History log of /system/netd/server/RouteController.cpp
Revision Date Author Comments
4662e16686954dd3ca80938efe6650227877fe44 08-Sep-2017 Lorenzo Colitti <lorenzo@google.com> Invalidate dst caches when changing network permissions.

Bug: 64103722
Test: builds
Test: connected socket UDP traffic switches to wifi when cell goes into background
Change-Id: I22e618be40d61be6d5f56a6fc4e5a71e1606c2f8
/system/netd/server/RouteController.cpp
6bd4a48ed735c7fc5c1143bf0b2f06b8a2879e61 06-Sep-2017 Lorenzo Colitti <lorenzo@google.com> Don't allow seamless handover to networks requiring permissions.

Currently, implicitly-marked sockets continue to work when the
network changes permission. This makes it so that UDP sockets
connected on a foreground network will continue to work even if
the network moves into the background (e.g., when the linger
timer fires on cell data with mobile data always on).

Instead, make it so that sockets implicitly marked to a network
become unroutable when the network starts requiring permissions.
Explicitly-marked sockets will continue to be routed on the
network, as usual.

This is consistent with what we do for TCP: when a network
changes permissions, all implicitly-marked sockets on that
network are closed using SOCK_DESTROY.

This change should not affect any other behaviour because:

- Netd only ever implicitly marks sockets to the default network
  or to a bypassable VPN that applies to the caller.
- In both cases, at the time of marking, the network does not
  require permissions because:
  - VPNs don't support permissions.
  - The default network never requires any permissions:
    - ConnectivityService's mDefaultRequest specifies
      NOT_RESTRICTED.
    - The only case where a NOT_RESTRICTED network can require a
      permission is if it's a background network, and the default
      network is, by definition, never a background network.
- VPNs can't change permissions.
- If the network is still the default network, the lack of this
  implicit rule doesn't matter.

Therefore, the only case where this rule can alter routing is if
a socket is implicitly marked on the default network and that
network, after ceasing to be the default, changes permissions.

Bug: 64103722
Test: builds
Test: manually observed IP rules while changing network permissions
Change-Id: I255a9d216c50aa47bb951be9bd6cce59a12c6165
/system/netd/server/RouteController.cpp
d78843eb11fdde1611598fd27d347912070c0555 26-Mar-2017 Lorenzo Colitti <lorenzo@google.com> Clear incoming packet mark rules on netd startup.

Currently, we put the incoming packet mark rules directly into
the INPUT chain of the mangle table, which is not cleared on netd
start. Move these rules to their own chain. This makes them
consistent with all the other iptables rules and makes it easy to
clear them on startup using the existing mechanisms.

Bug: 28362720
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Test: watch -n1 "adb shell iptables -v -n -t mangle -L INPUT" while switching networks
Test: rules are cleared on netd restart
Change-Id: I9130f997a96dcfdfdfdd950520a76f8473b5f603
/system/netd/server/RouteController.cpp
22c24ebd283d6e8fb782b34975417308839d4ad7 10-Jan-2017 Lorenzo Colitti <lorenzo@google.com> Use new-style UID routing.

Kernel prebuilts for OC devices have been updated, so the legacy
attributes are not being used. Use the new attributes only. This
will ensure that devices aren't using the old code by mistake, as
any such devices will fail the VPN CTS tests.

(cherry picked from commit 882e467ff7b83de868fa0b9a9beb9036bf14aede)

Cherry-picking this to AOSP now that most external kernels have
been updated as well.

Bug: 16355602
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Test: has been running in internal master for several weeks.
Change-Id: I1c4e8c9281a843417a3a52294a1b7d3e6502bee6
/system/netd/server/RouteController.cpp
c1306ea230c95ef0268d4d20a213911799982671 26-Mar-2017 Lorenzo Colitti <lorenzo@google.com> Use iptables-restore to set the incoming packet mark rule.

This speeds up network switching because one rule needs to be
added/removed per interface.

Bug: 28362720
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Test: watch -n1 "adb shell iptables -v -n -t mangle -L INPUT" while switching networks
Change-Id: Ie536db6a50d018c88bb03c5f069965e99e0d162e
/system/netd/server/RouteController.cpp
60367db98fe9cca5b46210a5db8d8bfc638ce094 13-Feb-2017 Lorenzo Colitti <lorenzo@google.com> Add a test for RouteController.

Test: netd_{unit,integration}_test pass.
Change-Id: I19416fd8a79354303dabec042d090f7ae6962b1b
/system/netd/server/RouteController.cpp
f3e299a7c2a0136a84b58652b69e60a22bb0e708 14-Feb-2017 Lorenzo Colitti <lorenzo@google.com> Use our netlink code to flush routes as well.

Most of the CL is refactoring the rule flush code to be more
generic and move it and various callback definitions to
NetlinkCommands. After that, flushing routes is very simple.

Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Bug: 34873832
Change-Id: I0613d525f043d0a8b234a89982281b909011c7e5
/system/netd/server/RouteController.cpp
220ca739ad863fcd40c9ca107f6e0f68f7a45d14 14-Feb-2017 Lorenzo Colitti <lorenzo@google.com> Don't complain when deleting non-existent tethering rules.

clearTetheringRules ignores errors when deleting rules,
because tethering rules don't exist unless tethering was
enabled on the interface. sendNetlinkRequest shouldn't log an
error in this case, since the caller is ignoring that error.

Bug: 34873832
Test: bullhead builds, boots, spurious error messages gone
Change-Id: Ib327e8a3aecd3a38d624baa8bf320da87e6c4f7c
/system/netd/server/RouteController.cpp
bbcd81d2e5103bbf465d69c6d0f958d3e740dd6e 14-Feb-2017 Lorenzo Colitti <lorenzo@google.com> Don't call NetlinkCallbacks with nullptr on NLMSG_DONE.

No real callback uses this, and even the test code doesn't seem
to use it for anything useful.

Bug: 34873832
Test: bullhead builds, boots, rules flushed on netd restart
Test: netd_{unit,integration}_test pass
Change-Id: I195dd388864e9e596af9f4d08aee7b8ade078fb5
/system/netd/server/RouteController.cpp
219f328b7c2f99ef27f89206bdbf1260fa7ad2e4 10-Feb-2017 Lorenzo Colitti <lorenzo@google.com> Use netlink code to flush rules.

This removes two calls to /sbin/ip on netd startup, which saves
about 70ms. In the future we will be able to use this to flush
routes as well, which will provide similar time savings on every
network destroy operation.

Bug: 34873832
Test: bullhead builds, boots
Test: rules flushed correctly when netd is killed
Change-Id: I4875ac7fec1a92dc5fa2cb68f8fab2a903348c20
/system/netd/server/RouteController.cpp
1ef549de8a21612ab61861ff0035877a4b76184d 13-Feb-2017 Lorenzo Colitti <lorenzo@google.com> Move the netlink command code to a new NetlinkCommands file.

Test: bullhead builds, netd boots
Test: netd_{unit,integration}_test pass
Bug: 34873832
Change-Id: Ia6fcde63e1092a62cad1c5238bbb9a91a9f39080
/system/netd/server/RouteController.cpp
7035f228d17e925116b1b64a7c917b3196ab8818 13-Feb-2017 Lorenzo Colitti <lorenzo@google.com> Put most of netd into the android::net namespace.

Test: netd_{unit,integration}_test pass
Test: bullhead builds, boots
Bug: 34873832
Change-Id: I0a252328041b342f9c03cd08c11a69d452b045b3
/system/netd/server/RouteController.cpp
0b073fbc366ca9f5e7eaa0ae8072445404da88eb 09-Feb-2017 Lorenzo Colitti <lorenzo@google.com> Simplify and improve error logging in sendNetlinkRequest.

Bug: 32323979
Test: bullhead builds, boots, new error messages appear
Test: unit tests continue to pass
Change-Id: Ie60ed3a71fbd26b7a8a1d2f7fb8083b1b6b9626a
/system/netd/server/RouteController.cpp
2b078678aafceeefea6a70e96ab8ddefe515d027 16-Dec-2016 Lorenzo Colitti <lorenzo@google.com> Set both legacy and new UID routing attributes.

This should work on kernels that support either, as long as they
are older than 4.8.

Test: netd_integration_test passes with updated iproute and kernel
Test: netd_integration_test passes with existing iproute and kernel
Test: ConnectivityManagerTest and HostsideVpnTests pass on existing kernel
Test: ConnectivityManagerTest and HostsideVpnTests pass on updated kernel
Bug: 16355602
Change-Id: I9a2ef08ba2782587f43ea7d0609f5f07f6c3adb0
/system/netd/server/RouteController.cpp
dc0d578a69cc5a57167a508207e2198590142d51 20-Jul-2016 Robin Lee <rgl@google.com> UidRanges: use class instead of pair<uid_t, uid_t>

Reuse the UidRange that was introduced in 7.0 (NYC) to ease transition
from CommandListener to binder which supports this as a parcelable type.

There is a small difference in behaviour: UidRange uses signed int32_t
vs. uid_t being unsigned and potentially a different size. This should
not be a problem as all of the java-side code is converting from int.

Updating to use int64_t in future would be a large effort and involve
changing the java-side UidRange class to use longs, and not fixing the
native side would cause unit tests to fail, so it shouldn't be possible
to overlook if that happens.

Committing this early with an appropriately loud warning so that it can
get soak time over the next year.

Test: runtest -x netd_integration_test.cpp
Change-Id: I6c217b347724ba5bfe2df28d6142a4343cb06353
/system/netd/server/RouteController.cpp
5bbe13bdc4470d0af2786fc62ad40a8ba8ff5830 17-May-2016 Robin Lee <rgl@google.com> Merge "Drop PROHIBIT_NON_VPN priority 11500 -> 12500" into nyc-dev
6c84ef62d953eae93c36ffa831e9b451560afba0 03-May-2016 Robin Lee <rgl@google.com> Drop PROHIBIT_NON_VPN priority 11500 -> 12500

So that the rule can be kept up 100% of the time instead of dropping
it when VPN comes on.

Bug: 26694104
Change-Id: I1df6b8f588e54d72e34dbcbd15492513e07fac3d
/system/netd/server/RouteController.cpp
c125fe43c194128167db7a2a82b736b1357945d8 02-May-2016 Robin Lee <rgl@google.com> Restore ACT_UNREACHABLE

This got lost in between
I7d9752e86fa1a4564c622152a5be6ce2c1eda150 and
If23df0760c6eb0ad137fc26c5124e48edf23b722.

Which broke creating the UNREACHABLE network, also breaking the dummy
network which should be created after it.

Fix: 28304838
Change-Id: I31c4ca9c3f53d6162b50e5bc46e27cfcd1b6a314
/system/netd/server/RouteController.cpp
b8087363143050d214d48e5620a330776ca95a69 30-Mar-2016 Robin Lee <rgl@google.com> Server API to only allow networking by VPN apps

Secure virtual networks already create rules to route all traffic into
themselves. This depends on the secure network already existing.

API creates an ip rule at a priority level below SECURE_VPN which
can catch traffic before VPN comes up, if it is a requirement that no
traffic ever leaves without first going through VPN.

Bug: 26694104
Bug: 26354134
Change-Id: If23df0760c6eb0ad137fc26c5124e48edf23b722
/system/netd/server/RouteController.cpp
4ef94642636182e68495f606a65c00f8a830aad4 01-Apr-2016 Robin Lee <rgl@google.com> Have modifyIpRule take an explicit action

Instead of inferring from the priority what the action should be.

Bug: 26694104
Change-Id: I7d9752e86fa1a4564c622152a5be6ce2c1eda150
/system/netd/server/RouteController.cpp
f65122c81c824940ba93666d961c8d3fd76f3a9c 12-Feb-2016 Evgenii Stepanov <eugenis@google.com> Workaround ASan false positive in RouteController.

Bug: 27037723

Change-Id: I40e7f0d07652aeb6484de5f963a7698b6805d582
(cherry picked from commit dfde1d6c6c397e437adf937a1718784d9cb2c0cf)
/system/netd/server/RouteController.cpp
bbd5626b3d0994ff0ecbfceac75f6dc4abfb55c6 05-Dec-2015 Elliott Hughes <enh@google.com> Track rename from base/ to android-base/.

Change-Id: Ice6d43c0f9b16b8fb441158a0f7344dfbf969dea
/system/netd/server/RouteController.cpp
5407e14fd3d81bb76f94221b4a359faa2806de65 16-Mar-2015 Dan Albert <danalbert@google.com> Revert "Revert "Update for libbase.""

This reverts commit 4a0ab5ff4a87cfc4a987da99546b01e44875a2e5.

(cherry picked from commit 3e87c785434fdfed2fb00496cb391c411a426bdd)

Change-Id: I042f485f3cc84206766298853491ddd26dbba13f
/system/netd/server/RouteController.cpp
e298ded6ade9744f2a79cae045b5c324886262f4 16-Mar-2015 Nicolas Geoffray <ngeoffray@google.com> resolved conflicts for merge of 6066d418 to master

Change-Id: I2aa9721365e96c363648dd8e9e15718ed50e3c12
4a0ab5ff4a87cfc4a987da99546b01e44875a2e5 16-Mar-2015 Nicolas Geoffray <ngeoffray@google.com> Revert "Update for libbase."

Breaks internal master.

This reverts commit b67219a71d1d896bcb34c4a7a797824b88515b2c.

Change-Id: I43145f0724ad2d669b65d20b6fd6ccc44b8f0a4f
/system/netd/server/RouteController.cpp
a4614fe5bfaafd0ff6be60ddb6fd135f99f5a5a5 16-Mar-2015 Vinit Deshpande <vinitd@google.com> Merge remote-tracking branch 'goog/mirror-m-wireless-internal-release'

Change-Id: I51337014e2851f47dd5e183c4bfdf39bafa59942
b67219a71d1d896bcb34c4a7a797824b88515b2c 14-Mar-2015 Dan Albert <danalbert@google.com> Update for libbase.

StringPrintf and the string based file I/O are being moved to libbase.

Change-Id: I765d9e53f65a76d318d9d0d9503403fc092254d5
/system/netd/server/RouteController.cpp
6b6f25fa4c135d477bcaf0bb50305a5d9aee92e3 03-Mar-2015 Lorenzo Colitti <lorenzo@google.com> Flush tethering rules on interface remove.

Bug: 19500693
Change-Id: I25b7942784ec026d30c60273c9e13e34d082d25a
/system/netd/server/RouteController.cpp
57947f02c00bb03651e3f9427c880211c689db7f 27-Feb-2015 Lorenzo Colitti <lorenzo@google.com> Add oif rules that allow UID 0 to bypass the VPN.

This is needed for wifi calling so that the kernel (which does
not set marks) can tee packets towards the modem. It also fixes
things like not being able to reply to DHCP requests from
tethered clients when a VPN is up.

System apps can already bypass the VPN using explicit marks, so
allowing UID 0 to do so does not create additional bypass VPN
issues.

Bug: 19500693
Change-Id: Ie324026893637e9bd8e7aa65a37579569390e7b7
/system/netd/server/RouteController.cpp
5ad4e98f7b566ffde39491ee4e80d4a15507f053 26-Feb-2015 Lorenzo Colitti <lorenzo@google.com> Make the VPN rule apply only to originated, not forwarded, traffic.

Currently the VPN rule for the primary user will match every
forwarded packet on the system, because it specifies a UID range
that includes 0, and forwarded packets have UID 0.

Use "iif lo" to limit the rule match to locally-originated
traffic. This requires a kernel that sets the loopback ifindex
when originating packets. Anything based on 3.10 is fine, but
devices using 3.4 will need a one-line change for IPv6.

Bug: 19500693
Change-Id: Iaab88bed62716dc1cea33b45c4e258f6b3bfc9d0
/system/netd/server/RouteController.cpp
3667936aadcabddc708797ac38ce1ffb2f992cb3 25-Feb-2015 Lorenzo Colitti <lorenzo@google.com> Add a dummy network that discards all packets.

Bug: 19500693
Change-Id: Ic25f2d8c481f1528e887e43ca3fa868189582110
/system/netd/server/RouteController.cpp
bd37832f1843ed78f64604e5627cf952ac9614ba 04-Feb-2015 Elliott Hughes <enh@google.com> Switch writing to <utils/file.h>.

Change-Id: Idb2de24414f4dd8e926e625b62e4d12152dc4527
/system/netd/server/RouteController.cpp
53ea9cadf6cc5f8be1c16b5b6b660cd7366fd3f0 31-Jan-2015 Nick Kralevich <nnk@google.com> Avoid leaking file descriptors

Add O_CLOEXEC on open() calls, and SOCK_CLOEXEC on socket calls.
This avoids leaking file descriptors across execs.

Addresses the following SELinux denial:

audit(1422740213.283:8): avc: denied { read write } for pid=2597 comm="clatd" path="socket:[6709]" dev="sockfs" ino=6709 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket

and allows the removal of some other SELinux rules which were
inappropriately added because of leaking file descriptors.

Change-Id: I9c180488ea1969d610e488f967a7276a672bb477
/system/netd/server/RouteController.cpp
0321315d4e94dacd5ef2e0de217059cbc72d803d 30-Oct-2014 Sreeram Ramachandran <sreeram@google.com> Don't fail when trying to add routes that already exist.

Previously, we suppressed failures for the special case of
requestRouteToHost() being called multiple times. Turns out that other
parts of the system also try to add duplicate routes, so just suppress
EEXIST errors in general (as far as adding routes is concerned). For
example, this happens when the WiFi P2P DHCP client renews its lease
and blindly requests to add a route that it had already added before.

(cherry picked from commit 64166e7666e3cc7f4b9c715f2b4e19d28ae44c5a)

Bug: 17205769
Change-Id: I11d50052f616cb48a912d647b8024ccef01b736d
/system/netd/server/RouteController.cpp
aa1be2b3d24d99f3ccb98ff4fbb2a81b63587eff 06-Jan-2015 Dan Albert <danalbert@google.com> Fix missing errno.h includes after libc cleanup.

These issues hadn't been found yet because a libc++ header was
unconditionally pulling in errno.h. I've fixed the libc++ header now.

Change-Id: Ib096634cdd231fc75bf7548e4b99babc7442dc53
/system/netd/server/RouteController.cpp
64166e7666e3cc7f4b9c715f2b4e19d28ae44c5a 30-Oct-2014 Sreeram Ramachandran <sreeram@google.com> Don't fail when trying to add routes that already exist.

Previously, we suppressed failures for the special case of
requestRouteToHost() being called multiple times. Turns out that other
parts of the system also try to add duplicate routes, so just suppress
EEXIST errors in general (as far as adding routes is concerned). For
example, this happens when the WiFi P2P DHCP client renews its lease
and blindly requests to add a route that it had already added before.

Bug: 17205769
Change-Id: I3de557ddb82c95899623aa31b4b3ec7c955f5609
/system/netd/server/RouteController.cpp
4c95a125e0930c112555437589f7620575482095 18-Sep-2014 Lorenzo Colitti <lorenzo@google.com> Support manipulating throw routes.

We already supported unreachable routes. Throw routes are
necessary so we can exempt the VPN endpoint from being routed
through the VPN in legacy VPN modes that do not pass traffic
through a tun or ppp interface but just directly apply IPsec
transformations to outgoing packets.

Bug: 17462989
Change-Id: I8635472ca3e96ec2866af2de48e6260ab2da13fb
/system/netd/server/RouteController.cpp
99286fe1ef6fc325c28dd10b651b5adedd549495 12-Aug-2014 Lorenzo Colitti <lorenzo@google.com> Make destroying networks more robust.

1. Retry route flushes if they fail.
2. Make destroyNetwork ignore (but return) errors.

Bug: 16944962
Change-Id: I26301613437d7cc373ff64955fd44d716e9982b9
/system/netd/server/RouteController.cpp
db74dba7ccfe9e9504e0acd440a23fed96682842 29-Jul-2014 Lorenzo Colitti <lorenzo@google.com> Stop copying directly-connected routes to the main table, #2.

For a long time we have thought that copying directly-connected
routes to the main table was necessary to add gatewayed routes
to other routing tables. However, this is not necessary when the
directly-connected routes are properly created with "scope link"
as we do in http://ag/513100 .

Delete the copying code, but don't delete the rule that looks up
the main table or the code that dumps it. The main table is used
for things like cell networking, because the RIL emulates cell
networks, which are actually point-to-point, as directly
connected broadcast subnets (e.g., a /30 or a /27) with a fake
default gateway. The directly-connected route that covers the
fake default gateway is implicitly created by adding the IP
address, but it's in the main table, so we can't add the default
route without looking up the main table.

Change-Id: I93bd4764ac75fdcc98fa4206c601524100d53fc3
/system/netd/server/RouteController.cpp
a2c230520be5fdafce8bbc0b6ee52262f981f75a 29-Jul-2014 Lorenzo Colitti <lorenzo@google.com> Revert "Stop copying directly-connected routes to the main table."

This reverts commit 2f5ea0e99e9a436cd43901b1772b77a410a62f8d.

Change-Id: I1fe1df0249714cb650a34fae56476236ac0108e3
/system/netd/server/RouteController.cpp
2f5ea0e99e9a436cd43901b1772b77a410a62f8d 29-Jul-2014 Lorenzo Colitti <lorenzo@google.com> Stop copying directly-connected routes to the main table.

For a long time we have thought that copying directly-connected
routes to the main table was necessary to add gatewayed routes
to other routing tables. However, this is not necessary when the
directly-connected routes are properly created with "scope link"
as we do in http://ag/513100 .

Delete the copying code, but keep dumping the main table in
bugreports, so we can see if third-party code such as RIL
daemons is putting anything in it.

Change-Id: Iddd531daaf9881ffd82f0a4b4f6cc857ce8788fd
/system/netd/server/RouteController.cpp
2bff72e0cf091f4d71af0c81cfc74e8ebd8c6644 18-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Add "scope link" when adding routes without a nexthop.

This is consistent with what /sbin/ip does, and it makes
recursive lookups on secondary tables work even when the main
table is empty.

This was originally proposed by Sreeram as http://ag/506456 to
fix a VPN issue, but then abandoned because it did not fix that
particular problem.

Bug: 16628572
Change-Id: I85753389c683ae2127b21af722463a35a33b60eb
/system/netd/server/RouteController.cpp
060d855a00cb94e8903fd1551c9bf040f42b57d1 28-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Merge "Prohibit address families by default unless a VPN explicitly allows them." into lmp-dev
de5d5df753dd35d852ac47a6174b06eacd0d5523 27-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Prohibit address families by default unless a VPN explicitly allows them.

Bug: 15972465
Change-Id: I3278d94536fefacc86390c1ba4231680f7be8589
/system/netd/server/RouteController.cpp
95684ba176a9fe5ea59207d7202e47fa12bbfdbe 23-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Implement support for bypassable VPNs.

Bypassable VPNs grab all traffic by default (just like secure VPNs), but:
+ They allow all apps to choose other networks using the multinetwork APIs.
If these other networks are insecure ("untrusted"), they will enforce that the
app holds the necessary permissions, such as CHANGE_NETWORK_STATE.
+ They support consistent routing. If an app has an existing connection over
some other network when the bypassable VPN comes up, it's not interrupted.

Bug: 15347374
Change-Id: Iaee9c6f6fa8103215738570d2b65d3fcf10343f3
/system/netd/server/RouteController.cpp
48e19b037e7e20674048ef76bf31ce65c741347c 23-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Implement the fallthrough rule to support split tunnel VPNs.

Change-Id: Ibc48caedb5954c6b12bfa553d978bab56c4b09aa
/system/netd/server/RouteController.cpp
111bec203e82bdc9fb2c27df7c232465dffeee5f 23-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Implement the rule to forward traffic to local networks via VPNs.

Change-Id: I4bffb2ce854a6fa7d4c0d35b97f123d91c6a84d6
/system/netd/server/RouteController.cpp
fa9f4dcd79dcfd24af276263159c5315abb06df6 23-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Cosmetic: Move some functions around to match rule priority order.

Change-Id: I81af639b66ac66272e0fae2d53119de1bfa12e69
/system/netd/server/RouteController.cpp
182a26ff95515179b1a7e62a806f90279cdcd9b3 23-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Remove the oif=iface clause when tethering.

The rule is meant to be "iif=inputIface => lookup <table_for_outputIface>", not
"iif=foo oif=bar => lookup <table_for_bar>" (the latter would never match
because packets coming in on the input interface will not have any output
interface binding).

Bug: 16242255
Change-Id: I98a2a8ab90765aee833134297b58d4f7a212036f
/system/netd/server/RouteController.cpp
b717e74df3571951890cf36ee8bd559501d7fdc4 19-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Flush routing rules and add an "unreachable" rule on Init().

Without the flush, rules accumulate duplicates when netd is restarted due to a
runtime restart. Nothing functionally wrong with having duplicates; it just
makes the output of "ip rule" look as though something went wrong in the system.

Time to add the unreachable rule, to suss out issues with corner cases. With the
flush, there's no longer a naked "from main" rule that we need to protect by
adding the unreachable rule. But it's a good idea to add the unreachable rule
anyway, in case somebody comes along and adds a rule below it later.

Change-Id: I975b2221868b7f5366bd7cf60937a82fb4b75913
/system/netd/server/RouteController.cpp
87475a1471373b72ffc9f81f17dfd7884723fa86 16-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Fix WiFi-Direct and Tethering.

A LocalNetwork object now always exists in the NetworkController, with a fixed
NetId that's guaranteed not to collide with NetIds created by the framework.

When routes are added on an interface tracked by the LocalNetwork, they are
added to a fixed "local_network" table.

When NAT is enabled, we add a special "iif -> oif" tethering rule.

Bug: 15413694
Bug: 15413741

Change-Id: I36effc438d5ac193a77174493bf196cb68a5b97a
/system/netd/server/RouteController.cpp
b31e085466c95e5e89de6e06ebc3547c85e98242 12-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Merge "Add default routing tables to rt_tables."
bb40d5198943df0e2a88514cbcd82a23a5b0cd97 11-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Add default routing tables to rt_tables.

This is so that these tables also get dumped by bugreport / dumpstate.

Change-Id: Ia5ed8a23911d7b34ba964934dec42849f4a73824
/system/netd/server/RouteController.cpp
6a773534e7f8541f221f27fb8063af079b1a5936 11-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Fix tethering in the case of a regular upstream connection.

Fixes tethering via Ethernet, Bluetooth and WiFi (hotspot).

Tethering when the upstream has a DUN-specific APN is likely still broken
(untested).

For now, assign a fixed NetId (a hack) until we can change the framework to
create a valid NetworkAgent and all that jazz.

Bug: 15968336
Bug: 14988803
Change-Id: Idcf4d492d9329a9c87913e27be6dd835a792bea2
/system/netd/server/RouteController.cpp
c7d804c1d22db40ac79fde46a032cd359e975f5b 09-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Cosmetic: Move constants into file scope.

Change-Id: Ic1398a5867693bb8f1e588e727869ec6a4574432
/system/netd/server/RouteController.cpp
4acd34a8e95b1191318216ebad409ec5e1b3d5f0 08-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Add symbolic table names for routing table numbers.

This makes the output from "ip rule" much more readable.

Companion changes are in AOSP.

Change-Id: I69deb1a64d5d6647470823405bf0cc55b24b22de
/system/netd/server/RouteController.cpp
e09b20aee85f1dfd8c18c3d8581ac875d939ba70 06-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Add full support for UIDs in VPNs.

Major:
+ Implement the functions mentioned in http://go/android-multinetwork-routing
correctly, including handling accept(), connect(), setNetworkForSocket()
and protect() and supporting functions like canUserSelectNetwork().
+ Eliminate the old code path of getting/setting UID ranges through
SecondaryTableController (which is currently unused) and mUidMap.

Minor:
+ Rename some methods/variables for clarity and consistency.
+ Moved some methods in .cpp files to match declaration order in the .h files.

Bug: 15409918
Change-Id: Ic6ce3646c58cf645db0d9a53cbeefdd7ffafff93
/system/netd/server/RouteController.cpp
5009d5ef3fbcdc69d772b528fd22184b7d605afa 03-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Update routing rules.

As per the latest changes to: http://go/android-multinetwork-routing

Functional changes:
+ Add explicit=NO to the implicit network rules, though it's a no-op.
+ Remove most of the UID=0 (kernel access) rules since they are no longer
needed, except in one case to allow access to a VPN.
+ Add the explicit, protect and permissions bits to the incoming packet mark.
+ VPNs now don't need an implicit network rule.
+ Modifying network permissions now modifies the incoming packet mark as well.

Cosmetic changes:
+ Renamed the legacy tables to match their permissions (SYSTEM and NETWORK).
+ Renamed most functions and methods for clarity and consistency.
+ Renamed and adjusted some rule priorities.
+ Move most rule modifications into their own functions, to prevent brittle
reliance on the previous state of the fwmark/mask variables.

Change-Id: I958a7e158ee918d5254de606fcfa55fe23327438
/system/netd/server/RouteController.cpp
ed4bd1f7d219f9f5f56763ea02cf4947e78397f6 05-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Fix permissions handling.

+ Rename the permissions as per: http://go/android-multinetwork-routing
+ Make the SYSTEM permission explicitly include NETWORK.
+ Grant the SYSTEM permission to system UIDs by default, but allow the framework
to override them if necessary.
+ Move the "string to permission" parsing to CommandListener.cpp, thus allowing
us to get rid of Permission.cpp.
+ There's no need to support multiple permissions string arguments, so tighten
that up.

Change-Id: I73d51b5e2f44a97e6d5ab5943ff198cebfbcc0c4
/system/netd/server/RouteController.cpp
72999d6cfc1df23cd911b85730f1f532fb62bed4 03-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Fix regressions in flushRoutes().

http://ag/486276 left out a comma, causing the command to be "routeflush" (which
is invalid), instead of the correct "route flush".

http://ag/495068 changed the order, causing the interface to be removed from the
interfaceToIndex map before we are done using it in modifyPerNetworkRules().

Change-Id: I65af0b5763b13e47b48e7e2b81d243dc19e1a03b
/system/netd/server/RouteController.cpp
eb27b7ec10faf47a93fbc2863092cc667b05e252 01-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Fix routing rules.

Fix the rules in RouteController as per the latest iteration of the routing
design: http://go/android-multinetwork-routing. Changes include:

+ The legacy tables have to be global. So remove the UID being passed in to
modifyRoute() and remove the associated TODOs.

+ Add UID=0 rules to let the kernel access routes on privileged networks.

+ Add a UID=0 clause to the directly-connected hack, thus fixing the TODO.

+ Add the privileged_legacy table just above the legacy table, when overriding
the default network. (The same table remains added at the top of the rule
chain, to override VPNs, but only for CONNECTIVITY_INTERNAL-privileged apps).

Other cosmetic changes:
+ Update the names and values of the rule priorities.
+ Move the legacy table IDs to the .h file in anticipation of using them from
bugreport / dump commands.
+ Make 'action' the first parameter consistently.

Change-Id: I6634a19ddc8062b2ef55d926c7892fff8c586106
/system/netd/server/RouteController.cpp
cf891383224e420d99996f7e63728a7cc902415e 02-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Don't use %zu for uid_t. It's always unsigned int, so %u is correct.

Change-Id: I5be1d479b524495037c2aedc8336c794d2698914
/system/netd/server/RouteController.cpp
1201e84ebda52d8d82e5385644e9de0923e61aa3 02-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Use %zu to printf size_t correctly on both 32-bit and 64-bit platforms.

Change-Id: I5223e574084fca47606b844d74a99a642c7d66be
/system/netd/server/RouteController.cpp
b1425cc09f8a29350520db0d4f489331df5a689b 24-Jun-2014 Sreeram Ramachandran <sreeram@google.com> Add UID range support to VPNs.

This adds the necessary routing rules.

Future CLs will add the ability to select the right netId for connect(),
setNetworkForSocket(), DNS resolutions, etc.

Bug: 15409918
Change-Id: I88a67660d49cecda834dd72ab947fbfed250f09d
/system/netd/server/RouteController.cpp
4043f01f8e25f24246efadc710ad7440aab75529 23-Jun-2014 Sreeram Ramachandran <sreeram@google.com> Introduce VPN support.

This change sets up the basic routing rules for VPNs. It doesn't yet handle UID
ranges (that are meant to apply to the VPN) correctly. That's forthcoming in
other CLs.

Bug: 15409918
Change-Id: I284de04f176dcf6ba702361de6a614266256d04e
/system/netd/server/RouteController.cpp
f4f6c8de3f091be4b91a5a9d7f14e8882ec6d502 23-Jun-2014 Sreeram Ramachandran <sreeram@google.com> Refactor: Encapsulate permissions and interfaces into a Network class.

Currently, there's a lot of logic in NetworkController surrounding events such
as interface addition/removal, network creation/destruction and default network
change, because these events are intertwined. For example, adding an interface
means also adding a corresponding default network rule if the interface is being
added to the current default network.

When we introduce VPNs into this mix, things will get hairy real quick for all
this logic in NetworkController.

In this refactor, we introduce an abstract base class Network which supports
adding and removing interfaces. The main concrete implementation of this is
PhysicalNetwork, which allows setting permissions and "default network" state.

Since we've moved network permissions into the above class, and user permissions
into NetworkController, PermissionsController is unused and has been removed.

Also fix a few bugs in RouteController:
+ Use uidEnd correctly.
+ Check for all error cases in inet_pton.
+ Check the return value of android_fork_execvp() correctly.
+ The "return cmd1() && cmd2()" pattern is wrong. Rewrite that code.

Also (non-functional changes):
+ Remove instantiations of RouteController. It has static methods only.
+ Reorder some blocks in CommandListener so that the most frequent commands are
checked first.
+ Remove unused paramError() and clearNetworkPreference().
+ Change all return codes to int (negative errno) wherever applicable.
+ Add WARN_UNUSED_RESULT everywhere.
+ Cleanup some style in RouteController and NetworkController.
+ Use uid_t instead of unsigned for user IDs.
+ Add clearer log messages at the source of failures.
+ Add a check for when fwmark bits are set without corresponding mask bits.

Bug: 15409918

Change-Id: Ibba78b0850160f9f3d17d476f16331a6db0025d1
/system/netd/server/RouteController.cpp
1077d298655efa7755925e788d49a73e9db10afc 27-Jun-2014 Sreeram Ramachandran <sreeram@google.com> Don't fail when adding a duplicate legacy route.

This only affects calls to requestRouteToHost() by apps. We still fail if the
framework itself tries to add a non-legacy duplicate route, since the framework
should know better (we can consider relaxing that too in the future).

Bug: 15925532
Change-Id: I9ee434277e462d570f88e6fe63a096e5ae41eee9
/system/netd/server/RouteController.cpp
72723683be57b6d562dc96cde30cc33cc96b3e82 26-Jun-2014 Lorenzo Colitti <lorenzo@google.com> Convert rta_* and fra_* variable names to camelCase.

Change-Id: I0ca539ac4c54bb71b033f288fb4229afd71b7989
/system/netd/server/RouteController.cpp
5965651602fb8373b75b6ae2d59c6a4d753f2f49 24-Jun-2014 Lorenzo Colitti <lorenzo@google.com> Support adding and removing UID rules via netlink.

Change-Id: Idae13bceda869261689260759084b8d6ef1ff639
/system/netd/server/RouteController.cpp
96f261e8b28048b8cb48f5a4e81822c73bb813f4 23-Jun-2014 Lorenzo Colitti <lorenzo@google.com> Pass rule modification errors back to CommandListener.

Change-Id: If01334dccad8b6230648713a57fd58be180ac66b
/system/netd/server/RouteController.cpp
4753afd79e130d5f1c888f549c36b4da92dbe680 20-Jun-2014 Lorenzo Colitti <lorenzo@google.com> Use netlink to add/delete rules as well as routes.

Also change the indentation of the rtattrs used in modifyIpRoute
to make it easier to see what attributes are being used and in
what sequence.

This change does not yet pass the errors back to CommandListener;
that is done in the next change in the series.

Change-Id: Ib2e174386c63cb0647d838d9c7d731cd6df39c4f
/system/netd/server/RouteController.cpp
7f972fb1cd3c26af76779a7a3220b9cf5fb63a0a 25-Jun-2014 Sreeram Ramachandran <sreeram@google.com> Unrevert the 'revert the "talk to netlink directly" change.'

http://ag/486277 was reverted in http://ag/491263 and is being unreverted in
this change. The bug in the original CL was a typo ("interface" instead of the
desired "ifindex"), which is now fixed.

Bug: 15840054
Change-Id: If66987c74cc86e9ba4f7a35d36f0a39afe939a68
/system/netd/server/RouteController.cpp
ab359feb1a4d3a1898e32a7da47dcde3da4c1ed6 25-Jun-2014 Sreeram Ramachandran <sreeram@google.com> Temporarily revert the "talk to netlink directly" change.

The change being reverted is http://ag/486277. Instead, use /sbin/ip again. The
code to talk to netlink fails on volantis. I.e., instead of this:
$ ip route show table 1006
default via 100.110.191.254 dev wlan0
100.110.128.0/18 dev wlan0 scope link
we end up with this:
$ ip route show table 1006
default dev wlan0 proto static
100.110.128.0/18 dev wlan0 proto static
Notice the lack of the nexthop and the addition of "proto static". I think the
netlink message is somehow not properly aligned on volantis, causing the kernel
to misinterpret it.

Bug: 15840054
Change-Id: Ief60473e337410f7cb35890de0a5a74a21723a41
/system/netd/server/RouteController.cpp
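The two entries above (the revert and its unrevert) turn on how a route-add request is packed for rtnetlink. The following is an added example, not netd's code: it builds an RTM_NEWROUTE request with the kernel's NLMSG_ALIGN/RTA_ALIGN macros, walks the attributes back with RTA_OK/RTA_NEXT the way the kernel does (so a wrong length or an unaligned attribute is caught before sending), and returns the kernel's own errno from the NLMSG_ERROR ack, which is the error that shelling out to /sbin/ip discards. The addresses and table 1006 are taken from the commit message above; the interface index 4 and the helper names are assumptions for the example. Nothing touches the routing table unless send_route_msg() is called, which needs CAP_NET_ADMIN.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* One request: header, rtmsg, then rtattrs, each placed at an RTA_ALIGN'd offset. */
struct route_msg {
    struct nlmsghdr hdr;
    struct rtmsg rt;
    char attrs[256];
};

/* Append one attribute (iproute2's addattr_l pattern). Returns 0 on overflow. */
static int add_rtattr(struct route_msg *m, unsigned short type, const void *data, unsigned len) {
    unsigned need = RTA_LENGTH(len);
    unsigned tail = NLMSG_ALIGN(m->hdr.nlmsg_len);
    if (tail + RTA_ALIGN(need) > sizeof(*m)) return 0;
    struct rtattr *rta = (struct rtattr *)((char *)m + tail);
    rta->rta_type = type;
    rta->rta_len = need;
    memcpy(RTA_DATA(rta), data, len);
    m->hdr.nlmsg_len = tail + RTA_ALIGN(need);   /* next attribute starts aligned */
    return (int)m->hdr.nlmsg_len;
}

/* "ip route add <dst>/<prefix> [via <gw>] dev <ifindex> table <table>".
 * dst == NULL means the default route. Returns the message length, 0 on error. */
static int build_route_add(struct route_msg *m, int family, const char *dst, uint8_t prefix,
                           const char *gw, uint32_t ifindex, uint32_t table) {
    unsigned char addr[16];
    unsigned alen = family == AF_INET6 ? 16 : 4;
    memset(m, 0, sizeof(*m));
    m->hdr.nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
    m->hdr.nlmsg_type = RTM_NEWROUTE;
    m->hdr.nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL | NLM_F_ACK;
    m->rt.rtm_family = family;
    m->rt.rtm_dst_len = prefix;
    m->rt.rtm_table = RT_TABLE_UNSPEC;           /* ids > 255 (e.g. 1006) must go in RTA_TABLE */
    m->rt.rtm_protocol = RTPROT_STATIC;
    m->rt.rtm_scope = gw ? RT_SCOPE_UNIVERSE : RT_SCOPE_LINK;
    m->rt.rtm_type = RTN_UNICAST;
    if (dst) {                                   /* inet_pton: 1 ok, 0 bad text, -1 bad family */
        if (inet_pton(family, dst, addr) != 1) return 0;
        if (!add_rtattr(m, RTA_DST, addr, alen)) return 0;
    }
    if (gw) {
        if (inet_pton(family, gw, addr) != 1) return 0;
        if (!add_rtattr(m, RTA_GATEWAY, addr, alen)) return 0;
    }
    if (!add_rtattr(m, RTA_OIF, &ifindex, sizeof(ifindex))) return 0;  /* the ifindex, not a name */
    return add_rtattr(m, RTA_TABLE, &table, sizeof(table));
}

/* Walk the attributes with RTA_OK/RTA_NEXT, as the kernel does. */
static struct rtattr *find_rtattr(struct route_msg *m, unsigned short type) {
    struct rtattr *rta = RTM_RTA(&m->rt);
    int len = RTM_PAYLOAD(&m->hdr);
    for (; RTA_OK(rta, len); rta = RTA_NEXT(rta, len))
        if (rta->rta_type == type) return rta;
    return NULL;
}

/* True when the walk consumes the payload exactly; a wrong nlmsg_len or an
 * unaligned attribute leaves a remainder the kernel would reject or misread. */
static int route_msg_well_formed(struct route_msg *m) {
    if (m->hdr.nlmsg_len < NLMSG_LENGTH(sizeof(struct rtmsg)) || m->hdr.nlmsg_len > sizeof(*m))
        return 0;
    struct rtattr *rta = RTM_RTA(&m->rt);
    int len = RTM_PAYLOAD(&m->hdr);
    while (RTA_OK(rta, len)) rta = RTA_NEXT(rta, len);
    return len == 0;
}

static uint32_t rtattr_u32(struct route_msg *m, unsigned short type) {
    uint32_t v = 0;
    struct rtattr *rta = find_rtattr(m, type);
    if (rta && (size_t)RTA_PAYLOAD(rta) == sizeof(v)) memcpy(&v, RTA_DATA(rta), sizeof(v));
    return v;
}

/* Address attribute as text; "" when absent. */
static const char *rtattr_addr(struct route_msg *m, unsigned short type, char *buf, socklen_t buflen) {
    struct rtattr *rta = find_rtattr(m, type);
    buf[0] = '\0';
    if (rta) inet_ntop(m->rt.rtm_family, RTA_DATA(rta), buf, buflen);
    return buf;
}

/* Send the request; return 0 or the kernel's -errno from the NLMSG_ERROR ack. */
static int send_route_msg(struct route_msg *m) {
    char buf[512];
    int ret = -EPROTO;
    int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_ROUTE);
    if (sock < 0) return -errno;
    if (send(sock, m, m->hdr.nlmsg_len, 0) < 0) {
        ret = -errno;
    } else {
        ssize_t n = recv(sock, buf, sizeof(buf), 0);
        struct nlmsghdr *h = (struct nlmsghdr *)buf;
        if (n < 0) ret = -errno;
        else if (NLMSG_OK(h, (unsigned)n) && h->nlmsg_type == NLMSG_ERROR)
            ret = ((struct nlmsgerr *)NLMSG_DATA(h))->error;   /* 0 = ack, else -errno */
    }
    close(sock);
    return ret;
}
```

Two points worth checking in code like this: RTA_OIF carries the numeric interface index, which is exactly the "interface" versus "ifindex" mix-up the unrevert entry names as the real bug, and the table id is sent as RTA_TABLE because rtm_table is a single byte and cannot hold netd's table numbers. Running send_route_msg() as root against table 1006 and then `ip route show table 1006` should print the nexthop line the revert entry expected.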
f7fc8eccb0a6a4fbca4cafdf53f5c167c8f1d755 17-Jun-2014 Lorenzo Colitti <lorenzo@google.com> Pass route add/delete errors back to CommandListener.

Change-Id: Id1d6d578963080e141f71bc1303801fc53bce40a
/system/netd/server/RouteController.cpp
ba25df989b48f36b784ad39307a49a4fd9c3fd66 17-Jun-2014 Lorenzo Colitti <lorenzo@google.com> Use native netlink code instead of /sbin/ip to manipulate routes

Shelling out to /sbin/ip is slow, and more importantly it does
not preserve the error messages returned by the kernel when
adding or deleting a route fails. Instead, use netlink directly.

This change does not yet pass the errors back to CommandListener;
that is done in the next change in the series.

Change-Id: I5ad3c8583580857be6386a620ff5c4f3872d685b
/system/netd/server/RouteController.cpp
357e5629bb4c745296ab40340ec8679372337155 17-Jun-2014 Lorenzo Colitti <lorenzo@google.com> Flush both IPv4 and IPv6 routes.

The current code unintentionally flushes only IPv4 routes
because it reuses a function that is normally used to add and
remove routes (where the IP version is implicitly specified by
the route to add or remove).

Instead of fixing the runIpRouteCommand function, add a new
flushIpRoutes function because runIpRouteCommand will be
replaced by a netlink implementation in an upcoming CL.

Change-Id: Ie96ae4124baca3edb8e0d0841e7abadb6b3ee9ab
/system/netd/server/RouteController.cpp
a561e121c724e9163b2e256e15eef660e3a326da 12-Jun-2014 Paul Jensen <pauljensen@google.com> Cache interface indices in case interfaces go away.

Without caching them netd will fail to remove rules and routes,
for example, when the Bluetooth reverse-tether interface ("bt-pan")
goes away.

bug:15407087

Change-Id: I99fcf00f9645a0b029455516a705b70110f62ff6
/system/netd/server/RouteController.cpp
ac19883dd50d5310d1fddf996ee227075a103ecb 31-May-2014 Sreeram Ramachandran <sreeram@google.com> Fix build.

Change-Id: If170e46ff92c6a972bc1c2d838b1ac0eea6e23de
/system/netd/server/RouteController.cpp
9a4c1128b274ee2a6ffab3d50d08aaf0bc2fb2ff 30-May-2014 Sreeram Ramachandran <sreeram@google.com> am 82eab785: Support legacy routes added by apps via ensureRouteToHost().

* commit '82eab785bd5cb2eff0a263f5b0dcde13e9139588':
Support legacy routes added by apps via ensureRouteToHost().
82eab785bd5cb2eff0a263f5b0dcde13e9139588 22-May-2014 Sreeram Ramachandran <sreeram@google.com> Support legacy routes added by apps via ensureRouteToHost().

This adds the routes to two fixed tables:
+ LEGACY, which has higher priority than other non-explicit lookup tables
(per-network and default network).
+ PRIVILEGED_LEGACY, available only to system apps and has higher priority than
VPNs (system apps are those with the CONNECTIVITY_INTERNAL permission).

This will be changed to per-UID tables once the kernel supports UID-based
routing, so that these legacy routes are scoped to each app and not global.

Also, fix a TODO: The framework (as of http://ag/471599) will not set the
gateway argument if it's actually a direct-connected route.

Change-Id: I0ee1ca89fdc859d75a89021ca8c1902811b1e4a9
(cherry picked from commit 38b7af1f2cb9579895465fabc37865f5dadcac25)
/system/netd/server/RouteController.cpp
56afacf838d24cf8e54d2cf0d8ab9182ab704125 29-May-2014 Sreeram Ramachandran <sreeram@google.com> Turn on C++11 and make all warnings into errors.

As a consequence:
+ Comment out the names of all unused parameters.
+ Remove all unused variables and functions.

In server/Android.mk, there are a couple of non-trivial changes:
+ Use libcxx instead of stlport. This is needed to fix a bunch of errors due to
specifying -std=c++11.
+ LOCAL_SHARED_LIBRARIES is sorted. Technically, the order in which libraries
are listed has an effect on linking, but nobody should be doing such brittle
things anyway.

Change-Id: I0aff5b745e04609da23144d0e8be4c5694321b8b
/system/netd/server/RouteController.cpp
38b7af1f2cb9579895465fabc37865f5dadcac25 22-May-2014 Sreeram Ramachandran <sreeram@google.com> Support legacy routes added by apps via ensureRouteToHost().

This adds the routes to two fixed tables:
+ LEGACY, which has higher priority than other non-explicit lookup tables
(per-network and default network).
+ PRIVILEGED_LEGACY, available only to system apps and has higher priority than
VPNs (system apps are those with the CONNECTIVITY_INTERNAL permission).

This will be changed to per-UID tables once the kernel supports UID-based
routing, so that these legacy routes are scoped to each app and not global.

Also, fix a TODO: The framework (as of http://ag/471599) will not set the
gateway argument if it's actually a direct-connected route.

Change-Id: I0ee1ca89fdc859d75a89021ca8c1902811b1e4a9
/system/netd/server/RouteController.cpp
72604075e74af459fb4637404fbf030422c6b6b6 21-May-2014 Sreeram Ramachandran <sreeram@google.com> Rework the determination of a "valid network".

+ isNetIdValid() doesn't make much sense. What we want is whether the netId has
actually been created (via createNetwork()).
+ It isn't an error to call deleteNetwork() or setDefaultNetwork() even when
there are no interfaces assigned to the network.
+ Secure all accesses to the maps in PermissionsController with locks; they are
called from many threads (CommandListener, DnsProxyListener and FwmarkServer).
+ Remove the redundant mIfaceNetidMap.
+ Minor cosmetic changes to things such as #includes and log messages.

Change-Id: Ieb154589b24f00ba8067eaaec4def3534aec4923
/system/netd/server/RouteController.cpp
f4cfad361175a7f9ccf4d41e76a9b289c3c3da22 21-May-2014 Sreeram Ramachandran <sreeram@google.com> Move netd_client into netd.

Change-Id: Ie4b6b303225c93f2448a503d6ea9cebb552cbad5
/system/netd/server/RouteController.cpp