Bypass VPN lockdown for clat initialization

This allows clat to initialize properly when VPNs are configured
with "Block connections without VPN", instead of erroring out with
"no IPv6 addresses were available for clat".

This issue primarily affects particular mobile networks configured
with NAT64 (without direct IPv4 connectivity).

Bug: 255040839
Change-Id: I4a8ee0295e0f5d1e330f7529856347b8bd10360c
diff --git a/service/native/libs/libclat/clatutils.cpp b/service/native/libs/libclat/clatutils.cpp
index 4a125ba..be86612 100644
--- a/service/native/libs/libclat/clatutils.cpp
+++ b/service/native/libs/libclat/clatutils.cpp
@@ -126,10 +126,19 @@
 
 // Picks a random interface ID that is checksum neutral with the IPv4 address and the NAT64 prefix.
 int generateIpv6Address(const char* iface, const in_addr v4, const in6_addr& nat64Prefix,
-                        in6_addr* v6) {
+                        in6_addr* v6, uint32_t mark) {
     int s = socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0);
     if (s == -1) return -errno;
 
+    // Socket's mark affects routing decisions (network selection)
+    // An fwmark is necessary for clat to bypass the VPN during initialization.
+    if ((mark != MARK_UNSET) && setsockopt(s, SOL_SOCKET, SO_MARK, &mark, sizeof(mark))) {
+        int ret = errno;
+        ALOGE("setsockopt(SOL_SOCKET, SO_MARK) failed: %s", strerror(errno));
+        close(s);
+        return -ret;
+    }
+
     if (setsockopt(s, SOL_SOCKET, SO_BINDTODEVICE, iface, strlen(iface) + 1) == -1) {
         close(s);
         return -errno;
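Review bot: The comment above the new `setsockopt(s, SOL_SOCKET, SO_MARK, ...)` call says the fwmark is needed to bypass the VPN, but it does not say what keeps that bypass narrow, and `mark` arrives as a plain `uint32_t` that this hunk does not validate. Because the commit's stated purpose is to route this socket outside the lockdown rules, I would document the contract at the signature, e.g. `// mark: fwmark of the underlying network, chosen by the trusted caller; MARK_UNSET leaves the socket unmarked. The marked socket is for source-address selection only.` The last sentence of that comment is an assumption to confirm, because the rest of generateIpv6Address lies outside the hunk and the socket's later use is not visible here. As a smaller point, the log line could use the saved value, `strerror(ret)`. The SO_BINDTODEVICE branch just below still returns `-errno` after `close(s)`, which may overwrite errno, so it would benefit from the same save-first pattern the new block uses.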