author | Ghanan Gowripalan <ghanan@google.com> | 2021-10-07 15:30:09 -0700 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2021-10-07 15:32:42 -0700 |
commit | 3517d070cc3128ad3439e10b8abb42b7df60c2b2 (patch) | |
tree | 6d555e2e43248117bfc1975f621b5d2a82934ba6 | |
parent | 113009f3d2766d099363822419ac9cf8d708a2d7 (diff) |
Track UDP packets performing REDIRECT NAT
PiperOrigin-RevId: 401620449
-rw-r--r-- | pkg/tcpip/stack/iptables_targets.go | 32 |
1 files changed, 4 insertions, 28 deletions
diff --git a/pkg/tcpip/stack/iptables_targets.go b/pkg/tcpip/stack/iptables_targets.go
index 8b74677d0..7e5a1672a 100644
--- a/pkg/tcpip/stack/iptables_targets.go
+++ b/pkg/tcpip/stack/iptables_targets.go
@@ -132,36 +132,12 @@ func (rt *RedirectTarget) Action(pkt *PacketBuffer, hook Hook, r *Route, address
 panic("redirect target is supported only on output and prerouting hooks")
 }
 
- switch protocol := pkt.TransportProtocolNumber; protocol {
- case header.UDPProtocolNumber:
- udpHeader := header.UDP(pkt.TransportHeader().View())
-
- if hook == Output {
- // Only calculate the checksum if offloading isn't supported.
- requiresChecksum := r.RequiresTXTransportChecksum()
- rewritePacket(
- pkt.Network(),
- udpHeader,
- false, /* updateSRCFields */
- requiresChecksum,
- requiresChecksum,
- rt.Port,
- address,
- )
- } else {
- udpHeader.SetDestinationPort(rt.Port)
- }
-
- pkt.NatDone = true
- case header.TCPProtocolNumber:
- if t := pkt.tuple; t != nil {
- t.conn.performNAT(pkt, hook, r, rt.Port, address, true /* dnat */)
- }
- default:
- return RuleDrop, 0
+ if t := pkt.tuple; t != nil {
+ t.conn.performNAT(pkt, hook, r, rt.Port, address, true /* dnat */)
+ return RuleAccept, 0
 }
 
- return RuleAccept, 0
+ return RuleDrop, 0
 }
 
 // SNATTarget modifies the source port/IP in the outgoing packets. |
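Review bot: The final `return RuleDrop, 0` now silently covers every packet whose `pkt.tuple` is nil, and nothing in the new lines says why, so the protocol restriction that the removed `switch` spelled out (UDP, TCP, drop otherwise) has become an implicit dependency on whatever connection tracking chooses to track. That is a fail-closed default, which is the safer direction, but it also changes the outcome for a TCP packet without a tuple from accept to drop, while the commit message mentions only UDP. I would add a comment above the `if`, e.g. `// REDIRECT relies on conntrack; a packet with no tuple (untracked protocol or no connection entry) cannot be rewritten consistently, so it is dropped.` It may also be worth confirming that `performNAT` sets `pkt.NatDone`, which the removed UDP branch set explicitly; its body is not visible here, and `Action` itself starts outside the hunk.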