platform_system_netd/server/XfrmController.cpp, branch master Unnamed repository; edit this file 'description' to name the repository. Reset firewall mark after IPsec decryption 2021-04-27T19:03:41+00:00 Benedict Wong benedictwong@google.com 2021-04-20T07:07:13+00:00 73119c28bb6c334c728536e0ff51ff988a8f08da This change ensures that the firewall marks post-decryption are reset, due to routing rules not handling decapsulated packets properly. At present, forwarding rules (and a few others) expect the inbound network to be clear, and not have a network explicitly selected. However, because IPsec traffic routes through the filter_INPUT chain before being decrypted, the input interface is stamped onto it for packet mirroring purposes (ICMP/TCP acks, etc), and no longer matches the relevant rules for forwarding decapsulated IPsec packets. Bug: 185495453 Test: atest FrameworksVcnTests Test: atest CtsNetTestCases:IpSecManagerTunnelTest Test: atest CtsNetTestCases:IpSecManagerTest Test: atest Ikev2VpnTest Test: atest CtsIkeTestCases Change-Id: Ib47d53c3e53295667a8d4645b8937eb834278026 
This change ensures that the firewall marks post-decryption are reset,
due to routing rules not handling decapsulated packets properly.

At present, forwarding rules (and a few others) expect the inbound
network to be clear, and not have a network explicitly selected.
However, because IPsec traffic routes through the filter_INPUT chain
before being decrypted, the input interface is stamped onto it for
packet mirroring purposes (ICMP/TCP acks, etc), and no longer matches
the relevant rules for forwarding decapsulated IPsec packets.

Bug: 185495453
Test: atest FrameworksVcnTests
Test: atest CtsNetTestCases:IpSecManagerTunnelTest
Test: atest CtsNetTestCases:IpSecManagerTest
Test: atest Ikev2VpnTest
Test: atest CtsIkeTestCases
Change-Id: Ib47d53c3e53295667a8d4645b8937eb834278026
Add XFRM_MIGRATE support in XfrmController 2021-03-15T18:00:10+00:00 Nathan Harold nharold@google.com 2021-02-05T23:30:47+00:00 471892107bda44baf6ced60bbe79e7f7656cafff This commit adds support for migrating an IPsec tunnel mode SA to a different source and destination address. Bug: 169170985 Test: verified in the following CL Change-Id: I35c8259104a39ce5b2272d561c2c0f1b3172535e 
This commit adds support for migrating an IPsec tunnel mode SA
to a different source and destination address.

Bug: 169170985
Test: verified in the following CL
Change-Id: I35c8259104a39ce5b2272d561c2c0f1b3172535e
Store XfrmDirection in XfrmSpInfo 2021-03-11T06:41:24+00:00 Nathan Harold nharold@google.com 2021-02-05T23:30:47+00:00 a5d6c9de20f8634ae1290dc85bb0baedc2fb2d88 XfrmDirection and XfrmSpInfo are always used together. This commit stores the XfrmDirection in XfrmSpInfo to make the code cleaner. This commit is also a preparation for the following CL to add XfrmMigrate support. Bug: 169170985 Test: atest netd_integration_test Change-Id: I4b9a6778fc09b3e473336d2f8b9053c98950bfd2 
XfrmDirection and XfrmSpInfo are always used together. This commit
stores the XfrmDirection in XfrmSpInfo to make the code cleaner.
This commit is also a preparation for the following CL to add
XfrmMigrate support.

Bug: 169170985
Test: atest netd_integration_test
Change-Id: I4b9a6778fc09b3e473336d2f8b9053c98950bfd2
Move Address Pair to Separate Struct 2021-03-11T06:41:15+00:00 Nathan Harold nharold@google.com 2021-02-05T23:12:49+00:00 df59bc0c1b84dd6f9eb14696ea93d6b4d6bf3e0e This will make it easier to build Xfrm Migrate Struct in the followup commit. Bug: 169170985 Test: atest netd_integration_test Change-Id: I2a249eaa6bfac8f67eaa814d45c35e03b1dbb556 
This will make it easier to build Xfrm Migrate Struct
in the followup commit.

Bug: 169170985
Test: atest netd_integration_test
Change-Id: I2a249eaa6bfac8f67eaa814d45c35e03b1dbb556
XfrmController - fix bugprone-sizeof-expression warning 2020-04-22T16:54:42+00:00 Maciej Żenczykowski maze@google.com 2020-04-22T16:44:19+00:00 322c9ee5fde89607c0b33aa9d765aed36ee4358a Fixes: system/netd/server/XfrmController.cpp:1280:12: warning: suspicious usage of 'sizeof(A*)'; pointer to aggregate [bugprone-sizeof-expression] Test: builds Bug: 153035880 Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: If3d37a22412b1a08e0356b7a36c038a37c946ed7 
Fixes:
  system/netd/server/XfrmController.cpp:1280:12: warning: suspicious usage of 'sizeof(A*)'; pointer to aggregate [bugprone-sizeof-expression]

Test: builds
Bug: 153035880
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: If3d37a22412b1a08e0356b7a36c038a37c946ed7
Use Linux default replay window for IPsec 2019-10-28T20:34:50+00:00 Benedict Wong benedictwong@google.com 2019-10-18T19:07:33+00:00 1969e53a7da6fcd999718fc76c3c3e3308a810c6 Replay window size allows for improved of an IPsec SA over L2 links that may experience out-of-order delivery. Relaxing the replay window size does NOT impact the security guarantees provided by IPsec, as it still rejects replayed packets. If an attacker has the keys to generate the older packets, they would likewise have the keys to generate newer packets. Impact of increasing the replay window size is primarily the memory usage required, and thus should not be increased too high. The Linux kernel uses 32 by default, and without a strong reason to clamp this down to 4 (which would make the SA more lossy), we should maintain the Linux default. Bug: 142967324 Test: Tests passing Change-Id: Iabebbf139ab73e52a9b8c9367f585f105d58689d 
Replay window size allows for improved of an IPsec SA over L2 links
that may experience out-of-order delivery.

Relaxing the replay window size does NOT impact the security guarantees
provided by IPsec, as it still rejects replayed packets. If an attacker
has the keys to generate the older packets, they would likewise have the
keys to generate newer packets.

Impact of increasing the replay window size is primarily the memory
usage required, and thus should not be increased too high.

The Linux kernel uses 32 by default, and without a strong reason to
clamp this down to 4 (which would make the SA more lossy), we should
maintain the Linux default.

Bug: 142967324
Test: Tests passing
Change-Id: Iabebbf139ab73e52a9b8c9367f585f105d58689d
Remove unused deps on liblogwrap 2019-06-05T07:22:44+00:00 Bernie Innocenti codewiz@google.com 2019-06-05T06:27:46+00:00 80ffd0f46ad9ebdfe9d401d58215d2c54ed3f88a Nothing seems to be calling into it, so it can probably go. Test: rebuild everything, then run atest Change-Id: I6e446f98decd708f59e5994fa10f77be4476d02f 
Nothing seems to be calling into it, so it can probably go.

Test: rebuild everything, then run atest
Change-Id: I6e446f98decd708f59e5994fa10f77be4476d02f
Move ResponseCode to libnetdutils 2019-04-02T12:49:23+00:00 Mike Yu yumike@google.com 2019-03-13T06:43:39+00:00 f0e019f6253b44b4d4c255030a06f95bd0dfb17f ResponseCode is necessary for libnetd_resolv, move it to libnetdutils to ease the cleanup of the include path system/netd/server for libnetd_resolv. Bug: 128662167 Test: system/netd/tests/runtests.sh passed Change-Id: Iae22cc6b4c642a190294fa4ce0ae406434e7ac3d 
ResponseCode is necessary for libnetd_resolv, move it to libnetdutils
to ease the cleanup of the include path system/netd/server for
libnetd_resolv.

Bug: 128662167
Test: system/netd/tests/runtests.sh passed

Change-Id: Iae22cc6b4c642a190294fa4ce0ae406434e7ac3d
Move DumpWriter to libnetdutils 2019-03-15T05:39:32+00:00 Luke Huang huangluke@google.com 2019-03-14T13:19:13+00:00 b257d61cd55c00a50d1eaaf4e7fcf436185c9a2c resolver related component in libnetd_resolv needs it to easily print dump log. Bug: 122564854 Test: built, flashed, booted system/netd/tests/runtests.sh pass adb shell dumpsys netd, worked fine Change-Id: Ic97d5f21b738fc3074e9308f4846191e744ed479 
resolver related component in libnetd_resolv
needs it to easily print dump log.

Bug: 122564854
Test: built, flashed, booted
      system/netd/tests/runtests.sh pass
      adb shell dumpsys netd, worked fine

Change-Id: Ic97d5f21b738fc3074e9308f4846191e744ed479
Use ParcelFileDescriptor instead of FileDescriptor in INetd.aidl 2018-12-03T03:25:26+00:00 Luke Huang huangluke@google.com 2018-11-23T03:47:28+00:00 e203a154cf1ae3d9b57bd18f672fc0865195a218 Stable aidl won't support FileDescriptor but ParcelFileDescriptor. In order to migrate to stable aidl, replace all FileDescriptor in INdetd.aidl. Test: built, flashed, booted system/netd/tests/runtests.sh passes Change-Id: I331626346959f127b4c1cb2ece33db37cb8dc550 
Stable aidl won't support FileDescriptor but ParcelFileDescriptor.
In order to migrate to stable aidl, replace all FileDescriptor in
INdetd.aidl.

Test: built, flashed, booted
      system/netd/tests/runtests.sh passes

Change-Id: I331626346959f127b4c1cb2ece33db37cb8dc550