Currently, strict mode private DNS does not work on VPNs because
NetworkMonitor does not validate VPNs. When a VPN connects, it
immediately transitions to ValidatedState, skipping private DNS
hostname resolution.
This change makes NetworkMonitor perform private DNS hostname
resolution and evaluation even on VPNs.
In order to ensure that the system always immediately switches to
the VPN as soon as it connects, remove the unvalidated penalty
for VPN networks. This ensures that the VPN score is always 101
and the VPN always outscores other networks as soon as it
connects. Previously, it would only outscore other networks
when no-op validation completed.
Backport of 1a26465d92.
Bug: 122652057
Test: atest FrameworksNetTests
Test: manually ran a VPN with private DNS in strict mode
Test: atest android.net.cts.ConnectivityManagerTest com.android.cts.net.HostsideVpnTests
Change-Id: Iaa78a7edcf23755c89d7b354edbc28d37d74d891
Merged-In: Iaa78a7edcf23755c89d7b354edbc28d37d74d891
This reverts commit 8ddb8a2d84.
Reason for revert: Retargeted for June monthly release
Bug: 119129310
Change-Id: I9d543415c5707859cfa2a14a1a8ce5909aae7d11
Merged-In: Id0abc4d304bb096e92479a118168690ccce634ed
This reverts commit 5ffc7e609f.
Bug: 126245192
Reason for revert: This change can lead to a deadlock that was fixed in http://ag/6580635. However, platform PMs think that fixing this is risky enough as this is not a recent problem and has been in the field for 3/4 of the year.
Note: The merged-in tag is used to avoid this change from getting merged into pi-dev-plus-aosp. This is to avoid merge conflicts since we mostly work in aosp/master which merges into pi-dev-plus-aosp.
Change-Id: I3814bcec87efb059f50f00617406501aaeac3b4d
Merged-In: Id0abc4d304bb096e92479a118168690ccce634ed
NSS needed it for getting VpnInfo[], NetworkState[] and
activeLinkProperties which it used to query via ConnectivityManager.
For VpnInfo[], this was racy as NSS may ignore intermediate changes to a
VPN's underlying networks. See http://b/123961098 for more context.
It may also lead to deadlocks b/w ConnectivityService and
NetworkStatsService. See http://b/126245192 for more info.
This change will ensure that NSS is never contending on any of
ConnectivityService locks.
This change also is cherry-picking cleanup made to NSS in
http://aosp/628368.
Bug: 123961098
Bug: 126245192
Bug: 120145746
Test: atest FrameworksNetTests
Change-Id: Ia687845888434c8ddd24bdf44b4c70dfe80e03f5
Merged-In: I57e117bb4e9efe491b19d6b5a479f2d58d1c58e6
Previously, they were only updated when underlying network set was
non-null.
This change also ensures that all the calls b/w ConnectivityService and
Vpn that leads to updating capabilities are on ConnectivityService
handler thread.
Additionally, it also ensures that capabilities are propagated after VPN
enters connected state.
This change also updates VPN capabilities inline from
ConnectivityService handler thread. Previously, there was an additional
loop where Vpn would update capabilities via NetworkAgent thru
AsyncChannel which posts back to CS handler thread, which could
potentially lead to delays in updating VPN capabilities.
Bug: 119129310
Bug: 118856062
Bug: 124268198
Test: atest FrameworksNetTests
Test: manual - verified VPNs capabilities are getting updated and
DownloadManager is working correctly.
(cherry picked from commit 273f900b3b)
Change-Id: Iae5f2024b19df04c31938815b52687781d016cde
Merged-In: Id0abc4d304bb096e92479a118168690ccce634ed
In handleUpdateLinkProperties(), it will always assign newLp
to nai first. Then, the copied newLp would add some configurations
ex: private dns/clatd. This updated newLp wouldn't be assigned back to
nai when linkproperties is not changed.
Bug: 113637648
Test: - build, flash, booted
- atest FrameworksNetTests
- run CtsNetTestCases
Change-Id: I9e25e46718e076d4afa784ee5e1d3abbe0f11911
Rather than use the crufty config.xml list of upstream transport types,
use ConnectivityService's notion of the default network for the upstream.
In cases where a DUN network is required and the default network is
currently a mobile network, look for a DUN network (code in Tethering
is currently responsible for requesting one).
Test: as follows
- built, flashed, booted
- runtest frameworks-net
- tethered via mobile, joined captive portal network, maintained
laptop access via mobile until captive passed (then used wifi)
- disabled client mode wifi, disabled mobile data, plugged in
ethernet adapter, observed connectivity via ethernet
Bug: 32163131
Bug: 62648872
Bug: 63282480
Bug: 109786760
Bug: 110118584
Bug: 110260419
Change-Id: I925b75994e31df8046f3ef9916a2457b4210485e
updateLinkProperties copied the linkProperties in networkAgent,
but the clat fix-up function did not copy stacked link into new one.
This caused an incorrect clat iface removal, and the IPv4 network
to be unreachable.
Bug: 80261579
Test: 1. ping after ipv6 only data call with 2g voice call on/off
2. runtest frameworks-net
3. run cts -m CtsNetTestCases
Change-Id: Ide47a3b0680dddfcf3e2e759a59b19aee3605050
VPNs are not driven by NetworkRequests, so there's no risk of a
capability change on a VPN causing a connect/teardown loop.
Bug: 80439912
Test: builds, boots
Change-Id: Ic4c489ccc9fb97551d1ef440766f6cf6f99522db
...as opposed to after the async channel finished disconnecting.
Bug: 78308259
Test: runtest frameworks-net
also used a device with this patch over the weekend and
tried all I could think of
Change-Id: I77ad6d97abb20815b801a794eaa9685acf2d1173
This is a pinpoint fix against the bug listed below. While a client
is synchronously reading the LinkProperties of a network, the
ConnectivityServiceThread is updating its properties. Make sure
that update is done atomically.
This is a stopgap countermeasure against a problem that is
pervasive with usage of LinkProperties, but fixing the problem
itself will happen later.
Bug: 80077223
Test: runtest frameworks-net
Change-Id: I9302f8fb5303cb39aa82691d4f6d7f38707a41fa
Support keeping IpClient logs around and dumping them
during dumpsys. Previously we got this benefit for
wifi by virtue of WifiStateMachine's long-lived nature.
Now that this is changing we need to be sure we have
logs, and this method gets us Ethernet logs as well.
Bug: 62476366
Bug: 77999594
Test: as follows
- built
- flashed
- booted
- runtest frameworks-net passes
- dumpsys connmetrics [ipclient] works
Change-Id: I1136a83de8097fdb4130debe1eaf689be7132fe5
ApfFilter maintains separate counters for each reason why a packet was
passed or dropped by the filter logic.
There's also a total which should match the individual counters,
*unless* the APF interpreter aborted execution early due to an illegal
instruction or an out-of-bounds access.
Test: both on APFv2 and APFv4-capable device:
runtest -x tests/net/java/android/net/ip/IpClientTest.java
runtest -x tests/net/java/android/net/apf/ApfTest.java
manual tests connected to an AP
Bug: 73804303
Change-Id: I54b17fcbb95dfaea5db975d282314ce73d79d6ec
Bug: 77737389
Test: runtest framework-net
new test don't pass without the main code change, but they
do with it
Change-Id: I0cd83a935ab0b349aa47e065b830e5a43ab9a091
Relies on events sent from netd in aosp/578162.
Test: Added tests to ConnectivityServiceTest. Added a new test
class DnsManagerTest. Built a simple app that appears to
receive onLinkProperties events correctly upon manual changes
to the private DNS settings on a Pixel.
Bug: 71828272
Merged-In: I1e6c54ba016f6a165a302bd135a29d9332aaa235
Merged-In: I7705412803fb9aa707a18ae5a1c50292e084d851
Change-Id: I3223c1285a73d5d531c5051ce70007857caa57e3
(cherry picked from commit f4977499c4)
Moves this out of ConnectivityService and into each NetworkMonitor
(where it's more self-contained).
Test: as follows
- builds, flashes, boots
- runtest frameworks-net passes
- manual testing with working and non-working hostnames behaves
somewhat (but not entirely) as expected, and not always quickly
Bug: 64133961
Bug: 72345192
Bug: 73872000
Bug: 77140445
Merged-In: I5dc90ecfe6f6f10967b7501645ad8e030cb38982
Merged-In: Ida4967d22f0781524f0f269e30e653b8ec867258
Change-Id: Ic4322af3cb49149f2d975cb31f54b2ac7927f907
(cherry picked from commit 076bd3d8e3)
This change comprises the following parts:
[1] android.net.dns.ResolvUtil, containing methods that encapsulate the
use of the high bit in netids used in DNS resolution contexts.
[2] Updates to captive portal apps to call the ResolvUtil method that
enables DNS-over-TLS bypass for the captive portal app process.
Test: as follows
- builds
- flashes
- boots
- runtest frameworks-net passes
Bug: 64133961
Bug: 72345192
Merged-In: I0994b53d24ed25a2eb9e65429c61cf6fa87c7513
Merged-In: I4c49e23d8caa4d485df1c1d2f135a7282d439c0b
Change-Id: I2072c1f68d6978fa0d7e9d8693135a2c51bb0f87
(cherry picked from commit 95a39bec90)
Tethering currently wants access to complex isTetheringSupported
logic that is only available in ConnectivityService. Instead of
trying to access that via ConnectivityManager, pass this capability
in to Tethering directly, in the TetheringDependencies object.
Also:
- ConnectivityManager is only a source of static constants now,
so "import static" all the constants that are actually used.
Test: as follows
- built
- flashed
- booted
- runtest frameworks-net works
- manual USB towards WiFi tethering works
Bug: 68951715
Merged-In: Ifa121b057f9959ddb980edc940327929e48ea973
Merged-In: Iad6358dc2f1d10b322d22ec90543adc50882962d
Change-Id: Ia64faaadefb4a5d84a50da98bdebd544b6fda101
(cherry picked from commit b9f6f7e668)
Useful for clients such as BatteryStats which currently rely
on NetworkStatsFactory. Data at that stage is incomplete as
it does not account for tethering, VT data and corresponding
464xlat corrections.
Test: runtest frameworks-net, CTS tests pass.
Bug: b/72107146
Merged-In: I31c5b9b4a7c6e72910152415894a137f000a5858
Merged-In: I2527d95000c7500c824ede70f87ecb38e21ed323
(cherry picked from aosp 6f124c455f)
Change-Id: Ie80f1bb21124241f3414f9be77aceac9a44ec6d1
This will let ConnectivityService send the right callbacks to the
relevant apps.
Test: manual with apps
runtest frameworks-net
cts
new tests for this functionality
Bug: 67408339
Change-Id: I6f08efd9e73c7e191f833d7f307a3bf4c9e2f0b4
