diff options
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/abi/linux/netfilter.go | 93 | ||||
-rwxr-xr-x | pkg/sentry/platform/ring0/defs_impl.go | 7 |
2 files changed, 89 insertions, 11 deletions
diff --git a/pkg/abi/linux/netfilter.go b/pkg/abi/linux/netfilter.go index 7f399142b..269ba5567 100644 --- a/pkg/abi/linux/netfilter.go +++ b/pkg/abi/linux/netfilter.go @@ -100,6 +100,21 @@ type IPTEntry struct { // Elems [0]byte } +// SizeOfIPTEntry is the size of an IPTEntry. +const SizeOfIPTEntry = 112 + +// KernelIPTEntry is identical to IPTEntry, but includes the Elems field. This +// struct marshaled via the binary package to write an IPTEntry to userspace. +type KernelIPTEntry struct { + IPTEntry + + // Elems holds the data for all this rule's matches followed by the + // target. It is variable length -- users have to iterate over any + // matches and use TargetOffset and NextOffset to make sense of the + // data. + Elems []byte +} + // IPTIP contains information for matching a packet's IP header. // It corresponds to struct ipt_ip in // include/uapi/linux/netfilter_ipv4/ip_tables.h. @@ -123,10 +138,10 @@ type IPTIP struct { OutputInterface [IFNAMSIZ]byte // InputInterfaceMask is the intput interface mask. - InputInterfaceMast [IFNAMSIZ]byte + InputInterfaceMask [IFNAMSIZ]byte // OuputInterfaceMask is the output interface mask. - OuputInterfaceMask [IFNAMSIZ]byte + OutputInterfaceMask [IFNAMSIZ]byte // Protocol is the transport protocol. Protocol uint16 @@ -138,6 +153,9 @@ type IPTIP struct { InverseFlags uint8 } +// SizeOfIPTIP is the size of an IPTIP. +const SizeOfIPTIP = 84 + // XTCounters holds packet and byte counts for a rule. It corresponds to struct // xt_counters in include/uapi/linux/netfilter/x_tables.h. type XTCounters struct { @@ -148,6 +166,9 @@ type XTCounters struct { Bcnt uint64 } +// SizeOfXTCounters is the size of an XTCounters. +const SizeOfXTCounters = 16 + // XTEntryMatch holds a match for a rule. For example, a user using the // addrtype iptables match extension would put the data for that match into an // XTEntryMatch. iptables-extensions(8) has a list of possible matches. @@ -160,11 +181,14 @@ type XTEntryMatch struct { MatchSize uint16 Name [XT_EXTENSION_MAXNAMELEN]byte Revision uint8 - // Data is omitted here because it would cause XTEntryTarget to be an + // Data is omitted here because it would cause XTEntryMatch to be an // extra byte larger (see http://www.catb.org/esr/structure-packing/). // Data [0]byte } +// SizeOfXTEntryMatch is the size of an XTEntryMatch. +const SizeOfXTEntryMatch = 32 + // XTEntryTarget holds a target for a rule. For example, it can specify that // packets matching the rule should DROP, ACCEPT, or use an extension target. // iptables-extension(8) has a list of possible targets. @@ -174,22 +198,29 @@ type XTEntryMatch struct { // exposing different data to the user and kernel, but this struct holds only // the user data. type XTEntryTarget struct { - MatchSize uint16 - Name [XT_EXTENSION_MAXNAMELEN]byte - Revision uint8 + TargetSize uint16 + Name [XT_EXTENSION_MAXNAMELEN]byte + Revision uint8 // Data is omitted here because it would cause XTEntryTarget to be an // extra byte larger (see http://www.catb.org/esr/structure-packing/). // Data [0]byte } +// SizeOfXTEntryTarget is the size of an XTEntryTarget. +const SizeOfXTEntryTarget = 32 + // XTStandardTarget is a builtin target, one of ACCEPT, DROP, JUMP, QUEUE, or // RETURN. It corresponds to struct xt_standard_target in // include/uapi/linux/netfilter/x_tables.h. type XTStandardTarget struct { Target XTEntryTarget Verdict int32 + _ [4]byte } +// SizeOfXTStandardTarget is the size of an XTStandardTarget. +const SizeOfXTStandardTarget = 40 + // XTErrorTarget triggers an error when reached. It is also used to mark the // beginning of user-defined chains by putting the name of the chain in // ErrorName. It corresponds to struct xt_error_target in @@ -197,8 +228,12 @@ type XTStandardTarget struct { type XTErrorTarget struct { Target XTEntryTarget ErrorName [XT_FUNCTION_MAXNAMELEN]byte + _ [2]byte } +// SizeOfXTErrorTarget is the size of an XTErrorTarget. +const SizeOfXTErrorTarget = 64 + // IPTGetinfo is the argument for the IPT_SO_GET_INFO sockopt. It corresponds // to struct ipt_getinfo in include/uapi/linux/netfilter_ipv4/ip_tables.h. type IPTGetinfo struct { @@ -210,18 +245,50 @@ type IPTGetinfo struct { Size uint32 } +// SizeOfIPTGetinfo is the size of an IPTGetinfo. +const SizeOfIPTGetinfo = 84 + +// TableName returns the table name. +func (info *IPTGetinfo) TableName() string { + return tableName(info.Name[:]) +} + // IPTGetEntries is the argument for the IPT_SO_GET_ENTRIES sockopt. It // corresponds to struct ipt_get_entries in // include/uapi/linux/netfilter_ipv4/ip_tables.h. type IPTGetEntries struct { Name [XT_TABLE_MAXNAMELEN]byte Size uint32 + _ [4]byte // Entrytable is omitted here because it would cause IPTGetEntries to // be an extra byte longer (see // http://www.catb.org/esr/structure-packing/). // Entrytable [0]IPTEntry } +// TableName returns the entries' table name. +func (entries *IPTGetEntries) TableName() string { + return tableName(entries.Name[:]) +} + +// SizeOfIPTGetEntries is the size of an IPTGetEntries. +const SizeOfIPTGetEntries = 40 + +// KernelIPTGetEntries is identical to IPTEntry, but includes the Elems field. +// This struct marshaled via the binary package to write an KernelIPTGetEntries +// to userspace. +type KernelIPTGetEntries struct { + Name [XT_TABLE_MAXNAMELEN]byte + Size uint32 + _ [4]byte + Entrytable []KernelIPTEntry +} + +// TableName returns the entries' table name. +func (entries *KernelIPTGetEntries) TableName() string { + return tableName(entries.Name[:]) +} + // IPTReplace is the argument for the IPT_SO_SET_REPLACE sockopt. It // corresponds to struct ipt_replace in // include/uapi/linux/netfilter_ipv4/ip_tables.h. @@ -233,8 +300,20 @@ type IPTReplace struct { HookEntry [NF_INET_NUMHOOKS]uint32 Underflow [NF_INET_NUMHOOKS]uint32 NumCounters uint32 - Counters *XTCounters + Counters uint64 // This is really a *XTCounters. // Entries is omitted here because it would cause IPTReplace to be an // extra byte longer (see http://www.catb.org/esr/structure-packing/). // Entries [0]IPTEntry } + +// SizeOfIPTReplace is the size of an IPTReplace. +const SizeOfIPTReplace = 96 + +func tableName(name []byte) string { + for i, c := range name { + if c == 0 { + return string(name[:i]) + } + } + return string(name) +} diff --git a/pkg/sentry/platform/ring0/defs_impl.go b/pkg/sentry/platform/ring0/defs_impl.go index a36a17e37..5032ac56e 100755 --- a/pkg/sentry/platform/ring0/defs_impl.go +++ b/pkg/sentry/platform/ring0/defs_impl.go @@ -1,14 +1,13 @@ package ring0 import ( - "gvisor.dev/gvisor/pkg/cpuid" - "reflect" - "syscall" - "fmt" + "gvisor.dev/gvisor/pkg/cpuid" "gvisor.dev/gvisor/pkg/sentry/platform/ring0/pagetables" "gvisor.dev/gvisor/pkg/sentry/usermem" "io" + "reflect" + "syscall" ) var ( |