Use JBSMATCH opcode for ethernet address matching
This commit refactors the code to use the JBSMATCH opcode when possible
for ethernet address matching, improving code density.
Before:
03-21 14:43:07.523 28553 28566 I ApfFilterTest: all feature on, program size: 4503
After:
03-21 16:43:22.941 1490 1510 I ApfFilterTest: all feature on, program size: 4446
Test: TH
Change-Id: Id2f20bdfe2da579b3f1d8e441533532aaee2816d
diff --git a/src/android/net/apf/ApfFilter.java b/src/android/net/apf/ApfFilter.java
index 7c6692f..bde487e 100644
--- a/src/android/net/apf/ApfFilter.java
+++ b/src/android/net/apf/ApfFilter.java
@@ -1830,8 +1830,8 @@
// Pass if non-broadcast reply.
// This also accepts multicast arp, but we assume those don't exist.
- gen.addLoadImmediate(R0, ETH_DEST_ADDR_OFFSET);
- gen.addCountAndPassIfBytesAtR0NotEqual(ETHER_BROADCAST, PASSED_ARP_UNICAST_REPLY);
+ gen.addCountAndPassIfBytesAtOffsetNotEqual(ETH_DEST_ADDR_OFFSET, ETHER_BROADCAST,
+ PASSED_ARP_UNICAST_REPLY);
// It is a broadcast reply.
if (mIPv4Address == null) {
@@ -1897,8 +1897,8 @@
// the future, such packets will likely be dropped by multicast filters.
// Since the device may have packet forwarding enabled, APF needs to pass any received
// unicast IPv4 ping not destined for the device's IP address to the kernel.
- gen.addLoadImmediate(R0, ETHER_DST_ADDR_OFFSET)
- .addJumpIfBytesAtR0NotEqual(mHardwareAddress, skipIpv4PingFilter)
+ gen.addJumpIfBytesAtOffsetNotEqual(
+ ETH_DEST_ADDR_OFFSET, mHardwareAddress, skipIpv4PingFilter)
.addLoadImmediate(R0, IPV4_DEST_ADDR_OFFSET)
.addJumpIfBytesAtR0NotEqual(mIPv4Address, skipIpv4PingFilter);
@@ -1979,11 +1979,11 @@
// address for IPv4 mDNS packet) or the device's MAC address, skip filtering.
// We need to check both the mDNS multicast MAC address and the device's MAC address
// because multicast to unicast conversion might have occurred.
- gen.addLoadImmediate(R0, ETH_DEST_ADDR_OFFSET)
- .addJumpIfBytesAtR0EqualsNoneOf(
- List.of(mHardwareAddress, ETH_MULTICAST_MDNS_V4_MAC_ADDRESS),
- skipMdnsFilter
- );
+ gen.addJumpIfBytesAtOffsetEqualsNoneOf(
+ ETH_DEST_ADDR_OFFSET,
+ List.of(mHardwareAddress, ETH_MULTICAST_MDNS_V4_MAC_ADDRESS),
+ skipMdnsFilter
+ );
// Ignore packets with IPv4 options (header size not equal to 20) as they are rare.
gen.addLoadFromMemory(R0, MemorySlot.IPV4_HEADER_SIZE)
@@ -2185,8 +2185,8 @@
// Otherwise, this is an IPv4 unicast, pass
// If L2 broadcast packet, drop.
// TODO: can we invert this condition to fall through to the common pass case below?
- gen.addLoadImmediate(R0, ETH_DEST_ADDR_OFFSET);
- gen.addCountAndPassIfBytesAtR0NotEqual(ETHER_BROADCAST, PASSED_IPV4_UNICAST);
+ gen.addCountAndPassIfBytesAtOffsetNotEqual(ETH_DEST_ADDR_OFFSET, ETHER_BROADCAST,
+ PASSED_IPV4_UNICAST);
gen.addCountAndDrop(DROPPED_IPV4_L2_BROADCAST);
}
@@ -2329,8 +2329,8 @@
// used by processes other than clatd. This is because APF cannot reliably detect signal
// on when IPV6_{JOIN,LEAVE}_ANYCAST is triggered.
final List<byte[]> allMACs = getKnownMacAddresses();
- v6Gen.addLoadImmediate(R0, ETH_DEST_ADDR_OFFSET)
- .addCountAndDropIfBytesAtR0EqualsNoneOf(allMACs, DROPPED_IPV6_NS_OTHER_HOST);
+ v6Gen.addCountAndDropIfBytesAtOffsetEqualsNoneOf(ETH_DEST_ADDR_OFFSET, allMACs,
+ DROPPED_IPV6_NS_OTHER_HOST);
// Dst IPv6 address check:
final List<byte[]> allSuffixes = getSolicitedNodeMcastAddressSuffix(allIPv6Addrs);
@@ -2444,11 +2444,11 @@
// address for IPv6 mDNS packet) or the device's MAC address, skip filtering.
// We need to check both the mDNS multicast MAC address and the device's MAC address
// because multicast to unicast conversion might have occurred.
- gen.addLoadImmediate(R0, ETH_DEST_ADDR_OFFSET)
- .addJumpIfBytesAtR0EqualsNoneOf(
- List.of(mHardwareAddress, ETH_MULTICAST_MDNS_V6_MAC_ADDRESS),
- skipMdnsFilter
- );
+ gen.addJumpIfBytesAtOffsetEqualsNoneOf(
+ ETH_DEST_ADDR_OFFSET,
+ List.of(mHardwareAddress, ETH_MULTICAST_MDNS_V6_MAC_ADDRESS),
+ skipMdnsFilter
+ );
// Skip filtering if the packet is not an IPv6 UDP packet.
gen.addLoad8intoR0(IPV6_NEXT_HEADER_OFFSET)
@@ -2509,8 +2509,8 @@
true /* includeNonTentative */,
false /* includeTentative */,
false /* includeAnycast */);
- gen.addLoadImmediate(R0, ETHER_DST_ADDR_OFFSET)
- .addJumpIfBytesAtR0NotEqual(mHardwareAddress, skipPing6Offload)
+ gen.addJumpIfBytesAtOffsetNotEqual(
+ ETHER_DST_ADDR_OFFSET, mHardwareAddress, skipPing6Offload)
.addLoadImmediate(R0, IPV6_DEST_ADDR_OFFSET)
.addJumpIfBytesAtR0EqualsNoneOf(nonTentativeIPv6Addrs, skipPing6Offload);
@@ -3604,8 +3604,8 @@
// Pass unicast TDLS packet but drop non-unicast TDLS packet.
short skipTDLScheck = gen.getUniqueLabel();
gen.addJumpIfR0NotEquals(0x890DL, skipTDLScheck)
- .addLoadImmediate(R0, ETH_DEST_ADDR_OFFSET)
- .addCountAndDropIfBytesAtR0NotEqual(mHardwareAddress, DROPPED_NON_UNICAST_TDLS)
+ .addCountAndDropIfBytesAtOffsetNotEqual(
+ ETH_DEST_ADDR_OFFSET, mHardwareAddress, DROPPED_NON_UNICAST_TDLS)
.addCountAndPass(PASSED_NON_IP_UNICAST)
.defineLabel(skipTDLScheck);
@@ -3650,8 +3650,8 @@
gen.addJumpIfR0Equals(ETH_P_IPV6, ipv6FilterLabel);
// Drop non-IP non-ARP broadcasts, pass the rest
- gen.addLoadImmediate(R0, ETH_DEST_ADDR_OFFSET);
- gen.addCountAndPassIfBytesAtR0NotEqual(ETHER_BROADCAST, PASSED_NON_IP_UNICAST);
+ gen.addCountAndPassIfBytesAtOffsetNotEqual(ETH_DEST_ADDR_OFFSET, ETHER_BROADCAST,
+ PASSED_NON_IP_UNICAST);
gen.addCountAndDrop(DROPPED_ETH_BROADCAST);
// Add IPv6 filters:
@@ -3739,11 +3739,17 @@
}
void preloadData(ApfV61GeneratorBase<?> gen) throws IllegalInstructionException {
+ final List<byte[]> preloadedMacAddress = getKnownMacAddresses();
final List<byte[]> preloadedIPv6Address = getIpv6Addresses(true /* includeNonTentative */,
true /* includeTentative */, true /* includeAnycast */);
- final int preloadDataSize = preloadedIPv6Address.size() * 16;
+ final int preloadDataSize =
+ preloadedIPv6Address.size() * 16 + preloadedMacAddress.size() * 6;
final byte[] preloadData = new byte[preloadDataSize];
int offset = 0;
+ for (byte[] addr : preloadedMacAddress) {
+ System.arraycopy(addr, 0, preloadData, offset, 6);
+ offset += 6;
+ }
for (byte[] addr : preloadedIPv6Address) {
System.arraycopy(addr, 0, preloadData, offset, 16);
offset += 16;
diff --git a/src/android/net/apf/ApfV4GeneratorBase.java b/src/android/net/apf/ApfV4GeneratorBase.java
index f142e31..fb929dc 100644
--- a/src/android/net/apf/ApfV4GeneratorBase.java
+++ b/src/android/net/apf/ApfV4GeneratorBase.java
@@ -482,6 +482,17 @@
}
/**
+ * Add an instruction to the end of the program to jump to {@code tgt} if the bytes of the
+ * packet at an offset specified by {@code offset} don't match {@code bytes}.
+ * This method needs to be non-final because APFv4 and APFv6 share the same implementation,
+ * but in APFv6.1, this method will be overridden to use the JBSPTRMATCH instruction.
+ */
+ public Type addJumpIfBytesAtOffsetNotEqual(int offset, @NonNull byte[] bytes, short tgt)
+ throws IllegalInstructionException {
+ return addLoadImmediate(R0, offset).addJumpIfBytesAtR0NotEqual(bytes, tgt);
+ }
+
+ /**
* Add instructions to the end of the program to increase counter and drop packet if the
* bytes of the packet at an offset specified by register0 don't match {@code bytes}.
* WARNING: may modify R1
@@ -499,6 +510,28 @@
/**
* Add instructions to the end of the program to increase counter and drop packet if the
+ * bytes of the packet at an offset specified by {@code offset} don't match {@code bytes}.
+ * This method needs to be non-final because APFv4 and APFv6 share the same implementation,
+ * but in APFv6.1, this method will be overridden to use the JBSPTRMATCH instruction.
+ */
+ public Type addCountAndDropIfBytesAtOffsetNotEqual(int offset, byte[] bytes,
+ ApfCounterTracker.Counter cnt) throws IllegalInstructionException {
+ return addLoadImmediate(R0, offset).addCountAndDropIfBytesAtR0NotEqual(bytes, cnt);
+ }
+
+ /**
+ * Add instructions to the end of the program to increase counter and pass packet if the
+ * bytes of the packet at an offset specified by {@code offset} don't match {@code bytes}.
+ * This method needs to be non-final because APFv4 and APFv6 share the same implementation,
+ * but in APFv6.1, this method will be overridden to use the JBSPTRMATCH instruction.
+ */
+ public Type addCountAndPassIfBytesAtOffsetNotEqual(int offset, byte[] bytes,
+ ApfCounterTracker.Counter cnt) throws IllegalInstructionException {
+ return addLoadImmediate(R0, offset).addCountAndPassIfBytesAtR0NotEqual(bytes, cnt);
+ }
+
+ /**
+ * Add instructions to the end of the program to increase counter and drop packet if the
* bytes of the packet at an offset specified by register0 match {@code bytes}.
* WARNING: may modify R1
*/
diff --git a/src/android/net/apf/ApfV61GeneratorBase.java b/src/android/net/apf/ApfV61GeneratorBase.java
index 014d893..c686b71 100644
--- a/src/android/net/apf/ApfV61GeneratorBase.java
+++ b/src/android/net/apf/ApfV61GeneratorBase.java
@@ -325,6 +325,24 @@
return addJumpIfBytesAtOffsetEqualsNoneOf(offset, bytesList, cnt.getJumpPassLabel());
}
+ @Override
+ public Type addCountAndPassIfBytesAtOffsetNotEqual(int offset, byte[] bytes,
+ ApfCounterTracker.Counter cnt) throws IllegalInstructionException {
+ return addJumpIfBytesAtOffsetEqualsNoneOf(offset, List.of(bytes), cnt.getJumpPassLabel());
+ }
+
+ @Override
+ public Type addCountAndDropIfBytesAtOffsetNotEqual(int offset, byte[] bytes,
+ ApfCounterTracker.Counter cnt) throws IllegalInstructionException {
+ return addJumpIfBytesAtOffsetEqualsNoneOf(offset, List.of(bytes), cnt.getJumpDropLabel());
+ }
+
+ @Override
+ public Type addJumpIfBytesAtOffsetNotEqual(int offset, @NonNull byte[] bytes, short tgt)
+ throws IllegalInstructionException {
+ return addJumpIfBytesAtOffsetEqualsNoneOf(offset, List.of(bytes), tgt);
+ }
+
/**
* Appends a conditional jump instruction to the program: Jumps to {@code tgt} if the UDP
* payload's DNS questions contain the QNAMEs specified in {@code qnames} and qtype
diff --git a/src/android/net/apf/ApfV6Generator.java b/src/android/net/apf/ApfV6Generator.java
index 045423b..07bd191 100644
--- a/src/android/net/apf/ApfV6Generator.java
+++ b/src/android/net/apf/ApfV6Generator.java
@@ -262,6 +262,18 @@
}
@Override
+ public ApfV6Generator addJumpIfBytesAtOffsetEqualsAnyOf(int offset, List<byte[]> bytesList,
+ short tgt) throws IllegalInstructionException {
+ return addLoadImmediate(R0, offset).addJumpIfBytesAtR0EqualsAnyOf(bytesList, tgt);
+ }
+
+ @Override
+ public ApfV6Generator addJumpIfBytesAtOffsetEqualsNoneOf(int offset, List<byte[]> bytesList,
+ short tgt) throws IllegalInstructionException {
+ return addLoadImmediate(R0, offset).addJumpIfBytesAtR0EqualsNoneOf(bytesList, tgt);
+ }
+
+ @Override
public ApfV6Generator addCountAndDropIfR0IsNoneOf(@NonNull Set<Long> values,
ApfCounterTracker.Counter cnt) throws IllegalInstructionException {
if (values.isEmpty()) {
diff --git a/src/android/net/apf/ApfV6GeneratorBase.java b/src/android/net/apf/ApfV6GeneratorBase.java
index 68a29c5..90f0a28 100644
--- a/src/android/net/apf/ApfV6GeneratorBase.java
+++ b/src/android/net/apf/ApfV6GeneratorBase.java
@@ -552,6 +552,21 @@
return addJumpIfBytesAtR0EqualsHelper(bytesList, tgt, false /* jumpOnMatch */);
}
+ /**
+ * Add an instruction to the end of the program to jump to {@code tgt} if the bytes of the
+ * packet at an offset specified by {@code offset} match any of the elements in
+ * {@code bytesSet}.
+ */
+ public abstract Type addJumpIfBytesAtOffsetEqualsAnyOf(int offset,
+ @NonNull List<byte[]> bytesList, short tgt) throws IllegalInstructionException;
+
+ /**
+ * Add an instruction to the end of the program to jump to {@code tgt} if the bytes of the
+ * packet at an offset specified by {@code offset} match none of the elements in
+ * {@code bytesSet}.
+ */
+ public abstract Type addJumpIfBytesAtOffsetEqualsNoneOf(int offset,
+ @NonNull List<byte[]> bytesList, short tgt) throws IllegalInstructionException;
/**
* Check if the byte is valid dns character: A-Z,0-9,-,_,%,@
diff --git a/tests/unit/src/android/net/apf/ApfFilterTest.kt b/tests/unit/src/android/net/apf/ApfFilterTest.kt
index 2d20ed6..6fcf641 100644
--- a/tests/unit/src/android/net/apf/ApfFilterTest.kt
+++ b/tests/unit/src/android/net/apf/ApfFilterTest.kt
@@ -22,6 +22,8 @@
import android.net.MacAddress
import android.net.NattKeepalivePacketDataParcelable
import android.net.TcpKeepalivePacketDataParcelable
+import android.net.apf.ApfConstants.ETH_MULTICAST_MDNS_V4_MAC_ADDRESS
+import android.net.apf.ApfConstants.ETH_MULTICAST_MDNS_V6_MAC_ADDRESS
import android.net.apf.ApfCounterTracker.Counter.DROPPED_ARP_NON_IPV4
import android.net.apf.ApfCounterTracker.Counter.DROPPED_ARP_OTHER_HOST
import android.net.apf.ApfCounterTracker.Counter.DROPPED_ARP_REPLY_SPA_NO_HOST
@@ -240,6 +242,8 @@
intArrayOf(0x33, 0x33, 0xff, 0x55, 0x66, 0x77).map { it.toByte() }.toByteArray(),
// 33:33:ff:bb:cc:dd
intArrayOf(0x33, 0x33, 0xff, 0xbb, 0xcc, 0xdd).map { it.toByte() }.toByteArray(),
+ ETH_MULTICAST_MDNS_V4_MAC_ADDRESS,
+ ETH_MULTICAST_MDNS_V6_MAC_ADDRESS
)
// Using scapy to generate payload:
@@ -5797,7 +5801,8 @@
)
assertThat(program.size).isLessThan(apfRamSize + 1)
assertThat(program).isNotEqualTo(ByteArray(apfRamSize) { 0 })
- val step = Random.nextInt(1, 16)
+ // TODO: reduce after fixing 'Failed to receive adb shell test output within 66000 ms'
+ val step = Random.nextInt(1, 64)
apfRamSize += step
}
}
@@ -5817,7 +5822,8 @@
val availableRam = apfRamSize - ApfCounterTracker.Counter.totalSize()
assertThat(program.size).isLessThan(availableRam + 1)
assertThat(program).isNotEqualTo(ByteArray(availableRam) { 0 })
- val step = Random.nextInt(1, 16)
+ // TODO: reduce after fixing 'Failed to receive adb shell test output within 66000 ms'
+ val step = Random.nextInt(1, 64)
apfRamSize += step
}
}
@@ -5836,7 +5842,8 @@
val availableRam = apfRamSize - ApfCounterTracker.Counter.totalSize()
assertThat(program.size).isLessThan(availableRam + 1)
assertThat(program).isNotEqualTo(ByteArray(availableRam) { 0 })
- val step = Random.nextInt(1, 16)
+ // TODO: reduce after fixing 'Failed to receive adb shell test output within 66000 ms'
+ val step = Random.nextInt(1, 64)
apfRamSize += step
}
}
