Offer to detect non-SSL/TLS network traffic.

Introduces new module that provides network-related features for
the StrictMode developer API.  The first feature offers to detect
sockets sending data not wrapped inside a layer of SSL/TLS

This carefully only adds overhead to UIDs that have requested
detection, and it uses CONNMARK to quickly accept/reject packets
from streams that have already been inspected.  Detection is done
by looking for a well-known TLS handshake header; it's not future
proof, but it's a good start.  Handles both IPv4 and IPv6.

When requested, we also log the triggering packet through NFLOG and
back up to the framework to aid investigation.

Bug: 18335678
Change-Id: Ie8fab785139dfb55a71b6dc7a0f3c75a8408224b
10 files changed
tree: aceefeed8789d8a4145c4b467f98e10538d66f1a
  1. client/
  2. include/
  3. server/