From 74a7d76c9777820fcd7bd6002481eb959f58e247 Mon Sep 17 00:00:00 2001
From: Kevin Krakauer
Date: Wed, 3 Jun 2020 19:57:39 -0700
Subject: iptables: loopback traffic skips prerouting chain

Loopback traffic is not affected by rules in the PREROUTING chain. This change is also necessary for istio's envoy to talk to other components in the same pod.
---
 pkg/tcpip/stack/nic.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'pkg/tcpip/stack')
diff --git a/pkg/tcpip/stack/nic.go b/pkg/tcpip/stack/nic.go
index ec8e3cb85..6664aea06 100644
--- a/pkg/tcpip/stack/nic.go
+++ b/pkg/tcpip/stack/nic.go
@@ -1229,7 +1229,8 @@ func (n *NIC) DeliverNetworkPacket(remote, local tcpip.LinkAddress, protocol tcp
 }
 // TODO(gvisor.dev/issue/170): Not supporting iptables for IPv6 yet.
- if protocol == header.IPv4ProtocolNumber {
+ // Loopback traffic skips the prerouting chain.
+ if protocol == header.IPv4ProtocolNumber && !n.isLoopback() {
 // iptables filtering.
 ipt := n.stack.IPTables()
 address := n.primaryAddress(protocol)
-- cgit v1.2.3
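Review bot: The added `&& !n.isLoopback()` makes packets arriving on a loopback NIC bypass the entire `if protocol == header.IPv4ProtocolNumber` block, which is the block that obtains `ipt := n.stack.IPTables()`, while the new comment only says the prerouting chain is skipped; if that block evaluates nothing but the Prerouting hook (the `ipt.Check` call lies past the end of this hunk, so I cannot confirm it) the comment is accurate, otherwise it understates what is bypassed. The bypass is silent: a filter rule installed in Prerouting will never see loopback traffic and nothing logs or counts that, so a unit test delivering a packet on a loopback NIC with a DROP rule in Prerouting and asserting it is still delivered would pin this policy and stop a later refactor from widening the exemption to other NICs. I would make the comment state the consequence rather than the intent, e.g. `// Loopback traffic skips the prerouting chain: packets on a loopback NIC are delivered here without consulting iptables.` What `isLoopback()` keys on is not visible in this hunk; presumably it reflects the NIC's loopback capability rather than the address, which is worth confirming since the two differ for traffic to a local address on a non-loopback NIC. DeliverNetworkPacket begins and ends outside this hunk.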