authorHungming Chen <nuccachen@google.com>2022-04-01 19:57:45 +0800
committerHungming Chen <nuccachen@google.com>2022-04-07 11:50:46 +0800
commitba815950b8066a8518055682413311a5bfdff799 (patch)
tree704b9a3e2b9eda3cf1c3e5577a33cb78598b1f71 /server/BandwidthControllerTest.cpp
parent7e09a8007dd50c9cfe306fb2d7017cc3b7243bf7 (diff)
Drop duplicate clat ingress packets
As Maze@'s advice, we add a clat mark to clat packet in ingress bpf and drop the duplicate packets in iptables via mark match. Bug: 218407445 Test: atest BandwidthControllerTest Test: manual test with unmerged aosp/1951099 0. Connect to IPv6-only wifi 1. Clatd test: ping 5 times and check that iptables drop 5 packets by mark 0xdeadc1a7. $ adb shell ping 8.8.8.8 .. 64 bytes from 8.8.8.8: icmp_seq=4 ttl=120 time=14.3 ms 64 bytes from 8.8.8.8: icmp_seq=5 ttl=120 time=67.4 ms $ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v Chain bw_raw_PREROUTING (1 references) pkts bytes target prot opt in out source destination 5 520 DROP all any any anywhere anywhere mark match 0xdeadc1a7 0 0 RETURN all ipsec+ any anywhere anywhere 0 0 RETURN all any any anywhere anywhere policy match dir in pol ipsec 1661 1239K all any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf 2. Bpf test: run iperf to an IPv4 server and iptables doesn't see offloaded packet with mark 0xdeadc1a7. Drop packet count (5) is unchanged. $ adb shell iperf3 -4 -c 117.102.109.186 -t1 Connecting to host 117.102.109.186, port 5201 [ 5] local 192.0.0.4 port 56242 connected to 117.102.109.186 port 5201 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 622 KBytes 5.09 Mbits/sec 0 44.0 KBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-1.00 sec 622 KBytes 5.09 Mbits/sec 0 sender [ 5] 0.00-1.00 sec 201 KBytes 1.64 Mbits/sec receiver $ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v Chain bw_raw_PREROUTING (1 references) pkts bytes target prot opt in out source destination 5 520 DROP all any any anywhere anywhere mark match 0xdeadc1a7 0 0 RETURN all ipsec+ any anywhere anywhere 0 0 RETURN all any any anywhere anywhere policy match dir in pol ipsec 1804 1280K all any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf 3. Enable USB tethering. Do ping and iperf on tethered client. 4. 
Clatd test: ping 5 times and check that iptables drop 5 packets (count from 5 to 10) by mark 0xdeadc1a7. $ ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. .. 64 bytes from 8.8.8.8: icmp_seq=4 ttl=119 time=13.7 ms 64 bytes from 8.8.8.8: icmp_seq=5 ttl=119 time=15.9 ms $ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v Chain bw_raw_PREROUTING (1 references) pkts bytes target prot opt in out source destination 10 1040 DROP all any any anywhere anywhere mark match 0xdeadc1a7 0 0 RETURN all ipsec+ any anywhere anywhere 0 0 RETURN all any any anywhere anywhere policy match dir in pol ipsec 1900 1298K all any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf 5. Bpf test: run iperf to an IPv4 server and iptables doesn't see offloaded packet with mark 0xdeadc1a7. Drop packet count (10) is unchanged. $ iperf3 -4 -c 117.102.109.186 -t1 Connecting to host 117.102.109.186, port 5201 [ 5] local 192.168.235.233 port 41602 connected to 117.102.109.186 port 5201 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 3.19 MBytes 26.8 Mbits/sec 0 369 KBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-1.00 sec 3.19 MBytes 26.8 Mbits/sec 0 sender [ 5] 0.00-1.00 sec 2.58 MBytes 21.7 Mbits/sec receiver $ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v Chain bw_raw_PREROUTING (1 references) pkts bytes target prot opt in out source destination 10 1040 DROP all any any anywhere anywhere mark match 0xdeadc1a7 0 0 RETURN all ipsec+ any anywhere anywhere 0 0 RETURN all any any anywhere anywhere policy match dir in pol ipsec 1978 1320K all any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf Change-Id: I3bc6f542f6af692f79d464d085d971d2f2e60877
Diffstat (limited to 'server/BandwidthControllerTest.cpp')
-rw-r--r--server/BandwidthControllerTest.cpp1
1 files changed, 1 insertions, 0 deletions
diff --git a/server/BandwidthControllerTest.cpp b/server/BandwidthControllerTest.cpp
index beb40fae..173ba3df 100644
--- a/server/BandwidthControllerTest.cpp
+++ b/server/BandwidthControllerTest.cpp
@@ -187,6 +187,7 @@ TEST_F(BandwidthControllerTest, TestEnableBandwidthControl) {
"-I bw_happy_box -m bpf --object-pinned " XT_BPF_ALLOWLIST_PROG_PATH " -j RETURN\n"
"COMMIT\n"
"*raw\n"
+ "-A bw_raw_PREROUTING -m mark --mark 0xdeadc1a7 -j DROP\n"
"-A bw_raw_PREROUTING -i ipsec+ -j RETURN\n"
"-A bw_raw_PREROUTING -m policy --pol ipsec --dir in -j RETURN\n"
"-A bw_raw_PREROUTING -m bpf --object-pinned " XT_BPF_INGRESS_PROG_PATH "\n"
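Review bot: The added expectation spells the clat mark as a bare literal, `0xdeadc1a7`, while the neighbouring rules take their BPF program paths from macros (`XT_BPF_ALLOWLIST_PROG_PATH`, `XT_BPF_INGRESS_PROG_PATH`), so nothing in the test says where the value comes from or that it has to match the mark the clat ingress BPF program sets, as the commit message describes. A comment above the new line would record that, e.g. `// Clat mark set by the ingress BPF program; marked duplicates must be dropped ahead of the ipsec RETURN rules and the ingress BPF match rule.` If a shared constant for the mark exists outside this hunk, building the expected string from it would make a change to the mark fail this test rather than silently leave marked duplicates undropped. The test pins only the rule text and its position at the head of `bw_raw_PREROUTING`; the drop behaviour itself is covered only by the manual steps in the description, and the `TEST_F` body starts and ends outside the hunk.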