diff options
| author | Ghanan Gowripalan <ghanan@google.com> | 2021-10-01 11:47:11 -0700 |
|---|---|---|
| committer | gVisor bot <gvisor-bot@google.com> | 2021-10-01 11:49:25 -0700 |
| commit | 788bbc2904983417efe430cc5c66b3af990d3bfe (patch) | |
| tree | 8ab6dd08b4da36bc3fea87d2b83748d120625fcc /pkg/tcpip/stack | |
| parent | 8073370009aeccaffa7885ab073e630f644fafe6 (diff) | |
Drop IPTables.checkPackets
...and have `CheckOutputPackets`, `CheckPostroutingPackets` call their
equivalent methods that operate on a single packet buffer directly.
This is so that the `Check{Output, Postrouting}Packets` methods may
leverage any hook-specific work that `Check{Output, Postrouting}`
may perform.
Note: Later changes will add hook-specific logic to the
`Check{Output, Postrouting}` methods.
PiperOrigin-RevId: 400255651
Diffstat (limited to 'pkg/tcpip/stack')
| -rw-r--r-- | pkg/tcpip/stack/iptables.go | 19 |
1 files changed, 8 insertions, 11 deletions
diff --git a/pkg/tcpip/stack/iptables.go b/pkg/tcpip/stack/iptables.go index c0ed65ece..dcba7eba6 100644 --- a/pkg/tcpip/stack/iptables.go +++ b/pkg/tcpip/stack/iptables.go @@ -431,7 +431,9 @@ func (it *IPTables) startReaper(interval time.Duration) { // // Precondition: The packets' network and transport header must be set. func (it *IPTables) CheckOutputPackets(pkts PacketBufferList, r *Route, outNicName string) (drop map[*PacketBuffer]struct{}, natPkts map[*PacketBuffer]struct{}) { - return it.checkPackets(Output, pkts, r, nil /* addressEP */, outNicName) + return checkPackets(pkts, func(pkt *PacketBuffer) bool { + return it.CheckOutput(pkt, r, outNicName) + }) } // CheckPostroutingPackets performs the postrouting hook on the packets. @@ -440,20 +442,15 @@ func (it *IPTables) CheckOutputPackets(pkts PacketBufferList, r *Route, outNicNa // // Precondition: The packets' network and transport header must be set. func (it *IPTables) CheckPostroutingPackets(pkts PacketBufferList, r *Route, addressEP AddressableEndpoint, outNicName string) (drop map[*PacketBuffer]struct{}, natPkts map[*PacketBuffer]struct{}) { - return it.checkPackets(Postrouting, pkts, r, addressEP, outNicName) + return checkPackets(pkts, func(pkt *PacketBuffer) bool { + return it.CheckPostrouting(pkt, r, addressEP, outNicName) + }) } -// checkPackets runs pkts through the rules for hook and returns a map of -// packets that should not go forward. -// -// NOTE: unlike the Check API the returned map contains packets that should be -// dropped. -// -// Precondition: The packets' network and transport header must be set. -func (it *IPTables) checkPackets(hook Hook, pkts PacketBufferList, r *Route, addressEP AddressableEndpoint, outNicName string) (drop map[*PacketBuffer]struct{}, natPkts map[*PacketBuffer]struct{}) { +func checkPackets(pkts PacketBufferList, f func(*PacketBuffer) bool) (drop map[*PacketBuffer]struct{}, natPkts map[*PacketBuffer]struct{}) { for pkt := pkts.Front(); pkt != nil; pkt = pkt.Next() { if !pkt.NatDone { - if ok := it.check(hook, pkt, r, addressEP, "" /* inNicName */, outNicName); !ok { + if ok := f(pkt); !ok { if drop == nil { drop = make(map[*PacketBuffer]struct{}) } |