Android T beta3/4 haven't been tested in ages,
and were really only tested for the transition to final T
nearly a year ago.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I520e60026179c078859572231b86184796182142
This will make the code more legible once we switch to using these.
Also moving them out of the .c files so we can share the same
constants across multiple files.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5cc9058cee8d1ea10d2f9e62a38313d0728f07d3
This is a repeat of:
https://android-review.git.corp.google.com/c/platform/packages/modules/Connectivity/+/2266447
which was reverted in:
https://android-review.git.corp.google.com/c/platform/packages/modules/Connectivity/+/2372509
This time with kver >= 4.14 protections of the bpf_skb_adjust_room()
bpf helper which isn't present on 4.9 T devices.
Original change comments:
Tested manually on a flame device connected to an ipv6-only wifi
network (GoogleGuest).
On server:
nc -4 -l -u -p 443
On client (phone):
adb shell nc -4 -u my.server 443
On client (phone):
adb shell tcpdump -l -ee -vv -s 1600 -i v4-wlan0
On client send something to server "Hi."
On server send something to client "Hey!"
You should see normal unfragmented IP packets.
Then on server send something really long (I used 57 copies of the 26 letter English alphabet). This should be long enough that fragmentation is required.
You should see tcpdump show 2 ipv4 fragments, and netcat
show the packet being delivered correctly.
(and previous versions of the code were buggy and were
resulting in corrupt packets and things not working)
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I6758e63d8133215edd26b4cd2d73a5b5f261ffd1
This reverts commit be9685c35c.
Reason for revert:
fails on 4.9 due to bpf_skb_adjust_room requiring a later kernel,
will need an alternative approach
Bug: 261818177
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I26535a96de80febc2fd54dcb564cde4f9ed7b3c9
To quote: https://www.rfc-editor.org/rfc/rfc6145
4.1 Identification:
The low-order 16 bits copied from the Identification field in
the IPv4 header. The high-order 16 bits set to zero.
5.1.1 Identification:
Copied from the low-order 16 bits in the Identification field in
the Fragment Header.
The RFC does not mention endianness. But I'm assuming it thinks
of things as network, ie. big, endian.
This matches userspace external/android-clat/translate.c:214
ip_targ->id = htons(ntohl(frag_hdr->ip6f_ident) & 0xffff);
This takes the 3rd and 4th byte of the 32-bit ipv6 frag ident field:
see also line 195:
frag_hdr->ip6f_ident = htonl(ntohs(old_header->id));
and
packages/modules/Connectivity/bpf_progs/bpf_net_helpers.h
// Android only supports little endian architectures
#define htons(x) (__builtin_constant_p(x) ? ___constant_swab16(x) : __builtin_bswap16(x))
#define htonl(x) (__builtin_constant_p(x) ? ___constant_swab32(x) : __builtin_bswap32(x))
#define ntohs(x) htons(x)
#define ntohl(x) htonl(x)
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ie4eed30cfd0e3e3e4dfa6c1a54751dcae1f9972b
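The endianness argument above, carried through as an added example (not code from the Connectivity module): it redoes the two translate.c conversions with the same htons/htonl definitions as bpf_net_helpers.h and checks which wire bytes of the 32-bit fragment identification field end up holding the IPv4 id. It assumes a little-endian host, as Android does; the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same shape as bpf_net_helpers.h: Android only runs on little-endian
 * architectures, so host<->network order is always a plain byte swap. */
static inline uint16_t my_htons(uint16_t x) { return __builtin_bswap16(x); }
static inline uint32_t my_htonl(uint32_t x) { return __builtin_bswap32(x); }
#define my_ntohs(x) my_htons(x)
#define my_ntohl(x) my_htonl(x)

/* IPv4 -> IPv6, RFC 6145 4.1: low 16 bits from the IPv4 id, high 16 bits zero.
 * Input and output are in network (wire) byte order, as in a packet buffer.
 * Mirrors translate.c:195  frag_hdr->ip6f_ident = htonl(ntohs(old_header->id)); */
static uint32_t v4_id_to_v6_frag_ident(uint16_t ip4_id_be) {
    return my_htonl((uint32_t)my_ntohs(ip4_id_be));
}

/* IPv6 -> IPv4, RFC 6145 5.1.1: low-order 16 bits of the fragment identification.
 * Mirrors translate.c:214  ip_targ->id = htons(ntohl(frag_hdr->ip6f_ident) & 0xffff); */
static uint16_t v6_frag_ident_to_v4_id(uint32_t ip6f_ident_be) {
    return my_htons((uint16_t)(my_ntohl(ip6f_ident_be) & 0xffff));
}

/* Expose the 32-bit field exactly as it sits on the wire (byte 0 first). */
static void wire_bytes32(uint32_t field_be, uint8_t out[4]) {
    memcpy(out, &field_be, 4);
}

int main(void) {
    /* Constructed sample: an IPv4 header whose id bytes on the wire are AB CD.
     * Read into a little-endian uint16_t that is the value 0xCDAB. */
    uint16_t ip4_id_be = 0xCDAB;
    uint32_t ident_be = v4_id_to_v6_frag_ident(ip4_id_be);
    uint8_t b[4];
    wire_bytes32(ident_be, b);
    /* Prints 00 00 ab cd: the IPv4 id lands in the 3rd and 4th wire bytes. */
    printf("ip6f_ident on wire: %02x %02x %02x %02x\n", b[0], b[1], b[2], b[3]);
    /* And the reverse direction recovers the original network-order id. */
    printf("round trip ok: %d\n", v6_frag_ident_to_v4_id(ident_be) == ip4_id_be);
    return 0;
}
```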
Tested manually on a flame device connected to an ipv6-only wifi
network (GoogleGuest).
On server:
nc -4 -l -u -p 443
On client (phone):
adb shell nc -4 -u my.server 443
On client (phone):
adb shell tcpdump -l -ee -vv -s 1600 -i v4-wlan0
On client send something to server "Hi."
On server send something to client "Hey!"
You should see normal unfragmented IP packets.
Then on server send something really long (I used 57 copies of the 26 letter English alphabet). This should be long enough that fragmentation is required.
You should see tcpdump show 2 ipv4 fragments, and netcat
show the packet being delivered correctly.
(and previous versions of the code were buggy and were
resulting in corrupt packets and things not working)
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iafbe718f7d6427b3e318c8f3f1ecfe2a13d47540
This is not used, and cannot be used: clat v4-* interfaces
are - by virtue of method of creation - always rawip.
This is because they are tun (not tap) devices.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iaafdd6e471c63668d7fe79b62257255bf98c4fb8
(these only affect boot time logging)
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I3f315c5eabe73d3378e6ca0059f05221df7bab5e
(per request from Lorenzo)
We do bump block/clatd/dscp_policy requirements from 0.12 to 0.13,
but this effectively doesn't matter:
- Beta2 is too old either way (pre-0.12)
- Beta3 is new enough (0.13)
- versions in between are simply obsolete / unused / not important
- bpfloader 0.12 won't boot right anyway due to lack of netd maps/programs
(which cause a netd startup failure)
This allows us to have one less #define in the header files,
with a hard to write explanation about what exactly v0.12 is (or was).
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1ecf15f9d7abbb82ec6bd49848255fab6a41aed4
In practice this doesn't actually really matter, since older versions
of the bpfloader won't even look in the relevant directories:
BpfLoader v0.9 is the first one that looks into
'/apex/com.android.tethering/etc/bpf/net_shared',
but it is only v0.12 that pins the resulting programs and maps
correctly into
/sys/fs/bpf/net_shared/
hence the annotations for block/clatd/dscp_policy.
BpfLoader v0.13 is the first one that looks into
'/apex/com.android.tethering/etc/bpf/netd_shared'
subdirectory and pins into
/sys/fs/bpf/netd_shared/
hence the annotation for netd.
But it's best to explicitly document the intent.
Note that in practice the mainline module will fail spectacularly
on a T OS if it can't find the programs and maps
(presumably due to the bpfloader being too old)
but will work on S even though the bpfloader there is much older,
because these programs/maps are not required on pre-T OS.
This change is thus really only documentation.
Bug: 218408035
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5ffa2faf83ca337b84e34b01df84436629989c58
In practice this function makes things readable and writable,
so use a less confusing name.
Test: TreeHugger, 'git grep try_make_readable' comes up empty
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I32faad148cc5714cf0ec7246620376ed4dd3d6d2
We now rely on the skb->mark = 0xDeadC1a7 setting side effect
for non offloadable packets, but for this to work reliably,
we *must* be able to read the ip header.
Test: TreeHugger, and on a gs101-based pixel
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ic2b15335099404047d136a92ce7aeeb1f11ccfa3
Per Maze@'s advice, we add a clat mark to clat packets in the ingress bpf
and drop the duplicate packets in iptables via mark match.
Bug: 218407445
Test: manual test with unmerged aosp/1951099
0. Connect to IPv6-only wifi
1. Clatd test: ping 5 times and check that iptables drop 5 packets by
mark 0xdeadc1a7.
$ adb shell ping 8.8.8.8
..
64 bytes from 8.8.8.8: icmp_seq=4 ttl=120 time=14.3 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=120 time=67.4 ms
$ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
Chain bw_raw_PREROUTING (1 references)
pkts bytes target prot opt in out source destination
5 520 DROP all any any anywhere anywhere mark match 0xdeadc1a7
0 0 RETURN all ipsec+ any anywhere anywhere
0 0 RETURN all any any anywhere anywhere policy match dir in pol ipsec
1661 1239K all any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf
2. Bpf test: run iperf to an IPv4 server and iptables doesn't see
offloaded packet with mark 0xdeadc1a7. Drop packet count (5) is
unchanged.
$ adb shell iperf3 -4 -c 117.102.109.186 -t1
Connecting to host 117.102.109.186, port 5201
[ 5] local 192.0.0.4 port 56242 connected to 117.102.109.186 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 622 KBytes 5.09 Mbits/sec 0 44.0 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-1.00 sec 622 KBytes 5.09 Mbits/sec 0 sender
[ 5] 0.00-1.00 sec 201 KBytes 1.64 Mbits/sec receiver
$ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
Chain bw_raw_PREROUTING (1 references)
pkts bytes target prot opt in out source destination
5 520 DROP all any any anywhere anywhere mark match 0xdeadc1a7
0 0 RETURN all ipsec+ any anywhere anywhere
0 0 RETURN all any any anywhere anywhere policy match dir in pol ipsec
1804 1280K all any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf
3. Enable USB tethering. Do ping and iperf on tethered client.
4. Clatd test: ping 5 times and check that iptables drop 5 packets
(count from 5 to 10) by mark 0xdeadc1a7.
$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
..
64 bytes from 8.8.8.8: icmp_seq=4 ttl=119 time=13.7 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=119 time=15.9 ms
$ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
Chain bw_raw_PREROUTING (1 references)
pkts bytes target prot opt in out source destination
10 1040 DROP all any any anywhere anywhere mark match 0xdeadc1a7
0 0 RETURN all ipsec+ any anywhere anywhere
0 0 RETURN all any any anywhere anywhere policy match dir in pol ipsec
1900 1298K all any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf
5. Bpf test: run iperf to an IPv4 server and iptables doesn't see
offloaded packet with mark 0xdeadc1a7. Drop packet count (10) is
unchanged.
$ iperf3 -4 -c 117.102.109.186 -t1
Connecting to host 117.102.109.186, port 5201
[ 5] local 192.168.235.233 port 41602 connected to 117.102.109.186 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 3.19 MBytes 26.8 Mbits/sec 0 369 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-1.00 sec 3.19 MBytes 26.8 Mbits/sec 0 sender
[ 5] 0.00-1.00 sec 2.58 MBytes 21.7 Mbits/sec receiver
$ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
Chain bw_raw_PREROUTING (1 references)
pkts bytes target prot opt in out source destination
10 1040 DROP all any any anywhere anywhere mark match 0xdeadc1a7
0 0 RETURN all ipsec+ any anywhere anywhere
0 0 RETURN all any any anywhere anywhere policy match dir in pol ipsec
1978 1320K all any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf
Change-Id: I180206bb15a1362c678f42fb980b60dfed6ce1ab