-rw-r--r--pkg/sentry/socket/netfilter/netfilter.go3
-rw-r--r--pkg/tcpip/iptables/types.go21
-rw-r--r--pkg/tcpip/packet_buffer.go25
-rw-r--r--test/iptables/iptables_test.go47
4 files changed, 34 insertions, 62 deletions
diff --git a/pkg/sentry/socket/netfilter/netfilter.go b/pkg/sentry/socket/netfilter/netfilter.go
index 09a3276c7..4ef8123ac 100644
--- a/pkg/sentry/socket/netfilter/netfilter.go
+++ b/pkg/sentry/socket/netfilter/netfilter.go
@@ -164,6 +164,9 @@ func convertNetstackToBinary(tablename string, table iptables.Table) (linux.Kern
// Each rule corresponds to an entry.
entry := linux.KernelIPTEntry{
IPTEntry: linux.IPTEntry{
+ IP: linux.IPTIP{
+ Protocol: uint16(rule.Filter.Protocol),
+ },
NextOffset: linux.SizeOfIPTEntry,
TargetOffset: linux.SizeOfIPTEntry,
},
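Review bot: `Protocol: uint16(rule.Filter.Protocol)` silently narrows a tcpip.TransportProtocolNumber (a 32-bit integer type in tcpip, as far as I recall) into the 16-bit IPTIP field; IP protocol numbers fit in one byte on the wire so nothing is lost today, but the conversion deserves a why-comment, e.g. `// Transport protocol numbers are 8-bit on the wire, so narrowing to uint16 is lossless.` The remaining IPTIP fields (addresses, masks, interface names, flags, inverse flags) are left zeroed, which iptables reads as "match any"; that is consistent with the reduced IPHeaderFilter, but it means any constraint beyond the protocol can never be reported back to userspace, so the parsing side must not accept such constraints in the first place. convertNetstackToBinary continues outside the hunk.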
diff --git a/pkg/tcpip/iptables/types.go b/pkg/tcpip/iptables/types.go
index 4f2a4d65e..a0bfc8b41 100644
--- a/pkg/tcpip/iptables/types.go
+++ b/pkg/tcpip/iptables/types.go
@@ -14,7 +14,9 @@
package iptables
-import "gvisor.dev/gvisor/pkg/tcpip"
+import (
+ "gvisor.dev/gvisor/pkg/tcpip"
+)
// A Hook specifies one of the hooks built into the network stack.
//
@@ -161,21 +163,10 @@ type Rule struct {
Target Target
}
-// TODO: This is gross.
-// TODO: Save this in SetEntries.
-// TODO: Utilize this when traversing tables.
+// IPHeaderFilter holds basic IP filtering data common to every rule.
type IPHeaderFilter struct {
- Source [4]byte
- Destination [4]byte
- SourceMask [4]byte
- DestinationMask [4]byte
- OutputInterface string
- InputInterface string
- OutputInterfaceMask string
- InputInterfaceMask string
- Protocol tcpip.TransportProtocolNumber
- Flags uint8
- InverseFlags uint8
+ // Protocol matches the transport protocol.
+ Protocol tcpip.TransportProtocolNumber
}
// A Matcher is the interface for matching packets.
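Review bot: Reducing IPHeaderFilter to the single Protocol field means a rule whose IPTIP carries source/destination addresses, masks, interface names or InverseFlags can no longer be represented, and whether the SetEntries path (not in this diff) rejects such an entry or silently installs the broader protocol-only rule is not visible here. A rule that quietly loses its address or interface constraint filters more or less traffic than the administrator requested, so the parser should fail the whole SetEntries call when any IPTIP field other than Protocol is non-zero; the same concern applies to the netfilter.go hunk, which can only echo Protocol back to userspace. The new doc comment could state the contract: `// Only Protocol is supported; entries with other IPTIP fields set must be rejected when the table is installed.`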
diff --git a/pkg/tcpip/packet_buffer.go b/pkg/tcpip/packet_buffer.go
index 7a036b93c..ab24372e7 100644
--- a/pkg/tcpip/packet_buffer.go
+++ b/pkg/tcpip/packet_buffer.go
@@ -13,9 +13,7 @@
package tcpip
-import (
- "gvisor.dev/gvisor/pkg/tcpip/buffer"
-)
+import "gvisor.dev/gvisor/pkg/tcpip/buffer"
// A PacketBuffer contains all the data of a network packet.
//
@@ -67,24 +65,3 @@ func (pk PacketBuffer) Clone() PacketBuffer {
pk.Data = pk.Data.Clone(nil)
return pk
}
-
-//// TransportProtocol returns the transport protocol of pk.
-////
-//// Precondition: pk.NetworkHeader is set.
-//func (pk PacketBuffer) TransportProtocolIPv4() uint16 {
-// if pk.NetworkHeader == nil {
-// panic("This should only be called when pk.NetworkHeader is set.")
-// }
-// return header.IPv4(pk.NetworkHeader).TransportProtocol()
-//}
-
-// func (pk Packet) findNetHeader() header.IPv4 {
-// // Inbound:
-// // Data holds everything, but may have had some headers shaved off.
-// // Figure out whether it's set or still somewhere in data and return
-// // appropriately.
-
-// // Outbound:
-// // NetworkHeader will be set if we've added one. Otherwise there's no
-// // header.
-// }
diff --git a/test/iptables/iptables_test.go b/test/iptables/iptables_test.go
index 63e691af6..150b44e42 100644
--- a/test/iptables/iptables_test.go
+++ b/test/iptables/iptables_test.go
@@ -23,6 +23,7 @@ import (
"time"
"flag"
+
"gvisor.dev/gvisor/pkg/log"
"gvisor.dev/gvisor/runsc/dockerutil"
"gvisor.dev/gvisor/runsc/testutil"
@@ -160,29 +161,29 @@ func logContainer(output string, err error) {
log.Infof(msg)
}
-// func TestFilterInputDropUDP(t *testing.T) {
-// if err := singleTest(FilterInputDropUDP{}); err != nil {
-// t.Fatal(err)
-// }
-// }
-
-// func TestFilterInputDropUDPPort(t *testing.T) {
-// if err := singleTest(FilterInputDropUDPPort{}); err != nil {
-// t.Fatal(err)
-// }
-// }
-
-// func TestFilterInputDropDifferentUDPPort(t *testing.T) {
-// if err := singleTest(FilterInputDropDifferentUDPPort{}); err != nil {
-// t.Fatal(err)
-// }
-// }
-
-// func TestFilterInputDropAll(t *testing.T) {
-// if err := singleTest(FilterInputDropAll{}); err != nil {
-// t.Fatal(err)
-// }
-// }
+func TestFilterInputDropUDP(t *testing.T) {
+ if err := singleTest(FilterInputDropUDP{}); err != nil {
+ t.Fatal(err)
+ }
+}
+
+func TestFilterInputDropUDPPort(t *testing.T) {
+ if err := singleTest(FilterInputDropUDPPort{}); err != nil {
+ t.Fatal(err)
+ }
+}
+
+func TestFilterInputDropDifferentUDPPort(t *testing.T) {
+ if err := singleTest(FilterInputDropDifferentUDPPort{}); err != nil {
+ t.Fatal(err)
+ }
+}
+
+func TestFilterInputDropAll(t *testing.T) {
+ if err := singleTest(FilterInputDropAll{}); err != nil {
+ t.Fatal(err)
+ }
+}
func TestFilterInputDropOnlyUDP(t *testing.T) {
if err := singleTest(FilterInputDropOnlyUDP{}); err != nil {