patchpanel: add catch-all traffic accounting rule
This patch adds a catch-all accounting rule on all accounting chains
tx_<iface> and rx_<iface> for counting any traffic that has not been
correctly tagged. Such traffic is counted with source UNKNOWN.
This patch also updates the general description of CountersService in
counters_service.h.
BUG=b:171764279
TEST=Flashed rammus. Manually removed accounting rules for cronos and
other sources, checked that counters for UNKNOWN go up, checked output
$ dbus-send --system --dest=org.chromium.PatchPanel --print-reply \
/org/chromium/PatchPanel org.chromium.PatchPanel.GetTrafficCounters
Change-Id: I745d4d479440ca96fb4bf81e33d809e6344ca509
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2581164
Tested-by: Hugo Benichi <hugobenichi@google.com>
Commit-Queue: Hugo Benichi <hugobenichi@google.com>
Reviewed-by: Jie Jiang <jiejiang@chromium.org>
diff --git a/patchpanel/counters_service.h b/patchpanel/counters_service.h
index 3e3460d..cd66647 100644
--- a/patchpanel/counters_service.h
+++ b/patchpanel/counters_service.h
@@ -33,20 +33,17 @@
// and will not change the fate of a packet. When a new interface comes up, we
// will create the following new rules/chains (using both iptables and
// ip6tables):
-// - Four accounting chains:
-// - For rx packets, `ingress_input_{ifname}` and `ingress_forward_{ifname}`
-// for INPUT and FORWARD chain, respectively;
-// - For tx packets, `egress_postrouting_{ifname}` and
-// `egress_forward_{ifname}` for POSTROUTING and FORWARD chain,
-// respectively. Note that we use `--socket-exists` in POSTROUTING chain to
-// avoid packets from FORWARD being matched again here.
-// - One accounting rule in each accounting chain, which provides the actual
-// counter for accounting. We will extend this to several rules when source
-// marking is ready.
-// - One jumping rule for each accounting chain in the corresponding prebuilt
+// - Two accounting chains:
+// - For rx packets, `rx_{ifname}` for INPUT and FORWARD chains;
+// - For tx packets, `tx_{ifname}` for POSTROUTING chain.
+// - One accounting rule in each accounting chain for every source defined in
+// RoutingService plus one final accounting rule for untagged traffic.
+// - Jumping rules for each accounting chain in the corresponding prebuilt
// chain, which matches packets with this new interface.
-// The above rules and chains will never be removed once created, so we will
-// check if one rule exists before creating it.
+// The above accounting rules and chains will never be removed once created, so
+// we will check if one rule exists before creating it. Jumping rules are added
+// and removed dynamically based on physical device and vpn device creation and
+// removal events.
//
// Query: Two commands (iptables and ip6tables) will be executed in the mangle
// table to get all the chains and rules. And then we perform a text parsing on
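Review bot: the new line "plus one final accounting rule for untagged traffic" should state that this rule must stay last in the chain, since an accounting rule for a source added later with an append would land after the catch-all and never be reached; also say which source label the untagged counter is reported under (the commit message calls it UNKNOWN, the header does not mention it). Minor grammar in the kept context line: with "Jumping rules" now plural, "which matches packets with this new interface" should read "which match packets with this new interface".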