From 2b457d9ee9ba50da4a9208d957053fac2c77932d Mon Sep 17 00:00:00 2001
From: Ghanan Gowripalan
Date: Thu, 13 May 2021 18:52:06 -0700
Subject: Check filter table when forwarding IP packets

This change updates the forwarding path to perform the forwarding hook with iptables so that the filter table is consulted before a packet is forwarded

Updates #170.

Test: iptables_test.TestForwardingHook
PiperOrigin-RevId: 373702359
---
pkg/tcpip/tcpip.go | 8 ++++++++
1 file changed, 8 insertions(+)

(limited to 'pkg/tcpip/tcpip.go')

diff --git a/pkg/tcpip/tcpip.go b/pkg/tcpip/tcpip.go
index 7b9c8cd4f..797778e08 100644
--- a/pkg/tcpip/tcpip.go
+++ b/pkg/tcpip/tcpip.go
@@ -1571,6 +1571,10 @@ type IPStats struct {
 // PacketsReceived is the number of IP packets received from the link layer.
 PacketsReceived *StatCounter

+ // ValidPacketsReceived is the number of valid IP packets that reached the IP
+ // layer.
+ ValidPacketsReceived *StatCounter
+
 // DisabledPacketsReceived is the number of IP packets received from the link
 // layer when the IP layer is disabled.
 DisabledPacketsReceived *StatCounter
@@ -1610,6 +1614,10 @@ type IPStats struct {
 // chain.
 IPTablesInputDropped *StatCounter

+ // IPTablesForwardDropped is the number of IP packets dropped in the Forward
+ // chain.
+ IPTablesForwardDropped *StatCounter
+
 // IPTablesOutputDropped is the number of IP packets dropped in the Output
 // chain.
 IPTablesOutputDropped *StatCounter
--
cgit v1.2.3
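Review bot: `ValidPacketsReceived` in the first hunk and `IPTablesForwardDropped` in the second are new `*StatCounter` pointer fields, and this path-limited view shows only tcpip.go, so nothing here confirms that every place that builds or mirrors an IPStats fills them in. A counter left nil would presumably cause a nil dereference when it is incremented on the receive or forwarding path, which is reachable from network input. It is worth confirming that the initialization code and any per-endpoint copy of these stats were updated in the same commit. Separately, the `ValidPacketsReceived` comment does not say what "valid" means relative to `PacketsReceived`; something like `// ValidPacketsReceived is the number of IP packets that passed validation and were handled by the IP layer.` (adjusted to what the increment site actually checks) would make the gap between the two counters interpretable. The IPStats struct starts and ends outside both hunks.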
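Review bot: The comment on `IPTablesForwardDropped` in the second hunk does not name the table, although the commit description says it is the filter table that is consulted before forwarding. Anyone using this counter to verify that forwarding rules are being enforced would benefit from the comment saying so, for example `// IPTablesForwardDropped is the number of IP packets dropped by the filter table's Forward chain instead of being forwarded.` It would also help to state whether a packet counted here is also counted in any other drop or forwarding-error counter; that cannot be determined from this hunk.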