Don't require permissions for high-priority oif rules.
The intent of the high-priority oif rules added in ag/644462 was
to ensure that the kernel can send packets and forward packets to
a given interface by specifying only the oif. However, if a
network requires permissions, the high-priority oif rules we
create require those permission bits in the firewall mark, which
means the kernel cannot use them.
Therefore, remove the permissions check.
Test: builds
Test: netd_{unit,integration}_test pass
Change-Id: I73d7eb349c4c20d0d5efe05219a89cff5015a330
diff --git a/server/RouteController.cpp b/server/RouteController.cpp
index 8e3a4a9..f6c0d47 100644
--- a/server/RouteController.cpp
+++ b/server/RouteController.cpp
@@ -90,6 +90,8 @@
const uint8_t AF_FAMILIES[] = {AF_INET, AF_INET6};
const uid_t UID_ROOT = 0;
+const uint32_t FWMARK_NONE = 0;
+const uint32_t MASK_NONE = 0;
const char* const IIF_LOOPBACK = "lo";
const char* const IIF_NONE = NULL;
const char* const OIF_NONE = NULL;
@@ -536,10 +538,10 @@
mask.permission = permission;
// If this rule does not specify a UID range, then also add a corresponding high-priority rule
- // for UID. This covers forwarded packets and system daemons such as the tethering DHCP server.
+ // for root. This covers forwarded packets and system daemons such as the tethering DHCP server.
if (uidStart == INVALID_UID && uidEnd == INVALID_UID) {
if (int ret = modifyIpRule(add ? RTM_NEWRULE : RTM_DELRULE, RULE_PRIORITY_VPN_OVERRIDE_OIF,
- table, fwmark.intValue, mask.intValue, IIF_NONE, interface,
+ table, FWMARK_NONE, MASK_NONE, IIF_NONE, interface,
UID_ROOT, UID_ROOT)) {
return ret;
}
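Review bot: Once the fwmark and mask are zeroed on the high-priority override rule, the `UID_ROOT, UID_ROOT` range on the following line is the only thing gating which packets may select this table, and the comment above the block does not say so; a root-uid socket that sets the oif now reaches the table whether or not its mark carries the network's permission bits. That invariant deserves a comment at the rule, e.g. `// Match on oif and root uid only: kernel-forwarded and kernel-originated packets carry no permission bits in their fwmark, so the uid range is the sole restriction on this rule.` It would also be worth having netd_unit_test assert that the emitted rule has mask 0, so a later refactor cannot silently reintroduce the permission requirement this change removes. The enclosing function starts and ends outside the hunk, so I cannot see whether `fwmark`/`mask` are still used by the non-root rule below.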