- Rename the conntrack destination port check function
- Use CollectionUtils.contains to check the denied ports
- Add tests for the streams with ftp and pptp tcp port are
not able to be offloaded
Bug: 195914327
Test: atest TetheringCoverageTests
Change-Id: I7e2591bea1f6db46271efb0c30970fb8d4efe1e4
The correct return code to keep on processing any further TC
attached programs is 'TC_ACT_PIPE' and not 'TC_ACT_OK' (which
is terminal).
Without this the ipv6 tether offload program causes termination
of processing and the ipv6 clatd offload program never actually
handles any packets (while tethering is active).
This results in lack of bpf xlat64 offloading for tethered ipv4
traffic on an ipv6-only (cellular) network.
This in turn means incoming TCP packets get GRO'ed, do not get
bpf offloaded, and get delivered to the clat daemon, which
due to them being bigger than the mtu (due to gro) cannot
handle them and discards them.
This results in poor performance, since tcp falls back to 1 mss/mtu
sized packet per rtt.
Tested via tethering a linux laptop on an ipv6-only cellular connection
and downloading the linux kernel from kernel.org via 'wget -6' and 'wget -4'.
Before:
IPv6: over 2MB/s, observed:
5805 packets, including 4 sackOK
IPv4: under 1MB/s, observed:
9300 packets, including 8 sackOK, 387 sack 1, 501 sack 2, 2310 sack 3
After:
IPv6: over 7MB/s, observed:
16702 packets, including 4 sackOK
IPv4: over 9MB/s, observed:
32755 packets, including 2 sackOK
Test: builds, TreeHugger, see above
Bug: 195624908
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I623dacb5a37dc689cea34499c3906c11fcaf946c
This test fails on devices where physical Ethernet interfaces are
available but marked restricted, like cuttlefish.
Bug: 197462993
Test: test-only change
Change-Id: I15c991b2e43e2d5e823dcdcfbd74adfd9b2f6f08
Bypass the IPv4 TCP packets with port 21 (ftp) and 1723 (pptp) from
BPF offload because these packets need the netfilter conntrack helper.
Bug: 195914327
Test: manual test as the follows
1. Connect to ftp.slackware.com with port 21 in active mode.
2. Check the PORT command success.
Command: PORT 192,168,62,128,174,17
Response: 200 PORT command successful.
3. Download a file.
Change-Id: I8e3b8d9323eb0e572f20c74442b55d4ee95abc2f
There are IpServerTest test case fail because the code check the wrong
code name for T pre-release builds.
Bug: 194812819
Test: atest TetheringTests
Change-Id: I73bf58c60b6e790fe0060b60c023c10f5d8cbfa8
Use exact alarm to fix entilement recheck delay problem while device
asleep.
Bug: 195370891
Test: atest TehteringTests
Change-Id: I409e603bf2b990657551e1140b50f69640c328d8
Needed because an invalid file descriptor should notify the caller to
stop using the object.
Bug: 190523685
Test: atest BpfMaptest
Change-Id: I70fb08b54b1c0caa4be4e3f07b59bf4f2397f39d
Using jarjar on intermediate libraries causes issues when they are
combined with other libraries that use different jarjar rules, as the
resulting binary may contain multiple incompatible copies of the
classes. Instead, jarjar should be used on the final artifact, after
combining the libraries.
Ensure NetworkStackJarJarRules is not applied on intermediate libraries
like TetheringIntegrationTestsLib, but instead apply it on
TetheringIntegrationTests or CtsTetheringTest.
Bug: 192535368
Test: atest TetheringCoverageTests TetheringIntegrationTests \
CtsTetheringTest
Change-Id: I248a533651984de81f676336c0e74e3788610bbb
Use CollectionUtils instead, which avoids using a hidden API.
Avoiding hidden API usage in tests is good in general, but this also
helps avoid jarjar problems where the com.android.internal.util package
is jarjared to some other package as some of its classes are included
in the module, and ArrayUtils cannot be found in the renamed package.
Bug: 192535368
Test: atest TetheringTest
Change-Id: I54dc8f6429d132a953ab1a674fe349fba4335936
b/145383354 is obsolete and this works as is (or we'd have found
out by now). Also min SDK version is set in the bp file and
would be overridden anyway.
Test: comment-only change
Change-Id: I6ad3263557ef67aa642672863eed82a312c2ab40
Also ignore DadProxyTest before S because it is only enabled from S.
To using ignore test rule, replace AndroidJunit with DevSdkIgnoreRunner.
It is fine because the we don't use the test UI (e.g. running test in UI
thread).
Test: atest TetheringPrivilegedTests
Change-Id: I701ee877520f78ded2394adbae1f4d9dd612d700
After moving all netlink-client stuff to frameworks/libs/net/common
and build it as an individual library, deprecate the netlink-client
lib and use net-utils-device-common-netlink instead.
Due to that the package name of netlink lib has changed, also update the
package name used in Tethering and ConnectivityService module.
Bug: 192535368
Test: atest TetheringTests TetheringIntegrationTests
Change-Id: Ic2078caf67a640836d98c5a2e4ca89939adcb896
Rather than adding throwErrnoException local function, using standard
jniThrowException in JNIHelp.h.
Also improve the readability:
1. Use throwIOException for
jniThrowExceptionFmt(env, "java/io/IOException", ...);
2. Use throwSoecktException for
jniThrowExceptionFmt(env, "java/net/SocketException", ...);
then the code can fit to one line.
Test: atest TetheringPrivilegedTests (ErrnoException is
test in BpfMapTest)
Change-Id: I396771e2c68e319f510d7a4ea5f263d18d7fad9d
This reverts commit a5c742be69.
Reason for revert:
Stop releasing this commit because it needs more test coverage.
Bug: 190783768
Bug: 192804833
Change-Id: I6e6b40b0f6207ed197d01bfabb616f1afa31fb70
Test: atest TetheringCoverageTests
This reverts commit 299a81157c.
Reason for revert:
Stop releasing this commit because it needs more test coverage.
Bug: 190783768
Bug: 192804833
Change-Id: I6a0d93e04814ae73e1ec7d6fd4df19e1d2787207
Test: atest TetheringCoverageTests
This reverts commit 118b5b578a.
Reason for revert:
Stop releasing this commit because it needs more test coverage.
Bug: 190783768
Bug: 192804833
Change-Id: Ie26f6e528999da42cfa66a5f6c1f187ad2276ae1
Test: atest TetheringCoverageTests
The version code in the manifest is only used for development
builds, as release builds dynamically replace it.
319999900 is appropriate as it indicates that the module is compatible
with S and earlier, and allows installing development versions on any
S build, which use 31xxxxxxx versions. It will also still allow installing
production T modules (32xxxxxxx) on a development S build. This is
convenient for local testing.
The same convention is also used for other modules including
NetworkStack.
Bug: 193853555
Test: m com.google.android.tethering, check version code
Change-Id: Ib8905a641780bed490a38327facee4a76e7770a3
The version code in the manifest is only used for development
builds, as release builds dynamically replace it.
Tethering should have been using 309999900 during S development. That
version was used in many downstream branches, so make it consistent so
it can be bumped for S in all branches.
Bug: 193853555
Test: m com.google.android.tethering, check version code
Merged-In: Ia3d5f2201ce67308df8e2689f6c99e28049a4877
Merged-In: I0d4bd06e79adedbf582d2fed551d9f1bde521fd1
Merged-In: Ie3a058b904cb2e3704c3a0725c8f720f81bb235e
Change-Id: I644f0d801efb491be45c3dc29fa1058476282772
Bpf offload do not support VCN network yet, don't start bpf offload
if the interface is ipsec*.
Bug: 191178945
Test: atest TetheringTests
Change-Id: I1ad8cededddec42f45b08aaa31d583c548d105f0
This is fixing post-FIN state (by disabling offload post-FIN).
Once the tcp state enters half-closing tcp state (fin wait,
close wait), delete the offload rules.
From this commit, we have done the short term solution for conntrack
tcp timeout issue. Here is what we have done so far.
- Stop updating tcp timeout to avoid updating wrong tcp state
timeout.
- Update the ESTABLISHED timeout
nf_conntrack_tcp_timeout_established (432000) after adding
bidirectional rules.
- Delete the tcp rules when the tcp state has left
"established".
Here is the long term solution and need to be addressed in follow up
commits.
- Parse the tcp state from netlink conntrack event.
- Build a mapping to trace the tcp state of the tcp conntrack event.
- Update tcp state timeout for {ESTABLISHED (432000), FIN_WAIT (120),
CLOSE_WAIT (60)}.
Bug: 190783768
Bug: 192804833
Test: atest TetheringCoverageTests
Manual test:
1. Browse on tethered device
2. Check conntrack tcp state is established.
$ cat /proc/net/nf_conntrack
ipv4 2 tcp 6 431995 ESTABLISHED src=192.168.207.9
dst=140.112.8.116 sport=50697 dport=443 ..
3. Check offload rules are added via dumpsys.
Upstream:
tcp .. 192.168.207.9:50697 -> 14(rmnet0) 10.224.1.247:50697
-> 140.112.8.116:443 ..
Downstream:
tcp .. 140.112.8.116:443 -> 30(30) 10.224.1.247:50697
-> 192.168.207.9:50697 ..
4. Stop browsing for a few seconds.
5. Check conntrack tcp state is half-closed.
$ cat /proc/net/nf_conntrack
ipv4 2 tcp 6 116 TIME_WAIT src=192.168.207.9
dst=140.112.8.116 sport=50697 dport=443 ..
5. Check offload rules are removed via dumpsys.
Upstream:
(not found)
Downstream:
(not found)
Change-Id: I07e27230bf8952acd7828d1f605167758b3bc490
Needed because a payload data packet may have gone through
non-offload path, before we added offload rules, and that this
may result in in-kernel conntrack state being in ESTABLISHED
but pending ACK (ie. UNACKED) state. But the in-kernel conntrack
might never see the ACK because we just added offload rules.
As such after adding the rules we need to force the timeout back
to the normal ESTABLISHED timeout of 5 days.
Issue: the timeout is set to unacknowledged 300s (countdwon to 298s)
$ adb shell cat /proc/net/nf_conntrack
ipv4 2 tcp 6 298 ESTABLISHED src=192.168.244.128
dst=140.112.8.116 sport=45694 dport=443 ..
Test: atest TetheringCoverageTests
Manual check:
$ adb shell cat /proc/net/nf_conntrack
ipv4 2 tcp 6 431988 ESTABLISHED src=192.168.40.162
dst=140.112.8.116 sport=40774 dport=443 ..
Bug: 190783768
Bug: 192804833
Change-Id: I8c34e85e26c9d976e5e2b85473db75ff46d8abd4
This is a preparation for only update the tcp timeout while
adding rules. Also add slack time for updating UDP timeout
interval.
Bug: 190783768
Bug: 192804833
Test: atest TetheringCoverageTests
Change-Id: I3151b531e6581e257f3cfa39ad2fcf1650358b3d
- Remove ipv4MappedAddressBytesToIpv4Address because it can be covered
by parseIPv4Address.
- Remove IllegalArgumentException from parseIPv4Address because it has
never happened
- Reverse the order of upstream and downstream timeout refreshing in
refreshAllConntrackTimeouts for readability because both source and
destination of the downstream are opposite direction to the
upstream.
Bug: 190783768
Bug: 192804833
Test: atest TetheringCoverageTests
Change-Id: I6a1e44777a4357dd3847c2e2bb1fc6c3cf01617c
registerSystemDefaultNetworkCallback no longer throws
UnsupportedApiLevelException as it has compatibility behavior down to Q,
so remove the catch clause for the checked exception.
The exception would previously not be thrown since the Tethering module
is only running on R+.
Bug: 182961265
Test: atest TetheringTests
Change-Id: I3c58235f3a59294995e5f32502fec6ccd17a3cf0
If config_tether_ncm_regexs is configured, load it to
tetherableUsbRegexs if ncm is used for TETHERING_USB. Load it to
tetherableNcmRegexs if ncm is used for TETHERING_NCM.
Bug: 185649441
Test: atest TetheringTests
Change-Id: I0c542560bd04e8c0a6a78d632da5a00a34d9a3fa
Before this change, usb IpServer would be created if corresponding
interface is available even there is no enable tethering attempt. And
usb IpServer only be disabled when interface is removed. Usb tethering
could not be stopped if interface is always avaialbe.
After this change, usb IpServer would be enabled and disabled according
to ACTION_USB_STATE.
Bug: 185649441
Test: atest TetheringCoverageTests
atest MtsTetheringTestLatestSdk
atest CtsTetheringTest
Change-Id: I8375e3f998d677dc658370b2553facaec0d5ff7c
