From 56ac72641c7bb335b90979e6523da89c21792af6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= Date: Mon, 13 Jun 2022 22:39:12 -0700 Subject: TcUtils.h - remove most of it - no longer used MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bug: 235778483 Test: TreeHugger Signed-off-by: Maciej Żenczykowski Change-Id: I515f5c25d7ef6d0aeed091852e912fc2a334d548 (cherry picked from commit da278449384fbe0ea898ff09cc90f0150d31d1a8) Merged-In: I515f5c25d7ef6d0aeed091852e912fc2a334d548 --- server/TcUtils.h | 52 ---------------------------------------------------- 1 file changed, 52 deletions(-) diff --git a/server/TcUtils.h b/server/TcUtils.h index d205c04b..4b1b2b9f 100644 --- a/server/TcUtils.h +++ b/server/TcUtils.h @@ -26,42 +26,10 @@ #include #include "bpf/BpfUtils.h" -#include "bpf_shared.h" namespace android { namespace net { -// For better code clarity - do not change values - used for booleans like -// with_ethernet_header or isEthernet. -constexpr bool RAWIP = false; -constexpr bool ETHER = true; - -// For better code clarity when used for 'bool ingress' parameter. -constexpr bool EGRESS = false; -constexpr bool INGRESS = true; - -// The priority of clat hook - must be after tethering. -constexpr uint16_t PRIO_CLAT = 4; - -inline base::Result isEthernet(const std::string& interface) { - bool result = false; - if (int error = ::android::isEthernet(interface.c_str(), result)) { - errno = error; - return ErrnoErrorf("isEthernet failed for interface {}", interface); - } - return result; -} - -inline int getClatEgress4MapFd(void) { - const int fd = bpf::mapRetrieveRW(CLAT_EGRESS4_MAP_PATH); - return (fd == -1) ? -errno : fd; -} - -inline int getClatIngress6MapFd(void) { - const int fd = bpf::mapRetrieveRW(CLAT_INGRESS6_MAP_PATH); - return (fd == -1) ? -errno : fd; -} - inline int tcQdiscAddDevClsact(int ifIndex) { return doTcQdiscClsact(ifIndex, RTM_NEWQDISC, NLM_F_EXCL | NLM_F_CREATE); } @@ -74,25 +42,5 @@ inline int tcQdiscDelDevClsact(int ifIndex) { return doTcQdiscClsact(ifIndex, RTM_DELQDISC, 0); } -// tc filter add dev .. ingress prio 4 protocol ipv6 bpf object-pinned /sys/fs/bpf/... direct-action -inline int tcFilterAddDevIngressClatIpv6(int ifIndex, const std::string& bpfProgPath) { - return tcAddBpfFilter(ifIndex, INGRESS, PRIO_CLAT, ETH_P_IPV6, bpfProgPath.c_str()); -} - -// tc filter add dev .. egress prio 4 protocol ip bpf object-pinned /sys/fs/bpf/... direct-action -inline int tcFilterAddDevEgressClatIpv4(int ifIndex, const std::string& bpfProgPath) { - return tcAddBpfFilter(ifIndex, EGRESS, PRIO_CLAT, ETH_P_IP, bpfProgPath.c_str()); -} - -// tc filter del dev .. ingress prio 4 protocol ipv6 -inline int tcFilterDelDevIngressClatIpv6(int ifIndex) { - return tcDeleteFilter(ifIndex, INGRESS, PRIO_CLAT, ETH_P_IPV6); -} - -// tc filter del dev .. egress prio 4 protocol ip -inline int tcFilterDelDevEgressClatIpv4(int ifIndex) { - return tcDeleteFilter(ifIndex, EGRESS, PRIO_CLAT, ETH_P_IP); -} - } // namespace net } // namespace android -- cgit v1.2.3 From 92d5157c6213aa16aa44eb68375c6cc14f111568 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= Date: Tue, 14 Jun 2022 16:49:58 -0700 Subject: netd: make BandwidthController startup failures terminal MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bug: 235778483 Test: TreeHugger Signed-off-by: Maciej Żenczykowski Change-Id: Ic6ddf0ca1cda26c27be3bbdbebfde64b02dc2c83 (cherry picked from commit 38e049f7f434ace9f977a7a72e939558e5f373a9) Merged-In: Ic6ddf0ca1cda26c27be3bbdbebfde64b02dc2c83 --- server/Controllers.cpp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/server/Controllers.cpp b/server/Controllers.cpp index 0df6b0ee..00ee186d 100644 --- a/server/Controllers.cpp +++ b/server/Controllers.cpp @@ -277,7 +277,15 @@ void Controllers::init() { initIptablesRules(); Stopwatch s; - bandwidthCtrl.enableBandwidthControl(); + if (int ret = bandwidthCtrl.enableBandwidthControl()) { + gLog.error("Failed to initialize BandwidthController (%s)", strerror(-ret)); + // A failure to init almost definitely means that iptables failed to load + // our static ruleset, which then basically means network accounting will not work. + // As such simply exit netd. This may crash loop the system, but by failing + // to bootup we will trigger rollback and thus this offers us protection against + // a mainline update breaking things. + exit(1); + } gLog.info("Enabling bandwidth control: %" PRId64 "us", s.getTimeAndResetUs()); if (int ret = RouteController::Init(NetworkController::LOCAL_NET_ID)) { -- cgit v1.2.3 From cb4554093b9c32854c7a5656409fe091ce8e5456 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= Date: Mon, 13 Jun 2022 22:53:58 -0700 Subject: move definition of xt_bpf program pin locations to system/netd MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As this ends up built in to the netd binary, and should thus not be pulling in mainline (and thus mutable) header files. We could technically export the path out of the netd_updatable.so, but there is no benefit to doing so. This is because the pin directory is determined by selinux access having to make these available to netd & iptables (netdutils_wrappers), and the entire structure of the iptables setup (ie. chains, etc) is already entirely left up to netd. Thus the only meaningful thing mainline could do here is rename the programs (while maintaining their behaviour) but that provides absolutely no value. (If the programs are missing, then bandwidth accounting fails, and there is no way to add additional programs) Bug: 235778483 Test: TreeHugger Signed-off-by: Maciej Żenczykowski Change-Id: I3c235d63b3695deb04564bb929913a9050b9fc10 (cherry picked from commit acfd2041ce52f25dd5c5a0cafaf4572d7a634f63) Merged-In: I3c235d63b3695deb04564bb929913a9050b9fc10 --- Android.bp | 2 ++ include/binder_utils/XtBpfProgLocations.h | 37 +++++++++++++++++++++++++++++++ server/Android.bp | 6 ++--- server/BandwidthControllerTest.cpp | 2 +- server/TetherController.h | 3 ++- tests/binder_test.cpp | 1 - 6 files changed, 45 insertions(+), 6 deletions(-) create mode 100644 include/binder_utils/XtBpfProgLocations.h diff --git a/Android.bp b/Android.bp index 88379109..e08494e8 100644 --- a/Android.bp +++ b/Android.bp @@ -29,7 +29,9 @@ cc_library_headers { apex_available: [ "//apex_available:platform", "com.android.resolv", + "com.android.tethering", ], + sdk_version: "29", min_sdk_version: "29", } diff --git a/include/binder_utils/XtBpfProgLocations.h b/include/binder_utils/XtBpfProgLocations.h new file mode 100644 index 00000000..95a5742c --- /dev/null +++ b/include/binder_utils/XtBpfProgLocations.h @@ -0,0 +1,37 @@ +/* + * Copyright (C) 2022 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#pragma once + +/* -=-=-=-=-= WARNING -=-=-=-=-=- + * + * DO *NOT* *EVER* CHANGE THESE - they *MUST* match what the Tethering mainline module provides! + * + * You cannot even change them in sync, since newer module must work on older Android T releases. + * + * You could with difficulty, uprevs of the bpfloader, api detection logic in mainline, etc, + * change this in Android U or later, but even that is a very bad idea and not worth the hassle. + * + * + * Mainline Tethering module on T+ is expected to make available to netd (for use by + * BandwidthController iptables initialization code) four xt_bpf programs at the following + * locations: + */ +#define XT_BPF_NETD(NAME) "/sys/fs/bpf/netd_shared/prog_netd_skfilter_" NAME "_xtbpf" +#define XT_BPF_ALLOWLIST_PROG_PATH XT_BPF_NETD("allowlist") +#define XT_BPF_DENYLIST_PROG_PATH XT_BPF_NETD("denylist") +#define XT_BPF_EGRESS_PROG_PATH XT_BPF_NETD("egress") +#define XT_BPF_INGRESS_PROG_PATH XT_BPF_NETD("ingress") diff --git a/server/Android.bp b/server/Android.bp index f29f6cfc..16252a46 100644 --- a/server/Android.bp +++ b/server/Android.bp @@ -42,7 +42,7 @@ cc_library_static { "system/netd/include", "system/netd/server/binder", ], - header_libs: ["bpf_connectivity_headers"], + header_libs: ["bpf_headers"], srcs: [ "BandwidthController.cpp", "Controllers.cpp", @@ -95,7 +95,7 @@ cc_binary { required: [ "bpfloader", ], - header_libs: ["bpf_connectivity_headers"], + header_libs: ["bpf_headers"], shared_libs: [ "android.system.net.netd@1.0", "android.system.net.netd@1.1", @@ -195,7 +195,7 @@ cc_test { "system/netd/server/binder", "system/netd/tests", ], - header_libs: ["bpf_connectivity_headers"], + header_libs: ["bpf_headers"], tidy_timeout_srcs: [ "BandwidthControllerTest.cpp", "InterfaceControllerTest.cpp", diff --git a/server/BandwidthControllerTest.cpp b/server/BandwidthControllerTest.cpp index e7d29d23..bf4c2e2a 100644 --- a/server/BandwidthControllerTest.cpp +++ b/server/BandwidthControllerTest.cpp @@ -34,7 +34,7 @@ #include "BandwidthController.h" #include "Fwmark.h" #include "IptablesBaseTest.h" -#include "bpf_shared.h" +#include "binder_utils/XtBpfProgLocations.h" #include "tun_interface.h" using ::testing::_; diff --git a/server/TetherController.h b/server/TetherController.h index b4472bd5..bbabcee4 100644 --- a/server/TetherController.h +++ b/server/TetherController.h @@ -28,10 +28,11 @@ #include "NetdConstants.h" #include "android-base/result.h" #include "bpf/BpfMap.h" -#include "bpf_shared.h" #include "android/net/TetherOffloadRuleParcel.h" +#include "binder_utils/XtBpfProgLocations.h" + namespace android { namespace net { diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp index f423ea38..ddd25c50 100644 --- a/tests/binder_test.cpp +++ b/tests/binder_test.cpp @@ -54,7 +54,6 @@ #include #include #include -#include #include #include #include -- cgit v1.2.3 From e3ea09c60fdc7be99589299d12291d9f124d3f0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= Date: Wed, 15 Jun 2022 01:04:03 -0700 Subject: move XtBpfProgLocations.h into a new header library MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bug: 235778483 Test: TreeHugger Signed-off-by: Maciej Żenczykowski Change-Id: I6ad0a12ff14331809cbca97043bc5d5c9f8742b8 (cherry picked from commit d9fc54b55b58ef20dbd34e12699ae947912e7562) Merged-In: I6ad0a12ff14331809cbca97043bc5d5c9f8742b8 --- Android.bp | 9 ++++++++ include/binder_utils/XtBpfProgLocations.h | 37 ------------------------------- include/mainline/XtBpfProgLocations.h | 37 +++++++++++++++++++++++++++++++ server/BandwidthControllerTest.cpp | 2 +- server/TetherController.h | 2 +- 5 files changed, 48 insertions(+), 39 deletions(-) delete mode 100644 include/binder_utils/XtBpfProgLocations.h create mode 100644 include/mainline/XtBpfProgLocations.h diff --git a/Android.bp b/Android.bp index e08494e8..b654f76b 100644 --- a/Android.bp +++ b/Android.bp @@ -29,6 +29,15 @@ cc_library_headers { apex_available: [ "//apex_available:platform", "com.android.resolv", + ], + min_sdk_version: "29", +} + +cc_library_headers { + name: "netd_mainline_headers", + export_include_dirs: ["include/mainline"], + apex_available: [ + "//apex_available:platform", "com.android.tethering", ], sdk_version: "29", diff --git a/include/binder_utils/XtBpfProgLocations.h b/include/binder_utils/XtBpfProgLocations.h deleted file mode 100644 index 95a5742c..00000000 --- a/include/binder_utils/XtBpfProgLocations.h +++ /dev/null @@ -1,37 +0,0 @@ -/* - * Copyright (C) 2022 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#pragma once - -/* -=-=-=-=-= WARNING -=-=-=-=-=- - * - * DO *NOT* *EVER* CHANGE THESE - they *MUST* match what the Tethering mainline module provides! - * - * You cannot even change them in sync, since newer module must work on older Android T releases. - * - * You could with difficulty, uprevs of the bpfloader, api detection logic in mainline, etc, - * change this in Android U or later, but even that is a very bad idea and not worth the hassle. - * - * - * Mainline Tethering module on T+ is expected to make available to netd (for use by - * BandwidthController iptables initialization code) four xt_bpf programs at the following - * locations: - */ -#define XT_BPF_NETD(NAME) "/sys/fs/bpf/netd_shared/prog_netd_skfilter_" NAME "_xtbpf" -#define XT_BPF_ALLOWLIST_PROG_PATH XT_BPF_NETD("allowlist") -#define XT_BPF_DENYLIST_PROG_PATH XT_BPF_NETD("denylist") -#define XT_BPF_EGRESS_PROG_PATH XT_BPF_NETD("egress") -#define XT_BPF_INGRESS_PROG_PATH XT_BPF_NETD("ingress") diff --git a/include/mainline/XtBpfProgLocations.h b/include/mainline/XtBpfProgLocations.h new file mode 100644 index 00000000..95a5742c --- /dev/null +++ b/include/mainline/XtBpfProgLocations.h @@ -0,0 +1,37 @@ +/* + * Copyright (C) 2022 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#pragma once + +/* -=-=-=-=-= WARNING -=-=-=-=-=- + * + * DO *NOT* *EVER* CHANGE THESE - they *MUST* match what the Tethering mainline module provides! + * + * You cannot even change them in sync, since newer module must work on older Android T releases. + * + * You could with difficulty, uprevs of the bpfloader, api detection logic in mainline, etc, + * change this in Android U or later, but even that is a very bad idea and not worth the hassle. + * + * + * Mainline Tethering module on T+ is expected to make available to netd (for use by + * BandwidthController iptables initialization code) four xt_bpf programs at the following + * locations: + */ +#define XT_BPF_NETD(NAME) "/sys/fs/bpf/netd_shared/prog_netd_skfilter_" NAME "_xtbpf" +#define XT_BPF_ALLOWLIST_PROG_PATH XT_BPF_NETD("allowlist") +#define XT_BPF_DENYLIST_PROG_PATH XT_BPF_NETD("denylist") +#define XT_BPF_EGRESS_PROG_PATH XT_BPF_NETD("egress") +#define XT_BPF_INGRESS_PROG_PATH XT_BPF_NETD("ingress") diff --git a/server/BandwidthControllerTest.cpp b/server/BandwidthControllerTest.cpp index bf4c2e2a..844681d0 100644 --- a/server/BandwidthControllerTest.cpp +++ b/server/BandwidthControllerTest.cpp @@ -34,7 +34,7 @@ #include "BandwidthController.h" #include "Fwmark.h" #include "IptablesBaseTest.h" -#include "binder_utils/XtBpfProgLocations.h" +#include "mainline/XtBpfProgLocations.h" #include "tun_interface.h" using ::testing::_; diff --git a/server/TetherController.h b/server/TetherController.h index bbabcee4..d2195f23 100644 --- a/server/TetherController.h +++ b/server/TetherController.h @@ -31,7 +31,7 @@ #include "android/net/TetherOffloadRuleParcel.h" -#include "binder_utils/XtBpfProgLocations.h" +#include "mainline/XtBpfProgLocations.h" namespace android { namespace net { -- cgit v1.2.3 From 1c4e677ea830fe8e8ca680400a704b362b02db80 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= Date: Wed, 15 Jun 2022 01:29:38 -0700 Subject: BandwidthController - remove an unused variable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Test: TreeHugger, builds Signed-off-by: Maciej Żenczykowski Change-Id: I7ce0b2ec6c67f0f9b231736c37be151dad61a2a5 (cherry picked from commit f217576ca74ec05c93dd91d479843320ebc3eaef) Merged-In: I7ce0b2ec6c67f0f9b231736c37be151dad61a2a5 --- server/BandwidthController.cpp | 2 -- 1 file changed, 2 deletions(-) diff --git a/server/BandwidthController.cpp b/server/BandwidthController.cpp index 96a82e23..b076c875 100644 --- a/server/BandwidthController.cpp +++ b/server/BandwidthController.cpp @@ -147,8 +147,6 @@ const std::string NEW_CHAIN_COMMAND = "-N "; */ const std::string COMMIT_AND_CLOSE = "COMMIT\n"; -const std::string BPF_PENALTY_BOX_MATCH_DENYLIST_COMMAND = StringPrintf( - "-I bw_penalty_box -m bpf --object-pinned %s -j REJECT", XT_BPF_DENYLIST_PROG_PATH); static const std::vector IPT_FLUSH_COMMANDS = { /* -- cgit v1.2.3 From fbc85069c14474b6987f2699849e7a9db72c6e35 Mon Sep 17 00:00:00 2001 From: Ken Chen Date: Wed, 20 Apr 2022 15:10:31 +0800 Subject: Use netd_aidl_interface wrappers To avoid tediously update netd_aidl_interface-V*-cpp on all users, use wrappers instead of the one with a specific version. Bug: 220392885 Test: TH Change-Id: I15194e978557d687e87ec05ce401b4feff418a73 (cherry picked from commit b2d8888eb1db72d1c710f7f4e3c6ff78db416733) Merged-In: I15194e978557d687e87ec05ce401b4feff418a73 --- server/Android.bp | 24 ++++++++++++++++-------- tests/Android.bp | 12 ++++++++---- tests/benchmarks/Android.bp | 6 ++++-- 3 files changed, 28 insertions(+), 14 deletions(-) diff --git a/server/Android.bp b/server/Android.bp index 16252a46..06ea0bab 100644 --- a/server/Android.bp +++ b/server/Android.bp @@ -37,7 +37,10 @@ filegroup { // Modules common to both netd and netd_unit_test cc_library_static { name: "libnetd_server", - defaults: ["netd_defaults"], + defaults: [ + "netd_aidl_interface_lateststable_cpp_shared", + "netd_defaults", + ], include_dirs: [ "system/netd/include", "system/netd/server/binder", @@ -71,7 +74,6 @@ cc_library_static { "libpcap", "libssl", "libsysutils", - "netd_aidl_interface-V8-cpp", "netd_event_listener_interface-V1-cpp", ], static_libs: [ @@ -86,7 +88,10 @@ cc_library_static { cc_binary { name: "netd", - defaults: ["netd_defaults"], + defaults: [ + "netd_aidl_interface_lateststable_cpp_shared", + "netd_defaults", + ], include_dirs: [ "external/mdnsresponder/mDNSShared", "system/netd/include", @@ -116,7 +121,6 @@ cc_binary { "libsysutils", "libutils", "mdns_aidl_interface-V1-cpp", - "netd_aidl_interface-V8-cpp", "netd_event_listener_interface-V1-cpp", "oemnetd_aidl_interface-cpp", ], @@ -156,7 +160,10 @@ cc_binary { cc_binary { name: "ndc", - defaults: ["netd_defaults"], + defaults: [ + "netd_aidl_interface_lateststable_cpp_shared", + "netd_defaults", + ], include_dirs: [ "system/netd/include", ], @@ -172,7 +179,6 @@ cc_binary { "libutils", "libbinder", "dnsresolver_aidl_interface-V7-cpp", - "netd_aidl_interface-V8-cpp", ], srcs: [ "ndc.cpp", @@ -187,7 +193,10 @@ cc_binary { cc_test { name: "netd_unit_test", - defaults: ["netd_defaults"], + defaults: [ + "netd_aidl_interface_lateststable_cpp_static", + "netd_defaults", + ], test_suites: ["device-tests"], require_root: true, include_dirs: [ @@ -223,7 +232,6 @@ cc_test { "libnetd_server", "libnetd_test_tun_interface", "libtcutils", - "netd_aidl_interface-V8-cpp", "netd_event_listener_interface-V1-cpp", ], shared_libs: [ diff --git a/tests/Android.bp b/tests/Android.bp index 21830d6d..ff918cc1 100644 --- a/tests/Android.bp +++ b/tests/Android.bp @@ -37,7 +37,10 @@ cc_test_library { cc_test_library { name: "libnetd_test_unsol_service", - defaults: ["netd_defaults"], + defaults: [ + "netd_aidl_interface_lateststable_cpp_shared", + "netd_defaults", + ], srcs: [ "TestUnsolService.cpp" ], @@ -52,7 +55,6 @@ cc_test_library { "libnetutils", "libsysutils", "libutils", - "netd_aidl_interface-V8-cpp", ], } @@ -74,7 +76,10 @@ cc_test { "vts" ], require_root: true, - defaults: ["netd_defaults"], + defaults: [ + "netd_aidl_interface_lateststable_cpp_static", + "netd_defaults", + ], tidy: false, // cuts test build time by almost 1 minute srcs: [ ":netd_integration_test_shared", @@ -109,7 +114,6 @@ cc_test { "libnettestutils", "libtcutils", "mdns_aidl_interface-V1-cpp", - "netd_aidl_interface-V8-cpp", "netd_event_listener_interface-V1-cpp", "oemnetd_aidl_interface-cpp", ], diff --git a/tests/benchmarks/Android.bp b/tests/benchmarks/Android.bp index 95c00aa6..13c8105f 100644 --- a/tests/benchmarks/Android.bp +++ b/tests/benchmarks/Android.bp @@ -11,7 +11,10 @@ package { cc_benchmark { name: "netd_benchmark", - defaults: ["netd_defaults"], + defaults: [ + "netd_aidl_interface_lateststable_cpp_static", + "netd_defaults", + ], shared_libs: [ "libbase", "libbinder_ndk", @@ -23,7 +26,6 @@ cc_benchmark { static_libs: [ "libnetd_test_dnsresponder_ndk", "dnsresolver_aidl_interface-lateststable-ndk", - "netd_aidl_interface-lateststable-cpp", // system/netd/server/UidRanges.h "netd_aidl_interface-lateststable-ndk", "netd_event_listener_interface-lateststable-ndk", ], -- cgit v1.2.3 From d017856865a3b331e429727bec569ad03fbb04d7 Mon Sep 17 00:00:00 2001 From: Lorenzo Colitti Date: Thu, 16 Jun 2022 00:19:29 +0900 Subject: Use CLAT_MARK from the netd AIDL interface. Test: m Bug: 235778483 Change-Id: I8aa4a23bbf7ee81c0d2d11eb1854c91b2c39e9fb (cherry picked from commit 67a19cf8590077d5dcd3713b3dc656abfa11d80f) Merged-In: I8aa4a23bbf7ee81c0d2d11eb1854c91b2c39e9fb --- server/BandwidthController.cpp | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/server/BandwidthController.cpp b/server/BandwidthController.cpp index b076c875..8dba75a5 100644 --- a/server/BandwidthController.cpp +++ b/server/BandwidthController.cpp @@ -55,6 +55,7 @@ #include "FirewallController.h" /* For makeCriticalCommands */ #include "Fwmark.h" #include "NetdConstants.h" +#include "android/net/INetd.h" #include "bpf/BpfUtils.h" /* Alphabetical */ @@ -66,9 +67,6 @@ const char BandwidthController::LOCAL_RAW_PREROUTING[] = "bw_raw_PREROUTING"; const char BandwidthController::LOCAL_MANGLE_POSTROUTING[] = "bw_mangle_POSTROUTING"; const char BandwidthController::LOCAL_GLOBAL_ALERT[] = "bw_global_alert"; -// Sync from packages/modules/Connectivity/bpf_progs/clatd.c -#define CLAT_MARK 0xdeadc1a7 - auto BandwidthController::iptablesRestoreFunction = execIptablesRestoreWithOutput; using android::base::Join; @@ -76,6 +74,7 @@ using android::base::StartsWith; using android::base::StringAppendF; using android::base::StringPrintf; using android::net::FirewallController; +using android::net::INetd::CLAT_MARK; using android::netdutils::StatusOr; using android::netdutils::UniqueFile; -- cgit v1.2.3 From 771a9c4eeddee7cb5541492f66ae04d92eb0195c Mon Sep 17 00:00:00 2001 From: Hungming Chen Date: Tue, 26 Apr 2022 20:43:25 +0800 Subject: Remove NetdBinderTest#TetherOffload* tests Remove the test because TetherOffload* binder calls are deprecated. - TetherOffloadRule - TetherOffloadForwarding - DeprecatedTetherOffloadRuleAdd - DeprecatedTetherOffloadRuleRemove - DeprecatedTetherOffloadGetStats - DeprecatedTetherOffloadSetInterfaceQuota - DeprecatedTetherOffloadGetAndClearStats Bug: 212345928 Test: cd system/netd; atest Change-Id: Ie40bd51acc1297ff9ea326ac95a46057f8633017 (cherry picked from commit 84a71a4417ed62e0e187415a67240f0fac2ef32f) Merged-In: Ie40bd51acc1297ff9ea326ac95a46057f8633017 --- tests/binder_test.cpp | 303 -------------------------------------------------- 1 file changed, 303 deletions(-) diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp index ddd25c50..bc1e7393 100644 --- a/tests/binder_test.cpp +++ b/tests/binder_test.cpp @@ -3768,275 +3768,6 @@ TEST_F(NetdBinderTest, GetFwmarkForNetwork) { EXPECT_TRUE(mNetd->networkDestroy(TEST_NETID1).isOk()); } -namespace { - -TetherOffloadRuleParcel makeTetherOffloadRule(int inputInterfaceIndex, int outputInterfaceIndex, - const std::vector& destination, - int prefixLength, - const std::vector& srcL2Address, - const std::vector& dstL2Address, int pmtu) { - android::net::TetherOffloadRuleParcel parcel; - parcel.inputInterfaceIndex = inputInterfaceIndex; - parcel.outputInterfaceIndex = outputInterfaceIndex; - parcel.destination = destination; - parcel.prefixLength = prefixLength; - parcel.srcL2Address = srcL2Address; - parcel.dstL2Address = dstL2Address; - parcel.pmtu = pmtu; - return parcel; -} - -} // namespace - -// TODO: probably remove the test because TetherOffload* binder calls are deprecated. -TEST_F(NetdBinderTest, DISABLED_TetherOffloadRule) { - // TODO: Perhaps verify invalid interface index once the netd handle the error in methods. - constexpr uint32_t kIfaceInt = 101; - constexpr uint32_t kIfaceExt = 102; - constexpr uint32_t kIfaceNonExistent = 103; - - const std::vector kAddr6 = {0x20, 0x01, 0x0d, 0xb8, 0xca, 0xfe, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x88}; - const std::vector kSrcMac = {0x00, 0x00, 0x00, 0x00, 0x00, 0x0a}; - const std::vector kDstMac = {0x00, 0x00, 0x00, 0x00, 0x00, 0x0b}; - - const std::vector kInvalidAddr4 = {0xac, 0x0a, 0x0d, 0xb8}; // should be IPv6 address - const std::vector kInvalidMac = {0xde, 0xad, 0xbe, 0xef}; // should be 6-byte length - - // Invalid IP address, add rule - TetherOffloadRuleParcel rule = makeTetherOffloadRule( - kIfaceExt, kIfaceInt, kInvalidAddr4 /*bad*/, 128, kSrcMac, kDstMac, 1500); - auto status = mNetd->tetherOffloadRuleAdd(rule); - EXPECT_FALSE(status.isOk()); - EXPECT_EQ(EAFNOSUPPORT, status.serviceSpecificErrorCode()); - - // Invalid source L2 address, add rule - rule = makeTetherOffloadRule(kIfaceExt, kIfaceInt, kAddr6, 128, kInvalidMac /*bad*/, kDstMac, - 1500); - status = mNetd->tetherOffloadRuleAdd(rule); - EXPECT_FALSE(status.isOk()); - EXPECT_EQ(ENXIO, status.serviceSpecificErrorCode()); - - // Invalid destination L2 address, add rule - rule = makeTetherOffloadRule(kIfaceExt, kIfaceInt, kAddr6, 128, kSrcMac, kInvalidMac /*bad*/, - 1500); - status = mNetd->tetherOffloadRuleAdd(rule); - EXPECT_FALSE(status.isOk()); - EXPECT_EQ(ENXIO, status.serviceSpecificErrorCode()); - - // Invalid IP address, remove rule - rule = makeTetherOffloadRule(kIfaceExt, kIfaceInt, kInvalidAddr4 /*bad*/, 128, kSrcMac, kDstMac, - 1500); - status = mNetd->tetherOffloadRuleRemove(rule); - EXPECT_FALSE(status.isOk()); - EXPECT_EQ(EAFNOSUPPORT, status.serviceSpecificErrorCode()); - - // Invalid prefix length - rule = makeTetherOffloadRule(kIfaceExt, kIfaceInt, kAddr6, 64 /*bad*/, kSrcMac, kDstMac, 1500); - status = mNetd->tetherOffloadRuleAdd(rule); - EXPECT_FALSE(status.isOk()); - EXPECT_EQ(EINVAL, status.serviceSpecificErrorCode()); - status = mNetd->tetherOffloadRuleRemove(rule); - EXPECT_FALSE(status.isOk()); - EXPECT_EQ(EINVAL, status.serviceSpecificErrorCode()); - - // Invalid interface index - rule = makeTetherOffloadRule(kIfaceExt, 0, kAddr6, 128, kSrcMac, kDstMac, 1500); - status = mNetd->tetherOffloadRuleAdd(rule); - EXPECT_FALSE(status.isOk()); - EXPECT_EQ(ENODEV, status.serviceSpecificErrorCode()); - rule = makeTetherOffloadRule(0, kIfaceInt, kAddr6, 64, kSrcMac, kDstMac, 1500); - status = mNetd->tetherOffloadRuleRemove(rule); - EXPECT_FALSE(status.isOk()); - EXPECT_EQ(ENODEV, status.serviceSpecificErrorCode()); - - // Invalid pmtu (too low) - rule = makeTetherOffloadRule(kIfaceExt, kIfaceInt, kAddr6, 128, kSrcMac, kDstMac, 1279); - status = mNetd->tetherOffloadRuleAdd(rule); - EXPECT_FALSE(status.isOk()); - EXPECT_EQ(EINVAL, status.serviceSpecificErrorCode()); - - // Invalid pmtu (too high) - rule = makeTetherOffloadRule(kIfaceExt, kIfaceInt, kAddr6, 128, kSrcMac, kDstMac, 65536); - status = mNetd->tetherOffloadRuleAdd(rule); - EXPECT_FALSE(status.isOk()); - EXPECT_EQ(EINVAL, status.serviceSpecificErrorCode()); - - // Remove non existent rule. Expect that silently return success if the rule did not exist. - rule = makeTetherOffloadRule(kIfaceNonExistent, kIfaceInt, kAddr6, 128, kSrcMac, kDstMac, 1500); - EXPECT_TRUE(mNetd->tetherOffloadRuleRemove(rule).isOk()); - - // Add and remove rule normally. - rule = makeTetherOffloadRule(kIfaceExt, kIfaceInt, kAddr6, 128, kSrcMac, kDstMac, 1500); - EXPECT_TRUE(mNetd->tetherOffloadRuleAdd(rule).isOk()); - EXPECT_TRUE(mNetd->tetherOffloadRuleRemove(rule).isOk()); -} - -static bool expectPacket(int fd, uint8_t* ipPacket, ssize_t ipLen) { - constexpr bool kDebug = false; - - uint8_t buf[ETHER_HDR_LEN + 1500]; - - // Wait a bit to ensure that the packet we're interested in has arrived. - // TODO: speed this up. - usleep(100 * 1000); - - ssize_t bytesRead; - ssize_t expectedLen = ipLen + ETHER_HDR_LEN; - while ((bytesRead = read(fd, buf, sizeof(buf))) >= 0) { - if (kDebug) { - std::cerr << fmt::format( - "Expected: {:02x}\n Actual: {:02x}\n", - fmt::join(ipPacket, ipPacket + ipLen, " "), - fmt::join(buf + ETHER_HDR_LEN, buf + ETHER_HDR_LEN + ipLen, " ")); - } - - if (bytesRead != expectedLen) { - continue; - } - - if (!memcmp(ipPacket, buf + ETHER_HDR_LEN, ipLen)) { - return true; - } - } - - return false; -} - -static bool tcQdiscExists(const std::string& interface) { - std::string command = StringPrintf("tc qdisc show dev %s", interface.c_str()); - std::vector lines = runCommand(command); - for (const auto& line : lines) { - if (StartsWith(line, "qdisc clsact ffff:")) return true; - } - return false; -} - -static bool tcFilterExists(const std::string& interface) { - std::string command = StringPrintf("tc filter show dev %s ingress", interface.c_str()); - std::vector lines = runCommand(command); - const std::basic_regex regex("^filter .* bpf .* prog_offload_schedcls_tether_.*$"); - for (const auto& line : lines) { - if (std::regex_match(Trim(line), regex)) return true; - } - return false; -} - -// TODO: probably remove the test because TetherOffload* binder calls are deprecated. -TEST_F(NetdBinderTest, DISABLED_TetherOffloadForwarding) { - SKIP_IF_EXTENDED_BPF_NOT_SUPPORTED; - - constexpr const char* kDownstreamPrefix = "2001:db8:2::/64"; - - // 1500-byte packet. - constexpr unsigned short kPayloadLen = 1500 - sizeof(ipv6hdr); - struct packet { - ipv6hdr hdr; - char data[kPayloadLen]; - } __attribute__((packed)) pkt = { - .hdr = - { - .version = 6, - .payload_len = htons(kPayloadLen), - .nexthdr = 59, // No next header. - .hop_limit = 64, - .saddr = {{{0x20, 0x01, 0x0d, 0xb8, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}}}, - .daddr = {{{0x20, 0x01, 0x0d, 0xb8, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x0f, 0x00, 0xca, 0xfe}}}, - }, - }; - ASSERT_EQ(1500U, sizeof(pkt)); - - // Use one of the test's tun interfaces as upstream. - // It must be part of a network or it will not have the clsact attached. - const auto& config = makeNativeNetworkConfig(TEST_NETID1, NativeNetworkType::PHYSICAL, - INetd::PERMISSION_NONE, false, false); - EXPECT_TRUE(mNetd->networkCreate(config).isOk()); - EXPECT_TRUE(mNetd->networkAddInterface(TEST_NETID1, sTun.name()).isOk()); - int fd1 = sTun.getFdForTesting(); - EXPECT_TRUE(tcQdiscExists(sTun.name())); - - // Create our own tap as a downstream. - TunInterface tap; - ASSERT_EQ(0, tap.init(true /* isTap */)); - ASSERT_LE(tap.name().size(), static_cast(IFNAMSIZ)); - int fd2 = tap.getFdForTesting(); - - // Set it to nonblocking so that expectPacket can work. - int flags = fcntl(fd2, F_GETFL, 0); - fcntl(fd2, F_SETFL, flags | O_NONBLOCK); - - // Downstream interface setup. Add to local network, add directly-connected route, etc. - binder::Status status = mNetd->networkAddInterface(INetd::LOCAL_NET_ID, tap.name()); - EXPECT_TRUE(status.isOk()) << status.exceptionMessage(); - status = mNetd->tetherInterfaceAdd(tap.name()); - EXPECT_TRUE(status.isOk()) << status.exceptionMessage(); - expectTetherInterfaceConfigureForIPv6Router(tap.name()); - EXPECT_TRUE(tcQdiscExists(tap.name())); - - // Can't easily use INetd::NEXTHOP_NONE because it is a String16 constant. Use "" instead. - status = mNetd->networkAddRoute(INetd::LOCAL_NET_ID, tap.name(), kDownstreamPrefix, ""); - EXPECT_TRUE(status.isOk()) << status.exceptionMessage(); - - // Set up forwarding. All methods take intIface first and extIface second. - status = mNetd->tetherAddForward(tap.name(), sTun.name()); - EXPECT_TRUE(status.isOk()) << status.exceptionMessage(); - status = mNetd->ipfwdAddInterfaceForward(tap.name(), sTun.name()); - EXPECT_TRUE(status.isOk()) << status.exceptionMessage(); - EXPECT_TRUE(tcFilterExists(sTun.name())); - - std::vector kDummyMac = {02, 00, 00, 00, 00, 00}; - uint8_t* daddr = reinterpret_cast(&pkt.hdr.daddr); - std::vector dstAddr(daddr, daddr + sizeof(pkt.hdr.daddr)); - - TetherOffloadRuleParcel rule = makeTetherOffloadRule(sTun.ifindex(), tap.ifindex(), dstAddr, - 128, kDummyMac, kDummyMac, sizeof(pkt)); - status = mNetd->tetherOffloadRuleAdd(rule); - EXPECT_TRUE(status.isOk()) << status.exceptionMessage(); - - // Set data limit to one byte less than two packets. - // If you get rid of the '- 1' then the second packet will get forwarded - // and the EXPECT_FALSE(expectPacket(...)) a dozen lines down will fail. - status = mNetd->tetherOffloadSetInterfaceQuota(sTun.ifindex(), sizeof(pkt) * 2 - 1); - EXPECT_TRUE(status.isOk()) << status.exceptionMessage(); - - // Receive a packet on sTun. - EXPECT_EQ((ssize_t)sizeof(pkt), write(fd1, &pkt, sizeof(pkt))); - - // Expect a packet identical to pkt, except with a TTL of 63. - struct packet pkt2 = pkt; - ASSERT_EQ(1500U, sizeof(pkt2)); - pkt2.hdr.hop_limit = pkt.hdr.hop_limit - 1; - EXPECT_TRUE(expectPacket(fd2, (uint8_t*)&pkt2, sizeof(pkt2))); - - // Receive a second packet on sTun. - EXPECT_EQ((ssize_t)sizeof(pkt), write(fd1, &pkt, sizeof(pkt))); - - // Should fail to forward due to quota limit. - EXPECT_FALSE(expectPacket(fd2, (uint8_t*)&pkt2, sizeof(pkt2))); - - // Clean up. - EXPECT_TRUE(mNetd->tetherOffloadRuleRemove(rule).isOk()); - - TetherStatsParcel tetherStats; - EXPECT_TRUE(mNetd->tetherOffloadGetAndClearStats(sTun.ifindex(), &tetherStats).isOk()); - EXPECT_EQ("", tetherStats.iface); - EXPECT_EQ(static_cast(sizeof(pkt)), tetherStats.rxBytes); - EXPECT_EQ(1, tetherStats.rxPackets); - EXPECT_EQ(0, tetherStats.txBytes); - EXPECT_EQ(0, tetherStats.txPackets); - EXPECT_EQ(sTun.ifindex(), tetherStats.ifIndex); - - EXPECT_TRUE(mNetd->ipfwdRemoveInterfaceForward(tap.name(), sTun.name()).isOk()); - EXPECT_TRUE(mNetd->tetherRemoveForward(tap.name(), sTun.name()).isOk()); - EXPECT_TRUE(mNetd->networkRemoveRoute(INetd::LOCAL_NET_ID, tap.name(), kDownstreamPrefix, "") - .isOk()); - EXPECT_TRUE(mNetd->tetherInterfaceRemove(tap.name()).isOk()); - EXPECT_TRUE(mNetd->networkRemoveInterface(INetd::LOCAL_NET_ID, tap.name()).isOk()); - EXPECT_TRUE(mNetd->networkRemoveInterface(TEST_NETID1, sTun.name()).isOk()); -} - TEST_F(NetdBinderTest, TestServiceDump) { sp binder = INetd::asBinder(mNetd); ASSERT_NE(nullptr, binder); @@ -4118,40 +3849,6 @@ TEST_F(NetdBinderTest, TestServiceDump) { } } -TEST_F(NetdBinderTest, DeprecatedTetherOffloadRuleAdd) { - TetherOffloadRuleParcel emptyRule; - auto status = mNetd->tetherOffloadRuleAdd(emptyRule); - ASSERT_FALSE(status.isOk()); - ASSERT_EQ(status.exceptionCode(), binder::Status::EX_UNSUPPORTED_OPERATION); -} - -TEST_F(NetdBinderTest, DeprecatedTetherOffloadRuleRemove) { - TetherOffloadRuleParcel emptyRule; - auto status = mNetd->tetherOffloadRuleRemove(emptyRule); - ASSERT_FALSE(status.isOk()); - ASSERT_EQ(status.exceptionCode(), binder::Status::EX_UNSUPPORTED_OPERATION); -} - -TEST_F(NetdBinderTest, DeprecatedTetherOffloadGetStats) { - std::vector tetherStatsList; - auto status = mNetd->tetherOffloadGetStats(&tetherStatsList); - ASSERT_FALSE(status.isOk()); - ASSERT_EQ(status.exceptionCode(), binder::Status::EX_UNSUPPORTED_OPERATION); -} - -TEST_F(NetdBinderTest, DeprecatedTetherOffloadSetInterfaceQuota) { - auto status = mNetd->tetherOffloadSetInterfaceQuota(0 /* ifIndex */, 0 /* quotaBytes */); - ASSERT_FALSE(status.isOk()); - ASSERT_EQ(status.exceptionCode(), binder::Status::EX_UNSUPPORTED_OPERATION); -} - -TEST_F(NetdBinderTest, DeprecatedTetherOffloadGetAndClearStats) { - TetherStatsParcel tetherStats; - auto status = mNetd->tetherOffloadGetAndClearStats(0 /* ifIndex */, &tetherStats); - ASSERT_FALSE(status.isOk()); - ASSERT_EQ(status.exceptionCode(), binder::Status::EX_UNSUPPORTED_OPERATION); -} - namespace { // aliases for better reading -- cgit v1.2.3