iptables: loopback traffic skips prerouting chain

Loopback traffic is not affected by rules in the PREROUTING chain. This change is also necessary for istio's envoy to talk to other components in the same pod.
author: Kevin Krakauer <krakauer@google.com> 2020-06-03 19:57:39 -0700
committer: Kevin Krakauer <krakauer@google.com> 2020-06-05 16:43:50 -0700
commit: 74a7d76c9777820fcd7bd6002481eb959f58e247 (patch)
tree: e41c17d207f421e83b803abeee0d7e1717924e63 /pkg/tcpip/stack
parent: d3a8bffe04595910714ec67231585bc33dab2b5b (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/pkg/tcpip/stack/nic.go b/pkg/tcpip/stack/nic.go
index ec8e3cb85..6664aea06 100644
--- a/pkg/tcpip/stack/nic.go
+++ b/pkg/tcpip/stack/nic.go
@@ -1229,7 +1229,8 @@ func (n *NIC) DeliverNetworkPacket(remote, local tcpip.LinkAddress, protocol tcp
 	}
 
 	// TODO(gvisor.dev/issue/170): Not supporting iptables for IPv6 yet.
-	if protocol == header.IPv4ProtocolNumber {
+	// Loopback traffic skips the prerouting chain.
+	if protocol == header.IPv4ProtocolNumber && !n.isLoopback() {
 		// iptables filtering.
 		ipt := n.stack.IPTables()
 		address := n.primaryAddress(protocol)
author	Kevin Krakauer <krakauer@google.com>	2020-06-03 19:57:39 -0700
committer	Kevin Krakauer <krakauer@google.com>	2020-06-05 16:43:50 -0700
commit	74a7d76c9777820fcd7bd6002481eb959f58e247 (patch)
tree	e41c17d207f421e83b803abeee0d7e1717924e63 /pkg/tcpip/stack
parent	d3a8bffe04595910714ec67231585bc33dab2b5b (diff)