Merge "Drop duplicate clat ingress packets" am: b50e20abac am: b7473f837e am: 801e0efdce

Original change: https://android-review.googlesource.com/c/platform/system/netd/+/2052806 Change-Id: Ic368e273de6a09388028fc2c72faf8259a49a8d8 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
author: Treehugger Robot <treehugger-gerrit@google.com> 2022-04-07 16:04:31 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> 2022-04-07 16:04:31 +0000
commit: 4558e571988bb8b66d055221c43bfdde49de28d5 (patch)
tree: 6b56c601b64fd05c68dfbc51af3397d00ebba074
parent: d0a74a3189b2047b42d9bd77e2fd660b3b6f804f (diff)
parent: 801e0efdcee22efca2fa499c730b87c2022b9a5f (diff)
download: netd-4558e571988bb8b66d055221c43bfdde49de28d5.tar.gz
2 files changed, 6 insertions, 0 deletions
diff --git a/server/BandwidthController.cpp b/server/BandwidthController.cpp
index b89aa7ff..27739418 100644
--- a/server/BandwidthController.cpp
+++ b/server/BandwidthController.cpp
@@ -66,6 +66,9 @@ const char BandwidthController::LOCAL_RAW_PREROUTING[] = "bw_raw_PREROUTING";
 const char BandwidthController::LOCAL_MANGLE_POSTROUTING[] = "bw_mangle_POSTROUTING";
 const char BandwidthController::LOCAL_GLOBAL_ALERT[] = "bw_global_alert";
 
+// Sync from packages/modules/Connectivity/bpf_progs/clatd.c
+#define CLAT_MARK 0xdeadc1a7
+
 auto BandwidthController::iptablesRestoreFunction = execIptablesRestoreWithOutput;
 
 using android::base::Join;
@@ -224,6 +227,8 @@ std::vector<std::string> getBasicAccountingCommands() {
             "COMMIT",
 
             "*raw",
+            // Drop duplicate ingress clat packets
+            StringPrintf("-A bw_raw_PREROUTING -m mark --mark 0x%x -j DROP", CLAT_MARK),
             // Prevents IPSec double counting (Tunnel mode and Transport mode,
             // respectively)
             ("-A bw_raw_PREROUTING -i " IPSEC_IFACE_PREFIX "+ -j RETURN"),
diff --git a/server/BandwidthControllerTest.cpp b/server/BandwidthControllerTest.cpp
index b503d3d3..e7d29d23 100644
--- a/server/BandwidthControllerTest.cpp
+++ b/server/BandwidthControllerTest.cpp
@@ -187,6 +187,7 @@ TEST_F(BandwidthControllerTest, TestEnableBandwidthControl) {
             "-I bw_happy_box -m bpf --object-pinned " XT_BPF_ALLOWLIST_PROG_PATH " -j RETURN\n"
             "COMMIT\n"
             "*raw\n"
+            "-A bw_raw_PREROUTING -m mark --mark 0xdeadc1a7 -j DROP\n"
             "-A bw_raw_PREROUTING -i ipsec+ -j RETURN\n"
             "-A bw_raw_PREROUTING -m policy --pol ipsec --dir in -j RETURN\n"
             "-A bw_raw_PREROUTING -m bpf --object-pinned " XT_BPF_INGRESS_PROG_PATH "\n"
author	Treehugger Robot <treehugger-gerrit@google.com>	2022-04-07 16:04:31 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2022-04-07 16:04:31 +0000
commit	4558e571988bb8b66d055221c43bfdde49de28d5 (patch)
tree	6b56c601b64fd05c68dfbc51af3397d00ebba074
parent	d0a74a3189b2047b42d9bd77e2fd660b3b6f804f (diff)
parent	801e0efdcee22efca2fa499c730b87c2022b9a5f (diff)
download	netd-4558e571988bb8b66d055221c43bfdde49de28d5.tar.gz