summaryrefslogtreecommitdiff
path: root/server/RouteController.cpp
Commit message (Collapse)AuthorAgeFilesLines
...
| * Change RouteController from free functions/members to class functions.Lorenzo Colitti2017-11-241-27/+32
| | | | | | | | | | | | | | | | In a future change, this will make it more explicit which bits of state (e.g., locks) are part of the class and which are not. Test: netd_{unit,integration}_test passes Change-Id: Iff5a202cdcb26a7b6039dd95655cc2c26592fc36
* | [ipsec-qtaguid] Reserve mark, add ipsec bw exemptionsBenedict Wong2017-12-151-3/+5
| | | | | | | | | | | | | | | | | | | | | | | | This change reserves a mark denoting that a packet has already been accounted for, along with adding rules in BandwidthController to support IPSec packets being billed correctly. Bug: 62994731 Test: BandwidthControllerTest updated, passing. CTS tests also modified and passing Change-Id: I8b42975d1502a0d3b9e533bddc0892cfe1556bed
* | Don't create rules with NLM_F_EXCL.Lorenzo Colitti2017-11-301-3/+2
|/ | | | | | | | | | | | | | | | | | | | Some operations, such as changing a network's permissions, rely on make-before-break, and in some cases create rules that are identical to the ones that already exist. Starting around 4.9, the kernel fails these operations with EEXIST. We can't just ignore the EEXISTs because if we get EEXIST it means that the rule was not created, but we'll think it was, and later on we'll trip up trying to delete it. It would be possible to refactor the code to ensure that these no-op operations are never performed, but we would probably have to pass a lot more state around to deal with only a few corner cases. Fix: 69607866 Test: builds Change-Id: I1b563243b615daa73a2d9f527f77608df1f56251
* Don't look up the main table any more.Lorenzo Colitti2017-09-271-22/+1
| | | | | | | | | | | | | After https://android-review.googlesource.com/#/c/481397/ , directly-connected routes for all network types are added to the correct routing tables by ConnectivityService. So there should be no reason to look up the main table. Bug: 28825988 Test: bullhead builds, boots Test: netd_{unit,integration}_test pass Test: dual-stack wifi and IPv4-only mobile data work Change-Id: I64ba7dbf71478afcd9d2880440f93ef346116b6b
* Don't require permissions for high-priority oif rules.Lorenzo Colitti2017-09-261-2/+4
| | | | | | | | | | | | | | | The intent of the high-priority oif rules added in ag/644462 was to ensure that the kernel can send packets and forward packets to a given interface by specifying only the oif. However, if a network requires permissions, the high-priority oif rules we create require those permission bits in the firewall mark, which means the kernel cannot use them. Therefore, remove the permissions check. Test: builds Test: netd_{unit,integration}_test pass Change-Id: I73d7eb349c4c20d0d5efe05219a89cff5015a330
* Minor fixes in RouteController.Lorenzo Colitti2017-09-251-14/+2
| | | | | | | | | | - Remove the definition of fib_rule_uid_range, since it's now in the UAPI headers. - Fix the comment on PRIO_THROW, which is inaccurate. Test: bullhead builds, boots Test: netd_{unit,integration}_test pass Change-Id: I52ced26c4ea21925140d6ed86991e50cff7bd46a
* Invalidate dst caches when changing network permissions.Lorenzo Colitti2017-09-121-0/+13
| | | | | | | | | (cherry picked from commit 4662e16686954dd3ca80938efe6650227877fe44) Bug: 64103722 Test: builds Test: connected socket UDP traffic switches to wifi when cell goes into background Change-Id: I502575d51781cacace96e0c2d1edb6a5183aab70
* Don't allow seamless handover to networks requiring permissions.Lorenzo Colitti2017-09-121-5/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, implicitly-marked sockets continue to work when the network changes permission. This makes it so that UDP sockets connected on a foreground network will continue to work even if the network moves into the background (e.g., when the linger timer fires on cell data with mobile data always on). Instead, make it so that sockets implicitly marked to a network become unroutable when the network starts requiring permissions. Explicitly-marked sockets will continue to be routed on the network, as usual. This is consistent with what we do for TCP: when a network changes permissions, all implicitly-marked sockets on that network are closed using SOCK_DESTROY. This change should not affect any other behaviour because: - Netd only ever implicitly marks sockets to the default network or to a bypassable VPN that applies to the caller. - In both cases, at the time of marking, the network does not require permissions because: - VPNs don't support permissions. - The default network never requires any permissions: - ConnectivityService's mDefaultRequest specifies NOT_RESTRICTED. - The only case where a NOT_RESTRICTED network can require a permission is if it's a background network, and the default network is, by definition, never a background network. - VPNs can't change permissions. - If the network is still the default network, the lack of this implicit rule doesn't matter. Therefore, the only case where this rule can alter routing is if a socket is implicitly marked on the default network and that network, after ceasing to be the default, changes permissions. (cherry picked from commit 6bd4a48ed735c7fc5c1143bf0b2f06b8a2879e61) Bug: 64103722 Test: builds Test: manually observed IP rules while changing network permissions Change-Id: I944df3a97c8062e7c3af00f72e18e693bee0a3a6
* Clear incoming packet mark rules on netd startup.Lorenzo Colitti2017-03-281-2/+5
| | | | | | | | | | | | | | | Currently, we put the incoming packet mark rules directly into the INPUT chain of the mangle table, which is not cleared on netd start. Move these rules to their own chain. This makes them consistent with all the other iptables rules and makes it easy to clear them on startup using the existing mechanisms. Bug: 28362720 Test: bullhead builds, boots Test: netd_{unit,integration}_test pass Test: watch -n1 "adb shell iptables -v -n -t mangle -L INPUT" while switching networks Test: rules are cleared on netd restart Change-Id: I9130f997a96dcfdfdfdd950520a76f8473b5f603
* Use new-style UID routing.Lorenzo Colitti2017-03-281-20/+0
| | | | | | | | | | | | | | | | | | Kernel prebuilts for OC devices have been updated, so the legacy attributes are not being used. Use the new attributes only. This will ensure that devices aren't using the old code by mistake, as any such devices will fail the VPN CTS tests. (cherry picked from commit 882e467ff7b83de868fa0b9a9beb9036bf14aede) Cherry-picking this to AOSP now that most external kernels have been updated as well. Bug: 16355602 Test: bullhead builds, boots Test: netd_{unit,integration}_test pass Test: has been running in internal master for several weeks. Change-Id: I1c4e8c9281a843417a3a52294a1b7d3e6502bee6
* Use iptables-restore to set the incoming packet mark rule.Lorenzo Colitti2017-03-271-5/+8
| | | | | | | | | | | This speeds up network switching because one rule needs to be added/removed per interface. Bug: 28362720 Test: bullhead builds, boots Test: netd_{unit,integration}_test pass Test: watch -n1 "adb shell iptables -v -n -t mangle -L INPUT" while switching networks Change-Id: Ie536db6a50d018c88bb03c5f069965e99e0d162e
* Add a test for RouteController.Lorenzo Colitti2017-02-161-4/+0
| | | | | Test: netd_{unit,integration}_test pass. Change-Id: I19416fd8a79354303dabec042d090f7ae6962b1b
* Use our netlink code to flush routes as well.Lorenzo Colitti2017-02-161-124/+42
| | | | | | | | | | | Most of the CL is refactoring the rule flush code to be more generic and move it and various callback definitions to NetlinkCommands. After that, flushing routes is very simple. Test: bullhead builds, boots Test: netd_{unit,integration}_test pass Bug: 34873832 Change-Id: I0613d525f043d0a8b234a89982281b909011c7e5
* Don't complain when deleting non-existent tethering rules.Lorenzo Colitti2017-02-141-2/+6
| | | | | | | | | | | clearTetheringRules ignores errors when deleting rules, because tethering rules don't exist unless tethering was enabled on the interface. sendNetlinkRequest shouldn't log an error in this case, since the caller is ignoring that error. Bug: 34873832 Test: bullhead builds, boots, spurious error messages gone Change-Id: Ib327e8a3aecd3a38d624baa8bf320da87e6c4f7c
* Don't call NetlinkCallbacks with nullptr on NLMSG_DONE.Lorenzo Colitti2017-02-141-1/+0
| | | | | | | | | | No real callback uses this, and even the test code doesn't seem to use it for anything useful. Bug: 34873832 Test: bullhead builds, boots, rules flushed on netd restart Test: netd_{unit,integration}_test pass Change-Id: I195dd388864e9e596af9f4d08aee7b8ade078fb5
* Use netlink code to flush rules.Lorenzo Colitti2017-02-141-10/+61
| | | | | | | | | | | | This removes two calls to /sbin/ip on netd startup, which saves about 70ms. In the future we will be able to use this to flush routes as well, which will provide similar time savings on every network destroy operation. Bug: 34873832 Test: bullhead builds, boots Test: rules flushed correctly when netd is killed Change-Id: I4875ac7fec1a92dc5fa2cb68f8fab2a903348c20
* Move the netlink command code to a new NetlinkCommands file.Lorenzo Colitti2017-02-141-66/+1
| | | | | | | Test: bullhead builds, netd boots Test: netd_{unit,integration}_test pass Bug: 34873832 Change-Id: Ia6fcde63e1092a62cad1c5238bbb9a91a9f39080
* Put most of netd into the android::net namespace.Lorenzo Colitti2017-02-141-1/+7
| | | | | | | Test: netd_{unit,integration}_test pass Test: bullhead builds, boots Bug: 34873832 Change-Id: I0a252328041b342f9c03cd08c11a69d452b045b3
* Simplify and improve error logging in sendNetlinkRequest.Lorenzo Colitti2017-02-131-17/+42
| | | | | | | Bug: 32323979 Test: bullhead builds, boots, new error messages appear Test: unit tests continue to pass Change-Id: Ie60ed3a71fbd26b7a8a1d2f7fb8083b1b6b9626a
* Set both legacy and new UID routing attributes.Lorenzo Colitti2016-12-191-15/+31
| | | | | | | | | | | | This should work on kernels that support either, as long as they are older than 4.8. Test: netd_integration_test passes with updated iproute and kernel Test: netd_integration_test passes with existing iproute and kernel Test: ConnectivityManagerTest and HostsideVpnTests pass on existing kernel Test: ConnectivityManagerTest and HostsideVpnTests pass on updated kernel Bug: 16355602 Change-Id: I9a2ef08ba2782587f43ea7d0609f5f07f6c3adb0
* UidRanges: use class instead of pair<uid_t, uid_t>Robin Lee2016-12-061-8/+10
| | | | | | | | | | | | | | | | | | | | Reuse the UidRange that was introduced in 7.0 (NYC) to ease transition from CommandListener to binder which supports this as a parcelable type. There is a small difference in behaviour: UidRange uses signed int32_t vs. uid_t being unsigned and potentially a different size. This should not be a problem as all of the java-side code is converting from int. Updating to use int64_t in future would be a large effort and involve changing the java-side UidRange class to use longs, and not fixing the native side would cause unit tests to fail, so it shouldn't be possible to overlook if that happens. Committing this early with an appropriately loud warning so that it can get soak time over the next year. Test: runtest -x netd_integration_test.cpp Change-Id: I6c217b347724ba5bfe2df28d6142a4343cb06353
* Merge "Drop PROHIBIT_NON_VPN priority 11500 -> 12500" into nyc-devRobin Lee2016-05-171-1/+1
|\
| * Drop PROHIBIT_NON_VPN priority 11500 -> 12500Robin Lee2016-05-031-1/+1
| | | | | | | | | | | | | | | | So that the rule can be kept up 100% of the time instead of dropping it when VPN comes on. Bug: 26694104 Change-Id: I1df6b8f588e54d72e34dbcbd15492513e07fac3d
* | Restore ACT_UNREACHABLERobin Lee2016-05-021-2/+2
|/ | | | | | | | | | | | This got lost in between I7d9752e86fa1a4564c622152a5be6ce2c1eda150 and If23df0760c6eb0ad137fc26c5124e48edf23b722. Which broke creating the UNREACHABLE network, also breaking the dummy network which should be created after it. Fix: 28304838 Change-Id: I31c4ca9c3f53d6162b50e5bc46e27cfcd1b6a314
* Server API to only allow networking by VPN appsRobin Lee2016-04-191-0/+27
| | | | | | | | | | | | | Secure virtual networks already create rules to route all traffic into theirselves. This depends on the secure network already existing. API creates an ip rule at a priority level below SECURE_VPN which can catch traffic before VPN comes up, if it is a requirement that no traffic ever leaves without first going through VPN. Bug: 26694104 Bug: 26354134 Change-Id: If23df0760c6eb0ad137fc26c5124e48edf23b722
* Have modifyIpRule take an explicit actionRobin Lee2016-04-191-7/+12
| | | | | | | Instead of inferring from the priority what the action should be. Bug: 26694104 Change-Id: I7d9752e86fa1a4564c622152a5be6ce2c1eda150
* Workaround ASan false positive in RouteController.Evgenii Stepanov2016-04-061-0/+9
| | | | | | | Bug: 27037723 Change-Id: I40e7f0d07652aeb6484de5f963a7698b6805d582 (cherry picked from commit dfde1d6c6c397e437adf937a1718784d9cb2c0cf)
* Track rename from base/ to android-base/.Elliott Hughes2015-12-041-1/+1
| | | | Change-Id: Ice6d43c0f9b16b8fb441158a0f7344dfbf969dea
* Revert "Revert "Update for libbase.""Dan Albert2015-03-161-2/+4
| | | | | | | | This reverts commit 4a0ab5ff4a87cfc4a987da99546b01e44875a2e5. (cherry picked from commit 3e87c785434fdfed2fb00496cb391c411a426bdd) Change-Id: I042f485f3cc84206766298853491ddd26dbba13f
* resolved conflicts for merge of 6066d418 to masterNicolas Geoffray2015-03-161-4/+2
|\ | | | | | | Change-Id: I2aa9721365e96c363648dd8e9e15718ed50e3c12
| * Revert "Update for libbase."Nicolas Geoffray2015-03-161-4/+2
| | | | | | | | | | | | | | | | Breaks internal master. This reverts commit b67219a71d1d896bcb34c4a7a797824b88515b2c. Change-Id: I43145f0724ad2d669b65d20b6fd6ccc44b8f0a4f
* | Merge remote-tracking branch 'goog/mirror-m-wireless-internal-release'Vinit Deshpande2015-03-161-13/+94
|\ \ | |/ |/| | | Change-Id: I51337014e2851f47dd5e183c4bfdf39bafa59942
| * Flush tethering rules on interface remove.Lorenzo Colitti2015-03-051-4/+33
| | | | | | | | | | Bug: 19500693 Change-Id: I25b7942784ec026d30c60273c9e13e34d082d25a
| * Add oif rules that allow UID 0 to bypass the VPN.Lorenzo Colitti2015-02-271-11/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This is needed for wifi calling so that the kernel (which does not set marks) can tee packets towards the modem. It also fixes things like not being able to reply to DHCP requests from tethered clients when a VPN is up. System apps can already bypass the VPN using explicit marks, so allowing UID 0 to do so does not create additional bypass VPN issues. Bug: 19500693 Change-Id: Ie324026893637e9bd8e7aa65a37579569390e7b7
| * Make the VPN rule only to originated, not forwarded, traffic.Lorenzo Colitti2015-02-271-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently the VPN rule for the primary user will match every forwarded packet on the system, because it specifies a UID range that includes 0, and forwarded packets have UID 0. Use "iif lo" to limit the rule match to locally-originated traffic. This requires a kernel that sets the loopback ifindex. when originating packets. Anything based on 3.10 is fine, but devices using 3.4 will need a one-line change for IPv6. Bug: 19500693 Change-Id: Iaab88bed62716dc1cea33b45c4e258f6b3bfc9d0
| * Add a dummy network that discards all packets.Lorenzo Colitti2015-02-251-0/+40
| | | | | | | | | | Bug: 19500693 Change-Id: Ic25f2d8c481f1528e887e43ca3fa868189582110
| * Don't fail when trying to add routes that already exist.Sreeram Ramachandran2014-10-301-5/+2
| | | | | | | | | | | | | | | | | | | | | | Previously, we suppressed failures for the special case of requestRouteToHost() being called multiple times. Turns out that other parts of the system also try to add duplicate routes, so just suppress EEXIST errors in general (as far as adding routes is concerned). For example, this happens when the WiFi P2P DHCP client renews its lease and blindly requests to add a route that it had already added before. Bug: 17205769 Change-Id: I3de557ddb82c95899623aa31b4b3ec7c955f5609
* | Update for libbase.Dan Albert2015-03-141-2/+4
| | | | | | | | | | | | StringPrintf and the string based file I/O are being moved to libbase. Change-Id: I765d9e53f65a76d318d9d0d9503403fc092254d5
* | Switch writing to <utils/file.h>.Elliott Hughes2015-02-041-14/+5
| | | | | | | | Change-Id: Idb2de24414f4dd8e926e625b62e4d12152dc4527
* | Avoid leaking file descriptorsNick Kralevich2015-01-311-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Add O_CLOEXEC on open() calls, and SOCK_CLOEXEC on socket calls. This avoids leaking file descriptors across execs. Addresses the following SELinux denial: audit(1422740213.283:8): avc: denied { read write } for pid=2597 comm="clatd" path="socket:[6709]" dev="sockfs" ino=6709 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket and allows the removal of some other SELinux rules which were inappropriately added because of leaking file descriptors. Change-Id: I9c180488ea1969d610e488f967a7276a672bb477
* | Don't fail when trying to add routes that already exist.Sreeram Ramachandran2015-01-291-5/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, we suppressed failures for the special case of requestRouteToHost() being called multiple times. Turns out that other parts of the system also try to add duplicate routes, so just suppress EEXIST errors in general (as far as adding routes is concerned). For example, this happens when the WiFi P2P DHCP client renews its lease and blindly requests to add a route that it had already added before. (cherry picked from commit 64166e7666e3cc7f4b9c715f2b4e19d28ae44c5a) Bug: 17205769 Change-Id: I11d50052f616cb48a912d647b8024ccef01b736d
* | Fix missing errno.h includes after libc cleanup.Dan Albert2015-01-061-7/+9
|/ | | | | | | These issues hadn't been found yet because a libc++ header was unconditionally pulling in errno.h. I've fixed the libc++ header now. Change-Id: Ib096634cdd231fc75bf7548e4b99babc7442dc53
* Support manipulating throw routes.Lorenzo Colitti2014-09-191-0/+4
| | | | | | | | | | | We already supported unreachable routes. Throw routes are necessary so we can exempt the VPN endpoint from being routed through the VPN in legacy VPN modes that do not pass traffic through a tun or ppp interface but just directly appply IPsec transformations to outgoing packets. Bug: 17462989 Change-Id: I8635472ca3e96ec2866af2de48e6260ab2da13fb
* Make destroying networks more robust.Lorenzo Colitti2014-08-141-5/+28
| | | | | | | | 1. Retry route flushes if they fail. 2. Make destroyNetwork ignore (but return) errors. Bug: 16944962 Change-Id: I26301613437d7cc373ff64955fd44d716e9982b9
* Stop copying directly-connected routes to the main table, #2.Lorenzo Colitti2014-07-291-19/+9
| | | | | | | | | | | | | | | | | | | | For a long time we have thought that copying directly-connected routes to the main table was necessary to add gatewayed routes to other routing tables. However, this is not necessary when the directly-connected routes are properly created with "scope link" as we do in http://ag/513100 . Delete the copying code, but don't delete the rule that looks up the main table or the code that dumps it. The main table is used for things like cell networking, because the RIL emulates cell networks, which are actually point-to-point, as directly connected broadcast subnets (e.g., a /30 or a /27) with a fake default gateway. The directly-connected route that covers the fake default gateway is implicitly created by adding the IP address, but it's in the main table, so we can't add the default route without looking up the main table. Change-Id: I93bd4764ac75fdcc98fa4206c601524100d53fc3
* Revert "Stop copying directly-connected routes to the main table."Lorenzo Colitti2014-07-291-5/+35
| | | | | | This reverts commit 2f5ea0e99e9a436cd43901b1772b77a410a62f8d. Change-Id: I1fe1df0249714cb650a34fae56476236ac0108e3
* Stop copying directly-connected routes to the main table.Lorenzo Colitti2014-07-291-35/+5
| | | | | | | | | | | | | | For a long time we have thought that copying directly-connected routes to the main table was necessary to add gatewayed routes to other routing tables. However, this is not necessary when the directly-connected routes are properly created with "scope link" as we do in http://ag/513100 . Delete the copying code, but keep dumping the main table in bugreports, so we can see if third-party code such as RIL daemons is putting anything in it. Change-Id: Iddd531daaf9881ffd82f0a4b4f6cc857ce8788fd
* Add "scope link" when adding routes without a nexthop.Sreeram Ramachandran2014-07-291-0/+1
| | | | | | | | | | | | | This is consistent with what /sbin/ip does, and it makes recursive lookups on secondary tables work even when the main table is empty. This was originally proposed by Sreeram as http://ag/506456 to fix a VPN issue, but then abandoned because it did not fix that particular problem. Bug: 16628572 Change-Id: I85753389c683ae2127b21af722463a35a33b60eb
* Merge "Prohibit address families by default unless a VPN explicitly allows ↵Sreeram Ramachandran2014-07-271-13/+24
|\ | | | | | | them." into lmp-dev
| * Prohibit address families by default unless a VPN explicitly allows them.Sreeram Ramachandran2014-07-281-13/+24
| | | | | | | | | | Bug: 15972465 Change-Id: I3278d94536fefacc86390c1ba4231680f7be8589
generated by cgit v1.2.3 (git 2.25.1) at 2025-12-20 10:10:33 +0000