It obeys context cancelation and the rw.Context must not be nil.
+func rwT[T any](c *Conn, rw rwContext[T]) (T, error) {
 	if atomic.LoadUint32(&c.closed) != 0 {
-		return os.NewSyscallError(op, unix.EBADF)
+		// If the file descriptor is already closed, do nothing.
+		return *new(T), os.NewSyscallError(rw.Op, unix.EBADF)
+	}
+
+	if err := rw.Context.Err(); err != nil {
+		// Early exit due to context cancel.
+		return *new(T), os.NewSyscallError(rw.Op, err)
+	}
+
+	var (
+		// The read or write function used to access the runtime network poller.
+		poll func(func(uintptr) bool) error
+
+		// The read or write function used to set the matching deadline.
+		deadline func(time.Time) error
+	)
+
+	if rw.Type == write {
+		poll = c.rc.Write
+		deadline = c.SetWriteDeadline
+	} else {
+		poll = c.rc.Read
+		deadline = c.SetReadDeadline
+	}
+
+	var (
+		// Whether or not the context carried a deadline we are actively using
+		// for cancelation.
+		setDeadline bool
+
+		// Signals for the cancelation watcher goroutine.
+		wg    sync.WaitGroup
+		doneC = make(chan struct{})
+
+		// Atomic: reports whether we have to disarm the deadline.
+		needDisarm atomic.Bool
+	)
+
+	// On cancel, clean up the watcher.
+	defer func() {
+		close(doneC)
+		wg.Wait()
+	}()
+
+	if d, ok := rw.Context.Deadline(); ok {
+		// The context has an explicit deadline. We will use it for cancelation
+		// but disarm it after poll for the next call.
+		if err := deadline(d); err != nil {
+			return *new(T), err
+		}
+		setDeadline = true
+		needDisarm.Store(true)
+	} else {
+		// The context does not have an explicit deadline. We have to watch for
+		// cancelation so we can propagate that signal to immediately unblock
+		// the runtime network poller.
+		//
+		// TODO(mdlayher): is it possible to detect a background context vs a
+		// context with possible future cancel?
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+
+			select {
+			case <-rw.Context.Done():
+				// Cancel the operation. Make the caller disarm after poll
+				// returns.
+				needDisarm.Store(true)
+				_ = deadline(time.Unix(0, 1))
+			case <-doneC:
+				// Nothing to do.
+			}
+		}()
 	}
 
-	return c.rc.Write(func(fd uintptr) bool {
-		return ready(f(int(fd)))
+	var (
+		t   T
+		err error
+	)
+
+	pollErr := poll(func(fd uintptr) bool {
+		t, err = rw.Do(int(fd))
+		return ready(err)
 	})
+
+	if needDisarm.Load() {
+		_ = deadline(time.Time{})
+	}
+
+	if pollErr != nil {
+		if rw.Context.Err() != nil || (setDeadline && errors.Is(pollErr, os.ErrDeadlineExceeded)) {
+			// The caller canceled the operation or we set a deadline internally
+			// and it was reached.
+			//
+			// Unpack a plain context error. We wait for the context to be done
+			// to synchronize state externally. Otherwise we have noticed I/O
+			// timeout wakeups when we set a deadline but the context was not
+			// yet marked done.
+			<-rw.Context.Done()
+			return *new(T), os.NewSyscallError(rw.Op, rw.Context.Err())
+		}
+
+		// Error from syscall.RawConn methods. Conventionally the standard
+		// library does not wrap internal/poll errors in os.NewSyscallError.
+		return *new(T), pollErr
+	}
+
+	// Result from user function.
+	return t, os.NewSyscallError(rw.Op, err)
 }
 
-// control executes f, a control function, against the associated file
-// descriptor. op is used to create an *os.SyscallError if the file descriptor
-// is closed.
+// control executes Conn.control for op using the input function.
 func (c *Conn) control(op string, f func(fd int) error) error {
+	_, err := controlT(c, op, func(fd int) (struct{}, error) {
+		return struct{}{}, f(fd)
+	})
+	return err
+}
+
+// controlT executes c.rc.Control for op using the input function, returning a
+// newly allocated result T.
+func controlT[T any](c *Conn, op string, f func(fd int) (T, error)) (T, error) {
 	if atomic.LoadUint32(&c.closed) != 0 {
-		return os.NewSyscallError(op, unix.EBADF)
+		// If the file descriptor is already closed, do nothing.
+		return *new(T), os.NewSyscallError(op, unix.EBADF)
 	}
 
-	return c.rc.Control(func(fd uintptr) {
+	var (
+		t   T
+		err error
+	)
+
+	doErr := c.rc.Control(func(fd uintptr) {
 		// Repeatedly attempt the syscall(s) invoked by f until completion is
-		// indicated by the return value of ready.
+		// indicated by the return value of ready or the context is canceled.
+		//
+		// The last values for t and err are captured outside of the closure for
+		// use when the loop breaks.
 		for {
-			if ready(f(int(fd))) {
+			t, err = f(int(fd))
+			if ready(err) {
 				return
 			}
 		}
 	})
+	if doErr != nil {
+		// Error from syscall.RawConn methods. Conventionally the standard
+		// library does not wrap internal/poll errors in os.NewSyscallError.
+		return *new(T), doErr
+	}
+
+	// Result from user function.
+	return t, os.NewSyscallError(op, err)
 }
 
 // ready indicates readiness based on the value of err.
 func ready(err error) bool {
-	// When a socket is in non-blocking mode, we might see EAGAIN or
-	// EINPROGRESS. In that case, return false to let the poller wait for
-	// readiness. See the source code for internal/poll.FD.RawRead for more
-	// details.
-	//
-	// Starting in Go 1.14, goroutines are asynchronously preemptible. The 1.14
-	// release notes indicate that applications should expect to see EINTR more
-	// often on slow system calls (like recvmsg while waiting for input), so we
-	// must handle that case as well.
 	switch err {
-	case unix.EAGAIN, unix.EINTR, unix.EINPROGRESS:
-		// Not ready.
+	case unix.EAGAIN, unix.EINPROGRESS, unix.EINTR:
+		// When a socket is in non-blocking mode, we might see a variety of errors:
+		//  - EAGAIN: most common case for a socket read not being ready
+		//  - EINPROGRESS: reported by some sockets when first calling connect
+		//  - EINTR: system call interrupted, more frequently occurs in Go 1.14+
+		//    because goroutines can be asynchronously preempted
+		//
+		// Return false to let the poller wait for readiness. See the source code
+		// for internal/poll.FD.RawRead for more details.
 		return false
 	default:
 		// Ready regardless of whether there was an error or no error.
 		return true
 	}
 }
+
+// Darwin and FreeBSD can't read or write 2GB+ files at a time,
+// even on 64-bit systems.
+// The same is true of socket implementations on many systems.
+// See golang.org/issue/7812 and golang.org/issue/16266.
+// Use 1GB instead of, say, 2GB-1, to keep subsequent reads aligned.
+const maxRW = 1 << 30

vendor/github.com/mdlayher/socket/conn_linux.go

@@ -4,6 +4,7 @@
 package socket
 
 import (
+	"context"
 	"os"
 	"unsafe"
 
@@ -11,6 +12,54 @@ import (
 	"golang.org/x/sys/unix"
 )
 
+// IoctlKCMClone wraps ioctl(2) for unix.KCMClone values, but returns a Conn
+// rather than a raw file descriptor.
+func (c *Conn) IoctlKCMClone() (*Conn, error) {
+	info, err := controlT(c, "ioctl", unix.IoctlKCMClone)
+	if err != nil {
+		return nil, err
+	}
+
+	// Successful clone, wrap in a Conn for use by the caller.
+	return New(int(info.Fd), c.name)
+}
+
+// IoctlKCMAttach wraps ioctl(2) for unix.KCMAttach values.
+func (c *Conn) IoctlKCMAttach(info unix.KCMAttach) error {
+	return c.control("ioctl", func(fd int) error {
+		return unix.IoctlKCMAttach(fd, info)
+	})
+}
+
+// IoctlKCMUnattach wraps ioctl(2) for unix.KCMUnattach values.
+func (c *Conn) IoctlKCMUnattach(info unix.KCMUnattach) error {
+	return c.control("ioctl", func(fd int) error {
+		return unix.IoctlKCMUnattach(fd, info)
+	})
+}
+
+// PidfdGetfd wraps pidfd_getfd(2) for a Conn which wraps a pidfd, but returns a
+// Conn rather than a raw file descriptor.
+func (c *Conn) PidfdGetfd(targetFD, flags int) (*Conn, error) {
+	outFD, err := controlT(c, "pidfd_getfd", func(fd int) (int, error) {
+		return unix.PidfdGetfd(fd, targetFD, flags)
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	// Successful getfd, wrap in a Conn for use by the caller.
+	return New(outFD, c.name)
+}
+
+// PidfdSendSignal wraps pidfd_send_signal(2) for a Conn which wraps a Linux
+// pidfd.
+func (c *Conn) PidfdSendSignal(sig unix.Signal, info *unix.Siginfo, flags int) error {
+	return c.control("pidfd_send_signal", func(fd int) error {
+		return unix.PidfdSendSignal(fd, sig, info, flags)
+	})
+}
+
 // SetBPF attaches an assembled BPF program to a Conn.
 func (c *Conn) SetBPF(filter []bpf.RawInstruction) error {
 	// We can't point to the first instruction in the array if no instructions
@@ -33,56 +82,37 @@ func (c *Conn) RemoveBPF() error {
 	return c.SetsockoptInt(unix.SOL_SOCKET, unix.SO_DETACH_FILTER, 0)
 }
 
+// SetsockoptPacketMreq wraps setsockopt(2) for unix.PacketMreq values.
+func (c *Conn) SetsockoptPacketMreq(level, opt int, mreq *unix.PacketMreq) error {
+	return c.control("setsockopt", func(fd int) error {
+		return unix.SetsockoptPacketMreq(fd, level, opt, mreq)
+	})
+}
+
 // SetsockoptSockFprog wraps setsockopt(2) for unix.SockFprog values.
 func (c *Conn) SetsockoptSockFprog(level, opt int, fprog *unix.SockFprog) error {
-	const op = "setsockopt"
-
-	var err error
-	doErr := c.control(op, func(fd int) error {
-		err = unix.SetsockoptSockFprog(fd, level, opt, fprog)
-		return err
+	return c.control("setsockopt", func(fd int) error {
+		return unix.SetsockoptSockFprog(fd, level, opt, fprog)
 	})
-	if doErr != nil {
-		return doErr
-	}
-
-	return os.NewSyscallError(op, err)
 }
 
-// GetSockoptTpacketStats wraps getsockopt(2) for getting TpacketStats
-func (c *Conn) GetSockoptTpacketStats(level, name int) (*unix.TpacketStats, error) {
-	const op = "getsockopt"
-
-	var (
-		stats *unix.TpacketStats
-		err   error
-	)
-
-	doErr := c.control(op, func(fd int) error {
-		stats, err = unix.GetsockoptTpacketStats(fd, level, name)
-		return err
+// GetsockoptTpacketStats wraps getsockopt(2) for unix.TpacketStats values.
+func (c *Conn) GetsockoptTpacketStats(level, name int) (*unix.TpacketStats, error) {
+	return controlT(c, "getsockopt", func(fd int) (*unix.TpacketStats, error) {
+		return unix.GetsockoptTpacketStats(fd, level, name)
 	})
-	if doErr != nil {
-		return stats, doErr
-	}
-	return stats, os.NewSyscallError(op, err)
 }
 
-// GetSockoptTpacketStatsV3 wraps getsockopt(2) for getting TpacketStatsV3
-func (c *Conn) GetSockoptTpacketStatsV3(level, name int) (*unix.TpacketStatsV3, error) {
-	const op = "getsockopt"
-
-	var (
-		stats *unix.TpacketStatsV3
-		err   error
-	)
+// GetsockoptTpacketStatsV3 wraps getsockopt(2) for unix.TpacketStatsV3 values.
+func (c *Conn) GetsockoptTpacketStatsV3(level, name int) (*unix.TpacketStatsV3, error) {
+	return controlT(c, "getsockopt", func(fd int) (*unix.TpacketStatsV3, error) {
+		return unix.GetsockoptTpacketStatsV3(fd, level, name)
+	})
+}
 
-	doErr := c.control(op, func(fd int) error {
-		stats, err = unix.GetsockoptTpacketStatsV3(fd, level, name)
-		return err
+// Waitid wraps waitid(2).
+func (c *Conn) Waitid(idType int, info *unix.Siginfo, options int, rusage *unix.Rusage) error {
+	return c.read(context.Background(), "waitid", func(fd int) error {
+		return unix.Waitid(idType, fd, info, options, rusage)
 	})
-	if doErr != nil {
-		return stats, doErr
-	}
-	return stats, os.NewSyscallError(op, err)
 }

vendor/github.com/mdlayher/socket/netns_linux.go

@@ -0,0 +1,150 @@
+//go:build linux
+// +build linux
+
+package socket
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"runtime"
+
+	"golang.org/x/sync/errgroup"
+	"golang.org/x/sys/unix"
+)
+
+// errNetNSDisabled is returned when network namespaces are unavailable on
+// a given system.
+var errNetNSDisabled = errors.New("socket: Linux network namespaces are not enabled on this system")
+
+// withNetNS invokes fn within the context of the network namespace specified by
+// fd, while also managing the logic required to safely do so by manipulating
+// thread-local state.
+func withNetNS(fd int, fn func() (*Conn, error)) (*Conn, error) {
+	var (
+		eg   errgroup.Group
+		conn *Conn
+	)
+
+	eg.Go(func() error {
+		// Retrieve and store the calling OS thread's network namespace so the
+		// thread can be reassigned to it after creating a socket in another network
+		// namespace.
+		runtime.LockOSThread()
+
+		ns, err := threadNetNS()
+		if err != nil {
+			// No thread-local manipulation, unlock.
+			runtime.UnlockOSThread()
+			return err
+		}
+		defer ns.Close()
+
+		// Beyond this point, the thread's network namespace is poisoned. Do not
+		// unlock the OS thread until all network namespace manipulation completes
+		// to avoid returning to the caller with altered thread-local state.
+
+		// Assign the current OS thread the goroutine is locked to to the given
+		// network namespace.
+		if err := ns.Set(fd); err != nil {
+			return err
+		}
+
+		// Attempt Conn creation and unconditionally restore the original namespace.
+		c, err := fn()
+		if nerr := ns.Restore(); nerr != nil {
+			// Failed to restore original namespace. Return an error and allow the
+			// runtime to terminate the thread.
+			if err == nil {
+				_ = c.Close()
+			}
+
+			return nerr
+		}
+
+		// No more thread-local state manipulation; return the new Conn.
+		runtime.UnlockOSThread()
+		conn = c
+		return nil
+	})
+
+	if err := eg.Wait(); err != nil {
+		return nil, err
+	}
+
+	return conn, nil
+}
+
+// A netNS is a handle that can manipulate network namespaces.
+//
+// Operations performed on a netNS must use runtime.LockOSThread before
+// manipulating any network namespaces.
+type netNS struct {
+	// The handle to a network namespace.
+	f *os.File
+
+	// Indicates if network namespaces are disabled on this system, and thus
+	// operations should become a no-op or return errors.
+	disabled bool
+}
+
+// threadNetNS constructs a netNS using the network namespace of the calling
+// thread. If the namespace is not the default namespace, runtime.LockOSThread
+// should be invoked first.
+func threadNetNS() (*netNS, error) {
+	return fileNetNS(fmt.Sprintf("/proc/self/task/%d/ns/net", unix.Gettid()))
+}
+
+// fileNetNS opens file and creates a netNS. fileNetNS should only be called
+// directly in tests.
+func fileNetNS(file string) (*netNS, error) {
+	f, err := os.Open(file)
+	switch {
+	case err == nil:
+		return &netNS{f: f}, nil
+	case os.IsNotExist(err):
+		// Network namespaces are not enabled on this system. Use this signal
+		// to return errors elsewhere if the caller explicitly asks for a
+		// network namespace to be set.
+		return &netNS{disabled: true}, nil
+	default:
+		return nil, err
+	}
+}
+
+// Close releases the handle to a network namespace.
+func (n *netNS) Close() error {
+	return n.do(func() error { return n.f.Close() })
+}
+
+// FD returns a file descriptor which represents the network namespace.
+func (n *netNS) FD() int {
+	if n.disabled {
+		// No reasonable file descriptor value in this case, so specify a
+		// non-existent one.
+		return -1
+	}
+
+	return int(n.f.Fd())
+}
+
+// Restore restores the original network namespace for the calling thread.
+func (n *netNS) Restore() error {
+	return n.do(func() error { return n.Set(n.FD()) })
+}
+
+// Set sets a new network namespace for the current thread using fd.
+func (n *netNS) Set(fd int) error {
+	return n.do(func() error {
+		return os.NewSyscallError("setns", unix.Setns(fd, unix.CLONE_NEWNET))
+	})
+}
+
+// do runs fn if network namespaces are enabled on this system.
+func (n *netNS) do(fn func() error) error {
+	if n.disabled {
+		return errNetNSDisabled
+	}
+
+	return fn()
+}

vendor/github.com/mdlayher/socket/netns_others.go

@@ -0,0 +1,14 @@
+//go:build !linux
+// +build !linux
+
+package socket
+
+import (
+	"fmt"
+	"runtime"
+)
+
+// withNetNS returns an error on non-Linux systems.
+func withNetNS(_ int, _ func() (*Conn, error)) (*Conn, error) {
+	return nil, fmt.Errorf("socket: Linux network namespace support is not available on %s", runtime.GOOS)
+}

vendor/github.com/pkg/errors/.gitignore

@@ -0,0 +1,24 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof

vendor/github.com/pkg/errors/.travis.yml

@@ -0,0 +1,10 @@
+language: go
+go_import_path: github.com/pkg/errors
+go:
+  - 1.11.x
+  - 1.12.x
+  - 1.13.x
+  - tip
+
+script:
+  - make check

vendor/github.com/pkg/errors/LICENSE

@@ -0,0 +1,23 @@
+Copyright (c) 2015, Dave Cheney <dave@cheney.net>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

vendor/github.com/pkg/errors/Makefile

@@ -0,0 +1,44 @@
+PKGS := github.com/pkg/errors
+SRCDIRS := $(shell go list -f '{{.Dir}}' $(PKGS))
+GO := go
+
+check: test vet gofmt misspell unconvert staticcheck ineffassign unparam
+
+test: 
+	$(GO) test $(PKGS)
+
+vet: | test
+	$(GO) vet $(PKGS)
+
+staticcheck:
+	$(GO) get honnef.co/go/tools/cmd/staticcheck
+	staticcheck -checks all $(PKGS)
+
+misspell:
+	$(GO) get github.com/client9/misspell/cmd/misspell
+	misspell \
+		-locale GB \
+		-error \
+		*.md *.go
+
+unconvert:
+	$(GO) get github.com/mdempsky/unconvert
+	unconvert -v $(PKGS)
+
+ineffassign:
+	$(GO) get github.com/gordonklaus/ineffassign
+	find $(SRCDIRS) -name '*.go' | xargs ineffassign
+
+pedantic: check errcheck
+
+unparam:
+	$(GO) get mvdan.cc/unparam
+	unparam ./...
+
+errcheck:
+	$(GO) get github.com/kisielk/errcheck
+	errcheck $(PKGS)
+
+gofmt:  
+	@echo Checking code is gofmted
+	@test -z "$(shell gofmt -s -l -d -e $(SRCDIRS) | tee /dev/stderr)"

vendor/github.com/pkg/errors/README.md

@@ -0,0 +1,59 @@
+# errors [![Travis-CI](https://travis-ci.org/pkg/errors.svg)](https://travis-ci.org/pkg/errors) [![AppVeyor](https://ci.appveyor.com/api/projects/status/b98mptawhudj53ep/branch/master?svg=true)](https://ci.appveyor.com/project/davecheney/errors/branch/master) [![GoDoc](https://godoc.org/github.com/pkg/errors?status.svg)](http://godoc.org/github.com/pkg/errors) [![Report card](https://goreportcard.com/badge/github.com/pkg/errors)](https://goreportcard.com/report/github.com/pkg/errors) [![Sourcegraph](https://sourcegraph.com/github.com/pkg/errors/-/badge.svg)](https://sourcegraph.com/github.com/pkg/errors?badge)
+
+Package errors provides simple error handling primitives.
+
+`go get github.com/pkg/errors`
+
+The traditional error handling idiom in Go is roughly akin to
+```go
+if err != nil {
+        return err
+}
+```
+which applied recursively up the call stack results in error reports without context or debugging information. The errors package allows programmers to add context to the failure path in their code in a way that does not destroy the original value of the error.
+
+## Adding context to an error
+
+The errors.Wrap function returns a new error that adds context to the original error. For example
+```go
+_, err := ioutil.ReadAll(r)
+if err != nil {
+        return errors.Wrap(err, "read failed")
+}
+```
+## Retrieving the cause of an error
+
+Using `errors.Wrap` constructs a stack of errors, adding context to the preceding error. Depending on the nature of the error it may be necessary to reverse the operation of errors.Wrap to retrieve the original error for inspection. Any error value which implements this interface can be inspected by `errors.Cause`.
+```go
+type causer interface {
+        Cause() error
+}
+```
+`errors.Cause` will recursively retrieve the topmost error which does not implement `causer`, which is assumed to be the original cause. For example:
+```go
+switch err := errors.Cause(err).(type) {
+case *MyError:
+        // handle specifically
+default:
+        // unknown error
+}
+```
+
+[Read the package documentation for more information](https://godoc.org/github.com/pkg/errors).
+
+## Roadmap
+
+With the upcoming [Go2 error proposals](https://go.googlesource.com/proposal/+/master/design/go2draft.md) this package is moving into maintenance mode. The roadmap for a 1.0 release is as follows:
+
+- 0.9. Remove pre Go 1.9 and Go 1.10 support, address outstanding pull requests (if possible)
+- 1.0. Final release.
+
+## Contributing
+
+Because of the Go2 errors changes, this package is not accepting proposals for new functionality. With that said, we welcome pull requests, bug fixes and issue reports. 
+
+Before sending a PR, please discuss your change by raising an issue.
+
+## License
+
+BSD-2-Clause

vendor/github.com/pkg/errors/appveyor.yml

@@ -0,0 +1,32 @@
+version: build-{build}.{branch}
+
+clone_folder: C:\gopath\src\github.com\pkg\errors
+shallow_clone: true # for startup speed
+
+environment:
+  GOPATH: C:\gopath
+
+platform:
+  - x64
+
+# http://www.appveyor.com/docs/installed-software
+install:
+  # some helpful output for debugging builds
+  - go version
+  - go env
+  # pre-installed MinGW at C:\MinGW is 32bit only
+  # but MSYS2 at C:\msys64 has mingw64
+  - set PATH=C:\msys64\mingw64\bin;%PATH%
+  - gcc --version
+  - g++ --version
+
+build_script:
+  - go install -v ./...
+
+test_script:
+  - set PATH=C:\gopath\bin;%PATH%
+  - go test -v ./...
+
+#artifacts:
+#  - path: '%GOPATH%\bin\*.exe'
+deploy: off

vendor/github.com/pkg/errors/errors.go

@@ -0,0 +1,288 @@
+// Package errors provides simple error handling primitives.
+//
+// The traditional error handling idiom in Go is roughly akin to
+//
+//     if err != nil {
+//             return err
+//     }
+//
+// which when applied recursively up the call stack results in error reports
+// without context or debugging information. The errors package allows
+// programmers to add context to the failure path in their code in a way
+// that does not destroy the original value of the error.
+//
+// Adding context to an error
+//
+// The errors.Wrap function returns a new error that adds context to the
+// original error by recording a stack trace at the point Wrap is called,
+// together with the supplied message. For example
+//
+//     _, err := ioutil.ReadAll(r)
+//     if err != nil {
+//             return errors.Wrap(err, "read failed")
+//     }
+//
+// If additional control is required, the errors.WithStack and
+// errors.WithMessage functions destructure errors.Wrap into its component
+// operations: annotating an error with a stack trace and with a message,
+// respectively.
+//
+// Retrieving the cause of an error
+//
+// Using errors.Wrap constructs a stack of errors, adding context to the
+// preceding error. Depending on the nature of the error it may be necessary
+// to reverse the operation of errors.Wrap to retrieve the original error
+// for inspection. Any error value which implements this interface
+//
+//     type causer interface {
+//             Cause() error
+//     }
+//
+// can be inspected by errors.Cause. errors.Cause will recursively retrieve
+// the topmost error that does not implement causer, which is assumed to be
+// the original cause. For example:
+//
+//     switch err := errors.Cause(err).(type) {
+//     case *MyError:
+//             // handle specifically
+//     default:
+//             // unknown error
+//     }
+//
+// Although the causer interface is not exported by this package, it is
+// considered a part of its stable public interface.
+//
+// Formatted printing of errors
+//
+// All error values returned from this package implement fmt.Formatter and can
+// be formatted by the fmt package. The following verbs are supported:
+//
+//     %s    print the error. If the error has a Cause it will be
+//           printed recursively.
+//     %v    see %s
+//     %+v   extended format. Each Frame of the error's StackTrace will
+//           be printed in detail.
+//
+// Retrieving the stack trace of an error or wrapper
+//
+// New, Errorf, Wrap, and Wrapf record a stack trace at the point they are
+// invoked. This information can be retrieved with the following interface:
+//
+//     type stackTracer interface {
+//             StackTrace() errors.StackTrace
+//     }
+//
+// The returned errors.StackTrace type is defined as
+//
+//     type StackTrace []Frame
+//
+// The Frame type represents a call site in the stack trace. Frame supports
+// the fmt.Formatter interface that can be used for printing information about
+// the stack trace of this error. For example:
+//
+//     if err, ok := err.(stackTracer); ok {
+//             for _, f := range err.StackTrace() {
+//                     fmt.Printf("%+s:%d\n", f, f)
+//             }
+//     }
+//
+// Although the stackTracer interface is not exported by this package, it is
+// considered a part of its stable public interface.
+//
+// See the documentation for Frame.Format for more details.
+package errors
+
+import (
+	"fmt"
+	"io"
+)
+
+// New returns an error with the supplied message.
+// New also records the stack trace at the point it was called.
+func New(message string) error {
+	return &fundamental{
+		msg:   message,
+		stack: callers(),
+	}
+}
+
+// Errorf formats according to a format specifier and returns the string
+// as a value that satisfies error.
+// Errorf also records the stack trace at the point it was called.
+func Errorf(format string, args ...interface{}) error {
+	return &fundamental{
+		msg:   fmt.Sprintf(format, args...),
+		stack: callers(),
+	}
+}
+
+// fundamental is an error that has a message and a stack, but no caller.
+type fundamental struct {
+	msg string
+	*stack
+}
+
+func (f *fundamental) Error() string { return f.msg }
+
+func (f *fundamental) Format(s fmt.State, verb rune) {
+	switch verb {
+	case 'v':
+		if s.Flag('+') {
+			io.WriteString(s, f.msg)
+			f.stack.Format(s, verb)
+			return
+		}
+		fallthrough
+	case 's':
+		io.WriteString(s, f.msg)
+	case 'q':
+		fmt.Fprintf(s, "%q", f.msg)
+	}
+}
+
+// WithStack annotates err with a stack trace at the point WithStack was called.
+// If err is nil, WithStack returns nil.
+func WithStack(err error) error {
+	if err == nil {
+		return nil
+	}
+	return &withStack{
+		err,
+		callers(),
+	}
+}
+
+type withStack struct {
+	error
+	*stack
+}
+
+func (w *withStack) Cause() error { return w.error }
+
+// Unwrap provides compatibility for Go 1.13 error chains.
+func (w *withStack) Unwrap() error { return w.error }
+
+func (w *withStack) Format(s fmt.State, verb rune) {
+	switch verb {
+	case 'v':
+		if s.Flag('+') {
+			fmt.Fprintf(s, "%+v", w.Cause())
+			w.stack.Format(s, verb)
+			return
+		}
+		fallthrough
+	case 's':
+		io.WriteString(s, w.Error())
+	case 'q':
+		fmt.Fprintf(s, "%q", w.Error())
+	}
+}
+
+// Wrap returns an error annotating err with a stack trace
+// at the point Wrap is called, and the supplied message.
+// If err is nil, Wrap returns nil.
+func Wrap(err error, message string) error {
+	if err == nil {
+		return nil
+	}
+	err = &withMessage{
+		cause: err,
+		msg:   message,
+	}
+	return &withStack{
+		err,
+		callers(),
+	}
+}
+
+// Wrapf returns an error annotating err with a stack trace
+// at the point Wrapf is called, and the format specifier.
+// If err is nil, Wrapf returns nil.
+func Wrapf(err error, format string, args ...interface{}) error {
+	if err == nil {
+		return nil
+	}
+	err = &withMessage{
+		cause: err,
+		msg:   fmt.Sprintf(format, args...),
+	}
+	return &withStack{
+		err,
+		callers(),
+	}
+}
+
+// WithMessage annotates err with a new message.
+// If err is nil, WithMessage returns nil.
+func WithMessage(err error, message string) error {
+	if err == nil {
+		return nil
+	}
+	return &withMessage{
+		cause: err,
+		msg:   message,
+	}
+}
+
+// WithMessagef annotates err with the format specifier.
+// If err is nil, WithMessagef returns nil.
+func WithMessagef(err error, format string, args ...interface{}) error {
+	if err == nil {
+		return nil
+	}
+	return &withMessage{
+		cause: err,
+		msg:   fmt.Sprintf(format, args...),
+	}
+}
+
+type withMessage struct {
+	cause error
+	msg   string
+}
+
+func (w *withMessage) Error() string { return w.msg + ": " + w.cause.Error() }
+func (w *withMessage) Cause() error  { return w.cause }
+
+// Unwrap provides compatibility for Go 1.13 error chains.
+func (w *withMessage) Unwrap() error { return w.cause }
+
+func (w *withMessage) Format(s fmt.State, verb rune) {
+	switch verb {
+	case 'v':
+		if s.Flag('+') {
+			fmt.Fprintf(s, "%+v\n", w.Cause())
+			io.WriteString(s, w.msg)
+			return
+		}
+		fallthrough
+	case 's', 'q':
+		io.WriteString(s, w.Error())
+	}
+}
+
+// Cause returns the underlying cause of the error, if possible.
+// An error value has a cause if it implements the following
+// interface:
+//
+//     type causer interface {
+//            Cause() error
+//     }
+//
+// If the error does not implement Cause, the original error will
+// be returned. If the error is nil, nil will be returned without further
+// investigation.
+func Cause(err error) error {
+	type causer interface {
+		Cause() error
+	}
+
+	for err != nil {
+		cause, ok := err.(causer)
+		if !ok {
+			break
+		}
+		err = cause.Cause()
+	}
+	return err
+}

vendor/github.com/pkg/errors/go113.go

@@ -0,0 +1,38 @@
+// +build go1.13
+
+package errors
+
+import (
+	stderrors "errors"
+)
+
+// Is reports whether any error in err's chain matches target.
+//
+// The chain consists of err itself followed by the sequence of errors obtained by
+// repeatedly calling Unwrap.
+//
+// An error is considered to match a target if it is equal to that target or if
+// it implements a method Is(error) bool such that Is(target) returns true.
+func Is(err, target error) bool { return stderrors.Is(err, target) }
+
+// As finds the first error in err's chain that matches target, and if so, sets
+// target to that error value and returns true.
+//
+// The chain consists of err itself followed by the sequence of errors obtained by
+// repeatedly calling Unwrap.
+//
+// An error matches target if the error's concrete value is assignable to the value
+// pointed to by target, or if the error has a method As(interface{}) bool such that
+// As(target) returns true. In the latter case, the As method is responsible for
+// setting target.
+//
+// As will panic if target is not a non-nil pointer to either a type that implements
+// error, or to any interface type. As returns false if err is nil.
+func As(err error, target interface{}) bool { return stderrors.As(err, target) }
+
+// Unwrap returns the result of calling the Unwrap method on err, if err's
+// type contains an Unwrap method returning error.
+// Otherwise, Unwrap returns nil.
+func Unwrap(err error) error {
+	return stderrors.Unwrap(err)
+}

vendor/github.com/pkg/errors/stack.go

@@ -0,0 +1,177 @@
+package errors
+
+import (
+	"fmt"
+	"io"
+	"path"
+	"runtime"
+	"strconv"
+	"strings"
+)
+
+// Frame represents a program counter inside a stack frame.
+// For historical reasons if Frame is interpreted as a uintptr
+// its value represents the program counter + 1.
+type Frame uintptr
+
+// pc returns the program counter for this frame;
+// multiple frames may have the same PC value.
+func (f Frame) pc() uintptr { return uintptr(f) - 1 }
+
+// file returns the full path to the file that contains the
+// function for this Frame's pc.
+func (f Frame) file() string {
+	fn := runtime.FuncForPC(f.pc())
+	if fn == nil {
+		return "unknown"
+	}
+	file, _ := fn.FileLine(f.pc())
+	return file
+}
+
+// line returns the line number of source code of the
+// function for this Frame's pc.
+func (f Frame) line() int {
+	fn := runtime.FuncForPC(f.pc())
+	if fn == nil {
+		return 0
+	}
+	_, line := fn.FileLine(f.pc())
+	return line
+}
+
+// name returns the name of this function, if known.
+func (f Frame) name() string {
+	fn := runtime.FuncForPC(f.pc())
+	if fn == nil {
+		return "unknown"
+	}
+	return fn.Name()
+}
+
+// Format formats the frame according to the fmt.Formatter interface.
+//
+//    %s    source file
+//    %d    source line
+//    %n    function name
+//    %v    equivalent to %s:%d
+//
+// Format accepts flags that alter the printing of some verbs, as follows:
+//
+//    %+s   function name and path of source file relative to the compile time
+//          GOPATH separated by \n\t (<funcname>\n\t<path>)
+//    %+v   equivalent to %+s:%d
+func (f Frame) Format(s fmt.State, verb rune) {
+	switch verb {
+	case 's':
+		switch {
+		case s.Flag('+'):
+			io.WriteString(s, f.name())
+			io.WriteString(s, "\n\t")
+			io.WriteString(s, f.file())
+		default:
+			io.WriteString(s, path.Base(f.file()))
+		}
+	case 'd':
+		io.WriteString(s, strconv.Itoa(f.line()))
+	case 'n':
+		io.WriteString(s, funcname(f.name()))
+	case 'v':
+		f.Format(s, 's')
+		io.WriteString(s, ":")
+		f.Format(s, 'd')
+	}
+}
+
+// MarshalText formats a stacktrace Frame as a text string. The output is the
+// same as that of fmt.Sprintf("%+v", f), but without newlines or tabs.
+func (f Frame) MarshalText() ([]byte, error) {
+	name := f.name()
+	if name == "unknown" {
+		return []byte(name), nil
+	}
+	return []byte(fmt.Sprintf("%s %s:%d", name, f.file(), f.line())), nil
+}
+
+// StackTrace is stack of Frames from innermost (newest) to outermost (oldest).
+type StackTrace []Frame
+
+// Format formats the stack of Frames according to the fmt.Formatter interface.
+//
+//    %s	lists source files for each Frame in the stack
+//    %v	lists the source file and line number for each Frame in the stack
+//
+// Format accepts flags that alter the printing of some verbs, as follows:
+//
+//    %+v   Prints filename, function, and line number for each Frame in the stack.
+func (st StackTrace) Format(s fmt.State, verb rune) {
+	switch verb {
+	case 'v':
+		switch {
+		case s.Flag('+'):
+			for _, f := range st {
+				io.WriteString(s, "\n")
+				f.Format(s, verb)
+			}
+		case s.Flag('#'):
+			fmt.Fprintf(s, "%#v", []Frame(st))
+		default:
+			st.formatSlice(s, verb)
+		}
+	case 's':
+		st.formatSlice(s, verb)
+	}
+}
+
+// formatSlice will format this StackTrace into the given buffer as a slice of
+// Frame, only valid when called with '%s' or '%v'.
+func (st StackTrace) formatSlice(s fmt.State, verb rune) {
+	io.WriteString(s, "[")
+	for i, f := range st {
+		if i > 0 {
+			io.WriteString(s, " ")
+		}
+		f.Format(s, verb)
+	}
+	io.WriteString(s, "]")
+}
+
+// stack represents a stack of program counters.
+type stack []uintptr
+
+func (s *stack) Format(st fmt.State, verb rune) {
+	switch verb {
+	case 'v':
+		switch {
+		case st.Flag('+'):
+			for _, pc := range *s {
+				f := Frame(pc)
+				fmt.Fprintf(st, "\n%+v", f)
+			}
+		}
+	}
+}
+
+func (s *stack) StackTrace() StackTrace {
+	f := make([]Frame, len(*s))
+	for i := 0; i < len(f); i++ {
+		f[i] = Frame((*s)[i])
+	}
+	return f
+}
+
+func callers() *stack {
+	const depth = 32
+	var pcs [depth]uintptr
+	n := runtime.Callers(3, pcs[:])
+	var st stack = pcs[0:n]
+	return &st
+}
+
+// funcname removes the path prefix component of a function's name reported by func.Name().
+func funcname(name string) string {
+	i := strings.LastIndex(name, "/")
+	name = name[i+1:]
+	i = strings.Index(name, ".")
+	return name[i+1:]
+}

vendor/github.com/safchain/ethtool/.golangci.yml

@@ -0,0 +1,35 @@
+version: "2"
+linters:
+  enable:
+    - gocritic
+    - misspell
+    - staticcheck
+    - errcheck
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gci
+    - gofmt
+    - goimports
+  settings:
+    gci:
+      sections:
+        - standard
+        - default
+        - prefix(github.com/safchain/ethtool)
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$

vendor/github.com/safchain/ethtool/.travis.yml

@@ -1,7 +0,0 @@
-arch:
-  - amd64
-  - ppc64le
-language: go
-
-before_script:
-  - go get golang.org/x/sys/unix

vendor/github.com/safchain/ethtool/.yamllint

@@ -0,0 +1,8 @@
+---
+extends: default
+
+rules:
+  document-start: disable
+  line-length: disable
+  truthy:
+    check-keys: false

vendor/github.com/safchain/ethtool/LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright {yyyy} {name of copyright owner}
+   Copyright (c) 2015 The Ethtool Authors
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

vendor/github.com/safchain/ethtool/Makefile

@@ -2,3 +2,4 @@ all: build
 
 build:
 	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build
+	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build

vendor/github.com/safchain/ethtool/README.md

@@ -1,23 +1,18 @@
 # ethtool go package #
 
-[![Build Status](https://travis-ci.org/safchain/ethtool.png?branch=master)](https://travis-ci.org/safchain/ethtool)
+![Build Status](https://github.com/safchain/ethtool/actions/workflows/unittests.yml/badge.svg)
 [![GoDoc](https://godoc.org/github.com/safchain/ethtool?status.svg)](https://godoc.org/github.com/safchain/ethtool)
 
-The ethtool package aims to provide a library giving a simple access to the Linux SIOCETHTOOL ioctl operations. It can be used to retrieve informations from a network device like statistics, driver related informations or even the peer of a VETH interface.
 
-## Build and Test ##
+The ethtool package aims to provide a library that provides easy access to the Linux SIOCETHTOOL ioctl operations. It can be used to retrieve information from a network device such as statistics, driver related information or even the peer of a VETH interface.
 
-go get command:
+# Installation
 
-    go get github.com/safchain/ethtool
-
-Testing
-
-In order to run te
-
-    go test github.com/safchain/ethtool
+```shell
+go get github.com/safchain/ethtool
+```
 
-## Examples ##
+# How to use
 
 ```go
 package main

vendor/github.com/safchain/ethtool/ethtool.go

@@ -19,17 +19,18 @@
  *
  */
 
-// Package ethtool  aims to provide a library giving a simple access to the
-// Linux SIOCETHTOOL ioctl operations. It can be used to retrieve informations
-// from a network device like statistics, driver related informations or
-// even the peer of a VETH interface.
+// The ethtool package aims to provide a library that provides easy access
+// to the Linux SIOCETHTOOL ioctl operations. It can be used to retrieve information
+// from a network device such as statistics, driver related information or even
+// the peer of a VETH interface.
 package ethtool
 
 import (
 	"bytes"
 	"encoding/hex"
 	"fmt"
-	"strings"
+	"sync"
+	"time"
 	"unsafe"
 
 	"golang.org/x/sys/unix"
@@ -47,41 +48,118 @@ const (
 
 // ethtool stats related constants.
 const (
-	ETH_GSTRING_LEN  = 32
-	ETH_SS_STATS     = 1
-	ETH_SS_FEATURES  = 4
-	ETHTOOL_GDRVINFO = 0x00000003
-	ETHTOOL_GSTRINGS = 0x0000001b
-	ETHTOOL_GSTATS   = 0x0000001d
-	// other CMDs from ethtool-copy.h of ethtool-3.5 package
-	ETHTOOL_GSET      = 0x00000001 /* Get settings. */
-	ETHTOOL_SSET      = 0x00000002 /* Set settings. */
-	ETHTOOL_GMSGLVL   = 0x00000007 /* Get driver message level */
-	ETHTOOL_SMSGLVL   = 0x00000008 /* Set driver msg level. */
-	ETHTOOL_GCHANNELS = 0x0000003c /* Get no of channels */
-	ETHTOOL_SCHANNELS = 0x0000003d /* Set no of channels */
-	ETHTOOL_GCOALESCE = 0x0000000e /* Get coalesce config */
-	/* Get link status for host, i.e. whether the interface *and* the
-	 * physical port (if there is one) are up (ethtool_value). */
-	ETHTOOL_GLINK         = 0x0000000a
-	ETHTOOL_GMODULEINFO   = 0x00000042 /* Get plug-in module information */
-	ETHTOOL_GMODULEEEPROM = 0x00000043 /* Get plug-in module eeprom */
-	ETHTOOL_GPERMADDR     = 0x00000020
-	ETHTOOL_GFEATURES     = 0x0000003a /* Get device offload settings */
-	ETHTOOL_SFEATURES     = 0x0000003b /* Change device offload settings */
-	ETHTOOL_GFLAGS        = 0x00000025 /* Get flags bitmap(ethtool_value) */
-	ETHTOOL_GSSET_INFO    = 0x00000037 /* Get string set info */
+	ETH_GSTRING_LEN   = 32
+	ETH_SS_STATS      = 1
+	ETH_SS_PRIV_FLAGS = 2
+	ETH_SS_FEATURES   = 4
+
+	// CMD supported
+	ETHTOOL_GSET          = 0x00000001                 /* Get settings. */
+	ETHTOOL_SSET          = 0x00000002                 /* Set settings. */
+	ETHTOOL_GWOL          = 0x00000005                 /* Get wake-on-lan options. */
+	ETHTOOL_SWOL          = 0x00000006                 /* Set wake-on-lan options. */
+	ETHTOOL_GDRVINFO      = 0x00000003                 /* Get driver info. */
+	ETHTOOL_GMSGLVL       = 0x00000007                 /* Get driver message level */
+	ETHTOOL_SMSGLVL       = 0x00000008                 /* Set driver msg level. */
+	ETHTOOL_GLINKSETTINGS = unix.ETHTOOL_GLINKSETTINGS // 0x4c
+	ETHTOOL_SLINKSETTINGS = unix.ETHTOOL_SLINKSETTINGS // 0x4d
+
+	// Get link status for host, i.e. whether the interface *and* the
+	// physical port (if there is one) are up (ethtool_value).
+	ETHTOOL_GLINK            = 0x0000000a
+	ETHTOOL_GCOALESCE        = 0x0000000e /* Get coalesce config */
+	ETHTOOL_SCOALESCE        = 0x0000000f /* Set coalesce config */
+	ETHTOOL_GRINGPARAM       = 0x00000010 /* Get ring parameters */
+	ETHTOOL_SRINGPARAM       = 0x00000011 /* Set ring parameters. */
+	ETHTOOL_GPAUSEPARAM      = 0x00000012 /* Get pause parameters */
+	ETHTOOL_SPAUSEPARAM      = 0x00000013 /* Set pause parameters. */
+	ETHTOOL_GSTRINGS         = 0x0000001b /* Get specified string set */
+	ETHTOOL_PHYS_ID          = 0x0000001c /* Identify the NIC */
+	ETHTOOL_GSTATS           = 0x0000001d /* Get NIC-specific statistics */
+	ETHTOOL_GPERMADDR        = 0x00000020 /* Get permanent hardware address */
+	ETHTOOL_GFLAGS           = 0x00000025 /* Get flags bitmap(ethtool_value) */
+	ETHTOOL_GPFLAGS          = 0x00000027 /* Get driver-private flags bitmap */
+	ETHTOOL_SPFLAGS          = 0x00000028 /* Set driver-private flags bitmap */
+	ETHTOOL_GSSET_INFO       = 0x00000037 /* Get string set info */
+	ETHTOOL_GFEATURES        = 0x0000003a /* Get device offload settings */
+	ETHTOOL_SFEATURES        = 0x0000003b /* Change device offload settings */
+	ETHTOOL_GCHANNELS        = 0x0000003c /* Get no of channels */
+	ETHTOOL_SCHANNELS        = 0x0000003d /* Set no of channels */
+	ETHTOOL_GET_TS_INFO      = 0x00000041 /* Get time stamping and PHC info */
+	ETHTOOL_GMODULEINFO      = 0x00000042 /* Get plug-in module information */
+	ETHTOOL_GMODULEEEPROM    = 0x00000043 /* Get plug-in module eeprom */
+	ETHTOOL_GRXFHINDIR       = 0x00000038 /* Get RX flow hash indir'n table */
+	ETHTOOL_SRXFHINDIR       = 0x00000039 /* Set RX flow hash indir'n table */
+	ETH_RXFH_INDIR_NO_CHANGE = 0xFFFFFFFF
+
+	// Speed and Duplex unknowns/constants (Manually defined based on <linux/ethtool.h>)
+	SPEED_UNKNOWN  = 0xffffffff // ((__u32)-1) SPEED_UNKNOWN
+	DUPLEX_HALF    = 0x00       // DUPLEX_HALF
+	DUPLEX_FULL    = 0x01       // DUPLEX_FULL
+	DUPLEX_UNKNOWN = 0xff       // DUPLEX_UNKNOWN
+
+	// Port types (Manually defined based on <linux/ethtool.h>)
+	PORT_TP    = 0x00 // PORT_TP
+	PORT_AUI   = 0x01 // PORT_AUI
+	PORT_MII   = 0x02 // PORT_MII
+	PORT_FIBRE = 0x03 // PORT_FIBRE
+	PORT_BNC   = 0x04 // PORT_BNC
+	PORT_DA    = 0x05 // PORT_DA
+	PORT_NONE  = 0xef // PORT_NONE
+	PORT_OTHER = 0xff // PORT_OTHER
+
+	// Autoneg settings (Manually defined based on <linux/ethtool.h>)
+	AUTONEG_DISABLE = 0x00 // AUTONEG_DISABLE
+	AUTONEG_ENABLE  = 0x01 // AUTONEG_ENABLE
+
+	// MDIX states (Manually defined based on <linux/ethtool.h>)
+	ETH_TP_MDI_INVALID = 0x00 // ETH_TP_MDI_INVALID
+	ETH_TP_MDI         = 0x01 // ETH_TP_MDI
+	ETH_TP_MDI_X       = 0x02 // ETH_TP_MDI_X
+	ETH_TP_MDI_AUTO    = 0x03 // Control value ETH_TP_MDI_AUTO
+
+	// Link mode mask bits count (Manually defined based on ethtool.h)
+	ETHTOOL_LINK_MODE_MASK_NBITS = 92 // __ETHTOOL_LINK_MODE_MASK_NBITS
+
+	// Calculate max nwords based on NBITS using the manually defined constant
+	MAX_LINK_MODE_MASK_NWORDS = (ETHTOOL_LINK_MODE_MASK_NBITS + 31) / 32 // = 3
 )
 
 // MAX_GSTRINGS maximum number of stats entries that ethtool can
 // retrieve currently.
 const (
-	MAX_GSTRINGS       = 16384
+	MAX_GSTRINGS       = 32768
 	MAX_FEATURE_BLOCKS = (MAX_GSTRINGS + 32 - 1) / 32
 	EEPROM_LEN         = 640
 	PERMADDR_LEN       = 32
 )
 
+// ethtool sset_info related constants
+const (
+	MAX_SSET_INFO = 64
+)
+
+const (
+	DEFAULT_BLINK_DURATION = 60 * time.Second
+)
+
+var (
+	gstringsPool = sync.Pool{
+		New: func() interface{} {
+			// new() will allocate and zero-initialize the struct.
+			// The large data array within ethtoolGStrings will be zeroed.
+			return new(EthtoolGStrings)
+		},
+	}
+	statsPool = sync.Pool{
+		New: func() interface{} {
+			// new() will allocate and zero-initialize the struct.
+			// The large data array within ethtoolStats will be zeroed.
+			return new(EthtoolStats)
+		},
+	}
+)
+
 type ifreq struct {
 	ifr_name [IFNAMSIZ]byte
 	ifr_data uintptr
@@ -91,8 +169,8 @@ type ifreq struct {
 type ethtoolSsetInfo struct {
 	cmd       uint32
 	reserved  uint32
-	sset_mask uint32
-	data      uintptr
+	sset_mask uint64
+	data      [MAX_SSET_INFO]uint32
 }
 
 type ethtoolGetFeaturesBlock struct {
@@ -191,14 +269,135 @@ type Coalesce struct {
 	RateSampleInterval       uint32
 }
 
-type ethtoolGStrings struct {
+// IdentityConf is an identity config for an interface
+type IdentityConf struct {
+	Cmd      uint32
+	Duration uint32
+}
+
+// WoL options
+const (
+	WAKE_PHY         = 1 << 0
+	WAKE_UCAST       = 1 << 1
+	WAKE_MCAST       = 1 << 2
+	WAKE_BCAST       = 1 << 3
+	WAKE_ARP         = 1 << 4
+	WAKE_MAGIC       = 1 << 5
+	WAKE_MAGICSECURE = 1 << 6 // only meaningful if WAKE_MAGIC
+)
+
+var WoLMap = map[uint32]string{
+	WAKE_PHY:         "p", // Wake on PHY activity
+	WAKE_UCAST:       "u", // Wake on unicast messages
+	WAKE_MCAST:       "m", // Wake on multicast messages
+	WAKE_BCAST:       "b", // Wake on broadcast messages
+	WAKE_ARP:         "a", // Wake on ARP
+	WAKE_MAGIC:       "g", // Wake on MagicPacket™
+	WAKE_MAGICSECURE: "s", // Enable SecureOn™ password for MagicPacket™
+	// f Wake on filter(s)
+	// d Disable (wake on  nothing). This option clears all previous options.
+}
+
+// WakeOnLan contains WoL config for an interface
+type WakeOnLan struct {
+	Cmd       uint32 // ETHTOOL_GWOL or ETHTOOL_SWOL
+	Supported uint32 // r/o bitmask of WAKE_* flags for supported WoL modes
+	Opts      uint32 // Bitmask of WAKE_* flags for enabled WoL modes
+}
+
+// Timestamping options
+// see: https://www.kernel.org/doc/Documentation/networking/timestamping.txt
+const (
+	SOF_TIMESTAMPING_TX_HARDWARE  = (1 << 0)  /* Request tx timestamps generated by the network adapter. */
+	SOF_TIMESTAMPING_TX_SOFTWARE  = (1 << 1)  /* Request tx timestamps when data leaves the kernel. */
+	SOF_TIMESTAMPING_RX_HARDWARE  = (1 << 2)  /* Request rx timestamps generated by the network adapter. */
+	SOF_TIMESTAMPING_RX_SOFTWARE  = (1 << 3)  /* Request rx timestamps when data enters the kernel. */
+	SOF_TIMESTAMPING_SOFTWARE     = (1 << 4)  /* Report any software timestamps when available. */
+	SOF_TIMESTAMPING_SYS_HARDWARE = (1 << 5)  /* This option is deprecated and ignored. */
+	SOF_TIMESTAMPING_RAW_HARDWARE = (1 << 6)  /* Report hardware timestamps. */
+	SOF_TIMESTAMPING_OPT_ID       = (1 << 7)  /* Generate a unique identifier along with each packet. */
+	SOF_TIMESTAMPING_TX_SCHED     = (1 << 8)  /* Request tx timestamps prior to entering the packet scheduler. */
+	SOF_TIMESTAMPING_TX_ACK       = (1 << 9)  /* Request tx timestamps when all data in the send buffer has been acknowledged. */
+	SOF_TIMESTAMPING_OPT_CMSG     = (1 << 10) /* Support recv() cmsg for all timestamped packets. */
+	SOF_TIMESTAMPING_OPT_TSONLY   = (1 << 11) /* Applies to transmit timestamps only. */
+	SOF_TIMESTAMPING_OPT_STATS    = (1 << 12) /* Optional stats that are obtained along with the transmit timestamps. */
+	SOF_TIMESTAMPING_OPT_PKTINFO  = (1 << 13) /* Enable the SCM_TIMESTAMPING_PKTINFO control message for incoming packets with hardware timestamps. */
+	SOF_TIMESTAMPING_OPT_TX_SWHW  = (1 << 14) /* Request both hardware and software timestamps for outgoing packets when SOF_TIMESTAMPING_TX_HARDWARE and SOF_TIMESTAMPING_TX_SOFTWARE are enabled at the same time. */
+	SOF_TIMESTAMPING_BIND_PHC     = (1 << 15) /* Bind the socket to a specific PTP Hardware Clock. */
+)
+
+const (
+	/*
+	 * No outgoing packet will need hardware time stamping;
+	 * should a packet arrive which asks for it, no hardware
+	 * time stamping will be done.
+	 */
+	HWTSTAMP_TX_OFF = iota
+
+	/*
+	 * Enables hardware time stamping for outgoing packets;
+	 * the sender of the packet decides which are to be
+	 * time stamped by setting %SOF_TIMESTAMPING_TX_SOFTWARE
+	 * before sending the packet.
+	 */
+	HWTSTAMP_TX_ON
+
+	/*
+	 * Enables time stamping for outgoing packets just as
+	 * HWTSTAMP_TX_ON does, but also enables time stamp insertion
+	 * directly into Sync packets. In this case, transmitted Sync
+	 * packets will not received a time stamp via the socket error
+	 * queue.
+	 */
+	HWTSTAMP_TX_ONESTEP_SYNC
+
+	/*
+	 * Same as HWTSTAMP_TX_ONESTEP_SYNC, but also enables time
+	 * stamp insertion directly into PDelay_Resp packets. In this
+	 * case, neither transmitted Sync nor PDelay_Resp packets will
+	 * receive a time stamp via the socket error queue.
+	 */
+	HWTSTAMP_TX_ONESTEP_P2P
+)
+
+const (
+	HWTSTAMP_FILTER_NONE                = iota /* time stamp no incoming packet at all */
+	HWTSTAMP_FILTER_ALL                        /* time stamp any incoming packet */
+	HWTSTAMP_FILTER_SOME                       /* return value: time stamp all packets requested plus some others */
+	HWTSTAMP_FILTER_PTP_V1_L4_EVENT            /* PTP v1, UDP, any kind of event packet */
+	HWTSTAMP_FILTER_PTP_V1_L4_SYNC             /* PTP v1, UDP, Sync packet */
+	HWTSTAMP_FILTER_PTP_V1_L4_DELAY_REQ        /* PTP v1, UDP, Delay_req packet */
+	HWTSTAMP_FILTER_PTP_V2_L4_EVENT            /* PTP v2, UDP, any kind of event packet */
+	HWTSTAMP_FILTER_PTP_V2_L4_SYNC             /* PTP v2, UDP, Sync packet */
+	HWTSTAMP_FILTER_PTP_V2_L4_DELAY_REQ        /* PTP v2, UDP, Delay_req packet */
+	HWTSTAMP_FILTER_PTP_V2_L2_EVENT            /* 802.AS1, Ethernet, any kind of event packet */
+	HWTSTAMP_FILTER_PTP_V2_L2_SYNC             /* 802.AS1, Ethernet, Sync packet */
+	HWTSTAMP_FILTER_PTP_V2_L2_DELAY_REQ        /* 802.AS1, Ethernet, Delay_req packet */
+	HWTSTAMP_FILTER_PTP_V2_EVENT               /* PTP v2/802.AS1, any layer, any kind of event packet */
+	HWTSTAMP_FILTER_PTP_V2_SYNC                /* PTP v2/802.AS1, any layer, Sync packet */
+	HWTSTAMP_FILTER_PTP_V2_DELAY_REQ           /* PTP v2/802.AS1, any layer, Delay_req packet */
+	HWTSTAMP_FILTER_NTP_ALL                    /* NTP, UDP, all versions and packet modes */
+)
+
+// TimestampingInformation contains PTP timetstapming information
+type TimestampingInformation struct {
+	Cmd            uint32
+	SoTimestamping uint32 /* SOF_TIMESTAMPING_* bitmask */
+	PhcIndex       int32
+	TxTypes        uint32 /* HWTSTAMP_TX_* */
+	txReserved     [3]uint32
+	RxFilters      uint32 /* HWTSTAMP_FILTER_ */
+	rxReserved     [3]uint32
+}
+
+type EthtoolGStrings struct {
 	cmd        uint32
 	string_set uint32
 	len        uint32
 	data       [MAX_GSTRINGS * ETH_GSTRING_LEN]byte
 }
 
-type ethtoolStats struct {
+type EthtoolStats struct {
 	cmd     uint32
 	n_stats uint32
 	data    [MAX_GSTRINGS]uint64
@@ -230,17 +429,64 @@ type ethtoolPermAddr struct {
 	data [PERMADDR_LEN]byte
 }
 
+// Ring is a ring config for an interface
+type Ring struct {
+	Cmd               uint32
+	RxMaxPending      uint32
+	RxMiniMaxPending  uint32
+	RxJumboMaxPending uint32
+	TxMaxPending      uint32
+	RxPending         uint32
+	RxMiniPending     uint32
+	RxJumboPending    uint32
+	TxPending         uint32
+}
+
+// Pause is a pause config for an interface
+type Pause struct {
+	Cmd     uint32
+	Autoneg uint32
+	RxPause uint32
+	TxPause uint32
+}
+
+// Ethtool is a struct that contains the file descriptor for the ethtool
 type Ethtool struct {
 	fd int
 }
 
+// max values for my setup dont know how to make this dynamic
+const MAX_INDIR_SIZE = 256
+const MAX_CORES = 32
+
+type Indir struct {
+	Cmd       uint32
+	Size      uint32
+	RingIndex [MAX_INDIR_SIZE]uint32 // statically definded otherwise crash
+
+}
+
+type SetIndir struct {
+	Equal  uint8    // used to set number of cores
+	Weight []uint32 // used to select cores
+}
+
+// Convert zero-terminated array of chars (string in C) to a Go string.
+func goString(s []byte) string {
+	strEnd := bytes.IndexByte(s, 0)
+	if strEnd == -1 {
+		return string(s)
+	}
+	return string(s[:strEnd])
+}
+
 // DriverName returns the driver name of the given interface name.
 func (e *Ethtool) DriverName(intf string) (string, error) {
 	info, err := e.getDriverInfo(intf)
 	if err != nil {
 		return "", err
 	}
-	return string(bytes.Trim(info.driver[:], "\x00")), nil
+	return goString(info.driver[:]), nil
 }
 
 // BusInfo returns the bus information of the given interface name.
@@ -249,7 +495,7 @@ func (e *Ethtool) BusInfo(intf string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	return string(bytes.Trim(info.bus_info[:], "\x00")), nil
+	return goString(info.bus_info[:]), nil
 }
 
 // ModuleEeprom returns Eeprom information of the given interface name.
@@ -262,7 +508,7 @@ func (e *Ethtool) ModuleEeprom(intf string) ([]byte, error) {
 	return eeprom.data[:eeprom.len], nil
 }
 
-// ModuleEeprom returns Eeprom information of the given interface name.
+// ModuleEepromHex returns Eeprom information as hexadecimal string
 func (e *Ethtool) ModuleEepromHex(intf string) (string, error) {
 	eeprom, _, err := e.getModuleEeprom(intf)
 	if err != nil {
@@ -281,12 +527,12 @@ func (e *Ethtool) DriverInfo(intf string) (DrvInfo, error) {
 
 	drvInfo := DrvInfo{
 		Cmd:         i.cmd,
-		Driver:      string(bytes.Trim(i.driver[:], "\x00")),
-		Version:     string(bytes.Trim(i.version[:], "\x00")),
-		FwVersion:   string(bytes.Trim(i.fw_version[:], "\x00")),
-		BusInfo:     string(bytes.Trim(i.bus_info[:], "\x00")),
-		EromVersion: string(bytes.Trim(i.erom_version[:], "\x00")),
-		Reserved2:   string(bytes.Trim(i.reserved2[:], "\x00")),
+		Driver:      goString(i.driver[:]),
+		Version:     goString(i.version[:]),
+		FwVersion:   goString(i.fw_version[:]),
+		BusInfo:     goString(i.bus_info[:]),
+		EromVersion: goString(i.erom_version[:]),
+		Reserved2:   goString(i.reserved2[:]),
 		NPrivFlags:  i.n_priv_flags,
 		NStats:      i.n_stats,
 		TestInfoLen: i.testinfo_len,
@@ -297,6 +543,36 @@ func (e *Ethtool) DriverInfo(intf string) (DrvInfo, error) {
 	return drvInfo, nil
 }
 
+// GetIndir retrieves the indirection table of the given interface name.
+func (e *Ethtool) GetIndir(intf string) (Indir, error) {
+	indir, err := e.getIndir(intf)
+	if err != nil {
+		return Indir{}, err
+	}
+
+	return indir, nil
+}
+
+// SetIndir sets the indirection table of the given interface from the SetIndir struct
+func (e *Ethtool) SetIndir(intf string, setIndir SetIndir) (Indir, error) {
+
+	if setIndir.Equal != 0 && setIndir.Weight != nil {
+		return Indir{}, fmt.Errorf("equal and weight options are mutually exclusive")
+	}
+
+	indir, err := e.GetIndir(intf)
+	if err != nil {
+		return Indir{}, err
+	}
+
+	newindir, err := e.setIndir(intf, indir, setIndir)
+	if err != nil {
+		return Indir{}, err
+	}
+
+	return newindir, nil
+}
+
 // GetChannels returns the number of channels for the given interface name.
 func (e *Ethtool) GetChannels(intf string) (Channels, error) {
 	channels, err := e.getChannels(intf)
@@ -327,6 +603,24 @@ func (e *Ethtool) GetCoalesce(intf string) (Coalesce, error) {
 	return coalesce, nil
 }
 
+// SetCoalesce sets the coalesce config for the given interface name.
+func (e *Ethtool) SetCoalesce(intf string, coalesce Coalesce) (Coalesce, error) {
+	coalesce, err := e.setCoalesce(intf, coalesce)
+	if err != nil {
+		return Coalesce{}, err
+	}
+	return coalesce, nil
+}
+
+// GetTimestampingInformation returns the PTP timestamping information for the given interface name.
+func (e *Ethtool) GetTimestampingInformation(intf string) (TimestampingInformation, error) {
+	ts, err := e.getTimestampingInformation(intf)
+	if err != nil {
+		return TimestampingInformation{}, err
+	}
+	return ts, nil
+}
+
 // PermAddr returns permanent address of the given interface name.
 func (e *Ethtool) PermAddr(intf string) (string, error) {
 	permAddr, err := e.getPermAddr(intf)
@@ -350,6 +644,31 @@ func (e *Ethtool) PermAddr(intf string) (string, error) {
 	), nil
 }
 
+// GetWakeOnLan returns the WoL config for the given interface name.
+func (e *Ethtool) GetWakeOnLan(intf string) (WakeOnLan, error) {
+	wol := WakeOnLan{
+		Cmd: ETHTOOL_GWOL,
+	}
+
+	if err := e.ioctl(intf, uintptr(unsafe.Pointer(&wol))); err != nil {
+		return WakeOnLan{}, err
+	}
+
+	return wol, nil
+}
+
+// SetWakeOnLan sets the WoL config for the given interface name and
+// returns the new WoL config.
+func (e *Ethtool) SetWakeOnLan(intf string, wol WakeOnLan) (WakeOnLan, error) {
+	wol.Cmd = ETHTOOL_SWOL
+
+	if err := e.ioctl(intf, uintptr(unsafe.Pointer(&wol))); err != nil {
+		return WakeOnLan{}, err
+	}
+
+	return wol, nil
+}
+
 func (e *Ethtool) ioctl(intf string, data uintptr) error {
 	var name [IFNAMSIZ]byte
 	copy(name[:], []byte(intf))
@@ -379,6 +698,92 @@ func (e *Ethtool) getDriverInfo(intf string) (ethtoolDrvInfo, error) {
 	return drvinfo, nil
 }
 
+// parsing of do_grxfhindir from ethtool.c
+func (e *Ethtool) getIndir(intf string) (Indir, error) {
+	indir_head := Indir{
+		Cmd:  ETHTOOL_GRXFHINDIR,
+		Size: 0,
+	}
+
+	if err := e.ioctl(intf, uintptr(unsafe.Pointer(&indir_head))); err != nil {
+		return Indir{}, err
+	}
+
+	indir := Indir{
+		Cmd:  ETHTOOL_GRXFHINDIR,
+		Size: indir_head.Size,
+	}
+
+	if err := e.ioctl(intf, uintptr(unsafe.Pointer(&indir))); err != nil {
+		return Indir{}, err
+	}
+
+	return indir, nil
+}
+
+// parsing of do_srxfhindir from ethtool.c
+func (e *Ethtool) setIndir(intf string, indir Indir, setIndir SetIndir) (Indir, error) {
+
+	err := fillIndirTable(&indir.Size, indir.RingIndex[:], 0, 0, int(setIndir.Equal), setIndir.Weight, uint32(len(setIndir.Weight)))
+	if err != nil {
+		return Indir{}, err
+	}
+
+	if indir.Size == ETH_RXFH_INDIR_NO_CHANGE {
+		indir.Size = MAX_INDIR_SIZE
+		return indir, nil
+	}
+
+	indir.Cmd = ETHTOOL_SRXFHINDIR
+	if err := e.ioctl(intf, uintptr(unsafe.Pointer(&indir))); err != nil {
+		return Indir{}, err
+	}
+
+	return indir, nil
+}
+
+func fillIndirTable(indirSize *uint32, indir []uint32, rxfhindirDefault int,
+	rxfhindirStart int, rxfhindirEqual int, rxfhindirWeight []uint32,
+	numWeights uint32) error {
+
+	switch {
+	case rxfhindirEqual != 0:
+		for i := uint32(0); i < *indirSize; i++ {
+			indir[i] = uint32(rxfhindirStart) + (i % uint32(rxfhindirEqual))
+		}
+	case rxfhindirWeight != nil:
+		var sum, partial uint32 = 0, 0
+		var j, weight uint32
+		for j = range numWeights {
+			weight = rxfhindirWeight[j]
+			sum += weight
+		}
+
+		if sum == 0 {
+			return fmt.Errorf("at least one weight must be non-zero")
+		}
+
+		if sum > *indirSize {
+			return fmt.Errorf("total weight exceeds the size of the indirection table")
+		}
+
+		j = ^uint32(0) // equivalent to -1 for unsigned
+		for i := uint32(0); i < *indirSize; i++ {
+			for i >= (*indirSize*partial)/sum {
+				j++
+				weight = rxfhindirWeight[j]
+				partial += weight
+			}
+			indir[i] = uint32(rxfhindirStart) + j
+		}
+	case rxfhindirDefault != 0:
+		*indirSize = 0
+	default:
+		*indirSize = ETH_RXFH_INDIR_NO_CHANGE
+	}
+	return nil
+}
+
 func (e *Ethtool) getChannels(intf string) (Channels, error) {
 	channels := Channels{
 		Cmd: ETHTOOL_GCHANNELS,
@@ -413,6 +818,28 @@ func (e *Ethtool) getCoalesce(intf string) (Coalesce, error) {
 	return coalesce, nil
 }
 
+func (e *Ethtool) setCoalesce(intf string, coalesce Coalesce) (Coalesce, error) {
+	coalesce.Cmd = ETHTOOL_SCOALESCE
+
+	if err := e.ioctl(intf, uintptr(unsafe.Pointer(&coalesce))); err != nil {
+		return Coalesce{}, err
+	}
+
+	return coalesce, nil
+}
+
+func (e *Ethtool) getTimestampingInformation(intf string) (TimestampingInformation, error) {
+	ts := TimestampingInformation{
+		Cmd: ETHTOOL_GET_TS_INFO,
+	}
+
+	if err := e.ioctl(intf, uintptr(unsafe.Pointer(&ts))); err != nil {
+		return TimestampingInformation{}, err
+	}
+
+	return ts, nil
+}
+
 func (e *Ethtool) getPermAddr(intf string) (ethtoolPermAddr, error) {
 	permAddr := ethtoolPermAddr{
 		cmd:  ETHTOOL_GPERMADDR,
@@ -452,10 +879,75 @@ func (e *Ethtool) getModuleEeprom(intf string) (ethtoolEeprom, ethtoolModInfo, e
 	return eeprom, modInfo, nil
 }
 
+// GetRing retrieves ring parameters of the given interface name.
+func (e *Ethtool) GetRing(intf string) (Ring, error) {
+	ring := Ring{
+		Cmd: ETHTOOL_GRINGPARAM,
+	}
+
+	if err := e.ioctl(intf, uintptr(unsafe.Pointer(&ring))); err != nil {
+		return Ring{}, err
+	}
+
+	return ring, nil
+}
+
+// SetRing sets ring parameters of the given interface name.
+func (e *Ethtool) SetRing(intf string, ring Ring) (Ring, error) {
+	ring.Cmd = ETHTOOL_SRINGPARAM
+
+	if err := e.ioctl(intf, uintptr(unsafe.Pointer(&ring))); err != nil {
+		return Ring{}, err
+	}
+
+	return ring, nil
+}
+
+// GetPause retrieves pause parameters of the given interface name.
+func (e *Ethtool) GetPause(intf string) (Pause, error) {
+	pause := Pause{
+		Cmd: ETHTOOL_GPAUSEPARAM,
+	}
+
+	if err := e.ioctl(intf, uintptr(unsafe.Pointer(&pause))); err != nil {
+		return Pause{}, err
+	}
+
+	return pause, nil
+}
+
+// SetPause sets pause parameters of the given interface name.
+func (e *Ethtool) SetPause(intf string, pause Pause) (Pause, error) {
+	pause.Cmd = ETHTOOL_SPAUSEPARAM
+
+	if err := e.ioctl(intf, uintptr(unsafe.Pointer(&pause))); err != nil {
+		return Pause{}, err
+	}
+
+	return pause, nil
+}
+
 func isFeatureBitSet(blocks [MAX_FEATURE_BLOCKS]ethtoolGetFeaturesBlock, index uint) bool {
 	return (blocks)[index/32].active&(1<<(index%32)) != 0
 }
 
+// FeatureState contains the state of a feature.
+type FeatureState struct {
+	Available    bool
+	Requested    bool
+	Active       bool
+	NeverChanged bool
+}
+
+func getFeatureStateBits(blocks [MAX_FEATURE_BLOCKS]ethtoolGetFeaturesBlock, index uint) FeatureState {
+	return FeatureState{
+		Available:    (blocks)[index/32].available&(1<<(index%32)) != 0,
+		Requested:    (blocks)[index/32].requested&(1<<(index%32)) != 0,
+		Active:       (blocks)[index/32].active&(1<<(index%32)) != 0,
+		NeverChanged: (blocks)[index/32].never_changed&(1<<(index%32)) != 0,
+	}
+}
+
 func setFeatureBit(blocks *[MAX_FEATURE_BLOCKS]ethtoolSetFeaturesBlock, index uint, value bool) {
 	blockIndex, bitIndex := index/32, index%32
 
@@ -468,27 +960,28 @@ func setFeatureBit(blocks *[MAX_FEATURE_BLOCKS]ethtoolSetFeaturesBlock, index ui
 	}
 }
 
-// FeatureNames shows supported features by their name.
-func (e *Ethtool) FeatureNames(intf string) (map[string]uint, error) {
+func (e *Ethtool) getNames(intf string, mask int) (map[string]uint, error) {
 	ssetInfo := ethtoolSsetInfo{
 		cmd:       ETHTOOL_GSSET_INFO,
-		sset_mask: 1 << ETH_SS_FEATURES,
+		sset_mask: 1 << mask,
+		data:      [MAX_SSET_INFO]uint32{},
 	}
 
 	if err := e.ioctl(intf, uintptr(unsafe.Pointer(&ssetInfo))); err != nil {
 		return nil, err
 	}
 
-	length := uint32(ssetInfo.data)
+	/* we only read data on first index because single bit was set in sset_mask(0x10) */
+	length := ssetInfo.data[0]
 	if length == 0 {
 		return map[string]uint{}, nil
 	} else if length > MAX_GSTRINGS {
 		return nil, fmt.Errorf("ethtool currently doesn't support more than %d entries, received %d", MAX_GSTRINGS, length)
 	}
 
-	gstrings := ethtoolGStrings{
+	gstrings := EthtoolGStrings{
 		cmd:        ETHTOOL_GSTRINGS,
-		string_set: ETH_SS_FEATURES,
+		string_set: uint32(mask),
 		len:        length,
 		data:       [MAX_GSTRINGS * ETH_GSTRING_LEN]byte{},
 	}
@@ -497,10 +990,10 @@ func (e *Ethtool) FeatureNames(intf string) (map[string]uint, error) {
 		return nil, err
 	}
 
-	var result = make(map[string]uint)
+	result := make(map[string]uint)
 	for i := 0; i != int(length); i++ {
 		b := gstrings.data[i*ETH_GSTRING_LEN : i*ETH_GSTRING_LEN+ETH_GSTRING_LEN]
-		key := string(bytes.Trim(b, "\x00"))
+		key := goString(b)
 		if key != "" {
 			result[key] = uint(i)
 		}
@@ -509,6 +1002,11 @@ func (e *Ethtool) FeatureNames(intf string) (map[string]uint, error) {
 	return result, nil
 }
 
+// FeatureNames shows supported features by their name.
+func (e *Ethtool) FeatureNames(intf string) (map[string]uint, error) {
+	return e.getNames(intf, ETH_SS_FEATURES)
+}
+
 // Features retrieves features of the given interface name.
 func (e *Ethtool) Features(intf string) (map[string]bool, error) {
 	names, err := e.FeatureNames(intf)
@@ -530,7 +1028,7 @@ func (e *Ethtool) Features(intf string) (map[string]bool, error) {
 		return nil, err
 	}
 
-	var result = make(map[string]bool, length)
+	result := make(map[string]bool, length)
 	for key, index := range names {
 		result[key] = isFeatureBitSet(features.blocks, index)
 	}
@@ -538,6 +1036,36 @@ func (e *Ethtool) Features(intf string) (map[string]bool, error) {
 	return result, nil
 }
 
+// FeaturesWithState retrieves features of the given interface name,
+// with extra flags to explain if they can be enabled
+func (e *Ethtool) FeaturesWithState(intf string) (map[string]FeatureState, error) {
+	names, err := e.FeatureNames(intf)
+	if err != nil {
+		return nil, err
+	}
+
+	length := uint32(len(names))
+	if length == 0 {
+		return map[string]FeatureState{}, nil
+	}
+
+	features := ethtoolGfeatures{
+		cmd:  ETHTOOL_GFEATURES,
+		size: (length + 32 - 1) / 32,
+	}
+
+	if err := e.ioctl(intf, uintptr(unsafe.Pointer(&features))); err != nil {
+		return nil, err
+	}
+
+	var result = make(map[string]FeatureState, length)
+	for key, index := range names {
+		result[key] = getFeatureStateBits(features.blocks, index)
+	}
+
+	return result, nil
+}
+
 // Change requests a change in the given device's features.
 func (e *Ethtool) Change(intf string, config map[string]bool) error {
 	names, err := e.FeatureNames(intf)
@@ -563,7 +1091,69 @@ func (e *Ethtool) Change(intf string, config map[string]bool) error {
 	return e.ioctl(intf, uintptr(unsafe.Pointer(&features)))
 }
 
-// Get state of a link.
+// PrivFlagsNames shows supported private flags by their name.
+func (e *Ethtool) PrivFlagsNames(intf string) (map[string]uint, error) {
+	return e.getNames(intf, ETH_SS_PRIV_FLAGS)
+}
+
+// PrivFlags retrieves private flags of the given interface name.
+func (e *Ethtool) PrivFlags(intf string) (map[string]bool, error) {
+	names, err := e.PrivFlagsNames(intf)
+	if err != nil {
+		return nil, err
+	}
+
+	length := uint32(len(names))
+	if length == 0 {
+		return map[string]bool{}, nil
+	}
+
+	var val ethtoolLink
+	val.cmd = ETHTOOL_GPFLAGS
+	if err := e.ioctl(intf, uintptr(unsafe.Pointer(&val))); err != nil {
+		return nil, err
+	}
+
+	result := make(map[string]bool, length)
+	for name, mask := range names {
+		result[name] = val.data&(1<<mask) != 0
+	}
+
+	return result, nil
+}
+
+// UpdatePrivFlags requests a change in the given device's private flags.
+func (e *Ethtool) UpdatePrivFlags(intf string, config map[string]bool) error {
+	names, err := e.PrivFlagsNames(intf)
+	if err != nil {
+		return err
+	}
+
+	var curr ethtoolLink
+	curr.cmd = ETHTOOL_GPFLAGS
+	if err := e.ioctl(intf, uintptr(unsafe.Pointer(&curr))); err != nil {
+		return err
+	}
+
+	var update ethtoolLink
+	update.cmd = ETHTOOL_SPFLAGS
+	update.data = curr.data
+	for name, value := range config {
+		if index, ok := names[name]; ok {
+			if value {
+				update.data |= 1 << index
+			} else {
+				update.data &= ^(1 << index)
+			}
+		} else {
+			return fmt.Errorf("unsupported priv flag %q", name)
+		}
+	}
+
+	return e.ioctl(intf, uintptr(unsafe.Pointer(&update)))
+}
+
+// LinkState get the state of a link.
 func (e *Ethtool) LinkState(intf string) (uint32, error) {
 	x := ethtoolLink{
 		cmd: ETHTOOL_GLINK,
@@ -577,7 +1167,23 @@ func (e *Ethtool) LinkState(intf string) (uint32, error) {
 }
 
 // Stats retrieves stats of the given interface name.
+// This maintains backward compatibility with existing code.
 func (e *Ethtool) Stats(intf string) (map[string]uint64, error) {
+	// Create temporary buffers and delegate to StatsWithBuffer
+	gstrings := gstringsPool.Get().(*EthtoolGStrings)
+	stats := statsPool.Get().(*EthtoolStats)
+	defer func() {
+		gstringsPool.Put(gstrings)
+		statsPool.Put(stats)
+	}()
+
+	return e.StatsWithBuffer(intf, gstrings, stats)
+}
+
+// StatsWithBuffer retrieves stats of the given interface name using pre-allocated buffers.
+// This allows the caller to control where the large structures are allocated,
+// which can be useful to avoid heap allocations in Go 1.24+.
+func (e *Ethtool) StatsWithBuffer(intf string, gstringsPtr *EthtoolGStrings, statsPtr *EthtoolStats) (map[string]uint64, error) {
 	drvinfo := ethtoolDrvInfo{
 		cmd: ETHTOOL_GDRVINFO,
 	}
@@ -586,41 +1192,37 @@ func (e *Ethtool) Stats(intf string) (map[string]uint64, error) {
 		return nil, err
 	}
 
-	if drvinfo.n_stats*ETH_GSTRING_LEN > MAX_GSTRINGS*ETH_GSTRING_LEN {
+	if drvinfo.n_stats > MAX_GSTRINGS {
 		return nil, fmt.Errorf("ethtool currently doesn't support more than %d entries, received %d", MAX_GSTRINGS, drvinfo.n_stats)
 	}
 
-	gstrings := ethtoolGStrings{
-		cmd:        ETHTOOL_GSTRINGS,
-		string_set: ETH_SS_STATS,
-		len:        drvinfo.n_stats,
-		data:       [MAX_GSTRINGS * ETH_GSTRING_LEN]byte{},
-	}
+	gstringsPtr.cmd = ETHTOOL_GSTRINGS
+	gstringsPtr.string_set = ETH_SS_STATS
+	gstringsPtr.len = drvinfo.n_stats
 
-	if err := e.ioctl(intf, uintptr(unsafe.Pointer(&gstrings))); err != nil {
+	if err := e.ioctl(intf, uintptr(unsafe.Pointer(gstringsPtr))); err != nil {
 		return nil, err
 	}
 
-	stats := ethtoolStats{
-		cmd:     ETHTOOL_GSTATS,
-		n_stats: drvinfo.n_stats,
-		data:    [MAX_GSTRINGS]uint64{},
-	}
+	statsPtr.cmd = ETHTOOL_GSTATS
+	statsPtr.n_stats = drvinfo.n_stats
 
-	if err := e.ioctl(intf, uintptr(unsafe.Pointer(&stats))); err != nil {
+	if err := e.ioctl(intf, uintptr(unsafe.Pointer(statsPtr))); err != nil {
 		return nil, err
 	}
 
-	var result = make(map[string]uint64)
+	result := make(map[string]uint64, drvinfo.n_stats)
 	for i := 0; i != int(drvinfo.n_stats); i++ {
-		b := gstrings.data[i*ETH_GSTRING_LEN : i*ETH_GSTRING_LEN+ETH_GSTRING_LEN]
-		strEnd := strings.Index(string(b), "\x00")
+		b := gstringsPtr.data[i*ETH_GSTRING_LEN : (i+1)*ETH_GSTRING_LEN]
+
+		strEnd := bytes.IndexByte(b, 0)
 		if strEnd == -1 {
 			strEnd = ETH_GSTRING_LEN
 		}
 		key := string(b[:strEnd])
+
 		if len(key) != 0 {
-			result[key] = stats.data[i]
+			result[key] = statsPtr.data[i]
 		}
 	}
 
@@ -632,9 +1234,23 @@ func (e *Ethtool) Close() {
 	unix.Close(e.fd)
 }
 
+// Identity the nic with blink duration, if not specify blink for 60 seconds
+func (e *Ethtool) Identity(intf string, duration *time.Duration) error {
+	dur := uint32(DEFAULT_BLINK_DURATION.Seconds())
+	if duration != nil {
+		dur = uint32(duration.Seconds())
+	}
+	return e.identity(intf, IdentityConf{Duration: dur})
+}
+
+func (e *Ethtool) identity(intf string, identity IdentityConf) error {
+	identity.Cmd = ETHTOOL_PHYS_ID
+	return e.ioctl(intf, uintptr(unsafe.Pointer(&identity)))
+}
+
 // NewEthtool returns a new ethtool handler
 func NewEthtool() (*Ethtool, error) {
-	fd, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, unix.IPPROTO_IP)
+	fd, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM|unix.SOCK_CLOEXEC, unix.IPPROTO_IP)
 	if err != nil {
 		return nil, err
 	}
@@ -683,3 +1299,46 @@ func PermAddr(intf string) (string, error) {
 	defer e.Close()
 	return e.PermAddr(intf)
 }
+
+// Identity the nic with blink duration, if not specify blink infinity
+func Identity(intf string, duration *time.Duration) error {
+	e, err := NewEthtool()
+	if err != nil {
+		return err
+	}
+	defer e.Close()
+	return e.Identity(intf, duration)
+}
+
+func supportedSpeeds(mask uint64) (ret []struct {
+	name  string
+	mask  uint64
+	speed uint64
+}) {
+	for _, mode := range supportedCapabilities {
+		if mode.speed > 0 && ((1<<mode.mask)&mask) != 0 {
+			ret = append(ret, mode)
+		}
+	}
+	return ret
+}
+
+// SupportedLinkModes returns the names of the link modes supported by the interface.
+func SupportedLinkModes(mask uint64) []string {
+	var ret []string
+	for _, mode := range supportedSpeeds(mask) {
+		ret = append(ret, mode.name)
+	}
+	return ret
+}
+
+// SupportedSpeed returns the maximum capacity of this interface.
+func SupportedSpeed(mask uint64) uint64 {
+	var ret uint64
+	for _, mode := range supportedSpeeds(mask) {
+		if mode.speed > ret {
+			ret = mode.speed
+		}
+	}
+	return ret
+}

vendor/github.com/safchain/ethtool/ethtool_cmd.go

@@ -33,7 +33,9 @@ import (
 	"golang.org/x/sys/unix"
 )
 
-type EthtoolCmd struct { /* ethtool.c: struct ethtool_cmd */
+// EthtoolCmd is the Go version of the Linux kerne ethtool_cmd struct
+// see ethtool.c
+type EthtoolCmd struct {
 	Cmd            uint32
 	Supported      uint32
 	Advertising    uint32
@@ -75,7 +77,7 @@ func (ecmd *EthtoolCmd) CmdSet(intf string) (uint32, error) {
 	return e.CmdSet(ecmd, intf)
 }
 
-func (f *EthtoolCmd) reflect(retv *map[string]uint64) {
+func (f *EthtoolCmd) reflect(retv map[string]uint64) {
 	val := reflect.ValueOf(f).Elem()
 
 	for i := 0; i < val.NumField(); i++ {
@@ -83,29 +85,22 @@ func (f *EthtoolCmd) reflect(retv *map[string]uint64) {
 		typeField := val.Type().Field(i)
 
 		t := valueField.Interface()
-		//tt := reflect.TypeOf(t)
-		//fmt.Printf(" t %T %v  tt %T %v\n", t, t, tt, tt)
-		switch t.(type) {
+		switch tt := t.(type) {
 		case uint32:
-			//fmt.Printf("    t is uint32\n")
-			(*retv)[typeField.Name] = uint64(t.(uint32))
+			retv[typeField.Name] = uint64(tt)
 		case uint16:
-			(*retv)[typeField.Name] = uint64(t.(uint16))
+			retv[typeField.Name] = uint64(tt)
 		case uint8:
-			(*retv)[typeField.Name] = uint64(t.(uint8))
+			retv[typeField.Name] = uint64(tt)
 		case int32:
-			(*retv)[typeField.Name] = uint64(t.(int32))
+			retv[typeField.Name] = uint64(tt)
 		case int16:
-			(*retv)[typeField.Name] = uint64(t.(int16))
+			retv[typeField.Name] = uint64(tt)
 		case int8:
-			(*retv)[typeField.Name] = uint64(t.(int8))
+			retv[typeField.Name] = uint64(tt)
 		default:
-			(*retv)[typeField.Name+"_unknown_type"] = 0
+			retv[typeField.Name+"_unknown_type"] = 0
 		}
-
-		//tag := typeField.Tag
-		//fmt.Printf("Field Name: %s,\t Field Value: %v,\t Tag Value: %s\n",
-		//	typeField.Name, valueField.Interface(), tag.Get("tag_name"))
 	}
 }
 
@@ -128,7 +123,7 @@ func (e *Ethtool) CmdGet(ecmd *EthtoolCmd, intf string) (uint32, error) {
 		return 0, ep
 	}
 
-	var speedval uint32 = (uint32(ecmd.Speed_hi) << 16) |
+	var speedval = (uint32(ecmd.Speed_hi) << 16) |
 		(uint32(ecmd.Speed) & 0xffff)
 	if speedval == math.MaxUint16 {
 		speedval = math.MaxUint32
@@ -156,7 +151,7 @@ func (e *Ethtool) CmdSet(ecmd *EthtoolCmd, intf string) (uint32, error) {
 		return 0, unix.Errno(ep)
 	}
 
-	var speedval uint32 = (uint32(ecmd.Speed_hi) << 16) |
+	var speedval = (uint32(ecmd.Speed_hi) << 16) |
 		(uint32(ecmd.Speed) & 0xffff)
 	if speedval == math.MaxUint16 {
 		speedval = math.MaxUint32
@@ -185,19 +180,20 @@ func (e *Ethtool) CmdGetMapped(intf string) (map[string]uint64, error) {
 		return nil, ep
 	}
 
-	var result = make(map[string]uint64)
+	result := make(map[string]uint64)
 
 	// ref https://gist.github.com/drewolson/4771479
 	// Golang Reflection Example
-	ecmd.reflect(&result)
+	ecmd.reflect(result)
 
-	var speedval uint32 = (uint32(ecmd.Speed_hi) << 16) |
+	var speedval = (uint32(ecmd.Speed_hi) << 16) |
 		(uint32(ecmd.Speed) & 0xffff)
 	result["speed"] = uint64(speedval)
 
 	return result, nil
 }
 
+// CmdGetMapped returns the interface settings in a map
 func CmdGetMapped(intf string) (map[string]uint64, error) {
 	e, err := NewEthtool()
 	if err != nil {

vendor/github.com/safchain/ethtool/ethtool_darwin.go

@@ -0,0 +1,30 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package ethtool
+
+var supportedCapabilities = []struct {
+	name  string
+	mask  uint64
+	speed uint64
+}{
+	// no supported capabilities on darwin
+}

vendor/github.com/safchain/ethtool/ethtool_link_settings.go

@@ -0,0 +1,324 @@
+package ethtool
+
+import (
+	"errors"
+	"fmt"
+	"math"
+	"strings"
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/unix"
+)
+
+type LinkSettingSource string
+
+// Constants defining the source of the LinkSettings data
+const (
+	SourceGLinkSettings LinkSettingSource = "GLINKSETTINGS"
+	SourceGSet          LinkSettingSource = "GSET"
+)
+
+// EthtoolLinkSettingsFixed corresponds to struct ethtool_link_settings fixed part
+type EthtoolLinkSettingsFixed struct {
+	Cmd                 uint32
+	Speed               uint32
+	Duplex              uint8
+	Port                uint8
+	PhyAddress          uint8
+	Autoneg             uint8
+	MdixSupport         uint8 // Renamed from mdio_support
+	EthTpMdix           uint8
+	EthTpMdixCtrl       uint8
+	LinkModeMasksNwords int8
+	Transceiver         uint8
+	MasterSlaveCfg      uint8
+	MasterSlaveState    uint8
+	Reserved1           [1]byte
+	Reserved            [7]uint32
+	// Flexible array member link_mode_masks[0] starts here implicitly
+}
+
+// ethtoolLinkSettingsRequest includes space for the flexible array members
+type ethtoolLinkSettingsRequest struct {
+	Settings EthtoolLinkSettingsFixed
+	Masks    [3 * MAX_LINK_MODE_MASK_NWORDS]uint32 // Uses MAX_LINK_MODE_MASK_NWORDS constant from ethtool.go
+}
+
+// LinkSettings is the user-friendly representation returned by GetLinkSettings
+type LinkSettings struct {
+	Speed                uint32
+	Duplex               uint8
+	Port                 uint8
+	PhyAddress           uint8
+	Autoneg              uint8
+	MdixSupport          uint8
+	EthTpMdix            uint8
+	EthTpMdixCtrl        uint8
+	Transceiver          uint8
+	MasterSlaveCfg       uint8
+	MasterSlaveState     uint8
+	SupportedLinkModes   []string
+	AdvertisingLinkModes []string
+	LpAdvertisingModes   []string
+	Source               LinkSettingSource // "GSET" or "GLINKSETTINGS"
+}
+
+// GetLinkSettings retrieves link settings, preferring ETHTOOL_GLINKSETTINGS and falling back to ETHTOOL_GSET.
+// Uses a single ioctl call with the maximum expected buffer size.
+func (e *Ethtool) GetLinkSettings(intf string) (*LinkSettings, error) {
+	// 1. Attempt ETHTOOL_GLINKSETTINGS with max buffer size
+	var req ethtoolLinkSettingsRequest
+	req.Settings.Cmd = ETHTOOL_GLINKSETTINGS
+	// Provide the maximum expected nwords based on our constant
+	req.Settings.LinkModeMasksNwords = int8(MAX_LINK_MODE_MASK_NWORDS)
+
+	err := e.ioctl(intf, uintptr(unsafe.Pointer(&req)))
+	fallbackReason := ""
+
+	var errno syscall.Errno
+	switch {
+	case errors.As(err, &errno) && errors.Is(errno, unix.EOPNOTSUPP):
+		// Condition 1: ioctl returned EOPNOTSUPP
+		fallbackReason = "EOPNOTSUPP"
+	case err == nil:
+		// Condition 2: ioctl succeeded, but nwords might be invalid or buffer too small
+		nwords := int(req.Settings.LinkModeMasksNwords)
+		switch {
+		case nwords <= 0 || nwords > MAX_LINK_MODE_MASK_NWORDS:
+			// Sub-case 2a: Invalid nwords -> fallback
+			fmt.Printf("Warning: GLINKSETTINGS succeeded but returned invalid nwords (%d), attempting fallback to GSET\n", nwords)
+			fallbackReason = "invalid nwords from GLINKSETTINGS"
+		case 3*nwords > len(req.Masks):
+			// Sub-case 2b: Buffer too small -> error
+			return nil, fmt.Errorf("kernel requires %d words for GLINKSETTINGS, buffer only has space for %d (max %d)", nwords, len(req.Masks)/3, MAX_LINK_MODE_MASK_NWORDS)
+		default:
+			// Sub-case 2c: Success (nwords valid and buffer sufficient)
+			results := &LinkSettings{
+				Speed:                req.Settings.Speed,
+				Duplex:               req.Settings.Duplex,
+				Port:                 req.Settings.Port,
+				PhyAddress:           req.Settings.PhyAddress,
+				Autoneg:              req.Settings.Autoneg,
+				MdixSupport:          req.Settings.MdixSupport,
+				EthTpMdix:            req.Settings.EthTpMdix,
+				EthTpMdixCtrl:        req.Settings.EthTpMdixCtrl,
+				Transceiver:          req.Settings.Transceiver,
+				MasterSlaveCfg:       req.Settings.MasterSlaveCfg,
+				MasterSlaveState:     req.Settings.MasterSlaveState,
+				SupportedLinkModes:   parseLinkModeMasks(req.Masks[0*nwords : 1*nwords]),
+				AdvertisingLinkModes: parseLinkModeMasks(req.Masks[1*nwords : 2*nwords]),
+				LpAdvertisingModes:   parseLinkModeMasks(req.Masks[2*nwords : 3*nwords]),
+				Source:               SourceGLinkSettings,
+			}
+			return results, nil
+		}
+	default:
+		// Condition 3: ioctl failed with an error other than EOPNOTSUPP
+		// No fallback in this case.
+		return nil, fmt.Errorf("ETHTOOL_GLINKSETTINGS ioctl failed: %w", err)
+	}
+
+	// Fallback to ETHTOOL_GSET using e.CmdGet
+	var cmd EthtoolCmd
+	_, errGet := e.CmdGet(&cmd, intf)
+	if errGet != nil {
+		return nil, fmt.Errorf("ETHTOOL_GLINKSETTINGS failed (%s), fallback ETHTOOL_GSET (CmdGet) also failed: %w", fallbackReason, errGet)
+	}
+	results := convertCmdToLinkSettings(&cmd)
+	results.Source = SourceGSet
+	return results, nil
+}
+
+// SetLinkSettings applies link settings, determining whether to use ETHTOOL_SLINKSETTINGS or ETHTOOL_SSET.
+func (e *Ethtool) SetLinkSettings(intf string, settings *LinkSettings) error {
+	var checkReq ethtoolLinkSettingsRequest
+	checkReq.Settings.Cmd = ETHTOOL_GLINKSETTINGS
+	checkReq.Settings.LinkModeMasksNwords = int8(MAX_LINK_MODE_MASK_NWORDS)
+
+	errGLinkSettings := e.ioctl(intf, uintptr(unsafe.Pointer(&checkReq)))
+	canUseGLinkSettings := false
+	nwords := 0
+
+	if errGLinkSettings == nil {
+		nwords = int(checkReq.Settings.LinkModeMasksNwords)
+		if nwords <= 0 || nwords > MAX_LINK_MODE_MASK_NWORDS {
+			return fmt.Errorf("ETHTOOL_GLINKSETTINGS check succeeded but returned invalid nwords: %d", nwords)
+		}
+		canUseGLinkSettings = true
+	} else {
+		var errno syscall.Errno
+		if !errors.As(errGLinkSettings, &errno) || !errors.Is(errno, unix.EOPNOTSUPP) {
+			return fmt.Errorf("checking support via ETHTOOL_GLINKSETTINGS failed: %w", errGLinkSettings)
+		}
+	}
+
+	if canUseGLinkSettings {
+		var setReq ethtoolLinkSettingsRequest
+		if 3*nwords > len(setReq.Masks) {
+			return fmt.Errorf("internal error: required nwords (%d) exceeds allocated buffer (%d)", nwords, MAX_LINK_MODE_MASK_NWORDS)
+		}
+		setReq.Settings.Cmd = ETHTOOL_SLINKSETTINGS
+		setReq.Settings.Speed = settings.Speed
+		setReq.Settings.Duplex = settings.Duplex
+		setReq.Settings.Port = settings.Port
+		setReq.Settings.PhyAddress = settings.PhyAddress
+		setReq.Settings.Autoneg = settings.Autoneg
+		setReq.Settings.EthTpMdixCtrl = settings.EthTpMdixCtrl
+		setReq.Settings.MasterSlaveCfg = settings.MasterSlaveCfg
+		setReq.Settings.LinkModeMasksNwords = int8(nwords)
+
+		advertisingMask := buildLinkModeMask(settings.AdvertisingLinkModes, nwords)
+		if len(advertisingMask) != nwords {
+			return fmt.Errorf("failed to build advertising mask with correct size (%d != %d)", len(advertisingMask), nwords)
+		}
+		copy(setReq.Masks[nwords:2*nwords], advertisingMask)
+		zeroMaskSupported := make([]uint32, nwords)
+		zeroMaskLp := make([]uint32, nwords)
+		copy(setReq.Masks[0*nwords:1*nwords], zeroMaskSupported)
+		copy(setReq.Masks[2*nwords:3*nwords], zeroMaskLp)
+
+		if err := e.ioctl(intf, uintptr(unsafe.Pointer(&setReq))); err != nil {
+			return fmt.Errorf("ETHTOOL_SLINKSETTINGS ioctl failed: %w", err)
+		}
+		return nil
+
+	}
+	// Check if trying to set high bits when only SSET is available
+	advertisingMaskCheck := buildLinkModeMask(settings.AdvertisingLinkModes, MAX_LINK_MODE_MASK_NWORDS)
+	for i := 1; i < len(advertisingMaskCheck); i++ {
+		if advertisingMaskCheck[i] != 0 {
+			return fmt.Errorf("cannot set link modes beyond 32 bits using legacy ETHTOOL_SSET; device does not support ETHTOOL_SLINKSETTINGS")
+		}
+	}
+
+	// Fallback to SSET
+	cmd := convertLinkSettingsToCmd(settings)
+	_, errSet := e.CmdSet(cmd, intf)
+	if errSet != nil {
+		return fmt.Errorf("ETHTOOL_SLINKSETTINGS not supported, fallback ETHTOOL_SSET (CmdSet) failed: %w", errSet)
+	}
+	return nil
+}
+
+// parseLinkModeMasks converts a slice of uint32 bitmasks to a list of mode names.
+// It filters out non-speed/duplex modes (like TP, Autoneg, Pause).
+func parseLinkModeMasks(mask []uint32) []string {
+	modes := make([]string, 0, 8)
+	for _, capability := range supportedCapabilities {
+		// Only include capabilities that represent a speed/duplex mode
+		if capability.speed > 0 {
+			bitIndex := int(capability.mask)
+			wordIndex := bitIndex / 32
+			bitInWord := uint(bitIndex % 32)
+			if wordIndex < len(mask) && (mask[wordIndex]>>(bitInWord))&1 != 0 {
+				modes = append(modes, capability.name)
+			}
+		}
+	}
+	return modes
+}
+
+// buildLinkModeMask converts a list of mode names back into a uint32 bitmask slice.
+// It filters out non-speed/duplex modes.
+func buildLinkModeMask(modes []string, nwords int) []uint32 {
+	if nwords <= 0 || nwords > MAX_LINK_MODE_MASK_NWORDS {
+		return make([]uint32, 0)
+	}
+	mask := make([]uint32, nwords)
+	modeMap := make(map[string]struct {
+		bitIndex int
+		speed    uint64
+	})
+	for _, capability := range supportedCapabilities {
+		// Only consider capabilities that represent a speed/duplex mode
+		if capability.speed > 0 {
+			modeMap[capability.name] = struct {
+				bitIndex int
+				speed    uint64
+			}{bitIndex: int(capability.mask), speed: capability.speed}
+		}
+	}
+	for _, modeName := range modes {
+		if info, ok := modeMap[strings.TrimSpace(modeName)]; ok {
+			wordIndex := info.bitIndex / 32
+			bitInWord := uint(info.bitIndex % 32)
+			if wordIndex < nwords {
+				mask[wordIndex] |= 1 << bitInWord
+			} else {
+				fmt.Printf("Warning: Link mode '%s' (bit %d) exceeds device's mask size (%d words)\n", modeName, info.bitIndex, nwords)
+			}
+		} else {
+			// Check if the user provided a non-speed mode name - ignore it for the mask, maybe warn?
+			isKnownNonSpeed := false
+			for _, capability := range supportedCapabilities {
+				if capability.speed == 0 && capability.name == strings.TrimSpace(modeName) {
+					isKnownNonSpeed = true
+					break
+				}
+			}
+			if !isKnownNonSpeed {
+				fmt.Printf("Warning: Unknown link mode '%s' specified for mask building\n", modeName)
+			} // Silently ignore known non-speed modes like Autoneg, TP, Pause for the mask
+		}
+	}
+	return mask
+}
+
+// convertCmdToLinkSettings converts data from the legacy EthtoolCmd to the new LinkSettings format.
+func convertCmdToLinkSettings(cmd *EthtoolCmd) *LinkSettings {
+	ls := &LinkSettings{
+		Speed:                (uint32(cmd.Speed_hi) << 16) | uint32(cmd.Speed),
+		Duplex:               cmd.Duplex,
+		Port:                 cmd.Port,
+		PhyAddress:           cmd.Phy_address,
+		Autoneg:              cmd.Autoneg,
+		MdixSupport:          cmd.Mdio_support,
+		EthTpMdix:            cmd.Eth_tp_mdix,
+		EthTpMdixCtrl:        ETH_TP_MDI_INVALID,
+		Transceiver:          cmd.Transceiver,
+		MasterSlaveCfg:       0, // No equivalent in EthtoolCmd
+		MasterSlaveState:     0, // No equivalent in EthtoolCmd
+		SupportedLinkModes:   parseLegacyLinkModeMask(cmd.Supported),
+		AdvertisingLinkModes: parseLegacyLinkModeMask(cmd.Advertising),
+		LpAdvertisingModes:   parseLegacyLinkModeMask(cmd.Lp_advertising),
+	}
+	if cmd.Speed == math.MaxUint16 && cmd.Speed_hi == math.MaxUint16 {
+		ls.Speed = SPEED_UNKNOWN // GSET uses 0xFFFF/0xFFFF for unknown/auto
+	}
+	return ls
+}
+
+// parseLegacyLinkModeMask helper for converting single uint32 mask.
+func parseLegacyLinkModeMask(mask uint32) []string {
+	return parseLinkModeMasks([]uint32{mask})
+}
+
+// convertLinkSettingsToCmd converts new LinkSettings data back to the legacy EthtoolCmd format for SSET fallback.
+func convertLinkSettingsToCmd(ls *LinkSettings) *EthtoolCmd {
+	cmd := &EthtoolCmd{}
+	if ls.Speed == 0 || ls.Speed == SPEED_UNKNOWN {
+		cmd.Speed = math.MaxUint16
+		cmd.Speed_hi = math.MaxUint16
+	} else {
+		cmd.Speed = uint16(ls.Speed & 0xFFFF)
+		cmd.Speed_hi = uint16((ls.Speed >> 16) & 0xFFFF)
+	}
+	cmd.Duplex = ls.Duplex
+	cmd.Port = ls.Port
+	cmd.Phy_address = ls.PhyAddress
+	cmd.Autoneg = ls.Autoneg
+	// Cannot set EthTpMdixCtrl via EthtoolCmd
+	cmd.Transceiver = ls.Transceiver
+	cmd.Advertising = buildLegacyLinkModeMask(ls.AdvertisingLinkModes)
+	return cmd
+}
+
+// buildLegacyLinkModeMask helper for building single uint32 mask from names.
+func buildLegacyLinkModeMask(modes []string) uint32 {
+	maskSlice := buildLinkModeMask(modes, 1)
+	if len(maskSlice) > 0 {
+		return maskSlice[0]
+	}
+	return 0
+}

vendor/github.com/safchain/ethtool/ethtool_linux.go

@@ -0,0 +1,130 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package ethtool
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+// Updated supportedCapabilities including modes from ethtool.h enum ethtool_link_mode_bit_indices
+var supportedCapabilities = []struct {
+	name  string
+	mask  uint64 // Use uint64 to accommodate indices > 31
+	speed uint64 // Speed in bps, 0 for non-speed modes
+}{
+	// Existing entries (reordered slightly by bit index for clarity)
+	{"10baseT_Half", unix.ETHTOOL_LINK_MODE_10baseT_Half_BIT, 10_000_000},        // 0
+	{"10baseT_Full", unix.ETHTOOL_LINK_MODE_10baseT_Full_BIT, 10_000_000},        // 1
+	{"100baseT_Half", unix.ETHTOOL_LINK_MODE_100baseT_Half_BIT, 100_000_000},     // 2
+	{"100baseT_Full", unix.ETHTOOL_LINK_MODE_100baseT_Full_BIT, 100_000_000},     // 3
+	{"1000baseT_Half", unix.ETHTOOL_LINK_MODE_1000baseT_Half_BIT, 1_000_000_000}, // 4
+	{"1000baseT_Full", unix.ETHTOOL_LINK_MODE_1000baseT_Full_BIT, 1_000_000_000}, // 5
+	// Newly added or re-confirmed based on full enum
+	{"Autoneg", unix.ETHTOOL_LINK_MODE_Autoneg_BIT, 0},                                    // 6
+	{"TP", unix.ETHTOOL_LINK_MODE_TP_BIT, 0},                                              // 7 (Twisted Pair port)
+	{"AUI", unix.ETHTOOL_LINK_MODE_AUI_BIT, 0},                                            // 8 (AUI port)
+	{"MII", unix.ETHTOOL_LINK_MODE_MII_BIT, 0},                                            // 9 (MII port)
+	{"FIBRE", unix.ETHTOOL_LINK_MODE_FIBRE_BIT, 0},                                        // 10 (FIBRE port)
+	{"BNC", unix.ETHTOOL_LINK_MODE_BNC_BIT, 0},                                            // 11 (BNC port)
+	{"10000baseT_Full", unix.ETHTOOL_LINK_MODE_10000baseT_Full_BIT, 10_000_000_000},       // 12
+	{"Pause", unix.ETHTOOL_LINK_MODE_Pause_BIT, 0},                                        // 13
+	{"Asym_Pause", unix.ETHTOOL_LINK_MODE_Asym_Pause_BIT, 0},                              // 14
+	{"2500baseX_Full", unix.ETHTOOL_LINK_MODE_2500baseX_Full_BIT, 2_500_000_000},          // 15
+	{"Backplane", unix.ETHTOOL_LINK_MODE_Backplane_BIT, 0},                                // 16 (Backplane port)
+	{"1000baseKX_Full", unix.ETHTOOL_LINK_MODE_1000baseKX_Full_BIT, 1_000_000_000},        // 17
+	{"10000baseKX4_Full", unix.ETHTOOL_LINK_MODE_10000baseKX4_Full_BIT, 10_000_000_000},   // 18
+	{"10000baseKR_Full", unix.ETHTOOL_LINK_MODE_10000baseKR_Full_BIT, 10_000_000_000},     // 19
+	{"10000baseR_FEC", unix.ETHTOOL_LINK_MODE_10000baseR_FEC_BIT, 10_000_000_000},         // 20
+	{"20000baseMLD2_Full", unix.ETHTOOL_LINK_MODE_20000baseMLD2_Full_BIT, 20_000_000_000}, // 21
+	{"20000baseKR2_Full", unix.ETHTOOL_LINK_MODE_20000baseKR2_Full_BIT, 20_000_000_000},   // 22
+	{"40000baseKR4_Full", unix.ETHTOOL_LINK_MODE_40000baseKR4_Full_BIT, 40_000_000_000},   // 23
+	{"40000baseCR4_Full", unix.ETHTOOL_LINK_MODE_40000baseCR4_Full_BIT, 40_000_000_000},   // 24
+	{"40000baseSR4_Full", unix.ETHTOOL_LINK_MODE_40000baseSR4_Full_BIT, 40_000_000_000},   // 25
+	{"40000baseLR4_Full", unix.ETHTOOL_LINK_MODE_40000baseLR4_Full_BIT, 40_000_000_000},   // 26
+	{"56000baseKR4_Full", unix.ETHTOOL_LINK_MODE_56000baseKR4_Full_BIT, 56_000_000_000},   // 27
+	{"56000baseCR4_Full", unix.ETHTOOL_LINK_MODE_56000baseCR4_Full_BIT, 56_000_000_000},   // 28
+	{"56000baseSR4_Full", unix.ETHTOOL_LINK_MODE_56000baseSR4_Full_BIT, 56_000_000_000},   // 29
+	{"56000baseLR4_Full", unix.ETHTOOL_LINK_MODE_56000baseLR4_Full_BIT, 56_000_000_000},   // 30
+	{"25000baseCR_Full", unix.ETHTOOL_LINK_MODE_25000baseCR_Full_BIT, 25_000_000_000},     // 31
+	// Modes beyond bit 31 (require GLINKSETTINGS)
+	{"25000baseKR_Full", unix.ETHTOOL_LINK_MODE_25000baseKR_Full_BIT, 25_000_000_000},                      // 32
+	{"25000baseSR_Full", unix.ETHTOOL_LINK_MODE_25000baseSR_Full_BIT, 25_000_000_000},                      // 33
+	{"50000baseCR2_Full", unix.ETHTOOL_LINK_MODE_50000baseCR2_Full_BIT, 50_000_000_000},                    // 34
+	{"50000baseKR2_Full", unix.ETHTOOL_LINK_MODE_50000baseKR2_Full_BIT, 50_000_000_000},                    // 35
+	{"100000baseKR4_Full", unix.ETHTOOL_LINK_MODE_100000baseKR4_Full_BIT, 100_000_000_000},                 // 36
+	{"100000baseSR4_Full", unix.ETHTOOL_LINK_MODE_100000baseSR4_Full_BIT, 100_000_000_000},                 // 37
+	{"100000baseCR4_Full", unix.ETHTOOL_LINK_MODE_100000baseCR4_Full_BIT, 100_000_000_000},                 // 38
+	{"100000baseLR4_ER4_Full", unix.ETHTOOL_LINK_MODE_100000baseLR4_ER4_Full_BIT, 100_000_000_000},         // 39
+	{"50000baseSR2_Full", unix.ETHTOOL_LINK_MODE_50000baseSR2_Full_BIT, 50_000_000_000},                    // 40
+	{"1000baseX_Full", unix.ETHTOOL_LINK_MODE_1000baseX_Full_BIT, 1_000_000_000},                           // 41
+	{"10000baseCR_Full", unix.ETHTOOL_LINK_MODE_10000baseCR_Full_BIT, 10_000_000_000},                      // 42
+	{"10000baseSR_Full", unix.ETHTOOL_LINK_MODE_10000baseSR_Full_BIT, 10_000_000_000},                      // 43
+	{"10000baseLR_Full", unix.ETHTOOL_LINK_MODE_10000baseLR_Full_BIT, 10_000_000_000},                      // 44
+	{"10000baseLRM_Full", unix.ETHTOOL_LINK_MODE_10000baseLRM_Full_BIT, 10_000_000_000},                    // 45
+	{"10000baseER_Full", unix.ETHTOOL_LINK_MODE_10000baseER_Full_BIT, 10_000_000_000},                      // 46
+	{"2500baseT_Full", unix.ETHTOOL_LINK_MODE_2500baseT_Full_BIT, 2_500_000_000},                           // 47 (already present but reconfirmed)
+	{"5000baseT_Full", unix.ETHTOOL_LINK_MODE_5000baseT_Full_BIT, 5_000_000_000},                           // 48
+	{"FEC_NONE", unix.ETHTOOL_LINK_MODE_FEC_NONE_BIT, 0},                                                   // 49
+	{"FEC_RS", unix.ETHTOOL_LINK_MODE_FEC_RS_BIT, 0},                                                       // 50 (Reed-Solomon FEC)
+	{"FEC_BASER", unix.ETHTOOL_LINK_MODE_FEC_BASER_BIT, 0},                                                 // 51 (BaseR FEC)
+	{"50000baseKR_Full", unix.ETHTOOL_LINK_MODE_50000baseKR_Full_BIT, 50_000_000_000},                      // 52
+	{"50000baseSR_Full", unix.ETHTOOL_LINK_MODE_50000baseSR_Full_BIT, 50_000_000_000},                      // 53
+	{"50000baseCR_Full", unix.ETHTOOL_LINK_MODE_50000baseCR_Full_BIT, 50_000_000_000},                      // 54
+	{"50000baseLR_ER_FR_Full", unix.ETHTOOL_LINK_MODE_50000baseLR_ER_FR_Full_BIT, 50_000_000_000},          // 55
+	{"50000baseDR_Full", unix.ETHTOOL_LINK_MODE_50000baseDR_Full_BIT, 50_000_000_000},                      // 56
+	{"100000baseKR2_Full", unix.ETHTOOL_LINK_MODE_100000baseKR2_Full_BIT, 100_000_000_000},                 // 57
+	{"100000baseSR2_Full", unix.ETHTOOL_LINK_MODE_100000baseSR2_Full_BIT, 100_000_000_000},                 // 58
+	{"100000baseCR2_Full", unix.ETHTOOL_LINK_MODE_100000baseCR2_Full_BIT, 100_000_000_000},                 // 59
+	{"100000baseLR2_ER2_FR2_Full", unix.ETHTOOL_LINK_MODE_100000baseLR2_ER2_FR2_Full_BIT, 100_000_000_000}, // 60
+	{"100000baseDR2_Full", unix.ETHTOOL_LINK_MODE_100000baseDR2_Full_BIT, 100_000_000_000},                 // 61
+	{"200000baseKR4_Full", unix.ETHTOOL_LINK_MODE_200000baseKR4_Full_BIT, 200_000_000_000},                 // 62
+	{"200000baseSR4_Full", unix.ETHTOOL_LINK_MODE_200000baseSR4_Full_BIT, 200_000_000_000},                 // 63
+	{"200000baseLR4_ER4_FR4_Full", unix.ETHTOOL_LINK_MODE_200000baseLR4_ER4_FR4_Full_BIT, 200_000_000_000}, // 64
+	{"200000baseDR4_Full", unix.ETHTOOL_LINK_MODE_200000baseDR4_Full_BIT, 200_000_000_000},                 // 65
+	{"200000baseCR4_Full", unix.ETHTOOL_LINK_MODE_200000baseCR4_Full_BIT, 200_000_000_000},                 // 66
+	{"100baseT1_Full", unix.ETHTOOL_LINK_MODE_100baseT1_Full_BIT, 100_000_000},                             // 67 (Automotive/SPE)
+	{"1000baseT1_Full", unix.ETHTOOL_LINK_MODE_1000baseT1_Full_BIT, 1_000_000_000},                         // 68 (Automotive/SPE)
+	{"400000baseKR8_Full", unix.ETHTOOL_LINK_MODE_400000baseKR8_Full_BIT, 400_000_000_000},                 // 69
+	{"400000baseSR8_Full", unix.ETHTOOL_LINK_MODE_400000baseSR8_Full_BIT, 400_000_000_000},                 // 70
+	{"400000baseLR8_ER8_FR8_Full", unix.ETHTOOL_LINK_MODE_400000baseLR8_ER8_FR8_Full_BIT, 400_000_000_000}, // 71
+	{"400000baseDR8_Full", unix.ETHTOOL_LINK_MODE_400000baseDR8_Full_BIT, 400_000_000_000},                 // 72
+	{"400000baseCR8_Full", unix.ETHTOOL_LINK_MODE_400000baseCR8_Full_BIT, 400_000_000_000},                 // 73
+	{"FEC_LLRS", unix.ETHTOOL_LINK_MODE_FEC_LLRS_BIT, 0},                                                   // 74 (Low Latency Reed-Solomon FEC)
+	// PAM4 modes start here? Often indicated by lack of KR/CR/SR/LR or different naming
+	{"100000baseKR_Full", unix.ETHTOOL_LINK_MODE_100000baseKR_Full_BIT, 100_000_000_000},                   // 75 (Likely 100GBASE-KR1)
+	{"100000baseSR_Full", unix.ETHTOOL_LINK_MODE_100000baseSR_Full_BIT, 100_000_000_000},                   // 76 (Likely 100GBASE-SR1)
+	{"100000baseLR_ER_FR_Full", unix.ETHTOOL_LINK_MODE_100000baseLR_ER_FR_Full_BIT, 100_000_000_000},       // 77 (Likely 100GBASE-LR1/ER1/FR1)
+	{"100000baseCR_Full", unix.ETHTOOL_LINK_MODE_100000baseCR_Full_BIT, 100_000_000_000},                   // 78 (Likely 100GBASE-CR1)
+	{"100000baseDR_Full", unix.ETHTOOL_LINK_MODE_100000baseDR_Full_BIT, 100_000_000_000},                   // 79
+	{"200000baseKR2_Full", unix.ETHTOOL_LINK_MODE_200000baseKR2_Full_BIT, 200_000_000_000},                 // 80 (Likely 200GBASE-KR2)
+	{"200000baseSR2_Full", unix.ETHTOOL_LINK_MODE_200000baseSR2_Full_BIT, 200_000_000_000},                 // 81 (Likely 200GBASE-SR2)
+	{"200000baseLR2_ER2_FR2_Full", unix.ETHTOOL_LINK_MODE_200000baseLR2_ER2_FR2_Full_BIT, 200_000_000_000}, // 82 (Likely 200GBASE-LR2/etc)
+	{"200000baseDR2_Full", unix.ETHTOOL_LINK_MODE_200000baseDR2_Full_BIT, 200_000_000_000},                 // 83
+	{"200000baseCR2_Full", unix.ETHTOOL_LINK_MODE_200000baseCR2_Full_BIT, 200_000_000_000},                 // 84 (Likely 200GBASE-CR2)
+	{"400000baseKR4_Full", unix.ETHTOOL_LINK_MODE_400000baseKR4_Full_BIT, 400_000_000_000},                 // 85 (Likely 400GBASE-KR4)
+	{"400000baseSR4_Full", unix.ETHTOOL_LINK_MODE_400000baseSR4_Full_BIT, 400_000_000_000},                 // 86 (Likely 400GBASE-SR4)
+	{"400000baseLR4_ER4_FR4_Full", unix.ETHTOOL_LINK_MODE_400000baseLR4_ER4_FR4_Full_BIT, 400_000_000_000}, // 87 (Likely 400GBASE-LR4/etc)
+	{"400000baseDR4_Full", unix.ETHTOOL_LINK_MODE_400000baseDR4_Full_BIT, 400_000_000_000},                 // 88
+	{"400000baseCR4_Full", unix.ETHTOOL_LINK_MODE_400000baseCR4_Full_BIT, 400_000_000_000},                 // 89 (Likely 400GBASE-CR4)
+	{"100baseFX_Half", unix.ETHTOOL_LINK_MODE_100baseFX_Half_BIT, 100_000_000},                             // 90
+	{"100baseFX_Full", unix.ETHTOOL_LINK_MODE_100baseFX_Full_BIT, 100_000_000},                             // 91
+}

vendor/modules.txt

@@ -32,10 +32,12 @@ github.com/containernetworking/cni/pkg/types/create
 github.com/containernetworking/cni/pkg/types/internal
 github.com/containernetworking/cni/pkg/utils
 github.com/containernetworking/cni/pkg/version
-# github.com/containernetworking/plugins v1.1.1
-## explicit; go 1.17
+# github.com/containernetworking/plugins v1.9.1
+## explicit; go 1.24.2
 github.com/containernetworking/plugins/pkg/ip
+github.com/containernetworking/plugins/pkg/netlinksafe
 github.com/containernetworking/plugins/pkg/ns
+github.com/containernetworking/plugins/pkg/utils
 github.com/containernetworking/plugins/pkg/utils/sysctl
 github.com/containernetworking/plugins/plugins/ipam/host-local/backend
 github.com/containernetworking/plugins/plugins/ipam/host-local/backend/allocator
@@ -101,7 +103,7 @@ github.com/inconshreveable/mousetrap
 # github.com/josharian/intern v1.0.0
 ## explicit; go 1.5
 github.com/josharian/intern
-# github.com/josharian/native v0.0.0-20200817173448-b6b71def0850
+# github.com/josharian/native v1.1.0
 ## explicit; go 1.13
 github.com/josharian/native
 # github.com/json-iterator/go v1.1.12
@@ -129,8 +131,8 @@ github.com/mdlayher/genetlink
 ## explicit; go 1.12
 github.com/mdlayher/netlink
 github.com/mdlayher/netlink/nlenc
-# github.com/mdlayher/socket v0.0.0-20211102153432-57e3fa563ecb
-## explicit; go 1.17
+# github.com/mdlayher/socket v0.5.1
+## explicit; go 1.20
 github.com/mdlayher/socket
 # github.com/metalmatze/signal v0.0.0-20210307161603-1c9aa721a97a
 ## explicit; go 1.14
@@ -148,6 +150,9 @@ github.com/munnerz/goautoneg
 # github.com/oklog/run v1.2.0
 ## explicit; go 1.20
 github.com/oklog/run
+# github.com/pkg/errors v0.9.1
+## explicit
+github.com/pkg/errors
 # github.com/pmezard/go-difflib v1.0.0
 ## explicit
 github.com/pmezard/go-difflib/difflib
@@ -172,8 +177,8 @@ github.com/prometheus/common/model
 github.com/prometheus/procfs
 github.com/prometheus/procfs/internal/fs
 github.com/prometheus/procfs/internal/util
-# github.com/safchain/ethtool v0.0.0-20210803160452-9aa261dae9b1
-## explicit
+# github.com/safchain/ethtool v0.6.2
+## explicit; go 1.23.0
 github.com/safchain/ethtool
 # github.com/spf13/cobra v1.10.2
 ## explicit; go 1.15
@@ -732,6 +737,9 @@ sigs.k8s.io/controller-tools/pkg/webhook
 ## explicit; go 1.23
 sigs.k8s.io/json
 sigs.k8s.io/json/internal/golang/encoding/json
+# sigs.k8s.io/knftables v0.0.18
+## explicit; go 1.20
+sigs.k8s.io/knftables
 # sigs.k8s.io/randfill v1.0.0
 ## explicit; go 1.18
 sigs.k8s.io/randfill

vendor/sigs.k8s.io/knftables/.gitignore

@@ -0,0 +1,2 @@
+*~
+hack/bin/golangci-lint

vendor/sigs.k8s.io/knftables/CHANGELOG.md

@@ -0,0 +1,181 @@
+# ChangeLog
+
+## v0.0.18
+
+- Added locking to `Fake` to allow it to be safely used concurrently.
+  (`@npinaeva`)
+
+- Added a `Flowtable` object, and `Fake` support for correctly parsing
+  flowtable references. (`@aojea`)
+
+- Fixed a bug in `Fake.ParseDump`, which accidentally required the
+  table to have a comment. (`@danwinship`)
+
+## v0.0.17
+
+- `ListRules()` now accepts `""` for the chain name, meaning to list
+  all rules in the table. (`@caseydavenport`)
+
+- `ListElements()` now handles elements with prefix/CIDR values (e.g.,
+  `"192.168.0.0/16"`; these are represented specially in the JSON
+  format and the old code didn't handle them). (`@caseydavenport`)
+
+- Added `NumOperations()` to `Transaction` (which lets you figure out
+  belatedly whether you added anything to the transaction or not, and
+  could also be used for metrics). (`@fasaxc`)
+
+- `knftables.Interface` now reuses the same `bytes.Buffer` for each
+  call to `nft` rather than constructing a new one each time, saving
+  time and memory. (`@aroradaman`)
+
+- Fixed map element deletion in `knftables.Fake` to not mistakenly
+  require that you fill in the `.Value` of the element. (`@npinaeva`)
+
+- Added `Fake.LastTransaction`, to retrieve the most-recently-executed
+  transaction. (`@npinaeva`)
+
+## v0.0.16
+
+- Fixed a bug in `Fake.ParseDump()` when using IPv6. (`@npinaeva`)
+
+## v0.0.15
+
+- knftables now requires the nft binary to be v1.0.1 or later. This is
+  because earlier versions (a) had bugs that might cause them to crash
+  when parsing rules created by later versions of nft, and (b) always
+  parsed the entire ruleset at startup, even if you were only trying
+  to operate on a single table. The combination of those two factors
+  means that older versions of nft can't reliably be used from inside
+  a container. (`@danwinship`)
+
+- Fixed a bug that meant we were never setting comments on
+  tables/chains/sets/etc, even if nft and the kernel were both new
+  enough to support it. (`@tnqn`)
+
+- Added `Fake.ParseDump()`, to load a `Fake` from a `Fake.Dump()`
+  output. (`@npinaeva`)
+
+## v0.0.14
+
+- Renamed the package `"sigs.k8s.io/knftables"`, reflecting its new
+  home at https://github.com/kubernetes-sigs/knftables/
+
+- Improvements to `Fake`:
+
+    - `Fake.Run()` is now properly transactional, and will have no
+      side effects if an error occurs.
+
+    - `Fake.Dump()` now outputs all `add chain`, `add set`, and `add
+      table` commands before any `add rule` and `add element`
+      commands, to ensure that the dumped ruleset can be passed to
+      `nft -f` without errors.
+
+    - Conversely, `Fake.Run()` now does enough parsing of rules and
+      elements that it will notice rules that do lookups in
+      non-existent sets/maps, and rules/verdicts that jump to
+      non-existent chains, so it can error out in those cases.
+
+- Added `nft.Check()`, which is like `nft.Run()`, but using
+  `nft --check`.
+
+- Fixed support for ingress and egress hooks (by adding
+  `Chain.Device`).
+
+## v0.0.13
+
+- Fixed a bug in `Fake.Run` where it was not properly returning "not
+  found" / "already exists" errors.
+
+## v0.0.12
+
+- Renamed the package from `"github.com/danwinship/nftables"` to
+  `"github.com/danwinship/knftables"`, for less ambiguity.
+
+- Added `NameLengthMax` and `CommentLengthMax` constants.
+
+- Changed serialization of `Chain` to convert string-valued `Priority`
+  to numeric form, if possible.
+
+- (The `v0.0.11` tag exists but is not usable due to a bad `go.mod`)
+
+## v0.0.10
+
+- Dropped `Define`, because nft defines turned out to not work the way
+  I thought (in particular, you can't do "$IP daddr"), so they end up
+  not really being useful for our purposes.
+
+- Made `NewTransaction` a method on `Interface` rather than a
+  top-level function.
+
+- Added `Transaction.String()`, for debugging
+
+- Fixed serialization of set/map elements with timeouts
+
+- Added special treament for `"@"` to `Concat`
+
+- Changed `nftables.New()` to return an `error` (doing the work that
+  used to be done by `nft.Present()`.)
+
+- Add autodetection for "object comment" support, and have
+  serialization just ignore comments on `Table`/`Chain`/`Set`/`Map` if
+  nft or the kernel does not support them.
+
+- Renamed `Optional()` to `PtrTo()`
+
+## v0.0.9
+
+- Various tweaks to `Element`:
+
+    - Changed `Key` and `Value` from `string` to `[]string` to better
+      support concatenated types (and dropped the `Join()` and
+      `Split()` helper functions that were previously used to join and
+      split concatenated values).
+
+    - Split `Name` into separate `Set` and `Map` fields, which make it
+      clearer what is being named, and are more consistent with
+      `Rule.Chain`, and provide more redundancy for distinguishing set
+      elements from map elements.
+
+    - Fixed serialization of map elements with a comments.
+
+- Rewrote `ListElements` and `ListRules` to use `nft -j`, for easier /
+  more reliable parsing. But this meant that `ListRules` no longer
+  returns the actual text of the rule.
+
+## v0.0.8
+
+- Fixed `Fake.List` / `Fake.ListRules` / `Fake.ListElements` to return
+  errors that would be properly recognized by
+  `IsNotFound`/`IsAlreadyExists`.
+
+## v0.0.7
+
+- Implemented `tx.Create`, `tx.Insert`, `tx.Replace`
+
+- Replaced `tx.AddRule` with the `Concat` function
+
+## v0.0.6
+
+- Added `IsNotFound` and `IsAlreadyExists` error-checking functions
+
+## v0.0.5
+
+- Moved `Define` from `Transaction` to `Interface`
+
+## v0.0.3, v0.0.4
+
+- Improvements to `Fake` to handle `Rule` and `Element`
+  deletion/overwrite.
+
+- Added `ListRules` and `ListElements`
+
+- (The `v0.0.3` and `v0.0.4` tags are identical.)
+
+## v0.0.2
+
+- Made `Interface` be specific to a single family and table. (Before,
+  that was specified at the `Transaction` level.)
+
+## v0.0.1
+
+- Initial "release"

vendor/sigs.k8s.io/knftables/CONTRIBUTING.md

@@ -0,0 +1,28 @@
+# Contributing Guidelines
+
+Welcome to Kubernetes. We are excited about the prospect of you joining our [community](https://git.k8s.io/community)! The Kubernetes community abides by the CNCF [code of conduct](code-of-conduct.md). Here is an excerpt:
+
+_As contributors and maintainers of this project, and in the interest of fostering an open and welcoming community, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities._
+
+## Getting Started
+
+We have full documentation on how to get started contributing here:
+
+<!---
+If your repo has certain guidelines for contribution, put them here ahead of the general k8s resources
+-->
+
+- [Contributor License Agreement](https://git.k8s.io/community/CLA.md) - Kubernetes projects require that you sign a Contributor License Agreement (CLA) before we can accept your pull requests
+- [Kubernetes Contributor Guide](https://k8s.dev/guide) - Main contributor documentation, or you can just jump directly to the [contributing page](https://k8s.dev/docs/guide/contributing/)
+- [Contributor Cheat Sheet](https://k8s.dev/cheatsheet) - Common resources for existing developers
+
+## Mentorship
+
+- [Mentoring Initiatives](https://k8s.dev/community/mentoring) - We have a diverse set of mentorship programs available that are always looking for volunteers!
+
+## Contact Information
+
+knftables is maintained by [Kubernetes SIG Network](https://github.com/kubernetes/community/tree/master/sig-network).
+
+- [sig-network slack channel](https://kubernetes.slack.com/messages/sig-network)
+- [kubernetes-sig-network mailing list](https://groups.google.com/forum/#!forum/kubernetes-sig-network)

vendor/sigs.k8s.io/knftables/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

vendor/sigs.k8s.io/knftables/Makefile

@@ -0,0 +1,32 @@
+# Copyright 2023 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+all build:
+	echo "Usage:"
+	echo "make test   - run unit tests"
+	echo "make update - run gofmt, etc"
+	echo "make verify - run golangci, etc"
+
+clean:
+
+test:
+	./hack/test.sh
+
+update:
+	./hack/update.sh
+
+verify:
+	./hack/verify.sh
+
+.PHONY: all build clean test update verify

vendor/sigs.k8s.io/knftables/OWNERS

@@ -0,0 +1,7 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+reviewers:
+  - aojea
+  - danwinship
+approvers:
+  - danwinship

vendor/sigs.k8s.io/knftables/README.md

@@ -0,0 +1,279 @@
+# knftables: a golang nftables library
+
+This is a library for using nftables from Go.
+
+It is not intended to support arbitrary use cases, but instead
+specifically focuses on supporting Kubernetes components which are
+using nftables in the way that nftables is supposed to be used (as
+opposed to using nftables in a naively-translated-from-iptables way,
+or using nftables to do totally valid things that aren't the sorts of
+things Kubernetes components are likely to need to do; see the
+"[iptables porting](./docs/iptables-porting.md)" doc for more thoughts
+on porting old iptables-based components to nftables.)
+
+knftables is still under development and is not yet API stable. (See the
+section on "Possible future changes" below.)
+
+The library is implemented as a wrapper around the `nft` CLI, because
+the CLI API is the only well-documented interface to nftables.
+Although it would be possible to use netlink directly (and some other
+golang-based nftables libraries do this), that would result in an API
+that is quite different from all documented examples of nftables usage
+(e.g. the man pages and the [nftables wiki](http://wiki.nftables.org/))
+because there is no easy way to convert the "standard" representation
+of nftables rules into the netlink form.
+
+(Actually, it's not quite true that there's no other usable API: the
+`nft` CLI is just a thin wrapper around `libnftables`, and it would be
+possible for knftables to use cgo to invoke that library instead of
+using an external binary. However, this would be harder to build and
+ship, so I'm not bothering with that for now. But this could be done
+in the future without needing to change knftables's API.)
+
+knftables requires nft version 1.0.1 or later, because earlier
+versions would download and process the entire ruleset regardless of
+what you were doing, which, besides being pointlessly inefficient,
+means that in some cases, other people using new features in _their_
+tables could prevent you from modifying _your_ table. (In particular,
+a change in how some rules are generated starting in nft 1.0.3
+triggers a crash in nft 0.9.9 and earlier, _even if you aren't looking
+at the table containing that rule_.)
+
+## Usage
+
+Create an `Interface` object to manage operations on a single nftables
+table:
+
+```golang
+nft, err := knftables.New(knftables.IPv4Family, "my-table")
+if err != nil {
+        return fmt.Errorf("no nftables support: %v", err)
+}
+```
+
+(If you want to operate on multiple tables or multiple nftables
+families, you will need separate `Interface` objects for each. If you
+need to check whether the system supports an nftables feature as with
+`nft --check`, use `nft.Check()`, which works the same as `nft.Run()`
+below.)
+
+You can use the `List`, `ListRules`, and `ListElements` methods on the
+`Interface` to check if objects exist. `List` returns the names of
+`"chains"`, `"sets"`, or `"maps"` in the table, while `ListElements`
+returns `Element` objects and `ListRules` returns *partial* `Rule`
+objects.
+
+```golang
+chains, err := nft.List(ctx, "chains")
+if err != nil {
+        return fmt.Errorf("could not list chains: %v", err)
+}
+
+FIXME
+
+elements, err := nft.ListElements(ctx, "map", "mymap")
+if err != nil {
+        return fmt.Errorf("could not list map elements: %v", err)
+}
+
+FIXME
+```
+
+To make changes, create a `Transaction`, add the appropriate
+operations to the transaction, and then call `nft.Run` on it:
+
+```golang
+tx := nft.NewTransaction()
+
+tx.Add(&knftables.Chain{
+        Name:    "mychain",
+        Comment: knftables.PtrTo("this is my chain"),
+})
+tx.Flush(&knftables.Chain{
+        Name: "mychain",
+})
+
+var destIP net.IP
+var destPort uint16
+...
+tx.Add(&knftables.Rule{
+        Chain: "mychain",
+        Rule: knftables.Concat(
+                "ip daddr", destIP,
+                "ip protocol", "tcp",
+                "th port", destPort,
+                "jump", destChain,
+        )
+})
+
+err := nft.Run(context, tx)
+```
+
+If any operation in the transaction would fail, then `Run()` will
+return an error and the entire transaction will be ignored. You can
+use the `knftables.IsNotFound()` and `knftables.IsAlreadyExists()`
+methods to check for those well-known error types. In a large
+transaction, there is no supported way to determine exactly which
+operation failed.
+
+## `knftables.Transaction` operations
+
+`knftables.Transaction` operations correspond to the top-level commands
+in the `nft` binary. Currently-supported operations are:
+
+- `tx.Add()`: adds an object, which may already exist, as with `nft add`
+- `tx.Create()`: creates an object, which must not already exist, as with `nft create`
+- `tx.Flush()`: flushes the contents of a table/chain/set/map, as with `nft flush`
+- `tx.Delete()`: deletes an object, as with `nft delete`
+- `tx.Insert()`: inserts a rule before another rule, as with `nft insert rule`
+- `tx.Replace()`: replaces a rule, as with `nft replace rule`
+
+## Objects
+
+The `Transaction` methods take arguments of type `knftables.Object`.
+The currently-supported objects are:
+
+- `Table`
+- `Flowtable`
+- `Chain`
+- `Rule`
+- `Set`
+- `Map`
+- `Element`
+
+Optional fields in objects can be filled in with the help of the
+`PtrTo()` function, which just returns a pointer to its argument.
+
+`Concat()` can be used to concatenate a series of strings, `[]string`
+arrays, and other arguments (including numbers, `net.IP`s /
+`net.IPNet`s, and anything else that can be formatted usefully via
+`fmt.Sprintf("%s")`) together into a single string. This is often
+useful when constructing `Rule`s.
+
+## `knftables.Fake`
+
+There is a fake (in-memory) implementation of `knftables.Interface`
+for use in unit tests. Use `knftables.NewFake()` instead of
+`knftables.New()` to create it, and then it should work mostly the
+same. See `fake.go` for more details of the public APIs for examining
+the current state of the fake nftables database.
+
+## Missing APIs
+
+Various top-level object types are not yet supported (notably the
+"stateful objects" like `counter`).
+
+Most IPTables libraries have an API for "add this rule only if it
+doesn't already exist", but that does not seem as useful in nftables
+(or at least "in nftables as used by Kubernetes-ish components that
+aren't just blindly copying over old iptables APIs"), because chains
+tend to have static rules and dynamic sets/maps, rather than having
+dynamic rules. If you aren't sure if a chain has the correct rules,
+you can just `Flush` it and recreate all of the rules.
+
+The "destroy" (delete-without-ENOENT) command that exists in newer
+versions of `nft` is not currently supported because it would be
+unexpectedly heavyweight to emulate on systems that don't have it, so
+it is better (for now) to force callers to implement it by hand.
+
+`ListRules` returns `Rule` objects without the `Rule` field filled in,
+because it uses the JSON API to list the rules, but there is no easy
+way to convert the JSON rule representation back into plaintext form.
+This means that it is only useful when either (a) you know the order
+of the rules in the chain, but want to know their handles, or (b) you
+can recognize the rules you are looking for by their comments, rather
+than the rule bodies.
+
+## Possible future changes
+
+### `nft` output parsing
+
+`nft`'s output is documented and standardized, so it ought to be
+possible for us to extract better error messages in the event of a
+transaction failure.
+
+Additionally, if we used the `--echo` (`-e`) and `--handle` (`-a`)
+flags, we could learn the handles associated with newly-created
+objects in a transaction, and return these to the caller somehow.
+(E.g., by setting the `Handle` field in the object that had been
+passed to `tx.Add` when the transaction is run.)
+
+(For now, `ListRules` fills in the handles of the rules it returns, so
+it's possible to find out a rule's handle after the fact that way. For
+other supported object types, either handles don't exist (`Element`)
+or you don't really need to know their handles because it's possible
+to delete by name instead (`Table`, `Chain`, `Set`, `Map`).)
+
+### List APIs
+
+The fact that `List` works completely differently from `ListRules` and
+`ListElements` is a historical artifact.
+
+I would like to have a single function
+
+```golang
+List[T Object](ctx context.Context, template T) ([]T, error)
+```
+
+So you could say
+
+```golang
+elements, err := nft.List(ctx, &knftables.Element{Set: "myset"})
+```
+
+to list the elements of "myset". But this doesn't actually compile
+("`syntax error: method must have no type parameters`") because
+allowing that would apparently introduce extremely complicated edge
+cases in Go generics.
+
+### Set/map type representation
+
+There is currently an annoying asymmetry in the representation of
+concatenated types between `Set`/`Map` and `Element`, where the former
+uses a string containing `nft` syntax, and the latter uses an array:
+
+```golang
+tx.Add(&knftables.Set{
+        Name: "firewall",
+        Type: "ipv4_addr . inet_proto . inet_service",
+})
+tx.Add(&knftables.Element{
+        Set: "firewall",
+        Key: []string{"10.1.2.3", "tcp", "80"},
+})
+```
+
+This will probably be fixed at some point, which may result in a
+change to how the `type` vs `typeof` distinction is handled as well.
+
+### Optimization and rule representation
+
+We will need to optimize the performance of large transactions. One
+change that is likely is to avoid pre-concatenating rule elements in
+cases like:
+
+```golang
+tx.Add(&knftables.Rule{
+        Chain: "mychain",
+        Rule: knftables.Concat(
+                "ip daddr", destIP,
+                "ip protocol", "tcp",
+                "th port", destPort,
+                "jump", destChain,
+        )
+})
+```
+
+This will presumably require a change to `knftables.Rule` and/or
+`knftables.Concat()` but I'm not sure exactly what it will be.
+
+## Community, discussion, contribution, and support
+
+knftables is maintained by [Kubernetes SIG Network](https://github.com/kubernetes/community/tree/master/sig-network).
+
+- [sig-network slack channel](https://kubernetes.slack.com/messages/sig-network)
+- [kubernetes-sig-network mailing list](https://groups.google.com/forum/#!forum/kubernetes-sig-network)
+
+See [`CONTRIBUTING.md`](CONTRIBUTING.md) for more information about
+contributing. Participation in the Kubernetes community is governed by
+the [Kubernetes Code of Conduct](code-of-conduct.md).

vendor/sigs.k8s.io/knftables/SECURITY_CONTACTS

@@ -0,0 +1,13 @@
+# Defined below are the security contacts for this repo.
+#
+# They are the contact point for the Security Response Committee to reach out
+# to for triaging and handling of incoming issues.
+#
+# The below names agree to abide by the
+# [Embargo Policy](https://git.k8s.io/security/private-distributors-list.md#embargo-policy)
+# and will be removed and replaced if they violate that agreement.
+#
+# DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
+# INSTRUCTIONS AT https://kubernetes.io/security/
+
+danwinship

vendor/sigs.k8s.io/knftables/code-of-conduct.md

@@ -0,0 +1,3 @@
+# Kubernetes Community Code of Conduct
+
+Please refer to our [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md)

vendor/sigs.k8s.io/knftables/error.go

@@ -0,0 +1,94 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package knftables
+
+import (
+	"errors"
+	"fmt"
+	"os/exec"
+	"strings"
+	"syscall"
+)
+
+type nftablesError struct {
+	wrapped error
+	msg     string
+	errno   syscall.Errno
+}
+
+// wrapError wraps an error resulting from running nft
+func wrapError(err error) error {
+	nerr := &nftablesError{wrapped: err, msg: err.Error()}
+	ee := &exec.ExitError{}
+	if errors.As(err, &ee) {
+		if len(ee.Stderr) > 0 {
+			nerr.msg = string(ee.Stderr)
+			eol := strings.Index(nerr.msg, "\n")
+			// The nft binary does not call setlocale() and so will return
+			// English error strings regardless of the locale.
+			enoent := strings.Index(nerr.msg, "No such file or directory")
+			eexist := strings.Index(nerr.msg, "File exists")
+			if enoent != -1 && (enoent < eol || eol == -1) {
+				nerr.errno = syscall.ENOENT
+			} else if eexist != -1 && (eexist < eol || eol == -1) {
+				nerr.errno = syscall.EEXIST
+			}
+		}
+	}
+	return nerr
+}
+
+// notFoundError returns an nftablesError with the given message for which IsNotFound will
+// return true.
+func notFoundError(format string, args ...interface{}) error {
+	return &nftablesError{msg: fmt.Sprintf(format, args...), errno: syscall.ENOENT}
+}
+
+// existsError returns an nftablesError with the given message for which IsAlreadyExists
+// will return true.
+func existsError(format string, args ...interface{}) error {
+	return &nftablesError{msg: fmt.Sprintf(format, args...), errno: syscall.EEXIST}
+}
+
+func (nerr *nftablesError) Error() string {
+	return nerr.msg
+}
+
+func (nerr *nftablesError) Unwrap() error {
+	return nerr.wrapped
+}
+
+// IsNotFound tests if err corresponds to an nftables "not found" error of any sort.
+// (e.g., in response to a "delete rule" command, this might indicate that the rule
+// doesn't exist, or the chain doesn't exist, or the table doesn't exist.)
+func IsNotFound(err error) bool {
+	var nerr *nftablesError
+	if errors.As(err, &nerr) {
+		return nerr.errno == syscall.ENOENT
+	}
+	return false
+}
+
+// IsAlreadyExists tests if err corresponds to an nftables "already exists" error (e.g.
+// when doing a "create" rather than an "add").
+func IsAlreadyExists(err error) bool {
+	var nerr *nftablesError
+	if errors.As(err, &nerr) {
+		return nerr.errno == syscall.EEXIST
+	}
+	return false
+}

vendor/sigs.k8s.io/knftables/exec.go

@@ -0,0 +1,48 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package knftables
+
+import (
+	"os/exec"
+)
+
+// execer is a mockable wrapper around os/exec.
+type execer interface {
+	// LookPath wraps exec.LookPath
+	LookPath(file string) (string, error)
+
+	// Run runs cmd as with cmd.Output(). If an error occurs, and the process outputs
+	// stderr, then that output will be returned in the error.
+	Run(cmd *exec.Cmd) (string, error)
+}
+
+// realExec implements execer by actually using os/exec
+type realExec struct{}
+
+// LookPath is part of execer
+func (realExec) LookPath(file string) (string, error) {
+	return exec.LookPath(file)
+}
+
+// Run is part of execer
+func (realExec) Run(cmd *exec.Cmd) (string, error) {
+	out, err := cmd.Output()
+	if err != nil {
+		err = wrapError(err)
+	}
+	return string(out), err
+}

vendor/sigs.k8s.io/knftables/fake.go

@@ -0,0 +1,744 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package knftables
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+	"regexp"
+	"sort"
+	"strings"
+	"sync"
+)
+
+// Fake is a fake implementation of Interface
+type Fake struct {
+	nftContext
+	// mutex is used to protect Table and LastTransaction.
+	// When Table and LastTransaction are accessed directly, the caller must acquire Fake.RLock
+	// and release when finished.
+	sync.RWMutex
+
+	nextHandle int
+
+	// Table contains the Interface's table. This will be `nil` until you `tx.Add()`
+	// the table.
+	// Make sure to acquire Fake.RLock before accessing Table in a concurrent environment.
+	Table *FakeTable
+
+	// LastTransaction is the last transaction passed to Run(). It will remain set until the
+	// next time Run() is called. (It is not affected by Check().)
+	// Make sure to acquire Fake.RLock before accessing LastTransaction in a concurrent environment.
+	LastTransaction *Transaction
+}
+
+// FakeTable wraps Table for the Fake implementation
+type FakeTable struct {
+	Table
+
+	// Flowtables contains the table's flowtables, keyed by name
+	Flowtables map[string]*FakeFlowtable
+
+	// Chains contains the table's chains, keyed by name
+	Chains map[string]*FakeChain
+
+	// Sets contains the table's sets, keyed by name
+	Sets map[string]*FakeSet
+
+	// Maps contains the table's maps, keyed by name
+	Maps map[string]*FakeMap
+}
+
+// FakeFlowtable wraps Flowtable for the Fake implementation
+type FakeFlowtable struct {
+	Flowtable
+}
+
+// FakeChain wraps Chain for the Fake implementation
+type FakeChain struct {
+	Chain
+
+	// Rules contains the chain's rules, in order
+	Rules []*Rule
+}
+
+// FakeSet wraps Set for the Fake implementation
+type FakeSet struct {
+	Set
+
+	// Elements contains the set's elements. You can also use the FakeSet's
+	// FindElement() method to see if a particular element is present.
+	Elements []*Element
+}
+
+// FakeMap wraps Set for the Fake implementation
+type FakeMap struct {
+	Map
+
+	// Elements contains the map's elements. You can also use the FakeMap's
+	// FindElement() method to see if a particular element is present.
+	Elements []*Element
+}
+
+// NewFake creates a new fake Interface, for unit tests
+func NewFake(family Family, table string) *Fake {
+	return &Fake{
+		nftContext: nftContext{
+			family: family,
+			table:  table,
+		},
+	}
+}
+
+var _ Interface = &Fake{}
+
+// List is part of Interface.
+func (fake *Fake) List(_ context.Context, objectType string) ([]string, error) {
+	fake.RLock()
+	defer fake.RUnlock()
+	if fake.Table == nil {
+		return nil, notFoundError("no such table %q", fake.table)
+	}
+
+	var result []string
+
+	switch objectType {
+	case "flowtable", "flowtables":
+		for name := range fake.Table.Flowtables {
+			result = append(result, name)
+		}
+	case "chain", "chains":
+		for name := range fake.Table.Chains {
+			result = append(result, name)
+		}
+	case "set", "sets":
+		for name := range fake.Table.Sets {
+			result = append(result, name)
+		}
+	case "map", "maps":
+		for name := range fake.Table.Maps {
+			result = append(result, name)
+		}
+
+	default:
+		return nil, fmt.Errorf("unsupported object type %q", objectType)
+	}
+
+	return result, nil
+}
+
+// ListRules is part of Interface
+func (fake *Fake) ListRules(_ context.Context, chain string) ([]*Rule, error) {
+	fake.RLock()
+	defer fake.RUnlock()
+	if fake.Table == nil {
+		return nil, notFoundError("no such table %q", fake.table)
+	}
+
+	rules := []*Rule{}
+	if chain == "" {
+		// Include all rules across all chains.
+		for _, ch := range fake.Table.Chains {
+			rules = append(rules, ch.Rules...)
+		}
+	} else {
+		ch := fake.Table.Chains[chain]
+		if ch == nil {
+			return nil, notFoundError("no such chain %q", chain)
+		}
+		rules = append(rules, ch.Rules...)
+	}
+	return rules, nil
+}
+
+// ListElements is part of Interface
+func (fake *Fake) ListElements(_ context.Context, objectType, name string) ([]*Element, error) {
+	fake.RLock()
+	defer fake.RUnlock()
+	if fake.Table == nil {
+		return nil, notFoundError("no such %s %q", objectType, name)
+	}
+	if objectType == "set" {
+		s := fake.Table.Sets[name]
+		if s != nil {
+			return s.Elements, nil
+		}
+	} else if objectType == "map" {
+		m := fake.Table.Maps[name]
+		if m != nil {
+			return m.Elements, nil
+		}
+	}
+	return nil, notFoundError("no such %s %q", objectType, name)
+}
+
+// NewTransaction is part of Interface
+func (fake *Fake) NewTransaction() *Transaction {
+	return &Transaction{nftContext: &fake.nftContext}
+}
+
+// Run is part of Interface
+func (fake *Fake) Run(_ context.Context, tx *Transaction) error {
+	fake.Lock()
+	defer fake.Unlock()
+	fake.LastTransaction = tx
+	updatedTable, err := fake.run(tx)
+	if err == nil {
+		fake.Table = updatedTable
+	}
+	return err
+}
+
+// Check is part of Interface
+func (fake *Fake) Check(_ context.Context, tx *Transaction) error {
+	fake.RLock()
+	defer fake.RUnlock()
+	_, err := fake.run(tx)
+	return err
+}
+
+// must be called with fake.lock held
+func (fake *Fake) run(tx *Transaction) (*FakeTable, error) {
+	if tx.err != nil {
+		return nil, tx.err
+	}
+
+	updatedTable := fake.Table.copy()
+	for _, op := range tx.operations {
+		// If the table hasn't been created, and this isn't a Table operation, then fail
+		if updatedTable == nil {
+			if _, ok := op.obj.(*Table); !ok {
+				return nil, notFoundError("no such table \"%s %s\"", fake.family, fake.table)
+			}
+		}
+
+		if op.verb == addVerb || op.verb == createVerb || op.verb == insertVerb {
+			fake.nextHandle++
+		}
+
+		switch obj := op.obj.(type) {
+		case *Table:
+			err := checkExists(op.verb, "table", fake.table, updatedTable != nil)
+			if err != nil {
+				return nil, err
+			}
+			switch op.verb {
+			case flushVerb:
+				updatedTable = nil
+				fallthrough
+			case addVerb, createVerb:
+				if updatedTable != nil {
+					continue
+				}
+				table := *obj
+				table.Handle = PtrTo(fake.nextHandle)
+				updatedTable = &FakeTable{
+					Table:      table,
+					Flowtables: make(map[string]*FakeFlowtable),
+					Chains:     make(map[string]*FakeChain),
+					Sets:       make(map[string]*FakeSet),
+					Maps:       make(map[string]*FakeMap),
+				}
+			case deleteVerb:
+				updatedTable = nil
+			default:
+				return nil, fmt.Errorf("unhandled operation %q", op.verb)
+			}
+
+		case *Flowtable:
+			existingFlowtable := updatedTable.Flowtables[obj.Name]
+			err := checkExists(op.verb, "flowtable", obj.Name, existingFlowtable != nil)
+			if err != nil {
+				return nil, err
+			}
+			switch op.verb {
+			case addVerb, createVerb:
+				if existingFlowtable != nil {
+					continue
+				}
+				flowtable := *obj
+				flowtable.Handle = PtrTo(fake.nextHandle)
+				updatedTable.Flowtables[obj.Name] = &FakeFlowtable{
+					Flowtable: flowtable,
+				}
+			case deleteVerb:
+				// FIXME delete-by-handle
+				delete(updatedTable.Flowtables, obj.Name)
+			default:
+				return nil, fmt.Errorf("unhandled operation %q", op.verb)
+			}
+
+		case *Chain:
+			existingChain := updatedTable.Chains[obj.Name]
+			err := checkExists(op.verb, "chain", obj.Name, existingChain != nil)
+			if err != nil {
+				return nil, err
+			}
+			switch op.verb {
+			case addVerb, createVerb:
+				if existingChain != nil {
+					continue
+				}
+				chain := *obj
+				chain.Handle = PtrTo(fake.nextHandle)
+				updatedTable.Chains[obj.Name] = &FakeChain{
+					Chain: chain,
+				}
+			case flushVerb:
+				existingChain.Rules = nil
+			case deleteVerb:
+				// FIXME delete-by-handle
+				delete(updatedTable.Chains, obj.Name)
+			default:
+				return nil, fmt.Errorf("unhandled operation %q", op.verb)
+			}
+
+		case *Rule:
+			existingChain := updatedTable.Chains[obj.Chain]
+			if existingChain == nil {
+				return nil, notFoundError("no such chain %q", obj.Chain)
+			}
+			if op.verb == deleteVerb {
+				i := findRule(existingChain.Rules, *obj.Handle)
+				if i == -1 {
+					return nil, notFoundError("no rule with handle %d", *obj.Handle)
+				}
+				existingChain.Rules = append(existingChain.Rules[:i], existingChain.Rules[i+1:]...)
+				continue
+			}
+
+			rule := *obj
+			refRule := -1
+			if rule.Handle != nil {
+				refRule = findRule(existingChain.Rules, *obj.Handle)
+				if refRule == -1 {
+					return nil, notFoundError("no rule with handle %d", *obj.Handle)
+				}
+			} else if obj.Index != nil {
+				if *obj.Index >= len(existingChain.Rules) {
+					return nil, notFoundError("no rule with index %d", *obj.Index)
+				}
+				refRule = *obj.Index
+			}
+
+			if err := checkRuleRefs(obj, updatedTable); err != nil {
+				return nil, err
+			}
+
+			switch op.verb {
+			case addVerb:
+				if refRule == -1 {
+					existingChain.Rules = append(existingChain.Rules, &rule)
+				} else {
+					existingChain.Rules = append(existingChain.Rules[:refRule+1], append([]*Rule{&rule}, existingChain.Rules[refRule+1:]...)...)
+				}
+				rule.Handle = PtrTo(fake.nextHandle)
+			case insertVerb:
+				if refRule == -1 {
+					existingChain.Rules = append([]*Rule{&rule}, existingChain.Rules...)
+				} else {
+					existingChain.Rules = append(existingChain.Rules[:refRule], append([]*Rule{&rule}, existingChain.Rules[refRule:]...)...)
+				}
+				rule.Handle = PtrTo(fake.nextHandle)
+			case replaceVerb:
+				existingChain.Rules[refRule] = &rule
+			default:
+				return nil, fmt.Errorf("unhandled operation %q", op.verb)
+			}
+
+		case *Set:
+			existingSet := updatedTable.Sets[obj.Name]
+			err := checkExists(op.verb, "set", obj.Name, existingSet != nil)
+			if err != nil {
+				return nil, err
+			}
+			switch op.verb {
+			case addVerb, createVerb:
+				if existingSet != nil {
+					continue
+				}
+				set := *obj
+				set.Handle = PtrTo(fake.nextHandle)
+				updatedTable.Sets[obj.Name] = &FakeSet{
+					Set: set,
+				}
+			case flushVerb:
+				existingSet.Elements = nil
+			case deleteVerb:
+				// FIXME delete-by-handle
+				delete(updatedTable.Sets, obj.Name)
+			default:
+				return nil, fmt.Errorf("unhandled operation %q", op.verb)
+			}
+		case *Map:
+			existingMap := updatedTable.Maps[obj.Name]
+			err := checkExists(op.verb, "map", obj.Name, existingMap != nil)
+			if err != nil {
+				return nil, err
+			}
+			switch op.verb {
+			case addVerb:
+				if existingMap != nil {
+					continue
+				}
+				mapObj := *obj
+				mapObj.Handle = PtrTo(fake.nextHandle)
+				updatedTable.Maps[obj.Name] = &FakeMap{
+					Map: mapObj,
+				}
+			case flushVerb:
+				existingMap.Elements = nil
+			case deleteVerb:
+				// FIXME delete-by-handle
+				delete(updatedTable.Maps, obj.Name)
+			default:
+				return nil, fmt.Errorf("unhandled operation %q", op.verb)
+			}
+		case *Element:
+			if obj.Set != "" {
+				existingSet := updatedTable.Sets[obj.Set]
+				if existingSet == nil {
+					return nil, notFoundError("no such set %q", obj.Set)
+				}
+				switch op.verb {
+				case addVerb, createVerb:
+					element := *obj
+					if i := findElement(existingSet.Elements, element.Key); i != -1 {
+						if op.verb == createVerb {
+							return nil, existsError("element %q already exists", strings.Join(element.Key, " . "))
+						}
+						existingSet.Elements[i] = &element
+					} else {
+						existingSet.Elements = append(existingSet.Elements, &element)
+					}
+				case deleteVerb:
+					element := *obj
+					if i := findElement(existingSet.Elements, element.Key); i != -1 {
+						existingSet.Elements = append(existingSet.Elements[:i], existingSet.Elements[i+1:]...)
+					} else {
+						return nil, notFoundError("no such element %q", strings.Join(element.Key, " . "))
+					}
+				default:
+					return nil, fmt.Errorf("unhandled operation %q", op.verb)
+				}
+			} else {
+				existingMap := updatedTable.Maps[obj.Map]
+				if existingMap == nil {
+					return nil, notFoundError("no such map %q", obj.Map)
+				}
+				if err := checkElementRefs(obj, updatedTable); err != nil {
+					return nil, err
+				}
+				switch op.verb {
+				case addVerb, createVerb:
+					element := *obj
+					if i := findElement(existingMap.Elements, element.Key); i != -1 {
+						if op.verb == createVerb {
+							return nil, existsError("element %q already exists", strings.Join(element.Key, ". "))
+						}
+						existingMap.Elements[i] = &element
+					} else {
+						existingMap.Elements = append(existingMap.Elements, &element)
+					}
+				case deleteVerb:
+					element := *obj
+					if i := findElement(existingMap.Elements, element.Key); i != -1 {
+						existingMap.Elements = append(existingMap.Elements[:i], existingMap.Elements[i+1:]...)
+					} else {
+						return nil, notFoundError("no such element %q", strings.Join(element.Key, " . "))
+					}
+				default:
+					return nil, fmt.Errorf("unhandled operation %q", op.verb)
+				}
+			}
+		default:
+			return nil, fmt.Errorf("unhandled object type %T", op.obj)
+		}
+	}
+
+	return updatedTable, nil
+}
+
+func checkExists(verb verb, objectType, name string, exists bool) error {
+	switch verb {
+	case addVerb:
+		// It's fine if the object either exists or doesn't
+		return nil
+	case createVerb:
+		if exists {
+			return existsError("%s %q already exists", objectType, name)
+		}
+	default:
+		if !exists {
+			return notFoundError("no such %s %q", objectType, name)
+		}
+	}
+	return nil
+}
+
+// checkRuleRefs checks for chains, sets, and maps referenced by rule in table
+func checkRuleRefs(rule *Rule, table *FakeTable) error {
+	words := strings.Split(rule.Rule, " ")
+	for i, word := range words {
+		if strings.HasPrefix(word, "@") {
+			name := word[1:]
+			if i > 0 && (words[i-1] == "map" || words[i-1] == "vmap") {
+				if table.Maps[name] == nil {
+					return notFoundError("no such map %q", name)
+				}
+			} else if i > 0 && words[i-1] == "offload" {
+				if table.Flowtables[name] == nil {
+					return notFoundError("no such flowtable %q", name)
+				}
+			} else {
+				// recent nft lets you use a map in a set lookup
+				if table.Sets[name] == nil && table.Maps[name] == nil {
+					return notFoundError("no such set %q", name)
+				}
+			}
+		} else if (word == "goto" || word == "jump") && i < len(words)-1 {
+			name := words[i+1]
+			if table.Chains[name] == nil {
+				return notFoundError("no such chain %q", name)
+			}
+		}
+	}
+	return nil
+}
+
+// checkElementRefs checks for chains referenced by an element
+func checkElementRefs(element *Element, table *FakeTable) error {
+	if len(element.Value) != 1 {
+		return nil
+	}
+	words := strings.Split(element.Value[0], " ")
+	if len(words) == 2 && (words[0] == "goto" || words[0] == "jump") {
+		name := words[1]
+		if table.Chains[name] == nil {
+			return notFoundError("no such chain %q", name)
+		}
+	}
+	return nil
+}
+
+// Dump dumps the current contents of fake, in a way that looks like an nft transaction.
+func (fake *Fake) Dump() string {
+	fake.RLock()
+	defer fake.RUnlock()
+	if fake.Table == nil {
+		return ""
+	}
+
+	buf := &strings.Builder{}
+
+	table := fake.Table
+	flowtables := sortKeys(table.Flowtables)
+	chains := sortKeys(table.Chains)
+	sets := sortKeys(table.Sets)
+	maps := sortKeys(table.Maps)
+
+	// Write out all of the object adds first.
+
+	table.writeOperation(addVerb, &fake.nftContext, buf)
+	for _, fname := range flowtables {
+		ft := table.Flowtables[fname]
+		ft.writeOperation(addVerb, &fake.nftContext, buf)
+	}
+	for _, cname := range chains {
+		ch := table.Chains[cname]
+		ch.writeOperation(addVerb, &fake.nftContext, buf)
+	}
+	for _, sname := range sets {
+		s := table.Sets[sname]
+		s.writeOperation(addVerb, &fake.nftContext, buf)
+	}
+	for _, mname := range maps {
+		m := table.Maps[mname]
+		m.writeOperation(addVerb, &fake.nftContext, buf)
+	}
+
+	// Now write their contents.
+
+	for _, cname := range chains {
+		ch := table.Chains[cname]
+		for _, rule := range ch.Rules {
+			// Avoid outputing handles
+			dumpRule := *rule
+			dumpRule.Handle = nil
+			dumpRule.Index = nil
+			dumpRule.writeOperation(addVerb, &fake.nftContext, buf)
+		}
+	}
+	for _, sname := range sets {
+		s := table.Sets[sname]
+		for _, element := range s.Elements {
+			element.writeOperation(addVerb, &fake.nftContext, buf)
+		}
+	}
+	for _, mname := range maps {
+		m := table.Maps[mname]
+		for _, element := range m.Elements {
+			element.writeOperation(addVerb, &fake.nftContext, buf)
+		}
+	}
+
+	return buf.String()
+}
+
+// ParseDump can parse a dump for a given nft instance.
+// It expects fake's table name and family in all rules.
+// The best way to verify that everything important was properly parsed is to
+// compare given data with nft.Dump() output.
+func (fake *Fake) ParseDump(data string) (err error) {
+	lines := strings.Split(data, "\n")
+	var i int
+	var line string
+	parsingDone := false
+	defer func() {
+		if err != nil && !parsingDone {
+			err = fmt.Errorf("%w (at line %v: %s", err, i+1, line)
+		}
+	}()
+	tx := fake.NewTransaction()
+	commonRegexp := regexp.MustCompile(fmt.Sprintf(`add ([^ ]*) %s %s( (.*))?`, fake.family, fake.table))
+
+	for i, line = range lines {
+		line = strings.TrimSpace(line)
+		if line == "" || line[0] == '#' {
+			continue
+		}
+		match := commonRegexp.FindStringSubmatch(line)
+		if match == nil {
+			return fmt.Errorf("could not parse, or wrong table/family")
+		}
+		var obj Object
+		switch match[1] {
+		case "table":
+			obj = &Table{}
+		case "flowtable":
+			obj = &Flowtable{}
+		case "chain":
+			obj = &Chain{}
+		case "rule":
+			obj = &Rule{}
+		case "map":
+			obj = &Map{}
+		case "set":
+			obj = &Set{}
+		case "element":
+			obj = &Element{}
+		default:
+			return fmt.Errorf("unknown object %s", match[1])
+		}
+		err = obj.parse(match[3])
+		if err != nil {
+			return err
+		}
+		tx.Add(obj)
+	}
+	parsingDone = true
+	return fake.Run(context.Background(), tx)
+}
+
+func sortKeys[K ~string, V any](m map[K]V) []K {
+	keys := make([]K, 0, len(m))
+	for key := range m {
+		keys = append(keys, key)
+	}
+	sort.Slice(keys, func(i, j int) bool { return keys[i] < keys[j] })
+	return keys
+}
+
+func findRule(rules []*Rule, handle int) int {
+	for i := range rules {
+		if rules[i].Handle != nil && *rules[i].Handle == handle {
+			return i
+		}
+	}
+	return -1
+}
+
+func findElement(elements []*Element, key []string) int {
+	for i := range elements {
+		if reflect.DeepEqual(elements[i].Key, key) {
+			return i
+		}
+	}
+	return -1
+}
+
+// copy creates a copy of table with new arrays/maps so we can perform a transaction
+// on it without changing the original table.
+func (table *FakeTable) copy() *FakeTable {
+	if table == nil {
+		return nil
+	}
+
+	tcopy := &FakeTable{
+		Table:      table.Table,
+		Flowtables: make(map[string]*FakeFlowtable),
+		Chains:     make(map[string]*FakeChain),
+		Sets:       make(map[string]*FakeSet),
+		Maps:       make(map[string]*FakeMap),
+	}
+	for name, flowtable := range table.Flowtables {
+		tcopy.Flowtables[name] = &FakeFlowtable{
+			Flowtable: flowtable.Flowtable,
+		}
+	}
+	for name, chain := range table.Chains {
+		tcopy.Chains[name] = &FakeChain{
+			Chain: chain.Chain,
+			Rules: append([]*Rule{}, chain.Rules...),
+		}
+	}
+	for name, set := range table.Sets {
+		tcopy.Sets[name] = &FakeSet{
+			Set:      set.Set,
+			Elements: append([]*Element{}, set.Elements...),
+		}
+	}
+	for name, mapObj := range table.Maps {
+		tcopy.Maps[name] = &FakeMap{
+			Map:      mapObj.Map,
+			Elements: append([]*Element{}, mapObj.Elements...),
+		}
+	}
+
+	return tcopy
+}
+
+// FindElement finds an element of the set with the given key. If there is no matching
+// element, it returns nil.
+func (s *FakeSet) FindElement(key ...string) *Element {
+	index := findElement(s.Elements, key)
+	if index == -1 {
+		return nil
+	}
+	return s.Elements[index]
+}
+
+// FindElement finds an element of the map with the given key. If there is no matching
+// element, it returns nil.
+func (m *FakeMap) FindElement(key ...string) *Element {
+	index := findElement(m.Elements, key)
+	if index == -1 {
+		return nil
+	}
+	return m.Elements[index]
+}

vendor/sigs.k8s.io/knftables/nftables.go

@@ -0,0 +1,514 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package knftables
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"os/exec"
+	"strings"
+	"sync"
+)
+
+// Interface is an interface for running nftables commands against a given family and table.
+type Interface interface {
+	// NewTransaction returns a new (empty) Transaction
+	NewTransaction() *Transaction
+
+	// Run runs a Transaction and returns the result. The IsNotFound and
+	// IsAlreadyExists methods can be used to test the result.
+	Run(ctx context.Context, tx *Transaction) error
+
+	// Check does a dry-run of a Transaction (as with `nft --check`) and returns the
+	// result. The IsNotFound and IsAlreadyExists methods can be used to test the
+	// result.
+	Check(ctx context.Context, tx *Transaction) error
+
+	// List returns a list of the names of the objects of objectType ("chain", "set",
+	// or "map") in the table. If there are no such objects, this will return an empty
+	// list and no error.
+	List(ctx context.Context, objectType string) ([]string, error)
+
+	// ListRules returns a list of the rules in a chain, in order. If no chain name is
+	// specified, then all rules within the table will be returned. Note that at the
+	// present time, the Rule objects will have their `Comment` and `Handle` fields
+	// filled in, but *not* the actual `Rule` field. So this can only be used to find
+	// the handles of rules if they have unique comments to recognize them by, or if
+	// you know the order of the rules within the chain. If the chain exists but
+	// contains no rules, this will return an empty list and no error.
+	ListRules(ctx context.Context, chain string) ([]*Rule, error)
+
+	// ListElements returns a list of the elements in a set or map. (objectType should
+	// be "set" or "map".) If the set/map exists but contains no elements, this will
+	// return an empty list and no error.
+	ListElements(ctx context.Context, objectType, name string) ([]*Element, error)
+}
+
+type nftContext struct {
+	family Family
+	table  string
+
+	// noObjectComments is true if comments on Table/Chain/Set/Map are not supported.
+	// (Comments on Rule and Element are always supported.)
+	noObjectComments bool
+}
+
+// realNFTables is an implementation of Interface
+type realNFTables struct {
+	nftContext
+
+	bufferMutex sync.Mutex
+	buffer      *bytes.Buffer
+
+	exec execer
+	path string
+}
+
+// newInternal creates a new nftables.Interface for interacting with the given table; this
+// is split out from New() so it can be used from unit tests with a fakeExec.
+func newInternal(family Family, table string, execer execer) (Interface, error) {
+	var err error
+
+	nft := &realNFTables{
+		nftContext: nftContext{
+			family: family,
+			table:  table,
+		},
+		buffer: &bytes.Buffer{},
+		exec:   execer,
+	}
+
+	nft.path, err = nft.exec.LookPath("nft")
+	if err != nil {
+		return nil, fmt.Errorf("could not find nftables binary: %w", err)
+	}
+
+	cmd := exec.Command(nft.path, "--version")
+	out, err := nft.exec.Run(cmd)
+	if err != nil {
+		return nil, fmt.Errorf("could not run nftables command: %w", err)
+	}
+	if strings.HasPrefix(out, "nftables v0.") || strings.HasPrefix(out, "nftables v1.0.0 ") {
+		return nil, fmt.Errorf("nft version must be v1.0.1 or later (got %s)", strings.TrimSpace(out))
+	}
+
+	// Check that (a) nft works, (b) we have permission, (c) the kernel is new enough
+	// to support object comments.
+	tx := nft.NewTransaction()
+	tx.Add(&Table{
+		Comment: PtrTo("test"),
+	})
+	if err := nft.Check(context.TODO(), tx); err != nil {
+		// Try again, checking just that (a) nft works, (b) we have permission.
+		tx := nft.NewTransaction()
+		tx.Add(&Table{})
+		if err := nft.Check(context.TODO(), tx); err != nil {
+			return nil, fmt.Errorf("could not run nftables command: %w", err)
+		}
+
+		nft.noObjectComments = true
+	}
+
+	return nft, nil
+}
+
+// New creates a new nftables.Interface for interacting with the given table. If nftables
+// is not available/usable on the current host, it will return an error.
+func New(family Family, table string) (Interface, error) {
+	return newInternal(family, table, realExec{})
+}
+
+// NewTransaction is part of Interface
+func (nft *realNFTables) NewTransaction() *Transaction {
+	return &Transaction{nftContext: &nft.nftContext}
+}
+
+// Run is part of Interface
+func (nft *realNFTables) Run(ctx context.Context, tx *Transaction) error {
+	nft.bufferMutex.Lock()
+	defer nft.bufferMutex.Unlock()
+
+	if tx.err != nil {
+		return tx.err
+	}
+
+	nft.buffer.Reset()
+	err := tx.populateCommandBuf(nft.buffer)
+	if err != nil {
+		return err
+	}
+
+	cmd := exec.CommandContext(ctx, nft.path, "-f", "-")
+	cmd.Stdin = nft.buffer
+	_, err = nft.exec.Run(cmd)
+	return err
+}
+
+// Check is part of Interface
+func (nft *realNFTables) Check(ctx context.Context, tx *Transaction) error {
+	nft.bufferMutex.Lock()
+	defer nft.bufferMutex.Unlock()
+
+	if tx.err != nil {
+		return tx.err
+	}
+
+	nft.buffer.Reset()
+	err := tx.populateCommandBuf(nft.buffer)
+	if err != nil {
+		return err
+	}
+
+	cmd := exec.CommandContext(ctx, nft.path, "--check", "-f", "-")
+	cmd.Stdin = nft.buffer
+	_, err = nft.exec.Run(cmd)
+	return err
+}
+
+// jsonVal looks up key in json; if it exists and is of type T, it returns (json[key], true).
+// Otherwise it returns (_, false).
+func jsonVal[T any](json map[string]interface{}, key string) (T, bool) {
+	if ifVal, exists := json[key]; exists {
+		tVal, ok := ifVal.(T)
+		return tVal, ok
+	}
+	var zero T
+	return zero, false
+}
+
+// getJSONObjects takes the output of "nft -j list", validates it, and returns an array
+// of just the objects of objectType.
+func getJSONObjects(listOutput, objectType string) ([]map[string]interface{}, error) {
+	// listOutput should contain JSON looking like:
+	//
+	// {
+	//   "nftables": [
+	//     {
+	//       "metainfo": {
+	//         "json_schema_version": 1,
+	//         ...
+	//       }
+	//     },
+	//     {
+	//       "chain": {
+	//         "family": "ip",
+	//         "table": "kube-proxy",
+	//         "name": "KUBE-SERVICES",
+	//         "handle": 3
+	//       }
+	//     },
+	//     {
+	//       "chain": {
+	//         "family": "ip",
+	//         "table": "kube-proxy",
+	//         "name": "KUBE-NODEPORTS",
+	//         "handle": 4
+	//       }
+	//     },
+	//     ...
+	//   ]
+	// }
+	//
+	// In this case, given objectType "chain", we would return
+	//
+	// [
+	//   {
+	//     "family": "ip",
+	//     "table": "kube-proxy",
+	//     "name": "KUBE-SERVICES",
+	//     "handle": 3
+	//   },
+	//   {
+	//     "family": "ip",
+	//     "table": "kube-proxy",
+	//     "name": "KUBE-NODEPORTS",
+	//     "handle": 4
+	//   },
+	//   ...
+	// ]
+
+	jsonResult := map[string][]map[string]map[string]interface{}{}
+	if err := json.Unmarshal([]byte(listOutput), &jsonResult); err != nil {
+		return nil, fmt.Errorf("could not parse nft output: %w", err)
+	}
+
+	nftablesResult := jsonResult["nftables"]
+	if len(nftablesResult) == 0 {
+		return nil, fmt.Errorf("could not find result in nft output %q", listOutput)
+	}
+	metainfo := nftablesResult[0]["metainfo"]
+	if metainfo == nil {
+		return nil, fmt.Errorf("could not find metadata in nft output %q", listOutput)
+	}
+	// json_schema_version is an integer but `json.Unmarshal()` will have parsed it as
+	// a float64 since we didn't tell it otherwise.
+	if version, ok := jsonVal[float64](metainfo, "json_schema_version"); !ok || version != 1.0 {
+		return nil, fmt.Errorf("could not find supported json_schema_version in nft output %q", listOutput)
+	}
+
+	var objects []map[string]interface{}
+	for _, objContainer := range nftablesResult {
+		obj := objContainer[objectType]
+		if obj != nil {
+			objects = append(objects, obj)
+		}
+	}
+	return objects, nil
+}
+
+// List is part of Interface.
+func (nft *realNFTables) List(ctx context.Context, objectType string) ([]string, error) {
+	// All currently-existing nftables object types have plural forms that are just
+	// the singular form plus 's'.
+	var typeSingular, typePlural string
+	if objectType[len(objectType)-1] == 's' {
+		typeSingular = objectType[:len(objectType)-1]
+		typePlural = objectType
+	} else {
+		typeSingular = objectType
+		typePlural = objectType + "s"
+	}
+
+	cmd := exec.CommandContext(ctx, nft.path, "--json", "list", typePlural, string(nft.family))
+	out, err := nft.exec.Run(cmd)
+	if err != nil {
+		return nil, fmt.Errorf("failed to run nft: %w", err)
+	}
+
+	objects, err := getJSONObjects(out, typeSingular)
+	if err != nil {
+		return nil, err
+	}
+
+	var result []string
+	for _, obj := range objects {
+		objTable, _ := jsonVal[string](obj, "table")
+		if objTable != nft.table {
+			continue
+		}
+
+		if name, ok := jsonVal[string](obj, "name"); ok {
+			result = append(result, name)
+		}
+	}
+	return result, nil
+}
+
+// ListRules is part of Interface
+func (nft *realNFTables) ListRules(ctx context.Context, chain string) ([]*Rule, error) {
+	// If no chain is given, return all rules from within the table.
+	var cmd *exec.Cmd
+	if chain == "" {
+		cmd = exec.CommandContext(ctx, nft.path, "--json", "list", "table", string(nft.family), nft.table)
+	} else {
+		cmd = exec.CommandContext(ctx, nft.path, "--json", "list", "chain", string(nft.family), nft.table, chain)
+	}
+	out, err := nft.exec.Run(cmd)
+	if err != nil {
+		return nil, fmt.Errorf("failed to run nft: %w", err)
+	}
+
+	jsonRules, err := getJSONObjects(out, "rule")
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse JSON output: %w", err)
+	}
+
+	rules := make([]*Rule, 0, len(jsonRules))
+	for _, jsonRule := range jsonRules {
+		parentChain, ok := jsonVal[string](jsonRule, "chain")
+		if !ok {
+			return nil, fmt.Errorf("unexpected JSON output from nft (rule with no chain)")
+		}
+		rule := &Rule{
+			Chain: parentChain,
+		}
+
+		// handle is written as an integer in nft's output, but json.Unmarshal
+		// will have parsed it as a float64. (Handles are uint64s, but they are
+		// assigned consecutively starting from 1, so as long as fewer than 2**53
+		// nftables objects have been created since boot time, we won't run into
+		// float64-vs-uint64 precision issues.)
+		if handle, ok := jsonVal[float64](jsonRule, "handle"); ok {
+			rule.Handle = PtrTo(int(handle))
+		}
+		if comment, ok := jsonVal[string](jsonRule, "comment"); ok {
+			rule.Comment = &comment
+		}
+
+		rules = append(rules, rule)
+	}
+	return rules, nil
+}
+
+// ListElements is part of Interface
+func (nft *realNFTables) ListElements(ctx context.Context, objectType, name string) ([]*Element, error) {
+	cmd := exec.CommandContext(ctx, nft.path, "--json", "list", objectType, string(nft.family), nft.table, name)
+	out, err := nft.exec.Run(cmd)
+	if err != nil {
+		return nil, fmt.Errorf("failed to run nft: %w", err)
+	}
+
+	jsonSetsOrMaps, err := getJSONObjects(out, objectType)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse JSON output: %w", err)
+	}
+	if len(jsonSetsOrMaps) != 1 {
+		return nil, fmt.Errorf("unexpected JSON output from nft (multiple results)")
+	}
+
+	jsonElements, _ := jsonVal[[]interface{}](jsonSetsOrMaps[0], "elem")
+	elements := make([]*Element, 0, len(jsonElements))
+	for _, jsonElement := range jsonElements {
+		var key, value interface{}
+
+		elem := &Element{}
+		if objectType == "set" {
+			elem.Set = name
+			key = jsonElement
+		} else {
+			elem.Map = name
+			tuple, ok := jsonElement.([]interface{})
+			if !ok || len(tuple) != 2 {
+				return nil, fmt.Errorf("unexpected JSON output from nft (elem is not [key,val]: %q)", jsonElement)
+			}
+			key, value = tuple[0], tuple[1]
+		}
+
+		// If the element has a comment, then key will be a compound object like:
+		//
+		//   {
+		//     "elem": {
+		//       "val": "192.168.0.1",
+		//       "comment": "this is a comment"
+		//     }
+		//   }
+		//
+		// (Where "val" contains the value that key would have held if there was no
+		// comment.)
+		if obj, ok := key.(map[string]interface{}); ok {
+			if compoundElem, ok := jsonVal[map[string]interface{}](obj, "elem"); ok {
+				if key, ok = jsonVal[interface{}](compoundElem, "val"); !ok {
+					return nil, fmt.Errorf("unexpected JSON output from nft (elem with no val: %q)", jsonElement)
+				}
+				if comment, ok := jsonVal[string](compoundElem, "comment"); ok {
+					elem.Comment = &comment
+				}
+			}
+		}
+
+		elem.Key, err = parseElementValue(key)
+		if err != nil {
+			return nil, err
+		}
+		if value != nil {
+			elem.Value, err = parseElementValue(value)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		elements = append(elements, elem)
+	}
+	return elements, nil
+}
+
+// parseElementValue parses a JSON element key/value, handling concatenations, prefixes, and
+// converting numeric or "verdict" values to strings.
+func parseElementValue(json interface{}) ([]string, error) {
+	// json can be:
+	//
+	//   - a single string, e.g. "192.168.1.3"
+	//
+	//   - a single number, e.g. 80
+	//
+	//   - a prefix, expressed as an object:
+	//     {
+	//       "prefix": {
+	//         "addr": "192.168.0.0",
+	//         "len": 16,
+	//       }
+	//     }
+	//
+	//   - a concatenation, expressed as an object containing an array of simple
+	//     values:
+	//        {
+	//          "concat": [
+	//            "192.168.1.3",
+	//            "tcp",
+	//            80
+	//          ]
+	//        }
+	//
+	//   - a verdict (for a vmap value), expressed as an object:
+	//        {
+	//          "drop": null
+	//        }
+	//
+	//        {
+	//          "goto": {
+	//            "target": "destchain"
+	//          }
+	//        }
+
+	switch val := json.(type) {
+	case string:
+		return []string{val}, nil
+	case float64:
+		return []string{fmt.Sprintf("%d", int(val))}, nil
+	case map[string]interface{}:
+		if concat, _ := jsonVal[[]interface{}](val, "concat"); concat != nil {
+			vals := make([]string, len(concat))
+			for i := range concat {
+				if str, ok := concat[i].(string); ok {
+					vals[i] = str
+				} else if num, ok := concat[i].(float64); ok {
+					vals[i] = fmt.Sprintf("%d", int(num))
+				} else {
+					return nil, fmt.Errorf("could not parse element value %q", concat[i])
+				}
+			}
+			return vals, nil
+		} else if prefix, _ := jsonVal[map[string]interface{}](val, "prefix"); prefix != nil {
+			// For prefix-type elements, return the element in CIDR representation.
+			addr, ok := jsonVal[string](prefix, "addr")
+			if !ok {
+				return nil, fmt.Errorf("could not parse 'addr' value as string: %q", prefix)
+			}
+			length, ok := jsonVal[float64](prefix, "len")
+			if !ok {
+				return nil, fmt.Errorf("could not parse 'len' value as number: %q", prefix)
+			}
+			return []string{fmt.Sprintf("%s/%d", addr, int(length))}, nil
+		} else if len(val) == 1 {
+			var verdict string
+			// We just checked that len(val) == 1, so this loop body will only
+			// run once
+			for k, v := range val {
+				if v == nil {
+					verdict = k
+				} else if target, ok := v.(map[string]interface{}); ok {
+					verdict = fmt.Sprintf("%s %s", k, target["target"])
+				}
+			}
+			return []string{verdict}, nil
+		}
+	}
+
+	return nil, fmt.Errorf("could not parse element value %q", json)
+}

vendor/sigs.k8s.io/knftables/objects.go

@@ -0,0 +1,658 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package knftables
+
+import (
+	"fmt"
+	"io"
+	"regexp"
+	"strconv"
+	"strings"
+	"time"
+)
+
+func parseInt(numbersOnly string) *int {
+	i64, _ := strconv.ParseInt(numbersOnly, 10, 64)
+	i := int(i64)
+	return &i
+}
+
+func parseUint(numbersOnly string) *uint64 {
+	ui64, _ := strconv.ParseUint(numbersOnly, 10, 64)
+	return &ui64
+}
+
+// getComment parses a match for the commentGroup regexp (below). To distinguish between empty comment and no comment,
+// we capture comment with double quotes.
+func getComment(commentGroup string) *string {
+	if commentGroup == "" {
+		return nil
+	}
+	noQuotes := strings.Trim(commentGroup, "\"")
+	return &noQuotes
+}
+
+var commentGroup = `(".*")`
+var noSpaceGroup = `([^ ]*)`
+var numberGroup = `([0-9]*)`
+
+// Object implementation for Table
+func (table *Table) validate(verb verb) error {
+	switch verb {
+	case addVerb, createVerb, flushVerb:
+		if table.Handle != nil {
+			return fmt.Errorf("cannot specify Handle in %s operation", verb)
+		}
+	case deleteVerb:
+		// Handle can be nil or non-nil
+	default:
+		return fmt.Errorf("%s is not implemented for tables", verb)
+	}
+
+	return nil
+}
+
+func (table *Table) writeOperation(verb verb, ctx *nftContext, writer io.Writer) {
+	// Special case for delete-by-handle
+	if verb == deleteVerb && table.Handle != nil {
+		fmt.Fprintf(writer, "delete table %s handle %d", ctx.family, *table.Handle)
+		return
+	}
+
+	// All other cases refer to the table by name
+	fmt.Fprintf(writer, "%s table %s %s", verb, ctx.family, ctx.table)
+	if verb == addVerb || verb == createVerb {
+		if table.Comment != nil && !ctx.noObjectComments {
+			fmt.Fprintf(writer, " { comment %q ; }", *table.Comment)
+		}
+	}
+	fmt.Fprintf(writer, "\n")
+}
+
+var tableRegexp = regexp.MustCompile(fmt.Sprintf(
+	`(?:{ comment %s ; })?`, commentGroup))
+
+func (table *Table) parse(line string) error {
+	match := tableRegexp.FindStringSubmatch(line)
+	if match == nil {
+		return fmt.Errorf("failed parsing table add command")
+	}
+	table.Comment = getComment(match[1])
+	return nil
+}
+
+// Object implementation for Chain
+func (chain *Chain) validate(verb verb) error {
+	if chain.Hook == nil {
+		if chain.Type != nil || chain.Priority != nil {
+			return fmt.Errorf("regular chain %q must not specify Type or Priority", chain.Name)
+		}
+		if chain.Device != nil {
+			return fmt.Errorf("regular chain %q must not specify Device", chain.Name)
+		}
+	} else {
+		if chain.Type == nil || chain.Priority == nil {
+			return fmt.Errorf("base chain %q must specify Type and Priority", chain.Name)
+		}
+	}
+
+	switch verb {
+	case addVerb, createVerb, flushVerb:
+		if chain.Name == "" {
+			return fmt.Errorf("no name specified for chain")
+		}
+		if chain.Handle != nil {
+			return fmt.Errorf("cannot specify Handle in %s operation", verb)
+		}
+	case deleteVerb:
+		if chain.Name == "" && chain.Handle == nil {
+			return fmt.Errorf("must specify either name or handle")
+		}
+	default:
+		return fmt.Errorf("%s is not implemented for chains", verb)
+	}
+
+	return nil
+}
+
+func (chain *Chain) writeOperation(verb verb, ctx *nftContext, writer io.Writer) {
+	// Special case for delete-by-handle
+	if verb == deleteVerb && chain.Handle != nil {
+		fmt.Fprintf(writer, "delete chain %s %s handle %d", ctx.family, ctx.table, *chain.Handle)
+		return
+	}
+
+	fmt.Fprintf(writer, "%s chain %s %s %s", verb, ctx.family, ctx.table, chain.Name)
+	if verb == addVerb || verb == createVerb {
+		if chain.Type != nil || (chain.Comment != nil && !ctx.noObjectComments) {
+			fmt.Fprintf(writer, " {")
+
+			if chain.Type != nil {
+				fmt.Fprintf(writer, " type %s hook %s", *chain.Type, *chain.Hook)
+				if chain.Device != nil {
+					fmt.Fprintf(writer, " device %q", *chain.Device)
+				}
+
+				// Parse the priority to a number if we can, because older
+				// versions of nft don't accept certain named priorities
+				// in all contexts (eg, "dstnat" priority in the "output"
+				// hook).
+				if priority, err := ParsePriority(ctx.family, string(*chain.Priority)); err == nil {
+					fmt.Fprintf(writer, " priority %d ;", priority)
+				} else {
+					fmt.Fprintf(writer, " priority %s ;", *chain.Priority)
+				}
+			}
+			if chain.Comment != nil && !ctx.noObjectComments {
+				fmt.Fprintf(writer, " comment %q ;", *chain.Comment)
+			}
+
+			fmt.Fprintf(writer, " }")
+		}
+	}
+
+	fmt.Fprintf(writer, "\n")
+}
+
+// groups in []: [1]%s(?: {(?: type [2]%s hook [3]%s(?: device "[4]%s")(?: priority [5]%s ;))(?: comment [6]%s ;) })
+var chainRegexp = regexp.MustCompile(fmt.Sprintf(
+	`%s(?: {(?: type %s hook %s(?: device "%s")?(?: priority %s ;))?(?: comment %s ;)? })?`,
+	noSpaceGroup, noSpaceGroup, noSpaceGroup, noSpaceGroup, noSpaceGroup, commentGroup))
+
+func (chain *Chain) parse(line string) error {
+	match := chainRegexp.FindStringSubmatch(line)
+	if match == nil {
+		return fmt.Errorf("failed parsing chain add command")
+	}
+	chain.Name = match[1]
+	chain.Comment = getComment(match[6])
+	if match[2] != "" {
+		chain.Type = (*BaseChainType)(&match[2])
+	}
+	if match[3] != "" {
+		chain.Hook = (*BaseChainHook)(&match[3])
+	}
+	if match[4] != "" {
+		chain.Device = &match[4]
+	}
+	if match[5] != "" {
+		chain.Priority = (*BaseChainPriority)(&match[5])
+	}
+	return nil
+}
+
+// Object implementation for Rule
+func (rule *Rule) validate(verb verb) error {
+	if rule.Chain == "" {
+		return fmt.Errorf("no chain name specified for rule")
+	}
+
+	if rule.Index != nil && rule.Handle != nil {
+		return fmt.Errorf("cannot specify both Index and Handle")
+	}
+
+	switch verb {
+	case addVerb, insertVerb:
+		if rule.Rule == "" {
+			return fmt.Errorf("no rule specified")
+		}
+	case replaceVerb:
+		if rule.Rule == "" {
+			return fmt.Errorf("no rule specified")
+		}
+		if rule.Handle == nil {
+			return fmt.Errorf("must specify Handle with %s", verb)
+		}
+	case deleteVerb:
+		if rule.Handle == nil {
+			return fmt.Errorf("must specify Handle with %s", verb)
+		}
+	default:
+		return fmt.Errorf("%s is not implemented for rules", verb)
+	}
+
+	return nil
+}
+
+func (rule *Rule) writeOperation(verb verb, ctx *nftContext, writer io.Writer) {
+	fmt.Fprintf(writer, "%s rule %s %s %s", verb, ctx.family, ctx.table, rule.Chain)
+	if rule.Index != nil {
+		fmt.Fprintf(writer, " index %d", *rule.Index)
+	} else if rule.Handle != nil {
+		fmt.Fprintf(writer, " handle %d", *rule.Handle)
+	}
+
+	switch verb {
+	case addVerb, insertVerb, replaceVerb:
+		fmt.Fprintf(writer, " %s", rule.Rule)
+
+		if rule.Comment != nil {
+			fmt.Fprintf(writer, " comment %q", *rule.Comment)
+		}
+	}
+
+	fmt.Fprintf(writer, "\n")
+}
+
+// groups in []: [1]%s(?: index [2]%s)?(?: handle [3]%s)? [4]([^"]*)(?: comment [5]%s)?$
+var ruleRegexp = regexp.MustCompile(fmt.Sprintf(
+	`%s(?: index %s)?(?: handle %s)? ([^"]*)(?: comment %s)?$`,
+	noSpaceGroup, numberGroup, numberGroup, commentGroup))
+
+func (rule *Rule) parse(line string) error {
+	match := ruleRegexp.FindStringSubmatch(line)
+	if match == nil {
+		return fmt.Errorf("failed parsing rule add command")
+	}
+	rule.Chain = match[1]
+	rule.Rule = match[4]
+	rule.Comment = getComment(match[5])
+	if match[2] != "" {
+		rule.Index = parseInt(match[2])
+	}
+	if match[3] != "" {
+		rule.Handle = parseInt(match[3])
+	}
+	return nil
+}
+
+// Object implementation for Set
+func (set *Set) validate(verb verb) error {
+	switch verb {
+	case addVerb, createVerb:
+		if (set.Type == "" && set.TypeOf == "") || (set.Type != "" && set.TypeOf != "") {
+			return fmt.Errorf("set must specify either Type or TypeOf")
+		}
+		if set.Handle != nil {
+			return fmt.Errorf("cannot specify Handle in %s operation", verb)
+		}
+		fallthrough
+	case flushVerb:
+		if set.Name == "" {
+			return fmt.Errorf("no name specified for set")
+		}
+	case deleteVerb:
+		if set.Name == "" && set.Handle == nil {
+			return fmt.Errorf("must specify either name or handle")
+		}
+	default:
+		return fmt.Errorf("%s is not implemented for sets", verb)
+	}
+
+	return nil
+}
+
+func (set *Set) writeOperation(verb verb, ctx *nftContext, writer io.Writer) {
+	// Special case for delete-by-handle
+	if verb == deleteVerb && set.Handle != nil {
+		fmt.Fprintf(writer, "delete set %s %s handle %d", ctx.family, ctx.table, *set.Handle)
+		return
+	}
+
+	fmt.Fprintf(writer, "%s set %s %s %s", verb, ctx.family, ctx.table, set.Name)
+	if verb == addVerb || verb == createVerb {
+		fmt.Fprintf(writer, " {")
+
+		if set.Type != "" {
+			fmt.Fprintf(writer, " type %s ;", set.Type)
+		} else {
+			fmt.Fprintf(writer, " typeof %s ;", set.TypeOf)
+		}
+
+		if len(set.Flags) != 0 {
+			fmt.Fprintf(writer, " flags ")
+			for i := range set.Flags {
+				if i > 0 {
+					fmt.Fprintf(writer, ",")
+				}
+				fmt.Fprintf(writer, "%s", set.Flags[i])
+			}
+			fmt.Fprintf(writer, " ;")
+		}
+
+		if set.Timeout != nil {
+			fmt.Fprintf(writer, " timeout %ds ;", int64(set.Timeout.Seconds()))
+		}
+		if set.GCInterval != nil {
+			fmt.Fprintf(writer, " gc-interval %ds ;", int64(set.GCInterval.Seconds()))
+		}
+		if set.Size != nil {
+			fmt.Fprintf(writer, " size %d ;", *set.Size)
+		}
+		if set.Policy != nil {
+			fmt.Fprintf(writer, " policy %s ;", *set.Policy)
+		}
+		if set.AutoMerge != nil && *set.AutoMerge {
+			fmt.Fprintf(writer, " auto-merge ;")
+		}
+
+		if set.Comment != nil && !ctx.noObjectComments {
+			fmt.Fprintf(writer, " comment %q ;", *set.Comment)
+		}
+
+		fmt.Fprintf(writer, " }")
+	}
+
+	fmt.Fprintf(writer, "\n")
+}
+
+func (set *Set) parse(line string) error {
+	match := setRegexp.FindStringSubmatch(line)
+	if match == nil {
+		return fmt.Errorf("failed parsing set add command")
+	}
+	set.Name, set.Type, set.TypeOf, set.Flags, set.Timeout, set.GCInterval,
+		set.Size, set.Policy, set.Comment, set.AutoMerge = parseMapAndSetProps(match)
+	return nil
+}
+
+// Object implementation for Map
+func (mapObj *Map) validate(verb verb) error {
+	switch verb {
+	case addVerb, createVerb:
+		if (mapObj.Type == "" && mapObj.TypeOf == "") || (mapObj.Type != "" && mapObj.TypeOf != "") {
+			return fmt.Errorf("map must specify either Type or TypeOf")
+		}
+		if mapObj.Handle != nil {
+			return fmt.Errorf("cannot specify Handle in %s operation", verb)
+		}
+		fallthrough
+	case flushVerb:
+		if mapObj.Name == "" {
+			return fmt.Errorf("no name specified for map")
+		}
+	case deleteVerb:
+		if mapObj.Name == "" && mapObj.Handle == nil {
+			return fmt.Errorf("must specify either name or handle")
+		}
+	default:
+		return fmt.Errorf("%s is not implemented for maps", verb)
+	}
+
+	return nil
+}
+
+func (mapObj *Map) writeOperation(verb verb, ctx *nftContext, writer io.Writer) {
+	// Special case for delete-by-handle
+	if verb == deleteVerb && mapObj.Handle != nil {
+		fmt.Fprintf(writer, "delete map %s %s handle %d", ctx.family, ctx.table, *mapObj.Handle)
+		return
+	}
+
+	fmt.Fprintf(writer, "%s map %s %s %s", verb, ctx.family, ctx.table, mapObj.Name)
+	if verb == addVerb || verb == createVerb {
+		fmt.Fprintf(writer, " {")
+
+		if mapObj.Type != "" {
+			fmt.Fprintf(writer, " type %s ;", mapObj.Type)
+		} else {
+			fmt.Fprintf(writer, " typeof %s ;", mapObj.TypeOf)
+		}
+
+		if len(mapObj.Flags) != 0 {
+			fmt.Fprintf(writer, " flags ")
+			for i := range mapObj.Flags {
+				if i > 0 {
+					fmt.Fprintf(writer, ",")
+				}
+				fmt.Fprintf(writer, "%s", mapObj.Flags[i])
+			}
+			fmt.Fprintf(writer, " ;")
+		}
+
+		if mapObj.Timeout != nil {
+			fmt.Fprintf(writer, " timeout %ds ;", int64(mapObj.Timeout.Seconds()))
+		}
+		if mapObj.GCInterval != nil {
+			fmt.Fprintf(writer, " gc-interval %ds ;", int64(mapObj.GCInterval.Seconds()))
+		}
+		if mapObj.Size != nil {
+			fmt.Fprintf(writer, " size %d ;", *mapObj.Size)
+		}
+		if mapObj.Policy != nil {
+			fmt.Fprintf(writer, " policy %s ;", *mapObj.Policy)
+		}
+
+		if mapObj.Comment != nil && !ctx.noObjectComments {
+			fmt.Fprintf(writer, " comment %q ;", *mapObj.Comment)
+		}
+
+		fmt.Fprintf(writer, " }")
+	}
+
+	fmt.Fprintf(writer, "\n")
+}
+
+func (mapObj *Map) parse(line string) error {
+	match := mapRegexp.FindStringSubmatch(line)
+	if match == nil {
+		return fmt.Errorf("failed parsing map add command")
+	}
+	mapObj.Name, mapObj.Type, mapObj.TypeOf, mapObj.Flags, mapObj.Timeout, mapObj.GCInterval,
+		mapObj.Size, mapObj.Policy, mapObj.Comment, _ = parseMapAndSetProps(match)
+	return nil
+}
+
+var autoMergeProp = `( auto-merge ;)?`
+
+// groups in []:  [1]%s {(?: [2](type|typeof) [3]([^;]*)) ;(?: flags [4]([^;]*) ;)?(?: timeout [5]%ss ;)?(?: gc-interval [6]%ss ;)?(?: size [7]%s ;)?(?: policy [8]%s ;)?[9]%s(?: comment [10]%s ;)? }
+var mapOrSet = `%s {(?: (type|typeof) ([^;]*)) ;(?: flags ([^;]*) ;)?(?: timeout %ss ;)?(?: gc-interval %ss ;)?(?: size %s ;)?(?: policy %s ;)?%s(?: comment %s ;)? }`
+var mapRegexp = regexp.MustCompile(fmt.Sprintf(mapOrSet, noSpaceGroup, numberGroup, numberGroup, noSpaceGroup, noSpaceGroup, "", commentGroup))
+var setRegexp = regexp.MustCompile(fmt.Sprintf(mapOrSet, noSpaceGroup, numberGroup, numberGroup, noSpaceGroup, noSpaceGroup, autoMergeProp, commentGroup))
+
+func parseMapAndSetProps(match []string) (name string, typeProp string, typeOf string, flags []SetFlag,
+	timeout *time.Duration, gcInterval *time.Duration, size *uint64, policy *SetPolicy, comment *string, autoMerge *bool) {
+	name = match[1]
+	// set and map have different number of match groups, but comment is always the last
+	comment = getComment(match[len(match)-1])
+	if match[2] == "type" {
+		typeProp = match[3]
+	} else {
+		typeOf = match[3]
+	}
+	if match[4] != "" {
+		flags = parseSetFlags(match[4])
+	}
+	if match[5] != "" {
+		timeoutObj, _ := time.ParseDuration(match[5] + "s")
+		timeout = &timeoutObj
+	}
+	if match[6] != "" {
+		gcIntervalObj, _ := time.ParseDuration(match[6] + "s")
+		gcInterval = &gcIntervalObj
+	}
+	if match[7] != "" {
+		size = parseUint(match[7])
+	}
+	if match[8] != "" {
+		policy = (*SetPolicy)(&match[8])
+	}
+	if len(match) > 10 {
+		// set
+		if match[9] != "" {
+			autoMergeObj := true
+			autoMerge = &autoMergeObj
+		}
+	}
+	return
+}
+
+func parseSetFlags(s string) []SetFlag {
+	var res []SetFlag
+	for _, flag := range strings.Split(s, ",") {
+		res = append(res, SetFlag(flag))
+	}
+	return res
+}
+
+// Object implementation for Element
+func (element *Element) validate(verb verb) error {
+	if element.Map == "" && element.Set == "" {
+		return fmt.Errorf("no set/map name specified for element")
+	} else if element.Set != "" && element.Map != "" {
+		return fmt.Errorf("element specifies both a set name and a map name")
+	}
+
+	if len(element.Key) == 0 {
+		return fmt.Errorf("no key specified for element")
+	}
+	if element.Set != "" && len(element.Value) != 0 {
+		return fmt.Errorf("map value specified for set element")
+	}
+
+	switch verb {
+	case addVerb, createVerb:
+		if element.Map != "" && len(element.Value) == 0 {
+			return fmt.Errorf("no map value specified for map element")
+		}
+	case deleteVerb:
+	default:
+		return fmt.Errorf("%s is not implemented for elements", verb)
+	}
+
+	return nil
+}
+
+func (element *Element) writeOperation(verb verb, ctx *nftContext, writer io.Writer) {
+	name := element.Set
+	if name == "" {
+		name = element.Map
+	}
+
+	fmt.Fprintf(writer, "%s element %s %s %s { %s", verb, ctx.family, ctx.table, name,
+		strings.Join(element.Key, " . "))
+
+	if verb == addVerb || verb == createVerb {
+		if element.Comment != nil {
+			fmt.Fprintf(writer, " comment %q", *element.Comment)
+		}
+
+		if len(element.Value) != 0 {
+			fmt.Fprintf(writer, " : %s", strings.Join(element.Value, " . "))
+		}
+	}
+
+	fmt.Fprintf(writer, " }\n")
+}
+
+// groups in []: [1]%s { [2]([^:"]*)(?: comment [3]%s)? : [4](.*) }
+var mapElementRegexp = regexp.MustCompile(fmt.Sprintf(
+	`%s { ([^"]*)(?: comment %s)? : (.*) }`, noSpaceGroup, commentGroup))
+
+// groups in []: [1]%s { [2]([^:"]*)(?: comment [3]%s)? }
+var setElementRegexp = regexp.MustCompile(fmt.Sprintf(
+	`%s { ([^"]*)(?: comment %s)? }`, noSpaceGroup, commentGroup))
+
+func (element *Element) parse(line string) error {
+	// try to match map element first, since it has more groups, and if it matches, then we can be sure
+	// this is map element.
+	match := mapElementRegexp.FindStringSubmatch(line)
+	if match == nil {
+		match = setElementRegexp.FindStringSubmatch(line)
+		if match == nil {
+			return fmt.Errorf("failed parsing element add command")
+		}
+	}
+	element.Comment = getComment(match[3])
+	mapOrSetName := match[1]
+	element.Key = append(element.Key, strings.Split(match[2], " . ")...)
+	if len(match) == 5 {
+		// map regex matched
+		element.Map = mapOrSetName
+		element.Value = append(element.Value, strings.Split(match[4], " . ")...)
+	} else {
+		element.Set = mapOrSetName
+	}
+	return nil
+}
+
+// Object implementation for Flowtable
+func (flowtable *Flowtable) validate(verb verb) error {
+	switch verb {
+	case addVerb, createVerb:
+		if flowtable.Name == "" {
+			return fmt.Errorf("no name specified for flowtable")
+		}
+		if flowtable.Handle != nil {
+			return fmt.Errorf("cannot specify Handle in %s operation", verb)
+		}
+	case deleteVerb:
+		if flowtable.Name == "" && flowtable.Handle == nil {
+			return fmt.Errorf("must specify either name or handle")
+		}
+	default:
+		return fmt.Errorf("%s is not implemented for flowtables", verb)
+	}
+
+	return nil
+}
+
+func (flowtable *Flowtable) writeOperation(verb verb, ctx *nftContext, writer io.Writer) {
+	// Special case for delete-by-handle
+	if verb == deleteVerb && flowtable.Handle != nil {
+		fmt.Fprintf(writer, "delete flowtable %s %s handle %d", ctx.family, ctx.table, *flowtable.Handle)
+		return
+	}
+
+	fmt.Fprintf(writer, "%s flowtable %s %s %s", verb, ctx.family, ctx.table, flowtable.Name)
+	if verb == addVerb || verb == createVerb {
+		fmt.Fprintf(writer, " {")
+
+		if flowtable.Priority != nil {
+			// since there is only one priority value allowed "filter" just use the value
+			// provided and not try to parse it.
+			fmt.Fprintf(writer, " hook ingress priority %s ;", *flowtable.Priority)
+		}
+
+		if len(flowtable.Devices) > 0 {
+			fmt.Fprintf(writer, " devices = { %s } ;", strings.Join(flowtable.Devices, ", "))
+		}
+
+		fmt.Fprintf(writer, " }")
+	}
+
+	fmt.Fprintf(writer, "\n")
+}
+
+// nft add flowtable inet example_table example_flowtable { hook ingress priority filter ; devices = { eth0 };  }
+var flowtableRegexp = regexp.MustCompile(fmt.Sprintf(
+	`%s(?: {(?: hook ingress priority %s ;)(?: devices = {(.*)} ;) })?`,
+	noSpaceGroup, noSpaceGroup))
+
+func (flowtable *Flowtable) parse(line string) error {
+	match := flowtableRegexp.FindStringSubmatch(line)
+	if match == nil {
+		return fmt.Errorf("failed parsing flowtableRegexp add command")
+	}
+	flowtable.Name = match[1]
+	if match[2] != "" {
+		flowtable.Priority = (*FlowtableIngressPriority)(&match[2])
+	}
+	// to avoid complex regular expressions the regex match everything between the brackets
+	// to match a single interface or a comma separated list of interfaces, and it is postprocessed
+	// here to remove the whitespaces.
+	if match[3] != "" {
+		devices := strings.Split(strings.TrimSpace(match[3]), ",")
+		for i := range devices {
+			devices[i] = strings.TrimSpace(devices[i])
+		}
+		if len(devices) > 0 {
+			flowtable.Devices = devices
+		}
+	}
+	return nil
+}

vendor/sigs.k8s.io/knftables/transaction.go

@@ -0,0 +1,141 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package knftables
+
+import (
+	"bytes"
+	"fmt"
+)
+
+// Transaction represents an nftables transaction
+type Transaction struct {
+	*nftContext
+
+	operations []operation
+	err        error
+}
+
+// operation contains a single nftables operation (eg "add table", "flush chain")
+type operation struct {
+	verb verb
+	obj  Object
+}
+
+// verb is used internally to represent the different "nft" verbs
+type verb string
+
+const (
+	addVerb     verb = "add"
+	createVerb  verb = "create"
+	insertVerb  verb = "insert"
+	replaceVerb verb = "replace"
+	deleteVerb  verb = "delete"
+	flushVerb   verb = "flush"
+)
+
+// populateCommandBuf populates the transaction as series of nft commands to the given bytes.Buffer.
+func (tx *Transaction) populateCommandBuf(buf *bytes.Buffer) error {
+	if tx.err != nil {
+		return tx.err
+	}
+
+	for _, op := range tx.operations {
+		op.obj.writeOperation(op.verb, tx.nftContext, buf)
+	}
+	return nil
+}
+
+// String returns the transaction as a string containing the nft commands; if there is
+// a pending error, it will be output as a comment at the end of the transaction.
+func (tx *Transaction) String() string {
+	buf := &bytes.Buffer{}
+	for _, op := range tx.operations {
+		op.obj.writeOperation(op.verb, tx.nftContext, buf)
+	}
+
+	if tx.err != nil {
+		fmt.Fprintf(buf, "# ERROR: %v", tx.err)
+	}
+
+	return buf.String()
+}
+
+// NumOperations returns the number of operations queued in the transaction.
+func (tx *Transaction) NumOperations() int {
+	return len(tx.operations)
+}
+
+func (tx *Transaction) operation(verb verb, obj Object) {
+	if tx.err != nil {
+		return
+	}
+	if tx.err = obj.validate(verb); tx.err != nil {
+		return
+	}
+
+	tx.operations = append(tx.operations, operation{verb: verb, obj: obj})
+}
+
+// Add adds an "nft add" operation to tx, ensuring that obj exists by creating it if it
+// did not already exist. (If obj is a Rule, it will be appended to the end of its chain,
+// or else added after the Rule indicated by this rule's Index or Handle.) The Add() call
+// always succeeds, but if obj is invalid, or inconsistent with the existing nftables
+// state, then an error will be returned when the transaction is Run.
+func (tx *Transaction) Add(obj Object) {
+	tx.operation(addVerb, obj)
+}
+
+// Create adds an "nft create" operation to tx, creating obj, which must not already
+// exist. (If obj is a Rule, it will be appended to the end of its chain, or else added
+// after the Rule indicated by this rule's Index or Handle.) The Create() call always
+// succeeds, but if obj is invalid, already exists, or is inconsistent with the existing
+// nftables state, then an error will be returned when the transaction is Run.
+func (tx *Transaction) Create(obj Object) {
+	tx.operation(createVerb, obj)
+}
+
+// Insert adds an "nft insert" operation to tx, inserting obj (which must be a Rule) at
+// the start of its chain, or before the other Rule indicated by this rule's Index or
+// Handle. The Insert() call always succeeds, but if obj is invalid or is inconsistent
+// with the existing nftables state, then an error will be returned when the transaction
+// is Run.
+func (tx *Transaction) Insert(obj Object) {
+	tx.operation(insertVerb, obj)
+}
+
+// Replace adds an "nft replace" operation to tx, replacing an existing rule with obj
+// (which must be a Rule). The Replace() call always succeeds, but if obj is invalid, does
+// not contain the Handle of an existing rule, or is inconsistent with the existing
+// nftables state, then an error will be returned when the transaction is Run.
+func (tx *Transaction) Replace(obj Object) {
+	tx.operation(replaceVerb, obj)
+}
+
+// Flush adds an "nft flush" operation to tx, clearing the contents of obj. The Flush()
+// call always succeeds, but if obj does not exist (or does not support flushing) then an
+// error will be returned when the transaction is Run.
+func (tx *Transaction) Flush(obj Object) {
+	tx.operation(flushVerb, obj)
+}
+
+// Delete adds an "nft delete" operation to tx, deleting obj. The Delete() call always
+// succeeds, but if obj does not exist or cannot be deleted based on the information
+// provided (eg, Handle is required but not set) then an error will be returned when the
+// transaction is Run.
+func (tx *Transaction) Delete(obj Object) {
+	tx.operation(deleteVerb, obj)
+}

vendor/sigs.k8s.io/knftables/types.go

@@ -0,0 +1,411 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package knftables
+
+import (
+	"io"
+	"time"
+)
+
+const (
+	// Maximum length of a table, chain, set, etc, name
+	NameLengthMax = 256
+
+	// Maximum length of a comment
+	CommentLengthMax = 128
+)
+
+// Object is the interface for an nftables object. All of the concrete object types
+// implement this interface.
+type Object interface {
+	// validate validates an object for an operation
+	validate(verb verb) error
+
+	// writeOperation writes out an "nft" operation involving the object. It assumes
+	// that the object has been validated.
+	writeOperation(verb verb, ctx *nftContext, writer io.Writer)
+
+	// parse is the opposite of writeOperation; it fills Object fields based on an "nft add"
+	// command. line is the part of the line after "nft add <type> <family> <tablename>"
+	// (so for most types it starts with the object name).
+	// If error is returned, Object's fields may be partially filled, therefore Object should not be used.
+	parse(line string) error
+}
+
+// Family is an nftables family
+type Family string
+
+const (
+	// IPv4Family represents the "ip" nftables family, for IPv4 rules.
+	IPv4Family Family = "ip"
+
+	// IPv6Family represents the "ip6" nftables family, for IPv6 rules.
+	IPv6Family Family = "ip6"
+
+	// InetFamily represents the "inet" nftables family, for mixed IPv4 and IPv6 rules.
+	InetFamily Family = "inet"
+
+	// ARPFamily represents the "arp" nftables family, for ARP rules.
+	ARPFamily Family = "arp"
+
+	// BridgeFamily represents the "bridge" nftables family, for rules operating
+	// on packets traversing a bridge.
+	BridgeFamily Family = "bridge"
+
+	// NetDevFamily represents the "netdev" nftables family, for rules operating on
+	// the device ingress/egress path.
+	NetDevFamily Family = "netdev"
+)
+
+// Table represents an nftables table.
+type Table struct {
+	// Comment is an optional comment for the table. (Requires kernel >= 5.10 and
+	// nft >= 0.9.7; otherwise this field will be silently ignored. Requires
+	// nft >= 1.0.8 to include comments in List() results.)
+	Comment *string
+
+	// Handle is an identifier that can be used to uniquely identify an object when
+	// deleting it. When adding a new object, this must be nil.
+	Handle *int
+}
+
+// BaseChainType represents the "type" of a "base chain" (ie, a chain that is attached to a hook).
+// See https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_types
+type BaseChainType string
+
+const (
+	// FilterType is the chain type for basic packet filtering.
+	FilterType BaseChainType = "filter"
+
+	// NATType is the chain type for doing DNAT, SNAT, and masquerading.
+	// NAT operations are only available from certain hooks.
+	NATType BaseChainType = "nat"
+
+	// RouteType is the chain type for rules that change the routing of packets.
+	// Chains of this type can only be added to the "output" hook.
+	RouteType BaseChainType = "route"
+)
+
+// BaseChainHook represents the "hook" that a base chain is attached to.
+// See https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_hooks
+// and https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks
+type BaseChainHook string
+
+const (
+	// PreroutingHook is the "prerouting" stage of packet processing, which is the
+	// first stage (after "ingress") for inbound ("input path" and "forward path")
+	// packets.
+	PreroutingHook BaseChainHook = "prerouting"
+
+	// InputHook is the "input" stage of packet processing, which happens after
+	// "prerouting" for inbound packets being delivered to an interface on this host,
+	// in this network namespace.
+	InputHook BaseChainHook = "input"
+
+	// ForwardHook is the "forward" stage of packet processing, which happens after
+	// "prerouting" for inbound packets destined for a non-local IP (i.e. on another
+	// host or in another network namespace)
+	ForwardHook BaseChainHook = "forward"
+
+	// OutputHook is the "output" stage of packet processing, which is the first stage
+	// for outbound packets, regardless of their final destination.
+	OutputHook BaseChainHook = "output"
+
+	// PostroutingHook is the "postrouting" stage of packet processing, which is the
+	// final stage (before "egress") for outbound ("forward path" and "output path")
+	// packets.
+	PostroutingHook BaseChainHook = "postrouting"
+
+	// IngressHook is the "ingress" stage of packet processing, in the "netdev" family
+	// or (with kernel >= 5.10 and nft >= 0.9.7) the "inet" family.
+	IngressHook BaseChainHook = "ingress"
+
+	// EgressHook is the "egress" stage of packet processing, in the "netdev" family
+	// (with kernel >= 5.16 and nft >= 1.0.1).
+	EgressHook BaseChainHook = "egress"
+)
+
+// BaseChainPriority represents the "priority" of a base chain. Lower values run earlier.
+// See https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority
+// and https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks#Priority_within_hook
+//
+// In addition to the const values, you can also use a signed integer value, or an
+// arithmetic expression consisting of a const value followed by "+" or "-" and an
+// integer.
+type BaseChainPriority string
+
+const (
+	// RawPriority is the earliest named priority. In particular, it can be used for
+	// rules that need to run before conntrack. It is equivalent to the value -300 and
+	// can be used in the ip, ip6, and inet families.
+	RawPriority BaseChainPriority = "raw"
+
+	// ManglePriority is the standard priority for packet-rewriting operations. It is
+	// equivalent to the value -150 and can be used in the ip, ip6, and inet families.
+	ManglePriority BaseChainPriority = "mangle"
+
+	// DNATPriority is the standard priority for DNAT operations. In the ip, ip6, and
+	// inet families, it is equivalent to the value -100. In the bridge family it is
+	// equivalent to the value -300. In both cases it can only be used from the
+	// prerouting hook.
+	DNATPriority BaseChainPriority = "dstnat"
+
+	// FilterPriority is the standard priority for filtering operations. In the ip,
+	// ip6, inet, arp, and netdev families, it is equivalent to the value 0. In the
+	// bridge family it is equivalent to the value -200.
+	FilterPriority BaseChainPriority = "filter"
+
+	// OutPriority is FIXME. It is equivalent to the value 300 and can only be used in
+	// the bridge family.
+	OutPriority BaseChainPriority = "out"
+
+	// SecurityPriority is the standard priority for security operations ("where
+	// secmark can be set for example"). It is equivalent to the value 50 and can be
+	// used in the ip, ip6, and inet families.
+	SecurityPriority BaseChainPriority = "security"
+
+	// SNATPriority is the standard priority for SNAT operations. In the ip, ip6, and
+	// inet families, it is equivalent to the value 100. In the bridge family it is
+	// equivalent to the value 300. In both cases it can only be used from the
+	// postrouting hook.
+	SNATPriority BaseChainPriority = "srcnat"
+)
+
+// Chain represents an nftables chain; either a "base chain" (if Type, Hook, and Priority
+// are specified), or a "regular chain" (if they are not).
+type Chain struct {
+	// Name is the name of the chain.
+	Name string
+
+	// Type is the chain type; this must be set for a base chain and unset for a
+	// regular chain.
+	Type *BaseChainType
+	// Hook is the hook that the chain is connected to; this must be set for a base
+	// chain and unset for a regular chain.
+	Hook *BaseChainHook
+	// Priority is the chain priority; this must be set for a base chain and unset for
+	// a regular chain. You can call ParsePriority() to convert this to a number.
+	Priority *BaseChainPriority
+
+	// Device is the network interface that the chain is attached to; this must be set
+	// for a base chain connected to the "ingress" or "egress" hooks, and unset for
+	// all other chains.
+	Device *string
+
+	// Comment is an optional comment for the object.  (Requires kernel >= 5.10 and
+	// nft >= 0.9.7; otherwise this field will be silently ignored. Requires
+	// nft >= 1.0.8 to include comments in List() results.)
+	Comment *string
+
+	// Handle is an identifier that can be used to uniquely identify an object when
+	// deleting it. When adding a new object, this must be nil
+	Handle *int
+}
+
+// Rule represents a rule in a chain
+type Rule struct {
+	// Chain is the name of the chain that contains this rule
+	Chain string
+
+	// Rule is the rule in standard nftables syntax. (Should be empty on Delete, but
+	// is ignored if not.) Note that this does not include any rule comment, which is
+	// separate from the rule itself.
+	Rule string
+
+	// Comment is an optional comment for the rule.
+	Comment *string
+
+	// Index is the number of a rule (counting from 0) to Add this Rule after or
+	// Insert it before. Cannot be specified along with Handle. If neither Index
+	// nor Handle is specified then Add appends the rule the end of the chain and
+	// Insert prepends it to the beginning.
+	Index *int
+
+	// Handle is a rule handle. In Add or Insert, if set, this is the handle of
+	// existing rule to put the new rule after/before. In Delete or Replace, this
+	// indicates the existing rule to delete/replace, and is mandatory. In the result
+	// of a List, this will indicate the rule's handle that can then be used in a
+	// later operation.
+	Handle *int
+}
+
+// SetFlag represents a set or map flag
+type SetFlag string
+
+const (
+	// ConstantFlag is a flag indicating that the set/map is constant. FIXME UNDOCUMENTED
+	ConstantFlag SetFlag = "constant"
+
+	// DynamicFlag is a flag indicating that the set contains stateful objects
+	// (counters, quotas, or limits) that will be dynamically updated.
+	DynamicFlag SetFlag = "dynamic"
+
+	// IntervalFlag is a flag indicating that the set contains either CIDR elements or
+	// IP ranges.
+	IntervalFlag SetFlag = "interval"
+
+	// TimeoutFlag is a flag indicating that the set/map has a timeout after which
+	// dynamically added elements will be removed. (It is set automatically if the
+	// set/map has a Timeout.)
+	TimeoutFlag SetFlag = "timeout"
+)
+
+// SetPolicy represents a set or map storage policy
+type SetPolicy string
+
+const (
+	// PolicyPerformance FIXME
+	PerformancePolicy SetPolicy = "performance"
+
+	// PolicyMemory FIXME
+	MemoryPolicy SetPolicy = "memory"
+)
+
+// Set represents the definition of an nftables set (but not its elements)
+type Set struct {
+	// Name is the name of the set.
+	Name string
+
+	// Type is the type of the set key (eg "ipv4_addr"). Either Type or TypeOf, but
+	// not both, must be non-empty.
+	Type string
+
+	// TypeOf is the type of the set key as an nftables expression (eg "ip saddr").
+	// Either Type or TypeOf, but not both, must be non-empty. (Requires at least nft
+	// 0.9.4, and newer than that for some types.)
+	TypeOf string
+
+	// Flags are the set flags
+	Flags []SetFlag
+
+	// Timeout is the time that an element will stay in the set before being removed.
+	// (Optional; mandatory for sets that will be added to from the packet path)
+	Timeout *time.Duration
+
+	// GCInterval is the interval at which timed-out elements will be removed from the
+	// set. (Optional; FIXME DEFAULT)
+	GCInterval *time.Duration
+
+	// Size if the maximum numer of elements in the set.
+	// (Optional; mandatory for sets that will be added to from the packet path)
+	Size *uint64
+
+	// Policy is the FIXME
+	Policy *SetPolicy
+
+	// AutoMerge indicates that adjacent/overlapping set elements should be merged
+	// together (only for interval sets)
+	AutoMerge *bool
+
+	// Comment is an optional comment for the object.  (Requires kernel >= 5.10 and
+	// nft >= 0.9.7; otherwise this field will be silently ignored.)
+	Comment *string
+
+	// Handle is an identifier that can be used to uniquely identify an object when
+	// deleting it. When adding a new object, this must be nil
+	Handle *int
+}
+
+// Map represents the definition of an nftables map (but not its elements)
+type Map struct {
+	// Name is the name of the map.
+	Name string
+
+	// Type is the type of the map key and value (eg "ipv4_addr : verdict"). Either
+	// Type or TypeOf, but not both, must be non-empty.
+	Type string
+
+	// TypeOf is the type of the set key as an nftables expression (eg "ip saddr : verdict").
+	// Either Type or TypeOf, but not both, must be non-empty. (Requires at least nft 0.9.4,
+	// and newer than that for some types.)
+	TypeOf string
+
+	// Flags are the map flags
+	Flags []SetFlag
+
+	// Timeout is the time that an element will stay in the set before being removed.
+	// (Optional; mandatory for sets that will be added to from the packet path)
+	Timeout *time.Duration
+
+	// GCInterval is the interval at which timed-out elements will be removed from the
+	// set. (Optional; FIXME DEFAULT)
+	GCInterval *time.Duration
+
+	// Size if the maximum numer of elements in the set.
+	// (Optional; mandatory for sets that will be added to from the packet path)
+	Size *uint64
+
+	// Policy is the FIXME
+	Policy *SetPolicy
+
+	// Comment is an optional comment for the object.  (Requires kernel >= 5.10 and
+	// nft >= 0.9.7; otherwise this field will be silently ignored.)
+	Comment *string
+
+	// Handle is an identifier that can be used to uniquely identify an object when
+	// deleting it. When adding a new object, this must be nil
+	Handle *int
+}
+
+// Element represents a set or map element
+type Element struct {
+	// Set is the name of the set that contains this element (or the empty string if
+	// this is a map element.)
+	Set string
+
+	// Map is the name of the map that contains this element (or the empty string if
+	// this is a set element.)
+	Map string
+
+	// Key is the element key. (The list contains a single element for "simple" keys,
+	// or multiple elements for concatenations.)
+	Key []string
+
+	// Value is the map element value. As with Key, this may be a single value or
+	// multiple. For set elements, this must be nil.
+	Value []string
+
+	// Comment is an optional comment for the element
+	Comment *string
+}
+
+type FlowtableIngressPriority string
+
+const (
+	// FilterIngressPriority is the priority for the filter value in the Ingress hook
+	// that stands for 0.
+	FilterIngressPriority FlowtableIngressPriority = "filter"
+)
+
+// Flowtable represents an nftables flowtable.
+// https://wiki.nftables.org/wiki-nftables/index.php/Flowtables
+type Flowtable struct {
+	// Name is the name of the flowtable.
+	Name string
+
+	// The Priority can be a signed integer or FlowtableIngressPriority which stands for 0.
+	// Addition and subtraction can be used to set relative priority, e.g. filter + 5 equals to 5.
+	Priority *FlowtableIngressPriority
+
+	// The Devices are specified as iifname(s) of the input interface(s) of the traffic
+	// that should be offloaded.
+	Devices []string
+
+	// Handle is an identifier that can be used to uniquely identify an object when
+	// deleting it. When adding a new object, this must be nil
+	Handle *int
+}

vendor/sigs.k8s.io/knftables/util.go

@@ -0,0 +1,117 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package knftables
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+)
+
+// PtrTo can be used to fill in optional field values in objects
+func PtrTo[T any](val T) *T {
+	return &val
+}
+
+var numericPriorities = map[string]int{
+	"raw":      -300,
+	"mangle":   -150,
+	"dstnat":   -100,
+	"filter":   0,
+	"security": 50,
+	"srcnat":   100,
+}
+
+var bridgeNumericPriorities = map[string]int{
+	"dstnat": -300,
+	"filter": -200,
+	"out":    100,
+	"srcnat": 300,
+}
+
+// ParsePriority tries to convert the string form of a chain priority into a number
+func ParsePriority(family Family, priority string) (int, error) {
+	val, err := strconv.Atoi(priority)
+	if err == nil {
+		return val, nil
+	}
+
+	modVal := 0
+	if i := strings.IndexAny(priority, "+-"); i != -1 {
+		mod := priority[i:]
+		modVal, err = strconv.Atoi(mod)
+		if err != nil {
+			return 0, fmt.Errorf("could not parse modifier %q: %w", mod, err)
+		}
+		priority = priority[:i]
+	}
+
+	var found bool
+	if family == BridgeFamily {
+		val, found = bridgeNumericPriorities[priority]
+	} else {
+		val, found = numericPriorities[priority]
+	}
+	if !found {
+		return 0, fmt.Errorf("unknown priority %q", priority)
+	}
+
+	return val + modVal, nil
+}
+
+// Concat is a helper (primarily) for constructing Rule objects. It takes a series of
+// arguments and concatenates them together into a single string with spaces between the
+// arguments. Strings are output as-is, string arrays are output element by element,
+// numbers are output as with `fmt.Sprintf("%d")`, and all other types are output as with
+// `fmt.Sprintf("%s")`. To help with set/map lookup syntax, an argument of "@" will not
+// be followed by a space, so you can do, eg, `Concat("ip saddr", "@", setName)`.
+func Concat(args ...interface{}) string {
+	b := &strings.Builder{}
+	var needSpace, wroteAt bool
+	for _, arg := range args {
+		switch x := arg.(type) {
+		case string:
+			if needSpace {
+				b.WriteByte(' ')
+			}
+			b.WriteString(x)
+			wroteAt = (x == "@")
+		case []string:
+			for _, s := range x {
+				if needSpace {
+					b.WriteByte(' ')
+				}
+				b.WriteString(s)
+				wroteAt = (s == "@")
+				needSpace = b.Len() > 0 && !wroteAt
+			}
+		case int, uint, int16, uint16, int32, uint32, int64, uint64:
+			if needSpace {
+				b.WriteByte(' ')
+			}
+			fmt.Fprintf(b, "%d", x)
+		default:
+			if needSpace {
+				b.WriteByte(' ')
+			}
+			fmt.Fprintf(b, "%s", x)
+		}
+
+		needSpace = b.Len() > 0 && !wroteAt
+	}
+	return b.String()
+}