-rw-r--r--pkg/abi/linux/netfilter.go5
-rw-r--r--pkg/sentry/socket/netfilter/netfilter.go35
-rw-r--r--pkg/tcpip/iptables/udp_matcher.go2
3 files changed, 28 insertions, 14 deletions
diff --git a/pkg/abi/linux/netfilter.go b/pkg/abi/linux/netfilter.go
index f0e544f9c..effed7976 100644
--- a/pkg/abi/linux/netfilter.go
+++ b/pkg/abi/linux/netfilter.go
@@ -198,6 +198,11 @@ type XTEntryMatch struct {
// SizeOfXTEntryMatch is the size of an XTEntryMatch.
const SizeOfXTEntryMatch = 32
+type KernelXTEntryMatch struct {
+ XTEntryMatch
+ Data []byte
+}
+
// XTEntryTarget holds a target for a rule. For example, it can specify that
// packets matching the rule should DROP, ACCEPT, or use an extension target.
// iptables-extension(8) has a list of possible targets.
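Review bot: The new exported type `KernelXTEntryMatch` has no doc comment, and nothing records why it differs from `XTEntryMatch` — the `Data []byte` tail makes it variable-length, so `binary.Size`/`binary.Marshal` of a value depend on how the caller sized `Data`, unlike the fixed-size `XTEntryMatch` whose size is pinned by `SizeOfXTEntryMatch` just above. I would add `// KernelXTEntryMatch is identical to XTEntryMatch but contains the match-specific data that follows the header; Data must be sized and padded by the caller.` and, if the Linux layout is being mirrored, note that the kernel expects the whole entry to be padded to XT_ALIGN (8 bytes). The enclosing `type XTEntryMatch struct` starts before this hunk.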
diff --git a/pkg/sentry/socket/netfilter/netfilter.go b/pkg/sentry/socket/netfilter/netfilter.go
index 3caabca9a..b49fe5b3e 100644
--- a/pkg/sentry/socket/netfilter/netfilter.go
+++ b/pkg/sentry/socket/netfilter/netfilter.go
@@ -207,26 +207,34 @@ func marshalMatcher(matcher iptables.Matcher) []byte {
}
func marshalUDPMatcher(matcher *iptables.UDPMatcher) []byte {
- type udpMatch struct {
- linux.XTEntryMatch
- linux.XTUDP
- }
- linuxMatcher := udpMatch{
+ linuxMatcher := linux.KernelXTEntryMatch{
XTEntryMatch: linux.XTEntryMatch{
MatchSize: linux.SizeOfXTEntryMatch + linux.SizeOfXTUDP,
// Name: "udp",
},
- XTUDP: linux.XTUDP{
- SourcePortStart: matcher.Data.SourcePortStart,
- SourcePortEnd: matcher.Data.SourcePortEnd,
- DestinationPortStart: matcher.Data.DestinationPortStart,
- DestinationPortEnd: matcher.Data.DestinationPortEnd,
- InverseFlags: matcher.Data.InverseFlags,
- },
+ Data: make([]byte, linux.SizeOfXTUDP+22),
}
+ // copy(linuxMatcher.Name[:], "udp")
copy(linuxMatcher.Name[:], "udp")
- var buf [linux.SizeOfXTEntryMatch + linux.SizeOfXTUDP]byte
+ // TODO: Must be aligned.
+ xtudp := linux.XTUDP{
+ SourcePortStart: matcher.Data.SourcePortStart,
+ SourcePortEnd: matcher.Data.SourcePortEnd,
+ DestinationPortStart: matcher.Data.DestinationPortStart,
+ DestinationPortEnd: matcher.Data.DestinationPortEnd,
+ InverseFlags: matcher.Data.InverseFlags,
+ }
+ binary.Marshal(linuxMatcher.Data[:linux.SizeOfXTUDP], usermem.ByteOrder, xtudp)
+
+ if binary.Size(linuxMatcher)%64 != 0 {
+ panic(fmt.Sprintf("size is actually: %d", binary.Size(linuxMatcher)))
+ }
+
+ var buf [linux.SizeOfXTEntryMatch + linux.SizeOfXTUDP + 22]byte
+ if len(buf)%64 != 0 {
+ panic(fmt.Sprintf("len is actually: %d", len(buf)))
+ }
binary.Marshal(buf[:], usermem.ByteOrder, linuxMatcher)
return buf[:]
}
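Review bot: `MatchSize` is set to `SizeOfXTEntryMatch + SizeOfXTUDP` (L39) but the bytes actually emitted are `SizeOfXTEntryMatch + SizeOfXTUDP + 22` (L49, L68), so the header tells the consumer the match is 22 bytes shorter than the blob returned; any reader that advances by `MatchSize` will land inside the padding and misparse whatever follows. The `%64` checks (L64, L69) look like a bits/bytes confusion: Linux pads each match to XT_ALIGN, which is the alignment of `struct _xt_align` — 8 bytes — not 64, so the `+22` and the two `panic`s are enforcing a boundary the kernel does not use, and a panic here takes down the sentry rather than returning an error (sizes are constants, so this is a build-time invariant, but it should be a named constant and a comment, not a runtime panic). I would replace the magic number with a named padding constant, set `MatchSize` to the padded length so header and payload agree, and drop both panics; the stale `// copy(linuxMatcher.Name[:], "udp")` (L51) and `// Name: "udp",` (L40) leftovers should go too.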
@@ -245,6 +253,7 @@ func marshalTarget(target iptables.Target) []byte {
}
func marshalStandardTarget(verdict iptables.Verdict) []byte {
+ // TODO: Must be aligned.
// The target's name will be the empty string.
target := linux.XTStandardTarget{
Target: linux.XTEntryTarget{
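Review bot: `// TODO: Must be aligned.` does not say to what; a reader of this function cannot act on it. I would make it `// TODO: pad to XT_ALIGN (8 bytes, the alignment Linux applies to xt_entry_target) before returning.` so the follow-up is concrete. marshalStandardTarget's body continues outside the hunk.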
diff --git a/pkg/tcpip/iptables/udp_matcher.go b/pkg/tcpip/iptables/udp_matcher.go
index fca457199..65ae7f9e0 100644
--- a/pkg/tcpip/iptables/udp_matcher.go
+++ b/pkg/tcpip/iptables/udp_matcher.go
@@ -59,7 +59,7 @@ func NewUDPMatcher(filter IPHeaderFilter, data UDPMatcherData) (Matcher, error)
}
if filter.Protocol != header.UDPProtocolNumber {
- log.Warningf("UDP matching is only valid for protocol %d.", header.UDPProtocolNumber)
+ return nil, fmt.Errorf("UDP matching is only valid for protocol %d.", header.UDPProtocolNumber)
}
return &UDPMatcher{Data: data}, nil
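Review bot: The new error string ends with a period, which Go error strings should not, since callers wrap and chain them; `return nil, fmt.Errorf("UDP matching is only valid for protocol %d", header.UDPProtocolNumber)` is the conventional form. Returning an error here instead of only logging is the right change — previously a matcher could be built for a non-UDP filter and silently match other traffic — but the hunk does not show the import block, so confirm `fmt` is imported and `log` is still used elsewhere in the file, otherwise this will not compile. NewUDPMatcher begins before this hunk.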