patchpanel: add iface based forwarding for guest traffic
This patch adds FORWARD ACCEPT rules based on iif and oif interface
names for ARC++ like downstream guests (multinetwork) and Crosvm like
downstream guests (single network tracking). ConnectedNamespaces will be
migrated in a follow-up patch.
Note that these new rules are effectively not doing anything as long as the
current FORWARD -m match --mark 1/1 -j ACCEPT rule is kept in the
system. Before relying on these new FORWARD rules, fwmark based routing
should be implemented first.
BUG=b:161507671
BUG=b:161508179
TEST=Unit tests. Flased rammus, checked ARC++ connectivity.
Change-Id: Iaafb5b6060d40fe7f08d223286dd4fa11eb3b273
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2359937
Tested-by: Hugo Benichi <hugobenichi@google.com>
Commit-Queue: Hugo Benichi <hugobenichi@google.com>
Reviewed-by: Abhishek Kumar <kuabhs@chromium.org>
Reviewed-by: Taoyu Li <taoyl@chromium.org>
diff --git a/patchpanel/datapath_test.cc b/patchpanel/datapath_test.cc
index f850b78..5eb94f7 100644
--- a/patchpanel/datapath_test.cc
+++ b/patchpanel/datapath_test.cc
@@ -313,8 +313,12 @@
"--to-destination", "1.2.3.4", "-w"),
true, nullptr));
EXPECT_CALL(runner, iptables(StrEq("filter"),
- ElementsAre("-A", "FORWARD", "-o", "arc_eth0",
- "-j", "ACCEPT", "-w"),
+ ElementsAre("-A", "FORWARD", "-i", "eth0", "-o",
+ "arc_eth0", "-j", "ACCEPT", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner, iptables(StrEq("filter"),
+ ElementsAre("-A", "FORWARD", "-i", "arc_eth0",
+ "-o", "eth0", "-j", "ACCEPT", "-w"),
true, nullptr));
Datapath datapath(&runner, &firewall);
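Review bot: The two added expectations spell out the full `EXPECT_CALL(runner, iptables(StrEq("filter"), ElementsAre(...), true, nullptr))` form once per direction, and the same form is repeated for the `-D` mirror in the third hunk and for the vmtap cases in the second and fourth hunks; a small local helper that takes only the argument list would make each expectation a one-liner and make the `-A`/`-D` and `-i`/`-o` symmetry visible at a glance. Note also that plain `EXPECT_CALL` does not check the relative order of the `-i eth0 -o arc_eth0` and `-i arc_eth0 -o eth0` inserts, which is harmless for two ACCEPT rules but should be made explicit with `InSequence` if their position relative to other FORWARD rules ever starts to matter. The enclosing test body starts and ends outside the hunk.
```cpp
  // Expects one filter-table iptables call with exactly these arguments.
  auto expect_filter = [&runner](auto... args) {
    EXPECT_CALL(runner, iptables(StrEq("filter"), ElementsAre(args...), true, nullptr));
  };
  expect_filter("-A", "FORWARD", "-i", "eth0", "-o", "arc_eth0", "-j", "ACCEPT", "-w");
  expect_filter("-A", "FORWARD", "-i", "arc_eth0", "-o", "eth0", "-j", "ACCEPT", "-w");
  // … unchanged: remaining expectations and Datapath construction …
```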
@@ -329,6 +333,10 @@
ElementsAre("-A", "FORWARD", "-o", "vmtap0",
"-j", "ACCEPT", "-w"),
true, nullptr));
+ EXPECT_CALL(runner, iptables(StrEq("filter"),
+ ElementsAre("-A", "FORWARD", "-i", "vmtap0",
+ "-j", "ACCEPT", "-w"),
+ true, nullptr));
Datapath datapath(&runner, &firewall);
datapath.StartRoutingDevice("", "vmtap0", Ipv4Addr(1, 2, 3, 4),
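Review bot: The vmtap expectation added here pins `-A FORWARD -i vmtap0 -j ACCEPT` with no `-o` interface, unlike the ARC case in the first hunk where each direction is constrained by both `-i` and `-o`, so the test locks in a rule that accepts forwarding from the guest tap to any output interface, including other guest or host interfaces, once the mark-based ACCEPT that the commit message says currently shadows these rules is removed. The `StartRoutingDevice` call on the last hunk line passes an empty first argument, which may be why no upstream name is available for `-o`; if that is the reason, a one-line comment above the expectation such as `// Single-network guests have no upstream, so the inbound rule is not -o restricted.` would keep the asymmetry from reading as an oversight. If instead the guest is meant to be confined to one upstream, the implementation (not in this diff) needs the `-o` and the expectation should become `ElementsAre("-A", "FORWARD", "-i", "vmtap0", "-o", "<upstream>", "-j", "ACCEPT", "-w")`. The `-D` counterpart in the fourth hunk has the same shape. The enclosing test body starts and ends outside the hunk.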
@@ -354,8 +362,12 @@
"--to-destination", "1.2.3.4", "-w"),
true, nullptr));
EXPECT_CALL(runner, iptables(StrEq("filter"),
- ElementsAre("-D", "FORWARD", "-o", "arc_eth0",
- "-j", "ACCEPT", "-w"),
+ ElementsAre("-D", "FORWARD", "-i", "eth0", "-o",
+ "arc_eth0", "-j", "ACCEPT", "-w"),
+ true, nullptr));
+ EXPECT_CALL(runner, iptables(StrEq("filter"),
+ ElementsAre("-D", "FORWARD", "-i", "arc_eth0",
+ "-o", "eth0", "-j", "ACCEPT", "-w"),
true, nullptr));
Datapath datapath(&runner, &firewall);
@@ -370,6 +382,10 @@
ElementsAre("-D", "FORWARD", "-o", "vmtap0",
"-j", "ACCEPT", "-w"),
true, nullptr));
+ EXPECT_CALL(runner, iptables(StrEq("filter"),
+ ElementsAre("-D", "FORWARD", "-i", "vmtap0",
+ "-j", "ACCEPT", "-w"),
+ true, nullptr));
Datapath datapath(&runner, &firewall);
datapath.StopRoutingDevice("", "vmtap0", Ipv4Addr(1, 2, 3, 4),