7 files changed, 511 insertions, 183 deletions

diff --git a/pkg/abi/linux/netfilter.go b/pkg/abi/linux/netfilter.go
index 269ba5567..0bcb232de 100644
--- a/pkg/abi/linux/netfilter.go
+++ b/pkg/abi/linux/netfilter.go
@@ -42,6 +42,13 @@ const (
 	NF_RETURN = -NF_REPEAT - 1
 )
 
+var VerdictStrings = map[int32]string{
+	-NF_DROP - 1:   "DROP",
+	-NF_ACCEPT - 1: "ACCEPT",
+	-NF_QUEUE - 1:  "QUEUE",
+	NF_RETURN:      "RETURN",
+}
+
 // Socket options. These correspond to values in
 // include/uapi/linux/netfilter_ipv4/ip_tables.h.
 const (
@@ -179,7 +186,7 @@ const SizeOfXTCounters = 16
 // the user data.
 type XTEntryMatch struct {
 	MatchSize uint16
-	Name      [XT_EXTENSION_MAXNAMELEN]byte
+	Name      ExtensionName
 	Revision  uint8
 	// Data is omitted here because it would cause XTEntryMatch to be an
 	// extra byte larger (see http://www.catb.org/esr/structure-packing/).
@@ -199,7 +206,7 @@ const SizeOfXTEntryMatch = 32
 // the user data.
 type XTEntryTarget struct {
 	TargetSize uint16
-	Name       [XT_EXTENSION_MAXNAMELEN]byte
+	Name       ExtensionName
 	Revision   uint8
 	// Data is omitted here because it would cause XTEntryTarget to be an
 	// extra byte larger (see http://www.catb.org/esr/structure-packing/).
@@ -226,9 +233,9 @@ const SizeOfXTStandardTarget = 40
 // ErrorName. It corresponds to struct xt_error_target in
 // include/uapi/linux/netfilter/x_tables.h.
 type XTErrorTarget struct {
-	Target    XTEntryTarget
-	ErrorName [XT_FUNCTION_MAXNAMELEN]byte
-	_         [2]byte
+	Target XTEntryTarget
+	Name   ErrorName
+	_      [2]byte
 }
 
 // SizeOfXTErrorTarget is the size of an XTErrorTarget.
@@ -237,7 +244,7 @@ const SizeOfXTErrorTarget = 64
 // IPTGetinfo is the argument for the IPT_SO_GET_INFO sockopt. It corresponds
 // to struct ipt_getinfo in include/uapi/linux/netfilter_ipv4/ip_tables.h.
 type IPTGetinfo struct {
-	Name       [XT_TABLE_MAXNAMELEN]byte
+	Name       TableName
 	ValidHooks uint32
 	HookEntry  [NF_INET_NUMHOOKS]uint32
 	Underflow  [NF_INET_NUMHOOKS]uint32
@@ -248,16 +255,11 @@ type IPTGetinfo struct {
 // SizeOfIPTGetinfo is the size of an IPTGetinfo.
 const SizeOfIPTGetinfo = 84
 
-// TableName returns the table name.
-func (info *IPTGetinfo) TableName() string {
-	return tableName(info.Name[:])
-}
-
 // IPTGetEntries is the argument for the IPT_SO_GET_ENTRIES sockopt. It
 // corresponds to struct ipt_get_entries in
 // include/uapi/linux/netfilter_ipv4/ip_tables.h.
 type IPTGetEntries struct {
-	Name [XT_TABLE_MAXNAMELEN]byte
+	Name TableName
 	Size uint32
 	_    [4]byte
 	// Entrytable is omitted here because it would cause IPTGetEntries to
@@ -266,34 +268,22 @@ type IPTGetEntries struct {
 	// Entrytable [0]IPTEntry
 }
 
-// TableName returns the entries' table name.
-func (entries *IPTGetEntries) TableName() string {
-	return tableName(entries.Name[:])
-}
-
 // SizeOfIPTGetEntries is the size of an IPTGetEntries.
 const SizeOfIPTGetEntries = 40
 
-// KernelIPTGetEntries is identical to IPTEntry, but includes the Elems field.
-// This struct marshaled via the binary package to write an KernelIPTGetEntries
-// to userspace.
+// KernelIPTGetEntries is identical to IPTGetEntries, but includes the
+// Entrytable field. This struct marshaled via the binary package to write an
+// KernelIPTGetEntries to userspace.
 type KernelIPTGetEntries struct {
-	Name       [XT_TABLE_MAXNAMELEN]byte
-	Size       uint32
-	_          [4]byte
+	IPTGetEntries
 	Entrytable []KernelIPTEntry
 }
 
-// TableName returns the entries' table name.
-func (entries *KernelIPTGetEntries) TableName() string {
-	return tableName(entries.Name[:])
-}
-
 // IPTReplace is the argument for the IPT_SO_SET_REPLACE sockopt. It
 // corresponds to struct ipt_replace in
 // include/uapi/linux/netfilter_ipv4/ip_tables.h.
 type IPTReplace struct {
-	Name        [XT_TABLE_MAXNAMELEN]byte
+	Name        TableName
 	ValidHooks  uint32
 	NumEntries  uint32
 	Size        uint32
@@ -306,14 +296,40 @@ type IPTReplace struct {
 	// Entries [0]IPTEntry
 }
 
+type KernelIPTReplace struct {
+	IPTReplace
+	Entries [0]IPTEntry
+}
+
 // SizeOfIPTReplace is the size of an IPTReplace.
 const SizeOfIPTReplace = 96
 
-func tableName(name []byte) string {
-	for i, c := range name {
+type ExtensionName [XT_EXTENSION_MAXNAMELEN]byte
+
+// String implements fmt.Stringer.
+func (en ExtensionName) String() string {
+	return name(en[:])
+}
+
+type TableName [XT_TABLE_MAXNAMELEN]byte
+
+// String implements fmt.Stringer.
+func (tn TableName) String() string {
+	return name(tn[:])
+}
+
+type ErrorName [XT_FUNCTION_MAXNAMELEN]byte
+
+// String implements fmt.Stringer.
+func (fn ErrorName) String() string {
+	return name(fn[:])
+}
+
+func name(cstring []byte) string {
+	for i, c := range cstring {
 		if c == 0 {
-			return string(name[:i])
+			return string(cstring[:i])
 		}
 	}
-	return string(name)
+	return string(cstring)
 }
diff --git a/pkg/sentry/socket/netfilter/BUILD b/pkg/sentry/socket/netfilter/BUILD
index 5eb06bbf4..b70047d81 100644
--- a/pkg/sentry/socket/netfilter/BUILD
+++ b/pkg/sentry/socket/netfilter/BUILD
@@ -14,6 +14,7 @@ go_library(
     deps = [
         "//pkg/abi/linux",
         "//pkg/binary",
+        "//pkg/log",
         "//pkg/sentry/kernel",
         "//pkg/sentry/usermem",
         "//pkg/syserr",
diff --git a/pkg/sentry/socket/netfilter/netfilter.go b/pkg/sentry/socket/netfilter/netfilter.go
index 9f87c32f1..8c7f3c7fc 100644
--- a/pkg/sentry/socket/netfilter/netfilter.go
+++ b/pkg/sentry/socket/netfilter/netfilter.go
@@ -21,6 +21,7 @@ import (
 
 	"gvisor.dev/gvisor/pkg/abi/linux"
 	"gvisor.dev/gvisor/pkg/binary"
+	"gvisor.dev/gvisor/pkg/log"
 	"gvisor.dev/gvisor/pkg/sentry/kernel"
 	"gvisor.dev/gvisor/pkg/sentry/usermem"
 	"gvisor.dev/gvisor/pkg/syserr"
@@ -35,6 +36,7 @@ const errorTargetName = "ERROR"
 
 // metadata is opaque to netstack. It holds data that we need to translate
 // between Linux's and netstack's iptables representations.
+// TODO(gvisor.dev/issue/170): This might be removable.
 type metadata struct {
 	HookEntry  [linux.NF_INET_NUMHOOKS]uint32
 	Underflow  [linux.NF_INET_NUMHOOKS]uint32
@@ -51,7 +53,7 @@ func GetInfo(t *kernel.Task, ep tcpip.Endpoint, outPtr usermem.Addr) (linux.IPTG
 	}
 
 	// Find the appropriate table.
-	table, err := findTable(ep, info.TableName())
+	table, err := findTable(ep, info.Name.String())
 	if err != nil {
 		return linux.IPTGetinfo{}, err
 	}
@@ -82,18 +84,19 @@ func GetEntries(t *kernel.Task, ep tcpip.Endpoint, outPtr usermem.Addr, outLen i
 	}
 
 	// Find the appropriate table.
-	table, err := findTable(ep, userEntries.TableName())
+	table, err := findTable(ep, userEntries.Name.String())
 	if err != nil {
 		return linux.KernelIPTGetEntries{}, err
 	}
 
 	// Convert netstack's iptables rules to something that the iptables
 	// tool can understand.
-	entries, _, err := convertNetstackToBinary(userEntries.TableName(), table)
+	entries, _, err := convertNetstackToBinary(userEntries.Name.String(), table)
 	if err != nil {
 		return linux.KernelIPTGetEntries{}, err
 	}
 	if binary.Size(entries) > uintptr(outLen) {
+		log.Infof("Insufficient GetEntries output size: %d", uintptr(outLen))
 		return linux.KernelIPTGetEntries{}, syserr.ErrInvalidArgument
 	}
 
@@ -142,103 +145,63 @@ func convertNetstackToBinary(name string, table iptables.Table) (linux.KernelIPT
 
 	// The table name has to fit in the struct.
 	if linux.XT_TABLE_MAXNAMELEN < len(name) {
+		log.Infof("Table name too long.")
 		return linux.KernelIPTGetEntries{}, metadata{}, syserr.ErrInvalidArgument
 	}
 	copy(entries.Name[:], name)
 
-	// Deal with the built in chains first (INPUT, OUTPUT, etc.). Each of
-	// these chains ends with an unconditional policy entry.
-	for hook := iptables.Prerouting; hook < iptables.NumHooks; hook++ {
-		chain, ok := table.BuiltinChains[hook]
-		if !ok {
-			// This table doesn't support this hook.
-			continue
-		}
-
-		// Sanity check.
-		if len(chain.Rules) < 1 {
-			return linux.KernelIPTGetEntries{}, metadata{}, syserr.ErrInvalidArgument
-		}
-
-		for ruleIdx, rule := range chain.Rules {
-			// If this is the first rule of a builtin chain, set
-			// the metadata hook entry point.
-			if ruleIdx == 0 {
+	for ruleIdx, rule := range table.Rules {
+		// Is this a chain entry point?
+		for hook, hookRuleIdx := range table.BuiltinChains {
+			if hookRuleIdx == ruleIdx {
 				meta.HookEntry[hook] = entries.Size
 			}
-
-			// Each rule corresponds to an entry.
-			entry := linux.KernelIPTEntry{
-				IPTEntry: linux.IPTEntry{
-					NextOffset:   linux.SizeOfIPTEntry,
-					TargetOffset: linux.SizeOfIPTEntry,
-				},
+		}
+		// Is this a chain underflow point? The underflow rule is the last rule
+		// in the chain, and is an unconditional rule (i.e. it matches any
+		// packet). This is enforced when saving iptables.
+		for underflow, underflowRuleIdx := range table.Underflows {
+			if underflowRuleIdx == ruleIdx {
+				meta.Underflow[underflow] = entries.Size
 			}
+		}
 
-			for _, matcher := range rule.Matchers {
-				// Serialize the matcher and add it to the
-				// entry.
-				serialized := marshalMatcher(matcher)
-				entry.Elems = append(entry.Elems, serialized...)
-				entry.NextOffset += uint16(len(serialized))
-				entry.TargetOffset += uint16(len(serialized))
-			}
+		// Each rule corresponds to an entry.
+		entry := linux.KernelIPTEntry{
+			IPTEntry: linux.IPTEntry{
+				NextOffset:   linux.SizeOfIPTEntry,
+				TargetOffset: linux.SizeOfIPTEntry,
+			},
+		}
 
-			// Serialize and append the target.
-			serialized := marshalTarget(rule.Target)
+		for _, matcher := range rule.Matchers {
+			// Serialize the matcher and add it to the
+			// entry.
+			serialized := marshalMatcher(matcher)
 			entry.Elems = append(entry.Elems, serialized...)
 			entry.NextOffset += uint16(len(serialized))
-
-			// The underflow rule is the last rule in the chain,
-			// and is an unconditional rule (i.e. it matches any
-			// packet). This is enforced when saving iptables.
-			if ruleIdx == len(chain.Rules)-1 {
-				meta.Underflow[hook] = entries.Size
-			}
-
-			entries.Size += uint32(entry.NextOffset)
-			entries.Entrytable = append(entries.Entrytable, entry)
-			meta.NumEntries++
+			entry.TargetOffset += uint16(len(serialized))
 		}
 
-	}
+		// Serialize and append the target.
+		serialized := marshalTarget(rule.Target)
+		entry.Elems = append(entry.Elems, serialized...)
+		entry.NextOffset += uint16(len(serialized))
 
-	// TODO(gvisor.dev/issue/170): Deal with the user chains here. Each of
-	// these starts with an error node holding the chain's name and ends
-	// with an unconditional return.
-
-	// Lastly, each table ends with an unconditional error target rule as
-	// its final entry.
-	errorEntry := linux.KernelIPTEntry{
-		IPTEntry: linux.IPTEntry{
-			NextOffset:   linux.SizeOfIPTEntry,
-			TargetOffset: linux.SizeOfIPTEntry,
-		},
+		entries.Size += uint32(entry.NextOffset)
+		entries.Entrytable = append(entries.Entrytable, entry)
+		meta.NumEntries++
 	}
-	var errorTarget linux.XTErrorTarget
-	errorTarget.Target.TargetSize = linux.SizeOfXTErrorTarget
-	copy(errorTarget.ErrorName[:], errorTargetName)
-	copy(errorTarget.Target.Name[:], errorTargetName)
-
-	// Serialize and add it to the list of entries.
-	errorTargetBuf := make([]byte, 0, linux.SizeOfXTErrorTarget)
-	serializedErrorTarget := binary.Marshal(errorTargetBuf, usermem.ByteOrder, errorTarget)
-	errorEntry.Elems = append(errorEntry.Elems, serializedErrorTarget...)
-	errorEntry.NextOffset += uint16(len(serializedErrorTarget))
-
-	entries.Size += uint32(errorEntry.NextOffset)
-	entries.Entrytable = append(entries.Entrytable, errorEntry)
-	meta.NumEntries++
-	meta.Size = entries.Size
 
+	meta.Size = entries.Size
 	return entries, meta, nil
 }
 
 func marshalMatcher(matcher iptables.Matcher) []byte {
 	switch matcher.(type) {
 	default:
-		// TODO(gvisor.dev/issue/170): We don't support any matchers yet, so
-		// any call to marshalMatcher will panic.
+		// TODO(gvisor.dev/issue/170): We don't support any matchers
+		// yet, so any call to marshalMatcher will panic.
 		panic(fmt.Errorf("unknown matcher of type %T", matcher))
 	}
 }
@@ -246,28 +209,46 @@ func marshalMatcher(matcher iptables.Matcher) []byte {
 func marshalTarget(target iptables.Target) []byte {
 	switch target.(type) {
 	case iptables.UnconditionalAcceptTarget:
-		return marshalUnconditionalAcceptTarget()
+		return marshalStandardTarget(iptables.Accept)
+	case iptables.UnconditionalDropTarget:
+		return marshalStandardTarget(iptables.Drop)
+	case iptables.PanicTarget:
+		return marshalPanicTarget()
 	default:
 		panic(fmt.Errorf("unknown target of type %T", target))
 	}
 }
 
-func marshalUnconditionalAcceptTarget() []byte {
+func marshalStandardTarget(verdict iptables.Verdict) []byte {
 	// The target's name will be the empty string.
 	target := linux.XTStandardTarget{
 		Target: linux.XTEntryTarget{
 			TargetSize: linux.SizeOfXTStandardTarget,
 		},
-		Verdict: translateStandardVerdict(iptables.Accept),
+		Verdict: translateFromStandardVerdict(verdict),
 	}
 
 	ret := make([]byte, 0, linux.SizeOfXTStandardTarget)
 	return binary.Marshal(ret, usermem.ByteOrder, target)
 }
 
-// translateStandardVerdict translates verdicts the same way as the iptables
+func marshalPanicTarget() []byte {
+	// This is an error target named error
+	target := linux.XTErrorTarget{
+		Target: linux.XTEntryTarget{
+			TargetSize: linux.SizeOfXTErrorTarget,
+		},
+	}
+	copy(target.Name[:], errorTargetName)
+	copy(target.Target.Name[:], errorTargetName)
+
+	ret := make([]byte, 0, linux.SizeOfXTErrorTarget)
+	return binary.Marshal(ret, usermem.ByteOrder, target)
+}
+
+// translateFromStandardVerdict translates verdicts the same way as the iptables
 // tool.
-func translateStandardVerdict(verdict iptables.Verdict) int32 {
+func translateFromStandardVerdict(verdict iptables.Verdict) int32 {
 	switch verdict {
 	case iptables.Accept:
 		return -linux.NF_ACCEPT - 1
@@ -280,7 +261,269 @@ func translateStandardVerdict(verdict iptables.Verdict) int32 {
 	case iptables.Jump:
 		// TODO(gvisor.dev/issue/170): Support Jump.
 		panic("Jump isn't supported yet")
+	}
+	panic(fmt.Sprintf("unknown standard verdict: %d", verdict))
+}
+
+// translateToStandardVerdict translates from the value in a
+// linux.XTStandardTarget to an iptables.Verdict.
+func translateToStandardVerdict(val int32) (iptables.Verdict, *syserr.Error) {
+	// TODO(gvisor.dev/issue/170): Support other verdicts.
+	switch val {
+	case -linux.NF_ACCEPT - 1:
+		return iptables.Accept, nil
+	case -linux.NF_DROP - 1:
+		return iptables.Drop, nil
+	case -linux.NF_QUEUE - 1:
+		log.Infof("Unsupported iptables verdict QUEUE.")
+	case linux.NF_RETURN:
+		log.Infof("Unsupported iptables verdict RETURN.")
+	}
+	log.Infof("Unknown iptables verdict %d.", val)
+	return iptables.Invalid, syserr.ErrInvalidArgument
+}
+
+// SetEntries sets iptables rules for a single table. See
+// net/ipv4/netfilter/ip_tables.c:translate_table for reference.
+func SetEntries(stack *stack.Stack, optVal []byte) *syserr.Error {
+	printReplace(optVal)
+
+	// Get the basic rules data (struct ipt_replace).
+	if len(optVal) < linux.SizeOfIPTReplace {
+		return syserr.ErrInvalidArgument
+	}
+	var replace linux.IPTReplace
+	replaceBuf := optVal[:linux.SizeOfIPTReplace]
+	optVal = optVal[linux.SizeOfIPTReplace:]
+	binary.Unmarshal(replaceBuf, usermem.ByteOrder, &replace)
+
+	// TODO(gvisor.dev/issue/170): Support other tables.
+	var table iptables.Table
+	switch replace.Name.String() {
+	case iptables.TablenameFilter:
+		table = iptables.EmptyFilterTable()
 	default:
-		panic(fmt.Sprintf("unknown standard verdict: %d", verdict))
+		log.Infof(fmt.Sprintf("We don't yet support writing to the %q table (gvisor.dev/issue/170)", replace.Name.String()))
+		return syserr.ErrInvalidArgument
+	}
+
+	// Convert input into a list of rules and their offsets.
+	var offset uint32
+	var offsets []uint32
+	for entryIdx := uint32(0); entryIdx < replace.NumEntries; entryIdx++ {
+		// Get the struct ipt_entry.
+		if len(optVal) < linux.SizeOfIPTEntry {
+			return syserr.ErrInvalidArgument
+		}
+		var entry linux.IPTEntry
+		buf := optVal[:linux.SizeOfIPTEntry]
+		optVal = optVal[linux.SizeOfIPTEntry:]
+		binary.Unmarshal(buf, usermem.ByteOrder, &entry)
+		if entry.TargetOffset != linux.SizeOfIPTEntry {
+			// TODO(gvisor.dev/issue/170): Support matchers.
+			return syserr.ErrInvalidArgument
+		}
+
+		// TODO(gvisor.dev/issue/170): We should support IPTIP
+		// filtering. We reject any nonzero IPTIP values for now.
+		emptyIPTIP := linux.IPTIP{}
+		if entry.IP != emptyIPTIP {
+			return syserr.ErrInvalidArgument
+		}
+
+		// Get the target of the rule.
+		target, consumed, err := parseTarget(optVal)
+		if err != nil {
+			return err
+		}
+		optVal = optVal[consumed:]
+
+		table.Rules = append(table.Rules, iptables.Rule{Target: target})
+		offsets = append(offsets, offset)
+		offset += linux.SizeOfIPTEntry + consumed
+	}
+
+	// Go through the list of supported hooks for this table and, for each
+	// one, set the rule it corresponds to.
+	for hook, _ := range replace.HookEntry {
+		if table.ValidHooks()&uint32(hook) != 0 {
+			hk := hookFromLinux(hook)
+			for ruleIdx, offset := range offsets {
+				if offset == replace.HookEntry[hook] {
+					table.BuiltinChains[hk] = ruleIdx
+				}
+				if offset == replace.Underflow[hook] {
+					table.Underflows[hk] = ruleIdx
+				}
+			}
+			if ruleIdx := table.BuiltinChains[hk]; ruleIdx == iptables.HookUnset {
+				log.Infof("Hook %v is unset.", hk)
+				return syserr.ErrInvalidArgument
+			}
+			if ruleIdx := table.Underflows[hk]; ruleIdx == iptables.HookUnset {
+				log.Infof("Underflow %v is unset.", hk)
+				return syserr.ErrInvalidArgument
+			}
+		}
+	}
+
+	ipt := stack.IPTables()
+	table.SetMetadata(metadata{
+		HookEntry:  replace.HookEntry,
+		Underflow:  replace.Underflow,
+		NumEntries: replace.NumEntries,
+		Size:       replace.Size,
+	})
+	ipt.Tables[replace.Name.String()] = table
+	// TODO: Do we need to worry about locking? We could write rules while
+	// packets traverse tables.
+	stack.SetIPTables(ipt)
+
+	return nil
+}
+
+// parseTarget parses a target from the start of optVal and returns the target
+// along with the number of bytes it occupies in optVal.
+func parseTarget(optVal []byte) (iptables.Target, uint32, *syserr.Error) {
+	if len(optVal) < linux.SizeOfXTEntryTarget {
+		return nil, 0, syserr.ErrInvalidArgument
+	}
+	var target linux.XTEntryTarget
+	buf := optVal[:linux.SizeOfXTEntryTarget]
+	binary.Unmarshal(buf, usermem.ByteOrder, &target)
+	switch target.Name.String() {
+	case "":
+		// Standard target.
+		if len(optVal) < linux.SizeOfXTStandardTarget {
+			return nil, 0, syserr.ErrInvalidArgument
+		}
+		var target linux.XTStandardTarget
+		buf = optVal[:linux.SizeOfXTStandardTarget]
+		binary.Unmarshal(buf, usermem.ByteOrder, &target)
+
+		verdict, err := translateToStandardVerdict(target.Verdict)
+		if err != nil {
+			return nil, 0, err
+		}
+		switch verdict {
+		case iptables.Accept:
+			return iptables.UnconditionalAcceptTarget{}, linux.SizeOfXTStandardTarget, nil
+		case iptables.Drop:
+			// TODO(gvisor.dev/issue/170): Return an
+			// iptables.UnconditionalDropTarget to support DROP.
+			log.Infof("netfilter DROP is not supported yet.")
+			return nil, 0, syserr.ErrInvalidArgument
+		default:
+			panic(fmt.Sprintf("Unknown verdict: %v", verdict))
+		}
+
+	case errorTargetName:
+		// Error target.
+		if len(optVal) < linux.SizeOfXTErrorTarget {
+			return nil, 0, syserr.ErrInvalidArgument
+		}
+		var target linux.XTErrorTarget
+		buf = optVal[:linux.SizeOfXTErrorTarget]
+		binary.Unmarshal(buf, usermem.ByteOrder, &target)
+
+		// Error targets are used in 2 cases:
+		// * An actual error case. These rules have an error
+		//   named errorTargetName. The last entry of the table
+		//   is usually an error case to catch any packets that
+		//   somehow fall through every rule.
+		// * To mark the start of a user defined chain. These
+		//   rules have an error with the name of the chain.
+		switch target.Name.String() {
+		case errorTargetName:
+			return iptables.PanicTarget{}, linux.SizeOfXTErrorTarget, nil
+		default:
+			log.Infof("Unknown error target %q doesn't exist or isn't supported yet.", target.Name.String())
+			return nil, 0, syserr.ErrInvalidArgument
+		}
+	}
+
+	// Unknown target.
+	log.Infof("Unknown target %q doesn't exist or isn't supported yet.", target.Name.String())
+	return nil, 0, syserr.ErrInvalidArgument
+}
+
+func chainNameFromHook(hook int) string {
+	switch hook {
+	case linux.NF_INET_PRE_ROUTING:
+		return iptables.ChainNamePrerouting
+	case linux.NF_INET_LOCAL_IN:
+		return iptables.ChainNameInput
+	case linux.NF_INET_FORWARD:
+		return iptables.ChainNameForward
+	case linux.NF_INET_LOCAL_OUT:
+		return iptables.ChainNameOutput
+	case linux.NF_INET_POST_ROUTING:
+		return iptables.ChainNamePostrouting
+	}
+	panic(fmt.Sprintf("Unknown hook %d does not correspond to a builtin chain"))
+}
+
+func hookFromLinux(hook int) iptables.Hook {
+	switch hook {
+	case linux.NF_INET_PRE_ROUTING:
+		return iptables.Prerouting
+	case linux.NF_INET_LOCAL_IN:
+		return iptables.Input
+	case linux.NF_INET_FORWARD:
+		return iptables.Forward
+	case linux.NF_INET_LOCAL_OUT:
+		return iptables.Output
+	case linux.NF_INET_POST_ROUTING:
+		return iptables.Postrouting
+	}
+	panic(fmt.Sprintf("Unknown hook %d does not correspond to a builtin chain"))
+}
+
+// printReplace prints information about the struct ipt_replace in optVal. It
+// is only for debugging.
+func printReplace(optVal []byte) {
+	// Basic replace info.
+	var replace linux.IPTReplace
+	replaceBuf := optVal[:linux.SizeOfIPTReplace]
+	optVal = optVal[linux.SizeOfIPTReplace:]
+	binary.Unmarshal(replaceBuf, usermem.ByteOrder, &replace)
+	log.Infof("kevin: Replacing table %q: %+v", replace.Name.String(), replace)
+
+	// Read in the list of entries at the end of replace.
+	var totalOffset uint16
+	for entryIdx := uint32(0); entryIdx < replace.NumEntries; entryIdx++ {
+		var entry linux.IPTEntry
+		entryBuf := optVal[:linux.SizeOfIPTEntry]
+		binary.Unmarshal(entryBuf, usermem.ByteOrder, &entry)
+		log.Infof("kevin: Entry %d (total offset %d): %+v", entryIdx, totalOffset, entry)
+
+		totalOffset += entry.NextOffset
+		if entry.TargetOffset == linux.SizeOfIPTEntry {
+			log.Infof("kevin: Entry has no matches.")
+		} else {
+			log.Infof("kevin: Entry has matches.")
+		}
+
+		var target linux.XTEntryTarget
+		targetBuf := optVal[entry.TargetOffset : entry.TargetOffset+linux.SizeOfXTEntryTarget]
+		binary.Unmarshal(targetBuf, usermem.ByteOrder, &target)
+		log.Infof("kevin: Target named %q: %+v", target.Name.String(), target)
+
+		switch target.Name.String() {
+		case "":
+			var standardTarget linux.XTStandardTarget
+			stBuf := optVal[entry.TargetOffset : entry.TargetOffset+linux.SizeOfXTStandardTarget]
+			binary.Unmarshal(stBuf, usermem.ByteOrder, &standardTarget)
+			log.Infof("kevin: Standard target with verdict %q (%d).", linux.VerdictStrings[standardTarget.Verdict], standardTarget.Verdict)
+		case errorTargetName:
+			var errorTarget linux.XTErrorTarget
+			etBuf := optVal[entry.TargetOffset : entry.TargetOffset+linux.SizeOfXTErrorTarget]
+			binary.Unmarshal(etBuf, usermem.ByteOrder, &errorTarget)
+			log.Infof("kevin: Error target with name %q.", errorTarget.Name.String())
+		default:
+			log.Infof("kevin: Unknown target type.")
+		}
+
+		optVal = optVal[entry.NextOffset:]
 	}
 }
diff --git a/pkg/sentry/socket/netstack/netstack.go b/pkg/sentry/socket/netstack/netstack.go
index 140851c17..f7caa45b4 100644
--- a/pkg/sentry/socket/netstack/netstack.go
+++ b/pkg/sentry/socket/netstack/netstack.go
@@ -326,7 +326,7 @@ func AddressAndFamily(sfamily int, addr []byte, strict bool) (tcpip.FullAddress,
 	}
 
 	family := usermem.ByteOrder.Uint16(addr)
-	if family != uint16(sfamily) && (strict || family != linux.AF_UNSPEC) {
+	if family != uint16(sfamily) && (!strict && family != linux.AF_UNSPEC) {
 		return tcpip.FullAddress{}, family, syserr.ErrAddressFamilyNotSupported
 	}
 
@@ -1356,6 +1356,27 @@ func (s *SocketOperations) SetSockOpt(t *kernel.Task, level int, name int, optVa
 		return nil
 	}
 
+	if s.skType == linux.SOCK_RAW && level == linux.IPPROTO_IP {
+		if name == linux.IPT_SO_SET_REPLACE {
+			if len(optVal) < linux.SizeOfIPTReplace {
+				return syserr.ErrInvalidArgument
+			}
+
+			stack := inet.StackFromContext(t)
+			if stack == nil {
+				return syserr.ErrNoDevice
+			}
+			// Stack must be a netstack stack.
+			if err := netfilter.SetEntries(stack.(*Stack).Stack, optVal); err != nil {
+				return err
+			}
+			return nil
+		} else if name == linux.IPT_SO_SET_ADD_COUNTERS {
+			// TODO(gvisor.dev/issue/170): Counter support.
+			return nil
+		}
+	}
+
 	return SetSockOpt(t, s, s.Endpoint, level, name, optVal)
 }
 
diff --git a/pkg/tcpip/iptables/iptables.go b/pkg/tcpip/iptables/iptables.go
index 68c68d4aa..9e7005374 100644
--- a/pkg/tcpip/iptables/iptables.go
+++ b/pkg/tcpip/iptables/iptables.go
@@ -17,65 +17,107 @@
 package iptables
 
 const (
-	tablenameNat    = "nat"
-	tablenameMangle = "mangle"
+	TablenameNat    = "nat"
+	TablenameMangle = "mangle"
+	TablenameFilter = "filter"
 )
 
+// TODO: Make this an iota? Faster! Do it.
 // Chain names as defined by net/ipv4/netfilter/ip_tables.c.
 const (
-	chainNamePrerouting  = "PREROUTING"
-	chainNameInput       = "INPUT"
-	chainNameForward     = "FORWARD"
-	chainNameOutput      = "OUTPUT"
-	chainNamePostrouting = "POSTROUTING"
+	ChainNamePrerouting  = "PREROUTING"
+	ChainNameInput       = "INPUT"
+	ChainNameForward     = "FORWARD"
+	ChainNameOutput      = "OUTPUT"
+	ChainNamePostrouting = "POSTROUTING"
 )
 
+const HookUnset = -1
+
 // DefaultTables returns a default set of tables. Each chain is set to accept
 // all packets.
 func DefaultTables() IPTables {
 	return IPTables{
 		Tables: map[string]Table{
-			tablenameNat: Table{
-				BuiltinChains: map[Hook]Chain{
-					Prerouting:  unconditionalAcceptChain(chainNamePrerouting),
-					Input:       unconditionalAcceptChain(chainNameInput),
-					Output:      unconditionalAcceptChain(chainNameOutput),
-					Postrouting: unconditionalAcceptChain(chainNamePostrouting),
+			TablenameNat: Table{
+				Rules: []Rule{
+					Rule{Target: UnconditionalAcceptTarget{}},
+					Rule{Target: UnconditionalAcceptTarget{}},
+					Rule{Target: UnconditionalAcceptTarget{}},
+					Rule{Target: UnconditionalAcceptTarget{}},
+					Rule{Target: PanicTarget{}},
+				},
+				BuiltinChains: map[Hook]int{
+					Prerouting:  0,
+					Input:       1,
+					Output:      2,
+					Postrouting: 3,
 				},
-				DefaultTargets: map[Hook]Target{
-					Prerouting:  UnconditionalAcceptTarget{},
-					Input:       UnconditionalAcceptTarget{},
-					Output:      UnconditionalAcceptTarget{},
-					Postrouting: UnconditionalAcceptTarget{},
+				Underflows: map[Hook]int{
+					Prerouting:  0,
+					Input:       1,
+					Output:      2,
+					Postrouting: 3,
 				},
-				UserChains: map[string]Chain{},
+				UserChains: map[string]int{},
 			},
-			tablenameMangle: Table{
-				BuiltinChains: map[Hook]Chain{
-					Prerouting: unconditionalAcceptChain(chainNamePrerouting),
-					Output:     unconditionalAcceptChain(chainNameOutput),
+			TablenameMangle: Table{
+				Rules: []Rule{
+					Rule{Target: UnconditionalAcceptTarget{}},
+					Rule{Target: UnconditionalAcceptTarget{}},
+					Rule{Target: PanicTarget{}},
+				},
+				BuiltinChains: map[Hook]int{
+					Prerouting: 0,
+					Output:     1,
 				},
-				DefaultTargets: map[Hook]Target{
-					Prerouting: UnconditionalAcceptTarget{},
-					Output:     UnconditionalAcceptTarget{},
+				Underflows: map[Hook]int{
+					Prerouting: 0,
+					Output:     1,
 				},
-				UserChains: map[string]Chain{},
+				UserChains: map[string]int{},
+			},
+			TablenameFilter: Table{
+				Rules: []Rule{
+					Rule{Target: UnconditionalAcceptTarget{}},
+					Rule{Target: UnconditionalAcceptTarget{}},
+					Rule{Target: UnconditionalAcceptTarget{}},
+					Rule{Target: PanicTarget{}},
+				},
+				BuiltinChains: map[Hook]int{
+					Input:   0,
+					Forward: 1,
+					Output:  2,
+				},
+				Underflows: map[Hook]int{
+					Input:   0,
+					Forward: 1,
+					Output:  2,
+				},
+				UserChains: map[string]int{},
 			},
 		},
 		Priorities: map[Hook][]string{
-			Prerouting: []string{tablenameMangle, tablenameNat},
-			Output:     []string{tablenameMangle, tablenameNat},
+			Input:      []string{TablenameNat, TablenameFilter},
+			Prerouting: []string{TablenameMangle, TablenameNat},
+			Output:     []string{TablenameMangle, TablenameNat, TablenameFilter},
 		},
 	}
 }
 
-func unconditionalAcceptChain(name string) Chain {
-	return Chain{
-		Name: name,
-		Rules: []Rule{
-			Rule{
-				Target: UnconditionalAcceptTarget{},
-			},
+func EmptyFilterTable() Table {
+	return Table{
+		Rules: []Rule{},
+		BuiltinChains: map[Hook]int{
+			Input:   HookUnset,
+			Forward: HookUnset,
+			Output:  HookUnset,
+		},
+		Underflows: map[Hook]int{
+			Input:   HookUnset,
+			Forward: HookUnset,
+			Output:  HookUnset,
 		},
+		UserChains: map[string]int{},
 	}
 }
diff --git a/pkg/tcpip/iptables/targets.go b/pkg/tcpip/iptables/targets.go
index 19a7f77e3..03c9f19ff 100644
--- a/pkg/tcpip/iptables/targets.go
+++ b/pkg/tcpip/iptables/targets.go
@@ -33,3 +33,11 @@ type UnconditionalDropTarget struct{}
 func (UnconditionalDropTarget) Action(packet buffer.VectorisedView) (Verdict, string) {
 	return Drop, ""
 }
+
+// PanicTarget just panics.
+type PanicTarget struct{}
+
+// Actions implements Target.Action.
+func (PanicTarget) Action(packet buffer.VectorisedView) (Verdict, string) {
+	panic("PanicTarget triggered.")
+}
diff --git a/pkg/tcpip/iptables/types.go b/pkg/tcpip/iptables/types.go
index 42a79ef9f..76364ff1f 100644
--- a/pkg/tcpip/iptables/types.go
+++ b/pkg/tcpip/iptables/types.go
@@ -61,9 +61,12 @@ const (
 type Verdict int
 
 const (
+	// Invalid indicates an unkonwn or erroneous verdict.
+	Invalid Verdict = iota
+
 	// Accept indicates the packet should continue traversing netstack as
 	// normal.
-	Accept Verdict = iota
+	Accept
 
 	// Drop inicates the packet should be dropped, stopping traversing
 	// netstack.
@@ -109,24 +112,18 @@ type IPTables struct {
 //   * nat
 //   * mangle
 type Table struct {
-	// BuiltinChains holds the un-deletable chains built into netstack. If
-	// a hook isn't present in the map, this table doesn't utilize that
-	// hook.
-	BuiltinChains map[Hook]Chain
+	// A table is just a list of rules with some entrypoints.
+	Rules []Rule
+
+	BuiltinChains map[Hook]int
+
+	Underflows map[Hook]int
 
-	// DefaultTargets holds a target for each hook that will be executed if
-	// chain traversal doesn't yield a verdict.
-	DefaultTargets map[Hook]Target
+	// DefaultTargets map[Hook]int
 
 	// UserChains holds user-defined chains for the keyed by name. Users
 	// can give their chains arbitrary names.
-	UserChains map[string]Chain
-
-	// Chains maps names to chains for both builtin and user-defined chains.
-	// Its entries point to Chains already either in BuiltinChains or
-	// UserChains, and its purpose is to make looking up tables by name
-	// fast.
-	Chains map[string]*Chain
+	UserChains map[string]int
 
 	// Metadata holds information about the Table that is useful to users
 	// of IPTables, but not to the netstack IPTables code itself.
@@ -152,20 +149,20 @@ func (table *Table) SetMetadata(metadata interface{}) {
 	table.metadata = metadata
 }
 
-// A Chain defines a list of rules for packet processing. When a packet
-// traverses a chain, it is checked against each rule until either a rule
-// returns a verdict or the chain ends.
-//
-// By convention, builtin chains end with a rule that matches everything and
-// returns either Accept or Drop. User-defined chains end with Return. These
-// aren't strictly necessary here, but the iptables tool writes tables this way.
-type Chain struct {
-	// Name is the chain name.
-	Name string
-
-	// Rules is the list of rules to traverse.
-	Rules []Rule
-}
+//// A Chain defines a list of rules for packet processing. When a packet
+//// traverses a chain, it is checked against each rule until either a rule
+//// returns a verdict or the chain ends.
+////
+//// By convention, builtin chains end with a rule that matches everything and
+//// returns either Accept or Drop. User-defined chains end with Return. These
+//// aren't strictly necessary here, but the iptables tool writes tables this way.
+//type Chain struct {
+//	// Name is the chain name.
+//	Name string
+
+//	// Rules is the list of rules to traverse.
+//	Rules []Rule
+//}
 
 // A Rule is a packet processing rule. It consists of two pieces. First it
 // contains zero or more matchers, each of which is a specification of which