authorTreehugger Robot <treehugger-gerrit@google.com>2022-04-07 15:14:52 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>2022-04-07 15:14:52 +0000
commitb50e20abac950175fc91c09256ebc8b15d1ce456 (patch)
tree6b56c601b64fd05c68dfbc51af3397d00ebba074
parente983b370d58069be5f4110a81e1f1399a7f79f7b (diff)
parentba815950b8066a8518055682413311a5bfdff799 (diff)
downloadnetd-b50e20abac950175fc91c09256ebc8b15d1ce456.tar.gz
Merge "Drop duplicate clat ingress packets"
-rw-r--r--server/BandwidthController.cpp5
-rw-r--r--server/BandwidthControllerTest.cpp1
2 files changed, 6 insertions, 0 deletions
diff --git a/server/BandwidthController.cpp b/server/BandwidthController.cpp
index b89aa7ff..27739418 100644
--- a/server/BandwidthController.cpp
+++ b/server/BandwidthController.cpp
@@ -66,6 +66,9 @@ const char BandwidthController::LOCAL_RAW_PREROUTING[] = "bw_raw_PREROUTING";
const char BandwidthController::LOCAL_MANGLE_POSTROUTING[] = "bw_mangle_POSTROUTING";
const char BandwidthController::LOCAL_GLOBAL_ALERT[] = "bw_global_alert";
+// Sync from packages/modules/Connectivity/bpf_progs/clatd.c
+#define CLAT_MARK 0xdeadc1a7
+
auto BandwidthController::iptablesRestoreFunction = execIptablesRestoreWithOutput;
using android::base::Join;
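Review bot: `CLAT_MARK` is a hand-copied value whose only link to its producer is the comment naming packages/modules/Connectivity/bpf_progs/clatd.c, so if that side changes, the DROP rule added later in this file silently stops matching, or keeps matching a mark that has taken on another meaning. If netd cannot include a shared header for it, a typed, scoped constant such as `static constexpr uint32_t CLAT_MARK = 0xdeadc1a7;` would be preferable to a file-wide macro. The comment could also name the exact symbol in clatd.c that must stay equal. The expectation added in BandwidthControllerTest.cpp hard-codes the same literal, which pins the value inside netd but cannot detect drift from clatd.c.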
@@ -224,6 +227,8 @@ std::vector<std::string> getBasicAccountingCommands() {
"COMMIT",
"*raw",
+ // Drop duplicate ingress clat packets
+ StringPrintf("-A bw_raw_PREROUTING -m mark --mark 0x%x -j DROP", CLAT_MARK),
// Prevents IPSec double counting (Tunnel mode and Transport mode,
// respectively)
("-A bw_raw_PREROUTING -i " IPSEC_IFACE_PREFIX "+ -j RETURN"),
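Review bot: The added rule compares the whole 32-bit mark with no mask and sits ahead of the IPsec RETURN rules, so a packet reaching raw PREROUTING with exactly 0xdeadc1a7 is dropped on every interface before any other rule in the chain runs. The comment `// Drop duplicate ingress clat packets` does not say which component sets the mark or which copy of the packet is being discarded. Since this is a hard DROP inside an accounting chain, I would expand it to state the producer (presumably the program in clatd.c, which is not visible in this diff), why a duplicate exists, and why the rule must come first. It is also worth confirming that nothing else on the ingress path can set this mark value, because a match is an unconditional packet loss. getBasicAccountingCommands() begins and ends outside this hunk.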
diff --git a/server/BandwidthControllerTest.cpp b/server/BandwidthControllerTest.cpp
index b503d3d3..e7d29d23 100644
--- a/server/BandwidthControllerTest.cpp
+++ b/server/BandwidthControllerTest.cpp
@@ -187,6 +187,7 @@ TEST_F(BandwidthControllerTest, TestEnableBandwidthControl) {
"-I bw_happy_box -m bpf --object-pinned " XT_BPF_ALLOWLIST_PROG_PATH " -j RETURN\n"
"COMMIT\n"
"*raw\n"
+ "-A bw_raw_PREROUTING -m mark --mark 0xdeadc1a7 -j DROP\n"
"-A bw_raw_PREROUTING -i ipsec+ -j RETURN\n"
"-A bw_raw_PREROUTING -m policy --pol ipsec --dir in -j RETURN\n"
"-A bw_raw_PREROUTING -m bpf --object-pinned " XT_BPF_INGRESS_PROG_PATH "\n"