Make the VPN rule apply only to originated, not forwarded, traffic.

Currently the VPN rule for the primary user will match every
forwarded packet on the system, because it specifies a UID range
that includes 0, and forwarded packets have UID 0.

Use "iif lo" to limit the rule match to locally-originated
traffic. This requires a kernel that sets the loopback ifindex
when originating packets. Anything based on 3.10 is fine, but
devices using 3.4 will need a one-line change for IPv6.

Bug: 19500693
Change-Id: Iaab88bed62716dc1cea33b45c4e258f6b3bfc9d0
diff --git a/server/RouteController.cpp b/server/RouteController.cpp
index a7d823b..6a6a470 100644
--- a/server/RouteController.cpp
+++ b/server/RouteController.cpp
@@ -84,6 +84,7 @@
 const char* const IP_VERSIONS[] = {"-4", "-6"};
 
 const uid_t UID_ROOT = 0;
+const char* const IIF_LOOPBACK = "lo";
 const char* const IIF_NONE = NULL;
 const char* const OIF_NONE = NULL;
 const bool ACTION_ADD = true;
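Review bot: IIF_LOOPBACK is declared beside IIF_NONE with no comment, and the name reads as "traffic arriving on the loopback interface", whereas the commit message uses it to mean locally-originated packets. A short comment above `const char* const IIF_LOOPBACK = "lo";` stating that matching on iif lo selects packets originated on this host, and that this relies on the kernel setting the loopback ifindex when originating packets, would keep a later reader from reusing it as a generic interface name.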
@@ -483,7 +484,7 @@
     }
 
     return modifyIpRule(add ? RTM_NEWRULE : RTM_DELRULE, priority, table, fwmark.intValue,
-                        mask.intValue, IIF_NONE, OIF_NONE, uidStart, uidEnd);
+                        mask.intValue, IIF_LOOPBACK, OIF_NONE, uidStart, uidEnd);
 }
 
 // A rule to allow system apps to send traffic over this VPN even if they are not part of the target
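Review bot: the modifyIpRule call now passes IIF_LOOPBACK unconditionally, while the commit message says 3.4-based kernels need a separate one-line change before IPv6 originated packets carry the loopback ifindex. On a kernel without that change the rule would no longer match the originated IPv6 traffic it is meant to send to the VPN table, so the kernel requirement deserves a comment at this call site, and it is worth confirming how affected devices are covered: either the kernel change lands first, or a test checks that originated IPv6 traffic from a UID in uidStart..uidEnd still selects the VPN table.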