Commit 4cb4240b authored by Lorenzo Colitti

Close open sockets when enabling firewall rules.

When enabling a firewall rule that will deny networking to apps,
first close any sockets opened by those apps. Just dropping an
app's packets without closing its connections has the following
problems:

1. The app has no way to know this has happened until a network
   timeout occurs.
2. The app's connections stay open, so the other end of the
   connection (e.g., a server) might continue to retransmit
   packets. These packets will wake up the kernel and cause
   battery drain, but we cannot respond to them because packets
   on those connections are dropped by the kernel (since the app
   is blackholed). So the other end might keep retransmitting.
3. Even though we think the connections are still open, the
   other end of the connection, or any intermediate NATs or
   firewalls, might time out and close the connection (e.g., by
   sending a RST). Because the app is blackholed, we have no way
   of knowing that this has happened, so when the app is granted
   network access again, these connections might just get stuck.

Bug: 27824851
Bug: 27867653
Change-Id: Iaaad1b26954fc5f1ba5c9ed8bdee039282f5e249
parent c0440e5f