Make the VPN rule only to originated, not forwarded, traffic.

Currently the VPN rule for the primary user will match every
forwarded packet on the system, because it specifies a UID range
that includes 0, and forwarded packets have UID 0.

Use "iif lo" to limit the rule match to locally-originated
traffic. This requires a kernel that sets the loopback ifindex.
when originating packets. Anything based on 3.10 is fine, but
devices using 3.4 will need a one-line change for IPv6.

Bug: 19500693
Change-Id: Iaab88bed62716dc1cea33b45c4e258f6b3bfc9d0
1 file changed
tree: f85bf1d8642cb805ca3e5232c68323b47a6eff8d
  1. client/
  2. include/
  3. server/