The comment added by:
https://android-review.git.corp.google.com/c/platform/packages/modules/Connectivity/+/2261966
'offload.c - make tether_error_map read only.'
mentions offload.o loading on T when it should talk about S+.
Tethering offload bpf code was mainlined in S.
(T mainlined all the other bpf code)
Bug: 254543135
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I10b89691082e451115e61dedbdc0dac7a58e499c
To quote: https://www.rfc-editor.org/rfc/rfc6145
4.1 Identification:
The low-order 16 bits copied from the Identification field in
the IPv4 header. The high-order 16 bits set to zero.
5.1.1 Identification:
Copied from the low-order 16 bits in the Identification field in
the Fragment Header.
The RFC does not mention endianness, but I'm assuming it thinks
of things as network (i.e. big) endian.
This matches userspace external/android-clat/translate.c:214
ip_targ->id = htons(ntohl(frag_hdr->ip6f_ident) & 0xffff);
This takes the 3rd and 4th byte of the 32-bit ipv6 frag ident field:
see also line 195:
frag_hdr->ip6f_ident = htonl(ntohs(old_header->id));
and
packages/modules/Connectivity/bpf_progs/bpf_net_helpers.h
// Android only supports little endian architectures
#define htons(x) (__builtin_constant_p(x) ? ___constant_swab16(x) : __builtin_bswap16(x))
#define htonl(x) (__builtin_constant_p(x) ? ___constant_swab32(x) : __builtin_bswap32(x))
#define ntohs(x) htons(x)
#define ntohl(x) htonl(x)
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ie4eed30cfd0e3e3e4dfa6c1a54751dcae1f9972b
and get rid of some macros while we're at it.
This is just slightly easier to read.
(side note: this is all resolved at compile time!)
Bug: 259199087
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I7b38afd4b6f9d73b4f34a90040639f0780544ac8
This effectively reverts commit 6ed2ab9b57,
while ensuring that the program has the right permissions as
defined in r.android.com/2130014 :
oriole:/ # ls -lZ /sys/fs/bpf/netd_shared/prog_netd_cgroupsock_inet_create
-r--r----- 1 root root u:object_r:fs_bpf_netd_readonly:s0 0 2022-10-27 20:05 /sys/fs/bpf/netd_shared/prog_netd_cgroupsock_inet_create
Reason for revert: need to support 4.9 devices upgrading to T.
The only thing that cannot currently be supported on those
devices is the inet_create program which implements the
INTERNET permission.
Also, update bpf_existence_test so it does not check for the
existence of the program on pre-4.14 devices.
Bug: 254001921
Test: atest bpf_existence_test
Change-Id: I14f26cee5feeaae93b4d9710a7b9a2f835ff405f
Tested manually on a flame device connected to an ipv6-only wifi
network (GoogleGuest).
On server:
nc -4 -l -u -p 443
On client (phone):
adb shell nc -4 -u my.server 443
On client (phone):
adb shell tcpdump -l -ee -vv -s 1600 -i v4-wlan0
On client send something to server "Hi."
On server send something to client "Hey!"
You should see normal unfragmented IP packets.
Then on server send something really long (I used 57 copies of the 26 letter English alphabet). This should be long enough that fragmentation is required.
You should see tcpdump show 2 ipv4 fragments, and netcat
show the packet being delivered correctly.
(and previous versions of the code were buggy and were
resulting in corrupt packets and things not working)
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iafbe718f7d6427b3e318c8f3f1ecfe2a13d47540
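The following is an added worked example, not code from any of the commits above nor from android-clat's translate.c. It carries the RFC 6145 Identification rules quoted in the earlier commit (4.1 and 5.1.1) through in C with the same byte-swap style as bpf_net_helpers.h, and then walks the two-fragment case from the manual flame test above, where the server's long datagram reaches v4-wlan0 as two IPv4 fragments translated from IPv6 fragments. Assumptions: the host is little-endian (as bpf_net_helpers.h assumes for Android), the swap macros carry a bpf_ prefix only to avoid clashing with libc, the `struct ip6_frag_hdr`/`struct ip4_frag_fields` types and all function names are this example's own, and the fragment headers are constructed, not captured.

```c
#include <stdint.h>
#include <string.h>

/*
 * bpf_net_helpers.h defines htons/htonl/ntohs/ntohl as plain byte swaps
 * because Android only supports little-endian targets. These copies make
 * the same assumption (assumption: this example is built on a LE host too)
 * and carry a bpf_ prefix only so they cannot collide with libc's versions.
 */
#define bpf_htons(x) __builtin_bswap16(x)
#define bpf_htonl(x) __builtin_bswap32(x)
#define bpf_ntohs(x) bpf_htons(x)
#define bpf_ntohl(x) bpf_htonl(x)

/* RFC 6145 4.1: IPv4 Identification -> IPv6 Fragment Header Identification.
 * Both values are in network byte order, exactly as they sit in the packet. */
static uint32_t v4_id_to_v6_ident(uint16_t id_net) {
    return bpf_htonl(bpf_ntohs(id_net));          /* high-order 16 bits are zero */
}

/* RFC 6145 5.1.1: IPv6 Fragment Header Identification -> IPv4 Identification.
 * Keeps the low-order 16 bits, i.e. the 3rd and 4th wire bytes of the ident. */
static uint16_t v6_ident_to_v4_id(uint32_t ident_net) {
    return bpf_htons(bpf_ntohl(ident_net) & 0xffff);
}

/* IPv6 Fragment Header, 8 bytes, laid out as on the wire (example's own type). */
struct ip6_frag_hdr {
    uint8_t  nexthdr;
    uint8_t  reserved;
    uint16_t offlg;    /* offset (13 bits, 8-octet units) | res (2 bits) | M (1 bit) */
    uint32_t ident;
};

/* The IPv4 header fields that a Fragment Header translates into. */
struct ip4_frag_fields {
    uint8_t  protocol;  /* Next Header copied from the Fragment Header */
    uint16_t id;        /* network order */
    uint16_t frag_off;  /* network order: flags (3 bits) | offset (13 bits) */
};

/* RFC 6145 5.1.1: MF copied from M, DF cleared, offset and ident copied. */
static struct ip4_frag_fields translate_frag_hdr(const struct ip6_frag_hdr *fh) {
    uint16_t offlg = bpf_ntohs(fh->offlg);
    uint16_t offset = offlg >> 3;
    uint16_t mf = offlg & 1;
    struct ip4_frag_fields v4;
    v4.protocol = fh->nexthdr;
    v4.id = v6_ident_to_v4_id(fh->ident);
    v4.frag_off = bpf_htons((uint16_t)((mf << 13) | offset));   /* DF (bit 14) = 0 */
    return v4;
}

/* Host-order views of the translated flags/offset, used by the checks below. */
static int v4_more_fragments(struct ip4_frag_fields v4) { return (bpf_ntohs(v4.frag_off) >> 13) & 1; }
static int v4_dont_fragment(struct ip4_frag_fields v4)  { return (bpf_ntohs(v4.frag_off) >> 14) & 1; }
static unsigned v4_frag_offset(struct ip4_frag_fields v4) { return bpf_ntohs(v4.frag_off) & 0x1fff; }

/*
 * Walks the two-fragment case from the manual test: one UDP datagram that
 * arrives as two IPv6 fragments (constructed sample, not a capture) and is
 * translated to two IPv4 fragments. Returns 1 if every check passes, else 0.
 */
static int two_fragment_example(void) {
    const uint8_t ident_wire[4] = { 0x11, 0x22, 0x33, 0x44 };   /* constructed */
    struct ip6_frag_hdr first, second;
    uint8_t id_wire[2];

    first.nexthdr = 17; first.reserved = 0;                      /* UDP */
    first.offlg = bpf_htons((0u << 3) | 1u);                     /* offset 0, M=1 */
    memcpy(&first.ident, ident_wire, 4);
    second = first;
    second.offlg = bpf_htons((185u << 3) | 0u);                  /* 1480/8, M=0 */

    struct ip4_frag_fields a = translate_frag_hdr(&first);
    struct ip4_frag_fields b = translate_frag_hdr(&second);

    memcpy(id_wire, &a.id, 2);
    if (id_wire[0] != 0x33 || id_wire[1] != 0x44) return 0;     /* 3rd and 4th bytes */
    if (a.id != b.id) return 0;                /* both fragments share the id */
    if (a.protocol != 17 || b.protocol != 17) return 0;
    if (!v4_more_fragments(a) || v4_more_fragments(b)) return 0;
    if (v4_dont_fragment(a) || v4_dont_fragment(b)) return 0;
    if (v4_frag_offset(a) != 0 || v4_frag_offset(b) != 185) return 0;
    /* Going through 4.1 and then 5.1.1 gives the original 16-bit id back. */
    if (v6_ident_to_v4_id(v4_id_to_v6_ident(a.id)) != a.id) return 0;
    return 1;
}
```

The byte-position check is the point: on a little-endian host, reading the 32-bit ident, swapping, masking and swapping back lands the two low-order wire bytes in the IPv4 Identification field in the order they were on the wire, which is what `htons(ntohl(frag_hdr->ip6f_ident) & 0xffff)` in translate.c does.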
This is not used, and cannot be used: clat v4-* interfaces
are - by virtue of method of creation - always rawip.
This is because they are tun (not tap) devices.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iaafdd6e471c63668d7fe79b62257255bf98c4fb8
Devices with a large number of app uids, particularly those with
multiple work profiles or secondary users, may quietly experience
failures making adjustments to firewall rules, resulting in apps being
blocked from accessing the network when they should be allowed, and
becoming a noticeable problem when using Battery Saver mode.
The misleading "Argument list too long" error in logs signifies that
a BPF map (uid_owner_map in this case) has reached its maximum entries.
This patch doubles that to 4000. uid_permission_map is also affected,
and because uid_counterset_map involves uids too, we do the same there.
bpf_shared.h contains comments urging caution with regard to potential
kernel memory limits. Fortunately, BPF maps have been consolidated
since the comments were written, leaving enough room to easily make
this change without cause for concern. This patch effectively increases
the total size of BPF maps from 3643K to 4077K, which remains beneath
the 4930K used by the maps' pre-consolidation implementation.
Change-Id: I293f99ec498e4ccac98c39f298ba01ba554f2e33
be more consistent, and thus also fewer htons() calls
Test: TreeHugger, atest DscpPolicyTest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ia331a33a615a598e061db53ae180fffaef7a4342
(these only affect boot time logging)
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I3f315c5eabe73d3378e6ca0059f05221df7bab5e
The utility currently contains a firewall class that is used by DNS
resolver tests to block DNS packets.
Bug: 227159929
Test: atest resolv_integration_test
Change-Id: I5c5bc0b263a677f57cd63f002057ff0812f15e64
Move sources of connectivity_native_test to a dedicated folder so that
other native tests or utilities can be added to p/m/c/tests/native/ as
well.
Bug: 227159929
Test: atest connectivity_native_test
Change-Id: I97217fbb03b26ed79f1f34932b92c4227a1ece4d
It is most definitely worthwhile to cache negative lookups as well!
Test: TreeHugger, atest DscpPolicyTest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iab1a57a2611a891642fef0c5897918c16e0ca540
(and merge the ipv4 and ipv6 caches into one,
as there really is no need for separate ones)
Test: TreeHugger, atest DscpPolicyTest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ie62393ea428885076ef59af69ac3eafeeba2934f
The 'switch_comp_map' is never written to,
hence map A is always used anyway...
Additionally, this is backwards, i.e. the *wrong* maps were A/B:
it is not the cache that should be A/B but rather the policy map(s).
This simplification has the nice benefit of making the program
much simpler and thus presumably optimizing bpf verifier processing
and thus bpfloader runtime during boot.
The fact that these socket cache maps are never cleared from userspace
is a different bug that needs to be fixed.
Bug: 235559605
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ic2b0d20cd4e9e7290fb9fae38e1625ea1ed85a78
Use a single skb store bytes call for IPv6 instead of 2 API
calls for 2 uint8_t values; use 1 for a single uint32_t value.
Bug: 234808633
Change-Id: I31ecc6d7036fd71b10c60d320c1dc5ebf0b86cca
The raw IP program was removed, so there is no need to support it
anymore in match_policy().
Test: TH
Bug: 235559605
Change-Id: I755a9a55e3ad33a210145b2cc09578fdf4d66c79
This program was only used for tests as WiFi interfaces should always
include an ethernet header. Since the test has moved from tun to tap,
this can be deleted.
Support for using this program was already removed in a previous CL.
Test: TH
Bug: 235559605
Change-Id: I2148bce60992070790ba237176b99a40597ee751
The underscore character may cause bpf prog/map naming collisions. For
example, x.o with map y_z and x_y.o with map z both result in the x_y_z
prog/map name, which should be prevented at compile time.
aosp/2147825 will prohibit the underscore character in bpf source names
(the obj name derives from the source name). Existing bpf modules with
underscore characters in their source name need to be updated accordingly.
Bug: 236706995
Test: atest bpf_existence_test
Test: adb root; adb shell ls -l sys/fs/bpf/net_shared | grep dscpPolicy
Change-Id: Ibe98944d09d42bd11b78b5e9ae35ded48c70416d
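As an added illustration of the collision described in that commit (this is example code, not aosp/2147825 or the bpfloader's own check): the pinned name is built as `<kind>_<obj>_<name>`, the format visible in the `prog_netd_cgroupsock_inet_create` listing earlier on this page, and a scan over a table of (obj, name) pairs finds the pair that pins to the same path; the same table is then run through the rule that an obj name may not contain an underscore. Assumptions: the table contents are constructed, and `first_collision`, `obj_name_ok` and the other function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* One bpf object/program (or map) pair, as the loader would see it. */
struct bpf_entry { const char *obj; const char *name; };

/* Pinned name under /sys/fs/bpf, "<kind>_<obj>_<name>" (format as in the
 * prog_netd_cgroupsock_inet_create listing above). Returns 1 on success. */
static int pinned_name(char *out, size_t cap, const char *kind,
                       const char *obj, const char *name) {
    int n = snprintf(out, cap, "%s_%s_%s", kind, obj, name);
    return n >= 0 && (size_t)n < cap;
}

/* The rule described above: the obj name (derived from the source file name)
 * may not contain '_', so the first '_' after the kind prefix always marks
 * the obj/name boundary and two different pairs cannot pin to one path. */
static int obj_name_ok(const char *obj) {
    return *obj != '\0' && strchr(obj, '_') == NULL;
}

/* Returns the index of the first entry whose pinned name repeats an earlier
 * entry's pinned name, or -1 if there is no collision (or a name overflowed). */
static int first_collision(const struct bpf_entry *e, size_t n) {
    char a[128], b[128];
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++) {
            if (!pinned_name(a, sizeof a, "prog", e[i].obj, e[i].name)) return -1;
            if (!pinned_name(b, sizeof b, "prog", e[j].obj, e[j].name)) return -1;
            if (strcmp(a, b) == 0) return (int)j;
        }
    return -1;
}

/* Constructed sample: the x.o / x_y.o case from the commit message plus a
 * well-formed entry taken from the listing earlier on the page. */
static const struct bpf_entry sample[] = {
    { "x",    "y_z" },
    { "x_y",  "z" },
    { "netd", "cgroupsock_inet_create" },
};
#define SAMPLE_LEN (sizeof sample / sizeof sample[0])

/* Index of the colliding entry in the sample (expected: 1, "x_y"/"z"). */
static int sample_collision(void) {
    return first_collision(sample, SAMPLE_LEN);
}

/* Index of the first sample entry the underscore rule would reject, or -1.
 * Rejecting "x_y" at build time is what removes the collision above. */
static int sample_first_rejected(void) {
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        if (!obj_name_ok(sample[i].obj)) return (int)i;
    return -1;
}
```

Note that underscores inside the prog or map name itself (`cgroupsock_inet_create`) are harmless; only the obj part is constrained, which is why renaming the source file (e.g. to `dscpPolicy`) is enough.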
InProcessTethering runs as system_server (uid/gid AID_SYSTEM)
instead of as the network_stack (uid/gid AID_NETWORK_STACK).
Additionally only the network_stack has access to the default
selinux context of /sys/fs/bpf/tethering, which is fs_bpf_tethering,
so we need to use 'fs_bpf_net_shared' instead.
Bug: 190523685
Bug: 236925089
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ibb6ae255dcd8a8e8049be112055f60c3b2cf7df0