From d58eb9ce828fd7c831f30e922e01f1d2b84e462c Mon Sep 17 00:00:00 2001
From: Kevin Krakauer
Date: Fri, 31 May 2019 16:14:04 -0700
Subject: Add basic iptables structures to netstack.
Change-Id: Ib589906175a59dae315405a28f2d7f525ff8877f
---
 pkg/tcpip/iptables/iptables.go | 97 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 97 insertions(+)
 create mode 100644 pkg/tcpip/iptables/iptables.go
(limited to 'pkg/tcpip/iptables/iptables.go')
diff --git a/pkg/tcpip/iptables/iptables.go b/pkg/tcpip/iptables/iptables.go
new file mode 100644
index 000000000..ee1ed4666
--- /dev/null
+++ b/pkg/tcpip/iptables/iptables.go
@@ -0,0 +1,97 @@
+// Copyright 2019 The gVisor authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package iptables supports packet filtering and manipulation via the iptables
+// tool.
+package iptables
+
+const (
+ tablenameNat = "nat"
+ tablenameMangle = "mangle"
+)
+
+// Chain names as defined by net/ipv4/netfilter/ip_tables.c.
+const (
+ chainNamePrerouting = "PREROUTING"
+ chainNameInput = "INPUT"
+ chainNameForward = "FORWARD"
+ chainNameOutput = "OUTPUT"
+ chainNamePostrouting = "POSTROUTING"
+)
+
+// DefaultTables returns a default set of tables. Each chain is set to accept
+// all packets.
+func DefaultTables() *IPTables {
+ tables := IPTables{
+ Tables: map[string]*Table{
+ tablenameNat: &Table{
+ BuiltinChains: map[Hook]*Chain{
+ Prerouting: unconditionalAcceptChain(chainNamePrerouting),
+ Input: unconditionalAcceptChain(chainNameInput),
+ Output: unconditionalAcceptChain(chainNameOutput),
+ Postrouting: unconditionalAcceptChain(chainNamePostrouting),
+ },
+ DefaultTargets: map[Hook]Target{
+ Prerouting: UnconditionalAcceptTarget{},
+ Input: UnconditionalAcceptTarget{},
+ Output: UnconditionalAcceptTarget{},
+ Postrouting: UnconditionalAcceptTarget{},
+ },
+ UserChains: map[string]*Chain{},
+ },
+ tablenameMangle: &Table{
+ BuiltinChains: map[Hook]*Chain{
+ Prerouting: unconditionalAcceptChain(chainNamePrerouting),
+ Output: unconditionalAcceptChain(chainNameOutput),
+ },
+ DefaultTargets: map[Hook]Target{
+ Prerouting: UnconditionalAcceptTarget{},
+ Output: UnconditionalAcceptTarget{},
+ },
+ UserChains: map[string]*Chain{},
+ },
+ },
+ Priorities: map[Hook][]string{
+ Prerouting: []string{tablenameMangle, tablenameNat},
+ Output: []string{tablenameMangle, tablenameNat},
+ },
+ }
+
+ // Initialize each table's Chains field.
+ tables.Tables[tablenameNat].Chains = map[string]*Chain{
+ chainNamePrerouting: tables.Tables[tablenameNat].BuiltinChains[Prerouting],
+ chainNameInput: tables.Tables[tablenameNat].BuiltinChains[Input],
+ chainNameOutput: tables.Tables[tablenameNat].BuiltinChains[Output],
+ chainNamePostrouting: tables.Tables[tablenameNat].BuiltinChains[Postrouting],
+ }
+ tables.Tables[tablenameMangle].Chains = map[string]*Chain{
+ chainNamePrerouting: tables.Tables[tablenameMangle].BuiltinChains[Prerouting],
+ chainNameInput: tables.Tables[tablenameMangle].BuiltinChains[Input],
+ chainNameOutput: tables.Tables[tablenameMangle].BuiltinChains[Output],
+ chainNamePostrouting: tables.Tables[tablenameMangle].BuiltinChains[Postrouting],
+ }
+
+ return &tables
+}
+
+func unconditionalAcceptChain(name string) *Chain {
+ return &Chain{
+ Name: name,
+ Rules: []*Rule{
+ &Rule{
+ Target: UnconditionalAcceptTarget{},
+ },
+ },
+ }
+}
-- cgit v1.2.3
From 8afbd974da2483d8f81e3abde5c9d689719263cb Mon Sep 17 00:00:00 2001
From: Kevin Krakauer
Date: Fri, 7 Jun 2019 12:54:53 -0700
Subject: Address Ian's comments.
Change-Id: I7445033b1970cbba3f2ed0682fe520dce02d8fad
---
 pkg/tcpip/iptables/iptables.go | 36 +++++++++++-------------------------
 pkg/tcpip/iptables/types.go | 12 ++++++------
 2 files changed, 17 insertions(+), 31 deletions(-)
(limited to 'pkg/tcpip/iptables/iptables.go')
diff --git a/pkg/tcpip/iptables/iptables.go b/pkg/tcpip/iptables/iptables.go
index ee1ed4666..bd54ef5a6 100644
--- a/pkg/tcpip/iptables/iptables.go
+++ b/pkg/tcpip/iptables/iptables.go
@@ -34,9 +34,9 @@ const (
 // all packets.
 func DefaultTables() *IPTables {
 tables := IPTables{
- Tables: map[string]*Table{
- tablenameNat: &Table{
- BuiltinChains: map[Hook]*Chain{
+ Tables: map[string]Table{
+ tablenameNat: Table{
+ BuiltinChains: map[Hook]Chain{
 Prerouting: unconditionalAcceptChain(chainNamePrerouting),
 Input: unconditionalAcceptChain(chainNameInput),
 Output: unconditionalAcceptChain(chainNameOutput),
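Review bot: The mangle table's `Chains` map reads `BuiltinChains[Input]` and `BuiltinChains[Postrouting]`, but the mangle `BuiltinChains` literal earlier in this hunk only defines Prerouting and Output, so those two lookups return nil and nil `*Chain` values are stored under INPUT and POSTROUTING; any by-name lookup that trusts the map would then dereference nil. Deriving `Chains` by ranging over `BuiltinChains` (keying on `Chain.Name`) instead of listing keys by hand would keep the two maps from disagreeing. Separately, `Priorities` only has entries for Prerouting and Output while the nat table installs Input and Postrouting chains; if traversal is driven by `Priorities` as its doc comment in types.go describes, those nat chains are never visited, which is worth confirming or documenting on `DefaultTables`.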
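Review bot: With `Tables` now `map[string]Table` and `BuiltinChains` now `map[Hook]Chain`, the element type in `tablenameNat: Table{` and in the later literals (`tablenameMangle: Table{` in the -48 hunk, `Rule{` inside `[]Rule{` in the -68 hunk) is redundant and `gofmt -s` would reduce it to `tablenameNat: {`. The switch to value types also changes the contract: a `Chain` fetched from one of these maps is a copy, so appending to its `Rules` has no effect unless the `Chain` is written back, while copying a `Table` still shares its internal maps. A one-line comment on `DefaultTables` such as `// Tables and chains are stored by value; modify them by reassigning the map entry.` would make that explicit.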
@@ -48,10 +48,10 @@ func DefaultTables() *IPTables {
 Output: UnconditionalAcceptTarget{},
 Postrouting: UnconditionalAcceptTarget{},
 },
- UserChains: map[string]*Chain{},
+ UserChains: map[string]Chain{},
 },
- tablenameMangle: &Table{
- BuiltinChains: map[Hook]*Chain{
+ tablenameMangle: Table{
+ BuiltinChains: map[Hook]Chain{
 Prerouting: unconditionalAcceptChain(chainNamePrerouting),
 Output: unconditionalAcceptChain(chainNameOutput),
 },
@@ -59,7 +59,7 @@ func DefaultTables() *IPTables {
 Prerouting: UnconditionalAcceptTarget{},
 Output: UnconditionalAcceptTarget{},
 },
- UserChains: map[string]*Chain{},
+ UserChains: map[string]Chain{},
 },
 },
 Priorities: map[Hook][]string{
@@ -68,28 +68,14 @@ func DefaultTables() *IPTables {
 },
 }
- // Initialize each table's Chains field.
- tables.Tables[tablenameNat].Chains = map[string]*Chain{
- chainNamePrerouting: tables.Tables[tablenameNat].BuiltinChains[Prerouting],
- chainNameInput: tables.Tables[tablenameNat].BuiltinChains[Input],
- chainNameOutput: tables.Tables[tablenameNat].BuiltinChains[Output],
- chainNamePostrouting: tables.Tables[tablenameNat].BuiltinChains[Postrouting],
- }
- tables.Tables[tablenameMangle].Chains = map[string]*Chain{
- chainNamePrerouting: tables.Tables[tablenameMangle].BuiltinChains[Prerouting],
- chainNameInput: tables.Tables[tablenameMangle].BuiltinChains[Input],
- chainNameOutput: tables.Tables[tablenameMangle].BuiltinChains[Output],
- chainNamePostrouting: tables.Tables[tablenameMangle].BuiltinChains[Postrouting],
- }
-
 return &tables
 }
-func unconditionalAcceptChain(name string) *Chain {
- return &Chain{
+func unconditionalAcceptChain(name string) Chain {
+ return Chain{
 Name: name,
- Rules: []*Rule{
- &Rule{
+ Rules: []Rule{
+ Rule{
 Target: UnconditionalAcceptTarget{},
 },
 },
diff --git a/pkg/tcpip/iptables/types.go b/pkg/tcpip/iptables/types.go
index 65bfc7b1d..cdfb6ba28 100644
--- a/pkg/tcpip/iptables/types.go
+++ b/pkg/tcpip/iptables/types.go
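Review bot: Dropping the `Chains` initialisation leaves `Table.Chains` unset (a nil map) for both tables returned by `DefaultTables`, while the `Chains` doc comment visible in the types.go -126 hunk still says it maps names to both builtin and user-defined chains; a by-name lookup on the default tables now finds nothing, and an assignment into the nil map panics. Since map elements of a value type are not addressable, the old `tables.Tables[name].Chains = …` form cannot be kept, which is presumably why the block went; the replacement is to populate `Chains` while building each `Table` literal, or to range over `BuiltinChains` into a fresh map before the `Table` is inserted. If `Chains` is instead meant to be filled lazily elsewhere, the `DefaultTables` doc comment should say so.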
@@ -98,11 +98,11 @@ const (
 // IPTables holds all the tables for a netstack.
 type IPTables struct {
- // mu protects the entire struct.
- mu sync.RWMutex
+ // Mu protects the entire struct.
+ Mu sync.RWMutex
 // Tables maps table names to tables. User tables have arbitrary names.
- Tables map[string]*Table
+ Tables map[string]Table
 // Priorities maps each hook to a list of table names. The order of the
 // list is the order in which each table should be visited for that
@@ -118,7 +118,7 @@ type Table struct {
 // BuiltinChains holds the un-deletable chains built into netstack. If
 // a hook isn't present in the map, this table doesn't utilize that
 // hook.
- BuiltinChains map[Hook]*Chain
+ BuiltinChains map[Hook]Chain
 // DefaultTargets holds a target for each hook that will be executed if
 // chain traversal doesn't yield a verdict.
@@ -126,7 +126,7 @@ type Table struct {
 // UserChains holds user-defined chains for the keyed by name. Users
 // can give their chains arbitrary names.
- UserChains map[string]*Chain
+ UserChains map[string]Chain
 // Chains maps names to chains for both builtin and user-defined chains.
 // Its entries point to Chains already either in BuiltinChains and
@@ -158,7 +158,7 @@ type Chain struct {
 Name string
 // Rules is the list of rules to traverse.
- Rules []*Rule
+ Rules []Rule
 }
 // Rule is a packet processing rule. It consists of two pieces. First it
-- cgit v1.2.3
From 06a83df533244dc2b3b8adfc1bf0608d3753c1d9 Mon Sep 17 00:00:00 2001
From: Kevin Krakauer
Date: Mon, 10 Jun 2019 12:43:54 -0700
Subject: Address more comments.
Change-Id: I83ae1079f3dcba6b018f59ab7898decab5c211d2
---
 pkg/tcpip/iptables/iptables.go | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
(limited to 'pkg/tcpip/iptables/iptables.go')
diff --git a/pkg/tcpip/iptables/iptables.go b/pkg/tcpip/iptables/iptables.go
index bd54ef5a6..f1e1d1fad 100644
--- a/pkg/tcpip/iptables/iptables.go
+++ b/pkg/tcpip/iptables/iptables.go
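Review bot: Exporting the mutex as `Mu` moves correct locking into every caller of `IPTables`, and `// Mu protects the entire struct.` does not say when it must be held or in which mode; a missed lock here is a data race on the packet-filter configuration that only `-race` would surface. Suggest expanding the comment to `// Mu protects the entire struct. Hold it for reading to traverse Tables or Priorities and for writing to replace entries; Table and Chain are values, so updates are read, copied, and written back under the write lock.`, or keeping the mutex unexported behind Lock/RLock accessors. The -126 hunk's context line saying `Chains` entries "point to" chains in `BuiltinChains` or `UserChains` is also stale if `Chains` became a value map like those two, since its entries would then be copies that can drift from the originals.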
@@ -33,7 +33,7 @@ const (
 // DefaultTables returns a default set of tables. Each chain is set to accept
 // all packets.
 func DefaultTables() *IPTables {
- tables := IPTables{
+ return &IPTables{
 Tables: map[string]Table{
 tablenameNat: Table{
 BuiltinChains: map[Hook]Chain{
@@ -67,8 +67,6 @@ func DefaultTables() *IPTables {
 Output: []string{tablenameMangle, tablenameNat},
 },
 }
-
- return &tables
 }
 func unconditionalAcceptChain(name string) Chain {
-- cgit v1.2.3