OSDN Git Service
Erik Kline [Thu, 25 May 2017 08:03:31 +0000 (17:03 +0900)]
Only set protectFromVpn if explicitlySelected is also true.
When a secure VPN is up, setting protectFromVpn=1 and explicitlySelected=0
causes the probe routing lookups used by _have_ipv4 and _have_ipv6 to skip
the VPN rule, instead selecting the default network.
This means that the address families for which we query DNS records are
determined by the address families of the default network, not those of
the VPN.
If explicitlySelected==true, setting protectFromVpn=true (if the app can
protect its sockets) results in querying the address families from the
specified network, which is correct.
Test: as follows
- built
- flashed
- booted
- runtest -x netd_integration_test.cpp passes
- testing per bug discussion
Bug: 37131664
Bug: 37347238
Change-Id: I7cf322a047494fd70c3c4d8862d53d6a6dac66de
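The commit above reasons about which ip rule the resolver's probe socket hits depending on the explicitlySelected and protectedFromVpn bits of its mark. The following is an added example, not netd code: it models the fwmark bit layout (netId in the low 16 bits, explicitlySelected at bit 16, protectedFromVpn at bit 17) and a reduced rule table with four of netd's rule classes (SECURE_VPN, EXPLICIT_NETWORK, VPN_FALLTHROUGH, DEFAULT_NETWORK). The priorities, the rule set and the probeMark() helper are assumptions made for illustration; the pre-fix branch sets protectedFromVpn whenever the app may protect sockets, the fixed branch only when the network was also explicitly selected.

```cpp
// Added example, not part of netd. Models the probe-socket mark and a reduced
// policy-routing table to show why protectedFromVpn without explicitlySelected
// sends the probe to the default network instead of the VPN.
#include <cstdint>
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

// Fwmark bit layout assumed here: netId:16, explicitlySelected:1, protectedFromVpn:1.
constexpr uint32_t FWMARK_NET_ID_MASK   = 0xffffu;
constexpr uint32_t FWMARK_EXPLICIT_BIT  = 1u << 16;
constexpr uint32_t FWMARK_PROTECTED_BIT = 1u << 17;

struct Fwmark {
    uint16_t netId = 0;
    bool explicitlySelected = false;
    bool protectedFromVpn = false;
    uint32_t intValue() const {
        return static_cast<uint32_t>(netId)
             | (explicitlySelected ? FWMARK_EXPLICIT_BIT : 0u)
             | (protectedFromVpn ? FWMARK_PROTECTED_BIT : 0u);
    }
};

// Mark carried by the _have_ipv4/_have_ipv6 probe for an app on `netId`.
// fixed=false: protectedFromVpn follows appCanProtect alone (the behaviour described as buggy).
// fixed=true:  protectedFromVpn is only set when explicitlySelected is also true.
Fwmark probeMark(uint16_t netId, bool explicitlySelected, bool appCanProtect, bool fixed) {
    Fwmark m;
    m.netId = netId;
    m.explicitlySelected = explicitlySelected;
    m.protectedFromVpn = fixed ? (explicitlySelected && appCanProtect) : appCanProtect;
    return m;
}

// One ip rule: lower priority value wins; match sees (uid, mark) and selects a table.
struct Rule {
    uint32_t priority;
    std::function<bool(uint32_t, uint32_t)> match;
    std::string table;
};

struct VpnConfig { uint16_t vpnNetId; uint32_t uidStart; uint32_t uidEnd; };

// Reduced rule table for one secure VPN covering uidStart..uidEnd. Priorities are assumed.
std::vector<Rule> buildRules(const VpnConfig& vpn) {
    auto inRange = [vpn](uint32_t uid) { return uid >= vpn.uidStart && uid <= vpn.uidEnd; };
    auto netIdOf = [](uint32_t mark) { return mark & FWMARK_NET_ID_MASK; };
    return {
        // SECURE_VPN: uid in range and protect bit clear -> VPN table, regardless of netId.
        {12000, [=](uint32_t uid, uint32_t mark) {
                    return inRange(uid) && !(mark & FWMARK_PROTECTED_BIT); }, "vpn"},
        // EXPLICIT_NETWORK: VPN netId with explicit bit set -> VPN table, even if protected.
        {13000, [=](uint32_t, uint32_t mark) {
                    return netIdOf(mark) == vpn.vpnNetId && (mark & FWMARK_EXPLICIT_BIT); }, "vpn"},
        // VPN_FALLTHROUGH: VPN netId not caught above (i.e. protected) -> default network.
        {21000, [=](uint32_t, uint32_t mark) { return netIdOf(mark) == vpn.vpnNetId; }, "default"},
        // DEFAULT_NETWORK: no netId in the mark -> default network.
        {22000, [=](uint32_t, uint32_t mark) { return netIdOf(mark) == 0; }, "default"},
    };
}

// First matching rule wins, as in the kernel's FIB rule walk.
std::string lookup(const std::vector<Rule>& rules, uint32_t uid, const Fwmark& mark) {
    for (const auto& r : rules) {
        if (r.match(uid, mark.intValue())) return r.table;
    }
    return "unreachable";
}

int main() {
    const VpnConfig vpn{100, 10000, 19999};   // constructed: VPN netId 100 covers user 0's apps
    const auto rules = buildRules(vpn);
    const uint32_t uid = 10050;               // constructed: an app inside the VPN's range
    std::printf("not explicit, pre-fix : %s\n", lookup(rules, uid, probeMark(100, false, true, false)).c_str());
    std::printf("not explicit, fixed   : %s\n", lookup(rules, uid, probeMark(100, false, true, true)).c_str());
    std::printf("explicit, fixed       : %s\n", lookup(rules, uid, probeMark(100, true, true, true)).c_str());
    return 0;
}
```

With the pre-fix mark the probe skips SECURE_VPN (protect bit set) and EXPLICIT_NETWORK (explicit bit clear) and lands on VPN_FALLTHROUGH, so the resolver measures the default network's address families. With the fix the non-explicit probe keeps the protect bit clear and is caught by SECURE_VPN, while the explicit probe is caught by EXPLICIT_NETWORK; either way the VPN's table answers.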
Lorenzo Colitti [Tue, 10 Jan 2017 09:48:45 +0000 (18:48 +0900)]
Use new-style UID routing.
Kernel prebuilts for OC devices have been updated, so the legacy
attributes are not being used. Use the new attributes only. This
will ensure that devices aren't using the old code by mistake, as
any such devices will fail the VPN CTS tests.
(cherry picked from commit 882e467ff7b83de868fa0b9a9beb9036bf14aede)
Cherry-picking this to AOSP now that most external kernels have
been updated as well.
Bug: 16355602
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Test: has been running in internal master for several weeks.
Change-Id: I1c4e8c9281a843417a3a52294a1b7d3e6502bee6
Lorenzo Colitti [Fri, 16 Dec 2016 09:45:03 +0000 (18:45 +0900)]
Set both legacy and new UID routing attributes.
This should work on kernels that support either, as long as they
are older than 4.8.
Test: netd_integration_test passes with updated iproute and kernel
Test: netd_integration_test passes with existing iproute and kernel
Test: ConnectivityManagerTest and HostsideVpnTests pass on existing kernel
Test: ConnectivityManagerTest and HostsideVpnTests pass on updated kernel
Bug: 16355602
Change-Id: I9a2ef08ba2782587f43ea7d0609f5f07f6c3adb0
Hugo Benichi [Mon, 31 Oct 2016 06:07:23 +0000 (15:07 +0900)]
DO NOT MERGE Add success/errno to connect() event reporting
Test: $ runtest -x system/netd/tests/netd_integration_test.cpp
Bug: 32198976
(cherry picked from commit 794c5c714a4d4cf169769ec956845a6fb24e7ebc)
Change-Id: I0a7990d7211d5355a48d941ee9659c16e38817ca
Hugo Benichi [Thu, 8 Dec 2016 06:37:05 +0000 (15:37 +0900)]
DO NOT MERGE onConnectEvent does not report udp connects
Test: manual test + $ runtest -x system/netd/test/netd_integration_test.cpp
Bug: 32198976
Bug: 29748723
Change-Id: I476ada792092db80c8fb27cb40d5d7ea0f26de46
Michal Karpinski [Fri, 2 Dec 2016 18:01:00 +0000 (18:01 +0000)]
DO NOT MERGE Comment out tests/benchmarks/Android.mk on nyc-mr2-dev
netd benchmark can't build on nyc-mr2-dev, because google-benchmark project is out of date
and won't be backported, and thus the content of this file is commented out to disable it.
In order to run netd benchmark locally you can uncomment the content of this file and follow
instructions in ag/1673408 (checkout that commit and build external/google-benchmark and
system/netd locally and then run the benchmark locally)
Bug: 29748723
Change-Id: Iaa101f79f1b6b20fa856b7bf8ca95c55abe05f05
Michal Karpinski [Mon, 14 Nov 2016 09:29:03 +0000 (09:29 +0000)]
DO NOT MERGE Fix use-after-free of mClient member DnsProxyListener::GetHostByNameHandler::run().
Found by ASan.
Test: Flash ASan build, boot up and verify that system/netd does not
crash with AddressSanitizer induced errors.
Bug: 32810214
Bug: 29748723
(cherry picked from commit f8bb7ecc72e7a18ff5528613f79316634e8f6885)
Change-Id: I8814756588b2bb4c78583a829e08d33305797642
Michal Karpinski [Wed, 26 Oct 2016 09:33:26 +0000 (10:33 +0100)]
DO NOT MERGE Add null check for hp in DnsProxyListener::GetHostByNameHandler
Bug: 32399924
Bug: 29748723
Test: runtest -x netd_integration_test.cpp
(cherry picked from commit 7a8a601190f948f18b1cc8c043f3a265c1ed183e)
Change-Id: I8e47c2461dc7e8bf34128a2d56ba936e2535c262
Michal Karpinski [Thu, 6 Oct 2016 18:33:55 +0000 (19:33 +0100)]
DO NOT MERGE Add connect event reporting
Adds reporting of connect events including netId, destination IP address,
destination port, uid and connect latency.
Also enables the relevant tests in the connect_benchmark.
Currently ignores the new data it receives, further work will be
done in the subsequent CLs.
Test: for now just the benchmarking, in the future CTS
Bug: 29748723
(cherry picked from commit 4b9b78aa02336de9291e5085401cef44c03c3bba)
Change-Id: I3ec05db3a9b914af38307282ede3f3439716b1ef
Michal Karpinski [Thu, 13 Oct 2016 09:04:36 +0000 (10:04 +0100)]
DO NOT MERGE Fixing the netd benchmark
Bug: 29748723
(cherry picked from commit fe7f72b4709c2b735287d817b6f1277e2f40b11c)
Change-Id: I3de12cab6d93a1ec928d47c7b3656eac99a91fb6
Michal Karpinski [Thu, 6 Oct 2016 17:06:00 +0000 (18:06 +0100)]
DO NOT MERGE Extending DNS event reporting
This adds hostname, array of addresses, total count of IP addresses
and uid to the existing pipeline.
Currently ignores the new data it receives, further work will be
done in the subsequent CLs.
Test: for now just the benchmarking, in the future CTS
Bug: 29748723
(cherry picked from commit 36deff74215db202db9e29aa7ff1375ae5f2bc5d)
Change-Id: I16d690052fb01fc6d2bc3a57d4550f22236cd0fa
Robin Lee [Thu, 1 Dec 2016 19:03:33 +0000 (19:03 +0000)]
DO NOT MERGE Remove "if (auto ret = " treated as unused by some compilers
It's not good form to have a variable that's created and used only once
in the same line anyway, so the compilers that flag it are probably in
the right.
Test: netd_benchmark
Bug: 29748723
(cherry picked from commit e65244b5a149fc8be8063ee0872f31b829bfa020)
Change-Id: I80b8c321087947c08d5d5b9cb6ca7b4987b2ac77
Michal Karpinski [Thu, 6 Oct 2016 15:56:04 +0000 (16:56 +0100)]
DO NOT MERGE Adding EventReporter class
This class stores the reporting level and can be used to get
the event listener service.
Bug: 29748723
(cherry picked from commit be581e228bd1a97efd179edcdd3e744622fb99b8)
Change-Id: I825dbce5d40af6b781d177a611ab606853fc2e01
Robin Lee [Fri, 30 Sep 2016 20:31:53 +0000 (21:31 +0100)]
DO NOT MERGE [benchmark] remove unnecessary shared libs, fix apct
The continuous execution environment is not finding these and shouldn't
need access to them if instead we can just statically link as much as
possible.
Fixes the testrun on angler-userdebug which doesn't seem to have
libnetd_aidl or liblogwrap available by default
Test: mma -j30 netd_benchmark && ${OUT}/data/benchmarktest/netd_benchmark/netd_benchmark /data/netd_benchmark && adb shell /data/netd_benchmark
(cherry picked from commit 3cea1d5a7702568e6c4b11777f01661372bf5ad7)
Change-Id: Ib2fb9624a8aa2cdd81add575dfded1d6e6c07455
Robin Lee [Tue, 13 Sep 2016 09:55:42 +0000 (18:55 +0900)]
DO NOT MERGE Benchmarks for network metrics reporting
Bug: 29748723
Test: this is an APCT test.
(cherry picked from commit 484dac1d071c7476895c4a3184e8dbdd7b63e524)
Change-Id: I102aeb84c92716f5e022b50792c2fd1cde98e286
Robin Lee [Wed, 21 Sep 2016 07:31:33 +0000 (16:31 +0900)]
DO NOT MERGE Move Stopwatch into its own header
Bug: 29748723
Test: netd_integration_test
(cherry picked from commit cc544162e08dd0df271cd77a3f2c85dbaaa461e2)
Change-Id: Icc2f633206b9f8052ca9ae2b775984b4f4be97b9
Robin Lee [Thu, 15 Sep 2016 01:55:25 +0000 (10:55 +0900)]
DO NOT MERGE Fix getaddrinfo test to use random mapping ids
This seems to have been intended but it's just using the loop index. In
fact the only thing the random index is used for is an assert to check
that it is a valid index.
Also stops the test segfaulting if num_queries > num_hosts
(cherry picked from commit c4aba0ab2e9539a5e185e3800d47b3fcda9af779)
Change-Id: Iae2369676c08fa8f8110c3cdebb0e4294a60b4b2
Robin Lee [Fri, 3 Jun 2016 09:30:00 +0000 (10:30 +0100)]
DO NOT MERGE UidRange bounds-checking typo
This is from copy-pasting the line above and changing the assert
message but not the actual check.
(cherry picked from commit 927c40f40148880ce6f6bbe5335c2741b4195ad3)
Change-Id: I6ec2902ea4d1a4dc139b02cfeb9d6978af380a21
Michal Karpinski [Thu, 15 Sep 2016 08:05:36 +0000 (17:05 +0900)]
DO NOT MERGE Rename the DnsEventListenerService to NetdEventListenerService
The service will be extended to include listening for connect events as well
Test: this is just a renaming change
Bug: 29748723
(cherry picked from commit 5005134a6ab717c55a02a2684cfae42484b801aa)
Change-Id: I0402fec21fc60f3752fac23a73285c4987cee755
Lorenzo Colitti [Tue, 27 Sep 2016 03:57:20 +0000 (03:57 +0000)]
List network permissions in dumpsys netd.
am: 1f28b6403e
Change-Id: I5431c6597be1e2fb44ff394fd44cbbffa78a8312
Lorenzo Colitti [Mon, 26 Sep 2016 08:17:40 +0000 (17:17 +0900)]
List network permissions in dumpsys netd.
Bug: 23113288
Change-Id: Iea225ead1f6296ded29fcee2435a8c6aa2a67429
Lorenzo Colitti [Wed, 21 Sep 2016 14:38:55 +0000 (14:38 +0000)]
Close sockets when changing network permissions.
am: c6201c3754
Change-Id: Ie43f762ccd173cadb0a1286137cc48dd2a19c528
Lorenzo Colitti [Tue, 13 Sep 2016 17:25:05 +0000 (02:25 +0900)]
Close sockets when changing network permissions.
Bug: 23113288
Change-Id: I8dcb02c79c81244e5b7288cb50770ac6a5867fcc
Lorenzo Colitti [Mon, 12 Sep 2016 10:34:38 +0000 (10:34 +0000)]
Merge "Don't start tethering if IPv6 RPF is not supported." into nyc-mr1-dev
am: 9232260ad1
Change-Id: I657c89e73431d409b3e849c36168507aa738514d
Lorenzo Colitti [Mon, 12 Sep 2016 10:34:38 +0000 (10:34 +0000)]
Don't start tethering if IPv6 RPF is not supported.
am: bd96d9582e
Change-Id: Id10886059ef45352495495dac865ec7321166e50
Lorenzo Colitti [Mon, 12 Sep 2016 10:28:09 +0000 (10:28 +0000)]
Merge "Don't start tethering if IPv6 RPF is not supported." into nyc-mr1-dev
Erik Kline [Mon, 12 Sep 2016 08:15:30 +0000 (08:15 +0000)]
Add general /proc/sys/net/ipv[46]/{conf,neigh}/ interface
am: b218a87e07
Change-Id: I4ec832204e6815e5fc12912cc70dc09352379a22
Erik Kline [Mon, 4 Jul 2016 00:57:18 +0000 (09:57 +0900)]
Add general /proc/sys/net/ipv[46]/{conf,neigh}/ interface
Bug: 21859053
Bug: 28135208
Change-Id: Ia3232706a697fd149ed87f74586efe3d434261f8
Erik Kline [Wed, 10 Aug 2016 00:49:34 +0000 (00:49 +0000)]
Disable DAD for downstream interfaces when tethering
am: 59d8c48cee
Change-Id: Ie34b5c31c67fc86e8d9bda977f2d6ba65efd0cbd
Erik Kline [Tue, 9 Aug 2016 06:28:42 +0000 (15:28 +0900)]
Disable DAD for downstream interfaces when tethering
Bug: 30298058
Change-Id: If4cd1f2e2b782ff08d667eb065138c06559b3394
Erik Kline [Tue, 9 Aug 2016 00:54:36 +0000 (00:54 +0000)]
Add tests for interface add/remove binder API
am: 46ae27cd20
Change-Id: Icddbc3dc8935e3454a9469fdccb3d8539cdbf85b
Erik Kline [Wed, 3 Aug 2016 02:24:27 +0000 (11:24 +0900)]
Add tests for interface add/remove binder API
Bug: 30298058
Change-Id: Ib16f02667cdae06688106bf064d17db693d60cd5
Erik Kline [Tue, 2 Aug 2016 15:31:49 +0000 (15:31 +0000)]
Support adding/removing IPv4 and IPv6 addresses on interfaces
am: c296f098b6
Change-Id: I9b895c19319d7fbda6f30bf6f6ca1404b9845dea
Erik Kline [Tue, 2 Aug 2016 06:22:53 +0000 (15:22 +0900)]
Support adding/removing IPv4 and IPv6 addresses on interfaces
Bug: 30298058
Change-Id: Ic25cd165476d1a781595460b7d764e8df4707c65
Lorenzo Colitti [Mon, 1 Aug 2016 10:44:05 +0000 (10:44 +0000)]
Enable IPv6 reverse path filtering.
am: 8917e45f7f
Change-Id: I25dc8d202c7aa8ac6a8a1d01d8f04d6573a318e0
Lorenzo Colitti [Mon, 1 Aug 2016 09:14:31 +0000 (18:14 +0900)]
Don't start tethering if IPv6 RPF is not supported.
Bug: 9580643
Bug: 30298058
Change-Id: Ia2e81786527b5718ed7f9dd195a39ea1eb7eb2b4
Lorenzo Colitti [Mon, 1 Aug 2016 07:47:50 +0000 (16:47 +0900)]
Enable IPv6 reverse path filtering.
Bug: 9580643
Bug: 30298058
Change-Id: I45c1f46994a07f656434088cafe753d58731faa0
Lorenzo Colitti [Fri, 29 Jul 2016 12:07:54 +0000 (12:07 +0000)]
Allow networking on loopback in doze, standby, and powersave.
am: 238e81894d
Change-Id: I4990963474d5d42b9135a6aab4f2a9c26987a596
Lorenzo Colitti [Fri, 29 Jul 2016 11:18:21 +0000 (11:18 +0000)]
Don't close loopback sockets when a VPN connects or entering doze.
am: 0726fec828
Change-Id: Ibd3007206985311cb736566a684adbffffe320d3
Lorenzo Colitti [Thu, 28 Jul 2016 11:24:07 +0000 (11:24 +0000)]
Make the socketDestroy tests use a fake tun interface.
am: 549a0f7058
Change-Id: I9e65b849c0e57acfdd55b09152710b2195a4dee1
Lorenzo Colitti [Tue, 26 Jul 2016 08:59:41 +0000 (17:59 +0900)]
Allow networking on loopback in doze, standby, and powersave.
Restricting networking on loopback is needlessly restrictive
because it doesn't have substantial power impact.
Bug: 30186506
Change-Id: Ibe31aff7c43ae02821fdf4a00b600fb5f5f5bc30
Lorenzo Colitti [Tue, 26 Jul 2016 08:53:50 +0000 (17:53 +0900)]
Don't close loopback sockets when a VPN connects or entering doze.
Bug: 30186506
Change-Id: I8bae7b004c3bb9f6e9e0db99774a6ff6505578b4
Lorenzo Colitti [Wed, 27 Jul 2016 13:10:49 +0000 (22:10 +0900)]
Make the socketDestroy tests use a fake tun interface.
On real devices, we often don't want to destroy sockets that
are on loopback. This CL makes our integration tests use
sockets that don't look like they're on loopback, making it
possible to test code that does not destroy sockets that are
on loopback.
Bug: 30186506
Change-Id: I1ea56f069f528f25dddd5898b2269a638318f820
Erik Kline [Sun, 17 Jul 2016 19:02:07 +0000 (04:02 +0900)]
Add tetherApplyDnsInterfaces() binder interface.
Bug: 9580643
Change-Id: I781a422c969deb153bc8370edda4578612af6dc6
Lorenzo Colitti [Mon, 11 Jul 2016 02:36:25 +0000 (11:36 +0900)]
Parse IPv6 tethering counters.
Bug: 9580643
Change-Id: Icbfd8c6480a4e14433004e90b71a104ae4da9c5d
Lorenzo Colitti [Sun, 10 Jul 2016 14:15:46 +0000 (23:15 +0900)]
Add counters for IPv6 tethering.
Bug: 9580643
Change-Id: I60ff10cea8e8e90eeaf5412f1b6254696073506d
Lorenzo Colitti [Fri, 8 Jul 2016 09:24:53 +0000 (18:24 +0900)]
Refactor getTetherStats in preparation for IPv6 tether counters.
Bug: 9580643
Change-Id: I11565cafbefbc06a7992d1ff18c707165d5b31ed
Lorenzo Colitti [Mon, 11 Jul 2016 16:19:49 +0000 (01:19 +0900)]
More test coverage for tethering counter parsing.
Bug: 9580643
Change-Id: Ia2f273b518399f42bfa8efb98445f1ff043bc07e
Lorenzo Colitti [Sat, 9 Jul 2016 05:24:08 +0000 (14:24 +0900)]
Add a test for NatController.
Bug: 9580643
Change-Id: I6ac3b754ec0b720674c6221e3a776314e86fe58c
Lorenzo Colitti [Fri, 8 Jul 2016 09:24:26 +0000 (18:24 +0900)]
Add a test for getTetherStats.
Bug: 9580643
Change-Id: I26f7adb9639f1ddf4eda0c98bcc6cd3a83d3ba0b
Erik Kline [Wed, 8 Jun 2016 04:24:45 +0000 (13:24 +0900)]
Setup interfaces for IPv6 tethering
Including:
- set the interface for router mode (accept_ra = 0)
- reset the interface for client mode (accept_ra = 1)
- InterfaceController::setAcceptIPv6Ra()
- InterfaceController::setAcceptIPv6Dad()
- make InterfaceController static
- refactor for more modern C++ usage here and there
- sporadic style guide fixes
Bug: 9580643
Change-Id: Ia557c8770e18c58b12ad16d982c63b6ebd525516
Lorenzo Colitti [Wed, 22 Jun 2016 10:53:56 +0000 (10:53 +0000)]
Always use the default network DNS servers if a VPN does not set any.
am: c63059c8a7
Change-Id: I2e7f91b5c50cee056c97e75b65b2683285582899
Lorenzo Colitti [Tue, 21 Jun 2016 14:54:12 +0000 (23:54 +0900)]
Always use the default network DNS servers if a VPN does not set any.
When a VPN provides no DNS servers, DNS lookups are usually sent
to the default network's DNS servers. However, if a DNS lookup
is explicitly made on the VPN (e.g., via Network#openConnection),
then it just fails.
This breaks system proxies which perform network traffic on VPNs
on behalf of other apps, e.g., the download manager.
Fix this by doing the query to the default DNS servers (via the
default network) instead. This is consistent with what we do with
DNS queries that do not specify a network. While this is a change
in behaviour, it shouldn't cause much breakage because the query
would previously just fail.
Bug: 29498052
Change-Id: Ie4002c9835bb1ff6d3d92c00c9c04e634fc3cda4
Bryse Flowers [Wed, 1 Jun 2016 20:00:12 +0000 (13:00 -0700)]
Listen to xt_quota2 kobject event for quota
Allow quota limit reached notification to originate from both
qlog and xt_quota2 subsystem. On 3.18 Kernel, modify xt_quota2
module to broadcast the Netlink notification via kobject.
Change-Id: Iaafe521e455d658ed8a2f95fb5114b029323d5ef
CRs-Fixed: 1008025
Bug: 24140541
Lorenzo Colitti [Thu, 9 Jun 2016 16:54:52 +0000 (01:54 +0900)]
Verify expectations better in SockDiagTest.
Currently SockDiagTest only checks for socket errors, it does not
check that the socket was closed via SOCK_DESTROY. This can cause
us to think that SOCK_DESTROY is working when it isn't.
Fix this by checking the error codes and expecting that at least
one socket was closed by SOCK_DESTROY.
Bug: 28508161
Change-Id: Iab423dba0aa30466481dd3a7304aa8f69c5cf605
Lorenzo Colitti [Thu, 9 Jun 2016 05:20:08 +0000 (14:20 +0900)]
Don't fail the test if the iptables lock is held.
Change-Id: Ib4db989fdb35df3f517ce4db1526e5c1f78ad4b5
Pierre Imai [Tue, 31 May 2016 00:57:19 +0000 (00:57 +0000)]
Do not configure more DNS servers than supported.
am: 0452cb569e
* commit '0452cb569ebeface13f77c548afb35cdfcbe48d5':
Do not configure more DNS servers than supported.
Change-Id: I0893649176126b46fc493d353e32fba38226dd8e
Pierre Imai [Mon, 30 May 2016 07:42:34 +0000 (16:42 +0900)]
Do not configure more DNS servers than supported.
BUG: 28984564
Change-Id: I1b580d725f0aafe887db894e19971cc29adf8951
Pierre Imai [Fri, 27 May 2016 06:51:55 +0000 (15:51 +0900)]
Silence spammy iptables rule at boot.
BUG: 28529315
Change-Id: I4818b3833464502a44d9cdb92e3c59802882397b
Erik Kline [Thu, 26 May 2016 14:40:14 +0000 (14:40 +0000)]
Update wlutil path
am: bdcba1127a
* commit 'bdcba1127a8709566fdec49bc303234e0e8ee924':
Update wlutil path
Change-Id: Ieb82f51d47c33d10b32400e007322d35dc423b61
Erik Kline [Thu, 26 May 2016 08:00:31 +0000 (17:00 +0900)]
Update wlutil path
The path to wlutil changed to /system/vendor/xbin with ag/893600.
Bug: 28850734
Change-Id: I101517e7d849c288cbe9877e874b8d7914fbc1e9
Robin Lee [Tue, 17 May 2016 16:26:07 +0000 (16:26 +0000)]
Merge "Drop PROHIBIT_NON_VPN priority 11500 -> 12500" into nyc-dev
am: 5bbe13bdc4
* commit '5bbe13bdc4470d0af2786fc62ad40a8ba8ff5830':
Drop PROHIBIT_NON_VPN priority 11500 -> 12500
Change-Id: I22e4e178b25d579eabde255da1d5b1a6c954556d
Robin Lee [Tue, 17 May 2016 16:19:40 +0000 (16:19 +0000)]
Merge "Drop PROHIBIT_NON_VPN priority 11500 -> 12500" into nyc-dev
Lorenzo Colitti [Mon, 16 May 2016 14:09:21 +0000 (14:09 +0000)]
Merge changes Ifbd15bf9,I985e6861,I54860c7c into nyc-dev
am: 7ad3c888e2
* commit '7ad3c888e2781321cf44cb101cdf180a9671ca1e':
Make FirewallController::createChain use replaceUidChain.
Make firewallReplaceUidChain match the behaviour of createChain.
Don't crash the test if expecting more commands than were run.
Change-Id: Ib9dac62413187fc9b4978dfe14b7d29dbf328328
Lorenzo Colitti [Mon, 16 May 2016 14:02:00 +0000 (14:02 +0000)]
Merge changes Ifbd15bf9,I985e6861,I54860c7c into nyc-dev
* changes:
Make FirewallController::createChain use replaceUidChain.
Make firewallReplaceUidChain match the behaviour of createChain.
Don't crash the test if expecting more commands than were run.
Lorenzo Colitti [Fri, 13 May 2016 08:03:42 +0000 (17:03 +0900)]
Make FirewallController::createChain use replaceUidChain.
This has two benefits:
1. It makes the behaviour of setting firewall chains via the
firewallReplaceUidChain RPC match the behaviour of creating
the chains on boot. (As a side effect, it reduces code
duplication between the two.)
2. It makes creating firewall chains on boot use iptables-restore,
which is substantially faster than running iptables commands
one at a time.
This CL will allow the framework to switch to using
firewallReplaceUidChain when the framework starts, providing
substantial speedups over the current behaviour of running two
iptables commands for every app that is whitelisted or idle.
Bug: 26675191
Change-Id: Ifbd15bf9143efd526570dde8f88effc79d164630
Lorenzo Colitti [Fri, 13 May 2016 02:25:54 +0000 (11:25 +0900)]
Make firewallReplaceUidChain match the behaviour of createChain.
The behaviour of the firewallReplaceUidChain was incorrect in
several ways:
1. It was missing the "always allow TCP RST packets" rules which
were added in http://ag/963000.
2. It included a RETURN statement at the end of blacklist chains,
which is superfluous since all user-defined chains implicitly
return, and became incorrect when http://ag/963000 switched the
behaviour of blacklist chains from inserting new rules at the
beginning to appending them at the end.
3. It was missing the rules to allow the types of ICMPv6 packets
that are critical in maintaining connectivity.
By itself, this change is a no-op since nothing currently calls
firewallReplaceUidRule.
Bug: 26675191
Change-Id: I985e6861812908cbe7eaf0f54ca0ad39c22bbfeb
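The two commits above describe what a correctly built per-UID firewall chain contains when it is loaded through iptables-restore: a rule that always lets TCP RSTs through, the ICMPv6 types that connectivity depends on, then the UID rules, with no superfluous trailing RETURN on a blacklist chain. The following is an added example, not netd's FirewallController: it produces iptables-restore text for a whitelist or blacklist chain. The chain names, the `0-9999` system-UID range, the exact ICMPv6 type list and the restore syntax are assumptions for this illustration; they are not taken from the page.

```cpp
// Added example, not part of netd. Generates iptables-restore / ip6tables-restore
// input that atomically replaces one per-UID firewall chain.
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

enum class ChainType { WHITELIST, BLACKLIST };

// ICMPv6 types assumed here to be required for keeping IPv6 connectivity alive.
static const char* const kIcmpv6Types[] = {
    "packet-too-big", "router-solicitation", "router-advertisement",
    "neighbour-solicitation", "neighbour-advertisement", "redirect",
};

// Returns the restore script for IPv4 (v6=false) or IPv6 (v6=true).
std::string replaceUidChainCommands(const std::string& chain, ChainType type,
                                    const std::vector<uint32_t>& uids, bool v6) {
    std::ostringstream out;
    out << "*filter\n";
    out << ":" << chain << " -\n";   // ':name -' flushes and (re)creates a user-defined chain
    // Always let TCP RSTs through so that a peer closing a connection is seen by the app
    // instead of the connection hanging until it times out.
    out << "-A " << chain << " -p tcp --tcp-flags RST RST -j RETURN\n";
    if (v6) {
        for (const char* t : kIcmpv6Types) {
            out << "-A " << chain << " -p icmpv6 --icmpv6-type " << t << " -j RETURN\n";
        }
    }
    if (type == ChainType::WHITELIST) {
        // System UIDs pass, listed UIDs pass, everything else is dropped.
        out << "-A " << chain << " -m owner --uid-owner 0-9999 -j RETURN\n";
        for (uint32_t uid : uids) {
            out << "-A " << chain << " -m owner --uid-owner " << uid << " -j RETURN\n";
        }
        out << "-A " << chain << " -j DROP\n";
    } else {
        // Listed UIDs are dropped. No trailing RETURN: a user-defined chain returns
        // implicitly when its last rule does not match.
        for (uint32_t uid : uids) {
            out << "-A " << chain << " -m owner --uid-owner " << uid << " -j DROP\n";
        }
    }
    out << "COMMIT\n";
    return out.str();
}

// Number of lines in `text` that contain `needle`; used to check the generated script.
int countLines(const std::string& text, const std::string& needle) {
    int n = 0;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        if (line.find(needle) != std::string::npos) ++n;
    }
    return n;
}

int main() {
    // Constructed inputs: two allowed app UIDs for a whitelist chain, one blocked UID for a blacklist chain.
    std::fputs(replaceUidChainCommands("fw_dozable", ChainType::WHITELIST, {10001, 10042}, false).c_str(), stdout);
    std::fputs(replaceUidChainCommands("fw_standby", ChainType::BLACKLIST, {10001}, true).c_str(), stdout);
    return 0;
}
```

The whole chain is rebuilt in one restore transaction, so there is no window where the chain is half-populated, and the RST and ICMPv6 rules sit before any DROP so they apply to both chain types.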
Lorenzo Colitti [Fri, 13 May 2016 07:57:15 +0000 (16:57 +0900)]
Don't crash the test if expecting more commands than were run.
Bug: 26675191
Change-Id: I54860c7cf7b79bb6ace89c3130467ba7c0473e03
Pierre Imai [Mon, 16 May 2016 09:07:26 +0000 (09:07 +0000)]
Merge "Fix P2TP VPNs by adding an exception for VPN user." into nyc-dev
am: 4f88299120
* commit '4f88299120b076dc068a67cf0f0343660a2777fa':
Fix P2TP VPNs by adding an exception for VPN user.
Change-Id: Ic8528dd6d589f08324ecbc69a4024086e9054a7f
TreeHugger Robot [Mon, 16 May 2016 09:02:17 +0000 (09:02 +0000)]
Merge "Fix P2TP VPNs by adding an exception for VPN user." into nyc-dev
Pierre Imai [Mon, 16 May 2016 07:32:17 +0000 (16:32 +0900)]
Fix P2TP VPNs by adding an exception for VPN user.
BUG: 27199751
Change-Id: I1144228febba0c4cce1333fb39ea186d2963ed10
Pierre Imai [Fri, 13 May 2016 09:00:58 +0000 (09:00 +0000)]
Increase the DNS TTL to 5s to fix netd_test.
am: f581017c79
* commit 'f581017c7945ee024a2757925ff82861b34a069c':
Increase the DNS TTL to 5s to fix netd_test.
Change-Id: Iffcb3527816269f1509df4f070d57742ee7a4f92
Pierre Imai [Fri, 13 May 2016 07:28:28 +0000 (16:28 +0900)]
Increase the DNS TTL to 5s to fix netd_test.
Under some rare, but repeatable, conditions, the cache would expire
before the second getaddrinfo() call in the test was executed, thus causing
superfluous queries that made the test fail. Increasing the TTL fixes
this.
BUG: 28252032
Change-Id: I82919c147ca9c1b7a92f963556b27fb72e3d2222
Pierre Imai [Thu, 12 May 2016 07:54:46 +0000 (07:54 +0000)]
Test that changing the DNS search paths works.
am: ee335ef233
* commit 'ee335ef2333aaa09290ed8cf4a65f8e6e8b21c46':
Test that changing the DNS search paths works.
Change-Id: I4c1bd059f3345e4442463352c178b8d7bd8d0680
Pierre Imai [Fri, 6 May 2016 02:56:45 +0000 (11:56 +0900)]
Test that changing the DNS search paths works.
Add a test to verify that changing the DNS search paths on their own,
without also changing the DNS servers, works as expected.
BUG: 28437641
Change-Id: Ie3b6be119f5d33c7782c250a83d24f26c776825e
(cherry picked from commit 592303cf22e1139ecb32fb7589abdc6bc6d14354)
Robin Lee [Tue, 3 May 2016 12:17:58 +0000 (13:17 +0100)]
Drop PROHIBIT_NON_VPN priority 11500 -> 12500
So that the rule can be kept up 100% of the time instead of dropping
it when VPN comes on.
Bug: 26694104
Change-Id: I1df6b8f588e54d72e34dbcbd15492513e07fac3d
Robin Lee [Mon, 2 May 2016 11:17:30 +0000 (11:17 +0000)]
Restore ACT_UNREACHABLE
am: c125fe43c1
* commit 'c125fe43c194128167db7a2a82b736b1357945d8':
Restore ACT_UNREACHABLE
Change-Id: Ibdc6df61ba87951cabb278250d9a646b27f42315
Robin Lee [Mon, 2 May 2016 07:53:34 +0000 (08:53 +0100)]
Restore ACT_UNREACHABLE
This got lost in between
I7d9752e86fa1a4564c622152a5be6ce2c1eda150 and
If23df0760c6eb0ad137fc26c5124e48edf23b722.
Which broke creating the UNREACHABLE network, also breaking the dummy
network which should be created after it.
Fix: 28304838
Change-Id: I31c4ca9c3f53d6162b50e5bc46e27cfcd1b6a314
Pierre Imai [Thu, 28 Apr 2016 13:39:12 +0000 (13:39 +0000)]
Add dumpsys support to ResolverController
am: 3a27207
* commit '3a272070fc318ef1a7a5a04e500483f1a7c629a8':
Add dumpsys support to ResolverController
Change-Id: I61b0352be471f6631cf5b400fdce447cbf1f6526
Pierre Imai [Thu, 28 Apr 2016 13:39:12 +0000 (13:39 +0000)]
Add two Netd binder calls to set/get resolver config.
am: beedec3
* commit 'beedec3bc42d6f40a2c83a65522e85b5ff046f79':
Add two Netd binder calls to set/get resolver config.
Change-Id: I32c2ee7d27207853a16ee110b712375d0446feb7
Pierre Imai [Tue, 19 Apr 2016 07:17:07 +0000 (16:17 +0900)]
Add dumpsys support to ResolverController
BUG: 25731675
Change-Id: I1c715368b1f2d5e732528cd226b3f69792b75321
Pierre Imai [Tue, 12 Apr 2016 21:44:51 +0000 (06:44 +0900)]
Add two Netd binder calls to set/get resolver config.
setResolverConfiguration() sets the name servers, search domains,
and resolver parameters.
getResolverInfo() returns the configured information and also the
statistics for each server.
Also includes tests for the new functionality.
BUG: 25731675
Change-Id: Idde486f36bb731f9edd240d62dc1795f8e621fe6
Lorenzo Colitti [Tue, 26 Apr 2016 09:01:56 +0000 (09:01 +0000)]
Allow TCP RSTs to make it through firewall rules.
am: 932c44c
* commit '932c44c9bd875060219df7f2ad78769e65adbaca':
Allow TCP RSTs to make it through firewall rules.
Change-Id: I34b136804e7eb1a4fb27314e51c4967de21da486
Lorenzo Colitti [Tue, 26 Apr 2016 09:01:55 +0000 (09:01 +0000)]
Add a binder IPC to close socket connections.
am: 563d98b
* commit '563d98b27d02a1d694fc4ed82b5554fd534c9daf':
Add a binder IPC to close socket connections.
Change-Id: Idb7e6cf83e6134d390c3e505973e245c7dc718de
Lorenzo Colitti [Sun, 24 Apr 2016 07:58:02 +0000 (16:58 +0900)]
Allow TCP RSTs to make it through firewall rules.
This allows us to cleanly close apps' TCP connections when we
remove their network connectivity.
Bug: 27824851
Change-Id: I69ae0e860536139d30d14d580a36c82f79dc2f82
Lorenzo Colitti [Sun, 24 Apr 2016 04:13:14 +0000 (13:13 +0900)]
Add a binder IPC to close socket connections.
Bug: 27824851
Bug: 27867653
Change-Id: I2e63ccfb268db763ec732594a73c2908838468b8
Robin Lee [Tue, 19 Apr 2016 19:40:30 +0000 (19:40 +0000)]
Server API to only allow networking by VPN apps
am: b808736
* commit 'b8087363143050d214d48e5620a330776ca95a69':
Server API to only allow networking by VPN apps
Change-Id: I2dd017089226356eda452d6cc246f6e9b3e3166f
Robin Lee [Tue, 19 Apr 2016 19:40:30 +0000 (19:40 +0000)]
Have modifyIpRule take an explicit action
am: 4ef9464
* commit '4ef94642636182e68495f606a65c00f8a830aad4':
Have modifyIpRule take an explicit action
Change-Id: I9836350a8042622ca440ffdc057d799de561f71f
Robin Lee [Tue, 19 Apr 2016 19:40:30 +0000 (19:40 +0000)]
Move UidRange aidl to create a native cpp version
am: 9f9aae9
* commit '9f9aae9102f62f5f96ccec670170ee1fb262ef09':
Move UidRange aidl to create a native cpp version
Change-Id: Idc705f22d3eeeb8de90a1133e42e05c184518e25
Robin Lee [Wed, 30 Mar 2016 17:43:08 +0000 (18:43 +0100)]
Server API to only allow networking by VPN apps
Secure virtual networks already create rules to route all traffic into
themselves. This depends on the secure network already existing.
API creates an ip rule at a priority level below SECURE_VPN which
can catch traffic before VPN comes up, if it is a requirement that no
traffic ever leaves without first going through VPN.
Bug: 26694104
Bug: 26354134
Change-Id: If23df0760c6eb0ad137fc26c5124e48edf23b722
Robin Lee [Fri, 1 Apr 2016 10:50:49 +0000 (11:50 +0100)]
Have modifyIpRule take an explicit action
Instead of inferring from the priority what the action should be.
Bug: 26694104
Change-Id: I7d9752e86fa1a4564c622152a5be6ce2c1eda150
Robin Lee [Wed, 30 Mar 2016 17:33:07 +0000 (18:33 +0100)]
Move UidRange aidl to create a native cpp version
Moved from:
//frameworks/base/core/java/android/net/
To:
//system/netd/binder
Since frameworks/base depends on netd but not vice versa, it is cleaner
to keep the internal aidl in the same place as the native implementation
in netd.
Bug: 26694104
Change-Id: If21a72978ad5b93f0eed04c75143b55157c1a014
Lorenzo Colitti [Tue, 12 Apr 2016 14:28:50 +0000 (23:28 +0900)]
Netd metrics logging for DNS queries
This CL defines a new IDnsEventListener interface and instruments
DnsProxyListener to send log events to it after every DNS query.
Bug: 28204408
Change-Id: I7ef09d8fac2a583fb3dc8e392c4fff5649258b28
Lorenzo Colitti [Fri, 15 Apr 2016 01:22:37 +0000 (10:22 +0900)]
Move the Stopwatch class to NetdConstants.
Also implement TimedOperation by subclassing Stopwatch, since
it essentially does the same thing.
Change-Id: I68febcf1caa8a00b548790f9e3ccc10836877639
TreeHugger Robot [Thu, 14 Apr 2016 09:55:18 +0000 (09:55 +0000)]
Merge "Kill sockets when a VPN comes up." into nyc-dev
Lorenzo Colitti [Wed, 13 Apr 2016 15:56:01 +0000 (00:56 +0900)]
Kill sockets when a VPN comes up.
1. Change the SockDiag callback function to be a filter that
returns a bool instead of a function that optionally kills a
socket. All existing callbacks basically only existed to kill
sockets under certain conditions, and making them return a
boolean allows reusing the same callback function signature
to filter sockets as well.
2. Add a new SockDiag method to kill sockets based on a UidRanges
object (which contains a number of UID ranges) and a list of
users to skip.
3. Add a new UIDRANGE mode to SockDiagTest to test the above.
4. When UID ranges are added or removed from the VPN, kill
sockets in those UID ranges unless the socket UIDs are in
mProtectableUsers and thus their creator might have set the
protect bit on their mark. Short of actually being
able to see the socket mark on each socket and basing our
decision on that, this is the best we can do.
Bug: 26976388
Change-Id: I53a30df3feb63254a6451a29fa6041c9b679f9bb
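Point 4 of the commit above is a filtering decision: when UID ranges are added to or removed from a VPN, destroy every socket whose owner is inside one of the ranges, except sockets owned by users in mProtectableUsers, because those owners may have set the protect bit on their mark and the mark is not visible to the filter. The following is an added example, not netd's SockDiag: it implements that decision as a predicate of the kind the commit describes (a callback returning bool) and runs it over a constructed socket table that includes a second Android user, whose app UIDs live at userId * 100000 + appId. UidRange, Sock and the sample data are assumptions for this illustration.

```cpp
// Added example, not part of netd. Decides which sockets to destroy when a VPN's
// UID ranges change, skipping users whose apps may have protected their sockets.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <set>
#include <vector>

struct UidRange { uint32_t start; uint32_t stop; };   // inclusive bounds (assumed layout)
struct Sock { int inode; uint32_t uid; };             // constructed stand-in for a sock_diag reply

// Filter callback: true when the socket should be destroyed.
// skipUids models mProtectableUsers; their sockets might carry the protect bit, and since
// the mark is not available here they are left alone rather than risk killing the VPN's own socket.
bool shouldDestroy(const Sock& s, const std::vector<UidRange>& ranges,
                   const std::set<uint32_t>& skipUids) {
    if (skipUids.count(s.uid) != 0) return false;
    return std::any_of(ranges.begin(), ranges.end(), [&](const UidRange& r) {
        return r.start <= s.uid && s.uid <= r.stop;
    });
}

// Applies the filter to a socket table and returns the inodes selected for SOCK_DESTROY.
std::vector<int> socketsToDestroy(const std::vector<Sock>& socks, const std::vector<UidRange>& ranges,
                                  const std::set<uint32_t>& skipUids) {
    std::vector<int> victims;
    for (const Sock& s : socks) {
        if (shouldDestroy(s, ranges, skipUids)) victims.push_back(s.inode);
    }
    return victims;
}

// Constructed sample: a system process, three apps of user 0, and an app of user 10.
std::vector<Sock> sampleSockets() {
    return {{1, 1000}, {2, 10005}, {3, 10042}, {4, 10200}, {5, 1010042}};
}

int main() {
    // Constructed VPN configuration: the VPN applies to all apps of users 0 and 10,
    // and UID 10042 is the VPN app itself, allowed to protect its sockets.
    const std::vector<UidRange> ranges = {{10000, 19999}, {1010000, 1019999}};
    const std::set<uint32_t> skip = {10042};
    for (int inode : socketsToDestroy(sampleSockets(), ranges, skip)) {
        std::printf("destroy socket inode %d\n", inode);
    }
    return 0;
}
```

The skip list is the practical limit the commit states: a socket whose mark is not visible cannot be told apart from a protected one, so the filter errs on the side of leaving the protectable user's sockets open.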
Pierre Imai [Tue, 12 Apr 2016 02:35:47 +0000 (02:35 +0000)]
Merge "Fix netd_test by removing flush cache call." into nyc-dev
Jon Larimer [Mon, 11 Apr 2016 16:43:41 +0000 (16:43 +0000)]
Merge "Workaround ASan false positive in RouteController." into nyc-dev
Pierre Imai [Fri, 8 Apr 2016 04:15:27 +0000 (13:15 +0900)]
Fix netd_test by removing flush cache call.
Change-Id: Iba3ff9da55cbc709d12b12b9c65dbc565bbd2828
Lorenzo Colitti [Fri, 8 Apr 2016 04:33:38 +0000 (13:33 +0900)]
Deduplicate test targets.
netd_integration_test already runs all the tests in netd_test.
Change-Id: I44c2ffaecded071a54af1c54c823856ffc6eb0cf