Close open sockets when enabling firewall rules.
When enabling a firewall rule that will deny networking to apps,
first close any sockets opened by those apps. Just dropping an
app's packets without closing its connections has the following
problems:
1. The app has no way to know this has happened until a network
timeout occurs.
2. The app's connections stay open, so the other end of the
connection (e.g., a server) might continue to retransmit
packets. These packets will wake up the kernel and cause
battery drain, but we cannot respond to them because packets
on those connections are dropped by the kernel (since the app
is blackholed). So the other end might keep retransmitting.
3. Even though we think the connections are still open, the
other end of the connection, or any intermediate NATs or
firewalls, might time out and close the connection (e.g., by
sending a RST). Because the app is blackholed, we have no way
of knowing that this has happened, so when the app is granted
network access again, these connections might just get stuck.
Bug: 27824851
Bug: 27867653
Change-Id: Iaaad1b26954fc5f1ba5c9ed8bdee039282f5e249
1 file changed