Don't break IPv6 connectivity when in doze mode.android-6.0.1_r9android-6.0.1_r81android-6.0.1_r80android-6.0.1_r8android-6.0.1_r79android-6.0.1_r78android-6.0.1_r77android-6.0.1_r74android-6.0.1_r73android-6.0.1_r72android-6.0.1_r70android-6.0.1_r7android-6.0.1_r69android-6.0.1_r68android-6.0.1_r67android-6.0.1_r66android-6.0.1_r65android-6.0.1_r63android-6.0.1_r62android-6.0.1_r61android-6.0.1_r60android-6.0.1_r59android-6.0.1_r58android-6.0.1_r57android-6.0.1_r56android-6.0.1_r55android-6.0.1_r54android-6.0.1_r53android-6.0.1_r52android-6.0.1_r51android-6.0.1_r50android-6.0.1_r5android-6.0.1_r49android-6.0.1_r48android-6.0.1_r47android-6.0.1_r46android-6.0.1_r45android-6.0.1_r43android-6.0.1_r42android-6.0.1_r41android-6.0.1_r40android-6.0.1_r4android-6.0.1_r33android-6.0.1_r32android-6.0.1_r31android-6.0.1_r30android-6.0.1_r3android-6.0.1_r28android-6.0.1_r27android-6.0.1_r26android-6.0.1_r25android-6.0.1_r24android-6.0.1_r22android-6.0.1_r21android-6.0.1_r20android-6.0.1_r18android-6.0.1_r17android-6.0.1_r16android-6.0.1_r13android-6.0.1_r12android-6.0.1_r11android-6.0.1_r10android-6.0.1_r1android-6.0.0_r41android-6.0.0_r26android-6.0.0_r25android-6.0.0_r24android-6.0.0_r23android-6.0.0_r13android-6.0.0_r12android-6.0.0_r11marshmallow-mr3-releasemarshmallow-mr2-releasemarshmallow-mr1-releasemarshmallow-mr1-devmarshmallow-dr1.6-releasemarshmallow-dr1.5-releasemarshmallow-dr-releasemarshmallow-dr-dragon-releasemarshmallow-dr-dev

Working IPv6 connectivity relies on the kernel being able to
receive certain ICMPv6 packets (router advertisements, neighbour
solicitations, neighbour advertisements) at all times. Allow
these packets when in doze mode.

This is not necessary for IPv4 because in IPv4 these functions
use ARP, which is invisible to iptables.

Bug: 23158230
Change-Id: I29ed77561db9688486cf58cd14ac3bce7fce4b40

2 files changed, 22 insertions, 0 deletions

diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
index bcf7524c..cf5a7de2 100644
--- a/server/FirewallController.cpp
+++ b/server/FirewallController.cpp
@@ -37,6 +37,18 @@ const char* FirewallController::LOCAL_FORWARD = "fw_FORWARD";
 const char* FirewallController::LOCAL_DOZABLE = "fw_dozable";
 const char* FirewallController::LOCAL_STANDBY = "fw_standby";
 
+// ICMPv6 types that are required for any form of IPv6 connectivity to work. Note that because the
+// fw_dozable chain is called from both INPUT and OUTPUT, this includes both packets that we need
+// to be able to send (e.g., RS, NS), and packets that we need to receive (e.g., RA, NA).
+const char* FirewallController::ICMPV6_TYPES[] = {
+    "packet-too-big",
+    "router-solicitation",
+    "router-advertisement",
+    "neighbour-solicitation",
+    "neighbour-advertisement",
+    "redirect",
+};
+
 FirewallController::FirewallController(void) {
     // If no rules are set, it's in BLACKLIST mode
     mFirewallType = BLACKLIST;
@@ -264,11 +276,18 @@ int FirewallController::createChain(const char* childChain,
     int res = 0;
     res |= execIptables(V4V6, "-t", TABLE, "-N", childChain, NULL);
     if (type == WHITELIST) {
+        // Allow ICMPv6 packets necessary to make IPv6 connectivity work. http://b/23158230 .
+        for (size_t i = 0; i < ARRAY_SIZE(ICMPV6_TYPES); i++) {
+            res |= execIptables(V6, "-A", childChain, "-p", "icmpv6", "--icmpv6-type",
+                    ICMPV6_TYPES[i], "-j", "RETURN", NULL);
+        }
+
         // create default white list for system uid range
         char uidStr[16];
         sprintf(uidStr, "0-%d", AID_APP - 1);
         res |= execIptables(V4V6, "-A", childChain, "-m", "owner", "--uid-owner",
                 uidStr, "-j", "RETURN", NULL);
+
         // create default rule to drop all traffic
         res |= execIptables(V4V6, "-A", childChain, "-j", "DROP", NULL);
     }
diff --git a/server/FirewallController.h b/server/FirewallController.h
index b32072e7..34a8b9ce 100644
--- a/server/FirewallController.h
+++ b/server/FirewallController.h
@@ -64,6 +64,9 @@ public:
 
     static const char* LOCAL_DOZABLE;
     static const char* LOCAL_STANDBY;
+
+    static const char* ICMPV6_TYPES[];
+
 private:
     FirewallType mFirewallType;
     int attachChain(const char*, const char*);