Count packets dropped by iptables in IPStats

PiperOrigin-RevId: 332486383
author: Kevin Krakauer <krakauer@google.com> 2020-09-18 11:06:53 -0700
committer: gVisor bot <gvisor-bot@google.com> 2020-09-18 11:13:19 -0700
commit: bd69afdcd1c9303602aadce9e59aecff3eb7b9c8 (patch)
tree: d5279f4dc8a4823e32de05630b393b98e9cf10b1 /pkg/tcpip/stack
parent: dedef439230eac64a98ef1ce2d3b213bb2865400 (diff)
2 files changed, 1 insertions, 2 deletions
diff --git a/pkg/tcpip/stack/iptables.go b/pkg/tcpip/stack/iptables.go
index b6ef04d32..4a521eca9 100644
--- a/pkg/tcpip/stack/iptables.go
+++ b/pkg/tcpip/stack/iptables.go
@@ -289,8 +289,6 @@ const (
 // which address and nicName can be gathered. Currently, address is only
 // needed for prerouting and nicName is only needed for output.
 //
-// TODO(gvisor.dev/issue/170): Dropped packets should be counted.
-//
 // Precondition: pkt.NetworkHeader is set.
 func (it *IPTables) Check(hook Hook, pkt *PacketBuffer, gso *GSO, r *Route, preroutingAddr tcpip.Address, nicName string) bool {
 	if pkt.NetworkProtocolNumber != header.IPv4ProtocolNumber && pkt.NetworkProtocolNumber != header.IPv6ProtocolNumber {
diff --git a/pkg/tcpip/stack/nic.go b/pkg/tcpip/stack/nic.go
index 821d3feb9..204bfc433 100644
--- a/pkg/tcpip/stack/nic.go
+++ b/pkg/tcpip/stack/nic.go
@@ -1289,6 +1289,7 @@ func (n *NIC) DeliverNetworkPacket(remote, local tcpip.LinkAddress, protocol tcp
 		address := n.primaryAddress(protocol)
 		if ok := ipt.Check(Prerouting, pkt, nil, nil, address.Address, ""); !ok {
 			// iptables is telling us to drop the packet.
+			n.stack.stats.IP.IPTablesPreroutingDropped.Increment()
 			return
 		}
 	}
author	Kevin Krakauer <krakauer@google.com>	2020-09-18 11:06:53 -0700
committer	gVisor bot <gvisor-bot@google.com>	2020-09-18 11:13:19 -0700
commit	bd69afdcd1c9303602aadce9e59aecff3eb7b9c8 (patch)
tree	d5279f4dc8a4823e32de05630b393b98e9cf10b1 /pkg/tcpip/stack
parent	dedef439230eac64a98ef1ce2d3b213bb2865400 (diff)