author | Lorenzo Colitti <lorenzo@google.com> | 2017-04-26 15:48:13 +0900 |
---|---|---|
committer | Lorenzo Colitti <lorenzo@google.com> | 2017-04-26 17:19:18 +0900 |
commit | 546fe48d36859e1ef2a0df2ffc1067dc2916ba44 (patch) | |
tree | 7b2d20259bd5385eb19217e06208ddd339a6baf1 | |
parent | 615df791ab6081921114369052ffcdba7b67eebe (diff) | |
download | netd-546fe48d36859e1ef2a0df2ffc1067dc2916ba44.tar.gz |
Move runIptablesAlert{,Fwd}Cmd to iptables-restore.
This saves about 100ms on boot.
Bug: 37641280
Test: marlin builds and boots
Test: netd_{unit,integration}_test pass
Test: iptables rules look identical to other marlin running oc-release
Test: Enabling/disabling tethering adds/removes the forward rule
Change-Id: I56ce20a0efef8b1aba5f55bc823926447b21a614
-rw-r--r-- | server/BandwidthController.cpp | 42 | ||||
-rw-r--r-- | server/BandwidthControllerTest.cpp | 28 |
2 files changed, 39 insertions, 31 deletions
diff --git a/server/BandwidthController.cpp b/server/BandwidthController.cpp
index 2a196f86..47fb8230 100644
--- a/server/BandwidthController.cpp
+++ b/server/BandwidthController.cpp
@@ -57,7 +57,7 @@
 #include "ResponseCode.h"
 /* Alphabetical */
-#define ALERT_IPT_TEMPLATE "%s %s -m quota2 ! --quota %" PRId64" --name %s"
+#define ALERT_IPT_TEMPLATE "%s %s -m quota2 ! --quota %" PRId64" --name %s\n"
 const char* BandwidthController::LOCAL_INPUT = "bw_INPUT";
 const char* BandwidthController::LOCAL_FORWARD = "bw_FORWARD";
 const char* BandwidthController::LOCAL_OUTPUT = "bw_OUTPUT";
@@ -68,6 +68,9 @@ auto BandwidthController::execFunction = android_fork_execvp;
 auto BandwidthController::popenFunction = popen;
 auto BandwidthController::iptablesRestoreFunction = execIptablesRestoreWithOutput;
+using android::base::StringAppendF;
+using android::base::StringPrintf;
+
 namespace {
 const char ALERT_GLOBAL_NAME[] = "globalAlert";
@@ -76,7 +79,7 @@ const int MAX_CMD_LEN = 1024;
 const int MAX_IFACENAME_LEN = 64;
 const int MAX_IPT_OUTPUT_LINE_LEN = 256;
 const std::string NEW_CHAIN_COMMAND = "-N ";
-const std::string GET_TETHER_STATS_COMMAND = android::base::StringPrintf(
+const std::string GET_TETHER_STATS_COMMAND = StringPrintf(
 "*filter\n"
 "-nvx -L %s\n"
 "COMMIT\n", NatController::LOCAL_TETHER_COUNTERS_CHAIN);
@@ -146,7 +149,7 @@ const std::string GET_TETHER_STATS_COMMAND = android::base::StringPrintf(
 const std::string COMMIT_AND_CLOSE = "COMMIT\n";
 const std::string DATA_SAVER_ENABLE_COMMAND = "-R bw_data_saver 1";
-const std::string HAPPY_BOX_WHITELIST_COMMAND = android::base::StringPrintf(
+const std::string HAPPY_BOX_WHITELIST_COMMAND = StringPrintf(
 "-I bw_happy_box -m owner --uid-owner %d-%d --jump RETURN", 0, MAX_SYSTEM_UID);
 static const std::vector<std::string> IPT_FLUSH_COMMANDS = {
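Review bot: ALERT_IPT_TEMPLATE now carries a trailing `\n` so that each expansion is one line of an iptables-restore batch, but nothing at the `#define` says so, and any other user of the macro that still hands the expansion to a single-command runner would now send a trailing newline. A one-line comment above the define would make the contract explicit: `// One newline-terminated iptables-restore rule line; callers wrap it in "*filter\n" ... "COMMIT\n".` Whether other users of the macro exist cannot be seen from this diff.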
@@ -828,7 +831,7 @@ int BandwidthController::updateQuota(const char *quotaName, int64_t bytes) {
 int BandwidthController::runIptablesAlertCmd(IptOp op, const char *alertName, int64_t bytes) {
 int res = 0;
 const char *opFlag;
- char *alertQuotaCmd;
+ std::string alertQuotaCmd = "*filter\n";
 switch (op) {
 case IptOpInsert:
@@ -840,21 +843,19 @@ int BandwidthController::runIptablesAlertCmd(IptOp op, const char *alertName, in
 break;
 }
- asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_INPUT",
- bytes, alertName);
- res |= runIpxtablesCmd(alertQuotaCmd, IptJumpNoAdd);
- free(alertQuotaCmd);
- asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_OUTPUT",
- bytes, alertName);
- res |= runIpxtablesCmd(alertQuotaCmd, IptJumpNoAdd);
- free(alertQuotaCmd);
+ // TODO: consider using an alternate template for the delete that does not include the --quota
+ // value. This code works because the --quota value is ignored by deletes
+ StringAppendF(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_INPUT", bytes, alertName);
+ StringAppendF(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_OUTPUT", bytes, alertName);
+ StringAppendF(&alertQuotaCmd, "COMMIT\n");
+
+ iptablesRestoreFunction(V4V6, alertQuotaCmd, nullptr);
 return res;
 }
 int BandwidthController::runIptablesAlertFwdCmd(IptOp op, const char *alertName, int64_t bytes) {
- int res = 0;
 const char *opFlag;
- char *alertQuotaCmd;
+ std::string alertQuotaCmd = "*filter\n";
 switch (op) {
 case IptOpInsert:
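Review bot: The result of `iptablesRestoreFunction(V4V6, alertQuotaCmd, nullptr);` in runIptablesAlertCmd is discarded, so `res` is always 0 and a failed restore of the bw_INPUT/bw_OUTPUT alert rules is reported to the caller as success. runIptablesAlertFwdCmd in the next hunk returns the call's result directly, and this function should do the same — `return iptablesRestoreFunction(V4V6, alertQuotaCmd, nullptr);` with the now-unused `int res = 0;` in the earlier hunk removed; the function's switch body lies between the two hunks. Because the return is fixed at 0, the `EXPECT_EQ(0, runIptablesAlertCmd(...))` checks in BandwidthControllerTest.cpp cannot detect a restore failure, so a case with a failing restore function would be worth adding. Note also that alertName is now formatted by `%s` into a newline-delimited iptables-restore batch rather than a single command string, so a name containing a newline would end the rule line and begin another in the same batch; if any caller passes a non-constant name (callers are outside this diff), it should be validated before reaching this function, and the same holds for the bw_FORWARD line in the next hunk.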
@@ -866,11 +867,10 @@ int BandwidthController::runIptablesAlertFwdCmd(IptOp op, const char *alertName,
 break;
 }
- asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_FORWARD",
- bytes, alertName);
- res = runIpxtablesCmd(alertQuotaCmd, IptJumpNoAdd);
- free(alertQuotaCmd);
- return res;
+ StringAppendF(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_FORWARD", bytes, alertName);
+ StringAppendF(&alertQuotaCmd, "COMMIT\n");
+
+ return iptablesRestoreFunction(V4V6, alertQuotaCmd, nullptr);
 }
 int BandwidthController::setGlobalAlert(int64_t bytes) {
@@ -1284,9 +1284,9 @@ void BandwidthController::parseAndFlushCostlyTables(const std::string& ruleList,
 continue;
 }
- clearCommands.push_back(android::base::StringPrintf(":%s -", chainName.c_str()));
+ clearCommands.push_back(StringPrintf(":%s -", chainName.c_str()));
 if (doRemove) {
- clearCommands.push_back(android::base::StringPrintf("-X %s", chainName.c_str()));
+ clearCommands.push_back(StringPrintf("-X %s", chainName.c_str()));
 }
 }
diff --git a/server/BandwidthControllerTest.cpp b/server/BandwidthControllerTest.cpp
index 85c6b969..487b7d8b 100644
--- a/server/BandwidthControllerTest.cpp
+++ b/server/BandwidthControllerTest.cpp
@@ -401,30 +401,38 @@ TEST_F(BandwidthControllerTest, TestSetInterfaceQuota) {
 TEST_F(BandwidthControllerTest, IptablesAlertCmd) {
 std::vector<std::string> expected = {
- "-I bw_INPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert",
- "-I bw_OUTPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert",
+ "*filter\n"
+ "-I bw_INPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+ "-I bw_OUTPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+ "COMMIT\n"
 };
 EXPECT_EQ(0, runIptablesAlertCmd(IptOp::IptOpInsert, "MyWonderfulAlert", 123456));
- expectIptablesCommands(expected);
+ expectIptablesRestoreCommands(expected);
 expected = {
- "-D bw_INPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert",
- "-D bw_OUTPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert",
+ "*filter\n"
+ "-D bw_INPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+ "-D bw_OUTPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+ "COMMIT\n"
 };
 EXPECT_EQ(0, runIptablesAlertCmd(IptOp::IptOpDelete, "MyWonderfulAlert", 123456));
- expectIptablesCommands(expected);
+ expectIptablesRestoreCommands(expected);
 }
 TEST_F(BandwidthControllerTest, IptablesAlertFwdCmd) {
 std::vector<std::string> expected = {
- "-I bw_FORWARD -m quota2 ! --quota 123456 --name MyWonderfulAlert",
+ "*filter\n"
+ "-I bw_FORWARD -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+ "COMMIT\n"
 };
 EXPECT_EQ(0, runIptablesAlertFwdCmd(IptOp::IptOpInsert, "MyWonderfulAlert", 123456));
- expectIptablesCommands(expected);
+ expectIptablesRestoreCommands(expected);
 expected = {
- "-D bw_FORWARD -m quota2 ! --quota 123456 --name MyWonderfulAlert",
+ "*filter\n"
+ "-D bw_FORWARD -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+ "COMMIT\n"
 };
 EXPECT_EQ(0, runIptablesAlertFwdCmd(IptOp::IptOpDelete, "MyWonderfulAlert", 123456));
- expectIptablesCommands(expected);
+ expectIptablesRestoreCommands(expected);
 } |