diff options
| author | gVisor bot <gvisor-bot@google.com> | 2021-10-01 18:53:35 +0000 |
|---|---|---|
| committer | gVisor bot <gvisor-bot@google.com> | 2021-10-01 18:53:35 +0000 |
| commit | 2975c4c6e8269685ca91c3cf97d63656fffaf5b6 (patch) | |
| tree | 5c4e8db2631b1d2224e81f7b02807120471d8c64 /pkg | |
| parent | f21e94dd8420e74576cdcc3501548e08c926ac52 (diff) | |
| parent | 788bbc2904983417efe430cc5c66b3af990d3bfe (diff) | |
Merge release-20210921.0-52-g788bbc290 (automated)
Diffstat (limited to 'pkg')
| -rw-r--r-- | pkg/tcpip/stack/iptables.go | 19 |
1 files changed, 8 insertions, 11 deletions
diff --git a/pkg/tcpip/stack/iptables.go b/pkg/tcpip/stack/iptables.go index c0ed65ece..dcba7eba6 100644 --- a/pkg/tcpip/stack/iptables.go +++ b/pkg/tcpip/stack/iptables.go @@ -431,7 +431,9 @@ func (it *IPTables) startReaper(interval time.Duration) { // // Precondition: The packets' network and transport header must be set. func (it *IPTables) CheckOutputPackets(pkts PacketBufferList, r *Route, outNicName string) (drop map[*PacketBuffer]struct{}, natPkts map[*PacketBuffer]struct{}) { - return it.checkPackets(Output, pkts, r, nil /* addressEP */, outNicName) + return checkPackets(pkts, func(pkt *PacketBuffer) bool { + return it.CheckOutput(pkt, r, outNicName) + }) } // CheckPostroutingPackets performs the postrouting hook on the packets. @@ -440,20 +442,15 @@ func (it *IPTables) CheckOutputPackets(pkts PacketBufferList, r *Route, outNicNa // // Precondition: The packets' network and transport header must be set. func (it *IPTables) CheckPostroutingPackets(pkts PacketBufferList, r *Route, addressEP AddressableEndpoint, outNicName string) (drop map[*PacketBuffer]struct{}, natPkts map[*PacketBuffer]struct{}) { - return it.checkPackets(Postrouting, pkts, r, addressEP, outNicName) + return checkPackets(pkts, func(pkt *PacketBuffer) bool { + return it.CheckPostrouting(pkt, r, addressEP, outNicName) + }) } -// checkPackets runs pkts through the rules for hook and returns a map of -// packets that should not go forward. -// -// NOTE: unlike the Check API the returned map contains packets that should be -// dropped. -// -// Precondition: The packets' network and transport header must be set. -func (it *IPTables) checkPackets(hook Hook, pkts PacketBufferList, r *Route, addressEP AddressableEndpoint, outNicName string) (drop map[*PacketBuffer]struct{}, natPkts map[*PacketBuffer]struct{}) { +func checkPackets(pkts PacketBufferList, f func(*PacketBuffer) bool) (drop map[*PacketBuffer]struct{}, natPkts map[*PacketBuffer]struct{}) { for pkt := pkts.Front(); pkt != nil; pkt = pkt.Next() { if !pkt.NatDone { - if ok := it.check(hook, pkt, r, addressEP, "" /* inNicName */, outNicName); !ok { + if ok := f(pkt); !ok { if drop == nil { drop = make(map[*PacketBuffer]struct{}) } |