summaryrefslogtreecommitdiffhomepage
path: root/pkg
diff options
context:
space:
mode:
authorKevin Krakauer <krakauer@google.com>2020-01-10 18:07:15 -0800
committerKevin Krakauer <krakauer@google.com>2020-01-10 18:07:15 -0800
commitd793677cd424fef10ac0b080871d181db0bcdec0 (patch)
tree697f86dac1fc3ac7015582a9588684a74bb95d1d /pkg
parentff719159befaee7d2abcfeb88905a7486cd34845 (diff)
I think INPUT works with protocol
Diffstat (limited to 'pkg')
-rw-r--r--pkg/sentry/socket/netfilter/netfilter.go3
-rw-r--r--pkg/tcpip/iptables/BUILD1
-rw-r--r--pkg/tcpip/iptables/iptables.go4
-rw-r--r--pkg/tcpip/iptables/types.go2
-rw-r--r--pkg/tcpip/network/ipv4/ipv4.go3
-rw-r--r--pkg/tcpip/packet_buffer.go25
6 files changed, 33 insertions, 5 deletions
diff --git a/pkg/sentry/socket/netfilter/netfilter.go b/pkg/sentry/socket/netfilter/netfilter.go
index f30461936..175466f19 100644
--- a/pkg/sentry/socket/netfilter/netfilter.go
+++ b/pkg/sentry/socket/netfilter/netfilter.go
@@ -25,6 +25,7 @@ import (
"gvisor.dev/gvisor/pkg/sentry/kernel"
"gvisor.dev/gvisor/pkg/sentry/usermem"
"gvisor.dev/gvisor/pkg/syserr"
+ "gvisor.dev/gvisor/pkg/tcpip"
"gvisor.dev/gvisor/pkg/tcpip/iptables"
"gvisor.dev/gvisor/pkg/tcpip/stack"
)
@@ -455,7 +456,7 @@ func filterFromIPTIP(iptip linux.IPTIP) (iptables.IPHeaderFilter, *syserr.Error)
return iptables.IPHeaderFilter{}, syserr.ErrInvalidArgument
}
return iptables.IPHeaderFilter{
- Protocol: iptip.Protocol,
+ Protocol: tcpip.TransportProtocolNumber(iptip.Protocol),
}, nil
}
diff --git a/pkg/tcpip/iptables/BUILD b/pkg/tcpip/iptables/BUILD
index 2893c80cd..297eaccaf 100644
--- a/pkg/tcpip/iptables/BUILD
+++ b/pkg/tcpip/iptables/BUILD
@@ -14,5 +14,6 @@ go_library(
deps = [
"//pkg/log",
"//pkg/tcpip",
+ "//pkg/tcpip/header",
],
)
diff --git a/pkg/tcpip/iptables/iptables.go b/pkg/tcpip/iptables/iptables.go
index 4e1700fdb..3cff879a2 100644
--- a/pkg/tcpip/iptables/iptables.go
+++ b/pkg/tcpip/iptables/iptables.go
@@ -21,6 +21,7 @@ import (
"gvisor.dev/gvisor/pkg/log"
"gvisor.dev/gvisor/pkg/tcpip"
+ "gvisor.dev/gvisor/pkg/tcpip/header"
)
const (
@@ -183,12 +184,13 @@ func (it *IPTables) checkTable(hook Hook, pkt tcpip.PacketBuffer, tablename stri
panic(fmt.Sprintf("Traversed past the entire list of iptables rules in table %q.", tablename))
}
+// Precondition: pk.NetworkHeader is set.
func (it *IPTables) checkRule(hook Hook, pkt tcpip.PacketBuffer, table Table, ruleIdx int) Verdict {
rule := table.Rules[ruleIdx]
// First check whether the packet matches the IP header filter.
// TODO(gvisor.dev/issue/170): Support other fields of the filter.
- if rule.Filter.Protocol != pkt.Protocol {
+ if rule.Filter.Protocol != header.IPv4(pkt.NetworkHeader).TransportProtocol() {
return Continue
}
diff --git a/pkg/tcpip/iptables/types.go b/pkg/tcpip/iptables/types.go
index 4bedd9bc8..4f2a4d65e 100644
--- a/pkg/tcpip/iptables/types.go
+++ b/pkg/tcpip/iptables/types.go
@@ -173,7 +173,7 @@ type IPHeaderFilter struct {
InputInterface string
OutputInterfaceMask string
InputInterfaceMask string
- Protocol uint16
+ Protocol tcpip.TransportProtocolNumber
Flags uint8
InverseFlags uint8
}
diff --git a/pkg/tcpip/network/ipv4/ipv4.go b/pkg/tcpip/network/ipv4/ipv4.go
index f856081e6..5388d2549 100644
--- a/pkg/tcpip/network/ipv4/ipv4.go
+++ b/pkg/tcpip/network/ipv4/ipv4.go
@@ -353,7 +353,8 @@ func (e *endpoint) HandlePacket(r *stack.Route, pkt tcpip.PacketBuffer) {
}
pkt.NetworkHeader = headerView[:h.HeaderLength()]
- // iptables filtering.
+ // iptables filtering. All packets that reach here are intended for
+ // this machine and will not be forwarded.
ipt := e.stack.IPTables()
if ok := ipt.Check(iptables.Input, pkt); !ok {
// iptables is telling us to drop the packet.
diff --git a/pkg/tcpip/packet_buffer.go b/pkg/tcpip/packet_buffer.go
index ab24372e7..7a036b93c 100644
--- a/pkg/tcpip/packet_buffer.go
+++ b/pkg/tcpip/packet_buffer.go
@@ -13,7 +13,9 @@
package tcpip
-import "gvisor.dev/gvisor/pkg/tcpip/buffer"
+import (
+ "gvisor.dev/gvisor/pkg/tcpip/buffer"
+)
// A PacketBuffer contains all the data of a network packet.
//
@@ -65,3 +67,24 @@ func (pk PacketBuffer) Clone() PacketBuffer {
pk.Data = pk.Data.Clone(nil)
return pk
}
+
+//// TransportProtocol returns the transport protocol of pk.
+////
+//// Precondition: pk.NetworkHeader is set.
+//func (pk PacketBuffer) TransportProtocolIPv4() uint16 {
+// if pk.NetworkHeader == nil {
+// panic("This should only be called when pk.NetworkHeader is set.")
+// }
+// return header.IPv4(pk.NetworkHeader).TransportProtocol()
+//}
+
+// func (pk Packet) findNetHeader() header.IPv4 {
+// // Inbound:
+// // Data holds everything, but may have had some headers shaved off.
+// // Figure out whether it's set or still somewhere in data and return
+// // appropriately.
+
+// // Outbound:
+// // NetworkHeader will be set if we've added one. Otherwise there's no
+// // header.
+// }