be more consistent, and thus also less htons() calls
Test: TreeHugger, atest DscpPolicyTest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ia331a33a615a598e061db53ae180fffaef7a4342
(these only affect boot time logging)
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I3f315c5eabe73d3378e6ca0059f05221df7bab5e
The utility currently contains a firewall class that is used by DNS
resolver tests to block DNS packets.
Bug: 227159929
Test: atest resolv_integration_test
Change-Id: I5c5bc0b263a677f57cd63f002057ff0812f15e64
Move sources of connectivity_native_test to a dedicated folder so that
other native tests or utilities can be added to p/m/c/tests/native/ as
well.
Bug: 227159929
Test: atest connectivity_native_test
Change-Id: I97217fbb03b26ed79f1f34932b92c4227a1ece4d
It is most definitely worthwhile to cache negative lookups as well!
Test: TreeHugger, atest DscpPolicyTest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iab1a57a2611a891642fef0c5897918c16e0ca540
(and merge the ipv4 and ipv6 caches into one,
as there really is no need for separate ones)
Test: TreeHugger, atest DscpPolicyTest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ie62393ea428885076ef59af69ac3eafeeba2934f
The 'switch_comp_map' is never written to,
hence map A is always used anyway...
Additionally this is backwards - ie. the *wrong* maps were A/B:
it is not the cache that should be A/B but rather the policy map(s).
This simplification has the nice benefit of making the program
much simpler and thus presumably optimizing bpf verifier processing
and thus bpfloader runtime during boot.
The fact that these socket cache maps are never cleared from userspace
is a different bug that needs to be fixed.
Bug: 235559605
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ic2b0d20cd4e9e7290fb9fae38e1625ea1ed85a78
Use a single skb store bytes for IPv6 instead of 2 api
calls for 2 uint8_t values, use 1 for a single uint32_t value.
Bug: 234808633
Change-Id: I31ecc6d7036fd71b10c60d320c1dc5ebf0b86cca
The raw IP program was removed, so there is no need to support it
anymore in match_policy().
Test: TH
Bug: 235559605
Change-Id: I755a9a55e3ad33a210145b2cc09578fdf4d66c79
This program was only used for tests as WiFi interfaces should always
include an ethernet header. Since the test has moved from tun to tap,
this can be deleted.
Support for using this program was already removed in a previous CL.
Test: TH
Bug: 235559605
Change-Id: I2148bce60992070790ba237176b99a40597ee751
Underscore character may cause bpf prog/map naming collision. For
example, x.o with map y_z and x_y.o with map z both result in x_y_z
prog/map name, which should be prevented during compile-time.
aosp/2147825 will prohibit underscore character in bpf source name
(source name derives the obj name). Existing bpf modules with underscore
characters in source name need to be updated accordingly.
Bug: 236706995
Test: atest bpf_existence_test
Test: adb root; adb shell ls -l sys/fs/bpf/net_shared | grep dscpPolicy
Change-Id: Ibe98944d09d42bd11b78b5e9ae35ded48c70416d
InProcessTethering runs as system_server (uid/gid AID_SYSTEM)
instead of as the network_stack (uid/gid AID_NETWORK_STACK).
Additionally only the network_stack has access to the default
selinux context of /sys/fs/bpf/tethering, which is fs_bpf_tethering,
so we need to use 'fs_bpf_net_shared' instead.
Bug: 190523685
Bug: 236925089
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ibb6ae255dcd8a8e8049be112055f60c3b2cf7df0
The objdump -x visible changes between old and new versions of the
mainline shipped .o files are really very minimal: just the inclusion
of a new .BTF section and changes/removals of some 'l' entries from
the symbol table. However, it turns out a change to symbol ordering
is incompatible with BpfLoader <v0.10 which doesn't know to skip
non-function symbols, and as such enabling btf requires a little
bit of gymnastics.
After:
$ adbz shell ls -l /apex/com.android.tethering/etc/bpf/*.o
-rw-r--r-- 1 system system 118352 1969-12-31 16:00 /apex/com.android.tethering/etc/bpf/offload.o
-rw-r--r-- 1 system system 123424 1969-12-31 16:00 /apex/com.android.tethering/etc/bpf/offload@btf.o
-rw-r--r-- 1 system system 2232 1969-12-31 16:00 /apex/com.android.tethering/etc/bpf/test.o
-rw-r--r-- 1 system system 6376 1969-12-31 16:00 /apex/com.android.tethering/etc/bpf/test@btf.o
$ adbz shell logcat -d | egrep offload.*[.]o
07-15 13:10:43.358 0 0 D LibBpfLoader: Loading critical for tethering ELF object /apex/com.android.tethering/etc/bpf/offload.o with license Apache 2.0
07-15 13:10:43.359 0 0 I LibBpfLoader: BpfLoader version 0x00019 ignoring ELF object /apex/com.android.tethering/etc/bpf/offload.o with max ver 0x00019
07-15 13:10:43.359 0 0 I bpfloader: Loaded object: /apex/com.android.tethering/etc/bpf/offload.o
07-15 13:10:43.374 0 0 D LibBpfLoader: Loading critical for tethering ELF object /apex/com.android.tethering/etc/bpf/offload@btf.o with license Apache 2.0
07-15 13:10:43.375 0 0 I LibBpfLoader: BpfLoader version 0x00019 processing ELF object /apex/com.android.tethering/etc/bpf/offload@btf.o with ver [0x00019,0x10000)
07-15 13:10:43.452 0 0 D LibBpfLoader: map_fd found at 0 is 6 in /apex/com.android.tethering/etc/bpf/offload@btf.o
...
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id658818d1d42763358747523615b7918d312588e
Use the correct offset for the eth header when calculating the
checksum.
Store the DSCP value in BPF map for subsequent skb's instead
of the TOS so the calculation and checksum is correct.
Bug: 234808633
Change-Id: Ib40d4575455f34a8970eca8751b590319e2ee1ad
Require at least kernel 5.15. Feature is not required on older
kernels and may impact boot time unnecessarily.
Bug: 235559605
Change-Id: I2e4b509de1d8940fc63ae057a8326f13c0fd1420
This commit adds ConnectivityManager#getFirewallChainEnabled to read the
current firewall chain status
Bug: 208371987
Test: m
Change-Id: I1eadb69f953af5d031cd8dabde3e1f098cf0f4df
Make use of new BpfLoader functionality: per-map/program selinux context
to further restrict access to mainline module shipped bpf maps and programs.
Bug: 218408035
Test: booted on cuttlefish, TreeHugger
Change-Id: Iaa33754aaca8bfafef6539abfbdd30b4cdfc4727
This is a temporary thing for testing with framework/libs/net patch
that adds checks for V18 define.
This is very short term and will be reverted in the next topic,
that will make v0.18 the default.
Bug: 218408035
Test: booted on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I22c414ebc64201db60eb872e0da0fea6c65eaede
This reverts the previous commit.
This is no longer required as v0.18 is now the default.
Test: Treehugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I9331f27cf20e7932f6ef0e3829c27b6684dece59
This eliminates the need for netd_updatable BpfHandler.cpp
to initialize the hash map with a zero.
On startup the map will be freshly initialized and thus zero.
On restart it might not be empty, but it doesn't matter to netd.
Furthermore the mainline component of the system server will
re-initialize it again anyway:
see service/native/TrafficController.cpp initMaps()
This does remove the ability to call deleteValue on a key,
since that would always return -EINVAL, but since we don't
currently do that, that's really a feature.
(It does suggest though that we should have a BpfMapNonNullable
class which is writeable, but without a deleteValue() function)
Additionally BpfMap arrays are more efficient for the kernel bpf jit
compiler, as - on newer kernels - it can optimize the read/write
into a simple memory access (as opposed to a bpf helper call).
Before:
$ adb shell ls -l /sys/fs/bpf/netd_shared/map_netd_configuration_map
-rw-rw---- 1 root net_bw_acct 0 2022-06-11 08:20 /sys/fs/bpf/netd_shared/ map_netd_configuration_map
After:
$ adbz shell ls -l /sys/fs/bpf/netd_shared/map_netd_configuration_map
-r--rw---- 1 root net_bw_acct 0 2022-06-16 15:03 /sys/fs/bpf/netd_shared/map_netd_configuration_map
Bug: 235590615
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I21730e4fa22fbf0c94ab0ca5c5db03aa000b7680
