authorgVisor bot <gvisor-bot@google.com>2020-04-04 01:39:59 +0000
committergVisor bot <gvisor-bot@google.com>2020-04-04 01:39:59 +0000
commit078753e0fe85dbcc047aaa5607a2bbc209491672 (patch)
tree14790716c79a7318214f1dc9293b6158a47851c3 /pkg/tcpip/stack/iptables.go
parent818a047ab6deabe5a75a5452cdb950cc0e22d722 (diff)
parentfc99a7ebf0c24b6f7b3cfd6351436373ed54548b (diff)
Merge release-20200323.0-69-gfc99a7e (automated)
Diffstat (limited to 'pkg/tcpip/stack/iptables.go')
-rwxr-xr-xpkg/tcpip/stack/iptables.go17
1 files changed, 17 insertions, 0 deletions
diff --git a/pkg/tcpip/stack/iptables.go b/pkg/tcpip/stack/iptables.go
index 37907ae24..6c0a4b24d 100755
--- a/pkg/tcpip/stack/iptables.go
+++ b/pkg/tcpip/stack/iptables.go
@@ -209,6 +209,23 @@ func (it *IPTables) Check(hook Hook, pkt PacketBuffer) bool {
return true
}
+// CheckPackets runs pkts through the rules for hook and returns a map of packets that
+// should not go forward.
+//
+// NOTE: unlike the Check API the returned map contains packets that should be
+// dropped.
+func (it *IPTables) CheckPackets(hook Hook, pkts PacketBufferList) (drop map[*PacketBuffer]struct{}) {
+ for pkt := pkts.Front(); pkt != nil; pkt = pkt.Next() {
+ if ok := it.Check(hook, *pkt); !ok {
+ if drop == nil {
+ drop = make(map[*PacketBuffer]struct{})
+ }
+ drop[pkt] = struct{}{}
+ }
+ }
+ return drop
+}
+
// Precondition: pkt.NetworkHeader is set.
func (it *IPTables) checkChain(hook Hook, pkt PacketBuffer, table Table, ruleIdx int) chainVerdict {
// Start from ruleIdx and walk the list of rules until a rule gives us
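Review bot: CheckPackets returns a nil map when every packet in pkts passes, and the doc comment on the new function does not say so; a caller that only ranges over or indexes the result is fine, but one that writes into it would panic, so the contract deserves a sentence, e.g. `// The returned map is nil when no packet should be dropped.`. Each iteration also hands `*pkt` to Check by value, which copies the whole PacketBuffer per packet; that matches Check's existing signature on the hunk header line, so it is a style point rather than a defect, but worth a comment if the copy is intentional. The neighbouring checkChain carries `// Precondition: pkt.NetworkHeader is set.`; if Check inherits that requirement (its body is outside the hunk, so this is inferred), CheckPackets should state the same precondition for every element of pkts.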