summaryrefslogtreecommitdiffhomepage
path: root/test/iptables
diff options
context:
space:
mode:
Diffstat (limited to 'test/iptables')
-rw-r--r--test/iptables/BUILD1
-rw-r--r--test/iptables/iptables_unsafe.go31
-rw-r--r--test/iptables/nat.go90
3 files changed, 62 insertions, 60 deletions
diff --git a/test/iptables/BUILD b/test/iptables/BUILD
index ae4bba847..94d4ca2d4 100644
--- a/test/iptables/BUILD
+++ b/test/iptables/BUILD
@@ -18,6 +18,7 @@ go_library(
"//pkg/binary",
"//pkg/test/testutil",
"//pkg/usermem",
+ "@org_golang_x_sys//unix:go_default_library",
],
)
diff --git a/test/iptables/iptables_unsafe.go b/test/iptables/iptables_unsafe.go
index bd85a8fea..dd1a1c082 100644
--- a/test/iptables/iptables_unsafe.go
+++ b/test/iptables/iptables_unsafe.go
@@ -16,12 +16,13 @@ package iptables
import (
"fmt"
- "syscall"
"unsafe"
+
+ "golang.org/x/sys/unix"
)
type originalDstError struct {
- errno syscall.Errno
+ errno unix.Errno
}
func (e originalDstError) Error() string {
@@ -32,27 +33,27 @@ func (e originalDstError) Error() string {
// getsockopt.
const SO_ORIGINAL_DST = 80
-func originalDestination4(connfd int) (syscall.RawSockaddrInet4, error) {
- var addr syscall.RawSockaddrInet4
- var addrLen uint32 = syscall.SizeofSockaddrInet4
- if errno := originalDestination(connfd, syscall.SOL_IP, unsafe.Pointer(&addr), &addrLen); errno != 0 {
- return syscall.RawSockaddrInet4{}, originalDstError{errno}
+func originalDestination4(connfd int) (unix.RawSockaddrInet4, error) {
+ var addr unix.RawSockaddrInet4
+ var addrLen uint32 = unix.SizeofSockaddrInet4
+ if errno := originalDestination(connfd, unix.SOL_IP, unsafe.Pointer(&addr), &addrLen); errno != 0 {
+ return unix.RawSockaddrInet4{}, originalDstError{errno}
}
return addr, nil
}
-func originalDestination6(connfd int) (syscall.RawSockaddrInet6, error) {
- var addr syscall.RawSockaddrInet6
- var addrLen uint32 = syscall.SizeofSockaddrInet6
- if errno := originalDestination(connfd, syscall.SOL_IPV6, unsafe.Pointer(&addr), &addrLen); errno != 0 {
- return syscall.RawSockaddrInet6{}, originalDstError{errno}
+func originalDestination6(connfd int) (unix.RawSockaddrInet6, error) {
+ var addr unix.RawSockaddrInet6
+ var addrLen uint32 = unix.SizeofSockaddrInet6
+ if errno := originalDestination(connfd, unix.SOL_IPV6, unsafe.Pointer(&addr), &addrLen); errno != 0 {
+ return unix.RawSockaddrInet6{}, originalDstError{errno}
}
return addr, nil
}
-func originalDestination(connfd int, level uintptr, optval unsafe.Pointer, optlen *uint32) syscall.Errno {
- _, _, errno := syscall.Syscall6(
- syscall.SYS_GETSOCKOPT,
+func originalDestination(connfd int, level uintptr, optval unsafe.Pointer, optlen *uint32) unix.Errno {
+ _, _, errno := unix.Syscall6(
+ unix.SYS_GETSOCKOPT,
uintptr(connfd),
level,
SO_ORIGINAL_DST,
diff --git a/test/iptables/nat.go b/test/iptables/nat.go
index 7f1d6d7ad..70d8a1832 100644
--- a/test/iptables/nat.go
+++ b/test/iptables/nat.go
@@ -19,8 +19,8 @@ import (
"errors"
"fmt"
"net"
- "syscall"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/binary"
"gvisor.dev/gvisor/pkg/usermem"
)
@@ -584,33 +584,33 @@ func listenForRedirectedConn(ctx context.Context, ipv6 bool, originalDsts []net.
// traditional syscalls.
// Create the listening socket, bind, listen, and accept.
- family := syscall.AF_INET
+ family := unix.AF_INET
if ipv6 {
- family = syscall.AF_INET6
+ family = unix.AF_INET6
}
- sockfd, err := syscall.Socket(family, syscall.SOCK_STREAM, 0)
+ sockfd, err := unix.Socket(family, unix.SOCK_STREAM, 0)
if err != nil {
return err
}
- defer syscall.Close(sockfd)
+ defer unix.Close(sockfd)
- var bindAddr syscall.Sockaddr
+ var bindAddr unix.Sockaddr
if ipv6 {
- bindAddr = &syscall.SockaddrInet6{
+ bindAddr = &unix.SockaddrInet6{
Port: acceptPort,
Addr: [16]byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, // in6addr_any
}
} else {
- bindAddr = &syscall.SockaddrInet4{
+ bindAddr = &unix.SockaddrInet4{
Port: acceptPort,
Addr: [4]byte{0, 0, 0, 0}, // INADDR_ANY
}
}
- if err := syscall.Bind(sockfd, bindAddr); err != nil {
+ if err := unix.Bind(sockfd, bindAddr); err != nil {
return err
}
- if err := syscall.Listen(sockfd, 1); err != nil {
+ if err := unix.Listen(sockfd, 1); err != nil {
return err
}
@@ -619,8 +619,8 @@ func listenForRedirectedConn(ctx context.Context, ipv6 bool, originalDsts []net.
errCh := make(chan error)
go func() {
for {
- connFD, _, err := syscall.Accept(sockfd)
- if errors.Is(err, syscall.EINTR) {
+ connFD, _, err := unix.Accept(sockfd)
+ if errors.Is(err, unix.EINTR) {
continue
}
if err != nil {
@@ -641,7 +641,7 @@ func listenForRedirectedConn(ctx context.Context, ipv6 bool, originalDsts []net.
return err
case connFD = <-connCh:
}
- defer syscall.Close(connFD)
+ defer unix.Close(connFD)
// Verify that, despite listening on acceptPort, SO_ORIGINAL_DST
// indicates the packet was sent to originalDst:dropPort.
@@ -764,35 +764,35 @@ func recvWithRECVORIGDSTADDR(ctx context.Context, ipv6 bool, expectedDst *net.IP
// Create the listening socket.
var (
- family = syscall.AF_INET
- level = syscall.SOL_IP
- option = syscall.IP_RECVORIGDSTADDR
- bindAddr syscall.Sockaddr = &syscall.SockaddrInet4{
+ family = unix.AF_INET
+ level = unix.SOL_IP
+ option = unix.IP_RECVORIGDSTADDR
+ bindAddr unix.Sockaddr = &unix.SockaddrInet4{
Port: int(port),
Addr: [4]byte{0, 0, 0, 0}, // INADDR_ANY
}
)
if ipv6 {
- family = syscall.AF_INET6
- level = syscall.SOL_IPV6
+ family = unix.AF_INET6
+ level = unix.SOL_IPV6
option = 74 // IPV6_RECVORIGDSTADDR, which is missing from the syscall package.
- bindAddr = &syscall.SockaddrInet6{
+ bindAddr = &unix.SockaddrInet6{
Port: int(port),
Addr: [16]byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, // in6addr_any
}
}
- sockfd, err := syscall.Socket(family, syscall.SOCK_DGRAM, 0)
+ sockfd, err := unix.Socket(family, unix.SOCK_DGRAM, 0)
if err != nil {
- return fmt.Errorf("failed Socket(%d, %d, 0): %w", family, syscall.SOCK_DGRAM, err)
+ return fmt.Errorf("failed Socket(%d, %d, 0): %w", family, unix.SOCK_DGRAM, err)
}
- defer syscall.Close(sockfd)
+ defer unix.Close(sockfd)
- if err := syscall.Bind(sockfd, bindAddr); err != nil {
+ if err := unix.Bind(sockfd, bindAddr); err != nil {
return fmt.Errorf("failed Bind(%d, %+v): %v", sockfd, bindAddr, err)
}
// Enable IP_RECVORIGDSTADDR.
- if err := syscall.SetsockoptInt(sockfd, level, option, 1); err != nil {
+ if err := unix.SetsockoptInt(sockfd, level, option, 1); err != nil {
return fmt.Errorf("failed SetsockoptByte(%d, %d, %d, 1): %v", sockfd, level, option, err)
}
@@ -837,41 +837,41 @@ func recvWithRECVORIGDSTADDR(ctx context.Context, ipv6 bool, expectedDst *net.IP
// Verify that the address has the post-NAT port and address.
if ipv6 {
- return addrMatches6(addr.(syscall.RawSockaddrInet6), localAddrs, redirectPort)
+ return addrMatches6(addr.(unix.RawSockaddrInet6), localAddrs, redirectPort)
}
- return addrMatches4(addr.(syscall.RawSockaddrInet4), localAddrs, redirectPort)
+ return addrMatches4(addr.(unix.RawSockaddrInet4), localAddrs, redirectPort)
}
-func recvOrigDstAddr4(sockfd int) (syscall.RawSockaddrInet4, error) {
- buf, err := recvOrigDstAddr(sockfd, syscall.SOL_IP, syscall.SizeofSockaddrInet4)
+func recvOrigDstAddr4(sockfd int) (unix.RawSockaddrInet4, error) {
+ buf, err := recvOrigDstAddr(sockfd, unix.SOL_IP, unix.SizeofSockaddrInet4)
if err != nil {
- return syscall.RawSockaddrInet4{}, err
+ return unix.RawSockaddrInet4{}, err
}
- var addr syscall.RawSockaddrInet4
+ var addr unix.RawSockaddrInet4
binary.Unmarshal(buf, usermem.ByteOrder, &addr)
return addr, nil
}
-func recvOrigDstAddr6(sockfd int) (syscall.RawSockaddrInet6, error) {
- buf, err := recvOrigDstAddr(sockfd, syscall.SOL_IP, syscall.SizeofSockaddrInet6)
+func recvOrigDstAddr6(sockfd int) (unix.RawSockaddrInet6, error) {
+ buf, err := recvOrigDstAddr(sockfd, unix.SOL_IP, unix.SizeofSockaddrInet6)
if err != nil {
- return syscall.RawSockaddrInet6{}, err
+ return unix.RawSockaddrInet6{}, err
}
- var addr syscall.RawSockaddrInet6
+ var addr unix.RawSockaddrInet6
binary.Unmarshal(buf, usermem.ByteOrder, &addr)
return addr, nil
}
func recvOrigDstAddr(sockfd int, level uintptr, addrSize int) ([]byte, error) {
buf := make([]byte, 64)
- oob := make([]byte, syscall.CmsgSpace(addrSize))
+ oob := make([]byte, unix.CmsgSpace(addrSize))
for {
- _, oobn, _, _, err := syscall.Recvmsg(
+ _, oobn, _, _, err := unix.Recvmsg(
sockfd,
buf, // Message buffer.
oob, // Out-of-band buffer.
0) // Flags.
- if errors.Is(err, syscall.EINTR) {
+ if errors.Is(err, unix.EINTR) {
continue
}
if err != nil {
@@ -880,7 +880,7 @@ func recvOrigDstAddr(sockfd int, level uintptr, addrSize int) ([]byte, error) {
oob = oob[:oobn]
// Parse out the control message.
- msgs, err := syscall.ParseSocketControlMessage(oob)
+ msgs, err := unix.ParseSocketControlMessage(oob)
if err != nil {
return nil, fmt.Errorf("failed to parse control message: %w", err)
}
@@ -888,10 +888,10 @@ func recvOrigDstAddr(sockfd int, level uintptr, addrSize int) ([]byte, error) {
}
}
-func addrMatches4(got syscall.RawSockaddrInet4, wantAddrs []net.IP, port uint16) error {
+func addrMatches4(got unix.RawSockaddrInet4, wantAddrs []net.IP, port uint16) error {
for _, wantAddr := range wantAddrs {
- want := syscall.RawSockaddrInet4{
- Family: syscall.AF_INET,
+ want := unix.RawSockaddrInet4{
+ Family: unix.AF_INET,
Port: htons(port),
}
copy(want.Addr[:], wantAddr.To4())
@@ -902,10 +902,10 @@ func addrMatches4(got syscall.RawSockaddrInet4, wantAddrs []net.IP, port uint16)
return fmt.Errorf("got %+v, but wanted one of %+v (note: port numbers are in network byte order)", got, wantAddrs)
}
-func addrMatches6(got syscall.RawSockaddrInet6, wantAddrs []net.IP, port uint16) error {
+func addrMatches6(got unix.RawSockaddrInet6, wantAddrs []net.IP, port uint16) error {
for _, wantAddr := range wantAddrs {
- want := syscall.RawSockaddrInet6{
- Family: syscall.AF_INET6,
+ want := unix.RawSockaddrInet6{
+ Family: unix.AF_INET6,
Port: htons(port),
}
copy(want.Addr[:], wantAddr.To16())