patchpanel: add separate chains for permission_broker rules

This patch introduces additional filter chains for storing
permission_broker rules:
  - ingress_port_firewall is attached to the INPUT chain and stores
  permission_broker port access rules
  - egress_port_firewall is attached to the OUTPUT chain and stores
  permission_broker drop rules for Chrome localhost traffic.

BUG=b:197190975
TEST=unit tests. Flashed trogdor.

Cq-Depend: chromium:3284428
Change-Id: I57afbb1ead3feb59cb7401331c89fd0ff84d03c1
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/3143560
Tested-by: Hugo Benichi <hugobenichi@google.com>
Commit-Queue: Hugo Benichi <hugobenichi@google.com>
Reviewed-by: Taoyu Li <taoyl@chromium.org>
diff --git a/patchpanel/datapath.h b/patchpanel/datapath.h
index d491d5f..8abcc0b 100644
--- a/patchpanel/datapath.h
+++ b/patchpanel/datapath.h
@@ -29,6 +29,16 @@
 
 namespace patchpanel {
 
+// filter INPUT chain for ingress port access rules controlled by
+// permission_broker.
+constexpr char kIngressPortFirewallChain[] = "ingress_port_firewall";
+// filter OUTPUT chain for egress port restriction rules controlled by
+// permission_broker.
+constexpr char kEgressPortFirewallChain[] = "egress_port_firewall";
+// nat PREROUTING chain for ingress DNAT forwarding rules controlled by
+// permission_broker.
+constexpr char kIngressPortForwardingChain[] = "ingress_port_forwarding";
+
 // Struct holding parameters for Datapath::StartRoutingNamespace requests.
 struct ConnectedNamespace {
   // The special pid which indicates this namespace is not attached to an
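Review bot: kIngressPortForwardingChain, the third constant added at the top of this hunk, is not covered by the commit message, which describes only ingress_port_firewall (INPUT) and egress_port_firewall (OUTPUT). Since this one names a nat PREROUTING chain for DNAT forwarding rules, either add it to the description with the same "attached to" wording as the other two, or move the constant to the change that actually creates and populates that chain. The three comments would also read more precisely as "Chain attached to filter INPUT for ...", because "filter INPUT chain for ingress port access rules" can be read as saying the rules live in INPUT itself rather than in a dedicated chain jumped to from it.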