Skip adding ingress discard rule to legacy VPN

Cherry-pick of aosp/3201971 to backport VPN security fix to non-mainline
U devices.

Some legacy VPNs need to receive packets to VPN address via
non-VPN interface.

Bug: 193031925
Test: TH
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5441470a6a04f36369ec79c3eff3a72fc47ca9e3)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:717bb36e5963c2dc4c315b7d58f0c7b3d85fcf31)
Merged-In: If4f6b095a719a0abcb6254c522beac5d45110d4d
Change-Id: If4f6b095a719a0abcb6254c522beac5d45110d4d

Author: Motomu Utsumi

service/src/com/android/server/ConnectivityService.java

@@ -8349,8 +8349,10 @@ private void updateVpnFiltering(@NonNull LinkProperties newLp, @Nullable LinkPro
      * interfaces.
      * Ingress discard rule is added to the address iff
      *   1. The address is not a link local address
-     *   2. The address is used by a single VPN interface and not used by any other
+     *   2. The address is used by a single non-Legacy VPN interface and not used by any other
      *      interfaces even non-VPN ones
+     * Ingress discard rule is not be added to Legacy VPN since some Legacy VPNs need to receive
+     * packet to VPN address via non-VPN interface.
      * This method can be called during network disconnects, when nai has already been removed from
      * mNetworkAgentInfos.
      *
@@ -8385,7 +8387,8 @@ private Set<Pair<InetAddress, String>> generateIngressDiscardRules(
         // for different network.
         final Set<Pair<InetAddress, String>> ingressDiscardRules = new ArraySet<>();
         for (final NetworkAgentInfo agent : nais) {
-            if (!agent.isVPN() || agent.isDestroyed()) {
+            if (!agent.isVPN() || agent.isDestroyed()
+                    || getVpnType(agent) == VpnManager.TYPE_VPN_LEGACY) {
                 continue;
             }
             final LinkProperties agentLp = (nai == agent) ? lp : agent.linkProperties;