patchpanel: iptables setup can be rebuild after a crash
This patch makes patchpanel more robust if a crash or unordered
shutdown happens and patchpanel does not have the opportunity to
teardown its iptables setup.
To do so, patchpanel always starts by flushing all chains used for
routing traffic in general and forwarding traffic of hosted guests like
ARC. Chains used for permission_broker rules and traffic accounting are
not flushed.
This patch does not make patchpanel able to restore the ARC datapath
while in the middle of a session.
BUG=b:148033397
BUG=b:161060333
BUG=b:171764279
TEST=Flashed rammus, killed patchpanel in and out of session multiple
times and checked that the state of iptables can be rebuilt
consistently.
Change-Id: I86428410bdf1ee0cdd923c94ca6efc79888b0508
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2569569
Commit-Queue: Hugo Benichi <hugobenichi@google.com>
Tested-by: Hugo Benichi <hugobenichi@google.com>
Reviewed-by: Taoyu Li <taoyl@chromium.org>
diff --git a/patchpanel/datapath.cc b/patchpanel/datapath.cc
index 683fbc1..6a57df6 100644
--- a/patchpanel/datapath.cc
+++ b/patchpanel/datapath.cc
@@ -50,6 +50,7 @@
constexpr char kApplyLocalSourceMarkChain[] = "apply_local_source_mark";
constexpr char kApplyVpnMarkChain[] = "apply_vpn_mark";
constexpr char kCheckRoutingMarkChain[] = "check_routing_mark";
+constexpr char kDropGuestIpv4Prefix[] = "drop_guest_ipv4_prefix";
// Constant fwmark mask for matching local socket traffic that should be routed
// through a VPN connection. The traffic must not be part of an existing
@@ -94,6 +95,9 @@
}
void Datapath::Start() {
+ // Restart from a clean iptables state in case of an unordered shutdown.
+ ResetIptables();
+
// Enable IPv4 packet forwarding
if (process_runner_->sysctl_w("net.ipv4.ip_forward", "1") != 0)
LOG(ERROR) << "Failed to update net.ipv4.ip_forward."
@@ -124,6 +128,13 @@
// for VMs, containers, and connected namespaces This is needed to prevent
// packets leaking with an incorrect src IP when a local process binds to the
// wrong interface.
+ if (!ModifyChain(IpFamily::IPv4, "filter", "-N", kDropGuestIpv4Prefix))
+ LOG(ERROR) << "Failed to create " << kDropGuestIpv4Prefix
+ << " filter chain";
+ if (!ModifyIptables(IpFamily::IPv4, "filter",
+ {"-I", "OUTPUT", "-j", kDropGuestIpv4Prefix, "-w"}))
+ LOG(ERROR) << "Failed to set up jump rule from filter OUTPUT to "
+ << kDropGuestIpv4Prefix;
for (const auto& oif : kPhysicalIfnamePrefixes) {
if (!AddSourceIPv4DropRule(oif, kGuestIPv4Subnet))
LOG(WARNING) << "Failed to set up IPv4 drop rule for src ip "
@@ -163,10 +174,6 @@
if (!ModifyChain(IpFamily::Dual, "mangle", "-N", kApplyLocalSourceMarkChain))
LOG(ERROR) << "Failed to set up " << kApplyLocalSourceMarkChain
<< " mangle chain";
- // Ensure that the chain is empty if patchpanel is restarting after a crash.
- if (!ModifyChain(IpFamily::Dual, "mangle", "-F", kApplyLocalSourceMarkChain))
- LOG(ERROR) << "Failed to flush " << kApplyLocalSourceMarkChain
- << " mangle chain";
if (!ModifyIptables(IpFamily::Dual, "mangle",
{"-A", "OUTPUT", "-j", kApplyLocalSourceMarkChain, "-w"}))
LOG(ERROR) << "Failed to attach " << kApplyLocalSourceMarkChain
@@ -187,9 +194,6 @@
// traffic that should be routed through a VPN.
if (!ModifyChain(IpFamily::Dual, "mangle", "-N", kApplyVpnMarkChain))
LOG(ERROR) << "Failed to set up " << kApplyVpnMarkChain << " mangle chain";
- // Ensure that the chain is empty if patchpanel is restarting after a crash.
- if (!ModifyChain(IpFamily::Dual, "mangle", "-F", kApplyVpnMarkChain))
- LOG(ERROR) << "Failed to flush " << kApplyVpnMarkChain << " mangle chain";
// All local outgoing traffic eligible to VPN routing should traverse the VPN
// marking chain.
if (!ModifyFwmarkVpnJumpRule("OUTPUT", "-A", "" /*iif*/, kFwmarkRouteOnVpn,
@@ -208,11 +212,6 @@
if (!ModifyChain(IpFamily::Dual, "mangle", "-N", kCheckRoutingMarkChain))
LOG(ERROR) << "Failed to set up " << kCheckRoutingMarkChain
<< " mangle chain";
- // Ensure that the chain is empty if patchpanel is restarting after a crash.
- if (!ModifyChain(IpFamily::Dual, "mangle", "-F", kCheckRoutingMarkChain))
- LOG(ERROR) << "Failed to flush " << kCheckRoutingMarkChain
- << " mangle chain";
-
// b/177787823 If it already exists, the routing tag of any traffic exiting an
// interface (physical or VPN) must match the routing tag of that interface.
if (!ModifyIptables(IpFamily::Dual, "mangle",
@@ -240,20 +239,6 @@
}
void Datapath::Stop() {
- // Remove static IPv4 SNAT rules.
- RemoveOutboundIPv4SNATMark("vmtap+");
- process_runner_->iptables("filter",
- {"-D", "FORWARD", "-m", "state", "--state",
- "ESTABLISHED,RELATED", "-j", "ACCEPT", "-w"});
- process_runner_->iptables("nat", {"-D", "POSTROUTING", "-m", "mark", "--mark",
- "1/1", "-j", "MASQUERADE", "-w"});
- process_runner_->iptables(
- "filter", {"-D", "FORWARD", "-m", "mark", "--mark", "1/1", "-m", "state",
- "--state", "INVALID", "-j", "DROP", "-w"});
-
- for (const auto& oif : kPhysicalIfnamePrefixes)
- RemoveSourceIPv4DropRule(oif, kGuestIPv4Subnet);
-
// Restore original local port range.
// TODO(garrick): The original history behind this tweak is gone. Some
// investigation is needed to see if it is still applicable.
@@ -268,44 +253,53 @@
if (process_runner_->sysctl_w("net.ipv4.ip_forward", "0") != 0)
LOG(ERROR) << "Failed to restore net.ipv4.ip_forward.";
- // Detach the VPN marking mangle chain
- if (!ModifyFwmarkVpnJumpRule("OUTPUT", "-D", "" /*iif*/, kFwmarkRouteOnVpn,
- kFwmarkVpnMask))
- LOG(ERROR)
- << "Failed to remove from mangle OUTPUT chain jump rule to VPN chain";
+ ResetIptables();
+}
- // Detach apply_local_source_mark from mangle PREROUTING
- if (!ModifyIptables(IpFamily::Dual, "mangle",
- {"-D", "OUTPUT", "-j", kApplyLocalSourceMarkChain, "-w"}))
- LOG(ERROR) << "Failed to detach " << kApplyLocalSourceMarkChain
- << " from mangle OUTPUT";
+void Datapath::ResetIptables() {
+ // If it exists, remove jump rules from a built-in chain to a custom routing
+ // or tagging chain.
+ ModifyIptables(IpFamily::IPv4, "filter",
+ {"-D", "OUTPUT", "-j", kDropGuestIpv4Prefix, "-w"},
+ false /*log_failures*/);
- // Stops applying routing tags saved in conntrack for sockets created in the
- // host network namespace.
- if (!ModifyConnmarkRestore(IpFamily::Dual, "OUTPUT", "-D", "" /*iif*/,
- kFwmarkRoutingMask))
- LOG(ERROR) << "Failed to remove OUTPUT CONNMARK restore rule";
- if (!ModifyConnmarkRestore(IpFamily::Dual, "POSTROUTING", "-D", "",
- kFwmarkRoutingMask))
- LOG(ERROR) << "Failed to remove POSTROUTING CONNMARK restore rule";
+ // Flush chains used for routing and fwmark tagging. Also delete additional
+ // chains made by patchpanel. Chains used by permission broker (nat
+ // PREROUTING, filter INPUT) and chains used for traffic counters (mangle
+ // {rx,tx}_{<iface>, vpn}) are not flushed.
+ static struct {
+ IpFamily family;
+ std::string table;
+ std::string chain;
+ bool should_delete;
+ } resetOps[] = {
+ {IpFamily::Dual, "filter", "FORWARD", false},
+ {IpFamily::Dual, "mangle", "FORWARD", false},
+ {IpFamily::Dual, "mangle", "INPUT", false},
+ {IpFamily::Dual, "mangle", "OUTPUT", false},
+ {IpFamily::Dual, "mangle", "POSTROUTING", false},
+ {IpFamily::Dual, "mangle", "PREROUTING", false},
+ {IpFamily::Dual, "mangle", kApplyLocalSourceMarkChain, true},
+ {IpFamily::Dual, "mangle", kApplyVpnMarkChain, true},
+ {IpFamily::Dual, "mangle", kCheckRoutingMarkChain, true},
+ {IpFamily::IPv4, "filter", kDropGuestIpv4Prefix, true},
+ {IpFamily::IPv4, "nat", "POSTROUTING", false},
+ };
+ for (const auto& op : resetOps) {
+ // Chains to delete are custom chains and will not exist the first time
+ // patchpanel starts after boot. Skip flushing and delete these chains if
+ // they do not exist to avoid logging spurious error messages.
+ if (op.should_delete && !ModifyChain(op.family, op.table, "-L", op.chain,
+ false /*log_failures*/))
+ continue;
- // Delete the POSTROUTING jump rule to check_routing_mark chain holding
- // routing tag filter rules.
- if (!ModifyIptables(IpFamily::Dual, "mangle",
- {"-D", "POSTROUTING", "-m", "mark", "!", "--mark",
- "0x0/" + kFwmarkRoutingMask.ToString(), "-j",
- kCheckRoutingMarkChain, "-w"}))
- LOG(ERROR) << "Failed to remove POSTROUTING jump rule to "
- << kCheckRoutingMarkChain;
+ if (!ModifyChain(op.family, op.table, "-F", op.chain))
+ LOG(ERROR) << "Failed to flush " << op.chain << " chain in table "
+ << op.table;
- // Delete the mangle chains
- for (const auto* chain : {kApplyLocalSourceMarkChain, kApplyVpnMarkChain,
- kCheckRoutingMarkChain}) {
- if (!ModifyChain(IpFamily::Dual, "mangle", "-F", chain))
- LOG(ERROR) << "Failed to flush " << chain << " mangle chain";
-
- if (!ModifyChain(IpFamily::Dual, "mangle", "-X", chain))
- LOG(ERROR) << "Failed to delete " << chain << " mangle chain";
+ if (op.should_delete && !ModifyChain(op.family, op.table, "-X", op.chain))
+ LOG(ERROR) << "Failed to delete " << op.chain << " chain in table "
+ << op.table;
}
}
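Review bot: The existence probe `ModifyChain(op.family, op.table, "-L", op.chain, false)` is evaluated once per row, so for the three `IpFamily::Dual` rows a custom chain that a crash left behind in only one of iptables/ip6tables is — assuming ModifyChain reports failure when either family fails, which this hunk does not show — skipped for both families and is neither flushed nor deleted; the stale chain then makes the later `-N` in Start() fail for that family and its old rules survive the reset. Probing, flushing and deleting per family instead of per Dual row would close that gap. The row order is also load-bearing: the jump-rule `-D` and the built-in `-F` rows must come before the `-X` rows, since iptables refuses to delete a chain that is still jumped to, and that deserves a comment above `resetOps`, e.g. `// Order matters: built-in chains are flushed before custom chains are deleted, because -X fails on a chain that is still referenced.` Minor: `resetOps` does not follow the snake_case naming used for locals elsewhere in this file (`oif`, `nsinfo`).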
@@ -559,14 +553,16 @@
bool Datapath::AddSourceIPv4DropRule(const std::string& oif,
const std::string& src_ip) {
- return process_runner_->iptables("filter", {"-I", "OUTPUT", "-o", oif, "-s",
- src_ip, "-j", "DROP", "-w"}) == 0;
+ return process_runner_->iptables(
+ "filter", {"-I", kDropGuestIpv4Prefix, "-o", oif, "-s", src_ip,
+ "-j", "DROP", "-w"}) == 0;
}
bool Datapath::RemoveSourceIPv4DropRule(const std::string& oif,
const std::string& src_ip) {
- return process_runner_->iptables("filter", {"-D", "OUTPUT", "-o", oif, "-s",
- src_ip, "-j", "DROP", "-w"}) == 0;
+ return process_runner_->iptables(
+ "filter", {"-D", kDropGuestIpv4Prefix, "-o", oif, "-s", src_ip,
+ "-j", "DROP", "-w"}) == 0;
}
bool Datapath::StartRoutingNamespace(const ConnectedNamespace& nsinfo) {
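Review bot: AddSourceIPv4DropRule and RemoveSourceIPv4DropRule now insert into `kDropGuestIpv4Prefix`, a chain that only exists between the `-N` in Start() and the `-X` in ResetIptables(), so a call outside that window fails where it previously succeeded against the built-in OUTPUT chain; the callers in this file appear to respect that, but the `false` return is the only signal and it is not logged here. The declarations live in datapath.h, outside this diff, so the contract should be recorded there, e.g. `// Only valid between Start() and Stop(): rules are added to the drop_guest_ipv4_prefix chain created by Start().`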
diff --git a/patchpanel/datapath.h b/patchpanel/datapath.h
index 761eaa6..7738e4c 100644
--- a/patchpanel/datapath.h
+++ b/patchpanel/datapath.h
@@ -269,6 +269,10 @@
MinijailedProcessRunner& runner() const;
private:
+ // Attempts to flush all built-in iptables chains used by patchpanel, and to
+ // delete all additionals chains created by patchpanel for routing. Traffic
+ // accounting chains are not deleted.
+ void ResetIptables();
// Creates a virtual interface pair.
bool AddVirtualInterfacePair(const std::string& netns_name,
const std::string& veth_ifname,
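Review bot: The new comment on ResetIptables() has a typo, `additionals chains` should read `additional chains`, and it overstates what the method does: per the `resetOps` table in datapath.cc it flushes filter FORWARD, the mangle built-in chains and nat POSTROUTING, but deliberately leaves filter INPUT/OUTPUT and nat PREROUTING alone and only deletes the single jump rule from filter OUTPUT to the guest-prefix drop chain. Spelling out that list here, and noting that permission_broker rules and the traffic accounting chains are untouched, would let a reader of the header know which rules survive a restart without opening the implementation.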
diff --git a/patchpanel/datapath_test.cc b/patchpanel/datapath_test.cc
index ce018d0..e9b98fa 100644
--- a/patchpanel/datapath_test.cc
+++ b/patchpanel/datapath_test.cc
@@ -117,6 +117,124 @@
TEST(DatapathTest, Start) {
MockProcessRunner runner;
MockFirewall firewall;
+
+ // Asserts for iptables chain reset.
+ EXPECT_CALL(runner, iptables(StrEq("filter"),
+ ElementsAre("-D", "OUTPUT", "-j",
+ "drop_guest_ipv4_prefix", "-w"),
+ false, nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("filter"), ElementsAre("-F", "FORWARD", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner,
+ ip6tables(StrEq("filter"), ElementsAre("-F", "FORWARD", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("mangle"), ElementsAre("-F", "FORWARD", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner,
+ ip6tables(StrEq("mangle"), ElementsAre("-F", "FORWARD", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("mangle"), ElementsAre("-F", "INPUT", "-w"), true,
+ nullptr));
+ EXPECT_CALL(runner,
+ ip6tables(StrEq("mangle"), ElementsAre("-F", "INPUT", "-w"), true,
+ nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("mangle"), ElementsAre("-F", "OUTPUT", "-w"), true,
+ nullptr));
+ EXPECT_CALL(runner,
+ ip6tables(StrEq("mangle"), ElementsAre("-F", "OUTPUT", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("mangle"), ElementsAre("-F", "POSTROUTING", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner,
+ ip6tables(StrEq("mangle"), ElementsAre("-F", "POSTROUTING", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("mangle"), ElementsAre("-F", "PREROUTING", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner,
+ ip6tables(StrEq("mangle"), ElementsAre("-F", "PREROUTING", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("mangle"),
+ ElementsAre("-L", "apply_local_source_mark", "-w"),
+ false, nullptr));
+ EXPECT_CALL(runner,
+ ip6tables(StrEq("mangle"),
+ ElementsAre("-L", "apply_local_source_mark", "-w"),
+ false, nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("mangle"),
+ ElementsAre("-F", "apply_local_source_mark", "-w"), true,
+ nullptr));
+ EXPECT_CALL(runner,
+ ip6tables(StrEq("mangle"),
+ ElementsAre("-F", "apply_local_source_mark", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("mangle"),
+ ElementsAre("-X", "apply_local_source_mark", "-w"), true,
+ nullptr));
+ EXPECT_CALL(runner,
+ ip6tables(StrEq("mangle"),
+ ElementsAre("-X", "apply_local_source_mark", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner, iptables(StrEq("mangle"),
+ ElementsAre("-L", "apply_vpn_mark", "-w"), false,
+ nullptr));
+ EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
+ ElementsAre("-L", "apply_vpn_mark", "-w"),
+ false, nullptr));
+ EXPECT_CALL(runner, iptables(StrEq("mangle"),
+ ElementsAre("-F", "apply_vpn_mark", "-w"), true,
+ nullptr));
+ EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
+ ElementsAre("-F", "apply_vpn_mark", "-w"), true,
+ nullptr));
+ EXPECT_CALL(runner, iptables(StrEq("mangle"),
+ ElementsAre("-X", "apply_vpn_mark", "-w"), true,
+ nullptr));
+ EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
+ ElementsAre("-X", "apply_vpn_mark", "-w"), true,
+ nullptr));
+ EXPECT_CALL(runner, iptables(StrEq("mangle"),
+ ElementsAre("-L", "check_routing_mark", "-w"),
+ false, nullptr));
+ EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
+ ElementsAre("-L", "check_routing_mark", "-w"),
+ false, nullptr));
+ EXPECT_CALL(runner, iptables(StrEq("mangle"),
+ ElementsAre("-F", "check_routing_mark", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
+ ElementsAre("-F", "check_routing_mark", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner, iptables(StrEq("mangle"),
+ ElementsAre("-X", "check_routing_mark", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
+ ElementsAre("-X", "check_routing_mark", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("filter"),
+ ElementsAre("-L", "drop_guest_ipv4_prefix", "-w"), false,
+ nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("filter"),
+ ElementsAre("-F", "drop_guest_ipv4_prefix", "-w"), true,
+ nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("filter"),
+ ElementsAre("-X", "drop_guest_ipv4_prefix", "-w"), true,
+ nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("nat"), ElementsAre("-F", "POSTROUTING", "-w"),
+ true, nullptr));
+
// Asserts for sysctl modifications
EXPECT_CALL(runner, sysctl_w(StrEq("net.ipv4.ip_forward"), StrEq("1"), true));
EXPECT_CALL(runner, sysctl_w(StrEq("net.ipv4.ip_local_port_range"),
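Review bot: The new reset expectations in this test, and the matching block in the Stop test later in this file, are unordered EXPECT_CALLs, so they do not verify the one property the reset depends on: that the `-D OUTPUT -j drop_guest_ipv4_prefix` deletion and the built-in `-F` calls are issued before any `-X`, without which the chain deletions fail on a live system. Wrapping the reset block in a `::testing::InSequence` scope would pin that order. The `-L` probes are also only exercised on the success path; if the mock returns 0 by default (not visible here), the first-boot branch where a missing chain makes ResetIptables skip its `-F`/`-X` is never covered, and a test that makes one `-L` call return non-zero and expects no `-F`/`-X` for that chain would close that.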
@@ -144,34 +262,42 @@
// Asserts for AddSourceIPv4DropRule() calls.
EXPECT_CALL(runner,
iptables(StrEq("filter"),
- ElementsAre("-I", "OUTPUT", "-o", "eth+", "-s",
- "100.115.92.0/23", "-j", "DROP", "-w"),
- true, nullptr));
+ ElementsAre("-N", "drop_guest_ipv4_prefix", "-w"), true,
+ nullptr));
+ EXPECT_CALL(runner, iptables(StrEq("filter"),
+ ElementsAre("-I", "OUTPUT", "-j",
+ "drop_guest_ipv4_prefix", "-w"),
+ true, nullptr));
EXPECT_CALL(runner,
iptables(StrEq("filter"),
- ElementsAre("-I", "OUTPUT", "-o", "wlan+", "-s",
- "100.115.92.0/23", "-j", "DROP", "-w"),
+ ElementsAre("-I", "drop_guest_ipv4_prefix", "-o", "eth+",
+ "-s", "100.115.92.0/23", "-j", "DROP", "-w"),
true, nullptr));
+ EXPECT_CALL(runner, iptables(StrEq("filter"),
+ ElementsAre("-I", "drop_guest_ipv4_prefix", "-o",
+ "wlan+", "-s", "100.115.92.0/23",
+ "-j", "DROP", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner, iptables(StrEq("filter"),
+ ElementsAre("-I", "drop_guest_ipv4_prefix", "-o",
+ "mlan+", "-s", "100.115.92.0/23",
+ "-j", "DROP", "-w"),
+ true, nullptr));
EXPECT_CALL(runner,
iptables(StrEq("filter"),
- ElementsAre("-I", "OUTPUT", "-o", "mlan+", "-s",
- "100.115.92.0/23", "-j", "DROP", "-w"),
+ ElementsAre("-I", "drop_guest_ipv4_prefix", "-o", "usb+",
+ "-s", "100.115.92.0/23", "-j", "DROP", "-w"),
true, nullptr));
- EXPECT_CALL(runner,
- iptables(StrEq("filter"),
- ElementsAre("-I", "OUTPUT", "-o", "usb+", "-s",
- "100.115.92.0/23", "-j", "DROP", "-w"),
- true, nullptr));
- EXPECT_CALL(runner,
- iptables(StrEq("filter"),
- ElementsAre("-I", "OUTPUT", "-o", "wwan+", "-s",
- "100.115.92.0/23", "-j", "DROP", "-w"),
- true, nullptr));
- EXPECT_CALL(runner,
- iptables(StrEq("filter"),
- ElementsAre("-I", "OUTPUT", "-o", "rmnet+", "-s",
- "100.115.92.0/23", "-j", "DROP", "-w"),
- true, nullptr));
+ EXPECT_CALL(runner, iptables(StrEq("filter"),
+ ElementsAre("-I", "drop_guest_ipv4_prefix", "-o",
+ "wwan+", "-s", "100.115.92.0/23",
+ "-j", "DROP", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner, iptables(StrEq("filter"),
+ ElementsAre("-I", "drop_guest_ipv4_prefix", "-o",
+ "rmnet+", "-s", "100.115.92.0/23",
+ "-j", "DROP", "-w"),
+ true, nullptr));
// Asserts for AddOutboundIPv4SNATMark("vmtap+")
EXPECT_CALL(runner,
iptables(StrEq("mangle"),
@@ -243,10 +369,6 @@
iptables(StrEq("mangle"),
ElementsAre("-N", "apply_local_source_mark", "-w"), true,
nullptr));
- EXPECT_CALL(runner,
- iptables(StrEq("mangle"),
- ElementsAre("-F", "apply_local_source_mark", "-w"), true,
- nullptr));
EXPECT_CALL(runner, iptables(StrEq("mangle"),
ElementsAre("-A", "OUTPUT", "-j",
"apply_local_source_mark", "-w"),
@@ -330,10 +452,6 @@
ip6tables(StrEq("mangle"),
ElementsAre("-N", "apply_local_source_mark", "-w"),
true, nullptr));
- EXPECT_CALL(runner,
- ip6tables(StrEq("mangle"),
- ElementsAre("-F", "apply_local_source_mark", "-w"),
- true, nullptr));
EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
ElementsAre("-A", "OUTPUT", "-j",
"apply_local_source_mark", "-w"),
@@ -419,9 +537,6 @@
ElementsAre("-N", "apply_vpn_mark", "-w"), true,
nullptr));
EXPECT_CALL(runner, iptables(StrEq("mangle"),
- ElementsAre("-F", "apply_vpn_mark", "-w"), true,
- nullptr));
- EXPECT_CALL(runner, iptables(StrEq("mangle"),
ElementsAre("-A", "OUTPUT", "-m", "mark",
"--mark", "0x00008000/0x0000c000",
"-j", "apply_vpn_mark", "-w"),
@@ -435,9 +550,6 @@
ElementsAre("-N", "apply_vpn_mark", "-w"), true,
nullptr));
EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
- ElementsAre("-F", "apply_vpn_mark", "-w"), true,
- nullptr));
- EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
ElementsAre("-A", "OUTPUT", "-m", "mark",
"--mark", "0x00008000/0x0000c000",
"-j", "apply_vpn_mark", "-w"),
@@ -453,9 +565,6 @@
ElementsAre("-N", "check_routing_mark", "-w"),
true, nullptr));
EXPECT_CALL(runner, iptables(StrEq("mangle"),
- ElementsAre("-F", "check_routing_mark", "-w"),
- true, nullptr));
- EXPECT_CALL(runner, iptables(StrEq("mangle"),
ElementsAre("-A", "POSTROUTING", "-j",
"CONNMARK", "--restore-mark",
"--mask", "0xffff0000", "-w"),
@@ -469,9 +578,6 @@
ElementsAre("-N", "check_routing_mark", "-w"),
true, nullptr));
EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
- ElementsAre("-F", "check_routing_mark", "-w"),
- true, nullptr));
- EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
ElementsAre("-A", "POSTROUTING", "-j",
"CONNMARK", "--restore-mark",
"--mask", "0xffff0000", "-w"),
@@ -495,153 +601,122 @@
EXPECT_CALL(runner, sysctl_w(StrEq("net.ipv6.conf.all.forwarding"),
StrEq("0"), true));
EXPECT_CALL(runner, sysctl_w(StrEq("net.ipv4.ip_forward"), StrEq("0"), true));
- // Asserts for RemoveOutboundIPv4SNATMark("vmtap+")
+ // Asserts for iptables chain reset.
+ EXPECT_CALL(runner, iptables(StrEq("filter"),
+ ElementsAre("-D", "OUTPUT", "-j",
+ "drop_guest_ipv4_prefix", "-w"),
+ false, nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("filter"), ElementsAre("-F", "FORWARD", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner,
+ ip6tables(StrEq("filter"), ElementsAre("-F", "FORWARD", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("mangle"), ElementsAre("-F", "FORWARD", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner,
+ ip6tables(StrEq("mangle"), ElementsAre("-F", "FORWARD", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("mangle"), ElementsAre("-F", "INPUT", "-w"), true,
+ nullptr));
+ EXPECT_CALL(runner,
+ ip6tables(StrEq("mangle"), ElementsAre("-F", "INPUT", "-w"), true,
+ nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("mangle"), ElementsAre("-F", "OUTPUT", "-w"), true,
+ nullptr));
+ EXPECT_CALL(runner,
+ ip6tables(StrEq("mangle"), ElementsAre("-F", "OUTPUT", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("mangle"), ElementsAre("-F", "POSTROUTING", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner,
+ ip6tables(StrEq("mangle"), ElementsAre("-F", "POSTROUTING", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("mangle"), ElementsAre("-F", "PREROUTING", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner,
+ ip6tables(StrEq("mangle"), ElementsAre("-F", "PREROUTING", "-w"),
+ true, nullptr));
EXPECT_CALL(runner,
iptables(StrEq("mangle"),
- ElementsAre("-D", "PREROUTING", "-i", "vmtap+", "-j",
- "MARK", "--set-mark", "1/1", "-w"),
- true, nullptr));
- // Asserts for RemoveForwardEstablishedRule
+ ElementsAre("-L", "apply_local_source_mark", "-w"),
+ false, nullptr));
EXPECT_CALL(runner,
- iptables(StrEq("filter"),
- ElementsAre("-D", "FORWARD", "-m", "state", "--state",
- "ESTABLISHED,RELATED", "-j", "ACCEPT", "-w"),
- true, nullptr));
- // Asserts for SNAT rules.
- EXPECT_CALL(
- runner,
- iptables(StrEq("filter"),
- ElementsAre("-D", "FORWARD", "-m", "mark", "--mark", "1/1", "-m",
- "state", "--state", "INVALID", "-j", "DROP", "-w"),
- true, nullptr));
- EXPECT_CALL(runner,
- iptables(StrEq("nat"),
- ElementsAre("-D", "POSTROUTING", "-m", "mark", "--mark",
- "1/1", "-j", "MASQUERADE", "-w"),
- true, nullptr));
- // Asserts for RemoveSourceIPv4DropRule() calls.
- EXPECT_CALL(runner,
- iptables(StrEq("filter"),
- ElementsAre("-D", "OUTPUT", "-o", "eth+", "-s",
- "100.115.92.0/23", "-j", "DROP", "-w"),
- true, nullptr));
- EXPECT_CALL(runner,
- iptables(StrEq("filter"),
- ElementsAre("-D", "OUTPUT", "-o", "wlan+", "-s",
- "100.115.92.0/23", "-j", "DROP", "-w"),
- true, nullptr));
- EXPECT_CALL(runner,
- iptables(StrEq("filter"),
- ElementsAre("-D", "OUTPUT", "-o", "mlan+", "-s",
- "100.115.92.0/23", "-j", "DROP", "-w"),
- true, nullptr));
- EXPECT_CALL(runner,
- iptables(StrEq("filter"),
- ElementsAre("-D", "OUTPUT", "-o", "usb+", "-s",
- "100.115.92.0/23", "-j", "DROP", "-w"),
- true, nullptr));
- EXPECT_CALL(runner,
- iptables(StrEq("filter"),
- ElementsAre("-D", "OUTPUT", "-o", "wwan+", "-s",
- "100.115.92.0/23", "-j", "DROP", "-w"),
- true, nullptr));
- EXPECT_CALL(runner,
- iptables(StrEq("filter"),
- ElementsAre("-D", "OUTPUT", "-o", "rmnet+", "-s",
- "100.115.92.0/23", "-j", "DROP", "-w"),
- true, nullptr));
- // Asserts for apply_local_source_mark chain
- EXPECT_CALL(runner, iptables(StrEq("mangle"),
- ElementsAre("-D", "OUTPUT", "-j",
- "apply_local_source_mark", "-w"),
- true, nullptr));
- // Asserts for OUTPUT CONNMARK restore rule
- EXPECT_CALL(runner, iptables(StrEq("mangle"),
- ElementsAre("-D", "OUTPUT", "-j", "CONNMARK",
- "--restore-mark", "--mask",
- "0xffff0000", "-w"),
- true, nullptr));
- EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
- ElementsAre("-D", "OUTPUT", "-j", "CONNMARK",
- "--restore-mark", "--mask",
- "0xffff0000", "-w"),
- true, nullptr));
+ ip6tables(StrEq("mangle"),
+ ElementsAre("-L", "apply_local_source_mark", "-w"),
+ false, nullptr));
EXPECT_CALL(runner,
iptables(StrEq("mangle"),
ElementsAre("-F", "apply_local_source_mark", "-w"), true,
nullptr));
EXPECT_CALL(runner,
- iptables(StrEq("mangle"),
- ElementsAre("-X", "apply_local_source_mark", "-w"), true,
- nullptr));
- EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
- ElementsAre("-D", "OUTPUT", "-j",
- "apply_local_source_mark", "-w"),
- true, nullptr));
- EXPECT_CALL(runner,
ip6tables(StrEq("mangle"),
ElementsAre("-F", "apply_local_source_mark", "-w"),
true, nullptr));
EXPECT_CALL(runner,
+ iptables(StrEq("mangle"),
+ ElementsAre("-X", "apply_local_source_mark", "-w"), true,
+ nullptr));
+ EXPECT_CALL(runner,
ip6tables(StrEq("mangle"),
ElementsAre("-X", "apply_local_source_mark", "-w"),
true, nullptr));
- // Asserts for apply_vpn_mark chain
EXPECT_CALL(runner, iptables(StrEq("mangle"),
- ElementsAre("-D", "OUTPUT", "-m", "mark",
- "--mark", "0x00008000/0x0000c000",
- "-j", "apply_vpn_mark", "-w"),
- true, nullptr));
+ ElementsAre("-L", "apply_vpn_mark", "-w"), false,
+ nullptr));
+ EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
+ ElementsAre("-L", "apply_vpn_mark", "-w"),
+ false, nullptr));
EXPECT_CALL(runner, iptables(StrEq("mangle"),
ElementsAre("-F", "apply_vpn_mark", "-w"), true,
nullptr));
+ EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
+ ElementsAre("-F", "apply_vpn_mark", "-w"), true,
+ nullptr));
EXPECT_CALL(runner, iptables(StrEq("mangle"),
ElementsAre("-X", "apply_vpn_mark", "-w"), true,
nullptr));
EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
- ElementsAre("-D", "OUTPUT", "-m", "mark",
- "--mark", "0x00008000/0x0000c000",
- "-j", "apply_vpn_mark", "-w"),
- true, nullptr));
- EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
- ElementsAre("-F", "apply_vpn_mark", "-w"), true,
- nullptr));
- EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
ElementsAre("-X", "apply_vpn_mark", "-w"), true,
nullptr));
- // Asserts for check_routing_mark chain
EXPECT_CALL(runner, iptables(StrEq("mangle"),
- ElementsAre("-D", "POSTROUTING", "-j",
- "CONNMARK", "--restore-mark",
- "--mask", "0xffff0000", "-w"),
- true, nullptr));
- EXPECT_CALL(runner, iptables(StrEq("mangle"),
- ElementsAre("-D", "POSTROUTING", "-m", "mark",
- "!", "--mark", "0x0/0xffff0000",
- "-j", "check_routing_mark", "-w"),
- true, nullptr));
+ ElementsAre("-L", "check_routing_mark", "-w"),
+ false, nullptr));
+ EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
+ ElementsAre("-L", "check_routing_mark", "-w"),
+ false, nullptr));
EXPECT_CALL(runner, iptables(StrEq("mangle"),
ElementsAre("-F", "check_routing_mark", "-w"),
true, nullptr));
+ EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
+ ElementsAre("-F", "check_routing_mark", "-w"),
+ true, nullptr));
EXPECT_CALL(runner, iptables(StrEq("mangle"),
ElementsAre("-X", "check_routing_mark", "-w"),
true, nullptr));
EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
- ElementsAre("-D", "POSTROUTING", "-j",
- "CONNMARK", "--restore-mark",
- "--mask", "0xffff0000", "-w"),
- true, nullptr));
- EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
- ElementsAre("-D", "POSTROUTING", "-m", "mark",
- "!", "--mark", "0x0/0xffff0000",
- "-j", "check_routing_mark", "-w"),
- true, nullptr));
- EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
- ElementsAre("-F", "check_routing_mark", "-w"),
- true, nullptr));
- EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
ElementsAre("-X", "check_routing_mark", "-w"),
true, nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("filter"),
+ ElementsAre("-L", "drop_guest_ipv4_prefix", "-w"), false,
+ nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("filter"),
+ ElementsAre("-F", "drop_guest_ipv4_prefix", "-w"), true,
+ nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("filter"),
+ ElementsAre("-X", "drop_guest_ipv4_prefix", "-w"), true,
+ nullptr));
+ EXPECT_CALL(runner,
+ iptables(StrEq("nat"), ElementsAre("-F", "POSTROUTING", "-w"),
+ true, nullptr));
Datapath datapath(&runner, &firewall);
datapath.Stop();
@@ -835,13 +910,13 @@
MockFirewall firewall;
EXPECT_CALL(runner,
iptables(StrEq("filter"),
- ElementsAre("-I", "OUTPUT", "-o", "eth+", "-s",
- "100.115.92.0/24", "-j", "DROP", "-w"),
+ ElementsAre("-I", "drop_guest_ipv4_prefix", "-o", "eth+",
+ "-s", "100.115.92.0/24", "-j", "DROP", "-w"),
true, nullptr));
EXPECT_CALL(runner,
iptables(StrEq("filter"),
- ElementsAre("-D", "OUTPUT", "-o", "eth+", "-s",
- "100.115.92.0/24", "-j", "DROP", "-w"),
+ ElementsAre("-D", "drop_guest_ipv4_prefix", "-o", "eth+",
+ "-s", "100.115.92.0/24", "-j", "DROP", "-w"),
true, nullptr));
Datapath datapath(&runner, &firewall);
datapath.AddSourceIPv4DropRule("eth+", "100.115.92.0/24");