
Commit ab80e1fb authored by Benedict Wong's avatar Benedict Wong

Disable attempted updating of SA marks

SA marks are never updated during the UPDSA call. This change disables
the attempts to update the specified SAs, ensuring that the config
stored in IpSecService matches that of the allocated kernel resources.

Bug: 111854872
Test: Unit, CTS tests passing
Change-Id: Ic1fb862c8021ffa260c3e262ec698d8af0a826d9
parent 4492ec57
+13 −1
@@ -65,7 +65,7 @@ public final class IpSecConfig implements Parcelable {
    // An interval, in seconds between the NattKeepalive packets
    private int mNattKeepaliveInterval;

    // XFRM mark and mask
    // XFRM mark and mask; defaults to 0 (no mark/mask)
    private int mMarkValue;
    private int mMarkMask;

@@ -125,10 +125,22 @@ public final class IpSecConfig implements Parcelable {
        mNattKeepaliveInterval = interval;
    }

    /**
     * Sets the mark value
     *
     * <p>Internal (System server) use only. Marks passed in by users will be overwritten or
     * ignored.
     */
    public void setMarkValue(int mark) {
        mMarkValue = mark;
    }

    /**
     * Sets the mark mask
     *
     * <p>Internal (System server) use only. Marks passed in by users will be overwritten or
     * ignored.
     */
    public void setMarkMask(int mask) {
        mMarkMask = mask;
    }
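Review bot: The new javadoc on setMarkValue and setMarkMask promises that "Marks passed in by users will be overwritten or ignored", but nothing in IpSecConfig enforces that — both setters stay public and accept any int, so a reader of this class alone cannot tell where the guarantee comes from. The only enforcement visible on this page is the reset in IpSecService.checkIpSecConfig, and the doc should point there, e.g. `* <p>Not a trusted input: IpSecService resets this to 0 when it validates the config.`. If IpSecConfig is part of the SDK surface (not visible from this hunk), the two setters should also carry `@hide` so the "system server only" contract is reflected in the API, not just in prose. The field comment `// XFRM mark and mask; defaults to 0 (no mark/mask)` relies on Java's implicit int default; that is correct, but an explicit `= 0` would make the documented default self-evident.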
+15 −5
@@ -24,6 +24,7 @@ import static android.system.OsConstants.AF_UNSPEC;
import static android.system.OsConstants.EINVAL;
import static android.system.OsConstants.IPPROTO_UDP;
import static android.system.OsConstants.SOCK_DGRAM;

import static com.android.internal.util.Preconditions.checkNotNull;

import android.annotation.NonNull;
@@ -62,6 +63,8 @@ import com.android.internal.annotations.GuardedBy;
import com.android.internal.annotations.VisibleForTesting;
import com.android.internal.util.Preconditions;

import libcore.io.IoUtils;

import java.io.FileDescriptor;
import java.io.IOException;
import java.io.PrintWriter;
@@ -73,8 +76,6 @@ import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

import libcore.io.IoUtils;

/**
 * A service to manage multiple clients that want to access the IpSec API. The service is
 * responsible for maintaining a list of clients and managing the resources (and related quotas)
@@ -1523,6 +1524,9 @@ public class IpSecService extends IIpSecService.Stub {
                throw new IllegalArgumentException(
                        "Invalid IpSecTransform.mode: " + config.getMode());
        }

        config.setMarkValue(0);
        config.setMarkMask(0);
    }

    private static final String TUNNEL_OP = AppOpsManager.OPSTR_MANAGE_IPSEC_TUNNELS;
@@ -1740,8 +1744,14 @@ public class IpSecService extends IIpSecService.Stub {
                        : tunnelInterfaceInfo.getIkey();

        try {
            c.setMarkValue(mark);
            c.setMarkMask(0xffffffff);
            // TODO: enable this when UPDSA supports updating marks. Adding kernel support upstream
            //     (and backporting) would allow us to narrow the mark space, and ensure that the SA
            //     and SPs have matching marks (as VTI are meant to be built).
            // Currently update does nothing with marks. Leave empty (defaulting to 0) to ensure the
            //     config matches the actual allocated resources in the kernel.
            //
            // c.setMarkValue(mark);
            // c.setMarkMask(0xffffffff);

            if (direction == IpSecManager.DIRECTION_OUT) {
                // Set output mark via underlying network (output only)
@@ -1758,7 +1768,7 @@ public class IpSecService extends IIpSecService.Stub {
                                    tunnelInterfaceInfo.getLocalAddress(),
                                    tunnelInterfaceInfo.getRemoteAddress(),
                                    transformInfo.getSpiRecord().getSpi(),
                                    mark,
                                    mark, // Must always set policy mark; ikey/okey for VTIs
                                    0xffffffff);
                }
            }
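Review bot: With `c.setMarkValue(mark)` / `c.setMarkMask(0xffffffff)` commented out in the tunnel-mode hunk, whatever mark `c` already carries is what ends up on the SA, while the policy a few lines below is still installed with `mark` and `0xffffffff`; that is only consistent if `c` has already been through checkIpSecConfig, whose new trailing `config.setMarkValue(0); config.setMarkMask(0);` is the sole place on this page where caller-supplied marks are discarded, and I cannot see from this hunk where `c` is constructed. That reset is the security-relevant line of the commit and deserves a why-comment, e.g. `// Marks are assigned by the system server only; drop any caller-supplied value so the stored config matches the kernel SA.`. The two commented-out calls should be deleted rather than kept under the TODO — the bug id and the sentence above them already say what to restore, and the lines are recoverable from history. The enclosing tunnel-mode method starts before and continues after this hunk.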