summaryrefslogtreecommitdiffhomepage
path: root/pkg/tcpip/iptables
AgeCommit message (Collapse)Author
2020-03-16Merge pull request #1943 from kevinGC:ipt-filter-ipgVisor bot
PiperOrigin-RevId: 301197007
2020-03-06Add nat table support for iptables.Nayana Bidari
2020-02-28Add nat table support for iptables.Nayana Bidari
- Fix review comments.
2020-02-26Fix merge conflicts.Nayana Bidari
2020-02-26iptables: filter by IP address (and range)Kevin Krakauer
Enables commands such as: $ iptables -A INPUT -d 127.0.0.1 -j ACCEPT $ iptables -t nat -A PREROUTING ! -d 127.0.0.1 -j REDIRECT Also adds a bunch of REDIRECT+destination tests.
2020-02-25Merge branch 'master' into iptablesnybidari
2020-02-25Add nat table support for iptables.Nayana Bidari
- commit the changes for the comments.
2020-02-18Add nat table support for iptables.Nayana Bidari
Add nat table support for Prerouting hook with Redirect option. Add tests to check redirect of ports.
2020-02-13We can now create and jump in iptables. For example:Kevin Krakauer
$ iptables -N foochain $ iptables -A INPUT -j foochain
2020-02-12iptables: User chainsKevin Krakauer
- Adds creation of user chains via `-N <chainname>` - Adds `-j RETURN` support for built-in chains, which triggers the chain's underflow rule (usually the default policy). - Adds tests for chain creation, default policies, and `-j RETURN' from built-in chains.
2020-02-05Merge branch 'master' into tcp-matchers-submitKevin Krakauer
2020-02-04Merge pull request #1683 from kevinGC:ipt-udp-matchersgVisor bot
PiperOrigin-RevId: 293243342
2020-01-31iptables: enable TCP matching with "-m tcp".Kevin Krakauer
A couple other things that changed: - There's a proper extension registration system for matchers. Anyone adding another matcher can use tcp_matcher.go or udp_matcher.go as a template. - All logging and use of syserr.Error in the netfilter package happens at the highest possible level (public functions). Lower-level functions just return normal, descriptive golang errors.
2020-01-29Merge branch 'master' into ipt-udp-matchersKevin Krakauer
2020-01-27Fix licenses.Adin Scannell
The preferred Copyright holder is "The gVisor Authors". PiperOrigin-RevId: 291786657
2020-01-27More cleanup.Kevin Krakauer
2020-01-27Cleanup for GH review.Kevin Krakauer
2020-01-27Standardize on tools directory.Adin Scannell
PiperOrigin-RevId: 291745021
2020-01-24Merge branch 'master' into ipt-udp-matchersKevin Krakauer
2020-01-22Error marshalling the matcher.Kevin Krakauer
The iptables binary is looking for libxt_.so when it should be looking for libxt_udp.so, so it's having an issue reading the data in xt_match_entry. I think it may be an alignment issue. Trying to fix this is leading to me fighting with the metadata struct, so I'm gonna go kill that.
2020-01-22Address GitHub comments.Kevin Krakauer
2020-01-21Adding serialization.Kevin Krakauer
2020-01-21Passes all filter table UDP tests.Kevin Krakauer
2020-01-21Removed TCP work (saved in ipt-tcp-match).Kevin Krakauer
2020-01-21Add UDP matchers.Kevin Krakauer
2020-01-21Fixing stuffKevin Krakauer
2020-01-21Merge branch 'master' into iptables-write-filter-protoKevin Krakauer
2020-01-14Address Nic's comments.Kevin Krakauer
2020-01-13Protocol filtering works.Kevin Krakauer
2020-01-13Merge branch 'iptables-write-input-drop' into iptables-write-filter-protoKevin Krakauer
2020-01-13Merge branch 'master' into iptables-write-input-dropKevin Krakauer
2020-01-13Merge pull request #1528 from kevinGC:iptables-writegVisor bot
PiperOrigin-RevId: 289479774
2020-01-10I think INPUT works with protocolKevin Krakauer
2020-01-10Cleaned up logs.Kevin Krakauer
2020-01-09Confirmed that it works if I hardcode 17 in for pkt.Protocol. Need to ↵Kevin Krakauer
address parsing the packet early :(
2020-01-09Added a test that we don't pass yetKevin Krakauer
2020-01-08Working on filtering by protocol.Kevin Krakauer
2020-01-08Merge branch 'iptables-write' into iptables-write-input-dropKevin Krakauer
2020-01-08More GH comments.Kevin Krakauer
2020-01-08Getting a panic when running tests. For some reason the filter table isKevin Krakauer
ending up with the wrong chains and is indexing -1 into rules.
2020-01-08Built dead-simple traversal, but now getting depedency cycle error :'(Kevin Krakauer
2020-01-08Comment cleanup.Kevin Krakauer
2020-01-08Minor fixes to comments and loggingKevin Krakauer
2020-01-08Write simple ACCEPT rules to the filter table.Kevin Krakauer
This gets us closer to passing the iptables tests and opens up iptables so it can be worked on by multiple people. A few restrictions are enforced for security (i.e. we don't want to let users write a bunch of iptables rules and then just not enforce them): - Only the filter table is writable. - Only ACCEPT rules with no matching criteria can be added.
2019-10-14Reorder BUILD license and load functions in netstack.Kevin Krakauer
PiperOrigin-RevId: 274672346
2019-08-02Plumbing for iptables sockopts.Kevin Krakauer
PiperOrigin-RevId: 261413396
2019-07-02Merge pull request #279 from kevinGC:iptables-1-pkggVisor bot
PiperOrigin-RevId: 256231055
2019-06-10Address more comments.Kevin Krakauer
Change-Id: I83ae1079f3dcba6b018f59ab7898decab5c211d2
2019-06-07Address Ian's comments.Kevin Krakauer
Change-Id: I7445033b1970cbba3f2ed0682fe520dce02d8fad
2019-05-31Add basic iptables structures to netstack.Kevin Krakauer
Change-Id: Ib589906175a59dae315405a28f2d7f525ff8877f