authorKevin Krakauer <krakauer@google.com>2020-08-19 13:45:20 -0700
committerAndrei Vagin <avagin@gmail.com>2020-09-09 17:53:10 -0700
commit167b2efc94816b0ff823e12c22023c3ccbd16ae9 (patch)
treef14ba9b84d13027dd13c672ef53c24ce818e2d2b /pkg/sentry/socket/netstack
parent2915cc7f49ed03466badb0e940b765837afe64d2 (diff)
ip6tables: move ipv4-specific logic into its own file
A later change will introduce the equivalent IPv6 logic (#3549). PiperOrigin-RevId: 327499064
Diffstat (limited to 'pkg/sentry/socket/netstack')
-rw-r--r--pkg/sentry/socket/netstack/netstack.go13
-rw-r--r--pkg/sentry/socket/netstack/netstack_vfs2.go13
2 files changed, 22 insertions, 4 deletions
diff --git a/pkg/sentry/socket/netstack/netstack.go b/pkg/sentry/socket/netstack/netstack.go
index e4846bc0b..0e5913b60 100644
--- a/pkg/sentry/socket/netstack/netstack.go
+++ b/pkg/sentry/socket/netstack/netstack.go
@@ -949,6 +949,9 @@ func (s *SocketOperations) GetSockOpt(t *kernel.Task, level, name int, outPtr us
if outLen < linux.SizeOfIPTGetinfo {
return nil, syserr.ErrInvalidArgument
}
+ if s.family != linux.AF_INET {
+ return nil, syserr.ErrInvalidArgument
+ }
stack := inet.StackFromContext(t)
if stack == nil {
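Review bot: The new `s.family != linux.AF_INET` guard returns EINVAL, but Linux — as far as I recall — hands SOL_IP iptables options on a non-AF_INET raw socket to ipv6_getsockopt, which fails with ENOPROTOOPT, so a caller probing for IPv4 iptables support would see "bad argument" instead of "option not available on this socket". If the syserr package carries an ENOPROTOOPT error (I believe `syserr.ErrProtocolNotAvailable`), `return nil, syserr.ErrProtocolNotAvailable` would track the host more closely. The guard would also read better placed before the `outLen` check, since Linux resolves the protocol family before it looks at buffer length; as written, a short buffer on an AF_INET6 socket is reported as a size error. A one-line comment such as `// IPv4 tables are only reachable from AF_INET sockets; IPv6 will get its own path.` would record the intent. GetSockOpt continues outside the hunk.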
@@ -964,12 +967,15 @@ func (s *SocketOperations) GetSockOpt(t *kernel.Task, level, name int, outPtr us
if outLen < linux.SizeOfIPTGetEntries {
return nil, syserr.ErrInvalidArgument
}
+ if s.family != linux.AF_INET {
+ return nil, syserr.ErrInvalidArgument
+ }
stack := inet.StackFromContext(t)
if stack == nil {
return nil, syserr.ErrNoDevice
}
- entries, err := netfilter.GetEntries(t, stack.(*Stack).Stack, outPtr, outLen)
+ entries, err := netfilter.GetEntries4(t, stack.(*Stack).Stack, outPtr, outLen)
if err != nil {
return nil, err
}
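Review bot: The identical three-line `s.family != linux.AF_INET` guard is now repeated in every IPT_SO_* case, and this hunk also renames the helper to `GetEntries4` without a comment stating that the entries path is IPv4-only. Given the commit message promises a parallel IPv6 path, a small per-socket helper (for example `func (s *SocketOperations) checkIPTablesFamily() *syserr.Error`) called once per case would keep the IPv4 and forthcoming IPv6 guards from drifting between cases and between netstack.go and netstack_vfs2.go. A short doc line at this case, `// IPT_SO_GET_ENTRIES copies the IPv4 table out; non-AF_INET sockets were rejected above.`, would orient the next reader. Note that `stack.(*Stack)` on the GetEntries4 line is a pre-existing unchecked assertion, untouched here. GetSockOpt continues outside the hunk.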
@@ -1650,12 +1656,15 @@ func (s *SocketOperations) SetSockOpt(t *kernel.Task, level int, name int, optVa
return nil
}
- if s.skType == linux.SOCK_RAW && level == linux.IPPROTO_IP {
+ if s.skType == linux.SOCK_RAW && level == linux.SOL_IP {
switch name {
case linux.IPT_SO_SET_REPLACE:
if len(optVal) < linux.SizeOfIPTReplace {
return syserr.ErrInvalidArgument
}
+ if s.family != linux.AF_INET {
+ return syserr.ErrInvalidArgument
+ }
stack := inet.StackFromContext(t)
if stack == nil {
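Review bot: The switch from `linux.IPPROTO_IP` to `linux.SOL_IP` on the outer condition is, to my knowledge, a no-op on Linux (both constants are 0), so behaviour is unchanged, but nothing in the hunk explains the rename and a reader comparing it with the GetSockOpt condition (outside this hunk) may wonder whether the two paths now differ. A comment above the `if`, `// iptables options live at level SOL_IP (== IPPROTO_IP) and only apply to AF_INET raw sockets.`, would settle it. As in GetSockOpt, the family check sits after the `len(optVal)` check, so an AF_INET6 raw socket with a short buffer is rejected for the wrong reason; moving `if s.family != linux.AF_INET { return syserr.ErrInvalidArgument }` to the top of the IPT_SO_SET_REPLACE case keeps the rejection reason unambiguous. SetSockOpt continues outside the hunk.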
diff --git a/pkg/sentry/socket/netstack/netstack_vfs2.go b/pkg/sentry/socket/netstack/netstack_vfs2.go
index 3335e7430..1db8ae491 100644
--- a/pkg/sentry/socket/netstack/netstack_vfs2.go
+++ b/pkg/sentry/socket/netstack/netstack_vfs2.go
@@ -239,6 +239,9 @@ func (s *SocketVFS2) GetSockOpt(t *kernel.Task, level, name int, outPtr usermem.
if outLen < linux.SizeOfIPTGetinfo {
return nil, syserr.ErrInvalidArgument
}
+ if s.family != linux.AF_INET {
+ return nil, syserr.ErrInvalidArgument
+ }
stack := inet.StackFromContext(t)
if stack == nil {
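Review bot: This VFS2 guard returns `syserr.ErrInvalidArgument` for a non-AF_INET socket, which I believe diverges from Linux, where SOL_IP iptables getsockopt calls on an AF_INET6 raw socket end in ENOPROTOOPT; whichever errno is chosen, it should be the same one the VFS1 path in netstack.go uses so the two file systems cannot be told apart by probing. The check is also placed after the `outLen` check, so family mismatches on short buffers surface as size errors; putting the family check first would match the order in which Linux rejects. A comment on the guard, `// Only AF_INET sockets may read the IPv4 tables.`, would document why the family is consulted here. SocketVFS2.GetSockOpt continues outside the hunk.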
@@ -254,12 +257,15 @@ func (s *SocketVFS2) GetSockOpt(t *kernel.Task, level, name int, outPtr usermem.
if outLen < linux.SizeOfIPTGetEntries {
return nil, syserr.ErrInvalidArgument
}
+ if s.family != linux.AF_INET {
+ return nil, syserr.ErrInvalidArgument
+ }
stack := inet.StackFromContext(t)
if stack == nil {
return nil, syserr.ErrNoDevice
}
- entries, err := netfilter.GetEntries(t, stack.(*Stack).Stack, outPtr, outLen)
+ entries, err := netfilter.GetEntries4(t, stack.(*Stack).Stack, outPtr, outLen)
if err != nil {
return nil, err
}
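Review bot: The IPT_SO_GET_ENTRIES body here is now byte-for-byte the same as the one in netstack.go (size check, family check, stack lookup, `GetEntries4`), and the VFS1/VFS2 split means every future tweak — including the promised IPv6 variant — has to be applied twice or the two paths silently disagree. Factoring the option handling into one package-level function taking the socket's family and skType, called from both GetSockOpt implementations, would remove that risk; I would describe it as a helper rather than quote it, since it is the whole case body. At minimum a comment, `// Keep in sync with SocketOperations.GetSockOpt in netstack.go.`, flags the coupling. SocketVFS2.GetSockOpt continues outside the hunk.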
@@ -298,12 +304,15 @@ func (s *SocketVFS2) SetSockOpt(t *kernel.Task, level int, name int, optVal []by
return nil
}
- if s.skType == linux.SOCK_RAW && level == linux.IPPROTO_IP {
+ if s.skType == linux.SOCK_RAW && level == linux.SOL_IP {
switch name {
case linux.IPT_SO_SET_REPLACE:
if len(optVal) < linux.SizeOfIPTReplace {
return syserr.ErrInvalidArgument
}
+ if s.family != linux.AF_INET {
+ return syserr.ErrInvalidArgument
+ }
stack := inet.StackFromContext(t)
if stack == nil {
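Review bot: The `level == linux.SOL_IP` rename and the new family guard mirror netstack.go, but neither file comments that SOL_IP and IPPROTO_IP are the same level value on Linux, so the rename reads as a behaviour change when it is not (as far as I can tell). A comment such as `// SOL_IP == IPPROTO_IP; iptables replacement is only valid on AF_INET raw sockets.` would clarify that. The family check again follows the `len(optVal) < linux.SizeOfIPTReplace` check; hoisting it to the first statement of the IPT_SO_SET_REPLACE case makes an AF_INET6 socket fail for the family reason regardless of buffer size, matching the VFS1 ordering you choose. SocketVFS2.SetSockOpt continues outside the hunk.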