netd: BandwidthController: exclude loopback in all alert rules.
Have the alerts explicitly request "not loopback".
Change-Id: I7a569292e630c2b8ec76489643741f53ab85b84e
diff --git a/BandwidthController.cpp b/BandwidthController.cpp
index 233c104..ed32d3d 100644
--- a/BandwidthController.cpp
+++ b/BandwidthController.cpp
@@ -41,7 +41,7 @@
const int BandwidthController::MAX_CMD_ARGS = 32;
const char BandwidthController::IPTABLES_PATH[] = "/system/bin/iptables";
const char BandwidthController::IP6TABLES_PATH[] = "/system/bin/ip6tables";
-const char BandwidthController::ALERT_IPT_TEMPLATE[] = "%s %s -m quota2 ! --quota %lld --name %s";
+const char BandwidthController::ALERT_IPT_TEMPLATE[] = "%s %s %s -m quota2 ! --quota %lld --name %s";
const int BandwidthController::ALERT_RULE_POS_IN_COSTLY_CHAIN = 4;
bool BandwidthController::useLogwrapCall = false;
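Review bot: ALERT_IPT_TEMPLATE now takes five conversions whose order is known only to the call sites, and nothing next to the constant documents it. I would add a comment above it such as `// args: iface match ("! -i lo+"), op flag, chain, quota bytes, alert name`. Both asprintf calls in runIptablesAlertCmd (the later hunk) still pass alertName twice, so the sixth argument is silently ignored, and `bytes` is an int64_t consumed by `%lld`. Dropping the duplicate and passing `(long long)bytes` would make the calls match the template exactly.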
@@ -650,6 +650,7 @@
int BandwidthController::runIptablesAlertCmd(IptOp op, const char *alertName, int64_t bytes) {
int res = 0;
const char *opFlag;
+ const char *ifaceLimiting;
char *alertQuotaCmd;
switch (op) {
@@ -665,10 +666,14 @@
break;
}
- asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "INPUT", bytes, alertName, alertName);
+ ifaceLimiting = "! -i lo+";
+ asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, ifaceLimiting, opFlag, "INPUT",
+ bytes, alertName, alertName);
res |= runIpxtablesCmd(alertQuotaCmd, IptRejectNoAdd);
free(alertQuotaCmd);
- asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "OUTPUT", bytes, alertName, alertName);
+ ifaceLimiting = "! -o lo+";
+ asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, ifaceLimiting, opFlag, "OUTPUT",
+ bytes, alertName, alertName);
res |= runIpxtablesCmd(alertQuotaCmd, IptRejectNoAdd);
free(alertQuotaCmd);
return res;
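Review bot: Both asprintf calls ignore the return value, so on allocation failure alertQuotaCmd is passed to runIpxtablesCmd and free() with a value that not every libc guarantees; guard each call, e.g. `if (asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, ...) < 0) return -1;`. The `lo+` match is a prefix wildcard, so any interface whose name merely starts with "lo" is also exempted from the alert quota; if only the loopback device is meant, `! -i lo` / `! -o lo` is the tighter rule. alertName is formatted straight into the command string, and runIpxtablesCmd is not visible here, so it is worth confirming that callers restrict it to a safe character set before it reaches this function. The function's start and the switch body lie outside this hunk.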