author | Chiachang Wang <chiachangwang@google.com> | 2022-04-20 11:36:21 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2022-04-20 11:36:21 +0000 |
commit | 99ab18cc87809e1940f5fe89a4c415f87bc7a114 (patch) | |
tree | c3e0ed0afe74a30341cef7ec46a6861de64668bf | |
parent | 77a98b1e430daee1b912c749e0a9001256c7efda (diff) | |
parent | 95e0b10a33389aa9f601c3891eb20ebaa6b3bc62 (diff) | |
download | netd-99ab18cc87809e1940f5fe89a4c415f87bc7a114.tar.gz |
Merge "Remove temporary hardcoded local exclusion routes" am: e120ec8c14 am: db32ff83b7 am: 70a7509ef4 am: aabd889807 am: 95e0b10a33
Original change: https://android-review.googlesource.com/c/platform/system/netd/+/2063246
Change-Id: I1f403019adc936fed5f31ee4d9fe77144167c759
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r-- | server/RouteController.cpp | 61 | ||||
-rw-r--r-- | server/RouteController.h | 10 | ||||
-rw-r--r-- | tests/binder_test.cpp | 38 |
3 files changed, 3 insertions, 106 deletions
diff --git a/server/RouteController.cpp b/server/RouteController.cpp
index 1e7d69a0..5ed33cdd 100644
--- a/server/RouteController.cpp
+++ b/server/RouteController.cpp
@@ -653,64 +653,9 @@ int RouteController::modifyVpnLocalExclusionRule(bool add, const char* physicalI fwmark.permission = PERMISSION_NONE; mask.permission = PERMISSION_NONE; - if (int ret = modifyIpRule(add ? RTM_NEWRULE : RTM_DELRULE, RULE_PRIORITY_LOCAL_ROUTES, table, - fwmark.intValue, mask.intValue, IIF_LOOPBACK, OIF_NONE, INVALID_UID, - INVALID_UID)) { - return ret; - } - return modifyVpnLocalExclusionRoutes(add, physicalInterface); -} - -// TODO: Update the local exclusion routes based on what actual subnet the network is. -int RouteController::modifyVpnLocalExclusionRoutes(bool add, const char* interface) { - for (size_t i = 0; i < ARRAY_SIZE(LOCAL_EXCLUSION_ROUTES_V4); ++i) { - if (int err = modifyVpnLocalExclusionRoute(add, interface, LOCAL_EXCLUSION_ROUTES_V4[i])) { - return err; - } - } - - // Stop setting v6 routes if the v6 is disabled on the interface. - std::string disable_ipv6; - if (int err = InterfaceController::getParameter("ipv6", "conf", interface, "disable_ipv6", - &disable_ipv6)) { - ALOGE("Error getting %s v6 route configuration: %s", interface, strerror(-err)); - } - - if (!disable_ipv6.compare("1")) { - return 0; - } - - for (size_t i = 0; i < ARRAY_SIZE(LOCAL_EXCLUSION_ROUTES_V6); ++i) { - if (int err = modifyVpnLocalExclusionRoute(add, interface, LOCAL_EXCLUSION_ROUTES_V6[i])) { - return err; - } - } - return 0; -} - -int RouteController::modifyVpnLocalExclusionRoute(bool add, const char* interface, - const char* destination) { - uint32_t table = getRouteTableForInterface(interface, true /* local */); - if (table == RT_TABLE_UNSPEC) { - return -ESRCH; - } - - if (int ret = modifyIpRoute(add ? RTM_NEWROUTE : RTM_DELROUTE, - add ? NETLINK_ROUTE_CREATE_FLAGS : NETLINK_REQUEST_FLAGS, table, - interface, destination, nullptr, 0 /* mtu */, 0 /* priority */)) { - // Trying to delete a route that already deleted or trying to remove route on a non-exist - // interface shouldn't cause an error. 
ENODEV happens in an IPv6 only network with clatd - // started. Clat will be stopped first before calling destroying network, so the clat - // interface is removed first before destroying the network. While trying to find the index - // from the interface for removing the route during network destroying process, it will - // cause an ENODEV since the interface has been removed already. This expected error should - // not fail the follow up routing clean up. - if (add || (ret != -ESRCH && ret != -ENODEV)) { - return ret; - } - } - - return 0; + return modifyIpRule(add ? RTM_NEWRULE : RTM_DELRULE, RULE_PRIORITY_LOCAL_ROUTES, table, + fwmark.intValue, mask.intValue, IIF_LOOPBACK, OIF_NONE, INVALID_UID, + INVALID_UID); } // A rule to enable split tunnel VPNs. diff --git a/server/RouteController.h b/server/RouteController.h index 6de07dd1..9b04cfd2 100644 --- a/server/RouteController.h +++ b/server/RouteController.h @@ -79,13 +79,6 @@ constexpr int32_t RULE_PRIORITY_DEFAULT_NETWORK = 30000; constexpr int32_t RULE_PRIORITY_UNREACHABLE = 32000; // clang-format on -constexpr const char* LOCAL_EXCLUSION_ROUTES_V4[] = { - "169.254.0.0/16", // Link-local, RFC3927 -}; -constexpr const char* LOCAL_EXCLUSION_ROUTES_V6[] = { - "fe80::/10" // Link-local, RFC-4291 -}; - class UidRanges; class RouteController { @@ -228,9 +221,6 @@ public: bool modifyNonUidBasedRules, bool excludeLocalRoutes); static void updateTableNamesFile() EXCLUDES(sInterfaceToTableLock); static int modifyVpnLocalExclusionRule(bool add, const char* physicalInterface); - static int modifyVpnLocalExclusionRoutes(bool add, const char* interface); - static int modifyVpnLocalExclusionRoute(bool add, const char* interface, - const char* destination); }; // Public because they are called by by RouteControllerTest.cpp. diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp index bc0d37de..75b782e6 100644 --- a/tests/binder_test.cpp +++ b/tests/binder_test.cpp 
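Review bot: After this removal, modifyVpnLocalExclusionRule installs only the RULE_PRIORITY_LOCAL_ROUTES rule pointing at `table`, and nothing left in the hunk puts any route into that local table, so the rule's effect now depends entirely on whatever populates the table elsewhere, which this diff does not show. The function starts above the hunk (its signature appears only in the @@ context), so the header comment there presumably still describes installing link-local exclusion routes and should be rechecked against the new body. I would add a note at the new return, e.g. `// Only the ip rule is installed here; the <iface>_local table it selects is populated elsewhere (the hardcoded link-local routes were removed).` The companion hunks in tests/binder_test.cpp drop the only assertion that inspected that table's contents, so what the rule actually routes to is no longer covered by a test unless another change replaces it.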
@@ -112,8 +112,6 @@ using android::binder::Status; using android::net::INetd; using android::net::InterfaceConfigurationParcel; using android::net::InterfaceController; -using android::net::LOCAL_EXCLUSION_ROUTES_V4; -using android::net::LOCAL_EXCLUSION_ROUTES_V6; using android::net::MarkMaskParcel; using android::net::NativeNetworkConfig; using android::net::NativeNetworkType; @@ -1456,16 +1454,6 @@ void expectNetworkRouteExistsWithMtu(const char* ipVersion, const std::string& i << "] in table " << table; } -bool ipRouteExists(const char* ipType, std::string& ipRoute, const std::string& tableName) { - std::vector<std::string> routes = listIpRoutes(ipType, tableName.c_str()); - for (const auto& route : routes) { - if (route.find(ipRoute) != std::string::npos) { - return true; - } - } - return false; -} - void expectVpnLocalExclusionRuleExists(const std::string& ifName, bool expectExists) { std::string tableName = std::string(ifName + "_local"); // Check if rule exists 
@@ -3552,30 +3540,6 @@ void expectVpnFallthroughRuleExists(const std::string& ifName, int vpnNetId) { } } -void expectVpnLocalExclusionRouteExists(const std::string& ifName) { - std::string tableName = std::string(ifName + "_local"); - // Check if routes exist - for (size_t i = 0; i < ARRAY_SIZE(LOCAL_EXCLUSION_ROUTES_V4); ++i) { - const auto& dst = LOCAL_EXCLUSION_ROUTES_V4[i]; - std::string vpnLocalExclusionRoute = - StringPrintf("%s dev %s proto static scope link", dst, ifName.c_str()); - EXPECT_TRUE(ipRouteExists(IP_RULE_V4, vpnLocalExclusionRoute, tableName)); - } - // expect no other rule - std::vector<std::string> routes = listIpRoutes(IP_RULE_V4, tableName.c_str()); - EXPECT_EQ(routes.size(), ARRAY_SIZE(LOCAL_EXCLUSION_ROUTES_V4)); - - for (size_t i = 0; i < ARRAY_SIZE(LOCAL_EXCLUSION_ROUTES_V6); ++i) { - const auto& dst = LOCAL_EXCLUSION_ROUTES_V6[i]; - std::string vpnLocalExclusionRoute = - StringPrintf("%s dev %s proto static", dst, ifName.c_str()); - EXPECT_TRUE(ipRouteExists(IP_RULE_V6, vpnLocalExclusionRoute, tableName)); - } - // expect no other rule - routes = listIpRoutes(IP_RULE_V6, tableName.c_str()); - EXPECT_EQ(routes.size(), ARRAY_SIZE(LOCAL_EXCLUSION_ROUTES_V6)); -} - void expectVpnFallthroughWorks(android::net::INetd* netdService, bool bypassable, uid_t uid, const TunInterface& fallthroughNetwork, const TunInterface& vpnNetwork, int vpnNetId = TEST_NETID2, @@ -3615,8 +3579,6 @@ void expectVpnFallthroughWorks(android::net::INetd* netdService, bool bypassable // Check if local exclusion rule exists expectVpnLocalExclusionRuleExists(fallthroughNetwork.name(), true); - // Check if local exclusion route exists - expectVpnLocalExclusionRouteExists(fallthroughNetwork.name()); // Expect fallthrough to default network // The fwmark differs depending on whether the VPN is bypassable or not. |