| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2020-01-09 | Added a test that we don't pass yet | Kevin Krakauer | |
| 2020-01-08 | Working on filtering by protocol. | Kevin Krakauer | |
| 2020-01-08 | Built dead-simple traversal, but now getting depedency cycle error :'( | Kevin Krakauer | |
| 2020-01-08 | Added test for unconditional DROP on the filter INPUT chain | Kevin Krakauer | |
| 2020-01-08 | Newline | Kevin Krakauer | |
| 2020-01-08 | Revert filter_input change | Kevin Krakauer | |
| 2020-01-08 | Minor fixes to comments and logging | Kevin Krakauer | |
| 2020-01-08 | Write simple ACCEPT rules to the filter table. | Kevin Krakauer | |
| This gets us closer to passing the iptables tests and opens up iptables so it can be worked on by multiple people. A few restrictions are enforced for security (i.e. we don't want to let users write a bunch of iptables rules and then just not enforce them): - Only the filter table is writable. - Only ACCEPT rules with no matching criteria can be added. | |||
| 2020-01-06 | Fix readme formatting. | Kevin Krakauer | |
| PiperOrigin-RevId: 288402480 | |||
| 2019-12-17 | Internal change. | Kevin Krakauer | |
| PiperOrigin-RevId: 286083614 | |||
| 2019-12-12 | Add iptables testing framework. | Kevin Krakauer | |
| It would be preferrable to test iptables via syscall tests, but there are some problems with that approach: * We're limited to loopback-only, as syscall tests involve only a single container. Other link interfaces (e.g. fdbased) should be tested. * We'd have to shell out to call iptables anyways, as the iptables syscall interface itself is too large and complex to work with alone. * Running the Linux/native version of the syscall test will require root, which is a pain to configure, is inherently unsafe, and could leave host iptables misconfigured. Using the go_test target allows there to be no new test runner. PiperOrigin-RevId: 285274275 | |||
 |
index : gvisor | |
| Container Runtime Sandbox |
| summaryrefslogtreecommitdiffhomepage |