- 31 May, 2016 1 commit
-
-
Pierre Imai authored
am: 0452cb56 * commit '0452cb56': Do not configure more DNS servers than supported. Change-Id: I0893649176126b46fc493d353e32fba38226dd8e
-
- 30 May, 2016 1 commit
-
-
Pierre Imai authored
BUG: 28984564 Change-Id: I1b580d725f0aafe887db894e19971cc29adf8951
-
- 27 May, 2016 1 commit
-
-
Pierre Imai authored
BUG: 28529315 Change-Id: I4818b3833464502a44d9cdb92e3c59802882397b
-
- 26 May, 2016 2 commits
-
-
Erik Kline authored
am: bdcba112 * commit 'bdcba112': Update wlutil path Change-Id: Ieb82f51d47c33d10b32400e007322d35dc423b61
-
Erik Kline authored
The path to wlutil changed to /system/vendor/xbin with ag/893600. Bug: 28850734 Change-Id: I101517e7d849c288cbe9877e874b8d7914fbc1e9
-
- 17 May, 2016 2 commits
-
-
Robin Lee authored
- 16 May, 2016 8 commits
-
-
Lorenzo Colitti authored
am: 7ad3c888 * commit '7ad3c888': Make FirewallController::createChain use replaceUidChain. Make firewallReplaceUidChain match the behaviour of createChain. Don't crash the test if expecting more commands than were run. Change-Id: Ib9dac62413187fc9b4978dfe14b7d29dbf328328
-
Lorenzo Colitti authored
* changes: Make FirewallController::createChain use replaceUidChain. Make firewallReplaceUidChain match the behaviour of createChain. Don't crash the test if expecting more commands than were run.
-
Lorenzo Colitti authored
This has two benefits:
1. It makes the behaviour of setting firewall chains via the firewallReplaceUidChain RPC match the behaviour of creating the chains on boot. (As a side effect, it reduces code duplication between the two.)
2. It makes creating firewall chains on boot use iptables-restore, which is substantially faster than running iptables commands one at a time.
This CL will allow the framework to switch to using firewallReplaceUidChain when the framework starts, providing substantial speedups over the current behaviour of running two iptables commands for every app that is whitelisted or idle.
Bug: 26675191 Change-Id: Ifbd15bf9143efd526570dde8f88effc79d164630
-
Lorenzo Colitti authored
The behaviour of the firewallReplaceUidChain was incorrect in several ways:
1. It was missing the "always allow TCP RST packets" rules which were added in http://ag/963000.
2. It included a RETURN statement at the end of blacklist chains, which is superfluous since all user-defined chains implicitly return, and became incorrect when http://ag/963000 switched the behaviour of blacklist chains from inserting new rules at the beginning to appending them at the end.
3. It was missing the rules to allow the types of ICMPv6 packets that are critical in maintaining connectivity.
By itself, this change is a no-op since nothing currently calls firewallReplaceUidRule.
Bug: 26675191 Change-Id: I985e6861812908cbe7eaf0f54ca0ad39c22bbfeb
-
Lorenzo Colitti authored
Bug: 26675191 Change-Id: I54860c7cf7b79bb6ace89c3130467ba7c0473e03
-
Pierre Imai authored
am: 4f882991 * commit '4f882991': Fix P2TP VPNs by adding an exception for VPN user. Change-Id: Ic8528dd6d589f08324ecbc69a4024086e9054a7f
-
TreeHugger Robot authored
-
Pierre Imai authored
BUG: 27199751 Change-Id: I1144228febba0c4cce1333fb39ea186d2963ed10
-
- 13 May, 2016 2 commits
-
-
Pierre Imai authored
am: f581017c * commit 'f581017c': Increase the DNS TTL to 5s to fix netd_test. Change-Id: Iffcb3527816269f1509df4f070d57742ee7a4f92
-
Pierre Imai authored
Under some rare, but repeatable, conditions, the cache would expire before the second getaddrinfo() call in the test was executed, thus causing superfluous queries that made the test fail. Increasing the TTL fixes this. BUG: 28252032 Change-Id: I82919c147ca9c1b7a92f963556b27fb72e3d2222
-
- 12 May, 2016 2 commits
-
-
Pierre Imai authored
am: ee335ef2 * commit 'ee335ef2': Test that changing the DNS search paths works. Change-Id: I4c1bd059f3345e4442463352c178b8d7bd8d0680
-
Pierre Imai authored
Add a test to verify that changing the DNS search paths on their own, without also changing the DNS servers, works as expected. BUG: 28437641 Change-Id: Ie3b6be119f5d33c7782c250a83d24f26c776825e (cherry picked from commit 592303cf)
-
- 03 May, 2016 1 commit
-
-
Robin Lee authored
So that the rule can be kept up 100% of the time instead of dropping it when VPN comes on. Bug: 26694104 Change-Id: I1df6b8f588e54d72e34dbcbd15492513e07fac3d
-
- 02 May, 2016 2 commits
-
-
Robin Lee authored
This got lost in between I7d9752e86fa1a4564c622152a5be6ce2c1eda150 and If23df0760c6eb0ad137fc26c5124e48edf23b722, which broke creating the UNREACHABLE network, also breaking the dummy network which should be created after it. Fix: 28304838 Change-Id: I31c4ca9c3f53d6162b50e5bc46e27cfcd1b6a314
- 28 Apr, 2016 4 commits
-
-
Pierre Imai authored
am: 3a272070 * commit '3a272070': Add dumpsys support to ResolverController Change-Id: I61b0352be471f6631cf5b400fdce447cbf1f6526
-
Pierre Imai authored
am: beedec3b * commit 'beedec3b': Add two Netd binder calls to set/get resolver config. Change-Id: I32c2ee7d27207853a16ee110b712375d0446feb7
-
Pierre Imai authored
BUG: 25731675 Change-Id: I1c715368b1f2d5e732528cd226b3f69792b75321
-
Pierre Imai authored
setResolverConfiguration() sets the name servers, search domains, and resolver parameters. getResolverInfo() returns the configured information and also the statistics for each server. Also includes tests for the new functionality. BUG: 25731675 Change-Id: Idde486f36bb731f9edd240d62dc1795f8e621fe6
-
- 26 Apr, 2016 4 commits
-
-
Lorenzo Colitti authored
am: 932c44c9 * commit '932c44c9': Allow TCP RSTs to make it through firewall rules. Change-Id: I34b136804e7eb1a4fb27314e51c4967de21da486
-
Lorenzo Colitti authored
am: 563d98b2 * commit '563d98b2': Add a binder IPC to close socket connections. Change-Id: Idb7e6cf83e6134d390c3e505973e245c7dc718de
-
Lorenzo Colitti authored
This allows us to cleanly close apps' TCP connections when we remove their network connectivity. Bug: 27824851 Change-Id: I69ae0e860536139d30d14d580a36c82f79dc2f82
-
Lorenzo Colitti authored
Bug: 27824851 Bug: 27867653 Change-Id: I2e63ccfb268db763ec732594a73c2908838468b8
-
- 19 Apr, 2016 5 commits
-
-
Robin Lee authored
Secure virtual networks already create rules to route all traffic into themselves. This depends on the secure network already existing. API creates an ip rule at a priority level below SECURE_VPN which can catch traffic before VPN comes up, if it is a requirement that no traffic ever leaves without first going through VPN. Bug: 26694104 Bug: 26354134 Change-Id: If23df0760c6eb0ad137fc26c5124e48edf23b722
-
Robin Lee authored
Instead of inferring from the priority what the action should be. Bug: 26694104 Change-Id: I7d9752e86fa1a4564c622152a5be6ce2c1eda150
- 18 Apr, 2016 1 commit
-
-
Robin Lee authored
Moved from: //frameworks/base/core/java/android/net/ To: //system/netd/binder Since frameworks/base depends on netd but not vice versa, it is cleaner to keep the internal aidl in the same place as the native implementation in netd. Bug: 26694104 Change-Id: If21a72978ad5b93f0eed04c75143b55157c1a014
-
- 15 Apr, 2016 2 commits
-
-
Lorenzo Colitti authored
This CL defines a new IDnsEventListener interface and instruments DnsProxyListener to send log events to it after every DNS query. Bug: 28204408 Change-Id: I7ef09d8fac2a583fb3dc8e392c4fff5649258b28
-
Lorenzo Colitti authored
Also implement TimedOperation by subclassing Stopwatch, since it essentially does the same thing. Change-Id: I68febcf1caa8a00b548790f9e3ccc10836877639
-
- 14 Apr, 2016 2 commits
-
-
TreeHugger Robot authored
-
Lorenzo Colitti authored
1. Change the SockDiag callback function to be a filter that returns a bool instead of a function that optionally kills a socket. All existing callbacks basically only existed to kill sockets under certain conditions, and making them return a boolean allows reusing the same callback function signature to filter sockets as well.
2. Add a new SockDiag method to kill sockets based on a UidRanges object (which contains a number of UID ranges) and a list of users to skip.
3. Add a new UIDRANGE mode to SockDiagTest to test the above.
4. When UID ranges are added or removed from the VPN, kill sockets in those UID ranges unless the socket UIDs are in mProtectableUsers and thus their creator might have set the protect bit on their mark. Short of actually being able to see the socket mark on each socket and basing our decision on that, this is the best we can do.
Bug: 26976388 Change-Id: I53a30df3feb63254a6451a29fa6041c9b679f9bb
-