Clear incoming packet mark rules on netd startup.
Currently, we put the incoming packet mark rules directly into
the INPUT chain of the mangle table, which is not cleared on netd
start. Move these rules to their own chain. This makes them
consistent with all the other iptables rules and makes it easy to
clear them on startup using the existing mechanisms.
Bug: 28362720
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Test: watch -n1 "adb shell iptables -v -n -t mangle -L INPUT" while switching networks
Test: rules are cleared on netd restart
Change-Id: I9130f997a96dcfdfdfdd950520a76f8473b5f603
diff --git a/server/Controllers.cpp b/server/Controllers.cpp
index 1dccec8..84f719b 100644
--- a/server/Controllers.cpp
+++ b/server/Controllers.cpp
@@ -72,6 +72,11 @@
NULL,
};
+static const char* MANGLE_INPUT[] = {
+ RouteController::LOCAL_MANGLE_INPUT,
+ NULL,
+};
+
static const char* MANGLE_FORWARD[] = {
NatController::LOCAL_MANGLE_FORWARD,
NULL,
@@ -141,6 +146,7 @@
createChildChains(V4V6, "raw", "PREROUTING", RAW_PREROUTING, true);
createChildChains(V4V6, "mangle", "POSTROUTING", MANGLE_POSTROUTING, false);
createChildChains(V4V6, "mangle", "FORWARD", MANGLE_FORWARD, true);
+ createChildChains(V4V6, "mangle", "INPUT", MANGLE_INPUT, true);
createChildChains(V4, "nat", "PREROUTING", NAT_PREROUTING, true);
createChildChains(V4, "nat", "POSTROUTING", NAT_POSTROUTING, true);
ALOGI("Creating child chains: %.1fms", s.getTimeAndReset());
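Review bot: The new createChildChains call for mangle INPUT passes a trailing `true` whose meaning is not visible in this hunk, and the neighbouring calls mix `true` and `false` (mangle POSTROUTING gets `false`) with no explanation, so a reader cannot tell whether the flag is what makes the new chain get flushed on startup or why INPUT should differ from POSTROUTING. Since the whole point of the change is that these rules are now cleared on restart, a one-line comment at the call site would tie the call to that intent, e.g. `// Incoming packet mark rules (RouteController) live in this child chain so they are cleared on netd restart.` If the boolean controls something other than clearing, the comment should name that instead rather than leave the two values unexplained. The enclosing function starts and ends outside the hunk.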
diff --git a/server/RouteController.cpp b/server/RouteController.cpp
index f2894cb..aeed3e9 100644
--- a/server/RouteController.cpp
+++ b/server/RouteController.cpp
@@ -81,6 +81,8 @@
const char* const ROUTE_TABLE_NAME_LOCAL = "local";
const char* const ROUTE_TABLE_NAME_MAIN = "main";
+const char* const RouteController::LOCAL_MANGLE_INPUT = "routectrl_mangle_INPUT";
+
// These values are upstream, but not yet in our headers.
// TODO: delete these definitions when updating the headers.
const uint16_t FRA_UID_RANGE = 20;
@@ -422,8 +424,9 @@
fwmark.protectedFromVpn = true;
fwmark.permission = permission;
- std::string cmd = StringPrintf("%s INPUT -i %s -j MARK --set-mark 0x%x",
- add ? "-A" : "-D", interface, fwmark.intValue);
+ std::string cmd = StringPrintf("%s %s -i %s -j MARK --set-mark 0x%x",
+ add ? "-A" : "-D", RouteController::LOCAL_MANGLE_INPUT,
+ interface, fwmark.intValue);
if (RouteController::iptablesRestoreCommandFunction(V4V6, "mangle", cmd, nullptr) != 0) {
ALOGE("failed to change iptables rule that sets incoming packet mark");
return -EREMOTEIO;
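Review bot: The rewritten StringPrintf on the new side still splices `interface` unquoted into an iptables-restore command line, so moving the rule into routectrl_mangle_INPUT does not change that a name containing whitespace or a leading `-` would be read as extra arguments; if interface names are validated before they reach modifyIncomingPacketMark, that guarantee is not visible here and deserves a comment such as `// interface is interpolated unquoted into an iptables-restore line; callers must pass a validated interface name.` The ALOGE on failure also drops everything an operator would need to correlate the failure with `iptables -t mangle -L`: consider `ALOGE("failed to %s iptables rule in %s for %s (mark 0x%x)", add ? "add" : "delete", RouteController::LOCAL_MANGLE_INPUT, interface, fwmark.intValue);`. The enclosing function modifyIncomingPacketMark starts and ends outside the hunk.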
diff --git a/server/RouteController.h b/server/RouteController.h
index 579cfe2..d13ea58 100644
--- a/server/RouteController.h
+++ b/server/RouteController.h
@@ -40,6 +40,8 @@
static const int ROUTE_TABLE_OFFSET_FROM_INDEX = 1000;
+ static const char* const LOCAL_MANGLE_INPUT;
+
static int Init(unsigned localNetId) WARN_UNUSED_RESULT;
static int addInterfaceToLocalNetwork(unsigned netId, const char* interface) WARN_UNUSED_RESULT;
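Review bot: The new public constant LOCAL_MANGLE_INPUT is declared without a comment, so nothing in the header says which table it names a chain in or that Controllers must create it as a child of mangle INPUT before modifyIncomingPacketMark can append to it. Suggest `// Child chain of the mangle table's INPUT chain holding the per-interface incoming packet mark rules; created by Controllers, which is also where it is cleared on startup.` so the coupling between the two files is visible at the declaration. The surrounding class declaration continues outside the hunk.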
diff --git a/server/RouteControllerTest.cpp b/server/RouteControllerTest.cpp
index a8468a6..090b383 100644
--- a/server/RouteControllerTest.cpp
+++ b/server/RouteControllerTest.cpp
@@ -87,10 +87,12 @@
TEST_F(RouteControllerTest, TestModifyIncomingPacketMark) {
static constexpr int TEST_NETID = 30;
EXPECT_EQ(0, modifyIncomingPacketMark(TEST_NETID, "netdtest0", PERMISSION_NONE, true));
- expectIptablesRestoreCommands({ "-t mangle -A INPUT -i netdtest0 -j MARK --set-mark 0x3001e" });
+ expectIptablesRestoreCommands({
+ "-t mangle -A routectrl_mangle_INPUT -i netdtest0 -j MARK --set-mark 0x3001e" });
EXPECT_EQ(0, modifyIncomingPacketMark(TEST_NETID, "netdtest0", PERMISSION_NONE, false));
- expectIptablesRestoreCommands({ "-t mangle -D INPUT -i netdtest0 -j MARK --set-mark 0x3001e" });
+ expectIptablesRestoreCommands({
+ "-t mangle -D routectrl_mangle_INPUT -i netdtest0 -j MARK --set-mark 0x3001e" });
}
} // namespace net