| // Copyright 2019 The ChromiumOS Authors |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| syntax = "proto3"; |
| option optimize_for = LITE_RUNTIME; |
| |
| // This file defines the messages used by the patchpanel D-Bus API. It is |
| // strongly recommended to not use the patchpanel D-Bus API directly and to |
| // instead use the thin client defined at platform2/patchpanel/client.h that |
| // provides additional functionalities and abstracts the details of the wire |
| // format. Access control for clients is defined in platform2/patchpanel/dbus. |
| package patchpanel; |
| option go_package = "go.chromium.org/chromiumos/system_api/patchpanel_proto"; |
| |
| // Notification that the ARC++ container is starting up. |
| // This is informational. The ARC boot and setup sequences do not require |
| // any information or permission from networking to continue. |
| message ArcStartupRequest { |
| // The PID of the ARC++ container. |
| // Required. |
| int32 pid = 1; |
| } |
| |
| // This is an intentionally empty mesage. ARC++ startup does not require |
| // any information from networking to proceed. |
| message ArcStartupResponse {} |
| |
| // Notification that the ARC++ container is shutting down. |
| message ArcShutdownRequest { |
| // TODO(hugobenichi) Deprecate this unused argument. |
| // The PID of the ARC++ container; must match the PID that was sent at |
| // startup. |
| // Required. |
| int32 pid = 1; |
| } |
| |
| // This is an intentionally empty message. ARC++ startup does not require |
| // any information from networking to proceed. |
| message ArcShutdownResponse {} |
| |
| // Notification that the ARC VM is starting up. |
| // Unlike in the container case, Concierge needs to know which TAP devices |
| // it can use. |
| message ArcVmStartupRequest { |
| // The content ID of the VM. |
| uint32 cid = 1; |
| } |
| |
| // Represents an IPv4 subnet given a base address and prefix length. |
| message IPv4Subnet { |
| // The base address of the subnet, represented as 4 bytes in network order. |
| bytes addr = 3; |
| |
| // Deprecated, use addr instead. The base address in network order. |
| uint32 base_addr = 1 [deprecated = true]; |
| |
| // The prefix length of the subnet. |
| uint32 prefix_len = 2; |
| } |
| |
| // Represents an IPv4 or IPv6 CIDR address with a prefix length. |
| message IPAddrCIDR { |
| // The base address represented as 4 or 16 bytes in network order. |
| bytes addr = 1; |
| |
| // The prefix length. |
| int32 prefix_len = 2; |
| } |
| |
| // Represents a virtual network device created and managed by patchpanel and |
| // used for one of the hosted guest platforms. |
| message NetworkDevice { |
| // Identifies the guest for which the virtual device is used. |
| enum GuestType { |
| UNKNOWN = 0; |
| ARC = 1; |
| ARCVM = 2; |
| TERMINA_VM = 3; |
| PARALLELS_VM = 4; |
| }; |
| |
| // Identifies the technology of the underlying physical device of the virtual |
| // device reported. |
| enum TechnologyType { |
| UNKNOWN_TECHNOLOGY = 0; |
| CELLULAR = 1; |
| ETHERNET = 2; |
| WIFI = 3; |
| }; |
| |
| // The name of the main virtual interface created by patchpanel for carrying |
| // packets out of the guest environment and onto the host routing setup. For |
| // ARC this corresponds to the virtual bridge used for that virtual device. |
| // For other crosvm guests (Termina, Crostini, Parallels VM, etc) this |
| // corresponds to the tap device used by crosvm virtio net stack. |
| string ifname = 1; |
| |
| // The name of the physical interface to which the virtual device is mapped. |
| // This corresponds to the interface name used by the shill Network class and |
| // may be different from the shill "Interface" property of the DBus Device |
| // object associated with this physical interface, e.g., Cellular multiplexed |
| // PDN connections. Only valid for ARC virtual devices and otherwise empty for |
| // virtual devices tracking the default logical or physical networks. |
| // TODO(b/273744897): Replace the ifname here by the patchpanel Network id |
| // and/or add the DBus path of the shill Device tracked by this virtual |
| // Device. |
| string phys_ifname = 5; |
| |
| // The name of the interface inside the guest. Only available for ARC virtual |
| // devices, and otherwise empty for other crosvm guests. |
| string guest_ifname = 7; |
| |
| // The IPv4 address assigned to the guest, in network order. |
| uint32 ipv4_addr = 2; |
| |
| // The IPv4 address assigned to the host device interface, in network order. |
| // This corresponds to the next hop IPv4 address for the guest and should be |
| // used for the default IPv4 route of the guest. |
| uint32 host_ipv4_addr = 6; |
| |
| // The IPv4 subnet allocated for this virtual device. |
| IPv4Subnet ipv4_subnet = 3; |
| |
| // The type of guest to which the device is bound. |
| GuestType guest_type = 4; |
| |
| // The IPv4 and IPv6 addresses of the DNS proxy instance tied to the guest |
| // virtual device. Only available for ARC virtual devices with the GetDevices |
| // DBus method call. The addresses are represented in network order as a byte |
| // array of size 4 and 16 respectively for IPv4 and IPv6. |
| bytes dns_proxy_ipv4_addr = 8; |
| bytes dns_proxy_ipv6_addr = 9; |
| |
| // Technology of the underlying physical device of the virtual device. |
| // Only valid for ARC virtual devices, and otherwise empty for virtual devices |
| // tracking the default logical or physical networks. |
| TechnologyType technology_type = 10; |
| } |
| |
| // Request to obtain the list of virtual network devices that patchpanel |
| // manages for guest OSes. This does not include physical or virtual (e.g. VPN) |
| // devices managed by shill or virtual devices in connected namespaces. |
| message GetDevicesRequest {} |
| |
| message GetDevicesResponse { |
| // The list of devices under patchpanel's management/control. |
| repeated NetworkDevice devices = 1; |
| } |
| |
| // Information required by Concierge to continue the ARC VM startup process. |
| message ArcVmStartupResponse { |
| // The IPv4 address of the "arc0" legacy management interface, represented in |
| // network order as a byte array of size 4. |
| bytes arc0_ipv4_address = 1; |
| |
| // The initial list of TAP devices to be used in the VM. |
| repeated string tap_device_ifnames = 2; |
| } |
| |
| // Notification that the ARC VM is shutting down. |
| // This message should also be sent if the startup process fails so any |
| // allocated resources are properly freed. |
| message ArcVmShutdownRequest { |
| // The CID of the ARC VM; must match the CID that was sent at |
| // startup. |
| // Required. |
| uint32 cid = 1; |
| } |
| |
| // Intentionally empty response. |
| message ArcVmShutdownResponse {} |
| |
| // Notification that a Termina VM is starting up. |
| message TerminaVmStartupRequest { |
| // The content ID of the VM. |
| uint32 cid = 1; |
| } |
| |
| // Information required by Concierge to continue the Termina VM startup. |
| message TerminaVmStartupResponse { |
| // The TAP device to be used for the VM. |
| string tap_device_ifname = 1; |
| |
| // The IPv4 subnet assigned to the VM. |
| IPv4Subnet ipv4_subnet = 2; |
| |
| // The IPv4 address assigned to the VM, represented as 4 bytes in network |
| // order, contained inside |ipv4_subnet|. |
| bytes ipv4_address = 3; |
| |
| // The IPv4 next hop gateway address for the VM, represented as 4 bytes in |
| // network order, contained inside |ipv4_subnet|. |
| bytes gateway_ipv4_address = 4; |
| |
| // The container IPv4 subnet to be used for the LXD bridge. |
| IPv4Subnet container_ipv4_subnet = 5; |
| |
| // The container IPv4 address, contained inside |container_ipv4_subnet|. |
| bytes container_ipv4_address = 6; |
| }; |
| |
| // Notification that the Termina VM is shutting down. |
| // This message must also be sent if the startup process fails so any |
| // allocated resources, including the subnets, are properly freed. |
| message TerminaVmShutdownRequest { |
| // The CID of the Termina VM; must match the PID that was sent at |
| // startup. |
| // Required. |
| uint32 cid = 1; |
| } |
| |
| // Intentionally empty response. |
| message TerminaVmShutdownResponse {} |
| |
| // Notification that a Parallels VM is starting up. |
| message ParallelsVmStartupRequest { |
| // The unique ID of the VM. |
| uint64 id = 1; |
| |
| // The 1-based index of the desired subnet to allocate for use. |
| // Optional. |
| // TODO(b/236092161) Migrate to uint32. |
| int32 subnet_index = 2; |
| } |
| |
| // Information required by Concierge to continue the Parallels VM startup. |
| message ParallelsVmStartupResponse { |
| // The TAP device to be used for the VM. |
| string tap_device_ifname = 1; |
| |
| // The IPv4 subnet assigned to the VM. |
| IPv4Subnet ipv4_subnet = 2; |
| |
| // The IPv4 address assigned to the VM, represented as 4 bytes in network |
| // order, contained inside |ipv4_subnet|. |
| bytes ipv4_address = 3; |
| }; |
| |
| // Notification that the Parallels VM is shutting down. |
| // This message must also be sent if the startup process fails so any |
| // allocated resources, including the subnets, are properly freed. |
| message ParallelsVmShutdownRequest { |
| // The unique ID of the Parallels VM; must match what was sent at startup. |
| // Required. |
| uint64 id = 1; |
| } |
| |
| // Intentionally empty response. |
| message ParallelsVmShutdownResponse {} |
| |
| // Notification that a Bruschetta VM is starting up. |
| message BruschettaVmStartupRequest { |
| // The unique ID of the VM. |
| uint64 id = 1; |
| } |
| |
| // Information required by Concierge to continue the Bruschetta VM startup. |
| message BruschettaVmStartupResponse { |
| // The TAP device to be used for the VM. |
| string tap_device_ifname = 1; |
| |
| // The IPv4 subnet assigned to the VM. |
| IPv4Subnet ipv4_subnet = 2; |
| |
| // The IPv4 address assigned to the VM, represented as 4 bytes in network |
| // order, contained inside |ipv4_subnet|. |
| bytes ipv4_address = 3; |
| |
| // The IPv4 next hop gateway address for the VM, represented as 4 bytes in |
| // network order, contained inside |ipv4_subnet|. |
| bytes gateway_ipv4_address = 4; |
| }; |
| |
| // Notification that the Bruschetta VM is shutting down. |
| // This message must also be sent if the startup process fails so any |
| // allocated resources, including the subnets, are properly freed. |
| message BruschettaVmShutdownRequest { |
| // The unique ID of the Bruschetta VM; must match what was sent at startup. |
| // Required. |
| uint64 id = 1; |
| } |
| |
| // Intentionally empty response. |
| message BruschettaVmShutdownResponse {} |
| |
| // Notification that a Borealis VM is starting up. |
| message BorealisVmStartupRequest { |
| // The content ID of the VM. |
| uint32 id = 1; |
| } |
| |
| // Information required by Concierge to continue the Borealis VM startup. |
| message BorealisVmStartupResponse { |
| // The TAP device to be used for the VM. |
| string tap_device_ifname = 1; |
| |
| // The IPv4 subnet assigned to the VM. |
| IPv4Subnet ipv4_subnet = 2; |
| |
| // The IPv4 address assigned to the VM, represented as 4 bytes in network |
| // order, contained inside |ipv4_subnet|. |
| bytes ipv4_address = 3; |
| |
| // The IPv4 next hop gateway address for the VM, represented as 4 bytes in |
| // network order, contained inside |ipv4_subnet|. |
| bytes gateway_ipv4_address = 4; |
| } |
| |
| // Notification that the Borealis VM is shutting down. |
| // This message must also be sent if the startup process fails so any |
| // allocated resources, including the subnets, are properly freed. |
| message BorealisVmShutdownRequest { |
| // The CID of the Borealis VM; must match the PID that was sent at |
| // startup. |
| // Required. |
| uint32 id = 1; |
| } |
| |
| // Intentionally empty response. |
| message BorealisVmShutdownResponse {} |
| |
| // Request for connecting and routing a network namespace. The client must |
| // append a valid file descriptor immediately after the serialized |
| // ConnectNamespaceRequest proto. This file descriptor must remain valid for as |
| // long as the client namespace needs to remain connected. Invalidating the file |
| // descriptor explicitly by closing it or implicitly when the client exits will |
| // trigger the teardown of the routing setup, the veth setup, and the release |
| // of the IPv4 subnet assigned to the namespace. |
| message ConnectNamespaceRequest { |
| // The pid of the client network namespace. If set to -1, a new network |
| // namespace which is not associated with any process will be created. |
| int32 pid = 1; |
| |
| // If the client sets this field to the name of a physical or VPN network |
| // interface managed by shill, the namespace egress traffic routed outside the |
| // host will be routed using the routing table specific to that physical or |
| // VPN network interface . If left empty, the namespace will be routed through |
| // the system highest priority interface (physical or virtual). |
| // TODO(b/273744897): Replace this interface name by the patchpanel Network |
| // id. |
| string outbound_physical_device = 2; |
| |
| // If true, traffic originated from managed OSs (Termina VMs, ARC, Parallels |
| // VM) and from Chrome can be routed to this namespace, and traffic originated |
| // from this namespace can be routed to these other privilege domains. |
| bool allow_user_traffic = 3; |
| |
| // This field specifies the routing behavior to use when (1) |
| // |outbound_physical_device| is empty and (2) the system's highest priority |
| // network interface is a VPN. If true, egress traffic will be routed to the |
| // VPN; if false, it will be left on the underlying physical interface. |
| bool route_on_vpn = 4; |
| |
| // Specifies how the traffic flowing over the new virtual network should be |
| // accounted, if applicable. |
| // This field is required. The default behavior will be to treat unspecified |
| // and UNKNOWN sources as SYSTEM traffic for accounting purposes. |
| TrafficCounter.Source traffic_source = 5; |
| |
| // This field specifies whether IPv6 should be created statically behind NAT66 |
| // or through SLAAC. |
| bool static_ipv6 = 6; |
| } |
| |
| // Response to a ConnectNamespaceRequest. If the operation failed then all |
| // fields are left set to their default value (empty string or 0). |
| message ConnectNamespaceResponse { |
| // The subnet allocated to the client namespace. |
| IPv4Subnet ipv4_subnet = 1; |
| |
| // Name of the veth interface created in the client namespace. |
| string peer_ifname = 2; |
| |
| // The IPv4 address in network order assigned to the interface inside the |
| // client namespace. |
| uint32 peer_ipv4_address = 3; |
| |
| // Name of the veth interface created in the host namespace. |
| string host_ifname = 4; |
| |
| // The IPv4 address in network order assigned to the interface in the host |
| // namespace. |
| uint32 host_ipv4_address = 5; |
| |
| // Name of the netns attached or created. |
| string netns_name = 6; |
| } |
| |
| // Represents the traffic usage ({tx, rx} x {packets, bytes}) between a source |
| // and a shill device (interface), since the system (CrOS) is booted up. A |
| // counter will keep growing until the system (CrOS) shuts down. |
| // Used in TrafficCountersResponse. |
| message TrafficCounter { |
| // Possible traffic sources. The names of these entries are used in shill to |
| // associate storage keys for persisting traffic counter data. Changing the |
| // name of an existing entry or removing an entry should be accompanied with |
| // the appropriate data migration or cleanup code in shill::Service::Save(). |
| enum Source { |
| UNKNOWN = 0; |
| // Traffic associated with user chronos. |
| CHROME = 1; |
| // Traffic associated with user debugd, cups, and tlsdate, i.e., other user |
| // traffic except for that for user chronos. |
| USER = 2; |
| UPDATE_ENGINE = 3; |
| // Other system traffic. |
| SYSTEM = 4; |
| // As a source, VPN means traffic initiated by the VPN app/program and going |
| // to the underlying physical network (or from physical network to the VPN |
| // app/program). |
| VPN = 5; |
| // Traffic from ARC container or ARCVM. |
| ARC = 6; |
| // Traffic from a Borealis VM. |
| BOREALIS_VM = 7; |
| // Traffic from a Bruschetta VM. |
| BRUSCHETTA_VM = 8; |
| // Traffic from a Crostini VM. |
| CROSTINI_VM = 9; |
| // Traffic from a Parallels VM. |
| PARALLELS_VM = 10; |
| // Traffic from a tethered client. |
| TETHERING = 11; |
| // Traffic from a WiFi Direct client. This entry is defined for consistency |
| // with patchpanel's source enum but it is not expected to be used in |
| // traffic counters since WiFi Direct traffic should not be forwarded to any |
| // other Network. |
| WIFI_DIRECT = 12; |
| // Traffic from a WiFi local only hotspot client. This entry is defined for |
| // consistency with patchpanel's source enum but it is not expected to be |
| // used in traffic counters since WiFi local only hotspot traffic should not |
| // be forwarded to any other Network. |
| WIFI_LOHS = 13; |
| } |
| |
| // Possible IP address family numbers. |
| enum IpFamily { |
| NONE = 0; |
| IPV4 = 1; |
| IPV6 = 2; |
| } |
| |
| // Counter values need to be 64bits as 32bits is not enough to account for |
| // more than ~4GB of traffic. |
| uint64 rx_bytes = 1; |
| uint64 tx_bytes = 2; |
| uint64 rx_packets = 3; |
| uint64 tx_packets = 4; |
| |
| // The source that originated the traffic. |
| Source source = 5; |
| |
| // The shill device (interface) name (e.g., eth0) where the traffic leaves |
| // from or comes in. |
| string device = 6; |
| |
| // The IP family of the traffic. |
| IpFamily ip_family = 7; |
| } |
| |
| // Requests the traffic counters kept by patchpanel. |devices| is the set of |
| // interfaces for which counters should be returned, any unknown interfaces will |
| // be ignored. If |devices| is empty, counters for all known interfaces will be |
| // returned. Note that if an interface once appeared but does not exist now, |
| // counters for it will also be returned. |
| message TrafficCountersRequest { |
| repeated string devices = 1; |
| } |
| |
| // Response to a TrafficCountersRequest. |
| message TrafficCountersResponse { |
| repeated TrafficCounter counters = 1; |
| } |
| |
| // Request for opening and closing firewall port. If the request is valid, |
| // PatchPanel will run iptables commands following the request. |
| message ModifyPortRuleRequest { |
| enum Operation { |
| INVALID_OPERATION = 0; |
| CREATE = 1; |
| DELETE = 2; |
| } |
| |
| enum RuleType { |
| INVALID_RULE_TYPE = 0; |
| ACCESS = 1; // Equivalent of iptables 'ACCEPT' |
| LOCKDOWN = 2; // Equivalent of iptables 'DROP' |
| FORWARDING = 3; // Equivalent of iptables 'DNAT' |
| } |
| |
| enum Protocol { |
| INVALID_PROTOCOL = 0; |
| TCP = 1; |
| UDP = 2; |
| } |
| |
| // Arguments specifying the type of operation, rule and protocol. |
| Operation op = 1; |
| RuleType type = 2; |
| Protocol proto = 3; |
| |
| // A network interface name, or empty if unspecified. This is optional for |
| // ACCESS and FORWARDING, and is ignored for other rule types. |
| // b/273741099: Port rule requests are only allowed for WiFi and Ethernet |
| // networks. Multiplexed Cellular interfaces can be ignored. |
| // TODO(b/273744897): Replace this interface name argument by the patchpanel |
| // Network id. |
| string input_ifname = 4; |
| |
| // An IPv4 address, or empty if unspecified. This is optional for FORWARDING, |
| // and is ignored for other rule types. |
| string input_dst_ip = 5; |
| |
| // A port value in-between 1 and 65535. This is required for all rule types. |
| // TODO(b/236092161) Migrate to uint16. |
| uint32 input_dst_port = 6; |
| |
| // An IPv4 address, or empty if unspecified. This is required for FORWARDING, |
| // and is ignored for other rule types. |
| string dst_ip = 7; |
| |
| // A port value between 1 and 65535. This is required for FORWARDING, and is |
| // ignored for other rule types. |
| // TODO(b/236092161) Migrate to uint16. |
| uint32 dst_port = 8; |
| } |
| |
| // Response to a ModifyPortRuleRequest. |
| message ModifyPortRuleResponse { |
| bool success = 1; |
| } |
| |
| // Request to start or stop VPN lockdown. When VPN lockdown is enabled and no |
| // VPN connection exists, any non-ARC traffic that would be routed to a VPN |
| // connection is instead rejected. ARC traffic is ignored because Android |
| // already implements VPN lockdown. |
| message SetVpnLockdownRequest { |
| // true: start VPN lockdown. false: stop VPN lockdown. |
| bool enable_vpn_lockdown = 1; |
| } |
| |
| // Intentionally empty response to a SetVpnLockdownRequest. |
| message SetVpnLockdownResponse {} |
| |
| // Signal that is emitted when a device managed by patchpanel is added or |
| // removed. |
| message NetworkDeviceChangedSignal { |
| enum Event { |
| UNKNOWN_CHANGE = 0; |
| DEVICE_ADDED = 1; |
| DEVICE_REMOVED = 2; |
| }; |
| |
| NetworkDevice device = 1; |
| Event event = 2; |
| } |
| |
| // Signal for notifying an event about the layer 2 reachability of a neighbor |
| // monitored by NeighborLinkMonitor. |
| message NeighborReachabilityEventSignal { |
| // Possible roles of a neighbor in the corresponding ipconfig. |
| enum Role { |
| INVALID_ROLE = 0; |
| GATEWAY = 1; |
| DNS_SERVER = 2; |
| GATEWAY_AND_DNS_SERVER = 3; |
| }; |
| |
| // Possible event types. Two consecutive events for the same neighbor should |
| // have different types. Also see the class comment of NeighborLinkMonitor |
| // for more details about how these events are generated. |
| enum EventType { |
| INVALID_EVENT_TYPE = 0; |
| // Indicates a failure is detected for this neighbor. Note that the neighbor |
| // may still be unreachable even if this signal is not sent out. For |
| // example, sometimes we may lose track of a neighbor from the kernel. We |
| // will not send out a FAILED signal when that happens, since that does not |
| // always mean a link failure. |
| FAILED = 1; |
| // Indicates the bidirectional reachability has just been confirmed. |
| REACHABLE = 2; |
| }; |
| |
| // The interface index of the device that connects to this neighbor. |
| int32 ifindex = 1; |
| |
| // Neighbor properties. |
| string ip_addr = 2; |
| Role role = 3; |
| |
| EventType type = 4; |
| } |
| |
| // Request to start DNS traffic redirection when DNS proxy is running. The rules |
| // created depend on the type requested. The client must append a valid file |
| // descriptor immediately after the serialized SetDnsRedirectionRuleRequest |
| // proto. This file descriptor must remain valid for as long as the DNS traffic |
| // need to be redirected. Invalidating the file descriptor explicitly by closing |
| // it or implicitly when the client exits will trigger the teardown of the |
| // redirection rules. |
| message SetDnsRedirectionRuleRequest { |
| enum RuleType { |
| INVALID_RULE_TYPE = 0; |
| // Rules for traffic from guests that track the default network (e.g. |
| // Crostini, Parallels VMs). |
| DEFAULT = 1; |
| // Rules for traffic from ARC interfaces (e.g. arc_eth0, arc_wlan0). |
| ARC = 2; |
| // Rule for traffic associated with user traffic (e.g. chronos, cups). |
| USER = 3; |
| // Rules to exclude traffic that is not using the underlying network's |
| // name server. This is only used for user traffic. |
| EXCLUDE_DESTINATION = 4; |
| } |
| |
| RuleType type = 1; |
| |
| // Identifies from which network interface the traffic originates. |
| // This field is required for ARC and DEFAULT type. |
| string input_ifname = 2; |
| |
| // The IP address of the proxy. This field is required for ARC and |
| // USER type. |
| string proxy_address = 3; |
| |
| // Nameservers are only necessary for Chrome redirect (USER type). |
| repeated string nameservers = 4; |
| |
| // Name of the "local" veth interface visible in the host namespace. |
| string host_ifname = 5; |
| } |
| |
| // Response to a SetDnsRedirectionRuleRequest. |
| message SetDnsRedirectionRuleResponse { |
| bool success = 1; |
| } |
| |
| // Signal that is emitted when a network configuration change happens. |
| message NetworkConfigurationChangedSignal {} |
| |
| // IPv4 configuration for a L3 network created with CreateLocalOnlyNetwork or |
| // CreateTetheredNetwork. If DHCP is not used, clients must configure their own |
| // IPv4 configuration manually. In the case of tethering where the traffic is |
| // forwarded to an upstream network, SNAT is always implicitly used. |
| message IPv4Configuration { |
| // IPv4 prefix to use for configuring IPv4 connectivity. If empty, a random |
| // prefix will be picked in the Class B (172.16.0.0/12) or Class C |
| // (192.128.0.0/16) private network ranges with a typical /24 prefix length. |
| // This configuration can be static and applied manually by clients, or |
| // managed dynamically and automatically with DHCP in which case the DHCP |
| // address range is the full prefix. |
| optional IPv4Subnet ipv4_subnet = 1; |
| |
| // IPv4 address used by the DUT on the network, represented as 4 bytes in |
| // network order. This address will be used for the DHCP server if DHCP is |
| // used. This address will be used as the next hop and advertised through DHCP |
| // if DHCP is used. If empty, a random address in the chosen IPv4 subnet will |
| // be used. This address is always pingable for clients connected to the |
| // network and can be resolved with ARP. |
| optional bytes gateway_addr = 2; |
| |
| // If true, a DHCP service is started on the network. |
| bool use_dhcp = 3; |
| |
| // A DHCP option to advertise to clients. |
| message DhcpOption { |
| // DHCP option code. |
| uint32 code = 1; |
| |
| // DHCP option content. How to interpret the bytes is option specific. |
| bytes content = 2; |
| } |
| |
| // If DHCP is used, these additional options will be advertised by the DHCP |
| // service. |
| repeated DhcpOption options = 4; |
| |
| // The DHCP range represented as 4 bytes in network order. It should be set |
| // iff |use_dhcp| is true and |ipv4_subnet| is set. |
| optional bytes dhcp_start_addr = 5; |
| optional bytes dhcp_end_addr = 6; |
| |
| // The DNS servers for DHCP option number 6, represented as 4 bytes in network |
| // order. |
| repeated bytes dns_servers = 7; |
| |
| // The list of domain search for DHCP option number 119. |
| repeated string domain_searches = 8; |
| } |
| |
| // b/294287313: IPv6 configuration for a L3 network created with |
| // CreateTetheredNetwork. This message is only needed temporarily until |
| // patchpanel can track all Cellular Networks directly. |
| message UplinkIPv6Configuration { |
| // IPv6 address and prefix length of the Chromebook on the uplink network. |
| // Required. |
| optional IPAddrCIDR uplink_ipv6_cidr = 1; |
| |
| // The IPv6 addresses of the uplink DNS servers represented as 16 bytes in |
| // network order. |
| repeated bytes dns_servers = 2; |
| } |
| |
| // Describes possible errors when creating a downstream network for |
| // CreateTetheredNetwork or CreateLocalOnlyNetwork requests. |
| enum DownstreamNetworkResult { |
| // The request was successful. |
| SUCCESS = 0; |
| // The request was invalid. |
| INVALID_ARGUMENT = 1; |
| // The network interface specified for the downstream network is already in |
| // use. |
| INTERFACE_USED = 2; |
| // The request failed due to an internal error. |
| ERROR = 3; |
| // The DHCP server could not start successfully. |
| DHCP_SERVER_FAILURE = 4; |
| // The network interface specified for the upstream network is unknown |
| // (tethering only). |
| UPSTREAM_UNKNOWN = 5; |
| // The datapath could not be configured. |
| DATAPATH_ERROR = 6; |
| // The request could not be parsed. |
| INVALID_REQUEST = 7; |
| } |
| |
| message DownstreamNetwork { |
| // Name of the network interface on which the downstream L3 network was |
| // created. |
| string downstream_ifname = 1; |
| |
| // IPv4 subnet assigned to the downstream network. Undefined if the upstream |
| // network does not have IPv4 connectivity. |
| IPv4Subnet ipv4_subnet = 2; |
| |
| // IPv4 address represented as 4 bytes in network order that was assigned to |
| // the gateway of the created network. This is the address of the DUT on the |
| // network and the next hop address for remote clients connected to the |
| // network. Empty if the upstream network does not have IPv4 connectivity. |
| bytes ipv4_gateway_addr = 3; |
| } |
| |
| // Request to create a L3 logical network on a network interface and share |
| // Internet access from another upstream network with this network. In this |
| // configuration The DUT acts as a transparent router for remote clients |
| // connected on the downstream network and forward the traffic to the upstream |
| // network. The downstream network itself is not reachable from the DUT |
| // (exception: DHCP service, RA server, ARP, ND proxy). The traffic accounting |
| // source for traffic sent and received on the downstream network is always set |
| // to TETHER. Dynamic IP configuration services for IPv4 and IPv6 are |
| // automatically started depending on the configuration. The IPv4 configuration |
| // is explicitly specified by the caller. The IPv6 configuration is always the |
| // same as the upstream network if available. The client must append a valid |
| // file descriptor immediately after the serialized proto. This file descriptor |
| // must remain valid for as long as routing setup needs to persist. Invalidating |
| // the file descriptor explicitly by closing it or implicitly when the client |
| // process terminates will trigger the teardown of the routing setup and |
| // associated services. |
| message TetheredNetworkRequest { |
| // Required. Name of the network interface on which a L3 network should |
| // be created. It is assumed that no L3 connection is active on that |
| // interface and that shill has brought the interface up and prepared the link |
| // layer for accepting clients. |
| string ifname = 1; |
| |
| // Required. Name of the network interface of the upstream network. The |
| // caller is in charge of the necessary setup for creating an active L3 |
| // connection on this network interface. |
| string upstream_ifname = 2; |
| |
| // Link technology associated with the upstream network. |
| enum UpstreamTechnology { |
| UNKNOWN = 0; |
| CELLULAR = 1; |
| WIFI = 2; |
| ETHERNET = 3; |
| } |
| // Required. Link technology of the upstream network. |
| UpstreamTechnology upstream_technology = 3; |
| |
| // IPv4 configuration for this network. Optional if the upstream is an |
| // IPv6-only network. |
| optional IPv4Configuration ipv4_config = 4; |
| |
| // If true, IPv6 RAs from the upstream networks and IPv6 neighbor discovery |
| // packets are forwarded on the downstream network and IPv6 forwarding is |
| // enabled between the upstream and downstream networks. The implementation |
| // will automatically choose between NDProxy mode and RA server mode. |
| bool enable_ipv6 = 5; |
| |
| // b/294287313: if the tethering request specifies using for the uplink a |
| // Cellular multiplexed PDN, patchpanel has no knowledge of the associated |
| // Network as there are no shill Device associated with the Network that |
| // patchpanel can track. To support IPv6 tethering, shill must pass the IPv6 |
| // configuration of the multiplexed PDN explicitly in the tethering request. |
| // This field is only needed temporarily until patchpanel can track all |
| // Cellular Networks directly. |
| optional UplinkIPv6Configuration uplink_ipv6_config = 7; |
| |
| // The MTU of the upstream. Set the value when it is not the default value |
| // (i.e. 1500). When the value is set, we should: |
| // - configure it on the downstream interface |
| // - advertise through DHCP if DHCP is used |
| // - advertise through the RA server if RA server is used |
| optional int32 mtu = 6; |
| } |
| |
| // Response to a CreateTetheredNetwork call. |
| message TetheredNetworkResponse { |
| // Status of the request. |
| DownstreamNetworkResult response_code = 1; |
| } |
| |
| // Request to create an isolated L3 logical network on a network interface like |
| // a WiFi hotspot or a WiFi Direct connection in Group Owner mode. In this |
| // configuration the network will be reachable from Chrome, ARC, Crostini, etc |
| // for any connection initiated from the DUT. Remote clients connected to the |
| // network will be able to reach application listening on the DUT with the same |
| // semantics as on a physical network, i.e ARC inbound DNAT rules will be |
| // enabled by default, and port access/forwarding rules will apply. Dynamic IP |
| // configuration services for IPv4 is automatically started depending on the |
| // configuration. The IPv4 configuration is explicitly specified by the caller. |
| // IPv6 is currently not supported. The client must append a valid file |
| // descriptor immediately after the serialized proto. This file descriptor must |
| // remain valid for as long as routing setup needs to persist. Invalidating the |
| // file descriptor explicitly by closing it or implicitly when the client |
| // process terminates will trigger the teardown of the routing setup and |
| // associated services. |
| message LocalOnlyNetworkRequest { |
| // Required. Name of the network interface on which a L3 network should |
| // be created. It is assumed that no L3 connection is active on that |
| // interface and that shill is not actively using the network interface. |
| string ifname = 1; |
| |
| // Required. IPv4 configuration for this network. |
| IPv4Configuration ipv4_config = 2; |
| } |
| |
| // Response to a CreateLocalOnlyNetwork call. |
| message LocalOnlyNetworkResponse { |
| // Status of the request. |
| DownstreamNetworkResult response_code = 1; |
| } |
| |
| // GetDownstreamNetworkInfo request object to obtain the IP configuration of a |
| // network created with CreateLocalOnlyNetwork or CreateTetheredNetwork and |
| // to obtain available IP information of all connected clients. |
| message GetDownstreamNetworkInfoRequest { |
| // Required. Interface name on which a network was created with |
| // CreateTetheredNetwork or with CreateLocalOnlyNetwork call. |
| string downstream_ifname = 1; |
| } |
| |
| // Information about a client connected to a network created with the |
| // CreateTetheredNetwork or CreateLocalOnlyNetwork calls. |
| message NetworkClientInfo { |
| // The EUI-64 hardware address of the client represented as 8 bytes network |
| // order. For Ethernet or WiFi networks, the hardware address is always a |
| // EUI-48 identifier with the upper 2 bytes always set to 0. |
| bytes mac_addr = 1; |
| |
| // The IPv4 address assigned to the client in network order represented as 4 |
| // 4 bytes in network order. Empty if IPv4 was disabled on the network. |
| bytes ipv4_addr = 2; |
| |
| // All IPv6 addresses that have been seen used by the client (based on its |
| // hardware address). Addresses are always 16 bytes long and in network order. |
| repeated bytes ipv6_addresses = 3; |
| |
| // The Hostname of the client if it was advertised with the DHCP Client option |
| // 12 during DHCP lease acquisition. |
| string hostname = 4; |
| |
| // The Vendor-Class DHCP client option 60 if it was advertised by the client |
| // during DHCP lease acquisition. |
| string vendor_class = 5; |
| } |
| |
| // Response to a GetDownstreamNetworkInfo call. |
| message GetDownstreamNetworkInfoResponse { |
| // True if the request was valid and completed successfully. |
| bool success = 1; |
| |
| // Describes the downstream network. |
| DownstreamNetwork downstream_network = 2; |
| |
| // Describes clients connected to the network. |
| repeated NetworkClientInfo clients_info = 3; |
| } |
| |
| // Request to configure an IP network or modify the configuration of an existing |
| // IP network on a certain physical or VPN network interface corresponding to a |
| // shill Service. |
| message ConfigureNetworkRequest { |
| // Index of the interface used by the Network. |
| int32 ifindex = 1; |
| |
| // Name of the interface used by this Network. |
| string ifname = 2; |
| |
| // A bit flag indicating the field that should be configured. See detailed |
| // definition in NetworkApplier::Area. |
| uint32 area = 3; |
| |
| // A serialization of the net_base::NetworkConfig object, which contains the |
| // configuration that should be used to configure the Network. |
| NetworkConfig network_config = 4; |
| |
| // Technology of the Network. |
| NetworkTechnology technology = 5; |
| |
| // The priority of the Network, calculated by shill Manager. |
| NetworkPriority priority = 6; |
| } |
| |
| // ConfigureNetwork response object. |
| message ConfigureNetworkResponse { |
| // True if the Network was successfully configured. |
| bool success = 1; |
| } |
| |
| // Possible technologies for a Network created in patchpanel. |
| enum NetworkTechnology { |
| UNKNOWN = 0; |
| CELLULAR = 1; |
| ETHERNET = 2; |
| VPN = 3; |
| WIFI = 4; |
| } |
| |
| // A representation of shill SortServices() result. See |
| // net_base::NetworkPriority. |
| message NetworkPriority { |
| bool is_primary_logical = 1; |
| bool is_primary_physical = 2; |
| bool is_primary_for_dns = 3; |
| uint32 ranking_order = 4; |
| } |
| |
| // Mirroring of net_base::NetworkConfig. IP addresses are represented as bytes |
| // array of length 4 or 16 in network order. |
| message NetworkConfig { |
| optional IPAddrCIDR ipv4_address = 1; |
| optional bytes ipv4_broadcast = 2; |
| optional bytes ipv4_gateway = 3; |
| |
| repeated IPAddrCIDR ipv6_addresses = 4; |
| optional bytes ipv6_gateway = 5; |
| |
| bool ipv4_default_route = 6; |
| bool ipv6_blackhole_route = 7; |
| |
| repeated IPAddrCIDR excluded_route_prefixes = 8; |
| repeated IPAddrCIDR included_route_prefixes = 9; |
| repeated Route rfc3442_routes = 10; |
| |
| repeated bytes dns_servers = 11; |
| repeated string dns_search_domains = 12; |
| optional int32 mtu = 13; |
| |
| optional string captive_portal_uri = 14; |
| } |
| |
| // Representation of custom routes, in the form of destination prefix plus a |
| // gateway address. IP address are represented in network order byte arrays. |
| message Route { |
| IPAddrCIDR prefix = 1; |
| bytes gateway = 2; |
| } |
| |
| // Notification change in power state of ARC. |
| message NotifyAndroidInteractiveStateRequest { |
| bool interactive = 1; |
| } |
| |
| // Response to a NotifyAndroidInteractiveState call. |
| message NotifyAndroidInteractiveStateResponse {} |
| |
| // Notification change in whether Android WiFi multicast lock is held by any |
| // app in ARC. |
| message NotifyAndroidWifiMulticastLockChangeRequest { |
| bool held = 1; |
| } |
| |
| // Response to a NotifyAndroidWifiMulticastLockChange call. |
| message NotifyAndroidWifiMulticastLockChangeResponse {} |
| |
| // A socket connection event that contains socket information and QoS category |
| // of this socket. |
| message SocketConnectionEvent { |
| // IP protocol used in a socket connection. Currently we only care about TCP |
| // and UDP. |
| enum IpProtocol { |
| UNKNOWN_PROTO = 0; |
| TCP = 1; |
| UDP = 2; |
| } |
| |
| // Socket event suggesting whether this socket is opened or closed. |
| enum SocketEvent { |
| UNKNOWN_EVENT = 0; |
| OPEN = 1; |
| CLOSE = 2; |
| } |
| |
| // List of supported QoS categories, details can be found at |
| // go/cros-qos-dscp-classes-1p. |
| enum QosCategory { |
| UNKNOWN_CATEGORY = 0; |
| REALTIME_INTERACTIVE = 1; |
| MULTIMEDIA_CONFERENCING = 2; |
| } |
| |
| // Source address and port on local side, currently only used for local |
| // address in ARC before SNAT. |
| bytes saddr = 1; |
| int32 sport = 2; |
| |
| // Destination address and port on remote side. |
| bytes daddr = 3; |
| int32 dport = 4; |
| |
| // IP Protocol used in this socket connection. |
| IpProtocol proto = 5; |
| |
| // Whether socket is opened or closed. |
| SocketEvent event = 6; |
| |
| // The inferred QoS category of this connection. |
| QosCategory category = 7; |
| } |
| |
| // Notification for a socket connection event, currently only for socket |
| // connections in ARC. Patchpanel will apply proper QoS treatment for this |
| // connection. |
| message NotifySocketConnectionEventRequest { |
| SocketConnectionEvent msg = 1; |
| } |
| |
| // Response to a NotifySocketConnectionEvent call. |
| message NotifySocketConnectionEventResponse {} |
| |
| // Set feature enabled finch feature in patchpanel. |
| message SetFeatureFlagRequest { |
| enum FeatureFlag { |
| WIFI_QOS = 0; |
| CLAT = 1; |
| }; |
| |
| FeatureFlag flag = 1; |
| bool enabled = 2; |
| } |
| |
| // Response to a SetFeatureFlag call. |
| message SetFeatureFlagResponse { |
| // Value of the enabled flag before the call to SetFeatureFlag. |
| bool enabled = 1; |
| } |
| |
| // Notification for a socket connection event of an ARC VPN app. |
| // Currently used for ARC VPN traffic counting. |
| message NotifyARCVPNSocketConnectionEventRequest { |
| SocketConnectionEvent msg = 1; |
| } |
| |
| // Response to a NotifyARCVPNSocketConnectionEvent call. |
| message NotifyARCVPNSocketConnectionEventResponse {} |
| |
| // Request to tag a socket. The socket file descriptor must be immediately |
| // appended to the D-Bus message after the serialized TagSocketRequest message. |
| // The request must be sent before the socket is connected or used with listen() |
| // and only once for each socket. |
| // |
| // The network_id and vpn_policy can be used to change the routing behavior of a |
| // socket. |
| // Example usages: |
| // 1. The user traffic should be routed via a non-default network, but still be |
| // blocked when the device is in VPN lockdown mode and the VPN is not |
| // connected. |
| // - {network_id=non_default_network_id, vpn_policy=DEFAULT_ROUTING}; |
| // 2. The user traffic should be routed via a non-default network, and it still |
| // works when it's in VPN lockdown mode and the VPN is not connected. |
| // - {network_id=non_default_network_id, vpn_policy=BYPASS_VPN}; |
| // 3. There is a VPN connected, and the system traffic should be routed via VPN. |
| // - {network_id=NONE, vpn_policy=ROUTE_ON_VPN}; |
| message TagSocketRequest { |
| // The network which this socket should be bound to. If not set, the network |
| // will be selected automatically (depending on the traffic source and |
| // destination, VPN setup, etc.). Notes: |
| // - This won't bypass VPN lockdown mode -- user traffic will still be blocked |
| // if the lockdown mode is enabled and VPN is not connected. |
| // - The socket behavior will become undefined after the network bound by this |
| // API after the network has disconnected. |
| // |
| // TODO(b/322083502): Add a link/description to explain network_id. |
| optional int32 network_id = 1; |
| |
| // Possible policies for VPN routing. |
| enum VpnRoutingPolicy { |
| // Let the routing layer apply the default policy for the socket owner's |
| // uid. This is the default policy for newly created sockets. |
| DEFAULT_ROUTING = 0; |
| // The socket traffic is always routed through the VPN if there is one. Note |
| // that the traffic will still be routed through the physical network if the |
| // destination is not included in VPN routes. This should not be used |
| // together with network_id, and the API will return failure in this case. |
| ROUTE_ON_VPN = 1; |
| // The socket traffic is always routed through the physical network. |
| // Different from network_id, this will bypass VPN lockdown mode, so this |
| // can be set together with network_id if the caller wants the traffic to go |
| // to a specific non-VPN network no matter if the VPN lockdown is on or not. |
| BYPASS_VPN = 2; |
| } |
| |
| VpnRoutingPolicy vpn_policy = 2; |
| } |
| |
| // Response to a TagSocketRequest. Note that on failure, patchpanel may leave |
| // the socket in a partially setup state (i.e., won't do the cleanup). The |
| // caller should not rely on this socket for any further operation. |
| message TagSocketResponse { |
| bool success = 1; |
| } |