Mostly this is cut-and-paste of bottom half of do_forward4
function into a separate function to force the compiler to
emit two differently optimized versions of the code based on
whether is_tcp is true or false.
Bug: 230359047
Test: TreeHugger, manually on flame
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I9e3e195ba601daaac2e0c9a70fad170a8fb4d921
(we avoid offload - for now - due to that being shipped to <T devices)
Before:
$ adbz shell ls -l /apex/com.android.tethering/etc/bpf/net_shared/*.o
-rw-r--r-- 1 system system 2848 1969-12-31 16:00 /apex/com.android.tethering/etc/bpf/net_shared/block.o
-rw-r--r-- 1 system system 10240 1969-12-31 16:00 /apex/com.android.tethering/etc/bpf/net_shared/clatd.o
-rw-r--r-- 1 system system 16144 1969-12-31 16:00 /apex/com.android.tethering/etc/bpf/net_shared/dscp_policy.o
-rw-r--r-- 1 system system 18840 1969-12-31 16:00 /apex/com.android.tethering/etc/bpf/net_shared/netd.o
After:
$ adbz shell ls -l /apex/com.android.tethering/etc/bpf/net_shared/*.o
-rw-r--r-- 1 system system 6192 1969-12-31 16:00 /apex/com.android.tethering/etc/bpf/net_shared/block.o
-rw-r--r-- 1 system system 19008 1969-12-31 16:00 /apex/com.android.tethering/etc/bpf/net_shared/clatd.o
-rw-r--r-- 1 system system 23960 1969-12-31 16:00 /apex/com.android.tethering/etc/bpf/net_shared/dscp_policy.o
-rw-r--r-- 1 system system 27112 1969-12-31 16:00 /apex/com.android.tethering/etc/bpf/net_shared/netd.o
So there is a minor increase in .o size, but this allows:
$ adbz shell cat /sys/fs/bpf/net_shared/map_netd_iface_index_name_map
# WARNING!! The output is for debug purpose only
# WARNING!! The output format will change
8: {['e','r','s','p','a','n','0',],}
1: {['l','o',],}
4: {['i','f','b','1',],}
2: {['d','u','m','m','y','0',],}
16: {['e','t','h','1',],}
5: {['t','u','n','l','0',],}
14: {['h','w','s','i','m','0',],}
17: {['w','l','a','n','0',],}
12: {['i','p','6','t','n','l','0',],}
18: {['w','l','a','n','1',],}
13: {['i','p','6','g','r','e','0',],}
3: {['i','f','b','0',],}
15: {['b','u','r','i','e','d','_','e','t','h','0',],}
9: {['i','p','_','v','t','i','0',],}
11: {['s','i','t','0',],}
10: {['i','p','6','_','v','t','i','0',],}
6: {['g','r','e','0',],}
7: {['g','r','e','t','a','p','0',],}
This is safe as the net_shared bpf programs are not loaded on pre-T devices,
and the T bpfloader is btf enabled.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I2d480391b6d1a6e2ba99b0445281684d4a51d74b
this hack is no longer needed now that duplicate target in system/netd
is no longer an issue due to automerger to sc-mainline-prod being
turned off
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id2c1dfac3bc4e6a8f5376a41ca2d1432b838da38
(this is safe because on pre-T none of these maps and programs are mainlined
and thus safe to access from mainline code anyway)
Test: TreeHugger, manual
Bug: 218408035
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I23e565d665247f33e084978890a1ee8ffe0fe568
In practice this function makes things readable and writable,
so use a less confusing name.
Test: TreeHugger, 'git grep try_make_readable' comes up empty
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I32faad148cc5714cf0ec7246620376ed4dd3d6d2
We now rely on the skb->mark = 0xDeadC1a7 setting side effect
for non offloadable packets, but for this to work reliably,
we *must* be able to read the ip header.
Test: TreeHugger, and on a gs101-based pixel
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ic2b15335099404047d136a92ce7aeeb1f11ccfa3
Per Maze@'s advice, we add a clat mark to the clat packet in ingress bpf
and drop the duplicate packets in iptables via mark match.
Bug: 218407445
Test: manual test with unmerged aosp/1951099
0. Connect to IPv6-only wifi
1. Clatd test: ping 5 times and check that iptables drop 5 packets by
mark 0xdeadc1a7.
$ adb shell ping 8.8.8.8
..
64 bytes from 8.8.8.8: icmp_seq=4 ttl=120 time=14.3 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=120 time=67.4 ms
$ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
Chain bw_raw_PREROUTING (1 references)
pkts bytes target prot opt in out source destination
5 520 DROP all any any anywhere anywhere mark match 0xdeadc1a7
0 0 RETURN all ipsec+ any anywhere anywhere
0 0 RETURN all any any anywhere anywhere policy match dir in pol ipsec
1661 1239K all any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf
2. Bpf test: run iperf to an IPv4 server and iptables doesn't see
offloaded packet with mark 0xdeadc1a7. Drop packet count (5) is
unchanged.
$ adb shell iperf3 -4 -c 117.102.109.186 -t1
Connecting to host 117.102.109.186, port 5201
[ 5] local 192.0.0.4 port 56242 connected to 117.102.109.186 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 622 KBytes 5.09 Mbits/sec 0 44.0 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-1.00 sec 622 KBytes 5.09 Mbits/sec 0 sender
[ 5] 0.00-1.00 sec 201 KBytes 1.64 Mbits/sec receiver
$ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
Chain bw_raw_PREROUTING (1 references)
pkts bytes target prot opt in out source destination
5 520 DROP all any any anywhere anywhere mark match 0xdeadc1a7
0 0 RETURN all ipsec+ any anywhere anywhere
0 0 RETURN all any any anywhere anywhere policy match dir in pol ipsec
1804 1280K all any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf
3. Enable USB tethering. Do ping and iperf on tethered client.
4. Clatd test: ping 5 times and check that iptables drop 5 packets
(count from 5 to 10) by mark 0xdeadc1a7.
$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
..
64 bytes from 8.8.8.8: icmp_seq=4 ttl=119 time=13.7 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=119 time=15.9 ms
$ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
Chain bw_raw_PREROUTING (1 references)
pkts bytes target prot opt in out source destination
10 1040 DROP all any any anywhere anywhere mark match 0xdeadc1a7
0 0 RETURN all ipsec+ any anywhere anywhere
0 0 RETURN all any any anywhere anywhere policy match dir in pol ipsec
1900 1298K all any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf
5. Bpf test: run iperf to an IPv4 server and iptables doesn't see
offloaded packet with mark 0xdeadc1a7. Drop packet count (10) is
unchanged.
$ iperf3 -4 -c 117.102.109.186 -t1
Connecting to host 117.102.109.186, port 5201
[ 5] local 192.168.235.233 port 41602 connected to 117.102.109.186 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 3.19 MBytes 26.8 Mbits/sec 0 369 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-1.00 sec 3.19 MBytes 26.8 Mbits/sec 0 sender
[ 5] 0.00-1.00 sec 2.58 MBytes 21.7 Mbits/sec receiver
$ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
Chain bw_raw_PREROUTING (1 references)
pkts bytes target prot opt in out source destination
10 1040 DROP all any any anywhere anywhere mark match 0xdeadc1a7
0 0 RETURN all ipsec+ any anywhere anywhere
0 0 RETURN all any any anywhere anywhere policy match dir in pol ipsec
1978 1320K all any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf
Change-Id: I180206bb15a1362c678f42fb980b60dfed6ce1ab
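The counter check that the manual test steps above perform by eye, as an added example (not part of the original commit message or of the project's code). The helper names `clat_drop_pkts` and `check_clat_drop_delta` are hypothetical, and the sample listings are constructed from the `ip6tables -v` format shown above.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; sample listings are constructed.
CLAT_MARK=0xdeadc1a7

# Read `ip6tables -t raw -L bw_raw_PREROUTING -v` output on stdin and print the
# packet counter of the DROP rule matching the clat mark. Returns 1 if the rule
# is missing. Listing with -x as well keeps large counters exact (no K/M suffix).
clat_drop_pkts() {
    awk -v mark="$CLAT_MARK" '
        $3 == "DROP" && index(tolower($0), "mark match " mark) { print $1; found = 1; exit }
        END { exit !found }
    '
}

# $1 = listing before, $2 = listing after, $3 = expected counter increase:
# 5 after five translated pings, 0 after offloaded iperf traffic.
# Returns 0 on match, 1 on mismatch, 2 if a counter is missing or abbreviated.
check_clat_drop_delta() {
    before=$(printf '%s\n' "$1" | clat_drop_pkts) || return 2
    after=$(printf '%s\n' "$2" | clat_drop_pkts) || return 2
    case "$before$after" in *[!0-9]*) return 2 ;; esac
    [ $((after - before)) -eq "$3" ]
}

# Constructed samples following steps 1, 2 and 4 of the test description.
HDR='Chain bw_raw_PREROUTING (1 references)
 pkts bytes target prot opt in out source destination'
TAIL='    0     0 RETURN all ipsec+ any anywhere anywhere'
SAMPLE_PING="$HDR
    5   520 DROP all any any anywhere anywhere mark match 0xdeadc1a7
$TAIL"
SAMPLE_IPERF="$SAMPLE_PING"
SAMPLE_TETHER_PING="$HDR
   10  1040 DROP all any any anywhere anywhere mark match 0xdeadc1a7
$TAIL"

if check_clat_drop_delta "$SAMPLE_PING" "$SAMPLE_IPERF" 0; then
    echo "offloaded traffic did not hit the mark-match DROP rule"
fi
if check_clat_drop_delta "$SAMPLE_IPERF" "$SAMPLE_TETHER_PING" 5; then
    echo "five clat packets were dropped by mark $CLAT_MARK"
fi
```

On a device, capture each listing with `adb shell ip6tables -t raw -L bw_raw_PREROUTING -v -x` before and after generating traffic and pass the two captures to `check_clat_drop_delta`.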
New Connectivity Service exposed to vendor for
restricting certain ports for use only in vendor.
Bug: 179733303
Change-Id: Iad9aff6924498ede5a08cfa5482082f094c0a90b
Change gid BPF programs from AID_ROOT to AID_SYSTEM because
system_server needs to access them.
Bug: 202086915
Test: test in Ib0e935ee2b714ac61daceba6d13fa7a20f97f68f
Change-Id: I8c0019f141414994aad2986cc5dfdb7dd027a36a
1. Add libnetd_updatable.so in com.android.tethering. The library is
loaded by netd. Currently, it mainly targets a few functions which
access BPF maps. The functionality may extend in the future.
2. Attach cgroup progs from libnetd_updatable.so.
3. Move (privileged)TagSocket and untagSocket implementation to mainline
module. Combine privilegedTagSocket and untagSocket into a single
function.
4. Split related unit tests from netd_unit_test to
libnetd_updatable_unit_test as well.
Bug: 202086915
Test: cd system/netd; atest
Test: atest TrafficStatsTest NetworkUsageStatsTest
Change-Id: Ib556458103a4cbb643c1342d9b689ac692160de0
New events to handle adding and removing of DSCP QoS policies.
Async indication sends status back to client if the policy
has been added, failed, or if the policy limit has been
reached.
Bug: 202871011
Change-Id: I7988d22ae625ad0dd415927d2943de4a749e6fb8
Two reasons for renaming:
1. Avoid module name collision in sc-mainline-prod branch.
2. The libnetdbpf was misnamed before.
Bug: 202086915
Test: atest libnetworkstats_test FrameworksNetTests
ConnectivityCoverageTests FrameworksNetSmokeTests
CtsAppOpsTestCases
Change-Id: I87fcf4b1a9d58780a45743a9aa91b9b936e54266
Needed because ClatdController and clatd binary are moved
into apex. libclat is used for accessing BPF map.
Bug: 212345928
Test: build
Change-Id: I1be5d4c9cc2c9865ac99f2595443e54e7334c843
Tethering module.
Delete tagSocket(), privilegedTagSocket() and untagSocket() since
they are moved out of TrafficController in aosp/1849156.
Bug: 202086915
Test: m; flash; boot;
Change-Id: Ifeaeb060fbf1add9f06748e7846b9e11e0345bda
This is a clean move. The content of netd.c is not changed. The object
name is still netd.o. But the module name is renamed to netd.o_mainline
to avoid name collision in sc-mainline-prod branch.
Modified Android.bp according to the file location. The sub_dir is
newly specified. The object file will be compiled to:
- apex/com.android.tethering/etc/bpf/net_shared/netd.o
The extracted programs and maps will be in:
- sys/fs/bpf/net_shared/
The netd.o will not be loaded in pre-T because the bpfloader before T
does not load objects from paths other than:
- apex/com.android.tethering/etc/bpf/
- /system/etc/bpf/
Bug: 202086915
Test: cd system/netd; atest
Test: atest TrafficStatsTest NetworkUsageStatsTest
Change-Id: I5281c851341f9258a37d8aad6da4196c06342940
The header file is referenced by the part going to be mainlined in Netd.
Note that some platform visibility is required with this commit, since
users of bpf_shared.h are currently located in platform. The visibility
can be removed when all users are moved out of platform.
Bug: 202086915
Test: m; flash; boot
Test: cd system/netd && atest
Test: cd packages/modules/Connectivity && atest
Test: atest FrameworksNetTests
Change-Id: I5c16511b6a2d4eb80dfd93157cbc98d5030bd5ac
The folder is currently used by tether offload only. Because we will
move netd.c and clatd.c to it, the folder should be moved to the upper
tier.
Also, rename bpf_tethering_headers to bpf_connectivity_headers so that
other connectivity code besides tethering is justified in using it.
Bug: 202086915
Test: atest FrameworksNetTests
Change-Id: I95943c6e909f1fdca12604ef0c55d67c39ca686b