authorKevin Krakauer <krakauer@google.com>2020-01-13 14:14:49 -0800
committerKevin Krakauer <krakauer@google.com>2020-01-13 14:14:49 -0800
commit36641a21953b72d64d4378d4974ef467e901a5fe (patch)
treeb90165465d746d9013ba8f091a4f665286ea6e66
parent31e49f4b19309259baeeb63e7b6ef41f8edd6d35 (diff)
Only allow INPUT modifications.
-rw-r--r--pkg/sentry/socket/netfilter/netfilter.go13
1 files changed, 13 insertions, 0 deletions
diff --git a/pkg/sentry/socket/netfilter/netfilter.go b/pkg/sentry/socket/netfilter/netfilter.go
index 37f726295..507a77483 100644
--- a/pkg/sentry/socket/netfilter/netfilter.go
+++ b/pkg/sentry/socket/netfilter/netfilter.go
@@ -365,9 +365,22 @@ func SetEntries(stack *stack.Stack, optVal []byte) *syserr.Error {
}
}
+ // TODO(gvisor.dev/issue/170): Support other chains.
+ // Since we only support modifying the INPUT chain right now, make sure
+ // all other chains point to ACCEPT rules.
+ for hook, ruleIdx := range table.BuiltinChains {
+ if hook != iptables.Input {
+ if _, ok := table.Rules[ruleIdx].Target.(iptables.UnconditionalAcceptTarget); !ok {
+ log.Warningf("Hook %d is unsupported.", hook)
+ return syserr.ErrInvalidArgument
+ }
+ }
+ }
+
// TODO(gvisor.dev/issue/170): Check the following conditions:
// - There are no loops.
// - There are no chains without an unconditional final rule.
+ // - There are no chains without an unconditional underflow rule.
ipt := stack.IPTables()
table.SetMetadata(metadata{