Merge pull request #1528 from kevinGC:iptables-write

PiperOrigin-RevId: 289479774
author: gVisor bot <gvisor-bot@google.com> 2020-01-13 11:26:26 -0800
committer: gVisor bot <gvisor-bot@google.com> 2020-01-13 11:26:26 -0800
commit: b30cfb1df72e201c6caf576bbef8fcc968df2d41 (patch)
tree: 4e99dc335d774e201b42258eacacb01a40bf8a84 /pkg/sentry/socket/netstack
parent: f54b9c0ee6e02f9c8bf32aa268c9028ff741bf7c (diff)
parent: ae060a63d9ad1bfb65b84a2ccbaf2893c5a50b76 (diff)
1 files changed, 20 insertions, 0 deletions
diff --git a/pkg/sentry/socket/netstack/netstack.go b/pkg/sentry/socket/netstack/netstack.go
index 0affb8071..099319327 100644
--- a/pkg/sentry/socket/netstack/netstack.go
+++ b/pkg/sentry/socket/netstack/netstack.go
@@ -1377,6 +1377,26 @@ func (s *SocketOperations) SetSockOpt(t *kernel.Task, level int, name int, optVa
 		return nil
 	}
 
+	if s.skType == linux.SOCK_RAW && level == linux.IPPROTO_IP {
+		switch name {
+		case linux.IPT_SO_SET_REPLACE:
+			if len(optVal) < linux.SizeOfIPTReplace {
+				return syserr.ErrInvalidArgument
+			}
+
+			stack := inet.StackFromContext(t)
+			if stack == nil {
+				return syserr.ErrNoDevice
+			}
+			// Stack must be a netstack stack.
+			return netfilter.SetEntries(stack.(*Stack).Stack, optVal)
+
+		case linux.IPT_SO_SET_ADD_COUNTERS:
+			// TODO(gvisor.dev/issue/170): Counter support.
+			return nil
+		}
+	}
+
 	return SetSockOpt(t, s, s.Endpoint, level, name, optVal)
 }
author	gVisor bot <gvisor-bot@google.com>	2020-01-13 11:26:26 -0800
committer	gVisor bot <gvisor-bot@google.com>	2020-01-13 11:26:26 -0800
commit	b30cfb1df72e201c6caf576bbef8fcc968df2d41 (patch)
tree	4e99dc335d774e201b42258eacacb01a40bf8a84 /pkg/sentry/socket/netstack
parent	f54b9c0ee6e02f9c8bf32aa268c9028ff741bf7c (diff)
parent	ae060a63d9ad1bfb65b84a2ccbaf2893c5a50b76 (diff)