Merge "vpn: allow IPSec traffic through Always-on VPN"

am: 4d3b5c1d3b

Change-Id: I90fbe3ad3ec8b9d3b52e6036ae07dd8db814cb22

1 files changed, 14 insertions, 2 deletions

diff --git a/services/core/java/com/android/server/connectivity/Vpn.java b/services/core/java/com/android/server/connectivity/Vpn.java
index 2fda08e2a575..df94de2e52d1 100644
--- a/services/core/java/com/android/server/connectivity/Vpn.java
+++ b/services/core/java/com/android/server/connectivity/Vpn.java
@@ -100,8 +100,6 @@ import com.android.server.DeviceIdleController;
 import com.android.server.LocalServices;
 import com.android.server.net.BaseNetworkObserver;
 
-import libcore.io.IoUtils;
-
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
@@ -122,6 +120,8 @@ import java.util.SortedSet;
 import java.util.TreeSet;
 import java.util.concurrent.atomic.AtomicInteger;
 
+import libcore.io.IoUtils;
+
 /**
  * @hide
  */
@@ -1274,6 +1274,18 @@ public class Vpn {
                     /* allowedApplications */ null,
                     /* disallowedApplications */ exemptedPackages);
 
+            // The UID range of the first user (0-99999) would block the IPSec traffic, which comes
+            // directly from the kernel and is marked as uid=0. So we adjust the range to allow
+            // it through (b/69873852).
+            for (UidRange range : addedRanges) {
+                if (range.start == 0) {
+                    addedRanges.remove(range);
+                    if (range.stop != 0) {
+                        addedRanges.add(new UidRange(1, range.stop));
+                    }
+                }
+            }
+
             removedRanges.removeAll(addedRanges);
             addedRanges.removeAll(mBlockedUsers);
         }