Add clarifying comments on for IPsec forward policies

This change adds clarifying comments for the usage of the forward
policies in IPsec, and corrects a comment to properly specify the
permissions allowed.

Bug: 185495453
Test: Comment-only changes
Change-Id: I6d36522c344c41b0ebd90d46b216d115b678dd31
diff --git a/services/core/java/com/android/server/IpSecService.java b/services/core/java/com/android/server/IpSecService.java
index d574e74..d6ee951 100644
--- a/services/core/java/com/android/server/IpSecService.java
+++ b/services/core/java/com/android/server/IpSecService.java
@@ -1112,7 +1112,7 @@
             case IpSecManager.DIRECTION_IN:
                 return;
             case IpSecManager.DIRECTION_FWD:
-                // Only NETWORK_STACK or PERMISSION_NETWORK_STACK allowed to use forward policies
+                // Only NETWORK_STACK or MAINLINE_NETWORK_STACK allowed to use forward policies
                 PermissionUtils.enforceNetworkStackPermission(mContext);
                 return;
         }
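Review bot: The corrected comment on the DIRECTION_FWD case still hard-codes the permission names while the actual check is delegated to `PermissionUtils.enforceNetworkStackPermission(mContext)`, so the two can drift apart again exactly as the old comment did. Pointing the comment at the helper keeps it accurate if that helper's permission set changes: `// Forward policies are restricted to the network stack; the exact permissions are enforced by PermissionUtils.enforceNetworkStackPermission.`. The switch and its enclosing method start and end outside this hunk, so I cannot see how DIRECTION_OUT or an unknown direction is handled.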
@@ -1358,6 +1358,16 @@
                         ikey,
                         0xffffffff,
                         resourceId);
+
+                // Add a forwarding policy on the tunnel interface. In order to support forwarding
+                // the IpSecTunnelInterface must have a forwarding policy matching the incoming SA.
+                //
+                // Unless a IpSecTransform is also applied against this interface in DIRECTION_FWD,
+                // forwarding will be blocked by default (as would be the case if this policy was
+                // absent).
+                //
+                // This is necessary only on the tunnel interface, and not any the interface to
+                // which traffic will be forwarded to.
                 netd.ipSecAddSecurityPolicy(
                         callerUid,
                         selAddrFamily,
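Review bot: The new comment has two wording slips that make the fail-closed behaviour harder to read: "a IpSecTransform" and "not any the interface to which traffic will be forwarded to". Suggested lines: `// Unless an IpSecTransform is also applied to this interface in DIRECTION_FWD,` and `// This is necessary only on the tunnel interface, and not on the interface to` followed by `// which traffic will be forwarded.`. It would also help to state explicitly that the policy alone does not permit forwarding and only makes the interface eligible once a DIRECTION_FWD transform is applied, since that default-deny property is the point a reader will want confirmed. The enclosing method and the `netd.ipSecAddSecurityPolicy(...)` argument list continue outside this hunk.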