Drop duplicate clat ingress packets

As Maze@'s advice, we add a clat mark to clat packet in ingress bpf
and drop the duplicate packets in iptables via mark match.

Bug: 218407445
Test: atest BandwidthControllerTest
Test: manual test with unmerged aosp/1951099

0. Connect to IPv6-only wifi

1. Clatd test: ping 5 times and check that iptables drop 5 packets by
   mark 0xdeadc1a7.

$ adb shell ping 8.8.8.8
..
64 bytes from 8.8.8.8: icmp_seq=4 ttl=120 time=14.3 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=120 time=67.4 ms

$ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
Chain bw_raw_PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    5   520 DROP       all      any    any     anywhere             anywhere             mark match 0xdeadc1a7
    0     0 RETURN     all      ipsec+ any     anywhere             anywhere
    0     0 RETURN     all      any    any     anywhere             anywhere             policy match dir in pol ipsec
 1661 1239K            all      any    any     anywhere             anywhere            match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf

2. Bpf test: run iperf to an IPv4 server and iptables doesn't see
   offloaded packet with mark 0xdeadc1a7. Drop packet count (5) is
   unchanged.

$ adb shell iperf3 -4 -c 117.102.109.186 -t1
Connecting to host 117.102.109.186, port 5201
[  5] local 192.0.0.4 port 56242 connected to 117.102.109.186 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   622 KBytes  5.09 Mbits/sec    0   44.0 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-1.00   sec   622 KBytes  5.09 Mbits/sec    0             sender
[  5]   0.00-1.00   sec   201 KBytes  1.64 Mbits/sec                  receiver

$ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
Chain bw_raw_PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    5   520 DROP       all      any    any     anywhere             anywhere             mark match 0xdeadc1a7
    0     0 RETURN     all      ipsec+ any     anywhere             anywhere
    0     0 RETURN     all      any    any     anywhere             anywhere             policy match dir in pol ipsec
 1804 1280K            all      any    any     anywhere             anywhere            match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf

3. Enable USB tethering. Do ping and iperf on tethered client.

4. Clatd test: ping 5 times and check that iptables drop 5 packets
   (count from 5 to 10) by mark 0xdeadc1a7.

$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
..
64 bytes from 8.8.8.8: icmp_seq=4 ttl=119 time=13.7 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=119 time=15.9 ms

$ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
Chain bw_raw_PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
   10  1040 DROP       all      any    any     anywhere             anywhere             mark match 0xdeadc1a7
    0     0 RETURN     all      ipsec+ any     anywhere             anywhere
    0     0 RETURN     all      any    any     anywhere             anywhere             policy match dir in pol ipsec
 1900 1298K            all      any    any     anywhere             anywhere            match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf

5. Bpf test: run iperf to an IPv4 server and iptables doesn't see
   offloaded packet with mark 0xdeadc1a7. Drop packet count (10) is
   unchanged.

$ iperf3 -4 -c 117.102.109.186 -t1
Connecting to host 117.102.109.186, port 5201
[  5] local 192.168.235.233 port 41602 connected to 117.102.109.186 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  3.19 MBytes  26.8 Mbits/sec    0    369 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-1.00   sec  3.19 MBytes  26.8 Mbits/sec    0             sender
[  5]   0.00-1.00   sec  2.58 MBytes  21.7 Mbits/sec                  receiver

$ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
Chain bw_raw_PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
   10  1040 DROP       all      any    any     anywhere             anywhere             mark match 0xdeadc1a7
    0     0 RETURN     all      ipsec+ any     anywhere             anywhere
    0     0 RETURN     all      any    any     anywhere             anywhere             policy match dir in pol ipsec
 1978 1320K            all      any    any     anywhere             anywhere            match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf

Change-Id: I3bc6f542f6af692f79d464d085d971d2f2e60877

1 files changed, 5 insertions, 0 deletions

diff --git a/server/BandwidthController.cpp b/server/BandwidthController.cpp
index 5918dbcb..786894b3 100644
--- a/server/BandwidthController.cpp
+++ b/server/BandwidthController.cpp
@@ -66,6 +66,9 @@ const char BandwidthController::LOCAL_RAW_PREROUTING[] = "bw_raw_PREROUTING";
 const char BandwidthController::LOCAL_MANGLE_POSTROUTING[] = "bw_mangle_POSTROUTING";
 const char BandwidthController::LOCAL_GLOBAL_ALERT[] = "bw_global_alert";
 
+// Sync from packages/modules/Connectivity/bpf_progs/clatd.c
+#define CLAT_MARK 0xdeadc1a7
+
 auto BandwidthController::iptablesRestoreFunction = execIptablesRestoreWithOutput;
 
 using android::base::Join;
@@ -224,6 +227,8 @@ std::vector<std::string> getBasicAccountingCommands() {
             "COMMIT",
 
             "*raw",
+            // Drop duplicate ingress clat packets
+            StringPrintf("-A bw_raw_PREROUTING -m mark --mark 0x%x -j DROP", CLAT_MARK),
             // Prevents IPSec double counting (Tunnel mode and Transport mode,
             // respectively)
             ("-A bw_raw_PREROUTING -i " IPSEC_IFACE_PREFIX "+ -j RETURN"),