diff options
Diffstat (limited to 'test/iptables')
-rw-r--r-- | test/iptables/BUILD | 1 | ||||
-rw-r--r-- | test/iptables/iptables_unsafe.go | 31 | ||||
-rw-r--r-- | test/iptables/nat.go | 90 |
3 files changed, 62 insertions, 60 deletions
diff --git a/test/iptables/BUILD b/test/iptables/BUILD index ae4bba847..94d4ca2d4 100644 --- a/test/iptables/BUILD +++ b/test/iptables/BUILD @@ -18,6 +18,7 @@ go_library( "//pkg/binary", "//pkg/test/testutil", "//pkg/usermem", + "@org_golang_x_sys//unix:go_default_library", ], ) diff --git a/test/iptables/iptables_unsafe.go b/test/iptables/iptables_unsafe.go index bd85a8fea..dd1a1c082 100644 --- a/test/iptables/iptables_unsafe.go +++ b/test/iptables/iptables_unsafe.go @@ -16,12 +16,13 @@ package iptables import ( "fmt" - "syscall" "unsafe" + + "golang.org/x/sys/unix" ) type originalDstError struct { - errno syscall.Errno + errno unix.Errno } func (e originalDstError) Error() string { @@ -32,27 +33,27 @@ func (e originalDstError) Error() string { // getsockopt. const SO_ORIGINAL_DST = 80 -func originalDestination4(connfd int) (syscall.RawSockaddrInet4, error) { - var addr syscall.RawSockaddrInet4 - var addrLen uint32 = syscall.SizeofSockaddrInet4 - if errno := originalDestination(connfd, syscall.SOL_IP, unsafe.Pointer(&addr), &addrLen); errno != 0 { - return syscall.RawSockaddrInet4{}, originalDstError{errno} +func originalDestination4(connfd int) (unix.RawSockaddrInet4, error) { + var addr unix.RawSockaddrInet4 + var addrLen uint32 = unix.SizeofSockaddrInet4 + if errno := originalDestination(connfd, unix.SOL_IP, unsafe.Pointer(&addr), &addrLen); errno != 0 { + return unix.RawSockaddrInet4{}, originalDstError{errno} } return addr, nil } -func originalDestination6(connfd int) (syscall.RawSockaddrInet6, error) { - var addr syscall.RawSockaddrInet6 - var addrLen uint32 = syscall.SizeofSockaddrInet6 - if errno := originalDestination(connfd, syscall.SOL_IPV6, unsafe.Pointer(&addr), &addrLen); errno != 0 { - return syscall.RawSockaddrInet6{}, originalDstError{errno} +func originalDestination6(connfd int) (unix.RawSockaddrInet6, error) { + var addr unix.RawSockaddrInet6 + var addrLen uint32 = unix.SizeofSockaddrInet6 + if errno := originalDestination(connfd, unix.SOL_IPV6, unsafe.Pointer(&addr), &addrLen); errno != 0 { + return unix.RawSockaddrInet6{}, originalDstError{errno} } return addr, nil } -func originalDestination(connfd int, level uintptr, optval unsafe.Pointer, optlen *uint32) syscall.Errno { - _, _, errno := syscall.Syscall6( - syscall.SYS_GETSOCKOPT, +func originalDestination(connfd int, level uintptr, optval unsafe.Pointer, optlen *uint32) unix.Errno { + _, _, errno := unix.Syscall6( + unix.SYS_GETSOCKOPT, uintptr(connfd), level, SO_ORIGINAL_DST, diff --git a/test/iptables/nat.go b/test/iptables/nat.go index 7f1d6d7ad..70d8a1832 100644 --- a/test/iptables/nat.go +++ b/test/iptables/nat.go @@ -19,8 +19,8 @@ import ( "errors" "fmt" "net" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/binary" "gvisor.dev/gvisor/pkg/usermem" ) @@ -584,33 +584,33 @@ func listenForRedirectedConn(ctx context.Context, ipv6 bool, originalDsts []net. // traditional syscalls. // Create the listening socket, bind, listen, and accept. - family := syscall.AF_INET + family := unix.AF_INET if ipv6 { - family = syscall.AF_INET6 + family = unix.AF_INET6 } - sockfd, err := syscall.Socket(family, syscall.SOCK_STREAM, 0) + sockfd, err := unix.Socket(family, unix.SOCK_STREAM, 0) if err != nil { return err } - defer syscall.Close(sockfd) + defer unix.Close(sockfd) - var bindAddr syscall.Sockaddr + var bindAddr unix.Sockaddr if ipv6 { - bindAddr = &syscall.SockaddrInet6{ + bindAddr = &unix.SockaddrInet6{ Port: acceptPort, Addr: [16]byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, // in6addr_any } } else { - bindAddr = &syscall.SockaddrInet4{ + bindAddr = &unix.SockaddrInet4{ Port: acceptPort, Addr: [4]byte{0, 0, 0, 0}, // INADDR_ANY } } - if err := syscall.Bind(sockfd, bindAddr); err != nil { + if err := unix.Bind(sockfd, bindAddr); err != nil { return err } - if err := syscall.Listen(sockfd, 1); err != nil { + if err := unix.Listen(sockfd, 1); err != nil { return err } @@ -619,8 +619,8 @@ func listenForRedirectedConn(ctx context.Context, ipv6 bool, originalDsts []net. errCh := make(chan error) go func() { for { - connFD, _, err := syscall.Accept(sockfd) - if errors.Is(err, syscall.EINTR) { + connFD, _, err := unix.Accept(sockfd) + if errors.Is(err, unix.EINTR) { continue } if err != nil { @@ -641,7 +641,7 @@ func listenForRedirectedConn(ctx context.Context, ipv6 bool, originalDsts []net. return err case connFD = <-connCh: } - defer syscall.Close(connFD) + defer unix.Close(connFD) // Verify that, despite listening on acceptPort, SO_ORIGINAL_DST // indicates the packet was sent to originalDst:dropPort. @@ -764,35 +764,35 @@ func recvWithRECVORIGDSTADDR(ctx context.Context, ipv6 bool, expectedDst *net.IP // Create the listening socket. var ( - family = syscall.AF_INET - level = syscall.SOL_IP - option = syscall.IP_RECVORIGDSTADDR - bindAddr syscall.Sockaddr = &syscall.SockaddrInet4{ + family = unix.AF_INET + level = unix.SOL_IP + option = unix.IP_RECVORIGDSTADDR + bindAddr unix.Sockaddr = &unix.SockaddrInet4{ Port: int(port), Addr: [4]byte{0, 0, 0, 0}, // INADDR_ANY } ) if ipv6 { - family = syscall.AF_INET6 - level = syscall.SOL_IPV6 + family = unix.AF_INET6 + level = unix.SOL_IPV6 option = 74 // IPV6_RECVORIGDSTADDR, which is missing from the syscall package. - bindAddr = &syscall.SockaddrInet6{ + bindAddr = &unix.SockaddrInet6{ Port: int(port), Addr: [16]byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, // in6addr_any } } - sockfd, err := syscall.Socket(family, syscall.SOCK_DGRAM, 0) + sockfd, err := unix.Socket(family, unix.SOCK_DGRAM, 0) if err != nil { - return fmt.Errorf("failed Socket(%d, %d, 0): %w", family, syscall.SOCK_DGRAM, err) + return fmt.Errorf("failed Socket(%d, %d, 0): %w", family, unix.SOCK_DGRAM, err) } - defer syscall.Close(sockfd) + defer unix.Close(sockfd) - if err := syscall.Bind(sockfd, bindAddr); err != nil { + if err := unix.Bind(sockfd, bindAddr); err != nil { return fmt.Errorf("failed Bind(%d, %+v): %v", sockfd, bindAddr, err) } // Enable IP_RECVORIGDSTADDR. - if err := syscall.SetsockoptInt(sockfd, level, option, 1); err != nil { + if err := unix.SetsockoptInt(sockfd, level, option, 1); err != nil { return fmt.Errorf("failed SetsockoptByte(%d, %d, %d, 1): %v", sockfd, level, option, err) } @@ -837,41 +837,41 @@ func recvWithRECVORIGDSTADDR(ctx context.Context, ipv6 bool, expectedDst *net.IP // Verify that the address has the post-NAT port and address. if ipv6 { - return addrMatches6(addr.(syscall.RawSockaddrInet6), localAddrs, redirectPort) + return addrMatches6(addr.(unix.RawSockaddrInet6), localAddrs, redirectPort) } - return addrMatches4(addr.(syscall.RawSockaddrInet4), localAddrs, redirectPort) + return addrMatches4(addr.(unix.RawSockaddrInet4), localAddrs, redirectPort) } -func recvOrigDstAddr4(sockfd int) (syscall.RawSockaddrInet4, error) { - buf, err := recvOrigDstAddr(sockfd, syscall.SOL_IP, syscall.SizeofSockaddrInet4) +func recvOrigDstAddr4(sockfd int) (unix.RawSockaddrInet4, error) { + buf, err := recvOrigDstAddr(sockfd, unix.SOL_IP, unix.SizeofSockaddrInet4) if err != nil { - return syscall.RawSockaddrInet4{}, err + return unix.RawSockaddrInet4{}, err } - var addr syscall.RawSockaddrInet4 + var addr unix.RawSockaddrInet4 binary.Unmarshal(buf, usermem.ByteOrder, &addr) return addr, nil } -func recvOrigDstAddr6(sockfd int) (syscall.RawSockaddrInet6, error) { - buf, err := recvOrigDstAddr(sockfd, syscall.SOL_IP, syscall.SizeofSockaddrInet6) +func recvOrigDstAddr6(sockfd int) (unix.RawSockaddrInet6, error) { + buf, err := recvOrigDstAddr(sockfd, unix.SOL_IP, unix.SizeofSockaddrInet6) if err != nil { - return syscall.RawSockaddrInet6{}, err + return unix.RawSockaddrInet6{}, err } - var addr syscall.RawSockaddrInet6 + var addr unix.RawSockaddrInet6 binary.Unmarshal(buf, usermem.ByteOrder, &addr) return addr, nil } func recvOrigDstAddr(sockfd int, level uintptr, addrSize int) ([]byte, error) { buf := make([]byte, 64) - oob := make([]byte, syscall.CmsgSpace(addrSize)) + oob := make([]byte, unix.CmsgSpace(addrSize)) for { - _, oobn, _, _, err := syscall.Recvmsg( + _, oobn, _, _, err := unix.Recvmsg( sockfd, buf, // Message buffer. oob, // Out-of-band buffer. 0) // Flags. - if errors.Is(err, syscall.EINTR) { + if errors.Is(err, unix.EINTR) { continue } if err != nil { @@ -880,7 +880,7 @@ func recvOrigDstAddr(sockfd int, level uintptr, addrSize int) ([]byte, error) { oob = oob[:oobn] // Parse out the control message. - msgs, err := syscall.ParseSocketControlMessage(oob) + msgs, err := unix.ParseSocketControlMessage(oob) if err != nil { return nil, fmt.Errorf("failed to parse control message: %w", err) } @@ -888,10 +888,10 @@ func recvOrigDstAddr(sockfd int, level uintptr, addrSize int) ([]byte, error) { } } -func addrMatches4(got syscall.RawSockaddrInet4, wantAddrs []net.IP, port uint16) error { +func addrMatches4(got unix.RawSockaddrInet4, wantAddrs []net.IP, port uint16) error { for _, wantAddr := range wantAddrs { - want := syscall.RawSockaddrInet4{ - Family: syscall.AF_INET, + want := unix.RawSockaddrInet4{ + Family: unix.AF_INET, Port: htons(port), } copy(want.Addr[:], wantAddr.To4()) @@ -902,10 +902,10 @@ func addrMatches4(got syscall.RawSockaddrInet4, wantAddrs []net.IP, port uint16) return fmt.Errorf("got %+v, but wanted one of %+v (note: port numbers are in network byte order)", got, wantAddrs) } -func addrMatches6(got syscall.RawSockaddrInet6, wantAddrs []net.IP, port uint16) error { +func addrMatches6(got unix.RawSockaddrInet6, wantAddrs []net.IP, port uint16) error { for _, wantAddr := range wantAddrs { - want := syscall.RawSockaddrInet6{ - Family: syscall.AF_INET6, + want := unix.RawSockaddrInet6{ + Family: unix.AF_INET6, Port: htons(port), } copy(want.Addr[:], wantAddr.To16()) |