iptables: remove check for NetworkHeader

This is no longer necessary, as we always set NetworkHeader before calling
iptables.Check.

PiperOrigin-RevId: 321461978
This commit is contained in:
Kevin Krakauer 2020-07-15 16:33:46 -07:00 committed by gVisor bot
parent bdbab2702a
commit e92f38ff0c
1 changed files with 9 additions and 21 deletions


@ -292,10 +292,9 @@ func (it *IPTables) startReaper(interval time.Duration) {
// CheckPackets runs pkts through the rules for hook and returns a map of packets that // CheckPackets runs pkts through the rules for hook and returns a map of packets that
// should not go forward. // should not go forward.
// //
// Precondition: pkt is a IPv4 packet of at least length header.IPv4MinimumSize. // Preconditions:
// // - pkt is a IPv4 packet of at least length header.IPv4MinimumSize.
// TODO(gvisor.dev/issue/170): pk.NetworkHeader will always be set as a // - pkt.NetworkHeader is not nil.
// precondition.
// //
// NOTE: unlike the Check API the returned map contains packets that should be // NOTE: unlike the Check API the returned map contains packets that should be
// dropped. // dropped.
@ -319,9 +318,9 @@ func (it *IPTables) CheckPackets(hook Hook, pkts PacketBufferList, gso *GSO, r *
return drop, natPkts return drop, natPkts
} }
// Precondition: pkt is a IPv4 packet of at least length header.IPv4MinimumSize. // Preconditions:
// TODO(gvisor.dev/issue/170): pkt.NetworkHeader will always be set as a // - pkt is a IPv4 packet of at least length header.IPv4MinimumSize.
// precondition. // - pkt.NetworkHeader is not nil.
func (it *IPTables) checkChain(hook Hook, pkt *PacketBuffer, table Table, ruleIdx int, gso *GSO, r *Route, address tcpip.Address, nicName string) chainVerdict { func (it *IPTables) checkChain(hook Hook, pkt *PacketBuffer, table Table, ruleIdx int, gso *GSO, r *Route, address tcpip.Address, nicName string) chainVerdict {
// Start from ruleIdx and walk the list of rules until a rule gives us // Start from ruleIdx and walk the list of rules until a rule gives us
// a verdict. // a verdict.
@ -366,23 +365,12 @@ func (it *IPTables) checkChain(hook Hook, pkt *PacketBuffer, table Table, ruleId
return chainDrop return chainDrop
} }
// Precondition: pkt is a IPv4 packet of at least length header.IPv4MinimumSize. // Preconditions:
// TODO(gvisor.dev/issue/170): pkt.NetworkHeader will always be set as a // - pkt is a IPv4 packet of at least length header.IPv4MinimumSize.
// precondition. // - pkt.NetworkHeader is not nil.
func (it *IPTables) checkRule(hook Hook, pkt *PacketBuffer, table Table, ruleIdx int, gso *GSO, r *Route, address tcpip.Address, nicName string) (RuleVerdict, int) { func (it *IPTables) checkRule(hook Hook, pkt *PacketBuffer, table Table, ruleIdx int, gso *GSO, r *Route, address tcpip.Address, nicName string) (RuleVerdict, int) {
rule := table.Rules[ruleIdx] rule := table.Rules[ruleIdx]
// If pkt.NetworkHeader hasn't been set yet, it will be contained in
// pkt.Data.
if pkt.NetworkHeader == nil {
var ok bool
pkt.NetworkHeader, ok = pkt.Data.PullUp(header.IPv4MinimumSize)
if !ok {
// Precondition has been violated.
panic(fmt.Sprintf("iptables checks require IPv4 headers of at least %d bytes", header.IPv4MinimumSize))
}
}
// Check whether the packet matches the IP header filter. // Check whether the packet matches the IP header filter.
if !rule.Filter.match(header.IPv4(pkt.NetworkHeader), hook, nicName) { if !rule.Filter.match(header.IPv4(pkt.NetworkHeader), hook, nicName) {
// Continue on to the next rule. // Continue on to the next rule.