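# Copyright 2015 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

description "Starts platform guest networking services"
author "chromium-os-dev@chromium.org"

start on starting system-services
stop on stopping system-services

respawn
respawn limit 3 10

# pre-start installs the forwarding sysctl and the iptables rules patchpaneld
# relies on. Every rule appended here has a matching "-D" in post-stop, so a
# stop/start cycle leaves the firewall as it found it (a rule that is only
# ever appended would gain one extra copy per cycle).
pre-start script
{
  echo "Setting up NAT and IP forwarding"
  sysctl net.ipv4.ip_forward=1

  # Only packets marked with a 1 will be forwarded. A service depending on
  # this should then set up a rule to mark its packets. For example, to mark
  # all packets from interface br0:
  # iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1 -w
  #
  # chromium:1050579: INVALID packets cannot be tracked by conntrack therefore
  # need to be explicitly dropped.
  iptables -A FORWARD -m mark --mark 1 -m state --state INVALID -j DROP -w
  iptables -A FORWARD -m mark --mark 1 -j ACCEPT -w
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT -w
  iptables -t nat -A POSTROUTING -m mark --mark 1 -j MASQUERADE -w

  # TODO(chromium:898210): Move interface-specific masquerading setup to shill;
  # such that we can better set up the masquerade rules based on connection
  # type rather than interface names.
  iptables -t nat -A POSTROUTING -o wwan+ -j MASQUERADE -w

  # This marks packets from _all_ interfaces starting with vmtap, since
  # they all belong to termina, and will all want to be NAT'ed.
  iptables -t mangle -A PREROUTING -i vmtap+ -j MARK --set-mark 1 -w

  echo "Starting patchpaneld"
# NOTE: the status of this pipeline is logger's, so a failing sysctl or
# iptables call above does not fail pre-start; the daemon still starts and
# the failure is only visible in the log.
} 2>&1 | logger -t "${UPSTART_JOB}"
end script # pre-start

exec /usr/bin/patchpaneld

# post-stop removes, in reverse order, exactly the rules pre-start appended:
# the vmtap marking rule first (stop marking), then the FORWARD/nat rules,
# then the wwan masquerade, and finally the sysctl.
post-stop script
{
  echo "Stopped patchpaneld"
  echo "Tearing down NAT and IP forwarding"
  iptables -t mangle -D PREROUTING -i vmtap+ -j MARK --set-mark 1 -w

  # The INVALID drop rule (chromium:1050579) is appended in pre-start and must
  # be deleted here too; otherwise one copy is left behind per stop/start
  # cycle.
  iptables -D FORWARD -m mark --mark 1 -m state --state INVALID -j DROP -w
  iptables -D FORWARD -m mark --mark 1 -j ACCEPT -w
  iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT -w
  iptables -t nat -D POSTROUTING -m mark --mark 1 -j MASQUERADE -w

  # TODO(chromium:898210): Move interface-specific masquerading setup to shill
  # such that we can better set up the masquerade rules based on connection
  # type rather than interface names.
  iptables -t nat -D POSTROUTING -o wwan+ -j MASQUERADE -w

  sysctl net.ipv4.ip_forward=0
# As in pre-start, a failed delete is logged but does not fail post-stop.
} 2>&1 | logger -t "${UPSTART_JOB}"
end script # post-stop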