From 47b528cfe730db6c8b904d3a56d99666e2b8189e Mon Sep 17 00:00:00 2001
From: Benedict Wong
Date: Mon, 10 May 2021 18:26:02 -0700
Subject: [PATCH] Add clarifying comments on for IPsec forward policies

This change adds clarifying comments for the usage of the forward policies in IPsec, and corrects a comment to properly specify the permissions allowed.

Bug: 185495453
Test: Comment-only changes
Change-Id: I6d36522c344c41b0ebd90d46b216d115b678dd31
---
 .../core/java/com/android/server/IpSecService.java | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/services/core/java/com/android/server/IpSecService.java b/services/core/java/com/android/server/IpSecService.java
index d574e74d39..d6ee95131e 100644
--- a/services/core/java/com/android/server/IpSecService.java
+++ b/services/core/java/com/android/server/IpSecService.java
@@ -1112,7 +1112,7 @@ public class IpSecService extends IIpSecService.Stub {
             case IpSecManager.DIRECTION_IN:
                 return;
             case IpSecManager.DIRECTION_FWD:
-                // Only NETWORK_STACK or PERMISSION_NETWORK_STACK allowed to use forward policies
+                // Only NETWORK_STACK or MAINLINE_NETWORK_STACK allowed to use forward policies
                 PermissionUtils.enforceNetworkStackPermission(mContext);
                 return;
         }
@@ -1358,6 +1358,16 @@ public class IpSecService extends IIpSecService.Stub {
                 ikey,
                 0xffffffff,
                 resourceId);
+
+        // Add a forwarding policy on the tunnel interface. In order to support forwarding
+        // the IpSecTunnelInterface must have a forwarding policy matching the incoming SA.
+        //
+        // Unless a IpSecTransform is also applied against this interface in DIRECTION_FWD,
+        // forwarding will be blocked by default (as would be the case if this policy was
+        // absent).
+        //
+        // This is necessary only on the tunnel interface, and not any the interface to
+        // which traffic will be forwarded to.
         netd.ipSecAddSecurityPolicy(
                 callerUid,
                 selAddrFamily,
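Review bot: The corrected comment on the DIRECTION_FWD case names the permitted permissions but not the outcome for a caller that lacks them, and since this is the only visible branch that gates on caller privilege the reader has to infer it from the enforce call on the next line, which presumably throws rather than returning. Suggest `// DIRECTION_FWD is restricted to NETWORK_STACK / MAINLINE_NETWORK_STACK holders; the enforce call below rejects any other caller with a SecurityException.` The enclosing method starts outside the hunk, so the handling of DIRECTION_OUT and any default branch cannot be checked here.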
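Review bot: The new comment before netd.ipSecAddSecurityPolicy has wording slips that blur the security statement it is making: `// Unless a IpSecTransform is also applied against this interface in DIRECTION_FWD,` should read `// Unless an IpSecTransform is also applied against this interface in DIRECTION_FWD,`, and `// This is necessary only on the tunnel interface, and not any the interface to` / `// which traffic will be forwarded to.` should read `// This is necessary only on the tunnel interface, and not on the interface to` / `// which traffic is forwarded.` The first sentence also needs a comma after "forwarding". The "blocked by default" claim would be easier to verify if the comment named the policy direction this call installs; the argument list continues outside the hunk, so that constant is not visible here, and the enclosing method starts and ends outside the hunk.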