tun: add diags mgr for network stall detection

hussainmohd-a · hussainmohd-a · commit 24e467c5fe21 · 2025-08-09T01:54:12.000+05:30
diff --git a/app/src/main/java/com/celzero/bravedns/service/BraveVPNService.kt b/app/src/main/java/com/celzero/bravedns/service/BraveVPNService.kt
@@ -194,7 +194,9 @@ class BraveVPNService : VpnService(), ConnectionMonitor.NetworkListener, Bridge,
     @Volatile
     private var tunUnderlyingNetworks: String? = null
     @Volatile
-    private var prevDns:  MutableSet<InetAddress> = mutableSetOf()
+    private var prevDns: MutableSet<InetAddress> = mutableSetOf()
+    @Volatile
+    private var lastFlowRealtime: Long = elapsedRealtime() // tracks last flow()
     private var testFd: AtomicInteger = AtomicInteger(-1)
 
     companion object {
@@ -240,6 +242,8 @@ class BraveVPNService : VpnService(), ConnectionMonitor.NetworkListener, Bridge,
 
         // win last connected threshold in milliseconds
         private const val WIN_LAST_CONNECTED_THRESHOLD_MS = 60 * 60 * 1000L // 60 minutes
+
+        private const val FLOW_STALL_THRESHOLD_MS = 30 * 1000L // 30 seconds
     }
 
     private var lastSubscriptionCheckTime: Long = 0
@@ -1233,6 +1237,9 @@ class BraveVPNService : VpnService(), ConnectionMonitor.NetworkListener, Bridge,
             // family must be either AF_INET (for IPv4) or AF_INET6 (for IPv6)
         }
 
+        // fixme: remove this when the issue is fixed
+        builder.allowBypass()
+
         val underlyingNws = getUnderlays()
         builder.setUnderlyingNetworks(underlyingNws)
         tunUnderlyingNetworks = underlyingNws?.joinToString()
@@ -1665,7 +1672,7 @@ class BraveVPNService : VpnService(), ConnectionMonitor.NetworkListener, Bridge,
         vpnScope.launch {
             Logger.i(LOG_TAG_VPN, "start restart manager flow with debounce")
             // create a state flow with debounce to avoid multiple calls in quick succession
-            // this should wait for 3 seconds before starting the restart manager flow
+            // this should wait for 1.5 seconds before starting the restart manager flow
             vpnRestartTrigger
                 .debounce(TimeUnit.MILLISECONDS.toMillis(1500))
                 .collect { reason ->
@@ -2690,6 +2697,19 @@ class BraveVPNService : VpnService(), ConnectionMonitor.NetworkListener, Bridge,
         signalStopService("nwRegFail", userInitiated = false)
     }
 
+    override suspend fun maybeNetworkStall() {
+        // these calls are not fool proof, just a mitigation mechanism
+        // see if there is no flow call for 30 seconds and this is called, then restart the vpn
+        val elapsed = elapsedRealtime()
+        if (elapsed >= lastFlowRealtime + FLOW_STALL_THRESHOLD_MS) {
+            Logger.w(LOG_TAG_VPN, "nwStall; no flow call for 30 seconds, restarting vpn")
+            val reason = "nwStall, time: $elapsed"
+            vpnRestartTrigger.value = reason
+        } else {
+            Logger.d(LOG_TAG_VPN, "nwStall; flow call recd, no restart needed")
+        }
+    }
+
     private fun getUnderlays(): Array<Network>? {
         val networks = underlyingNetworks
         val failOpenOnNoNetwork = persistentState.failOpenOnNoNetwork
@@ -3018,15 +3038,6 @@ class BraveVPNService : VpnService(), ConnectionMonitor.NetworkListener, Bridge,
         }
     }
 
-    private fun areDnsEqual(prevDns: Set<InetAddress>?, dnsServers: Set<InetAddress>): Boolean {
-        if (prevDns == null) {
-            return false
-        }
-
-        // ref: kotlinlang.org/docs/equality.html#structural-equality
-        return dnsServers == prevDns
-    }
-
     private fun isDefaultDnsNone(): Boolean {
         // if none is set then the url will either be empty or will not be one of the default dns
         return persistentState.defaultDnsUrl.isEmpty() ||
@@ -3038,7 +3049,7 @@ class BraveVPNService : VpnService(), ConnectionMonitor.NetworkListener, Bridge,
 
         Logger.i(LOG_TAG_VPN, "vpn lockdown mode change, restarting")
         io("lockdownSync") {
-            val reason = "lockdown: ${isLockdownEnabled}"
+            val reason = "lockdown: ${VpnController.isVpnLockdown()}"
             vpnRestartTrigger.value = reason
             vpnAdapter?.notifyLoopback()
         }
@@ -4356,6 +4367,8 @@ class BraveVPNService : VpnService(), ConnectionMonitor.NetworkListener, Bridge,
         logd("flow: $_uid, $src, $dest, $realIps, $d, $blocklists")
         handleVpnLockdownStateAsync()
 
+        lastFlowRealtime = elapsedRealtime()
+
         // in case of double loopback, all traffic will be part of rinr instead of just rethink's
         // own traffic. flip the doubleLoopback flag to true if we need that behavior
         val doubleLoopback = false
diff --git a/app/src/main/java/com/celzero/bravedns/service/ConnectionMonitor.kt b/app/src/main/java/com/celzero/bravedns/service/ConnectionMonitor.kt
@@ -26,11 +26,11 @@ import android.net.NetworkRequest
 import android.os.Handler
 import android.os.Looper
 import android.os.SystemClock
+import androidx.annotation.RequiresApi
 import com.celzero.bravedns.util.ConnectivityCheckHelper
-import com.celzero.bravedns.util.Daemons
-import com.celzero.bravedns.util.Factory
 import com.celzero.bravedns.util.InternetProtocol
 import com.celzero.bravedns.util.Utilities.isAtleastQ
+import com.celzero.bravedns.util.Utilities.isAtleastR
 import com.celzero.bravedns.util.Utilities.isAtleastS
 import com.celzero.bravedns.util.Utilities.isNetworkSame
 import com.google.common.collect.Sets
@@ -41,7 +41,6 @@ import kotlinx.coroutines.async
 import kotlinx.coroutines.channels.Channel
 import kotlinx.coroutines.delay
 import kotlinx.coroutines.launch
-import kotlinx.coroutines.withContext
 import org.koin.core.component.KoinComponent
 import org.koin.core.component.inject
 import java.net.Inet4Address
@@ -54,7 +53,7 @@ import kotlin.math.max
 import kotlin.math.min
 
 class ConnectionMonitor(private val networkListener: NetworkListener, private val serializer: CoroutineDispatcher, private val scope: CoroutineScope) :
-    ConnectivityManager.NetworkCallback(), KoinComponent {
+    ConnectivityManager.NetworkCallback(), KoinComponent, DiagnosticsManager.DiagnosticsListener {
 
     private val networkSet: MutableSet<Network> = ConcurrentHashMap.newKeySet()
 
@@ -64,17 +63,22 @@ class ConnectionMonitor(private val networkListener: NetworkListener, private va
     // add cellular, wifi, bluetooth, ethernet, vpn, wifi aware, low pan
     private val networkRequest: NetworkRequest =
         NetworkRequest.Builder()
+            // ref: github.com/celzero/rethink-app/issues/347
+            .apply { if (isAtleastR()) clearCapabilities() else removeCapability(NetworkCapabilities.NET_CAPABILITY_NOT_VPN) }
             .addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET)
             .apply { if (isAtleastS()) setIncludeOtherUidNetworks(true) }
             // api27: .addTransportType(NetworkCapabilities.TRANSPORT_WIFI_AWARE)
             // api26: .addTransportType(NetworkCapabilities.TRANSPORT_LOWPAN)
             .build()
 
+
     //private var serviceHandler: NetworkRequestHandler? = null
     private val persistentState by inject<PersistentState>()
 
     private lateinit var cm: ConnectivityManager
 
+    private var diagsMgr: DiagnosticsManager? = null
+
     companion object {
         // add active network as underlying vpn network
         const val MSG_ADD_ACTIVE_NETWORK = 1
@@ -145,6 +149,8 @@ class ConnectionMonitor(private val networkListener: NetworkListener, private va
         suspend fun onNetworkConnected(networks: UnderlyingNetworks)
 
         suspend fun onNetworkRegistrationFailed()
+
+        suspend fun maybeNetworkStall()
     }
 
     override fun onAvailable(network: Network) {
@@ -238,8 +244,7 @@ class ConnectionMonitor(private val networkListener: NetworkListener, private va
             }
 
             Logger.i(LOG_TAG_CONNECTION, "new vpn is created force update the network")
-            cm =
-                context.applicationContext.getSystemService(Context.CONNECTIVITY_SERVICE) as ConnectivityManager
+            cm = context.applicationContext.getSystemService(Context.CONNECTIVITY_SERVICE) as ConnectivityManager
 
             try {
                 // TODO: use a custom Looper(HandlerThread) to avoid blocking the main thread
@@ -249,6 +254,12 @@ class ConnectionMonitor(private val networkListener: NetworkListener, private va
                 networkListener.onNetworkRegistrationFailed()
                 return@async isNewVpn
             }
+
+            // register for diagnostics manager if the android version is R or above
+            if (isAtleastR()) {
+                registerDiags(context)
+            }
+
             channel = Channel(Channel.CONFLATED)
 
             scope.launch(CoroutineName("nwHdl") + serializer) {
@@ -282,6 +293,31 @@ class ConnectionMonitor(private val networkListener: NetworkListener, private va
         return deferred.await()
     }
 
+    @RequiresApi(30)
+    fun registerDiags(context: Context) {
+        if (isAtleastR()) {
+            try {
+                val diagnosticMgr = DiagnosticsManager(context, scope, this)
+                diagnosticMgr.register()
+            } catch (e: Exception) {
+                Logger.w(LOG_TAG_CONNECTION, "DiagnosticsManager; err while getting connectivity diagnostics manager")
+            }
+        }
+    }
+
+    @RequiresApi(30)
+    fun unregisterDiags() {
+        if (isAtleastR()) {
+            // unregister the diag network callback
+            try {
+                diagsMgr?.unregister()
+                diagsMgr = null
+            } catch (e: Exception) {
+                Logger.w(LOG_TAG_CONNECTION, "DiagnosticsManager; err while unregistering diag network callback", e)
+            }
+        }
+    }
+
 
     // Always called from the main thread
     suspend fun onVpnStop() {
@@ -292,13 +328,18 @@ class ConnectionMonitor(private val networkListener: NetworkListener, private va
                 if (::cm.isInitialized) {
                     cm.unregisterNetworkCallback(nwCallback)
                 }
+                if (isAtleastR()) {
+                    unregisterDiags()
+                }
                 networkSet.clear()
                 if (::channel.isInitialized) {
                     channel.close()
                 }
+
             } catch (e: Exception) {
                 Logger.w(LOG_TAG_CONNECTION, "err while unregistering", e)
             }
+
         }
     }
 
@@ -335,6 +376,11 @@ class ConnectionMonitor(private val networkListener: NetworkListener, private va
         return OpPrefs(what, networkSet.toSet(), isForceUpdate, testReachability, failOpenOnNoNetwork, useAutoConnectivityChecks)
     }
 
+    override suspend fun maybeNetworkStall() {
+        Logger.i(LOG_TAG_CONNECTION, "onNetworkStallDetected")
+        networkListener.maybeNetworkStall()
+    }
+
     data class NetworkProperties(
         val network: Network,
         val capabilities: NetworkCapabilities,
@@ -448,6 +494,7 @@ class ConnectionMonitor(private val networkListener: NetworkListener, private va
             val isNewNetwork = hasDifference(currentNetworks, newNetworks)
             val vpnRoutes = determineVpnProtos(opPrefs.networkSet)
             val isDnsChanged = hasNwDnsChanged(currentNetworks, newNetworks)
+            val isLinkAddressChanged = hasLinkAddrChanged(currentNetworks, newNetworks)
 
             Logger.i(LOG_TAG_CONNECTION, "process message MESSAGE_AVAILABLE_NETWORK, currNws: $currentNetworks ; new? $isNewNetwork, force? ${opPrefs.isForceUpdate}, test? ${opPrefs.testReachability}, cellular? $isActiveNetworkCellular, metered? $isActiveNetworkMetered")
             Logger.i(
@@ -458,19 +505,26 @@ class ConnectionMonitor(private val networkListener: NetworkListener, private va
                  "cellular? $isActiveNetworkCellular, metered? $isActiveNetworkMetered, dns-changed? $isDnsChanged"
             )
 
-            if (isNewNetwork || opPrefs.isForceUpdate || isDnsChanged) {
+            if (isNewNetwork || opPrefs.isForceUpdate || isDnsChanged || isLinkAddressChanged) {
                 currentNetworks = newNetworks
                 repopulateTrackedNetworks(opPrefs, currentNetworks)
                 informListener(true, isActiveNetworkMetered, isActiveNetworkCellular, vpnRoutes)
             }
         }
 
         private suspend fun hasNwDnsChanged(currNws: Set<NetworkProperties>, newNws: Set<NetworkProperties>): Boolean {
-            val currDnsServers = currNws.map { it.linkProperties }.mapNotNull { it?.dnsServers }.flatMap { it }.map { it.hostAddress }.toSet()
-            val newDnsServers = newNws.map { it.linkProperties }.mapNotNull { it?.dnsServers }.flatMap { it }.map { it.hostAddress }.toSet()
+            // check equality on addr bytes and not on string representation to avoid issues with IPv4-mapped IPv6 addresses
+            val currDnsServers = currNws.map { it.linkProperties }.mapNotNull { it?.dnsServers }.flatMap { it }.map { it.address }.toSet()
+            val newDnsServers = newNws.map { it.linkProperties }.mapNotNull { it?.dnsServers }.flatMap { it }.map { it.address }.toSet()
             return newDnsServers == currDnsServers
         }
 
+        private suspend fun hasLinkAddrChanged(currNws: Set<NetworkProperties>, newNws: Set<NetworkProperties>): Boolean {
+            val currLinkAddresses = currNws.map { it.linkProperties }.mapNotNull { it?.linkAddresses }.flatMap { it }.map { it.address.address }.toSet()
+            val newLinkAddresses = newNws.map { it.linkProperties }.mapNotNull { it?.linkAddresses }.flatMap { it }.map { it.address.address }.toSet()
+            return newLinkAddresses == currLinkAddresses
+        }
+
         /** Adds all the available network to the underlying network. */
         private suspend fun processAllNetworks(opPrefs: OpPrefs) {
             val newActiveNetwork = cm.activeNetwork
@@ -506,12 +560,12 @@ class ConnectionMonitor(private val networkListener: NetworkListener, private va
          *         Returns null if no VPN network is found in the provided set.
          */
         private suspend fun determineVpnProtos(nws: Set<Network?>): Pair<Boolean, Boolean>? {
-            var vpnNw = nws.firstOrNull { isVPN(it) == true }
-            if (vpnNw == null) {
+            val vpnNw = nws.firstOrNull { isVPN(it) == true }
+            /*if (vpnNw == null) {
                 // fallback to the active network if the vpn network is not found
                 val allNws = cm.allNetworks
                 vpnNw = allNws.firstOrNull { isVPN(it) == true }
-            }
+            }*/
             if (vpnNw == null) {
                 // vpn routes is just the suggestion to mitigate the discrepancy between
                 // actual vpn routes and the ones handled by BraveVpnService, in that case
diff --git a/app/src/main/java/com/celzero/bravedns/service/DiagnosticsManager.kt b/app/src/main/java/com/celzero/bravedns/service/DiagnosticsManager.kt
