Merge "Remove @IgnoreUpTo(Q) annotation and isAtLeastR() check" into main
diff --git a/OWNERS b/OWNERS
index 649efda..b2176cc 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,3 +1,4 @@
+# Bug component: 31808
set noparent
file:platform/packages/modules/Connectivity:main:/OWNERS_core_networking
diff --git a/Tethering/tests/integration/base/android/net/EthernetTetheringTestBase.java b/Tethering/tests/integration/base/android/net/EthernetTetheringTestBase.java
index 0702aa7..1c4a662 100644
--- a/Tethering/tests/integration/base/android/net/EthernetTetheringTestBase.java
+++ b/Tethering/tests/integration/base/android/net/EthernetTetheringTestBase.java
@@ -366,6 +366,11 @@
private volatile Collection<TetheredClient> mClients = null;
private volatile Network mUpstream = null;
+ // The dnsmasq in R might block netd for 20 seconds, which can also block tethering
+ // enable/disable for 20 seconds. To fix this, changing the timeouts from 5 seconds to 30
+ // seconds. See b/289881008.
+ private static final int EXPANDED_TIMEOUT_MS = 30000;
+
MyTetheringEventCallback(TetheringManager tm, String iface) {
this(tm, iface, null);
mAcceptAnyUpstream = true;
@@ -424,13 +429,13 @@
}
public void awaitInterfaceTethered() throws Exception {
- assertTrue("Ethernet not tethered after " + TIMEOUT_MS + "ms",
- mTetheringStartedLatch.await(TIMEOUT_MS, TimeUnit.MILLISECONDS));
+ assertTrue("Ethernet not tethered after " + EXPANDED_TIMEOUT_MS + "ms",
+ mTetheringStartedLatch.await(EXPANDED_TIMEOUT_MS, TimeUnit.MILLISECONDS));
}
public void awaitInterfaceLocalOnly() throws Exception {
- assertTrue("Ethernet not local-only after " + TIMEOUT_MS + "ms",
- mLocalOnlyStartedLatch.await(TIMEOUT_MS, TimeUnit.MILLISECONDS));
+ assertTrue("Ethernet not local-only after " + EXPANDED_TIMEOUT_MS + "ms",
+ mLocalOnlyStartedLatch.await(EXPANDED_TIMEOUT_MS, TimeUnit.MILLISECONDS));
}
// Used to check if the callback has registered. When the callback is registered,
@@ -444,8 +449,9 @@
}
public void awaitCallbackRegistered() throws Exception {
- if (!mCallbackRegisteredLatch.await(TIMEOUT_MS, TimeUnit.MILLISECONDS)) {
- fail("Did not receive callback registered signal after " + TIMEOUT_MS + "ms");
+ if (!mCallbackRegisteredLatch.await(EXPANDED_TIMEOUT_MS, TimeUnit.MILLISECONDS)) {
+ fail("Did not receive callback registered signal after " + EXPANDED_TIMEOUT_MS
+ + "ms");
}
}
@@ -457,11 +463,11 @@
if (!mInterfaceWasTethered && !mInterfaceWasLocalOnly) return;
if (mInterfaceWasTethered) {
- assertTrue(mIface + " not untethered after " + TIMEOUT_MS + "ms",
- mTetheringStoppedLatch.await(TIMEOUT_MS, TimeUnit.MILLISECONDS));
+ assertTrue(mIface + " not untethered after " + EXPANDED_TIMEOUT_MS + "ms",
+ mTetheringStoppedLatch.await(EXPANDED_TIMEOUT_MS, TimeUnit.MILLISECONDS));
} else if (mInterfaceWasLocalOnly) {
- assertTrue(mIface + " not untethered after " + TIMEOUT_MS + "ms",
- mLocalOnlyStoppedLatch.await(TIMEOUT_MS, TimeUnit.MILLISECONDS));
+ assertTrue(mIface + " not untethered after " + EXPANDED_TIMEOUT_MS + "ms",
+ mLocalOnlyStoppedLatch.await(EXPANDED_TIMEOUT_MS, TimeUnit.MILLISECONDS));
} else {
fail(mIface + " cannot be both tethered and local-only. Update this test class.");
}
@@ -488,8 +494,9 @@
}
public Collection<TetheredClient> awaitClientConnected() throws Exception {
- assertTrue("Did not receive client connected callback after " + TIMEOUT_MS + "ms",
- mClientConnectedLatch.await(TIMEOUT_MS, TimeUnit.MILLISECONDS));
+ assertTrue("Did not receive client connected callback after "
+ + EXPANDED_TIMEOUT_MS + "ms",
+ mClientConnectedLatch.await(EXPANDED_TIMEOUT_MS, TimeUnit.MILLISECONDS));
return mClients;
}
@@ -506,10 +513,10 @@
}
public Network awaitUpstreamChanged(boolean throwTimeoutException) throws Exception {
- if (!mUpstreamLatch.await(TIMEOUT_MS, TimeUnit.MILLISECONDS)) {
+ if (!mUpstreamLatch.await(EXPANDED_TIMEOUT_MS, TimeUnit.MILLISECONDS)) {
final String errorMessage = "Did not receive upstream "
+ (mAcceptAnyUpstream ? "any" : mExpectedUpstream)
- + " callback after " + TIMEOUT_MS + "ms";
+ + " callback after " + EXPANDED_TIMEOUT_MS + "ms";
if (throwTimeoutException) {
throw new TimeoutException(errorMessage);
diff --git a/Tethering/tests/integration/src/android/net/EthernetTetheringTest.java b/Tethering/tests/integration/src/android/net/EthernetTetheringTest.java
index 076fde3..4949eaa 100644
--- a/Tethering/tests/integration/src/android/net/EthernetTetheringTest.java
+++ b/Tethering/tests/integration/src/android/net/EthernetTetheringTest.java
@@ -47,7 +47,7 @@
import android.util.Log;
import androidx.annotation.NonNull;
-import androidx.test.filters.MediumTest;
+import androidx.test.filters.LargeTest;
import androidx.test.runner.AndroidJUnit4;
import com.android.net.module.util.Ipv6Utils;
@@ -79,7 +79,7 @@
import java.util.concurrent.TimeoutException;
@RunWith(AndroidJUnit4.class)
-@MediumTest
+@LargeTest
public class EthernetTetheringTest extends EthernetTetheringTestBase {
@Rule
public final DevSdkIgnoreRule mIgnoreRule = new DevSdkIgnoreRule();
diff --git a/common/flags.aconfig b/common/flags.aconfig
index 7235202..0c46b48 100644
--- a/common/flags.aconfig
+++ b/common/flags.aconfig
@@ -27,3 +27,10 @@
description: "Set data saver through ConnectivityManager API"
bug: "297836825"
}
+
+flag {
+ name: "support_is_uid_networking_blocked"
+ namespace: "android_core_networking"
+ description: "This flag controls whether isUidNetworkingBlocked is supported"
+ bug: "297836825"
+}
diff --git a/common/src/com/android/net/module/util/bpf/IngressDiscardKey.java b/common/src/com/android/net/module/util/bpf/IngressDiscardKey.java
index eabcf3c..9fefb52 100644
--- a/common/src/com/android/net/module/util/bpf/IngressDiscardKey.java
+++ b/common/src/com/android/net/module/util/bpf/IngressDiscardKey.java
@@ -16,9 +16,12 @@
package com.android.net.module.util.bpf;
+import com.android.net.module.util.InetAddressUtils;
import com.android.net.module.util.Struct;
+import java.net.Inet4Address;
import java.net.Inet6Address;
+import java.net.InetAddress;
/** Key type for ingress discard map */
public class IngressDiscardKey extends Struct {
@@ -29,4 +32,14 @@
public IngressDiscardKey(final Inet6Address dstAddr) {
this.dstAddr = dstAddr;
}
+
+ private static Inet6Address getInet6Address(final InetAddress addr) {
+ return (addr instanceof Inet4Address)
+ ? InetAddressUtils.v4MappedV6Address((Inet4Address) addr)
+ : (Inet6Address) addr;
+ }
+
+ public IngressDiscardKey(final InetAddress dstAddr) {
+ this(getInet6Address(dstAddr));
+ }
}
diff --git a/framework/api/module-lib-current.txt b/framework/api/module-lib-current.txt
index 782e20a..4d55067 100644
--- a/framework/api/module-lib-current.txt
+++ b/framework/api/module-lib-current.txt
@@ -14,6 +14,7 @@
method @NonNull public static android.util.Range<java.lang.Integer> getIpSecNetIdRange();
method @Nullable @RequiresPermission(anyOf={android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK, android.Manifest.permission.NETWORK_STACK, android.Manifest.permission.NETWORK_SETTINGS}) public android.net.LinkProperties getRedactedLinkPropertiesForPackage(@NonNull android.net.LinkProperties, int, @NonNull String);
method @Nullable @RequiresPermission(anyOf={android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK, android.Manifest.permission.NETWORK_STACK, android.Manifest.permission.NETWORK_SETTINGS}) public android.net.NetworkCapabilities getRedactedNetworkCapabilitiesForPackage(@NonNull android.net.NetworkCapabilities, int, @NonNull String);
+ method @FlaggedApi("com.android.net.flags.support_is_uid_networking_blocked") @RequiresPermission(android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK) public boolean isUidNetworkingBlocked(int, boolean);
method @RequiresPermission(anyOf={android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK, android.Manifest.permission.NETWORK_SETTINGS}) public void registerDefaultNetworkCallbackForUid(int, @NonNull android.net.ConnectivityManager.NetworkCallback, @NonNull android.os.Handler);
method @RequiresPermission(anyOf={android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK, android.Manifest.permission.NETWORK_SETTINGS, android.Manifest.permission.NETWORK_SETUP_WIZARD, android.Manifest.permission.CONNECTIVITY_USE_RESTRICTED_NETWORKS}) public void registerSystemDefaultNetworkCallback(@NonNull android.net.ConnectivityManager.NetworkCallback, @NonNull android.os.Handler);
method @RequiresPermission(anyOf={android.Manifest.permission.NETWORK_SETTINGS, android.Manifest.permission.NETWORK_STACK, android.net.NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK}) public void removeUidFromMeteredNetworkAllowList(int);
diff --git a/framework/jarjar-excludes.txt b/framework/jarjar-excludes.txt
index bc3c8d1..bd513d2 100644
--- a/framework/jarjar-excludes.txt
+++ b/framework/jarjar-excludes.txt
@@ -37,9 +37,3 @@
# This is required since android.net.http contains api classes and hidden classes.
# TODO: Remove this after hidden classes are moved to different package
android\.net\.http\..+
-
-# TODO: OffloadServiceInfo is being added as an API, but wasn't an API yet in the first module
-# versions targeting U. Do not jarjar it such versions so that tests do not have to cover both
-# cases. This will be removed in an upcoming change marking it as API.
-android\.net\.nsd\.OffloadServiceInfo(\$.+)?
-android\.net\.nsd\.OffloadEngine(\$.+)?
diff --git a/framework/src/android/net/BpfNetMapsConstants.java b/framework/src/android/net/BpfNetMapsConstants.java
index 8086809..c784597 100644
--- a/framework/src/android/net/BpfNetMapsConstants.java
+++ b/framework/src/android/net/BpfNetMapsConstants.java
@@ -54,6 +54,8 @@
"/sys/fs/bpf/netd_shared/map_netd_cookie_tag_map";
public static final String DATA_SAVER_ENABLED_MAP_PATH =
"/sys/fs/bpf/netd_shared/map_netd_data_saver_enabled_map";
+ public static final String INGRESS_DISCARD_MAP_PATH =
+ "/sys/fs/bpf/netd_shared/map_netd_ingress_discard_map";
public static final Struct.S32 UID_RULES_CONFIGURATION_KEY = new Struct.S32(0);
public static final Struct.S32 CURRENT_STATS_MAP_CONFIGURATION_KEY = new Struct.S32(1);
public static final Struct.S32 DATA_SAVER_ENABLED_KEY = new Struct.S32(0);
diff --git a/framework/src/android/net/ConnectivityManager.java b/framework/src/android/net/ConnectivityManager.java
index f44fd0e..eb8f8c3 100644
--- a/framework/src/android/net/ConnectivityManager.java
+++ b/framework/src/android/net/ConnectivityManager.java
@@ -133,6 +133,8 @@
public static class Flags {
static final String SET_DATA_SAVER_VIA_CM =
"com.android.net.flags.set_data_saver_via_cm";
+ static final String SUPPORT_IS_UID_NETWORKING_BLOCKED =
+ "com.android.net.flags.support_is_uid_networking_blocked";
}
/**
@@ -6311,8 +6313,8 @@
// is provided by linux file group permission AID_NET_BW_ACCT and the
// selinux context fs_bpf_net*.
// Only the system server process and the network stack have access.
- // TODO: Expose api when ready.
- // @SystemApi(client = MODULE_LIBRARIES)
+ @FlaggedApi(Flags.SUPPORT_IS_UID_NETWORKING_BLOCKED)
+ @SystemApi(client = MODULE_LIBRARIES)
@RequiresApi(Build.VERSION_CODES.TIRAMISU) // BPF maps were only mainlined in T
@RequiresPermission(NetworkStack.PERMISSION_MAINLINE_NETWORK_STACK)
public boolean isUidNetworkingBlocked(int uid, boolean isNetworkMetered) {
diff --git a/service/src/com/android/server/BpfNetMaps.java b/service/src/com/android/server/BpfNetMaps.java
index 14ab2a1..f20159c 100644
--- a/service/src/com/android/server/BpfNetMaps.java
+++ b/service/src/com/android/server/BpfNetMaps.java
@@ -25,6 +25,7 @@
import static android.net.BpfNetMapsConstants.DATA_SAVER_ENABLED_MAP_PATH;
import static android.net.BpfNetMapsConstants.HAPPY_BOX_MATCH;
import static android.net.BpfNetMapsConstants.IIF_MATCH;
+import static android.net.BpfNetMapsConstants.INGRESS_DISCARD_MAP_PATH;
import static android.net.BpfNetMapsConstants.LOCKDOWN_VPN_MATCH;
import static android.net.BpfNetMapsConstants.PENALTY_BOX_MATCH;
import static android.net.BpfNetMapsConstants.UID_OWNER_MAP_PATH;
@@ -86,9 +87,12 @@
import com.android.net.module.util.Struct.U8;
import com.android.net.module.util.bpf.CookieTagMapKey;
import com.android.net.module.util.bpf.CookieTagMapValue;
+import com.android.net.module.util.bpf.IngressDiscardKey;
+import com.android.net.module.util.bpf.IngressDiscardValue;
import java.io.FileDescriptor;
import java.io.IOException;
+import java.net.InetAddress;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
@@ -137,6 +141,7 @@
private static IBpfMap<CookieTagMapKey, CookieTagMapValue> sCookieTagMap = null;
// TODO: Add BOOL class and replace U8?
private static IBpfMap<S32, U8> sDataSaverEnabledMap = null;
+ private static IBpfMap<IngressDiscardKey, IngressDiscardValue> sIngressDiscardMap = null;
private static final List<Pair<Integer, String>> PERMISSION_LIST = Arrays.asList(
Pair.create(PERMISSION_INTERNET, "PERMISSION_INTERNET"),
@@ -192,6 +197,15 @@
sDataSaverEnabledMap = dataSaverEnabledMap;
}
+ /**
+ * Set ingressDiscardMap for test.
+ */
+ @VisibleForTesting
+ public static void setIngressDiscardMapForTest(
+ IBpfMap<IngressDiscardKey, IngressDiscardValue> ingressDiscardMap) {
+ sIngressDiscardMap = ingressDiscardMap;
+ }
+
private static IBpfMap<S32, U32> getConfigurationMap() {
try {
return new BpfMap<>(
@@ -237,6 +251,15 @@
}
}
+ private static IBpfMap<IngressDiscardKey, IngressDiscardValue> getIngressDiscardMap() {
+ try {
+ return new BpfMap<>(INGRESS_DISCARD_MAP_PATH, BpfMap.BPF_F_RDWR,
+ IngressDiscardKey.class, IngressDiscardValue.class);
+ } catch (ErrnoException e) {
+ throw new IllegalStateException("Cannot open ingress discard map", e);
+ }
+ }
+
private static void initBpfMaps() {
if (sConfigurationMap == null) {
sConfigurationMap = getConfigurationMap();
@@ -279,6 +302,15 @@
} catch (ErrnoException e) {
throw new IllegalStateException("Failed to initialize data saver configuration", e);
}
+
+ if (sIngressDiscardMap == null) {
+ sIngressDiscardMap = getIngressDiscardMap();
+ }
+ try {
+ sIngressDiscardMap.clear();
+ } catch (ErrnoException e) {
+ throw new IllegalStateException("Failed to initialize ingress discard map", e);
+ }
}
/**
@@ -316,6 +348,13 @@
}
/**
+ * Get interface name
+ */
+ public String getIfName(final int ifIndex) {
+ return Os.if_indextoname(ifIndex);
+ }
+
+ /**
* Call synchronize_rcu()
*/
public int synchronizeKernelRCU() {
@@ -553,7 +592,7 @@
private Set<Integer> asSet(final int[] uids) {
final Set<Integer> uidSet = new ArraySet<>();
- for (final int uid: uids) {
+ for (final int uid : uids) {
uidSet.add(uid);
}
return uidSet;
@@ -957,6 +996,45 @@
}
}
+ /**
+ * Set ingress discard rule
+ *
+ * @param address target address to set the ingress discard rule
+ * @param iface allowed interface
+ */
+ @RequiresApi(Build.VERSION_CODES.TIRAMISU)
+ public void setIngressDiscardRule(final InetAddress address, final String iface) {
+ throwIfPreT("setIngressDiscardRule is not available on pre-T devices");
+ final int ifIndex = mDeps.getIfIndex(iface);
+ if (ifIndex == 0) {
+ Log.e(TAG, "Failed to get if index, skip setting ingress discard rule for " + address
+ + "(" + iface + ")");
+ return;
+ }
+ try {
+ sIngressDiscardMap.updateEntry(new IngressDiscardKey(address),
+ new IngressDiscardValue(ifIndex, ifIndex));
+ } catch (ErrnoException e) {
+ Log.e(TAG, "Failed to set ingress discard rule for " + address + "("
+ + iface + "), " + e);
+ }
+ }
+
+ /**
+ * Remove ingress discard rule
+ *
+ * @param address target address to remove the ingress discard rule
+ */
+ @RequiresApi(Build.VERSION_CODES.TIRAMISU)
+ public void removeIngressDiscardRule(final InetAddress address) {
+ throwIfPreT("removeIngressDiscardRule is not available on pre-T devices");
+ try {
+ sIngressDiscardMap.deleteEntry(new IngressDiscardKey(address));
+ } catch (ErrnoException e) {
+ Log.e(TAG, "Failed to remove ingress discard rule for " + address + ", " + e);
+ }
+ }
+
/** Register callback for statsd to pull atom. */
@RequiresApi(Build.VERSION_CODES.TIRAMISU)
public void setPullAtomCallback(final Context context) {
@@ -1098,7 +1176,10 @@
});
BpfDump.dumpMap(sUidPermissionMap, pw, "sUidPermissionMap",
(uid, permission) -> uid.val + " " + permissionToString(permission.val));
-
+ BpfDump.dumpMap(sIngressDiscardMap, pw, "sIngressDiscardMap",
+ (key, value) -> "[" + key.dstAddr + "]: "
+ + value.iif1 + "(" + mDeps.getIfName(value.iif1) + "), "
+ + value.iif2 + "(" + mDeps.getIfName(value.iif2) + ")");
dumpDataSaverConfig(pw);
pw.decreaseIndent();
}
diff --git a/service/src/com/android/server/ConnectivityService.java b/service/src/com/android/server/ConnectivityService.java
index 3dc5692..50b4134 100755
--- a/service/src/com/android/server/ConnectivityService.java
+++ b/service/src/com/android/server/ConnectivityService.java
@@ -4183,7 +4183,7 @@
}
case NetworkAgent.EVENT_LOCAL_NETWORK_CONFIG_CHANGED: {
final LocalNetworkConfig config = (LocalNetworkConfig) arg.second;
- updateLocalNetworkConfig(nai, config);
+ updateLocalNetworkConfig(nai, nai.localNetworkConfig, config);
break;
}
case NetworkAgent.EVENT_NETWORK_SCORE_CHANGED: {
@@ -4944,6 +4944,17 @@
mDefaultInetConditionPublished = 0;
}
notifyIfacesChangedForNetworkStats();
+ // If this was a local network forwarded to some upstream, or if some local network was
+ // forwarded to this nai, then disable forwarding rules now.
+ maybeDisableForwardRulesForDisconnectingNai(nai);
+ // If this is a local network with an upstream selector, remove the associated network
+ // request.
+ if (nai.isLocalNetwork()) {
+ final NetworkRequest selector = nai.localNetworkConfig.getUpstreamSelector();
+ if (null != selector) {
+ handleRemoveNetworkRequest(mNetworkRequests.get(selector));
+ }
+ }
// TODO - we shouldn't send CALLBACK_LOST to requests that can be satisfied
// by other networks that are already connected. Perhaps that can be done by
// sending all CALLBACK_LOST messages (for requests, not listens) at the end
@@ -5057,6 +5068,48 @@
mNetIdManager.releaseNetId(nai.network.getNetId());
}
+ private void maybeDisableForwardRulesForDisconnectingNai(
+ @NonNull final NetworkAgentInfo disconnecting) {
+ // Step 1 : maybe this network was the upstream for one or more local networks.
+ for (final NetworkAgentInfo local : mNetworkAgentInfos) {
+ if (!local.isLocalNetwork()) continue;
+ final NetworkRequest selector = local.localNetworkConfig.getUpstreamSelector();
+ if (null == selector) continue;
+ final NetworkRequestInfo nri = mNetworkRequests.get(selector);
+ // null == nri can happen while disconnecting a network, because destroyNetwork() is
+ // called after removing all associated NRIs from mNetworkRequests.
+ if (null == nri) continue;
+ final NetworkAgentInfo satisfier = nri.getSatisfier();
+ if (disconnecting != satisfier) continue;
+ removeLocalNetworkUpstream(local, disconnecting);
+ }
+
+ // Step 2 : maybe this is a local network that had an upstream.
+ if (!disconnecting.isLocalNetwork()) return;
+ final NetworkRequest selector = disconnecting.localNetworkConfig.getUpstreamSelector();
+ if (null == selector) return;
+ final NetworkRequestInfo nri = mNetworkRequests.get(selector);
+ // As above null == nri can happen while disconnecting a network, because destroyNetwork()
+ // is called after removing all associated NRIs from mNetworkRequests.
+ if (null == nri) return;
+ final NetworkAgentInfo satisfier = nri.getSatisfier();
+ if (null == satisfier) return;
+ removeLocalNetworkUpstream(disconnecting, satisfier);
+ }
+
+ private void removeLocalNetworkUpstream(@NonNull final NetworkAgentInfo localAgent,
+ @NonNull final NetworkAgentInfo upstream) {
+ try {
+ mRoutingCoordinatorService.removeInterfaceForward(
+ localAgent.linkProperties.getInterfaceName(),
+ upstream.linkProperties.getInterfaceName());
+ } catch (RemoteException e) {
+ loge("Couldn't remove interface forward for "
+ + localAgent.linkProperties.getInterfaceName() + " to "
+ + upstream.linkProperties.getInterfaceName() + " while disconnecting");
+ }
+ }
+
private boolean createNativeNetwork(@NonNull NetworkAgentInfo nai) {
try {
// This should never fail. Specifying an already in use NetID will cause failure.
@@ -5071,10 +5124,9 @@
!nai.networkAgentConfig.allowBypass /* secure */,
getVpnType(nai), nai.networkAgentConfig.excludeLocalRouteVpn);
} else {
- final boolean hasLocalCap =
- nai.networkCapabilities.hasCapability(NET_CAPABILITY_LOCAL_NETWORK);
config = new NativeNetworkConfig(nai.network.getNetId(),
- hasLocalCap ? NativeNetworkType.PHYSICAL_LOCAL : NativeNetworkType.PHYSICAL,
+ nai.isLocalNetwork() ? NativeNetworkType.PHYSICAL_LOCAL
+ : NativeNetworkType.PHYSICAL,
getNetworkPermission(nai.networkCapabilities),
false /* secure */,
VpnManager.TYPE_VPN_NONE,
@@ -5095,6 +5147,9 @@
if (mDscpPolicyTracker != null) {
mDscpPolicyTracker.removeAllDscpPolicies(nai, false);
}
+ // Remove any forwarding rules to and from the interface for this network, since
+ // the interface is going to go away.
+ maybeDisableForwardRulesForDisconnectingNai(nai);
try {
mNetd.networkDestroy(nai.network.getNetId());
} catch (RemoteException | ServiceSpecificException e) {
@@ -8264,6 +8319,9 @@
e.rethrowAsRuntimeException();
}
+ if (nai.isLocalNetwork()) {
+ updateLocalNetworkConfig(nai, null /* oldConfig */, nai.localNetworkConfig);
+ }
nai.notifyRegistered();
NetworkInfo networkInfo = nai.networkInfo;
updateNetworkInfo(nai, networkInfo);
@@ -8929,14 +8987,67 @@
updateCapabilities(nai.getScore(), nai, nai.networkCapabilities);
}
+ // oldConfig is null iff this is the original registration of the local network config
private void updateLocalNetworkConfig(@NonNull final NetworkAgentInfo nai,
- @NonNull final LocalNetworkConfig config) {
- if (!nai.networkCapabilities.hasCapability(NET_CAPABILITY_LOCAL_NETWORK)) {
+ @Nullable final LocalNetworkConfig oldConfig,
+ @NonNull final LocalNetworkConfig newConfig) {
+ if (!nai.isLocalNetwork()) {
Log.wtf(TAG, "Ignoring update of a local network info on non-local network " + nai);
return;
}
- // TODO : actually apply the diff.
- nai.localNetworkConfig = config;
+
+ final LocalNetworkConfig.Builder configBuilder = new LocalNetworkConfig.Builder();
+ // TODO : apply the diff for multicast routing.
+ configBuilder.setUpstreamMulticastRoutingConfig(
+ newConfig.getUpstreamMulticastRoutingConfig());
+ configBuilder.setDownstreamMulticastRoutingConfig(
+ newConfig.getDownstreamMulticastRoutingConfig());
+
+ final NetworkRequest oldRequest =
+ (null == oldConfig) ? null : oldConfig.getUpstreamSelector();
+ final NetworkCapabilities oldCaps =
+ (null == oldRequest) ? null : oldRequest.networkCapabilities;
+ final NetworkRequestInfo oldNri =
+ null == oldRequest ? null : mNetworkRequests.get(oldRequest);
+ final NetworkAgentInfo oldSatisfier =
+ null == oldNri ? null : oldNri.getSatisfier();
+ final NetworkRequest newRequest = newConfig.getUpstreamSelector();
+ final NetworkCapabilities newCaps =
+ (null == newRequest) ? null : newRequest.networkCapabilities;
+ final boolean requestUpdated = !Objects.equals(newCaps, oldCaps);
+ if (null != oldRequest && requestUpdated) {
+ handleRemoveNetworkRequest(mNetworkRequests.get(oldRequest));
+ if (null == newRequest && null != oldSatisfier) {
+ // If there is an old satisfier, but no new request, then remove the old upstream.
+ removeLocalNetworkUpstream(nai, oldSatisfier);
+ nai.localNetworkConfig = configBuilder.build();
+ return;
+ }
+ }
+ if (null != newRequest && requestUpdated) {
+ // File the new request if :
+ // - it has changed (requestUpdated), or
+ // - it's the first time this local info (null == oldConfig)
+ // is updated and the request has not been filed yet.
+ // Requests for local info are always LISTEN_FOR_BEST, because they have at most one
+ // upstream (the best) but never request it to be brought up.
+ final NetworkRequest nr = new NetworkRequest(newCaps, ConnectivityManager.TYPE_NONE,
+ nextNetworkRequestId(), LISTEN_FOR_BEST);
+ configBuilder.setUpstreamSelector(nr);
+ final NetworkRequestInfo nri = new NetworkRequestInfo(
+ nai.creatorUid, nr, null /* messenger */, null /* binder */,
+ 0 /* callbackFlags */, null /* attributionTag */);
+ if (null != oldSatisfier) {
+ // Set the old satisfier in the new NRI so that the rematch will see any changes
+ nri.setSatisfier(oldSatisfier, nr);
+ }
+ nai.localNetworkConfig = configBuilder.build();
+ handleRegisterNetworkRequest(nri);
+ } else {
+ configBuilder.setUpstreamSelector(oldRequest);
+ nai.localNetworkConfig = configBuilder.build();
+ }
+
}
/**
@@ -9718,7 +9829,8 @@
if (VDBG) log("rematch for " + newSatisfier.toShortString());
if (null != previousRequest && null != previousSatisfier) {
if (VDBG || DDBG) {
- log(" accepting network in place of " + previousSatisfier.toShortString());
+ log(" accepting network in place of " + previousSatisfier.toShortString()
+ + " for " + newRequest);
}
previousSatisfier.removeRequest(previousRequest.requestId);
if (canSupportGracefulNetworkSwitch(previousSatisfier, newSatisfier)
@@ -9737,7 +9849,7 @@
previousSatisfier.lingerRequest(previousRequest.requestId, now);
}
} else {
- if (VDBG || DDBG) log(" accepting network in place of null");
+ if (VDBG || DDBG) log(" accepting network in place of null for " + newRequest);
}
// To prevent constantly CPU wake up for nascent timer, if a network comes up
@@ -9853,6 +9965,14 @@
}
}
+ private boolean hasSameInterfaceName(@Nullable final NetworkAgentInfo nai1,
+ @Nullable final NetworkAgentInfo nai2) {
+ if (null == nai1) return null == nai2;
+ if (null == nai2) return false;
+ return nai1.linkProperties.getInterfaceName()
+ .equals(nai2.linkProperties.getInterfaceName());
+ }
+
private void applyNetworkReassignment(@NonNull final NetworkReassignment changes,
final long now) {
final Collection<NetworkAgentInfo> nais = mNetworkAgentInfos;
@@ -9926,6 +10046,39 @@
notifyNetworkLosing(nai, now);
}
+ // Update forwarding rules for the upstreams of local networks. Do this after sending
+ // onAvailable so that clients understand what network this is about.
+ for (final NetworkAgentInfo nai : mNetworkAgentInfos) {
+ if (!nai.isLocalNetwork()) continue;
+ final NetworkRequest nr = nai.localNetworkConfig.getUpstreamSelector();
+ if (null == nr) continue; // No upstream for this local network
+ final NetworkRequestInfo nri = mNetworkRequests.get(nr);
+ final NetworkReassignment.RequestReassignment change = changes.getReassignment(nri);
+ if (null == change) continue; // No change in upstreams for this network
+ final String fromIface = nai.linkProperties.getInterfaceName();
+ if (!hasSameInterfaceName(change.mOldNetwork, change.mNewNetwork)
+ || change.mOldNetwork.isDestroyed()) {
+ // There can be a change with the same interface name if the new network is the
+ // replacement for the old network that was unregisteredAfterReplacement.
+ try {
+ if (null != change.mOldNetwork) {
+ mRoutingCoordinatorService.removeInterfaceForward(fromIface,
+ change.mOldNetwork.linkProperties.getInterfaceName());
+ }
+ // If the new upstream is already destroyed, there is no point in setting up
+ // a forward (in fact, it might forward to the interface for some new network !)
+ // Later when the upstream disconnects CS will try to remove the forward, which
+ // is ignored with a benign log by RoutingCoordinatorService.
+ if (null != change.mNewNetwork && !change.mNewNetwork.isDestroyed()) {
+ mRoutingCoordinatorService.addInterfaceForward(fromIface,
+ change.mNewNetwork.linkProperties.getInterfaceName());
+ }
+ } catch (final RemoteException e) {
+ loge("Can't update forwarding rules", e);
+ }
+ }
+ }
+
updateLegacyTypeTrackerAndVpnLockdownForRematch(changes, nais);
// Tear down all unneeded networks.
diff --git a/service/src/com/android/server/connectivity/NetworkAgentInfo.java b/service/src/com/android/server/connectivity/NetworkAgentInfo.java
index dacae20..7cd3cc8 100644
--- a/service/src/com/android/server/connectivity/NetworkAgentInfo.java
+++ b/service/src/com/android/server/connectivity/NetworkAgentInfo.java
@@ -1258,6 +1258,11 @@
return networkCapabilities.hasTransport(NetworkCapabilities.TRANSPORT_VPN);
}
+ /** Whether this network is a local network */
+ public boolean isLocalNetwork() {
+ return networkCapabilities.hasCapability(NET_CAPABILITY_LOCAL_NETWORK);
+ }
+
/**
* Whether this network should propagate the capabilities from its underlying networks.
* Currently only true for VPNs.
diff --git a/service/src/com/android/server/connectivity/RoutingCoordinatorService.java b/service/src/com/android/server/connectivity/RoutingCoordinatorService.java
index ede78ce..3350d2d 100644
--- a/service/src/com/android/server/connectivity/RoutingCoordinatorService.java
+++ b/service/src/com/android/server/connectivity/RoutingCoordinatorService.java
@@ -197,8 +197,16 @@
synchronized (mIfacesLock) {
final ForwardingPair fwp = new ForwardingPair(fromIface, toIface);
if (!mForwardedInterfaces.contains(fwp)) {
- throw new IllegalStateException("No forward set up between interfaces "
- + fromIface + " → " + toIface);
+ // This can happen when an upstream was unregisteredAfterReplacement. The forward
+ // is removed immediately when the upstream is destroyed, but later when the
+ // network actually disconnects CS does not know that and it asks for removal
+ // again.
+ // This can also happen if the network was destroyed before being set as an
+ // upstream, because then CS does not set up the forward rules seeing how the
+ // interface was removed anyway.
+ // Either way, this is benign.
+ Log.i(TAG, "No forward set up between interfaces " + fromIface + " → " + toIface);
+ return;
}
mForwardedInterfaces.remove(fwp);
try {
diff --git a/staticlibs/device/com/android/net/module/util/FeatureVersions.java b/staticlibs/device/com/android/net/module/util/FeatureVersions.java
index 149756c..d5f8124 100644
--- a/staticlibs/device/com/android/net/module/util/FeatureVersions.java
+++ b/staticlibs/device/com/android/net/module/util/FeatureVersions.java
@@ -42,4 +42,10 @@
// M-2023-Sept on July 3rd, 2023.
public static final long FEATURE_CLAT_ADDRESS_TRANSLATE =
NETWORK_STACK_MODULE_ID + 34_09_00_000L;
+
+ // IS_UID_NETWORKING_BLOCKED is a feature in ConnectivityManager,
+ // which provides an API to access BPF maps to check whether the networking is blocked
+ // by BPF for the given uid and conditions, introduced in version M-2024-Feb on Nov 6, 2023.
+ public static final long FEATURE_IS_UID_NETWORKING_BLOCKED =
+ CONNECTIVITY_MODULE_ID + 34_14_00_000L;
}
diff --git a/tests/cts/hostside/app/src/com/android/cts/net/hostside/AbstractRestrictBackgroundNetworkTestCase.java b/tests/cts/hostside/app/src/com/android/cts/net/hostside/AbstractRestrictBackgroundNetworkTestCase.java
index 5893de7..bb32052 100644
--- a/tests/cts/hostside/app/src/com/android/cts/net/hostside/AbstractRestrictBackgroundNetworkTestCase.java
+++ b/tests/cts/hostside/app/src/com/android/cts/net/hostside/AbstractRestrictBackgroundNetworkTestCase.java
@@ -37,6 +37,7 @@
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
+import android.annotation.NonNull;
import android.app.ActivityManager;
import android.app.Instrumentation;
import android.app.NotificationManager;
@@ -438,6 +439,42 @@
}
/**
+ * Asserts whether the network is blocked by accessing bpf maps if command-line tool supports.
+ */
+ void assertNetworkAccessBlockedByBpf(boolean expectBlocked, int uid, boolean metered) {
+ final String result;
+ try {
+ result = executeShellCommand(
+ "cmd network_stack is-uid-networking-blocked " + uid + " " + metered);
+ } catch (AssertionError e) {
+ // If NetworkStack is too old to support this command, ignore and continue
+ // this test to verify other parts.
+ if (e.getMessage().contains("No shell command implementation.")) {
+ return;
+ }
+ throw e;
+ }
+
+ // Tethering module is too old.
+ if (result.contains("API is unsupported")) {
+ return;
+ }
+
+ assertEquals(expectBlocked, parseBooleanOrThrow(result.trim()));
+ }
+
+ /**
+ * Similar to {@link Boolean#parseBoolean} but throws when the input
+ * is unexpected instead of returning false.
+ */
+ private static boolean parseBooleanOrThrow(@NonNull String s) {
+ // Don't use Boolean.parseBoolean
+ if ("true".equalsIgnoreCase(s)) return true;
+ if ("false".equalsIgnoreCase(s)) return false;
+ throw new IllegalArgumentException("Unexpected: " + s);
+ }
+
+ /**
* Checks whether the network is available as expected.
*
* @return error message with the mismatch (or empty if assertion passed).
diff --git a/tests/cts/hostside/app/src/com/android/cts/net/hostside/NetworkCallbackTest.java b/tests/cts/hostside/app/src/com/android/cts/net/hostside/NetworkCallbackTest.java
index 0715e32..ab3cf14 100644
--- a/tests/cts/hostside/app/src/com/android/cts/net/hostside/NetworkCallbackTest.java
+++ b/tests/cts/hostside/app/src/com/android/cts/net/hostside/NetworkCallbackTest.java
@@ -236,16 +236,19 @@
// Enable restrict background
setRestrictBackground(true);
assertBackgroundNetworkAccess(false);
+ assertNetworkAccessBlockedByBpf(true, mUid, true /* metered */);
mTestNetworkCallback.expectBlockedStatusCallbackEventually(mNetwork, true);
// Add to whitelist
addRestrictBackgroundWhitelist(mUid);
assertBackgroundNetworkAccess(true);
+ assertNetworkAccessBlockedByBpf(false, mUid, true /* metered */);
mTestNetworkCallback.expectBlockedStatusCallbackEventually(mNetwork, false);
// Remove from whitelist
removeRestrictBackgroundWhitelist(mUid);
assertBackgroundNetworkAccess(false);
+ assertNetworkAccessBlockedByBpf(true, mUid, true /* metered */);
mTestNetworkCallback.expectBlockedStatusCallbackEventually(mNetwork, true);
} finally {
mMeterednessConfiguration.resetNetworkMeteredness();
@@ -257,11 +260,13 @@
true /* hasCapability */, NET_CAPABILITY_NOT_METERED);
try {
assertBackgroundNetworkAccess(true);
+ assertNetworkAccessBlockedByBpf(false, mUid, false /* metered */);
mTestNetworkCallback.expectBlockedStatusCallbackEventually(mNetwork, false);
// Disable restrict background, should not trigger callback
setRestrictBackground(false);
assertBackgroundNetworkAccess(true);
+ assertNetworkAccessBlockedByBpf(false, mUid, false /* metered */);
} finally {
mMeterednessConfiguration.resetNetworkMeteredness();
}
@@ -275,11 +280,13 @@
setBatterySaverMode(true);
assertBackgroundNetworkAccess(false);
mTestNetworkCallback.expectBlockedStatusCallbackEventually(mNetwork, true);
+ assertNetworkAccessBlockedByBpf(true, mUid, true /* metered */);
// Disable Power Saver
setBatterySaverMode(false);
assertBackgroundNetworkAccess(true);
mTestNetworkCallback.expectBlockedStatusCallbackEventually(mNetwork, false);
+ assertNetworkAccessBlockedByBpf(false, mUid, true /* metered */);
} finally {
mMeterednessConfiguration.resetNetworkMeteredness();
}
@@ -293,11 +300,13 @@
setBatterySaverMode(true);
assertBackgroundNetworkAccess(false);
mTestNetworkCallback.expectBlockedStatusCallbackEventually(mNetwork, true);
+ assertNetworkAccessBlockedByBpf(true, mUid, false /* metered */);
// Disable Power Saver
setBatterySaverMode(false);
assertBackgroundNetworkAccess(true);
mTestNetworkCallback.expectBlockedStatusCallbackEventually(mNetwork, false);
+ assertNetworkAccessBlockedByBpf(false, mUid, false /* metered */);
} finally {
mMeterednessConfiguration.resetNetworkMeteredness();
}
diff --git a/tests/unit/java/com/android/server/BpfNetMapsTest.java b/tests/unit/java/com/android/server/BpfNetMapsTest.java
index 1dfc8c0..1e08fcc 100644
--- a/tests/unit/java/com/android/server/BpfNetMapsTest.java
+++ b/tests/unit/java/com/android/server/BpfNetMapsTest.java
@@ -71,6 +71,7 @@
import android.content.Context;
import android.net.BpfNetMapsUtils;
import android.net.INetd;
+import android.net.InetAddresses;
import android.net.UidOwnerValue;
import android.os.Build;
import android.os.ServiceSpecificException;
@@ -87,6 +88,8 @@
import com.android.net.module.util.Struct.U8;
import com.android.net.module.util.bpf.CookieTagMapKey;
import com.android.net.module.util.bpf.CookieTagMapValue;
+import com.android.net.module.util.bpf.IngressDiscardKey;
+import com.android.net.module.util.bpf.IngressDiscardValue;
import com.android.testutils.DevSdkIgnoreRule;
import com.android.testutils.DevSdkIgnoreRule.IgnoreAfter;
import com.android.testutils.DevSdkIgnoreRule.IgnoreUpTo;
@@ -102,6 +105,8 @@
import java.io.FileDescriptor;
import java.io.StringWriter;
+import java.net.Inet4Address;
+import java.net.Inet6Address;
import java.util.ArrayList;
import java.util.List;
@@ -120,6 +125,10 @@
private static final int TEST_IF_INDEX = 7;
private static final int NO_IIF = 0;
private static final int NULL_IIF = 0;
+ private static final Inet4Address TEST_V4_ADDRESS =
+ (Inet4Address) InetAddresses.parseNumericAddress("192.0.2.1");
+ private static final Inet6Address TEST_V6_ADDRESS =
+ (Inet6Address) InetAddresses.parseNumericAddress("2001:db8::1");
private static final String CHAINNAME = "fw_dozable";
private static final long STATS_SELECT_MAP_A = 0;
@@ -143,11 +152,14 @@
private final IBpfMap<CookieTagMapKey, CookieTagMapValue> mCookieTagMap =
spy(new TestBpfMap<>(CookieTagMapKey.class, CookieTagMapValue.class));
private final IBpfMap<S32, U8> mDataSaverEnabledMap = new TestBpfMap<>(S32.class, U8.class);
+ private final IBpfMap<IngressDiscardKey, IngressDiscardValue> mIngressDiscardMap =
+ new TestBpfMap<>(IngressDiscardKey.class, IngressDiscardValue.class);
@Before
public void setUp() throws Exception {
MockitoAnnotations.initMocks(this);
doReturn(TEST_IF_INDEX).when(mDeps).getIfIndex(TEST_IF_NAME);
+ doReturn(TEST_IF_NAME).when(mDeps).getIfName(TEST_IF_INDEX);
doReturn(0).when(mDeps).synchronizeKernelRCU();
BpfNetMaps.setEnableJavaBpfMapForTest(true /* enable */);
BpfNetMaps.setConfigurationMapForTest(mConfigurationMap);
@@ -159,6 +171,7 @@
BpfNetMaps.setCookieTagMapForTest(mCookieTagMap);
BpfNetMaps.setDataSaverEnabledMapForTest(mDataSaverEnabledMap);
mDataSaverEnabledMap.updateEntry(DATA_SAVER_ENABLED_KEY, new U8(DATA_SAVER_DISABLED));
+ BpfNetMaps.setIngressDiscardMapForTest(mIngressDiscardMap);
mBpfNetMaps = new BpfNetMaps(mContext, mNetd, mDeps);
}
@@ -1206,7 +1219,7 @@
@Test
@IgnoreAfter(Build.VERSION_CODES.S_V2)
public void testSetDataSaverEnabledBeforeT() {
- for (boolean enable : new boolean[] {true, false}) {
+ for (boolean enable : new boolean[]{true, false}) {
assertThrows(UnsupportedOperationException.class,
() -> mBpfNetMaps.setDataSaverEnabled(enable));
}
@@ -1215,10 +1228,60 @@
@Test
@IgnoreUpTo(Build.VERSION_CODES.S_V2)
public void testSetDataSaverEnabled() throws Exception {
- for (boolean enable : new boolean[] {true, false}) {
+ for (boolean enable : new boolean[]{true, false}) {
mBpfNetMaps.setDataSaverEnabled(enable);
assertEquals(enable ? DATA_SAVER_ENABLED : DATA_SAVER_DISABLED,
- mDataSaverEnabledMap.getValue(DATA_SAVER_ENABLED_KEY).val);
+ mDataSaverEnabledMap.getValue(DATA_SAVER_ENABLED_KEY).val);
}
}
+
+ @Test
+ @IgnoreUpTo(Build.VERSION_CODES.S_V2)
+ public void testSetIngressDiscardRule_V4address() throws Exception {
+ mBpfNetMaps.setIngressDiscardRule(TEST_V4_ADDRESS, TEST_IF_NAME);
+ final IngressDiscardValue val = mIngressDiscardMap.getValue(new IngressDiscardKey(
+ TEST_V4_ADDRESS));
+ assertEquals(TEST_IF_INDEX, val.iif1);
+ assertEquals(TEST_IF_INDEX, val.iif2);
+ }
+
+ @Test
+ @IgnoreUpTo(Build.VERSION_CODES.S_V2)
+ public void testSetIngressDiscardRule_V6address() throws Exception {
+ mBpfNetMaps.setIngressDiscardRule(TEST_V6_ADDRESS, TEST_IF_NAME);
+ final IngressDiscardValue val =
+ mIngressDiscardMap.getValue(new IngressDiscardKey(TEST_V6_ADDRESS));
+ assertEquals(TEST_IF_INDEX, val.iif1);
+ assertEquals(TEST_IF_INDEX, val.iif2);
+ }
+
+ @Test
+ @IgnoreUpTo(Build.VERSION_CODES.S_V2)
+ public void testRemoveIngressDiscardRule() throws Exception {
+ mBpfNetMaps.setIngressDiscardRule(TEST_V4_ADDRESS, TEST_IF_NAME);
+ mBpfNetMaps.setIngressDiscardRule(TEST_V6_ADDRESS, TEST_IF_NAME);
+ final IngressDiscardKey v4Key = new IngressDiscardKey(TEST_V4_ADDRESS);
+ final IngressDiscardKey v6Key = new IngressDiscardKey(TEST_V6_ADDRESS);
+ assertTrue(mIngressDiscardMap.containsKey(v4Key));
+ assertTrue(mIngressDiscardMap.containsKey(v6Key));
+
+ mBpfNetMaps.removeIngressDiscardRule(TEST_V4_ADDRESS);
+ assertFalse(mIngressDiscardMap.containsKey(v4Key));
+ assertTrue(mIngressDiscardMap.containsKey(v6Key));
+
+ mBpfNetMaps.removeIngressDiscardRule(TEST_V6_ADDRESS);
+ assertFalse(mIngressDiscardMap.containsKey(v4Key));
+ assertFalse(mIngressDiscardMap.containsKey(v6Key));
+ }
+
+ @Test
+ @IgnoreUpTo(Build.VERSION_CODES.S_V2)
+ public void testDumpIngressDiscardRule() throws Exception {
+ mBpfNetMaps.setIngressDiscardRule(TEST_V4_ADDRESS, TEST_IF_NAME);
+ mBpfNetMaps.setIngressDiscardRule(TEST_V6_ADDRESS, TEST_IF_NAME);
+ final String dump = getDump();
+ assertDumpContains(dump, TEST_V4_ADDRESS.getHostAddress());
+ assertDumpContains(dump, TEST_V6_ADDRESS.getHostAddress());
+ assertDumpContains(dump, TEST_IF_INDEX + "(" + TEST_IF_NAME + ")");
+ }
}
diff --git a/tests/unit/java/com/android/server/connectivityservice/CSLocalAgentTests.kt b/tests/unit/java/com/android/server/connectivityservice/CSLocalAgentTests.kt
index d9f7f9f..3a76ad0 100644
--- a/tests/unit/java/com/android/server/connectivityservice/CSLocalAgentTests.kt
+++ b/tests/unit/java/com/android/server/connectivityservice/CSLocalAgentTests.kt
@@ -21,13 +21,19 @@
import android.net.LinkProperties
import android.net.LocalNetworkConfig
import android.net.NetworkCapabilities
+import android.net.NetworkCapabilities.NET_CAPABILITY_DUN
+import android.net.NetworkCapabilities.NET_CAPABILITY_INTERNET
import android.net.NetworkCapabilities.NET_CAPABILITY_LOCAL_NETWORK
import android.net.NetworkCapabilities.NET_CAPABILITY_NOT_RESTRICTED
import android.net.NetworkCapabilities.NET_CAPABILITY_NOT_ROAMING
import android.net.NetworkCapabilities.NET_CAPABILITY_NOT_SUSPENDED
import android.net.NetworkCapabilities.NET_CAPABILITY_NOT_VCN_MANAGED
+import android.net.NetworkCapabilities.TRANSPORT_CELLULAR
import android.net.NetworkCapabilities.TRANSPORT_WIFI
import android.net.NetworkRequest
+import android.net.NetworkScore
+import android.net.NetworkScore.KEEP_CONNECTED_FOR_TEST
+import android.net.NetworkScore.KEEP_CONNECTED_LOCAL_NETWORK
import android.net.RouteInfo
import android.os.Build
import com.android.testutils.DevSdkIgnoreRule
@@ -40,8 +46,17 @@
import com.android.testutils.TestableNetworkCallback
import org.junit.Test
import org.junit.runner.RunWith
+import org.mockito.Mockito.clearInvocations
+import org.mockito.Mockito.inOrder
+import org.mockito.Mockito.never
+import org.mockito.Mockito.timeout
+import org.mockito.Mockito.verify
import kotlin.test.assertFailsWith
+private const val TIMEOUT_MS = 200L
+private const val MEDIUM_TIMEOUT_MS = 1_000L
+private const val LONG_TIMEOUT_MS = 5_000
+
private fun nc(transport: Int, vararg caps: Int) = NetworkCapabilities.Builder().apply {
addTransportType(transport)
caps.forEach {
@@ -60,6 +75,12 @@
addRoute(RouteInfo(IpPrefix("0.0.0.0/0"), null, null))
}
+// This allows keeping all the networks connected without having to file individual requests
+// for them.
+private fun keepScore() = FromS(
+ NetworkScore.Builder().setKeepConnectedReason(KEEP_CONNECTED_FOR_TEST).build()
+)
+
@RunWith(DevSdkIgnoreRunner::class)
@DevSdkIgnoreRule.IgnoreUpTo(Build.VERSION_CODES.TIRAMISU)
class CSLocalAgentTests : CSTest() {
@@ -125,7 +146,8 @@
cb)
// Set up a local agent that should forward its traffic to the best DUN upstream.
- val localAgent = Agent(nc = nc(TRANSPORT_WIFI, NET_CAPABILITY_LOCAL_NETWORK),
+ val localAgent = Agent(
+ nc = nc(TRANSPORT_WIFI, NET_CAPABILITY_LOCAL_NETWORK),
lp = lp("local0"),
lnc = LocalNetworkConfig.Builder().build(),
)
@@ -145,4 +167,242 @@
localAgent.disconnect()
}
+
+ @Test
+ fun testUnregisterUpstreamAfterReplacement_SameIfaceName() {
+ doTestUnregisterUpstreamAfterReplacement(true)
+ }
+
+ @Test
+ fun testUnregisterUpstreamAfterReplacement_DifferentIfaceName() {
+ doTestUnregisterUpstreamAfterReplacement(false)
+ }
+
+ fun doTestUnregisterUpstreamAfterReplacement(sameIfaceName: Boolean) {
+ deps.setBuildSdk(VERSION_V)
+ val cb = TestableNetworkCallback()
+ cm.registerNetworkCallback(NetworkRequest.Builder().clearCapabilities().build(), cb)
+
+ // Set up a local agent that should forward its traffic to the best wifi upstream.
+ val localAgent = Agent(nc = nc(TRANSPORT_WIFI, NET_CAPABILITY_LOCAL_NETWORK),
+ lp = lp("local0"),
+ lnc = LocalNetworkConfig.Builder()
+ .setUpstreamSelector(NetworkRequest.Builder()
+ .addTransportType(TRANSPORT_WIFI)
+ .build())
+ .build(),
+ score = FromS(NetworkScore.Builder()
+ .setKeepConnectedReason(KEEP_CONNECTED_LOCAL_NETWORK)
+ .build())
+ )
+ localAgent.connect()
+
+ cb.expectAvailableCallbacks(localAgent.network, validated = false)
+
+ val wifiAgent = Agent(lp = lp("wifi0"),
+ nc = nc(TRANSPORT_WIFI, NET_CAPABILITY_INTERNET))
+ wifiAgent.connect()
+
+ cb.expectAvailableCallbacks(wifiAgent.network, validated = false)
+
+ clearInvocations(netd)
+ val inOrder = inOrder(netd)
+ wifiAgent.unregisterAfterReplacement(LONG_TIMEOUT_MS)
+ waitForIdle()
+ inOrder.verify(netd).ipfwdRemoveInterfaceForward("local0", "wifi0")
+ inOrder.verify(netd).networkDestroy(wifiAgent.network.netId)
+
+ val wifiIface2 = if (sameIfaceName) "wifi0" else "wifi1"
+ val wifiAgent2 = Agent(lp = lp(wifiIface2),
+ nc = nc(TRANSPORT_WIFI, NET_CAPABILITY_INTERNET))
+ wifiAgent2.connect()
+
+ cb.expectAvailableCallbacks(wifiAgent2.network, validated = false)
+ cb.expect<Lost> { it.network == wifiAgent.network }
+
+ inOrder.verify(netd).ipfwdAddInterfaceForward("local0", wifiIface2)
+ if (sameIfaceName) {
+ inOrder.verify(netd, never()).ipfwdRemoveInterfaceForward(any(), any())
+ }
+ }
+
+ @Test
+ fun testUnregisterUpstreamAfterReplacement_neverReplaced() {
+ deps.setBuildSdk(VERSION_V)
+ val cb = TestableNetworkCallback()
+ cm.registerNetworkCallback(NetworkRequest.Builder().clearCapabilities().build(), cb)
+
+ // Set up a local agent that should forward its traffic to the best wifi upstream.
+ val localAgent = Agent(nc = nc(TRANSPORT_WIFI, NET_CAPABILITY_LOCAL_NETWORK),
+ lp = lp("local0"),
+ lnc = LocalNetworkConfig.Builder()
+ .setUpstreamSelector(NetworkRequest.Builder()
+ .addTransportType(TRANSPORT_WIFI)
+ .build())
+ .build(),
+ score = FromS(NetworkScore.Builder()
+ .setKeepConnectedReason(KEEP_CONNECTED_LOCAL_NETWORK)
+ .build())
+ )
+ localAgent.connect()
+
+ cb.expectAvailableCallbacks(localAgent.network, validated = false)
+
+ val wifiAgent = Agent(lp = lp("wifi0"),
+ nc = nc(TRANSPORT_WIFI, NET_CAPABILITY_INTERNET))
+ wifiAgent.connect()
+
+ cb.expectAvailableCallbacksUnvalidated(wifiAgent)
+
+ clearInvocations(netd)
+ wifiAgent.unregisterAfterReplacement(TIMEOUT_MS.toInt())
+ waitForIdle()
+ verify(netd).networkDestroy(wifiAgent.network.netId)
+ verify(netd).ipfwdRemoveInterfaceForward("local0", "wifi0")
+
+ cb.expect<Lost> { it.network == wifiAgent.network }
+ }
+
+ @Test
+ fun testUnregisterLocalAgentAfterReplacement() {
+ deps.setBuildSdk(VERSION_V)
+
+ val localCb = TestableNetworkCallback()
+ cm.requestNetwork(NetworkRequest.Builder().clearCapabilities()
+ .addCapability(NET_CAPABILITY_LOCAL_NETWORK)
+ .build(),
+ localCb)
+
+ val cb = TestableNetworkCallback()
+ cm.registerNetworkCallback(NetworkRequest.Builder().clearCapabilities().build(), cb)
+
+ val localNc = nc(TRANSPORT_WIFI, NET_CAPABILITY_LOCAL_NETWORK)
+ val lnc = LocalNetworkConfig.Builder()
+ .setUpstreamSelector(NetworkRequest.Builder()
+ .addTransportType(TRANSPORT_WIFI)
+ .build())
+ .build()
+ val localScore = FromS(NetworkScore.Builder().build())
+
+ // Set up a local agent that should forward its traffic to the best wifi upstream.
+ val localAgent = Agent(nc = localNc, lp = lp("local0"), lnc = lnc, score = localScore)
+ localAgent.connect()
+
+ localCb.expectAvailableCallbacks(localAgent.network, validated = false)
+ cb.expectAvailableCallbacks(localAgent.network, validated = false)
+
+ val wifiAgent = Agent(lp = lp("wifi0"), nc = nc(TRANSPORT_WIFI, NET_CAPABILITY_INTERNET))
+ wifiAgent.connect()
+
+ cb.expectAvailableCallbacksUnvalidated(wifiAgent)
+
+ verify(netd).ipfwdAddInterfaceForward("local0", "wifi0")
+
+ localAgent.unregisterAfterReplacement(LONG_TIMEOUT_MS)
+
+ val localAgent2 = Agent(nc = localNc, lp = lp("local0"), lnc = lnc, score = localScore)
+ localAgent2.connect()
+
+ localCb.expectAvailableCallbacks(localAgent2.network, validated = false)
+ cb.expectAvailableCallbacks(localAgent2.network, validated = false)
+ cb.expect<Lost> { it.network == localAgent.network }
+ }
+
+ @Test
+ fun testDestroyedNetworkAsSelectedUpstream() {
+ deps.setBuildSdk(VERSION_V)
+ val cb = TestableNetworkCallback()
+ cm.registerNetworkCallback(NetworkRequest.Builder().clearCapabilities().build(), cb)
+
+ val wifiAgent = Agent(lp = lp("wifi0"), nc = nc(TRANSPORT_WIFI, NET_CAPABILITY_INTERNET))
+ wifiAgent.connect()
+ cb.expectAvailableCallbacksUnvalidated(wifiAgent)
+
+ // Set up a local agent that should forward its traffic to the best wifi upstream.
+ val localAgent = Agent(nc = nc(TRANSPORT_WIFI, NET_CAPABILITY_LOCAL_NETWORK),
+ lp = lp("local0"),
+ lnc = LocalNetworkConfig.Builder()
+ .setUpstreamSelector(NetworkRequest.Builder()
+ .addTransportType(TRANSPORT_WIFI)
+ .build())
+ .build(),
+ score = FromS(NetworkScore.Builder()
+ .setKeepConnectedReason(KEEP_CONNECTED_LOCAL_NETWORK)
+ .build())
+ )
+
+ // ...but destroy the wifi agent before connecting it
+ wifiAgent.unregisterAfterReplacement(LONG_TIMEOUT_MS)
+
+ localAgent.connect()
+ cb.expectAvailableCallbacks(localAgent.network, validated = false)
+
+ verify(netd).ipfwdAddInterfaceForward("local0", "wifi0")
+ verify(netd).ipfwdRemoveInterfaceForward("local0", "wifi0")
+ }
+
+ @Test
+ fun testForwardingRules() {
+ deps.setBuildSdk(VERSION_V)
+ // Set up a local agent that should forward its traffic to the best DUN upstream.
+ val lnc = LocalNetworkConfig.Builder()
+ .setUpstreamSelector(NetworkRequest.Builder()
+ .addCapability(NET_CAPABILITY_DUN)
+ .build())
+ .build()
+ val localAgent = Agent(nc = nc(TRANSPORT_WIFI, NET_CAPABILITY_LOCAL_NETWORK),
+ lp = lp("local0"),
+ lnc = lnc,
+ score = FromS(NetworkScore.Builder()
+ .setKeepConnectedReason(KEEP_CONNECTED_LOCAL_NETWORK)
+ .build())
+ )
+ localAgent.connect()
+
+ val wifiAgent = Agent(score = keepScore(), lp = lp("wifi0"),
+ nc = nc(TRANSPORT_WIFI, NET_CAPABILITY_INTERNET))
+ val cellAgentDun = Agent(score = keepScore(), lp = lp("cell0"),
+ nc = nc(TRANSPORT_CELLULAR, NET_CAPABILITY_INTERNET, NET_CAPABILITY_DUN))
+ val wifiAgentDun = Agent(score = keepScore(), lp = lp("wifi1"),
+ nc = nc(TRANSPORT_WIFI, NET_CAPABILITY_INTERNET, NET_CAPABILITY_DUN))
+
+ val inOrder = inOrder(netd)
+ inOrder.verify(netd, never()).ipfwdAddInterfaceForward(any(), any())
+
+ wifiAgent.connect()
+ inOrder.verify(netd, never()).ipfwdAddInterfaceForward(any(), any())
+
+ cellAgentDun.connect()
+ inOrder.verify(netd).ipfwdEnableForwarding(any())
+ inOrder.verify(netd).ipfwdAddInterfaceForward("local0", "cell0")
+
+ wifiAgentDun.connect()
+ inOrder.verify(netd).ipfwdRemoveInterfaceForward("local0", "cell0")
+ inOrder.verify(netd).ipfwdAddInterfaceForward("local0", "wifi1")
+
+ // Make sure sending the same config again doesn't do anything
+ repeat(5) {
+ localAgent.sendLocalNetworkConfig(lnc)
+ }
+ inOrder.verifyNoMoreInteractions()
+
+ wifiAgentDun.disconnect()
+ inOrder.verify(netd).ipfwdRemoveInterfaceForward("local0", "wifi1")
+ // This can take a little bit of time because it needs to wait for the rematch
+ inOrder.verify(netd, timeout(MEDIUM_TIMEOUT_MS)).ipfwdAddInterfaceForward("local0", "cell0")
+
+ cellAgentDun.disconnect()
+ inOrder.verify(netd).ipfwdRemoveInterfaceForward("local0", "cell0")
+ inOrder.verify(netd).ipfwdDisableForwarding(any())
+
+ val wifiAgentDun2 = Agent(score = keepScore(), lp = lp("wifi2"),
+ nc = nc(TRANSPORT_WIFI, NET_CAPABILITY_INTERNET, NET_CAPABILITY_DUN))
+ wifiAgentDun2.connect()
+ inOrder.verify(netd).ipfwdEnableForwarding(any())
+ inOrder.verify(netd).ipfwdAddInterfaceForward("local0", "wifi2")
+
+ localAgent.disconnect()
+ inOrder.verify(netd).ipfwdRemoveInterfaceForward("local0", "wifi2")
+ inOrder.verify(netd).ipfwdDisableForwarding(any())
+ }
}
diff --git a/tests/unit/java/com/android/server/connectivityservice/base/CSAgentWrapper.kt b/tests/unit/java/com/android/server/connectivityservice/base/CSAgentWrapper.kt
index f903e51..013a749 100644
--- a/tests/unit/java/com/android/server/connectivityservice/base/CSAgentWrapper.kt
+++ b/tests/unit/java/com/android/server/connectivityservice/base/CSAgentWrapper.kt
@@ -168,6 +168,7 @@
}
fun unregisterAfterReplacement(timeoutMs: Int) = agent.unregisterAfterReplacement(timeoutMs)
+
fun sendLocalNetworkConfig(lnc: LocalNetworkConfig) = agent.sendLocalNetworkConfig(lnc)
fun sendNetworkCapabilities(nc: NetworkCapabilities) = agent.sendNetworkCapabilities(nc)
}