Check filter table when forwarding IP packets

This change updates the forwarding path to perform the forwarding hook
with iptables so that the filter table is consulted before a packet is
forwarded

Updates #170.

Test: iptables_test.TestForwardingHook
PiperOrigin-RevId: 373702359

2 files changed, 13 insertions, 3 deletions

diff --git a/pkg/tcpip/stack/iptables.go b/pkg/tcpip/stack/iptables.go
index e2894c548..3670d5995 100644
--- a/pkg/tcpip/stack/iptables.go
+++ b/pkg/tcpip/stack/iptables.go
@@ -177,6 +177,7 @@ func DefaultTables() *IPTables {
 		priorities: [NumHooks][]TableID{
 			Prerouting:  {MangleID, NATID},
 			Input:       {NATID, FilterID},
+			Forward:     {FilterID},
 			Output:      {MangleID, NATID, FilterID},
 			Postrouting: {MangleID, NATID},
 		},
diff --git a/pkg/tcpip/stack/iptables_types.go b/pkg/tcpip/stack/iptables_types.go
index 4631ab93f..93592e7f5 100644
--- a/pkg/tcpip/stack/iptables_types.go
+++ b/pkg/tcpip/stack/iptables_types.go
@@ -280,9 +280,18 @@ func (fl IPHeaderFilter) match(pkt *PacketBuffer, hook Hook, inNicName, outNicNa
 		return matchIfName(inNicName, fl.InputInterface, fl.InputInterfaceInvert)
 	case Output:
 		return matchIfName(outNicName, fl.OutputInterface, fl.OutputInterfaceInvert)
-	case Forward, Postrouting:
-		// TODO(gvisor.dev/issue/170): Add the check for FORWARD and POSTROUTING
-		// hooks after supported.
+	case Forward:
+		if !matchIfName(inNicName, fl.InputInterface, fl.InputInterfaceInvert) {
+			return false
+		}
+
+		if !matchIfName(outNicName, fl.OutputInterface, fl.OutputInterfaceInvert) {
+			return false
+		}
+
+		return true
+	case Postrouting:
+		// TODO(gvisor.dev/issue/170): Add the check for POSTROUTING.
 		return true
 	default:
 		panic(fmt.Sprintf("unknown hook: %d", hook))