patchpanel: Add MASQUERADE rule for traffic going into namespace

DNS proxy forwards traffic into a connected namespace. In order
for that to work, a SNAT / MASQUERADE rule is necessary, as the
namespace is unable to reach the host's physical interface. This
patch adds the MASQUERADE rule.

The scenario where SNAT / MASQUERADE rule is necessary is as follows.
When a USER does a DNS query, it will have the destination IP of the
address inside /etc/resolv.conf (which is populated with the SYSTEM
DNS proxy's IP address inside its namespace). Because of this
destination IP, the source IP of the host's part of the namespace will
be used. The DNS proxy will, however, do a DNAT, changing the destination
IP to the USER DNS proxy's IP address. This will cause a problem as the
source IP (host part of SYSTEM namespace) is not reachable from the
destination IP (inside of USER namespace) for it to give a reply.
MASQUERADE fixes this allowing the reply to go through.

The rule is not necessary for guests (e.g. Crostini and ARC)
because their addresses are reachable from inside a namespace.

BUG=b:202356802
TEST=root, chronos, cups, ARC, and Crostini can be
     forwarded to a connected namespace.

Change-Id: I97e96cab2ffed719eb0ce88e3f8c24a4cc024275
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/3277612
Tested-by: Jason Jeremy Iman <jasongustaman@chromium.org>
Commit-Queue: Jason Jeremy Iman <jasongustaman@chromium.org>
Reviewed-by: Hugo Benichi <hugobenichi@google.com>
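The two nat rules the commit message describes, written out as plain iptables commands so the interaction can be seen end to end. This is an added example, not patchpanel code and not the contents of this change: the proxy addresses, the veth name, the use of the builtin OUTPUT and POSTROUTING chains, and the owner match used to pick which queries get redirected are all constructed assumptions (the diff on this page only shows a header declaration, so the real chain names and the caller are not visible). With DRY_RUN=1 the script only prints the commands it would run, which is also how it can be checked without root.

```shell
#!/bin/sh
# Added example: DNAT a client's DNS query to the USER dns-proxy namespace and
# MASQUERADE the forwarded packet so the reply can route back.
# All names and addresses below are constructed assumptions, not patchpanel's.

SYSTEM_PROXY_IP="100.115.92.130"   # SYSTEM proxy address, as written to /etc/resolv.conf (assumed)
USER_PROXY_IP="100.115.92.134"     # USER proxy address inside its own namespace (assumed)
USER_NS_VETH="vethdns_user"        # host end of the veth into the USER namespace (assumed)
DNS_CLIENT_UID="chronos"           # whose queries are redirected; one possible selector (assumed)
IPTABLES="${IPTABLES:-iptables}"

# Run an iptables command, or just print it when DRY_RUN=1.
run_rule() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$IPTABLES $*"
  else
    "$IPTABLES" "$@"
  fi
}

# Emit the rule set for one op ("-A" to add, "-D" to delete), one rule per line.
#
# Rule 1 (DNAT): a query from the client goes to SYSTEM_PROXY_IP:53, so the
# kernel picks the host-side address of the SYSTEM namespace's veth as source.
# The DNAT then moves the destination to USER_PROXY_IP.  Without further
# rewriting, the USER namespace receives a packet whose source is an address it
# has no route back to, so the reply is lost.
#
# Rule 2 (MASQUERADE): scoped to the interface that leads into the USER
# namespace, it rewrites the source to the host's own address on that veth,
# which is on-link inside the namespace; conntrack reverses the translation on
# the reply.  The -o scope matters: an unscoped MASQUERADE in POSTROUTING would
# rewrite every forwarded packet on the host.
dns_proxy_nat_rules() {
  op="$1"
  for proto in udp tcp; do
    echo "-t nat $op OUTPUT -p $proto --dport 53 -d $SYSTEM_PROXY_IP -m owner --uid-owner $DNS_CLIENT_UID -j DNAT --to-destination $USER_PROXY_IP"
  done
  echo "-t nat $op POSTROUTING -o $USER_NS_VETH -j MASQUERADE"
}

# Apply (op=-A) or remove (op=-D) the rule set.
apply_dns_proxy_nat() {
  dns_proxy_nat_rules "$1" | while IFS= read -r rule; do
    # shellcheck disable=SC2086  # word-splitting the rule string is intended
    run_rule $rule
  done
}

# Post-check for a real host (needs root): is the MASQUERADE rule installed?
dns_proxy_masq_present() {
  "$IPTABLES" -t nat -S POSTROUTING | grep -Fq -- "-o $USER_NS_VETH -j MASQUERADE"
}

# Usage: ./dns_proxy_nat.sh add | delete   (DRY_RUN=1 to only print the commands)
case "${1:-}" in
  add)    apply_dns_proxy_nat -A ;;
  delete) apply_dns_proxy_nat -D ;;
esac
```

Taking the op as a parameter mirrors the `op` argument in the declaration this change adds: the teardown path must issue the same rule with `-D`, otherwise a stale MASQUERADE rule keeps rewriting traffic toward that veth after the proxy namespace is gone.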
diff --git a/patchpanel/datapath.h b/patchpanel/datapath.h
index 8abcc0b..3543ea7 100644
--- a/patchpanel/datapath.h
+++ b/patchpanel/datapath.h
@@ -389,6 +389,9 @@
                                  const std::string& protocol,
                                  const std::string& ifname,
                                  const std::string& dns_ipv4_addr);
+  bool ModifyDnsProxyMasquerade(IpFamily family,
+                                const std::string& op,
+                                const std::string& chain);
   bool ModifyRedirectDnsJumpRule(IpFamily family,
                                  const std::string& op,
                                  const std::string& chain,
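Review bot: the new `ModifyDnsProxyMasquerade` declaration has no comment, unlike the surrounding DNS proxy helpers it sits between, so a reader of the header cannot tell which traffic the MASQUERADE rule is meant for, what `op` accepts (add vs. delete), or what `chain` the rule is expected to land in. Suggest a short comment above the declaration carrying the commit message's reasoning, e.g. "Adds or removes the MASQUERADE rule needed for traffic forwarded by dns-proxy into a connected namespace; not required for guest traffic (ARC, Crostini)", and naming the expected `op` values. Only the header changes on this page, so the definition in datapath.cc and the caller that installs and later removes the rule are not visible here for review.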