| author | Maciej Żenczykowski <maze@google.com> | 2021-10-14 20:22:23 -0700 |
|---|---|---|
| committer | Maciej Żenczykowski <maze@google.com> | 2021-10-15 08:42:43 +0000 |
| commit | 344bb894d2dbdffcd1635685e6dce32bfd35206b (patch) | |
| tree | 8989500b52086b2908dbc0054097bbc3987dde5f /server/FirewallController.cpp | |
| parent | 2b0b5ec491178708a0da8550088ba57ebe4a9a88 (diff) | |
Never send packets with a source of ::1 on the wire.
Doing so is obviously invalid, and certain carriers will tear
down the connection if such packets are sent on their network.
This is done by adding an ip6tables rule to fw_OUTPUT that drops
all packets with a non-lo egress interface and a source of ::1.
Test: boot device, "adb root && adb shell ip6tables-save | egrep fw_OUTPUT"
Bug: 190368103
Bug: 198896920
Bug: 203096965
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ifb272d48705ba756ccd7bac806e4dc2dd7488cd5
Diffstat (limited to 'server/FirewallController.cpp')
| -rw-r--r-- | server/FirewallController.cpp | 26 |
1 files changed, 15 insertions, 11 deletions
diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
index 0a0f8d82..35fd1e20 100644
--- a/server/FirewallController.cpp
+++ b/server/FirewallController.cpp
@@ -90,7 +90,8 @@ FirewallController::FirewallController(void) : mMaxUid(discoverMaximumValidUid(k
 }
 
 int FirewallController::setupIptablesHooks(void) {
-    int res = 0;
+    int res = flushRules();
+
     // mUseBpfOwnerMatch should be removed, but it is still depended upon by test code.
     mUseBpfOwnerMatch = true;
     if (mUseBpfOwnerMatch) {
@@ -126,21 +127,24 @@ int FirewallController::setFirewallType(FirewallType ftype) {
     return res ? -EREMOTEIO : 0;
 }
 
-int FirewallController::resetFirewall(void) {
-    mFirewallType = ALLOWLIST;
-    mIfaceRules.clear();
-
-    // flush any existing rules
+int FirewallController::flushRules() {
     std::string command =
-        "*filter\n"
-        ":fw_INPUT -\n"
-        ":fw_OUTPUT -\n"
-        ":fw_FORWARD -\n"
-        "COMMIT\n";
+            "*filter\n"
+            ":fw_INPUT -\n"
+            ":fw_OUTPUT -\n"
+            ":fw_FORWARD -\n"
+            "-6 -A fw_OUTPUT ! -o lo -s ::1 -j DROP\n"
+            "COMMIT\n";
 
     return (execIptablesRestore(V4V6, command.c_str()) == 0) ? 0 : -EREMOTEIO;
 }
 
+int FirewallController::resetFirewall(void) {
+    mFirewallType = ALLOWLIST;
+    mIfaceRules.clear();
+    return flushRules();
+}
+
 int FirewallController::enableChildChains(ChildChain chain, bool enable) {
     int res = 0;
     const char* name;
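Review bot: The new `-6 -A fw_OUTPUT ! -o lo -s ::1 -j DROP` line in flushRules() has no comment, so the reason for a hard DROP sitting between the chain flush and COMMIT lives only in the commit message. I would put `// Never let a packet with source ::1 leave on a non-loopback interface: it is invalid on the wire and some carriers tear the connection down when they see one (b/190368103).` directly above it. The rule only protects as long as fw_OUTPUT is actually reached from the OUTPUT hook and nothing is inserted ahead of it; because flushRules() emits it immediately after `:fw_OUTPUT -`, later `-A` appends cannot shadow it, but an `-I fw_OUTPUT ... -j ACCEPT` from another code path would, which is worth stating in that comment or guarding in review of the callers. The hook-up of fw_OUTPUT and the remainder of setupIptablesHooks() are outside this hunk, so that ordering cannot be confirmed from here. Minor style point: `flushRules()` drops the `(void)` that the neighbouring signatures use.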
