patchpanel: drop local traffic with src ip in 100.115.92.0/23
Some connectivity scenarios like webRTC can cause Chrome to send packets
to the physical network with incorrect source IPs. This happens when
Chrome incorrectly binds to one of the virtual interfaces used for ARC
or other VMs and ends up sending packets that get routed to the default
logical network through the catch-all routing rule set by shill.
On some networks like cellular networks, such traffic with incorrect
source IP addresses can cause the network to terminate the connection.
To avoid these disconnections this patch adds iptables DROP rules in
FILTER to drop any locally originated packet that would exit a physical
interface with an IPv4 source address in the subnet used for assigning
static IPv4 addresses to hosted VMs and containers.
BUG=chromium:898210
TEST=Deployed patchpanel, connected to remote Meet meeting from Chrome,
- observed no outgoing traffic on eth or wifi with an incorrect src ip,
- observed that the iptables DROP rules in FILTER caught incorrect
packets,
- checked that Meet from Chrome works over eth, wifi, and an Android
VPN connection.
Change-Id: I80a07770412a0be36e4512f7db085d418e087315
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2428657
Reviewed-by: Taoyu Li <taoyl@chromium.org>
Reviewed-by: Garrick Evans <garrick@chromium.org>
Tested-by: Hugo Benichi <hugobenichi@google.com>
Commit-Queue: Hugo Benichi <hugobenichi@google.com>
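The commit message describes a single iptables rule shape: in the filter table's OUTPUT chain, drop locally originated packets leaving a physical interface with a source address in the VM/container subnet. The following added example (not patchpanel code, not part of this commit) models that rule offline so the matching semantics can be checked: the trailing `+` on `-o eth+` is an iptables prefix wildcard, and `-s` is a CIDR match. Packet tuples, the `DropRule` class, `evaluate()` and the sample packets are constructed for illustration; the `/23` comes from the subject line, the `/24` from the unit test below, and the example shows how a source in 100.115.93.0/24 is caught by one but not the other.

```python
"""Added example (not patchpanel code): model the OUTPUT DROP rule described
in the commit message and evaluate constructed egress packets against it.

Assumptions (hypothetical, not from the commit): a packet is an
(out_iface, src_ip) tuple; matching follows iptables semantics for
'-o IFACE+' (prefix wildcard) and '-s CIDR'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Subnet the commit subject says holds static IPv4 addresses of hosted VMs
# and containers.
VM_SUBNET = "100.115.92.0/23"

# Constructed sample egress packets: (outgoing interface, source IP).
SAMPLE_PACKETS: List[Tuple[str, str]] = [
    ("eth0", "100.115.92.2"),    # VM address leaking out the wired NIC
    ("eth0", "100.115.93.5"),    # upper half of the /23, outside the /24
    ("wlan0", "100.115.92.2"),   # wifi: not covered by an eth+ rule
    ("eth0", "192.168.1.10"),    # legitimate host address
    ("eth0", "fe80::1"),         # IPv6 source: not an IPv4 rule match
]


@dataclass(frozen=True)
class DropRule:
    out_iface: str  # e.g. "eth+"; trailing '+' is an iptables prefix wildcard
    src_cidr: str   # e.g. "100.115.92.0/23"

    def argv(self, action: str = "-I") -> List[str]:
        """Argument vector in the shape the unit test expects
        (OUTPUT chain, -j DROP, -w wait flag). action is -I or -D."""
        return [action, "OUTPUT", "-o", self.out_iface, "-s", self.src_cidr,
                "-j", "DROP", "-w"]

    def iface_matches(self, iface: str) -> bool:
        """iptables '-o' match: exact name, or prefix when the rule ends in '+'."""
        if self.out_iface.endswith("+"):
            return iface.startswith(self.out_iface[:-1])
        return iface == self.out_iface

    def matches(self, out_iface: str, src_ip: str) -> bool:
        """True if a packet with this egress interface and source would hit
        the rule. An address of the wrong IP version never matches."""
        net = ipaddress.ip_network(self.src_cidr, strict=False)
        addr = ipaddress.ip_address(src_ip)
        if addr.version != net.version:
            return False
        return addr in net and self.iface_matches(out_iface)


def evaluate(rules: Iterable[DropRule],
             packets: Iterable[Tuple[str, str]]) -> Dict[Tuple[str, str], str]:
    """Return 'DROP' or 'ACCEPT' per packet, first matching rule wins."""
    rules = list(rules)
    verdicts: Dict[Tuple[str, str], str] = {}
    for out_iface, src_ip in packets:
        hit = any(r.matches(out_iface, src_ip) for r in rules)
        verdicts[(out_iface, src_ip)] = "DROP" if hit else "ACCEPT"
    return verdicts


if __name__ == "__main__":
    for cidr in (VM_SUBNET, "100.115.92.0/24"):
        rule = DropRule("eth+", cidr)
        print("iptables -t filter", " ".join(rule.argv()))
        for pkt, verdict in evaluate([rule], SAMPLE_PACKETS).items():
            print(f"  {pkt[0]:6} src {pkt[1]:15} -> {verdict}")
```

Running it prints the two rule vectors followed by a verdict per sample packet; the difference between the `/23` and `/24` rows for `100.115.93.5` is the point to check against whatever prefix the production caller passes.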
diff --git a/patchpanel/datapath_test.cc b/patchpanel/datapath_test.cc
index fa85c95..2ccf949 100644
--- a/patchpanel/datapath_test.cc
+++ b/patchpanel/datapath_test.cc
@@ -294,6 +294,24 @@
datapath.RemoveBridge("br");
}
+TEST(DatapathTest, AddRemoveSourceIPv4DropRule) {
+ MockProcessRunner runner;
+ MockFirewall firewall;
+ EXPECT_CALL(runner,
+ iptables(StrEq("filter"),
+ ElementsAre("-I", "OUTPUT", "-o", "eth+", "-s",
+ "100.115.92.0/24", "-j", "DROP", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("filter"),
+ ElementsAre("-D", "OUTPUT", "-o", "eth+", "-s",
+ "100.115.92.0/24", "-j", "DROP", "-w"),
+ true, nullptr));
+ Datapath datapath(&runner, &firewall);
+ datapath.AddSourceIPv4DropRule("eth+", "100.115.92.0/24");
+ datapath.RemoveSourceIPv4DropRule("eth+", "100.115.92.0/24");
+}
+
TEST(DatapathTest, StartRoutingDevice_Arc) {
MockProcessRunner runner;
MockFirewall firewall;
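Review bot: the new test pins the prefix as "100.115.92.0/24" while the subject line and commit message describe the /23 subnet used for VM and container addresses; since this test only checks that AddSourceIPv4DropRule/RemoveSourceIPv4DropRule pass their arguments through, nothing here confirms that the production caller uses the /23, and a /24 rule would let sources in 100.115.93.0/24 reach the physical interface. Suggest either using the /23 in the expectation (e.g. `"100.115.92.0/23", "-j", "DROP", "-w"`) or adding a test on the caller that asserts the prefix it passes. The TEST section also reports wifi coverage, but only the `eth+` pattern is exercised here; a second EXPECT_CALL for the wifi interface pattern would make that claim checkable.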