| acbb6b7bbea17c5653929ee5224bd4f8e16c0f69 |
|
27-Apr-2018 |
Rubin Xu <rubinxu@google.com> |
Do not destroy socket when VPN interface address is still in use
Normally when an IP address is removed, all sockets associated with the
addresses are destroyed. This patchset changes this behavior such that
if the address in question is still being used by another interface that
belongs to the same underlying virtual network, the destroy operation is
skipped. This change is needed to support VPN seamless handover where the
VPN app will establish a second TUN interface (with different config)
before tearing down the existing interface. The intention is that during
this handover existing socket connections should not be disturbed. There
is a companion change in the framework side to make sure during such
handover, the VPN netId remains unchanged so routing still works.
Bug: 64692591
Test: cts-tradefed run commandAndExit cts-dev -m CtsHostsideNetworkTests -t com.android.cts.net.HostsideVpnTests
Test: system/netd/tests/runtests.sh
Change-Id: I02c6b0db5f15cd1aef3e3fa6f0c36e86b4f427fd
/system/netd/server/RouteController.cpp
|
| dcb11893d76effcd0fdea1efc44610d64ea40f12 |
|
14-Mar-2018 |
Lorenzo Colitti <lorenzo@google.com> |
Add "iif lo" to all IP rules for originated traffic.
This ensures that these rules are not mistakenly used by
forwarded traffic. Forwarded traffic should only use rules that
specify an explicit iif.
The rules change as follows:
0: from all lookup local
10000: from all fwmark 0xc0000/0xd0000 lookup legacy_system
10500: from all {+iif lo+} oif dummy0 uidrange 0-0 lookup dummy0
10500: from all {+iif lo+} oif wlan0 uidrange 0-0 lookup wlan0
10500: from all {+iif lo+} oif v4-wlan0 uidrange 0-0 lookup v4-wlan0
10500: from all {+iif lo+} oif rmnet_data0 uidrange 0-0 lookup rmnet_data0
13000: from all fwmark 0x10063/0x1ffff {+iif lo+} lookup local_network
13000: from all fwmark 0x10065/0x1ffff {+iif lo+} lookup wlan0
13000: from all fwmark 0x10065/0x1ffff {+iif lo+} lookup v4-wlan0
13000: from all fwmark 0x50064/0x5ffff {+iif lo+} lookup rmnet_data0
14000: from all {+iif lo+} oif dummy0 lookup dummy0
14000: from all {+iif lo+} oif wlan0 lookup wlan0
14000: from all {+iif lo+} oif v4-wlan0 lookup v4-wlan0
14000: from all fwmark 0x40000/0x40000 {+iif lo+} oif rmnet_data0 lookup rmnet_data0
15000: from all fwmark 0x0/0x10000 lookup legacy_system
16000: from all fwmark 0x0/0x10000 lookup legacy_network
17000: from all fwmark 0x0/0x10000 lookup local_network
19000: from all fwmark 0x65/0x1ffff {+iif lo+} lookup wlan0
19000: from all fwmark 0x65/0x1ffff {+iif lo+} lookup v4-wlan0
22000: from all fwmark 0x0/0xffff {+iif lo+} lookup v4-wlan0
22000: from all fwmark 0x0/0xffff {+iif lo+} lookup wlan0
32000: from all unreachable
Bug: 64976379
Bug: 73642792
Bug: 73032258
Test: marlin builds, boots, networking works
Test: IPv4/v6 USB tethering works concurrently with httpurl --nethandle <foo>
Test: USB tethering correctly able to use non-default-network upstream
Test: T-Mobile wifi calling works on walleye internal build
Change-Id: I9383a7ea54c60b0f33db8de8c6331e2f820539e1
Merged-In: I92a8eaf3b18c94f96b342f5eb3aa69735762aa6e
/system/netd/server/RouteController.cpp
|
| d7dd1d3af4ebac422303370301f1d98c9a84a8ae |
|
10-Jan-2018 |
Lorenzo Colitti <lorenzo@google.com> |
Merge changes Icc35c917,I12899e03,Iff5a202c
* changes:
Tighten up locking in NetworkController.
Add locking to RouteController.
Change RouteController from free functions/members to class functions.
|
| b9baf26777415ce2791fd86f4dd359ac7aab596c |
|
04-Dec-2017 |
Benedict Wong <benedictwong@google.com> |
[ipsec-qtaguid] Reserve mark, add ipsec bw exemptions
This change reserves a mark denoting that a packet has already been
accounted for, along with adding rules in BandwidthController to support
IPSec packets being billed correctly.
Bug: 62994731
Test: BandwidthControllerTest updated, passing. CTS tests also modified
and passing
Change-Id: I8b42975d1502a0d3b9e533bddc0892cfe1556bed
/system/netd/server/RouteController.cpp
|
| 5c43799a4bc53d0db6f06e6b0a93914956428ca6 |
|
27-Nov-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Don't create rules with NLM_F_EXCL.
Some operations, such as changing a network's permissions, rely
on make-before-break, and in some cases create rules that are
identical to the ones that already exist. Starting around 4.9,
the kernel fails these operations with EEXIST.
We can't just ignore the EEXISTs because if we get EEXIST it
means that the rule was not created, but we'll think it was,
and later on we'll trip up trying to delete it.
It would be possible to refactor the code to ensure that these
no-op operations are never performed, but we would probably have
to pass a lot more state around to deal with only a few corner
cases.
Fix: 69607866
Test: builds
Change-Id: I1b563243b615daa73a2d9f527f77608df1f56251
/system/netd/server/RouteController.cpp
|
| 107075a48973c18a087a5cb2ad2ad43e73f9909a |
|
30-Oct-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Add locking to RouteController.
Test: netd_{unit,integration}_test passes
Change-Id: I12899e0304d266b25b0b021ae28f9073c8b42604
/system/netd/server/RouteController.cpp
|
| 02cb80a71afbbe89e3ced8b417b2abe7578dbc82 |
|
30-Oct-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Change RouteController from free functions/members to class functions.
In a future change, this will make it more explicit which bits of
state (e.g., locks) are part of the class and which are not.
Test: netd_{unit,integration}_test passes
Change-Id: Iff5a202cdcb26a7b6039dd95655cc2c26592fc36
/system/netd/server/RouteController.cpp
|
| 92e8f96e43320efd5183d7452fb90883fd96415e |
|
26-Sep-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Don't look up the main table any more.
After https://android-review.googlesource.com/#/c/481397/ ,
directly-connected routes for all network types are added to
the correct routing tables by ConnectivityService. So there
should be no reason to look up the main table.
Bug: 28825988
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Test: dual-stack wifi and IPv4-only mobile data work
Change-Id: I64ba7dbf71478afcd9d2880440f93ef346116b6b
/system/netd/server/RouteController.cpp
|
| 3093f5676227bd84cc61051d035a9e8dfcfa15c1 |
|
25-Sep-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Don't require permissions for high-priority oif rules.
The intent of the high-priority oif rules added in ag/644462 was
to ensure that the kernel can send packets and forward packets to
a given interface by specifying only the oif. However, if a
network requires permissions, the high-priority oif rules we
create require those permission bits in the firewall mark, which
means the kernel cannot use them.
Therefore, remove the permissions check.
Test: builds
Test: netd_{unit,integration}_test pass
Change-Id: I73d7eb349c4c20d0d5efe05219a89cff5015a330
/system/netd/server/RouteController.cpp
|
| b5d19e9ca694af30226c83583005a583d441203e |
|
25-Sep-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Minor fixes in RouteController.
- Remove the definition of fib_rule_uid_range, since it's now in
the UAPI headers.
- Fix the comment on PRIO_THROW, which is inaccurate.
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Change-Id: I52ced26c4ea21925140d6ed86991e50cff7bd46a
/system/netd/server/RouteController.cpp
|
| 5e03a893d999d04b7329ab8825782d75872d680f |
|
08-Sep-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Invalidate dst caches when changing network permissions.
(cherry picked from commit 4662e16686954dd3ca80938efe6650227877fe44)
Bug: 64103722
Test: builds
Test: connected socket UDP traffic switches to wifi when cell goes into background
Change-Id: I502575d51781cacace96e0c2d1edb6a5183aab70
/system/netd/server/RouteController.cpp
|
| be0c7c3c7aae8c76a55e77fcdc3576475d1cc10e |
|
06-Sep-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Don't allow seamless handover to networks requiring permissions.
Currently, implicitly-marked sockets continue to work when the
network changes permission. This makes it so that UDP sockets
connected on a foreground network will continue to work even if
the network moves into the background (e.g., when the linger
timer fires on cell data with mobile data always on).
Instead, make it so that sockets implicitly marked to a network
become unroutable when the network starts requiring permissions.
Explicitly-marked sockets will continue to be routed on the
network, as usual.
This is consistent with what we do for TCP: when a network
changes permissions, all implicitly-marked sockets on that
network are closed using SOCK_DESTROY.
This change should not affect any other behaviour because:
- Netd only ever implicitly marks sockets to the default network
or to a bypassable VPN that applies to the caller.
- In both cases, at the time of marking, the network does not
require permissions because:
- VPNs don't support permissions.
- The default network never requires any permissions:
- ConnectivityService's mDefaultRequest specifies
NOT_RESTRICTED.
- The only case where a NOT_RESTRICTED network can require a
permission is if it's a background network, and the default
network is, by definition, never a background network.
- VPNs can't change permissions.
- If the network is still the default network, the lack of this
implicit rule doesn't matter.
Therefore, the only case where this rule can alter routing is if
a socket is implicitly marked on the default network and that
network, after ceasing to be the default, changes permissions.
(cherry picked from commit 6bd4a48ed735c7fc5c1143bf0b2f06b8a2879e61)
Bug: 64103722
Test: builds
Test: manually observed IP rules while changing network permissions
Change-Id: I944df3a97c8062e7c3af00f72e18e693bee0a3a6
/system/netd/server/RouteController.cpp
|
| d78843eb11fdde1611598fd27d347912070c0555 |
|
26-Mar-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Clear incoming packet mark rules on netd startup.
Currently, we put the incoming packet mark rules directly into
the INPUT chain of the mangle table, which is not cleared on netd
start. Move these rules to their own chain. This makes them
consistent with all the other iptables rules and makes it easy to
clear them on startup using the existing mechanisms.
Bug: 28362720
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Test: watch -n1 "adb shell iptables -v -n -t mangle -L INPUT" while switching networks
Test: rules are cleared on netd restart
Change-Id: I9130f997a96dcfdfdfdd950520a76f8473b5f603
/system/netd/server/RouteController.cpp
|
| 22c24ebd283d6e8fb782b34975417308839d4ad7 |
|
10-Jan-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Use new-style UID routing.
Kernel prebuilts for OC devices have been updated, so the legacy
attributes are not being used. Use the new attributes only. This
will ensure that devices aren't using the old code by mistake, as
any such devices will fail the VPN CTS tests.
(cherry picked from commit 882e467ff7b83de868fa0b9a9beb9036bf14aede)
Cherry-picking this to AOSP now that most external kernels have
been updated as well.
Bug: 16355602
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Test: has been running in internal master for several weeks.
Change-Id: I1c4e8c9281a843417a3a52294a1b7d3e6502bee6
/system/netd/server/RouteController.cpp
|
| c1306ea230c95ef0268d4d20a213911799982671 |
|
26-Mar-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Use iptables-restore to set the incoming packet mark rule.
This speeds up network switching because one rule needs to be
added/removed per interface.
Bug: 28362720
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Test: watch -n1 "adb shell iptables -v -n -t mangle -L INPUT" while switching networks
Change-Id: Ie536db6a50d018c88bb03c5f069965e99e0d162e
/system/netd/server/RouteController.cpp
|
| 60367db98fe9cca5b46210a5db8d8bfc638ce094 |
|
13-Feb-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Add a test for RouteController.
Test: netd_{unit,integration}_test pass.
Change-Id: I19416fd8a79354303dabec042d090f7ae6962b1b
/system/netd/server/RouteController.cpp
|
| f3e299a7c2a0136a84b58652b69e60a22bb0e708 |
|
14-Feb-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Use our netlink code to flush routes as well.
Most of the CL is refactoring the rule flush code to be more
generic and move it and various callback definitions to
NetlinkCommands. After that, flushing routes is very simple.
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Bug: 34873832
Change-Id: I0613d525f043d0a8b234a89982281b909011c7e5
/system/netd/server/RouteController.cpp
|
| 220ca739ad863fcd40c9ca107f6e0f68f7a45d14 |
|
14-Feb-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Don't complain when deleting non-existent tethering rules.
clearTetheringRules ignores errors when deleting rules,
because tethering rules don't exist unless tethering was
enabled on the interface. sendNetlinkRequest shouldn't log an
error in this case, since the caller is ignoring that error.
Bug: 34873832
Test: bullhead builds, boots, spurious error messages gone
Change-Id: Ib327e8a3aecd3a38d624baa8bf320da87e6c4f7c
/system/netd/server/RouteController.cpp
|
| bbcd81d2e5103bbf465d69c6d0f958d3e740dd6e |
|
14-Feb-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Don't call NetlinkCallbacks with nullptr on NLMSG_DONE.
No real callback uses this, and even the test code doesn't seem
to use it for anything useful.
Bug: 34873832
Test: bullhead builds, boots, rules flushed on netd restart
Test: netd_{unit,integration}_test pass
Change-Id: I195dd388864e9e596af9f4d08aee7b8ade078fb5
/system/netd/server/RouteController.cpp
|
| 219f328b7c2f99ef27f89206bdbf1260fa7ad2e4 |
|
10-Feb-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Use netlink code to flush rules.
This removes two calls to /sbin/ip on netd startup, which saves
about 70ms. In the future we will be able to use this to flush
routes as well, which will provide similar time savings on every
network destroy operation.
Bug: 34873832
Test: bullhead builds, boots
Test: rules flushed correctly when netd is killed
Change-Id: I4875ac7fec1a92dc5fa2cb68f8fab2a903348c20
/system/netd/server/RouteController.cpp
|
| 1ef549de8a21612ab61861ff0035877a4b76184d |
|
13-Feb-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Move the netlink command code to a new NetlinkCommands file.
Test: bullhead builds, netd boots
Test: netd_{unit,integration}_test pass
Bug: 34873832
Change-Id: Ia6fcde63e1092a62cad1c5238bbb9a91a9f39080
/system/netd/server/RouteController.cpp
|
| 7035f228d17e925116b1b64a7c917b3196ab8818 |
|
13-Feb-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Put most of netd into the android::net namespace.
Test: netd_{unit,integration}_test pass
Test: bullhead builds, boots
Bug: 34873832
Change-Id: I0a252328041b342f9c03cd08c11a69d452b045b3
/system/netd/server/RouteController.cpp
|
| 0b073fbc366ca9f5e7eaa0ae8072445404da88eb |
|
09-Feb-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Simplify and improve error logging in sendNetlinkRequest.
Bug: 32323979
Test: bullhead builds, boots, new error messages appear
Test: unit tests continue to pass
Change-Id: Ie60ed3a71fbd26b7a8a1d2f7fb8083b1b6b9626a
/system/netd/server/RouteController.cpp
|
| 2b078678aafceeefea6a70e96ab8ddefe515d027 |
|
16-Dec-2016 |
Lorenzo Colitti <lorenzo@google.com> |
Set both legacy and new UID routing attributes.
This should work on kernels that support either, as long as they
are older than 4.8.
Test: netd_integration_test passes with updated iproute and kernel
Test: netd_integration_test passes with existing iproute and kernel
Test: ConnectivityManagerTest and HostsideVpnTests pass on existing kernel
Test: ConnectivityManagerTest and HostsideVpnTests pass on updated kernel
Bug: 16355602
Change-Id: I9a2ef08ba2782587f43ea7d0609f5f07f6c3adb0
/system/netd/server/RouteController.cpp
|
| dc0d578a69cc5a57167a508207e2198590142d51 |
|
20-Jul-2016 |
Robin Lee <rgl@google.com> |
UidRanges: use class instead of pair<uid_t, uid_t>
Reuse the UidRange that was introduced in 7.0 (NYC) to ease transition
from CommandListener to binder which supports this as a parcelable type.
There is a small difference in behaviour: UidRange uses signed int32_t
vs. uid_t being unsigned and potentially a different size. This should
not be a problem as all of the java-side code is converting from int.
Updating to use int64_t in future would be a large effort and involve
changing the java-side UidRange class to use longs, and not fixing the
native side would cause unit tests to fail, so it shouldn't be possible
to overlook if that happens.
Committing this early with an appropriately loud warning so that it can
get soak time over the next year.
Test: runtest -x netd_integration_test.cpp
Change-Id: I6c217b347724ba5bfe2df28d6142a4343cb06353
/system/netd/server/RouteController.cpp
|
| 5bbe13bdc4470d0af2786fc62ad40a8ba8ff5830 |
|
17-May-2016 |
Robin Lee <rgl@google.com> |
Merge "Drop PROHIBIT_NON_VPN priority 11500 -> 12500" into nyc-dev
|
| 6c84ef62d953eae93c36ffa831e9b451560afba0 |
|
03-May-2016 |
Robin Lee <rgl@google.com> |
Drop PROHIBIT_NON_VPN priority 11500 -> 12500
So that the rule can be kept up 100% of the time instead of dropping
it when VPN comes on.
Bug: 26694104
Change-Id: I1df6b8f588e54d72e34dbcbd15492513e07fac3d
/system/netd/server/RouteController.cpp
|
| c125fe43c194128167db7a2a82b736b1357945d8 |
|
02-May-2016 |
Robin Lee <rgl@google.com> |
Restore ACT_UNREACHABLE
This got lost in between
I7d9752e86fa1a4564c622152a5be6ce2c1eda150 and
If23df0760c6eb0ad137fc26c5124e48edf23b722.
Which broke creating the UNREACHABLE network, also breaking the dummy
network which should be created after it.
Fix: 28304838
Change-Id: I31c4ca9c3f53d6162b50e5bc46e27cfcd1b6a314
/system/netd/server/RouteController.cpp
|
| b8087363143050d214d48e5620a330776ca95a69 |
|
30-Mar-2016 |
Robin Lee <rgl@google.com> |
Server API to only allow networking by VPN apps
Secure virtual networks already create rules to route all traffic into
theirselves. This depends on the secure network already existing.
API creates an ip rule at a priority level below SECURE_VPN which
can catch traffic before VPN comes up, if it is a requirement that no
traffic ever leaves without first going through VPN.
Bug: 26694104
Bug: 26354134
Change-Id: If23df0760c6eb0ad137fc26c5124e48edf23b722
/system/netd/server/RouteController.cpp
|
| 4ef94642636182e68495f606a65c00f8a830aad4 |
|
01-Apr-2016 |
Robin Lee <rgl@google.com> |
Have modifyIpRule take an explicit action
Instead of inferring from the priority what the action should be.
Bug: 26694104
Change-Id: I7d9752e86fa1a4564c622152a5be6ce2c1eda150
/system/netd/server/RouteController.cpp
|
| f65122c81c824940ba93666d961c8d3fd76f3a9c |
|
12-Feb-2016 |
Evgenii Stepanov <eugenis@google.com> |
Workaround ASan false positive in RouteController.
Bug: 27037723
Change-Id: I40e7f0d07652aeb6484de5f963a7698b6805d582
(cherry picked from commit dfde1d6c6c397e437adf937a1718784d9cb2c0cf)
/system/netd/server/RouteController.cpp
|
| bbd5626b3d0994ff0ecbfceac75f6dc4abfb55c6 |
|
05-Dec-2015 |
Elliott Hughes <enh@google.com> |
Track rename from base/ to android-base/.
Change-Id: Ice6d43c0f9b16b8fb441158a0f7344dfbf969dea
/system/netd/server/RouteController.cpp
|
| 5407e14fd3d81bb76f94221b4a359faa2806de65 |
|
16-Mar-2015 |
Dan Albert <danalbert@google.com> |
Revert "Revert "Update for libbase.""
This reverts commit 4a0ab5ff4a87cfc4a987da99546b01e44875a2e5.
(cherry picked from commit 3e87c785434fdfed2fb00496cb391c411a426bdd)
Change-Id: I042f485f3cc84206766298853491ddd26dbba13f
/system/netd/server/RouteController.cpp
|
| e298ded6ade9744f2a79cae045b5c324886262f4 |
|
16-Mar-2015 |
Nicolas Geoffray <ngeoffray@google.com> |
resolved conflicts for merge of 6066d418 to master
Change-Id: I2aa9721365e96c363648dd8e9e15718ed50e3c12
|
| 4a0ab5ff4a87cfc4a987da99546b01e44875a2e5 |
|
16-Mar-2015 |
Nicolas Geoffray <ngeoffray@google.com> |
Revert "Update for libbase."
Breaks internal master.
This reverts commit b67219a71d1d896bcb34c4a7a797824b88515b2c.
Change-Id: I43145f0724ad2d669b65d20b6fd6ccc44b8f0a4f
/system/netd/server/RouteController.cpp
|
| a4614fe5bfaafd0ff6be60ddb6fd135f99f5a5a5 |
|
16-Mar-2015 |
Vinit Deshpande <vinitd@google.com> |
Merge remote-tracking branch 'goog/mirror-m-wireless-internal-release'
Change-Id: I51337014e2851f47dd5e183c4bfdf39bafa59942
|
| b67219a71d1d896bcb34c4a7a797824b88515b2c |
|
14-Mar-2015 |
Dan Albert <danalbert@google.com> |
Update for libbase.
StringPrintf and the string based file I/O are being moved to libbase.
Change-Id: I765d9e53f65a76d318d9d0d9503403fc092254d5
/system/netd/server/RouteController.cpp
|
| 6b6f25fa4c135d477bcaf0bb50305a5d9aee92e3 |
|
03-Mar-2015 |
Lorenzo Colitti <lorenzo@google.com> |
Flush tethering rules on interface remove.
Bug: 19500693
Change-Id: I25b7942784ec026d30c60273c9e13e34d082d25a
/system/netd/server/RouteController.cpp
|
| 57947f02c00bb03651e3f9427c880211c689db7f |
|
27-Feb-2015 |
Lorenzo Colitti <lorenzo@google.com> |
Add oif rules that allow UID 0 to bypass the VPN.
This is needed for wifi calling so that the kernel (which does
not set marks) can tee packets towards the modem. It also fixes
things like not being able to reply to DHCP requests from
tethered clients when a VPN is up.
System apps can already bypass the VPN using explicit marks, so
allowing UID 0 to do so does not create additional bypass VPN
issues.
Bug: 19500693
Change-Id: Ie324026893637e9bd8e7aa65a37579569390e7b7
/system/netd/server/RouteController.cpp
|
| 5ad4e98f7b566ffde39491ee4e80d4a15507f053 |
|
26-Feb-2015 |
Lorenzo Colitti <lorenzo@google.com> |
Make the VPN rule only to originated, not forwarded, traffic.
Currently the VPN rule for the primary user will match every
forwarded packet on the system, because it specifies a UID range
that includes 0, and forwarded packets have UID 0.
Use "iif lo" to limit the rule match to locally-originated
traffic. This requires a kernel that sets the loopback ifindex.
when originating packets. Anything based on 3.10 is fine, but
devices using 3.4 will need a one-line change for IPv6.
Bug: 19500693
Change-Id: Iaab88bed62716dc1cea33b45c4e258f6b3bfc9d0
/system/netd/server/RouteController.cpp
|
| 3667936aadcabddc708797ac38ce1ffb2f992cb3 |
|
25-Feb-2015 |
Lorenzo Colitti <lorenzo@google.com> |
Add a dummy network that discards all packets.
Bug: 19500693
Change-Id: Ic25f2d8c481f1528e887e43ca3fa868189582110
/system/netd/server/RouteController.cpp
|
| bd37832f1843ed78f64604e5627cf952ac9614ba |
|
04-Feb-2015 |
Elliott Hughes <enh@google.com> |
Switch writing to <utils/file.h>.
Change-Id: Idb2de24414f4dd8e926e625b62e4d12152dc4527
/system/netd/server/RouteController.cpp
|
| 53ea9cadf6cc5f8be1c16b5b6b660cd7366fd3f0 |
|
31-Jan-2015 |
Nick Kralevich <nnk@google.com> |
Avoid leaking file descriptors
Add O_CLOEXEC on open() calls, and SOCK_CLOEXEC on socket calls.
This avoids leaking file descriptors across execs.
Addresses the following SELinux denial:
audit(1422740213.283:8): avc: denied { read write } for pid=2597 comm="clatd" path="socket:[6709]" dev="sockfs" ino=6709 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket
and allows the removal of some other SELinux rules which were
inappropriately added because of leaking file descriptors.
Change-Id: I9c180488ea1969d610e488f967a7276a672bb477
/system/netd/server/RouteController.cpp
|
| 0321315d4e94dacd5ef2e0de217059cbc72d803d |
|
30-Oct-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Don't fail when trying to add routes that already exist.
Previously, we suppressed failures for the special case of
requestRouteToHost() being called multiple times. Turns out that other
parts of the system also try to add duplicate routes, so just suppress
EEXIST errors in general (as far as adding routes is concerned). For
example, this happens when the WiFi P2P DHCP client renews its lease
and blindly requests to add a route that it had already added before.
(cherry picked from commit 64166e7666e3cc7f4b9c715f2b4e19d28ae44c5a)
Bug: 17205769
Change-Id: I11d50052f616cb48a912d647b8024ccef01b736d
/system/netd/server/RouteController.cpp
|
| aa1be2b3d24d99f3ccb98ff4fbb2a81b63587eff |
|
06-Jan-2015 |
Dan Albert <danalbert@google.com> |
Fix missing errno.h includes after libc cleanup.
These issues hadn't been found yet because a libc++ header was
unconditionally pulling in errno.h. I've fixed the libc++ header now.
Change-Id: Ib096634cdd231fc75bf7548e4b99babc7442dc53
/system/netd/server/RouteController.cpp
|
| 64166e7666e3cc7f4b9c715f2b4e19d28ae44c5a |
|
30-Oct-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Don't fail when trying to add routes that already exist.
Previously, we suppressed failures for the special case of
requestRouteToHost() being called multiple times. Turns out that other
parts of the system also try to add duplicate routes, so just suppress
EEXIST errors in general (as far as adding routes is concerned). For
example, this happens when the WiFi P2P DHCP client renews its lease
and blindly requests to add a route that it had already added before.
Bug: 17205769
Change-Id: I3de557ddb82c95899623aa31b4b3ec7c955f5609
/system/netd/server/RouteController.cpp
|
| 4c95a125e0930c112555437589f7620575482095 |
|
18-Sep-2014 |
Lorenzo Colitti <lorenzo@google.com> |
Support manipulating throw routes.
We already supported unreachable routes. Throw routes are
necessary so we can exempt the VPN endpoint from being routed
through the VPN in legacy VPN modes that do not pass traffic
through a tun or ppp interface but just directly appply IPsec
transformations to outgoing packets.
Bug: 17462989
Change-Id: I8635472ca3e96ec2866af2de48e6260ab2da13fb
/system/netd/server/RouteController.cpp
|
| 99286fe1ef6fc325c28dd10b651b5adedd549495 |
|
12-Aug-2014 |
Lorenzo Colitti <lorenzo@google.com> |
Make destroying networks more robust.
1. Retry route flushes if they fail.
2. Make destroyNetwork ignore (but return) errors.
Bug: 16944962
Change-Id: I26301613437d7cc373ff64955fd44d716e9982b9
/system/netd/server/RouteController.cpp
|
| db74dba7ccfe9e9504e0acd440a23fed96682842 |
|
29-Jul-2014 |
Lorenzo Colitti <lorenzo@google.com> |
Stop copying directly-connected routes to the main table, #2.
For a long time we have thought that copying directly-connected
routes to the main table was necessary to add gatewayed routes
to other routing tables. However, this is not necessary when the
directly-connected routes are properly created with "scope link"
as we do in http://ag/513100 .
Delete the copying code, but don't delete the rule that looks up
the main table or the code that dumps it. The main table is used
for things like cell networking, because the RIL emulates cell
networks, which are actually point-to-point, as directly
connected broadcast subnets (e.g., a /30 or a /27) with a fake
default gateway. The directly-connected route that covers the
fake default gateway is implicitly created by adding the IP
address, but it's in the main table, so we can't add the default
route without looking up the main table.
Change-Id: I93bd4764ac75fdcc98fa4206c601524100d53fc3
/system/netd/server/RouteController.cpp
|
| a2c230520be5fdafce8bbc0b6ee52262f981f75a |
|
29-Jul-2014 |
Lorenzo Colitti <lorenzo@google.com> |
Revert "Stop copying directly-connected routes to the main table."
This reverts commit 2f5ea0e99e9a436cd43901b1772b77a410a62f8d.
Change-Id: I1fe1df0249714cb650a34fae56476236ac0108e3
/system/netd/server/RouteController.cpp
|
| 2f5ea0e99e9a436cd43901b1772b77a410a62f8d |
|
29-Jul-2014 |
Lorenzo Colitti <lorenzo@google.com> |
Stop copying directly-connected routes to the main table.
For a long time we have thought that copying directly-connected
routes to the main table was necessary to add gatewayed routes
to other routing tables. However, this is not necessary when the
directly-connected routes are properly created with "scope link"
as we do in http://ag/513100 .
Delete the copying code, but keep dumping the main table in
bugreports, so we can see if third-party code such as RIL
daemons is putting anything in it.
Change-Id: Iddd531daaf9881ffd82f0a4b4f6cc857ce8788fd
/system/netd/server/RouteController.cpp
|
| 2bff72e0cf091f4d71af0c81cfc74e8ebd8c6644 |
|
18-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Add "scope link" when adding routes without a nexthop.
This is consistent with what /sbin/ip does, and it makes
recursive lookups on secondary tables work even when the main
table is empty.
This was originally proposed by Sreeram as http://ag/506456 to
fix a VPN issue, but then abandoned because it did not fix that
particular problem.
Bug: 16628572
Change-Id: I85753389c683ae2127b21af722463a35a33b60eb
/system/netd/server/RouteController.cpp
|
| 060d855a00cb94e8903fd1551c9bf040f42b57d1 |
|
28-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Merge "Prohibit address families by default unless a VPN explicitly allows them." into lmp-dev
|
| de5d5df753dd35d852ac47a6174b06eacd0d5523 |
|
27-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Prohibit address families by default unless a VPN explicitly allows them.
Bug: 15972465
Change-Id: I3278d94536fefacc86390c1ba4231680f7be8589
/system/netd/server/RouteController.cpp
|
| 95684ba176a9fe5ea59207d7202e47fa12bbfdbe |
|
23-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Implement support for bypassable VPNs.
Bypassable VPNs grab all traffic by default (just like secure VPNs), but:
+ They allow all apps to choose other networks using the multinetwork APIs.
If these other networks are insecure ("untrusted"), they will enforce that the
app holds the necessary permissions, such as CHANGE_NETWORK_STATE.
+ They support consistent routing. If an app has an existing connection over
some other network when the bypassable VPN comes up, it's not interrupted.
Bug: 15347374
Change-Id: Iaee9c6f6fa8103215738570d2b65d3fcf10343f3
/system/netd/server/RouteController.cpp
|
| 48e19b037e7e20674048ef76bf31ce65c741347c |
|
23-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Implement the fallthrough rule to support split tunnel VPNs.
Change-Id: Ibc48caedb5954c6b12bfa553d978bab56c4b09aa
/system/netd/server/RouteController.cpp
|
| 111bec203e82bdc9fb2c27df7c232465dffeee5f |
|
23-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Implement the rule to forward traffic to local networks via VPNs.
Change-Id: I4bffb2ce854a6fa7d4c0d35b97f123d91c6a84d6
/system/netd/server/RouteController.cpp
|
| fa9f4dcd79dcfd24af276263159c5315abb06df6 |
|
23-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Cosmetic: Move some functions around to match rule priority order.
Change-Id: I81af639b66ac66272e0fae2d53119de1bfa12e69
/system/netd/server/RouteController.cpp
|
| 182a26ff95515179b1a7e62a806f90279cdcd9b3 |
|
23-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Remove the oif=iface clause when tethering.
The rule is meant to be "iif=inputIface => lookup <table_for_outputIface>", not
"iif=foo oif=bar => lookup <table_for_bar>" (the latter would never match
because packets coming in on the input interface will not have any output
interface binding).
Bug: 16242255
Change-Id: I98a2a8ab90765aee833134297b58d4f7a212036f
/system/netd/server/RouteController.cpp
|
| b717e74df3571951890cf36ee8bd559501d7fdc4 |
|
19-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Flush routing rules and add an "unreachable" rule on Init().
Without the flush, rules accumulate duplicates when netd is restarted due to a
runtime restart. Nothing functionally wrong with having duplicates; it just
makes the output of "ip rule" look as though something went wrong in the system.
Time to add the unreachable rule, to suss out issues with corner cases. With the
flush, there's no more a naked "from main" rule that we need to protect by
adding the unreachable rule. But it's a good idea to add the unreachable rule
anyway, in case somebody comes along and adds a rule below it later.
Change-Id: I975b2221868b7f5366bd7cf60937a82fb4b75913
/system/netd/server/RouteController.cpp
|
| 87475a1471373b72ffc9f81f17dfd7884723fa86 |
|
16-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Fix WiFi-Direct and Tethering.
A LocalNetwork object now always exists in the NetworkController, with a fixed
NetId that's guaranteed not to collide with NetIds created by the framework.
When routes are added on an interface tracked by the LocalNetwork, they are
added to a fixed "local_network" table.
When NAT is enabled, we add a special "iif -> oif" tethering rule.
Bug: 15413694
Bug: 15413741
Change-Id: I36effc438d5ac193a77174493bf196cb68a5b97a
/system/netd/server/RouteController.cpp
|
| b31e085466c95e5e89de6e06ebc3547c85e98242 |
|
12-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Merge "Add default routing tables to rt_tables."
|
| bb40d5198943df0e2a88514cbcd82a23a5b0cd97 |
|
11-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Add default routing tables to rt_tables.
This is so that these tables also get dumped by bugreport / dumpstate.
Change-Id: Ia5ed8a23911d7b34ba964934dec42849f4a73824
/system/netd/server/RouteController.cpp
|
| 6a773534e7f8541f221f27fb8063af079b1a5936 |
|
11-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Fix tethering in the case of a regular upstream connection.
Fixes tethering via Ethernet, Bluetooth and WiFi (hotspot).
Tethering when the upstream has a DUN-specific APN is likely still broken
(untested).
For now, assign a fixed NetId (a hack) until we can change the framework to
create a valid NetworkAgent and all that jazz.
Bug: 15968336
Bug: 14988803
Change-Id: Idcf4d492d9329a9c87913e27be6dd835a792bea2
/system/netd/server/RouteController.cpp
|
| c7d804c1d22db40ac79fde46a032cd359e975f5b |
|
09-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Cosmetic: Move constants into file scope.
Change-Id: Ic1398a5867693bb8f1e588e727869ec6a4574432
/system/netd/server/RouteController.cpp
|
| 4acd34a8e95b1191318216ebad409ec5e1b3d5f0 |
|
08-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Add symbolic table names for routing table numbers.
This makes the output from "ip rule" much more readable.
Companion changes are in AOSP.
Change-Id: I69deb1a64d5d6647470823405bf0cc55b24b22de
/system/netd/server/RouteController.cpp
|
| e09b20aee85f1dfd8c18c3d8581ac875d939ba70 |
|
06-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Add full support for UIDs in VPNs.
Major:
+ Implement the functions mentioned in http://go/android-multinetwork-routing
correctly, including handling accept(), connect(), setNetworkForSocket()
and protect() and supporting functions like canUserSelectNetwork().
+ Eliminate the old code path of getting/setting UID ranges through
SecondaryTableController (which is currently unused) and mUidMap.
Minor:
+ Rename some methods/variables for clarity and consistency.
+ Moved some methods in .cpp files to match declaration order in the .h files.
Bug: 15409918
Change-Id: Ic6ce3646c58cf645db0d9a53cbeefdd7ffafff93
/system/netd/server/RouteController.cpp
|
| 5009d5ef3fbcdc69d772b528fd22184b7d605afa |
|
03-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Update routing rules.
As per the latest changes to: http://go/android-multinetwork-routing
Functional changes:
+ Add explicit=NO to the implicit network rules, though it's a no-op.
+ Remove most of the UID=0 (kernel access) rules since they are no longer
needed, except in one case to allow access to a VPN.
+ Add the explicit, protect and permissions bits to the incoming packet mark.
+ VPNs now don't need an implicit network rule.
+ Modifying network permissions now modifies the incoming packet mark as well.
Cosmetic changes:
+ Renamed the legacy tables to match their permissions (SYSTEM and NETWORK).
+ Renamed most functions and methods for clarity and consistency.
+ Renamed and adjusted some ule priorities.
+ Move most rule modifications into their own functions, to prevent brittle
reliance on the previous state of the fwmark/mask variables.
Change-Id: I958a7e158ee918d5254de606fcfa55fe23327438
/system/netd/server/RouteController.cpp
|
| ed4bd1f7d219f9f5f56763ea02cf4947e78397f6 |
|
05-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Fix permissions handling.
+ Rename the permissions as per: http://go/android-multinetwork-routing
+ Make the SYSTEM permission explicitly include NETWORK.
+ Grant the SYSTEM permission to system UIDs by default, but allow the framework
to override them if necessary.
+ Move the "string to permission" parsing to CommandListener.cpp, thus allowing
us to get rid of Permission.cpp.
+ There's no need to support multiple permissions string arguments, so tighten
that up.
Change-Id: I73d51b5e2f44a97e6d5ab5943ff198cebfbcc0c4
/system/netd/server/RouteController.cpp
|
| 72999d6cfc1df23cd911b85730f1f532fb62bed4 |
|
03-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Fix regressions in flushRoutes().
http://ag/486276 left out a comma, causing the command to be "routeflush" (which
is invalid), instead of the correct "route flush".
http://ag/495068 changed the order, causing the interface to be removed from the
interfaceToIndex map before we are done using it in modifyPerNetworkRules().
Change-Id: I65af0b5763b13e47b48e7e2b81d243dc19e1a03b
/system/netd/server/RouteController.cpp
|
| eb27b7ec10faf47a93fbc2863092cc667b05e252 |
|
01-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Fix routing rules.
Fix the rules in RouteController as per the latest iteration of the routing
design: http://go/android-multinetwork-routing. Changes include:
+ The legacy tables have to be global. So remove the UID being passed in to
modifyRoute() and remove the associated TODOs.
+ Add UID=0 rules to let the kernel access routes on privileged networks.
+ Add a UID=0 clause to the directly-connected hack, thus fixing the TODO.
+ Add the privileged_legacy table just above the legacy table, when overriding
the default network. (The same table remains added at the top of the rule
chain, to override VPNs, but only for CONNECTIVITY_INTERNAL-privileged apps).
Other cosmetic changes:
+ Update the names and values of the rule priorities.
+ Move the legacy table IDs to the .h file in anticipation of using them from
bugreport / dump commands.
+ Make 'action' the first parameter consistently.
Change-Id: I6634a19ddc8062b2ef55d926c7892fff8c586106
/system/netd/server/RouteController.cpp
|
| cf891383224e420d99996f7e63728a7cc902415e |
|
02-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Don't use %zu for uid_t. It's always unsigned int, so %u is correct.
Change-Id: I5be1d479b524495037c2aedc8336c794d2698914
/system/netd/server/RouteController.cpp
|
| 1201e84ebda52d8d82e5385644e9de0923e61aa3 |
|
02-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Use %zu to printf size_t correctly on both 32-bit and 64-bit platforms.
Change-Id: I5223e574084fca47606b844d74a99a642c7d66be
/system/netd/server/RouteController.cpp
|
| b1425cc09f8a29350520db0d4f489331df5a689b |
|
24-Jun-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Add UID range support to VPNs.
This adds the necessary routing rules.
Future CLs will add the ability to select the right netId for connect(),
setNetworkForSocket(), DNS resolutions, etc.
Bug: 15409918
Change-Id: I88a67660d49cecda834dd72ab947fbfed250f09d
/system/netd/server/RouteController.cpp
|
| 4043f01f8e25f24246efadc710ad7440aab75529 |
|
23-Jun-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Introduce VPN support.
This change sets up the basic routing rules for VPNs. It doesn't yet handle UID
ranges (that are meant to apply to the VPN) correctly. That's forthcoming in
other CLs.
Bug: 15409918
Change-Id: I284de04f176dcf6ba702361de6a614266256d04e
/system/netd/server/RouteController.cpp
|
| f4f6c8de3f091be4b91a5a9d7f14e8882ec6d502 |
|
23-Jun-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Refactor: Encapsulate permissions and interfaces into a Network class.
Currently, there's a lot of logic in NetworkController surrounding events such
as interface addition/removal, network creation/destruction and default network
change, because these events are interwined. For example, adding an interface
means also adding a corresponding default network rule if the interface is being
added to the current default network.
When we introduce VPNs into this mix, things will get hairy real quick for all
this logic in NetworkController.
In this refactor, we introduce an abstract base class Network which supports
adding and removing interfaces. The main concrete implementation of this is
PhysicalNetwork, which allows setting permissions and "default network" state.
Since we've moved network permissions into the above class, and user permissions
into NetworkController, PermissionsController is unused and has been removed.
Also fix a few bugs in RouteController:
+ Use uidEnd correctly.
+ Check for all error cases in inet_pton.
+ Check the return value of android_fork_execvp() correctly.
+ The "return cmd1() && cmd2()" pattern is wrong. Rewrite that code.
Also (non-functional changes):
+ Remove instantiations of RouteController. It has static methods only.
+ Reorder some blocks in CommandListener so that the most frequent commands are
checked first.
+ Remove unused paramError() and clearNetworkPreference().
+ Change all return codes to int (negative errno) wherever applicable.
+ Add WARN_UNUSED_RESULT everywhere.
+ Cleanup some style in RouteController and NetworkController.
+ Use uid_t instead of unsigned for user IDs.
+ Add clearer log messages at the source of failures.
+ Add a check for when fwmark bits are set without corresponding mask bits.
Bug: 15409918
Change-Id: Ibba78b0850160f9f3d17d476f16331a6db0025d1
/system/netd/server/RouteController.cpp
|
| 1077d298655efa7755925e788d49a73e9db10afc |
|
27-Jun-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Don't fail when adding a duplicate legacy route.
This only affects calls to requestRouteToHost() by apps. We still fail if the
framework itself tries to add a non-legacy duplicate route, since the framework
should know better (we can consider relaxing that too in the future).
Bug: 15925532
Change-Id: I9ee434277e462d570f88e6fe63a096e5ae41eee9
/system/netd/server/RouteController.cpp
|
| 72723683be57b6d562dc96cde30cc33cc96b3e82 |
|
26-Jun-2014 |
Lorenzo Colitti <lorenzo@google.com> |
Convert rta_* and fra_* variable names to camelCase.
Change-Id: I0ca539ac4c54bb71b033f288fb4229afd71b7989
/system/netd/server/RouteController.cpp
|
| 5965651602fb8373b75b6ae2d59c6a4d753f2f49 |
|
24-Jun-2014 |
Lorenzo Colitti <lorenzo@google.com> |
Support adding and removing UID rules via netlink.
Change-Id: Idae13bceda869261689260759084b8d6ef1ff639
/system/netd/server/RouteController.cpp
|
| 96f261e8b28048b8cb48f5a4e81822c73bb813f4 |
|
23-Jun-2014 |
Lorenzo Colitti <lorenzo@google.com> |
Pass rule modification errors back to CommandListener.
Change-Id: If01334dccad8b6230648713a57fd58be180ac66b
/system/netd/server/RouteController.cpp
|
| 4753afd79e130d5f1c888f549c36b4da92dbe680 |
|
20-Jun-2014 |
Lorenzo Colitti <lorenzo@google.com> |
Use netlink to add/delete rules as well as routes.
Also change the indentation of the rtattrs used in modifyIpRoute
to make it easier to see what attributes are being used and in
what sequence.
This change does not yet pass the errors back to CommandListener;
that is done in the next change in the series.
Change-Id: Ib2e174386c63cb0647d838d9c7d731cd6df39c4f
/system/netd/server/RouteController.cpp
|
| 7f972fb1cd3c26af76779a7a3220b9cf5fb63a0a |
|
25-Jun-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Unrevert the 'revert the "talk to netlink directly" change.'
http://ag/486277 was reverted in http://ag/491263 and is being unreverted in
this change. The bug in the original CL was a typo ("interface" instead of the
desired "ifindex"), which is now fixed.
Bug: 15840054
Change-Id: If66987c74cc86e9ba4f7a35d36f0a39afe939a68
/system/netd/server/RouteController.cpp
|
| ab359feb1a4d3a1898e32a7da47dcde3da4c1ed6 |
|
25-Jun-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Temporarily revert the "talk to netlink directly" change.
The change being reverted is http://ag/486277. Instead, use /sbin/ip again. The
code to talk to netlink fails on volantis. I.e., instead of this:
$ ip route show table 1006
default via 100.110.191.254 dev wlan0
100.110.128.0/18 dev wlan0 scope link
we end up with this:
$ ip route show table 1006
default dev wlan0 proto static
100.110.128.0/18 dev wlan0 proto static
Notice the lack of the nexthop and the addition of "proto static". I think the
netlink message is somehow not properly aligned on volantis, causing the kernel
to misinterpret it.
Bug: 15840054
Change-Id: Ief60473e337410f7cb35890de0a5a74a21723a41
/system/netd/server/RouteController.cpp
|
| f7fc8eccb0a6a4fbca4cafdf53f5c167c8f1d755 |
|
17-Jun-2014 |
Lorenzo Colitti <lorenzo@google.com> |
Pass route add/delete errors back to CommandListener.
Change-Id: Id1d6d578963080e141f71bc1303801fc53bce40a
/system/netd/server/RouteController.cpp
|
| ba25df989b48f36b784ad39307a49a4fd9c3fd66 |
|
17-Jun-2014 |
Lorenzo Colitti <lorenzo@google.com> |
Use native netlink code instead of /sbin/ip to manipulate routes
Shelling out to /sbin/ip is slow, and more importantly it does
not preserve the error messages returned by the kernel when
adding or deleting a route fails. Instead, use netlink directly.
This change does not yet pass the errors back to CommandListener;
that is done in the next change in the series.
Change-Id: I5ad3c8583580857be6386a620ff5c4f3872d685b
/system/netd/server/RouteController.cpp
|
| 357e5629bb4c745296ab40340ec8679372337155 |
|
17-Jun-2014 |
Lorenzo Colitti <lorenzo@google.com> |
Flush both IPv4 and IPv6 routes.
The current code unintentionally flushes only IPv4 routes
because it reuses a function that is normally used to add and
remove routes (where the IP version is implicitly specified by
the route to add or remove).
Instead of fixing the runIpRouteCommand function, add a new
flushIpRoutes function because runIpRouteCommand will be
replaced by a netlink implementation in an upcoming CL.
Change-Id: Ie96ae4124baca3edb8e0d0841e7abadb6b3ee9ab
/system/netd/server/RouteController.cpp
|
| a561e121c724e9163b2e256e15eef660e3a326da |
|
12-Jun-2014 |
Paul Jensen <pauljensen@google.com> |
Cache interface indices in case interfaces go away.
Without caching them netd will fail to remove rules and routes,
for example, when the Bluetooth reverse-tether interface ("bt-pan")
goes away.
bug:15407087
Change-Id: I99fcf00f9645a0b029455516a705b70110f62ff6
/system/netd/server/RouteController.cpp
|
| ac19883dd50d5310d1fddf996ee227075a103ecb |
|
31-May-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Fix build.
Change-Id: If170e46ff92c6a972bc1c2d838b1ac0eea6e23de
/system/netd/server/RouteController.cpp
|
| 9a4c1128b274ee2a6ffab3d50d08aaf0bc2fb2ff |
|
30-May-2014 |
Sreeram Ramachandran <sreeram@google.com> |
am 82eab785: Support legacy routes added by apps via ensureRouteToHost().
* commit '82eab785bd5cb2eff0a263f5b0dcde13e9139588':
Support legacy routes added by apps via ensureRouteToHost().
|
| 82eab785bd5cb2eff0a263f5b0dcde13e9139588 |
|
22-May-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Support legacy routes added by apps via ensureRouteToHost().
This adds the routes to two fixed tables:
+ LEGACY, which has higher priority than other non-explicit lookup tables
(per-network and default network).
+ PRIVILEGED_LEGACY, available only to system apps and has higher priority than
VPNs (system apps are those with the CONNECTIVITY_INTERNAL permission).
This will be changed to per-UID tables once the kernel supports UID-based
routing, so that these legacy routes are scoped to each app and not global.
Also, fix a TODO: The framework (as of http://ag/471599) will not set the
gateway argument if it's actually a direct-connected route.
Change-Id: I0ee1ca89fdc859d75a89021ca8c1902811b1e4a9
(cherry picked from commit 38b7af1f2cb9579895465fabc37865f5dadcac25)
/system/netd/server/RouteController.cpp
|
| 56afacf838d24cf8e54d2cf0d8ab9182ab704125 |
|
29-May-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Turn on C++11 and make all warnings into errors.
As a consequence:
+ Comment out the names of all unused parameters.
+ Remove all unused variables and functions.
In server/Android.mk, there are a couple of non-trivial changes:
+ Use libcxx instead of stlport. This is needed to fix a bunch of errors due to
specifying -std=c++11.
+ LOCAL_SHARED_LIBRARIES is sorted. Technically, the order in which libraries
are listed has an effect on linking, but nobody should be doing such brittle
things anyway.
Change-Id: I0aff5b745e04609da23144d0e8be4c5694321b8b
/system/netd/server/RouteController.cpp
|
| 38b7af1f2cb9579895465fabc37865f5dadcac25 |
|
22-May-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Support legacy routes added by apps via ensureRouteToHost().
This adds the routes to two fixed tables:
+ LEGACY, which has higher priority than other non-explicit lookup tables
(per-network and default network).
+ PRIVILEGED_LEGACY, available only to system apps and has higher priority than
VPNs (system apps are those with the CONNECTIVITY_INTERNAL permission).
This will be changed to per-UID tables once the kernel supports UID-based
routing, so that these legacy routes are scoped to each app and not global.
Also, fix a TODO: The framework (as of http://ag/471599) will not set the
gateway argument if it's actually a direct-connected route.
Change-Id: I0ee1ca89fdc859d75a89021ca8c1902811b1e4a9
/system/netd/server/RouteController.cpp
|
| 72604075e74af459fb4637404fbf030422c6b6b6 |
|
21-May-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Rework the determination of a "valid network".
+ isNetIdValid() doesn't make much sense. What we want is whether the netId has
actually been created (via createNetwork()).
+ It isn't an error to call deleteNetwork() or setDefaultNetwork() even when
there are no interfaces assigned to the network.
+ Secure all accesses to the maps in PermissionsController with locks; they are
called from many threads (CommandListener, DnsProxyListener and FwmarkServer).
+ Remove the redundant mIfaceNetidMap.
+ Minor cosmetic changes to things such as #includes and log messages.
Change-Id: Ieb154589b24f00ba8067eaaec4def3534aec4923
/system/netd/server/RouteController.cpp
|
| f4cfad361175a7f9ccf4d41e76a9b289c3c3da22 |
|
21-May-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Move netd_client into netd.
Change-Id: Ie4b6b303225c93f2448a503d6ea9cebb552cbad5
/system/netd/server/RouteController.cpp
|