From 167b2efc94816b0ff823e12c22023c3ccbd16ae9 Mon Sep 17 00:00:00 2001
From: Kevin Krakauer
Date: Wed, 19 Aug 2020 13:45:20 -0700
Subject: ip6tables: move ipv4-specific logic into its own file

A later change will introduce the equivalent IPv6 logic. #3549
PiperOrigin-RevId: 327499064
---
 pkg/sentry/socket/netstack/netstack_vfs2.go | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
(limited to 'pkg/sentry/socket/netstack/netstack_vfs2.go')
diff --git a/pkg/sentry/socket/netstack/netstack_vfs2.go b/pkg/sentry/socket/netstack/netstack_vfs2.go
index 3335e7430..1db8ae491 100644
--- a/pkg/sentry/socket/netstack/netstack_vfs2.go
+++ b/pkg/sentry/socket/netstack/netstack_vfs2.go
@@ -239,6 +239,9 @@ func (s *SocketVFS2) GetSockOpt(t *kernel.Task, level, name int, outPtr usermem.
 if outLen < linux.SizeOfIPTGetinfo {
 return nil, syserr.ErrInvalidArgument
 }
+ if s.family != linux.AF_INET {
+ return nil, syserr.ErrInvalidArgument
+ }
 stack := inet.StackFromContext(t)
 if stack == nil {
@@ -254,12 +257,15 @@ func (s *SocketVFS2) GetSockOpt(t *kernel.Task, level, name int, outPtr usermem.
 if outLen < linux.SizeOfIPTGetEntries {
 return nil, syserr.ErrInvalidArgument
 }
+ if s.family != linux.AF_INET {
+ return nil, syserr.ErrInvalidArgument
+ }
 stack := inet.StackFromContext(t)
 if stack == nil {
 return nil, syserr.ErrNoDevice
 }
- entries, err := netfilter.GetEntries(t, stack.(*Stack).Stack, outPtr, outLen)
+ entries, err := netfilter.GetEntries4(t, stack.(*Stack).Stack, outPtr, outLen)
 if err != nil {
 return nil, err
 }
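Review bot: The new `s.family != linux.AF_INET` guard in the IPT_SO_GET_INFO case has no comment saying why non-IPv4 sockets are turned away, and the same three lines recur in the IPT_SO_GET_ENTRIES case and in SetSockOpt's IPT_SO_SET_REPLACE case. A one-line comment at each site would keep the restriction from being dropped by accident when the IPv6 path is added, e.g. `// Only IPv4 tables are served through this option; AF_INET6 sockets are rejected until the IPv6 logic lands.` The errno is also worth confirming: Linux appears to answer SOL_IP-level options on an AF_INET6 raw socket with ENOPROTOOPT rather than EINVAL, so callers probing for support may see a different error here. GetSockOpt's body starts and ends outside this hunk.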
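Review bot: The rewritten call `netfilter.GetEntries4(t, stack.(*Stack).Stack, outPtr, outLen)` keeps an unchecked type assertion on a value that was only tested for nil, so an inet.Stack of any other concrete type would panic here instead of returning an error. Presumably a netstack socket only ever sees the netstack stack, but the comma-ok form states that assumption at no cost: `ns, ok := stack.(*Stack)` followed by `if !ok { return nil, syserr.ErrNoDevice }`, then pass `ns.Stack`. The IPT_SO_GET_INFO and IPT_SO_SET_REPLACE cases may carry the same assertion; their calls fall outside the visible hunks. GetSockOpt's body continues outside this hunk.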
@@ -298,12 +304,15 @@ func (s *SocketVFS2) SetSockOpt(t *kernel.Task, level int, name int, optVal []by
 return nil
 }
- if s.skType == linux.SOCK_RAW && level == linux.IPPROTO_IP {
+ if s.skType == linux.SOCK_RAW && level == linux.SOL_IP {
 switch name {
 case linux.IPT_SO_SET_REPLACE:
 if len(optVal) < linux.SizeOfIPTReplace {
 return syserr.ErrInvalidArgument
 }
+ if s.family != linux.AF_INET {
+ return syserr.ErrInvalidArgument
+ }
 stack := inet.StackFromContext(t)
 if stack == nil {
--
cgit v1.2.3
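Review bot: No capability check is visible ahead of the IPT_SO_SET_REPLACE path; the only gates shown are `s.skType == linux.SOCK_RAW`, the length check and the new address-family check. Linux requires CAP_NET_ADMIN to replace a table, so if the rest of this case (outside the hunk) relies solely on raw-socket creation having been privileged, that is a weaker condition than the one being emulated. If nothing later in the case checks it, a guard such as `if !t.HasCapability(linux.CAP_NET_ADMIN) { return syserr.ErrNotPermitted }` ahead of the length check would close the gap. Otherwise a comment naming where the privilege is enforced would do. SetSockOpt's body starts and ends outside this hunk.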