author | Kevin Krakauer <krakauer@google.com> | 2020-10-29 14:26:48 -0700 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2020-10-29 14:28:56 -0700 |
commit | 181fea0b58f2e13a469a34eb0b921b169d292a9d (patch) | |
tree | f5a63da72ff07f333688599abeb420b7826c4123 /pkg/sentry | |
parent | b9f18fe2f1ad0c8547e2bd66d1cd3bbbddfbddda (diff) |
Make RedirectTarget thread safe
Fixes #4613.
PiperOrigin-RevId: 339746784
Diffstat (limited to 'pkg/sentry')
-rw-r--r-- | pkg/sentry/socket/netfilter/netfilter.go | 2 | ||||
-rw-r--r-- | pkg/sentry/socket/netfilter/targets.go | 24 |
2 files changed, 16 insertions, 10 deletions
diff --git a/pkg/sentry/socket/netfilter/netfilter.go b/pkg/sentry/socket/netfilter/netfilter.go
index a237f8f6d..b283d7229 100644
--- a/pkg/sentry/socket/netfilter/netfilter.go
+++ b/pkg/sentry/socket/netfilter/netfilter.go
@@ -57,7 +57,7 @@ var nameToID = map[string]stack.TableID{
 }
 
 // DefaultLinuxTables returns the rules of stack.DefaultTables() wrapped for
-// compatability with netfilter extensions.
+// compatibility with netfilter extensions.
 func DefaultLinuxTables() *stack.IPTables {
 	tables := stack.DefaultTables()
 	tables.VisitTargets(func(oldTarget stack.Target) stack.Target {
diff --git a/pkg/sentry/socket/netfilter/targets.go b/pkg/sentry/socket/netfilter/targets.go
index 2dea3b419..f2653d523 100644
--- a/pkg/sentry/socket/netfilter/targets.go
+++ b/pkg/sentry/socket/netfilter/targets.go
@@ -118,6 +118,10 @@ func (rt *returnTarget) id() targetID {
 
 type redirectTarget struct {
 	stack.RedirectTarget
+
+	// addr must be (un)marshalled when reading and writing the target to
+	// userspace, but does not affect behavior.
+	addr tcpip.Address
 }
 
 func (rt *redirectTarget) id() targetID {
@@ -296,7 +300,7 @@ func (*redirectTargetMaker) unmarshal(buf []byte, filter stack.IPHeaderFilter) (
 	binary.Unmarshal(buf, usermem.ByteOrder, &rt)
 
 	// Copy linux.XTRedirectTarget to stack.RedirectTarget.
-	target := redirectTarget{stack.RedirectTarget{
+	target := redirectTarget{RedirectTarget: stack.RedirectTarget{
 		NetworkProtocol: filter.NetworkProtocol(),
 	}}
 
@@ -326,7 +330,7 @@ func (*redirectTargetMaker) unmarshal(buf []byte, filter stack.IPHeaderFilter) (
 		return nil, syserr.ErrInvalidArgument
 	}
 
-	target.Addr = tcpip.Address(nfRange.RangeIPV4.MinIP[:])
+	target.addr = tcpip.Address(nfRange.RangeIPV4.MinIP[:])
 	target.Port = ntohs(nfRange.RangeIPV4.MinPort)
 
 	return &target, nil
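Review bot: The new comment on `addr` in the `redirectTarget` struct says the field does not affect behavior but not what it holds or why it is carried at all, which is exactly what a reader of the later marshal/unmarshal hunks will ask. Suggest spelling it out: `// addr is the address userspace supplied in the target's NAT range. Redirection itself is driven by the embedded stack.RedirectTarget, which does not consume it; the value is kept only so that marshal can hand back what unmarshal read.` The diffstat is limited to pkg/sentry, so the stack-side change this field stands in for (presumably the removal of an Addr field from stack.RedirectTarget, which is what would make the rule safe to share across packets) is not visible here, and a pointer to it in the commit description would help anyone bisecting the thread-safety fix later.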
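Review bot: After this change `addr` is populated with two apparently different widths — `target.addr = tcpip.Address(nfRange.RangeIPV4.MinIP[:])` in the redirectTargetMaker.unmarshal hunk slices what looks like a 4-byte IPv4 array, while the nfNATTargetMaker.unmarshal hunk slices `natRange.MinAddr[:]`, presumably the 16-byte nf_inet_addr form — and nfNATTargetMaker.marshal then does `copy(nt.Range.MinAddr[:], rt.addr)`, which silently copies however many bytes happen to be there. Nothing in the diff states which length a `redirectTarget` is expected to carry, so a target created by one maker and marshalled by the other depends on both sides tolerating either width. Worth either normalising to one representation in unmarshal or stating the accepted lengths in the field comment, e.g. `// addr is 4 bytes when parsed from XTRedirectTarget and 16 bytes when parsed from NFNATRange; marshal copies whatever length is present.` (confirm the array sizes against the linux ABI definitions before committing to that wording). Both unmarshal functions start outside their hunks.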
@@ -361,8 +365,8 @@ func (*nfNATTargetMaker) marshal(target target) []byte {
 		},
 	}
 	copy(nt.Target.Name[:], RedirectTargetName)
-	copy(nt.Range.MinAddr[:], rt.Addr)
-	copy(nt.Range.MaxAddr[:], rt.Addr)
+	copy(nt.Range.MinAddr[:], rt.addr)
+	copy(nt.Range.MaxAddr[:], rt.addr)
 	nt.Range.MinProto = htons(rt.Port)
 	nt.Range.MaxProto = nt.Range.MinProto
 
@@ -403,11 +407,13 @@ func (*nfNATTargetMaker) unmarshal(buf []byte, filter stack.IPHeaderFilter) (tar
 		return nil, syserr.ErrInvalidArgument
 	}
 
-	target := redirectTarget{stack.RedirectTarget{
-		NetworkProtocol: filter.NetworkProtocol(),
-		Addr: tcpip.Address(natRange.MinAddr[:]),
-		Port: ntohs(natRange.MinProto),
-	}}
+	target := redirectTarget{
+		RedirectTarget: stack.RedirectTarget{
+			NetworkProtocol: filter.NetworkProtocol(),
+			Port: ntohs(natRange.MinProto),
+		},
+		addr: tcpip.Address(natRange.MinAddr[:]),
+	}
 
 	return &target, nil
 }