Merge "Set up forwarding rules for local network agents" into main
diff --git a/OWNERS b/OWNERS
index 649efda..b2176cc 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,3 +1,4 @@
+# Bug component: 31808
set noparent
file:platform/packages/modules/Connectivity:main:/OWNERS_core_networking
diff --git a/common/flags.aconfig b/common/flags.aconfig
index 7235202..0c46b48 100644
--- a/common/flags.aconfig
+++ b/common/flags.aconfig
@@ -27,3 +27,10 @@
description: "Set data saver through ConnectivityManager API"
bug: "297836825"
}
+
+flag {
+ name: "support_is_uid_networking_blocked"
+ namespace: "android_core_networking"
+ description: "This flag controls whether isUidNetworkingBlocked is supported"
+ bug: "297836825"
+}
diff --git a/common/src/com/android/net/module/util/bpf/IngressDiscardKey.java b/common/src/com/android/net/module/util/bpf/IngressDiscardKey.java
index eabcf3c..9fefb52 100644
--- a/common/src/com/android/net/module/util/bpf/IngressDiscardKey.java
+++ b/common/src/com/android/net/module/util/bpf/IngressDiscardKey.java
@@ -16,9 +16,12 @@
package com.android.net.module.util.bpf;
+import com.android.net.module.util.InetAddressUtils;
import com.android.net.module.util.Struct;
+import java.net.Inet4Address;
import java.net.Inet6Address;
+import java.net.InetAddress;
/** Key type for ingress discard map */
public class IngressDiscardKey extends Struct {
@@ -29,4 +32,14 @@
public IngressDiscardKey(final Inet6Address dstAddr) {
this.dstAddr = dstAddr;
}
+
+ private static Inet6Address getInet6Address(final InetAddress addr) {
+ return (addr instanceof Inet4Address)
+ ? InetAddressUtils.v4MappedV6Address((Inet4Address) addr)
+ : (Inet6Address) addr;
+ }
+
+ public IngressDiscardKey(final InetAddress dstAddr) {
+ this(getInet6Address(dstAddr));
+ }
}
diff --git a/framework/api/module-lib-current.txt b/framework/api/module-lib-current.txt
index 782e20a..4d55067 100644
--- a/framework/api/module-lib-current.txt
+++ b/framework/api/module-lib-current.txt
@@ -14,6 +14,7 @@
method @NonNull public static android.util.Range<java.lang.Integer> getIpSecNetIdRange();
method @Nullable @RequiresPermission(anyOf={android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK, android.Manifest.permission.NETWORK_STACK, android.Manifest.permission.NETWORK_SETTINGS}) public android.net.LinkProperties getRedactedLinkPropertiesForPackage(@NonNull android.net.LinkProperties, int, @NonNull String);
method @Nullable @RequiresPermission(anyOf={android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK, android.Manifest.permission.NETWORK_STACK, android.Manifest.permission.NETWORK_SETTINGS}) public android.net.NetworkCapabilities getRedactedNetworkCapabilitiesForPackage(@NonNull android.net.NetworkCapabilities, int, @NonNull String);
+ method @FlaggedApi("com.android.net.flags.support_is_uid_networking_blocked") @RequiresPermission(android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK) public boolean isUidNetworkingBlocked(int, boolean);
method @RequiresPermission(anyOf={android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK, android.Manifest.permission.NETWORK_SETTINGS}) public void registerDefaultNetworkCallbackForUid(int, @NonNull android.net.ConnectivityManager.NetworkCallback, @NonNull android.os.Handler);
method @RequiresPermission(anyOf={android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK, android.Manifest.permission.NETWORK_SETTINGS, android.Manifest.permission.NETWORK_SETUP_WIZARD, android.Manifest.permission.CONNECTIVITY_USE_RESTRICTED_NETWORKS}) public void registerSystemDefaultNetworkCallback(@NonNull android.net.ConnectivityManager.NetworkCallback, @NonNull android.os.Handler);
method @RequiresPermission(anyOf={android.Manifest.permission.NETWORK_SETTINGS, android.Manifest.permission.NETWORK_STACK, android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK}) public void removeUidFromMeteredNetworkAllowList(int);
diff --git a/framework/src/android/net/BpfNetMapsConstants.java b/framework/src/android/net/BpfNetMapsConstants.java
index 8086809..c784597 100644
--- a/framework/src/android/net/BpfNetMapsConstants.java
+++ b/framework/src/android/net/BpfNetMapsConstants.java
@@ -54,6 +54,8 @@
"/sys/fs/bpf/netd_shared/map_netd_cookie_tag_map";
public static final String DATA_SAVER_ENABLED_MAP_PATH =
"/sys/fs/bpf/netd_shared/map_netd_data_saver_enabled_map";
+ public static final String INGRESS_DISCARD_MAP_PATH =
+ "/sys/fs/bpf/netd_shared/map_netd_ingress_discard_map";
public static final Struct.S32 UID_RULES_CONFIGURATION_KEY = new Struct.S32(0);
public static final Struct.S32 CURRENT_STATS_MAP_CONFIGURATION_KEY = new Struct.S32(1);
public static final Struct.S32 DATA_SAVER_ENABLED_KEY = new Struct.S32(0);
diff --git a/framework/src/android/net/ConnectivityManager.java b/framework/src/android/net/ConnectivityManager.java
index f44fd0e..eb8f8c3 100644
--- a/framework/src/android/net/ConnectivityManager.java
+++ b/framework/src/android/net/ConnectivityManager.java
@@ -133,6 +133,8 @@
public static class Flags {
static final String SET_DATA_SAVER_VIA_CM =
"com.android.net.flags.set_data_saver_via_cm";
+ static final String SUPPORT_IS_UID_NETWORKING_BLOCKED =
+ "com.android.net.flags.support_is_uid_networking_blocked";
}
/**
@@ -6311,8 +6313,8 @@
// is provided by linux file group permission AID_NET_BW_ACCT and the
// selinux context fs_bpf_net*.
// Only the system server process and the network stack have access.
- // TODO: Expose api when ready.
- // @SystemApi(client = MODULE_LIBRARIES)
+ @FlaggedApi(Flags.SUPPORT_IS_UID_NETWORKING_BLOCKED)
+ @SystemApi(client = MODULE_LIBRARIES)
@RequiresApi(Build.VERSION_CODES.TIRAMISU) // BPF maps were only mainlined in T
@RequiresPermission(NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK)
public boolean isUidNetworkingBlocked(int uid, boolean isNetworkMetered) {
diff --git a/service/src/com/android/server/BpfNetMaps.java b/service/src/com/android/server/BpfNetMaps.java
index 14ab2a1..f20159c 100644
--- a/service/src/com/android/server/BpfNetMaps.java
+++ b/service/src/com/android/server/BpfNetMaps.java
@@ -25,6 +25,7 @@
import static android.net.BpfNetMapsConstants.DATA_SAVER_ENABLED_MAP_PATH;
import static android.net.BpfNetMapsConstants.HAPPY_BOX_MATCH;
import static android.net.BpfNetMapsConstants.IIF_MATCH;
+import static android.net.BpfNetMapsConstants.INGRESS_DISCARD_MAP_PATH;
import static android.net.BpfNetMapsConstants.LOCKDOWN_VPN_MATCH;
import static android.net.BpfNetMapsConstants.PENALTY_BOX_MATCH;
import static android.net.BpfNetMapsConstants.UID_OWNER_MAP_PATH;
@@ -86,9 +87,12 @@
import com.android.net.module.util.Struct.U8;
import com.android.net.module.util.bpf.CookieTagMapKey;
import com.android.net.module.util.bpf.CookieTagMapValue;
+import com.android.net.module.util.bpf.IngressDiscardKey;
+import com.android.net.module.util.bpf.IngressDiscardValue;
import java.io.FileDescriptor;
import java.io.IOException;
+import java.net.InetAddress;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
@@ -137,6 +141,7 @@
private static IBpfMap<CookieTagMapKey, CookieTagMapValue> sCookieTagMap = null;
// TODO: Add BOOL class and replace U8?
private static IBpfMap<S32, U8> sDataSaverEnabledMap = null;
+ private static IBpfMap<IngressDiscardKey, IngressDiscardValue> sIngressDiscardMap = null;
private static final List<Pair<Integer, String>> PERMISSION_LIST = Arrays.asList(
Pair.create(PERMISSION_INTERNET, "PERMISSION_INTERNET"),
@@ -192,6 +197,15 @@
sDataSaverEnabledMap = dataSaverEnabledMap;
}
+ /**
+ * Set ingressDiscardMap for test.
+ */
+ @VisibleForTesting
+ public static void setIngressDiscardMapForTest(
+ IBpfMap<IngressDiscardKey, IngressDiscardValue> ingressDiscardMap) {
+ sIngressDiscardMap = ingressDiscardMap;
+ }
+
private static IBpfMap<S32, U32> getConfigurationMap() {
try {
return new BpfMap<>(
@@ -237,6 +251,15 @@
}
}
+ private static IBpfMap<IngressDiscardKey, IngressDiscardValue> getIngressDiscardMap() {
+ try {
+ return new BpfMap<>(INGRESS_DISCARD_MAP_PATH, BpfMap.BPF_F_RDWR,
+ IngressDiscardKey.class, IngressDiscardValue.class);
+ } catch (ErrnoException e) {
+ throw new IllegalStateException("Cannot open ingress discard map", e);
+ }
+ }
+
private static void initBpfMaps() {
if (sConfigurationMap == null) {
sConfigurationMap = getConfigurationMap();
@@ -279,6 +302,15 @@
} catch (ErrnoException e) {
throw new IllegalStateException("Failed to initialize data saver configuration", e);
}
+
+ if (sIngressDiscardMap == null) {
+ sIngressDiscardMap = getIngressDiscardMap();
+ }
+ try {
+ sIngressDiscardMap.clear();
+ } catch (ErrnoException e) {
+ throw new IllegalStateException("Failed to initialize ingress discard map", e);
+ }
}
/**
@@ -316,6 +348,13 @@
}
/**
+ * Get interface name
+ */
+ public String getIfName(final int ifIndex) {
+ return Os.if_indextoname(ifIndex);
+ }
+
+ /**
* Call synchronize_rcu()
*/
public int synchronizeKernelRCU() {
@@ -553,7 +592,7 @@
private Set<Integer> asSet(final int[] uids) {
final Set<Integer> uidSet = new ArraySet<>();
- for (final int uid: uids) {
+ for (final int uid : uids) {
uidSet.add(uid);
}
return uidSet;
@@ -957,6 +996,45 @@
}
}
+ /**
+ * Set ingress discard rule
+ *
+ * @param address target address to set the ingress discard rule
+ * @param iface allowed interface
+ */
+ @RequiresApi(Build.VERSION_CODES.TIRAMISU)
+ public void setIngressDiscardRule(final InetAddress address, final String iface) {
+ throwIfPreT("setIngressDiscardRule is not available on pre-T devices");
+ final int ifIndex = mDeps.getIfIndex(iface);
+ if (ifIndex == 0) {
+ Log.e(TAG, "Failed to get if index, skip setting ingress discard rule for " + address
+ + "(" + iface + ")");
+ return;
+ }
+ try {
+ sIngressDiscardMap.updateEntry(new IngressDiscardKey(address),
+ new IngressDiscardValue(ifIndex, ifIndex));
+ } catch (ErrnoException e) {
+ Log.e(TAG, "Failed to set ingress discard rule for " + address + "("
+ + iface + "), " + e);
+ }
+ }
+
+ /**
+ * Remove ingress discard rule
+ *
+ * @param address target address to remove the ingress discard rule
+ */
+ @RequiresApi(Build.VERSION_CODES.TIRAMISU)
+ public void removeIngressDiscardRule(final InetAddress address) {
+ throwIfPreT("removeIngressDiscardRule is not available on pre-T devices");
+ try {
+ sIngressDiscardMap.deleteEntry(new IngressDiscardKey(address));
+ } catch (ErrnoException e) {
+ Log.e(TAG, "Failed to remove ingress discard rule for " + address + ", " + e);
+ }
+ }
+
/** Register callback for statsd to pull atom. */
@RequiresApi(Build.VERSION_CODES.TIRAMISU)
public void setPullAtomCallback(final Context context) {
@@ -1098,7 +1176,10 @@
});
BpfDump.dumpMap(sUidPermissionMap, pw, "sUidPermissionMap",
(uid, permission) -> uid.val + " " + permissionToString(permission.val));
-
+ BpfDump.dumpMap(sIngressDiscardMap, pw, "sIngressDiscardMap",
+ (key, value) -> "[" + key.dstAddr + "]: "
+ + value.iif1 + "(" + mDeps.getIfName(value.iif1) + "), "
+ + value.iif2 + "(" + mDeps.getIfName(value.iif2) + ")");
dumpDataSaverConfig(pw);
pw.decreaseIndent();
}
diff --git a/staticlibs/device/com/android/net/module/util/FeatureVersions.java b/staticlibs/device/com/android/net/module/util/FeatureVersions.java
index 149756c..d5f8124 100644
--- a/staticlibs/device/com/android/net/module/util/FeatureVersions.java
+++ b/staticlibs/device/com/android/net/module/util/FeatureVersions.java
@@ -42,4 +42,10 @@
// M-2023-Sept on July 3rd, 2023.
public static final long FEATURE_CLAT_ADDRESS_TRANSLATE =
NETWORK_STACK_MODULE_ID + 34_09_00_000L;
+
+ // IS_UID_NETWORKING_BLOCKED is a feature in ConnectivityManager,
+ // which provides an API to access BPF maps to check whether the networking is blocked
+ // by BPF for the given uid and conditions, introduced in version M-2024-Feb on Nov 6, 2023.
+ public static final long FEATURE_IS_UID_NETWORKING_BLOCKED =
+ CONNECTIVITY_MODULE_ID + 34_14_00_000L;
}
diff --git a/tests/cts/hostside/app/src/com/android/cts/net/hostside/AbstractRestrictBackgroundNetworkTestCase.java b/tests/cts/hostside/app/src/com/android/cts/net/hostside/AbstractRestrictBackgroundNetworkTestCase.java
index 5893de7..bb32052 100644
--- a/tests/cts/hostside/app/src/com/android/cts/net/hostside/AbstractRestrictBackgroundNetworkTestCase.java
+++ b/tests/cts/hostside/app/src/com/android/cts/net/hostside/AbstractRestrictBackgroundNetworkTestCase.java
@@ -37,6 +37,7 @@
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
+import android.annotation.NonNull;
import android.app.ActivityManager;
import android.app.Instrumentation;
import android.app.NotificationManager;
@@ -438,6 +439,42 @@
}
/**
+ * Asserts whether the network is blocked by accessing bpf maps if command-line tool supports.
+ */
+ void assertNetworkAccessBlockedByBpf(boolean expectBlocked, int uid, boolean metered) {
+ final String result;
+ try {
+ result = executeShellCommand(
+ "cmd network_stack is-uid-networking-blocked " + uid + " " + metered);
+ } catch (AssertionError e) {
+ // If NetworkStack is too old to support this command, ignore and continue
+ // this test to verify other parts.
+ if (e.getMessage().contains("No shell command implementation.")) {
+ return;
+ }
+ throw e;
+ }
+
+ // Tethering module is too old.
+ if (result.contains("API is unsupported")) {
+ return;
+ }
+
+ assertEquals(expectBlocked, parseBooleanOrThrow(result.trim()));
+ }
+
+ /**
+ * Similar to {@link Boolean#parseBoolean} but throws when the input
+ * is unexpected instead of returning false.
+ */
+ private static boolean parseBooleanOrThrow(@NonNull String s) {
+ // Don't use Boolean.parseBoolean
+ if ("true".equalsIgnoreCase(s)) return true;
+ if ("false".equalsIgnoreCase(s)) return false;
+ throw new IllegalArgumentException("Unexpected: " + s);
+ }
+
+ /**
* Checks whether the network is available as expected.
*
* @return error message with the mismatch (or empty if assertion passed).
diff --git a/tests/cts/hostside/app/src/com/android/cts/net/hostside/NetworkCallbackTest.java b/tests/cts/hostside/app/src/com/android/cts/net/hostside/NetworkCallbackTest.java
index 0715e32..ab3cf14 100644
--- a/tests/cts/hostside/app/src/com/android/cts/net/hostside/NetworkCallbackTest.java
+++ b/tests/cts/hostside/app/src/com/android/cts/net/hostside/NetworkCallbackTest.java
@@ -236,16 +236,19 @@
// Enable restrict background
setRestrictBackground(true);
assertBackgroundNetworkAccess(false);
+ assertNetworkAccessBlockedByBpf(true, mUid, true /* metered */);
mTestNetworkCallback.expectBlockedStatusCallbackEventually(mNetwork, true);
// Add to whitelist
addRestrictBackgroundWhitelist(mUid);
assertBackgroundNetworkAccess(true);
+ assertNetworkAccessBlockedByBpf(false, mUid, true /* metered */);
mTestNetworkCallback.expectBlockedStatusCallbackEventually(mNetwork, false);
// Remove from whitelist
removeRestrictBackgroundWhitelist(mUid);
assertBackgroundNetworkAccess(false);
+ assertNetworkAccessBlockedByBpf(true, mUid, true /* metered */);
mTestNetworkCallback.expectBlockedStatusCallbackEventually(mNetwork, true);
} finally {
mMeterednessConfiguration.resetNetworkMeteredness();
@@ -257,11 +260,13 @@
true /* hasCapability */, NET_CAPABILITY_NOT_METERED);
try {
assertBackgroundNetworkAccess(true);
+ assertNetworkAccessBlockedByBpf(false, mUid, false /* metered */);
mTestNetworkCallback.expectBlockedStatusCallbackEventually(mNetwork, false);
// Disable restrict background, should not trigger callback
setRestrictBackground(false);
assertBackgroundNetworkAccess(true);
+ assertNetworkAccessBlockedByBpf(false, mUid, false /* metered */);
} finally {
mMeterednessConfiguration.resetNetworkMeteredness();
}
@@ -275,11 +280,13 @@
setBatterySaverMode(true);
assertBackgroundNetworkAccess(false);
mTestNetworkCallback.expectBlockedStatusCallbackEventually(mNetwork, true);
+ assertNetworkAccessBlockedByBpf(true, mUid, true /* metered */);
// Disable Power Saver
setBatterySaverMode(false);
assertBackgroundNetworkAccess(true);
mTestNetworkCallback.expectBlockedStatusCallbackEventually(mNetwork, false);
+ assertNetworkAccessBlockedByBpf(false, mUid, true /* metered */);
} finally {
mMeterednessConfiguration.resetNetworkMeteredness();
}
@@ -293,11 +300,13 @@
setBatterySaverMode(true);
assertBackgroundNetworkAccess(false);
mTestNetworkCallback.expectBlockedStatusCallbackEventually(mNetwork, true);
+ assertNetworkAccessBlockedByBpf(true, mUid, false /* metered */);
// Disable Power Saver
setBatterySaverMode(false);
assertBackgroundNetworkAccess(true);
mTestNetworkCallback.expectBlockedStatusCallbackEventually(mNetwork, false);
+ assertNetworkAccessBlockedByBpf(false, mUid, false /* metered */);
} finally {
mMeterednessConfiguration.resetNetworkMeteredness();
}
diff --git a/tests/unit/java/com/android/server/BpfNetMapsTest.java b/tests/unit/java/com/android/server/BpfNetMapsTest.java
index 1dfc8c0..1e08fcc 100644
--- a/tests/unit/java/com/android/server/BpfNetMapsTest.java
+++ b/tests/unit/java/com/android/server/BpfNetMapsTest.java
@@ -71,6 +71,7 @@
import android.content.Context;
import android.net.BpfNetMapsUtils;
import android.net.INetd;
+import android.net.InetAddresses;
import android.net.UidOwnerValue;
import android.os.Build;
import android.os.ServiceSpecificException;
@@ -87,6 +88,8 @@
import com.android.net.module.util.Struct.U8;
import com.android.net.module.util.bpf.CookieTagMapKey;
import com.android.net.module.util.bpf.CookieTagMapValue;
+import com.android.net.module.util.bpf.IngressDiscardKey;
+import com.android.net.module.util.bpf.IngressDiscardValue;
import com.android.testutils.DevSdkIgnoreRule;
import com.android.testutils.DevSdkIgnoreRule.IgnoreAfter;
import com.android.testutils.DevSdkIgnoreRule.IgnoreUpTo;
@@ -102,6 +105,8 @@
import java.io.FileDescriptor;
import java.io.StringWriter;
+import java.net.Inet4Address;
+import java.net.Inet6Address;
import java.util.ArrayList;
import java.util.List;
@@ -120,6 +125,10 @@
private static final int TEST_IF_INDEX = 7;
private static final int NO_IIF = 0;
private static final int NULL_IIF = 0;
+ private static final Inet4Address TEST_V4_ADDRESS =
+ (Inet4Address) InetAddresses.parseNumericAddress("192.0.2.1");
+ private static final Inet6Address TEST_V6_ADDRESS =
+ (Inet6Address) InetAddresses.parseNumericAddress("2001:db8::1");
private static final String CHAINNAME = "fw_dozable";
private static final long STATS_SELECT_MAP_A = 0;
@@ -143,11 +152,14 @@
private final IBpfMap<CookieTagMapKey, CookieTagMapValue> mCookieTagMap =
spy(new TestBpfMap<>(CookieTagMapKey.class, CookieTagMapValue.class));
private final IBpfMap<S32, U8> mDataSaverEnabledMap = new TestBpfMap<>(S32.class, U8.class);
+ private final IBpfMap<IngressDiscardKey, IngressDiscardValue> mIngressDiscardMap =
+ new TestBpfMap<>(IngressDiscardKey.class, IngressDiscardValue.class);
@Before
public void setUp() throws Exception {
MockitoAnnotations.initMocks(this);
doReturn(TEST_IF_INDEX).when(mDeps).getIfIndex(TEST_IF_NAME);
+ doReturn(TEST_IF_NAME).when(mDeps).getIfName(TEST_IF_INDEX);
doReturn(0).when(mDeps).synchronizeKernelRCU();
BpfNetMaps.setEnableJavaBpfMapForTest(true /* enable */);
BpfNetMaps.setConfigurationMapForTest(mConfigurationMap);
@@ -159,6 +171,7 @@
BpfNetMaps.setCookieTagMapForTest(mCookieTagMap);
BpfNetMaps.setDataSaverEnabledMapForTest(mDataSaverEnabledMap);
mDataSaverEnabledMap.updateEntry(DATA_SAVER_ENABLED_KEY, new U8(DATA_SAVER_DISABLED));
+ BpfNetMaps.setIngressDiscardMapForTest(mIngressDiscardMap);
mBpfNetMaps = new BpfNetMaps(mContext, mNetd, mDeps);
}
@@ -1206,7 +1219,7 @@
@Test
@IgnoreAfter(Build.VERSION_CODES.S_V2)
public void testSetDataSaverEnabledBeforeT() {
- for (boolean enable : new boolean[] {true, false}) {
+ for (boolean enable : new boolean[]{true, false}) {
assertThrows(UnsupportedOperationException.class,
() -> mBpfNetMaps.setDataSaverEnabled(enable));
}
@@ -1215,10 +1228,60 @@
@Test
@IgnoreUpTo(Build.VERSION_CODES.S_V2)
public void testSetDataSaverEnabled() throws Exception {
- for (boolean enable : new boolean[] {true, false}) {
+ for (boolean enable : new boolean[]{true, false}) {
mBpfNetMaps.setDataSaverEnabled(enable);
assertEquals(enable ? DATA_SAVER_ENABLED : DATA_SAVER_DISABLED,
- mDataSaverEnabledMap.getValue(DATA_SAVER_ENABLED_KEY).val);
+ mDataSaverEnabledMap.getValue(DATA_SAVER_ENABLED_KEY).val);
}
}
+
+ @Test
+ @IgnoreUpTo(Build.VERSION_CODES.S_V2)
+ public void testSetIngressDiscardRule_V4address() throws Exception {
+ mBpfNetMaps.setIngressDiscardRule(TEST_V4_ADDRESS, TEST_IF_NAME);
+ final IngressDiscardValue val = mIngressDiscardMap.getValue(new IngressDiscardKey(
+ TEST_V4_ADDRESS));
+ assertEquals(TEST_IF_INDEX, val.iif1);
+ assertEquals(TEST_IF_INDEX, val.iif2);
+ }
+
+ @Test
+ @IgnoreUpTo(Build.VERSION_CODES.S_V2)
+ public void testSetIngressDiscardRule_V6address() throws Exception {
+ mBpfNetMaps.setIngressDiscardRule(TEST_V6_ADDRESS, TEST_IF_NAME);
+ final IngressDiscardValue val =
+ mIngressDiscardMap.getValue(new IngressDiscardKey(TEST_V6_ADDRESS));
+ assertEquals(TEST_IF_INDEX, val.iif1);
+ assertEquals(TEST_IF_INDEX, val.iif2);
+ }
+
+ @Test
+ @IgnoreUpTo(Build.VERSION_CODES.S_V2)
+ public void testRemoveIngressDiscardRule() throws Exception {
+ mBpfNetMaps.setIngressDiscardRule(TEST_V4_ADDRESS, TEST_IF_NAME);
+ mBpfNetMaps.setIngressDiscardRule(TEST_V6_ADDRESS, TEST_IF_NAME);
+ final IngressDiscardKey v4Key = new IngressDiscardKey(TEST_V4_ADDRESS);
+ final IngressDiscardKey v6Key = new IngressDiscardKey(TEST_V6_ADDRESS);
+ assertTrue(mIngressDiscardMap.containsKey(v4Key));
+ assertTrue(mIngressDiscardMap.containsKey(v6Key));
+
+ mBpfNetMaps.removeIngressDiscardRule(TEST_V4_ADDRESS);
+ assertFalse(mIngressDiscardMap.containsKey(v4Key));
+ assertTrue(mIngressDiscardMap.containsKey(v6Key));
+
+ mBpfNetMaps.removeIngressDiscardRule(TEST_V6_ADDRESS);
+ assertFalse(mIngressDiscardMap.containsKey(v4Key));
+ assertFalse(mIngressDiscardMap.containsKey(v6Key));
+ }
+
+ @Test
+ @IgnoreUpTo(Build.VERSION_CODES.S_V2)
+ public void testDumpIngressDiscardRule() throws Exception {
+ mBpfNetMaps.setIngressDiscardRule(TEST_V4_ADDRESS, TEST_IF_NAME);
+ mBpfNetMaps.setIngressDiscardRule(TEST_V6_ADDRESS, TEST_IF_NAME);
+ final String dump = getDump();
+ assertDumpContains(dump, TEST_V4_ADDRESS.getHostAddress());
+ assertDumpContains(dump, TEST_V6_ADDRESS.getHostAddress());
+ assertDumpContains(dump, TEST_IF_INDEX + "(" + TEST_IF_NAME + ")");
+ }
}