authorLorenzo Colitti <lorenzo@google.com>2017-04-28 14:34:01 +0900
committerLorenzo Colitti <lorenzo@google.com>2017-04-28 23:40:33 +0900
commit2b6ea767f094b960211a3bfa0c53b8766c7347fb (patch)
tree283d5082a61b8a039279005c988bf6f0d129acc6
parent00802cba1b93637631ab3d204398d99d05b97350 (diff)
Switch BandwidthController per-UID commands to iptables-restore
(cherry picked from commit 6849001bc61f965896a2d0fa42b3915879ee0b5b) Bug: 32073253 Test: bullhead builds and boots Test: netd_{unit,integration}_test pass Test: Turning datasaver on/off changes rules as expected Test: Modifying datasaver whitelist changes rules as expected when datasaver is on Test: Adding and removing cell data limits changes rules as expected Test: No IptablesRestoreController methods in normal usage Change-Id: I83723db6a539b641308ef0f74ac30b4db304295c Merged-In: I83723db6a539b641308ef0f74ac30b4db304295c
-rw-r--r--server/BandwidthController.cpp74
-rw-r--r--server/BandwidthControllerTest.cpp32
2 files changed, 31 insertions, 75 deletions
diff --git a/server/BandwidthController.cpp b/server/BandwidthController.cpp
index 828ef3ad..52604872 100644
--- a/server/BandwidthController.cpp
+++ b/server/BandwidthController.cpp
@@ -148,7 +148,6 @@ const std::string GET_TETHER_STATS_COMMAND = StringPrintf(
*/
const std::string COMMIT_AND_CLOSE = "COMMIT\n";
-const std::string DATA_SAVER_ENABLE_COMMAND = "-R bw_data_saver 1";
const std::string HAPPY_BOX_WHITELIST_COMMAND = StringPrintf(
"-I bw_happy_box -m owner --uid-owner %d-%d --jump RETURN", 0, MAX_SYSTEM_UID);
@@ -301,8 +300,11 @@ int BandwidthController::disableBandwidthControl(void) {
}
int BandwidthController::enableDataSaver(bool enable) {
- return runIpxtablesCmd(DATA_SAVER_ENABLE_COMMAND.c_str(),
- enable ? IptJumpReject : IptJumpReturn, IptFailShow);
+ std::string cmd = StringPrintf(
+ "*filter\n"
+ "-R bw_data_saver 1%s\n"
+ "COMMIT\n", jumpToString(enable ? IptJumpReject : IptJumpReturn));
+ return iptablesRestoreFunction(V4V6, cmd, nullptr);
}
int BandwidthController::runCommands(int numCommands, const char *commands[],
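Review bot: The format string `"-R bw_data_saver 1%s\n"` in enableDataSaver has no separator before `%s`, so it is only correct because jumpToString() returns text that begins with a space (the updated test expects `-R bw_data_saver 1 --jump REJECT`). A short comment above the StringPrintf call, for example `// jumpToString() supplies its own leading space.`, would stop a later edit from fusing the rule number with the jump target. The same dependency exists in the `%s%s` tail of the format string in manipulateSpecialApps further down this file.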
@@ -321,25 +323,6 @@ int BandwidthController::runCommands(int numCommands, const char *commands[],
return 0;
}
-std::string BandwidthController::makeIptablesSpecialAppCmd(IptOp op, int uid, const char *chain) {
- std::string res;
- char *buff;
- const char *opFlag;
-
- switch (op) {
- case IptOpInsert:
- opFlag = "-I";
- break;
- case IptOpDelete:
- opFlag = "-D";
- break;
- }
- asprintf(&buff, "%s %s -m owner --uid-owner %d", opFlag, chain, uid);
- res = buff;
- free(buff);
- return res;
-}
-
int BandwidthController::addNaughtyApps(int numUids, char *appUids[]) {
return manipulateNaughtyApps(numUids, appUids, IptOpInsert);
}
@@ -364,51 +347,16 @@ int BandwidthController::manipulateNiceApps(int numUids, char *appStrUids[], Ipt
return manipulateSpecialApps(numUids, appStrUids, "bw_happy_box", IptJumpReturn, op);
}
-
int BandwidthController::manipulateSpecialApps(int numUids, char *appStrUids[],
const char *chain,
IptJumpOp jumpHandling, IptOp op) {
-
- int uidNum;
- const char *failLogTemplate;
- int appUids[numUids];
- std::string iptCmd;
-
- switch (op) {
- case IptOpInsert:
- failLogTemplate = "Failed to add app uid %s(%d) to %s.";
- break;
- case IptOpDelete:
- failLogTemplate = "Failed to delete app uid %s(%d) from %s box.";
- break;
+ std::string cmd = "*filter\n";
+ for (int uidNum = 0; uidNum < numUids; uidNum++) {
+ StringAppendF(&cmd, "%s %s -m owner --uid-owner %s%s\n", opToString(op), chain,
+ appStrUids[uidNum], jumpToString(jumpHandling));
}
-
- for (uidNum = 0; uidNum < numUids; uidNum++) {
- char *end;
- appUids[uidNum] = strtoul(appStrUids[uidNum], &end, 0);
- if (*end || !*appStrUids[uidNum]) {
- ALOGE(failLogTemplate, appStrUids[uidNum], appUids[uidNum], chain);
- goto fail_parse;
- }
- }
-
- for (uidNum = 0; uidNum < numUids; uidNum++) {
- int uid = appUids[uidNum];
-
- iptCmd = makeIptablesSpecialAppCmd(op, uid, chain);
- if (runIpxtablesCmd(iptCmd.c_str(), jumpHandling)) {
- ALOGE(failLogTemplate, appStrUids[uidNum], uid, chain);
- goto fail_with_uidNum;
- }
- }
- return 0;
-
-fail_with_uidNum:
- /* Try to remove the uid that failed in any case*/
- iptCmd = makeIptablesSpecialAppCmd(IptOpDelete, appUids[uidNum], chain);
- runIpxtablesCmd(iptCmd.c_str(), jumpHandling);
-fail_parse:
- return -1;
+ StringAppendF(&cmd, "COMMIT\n");
+ return iptablesRestoreFunction(V4V6, cmd, nullptr);
}
std::string BandwidthController::makeIptablesQuotaCmd(IptFullOp op, const char *costName, int64_t quota) {
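Review bot: manipulateSpecialApps now copies each `appStrUids[uidNum]` into the iptables-restore input with `%s`, while the strtoul check that rejected empty or non-numeric entries is deleted in this same hunk. The restore input is line-oriented text, so an entry that is not a plain number is no longer guaranteed to stay a single `--uid-owner` argument on a single rule line. Where these strings originate is not visible on this page, so the validation should stay at this boundary rather than be assumed upstream. Parsing each entry and formatting the parsed value keeps the `-1` return for malformed input and still sends the whole batch in one restore call, with nothing sent if any entry is bad.

```cpp
    std::string cmd = "*filter\n";
    for (int uidNum = 0; uidNum < numUids; uidNum++) {
        // Accept only a complete numeric UID, as the pre-restore code did,
        // and emit the parsed value rather than the caller's string.
        char *end;
        unsigned long uid = strtoul(appStrUids[uidNum], &end, 0);
        if (*end || !*appStrUids[uidNum]) {
            ALOGE("Invalid app uid '%s' for chain %s", appStrUids[uidNum], chain);
            return -1;
        }
        StringAppendF(&cmd, "%s %s -m owner --uid-owner %lu%s\n", opToString(op), chain,
                      uid, jumpToString(jumpHandling));
    }
    // … unchanged: COMMIT line and iptablesRestoreFunction call …
```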
diff --git a/server/BandwidthControllerTest.cpp b/server/BandwidthControllerTest.cpp
index ad4745cc..954db575 100644
--- a/server/BandwidthControllerTest.cpp
+++ b/server/BandwidthControllerTest.cpp
@@ -190,15 +190,19 @@ TEST_F(BandwidthControllerTest, TestDisableBandwidthControl) {
TEST_F(BandwidthControllerTest, TestEnableDataSaver) {
mBw.enableDataSaver(true);
std::vector<std::string> expected = {
- "-R bw_data_saver 1 --jump REJECT",
+ "*filter\n"
+ "-R bw_data_saver 1 --jump REJECT\n"
+ "COMMIT\n"
};
- expectIptablesCommands(expected);
+ expectIptablesRestoreCommands(expected);
mBw.enableDataSaver(false);
expected = {
- "-R bw_data_saver 1 --jump RETURN",
+ "*filter\n"
+ "-R bw_data_saver 1 --jump RETURN\n"
+ "COMMIT\n"
};
- expectIptablesCommands(expected);
+ expectIptablesRestoreCommands(expected);
}
std::string kIPv4TetherCounters = android::base::Join(std::vector<std::string> {
@@ -441,18 +445,22 @@ TEST_F(BandwidthControllerTest, ManipulateSpecialApps) {
std::vector<const char *> appUids = { "1000", "1001", "10012" };
std::vector<std::string> expected = {
- "-I bw_happy_box -m owner --uid-owner 1000 --jump RETURN",
- "-I bw_happy_box -m owner --uid-owner 1001 --jump RETURN",
- "-I bw_happy_box -m owner --uid-owner 10012 --jump RETURN",
+ "*filter\n"
+ "-I bw_happy_box -m owner --uid-owner 1000 --jump RETURN\n"
+ "-I bw_happy_box -m owner --uid-owner 1001 --jump RETURN\n"
+ "-I bw_happy_box -m owner --uid-owner 10012 --jump RETURN\n"
+ "COMMIT\n"
};
EXPECT_EQ(0, mBw.addNiceApps(appUids.size(), const_cast<char**>(&appUids[0])));
- expectIptablesCommands(expected);
+ expectIptablesRestoreCommands(expected);
expected = {
- "-D bw_penalty_box -m owner --uid-owner 1000 --jump REJECT",
- "-D bw_penalty_box -m owner --uid-owner 1001 --jump REJECT",
- "-D bw_penalty_box -m owner --uid-owner 10012 --jump REJECT",
+ "*filter\n"
+ "-D bw_penalty_box -m owner --uid-owner 1000 --jump REJECT\n"
+ "-D bw_penalty_box -m owner --uid-owner 1001 --jump REJECT\n"
+ "-D bw_penalty_box -m owner --uid-owner 10012 --jump REJECT\n"
+ "COMMIT\n"
};
EXPECT_EQ(0, mBw.removeNaughtyApps(appUids.size(), const_cast<char**>(&appUids[0])));
- expectIptablesCommands(expected);
+ expectIptablesRestoreCommands(expected);
}
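Review bot: ManipulateSpecialApps passes only well-formed decimal strings (`"1000"`, `"1001"`, `"10012"`), so no test pins what the per-UID commands do with an empty or non-numeric entry now that they build a restore script from those strings. The code this commit replaces in BandwidthController.cpp returned -1 for such input. A negative case, such as `EXPECT_EQ(-1, mBw.addNiceApps(...))` with one malformed element followed by a check that no restore command was issued, would lock that contract in. Whether expectIptablesRestoreCommands accepts an empty expectation list is not visible here and would need confirming.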