diff options
author | Kevin Krakauer <krakauer@google.com> | 2020-01-13 16:06:29 -0800 |
---|---|---|
committer | Kevin Krakauer <krakauer@google.com> | 2020-01-13 16:06:29 -0800 |
commit | d51eaa59c020cca9b7bc27cec0338ead089f3ed6 (patch) | |
tree | 3b41776af9426496567573ed17698562daf39006 /pkg/tcpip/iptables | |
parent | d793677cd424fef10ac0b080871d181db0bcdec0 (diff) | |
parent | 1c3d3c70b93d483894dd49fb444171347f0ca250 (diff) |
Merge branch 'iptables-write-input-drop' into iptables-write-filter-proto
Diffstat (limited to 'pkg/tcpip/iptables')
-rw-r--r-- | pkg/tcpip/iptables/iptables.go | 27 | ||||
-rw-r--r-- | pkg/tcpip/iptables/targets.go | 2 |
2 files changed, 13 insertions, 16 deletions
diff --git a/pkg/tcpip/iptables/iptables.go b/pkg/tcpip/iptables/iptables.go index 3cff879a2..921546984 100644 --- a/pkg/tcpip/iptables/iptables.go +++ b/pkg/tcpip/iptables/iptables.go @@ -19,18 +19,17 @@ package iptables import ( "fmt" - "gvisor.dev/gvisor/pkg/log" "gvisor.dev/gvisor/pkg/tcpip" "gvisor.dev/gvisor/pkg/tcpip/header" ) +// Table names. const ( TablenameNat = "nat" TablenameMangle = "mangle" TablenameFilter = "filter" ) -// TODO: Make this an iota? Faster! Do it. // Chain names as defined by net/ipv4/netfilter/ip_tables.c. const ( ChainNamePrerouting = "PREROUTING" @@ -40,11 +39,15 @@ const ( ChainNamePostrouting = "POSTROUTING" ) +// HookUnset indicates that there is no hook set for an entrypoint or +// underflow. const HookUnset = -1 // DefaultTables returns a default set of tables. Each chain is set to accept // all packets. func DefaultTables() IPTables { + // TODO(gvisor.dev/issue/170): We may be able to swap out some strings for + // iotas. return IPTables{ Tables: map[string]Table{ TablenameNat: Table{ @@ -113,6 +116,8 @@ func DefaultTables() IPTables { } } +// EmptyFilterTable returns a Table with no rules and the filter table chains +// mapped to HookUnset. func EmptyFilterTable() Table { return Table{ Rules: []Rule{}, @@ -137,18 +142,15 @@ func (it *IPTables) Check(hook Hook, pkt tcpip.PacketBuffer) bool { // TODO(gvisor.dev/issue/170): A lot of this is uncomplicated because // we're missing features. Jumps, the call stack, etc. aren't checked // for yet because we're yet to support them. - log.Infof("kevin: iptables.IPTables: checking hook %v", hook) // Go through each table containing the hook. for _, tablename := range it.Priorities[hook] { - verdict := it.checkTable(hook, pkt, tablename) - switch verdict { + switch verdict := it.checkTable(hook, pkt, tablename); verdict { // If the table returns Accept, move on to the next table. case Accept: continue // The Drop verdict is final. case Drop: - log.Infof("kevin: Packet dropped") return false case Stolen, Queue, Repeat, None, Jump, Return, Continue: panic(fmt.Sprintf("Unimplemented verdict %v.", verdict)) @@ -156,21 +158,16 @@ func (it *IPTables) Check(hook Hook, pkt tcpip.PacketBuffer) bool { } // Every table returned Accept. - log.Infof("kevin: Packet accepted") return true } func (it *IPTables) checkTable(hook Hook, pkt tcpip.PacketBuffer, tablename string) Verdict { - log.Infof("kevin: iptables.IPTables: checking table %q", tablename) + // Start from ruleIdx and walk the list of rules until a rule gives us + // a verdict. table := it.Tables[tablename] - log.Infof("kevin: iptables.IPTables: table %+v", table) - - // Start from ruleIdx and go down until a rule gives us a verdict. for ruleIdx := table.BuiltinChains[hook]; ruleIdx < len(table.Rules); ruleIdx++ { - verdict := it.checkRule(hook, pkt, table, ruleIdx) - switch verdict { - // For either of these cases, this table is done with the - // packet. + switch verdict := it.checkRule(hook, pkt, table, ruleIdx); verdict { + // In either of these cases, this table is done with the packet. case Accept, Drop: return verdict // Continue traversing the rules of the table. diff --git a/pkg/tcpip/iptables/targets.go b/pkg/tcpip/iptables/targets.go index 8180dcefd..4dd281371 100644 --- a/pkg/tcpip/iptables/targets.go +++ b/pkg/tcpip/iptables/targets.go @@ -41,7 +41,7 @@ func (UnconditionalDropTarget) Action(packet tcpip.PacketBuffer) (Verdict, strin // should be unreachable. type ErrorTarget struct{} -// Actions implements Target.Action. +// Action implements Target.Action. func (ErrorTarget) Action(packet tcpip.PacketBuffer) (Verdict, string) { log.Warningf("ErrorTarget triggered.") return Drop, "" |