Network stack configuration tools
The Android operating system contains standard Linux networking utilities such as `ifconfig`, `ip`, and `ip6tables`. These utilities reside on the system image and enable configuration of the entire Linux networking stack. On devices running Android 7.x and lower, vendor code is allowed to call these binaries directly, which presents the following problems:
- Because the network utilities are updated in the system image, they don't provide a stable implementation.
- The scope of the networking utilities is so broad that it is difficult to evolve the system image while guaranteeing predictable behavior.
On devices running Android 8.0 and higher, the vendor partition remains unchanged while the system partition receives an update. To achieve this, Android 8.0 provides the ability to define a stable, versioned interface while also using SELinux restrictions to keep the interdependency between the vendor and system images to a known good set.
Vendors can use the platform-provided network configuration utilities to configure the Linux networking stack, but these utilities don't yet include a HIDL interface wrapper. To define such an interface, Android 8.0 includes the `netutils-wrapper-1.0` tool.
Netutils wrapper
The `netutils` wrapper utility provides a subset of the Linux network stack configuration that isn't affected by system partition updates. Android 8.0 contains version 1.0 of the wrappers, which lets you pass the same arguments as the wrapped utilities (installed in the system partition under `/system/bin`), as follows:
```
u:object_r:system_file:s0 /system/bin/ip-wrapper-1.0 -> netutils-wrapper-1.0
u:object_r:system_file:s0 /system/bin/ip6tables-wrapper-1.0 -> netutils-wrapper-1.0
u:object_r:system_file:s0 /system/bin/iptables-wrapper-1.0 -> netutils-wrapper-1.0
u:object_r:system_file:s0 /system/bin/ndc-wrapper-1.0 -> netutils-wrapper-1.0
u:object_r:netutils_wrapper_exec:s0 /system/bin/netutils-wrapper-1.0
u:object_r:system_file:s0 /system/bin/tc-wrapper-1.0 -> netutils-wrapper-1.0
```
These symlinks show the networking utilities wrapped by the `netutils` wrapper, which include:
- `ip`
- `iptables`
- `ip6tables`
- `ndc`
- `tc`
To use these utilities in Android 8.0 and higher, vendor implementations must adhere to the following rules:
- Vendor processes must not execute `/system/bin/netutils-wrapper-1.0` directly; attempts to do so result in an error.
- All utilities wrapped by `netutils-wrapper-1.0` must be launched through their symlinks. For example, change vendor code that previously ran `/system/bin/ip <FOO> <BAR>` so that it runs `/system/bin/ip-wrapper-1.0 <FOO> <BAR>`.
- Platform SELinux policy prohibits executing the wrappers without a domain transition. This rule must not be changed and is tested in the Android Compatibility Test Suite (CTS).
- Platform SELinux policy also prohibits executing the utilities directly from vendor processes (for example, `/system/bin/ip <FOO> <BAR>`). This rule must not be changed and is tested in CTS.
- Any vendor domain (process) that needs to launch a wrapper must add the following domain transition rule to the SELinux policy: `domain_auto_trans(VENDOR-DOMAIN-NAME, netutils_wrapper_exec, netutils_wrapper)`.
Netutils wrapper filters
Wrapped utilities can be used to configure almost any aspect of the Linux networking stack. However, to ensure that a stable interface can be maintained and that the system partition can still be updated, only certain combinations of command-line arguments are allowed; all other commands are rejected.
Vendor interfaces and chains
The wrapper has a concept of "vendor interfaces". These are interfaces typically managed by vendor code, such as cellular data interfaces. Other types of interfaces (such as Wi-Fi) are typically managed by the HALs and the framework. The wrapper recognizes vendor interfaces by name (using a regular expression) and allows vendor code to perform many operations on them. Currently, vendor interfaces are:
- Interfaces whose names end in "oem" followed by a number, such as `oem0` or `r_oem1234`.
- Interfaces used by current SOC and OEM implementations, such as `rmnet_data[0-9]`.
Names of interfaces that are typically managed by the framework (such as `wlan0`) are never vendor interfaces.
The wrapper has a similar concept of "vendor chains". These are used in `iptables` commands and are also recognized by name. Currently, vendor chains are:
- Chains whose names start with `oem_`.
- Chains used by current SOC and OEM implementations, for example chains whose names start with `nm_` or `qcom_`.
Allowed commands
The currently allowed commands are listed below. The restrictions are implemented as a set of regular expressions applied to the executed command lines. For details, see `system/netd/netutils_wrappers/NetUtilsWrapper-1.0.cpp`.
ip
The `ip` command is used to configure IP addresses, routing, IPsec encryption, and a number of other network parameters. The wrapper allows the following commands:
- Add and remove IP addresses on vendor-managed interfaces.
- Configure IPsec encryption.
iptables and ip6tables
The `iptables` and `ip6tables` commands are used to configure firewalling, packet mangling, NAT, and other per-packet processing. The wrapper allows the following commands:
- Add and delete vendor chains.
- Add and delete rules in any chain that refer to packets entering (`-i`) or leaving (`-o`) a vendor interface.
- Jump to a vendor chain from any point in any other chain.
ndc
`ndc` is used to communicate with the `netd` daemon, which performs most network configuration on Android devices. The wrapper allows the following commands:
- Create and destroy OEM networks (`oemXX`).
- Add vendor-managed interfaces to OEM networks.
- Add routes to OEM networks.
- Enable or disable IP forwarding globally and on vendor interfaces.
tc
The `tc` command is used to configure traffic queueing and shaping on vendor interfaces.
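The following is an added example, not code from this page or from AOSP's `NetUtilsWrapper-1.0.cpp`. It models the two checks described in the rules above and in the allowed-commands list: first, which tool the vendor process asked for is taken from the symlink name in `argv[0]` (so a direct invocation of `netutils-wrapper-1.0` is refused), and second, the reconstructed command line is accepted only if it matches one of an allow-list of anchored regular expressions that embed the vendor-interface and vendor-chain name patterns. The function names (`wrappedTool`, `commandAllowed`, `isVendorInterface`, `isVendorChain`) and every regular expression are constructed approximations of the rules the page describes, not the wrapper's real patterns.

```cpp
// Added example, not code from the AOSP page or from NetUtilsWrapper-1.0.cpp.
// It models a netutils-style wrapper: resolve which tool was requested from the
// symlink name in argv[0], then accept the command line only if it matches one
// of an allow-list of anchored regular expressions. Every pattern here is a
// constructed approximation of the rules the page describes; the real patterns
// live in system/netd/netutils_wrappers/NetUtilsWrapper-1.0.cpp.
#include <initializer_list>
#include <regex>
#include <string>
#include <vector>

// Constructed sub-patterns (assumption): vendor interfaces are names ending in
// "oem" plus a number, or rmnet_data0..9; vendor chains start with oem_, nm_ or qcom_.
static const std::string kIface = "([A-Za-z0-9_]*oem[0-9]+|rmnet_data[0-9])";
static const std::string kChain = "((oem_|nm_|qcom_)[A-Za-z0-9_]*)";

bool isVendorInterface(const std::string& name) {
    static const std::regex re("^" + kIface + "$");
    return std::regex_match(name, re);
}

bool isVendorChain(const std::string& name) {
    static const std::regex re("^" + kChain + "$");
    return std::regex_match(name, re);
}

// Map the symlink the vendor process executed (argv[0]) to the wrapped tool.
// Returns "" for direct execution of netutils-wrapper-1.0 or any unknown name,
// which the wrapper must refuse.
std::string wrappedTool(const std::string& argv0) {
    const std::string base = argv0.substr(argv0.find_last_of('/') + 1);
    const std::string suffix = "-wrapper-1.0";
    if (base.size() <= suffix.size() ||
        base.compare(base.size() - suffix.size(), suffix.size(), suffix) != 0) {
        return "";
    }
    const std::string tool = base.substr(0, base.size() - suffix.size());
    for (const char* known : {"ip", "iptables", "ip6tables", "ndc", "tc"}) {
        if (tool == known) return tool;
    }
    return "";
}

// Constructed allow-list. Each pattern is anchored to the whole command line, so a
// command passes only by matching one accepted shape end to end; anything else,
// including an otherwise valid command aimed at a non-vendor interface, is rejected.
static const std::vector<std::regex>& allowList() {
    static const std::vector<std::regex> kRules = {
        // ip: addresses on vendor interfaces; IPsec (xfrm) configuration
        std::regex("^ip( -[46])? addr (add|del) [^ ]+ dev " + kIface + "$"),
        std::regex("^ip( -[46])? xfrm .*$"),
        // iptables/ip6tables: create or delete vendor chains
        std::regex("^ip6?tables( -w)? -[NX] " + kChain + "$"),
        // rules matching packets entering (-i) or leaving (-o) a vendor interface
        std::regex("^ip6?tables( -w)? -[ADI] [^ ]+ .*-[io] " + kIface + "( .*)?$"),
        // a jump to a vendor chain from any point in any chain
        std::regex("^ip6?tables( -w)? -[ADI] [^ ]+ .*-j " + kChain + "$"),
        // ndc: OEM networks, their vendor interfaces and routes, IP forwarding
        std::regex("^ndc network (create|destroy) oem[0-9]+$"),
        std::regex("^ndc network interface add oem[0-9]+ " + kIface + "$"),
        std::regex("^ndc network route add oem[0-9]+ " + kIface + " [^ ]+$"),
        std::regex("^ndc ipfwd (enable|disable) [A-Za-z0-9_]+$"),
        // tc: queueing and shaping on vendor interfaces only
        std::regex("^tc (qdisc|class|filter) (add|del|change|replace) dev " + kIface + "( .*)?$"),
    };
    return kRules;
}

// argv[0] is the symlink path, argv[1..] are the arguments the vendor process passed.
bool commandAllowed(const std::vector<std::string>& argv) {
    if (argv.empty()) return false;
    const std::string tool = wrappedTool(argv[0]);
    if (tool.empty()) return false;  // direct or unknown invocation: refused
    std::string line = tool;
    for (size_t i = 1; i < argv.size(); ++i) line += " " + argv[i];
    for (const std::regex& re : allowList()) {
        if (std::regex_match(line, re)) return true;
    }
    return false;
}

int main() {
    // Constructed sample invocations: one allowed (vendor interface) and one
    // rejected (framework-managed wlan0), both through the ip symlink.
    const bool ok = commandAllowed({"/system/bin/ip-wrapper-1.0", "addr", "add",
                                    "10.0.0.2/24", "dev", "rmnet_data0"});
    const bool rejected = commandAllowed({"/system/bin/ip-wrapper-1.0", "addr", "add",
                                          "10.0.0.2/24", "dev", "wlan0"});
    return (ok && !rejected) ? 0 : 1;
}
```

The point of anchoring every pattern with `^` and `$` is that the filter is an allow-list over complete command lines, not a deny-list of dangerous flags: a rule such as `iptables -A INPUT -i wlan0 -j DROP` is rejected because neither its interface nor its target is vendor-owned, while the same rule with `-j oem_in` passes under the "jump to a vendor chain from anywhere" shape.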
Content and code samples on this page are subject to the licenses described in the Content License section. Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.
Last updated (UTC): 2025-07-29.