Check filter table when forwarding IP packets

This change updates the forwarding path to perform the forwarding hook with iptables so that the filter table is consulted before a packet is forwarded Updates #170. Test: iptables_test.TestForwardingHook PiperOrigin-RevId: 373702359
author: Ghanan Gowripalan <ghanan@google.com> 2021-05-13 18:52:06 -0700
committer: gVisor bot <gvisor-bot@google.com> 2021-05-13 18:54:09 -0700
commit: 2b457d9ee9ba50da4a9208d957053fac2c77932d (patch)
tree: 8c711a691ef53a677083af1f884d664284f30f9c /pkg/tcpip/tcpip.go
parent: 7ea2dcbaece00b5c7310c74fcf99c1fb32e9ec28 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/pkg/tcpip/tcpip.go b/pkg/tcpip/tcpip.go
index 7b9c8cd4f..797778e08 100644
--- a/pkg/tcpip/tcpip.go
+++ b/pkg/tcpip/tcpip.go
@@ -1571,6 +1571,10 @@ type IPStats struct {
 	// PacketsReceived is the number of IP packets received from the link layer.
 	PacketsReceived *StatCounter
 
+	// ValidPacketsReceived is the number of valid IP packets that reached the IP
+	// layer.
+	ValidPacketsReceived *StatCounter
+
 	// DisabledPacketsReceived is the number of IP packets received from the link
 	// layer when the IP layer is disabled.
 	DisabledPacketsReceived *StatCounter
@@ -1610,6 +1614,10 @@ type IPStats struct {
 	// chain.
 	IPTablesInputDropped *StatCounter
 
+	// IPTablesForwardDropped is the number of IP packets dropped in the Forward
+	// chain.
+	IPTablesForwardDropped *StatCounter
+
 	// IPTablesOutputDropped is the number of IP packets dropped in the Output
 	// chain.
 	IPTablesOutputDropped *StatCounter
author	Ghanan Gowripalan <ghanan@google.com>	2021-05-13 18:52:06 -0700
committer	gVisor bot <gvisor-bot@google.com>	2021-05-13 18:54:09 -0700
commit	2b457d9ee9ba50da4a9208d957053fac2c77932d (patch)
tree	8c711a691ef53a677083af1f884d664284f30f9c /pkg/tcpip/tcpip.go
parent	7ea2dcbaece00b5c7310c74fcf99c1fb32e9ec28 (diff)