author | Felipe Leme <felipeal@google.com> | 2016-02-10 18:12:39 -0800 |
---|---|---|
committer | Felipe Leme <felipeal@google.com> | 2016-02-10 18:12:39 -0800 |
commit | 3f62434145c43e85436b86ed9b95a550bbdf486b (patch) | |
tree | 48a1b77e86c7ece06c1db78ba8e7b4afe78c0237 /server/FirewallController.cpp | |
parent | 33fe73272684d9be6c124d67662e04d16045f8ff (diff) | |
download | netd-3f62434145c43e85436b86ed9b95a550bbdf486b.tar.gz |
Created a firewall chain for power save mode.
When power-save mode was first implemented, there were no firewall rules
on netd, so the solution was to make all network interface metered and
re-use the bw_penalty_box chain.
This change removes that workaround by creating an explicit fw_powersave
chain, whose behavior is similar to fw_dozable (in fact, it reuses some
of its code); this change not only makes network restrictions in
power-save mode simpler, but it also allows optimizing how the restrict
network rules are changed.
BUG: 27127112
Change-Id: I52aee49d80386594e3a52fea9667d580d2d944a1
Diffstat (limited to 'server/FirewallController.cpp')
-rw-r--r-- | server/FirewallController.cpp | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
index cf5a7de2..1aa56b0c 100644
--- a/server/FirewallController.cpp
+++ b/server/FirewallController.cpp
@@ -36,6 +36,7 @@
 const char* FirewallController::LOCAL_FORWARD = "fw_FORWARD";
 const char* FirewallController::LOCAL_DOZABLE = "fw_dozable";
 const char* FirewallController::LOCAL_STANDBY = "fw_standby";
+const char* FirewallController::LOCAL_POWERSAVE = "fw_powersave";
 // ICMPv6 types that are required for any form of IPv6 connectivity to work. Note that because the
 // fw_dozable chain is called from both INPUT and OUTPUT, this includes both packets that we need
@@ -63,6 +64,9 @@ int FirewallController::setupIptablesHooks(void) {
     firewallType = getFirewallType(STANDBY);
     res |= createChain(LOCAL_STANDBY, LOCAL_INPUT, firewallType);
+    firewallType = getFirewallType(POWERSAVE);
+    res |= createChain(LOCAL_POWERSAVE, LOCAL_INPUT, firewallType);
+
     return res;
 }
@@ -108,6 +112,9 @@ int FirewallController::enableChildChains(ChildChain chain, bool enable) {
     case STANDBY:
         name = LOCAL_STANDBY;
         break;
+    case POWERSAVE:
+        name = LOCAL_POWERSAVE;
+        break;
     default:
         return res;
     }
@@ -214,6 +221,8 @@ FirewallType FirewallController::getFirewallType(ChildChain chain) {
         return WHITELIST;
     case STANDBY:
         return BLACKLIST;
+    case POWERSAVE:
+        return WHITELIST;
     case NONE:
         return mFirewallType;
     default:
@@ -246,6 +255,10 @@ int FirewallController::setUidRule(ChildChain chain, int uid, FirewallRule rule)
         res |= execIptables(V4V6, op, LOCAL_STANDBY, "-m", "owner", "--uid-owner",
                 uidStr, "-j", target, NULL);
         break;
+    case POWERSAVE:
+        res |= execIptables(V4V6, op, LOCAL_POWERSAVE, "-m", "owner", "--uid-owner",
+                uidStr, "-j", target, NULL);
+        break;
     case NONE:
         res |= execIptables(V4V6, op, LOCAL_INPUT, "-m", "owner", "--uid-owner",
                 uidStr, "-j", target, NULL);
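Review bot: The ICMPv6 comment kept as context in the first hunk still names only fw_dozable, although the new fw_powersave chain is given the same WHITELIST type in getFirewallType and is created through the same createChain(..., LOCAL_INPUT, firewallType) call in setupIptablesHooks, so a reader of the constants block will not learn that the ICMPv6 allowance is meant to cover it as well. Suggest widening the context line to `// fw_dozable and fw_powersave chains are called from both INPUT and OUTPUT, this includes both packets that we need`. Whether createChain installs the ICMPv6 rules for every WHITELIST child chain is not visible in this diff, so confirm that before stating it as fact in the comment.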
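Review bot: The POWERSAVE case added to setUidRule in the last hunk is a verbatim copy of the STANDBY case with only the chain constant changed, and the NONE case below it repeats the same execIptables argument list again; with a fourth chain the switch is now the only place the chain-to-name mapping differs between cases, so a lookup of the chain name (the same mapping enableChildChains already builds into `name` in the third hunk) followed by a single execIptables call would keep the two switches from drifting apart when the next chain is added. Extracting that mapping into a small private helper returning the `const char*` chain name, used by both enableChildChains and setUidRule, would also mean the BLACKLIST/WHITELIST decision in getFirewallType and the name selection cannot disagree on which chains exist. setUidRule and enableChildChains both begin and end outside their hunks, so the DOZABLE cases presumably above them are not visible here.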