2 * Copyright (C) 2014 The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 #include "RouteController.h"
19 #include <arpa/inet.h>
22 #include <linux/fib_rules.h>
26 #include <private/android_filesystem_config.h>
31 #include "UidRanges.h"
32 #include "DummyNetwork.h"
34 #include "android-base/file.h"
35 #define LOG_TAG "Netd"
37 #include "logwrap/logwrap.h"
38 #include "netutils/ifc.h"
39 #include "resolv_netid.h"
41 using android::base::WriteStringToFile;
45 // BEGIN CONSTANTS --------------------------------------------------------------------------------
// Priorities of the policy routing rules installed by this file. Judging by the comments on
// modifyOutputInterfaceRules() and addDirectlyConnectedRule(), a numerically smaller value is
// the higher-priority rule.
47 const uint32_t RULE_PRIORITY_VPN_OVERRIDE_SYSTEM = 10000;
48 const uint32_t RULE_PRIORITY_VPN_OVERRIDE_OIF = 10500;
49 const uint32_t RULE_PRIORITY_VPN_OUTPUT_TO_LOCAL = 11000;
50 const uint32_t RULE_PRIORITY_SECURE_VPN = 12000;
51 const uint32_t RULE_PRIORITY_PROHIBIT_NON_VPN = 12500;
52 const uint32_t RULE_PRIORITY_EXPLICIT_NETWORK = 13000;
53 const uint32_t RULE_PRIORITY_OUTPUT_INTERFACE = 14000;
54 const uint32_t RULE_PRIORITY_LEGACY_SYSTEM = 15000;
55 const uint32_t RULE_PRIORITY_LEGACY_NETWORK = 16000;
56 const uint32_t RULE_PRIORITY_LOCAL_NETWORK = 17000;
57 const uint32_t RULE_PRIORITY_TETHERING = 18000;
58 const uint32_t RULE_PRIORITY_IMPLICIT_NETWORK = 19000;
59 const uint32_t RULE_PRIORITY_BYPASSABLE_VPN = 20000;
60 const uint32_t RULE_PRIORITY_VPN_FALLTHROUGH = 21000;
61 const uint32_t RULE_PRIORITY_DEFAULT_NETWORK = 22000;
62 const uint32_t RULE_PRIORITY_DIRECTLY_CONNECTED = 23000;
63 const uint32_t RULE_PRIORITY_UNREACHABLE = 32000;
// Fixed routing table numbers for the tables that are not tied to a single interface.
65 const uint32_t ROUTE_TABLE_LOCAL_NETWORK = 97;
66 const uint32_t ROUTE_TABLE_LEGACY_NETWORK = 98;
67 const uint32_t ROUTE_TABLE_LEGACY_SYSTEM = 99;
// Names that updateTableNamesFile() pairs with the fixed table numbers above.
69 const char* const ROUTE_TABLE_NAME_LOCAL_NETWORK = "local_network";
70 const char* const ROUTE_TABLE_NAME_LEGACY_NETWORK = "legacy_network";
71 const char* const ROUTE_TABLE_NAME_LEGACY_SYSTEM = "legacy_system";
// Names that updateTableNamesFile() pairs with RT_TABLE_LOCAL and RT_TABLE_MAIN.
73 const char* const ROUTE_TABLE_NAME_LOCAL = "local";
74 const char* const ROUTE_TABLE_NAME_MAIN = "main";
76 // TODO: These values aren't defined by the Linux kernel, because our UID routing changes are not
77 // upstream (yet?), so we can't just pick them up from kernel headers. When (if?) the changes make
78 // it upstream, we'll remove this and rely on the kernel header values. For now, add a static assert
79 // that will warn us if upstream has given these values some other meaning.
80 const uint16_t FRA_UID_START = 18;
81 const uint16_t FRA_UID_END = 19;
// Compilation fails once the kernel headers' FRA_MAX reaches FRA_UID_START.
82 static_assert(FRA_UID_START > FRA_MAX,
83 "Android-specific FRA_UID_{START,END} values also assigned in Linux uapi. "
84 "Check that these values match what the kernel does and then update this assertion.");
// Header flags for netlink requests. Every request asks for an ack; requests that create a
// rule or route additionally set NLM_F_CREATE | NLM_F_EXCL.
86 const uint16_t NETLINK_REQUEST_FLAGS = NLM_F_REQUEST | NLM_F_ACK;
87 const uint16_t NETLINK_CREATE_REQUEST_FLAGS = NETLINK_REQUEST_FLAGS | NLM_F_CREATE | NLM_F_EXCL;
// Address that the netlink socket in sendNetlinkRequest() connects to.
89 const sockaddr_nl NETLINK_ADDRESS = {AF_NETLINK, 0, 0, 0};
// Address families that modifyIpRule() sends each rule for.
91 const uint8_t AF_FAMILIES[] = {AF_INET, AF_INET6};
// IP version switches that flushRules() and flushRoutes() loop over.
93 const char* const IP_VERSIONS[] = {"-4", "-6"};
95 const uid_t UID_ROOT = 0;
96 const char* const IIF_LOOPBACK = "lo";
// A NULL interface name means the rule or route has no selector for that interface.
97 const char* const IIF_NONE = NULL;
98 const char* const OIF_NONE = NULL;
// Readable values for the boolean |add| parameters used throughout this file.
99 const bool ACTION_ADD = true;
100 const bool ACTION_DEL = false;
// Readable value for the |modifyNonUidBasedRules| parameter of modifyVirtualNetwork().
101 const bool MODIFY_NON_UID_BASED_RULES = true;
// Location and permissions of the table-names file written by updateTableNamesFile().
103 const char* const RT_TABLES_PATH = "/data/misc/net/rt_tables";
104 const mode_t RT_TABLES_MODE = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH; // mode 0644, rw-r--r--
// Upper bound on flush attempts per IP version in flushRoutes().
106 const unsigned ROUTE_FLUSH_ATTEMPTS = 2;
108 // Avoids "non-constant-expression cannot be narrowed from type 'unsigned int' to 'unsigned short'"
109 // warnings when using RTA_LENGTH(x) inside static initializers (even when x is already uint16_t).
// Returns RTA_LENGTH(x) converted to uint16_t by the function's return type.
110 constexpr uint16_t U16_RTA_LENGTH(uint16_t x) {
111 return RTA_LENGTH(x);
114 // These are practically const, but can't be declared so, because they are used to initialize
115 // non-const pointers ("void* iov_base") in iovec arrays.
// Attribute headers for rule requests. In modifyIpRule() each header is immediately followed in
// the iovec array by its payload (a uint32_t or a uid_t, matching the length given here).
116 rtattr FRATTR_PRIORITY = { U16_RTA_LENGTH(sizeof(uint32_t)), FRA_PRIORITY };
117 rtattr FRATTR_TABLE = { U16_RTA_LENGTH(sizeof(uint32_t)), FRA_TABLE };
118 rtattr FRATTR_FWMARK = { U16_RTA_LENGTH(sizeof(uint32_t)), FRA_FWMARK };
119 rtattr FRATTR_FWMASK = { U16_RTA_LENGTH(sizeof(uint32_t)), FRA_FWMASK };
120 rtattr FRATTR_UID_START = { U16_RTA_LENGTH(sizeof(uid_t)), FRA_UID_START };
121 rtattr FRATTR_UID_END = { U16_RTA_LENGTH(sizeof(uid_t)), FRA_UID_END };
// Attribute headers for route requests, used the same way in modifyIpRoute().
123 rtattr RTATTR_TABLE = { U16_RTA_LENGTH(sizeof(uint32_t)), RTA_TABLE };
124 rtattr RTATTR_OIF = { U16_RTA_LENGTH(sizeof(uint32_t)), RTA_OIF };
// Zero bytes that modifyIpRule() appends after interface names as alignment padding.
126 uint8_t PADDING_BUFFER[RTA_ALIGNTO] = {0, 0, 0, 0};
128 // END CONSTANTS ----------------------------------------------------------------------------------
130 // No locks needed because RouteController is accessed only from one thread (in CommandListener).
// Cache of interface name -> routing table number, filled in by getRouteTableForInterface().
131 std::map<std::string, uint32_t> interfaceToTable;
// Returns the routing table number used for |interface|. The number is derived from the
// interface index plus RouteController::ROUTE_TABLE_OFFSET_FROM_INDEX and remembered in
// interfaceToTable. When the name is not in the cache either, an error is logged and
// RT_TABLE_UNSPEC is returned.
133 uint32_t getRouteTableForInterface(const char* interface) {
134 uint32_t index = if_nametoindex(interface);
136 index += RouteController::ROUTE_TABLE_OFFSET_FROM_INDEX;
137 interfaceToTable[interface] = index;
140 // If the interface goes away if_nametoindex() will return 0 but we still need to know
141 // the index so we can remove the rules and routes.
142 auto iter = interfaceToTable.find(interface);
143 if (iter == interfaceToTable.end()) {
144 ALOGE("cannot find interface %s", interface);
145 return RT_TABLE_UNSPEC;
// Appends an entry for routing table |table| to |*contents|. The table number is formatted in
// decimal and appended first.
// NOTE(review): how |name| and any separators are appended is not visible here - confirm.
150 void addTableName(uint32_t table, const std::string& name, std::string* contents) {
151 char tableString[UINT32_STRLEN];
152 snprintf(tableString, sizeof(tableString), "%u", table);
153 *contents += tableString;
// Rebuilds the table-names listing and writes it to RT_TABLES_PATH.
159 // Doesn't return success/failure as the file is optional; it's okay if we fail to update it.
160 void updateTableNamesFile() {
161 std::string contents;
// The kernel's local and main tables come first.
163 addTableName(RT_TABLE_LOCAL, ROUTE_TABLE_NAME_LOCAL, &contents);
164 addTableName(RT_TABLE_MAIN, ROUTE_TABLE_NAME_MAIN, &contents);
// Then the fixed tables defined by this file.
166 addTableName(ROUTE_TABLE_LOCAL_NETWORK, ROUTE_TABLE_NAME_LOCAL_NETWORK, &contents);
167 addTableName(ROUTE_TABLE_LEGACY_NETWORK, ROUTE_TABLE_NAME_LEGACY_NETWORK, &contents);
168 addTableName(ROUTE_TABLE_LEGACY_SYSTEM, ROUTE_TABLE_NAME_LEGACY_SYSTEM, &contents);
// Finally one entry per cached interface; entry.first is the name, entry.second the table.
170 for (const auto& entry : interfaceToTable) {
171 addTableName(entry.second, entry.first, &contents);
// A failed write is only logged, in line with the best-effort contract described above.
174 if (!WriteStringToFile(contents, RT_TABLES_PATH, RT_TABLES_MODE, AID_SYSTEM, AID_WIFI)) {
175 ALOGE("failed to write to %s (%s)", RT_TABLES_PATH, strerror(errno));
180 // Sends a netlink request and expects an ack.
181 // |iov| is an array of struct iovec that contains the netlink message payload.
182 // The netlink header is generated by this function based on |action| and |flags|.
183 // Returns -errno if there was an error or if the kernel reported an error.
185 // Disable optimizations in ASan build.
186 // ASan reports an out-of-bounds 32-bit(!) access in the first loop of the
187 // function (over iov[]).
189 #if __has_feature(address_sanitizer)
190 __attribute__((optnone))
193 WARN_UNUSED_RESULT int sendNetlinkRequest(uint16_t action, uint16_t flags, iovec* iov, int iovlen) {
195 .nlmsg_type = action,
196 .nlmsg_flags = flags,
// Element 0 of |iov| is overwritten to point at the header built here, so callers must leave
// that slot free.
198 iov[0].iov_base = &nlmsg;
199 iov[0].iov_len = sizeof(nlmsg);
// The header's length field covers every iovec element, the header itself included.
200 for (int i = 0; i < iovlen; ++i) {
201 nlmsg.nlmsg_len += iov[i].iov_len;
// Open a netlink route socket, send the whole message with one writev() and read the reply.
210 int sock = socket(AF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, NETLINK_ROUTE);
212 connect(sock, reinterpret_cast<const sockaddr*>(&NETLINK_ADDRESS),
213 sizeof(NETLINK_ADDRESS)) != -1 &&
214 writev(sock, iov, iovlen) != -1 &&
215 (ret = recv(sock, &response, sizeof(response), 0)) != -1) {
// Only a reply of exactly the expected size is interpreted; its error field becomes the result.
216 if (ret == sizeof(response)) {
217 ret = response.err.error; // Netlink errors are negative errno.
219 ALOGE("netlink response contains error (%s)", strerror(-ret));
222 ALOGE("bad netlink response message size (%d != %zu)", ret, sizeof(response));
226 ALOGE("netlink socket/connect/writev/recv failed (%s)", strerror(errno));
// Copies the interface name |input| into |name| and computes the sizes needed to place it in a
// netlink attribute: |*length| is the name length including the terminating NUL, and |*padding|
// is the number of bytes needed after it to reach attribute alignment.
// NOTE(review): callers in this file pass buffers of IFNAMSIZ bytes for |name|; handling of a
// NULL |input| is not visible here - confirm.
237 // Returns 0 on success or negative errno on failure.
238 int padInterfaceName(const char* input, char* name, size_t* length, uint16_t* padding) {
// strlcpy() returns the length of |input|, so adding 1 accounts for the terminating NUL.
244 *length = strlcpy(name, input, IFNAMSIZ) + 1;
245 if (*length > IFNAMSIZ) {
246 ALOGE("interface name too long (%zu > %u)", *length, IFNAMSIZ);
247 return -ENAMETOOLONG;
// Difference between the aligned attribute size and the unaligned one.
249 *padding = RTA_SPACE(*length) - RTA_LENGTH(*length);
253 // Adds or removes a routing rule for IPv4 and IPv6.
255 // + If |table| is non-zero, the rule points at the specified routing table. Otherwise, the table is
256 // unspecified. An unspecified table is not allowed when creating an FR_ACT_TO_TBL rule.
257 // + If |mask| is non-zero, the rule matches the specified fwmark and mask. Otherwise, |fwmark| is
259 // + If |iif| is non-NULL, the rule matches the specified incoming interface.
260 // + If |oif| is non-NULL, the rule matches the specified outgoing interface.
261 // + If |uidStart| and |uidEnd| are not INVALID_UID, the rule matches packets from UIDs in that
262 // range (inclusive). Otherwise, the rule matches packets from all UIDs.
// |action| is RTM_NEWRULE or RTM_DELRULE; |ruleType| is the rule action (e.g. FR_ACT_TO_TBL).
264 // Returns 0 on success or negative errno on failure.
265 WARN_UNUSED_RESULT int modifyIpRule(uint16_t action, uint32_t priority, uint8_t ruleType,
266 uint32_t table, uint32_t fwmark, uint32_t mask, const char* iif,
267 const char* oif, uid_t uidStart, uid_t uidEnd) {
268 // Ensure that if you set a bit in the fwmark, it's not being ignored by the mask.
269 if (fwmark & ~mask) {
270 ALOGE("mask 0x%x does not select all the bits set in fwmark 0x%x", mask, fwmark);
274 // Interface names must include exactly one terminating NULL and be properly padded, or older
275 // kernels will refuse to delete rules.
276 char iifName[IFNAMSIZ], oifName[IFNAMSIZ];
277 size_t iifLength, oifLength;
278 uint16_t iifPadding, oifPadding;
279 if (int ret = padInterfaceName(iif, iifName, &iifLength, &iifPadding)) {
282 if (int ret = padInterfaceName(oif, oifName, &oifLength, &oifPadding)) {
286 // Either both start and end UID must be specified, or neither.
287 if ((uidStart == INVALID_UID) != (uidEnd == INVALID_UID)) {
288 ALOGE("incompatible start and end UIDs (%u vs %u)", uidStart, uidEnd);
// After the check above, testing |uidStart| alone is enough to know whether a range was given.
292 bool isUidRule = (uidStart != INVALID_UID);
294 // Assemble a rule request and put it in an array of iovec structures.
295 fib_rule_hdr rule = {
297 // Note that here we're implicitly setting rule.table to 0. When we want to specify a
298 // non-zero table, we do this via the FRATTR_TABLE attribute.
301 // Don't ever create a rule that looks up table 0, because table 0 is the local table.
302 // It's OK to specify a table ID of 0 when deleting a rule, because that doesn't actually select
303 // table 0, it's a wildcard that matches anything.
304 if (table == RT_TABLE_UNSPEC && rule.action == FR_ACT_TO_TBL && action != RTM_DELRULE) {
305 ALOGE("RT_TABLE_UNSPEC only allowed when deleting rules");
// Attribute headers for the interface names; their lengths depend on the actual names.
309 rtattr fraIifName = { U16_RTA_LENGTH(iifLength), FRA_IIFNAME };
310 rtattr fraOifName = { U16_RTA_LENGTH(oifLength), FRA_OIFNAME };
// Each optional attribute is a header entry followed by a payload entry. When its condition is
// false the entry's length is 0, so it contributes nothing to the message.
314 { &rule, sizeof(rule) },
315 { &FRATTR_PRIORITY, sizeof(FRATTR_PRIORITY) },
316 { &priority, sizeof(priority) },
317 { &FRATTR_TABLE, table != RT_TABLE_UNSPEC ? sizeof(FRATTR_TABLE) : 0 },
318 { &table, table != RT_TABLE_UNSPEC ? sizeof(table) : 0 },
319 { &FRATTR_FWMARK, mask ? sizeof(FRATTR_FWMARK) : 0 },
320 { &fwmark, mask ? sizeof(fwmark) : 0 },
321 { &FRATTR_FWMASK, mask ? sizeof(FRATTR_FWMASK) : 0 },
322 { &mask, mask ? sizeof(mask) : 0 },
323 { &FRATTR_UID_START, isUidRule ? sizeof(FRATTR_UID_START) : 0 },
324 { &uidStart, isUidRule ? sizeof(uidStart) : 0 },
325 { &FRATTR_UID_END, isUidRule ? sizeof(FRATTR_UID_END) : 0 },
326 { &uidEnd, isUidRule ? sizeof(uidEnd) : 0 },
327 { &fraIifName, iif != IIF_NONE ? sizeof(fraIifName) : 0 },
328 { iifName, iifLength },
329 { PADDING_BUFFER, iifPadding },
330 { &fraOifName, oif != OIF_NONE ? sizeof(fraOifName) : 0 },
331 { oifName, oifLength },
332 { PADDING_BUFFER, oifPadding },
// Only rule creation uses the create flags; every other action uses the plain request flags.
335 uint16_t flags = (action == RTM_NEWRULE) ? NETLINK_CREATE_REQUEST_FLAGS : NETLINK_REQUEST_FLAGS;
// The same request is sent once per address family, changing only rule.family in between.
336 for (size_t i = 0; i < ARRAY_SIZE(AF_FAMILIES); ++i) {
337 rule.family = AF_FAMILIES[i];
338 if (int ret = sendNetlinkRequest(action, flags, iov, ARRAY_SIZE(iov))) {
// Convenience overload: forwards to the full modifyIpRule() with the rule type fixed to
// FR_ACT_TO_TBL.
346 WARN_UNUSED_RESULT int modifyIpRule(uint16_t action, uint32_t priority, uint32_t table,
347 uint32_t fwmark, uint32_t mask, const char* iif,
348 const char* oif, uid_t uidStart, uid_t uidEnd) {
349 return modifyIpRule(action, priority, FR_ACT_TO_TBL, table, fwmark, mask, iif, oif, uidStart,
// Convenience overload for rules that select on fwmark only: forwards with no incoming or
// outgoing interface and INVALID_UID as the UID start.
// NOTE(review): the final argument of the forwarded call is not visible here - confirm.
353 WARN_UNUSED_RESULT int modifyIpRule(uint16_t action, uint32_t priority, uint32_t table,
354 uint32_t fwmark, uint32_t mask) {
355 return modifyIpRule(action, priority, table, fwmark, mask, IIF_NONE, OIF_NONE, INVALID_UID,
359 // Adds or deletes an IPv4 or IPv6 route.
// |action| is the netlink message type (RTM_NEWROUTE requests creation). |destination| is a
// prefix string parsed by parsePrefix(). |nexthop| may be NULL, a gateway address of the same
// family as |destination|, or one of the special strings "unreachable" / "throw".
360 // Returns 0 on success or negative errno on failure.
361 WARN_UNUSED_RESULT int modifyIpRoute(uint16_t action, uint32_t table, const char* interface,
362 const char* destination, const char* nexthop) {
363 // At least the destination must be non-null.
365 ALOGE("null destination");
// Buffer sized for the larger of the two supported address types.
370 uint8_t rawAddress[sizeof(in6_addr)];
372 uint8_t prefixLength;
373 int rawLength = parsePrefix(destination, &family, rawAddress, sizeof(rawAddress),
376 ALOGE("parsePrefix failed for destination %s (%s)", destination, strerror(-rawLength));
380 if (static_cast<size_t>(rawLength) > sizeof(rawAddress)) {
381 ALOGE("impossible! address too long (%d vs %zu)", rawLength, sizeof(rawAddress));
382 return -ENOBUFS; // Cannot happen; parsePrefix only supports IPv4 and IPv6.
385 uint8_t type = RTN_UNICAST;
387 uint8_t rawNexthop[sizeof(in6_addr)];
389 if (nexthop && !strcmp(nexthop, "unreachable")) {
390 type = RTN_UNREACHABLE;
391 // 'interface' is likely non-NULL, as the caller (modifyRoute()) likely used it to lookup
392 // the table number. But it's an error to specify an interface ("dev ...") or a nexthop for
393 // unreachable routes, so nuke them. (IPv6 allows them to be specified; IPv4 doesn't.)
394 interface = OIF_NONE;
// "throw" is treated like "unreachable" as far as the interface is concerned.
396 } else if (nexthop && !strcmp(nexthop, "throw")) {
398 interface = OIF_NONE;
401 // If an interface was specified, find the ifindex.
402 if (interface != OIF_NONE) {
403 ifindex = if_nametoindex(interface);
405 ALOGE("cannot find interface %s", interface);
410 // If a nexthop was specified, parse it as the same family as the prefix.
411 if (nexthop && inet_pton(family, nexthop, rawNexthop) <= 0) {
412 ALOGE("inet_pton failed for nexthop %s", nexthop);
417 // Assemble a rtmsg and put it in an array of iovec structures.
419 .rtm_protocol = RTPROT_STATIC,
421 .rtm_family = family,
422 .rtm_dst_len = prefixLength,
// Routes with a nexthop get universe scope; routes without one get link scope.
423 .rtm_scope = static_cast<uint8_t>(nexthop ? RT_SCOPE_UNIVERSE : RT_SCOPE_LINK),
// Destination and gateway attributes carry |rawLength| bytes each.
426 rtattr rtaDst = { U16_RTA_LENGTH(rawLength), RTA_DST };
427 rtattr rtaGateway = { U16_RTA_LENGTH(rawLength), RTA_GATEWAY };
// The interface and gateway attributes get length 0, and so are left out, when not specified.
431 { &route, sizeof(route) },
432 { &RTATTR_TABLE, sizeof(RTATTR_TABLE) },
433 { &table, sizeof(table) },
434 { &rtaDst, sizeof(rtaDst) },
435 { rawAddress, static_cast<size_t>(rawLength) },
436 { &RTATTR_OIF, interface != OIF_NONE ? sizeof(RTATTR_OIF) : 0 },
437 { &ifindex, interface != OIF_NONE ? sizeof(ifindex) : 0 },
438 { &rtaGateway, nexthop ? sizeof(rtaGateway) : 0 },
439 { rawNexthop, nexthop ? static_cast<size_t>(rawLength) : 0 },
// Only route creation uses the create flags; every other action uses the plain request flags.
442 uint16_t flags = (action == RTM_NEWROUTE) ? NETLINK_CREATE_REQUEST_FLAGS :
443 NETLINK_REQUEST_FLAGS;
444 return sendNetlinkRequest(action, flags, iov, ARRAY_SIZE(iov));
447 // An iptables rule to mark incoming packets on a network with the netId of the network.
449 // This is so that the kernel can:
450 // + Use the right fwmark for (and thus correctly route) replies (e.g.: TCP RST, ICMP errors, ping
451 // replies, SYN-ACKs, etc).
452 // + Mark sockets that accept connections from this interface so that the connection stays on the
// |add| selects between appending (-A) and deleting (-D) the rule.
454 WARN_UNUSED_RESULT int modifyIncomingPacketMark(unsigned netId, const char* interface,
455 Permission permission, bool add) {
// The mark carries the netId and permission, with the explicitlySelected and protectedFromVpn
// bits both set.
458 fwmark.netId = netId;
459 fwmark.explicitlySelected = true;
460 fwmark.protectedFromVpn = true;
461 fwmark.permission = permission;
// iptables takes the mark as a hexadecimal string.
463 char markString[UINT32_HEX_STRLEN];
464 snprintf(markString, sizeof(markString), "0x%x", fwmark.intValue);
// The rule goes in the mangle table's INPUT chain and matches on the incoming interface.
466 if (execIptables(V4V6, "-t", "mangle", add ? "-A" : "-D", "INPUT", "-i", interface, "-j",
467 "MARK", "--set-mark", markString, NULL)) {
468 ALOGE("failed to change iptables rule that sets incoming packet mark");
475 // A rule to route responses to the local network forwarded via the VPN.
477 // When a VPN is in effect, packets from the local network to upstream networks are forwarded into
478 // the VPN's tunnel interface. When the VPN forwards the responses, they emerge out of the tunnel.
// The rule matches packets arriving on |vpnInterface| (no fwmark or UID selector) and points
// them at the local-network table. |add| selects between creating and deleting it.
479 WARN_UNUSED_RESULT int modifyVpnOutputToLocalRule(const char* vpnInterface, bool add) {
480 return modifyIpRule(add ? RTM_NEWRULE : RTM_DELRULE, RULE_PRIORITY_VPN_OUTPUT_TO_LOCAL,
481 ROUTE_TABLE_LOCAL_NETWORK, MARK_UNSET, MARK_UNSET, vpnInterface, OIF_NONE,
482 INVALID_UID, INVALID_UID);
485 // A rule to route all traffic from a given set of UIDs to go over the VPN.
487 // Notice that this rule doesn't use the netId. I.e., no matter what netId the user's socket may
488 // have, if they are subject to this VPN, their traffic has to go through it. Allows the traffic to
489 // bypass the VPN if the protectedFromVpn bit is set.
// |secure| selects which of the two VPN priorities is used; |add| selects create vs. delete.
490 WARN_UNUSED_RESULT int modifyVpnUidRangeRule(uint32_t table, uid_t uidStart, uid_t uidEnd,
491 bool secure, bool add) {
// Match only packets whose protectedFromVpn bit is clear.
495 fwmark.protectedFromVpn = false;
496 mask.protectedFromVpn = true;
501 priority = RULE_PRIORITY_SECURE_VPN;
503 priority = RULE_PRIORITY_BYPASSABLE_VPN;
// NOTE(review): presumably this extra selector applies only on the bypassable path; the
// enclosing condition is not visible here - confirm.
505 fwmark.explicitlySelected = false;
506 mask.explicitlySelected = true;
// The rule matches packets whose incoming interface is loopback, within the given UID range.
509 return modifyIpRule(add ? RTM_NEWRULE : RTM_DELRULE, priority, table, fwmark.intValue,
510 mask.intValue, IIF_LOOPBACK, OIF_NONE, uidStart, uidEnd);
513 // A rule to allow system apps to send traffic over this VPN even if they are not part of the target
516 // This is needed for DnsProxyListener to correctly resolve a request for a user who is in the
517 // target set, but where the DnsProxyListener itself is not.
// The rule matches on the VPN's netId together with the system permission bits.
518 WARN_UNUSED_RESULT int modifyVpnSystemPermissionRule(unsigned netId, uint32_t table, bool secure,
523 fwmark.netId = netId;
524 mask.netId = FWMARK_NET_ID_MASK;
526 fwmark.permission = PERMISSION_SYSTEM;
527 mask.permission = PERMISSION_SYSTEM;
// Same priority as the UID range rule for a VPN with the same |secure| setting.
529 uint32_t priority = secure ? RULE_PRIORITY_SECURE_VPN : RULE_PRIORITY_BYPASSABLE_VPN;
531 return modifyIpRule(add ? RTM_NEWRULE : RTM_DELRULE, priority, table, fwmark.intValue,
535 // A rule to route traffic based on an explicitly chosen network.
537 // Supports apps that use the multinetwork APIs to restrict their traffic to a network.
539 // Even though we check permissions at the time we set a netId into the fwmark of a socket, we need
540 // to check it again in the rules here, because a network's permissions may have been updated via
541 // modifyNetworkPermission().
// Pass INVALID_UID for both |uidStart| and |uidEnd| to match all UIDs.
542 WARN_UNUSED_RESULT int modifyExplicitNetworkRule(unsigned netId, uint32_t table,
543 Permission permission, uid_t uidStart,
544 uid_t uidEnd, bool add) {
// Match the exact netId...
548 fwmark.netId = netId;
549 mask.netId = FWMARK_NET_ID_MASK;
// ...only when the explicitlySelected bit is set...
551 fwmark.explicitlySelected = true;
552 mask.explicitlySelected = true;
// ...and require every bit of |permission| to be present in the packet's mark.
554 fwmark.permission = permission;
555 mask.permission = permission;
557 return modifyIpRule(add ? RTM_NEWRULE : RTM_DELRULE, RULE_PRIORITY_EXPLICIT_NETWORK, table,
558 fwmark.intValue, mask.intValue, IIF_NONE, OIF_NONE, uidStart, uidEnd);
561 // A rule to route traffic based on a chosen outgoing interface.
563 // Supports apps that use SO_BINDTODEVICE or IP_PKTINFO options and the kernel that already knows
564 // the outgoing interface (typically for link-local communications).
// Pass INVALID_UID for both |uidStart| and |uidEnd| to match all UIDs; in that case a second
// rule restricted to UID_ROOT is handled as well (see below).
565 WARN_UNUSED_RESULT int modifyOutputInterfaceRules(const char* interface, uint32_t table,
566 Permission permission, uid_t uidStart,
567 uid_t uidEnd, bool add) {
// Require every bit of |permission| to be present in the packet's mark.
571 fwmark.permission = permission;
572 mask.permission = permission;
574 // If this rule does not specify a UID range, then also add a corresponding high-priority rule
575 // for UID. This covers forwarded packets and system daemons such as the tethering DHCP server.
576 if (uidStart == INVALID_UID && uidEnd == INVALID_UID) {
577 if (int ret = modifyIpRule(add ? RTM_NEWRULE : RTM_DELRULE, RULE_PRIORITY_VPN_OVERRIDE_OIF,
578 table, fwmark.intValue, mask.intValue, IIF_NONE, interface,
579 UID_ROOT, UID_ROOT)) {
// The regular rule, at RULE_PRIORITY_OUTPUT_INTERFACE, for the caller's UID range.
584 return modifyIpRule(add ? RTM_NEWRULE : RTM_DELRULE, RULE_PRIORITY_OUTPUT_INTERFACE, table,
585 fwmark.intValue, mask.intValue, IIF_NONE, interface, uidStart, uidEnd);
588 // A rule to route traffic based on the chosen network.
590 // This is for sockets that have not explicitly requested a particular network, but have been
591 // bound to one when they called connect(). This ensures that sockets connected on a particular
592 // network stay on that network even if the default network changes.
// |add| selects between creating and deleting the rule.
593 WARN_UNUSED_RESULT int modifyImplicitNetworkRule(unsigned netId, uint32_t table,
594 Permission permission, bool add) {
// Match the exact netId...
598 fwmark.netId = netId;
599 mask.netId = FWMARK_NET_ID_MASK;
// ...only when the explicitlySelected bit is clear...
601 fwmark.explicitlySelected = false;
602 mask.explicitlySelected = true;
// ...and require every bit of |permission| to be present in the packet's mark.
604 fwmark.permission = permission;
605 mask.permission = permission;
607 return modifyIpRule(add ? RTM_NEWRULE : RTM_DELRULE, RULE_PRIORITY_IMPLICIT_NETWORK, table,
608 fwmark.intValue, mask.intValue);
611 // A rule to enable split tunnel VPNs.
613 // If a packet with a VPN's netId doesn't find a route in the VPN's routing table, it's allowed to
614 // go over the default network, provided it wasn't explicitly restricted to the VPN and has the
615 // permissions required by the default network.
// |action| is passed straight through to modifyIpRule() as the netlink message type.
616 WARN_UNUSED_RESULT int modifyVpnFallthroughRule(uint16_t action, unsigned vpnNetId,
617 const char* physicalInterface,
618 Permission permission) {
// The rule points at the physical interface's table, not the VPN's.
619 uint32_t table = getRouteTableForInterface(physicalInterface);
620 if (table == RT_TABLE_UNSPEC) {
// Match packets carrying the VPN's netId whose explicitlySelected bit is clear and whose mark
// includes every bit of |permission|.
627 fwmark.netId = vpnNetId;
628 mask.netId = FWMARK_NET_ID_MASK;
630 fwmark.explicitlySelected = false;
631 mask.explicitlySelected = true;
633 fwmark.permission = permission;
634 mask.permission = permission;
636 return modifyIpRule(action, RULE_PRIORITY_VPN_FALLTHROUGH, table, fwmark.intValue,
640 // Add rules to allow legacy routes added through the requestRouteToHost() API.
// Three rules are created in total: two for packets without an explicitly selected network and
// one more that additionally requires the system permission.
641 WARN_UNUSED_RESULT int addLegacyRouteRules() {
// Match only packets whose explicitlySelected bit is clear.
645 fwmark.explicitlySelected = false;
646 mask.explicitlySelected = true;
648 // Rules to allow legacy routes to override the default network.
649 if (int ret = modifyIpRule(RTM_NEWRULE, RULE_PRIORITY_LEGACY_SYSTEM, ROUTE_TABLE_LEGACY_SYSTEM,
650 fwmark.intValue, mask.intValue)) {
653 if (int ret = modifyIpRule(RTM_NEWRULE, RULE_PRIORITY_LEGACY_NETWORK,
654 ROUTE_TABLE_LEGACY_NETWORK, fwmark.intValue, mask.intValue)) {
// Tighten the selector for the last rule: the system permission bits must also be set.
658 fwmark.permission = PERMISSION_SYSTEM;
659 mask.permission = PERMISSION_SYSTEM;
661 // A rule to allow legacy routes from system apps to override VPNs.
662 return modifyIpRule(RTM_NEWRULE, RULE_PRIORITY_VPN_OVERRIDE_SYSTEM, ROUTE_TABLE_LEGACY_SYSTEM,
663 fwmark.intValue, mask.intValue);
666 // Add rules to lookup the local network when specified explicitly or otherwise.
667 WARN_UNUSED_RESULT int addLocalNetworkRules(unsigned localNetId) {
// First the explicit-selection rule for |localNetId|, with no permission or UID restriction.
668 if (int ret = modifyExplicitNetworkRule(localNetId, ROUTE_TABLE_LOCAL_NETWORK, PERMISSION_NONE,
669 INVALID_UID, INVALID_UID, ACTION_ADD)) {
// Then a rule that matches packets whose explicitlySelected bit is clear.
676 fwmark.explicitlySelected = false;
677 mask.explicitlySelected = true;
679 return modifyIpRule(RTM_NEWRULE, RULE_PRIORITY_LOCAL_NETWORK, ROUTE_TABLE_LOCAL_NETWORK,
680 fwmark.intValue, mask.intValue);
// Sets up the dummy network's interface: brings it up, adds output-interface rules for it and
// installs IPv4 and IPv6 default routes in its table. Each failing step logs an error.
683 int configureDummyNetwork() {
684 const char *interface = DummyNetwork::INTERFACE_NAME;
685 uint32_t table = getRouteTableForInterface(interface);
686 if (table == RT_TABLE_UNSPEC) {
687 // getRouteTableForInterface has already logged an error.
692 int ret = ifc_up(interface);
// ifc_up() failures are reported via errno, unlike the -errno return values used below.
695 ALOGE("Can't bring up %s: %s", interface, strerror(errno));
699 if ((ret = modifyOutputInterfaceRules(interface, table, PERMISSION_NONE,
700 INVALID_UID, INVALID_UID, ACTION_ADD))) {
701 ALOGE("Can't create oif rules for %s: %s", interface, strerror(-ret));
// Default routes with no nexthop, one per address family.
705 if ((ret = modifyIpRoute(RTM_NEWROUTE, table, interface, "0.0.0.0/0", NULL))) {
706 ALOGE("Can't add IPv4 default route to %s: %s", interface, strerror(-ret));
710 if ((ret = modifyIpRoute(RTM_NEWROUTE, table, interface, "::/0", NULL))) {
711 ALOGE("Can't add IPv6 default route to %s: %s", interface, strerror(-ret));
718 // Add a new rule to look up the 'main' table, with the same selectors as the "default network"
719 // rule, but with a lower priority. We will never create routes in the main table; it should only be
720 // used for directly-connected routes implicitly created by the kernel when adding IP addresses.
721 // This is necessary, for example, when adding a route through a directly-connected gateway: in
722 // order to add the route, there must already be a directly-connected route that covers the gateway.
723 WARN_UNUSED_RESULT int addDirectlyConnectedRule() {
// Match packets whose netId is NETID_UNSET.
727 fwmark.netId = NETID_UNSET;
728 mask.netId = FWMARK_NET_ID_MASK;
// The rule is restricted to the UID range [UID_ROOT, UID_ROOT].
730 return modifyIpRule(RTM_NEWRULE, RULE_PRIORITY_DIRECTLY_CONNECTED, RT_TABLE_MAIN,
731 fwmark.intValue, mask.intValue, IIF_NONE, OIF_NONE, UID_ROOT, UID_ROOT);
734 // Add an explicit unreachable rule close to the end of the priority list to make it clear that
735 // relying on the kernel-default "from all lookup main" rule at priority 32766 is not intended
736 // behaviour. We do flush the kernel-default rules at startup, but having an explicit unreachable
737 // rule will hopefully make things even clearer.
// The rule has no selectors at all (no fwmark, interface or UID range) and no table.
738 WARN_UNUSED_RESULT int addUnreachableRule() {
739 return modifyIpRule(RTM_NEWRULE, RULE_PRIORITY_UNREACHABLE, FR_ACT_UNREACHABLE, RT_TABLE_UNSPEC,
740 MARK_UNSET, MARK_UNSET, IIF_NONE, OIF_NONE, INVALID_UID, INVALID_UID);
// Adds or removes (per |add|) the rules that attach |interface| to the local network: the
// incoming packet mark and the output-interface rules pointing at the local-network table, both
// without permission or UID restrictions.
743 WARN_UNUSED_RESULT int modifyLocalNetwork(unsigned netId, const char* interface, bool add) {
744 if (int ret = modifyIncomingPacketMark(netId, interface, PERMISSION_NONE, add)) {
747 return modifyOutputInterfaceRules(interface, ROUTE_TABLE_LOCAL_NETWORK, PERMISSION_NONE,
748 INVALID_UID, INVALID_UID, add);
// Adds or removes (per |add|) the rules that attach |interface| to physical network |netId|.
// In order: incoming packet mark, explicit-network rule, output-interface rules and
// implicit-network rule, all using the interface's own table and |permission|.
751 WARN_UNUSED_RESULT int modifyPhysicalNetwork(unsigned netId, const char* interface,
752 Permission permission, bool add) {
753 uint32_t table = getRouteTableForInterface(interface);
754 if (table == RT_TABLE_UNSPEC) {
758 if (int ret = modifyIncomingPacketMark(netId, interface, permission, add)) {
// The explicit and output-interface rules apply to all UIDs.
761 if (int ret = modifyExplicitNetworkRule(netId, table, permission, INVALID_UID, INVALID_UID,
765 if (int ret = modifyOutputInterfaceRules(interface, table, permission, INVALID_UID, INVALID_UID,
769 return modifyImplicitNetworkRule(netId, table, permission, add);
// Adds or removes (per |add|) one FR_ACT_PROHIBIT rule per UID range in |uidRanges|. Each rule
// matches packets whose incoming interface is loopback and whose protectedFromVpn bit is clear.
772 WARN_UNUSED_RESULT int modifyRejectNonSecureNetworkRule(const UidRanges& uidRanges, bool add) {
775 fwmark.protectedFromVpn = false;
776 mask.protectedFromVpn = true;
// range.first / range.second are passed as the start and end of the UID range.
778 for (const UidRanges::Range& range : uidRanges.getRanges()) {
779 if (int ret = modifyIpRule(add ? RTM_NEWRULE : RTM_DELRULE,
780 RULE_PRIORITY_PROHIBIT_NON_VPN, FR_ACT_PROHIBIT, RT_TABLE_UNSPEC,
781 fwmark.intValue, mask.intValue, IIF_LOOPBACK, OIF_NONE,
782 range.first, range.second)) {
// Adds or removes (per |add|) the rules for a VPN on |interface|. The per-UID-range rules are
// always processed; the rules that do not depend on the UID ranges are processed only when
// |modifyNonUidBasedRules| is true.
790 WARN_UNUSED_RESULT int modifyVirtualNetwork(unsigned netId, const char* interface,
791 const UidRanges& uidRanges, bool secure, bool add,
792 bool modifyNonUidBasedRules) {
793 uint32_t table = getRouteTableForInterface(interface);
794 if (table == RT_TABLE_UNSPEC) {
// Three rules per UID range: VPN UID range, explicit network and output interface.
798 for (const UidRanges::Range& range : uidRanges.getRanges()) {
799 if (int ret = modifyVpnUidRangeRule(table, range.first, range.second, secure, add)) {
802 if (int ret = modifyExplicitNetworkRule(netId, table, PERMISSION_NONE, range.first,
803 range.second, add)) {
806 if (int ret = modifyOutputInterfaceRules(interface, table, PERMISSION_NONE, range.first,
807 range.second, add)) {
812 if (modifyNonUidBasedRules) {
813 if (int ret = modifyIncomingPacketMark(netId, interface, PERMISSION_NONE, add)) {
816 if (int ret = modifyVpnOutputToLocalRule(interface, add)) {
819 if (int ret = modifyVpnSystemPermissionRule(netId, table, secure, add)) {
// Finally an explicit-network rule for the UID range [UID_ROOT, UID_ROOT].
822 return modifyExplicitNetworkRule(netId, table, PERMISSION_NONE, UID_ROOT, UID_ROOT, add);
// Adds or removes the default-network rule pointing at the table of |interface|. |action| is
// passed straight through to modifyIpRule() as the netlink message type.
828 WARN_UNUSED_RESULT int modifyDefaultNetwork(uint16_t action, const char* interface,
829 Permission permission) {
830 uint32_t table = getRouteTableForInterface(interface);
831 if (table == RT_TABLE_UNSPEC) {
// Match packets whose netId is NETID_UNSET and whose mark includes every bit of |permission|.
838 fwmark.netId = NETID_UNSET;
839 mask.netId = FWMARK_NET_ID_MASK;
841 fwmark.permission = permission;
842 mask.permission = permission;
844 return modifyIpRule(action, RULE_PRIORITY_DEFAULT_NETWORK, table, fwmark.intValue,
// Adds or removes the tethering rule that sends packets arriving on |inputInterface| to the
// routing table of |outputInterface|. The rule has no fwmark or UID selector. |action| is passed
// straight through to modifyIpRule() as the netlink message type.
848 WARN_UNUSED_RESULT int modifyTetheredNetwork(uint16_t action, const char* inputInterface,
849 const char* outputInterface) {
850 uint32_t table = getRouteTableForInterface(outputInterface);
851 if (table == RT_TABLE_UNSPEC) {
855 return modifyIpRule(action, RULE_PRIORITY_TETHERING, table, MARK_UNSET, MARK_UNSET,
856 inputInterface, OIF_NONE, INVALID_UID, INVALID_UID);
// Flushes the existing rules by running an external command once per entry in IP_VERSIONS.
// NOTE(review): the command's arguments are not visible here - confirm.
859 // Returns 0 on success or negative errno on failure.
860 WARN_UNUSED_RESULT int flushRules() {
861 for (size_t i = 0; i < ARRAY_SIZE(IP_VERSIONS); ++i) {
862 const char* argv[] = {
// A non-zero result from the forked command counts as failure.
868 if (android_fork_execvp(ARRAY_SIZE(argv), const_cast<char**>(argv), NULL, false, false)) {
869 ALOGE("failed to flush rules");
876 // Adds or removes an IPv4 or IPv6 route to the specified table and, if it's a directly-connected
877 // route, to the main table as well.
// |tableType| chooses the table: INTERFACE uses the table of |interface|, the other values use
// the corresponding fixed table.
878 // Returns 0 on success or negative errno on failure.
879 WARN_UNUSED_RESULT int modifyRoute(uint16_t action, const char* interface, const char* destination,
880 const char* nexthop, RouteController::TableType tableType) {
883 case RouteController::INTERFACE: {
884 table = getRouteTableForInterface(interface);
885 if (table == RT_TABLE_UNSPEC) {
890 case RouteController::LOCAL_NETWORK: {
891 table = ROUTE_TABLE_LOCAL_NETWORK;
894 case RouteController::LEGACY_NETWORK: {
895 table = ROUTE_TABLE_LEGACY_NETWORK;
898 case RouteController::LEGACY_SYSTEM: {
899 table = ROUTE_TABLE_LEGACY_SYSTEM;
904 int ret = modifyIpRoute(action, table, interface, destination, nexthop);
905 // Trying to add a route that already exists shouldn't cause an error.
906 if (ret && !(action == RTM_NEWROUTE && ret == -EEXIST)) {
// Flushes the routes in the table belonging to |interface|, for each entry in IP_VERSIONS, by
// running an external command with retries. The interface's entry in interfaceToTable is erased
// near the end.
// NOTE(review): per the comment near the end, presumably the entry is erased only when the
// flush succeeded; the guarding condition is not visible here - confirm.
913 // Returns 0 on success or negative errno on failure.
914 WARN_UNUSED_RESULT int flushRoutes(const char* interface) {
915 uint32_t table = getRouteTableForInterface(interface);
916 if (table == RT_TABLE_UNSPEC) {
// The table number is rendered as a decimal string; it is also used in the error log below.
920 char tableString[UINT32_STRLEN];
921 snprintf(tableString, sizeof(tableString), "%u", table);
924 for (size_t i = 0; i < ARRAY_SIZE(IP_VERSIONS); ++i) {
925 const char* argv[] = {
934 // A flush works by dumping routes and deleting each route as it's returned, and it can
935 // fail if something else deletes the route between the dump and the delete. This can
936 // happen, for example, if an interface goes down while we're trying to flush its routes.
937 // So try multiple times and only return an error if the last attempt fails.
939 // TODO: replace this with our own netlink code.
940 unsigned attempts = 0;
943 err = android_fork_execvp(ARRAY_SIZE(argv), const_cast<char**>(argv),
// Retry only while the command keeps failing and the attempt budget is not used up.
946 } while (err != 0 && attempts < ROUTE_FLUSH_ATTEMPTS);
948 ALOGE("failed to flush %s routes in table %s after %d attempts",
949 IP_VERSIONS[i], tableString, attempts);
954 // If we failed to flush routes, the caller may elect to keep this interface around, so keep
955 // track of its name.
957 interfaceToTable.erase(interface);
// Deletes tethering rules whose incoming interface is |inputInterface|. The table argument is 0,
// which (as explained in modifyIpRule()) acts as a wildcard when deleting.
// NOTE(review): presumably deletion repeats until the kernel reports -ENOENT, which is then not
// treated as an error; the loop structure is not visible here - confirm.
963 WARN_UNUSED_RESULT int clearTetheringRules(const char* inputInterface) {
966 ret = modifyIpRule(RTM_DELRULE, RULE_PRIORITY_TETHERING, 0, MARK_UNSET, MARK_UNSET,
967 inputInterface, OIF_NONE, INVALID_UID, INVALID_UID);
970 if (ret == -ENOENT) {
979 int RouteController::Init(unsigned localNetId) {
980 if (int ret = flushRules()) {
983 if (int ret = addLegacyRouteRules()) {
986 if (int ret = addLocalNetworkRules(localNetId)) {
989 if (int ret = addDirectlyConnectedRule()) {
992 if (int ret = addUnreachableRule()) {
995 // Don't complain if we can't add the dummy network, since not all devices support it.
996 configureDummyNetwork();
998 updateTableNamesFile();
1002 int RouteController::addInterfaceToLocalNetwork(unsigned netId, const char* interface) {
1003 return modifyLocalNetwork(netId, interface, ACTION_ADD);
1006 int RouteController::removeInterfaceFromLocalNetwork(unsigned netId, const char* interface) {
1007 return modifyLocalNetwork(netId, interface, ACTION_DEL);
1010 int RouteController::addInterfaceToPhysicalNetwork(unsigned netId, const char* interface,
1011 Permission permission) {
1012 if (int ret = modifyPhysicalNetwork(netId, interface, permission, ACTION_ADD)) {
1015 updateTableNamesFile();
1019 int RouteController::removeInterfaceFromPhysicalNetwork(unsigned netId, const char* interface,
1020 Permission permission) {
1021 if (int ret = modifyPhysicalNetwork(netId, interface, permission, ACTION_DEL)) {
1024 if (int ret = flushRoutes(interface)) {
1027 if (int ret = clearTetheringRules(interface)) {
1030 updateTableNamesFile();
1034 int RouteController::addInterfaceToVirtualNetwork(unsigned netId, const char* interface,
1035 bool secure, const UidRanges& uidRanges) {
1036 if (int ret = modifyVirtualNetwork(netId, interface, uidRanges, secure, ACTION_ADD,
1037 MODIFY_NON_UID_BASED_RULES)) {
1040 updateTableNamesFile();
1044 int RouteController::removeInterfaceFromVirtualNetwork(unsigned netId, const char* interface,
1045 bool secure, const UidRanges& uidRanges) {
1046 if (int ret = modifyVirtualNetwork(netId, interface, uidRanges, secure, ACTION_DEL,
1047 MODIFY_NON_UID_BASED_RULES)) {
1050 if (int ret = flushRoutes(interface)) {
1053 updateTableNamesFile();
1057 int RouteController::modifyPhysicalNetworkPermission(unsigned netId, const char* interface,
1058 Permission oldPermission,
1059 Permission newPermission) {
1060 // Add the new rules before deleting the old ones, to avoid race conditions.
1061 if (int ret = modifyPhysicalNetwork(netId, interface, newPermission, ACTION_ADD)) {
1064 return modifyPhysicalNetwork(netId, interface, oldPermission, ACTION_DEL);
1067 int RouteController::addUsersToRejectNonSecureNetworkRule(const UidRanges& uidRanges) {
1068 return modifyRejectNonSecureNetworkRule(uidRanges, true);
1071 int RouteController::removeUsersFromRejectNonSecureNetworkRule(const UidRanges& uidRanges) {
1072 return modifyRejectNonSecureNetworkRule(uidRanges, false);
1075 int RouteController::addUsersToVirtualNetwork(unsigned netId, const char* interface, bool secure,
1076 const UidRanges& uidRanges) {
1077 return modifyVirtualNetwork(netId, interface, uidRanges, secure, ACTION_ADD,
1078 !MODIFY_NON_UID_BASED_RULES);
1081 int RouteController::removeUsersFromVirtualNetwork(unsigned netId, const char* interface,
1082 bool secure, const UidRanges& uidRanges) {
1083 return modifyVirtualNetwork(netId, interface, uidRanges, secure, ACTION_DEL,
1084 !MODIFY_NON_UID_BASED_RULES);
1087 int RouteController::addInterfaceToDefaultNetwork(const char* interface, Permission permission) {
1088 return modifyDefaultNetwork(RTM_NEWRULE, interface, permission);
1091 int RouteController::removeInterfaceFromDefaultNetwork(const char* interface,
1092 Permission permission) {
1093 return modifyDefaultNetwork(RTM_DELRULE, interface, permission);
1096 int RouteController::addRoute(const char* interface, const char* destination, const char* nexthop,
1097 TableType tableType) {
1098 return modifyRoute(RTM_NEWROUTE, interface, destination, nexthop, tableType);
1101 int RouteController::removeRoute(const char* interface, const char* destination,
1102 const char* nexthop, TableType tableType) {
1103 return modifyRoute(RTM_DELROUTE, interface, destination, nexthop, tableType);
1106 int RouteController::enableTethering(const char* inputInterface, const char* outputInterface) {
1107 return modifyTetheredNetwork(RTM_NEWRULE, inputInterface, outputInterface);
1110 int RouteController::disableTethering(const char* inputInterface, const char* outputInterface) {
1111 return modifyTetheredNetwork(RTM_DELRULE, inputInterface, outputInterface);
1114 int RouteController::addVirtualNetworkFallthrough(unsigned vpnNetId, const char* physicalInterface,
1115 Permission permission) {
1116 return modifyVpnFallthroughRule(RTM_NEWRULE, vpnNetId, physicalInterface, permission);
1119 int RouteController::removeVirtualNetworkFallthrough(unsigned vpnNetId,
1120 const char* physicalInterface,
1121 Permission permission) {
1122 return modifyVpnFallthroughRule(RTM_DELRULE, vpnNetId, physicalInterface, permission);