Diffstat (limited to 'pkg/sentry/socket')
-rw-r--r--pkg/sentry/socket/netfilter/netfilter.go29
1 files changed, 28 insertions, 1 deletions
diff --git a/pkg/sentry/socket/netfilter/netfilter.go b/pkg/sentry/socket/netfilter/netfilter.go
index f8ed1acbc..3caabca9a 100644
--- a/pkg/sentry/socket/netfilter/netfilter.go
+++ b/pkg/sentry/socket/netfilter/netfilter.go
@@ -196,7 +196,9 @@ func convertNetstackToBinary(tablename string, table iptables.Table) (linux.Kern
}
func marshalMatcher(matcher iptables.Matcher) []byte {
- switch matcher.(type) {
+ switch m := matcher.(type) {
+ case *iptables.UDPMatcher:
+ return marshalUDPMatcher(m)
default:
// TODO(gvisor.dev/issue/170): We don't support any matchers
// yet, so any call to marshalMatcher will panic.
@@ -204,6 +206,31 @@ func marshalMatcher(matcher iptables.Matcher) []byte {
}
}
+func marshalUDPMatcher(matcher *iptables.UDPMatcher) []byte {
+ type udpMatch struct {
+ linux.XTEntryMatch
+ linux.XTUDP
+ }
+ linuxMatcher := udpMatch{
+ XTEntryMatch: linux.XTEntryMatch{
+ MatchSize: linux.SizeOfXTEntryMatch + linux.SizeOfXTUDP,
+ // Name: "udp",
+ },
+ XTUDP: linux.XTUDP{
+ SourcePortStart: matcher.Data.SourcePortStart,
+ SourcePortEnd: matcher.Data.SourcePortEnd,
+ DestinationPortStart: matcher.Data.DestinationPortStart,
+ DestinationPortEnd: matcher.Data.DestinationPortEnd,
+ InverseFlags: matcher.Data.InverseFlags,
+ },
+ }
+ copy(linuxMatcher.Name[:], "udp")
+
+ var buf [linux.SizeOfXTEntryMatch + linux.SizeOfXTUDP]byte
+ binary.Marshal(buf[:], usermem.ByteOrder, linuxMatcher)
+ return buf[:]
+}
+
func marshalTarget(target iptables.Target) []byte {
switch target.(type) {
case iptables.UnconditionalAcceptTarget:
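Review bot: The return value of `binary.Marshal(buf[:], usermem.ByteOrder, linuxMatcher)` in marshalUDPMatcher is discarded; if this is gvisor's pkg/binary, whose Marshal appends to the passed slice and returns the result, then `buf[:]` is already at full length, the appended bytes land in a fresh backing array, and the function returns an all-zero buffer to the getsockopt path. The safer form is the one the file's other marshallers appear to use: `ret := make([]byte, 0, linux.SizeOfXTEntryMatch+linux.SizeOfXTUDP)` followed by `return binary.Marshal(ret, usermem.ByteOrder, linuxMatcher)`. The commented-out `// Name: "udp",` inside the literal is dead text now that `copy(linuxMatcher.Name[:], "udp")` sets the name and should be dropped. Linux also expects each xt_entry_match to be XT_ALIGN'd (8 bytes); if SizeOfXTEntryMatch+SizeOfXTUDP is not a multiple of 8, MatchSize and the buffer need padding or userspace iptables will misparse the entries that follow, so a short comment stating the alignment assumption is worth adding either way.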