authorKevin Krakauer <krakauer@google.com>2020-01-13 16:06:29 -0800
committerKevin Krakauer <krakauer@google.com>2020-01-13 16:06:29 -0800
commitd51eaa59c020cca9b7bc27cec0338ead089f3ed6 (patch)
tree3b41776af9426496567573ed17698562daf39006 /pkg/tcpip/iptables
parentd793677cd424fef10ac0b080871d181db0bcdec0 (diff)
parent1c3d3c70b93d483894dd49fb444171347f0ca250 (diff)
Merge branch 'iptables-write-input-drop' into iptables-write-filter-proto
Diffstat (limited to 'pkg/tcpip/iptables')
-rw-r--r--pkg/tcpip/iptables/iptables.go27
-rw-r--r--pkg/tcpip/iptables/targets.go2
2 files changed, 13 insertions, 16 deletions
diff --git a/pkg/tcpip/iptables/iptables.go b/pkg/tcpip/iptables/iptables.go
index 3cff879a2..921546984 100644
--- a/pkg/tcpip/iptables/iptables.go
+++ b/pkg/tcpip/iptables/iptables.go
@@ -19,18 +19,17 @@ package iptables
import (
"fmt"
- "gvisor.dev/gvisor/pkg/log"
"gvisor.dev/gvisor/pkg/tcpip"
"gvisor.dev/gvisor/pkg/tcpip/header"
)
+// Table names.
const (
TablenameNat = "nat"
TablenameMangle = "mangle"
TablenameFilter = "filter"
)
-// TODO: Make this an iota? Faster! Do it.
// Chain names as defined by net/ipv4/netfilter/ip_tables.c.
const (
ChainNamePrerouting = "PREROUTING"
@@ -40,11 +39,15 @@ const (
ChainNamePostrouting = "POSTROUTING"
)
+// HookUnset indicates that there is no hook set for an entrypoint or
+// underflow.
const HookUnset = -1
// DefaultTables returns a default set of tables. Each chain is set to accept
// all packets.
func DefaultTables() IPTables {
+ // TODO(gvisor.dev/issue/170): We may be able to swap out some strings for
+ // iotas.
return IPTables{
Tables: map[string]Table{
TablenameNat: Table{
@@ -113,6 +116,8 @@ func DefaultTables() IPTables {
}
}
+// EmptyFilterTable returns a Table with no rules and the filter table chains
+// mapped to HookUnset.
func EmptyFilterTable() Table {
return Table{
Rules: []Rule{},
@@ -137,18 +142,15 @@ func (it *IPTables) Check(hook Hook, pkt tcpip.PacketBuffer) bool {
// TODO(gvisor.dev/issue/170): A lot of this is uncomplicated because
// we're missing features. Jumps, the call stack, etc. aren't checked
// for yet because we're yet to support them.
- log.Infof("kevin: iptables.IPTables: checking hook %v", hook)
// Go through each table containing the hook.
for _, tablename := range it.Priorities[hook] {
- verdict := it.checkTable(hook, pkt, tablename)
- switch verdict {
+ switch verdict := it.checkTable(hook, pkt, tablename); verdict {
// If the table returns Accept, move on to the next table.
case Accept:
continue
// The Drop verdict is final.
case Drop:
- log.Infof("kevin: Packet dropped")
return false
case Stolen, Queue, Repeat, None, Jump, Return, Continue:
panic(fmt.Sprintf("Unimplemented verdict %v.", verdict))
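Review bot: The `panic` on the `Stolen, Queue, Repeat, None, Jump, Return, Continue` arm of the rewritten switch crashes the whole stack from the packet path, yet the verdict it reacts to comes from table contents (whatever `checkTable` reads out of the rules) rather than from a code invariant. Whether a caller can currently install a rule whose target yields one of these verdicts depends on the table-setting path, which is outside this hunk, but once it can, a single misconfigured rule takes down every connection instead of only affecting the packet it matches. A contained fallback would be `case Stolen, Queue, Repeat, None, Jump, Return, Continue:` followed by `// Unimplemented verdicts fail closed for this packet.` and `return false`, keeping the `panic` only for a truly impossible default branch. The body of `Check` continues past the end of this hunk.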
@@ -156,21 +158,16 @@ func (it *IPTables) Check(hook Hook, pkt tcpip.PacketBuffer) bool {
}
// Every table returned Accept.
- log.Infof("kevin: Packet accepted")
return true
}
func (it *IPTables) checkTable(hook Hook, pkt tcpip.PacketBuffer, tablename string) Verdict {
- log.Infof("kevin: iptables.IPTables: checking table %q", tablename)
+ // Start from ruleIdx and walk the list of rules until a rule gives us
+ // a verdict.
table := it.Tables[tablename]
- log.Infof("kevin: iptables.IPTables: table %+v", table)
-
- // Start from ruleIdx and go down until a rule gives us a verdict.
for ruleIdx := table.BuiltinChains[hook]; ruleIdx < len(table.Rules); ruleIdx++ {
- verdict := it.checkRule(hook, pkt, table, ruleIdx)
- switch verdict {
- // For either of these cases, this table is done with the
- // packet.
+ switch verdict := it.checkRule(hook, pkt, table, ruleIdx); verdict {
+ // In either of these cases, this table is done with the packet.
case Accept, Drop:
return verdict
// Continue traversing the rules of the table.
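Review bot: The loop start `ruleIdx := table.BuiltinChains[hook]` is never compared against `HookUnset`, which this same commit introduces as `-1` and which `EmptyFilterTable` now stores for every chain; a table whose `Rules` is non-empty but whose chain for `hook` is unset enters the loop with `ruleIdx == -1`, and if `checkRule` indexes `table.Rules[ruleIdx]` (its body is outside the hunk) that is an out-of-range panic on the packet path. A guard before the loop, such as `if ruleIdx == HookUnset { /* fall through to the table's default verdict */ }`, would route the packet to whatever the post-loop code (outside this hunk) returns instead. The same lookup also silently yields a zero `Table` for an unknown `tablename`, which the rewritten comment might note so readers do not expect an error there. The body of `checkTable` continues past the end of this hunk.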
diff --git a/pkg/tcpip/iptables/targets.go b/pkg/tcpip/iptables/targets.go
index 8180dcefd..4dd281371 100644
--- a/pkg/tcpip/iptables/targets.go
+++ b/pkg/tcpip/iptables/targets.go
@@ -41,7 +41,7 @@ func (UnconditionalDropTarget) Action(packet tcpip.PacketBuffer) (Verdict, strin
// should be unreachable.
type ErrorTarget struct{}
-// Actions implements Target.Action.
+// Action implements Target.Action.
func (ErrorTarget) Action(packet tcpip.PacketBuffer) (Verdict, string) {
log.Warningf("ErrorTarget triggered.")
return Drop, ""