author | gVisor bot <gvisor-bot@google.com> | 2020-01-23 14:48:39 -0800 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2020-01-23 14:48:39 -0800 |
commit | 3d10edc9423789342047f8fcf3b6054bb71ea392 (patch) | |
tree | 20cdcf677ae33aa7bd5447734d586103bb6aad57 /pkg/tcpip/iptables/iptables.go | |
parent | 14d2ed1ad7785a54b35ef7ee949d3cf89a87e66d (diff) | |
parent | 747137c120bca27aeb259817d30ef60e01521621 (diff) |
Merge pull request #1617 from kevinGC:iptables-write-filter-proto
PiperOrigin-RevId: 291249314
Diffstat (limited to 'pkg/tcpip/iptables/iptables.go')
-rw-r--r-- | pkg/tcpip/iptables/iptables.go | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/pkg/tcpip/iptables/iptables.go b/pkg/tcpip/iptables/iptables.go
index 605a71679..fc06b5b87 100644
--- a/pkg/tcpip/iptables/iptables.go
+++ b/pkg/tcpip/iptables/iptables.go
@@ -20,6 +20,7 @@ import (
 	"fmt"
 
 	"gvisor.dev/gvisor/pkg/tcpip"
+	"gvisor.dev/gvisor/pkg/tcpip/header"
 )
 
 // Table names.
@@ -184,8 +185,16 @@ func (it *IPTables) checkTable(hook Hook, pkt tcpip.PacketBuffer, tablename stri
 	panic(fmt.Sprintf("Traversed past the entire list of iptables rules in table %q.", tablename))
 }
 
+// Precondition: pk.NetworkHeader is set.
 func (it *IPTables) checkRule(hook Hook, pkt tcpip.PacketBuffer, table Table, ruleIdx int) Verdict {
 	rule := table.Rules[ruleIdx]
+
+	// First check whether the packet matches the IP header filter.
+	// TODO(gvisor.dev/issue/170): Support other fields of the filter.
+	if rule.Filter.Protocol != 0 && rule.Filter.Protocol != header.IPv4(pkt.NetworkHeader).TransportProtocol() {
+		return Continue
+	}
+
 	// Go through each rule matcher. If they all match, run
 	// the rule target.
 	for _, matcher := range rule.Matchers {
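Review bot: The new filter check in checkRule casts pkt.NetworkHeader to header.IPv4 and reads the protocol byte without confirming the buffer is an IPv4 header of at least the minimum length, so a rule with a non-zero Filter.Protocol applied to a short or non-IPv4 network header would index out of range and panic the netstack, which in a packet-filtering path is a denial-of-service concern if callers do not already guarantee the header length (that guarantee is not visible in this hunk). The precondition comment added above the function also names the parameter `pk` while the signature calls it `pkt`, and "is set" understates what the code needs; suggest `// Precondition: pkt.NetworkHeader is set and holds at least header.IPv4MinimumSize bytes of an IPv4 header.` and a matching guard before the cast, `if len(pkt.NetworkHeader) < header.IPv4MinimumSize { return Continue }` (or whatever verdict the caller wants for malformed packets). The body of checkRule continues past the end of the hunk.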