Block incoming packets in VPN Lockdown mode.

Currently, even when VPN Lockdown mode is enabled, incoming packets are
not dropped if VPN is not connected.

This commit fixes the issue.
After this commit, if VPN Lockdown mode is enabled, incoming packets
are dropped regardless of VPN connectivity.

Bug: 206482423
Test: atest TrafficControllerTest ConnectivityServiceTest PermissionMonitorTest
Change-Id: If52ece613c8aac1073355e43b6fb9cb3fcc87d1d
(cherry picked from commit b08654ca0450d021da709a762ab509a8d4f87d40)
Merged-In: If52ece613c8aac1073355e43b6fb9cb3fcc87d1d
diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index f3f675f..76911f4 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -214,9 +214,16 @@
             return BPF_DROP;
         }
     }
-    if (direction == BPF_INGRESS && (uidRules & IIF_MATCH)) {
-        // Drops packets not coming from lo nor the allowlisted interface
-        if (allowed_iif && skb->ifindex != 1 && skb->ifindex != allowed_iif) {
+    if (direction == BPF_INGRESS && skb->ifindex != 1) {
+        if (uidRules & IIF_MATCH) {
+            if (allowed_iif && skb->ifindex != allowed_iif) {
+                // Drops packets not coming from lo nor the allowed interface
+                // allowed interface=0 is a wildcard and does not drop packets
+                return BPF_DROP_UNLESS_DNS;
+            }
+        } else if (uidRules & LOCKDOWN_VPN_MATCH) {
+            // Drops packets not coming from lo and rule does not have IIF_MATCH but has
+            // LOCKDOWN_VPN_MATCH
             return BPF_DROP_UNLESS_DNS;
         }
     }
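Review bot: The `else if (uidRules & LOCKDOWN_VPN_MATCH)` branch is only reached when IIF_MATCH is clear, so a UID carrying both bits with `allowed_iif == 0` (the wildcard) passes ingress packets without ever being checked against lockdown. If that precedence is intended, it relies on userspace never leaving a locked-down UID in that state, which these lines cannot confirm. The rewritten comment should state it, for example `// IIF_MATCH takes precedence: with allowed_iif == 0 the LOCKDOWN_VPN_MATCH drop is skipped`. Both drop paths also return `BPF_DROP_UNLESS_DNS` rather than `BPF_DROP`, so the lockdown comment should say that DNS traffic is presumably exempted by the caller. The literal `1` in `skb->ifindex != 1` would read better as a named loopback-ifindex constant, since it now gates the lockdown check too. The enclosing function starts and ends outside this hunk.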