Diffstat (limited to 'pkg/tcpip/iptables')
-rw-r--r-- | pkg/tcpip/iptables/iptables.go | 8 | ||||
-rw-r--r-- | pkg/tcpip/iptables/targets.go | 2 |
2 files changed, 8 insertions, 2 deletions
diff --git a/pkg/tcpip/iptables/iptables.go b/pkg/tcpip/iptables/iptables.go
index db0450a21..647970133 100644
--- a/pkg/tcpip/iptables/iptables.go
+++ b/pkg/tcpip/iptables/iptables.go
@@ -16,13 +16,13 @@
 // tool.
 package iptables
 
+// Table names.
 const (
 	TablenameNat = "nat"
 	TablenameMangle = "mangle"
 	TablenameFilter = "filter"
 )
 
-// TODO: Make this an iota? Faster! Do it.
 // Chain names as defined by net/ipv4/netfilter/ip_tables.c.
 const (
 	ChainNamePrerouting = "PREROUTING"
@@ -32,11 +32,15 @@ const (
 	ChainNamePostrouting = "POSTROUTING"
 )
 
+// HookUnset indicates that there is no hook set for an entrypoint or
+// underflow.
 const HookUnset = -1
 
 // DefaultTables returns a default set of tables. Each chain is set to accept
 // all packets.
 func DefaultTables() IPTables {
+	// TODO(gvisor.dev/issue/170): We may be able to swap out some strings for
+	// iotas.
 	return IPTables{
 		Tables: map[string]Table{
 			TablenameNat: Table{
@@ -105,6 +109,8 @@ func DefaultTables() IPTables {
 	}
 }
 
+// EmptyFilterTable returns a Table with no rules and the filter table chains
+// mapped to HookUnset.
 func EmptyFilterTable() Table {
 	return Table{
 		Rules: []Rule{},
diff --git a/pkg/tcpip/iptables/targets.go b/pkg/tcpip/iptables/targets.go
index d65ed8df5..b94a4c941 100644
--- a/pkg/tcpip/iptables/targets.go
+++ b/pkg/tcpip/iptables/targets.go
@@ -41,7 +41,7 @@ func (UnconditionalDropTarget) Action(packet buffer.VectorisedView) (Verdict, st
 // should be unreachable.
 type ErrorTarget struct{}
 
-// Actions implements Target.Action.
+// Action implements Target.Action.
 func (ErrorTarget) Action(packet buffer.VectorisedView) (Verdict, string) {
 	log.Warningf("ErrorTarget triggered.")
 	return Drop, ""
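Review bot: The new `TODO(gvisor.dev/issue/170)` in the second iptables.go hunk sits inside the body of DefaultTables, but it concerns the string constants (TablenameNat, the ChainName* values) declared in the first hunk, where the old `// TODO: Make this an iota?` was removed. A reader of the const block no longer sees that the representation is provisional, and a reader of DefaultTables cannot tell which strings the note refers to. Consider moving the two lines back to just above the `// Table names.` const block, or name the constants in the note, e.g. `// TODO(gvisor.dev/issue/170): Tablename* and ChainName* may be replaceable by iotas.`. The body of DefaultTables continues outside the hunk.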
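Review bot: The corrected comment `// Action implements Target.Action.` in targets.go still does not say what ErrorTarget.Action does, which matters because the surrounding context line says this target "should be unreachable": the method logs a warning on every call and unconditionally returns Drop. Suggest `// Action implements Target.Action. It logs a warning and drops the packet; it is only reached if a ruleset references an error target, which should not happen.`. If this target can be reached for packets arriving from the network, the unthrottled `log.Warningf` on each invocation is a per-packet log write, so a rate-limited logger or a lower level may be worth considering; whether it is reachable that way is not visible in this hunk.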