Merge pull request #1617 from kevinGC:iptables-write-filter-proto

PiperOrigin-RevId: 291249314
author: gVisor bot <gvisor-bot@google.com> 2020-01-23 14:48:39 -0800
committer: gVisor bot <gvisor-bot@google.com> 2020-01-23 14:48:39 -0800
commit: 3d10edc9423789342047f8fcf3b6054bb71ea392 (patch)
tree: 20cdcf677ae33aa7bd5447734d586103bb6aad57 /pkg/tcpip/network
parent: 14d2ed1ad7785a54b35ef7ee949d3cf89a87e66d (diff)
parent: 747137c120bca27aeb259817d30ef60e01521621 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/pkg/tcpip/network/ipv4/ipv4.go b/pkg/tcpip/network/ipv4/ipv4.go
index 0a1453b31..85512f9b2 100644
--- a/pkg/tcpip/network/ipv4/ipv4.go
+++ b/pkg/tcpip/network/ipv4/ipv4.go
@@ -353,7 +353,8 @@ func (e *endpoint) HandlePacket(r *stack.Route, pkt tcpip.PacketBuffer) {
 	}
 	pkt.NetworkHeader = headerView[:h.HeaderLength()]
 
-	// iptables filtering.
+	// iptables filtering. All packets that reach here are intended for
+	// this machine and will not be forwarded.
 	ipt := e.stack.IPTables()
 	if ok := ipt.Check(iptables.Input, pkt); !ok {
 		// iptables is telling us to drop the packet.
author	gVisor bot <gvisor-bot@google.com>	2020-01-23 14:48:39 -0800
committer	gVisor bot <gvisor-bot@google.com>	2020-01-23 14:48:39 -0800
commit	3d10edc9423789342047f8fcf3b6054bb71ea392 (patch)
tree	20cdcf677ae33aa7bd5447734d586103bb6aad57 /pkg/tcpip/network
parent	14d2ed1ad7785a54b35ef7ee949d3cf89a87e66d (diff)
parent	747137c120bca27aeb259817d30ef60e01521621 (diff)