Add XFRM_MIGRATE support and freeze INetd v12.
This commit updates netd_aidl_interface to support
migrating an IPsec tunnel mode SA to different source
and destination addresses.
The files under server/aidl_api/netd_aidl_interface/12/ are
generated by "m netd_aidl_interface-freeze-api".
Bug: 169170985
Test: atest netd_integration_test (new tests)
Change-Id: I89b54272c1528f12e6351819e0efe666af7a2946
diff --git a/staticlibs/netd/binder/android/net/INetd.aidl b/staticlibs/netd/binder/android/net/INetd.aidl
index 8bf8e5b..dff07c6 100644
--- a/staticlibs/netd/binder/android/net/INetd.aidl
+++ b/staticlibs/netd/binder/android/net/INetd.aidl
@@ -18,6 +18,7 @@
import android.net.INetdUnsolicitedEventListener;
import android.net.InterfaceConfigurationParcel;
+import android.net.IpSecMigrateInfoParcel;
import android.net.MarkMaskParcel;
import android.net.NativeNetworkConfig;
import android.net.RouteInfoParcel;
@@ -265,7 +266,7 @@
int spi);
/**
- * Create an IpSec Security Association describing how ip(v6) traffic will be encrypted
+ * Update an IPsec SA (xfrm_state) describing how ip(v6) traffic will be encrypted
* or decrypted.
*
* @param transformId a unique identifier for allocated resources
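Review bot: The reworded summary on the second changed line of this hunk drops "Create", so the method now reads as update-only. The declaration sits below the hunk and is not visible here, but the ipSecMigrate doc added later in this file sends callers to `ipSecAddSecurityAssociation` when the underlying network changes, which suggests this call still creates SAs as well. If that is the case, `Create or update an IPsec SA (xfrm_state) describing how ip(v6) traffic will be encrypted` would keep both meanings.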
@@ -1396,4 +1397,27 @@
* unix errno.
*/
void networkRemoveUidRangesParcel(in NativeUidRangeConfig uidRangesConfig);
+
+ /**
+ * Migrate an existing IPsec tunnel mode SA to different addresses.
+ *
+ * If the underlying network also changes, caller must update it by
+ * calling ipSecAddSecurityAssociation.
+ *
+ * @param migrateInfo parcelable with migration info.
+ *
+ * @throws ServiceSpecificException in case of failure, with an error code indicating the
+ * cause of the failure.
+ */
+ void ipSecMigrate(in android.net.IpSecMigrateInfoParcel migrateInfo);
+
+ /**
+ * IPSEC_DIRECTION_IN is used for IPsec SAs or policies that direct traffic towards the host.
+ */
+ const int IPSEC_DIRECTION_IN = 0;
+
+ /**
+ * IPSEC_DIRECTION_OUT is used for IPsec SAs or policies that direct traffic away from the host.
+ */
+ const int IPSEC_DIRECTION_OUT = 1;
}
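Review bot: The `@throws` text on ipSecMigrate says only "an error code indicating the cause of the failure", while the doc just above it in this hunk says "unix errno". Naming the code space the same way, e.g. `with a unix errno indicating the cause of the failure`, lets callers map failures without reading the native code. The doc also leaves open what is reported when the parcel matches no existing SA or the SA is not in tunnel mode, which deserves one sentence. On style, the parameter is written `in android.net.IpSecMigrateInfoParcel migrateInfo` although the type is imported at the top of this file and the neighbouring method uses the short name; `in IpSecMigrateInfoParcel migrateInfo` would match. The interface body starts outside the hunk.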
diff --git a/staticlibs/netd/binder/android/net/IpSecMigrateInfoParcel.aidl b/staticlibs/netd/binder/android/net/IpSecMigrateInfoParcel.aidl
new file mode 100644
index 0000000..e192d66
--- /dev/null
+++ b/staticlibs/netd/binder/android/net/IpSecMigrateInfoParcel.aidl
@@ -0,0 +1,50 @@
+/**
+ * Copyright (c) 2022, The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.net;
+
+@JavaOnlyImmutable
+parcelable IpSecMigrateInfoParcel {
+ /** The unique identifier for allocated resources. */
+ int requestId;
+ /**
+ * The address family identifier for the new selector. Can be AF_INET
+ * or AF_INET6.
+ */
+ int selAddrFamily;
+ /** IPSEC_DIRECTION_IN or IPSEC_DIRECTION_OUT. */
+ int direction;
+ /**
+ * The IP address for the current sending endpoint.
+ *
+ * The local address for an outbound SA and the remote address for an
+ * inbound SA.
+ */
+ @utf8InCpp String oldSourceAddress;
+ /**
+ * The IP address for the current receiving endpoint.
+ *
+ * The remote address for an outbound SA and the local address for an
+ * inbound SA.
+ */
+ @utf8InCpp String oldDestinationAddress;
+ /** The IP address for the new sending endpoint. */
+ @utf8InCpp String newSourceAddress;
+ /** The IP address for the new receiving endpoint. */
+ @utf8InCpp String newDestinationAddress;
+ /** The identifier for the XFRM interface. */
+ int interfaceId;
+}
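Review bot: The four address fields do not state the expected string form or address family, and `selAddrFamily` is documented as the family of the new selector, not of these addresses. A reader therefore cannot tell whether the old and new endpoints must share a family or how a malformed string is rejected. I would add that to each comment, for example `/** The IP address for the new sending endpoint, as a numeric IPv4 or IPv6 literal. */`, if that is what the native side parses. `direction` could name where its constants live (`INetd.IPSEC_DIRECTION_IN` or `INetd.IPSEC_DIRECTION_OUT`). `requestId` carries the same description INetd.aidl uses for `transformId`, so it is worth saying whether they are the same value.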