author | Kevin Krakauer <krakauer@google.com> | 2020-01-10 18:07:15 -0800 |
---|---|---|
committer | Kevin Krakauer <krakauer@google.com> | 2020-01-10 18:07:15 -0800 |
commit | d793677cd424fef10ac0b080871d181db0bcdec0 (patch) | |
tree | 697f86dac1fc3ac7015582a9588684a74bb95d1d /pkg/tcpip/iptables/iptables.go | |
parent | ff719159befaee7d2abcfeb88905a7486cd34845 (diff) |
I think INPUT works with protocol
Diffstat (limited to 'pkg/tcpip/iptables/iptables.go')
-rw-r--r-- | pkg/tcpip/iptables/iptables.go | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/pkg/tcpip/iptables/iptables.go b/pkg/tcpip/iptables/iptables.go
index 4e1700fdb..3cff879a2 100644
--- a/pkg/tcpip/iptables/iptables.go
+++ b/pkg/tcpip/iptables/iptables.go
@@ -21,6 +21,7 @@ import (
 "gvisor.dev/gvisor/pkg/log"
 "gvisor.dev/gvisor/pkg/tcpip"
+ "gvisor.dev/gvisor/pkg/tcpip/header"
 )
 const (
@@ -183,12 +184,13 @@ func (it *IPTables) checkTable(hook Hook, pkt tcpip.PacketBuffer, tablename stri
 panic(fmt.Sprintf("Traversed past the entire list of iptables rules in table %q.", tablename))
 }
+// Precondition: pk.NetworkHeader is set.
 func (it *IPTables) checkRule(hook Hook, pkt tcpip.PacketBuffer, table Table, ruleIdx int) Verdict {
 rule := table.Rules[ruleIdx]
 // First check whether the packet matches the IP header filter.
 // TODO(gvisor.dev/issue/170): Support other fields of the filter.
- if rule.Filter.Protocol != pkt.Protocol {
+ if rule.Filter.Protocol != header.IPv4(pkt.NetworkHeader).TransportProtocol() {
 return Continue
 } |
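Review bot: The new comparison in checkRule casts `pkt.NetworkHeader` to `header.IPv4` unconditionally, and the added comment only states the precondition instead of enforcing it: `TransportProtocol()` reads a fixed byte offset of that slice, so an empty or truncated network header on a received packet would most likely panic the netstack (a remotely triggerable crash on the INPUT path), and an IPv6 header would be read as if it were IPv4, producing a meaningless protocol byte and therefore a wrong match or no match for the rule. Suggest guarding before the cast, e.g. `if len(pkt.NetworkHeader) < header.IPv4MinimumSize { ... }` returning whichever Verdict this file uses for malformed packets (only `Continue` is visible here, and the constant name is assumed from the header package), and either checking the IP version field or scoping this check to the IPv4 path until IPv6 filtering is designed. The comment also has a typo, `pk.NetworkHeader` for `pkt.NetworkHeader`, and should state the IPv4 assumption: `// Precondition: pkt.NetworkHeader is set and holds a complete IPv4 header.` checkRule's body continues past the end of the hunk.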