Merge changes Id2a6bfdf,I5cab2b78
* changes:
Remove qtaguid support in NetworkStatsFactory
Refactor NetworkStatsFactoryTest
diff --git a/TEST_MAPPING b/TEST_MAPPING
index 4774866..1e8babf 100644
--- a/TEST_MAPPING
+++ b/TEST_MAPPING
@@ -36,6 +36,17 @@
},
// CTS tests that target older SDKs.
{
+ "name": "CtsNetTestCasesMaxTargetSdk30",
+ "options": [
+ {
+ "exclude-annotation": "com.android.testutils.SkipPresubmit"
+ },
+ {
+ "exclude-annotation": "androidx.test.filters.RequiresDevice"
+ }
+ ]
+ },
+ {
"name": "CtsNetTestCasesMaxTargetSdk31",
"options": [
{
@@ -103,6 +114,17 @@
]
},
{
+ "name": "CtsNetTestCasesMaxTargetSdk30[CaptivePortalLoginGoogle.apk+NetworkStackGoogle.apk+com.google.android.resolv.apex+com.google.android.tethering.apex]",
+ "options": [
+ {
+ "exclude-annotation": "com.android.testutils.SkipPresubmit"
+ },
+ {
+ "exclude-annotation": "androidx.test.filters.RequiresDevice"
+ }
+ ]
+ },
+ {
"name": "CtsNetTestCasesMaxTargetSdk31[CaptivePortalLoginGoogle.apk+NetworkStackGoogle.apk+com.google.android.resolv.apex+com.google.android.tethering.apex]",
"options": [
{
diff --git a/Tethering/apex/Android.bp b/Tethering/apex/Android.bp
index a7028b7..60b4e91 100644
--- a/Tethering/apex/Android.bp
+++ b/Tethering/apex/Android.bp
@@ -108,7 +108,10 @@
androidManifest: "AndroidManifest.xml",
- compat_configs: ["connectivity-platform-compat-config"],
+ compat_configs: [
+ "connectivity-platform-compat-config",
+ "connectivity-t-platform-compat-config",
+ ],
}
apex_key {
diff --git a/Tethering/tests/integration/src/android/net/EthernetTetheringTest.java b/Tethering/tests/integration/src/android/net/EthernetTetheringTest.java
index a2385c8..06586e2 100644
--- a/Tethering/tests/integration/src/android/net/EthernetTetheringTest.java
+++ b/Tethering/tests/integration/src/android/net/EthernetTetheringTest.java
@@ -86,7 +86,6 @@
import com.android.net.module.util.bpf.TetherStatsValue;
import com.android.net.module.util.structs.Ipv6Header;
import com.android.testutils.DevSdkIgnoreRule;
-import com.android.testutils.DevSdkIgnoreRule.IgnoreAfter;
import com.android.testutils.DevSdkIgnoreRule.IgnoreUpTo;
import com.android.testutils.DeviceInfoUtils;
import com.android.testutils.DumpTestUtils;
@@ -798,8 +797,7 @@
}
private void runPing6Test(TetheringTester tester) throws Exception {
- TetheredDevice tethered = tester.createTetheredDevice(MacAddress.fromString("1:2:3:4:5:6"),
- true /* hasIpv6 */);
+ TetheredDevice tethered = tester.createTetheredDevice(TEST_MAC, true /* hasIpv6 */);
Inet6Address remoteIp6Addr = (Inet6Address) parseNumericAddress("2400:222:222::222");
ByteBuffer request = Ipv6Utils.buildEchoRequestPacket(tethered.macAddr,
tethered.routerMacAddr, tethered.ipv6Addr, remoteIp6Addr);
@@ -839,12 +837,10 @@
private static final short ID = 27149;
private static final short FLAGS_AND_FRAGMENT_OFFSET = (short) 0x4000; // flags=DF, offset=0
private static final byte TIME_TO_LIVE = (byte) 0x40;
- private static final ByteBuffer PAYLOAD =
+ private static final ByteBuffer RX_PAYLOAD =
ByteBuffer.wrap(new byte[] { (byte) 0x12, (byte) 0x34 });
- private static final ByteBuffer PAYLOAD2 =
+ private static final ByteBuffer TX_PAYLOAD =
ByteBuffer.wrap(new byte[] { (byte) 0x56, (byte) 0x78 });
- private static final ByteBuffer PAYLOAD3 =
- ByteBuffer.wrap(new byte[] { (byte) 0x9a, (byte) 0xbc });
@NonNull
private ByteBuffer buildUdpPacket(
@@ -916,29 +912,43 @@
}
private void sendDownloadPacketUdp(@NonNull final InetAddress srcIp,
- @NonNull final InetAddress dstIp, @NonNull final TetheringTester tester)
- throws Exception {
- final ByteBuffer testPacket = buildUdpPacket(null /* srcMac */, null /* dstMac */,
- srcIp, dstIp, REMOTE_PORT /* srcPort */, LOCAL_PORT /* dstPort */, PAYLOAD);
+ @NonNull final InetAddress dstIp, @NonNull final TetheringTester tester,
+ boolean is6To4) throws Exception {
+ if (is6To4) {
+ assertFalse("CLAT download test must sends IPv6 packet", isAddressIpv4(srcIp, dstIp));
+ }
+ // Expected received UDP packet IP protocol. While testing CLAT (is6To4 = true), the packet
+ // on downstream must be IPv4. Otherwise, the IP protocol of test packet is the same on
+ // both downstream and upstream.
+ final boolean isIpv4 = is6To4 ? true : isAddressIpv4(srcIp, dstIp);
+
+ final ByteBuffer testPacket = buildUdpPacket(srcIp, dstIp, REMOTE_PORT /* srcPort */,
+ LOCAL_PORT /* dstPort */, RX_PAYLOAD);
tester.verifyDownload(testPacket, p -> {
Log.d(TAG, "Packet in downstream: " + dumpHexString(p));
- return isExpectedUdpPacket(p, true /* hasEther */, isAddressIpv4(srcIp, dstIp),
- PAYLOAD);
+ return isExpectedUdpPacket(p, true /* hasEther */, isIpv4, RX_PAYLOAD);
});
}
private void sendUploadPacketUdp(@NonNull final MacAddress srcMac,
@NonNull final MacAddress dstMac, @NonNull final InetAddress srcIp,
- @NonNull final InetAddress dstIp, @NonNull final TetheringTester tester)
- throws Exception {
- final ByteBuffer testPacket = buildUdpPacket(srcMac, dstMac, srcIp, dstIp,
- LOCAL_PORT /* srcPort */, REMOTE_PORT /* dstPort */, PAYLOAD2);
+ @NonNull final InetAddress dstIp, @NonNull final TetheringTester tester,
+ boolean is4To6) throws Exception {
+ if (is4To6) {
+ assertTrue("CLAT upload test must sends IPv4 packet", isAddressIpv4(srcIp, dstIp));
+ }
+ // Expected received UDP packet IP protocol. While testing CLAT (is4To6 = true), the packet
+ // on upstream must be IPv6. Otherwise, the IP protocol of test packet is the same on
+ // both downstream and upstream.
+ final boolean isIpv4 = is4To6 ? false : isAddressIpv4(srcIp, dstIp);
+
+ final ByteBuffer testPacket = buildUdpPacket(srcMac, dstMac, srcIp, dstIp,
+ LOCAL_PORT /* srcPort */, REMOTE_PORT /* dstPort */, TX_PAYLOAD);
tester.verifyUpload(testPacket, p -> {
Log.d(TAG, "Packet in upstream: " + dumpHexString(p));
- return isExpectedUdpPacket(p, false /* hasEther */, isAddressIpv4(srcIp, dstIp),
- PAYLOAD2);
+ return isExpectedUdpPacket(p, false /* hasEther */, isIpv4, TX_PAYLOAD);
});
}
@@ -948,8 +958,8 @@
toList(TEST_IP6_DNS));
final TetheredDevice tethered = tester.createTetheredDevice(TEST_MAC, true /* hasIpv6 */);
sendUploadPacketUdp(tethered.macAddr, tethered.routerMacAddr,
- tethered.ipv6Addr, REMOTE_IP6_ADDR, tester);
- sendDownloadPacketUdp(REMOTE_IP6_ADDR, tethered.ipv6Addr, tester);
+ tethered.ipv6Addr, REMOTE_IP6_ADDR, tester, false /* is4To6 */);
+ sendDownloadPacketUdp(REMOTE_IP6_ADDR, tethered.ipv6Addr, tester, false /* is6To4 */);
// TODO: test BPF offload maps {rule, stats}.
}
@@ -985,9 +995,10 @@
return null;
}
- private void runUdp4Test(TetheringTester tester, boolean usingBpf) throws Exception {
- final TetheredDevice tethered = tester.createTetheredDevice(MacAddress.fromString(
- "1:2:3:4:5:6"), false /* hasIpv6 */);
+ private void runUdp4Test(boolean verifyBpf) throws Exception {
+ final TetheringTester tester = initTetheringTester(toList(TEST_IP4_ADDR),
+ toList(TEST_IP4_DNS));
+ final TetheredDevice tethered = tester.createTetheredDevice(TEST_MAC, false /* hasIpv6 */);
// TODO: remove the connectivity verification for upstream connected notification race.
// Because async upstream connected notification can't guarantee the tethering routing is
@@ -997,27 +1008,15 @@
// refactors upstream connected notification from async to sync.
probeV4TetheringConnectivity(tester, tethered, false /* is4To6 */);
- // Send a UDP packet in original direction.
- final ByteBuffer originalPacket = buildUdpPacket(tethered.macAddr,
- tethered.routerMacAddr, tethered.ipv4Addr /* srcIp */,
- REMOTE_IP4_ADDR /* dstIp */, LOCAL_PORT /* srcPort */, REMOTE_PORT /* dstPort */,
- PAYLOAD /* payload */);
- tester.verifyUpload(originalPacket, p -> {
- Log.d(TAG, "Packet in upstream: " + dumpHexString(p));
- return isExpectedUdpPacket(p, false /* hasEther */, true /* isIpv4 */, PAYLOAD);
- });
+ final MacAddress srcMac = tethered.macAddr;
+ final MacAddress dstMac = tethered.routerMacAddr;
+ final InetAddress remoteIp = REMOTE_IP4_ADDR;
+ final InetAddress tetheringUpstreamIp = TEST_IP4_ADDR.getAddress();
+ final InetAddress clientIp = tethered.ipv4Addr;
+ sendUploadPacketUdp(srcMac, dstMac, clientIp, remoteIp, tester, false /* is4To6 */);
+ sendDownloadPacketUdp(remoteIp, tetheringUpstreamIp, tester, false /* is6To4 */);
- // Send a UDP packet in reply direction.
- final Inet4Address publicIp4Addr = (Inet4Address) TEST_IP4_ADDR.getAddress();
- final ByteBuffer replyPacket = buildUdpPacket(REMOTE_IP4_ADDR /* srcIp */,
- publicIp4Addr /* dstIp */, REMOTE_PORT /* srcPort */, LOCAL_PORT /* dstPort */,
- PAYLOAD2 /* payload */);
- tester.verifyDownload(replyPacket, p -> {
- Log.d(TAG, "Packet in downstream: " + dumpHexString(p));
- return isExpectedUdpPacket(p, true /* hasEther */, true /* isIpv4 */, PAYLOAD2);
- });
-
- if (usingBpf) {
+ if (verifyBpf) {
// Send second UDP packet in original direction.
// The BPF coordinator only offloads the ASSURED conntrack entry. The "request + reply"
// packets can make status IPS_SEEN_REPLY to be set. Need one more packet to make
@@ -1027,14 +1026,7 @@
// See kernel upstream commit b7b1d02fc43925a4d569ec221715db2dfa1ce4f5 and
// nf_conntrack_udp_packet in net/netfilter/nf_conntrack_proto_udp.c
Thread.sleep(UDP_STREAM_TS_MS);
- final ByteBuffer originalPacket2 = buildUdpPacket(tethered.macAddr,
- tethered.routerMacAddr, tethered.ipv4Addr /* srcIp */,
- REMOTE_IP4_ADDR /* dstIp */, LOCAL_PORT /* srcPort */,
- REMOTE_PORT /* dstPort */, PAYLOAD3 /* payload */);
- tester.verifyUpload(originalPacket2, p -> {
- Log.d(TAG, "Packet in upstream: " + dumpHexString(p));
- return isExpectedUdpPacket(p, false /* hasEther */, true /* isIpv4 */, PAYLOAD3);
- });
+ sendUploadPacketUdp(srcMac, dstMac, clientIp, remoteIp, tester, false /* is4To6 */);
// [1] Verify IPv4 upstream rule map.
final HashMap<Tether4Key, Tether4Value> upstreamMap = pollRawMapFromDump(
@@ -1053,7 +1045,7 @@
assertEquals(REMOTE_PORT, upstream4Key.dstPort);
final Tether4Value upstream4Value = rule.getValue();
- assertTrue(Arrays.equals(publicIp4Addr.getAddress(),
+ assertTrue(Arrays.equals(tetheringUpstreamIp.getAddress(),
InetAddress.getByAddress(upstream4Value.src46).getAddress()));
assertEquals(LOCAL_PORT, upstream4Value.srcPort);
assertTrue(Arrays.equals(REMOTE_IP4_ADDR.getAddress(),
@@ -1067,18 +1059,13 @@
// Send packets on original direction.
for (int i = 0; i < TX_UDP_PACKET_COUNT; i++) {
- tester.verifyUpload(originalPacket, p -> {
- Log.d(TAG, "Packet in upstream: " + dumpHexString(p));
- return isExpectedUdpPacket(p, false /* hasEther */, true /* isIpv4 */, PAYLOAD);
- });
+ sendUploadPacketUdp(srcMac, dstMac, clientIp, remoteIp, tester,
+ false /* is4To6 */);
}
// Send packets on reply direction.
for (int i = 0; i < RX_UDP_PACKET_COUNT; i++) {
- tester.verifyDownload(replyPacket, p -> {
- Log.d(TAG, "Packet in downstream: " + dumpHexString(p));
- return isExpectedUdpPacket(p, true /* hasEther */, true /* isIpv4 */, PAYLOAD2);
- });
+ sendDownloadPacketUdp(remoteIp, tetheringUpstreamIp, tester, false /* is6To4 */);
}
// Dump stats map to verify.
@@ -1137,13 +1124,6 @@
return new TetheringTester(mDownstreamReader, mUpstreamReader);
}
- @Test
- @IgnoreAfter(Build.VERSION_CODES.R)
- public void testTetherUdpV4UpToR() throws Exception {
- runUdp4Test(initTetheringTester(toList(TEST_IP4_ADDR), toList(TEST_IP4_DNS)),
- false /* usingBpf */);
- }
-
private static boolean isUdpOffloadSupportedByKernel(final String kernelVersion) {
final KVersion current = DeviceInfoUtils.getMajorMinorSubminorVersion(kernelVersion);
return current.isInRange(new KVersion(4, 14, 222), new KVersion(4, 19, 0))
@@ -1170,24 +1150,47 @@
assertTrue(isUdpOffloadSupportedByKernel("5.10.0"));
}
- // TODO: refactor test testTetherUdpV4* into IPv4 UDP non-offload and offload tests.
- // That can be easier to know which feature is verified from test results.
+ private static void assumeKernelSupportBpfOffloadUdpV4() {
+ final String kernelVersion = VintfRuntimeInfo.getKernelVersion();
+ assumeTrue("Kernel version " + kernelVersion + " doesn't support IPv4 UDP BPF offload",
+ isUdpOffloadSupportedByKernel(kernelVersion));
+ }
+
+ @Test
+ public void testKernelSupportBpfOffloadUdpV4() throws Exception {
+ assumeKernelSupportBpfOffloadUdpV4();
+ }
+
+ @Test
+ public void testTetherConfigBpfOffloadEnabled() throws Exception {
+ assumeTrue(isTetherConfigBpfOffloadEnabled());
+ }
+
+ /**
+ * Basic IPv4 UDP tethering test. Verify that UDP tethered packets are transferred no matter
+ * using which data path.
+ */
+ @Test
+ public void testTetherUdpV4() throws Exception {
+ runUdp4Test(false /* verifyBpf */);
+ }
+
+ /**
+ * BPF offload IPv4 UDP tethering test. Verify that UDP tethered packets are offloaded by BPF.
+ * Minimum test requirement:
+ * 1. S+ device.
+ * 2. Tethering config enables tethering BPF offload.
+ * 3. Kernel supports IPv4 UDP BPF offload. See #isUdpOffloadSupportedByKernel.
+ *
+ * TODO: consider enabling the test even tethering config disables BPF offload. See b/238288883
+ */
@Test
@IgnoreUpTo(Build.VERSION_CODES.R)
- public void testTetherUdpV4AfterR() throws Exception {
- final String kernelVersion = VintfRuntimeInfo.getKernelVersion();
- final boolean isUdpOffloadSupported = isUdpOffloadSupportedByKernel(kernelVersion);
- if (!isUdpOffloadSupported) {
- Log.i(TAG, "testTetherUdpV4AfterR will skip BPF offload test for kernel "
- + kernelVersion);
- }
- final boolean isTetherConfigBpfOffloadEnabled = isTetherConfigBpfOffloadEnabled();
- if (!isTetherConfigBpfOffloadEnabled) {
- Log.i(TAG, "testTetherUdpV4AfterR will skip BPF offload test "
- + "because tethering config doesn't enable BPF offload.");
- }
- runUdp4Test(initTetheringTester(toList(TEST_IP4_ADDR), toList(TEST_IP4_DNS)),
- isUdpOffloadSupported && isTetherConfigBpfOffloadEnabled);
+ public void testTetherUdpV4_VerifyBpf() throws Exception {
+ assumeTrue("Tethering config disabled BPF offload", isTetherConfigBpfOffloadEnabled());
+ assumeKernelSupportBpfOffloadUdpV4();
+
+ runUdp4Test(true /* verifyBpf */);
}
@Nullable
@@ -1287,33 +1290,23 @@
// sending out an IPv4 packet and extracting the source address from CLAT translated IPv6
// packet.
//
- private void runClatUdpTest(TetheringTester tester) throws Exception {
- final TetheredDevice tethered = tester.createTetheredDevice(MacAddress.fromString(
- "1:2:3:4:5:6"), true /* hasIpv6 */);
+ private void runClatUdpTest() throws Exception {
+ // CLAT only starts on IPv6 only network.
+ final TetheringTester tester = initTetheringTester(toList(TEST_IP6_ADDR),
+ toList(TEST_IP6_DNS));
+ final TetheredDevice tethered = tester.createTetheredDevice(TEST_MAC, true /* hasIpv6 */);
// Get CLAT IPv6 address.
- final Inet6Address clatAddr6 = getClatIpv6Address(tester, tethered);
+ final Inet6Address clatIp6 = getClatIpv6Address(tester, tethered);
// Send an IPv4 UDP packet in original direction.
// IPv4 packet -- CLAT translation --> IPv6 packet
- final ByteBuffer originalPacket = buildUdpPacket(tethered.macAddr,
- tethered.routerMacAddr, tethered.ipv4Addr /* srcIp */,
- REMOTE_IP4_ADDR /* dstIp */, LOCAL_PORT /* srcPort */, REMOTE_PORT /* dstPort */,
- PAYLOAD /* payload */);
- tester.verifyUpload(originalPacket, p -> {
- Log.d(TAG, "Packet in upstream: " + dumpHexString(p));
- return isExpectedUdpPacket(p, false /* hasEther */, false /* isIpv4 */, PAYLOAD);
- });
+ sendUploadPacketUdp(tethered.macAddr, tethered.routerMacAddr, tethered.ipv4Addr,
+ REMOTE_IP4_ADDR, tester, true /* is4To6 */);
// Send an IPv6 UDP packet in reply direction.
// IPv6 packet -- CLAT translation --> IPv4 packet
- final ByteBuffer replyPacket = buildUdpPacket(REMOTE_NAT64_ADDR /* srcIp */,
- clatAddr6 /* dstIp */, REMOTE_PORT /* srcPort */, LOCAL_PORT /* dstPort */,
- PAYLOAD2 /* payload */);
- tester.verifyDownload(replyPacket, p -> {
- Log.d(TAG, "Packet in downstream: " + dumpHexString(p));
- return isExpectedUdpPacket(p, true /* hasEther */, true /* isIpv4 */, PAYLOAD2);
- });
+ sendDownloadPacketUdp(REMOTE_NAT64_ADDR, clatIp6, tester, true /* is6To4 */);
// TODO: test CLAT bpf maps.
}
@@ -1321,8 +1314,7 @@
@Test
@IgnoreUpTo(Build.VERSION_CODES.R)
public void testTetherClatUdp() throws Exception {
- // CLAT only starts on IPv6 only network.
- runClatUdpTest(initTetheringTester(toList(TEST_IP6_ADDR), toList(TEST_IP6_DNS)));
+ runClatUdpTest();
}
private <T> List<T> toList(T... array) {
diff --git a/bpf_progs/Android.bp b/bpf_progs/Android.bp
index 2f4cbcd..8eb9cfd 100644
--- a/bpf_progs/Android.bp
+++ b/bpf_progs/Android.bp
@@ -51,6 +51,7 @@
"//packages/modules/Connectivity/Tethering",
"//packages/modules/Connectivity/service/native",
"//packages/modules/Connectivity/tests/native/connectivity_native_test",
+ "//packages/modules/Connectivity/tests/native/utilities",
"//packages/modules/Connectivity/service-t/native/libs/libnetworkstats",
"//packages/modules/Connectivity/tests/unit/jni",
"//system/netd/tests",
diff --git a/framework-t/Android.bp b/framework-t/Android.bp
index 80477f1..c76416f 100644
--- a/framework-t/Android.bp
+++ b/framework-t/Android.bp
@@ -142,3 +142,8 @@
"//packages/modules/Wifi/service/tests/wifitests",
],
}
+
+platform_compat_config {
+ name: "connectivity-t-platform-compat-config",
+ src: ":framework-connectivity-t",
+}
diff --git a/framework-t/src/android/net/nsd/NsdManager.java b/framework-t/src/android/net/nsd/NsdManager.java
index 3fcc11b..fb3b1d6 100644
--- a/framework-t/src/android/net/nsd/NsdManager.java
+++ b/framework-t/src/android/net/nsd/NsdManager.java
@@ -139,17 +139,21 @@
* The platform will only keep the daemon running as long as there are
* any legacy apps connected.
*
- * After Android 12, directly communicate with native daemon might not
- * work since the native damon won't always stay alive.
- * Use the NSD APIs from NsdManager as the replacement is recommended.
- * An another alternative could be bundling your own mdns solutions instead of
+ * After Android 12, direct communication with the native daemon might not work since the native
+ * daemon won't always stay alive. Using the NSD APIs from NsdManager as the replacement is
+ * recommended.
+ * Another alternative could be bundling your own mdns solutions instead of
* depending on the system mdns native daemon.
*
+ * This compatibility change applies to Android 13 and later only. To toggle behavior on
+ * Android 12 and Android 12L, use RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS.
+ *
* @hide
*/
@ChangeId
@EnabledSince(targetSdkVersion = android.os.Build.VERSION_CODES.S)
- public static final long RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS = 191844585L;
+ // This was a platform change ID with value 191844585L before T
+ public static final long RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS_T_AND_LATER = 235355681L;
/**
* Broadcast intent action to indicate whether network service discovery is
@@ -500,7 +504,7 @@
// Only proactively start the daemon if the target SDK < S, otherwise the internal service
// would automatically start/stop the native daemon as needed.
- if (!CompatChanges.isChangeEnabled(RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS)) {
+ if (!CompatChanges.isChangeEnabled(RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS_T_AND_LATER)) {
try {
mService.startDaemon();
} catch (RemoteException e) {
diff --git a/service/jni/com_android_server_BpfNetMaps.cpp b/service/jni/com_android_server_BpfNetMaps.cpp
index 49392e0..2780044 100644
--- a/service/jni/com_android_server_BpfNetMaps.cpp
+++ b/service/jni/com_android_server_BpfNetMaps.cpp
@@ -82,6 +82,13 @@
return (jint)status.code();
}
+static jint native_setChildChain(JNIEnv* env, jobject self, jint childChain, jboolean enable) {
+ auto chain = static_cast<ChildChain>(childChain);
+ int res = mTc.toggleUidOwnerMap(chain, enable);
+ if (res) ALOGE("%s failed, error code = %d", __func__, res);
+ return (jint)res;
+}
+
static jint native_replaceUidChain(JNIEnv* env, jobject self, jstring name, jboolean isAllowlist,
jintArray jUids) {
const ScopedUtfChars chainNameUtf8(env, name);
@@ -192,6 +199,8 @@
(void*)native_addNiceApp},
{"native_removeNiceApp", "(I)I",
(void*)native_removeNiceApp},
+ {"native_setChildChain", "(IZ)I",
+ (void*)native_setChildChain},
{"native_replaceUidChain", "(Ljava/lang/String;Z[I)I",
(void*)native_replaceUidChain},
{"native_setUidRule", "(III)I",
diff --git a/service/native/TrafficController.cpp b/service/native/TrafficController.cpp
index 9331548..4dc056d 100644
--- a/service/native/TrafficController.cpp
+++ b/service/native/TrafficController.cpp
@@ -451,6 +451,53 @@
return 0;
}
+int TrafficController::toggleUidOwnerMap(ChildChain chain, bool enable) {
+ std::lock_guard guard(mMutex);
+ uint32_t key = UID_RULES_CONFIGURATION_KEY;
+ auto oldConfigure = mConfigurationMap.readValue(key);
+ if (!oldConfigure.ok()) {
+ ALOGE("Cannot read the old configuration from map: %s",
+ oldConfigure.error().message().c_str());
+ return -oldConfigure.error().code();
+ }
+ uint32_t match;
+ switch (chain) {
+ case DOZABLE:
+ match = DOZABLE_MATCH;
+ break;
+ case STANDBY:
+ match = STANDBY_MATCH;
+ break;
+ case POWERSAVE:
+ match = POWERSAVE_MATCH;
+ break;
+ case RESTRICTED:
+ match = RESTRICTED_MATCH;
+ break;
+ case LOW_POWER_STANDBY:
+ match = LOW_POWER_STANDBY_MATCH;
+ break;
+ case OEM_DENY_1:
+ match = OEM_DENY_1_MATCH;
+ break;
+ case OEM_DENY_2:
+ match = OEM_DENY_2_MATCH;
+ break;
+ case OEM_DENY_3:
+ match = OEM_DENY_3_MATCH;
+ break;
+ default:
+ return -EINVAL;
+ }
+ BpfConfig newConfiguration =
+ enable ? (oldConfigure.value() | match) : (oldConfigure.value() & ~match);
+ Status res = mConfigurationMap.writeValue(key, newConfiguration, BPF_EXIST);
+ if (!isOk(res)) {
+ ALOGE("Failed to toggleUidOwnerMap(%d): %s", chain, res.msg().c_str());
+ }
+ return -res.code();
+}
+
Status TrafficController::swapActiveStatsMap() {
std::lock_guard guard(mMutex);
diff --git a/service/native/include/TrafficController.h b/service/native/include/TrafficController.h
index 14c5eaf..8512929 100644
--- a/service/native/include/TrafficController.h
+++ b/service/native/include/TrafficController.h
@@ -71,6 +71,8 @@
netdutils::Status updateUidOwnerMap(const uint32_t uid,
UidOwnerMatchType matchType, IptOp op) EXCLUDES(mMutex);
+ int toggleUidOwnerMap(ChildChain chain, bool enable) EXCLUDES(mMutex);
+
static netdutils::StatusOr<std::unique_ptr<netdutils::NetlinkListenerInterface>>
makeSkDestroyListener();
diff --git a/service/src/com/android/server/BpfNetMaps.java b/service/src/com/android/server/BpfNetMaps.java
index 3befd86..0270fc2 100644
--- a/service/src/com/android/server/BpfNetMaps.java
+++ b/service/src/com/android/server/BpfNetMaps.java
@@ -637,6 +637,7 @@
private native int native_addNiceApp(int uid);
@GuardedBy("sUidOwnerMap")
private native int native_removeNiceApp(int uid);
+ private native int native_setChildChain(int childChain, boolean enable);
@GuardedBy("sUidOwnerMap")
private native int native_replaceUidChain(String name, boolean isAllowlist, int[] uids);
@GuardedBy("sUidOwnerMap")
diff --git a/tests/cts/net/Android.bp b/tests/cts/net/Android.bp
index 62f37bb..a6179fc 100644
--- a/tests/cts/net/Android.bp
+++ b/tests/cts/net/Android.bp
@@ -128,3 +128,18 @@
],
}
+android_test {
+ name: "CtsNetTestCasesMaxTargetSdk30", // Must match CtsNetTestCasesMaxTargetSdk30 annotation.
+ defaults: [
+ "CtsNetTestCasesDefaults",
+ "CtsNetTestCasesApiStableDefaults",
+ ],
+ target_sdk_version: "30",
+ package_name: "android.net.cts.maxtargetsdk30", // CTS package names must be unique.
+ instrumentation_target_package: "android.net.cts.maxtargetsdk30",
+ test_suites: [
+ "cts",
+ "general-tests",
+ "mts-networking",
+ ],
+}
diff --git a/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java b/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java
index 64238b3..5edf727 100644
--- a/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java
+++ b/tests/cts/net/src/android/net/cts/ConnectivityManagerTest.java
@@ -189,6 +189,7 @@
import com.android.networkstack.apishim.NetworkInformationShimImpl;
import com.android.networkstack.apishim.common.ConnectivityManagerShim;
import com.android.testutils.CompatUtil;
+import com.android.testutils.ConnectivityModuleTest;
import com.android.testutils.DevSdkIgnoreRule;
import com.android.testutils.DevSdkIgnoreRule.IgnoreUpTo;
import com.android.testutils.DeviceInfoUtils;
@@ -3358,7 +3359,7 @@
}, NETWORK_SETTINGS);
}
- @Test @IgnoreUpTo(SC_V2)
+ @Test @IgnoreUpTo(SC_V2) @ConnectivityModuleTest
@AppModeFull(reason = "Socket cannot bind in instant app mode")
public void testFirewallBlocking() {
// ALLOWLIST means the firewall denies all by default, uids must be explicitly allowed
diff --git a/tests/cts/net/src/android/net/cts/NsdManagerTest.kt b/tests/cts/net/src/android/net/cts/NsdManagerTest.kt
index 64cc97d..a02be85 100644
--- a/tests/cts/net/src/android/net/cts/NsdManagerTest.kt
+++ b/tests/cts/net/src/android/net/cts/NsdManagerTest.kt
@@ -16,6 +16,7 @@
package android.net.cts
import android.Manifest.permission.MANAGE_TEST_NETWORKS
+import android.app.compat.CompatChanges
import android.net.ConnectivityManager
import android.net.ConnectivityManager.NetworkCallback
import android.net.LinkProperties
@@ -46,6 +47,7 @@
import android.net.nsd.NsdManager.RegistrationListener
import android.net.nsd.NsdManager.ResolveListener
import android.net.nsd.NsdServiceInfo
+import android.os.Build
import android.os.Handler
import android.os.HandlerThread
import android.os.Process.myTid
@@ -56,17 +58,23 @@
import com.android.net.module.util.ArrayTrackRecord
import com.android.net.module.util.TrackRecord
import com.android.networkstack.apishim.NsdShimImpl
+import com.android.testutils.ConnectivityModuleTest
+import com.android.testutils.DevSdkIgnoreRule
import com.android.testutils.TestableNetworkAgent
import com.android.testutils.TestableNetworkCallback
+import com.android.testutils.filters.CtsNetTestCasesMaxTargetSdk30
import com.android.testutils.runAsShell
import com.android.testutils.tryTest
import org.junit.After
import org.junit.Assert.assertArrayEquals
+import org.junit.Assert.assertFalse
import org.junit.Assert.assertTrue
import org.junit.Assume.assumeTrue
import org.junit.Before
+import org.junit.Rule
import org.junit.Test
import org.junit.runner.RunWith
+import java.io.File
import java.net.ServerSocket
import java.nio.charset.StandardCharsets
import java.util.Random
@@ -89,6 +97,10 @@
@AppModeFull(reason = "Socket cannot bind in instant app mode")
@RunWith(AndroidJUnit4::class)
class NsdManagerTest {
+ // Rule used to filter CtsNetTestCasesMaxTargetSdkXX
+ @get:Rule
+ val ignoreRule = DevSdkIgnoreRule()
+
private val context by lazy { InstrumentationRegistry.getInstrumentation().context }
private val nsdManager by lazy { context.getSystemService(NsdManager::class.java) }
@@ -692,6 +704,30 @@
}
}
+ @Test @CtsNetTestCasesMaxTargetSdk30("Socket is started with the service up to target SDK 30")
+ fun testManagerCreatesLegacySocket() {
+ nsdManager // Ensure the lazy-init member is initialized, so NsdManager is created
+ val socket = File("/dev/socket/mdnsd")
+ val timeout = System.currentTimeMillis() + TIMEOUT_MS
+ while (!socket.exists() && System.currentTimeMillis() < timeout) {
+ Thread.sleep(10)
+ }
+ assertTrue("$socket was not found after $TIMEOUT_MS ms", socket.exists())
+ }
+
+ // The compat change is part of a connectivity module update that applies to T+
+ @ConnectivityModuleTest @DevSdkIgnoreRule.IgnoreUpTo(Build.VERSION_CODES.S_V2)
+ @Test @CtsNetTestCasesMaxTargetSdk30("Socket is started with the service up to target SDK 30")
+ fun testManagerCreatesLegacySocket_CompatChange() {
+ // The socket may have been already created by some other app, or some other test, in which
+ // case this test cannot verify creation. At least verify that the compat change is
+ // disabled in a process with max SDK 30; unit tests already verify that start is requested
+ // when the compat change is disabled.
+ // Note that before T the compat constant had a different int value.
+ assertFalse(CompatChanges.isChangeEnabled(
+ NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS_T_AND_LATER))
+ }
+
/**
* Register a service and return its registration record.
*/
diff --git a/tests/native/utilities/Android.bp b/tests/native/utilities/Android.bp
new file mode 100644
index 0000000..7668cc1
--- /dev/null
+++ b/tests/native/utilities/Android.bp
@@ -0,0 +1,30 @@
+//
+// Copyright (C) 2022 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+cc_test_library {
+ name: "libconnectivity_native_test_utils",
+ defaults: [
+ "netd_defaults",
+ "resolv_test_defaults"
+ ],
+ srcs: [
+ "firewall.cpp",
+ ],
+ header_libs: [
+ "bpf_connectivity_headers",
+ ],
+ export_header_lib_headers: ["bpf_connectivity_headers"],
+ export_include_dirs: ["."],
+}
diff --git a/tests/native/utilities/firewall.cpp b/tests/native/utilities/firewall.cpp
new file mode 100644
index 0000000..e4669cb
--- /dev/null
+++ b/tests/native/utilities/firewall.cpp
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include "firewall.h"
+
+#include <android-base/result.h>
+#include <gtest/gtest.h>
+
+Firewall::Firewall() {
+ std::lock_guard guard(mMutex);
+ auto result = mConfigurationMap.init(CONFIGURATION_MAP_PATH);
+ EXPECT_RESULT_OK(result) << "init mConfigurationMap failed";
+
+ result = mUidOwnerMap.init(UID_OWNER_MAP_PATH);
+ EXPECT_RESULT_OK(result) << "init mUidOwnerMap failed";
+}
+
+Firewall* Firewall::getInstance() {
+ static Firewall instance;
+ return &instance;
+}
+
+Result<void> Firewall::toggleStandbyMatch(bool enable) {
+ std::lock_guard guard(mMutex);
+ uint32_t key = UID_RULES_CONFIGURATION_KEY;
+ auto oldConfiguration = mConfigurationMap.readValue(key);
+ if (!oldConfiguration.ok()) {
+ return Errorf("Cannot read the old configuration: {}", oldConfiguration.error().message());
+ }
+
+ BpfConfig newConfiguration = enable ? (oldConfiguration.value() | STANDBY_MATCH)
+ : (oldConfiguration.value() & (~STANDBY_MATCH));
+ auto res = mConfigurationMap.writeValue(key, newConfiguration, BPF_EXIST);
+ if (!res.ok()) return Errorf("Failed to toggle STANDBY_MATCH: {}", res.error().message());
+
+ return {};
+}
+
+Result<void> Firewall::addRule(uint32_t uid, UidOwnerMatchType match, uint32_t iif) {
+ // iif should be non-zero if and only if match == MATCH_IIF
+ if (match == IIF_MATCH && iif == 0) {
+ return Errorf("Interface match {} must have nonzero interface index", match);
+ } else if (match != IIF_MATCH && iif != 0) {
+ return Errorf("Non-interface match {} must have zero interface index", match);
+ }
+
+ std::lock_guard guard(mMutex);
+ auto oldMatch = mUidOwnerMap.readValue(uid);
+ if (oldMatch.ok()) {
+ UidOwnerValue newMatch = {
+ .iif = iif ? iif : oldMatch.value().iif,
+ .rule = static_cast<uint8_t>(oldMatch.value().rule | match),
+ };
+ auto res = mUidOwnerMap.writeValue(uid, newMatch, BPF_ANY);
+ if (!res.ok()) return Errorf("Failed to update rule: {}", res.error().message());
+ } else {
+ UidOwnerValue newMatch = {
+ .iif = iif,
+ .rule = static_cast<uint8_t>(match),
+ };
+ auto res = mUidOwnerMap.writeValue(uid, newMatch, BPF_ANY);
+ if (!res.ok()) return Errorf("Failed to add rule: {}", res.error().message());
+ }
+ return {};
+}
+
+Result<void> Firewall::removeRule(uint32_t uid, UidOwnerMatchType match) {
+ std::lock_guard guard(mMutex);
+ auto oldMatch = mUidOwnerMap.readValue(uid);
+ if (!oldMatch.ok()) return Errorf("uid: %u does not exist in map", uid);
+
+ UidOwnerValue newMatch = {
+ .iif = (match == IIF_MATCH) ? 0 : oldMatch.value().iif,
+ .rule = static_cast<uint8_t>(oldMatch.value().rule & ~match),
+ };
+ if (newMatch.rule == 0) {
+ auto res = mUidOwnerMap.deleteValue(uid);
+ if (!res.ok()) return Errorf("Failed to remove rule: {}", res.error().message());
+ } else {
+ auto res = mUidOwnerMap.writeValue(uid, newMatch, BPF_ANY);
+ if (!res.ok()) return Errorf("Failed to update rule: {}", res.error().message());
+ }
+ return {};
+}
+
+Result<void> Firewall::addUidInterfaceRules(const std::string& ifName,
+ const std::vector<int32_t>& uids) {
+ unsigned int iif = if_nametoindex(ifName.c_str());
+ if (!iif) return Errorf("Failed to get interface index: {}", ifName);
+
+ for (auto uid : uids) {
+ auto res = addRule(uid, IIF_MATCH, iif);
+ if (!res.ok()) return res;
+ }
+ return {};
+}
+
+Result<void> Firewall::removeUidInterfaceRules(const std::vector<int32_t>& uids) {
+ for (auto uid : uids) {
+ auto res = removeRule(uid, IIF_MATCH);
+ if (!res.ok()) return res;
+ }
+ return {};
+}
diff --git a/tests/native/utilities/firewall.h b/tests/native/utilities/firewall.h
new file mode 100644
index 0000000..185559b
--- /dev/null
+++ b/tests/native/utilities/firewall.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#pragma once
+
+#include <android-base/thread_annotations.h>
+#include <bpf/BpfMap.h>
+#include <bpf_shared.h>
+
+using android::base::Result;
+using android::bpf::BpfMap;
+
+class Firewall {
+ public:
+ Firewall() EXCLUDES(mMutex);
+ static Firewall* getInstance();
+ Result<void> toggleStandbyMatch(bool enable) EXCLUDES(mMutex);
+ Result<void> addRule(uint32_t uid, UidOwnerMatchType match, uint32_t iif = 0) EXCLUDES(mMutex);
+ Result<void> removeRule(uint32_t uid, UidOwnerMatchType match) EXCLUDES(mMutex);
+ Result<void> addUidInterfaceRules(const std::string& ifName, const std::vector<int32_t>& uids);
+ Result<void> removeUidInterfaceRules(const std::vector<int32_t>& uids);
+
+ private:
+ BpfMap<uint32_t, uint32_t> mConfigurationMap GUARDED_BY(mMutex);
+ BpfMap<uint32_t, UidOwnerValue> mUidOwnerMap GUARDED_BY(mMutex);
+ std::mutex mMutex;
+};
diff --git a/tests/unit/java/android/net/nsd/NsdManagerTest.java b/tests/unit/java/android/net/nsd/NsdManagerTest.java
index 32274bc..e3dbb14 100644
--- a/tests/unit/java/android/net/nsd/NsdManagerTest.java
+++ b/tests/unit/java/android/net/nsd/NsdManagerTest.java
@@ -81,70 +81,70 @@
}
@Test
- @EnableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS)
+ @EnableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS_T_AND_LATER)
public void testResolveServiceS() throws Exception {
verify(mServiceConn, never()).startDaemon();
doTestResolveService();
}
@Test
- @DisableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS)
+ @DisableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS_T_AND_LATER)
public void testResolveServicePreS() throws Exception {
verify(mServiceConn).startDaemon();
doTestResolveService();
}
@Test
- @EnableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS)
+ @EnableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS_T_AND_LATER)
public void testDiscoverServiceS() throws Exception {
verify(mServiceConn, never()).startDaemon();
doTestDiscoverService();
}
@Test
- @DisableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS)
+ @DisableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS_T_AND_LATER)
public void testDiscoverServicePreS() throws Exception {
verify(mServiceConn).startDaemon();
doTestDiscoverService();
}
@Test
- @EnableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS)
+ @EnableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS_T_AND_LATER)
public void testParallelResolveServiceS() throws Exception {
verify(mServiceConn, never()).startDaemon();
doTestParallelResolveService();
}
@Test
- @DisableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS)
+ @DisableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS_T_AND_LATER)
public void testParallelResolveServicePreS() throws Exception {
verify(mServiceConn).startDaemon();
doTestParallelResolveService();
}
@Test
- @EnableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS)
+ @EnableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS_T_AND_LATER)
public void testInvalidCallsS() throws Exception {
verify(mServiceConn, never()).startDaemon();
doTestInvalidCalls();
}
@Test
- @DisableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS)
+ @DisableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS_T_AND_LATER)
public void testInvalidCallsPreS() throws Exception {
verify(mServiceConn).startDaemon();
doTestInvalidCalls();
}
@Test
- @EnableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS)
+ @EnableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS_T_AND_LATER)
public void testRegisterServiceS() throws Exception {
verify(mServiceConn, never()).startDaemon();
doTestRegisterService();
}
@Test
- @DisableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS)
+ @DisableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS_T_AND_LATER)
public void testRegisterServicePreS() throws Exception {
verify(mServiceConn).startDaemon();
doTestRegisterService();
diff --git a/tests/unit/java/com/android/server/NsdServiceTest.java b/tests/unit/java/com/android/server/NsdServiceTest.java
index 07884cf..1813393 100644
--- a/tests/unit/java/com/android/server/NsdServiceTest.java
+++ b/tests/unit/java/com/android/server/NsdServiceTest.java
@@ -159,7 +159,7 @@
}
@Test
- @DisableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS)
+ @DisableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS_T_AND_LATER)
public void testPreSClients() throws Exception {
// Pre S client connected, the daemon should be started.
connectClient(mService);
@@ -186,7 +186,7 @@
}
@Test
- @EnableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS)
+ @EnableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS_T_AND_LATER)
public void testNoDaemonStartedWhenClientsConnect() throws Exception {
// Creating an NsdManager will not cause daemon startup.
connectClient(mService);
@@ -220,7 +220,7 @@
}
@Test
- @EnableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS)
+ @EnableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS_T_AND_LATER)
public void testClientRequestsAreGCedAtDisconnection() throws Exception {
final NsdManager client = connectClient(mService);
final INsdManagerCallback cb1 = getCallback();
@@ -263,7 +263,7 @@
}
@Test
- @EnableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS)
+ @EnableCompatChanges(NsdManager.RUN_NATIVE_NSD_ONLY_IF_LEGACY_APPS_T_AND_LATER)
public void testCleanupDelayNoRequestActive() throws Exception {
final NsdManager client = connectClient(mService);