ClatdController - iptables drop including interface name
This is a very minor bug fix. Technically we could have duplicate
src/dst IPs on different interfaces, in which case the second add would
fail, the first remove would succeed, and there would be nothing left
for the second remove to delete...
Test: atest bpf_module_test clatd_test libbpf_android_test libnetdbpf_test
netd_integration_test netd_unit_test netdutils_test resolv_integration_test
resolv_unit_test
Related-Bug: 136696213
Bug: 65674744
Bug: 79546774
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I76a4b8de70e9d9df1e17bd7fb7461b3ec9eb898b
diff --git a/server/ClatdController.cpp b/server/ClatdController.cpp
index aaa03c1..d326f41 100644
--- a/server/ClatdController.cpp
+++ b/server/ClatdController.cpp
@@ -428,12 +428,13 @@
// success
}
-void ClatdController::setIptablesDropRule(bool add, const char* pfx96Str, const char* v6Str) {
+void ClatdController::setIptablesDropRule(bool add, const char* iface, const char* pfx96Str,
+ const char* v6Str) {
std::string cmd = StringPrintf(
"*raw\n"
- "%s %s -s %s/96 -d %s -j DROP\n"
+ "%s %s -i %s -s %s/96 -d %s -j DROP\n"
"COMMIT\n",
- (add ? "-A" : "-D"), LOCAL_RAW_PREROUTING, pfx96Str, v6Str);
+ (add ? "-A" : "-D"), LOCAL_RAW_PREROUTING, iface, pfx96Str, v6Str);
iptablesRestoreFunction(V6, cmd);
}
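Review bot: `iface` is now spliced verbatim into the iptables-restore script in the StringPrintf format alongside pfx96Str and v6Str, with no validation or escaping, so the correctness of the rule depends entirely on callers having checked the name: a name containing whitespace or a newline would end the `-i` argument or inject an extra line into the script, and iptables treats a trailing `+` in an interface match as a wildcard, which would make this DROP rule match more interfaces than intended. If the interface name is already validated at the binder boundary before it reaches the tracker (I cannot see that from this hunk), the function should at least state the precondition: `// iface, pfx96Str and v6Str are interpolated verbatim into an iptables-restore script; callers must pass an already-validated interface name (no whitespace, no trailing '+').` Separately, the result of `iptablesRestoreFunction(V6, cmd)` is discarded, so the very failure the commit message describes — a duplicate add or a remove that finds no rule — leaves no trace in the log; if it returns a status, surface it: `if (iptablesRestoreFunction(V6, cmd) != 0) ALOGE("setIptablesDropRule(%s, %s, %s, %s) failed", add ? "add" : "del", iface, pfx96Str, v6Str);`.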
@@ -648,7 +649,7 @@
}
// 11. add the drop rule for iptables.
- setIptablesDropRule(true, tracker.pfx96String, tracker.v6Str);
+ setIptablesDropRule(true, tracker.iface, tracker.pfx96String, tracker.v6Str);
// 12. actually perform vfork/dup2/execve
res = posix_spawn(&tracker.pid, kClatdPath, &fa, &attr, (char* const*)args, nullptr);
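Review bot: The DROP rule is installed at step 11 before posix_spawn runs at step 12, so a failed spawn leaves the rule already present in the raw table; the error handling after this hunk (the enclosing function starts and ends outside it) needs to call `setIptablesDropRule(false, tracker.iface, tracker.pfx96String, tracker.v6Str)` on that path, otherwise every failed start presumably leaves a stale per-interface rule that the stop path never reaches because no tracker is recorded for it. I cannot see whether the existing failure path already does this; if it does, a comment at step 11 such as `// Paired with the remove in the stop path; must also be undone on every spawn-failure path below.` would make the pairing explicit for the next reader. Because setIptablesDropRule returns void, a failed add here is also invisible, and the matching remove at stop will then fail against a rule that was never installed.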
@@ -683,7 +684,7 @@
kill(tracker->pid, SIGTERM);
waitpid(tracker->pid, nullptr, 0);
- setIptablesDropRule(false, tracker->pfx96String, tracker->v6Str);
+ setIptablesDropRule(false, tracker->iface, tracker->pfx96String, tracker->v6Str);
mClatdTrackers.erase(interface);
ALOGD("clatd on %s stopped", interface.c_str());