Reset firewall mark after IPsec decryption
This change ensures that the firewall marks post-decryption are reset,
due to routing rules not handling decapsulated packets properly.
At present, forwarding rules (and a few others) expect the inbound
network to be clear, and not have a network explicitly selected.
However, because IPsec traffic routes through the filter_INPUT chain
before being decrypted, the input interface is stamped onto it for
packet mirroring purposes (ICMP/TCP acks, etc), and no longer matches
the relevant rules for forwarding decapsulated IPsec packets.
Bug: 185495453
Test: atest FrameworksVcnTests
Test: atest CtsNetTestCases:IpSecManagerTunnelTest
Test: atest CtsNetTestCases:IpSecManagerTest
Test: atest Ikev2VpnTest
Test: atest CtsIkeTestCases
Change-Id: Ib47d53c3e53295667a8d4645b8937eb834278026
2 files changed