3450b662e8adbff215aa05fdc3c8e3167819c672 |
|
26-Sep-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Allow connectivity-critical packets in data saver mode.

This makes IPv6 work on metered wifi networks. Without this:
1. We reject incoming RAs, so we lose connectivity when the RA parameters expire.
2. We reject incoming NAs, so we get NUD failures.

Bug: 66015813
Test: angler builds, boots
Test: netd_{unit,integration}_test pass
Test: CtsHostsideNetworkTests tests pass
Change-Id: I033040ef0b91c22035e29c636123cd41ab1967ec
Merged-In: I033040ef0b91c22035e29c636123cd41ab1967ec
/system/netd/server/FirewallController.cpp
|
1411d45669a31c2fad5c3bd1f67bad7c1808c173 |
|
17-Jul-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Convert last FirewallController command to iptables-restore.

This code currently has no callers, but it is the only remaining user of iptables in FirewallController. Move it to iptables-restore and delete support for iptables commands from the class.

Bug: 28362720
Test: unit tests pass
Test: adb shell ndc firewall set_interface_rule rmnet_data0 <allow|deny>
Change-Id: I0a934283ca4479f870139d1ecf90096ae59eb19d
/system/netd/server/FirewallController.cpp
|
d351bea99bc46011dae9291a7dc68efbf0979a12 |
|
16-Jul-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Convert {enable,disable}Firewall to iptables-restore

Bug: 28362720
Test: netd_{unit,integration}_test pass
Change-Id: I7c3ddf0812f40124ac83f36d3fd3a8c595ce5472
/system/netd/server/FirewallController.cpp
|
a1611964d39521e20d92f6622da6c06d3ce91fba |
|
26-Apr-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Move enableChildChains to iptables-restore.

This saves 100-200ms on boot.

(cherry picked from commit 0b64071d1326214b83e7dfb90701a4ee14ab6036)

Bug: 37641280
Test: marlin builds and boots
Test: new unit test passes
Test: netd_{unit,integration}_test pass
Test: fw_dozable added/removed from fw_INPUT/fw_OUTPUT on "adb shell dumpsys deviceidle <force-idle|unforce>"
Change-Id: Iaa8daba011cf187d07526b2b85f9e9aba83adf4f
Merged-In: Iabd2fa6ea260495feee3335b1605f3699b1722c5
/system/netd/server/FirewallController.cpp
|
8bcb1f449de2b72da578530f2c16698c22afc316 |
|
24-Apr-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Reorder the commands in whitelist chains.

Currently FirewallController::replaceUidChain uses the same layout when building whitelist and blacklist chains: first it writes the exception rules (e.g., system apps, RST packets, ICMPv6 packets, etc.), and then the UIDs in the chain.

This works, but it looks strange because, unlike blacklist chains, insertion into whitelist chains always happens at the front of the chain. Make whitelist chains start with the UIDs, so that when UIDs are added at the beginning, they are contiguous to the UIDs that are already there.

Bug: 32073253
Test: netd_{unit,integration}_test passes
Test: bullhead builds, boots
Test: fw_powersave chain looks sane
Change-Id: I8a0ac7a33604455171b56e1d503cfe028a37a062
/system/netd/server/FirewallController.cpp
|
a73576568ec540edc247f9bb7ef80f0301d8b71b |
|
24-Apr-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Use IptablesRestoreController for UID rule updates.

Bug: 32073253
Test: netd_{unit,integration}_test passes
Test: bullhead builds, boots
Test: fw_powersave chain correctly updated when updating battery optimization whitelist
Test: fw_powersave chain correctly updated when bringing apps into foreground
Change-Id: I964b7664718f353057047c66e69351169b5cf453
/system/netd/server/FirewallController.cpp
|
018e4a94bd38c09dc8d5cb678ec114de32203fa2 |
|
22-Apr-2017 |
Robin Lee <rgl@google.com> |
Merge "Remove unused CommandListener egress firewall cmds"
|
50b198a4656cf11d92339e6c4ec5dafa19dcf625 |
|
29-Mar-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Really always allow networking on loopback.

https://android-review.googlesource.com/#/c/294359/ attempted to allow networking on loopback, but actually does not do anything because no packet has both -i lo and -o lo: loopback packets have -i lo in INPUT and -o lo in OUTPUT.

Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Test: loopback traffic is matched by new "-i lo" and "-o lo" rules
Test: originated and received traffic is not matched by new rules
Bug: 34444781
Change-Id: I090cbeafce5bbdcf36a7aecaafbf832feddc06e1
/system/netd/server/FirewallController.cpp
|
15c6ad989fc6767ad930b91c1b4da0c24c36b640 |
|
10-Mar-2017 |
Robin Lee <rgl@google.com> |
Remove unused CommandListener egress firewall cmds

These are gone from NetworkManagementService now

Test: grep -sHRIF 'set_egress_' master # no results
Test: make full -j30 # still builds
Bug: 33159037
Change-Id: If8e3bfe3aecbadc4ead9643f907b62c45fbb91a0
/system/netd/server/FirewallController.cpp
|
03b23fe8f8af40194572b3ce37f79bece35e092c |
|
03-Feb-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Speed up FirewallController startup.

FirewallController::createChain runs iptables commands to remove the newly-created chain from fw_INPUT. This is not necessary, because createChain is only called from setupIptablesHooks, which is only called immediately after initIptablesRules, which clears fw_INPUT. So there is nothing to delete.

Removing these unnecessary commands speeds up netd startup by ~150ms.

Before:
02-03 18:51:40.075 492 492 I Netd : Setting up FirewallController hooks: 159.9ms

After:
02-03 18:45:22.005 489 489 I Netd : Setting up FirewallController hooks: 11.3ms

Bug: 34873832
Test: unit tests continue to pass
Change-Id: I651d96a71c98d6aba989927cd23036d5cc371dd7
/system/netd/server/FirewallController.cpp
|
238e81894de39fe7c5ed74f297c36a4798008247 |
|
26-Jul-2016 |
Lorenzo Colitti <lorenzo@google.com> |
Allow networking on loopback in doze, standby, and powersave.

Restricting networking on loopback is needlessly restrictive because it doesn't have substantial power impact.

Bug: 30186506
Change-Id: Ibe31aff7c43ae02821fdf4a00b600fb5f5f5bc30
/system/netd/server/FirewallController.cpp
|
62ffdb7549875bfb20a35b3e877099230e8dc8ac |
|
27-May-2016 |
Pierre Imai <imaipi@google.com> |
Silence spammy iptables rule at boot.

BUG: 28529315
Change-Id: I4818b3833464502a44d9cdb92e3c59802882397b
/system/netd/server/FirewallController.cpp
|
a55388e3f3dd726e470e195770649a2797d7e02f |
|
13-May-2016 |
Lorenzo Colitti <lorenzo@google.com> |
Make FirewallController::createChain use replaceUidChain.

This has two benefits:

1. It makes the behaviour of setting firewall chains via the firewallReplaceUidChain RPC match the behaviour of creating the chains on boot. (As a side effect, it reduces code duplication between the two.)
2. It makes creating firewall chains on boot use iptables-restore, which is substantially faster than running iptables commands one at a time.

This CL will allow the framework to switch to using firewallReplaceUidChain when the framework starts, providing substantial speedups over the current behaviour of running two iptables commands for every app that is whitelisted or idle.

Bug: 26675191
Change-Id: Ifbd15bf9143efd526570dde8f88effc79d164630
/system/netd/server/FirewallController.cpp
|
f157caf303ab397b3d350b33c842f79902058d16 |
|
13-May-2016 |
Lorenzo Colitti <lorenzo@google.com> |
Make firewallReplaceUidChain match the behaviour of createChain.

The behaviour of the firewallReplaceUidChain was incorrect in several ways:

1. It was missing the "always allow TCP RST packets" rules which were added in http://ag/963000 .
2. It included a RETURN statement at the end of blacklist chains, which is superfluous since all user-defined chains implicitly return, and became incorrect when http://ag/963000 switched the behaviour of blacklist chains from inserting new rules at the beginning to appending them at the end.
3. It was missing the rules to allow the types of ICMPv6 packets that are critical in maintaining connectivity.

By itself, this change is a no-op since nothing currently calls firewallReplaceUidChain.

Bug: 26675191
Change-Id: I985e6861812908cbe7eaf0f54ca0ad39c22bbfeb
/system/netd/server/FirewallController.cpp
|
932c44c9bd875060219df7f2ad78769e65adbaca |
|
24-Apr-2016 |
Lorenzo Colitti <lorenzo@google.com> |
Allow TCP RSTs to make it through firewall rules.

This allows us to cleanly close apps' TCP connections when we remove their network connectivity.

Bug: 27824851
Change-Id: I69ae0e860536139d30d14d580a36c82f79dc2f82
/system/netd/server/FirewallController.cpp
|
5ebbbd83bb204b916a60f68221fa9ea9506e5769 |
|
07-Mar-2016 |
Felipe Leme <felipeal@google.com> |
Whitelist system apps when using bw_happy_box.

BUG: 27506285
BUG: 26685616
Change-Id: I8352ebbab1778c85e0a1da79a0acede5aea144a1
/system/netd/server/FirewallController.cpp
|
0434d459827861734d1228736a426b14b01595ab |
|
02-Mar-2016 |
Lorenzo Colitti <lorenzo@google.com> |
Merge changes I2dc1a074,Ic83d8160,I246696c4 into nyc-dev

* changes:
  Move SockDiagTest into system/netd/server.
  Add an RPC to replace a UID firewall rule.
  Allow finer-grained locking, and use it in FirewallCmd.
|
89faa349525ad1110b6fa3f2149e6ef825c65662 |
|
26-Feb-2016 |
Lorenzo Colitti <lorenzo@google.com> |
Add an RPC to replace a UID firewall rule.

Also add a binder_test that exercises binder RPCs to the real netd service running on the device

Bug: 21725996
Bug: 27239233
Change-Id: Ic83d81605021a0578d6cd32f889290be61d76125
/system/netd/server/FirewallController.cpp
|
3f62434145c43e85436b86ed9b95a550bbdf486b |
|
11-Feb-2016 |
Felipe Leme <felipeal@google.com> |
Created a firewall chain for power save mode.

When power-save mode was first implemented, there were no firewall rules on netd, so the solution was to make all network interfaces metered and re-use the bw_penalty_box chain.

This change removes that workaround by creating an explicit fw_powersave chain, whose behavior is similar to fw_dozable (in fact, it reuses some of its code); such a change not only makes network restrictions on power-save mode simpler, but it also allows optimizing how the restricted-network rules are changed.

BUG: 27127112
Change-Id: I52aee49d80386594e3a52fea9667d580d2d944a1
/system/netd/server/FirewallController.cpp
|
c8683d7eb9bb95de2090431e8daaa45d92b45e38 |
|
01-Sep-2015 |
Lorenzo Colitti <lorenzo@google.com> |
Don't break IPv6 connectivity when in doze mode.

Working IPv6 connectivity relies on the kernel being able to receive certain ICMPv6 packets (router advertisements, neighbour solicitations, neighbour advertisements) at all times. Allow these packets when in doze mode.

This is not necessary for IPv4 because in IPv4 these functions use ARP, which is invisible to iptables.

Bug: 23158230
Change-Id: I29ed77561db9688486cf58cd14ac3bce7fce4b40
/system/netd/server/FirewallController.cpp
|
feb2b61d3010d52e530357116c3b22c6d77da3cf |
|
26-Jun-2015 |
Xiaohui Chen <xiaohuic@google.com> |
netd: add default fw white list for system uids

In uid firewall white list, we whitelist the system uid range by default to make sure system processes will always have network access.

BUG: 22094135
Change-Id: I8f472a98a9fd93591a2887982cec1458d7683613
/system/netd/server/FirewallController.cpp
|
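The entries above (reordering the whitelist chain, letting TCP RSTs through, the two loopback rules, the connectivity-critical ICMPv6 types, and the default system-UID whitelist) all describe the same artifact: a UID chain emitted as one iptables-restore script. The following is an added example written for this page, not code from FirewallController.cpp; the chain names, the 10000 system-UID ceiling and the exact ICMPv6 type list are assumptions.

```cpp
// Added example for this page (not FirewallController.cpp): build a UID
// firewall chain as one iptables-restore script, with the layout and the
// exception rules the commit messages above describe. Chain names, the
// system-UID ceiling and the ICMPv6 type list are assumptions.
#include <cstdint>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

enum class Target { V4, V6 };

// Assumption: UIDs below 10000 belong to the system and are always allowed.
constexpr int32_t kMaxSystemUid = 9999;

// ICMPv6 types the kernel must keep receiving or IPv6 silently dies:
// router/neighbour discovery and path-MTU signalling. IPv4 needs no
// equivalent because ARP never passes through iptables.
static const std::vector<std::string> kIcmpv6Types = {
    "packet-too-big",         "router-solicitation",     "router-advertisement",
    "neighbour-solicitation", "neighbour-advertisement", "redirect",
};

// Exceptions that apply regardless of UID. Loopback needs two rules: a
// packet has -i lo in INPUT or -o lo in OUTPUT, never both, so a single
// "-i lo -o lo" rule matches nothing.
static void appendExceptions(std::ostringstream& out, const std::string& chain, Target target) {
    out << "-A " << chain << " -i lo -j RETURN\n";
    out << "-A " << chain << " -o lo -j RETURN\n";
    // Let RSTs through so connections of a restricted app close cleanly.
    out << "-A " << chain << " -p tcp --tcp-flags RST RST -j RETURN\n";
    if (target == Target::V6) {
        for (const auto& type : kIcmpv6Types) {
            out << "-A " << chain << " -p icmpv6 --icmpv6-type " << type << " -j RETURN\n";
        }
    }
}

// Script that atomically replaces `chain`. Whitelist: UID rules first (later
// single-UID adds use -I, so they stay contiguous at the top), then the
// system-UID range and exceptions, then DROP. Blacklist: exceptions first,
// UID DROPs last (adds use -A); the chain ends with the implicit RETURN.
std::string makeUidChain(Target target, const std::string& chain, bool isWhitelist,
                         const std::vector<int32_t>& uids) {
    std::ostringstream out;
    out << "*filter\n:" << chain << " -\n";
    if (isWhitelist) {
        for (int32_t uid : uids) {
            out << "-A " << chain << " -m owner --uid-owner " << uid << " -j RETURN\n";
        }
        out << "-A " << chain << " -m owner --uid-owner 0-" << kMaxSystemUid << " -j RETURN\n";
        appendExceptions(out, chain, target);
        out << "-A " << chain << " -j DROP\n";
    } else {
        appendExceptions(out, chain, target);
        for (int32_t uid : uids) {
            out << "-A " << chain << " -m owner --uid-owner " << uid << " -j DROP\n";
        }
    }
    out << "COMMIT\n";
    return out.str();
}

// Incremental update once the chain exists: whitelist entries are inserted
// at the top (-I) so they sit with the other UID rules ahead of the DROP;
// blacklist entries are appended (-A). Removal deletes the identical rule.
std::string makeUidRuleUpdate(const std::string& chain, bool isWhitelist, int32_t uid, bool add) {
    const char* op = add ? (isWhitelist ? "-I" : "-A") : "-D";
    const char* jump = isWhitelist ? "RETURN" : "DROP";
    std::ostringstream out;
    out << "*filter\n" << op << ' ' << chain << " -m owner --uid-owner " << uid
        << " -j " << jump << "\nCOMMIT\n";
    return out.str();
}

// Splits a script into lines so callers can check rule order.
std::vector<std::string> splitLines(const std::string& script) {
    std::vector<std::string> lines;
    std::istringstream in(script);
    for (std::string line; std::getline(in, line);) lines.push_back(line);
    return lines;
}

int main() {
    std::cout << makeUidChain(Target::V6, "fw_powersave", true, {10001, 10042});
    std::cout << makeUidChain(Target::V4, "fw_dozable", false, {10001});
    std::cout << makeUidRuleUpdate("fw_powersave", true, 10077, true);
    return 0;
}
```

The example only builds the script text; it does not run iptables-restore or validate the rules against a kernel (stock iptables, for instance, accepts `-m owner` only in OUTPUT and POSTROUTING). The point to check when reviewing such a script is the ordering: in a whitelist chain every UID rule must precede the final DROP, and in a blacklist chain the RST and ICMPv6 exceptions must precede the UID DROPs, or a restricted app's connections can never be torn down cleanly.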
1cdfa9adfa584029cb6d9ac13a2896786001b3a1 |
|
09-Jun-2015 |
Xiaohui Chen <xiaohuic@google.com> |
netd: add two child chains to firewall

This is an attempt to speed up getting out of device idle. It groups uid firewall rules in these child chains so we can attach/detach a whole chain instead of individual uid rules.

BUG: 21446713
Change-Id: I61dc7d14110e633c5994e466481b9cac633a7a4f
/system/netd/server/FirewallController.cpp
|
390e4ea8106f9e741bc80fb962aaee94d5b28cbb |
|
26-Apr-2015 |
Amith Yamasani <yamasani@google.com> |
Blacklist uids for network access

FirewallController can now be in blacklist mode (aka disabled) or whitelist mode (aka enabled). Some of the methods don't do anything when in blacklist mode.

Uid rules updated to allow dropping packets to uids that shouldn't get any network access, usually for idle apps.

Added a wait option to iptables calls to make sure it doesn't fail if there's contention. Fixes a flakiness I was seeing in removing rules.

Bug: 20066058
Change-Id: I815bcb45aa06d04020e902df8c67bb3894e98f40
/system/netd/server/FirewallController.cpp
|
69261cb65186e27dfbdc1e3eec796437f9968ff9 |
|
20-Jun-2014 |
JP Abgrall <jpa@google.com> |
server: check interface names in RPC arguments for validity

This patch introduces a method isIfaceName that checks interface names from various RPCs for validity before e.g. using them as part of iptables arguments or in filenames.

All of these RPC calls can only be called from applications with at least the CONNECTIVITY_INTERNAL permission in recent Android versions, so the impact of the missing checks luckily isn't very high.

Orig-Author: Jann Horn <jann@thejh.net>
Change-Id: I80df8d745a3de99ad02d6649f0d10562c81f6b98
Signed-off-by: JP Abgrall <jpa@google.com>
/system/netd/server/FirewallController.cpp
|
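The entry above adds validation of interface names before they are spliced into iptables arguments or filenames. The following is an added example written for this page, not the isIfaceName() that netd ships; the 16-byte IFNAMSIZ limit, the allowed character set, and the -I/-D semantics of set_interface_rule are assumptions chosen to illustrate why the check matters.

```cpp
// Added example for this page (not netd's isIfaceName()): validate an
// interface name taken from an RPC argument before it is spliced into an
// iptables-restore script or a path. The chain names and the -I/-D
// semantics of set_interface_rule are assumptions.
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>

// IFNAMSIZ on Linux is 16 including the NUL, so a name has at most 15 characters.
constexpr std::size_t kIfNameSize = 16;

bool isIfaceName(const std::string& name) {
    if (name.empty() || name.size() >= kIfNameSize) return false;
    // Must start with a letter or digit: a leading '-' would be parsed as an
    // iptables option and a leading '.' could form ".." in a path.
    if (!std::isalnum(static_cast<unsigned char>(name[0]))) return false;
    for (char c : name) {
        unsigned char uc = static_cast<unsigned char>(c);
        // Allow alphanumerics plus '_', '-', ':' and '.'; this excludes
        // whitespace (argument splitting), '/' (path traversal), ';' and
        // newlines (which would smuggle an extra iptables-restore line).
        if (!std::isalnum(uc) && c != '_' && c != '-' && c != ':' && c != '.') return false;
    }
    return true;
}

// set_interface_rule <iface> <allow|deny> in whitelist mode: allow inserts
// RETURN rules for the interface into the firewall hooks, deny deletes them.
// Returns false and writes nothing if the name fails validation, so the raw
// argument never reaches the script.
bool makeInterfaceRule(const std::string& iface, bool allow, std::string* script) {
    if (!isIfaceName(iface)) return false;
    const std::string op = allow ? "-I" : "-D";
    *script = "*filter\n" + op + " fw_INPUT -i " + iface + " -j RETURN\n" +
              op + " fw_OUTPUT -o " + iface + " -j RETURN\nCOMMIT\n";
    return true;
}

int main() {
    // Constructed sample arguments: two real-looking names and three hostile ones.
    const char* samples[] = {"rmnet_data0", "wlan0", "-j", "eth0 -j ACCEPT", "../sys/class/net"};
    for (const char* s : samples) {
        std::string script;
        std::cout << '"' << s << "\": "
                  << (makeInterfaceRule(s, true, &script) ? "ok\n" + script : std::string("rejected\n"));
    }
    return 0;
}
```

An allow-list of characters is the right shape here: rejecting only the characters you have thought of (space, ';', '/') leaves every other iptables-restore metacharacter and path component for the next caller to discover. The length check matters independently of the character set, because the name is later copied into fixed-size kernel structures sized by IFNAMSIZ.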
f4cfad361175a7f9ccf4d41e76a9b289c3c3da22 |
|
21-May-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Move netd_client into netd.

Change-Id: Ie4b6b303225c93f2448a503d6ea9cebb552cbad5
/system/netd/server/FirewallController.cpp
|