1 /** 2 * Copyright (c) 2016, The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.net; 18 19 import android.net.INetdUnsolicitedEventListener; 20 import android.net.InterfaceConfigurationParcel; 21 import android.net.MarkMaskParcel; 22 import android.net.NativeNetworkConfig; 23 import android.net.RouteInfoParcel; 24 import android.net.TetherConfigParcel; 25 import android.net.TetherOffloadRuleParcel; 26 import android.net.TetherStatsParcel; 27 import android.net.UidRangeParcel; 28 import android.net.netd.aidl.NativeUidRangeConfig; 29 30 /** {@hide} */ 31 interface INetd { 32 /** 33 * Returns true if the service is responding. 34 */ isAlive()35 boolean isAlive(); 36 37 /** 38 * Replaces the contents of the specified UID-based firewall chain. 39 * 40 * The chain may be an allowlist chain or a denylist chain. A denylist chain contains DROP 41 * rules for the specified UIDs and a RETURN rule at the end. An allowlist chain contains RETURN 42 * rules for the system UID range (0 to {@code UID_APP} - 1), RETURN rules for for the specified 43 * UIDs, and a DROP rule at the end. The chain will be created if it does not exist. 44 * 45 * @param chainName The name of the chain to replace. 46 * @param isAllowlist Whether this is an allowlist or denylist chain. 47 * @param uids The list of UIDs to allow/deny. 48 * @return true if the chain was successfully replaced, false otherwise. 49 */ firewallReplaceUidChain(in @tf8InCpp String chainName, boolean isAllowlist, in int[] uids)50 boolean firewallReplaceUidChain(in @utf8InCpp String chainName, 51 boolean isAllowlist, 52 in int[] uids); 53 54 /** 55 * Enables or disables data saver mode on costly network interfaces. 56 * 57 * - When disabled, all packets to/from apps in the penalty box chain are rejected on costly 58 * interfaces. Traffic to/from other apps or on other network interfaces is allowed. 59 * - When enabled, only apps that are in the happy box chain and not in the penalty box chain 60 * are allowed network connectivity on costly interfaces. All other packets on these 61 * interfaces are rejected. The happy box chain always contains all system UIDs; to disallow 62 * traffic from system UIDs, place them in the penalty box chain. 63 * 64 * By default, data saver mode is disabled. This command has no effect but might still return an 65 * error) if {@code enable} is the same as the current value. 66 * 67 * @param enable whether to enable or disable data saver mode. 68 * @return true if the if the operation was successful, false otherwise. 69 */ bandwidthEnableDataSaver(boolean enable)70 boolean bandwidthEnableDataSaver(boolean enable); 71 72 /** 73 * Creates a physical network (i.e., one containing physical interfaces. 74 * @deprecated use networkCreate() instead. 75 * 76 * @param netId the networkId to create. 77 * @param permission the permission necessary to use the network. Must be one of 78 * PERMISSION_NONE/PERMISSION_NETWORK/PERMISSION_SYSTEM. 79 * 80 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 81 * unix errno. 82 */ networkCreatePhysical(int netId, int permission)83 void networkCreatePhysical(int netId, int permission); 84 85 /** 86 * Creates a VPN network. 87 * @deprecated use networkCreate() instead. 88 * 89 * @param netId the network to create. 90 * @param secure whether unprivileged apps are allowed to bypass the VPN. 91 * 92 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 93 * unix errno. 94 */ networkCreateVpn(int netId, boolean secure)95 void networkCreateVpn(int netId, boolean secure); 96 97 /** 98 * Destroys a network. Any interfaces added to the network are removed, and the network ceases 99 * to be the default network. 100 * 101 * @param netId the network to destroy. 102 * 103 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 104 * unix errno. 105 */ networkDestroy(int netId)106 void networkDestroy(int netId); 107 108 /** 109 * Adds an interface to a network. The interface must not be assigned to any network, including 110 * the specified network. 111 * 112 * @param netId the network to add the interface to. 113 * @param interface the name of the interface to add. 114 * 115 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 116 * unix errno. 117 */ networkAddInterface(int netId, in @utf8InCpp String iface)118 void networkAddInterface(int netId, in @utf8InCpp String iface); 119 120 /** 121 * Adds an interface to a network. The interface must be assigned to the specified network. 122 * 123 * @param netId the network to remove the interface from. 124 * @param interface the name of the interface to remove. 125 * 126 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 127 * unix errno. 128 */ networkRemoveInterface(int netId, in @utf8InCpp String iface)129 void networkRemoveInterface(int netId, in @utf8InCpp String iface); 130 131 /** 132 * Adds the specified UID ranges to the specified network. The network can be physical or 133 * virtual. Traffic from the UID ranges will be routed to the network by default. 134 * 135 * @param netId the network ID of the network to add the ranges to. 136 * @param uidRanges a set of non-overlapping ranges of UIDs to add. These exact ranges 137 * must not overlap with existing ranges assigned to this network. 138 * 139 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 140 * unix errno. 141 */ networkAddUidRanges(int netId, in UidRangeParcel[] uidRanges)142 void networkAddUidRanges(int netId, in UidRangeParcel[] uidRanges); 143 144 /** 145 * Remove the specified UID ranges from the specified network. The network can be physical or 146 * virtual. Traffic from the UID ranges will no longer be routed to the network by default. 147 * 148 * @param netId the network ID of the network to remove the ranges from. 149 * @param uidRanges a set of non-overlapping ranges of UIDs to remove. These exact ranges 150 * must already be assigned to this network. 151 * 152 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 153 * unix errno. 154 */ networkRemoveUidRanges(int netId, in UidRangeParcel[] uidRanges)155 void networkRemoveUidRanges(int netId, in UidRangeParcel[] uidRanges); 156 157 /** 158 * Adds or removes one rule for each supplied UID range to prohibit all network activity outside 159 * of secure VPN. 160 * 161 * When a UID is covered by one of these rules, traffic sent through any socket that is not 162 * protected or explicitly overriden by the system will be rejected. The kernel will respond 163 * with an ICMP prohibit message. 164 * 165 * Initially, there are no such rules. Any rules that are added will only last until the next 166 * restart of netd or the device. 167 * 168 * @param add {@code true} if the specified UID ranges should be denied access to any network 169 * which is not secure VPN by adding rules, {@code false} to remove existing rules. 170 * @param uidRanges a set of non-overlapping, contiguous ranges of UIDs to which to apply or 171 * remove this restriction. 172 * <p> Added rules should not overlap with existing rules. Likewise, removed rules should 173 * each correspond to an existing rule. 174 * 175 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 176 * unix errno. 177 */ networkRejectNonSecureVpn(boolean add, in UidRangeParcel[] uidRanges)178 void networkRejectNonSecureVpn(boolean add, in UidRangeParcel[] uidRanges); 179 180 /** 181 * Administratively closes sockets belonging to the specified UIDs. 182 */ socketDestroy(in UidRangeParcel[] uidRanges, in int[] exemptUids)183 void socketDestroy(in UidRangeParcel[] uidRanges, in int[] exemptUids); 184 185 /** 186 * Instruct the tethering DNS server to reevaluated serving interfaces. 187 * This is needed to for the DNS server to observe changes in the set 188 * of potential listening IP addresses. (Listening on wildcard addresses 189 * can turn the device into an open resolver; b/7530468) 190 * 191 * TODO: Return something richer than just a boolean. 192 */ tetherApplyDnsInterfaces()193 boolean tetherApplyDnsInterfaces(); 194 195 /** 196 * Return tethering statistics. 197 * 198 * @return an array of TetherStatsParcel, where each entry contains the upstream interface 199 * name and its tethering statistics since netd startup. 200 * There will only ever be one entry for a given interface. 201 * @throws ServiceSpecificException in case of failure, with an error code indicating the 202 * cause of the failure. 203 */ tetherGetStats()204 TetherStatsParcel[] tetherGetStats(); 205 206 /** 207 * Add/Remove and IP address from an interface. 208 * 209 * @param ifName the interface name 210 * @param addrString the IP address to add/remove as a string literal 211 * @param prefixLength the prefix length associated with this IP address 212 * 213 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 214 * unix errno. 215 */ interfaceAddAddress(in @tf8InCpp String ifName, in @utf8InCpp String addrString, int prefixLength)216 void interfaceAddAddress(in @utf8InCpp String ifName, in @utf8InCpp String addrString, 217 int prefixLength); interfaceDelAddress(in @tf8InCpp String ifName, in @utf8InCpp String addrString, int prefixLength)218 void interfaceDelAddress(in @utf8InCpp String ifName, in @utf8InCpp String addrString, 219 int prefixLength); 220 221 /** 222 * Set and get /proc/sys/net interface configuration parameters. 223 * 224 * @param ipversion One of IPV4/IPV6 integers, indicating the desired IP version directory. 225 * @param which One of CONF/NEIGH integers, indicating the desired parameter category directory. 226 * @param ifname The interface name portion of the path; may also be "all" or "default". 227 * @param parameter The parameter name portion of the path. 228 * @param value The value string to be written into the assembled path. 229 * 230 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 231 * unix errno. 232 */ 233 234 const int IPV4 = 4; 235 const int IPV6 = 6; 236 const int CONF = 1; 237 const int NEIGH = 2; getProcSysNet(int ipversion, int which, in @utf8InCpp String ifname, in @utf8InCpp String parameter)238 @utf8InCpp String getProcSysNet(int ipversion, int which, in @utf8InCpp String ifname, 239 in @utf8InCpp String parameter); setProcSysNet(int ipversion, int which, in @utf8InCpp String ifname, in @utf8InCpp String parameter, in @utf8InCpp String value)240 void setProcSysNet(int ipversion, int which, in @utf8InCpp String ifname, 241 in @utf8InCpp String parameter, in @utf8InCpp String value); 242 243 /** 244 * Sets owner of socket ParcelFileDescriptor to the new UID, checking to ensure that the caller's 245 * uid is that of the old owner's, and that this is a UDP-encap socket 246 * 247 * @param ParcelFileDescriptor socket Socket file descriptor 248 * @param int newUid UID of the new socket fd owner 249 */ ipSecSetEncapSocketOwner(in ParcelFileDescriptor socket, int newUid)250 void ipSecSetEncapSocketOwner(in ParcelFileDescriptor socket, int newUid); 251 252 /** 253 * Reserve an SPI from the kernel 254 * 255 * @param transformId a unique identifier for allocated resources 256 * @param sourceAddress InetAddress as string for the sending endpoint 257 * @param destinationAddress InetAddress as string for the receiving endpoint 258 * @param spi a requested 32-bit unique ID or 0 to request random allocation 259 * @return the SPI that was allocated or 0 if failed 260 */ ipSecAllocateSpi( int transformId, in @utf8InCpp String sourceAddress, in @utf8InCpp String destinationAddress, int spi)261 int ipSecAllocateSpi( 262 int transformId, 263 in @utf8InCpp String sourceAddress, 264 in @utf8InCpp String destinationAddress, 265 int spi); 266 267 /** 268 * Create an IpSec Security Association describing how ip(v6) traffic will be encrypted 269 * or decrypted. 270 * 271 * @param transformId a unique identifier for allocated resources 272 * @param mode either Transport or Tunnel mode 273 * @param sourceAddress InetAddress as string for the sending endpoint 274 * @param destinationAddress InetAddress as string for the receiving endpoint 275 * @param underlyingNetId the netId of the network to which the SA is applied. Only accepted for 276 * tunnel mode SAs. 277 * @param spi a 32-bit unique ID allocated to the user 278 * @param markValue a 32-bit unique ID chosen by the user 279 * @param markMask a 32-bit mask chosen by the user 280 * @param authAlgo a string identifying the authentication algorithm to be used 281 * @param authKey a byte array containing the authentication key 282 * @param authTruncBits the truncation length of the MAC produced by the authentication algorithm 283 * @param cryptAlgo a string identifying the encryption algorithm to be used 284 * @param cryptKey a byte arrray containing the encryption key 285 * @param cryptTruncBits unused parameter 286 * @param aeadAlgo a string identifying the authenticated encryption algorithm to be used 287 * @param aeadKey a byte arrray containing the key to be used in authenticated encryption 288 * @param aeadIcvBits the truncation length of the ICV produced by the authentication algorithm 289 * (similar to authTruncBits in function) 290 * @param encapType encapsulation type used (if any) for the udp encap socket 291 * @param encapLocalPort the port number on the host to be used in encap packets 292 * @param encapRemotePort the port number of the remote to be used for encap packets 293 * @param interfaceId the identifier for the IPsec tunnel interface. 294 * Only accepted for tunnel mode SAs. 295 */ ipSecAddSecurityAssociation( int transformId, int mode, in @utf8InCpp String sourceAddress, in @utf8InCpp String destinationAddress, int underlyingNetId, int spi, int markValue, int markMask, in @utf8InCpp String authAlgo, in byte[] authKey, in int authTruncBits, in @utf8InCpp String cryptAlgo, in byte[] cryptKey, in int cryptTruncBits, in @utf8InCpp String aeadAlgo, in byte[] aeadKey, in int aeadIcvBits, int encapType, int encapLocalPort, int encapRemotePort, int interfaceId)296 void ipSecAddSecurityAssociation( 297 int transformId, 298 int mode, 299 in @utf8InCpp String sourceAddress, 300 in @utf8InCpp String destinationAddress, 301 int underlyingNetId, 302 int spi, 303 int markValue, 304 int markMask, 305 in @utf8InCpp String authAlgo, in byte[] authKey, in int authTruncBits, 306 in @utf8InCpp String cryptAlgo, in byte[] cryptKey, in int cryptTruncBits, 307 in @utf8InCpp String aeadAlgo, in byte[] aeadKey, in int aeadIcvBits, 308 int encapType, 309 int encapLocalPort, 310 int encapRemotePort, 311 int interfaceId); 312 313 /** 314 * Delete a previously created security association identified by the provided parameters 315 * 316 * @param transformId a unique identifier for allocated resources 317 * @param sourceAddress InetAddress as string for the sending endpoint 318 * @param destinationAddress InetAddress as string for the receiving endpoint 319 * @param spi a requested 32-bit unique ID allocated to the user 320 * @param markValue a 32-bit unique ID chosen by the user 321 * @param markMask a 32-bit mask chosen by the user 322 * @param interfaceId the identifier for the IPsec tunnel interface. 323 */ ipSecDeleteSecurityAssociation( int transformId, in @utf8InCpp String sourceAddress, in @utf8InCpp String destinationAddress, int spi, int markValue, int markMask, int interfaceId)324 void ipSecDeleteSecurityAssociation( 325 int transformId, 326 in @utf8InCpp String sourceAddress, 327 in @utf8InCpp String destinationAddress, 328 int spi, 329 int markValue, 330 int markMask, 331 int interfaceId); 332 333 /** 334 * Apply a previously created SA to a specified socket, starting IPsec on that socket 335 * 336 * @param socket a user-provided socket that will have IPsec applied 337 * @param transformId a unique identifier for allocated resources 338 * @param direction DIRECTION_IN or DIRECTION_OUT 339 * @param sourceAddress InetAddress as string for the sending endpoint 340 * @param destinationAddress InetAddress as string for the receiving endpoint 341 * @param spi a 32-bit unique ID allocated to the user (socket owner) 342 */ ipSecApplyTransportModeTransform( in ParcelFileDescriptor socket, int transformId, int direction, in @utf8InCpp String sourceAddress, in @utf8InCpp String destinationAddress, int spi)343 void ipSecApplyTransportModeTransform( 344 in ParcelFileDescriptor socket, 345 int transformId, 346 int direction, 347 in @utf8InCpp String sourceAddress, 348 in @utf8InCpp String destinationAddress, 349 int spi); 350 351 /** 352 * Remove an IPsec SA from a given socket. This will allow unencrypted traffic to flow 353 * on that socket if a transform had been previously applied. 354 * 355 * @param socket a user-provided socket from which to remove any IPsec configuration 356 */ ipSecRemoveTransportModeTransform( in ParcelFileDescriptor socket)357 void ipSecRemoveTransportModeTransform( 358 in ParcelFileDescriptor socket); 359 360 /** 361 * Adds an IPsec global policy. 362 * 363 * @param transformId a unique identifier for allocated resources 364 * @param selAddrFamily the address family identifier for the selector 365 * @param direction DIRECTION_IN or DIRECTION_OUT 366 * @param tmplSrcAddress InetAddress as string for the sending endpoint 367 * @param tmplDstAddress InetAddress as string for the receiving endpoint 368 * @param spi a 32-bit unique ID allocated to the user 369 * @param markValue a 32-bit unique ID chosen by the user 370 * @param markMask a 32-bit mask chosen by the user 371 * @param interfaceId the identifier for the IPsec tunnel interface. 372 */ ipSecAddSecurityPolicy( int transformId, int selAddrFamily, int direction, in @utf8InCpp String tmplSrcAddress, in @utf8InCpp String tmplDstAddress, int spi, int markValue, int markMask, int interfaceId)373 void ipSecAddSecurityPolicy( 374 int transformId, 375 int selAddrFamily, 376 int direction, 377 in @utf8InCpp String tmplSrcAddress, 378 in @utf8InCpp String tmplDstAddress, 379 int spi, 380 int markValue, 381 int markMask, 382 int interfaceId); 383 384 /** 385 * Updates an IPsec global policy. 386 * 387 * @param transformId a unique identifier for allocated resources 388 * @param selAddrFamily the address family identifier for the selector 389 * @param direction DIRECTION_IN or DIRECTION_OUT 390 * @param tmplSrcAddress InetAddress as string for the sending endpoint 391 * @param tmplDstAddress InetAddress as string for the receiving endpoint 392 * @param spi a 32-bit unique ID allocated to the user 393 * @param markValue a 32-bit unique ID chosen by the user 394 * @param markMask a 32-bit mask chosen by the user 395 * @param interfaceId the identifier for the IPsec tunnel interface. 396 */ ipSecUpdateSecurityPolicy( int transformId, int selAddrFamily, int direction, in @utf8InCpp String tmplSrcAddress, in @utf8InCpp String tmplDstAddress, int spi, int markValue, int markMask, int interfaceId)397 void ipSecUpdateSecurityPolicy( 398 int transformId, 399 int selAddrFamily, 400 int direction, 401 in @utf8InCpp String tmplSrcAddress, 402 in @utf8InCpp String tmplDstAddress, 403 int spi, 404 int markValue, 405 int markMask, 406 int interfaceId); 407 408 /** 409 * Deletes an IPsec global policy. 410 * 411 * Deletion of global policies does not do any matching based on the templates, thus 412 * template source/destination addresses are not needed (as opposed to add/update). 413 * 414 * @param transformId a unique identifier for allocated resources 415 * @param selAddrFamily the address family identifier for the selector 416 * @param direction DIRECTION_IN or DIRECTION_OUT 417 * @param markValue a 32-bit unique ID chosen by the user 418 * @param markMask a 32-bit mask chosen by the user 419 * @param interfaceId the identifier for the IPsec tunnel interface. 420 */ ipSecDeleteSecurityPolicy( int transformId, int selAddrFamily, int direction, int markValue, int markMask, int interfaceId)421 void ipSecDeleteSecurityPolicy( 422 int transformId, 423 int selAddrFamily, 424 int direction, 425 int markValue, 426 int markMask, 427 int interfaceId); 428 429 // This could not be declared as @uft8InCpp; thus, when used in native code it must be 430 // converted from a UTF-16 string to an ASCII string. 431 const String IPSEC_INTERFACE_PREFIX = "ipsec"; 432 433 /** 434 * Add a IPsec Tunnel Interface. 435 * 436 * @param devName a unique identifier that represents the name of the device 437 * @param localAddress InetAddress as string for the local endpoint 438 * @param remoteAddress InetAddress as string for the remote endpoint 439 * @param iKey, to match Policies and SAs for input packets. 440 * @param oKey, to match Policies and SAs for output packets. 441 * @param interfaceId the identifier for the IPsec tunnel interface. 442 */ ipSecAddTunnelInterface( in @tf8InCpp String deviceName, in @utf8InCpp String localAddress, in @utf8InCpp String remoteAddress, int iKey, int oKey, int interfaceId)443 void ipSecAddTunnelInterface( 444 in @utf8InCpp String deviceName, 445 in @utf8InCpp String localAddress, 446 in @utf8InCpp String remoteAddress, 447 int iKey, 448 int oKey, 449 int interfaceId); 450 451 /** 452 * Update a IPsec Tunnel Interface. 453 * 454 * @param devName a unique identifier that represents the name of the device 455 * @param localAddress InetAddress as string for the local endpoint 456 * @param remoteAddress InetAddress as string for the remote endpoint 457 * @param iKey, to match Policies and SAs for input packets. 458 * @param oKey, to match Policies and SAs for output packets. 459 * @param interfaceId the identifier for the IPsec tunnel interface. 460 */ ipSecUpdateTunnelInterface( in @tf8InCpp String deviceName, in @utf8InCpp String localAddress, in @utf8InCpp String remoteAddress, int iKey, int oKey, int interfaceId)461 void ipSecUpdateTunnelInterface( 462 in @utf8InCpp String deviceName, 463 in @utf8InCpp String localAddress, 464 in @utf8InCpp String remoteAddress, 465 int iKey, 466 int oKey, 467 int interfaceId); 468 469 /** 470 * Removes a IPsec Tunnel Interface. 471 * 472 * @param devName a unique identifier that represents the name of the device 473 */ ipSecRemoveTunnelInterface(in @tf8InCpp String deviceName)474 void ipSecRemoveTunnelInterface(in @utf8InCpp String deviceName); 475 476 /** 477 * Request notification of wakeup packets arriving on an interface. Notifications will be 478 * delivered to INetdEventListener.onWakeupEvent(). 479 * 480 * @param ifName the interface 481 * @param prefix arbitrary string used to identify wakeup sources in onWakeupEvent 482 */ wakeupAddInterface(in @tf8InCpp String ifName, in @utf8InCpp String prefix, int mark, int mask)483 void wakeupAddInterface(in @utf8InCpp String ifName, in @utf8InCpp String prefix, int mark, int mask); 484 485 /** 486 * Stop notification of wakeup packets arriving on an interface. 487 * 488 * @param ifName the interface 489 * @param prefix arbitrary string used to identify wakeup sources in onWakeupEvent 490 */ wakeupDelInterface(in @tf8InCpp String ifName, in @utf8InCpp String prefix, int mark, int mask)491 void wakeupDelInterface(in @utf8InCpp String ifName, in @utf8InCpp String prefix, int mark, int mask); 492 493 const int IPV6_ADDR_GEN_MODE_EUI64 = 0; 494 const int IPV6_ADDR_GEN_MODE_NONE = 1; 495 const int IPV6_ADDR_GEN_MODE_STABLE_PRIVACY = 2; 496 const int IPV6_ADDR_GEN_MODE_RANDOM = 3; 497 498 const int IPV6_ADDR_GEN_MODE_DEFAULT = 0; 499 /** 500 * Set IPv6 address generation mode. IPv6 should be disabled before changing mode. 501 * 502 * @param mode SLAAC address generation mechanism to use 503 */ setIPv6AddrGenMode(in @tf8InCpp String ifName, int mode)504 void setIPv6AddrGenMode(in @utf8InCpp String ifName, int mode); 505 506 /** 507 * Add idletimer for specific interface 508 * 509 * @param ifName Name of target interface 510 * @param timeout The time in seconds that will trigger idletimer 511 * @param classLabel The unique identifier for this idletimer 512 * @throws ServiceSpecificException in case of failure, with an error code indicating the 513 * cause of the failure. 514 */ idletimerAddInterface( in @tf8InCpp String ifName, int timeout, in @utf8InCpp String classLabel)515 void idletimerAddInterface( 516 in @utf8InCpp String ifName, 517 int timeout, 518 in @utf8InCpp String classLabel); 519 520 /** 521 * Remove idletimer for specific interface 522 * 523 * @param ifName Name of target interface 524 * @param timeout The time in seconds that will trigger idletimer 525 * @param classLabel The unique identifier for this idletimer 526 * @throws ServiceSpecificException in case of failure, with an error code indicating the 527 * cause of the failure. 528 */ idletimerRemoveInterface( in @tf8InCpp String ifName, int timeout, in @utf8InCpp String classLabel)529 void idletimerRemoveInterface( 530 in @utf8InCpp String ifName, 531 int timeout, 532 in @utf8InCpp String classLabel); 533 534 const int PENALTY_POLICY_ACCEPT = 1; 535 const int PENALTY_POLICY_LOG = 2; 536 const int PENALTY_POLICY_REJECT = 3; 537 538 /** 539 * Offers to detect sockets sending data not wrapped inside a layer of SSL/TLS encryption. 540 * 541 * @param uid Uid of the app 542 * @param policyPenalty The penalty policy of the app 543 * @throws ServiceSpecificException in case of failure, with an error code indicating the 544 * cause of the failure. 545 */ strictUidCleartextPenalty(int uid, int policyPenalty)546 void strictUidCleartextPenalty(int uid, int policyPenalty); 547 548 /** 549 * Start clatd 550 * 551 * @param ifName interface name to start clatd 552 * @param nat64Prefix the NAT64 prefix, e.g., "2001:db8:64::/96". 553 * @return a string, the IPv6 address that will be used for 464xlat. 554 * @throws ServiceSpecificException in case of failure, with an error code indicating the 555 * cause of the failure. 556 */ clatdStart(in @tf8InCpp String ifName, in @utf8InCpp String nat64Prefix)557 @utf8InCpp String clatdStart(in @utf8InCpp String ifName, in @utf8InCpp String nat64Prefix); 558 559 /** 560 * Stop clatd 561 * 562 * @param ifName interface name to stop clatd 563 * @throws ServiceSpecificException in case of failure, with an error code indicating the 564 * cause of the failure. 565 */ clatdStop(in @tf8InCpp String ifName)566 void clatdStop(in @utf8InCpp String ifName); 567 568 /** 569 * Get status of IP forwarding 570 * 571 * @return true if IP forwarding is enabled, false otherwise. 572 */ ipfwdEnabled()573 boolean ipfwdEnabled(); 574 575 /** 576 * Get requester list of IP forwarding 577 * 578 * @return An array of strings containing requester list of IP forwarding 579 */ ipfwdGetRequesterList()580 @utf8InCpp String[] ipfwdGetRequesterList(); 581 582 /** 583 * Enable IP forwarding for specific requester 584 * 585 * @param requester requester name to enable IP forwarding. It is a unique name which will be 586 * stored in Netd to make sure if any requester needs IP forwarding. 587 * @throws ServiceSpecificException in case of failure, with an error code indicating the 588 * cause of the failure. 589 */ ipfwdEnableForwarding(in @tf8InCpp String requester)590 void ipfwdEnableForwarding(in @utf8InCpp String requester); 591 592 /** 593 * Disable IP forwarding for specific requester 594 * 595 * @param requester requester name to disable IP forwarding. This name should match the 596 * names which are set by ipfwdEnableForwarding. 597 * IP forwarding would be disabled if it is the last requester. 598 * @throws ServiceSpecificException in case of failure, with an error code indicating the 599 * cause of the failure. 600 */ ipfwdDisableForwarding(in @tf8InCpp String requester)601 void ipfwdDisableForwarding(in @utf8InCpp String requester); 602 603 /** 604 * Add forwarding ip rule 605 * 606 * @param fromIface interface name to add forwarding ip rule 607 * @param toIface interface name to add forwarding ip rule 608 * @throws ServiceSpecificException in case of failure, with an error code indicating the 609 * cause of the failure. 610 */ ipfwdAddInterfaceForward(in @tf8InCpp String fromIface, in @utf8InCpp String toIface)611 void ipfwdAddInterfaceForward(in @utf8InCpp String fromIface, in @utf8InCpp String toIface); 612 613 /** 614 * Remove forwarding ip rule 615 * 616 * @param fromIface interface name to remove forwarding ip rule 617 * @param toIface interface name to remove forwarding ip rule 618 * @throws ServiceSpecificException in case of failure, with an error code indicating the 619 * cause of the failure. 620 */ ipfwdRemoveInterfaceForward(in @tf8InCpp String fromIface, in @utf8InCpp String toIface)621 void ipfwdRemoveInterfaceForward(in @utf8InCpp String fromIface, in @utf8InCpp String toIface); 622 623 /** 624 * Set quota for interface 625 * 626 * @param ifName Name of target interface 627 * @param bytes Quota value in bytes 628 * @throws ServiceSpecificException in case of failure, with an error code indicating the 629 * cause of the failure. 630 */ bandwidthSetInterfaceQuota(in @tf8InCpp String ifName, long bytes)631 void bandwidthSetInterfaceQuota(in @utf8InCpp String ifName, long bytes); 632 633 /** 634 * Remove quota for interface 635 * 636 * @param ifName Name of target interface 637 * @throws ServiceSpecificException in case of failure, with an error code indicating the 638 * cause of the failure. 639 */ bandwidthRemoveInterfaceQuota(in @tf8InCpp String ifName)640 void bandwidthRemoveInterfaceQuota(in @utf8InCpp String ifName); 641 642 /** 643 * Set alert for interface 644 * 645 * @param ifName Name of target interface 646 * @param bytes Alert value in bytes 647 * @throws ServiceSpecificException in case of failure, with an error code indicating the 648 * cause of the failure. 649 */ bandwidthSetInterfaceAlert(in @tf8InCpp String ifName, long bytes)650 void bandwidthSetInterfaceAlert(in @utf8InCpp String ifName, long bytes); 651 652 /** 653 * Remove alert for interface 654 * 655 * @param ifName Name of target interface 656 * @throws ServiceSpecificException in case of failure, with an error code indicating the 657 * cause of the failure. 658 */ bandwidthRemoveInterfaceAlert(in @tf8InCpp String ifName)659 void bandwidthRemoveInterfaceAlert(in @utf8InCpp String ifName); 660 661 /** 662 * Set global alert 663 * 664 * @param bytes Alert value in bytes 665 * @throws ServiceSpecificException in case of failure, with an error code indicating the 666 * cause of the failure. 667 */ bandwidthSetGlobalAlert(long bytes)668 void bandwidthSetGlobalAlert(long bytes); 669 670 /** 671 * Add naughty app bandwidth rule for specific app 672 * 673 * @param uid uid of target app 674 * @throws ServiceSpecificException in case of failure, with an error code indicating the 675 * cause of the failure. 676 */ bandwidthAddNaughtyApp(int uid)677 void bandwidthAddNaughtyApp(int uid); 678 679 /** 680 * Remove naughty app bandwidth rule for specific app 681 * 682 * @param uid uid of target app 683 * @throws ServiceSpecificException in case of failure, with an error code indicating the 684 * cause of the failure. 685 */ bandwidthRemoveNaughtyApp(int uid)686 void bandwidthRemoveNaughtyApp(int uid); 687 688 /** 689 * Add nice app bandwidth rule for specific app 690 * 691 * @param uid uid of target app 692 * @throws ServiceSpecificException in case of failure, with an error code indicating the 693 * cause of the failure. 694 */ bandwidthAddNiceApp(int uid)695 void bandwidthAddNiceApp(int uid); 696 697 /** 698 * Remove nice app bandwidth rule for specific app 699 * 700 * @param uid uid of target app 701 * @throws ServiceSpecificException in case of failure, with an error code indicating the 702 * cause of the failure. 703 */ bandwidthRemoveNiceApp(int uid)704 void bandwidthRemoveNiceApp(int uid); 705 706 /** 707 * Start tethering 708 * 709 * @param dhcpRanges dhcp ranges to set. 710 * dhcpRanges might contain many addresss {addr1, addr2, aadr3, addr4...} 711 * Netd splits them into ranges: addr1-addr2, addr3-addr4, etc. 712 * An odd number of addrs will fail. 713 * @throws ServiceSpecificException in case of failure, with an error code indicating the 714 * cause of the failure. 715 */ tetherStart(in @tf8InCpp String[] dhcpRanges)716 void tetherStart(in @utf8InCpp String[] dhcpRanges); 717 718 /** 719 * Stop tethering 720 * 721 * @throws ServiceSpecificException in case of failure, with an error code indicating the 722 * cause of the failure. 723 */ tetherStop()724 void tetherStop(); 725 726 /** 727 * Get status of tethering 728 * 729 * @return true if tethering is enabled, false otherwise. 730 */ tetherIsEnabled()731 boolean tetherIsEnabled(); 732 733 /** 734 * Setup interface for tethering 735 * 736 * @param ifName interface name to add 737 * @throws ServiceSpecificException in case of failure, with an error code indicating the 738 * cause of the failure. 739 */ tetherInterfaceAdd(in @tf8InCpp String ifName)740 void tetherInterfaceAdd(in @utf8InCpp String ifName); 741 742 /** 743 * Reset interface for tethering 744 * 745 * @param ifName interface name to remove 746 * @throws ServiceSpecificException in case of failure, with an error code indicating the 747 * cause of the failure. 748 */ tetherInterfaceRemove(in @tf8InCpp String ifName)749 void tetherInterfaceRemove(in @utf8InCpp String ifName); 750 751 /** 752 * Get the interface list which is stored in netd 753 * The list contains the interfaces managed by tetherInterfaceAdd/tetherInterfaceRemove 754 * 755 * @return An array of strings containing interface list result 756 */ tetherInterfaceList()757 @utf8InCpp String[] tetherInterfaceList(); 758 759 /** 760 * Set DNS forwarder server 761 * 762 * @param netId the upstream network to forward DNS queries to 763 * @param dnsAddrs DNS server address to set 764 * @throws ServiceSpecificException in case of failure, with an error code indicating the 765 * cause of the failure. 766 */ tetherDnsSet(int netId, in @utf8InCpp String[] dnsAddrs)767 void tetherDnsSet(int netId, in @utf8InCpp String[] dnsAddrs); 768 769 /** 770 * Return the DNS list set by tetherDnsSet 771 * 772 * @return An array of strings containing the list of DNS servers 773 */ tetherDnsList()774 @utf8InCpp String[] tetherDnsList(); 775 776 const int LOCAL_NET_ID = 99; 777 778 /** 779 * Constant net ID for the "dummy" network. 780 * 781 * The dummy network is used to blackhole or reject traffic. Any attempt to use it will 782 * either drop the packets or fail with ENETUNREACH. 783 */ 784 const int DUMMY_NET_ID = 51; 785 786 /** 787 * Constant net ID for the "unreachable" network. 788 * 789 * The unreachable network is used to reject traffic. Any attempt to use it will fail 790 * with ENETUNREACH. 791 */ 792 const int UNREACHABLE_NET_ID = 52; 793 794 // Route does not specify a next hop 795 const String NEXTHOP_NONE = ""; 796 // Route next hop is unreachable 797 const String NEXTHOP_UNREACHABLE = "unreachable"; 798 // Route next hop is throw 799 const String NEXTHOP_THROW = "throw"; 800 801 /** 802 * Add a route for specific network 803 * 804 * @param netId the network to add the route to 805 * @param ifName the name of interface of the route. 806 * This interface should be assigned to the netID. 807 * @param destination the destination of the route 808 * @param nextHop The route's next hop address, 809 * or it could be either NEXTHOP_NONE, NEXTHOP_UNREACHABLE, NEXTHOP_THROW. 810 * @throws ServiceSpecificException in case of failure, with an error code indicating the 811 * cause of the failure. 812 */ networkAddRoute( int netId, in @utf8InCpp String ifName, in @utf8InCpp String destination, in @utf8InCpp String nextHop)813 void networkAddRoute( 814 int netId, 815 in @utf8InCpp String ifName, 816 in @utf8InCpp String destination, 817 in @utf8InCpp String nextHop); 818 819 /** 820 * Remove a route for specific network 821 * 822 * @param netId the network to remove the route from 823 * @param ifName the name of interface of the route. 824 * This interface should be assigned to the netID. 825 * @param destination the destination of the route 826 * @param nextHop The route's next hop address, 827 * or it could be either NEXTHOP_NONE, NEXTHOP_UNREACHABLE, NEXTHOP_THROW. 828 * @throws ServiceSpecificException in case of failure, with an error code indicating the 829 * cause of the failure. 830 */ networkRemoveRoute( int netId, in @utf8InCpp String ifName, in @utf8InCpp String destination, in @utf8InCpp String nextHop)831 void networkRemoveRoute( 832 int netId, 833 in @utf8InCpp String ifName, 834 in @utf8InCpp String destination, 835 in @utf8InCpp String nextHop); 836 837 /** 838 * Add a route to legacy routing table for specific network 839 * 840 * @param netId the network to add the route to 841 * @param ifName the name of interface of the route. 842 * This interface should be assigned to the netID. 843 * @param destination the destination of the route 844 * @param nextHop The route's next hop address, 845 * or it could be either NEXTHOP_NONE, NEXTHOP_UNREACHABLE, NEXTHOP_THROW. 846 * @param uid uid of the user 847 * @throws ServiceSpecificException in case of failure, with an error code indicating the 848 * cause of the failure. 849 */ networkAddLegacyRoute( int netId, in @utf8InCpp String ifName, in @utf8InCpp String destination, in @utf8InCpp String nextHop, int uid)850 void networkAddLegacyRoute( 851 int netId, 852 in @utf8InCpp String ifName, 853 in @utf8InCpp String destination, 854 in @utf8InCpp String nextHop, 855 int uid); 856 857 /** 858 * Remove a route from legacy routing table for specific network 859 * 860 * @param netId the network to remove the route from 861 * @param ifName the name of interface of the route. 862 * This interface should be assigned to the netID. 863 * @param destination the destination of the route 864 * @param nextHop The route's next hop address, 865 * or it could be either NEXTHOP_NONE, NEXTHOP_UNREACHABLE, NEXTHOP_THROW. 866 * @param uid uid of the user 867 * @throws ServiceSpecificException in case of failure, with an error code indicating the 868 * cause of the failure. 869 */ networkRemoveLegacyRoute( int netId, in @utf8InCpp String ifName, in @utf8InCpp String destination, in @utf8InCpp String nextHop, int uid)870 void networkRemoveLegacyRoute( 871 int netId, 872 in @utf8InCpp String ifName, 873 in @utf8InCpp String destination, 874 in @utf8InCpp String nextHop, 875 int uid); 876 877 /** 878 * Get default network 879 * 880 * @return netId of default network 881 */ networkGetDefault()882 int networkGetDefault(); 883 884 /** 885 * Set network as default network 886 * 887 * @param netId the network to set as the default 888 * @throws ServiceSpecificException in case of failure, with an error code indicating the 889 * cause of the failure. 890 */ networkSetDefault(int netId)891 void networkSetDefault(int netId); 892 893 /** 894 * Clear default network 895 * 896 * @throws ServiceSpecificException in case of failure, with an error code indicating the 897 * cause of the failure. 898 */ networkClearDefault()899 void networkClearDefault(); 900 901 /** 902 * PERMISSION_NONE is used for regular networks and apps. TODO: use PERMISSION_INTERNET 903 * for this instead, and use PERMISSION_NONE to indicate no network permissions at all. 904 */ 905 const int PERMISSION_NONE = 0; 906 907 /** 908 * PERMISSION_NETWORK represents the CHANGE_NETWORK_STATE permission. 909 */ 910 const int PERMISSION_NETWORK = 1; 911 912 /** 913 * PERMISSION_SYSTEM represents the ability to use restricted networks. This is mostly 914 * equivalent to the CONNECTIVITY_USE_RESTRICTED_NETWORKS permission. 915 */ 916 const int PERMISSION_SYSTEM = 2; 917 918 /** 919 * NO_PERMISSIONS indicates that this app is installed and doesn't have either 920 * PERMISSION_INTERNET or PERMISSION_UPDATE_DEVICE_STATS. 921 * TODO: use PERMISSION_NONE to represent this case 922 */ 923 const int NO_PERMISSIONS = 0; 924 925 /** 926 * PERMISSION_INTERNET indicates that the app can create AF_INET and AF_INET6 sockets 927 */ 928 const int PERMISSION_INTERNET = 4; 929 930 /** 931 * PERMISSION_UPDATE_DEVICE_STATS is used for system UIDs and privileged apps 932 * that have the UPDATE_DEVICE_STATS permission 933 */ 934 const int PERMISSION_UPDATE_DEVICE_STATS = 8; 935 936 /** 937 * PERMISSION_UNINSTALLED is used when an app is uninstalled from the device. All internet 938 * related permissions need to be cleaned 939 */ 940 const int PERMISSION_UNINSTALLED = -1; 941 942 943 /** 944 * Sets the permission required to access a specific network. 945 * 946 * @param netId the network to set 947 * @param permission network permission to use 948 * @throws ServiceSpecificException in case of failure, with an error code indicating the 949 * cause of the failure. 950 */ networkSetPermissionForNetwork(int netId, int permission)951 void networkSetPermissionForNetwork(int netId, int permission); 952 953 /** 954 * Assigns network access permissions to the specified users. 955 * 956 * @param permission network permission to use 957 * @param uids uid of users to set permission 958 */ networkSetPermissionForUser(int permission, in int[] uids)959 void networkSetPermissionForUser(int permission, in int[] uids); 960 961 /** 962 * Clears network access permissions for the specified users. 963 * 964 * @param uids uid of users to clear permission 965 */ networkClearPermissionForUser(in int[] uids)966 void networkClearPermissionForUser(in int[] uids); 967 968 /** 969 * Assigns android.permission.INTERNET and/or android.permission.UPDATE_DEVICE_STATS to the uids 970 * specified. Or remove all permissions from the uids. 971 * 972 * @param permission The permission to grant, it could be either PERMISSION_INTERNET and/or 973 * PERMISSION_UPDATE_DEVICE_STATS. If the permission is NO_PERMISSIONS, then 974 * revoke all permissions for the uids. 975 * @param uids uid of users to grant permission 976 */ trafficSetNetPermForUids(int permission, in int[] uids)977 void trafficSetNetPermForUids(int permission, in int[] uids); 978 979 /** 980 * Gives the specified user permission to protect sockets from VPNs. 981 * Typically used by VPN apps themselves, to ensure that the sockets 982 * they use to communicate with the VPN server aren't routed through 983 * the VPN network. 984 * 985 * @param uid uid of user to set 986 */ networkSetProtectAllow(int uid)987 void networkSetProtectAllow(int uid); 988 989 /** 990 * Removes the permission to protect sockets from VPN. 991 * 992 * @param uid uid of user to set 993 */ networkSetProtectDeny(int uid)994 void networkSetProtectDeny(int uid); 995 996 /** 997 * Get the status of network protect for user 998 * 999 * @param uids uid of user 1000 * @return true if the user can protect sockets from VPN, false otherwise. 1001 */ networkCanProtect(int uid)1002 boolean networkCanProtect(int uid); 1003 1004 /** Only allows packets from specific UID/Interface. 1005 @deprecated use FIREWALL_ALLOWLIST. */ 1006 const int FIREWALL_WHITELIST = 0; 1007 1008 /** Only allows packets from specific UID/Interface. */ 1009 const int FIREWALL_ALLOWLIST = 0; 1010 1011 /** Blocks packets from specific UID/Interface. 1012 @deprecated use FIREWALL_DENYLIST. */ 1013 const int FIREWALL_BLACKLIST = 1; 1014 1015 /** Blocks packets from specific UID/Interface. */ 1016 const int FIREWALL_DENYLIST = 1; 1017 1018 /** 1019 * Set type of firewall 1020 * Type allowlist only allows packets from specific UID/Interface 1021 * Type denylist blocks packets from specific UID/Interface 1022 * 1023 * @param firewalltype type of firewall, either FIREWALL_ALLOWLIST or FIREWALL_DENYLIST 1024 * @throws ServiceSpecificException in case of failure, with an error code indicating the 1025 * cause of the failure. 1026 */ firewallSetFirewallType(int firewalltype)1027 void firewallSetFirewallType(int firewalltype); 1028 1029 // Specify allow Rule which allows packets 1030 const int FIREWALL_RULE_ALLOW = 1; 1031 // Specify deny Rule which drops packets 1032 const int FIREWALL_RULE_DENY = 2; 1033 1034 // No specific chain is chosen, use general firewall chain(fw_input, fw_output) 1035 const int FIREWALL_CHAIN_NONE = 0; 1036 // Specify DOZABLE chain(fw_dozable) which is used in dozable mode 1037 const int FIREWALL_CHAIN_DOZABLE = 1; 1038 // Specify STANDBY chain(fw_standby) which is used in standby mode 1039 const int FIREWALL_CHAIN_STANDBY = 2; 1040 // Specify POWERSAVE chain(fw_powersave) which is used in power save mode 1041 const int FIREWALL_CHAIN_POWERSAVE = 3; 1042 // Specify RESTRICTED chain(fw_restricted) which is used in restricted 1043 // networking mode 1044 const int FIREWALL_CHAIN_RESTRICTED = 4; 1045 1046 /** 1047 * Set firewall rule for interface 1048 * 1049 * @param ifName the interface to allow/deny 1050 * @param firewallRule either FIREWALL_RULE_ALLOW or FIREWALL_RULE_DENY 1051 * @throws ServiceSpecificException in case of failure, with an error code indicating the 1052 * cause of the failure. 1053 */ firewallSetInterfaceRule(in @tf8InCpp String ifName, int firewallRule)1054 void firewallSetInterfaceRule(in @utf8InCpp String ifName, int firewallRule); 1055 1056 /** 1057 * Set firewall rule for uid 1058 * 1059 * @param childChain target chain 1060 * @param uid uid to allow/deny 1061 * @param firewallRule either FIREWALL_RULE_ALLOW or FIREWALL_RULE_DENY 1062 * @throws ServiceSpecificException in case of failure, with an error code indicating the 1063 * cause of the failure. 1064 */ firewallSetUidRule(int childChain, int uid, int firewallRule)1065 void firewallSetUidRule(int childChain, int uid, int firewallRule); 1066 1067 /** 1068 * Enable/Disable target firewall child chain 1069 * 1070 * @param childChain target chain to enable 1071 * @param enable whether to enable or disable child chain. 1072 * @throws ServiceSpecificException in case of failure, with an error code indicating the 1073 * cause of the failure. 1074 */ firewallEnableChildChain(int childChain, boolean enable)1075 void firewallEnableChildChain(int childChain, boolean enable); 1076 1077 /** 1078 * Get interface list 1079 * 1080 * @return An array of strings containing all the interfaces on the system. 1081 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 1082 * unix errno. 1083 */ interfaceGetList()1084 @utf8InCpp String[] interfaceGetList(); 1085 1086 // Must be kept in sync with constant in InterfaceConfiguration.java 1087 const String IF_STATE_UP = "up"; 1088 const String IF_STATE_DOWN = "down"; 1089 1090 const String IF_FLAG_BROADCAST = "broadcast"; 1091 const String IF_FLAG_LOOPBACK = "loopback"; 1092 const String IF_FLAG_POINTOPOINT = "point-to-point"; 1093 const String IF_FLAG_RUNNING = "running"; 1094 const String IF_FLAG_MULTICAST = "multicast"; 1095 1096 /** 1097 * Get interface configuration 1098 * 1099 * @param ifName interface name 1100 * @return An InterfaceConfigurationParcel for the specified interface. 1101 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 1102 * unix errno. 1103 */ interfaceGetCfg(in @tf8InCpp String ifName)1104 InterfaceConfigurationParcel interfaceGetCfg(in @utf8InCpp String ifName); 1105 1106 /** 1107 * Set interface configuration 1108 * 1109 * @param cfg Interface configuration to set 1110 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 1111 * unix errno. 1112 */ interfaceSetCfg(in InterfaceConfigurationParcel cfg)1113 void interfaceSetCfg(in InterfaceConfigurationParcel cfg); 1114 1115 /** 1116 * Set interface IPv6 privacy extensions 1117 * 1118 * @param ifName interface name 1119 * @param enable whether to enable or disable this setting. 1120 * @throws ServiceSpecificException in case of failure, with an error code indicating the 1121 * cause of the failure. 1122 */ interfaceSetIPv6PrivacyExtensions(in @tf8InCpp String ifName, boolean enable)1123 void interfaceSetIPv6PrivacyExtensions(in @utf8InCpp String ifName, boolean enable); 1124 1125 /** 1126 * Clear all IP addresses on the given interface 1127 * 1128 * @param ifName interface name 1129 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 1130 * POSIX errno. 1131 */ interfaceClearAddrs(in @tf8InCpp String ifName)1132 void interfaceClearAddrs(in @utf8InCpp String ifName); 1133 1134 /** 1135 * Enable or disable IPv6 on the given interface 1136 * 1137 * @param ifName interface name 1138 * @param enable whether to enable or disable this setting. 1139 * @throws ServiceSpecificException in case of failure, with an error code indicating the 1140 * cause of the failure. 1141 */ interfaceSetEnableIPv6(in @tf8InCpp String ifName, boolean enable)1142 void interfaceSetEnableIPv6(in @utf8InCpp String ifName, boolean enable); 1143 1144 /** 1145 * Set interface MTU 1146 * 1147 * @param ifName interface name 1148 * @param mtu MTU value 1149 * @throws ServiceSpecificException in case of failure, with an error code indicating the 1150 * cause of the failure. 1151 */ interfaceSetMtu(in @tf8InCpp String ifName, int mtu)1152 void interfaceSetMtu(in @utf8InCpp String ifName, int mtu); 1153 1154 /** 1155 * Add forwarding rule/stats on given interface. 1156 * 1157 * @param intIface downstream interface 1158 * @param extIface upstream interface 1159 */ tetherAddForward(in @tf8InCpp String intIface, in @utf8InCpp String extIface)1160 void tetherAddForward(in @utf8InCpp String intIface, in @utf8InCpp String extIface); 1161 1162 /** 1163 * Remove forwarding rule/stats on given interface. 1164 * 1165 * @param intIface downstream interface 1166 * @param extIface upstream interface 1167 */ tetherRemoveForward(in @tf8InCpp String intIface, in @utf8InCpp String extIface)1168 void tetherRemoveForward(in @utf8InCpp String intIface, in @utf8InCpp String extIface); 1169 1170 /** 1171 * Set the values of tcp_{rmem,wmem}. 1172 * 1173 * @param rmemValues the target values of tcp_rmem, each value is separated by spaces 1174 * @param wmemValues the target values of tcp_wmem, each value is separated by spaces 1175 * @throws ServiceSpecificException in case of failure, with an error code indicating the 1176 * cause of the failure. 1177 */ setTcpRWmemorySize(in @tf8InCpp String rmemValues, in @utf8InCpp String wmemValues)1178 void setTcpRWmemorySize(in @utf8InCpp String rmemValues, in @utf8InCpp String wmemValues); 1179 1180 /** 1181 * Register unsolicited event listener 1182 * Netd supports multiple unsolicited event listeners. 1183 * 1184 * @param listener unsolicited event listener to register 1185 * @throws ServiceSpecificException in case of failure, with an error code indicating the 1186 * cause of the failure. 1187 */ registerUnsolicitedEventListener(INetdUnsolicitedEventListener listener)1188 void registerUnsolicitedEventListener(INetdUnsolicitedEventListener listener); 1189 1190 /** 1191 * Add ingress interface filtering rules to a list of UIDs 1192 * 1193 * For a given uid, once a filtering rule is added, the kernel will only allow packets from the 1194 * allowed interface and loopback to be sent to the list of UIDs. 1195 * 1196 * Calling this method on one or more UIDs with an existing filtering rule but a different 1197 * interface name will result in the filtering rule being updated to allow the new interface 1198 * instead. Otherwise calling this method will not affect existing rules set on other UIDs. 1199 * 1200 * @param ifName the name of the interface on which the filtering rules will allow packets to 1201 be received. 1202 * @param uids an array of UIDs which the filtering rules will be set 1203 * @throws ServiceSpecificException in case of failure, with an error code indicating the 1204 * cause of the failure. 1205 */ firewallAddUidInterfaceRules(in @tf8InCpp String ifName, in int[] uids)1206 void firewallAddUidInterfaceRules(in @utf8InCpp String ifName, in int[] uids); 1207 1208 /** 1209 * Remove ingress interface filtering rules from a list of UIDs 1210 * 1211 * Clear the ingress interface filtering rules from the list of UIDs which were previously set 1212 * by firewallAddUidInterfaceRules(). Ignore any uid which does not have filtering rule. 1213 * 1214 * @param uids an array of UIDs from which the filtering rules will be removed 1215 * @throws ServiceSpecificException in case of failure, with an error code indicating the 1216 * cause of the failure. 1217 */ firewallRemoveUidInterfaceRules(in int[] uids)1218 void firewallRemoveUidInterfaceRules(in int[] uids); 1219 1220 /** 1221 * Request netd to change the current active network stats map. 1222 * @throws ServiceSpecificException in case of failure, with an error code indicating the 1223 * cause of the failure. 1224 */ trafficSwapActiveStatsMap()1225 void trafficSwapActiveStatsMap(); 1226 1227 /** 1228 * Retrieves OEM netd listener interface 1229 * 1230 * @return a IBinder object, it could be casted to oem specific interface. 1231 */ getOemNetd()1232 IBinder getOemNetd(); 1233 1234 /** 1235 * Start tethering with given configuration 1236 * 1237 * @param config config to start tethering. 1238 * @throws ServiceSpecificException in case of failure, with an error code indicating the 1239 * cause of the failure. 1240 */ tetherStartWithConfiguration(in TetherConfigParcel config)1241 void tetherStartWithConfiguration(in TetherConfigParcel config); 1242 1243 1244 /** 1245 * Get the fwmark and its net id mask for the given network id. 1246 * 1247 * @param netId the network to get the fwmark and mask for. 1248 * @return A MarkMaskParcel of the given network id. 1249 */ getFwmarkForNetwork(int netId)1250 MarkMaskParcel getFwmarkForNetwork(int netId); 1251 1252 /** 1253 * Add a route for specific network 1254 * 1255 * @param netId the network to add the route to 1256 * @param routeInfo parcelable with route information 1257 * @throws ServiceSpecificException in case of failure, with an error code indicating the 1258 * cause of the failure. 1259 */ networkAddRouteParcel(int netId, in android.net.RouteInfoParcel routeInfo)1260 void networkAddRouteParcel(int netId, in android.net.RouteInfoParcel routeInfo); 1261 1262 /** 1263 * Update a route for specific network 1264 * 1265 * @param routeInfo parcelable with route information 1266 * @throws ServiceSpecificException in case of failure, with an error code indicating the 1267 * cause of the failure. 1268 */ networkUpdateRouteParcel(int netId, in android.net.RouteInfoParcel routeInfo)1269 void networkUpdateRouteParcel(int netId, in android.net.RouteInfoParcel routeInfo); 1270 1271 /** 1272 * Remove a route for specific network 1273 * 1274 * @param routeInfo parcelable with route information 1275 * @throws ServiceSpecificException in case of failure, with an error code indicating the 1276 * cause of the failure. 1277 */ networkRemoveRouteParcel(int netId, in android.net.RouteInfoParcel routeInfo)1278 void networkRemoveRouteParcel(int netId, in android.net.RouteInfoParcel routeInfo); 1279 1280 /** 1281 * Adds a tethering offload rule, or updates it if it already exists. 1282 * 1283 * Currently, only downstream /128 IPv6 entries are supported. An existing rule will be updated 1284 * if the input interface and destination prefix match. Otherwise, a new rule will be created. 1285 * 1286 * @param rule The rule to add or update. 1287 * @throws ServiceSpecificException in case of failure, with an error code indicating the 1288 * cause of the failure. 1289 */ tetherOffloadRuleAdd(in TetherOffloadRuleParcel rule)1290 void tetherOffloadRuleAdd(in TetherOffloadRuleParcel rule); 1291 1292 /** 1293 * Deletes a tethering offload rule. 1294 * 1295 * Currently, only downstream /128 IPv6 entries are supported. An existing rule will be deleted 1296 * if the destination IP address and the source interface match. It is not an error if there is 1297 * no matching rule to delete. 1298 * 1299 * @param rule The rule to delete. 1300 * @throws ServiceSpecificException in case of failure, with an error code indicating the 1301 * cause of the failure. 1302 */ tetherOffloadRuleRemove(in TetherOffloadRuleParcel rule)1303 void tetherOffloadRuleRemove(in TetherOffloadRuleParcel rule); 1304 1305 /** 1306 * Return BPF tethering offload statistics. 1307 * 1308 * @return an array of TetherStatsParcel's, where each entry contains the upstream interface 1309 * index and its tethering statistics since tethering was first started. 1310 * There will only ever be one entry for a given interface index. 1311 * @throws ServiceSpecificException in case of failure, with an error code indicating the 1312 * cause of the failure. 1313 */ tetherOffloadGetStats()1314 TetherStatsParcel[] tetherOffloadGetStats(); 1315 1316 /** 1317 * Set a per-interface quota for tethering offload. 1318 * 1319 * @param ifIndex Index of upstream interface 1320 * @param quotaBytes The quota defined as the number of bytes, starting from zero and counting 1321 * from *now*. A value of QUOTA_UNLIMITED (-1) indicates there is no limit. 1322 * @throws ServiceSpecificException in case of failure, with an error code indicating the 1323 * cause of the failure. 1324 */ tetherOffloadSetInterfaceQuota(int ifIndex, long quotaBytes)1325 void tetherOffloadSetInterfaceQuota(int ifIndex, long quotaBytes); 1326 1327 /** 1328 * Return BPF tethering offload statistics and clear the stats for a given upstream. 1329 * 1330 * Must only be called once all offload rules have already been deleted for the given upstream 1331 * interface. The existing stats will be fetched and returned. The stats and the limit for the 1332 * given upstream interface will be deleted as well. 1333 * 1334 * The stats and limit for a given upstream interface must be initialized (using 1335 * tetherOffloadSetInterfaceQuota) before any offload will occur on that interface. 1336 * 1337 * @param ifIndex Index of upstream interface. 1338 * @return TetherStatsParcel, which contains the given upstream interface index and its 1339 * tethering statistics since tethering was first started on that upstream interface. 1340 * @throws ServiceSpecificException in case of failure, with an error code indicating the 1341 * cause of the failure. 1342 */ tetherOffloadGetAndClearStats(int ifIndex)1343 TetherStatsParcel tetherOffloadGetAndClearStats(int ifIndex); 1344 1345 /** 1346 * Creates a network. 1347 * 1348 * @param config the configuration of network. 1349 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 1350 * unix errno. 1351 */ networkCreate(in NativeNetworkConfig config)1352 void networkCreate(in NativeNetworkConfig config); 1353 1354 /** 1355 * Adds the specified UID ranges to the specified network. The network can be physical or 1356 * virtual. Traffic from the UID ranges will be routed to the network by default. The possible 1357 * value of subsidiary priority for physical and unreachable networks is 0-999. 0 is the highest 1358 * priority. 0 is also the default value. Virtual network supports only the default value. 1359 * 1360 * @param NativeUidRangeConfig a parcel contains netId, UID ranges, subsidiary priority, etc. 1361 * 1362 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 1363 * unix errno. 1364 */ networkAddUidRangesParcel(in NativeUidRangeConfig uidRangesConfig)1365 void networkAddUidRangesParcel(in NativeUidRangeConfig uidRangesConfig); 1366 1367 /** 1368 * Removes the specified UID ranges from the specified network. The network can be physical or 1369 * virtual. Traffic from the UID ranges will no longer be routed to the network by default. The 1370 * possible value of subsidiary priority for physical and unreachable networks is 0-999. 0 is 1371 * the highest priority. 0 is also the default value. Virtual network supports only the default 1372 * value. 1373 * 1374 * @param NativeUidRangeConfig a parcel contains netId, UID ranges, subsidiary priority, etc. 1375 * 1376 * @throws ServiceSpecificException in case of failure, with an error code corresponding to the 1377 * unix errno. 1378 */ networkRemoveUidRangesParcel(in NativeUidRangeConfig uidRangesConfig)1379 void networkRemoveUidRangesParcel(in NativeUidRangeConfig uidRangesConfig); 1380 } 1381