This doesn't do anything at this patchset, but the whole
pipe from the agent to ConnectivityService is built.

LocalNetworkInfo will be the name of the public information
sent in callbacks to clients.

Test: CSLocalAgentTests
Change-Id: I70e133031ef3b0aaf6c3e59ccc2ad895c66d339c

This patch does the following :
• When a network is local but the system doesn't support it,
  throw in registerNetworkAgent.
• When a network is local, tell netd about it.
• Add tests for the above, as well as a test for callbacks
  being sent correctly when the caps are set and not when
  they aren't and that the new keep connected flag is
  respected.

Telling netd about the network being local has it add two
routes that do not exist if the network is not local :
• One at PRIORITY_LOCAL_NETWORK matching unmarked sockets
  and looking up the table for the interface.
20000: from all fwmark 0x0/0x10000 lookup xxxx
• One at PRIORITY_EXPLICIT_NETWORK matching explicitly on
  network 99, so that dnsmasq traffic and any OEM traffic
  marked for network 99 flowing there.
16000: from all fwmark 0x10063/0x1ffff iif lo lookup xxxx
IMPLICIT_NETWORK and EXPLICIT_NETWORK rules are installed
by connectivity service as a matter of course whether the
network is local or not.

See commit If8729fc6f3716a580c936584b851bc38000b5de5 for
implementation details of this mechanic.

There is no need to implement anything in particular for the
new connected reason, as the current implementation will
already keep it connected. A new test makes sure of that.

Test: FrameworksNetTests
      CtsNetTestCases
      FrameworksNetIntegrationTests
      NetworkStackTests
      NetworkStaticLibTests
      TetheringTests
      MtsTetheringTestLatestSdk
      TetheringIntegrationTests
Change-Id: I6fb7dfe4c232eea8cac9ac268897ddb36bb794d1

Test: FrameworksNetTests
Change-Id: Ic490fee6ee70d74acff0a290199b2946817173d0

CSTest and CSAgentWrapper need to agree on what the current
version is

Test: CSTest*
Change-Id: If78047c36ce213a531207d25b410e870691fbb98

The created handler thread will stay there for a while until
all the tests are finished. This is considered as a leakage
which will take the resource from the devices. In low end
devices, this may possibly impact the performance. The created
threads should be closed explicitly.

Test: atest ConnectivityCoverageTests ConntrackSocketTest
Change-Id: Ic1beb2a210e7c8c80c66fc9e0727c47599150672

This is useful going forward in particular because there will
be a default forbidden capability for LOCAL_NETWORKS. This
means it will be useful to be able to remove it.

It is also generally useful and we have been wanting to open
this API to the public, so this is a good opportunity to do so.

Test: new tests for NetworkRequest
      NetworkCapabilitiesTest already has tests because it
      already was @SystemApi
Change-Id: Ibb8d33b799f2d274326fd9cd0b05a2c33a18032a

This has been sorely needed for a while. Instead of filing requests
for each of your networks in a CSTest, which is fiddly at best and
sometimes almost impossible (because you can't single out the network),
you can now add this flag and be done with it.

Test: CSKeepConnectedTest
Change-Id: Ie168fe1f3a17de035fdf05e3d6580d3262a3448e

• Make sure all Agents have a legacy type. This is necessary to
  avoid crashes in LegacyNetworkTracker
• Wait for LOST when disconnecting a network
• Make sure the test package sees its own permissions (importantly
  it can't see background networks otherwise, because it lacks
  CHANGE_NETWORKING_STATE)

Test: in the followup
Change-Id: I9f699b6372a8fe0d5bcd5310d8f35f72e48a6c61

Test: none needed
Change-Id: I7e409827adc86fc13975f394100889a6bf0f1e50

Test: in followup patches
Change-Id: I540ce2a455c92be52eb94fbd4b54a2081d04d25e

service-connectivity-mdns-standalone-build-test builds the mDNS
discovery and advertisement implementation against API level 21.
This stops the advertisement code from calling new NsdServiceInfo
public or private APIs which are required by Thread.

This commit removes the mDNS advertisement code from the standalone
build to loose the check given this will never be used by GMS Core.

Bug: 265095929
Test: verified that it can build with aosp/2608627
Change-Id: I32cfce7b994d51a4b4ec468e9f79ffc2be6635ff

Test: manual
Change-Id: Ib39dc4dbf534f14d94923bb0026f18e47edabba2

Test: comment-only change
Change-Id: I63bada891757d7e991cc7538c56e4fc50074ee5d

Bug: 255714762
Test: presubmit
Change-Id: If91e9af5409fed9d5ccdd13749a0f562c545d589

(in preparation for moving it into netbpfload)

The programs themselves (in bpf_progs/block.c) required a 5.4+ kernel.

We relax this restriction to 4.19+ as we don't have any 5.4 device coverage
(while the pixel 4a 5G / 5 / 5a are all 4.19 devices).

I believe we could relax it further to 4.14+ but Pixel 4/4xl/4a that
would exercise those code paths are EOL and probably have poor to
non existent test coverage, and we cannot do anything for 4.9 T devices
anyway.

Note: on <4.19 kernels (ie. T devices running 4.9/4.14, U running 4.14)
this results in ConnectivityNativeService going from null to initialized
(as the bpf map will exist).

This doesn't hurt as the set/clear port interfaces are only ever
called by vendor code on devices where the kernel doesn't support
the older mechanism.  And even if you call them it will just set/clear
the bits in the bpf bitmap, they just won't actually affect anything.

We could flag the map itself as being 4.19+ as well, but I think
I prefer the no-op map to exist...

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1085addd22f4f3b709e1875049633832c5dac836

Bug: 303299687
Test: atest
Change-Id: Iad740804a59599dd33add1ea85aa4771e0e4bd35

In testLegacyLockdownVpn, remove the fail check on IPv6 networks
and add coverage in VpnTest instead as this interaction relies
on the Vpn implementation, not ConnectivityService.

Bug: 230548427
Test: atest FrameworksNetTests
Change-Id: Ib24809ece2332c4c3d3e08c168e02ad859242eac

The test coverage of LockdownVpnTracker has been moved to a
separate unit test file. testLegacyLockdownVpn now calls the Vpn
methods directly instead of creating a new LockdownVpnTracker.
Note this removes calls to expectStopVpnRunnerPrivileged since
stopVpnRunnerPrivileged is now directly called in the test so it
is already guaranteed to be called.

The expected calls/behavior of LockdownVpnTracker can be seen in
LockdownVpnTrackerTest.

Bug: 230548427
Test: atest FrameworksNetTests
Change-Id: Id9d26435bf62ffef954f6c7fa0558ce99540de1f

This is written based on observation that
  testStartVpnProfileNoPreviousConsent()
appears to result in the right things happening when running
  adb logcat | egrep --color -i 'Switched from |protect'
ie. it results in:
  I netd    : networkSetProtectDeny(<ctsappuid>) <0.01ms>
  I Vpn     : Switched from android.net.cts to [Legacy VPN]
  I netd    : networkSetProtectAllow(1000) <0.00ms>

Which disallows the CTS uid, and allows AID_SYSTEM.

That in turn appears to be the 'default' state of things.

So this basically copies that logic into tearDown()

Test: atest android.net.cts.{Ikev2VpnTest,VpnServiceTest} --iterations 2
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ic9cca56097d78ae48157e808081de2ebb76635e8

For general internet access, a specialized slice is generally
not preferable to a non-specialized network.

Test: new test in this patch
Change-Id: I052ce923300566807999b2f20f5911181fb761dd

This is masking an exception in setUp() and makes debugging difficult

Test: treehugger
Change-Id: I8b5b80c4171d45076dd02bab5ff4b6dc81d98086

- Watches don't support VPN apps.
- The HostsideVpnTests CTS tests are already skipped on watches.
- The tests for VpnManager VPNs do run on watches, but there isn't
  actually a way to start a VpnManager VPN on a watch because there is
  no way to display the consent dialog to the user.
- The VpnService CTS tests verify the VpnService API on watches
  bypassing the consent dialogs.
- Because there is no way to start a VPN app on a watch, there's no
  point requiring the VPN CTS tests to pass.

This CL disables the remaining VPN CTS tests on watches. This allows
watches to disable the VPN service, reducing startup time and memory
usage.

Bug: 286240194
Test: atest CtsNetTestCases FrameworksNetTests
Change-Id: Idb7110232ae7e45cafc265cd4f955c2a6b22361c

Android's clat is for reaching the internet, which in general
never has an ipv4 L3 mtu higher than 1500.

(We could probably hit this on a jumboframe enabled IPv6-only
wifi network [ http://b/292057969#comment18

 ] where RA claims
MTU of 9K [9170])

Bug: 292057969
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I7a32455571458b8a3f1121ad980d54323b2ef06b

Network tracing was only available on userdebug and eng builds. This
change makes it available on all build types behind a flag.

Bug: 298197881
Test: flash & trace, toggle flag on/off
Change-Id: I75d854aee74adf7e23f7a970b20233790f9b0354

Test: FrameworksNetTests
      Note that carrierPrivilegeAuthenticatorTest is already
      an @Parameterized test with flag = on and off, so it
      already tests both.
Change-Id: I52fcfd3f21a13d7a39952ba828464ce6ef4085c2

This will be easier to read when this behavior is diverted
based on a flag

Test: FrameworksNetTests
Change-Id: Ifd7abd8ad82cb8307b1cd8535ac5fa82004404e6

Test: CarrierPrivilegeAuthenticatorTest
Change-Id: Ia28c6abca67866c1de953cb61953a0d2882cd7e2

This reverts commit cbe17558.

Reason for revert: we found the culprit for the flakiness and b/272147742 is fixed.

Change-Id: I672c42bb57184393588666b6196f3a316f8c99c7

The transaction id is a number that is used to identify a
specific query packet. But it's not necessary for probing
or announcing services, so the transaction id is not
currently used on advertising when creating a MdnsPacket or
decoding the response to a MdnsPacket. This means that it is not
possible to track which query packets have received
responses. Therefore, store the transaction id so that
it can be used for subsequent query packet changes.

Bug: 302269599
Test: atest FrameworksNetTests
Change-Id: I6734752b32b91678afb7df06e1fa51237cf70894

Do not avoid captive portal on wear proxy network; keep network agent
after detecting portal.

Bug: 291112432
Test: atest FrameworksNetTests:android.net.connectivity.com.android.server.ConnectivityServiceTest
Change-Id: I8f6669da62ebd76b6a46d2aec9b3ea563a08cb5e

Ikev2VpnProfile related shims are no longer needed since
downstream branch was moved to udc branch. This commit
also update the methods that are used to do the SDK check
because of the removal of shims.

Test: atest CtsNetTestCases
Change-Id: I4efe65f87ace02b1f1649bf15ccf0ba06fd90486

NetworkStatsManagerTest issues NetworkRequests but does not release
them. In addition, it performs blocking operations inside the
onAvailable() callback that runs on the shared ConnectivityThread
impacting tests that run later.

Test: TH
Bug: 272147742
Change-Id: Ide2f5ba0b12752099d7665deaa9050463cd7ebee

aosp/2724918 moved processing netd events for 464xlat to the
handler thread.

This CL makes 464xlat run the code that processes those events
inline. This simplifies the code and makes the ordering of events
more similar to what it was before.

Bug: 293965195
Fix: 302071735
Test: existing unit tests
Change-Id: I18b0d491aff94646b878a3d3488b5519fd42783c

Because the WifiManager can not be obtained in instant mode, the test
should only runs in AppModeFull.

Bug: 300219769
Test: TH
Change-Id: If5049a68dce23aafa3c9b8a59bf9a759c9532541

testFirewallCloseSocketAllowlistChainOtherUid sets the firewall rule on
myUid + 1 and confirms this does not affect the network access from
myUid.
This test failed when there is an existing firewall rule on myUid.
This CL cleans up the existing rule on myUid before running the test and
restores the existing state after the test.

Bug: 299898772
Test: atest CtsNetTestCases
Change-Id: I9083ac41a64a8b81a8b4616c0d57a25355f5d53c

The issue seems to be that some other network may become
available or change capabilities before Lost happens, as
can be the case with real networks like in CTS.

Test: TH
Bug: 289879931
Change-Id: I849f3b7d99f5d5195a3bbd3c39720923597a51d9

- Ability to mock enabled changes, which is necessary for
  requestNetwork
- Ability to disconnect an agent

Test: in aosp/2761506
Change-Id: If2701f1fff29453e74a4b388758c6ee3a16a5734

Although the launcher should be visible due to the <queries> declaration
in the manifest, there are sometimes flakes indicating that the access
to the package was blocked due to visibility rules.

Try adding QUERY_ALL_PACKAGES to see whether it resolves the flakes.

Bug: 286550950
Test: atest
Change-Id: I24dcf19c040b63fea55f82db412ffcd40670e6fc

Test that when a responder only responds with the exact records that
were queried, so only reply for PTR in discovery, only send SRV, TXT,
A, AAAA when asked explicitly, service resolve succeeds.

This ensures that the querier sends followup queries for each record.
See RFC6763 12., especially the last paragraph.

Bug: 267570781
Bug: 267371243
Test: atest NsdManagerTest
Change-Id: Ia392e80c1e27b479c6177d19f6b4be6032dcb1cd

The mDNS library need to be backported to some internal library which
support minSdk 21. Therefore, updated the build rules to add the linter
check.

Bug: 296175311
Test: TH
Change-Id: Iae0bffa315dc6de2339a05f595b13480fa7385ae