Diffstat (limited to 'pkg/tcpip/iptables')
-rw-r--r-- | pkg/tcpip/iptables/BUILD | 6 | ||||
-rw-r--r-- | pkg/tcpip/iptables/targets.go | 10 | ||||
-rw-r--r-- | pkg/tcpip/iptables/types.go | 31 |
3 files changed, 19 insertions, 28 deletions
diff --git a/pkg/tcpip/iptables/BUILD b/pkg/tcpip/iptables/BUILD
index 173f148da..fc9abbb55 100644
--- a/pkg/tcpip/iptables/BUILD
+++ b/pkg/tcpip/iptables/BUILD
@@ -1,6 +1,6 @@
 package(licenses = ["notice"])
-load("//tools/go_stateify:defs.bzl", "go_library", "go_test")
+load("//tools/go_stateify:defs.bzl", "go_library")
 go_library(
 name = "iptables",
@@ -9,12 +9,10 @@ go_library(
 "targets.go",
 "types.go",
 ],
- importpath = "gvisor.googlesource.com/gvisor/pkg/tcpip/iptables",
+ importpath = "gvisor.dev/gvisor/pkg/tcpip/iptables",
 visibility = ["//visibility:public"],
 deps = [
- "//pkg/state",
 "//pkg/tcpip",
 "//pkg/tcpip/buffer",
- "//pkg/tcpip/header",
 ],
 )
diff --git a/pkg/tcpip/iptables/targets.go b/pkg/tcpip/iptables/targets.go
index 028978e3a..19a7f77e3 100644
--- a/pkg/tcpip/iptables/targets.go
+++ b/pkg/tcpip/iptables/targets.go
@@ -12,17 +12,17 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
-package iptables
+// This file contains various Targets.
-import "gvisor.googlesource.com/gvisor/pkg/tcpip/buffer"
+package iptables
-// This file contains various Targets.
+import "gvisor.dev/gvisor/pkg/tcpip/buffer"
 // UnconditionalAcceptTarget accepts all packets.
 type UnconditionalAcceptTarget struct{}
 // Action implements Target.Action.
-func (_ UnconditionalAcceptTarget) Action(packet buffer.VectorisedView) (Verdict, string) {
+func (UnconditionalAcceptTarget) Action(packet buffer.VectorisedView) (Verdict, string) {
 return Accept, ""
 }
@@ -30,6 +30,6 @@ func (_ UnconditionalAcceptTarget) Action(packet buffer.VectorisedView) (Verdict
 type UnconditionalDropTarget struct{}
 // Action implements Target.Action.
-func (_ UnconditionalDropTarget) Action(packet buffer.VectorisedView) (Verdict, string) {
+func (UnconditionalDropTarget) Action(packet buffer.VectorisedView) (Verdict, string) {
 return Drop, ""
 }
diff --git a/pkg/tcpip/iptables/types.go b/pkg/tcpip/iptables/types.go
index cdfb6ba28..600bd9a10 100644
--- a/pkg/tcpip/iptables/types.go
+++ b/pkg/tcpip/iptables/types.go
@@ -15,13 +15,11 @@
 package iptables
 import (
- "sync"
-
- "gvisor.googlesource.com/gvisor/pkg/tcpip"
- "gvisor.googlesource.com/gvisor/pkg/tcpip/buffer"
+ "gvisor.dev/gvisor/pkg/tcpip"
+ "gvisor.dev/gvisor/pkg/tcpip/buffer"
 )
-// Hook specifies one of the hooks built into the network stack.
+// A Hook specifies one of the hooks built into the network stack.
 //
 // Userspace app Userspace app
 // ^ |
@@ -59,7 +57,7 @@ const (
 NumHooks
 )
-// Verdict is returned by a rule's target to indicate how traversal of rules
+// A Verdict is returned by a rule's target to indicate how traversal of rules
 // should (or should not) continue.
 type Verdict int
@@ -98,9 +96,6 @@ const (
 // IPTables holds all the tables for a netstack.
 type IPTables struct {
- // Mu protects the entire struct.
- Mu sync.RWMutex
-
 // Tables maps table names to tables. User tables have arbitrary names.
 Tables map[string]Table
@@ -110,7 +105,7 @@ type IPTables struct {
 Priorities map[Hook][]string
 }
-// Table defines a set of chains and hooks into the network stack. The
+// A Table defines a set of chains and hooks into the network stack. The
 // currently supported tables are:
 // * nat
 // * mangle
@@ -129,15 +124,13 @@ type Table struct {
 UserChains map[string]Chain
 // Chains maps names to chains for both builtin and user-defined chains.
- // Its entries point to Chains already either in BuiltinChains and
+ // Its entries point to Chains already either in BuiltinChains or
 // UserChains, and its purpose is to make looking up tables by name
 // fast.
 Chains map[string]*Chain
 }
 // ValidHooks returns a bitmap of the builtin hooks for the given table.
-//
-// Precondition: IPTables.mu must be locked for reading.
 func (table *Table) ValidHooks() (uint32, *tcpip.Error) {
 hooks := uint32(0)
 for hook, _ := range table.BuiltinChains {
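Review bot: With `Mu sync.RWMutex` dropped from `IPTables` and the `Precondition: IPTables.mu must be locked for reading` line removed from `ValidHooks`, nothing left in this package says how concurrent reads and writes of `Tables`, `Priorities` and the per-table chain maps are serialized, while `ValidHooks` still iterates `table.BuiltinChains`, which races with any concurrent rule update. If the lock has moved to the owning stack (it is not visible in this diff), I would state that on the type, `// IPTables holds all the tables for a netstack. It carries no lock; the owning stack must serialize all access to its fields.`, and restore an equivalent precondition on `ValidHooks`. For a packet filter this matters beyond tidiness: an unsynchronized read during a table update can evaluate a packet against a half-applied rule set, so the contract is worth stating even if today's callers happen to be correct. The body of `ValidHooks` continues outside the hunk.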
@@ -146,9 +139,9 @@ func (table *Table) ValidHooks() (uint32, *tcpip.Error) {
 return hooks, nil
 }
-// Chain defines a list of rules for packet processing. When a packet traverses
-// a chain, it is checked against each rule until either a rule returns a
-// verdict or the chain ends.
+// A Chain defines a list of rules for packet processing. When a packet
+// traverses a chain, it is checked against each rule until either a rule
+// returns a verdict or the chain ends.
 //
 // By convention, builtin chains end with a rule that matches everything and
 // returns either Accept or Drop. User-defined chains end with Return. These
@@ -161,7 +154,7 @@ type Chain struct {
 Rules []Rule
 }
-// Rule is a packet processing rule. It consists of two pieces. First it
+// A Rule is a packet processing rule. It consists of two pieces. First it
 // contains zero or more matchers, each of which is a specification of which
 // packets this rule applies to. If there are no matchers in the rule, it
 // applies to any packet.
@@ -173,7 +166,7 @@ type Rule struct {
 Target Target
 }
-// Matcher is the interface for matching packets.
+// A Matcher is the interface for matching packets.
 type Matcher interface {
 // Match returns whether the packet matches and whether the packet
 // should be "hotdropped", i.e. dropped immediately. This is usually
@@ -181,7 +174,7 @@ type Matcher interface {
 Match(hook Hook, packet buffer.VectorisedView, interfaceName string) (matches bool, hotdrop bool)
 }
-// Target is the interface for taking an action for a packet.
+// A Target is the interface for taking an action for a packet.
 type Target interface {
 // Action takes an action on the packet and returns a verdict on how
 // traversal should (or should not) continue. If the return value is |