Skip adding ingress discard rule to OEM VPN
OEM VPNs might need to receive packets to VPN address via
non-VPN interface.
Bug: 352424251
Test: CsIngressDiscardRuleTest
Change-Id: Ia9000bcbb5b3b9e1e0d396ba78946be36e2fc5ba
diff --git a/service/src/com/android/server/ConnectivityService.java b/service/src/com/android/server/ConnectivityService.java
index dc855c1..0fe24a2 100755
--- a/service/src/com/android/server/ConnectivityService.java
+++ b/service/src/com/android/server/ConnectivityService.java
@@ -9672,10 +9672,10 @@
* interfaces.
* Ingress discard rule is added to the address iff
* 1. The address is not a link local address
- * 2. The address is used by a single non-Legacy VPN interface and not used by any other
- * interfaces even non-VPN ones
- * Ingress discard rule is not be added to Legacy VPN since some Legacy VPNs need to receive
- * packet to VPN address via non-VPN interface.
+ * 2. The address is used by a single interface of VPN whose VPN type is not TYPE_VPN_LEGACY
+ * or TYPE_VPN_OEM and the address is not used by any other interfaces even non-VPN ones
+ * Ingress discard rule is not be added to TYPE_VPN_LEGACY or TYPE_VPN_OEM VPN since these VPNs
+ * might need to receive packet to VPN address via non-VPN interface.
* This method can be called during network disconnects, when nai has already been removed from
* mNetworkAgentInfos.
*
@@ -9710,8 +9710,10 @@
// for different network.
final Set<Pair<InetAddress, String>> ingressDiscardRules = new ArraySet<>();
for (final NetworkAgentInfo agent : nais) {
+ final int vpnType = getVpnType(agent);
if (!agent.isVPN() || agent.isDestroyed()
- || getVpnType(agent) == VpnManager.TYPE_VPN_LEGACY) {
+ || vpnType == VpnManager.TYPE_VPN_LEGACY
+ || vpnType == VpnManager.TYPE_VPN_OEM) {
continue;
}
final LinkProperties agentLp = (nai == agent) ? lp : agent.linkProperties;
diff --git a/tests/unit/java/com/android/server/connectivityservice/CSIngressDiscardRuleTests.kt b/tests/unit/java/com/android/server/connectivityservice/CSIngressDiscardRuleTests.kt
index 1ae77e5..77b06b2 100644
--- a/tests/unit/java/com/android/server/connectivityservice/CSIngressDiscardRuleTests.kt
+++ b/tests/unit/java/com/android/server/connectivityservice/CSIngressDiscardRuleTests.kt
@@ -26,6 +26,7 @@
import android.net.NetworkCapabilities.TRANSPORT_VPN
import android.net.NetworkCapabilities.TRANSPORT_WIFI
import android.net.NetworkRequest
+import android.net.VpnManager.TYPE_VPN_OEM
import android.net.VpnManager.TYPE_VPN_SERVICE
import android.net.VpnManager.TYPE_VPN_LEGACY
import android.net.VpnTransportInfo
@@ -50,11 +51,10 @@
private const val TIMEOUT_MS = 1_000L
private const val LONG_TIMEOUT_MS = 5_000
-private fun vpnNc(legacyVpn: Boolean = false) = NetworkCapabilities.Builder().apply {
+private fun vpnNc(vpnType: Int = TYPE_VPN_SERVICE) = NetworkCapabilities.Builder().apply {
addTransportType(TRANSPORT_VPN)
removeCapability(NET_CAPABILITY_NOT_VPN)
addCapability(NET_CAPABILITY_NOT_VCN_MANAGED)
- val vpnType = if (legacyVpn) { TYPE_VPN_LEGACY } else { TYPE_VPN_SERVICE }
setTransportInfo(
VpnTransportInfo(
vpnType,
@@ -313,18 +313,37 @@
verify(bpfNetMaps, never()).setIngressDiscardRule(any(), any())
}
- @Test
- fun testVpnIngressDiscardRule_LegacyVpn() {
+ fun doTestVpnIngressDiscardRule_VpnType(vpnType: Int, expectAddRule: Boolean) {
val nr = nr(TRANSPORT_VPN)
val cb = TestableNetworkCallback()
cm.registerNetworkCallback(nr, cb)
- val nc = vpnNc(legacyVpn = true)
+ val nc = vpnNc(vpnType)
val lp = lp(VPN_IFNAME, IPV6_LINK_ADDRESS, LOCAL_IPV6_LINK_ADDRRESS)
val agent = Agent(nc = nc, lp = lp)
agent.connect()
cb.expectAvailableCallbacks(agent.network, validated = false)
+ if (expectAddRule) {
+ verify(bpfNetMaps).setIngressDiscardRule(IPV6_ADDRESS, VPN_IFNAME)
+ } else {
+ verify(bpfNetMaps, never()).setIngressDiscardRule(any(), any())
+ }
+ }
+
+ @Test
+ fun testVpnIngressDiscardRule_ServiceVpn() {
+ doTestVpnIngressDiscardRule_VpnType(TYPE_VPN_SERVICE, expectAddRule = true)
+ }
+
+ @Test
+ fun testVpnIngressDiscardRule_LegacyVpn() {
// IngressDiscardRule should not be added to Legacy VPN
- verify(bpfNetMaps, never()).setIngressDiscardRule(any(), any())
+ doTestVpnIngressDiscardRule_VpnType(TYPE_VPN_LEGACY, expectAddRule = false)
+ }
+
+ @Test
+ fun testVpnIngressDiscardRule_OemVpn() {
+ // IngressDiscardRule should not be added to OEM VPN
+ doTestVpnIngressDiscardRule_VpnType(TYPE_VPN_OEM, expectAddRule = false)
}
}