-rw-r--r-- | pkg/tcpip/iptables/iptables.go | 5 | ||||
-rw-r--r-- | pkg/tcpip/iptables/targets.go | 14 | ||||
-rw-r--r-- | pkg/tcpip/iptables/types.go | 2 |
3 files changed, 10 insertions, 11 deletions
diff --git a/pkg/tcpip/iptables/iptables.go b/pkg/tcpip/iptables/iptables.go
index 80ddbd442..2ab9e0675 100644
--- a/pkg/tcpip/iptables/iptables.go
+++ b/pkg/tcpip/iptables/iptables.go
@@ -171,7 +171,6 @@ const (
 chainReturn
 )
-
 // Check runs pkt through the rules for hook. It returns true when the packet
 // should continue traversing the network stack and false when it should be
 // dropped.
@@ -242,7 +241,7 @@ func (it *IPTables) checkChain(hook Hook, pkt tcpip.PacketBuffer, table Table, r
 return chainDrop
 case chainReturn:
 ruleIdx++
- continue
+ continue
 default:
 panic(fmt.Sprintf("Unknown verdict: %d", verdict))
 }
@@ -289,5 +288,5 @@ func (it *IPTables) checkRule(hook Hook, pkt tcpip.PacketBuffer, table Table, ru
 }
 // All the matchers matched, so run the target.
- return rule.Target.Action(pkt, rule.Filter)
+ return rule.Target.Action(pkt)
 }
diff --git a/pkg/tcpip/iptables/targets.go b/pkg/tcpip/iptables/targets.go
index 5dbb28145..96318118c 100644
--- a/pkg/tcpip/iptables/targets.go
+++ b/pkg/tcpip/iptables/targets.go
@@ -24,7 +24,7 @@ import (
 type AcceptTarget struct{}
 // Action implements Target.Action.
-func (AcceptTarget) Action(packet tcpip.PacketBuffer, filter IPHeaderFilter) (RuleVerdict, int) {
+func (AcceptTarget) Action(packet tcpip.PacketBuffer) (RuleVerdict, int) {
 return RuleAccept, 0
 }
@@ -32,7 +32,7 @@ func (AcceptTarget) Action(packet tcpip.PacketBuffer, filter IPHeaderFilter) (Ru
 type DropTarget struct{}
 // Action implements Target.Action.
-func (DropTarget) Action(packet tcpip.PacketBuffer, filter IPHeaderFilter) (RuleVerdict, int) {
+func (DropTarget) Action(packet tcpip.PacketBuffer) (RuleVerdict, int) {
 return RuleDrop, 0
 }
@@ -41,7 +41,7 @@ func (DropTarget) Action(packet tcpip.PacketBuffer, filter IPHeaderFilter) (Rule
 type ErrorTarget struct{}
 // Action implements Target.Action.
-func (ErrorTarget) Action(packet tcpip.PacketBuffer, filter IPHeaderFilter) (RuleVerdict, int) {
+func (ErrorTarget) Action(packet tcpip.PacketBuffer) (RuleVerdict, int) {
 log.Debugf("ErrorTarget triggered.")
 return RuleDrop, 0
 }
@@ -52,7 +52,7 @@ type UserChainTarget struct {
 }
 // Action implements Target.Action.
-func (UserChainTarget) Action(tcpip.PacketBuffer, IPHeaderFilter) (RuleVerdict, int) {
+func (UserChainTarget) Action(tcpip.PacketBuffer) (RuleVerdict, int) {
 panic("UserChainTarget should never be called.")
 }
@@ -61,7 +61,7 @@ func (UserChainTarget) Action(tcpip.PacketBuffer, IPHeaderFilter) (RuleVerdict,
 type ReturnTarget struct{}
 // Action implements Target.Action.
-func (ReturnTarget) Action(tcpip.PacketBuffer, IPHeaderFilter) (RuleVerdict, int) {
+func (ReturnTarget) Action(tcpip.PacketBuffer) (RuleVerdict, int) {
 return RuleReturn, 0
 }
@@ -86,7 +86,7 @@ type RedirectTarget struct {
 }
 // Action implements Target.Action.
-func (rt RedirectTarget) Action(pkt tcpip.PacketBuffer, filter IPHeaderFilter) (RuleVerdict, int) {
+func (rt RedirectTarget) Action(pkt tcpip.PacketBuffer) (RuleVerdict, int) {
 headerView := pkt.Data.First()
 // Network header should be set.
@@ -99,7 +99,7 @@ func (rt RedirectTarget) Action(pkt tcpip.PacketBuffer, filter IPHeaderFilter) (
 // we need to change dest address (for OUTPUT chain) or ports.
 hlen := int(netHeader.HeaderLength())
- switch protocol := filter.Protocol; protocol {
+ switch protocol := netHeader.TransportProtocol(); protocol {
 case header.UDPProtocolNumber:
 udp := header.UDP(headerView[hlen:])
 udp.SetDestinationPort(rt.MinPort)
diff --git a/pkg/tcpip/iptables/types.go b/pkg/tcpip/iptables/types.go
index 8bd3a2c94..9c2ad2d46 100644
--- a/pkg/tcpip/iptables/types.go
+++ b/pkg/tcpip/iptables/types.go
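Review bot: In the second RedirectTarget.Action hunk, both the protocol selector (`netHeader.TransportProtocol()`) and the offset `hlen` (from `netHeader.HeaderLength()`) are now read from the packet itself, and no length check is visible before `header.UDP(headerView[hlen:])` and `udp.SetDestinationPort(rt.MinPort)`. The lines between the two RedirectTarget hunks and the rest of the switch are outside the diff, so a check may already exist there. If it does not, a truncated or malformed packet could panic on the slice expression or the port write. A guard ahead of the switch, such as `if len(headerView) < hlen+header.UDPMinimumSize { return RuleDrop, 0 }`, with the equivalent minimum for any other protocol case, would make the rewrite safe on hostile input.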
@@ -164,5 +164,5 @@ type Target interface {
 // Action takes an action on the packet and returns a verdict on how
 // traversal should (or should not) continue. If the return value is
 // Jump, it also returns the name of the chain to jump to.
- Action(packet tcpip.PacketBuffer, filter IPHeaderFilter) (RuleVerdict, int)
+ Action(packet tcpip.PacketBuffer) (RuleVerdict, int)
 } |
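Review bot: The doc comment on `Action` still says it "returns the name of the chain to jump to", but the second result is an `int`, so the comment and the signature disagree. Since the signature line is being edited anyway, the last comment line could become `// Jump, it also returns the index of the rule to jump to.`; that the int is a rule index is inferred from `ruleIdx` in checkChain and should be confirmed. With the `IPHeaderFilter` argument gone, the comment could also state that implementations must derive protocol and header offsets from the packet and validate them before writing to it.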