Disable attempted updating of SA marks
SA marks are never updated during the UPDSA call. This change disables the attempts to update the specified SAs, ensuring that the config stored in IpSecService matches that of the allocated kernel resources. Bug: 111854872 Test: Unit, CTS tests passing Change-Id: Ic1fb862c8021ffa260c3e262ec698d8af0a826d9
@@ -65,7 +65,7 @@ public final class IpSecConfig implements Parcelable {
|
|||||||
// An interval, in seconds between the NattKeepalive packets
|
// An interval, in seconds between the NattKeepalive packets
|
||||||
private int mNattKeepaliveInterval;
|
private int mNattKeepaliveInterval;
|
||||||
|
|
||||||
// XFRM mark and mask
|
// XFRM mark and mask; defaults to 0 (no mark/mask)
|
||||||
private int mMarkValue;
|
private int mMarkValue;
|
||||||
private int mMarkMask;
|
private int mMarkMask;
|
||||||
|
|
||||||
@@ -125,10 +125,22 @@ public final class IpSecConfig implements Parcelable {
|
|||||||
mNattKeepaliveInterval = interval;
|
mNattKeepaliveInterval = interval;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sets the mark value
|
||||||
|
*
|
||||||
|
* <p>Internal (System server) use only. Marks passed in by users will be overwritten or
|
||||||
|
* ignored.
|
||||||
|
*/
|
||||||
public void setMarkValue(int mark) {
|
public void setMarkValue(int mark) {
|
||||||
mMarkValue = mark;
|
mMarkValue = mark;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sets the mark mask
|
||||||
|
*
|
||||||
|
* <p>Internal (System server) use only. Marks passed in by users will be overwritten or
|
||||||
|
* ignored.
|
||||||
|
*/
|
||||||
public void setMarkMask(int mask) {
|
public void setMarkMask(int mask) {
|
||||||
mMarkMask = mask;
|
mMarkMask = mask;
|
||||||
}
|
}
|
||||||
|
|||||||
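Review bot: The new Javadoc on setMarkValue/setMarkMask says "Internal (System server) use only", but both setters stay public on a Parcelable that callers build and hand to the service, so the restriction is only as strong as what IpSecService does with the fields; the doc should state that concretely and carry a `@param`, e.g. `@param mark the XFRM mark; values supplied by callers are reset to 0 by IpSecService before the SA is created, so only the service's own value takes effect.` The same wording applies to setMarkMask. The field comment "defaults to 0 (no mark/mask)" is fine for the Java side, but if a mask of 0 means the kernel ignores the mark entirely it would be worth saying that explicitly so readers do not take 0 as a specific mark value — I cannot confirm the kernel semantics from this page. The IpSecConfig class definition starts and ends outside the hunks shown.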
@@ -24,6 +24,7 @@ import static android.system.OsConstants.AF_UNSPEC;
|
|||||||
import static android.system.OsConstants.EINVAL;
|
import static android.system.OsConstants.EINVAL;
|
||||||
import static android.system.OsConstants.IPPROTO_UDP;
|
import static android.system.OsConstants.IPPROTO_UDP;
|
||||||
import static android.system.OsConstants.SOCK_DGRAM;
|
import static android.system.OsConstants.SOCK_DGRAM;
|
||||||
|
|
||||||
import static com.android.internal.util.Preconditions.checkNotNull;
|
import static com.android.internal.util.Preconditions.checkNotNull;
|
||||||
|
|
||||||
import android.annotation.NonNull;
|
import android.annotation.NonNull;
|
||||||
@@ -62,6 +63,8 @@ import com.android.internal.annotations.GuardedBy;
|
|||||||
import com.android.internal.annotations.VisibleForTesting;
|
import com.android.internal.annotations.VisibleForTesting;
|
||||||
import com.android.internal.util.Preconditions;
|
import com.android.internal.util.Preconditions;
|
||||||
|
|
||||||
|
import libcore.io.IoUtils;
|
||||||
|
|
||||||
import java.io.FileDescriptor;
|
import java.io.FileDescriptor;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.io.PrintWriter;
|
import java.io.PrintWriter;
|
||||||
@@ -73,8 +76,6 @@ import java.net.UnknownHostException;
|
|||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
import libcore.io.IoUtils;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A service to manage multiple clients that want to access the IpSec API. The service is
|
* A service to manage multiple clients that want to access the IpSec API. The service is
|
||||||
* responsible for maintaining a list of clients and managing the resources (and related quotas)
|
* responsible for maintaining a list of clients and managing the resources (and related quotas)
|
||||||
@@ -1523,6 +1524,9 @@ public class IpSecService extends IIpSecService.Stub {
|
|||||||
throw new IllegalArgumentException(
|
throw new IllegalArgumentException(
|
||||||
"Invalid IpSecTransform.mode: " + config.getMode());
|
"Invalid IpSecTransform.mode: " + config.getMode());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
config.setMarkValue(0);
|
||||||
|
config.setMarkMask(0);
|
||||||
}
|
}
|
||||||
|
|
||||||
private static final String TUNNEL_OP = AppOpsManager.OPSTR_MANAGE_IPSEC_TUNNELS;
|
private static final String TUNNEL_OP = AppOpsManager.OPSTR_MANAGE_IPSEC_TUNNELS;
|
||||||
@@ -1740,8 +1744,14 @@ public class IpSecService extends IIpSecService.Stub {
|
|||||||
: tunnelInterfaceInfo.getIkey();
|
: tunnelInterfaceInfo.getIkey();
|
||||||
|
|
||||||
try {
|
try {
|
||||||
c.setMarkValue(mark);
|
// TODO: enable this when UPDSA supports updating marks. Adding kernel support upstream
|
||||||
c.setMarkMask(0xffffffff);
|
// (and backporting) would allow us to narrow the mark space, and ensure that the SA
|
||||||
|
// and SPs have matching marks (as VTI are meant to be built).
|
||||||
|
// Currently update does nothing with marks. Leave empty (defaulting to 0) to ensure the
|
||||||
|
// config matches the actual allocated resources in the kernel.
|
||||||
|
//
|
||||||
|
// c.setMarkValue(mark);
|
||||||
|
// c.setMarkMask(0xffffffff);
|
||||||
|
|
||||||
if (direction == IpSecManager.DIRECTION_OUT) {
|
if (direction == IpSecManager.DIRECTION_OUT) {
|
||||||
// Set output mark via underlying network (output only)
|
// Set output mark via underlying network (output only)
|
||||||
@@ -1758,7 +1768,7 @@ public class IpSecService extends IIpSecService.Stub {
|
|||||||
tunnelInterfaceInfo.getLocalAddress(),
|
tunnelInterfaceInfo.getLocalAddress(),
|
||||||
tunnelInterfaceInfo.getRemoteAddress(),
|
tunnelInterfaceInfo.getRemoteAddress(),
|
||||||
transformInfo.getSpiRecord().getSpi(),
|
transformInfo.getSpiRecord().getSpi(),
|
||||||
mark,
|
mark, // Must always set policy mark; ikey/okey for VTIs
|
||||||
0xffffffff);
|
0xffffffff);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
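Review bot: In the applyTunnelModeTransform hunk the SA config `c` is now left with mark 0/mask 0 while the policy installed a few lines later still passes `mark`/`0xffffffff`, so the two commented-out setter calls at the top of the try block are dead code that will only drift; delete them and let the TODO state the intended end state instead, e.g. `// TODO(<tracking bug>): once UPDSA can update marks, set c's mark/mask to match the SP (ikey/okey, 0xffffffff).` The TODO cites no bug at all, and the kernel-support work it describes is separate from this fix, so reference whichever bug tracks it so the narrowing is not forgotten. Whether `c` here is the same object that went through checkIpSecConfig (where the earlier hunk zeroes both fields) is not visible in this hunk; if it is not, the SA would be created with whatever mark the caller supplied, which is exactly the config/kernel mismatch this change is meant to remove, so a one-line comment such as `// c's mark/mask were cleared in checkIpSecConfig; the SA is created unmarked` would make the invariant explicit. The enclosing method starts and ends outside the hunk.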