
Commit 917c547b authored by Lorenzo Colitti's avatar Lorenzo Colitti Committed by Android (Google) Code Review

Merge "Don't make lockdown VPN source firewall rules over-broad." into lmp-dev

parents 28dcf034 02c7abac
+10 −2
@@ -190,7 +190,7 @@ public class LockdownVpnTracker {

                mNetService.setFirewallInterfaceRule(iface, true);
                for (LinkAddress addr : sourceAddrs) {
                    mNetService.setFirewallEgressSourceRule(addr.toString(), true);
                    setFirewallEgressSourceRule(addr, true);
                }

                mErrorCount = 0;
@@ -277,7 +277,7 @@ public class LockdownVpnTracker {
            }
            if (mAcceptedSourceAddr != null) {
                for (LinkAddress addr : mAcceptedSourceAddr) {
                    mNetService.setFirewallEgressSourceRule(addr.toString(), false);
                    setFirewallEgressSourceRule(addr, false);
                }
                mAcceptedSourceAddr = null;
            }
@@ -286,6 +286,14 @@ public class LockdownVpnTracker {
        }
    }

    private void setFirewallEgressSourceRule(
            LinkAddress address, boolean allow) throws RemoteException {
        // Our source address based firewall rules must only cover our own source address, not the
        // whole subnet
        final String addrString = address.getAddress().getHostAddress();
        mNetService.setFirewallEgressSourceRule(addrString, allow);
    }

    public void onNetworkInfoChanged() {
        synchronized (mStateLock) {
            handleStateChangedLocked();
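Review bot: In the new `setFirewallEgressSourceRule(LinkAddress, boolean)` helper, `getHostAddress()` can return a scoped literal (constructed example: `fe80::1%wlan0`) when the underlying `Inet6Address` carries a scope id. Nothing visible on this page shows whether `mNetService.setFirewallEgressSourceRule` accepts that form. If a VPN source address can ever be link-local, the allow rule might fail to install, so it is worth confirming that case or stating in the comment that only unscoped addresses are expected. The comment would also be more useful to the next reader if it named the cause, for example `// LinkAddress.toString() appends "/prefixLength", so passing it made the rule cover the whole subnet`. A further line could say that install and teardown must both go through this helper, so the string removed is the same one that was added.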