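# Copyright 2015 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

description "Starts platform guest networking services"
author "chromium-os-dev@chromium.org"

start on starting system-services
stop on stopping system-services

respawn
respawn limit 3 10

# Killable for memory leaks.
oom score -100
# This limit is high to accommodate the adp-proxy child process which will
# attempt to mmap over 200MB on first connect.
limit as 400000000 unlimited

# Installs the host-side forwarding/NAT rules that guest networking relies on.
# Every rule appended here has a matching deletion in post-stop, so a
# stop/start (or respawn) cycle leaves the tables as it found them.
pre-start script
# NOTE: the exit status of this pipeline is logger's, not the group's, so a
# failed sysctl/iptables call is logged but does not prevent the job from
# starting. Check the log if guest networking is unexpectedly broken.
{
  echo "Setting up NAT and IP forwarding"
  sysctl net.ipv4.ip_forward=1

  # Only packets marked with a 1 will be forwarded. A service depending on
  # this should then set up a rule to mark its packets. For example, to mark
  # all packets from interface br0:
  # iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1 -w
  #
  # chromium:1050579: INVALID packets cannot be tracked by conntrack therefore
  # need to be explicitly dropped. This DROP must stay ahead of the ACCEPT for
  # mark 1 below, since the chain is evaluated first-match.
  iptables -A FORWARD -m mark --mark 1 -m state --state INVALID -j DROP -w
  iptables -A FORWARD -m mark --mark 1 -j ACCEPT -w
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT -w
  iptables -t nat -A POSTROUTING -m mark --mark 1 -j MASQUERADE -w

  # TODO(chromium:898210): Move interface-specific masquerading setup to shill;
  # such that we can better set up the masquerade rules based on connection
  # type rather than interface names.
  iptables -t nat -A POSTROUTING -o wwan+ -j MASQUERADE -w

  # This marks packets from _all_ interfaces starting with vmtap, since
  # they all belong to termina, and will all want to be NAT'ed.
  iptables -t mangle -A PREROUTING -i vmtap+ -j MARK --set-mark 1 -w

  echo "Starting patchpaneld"
} 2>&1 | logger -t "${UPSTART_JOB}"
end script # pre-start

exec /usr/bin/patchpaneld

# Reverses pre-start rule for rule. Each deletion is best-effort: Upstart runs
# script stanzas under `sh -e`, so without `|| true` a single failed
# `iptables -D` (rule never installed because pre-start aborted early, or
# already flushed by something else) would skip the remaining deletions and
# leave ip_forward enabled with ACCEPT rules in place. Failures still reach
# the log through stderr.
post-stop script
{
  echo "Stopped patchpaneld"
  echo "Tearing down NAT and IP forwarding"
  iptables -t mangle -D PREROUTING -i vmtap+ -j MARK --set-mark 1 -w || true

  # The INVALID DROP rule is removed here too; otherwise every respawn would
  # leave one more copy of it behind in FORWARD.
  iptables -D FORWARD -m mark --mark 1 -m state --state INVALID -j DROP -w \
    || true
  iptables -D FORWARD -m mark --mark 1 -j ACCEPT -w || true
  iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT -w || true
  iptables -t nat -D POSTROUTING -m mark --mark 1 -j MASQUERADE -w || true

  # TODO(chromium:898210): Move interface-specific masquerading setup to shill
  # such that we can better set up the masquerade rules based on connection
  # type rather than interface names.
  iptables -t nat -D POSTROUTING -o wwan+ -j MASQUERADE -w || true

  sysctl net.ipv4.ip_forward=0
} 2>&1 | logger -t "${UPSTART_JOB}"
end script # post-stop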