author | Treehugger Robot <treehugger-gerrit@google.com> | 2022-04-07 15:14:52 +0000 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2022-04-07 15:14:52 +0000 |
commit | b50e20abac950175fc91c09256ebc8b15d1ce456 (patch) | |
tree | 6b56c601b64fd05c68dfbc51af3397d00ebba074 | |
parent | e983b370d58069be5f4110a81e1f1399a7f79f7b (diff) | |
parent | ba815950b8066a8518055682413311a5bfdff799 (diff) | |
Merge "Drop duplicate clat ingress packets"
-rw-r--r-- | server/BandwidthController.cpp | 5 | ||||
-rw-r--r-- | server/BandwidthControllerTest.cpp | 1 |
2 files changed, 6 insertions, 0 deletions
diff --git a/server/BandwidthController.cpp b/server/BandwidthController.cpp
index b89aa7ff..27739418 100644
--- a/server/BandwidthController.cpp
+++ b/server/BandwidthController.cpp
@@ -66,6 +66,9 @@ const char BandwidthController::LOCAL_RAW_PREROUTING[] = "bw_raw_PREROUTING";
 const char BandwidthController::LOCAL_MANGLE_POSTROUTING[] = "bw_mangle_POSTROUTING";
 const char BandwidthController::LOCAL_GLOBAL_ALERT[] = "bw_global_alert";
+// Sync from packages/modules/Connectivity/bpf_progs/clatd.c
+#define CLAT_MARK 0xdeadc1a7
+
 auto BandwidthController::iptablesRestoreFunction = execIptablesRestoreWithOutput;
 using android::base::Join;
@@ -224,6 +227,8 @@ std::vector<std::string> getBasicAccountingCommands() {
 "COMMIT",
 "*raw",
+ // Drop duplicate ingress clat packets
+ StringPrintf("-A bw_raw_PREROUTING -m mark --mark 0x%x -j DROP", CLAT_MARK),
 // Prevents IPSec double counting (Tunnel mode and Transport mode,
 // respectively)
 ("-A bw_raw_PREROUTING -i " IPSEC_IFACE_PREFIX "+ -j RETURN"),
diff --git a/server/BandwidthControllerTest.cpp b/server/BandwidthControllerTest.cpp
index b503d3d3..e7d29d23 100644
--- a/server/BandwidthControllerTest.cpp
+++ b/server/BandwidthControllerTest.cpp
@@ -187,6 +187,7 @@ TEST_F(BandwidthControllerTest, TestEnableBandwidthControl) {
 "-I bw_happy_box -m bpf --object-pinned " XT_BPF_ALLOWLIST_PROG_PATH " -j RETURN\n"
 "COMMIT\n"
 "*raw\n"
+ "-A bw_raw_PREROUTING -m mark --mark 0xdeadc1a7 -j DROP\n"
 "-A bw_raw_PREROUTING -i ipsec+ -j RETURN\n"
 "-A bw_raw_PREROUTING -m policy --pol ipsec --dir in -j RETURN\n"
 "-A bw_raw_PREROUTING -m bpf --object-pinned " XT_BPF_INGRESS_PROG_PATH "\n" |
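Review bot: `CLAT_MARK` in the first hunk of server/BandwidthController.cpp is a hand-copied value, and nothing visible here enforces that it stays equal to the definition in `bpf_progs/clatd.c`. If the two drift, the new DROP rule silently stops matching and the duplicates it is meant to remove reach the stack and the accounting rules again. The expectation in BandwidthControllerTest.cpp repeats the literal `0xdeadc1a7` a third time, so the test would keep passing after such a drift. Prefer a typed constant over a macro, for example `static constexpr uint32_t CLAT_MARK = 0xdeadc1a7;  // must equal CLAT_MARK in bpf_progs/clatd.c`, and take the value from a header shared with the BPF program if one is available to netd.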
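Review bot: The rule added in getBasicAccountingCommands() is an unscoped exact-value match, so `-m mark --mark 0x%x -j DROP` discards every packet that reaches raw PREROUTING with this mark, on any interface. The one-line comment does not say which component sets the mark or why such a packet is a duplicate. A fuller comment would record that trust assumption, for example `// The clat ingress BPF program (clatd.c) is expected to be the only setter of CLAT_MARK; drop the marked packet here, ahead of the IPsec RETURN rules and the accounting rule, so it is neither delivered nor counted twice.` The details of the marking are inferred from the comment in the first hunk and should be confirmed against clatd.c. It is also worth stating that the rule must remain first in the chain, because the `-j RETURN` rules after it would otherwise let a marked packet leave the chain before the drop. The function body starts and ends outside the hunk.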