author | Lorenzo Colitti <lorenzo@google.com> | 2017-02-03 18:46:53 +0900 |
---|---|---|
committer | Lorenzo Colitti <lorenzo@google.com> | 2017-02-10 11:41:14 +0900 |
commit | 03b23fe8f8af40194572b3ce37f79bece35e092c (patch) | |
tree | 24f4c6cc047ee31e7d6731c63c6944df50302cd1 /server/FirewallController.cpp | |
parent | 4fcb4a0d90be5e00b16b558089bd69d3c414d382 (diff) | |
download | netd-03b23fe8f8af40194572b3ce37f79bece35e092c.tar.gz |
Speed up FirewallController startup.
FirewallController::createChain runs iptables commands to remove
the newly-created chain from fw_INPUT. This is not necessary,
because createChain is only called from setupIptablesHooks, which
is only called immediately after initIptablesRules, which clears
fw_INPUT. So there is nothing to delete.
Removing these unnecessary commands speeds up netd startup by
~150ms. Before:
02-03 18:51:40.075 492 492 I Netd : Setting up FirewallController hooks: 159.9ms
After:
02-03 18:45:22.005 489 489 I Netd : Setting up FirewallController hooks: 11.3ms
Bug: 34873832
Test: unit tests continue to pass
Change-Id: I651d96a71c98d6aba989927cd23036d5cc371dd7
Diffstat (limited to 'server/FirewallController.cpp')
-rw-r--r-- | server/FirewallController.cpp | 23 |
1 files changed, 7 insertions, 16 deletions
diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
index 826cf758..9cab90a8 100644
--- a/server/FirewallController.cpp
+++ b/server/FirewallController.cpp
@@ -63,16 +63,9 @@ FirewallController::FirewallController(void) {
 int FirewallController::setupIptablesHooks(void) {
 int res = 0;
- // child chains are created but not attached, they will be attached explicitly.
- FirewallType firewallType = getFirewallType(DOZABLE);
- res |= createChain(LOCAL_DOZABLE, LOCAL_INPUT, firewallType);
-
- firewallType = getFirewallType(STANDBY);
- res |= createChain(LOCAL_STANDBY, LOCAL_INPUT, firewallType);
-
- firewallType = getFirewallType(POWERSAVE);
- res |= createChain(LOCAL_POWERSAVE, LOCAL_INPUT, firewallType);
-
+ res |= createChain(LOCAL_DOZABLE, getFirewallType(DOZABLE));
+ res |= createChain(LOCAL_STANDBY, getFirewallType(STANDBY));
+ res |= createChain(LOCAL_POWERSAVE, getFirewallType(POWERSAVE));
 return res;
 }
@@ -288,11 +281,9 @@ int FirewallController::detachChain(const char* childChain, const char* parentCh
 return execIptables(V4V6, "-t", TABLE, "-D", parentChain, "-j", childChain, NULL);
 }
-int FirewallController::createChain(const char* childChain,
- const char* parentChain, FirewallType type) {
- execIptablesSilently(V4V6, "-t", TABLE, "-D", parentChain, "-j", childChain, NULL);
- std::vector<int32_t> uids;
- return replaceUidChain(childChain, type == WHITELIST, uids);
+int FirewallController::createChain(const char* chain, FirewallType type) {
+ static const std::vector<int32_t> NO_UIDS;
+ return replaceUidChain(chain, type == WHITELIST, NO_UIDS);
 }
 std::string FirewallController::makeUidRules(IptablesTarget target, const char *name,
@@ -333,7 +324,7 @@ std::string FirewallController::makeUidRules(IptablesTarget target, const char *
 StringAppendF(&commands, "-A %s -j DROP\n", name);
 }
- StringAppendF(&commands, "COMMIT\n\x04"); // EOT.
+ StringAppendF(&commands, "COMMIT\n");
 return commands;
 } |
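Review bot: The rewritten calls in setupIptablesHooks lose the only comment saying that the child chains are created without being attached, and with the parent-chain argument gone nothing at the call site tells a reader that the parent chain is left untouched here. I would keep a one-line comment above the three calls, for example `// Child chains are created here but not attached; they are attached explicitly later.` Note also that OR-ing the return codes into `res` only preserves whether some call failed, not which chain it was, so a log line per failing chain would help when diagnosing a firewall that came up incomplete.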
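Review bot: createChain now relies on a precondition that the code neither states nor checks: with the `-D parentChain -j childChain` call removed, the chain must not already be referenced from its parent when this runs. The commit message argues this holds because initIptablesRules clears fw_INPUT immediately beforehand, but that ordering lives outside this hunk, so a later caller or a reordered startup path would leave a stale jump in place without any error. A short comment on the function would make the contract explicit, for example `// Precondition: no parent chain jumps to |chain|; the caller must have flushed the parent first.`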
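Review bot: The dropped `\x04` in makeUidRules changes what the function hands to its consumer, yet the commit message only discusses createChain and does not mention the terminator. Whatever feeds this string to the restore process (presumably iptables-restore) must now either append its own end marker or not need one; that code is not on this page, since the diffstat is limited to this file, so it cannot be confirmed here. If the consumer still waited for the EOT byte, the COMMIT could go unacknowledged and the UID rules might not be applied, which matters for a firewall chain. I would mention the change in the commit message and replace the removed `// EOT.` remark with a comment such as `// No trailing EOT: the caller terminates the restore input.` once that is verified. makeUidRules starts outside the hunk.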