From 89d11b4d96b0c40e373f14ba72d570c9b894f976 Mon Sep 17 00:00:00 2001
From: Kevin Krakauer <krakauer@google.com>
Date: Thu, 9 Jan 2020 13:41:52 -0800
Subject: Added a test that we don't pass yet

---
 pkg/tcpip/iptables/iptables.go | 7 +++++++
 1 file changed, 7 insertions(+)


diff --git a/pkg/tcpip/iptables/iptables.go b/pkg/tcpip/iptables/iptables.go
index 91abbbea8..b8d70ec1e 100644
--- a/pkg/tcpip/iptables/iptables.go
+++ b/pkg/tcpip/iptables/iptables.go
@@ -185,6 +185,13 @@ func (it *IPTables) checkTable(hook Hook, pkt tcpip.PacketBuffer, tablename stri
 
 func (it *IPTables) checkRule(hook Hook, pkt tcpip.PacketBuffer, table Table, ruleIdx int) Verdict {
 	rule := table.Rules[ruleIdx]
+
+	// First check whether the packet matches the IP header filter.
+	// TODO(gvisor.dev/issue/170): Support other fields of the filter.
+	// if rule.Filter.Protocol != pkt.Protocol {
+	// 	return Continue
+	// }
+
 	// Go through each rule matcher. If they all match, run
 	// the rule target.
 	for _, matcher := range rule.Matchers {
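Review bot: The protocol comparison at the top of checkRule is committed only as commented-out code, so `rule.Filter.Protocol` is still never enforced and a rule written for one protocol runs its matchers and target against packets of every protocol. The live comment `// First check whether the packet matches the IP header filter.` reads as if the check happens; it should state the gap instead, e.g. `// TODO(gvisor.dev/issue/170): rule.Filter.Protocol is NOT enforced yet; rules currently match packets of any protocol.` Presumably the check is disabled because the packet buffer does not yet expose a protocol field. Until it does, it may be safer to reject rules with a non-wildcard protocol filter when they are installed (that path is not visible in this hunk) than to accept them and apply them more broadly than written. The body of checkRule continues past the end of the hunk.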
-- 
cgit v1.2.3