authorLorenzo Colitti <lorenzo@google.com>2017-04-26 15:48:13 +0900
committerLorenzo Colitti <lorenzo@google.com>2017-04-26 17:19:18 +0900
commit546fe48d36859e1ef2a0df2ffc1067dc2916ba44 (patch)
tree7b2d20259bd5385eb19217e06208ddd339a6baf1
parent615df791ab6081921114369052ffcdba7b67eebe (diff)
Move runIptablesAlert{,Fwd}Cmd to iptables-restore.
This saves about 100ms on boot. Bug: 37641280 Test: marlin builds and boots Test: netd_{unit,integration}_test pass Test: iptables rules look identical to other marlin running oc-release Test: Enabling/disabling tethering adds/removes the forward rule Change-Id: I56ce20a0efef8b1aba5f55bc823926447b21a614
-rw-r--r--server/BandwidthController.cpp42
-rw-r--r--server/BandwidthControllerTest.cpp28
2 files changed, 39 insertions, 31 deletions
diff --git a/server/BandwidthController.cpp b/server/BandwidthController.cpp
index 2a196f86..47fb8230 100644
--- a/server/BandwidthController.cpp
+++ b/server/BandwidthController.cpp
@@ -57,7 +57,7 @@
#include "ResponseCode.h"
/* Alphabetical */
-#define ALERT_IPT_TEMPLATE "%s %s -m quota2 ! --quota %" PRId64" --name %s"
+#define ALERT_IPT_TEMPLATE "%s %s -m quota2 ! --quota %" PRId64" --name %s\n"
const char* BandwidthController::LOCAL_INPUT = "bw_INPUT";
const char* BandwidthController::LOCAL_FORWARD = "bw_FORWARD";
const char* BandwidthController::LOCAL_OUTPUT = "bw_OUTPUT";
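Review bot: ALERT_IPT_TEMPLATE on the `+` line now ends in `\n`, which makes it usable only as one line of an iptables-restore script and no longer as a standalone iptables command, and nothing at the definition says so. A one-line comment would keep the next caller from feeding it to the per-command path: `// One iptables-restore rule line (trailing newline); not a standalone iptables command.` If any other user of the macro elsewhere in the file still goes through runIpxtablesCmd it would now carry a stray newline; I cannot see the rest of the file to confirm there is none.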
@@ -68,6 +68,9 @@ auto BandwidthController::execFunction = android_fork_execvp;
auto BandwidthController::popenFunction = popen;
auto BandwidthController::iptablesRestoreFunction = execIptablesRestoreWithOutput;
+using android::base::StringAppendF;
+using android::base::StringPrintf;
+
namespace {
const char ALERT_GLOBAL_NAME[] = "globalAlert";
@@ -76,7 +79,7 @@ const int MAX_CMD_LEN = 1024;
const int MAX_IFACENAME_LEN = 64;
const int MAX_IPT_OUTPUT_LINE_LEN = 256;
const std::string NEW_CHAIN_COMMAND = "-N ";
-const std::string GET_TETHER_STATS_COMMAND = android::base::StringPrintf(
+const std::string GET_TETHER_STATS_COMMAND = StringPrintf(
"*filter\n"
"-nvx -L %s\n"
"COMMIT\n", NatController::LOCAL_TETHER_COUNTERS_CHAIN);
@@ -146,7 +149,7 @@ const std::string GET_TETHER_STATS_COMMAND = android::base::StringPrintf(
const std::string COMMIT_AND_CLOSE = "COMMIT\n";
const std::string DATA_SAVER_ENABLE_COMMAND = "-R bw_data_saver 1";
-const std::string HAPPY_BOX_WHITELIST_COMMAND = android::base::StringPrintf(
+const std::string HAPPY_BOX_WHITELIST_COMMAND = StringPrintf(
"-I bw_happy_box -m owner --uid-owner %d-%d --jump RETURN", 0, MAX_SYSTEM_UID);
static const std::vector<std::string> IPT_FLUSH_COMMANDS = {
@@ -828,7 +831,7 @@ int BandwidthController::updateQuota(const char *quotaName, int64_t bytes) {
int BandwidthController::runIptablesAlertCmd(IptOp op, const char *alertName, int64_t bytes) {
int res = 0;
const char *opFlag;
- char *alertQuotaCmd;
+ std::string alertQuotaCmd = "*filter\n";
switch (op) {
case IptOpInsert:
@@ -840,21 +843,19 @@ int BandwidthController::runIptablesAlertCmd(IptOp op, const char *alertName, in
break;
}
- asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_INPUT",
- bytes, alertName);
- res |= runIpxtablesCmd(alertQuotaCmd, IptJumpNoAdd);
- free(alertQuotaCmd);
- asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_OUTPUT",
- bytes, alertName);
- res |= runIpxtablesCmd(alertQuotaCmd, IptJumpNoAdd);
- free(alertQuotaCmd);
+ // TODO: consider using an alternate template for the delete that does not include the --quota
+ // value. This code works because the --quota value is ignored by deletes
+ StringAppendF(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_INPUT", bytes, alertName);
+ StringAppendF(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_OUTPUT", bytes, alertName);
+ StringAppendF(&alertQuotaCmd, "COMMIT\n");
+
+ iptablesRestoreFunction(V4V6, alertQuotaCmd, nullptr);
return res;
}
int BandwidthController::runIptablesAlertFwdCmd(IptOp op, const char *alertName, int64_t bytes) {
- int res = 0;
const char *opFlag;
- char *alertQuotaCmd;
+ std::string alertQuotaCmd = "*filter\n";
switch (op) {
case IptOpInsert:
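Review bot: The result of `iptablesRestoreFunction(V4V6, alertQuotaCmd, nullptr);` is discarded on the line before `return res;`, and `res` (declared as `int res = 0;` in the previous hunk) is never updated, so runIptablesAlertCmd now reports success even when iptables-restore rejects the script or fails to run; before the change each runIpxtablesCmd result was OR-ed into `res`. A caller such as setGlobalAlert would then believe the alert is installed while no quota rule exists on bw_INPUT/bw_OUTPUT. The forward variant in this same hunk already returns the call's result directly; do the same here and drop `res`: `return iptablesRestoreFunction(V4V6, alertQuotaCmd, nullptr);`. runIptablesAlertCmd's signature and the head of its `switch` are in the previous hunk.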
@@ -866,11 +867,10 @@ int BandwidthController::runIptablesAlertFwdCmd(IptOp op, const char *alertName,
break;
}
- asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_FORWARD",
- bytes, alertName);
- res = runIpxtablesCmd(alertQuotaCmd, IptJumpNoAdd);
- free(alertQuotaCmd);
- return res;
+ StringAppendF(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_FORWARD", bytes, alertName);
+ StringAppendF(&alertQuotaCmd, "COMMIT\n");
+
+ return iptablesRestoreFunction(V4V6, alertQuotaCmd, nullptr);
}
int BandwidthController::setGlobalAlert(int64_t bytes) {
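Review bot: `alertName` is now spliced unescaped into a multi-line iptables-restore script on the `StringAppendF(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_FORWARD", bytes, alertName);` line, where a newline or whitespace in the name ends the rule early and the remainder is parsed as further rule text, whereas the old runIpxtablesCmd path issued one rule per invocation. Whether any caller can supply a crafted name I cannot tell from this diff, since the callers of runIptablesAlert{,Fwd}Cmd are outside the hunk, but a defensive check before the `switch` is cheap: `if (alertName == nullptr || strpbrk(alertName, " \t\r\n") != nullptr) return -1;` (needs `<cstring>` if not already included), with the same guard in runIptablesAlertCmd. The `bytes` argument is formatted with `PRId64` and is not affected.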
@@ -1284,9 +1284,9 @@ void BandwidthController::parseAndFlushCostlyTables(const std::string& ruleList,
continue;
}
- clearCommands.push_back(android::base::StringPrintf(":%s -", chainName.c_str()));
+ clearCommands.push_back(StringPrintf(":%s -", chainName.c_str()));
if (doRemove) {
- clearCommands.push_back(android::base::StringPrintf("-X %s", chainName.c_str()));
+ clearCommands.push_back(StringPrintf("-X %s", chainName.c_str()));
}
}
diff --git a/server/BandwidthControllerTest.cpp b/server/BandwidthControllerTest.cpp
index 85c6b969..487b7d8b 100644
--- a/server/BandwidthControllerTest.cpp
+++ b/server/BandwidthControllerTest.cpp
@@ -401,30 +401,38 @@ TEST_F(BandwidthControllerTest, TestSetInterfaceQuota) {
TEST_F(BandwidthControllerTest, IptablesAlertCmd) {
std::vector<std::string> expected = {
- "-I bw_INPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert",
- "-I bw_OUTPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert",
+ "*filter\n"
+ "-I bw_INPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+ "-I bw_OUTPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+ "COMMIT\n"
};
EXPECT_EQ(0, runIptablesAlertCmd(IptOp::IptOpInsert, "MyWonderfulAlert", 123456));
- expectIptablesCommands(expected);
+ expectIptablesRestoreCommands(expected);
expected = {
- "-D bw_INPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert",
- "-D bw_OUTPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert",
+ "*filter\n"
+ "-D bw_INPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+ "-D bw_OUTPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+ "COMMIT\n"
};
EXPECT_EQ(0, runIptablesAlertCmd(IptOp::IptOpDelete, "MyWonderfulAlert", 123456));
- expectIptablesCommands(expected);
+ expectIptablesRestoreCommands(expected);
}
TEST_F(BandwidthControllerTest, IptablesAlertFwdCmd) {
std::vector<std::string> expected = {
- "-I bw_FORWARD -m quota2 ! --quota 123456 --name MyWonderfulAlert",
+ "*filter\n"
+ "-I bw_FORWARD -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+ "COMMIT\n"
};
EXPECT_EQ(0, runIptablesAlertFwdCmd(IptOp::IptOpInsert, "MyWonderfulAlert", 123456));
- expectIptablesCommands(expected);
+ expectIptablesRestoreCommands(expected);
expected = {
- "-D bw_FORWARD -m quota2 ! --quota 123456 --name MyWonderfulAlert",
+ "*filter\n"
+ "-D bw_FORWARD -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+ "COMMIT\n"
};
EXPECT_EQ(0, runIptablesAlertFwdCmd(IptOp::IptOpDelete, "MyWonderfulAlert", 123456));
- expectIptablesCommands(expected);
+ expectIptablesRestoreCommands(expected);
}
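Review bot: Both tests exercise only the success path of the fake iptables-restore, so they cannot tell whether runIptablesAlertCmd propagates a failure; in the accompanying BandwidthController.cpp change that function discards the iptablesRestoreFunction result and always returns 0, and every `EXPECT_EQ(0, ...)` here passes regardless. If the fixture can make the fake restore return an error (its setup code is not in this hunk), add one case per function that does so and asserts `EXPECT_NE(0, runIptablesAlertCmd(IptOp::IptOpInsert, "MyWonderfulAlert", 123456));`, and likewise for runIptablesAlertFwdCmd. A case with a name containing whitespace or a newline would also pin down the intended behaviour now that the name is embedded in a restore script rather than passed as a single argv element.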