I think INPUT works with protocol

2020-01-10 18:07:15 -08:00 · 2020-01-10 18:07:15 -08:00 · d793677cd4
parent ff719159be
commit d793677cd4
6 changed files with 33 additions and 5 deletions
--- a/pkg/sentry/socket/netfilter/netfilter.go
+++ b/pkg/sentry/socket/netfilter/netfilter.go
@ -25,6 +25,7 @@ import (
 	"gvisor.dev/gvisor/pkg/sentry/kernel"
 	"gvisor.dev/gvisor/pkg/sentry/usermem"
 	"gvisor.dev/gvisor/pkg/syserr"
+	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/iptables"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
 )
@ -455,7 +456,7 @@ func filterFromIPTIP(iptip linux.IPTIP) (iptables.IPHeaderFilter, *syserr.Error)
 		return iptables.IPHeaderFilter{}, syserr.ErrInvalidArgument
 	}
 	return iptables.IPHeaderFilter{
-		Protocol: iptip.Protocol,
+		Protocol: tcpip.TransportProtocolNumber(iptip.Protocol),
 	}, nil
 }

--- a/pkg/tcpip/iptables/BUILD
+++ b/pkg/tcpip/iptables/BUILD
@ -14,5 +14,6 @@ go_library(
    deps = [
        "//pkg/log",
        "//pkg/tcpip",
+        "//pkg/tcpip/header",
    ],
 )
--- a/pkg/tcpip/iptables/iptables.go
+++ b/pkg/tcpip/iptables/iptables.go
@ -21,6 +21,7 @@ import (

 	"gvisor.dev/gvisor/pkg/log"
 	"gvisor.dev/gvisor/pkg/tcpip"
+	"gvisor.dev/gvisor/pkg/tcpip/header"
 )

 const (
@ -183,12 +184,13 @@ func (it *IPTables) checkTable(hook Hook, pkt tcpip.PacketBuffer, tablename stri
 	panic(fmt.Sprintf("Traversed past the entire list of iptables rules in table %q.", tablename))
 }

+// Precondition: pk.NetworkHeader is set.
 func (it *IPTables) checkRule(hook Hook, pkt tcpip.PacketBuffer, table Table, ruleIdx int) Verdict {
 	rule := table.Rules[ruleIdx]

 	// First check whether the packet matches the IP header filter.
 	// TODO(gvisor.dev/issue/170): Support other fields of the filter.
-	if rule.Filter.Protocol != pkt.Protocol {
+	if rule.Filter.Protocol != header.IPv4(pkt.NetworkHeader).TransportProtocol() {
 		return Continue
 	}

--- a/pkg/tcpip/iptables/types.go
+++ b/pkg/tcpip/iptables/types.go
@ -173,7 +173,7 @@ type IPHeaderFilter struct {
 	InputInterface      string
 	OutputInterfaceMask string
 	InputInterfaceMask  string
-	Protocol            uint16
+	Protocol            tcpip.TransportProtocolNumber
 	Flags               uint8
 	InverseFlags        uint8
 }
--- a/pkg/tcpip/network/ipv4/ipv4.go
+++ b/pkg/tcpip/network/ipv4/ipv4.go
@ -353,7 +353,8 @@ func (e *endpoint) HandlePacket(r *stack.Route, pkt tcpip.PacketBuffer) {
 	}
 	pkt.NetworkHeader = headerView[:h.HeaderLength()]

-	// iptables filtering.
+	// iptables filtering. All packets that reach here are intended for
+	// this machine and will not be forwarded.
 	ipt := e.stack.IPTables()
 	if ok := ipt.Check(iptables.Input, pkt); !ok {
 		// iptables is telling us to drop the packet.
--- a/pkg/tcpip/packet_buffer.go
+++ b/pkg/tcpip/packet_buffer.go
@ -13,7 +13,9 @@

 package tcpip

-import "gvisor.dev/gvisor/pkg/tcpip/buffer"
+import (
+	"gvisor.dev/gvisor/pkg/tcpip/buffer"
+)

 // A PacketBuffer contains all the data of a network packet.
 //
@ -65,3 +67,24 @@ func (pk PacketBuffer) Clone() PacketBuffer {
 	pk.Data = pk.Data.Clone(nil)
 	return pk
 }
+
+//// TransportProtocol returns the transport protocol of pk.
+////
+//// Precondition: pk.NetworkHeader is set.
+//func (pk PacketBuffer) TransportProtocolIPv4() uint16 {
+//	if pk.NetworkHeader == nil {
+//		panic("This should only be called when pk.NetworkHeader is set.")
+//	}
+//	return header.IPv4(pk.NetworkHeader).TransportProtocol()
+//}
+
+// func (pk Packet) findNetHeader() header.IPv4 {
+// 	// Inbound:
+// 	// Data holds everything, but may have had some headers shaved off.
+// 	// Figure out whether it's set or still somewhere in data and return
+// 	// appropriately.
+
+// 	// Outbound:
+// 	// NetworkHeader will be set if we've added one. Otherwise there's no
+// 	// header.
+// }