| author | Luke Huang <huangluke@google.com> | 2018-11-05 11:17:31 +0900 |
|---|---|---|
| committer | Luke Huang <huangluke@google.com> | 2018-11-19 09:28:41 +0000 |
| commit | ae038f8e16090ac2bf5b5d678cd6ccbe7aa9ec8a (patch) | |
| tree | eb3f3c52c6fbf7989a591f1ffc9ecf324a231f28 /server/TetherControllerTest.cpp | |
| parent | 19b49c534090e84f018d3be91f83c29594ee8f9b (diff) | |
Nat-related commands refine
We need this to ensure that the tethering IPCs don't need to grab the
lock in two different controllers
The idea is to always have a global_alert rule in the bw_global_alert
chain.
TetherController will enable/disable the reference of bw_global_alert
chain.
[childchain order of filter FORWARD chain]
Chain FORWARD
nm_mdmprxy_iface_pkt_fwder
oem_fwd
fw_FORWARD
bw_FORWARD
tetherctrl_FORWARD
--Simple rule comparison--
[Before]
Chain bw_FORWARD
Alert rule
... other rules
Chain tetherctrl_FORWARD
... other rules
[After]
Chain bw_FORWARD
No Alert rule
... other rules
Chain tetherctrl_FORWARD
Jump to bw_global_alert
... other rules
Chain bw_global_alert
Alert rule
The exact rule comparison is shown in the bug.
Bug:119735985
Test: built, flashed, booted
system/netd/tests/runtests.sh passes
Change-Id: Ibf752d0c8de9170689fc74c89c0424d2642853ec
Diffstat (limited to 'server/TetherControllerTest.cpp')
| -rw-r--r-- | server/TetherControllerTest.cpp | 109 |
1 files changed, 62 insertions, 47 deletions
diff --git a/server/TetherControllerTest.cpp b/server/TetherControllerTest.cpp
index 7ccdc0c1..969cbcd4 100644
--- a/server/TetherControllerTest.cpp
+++ b/server/TetherControllerTest.cpp
@@ -56,42 +56,55 @@ protected:
 }
 
 const ExpectedIptablesCommands FLUSH_COMMANDS = {
- { V4, "*filter\n"
- ":tetherctrl_FORWARD -\n"
- "-A tetherctrl_FORWARD -j DROP\n"
- "COMMIT\n"
- "*nat\n"
- ":tetherctrl_nat_POSTROUTING -\n"
- "COMMIT\n" },
- { V6, "*filter\n"
- ":tetherctrl_FORWARD -\n"
- "COMMIT\n"
- "*raw\n"
- ":tetherctrl_raw_PREROUTING -\n"
- "COMMIT\n" },
+ {V4,
+ "*filter\n"
+ ":tetherctrl_FORWARD -\n"
+ "-A tetherctrl_FORWARD -j DROP\n"
+ "COMMIT\n"
+ "*nat\n"
+ ":tetherctrl_nat_POSTROUTING -\n"
+ "COMMIT\n"},
+ {V6,
+ "*filter\n"
+ ":tetherctrl_FORWARD -\n"
+ "COMMIT\n"
+ "*raw\n"
+ ":tetherctrl_raw_PREROUTING -\n"
+ "COMMIT\n"},
 };
 
 const ExpectedIptablesCommands SETUP_COMMANDS = {
- { V4, "*filter\n"
- ":tetherctrl_FORWARD -\n"
- "-A tetherctrl_FORWARD -j DROP\n"
- "COMMIT\n"
- "*nat\n"
- ":tetherctrl_nat_POSTROUTING -\n"
- "COMMIT\n" },
- { V6, "*filter\n"
- ":tetherctrl_FORWARD -\n"
- "COMMIT\n"
- "*raw\n"
- ":tetherctrl_raw_PREROUTING -\n"
- "COMMIT\n" },
- { V4, "*mangle\n"
- "-A tetherctrl_mangle_FORWARD -p tcp --tcp-flags SYN SYN "
- "-j TCPMSS --clamp-mss-to-pmtu\n"
- "COMMIT\n" },
- { V4V6, "*filter\n"
- ":tetherctrl_counters -\n"
- "COMMIT\n" },
+ {V4,
+ "*filter\n"
+ ":tetherctrl_FORWARD -\n"
+ "-A tetherctrl_FORWARD -j DROP\n"
+ "COMMIT\n"
+ "*nat\n"
+ ":tetherctrl_nat_POSTROUTING -\n"
+ "COMMIT\n"},
+ {V6,
+ "*filter\n"
+ ":tetherctrl_FORWARD -\n"
+ "COMMIT\n"
+ "*raw\n"
+ ":tetherctrl_raw_PREROUTING -\n"
+ "COMMIT\n"},
+ {V4,
+ "*mangle\n"
+ "-A tetherctrl_mangle_FORWARD -p tcp --tcp-flags SYN SYN "
+ "-j TCPMSS --clamp-mss-to-pmtu\n"
+ "COMMIT\n"},
+ {V4V6,
+ "*filter\n"
+ ":tetherctrl_counters -\n"
+ "COMMIT\n"},
+ };
+
+ const ExpectedIptablesCommands ALERT_ADD_COMMAND = {
+ {V4V6,
+ "*filter\n"
+ "-I tetherctrl_FORWARD -j bw_global_alert\n"
+ "COMMIT\n"},
 };
 
 ExpectedIptablesCommands firstIPv4UpstreamCommands(const char *extIf) {
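Review bot: ALERT_ADD_COMMAND pins only the `-I tetherctrl_FORWARD -j bw_global_alert` insertion; nothing in this hunk expects a matching deletion when the last NAT is torn down, so a controller that left the jump in place after disableNat would still pass this fixture. The commit message says TetherController enables and disables the reference to bw_global_alert, and the re-add test further down passes `true` again, which implies the jump is removed on the last disable — that removal should be asserted as well, e.g. `const ExpectedIptablesCommands ALERT_DEL_COMMAND = {{V4V6, "*filter\n-D tetherctrl_FORWARD -j bw_global_alert\nCOMMIT\n"}};` appended to the stop-last-NAT expectations, which lie outside this hunk. A one-line comment on the new constant would also help readers: `// Jump to the global bandwidth-alert chain; expected only when the first NAT is enabled.` The enclosing fixture class continues outside the hunk.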
@@ -106,9 +119,9 @@ protected:
 ExpectedIptablesCommands firstIPv6UpstreamCommands() {
 std::string v6Cmd =
- "*filter\n"
- "-A tetherctrl_FORWARD -g tetherctrl_counters\n"
- "COMMIT\n";
+ "*filter\n"
+ "-A tetherctrl_FORWARD -g tetherctrl_counters\n"
+ "COMMIT\n";
 return {
 { V6, v6Cmd },
 };
@@ -178,10 +191,9 @@ protected:
 constexpr static const bool NO_COUNTERS = false;
 constexpr static const bool WITH_IPV6 = true;
 constexpr static const bool NO_IPV6 = false;
- ExpectedIptablesCommands allNewNatCommands(
- const char *intIf, const char *extIf, bool withCounterChainRules,
- bool withIPv6Upstream) {
-
+ ExpectedIptablesCommands allNewNatCommands(const char* intIf, const char* extIf,
+ bool withCounterChainRules, bool withIPv6Upstream,
+ bool firstEnableNat) {
 ExpectedIptablesCommands commands;
 ExpectedIptablesCommands setupFirstIPv4Commands = firstIPv4UpstreamCommands(extIf);
 ExpectedIptablesCommands startFirstNatCommands = startNatCommands(intIf, extIf,
@@ -192,6 +204,9 @@ protected:
 ExpectedIptablesCommands setupFirstIPv6Commands = firstIPv6UpstreamCommands();
 appendAll(commands, setupFirstIPv6Commands);
 }
+ if (firstEnableNat) {
+ appendAll(commands, ALERT_ADD_COMMAND);
+ }
 appendAll(commands, startFirstNatCommands);
 return commands;
@@ -243,8 +258,8 @@ TEST_F(TetherControllerTest, TestSetDefaults) {
 TEST_F(TetherControllerTest, TestAddAndRemoveNat) {
 // Start first NAT on first upstream interface. Expect the upstream and NAT rules to be created.
- ExpectedIptablesCommands firstNat = allNewNatCommands(
- "wlan0", "rmnet0", WITH_COUNTERS, WITH_IPV6);
+ ExpectedIptablesCommands firstNat =
+ allNewNatCommands("wlan0", "rmnet0", WITH_COUNTERS, WITH_IPV6, true);
 mTetherCtrl.enableNat("wlan0", "rmnet0");
 expectIptablesRestoreCommands(firstNat);
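Review bot: The new `bool firstEnableNat` parameter on allNewNatCommands is passed as bare `true`/`false` literals at the call sites in the -243 hunk here and in both hunks on the next line, while the neighbouring flags use the named constants WITH_COUNTERS/NO_COUNTERS and WITH_IPV6/NO_IPV6 declared just above the signature in the -178 hunk. Adding `constexpr static const bool FIRST_NAT = true;` and `constexpr static const bool NOT_FIRST_NAT = false;` beside NO_IPV6 and using them at the call sites keeps the expectations self-describing. The parameter also deserves a short comment on the signature, e.g. `// firstEnableNat: expect the jump to bw_global_alert, which the controller inserts only for the first NAT`. allNewNatCommands starts in the -178 hunk and its body continues outside the hunks.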
@@ -267,7 +282,7 @@ TEST_F(TetherControllerTest, TestAddAndRemoveNat) {
 expectIptablesRestoreCommands(stopLastNat);
 // Re-add a NAT removed previously: tetherctrl_counters chain rules are not re-added
- firstNat = allNewNatCommands("wlan0", "rmnet0", NO_COUNTERS, WITH_IPV6);
+ firstNat = allNewNatCommands("wlan0", "rmnet0", NO_COUNTERS, WITH_IPV6, true);
 mTetherCtrl.enableNat("wlan0", "rmnet0");
 expectIptablesRestoreCommands(firstNat);
@@ -280,15 +295,15 @@ TEST_F(TetherControllerTest, TestAddAndRemoveNat) {
 TEST_F(TetherControllerTest, TestMultipleUpstreams) {
 // Start first NAT on first upstream interface. Expect the upstream and NAT rules to be created.
- ExpectedIptablesCommands firstNat = allNewNatCommands(
- "wlan0", "rmnet0", WITH_COUNTERS, WITH_IPV6);
+ ExpectedIptablesCommands firstNat =
+ allNewNatCommands("wlan0", "rmnet0", WITH_COUNTERS, WITH_IPV6, true);
 mTetherCtrl.enableNat("wlan0", "rmnet0");
 expectIptablesRestoreCommands(firstNat);
 // Start second NAT, on new upstream. Expect the upstream and NAT rules to be created for IPv4,
 // but no counter rules for IPv6.
- ExpectedIptablesCommands secondNat = allNewNatCommands(
- "wlan0", "v4-rmnet0", WITH_COUNTERS, NO_IPV6);
+ ExpectedIptablesCommands secondNat =
+ allNewNatCommands("wlan0", "v4-rmnet0", WITH_COUNTERS, NO_IPV6, false);
 mTetherCtrl.enableNat("wlan0", "v4-rmnet0");
 expectIptablesRestoreCommands(secondNat);
