Move runIptablesAlert{,Fwd}Cmd to iptables-restore.

This saves about 100ms on boot.

(cherry picked from commit 546fe48d36859e1ef2a0df2ffc1067dc2916ba44)

Bug: 37641280
Test: marlin builds and boots
Test: netd_{unit,integration}_test pass
Test: iptables rules look identical to other marlin running oc-release
Test: Enabling/disabling tethering adds/removes the forward rule
Change-Id: I8e15940565894d44a819b9cef25790d443b25df5
Merged-In: I56ce20a0efef8b1aba5f55bc823926447b21a614
diff --git a/server/BandwidthController.cpp b/server/BandwidthController.cpp
index 2a196f8..47fb823 100644
--- a/server/BandwidthController.cpp
+++ b/server/BandwidthController.cpp
@@ -57,7 +57,7 @@
 #include "ResponseCode.h"
 
 /* Alphabetical */
-#define ALERT_IPT_TEMPLATE "%s %s -m quota2 ! --quota %" PRId64" --name %s"
+#define ALERT_IPT_TEMPLATE "%s %s -m quota2 ! --quota %" PRId64" --name %s\n"
 const char* BandwidthController::LOCAL_INPUT = "bw_INPUT";
 const char* BandwidthController::LOCAL_FORWARD = "bw_FORWARD";
 const char* BandwidthController::LOCAL_OUTPUT = "bw_OUTPUT";
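Review bot: ALERT_IPT_TEMPLATE now ends in `\n`, which makes it an iptables-restore rule line rather than a single-command argument string, but nothing at the definition says so. A one-line comment would document this, for example `/* One iptables-restore rule line: op flag, chain, quota bytes, alert name. */`. Any use of the macro outside this diff that still feeds runIpxtablesCmd would now carry a trailing newline and should be checked.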
@@ -68,6 +68,9 @@
 auto BandwidthController::popenFunction = popen;
 auto BandwidthController::iptablesRestoreFunction = execIptablesRestoreWithOutput;
 
+using android::base::StringAppendF;
+using android::base::StringPrintf;
+
 namespace {
 
 const char ALERT_GLOBAL_NAME[] = "globalAlert";
@@ -76,7 +79,7 @@
 const int  MAX_IFACENAME_LEN = 64;
 const int  MAX_IPT_OUTPUT_LINE_LEN = 256;
 const std::string NEW_CHAIN_COMMAND = "-N ";
-const std::string GET_TETHER_STATS_COMMAND = android::base::StringPrintf(
+const std::string GET_TETHER_STATS_COMMAND = StringPrintf(
     "*filter\n"
     "-nvx -L %s\n"
     "COMMIT\n", NatController::LOCAL_TETHER_COUNTERS_CHAIN);
@@ -146,7 +149,7 @@
 
 const std::string COMMIT_AND_CLOSE = "COMMIT\n";
 const std::string DATA_SAVER_ENABLE_COMMAND = "-R bw_data_saver 1";
-const std::string HAPPY_BOX_WHITELIST_COMMAND = android::base::StringPrintf(
+const std::string HAPPY_BOX_WHITELIST_COMMAND = StringPrintf(
     "-I bw_happy_box -m owner --uid-owner %d-%d --jump RETURN", 0, MAX_SYSTEM_UID);
 
 static const std::vector<std::string> IPT_FLUSH_COMMANDS = {
@@ -828,7 +831,7 @@
 int BandwidthController::runIptablesAlertCmd(IptOp op, const char *alertName, int64_t bytes) {
     int res = 0;
     const char *opFlag;
-    char *alertQuotaCmd;
+    std::string alertQuotaCmd = "*filter\n";
 
     switch (op) {
     case IptOpInsert:
@@ -840,21 +843,19 @@
         break;
     }
 
-    asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_INPUT",
-        bytes, alertName);
-    res |= runIpxtablesCmd(alertQuotaCmd, IptJumpNoAdd);
-    free(alertQuotaCmd);
-    asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_OUTPUT",
-        bytes, alertName);
-    res |= runIpxtablesCmd(alertQuotaCmd, IptJumpNoAdd);
-    free(alertQuotaCmd);
+    // TODO: consider using an alternate template for the delete that does not include the --quota
+    // value. This code works because the --quota value is ignored by deletes
+    StringAppendF(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_INPUT", bytes, alertName);
+    StringAppendF(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_OUTPUT", bytes, alertName);
+    StringAppendF(&alertQuotaCmd, "COMMIT\n");
+
+    iptablesRestoreFunction(V4V6, alertQuotaCmd, nullptr);
     return res;
 }
 
 int BandwidthController::runIptablesAlertFwdCmd(IptOp op, const char *alertName, int64_t bytes) {
-    int res = 0;
     const char *opFlag;
-    char *alertQuotaCmd;
+    std::string alertQuotaCmd = "*filter\n";
 
     switch (op) {
     case IptOpInsert:
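Review bot: In runIptablesAlertCmd the result of `iptablesRestoreFunction(V4V6, alertQuotaCmd, nullptr);` is discarded, so `res` is still 0 at `return res;` and a failed restore is reported as success. The removed code OR-ed each runIpxtablesCmd result into `res`, and runIptablesAlertFwdCmd in the next hunk does return the restore result, so the two functions now disagree. Suggest `return iptablesRestoreFunction(V4V6, alertQuotaCmd, nullptr);` and dropping the `res` local. As written, a caller cannot tell that the quota2 alert rules on bw_INPUT and bw_OUTPUT were never installed. The switch that sets opFlag begins in the previous hunk and is only partly visible.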
@@ -866,11 +867,10 @@
         break;
     }
 
-    asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_FORWARD",
-        bytes, alertName);
-    res = runIpxtablesCmd(alertQuotaCmd, IptJumpNoAdd);
-    free(alertQuotaCmd);
-    return res;
+    StringAppendF(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_FORWARD", bytes, alertName);
+    StringAppendF(&alertQuotaCmd, "COMMIT\n");
+
+    return iptablesRestoreFunction(V4V6, alertQuotaCmd, nullptr);
 }
 
 int BandwidthController::setGlobalAlert(int64_t bytes) {
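Review bot: alertName is formatted with `%s` directly into a multi-line iptables-restore buffer here and in runIptablesAlertCmd in the previous hunk, and nothing visible rejects whitespace or a newline in it. In restore input every newline ends a rule line, so the name has to be a single token for the batch to contain only the intended rules. If any caller derives alertName from an interface name or another external string (not visible in this diff), validate it before formatting. Otherwise state the invariant at the top of both functions, e.g. `// alertName must not contain whitespace or '\n'; it is written verbatim into iptables-restore input`. The switch on op is partly outside the hunk.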
@@ -1284,9 +1284,9 @@
             continue;
         }
 
-        clearCommands.push_back(android::base::StringPrintf(":%s -", chainName.c_str()));
+        clearCommands.push_back(StringPrintf(":%s -", chainName.c_str()));
         if (doRemove) {
-            clearCommands.push_back(android::base::StringPrintf("-X %s", chainName.c_str()));
+            clearCommands.push_back(StringPrintf("-X %s", chainName.c_str()));
         }
     }
 
diff --git a/server/BandwidthControllerTest.cpp b/server/BandwidthControllerTest.cpp
index 85c6b96..487b7d8 100644
--- a/server/BandwidthControllerTest.cpp
+++ b/server/BandwidthControllerTest.cpp
@@ -401,30 +401,38 @@
 
 TEST_F(BandwidthControllerTest, IptablesAlertCmd) {
     std::vector<std::string> expected = {
-        "-I bw_INPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert",
-        "-I bw_OUTPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert",
+        "*filter\n"
+        "-I bw_INPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+        "-I bw_OUTPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+        "COMMIT\n"
     };
     EXPECT_EQ(0, runIptablesAlertCmd(IptOp::IptOpInsert, "MyWonderfulAlert", 123456));
-    expectIptablesCommands(expected);
+    expectIptablesRestoreCommands(expected);
 
     expected = {
-        "-D bw_INPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert",
-        "-D bw_OUTPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert",
+        "*filter\n"
+        "-D bw_INPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+        "-D bw_OUTPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+        "COMMIT\n"
     };
     EXPECT_EQ(0, runIptablesAlertCmd(IptOp::IptOpDelete, "MyWonderfulAlert", 123456));
-    expectIptablesCommands(expected);
+    expectIptablesRestoreCommands(expected);
 }
 
 TEST_F(BandwidthControllerTest, IptablesAlertFwdCmd) {
     std::vector<std::string> expected = {
-        "-I bw_FORWARD -m quota2 ! --quota 123456 --name MyWonderfulAlert",
+        "*filter\n"
+        "-I bw_FORWARD -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+        "COMMIT\n"
     };
     EXPECT_EQ(0, runIptablesAlertFwdCmd(IptOp::IptOpInsert, "MyWonderfulAlert", 123456));
-    expectIptablesCommands(expected);
+    expectIptablesRestoreCommands(expected);
 
     expected = {
-        "-D bw_FORWARD -m quota2 ! --quota 123456 --name MyWonderfulAlert",
+        "*filter\n"
+        "-D bw_FORWARD -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+        "COMMIT\n"
     };
     EXPECT_EQ(0, runIptablesAlertFwdCmd(IptOp::IptOpDelete, "MyWonderfulAlert", 123456));
-    expectIptablesCommands(expected);
+    expectIptablesRestoreCommands(expected);
 }
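Review bot: Both tests assert only the success path (`EXPECT_EQ(0, ...)`), so they cannot show whether runIptablesAlertCmd and runIptablesAlertFwdCmd propagate a failing restore. If the fixture's fake restore function can be made to return non-zero (not visible here), add a case that expects a non-zero return from each function. That case would pin the error-reporting contract that the old `res |= runIpxtablesCmd(...)` code provided.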