Bug: 235778483
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I6ad0a12ff14331809cbca97043bc5d5c9f8742b8
(cherry picked from commit d9fc54b55b58ef20dbd34e12699ae947912e7562)
Merged-In: I6ad0a12ff14331809cbca97043bc5d5c9f8742b8
As this ends up built into the netd binary, and should thus
not be pulling in mainline (and thus mutable) header files.
We could technically export the path out of the netd_updatable.so,
but there is no benefit to doing so.
This is because the pin directory is determined by selinux access
having to make these available to netd & iptables (netdutils_wrappers),
and the entire structure of the iptables setup (i.e. chains, etc.) is
already entirely left up to netd.
Thus the only meaningful thing mainline could do here is rename
the programs (while maintaining their behaviour) but that provides
absolutely no value.
(If the programs are missing, then bandwidth accounting fails,
and there is no way to add additional programs.)
Bug: 235778483
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I3c235d63b3695deb04564bb929913a9050b9fc10
(cherry picked from commit acfd2041ce52f25dd5c5a0cafaf4572d7a634f63)
Merged-In: I3c235d63b3695deb04564bb929913a9050b9fc10
Following Maze@'s advice, we add a clat mark to clat packets in the ingress bpf
program and drop the duplicate packets in iptables via a mark match.
Bug: 218407445
Test: atest BandwidthControllerTest
Test: manual test with unmerged aosp/1951099
0. Connect to IPv6-only wifi
1. Clatd test: ping 5 times and check that iptables drop 5 packets by
mark 0xdeadc1a7.
$ adb shell ping 8.8.8.8
..
64 bytes from 8.8.8.8: icmp_seq=4 ttl=120 time=14.3 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=120 time=67.4 ms
$ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
Chain bw_raw_PREROUTING (1 references)
pkts bytes target prot opt in out source destination
5 520 DROP all any any anywhere anywhere mark match 0xdeadc1a7
0 0 RETURN all ipsec+ any anywhere anywhere
0 0 RETURN all any any anywhere anywhere policy match dir in pol ipsec
1661 1239K all any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf
2. Bpf test: run iperf to an IPv4 server and iptables doesn't see
offloaded packet with mark 0xdeadc1a7. Drop packet count (5) is
unchanged.
$ adb shell iperf3 -4 -c 117.102.109.186 -t1
Connecting to host 117.102.109.186, port 5201
[ 5] local 192.0.0.4 port 56242 connected to 117.102.109.186 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 622 KBytes 5.09 Mbits/sec 0 44.0 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-1.00 sec 622 KBytes 5.09 Mbits/sec 0 sender
[ 5] 0.00-1.00 sec 201 KBytes 1.64 Mbits/sec receiver
$ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
Chain bw_raw_PREROUTING (1 references)
pkts bytes target prot opt in out source destination
5 520 DROP all any any anywhere anywhere mark match 0xdeadc1a7
0 0 RETURN all ipsec+ any anywhere anywhere
0 0 RETURN all any any anywhere anywhere policy match dir in pol ipsec
1804 1280K all any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf
3. Enable USB tethering. Do ping and iperf on tethered client.
4. Clatd test: ping 5 times and check that iptables drop 5 packets
(count from 5 to 10) by mark 0xdeadc1a7.
$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
..
64 bytes from 8.8.8.8: icmp_seq=4 ttl=119 time=13.7 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=119 time=15.9 ms
$ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
Chain bw_raw_PREROUTING (1 references)
pkts bytes target prot opt in out source destination
10 1040 DROP all any any anywhere anywhere mark match 0xdeadc1a7
0 0 RETURN all ipsec+ any anywhere anywhere
0 0 RETURN all any any anywhere anywhere policy match dir in pol ipsec
1900 1298K all any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf
5. Bpf test: run iperf to an IPv4 server and iptables doesn't see
offloaded packet with mark 0xdeadc1a7. Drop packet count (10) is
unchanged.
$ iperf3 -4 -c 117.102.109.186 -t1
Connecting to host 117.102.109.186, port 5201
[ 5] local 192.168.235.233 port 41602 connected to 117.102.109.186 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 3.19 MBytes 26.8 Mbits/sec 0 369 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-1.00 sec 3.19 MBytes 26.8 Mbits/sec 0 sender
[ 5] 0.00-1.00 sec 2.58 MBytes 21.7 Mbits/sec receiver
$ adb shell ip6tables -t raw -L bw_raw_PREROUTING -v
Chain bw_raw_PREROUTING (1 references)
pkts bytes target prot opt in out source destination
10 1040 DROP all any any anywhere anywhere mark match 0xdeadc1a7
0 0 RETURN all ipsec+ any anywhere anywhere
0 0 RETURN all any any anywhere anywhere policy match dir in pol ipsec
1978 1320K all any any anywhere anywhere match bpf pinned /sys/fs/bpf/prog_netd_skfilter_ingress_xtbpf
Change-Id: I3bc6f542f6af692f79d464d085d971d2f2e60877
Needed because the raw socket has not been created by clat daemon
anymore since the following commit:
external/android-clat
https://cs.android.com/android/_/android/platform/external/android-clat/+/6006d17eab888bcd2c91d975e005c862477b4787
Currently, the raw socket fd is passed to the clat daemon via the cli.
The socket owner uid is not AID_CLAT anymore. Depending on who the
clat daemon launcher is, the socket owner uid is AID_ROOT (netd) for now
and is going to be AID_SYSTEM (mainline module).
This ip6tables rule doesn't work after the previous commit, and the duplicate
clat daemon egress data usage accounting needs to be fixed in follow-up
commits.
Bug: 218407445
Test: atest netd_unit_test
Change-Id: Icded401b35ecb4c184f15251ed924127bc9920ab
The header file is referenced by the part that is going to be mainlined in Netd.
Bug: 202086915
Test: m; flash; boot
Test: cd system/netd && atest
Test: cd packages/modules/Connectivity && atest
Test: atest FrameworksNetTests
Change-Id: Ib36126f314d7a60ba1e1b3ece94a97dc24ae5c07
Test: atest netd_unit_test
Bug: 167500195
Change-Id: Ie359051cdb4de5aacd1d8b90fe1291a174e95a3c
Rename these to allowlist and denylist.
This change is mostly automatically generated with:
sed -i 's/WHITE/ALLOW/g' server/*.{cpp,h} libnetdbpf/{*.cpp,/include/netdbpf/*.h} bpf_progs/*.[ch]
sed -i 's/white/allow/g' server/*.{cpp,h} libnetdbpf/{*.cpp,/include/netdbpf/*.h} bpf_progs/*.[ch]
sed -i 's/BLACK/DENY/g' server/*.{cpp,h} libnetdbpf/{*.cpp,/include/netdbpf/*.h} bpf_progs/*.[ch]
sed -i 's/black/deny/g' server/*.{cpp,h} libnetdbpf/{*.cpp,/include/netdbpf/*.h} bpf_progs/*.[ch]
sed -i 's/White/Allow/g' server/*.{cpp,h} libnetdbpf/{*.cpp,/include/netdbpf/*.h} bpf_progs/*.[ch]
sed -i 's/Black/Deny/g' server/*.{cpp,h} libnetdbpf/{*.cpp,/include/netdbpf/*.h} bpf_progs/*.[ch]
plus manual changes to FirewallController.h and NdcDispatcher.cpp
to make them continue to use INetd::FIREWALL_WHITELIST and
INetd::FIREWALL_BLACKLIST.
INetd (and FIREWALL_WHITELIST and FIREWALL_BLACKLIST) are not
being fixed in this change because doing so would require
changing frozen AIDL files, which is a more complex undertaking.
Also manually change occurrences in the test.
Finally, fix some formatting errors found by clang-format, and
some errors such as "a allowlist" (should be "an allowlist") or
"allowspace" (should be "whitespace").
Bug: 161896447
Test: atest netd_unit_test netd_integration_test
Test: crosshatch builds, boots, no IptablesRestoreController errors in logs
Change-Id: I3f5b864686651134a50e90b28fc9914bfa3f9a8e
Test: atest
Bug: 150738490
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ibe2de1b04e5ff342d87aa47236c635b47f7ea11b
Test: rules actually load
Bug: 150738490
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I67ea962bb0ebd9b3b3ced23010e4fd8dfc8d6931
While we're at it we also add some hopefully useful comments.
Test: atest
Bug: 150738490
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: If20ff6949fd86591d882b63d012978db53737c7c
There are already uses of -j in places, it's the output format of
iptables-save, and it's shorter.
Generated via:
sed -i -r 's@--jump@-j@g' server/BandwidthControllerTest.cpp
sed -i -r 's@--jump@-j@g' server/BandwidthController.cpp
Test:
git grep '[-]-jump' -- now comes up empty
atest bpf_module_test clatd_test libbpf_android_test libnetdbpf_test
netd_integration_test netd_unit_test netdutils_test
resolv_integration_test resolv_unit_test
Bug: 136696213
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I06b8ea544f681911472c9b60336b31532c408a6f
Test: tests/runtests.sh
Change-Id: If59480cee6460847f5c1cef17e3ef036b8e75651
We need this to ensure that the tethering IPCs don't need to grab the
lock in two different controllers.
The idea is to always have a global_alert rule in the bw_global_alert
chain.
TetherController will enable/disable the reference to the bw_global_alert
chain.
[childchain order of filter FORWARD chain]
Chain FORWARD
nm_mdmprxy_iface_pkt_fwder
oem_fwd
fw_FORWARD
bw_FORWARD
tetherctrl_FORWARD
--Simple rule comparison--
[Before]
Chain bw_FORWARD
Alert rule
... other rules
Chain tetherctrl_FORWARD
... other rules
[After]
Chain bw_FORWARD
No Alert rule
... other rules
Chain tetherctrl_FORWARD
Jump to bw_global_alert
... other rules
Chain bw_global_alert
Alert rule
The exact rule comparison is shown in the bug.
Bug: 119735985
Test: built, flashed, booted
system/netd/tests/runtests.sh passes
Change-Id: Ibf752d0c8de9170689fc74c89c0424d2642853ec
With the main bpf library moved into system/bpf, the rest of the netd-only
bpf files are renamed into libnetdbpf. Fixed some dependency issues
on the new libbpf outside netd.
Test: BpfBasicTest libbpf_test netd_unit_test netd_integration_test
Bug: 112334572
Change-Id: I71f2c5285fee6fe96e0db55578dc618d16444d98
The constant definitions of the pinned location of bpf programs and maps
are used by netd, bpfloader now and will be used by the bpf kernel c
program in the future. Move them into bpf_shared.h so they can be
properly included by kernel programs as well.
Bug: 112328133
Test: Build and flash devices, the programs and maps get pinned
properly.
Change-Id: I5fed66cd7e9c9a140fdf57835dc01b82b28e0ea7
Remove the corresponding netd command, and enable the bandwidth
controller by default.
Test: The bandwidth control starts correctly on new devices.
Change-Id: I05e1bd365af1edfade28d445cec897cc6b6b2f08
The "--socket-exists" rules in BandwidthController are actually the
rules that enable xt_qtaguid accounting feature. For devices that use
ebpf for packet accounting, these rules need to be removed so that
devices that don't have that kernel module can still run properly.
This change also completely disables xt_qtaguid accounting on devices
that have both xt_qtaguid and eBPF.
Bug: 70945407
Test: device boots and iptables rules are loaded successfully.
Netd_unit_test passes.
Change-Id: I9c11259e38889b5bf4876cff91c97741d624a18d
Test: tests/runtests.sh
Change-Id: Id06480fa3c1fc04f5669c42b87b263b46bf614fd
To completely move away from the xt_qtaguid module, the bandwidth controller
should not use it for uid owner matching any more. Instead, it can use an
eBPF map to store the uids that need to be matched and use two eBPF programs
running on the xt_bpf hooks to filter out the packets.
Bug: 80649292
Test: ./netd_unit_test
Change-Id: I8e9c7cb3371aae0c24ccc6f64e05e6cbd4f78aae
The BandwidthController unit test cannot directly use gCtrl->trafficCtrl
to check if the bpf stats feature is available. Rewrite the
getBpfStatsStatus() function of BandwidthController so it also
functions in the BandwidthController unit tests.
Bug: 72111305
Test: ./netd_unit_test
Change-Id: Ie60ed384b7f8d42b8e1f3417949d46895bea6572
This change reserves a mark denoting that a packet has already been
accounted for, along with adding rules in BandwidthController to support
IPSec packets being billed correctly.
Bug: 62994731
Test: BandwidthControllerTest updated, passing. CTS tests also modified
and passing
Change-Id: I8b42975d1502a0d3b9e533bddc0892cfe1556bed
This makes IPv6 work on metered wifi networks. Without this:
1. We reject incoming RAs, so we lose connectivity when the RA
parameters expire.
2. We reject incoming NAs, so we get NUD failures.
Bug: 66015813
Test: angler builds, boots
Test: netd_{unit,integration}_test pass
Test: CtsHostsideNetworkTests tests pass
Change-Id: I033040ef0b91c22035e29c636123cd41ab1967ec
Test: as follows
- built
- flashed
- booted
- runtest -x system/netd/tests/netd_integration_test.cpp passes
- runtest -x system/netd/server/netd_unit_test.cpp passes
Bug: 65654957
Change-Id: I62dbe387aaeecb362b2bc69de8f9ce66f163d929
This includes the entirety of NatController and relevant
parts of BandwidthController (specifically, getTetherStats
and its dependencies).
This will make the code easier to understand and allow netd to
provide a simpler API to the framework (e.g., by providing
higher-level methods that perform what today are multiple
operations from the framework's point of view).
It will also reduce duplication of state (e.g., interface pairs
kept by NatController partially overlap with downstream
interfaces kept by TetherController) and avoid dependencies
between controllers.
This CL makes no functional changes. The only code changes are
the ones necessary for compilation. Specifically:
- Move some methods into IptablesBaseTest.cpp so they can be
used from two test classes.
- Change TetherController::iptablesRestoreFunction to the
three-argument version used by the erstwhile BandwidthController
tests.
Where appropriate, variable names have been changed, but strings
that actually appear on device, such as iptables rule names, are
left as is and will be changed in a future CL.
Bug: 32163131
Bug: 64995262
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Change-Id: Idc80bfd424ce011826305f84b1cc98e741698601
Also move to binder_test.cpp some string constants that are used
only there.
Bug: 28362720
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Change-Id: I9eee599aafa696cbf3a1f65c3814a33ed99d65fc
Costly alerts appear to be currently unused, but they are the
last user of iptables commands in BandwidthController, so
migrating them to iptables-restore will allow us to delete
the iptables-specific code in BandwidthController.
Bug: 28362720
Test: netd_{unit,integration}_test pass
Change-Id: I07c6df6df347fd6485e6d0740b7d6165a423e34b
Bug: 28362720
Test: netd_{unit,integration}_test pass
Change-Id: I9c46564819f5ff5123203bbfd173876725f7b079
Bug: 28362720
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Test: quota rules are added and removed when quotas are enabled/disabled
Change-Id: Ib4df4f10a26c8bc206cc67671da09618fa4224ac
When setting shared or interface quota, BandwidthController will
delete rules in bw_{FORWARD,INPUT,OUTPUT} before re-adding them.
These deletes are guaranteed to fail because the rules being
deleted only exist when bandwidth control is enabled and the
applicable interface is in mQuotaIfaces. Specifically, as long
as no intermediate iptables commands fail:
1. When bandwidth control is enabled or disabled, all the
bw_{FORWARD,INPUT,OUTPUT} chains are cleared by
flushCleanTables.
2. The rules that were being deleted are only added when
bandwidth control is enabled and an interface is added to
mQuotaIfaces.
3. Adding a quota is a no-op if the interface is already in
mQuotaIfaces (or mSharedQuotaIfaces for shared quotas).
4. When an interface is removed from mQuotaIfaces (or
mSharedQuotaIfaces), the rules are always deleted.
In the presence of intermediate iptables command failures this
change could make things worse, but an upcoming change will move
the quota commands to iptables-restore, which will ensure that
iptables commands in a quota operation either all succeed or all
fail.
In addition to removing the superfluous deletes, also change the
order of the commands that create a chain from "-F then -N" to
"-N then -F". This simplifies the code and the tests a bit.
Bug: 28362720
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Test: quota rules are added and removed when quotas are enabled/disabled
Change-Id: I64a0a2aa16066163c71f6d3ead36839b51c34620
Test: as follows
- built
- flashed
- booted
- "runtest -x .../netd_unit_test.cpp" passes
Bug: 28362720
Bug: 38143143
Change-Id: I0b962898f9e3d7e86d5c0d0d01b79b3e3543b5ee
Bug: 32073253
Test: bullhead builds and boots
Test: netd_{unit,integration}_test pass
Test: Turning datasaver on/off changes rules as expected
Test: Modifying datasaver whitelist changes rules as expected when datasaver is on
Test: Adding and removing cell data limits changes rules as expected
Test: No IptablesRestoreController methods in normal usage
Change-Id: I83723db6a539b641308ef0f74ac30b4db304295c
Bug: 32073253
Test: netd_{unit,integration}_test pass
Change-Id: I55c6ffd39383f9bb974fa40985d9f03fddfafd7d
This saves about 100ms on boot.
(cherry picked from commit 546fe48d36859e1ef2a0df2ffc1067dc2916ba44)
Bug: 37641280
Test: marlin builds and boots
Test: netd_{unit,integration}_test pass
Test: iptables rules look identical to other marlin running oc-release
Test: Enabling/disabling tethering adds/removes the forward rule
Change-Id: I8e15940565894d44a819b9cef25790d443b25df5
Merged-In: I56ce20a0efef8b1aba5f55bc823926447b21a614
Additionally, remove some unused code.
(cherry picked from commit 615df791ab6081921114369052ffcdba7b67eebe)
Bug: 37641280
Test: marlin builds and boots
Test: new unit test passes
Test: netd_{unit,integration}_test pass
Change-Id: I8224b4cc0382f5efe57723baa1513c693d42535b
Merged-In: I32072a2701fe1f52d5b3cfb0d57b3f296d7c37df
Bug: 28362720
Test: test-only change.
Change-Id: I11d7c55afda4cfd72eb2f3de2362ecf3bf1d3b4e
Tested using:
adb shell ndc bandwidth gettetherstats
adb shell iptables -nvx -L natctrl_tether_counters
adb shell ip6tables -nvx -L natctrl_tether_counters
Results:
114 0 wlan0 rmnet_data0 272883 2976 8624804 6032
200 0 Tethering stats list completed
Chain natctrl_tether_counters (2 references)
pkts bytes target prot opt in out source destination
2688 179096 RETURN all -- wlan0 rmnet_data0 0.0.0.0/0 0.0.0.0/0
5713 8351999 RETURN all -- rmnet_data0 wlan0 0.0.0.0/0 0.0.0.0/0
Chain natctrl_tether_counters (1 references)
pkts bytes target prot opt in out source destination
288 93787 RETURN all wlan0 rmnet_data0 ::/0 ::/0
319 272805 RETURN all rmnet_data0 wlan0 ::/0 ::/0
Test: manual test described above
Test: data usage increases by 10MB when downloading 10MB file
Test: netd_unit_test passes
Bug: 34873832
Change-Id: I32c4e750a4d3c379074cc13ab1302d51421860d2
Most of BandwidthController startup is already using
iptables-restore, but some commands (notably listing the costly
chains so they can be flushed by flushCleanTables) still
use iptables. Move these to use execIptablesRestoreWithOutput.
Test: netd_unit_test passes
Bug: 34873832
Change-Id: Ib0741a99a2605cd6934186fd4e5364331a4eab5a
Bug: 9580643
Change-Id: Icbfd8c6480a4e14433004e90b71a104ae4da9c5d
Bug: 9580643
Change-Id: Ia2f273b518399f42bfa8efb98445f1ff043bc07e
Bug: 9580643
Change-Id: I26f7adb9639f1ddf4eda0c98bcc6cd3a83d3ba0b
Bug: 25691379
Bug: 21725996
Change-Id: Ia0598e60ad24714d53470e05849929831ba9dbf6
This saves approximately 800ms on boot.
From the perspective of the rules, this change is a no-op. As the
unit test shows, the commands are the same, though some are in a
slightly different order because iptables-restore requires that
COMMIT be called between different tables (e.g., filter and
mangle).
For simplicity, enableBandwidthControl runs two iptables-restore
commands instead of one. This is not semantically different from
the previous code because the previous code just ran iptables
commands one by one, which provides no atomicity. Running two
commands is a bit slower than running one, but it's still much
faster than using iptables.
Using iptables-restore allows us to do things like ":<chain> -",
which both creates the chain (if it does not already exist) and
flushes it. This allows us to remove IPT_CLEANUP_COMMANDS and
IPT_SETUP_COMMANDS. Those two sets of commands, which basically
just did "-X bw_<foo>" and "-N bw_<foo>" were only necessary
because the preceding "-F bw_<foo>" command would not create
bw_<foo> if it did not already exist (e.g. in setupIptablesHooks,
which runs on netd startup).
Bug: 21725996
Change-Id: I6656aed4287dfcb2311c94800f430c143fb0b1a5
Bug: 25691379
Bug: 21725996
Change-Id: I196f568221b3bad98ba2d60e019c2b24c59a9cbc
The data saver refactoring change was incorrect in >= two ways:
1. It relied on the bw_costly_shared chain, which is currently
unused. NetworkManagementService just has a "TODO: support
quota shared across interfaces" comment about it. What
actually happens when setting quota is that each costly
interface chain (e.g., bw_costly_rmnet_data0) directly hooks
in the bw_penalty_box chain.
2. Implementing app whitelisting using "RETURN" inside
bw_happy_box was pointless because if data saver was enabled,
there was a REJECT at the end of the bw_costly_shared chain
that it was returning to.
Instead, go back to the previous approach which hooked
bw_happy_box at the end of bw_penalty_box. Also, add an
additional bw_data_saver rule at the end of bw_happy_box.
bw_data_saver only contains one rule: RETURN if data saver is
enabled or REJECT if data saver is disabled.
That way:
1. If the app is blacklisted, bw_penalty_box REJECTs. If not:
2. If the app is whitelisted (system apps are always whitelisted)
bw_happy_box RETURNs to bw_costly_rmnet_data0, skipping
bw_data_saver.
3. If an app is neither blacklisted nor whitelisted, bw_happy_box
jumps to bw_data_saver. If data saver is enabled, it REJECTs
the packet, and if not, it RETURNs to bw_costly_rmnet_data0.
4. When we RETURN to bw_costly_rmnet_data0, either because the
app is whitelisted, or because data saver is off,
bw_costly_rmnet_data0 applies mobile data usage limits,
and then RETURNs to bw_OUTPUT, which calls xt_qtaguid, etc.
Bug: 26685616
Bug: 27506285
Change-Id: If15397afde6862d95827a1fdd30f60efd7fab66a
Bug: 26685616
Bug: 27506285
Change-Id: I4457abd43697a0425f167b81c1432d743800abb8