Added a test that we don't pass yet

author: Kevin Krakauer <krakauer@google.com> 2020-01-09 13:41:52 -0800
committer: Kevin Krakauer <krakauer@google.com> 2020-01-09 13:41:52 -0800
commit: 89d11b4d96b0c40e373f14ba72d570c9b894f976 (patch)
tree: 4a6c9e0c9463a12b0daf11f1c5bfe11a60e8dbe6 /pkg/tcpip/iptables/iptables.go
parent: aeb3a4017b9bc038ebe5630fe270d5ea8691d141 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/pkg/tcpip/iptables/iptables.go b/pkg/tcpip/iptables/iptables.go
index 91abbbea8..b8d70ec1e 100644
--- a/pkg/tcpip/iptables/iptables.go
+++ b/pkg/tcpip/iptables/iptables.go
@@ -185,6 +185,13 @@ func (it *IPTables) checkTable(hook Hook, pkt tcpip.PacketBuffer, tablename stri
 
 func (it *IPTables) checkRule(hook Hook, pkt tcpip.PacketBuffer, table Table, ruleIdx int) Verdict {
 	rule := table.Rules[ruleIdx]
+
+	// First check whether the packet matches the IP header filter.
+	// TODO(gvisor.dev/issue/170): Support other fields of the filter.
+	// if rule.Filter.Protocol != pkt.Protocol {
+	// 	return Continue
+	// }
+
 	// Go through each rule matcher. If they all match, run
 	// the rule target.
 	for _, matcher := range rule.Matchers {
author	Kevin Krakauer <krakauer@google.com>	2020-01-09 13:41:52 -0800
committer	Kevin Krakauer <krakauer@google.com>	2020-01-09 13:41:52 -0800
commit	89d11b4d96b0c40e373f14ba72d570c9b894f976 (patch)
tree	4a6c9e0c9463a12b0daf11f1c5bfe11a60e8dbe6 /pkg/tcpip/iptables/iptables.go
parent	aeb3a4017b9bc038ebe5630fe270d5ea8691d141 (diff)