| author | Luke Huang <huangluke@google.com> | 2018-11-05 11:17:31 +0900 |
|---|---|---|
| committer | Luke Huang <huangluke@google.com> | 2018-11-19 09:28:41 +0000 |
| commit | ae038f8e16090ac2bf5b5d678cd6ccbe7aa9ec8a (patch) | |
| tree | eb3f3c52c6fbf7989a591f1ffc9ecf324a231f28 /server/BandwidthControllerTest.cpp | |
| parent | 19b49c534090e84f018d3be91f83c29594ee8f9b (diff) | |
Nat-related commands refine
We need this to ensure that the tethering IPCs don't need to grab the
lock in two different controllers.
The idea is to always have a global_alert rule in the bw_global_alert
chain.
TetherController will enable/disable the reference to the bw_global_alert
chain.
[childchain order of filter FORWARD chain]
Chain FORWARD
nm_mdmprxy_iface_pkt_fwder
oem_fwd
fw_FORWARD
bw_FORWARD
tetherctrl_FORWARD
--Simple rule comparison--
[Before]
Chain bw_FORWARD
Alert rule
... other rules
Chain tetherctrl_FORWARD
... other rules
[After]
Chain bw_FORWARD
No Alert rule
... other rules
Chain tetherctrl_FORWARD
Jump to bw_global_alert
... other rules
Chain bw_global_alert
Alert rule
The exact rule comparison is shown in the bug.
Bug:119735985
Test: built, flashed, booted
system/netd/tests/runtests.sh passes
Change-Id: Ibf752d0c8de9170689fc74c89c0424d2642853ec
Diffstat (limited to 'server/BandwidthControllerTest.cpp')
| -rw-r--r-- | server/BandwidthControllerTest.cpp | 78 |
1 files changed, 29 insertions, 49 deletions
diff --git a/server/BandwidthControllerTest.cpp b/server/BandwidthControllerTest.cpp index dc67f6cb..febbe62e 100644 --- a/server/BandwidthControllerTest.cpp +++ b/server/BandwidthControllerTest.cpp @@ -53,10 +53,12 @@ using android::netdutils::UniqueFile; const std::string ACCOUNT_RULES_WITHOUT_BPF = "*filter\n" + "-A bw_INPUT -j bw_global_alert\n" "-A bw_INPUT -p esp -j RETURN\n" "-A bw_INPUT -m mark --mark 0x100000/0x100000 -j RETURN\n" "-A bw_INPUT -m owner --socket-exists\n" "-A bw_INPUT -j MARK --or-mark 0x100000\n" + "-A bw_OUTPUT -j bw_global_alert\n" "-A bw_OUTPUT -o ipsec+ -j RETURN\n" "-A bw_OUTPUT -m policy --pol ipsec --dir out -j RETURN\n" "-A bw_OUTPUT -m owner --socket-exists\n" @@ -82,10 +84,12 @@ const std::string ACCOUNT_RULES_WITHOUT_BPF = const std::string ACCOUNT_RULES_WITH_BPF = "*filter\n" + "-A bw_INPUT -j bw_global_alert\n" "-A bw_INPUT -p esp -j RETURN\n" "-A bw_INPUT -m mark --mark 0x100000/0x100000 -j RETURN\n" "\n" "-A bw_INPUT -j MARK --or-mark 0x100000\n" + "-A bw_OUTPUT -j bw_global_alert\n" "-A bw_OUTPUT -o ipsec+ -j RETURN\n" "-A bw_OUTPUT -m policy --pol ipsec --dir out -j RETURN\n" "\n" 
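Review bot: The new `-A bw_INPUT -j bw_global_alert` and `-A bw_OUTPUT -j bw_global_alert` expectations in ACCOUNT_RULES_WITHOUT_BPF sit ahead of the `-p esp -j RETURN` and `--mark 0x100000/0x100000 -j RETURN` rules, and nothing records that this position is deliberate. Presumably the jump must come first so the quota2 alert sees packets before any RETURN, matching the top-of-chain position the old `-I bw_INPUT` alert insert had. If that is the intent, a comment above the string would help, for example `// bw_global_alert jump stays first: the alert must see packets before the esp/mark RETURN rules`, so a later reorder does not silently exempt traffic from the alert. The same applies to the ACCOUNT_RULES_WITH_BPF hunk that follows. Both string definitions continue outside their hunks.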
@@ -128,28 +132,30 @@ protected: mTun.destroy(); } - void expectSetupCommands(const std::string& expectedClean, std::string expectedAccounting) { + void expectSetupCommands(const std::string& expectedClean, + const std::string& expectedAccounting) { std::string expectedList = "*filter\n" "-S\n" "COMMIT\n"; std::string expectedFlush = - "*filter\n" - ":bw_INPUT -\n" - ":bw_OUTPUT -\n" - ":bw_FORWARD -\n" - ":bw_happy_box -\n" - ":bw_penalty_box -\n" - ":bw_data_saver -\n" - ":bw_costly_shared -\n" - "COMMIT\n" - "*raw\n" - ":bw_raw_PREROUTING -\n" - "COMMIT\n" - "*mangle\n" - ":bw_mangle_POSTROUTING -\n" - "COMMIT\n"; + "*filter\n" + ":bw_INPUT -\n" + ":bw_OUTPUT -\n" + ":bw_FORWARD -\n" + ":bw_happy_box -\n" + ":bw_penalty_box -\n" + ":bw_data_saver -\n" + ":bw_costly_shared -\n" + ":bw_global_alert -\n" + "COMMIT\n" + "*raw\n" + ":bw_raw_PREROUTING -\n" + "COMMIT\n" + "*mangle\n" + ":bw_mangle_POSTROUTING -\n" + "COMMIT\n"; ExpectedIptablesCommands expected = {{ V4, expectedList }}; if (expectedClean.size()) { @@ -165,14 +171,10 @@ protected: using IptOp = BandwidthController::IptOp; - int runIptablesAlertCmd(IptOp a, const char *b, int64_t c) { + int runIptablesAlertCmd(IptOp a, const char* b, int64_t c) { return mBw.runIptablesAlertCmd(a, b, c); } - int runIptablesAlertFwdCmd(IptOp a, const char *b, int64_t c) { - return mBw.runIptablesAlertFwdCmd(a, b, c); - } - int setCostlyAlert(const std::string& a, int64_t b, int64_t* c) { return mBw.setCostlyAlert(a, b, c); } 
@@ -467,42 +469,20 @@ TEST_F(BandwidthControllerTest, TestSetInterfaceSharedQuotaTwoInterfaces) { TEST_F(BandwidthControllerTest, IptablesAlertCmd) { std::vector<std::string> expected = { - "*filter\n" - "-I bw_INPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert\n" - "-I bw_OUTPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert\n" - "COMMIT\n" - }; + "*filter\n" + "-I bw_global_alert -m quota2 ! --quota 123456 --name MyWonderfulAlert\n" + "COMMIT\n"}; EXPECT_EQ(0, runIptablesAlertCmd(IptOp::IptOpInsert, "MyWonderfulAlert", 123456)); expectIptablesRestoreCommands(expected); expected = { - "*filter\n" - "-D bw_INPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert\n" - "-D bw_OUTPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert\n" - "COMMIT\n" - }; + "*filter\n" + "-D bw_global_alert -m quota2 ! --quota 123456 --name MyWonderfulAlert\n" + "COMMIT\n"}; EXPECT_EQ(0, runIptablesAlertCmd(IptOp::IptOpDelete, "MyWonderfulAlert", 123456)); expectIptablesRestoreCommands(expected); } -TEST_F(BandwidthControllerTest, IptablesAlertFwdCmd) { - std::vector<std::string> expected = { - "*filter\n" - "-I bw_FORWARD -m quota2 ! --quota 123456 --name MyWonderfulAlert\n" - "COMMIT\n" - }; - EXPECT_EQ(0, runIptablesAlertFwdCmd(IptOp::IptOpInsert, "MyWonderfulAlert", 123456)); - expectIptablesRestoreCommands(expected); - - expected = { - "*filter\n" - "-D bw_FORWARD -m quota2 ! --quota 123456 --name MyWonderfulAlert\n" - "COMMIT\n" - }; - EXPECT_EQ(0, runIptablesAlertFwdCmd(IptOp::IptOpDelete, "MyWonderfulAlert", 123456)); - expectIptablesRestoreCommands(expected); -} - TEST_F(BandwidthControllerTest, CostlyAlert) { const int64_t kQuota = 123456; int64_t alertBytes = 0; |
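Review bot: With the IptablesAlertFwdCmd test removed, nothing in this file checks that forwarded traffic still reaches the alert rule. IptablesAlertCmd now asserts only the single `-I bw_global_alert` / `-D bw_global_alert` rule. The commit message says tetherctrl_FORWARD jumps to bw_global_alert, but this page is limited to BandwidthControllerTest.cpp, so it is worth confirming that the TetherController tests assert that jump for both enable and disable. Without that, a regression in the reference could leave tethered traffic outside the global alert quota while every test here still passes.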
