summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorKevin Krakauer <krakauer@google.com>2020-01-27 16:40:46 -0800
committerKevin Krakauer <krakauer@google.com>2020-01-27 16:40:46 -0800
commitd6a2e01d3e57e0837c7e5cfda3b56c4dcfbb4627 (patch)
tree5f8486b4ece807f50ea18f767baa652c55b7b81b
parente889f95671a9b7b1c6f65cb6fbc1b865a896e827 (diff)
Address GH comments.
-rw-r--r--pkg/sentry/socket/netfilter/netfilter.go25
1 files changed, 12 insertions, 13 deletions
diff --git a/pkg/sentry/socket/netfilter/netfilter.go b/pkg/sentry/socket/netfilter/netfilter.go
index b8848f08a..a06562743 100644
--- a/pkg/sentry/socket/netfilter/netfilter.go
+++ b/pkg/sentry/socket/netfilter/netfilter.go
@@ -43,7 +43,7 @@ const (
// a metadata struct when the tables are written, and when they are read out we
// verify that certain fields are the same.
//
-// metadata is opaque to netstack.
+// metadata is used by this serialization/deserializing code, not netstack.
type metadata struct {
HookEntry [linux.NF_INET_NUMHOOKS]uint32
Underflow [linux.NF_INET_NUMHOOKS]uint32
@@ -51,14 +51,10 @@ type metadata struct {
Size uint32
}
-const enableDebug = false
-
// nflog logs messages related to the writing and reading of iptables, but only
// when enableDebug is true.
func nflog(format string, args ...interface{}) {
- if enableDebug {
- log.Infof("netfilter: "+format, args...)
- }
+ log.Infof("netfilter: "+format, args...)
}
// GetInfo returns information about iptables.
@@ -233,14 +229,12 @@ func convertNetstackToBinary(tablename string, table iptables.Table) (linux.Kern
return entries, meta, nil
}
-// TODO: SOMEHOW THIS IS NOT GETTING APPENDED!
func marshalMatcher(matcher iptables.Matcher) []byte {
switch m := matcher.(type) {
case *iptables.UDPMatcher:
return marshalUDPMatcher(m)
default:
- // TODO(gvisor.dev/issue/170): We don't support any matchers
- // yet, so any call to marshalMatcher will panic.
+ // TODO(gvisor.dev/issue/170): Support other matchers.
panic(fmt.Errorf("unknown matcher of type %T", matcher))
}
}
@@ -249,11 +243,11 @@ func marshalUDPMatcher(matcher *iptables.UDPMatcher) []byte {
nflog("convert to binary: marshalling UDP matcher: %+v", matcher)
// We have to pad this struct size to a multiple of 8 bytes.
- const size = linux.SizeOfXTEntryMatch + linux.SizeOfXTUDP + 6
+ size := alignUp(linux.SizeOfXTEntryMatch+linux.SizeOfXTUDP, 8)
linuxMatcher := linux.KernelXTEntryMatch{
XTEntryMatch: linux.XTEntryMatch{
- MatchSize: size,
+ MatchSize: uint16(size),
},
Data: make([]byte, 0, linux.SizeOfXTUDP),
}
@@ -270,7 +264,7 @@ func marshalUDPMatcher(matcher *iptables.UDPMatcher) []byte {
buf := make([]byte, 0, size)
buf = binary.Marshal(buf, usermem.ByteOrder, linuxMatcher)
- buf = append(buf, []byte{0, 0, 0, 0, 0, 0}...)
+ buf = append(buf, make([]byte, size-len(buf))...)
nflog("convert to binary: marshalled UDP matcher into %v", buf)
return buf[:]
}
@@ -410,7 +404,7 @@ func SetEntries(stack *stack.Stack, optVal []byte) *syserr.Error {
}
// TODO(gvisor.dev/issue/170): Matchers and targets can specify
- // that they only work for certiain protocols, hooks, tables.
+ // that they only work for certain protocols, hooks, tables.
// Get matchers.
matchersSize := entry.TargetOffset - linux.SizeOfIPTEntry
if len(optVal) < int(matchersSize) {
@@ -684,3 +678,8 @@ func hookFromLinux(hook int) iptables.Hook {
}
panic(fmt.Sprintf("Unknown hook %d does not correspond to a builtin chain", hook))
}
+
+// alignUp rounds a length up to an alignment. align must be a power of 2.
+func alignUp(length int, align uint) int {
+ return (length + int(align) - 1) & ^(int(align) - 1)
+}