-rw-r--r--pkg/abi/linux/netfilter.go2
-rw-r--r--pkg/sentry/socket/netfilter/netfilter.go2
-rw-r--r--pkg/tcpip/iptables/types.go6
3 files changed, 5 insertions, 5 deletions
diff --git a/pkg/abi/linux/netfilter.go b/pkg/abi/linux/netfilter.go
index 0bcb232de..35d66d622 100644
--- a/pkg/abi/linux/netfilter.go
+++ b/pkg/abi/linux/netfilter.go
@@ -42,6 +42,8 @@ const (
NF_RETURN = -NF_REPEAT - 1
)
+// VerdictStrings maps int verdicts to the strings they represent. It is used
+// for debugging.
var VerdictStrings = map[int32]string{
-NF_DROP - 1: "DROP",
-NF_ACCEPT - 1: "ACCEPT",
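Review bot: The new VerdictStrings comment says it maps "int verdicts", but the keys on the lines that follow are the encoded form `-NF_DROP - 1` and `-NF_ACCEPT - 1` (the same `-x - 1` encoding NF_RETURN uses just above), not the raw NF_* constants, so a reader indexing with plain NF_DROP would get the zero-value "" and a misleading debug string. The comment should state the key encoding so callers know what to look up, e.g. `// VerdictStrings maps encoded verdicts (-NF_x - 1, as with NF_RETURN above)` followed by `// to the strings they represent. It is used for debugging.`. Whether the encoding is applied by the callers or expected to already be present is not visible in this hunk.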
diff --git a/pkg/sentry/socket/netfilter/netfilter.go b/pkg/sentry/socket/netfilter/netfilter.go
index b7867a576..347342f98 100644
--- a/pkg/sentry/socket/netfilter/netfilter.go
+++ b/pkg/sentry/socket/netfilter/netfilter.go
@@ -376,8 +376,6 @@ func SetEntries(stack *stack.Stack, optVal []byte) *syserr.Error {
Size: replace.Size,
})
ipt.Tables[replace.Name.String()] = table
- // TODO: Do we need to worry about locking? We could write rules while
- // packets traverse tables.
stack.SetIPTables(ipt)
return nil
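Review bot: Deleting the locking TODO removes the only record of an open concurrency question without answering it; in the new code `ipt.Tables[replace.Name.String()] = table` is followed by `stack.SetIPTables(ipt)` with no synchronization visible in the hunk, and a table set mutated while packets are being filtered is a correctness risk for the rules applied to in-flight traffic. If the guarantee is provided by SetIPTables (I cannot tell from this diff whether it installs the tables in a way that readers never see a partially updated map), replace the TODO with a sentence that states that contract rather than dropping it, e.g. `// Concurrency: stack.SetIPTables is responsible for publishing the new table set; see its contract for what packet processing may observe during replacement.`. SetEntries begins outside the hunk, so I have not checked whether `ipt` is a private copy or the live table set.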
diff --git a/pkg/tcpip/iptables/types.go b/pkg/tcpip/iptables/types.go
index fe0394a31..540f8c0b4 100644
--- a/pkg/tcpip/iptables/types.go
+++ b/pkg/tcpip/iptables/types.go
@@ -113,11 +113,11 @@ type Table struct {
// Rules holds the rules that make up the table.
Rules []Rule
- // BuiltinChains maps builtin chains to their entrypoints.
+ // BuiltinChains maps builtin chains to their entrypoint rule in Rules.
BuiltinChains map[Hook]int
- // Underflows maps builtin chains to their underflow point (i.e. the
- // rule to execute if the chain returns without a verdict).
+ // Underflows maps builtin chains to their underflow rule in Rules
+ // (i.e. the rule to execute if the chain returns without a verdict).
Underflows map[Hook]int
// UserChains holds user-defined chains for the keyed by name. Users
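Review bot: The UserChains comment on the last context line of this hunk reads "user-defined chains for the keyed by name", which is garbled; since this commit is already tidying the neighbouring field comments it would be natural to fix it too, e.g. `// UserChains holds user-defined chains, keyed by name. Users`. The Table struct continues outside the hunk, so the rest of that sentence is not visible here.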