(per request from Lorenzo)
We do bump block/clatd/dscp_policy requirements from 0.12 to 0.13,
but this effectively doesn't matter:
- Beta2 is too old either way (pre-0.12)
- Beta3 is new enough (0.13)
- versions in between are simply obsolete / unused / not important
- bpfloader 0.12 won't boot right anyway due to lack of netd maps/programs
(which cause a netd startup failure)
This allows us to have one less #define in the header files,
with a hard to write explanation about what exactly v0.12 is (or was).
Bug: 218408035
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1ecf15f9d7abbb82ec6bd49848255fab6a41aed4
(cherry picked from commit f769952212)
Merged-In: I1ecf15f9d7abbb82ec6bd49848255fab6a41aed4
In practice this doesn't actually really matter, since older versions
of the bpfloader won't even look in the relevant directories:
BpfLoader v0.9 is the first one that looks into
'/apex/com.android.tethering/etc/bpf/net_shared',
but it is only v0.12 that pins the resulting programs and maps
correctly into
/sys/fs/bpf/net_shared/
hence the annotations for block/clatd/dscp_policy.
BpfLoader v0.13 is the first one that looks into
'/apex/com.android.tethering/etc/bpf/netd_shared'
subdirectory and pins into
/sys/fs/bpf/netd_shared/
hence the annotation for netd.
But it's best to explicitly document the intent.
Note that in practice the mainline module will fail spectacularly
on a T OS if it can't find the programs and maps
(presumably due to the bpfloader being too old)
but will work on S even though the bpfloader there is much older,
because these programs/maps are not required on pre-T OS.
This change is thus really only documentation.
Bug: 218408035
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5ffa2faf83ca337b84e34b01df84436629989c58
(cherry picked from commit acebffb966)
Merged-In: I5ffa2faf83ca337b84e34b01df84436629989c58
In practice this function makes things readable and writable,
so use a less confusing name.
Test: TreeHugger, 'git grep try_make_readable' comes up empty
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I32faad148cc5714cf0ec7246620376ed4dd3d6d2
We now rely on the skb->mark = 0xDeadC1a7 setting side effect
for non offloadable packets, but for this to work reliably,
we *must* be able to read the ip header.
Test: TreeHugger, and on a gs101-based pixel
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ic2b15335099404047d136a92ce7aeeb1f11ccfa3
As Maze@'s advice, we add a clat mark to clat packet in ingress bpf
and drop the duplicate packets in iptables via mark match.
Bug: 218407445
Test: manual test with unmerged aosp/1951099
0. Connect to IPv6-only wifi
1. Clatd test: ping 5 times and check that iptables drop 5 packets by
mark 0xdeadc1a7.
$ adb shell ping 8.8.8.8
..
64 bytes from 8.8.8.8: icmp_seq=4 ttl=120 time=14.3 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=120 time=67.4 ms
$ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
Chain bw_raw_PREROUTING (1 references)
pkts bytes target prot opt in out source destination
5 520 DROP all any any anywhere anywhere mark match 0xdeadc1a7
0 0 RETURN all ipsec+ any anywhere anywhere
0 0 RETURN all any any anywhere anywhere policy match dir in pol ipsec
1661 1239K all any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf
2. Bpf test: run iperf to an IPv4 server and iptables doesn't see
offloaded packet with mark 0xdeadc1a7. Drop packet count (5) is
unchanged.
$ adb shell iperf3 -4 -c 117.102.109.186 -t1
Connecting to host 117.102.109.186, port 5201
[ 5] local 192.0.0.4 port 56242 connected to 117.102.109.186 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 622 KBytes 5.09 Mbits/sec 0 44.0 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-1.00 sec 622 KBytes 5.09 Mbits/sec 0 sender
[ 5] 0.00-1.00 sec 201 KBytes 1.64 Mbits/sec receiver
$ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
Chain bw_raw_PREROUTING (1 references)
pkts bytes target prot opt in out source destination
5 520 DROP all any any anywhere anywhere mark match 0xdeadc1a7
0 0 RETURN all ipsec+ any anywhere anywhere
0 0 RETURN all any any anywhere anywhere policy match dir in pol ipsec
1804 1280K all any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf
3. Enable USB tethering. Do ping and iperf on tethered client.
4. Clatd test: ping 5 times and check that iptables drop 5 packets
(count from 5 to 10) by mark 0xdeadc1a7.
$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
..
64 bytes from 8.8.8.8: icmp_seq=4 ttl=119 time=13.7 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=119 time=15.9 ms
$ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
Chain bw_raw_PREROUTING (1 references)
pkts bytes target prot opt in out source destination
10 1040 DROP all any any anywhere anywhere mark match 0xdeadc1a7
0 0 RETURN all ipsec+ any anywhere anywhere
0 0 RETURN all any any anywhere anywhere policy match dir in pol ipsec
1900 1298K all any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf
5. Bpf test: run iperf to an IPv4 server and iptables doesn't see
offloaded packet with mark 0xdeadc1a7. Drop packet count (10) is
unchanged.
$ iperf3 -4 -c 117.102.109.186 -t1
Connecting to host 117.102.109.186, port 5201
[ 5] local 192.168.235.233 port 41602 connected to 117.102.109.186 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 3.19 MBytes 26.8 Mbits/sec 0 369 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-1.00 sec 3.19 MBytes 26.8 Mbits/sec 0 sender
[ 5] 0.00-1.00 sec 2.58 MBytes 21.7 Mbits/sec receiver
$ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
Chain bw_raw_PREROUTING (1 references)
pkts bytes target prot opt in out source destination
10 1040 DROP all any any anywhere anywhere mark match 0xdeadc1a7
0 0 RETURN all ipsec+ any anywhere anywhere
0 0 RETURN all any any anywhere anywhere policy match dir in pol ipsec
1978 1320K all any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf
Change-Id: I180206bb15a1362c678f42fb980b60dfed6ce1ab
Maciej Żenczykowski
Hungming Chen