From bd69afdcd1c9303602aadce9e59aecff3eb7b9c8 Mon Sep 17 00:00:00 2001
From: Kevin Krakauer <krakauer@google.com>
Date: Fri, 18 Sep 2020 11:06:53 -0700
Subject: Count packets dropped by iptables in IPStats

PiperOrigin-RevId: 332486383
---
 pkg/tcpip/stack/iptables.go | 2 --
 pkg/tcpip/stack/nic.go      | 1 +
 2 files changed, 1 insertion(+), 2 deletions(-)

(limited to 'pkg/tcpip/stack')

diff --git a/pkg/tcpip/stack/iptables.go b/pkg/tcpip/stack/iptables.go
index b6ef04d32..4a521eca9 100644
--- a/pkg/tcpip/stack/iptables.go
+++ b/pkg/tcpip/stack/iptables.go
@@ -289,8 +289,6 @@ const (
 // which address and nicName can be gathered. Currently, address is only
 // needed for prerouting and nicName is only needed for output.
 //
-// TODO(gvisor.dev/issue/170): Dropped packets should be counted.
-//
 // Precondition: pkt.NetworkHeader is set.
 func (it *IPTables) Check(hook Hook, pkt *PacketBuffer, gso *GSO, r *Route, preroutingAddr tcpip.Address, nicName string) bool {
 	if pkt.NetworkProtocolNumber != header.IPv4ProtocolNumber && pkt.NetworkProtocolNumber != header.IPv6ProtocolNumber {
diff --git a/pkg/tcpip/stack/nic.go b/pkg/tcpip/stack/nic.go
index 821d3feb9..204bfc433 100644
--- a/pkg/tcpip/stack/nic.go
+++ b/pkg/tcpip/stack/nic.go
@@ -1289,6 +1289,7 @@ func (n *NIC) DeliverNetworkPacket(remote, local tcpip.LinkAddress, protocol tcp
 		address := n.primaryAddress(protocol)
 		if ok := ipt.Check(Prerouting, pkt, nil, nil, address.Address, ""); !ok {
 			// iptables is telling us to drop the packet.
+			n.stack.stats.IP.IPTablesPreroutingDropped.Increment()
 			return
 		}
 	}
-- 
cgit v1.2.3