Move runIptablesAlert{,Fwd}Cmd to iptables-restore.
This saves about 100ms on boot.
(cherry picked from commit 546fe48d36859e1ef2a0df2ffc1067dc2916ba44)
Bug: 37641280
Test: marlin builds and boots
Test: netd_{unit,integration}_test pass
Test: iptables rules look identical to other marlin running oc-release
Test: Enabling/disabling tethering adds/removes the forward rule
Change-Id: I8e15940565894d44a819b9cef25790d443b25df5
Merged-In: I56ce20a0efef8b1aba5f55bc823926447b21a614
diff --git a/server/BandwidthController.cpp b/server/BandwidthController.cpp
index 2a196f8..47fb823 100644
--- a/server/BandwidthController.cpp
+++ b/server/BandwidthController.cpp
@@ -57,7 +57,7 @@
#include "ResponseCode.h"
/* Alphabetical */
-#define ALERT_IPT_TEMPLATE "%s %s -m quota2 ! --quota %" PRId64" --name %s"
+#define ALERT_IPT_TEMPLATE "%s %s -m quota2 ! --quota %" PRId64" --name %s\n"
const char* BandwidthController::LOCAL_INPUT = "bw_INPUT";
const char* BandwidthController::LOCAL_FORWARD = "bw_FORWARD";
const char* BandwidthController::LOCAL_OUTPUT = "bw_OUTPUT";
@@ -68,6 +68,9 @@
auto BandwidthController::popenFunction = popen;
auto BandwidthController::iptablesRestoreFunction = execIptablesRestoreWithOutput;
+using android::base::StringAppendF;
+using android::base::StringPrintf;
+
namespace {
const char ALERT_GLOBAL_NAME[] = "globalAlert";
@@ -76,7 +79,7 @@
const int MAX_IFACENAME_LEN = 64;
const int MAX_IPT_OUTPUT_LINE_LEN = 256;
const std::string NEW_CHAIN_COMMAND = "-N ";
-const std::string GET_TETHER_STATS_COMMAND = android::base::StringPrintf(
+const std::string GET_TETHER_STATS_COMMAND = StringPrintf(
"*filter\n"
"-nvx -L %s\n"
"COMMIT\n", NatController::LOCAL_TETHER_COUNTERS_CHAIN);
@@ -146,7 +149,7 @@
const std::string COMMIT_AND_CLOSE = "COMMIT\n";
const std::string DATA_SAVER_ENABLE_COMMAND = "-R bw_data_saver 1";
-const std::string HAPPY_BOX_WHITELIST_COMMAND = android::base::StringPrintf(
+const std::string HAPPY_BOX_WHITELIST_COMMAND = StringPrintf(
"-I bw_happy_box -m owner --uid-owner %d-%d --jump RETURN", 0, MAX_SYSTEM_UID);
static const std::vector<std::string> IPT_FLUSH_COMMANDS = {
@@ -828,7 +831,7 @@
int BandwidthController::runIptablesAlertCmd(IptOp op, const char *alertName, int64_t bytes) {
int res = 0;
const char *opFlag;
- char *alertQuotaCmd;
+ std::string alertQuotaCmd = "*filter\n";
switch (op) {
case IptOpInsert:
@@ -840,21 +843,19 @@
break;
}
- asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_INPUT",
- bytes, alertName);
- res |= runIpxtablesCmd(alertQuotaCmd, IptJumpNoAdd);
- free(alertQuotaCmd);
- asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_OUTPUT",
- bytes, alertName);
- res |= runIpxtablesCmd(alertQuotaCmd, IptJumpNoAdd);
- free(alertQuotaCmd);
+ // TODO: consider using an alternate template for the delete that does not include the --quota
+ // value. This code works because the --quota value is ignored by deletes
+ StringAppendF(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_INPUT", bytes, alertName);
+ StringAppendF(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_OUTPUT", bytes, alertName);
+ StringAppendF(&alertQuotaCmd, "COMMIT\n");
+
+ iptablesRestoreFunction(V4V6, alertQuotaCmd, nullptr);
return res;
}
int BandwidthController::runIptablesAlertFwdCmd(IptOp op, const char *alertName, int64_t bytes) {
- int res = 0;
const char *opFlag;
- char *alertQuotaCmd;
+ std::string alertQuotaCmd = "*filter\n";
switch (op) {
case IptOpInsert:
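Review bot: The result of `iptablesRestoreFunction(V4V6, alertQuotaCmd, nullptr);` is discarded, and since nothing else touches `res` any more, runIptablesAlertCmd now returns 0 even when the restore fails, so a caller such as setGlobalAlert cannot tell that the quota rules were not installed (or not removed). The forward variant in the next hunk already does it right with `return iptablesRestoreFunction(V4V6, alertQuotaCmd, nullptr);` — use the same form here and drop the now-unused `int res = 0;` from the earlier hunk (runIptablesAlertCmd's signature and its `res` declaration are outside this hunk). Separately, because ALERT_IPT_TEMPLATE is now a line in a restore script, `alertName` and the quota are spliced into that script unquoted; this is only an issue if some caller can pass a name containing whitespace or a newline, which I cannot confirm from here, so a comment such as `// alertName must be a fixed, whitespace-free identifier: it is written verbatim into the restore script` above the StringAppendF calls would document the assumption.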
@@ -866,11 +867,10 @@
break;
}
- asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_FORWARD",
- bytes, alertName);
- res = runIpxtablesCmd(alertQuotaCmd, IptJumpNoAdd);
- free(alertQuotaCmd);
- return res;
+ StringAppendF(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_FORWARD", bytes, alertName);
+ StringAppendF(&alertQuotaCmd, "COMMIT\n");
+
+ return iptablesRestoreFunction(V4V6, alertQuotaCmd, nullptr);
}
int BandwidthController::setGlobalAlert(int64_t bytes) {
@@ -1284,9 +1284,9 @@
continue;
}
- clearCommands.push_back(android::base::StringPrintf(":%s -", chainName.c_str()));
+ clearCommands.push_back(StringPrintf(":%s -", chainName.c_str()));
if (doRemove) {
- clearCommands.push_back(android::base::StringPrintf("-X %s", chainName.c_str()));
+ clearCommands.push_back(StringPrintf("-X %s", chainName.c_str()));
}
}
diff --git a/server/BandwidthControllerTest.cpp b/server/BandwidthControllerTest.cpp
index 85c6b96..487b7d8 100644
--- a/server/BandwidthControllerTest.cpp
+++ b/server/BandwidthControllerTest.cpp
@@ -401,30 +401,38 @@
TEST_F(BandwidthControllerTest, IptablesAlertCmd) {
std::vector<std::string> expected = {
- "-I bw_INPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert",
- "-I bw_OUTPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert",
+ "*filter\n"
+ "-I bw_INPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+ "-I bw_OUTPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+ "COMMIT\n"
};
EXPECT_EQ(0, runIptablesAlertCmd(IptOp::IptOpInsert, "MyWonderfulAlert", 123456));
- expectIptablesCommands(expected);
+ expectIptablesRestoreCommands(expected);
expected = {
- "-D bw_INPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert",
- "-D bw_OUTPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert",
+ "*filter\n"
+ "-D bw_INPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+ "-D bw_OUTPUT -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+ "COMMIT\n"
};
EXPECT_EQ(0, runIptablesAlertCmd(IptOp::IptOpDelete, "MyWonderfulAlert", 123456));
- expectIptablesCommands(expected);
+ expectIptablesRestoreCommands(expected);
}
TEST_F(BandwidthControllerTest, IptablesAlertFwdCmd) {
std::vector<std::string> expected = {
- "-I bw_FORWARD -m quota2 ! --quota 123456 --name MyWonderfulAlert",
+ "*filter\n"
+ "-I bw_FORWARD -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+ "COMMIT\n"
};
EXPECT_EQ(0, runIptablesAlertFwdCmd(IptOp::IptOpInsert, "MyWonderfulAlert", 123456));
- expectIptablesCommands(expected);
+ expectIptablesRestoreCommands(expected);
expected = {
- "-D bw_FORWARD -m quota2 ! --quota 123456 --name MyWonderfulAlert",
+ "*filter\n"
+ "-D bw_FORWARD -m quota2 ! --quota 123456 --name MyWonderfulAlert\n"
+ "COMMIT\n"
};
EXPECT_EQ(0, runIptablesAlertFwdCmd(IptOp::IptOpDelete, "MyWonderfulAlert", 123456));
- expectIptablesCommands(expected);
+ expectIptablesRestoreCommands(expected);
}
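Review bot: Both tests assert only the success path (`EXPECT_EQ(0, ...)`) with the restore stubbed to succeed, so they cannot detect that runIptablesAlertCmd no longer propagates a failing iptablesRestoreFunction result while runIptablesAlertFwdCmd does. A short negative case per function — make the stubbed restore return non-zero and expect a non-zero return from the wrapper — would pin the intended contract and would have caught the regression; whether the fixture already offers a failure-injecting restore stub is not visible in this hunk.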