patchpanel: drop local traffic with src ip in 100.115.92.0/23

Some connectivity scenarios like webRTC can cause Chrome to send packets
to the physical network with incorrect source IPs. This happens when
Chrome incorrectly binds to one of the virtual interfaces used for ARC
or other VMs and ends up sending packets that get routed to the default
logical network through the catch-all routing rule set by shill.

On some networks like cellular networks, such traffic with incorrect
source IP addresses can cause the network to terminate the connection.

To avoid these disconnections this patch adds iptables DROP rules in
FILTER to drop any locally originated packet that would exit a physical
interface with an IPv4 source address in the subnet used for assigning
static IPv4 addresses to hosted VMs and containers.

BUG=chromium:898210
TEST=Deployed patchpanel, connected to remote Meet meeting from Chrome,
  - observed no outgoing traffic on eth or wifi with an incorrect src ip,
  - observed that the iptables DROP rules in FILTER caught incorrect
    packets,
  - checked that Meet from Chrome works over eth, wifi, and an Android
    VPN connection.

Change-Id: I80a07770412a0be36e4512f7db085d418e087315
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2428657
Reviewed-by: Taoyu Li <taoyl@chromium.org>
Reviewed-by: Garrick Evans <garrick@chromium.org>
Tested-by: Hugo Benichi <hugobenichi@google.com>
Commit-Queue: Hugo Benichi <hugobenichi@google.com>
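The commit message above describes the mechanism but not the rule itself. The following is an added shell illustration, not patchpanel's code: it builds the OUTPUT DROP rule the message describes for a set of physical interfaces, and includes a pure-shell CIDR check so you can confirm offline which source addresses 100.115.92.0/23 actually covers (a /23 spans both 100.115.92.x and 100.115.93.x, which is easy to misjudge). The interface names, the sample addresses, the DRY_RUN switch and the idempotent `-C || -I` insertion are assumptions of this example; the excerpt does not show how patchpanel arranges its chains.

```shell
#!/bin/sh
# Added example, not patchpanel code. Models the DROP rule the commit message
# describes and checks which source IPs the 100.115.92.0/23 match covers.
# Assumptions: rules go straight into the filter OUTPUT chain; interface names
# below are constructed; DRY_RUN=1 (default) prints commands instead of running.

GUEST_SUBNET="100.115.92.0/23"   # static IPv4 range for hosted VMs/containers
IPTABLES=${IPTABLES:-iptables}
DRY_RUN=${DRY_RUN:-1}

# ip4_to_int A.B.C.D -> unsigned 32-bit value as a decimal string.
ip4_to_int() {
  _ifs=$IFS; IFS=.
  set -- $1
  IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> dotted quad.
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_mask BITS -> 32-bit netmask as an integer.
cidr_mask() {
  echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# in_subnet IP CIDR: exit 0 when IP is inside CIDR, 1 otherwise.
in_subnet() {
  _ip=$(ip4_to_int "$1")
  _net=$(ip4_to_int "${2%/*}")
  _mask=$(cidr_mask "${2#*/}")
  [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# subnet_range CIDR -> "FIRST LAST"; for the /23 this is .92.0 through .93.255.
subnet_range() {
  _net=$(ip4_to_int "${1%/*}")
  _mask=$(cidr_mask "${1#*/}")
  _first=$(( _net & _mask ))
  _last=$(( _first | (~_mask & 0xFFFFFFFF) ))
  echo "$(int_to_ip "$_first") $(int_to_ip "$_last")"
}

# drop_rule_cmd OIF SRC -> the rule the commit describes: locally originated
# packets leaving physical interface OIF with a source in SRC are dropped.
drop_rule_cmd() {
  echo "$IPTABLES -I OUTPUT -o $1 -s $2 -j DROP"
}

# ensure_drop_rule OIF SRC: idempotent insert (-C exits 0 if the rule exists).
ensure_drop_rule() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "$IPTABLES -C OUTPUT -o $1 -s $2 -j DROP 2>/dev/null || $(drop_rule_cmd "$1" "$2")"
    return 0
  fi
  "$IPTABLES" -C OUTPUT -o "$1" -s "$2" -j DROP 2>/dev/null \
    || "$IPTABLES" -I OUTPUT -o "$1" -s "$2" -j DROP
}

# Usage: constructed physical interfaces, then constructed source addresses
# of the kind a mis-bound socket might leak onto them.
for oif in eth0 wlan0; do
  ensure_drop_rule "$oif" "$GUEST_SUBNET"
done
for ip in 100.115.92.2 100.115.93.255 100.115.94.1 192.168.1.10; do
  if in_subnet "$ip" "$GUEST_SUBNET"; then
    echo "$ip: would be DROPPED (guest source leaked to physical interface)"
  else
    echo "$ip: passes this rule"
  fi
done
echo "$GUEST_SUBNET covers $(subnet_range "$GUEST_SUBNET")"
```

Run with `DRY_RUN=0` as root to apply the rules for real; the `-C` probe before `-I` keeps repeated runs from stacking duplicate rules, which matters for a daemon that may re-apply datapath state on reconnect. Matching on `-o <physical ifname>` rather than on the guest interface is deliberate: the misrouted packets are by definition not leaving through the guest interface they were bound to.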
diff --git a/patchpanel/datapath.h b/patchpanel/datapath.h
index 7856075..9b6b498 100644
--- a/patchpanel/datapath.h
+++ b/patchpanel/datapath.h
@@ -119,6 +119,15 @@
 
   virtual void RemoveInterface(const std::string& ifname);
 
+  // Create (or delete) an OUTPUT DROP rule for any locally originated traffic
+  // whose src IPv4 matches |src_ip| and would exit |oif|. This is mainly used
+  // for dropping Chrome webRTC traffic incorrectly bound on ARC and other
+  // guests virtual interfaces (chromium:898210).
+  virtual bool AddSourceIPv4DropRule(const std::string& oif,
+                                     const std::string& src_ip);
+  virtual bool RemoveSourceIPv4DropRule(const std::string& oif,
+                                        const std::string& src_ip);
+
   // Sets up IPv4 SNAT, IP forwarding, and traffic marking for the given
   // virtual device |int_ifname| associated to |source|. if |ext_ifname| is
   // empty, the device is implicitly routed through the highest priority
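Review bot: the new comment above AddSourceIPv4DropRule/RemoveSourceIPv4DropRule says the rule matches traffic "whose src IPv4 matches |src_ip|", but the commit message installs the rule for the whole 100.115.92.0/23 subnet, so the parameter evidently accepts a prefix in CIDR notation as well as a single address; state that in the comment (or rename the parameter to something like |src_cidr|) so callers do not assume a host address is required. The bool return is also undocumented: say what false means (the iptables invocation failed) and whether RemoveSourceIPv4DropRule returns false when no matching rule exists, since the Remove path is what a reconnect/teardown sequence will rely on. Minor: "ARC and other guests virtual interfaces" should read "ARC and other guests' virtual interfaces".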