commit ad8fb7fce47829390a8c8e1852c3f35179b14b70
author Lorenzo Colitti <lorenzo@google.com> Fri Aug 20 03:24:09 2021 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Fri Aug 20 03:24:09 2021 +0000
tree 60d93826866ba660fb925e798a325c75f8e201ad
parent 1c603e7ec3376e39cf693d7928b1c176a365dbb8
parent bc8517843581eab82e01c937b1c627ee68c24ffd

Merge "bpf: don't offload IPv4 packets with TCP port 21 (ftp) and 1723 (pptp)"

Tethering/src/com/android/networkstack/tethering/BpfCoordinator.java

diff --git a/Tethering/src/com/android/networkstack/tethering/BpfCoordinator.java b/Tethering/src/com/android/networkstack/tethering/BpfCoordinator.java
index 5b39a23..de76e89 100644
--- a/Tethering/src/com/android/networkstack/tethering/BpfCoordinator.java
+++ b/Tethering/src/com/android/networkstack/tethering/BpfCoordinator.java
@@ -131,6 +131,11 @@
     @VisibleForTesting
     static final int NF_CONNTRACK_UDP_TIMEOUT_STREAM = 180;
 
+    // List of TCP port numbers which aren't offloaded because the packets require the netfilter
+    // conntrack helper. See also TetherController::setForwardRules in netd.
+    static final short [] NON_OFFLOADED_UPSTREAM_IPV4_TCP_PORTS = new short [] {
+            21 /* ftp */, 1723 /* pptp */};
+
     @VisibleForTesting
     enum StatsType {
         STATS_PER_IFACE,
@@ -1556,7 +1561,18 @@
                     0 /* lastUsed, filled by bpf prog only */);
         }
 
+        private boolean requireOffload(ConntrackEvent e) {
+            if (e.tupleOrig.protoNum != OsConstants.IPPROTO_TCP) return true;
+
+            for (final short port : NON_OFFLOADED_UPSTREAM_IPV4_TCP_PORTS) {
+                if (port == e.tupleOrig.dstPort) return false;
+            }
+            return true;
+        }
+
         public void accept(ConntrackEvent e) {
+            if (!requireOffload(e)) return;
+
             final ClientInfo tetherClient = getClientInfo(e.tupleOrig.srcIp);
             if (tetherClient == null) return;