Diffstat (limited to 'pkg')
37 files changed, 145 insertions, 106 deletions
diff --git a/pkg/abi/linux/fadvise.go b/pkg/abi/linux/fadvise.go index b06ff9964..97e2e4532 100644 --- a/pkg/abi/linux/fadvise.go +++ b/pkg/abi/linux/fadvise.go @@ -14,6 +14,7 @@ package linux +// Fadvise constants. const ( POSIX_FADV_NORMAL = 0 POSIX_FADV_RANDOM = 1 diff --git a/pkg/abi/linux/ipc.go b/pkg/abi/linux/ipc.go index c6e65df62..f84144355 100644 --- a/pkg/abi/linux/ipc.go +++ b/pkg/abi/linux/ipc.go @@ -14,8 +14,9 @@ package linux -// Control commands used with semctl, shmctl, and msgctl. Source: -// include/uapi/linux/ipc.h. +// Control commands used with semctl, shmctl, and msgctl. +// +// Source: include/uapi/linux/ipc.h. const ( IPC_RMID = 0 IPC_SET = 1 @@ -23,14 +24,19 @@ const ( IPC_INFO = 3 ) -// resource get request flags. Source: include/uapi/linux/ipc.h +// Resource get request flags. +// +// Source: include/uapi/linux/ipc.h const ( IPC_CREAT = 00001000 IPC_EXCL = 00002000 IPC_NOWAIT = 00004000 ) -const IPC_PRIVATE = 0 +// IPC flags. +const ( + IPC_PRIVATE = 0 +) // In Linux, amd64 does not enable CONFIG_ARCH_WANT_IPC_PARSE_VERSION, so SysV // IPC unconditionally uses the "new" 64-bit structures that are needed for diff --git a/pkg/abi/linux/netfilter_ipv6.go b/pkg/abi/linux/netfilter_ipv6.go index 6d31eb5e3..bcb57642e 100644 --- a/pkg/abi/linux/netfilter_ipv6.go +++ b/pkg/abi/linux/netfilter_ipv6.go @@ -288,6 +288,7 @@ type IP6TIP struct { _ [3]byte } +// SizeOfIP6TIP is the size of an IP6 header. const SizeOfIP6TIP = 136 // Flags in IP6TIP.Flags. Corresponding constants are in diff --git a/pkg/abi/linux/sched.go b/pkg/abi/linux/sched.go index 70e820823..2a67921e6 100644 --- a/pkg/abi/linux/sched.go +++ b/pkg/abi/linux/sched.go @@ -29,6 +29,7 @@ const ( SCHED_RESET_ON_FORK = 0x40000000 ) +// Scheduling priority group selectors. const ( PRIO_PGRP = 0x1 PRIO_PROCESS = 0x0 diff --git a/pkg/abi/linux/seccomp.go b/pkg/abi/linux/seccomp.go index 5be3f10f9..e64501fac 100644 --- a/pkg/abi/linux/seccomp.go +++ b/pkg/abi/linux/seccomp.go 
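Review bot: In pkg/abi/linux/ipc.go the new comment `// IPC flags.` above `IPC_PRIVATE = 0` mislabels the constant. IPC_PRIVATE is the special key value passed as the key argument of the *get calls, not a flag to be OR-ed with the `IPC_CREAT`/`IPC_EXCL`/`IPC_NOWAIT` block just above it. A reader who treats it as a flag would OR in 0 and silently get no effect, so the comment should say what it is, for example `// IPC_PRIVATE is the special key value that requests a new, private IPC object.`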
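Review bot: The comment added on `SizeOfIP6TIP` in pkg/abi/linux/netfilter_ipv6.go describes the wrong object: 136 is the size of the `IP6TIP` struct whose definition closes just above, not of an IPv6 header (the fixed IPv6 header is 40 bytes). The constant is presumably used to size or bound-check rule buffers that arrive from userspace, so a misleading description invites someone to use it as a packet-header length. I would write `// SizeOfIP6TIP is the size of an IP6TIP struct, in bytes.` The struct definition starts outside the hunk, so the 136 figure itself cannot be re-derived from what is shown.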
@@ -30,8 +30,10 @@ const ( SECCOMP_GET_ACTION_AVAIL = 2 ) +// BPFAction is an action for a BPF filter. type BPFAction uint32 +// BPFAction definitions. const ( SECCOMP_RET_KILL_PROCESS BPFAction = 0x80000000 SECCOMP_RET_KILL_THREAD BPFAction = 0x00000000 diff --git a/pkg/abi/linux/sem.go b/pkg/abi/linux/sem.go index 2424884c1..bc7b4f0ee 100644 --- a/pkg/abi/linux/sem.go +++ b/pkg/abi/linux/sem.go @@ -49,7 +49,10 @@ const ( SEMUSZ = 20 ) -const SEM_UNDO = 0x1000 +// Semaphore flags. +const ( + SEM_UNDO = 0x1000 +) // Sembuf is equivalent to struct sembuf. // diff --git a/pkg/cpuid/cpuid_arm64.go b/pkg/cpuid/cpuid_arm64.go index ac7bb6774..98c6ec62f 100644 --- a/pkg/cpuid/cpuid_arm64.go +++ b/pkg/cpuid/cpuid_arm64.go @@ -267,7 +267,7 @@ func (fs *FeatureSet) UseXsave() bool { // FlagsString prints out supported CPU "flags" field in /proc/cpuinfo. func (fs *FeatureSet) FlagsString() string { var s []string - for f, _ := range arm64FeatureStrings { + for f := range arm64FeatureStrings { if fs.Set[f] { if fstr := f.flagString(); fstr != "" { s = append(s, fstr) @@ -296,7 +296,7 @@ func (fs FeatureSet) WriteCPUInfoTo(cpu uint, b *bytes.Buffer) { func HostFeatureSet() *FeatureSet { s := make(map[Feature]bool) - for f, _ := range arm64FeatureStrings { + for f := range arm64FeatureStrings { if hwCap&(1<<f) != 0 { s[f] = true } diff --git a/pkg/p9/client.go b/pkg/p9/client.go index eadea390a..3f4324ac1 100644 --- a/pkg/p9/client.go +++ b/pkg/p9/client.go @@ -241,7 +241,7 @@ func (c *Client) watch(socket *unet.Socket) { defer c.closedWg.Done() events := []unix.PollFd{ - unix.PollFd{ + { Fd: int32(socket.FD()), Events: unix.POLLHUP | unix.POLLRDHUP, }, diff --git a/pkg/seccomp/seccomp.go b/pkg/seccomp/seccomp.go index ec17ebc4d..daea51c4d 100644 --- a/pkg/seccomp/seccomp.go +++ b/pkg/seccomp/seccomp.go 
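Review bot: The new doc comments in pkg/abi/linux/seccomp.go do not mention that the zero value of `BPFAction` is `SECCOMP_RET_KILL_THREAD` (0x00000000), as the second constant in the block shows. That is worth stating on the type, because an unset action field then means kill rather than allow, and callers should know which way an uninitialised value falls. Something like `// BPFAction is a seccomp filter return action (SECCOMP_RET_*). The zero value is SECCOMP_RET_KILL_THREAD.` would cover it. The const block continues outside the hunk.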
@@ -61,7 +61,7 @@ func Install(rules SyscallRules) error { log.Infof("Installing seccomp filters for %d syscalls (action=%v)", len(rules), defaultAction) instrs, err := BuildProgram([]RuleSet{ - RuleSet{ + { Rules: rules, Action: linux.SECCOMP_RET_ALLOW, }, @@ -160,7 +160,7 @@ func buildIndex(rules []RuleSet, program *bpf.ProgramBuilder) error { } } syscalls := make([]uintptr, 0, len(requiredSyscalls)) - for sysno, _ := range requiredSyscalls { + for sysno := range requiredSyscalls { syscalls = append(syscalls, sysno) } sort.Slice(syscalls, func(i, j int) bool { return syscalls[i] < syscalls[j] }) diff --git a/pkg/seccomp/seccomp_test.go b/pkg/seccomp/seccomp_test.go index e1444d18b..db06d1f1b 100644 --- a/pkg/seccomp/seccomp_test.go +++ b/pkg/seccomp/seccomp_test.go @@ -932,7 +932,7 @@ func TestRandom(t *testing.T) { t.Logf("Testing filters: %v", syscallRules) instrs, err := BuildProgram([]RuleSet{ - RuleSet{ + { Rules: syscallRules, Action: linux.SECCOMP_RET_ALLOW, }, diff --git a/pkg/segment/set.go b/pkg/segment/set.go index fbb31dbea..fae6c363d 100644 --- a/pkg/segment/set.go +++ b/pkg/segment/set.go @@ -1680,8 +1680,8 @@ type SegmentDataSlices struct { Values []Value } -// ExportSortedSlice returns a copy of all segments in the given set, in ascending -// key order. +// ExportSortedSlices returns a copy of all segments in the given set, in +// ascending key order. func (s *Set) ExportSortedSlices() *SegmentDataSlices { var sds SegmentDataSlices for seg := s.FirstSegment(); seg.Ok(); seg = seg.NextSegment() { @@ -1695,7 +1695,7 @@ func (s *Set) ExportSortedSlices() *SegmentDataSlices { return &sds } -// ImportSortedSlice initializes the given set from the given slice. +// ImportSortedSlices initializes the given set from the given slice. // // Preconditions: // * s must be empty. diff --git a/pkg/sentry/fs/fsutil/inode.go b/pkg/sentry/fs/fsutil/inode.go index 1922ff08c..85e7e35db 100644 --- a/pkg/sentry/fs/fsutil/inode.go +++ b/pkg/sentry/fs/fsutil/inode.go 
@@ -510,6 +510,7 @@ func (InodeDenyWriteChecker) Check(ctx context.Context, inode *fs.Inode, p fs.Pe //InodeNotAllocatable can be used by Inodes that do not support Allocate(). type InodeNotAllocatable struct{} +// Allocate implements fs.InodeOperations.Allocate. func (InodeNotAllocatable) Allocate(_ context.Context, _ *fs.Inode, _, _ int64) error { return syserror.EOPNOTSUPP } diff --git a/pkg/sentry/fs/inode.go b/pkg/sentry/fs/inode.go index 9b3d8166a..41a3c2047 100644 --- a/pkg/sentry/fs/inode.go +++ b/pkg/sentry/fs/inode.go @@ -367,6 +367,7 @@ func (i *Inode) Truncate(ctx context.Context, d *Dirent, size int64) error { return i.InodeOperations.Truncate(ctx, i, size) } +// Allocate calls i.InodeOperations.Allocate with i as the Inode. func (i *Inode) Allocate(ctx context.Context, d *Dirent, offset int64, length int64) error { if i.overlay != nil { return overlayAllocate(ctx, i.overlay, d, offset, length) diff --git a/pkg/sentry/fsimpl/testutil/kernel.go b/pkg/sentry/fsimpl/testutil/kernel.go index 205ad8192..807e4f44a 100644 --- a/pkg/sentry/fsimpl/testutil/kernel.go +++ b/pkg/sentry/fsimpl/testutil/kernel.go @@ -114,7 +114,7 @@ func Boot() (*kernel.Kernel, error) { return nil, err } tg := k.NewThreadGroup(nil, k.RootPIDNamespace(), kernel.NewSignalHandlers(), linux.SIGCHLD, ls) - k.TestOnly_SetGlobalInit(tg) + k.TestOnlySetGlobalInit(tg) return k, nil } diff --git a/pkg/sentry/kernel/auth/id.go b/pkg/sentry/kernel/auth/id.go index 4c32ee703..994486ea8 100644 --- a/pkg/sentry/kernel/auth/id.go +++ b/pkg/sentry/kernel/auth/id.go 
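Review bot: The comment added to `(*Inode).Allocate` in pkg/sentry/fs/inode.go describes only one of the two paths. The first visible statement returns `overlayAllocate(ctx, i.overlay, d, offset, length)` when `i.overlay != nil`, so `InodeOperations.Allocate` is not always what runs. Suggest `// Allocate calls overlayAllocate if i is an overlay Inode, otherwise i.InodeOperations.Allocate with i as the Inode.` The rest of the body lies outside the hunk, so the non-overlay half of that sentence is taken from the commit's own wording.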
@@ -62,18 +62,28 @@ const ( // field is displayed as 4294967295 (-1 as an unsigned integer);" - // user_namespaces(7) OverflowUID = UID(65534) + + // OverflowGID is the group equivalent to OverflowUID. OverflowGID = GID(65534) // NobodyKUID is the user ID usually reserved for the least privileged user // "nobody". NobodyKUID = KUID(65534) + + // NobodyKGID is the group equivalent to NobodyKUID. NobodyKGID = KGID(65534) // RootKUID is the user ID usually used for the most privileged user "root". RootKUID = KUID(0) + + // RootKGID is the group equivalent to RootKUID. RootKGID = KGID(0) - RootUID = UID(0) - RootGID = GID(0) + + // RootUID is the root user. + RootUID = UID(0) + + // RootGID is the root group. + RootGID = GID(0) ) // Ok returns true if uid is not -1. diff --git a/pkg/sentry/kernel/kernel.go b/pkg/sentry/kernel/kernel.go index b8627a54f..303ae8056 100644 --- a/pkg/sentry/kernel/kernel.go +++ b/pkg/sentry/kernel/kernel.go @@ -1433,8 +1433,8 @@ func (k *Kernel) GlobalInit() *ThreadGroup { return k.globalInit } -// TestOnly_SetGlobalInit sets the thread group with ID 1 in the root PID namespace. -func (k *Kernel) TestOnly_SetGlobalInit(tg *ThreadGroup) { +// TestOnlySetGlobalInit sets the thread group with ID 1 in the root PID namespace. +func (k *Kernel) TestOnlySetGlobalInit(tg *ThreadGroup) { k.globalInit = tg } diff --git a/pkg/sentry/platform/ring0/kernel_amd64.go b/pkg/sentry/platform/ring0/kernel_amd64.go index b55dc29b3..36a60700e 100644 --- a/pkg/sentry/platform/ring0/kernel_amd64.go +++ b/pkg/sentry/platform/ring0/kernel_amd64.go @@ -65,6 +65,7 @@ func (k *Kernel) init(maxCPUs int) { } } +// EntryRegions returns the set of kernel entry regions (must be mapped). func (k *Kernel) EntryRegions() map[uintptr]uintptr { regions := make(map[uintptr]uintptr) diff --git a/pkg/sentry/socket/netfilter/netfilter.go b/pkg/sentry/socket/netfilter/netfilter.go index b283d7229..26bd1abd4 100644 --- a/pkg/sentry/socket/netfilter/netfilter.go 
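Review bot: The comments added for `RootUID` and `RootGID` in pkg/sentry/kernel/auth/id.go (`// RootUID is the root user.`) read the same as the ones for `RootKUID`/`RootKGID`, which hides the distinction the separate `UID` and `KUID` types exist to enforce. If, as the user_namespaces(7) citation earlier in the block suggests, `UID` is an ID as seen inside a user namespace and `KUID` is the kernel-wide one, the doc should say so, e.g. `// RootUID is user ID 0 as seen within a user namespace; it is not necessarily RootKUID.` with the parallel wording for `RootGID`. Mixing the two kinds of ID is a classic source of privilege-check mistakes, so the constant's doc comment is the right place to spell it out.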
+++ b/pkg/sentry/socket/netfilter/netfilter.go @@ -205,7 +205,7 @@ func SetEntries(stk *stack.Stack, optVal []byte, ipv6 bool) *syserr.Error { // Go through the list of supported hooks for this table and, for each // one, set the rule it corresponds to. - for hook, _ := range replace.HookEntry { + for hook := range replace.HookEntry { if table.ValidHooks()&(1<<hook) != 0 { hk := hookFromLinux(hook) table.BuiltinChains[hk] = stack.HookUnset diff --git a/pkg/sentry/socket/netfilter/owner_matcher.go b/pkg/sentry/socket/netfilter/owner_matcher.go index 1b4e0ad79..69d13745e 100644 --- a/pkg/sentry/socket/netfilter/owner_matcher.go +++ b/pkg/sentry/socket/netfilter/owner_matcher.go @@ -96,6 +96,7 @@ func (ownerMarshaler) unmarshal(buf []byte, filter stack.IPHeaderFilter) (stack. return &owner, nil } +// OwnerMatcher matches against a UID and/or GID. type OwnerMatcher struct { uid uint32 gid uint32 diff --git a/pkg/sentry/socket/unix/unix.go b/pkg/sentry/socket/unix/unix.go index c59297c80..6c4ec55b2 100644 --- a/pkg/sentry/socket/unix/unix.go +++ b/pkg/sentry/socket/unix/unix.go @@ -471,7 +471,7 @@ func (s *socketOpsCommon) SendMsg(t *kernel.Task, src usermem.IOSequence, to []b if len(to) > 0 { switch s.stype { case linux.SOCK_SEQPACKET: - to = nil + // to is ignored. case linux.SOCK_STREAM: if s.State() == linux.SS_CONNECTED { return 0, syserr.ErrAlreadyConnected diff --git a/pkg/sentry/syscalls/linux/sys_sync.go b/pkg/sentry/syscalls/linux/sys_sync.go index 048a21c6e..5ebd4461f 100644 --- a/pkg/sentry/syscalls/linux/sys_sync.go +++ b/pkg/sentry/syscalls/linux/sys_sync.go @@ -125,6 +125,7 @@ func SyncFileRange(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel // // It should be safe to skipped this flag while nobody uses // SYNC_FILE_RANGE_WAIT_BEFORE. + _ = nbytes // SYNC_FILE_RANGE_WAIT_AFTER waits upon write-out of all pages in the // range after performing any write. 
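Review bot: Replacing `to = nil` with a comment in the `SOCK_SEQPACKET` case of `SendMsg` (pkg/sentry/socket/unix/unix.go) is behaviour-preserving only if nothing after this `switch` reads `to`; the function continues outside the hunk, so that should be confirmed before merging. If a later statement does use `to`, a caller-supplied address would now be honoured on a SEQPACKET socket where it was previously dropped. I would also have the comment say why rather than what, e.g. `// SOCK_SEQPACKET ignores the destination address; to is deliberately unused.`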
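Review bot: `_ = nbytes` in `SyncFileRange` (pkg/sentry/syscalls/linux/sys_sync.go) silences an unused-value warning without saying why the value is dropped, and the comment block it is appended to talks about SYNC_FILE_RANGE_WAIT_BEFORE, not about nbytes. If nbytes is computed earlier only for a code path that is not implemented yet, say so on the line, e.g. `_ = nbytes // computed above, unused until SYNC_FILE_RANGE_WAIT_BEFORE is implemented`; if it is simply dead, removing the computation is cleaner than masking it. The code that sets nbytes is outside the hunk.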
diff --git a/pkg/sentry/vfs/inotify.go b/pkg/sentry/vfs/inotify.go index 107171b61..a48ac1cd6 100644 --- a/pkg/sentry/vfs/inotify.go +++ b/pkg/sentry/vfs/inotify.go @@ -738,7 +738,7 @@ func InotifyEventFromStatMask(mask uint32) uint32 { } else if mask&linux.STATX_ATIME != 0 { ev |= linux.IN_ACCESS } else if mask&linux.STATX_MTIME != 0 { - mask |= linux.IN_MODIFY + ev |= linux.IN_MODIFY } return ev } diff --git a/pkg/shim/v1/shim/api.go b/pkg/shim/v1/shim/api.go index 5dd8ff172..8200eb012 100644 --- a/pkg/shim/v1/shim/api.go +++ b/pkg/shim/v1/shim/api.go @@ -19,10 +19,23 @@ import ( "github.com/containerd/containerd/api/events" ) +// TaskCreate is an alias for events.TaskCreate. type TaskCreate = events.TaskCreate + +// TaskStart is an alias for events.TaskStart. type TaskStart = events.TaskStart + +// TaskOOM is an alias for events.TaskOOM. type TaskOOM = events.TaskOOM + +// TaskExit is an alias for events.TaskExit. type TaskExit = events.TaskExit + +// TaskDelete is an alias for events.TaskDelete. type TaskDelete = events.TaskDelete + +// TaskExecAdded is an alias for events.TaskExecAdded. type TaskExecAdded = events.TaskExecAdded + +// TaskExecStarted is an alias for events.TaskExecStarted. type TaskExecStarted = events.TaskExecStarted diff --git a/pkg/shim/v2/api.go b/pkg/shim/v2/api.go index dbe5c59f6..5a60a04db 100644 --- a/pkg/shim/v2/api.go +++ b/pkg/shim/v2/api.go @@ -19,4 +19,5 @@ import ( "github.com/containerd/containerd/api/events" ) +// TaskOOM is an alias for events.TaskOOM. type TaskOOM = events.TaskOOM diff --git a/pkg/tcpip/link/fdbased/endpoint_test.go b/pkg/tcpip/link/fdbased/endpoint_test.go index a87abc6d6..987a34226 100644 --- a/pkg/tcpip/link/fdbased/endpoint_test.go +++ b/pkg/tcpip/link/fdbased/endpoint_test.go 
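Review bot: The `ev |= linux.IN_MODIFY` correction in `InotifyEventFromStatMask` (pkg/sentry/vfs/inotify.go) changes observable behaviour, yet no test in this diff pins the fixed result. Previously an MTIME-only mask produced no IN_MODIFY, because the bit was OR-ed into the input `mask` instead of `ev`. A small table-driven test covering at least `STATX_MTIME` alone and `STATX_ATIME` alone would keep this from regressing, since a dropped inotify event fails silently for anything that watches for file changes. The start of the `if`/`else if` chain is outside the hunk, so how combined masks are handled cannot be checked from here.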
@@ -501,7 +501,7 @@ func TestRecvMMsgDispatcherCapLength(t *testing.T) { msgHdrs: make([]rawfile.MMsgHdr, 1), } - for i, _ := range d.views { + for i := range d.views { d.views[i] = make([]buffer.View, len(c.config)) } for i := range d.iovecs { diff --git a/pkg/tcpip/network/ipv6/icmp_test.go b/pkg/tcpip/network/ipv6/icmp_test.go index 34a6a8446..bbce1ef78 100644 --- a/pkg/tcpip/network/ipv6/icmp_test.go +++ b/pkg/tcpip/network/ipv6/icmp_test.go @@ -1535,7 +1535,7 @@ func TestPacketQueing(t *testing.T) { } s.SetRouteTable([]tcpip.Route{ - tcpip.Route{ + { Destination: host1IPv6Addr.AddressWithPrefix.Subnet(), NIC: nicID, }, diff --git a/pkg/tcpip/network/ipv6/mld_test.go b/pkg/tcpip/network/ipv6/mld_test.go index e2778b656..f6ffa7133 100644 --- a/pkg/tcpip/network/ipv6/mld_test.go +++ b/pkg/tcpip/network/ipv6/mld_test.go @@ -267,7 +267,7 @@ func TestSendQueuedMLDReports(t *testing.T) { globalMulticastAddr: false, linkLocalAddrSNMC: false, } - for _ = range addrs { + for range addrs { p, ok := e.Read() if !ok { t.Fatalf("expected MLD report for %s and %s; addrs = %#v", globalMulticastAddr, linkLocalAddrSNMC, addrs) diff --git a/pkg/tcpip/network/ipv6/ndp_test.go b/pkg/tcpip/network/ipv6/ndp_test.go index 7ddb19c00..b1a5a5510 100644 --- a/pkg/tcpip/network/ipv6/ndp_test.go +++ b/pkg/tcpip/network/ipv6/ndp_test.go @@ -581,7 +581,7 @@ func TestNeighorSolicitationResponse(t *testing.T) { } s.SetRouteTable([]tcpip.Route{ - tcpip.Route{ + { Destination: header.IPv6EmptySubnet, NIC: 1, }, diff --git a/pkg/tcpip/network/multicast_group_test.go b/pkg/tcpip/network/multicast_group_test.go index 05d98a0a5..0f4f0e1e1 100644 --- a/pkg/tcpip/network/multicast_group_test.go +++ b/pkg/tcpip/network/multicast_group_test.go @@ -1095,7 +1095,7 @@ func TestMGPWithNICLifecycle(t *testing.T) { seen[a] = false } - for i, _ := range test.multicastAddrs { + for i := range test.multicastAddrs { p, ok := e.Read() if !ok { t.Fatalf("expected (%d-th) leave message to be sent", i) 
@@ -1122,7 +1122,7 @@ func TestMGPWithNICLifecycle(t *testing.T) { seen[a] = false } - for i, _ := range test.multicastAddrs { + for i := range test.multicastAddrs { p, ok := e.Read() if !ok { t.Fatalf("expected (%d-th) report message to be sent", i) @@ -1143,7 +1143,7 @@ func TestMGPWithNICLifecycle(t *testing.T) { if got := sentLeaveStat.Value(); got != leaveCounter { t.Errorf("got sentLeaveStat.Value() = %d, want = %d", got, leaveCounter) } - for i, _ := range test.multicastAddrs { + for i := range test.multicastAddrs { if _, ok := e.Read(); !ok { t.Fatalf("expected (%d-th) leave message to be sent", i) } diff --git a/pkg/tcpip/stack/conntrack.go b/pkg/tcpip/stack/conntrack.go index 9a17efcba..5e649cca6 100644 --- a/pkg/tcpip/stack/conntrack.go +++ b/pkg/tcpip/stack/conntrack.go @@ -142,19 +142,19 @@ func (cn *conn) timedOut(now time.Time) bool { // update the connection tracking state. // -// Precondition: ct.mu must be held. -func (ct *conn) updateLocked(tcpHeader header.TCP, hook Hook) { +// Precondition: cn.mu must be held. +func (cn *conn) updateLocked(tcpHeader header.TCP, hook Hook) { // Update the state of tcb. tcb assumes it's always initialized on the // client. However, we only need to know whether the connection is // established or not, so the client/server distinction isn't important. // TODO(gvisor.dev/issue/170): Add support in tcpconntrack to handle // other tcp states. - if ct.tcb.IsEmpty() { - ct.tcb.Init(tcpHeader) - } else if hook == ct.tcbHook { - ct.tcb.UpdateStateOutbound(tcpHeader) + if cn.tcb.IsEmpty() { + cn.tcb.Init(tcpHeader) + } else if hook == cn.tcbHook { + cn.tcb.UpdateStateOutbound(tcpHeader) } else { - ct.tcb.UpdateStateInbound(tcpHeader) + cn.tcb.UpdateStateInbound(tcpHeader) } } diff --git a/pkg/tcpip/stack/iptables.go b/pkg/tcpip/stack/iptables.go index 2d8c883cd..09c7811fa 100644 --- a/pkg/tcpip/stack/iptables.go +++ b/pkg/tcpip/stack/iptables.go 
@@ -45,13 +45,13 @@ const reaperDelay = 5 * time.Second func DefaultTables() *IPTables { return &IPTables{ v4Tables: [NumTables]Table{ - NATID: Table{ + NATID: { Rules: []Rule{ - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, }, BuiltinChains: [NumHooks]int{ Prerouting: 0, @@ -68,11 +68,11 @@ func DefaultTables() *IPTables { Postrouting: 3, }, }, - MangleID: Table{ + MangleID: { Rules: []Rule{ - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, }, BuiltinChains: [NumHooks]int{ Prerouting: 0, 
@@ -86,12 +86,12 @@ func DefaultTables() *IPTables { Postrouting: HookUnset, }, }, - FilterID: Table{ + FilterID: { Rules: []Rule{ - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, - Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, + {Target: &ErrorTarget{NetworkProtocol: header.IPv4ProtocolNumber}}, }, BuiltinChains: [NumHooks]int{ Prerouting: HookUnset, @@ -110,13 +110,13 @@ func DefaultTables() *IPTables { }, }, v6Tables: [NumTables]Table{ - NATID: Table{ + NATID: { Rules: []Rule{ - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, }, BuiltinChains: [NumHooks]int{ Prerouting: 0, 
@@ -133,11 +133,11 @@ func DefaultTables() *IPTables { Postrouting: 3, }, }, - MangleID: Table{ + MangleID: { Rules: []Rule{ - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, }, BuiltinChains: [NumHooks]int{ Prerouting: 0, @@ -151,12 +151,12 @@ func DefaultTables() *IPTables { Postrouting: HookUnset, }, }, - FilterID: Table{ + FilterID: { Rules: []Rule{ - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, - Rule{Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &AcceptTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, + {Target: &ErrorTarget{NetworkProtocol: header.IPv6ProtocolNumber}}, }, BuiltinChains: [NumHooks]int{ Prerouting: HookUnset, @@ -175,9 +175,9 @@ func DefaultTables() *IPTables { }, }, priorities: [NumHooks][]TableID{ - Prerouting: []TableID{MangleID, NATID}, - Input: []TableID{NATID, FilterID}, - Output: []TableID{MangleID, NATID, FilterID}, + Prerouting: {MangleID, NATID}, + Input: {NATID, FilterID}, + Output: {MangleID, NATID, FilterID}, }, connections: ConnTrack{ seed: generateRandUint32(), diff --git a/pkg/tcpip/stack/iptables_types.go b/pkg/tcpip/stack/iptables_types.go index 4b86c1be9..56a3e7861 100644 --- a/pkg/tcpip/stack/iptables_types.go +++ b/pkg/tcpip/stack/iptables_types.go 
@@ -56,7 +56,7 @@ const ( // Postrouting happens just before a packet goes out on the wire. Postrouting - // The total number of hooks. + // NumHooks is the total number of hooks. NumHooks ) @@ -273,14 +273,12 @@ func (fl IPHeaderFilter) match(pkt *PacketBuffer, hook Hook, nicName string) boo return true } - // If the interface name ends with '+', any interface which begins - // with the name should be matched. + // If the interface name ends with '+', any interface which + // begins with the name should be matched. ifName := fl.OutputInterface - matches := true + matches := nicName == ifName if strings.HasSuffix(ifName, "+") { matches = strings.HasPrefix(nicName, ifName[:n-1]) - } else { - matches = nicName == ifName } return fl.OutputInterfaceInvert != matches } diff --git a/pkg/tcpip/tests/integration/forward_test.go b/pkg/tcpip/tests/integration/forward_test.go index 60054d6ef..4c2084d19 100644 --- a/pkg/tcpip/tests/integration/forward_test.go +++ b/pkg/tcpip/tests/integration/forward_test.go 
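Review bot: In `IPHeaderFilter.match` (pkg/tcpip/stack/iptables_types.go) the wildcard branch slices `ifName[:n-1]` using `n`, which is defined outside the hunk, so the rewritten code is only correct while `n` is still `len(fl.OutputInterface)` at this point. `strings.TrimSuffix` expresses the same prefix without that coupling: `matches = strings.HasPrefix(nicName, strings.TrimSuffix(ifName, "+"))`. It is also worth a comment that a bare `+` yields an empty prefix and therefore matches every interface, because this expression decides which packets a filter rule applies to.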
@@ -285,58 +285,58 @@ func TestForwarding(t *testing.T) { } host1Stack.SetRouteTable([]tcpip.Route{ - tcpip.Route{ + { Destination: host1IPv4Addr.AddressWithPrefix.Subnet(), NIC: host1NICID, }, - tcpip.Route{ + { Destination: host1IPv6Addr.AddressWithPrefix.Subnet(), NIC: host1NICID, }, - tcpip.Route{ + { Destination: host2IPv4Addr.AddressWithPrefix.Subnet(), Gateway: routerNIC1IPv4Addr.AddressWithPrefix.Address, NIC: host1NICID, }, - tcpip.Route{ + { Destination: host2IPv6Addr.AddressWithPrefix.Subnet(), Gateway: routerNIC1IPv6Addr.AddressWithPrefix.Address, NIC: host1NICID, }, }) routerStack.SetRouteTable([]tcpip.Route{ - tcpip.Route{ + { Destination: routerNIC1IPv4Addr.AddressWithPrefix.Subnet(), NIC: routerNICID1, }, - tcpip.Route{ + { Destination: routerNIC1IPv6Addr.AddressWithPrefix.Subnet(), NIC: routerNICID1, }, - tcpip.Route{ + { Destination: routerNIC2IPv4Addr.AddressWithPrefix.Subnet(), NIC: routerNICID2, }, - tcpip.Route{ + { Destination: routerNIC2IPv6Addr.AddressWithPrefix.Subnet(), NIC: routerNICID2, }, }) host2Stack.SetRouteTable([]tcpip.Route{ - tcpip.Route{ + { Destination: host2IPv4Addr.AddressWithPrefix.Subnet(), NIC: host2NICID, }, - tcpip.Route{ + { Destination: host2IPv6Addr.AddressWithPrefix.Subnet(), NIC: host2NICID, }, - tcpip.Route{ + { Destination: host1IPv4Addr.AddressWithPrefix.Subnet(), Gateway: routerNIC2IPv4Addr.AddressWithPrefix.Address, NIC: host2NICID, }, - tcpip.Route{ + { Destination: host1IPv6Addr.AddressWithPrefix.Subnet(), Gateway: routerNIC2IPv6Addr.AddressWithPrefix.Address, NIC: host2NICID, diff --git a/pkg/tcpip/tests/integration/link_resolution_test.go b/pkg/tcpip/tests/integration/link_resolution_test.go index 209da3903..b4bffaec1 100644 --- a/pkg/tcpip/tests/integration/link_resolution_test.go +++ b/pkg/tcpip/tests/integration/link_resolution_test.go 
@@ -154,21 +154,21 @@ func TestPing(t *testing.T) { } host1Stack.SetRouteTable([]tcpip.Route{ - tcpip.Route{ + { Destination: ipv4Addr1.AddressWithPrefix.Subnet(), NIC: host1NICID, }, - tcpip.Route{ + { Destination: ipv6Addr1.AddressWithPrefix.Subnet(), NIC: host1NICID, }, }) host2Stack.SetRouteTable([]tcpip.Route{ - tcpip.Route{ + { Destination: ipv4Addr2.AddressWithPrefix.Subnet(), NIC: host2NICID, }, - tcpip.Route{ + { Destination: ipv6Addr2.AddressWithPrefix.Subnet(), NIC: host2NICID, }, diff --git a/pkg/tcpip/tests/integration/loopback_test.go b/pkg/tcpip/tests/integration/loopback_test.go index cf9e86c3c..cb6169cfc 100644 --- a/pkg/tcpip/tests/integration/loopback_test.go +++ b/pkg/tcpip/tests/integration/loopback_test.go @@ -198,11 +198,11 @@ func TestLoopbackAcceptAllInSubnetUDP(t *testing.T) { t.Fatalf("AddProtocolAddress(%d, %+v): %s", nicID, test.addAddress, err) } s.SetRouteTable([]tcpip.Route{ - tcpip.Route{ + { Destination: header.IPv4EmptySubnet, NIC: nicID, }, - tcpip.Route{ + { Destination: header.IPv6EmptySubnet, NIC: nicID, }, @@ -291,7 +291,7 @@ func TestLoopbackSubnetLifetimeBoundToAddr(t *testing.T) { t.Fatalf("s.AddProtocolAddress(%d, %#v): %s", nicID, protoAddr, err) } s.SetRouteTable([]tcpip.Route{ - tcpip.Route{ + { Destination: header.IPv4EmptySubnet, NIC: nicID, }, @@ -429,11 +429,11 @@ func TestLoopbackAcceptAllInSubnetTCP(t *testing.T) { t.Fatalf("AddProtocolAddress(%d, %#v): %s", nicID, test.addAddress, err) } s.SetRouteTable([]tcpip.Route{ - tcpip.Route{ + { Destination: header.IPv4EmptySubnet, NIC: nicID, }, - tcpip.Route{ + { Destination: header.IPv6EmptySubnet, NIC: nicID, }, diff --git a/pkg/tcpip/tests/integration/multicast_broadcast_test.go b/pkg/tcpip/tests/integration/multicast_broadcast_test.go index fae6c256a..b42375695 100644 --- a/pkg/tcpip/tests/integration/multicast_broadcast_test.go +++ b/pkg/tcpip/tests/integration/multicast_broadcast_test.go 
@@ -166,11 +166,11 @@ func TestPingMulticastBroadcast(t *testing.T) { // Default routes for IPv4 and IPv6 so ICMP can find a route to the remote // node when attempting to send the ICMP Echo Reply. s.SetRouteTable([]tcpip.Route{ - tcpip.Route{ + { Destination: header.IPv6EmptySubnet, NIC: nicID, }, - tcpip.Route{ + { Destination: header.IPv4EmptySubnet, NIC: nicID, }, @@ -530,7 +530,7 @@ func TestReuseAddrAndBroadcast(t *testing.T) { } s.SetRouteTable([]tcpip.Route{ - tcpip.Route{ + { // We use the empty subnet instead of just the loopback subnet so we // also have a route to the IPv4 Broadcast address. Destination: header.IPv4EmptySubnet, @@ -699,11 +699,11 @@ func TestUDPAddRemoveMembershipSocketOption(t *testing.T) { // routable to the multicast address when the NIC isn't specified. if !subTest.specifyNICID && !subTest.specifyNICAddr { s.SetRouteTable([]tcpip.Route{ - tcpip.Route{ + { Destination: header.IPv6EmptySubnet, NIC: nicID, }, - tcpip.Route{ + { Destination: header.IPv4EmptySubnet, NIC: nicID, }, diff --git a/pkg/tcpip/transport/tcp/tcp_test.go b/pkg/tcpip/transport/tcp/tcp_test.go index 9fa4672d7..aeceee7e0 100644 --- a/pkg/tcpip/transport/tcp/tcp_test.go +++ b/pkg/tcpip/transport/tcp/tcp_test.go @@ -3461,7 +3461,7 @@ func TestRetransmitIPv4IDUniqueness(t *testing.T) { checker.TCPFlagsMatch(header.TCPFlagAck, ^uint8(header.TCPFlagPsh)), ), ) - idSet := map[uint16]struct{}{header.IPv4(pkt).ID(): struct{}{}} + idSet := map[uint16]struct{}{header.IPv4(pkt).ID(): {}} // Expect two retransmitted packets, and that all packets received have // unique IPv4 ID values. for i := 0; i <= 2; i++ { 
@@ -5698,16 +5698,14 @@ func TestListenBacklogFullSynCookieInUse(t *testing.T) { t.Fatalf("Bind failed: %s", err) } - // Test acceptance. // Start listening. listenBacklog := 1 - portOffset := uint16(0) if err := c.EP.Listen(listenBacklog); err != nil { t.Fatalf("Listen failed: %s", err) } - executeHandshake(t, c, context.TestPort+portOffset, false) - portOffset++ + executeHandshake(t, c, context.TestPort, false) + // Wait for this to be delivered to the accept queue. time.Sleep(50 * time.Millisecond) |