path: root/bpf_progs

Commit log for bpf_progs. Each entry gives the subject, then [author, date, files changed, lines removed/added], followed by the commit message. Entries indented one level are the second-parent commits of the merge above them.
* Merge tag 'android-13.0.0_r16' into t13.0  [Semavi Ulusoy, 2022-12-17, 1 file, -2/+2]

    Android 13.0.0 Release 16 (TQ1A.221205.011)

    Change-Id: I11c23ee1f0766b6c32efe2df223c9615a30752d2

  * DscpPolicy Move to kernel 5.15  [Tyler Wear, 2022-08-02, 1 file, -2/+2]

    Require at least kernel 5.15. Feature is not required on older kernels and may impact boot time unnecessarily.

    Bug: 235559605
    Change-Id: I2e4b509de1d8940fc63ae057a8326f13c0fd1420
    (cherry picked from commit a8ca597aec0e5d288a00133b44a1509075b90d21)
    Merged-In: I2e4b509de1d8940fc63ae057a8326f13c0fd1420

* Firewall: Support a greater number of apps/uids  [t-m-w, 2022-11-04, 1 file, -2/+2]

    Devices with a large number of app uids, particularly those with multiple work profiles or secondary users, may quietly experience failures making adjustments to firewall rules, resulting in apps being blocked from accessing the network when they should be allowed, and becoming a noticeable problem when using Battery Saver mode.

    The misleading "Argument list too long" error in logs signifies that a BPF map (uid_owner_map in this case) has reached its maximum entries. This patch doubles that to 4000. uid_permission_map is also affected, and because uid_counterset_map involves uids too, we do the same there.

    bpf_shared.h contains comments urging caution with regard to potential kernel memory limits. Fortunately, BPF maps have been consolidated since the comments were written, leaving enough room to easily make this change without cause for concern. This patch effectively increases the total size of BPF maps from 3643K to 4077K, which remains beneath the 4930K used by the maps' pre-consolidation implementation.

    Issue: calyxos#1249
    Change-Id: I293f99ec498e4ccac98c39f298ba01ba554f2e33

* netd bpf program - use finer grained selinux privs, part 1  [Maciej Żenczykowski, 2022-06-20, 1 file, -12/+30]

    Make use of new BpfLoader functionality: per-map/program selinux context to further restrict access to mainline module shipped bpf maps and programs.

    Note: minor fixup during cherrypick to deal with lack of the required 4.14 patch in tm-dev.

    Bug: 218408035
    Test: booted on cuttlefish, TreeHugger
    Change-Id: Iaa33754aaca8bfafef6539abfbdd30b4cdfc4727
    Merged-In: Iaa33754aaca8bfafef6539abfbdd30b4cdfc4727
    (cherry picked from commit cae181d7773f15d78ce49ec0e839690e39270465)

* switch netd_configuration_map from hash map to array  [Maciej Żenczykowski, 2022-06-21, 2 files, -3/+8]

    This eliminates the need for netd_updatable BpfHandler.cpp to initialize the hash map with a zero.

    On startup the map will be freshly initialized and thus zero. On restart it might not be empty, but it doesn't matter to netd. Furthermore the mainline component of the system server will re-initialize it again anyway: see service/native/TrafficController.cpp initMaps()

    This does remove the ability to call deleteValue on a key, since that would always return -EINVAL, but since we don't currently do that, that's really a feature. (It does suggest though that we should have a BpfMapNonNullable class which is writeable, but without a deleteValue() function)

    Additionally BpfMap arrays are more efficient for the kernel bpf jit compiler, as - on newer kernels - it can optimize the read/write into a simple memory access (as opposed to a bpf helper call).

    Before:
    $ adb shell ls -l /sys/fs/bpf/netd_shared/map_netd_configuration_map
    -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:20 /sys/fs/bpf/netd_shared/map_netd_configuration_map

    After:
    $ adbz shell ls -l /sys/fs/bpf/netd_shared/map_netd_configuration_map
    -r--rw---- 1 root net_bw_acct 0 2022-06-16 15:03 /sys/fs/bpf/netd_shared/map_netd_configuration_map

    Bug: 218408035
    Bug: 235590615
    Test: TreeHugger
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: I21730e4fa22fbf0c94ab0ca5c5db03aa000b7680
    (cherry picked from commit b10e055f4b63ef5ae12585069481558b93ecd87f)
    Merged-In: I21730e4fa22fbf0c94ab0ca5c5db03aa000b7680
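Added example, not code from the Connectivity module or this log: the two kernel behaviours the preceding two entries lean on, checked directly through the raw bpf(2) syscall without libbpf. The "Argument list too long" that the firewall entry traces to a full uid_owner_map is errno E2BIG from BPF_MAP_UPDATE_ELEM on a hash map that already holds max_entries elements; the "deleteValue ... would always return -EINVAL" remark in the array entry is what BPF_MAP_DELETE_ELEM returns for an array map. The map sizes and the 10000+ uid range are constructed for the demonstration. Creating a map needs CAP_BPF (or unprivileged BPF left enabled) on Linux, so both functions return -1 when no map could be created instead of guessing an errno.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

/* Thin wrapper over the raw bpf(2) syscall (no libbpf dependency). */
static int sys_bpf(int cmd, union bpf_attr *attr) {
    return (int)syscall(__NR_bpf, cmd, attr, sizeof(*attr));
}

/* Create a u32 -> u32 map of the given type; returns the map fd or -1. */
static int map_create(uint32_t type, uint32_t max_entries) {
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.map_type = type;
    attr.key_size = sizeof(uint32_t);
    attr.value_size = sizeof(uint32_t);
    attr.max_entries = max_entries;
    return sys_bpf(BPF_MAP_CREATE, &attr);
}

static int map_update(int fd, uint32_t key, uint32_t value) {
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.map_fd = (uint32_t)fd;
    attr.key = (uint64_t)(uintptr_t)&key;
    attr.value = (uint64_t)(uintptr_t)&value;
    attr.flags = BPF_ANY;
    return sys_bpf(BPF_MAP_UPDATE_ELEM, &attr);
}

static int map_delete(int fd, uint32_t key) {
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.map_fd = (uint32_t)fd;
    attr.key = (uint64_t)(uintptr_t)&key;
    return sys_bpf(BPF_MAP_DELETE_ELEM, &attr);
}

/* Insert max_entries + 1 constructed app uids into a hash map sized for
 * max_entries and report the errno of the first failing update.
 * Returns -1 if the map could not be created (EPERM without CAP_BPF,
 * ENOSYS off Linux), otherwise the errno (0 if every insert succeeded).
 * Expected on Linux: E2BIG, which strerror() renders as
 * "Argument list too long", the message the firewall entry above calls misleading. */
int hash_map_overflow_errno(uint32_t max_entries) {
    int fd = map_create(BPF_MAP_TYPE_HASH, max_entries);
    if (fd < 0) return -1;
    int err = 0;
    for (uint32_t uid = 10000; uid <= 10000 + max_entries; uid++) {
        if (map_update(fd, uid, 1) < 0) { err = errno; break; }
    }
    close(fd);
    return err;
}

/* An array map has no notion of an absent slot, so deleting a key is
 * rejected with EINVAL: the reason the array-backed configuration map
 * above loses deleteValue(). Returns -1 if the map could not be created. */
int array_map_delete_errno(void) {
    int fd = map_create(BPF_MAP_TYPE_ARRAY, 2);
    if (fd < 0) return -1;
    int err = 0;
    if (map_delete(fd, 0) < 0) err = errno;
    close(fd);
    return err;
}
```

On a device the same check can be pointed at a pinned map by obtaining its fd with BPF_OBJ_GET on the /sys/fs/bpf path instead of creating a fresh one; that is the quickest way to confirm which map is the one returning E2BIG.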
* verify CLAT_MARK matches aidl constant.  [Maciej Żenczykowski, 2022-06-21, 2 files, -6/+34]

    Bug: 235778483
    Test: TreeHugger
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: Ife3ad35b2e5451727a3795a0e78dd820293c0eae
    (cherry picked from commit ce9108f01a3713a11a1831d36f60aaa5d169cf11)
    Merged-In: Ife3ad35b2e5451727a3795a0e78dd820293c0eae

* bpf_progs - eliminate netd.c dependency on UidConstants.h  [Maciej Żenczykowski, 2022-06-21, 2 files, -8/+4]

    Per Lorenzo's request on:
    https://android-review.googlesource.com/c/platform/packages/modules/Connectivity/+/2123888

    Bug: 218408035
    Bug: 235778483
    Test: TreeHugger
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: Id464fc2418efcb3764fae2a25c11fdda4439f411
    (cherry picked from commit b909d8af557105c33501c9e3318b696da9445e11)
    Merged-In: Id464fc2418efcb3764fae2a25c11fdda4439f411

* netd.c - reduce privs on maps  [Maciej Żenczykowski, 2022-06-21, 1 file, -17/+22]

    Before:
    $ adb shell ls -l /sys/fs/bpf/netd_shared/map_netd_*
    -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:17 /sys/fs/bpf/netd_shared/map_netd_app_uid_stats_map
    -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:17 /sys/fs/bpf/netd_shared/map_netd_configuration_map
    -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:17 /sys/fs/bpf/netd_shared/map_netd_cookie_tag_map
    -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:17 /sys/fs/bpf/netd_shared/map_netd_iface_index_name_map
    -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:17 /sys/fs/bpf/netd_shared/map_netd_iface_stats_map
    -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:17 /sys/fs/bpf/netd_shared/map_netd_stats_map_A
    -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:17 /sys/fs/bpf/netd_shared/map_netd_stats_map_B
    -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:17 /sys/fs/bpf/netd_shared/map_netd_uid_counterset_map
    -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:17 /sys/fs/bpf/netd_shared/map_netd_uid_owner_map
    -rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:17 /sys/fs/bpf/netd_shared/map_netd_uid_permission_map

    After:
    $ adb shell ls -l /sys/fs/bpf/netd_shared/map_netd_*
    ----rw---- 1 root net_bw_acct 0 2022-06-13 18:17 /sys/fs/bpf/netd_shared/map_netd_app_uid_stats_map
    -rw-rw---- 1 root net_bw_acct 0 2022-06-13 18:17 /sys/fs/bpf/netd_shared/map_netd_configuration_map
    -rw-rw---- 1 root net_bw_acct 0 2022-06-13 18:17 /sys/fs/bpf/netd_shared/map_netd_cookie_tag_map
    ----rw---- 1 root net_bw_acct 0 2022-06-13 18:17 /sys/fs/bpf/netd_shared/map_netd_iface_index_name_map
    ----rw---- 1 root net_bw_acct 0 2022-06-13 18:17 /sys/fs/bpf/netd_shared/map_netd_iface_stats_map
    -rw-rw---- 1 root net_bw_acct 0 2022-06-13 18:17 /sys/fs/bpf/netd_shared/map_netd_stats_map_A
    -r--rw---- 1 root net_bw_acct 0 2022-06-13 18:17 /sys/fs/bpf/netd_shared/map_netd_stats_map_B
    ----rw---- 1 root net_bw_acct 0 2022-06-13 18:17 /sys/fs/bpf/netd_shared/map_netd_uid_counterset_map
    ----rw---- 1 root net_bw_acct 0 2022-06-13 18:17 /sys/fs/bpf/netd_shared/map_netd_uid_owner_map
    -rw-rw---- 1 root net_bw_acct 0 2022-06-13 18:17 /sys/fs/bpf/netd_shared/map_netd_uid_permission_map

    Access required is based on list of maps at netd/BpfHandler.h:62
      BpfMap<uint64_t, UidTagValue> mCookieTagMap;
      BpfMap<StatsKey, StatsValue> mStatsMapA;
      BpfMap<StatsKey, StatsValue> mStatsMapB;
      BpfMap<uint32_t, uint32_t> mConfigurationMap;
      BpfMap<uint32_t, uint8_t> mUidPermissionMap;

    Note that this is still just a first stab at things. The only one which should really be writable is mCookieTagMap, but that's for follow ups as it gets real difficult to switch due to the tests and BpfMap vs BpfMapRO inheritance inversion.

    Additionally due to netd being root with CAP_DAC_OVERRIDE, this change is really a no-op, and will be until we add proper per map selinux contexts. So it is in a sense only a documentation of intent change...

    Bug: 218408035
    Test: TreeHugger
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: I86f3028251818c2025503839c7225d07a2943ed0
    (cherry picked from commit a4a58a3be2b106043a096b069e8fbcec86cce7c7)
    Merged-In: I86f3028251818c2025503839c7225d07a2943ed0

* bpf programs: switch from integers to #define'd bpfloader versions  [Maciej Żenczykowski, 2022-06-21, 6 files, -12/+12]

    (per request from Lorenzo)

    We do bump block/clatd/dscp_policy requirements from 0.12 to 0.13, but this effectively doesn't matter:
    - Beta2 is too old either way (pre-0.12)
    - Beta3 is new enough (0.13)
    - versions in between are simply obsolete / unused / not important
    - bpfloader 0.12 won't boot right anyway due to lack of netd maps/programs (which cause a netd startup failure)

    This allows us to have one less #define in the header files, with a hard to write explanation about what exactly v0.12 is (or was).

    Bug: 218408035
    Test: TreeHugger
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: I1ecf15f9d7abbb82ec6bd49848255fab6a41aed4
    (cherry picked from commit f769952212aa081c9f9c77cb264dedaeefd5bcda)
    Merged-In: I1ecf15f9d7abbb82ec6bd49848255fab6a41aed4
* Merge "fix minor whitespace nit" into tm-dev  [Maciej Żenczykowski, 2022-06-16, 1 file, -1/+1]

  * fix minor whitespace nit  [Maciej Żenczykowski, 2022-06-16, 1 file, -1/+1]

    Test: N/A
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: If472cdec22b04f605f40b680c907a3384dce3cdc
    (cherry picked from commit fa2b1dc6b00bb22fb0869589b47ebe25a246c3ad)
    Merged-In: If472cdec22b04f605f40b680c907a3384dce3cdc

* move XtBpfProgLocations.h into a new header library  [Maciej Żenczykowski, 2022-06-16, 2 files, -3/+3]

    Bug: 235778483
    Test: TreeHugger
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: Ia5e3c72e65cee17ef67907008d8fe6d4e47050de
    (cherry picked from commit 200d372dc9c023c3fec69d260305f0079be8944b)
    Merged-In: Ia5e3c72e65cee17ef67907008d8fe6d4e47050de

* assert that xt_bpf programs match Android T netd's expectations  [Maciej Żenczykowski, 2022-06-15, 3 files, -29/+47]

    Bug: 235778483
    Test: TreeHugger
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: Ic0029063e4dbbf1b2cce7d7ca86a017a1c56f072
    (cherry picked from commit 1205737641d428c367fab896f41a905eee254c4c)
    Merged-In: Ic0029063e4dbbf1b2cce7d7ca86a017a1c56f072

* remove no longer needed bpf_connectivity headers visibility  [Maciej Żenczykowski, 2022-06-15, 1 file, -3/+0]

    Bug: 235778483
    Test: TreeHugger
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: I3829ba49e453918bfcbae2e07dd2aea2b81e12bf
    (cherry picked from commit 5f5d2e2c10e5e463fc0b111bc5dc4b273c7c6092)
    Merged-In: I3829ba49e453918bfcbae2e07dd2aea2b81e12bf

* Add 3rd deny firewall chain for OEM  [Motomu Utsumi, 2022-06-07, 2 files, -0/+4]

    Bug: 208371987
    Test: atest CtsNetTestCases:android.net.cts.ConnectivityManagerTest#testFirewallBlocking ConnectivityServiceTest
    Change-Id: Ib521fa02f6a19270cb88a3d85321bda822516c78
    (cherry picked from commit 1d9054ba5fbbf86c821e0a74a5a2f9d3c9865e67)
    Merged-In: Ib521fa02f6a19270cb88a3d85321bda822516c78

* Add deny firewall chain for OEM  [Motomu Utsumi, 2022-06-03, 2 files, -0/+8]

    Bug: 207773349
    Bug: 208371987
    Test: atest CtsNetTestCases:android.net.cts.ConnectivityManagerTest#testFirewallBlocking --iterations 50 && atest ConnectivityServiceTest --iterations 10
    Change-Id: I60d5540821abcced03356f366775f16ee369d7f9
    (cherry picked from commit d980149817948d11de0631caee8aee3172e4e159)
    Merged-In: I60d5540821abcced03356f366775f16ee369d7f9
* Support more than 8 firewall chains / match types.  [Lorenzo Colitti, 2022-06-01, 2 files, -5/+7]

    In the BPF code, per-UID network access (e.g., for doze mode, standby, etc.) is stored in UidOwnerValue structures. Each of these stores that UID's rules in a 32-bit bitmask of UidOwnerMatchType values, so the code can support ~31 match types.

    However, which match types are enabled is stored in configuration_map at index UID_RULES_CONFIGURATION_KEY, and configuration_map only stores 8-bit values. So it's not possible to define more than 7 match types.

    Widen configuration_map from 8 to 32 bits to match the width of UidOwnerValue.rule. This doesn't impact memory because configuration_map only has 2 entries.

    Bug: 208371987
    Test: TreeHugger
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: I7e1eee2daedd66d27965a2dd4ce6b4c3667892f7
    (cherry picked from commit 60cbed385dcf3c640674c48b7cd4d60967047cf0)
    Merged-In: I7e1eee2daedd66d27965a2dd4ce6b4c3667892f7

* add proper minimum bpfloader version annotations for block/clatd/dscp_policy/netd  [Maciej Żenczykowski, 2022-05-19, 4 files, -0/+12]

    In practice this doesn't actually really matter, since older versions of the bpfloader won't even look in the relevant directories:

    BpfLoader v0.9 is the first one that looks into '/apex/com.android.tethering/etc/bpf/net_shared', but it is only v0.12 that pins the resulting programs and maps correctly into /sys/fs/bpf/net_shared/ hence the annotations for block/clatd/dscp_policy.

    BpfLoader v0.13 is the first one that looks into '/apex/com.android.tethering/etc/bpf/netd_shared' subdirectory and pins into /sys/fs/bpf/netd_shared/ hence the annotation for netd.

    But it's best to explicitly document the intent.

    Note that in practice the mainline module will fail spectacularly on a T OS if it can't find the programs and maps (presumably due to the bpfloader being too old) but will work on S even though the bpfloader there is much older, because these programs/maps are not required on pre-T OS.

    This change is thus really only documentation.

    Bug: 218408035
    Test: TreeHugger
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: I5ffa2faf83ca337b84e34b01df84436629989c58
    (cherry picked from commit acebffb966ddfedbc9e2a73f47940fefbdfeed73)
    Merged-In: I5ffa2faf83ca337b84e34b01df84436629989c58

* move netd maps and progs into /sys/fs/bpf/netd_shared/...  [Maciej Żenczykowski, 2022-05-19, 2 files, -27/+29]

    (out of current /sys/fs/bpf/net_shared/...)

    This will allow genfscon regexp changes in a followup selinux commit.

    Note that this has a hard dependency on system/bpf change 'bpfloader: add support for netd_shared and net_private subdirs' which also bumps bpfloader to v0.13. This was merged May 12, 2022 (into both aosp/master and tm-dev) and it is in Android T starting with Beta 3 release.

    This isn't really an issue since amusingly T Beta 2 is already incompatible with current mainline releases due to the snap reverting a previous required bpfloader system/bpf change: move net_shared bpf programs into net_shared subdirectory

    See: http://b/232050459#comment14

    So this doesn't break T Beta1/2, since they already don't work, and Beta3 will work.

    Bug: 218408035
    Test: TreeHugger
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: Id5f14d6e3f11cfe35d9d8a9496548a2bc4d022ec
    (cherry picked from commit 6d116d0f38196625d205e8c76a17b01b61fff246)
    Merged-In: Id5f14d6e3f11cfe35d9d8a9496548a2bc4d022ec

* dscp_policy - use a more efficient v6_equal()  [Maciej Żenczykowski, 2022-05-19, 1 file, -6/+5]

    This is meant to optimize dscp_policy bpf verifier time at boot.

    Bug: 230585250
    Test: TreeHugger
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: I1ecd61db80919e2fa1fcbac00348f10a80b77620
    (cherry picked from commit 3fc472dd394c08bb05265bbdce964ec257229c10)
    Merged-In: I1ecd61db80919e2fa1fcbac00348f10a80b77620

* Block incoming packets in VPN Lockdown mode.  [Motomu Utsumi, 2022-05-17, 2 files, -3/+11]

    Currently, even when VPN Lockdown mode is enabled, incoming packets are not dropped if VPN is not connected. This commit fixes this issue. After this commit, if VPN Lockdown mode is enabled, incoming packets are dropped regardless of the VPN connectivity.

    Bug: 206482423
    Test: atest TrafficControllerTest ConnectivityServiceTest PermissionMonitorTest
    Change-Id: If52ece613c8aac1073355e43b6fb9cb3fcc87d1d
    (cherry picked from commit b08654ca0450d021da709a762ab509a8d4f87d40)
    Merged-In: If52ece613c8aac1073355e43b6fb9cb3fcc87d1d

* Support 32 match types in UidOwnerValue rule  [Motomu Utsumi, 2022-05-17, 1 file, -1/+1]

    Match type is also used in configuration_map at index UID_RULES_CONFIGURATION_KEY. However, this commit does not extend configuration_map and we still cannot use more than 8 match types in configuration_map.

    Bug: 206482423
    Test: m
    Change-Id: I0f20cc8034551806b5cb3da322a0ea7861983095
    (cherry picked from commit 42edc60627899989335dafa568f6bf724ea1a104)
    Merged-In: I0f20cc8034551806b5cb3da322a0ea7861983095
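Added example, written for this log rather than taken from the module's netd.c, of the bitmask scheme that the "Support more than 8 firewall chains / match types." and "Support 32 match types in UidOwnerValue rule" entries above describe: each firewall chain is one bit, the per-UID rule word in the UID owner map records which chains list that UID, and a separate configuration value records which chains are currently enabled. The chain names, their bit positions, the allow-list versus deny-list split, and the iif field in the value struct are assumptions for illustration, not the module's UidOwnerMatchType values. The last function shows the failure mode the widening fixes: an enabled-set written through an 8-bit value silently drops any chain at bit 8 or above, so a UID placed in such a chain is never blocked, even though the 32-bit rule word can represent it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed match types, one bit per firewall chain. Names and bit
 * positions are illustrative, not the module's UidOwnerMatchType values. */
enum match_type {
    HAPPY_BOX_MATCH         = 1u << 0,  /* allow-list chain */
    PENALTY_BOX_MATCH       = 1u << 1,  /* deny-list chain  */
    DOZABLE_MATCH           = 1u << 2,  /* allow-list */
    STANDBY_MATCH           = 1u << 3,  /* deny-list  */
    POWERSAVE_MATCH         = 1u << 4,  /* allow-list */
    RESTRICTED_MATCH        = 1u << 5,  /* allow-list */
    LOW_POWER_STANDBY_MATCH = 1u << 6,  /* allow-list */
    OEM_DENY_1_MATCH        = 1u << 7,  /* deny-list  */
    OEM_DENY_2_MATCH        = 1u << 8,  /* deny-list: first bit an 8-bit config value cannot hold */
    OEM_DENY_3_MATCH        = 1u << 9,  /* deny-list  */
};

#define ALLOWLIST_CHAINS (HAPPY_BOX_MATCH | DOZABLE_MATCH | POWERSAVE_MATCH | \
                          RESTRICTED_MATCH | LOW_POWER_STANDBY_MATCH)
#define DENYLIST_CHAINS  (PENALTY_BOX_MATCH | STANDBY_MATCH | OEM_DENY_1_MATCH | \
                          OEM_DENY_2_MATCH | OEM_DENY_3_MATCH)

/* Per-UID map value: a 32-bit rule bitmask, as in UidOwnerValue.rule.
 * The iif field is an assumption about the struct's other contents. */
struct uid_owner_value {
    uint32_t iif;
    uint32_t rule;
};

/* Decide whether a uid's traffic is blocked given which chains are enabled.
 *   allow-list chain: blocks every uid that is NOT listed (bit clear)
 *   deny-list chain:  blocks every uid that IS listed   (bit set)
 * A uid with no map entry (v == NULL) carries no bits. */
bool uid_blocked(uint32_t enabled_chains, const struct uid_owner_value *v) {
    uint32_t rule = v ? v->rule : 0;
    if ((enabled_chains & ALLOWLIST_CHAINS) & ~rule) return true;
    if ((enabled_chains & DENYLIST_CHAINS) & rule) return true;
    return false;
}

/* Model of writing the enabled set into the configuration map with the old
 * 8-bit value type versus the widened 32-bit one. The narrow store is where
 * chains at bit 8 and above disappear. */
uint32_t store_config_u8(uint32_t enabled)  { return (uint8_t)enabled; }
uint32_t store_config_u32(uint32_t enabled) { return enabled; }

/* Enable exactly one chain, put one uid in it, and ask whether that uid
 * is blocked. For a deny-list chain the answer should be true; with the
 * 8-bit config it is false for every chain from OEM_DENY_2_MATCH up. */
bool chain_blocks_listed_uid(enum match_type chain, bool widened_config) {
    uint32_t stored = widened_config ? store_config_u32(chain) : store_config_u8(chain);
    struct uid_owner_value v = { .iif = 0, .rule = chain };
    return uid_blocked(stored, &v);
}
```

The check worth carrying over to real code is the last one: whenever a new chain is added, assert that its bit survives a round trip through the configuration map's value type, because the per-UID side will accept the bit either way and nothing else fails loudly.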
* remove unused #defines  [Maciej Żenczykowski, 2022-05-09, 1 file, -53/+0]

    Test: TreeHugger
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: Ifa1b254db3def23f06c0013182b6c6df627745e5
    (cherry picked from commit 6e9ab78727cc229cb3f2b38e1d35e4f2fa61c115)
    Bug: 232017472
    Merged-In: Ifa1b254db3def23f06c0013182b6c6df627745e5

* remove _mainline suffix from {clatd,netd}.o_mainline targets  [Maciej Żenczykowski, 2022-05-09, 1 file, -2/+2]

    this hack is no longer needed now that duplicate target in system/netd is no longer an issue due to automerger to sc-mainline-prod being turned off

    Test: TreeHugger
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: Id2c1dfac3bc4e6a8f5376a41ca2d1432b838da38
    (cherry picked from commit d72a5a7a7007e8b0004bb9d2c82ffed52659ddf2)
    Bug: 232017472
    Merged-In: Id2c1dfac3bc4e6a8f5376a41ca2d1432b838da38

* funky workaround to make things load on 4.14 bpf verifier  [Maciej Żenczykowski, 2022-05-08, 1 file, -82/+100]

    Mostly this is cut-and-paste of bottom half of do_forward4 function into a separate function to force the compiler to emit two differently optimized versions of the code based on whether is_tcp is true or false.

    Bug: 230359047
    Test: TreeHugger, manually on flame
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: I9e3e195ba601daaac2e0c9a70fad170a8fb4d921
    (cherry picked from commit f72c8aa5c3f1c30c3329b6540f03f06cfa1b383d)
    Merged-In: I9e3e195ba601daaac2e0c9a70fad170a8fb4d921

* adjust for new T bpfloader net_shared location  [Maciej Żenczykowski, 2022-04-23, 1 file, -1/+1]

    (this is safe because on pre-T none of these maps and programs are mainlined and thus safe to access from mainline code anyway)

    Test: TreeHugger, manual
    Bug: 218408035
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: I23e565d665247f33e084978890a1ee8ffe0fe568

* Merge "Add IPv6 Handling for DSCP Policies and Support Interfaces with MAC Addresses"  [Lorenzo Colitti, 2022-04-16, 2 files, -202/+319]

  * Add IPv6 Handling for DSCP Policies and Support Interfaces with MAC Addresses  [Tyler Wear, 2022-04-15, 2 files, -202/+319]

    Add bpf functionality to handle IPv6 packets and apply DSCP value. Also support DSCP policy rules on multiple interfaces simultaneously.

    Test: atest DscpPolicyTest
    Bug: 217166486
    Change-Id: I452a87355fd0382a4c38b84aa3465505951d9bf0

* rename try_make_readable() to try_make_writable()  [Maciej Żenczykowski, 2022-04-11, 3 files, -6/+7]

    In practice this function makes things readable and writable, so use a less confusing name.

    Test: TreeHugger, 'git grep try_make_readable' comes up empty
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: I32faad148cc5714cf0ec7246620376ed4dd3d6d2

* clatd bpf - add try_make_readable() of the ethernet/ip header  [Maciej Żenczykowski, 2022-04-07, 1 file, -9/+18]

    We now rely on the skb->mark = 0xDeadC1a7 setting side effect for non offloadable packets, but for this to work reliably, we *must* be able to read the ip header.

    Test: TreeHugger, and on a gs101-based pixel
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: Ic2b15335099404047d136a92ce7aeeb1f11ccfa3
* Set mark on non-offloaded ingress clat traffic  [Hungming Chen, 2022-04-07, 1 file, -12/+28]

    As per Maze@'s advice, we add a clat mark to clat packets in ingress bpf and drop the duplicate packets in iptables via mark match.

    Bug: 218407445
    Test: manual test with unmerged aosp/1951099

    0. Connect to IPv6-only wifi

    1. Clatd test: ping 5 times and check that iptables drop 5 packets by mark 0xdeadc1a7.

    $ adb shell ping 8.8.8.8
    ..
    64 bytes from 8.8.8.8: icmp_seq=4 ttl=120 time=14.3 ms
    64 bytes from 8.8.8.8: icmp_seq=5 ttl=120 time=67.4 ms

    $ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
    Chain bw_raw_PREROUTING (1 references)
     pkts bytes target prot opt in out source destination
        5   520 DROP   all  any any anywhere anywhere mark match 0xdeadc1a7
        0     0 RETURN all  ipsec+ any anywhere anywhere
        0     0 RETURN all  any any anywhere anywhere policy match dir in pol ipsec
     1661 1239K        all  any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf

    2. Bpf test: run iperf to an IPv4 server and iptables doesn't see offloaded packet with mark 0xdeadc1a7. Drop packet count (5) is unchanged.

    $ adb shell iperf3 -4 -c 117.102.109.186 -t1
    Connecting to host 117.102.109.186, port 5201
    [  5] local 192.0.0.4 port 56242 connected to 117.102.109.186 port 5201
    [ ID] Interval           Transfer     Bitrate         Retr  Cwnd
    [  5]   0.00-1.00   sec   622 KBytes  5.09 Mbits/sec    0   44.0 KBytes
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [ ID] Interval           Transfer     Bitrate         Retr
    [  5]   0.00-1.00   sec   622 KBytes  5.09 Mbits/sec    0             sender
    [  5]   0.00-1.00   sec   201 KBytes  1.64 Mbits/sec                  receiver

    $ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
    Chain bw_raw_PREROUTING (1 references)
     pkts bytes target prot opt in out source destination
        5   520 DROP   all  any any anywhere anywhere mark match 0xdeadc1a7
        0     0 RETURN all  ipsec+ any anywhere anywhere
        0     0 RETURN all  any any anywhere anywhere policy match dir in pol ipsec
     1804 1280K        all  any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf

    3. Enable USB tethering. Do ping and iperf on tethered client.

    4. Clatd test: ping 5 times and check that iptables drop 5 packets (count from 5 to 10) by mark 0xdeadc1a7.

    $ ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    ..
    64 bytes from 8.8.8.8: icmp_seq=4 ttl=119 time=13.7 ms
    64 bytes from 8.8.8.8: icmp_seq=5 ttl=119 time=15.9 ms

    $ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
    Chain bw_raw_PREROUTING (1 references)
     pkts bytes target prot opt in out source destination
       10  1040 DROP   all  any any anywhere anywhere mark match 0xdeadc1a7
        0     0 RETURN all  ipsec+ any anywhere anywhere
        0     0 RETURN all  any any anywhere anywhere policy match dir in pol ipsec
     1900 1298K        all  any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf

    5. Bpf test: run iperf to an IPv4 server and iptables doesn't see offloaded packet with mark 0xdeadc1a7. Drop packet count (10) is unchanged.

    $ iperf3 -4 -c 117.102.109.186 -t1
    Connecting to host 117.102.109.186, port 5201
    [  5] local 192.168.235.233 port 41602 connected to 117.102.109.186 port 5201
    [ ID] Interval           Transfer     Bitrate         Retr  Cwnd
    [  5]   0.00-1.00   sec  3.19 MBytes  26.8 Mbits/sec    0    369 KBytes
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [ ID] Interval           Transfer     Bitrate         Retr
    [  5]   0.00-1.00   sec  3.19 MBytes  26.8 Mbits/sec    0             sender
    [  5]   0.00-1.00   sec  2.58 MBytes  21.7 Mbits/sec                  receiver

    $ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
    Chain bw_raw_PREROUTING (1 references)
     pkts bytes target prot opt in out source destination
       10  1040 DROP   all  any any anywhere anywhere mark match 0xdeadc1a7
        0     0 RETURN all  ipsec+ any anywhere anywhere
        0     0 RETURN all  any any anywhere anywhere policy match dir in pol ipsec
     1978 1320K        all  any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf

    Change-Id: I180206bb15a1362c678f42fb980b60dfed6ce1ab
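Added example, not the module's clatd.c, of the ingress pattern that the "Set mark on non-offloaded ingress clat traffic" and "clatd bpf - add try_make_readable() of the ethernet/ip header" entries above rely on. Before the program can read the IPv6 header, decide whether a packet is offloadable, and set skb->mark = 0xDeadC1a7 on the ones it will not translate, it has to prove to the verifier that the Ethernet and IPv6 headers lie inside [data, data_end). This user-space model keeps the same shape: a readable() check gates every header read, a frame that fails the check is passed through untouched (the unreliable case the try_make_readable entry closes, because an unmarked packet escapes the mark-match DROP rule), and the offloadable split is simplified to TCP/UDP versus everything else, which is an assumption for this example; the real program also matches the CLAT prefix and handles more cases. The frames are constructed in the block, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HLEN       14
#define ETH_P_IPV6     0x86DD
#define IPV6_HLEN      40
#define IPPROTO_TCP    6
#define IPPROTO_UDP    17
#define IPPROTO_ICMPV6 58
#define CLAT_MARK      0xDeadC1a7u   /* the mark value named in the entries above */

enum verdict {
    VERDICT_PASS_UNMARKED = 0,  /* not ours, or headers unreadable: left untouched */
    VERDICT_PASS_MARKED   = 1,  /* CLAT candidate we will not translate: marked for iptables */
    VERDICT_OFFLOAD       = 2,  /* would be translated in-kernel */
};

/* Minimal stand-in for the sk_buff fields a tc/BPF program sees. */
struct skb {
    const uint8_t *data;
    const uint8_t *data_end;
    uint32_t mark;
};

/* The bounds check the verifier demands before any packet read:
 * [off, off+len) must be provably inside [data, data_end). */
static int readable(const struct skb *skb, size_t off, size_t len) {
    return (size_t)(skb->data_end - skb->data) >= off + len;
}

enum verdict clat_ingress(struct skb *skb) {
    if (!readable(skb, 0, ETH_HLEN)) return VERDICT_PASS_UNMARKED;
    uint16_t ethertype = (uint16_t)((skb->data[12] << 8) | skb->data[13]);
    if (ethertype != ETH_P_IPV6) return VERDICT_PASS_UNMARKED;

    /* Without this the verifier rejects the program; and any early exit that
     * skips it also skips the mark, which is why the header must be readable
     * for the iptables dedup rule to be reliable. */
    if (!readable(skb, ETH_HLEN, IPV6_HLEN)) return VERDICT_PASS_UNMARKED;
    const uint8_t *ip6 = skb->data + ETH_HLEN;
    if ((ip6[0] >> 4) != 6) return VERDICT_PASS_UNMARKED;
    uint8_t nexthdr = ip6[6];

    /* Assumption for this example: only TCP and UDP are offloadable. */
    if (nexthdr != IPPROTO_TCP && nexthdr != IPPROTO_UDP) {
        skb->mark = CLAT_MARK;   /* let the mark-match DROP rule catch the duplicate */
        return VERDICT_PASS_MARKED;
    }
    return VERDICT_OFFLOAD;
}

struct result { enum verdict verdict; uint32_t mark; };

enum frame_kind { FRAME_TCP, FRAME_ICMPV6, FRAME_TRUNCATED, FRAME_IPV4 };

/* Builds a constructed Ethernet+IPv6 frame (not captured traffic) and runs it
 * through clat_ingress(). FRAME_TRUNCATED cuts the frame inside the IPv6 header. */
struct result example_frame(enum frame_kind kind) {
    uint8_t frame[ETH_HLEN + IPV6_HLEN];
    memset(frame, 0, sizeof frame);
    uint16_t ethertype = (kind == FRAME_IPV4) ? 0x0800 : ETH_P_IPV6;
    frame[12] = (uint8_t)(ethertype >> 8);
    frame[13] = (uint8_t)(ethertype & 0xff);
    frame[ETH_HLEN] = 0x60;                                        /* IPv6, no traffic class */
    frame[ETH_HLEN + 6] = (kind == FRAME_TCP) ? IPPROTO_TCP : IPPROTO_ICMPV6;
    size_t len = (kind == FRAME_TRUNCATED) ? 20 : sizeof frame;

    struct skb skb = { frame, frame + len, 0 };
    struct result r = { clat_ingress(&skb), skb.mark };
    return r;
}
```

The truncated case is the one to keep in mind when reading the verifier's complaints: it is not only a load-time requirement, it defines which packets reach the marked path at runtime.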
* Vendor AIDL interface for port blocking via eBPF  [Tyler Wear, 2022-03-25, 2 files, -0/+81]

    New Connectivity Service exposed to vendor for restricting certain ports for use only in vendor.

    Bug: 179733303
    Change-Id: Iad9aff6924498ede5a08cfa5482082f094c0a90b

* only account for ingress packets addressed to us  [Patrick Rohr, 2022-02-24, 1 file, -3/+5]

    Test: builds && boots
    Change-Id: I06c537dc1488e7f36e474760ab49dc299347003d

* Merge "BpfBitmap Test"  [Maciej Żenczykowski, 2022-02-18, 1 file, -0/+3]

  * BpfBitmap Test  [Tyler Wear, 2022-02-15, 1 file, -0/+3]

    Privileged test case for BpfBitmap.

    Test: atest BpfBitmapTest
    Bug: 179733303
    Change-Id: I9c32d8843176815a725eccfd1f0400ec129cd94d

* Change gid of cgroupskb/<ingress|egress>/stats  [Ken Chen, 2022-02-09, 1 file, -2/+2]

    Change gid of BPF programs from AID_ROOT to AID_SYSTEM because system_server needs to access them.

    Bug: 202086915
    Test: test in Ib0e935ee2b714ac61daceba6d13fa7a20f97f68f
    Change-Id: I8c0019f141414994aad2986cc5dfdb7dd027a36a

* Implement Low Power Standby packet filtering in BPF program  [Robert Horvath, 2022-02-02, 2 files, -1/+5]

    Bug: 190822356
    Test: atest NetworkManagementServiceTest
    Change-Id: I664414fbb744a118d4d0fea4ed91680bb38efe07

* [NETD-BPF#19] Mainline part of bpf code from netd  [Ken Chen, 2022-01-30, 1 file, -0/+1]

    1. Add libnetd_updatable.so in com.android.tethering. The library is loaded by netd. Currently, it mainly targets a few functions which access BPF maps. The functionality may extend in the future.
    2. Attach cgroup progs from libnetd_updatable.so.
    3. Move (privileged)TagSocket and untagSocket implementation to mainline module. Combine privilegedTagSocket and untagSocket into a single function.
    4. Split related unit tests from netd_unit_test to libnetd_updatable_unit_test as well.

    Bug: 202086915
    Test: cd system/netd; atest
    Test: atest TrafficStatsTest NetworkUsageStatsTest
    Change-Id: Ib556458103a4cbb643c1342d9b689ac692160de0

* Process DSCP QoS events for policies  [Tyler Wear, 2022-01-27, 2 files, -0/+291]

    New events to handle adding and removing of DSCP QoS policies. Async indication sends status back to client if the policy has been added, failed, or if the policy limit has been reached.

    Bug: 202871011
    Change-Id: I7988d22ae625ad0dd415927d2943de4a749e6fb8

* Merge changes from topic "libnetworkstats"  [Maciej Żenczykowski, 2022-01-25, 3 files, -3/+2]

    * changes:
      Rename libnetdbpf to libnetworkstats
      Copy libnetdbpf from system/net to tethering module

  * Rename libnetdbpf to libnetworkstats  [Ken Chen, 2022-01-24, 3 files, -3/+2]

    Two reasons for renaming:
    1. Avoid module name collision in sc-mainline-prod branch.
    2. The libnetdbpf was misnamed before.

    Bug: 202086915
    Test: atest libnetworkstats_test FrameworksNetTests ConnectivityCoverageTests FrameworksNetSmokeTests CtsAppOpsTestCases
    Change-Id: I87fcf4b1a9d58780a45743a9aa91b9b936e54266

* Merge changes from topic "configure_bpf_for_clat"  [Maciej Żenczykowski, 2022-01-24, 1 file, -0/+1]

    * changes:
      [CLATJ#20] ClatdCoordinator: stop bpf for clat
      [CLATJ#19] ClatdCoordinator: configure bpf for clat
      [CLATJ#18] libclat: move clat tc and bpf utils from netd
      [CLATJ#17] bpf_connectivity_headers visible to libclat

  * [CLATJ#17] bpf_connectivity_headers visible to libclat  [Hungming Chen, 2022-01-22, 1 file, -0/+1]

    Needed because ClatdController and clatd binary are moved into apex. libclat is used for accessing BPF map.

    Bug: 212345928
    Test: build
    Change-Id: I1be5d4c9cc2c9865ac99f2595443e54e7334c843

* [NETD-TC#11] Make TrafficController as libtraffic_controller into Tethering module.  [Wayne Ma, 2022-01-22, 1 file, -0/+1]

    Delete tagSocket(), privilegedTagSocket() and untagSocket() since they are moved out of TrafficController in aosp/1849156.

    Bug: 202086915
    Test: m; flash; boot;
    Change-Id: Ifeaeb060fbf1add9f06748e7846b9e11e0345bda

* move clatd.c bpf program to mainline  [Maciej Żenczykowski, 2022-01-20, 2 files, -0/+335]

    Test: TreeHugger
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: I7e88fcc34c21695e844d607836df4661790cba03

* Move netd.c to Tethering module  [Ken Chen, 2022-01-21, 2 files, -0/+405]

    This is a clean move. The content of netd.c is not changed. The object name is still netd.o. But the module name is renamed to netd.o_mainline to avoid name collision in sc-mainline-prod branch.

    Modified Android.bp according to the file location. The sub_dir is newly specified. The object file will be compiled to:
    - apex/com.android.tethering/etc/bpf/net_shared/netd.o

    The extracted programs and maps will be in:
    - sys/fs/bpf/net_shared/

    The netd.o will not be loaded in pre-T because the bpfloader before T does not load objects from paths other than:
    - apex/com.android.tethering/etc/bpf/
    - /system/etc/bpf/

    Bug: 202086915
    Test: cd system/netd; atest
    Test: atest TrafficStatsTest NetworkUsageStatsTest
    Change-Id: I5281c851341f9258a37d8aad6da4196c06342940

* bpf_connectivity_headers -> bpf_headers -> bpf_syscall_wrappers  [Maciej Żenczykowski, 2021-12-28, 1 file, -0/+2]

    Test: TreeHugger
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Change-Id: I5db6285add895edf9354e98d9dffc8343ee4b259

* [NETD-BPF#4] Move bpf_shared.h from netd to module  [Ken Chen, 2021-11-23, 2 files, -1/+221]

    The header file is referenced by the part going to be mainlined in Netd. Note that some platform visibility is required with this commit, since users of bpf_shared.h are currently located in platform. The visibility can be removed when all users are moved out of platform.

    Bug: 202086915
    Test: m; flash; boot
    Test: cd system/netd && atest
    Test: cd packages/modules/Connectivity && atest
    Test: atest FrameworksNetTests
    Change-Id: I5c16511b6a2d4eb80dfd93157cbc98d5030bd5ac

* [NETD-BPF#3] Relocate Tethering/bpf_progs and rename bpf_tethering_headers  [Ken Chen, 2021-11-20, 5 files, -0/+1247]

    The folder is currently used by tether offload only. Because we will move netd.c and clatd.c to it, the folder should be moved to the upper tier. Also, rename bpf_tethering_headers to bpf_connectivity_headers so that other connectivity code besides tethering is justified to use it.

    Bug: 202086915
    Test: atest FrameworksNetTests
    Change-Id: I95943c6e909f1fdca12604ef0c55d67c39ca686b
The folder is currently used by tether offload only. Because we will move netd.c and clatd.c to it, the folder should be moved to the upper tier. Also, rename bpf_tethering_headers to bpf_connectivity_headers so that other connectivity code besides to tethering are justified to use it. Bug: 202086915 Test: atest FrameworksNetTests Change-Id: I95943c6e909f1fdca12604ef0c55d67c39ca686b