3450b662e8adbff215aa05fdc3c8e3167819c672
26-Sep-2017
Lorenzo Colitti <lorenzo@google.com>

Allow connectivity-critical packets in data saver mode.

This makes IPv6 work on metered wifi networks. Without this:

1. We reject incoming RAs, so we lose connectivity when the RA parameters expire.
2. We reject incoming NAs, so we get NUD failures.

Bug: 66015813
Test: angler builds, boots
Test: netd_{unit,integration}_test pass
Test: CtsHostsideNetworkTests tests pass
Change-Id: I033040ef0b91c22035e29c636123cd41ab1967ec
Merged-In: I033040ef0b91c22035e29c636123cd41ab1967ec

/system/netd/server/FirewallController.h

1411d45669a31c2fad5c3bd1f67bad7c1808c173
17-Jul-2017
Lorenzo Colitti <lorenzo@google.com>

Convert last FirewallController command to iptables-restore.

This code currently has no callers, but it is the only remaining user of iptables in FirewallController. Move it to iptables-restore and delete support for iptables commands from the class.

Bug: 28362720
Test: unit tests pass
Test: adb shell ndc firewall set_interface_rule rmnet_data0 <allow|deny>
Change-Id: I0a934283ca4479f870139d1ecf90096ae59eb19d

/system/netd/server/FirewallController.h

15c6ad989fc6767ad930b91c1b4da0c24c36b640
10-Mar-2017
Robin Lee <rgl@google.com>

Remove unused CommandListener egress firewall cmds

These are gone from NetworkManagementService now

Test: grep -sHRIF 'set_egress_' master # no results
Test: make full -j30 # still builds
Bug: 33159037
Change-Id: If8e3bfe3aecbadc4ead9643f907b62c45fbb91a0

/system/netd/server/FirewallController.h

03b23fe8f8af40194572b3ce37f79bece35e092c
03-Feb-2017
Lorenzo Colitti <lorenzo@google.com>

Speed up FirewallController startup.

FirewallController::createChain runs iptables commands to remove the newly-created chain from fw_INPUT. This is not necessary, because createChain is only called from setupIptablesHooks, which is only called immediately after initIptablesRules, which clears fw_INPUT. So there is nothing to delete.

Removing these unnecessary commands speeds up netd startup by ~150ms.

Before:
02-03 18:51:40.075 492 492 I Netd : Setting up FirewallController hooks: 159.9ms

After:
02-03 18:45:22.005 489 489 I Netd : Setting up FirewallController hooks: 11.3ms

Bug: 34873832
Test: unit tests continue to pass
Change-Id: I651d96a71c98d6aba989927cd23036d5cc371dd7

/system/netd/server/FirewallController.h

f157caf303ab397b3d350b33c842f79902058d16
13-May-2016
Lorenzo Colitti <lorenzo@google.com>

Make firewallReplaceUidChain match the behaviour of createChain.

The behaviour of the firewallReplaceUidChain was incorrect in several ways:

1. It was missing the "always allow TCP RST packets" rules which were added in http://ag/963000.
2. It included a RETURN statement at the end of blacklist chains, which is superfluous since all user-defined chains implicitly return, and became incorrect when http://ag/963000 switched the behaviour of blacklist chains from inserting new rules at the beginning to appending them at the end.
3. It was missing the rules to allow the types of ICMPv6 packets that are critical in maintaining connectivity.

By itself, this change is a no-op since nothing currently calls firewallReplaceUidRule.

Bug: 26675191
Change-Id: I985e6861812908cbe7eaf0f54ca0ad39c22bbfeb

/system/netd/server/FirewallController.h

932c44c9bd875060219df7f2ad78769e65adbaca
24-Apr-2016
Lorenzo Colitti <lorenzo@google.com>

Allow TCP RSTs to make it through firewall rules.

This allows us to cleanly close apps' TCP connections when we remove their network connectivity.

Bug: 27824851
Change-Id: I69ae0e860536139d30d14d580a36c82f79dc2f82

/system/netd/server/FirewallController.h

0434d459827861734d1228736a426b14b01595ab
02-Mar-2016
Lorenzo Colitti <lorenzo@google.com>

Merge changes I2dc1a074,Ic83d8160,I246696c4 into nyc-dev

* changes:
  Move SockDiagTest into system/netd/server.
  Add an RPC to replace a UID firewall rule.
  Allow finer-grained locking, and use it in FirewallCmd.

89faa349525ad1110b6fa3f2149e6ef825c65662
26-Feb-2016
Lorenzo Colitti <lorenzo@google.com>

Add an RPC to replace a UID firewall rule.

Also add a binder_test that exercises binder RPCs to the real netd service running on the device.

Bug: 21725996
Bug: 27239233
Change-Id: Ic83d81605021a0578d6cd32f889290be61d76125

/system/netd/server/FirewallController.h

ddf2d5bc87fe6de7cae2b73a17dbaf35033565ca
26-Feb-2016
Lorenzo Colitti <lorenzo@google.com>

Allow finer-grained locking, and use it in FirewallCmd.

FirewallController is stateless and FirewallCmd does not access any other controllers, so it is safe not to take the big netd lock.

Bug: 27239233
Change-Id: I246696c4b17fa005c7d6b38ecd627747aa608831

/system/netd/server/FirewallController.h

3f62434145c43e85436b86ed9b95a550bbdf486b
11-Feb-2016
Felipe Leme <felipeal@google.com>

Created a firewall chain for power save mode.

When power-save mode was first implemented, there were no firewall rules on netd, so the solution was to make all network interfaces metered and re-use the bw_penalty_box chain.

This change removes that workaround by creating an explicit fw_powersave chain, whose behavior is similar to fw_dozable (in fact, it reuses some of its code); such a change not only makes network restrictions on power-save mode simpler, but it also allows optimizing how the restrict network rules are changed.

BUG: 27127112
Change-Id: I52aee49d80386594e3a52fea9667d580d2d944a1

/system/netd/server/FirewallController.h

c8683d7eb9bb95de2090431e8daaa45d92b45e38
01-Sep-2015
Lorenzo Colitti <lorenzo@google.com>

Don't break IPv6 connectivity when in doze mode.

Working IPv6 connectivity relies on the kernel being able to receive certain ICMPv6 packets (router advertisements, neighbour solicitations, neighbour advertisements) at all times. Allow these packets when in doze mode.

This is not necessary for IPv4 because in IPv4 these functions use ARP, which is invisible to iptables.

Bug: 23158230
Change-Id: I29ed77561db9688486cf58cd14ac3bce7fce4b40

/system/netd/server/FirewallController.h

1cdfa9adfa584029cb6d9ac13a2896786001b3a1
09-Jun-2015
Xiaohui Chen <xiaohuic@google.com>

netd: add two child chains to firewall

This is an attempt to speed up getting out of device idle. It groups uid firewall rules in these child chains so we can attach/detach a whole chain instead of individual uid rules.

BUG:21446713
Change-Id: I61dc7d14110e633c5994e466481b9cac633a7a4f

/system/netd/server/FirewallController.h

390e4ea8106f9e741bc80fb962aaee94d5b28cbb
26-Apr-2015
Amith Yamasani <yamasani@google.com>

Blacklist uids for network access

FirewallController can now be in blacklist mode (aka disabled) or whitelist mode (aka enabled). Some of the methods don't do anything when in blacklist mode.

Uid rules updated to allow dropping packets to uids that shouldn't get any network access, usually for idle apps.

Added a wait option to iptables calls to make sure it doesn't fail if there's contention. Fixes a flakiness I was seeing in removing rules.

Bug: 20066058
Change-Id: I815bcb45aa06d04020e902df8c67bb3894e98f40

/system/netd/server/FirewallController.h

f4cfad361175a7f9ccf4d41e76a9b289c3c3da22
21-May-2014
Sreeram Ramachandran <sreeram@google.com>

Move netd_client into netd.

Change-Id: Ie4b6b303225c93f2448a503d6ea9cebb552cbad5

/system/netd/server/FirewallController.h