Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / netd / 083688fd5d5e49c44dd25a073e42154dbaf2d051^! / . / server / ClatdController.cpp
commit083688fd5d5e49c44dd25a073e42154dbaf2d051[log] [tgz]
authorMaciej Żenczykowski <maze@google.com>Mon Dec 23 14:43:09 2019 -0800
committerMaciej Żenczykowski <maze@google.com>Fri Dec 27 16:39:17 2019 +0000
treee420df28112937f1898f49faf69d02b40a8f5dee
parent9400524d0c8e8d83dbfee7ae1a348c348e0c0d5c [diff] [blame]
ClatdController - unconditionally ip6tables drop incoming 464xlat destined frames

Incoming 464xlat destined packets should either have been ebpf offloaded to
ipv4 prior to even making it to ip6tables, or will be picked up by clatd's
AF_PACKET raw socket, and thus do not need to hit the IPv6 stack either.

Making it unconditional should simplify things, and fixes a bug where these
packets can result in the IPv6 stack sending back errors or double delivering
to AF_INET6 UDP :: bound dualstack sockets (one IPv6 and one IPv4 copy).

Note: This potentially breaks traffic accounting.
But that's already broken, just in a different way.
We'll need to fix that as part of the linked bugs once we have decent tests,
so that we actually know *what* doesn't work.

Basically this patch - even though it might cause fallout - moves us in the
right direction.

Test: atest bpf_module_test clatd_test libbpf_android_test libnetdbpf_test
  netd_integration_test netd_unit_test netdutils_test resolv_integration_test
  resolv_unit_test
Related-Bug: 136696213
Bug: 65674744
Bug: 79546774
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I2f2769d8de4b6057782d565c96ed92d9f9e4ce30

diff --git a/server/ClatdController.cpp b/server/ClatdController.cpp
index ec64d29..aaa03c1 100644
--- a/server/ClatdController.cpp
+++ b/server/ClatdController.cpp

@@ -428,9 +428,7 @@
     // success
 }
 
-void ClatdController::maybeSetIptablesDropRule(bool add, const char* pfx96Str, const char* v6Str) {
-    if (mClatEbpfMode == ClatEbpfDisabled) return;
-
+void ClatdController::setIptablesDropRule(bool add, const char* pfx96Str, const char* v6Str) {
     std::string cmd = StringPrintf(
             "*raw\n"
             "%s %s -s %s/96 -d %s -j DROP\n"
@@ -649,8 +647,8 @@
         return -res;
     }
 
-    // 11. If necessary, add the drop rule for iptables.
-    maybeSetIptablesDropRule(true, tracker.pfx96String, tracker.v6Str);
+    // 11. add the drop rule for iptables.
+    setIptablesDropRule(true, tracker.pfx96String, tracker.v6Str);
 
     // 12. actually perform vfork/dup2/execve
     res = posix_spawn(&tracker.pid, kClatdPath, &fa, &attr, (char* const*)args, nullptr);
@@ -685,7 +683,7 @@
     kill(tracker->pid, SIGTERM);
     waitpid(tracker->pid, nullptr, 0);
 
-    maybeSetIptablesDropRule(false, tracker->pfx96String, tracker->v6Str);
+    setIptablesDropRule(false, tracker->pfx96String, tracker->v6Str);
     mClatdTrackers.erase(interface);
 
     ALOGD("clatd on %s stopped", interface.c_str());