Remove explicitlySelected bit for vpn fallthrough rule
Previously, netd used explicitlySelected bit to ensure that
the VPN fallthrough rule does not match if a non-zero NetId was
explicitly specified. This is inconsistent with the normal case
of an application that is subject to the VPN, because in that case,
the fallthrough rule does match.
This commit removes the explicitlySelected bit and relaxes the guarantee.
This ensures that the behaviour of an app that selects the VPN network
is the same as the behaviour of an app that specifies no network but
is subject to the VPN.
VPN traffic will fall through to the default network if no route is hit in the VPN
route table.
Assume vpn netId is 102, default network interface is wlan0 with no
permission. Below is the result of the route rule before/after this commit.
Before:
21000: from all fwmark 0x10066/0x1ffff lookup wlan0
After:
21000: from all fwmark 0x66/0xffff lookup wlan0
Bug: 119216095
Test: built, flashed, booted
system/netd/tests/runtests.sh
Change-Id: I03411644dc82cabcaf1f3274a17f36ec4e173c2e
diff --git a/server/RouteController.cpp b/server/RouteController.cpp
index d993c85..3b9b7cb 100644
--- a/server/RouteController.cpp
+++ b/server/RouteController.cpp
@@ -610,8 +610,7 @@
// A rule to enable split tunnel VPNs.
//
// If a packet with a VPN's netId doesn't find a route in the VPN's routing table, it's allowed to
-// go over the default network, provided it wasn't explicitly restricted to the VPN and has the
-// permissions required by the default network.
+// go over the default network, provided it has the permissions required by the default network.
WARN_UNUSED_RESULT int RouteController::modifyVpnFallthroughRule(uint16_t action, unsigned vpnNetId,
const char* physicalInterface,
Permission permission) {
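Review bot: the rewritten comment on the `+` line drops the explicitlySelected clause but does not say what that means for callers: after this change, a packet that was explicitly bound to the VPN's netId can also leave over the default network when the VPN table has no route for it, and the default network's permission check becomes the only remaining gate on the fallthrough. Since that is the behavioural change the commit message spends most of its text justifying, spell it out here, e.g. "This applies whether or not the socket explicitly selected the VPN; permission is the only restriction.", so a reader of RouteController.cpp does not have to dig through history to learn that the explicitly-selected guarantee was intentionally removed.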
@@ -626,9 +625,6 @@
fwmark.netId = vpnNetId;
mask.netId = FWMARK_NET_ID_MASK;
- fwmark.explicitlySelected = false;
- mask.explicitlySelected = true;
-
fwmark.permission = permission;
mask.permission = permission;
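Review bot: removing `mask.explicitlySelected = true;` means the rule's match on that bit now depends entirely on how `fwmark` and `mask` are initialised above this hunk, which is not visible here; confirm both objects are value-initialised so the bit is zero in the mask, since the remaining assignments only touch `netId` and `permission`. The commit message's before/after output (mask 0x1ffff -> 0xffff) is consistent with that, but the Test line only lists "built, flashed, booted" and runtests.sh, so add or name a test that checks an explicitly selected VPN netId is now matched by the fallthrough rule, and one that a packet lacking the default network's permission still is not.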