From 7cebd77806d164a3baec52eaeb05662e8c404967 Mon Sep 17 00:00:00 2001
From: Kevin Krakauer <krakauer@google.com>
Date: Wed, 8 Jan 2020 12:43:46 -0800
Subject: First commit -- re-adding DROP

---
 pkg/sentry/socket/netfilter/netfilter.go | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

(limited to 'pkg/sentry')

diff --git a/pkg/sentry/socket/netfilter/netfilter.go b/pkg/sentry/socket/netfilter/netfilter.go
index 347342f98..e4c493141 100644
--- a/pkg/sentry/socket/netfilter/netfilter.go
+++ b/pkg/sentry/socket/netfilter/netfilter.go
@@ -410,10 +410,7 @@ func parseTarget(optVal []byte) (iptables.Target, uint32, *syserr.Error) {
 		case iptables.Accept:
 			return iptables.UnconditionalAcceptTarget{}, linux.SizeOfXTStandardTarget, nil
 		case iptables.Drop:
-			// TODO(gvisor.dev/issue/170): Return an
-			// iptables.UnconditionalDropTarget to support DROP.
-			log.Infof("netfilter DROP is not supported yet.")
-			return nil, 0, syserr.ErrInvalidArgument
+			return iptables.UnconditionalDropTarget{}, linux.SizeOfXTStandardTarget, nil
 		default:
 			panic(fmt.Sprintf("Unknown verdict: %v", verdict))
 		}
-- 
cgit v1.2.3