authorgVisor bot <gvisor-bot@google.com>2021-10-13 02:43:23 +0000
committergVisor bot <gvisor-bot@google.com>2021-10-13 02:43:23 +0000
commitb2060fe76850dc6decf14ed932b960927f7b406a (patch)
treed0dd763c6fdc328ee55cc6952597e03d21ab4d55 /pkg/tcpip/stack/conntrack.go
parenta9f38c9f9136635fa23540f2105060d202076d81 (diff)
parent747cb92460bc30983263fcd85562a8586842d824 (diff)
Merge release-20210927.0-67-g747cb9246 (automated)
Diffstat (limited to 'pkg/tcpip/stack/conntrack.go')
-rw-r--r--pkg/tcpip/stack/conntrack.go24
1 files changed, 16 insertions, 8 deletions
diff --git a/pkg/tcpip/stack/conntrack.go b/pkg/tcpip/stack/conntrack.go
index 48f290187..c9a8e72a3 100644
--- a/pkg/tcpip/stack/conntrack.go
+++ b/pkg/tcpip/stack/conntrack.go
@@ -409,18 +409,19 @@ func (cn *conn) performNATIfNoop(port uint16, address tcpip.Address, dnat bool)
}
}
-func (cn *conn) handlePacket(pkt *PacketBuffer, hook Hook, r *Route) {
- if pkt.NatDone {
- return
- }
-
+// handlePacket attempts to handle a packet and perform NAT if the connection
+// has had NAT performed on it.
+//
+// Returns true if the packet can skip the NAT table.
+func (cn *conn) handlePacket(pkt *PacketBuffer, hook Hook, r *Route) bool {
transportHeader, ok := getTransportHeader(pkt)
if !ok {
- return
+ return false
}
fullChecksum := false
updatePseudoHeader := false
+ natDone := &pkt.SNATDone
dnat := false
switch hook {
case Prerouting:
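Review bot: The new doc comment on handlePacket describes only the `true` result, so a reader cannot tell that `false` covers two different cases: no transport header could be parsed, and no manipulation was needed (the later `return false` under `!performManip`). I would extend it with something like `// Returns false if the transport header cannot be parsed or no NAT manipulation applies to this direction.` and add a short comment on `natDone := &pkt.SNATDone` saying that SNAT is the default and the Prerouting and Output cases switch it to DNAT. Because Go lets a call statement discard a result, a call site left as `cn.handlePacket(pkt, hook, r)` still compiles after this signature change; call sites are outside this file-limited diff, so it is worth confirming each one uses the bool. The function body continues outside this hunk.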
@@ -429,11 +430,13 @@ func (cn *conn) handlePacket(pkt *PacketBuffer, hook Hook, r *Route) {
fullChecksum = true
updatePseudoHeader = true
+ natDone = &pkt.DNATDone
dnat = true
case Input:
case Forward:
panic("should not handle packet in the forwarding hook")
case Output:
+ natDone = &pkt.DNATDone
dnat = true
fallthrough
case Postrouting:
@@ -447,6 +450,10 @@ func (cn *conn) handlePacket(pkt *PacketBuffer, hook Hook, r *Route) {
panic(fmt.Sprintf("unrecognized hook = %d", hook))
}
+ if *natDone {
+ panic(fmt.Sprintf("packet already had NAT(dnat=%t) performed at hook=%s; pkt=%#v", dnat, hook, pkt))
+ }
+
// TODO(gvisor.dev/issue/5748): TCP checksums on inbound packets should be
// validated if checksum offloading is off. It may require IP defrag if the
// packets are fragmented.
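Review bot: The new `if *natDone` guard turns a condition the old code tolerated (the removed early `return` on `pkt.NatDone`) into a panic on the packet path, and its message formats the whole packet with `pkt=%#v`. If any caller can reach handlePacket twice for the same NAT kind on one packet (callers are not visible in this diff), traffic could crash the network stack, and the dump may write packet contents into crash logs. I would state the invariant in a comment above the check, e.g. `// Callers must not invoke handlePacket twice for the same NAT kind on one packet.`, and keep the message to the fields needed to diagnose it: `panic(fmt.Sprintf("packet already had NAT(dnat=%t) performed at hook=%s", dnat, hook))`. The function body starts and continues outside this hunk.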
@@ -490,7 +497,7 @@ func (cn *conn) handlePacket(pkt *PacketBuffer, hook Hook, r *Route) {
return tuple.id(), true
}()
if !performManip {
- return
+ return false
}
newPort := tid.dstPort
@@ -510,7 +517,8 @@ func (cn *conn) handlePacket(pkt *PacketBuffer, hook Hook, r *Route) {
newAddr,
)
- pkt.NatDone = true
+ *natDone = true
+ return true
}
// bucket gets the conntrack bucket for a tupleID.