author | Kevin Krakauer <krakauer@google.com> | 2020-01-08 20:05:02 -0800 |
---|---|---|
committer | Kevin Krakauer <krakauer@google.com> | 2020-01-08 20:05:02 -0800 |
commit | 06e2366e964e41ade24a699b6fd650512270b975 (patch) | |
tree | 7a8a1f9427caedb725ae6804c7c69cb9d606c519 /pkg/tcpip/iptables | |
parent | 0999ae8b34d83a4b2ea8342d0459c8131c35d6e1 (diff) | |
parent | ae060a63d9ad1bfb65b84a2ccbaf2893c5a50b76 (diff) |
Merge branch 'iptables-write' into iptables-write-input-drop
Diffstat (limited to 'pkg/tcpip/iptables')
-rw-r--r-- | pkg/tcpip/iptables/iptables.go | 6 | ||||
-rw-r--r-- | pkg/tcpip/iptables/targets.go | 15 |
2 files changed, 13 insertions, 8 deletions
diff --git a/pkg/tcpip/iptables/iptables.go b/pkg/tcpip/iptables/iptables.go
index aff8a680b..91abbbea8 100644
--- a/pkg/tcpip/iptables/iptables.go
+++ b/pkg/tcpip/iptables/iptables.go
@@ -52,7 +52,7 @@ func DefaultTables() IPTables {
 Rule{Target: UnconditionalAcceptTarget{}},
 Rule{Target: UnconditionalAcceptTarget{}},
 Rule{Target: UnconditionalAcceptTarget{}},
- Rule{Target: PanicTarget{}},
+ Rule{Target: ErrorTarget{}},
 },
 BuiltinChains: map[Hook]int{
 Prerouting: 0,
@@ -72,7 +72,7 @@ func DefaultTables() IPTables {
 Rules: []Rule{
 Rule{Target: UnconditionalAcceptTarget{}},
 Rule{Target: UnconditionalAcceptTarget{}},
- Rule{Target: PanicTarget{}},
+ Rule{Target: ErrorTarget{}},
 },
 BuiltinChains: map[Hook]int{
 Prerouting: 0,
@@ -89,7 +89,7 @@ func DefaultTables() IPTables {
 Rule{Target: UnconditionalAcceptTarget{}},
 Rule{Target: UnconditionalAcceptTarget{}},
 Rule{Target: UnconditionalAcceptTarget{}},
- Rule{Target: PanicTarget{}},
+ Rule{Target: ErrorTarget{}},
 },
 BuiltinChains: map[Hook]int{
 Input: 0,
diff --git a/pkg/tcpip/iptables/targets.go b/pkg/tcpip/iptables/targets.go
index cb3ac1aff..8180dcefd 100644
--- a/pkg/tcpip/iptables/targets.go
+++ b/pkg/tcpip/iptables/targets.go
@@ -16,7 +16,10 @@ package iptables
-import "gvisor.dev/gvisor/pkg/tcpip"
+import (
+ "gvisor.dev/gvisor/pkg/log"
+ "gvisor.dev/gvisor/pkg/tcpip"
+)
 // UnconditionalAcceptTarget accepts all packets.
 type UnconditionalAcceptTarget struct{}
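Review bot: The trailing `Rule{Target: ErrorTarget{}}` entry in the first `DefaultTables` hunk (and the identical lines in the hunks at -72 and -89) has no comment saying what it is for. From the type's doc comment in targets.go it appears to be a should-never-be-reached entry at the end of each table's rule list, and with this change reaching it becomes a logged drop instead of a crash. A one-line comment at each site, e.g. `// Sentinel: must be unreachable; a packet that gets here is dropped.`, would make that fail-closed behaviour visible to whoever edits the default rule sets next. DefaultTables starts and ends outside these hunks, so whether the rule indices in `BuiltinChains` can ever point at this entry cannot be checked from here.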
@@ -34,10 +37,12 @@ func (UnconditionalDropTarget) Action(packet tcpip.PacketBuffer) (Verdict, strin
 return Drop, ""
 }
-// PanicTarget just panics. It represents a target that should be unreachable.
-type PanicTarget struct{}
+// ErrorTarget logs an error and drops the packet. It represents a target that
+// should be unreachable.
+type ErrorTarget struct{}
 // Actions implements Target.Action.
-func (PanicTarget) Action(packet tcpip.PacketBuffer) (Verdict, string) {
- panic("PanicTarget triggered.")
+func (ErrorTarget) Action(packet tcpip.PacketBuffer) (Verdict, string) {
+ log.Warningf("ErrorTarget triggered.")
+ return Drop, ""
 } |
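Review bot: `ErrorTarget.Action` emits `log.Warningf("ErrorTarget triggered.")` once per packet, with no throttling and nothing identifying the table being traversed. If a bad rule set ever routes traffic here, log volume is set by whoever is sending the packets, and the operator still cannot tell which table is broken. Consider rate-limiting the message (or logging it once) and, if the traversal code can supply it, reporting the table or hook from the call site. The type comment says it "logs an error" while the call is at warning level; either word it as `// ErrorTarget logs a warning and drops the packet.` or raise the level. The context line `// Actions implements Target.Action.` should read `// Action implements Target.Action.` to match the method name.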