iptables: remove check for NetworkHeader
This is no longer necessary, as we always set NetworkHeader before calling iptables.Check. PiperOrigin-RevId: 321461978
This commit is contained in:
parent
bdbab2702a
commit
e92f38ff0c
@ -292,10 +292,9 @@ func (it *IPTables) startReaper(interval time.Duration) {
// CheckPackets runs pkts through the rules for hook and returns a map of packets that
// CheckPackets runs pkts through the rules for hook and returns a map of packets that
// should not go forward.
// should not go forward.
//
//
// Precondition: pkt is a IPv4 packet of at least length header.IPv4MinimumSize.
// Preconditions:
//
// - pkt is a IPv4 packet of at least length header.IPv4MinimumSize.
// TODO(gvisor.dev/issue/170): pk.NetworkHeader will always be set as a
// - pkt.NetworkHeader is not nil.
// precondition.
//
//
// NOTE: unlike the Check API the returned map contains packets that should be
// NOTE: unlike the Check API the returned map contains packets that should be
// dropped.
// dropped.
@ -319,9 +318,9 @@ func (it *IPTables) CheckPackets(hook Hook, pkts PacketBufferList, gso *GSO, r *
return drop, natPkts
return drop, natPkts
}
}
// Precondition: pkt is a IPv4 packet of at least length header.IPv4MinimumSize.
// Preconditions:
// TODO(gvisor.dev/issue/170): pkt.NetworkHeader will always be set as a
// - pkt is a IPv4 packet of at least length header.IPv4MinimumSize.
// precondition.
// - pkt.NetworkHeader is not nil.
func (it *IPTables) checkChain(hook Hook, pkt *PacketBuffer, table Table, ruleIdx int, gso *GSO, r *Route, address tcpip.Address, nicName string) chainVerdict {
func (it *IPTables) checkChain(hook Hook, pkt *PacketBuffer, table Table, ruleIdx int, gso *GSO, r *Route, address tcpip.Address, nicName string) chainVerdict {
// Start from ruleIdx and walk the list of rules until a rule gives us
// Start from ruleIdx and walk the list of rules until a rule gives us
// a verdict.
// a verdict.
@ -366,23 +365,12 @@ func (it *IPTables) checkChain(hook Hook, pkt *PacketBuffer, table Table, ruleId
return chainDrop
return chainDrop
}
}
// Precondition: pkt is a IPv4 packet of at least length header.IPv4MinimumSize.
// Preconditions:
// TODO(gvisor.dev/issue/170): pkt.NetworkHeader will always be set as a
// - pkt is a IPv4 packet of at least length header.IPv4MinimumSize.
// precondition.
// - pkt.NetworkHeader is not nil.
func (it *IPTables) checkRule(hook Hook, pkt *PacketBuffer, table Table, ruleIdx int, gso *GSO, r *Route, address tcpip.Address, nicName string) (RuleVerdict, int) {
func (it *IPTables) checkRule(hook Hook, pkt *PacketBuffer, table Table, ruleIdx int, gso *GSO, r *Route, address tcpip.Address, nicName string) (RuleVerdict, int) {
rule := table.Rules[ruleIdx]
rule := table.Rules[ruleIdx]
// If pkt.NetworkHeader hasn't been set yet, it will be contained in
// pkt.Data.
if pkt.NetworkHeader == nil {
var ok bool
pkt.NetworkHeader, ok = pkt.Data.PullUp(header.IPv4MinimumSize)
if !ok {
// Precondition has been violated.
panic(fmt.Sprintf("iptables checks require IPv4 headers of at least %d bytes", header.IPv4MinimumSize))
}
}
// Check whether the packet matches the IP header filter.
// Check whether the packet matches the IP header filter.
if !rule.Filter.match(header.IPv4(pkt.NetworkHeader), hook, nicName) {
if !rule.Filter.match(header.IPv4(pkt.NetworkHeader), hook, nicName) {
// Continue on to the next rule.
// Continue on to the next rule.
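Review bot: Removing the PullUp block in checkRule (the `-366,23 +365,12` hunk) also removes the only runtime enforcement of the "at least header.IPv4MinimumSize" precondition, so a nil or short pkt.NetworkHeader now reaches `rule.Filter.match(header.IPv4(pkt.NetworkHeader), hook, nicName)` and, if the filter indexes into the header, fails there with a bare index-out-of-range instead of the descriptive panic the removed code raised. Since the new doc comment promises both properties, a one-line guard keeps the failure mode explicit and cheap: `if len(pkt.NetworkHeader) < header.IPv4MinimumSize { panic(fmt.Sprintf("iptables checks require IPv4 headers of at least %d bytes", header.IPv4MinimumSize)) }` (a nil slice has length 0, so this covers both bullets). That every caller actually sets the header first is taken from the commit message and is not visible in this diff. The same comment template was also applied to CheckPackets, whose parameter is `pkts` rather than `pkt`; that bullet would read better as `// - each packet in pkts is an IPv4 packet of at least length header.IPv4MinimumSize.`. checkRule's body continues past the end of the hunk.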