
Merge "Drop PROHIBIT_NON_VPN priority 11500 -> 12500" into nyc-dev
[android-x86/system-netd.git] / server / RouteController.cpp
index a087a12..fa39c89 100644 (file)
@@ -48,6 +48,7 @@ const uint32_t RULE_PRIORITY_VPN_OVERRIDE_SYSTEM = 10000;
 const uint32_t RULE_PRIORITY_VPN_OVERRIDE_OIF    = 10500;
 const uint32_t RULE_PRIORITY_VPN_OUTPUT_TO_LOCAL = 11000;
 const uint32_t RULE_PRIORITY_SECURE_VPN          = 12000;
+const uint32_t RULE_PRIORITY_PROHIBIT_NON_VPN    = 12500;
 const uint32_t RULE_PRIORITY_EXPLICIT_NETWORK    = 13000;
 const uint32_t RULE_PRIORITY_OUTPUT_INTERFACE    = 14000;
 const uint32_t RULE_PRIORITY_LEGACY_SYSTEM       = 15000;
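Review bot: The added RULE_PRIORITY_PROHIBIT_NON_VPN constant carries no comment saying why 12500 is the right slot, although the whole point of the commit is its position: it sits after RULE_PRIORITY_SECURE_VPN (12000), presumably so traffic the secure-VPN rule accepts is routed before it can be refused, and before RULE_PRIORITY_EXPLICIT_NETWORK (13000), presumably so an explicitly selected non-VPN network cannot be used to step around the prohibit. Neither rule's body is in this hunk, so please confirm that reading, but whichever way it goes the constraint should be written down next to the value, e.g. `// Must stay between SECURE_VPN (VPN-bound traffic is routed first) and EXPLICIT_NETWORK (explicit network selection must not bypass the prohibit).` Without it a later reshuffle of this table could silently turn the lockdown rule into a no-op for explicitly routed traffic.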
@@ -735,8 +736,8 @@ WARN_UNUSED_RESULT int addDirectlyConnectedRule() {
 // behaviour. We do flush the kernel-default rules at startup, but having an explicit unreachable
 // rule will hopefully make things even clearer.
 WARN_UNUSED_RESULT int addUnreachableRule() {
-    return modifyIpRule(RTM_NEWRULE, RULE_PRIORITY_UNREACHABLE, RT_TABLE_UNSPEC, MARK_UNSET,
-                        MARK_UNSET);
+    return modifyIpRule(RTM_NEWRULE, RULE_PRIORITY_UNREACHABLE, FR_ACT_UNREACHABLE, RT_TABLE_UNSPEC,
+                        MARK_UNSET, MARK_UNSET, IIF_NONE, OIF_NONE, INVALID_UID, INVALID_UID);
 }
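Review bot: The rewritten modifyIpRule call in addUnreachableRule now takes ten positional arguments, four of them sentinels (MARK_UNSET twice, INVALID_UID twice), so a transposed pair would still compile and install a different rule than intended. modifyIpRule's new signature is not in this hunk, so I cannot tell whether defaults were an option; if they were not, a short comment per argument group on the call, such as `/* fwmark, mask */`, `/* iif, oif */`, `/* uidStart, uidEnd */`, would make every such call site auditable at a glance, and the same applies to the other callers this signature change touched.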
 
 WARN_UNUSED_RESULT int modifyLocalNetwork(unsigned netId, const char* interface, bool add) {
@@ -768,6 +769,24 @@ WARN_UNUSED_RESULT int modifyPhysicalNetwork(unsigned netId, const char* interfa
     return modifyImplicitNetworkRule(netId, table, permission, add);
 }
 
+WARN_UNUSED_RESULT int modifyRejectNonSecureNetworkRule(const UidRanges& uidRanges, bool add) {
+    Fwmark fwmark;
+    Fwmark mask;
+    fwmark.protectedFromVpn = false;
+    mask.protectedFromVpn = true;
+
+    for (const UidRanges::Range& range : uidRanges.getRanges()) {
+        if (int ret = modifyIpRule(add ? RTM_NEWRULE : RTM_DELRULE,
+                                   RULE_PRIORITY_PROHIBIT_NON_VPN, FR_ACT_PROHIBIT, RT_TABLE_UNSPEC,
+                                   fwmark.intValue, mask.intValue, IIF_LOOPBACK, OIF_NONE,
+                                   range.first, range.second)) {
+            return ret;
+        }
+    }
+
+    return 0;
+}
+
 WARN_UNUSED_RESULT int modifyVirtualNetwork(unsigned netId, const char* interface,
                                             const UidRanges& uidRanges, bool secure, bool add,
                                             bool modifyNonUidBasedRules) {
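Review bot: modifyRejectNonSecureNetworkRule returns on the first modifyIpRule failure, so when one of several uid ranges fails the rules for the earlier ranges have already been added (or removed) and nothing here undoes them, while the caller only sees an error with no indication of which ranges are now in effect; on the add path that fails closed, but on the remove path it leaves stale FR_ACT_PROHIBIT rules that keep refusing traffic for those uids, and the caller's view of who is lockdown-enforced can then diverge from the kernel's rule set. The function also has no header comment, and its match is subtle: the mask covers only the protectedFromVpn bit, so a packet's netId and explicit-selection bits are deliberately ignored, and IIF_LOOPBACK restricts it to locally generated output. I would add above the function: `// For each uid range, adds or removes a PROHIBIT rule at RULE_PRIORITY_PROHIBIT_NON_VPN that matches locally generated packets (iif lo) whose fwmark lacks protectedFromVpn, regardless of netId or explicit selection. Stops at the first failure; rules for earlier ranges are left as already modified, so callers must not assume all-or-nothing.` If all-or-nothing is what callers expect, the loop needs a best-effort rollback of the ranges it already applied before returning ret. modifyVirtualNetwork at the bottom of the hunk continues outside it.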
@@ -1045,6 +1064,14 @@ int RouteController::modifyPhysicalNetworkPermission(unsigned netId, const char*
     return modifyPhysicalNetwork(netId, interface, oldPermission, ACTION_DEL);
 }
 
+int RouteController::addUsersToRejectNonSecureNetworkRule(const UidRanges& uidRanges) {
+    return modifyRejectNonSecureNetworkRule(uidRanges, true);
+}
+
+int RouteController::removeUsersFromRejectNonSecureNetworkRule(const UidRanges& uidRanges) {
+    return modifyRejectNonSecureNetworkRule(uidRanges, false);
+}
+
 int RouteController::addUsersToVirtualNetwork(unsigned netId, const char* interface, bool secure,
                                               const UidRanges& uidRanges) {
     return modifyVirtualNetwork(netId, interface, uidRanges, secure, ACTION_ADD,
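Review bot: The two new wrappers pass bare `true` and `false` to modifyRejectNonSecureNetworkRule, while the context lines in this same hunk spell the identical bool as `ACTION_DEL` in modifyPhysicalNetworkPermission and `ACTION_ADD` in addUsersToVirtualNetwork, so the file now carries two conventions for the same add/remove flag. `return modifyRejectNonSecureNetworkRule(uidRanges, ACTION_ADD);` and `return modifyRejectNonSecureNetworkRule(uidRanges, ACTION_DEL);` read like their siblings and make an accidental swap obvious at the call site; ACTION_ADD is already passed where a bool parameter is expected on the visible lines, so it is type-compatible. addUsersToVirtualNetwork at the bottom of the hunk continues outside it.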