From ae060a63d9ad1bfb65b84a2ccbaf2893c5a50b76 Mon Sep 17 00:00:00 2001
From: Kevin Krakauer <krakauer@google.com>
Date: Wed, 8 Jan 2020 17:30:08 -0800
Subject: More GH comments.

---
 pkg/abi/linux/netfilter.go               |  6 +++---
 pkg/sentry/socket/netfilter/netfilter.go |  8 ++++----
 pkg/tcpip/iptables/BUILD                 |  5 ++++-
 pkg/tcpip/iptables/iptables.go           |  6 +++---
 pkg/tcpip/iptables/targets.go            | 16 +++++++++++-----
 5 files changed, 25 insertions(+), 16 deletions(-)

(limited to 'pkg')

diff --git a/pkg/abi/linux/netfilter.go b/pkg/abi/linux/netfilter.go
index c4f4ea0b1..33fcc6c95 100644
--- a/pkg/abi/linux/netfilter.go
+++ b/pkg/abi/linux/netfilter.go
@@ -298,7 +298,7 @@ type IPTReplace struct {
 	// Entries [0]IPTEntry
 }
 
-// KernelIPTEntry is identical to IPTReplace, but includes the Entries field.
+// KernelIPTReplace is identical to IPTReplace, but includes the Entries field.
 type KernelIPTReplace struct {
 	IPTReplace
 	Entries [0]IPTEntry
@@ -315,7 +315,7 @@ func (en ExtensionName) String() string {
 	return goString(en[:])
 }
 
-// ExtensionName holds the name of a netfilter table.
+// TableName holds the name of a netfilter table.
 type TableName [XT_TABLE_MAXNAMELEN]byte
 
 // String implements fmt.Stringer.
@@ -323,7 +323,7 @@ func (tn TableName) String() string {
 	return goString(tn[:])
 }
 
-// ExtensionName holds the name of a netfilter error. These can also hold
+// ErrorName holds the name of a netfilter error. These can also hold
 // user-defined chains.
 type ErrorName [XT_FUNCTION_MAXNAMELEN]byte
 
diff --git a/pkg/sentry/socket/netfilter/netfilter.go b/pkg/sentry/socket/netfilter/netfilter.go
index 799865b03..60bb30a9f 100644
--- a/pkg/sentry/socket/netfilter/netfilter.go
+++ b/pkg/sentry/socket/netfilter/netfilter.go
@@ -210,8 +210,8 @@ func marshalTarget(target iptables.Target) []byte {
 		return marshalStandardTarget(iptables.Accept)
 	case iptables.UnconditionalDropTarget:
 		return marshalStandardTarget(iptables.Drop)
-	case iptables.PanicTarget:
-		return marshalPanicTarget()
+	case iptables.ErrorTarget:
+		return marshalErrorTarget()
 	default:
 		panic(fmt.Errorf("unknown target of type %T", target))
 	}
@@ -230,7 +230,7 @@ func marshalStandardTarget(verdict iptables.Verdict) []byte {
 	return binary.Marshal(ret, usermem.ByteOrder, target)
 }
 
-func marshalPanicTarget() []byte {
+func marshalErrorTarget() []byte {
 	// This is an error target named error
 	target := linux.XTErrorTarget{
 		Target: linux.XTEntryTarget{
@@ -438,7 +438,7 @@ func parseTarget(optVal []byte) (iptables.Target, uint32, *syserr.Error) {
 		//   rules have an error with the name of the chain.
 		switch errorTarget.Name.String() {
 		case errorTargetName:
-			return iptables.PanicTarget{}, linux.SizeOfXTErrorTarget, nil
+			return iptables.ErrorTarget{}, linux.SizeOfXTErrorTarget, nil
 		default:
 			log.Infof("Unknown error target %q doesn't exist or isn't supported yet.", errorTarget.Name.String())
 			return nil, 0, syserr.ErrInvalidArgument
diff --git a/pkg/tcpip/iptables/BUILD b/pkg/tcpip/iptables/BUILD
index cc5f531e2..64769c333 100644
--- a/pkg/tcpip/iptables/BUILD
+++ b/pkg/tcpip/iptables/BUILD
@@ -11,5 +11,8 @@ go_library(
     ],
     importpath = "gvisor.dev/gvisor/pkg/tcpip/iptables",
     visibility = ["//visibility:public"],
-    deps = ["//pkg/tcpip/buffer"],
+    deps = [
+        "//pkg/log",
+        "//pkg/tcpip/buffer",
+    ],
 )
diff --git a/pkg/tcpip/iptables/iptables.go b/pkg/tcpip/iptables/iptables.go
index 9e7005374..db0450a21 100644
--- a/pkg/tcpip/iptables/iptables.go
+++ b/pkg/tcpip/iptables/iptables.go
@@ -45,7 +45,7 @@ func DefaultTables() IPTables {
 					Rule{Target: UnconditionalAcceptTarget{}},
 					Rule{Target: UnconditionalAcceptTarget{}},
 					Rule{Target: UnconditionalAcceptTarget{}},
-					Rule{Target: PanicTarget{}},
+					Rule{Target: ErrorTarget{}},
 				},
 				BuiltinChains: map[Hook]int{
 					Prerouting:  0,
@@ -65,7 +65,7 @@ func DefaultTables() IPTables {
 				Rules: []Rule{
 					Rule{Target: UnconditionalAcceptTarget{}},
 					Rule{Target: UnconditionalAcceptTarget{}},
-					Rule{Target: PanicTarget{}},
+					Rule{Target: ErrorTarget{}},
 				},
 				BuiltinChains: map[Hook]int{
 					Prerouting: 0,
@@ -82,7 +82,7 @@ func DefaultTables() IPTables {
 					Rule{Target: UnconditionalAcceptTarget{}},
 					Rule{Target: UnconditionalAcceptTarget{}},
 					Rule{Target: UnconditionalAcceptTarget{}},
-					Rule{Target: PanicTarget{}},
+					Rule{Target: ErrorTarget{}},
 				},
 				BuiltinChains: map[Hook]int{
 					Input:   0,
diff --git a/pkg/tcpip/iptables/targets.go b/pkg/tcpip/iptables/targets.go
index 2c3598e3d..d65ed8df5 100644
--- a/pkg/tcpip/iptables/targets.go
+++ b/pkg/tcpip/iptables/targets.go
@@ -16,7 +16,10 @@
 
 package iptables
 
-import "gvisor.dev/gvisor/pkg/tcpip/buffer"
+import (
+	"gvisor.dev/gvisor/pkg/log"
+	"gvisor.dev/gvisor/pkg/tcpip/buffer"
+)
 
 // UnconditionalAcceptTarget accepts all packets.
 type UnconditionalAcceptTarget struct{}
@@ -34,10 +37,13 @@ func (UnconditionalDropTarget) Action(packet buffer.VectorisedView) (Verdict, st
 	return Drop, ""
 }
 
-// PanicTarget just panics. It represents a target that should be unreachable.
-type PanicTarget struct{}
+// ErrorTarget logs an error and drops the packet. It represents a target that
+// should be unreachable.
+type ErrorTarget struct{}
 
 // Actions implements Target.Action.
-func (PanicTarget) Action(packet buffer.VectorisedView) (Verdict, string) {
-	panic("PanicTarget triggered.")
+func (ErrorTarget) Action(packet buffer.VectorisedView) (Verdict, string) {
+	log.Warningf("ErrorTarget triggered.")
+	return Drop, ""
+
 }
-- 
cgit v1.2.3