commit d7e71641f6ae7e372795c22fe293d63373a898d2
author Sreeram Ramachandran <sreeram@google.com> Wed Jul 09 23:01:30 2014 -0700
committer Sreeram Ramachandran <sreeram@google.com> Thu Jul 10 17:54:03 2014 +0000
tree 69014cfa9caa25303eb4c05ec3dfcf6ef42c5712
parent 81c295e1c843612408d0de26fe383cebc0a80313

Block address families by default in VpnService.

If a VpnService only configures IPv4 addresses, routes and DNS servers, block
IPv6 by default, and vice versa. Also add an API to unblock a family without
needing to add an address, route or DNS server.

New API with stub implementation to be filled out later.

Bug: 15972465
Change-Id: I70d4d5c30ee71802610f6e16f100db6cbccef42c

core/java/android/net/VpnService.java

diff --git a/core/java/android/net/VpnService.java b/core/java/android/net/VpnService.java
index 1bd5607..7c62bf6 100644
--- a/core/java/android/net/VpnService.java
+++ b/core/java/android/net/VpnService.java
@@ -16,6 +16,9 @@
 
 package android.net;
 
+import static android.system.OsConstants.AF_INET;
+import static android.system.OsConstants.AF_INET6;
+
 import android.app.Activity;
 import android.app.PendingIntent;
 import android.app.Service;
@@ -360,6 +363,9 @@
          * addresses are supported. At least one address must be set before
          * calling {@link #establish}.
          *
+         * Adding an address implicitly allows traffic from that address family
+         * (i.e., IPv4 or IPv6) to be routed over the VPN. @see #allowFamily
+         *
          * @throws IllegalArgumentException if the address is invalid.
          */
         public Builder addAddress(InetAddress address, int prefixLength) {
@@ -377,6 +383,9 @@
          * using a numeric address string. See {@link InetAddress} for the
          * definitions of numeric address formats.
          *
+         * Adding an address implicitly allows traffic from that address family
+         * (i.e., IPv4 or IPv6) to be routed over the VPN. @see #allowFamily
+         *
          * @throws IllegalArgumentException if the address is invalid.
          * @see #addAddress(InetAddress, int)
          */
@@ -388,6 +397,9 @@
          * Add a network route to the VPN interface. Both IPv4 and IPv6
          * routes are supported.
          *
+         * Adding a route implicitly allows traffic from that address family
+         * (i.e., IPv4 or IPv6) to be routed over the VPN. @see #allowFamily
+         *
          * @throws IllegalArgumentException if the route is invalid.
          */
         public Builder addRoute(InetAddress address, int prefixLength) {
@@ -411,6 +423,9 @@
          * using a numeric address string. See {@link InetAddress} for the
          * definitions of numeric address formats.
          *
+         * Adding a route implicitly allows traffic from that address family
+         * (i.e., IPv4 or IPv6) to be routed over the VPN. @see #allowFamily
+         *
          * @throws IllegalArgumentException if the route is invalid.
          * @see #addRoute(InetAddress, int)
          */
@@ -423,6 +438,9 @@
          * addresses are supported. If none is set, the DNS servers of
          * the default network will be used.
          *
+         * Adding a server implicitly allows traffic from that address family
+         * (i.e., IPv4 or IPv6) to be routed over the VPN. @see #allowFamily
+         *
          * @throws IllegalArgumentException if the address is invalid.
          */
         public Builder addDnsServer(InetAddress address) {
@@ -441,6 +459,9 @@
          * using a numeric address string. See {@link InetAddress} for the
          * definitions of numeric address formats.
          *
+         * Adding a server implicitly allows traffic from that address family
+         * (i.e., IPv4 or IPv6) to be routed over the VPN. @see #allowFamily
+         *
          * @throws IllegalArgumentException if the address is invalid.
          * @see #addDnsServer(InetAddress)
          */
@@ -460,6 +481,29 @@
         }
 
         /**
+         * Allows traffic from the specified address family.
+         *
+         * By default, if no address, route or DNS server of a specific family (IPv4 or IPv6) is
+         * added to this VPN, then all outgoing traffic of that family is blocked. If any address,
+         * route or DNS server is added, that family is allowed.
+         *
+         * This method allows an address family to be unblocked even without adding an address,
+         * route or DNS server of that family. Traffic of that family will then typically
+         * fall-through to the underlying network if it's supported.
+         *
+         * {@code family} must be either {@code AF_INET} (for IPv4) or {@code AF_INET6} (for IPv6).
+         * {@link IllegalArgumentException} is thrown if it's neither.
+         *
+         * @param family The address family ({@code AF_INET} or {@code AF_INET6}) to allow.
+         *
+         * @return this {@link Builder} object to facilitate chaining of method calls.
+         */
+        public Builder allowFamily(int family) {
+            // TODO
+            return this;
+        }
+
+        /**
          * Create a VPN interface using the parameters supplied to this
          * builder. The interface works on IP packets, and a file descriptor
          * is returned for the application to access them. Each read