Don't make lockdown VPN source firewall rules over-broad. (02c7abac) · Commits · e / os / android_frameworks_base

services/core/java/com/android/server/net/LockdownVpnTracker.java

+10 −2

Original line number	Diff line number	Diff line
		@@ -190,7 +190,7 @@ public class LockdownVpnTracker {

		mNetService.setFirewallInterfaceRule(iface, true);
		for (LinkAddress addr : sourceAddrs) {
		mNetService.setFirewallEgressSourceRule(addr.toString(), true);
		setFirewallEgressSourceRule(addr, true);
		}

		mErrorCount = 0;
		@@ -277,7 +277,7 @@ public class LockdownVpnTracker {
		}
		if (mAcceptedSourceAddr != null) {
		for (LinkAddress addr : mAcceptedSourceAddr) {
		mNetService.setFirewallEgressSourceRule(addr.toString(), false);
		setFirewallEgressSourceRule(addr, false);
		}
		mAcceptedSourceAddr = null;
		}
		@@ -286,6 +286,14 @@ public class LockdownVpnTracker {
		}
		}

		private void setFirewallEgressSourceRule(
		LinkAddress address, boolean allow) throws RemoteException {
		// Our source address based firewall rules must only cover our own source address, not the
		// whole subnet
		final String addrString = address.getAddress().getHostAddress();
		mNetService.setFirewallEgressSourceRule(addrString, allow);
		}

		public void onNetworkInfoChanged() {
		synchronized (mStateLock) {
		handleStateChangedLocked();