diff options
author | gVisor bot <gvisor-bot@google.com> | 2021-01-12 20:47:44 +0000 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2021-01-12 20:47:44 +0000 |
commit | fbc3a3d984eb113f7487e38ba55e5f813fc72aec (patch) | |
tree | d22a96c80f5f9a35c71687740e35c0021475d428 /pkg/tcpip | |
parent | 1ea6658d24215e9fbcdb693b00884e1bdbdcc95d (diff) | |
parent | 4e03e87547853523d4ff941935a6ef1712518c61 (diff) |
Merge release-20201216.0-87-g4e03e8754 (automated)
Diffstat (limited to 'pkg/tcpip')
-rw-r--r-- | pkg/tcpip/stack/conntrack.go | 14 | ||||
-rw-r--r-- | pkg/tcpip/stack/iptables.go | 66 | ||||
-rw-r--r-- | pkg/tcpip/stack/iptables_types.go | 10 |
3 files changed, 44 insertions, 46 deletions
diff --git a/pkg/tcpip/stack/conntrack.go b/pkg/tcpip/stack/conntrack.go index 9a17efcba..5e649cca6 100644 --- a/pkg/tcpip/stack/conntrack.go +++ b/pkg/tcpip/stack/conntrack.go @@ -142,19 +142,19 @@ func (cn *conn) timedOut(now time.Time) bool { // update the connection tracking state. // -// Precondition: ct.mu must be held. -func (ct *conn) updateLocked(tcpHeader header.TCP, hook Hook) { +// Precondition: cn.mu must be held. +func (cn *conn) updateLocked(tcpHeader header.TCP, hook Hook) { // Update the state of tcb. tcb assumes it's always initialized on the // client. However, we only need to know whether the connection is // established or not, so the client/server distinction isn't important. // TODO(gvisor.dev/issue/170): Add support in tcpconntrack to handle // other tcp states. - if ct.tcb.IsEmpty() { - ct.tcb.Init(tcpHeader) - } else if hook == ct.tcbHook { - ct.tcb.UpdateStateOutbound(tcpHeader) + if cn.tcb.IsEmpty() { + cn.tcb.Init(tcpHeader) + } else if hook == cn.tcbHook { + cn.tcb.UpdateStateOutbound(tcpHeader) } else { - ct.tcb.UpdateStateInbound(tcpHeader) + cn.tcb.UpdateStateInbound(tcpHeader) } } diff --git a/pkg/tcpip/stack/iptables.go b/pkg/tcpip/stack/iptables.go index 2d8c883cd..09c7811fa 100644 --- a/pkg/tcpip/stack/iptables.go +++ b/pkg/tcpip/stack/iptables.go @@ -45,13 +45,13 @@ const reaperDelay = 5 * time.Second func DefaultTables() *IPTables { return &IPTables{ v4Tables: [NumTables]Table{ - NATID: Table{ + NATID: { Rules: []Rule{ - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, }, BuiltinChains: [NumHooks]int{ Prerouting: 0, @@ -68,11 +68,11 @@ func DefaultTables() *IPTables { Postrouting: 3, }, }, - MangleID: Table{ + MangleID: { Rules: []Rule{ - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, }, BuiltinChains: [NumHooks]int{ Prerouting: 0, @@ -86,12 +86,12 @@ func DefaultTables() *IPTables { Postrouting: HookUnset, }, }, - FilterID: Table{ + FilterID: { Rules: []Rule{ - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, }, BuiltinChains: [NumHooks]int{ Prerouting: HookUnset, @@ -110,13 +110,13 @@ func DefaultTables() *IPTables { }, }, v6Tables: [NumTables]Table{ - NATID: Table{ + NATID: { Rules: []Rule{ - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, }, BuiltinChains: [NumHooks]int{ Prerouting: 0, @@ -133,11 +133,11 @@ func DefaultTables() *IPTables { Postrouting: 3, }, }, - MangleID: Table{ + MangleID: { Rules: []Rule{ - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, }, BuiltinChains: [NumHooks]int{ Prerouting: 0, @@ -151,12 +151,12 @@ func DefaultTables() *IPTables { Postrouting: HookUnset, }, }, - FilterID: Table{ + FilterID: { Rules: []Rule{ - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, }, BuiltinChains: [NumHooks]int{ Prerouting: HookUnset, @@ -175,9 +175,9 @@ func DefaultTables() *IPTables { }, }, priorities: [NumHooks][]TableID{ - Prerouting: []TableID{MangleID, NATID}, - Input: []TableID{NATID, FilterID}, - Output: []TableID{MangleID, NATID, FilterID}, + Prerouting: {MangleID, NATID}, + Input: {NATID, FilterID}, + Output: {MangleID, NATID, FilterID}, }, connections: ConnTrack{ seed: generateRandUint32(), diff --git a/pkg/tcpip/stack/iptables_types.go b/pkg/tcpip/stack/iptables_types.go index 4b86c1be9..56a3e7861 100644 --- a/pkg/tcpip/stack/iptables_types.go +++ b/pkg/tcpip/stack/iptables_types.go @@ -56,7 +56,7 @@ const ( // Postrouting happens just before a packet goes out on the wire. Postrouting - // The total number of hooks. + // NumHooks is the total number of hooks. NumHooks ) @@ -273,14 +273,12 @@ func (fl IPHeaderFilter) match(pkt *PacketBuffer, hook Hook, nicName string) boo return true } - // If the interface name ends with '+', any interface which begins - // with the name should be matched. + // If the interface name ends with '+', any interface which + // begins with the name should be matched. ifName := fl.OutputInterface - matches := true + matches := nicName == ifName if strings.HasSuffix(ifName, "+") { matches = strings.HasPrefix(nicName, ifName[:n-1]) - } else { - matches = nicName == ifName } return fl.OutputInterfaceInvert != matches } |