Commits
Sreeram Ramachandran authored 1384605a897
Update VpnService API documentation. The goal of blocking an address family by default is to prevent unintended security holes. For example, a VPN that only deals with IPv4 doesn't know or care about IPv6 at all, so it doesn't do anything for IPv6. An app shouldn't be able to get around (bypass) the VPN by using IPv6. Therefore, it is not necessary to block an address family in removeAddress(). The VPN was clearly aware of the address family (since it had configured such an address before), so if it wants to block that family, it should add a default route for that family and explicitly drop/block/reject those packets. Bug: 15972465 Bug: 15409819 Change-Id: I845426fa90dc2358d3e11bc601db0b4bd5d3b7ac