authorKevin Krakauer <krakauer@google.com>2020-01-08 20:05:02 -0800
committerKevin Krakauer <krakauer@google.com>2020-01-08 20:05:02 -0800
commit06e2366e964e41ade24a699b6fd650512270b975 (patch)
tree7a8a1f9427caedb725ae6804c7c69cb9d606c519 /pkg/tcpip/iptables
parent0999ae8b34d83a4b2ea8342d0459c8131c35d6e1 (diff)
parentae060a63d9ad1bfb65b84a2ccbaf2893c5a50b76 (diff)
Merge branch 'iptables-write' into iptables-write-input-drop
Diffstat (limited to 'pkg/tcpip/iptables')
-rw-r--r--pkg/tcpip/iptables/iptables.go6
-rw-r--r--pkg/tcpip/iptables/targets.go15
2 files changed, 13 insertions, 8 deletions
diff --git a/pkg/tcpip/iptables/iptables.go b/pkg/tcpip/iptables/iptables.go
index aff8a680b..91abbbea8 100644
--- a/pkg/tcpip/iptables/iptables.go
+++ b/pkg/tcpip/iptables/iptables.go
@@ -52,7 +52,7 @@ func DefaultTables() IPTables {
Rule{Target: UnconditionalAcceptTarget{}},
Rule{Target: UnconditionalAcceptTarget{}},
Rule{Target: UnconditionalAcceptTarget{}},
- Rule{Target: PanicTarget{}},
+ Rule{Target: ErrorTarget{}},
},
BuiltinChains: map[Hook]int{
Prerouting: 0,
@@ -72,7 +72,7 @@ func DefaultTables() IPTables {
Rules: []Rule{
Rule{Target: UnconditionalAcceptTarget{}},
Rule{Target: UnconditionalAcceptTarget{}},
- Rule{Target: PanicTarget{}},
+ Rule{Target: ErrorTarget{}},
},
BuiltinChains: map[Hook]int{
Prerouting: 0,
@@ -89,7 +89,7 @@ func DefaultTables() IPTables {
Rule{Target: UnconditionalAcceptTarget{}},
Rule{Target: UnconditionalAcceptTarget{}},
Rule{Target: UnconditionalAcceptTarget{}},
- Rule{Target: PanicTarget{}},
+ Rule{Target: ErrorTarget{}},
},
BuiltinChains: map[Hook]int{
Input: 0,
diff --git a/pkg/tcpip/iptables/targets.go b/pkg/tcpip/iptables/targets.go
index cb3ac1aff..8180dcefd 100644
--- a/pkg/tcpip/iptables/targets.go
+++ b/pkg/tcpip/iptables/targets.go
@@ -16,7 +16,10 @@
package iptables
-import "gvisor.dev/gvisor/pkg/tcpip"
+import (
+ "gvisor.dev/gvisor/pkg/log"
+ "gvisor.dev/gvisor/pkg/tcpip"
+)
// UnconditionalAcceptTarget accepts all packets.
type UnconditionalAcceptTarget struct{}
@@ -34,10 +37,12 @@ func (UnconditionalDropTarget) Action(packet tcpip.PacketBuffer) (Verdict, strin
return Drop, ""
}
-// PanicTarget just panics. It represents a target that should be unreachable.
-type PanicTarget struct{}
+// ErrorTarget logs an error and drops the packet. It represents a target that
+// should be unreachable.
+type ErrorTarget struct{}
// Actions implements Target.Action.
-func (PanicTarget) Action(packet tcpip.PacketBuffer) (Verdict, string) {
- panic("PanicTarget triggered.")
+func (ErrorTarget) Action(packet tcpip.PacketBuffer) (Verdict, string) {
+ log.Warningf("ErrorTarget triggered.")
+ return Drop, ""
}
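Review bot: `ErrorTarget.Action` logs a fixed string with no context, and its type comment says it "logs an error" while the call is `log.Warningf`. Action is invoked per packet, so if a malformed or hostile rule table ever reaches this target the same line would be written for every packet; nothing in this hunk limits that, so the call is worth rate limiting. The message should also say what happened, for example `log.Warningf("ErrorTarget triggered: dropping packet at a rule that should be unreachable")`. Returning `Drop` instead of panicking keeps the failure closed without taking down the network stack, which is worth stating in the type comment. The context comment above the method should read `// Action implements Target.Action.`, not `Actions`.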