Android/frameworks_base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge "Don't make lockdown VPN source firewall rules over-broad." into lmp-dev

Browse Source
This commit is contained in:
Lorenzo Colitti
2014-10-16 08:45:02 +00:00
committed by Android (Google) Code Review
parent 28dcf0345b 02c7abac85
commit 917c547beb
1 changed files with 10 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
services/core/java/com/android/server/net/LockdownVpnTracker.java
View File

@@ -190,7 +190,7 @@ public class LockdownVpnTracker {
mNetService.setFirewallInterfaceRule(iface, true);
for (LinkAddress addr : sourceAddrs) {
mNetService.setFirewallEgressSourceRule(addr.toString(), true);
setFirewallEgressSourceRule(addr, true);
}
mErrorCount = 0;
@@ -277,7 +277,7 @@ public class LockdownVpnTracker {
}
if (mAcceptedSourceAddr != null) {
for (LinkAddress addr : mAcceptedSourceAddr) {
mNetService.setFirewallEgressSourceRule(addr.toString(), false);
setFirewallEgressSourceRule(addr, false);
}
mAcceptedSourceAddr = null;
}
@@ -286,6 +286,14 @@ public class LockdownVpnTracker {
}
}
private void setFirewallEgressSourceRule(
LinkAddress address, boolean allow) throws RemoteException {
// Our source address based firewall rules must only cover our own source address, not the
// whole subnet
final String addrString = address.getAddress().getHostAddress();
mNetService.setFirewallEgressSourceRule(addrString, allow);
}
public void onNetworkInfoChanged() {
synchronized (mStateLock) {
handleStateChangedLocked();