path: root/server/ControllersTest.cpp
Commit log (commit message, author, age, files, lines):
* remove specific clat iptables drop rules
  Author: Maciej Żenczykowski  Date: 2022-04-11  Files: 1  Lines: -2/+0

  These are now obsoleted by the CLATMARK based ebpf + ip6tables logic
  (generated via removing clat_raw_PREROUTING and everything that referenced it)

  Test: builds, TreeHugger, flashed an oriole, observed ping 8.8.8.8 behaviour on GoogleGuest v6-only network
  Signed-off-by: Maciej Żenczykowski <maze@google.com>
  Change-Id: I1bccfed0dfa6bd7f211979294da29884142481dc
* move raw idletimer ahead of clat
  Author: Maciej Żenczykowski  Date: 2021-11-17  Files: 1  Lines: -2/+2

  This should make idletimer work better with received ipv6 packets
  which we will later translate via clatd to ipv4.

  Sample config from a bonito test device:

    *raw
    -A PREROUTING -j clat_raw_PREROUTING
    -A PREROUTING -j bw_raw_PREROUTING
    -A PREROUTING -j idletimer_raw_PREROUTING      <-- moves up two lines
    -A PREROUTING -j tetherctrl_raw_PREROUTING
    -A bw_raw_PREROUTING -i ipsec+ -j RETURN
    -A bw_raw_PREROUTING -m policy --dir in --pol ipsec -j RETURN
    -A bw_raw_PREROUTING -m bpf --object-pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf
    -A clat_raw_PREROUTING -s 64:ff9b::/96 -d 2a00:79e1:abc:1539:9c61:cc49:8607:d7b/128 -i wlan0 -j DROP
    -A idletimer_raw_PREROUTING -i wlan0 -j IDLETIMER --timeout 15 --label 1 --send_nl_msg

  Moving idletimer before clat is desirable, because we want the wakeup events
  generated; moving idletimer before bw_raw is a required side effect, as clat
  needs to be before bw_raw to make ingress accounting correct, since it has to
  drop the packets that clatd will process and the accounting will happen on the
  v4-* interface instead.

  Since both bw_raw and idletimer are non-terminal, there is no real difference
  to the behaviour with the new ordering between these two.

  Unfortunately this will not fix any packets which get offloaded by the tc ebpf
  clat program, since they will never show up in ip6tables. This will be resolved
  either via adding additional idletimer rules to the v4-* interface, or by
  eliminating clatd and the v4-* interfaces entirely (ie. moving to a purely
  ebpf based clat solution).

  Test: TreeHugger
  Signed-off-by: Maciej Żenczykowski <maze@google.com>
  Change-Id: I7d856f74d1785d9a19d1f5faad95c8982f0a049a
* Drop packets to the clat address.
  Author: Lorenzo Colitti  Date: 2019-07-01  Files: 1  Lines: -0/+2

  These packets are not needed for 464xlat to function because clatd reads
  packets from packet sockets, which run before iptables, and the TC action
  also happens before packet sockets. Their existence complicates data usage
  accounting, and in certain situations results in applications receiving
  duplicate UDP packets.

  Bug: 65674744
  Bug: 136193260
  Test: atest netd_unit_test
  Change-Id: I26bd8a1e7a54dbac86971b4e62f88f46ae5466f1
* Nat-related commands refine
  Author: Luke Huang  Date: 2018-11-19  Files: 1  Lines: -115/+119

  We need this to ensure that the tethering IPCs don't need to grab the lock
  in two different controllers.

  The idea is to always have a global_alert rule in the bw_global_alert chain.
  TetherController will enable/disable the reference of the bw_global_alert chain.

  [childchain order of filter FORWARD chain]
  Chain FORWARD
    nm_mdmprxy_iface_pkt_fwder
    oem_fwd
    fw_FORWARD
    bw_FORWARD
    tetherctrl_FORWARD

  --Simple rule comparison--
  [Before]
  Chain bw_FORWARD
    Alert rule
    ... other rules
  Chain tetherctrl_FORWARD
    ... other rules

  [After]
  Chain bw_FORWARD
    No Alert rule
    ... other rules
  Chain tetherctrl_FORWARD
    Jump to bw_global_alert
    ... other rules
  Chain bw_global_alert
    Alert rule

  The exact rule comparison is shown in the bug.

  Bug: 119735985
  Test: built, flashed, booted
  Test: system/netd/tests/runtests.sh passes
  Change-Id: Ibf752d0c8de9170689fc74c89c0424d2642853ec
* Rename natctrl_* iptables rules to tetherctrl_*
  Author: Lorenzo Colitti  Date: 2017-08-31  Files: 1  Lines: -10/+10

  Bug: 32163131
  Bug: 64995262
  Test: bullhead builds and boots
  Test: netd_{unit,integration}_test pass
  Change-Id: Ifd20920713b2b5b9c22f4c829ef037bbac024505
* Move all init code to iptables-restore.
  Author: Lorenzo Colitti  Date: 2017-08-15  Files: 1  Lines: -37/+154

  This gets rid of one of the last few uses of iptables, and also reduces
  startup time from ~750ms to ~150ms.

  Bug: 28362720
  Test: bullhead builds, boots
  Test: netd_{unit,integration}_test pass
  Test: rules after "killall netd" look identical
  Change-Id: Idf4d8dbc1292cb0017d4546976ad645a4ac7fa08
* Add test coverage for setting up initial iptables rules.
  Author: Lorenzo Colitti  Date: 2017-08-10  Files: 1  Lines: -0/+150

  Bug: 28362720
  Test: bullhead builds, boots
  Test: netd_{unit,integration}_test pass
  Change-Id: I2ab9269d9bca3a7b8b168b801360d3fdb6119f05