Merge release-20200115.0-93-g3d10edc (automated)

author: gVisor bot <gvisor-bot@google.com> 2020-01-23 23:01:01 +0000
committer: gVisor bot <gvisor-bot@google.com> 2020-01-23 23:01:01 +0000
commit: 6d077471e9ab708625fbba3442b7b71e9d70564b (patch)
tree: 41a4b3012d9879e31d6dae2554bf248814cfff04 /pkg/tcpip/iptables/iptables.go
parent: decbfbc395af1840d6182aea27fc0e6cdcf4ce75 (diff)
parent: 3d10edc9423789342047f8fcf3b6054bb71ea392 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/pkg/tcpip/iptables/iptables.go b/pkg/tcpip/iptables/iptables.go
index 605a71679..fc06b5b87 100644
--- a/pkg/tcpip/iptables/iptables.go
+++ b/pkg/tcpip/iptables/iptables.go
@@ -20,6 +20,7 @@ import (
 	"fmt"
 
 	"gvisor.dev/gvisor/pkg/tcpip"
+	"gvisor.dev/gvisor/pkg/tcpip/header"
 )
 
 // Table names.
@@ -184,8 +185,16 @@ func (it *IPTables) checkTable(hook Hook, pkt tcpip.PacketBuffer, tablename stri
 	panic(fmt.Sprintf("Traversed past the entire list of iptables rules in table %q.", tablename))
 }
 
+// Precondition: pk.NetworkHeader is set.
 func (it *IPTables) checkRule(hook Hook, pkt tcpip.PacketBuffer, table Table, ruleIdx int) Verdict {
 	rule := table.Rules[ruleIdx]
+
+	// First check whether the packet matches the IP header filter.
+	// TODO(gvisor.dev/issue/170): Support other fields of the filter.
+	if rule.Filter.Protocol != 0 && rule.Filter.Protocol != header.IPv4(pkt.NetworkHeader).TransportProtocol() {
+		return Continue
+	}
+
 	// Go through each rule matcher. If they all match, run
 	// the rule target.
 	for _, matcher := range rule.Matchers {
author	gVisor bot <gvisor-bot@google.com>	2020-01-23 23:01:01 +0000
committer	gVisor bot <gvisor-bot@google.com>	2020-01-23 23:01:01 +0000
commit	6d077471e9ab708625fbba3442b7b71e9d70564b (patch)
tree	41a4b3012d9879e31d6dae2554bf248814cfff04 /pkg/tcpip/iptables/iptables.go
parent	decbfbc395af1840d6182aea27fc0e6cdcf4ce75 (diff)
parent	3d10edc9423789342047f8fcf3b6054bb71ea392 (diff)