Skip adding ingress discard rule to legacy VPN
Cherry-pick of aosp/3201971 to backport VPN security fix to non-mainline
U devices.
Some legacy VPNs need to receive packets to the VPN address via a
non-VPN interface.
Bug: 193031925
Test: TH
Merged-In: Iad06dc69c5bf5ccda476e89ed9b0fc1bc63d2ebe
Change-Id: If4f6b095a719a0abcb6254c522beac5d45110d4d
diff --git a/service/src/com/android/server/ConnectivityService.java b/service/src/com/android/server/ConnectivityService.java
index 0882870..523062c 100755
--- a/service/src/com/android/server/ConnectivityService.java
+++ b/service/src/com/android/server/ConnectivityService.java
@@ -8349,8 +8349,10 @@
* interfaces.
* Ingress discard rule is added to the address iff
* 1. The address is not a link local address
- * 2. The address is used by a single VPN interface and not used by any other
+ * 2. The address is used by a single non-Legacy VPN interface and not used by any other
* interfaces even non-VPN ones
+ * Ingress discard rule is not be added to Legacy VPN since some Legacy VPNs need to receive
+ * packet to VPN address via non-VPN interface.
* This method can be called during network disconnects, when nai has already been removed from
* mNetworkAgentInfos.
*
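Review bot: the new Javadoc sentence has a grammar slip ("Ingress discard rule is not be added to Legacy VPN") and should read "An ingress discard rule is not added for a Legacy VPN, since some Legacy VPNs need to receive packets to the VPN address via a non-VPN interface." Since this exemption means the anti-spoofing protection the discard rule provides no longer covers Legacy VPN addresses, it is worth stating that trade-off explicitly in the comment and referencing the bug number from the commit message so a future reader does not "fix" the exemption back.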
@@ -8385,7 +8387,8 @@
// for different network.
final Set<Pair<InetAddress, String>> ingressDiscardRules = new ArraySet<>();
for (final NetworkAgentInfo agent : nais) {
- if (!agent.isVPN() || agent.isDestroyed()) {
+ if (!agent.isVPN() || agent.isDestroyed()
+ || getVpnType(agent) == VpnManager.TYPE_VPN_LEGACY) {
continue;
}
final LinkProperties agentLp = (nai == agent) ? lp : agent.linkProperties;
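Review bot: the `continue` for `getVpnType(agent) == VpnManager.TYPE_VPN_LEGACY` drops Legacy VPN agents from the loop that collects candidate rules, which exempts their own addresses as intended, but please confirm that the later "not used by any other interface" check (outside this hunk) still sees the Legacy VPN's interface addresses when evaluating a non-Legacy VPN: otherwise a non-Legacy VPN sharing an address with a Legacy one would still get a discard rule that blocks the traffic the Legacy VPN expects. Given `Test: TH`, a unit test that brings up a Legacy VPN agent and asserts no ingress discard rule is programmed for its address (and that a non-Legacy VPN is still covered) would lock in this behaviour.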