Plumbing for iptables sockopts.
PiperOrigin-RevId: 261413396
This commit is contained in:
parent
b6a5b950d2
commit
810cc07aab
|
@ -31,6 +31,7 @@ go_library(
|
|||
"//pkg/sentry/kernel/time",
|
||||
"//pkg/sentry/safemem",
|
||||
"//pkg/sentry/socket",
|
||||
"//pkg/sentry/socket/netfilter",
|
||||
"//pkg/sentry/unimpl",
|
||||
"//pkg/sentry/usermem",
|
||||
"//pkg/syserr",
|
||||
|
@ -38,6 +39,7 @@ go_library(
|
|||
"//pkg/tcpip",
|
||||
"//pkg/tcpip/buffer",
|
||||
"//pkg/tcpip/header",
|
||||
"//pkg/tcpip/iptables",
|
||||
"//pkg/tcpip/network/ipv4",
|
||||
"//pkg/tcpip/network/ipv6",
|
||||
"//pkg/tcpip/stack",
|
||||
|
|
|
@ -43,6 +43,7 @@ import (
|
|||
ktime "gvisor.dev/gvisor/pkg/sentry/kernel/time"
|
||||
"gvisor.dev/gvisor/pkg/sentry/safemem"
|
||||
"gvisor.dev/gvisor/pkg/sentry/socket"
|
||||
"gvisor.dev/gvisor/pkg/sentry/socket/netfilter"
|
||||
"gvisor.dev/gvisor/pkg/sentry/unimpl"
|
||||
"gvisor.dev/gvisor/pkg/sentry/usermem"
|
||||
"gvisor.dev/gvisor/pkg/syserr"
|
||||
|
@ -624,7 +625,7 @@ func (s *SocketOperations) Shutdown(t *kernel.Task, how int) *syserr.Error {
|
|||
|
||||
// GetSockOpt implements the linux syscall getsockopt(2) for sockets backed by
|
||||
// tcpip.Endpoint.
|
||||
func (s *SocketOperations) GetSockOpt(t *kernel.Task, level, name, outLen int) (interface{}, *syserr.Error) {
|
||||
func (s *SocketOperations) GetSockOpt(t *kernel.Task, level, name int, outPtr usermem.Addr, outLen int) (interface{}, *syserr.Error) {
|
||||
// TODO(b/78348848): Unlike other socket options, SO_TIMESTAMP is
|
||||
// implemented specifically for epsocket.SocketOperations rather than
|
||||
// commonEndpoint. commonEndpoint should be extended to support socket
|
||||
|
@ -655,6 +656,33 @@ func (s *SocketOperations) GetSockOpt(t *kernel.Task, level, name, outLen int) (
|
|||
return val, nil
|
||||
}
|
||||
|
||||
if s.skType == linux.SOCK_RAW && level == linux.IPPROTO_IP {
|
||||
switch name {
|
||||
case linux.IPT_SO_GET_INFO:
|
||||
if outLen < linux.SizeOfIPTGetinfo {
|
||||
return nil, syserr.ErrInvalidArgument
|
||||
}
|
||||
|
||||
info, err := netfilter.GetInfo(t, s.Endpoint, outPtr)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return info, nil
|
||||
|
||||
case linux.IPT_SO_GET_ENTRIES:
|
||||
if outLen < linux.SizeOfIPTGetEntries {
|
||||
return nil, syserr.ErrInvalidArgument
|
||||
}
|
||||
|
||||
entries, err := netfilter.GetEntries(t, s.Endpoint, outPtr, outLen)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return entries, nil
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
return GetSockOpt(t, s, s.Endpoint, s.family, s.skType, level, name, outLen)
|
||||
}
|
||||
|
||||
|
|
|
@ -18,9 +18,11 @@ import (
|
|||
"gvisor.dev/gvisor/pkg/abi/linux"
|
||||
"gvisor.dev/gvisor/pkg/log"
|
||||
"gvisor.dev/gvisor/pkg/sentry/inet"
|
||||
"gvisor.dev/gvisor/pkg/sentry/socket/netfilter"
|
||||
"gvisor.dev/gvisor/pkg/syserr"
|
||||
"gvisor.dev/gvisor/pkg/tcpip"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/header"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/iptables"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/network/ipv4"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/network/ipv6"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/stack"
|
||||
|
@ -188,3 +190,14 @@ func (s *Stack) RouteTable() []inet.Route {
|
|||
|
||||
return routeTable
|
||||
}
|
||||
|
||||
// IPTables returns the stack's iptables.
|
||||
func (s *Stack) IPTables() (iptables.IPTables, error) {
|
||||
return s.Stack.IPTables(), nil
|
||||
}
|
||||
|
||||
// FillDefaultIPTables sets the stack's iptables to the default tables, which
|
||||
// allow and do not modify all traffic.
|
||||
func (s *Stack) FillDefaultIPTables() error {
|
||||
return netfilter.FillDefaultIPTables(s.Stack)
|
||||
}
|
||||
|
|
|
@ -272,7 +272,7 @@ func (s *socketOperations) Shutdown(t *kernel.Task, how int) *syserr.Error {
|
|||
}
|
||||
|
||||
// GetSockOpt implements socket.Socket.GetSockOpt.
|
||||
func (s *socketOperations) GetSockOpt(t *kernel.Task, level int, name int, outLen int) (interface{}, *syserr.Error) {
|
||||
func (s *socketOperations) GetSockOpt(t *kernel.Task, level int, name int, outPtr usermem.Addr, outLen int) (interface{}, *syserr.Error) {
|
||||
if outLen < 0 {
|
||||
return nil, syserr.ErrInvalidArgument
|
||||
}
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
package(licenses = ["notice"])
|
||||
|
||||
load("//tools/go_stateify:defs.bzl", "go_library")
|
||||
|
||||
go_library(
|
||||
name = "netfilter",
|
||||
srcs = [
|
||||
"netfilter.go",
|
||||
],
|
||||
importpath = "gvisor.dev/gvisor/pkg/sentry/socket/netfilter",
|
||||
# This target depends on netstack and should only be used by epsocket,
|
||||
# which is allowed to depend on netstack.
|
||||
visibility = ["//pkg/sentry:internal"],
|
||||
deps = [
|
||||
"//pkg/abi/linux",
|
||||
"//pkg/sentry/kernel",
|
||||
"//pkg/sentry/usermem",
|
||||
"//pkg/syserr",
|
||||
"//pkg/tcpip",
|
||||
"//pkg/tcpip/iptables",
|
||||
"//pkg/tcpip/stack",
|
||||
],
|
||||
)
|
|
@ -0,0 +1,46 @@
|
|||
// Copyright 2019 The gVisor Authors.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
// Package netfilter helps the sentry interact with netstack's netfilter
|
||||
// capabilities.
|
||||
package netfilter
|
||||
|
||||
import (
|
||||
"gvisor.dev/gvisor/pkg/abi/linux"
|
||||
"gvisor.dev/gvisor/pkg/sentry/kernel"
|
||||
"gvisor.dev/gvisor/pkg/sentry/usermem"
|
||||
"gvisor.dev/gvisor/pkg/syserr"
|
||||
"gvisor.dev/gvisor/pkg/tcpip"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/iptables"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/stack"
|
||||
)
|
||||
|
||||
// GetInfo returns information about iptables.
|
||||
func GetInfo(t *kernel.Task, ep tcpip.Endpoint, outPtr usermem.Addr) (linux.IPTGetinfo, *syserr.Error) {
|
||||
// TODO(b/129292233): Implement.
|
||||
return linux.IPTGetinfo{}, syserr.ErrInvalidArgument
|
||||
}
|
||||
|
||||
// GetEntries returns netstack's iptables rules encoded for the iptables tool.
|
||||
func GetEntries(t *kernel.Task, ep tcpip.Endpoint, outPtr usermem.Addr, outLen int) (linux.KernelIPTGetEntries, *syserr.Error) {
|
||||
// TODO(b/129292233): Implement.
|
||||
return linux.KernelIPTGetEntries{}, syserr.ErrInvalidArgument
|
||||
}
|
||||
|
||||
// FillDefaultIPTables sets stack's IPTables to the default tables and
|
||||
// populates them with metadata.
|
||||
func FillDefaultIPTables(stack *stack.Stack) error {
|
||||
stack.SetIPTables(iptables.DefaultTables())
|
||||
return nil
|
||||
}
|
|
@ -289,7 +289,7 @@ func (s *Socket) Shutdown(t *kernel.Task, how int) *syserr.Error {
|
|||
}
|
||||
|
||||
// GetSockOpt implements socket.Socket.GetSockOpt.
|
||||
func (s *Socket) GetSockOpt(t *kernel.Task, level int, name int, outLen int) (interface{}, *syserr.Error) {
|
||||
func (s *Socket) GetSockOpt(t *kernel.Task, level int, name int, outPtr usermem.Addr, outLen int) (interface{}, *syserr.Error) {
|
||||
switch level {
|
||||
case linux.SOL_SOCKET:
|
||||
switch name {
|
||||
|
|
|
@ -395,7 +395,7 @@ func (s *socketOperations) Shutdown(t *kernel.Task, how int) *syserr.Error {
|
|||
}
|
||||
|
||||
// GetSockOpt implements socket.Socket.GetSockOpt.
|
||||
func (s *socketOperations) GetSockOpt(t *kernel.Task, level int, name int, outLen int) (interface{}, *syserr.Error) {
|
||||
func (s *socketOperations) GetSockOpt(t *kernel.Task, level int, name int, outPtr usermem.Addr, outLen int) (interface{}, *syserr.Error) {
|
||||
// SO_RCVTIMEO and SO_SNDTIMEO are special because blocking is performed
|
||||
// within the sentry.
|
||||
if level == linux.SOL_SOCKET && name == linux.SO_RCVTIMEO {
|
||||
|
|
|
@ -64,7 +64,7 @@ type Socket interface {
|
|||
Shutdown(t *kernel.Task, how int) *syserr.Error
|
||||
|
||||
// GetSockOpt implements the getsockopt(2) linux syscall.
|
||||
GetSockOpt(t *kernel.Task, level int, name int, outLen int) (interface{}, *syserr.Error)
|
||||
GetSockOpt(t *kernel.Task, level int, name int, outPtr usermem.Addr, outLen int) (interface{}, *syserr.Error)
|
||||
|
||||
// SetSockOpt implements the setsockopt(2) linux syscall.
|
||||
SetSockOpt(t *kernel.Task, level int, name int, opt []byte) *syserr.Error
|
||||
|
|
|
@ -166,7 +166,7 @@ func (s *SocketOperations) Ioctl(ctx context.Context, _ *fs.File, io usermem.IO,
|
|||
|
||||
// GetSockOpt implements the linux syscall getsockopt(2) for sockets backed by
|
||||
// a transport.Endpoint.
|
||||
func (s *SocketOperations) GetSockOpt(t *kernel.Task, level, name, outLen int) (interface{}, *syserr.Error) {
|
||||
func (s *SocketOperations) GetSockOpt(t *kernel.Task, level, name int, outPtr usermem.Addr, outLen int) (interface{}, *syserr.Error) {
|
||||
return epsocket.GetSockOpt(t, s, s.ep, linux.AF_UNIX, s.ep.Type(), level, name, outLen)
|
||||
}
|
||||
|
||||
|
|
|
@ -460,7 +460,7 @@ func GetSockOpt(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Sy
|
|||
}
|
||||
|
||||
// Call syscall implementation then copy both value and value len out.
|
||||
v, e := getSockOpt(t, s, int(level), int(name), int(optLen))
|
||||
v, e := getSockOpt(t, s, int(level), int(name), optValAddr, int(optLen))
|
||||
if e != nil {
|
||||
return 0, nil, e.ToError()
|
||||
}
|
||||
|
@ -483,7 +483,7 @@ func GetSockOpt(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Sy
|
|||
|
||||
// getSockOpt tries to handle common socket options, or dispatches to a specific
|
||||
// socket implementation.
|
||||
func getSockOpt(t *kernel.Task, s socket.Socket, level, name, len int) (interface{}, *syserr.Error) {
|
||||
func getSockOpt(t *kernel.Task, s socket.Socket, level, name int, optValAddr usermem.Addr, len int) (interface{}, *syserr.Error) {
|
||||
if level == linux.SOL_SOCKET {
|
||||
switch name {
|
||||
case linux.SO_TYPE, linux.SO_DOMAIN, linux.SO_PROTOCOL:
|
||||
|
@ -505,7 +505,7 @@ func getSockOpt(t *kernel.Task, s socket.Socket, level, name, len int) (interfac
|
|||
}
|
||||
}
|
||||
|
||||
return s.GetSockOpt(t, level, name, len)
|
||||
return s.GetSockOpt(t, level, name, optValAddr, len)
|
||||
}
|
||||
|
||||
// SetSockOpt implements the linux syscall setsockopt(2).
|
||||
|
|
|
@ -12,6 +12,7 @@ go_library(
|
|||
visibility = ["//visibility:public"],
|
||||
deps = [
|
||||
"//pkg/tcpip/buffer",
|
||||
"//pkg/tcpip/iptables",
|
||||
"//pkg/waiter",
|
||||
],
|
||||
)
|
||||
|
|
|
@ -11,8 +11,5 @@ go_library(
|
|||
],
|
||||
importpath = "gvisor.dev/gvisor/pkg/tcpip/iptables",
|
||||
visibility = ["//visibility:public"],
|
||||
deps = [
|
||||
"//pkg/tcpip",
|
||||
"//pkg/tcpip/buffer",
|
||||
],
|
||||
deps = ["//pkg/tcpip/buffer"],
|
||||
)
|
||||
|
|
|
@ -32,8 +32,8 @@ const (
|
|||
|
||||
// DefaultTables returns a default set of tables. Each chain is set to accept
|
||||
// all packets.
|
||||
func DefaultTables() *IPTables {
|
||||
return &IPTables{
|
||||
func DefaultTables() IPTables {
|
||||
return IPTables{
|
||||
Tables: map[string]Table{
|
||||
tablenameNat: Table{
|
||||
BuiltinChains: map[Hook]Chain{
|
||||
|
|
|
@ -15,7 +15,6 @@
|
|||
package iptables
|
||||
|
||||
import (
|
||||
"gvisor.dev/gvisor/pkg/tcpip"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/buffer"
|
||||
)
|
||||
|
||||
|
@ -128,15 +127,29 @@ type Table struct {
|
|||
// UserChains, and its purpose is to make looking up tables by name
|
||||
// fast.
|
||||
Chains map[string]*Chain
|
||||
|
||||
// Metadata holds information about the Table that is useful to users
|
||||
// of IPTables, but not to the netstack IPTables code itself.
|
||||
metadata interface{}
|
||||
}
|
||||
|
||||
// ValidHooks returns a bitmap of the builtin hooks for the given table.
|
||||
func (table *Table) ValidHooks() (uint32, *tcpip.Error) {
|
||||
func (table *Table) ValidHooks() uint32 {
|
||||
hooks := uint32(0)
|
||||
for hook, _ := range table.BuiltinChains {
|
||||
hooks |= 1 << hook
|
||||
}
|
||||
return hooks, nil
|
||||
return hooks
|
||||
}
|
||||
|
||||
// Metadata returns the metadata object stored in table.
|
||||
func (table *Table) Metadata() interface{} {
|
||||
return table.metadata
|
||||
}
|
||||
|
||||
// SetMetadata sets the metadata object stored in table.
|
||||
func (table *Table) SetMetadata(metadata interface{}) {
|
||||
table.metadata = metadata
|
||||
}
|
||||
|
||||
// A Chain defines a list of rules for packet processing. When a packet
|
||||
|
|
|
@ -24,6 +24,7 @@ go_library(
|
|||
"//pkg/tcpip/buffer",
|
||||
"//pkg/tcpip/hash/jenkins",
|
||||
"//pkg/tcpip/header",
|
||||
"//pkg/tcpip/iptables",
|
||||
"//pkg/tcpip/ports",
|
||||
"//pkg/tcpip/seqnum",
|
||||
"//pkg/waiter",
|
||||
|
@ -42,6 +43,7 @@ go_test(
|
|||
"//pkg/tcpip",
|
||||
"//pkg/tcpip/buffer",
|
||||
"//pkg/tcpip/header",
|
||||
"//pkg/tcpip/iptables",
|
||||
"//pkg/tcpip/link/channel",
|
||||
"//pkg/tcpip/link/loopback",
|
||||
"//pkg/waiter",
|
||||
|
|
|
@ -32,6 +32,7 @@ import (
|
|||
"gvisor.dev/gvisor/pkg/tcpip"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/buffer"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/header"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/iptables"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/ports"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/seqnum"
|
||||
"gvisor.dev/gvisor/pkg/waiter"
|
||||
|
@ -372,6 +373,9 @@ type Stack struct {
|
|||
|
||||
// handleLocal allows non-loopback interfaces to loop packets.
|
||||
handleLocal bool
|
||||
|
||||
// tables are the iptables packet filtering and manipulation rules.
|
||||
tables iptables.IPTables
|
||||
}
|
||||
|
||||
// Options contains optional Stack configuration.
|
||||
|
@ -1166,3 +1170,13 @@ func (s *Stack) LeaveGroup(protocol tcpip.NetworkProtocolNumber, nicID tcpip.NIC
|
|||
}
|
||||
return tcpip.ErrUnknownNICID
|
||||
}
|
||||
|
||||
// IPTables returns the stack's iptables.
|
||||
func (s *Stack) IPTables() iptables.IPTables {
|
||||
return s.tables
|
||||
}
|
||||
|
||||
// SetIPTables sets the stack's iptables.
|
||||
func (s *Stack) SetIPTables(ipt iptables.IPTables) {
|
||||
s.tables = ipt
|
||||
}
|
||||
|
|
|
@ -19,6 +19,7 @@ import (
|
|||
|
||||
"gvisor.dev/gvisor/pkg/tcpip"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/buffer"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/iptables"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/link/channel"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/link/loopback"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/stack"
|
||||
|
@ -200,6 +201,10 @@ func (f *fakeTransportEndpoint) State() uint32 {
|
|||
func (f *fakeTransportEndpoint) ModerateRecvBuf(copied int) {
|
||||
}
|
||||
|
||||
func (f *fakeTransportEndpoint) IPTables() (iptables.IPTables, error) {
|
||||
return iptables.IPTables{}, nil
|
||||
}
|
||||
|
||||
type fakeTransportGoodOption bool
|
||||
|
||||
type fakeTransportBadOption bool
|
||||
|
|
|
@ -39,6 +39,7 @@ import (
|
|||
"time"
|
||||
|
||||
"gvisor.dev/gvisor/pkg/tcpip/buffer"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/iptables"
|
||||
"gvisor.dev/gvisor/pkg/waiter"
|
||||
)
|
||||
|
||||
|
@ -403,6 +404,9 @@ type Endpoint interface {
|
|||
//
|
||||
// NOTE: This method is a no-op for sockets other than TCP.
|
||||
ModerateRecvBuf(copied int)
|
||||
|
||||
// IPTables returns the iptables for this endpoint's stack.
|
||||
IPTables() (iptables.IPTables, error)
|
||||
}
|
||||
|
||||
// WriteOptions contains options for Endpoint.Write.
|
||||
|
|
|
@ -31,6 +31,7 @@ go_library(
|
|||
"//pkg/tcpip",
|
||||
"//pkg/tcpip/buffer",
|
||||
"//pkg/tcpip/header",
|
||||
"//pkg/tcpip/iptables",
|
||||
"//pkg/tcpip/stack",
|
||||
"//pkg/tcpip/transport/raw",
|
||||
"//pkg/tcpip/transport/tcp",
|
||||
|
|
|
@ -21,6 +21,7 @@ import (
|
|||
"gvisor.dev/gvisor/pkg/tcpip"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/buffer"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/header"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/iptables"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/stack"
|
||||
"gvisor.dev/gvisor/pkg/waiter"
|
||||
)
|
||||
|
@ -130,6 +131,11 @@ func (e *endpoint) Close() {
|
|||
// ModerateRecvBuf implements tcpip.Endpoint.ModerateRecvBuf.
|
||||
func (e *endpoint) ModerateRecvBuf(copied int) {}
|
||||
|
||||
// IPTables implements tcpip.Endpoint.IPTables.
|
||||
func (e *endpoint) IPTables() (iptables.IPTables, error) {
|
||||
return e.stack.IPTables(), nil
|
||||
}
|
||||
|
||||
// Read reads data from the endpoint. This method does not block if
|
||||
// there is no data pending.
|
||||
func (e *endpoint) Read(addr *tcpip.FullAddress) (buffer.View, tcpip.ControlMessages, *tcpip.Error) {
|
||||
|
|
|
@ -32,6 +32,7 @@ go_library(
|
|||
"//pkg/tcpip",
|
||||
"//pkg/tcpip/buffer",
|
||||
"//pkg/tcpip/header",
|
||||
"//pkg/tcpip/iptables",
|
||||
"//pkg/tcpip/stack",
|
||||
"//pkg/waiter",
|
||||
],
|
||||
|
|
|
@ -32,6 +32,7 @@ import (
|
|||
"gvisor.dev/gvisor/pkg/tcpip"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/buffer"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/header"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/iptables"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/stack"
|
||||
"gvisor.dev/gvisor/pkg/waiter"
|
||||
)
|
||||
|
@ -168,6 +169,11 @@ func (ep *endpoint) Close() {
|
|||
// ModerateRecvBuf implements tcpip.Endpoint.ModerateRecvBuf.
|
||||
func (ep *endpoint) ModerateRecvBuf(copied int) {}
|
||||
|
||||
// IPTables implements tcpip.Endpoint.IPTables.
|
||||
func (ep *endpoint) IPTables() (iptables.IPTables, error) {
|
||||
return ep.stack.IPTables(), nil
|
||||
}
|
||||
|
||||
// Read implements tcpip.Endpoint.Read.
|
||||
func (ep *endpoint) Read(addr *tcpip.FullAddress) (buffer.View, tcpip.ControlMessages, *tcpip.Error) {
|
||||
if !ep.associated {
|
||||
|
@ -484,7 +490,7 @@ func (ep *endpoint) Readiness(mask waiter.EventMask) waiter.EventMask {
|
|||
|
||||
// SetSockOpt implements tcpip.Endpoint.SetSockOpt.
|
||||
func (ep *endpoint) SetSockOpt(opt interface{}) *tcpip.Error {
|
||||
return nil
|
||||
return tcpip.ErrUnknownProtocolOption
|
||||
}
|
||||
|
||||
// GetSockOptInt implements tcpip.Endpoint.GetSockOptInt.
|
||||
|
|
|
@ -48,6 +48,7 @@ go_library(
|
|||
"//pkg/tcpip",
|
||||
"//pkg/tcpip/buffer",
|
||||
"//pkg/tcpip/header",
|
||||
"//pkg/tcpip/iptables",
|
||||
"//pkg/tcpip/seqnum",
|
||||
"//pkg/tcpip/stack",
|
||||
"//pkg/tcpip/transport/raw",
|
||||
|
|
|
@ -27,6 +27,7 @@ import (
|
|||
"gvisor.dev/gvisor/pkg/tcpip"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/buffer"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/header"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/iptables"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/seqnum"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/stack"
|
||||
"gvisor.dev/gvisor/pkg/tmutex"
|
||||
|
@ -683,6 +684,11 @@ func (e *endpoint) ModerateRecvBuf(copied int) {
|
|||
e.rcvListMu.Unlock()
|
||||
}
|
||||
|
||||
// IPTables implements tcpip.Endpoint.IPTables.
|
||||
func (e *endpoint) IPTables() (iptables.IPTables, error) {
|
||||
return e.stack.IPTables(), nil
|
||||
}
|
||||
|
||||
// Read reads data from the endpoint.
|
||||
func (e *endpoint) Read(*tcpip.FullAddress) (buffer.View, tcpip.ControlMessages, *tcpip.Error) {
|
||||
e.mu.RLock()
|
||||
|
|
|
@ -32,6 +32,7 @@ go_library(
|
|||
"//pkg/tcpip",
|
||||
"//pkg/tcpip/buffer",
|
||||
"//pkg/tcpip/header",
|
||||
"//pkg/tcpip/iptables",
|
||||
"//pkg/tcpip/stack",
|
||||
"//pkg/tcpip/transport/raw",
|
||||
"//pkg/waiter",
|
||||
|
|
|
@ -21,6 +21,7 @@ import (
|
|||
"gvisor.dev/gvisor/pkg/tcpip"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/buffer"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/header"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/iptables"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/stack"
|
||||
"gvisor.dev/gvisor/pkg/waiter"
|
||||
)
|
||||
|
@ -172,6 +173,11 @@ func (e *endpoint) Close() {
|
|||
// ModerateRecvBuf implements tcpip.Endpoint.ModerateRecvBuf.
|
||||
func (e *endpoint) ModerateRecvBuf(copied int) {}
|
||||
|
||||
// IPTables implements tcpip.Endpoint.IPTables.
|
||||
func (e *endpoint) IPTables() (iptables.IPTables, error) {
|
||||
return e.stack.IPTables(), nil
|
||||
}
|
||||
|
||||
// Read reads data from the endpoint. This method does not block if
|
||||
// there is no data pending.
|
||||
func (e *endpoint) Read(addr *tcpip.FullAddress) (buffer.View, tcpip.ControlMessages, *tcpip.Error) {
|
||||
|
|
|
@ -933,6 +933,8 @@ func newEmptyNetworkStack(conf *Config, clock tcpip.Clock) (inet.Stack, error) {
|
|||
return nil, fmt.Errorf("SetTransportProtocolOption failed: %v", err)
|
||||
}
|
||||
|
||||
s.FillDefaultIPTables()
|
||||
|
||||
return &s, nil
|
||||
|
||||
default:
|
||||
|
|
Loading…
Reference in New Issue