Merge "kernel_test: remove cuttlefish exception for bpf-lsm" into main
diff --git a/server/Controllers.cpp b/server/Controllers.cpp
index 9765f16..48d0c50 100644
--- a/server/Controllers.cpp
+++ b/server/Controllers.cpp
@@ -60,6 +60,7 @@
static const std::vector<const char*> FILTER_INPUT = {
// Bandwidth should always be early in input chain, to make sure we
// correctly count incoming traffic against data plan.
+ OEM_IPTABLES_FILTER_INPUT,
BandwidthController::LOCAL_INPUT,
FirewallController::LOCAL_INPUT,
};
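Review bot: The new `OEM_IPTABLES_FILTER_INPUT` entry is placed ahead of `BandwidthController::LOCAL_INPUT`, directly under the comment that says bandwidth accounting must be early in the INPUT chain so incoming traffic is counted against the data plan; any terminating verdict an OEM puts in `oem_in` now runs before both `bw_INPUT` and `fw_INPUT`, so that traffic would escape accounting and the firewall chain. If the ordering is deliberate, the comment should say so and state the contract, e.g. `// oem_in is dispatched first; OEM rules must not ACCEPT, or traffic bypasses bandwidth accounting and the firewall chain.` Otherwise move the entry after the two LOCAL_INPUT chains. The same ordering is mirrored in the expected output added in ControllersTest.cpp, which would need to follow whichever choice is made.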
diff --git a/server/ControllersTest.cpp b/server/ControllersTest.cpp
index 05527d4..b6a28d3 100644
--- a/server/ControllersTest.cpp
+++ b/server/ControllersTest.cpp
@@ -74,6 +74,8 @@
"*filter\n"
":INPUT -\n"
"-F INPUT\n"
+ ":oem_in -\n"
+ "-A INPUT -j oem_in\n"
":bw_INPUT -\n"
"-A INPUT -j bw_INPUT\n"
":fw_INPUT -\n"
diff --git a/server/NetworkController.cpp b/server/NetworkController.cpp
index 85112bb..b236242 100644
--- a/server/NetworkController.cpp
+++ b/server/NetworkController.cpp
@@ -468,7 +468,7 @@
return -EEXIST;
}
- if (vpnType < NativeVpnType::SERVICE || NativeVpnType::OEM < vpnType) {
+ if (vpnType < NativeVpnType::SERVICE || NativeVpnType::OEM_LEGACY < vpnType) {
ALOGE("invalid vpnType %d", static_cast<int>(vpnType));
return -EINVAL;
}
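Review bot: The upper bound of the range check is now tied to `NativeVpnType::OEM_LEGACY`, which is only correct if that enumerator is and remains the highest member of the enum; the enum itself is not in the hunk, so this is inferred. A comment on the condition would keep the next added type from being silently rejected with EINVAL, e.g. `// OEM_LEGACY must stay the highest NativeVpnType value; update this bound when adding types.` The enclosing function begins outside the hunk.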
diff --git a/server/oem_iptables_hook.cpp b/server/oem_iptables_hook.cpp
index 39a6285..1973d29 100644
--- a/server/oem_iptables_hook.cpp
+++ b/server/oem_iptables_hook.cpp
@@ -14,62 +14,5 @@
* limitations under the License.
*/
-#include <stdio.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <errno.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <string>
-
-#define LOG_TAG "OemIptablesHook"
-#include <log/log.h>
-#include "NetdConstants.h"
-
-namespace {
-
-const char OEM_SCRIPT_PATH[] = "/system/bin/oem-iptables-init.sh";
-
-bool oemCleanupHooks() {
- static const std::string cmd4 =
- "*filter\n"
- ":oem_out -\n"
- ":oem_fwd -\n"
- "COMMIT\n"
- "*nat\n"
- ":oem_nat_pre -\n"
- "COMMIT\n";
-
- static const std::string cmd6 =
- "*filter\n"
- ":oem_out -\n"
- ":oem_fwd -\n"
- "COMMIT\n";
-
- return (execIptablesRestore(V4, cmd4) == 0 && execIptablesRestore(V6, cmd6) == 0);
-}
-
-bool oemInitChains() {
- int ret = system(OEM_SCRIPT_PATH); // NOLINT(cert-env33-c)
- if ((-1 == ret) || (0 != WEXITSTATUS(ret))) {
- ALOGE("%s failed: %s", OEM_SCRIPT_PATH, strerror(errno));
- oemCleanupHooks();
- return false;
- }
- return true;
-}
-
-} // namespace
-
void setupOemIptablesHook() {
- if (0 == access(OEM_SCRIPT_PATH, R_OK | X_OK)) {
- // The call to oemCleanupHooks() is superfluous when done on bootup,
- // but is needed for the case where netd has crashed/stopped and is
- // restarted.
- if (oemCleanupHooks() && oemInitChains()) {
- ALOGI("OEM iptable hook installed.");
- }
- }
}
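Review bot: `setupOemIptablesHook()` is left as an empty function with no comment explaining why it still exists, and the creation and cleanup of the `oem_out`/`oem_fwd`/`oem_nat_pre` chains that this file used to perform on netd start and restart is removed without anything in the diff showing where it now happens. If those chains are now created with the other netd chains alongside `oem_in`, say so at the definition, e.g. `// No-op: OEM chains are now created with the other netd chains in Controllers.cpp; kept so existing callers still link.` Dropping the `system()` call on `/system/bin/oem-iptables-init.sh` removes a shell-executed hook from a privileged daemon, which is a welcome change; if the empty function has no remaining callers it could be deleted together with its header declaration rather than kept as a stub.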
diff --git a/server/oem_iptables_hook.h b/server/oem_iptables_hook.h
index 5297b38..fb239ac 100644
--- a/server/oem_iptables_hook.h
+++ b/server/oem_iptables_hook.h
@@ -17,6 +17,7 @@
#ifndef _OEM_IPTABLES_HOOK_H
#define _OEM_IPTABLES_HOOK_H
+#define OEM_IPTABLES_FILTER_INPUT "oem_in"
#define OEM_IPTABLES_FILTER_OUTPUT "oem_out"
#define OEM_IPTABLES_FILTER_FORWARD "oem_fwd"
#define OEM_IPTABLES_NAT_PREROUTING "oem_nat_pre"
diff --git a/tests/kernel_test.cpp b/tests/kernel_test.cpp
index fbee8c6..f607d13 100644
--- a/tests/kernel_test.cpp
+++ b/tests/kernel_test.cpp
@@ -190,6 +190,15 @@
ASSERT_TRUE(configVerifier.hasOption("CONFIG_BPF_LSM"));
}
+// https://source.android.com/docs/compatibility/15/android-15-cdd#7452_ipv6 C-0-6
+// MUST provide third-party applications with direct IPv6 connectivity to the
+// network when connected to an IPv6 network, without any form of address
+// or port translation happening locally on the device.
+TEST(KernelTest, TestNoIpv6Nat) {
+ KernelConfigVerifier configVerifier;
+ ASSERT_FALSE(configVerifier.hasOption("CONFIG_IP6_NF_NAT"));
+}
+
TEST(KernelTest, TestSupportsCommonUsbEthernetDongles) {
KernelConfigVerifier configVerifier;
if (!configVerifier.hasModule("CONFIG_USB")) GTEST_SKIP() << "Exempt without USB support.";
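Review bot: `TestNoIpv6Nat` only checks `hasOption("CONFIG_IP6_NF_NAT")`, while the neighbouring test distinguishes `hasModule` from `hasOption`; if `hasOption` does not cover options built as loadable modules (`=m`), a kernel with IPv6 NAT available as a module would pass this assertion, which is not visible from the hunk. If that is the case, add `ASSERT_FALSE(configVerifier.hasModule("CONFIG_IP6_NF_NAT"));` so the CDD requirement quoted in the comment is actually enforced.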