Adds ingress rate limiting functionality to ConnectivityService. The tc
rate limit is installed before we tell netd about the interface, and
removed after the network is removed from netd. When the setting
changes, the old rate limit needs to be removed before a new one can be
added (unfortunately, we cannot use NLM_F_REPLACE when configuring the
tc-police filter).
Currently, this functionality is always enabled, but may or may not work
based on kernel support.
Bug: 157552970
Test: atest FrameworksNetTests:ConnectivityServiceTest
Change-Id: I4e64b2c40490f061e42b40a1b1b3a6618c3d1a87
When the network is a VPN, NetworkMonitor needs to know whether
the VPN requests validation, and that information is stored in
NetworkAgentConfig. Pass it.
Test: FrameworksNetTests
Change-Id: I3616f0796b69ce054d92213aafdef43ba7041596
This reverts commit 13b96bc651.
Reason for revert:
- The reverted CL fixes a bootloop on Fi devices and must be submitted again for droidfood stability purposes.
- It's not clear whether the revert actually fixes the test that prompted it.
Change-Id: I68200501d1c587d1c6b3ad81053175c74961a440
This reverts commit a7d4766d0d.
Reason for revert: DroidMonitor: Potential culprit for Bug 218308105 - verifying through ABTD before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.
Change-Id: Ia9953d023c1eb84846834f92d4f38a72fa14bd30
UIDs can't be sent to netd until the native network is created.
Also, it's possible that the interface disappears at any moment,
so in that case catch the ServiceSpecificException.
Test: FrameworksNetTests
Bug: 218100554
Change-Id: I79285166acf5d89aa34107e00dfff963ccc22d52
Passing one of RECEIVER_EXPORTED or RECEIVER_NOT_EXPORTED is
required for all code targeting T or above. The correct value
here is RECEIVER_NOT_EXPORTED because the receiver is being
registered in the system server and the broadcast comes from
the system server itself (same UID).
This does not need to be guarded by OS version because
CarrierPrivilegeAuthenticator is only used on T+.
Test: m
Fix: 217642082
Change-Id: I09840b17bd54352896607737b56c6a692ffbd2c2
* changes:
Use packBitList to prevent long-related mistakes
Introduce ensureListenableCapabilities
Accept accessUids from telephony when it's the carrier config app
Renamed from ensureValid, this is an easier to understand name.
It is also a lot clearer when requestable capabilities also
have to be listenable.
Also move the 2 functions together.
Test: FrameworksNetTests
Change-Id: I685f924a3720846d740837a4a0fee3d88a26725a
* changes:
Prevent native_init from starting TrafficController
Remove libutils dependency from libservice-connectivity
Merge libtraffic_controller_jni into libservice-connectivity
[NETD-TC#15] Make ConnectivityService and PermissionMonitor call BpfNetMaps on T
Since TrafficController moves to mainline module for T, some netd binder
interfaces relevant to BPF are going to be deprecated. Provide JNI APIs to
call TrafficController inside mainline module for T.
Bug: 209935649
Test: atest CtsHostsideNetworkTests
Change-Id: Ib3b43cf2840e02806395af9f1e019ca6fccd032e
For now, all entry points reject this. Followup changes
will allow the supported use cases.
Test: new unit tests and CTS for this in this patch
Change-Id: I7262811a2e46336d3bb63c80886fc0578a36da94
NetworkAgents send NetworkCapabilities to ConnectivityService but
there are limits to what exactly they can send. Going forward,
some of these checks will have to happen on the handler thread,
which is already the case when an agent updates its capabilities,
but not upon registration.
This patch moves the sanitization to the handler thread, after
the network monitor is created for a network agent.
Before this patch, upon registration of a new agent, the binder
thread would copy and sanitize the capabilities, then store them
in nai.networkCapabilities. It would store the original caps from
the agent in the NAI, mix in what is known from the network info,
process the LinkProperties, and then proceed to create the
network monitor, but not yet store the NAI in the internal
structures because its registration is not finalized, so other
methods should not see it yet. After the monitor is created in
the network stack process, the NAI is stored in the internal
structures which publishes it for all methods to see. After
that is done, the NAI calls to the network monitor to warn it
that it's registered, what its capabilities are, and that it's
time to start validation if applicable.
With this patch, the validation no longer happens on the binder
thread. Instead, the binder thread stores the capabilities and
link properties as is, before sanitization, in the NAI. This is
fine because no other method can access these until the
registration completes upon notification that the monitor has
been created; this agent is only stored in the network monitor
callbacks in a self-destructing object precisely to make sure
that's the case.
When the monitor is created and CS receives notification of the
same, it will sanitize the capabilities before adding the NAI
to the internal structures, to protect the invariant that the
un-sanitized capabilities inside the NAI can't ever be seen by
any other method. After that's done, it will call to the
monitor to start validation as usual.
Test: FrameworksNetTests CtsNetTestsCases
Change-Id: I7d43ef0e25955e0349903b4801b9dfd8c3c92586
* changes:
Don't enable DscpPolicyTracker on pre-T devices.
Allow service JNI in FrameworksNetIntegrationTests.
Don't manually load the JNI library in DscpPolicyTracker.
Process DSCP QoS events for policies
Allow using BpfMap and TcUtils in unit tests.
The code cannot work before T because before T the tethering
module can only load BPF programs/maps into /sys/fs/tethering/bpf
and the system server cannot access that directory.
Additionally, this is causing unit tests to fail on pre-T devices
because on those devices the seccomp filter blocks the bpf
syscall from apps (including Java tests).
Test: revert aosp/1907693 and atest FrameworksNetTests:ConnectivityServiceTest
Change-Id: I6c398031dffb840da1d723b11ea4d0845ad6c6f2
This is not necessary because TcUtils already loads its library,
and unlike this code, it correctly loads it using JniUtils so
will succeed even when the code is jarjard in unit tests.
Test: atest ConnectivityServiceTest
Change-Id: I57eb46178d58777769f5497a0ea93cd037d598cb
New events to handle adding and removing of DSCP QoS policies.
Async indication sends status back to client if the policy
has been added, failed, or if the policy limit has been
reached.
Bug: 202871011
Change-Id: I7988d22ae625ad0dd415927d2943de4a749e6fb8
For those functions which return statusFromErrno() in TrafficController,
it would return positive errno so shouldn't construct with -errno.
Test: m
Change-Id: I94b9294c4e200c43e33f8280469dfad9e9fbf5ea
ParcelFileDescriptor relies on garbage collection to close handler.
When there is any error during starting clat or quick on/off
IPv6 only network, the file descriptor may not be able to be closed
before next clatStart is called. This may be problematic. For
example, the same v4- tun interface has not closed yet and clatStart
has been called again.
Test: connect/disconnect to IPv6 only network and ping 8.8.8.8
repeat 10 times
Change-Id: I8e1c66206dc221827a039213ecc86d5cbd777dff
provide clatd stop function which stops clatd by pid.
Bug: 212345928
Test: flash and boot
Run "atest ClatCoordinatorTest" in a followup commit.
Change-Id: Icd9c4f9038bf75113fbc5608f213145e58a061d9
launch clatd with the given cli arguments.
Bug: 212345928
Test: flash and boot
- run "atest ClatCoordinatorTest" in a followup commit.
- manual test
1. Connect to ipv6-only wifi.
2. Try IPv4 traffic.
$ ping 8.8.8.8
Change-Id: Ie57a7c7a9d3d77396e91fa9f94c02f1ad05487c1
This CL provides native methods to access BPF maps via a native library.
Bug: 202086915
Test: m; flash; boot;
Change-Id: I2e5d03d0c2e31ba11996d1b28ead9b552397fe29
Remove eBPF offload at clat stopping if possible.
Bug: 212345928
Test: build only
because need to test with clatd launched
Change-Id: I6ace77694c0e6fe68d16e80e3c8198aa41385fd2
BpfNetMaps provides interfaces and native methods for
manipulating BPF maps by calling jni library of traffic controller.
DO NOT TOUCH BpfNetMaps before aosp/1945136 and aosp/1948169 get merged.
Bug: 202086915
Test: build and flash
Change-Id: Iaff8ac71100b3f76b444f3b83616556d0ee6eadf
- rename JNI functions with prefix native_*
- throw exception while JNI function gets invalid address argument
- throw exception while JNI function returns invalid address
Bug: 212345928
Test: flash and boot
Run "atest ClatCoordinatorTest" in a followup commit
Change-Id: I6745a61525c6f72a61fbde0b21b3f7abcdf2446a
Update our packet socket filter to reflect the new 464xlat IP address
Bug: 212345928
Test: flash and boot
Run "atest ClatCoordinatorTest" in a followup commit
Change-Id: Ic50dc122731f311ad00ab8bff5472cb3bc41f5f1
Start translating packets to the new prefix.
Bug: 212345928
Test: flash and boot
Run "atest ClatCoordinatorTest" in a followup commit.
Change-Id: I38729c23fce72428919b33ac531ede9593337a0a
Move the raw socket initialization from netd to mainline because
mainline module is going to launch clatd. Need to provide raw
socket for writing local 464xlat IPv6 packets.
Bug: 212345928
Test: flash and boot
Run "atest ClatCoordinatorTest" in a followup commit.
Change-Id: I6d1da4f1b400eeed87771ae8197b0c58ec50804b
Move the packet socket initialization from netd to jni because
mainline module is going to launch clatd. Need to provide packet
socket for reading local 464xlat IPv6 packets.
Bug: 212345928
Test: flash and boot
Run "atest ClatCoordinatorTest" in a followup commit.
Change-Id: I1cef6e099403f883d668081fb5e917863f5a3c2a
Apply mtu and selected IPv4 address to tun interface.
Then, bring up the tun interface.
Bug: 212345928
Test: flash and boot
Run "atest ClatCoordinatorTest" in a followup commit.
Change-Id: I24a2a91e2b084be28820a7a63b265c5f56293334
Detect the available mtu for clat. The native mtu detect function
is moved from netd to libclat which is called by jni. The java
adjust mtu function is moved from netd native code.
Bug: 212345928
Test: flash and boot
Run "atest ClatCoordinatorTest" in a followup commit.
Change-Id: Icf5f57c7e7b947997b76152722e46acdd9d95c1a
Open the v4-... tun interface for clat. The native function
is moved from netd to jni.
Bug: 212345928
Test: flash and boot
Run "atest ClatCoordinatorTest" in a followup commit.
Change-Id: I3f3c587275125ce3fc7481006947211f17dbb2d4
Select a local 464xlat IPv6 address for clatd. The IPv6 address has
checksum-neutral IID. The native function is moved from netd to
libclat. Its test is moved from netd as well.
Bug: 212345928
Test: flash and boot
Run "atest ClatCoordinatorTest" in a followup commit.
Change-Id: I11520e5c086e475999847d829dd6341b14199b39
Introduce ClatCoordinator to replace netd/ClatdController.
This is a startup commit. Starting clatd needs to prepare local
464xlat ipv4 address, local 464xlat ipv6 address, tun interface,
clat read/write sockets. These will be implemented from this
and followup commits. This commit implements preparing the local
464xlat ipv4 address.
Bug: 212345928
Test: flash and boot
Run "atest ClatCoordinatorTest" in a followup commit.
Change-Id: I486db8aef0181ee1aedd7cd7702f95d5a1cef812