We only ever return DROP_UNLESS_DNS on ingress,
so the ordering doesn't actually matter.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I742b85748433f5319d518bebc05d976d630b72e7
This adds the core BPF implementation of Android network packet tracing.
The new code looks into the skb to pull out various bits of information.
Both the program and the ring buffer are restricted to 5.8+ kernels and
userdebug or eng builds.
With the packet_info_config map defaulting to zero, userdebug and eng
builds won't run any of the tracing today. The only effect will be 32k
memory increase for the ringbuf and the check on the config array.
Bug: 246985031
Test: build & flash both userdebug and user
Change-Id: I144da2971c0738b565ad58abc17e456209f13bde
These all default to false, never ignoring the maps.
Bug: 246985031
Test: build connectivity module
Change-Id: I404d56dcb311b34587d56dd6edc292029c4ad83f
This change updates callers to include the new ignore_on and bpfloader
arguments as per the change in aosp/2374598.
Bug: 246985031
Test: tethering build & install, full platform build & install
Change-Id: Id940a6003ae4cb0bbfc65db8ff96590c4f3c847b
This is a repeat of:
https://android-review.git.corp.google.com/c/platform/packages/modules/Connectivity/+/2266447
which was reverted in:
https://android-review.git.corp.google.com/c/platform/packages/modules/Connectivity/+/2372509
This time with kver >= 4.14 protections of the bpf_skb_adjust_room()
bpf helper which isn't present on 4.9 T devices.
Original change comments:
Tested manually on a flame device connected to an ipv6-only wifi
network (GoogleGuest).
On server:
nc -4 -l -u -p 443
On client (phone):
adb shell nc -4 -u my.server 443
On client (phone):
adb shell tcpdump -l -ee -vv -s 1600 -i v4-wlan0
On client send something to server "Hi."
On server send something to client "Hey!"
You should see normal unfragmented IP packets.
Then on server send something really long (I used 57 copies of the 26 letter English alphabet). This should be long enough that fragmentation is required.
You should see tcpdump show 2 ipv4 fragments, and netcat
show the packet being delivered correctly.
(and previous versions of the code were buggy and were
resulting in corrupt packets and things not working)
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I6758e63d8133215edd26b4cd2d73a5b5f261ffd1
This reverts commit be9685c35c.
Reason for revert:
fails on 4.9 due to bpf_skb_adjust_room requiring a later kernel,
will need an alternative approach
Bug: 261818177
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I26535a96de80febc2fd54dcb564cde4f9ed7b3c9
will make it easier to extend this for 5.4+ behaviour as well
without having to introduce another is_5_4 boolean
Bug: 263884894
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id4f6512d813dd460cb2b9a7ccb6a5f7b7e937575
easier on bpf verifier with no third case
Bug: 263884894
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5076de6f83ba522ed4783bca0a9d7fca4024986a
The comment added by:
https://android-review.git.corp.google.com/c/platform/packages/modules/Connectivity/+/2261966
'offload.c - make tether_error_map read only.'
mentions offload.o loading on T when it should talk about S+.
Tethering offload bpf code was mainlined in S.
(T mainlined all the other bpf code)
Bug: 254543135
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I10b89691082e451115e61dedbdc0dac7a58e499c
To quote: https://www.rfc-editor.org/rfc/rfc6145
4.1 Identification:
The low-order 16 bits copied from the Identification field in
the IPv4 header. The high-order 16 bits set to zero.
5.1.1 Identification:
Copied from the low-order 16 bits in the Identification field in
the Fragment Header.
The RFC does not mention endianness. But I'm assuming it thinks
of things as network, ie. big, endian.
This matches userspace external/android-clat/translate.c:214
ip_targ->id = htons(ntohl(frag_hdr->ip6f_ident) & 0xffff);
This takes the 3rd and 4th byte of the 32-bit ipv6 frag ident field:
see also line 195:
frag_hdr->ip6f_ident = htonl(ntohs(old_header->id));
and
packages/modules/Connectivity/bpf_progs/bpf_net_helpers.h
// Android only supports little endian architectures
#define htons(x) (__builtin_constant_p(x) ? ___constant_swab16(x) : __builtin_bswap16(x))
#define htonl(x) (__builtin_constant_p(x) ? ___constant_swab32(x) : __builtin_bswap32(x))
#define ntohs(x) htons(x)
#define ntohl(x) htonl(x)
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ie4eed30cfd0e3e3e4dfa6c1a54751dcae1f9972b
and get rid of some macros while we're at it.
This is just slightly easier to read.
(side note: this is all resolved at compile time!)
Bug: 259199087
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I7b38afd4b6f9d73b4f34a90040639f0780544ac8
This effectively reverts commit 6ed2ab9b57,
while ensuring that the program has the right permissions as
defined in r.android.com/2130014 :
oriole:/ # ls -lZ /sys/fs/bpf/netd_shared/prog_netd_cgroupsock_inet_create
-r--r----- 1 root root u:object_r:fs_bpf_netd_readonly:s0 0 2022-10-27 20:05 /sys/fs/bpf/netd_shared/prog_netd_cgroupsock_inet_create
Reason for revert: need to support 4.9 devices upgrading to T.
The only thing that cannot currently be supported on those
devices is the inet_create program which implements the
INTERNET permission.
Also, update bpf_existence_test so it does not check for the
existence of the program on pre-4.14 devices.
Bug: 254001921
Test: atest bpf_existence_test
Change-Id: I14f26cee5feeaae93b4d9710a7b9a2f835ff405f
Tested manually on a flame device connected to an ipv6-only wifi
network (GoogleGuest).
On server:
nc -4 -l -u -p 443
On client (phone):
adb shell nc -4 -u my.server 443
On client (phone):
adb shell tcpdump -l -ee -vv -s 1600 -i v4-wlan0
On client send something to server "Hi."
On server send something to client "Hey!"
You should see normal unfragmented IP packets.
Then on server send something really long (I used 57 copies of the 26 letter English alphabet). This should be long enough that fragmentation is required.
You should see tcpdump show 2 ipv4 fragments, and netcat
show the packet being delivered correctly.
(and previous versions of the code were buggy and were
resulting in corrupt packets and things not working)
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iafbe718f7d6427b3e318c8f3f1ecfe2a13d47540
This is not used, and cannot be used: clat v4-* interfaces
are - by virtue of method of creation - always rawip.
This is because they are tun (not tap) devices.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iaafdd6e471c63668d7fe79b62257255bf98c4fb8
Devices with a large number of app uids, particularly those with
multiple work profiles or secondary users, may quietly experience
failures making adjustments to firewall rules, resulting in apps being
blocked from accessing the network when they should be allowed, and
becoming a noticeable problem when using Battery Saver mode.
The misleading "Argument list too long" error in logs signifies that
a BPF map (uid_owner_map in this case) has reached its maximum entries.
This patch doubles that to 4000. uid_permission_map is also affected,
and because uid_counterset_map involves uids too, we do the same there.
bpf_shared.h contains comments urging caution with regard to potential
kernel memory limits. Fortunately, BPF maps have been consolidated
since the comments were written, leaving enough room to easily make
this change without cause for concern. This patch effectively increases
the total size of BPF maps from 3643K to 4077K, which remains beneath
the 4930K used by the maps' pre-consolidation implementation.
Change-Id: I293f99ec498e4ccac98c39f298ba01ba554f2e33
be more consistent, and thus also less htons() calls
Test: TreeHugger, atest DscpPolicyTest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ia331a33a615a598e061db53ae180fffaef7a4342
(these only affect boot time logging)
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I3f315c5eabe73d3378e6ca0059f05221df7bab5e
