When setting shared or interface quota, BandwidthController will
delete rules in bw_{FORWARD,INPUT,OUTPUT} before re-adding them.
These deletes are guaranteed to fail because the rules being
deleted only exist when bandwidth control is enabled and the
applicable interface is in mQuotaIfaces. Specifically, as long
as no intermediate iptables commands fail:
1. When bandwidth control is enabled or disabled, all the
bw_{FORWARD,INPUT,OUTPUT} chains are cleared by
flushCleanTables.
2. The rules that were being deleted are only added when
bandwidth control is enabled and an interface is added to
mQuotaIfaces.
3. Adding a quota is a no-op if the interface is already in
mQuotaIfaces (or mSharedQuotaIfaces for shared quotas).
4. When an interface is removed from mQuotaIfaces (or
mSharedQuotaIfaces), the rules are always deleted.
In the presence of intermediate iptables command failures this
change could make things worse, but an upcoming change will move
the quota commands to iptables-restore, which will ensure that
iptables commands in a quota operation either all succeed or all
fail.
In addition to removing the superfluous deletes, also change the
order of the commands that create a chain from "-F then -N" to
"-N then -F". This simplifies the code and the tests a bit.
Bug: 28362720
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Test: quota rules are added and removed when quotas are enabled/disabled
Change-Id: I64a0a2aa16066163c71f6d3ead36839b51c34620
Continued incremental cleanup to simplify change to iptables restore.
Rename some data members and switch to better data structures.
Test: as follows
- built
- flashed
- booted
- "runtest -x .../netd_unit_test.cpp" passes
- "runtest -x .../netd_integration_test.cpp" passes
Bug: 28362720
Bug: 38143143
Change-Id: Iff231bf180f9195b01e09c5cb8c883c5d3f2852a
Test: as follows
- built
- flashed
- booted
- "runtest -x .../netd_unit_test.cpp" passes
Bug: 28362720
Bug: 38143143
Change-Id: I0b962898f9e3d7e86d5c0d0d01b79b3e3543b5ee
This change is preparation for removal of xt_quota2 in favor of NFLOG.
Note that the scope of changes is mostly limited to mechanical single
line changes from "const char*" to "const std::string&".
Test: as follows
- built
- flashed
- booted
- "runtest -x .../netd_unit_test.cpp" passes
- "runtest -x .../netd_integration_test.cpp" passes
Bug: 38143143
Bug: 28362720
Change-Id: I56ba810ff6fa2f409e32d86508cfdb1a81a50a4e
Bug: 32073253
Test: bullhead builds and boots
Test: netd_{unit,integration}_test pass
Test: Turning datasaver on/off changes rules as expected
Test: Modifying datasaver whitelist changes rules as expected when datasaver is on
Test: Adding and removing cell data limits changes rules as expected
Test: No IptablesRestoreController methods in normal usage
Change-Id: I83723db6a539b641308ef0f74ac30b4db304295c
1. Ensure that the code always uses all enum values. This
provides a clear compile-time error if a passed-in enum value
is not handled, and allows us to remove several default
case labels and unreachable error logging code.
2. Factor out to common functions the code that converts enum
values to parts of iptables command lines.
Bug: 32073253
Test: netd_{unit,integration}_test pass
Change-Id: I7136055100dc312fa7cb8bba5506fe86412b1f4d
(cherry picked from commit 7647305c6b13d0e448b055c8af9c09b34af79f5c)
Bug: 37641280
Test: netd_{unit,integration}_test pass
Change-Id: Ic2b692efae14c4c9ca19972bdd812edce1c39bb3
Merged-In: I36ef121ae0cfaa16032289fa6f8b0341e1a9ca20
This saves about 100ms on boot.
(cherry picked from commit 546fe48d36859e1ef2a0df2ffc1067dc2916ba44)
Bug: 37641280
Test: marlin builds and boots
Test: netd_{unit,integration}_test pass
Test: iptables rules look identical to other marlin running oc-release
Test: Enabling/disabling tethering adds/removes the forward rule
Change-Id: I8e15940565894d44a819b9cef25790d443b25df5
Merged-In: I56ce20a0efef8b1aba5f55bc823926447b21a614
Additionally, remove some unused code.
(cherry picked from commit 615df791ab6081921114369052ffcdba7b67eebe)
Bug: 37641280
Test: marlin builds and boots
Test: new unit test passes
Test: netd_{unit,integration}_test pass
Change-Id: I8224b4cc0382f5efe57723baa1513c693d42535b
Merged-In: I32072a2701fe1f52d5b3cfb0d57b3f296d7c37df
Tested using:
adb shell ndc bandwidth gettetherstats
adb shell iptables -nvx -L natctrl_tether_counters
adb shell ip6tables -nvx -L natctrl_tether_counters
Results:
114 0 wlan0 rmnet_data0 272883 2976 8624804 6032
200 0 Tethering stats list completed
Chain natctrl_tether_counters (2 references)
pkts bytes target prot opt in out source destination
2688 179096 RETURN all -- wlan0 rmnet_data0 0.0.0.0/0 0.0.0.0/0
5713 8351999 RETURN all -- rmnet_data0 wlan0 0.0.0.0/0 0.0.0.0/0
Chain natctrl_tether_counters (1 references)
pkts bytes target prot opt in out source destination
288 93787 RETURN all wlan0 rmnet_data0 ::/0 ::/0
319 272805 RETURN all rmnet_data0 wlan0 ::/0 ::/0
Test: manual test described above
Test: data usage increases by 10MB when downloading 10MB file
Test: netd_unit_test passes
Bug: 34873832
Change-Id: I32c4e750a4d3c379074cc13ab1302d51421860d2
Most of BandwidthController startup is already using
iptables-restore, but some commands (notably listing the costly
chains so they can be flushed by flushCleanTables) still
use iptables. Move these to use execIptablesRestoreWithOutput.
Test: netd_unit_test passes
Bug: 34873832
Change-Id: Ib0741a99a2605cd6934186fd4e5364331a4eab5a
Bug: 9580643
Change-Id: Icbfd8c6480a4e14433004e90b71a104ae4da9c5d
Bug: 9580643
Change-Id: I11565cafbefbc06a7992d1ff18c707165d5b31ed
This saves approximately 800ms on boot.
From the perspective of the rules, this change is a no-op. As the
unit test shows, the commands are the same, though some are in a
slightly different order because iptables-restore requires that
COMMIT be called between different tables (e.g., filter and
mangle).
For simplicity, enableBandwidthControl runs two iptables-restore
commands instead of one. This is not semantically different from
the previous code because the previous code just ran iptables
commands one by one, which provides no atomicity. Running two
commands is a bit slower than running one, but it's still much
faster than using iptables.
Using iptables-restore allows us to do things like ":<chain> -",
which both creates the chain (if it does not already exist) and
flushes it. This allows us to remove IPT_CLEANUP_COMMANDS and
IPT_SETUP_COMMANDS. Those two sets of commands, which basically
just did "-X bw_<foo>" and "-N bw_<foo>" were only necessary
because the preceding "-F bw_<foo>" command would not create
bw_<foo> if it did not already exist (e.g. in setupIptablesHooks,
which runs on netd startup).
Bug: 21725996
Change-Id: I6656aed4287dfcb2311c94800f430c143fb0b1a5
The data saver refactoring change was incorrect in >= two ways:
1. It relied on the bw_costly_shared chain, which is currently
unused. NetworkManagementService just has a "TODO: support
quota shared across interfaces" comment about it. What
actually happens when setting quota is that each costly
interface chain (e.g., bw_costly_rmnet_data0) directly hooks
in the bw_penalty_box chain.
2. Implementing app whitelisting using "RETURN" inside
bw_happy_box was pointless because if data saver was enabled,
there was a REJECT at the end of the bw_costly_shared chain
that it was returning to.
Instead, go back to the previous approach which hooked
bw_happy_box at the end of bw_penalty_box. Also, add an
additional bw_data_saver rule at the end of bw_happy_box.
bw_data_saver only contains one rule: RETURN if data saver is
enabled or REJECT if data saver is disabled.
That way:
1. If the app is blacklisted, bw_penalty_box REJECTs. If not:
2. If the app is whitelisted (system apps are always whitelisted)
bw_happy_box RETURNs to bw_costly_rmnet_data0, skipping
bw_data_saver.
3. If an app is neither blacklisted nor whitelisted, bw_happy_box
jumps to bw_data_saver. If data saver is enabled, it REJECTs
the packet, and if not, it RETURNs to bw_costly_rmnet_data0.
4. When we RETURN to bw_costly_rmnet_data0, either because the
app is whitelisted, or because data saver is off,
bw_costly_rmnet_data0 applies mobile data usage limits,
and then RETURNs to bw_OUTPUT, which calls xt_qtaguid, etc.
Bug: 26685616
Bug: 27506285
Change-Id: If15397afde6862d95827a1fdd30f60efd7fab66a
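To make the traversal in steps 1-4 above concrete, here is an added Python model of the chain layout this commit describes (an illustration written for this page, not netd code). SYSTEM_UID_MAX, the over-quota flag and the sample UIDs in the comments are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable

SYSTEM_UID_MAX = 9999  # assumption: UIDs below 10000 are "system apps"

@dataclass
class Rule:
    match: Callable[[int], bool]  # predicate on the packet's owner UID
    target: str                   # "REJECT", "RETURN", or a user chain to jump to

@dataclass
class Ruleset:
    chains: dict = field(default_factory=dict)

    def traverse(self, chain: str, uid: int) -> str:
        """Walk one chain: REJECT anywhere is final; RETURN hands control back to the caller."""
        for rule in self.chains[chain]:
            if not rule.match(uid):
                continue
            if rule.target in ("REJECT", "RETURN"):
                return rule.target
            if self.traverse(rule.target, uid) == "REJECT":  # jump; a REJECT inside is final
                return "REJECT"
        return "RETURN"  # fell off the end of the chain

def build_ruleset(blacklist, whitelist, data_saver_on, over_quota) -> Ruleset:
    """Chains as the commit describes: bw_costly_<iface> -> bw_penalty_box -> bw_happy_box -> bw_data_saver."""
    any_uid = lambda uid: True
    rs = Ruleset()
    rs.chains["bw_costly_rmnet_data0"] = [
        Rule(any_uid, "bw_penalty_box"),         # blacklist / whitelist / data saver first
        Rule(lambda uid: over_quota, "REJECT"),  # then the interface's mobile data limit
    ]                                            # falling off the end returns to bw_OUTPUT
    rs.chains["bw_penalty_box"] = [
        Rule(lambda uid: uid in blacklist, "REJECT"),
        Rule(any_uid, "bw_happy_box"),           # bw_happy_box hooked at the end of bw_penalty_box
    ]
    rs.chains["bw_happy_box"] = [
        Rule(lambda uid: uid <= SYSTEM_UID_MAX, "RETURN"),  # system apps are always whitelisted
        Rule(lambda uid: uid in whitelist, "RETURN"),
        Rule(any_uid, "bw_data_saver"),          # bw_data_saver hooked at the end of bw_happy_box
    ]
    rs.chains["bw_data_saver"] = [Rule(any_uid, "REJECT" if data_saver_on else "RETURN")]
    return rs

def verdict(uid, blacklist=(), whitelist=(), data_saver_on=False, over_quota=False) -> str:
    """Verdict for one outbound packet owned by uid: "REJECT", or "RETURN" (continues to bw_OUTPUT)."""
    rs = build_ruleset(set(blacklist), set(whitelist), data_saver_on, over_quota)
    return rs.traverse("bw_costly_rmnet_data0", uid)
```

Constructed sample UIDs: 1000 stands for a system app, 10050 and 10060 for ordinary apps.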
Bug: 26685616
Bug: 27506285
Change-Id: I4457abd43697a0425f167b81c1432d743800abb8
1. Make bw_costly_shared jump to bw_happy_box after
bw_penalty_box. This allows the framework to manipulate
whitelists and blacklists independently.
2. Make bw_happy_box always whitelist system apps. Because
bw_penalty_box is consulted before bw_happy_box, the
framework can always blacklist certain system apps (e.g.,
the media server) by putting them in the blacklist.
3. Add a method to add/remove a reject at the end of
bw_costly_shared. This will allow the framework to
enable/disable data saver by changing only one rule.
Bug: 26685616
Bug: 27506285
Change-Id: I67bff7c3c9ff5eb3f84fb84550cdf49f153e1b68
This code is unused, and the plan is to have the happy box
enabled at all times.
Bug: 26685616
Bug: 27506285
Change-Id: Ie15b0775d535df7ca94547a7d8b8a5ed536e6dbd
Copies of this state are already kept in NetworkManagementService,
NetworkPolicyManagerService, and iptables rules. A third copy of
this state is not necessary.
Bug: 26685616
Bug: 27506285
Change-Id: I8dd9fc60a28804ec95660092b13a2895f7480f56
BUG: 27506285
BUG: 26685616
Change-Id: I8352ebbab1778c85e0a1da79a0acede5aea144a1
am: 87732125ef
* commit '87732125ef05808bf958530c8319026e7a1efbce':
Remove unused costName variable
Bug: 27432583
Change-Id: Ica6f8714eb6c40a4b6a94ac5e40144d0e781155e
This adds a jump to bw_costly_<ifname> for traffic forwarded out
interface <ifname> to the bw_FORWARD chain, regardless of tethering
state (as having it safely in place is harmless).
Bug: 24497044
Change-Id: I165724c319051ddf29a2833912eb286368b0570d
* commit '93e6f6a70c83b700aacaa16396449c3d9946b94c':
Make iptables -L and -S calls wait for xtables lock
Bug: 22802665
Change-Id: I95b83ec0a926208e20659ad4b5355cf8500821f5
Without this wait iptables commands can fail with various unpleasant
consequences like Log.wtf() or missing iptables rules. The most
critical calls to iptables in NetdConstants.cpp already wait for the
lock.
Bug: 22802665
Change-Id: I7d542c3d4f0e005618e368da674159b90d652c8a
Add O_CLOEXEC on open() calls, and SOCK_CLOEXEC on socket calls.
This avoids leaking file descriptors across execs.
Addresses the following SELinux denial:
audit(1422740213.283:8): avc: denied { read write } for pid=2597 comm="clatd" path="socket:[6709]" dev="sockfs" ino=6709 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket
and allows the removal of some other SELinux rules which were
inappropriately added because of leaking file descriptors.
Change-Id: I9c180488ea1969d610e488f967a7276a672bb477
Change-Id: I4268ea32cfb0ebd6ce5711e30865750dffa94e92
This patch introduces a method isIfaceName that checks interface
names from various RPCs for validity before e.g. using them as
part of iptables arguments or in filenames.
All of these RPC calls can only be called from applications
with at least the CONNECTIVITY_INTERNAL permission in recent
Android versions, so the impact of the missing checks luckily
isn't very high.
Orig-Author: Jann Horn <jann@thejh.net>
Change-Id: I80df8d745a3de99ad02d6649f0d10562c81f6b98
Signed-off-by: JP Abgrall <jpa@google.com>
As a consequence:
+ Comment out the names of all unused parameters.
+ Remove all unused variables and functions.
In server/Android.mk, there are a couple of non-trivial changes:
+ Use libcxx instead of stlport. This is needed to fix a bunch of errors due to
specifying -std=c++11.
+ LOCAL_SHARED_LIBRARIES is sorted. Technically, the order in which libraries
are listed has an effect on linking, but nobody should be doing such brittle
things anyway.
Change-Id: I0aff5b745e04609da23144d0e8be4c5694321b8b
Change-Id: Ie4b6b303225c93f2448a503d6ea9cebb552cbad5