-rw-r--r--pkg/sentry/socket/netfilter/netfilter.go29
-rw-r--r--pkg/tcpip/iptables/udp_matcher.go14
2 files changed, 35 insertions, 8 deletions
diff --git a/pkg/sentry/socket/netfilter/netfilter.go b/pkg/sentry/socket/netfilter/netfilter.go
index f8ed1acbc..3caabca9a 100644
--- a/pkg/sentry/socket/netfilter/netfilter.go
+++ b/pkg/sentry/socket/netfilter/netfilter.go
@@ -196,7 +196,9 @@ func convertNetstackToBinary(tablename string, table iptables.Table) (linux.Kern
}
func marshalMatcher(matcher iptables.Matcher) []byte {
- switch matcher.(type) {
+ switch m := matcher.(type) {
+ case *iptables.UDPMatcher:
+ return marshalUDPMatcher(m)
default:
// TODO(gvisor.dev/issue/170): We don't support any matchers
// yet, so any call to marshalMatcher will panic.
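Review bot: The TODO at L21-22 is now false: the new `case *iptables.UDPMatcher` means marshalMatcher does support one matcher, and only the default branch still panics, so the comment should be reworded to something like `// TODO(gvisor.dev/issue/170): Other matcher types are not supported yet and will panic here.`. The pointer case is consistent with NewUDPMatcher returning `&UDPMatcher{...}`, but that coupling is worth a one-line note because a value-typed matcher would silently fall through to the panic. The body of marshalMatcher continues past this hunk.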
@@ -204,6 +206,31 @@ func marshalMatcher(matcher iptables.Matcher) []byte {
}
}
+func marshalUDPMatcher(matcher *iptables.UDPMatcher) []byte {
+ type udpMatch struct {
+ linux.XTEntryMatch
+ linux.XTUDP
+ }
+ linuxMatcher := udpMatch{
+ XTEntryMatch: linux.XTEntryMatch{
+ MatchSize: linux.SizeOfXTEntryMatch + linux.SizeOfXTUDP,
+ // Name: "udp",
+ },
+ XTUDP: linux.XTUDP{
+ SourcePortStart: matcher.Data.SourcePortStart,
+ SourcePortEnd: matcher.Data.SourcePortEnd,
+ DestinationPortStart: matcher.Data.DestinationPortStart,
+ DestinationPortEnd: matcher.Data.DestinationPortEnd,
+ InverseFlags: matcher.Data.InverseFlags,
+ },
+ }
+ copy(linuxMatcher.Name[:], "udp")
+
+ var buf [linux.SizeOfXTEntryMatch + linux.SizeOfXTUDP]byte
+ binary.Marshal(buf[:], usermem.ByteOrder, linuxMatcher)
+ return buf[:]
+}
+
func marshalTarget(target iptables.Target) []byte {
switch target.(type) {
case iptables.UnconditionalAcceptTarget:
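Review bot: The result of `binary.Marshal` at L47 is discarded; gVisor's pkg/binary Marshal appends its output to the supplied slice and returns the extended slice, so if that is the package used here, passing a full-length `buf[:]` makes the append reallocate and the `buf[:]` returned on L48 is all zeros, i.e. iptables would read a match with `match_size == 0` and fail to walk the entry. The fix is the idiom `buf := make([]byte, 0, linux.SizeOfXTEntryMatch+linux.SizeOfXTUDP)` followed by `return binary.Marshal(buf, usermem.ByteOrder, linuxMatcher)`. Separately, MatchSize is the unpadded sum of the two struct sizes; if SizeOfXTUDP is the 10-byte `struct xt_udp`, the 42-byte record is not a multiple of XT_ALIGN (8) as userspace iptables computes it, and since it locates the target by `match_size` a misaligned value would misparse what follows — confirm the constants and pad if needed. The dead `// Name: "udp",` on L34 should be dropped since `copy(linuxMatcher.Name[:], "udp")` does the job (the zeroed array supplies the NUL terminator), and the function deserves a header such as `// marshalUDPMatcher serializes matcher as an xt_entry_match followed by xt_udp, in the layout userspace iptables expects.`.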
diff --git a/pkg/tcpip/iptables/udp_matcher.go b/pkg/tcpip/iptables/udp_matcher.go
index ce4368a3d..fca457199 100644
--- a/pkg/tcpip/iptables/udp_matcher.go
+++ b/pkg/tcpip/iptables/udp_matcher.go
@@ -24,7 +24,7 @@ import (
)
type UDPMatcher struct {
- data UDPMatcherData
+ Data UDPMatcherData
// tablename string
// unsigned int matchsize;
@@ -62,11 +62,11 @@ func NewUDPMatcher(filter IPHeaderFilter, data UDPMatcherData) (Matcher, error)
log.Warningf("UDP matching is only valid for protocol %d.", header.UDPProtocolNumber)
}
- return &UDPMatcher{data: data}, nil
+ return &UDPMatcher{Data: data}, nil
}
// TODO: Check xt_tcpudp.c. Need to check for same things (e.g. fragments).
-func (tm *UDPMatcher) Match(hook Hook, pkt tcpip.PacketBuffer, interfaceName string) (bool, bool) {
+func (um *UDPMatcher) Match(hook Hook, pkt tcpip.PacketBuffer, interfaceName string) (bool, bool) {
log.Infof("UDPMatcher called from: %s", string(debug.Stack()))
netHeader := header.IPv4(pkt.NetworkHeader)
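Review bot: Match captures and logs a full goroutine stack (`debug.Stack()`, L74) for every packet that reaches the matcher, which is per-packet allocation and unbounded log volume that a sandboxed workload can drive at line rate; it should be removed or demoted to a guarded trace before UDP rules are reachable from user tables. The context at L66 suggests NewUDPMatcher only warns when the filter protocol is not UDP and still returns a matcher, whereas Linux's xt_tcpudp rejects such a rule with -EINVAL; if that is the case (the `if` is outside the hunk), returning an error instead of logging would match kernel behaviour. The port comparisons Match reaches later return false without consulting `um.Data.InverseFlags`, so a `!`-negated port rule would match the opposite set unless the elided middle of Match handles inversion — worth confirming, since an inverted firewall rule fails open. Match's body continues past this hunk.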
@@ -114,12 +114,12 @@ func (tm *UDPMatcher) Match(hook Hook, pkt tcpip.PacketBuffer, interfaceName str
destinationPort := udpHeader.DestinationPort()
log.Infof("UDPMatcher: sport and dport are %d and %d. sports and dport start and end are (%d, %d) and (%d, %d)",
udpHeader.SourcePort(), udpHeader.DestinationPort(),
- tm.data.SourcePortStart, tm.data.SourcePortEnd,
- tm.data.DestinationPortStart, tm.data.DestinationPortEnd)
- if sourcePort < tm.data.SourcePortStart || tm.data.SourcePortEnd < sourcePort {
+ um.Data.SourcePortStart, um.Data.SourcePortEnd,
+ um.Data.DestinationPortStart, um.Data.DestinationPortEnd)
+ if sourcePort < um.Data.SourcePortStart || um.Data.SourcePortEnd < sourcePort {
return false, false
}
- if destinationPort < tm.data.DestinationPortStart || tm.data.DestinationPortEnd < destinationPort {
+ if destinationPort < um.Data.DestinationPortStart || um.Data.DestinationPortEnd < destinationPort {
return false, false
}