summaryrefslogtreecommitdiffhomepage
path: root/pkg/tcpip/iptables
diff options
context:
space:
mode:
Diffstat (limited to 'pkg/tcpip/iptables')
-rw-r--r--pkg/tcpip/iptables/iptables.go7
-rw-r--r--pkg/tcpip/iptables/types.go4
2 files changed, 9 insertions, 2 deletions
diff --git a/pkg/tcpip/iptables/iptables.go b/pkg/tcpip/iptables/iptables.go
index 91abbbea8..b8d70ec1e 100644
--- a/pkg/tcpip/iptables/iptables.go
+++ b/pkg/tcpip/iptables/iptables.go
@@ -185,6 +185,13 @@ func (it *IPTables) checkTable(hook Hook, pkt tcpip.PacketBuffer, tablename stri
func (it *IPTables) checkRule(hook Hook, pkt tcpip.PacketBuffer, table Table, ruleIdx int) Verdict {
rule := table.Rules[ruleIdx]
+
+ // First check whether the packet matches the IP header filter.
+ // TODO(gvisor.dev/issue/170): Support other fields of the filter.
+ // if rule.Filter.Protocol != pkt.Protocol {
+ // return Continue
+ // }
+
// Go through each rule matcher. If they all match, run
// the rule target.
for _, matcher := range rule.Matchers {
diff --git a/pkg/tcpip/iptables/types.go b/pkg/tcpip/iptables/types.go
index 4b2a9c294..4bedd9bc8 100644
--- a/pkg/tcpip/iptables/types.go
+++ b/pkg/tcpip/iptables/types.go
@@ -151,8 +151,8 @@ func (table *Table) SetMetadata(metadata interface{}) {
// packets this rule applies to. If there are no matchers in the rule, it
// applies to any packet.
type Rule struct {
- // IPHeaderFilters holds basic IP filtering fields common to every rule.
- IPHeaderFilter IPHeaderFilter
+ // IPHeaderFilter holds basic IP filtering fields common to every rule.
+ Filter IPHeaderFilter
// Matchers is the list of matchers for this rule.
Matchers []Matcher