Gitiles
Code Review Sign In
gerrit.openfyde.cn / chromium.googlesource.com / chromiumos / platform2 / c6ae67cb15ea26b6a99a81fd7d86b41da9074fcb^! / . / patchpanel / datapath.cc
commitc6ae67cb15ea26b6a99a81fd7d86b41da9074fcb[log] [tgz]
authorHugo Benichi <hugobenichi@google.com>Fri Aug 14 15:02:13 2020 +0900
committerCommit Bot <commit-bot@chromium.org>Thu Sep 10 03:57:58 2020 +0000
tree4b1bd6bef46629a3770b44e9ff7c750799313bf5
parentd82d883e8d09bee5cfabde48abb6fc9572a8d48c [diff] [blame]
patchpanel: add iface based forwarding for guest traffic

This patch adds FORWARD ACCEPT rules based on iif and oif interface
names for ARC++ like downstream guests (multinetwork) and Crosvm like
downstream guests (single network tracking). ConnectedNamespaces will be
migrated in a follow-up patch.

Note that these new rules are effectively not doing anything until the
current FORWARD -m match --mark 1/1 -j ACCEPT rule is maintained in the
system. Before relying on these new FORWARD rules, fwmark based routing
should be implemented first.

BUG=b:161507671
BUG=b:161508179
TEST=Unit tests. Flased rammus, checked ARC++ connectivity.

Change-Id: Iaafb5b6060d40fe7f08d223286dd4fa11eb3b273
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2359937
Tested-by: Hugo Benichi <hugobenichi@google.com>
Commit-Queue: Hugo Benichi <hugobenichi@google.com>
Reviewed-by: Abhishek Kumar <kuabhs@chromium.org>
Reviewed-by: Taoyu Li <taoyl@chromium.org>

diff --git a/patchpanel/datapath.cc b/patchpanel/datapath.cc
index 8e3b7a0..7eff599 100644
--- a/patchpanel/datapath.cc
+++ b/patchpanel/datapath.cc

@@ -332,16 +332,13 @@
     LOG(ERROR) << "Failed to configure ingress traffic rules for " << ext_ifname
                << "->" << int_ifname;
 
-  // TODO(b/161508179) Explicitly enable IPv4 forwarding for this pair of
-  // interfaces for the ingress direction.
-  if (!AddOutboundIPv4(int_ifname))
-    LOG(ERROR) << "Failed to configure egress traffic rules for " << ext_ifname
-               << "<-" << int_ifname;
+  if (StartIpForwarding(IpFamily::IPv4, ext_ifname, int_ifname))
+    LOG(ERROR) << "Failed to enable IP forwarding for " << ext_ifname << "->"
+               << int_ifname;
 
-  // TODO(b/161508179) Explicitly enable IPv4 forwarding for this pair of
-  // interfaces for the egress direction and stop relying on the traffic fwmark
-  // matching 1/1 once forwarded egress traffic is routed through the fwmark
-  // routing tag.
+  if (StartIpForwarding(IpFamily::IPv4, int_ifname, ext_ifname))
+    LOG(ERROR) << "Failed to enable IP forwarding for " << ext_ifname << "<-"
+               << int_ifname;
 
   // TODO(b/161507671) If ext_ifname is not null, mark egress traffic with the
   // fwmark routing tag corresponding to |ext_ifname|, and set up strong routing
@@ -360,9 +357,8 @@
                                  TrafficSource source) {
   if (!ext_ifname.empty())
     RemoveInboundIPv4DNAT(ext_ifname, IPv4AddressToString(int_ipv4_addr));
-  RemoveOutboundIPv4(int_ifname);
-
-  // TODO(b/161508179) Stops IPv4 forwarding for this pair of interfaces.
+  StopIpForwarding(IpFamily::IPv4, ext_ifname, int_ifname);
+  StopIpForwarding(IpFamily::IPv4, int_ifname, ext_ifname);
   // TODO(b/161508179) Remove source marking for egress traffic.
   // TODO(b/161507671) Remove routing tag marking for egress traffic.
 }
@@ -415,6 +411,8 @@
   StopIpForwarding(IpFamily::IPv4, "", ifname);
 }
 
+// TODO(b/161507671) Stop relying on the traffic fwmark 1/1 once forwarded
+// egress traffic is routed through the fwmark routing tag.
 bool Datapath::AddSNATMarkRules() {
   // chromium:1050579: INVALID packets cannot be tracked by conntrack therefore
   // need to be explicitly dropped.