- 26 Apr, 2016 4 commits
-
-
Lorenzo Colitti authored
am: 932c44c9 * commit '932c44c9': Allow TCP RSTs to make it through firewall rules. Change-Id: I34b136804e7eb1a4fb27314e51c4967de21da486
-
Lorenzo Colitti authored
am: 563d98b2 * commit '563d98b2': Add a binder IPC to close socket connections. Change-Id: Idb7e6cf83e6134d390c3e505973e245c7dc718de
-
Lorenzo Colitti authored
This allows us to cleanly close apps' TCP connections when we remove their network connectivity. Bug: 27824851 Change-Id: I69ae0e860536139d30d14d580a36c82f79dc2f82
-
Lorenzo Colitti authored
Bug: 27824851 Bug: 27867653 Change-Id: I2e63ccfb268db763ec732594a73c2908838468b8
-
- 19 Apr, 2016 5 commits
-
-
Robin Lee authored
Secure virtual networks already create rules to route all traffic into themselves. This depends on the secure network already existing. API creates an ip rule at a priority level below SECURE_VPN which can catch traffic before VPN comes up, if it is a requirement that no traffic ever leaves without first going through VPN. Bug: 26694104 Bug: 26354134 Change-Id: If23df0760c6eb0ad137fc26c5124e48edf23b722
-
Robin Lee authored
Instead of inferring from the priority what the action should be. Bug: 26694104 Change-Id: I7d9752e86fa1a4564c622152a5be6ce2c1eda150
- 18 Apr, 2016 1 commit
-
-
Robin Lee authored
Moved from: //frameworks/base/core/java/android/net/ To: //system/netd/binder Since frameworks/base depends on netd but not vice versa, it is cleaner to keep the internal aidl in the same place as the native implementation in netd. Bug: 26694104 Change-Id: If21a72978ad5b93f0eed04c75143b55157c1a014
-
- 15 Apr, 2016 2 commits
-
-
Lorenzo Colitti authored
This CL defines a new IDnsEventListener interface and instruments DnsProxyListener to send log events to it after every DNS query. Bug: 28204408 Change-Id: I7ef09d8fac2a583fb3dc8e392c4fff5649258b28
-
Lorenzo Colitti authored
Also implement TimedOperation by subclassing Stopwatch, since it essentially does the same thing. Change-Id: I68febcf1caa8a00b548790f9e3ccc10836877639
-
- 14 Apr, 2016 2 commits
-
-
TreeHugger Robot authored
-
Lorenzo Colitti authored
1. Change the SockDiag callback function to be a filter that returns a bool instead of a function that optionally kills a socket. All existing callbacks basically only existed to kill sockets under certain conditions, and making them return a boolean allows reusing the same callback function signature to filter sockets as well.
2. Add a new SockDiag method to kill sockets based on a UidRanges object (which contains a number of UID ranges) and a list of users to skip.
3. Add a new UIDRANGE mode to SockDiagTest to test the above.
4. When UID ranges are added or removed from the VPN, kill sockets in those UID ranges unless the socket UIDs are in mProtectableUsers and thus their creator might have set the protect bit on their mark. Short of actually being able to see the socket mark on each socket and basing our decision on that, this is the best we can do.
Bug: 26976388
Change-Id: I53a30df3feb63254a6451a29fa6041c9b679f9bb
-
- 12 Apr, 2016 1 commit
-
-
Pierre Imai authored
-
- 11 Apr, 2016 1 commit
-
-
Jon Larimer authored
-
- 08 Apr, 2016 2 commits
-
-
Pierre Imai authored
Change-Id: Iba3ff9da55cbc709d12b12b9c65dbc565bbd2828
-
Lorenzo Colitti authored
netd_integration_test already runs all the tests in netd_test. Change-Id: I44c2ffaecded071a54af1c54c823856ffc6eb0cf
-
- 07 Apr, 2016 1 commit
-
-
Evgenii Stepanov authored
Bug: 27037723 Change-Id: I40e7f0d07652aeb6484de5f963a7698b6805d582 (cherry picked from commit dfde1d6c)
-
- 06 Apr, 2016 3 commits
-
-
Erik Kline authored
-
Erik Kline authored
Change-Id: I117adc3c7e240597e7fd91c709898bbbbe988261
-
Pierre Imai authored
Also add more tests for netd's resolver. (cherry picked from commit 12f6baf1) Change-Id: I446f11b3462522ec3a18c2a3ec9401ad6cf77e8b
-
- 31 Mar, 2016 3 commits
-
-
Erik Kline authored
-
Erik Kline authored
Change-Id: I3e6560bbc46fd551d3501227250536cabeff4f71
-
Philip P. Moltmann authored
I added binary value support. This changes the format of the communication between the android framework and netd. Bug: 27696905 Change-Id: I85122062d63f1047c618be0b16e6e95621790fd6
-
- 30 Mar, 2016 2 commits
-
-
Lorenzo Colitti authored
Bug: 21725996 Change-Id: I2c049a934189f3c87ee15f052abc07d35814f0c9
-
Lorenzo Colitti authored
Bug: 21725996 Bug: 25691379 Change-Id: I24b838161eaf98dede2ae897157ba42414fc926f
-
- 28 Mar, 2016 2 commits
-
-
Lorenzo Colitti authored
Bug: 25691379 Bug: 21725996 Change-Id: Ia0598e60ad24714d53470e05849929831ba9dbf6
-
Lorenzo Colitti authored
This saves approximately 800ms on boot.
From the perspective of the rules, this change is a no-op. As the unit test shows, the commands are the same, though some are in a slightly different order because iptables-restore requires that COMMIT be called between different tables (e.g., filter and mangle).
For simplicity, enableBandwidthControl runs two iptables-restore commands instead of one. This is not semantically different from the previous code because the previous code just ran iptables commands one by one, which provides no atomicity. Running two commands is a bit slower than running one, but it's still much faster than using iptables.
Using iptables-restore allows us to do things like ":<chain> -", which both creates the chain (if it does not already exist) and flushes it. This allows us to remove IPT_CLEANUP_COMMANDS and IPT_SETUP_COMMANDS. Those two sets of commands, which basically just did "-X bw_<foo>" and "-N bw_<foo>" were only necessary because the preceding "-F bw_<foo>" command would not create bw_<foo> if it did not already exist (e.g. in setupIptablesHooks, which runs on netd startup).
Bug: 21725996
Change-Id: I6656aed4287dfcb2311c94800f430c143fb0b1a5
-
- 27 Mar, 2016 2 commits
-
-
Lorenzo Colitti authored
Bug: 25691379 Bug: 21725996 Change-Id: I196f568221b3bad98ba2d60e019c2b24c59a9cbc
-
Lorenzo Colitti authored
The data saver refactoring change was incorrect in >= two ways:
1. It relied on the bw_costly_shared chain, which is currently unused. NetworkManagementService just has a "TODO: support quota shared across interfaces" comment about it. What actually happens when setting quota is that each costly interface chain (e.g., bw_costly_rmnet_data0) directly hooks in the bw_penalty box chain.
2. Implementing app whitelisting using "RETURN" inside bw_happy_box was pointless because if data saver was enabled, there was a REJECT at the end of the bw_costly_shared chain that it was returning to.
Instead, go back to the previous approach which hooked bw_happy_box at the end of bw_penalty_box. Also, add an additional bw_data_saver rule at the end of bw_happy_box. bw_data_saver only contains one rule: RETURN if data saver is enabled or REJECT if data saver is disabled. That way:
1. If the app is blacklisted, bw_penalty_box REJECTs. If not:
2. If the app is whitelisted (system apps are always whitelisted) bw_happy_box RETURNs to bw_costly_rmnet_data0, skipping bw_data_saver.
3. If an app is neither blacklisted nor whitelisted, bw_happy_box jumps to bw_data_saver. If data saver is enabled, it REJECTs the packet, and if not, it RETURNs to bw_costly_rmnet_data0.
4. When we RETURN to bw_costly_rmnet_data0, either because the app is whitelisted, or because data saver is off, bw_costly_rmnet_data0 applies mobile data usage limits, and then RETURNs to bw_OUTPUT, which calls xt_qtaguid, etc.
Bug: 26685616
Bug: 27506285
Change-Id: If15397afde6862d95827a1fdd30f60efd7fab66a
-
- 25 Mar, 2016 1 commit
-
-
Lorenzo Colitti authored
Bug: 27824851 Change-Id: Iab5ebfd1c3d463d60d3dbd3a271737c8bc824298
-
- 24 Mar, 2016 1 commit
-
-
Lorenzo Colitti authored
Bug: 27824851 Change-Id: I98fa7aefdd9d0acf0a352970e3ba236227182da6
-
- 23 Mar, 2016 1 commit
-
-
Lorenzo Colitti authored
Bug: 26685616 Bug: 27506285 Change-Id: Id11ee717cfc1c79070b6bbec397986c25947646c
-
- 22 Mar, 2016 5 commits
-
-
Lorenzo Colitti authored
* changes:
Stop using SIOCKILLADDR in netd.
Add a rudimentary unit test for BandwidthController.
Slightly restructure the data saver iptables rules.
Remove the ability to enable/disable the happy box.
Don't keep naughty/nice app state in BandwidthController.
-
Lorenzo Colitti authored
SOCK_DESTROY is now supported in all N device kernels. Bug: 26976388 Change-Id: I149ccda56edacac28602daddb01b5fd0222d5fb0
-
Lorenzo Colitti authored
Bug: 26685616 Bug: 27506285 Change-Id: I4457abd43697a0425f167b81c1432d743800abb8
-
Lorenzo Colitti authored
1. Make bw_costly_shared jump to bw_happy_box after bw_penalty_box. This allows the framework to manipulate whitelists and blacklists independently.
2. Make bw_happy box always whitelist system apps. Because bw_penalty_box is consulted before bw_happy_box, the framework can always blacklist certain system apps (e.g., the media server) by putting them in the blacklist.
3. Add a method to add/remove a reject at the end of bw_costly_shared. This will allow the framework to enable/disable data saver by changing only one rule.
Bug: 26685616
Bug: 27506285
Change-Id: I67bff7c3c9ff5eb3f84fb84550cdf49f153e1b68
-
Erik Kline authored
This is called by "dumpsys netd". Bug: 27239233 Change-Id: I27fb308f8067243ff241a6f8fd6a83f406087d2a
-
- 21 Mar, 2016 1 commit
-
-
Dmitry Shmidt authored
Some wlan solutions cannot switch or do not need to switch FW. In this case we don't want the function to fail and to prevent Wifi from starting in settings. Bug: 27774657 Change-Id: I11f3cf709db6f17fc558454aa894e4a2211a9312 Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
-