diff options
| author | gVisor bot <gvisor-bot@google.com> | 2020-03-16 18:17:16 +0000 |
|---|---|---|
| committer | gVisor bot <gvisor-bot@google.com> | 2020-03-16 18:17:16 +0000 |
| commit | f364c384715dba6d78df15b7d5229d7d6772ab34 (patch) | |
| tree | c1e1a6c473455e58eb3be7af60d799b4ee53b75e /pkg/sentry/socket | |
| parent | 92305e29a3911a29e94a1bc70d488a6f67011660 (diff) | |
| parent | 159a230b9b8483317bf7ac6cf3113d73a1dcf702 (diff) | |
Merge release-20200219.0-181-g159a230 (automated)
Diffstat (limited to 'pkg/sentry/socket')
| -rw-r--r-- | pkg/sentry/socket/netfilter/netfilter.go | 21 |
1 files changed, 15 insertions, 6 deletions
diff --git a/pkg/sentry/socket/netfilter/netfilter.go b/pkg/sentry/socket/netfilter/netfilter.go index e57ef02a1..b5b9be46f 100644 --- a/pkg/sentry/socket/netfilter/netfilter.go +++ b/pkg/sentry/socket/netfilter/netfilter.go @@ -703,25 +703,34 @@ func filterFromIPTIP(iptip linux.IPTIP) (iptables.IPHeaderFilter, error) { if containsUnsupportedFields(iptip) { return iptables.IPHeaderFilter{}, fmt.Errorf("unsupported fields in struct iptip: %+v", iptip) } + if len(iptip.Dst) != header.IPv4AddressSize || len(iptip.DstMask) != header.IPv4AddressSize { + return iptables.IPHeaderFilter{}, fmt.Errorf("incorrect length of destination (%d) and/or destination mask (%d) fields", len(iptip.Dst), len(iptip.DstMask)) + } return iptables.IPHeaderFilter{ - Protocol: tcpip.TransportProtocolNumber(iptip.Protocol), + Protocol: tcpip.TransportProtocolNumber(iptip.Protocol), + Dst: tcpip.Address(iptip.Dst[:]), + DstMask: tcpip.Address(iptip.DstMask[:]), + DstInvert: iptip.InverseFlags&linux.IPT_INV_DSTIP != 0, }, nil } func containsUnsupportedFields(iptip linux.IPTIP) bool { - // Currently we check that everything except protocol is zeroed. + // The following features are supported: + // - Protocol + // - Dst and DstMask + // - The inverse destination IP check flag var emptyInetAddr = linux.InetAddr{} var emptyInterface = [linux.IFNAMSIZ]byte{} - return iptip.Dst != emptyInetAddr || - iptip.Src != emptyInetAddr || + // Disable any supported inverse flags. + inverseMask := uint8(linux.IPT_INV_DSTIP) + return iptip.Src != emptyInetAddr || iptip.SrcMask != emptyInetAddr || - iptip.DstMask != emptyInetAddr || iptip.InputInterface != emptyInterface || iptip.OutputInterface != emptyInterface || iptip.InputInterfaceMask != emptyInterface || iptip.OutputInterfaceMask != emptyInterface || iptip.Flags != 0 || - iptip.InverseFlags != 0 + iptip.InverseFlags&^inverseMask != 0 } func validUnderflow(rule iptables.Rule) bool { |