Cross Reference: /system/netd/server/FirewallController.h

History log of /system/netd/server/FirewallController.h
Revision	Date	Author	Comments (<<< Hide modified files) (Show modified files >>>)
3450b662e8adbff215aa05fdc3c8e3167819c672	26-Sep-2017	Lorenzo Colitti <lorenzo@google.com>	Allow connectivity-critical packets in data saver mode. This makes IPv6 work on metered wifi networks. Without this: 1. We reject incoming RAs, so we lose connectivity when the RA parameters expire. 2. We reject incoming NAs, so we get NUD failures. Bug: 66015813 Test: angler builds, boots Test: netd_{unit,integration}_test pass Test: CtsHostsideNetworkTests tests pass Change-Id: I033040ef0b91c22035e29c636123cd41ab1967ec Merged-In: I033040ef0b91c22035e29c636123cd41ab1967ec /system/netd/server/FirewallController.h
1411d45669a31c2fad5c3bd1f67bad7c1808c173	17-Jul-2017	Lorenzo Colitti <lorenzo@google.com>	Convert last FirewallController command to iptables-restore. This code currently has no callers, but it is the only remaining user of iptables in FirewallController. Move it to iptables-restore and delete support for iptables commands from the class. Bug: 28362720 Test: unit tests pass Test: adb shell ndc firewall set_interface_rule rmnet_data0 <allow\|deny> Change-Id: I0a934283ca4479f870139d1ecf90096ae59eb19d /system/netd/server/FirewallController.h
15c6ad989fc6767ad930b91c1b4da0c24c36b640	10-Mar-2017	Robin Lee <rgl@google.com>	Remove unused CommandListener egress firewall cmds These are gone from NetworkManagementService now Test: grep -sHRIF 'set_egress_' master # no results Test: make full -j30 # still builds Bug: 33159037 Change-Id: If8e3bfe3aecbadc4ead9643f907b62c45fbb91a0 /system/netd/server/FirewallController.h
03b23fe8f8af40194572b3ce37f79bece35e092c	03-Feb-2017	Lorenzo Colitti <lorenzo@google.com>	Speed up FirewallController startup. FirewallController::createChain runs iptables commands to remove the newly-created chain from fw_INPUT. This is not necessary, because createChain is only called from setupIptablesHooks, which is only called immediately after initIptablesRules, which clears fw_INPUT. So there is nothing to delete. Removing these unnecessary commands speeds up netd startup by ~150ms. Before: 02-03 18:51:40.075 492 492 I Netd : Setting up FirewallController hooks: 159.9ms After: 02-03 18:45:22.005 489 489 I Netd : Setting up FirewallController hooks: 11.3ms Bug: 34873832 Test: unit tests continue to pass Change-Id: I651d96a71c98d6aba989927cd23036d5cc371dd7 /system/netd/server/FirewallController.h
f157caf303ab397b3d350b33c842f79902058d16	13-May-2016	Lorenzo Colitti <lorenzo@google.com>	Make firewallReplaceUidChain match the behaviour of createChain. The behaviour of the firewallReplaceUidChain was incorrect in several ways: 1. It was missing the "always allow TCP RST packets" rules which were added in http://ag/963000 . 2. It included a RETURN statement at the end of blacklist chains, which is superfluous since all user-defined chains implicitly return, and became incorrect when http://ag/963000 switched the behaviour of blacklist chains from inserting new rules at the beginning to appending them at the end. 3. It was missing the rules to allow the types of ICMPv6 packets that are critical in maintaining connectivity. By itself, this change is a no-op since nothing currently calls firewallReplaceUidRule. Bug: 26675191 Change-Id: I985e6861812908cbe7eaf0f54ca0ad39c22bbfeb /system/netd/server/FirewallController.h
932c44c9bd875060219df7f2ad78769e65adbaca	24-Apr-2016	Lorenzo Colitti <lorenzo@google.com>	Allow TCP RSTs to make it through firewall rules. This allows us to cleanly close apps' TCP connections when we remove their network connectivity. Bug: 27824851 Change-Id: I69ae0e860536139d30d14d580a36c82f79dc2f82 /system/netd/server/FirewallController.h
0434d459827861734d1228736a426b14b01595ab	02-Mar-2016	Lorenzo Colitti <lorenzo@google.com>	Merge changes I2dc1a074,Ic83d8160,I246696c4 into nyc-dev * changes: Move SockDiagTest into system/netd/server. Add an RPC to replace a UID firewall rule. Allow finer-grained locking, and use it in FirewallCmd.
89faa349525ad1110b6fa3f2149e6ef825c65662	26-Feb-2016	Lorenzo Colitti <lorenzo@google.com>	Add an RPC to replace a UID firewall rule. Also add a binder_test that exercises binder RPCs to the real netd service running on the device Bug: 21725996 Bug: 27239233 Change-Id: Ic83d81605021a0578d6cd32f889290be61d76125 /system/netd/server/FirewallController.h
ddf2d5bc87fe6de7cae2b73a17dbaf35033565ca	26-Feb-2016	Lorenzo Colitti <lorenzo@google.com>	Allow finer-grained locking, and use it in FirewallCmd. FirewallController is stateless and FirewallCmd does not access any other controllers, so it is safe not to take the big netd lock. Bug: 27239233 Change-Id: I246696c4b17fa005c7d6b38ecd627747aa608831 /system/netd/server/FirewallController.h
3f62434145c43e85436b86ed9b95a550bbdf486b	11-Feb-2016	Felipe Leme <felipeal@google.com>	Created a firewall chain for power save mode. When power-save mode was first implemented, there were no firewall rules on netd, so the solution was to make all network interface metered and re-use the bw_penalty_box chain. This change removes that workaround by creating a explicit fw_powersave chain, whose behavior is similar to fw_dozable (in fact, it reuses some of its code); such change not only makes network restrictions on power-save mode simpler, but it also allows to optimze how the restrict network rules are changed. BUG: 27127112 Change-Id: I52aee49d80386594e3a52fea9667d580d2d944a1 /system/netd/server/FirewallController.h
c8683d7eb9bb95de2090431e8daaa45d92b45e38	01-Sep-2015	Lorenzo Colitti <lorenzo@google.com>	Don't break IPv6 connectivity when in doze mode. Working IPv6 connectivity relies on the kernel being able to receive certain ICMPv6 packets (router advertisements, neighbour solicitations, neighbour advertisements) at all times. Allow these packets when in doze mode. This is not necessary for IPv4 because in IPv4 these functions use ARP, which is invisible to iptables. Bug: 23158230 Change-Id: I29ed77561db9688486cf58cd14ac3bce7fce4b40 /system/netd/server/FirewallController.h
1cdfa9adfa584029cb6d9ac13a2896786001b3a1	09-Jun-2015	Xiaohui Chen <xiaohuic@google.com>	netd: add two child chains to firewall This is an attempt to speed up getting out of device idle. It groups uid firewall rules in these child chains so we can attach/detach a whole chain instead of individual uid rules. BUG:21446713 Change-Id: I61dc7d14110e633c5994e466481b9cac633a7a4f /system/netd/server/FirewallController.h
390e4ea8106f9e741bc80fb962aaee94d5b28cbb	26-Apr-2015	Amith Yamasani <yamasani@google.com>	Blacklist uids for network access FirewallController can now be in blacklist mode (aka disabled) or whitelist mode (aka enabled). Some of the methods don't do anything when in blacklist mode. Uid rules updated to allow dropping packets to uids that shouldn't get any network access, usually for idle apps. Added a wait option to iptables calls to make sure it doesn't fail if there's contention. Fixes a flakiness I was seeing in removing rules. Bug: 20066058 Change-Id: I815bcb45aa06d04020e902df8c67bb3894e98f40 /system/netd/server/FirewallController.h
f4cfad361175a7f9ccf4d41e76a9b289c3c3da22	21-May-2014	Sreeram Ramachandran <sreeram@google.com>	Move netd_client into netd. Change-Id: Ie4b6b303225c93f2448a503d6ea9cebb552cbad5 /system/netd/server/FirewallController.h