authorMaciej Żenczykowski <maze@google.com>2019-12-23 14:43:09 -0800
committerMaciej Żenczykowski <maze@google.com>2019-12-27 16:39:17 +0000
commit083688fd5d5e49c44dd25a073e42154dbaf2d051 (patch)
treee420df28112937f1898f49faf69d02b40a8f5dee /server/ClatdControllerTest.cpp
parent9400524d0c8e8d83dbfee7ae1a348c348e0c0d5c (diff)
ClatdController - unconditionally ip6tables drop incoming 464xlat destined frames
Incoming 464xlat destined packets should either have been ebpf offloaded to ipv4 prior to even making it to ip6tables, or will be picked up by clatd's AF_PACKET raw socket, and thus do not need to hit the IPv6 stack either. Making it unconditional should simplify things, and fixes a bug where these packets can result in the IPv6 stack sending back errors or double delivering to AF_INET6 UDP :: bound dualstack sockets (one IPv6 and one IPv4 copy). Note: This potentially breaks traffic accounting. But that's already broken, just in a different way. We'll need to fix that as part of the linked bugs once we have decent tests, so that we actually know *what* doesn't work. Basically this patch - even though it might cause fallout - moves us in the right direction. Test: atest bpf_module_test clatd_test libbpf_android_test libnetdbpf_test netd_integration_test netd_unit_test netdutils_test resolv_integration_test resolv_unit_test Related-Bug: 136696213 Bug: 65674744 Bug: 79546774 Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: I2f2769d8de4b6057782d565c96ed92d9f9e4ce30
Diffstat (limited to 'server/ClatdControllerTest.cpp')
-rw-r--r--server/ClatdControllerTest.cpp26
1 files changed, 11 insertions, 15 deletions
diff --git a/server/ClatdControllerTest.cpp b/server/ClatdControllerTest.cpp
index e90dd1a96..771bbab06 100644
--- a/server/ClatdControllerTest.cpp
+++ b/server/ClatdControllerTest.cpp
@@ -70,9 +70,9 @@ class ClatdControllerTest : public IptablesBaseTest {
protected:
ClatdController mClatdCtrl;
bool isEbpfDisabled() { return mClatdCtrl.getEbpfMode() == ClatdController::ClatEbpfDisabled; }
- void maybeSetIptablesDropRule(bool a, const char* b, const char* c) {
+ void setIptablesDropRule(bool a, const char* b, const char* c) {
std::lock_guard guard(mClatdCtrl.mutex);
- return mClatdCtrl.maybeSetIptablesDropRule(a, b, c);
+ return mClatdCtrl.setIptablesDropRule(a, b, c);
}
void setIpv4AddressFreeFunc(bool (*func)(in_addr_t)) {
ClatdController::isIpv4AddressFreeFunc = func;
@@ -187,26 +187,22 @@ TEST_F(ClatdControllerTest, MakeChecksumNeutral) {
EXPECT_GE(3210000, onebits);
}
-TEST_F(ClatdControllerTest, AddRemoveIptablesRule) {
- if (isEbpfDisabled()) return;
-
- ExpectedIptablesCommands expected = {
+TEST_F(ClatdControllerTest, AddIptablesRule) {
+ setIptablesDropRule(true, "64:ff9b::", "2001:db8::1:2:3:4");
+ expectIptablesRestoreCommands((ExpectedIptablesCommands){
{V6,
"*raw\n"
"-A clat_raw_PREROUTING -s 64:ff9b::/96 -d 2001:db8::1:2:3:4 -j DROP\n"
- "COMMIT\n"},
- };
- maybeSetIptablesDropRule(true, "64:ff9b::", "2001:db8::1:2:3:4");
- expectIptablesRestoreCommands(expected);
+ "COMMIT\n"}});
+}
- expected = {
+TEST_F(ClatdControllerTest, RemoveIptablesRule) {
+ setIptablesDropRule(false, "64:ff9b::", "2001:db8::a:b:c:d");
+ expectIptablesRestoreCommands((ExpectedIptablesCommands){
{V6,
"*raw\n"
"-D clat_raw_PREROUTING -s 64:ff9b::/96 -d 2001:db8::a:b:c:d -j DROP\n"
- "COMMIT\n"},
- };
- maybeSetIptablesDropRule(false, "64:ff9b::", "2001:db8::a:b:c:d");
- expectIptablesRestoreCommands(expected);
+ "COMMIT\n"}});
}
} // namespace net
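Review bot: With the `if (isEbpfDisabled()) return;` guard removed, AddIptablesRule and RemoveIptablesRule each run once in whatever eBPF mode the fixture's ClatdController happens to report, so nothing in these tests pins the property the commit is after, namely that the raw-table DROP rule is emitted regardless of mode. If the fixture can force the mode (not visible in this hunk), a case per mode would catch a regression that makes the rule conditional again; at minimum a comment such as `// The DROP rule must be installed in every eBPF mode.` above AddIptablesRule records the intent. Separately, `(ExpectedIptablesCommands){...}` is a C99 compound literal that GCC and Clang accept in C++ only as an extension; `expectIptablesRestoreCommands(ExpectedIptablesCommands{{V6, "..."}});` is the standard spelling. RemoveIptablesRule deletes a rule for `2001:db8::a:b:c:d`, which no test adds, so a one-line comment that the `-D` is checked only against the expected restore text would keep it from being read as the second half of an add/remove pair.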