For ipv6 we need 1 entry per client, so 64 seems like plenty,
while for ipv4 we need 1 entry per flow, so even 1024 seems
like it might not be enough, but it's much better than 64.
Nucca says:
# cat proc/sys/net/netfilter/nf_conntrack_buckets
65536
# cat proc/sys/net/netfilter/nf_conntrack_max
262144
per https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt
the default “nf_conntrack_max” is “nf_conntrack_buckets * 4”.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ib7d1d8c19bc688c442d842cf5c9f45cdf1241754

In S, there is a new overload that takes an attribution tag as
well. Don't use this method yet, and add a TODO to call it via
a shim.
Bug: 167645754
Test: m com.android.tethering
Ignore-AOSP-First: needed to sync mainline-prod with AOSP
Change-Id: Ib49a73aa28d3abfc1b8f1cdad84abb022c49efe8
Merged-In: Ib0ac49609e444a53a6fee4575f5078e15f364eef

As part of syncing the tethering code from AOSP to mainline-prod,
revert the changes to the build file that added the connectivity
jar and made the module no longer updatable.
The intent is to build and release the tethering module in
mainline-prod, from latest AOSP code, without including the
connectivity code, which depends on S APIs.
This reverts commit 2812f607a0.
Bug: 167645754
Test: m com.android.tethering
Ignore-AOSP-First: needed to sync mainline-prod with AOSP
Change-Id: Ic2491f04880ff66abc3b2d3aaee6168e18f6d68a
Merged-In: Ib0ac49609e444a53a6fee4575f5078e15f364eef

This CL merges rvc-qpr-dev-plus-aosp on top of sc-dev-plus-aosp
on top of mainline-prod. It picks up changes that were merged
into aosp/master before sc-dev-plus-aosp was on the path between
AOSP and master. One such very simple CL is aosp/1554765.
There were no merge conflicts.
Current diffstat with aosp/master is:
97 files changed, 2219 insertions(+), 84 deletions(-)
This includes 1800 lines of translations added in 72 files like
Tethering/res/values-*/strings.xml
Bug: 167645754
Test: no merge conflicts
Test: didn't even try to build
Ignore-AOSP-First: this is a merge from AOSP
Change-Id: I63af0b95e2d0e6bddc217c29014c03ea0dbda6ec
Merged-In: Ib0ac49609e444a53a6fee4575f5078e15f364eef

A caller can mostly already do this via forEach(), but having a
specific method is faster (since the code does not need to read
the value) and easier to use.
The semantics of this method (e.g., ignore ENOENT while deleting
a key, but throw on any other error) match those of the native
BpfMap::clear method.
Test: new unit tests
Change-Id: I5cd32efd0f87c823cd2d0a2fa3a95a83093fb6f9

The flag allows overriding the value of config_tether_upstream_automatic
on released R devices, as issues have been found on devices where an
overlay was used to set it to false.
The flag is only usable on R devices, as S devices can either not set
the setting to false, or fix the underlying issues.
Bug: 173068192
Test: atest TetheringCoverageTests
Change-Id: Id99638916e08e596fab21cedd7bfe39906ce2fe5

because it is not appropriate for use in XDP programs
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ibd5dac9676bae7aa5f10fbcfd777291f72bec819

and more importantly unconditionally. This requires less effort
on the part of the in-kernel bpf verifier.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ibaa94bf096fc81c4d984dfabf515131b1c81ef09

Currently, this is the default so this is a no-op,
but the default is changing to true.
Bug: 180375550
Test: Treehugger
Change-Id: Ib841e474ab2b2ff2b54c160bb06c3bbbeea92675

We've backported the necessary support to all 4.14+ ACK kernels,
but we can't actually enforce that these changes will be picked
up by all devices. Thus we can only make the full featured
implementations optional on [4.14..5.8) kernels, with a tcp-only
version for those 4.14+ devices where the full featured version
fails to load.
Note: there's still a fair bit of implementation work left
in the do_forward4() function itself. This is really just
the skeleton.
Test: atest, TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: If78123e00d55a77f2ecd7da1547581797e23f9b2

This will facilitate providing a tcp-only version of the programs
which due to TCP's very long timeouts will not need to use the
Linux 5.8+ bpf_ktime_get_boot_ns() helpers.
Test: atest, TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1e49b6758d3754782ac6f8820e0c15aa20e4c61d

As this is the actual version that is required,
i.e. the version that supports bpf_ktime_get_boot_ns() helper.
Test: atest, TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I2ea4830597a0bed53950a5d0c483a47208959f35

The tethering module uses JNI in various classes, but only calls
System.loadLibrary in TetheringService#makeTethering. This means
that:
1. Any test that uses a class that uses JNI must load the
library itself.
2. Any code that runs before TetheringService#makeTethering could
potentially crash if it uses JNI. We may never have such code
though.
Instead, make every class that has a native method load the JNI
library itself at static initialization time. This guarantees
that the class will have the JNI code available in any context
(production, test, etc.).
System.loadLibrary is documented not to do anything if called
more than once with the same library name:
https://docs.oracle.com/javase/7/docs/api/java/lang/Runtime.html#loadLibrary(java.lang.String)
and the implementation has a lock so it is safe to call from
multiple threads concurrently.
Test: builds, boots, tethering starts
Test: atest TetheringCoverageTests
Change-Id: I9c0147ae9a28877f416aaff387b426d304ae552d