patchpanel: add separate chains for permission_broker rules
This patch introduces additional filter chains for storing
permission_broker rules:
- ingress_port_firewall is attached to the INPUT chain and stores
permission_broker port access rules
- egress_port_firewall is attached to the OUTPUT chain and stores
permission_broker drop rules for Chrome localhost traffic.
BUG=b:197190975
TEST=unit tests. Flashed trogdor.
Cq-Depend: chromium:3284428
Change-Id: I57afbb1ead3feb59cb7401331c89fd0ff84d03c1
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/3143560
Tested-by: Hugo Benichi <hugobenichi@google.com>
Commit-Queue: Hugo Benichi <hugobenichi@google.com>
Reviewed-by: Taoyu Li <taoyl@chromium.org>
diff --git a/patchpanel/firewall.cc b/patchpanel/firewall.cc
index 70e1b84..d075635 100644
--- a/patchpanel/firewall.cc
+++ b/patchpanel/firewall.cc
@@ -20,6 +20,7 @@
#include <base/strings/string_util.h>
#include <base/strings/stringprintf.h>
+#include "patchpanel/datapath.h"
#include "patchpanel/net_util.h"
namespace {
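Review bot: The new `#include "patchpanel/datapath.h"` is pulled into firewall.cc only to reach the chain-name constants (kIngressPortFirewallChain and friends used in the later hunks), which couples the firewall rule writer to the datapath layer; if datapath.h in turn includes firewall.h (not visible in this hunk), the include becomes circular. The names of chains that both the chain owner and the rule writer must agree on fit better in a small shared header, or in firewall.h itself. The rest of the include block lies outside the hunk, so whether firewall.h already declares such constants cannot be checked here.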
@@ -199,7 +200,7 @@
std::vector<std::string> argv{
operation,
- "ingress_port_forwarding",
+ kIngressPortForwardingChain,
"-i",
interface,
"-p", // protocol
@@ -300,7 +301,7 @@
const std::string& interface) {
std::vector<std::string> argv{
"-I", // insert
- "INPUT",
+ kIngressPortFirewallChain,
"-p", // protocol
ProtocolName(protocol),
"--dport", // destination port
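Review bot: The insert at the `"-I"` / `kIngressPortFirewallChain` lines now assumes the dedicated chain already exists in the filter table and that INPUT jumps to it at the intended position; if the chain has not been created yet, iptables rejects the `-I` and the permission_broker rule is silently absent rather than placed at the head of INPUT as before. Nothing in this hunk documents that ordering dependency, and the enclosing function (whose return path handles the exec result) ends outside the hunk, so I cannot confirm the failure is surfaced to the caller. I would add above the vector: `// Rules go into the dedicated chain; the chain itself must be created and jumped to from INPUT before this is called, otherwise the insert fails.` The same note applies to the delete at the hunk ending at L51 and to the egress insert/delete in the hunks ending at L60 and L69, where the chain is attached to OUTPUT instead.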
@@ -323,7 +324,7 @@
const std::string& interface) {
std::vector<std::string> argv{
"-D", // delete
- "INPUT",
+ kIngressPortFirewallChain,
"-p", // protocol
ProtocolName(protocol),
"--dport", // destination port
@@ -345,7 +346,7 @@
uint16_t port) {
std::vector<std::string> argv{
"-I", // insert
- "OUTPUT",
+ kEgressPortFirewallChain,
"-p", // protocol
ProtocolName(protocol),
"--dport", // destination port
@@ -370,7 +371,7 @@
uint16_t port) {
std::vector<std::string> argv{
"-D", // delete
- "OUTPUT",
+ kEgressPortFirewallChain,
"-p", // protocol
ProtocolName(protocol),
"--dport", // destination port