Add Functions to flush SADB, Policy DB, and Ifaces
-Add ipSecFlushState() which flushes the kernel's
SA DB and Policy DB.
-Add ipSecFlushInterfaces() which seeks and removes
any interfaces that have the prefix 'ipsec'
-Automatically call these functions when netd restarts
-Make XfrmController's methods static
-Add integration tests to verify flushing of policy
states, and interfaces
-Convert XfrmController functions to static for easier
testability
Bug: 74560705
Test: runtest ...netd_integration_test.cpp
Merged-In: Id60e7c29ff9aeee7f5ccd505b86c94cce858745f
Change-Id: Id60e7c29ff9aeee7f5ccd505b86c94cce858745f
(cherry picked from commit f5646cde551de44ba10b61c2d5cecb414847d454)
diff --git a/server/XfrmController.h b/server/XfrmController.h
index 298fae6..f21dfa1 100644
--- a/server/XfrmController.h
+++ b/server/XfrmController.h
@@ -125,14 +125,16 @@
public:
XfrmController();
- netdutils::Status ipSecSetEncapSocketOwner(const android::base::unique_fd& socket, int newUid,
- uid_t callerUid);
+ static netdutils::Status Init();
- netdutils::Status ipSecAllocateSpi(int32_t transformId, const std::string& localAddress,
- const std::string& remoteAddress, int32_t inSpi,
- int32_t* outSpi);
+ static netdutils::Status ipSecSetEncapSocketOwner(const android::base::unique_fd& socket,
+ int newUid, uid_t callerUid);
- netdutils::Status ipSecAddSecurityAssociation(
+ static netdutils::Status ipSecAllocateSpi(int32_t transformId, const std::string& localAddress,
+ const std::string& remoteAddress, int32_t inSpi,
+ int32_t* outSpi);
+
+ static netdutils::Status ipSecAddSecurityAssociation(
int32_t transformId, int32_t mode, const std::string& sourceAddress,
const std::string& destinationAddress, int32_t underlyingNetId, int32_t spi,
int32_t markValue, int32_t markMask, const std::string& authAlgo,
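Review bot: `static netdutils::Status Init();` at line 26 is declared with no comment saying what it does, and the same is true of the new private `flushInterfaces()`, `flushSaDb()` and `flushPolicyDb()` declarations in the last hunk of this file. The commit message says the new code flushes the kernel's entire SA and policy databases and removes every interface carrying the `ipsec` prefix when netd restarts; that is a scope a reader of the header needs to know, because a flush of the whole XFRM database would presumably also discard state that netd did not install, which is worth confirming and stating explicitly. Suggested comment above `Init()`: `// Run once at netd startup (per the commit description; confirm): resets kernel IPsec state by flushing the SA and policy databases and removing every 'ipsec'-prefixed interface.` The three private helpers would each take a one-line comment in the same form, and `flushSaDb`/`flushPolicyDb` could name their parameter `sock`, as `updateTunnelModeSecurityPolicy` does, rather than `s`. Separately, the non-static constructor at line 23 survives while every public method is now static; if the class holds no instance state any more, the constructor is dead weight and should go unless something still instantiates the controller.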
@@ -141,41 +143,43 @@
const std::vector<uint8_t>& aeadKey, int32_t aeadIcvBits, int32_t encapType,
int32_t encapLocalPort, int32_t encapRemotePort);
- netdutils::Status ipSecDeleteSecurityAssociation(int32_t transformId,
- const std::string& sourceAddress,
- const std::string& destinationAddress,
- int32_t spi, int32_t markValue,
- int32_t markMask);
+ static netdutils::Status ipSecDeleteSecurityAssociation(int32_t transformId,
+ const std::string& sourceAddress,
+ const std::string& destinationAddress,
+ int32_t spi, int32_t markValue,
+ int32_t markMask);
- netdutils::Status ipSecApplyTransportModeTransform(const android::base::unique_fd& socket,
- int32_t transformId, int32_t direction,
- const std::string& localAddress,
- const std::string& remoteAddress,
- int32_t spi);
+ static netdutils::Status
+ ipSecApplyTransportModeTransform(const android::base::unique_fd& socket, int32_t transformId,
+ int32_t direction, const std::string& localAddress,
+ const std::string& remoteAddress, int32_t spi);
- netdutils::Status ipSecRemoveTransportModeTransform(const android::base::unique_fd& socket);
+ static netdutils::Status
+ ipSecRemoveTransportModeTransform(const android::base::unique_fd& socket);
- netdutils::Status ipSecAddSecurityPolicy(int32_t transformId, int32_t direction,
- const std::string& sourceAddress,
- const std::string& destinationAddress, int32_t spi,
- int32_t markValue, int32_t markMask);
+ static netdutils::Status ipSecAddSecurityPolicy(int32_t transformId, int32_t direction,
+ const std::string& sourceAddress,
+ const std::string& destinationAddress,
+ int32_t spi, int32_t markValue,
+ int32_t markMask);
- netdutils::Status ipSecUpdateSecurityPolicy(int32_t transformId, int32_t direction,
- const std::string& sourceAddress,
- const std::string& destinationAddress, int32_t spi,
- int32_t markValue, int32_t markMask);
+ static netdutils::Status ipSecUpdateSecurityPolicy(int32_t transformId, int32_t direction,
+ const std::string& sourceAddress,
+ const std::string& destinationAddress,
+ int32_t spi, int32_t markValue,
+ int32_t markMask);
- netdutils::Status ipSecDeleteSecurityPolicy(int32_t transformId, int32_t direction,
- const std::string& sourceAddress,
- const std::string& destinationAddress,
- int32_t markValue, int32_t markMask);
+ static netdutils::Status ipSecDeleteSecurityPolicy(int32_t transformId, int32_t direction,
+ const std::string& sourceAddress,
+ const std::string& destinationAddress,
+ int32_t markValue, int32_t markMask);
- int addVirtualTunnelInterface(const std::string& deviceName,
- const std::string& localAddress,
- const std::string& remoteAddress,
- int32_t ikey, int32_t okey, bool isUpdate);
+ static int addVirtualTunnelInterface(const std::string& deviceName,
+ const std::string& localAddress,
+ const std::string& remoteAddress, int32_t ikey,
+ int32_t okey, bool isUpdate);
- int removeVirtualTunnelInterface(const std::string& deviceName);
+ static int removeVirtualTunnelInterface(const std::string& deviceName);
// Some XFRM netlink attributes comprise a header, a struct, and some data
// after the struct. We wrap all of those in one struct for easier
@@ -323,9 +327,9 @@
static netdutils::Status processSecurityPolicy(int32_t transformId, int32_t direction,
const std::string& localAddress,
- const std::string& remoteAddress,
- int32_t spi, int32_t markValue,
- int32_t markMask, int32_t msgType);
+ const std::string& remoteAddress, int32_t spi,
+ int32_t markValue, int32_t markMask,
+ int32_t msgType);
static netdutils::Status updateTunnelModeSecurityPolicy(const XfrmSaInfo& record,
const XfrmSocket& sock,
XfrmDirection direction,
@@ -333,6 +337,10 @@
static netdutils::Status deleteTunnelModeSecurityPolicy(const XfrmSaInfo& record,
const XfrmSocket& sock,
XfrmDirection direction);
+ static netdutils::Status flushInterfaces();
+ static netdutils::Status flushSaDb(const XfrmSocket& s);
+ static netdutils::Status flushPolicyDb(const XfrmSocket& s);
+
// END TODO(messagerefactor)
};