History log of /system/netd/SecondaryTableController.h
Revision Date Author Comments
f7635e290be7bf427736f3849981f12369dd5215 22-Mar-2014 Chad Brubaker <cbrubaker@google.com> Merge "Move VPN routing decisions from iptables to ip" into klp-dev
797ec7038c124b38a7559ab74b169b36ca4705ee 06-Feb-2014 Chad Brubaker <cbrubaker@google.com> Move VPN routing decisions from iptables to ip

Routes are now encoded by ip rules that send connections to the Vpn
table if the connection is marked and the destination falls into a
route. This differs from the previous design where a mark meant that
the connection must go over the VPN, now a mark simply means that it
may.
Bug: 12549060
Change-Id: I9be7e27a0f46858f109d8bc5c5bced309b05201a
/system/netd/SecondaryTableController.h
2a390120a9e90ec414d347921039ff98724d0dda 20-Feb-2014 Chad Brubaker <cbrubaker@google.com> Mark uids without rules with PROTECT_MARK

The default result for a uid without a mark should be MARK_PROTECT
because the service using the uid's mark may be covered by a VPN that
should not cover the user it is acting for.

Bug: 12608570
Change-Id: I2402cb86ddb2fe6e670d1793263ff6c2c31d32fe
/system/netd/SecondaryTableController.h
9440e7f994901ca123393844c95fe5caa6639a3b 21-Nov-2013 JP Abgrall <jpa@google.com> SecondaryTableController: force the MSS to match pmtu on TCP SYN

Without this change, the VPN sets up a tun/ppp that needs a small
MTU, and during TCP SYN the MSS will end up matching the outgoing iface
MTU which is potentially too big.
This leads to connection flakiness. The wrong MSS is visible by
tcpdump-ing on the tun/ppp device.

With this change, the MSS now is correct.
It requires the kernel to be configured with
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
If kernel is not configured, it silently fails.

Bug: 11579326
Change-Id: I254d8c39435b92dff91931e461e1efb8b35f6b1e
/system/netd/SecondaryTableController.h
2349aa60771baae85b1f5fc96e653ac2ef95034b 16-Jul-2013 Chad Brubaker <cbrubaker@google.com> Host exemption now handles premarked sockets

Host exemption now properly handles routing for sockets that were
already marked

Change-Id: I55d5c00754036a5ef49379170c37607d3e71a1e8
/system/netd/SecondaryTableController.h
da7df7c8f009f014486343cfbbaaae2a766f3a2b 11-Jul-2013 Chad Brubaker <cbrubaker@google.com> Add netd commands to get marks for routing

Add commands for fetching the mark associated with routing a uid and for
fetching the mark associated with avoiding the fwmark routing rules

Change-Id: I4accd1a9aecd91f6f0630eb1a5466a81e309eeac
/system/netd/SecondaryTableController.h
4a946095dad15548ae399665be111be9cb1d9aa6 10-Jul-2013 Chad Brubaker <cbrubaker@google.com> Add destination host exemption to VPN routing

requestRouteToHost requires the ability to punch holes in the VPN for
certain addresses, this adds support for this under mark based VPNs.

Change-Id: I9d890829048624d43c0f1efaec54563a860e850f
/system/netd/SecondaryTableController.h
2251c0fbcf24a9c8fd77b23851f60304087bab2b 28-Jun-2013 Chad Brubaker <cbrubaker@google.com> Add support for fwmark split tunneling

Packets are now only marked for fwmark if their destination is in one of
the routes for the target interface.

Change-Id: Ided4ad992c4cf957d77ae11fa62ac4843a8592c7
/system/netd/SecondaryTableController.h
d2617936acc15567fc5111bbdb4dde20845c3cba 22-Jun-2013 Chad Brubaker <cbrubaker@google.com> Add netd support for uid based routing for DNS

DNSProxyListener now supports bionic changes for marking DNS requests
for routing DNS requests with the uid routing rules

Change-Id: Iac9aa1bb14834be6da5e512405f23c6a72dc71ed
/system/netd/SecondaryTableController.h
8830b94cf4824e5a6c738d39d3015c8eec976352 12-Jun-2013 Chad Brubaker <cbrubaker@google.com> Make uid marking rule's API consistent

Make the netd binds for adding uid iptables mark rules consistent with
the other per uid range binds.

Change-Id: I97d1576f4ac11368bf6ede866229e456a2ed24da
/system/netd/SecondaryTableController.h
7a6ce4bed8569745798bcc26f51d6f306ebdba94 07-Jun-2013 Chad Brubaker <cbrubaker@google.com> Add netd support for marked packet forwarding

Add binds in netd for setting up fwmark rules to be used with the per
uid marking to do per uid routing.

Change-Id: Id4f315dd1aec73f074e233c2e3f70eb24b4c537a
/system/netd/SecondaryTableController.h
9a50889a22c1d93c9e1a14873cde8fc1508f66fd 01-Jun-2013 Chad Brubaker <cbrubaker@google.com> Add netd binds for UID based routing

Add methods for adding per uid mark rules to push all traffic from specific
uids to specific interfaces.
Allows for per uid routing for per uid VPNs.

Change-Id: I8492c668e2c96010b0f74ea7e367f0b4471238ad
/system/netd/SecondaryTableController.h
001f0a436e9fe0353dccd98ee34b91095d9ed1a1 31-Jan-2013 Rom Lemarchand <romlem@google.com> Replace system_nosh call with android_fork_execvp

Replace the system_nosh call with the android_fork_execvp from
liblogwrap.

Change-Id: Idfbc6bcf0bef16d4ee90d6af6bd4b07bc79913bb
/system/netd/SecondaryTableController.h
970274a61800e047430d81269df977de9dbe45ef 12-Sep-2012 Elliott Hughes <enh@google.com> Don't include <linux/...> header files directly.

These change from kernel release to release, and no longer contain some of
the stuff you need.

Change-Id: I3fc7176cf2246aebfc0aa2a833dfa04ea8d931fc
/system/netd/SecondaryTableController.h
d14fd4f83ffeea4ad1cd559a41f775f6814565cc 12-Jan-2012 Jaime A Lopez-Sollano <jaimel@quicinc.com> Increase the valid name of the iface to IFNAMSIZ

Define MAX_IFACE_LENGTH as IFNAMSIZ instead of 10, to
prevent netd from treating an interface name 'rmnet_sdio0'
as invalid.
Also fix an off-by-one error.

Change-Id: If6b2b27d2da6eb72f01c090cbe4f7dc2b9c296ae
/system/netd/SecondaryTableController.h
c462177bd58e3bf0ac4f618934dae060569e3e0b 31-Jan-2012 Robert Greenwalt <rgreenwalt@google.com> Keep better tabs on secondary tables.

We had some places (NatController) where routes were being set
but not accounted for in the number-of-routes tally so we
could end up thinking the table was empty and not clean up
after ourselves properly.

Also consolidated constants.

bug:5917475
Change-Id: I98a41d433e1d4b4ca6692fb2328e2c9afc828145
/system/netd/SecondaryTableController.h
063af322b48ab1bb0c3e09eb0b64915ba568275b 19-Nov-2011 Robert Greenwalt <rgreenwalt@google.com> Fix some syntax issues with IP command.

Was not building secondary tables properly. Also IPv6 host routes
were failing.

bug:5615697
Change-Id: I0d5ad2ed7d13e4d5bd8c2f8ce15fc0ccb36a4690
/system/netd/SecondaryTableController.h
fc97b82e02979f246d56a4bfd60e4aab8686d3f6 03-Nov-2011 Robert Greenwalt <rgreenwalt@google.com> Start using IP tool for advanced routing.

bug:5495862
bug:5396842
Change-Id: I51f21060947f57e63b18c4d35e9d49fac488d48a
/system/netd/SecondaryTableController.h