I think INPUT works with protocol
This commit is contained in:
parent
ff719159be
commit
d793677cd4
|
@ -25,6 +25,7 @@ import (
|
|||
"gvisor.dev/gvisor/pkg/sentry/kernel"
|
||||
"gvisor.dev/gvisor/pkg/sentry/usermem"
|
||||
"gvisor.dev/gvisor/pkg/syserr"
|
||||
"gvisor.dev/gvisor/pkg/tcpip"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/iptables"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/stack"
|
||||
)
|
||||
|
@ -455,7 +456,7 @@ func filterFromIPTIP(iptip linux.IPTIP) (iptables.IPHeaderFilter, *syserr.Error)
|
|||
return iptables.IPHeaderFilter{}, syserr.ErrInvalidArgument
|
||||
}
|
||||
return iptables.IPHeaderFilter{
|
||||
Protocol: iptip.Protocol,
|
||||
Protocol: tcpip.TransportProtocolNumber(iptip.Protocol),
|
||||
}, nil
|
||||
}
|
||||
|
||||
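Review bot: The new return in filterFromIPTIP populates only Protocol and silently drops every other field of iptip, so if linux.IPTIP carries an inverse-flags word the way IPHeaderFilter does, a rule written as `! -p tcp` would be installed as a plain `-p tcp` match — the opposite of what the caller asked for. Until the remaining fields are honoured it is safer to fail closed: return `syserr.ErrInvalidArgument` when any field other than Protocol is non-zero, rather than accept the rule with altered semantics. The guard just above the return does reject something, but its condition begins outside the hunk, so I cannot tell whether it already covers this. The uint16 to TransportProtocolNumber conversion itself is a widening and is fine.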
|
|
|
@ -14,5 +14,6 @@ go_library(
|
|||
deps = [
|
||||
"//pkg/log",
|
||||
"//pkg/tcpip",
|
||||
"//pkg/tcpip/header",
|
||||
],
|
||||
)
|
||||
|
|
|
@ -21,6 +21,7 @@ import (
|
|||
|
||||
"gvisor.dev/gvisor/pkg/log"
|
||||
"gvisor.dev/gvisor/pkg/tcpip"
|
||||
"gvisor.dev/gvisor/pkg/tcpip/header"
|
||||
)
|
||||
|
||||
const (
|
||||
|
@ -183,12 +184,13 @@ func (it *IPTables) checkTable(hook Hook, pkt tcpip.PacketBuffer, tablename stri
|
|||
panic(fmt.Sprintf("Traversed past the entire list of iptables rules in table %q.", tablename))
|
||||
}
|
||||
|
||||
// Precondition: pk.NetworkHeader is set.
|
||||
func (it *IPTables) checkRule(hook Hook, pkt tcpip.PacketBuffer, table Table, ruleIdx int) Verdict {
|
||||
rule := table.Rules[ruleIdx]
|
||||
|
||||
// First check whether the packet matches the IP header filter.
|
||||
// TODO(gvisor.dev/issue/170): Support other fields of the filter.
|
||||
if rule.Filter.Protocol != pkt.Protocol {
|
||||
if rule.Filter.Protocol != header.IPv4(pkt.NetworkHeader).TransportProtocol() {
|
||||
return Continue
|
||||
}
|
||||
|
||||
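Review bot: The rewritten protocol check in checkRule can never match a rule that has no protocol filter: a rule without `-p` leaves Filter.Protocol at its zero value, the comparison against the packet's transport protocol then always fails, and the rule is skipped — so a catch-all such as `iptables -A INPUT -j DROP` would silently do nothing. Linux treats protocol 0 as "any"; the guard should read `if rule.Filter.Protocol != 0 && rule.Filter.Protocol != header.IPv4(pkt.NetworkHeader).TransportProtocol() {`. The precondition comment also names `pk` while the parameter is `pkt`, and `header.IPv4(nil)` would index a nil slice and panic rather than fail cleanly, so the caller-side guarantee that NetworkHeader is set is load-bearing and worth stating as `// Precondition: pkt.NetworkHeader is set (the caller panics otherwise).` only if that is in fact enforced. checkRule's body continues past the hunk.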
|
|
|
@ -173,7 +173,7 @@ type IPHeaderFilter struct {
|
|||
InputInterface string
|
||||
OutputInterfaceMask string
|
||||
InputInterfaceMask string
|
||||
Protocol uint16
|
||||
Protocol tcpip.TransportProtocolNumber
|
||||
Flags uint8
|
||||
InverseFlags uint8
|
||||
}
|
||||
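Review bot: The retyped `Protocol` field still carries no doc comment, and its zero value is the case a reader most needs spelled out, since a rule parsed without `-p` presumably leaves it at 0. Suggest `// Protocol is the transport protocol to match. Zero (IPPROTO_IP) is what a rule with no -p carries; whether that means "any protocol" must be decided here and honoured by the matcher.` so callers and the matcher agree rather than each inferring it. The rest of the struct begins outside the hunk.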
|
|
|
@ -353,7 +353,8 @@ func (e *endpoint) HandlePacket(r *stack.Route, pkt tcpip.PacketBuffer) {
|
|||
}
|
||||
pkt.NetworkHeader = headerView[:h.HeaderLength()]
|
||||
|
||||
// iptables filtering.
|
||||
// iptables filtering. All packets that reach here are intended for
|
||||
// this machine and will not be forwarded.
|
||||
ipt := e.stack.IPTables()
|
||||
if ok := ipt.Check(iptables.Input, pkt); !ok {
|
||||
// iptables is telling us to drop the packet.
|
||||
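Review bot: `pkt.NetworkHeader = headerView[:h.HeaderLength()]` slices by a length taken from the packet's own IHL field; unless the part of HandlePacket before this hunk has already validated the header against the bytes actually present (a check such as `h.IsValid(...)`), a crafted header with an oversized IHL would panic the netstack here before iptables ever runs. The new comment's claim that nothing reaching this point is forwarded is likewise a property of code outside the hunk; if forwarding is later enabled on this endpoint, INPUT would be the wrong hook for those packets, so I would word it as `// iptables filtering. This endpoint currently delivers locally only, so INPUT is the right hook; revisit if forwarding is added.`. HandlePacket begins and ends outside the hunk.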
|
|
|
@ -13,7 +13,9 @@
|
|||
|
||||
package tcpip
|
||||
|
||||
import "gvisor.dev/gvisor/pkg/tcpip/buffer"
|
||||
import (
|
||||
"gvisor.dev/gvisor/pkg/tcpip/buffer"
|
||||
)
|
||||
|
||||
// A PacketBuffer contains all the data of a network packet.
|
||||
//
|
||||
|
@ -65,3 +67,24 @@ func (pk PacketBuffer) Clone() PacketBuffer {
|
|||
pk.Data = pk.Data.Clone(nil)
|
||||
return pk
|
||||
}
|
||||
|
||||
//// TransportProtocol returns the transport protocol of pk.
|
||||
////
|
||||
//// Precondition: pk.NetworkHeader is set.
|
||||
//func (pk PacketBuffer) TransportProtocolIPv4() uint16 {
|
||||
// if pk.NetworkHeader == nil {
|
||||
// panic("This should only be called when pk.NetworkHeader is set.")
|
||||
// }
|
||||
// return header.IPv4(pk.NetworkHeader).TransportProtocol()
|
||||
//}
|
||||
|
||||
// func (pk Packet) findNetHeader() header.IPv4 {
|
||||
// // Inbound:
|
||||
// // Data holds everything, but may have had some headers shaved off.
|
||||
// // Figure out whether it's set or still somewhere in data and return
|
||||
// // appropriately.
|
||||
|
||||
// // Outbound:
|
||||
// // NetworkHeader will be set if we've added one. Otherwise there's no
|
||||
// // header.
|
||||
// }
|
||||
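Review bot: The block added after Clone is entirely commented-out code — a TransportProtocolIPv4 helper and a findNetHeader sketch — and should not land in the package: the helper is already superseded by the inline `header.IPv4(pkt.NetworkHeader).TransportProtocol()` call that iptables now makes, and a non-compiling sketch rots silently and misleads the next reader. Keep the open design question as a single line against the tracking issue, e.g. `// TODO(gvisor.dev/issue/170): decide how inbound and outbound packets expose their network header to iptables.`, and drop the rest. Converting the lone `import "…"` into a parenthesized block with one entry is also churn with no effect.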
|
|