summaryrefslogtreecommitdiffhomepage
path: root/pkg/tcpip
diff options
context:
space:
mode:
authorgVisor bot <gvisor-bot@google.com>2021-01-12 20:47:44 +0000
committergVisor bot <gvisor-bot@google.com>2021-01-12 20:47:44 +0000
commitfbc3a3d984eb113f7487e38ba55e5f813fc72aec (patch)
treed22a96c80f5f9a35c71687740e35c0021475d428 /pkg/tcpip
parent1ea6658d24215e9fbcdb693b00884e1bdbdcc95d (diff)
parent4e03e87547853523d4ff941935a6ef1712518c61 (diff)
Merge release-20201216.0-87-g4e03e8754 (automated)
Diffstat (limited to 'pkg/tcpip')
-rw-r--r--pkg/tcpip/stack/conntrack.go14
-rw-r--r--pkg/tcpip/stack/iptables.go66
-rw-r--r--pkg/tcpip/stack/iptables_types.go10
3 files changed, 44 insertions, 46 deletions
diff --git a/pkg/tcpip/stack/conntrack.go b/pkg/tcpip/stack/conntrack.go
index 9a17efcba..5e649cca6 100644
--- a/pkg/tcpip/stack/conntrack.go
+++ b/pkg/tcpip/stack/conntrack.go
@@ -142,19 +142,19 @@ func (cn *conn) timedOut(now time.Time) bool {
// update the connection tracking state.
//
-// Precondition: ct.mu must be held.
-func (ct *conn) updateLocked(tcpHeader header.TCP, hook Hook) {
+// Precondition: cn.mu must be held.
+func (cn *conn) updateLocked(tcpHeader header.TCP, hook Hook) {
// Update the state of tcb. tcb assumes it's always initialized on the
// client. However, we only need to know whether the connection is
// established or not, so the client/server distinction isn't important.
// TODO(gvisor.dev/issue/170): Add support in tcpconntrack to handle
// other tcp states.
- if ct.tcb.IsEmpty() {
- ct.tcb.Init(tcpHeader)
- } else if hook == ct.tcbHook {
- ct.tcb.UpdateStateOutbound(tcpHeader)
+ if cn.tcb.IsEmpty() {
+ cn.tcb.Init(tcpHeader)
+ } else if hook == cn.tcbHook {
+ cn.tcb.UpdateStateOutbound(tcpHeader)
} else {
- ct.tcb.UpdateStateInbound(tcpHeader)
+ cn.tcb.UpdateStateInbound(tcpHeader)
}
}
diff --git a/pkg/tcpip/stack/iptables.go b/pkg/tcpip/stack/iptables.go
index 2d8c883cd..09c7811fa 100644
--- a/pkg/tcpip/stack/iptables.go
+++ b/pkg/tcpip/stack/iptables.go
@@ -45,13 +45,13 @@ const reaperDelay = 5 * time.Second
func DefaultTables() *IPTables {
return &IPTables{
v4Tables: [NumTables]Table{
- NATID: Table{
+ NATID: {
Rules: []Rule{
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
- Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
},
BuiltinChains: [NumHooks]int{
Prerouting: 0,
@@ -68,11 +68,11 @@ func DefaultTables() *IPTables {
Postrouting: 3,
},
},
- MangleID: Table{
+ MangleID: {
Rules: []Rule{
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
- Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
},
BuiltinChains: [NumHooks]int{
Prerouting: 0,
@@ -86,12 +86,12 @@ func DefaultTables() *IPTables {
Postrouting: HookUnset,
},
},
- FilterID: Table{
+ FilterID: {
Rules: []Rule{
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
- Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
+ {Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}},
},
BuiltinChains: [NumHooks]int{
Prerouting: HookUnset,
@@ -110,13 +110,13 @@ func DefaultTables() *IPTables {
},
},
v6Tables: [NumTables]Table{
- NATID: Table{
+ NATID: {
Rules: []Rule{
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
- Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
},
BuiltinChains: [NumHooks]int{
Prerouting: 0,
@@ -133,11 +133,11 @@ func DefaultTables() *IPTables {
Postrouting: 3,
},
},
- MangleID: Table{
+ MangleID: {
Rules: []Rule{
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
- Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
},
BuiltinChains: [NumHooks]int{
Prerouting: 0,
@@ -151,12 +151,12 @@ func DefaultTables() *IPTables {
Postrouting: HookUnset,
},
},
- FilterID: Table{
+ FilterID: {
Rules: []Rule{
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
- Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
- Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
+ {Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}},
},
BuiltinChains: [NumHooks]int{
Prerouting: HookUnset,
@@ -175,9 +175,9 @@ func DefaultTables() *IPTables {
},
},
priorities: [NumHooks][]TableID{
- Prerouting: []TableID{MangleID, NATID},
- Input: []TableID{NATID, FilterID},
- Output: []TableID{MangleID, NATID, FilterID},
+ Prerouting: {MangleID, NATID},
+ Input: {NATID, FilterID},
+ Output: {MangleID, NATID, FilterID},
},
connections: ConnTrack{
seed: generateRandUint32(),
diff --git a/pkg/tcpip/stack/iptables_types.go b/pkg/tcpip/stack/iptables_types.go
index 4b86c1be9..56a3e7861 100644
--- a/pkg/tcpip/stack/iptables_types.go
+++ b/pkg/tcpip/stack/iptables_types.go
@@ -56,7 +56,7 @@ const (
// Postrouting happens just before a packet goes out on the wire.
Postrouting
- // The total number of hooks.
+ // NumHooks is the total number of hooks.
NumHooks
)
@@ -273,14 +273,12 @@ func (fl IPHeaderFilter) match(pkt *PacketBuffer, hook Hook, nicName string) boo
return true
}
- // If the interface name ends with '+', any interface which begins
- // with the name should be matched.
+ // If the interface name ends with '+', any interface which
+ // begins with the name should be matched.
ifName := fl.OutputInterface
- matches := true
+ matches := nicName == ifName
if strings.HasSuffix(ifName, "+") {
matches = strings.HasPrefix(nicName, ifName[:n-1])
- } else {
- matches = nicName == ifName
}
return fl.OutputInterfaceInvert != matches
}