iptables: refactor to make targets extendable

Like matchers, targets should use a module-like register/lookup system. This replaces the brittle switch statements we had before. The only behavior change is supporing IPT_GET_REVISION_TARGET. This makes it much easier to add IPv6 redirect in the next change. Updates #3549. PiperOrigin-RevId: 334469418
author: Kevin Krakauer <krakauer@google.com> 2020-09-29 15:00:55 -0700
committer: gVisor bot <gvisor-bot@google.com> 2020-09-29 15:02:25 -0700
commit: 7fbb45e8ed82c118338c38fb71e7ff50addaa653 (patch)
tree: 3c99df9f7afa58b66ce0c748697f9789b1551a67 /pkg/sentry/socket/netstack
parent: 1d88bce55e0c8ef77e31863d264b896493dce90f (diff)
1 files changed, 20 insertions, 0 deletions
diff --git a/pkg/sentry/socket/netstack/netstack.go b/pkg/sentry/socket/netstack/netstack.go
index 6fede181a..20f66fbf1 100644
--- a/pkg/sentry/socket/netstack/netstack.go
+++ b/pkg/sentry/socket/netstack/netstack.go
@@ -1719,6 +1719,26 @@ func getSockOptIP(t *kernel.Task, s socket.SocketOps, ep commonEndpoint, name in
 		}
 		return &entries, nil
 
+	case linux.IPT_SO_GET_REVISION_TARGET:
+		if outLen < linux.SizeOfXTGetRevision {
+			return nil, syserr.ErrInvalidArgument
+		}
+
+		// Only valid for raw IPv4 sockets.
+		if family, skType, _ := s.Type(); family != linux.AF_INET || skType != linux.SOCK_RAW {
+			return nil, syserr.ErrProtocolNotAvailable
+		}
+
+		stack := inet.StackFromContext(t)
+		if stack == nil {
+			return nil, syserr.ErrNoDevice
+		}
+		ret, err := netfilter.TargetRevision(t, outPtr, header.IPv4ProtocolNumber)
+		if err != nil {
+			return nil, err
+		}
+		return &ret, nil
+
 	default:
 		emitUnimplementedEventIP(t, name)
 	}
author	Kevin Krakauer <krakauer@google.com>	2020-09-29 15:00:55 -0700
committer	gVisor bot <gvisor-bot@google.com>	2020-09-29 15:02:25 -0700
commit	7fbb45e8ed82c118338c38fb71e7ff50addaa653 (patch)
tree	3c99df9f7afa58b66ce0c748697f9789b1551a67 /pkg/sentry/socket/netstack
parent	1d88bce55e0c8ef77e31863d264b896493dce90f (diff)