)]}'
{
  "log": [
    {
      "commit": "9ed91ab595f17441900755bf21cccd4f430914b2",
      "tree": "0df8c700eb3585e6d9e098d3d4335a0ecfbcb138",
      "parents": [
        "eb3335da50c8afe85da02cec4124d189d7635c04"
      ],
      "author": {
        "name": "Tommy Webb",
        "email": "tommy@calyxinstitute.org",
        "time": "Tue Feb 28 10:46:05 2023 -0500"
      },
      "committer": {
        "name": "Michael Bestas",
        "email": "mkbestas@lineageos.org",
        "time": "Sun Jun 15 20:03:21 2025 +0300"
      },
      "message": "Firewall: Transport-based toggle support (2/3)\n\nNeeds corresponding fw/b and Connectivity changes.\n\nSquash of:\n\nAuthor: Tommy Webb \u003ctommy@calyxinstitute.org\u003e\nDate:   Tue Feb 28 10:46:05 2023 -0500\n\n    Do not add VPN local exclusion rules\n\n    Prevent UIDs on a VPN from accessing the private IP ranges of networks\n    that they are not allowed to access. Without this, when connected to a\n    VPN, apps that are disallowed from accessing a Wi-Fi network will\n    become able to access the Wi-Fi network\u0027s LAN despite not being able\n    to access the Wi-Fi network whatsoever before connecting to a VPN.\n\n    Stop adding the local exclusion rule that makes this bypass possible.\n\n    Change-Id: I9975b5ab1306ee86863979d1fe73203799cce648\n\nAuthor: Tommy Webb \u003ctommy@calyxinstitute.org\u003e\nDate:   Thu Apr 27 18:01:41 2023 -0400\n\n    Stop setting netId for bypassable VPNs\n\n    Code comments claim that a socket\u0027s netId needs to be specified for\n    bypassable VPNs in order for them to have any traffic at all, but this\n    does not appear to reflect reality today -- at least with our firewall\n    changes -- as a simple test will show that such VPNs are still usable\n    even when we don\u0027t set the netId to that of the bypassable VPN.\n    (The comments and code were added in 2014 and may be out-of-date.)\n\n    This change resolves an issue resulting from recent firewall changes\n    that prevents UIDs of bypassable VPNs from accessing other networks,\n    even when they are allowed to do so.\n\n    Issue: calyxos#1650\n    Change-Id: I18edc8659750044534c9bea5ed49eddbcea89378\n\nAuthor: Tommy Webb \u003ctommy@calyxinstitute.org\u003e\nDate:   Thu Apr 27 15:57:54 2023 -0400\n\n    Adjust IP rules to accommodate UID-based firewall\n\n    * No default implicit network rule. We have UID-based implicit rules.\n    * Can only use VPN fallthrough with system permission. It is not\n      UID-based, and other rules fulfill our needs.\n    * Binding to output interfaces arbitrarily requires system permission.\n      Other rules cover this where it should be allowed for UIDs.\n\n    The behavior resulting from these changes is *almost* identical to\n    the recently-changed firewall behavior, but it resolves the issue of\n    default network rules being unusable without system-level permission.\n\n    Also includes squashed change:\n\n    Author: Tommy Webb \u003ctommy@calyxinstitute.org\u003e\n    Date:   Mon Jul 10 12:27:01 2023 -0400\n\n        fixup! Adjust IP rules to accommodate UID-based firewall\n\n        * Require system permission for RULE_PRIORITY_DEFAULT_NETWORK rule.\n          Default network access is already allowed for UIDs permitted on the\n          network via RULE_PRIORITY_UID_DEFAULT_NETWORK rules.\n\n        Change-Id: I8771b012fc90263b2aa7c68fdf3ccebde6670b79\n\n    Change-Id: Icd64aa530e8d202abb97d8325160a5d4c0b4c490\n\nChange-Id: I1b89587a54c3178dcbf0a78927392bb8fb36294f\n"
    },
    {
      "commit": "0a47ca4f15f5e66f3271fd214ecdd87fef4ae27a",
      "tree": "2998a7d0fbe8f97599d3057ca7d33a833672d589",
      "parents": [
        "606d04f5492353b36ab6f4b698e49d4f9549b3b8"
      ],
      "author": {
        "name": "Maciej Żenczykowski",
        "email": "maze@google.com",
        "time": "Wed Nov 15 08:00:03 2023 +0000"
      },
      "committer": {
        "name": "Maciej Żenczykowski",
        "email": "maze@google.com",
        "time": "Thu May 30 17:34:53 2024 +0000"
      },
      "message": "do not clear ingress_cpu_wakeup\n\n(so that nettrace can see it)\n\nBug: 311120074\nSigned-off-by: Maciej Żenczykowski \u003cmaze@google.com\u003e\nChange-Id: Ibcc1009d93b87c0b204209903a9ddc0d18235f5e\n"
    },
    {
      "commit": "107f0163d0fd7a13d8636056e1d2d7d4f8f15317",
      "tree": "d560c4b0f20af1f41c5bd2e26afb69f5909ac0a9",
      "parents": [
        "2ef5f2dee6dc4499aa3a7441767e63e2762d835d"
      ],
      "author": {
        "name": "dongziqi",
        "email": "dongziqi1@xiaomi.corp-partner.google.com",
        "time": "Tue Oct 31 16:17:42 2023 +0800"
      },
      "committer": {
        "name": "dongziqi",
        "email": "dongziqi1@xiaomi.corp-partner.google.com",
        "time": "Fri Nov 10 13:52:45 2023 +0800"
      },
      "message": "fix DUTs local network table name display incorrectly\n\nBug:308535522\n\nWhen connected to a wifi AP. enable softap and then wlan2 interface will\nadd LocalNetwork. In this case turn on the data network. then netd\nupdateTableNamesFile hence the local network route table will be renamed\nto wlan2\n\nChange-Id: Id788cd5eed4860942cdd71372552a918a23142a4\nSigned-off-by: dongziqi \u003cdongziqi1@xiaomi.corp-partner.google.com\u003e\n"
    },
    {
      "commit": "e479f31b991bd12634bfa199902af6719268490e",
      "tree": "1937cc9c9d97aff5bd025f995d21a492070c0168",
      "parents": [
        "ad4f2f4faf45bdc5ca25466f2131e68ce1b85045"
      ],
      "author": {
        "name": "Chalard Jean",
        "email": "jchalard@google.com",
        "time": "Mon Dec 12 18:27:49 2022 +0900"
      },
      "committer": {
        "name": "Chalard Jean",
        "email": "jchalard@google.com",
        "time": "Mon Dec 26 19:39:56 2022 +0900"
      },
      "message": "Add local rules for local networks\n\nWhen a network is a local network, two new IP rules\nshould be installed :\n• A rule that keeps the traffic to directly connected IPs\n  working when the catch-all local rule is removed. This\n  rule has PRIORITY_LOCAL_NETWORK and matches on the\n  explicit bit being off, because the explicit rule will\n  be installed separately by ConnectivityService in a\n  followup patch at priority EXPLICIT_NETWORK.\n20000: from all fwmark 0x0/0x10000 lookup xxxx\n• A rule that matches on LOCAL_NET_ID explicitly pointing\n  to the same table to keep traffic to netId 99 working.\n  This is necessary for the continued working of dnsmasq,\n  and might be necessary to keep traffic sent to 99 by\n  other means on OEM devices.\n16000: from all fwmark 0x10063/0x1ffff iif lo lookup xxxx\n\nTest: new tests in this patch\nChange-Id: If8729fc6f3716a580c936584b851bc38000b5de5\n"
    },
    {
      "commit": "b7a6099aff35e8b2f7a88272e67a7feeb2b9f0c0",
      "tree": "c4cf801c637d63ff48569fd3a3997ecf571522f5",
      "parents": [
        "9542a1e63336cb094afb54ae2cac16279210b2ef"
      ],
      "author": {
        "name": "chiachangwang",
        "email": "chiachangwang@google.com",
        "time": "Thu Aug 25 06:55:19 2022 +0000"
      },
      "committer": {
        "name": "Cherrypicker Worker",
        "email": "android-build-cherrypicker-worker@google.com",
        "time": "Wed Sep 21 00:55:06 2022 +0000"
      },
      "message": "Add IPv4 link-local multicast range to local routing tables\n\nThis commit allows local multicast traffic to be sent locally\ninstead of being sent through VPN when using a VPN automatic\nbypass for local traffic.\n\nCurrently, the local network that is considered in VPN local\nexclusion mode is the same subnet of the network assigned\naddress. If apps try to make some traffic to multicast range,\nit may be routed to VPN and block the traffic. E.g. If app\nconnect a UDP socket to multicast range(224.0.0.x) and sends\nfrom the socket, or app send to 224.0.0.x from an unconnected\nsocket. The traffic will send from VPN network. This traffic\nmay not be well-routed in VPN network. So the case should be\nalso considered to make the function work in the VPN bypass\nmode because it usually won\u0027t be the network assigned subnet\nrange. Add the multicast range as a fixed range in the local\nexclusion table.\n\nThe multicast range is 224.0.0.0/4 but only limit it to\n224.0.0.0/24 since the IPv4 definitions are not as precise as\nfor IPv6, it is the only range that the standards (RFC 2365\nand RFC 5771) specify is link-local and must not be forwarded.\n\nBug: 243200566\nTest: cd system/netd ; atest\nTest: connect to Wifi or cellular network and check the routing\nTest: manually test with chromecast with local routes exclusion\n      enabled\nChange-Id: I79fe499fb02a88ec687fadf3fad461c204fe3e47\n(cherry picked from commit 5308c041c712b8cd2ecee04335c10d0aeb97d610)\nMerged-In: I79fe499fb02a88ec687fadf3fad461c204fe3e47\n"
    },
    {
      "commit": "9542a1e63336cb094afb54ae2cac16279210b2ef",
      "tree": "98e390aab618a49c7b44c73f6e9693e0a7454344",
      "parents": [
        "4c46c7ddc73f53ef32edbe1e9a5047fea7fc2fb9"
      ],
      "author": {
        "name": "chiachangwang",
        "email": "chiachangwang@google.com",
        "time": "Wed Jun 15 02:42:44 2022 +0000"
      },
      "committer": {
        "name": "Cherrypicker Worker",
        "email": "android-build-cherrypicker-worker@google.com",
        "time": "Wed Sep 21 00:55:04 2022 +0000"
      },
      "message": "Update methods naming\n\nUpdate some methods naming to better reflect what the methods\ndo as a clean up to address comments in previous commit.\n\nBug: 184750836\nTest: m\nChange-Id: I11861841b6099c82a5137c0ab045246fc15b859a\n(cherry picked from commit 2efd0ce2116a6f42474013b6271afb7852821592)\nMerged-In: I11861841b6099c82a5137c0ab045246fc15b859a\n"
    },
    {
      "commit": "3aa56610449ec05da56bbb83ceafb15a52ebaa1b",
      "tree": "c9abb5e0345d4f93cb339b274019943c743905a0",
      "parents": [
        "89e504e6c3bbcce06850100a99f5f9f2874ca36c"
      ],
      "author": {
        "name": "Chiachang",
        "email": "chiachangwang@google.com",
        "time": "Thu May 12 05:55:45 2022 +0000"
      },
      "committer": {
        "name": "Cherrypicker Worker",
        "email": "android-build-cherrypicker-worker@google.com",
        "time": "Thu Jun 02 12:45:58 2022 +0000"
      },
      "message": "Restrict the local network range\n\nIf the network assigns a range that is not a defined local\nnetwork range, it should not be considered as a local network\nrange. Thus, intersect the network assigned range with RFC1918/\nCGNAT/LINK LOCAL ranges to ensure it\u0027s an accepted local network\nrange.\n\nBug: 184750836\nTest: cd system/netd ; atest\nChange-Id: I3ac6bba439986b72dbddec99c6aca3394c6d3235\n(cherry picked from commit cff5e88c75a4d23d472544b7008a4e51af1381c4)\nMerged-In: I3ac6bba439986b72dbddec99c6aca3394c6d3235\n"
    },
    {
      "commit": "89e504e6c3bbcce06850100a99f5f9f2874ca36c",
      "tree": "9651166523c7e22a206f1bedbedfb60b513003ec",
      "parents": [
        "776b68cecb611abb16cce0bf7a02bb939d271e3a"
      ],
      "author": {
        "name": "Chiachang",
        "email": "chiachangwang@google.com",
        "time": "Thu May 12 05:21:20 2022 +0000"
      },
      "committer": {
        "name": "Cherrypicker Worker",
        "email": "android-build-cherrypicker-worker@google.com",
        "time": "Thu Jun 02 12:45:57 2022 +0000"
      },
      "message": "Update local routes based on network assigned range\n\nWhen the local routes are updated to netd, also update them to\nthe local table for VPN local exclusion. This is specified by\nverifying nexthop available in the specific route.\n\nBug: 184750836\nTest: cd system/netd ; atest\nChange-Id: I793dd2e5dbe9fca0c0772814f5114ec98536fb4f\n(cherry picked from commit f9e81ac2e0629754a03d331a2a6e339b814204a0)\nMerged-In: I793dd2e5dbe9fca0c0772814f5114ec98536fb4f\n"
    },
    {
      "commit": "776b68cecb611abb16cce0bf7a02bb939d271e3a",
      "tree": "e073fef85d9e4fbf95235cbacd949ace1006bc49",
      "parents": [
        "8a03faaefe4858b848102ccb596b906e0194ef96"
      ],
      "author": {
        "name": "chiachangwang",
        "email": "chiachangwang@google.com",
        "time": "Tue May 17 05:16:16 2022 +0000"
      },
      "committer": {
        "name": "Cherrypicker Worker",
        "email": "android-build-cherrypicker-worker@google.com",
        "time": "Thu Jun 02 12:45:54 2022 +0000"
      },
      "message": "Add app default local rule\n\nAdd an app default local rule prior to the VPN local route rule\nto route the per app default local traffic.\n\nIf the routes setting for system default and app default are\noverlapped with each other, the traffic may be routed\nunexpectedly because the VPN local rules do not contain the\nuid range information. The rule will match first before app\ndefault rule. Thus, add a default local rule prior to the\nVPN local route rule to address the issue.\n\nSample rule after applying the change:\n - App UID(99999)\n - Default(iface0), app default(iface1), vpn(tun0)\n\n 25000:  ... 0x0/0x10000 iif lo uidrange 99998-99999 lookup iface1_local\n 26000:  ... 0x0/0x10000 iif lo lookup iface0_local\n 27000:  ... 0x0/0x30000 iif lo uidrange 99997-99998 lookup tun0\n 28000:  ... 0xffdf/0xffff lookup iface0\n 29000:  ... 0x0/0xffff iif lo uidrange 99998-99999 lookup iface1\n 30000:  ... 0x0/0xffff iif lo lookup iface0\n\nBug: 184750836\nTest: cd system/netd ; atest\nChange-Id: Ic092398a0d89b0104afcee8e1f22dfa93fa408ae\n(cherry picked from commit 0d5ae9805b1dcad074dd171dca62d5e3893d6a72)\nMerged-In: Ic092398a0d89b0104afcee8e1f22dfa93fa408ae\n"
    },
    {
      "commit": "8a03faaefe4858b848102ccb596b906e0194ef96",
      "tree": "bfabd61e9fca4b9967d1aa4934e4108e00f23bc2",
      "parents": [
        "f7267cfcfc7db62b8365fcff621403c0dadcfd67"
      ],
      "author": {
        "name": "Chiachang",
        "email": "chiachangwang@google.com",
        "time": "Wed May 04 07:45:37 2022 +0000"
      },
      "committer": {
        "name": "Cherrypicker Worker",
        "email": "android-build-cherrypicker-worker@google.com",
        "time": "Thu Jun 02 12:45:52 2022 +0000"
      },
      "message": "Add local rule only for default network\n\nThe existing flow would add local rules for each physical\ninterface. The order of the rules in the routing table is\ndepending on the order that interfaces were added. It may\ncause non-deterministic routing depending on the racing of\nregistering networks. The rule should only be needed for\ndefault network, so update the flow to update rules with\nfall through rules updates while switching the default network.\n\nBug: 184750836\nTest: cd system/netd ; atest\nChange-Id: I632f249ead6b418df40fa9639104043a66726d23\n(cherry picked from commit 2271c127ad8e8e99c675b38b1414ffa092726d25)\nMerged-In: I632f249ead6b418df40fa9639104043a66726d23\n"
    },
    {
      "commit": "31902a46f525d90c0de77e25c572abfe36bf1ec3",
      "tree": "5f0cbe18dd24089caabdf782d34e50dfb36555d7",
      "parents": [
        "7219cfeeff4c49763c9458c3abd23584b4947936"
      ],
      "author": {
        "name": "chiachangwang",
        "email": "chiachangwang@google.com",
        "time": "Fri Apr 15 20:06:27 2022 +0800"
      },
      "committer": {
        "name": "chiachangwang",
        "email": "chiachangwang@google.com",
        "time": "Tue Apr 19 13:26:18 2022 +0800"
      },
      "message": "Remove temporary hardcoded local exclusion routes\n\nThe local routes should be configured in the right tables\ndepending on whether it\u0027s a \"local\" route or not based on\nthe assigned ip ranges. This is a leading commit to remove\nthe hardcoded ones on first for the following change.\n\nBug: 184750836\nTest: cd system/netd ; atest\nChange-Id: Ieead7f15f8d62166d2c101e5432ccc8b25555f55\n"
    },
    {
      "commit": "5320c1a896d28d4a9076a16373f9f17903509657",
      "tree": "1cd55b6235135a6d57bc6b05fa071379604be7bd",
      "parents": [
        "ab5b9c7c0ee30cfb4daa1626a3e40704ce267330"
      ],
      "author": {
        "name": "Chiachang Wang",
        "email": "chiachangwang@google.com",
        "time": "Mon Mar 07 19:19:33 2022 +0800"
      },
      "committer": {
        "name": "Chiachang Wang",
        "email": "chiachangwang@google.com",
        "time": "Wed Mar 09 15:12:23 2022 +0800"
      },
      "message": "Stop setting v6 routes if the v6 is disabled on the interface\n\nThe v6 local exclude routes were added in every physical\ninterface assigned to the network. For the clat interface, the\nv6 support is disabled, so setting a v6 route on the clat\ninterface will cause a permission denial. A v6 route should not\nbe set on those interfaces that disable v6 support.\n\nThe permission denial causes no failure since the error was\ntemporarily skipped, so remove the temporary workaround\naccordingly.\n\nSample error log:\nE netd    : Error adding route fe80::/10 -\u003e (null) v4-wlan0 to table 1000000024: Permission denied\n\nBug: 184750836\nTest: cd system/netd ; atest\nTest: manually connect to v6 only wifi and check the log\nChange-Id: Id41fdad2593d80953f3202d91524e9742b5c2d4e\n"
    },
    {
      "commit": "e39cc7554717519a889d16dac93771142ddf274a",
      "tree": "f632bd0e1e1aac7f03501a32a1a782e4ac8a457f",
      "parents": [
        "028e7b052b3ef920fe832c316e22b1a5e6a37650"
      ],
      "author": {
        "name": "Chiachang Wang",
        "email": "chiachangwang@google.com",
        "time": "Tue Mar 01 17:35:31 2022 +0800"
      },
      "committer": {
        "name": "Chiachang Wang",
        "email": "chiachangwang@google.com",
        "time": "Wed Mar 02 19:31:24 2022 +0800"
      },
      "message": "Causing no error as removing routes on removed interface\n\nIn an IPv6 only network with clatd started, clatd will be stopped\nfirst before destroying the network. The clat interface will\nbe removed from kernel while clatd stops, but the clat interface\nwas added with the network in the netd. Destroy the network will\niterate the adding interfaces and try to remove all of them. The\nVPN local exclusion routes are added/removed with the existence\nof the interfaces. It will cause an ENODEV error while trying to\nfind the interface index of the clat interface since the clat\ninterface was removed. The failure was considered as an error\nand stop destroying the network. The routing will not be cleared\nas expected and cause the left over rules.\n\nBecause stopping clat is always before destroying the network, it\nis expected to get such error since the clat interface exists in\nConnectivityService if the network destroys with clat started.\nThus, stop considering this failure an error to finish all works\nnecessary for clearing interfaces in the network.\n\nSample issue rule:\n16000:\tfrom all fwmark 0x10063/0x1ffff iif lo lookup local_network\n16000:\tfrom all fwmark 0x10064/0x1ffff iif lo lookup wlan0\n16000:\tfrom all fwmark 0x10065/0x1ffff iif lo lookup wlan0\n16000:\tfrom all fwmark 0x10066/0x1ffff iif lo lookup wlan0\n17000:\tfrom all iif lo oif dummy0 lookup dummy0\n17000:\tfrom all iif lo oif wlan0 lookup wlan0\n17000:\tfrom all iif lo oif wlan0 lookup wlan0\n17000:\tfrom all iif lo oif wlan0 lookup wlan0\n18000:\tfrom all fwmark 0x0/0x10000 lookup legacy_system\n19000:\tfrom all fwmark 0x0/0x10000 lookup legacy_network\n20000:\tfrom all fwmark 0x0/0x10000 lookup local_network\n23000:\tfrom all fwmark 0x64/0x1ffff iif lo lookup wlan0\n23000:\tfrom all fwmark 0x65/0x1ffff iif lo lookup wlan0\n23000:\tfrom all fwmark 0x66/0x1ffff iif lo lookup wlan0\n\nBug: 184750836\nBug: 220997151\n\nTest: cd system/netd ; atest\nTest: Manually connect/disconnect IPv6 only WiFi and observe the\n      routing is removed as expected\nChange-Id: Ia981535a61dcc18aa25e7f35133c0fd822239b67\n"
    },
    {
      "commit": "3c365cb7846148475dac1d437888d63e8e75697d",
      "tree": "26f9118e5b9b794e5011ecef67d66d2355253adc",
      "parents": [
        "822beb5c71ef68f7211fe41547c557c09056bc55"
      ],
      "author": {
        "name": "Yi Kong",
        "email": "yikong@google.com",
        "time": "Fri Feb 18 01:34:56 2022 +0800"
      },
      "committer": {
        "name": "Yi Kong",
        "email": "yikong@google.com",
        "time": "Fri Feb 18 01:35:15 2022 +0800"
      },
      "message": "Remove redundant \"using\" statements\n\nThey are already under the same namespace.\n\nTest: presubmit\nBug: 219872355\nChange-Id: I05f95ca05b164b193be4f58053fe670eebb8df19\n"
    },
    {
      "commit": "4cb6fcc027d607c259212587af684bfff8323eee",
      "tree": "e54c553f53290a0593755c98cf71a9b2ab26e343",
      "parents": [
        "627994cd275af11354c4b91285450955878302e4",
        "8b9cdd27dea02e13dd4b142b80bae9caebc515ae"
      ],
      "author": {
        "name": "Chiachang Wang",
        "email": "chiachangwang@google.com",
        "time": "Thu Jan 27 09:37:54 2022 +0000"
      },
      "committer": {
        "name": "Gerrit Code Review",
        "email": "noreply-gerritcodereview@google.com",
        "time": "Thu Jan 27 09:37:54 2022 +0000"
      },
      "message": "Merge \"[ELR#6] Add rules into local exclusion table\""
    },
    {
      "commit": "8b9cdd27dea02e13dd4b142b80bae9caebc515ae",
      "tree": "d0d770bc61c55c81ca3da6864e8eb284ecbfb9ff",
      "parents": [
        "e7bf5f50cf05a2fa000654df4363905959270e37"
      ],
      "author": {
        "name": "Chiachang Wang",
        "email": "chiachangwang@google.com",
        "time": "Thu Jan 27 10:43:28 2022 +0800"
      },
      "committer": {
        "name": "Chiachang Wang",
        "email": "chiachangwang@google.com",
        "time": "Thu Jan 27 10:43:56 2022 +0800"
      },
      "message": "[ELR#6] Add rules into local exclusion table\n\nThe local table will match the locally connected routes. Add\nthose rules when the VPN network is created. The local connected\nrules are the link-local address for v6 and the link-local\n(169.254.0.0/16) for v4. These rules are hardcoded but it should\ndepend on what actual subnet the network is which will be\naddressed in the following patches.\n\nSample rule output:\n\n24000:\tfrom all fwmark 0xc0066/0xcffff lookup ipsec1\n25000:\tfrom all fwmark 0x0/0x10000 iif lo lookup wlan0_local\n27000:\tfrom all fwmark 0x66/0xffff lookup wlan0\n\n$ adb shell ip ro sh table wlan0_local\nadb shell ip ro sh table wlan0_local\n169.254.0.0/16 dev wlan0 proto static scope link\n\n$ adb shell ip -6 ro sh table wlan0_local\nfd00::/10 dev wlan0 proto static metric 1024 pref medium\n\nBug: 184750836\nTest: cd system/netd ; atest\nTest: atest HostsideVpnTests\nChange-Id: Idb2188b05c2568c72c155a39d3c9f1cb6e3fa150\n"
    },
    {
      "commit": "627994cd275af11354c4b91285450955878302e4",
      "tree": "39bcd36350e5dc82630663ccb2fee5868fd58a7b",
      "parents": [
        "a575c21d3bda223b8aa1a34657fcc5b3ab712c32",
        "e7bf5f50cf05a2fa000654df4363905959270e37"
      ],
      "author": {
        "name": "Chiachang Wang",
        "email": "chiachangwang@google.com",
        "time": "Wed Jan 26 04:37:32 2022 +0000"
      },
      "committer": {
        "name": "Gerrit Code Review",
        "email": "noreply-gerritcodereview@google.com",
        "time": "Wed Jan 26 04:37:32 2022 +0000"
      },
      "message": "Merge \"[ELR#4] Install/Remove local routes rules with the interfaces\""
    },
    {
      "commit": "e7bf5f50cf05a2fa000654df4363905959270e37",
      "tree": "fb92423189404110a8922ec6a282b4ca7ba5289b",
      "parents": [
        "f79e35692e5b08b5ee95226cd48228ec52a4bba7"
      ],
      "author": {
        "name": "Chiachang Wang",
        "email": "chiachangwang@google.com",
        "time": "Mon Jan 17 11:37:39 2022 +0800"
      },
      "committer": {
        "name": "Chiachang Wang",
        "email": "chiachangwang@google.com",
        "time": "Wed Jan 26 10:34:20 2022 +0800"
      },
      "message": "[ELR#4] Install/Remove local routes rules with the interfaces\n\nInstall/Remove the local routes rules with the life time of the\ninterfaces. The default networks will break into two tables:\nthe original one and the one for placing the local rules.\nThe local routing table is still unfunctional since it\u0027s empty\nand no routes matched.\n\nSample routings(VPN connected with default network on WiFi):\n\n20000:\tfrom all fwmark 0x0/0x10000 lookup local_network\n23000:\tfrom all fwmark 0x64/0x1ffff iif lo lookup wlan0\n24000:\tfrom all fwmark 0x0/0x30000 iif lo uidrange 0-99999 lookup ipsec8\n24000:\tfrom all fwmark 0xc0066/0xcffff lookup ipsec8\n25000:\tfrom all fwmark 0x0/0x10000 lookup iif lo wlan0_local\n27000:\tfrom all fwmark 0x66/0xffff lookup wlan0\n\nBug: 184750836\nTest: cd system/netd ; atest\nChange-Id: Ia67ec04e8c133e832dd39c10977f542d9c5b9cda\n"
    },
    {
      "commit": "e6f198c9c5042f4c59032b55170a61d274dc5491",
      "tree": "f21c70492c28f2e8d2d5682494bb23d996467960",
      "parents": [
        "e2f1b5a25d3e079ef4d07a64925f5a8fc253c59d"
      ],
      "author": {
        "name": "Patrick Rohr",
        "email": "prohr@google.com",
        "time": "Tue Jan 25 13:50:31 2022 +0100"
      },
      "committer": {
        "name": "Patrick Rohr",
        "email": "prohr@google.com",
        "time": "Wed Jan 26 00:09:22 2022 +0100"
      },
      "message": "Add special subpriority that does not set default network for uids\n\nThis CL changes the valid subPriority range from 0-999 to 0-998 and uses\n999 as a special value that does not set the network as the default for\nthe given uids.\n\nWe have evaluated adding a boolean to the UidRangesParcel, but that\nwould require us to keep track of it in mUidRangeMap and separating\nNetwork::appliesToUser into two functions (isUsersDefaultNetwork and\ndoesUserHaveAccess). In addition, per uid deny rules are not supported,\nso there is really no benefit to the use of multiple subPriorities in\nexplicit and implicit rules.\n\nTest: atest PerAppNetworkPermissionsTest\nChange-Id: I7522de13e36f2bdc3d192264d78b96423d76c607\n"
    },
    {
      "commit": "e2f1b5a25d3e079ef4d07a64925f5a8fc253c59d",
      "tree": "d41baa1df8904f69120b796bc0c6e65ab29722cd",
      "parents": [
        "0b84bde09aae4d8c378e6821a724d18839945976"
      ],
      "author": {
        "name": "Patrick Rohr",
        "email": "prohr@google.com",
        "time": "Tue Jan 25 21:36:50 2022 +0100"
      },
      "committer": {
        "name": "Patrick Rohr",
        "email": "prohr@google.com",
        "time": "Tue Jan 25 23:02:00 2022 +0100"
      },
      "message": "rename subpriority constants to make more readable\n\nRename DEFAULT_SUB_PRIORITY to SUB_PRIORITY_HIGHEST and\nLOWEST_SUB_PRIORITY to SUB_PRIORITY_LOWEST.\n\nTest: builds\nChange-Id: Ic62ad37d8bb2fafa488589e2e25f8c890c5dd649\n"
    },
    {
      "commit": "f79e35692e5b08b5ee95226cd48228ec52a4bba7",
      "tree": "f3788c2701b5e82ba4221081232687190947795d",
      "parents": [
        "77d0ff62dfd6b76dcbdf731c03c560cafead6ff7"
      ],
      "author": {
        "name": "Chiachang Wang",
        "email": "chiachangwang@google.com",
        "time": "Sat Jan 15 13:31:04 2022 +0800"
      },
      "committer": {
        "name": "Chiachang Wang",
        "email": "chiachangwang@google.com",
        "time": "Tue Jan 25 13:21:30 2022 +0800"
      },
      "message": "[ELR#3] Create \u003ciface\u003e_local table to place the local routes\n\nThe new local exclusion rules for the VPN networks will be in\nthe new set of rules above BYPASSABLE_VPN_LOCAL_EXCLUSION for\nthe local exclusion VPN network. The rules for the local IP\nrules will need to be in new tables separated from the existing\ninterfaces tables. Create \u003ciface\u003e_local table based on the\nexisting interfaces.\n\nThe new routing table will only be written in the rt_tables\ninstead of open a new device in /dev since it\u0027s only required\nfor supporting routing, such as legacy_network or legacy_system\ntables. The new \u003ciface\u003e_local tables share the same life time\nof the specific interface tables which means these new tables\nwill also be removed when the specific interfaces tables are\ngone.\n\nThese new tables are unfunctional now but only created in the\nrt_tables for the mapping between interface name and the index.\n\nSample content in rt_table before the patch:\n    255 local\n    254 main\n    97 local_network\n    98 legacy_network\n    99 legacy_system\n    1003 dummy0\n    1010 rmnet_data0\n\nSample content in the rt_table after the patch:\n    255 local\n    254 main\n    97 local_network\n    98 legacy_network\n    99 legacy_system\n    1003 dummy0\n    1000000003 dummy0_local\n    1010 rmnet_data0\n    1000000010 rmnet_data0_local\n\nBug: 184750836\nTest: cd system/netd ; atest\nChange-Id: I13e1efa73a7145c22970880d8b72cbbd7366276c\n"
    },
    {
      "commit": "2e9443fa515639c8a16ee46b071639b5fe61a1a6",
      "tree": "28b67af2f4bbd6f5bc4ac9bfb8f0a89b9ba91eb4",
      "parents": [
        "3e5d07190e2b6c587170cd75ea2b077d1903d780"
      ],
      "author": {
        "name": "Chiachang Wang",
        "email": "chiachangwang@google.com",
        "time": "Fri Jan 14 22:55:36 2022 +0800"
      },
      "committer": {
        "name": "Chiachang Wang",
        "email": "chiachangwang@google.com",
        "time": "Fri Jan 14 22:57:42 2022 +0800"
      },
      "message": "[ELR#2] Split RULE_PRIORITY_BYPASSABLE_VPN\n\nSplit RULE_PRIORITY_BYPASSABLE_VPN into two depending on whether\nthe VPN excludes local routes:\nRULE_PRIORITY_BYPASSABLE_VPN_NO_LOCAL_EXCLUSION (24000) and\nRULE_PRIORITY_BYPASSABLE_VPN_LOCAL_EXCLUSION (26000).\n\nOnly one of them will exist at any given time determined by\nwhether the VPN excludes local routes. Local exclusion will not\nwork until the new priority rules for local routes are added.\n\nThe new sets of rules have priority above VPN_FALLTHROUGH, so\nupdate the rule priority of VPN_FALLTHROUGH and rules after it.\n\nBug: 184750836\nTest: cd system/netd ; atest\nChange-Id: I23caa68c61276c5e59dc4a85a60be054f1ccc15a\n"
    },
    {
      "commit": "53360bf94ce9cb2cf8c8e90b0fa40259192c8356",
      "tree": "7514df761b08bf75bde53853d60bb75bed73b57c",
      "parents": [
        "13a592453d95a63f64ca325931f645f9d9be1d68"
      ],
      "author": {
        "name": "Ken Chen",
        "email": "cken@google.com",
        "time": "Fri Dec 10 02:41:05 2021 +0800"
      },
      "committer": {
        "name": "Ken Chen",
        "email": "cken@google.com",
        "time": "Mon Dec 13 21:43:38 2021 +0800"
      },
      "message": "Keep subPriority in int\n\nSigned integer gives us flexibility to use negative number (like -1)\nfor special purposes in the future.\n\nBug: N/A\nTest: atest\nChange-Id: I1e930459c9ed9d3834613473430c9570dc1a302a\n"
    },
    {
      "commit": "614223315a4d85844ad7999842e3b31ce9cea823",
      "tree": "e083820118be761ac20732e3b5c8ef9e9ad05c68",
      "parents": [
        "97e83e5e7585dab0be1d0346520e43bf6e11540f",
        "35987ded2588e0c4605f35ec261f546749c662c9"
      ],
      "author": {
        "name": "Taras Antoshchuk",
        "email": "tantoshchuk@google.com",
        "time": "Tue Oct 19 08:21:52 2021 +0000"
      },
      "committer": {
        "name": "Gerrit Code Review",
        "email": "noreply-gerritcodereview@google.com",
        "time": "Tue Oct 19 08:21:52 2021 +0000"
      },
      "message": "Merge changes Idd57eb85,I4d457152\n\n* changes:\n  Add \"throw\" and \"unreachable\" routes to NetdBinderTest\n  Use route priority only for route cache invalidation\n"
    },
    {
      "commit": "70d42501709936d2cd59e79107927ba4f9985561",
      "tree": "d36bb56402e81c2b1678cf738f7a08428d97dcce",
      "parents": [
        "88071ddc0739cef9adc05f8bf3b3ce0161062337"
      ],
      "author": {
        "name": "Patrick Rohr",
        "email": "prohr@google.com",
        "time": "Tue Oct 12 18:24:10 2021 +0200"
      },
      "committer": {
        "name": "Patrick Rohr",
        "email": "prohr@google.com",
        "time": "Fri Oct 15 11:46:40 2021 +0200"
      },
      "message": "rename OffloadUtils to TcUtils\n\nTest: m\nChange-Id: I40082f7d56f4d3ba088ebcab9417b4d2da0d6ba2\n"
    },
    {
      "commit": "0cceda2d51211a6d7ee3338dd8d8e89b8bf95385",
      "tree": "c23ac9f96967195c0db1ff23456157446fba4ca9",
      "parents": [
        "2b0b5ec491178708a0da8550088ba57ebe4a9a88"
      ],
      "author": {
        "name": "Taras Antoshchuk",
        "email": "tantoshchuk@google.com",
        "time": "Fri Sep 24 18:40:03 2021 +0200"
      },
      "committer": {
        "name": "Taras Antoshchuk",
        "email": "tantoshchuk@google.com",
        "time": "Mon Oct 11 14:22:55 2021 +0200"
      },
      "message": "Use route priority only for route cache invalidation\n\nFor routes cache invalidation we add and remove default throw routes\nwith low priority. Initial implementation set low priority for all\ndefault throw routes, which didn\u0027t matter at the time, since throw\nroutes were not commonly used.\n\nNow, throw routes are going to become more common (e.g. used in VPN\nrouting tables). This CL makes sure we only set low priority on\ndefault throw routes if they are used for route cache invalidation.\n\nBug: 186082280\nTest: atest NetdBinderTest\nChange-Id: I4d457152c4177528ca9766a7909bc3ee51319a33\n"
    },
    {
      "commit": "4ea88460c9a94fb0dc0b8bdee8fb5498ebcb38df",
      "tree": "3acf3084ed632b1b2d2e450c17e2bca7bde72d22",
      "parents": [
        "ba36d2784d5d20dc88624cc3116c9d96aa328e0e"
      ],
      "author": {
        "name": "Ken Chen",
        "email": "cken@google.com",
        "time": "Sun May 23 14:56:43 2021 +0800"
      },
      "committer": {
        "name": "Ken Chen",
        "email": "cken@google.com",
        "time": "Thu Jul 01 01:17:01 2021 +0800"
      },
      "message": "Support subsidiary priority on UID ranges\n\nNetwork preference per-profile and OEM network preferences can\u0027t be set\nat the same time, because it is unclear what should happen if both\npreferences are active for one given UID. Therefore, it needs a\nparameter for ConnectivityService to specify which preference is prior\nto others.\n\nIn this commit:\n1. Adds a pair of methods with parcelable parameter, which currently\n   includes netId, UID range array and subsidiary priority.\n\n2. The subsidiary priority will be used to adjust the original IP rule\n   priority. UID ranges can applies to different network with different\n   subsidiary priority. But a single UID should not apply to multiple\n   networks with the same subsidiary priority.\n\n3. The possible value of subsidiary priority for physical and\n   unreachable networks is 0-999. 0 is the highest priority. 0 is also\n   the default value. Virtual network supports only the default value.\n\n4. Netd and its tests reference to latest AIDL version (unstable).\n\nBug: 182460808\nTest: m; flash; cd system/netd/; atest\nTest: atest FrameworksNetTests\nTest: atest HostsideVpnTests\nChange-Id: I94e8830d0a21ffcca17757fe4783a4be9438c8b4\n"
    },
    {
      "commit": "4e8ef9b24e5f5c1f9760f593e2e022750c314f5e",
      "tree": "27b326d21ae707a076d24c7b3277d39dae9928c7",
      "parents": [
        "b573648fce613ecd94dce54a8744e6e06544856c"
      ],
      "author": {
        "name": "Ken Chen",
        "email": "cken@google.com",
        "time": "Wed Mar 17 01:57:19 2021 +0800"
      },
      "committer": {
        "name": "Ken Chen",
        "email": "cken@google.com",
        "time": "Fri Mar 26 10:32:49 2021 +0800"
      },
      "message": "PANS - Support unreachable default network\n\nFramework provides several preferences in PANS feature. To meet those\npreferences, Netd needs to support two operations for framework:\n\n(1) Set OEM-paid network as default network for apps.\n(2) Prohibit apps to use default network if it is not explicitly\nselected.\n\nThe #1 is supported by previous commit already. This commit implements\nthe #2, which adds a new IP rule priority for unconnected socket, reuses\nexisting IP rule priorities in explicit and implicit network selection.\nRules are looks like:\n\n15000:\tfrom all fwmark 0x10034/0x1ffff iif lo uidrange x-y unreachable\n...\n22000:\tfrom all fwmark 0x34/0x1ffff iif lo uidrange x-y unreachable\n...\n27000:\tfrom all fwmark 0x0/0xffff iif lo uidrange x-y unreachable\n\nAn UNREACHABLE network (netId 52) is created for framework to specify\nthat the default network is unavailable for designated apps.\n\nBug: 181579204\nTest: atest\nChange-Id: I21530928a85870df673e2d1387fde130fe5a0104\n"
    },
    {
      "commit": "a2206ecf5586ebe58902eda43cec1822589f02ea",
      "tree": "54140f77dd71b8c310235ab80b9c7376d979dc1a",
      "parents": [
        "93a7800fc8d6eb32d57ad3cf0a175075e22e686f"
      ],
      "author": {
        "name": "Ken Chen",
        "email": "cken@google.com",
        "time": "Wed Mar 24 17:15:44 2021 +0800"
      },
      "committer": {
        "name": "Ken Chen",
        "email": "cken@google.com",
        "time": "Thu Mar 25 01:11:11 2021 +0800"
      },
      "message": "Unify similar functions\n\nThere are only slight differences between the implementations of\nmodifyUidExplicitNetworkRule and modifyUidImplicitNetworkRule. Unity\nthem into one function. No functionality changes.\n\nTest: atest netd_integration_test\nChange-Id: I552e870b32459ada24c84fb908fea188f47c510c\n"
    },
    {
      "commit": "4674dea1a97b151f0f5c3d8d4843424ad4353743",
      "tree": "1e593e9c028c5f38853a07f7db0808c7840949e3",
      "parents": [
        "2de481dae1fd786f91508a30ff291808e91ae42c",
        "8738e1c449f444ac037af6b9878506bcc588ed0d"
      ],
      "author": {
        "name": "Maciej Żenczykowski",
        "email": "maze@google.com",
        "time": "Fri Feb 05 02:38:42 2021 +0000"
      },
      "committer": {
        "name": "Gerrit Code Review",
        "email": "noreply-gerritcodereview@google.com",
        "time": "Fri Feb 05 02:38:42 2021 +0000"
      },
      "message": "Merge \"Configurable per application default network\""
    },
    {
      "commit": "8738e1c449f444ac037af6b9878506bcc588ed0d",
      "tree": "bf79c16768f3eb42a413de933799ad620e20b8ba",
      "parents": [
        "68e99cd08fad35deb758a087f0b274c2af710e6a"
      ],
      "author": {
        "name": "Ken Chen",
        "email": "cken@google.com",
        "time": "Tue Nov 24 11:38:54 2020 +0800"
      },
      "committer": {
        "name": "Ken Chen",
        "email": "cken@google.com",
        "time": "Tue Feb 02 06:12:23 2021 +0800"
      },
      "message": "Configurable per application default network\n\nExtend networkAddUidRanges and networkRemoveUidRanges from\nvirtual-network-only to physical network. With this change, the\nConnectivityService can replace the default physical network for\nspecified applications without changing applications\u0027 code.\n\nBug: 176507580\nTest: cd system/netd; atest\nTest: atest HostsideVpnTests\nTest: atest FrameworksNetTests\nChange-Id: I556043f4401746bcf844a0c15a7d92aec12faad3\n"
    },
    {
      "commit": "0e5d26f4820a84f31b353f4859dbb856e3b55e66",
      "tree": "f515911156069f0f7b679d5c9a6aab0d0f043443",
      "parents": [
        "44159383b792cfe5c867dbcf8251f2f95bc47597"
      ],
      "author": {
        "name": "Maciej Żenczykowski",
        "email": "maze@google.com",
        "time": "Sun Jan 17 03:14:20 2021 -0800"
      },
      "committer": {
        "name": "Maciej Żenczykowski",
        "email": "maze@google.com",
        "time": "Tue Jan 19 23:18:46 2021 -0800"
      },
      "message": "bpf is always supported\n\nTest: builds, atest, TreeHugger\nBug: 167500195\nSigned-off-by: Maciej Żenczykowski \u003cmaze@google.com\u003e\nChange-Id: Ia1a45de523bb20d451df2041a9cc3fe9930f6686\n"
    },
    {
      "commit": "69839afc4938fb67c2297b27233cded1e460f908",
      "tree": "6435e25e658ae2209a326962570e6ceb912ad55f",
      "parents": [
        "7ad712fe84faa93b0a112fa210569c6e73115c86"
      ],
      "author": {
        "name": "Ken Chen",
        "email": "cken@google.com",
        "time": "Tue Jan 05 22:48:32 2021 +0800"
      },
      "committer": {
        "name": "Maciej Żenczykowski",
        "email": "maze@google.com",
        "time": "Tue Jan 12 05:47:34 2021 +0000"
      },
      "message": "Move IP rule priorities to header file\n\nMake constants visible for tests, rather than have copies.\n\nTest: atest\nChange-Id: Ibb70ae5c719e174ace4278d617564dfd48d1455d\n"
    },
    {
      "commit": "3810c9733cf66b7471275d4a438a481ee50ac522",
      "tree": "ff2dfa34e9809b475522a74d88a9927879547c1a",
      "parents": [
        "3676547e32eafff01e1ab069d89af19b1ff96a67"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Wed Jan 06 11:44:02 2021 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Wed Jan 06 12:35:24 2021 +0900"
      },
      "message": "Add clsact filters to local_network interfaces as well.\n\nThis is required for TC-BPF offload of upstream traffic.\n\nBug: 176857251\nTest: new tests in netd_integration_test\nTest: enabled wifi-to-wifi tethering\nTest: adb shell tc qdisc show 2\u003e\u00261 | grep clsact\nChange-Id: I091d183682170d1ddf19ab9f04aa88413769de79\n"
    },
    {
      "commit": "b6dc40ac3d566d952d8445fc6ac796109c0cbc87",
      "tree": "56f6d3ea6b37d9123b1c8ab144f9717542462f09",
      "parents": [
        "322c9ee5fde89607c0b33aa9d765aed36ee4358a"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Mar 24 00:58:50 2020 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Sun Apr 26 21:28:20 2020 +0900"
      },
      "message": "Track local network ifindices in sInterfaceToTable as well.\n\nRouteController tracks in the sInterfaceToTable map the the\ninterface indices of every interface used in physical and virtual\nnetworks. This ensures that when an interface is removed from a\nnetwork (by passing in the interface name), the rules (which\nspecify interface indices) are correctly deleted even if the\ninterface has been deleted or has been deleted and re-added with\na new interface index.\n\nCurrently this does not happen for interfaces added to the local\nnetwork. That means that when those interfaces are deleted, the\nrules might not be deleted. It also results in spurious messages\nlogged by NetworkController such as:\n\n03-24 00:38:47.553 16612 16635 E Netd    : getIfIndex: cannot find interface testtap1\n03-24 00:38:47.553 16612 16635 E Netd    : inconceivable! added interface testtap1 with no index\n\nNote that since P this map is read by RouteController::getIfIndex\nand used by code that assumes this will always return an\ninterface index. In the case of an interface in the local\nnetwork, this is not possible because the map stores mappings\nbetween ifindex and routing table. In the case of the local\nnetwork, the routing table is always ROUTE_TABLE_LOCAL_NETWORK,\nso there is no way to get the interface index. Fix these callers\nso they do not attempt do to this.\n\nBug: 150644681\nTest: TetheringIntegrationTests:EthernetTetheringTest\nChange-Id: I8042e5b91bcb3175d9ad540526df396a139976f0\n"
    },
    {
      "commit": "7f72543f4570259818d709fabc78c1b28296f783",
      "tree": "1754ab019d7519c547a07a8d8cda33c8df7865c4",
      "parents": [
        "52db3916eee87be7aae1038f5eaac13b03576d0b"
      ],
      "author": {
        "name": "Hungming Chen",
        "email": "nuccachen@google.com",
        "time": "Fri Feb 07 17:47:23 2020 +0800"
      },
      "committer": {
        "name": "Maciej Żenczykowski",
        "email": "maze@google.com",
        "time": "Mon Feb 17 20:31:54 2020 +0000"
      },
      "message": "Move attaching and detaching clsact from ClatdController to RouteController\n\nThe clsact attaching and detaching control plane is moved to:\n  RouteController::addInterfaceToPhysicalNetwork      - add clsact\n  RouteController::removeInterfaceFromPhysicalNetwork - del clsact\n\nThe above change implies that the clsact lifetime for each interface\nhas been extended from clat enabled time to interface lifetime.\n\nThe only exception is that attaching clsact to v4- tun interface\nstill lives in ClatdController. The reason is that clat is started\nbefore the v4- tun interface is added to the network and clat has\nalready needed to add the bpf filters.\n\nAfter all, keep attaching and detaching clat {in, e}gress bpf\nfilters in ClatdController.\n\nTest: manual clatd test\n1. Connect to IPv6-Only WiFi hotspot\n2. Browse 172.217.0.46 (google.com) successfully\n3. Disconnect from WiFi\nRepeat the above steps three times.\n\nChange-Id: I971e105484c7678ac304788e5ffff7cc709c400d\n"
    },
    {
      "commit": "57d54681bd1e3549b1e94d26a8fbd5138b1614ed",
      "tree": "e3ebc5e42970d1ed8dbe68e302a385d5c43541f7",
      "parents": [
        "1d9f35adf646928f221bb2b7b3cadc5b6c22e71d"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Fri Jan 24 09:18:13 2020 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Fri Jan 24 10:20:35 2020 +0900"
      },
      "message": "Tweak RTA_METRICS size calculation.\n\nUse the more correct RTA_SPACE macro instead of manually\ncalculating the size, and the more appropriate size_t type\ninstead of int.\n\nBug: 142892223\nTest: covered by existing unit tests\nChange-Id: I74dd5c912e2a13721e1bd6c90df4a579e826805f\n"
    },
    {
      "commit": "fa94a2733c0aa535a3ccd779f96c1598552acbc1",
      "tree": "6f5e0a494b43b7bb940b71938faecd68de1cadcf",
      "parents": [
        "7e1ee774e981a34832a44d6911b6fb5f61f4c901"
      ],
      "author": {
        "name": "Tyler Wear",
        "email": "twear@quicinc.com",
        "time": "Thu Dec 05 15:01:48 2019 -0800"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Thu Jan 23 19:21:41 2020 +0900"
      },
      "message": "netd: Route MTU\n\n- Route may include optional MTU parameter\n- Change route is added so routes don\u0027t need to be deleted then re-added\n- Add/Del/Change functions to pass route info as parcel\n\nBug: 142892223\nTest: new unit tests\nChange-Id: Idc32ecb0520b1f4136b3fe0e3f7b6800fb3005a6\n"
    },
    {
      "commit": "6b35750fd5fe0066460c322374576b9c25ee967e",
      "tree": "d1ee378faec7fb65e7fd535f45ecb6a91442726c",
      "parents": [
        "485a477dfe5ad0cbfea17c9f94b01364237a0732"
      ],
      "author": {
        "name": "Nick Desaulniers",
        "email": "ndesaulniers@google.com",
        "time": "Fri Oct 11 09:26:44 2019 -0700"
      },
      "committer": {
        "name": "Nick Desaulniers",
        "email": "ndesaulniers@google.com",
        "time": "Fri Oct 11 09:28:14 2019 -0700"
      },
      "message": "[netd] fix -Wreorder-init-list\n\nC++20 will require members in a designated initializer to be in order\nunlike C99.\n\nBug: 139945549\nTest: mm\nChange-Id: I4b856942f5c323898cf572dc60622d62c6ffed94\nSigned-off-by: Nick Desaulniers \u003cndesaulniers@google.com\u003e\n"
    },
    {
      "commit": "762dcf48a2fef596d677d9e8d6ec655d58303211",
      "tree": "60beab7ae8e436cbd080f6492ca36739040f666f",
      "parents": [
        "cf6f710b67a8a5f35d47b2b20fee61395f79236d"
      ],
      "author": {
        "name": "Bernie Innocenti",
        "email": "codewiz@google.com",
        "time": "Fri Jun 14 19:52:49 2019 +0900"
      },
      "committer": {
        "name": "Bernie Innocenti",
        "email": "codewiz@google.com",
        "time": "Wed Aug 21 15:59:41 2019 +0900"
      },
      "message": "Use C++17\u0027s [[nodiscard]] instead of WARN_UNUSED_RESULT\n\nNo functionality change. Also remove some header guards along the way.\n\nTest: m\nChange-Id: I1afdcaea95a3dd56f392c4e61d7670f43615792a\n"
    },
    {
      "commit": "80ffd0f46ad9ebdfe9d401d58215d2c54ed3f88a",
      "tree": "ed7601b5d3f44dba32bca4c21e7c00db80fddc09",
      "parents": [
        "8f578ff615b8463b4ff6299d6b81f6f48287b5fb"
      ],
      "author": {
        "name": "Bernie Innocenti",
        "email": "codewiz@google.com",
        "time": "Wed Jun 05 15:27:46 2019 +0900"
      },
      "committer": {
        "name": "Bernie Innocenti",
        "email": "codewiz@google.com",
        "time": "Wed Jun 05 16:22:44 2019 +0900"
      },
      "message": "Remove unused deps on liblogwrap\n\nNothing seems to be calling into it, so it can probably go.\n\nTest: rebuild everything, then run atest\nChange-Id: I6e446f98decd708f59e5994fa10f77be4476d02f\n"
    },
    {
      "commit": "d286198c26c3d80bfaf5f53d6faeea5d0ce6faf5",
      "tree": "e952010ccae2c09808bbb0329c7de7bec45971f3",
      "parents": [
        "b3a2bf094086b011c0ad91b25cbaf34ad6e0104f"
      ],
      "author": {
        "name": "Luke Huang",
        "email": "huangluke@google.com",
        "time": "Fri May 17 19:47:28 2019 +0800"
      },
      "committer": {
        "name": "Luke Huang",
        "email": "huangluke@google.com",
        "time": "Thu May 23 14:49:59 2019 +0800"
      },
      "message": "Remove explicitlySelected bit for vpn fallthrough rule\n\nPreviously, netd use explicitlySelected bit to ensure that\nthe VPN fallthrough rule does not match if a non-zero NetId was\nexplicitly specified. This is inconsistent with the normal case\nof an application that is subject to the VPN, because in that case,\nthe fallthrough rule does match.\nThis commit removes the explicitlySelected bit and relax the guarantee.\nThis ensure that the behaviour of an app that selects the VPN network\nis the same as the behaviour of an app that specifies no network but\nis subject to the VPN.\nVPN traffic will fallthrough default network if no route is hit in VPN\nroute table.\n\nAssume vpn netId is 102, default network interface is wlan0 with no\npermisiion. Below is the result of route rule before/after this commit.\nBefore:\n21000:\tfrom all fwmark 0x10066/0x1ffff lookup wlan0\n\nAfter:\n21000:\tfrom all fwmark 0x66/0xffff lookup wlan0\n\nBug: 119216095\nTest: built, flashed, booted\n      system/netd/tests/runtests.sh\n\nChange-Id: I03411644dc82cabcaf1f3274a17f36ec4e173c2e\n"
    },
    {
      "commit": "9f2913e261bcabf662ff69ba952e5d086bf74c63",
      "tree": "8d2dd8f2db07e8af0f23a75a04e7c7c123dcf5f3",
      "parents": [
        "0255437c370aa8bee3d2cbd8d52516c12b2ca9be"
      ],
      "author": {
        "name": "mtk13799",
        "email": "xin.huang@mediatek.com",
        "time": "Mon Feb 25 19:39:36 2019 +0800"
      },
      "committer": {
        "name": "JeiFeng Lee",
        "email": "linger.lee@mediatek.com",
        "time": "Tue Apr 02 03:02:21 2019 +0000"
      },
      "message": "netd: reorder the operations in getRouteTableForInterfaceLocked.\n\nwhen network was switched quickly between wifi and cellular,\nnetd should always use old ifindex to delete ip rule/route,\nand new ifindex to add ip rule/route.\n\nBUG: 128805131\nTest: built, booted, datausage, Phone call, Internet under\nwifi and cellular data\nChange-Id: I2d88709a00d50e318b02362ffac543a1e7e40a81\n"
    },
    {
      "commit": "ce9e5783ad1e6fd20bf38352ed9fdfcb8278f9f6",
      "tree": "5bd984e65c71469aa7c0d31f0defa071c4afe580",
      "parents": [
        "58275707e9caa74f47c9eca21390a53715e295e6"
      ],
      "author": {
        "name": "Jimmy Chen",
        "email": "jimmycmchen@google.com",
        "time": "Fri Mar 08 16:12:55 2019 +0800"
      },
      "committer": {
        "name": "Jimmy Chen",
        "email": "jimmycmchen@google.com",
        "time": "Fri Mar 08 16:39:28 2019 +0800"
      },
      "message": "IPv6: allow the same prefix routing entries for link local\n\nAllowing creating multiple link-local routes in the same table, so we can make IPv6\nwork on all interfaces in the local_network table.\n\nBug: 126063997\nTest: * enable hotspot \u0026 usb tethering\n      * use ping6 to verify link local in both side of hotspot/usb\n      tethering\n\nChange-Id: Ibe897004bd72bc88744c4bbac44ca512c0482f3b\n"
    },
    {
      "commit": "94658ac61e1c377251eb51f4e1c22e5140357fdb",
      "tree": "b0b8265a6b888a9db5f43dc63d87fe0623d06b47",
      "parents": [
        "25b62a77695643ac232002a5a98f8f2a349bde11"
      ],
      "author": {
        "name": "Luke Huang",
        "email": "huangluke@google.com",
        "time": "Thu Oct 18 19:35:12 2018 +0900"
      },
      "committer": {
        "name": "Luke Huang",
        "email": "huangluke@google.com",
        "time": "Thu Oct 25 13:32:55 2018 +0900"
      },
      "message": "Refactor UidRange by using stable aidl structure\n\nUse stable aidl generated structure instead of UidRange\n\nTest: built, flashed, booted\n      system/netd/tests/runtests.sh passes\n\nChange-Id: I136afcff167eac7d3c4774b9e60f607e086488bf\n"
    },
    {
      "commit": "189eb5020bcffa7a7e601edf2fecb98008acfa9e",
      "tree": "5c15b5f5e8b201982cde0cf2ec9a5776cebc2bcf",
      "parents": [
        "e03aed11e6ce5779873594c38694f72ca68c97e7"
      ],
      "author": {
        "name": "Bernie Innocenti",
        "email": "codewiz@google.com",
        "time": "Mon Oct 01 23:10:18 2018 +0900"
      },
      "committer": {
        "name": "Bernie Innocenti",
        "email": "codewiz@google.com",
        "time": "Thu Oct 18 09:30:06 2018 +0000"
      },
      "message": "Move resolver public headers to separate include path\n\nAdditionally rename functions and structs to eliminate those ugly\nunderscores from the public API (with the notable exception of\n__res_params, which will come in its own separate change to keep this\none from growing too large).\n\nTest: build, flash, then \u0027atest netd_integration_test\u0027\nChange-Id: I7e9b0ee6cdbec889e9c35b5a17b5daa65533686e\n"
    },
    {
      "commit": "abf8a346f81f6e16a543892ba9ece6a4750ede9f",
      "tree": "ae063a7869402755bc894c154204ba970253b914",
      "parents": [
        "9e81f67e0d29332fd8da26929bad22ecd712e61f"
      ],
      "author": {
        "name": "Bernie Innocenti",
        "email": "codewiz@google.com",
        "time": "Fri Aug 10 15:17:16 2018 +0900"
      },
      "committer": {
        "name": "Bernie Innocenti",
        "email": "codewiz@google.com",
        "time": "Fri Aug 10 16:21:24 2018 +0900"
      },
      "message": "Let lock_guard deduce its template argument\n\nNo functional change, this is a cleanup.\n\nWith C++17, it\u0027s no longer necessary to specify the teplate argument\nwhen it can be deduced from the types of constructor arguments. This\nallows de-cluttering our locking statements.\n\nTo avoid typos, this patch was mechanically generated:\n\n  perl -p -i -e \u0027s/std::lock_guard\u003cstd::mutex\u003e/std::lock_guard/g\u0027 \\\n    $(find . -name \u0027*.cpp\u0027 -o -name \u0027*.h\u0027)\n\nChange-Id: Ibb15d9a6c5b1c861d81353e47d25474eb1d4c2df\n"
    },
    {
      "commit": "bdfd57e5a3a21ac340016a70ea425e4223f23b08",
      "tree": "baab5276b89048e9f327b93bc4a5de07325d8287",
      "parents": [
        "50fdf5a544b2f475082978df035e137223e3d454"
      ],
      "author": {
        "name": "Yi Kong",
        "email": "yikong@google.com",
        "time": "Wed Jul 25 13:26:10 2018 -0700"
      },
      "committer": {
        "name": "Yi Kong",
        "email": "yikong@google.com",
        "time": "Wed Jul 25 13:26:10 2018 -0700"
      },
      "message": "Modernize codebase by replacing NULL with nullptr\n\nFixes -Wzero-as-null-pointer-constant warning.\n\nTest: m\nBug: 68236239\nChange-Id: I226a0599db4f7c3557e55cade7869d00bd314949\n"
    },
    {
      "commit": "534980c8cd18af550e09373ad46d8b585d10049f",
      "tree": "065af8bdec28caf2cf67156d5385709571a3e0ee",
      "parents": [
        "d1ee462e94c34193bf5e8eb2975fff61b82ab1fb"
      ],
      "author": {
        "name": "Luke Huang",
        "email": "huangluke@google.com",
        "time": "Fri Jul 06 17:50:11 2018 +0800"
      },
      "committer": {
        "name": "Luke Huang",
        "email": "huangluke@google.com",
        "time": "Wed Jul 11 15:04:08 2018 +0800"
      },
      "message": "Refine lock of RouteController and add annotations\n\nTest: built, flashed, booted\n          system/netd/tests/runtests.sh passes\n\nChange-Id: I855e044a2b7c9aae795edbcee717d61f58a7a21d\n"
    },
    {
      "commit": "d1ee462e94c34193bf5e8eb2975fff61b82ab1fb",
      "tree": "dd8ba06ec3939751c61f9f1a672b2474729f2e5f",
      "parents": [
        "d4c0be8ed437ee2198a0d5d8561093ab23e51c2e"
      ],
      "author": {
        "name": "Luke Huang",
        "email": "huangluke@google.com",
        "time": "Fri Jun 29 13:49:58 2018 +0800"
      },
      "committer": {
        "name": "Luke Huang",
        "email": "huangluke@google.com",
        "time": "Wed Jul 11 15:04:07 2018 +0800"
      },
      "message": "Replace RW lock with mutex, shared_mutex\n\nTest: built, flashed, booted\n      system/netd/tests/runtests.sh passes\nChange-Id: I42b52d815b6ba0ba6f93dc27e83a900d2abec715\n"
    },
    {
      "commit": "6c00b61656da32ce3223a2fc711f5649b6b7b5ac",
      "tree": "3757ef63883c1e5916c0a635d329c9d77ab5280e",
      "parents": [
        "18a257aecc1b4a380f6245134c74640b753bba87"
      ],
      "author": {
        "name": "Rubin Xu",
        "email": "rubinxu@google.com",
        "time": "Fri Apr 27 14:27:59 2018 +0100"
      },
      "committer": {
        "name": "Rubin Xu",
        "email": "rubinxu@google.com",
        "time": "Thu Jun 07 08:12:24 2018 +0100"
      },
      "message": "Do not destroy socket when VPN interface address is still in use\n\nNormally when an IP address is removed, all sockets associated with the\naddresses are destroyed. This patchset changes this behavior such that\nif the address in question is still being used by another interface that\nbelongs to the same underlying virtual network, the destroy operation is\nskipped. This change is needed to support VPN seamless handover where the\nVPN app will establish a second TUN interface (with different config)\nbefore tearing down the existing interface. The intention is that during\nthis handover existing socket connections should not be disturbed. There\nis a companion change in the framework side to make sure during such\nhandover, the VPN netId remains unchanged so routing still works.\n\nBug: 64692591\nTest: cts-tradefed run commandAndExit cts-dev -m CtsHostsideNetworkTests -t com.android.cts.net.HostsideVpnTests\nTest: system/netd/tests/runtests.sh\nChange-Id: I02c6b0db5f15cd1aef3e3fa6f0c36e86b4f427fd\nMerged-In: I02c6b0db5f15cd1aef3e3fa6f0c36e86b4f427fd\n(cherry picked from commit acbb6b7bbea17c5653929ee5224bd4f8e16c0f69)\n"
    },
    {
      "commit": "758627c4d93392190b08e9aaea3bbbfb92a5f364",
      "tree": "b484dd15e8ca375b48630277dd2bd151aee998ee",
      "parents": [
        "02b6d17b0a84e8df5b6101cf6d8b9aab17bac453"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Thu Mar 15 01:49:20 2018 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Thu Mar 15 14:16:51 2018 +0900"
      },
      "message": "Add \"iif lo\" to all IP rules for originated traffic.\n\nThis ensures that these rules are not mistakenly used by\nforwarded traffic. Forwarded traffic should only use rules that\nspecify an explicit iif.\n\nThe rules change as follows:\n\n0:\tfrom all lookup local\n10000:\tfrom all fwmark 0xc0000/0xd0000 lookup legacy_system\n10500:\tfrom all {+iif lo+} oif dummy0 uidrange 0-0 lookup dummy0\n10500:\tfrom all {+iif lo+} oif wlan0 uidrange 0-0 lookup wlan0\n10500:\tfrom all {+iif lo+} oif v4-wlan0 uidrange 0-0 lookup v4-wlan0\n10500:\tfrom all {+iif lo+} oif rmnet_data0 uidrange 0-0 lookup rmnet_data0\n13000:\tfrom all fwmark 0x10063/0x1ffff {+iif lo+} lookup local_network\n13000:\tfrom all fwmark 0x10065/0x1ffff {+iif lo+} lookup wlan0\n13000:\tfrom all fwmark 0x10065/0x1ffff {+iif lo+} lookup v4-wlan0\n13000:\tfrom all fwmark 0x50064/0x5ffff {+iif lo+} lookup rmnet_data0\n14000:\tfrom all {+iif lo+} oif dummy0 lookup dummy0\n14000:\tfrom all {+iif lo+} oif wlan0 lookup wlan0\n14000:\tfrom all {+iif lo+} oif v4-wlan0 lookup v4-wlan0\n14000:\tfrom all fwmark 0x40000/0x40000 {+iif lo+} oif rmnet_data0 lookup rmnet_data0\n15000:\tfrom all fwmark 0x0/0x10000 lookup legacy_system\n16000:\tfrom all fwmark 0x0/0x10000 lookup legacy_network\n17000:\tfrom all fwmark 0x0/0x10000 lookup local_network\n19000:\tfrom all fwmark 0x65/0x1ffff {+iif lo+} lookup wlan0\n19000:\tfrom all fwmark 0x65/0x1ffff {+iif lo+} lookup v4-wlan0\n22000:\tfrom all fwmark 0x0/0xffff {+iif lo+} lookup v4-wlan0\n22000:\tfrom all fwmark 0x0/0xffff {+iif lo+} lookup wlan0\n32000:\tfrom all unreachable\n\nBug: 64976379\nBug: 73642792\nBug: 73032258\nTest: marlin builds, boots, networking works\nTest: IPv4/v6 USB tethering works concurrently with httpurl --nethandle \u003cfoo\u003e\nTest: USB tethering correctly able to use non-default-network upstream\nTest: T-Mobile wifi calling works on walleye internal build\nChange-Id: I9383a7ea54c60b0f33db8de8c6331e2f820539e1\n"
    },
    {
      "commit": "d7dd1d3af4ebac422303370301f1d98c9a84a8ae",
      "tree": "3b7e6f142e71195dca9fae9c36074760d3771985",
      "parents": [
        "1349a08f61e10bcb85a26e0254bd74b95a015647",
        "bbd0aff37314af767b53481b26210461178a0013"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Wed Jan 10 13:11:46 2018 +0000"
      },
      "committer": {
        "name": "Gerrit Code Review",
        "email": "noreply-gerritcodereview@google.com",
        "time": "Wed Jan 10 13:11:46 2018 +0000"
      },
      "message": "Merge changes Icc35c917,I12899e03,Iff5a202c\n\n* changes:\n  Tighten up locking in NetworkController.\n  Add locking to RouteController.\n  Change RouteController from free functions/members to class functions.\n"
    },
    {
      "commit": "b9baf26777415ce2791fd86f4dd359ac7aab596c",
      "tree": "e157535d2f94873c1b6f18c3c4f589b70f1d9d9a",
      "parents": [
        "d2cd467ab4b283378b52ae30f7d514b57d9b5194"
      ],
      "author": {
        "name": "Benedict Wong",
        "email": "benedictwong@google.com",
        "time": "Sun Dec 03 15:43:08 2017 -0800"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Fri Dec 15 06:55:42 2017 +0000"
      },
      "message": "[ipsec-qtaguid] Reserve mark, add ipsec bw exemptions\n\nThis change reserves a mark denoting that a packet has already been\naccounted for, along with adding rules in BandwidthController to support\nIPSec packets being billed correctly.\n\nBug: 62994731\nTest: BandwidthControllerTest updated, passing. CTS tests also modified\nand passing\n\nChange-Id: I8b42975d1502a0d3b9e533bddc0892cfe1556bed\n"
    },
    {
      "commit": "5c43799a4bc53d0db6f06e6b0a93914956428ca6",
      "tree": "1cc83a8fd0b3dd6da062ed493a16ee2732ebbd39",
      "parents": [
        "c2db59afb266f31e9657f8a21b9ec1a9d221cd2b"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Nov 28 01:26:02 2017 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Thu Nov 30 01:54:16 2017 +0000"
      },
      "message": "Don\u0027t create rules with NLM_F_EXCL.\n\nSome operations, such as changing a network\u0027s permissions, rely\non make-before-break, and in some cases create rules that are\nidentical to the ones that already exist. Starting around 4.9,\nthe kernel fails these operations with EEXIST.\n\nWe can\u0027t just ignore the EEXISTs because if we get EEXIST it\nmeans that the rule was not created, but we\u0027ll think it was,\nand later on we\u0027ll trip up trying to delete it.\n\nIt would be possible to refactor the code to ensure that these\nno-op operations are never performed, but we would probably have\nto pass a lot more state around to deal with only a few corner\ncases.\n\nFix: 69607866\nTest: builds\nChange-Id: I1b563243b615daa73a2d9f527f77608df1f56251\n"
    },
    {
      "commit": "107075a48973c18a087a5cb2ad2ad43e73f9909a",
      "tree": "0c323a718c937dea999dea0b932d2d44296171c8",
      "parents": [
        "02cb80a71afbbe89e3ced8b417b2abe7578dbc82"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Mon Oct 30 19:24:46 2017 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Fri Nov 24 17:01:50 2017 +0900"
      },
      "message": "Add locking to RouteController.\n\nTest: netd_{unit,integration}_test passes\nChange-Id: I12899e0304d266b25b0b021ae28f9073c8b42604\n"
    },
    {
      "commit": "02cb80a71afbbe89e3ced8b417b2abe7578dbc82",
      "tree": "f7c1f3c7ce79e82d4f13c0ded3b0d5afc34b6fa6",
      "parents": [
        "c2db59afb266f31e9657f8a21b9ec1a9d221cd2b"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Mon Oct 30 19:21:06 2017 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Fri Nov 24 17:01:50 2017 +0900"
      },
      "message": "Change RouteController from free functions/members to class functions.\n\nIn a future change, this will make it more explicit which bits of\nstate (e.g., locks) are part of the class and which are not.\n\nTest: netd_{unit,integration}_test passes\nChange-Id: Iff5a202cdcb26a7b6039dd95655cc2c26592fc36\n"
    },
    {
      "commit": "92e8f96e43320efd5183d7452fb90883fd96415e",
      "tree": "15ff98ad654842679ad7cf6466e920077cf62df1",
      "parents": [
        "9a2b6aafa87a059628b34b03ae2decda19ae0695"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Sep 26 19:13:50 2017 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Wed Sep 27 12:53:07 2017 +0900"
      },
      "message": "Don\u0027t look up the main table any more.\n\nAfter https://android-review.googlesource.com/#/c/481397/ ,\ndirectly-connected routes for all network types are added to\nthe correct routing tables by ConnectivityService. So there\nshould be no reason to look up the main table.\n\nBug: 28825988\nTest: bullhead builds, boots\nTest: netd_{unit,integration}_test pass\nTest: dual-stack wifi and IPv4-only mobile data work\nChange-Id: I64ba7dbf71478afcd9d2880440f93ef346116b6b\n"
    },
    {
      "commit": "3093f5676227bd84cc61051d035a9e8dfcfa15c1",
      "tree": "7079f9410853da6d594c1fd66eb6111ace9df89d",
      "parents": [
        "b5d19e9ca694af30226c83583005a583d441203e"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Mon Sep 25 14:17:38 2017 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Sep 26 11:38:21 2017 +0900"
      },
      "message": "Don\u0027t require permissions for high-priority oif rules.\n\nThe intent of the high-priority oif rules added in ag/644462 was\nto ensure that the kernel can send packets and forward packets to\na given interface by specifying only the oif. However, if a\nnetwork requires permissions, the high-priority oif rules we\ncreate require those permission bits in the firewall mark, which\nmeans the kernel cannot use them.\n\nTherefore, remove the permissions check.\n\nTest: builds\nTest: netd_{unit,integration}_test pass\nChange-Id: I73d7eb349c4c20d0d5efe05219a89cff5015a330\n"
    },
    {
      "commit": "b5d19e9ca694af30226c83583005a583d441203e",
      "tree": "46f1a493c17c745715cbf2bb11bd8f3a02146231",
      "parents": [
        "defce53ada62ebdb67844549bf634f7df3f31779"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Mon Sep 25 18:39:33 2017 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Mon Sep 25 18:41:54 2017 +0900"
      },
      "message": "Minor fixes in RouteController.\n\n- Remove the definition of fib_rule_uid_range, since it\u0027s now in\n  the UAPI headers.\n- Fix the comment on PRIO_THROW, which is inaccurate.\n\nTest: bullhead builds, boots\nTest: netd_{unit,integration}_test pass\nChange-Id: I52ced26c4ea21925140d6ed86991e50cff7bd46a\n"
    },
    {
      "commit": "5e03a893d999d04b7329ab8825782d75872d680f",
      "tree": "f25965d97310edd4b69caf2007bafb6b45412eb3",
      "parents": [
        "be0c7c3c7aae8c76a55e77fcdc3576475d1cc10e"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Fri Sep 08 11:31:59 2017 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Sep 12 05:59:05 2017 +0900"
      },
      "message": "Invalidate dst caches when changing network permissions.\n\n(cherry picked from commit 4662e16686954dd3ca80938efe6650227877fe44)\n\nBug: 64103722\nTest: builds\nTest: connected socket UDP traffic switches to wifi when cell goes into background\nChange-Id: I502575d51781cacace96e0c2d1edb6a5183aab70\n"
    },
    {
      "commit": "be0c7c3c7aae8c76a55e77fcdc3576475d1cc10e",
      "tree": "023aca8f6e636c3b0cacc3c30eeaa924220a513b",
      "parents": [
        "268fef50181fee1720eb8cf9d309b9b3d3b88ef7"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Wed Sep 06 16:07:02 2017 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Sep 12 05:59:02 2017 +0900"
      },
      "message": "Don\u0027t allow seamless handover to networks requiring permissions.\n\nCurrently, implicitly-marked sockets continue to work when the\nnetwork changes permission. This makes it so that UDP sockets\nconnected on a foreground network will continue to work even if\nthe network moves into the background (e.g., when the linger\ntimer fires on cell data with mobile data always on).\n\nInstead, make it so that sockets implicitly marked to a network\nbecome unroutable when the network starts requiring permissions.\nExplicitly-marked sockets will continue to be routed on the\nnetwork, as usual.\n\nThis is consistent with what we do for TCP: when a network\nchanges permissions, all implicitly-marked sockets on that\nnetwork are closed using SOCK_DESTROY.\n\nThis change should not affect any other behaviour because:\n\n- Netd only ever implicitly marks sockets to the default network\n  or to a bypassable VPN that applies to the caller.\n- In both cases, at the time of marking, the network does not\n  require permissions because:\n  - VPNs don\u0027t support permissions.\n  - The default network never requires any permissions:\n    - ConnectivityService\u0027s mDefaultRequest specifies\n      NOT_RESTRICTED.\n    - The only case where a NOT_RESTRICTED network can require a\n      permission is if it\u0027s a background network, and the default\n      network is, by definition, never a background network.\n- VPNs can\u0027t change permissions.\n- If the network is still the default network, the lack of this\n  implicit rule doesn\u0027t matter.\n\nTherefore, the only case where this rule can alter routing is if\na socket is implicitly marked on the default network and that\nnetwork, after ceasing to be the default, changes permissions.\n\n(cherry picked from commit 6bd4a48ed735c7fc5c1143bf0b2f06b8a2879e61)\n\nBug: 64103722\nTest: builds\nTest: manually observed IP rules while changing network permissions\nChange-Id: I944df3a97c8062e7c3af00f72e18e693bee0a3a6\n"
    },
    {
      "commit": "d78843eb11fdde1611598fd27d347912070c0555",
      "tree": "ba0b7f0080ea6a0c0d1ea53d4ea8c601a58ef69a",
      "parents": [
        "22c24ebd283d6e8fb782b34975417308839d4ad7"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Mon Mar 27 05:52:31 2017 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Mar 28 08:08:03 2017 +0900"
      },
      "message": "Clear incoming packet mark rules on netd startup.\n\nCurrently, we put the incoming packet mark rules directly into\nthe INPUT chain of the mangle table, which is not cleared on netd\nstart. Move these rules to their own chain. This makes them\nconsistent with all the other iptables rules and makes it easy to\nclear them on startup using the existing mechanisms.\n\nBug: 28362720\nTest: bullhead builds, boots\nTest: netd_{unit,integration}_test pass\nTest: watch -n1 \"adb shell iptables -v -n -t mangle -L INPUT\" while switching networks\nTest: rules are cleared on netd restart\nChange-Id: I9130f997a96dcfdfdfdd950520a76f8473b5f603\n"
    },
    {
      "commit": "22c24ebd283d6e8fb782b34975417308839d4ad7",
      "tree": "97af5d2f1983f6891cdae08b33d28978ed0a0b04",
      "parents": [
        "fb98fa05e7745b72cf6c907794cde51f56ab05f8"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Jan 10 18:48:45 2017 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Mar 28 08:07:45 2017 +0900"
      },
      "message": "Use new-style UID routing.\n\nKernel prebuilts for OC devices have been updated, so the legacy\nattributes are not being used. Use the new attributes only. This\nwill ensure that devices aren\u0027t using the old code by mistake, as\nany such devices will fail the VPN CTS tests.\n\n(cherry picked from commit 882e467ff7b83de868fa0b9a9beb9036bf14aede)\n\nCherry-picking this to AOSP now that most external kernels have\nbeen updated as well.\n\nBug: 16355602\nTest: bullhead builds, boots\nTest: netd_{unit,integration}_test pass\nTest: has been running in internal master for several weeks.\nChange-Id: I1c4e8c9281a843417a3a52294a1b7d3e6502bee6\n"
    },
    {
      "commit": "c1306ea230c95ef0268d4d20a213911799982671",
      "tree": "894faae30ed272b2339548578f44cf5fd4ea5990",
      "parents": [
        "f91e8ed5c906483348b4f00eae234825821943b1"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Mon Mar 27 05:52:31 2017 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Mon Mar 27 16:25:10 2017 +0900"
      },
      "message": "Use iptables-restore to set the incoming packet mark rule.\n\nThis speeds up network switching because one rule needs to be\nadded/removed per interface.\n\nBug: 28362720\nTest: bullhead builds, boots\nTest: netd_{unit,integration}_test pass\nTest: watch -n1 \"adb shell iptables -v -n -t mangle -L INPUT\" while switching networks\nChange-Id: Ie536db6a50d018c88bb03c5f069965e99e0d162e\n"
    },
    {
      "commit": "60367db98fe9cca5b46210a5db8d8bfc638ce094",
      "tree": "6c17a3dc77b2c18234129b68923792a3a0471d8d",
      "parents": [
        "f3e299a7c2a0136a84b58652b69e60a22bb0e708"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Mon Feb 13 16:31:45 2017 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Thu Feb 16 17:12:16 2017 +0900"
      },
      "message": "Add a test for RouteController.\n\nTest: netd_{unit,integration}_test pass.\nChange-Id: I19416fd8a79354303dabec042d090f7ae6962b1b\n"
    },
    {
      "commit": "f3e299a7c2a0136a84b58652b69e60a22bb0e708",
      "tree": "096e714d6d30e34ff85c8a3cafcebd876b55ef12",
      "parents": [
        "4142d02b27793c9effb18ceb4c028e3ccaff7ebf"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Feb 14 17:24:28 2017 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Thu Feb 16 17:12:16 2017 +0900"
      },
      "message": "Use our netlink code to flush routes as well.\n\nMost of the CL is refactoring the rule flush code to be more\ngeneric and move it and various callback definitions to\nNetlinkCommands. After that, flushing routes is very simple.\n\nTest: bullhead builds, boots\nTest: netd_{unit,integration}_test pass\nBug: 34873832\nChange-Id: I0613d525f043d0a8b234a89982281b909011c7e5\n"
    },
    {
      "commit": "220ca739ad863fcd40c9ca107f6e0f68f7a45d14",
      "tree": "0952fcd2e0e1ec060903bc72b60207c5387148db",
      "parents": [
        "bbcd81d2e5103bbf465d69c6d0f958d3e740dd6e"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Feb 14 17:57:55 2017 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Feb 14 18:28:59 2017 +0900"
      },
      "message": "Don\u0027t complain when deleting non-existent tethering rules.\n\nclearTetheringRules ignores errors when deleting rules,\nbecause tethering rules don\u0027t exist unless tethering was\nenabled on the interface. sendNetlinkRequest shouldn\u0027t log an\nerror in this case, since the caller is ignoring that error.\n\nBug: 34873832\nTest: bullhead builds, boots, spurious error messages gone\nChange-Id: Ib327e8a3aecd3a38d624baa8bf320da87e6c4f7c\n"
    },
    {
      "commit": "bbcd81d2e5103bbf465d69c6d0f958d3e740dd6e",
      "tree": "56fc6e5092224e7e579b28fc37525eeb5881083d",
      "parents": [
        "219f328b7c2f99ef27f89206bdbf1260fa7ad2e4"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Feb 14 17:09:09 2017 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Feb 14 17:32:34 2017 +0900"
      },
      "message": "Don\u0027t call NetlinkCallbacks with nullptr on NLMSG_DONE.\n\nNo real callback uses this, and even the test code doesn\u0027t seem\nto use it for anything useful.\n\nBug: 34873832\nTest: bullhead builds, boots, rules flushed on netd restart\nTest: netd_{unit,integration}_test pass\nChange-Id: I195dd388864e9e596af9f4d08aee7b8ade078fb5\n"
    },
    {
      "commit": "219f328b7c2f99ef27f89206bdbf1260fa7ad2e4",
      "tree": "1b9705c3958736cda50f35810eb3e9d570649c67",
      "parents": [
        "0b733e4407db9d198b75743727c5827daa65490e"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Fri Feb 10 10:02:49 2017 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Feb 14 17:32:34 2017 +0900"
      },
      "message": "Use netlink code to flush rules.\n\nThis removes two calls to /sbin/ip on netd startup, which saves\nabout 70ms. In the future we will be able to use this to flush\nroutes as well, which will provide similar time savings on every\nnetwork destroy operation.\n\nBug: 34873832\nTest: bullhead builds, boots\nTest: rules flushed correctly when netd is killed\nChange-Id: I4875ac7fec1a92dc5fa2cb68f8fab2a903348c20\n"
    },
    {
      "commit": "1ef549de8a21612ab61861ff0035877a4b76184d",
      "tree": "f5537d83fb34bcd5fbe8ec531201d34106465693",
      "parents": [
        "7035f228d17e925116b1b64a7c917b3196ab8818"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Mon Feb 13 18:32:09 2017 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Feb 14 17:11:45 2017 +0900"
      },
      "message": "Move the netlink command code to a new NetlinkCommands file.\n\nTest: bullhead builds, netd boots\nTest: netd_{unit,integration}_test pass\nBug: 34873832\nChange-Id: Ia6fcde63e1092a62cad1c5238bbb9a91a9f39080\n"
    },
    {
      "commit": "7035f228d17e925116b1b64a7c917b3196ab8818",
      "tree": "9b9885872f05379d891a070e84b09b45c0afd37d",
      "parents": [
        "1e1253aaaf196a76cfdd0bc5e94e6ad2ca4e7b25"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Mon Feb 13 18:29:00 2017 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Feb 14 12:46:43 2017 +0900"
      },
      "message": "Put most of netd into the android::net namespace.\n\nTest: netd_{unit,integration}_test pass\nTest: bullhead builds, boots\nBug: 34873832\nChange-Id: I0a252328041b342f9c03cd08c11a69d452b045b3\n"
    },
    {
      "commit": "0b073fbc366ca9f5e7eaa0ae8072445404da88eb",
      "tree": "d5154bee30835f26182dde76e82e81edb2dcdb5f",
      "parents": [
        "73fa8347892077260fd7c2d00dca43cdc842b0f5"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Fri Feb 10 07:49:12 2017 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Mon Feb 13 16:39:24 2017 +0900"
      },
      "message": "Simplify and improve error logging in sendNetlinkRequest.\n\nBug: 32323979\nTest: bullhead builds, boots, new error messages appear\nTest: unit tests continue to pass\nChange-Id: Ie60ed3a71fbd26b7a8a1d2f7fb8083b1b6b9626a\n"
    },
    {
      "commit": "2b078678aafceeefea6a70e96ab8ddefe515d027",
      "tree": "bb9338f5dc2945ed6dd5779f05182bca00f4f771",
      "parents": [
        "3889ab680bb8c115f7f179be02675d7adf5017d8"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Fri Dec 16 18:45:03 2016 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Mon Dec 19 14:28:05 2016 +0900"
      },
      "message": "Set both legacy and new UID routing attributes.\n\nThis should work on kernels that support either, as long as they\nare older than 4.8.\n\nTest: netd_integration_test passes with updated iproute and kernel\nTest: netd_integration_test passes with existing iproute and kernel\nTest: ConnectivityManagerTest and HostsideVpnTests pass on existing kernel\nTest: ConnectivityManagerTest and HostsideVpnTests pass on updated kernel\nBug: 16355602\nChange-Id: I9a2ef08ba2782587f43ea7d0609f5f07f6c3adb0\n"
    },
    {
      "commit": "dc0d578a69cc5a57167a508207e2198590142d51",
      "tree": "90ee148de47e433799c494e60b0d4e2eeb51adf1",
      "parents": [
        "ff1587fc4ee0434129f6c2431eabeb291fdb0936"
      ],
      "author": {
        "name": "Robin Lee",
        "email": "rgl@google.com",
        "time": "Wed Jul 20 14:17:11 2016 +0100"
      },
      "committer": {
        "name": "Robin Lee",
        "email": "rgl@google.com",
        "time": "Tue Dec 06 09:31:39 2016 +0000"
      },
      "message": "UidRanges: use class instead of pair\u003cuid_t, uid_t\u003e\n\nReuse the UidRange that was introduced in 7.0 (NYC) to ease transition\nfrom CommandListener to binder which supports this as a parcelable type.\n\nThere is a small difference in behaviour: UidRange uses signed int32_t\nvs. uid_t being unsigned and potentially a different size. This should\nnot be a problem as all of the java-side code is converting from int.\n\nUpdating to use int64_t in future would be a large effort and involve\nchanging the java-side UidRange class to use longs, and not fixing the\nnative side would cause unit tests to fail, so it shouldn\u0027t be possible\nto overlook if that happens.\n\nCommitting this early with an appropriately loud warning so that it can\nget soak time over the next year.\n\nTest: runtest -x netd_integration_test.cpp\nChange-Id: I6c217b347724ba5bfe2df28d6142a4343cb06353\n"
    },
    {
      "commit": "5bbe13bdc4470d0af2786fc62ad40a8ba8ff5830",
      "tree": "5f15c2d0cec942ae77bdaa83abf2ec57abe0df06",
      "parents": [
        "7ad3c888e2781321cf44cb101cdf180a9671ca1e",
        "6c84ef62d953eae93c36ffa831e9b451560afba0"
      ],
      "author": {
        "name": "Robin Lee",
        "email": "rgl@google.com",
        "time": "Tue May 17 16:19:40 2016 +0000"
      },
      "committer": {
        "name": "Android (Google) Code Review",
        "email": "android-gerrit@google.com",
        "time": "Tue May 17 16:19:40 2016 +0000"
      },
      "message": "Merge \"Drop PROHIBIT_NON_VPN priority 11500 -\u003e 12500\" into nyc-dev"
    },
    {
      "commit": "6c84ef62d953eae93c36ffa831e9b451560afba0",
      "tree": "db9a805035d895efe9306082e468f5b17fb73474",
      "parents": [
        "3a272070fc318ef1a7a5a04e500483f1a7c629a8"
      ],
      "author": {
        "name": "Robin Lee",
        "email": "rgl@google.com",
        "time": "Tue May 03 13:17:58 2016 +0100"
      },
      "committer": {
        "name": "Robin Lee",
        "email": "rgl@google.com",
        "time": "Tue May 03 13:17:58 2016 +0100"
      },
      "message": "Drop PROHIBIT_NON_VPN priority 11500 -\u003e 12500\n\nSo that the rule can be kept up 100% of the time instead of dropping\nit when VPN comes on.\n\nBug: 26694104\nChange-Id: I1df6b8f588e54d72e34dbcbd15492513e07fac3d\n"
    },
    {
      "commit": "c125fe43c194128167db7a2a82b736b1357945d8",
      "tree": "79507dd5a63ab758e74ffe74407fa0f0b79e7434",
      "parents": [
        "3a272070fc318ef1a7a5a04e500483f1a7c629a8"
      ],
      "author": {
        "name": "Robin Lee",
        "email": "rgl@google.com",
        "time": "Mon May 02 08:53:34 2016 +0100"
      },
      "committer": {
        "name": "Robin Lee",
        "email": "rgl@google.com",
        "time": "Mon May 02 09:34:11 2016 +0100"
      },
      "message": "Restore ACT_UNREACHABLE\n\nThis got lost in between\n  I7d9752e86fa1a4564c622152a5be6ce2c1eda150 and\n  If23df0760c6eb0ad137fc26c5124e48edf23b722.\n\nWhich broke creating the UNREACHABLE network, also breaking the dummy\nnetwork which should be created after it.\n\nFix: 28304838\nChange-Id: I31c4ca9c3f53d6162b50e5bc46e27cfcd1b6a314\n"
    },
    {
      "commit": "b8087363143050d214d48e5620a330776ca95a69",
      "tree": "72dd7eb2cc094cc7b92796ef37e1682ab108da37",
      "parents": [
        "4ef94642636182e68495f606a65c00f8a830aad4"
      ],
      "author": {
        "name": "Robin Lee",
        "email": "rgl@google.com",
        "time": "Wed Mar 30 18:43:08 2016 +0100"
      },
      "committer": {
        "name": "Robin Lee",
        "email": "rgl@google.com",
        "time": "Tue Apr 19 10:09:31 2016 +0100"
      },
      "message": "Server API to only allow networking by VPN apps\n\nSecure virtual networks already create rules to route all traffic into\nthemselves. This depends on the secure network already existing.\n\nAPI creates an ip rule at a priority level below SECURE_VPN which\ncan catch traffic before VPN comes up, if it is a requirement that no\ntraffic ever leaves without first going through VPN.\n\nBug: 26694104\nBug: 26354134\nChange-Id: If23df0760c6eb0ad137fc26c5124e48edf23b722\n"
    },
    {
      "commit": "4ef94642636182e68495f606a65c00f8a830aad4",
      "tree": "e4ac151f92b025dd113b06d9b908535aa0ef9f23",
      "parents": [
        "9f9aae9102f62f5f96ccec670170ee1fb262ef09"
      ],
      "author": {
        "name": "Robin Lee",
        "email": "rgl@google.com",
        "time": "Fri Apr 01 11:50:49 2016 +0100"
      },
      "committer": {
        "name": "Robin Lee",
        "email": "rgl@google.com",
        "time": "Tue Apr 19 10:09:31 2016 +0100"
      },
      "message": "Have modifyIpRule take an explicit action\n\nInstead of inferring from the priority what the action should be.\n\nBug: 26694104\nChange-Id: I7d9752e86fa1a4564c622152a5be6ce2c1eda150\n"
    },
    {
      "commit": "f65122c81c824940ba93666d961c8d3fd76f3a9c",
      "tree": "3dec11a93d8fe827897610996766d07b93afaeb5",
      "parents": [
        "31701a903560b165f8241d34b9d98c18b8aaad6a"
      ],
      "author": {
        "name": "Evgenii Stepanov",
        "email": "eugenis@google.com",
        "time": "Thu Feb 11 16:55:56 2016 -0800"
      },
      "committer": {
        "name": "Jon Larimer",
        "email": "jlarimer@google.com",
        "time": "Wed Apr 06 20:18:01 2016 -0400"
      },
      "message": "Workaround ASan false positive in RouteController.\n\nBug: 27037723\n\nChange-Id: I40e7f0d07652aeb6484de5f963a7698b6805d582\n(cherry picked from commit dfde1d6c6c397e437adf937a1718784d9cb2c0cf)\n"
    },
    {
      "commit": "bbd5626b3d0994ff0ecbfceac75f6dc4abfb55c6",
      "tree": "c2233425eaacb6bca8a3d5e7744bfae41203b913",
      "parents": [
        "b407c9b318b07c0f659444d0295380e7fd48ed77"
      ],
      "author": {
        "name": "Elliott Hughes",
        "email": "enh@google.com",
        "time": "Fri Dec 04 15:45:10 2015 -0800"
      },
      "committer": {
        "name": "Elliott Hughes",
        "email": "enh@google.com",
        "time": "Fri Dec 04 15:45:10 2015 -0800"
      },
      "message": "Track rename from base/ to android-base/.\n\nChange-Id: Ice6d43c0f9b16b8fb441158a0f7344dfbf969dea\n"
    },
    {
      "commit": "5407e14fd3d81bb76f94221b4a359faa2806de65",
      "tree": "6ca19120267ce67ed67265dab49feac7e81825bc",
      "parents": [
        "afd4037d7d7802d2ecc0494901ac17134a27aa1f"
      ],
      "author": {
        "name": "Dan Albert",
        "email": "danalbert@google.com",
        "time": "Mon Mar 16 10:05:59 2015 -0700"
      },
      "committer": {
        "name": "Dan Albert",
        "email": "danalbert@google.com",
        "time": "Mon Mar 16 13:50:59 2015 -0700"
      },
      "message": "Revert \"Revert \"Update for libbase.\"\"\n\nThis reverts commit 4a0ab5ff4a87cfc4a987da99546b01e44875a2e5.\n\n(cherry picked from commit 3e87c785434fdfed2fb00496cb391c411a426bdd)\n\nChange-Id: I042f485f3cc84206766298853491ddd26dbba13f\n"
    },
    {
      "commit": "e298ded6ade9744f2a79cae045b5c324886262f4",
      "tree": "0b16bb0fe3430dd224dabf4b3c87176ba1b0f91c",
      "parents": [
        "a4614fe5bfaafd0ff6be60ddb6fd135f99f5a5a5",
        "6066d41889ada93c5312e081d5bdff94fc1fd2af"
      ],
      "author": {
        "name": "Nicolas Geoffray",
        "email": "ngeoffray@google.com",
        "time": "Mon Mar 16 11:54:19 2015 +0000"
      },
      "committer": {
        "name": "Nicolas Geoffray",
        "email": "ngeoffray@google.com",
        "time": "Mon Mar 16 11:54:19 2015 +0000"
      },
      "message": "resolved conflicts for merge of 6066d418 to master\n\nChange-Id: I2aa9721365e96c363648dd8e9e15718ed50e3c12\n"
    },
    {
      "commit": "4a0ab5ff4a87cfc4a987da99546b01e44875a2e5",
      "tree": "2e6faf54c6782b6355feca6b43faab1633c91b43",
      "parents": [
        "b67219a71d1d896bcb34c4a7a797824b88515b2c"
      ],
      "author": {
        "name": "Nicolas Geoffray",
        "email": "ngeoffray@google.com",
        "time": "Mon Mar 16 10:28:37 2015 +0000"
      },
      "committer": {
        "name": "Nicolas Geoffray",
        "email": "ngeoffray@google.com",
        "time": "Mon Mar 16 10:28:37 2015 +0000"
      },
      "message": "Revert \"Update for libbase.\"\n\nBreaks internal master.\n\nThis reverts commit b67219a71d1d896bcb34c4a7a797824b88515b2c.\n\nChange-Id: I43145f0724ad2d669b65d20b6fd6ccc44b8f0a4f\n"
    },
    {
      "commit": "a4614fe5bfaafd0ff6be60ddb6fd135f99f5a5a5",
      "tree": "e493bc44925cd955c5bd6947666c0004be5507b8",
      "parents": [
        "6d631575749406ad4d69ce14f59910bf5f186deb",
        "8656c84dcab2800fd7c1d64bba307527619d7bdb"
      ],
      "author": {
        "name": "Vinit Deshpande",
        "email": "vinitd@google.com",
        "time": "Mon Mar 16 01:28:03 2015 -0700"
      },
      "committer": {
        "name": "Vinit Deshpande",
        "email": "vinitd@google.com",
        "time": "Mon Mar 16 01:28:03 2015 -0700"
      },
      "message": "Merge remote-tracking branch \u0027goog/mirror-m-wireless-internal-release\u0027\n\nChange-Id: I51337014e2851f47dd5e183c4bfdf39bafa59942\n"
    },
    {
      "commit": "b67219a71d1d896bcb34c4a7a797824b88515b2c",
      "tree": "afb5171b6e804b87a0a0aedd0742f36283b3bd64",
      "parents": [
        "909757cfc276546652d8f6d433c56d644325af8c"
      ],
      "author": {
        "name": "Dan Albert",
        "email": "danalbert@google.com",
        "time": "Fri Mar 13 22:35:27 2015 -0700"
      },
      "committer": {
        "name": "Dan Albert",
        "email": "danalbert@google.com",
        "time": "Sat Mar 14 16:53:36 2015 -0700"
      },
      "message": "Update for libbase.\n\nStringPrintf and the string based file I/O are being moved to libbase.\n\nChange-Id: I765d9e53f65a76d318d9d0d9503403fc092254d5\n"
    },
    {
      "commit": "6b6f25fa4c135d477bcaf0bb50305a5d9aee92e3",
      "tree": "72e99c16b92789cf2c7935cfc540c35bf4c5e390",
      "parents": [
        "57947f02c00bb03651e3f9427c880211c689db7f"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Mar 03 17:22:57 2015 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Thu Mar 05 13:37:21 2015 +0900"
      },
      "message": "Flush tethering rules on interface remove.\n\nBug: 19500693\nChange-Id: I25b7942784ec026d30c60273c9e13e34d082d25a\n"
    },
    {
      "commit": "57947f02c00bb03651e3f9427c880211c689db7f",
      "tree": "33b45eabd9dc617f8d3aa0bd3f0aa2f4116d536f",
      "parents": [
        "32d768792bcd5860512998543f6904d91da1a9b7"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Fri Feb 27 16:45:55 2015 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Fri Feb 27 16:45:55 2015 +0900"
      },
      "message": "Add oif rules that allow UID 0 to bypass the VPN.\n\nThis is needed for wifi calling so that the kernel (which does\nnot set marks) can tee packets towards the modem. It also fixes\nthings like not being able to reply to DHCP requests from\ntethered clients when a VPN is up.\n\nSystem apps can already bypass the VPN using explicit marks, so\nallowing UID 0 to do so does not create additional bypass VPN\nissues.\n\nBug: 19500693\nChange-Id: Ie324026893637e9bd8e7aa65a37579569390e7b7\n"
    },
    {
      "commit": "5ad4e98f7b566ffde39491ee4e80d4a15507f053",
      "tree": "f85bf1d8642cb805ca3e5232c68323b47a6eff8d",
      "parents": [
        "3667936aadcabddc708797ac38ce1ffb2f992cb3"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Thu Feb 26 17:34:32 2015 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Fri Feb 27 09:51:15 2015 +0900"
      },
      "message": "Make the VPN rule only to originated, not forwarded, traffic.\n\nCurrently the VPN rule for the primary user will match every\nforwarded packet on the system, because it specifies a UID range\nthat includes 0, and forwarded packets have UID 0.\n\nUse \"iif lo\" to limit the rule match to locally-originated\ntraffic. This requires a kernel that sets the loopback ifindex\nwhen originating packets. Anything based on 3.10 is fine, but\ndevices using 3.4 will need a one-line change for IPv6.\n\nBug: 19500693\nChange-Id: Iaab88bed62716dc1cea33b45c4e258f6b3bfc9d0\n"
    },
    {
      "commit": "3667936aadcabddc708797ac38ce1ffb2f992cb3",
      "tree": "5b2945957c1f42dc3dbcfb68555dc524b49b4161",
      "parents": [
        "799625cd5b0a2191632f5b042bf9ff559c18a848"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Wed Feb 25 10:26:19 2015 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Wed Feb 25 13:50:49 2015 +0900"
      },
      "message": "Add a dummy network that discards all packets.\n\nBug: 19500693\nChange-Id: Ic25f2d8c481f1528e887e43ca3fa868189582110\n"
    },
    {
      "commit": "bd37832f1843ed78f64604e5627cf952ac9614ba",
      "tree": "4822622da30658fb1a67e592ef9c40720f884a6e",
      "parents": [
        "50c6639a55b3208b64adc691b181a90e1e6de223"
      ],
      "author": {
        "name": "Elliott Hughes",
        "email": "enh@google.com",
        "time": "Wed Feb 04 13:25:14 2015 -0800"
      },
      "committer": {
        "name": "Elliott Hughes",
        "email": "enh@google.com",
        "time": "Wed Feb 04 13:25:14 2015 -0800"
      },
      "message": "Switch writing to \u003cutils/file.h\u003e.\n\nChange-Id: Idb2de24414f4dd8e926e625b62e4d12152dc4527\n"
    },
    {
      "commit": "53ea9cadf6cc5f8be1c16b5b6b660cd7366fd3f0",
      "tree": "f9cbb3ae0ce8872d4982e145ac6abd646b3fa8fd",
      "parents": [
        "aea68fddd979bf6852b8aef9bc718567f9da935a"
      ],
      "author": {
        "name": "Nick Kralevich",
        "email": "nnk@google.com",
        "time": "Sat Jan 31 13:54:00 2015 -0800"
      },
      "committer": {
        "name": "Nick Kralevich",
        "email": "nnk@google.com",
        "time": "Sat Jan 31 13:54:00 2015 -0800"
      },
      "message": "Avoid leaking file descriptors\n\nAdd O_CLOEXEC on open() calls, and SOCK_CLOEXEC on socket calls.\nThis avoids leaking file descriptors across execs.\n\nAddresses the following SELinux denial:\n\n  audit(1422740213.283:8): avc: denied { read write } for pid\u003d2597 comm\u003d\"clatd\" path\u003d\"socket:[6709]\" dev\u003d\"sockfs\" ino\u003d6709 scontext\u003du:r:clatd:s0 tcontext\u003du:r:netd:s0 tclass\u003dnetlink_socket\n\nand allows the removal of some other SELinux rules which were\ninappropriately added because of leaking file descriptors.\n\nChange-Id: I9c180488ea1969d610e488f967a7276a672bb477\n"
    },
    {
      "commit": "0321315d4e94dacd5ef2e0de217059cbc72d803d",
      "tree": "4d89277b199a7eaf09652b82c271cd777524926f",
      "parents": [
        "6ef96c4862428e02a0c4aebbfa1ed0ccbf58b46e"
      ],
      "author": {
        "name": "Sreeram Ramachandran",
        "email": "sreeram@google.com",
        "time": "Thu Oct 30 10:01:07 2014 -0700"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Thu Jan 29 17:40:04 2015 +0900"
      },
      "message": "Don\u0027t fail when trying to add routes that already exist.\n\nPreviously, we suppressed failures for the special case of\nrequestRouteToHost() being called multiple times. Turns out that other\nparts of the system also try to add duplicate routes, so just suppress\nEEXIST errors in general (as far as adding routes is concerned). For\nexample, this happens when the WiFi P2P DHCP client renews its lease\nand blindly requests to add a route that it had already added before.\n\n(cherry picked from commit 64166e7666e3cc7f4b9c715f2b4e19d28ae44c5a)\n\nBug: 17205769\nChange-Id: I11d50052f616cb48a912d647b8024ccef01b736d\n"
    },
    {
      "commit": "aa1be2b3d24d99f3ccb98ff4fbb2a81b63587eff",
      "tree": "46b13422c90088fde9da814b392a555b563c0bf9",
      "parents": [
        "8a8b0c6af6ba45b549228ca4339277f18894f909"
      ],
      "author": {
        "name": "Dan Albert",
        "email": "danalbert@google.com",
        "time": "Tue Jan 06 09:36:17 2015 -0800"
      },
      "committer": {
        "name": "Dan Albert",
        "email": "danalbert@google.com",
        "time": "Tue Jan 06 09:36:17 2015 -0800"
      },
      "message": "Fix missing errno.h includes after libc cleanup.\n\nThese issues hadn\u0027t been found yet because a libc++ header was\nunconditionally pulling in errno.h. I\u0027ve fixed the libc++ header now.\n\nChange-Id: Ib096634cdd231fc75bf7548e4b99babc7442dc53\n"
    },
    {
      "commit": "64166e7666e3cc7f4b9c715f2b4e19d28ae44c5a",
      "tree": "fe9c0bcdcc7839fac97cff453a8cbacc66fa0d93",
      "parents": [
        "2b8d1ead4ea2ff8cb5af1ce88033a8ea0d691402"
      ],
      "author": {
        "name": "Sreeram Ramachandran",
        "email": "sreeram@google.com",
        "time": "Thu Oct 30 10:01:07 2014 -0700"
      },
      "committer": {
        "name": "Sreeram Ramachandran",
        "email": "sreeram@google.com",
        "time": "Thu Oct 30 17:42:46 2014 +0000"
      },
      "message": "Don\u0027t fail when trying to add routes that already exist.\n\nPreviously, we suppressed failures for the special case of\nrequestRouteToHost() being called multiple times. Turns out that other\nparts of the system also try to add duplicate routes, so just suppress\nEEXIST errors in general (as far as adding routes is concerned). For\nexample, this happens when the WiFi P2P DHCP client renews its lease\nand blindly requests to add a route that it had already added before.\n\nBug: 17205769\nChange-Id: I3de557ddb82c95899623aa31b4b3ec7c955f5609"
    },
    {
      "commit": "4c95a125e0930c112555437589f7620575482095",
      "tree": "d7ea3681e0bb8d9036536279352ced736d80140c",
      "parents": [
        "6a834abb5acca22e47b70ee88e55f394f909559b"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Thu Sep 18 16:01:50 2014 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Fri Sep 19 10:56:29 2014 +0900"
      },
      "message": "Support manipulating throw routes.\n\nWe already supported unreachable routes. Throw routes are\nnecessary so we can exempt the VPN endpoint from being routed\nthrough the VPN in legacy VPN modes that do not pass traffic\nthrough a tun or ppp interface but just directly apply IPsec\ntransformations to outgoing packets.\n\nBug: 17462989\nChange-Id: I8635472ca3e96ec2866af2de48e6260ab2da13fb\n"
    },
    {
      "commit": "99286fe1ef6fc325c28dd10b651b5adedd549495",
      "tree": "490f67430aad333ef39a55a68a83bf5b11f75d5b",
      "parents": [
        "6a46f3384b3f48e6ef77a83a5e058a47a2939a0d"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Aug 12 15:08:00 2014 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Thu Aug 14 14:00:23 2014 +0900"
      },
      "message": "Make destroying networks more robust.\n\n1. Retry route flushes if they fail.\n2. Make destroyNetwork ignore (but return) errors.\n\nBug: 16944962\nChange-Id: I26301613437d7cc373ff64955fd44d716e9982b9\n"
    },
    {
      "commit": "db74dba7ccfe9e9504e0acd440a23fed96682842",
      "tree": "ad6e4d180478c94419b51dc83e95dc0a628e004d",
      "parents": [
        "a2c230520be5fdafce8bbc0b6ee52262f981f75a"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Jul 29 18:26:21 2014 +0900"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Jul 29 18:46:31 2014 +0900"
      },
      "message": "Stop copying directly-connected routes to the main table, #2.\n\nFor a long time we have thought that copying directly-connected\nroutes to the main table was necessary to add gatewayed routes\nto other routing tables. However, this is not necessary when the\ndirectly-connected routes are properly created with \"scope link\"\nas we do in http://ag/513100 .\n\nDelete the copying code, but don\u0027t delete the rule that looks up\nthe main table or the code that dumps it. The main table is used\nfor things like cell networking, because the RIL emulates cell\nnetworks, which are actually point-to-point, as directly\nconnected broadcast subnets (e.g., a /30 or a /27) with a fake\ndefault gateway.  The directly-connected route that covers the\nfake default gateway is implicitly created by adding the IP\naddress, but it\u0027s in the main table, so we can\u0027t add the default\nroute without looking up the main table.\n\nChange-Id: I93bd4764ac75fdcc98fa4206c601524100d53fc3\n"
    },
    {
      "commit": "a2c230520be5fdafce8bbc0b6ee52262f981f75a",
      "tree": "4a9b6ee2eec871b1b9edb3de92921516b27a0251",
      "parents": [
        "2f5ea0e99e9a436cd43901b1772b77a410a62f8d"
      ],
      "author": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Jul 29 09:25:44 2014 +0000"
      },
      "committer": {
        "name": "Lorenzo Colitti",
        "email": "lorenzo@google.com",
        "time": "Tue Jul 29 09:25:44 2014 +0000"
      },
      "message": "Revert \"Stop copying directly-connected routes to the main table.\"\n\nThis reverts commit 2f5ea0e99e9a436cd43901b1772b77a410a62f8d.\n\nChange-Id: I1fe1df0249714cb650a34fae56476236ac0108e3\n"
    }
  ],
  "next": "2f5ea0e99e9a436cd43901b1772b77a410a62f8d"
}
