diff options
| author | Benedict Wong <benedictwong@google.com> | 2018-09-18 17:16:10 -0700 |
|---|---|---|
| committer | Benedict Wong <benedictwong@google.com> | 2018-11-22 03:39:54 +0000 |
| commit | d8b6a38997944e92eccbaa3071fe06f7034fd435 (patch) | |
| tree | 778ec4c9d1b312d4ae55f9ac281b97982b1cc8d6 /server/XfrmController.cpp | |
| parent | 0fba37baac4d439d557b7b54dcc67e67ac9af155 (diff) | |
| download | platform_system_netd-d8b6a38997944e92eccbaa3071fe06f7034fd435.tar.gz platform_system_netd-d8b6a38997944e92eccbaa3071fe06f7034fd435.tar.bz2 platform_system_netd-d8b6a38997944e92eccbaa3071fe06f7034fd435.zip | |
Always set additional fwmark bits in output mark
This change always selects the protectFromVpn explicitlySelected and
permission bits in the output mark of any tunnel mode SAs. This ensures
that IWLAN and other telephony traffic does not get funneled through
VPNs.
Bug: 116035464
Test: Binder, unit tests passing.
Change-Id: I873e287e0919c05772a39119c88bd358552232a1
Diffstat (limited to 'server/XfrmController.cpp')
| -rw-r--r-- | server/XfrmController.cpp | 37 |
1 files changed, 26 insertions, 11 deletions
diff --git a/server/XfrmController.cpp b/server/XfrmController.cpp index 4ac45c0a7..c27342e04 100644 --- a/server/XfrmController.cpp +++ b/server/XfrmController.cpp @@ -44,14 +44,6 @@ #include <linux/xfrm.h> #define LOG_TAG "XfrmController" -#include "InterfaceController.h" -#include "NetdConstants.h" -#include "NetlinkCommands.h" -#include "ResponseCode.h" -#include "XfrmController.h" -#include "netdutils/Fd.h" -#include "netdutils/Slice.h" -#include "netdutils/Syscalls.h" #include <android-base/properties.h> #include <android-base/stringprintf.h> #include <android-base/strings.h> @@ -61,6 +53,16 @@ #include <log/log.h> #include <log/log_properties.h> #include <logwrap/logwrap.h> +#include "Fwmark.h" +#include "InterfaceController.h" +#include "NetdConstants.h" +#include "NetlinkCommands.h" +#include "Permission.h" +#include "ResponseCode.h" +#include "XfrmController.h" +#include "netdutils/Fd.h" +#include "netdutils/Slice.h" +#include "netdutils/Syscalls.h" using android::net::INetd; using android::netdutils::Fd; @@ -1213,14 +1215,27 @@ int XfrmController::fillNlAttrXfrmMark(const XfrmCommonInfo& record, nlattr_xfrm return len; } -int XfrmController::fillNlAttrXfrmOutputMark(const __u32 output_mark_value, +// This function sets the output mark (or set-mark in newer kernels) to that of the underlying +// Network's netid. This allows outbound IPsec Tunnel mode packets to be correctly directed to a +// preselected underlying Network. Packet as marked as protected from VPNs and have a network +// explicitly selected to prevent interference or routing loops. Also set permission flag to +// PERMISSION_SYSTEM to ensure we can use background/restricted networks. +int XfrmController::fillNlAttrXfrmOutputMark(const __u32 underlyingNetId, nlattr_xfrm_output_mark* output_mark) { // Do not set if we were not given an output mark - if (output_mark_value == 0) { + if (underlyingNetId == 0) { return 0; } - output_mark->outputMark = output_mark_value; + Fwmark fwmark; + fwmark.netId = underlyingNetId; + + // TODO: Rework this to more accurately follow the underlying network + fwmark.permission = PERMISSION_SYSTEM; + fwmark.explicitlySelected = true; + fwmark.protectedFromVpn = true; + output_mark->outputMark = fwmark.intValue; + int len = NLA_HDRLEN + sizeof(__u32); fillXfrmNlaHdr(&output_mark->hdr, XFRMA_OUTPUT_MARK, len); return len; |