patchpanel: iptables setup can be rebuilt after a crash

This patch makes patchpanel more robust if a crash or unordered
shutdown happens and patchpanel does not have the opportunity to
tear down its iptables setup.

To do so, patchpanel always starts by flushing all chains used for
routing traffic in general and forwarding traffic of hosted guests like
ARC. Chains used for permission_broker rules and traffic accounting are
not flushed.

This patch does not make patchpanel able to restore the ARC datapath
while in the middle of a session.

BUG=b:148033397
BUG=b:161060333
BUG=b:171764279
TEST=Flashed rammus, killed patchpanel in and out of session multiple
times and checked that the state of iptables can be rebuilt
consistently.

Change-Id: I86428410bdf1ee0cdd923c94ca6efc79888b0508
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2569569
Commit-Queue: Hugo Benichi <hugobenichi@google.com>
Tested-by: Hugo Benichi <hugobenichi@google.com>
Reviewed-by: Taoyu Li <taoyl@chromium.org>
diff --git a/patchpanel/datapath.h b/patchpanel/datapath.h
index 761eaa6..7738e4c 100644
--- a/patchpanel/datapath.h
+++ b/patchpanel/datapath.h
@@ -269,6 +269,10 @@
   MinijailedProcessRunner& runner() const;
 
  private:
+  // Attempts to flush all built-in iptables chains used by patchpanel, and to
+  // delete all additionals chains created by patchpanel for routing. Traffic
+  // accounting chains are not deleted.
+  void ResetIptables();
   // Creates a virtual interface pair.
   bool AddVirtualInterfacePair(const std::string& netns_name,
                                const std::string& veth_ifname,
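Review bot: The comment on ResetIptables() names only traffic accounting chains as preserved, but the commit message says permission_broker chains are also left unflushed; list both in the comment so a reader of datapath.h knows which rules survive a restart. The declaration returns void while the comment says "Attempts to", so a partial or failed flush is invisible to the caller; consider returning bool as AddVirtualInterfacePair does just below, or state in the comment how failures are handled. Minor: "additionals" should be "additional", and a blank line between the new declaration and "// Creates a virtual interface pair." would keep the two declarations visually separate.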