JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2011 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 17 | // #define LOG_NDEBUG 0 |
| 18 | |
| 19 | /* |
| 20 | * The CommandListener, FrameworkListener don't allow for |
| 21 | * multiple calls in parallel to reach the BandwidthController. |
| 22 | * If they ever were to allow it, then netd/ would need some tweaking. |
| 23 | */ |
| 24 | |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 25 | #include <errno.h> |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 26 | #include <fcntl.h> |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 27 | #include <stdio.h> |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 28 | #include <stdlib.h> |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 29 | #include <string.h> |
| 30 | |
| 31 | #include <sys/socket.h> |
| 32 | #include <sys/stat.h> |
| 33 | #include <sys/types.h> |
| 34 | #include <sys/wait.h> |
| 35 | |
| 36 | #include <linux/netlink.h> |
| 37 | #include <linux/rtnetlink.h> |
| 38 | #include <linux/pkt_sched.h> |
| 39 | |
| 40 | #define LOG_TAG "BandwidthController" |
| 41 | #include <cutils/log.h> |
| 42 | #include <cutils/properties.h> |
| 43 | |
Glenn Kasten | c4bbfa2 | 2012-03-05 15:13:58 -0800 | [diff] [blame] | 44 | extern "C" int logwrap(int argc, const char **argv); |
JP Abgrall | 9e5e0ce | 2011-12-14 15:20:59 -0800 | [diff] [blame] | 45 | extern "C" int system_nosh(const char *command); |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 46 | |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 47 | #include "NetdConstants.h" |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 48 | #include "BandwidthController.h" |
| 49 | |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 50 | /* Alphabetical */ |
Nick Kralevich | c2b26cb | 2012-02-23 13:04:26 -0800 | [diff] [blame] | 51 | #define ALERT_IPT_TEMPLATE "%s %s %s -m quota2 ! --quota %lld --name %s" |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 52 | const int BandwidthController::ALERT_RULE_POS_IN_COSTLY_CHAIN = 4; |
JP Abgrall | c6c6734 | 2011-10-07 16:28:54 -0700 | [diff] [blame] | 53 | const char BandwidthController::ALERT_GLOBAL_NAME[] = "globalAlert"; |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 54 | const int BandwidthController::MAX_CMD_ARGS = 32; |
| 55 | const int BandwidthController::MAX_CMD_LEN = 1024; |
| 56 | const int BandwidthController::MAX_IFACENAME_LEN = 64; |
| 57 | const int BandwidthController::MAX_IPT_OUTPUT_LINE_LEN = 256; |
| 58 | |
JP Abgrall | 11b4e9b | 2011-08-11 15:34:49 -0700 | [diff] [blame] | 59 | bool BandwidthController::useLogwrapCall = false; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 60 | |
| 61 | /** |
| 62 | * Some comments about the rules: |
| 63 | * * Ordering |
| 64 | * - when an interface is marked as costly it should be INSERTED into the INPUT/OUTPUT chains. |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 65 | * E.g. "-I INPUT -i rmnet0 --jump costly" |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 66 | * - quota'd rules in the costly chain should be before penalty_box lookups. |
| 67 | * |
| 68 | * * global quota vs per interface quota |
| 69 | * - global quota for all costly interfaces uses a single costly chain: |
| 70 | * . initial rules |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame] | 71 | * iptables -N costly_shared |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 72 | * iptables -I INPUT -i iface0 --jump costly_shared |
| 73 | * iptables -I OUTPUT -o iface0 --jump costly_shared |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame] | 74 | * iptables -I costly_shared -m quota \! --quota 500000 \ |
| 75 | * --jump REJECT --reject-with icmp-net-prohibited |
| 76 | * iptables -A costly_shared --jump penalty_box |
| 77 | * iptables -A costly_shared -m owner --socket-exists |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 78 | * |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 79 | * . adding a new iface to this, E.g.: |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 80 | * iptables -I INPUT -i iface1 --jump costly_shared |
| 81 | * iptables -I OUTPUT -o iface1 --jump costly_shared |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 82 | * |
| 83 | * - quota per interface. This is achieve by having "costly" chains per quota. |
| 84 | * E.g. adding a new costly interface iface0 with its own quota: |
| 85 | * iptables -N costly_iface0 |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 86 | * iptables -I INPUT -i iface0 --jump costly_iface0 |
| 87 | * iptables -I OUTPUT -o iface0 --jump costly_iface0 |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame] | 88 | * iptables -A costly_iface0 -m quota \! --quota 500000 \ |
| 89 | * --jump REJECT --reject-with icmp-net-prohibited |
| 90 | * iptables -A costly_iface0 --jump penalty_box |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 91 | * iptables -A costly_iface0 -m owner --socket-exists |
| 92 | * |
| 93 | * * penalty_box handling: |
| 94 | * - only one penalty_box for all interfaces |
| 95 | * E.g Adding an app: |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame] | 96 | * iptables -A penalty_box -m owner --uid-owner app_3 \ |
| 97 | * --jump REJECT --reject-with icmp-net-prohibited |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 98 | */ |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 99 | const char *BandwidthController::IPT_FLUSH_COMMANDS[] = { |
| 100 | /* |
| 101 | * Cleanup rules. |
| 102 | * Should normally include costly_<iface>, but we rely on the way they are setup |
| 103 | * to allow coexistance. |
JP Abgrall | 39f8f24 | 2011-06-29 19:21:58 -0700 | [diff] [blame] | 104 | */ |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 105 | "-F bw_INPUT", |
| 106 | "-F bw_OUTPUT", |
| 107 | "-F bw_FORWARD", |
| 108 | "-F penalty_box", |
| 109 | "-F costly_shared", |
| 110 | }; |
| 111 | |
| 112 | /* The cleanup commands assume flushing has been done. */ |
| 113 | const char *BandwidthController::IPT_CLEANUP_COMMANDS[] = { |
| 114 | /* Delete hooks to custom chains. */ |
| 115 | "-D INPUT -j bw_INPUT", |
| 116 | "-D OUTPUT -j bw_OUTPUT", |
| 117 | "-D FORWARD -j bw_FORWARD", |
| 118 | "-X bw_INPUT", |
| 119 | "-X bw_OUTPUT", |
| 120 | "-X bw_FORWARD", |
| 121 | "-X penalty_box", |
| 122 | "-X costly_shared", |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 123 | }; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 124 | |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 125 | const char *BandwidthController::IPT_SETUP_COMMANDS[] = { |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 126 | /* Created needed chains. */ |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 127 | "-N bw_INPUT", |
| 128 | "-A INPUT -j bw_INPUT", |
| 129 | |
| 130 | "-N bw_OUTPUT", |
| 131 | "-A OUTPUT -j bw_OUTPUT", |
| 132 | |
| 133 | "-N bw_FORWARD", |
| 134 | "-I FORWARD -j bw_FORWARD", |
| 135 | |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame] | 136 | "-N costly_shared", |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 137 | "-N penalty_box", |
| 138 | }; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 139 | |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 140 | const char *BandwidthController::IPT_BASIC_ACCOUNTING_COMMANDS[] = { |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 141 | "-A bw_INPUT -i lo --jump RETURN", |
| 142 | "-A bw_INPUT -m owner --socket-exists", /* This is a tracking rule. */ |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 143 | |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 144 | "-A bw_OUTPUT -o lo --jump RETURN", |
| 145 | "-A bw_OUTPUT -m owner --socket-exists", /* This is a tracking rule. */ |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 146 | |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame] | 147 | "-A costly_shared --jump penalty_box", |
| 148 | "-A costly_shared -m owner --socket-exists", /* This is a tracking rule. */ |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 149 | }; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 150 | |
| 151 | BandwidthController::BandwidthController(void) { |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 152 | char value[PROPERTY_VALUE_MAX]; |
| 153 | |
JP Abgrall | 11b4e9b | 2011-08-11 15:34:49 -0700 | [diff] [blame] | 154 | property_get("persist.bandwidth.uselogwrap", value, "0"); |
| 155 | useLogwrapCall = !strcmp(value, "1"); |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 156 | } |
| 157 | |
JP Abgrall | ad729ac | 2012-04-24 23:27:44 -0700 | [diff] [blame^] | 158 | int BandwidthController::runIpxtablesCmd(const char *cmd, IptRejectOp rejectHandling, |
| 159 | IptFailureLog failureHandling) { |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 160 | int res = 0; |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 161 | |
Steve Block | 3fb42e0 | 2011-10-20 11:55:56 +0100 | [diff] [blame] | 162 | ALOGV("runIpxtablesCmd(cmd=%s)", cmd); |
JP Abgrall | ad729ac | 2012-04-24 23:27:44 -0700 | [diff] [blame^] | 163 | res |= runIptablesCmd(cmd, rejectHandling, IptIpV4, failureHandling); |
| 164 | res |= runIptablesCmd(cmd, rejectHandling, IptIpV6, failureHandling); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 165 | return res; |
| 166 | } |
| 167 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 168 | int BandwidthController::StrncpyAndCheck(char *buffer, const char *src, size_t buffSize) { |
| 169 | |
| 170 | memset(buffer, '\0', buffSize); // strncpy() is not filling leftover with '\0' |
| 171 | strncpy(buffer, src, buffSize); |
| 172 | return buffer[buffSize - 1]; |
| 173 | } |
| 174 | |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 175 | int BandwidthController::runIptablesCmd(const char *cmd, IptRejectOp rejectHandling, |
JP Abgrall | ad729ac | 2012-04-24 23:27:44 -0700 | [diff] [blame^] | 176 | IptIpVer iptVer, IptFailureLog failureHandling) { |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 177 | char buffer[MAX_CMD_LEN]; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 178 | const char *argv[MAX_CMD_ARGS]; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 179 | int argc = 0; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 180 | char *next = buffer; |
| 181 | char *tmp; |
JP Abgrall | 11b4e9b | 2011-08-11 15:34:49 -0700 | [diff] [blame] | 182 | int res; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 183 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 184 | std::string fullCmd = cmd; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 185 | |
| 186 | if (rejectHandling == IptRejectAdd) { |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 187 | fullCmd += " --jump REJECT --reject-with"; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 188 | switch (iptVer) { |
| 189 | case IptIpV4: |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 190 | fullCmd += " icmp-net-prohibited"; |
| 191 | break; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 192 | case IptIpV6: |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 193 | fullCmd += " icmp6-adm-prohibited"; |
| 194 | break; |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 195 | } |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 196 | } |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 197 | |
JP Abgrall | 11b4e9b | 2011-08-11 15:34:49 -0700 | [diff] [blame] | 198 | fullCmd.insert(0, " "); |
| 199 | fullCmd.insert(0, iptVer == IptIpV4 ? IPTABLES_PATH : IP6TABLES_PATH); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 200 | |
JP Abgrall | 11b4e9b | 2011-08-11 15:34:49 -0700 | [diff] [blame] | 201 | if (!useLogwrapCall) { |
JP Abgrall | 9e5e0ce | 2011-12-14 15:20:59 -0800 | [diff] [blame] | 202 | res = system_nosh(fullCmd.c_str()); |
JP Abgrall | 11b4e9b | 2011-08-11 15:34:49 -0700 | [diff] [blame] | 203 | } else { |
| 204 | if (StrncpyAndCheck(buffer, fullCmd.c_str(), sizeof(buffer))) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 205 | ALOGE("iptables command too long"); |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 206 | return -1; |
| 207 | } |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 208 | |
JP Abgrall | 11b4e9b | 2011-08-11 15:34:49 -0700 | [diff] [blame] | 209 | argc = 0; |
| 210 | while ((tmp = strsep(&next, " "))) { |
| 211 | argv[argc++] = tmp; |
| 212 | if (argc >= MAX_CMD_ARGS) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 213 | ALOGE("iptables argument overflow"); |
JP Abgrall | 11b4e9b | 2011-08-11 15:34:49 -0700 | [diff] [blame] | 214 | return -1; |
| 215 | } |
| 216 | } |
| 217 | |
| 218 | argv[argc] = NULL; |
Glenn Kasten | c4bbfa2 | 2012-03-05 15:13:58 -0800 | [diff] [blame] | 219 | res = logwrap(argc, argv); |
JP Abgrall | 11b4e9b | 2011-08-11 15:34:49 -0700 | [diff] [blame] | 220 | } |
JP Abgrall | ad729ac | 2012-04-24 23:27:44 -0700 | [diff] [blame^] | 221 | if (res && failureHandling == IptFailShow) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 222 | ALOGE("runIptablesCmd(): failed %s res=%d", fullCmd.c_str(), res); |
JP Abgrall | 11b4e9b | 2011-08-11 15:34:49 -0700 | [diff] [blame] | 223 | } |
| 224 | return res; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 225 | } |
| 226 | |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 227 | int BandwidthController::setupIptablesHooks(void) { |
| 228 | |
| 229 | /* Some of the initialCommands are allowed to fail */ |
| 230 | runCommands(sizeof(IPT_FLUSH_COMMANDS) / sizeof(char*), |
| 231 | IPT_FLUSH_COMMANDS, RunCmdFailureOk); |
| 232 | |
| 233 | runCommands(sizeof(IPT_CLEANUP_COMMANDS) / sizeof(char*), |
| 234 | IPT_CLEANUP_COMMANDS, RunCmdFailureOk); |
| 235 | |
| 236 | runCommands(sizeof(IPT_SETUP_COMMANDS) / sizeof(char*), |
| 237 | IPT_SETUP_COMMANDS, RunCmdFailureBad); |
| 238 | |
| 239 | return 0; |
| 240 | |
| 241 | } |
| 242 | |
| 243 | int BandwidthController::enableBandwidthControl(bool force) { |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 244 | int res; |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 245 | char value[PROPERTY_VALUE_MAX]; |
| 246 | |
| 247 | if (!force) { |
| 248 | property_get("persist.bandwidth.enable", value, "1"); |
| 249 | if (!strcmp(value, "0")) |
| 250 | return 0; |
| 251 | } |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 252 | |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 253 | /* Let's pretend we started from scratch ... */ |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 254 | sharedQuotaIfaces.clear(); |
| 255 | quotaIfaces.clear(); |
| 256 | naughtyAppUids.clear(); |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 257 | globalAlertBytes = 0; |
JP Abgrall | c6c6734 | 2011-10-07 16:28:54 -0700 | [diff] [blame] | 258 | globalAlertTetherCount = 0; |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 259 | sharedQuotaBytes = sharedAlertBytes = 0; |
| 260 | |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 261 | res = runCommands(sizeof(IPT_FLUSH_COMMANDS) / sizeof(char*), |
| 262 | IPT_FLUSH_COMMANDS, RunCmdFailureOk); |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 263 | |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 264 | res |= runCommands(sizeof(IPT_BASIC_ACCOUNTING_COMMANDS) / sizeof(char*), |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 265 | IPT_BASIC_ACCOUNTING_COMMANDS, RunCmdFailureBad); |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 266 | |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 267 | return res; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 268 | |
| 269 | } |
| 270 | |
| 271 | int BandwidthController::disableBandwidthControl(void) { |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 272 | runCommands(sizeof(IPT_FLUSH_COMMANDS) / sizeof(char*), |
| 273 | IPT_FLUSH_COMMANDS, RunCmdFailureOk); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 274 | return 0; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 275 | } |
| 276 | |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 277 | int BandwidthController::runCommands(int numCommands, const char *commands[], |
| 278 | RunCmdErrHandling cmdErrHandling) { |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 279 | int res = 0; |
JP Abgrall | ad729ac | 2012-04-24 23:27:44 -0700 | [diff] [blame^] | 280 | IptFailureLog failureLogging = IptFailShow; |
| 281 | if (cmdErrHandling == RunCmdFailureOk) { |
| 282 | failureLogging = IptFailHide; |
| 283 | } |
Steve Block | 3fb42e0 | 2011-10-20 11:55:56 +0100 | [diff] [blame] | 284 | ALOGV("runCommands(): %d commands", numCommands); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 285 | for (int cmdNum = 0; cmdNum < numCommands; cmdNum++) { |
JP Abgrall | ad729ac | 2012-04-24 23:27:44 -0700 | [diff] [blame^] | 286 | res = runIpxtablesCmd(commands[cmdNum], IptRejectNoAdd, failureLogging); |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 287 | if (res && cmdErrHandling != RunCmdFailureOk) |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 288 | return res; |
| 289 | } |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 290 | return 0; |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 291 | } |
| 292 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 293 | std::string BandwidthController::makeIptablesNaughtyCmd(IptOp op, int uid) { |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 294 | std::string res; |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 295 | char *buff; |
| 296 | const char *opFlag; |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 297 | |
| 298 | switch (op) { |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 299 | case IptOpInsert: |
| 300 | opFlag = "-I"; |
| 301 | break; |
| 302 | case IptOpReplace: |
| 303 | opFlag = "-R"; |
| 304 | break; |
| 305 | default: |
| 306 | case IptOpDelete: |
| 307 | opFlag = "-D"; |
| 308 | break; |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 309 | } |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 310 | asprintf(&buff, "%s penalty_box -m owner --uid-owner %d", opFlag, uid); |
| 311 | res = buff; |
| 312 | free(buff); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 313 | return res; |
| 314 | } |
| 315 | |
| 316 | int BandwidthController::addNaughtyApps(int numUids, char *appUids[]) { |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 317 | return maninpulateNaughtyApps(numUids, appUids, NaughtyAppOpAdd); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 318 | } |
| 319 | |
| 320 | int BandwidthController::removeNaughtyApps(int numUids, char *appUids[]) { |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 321 | return maninpulateNaughtyApps(numUids, appUids, NaughtyAppOpRemove); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 322 | } |
| 323 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 324 | int BandwidthController::maninpulateNaughtyApps(int numUids, char *appStrUids[], NaughtyAppOp appOp) { |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 325 | char cmd[MAX_CMD_LEN]; |
| 326 | int uidNum; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 327 | const char *failLogTemplate; |
| 328 | IptOp op; |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 329 | int appUids[numUids]; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 330 | std::string naughtyCmd; |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 331 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 332 | switch (appOp) { |
| 333 | case NaughtyAppOpAdd: |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 334 | op = IptOpInsert; |
| 335 | failLogTemplate = "Failed to add app uid %d to penalty box."; |
| 336 | break; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 337 | case NaughtyAppOpRemove: |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 338 | op = IptOpDelete; |
| 339 | failLogTemplate = "Failed to delete app uid %d from penalty box."; |
| 340 | break; |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 341 | default: |
| 342 | ALOGE("Unexpected app Op %d", appOp); |
| 343 | return -1; |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 344 | } |
| 345 | |
| 346 | for (uidNum = 0; uidNum < numUids; uidNum++) { |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 347 | appUids[uidNum] = atol(appStrUids[uidNum]); |
| 348 | if (appUids[uidNum] == 0) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 349 | ALOGE(failLogTemplate, appUids[uidNum]); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 350 | goto fail_parse; |
| 351 | } |
| 352 | } |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 353 | |
| 354 | for (uidNum = 0; uidNum < numUids; uidNum++) { |
| 355 | naughtyCmd = makeIptablesNaughtyCmd(op, appUids[uidNum]); |
| 356 | if (runIpxtablesCmd(naughtyCmd.c_str(), IptRejectAdd)) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 357 | ALOGE(failLogTemplate, appUids[uidNum]); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 358 | goto fail_with_uidNum; |
| 359 | } |
| 360 | } |
| 361 | return 0; |
| 362 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 363 | fail_with_uidNum: |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 364 | /* Try to remove the uid that failed in any case*/ |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 365 | naughtyCmd = makeIptablesNaughtyCmd(IptOpDelete, appUids[uidNum]); |
| 366 | runIpxtablesCmd(naughtyCmd.c_str(), IptRejectAdd); |
| 367 | fail_parse: |
| 368 | return -1; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 369 | } |
| 370 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 371 | std::string BandwidthController::makeIptablesQuotaCmd(IptOp op, const char *costName, int64_t quota) { |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 372 | std::string res; |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 373 | char *buff; |
| 374 | const char *opFlag; |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 375 | |
Steve Block | 3fb42e0 | 2011-10-20 11:55:56 +0100 | [diff] [blame] | 376 | ALOGV("makeIptablesQuotaCmd(%d, %lld)", op, quota); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 377 | |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 378 | switch (op) { |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 379 | case IptOpInsert: |
| 380 | opFlag = "-I"; |
| 381 | break; |
| 382 | case IptOpReplace: |
| 383 | opFlag = "-R"; |
| 384 | break; |
| 385 | default: |
| 386 | case IptOpDelete: |
| 387 | opFlag = "-D"; |
| 388 | break; |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 389 | } |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 390 | |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame] | 391 | // The requried IP version specific --jump REJECT ... will be added later. |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 392 | asprintf(&buff, "%s costly_%s -m quota2 ! --quota %lld --name %s", opFlag, costName, quota, |
| 393 | costName); |
| 394 | res = buff; |
| 395 | free(buff); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 396 | return res; |
| 397 | } |
| 398 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 399 | int BandwidthController::prepCostlyIface(const char *ifn, QuotaType quotaType) { |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 400 | char cmd[MAX_CMD_LEN]; |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 401 | int res = 0, res1, res2; |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 402 | int ruleInsertPos = 1; |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 403 | std::string costString; |
| 404 | const char *costCString; |
| 405 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 406 | /* The "-N costly" is created upfront, no need to handle it here. */ |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 407 | switch (quotaType) { |
| 408 | case QuotaUnique: |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame] | 409 | costString = "costly_"; |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 410 | costString += ifn; |
| 411 | costCString = costString.c_str(); |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 412 | /* |
| 413 | * Flush the costly_<iface> is allowed to fail in case it didn't exist. |
| 414 | * Creating a new one is allowed to fail in case it existed. |
| 415 | * This helps with netd restarts. |
| 416 | */ |
| 417 | snprintf(cmd, sizeof(cmd), "-F %s", costCString); |
JP Abgrall | ad729ac | 2012-04-24 23:27:44 -0700 | [diff] [blame^] | 418 | res1 = runIpxtablesCmd(cmd, IptRejectNoAdd, IptFailHide); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 419 | snprintf(cmd, sizeof(cmd), "-N %s", costCString); |
JP Abgrall | ad729ac | 2012-04-24 23:27:44 -0700 | [diff] [blame^] | 420 | res2 = runIpxtablesCmd(cmd, IptRejectNoAdd, IptFailHide); |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 421 | res = (res1 && res2) || (!res1 && !res2); |
| 422 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 423 | snprintf(cmd, sizeof(cmd), "-A %s -j penalty_box", costCString); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 424 | res |= runIpxtablesCmd(cmd, IptRejectNoAdd); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 425 | snprintf(cmd, sizeof(cmd), "-A %s -m owner --socket-exists", costCString); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 426 | res |= runIpxtablesCmd(cmd, IptRejectNoAdd); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 427 | break; |
| 428 | case QuotaShared: |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame] | 429 | costCString = "costly_shared"; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 430 | break; |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 431 | default: |
| 432 | ALOGE("Unexpected quotatype %d", quotaType); |
| 433 | return -1; |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 434 | } |
| 435 | |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 436 | if (globalAlertBytes) { |
| 437 | /* The alert rule comes 1st */ |
| 438 | ruleInsertPos = 2; |
| 439 | } |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 440 | |
| 441 | snprintf(cmd, sizeof(cmd), "-D bw_INPUT -i %s --jump %s", ifn, costCString); |
JP Abgrall | ad729ac | 2012-04-24 23:27:44 -0700 | [diff] [blame^] | 442 | runIpxtablesCmd(cmd, IptRejectNoAdd, IptFailHide); |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 443 | |
| 444 | snprintf(cmd, sizeof(cmd), "-I bw_INPUT %d -i %s --jump %s", ruleInsertPos, ifn, costCString); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 445 | res |= runIpxtablesCmd(cmd, IptRejectNoAdd); |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 446 | |
| 447 | snprintf(cmd, sizeof(cmd), "-D bw_OUTPUT -o %s --jump %s", ifn, costCString); |
JP Abgrall | ad729ac | 2012-04-24 23:27:44 -0700 | [diff] [blame^] | 448 | runIpxtablesCmd(cmd, IptRejectNoAdd, IptFailHide); |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 449 | |
| 450 | snprintf(cmd, sizeof(cmd), "-I bw_OUTPUT %d -o %s --jump %s", ruleInsertPos, ifn, costCString); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 451 | res |= runIpxtablesCmd(cmd, IptRejectNoAdd); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 452 | return res; |
| 453 | } |
| 454 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 455 | int BandwidthController::cleanupCostlyIface(const char *ifn, QuotaType quotaType) { |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 456 | char cmd[MAX_CMD_LEN]; |
| 457 | int res = 0; |
| 458 | std::string costString; |
| 459 | const char *costCString; |
| 460 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 461 | switch (quotaType) { |
| 462 | case QuotaUnique: |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame] | 463 | costString = "costly_"; |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 464 | costString += ifn; |
| 465 | costCString = costString.c_str(); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 466 | break; |
| 467 | case QuotaShared: |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame] | 468 | costCString = "costly_shared"; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 469 | break; |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 470 | default: |
| 471 | ALOGE("Unexpected quotatype %d", quotaType); |
| 472 | return -1; |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 473 | } |
| 474 | |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 475 | snprintf(cmd, sizeof(cmd), "-D bw_INPUT -i %s --jump %s", ifn, costCString); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 476 | res |= runIpxtablesCmd(cmd, IptRejectNoAdd); |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 477 | snprintf(cmd, sizeof(cmd), "-D bw_OUTPUT -o %s --jump %s", ifn, costCString); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 478 | res |= runIpxtablesCmd(cmd, IptRejectNoAdd); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 479 | |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame] | 480 | /* The "-N costly_shared" is created upfront, no need to handle it here. */ |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 481 | if (quotaType == QuotaUnique) { |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 482 | snprintf(cmd, sizeof(cmd), "-F %s", costCString); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 483 | res |= runIpxtablesCmd(cmd, IptRejectNoAdd); |
JP Abgrall | a9f802c | 2011-06-29 15:46:45 -0700 | [diff] [blame] | 484 | snprintf(cmd, sizeof(cmd), "-X %s", costCString); |
| 485 | res |= runIpxtablesCmd(cmd, IptRejectNoAdd); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 486 | } |
| 487 | return res; |
| 488 | } |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 489 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 490 | int BandwidthController::setInterfaceSharedQuota(const char *iface, int64_t maxBytes) { |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 491 | char cmd[MAX_CMD_LEN]; |
| 492 | char ifn[MAX_IFACENAME_LEN]; |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 493 | int res = 0; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 494 | std::string quotaCmd; |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 495 | std::string ifaceName; |
| 496 | ; |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame] | 497 | const char *costName = "shared"; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 498 | std::list<std::string>::iterator it; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 499 | |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 500 | if (!maxBytes) { |
| 501 | /* Don't talk about -1, deprecate it. */ |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 502 | ALOGE("Invalid bytes value. 1..max_int64."); |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 503 | return -1; |
| 504 | } |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 505 | if (StrncpyAndCheck(ifn, iface, sizeof(ifn))) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 506 | ALOGE("Interface name longer than %d", MAX_IFACENAME_LEN); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 507 | return -1; |
| 508 | } |
| 509 | ifaceName = ifn; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 510 | |
| 511 | if (maxBytes == -1) { |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 512 | return removeInterfaceSharedQuota(ifn); |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 513 | } |
| 514 | |
| 515 | /* Insert ingress quota. */ |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 516 | for (it = sharedQuotaIfaces.begin(); it != sharedQuotaIfaces.end(); it++) { |
| 517 | if (*it == ifaceName) |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 518 | break; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 519 | } |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 520 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 521 | if (it == sharedQuotaIfaces.end()) { |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 522 | res |= prepCostlyIface(ifn, QuotaShared); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 523 | if (sharedQuotaIfaces.empty()) { |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 524 | quotaCmd = makeIptablesQuotaCmd(IptOpInsert, costName, maxBytes); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 525 | res |= runIpxtablesCmd(quotaCmd.c_str(), IptRejectAdd); |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 526 | if (res) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 527 | ALOGE("Failed set quota rule"); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 528 | goto fail; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 529 | } |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 530 | sharedQuotaBytes = maxBytes; |
| 531 | } |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 532 | sharedQuotaIfaces.push_front(ifaceName); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 533 | |
| 534 | } |
| 535 | |
| 536 | if (maxBytes != sharedQuotaBytes) { |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 537 | res |= updateQuota(costName, maxBytes); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 538 | if (res) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 539 | ALOGE("Failed update quota for %s", costName); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 540 | goto fail; |
| 541 | } |
| 542 | sharedQuotaBytes = maxBytes; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 543 | } |
| 544 | return 0; |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 545 | |
| 546 | fail: |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 547 | /* |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 548 | * TODO(jpa): once we get rid of iptables in favor of rtnetlink, reparse |
| 549 | * rules in the kernel to see which ones need cleaning up. |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 550 | * For now callers needs to choose if they want to "ndc bandwidth enable" |
| 551 | * which resets everything. |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 552 | */ |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 553 | removeInterfaceSharedQuota(ifn); |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 554 | return -1; |
| 555 | } |
| 556 | |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 557 | /* It will also cleanup any shared alerts */ |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 558 | int BandwidthController::removeInterfaceSharedQuota(const char *iface) { |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 559 | char ifn[MAX_IFACENAME_LEN]; |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 560 | int res = 0; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 561 | std::string ifaceName; |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 562 | std::list<std::string>::iterator it; |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame] | 563 | const char *costName = "shared"; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 564 | |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 565 | if (StrncpyAndCheck(ifn, iface, sizeof(ifn))) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 566 | ALOGE("Interface name longer than %d", MAX_IFACENAME_LEN); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 567 | return -1; |
| 568 | } |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 569 | ifaceName = ifn; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 570 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 571 | for (it = sharedQuotaIfaces.begin(); it != sharedQuotaIfaces.end(); it++) { |
| 572 | if (*it == ifaceName) |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 573 | break; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 574 | } |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 575 | if (it == sharedQuotaIfaces.end()) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 576 | ALOGE("No such iface %s to delete", ifn); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 577 | return -1; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 578 | } |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 579 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 580 | res |= cleanupCostlyIface(ifn, QuotaShared); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 581 | sharedQuotaIfaces.erase(it); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 582 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 583 | if (sharedQuotaIfaces.empty()) { |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 584 | std::string quotaCmd; |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame] | 585 | quotaCmd = makeIptablesQuotaCmd(IptOpDelete, costName, sharedQuotaBytes); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 586 | res |= runIpxtablesCmd(quotaCmd.c_str(), IptRejectAdd); |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 587 | sharedQuotaBytes = 0; |
| 588 | if (sharedAlertBytes) { |
| 589 | removeSharedAlert(); |
| 590 | sharedAlertBytes = 0; |
| 591 | } |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 592 | } |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 593 | return res; |
| 594 | } |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 595 | |
| 596 | int BandwidthController::setInterfaceQuota(const char *iface, int64_t maxBytes) { |
| 597 | char ifn[MAX_IFACENAME_LEN]; |
| 598 | int res = 0; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 599 | std::string ifaceName; |
| 600 | const char *costName; |
| 601 | std::list<QuotaInfo>::iterator it; |
| 602 | std::string quotaCmd; |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 603 | |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 604 | if (!maxBytes) { |
| 605 | /* Don't talk about -1, deprecate it. */ |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 606 | ALOGE("Invalid bytes value. 1..max_int64."); |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 607 | return -1; |
| 608 | } |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 609 | if (maxBytes == -1) { |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 610 | return removeInterfaceQuota(iface); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 611 | } |
| 612 | |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 613 | if (StrncpyAndCheck(ifn, iface, sizeof(ifn))) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 614 | ALOGE("Interface name longer than %d", MAX_IFACENAME_LEN); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 615 | return -1; |
| 616 | } |
| 617 | ifaceName = ifn; |
| 618 | costName = iface; |
| 619 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 620 | /* Insert ingress quota. */ |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 621 | for (it = quotaIfaces.begin(); it != quotaIfaces.end(); it++) { |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 622 | if (it->ifaceName == ifaceName) |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 623 | break; |
| 624 | } |
| 625 | |
| 626 | if (it == quotaIfaces.end()) { |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 627 | res |= prepCostlyIface(ifn, QuotaUnique); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 628 | quotaCmd = makeIptablesQuotaCmd(IptOpInsert, costName, maxBytes); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 629 | res |= runIpxtablesCmd(quotaCmd.c_str(), IptRejectAdd); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 630 | if (res) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 631 | ALOGE("Failed set quota rule"); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 632 | goto fail; |
| 633 | } |
| 634 | |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 635 | quotaIfaces.push_front(QuotaInfo(ifaceName, maxBytes, 0)); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 636 | |
| 637 | } else { |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 638 | res |= updateQuota(costName, maxBytes); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 639 | if (res) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 640 | ALOGE("Failed update quota for %s", iface); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 641 | goto fail; |
| 642 | } |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 643 | it->quota = maxBytes; |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 644 | } |
| 645 | return 0; |
| 646 | |
| 647 | fail: |
| 648 | /* |
| 649 | * TODO(jpa): once we get rid of iptables in favor of rtnetlink, reparse |
| 650 | * rules in the kernel to see which ones need cleaning up. |
| 651 | * For now callers needs to choose if they want to "ndc bandwidth enable" |
| 652 | * which resets everything. |
| 653 | */ |
| 654 | removeInterfaceSharedQuota(ifn); |
| 655 | return -1; |
| 656 | } |
| 657 | |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 658 | int BandwidthController::getInterfaceSharedQuota(int64_t *bytes) { |
| 659 | return getInterfaceQuota("shared", bytes); |
| 660 | } |
| 661 | |
| 662 | int BandwidthController::getInterfaceQuota(const char *costName, int64_t *bytes) { |
| 663 | FILE *fp; |
| 664 | char *fname; |
| 665 | int scanRes; |
| 666 | |
| 667 | asprintf(&fname, "/proc/net/xt_quota/%s", costName); |
| 668 | fp = fopen(fname, "r"); |
| 669 | free(fname); |
| 670 | if (!fp) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 671 | ALOGE("Reading quota %s failed (%s)", costName, strerror(errno)); |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 672 | return -1; |
| 673 | } |
| 674 | scanRes = fscanf(fp, "%lld", bytes); |
Steve Block | 3fb42e0 | 2011-10-20 11:55:56 +0100 | [diff] [blame] | 675 | ALOGV("Read quota res=%d bytes=%lld", scanRes, *bytes); |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 676 | fclose(fp); |
| 677 | return scanRes == 1 ? 0 : -1; |
| 678 | } |
| 679 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 680 | int BandwidthController::removeInterfaceQuota(const char *iface) { |
| 681 | |
| 682 | char ifn[MAX_IFACENAME_LEN]; |
| 683 | int res = 0; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 684 | std::string ifaceName; |
| 685 | const char *costName; |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 686 | std::list<QuotaInfo>::iterator it; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 687 | |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 688 | if (StrncpyAndCheck(ifn, iface, sizeof(ifn))) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 689 | ALOGE("Interface name longer than %d", MAX_IFACENAME_LEN); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 690 | return -1; |
| 691 | } |
| 692 | ifaceName = ifn; |
| 693 | costName = iface; |
| 694 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 695 | for (it = quotaIfaces.begin(); it != quotaIfaces.end(); it++) { |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 696 | if (it->ifaceName == ifaceName) |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 697 | break; |
| 698 | } |
| 699 | |
| 700 | if (it == quotaIfaces.end()) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 701 | ALOGE("No such iface %s to delete", ifn); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 702 | return -1; |
| 703 | } |
| 704 | |
| 705 | /* This also removes the quota command of CostlyIface chain. */ |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 706 | res |= cleanupCostlyIface(ifn, QuotaUnique); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 707 | |
| 708 | quotaIfaces.erase(it); |
| 709 | |
| 710 | return res; |
| 711 | } |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 712 | |
| 713 | int BandwidthController::updateQuota(const char *quotaName, int64_t bytes) { |
| 714 | FILE *fp; |
| 715 | char *fname; |
| 716 | |
| 717 | asprintf(&fname, "/proc/net/xt_quota/%s", quotaName); |
| 718 | fp = fopen(fname, "w"); |
| 719 | free(fname); |
| 720 | if (!fp) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 721 | ALOGE("Updating quota %s failed (%s)", quotaName, strerror(errno)); |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 722 | return -1; |
| 723 | } |
| 724 | fprintf(fp, "%lld\n", bytes); |
| 725 | fclose(fp); |
| 726 | return 0; |
| 727 | } |
| 728 | |
| 729 | int BandwidthController::runIptablesAlertCmd(IptOp op, const char *alertName, int64_t bytes) { |
| 730 | int res = 0; |
| 731 | const char *opFlag; |
JP Abgrall | 8766669 | 2011-09-08 13:44:10 -0700 | [diff] [blame] | 732 | const char *ifaceLimiting; |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 733 | char *alertQuotaCmd; |
| 734 | |
| 735 | switch (op) { |
| 736 | case IptOpInsert: |
| 737 | opFlag = "-I"; |
| 738 | break; |
| 739 | case IptOpReplace: |
| 740 | opFlag = "-R"; |
| 741 | break; |
| 742 | default: |
| 743 | case IptOpDelete: |
| 744 | opFlag = "-D"; |
| 745 | break; |
| 746 | } |
| 747 | |
JP Abgrall | 8766669 | 2011-09-08 13:44:10 -0700 | [diff] [blame] | 748 | ifaceLimiting = "! -i lo+"; |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 749 | asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, ifaceLimiting, opFlag, "bw_INPUT", |
Nick Kralevich | c2b26cb | 2012-02-23 13:04:26 -0800 | [diff] [blame] | 750 | bytes, alertName); |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 751 | res |= runIpxtablesCmd(alertQuotaCmd, IptRejectNoAdd); |
| 752 | free(alertQuotaCmd); |
JP Abgrall | 8766669 | 2011-09-08 13:44:10 -0700 | [diff] [blame] | 753 | ifaceLimiting = "! -o lo+"; |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 754 | asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, ifaceLimiting, opFlag, "bw_OUTPUT", |
Nick Kralevich | c2b26cb | 2012-02-23 13:04:26 -0800 | [diff] [blame] | 755 | bytes, alertName); |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 756 | res |= runIpxtablesCmd(alertQuotaCmd, IptRejectNoAdd); |
| 757 | free(alertQuotaCmd); |
| 758 | return res; |
| 759 | } |
| 760 | |
JP Abgrall | c6c6734 | 2011-10-07 16:28:54 -0700 | [diff] [blame] | 761 | int BandwidthController::runIptablesAlertFwdCmd(IptOp op, const char *alertName, int64_t bytes) { |
| 762 | int res = 0; |
| 763 | const char *opFlag; |
| 764 | const char *ifaceLimiting; |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 765 | char *alertQuotaCmd; |
JP Abgrall | c6c6734 | 2011-10-07 16:28:54 -0700 | [diff] [blame] | 766 | |
| 767 | switch (op) { |
| 768 | case IptOpInsert: |
| 769 | opFlag = "-I"; |
| 770 | break; |
| 771 | case IptOpReplace: |
| 772 | opFlag = "-R"; |
| 773 | break; |
| 774 | default: |
| 775 | case IptOpDelete: |
| 776 | opFlag = "-D"; |
| 777 | break; |
| 778 | } |
| 779 | |
| 780 | ifaceLimiting = "! -i lo+"; |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 781 | asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, ifaceLimiting, opFlag, "bw_FORWARD", |
Nick Kralevich | c2b26cb | 2012-02-23 13:04:26 -0800 | [diff] [blame] | 782 | bytes, alertName); |
JP Abgrall | c6c6734 | 2011-10-07 16:28:54 -0700 | [diff] [blame] | 783 | res = runIpxtablesCmd(alertQuotaCmd, IptRejectNoAdd); |
| 784 | free(alertQuotaCmd); |
| 785 | return res; |
| 786 | } |
| 787 | |
| 788 | int BandwidthController::setGlobalAlert(int64_t bytes) { |
| 789 | const char *alertName = ALERT_GLOBAL_NAME; |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 790 | int res = 0; |
| 791 | |
| 792 | if (!bytes) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 793 | ALOGE("Invalid bytes value. 1..max_int64."); |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 794 | return -1; |
| 795 | } |
| 796 | if (globalAlertBytes) { |
| 797 | res = updateQuota(alertName, bytes); |
| 798 | } else { |
| 799 | res = runIptablesAlertCmd(IptOpInsert, alertName, bytes); |
JP Abgrall | c6c6734 | 2011-10-07 16:28:54 -0700 | [diff] [blame] | 800 | if (globalAlertTetherCount) { |
Steve Block | 3fb42e0 | 2011-10-20 11:55:56 +0100 | [diff] [blame] | 801 | ALOGV("setGlobalAlert for %d tether", globalAlertTetherCount); |
JP Abgrall | c6c6734 | 2011-10-07 16:28:54 -0700 | [diff] [blame] | 802 | res |= runIptablesAlertFwdCmd(IptOpInsert, alertName, bytes); |
| 803 | } |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 804 | } |
| 805 | globalAlertBytes = bytes; |
| 806 | return res; |
| 807 | } |
| 808 | |
JP Abgrall | c6c6734 | 2011-10-07 16:28:54 -0700 | [diff] [blame] | 809 | int BandwidthController::setGlobalAlertInForwardChain(void) { |
| 810 | const char *alertName = ALERT_GLOBAL_NAME; |
| 811 | int res = 0; |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 812 | |
JP Abgrall | c6c6734 | 2011-10-07 16:28:54 -0700 | [diff] [blame] | 813 | globalAlertTetherCount++; |
Steve Block | 3fb42e0 | 2011-10-20 11:55:56 +0100 | [diff] [blame] | 814 | ALOGV("setGlobalAlertInForwardChain(): %d tether", globalAlertTetherCount); |
JP Abgrall | c6c6734 | 2011-10-07 16:28:54 -0700 | [diff] [blame] | 815 | |
| 816 | /* |
| 817 | * If there is no globalAlert active we are done. |
| 818 | * If there is an active globalAlert but this is not the 1st |
| 819 | * tether, we are also done. |
| 820 | */ |
| 821 | if (!globalAlertBytes || globalAlertTetherCount != 1) { |
| 822 | return 0; |
| 823 | } |
| 824 | |
| 825 | /* We only add the rule if this was the 1st tether added. */ |
| 826 | res = runIptablesAlertFwdCmd(IptOpInsert, alertName, globalAlertBytes); |
| 827 | return res; |
| 828 | } |
| 829 | |
| 830 | int BandwidthController::removeGlobalAlert(void) { |
| 831 | |
| 832 | const char *alertName = ALERT_GLOBAL_NAME; |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 833 | int res = 0; |
| 834 | |
| 835 | if (!globalAlertBytes) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 836 | ALOGE("No prior alert set"); |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 837 | return -1; |
| 838 | } |
| 839 | res = runIptablesAlertCmd(IptOpDelete, alertName, globalAlertBytes); |
JP Abgrall | c6c6734 | 2011-10-07 16:28:54 -0700 | [diff] [blame] | 840 | if (globalAlertTetherCount) { |
| 841 | res |= runIptablesAlertFwdCmd(IptOpDelete, alertName, globalAlertBytes); |
| 842 | } |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 843 | globalAlertBytes = 0; |
| 844 | return res; |
| 845 | } |
| 846 | |
JP Abgrall | c6c6734 | 2011-10-07 16:28:54 -0700 | [diff] [blame] | 847 | int BandwidthController::removeGlobalAlertInForwardChain(void) { |
| 848 | int res = 0; |
| 849 | const char *alertName = ALERT_GLOBAL_NAME; |
| 850 | |
| 851 | if (!globalAlertTetherCount) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 852 | ALOGE("No prior alert set"); |
JP Abgrall | c6c6734 | 2011-10-07 16:28:54 -0700 | [diff] [blame] | 853 | return -1; |
| 854 | } |
| 855 | |
| 856 | globalAlertTetherCount--; |
| 857 | /* |
| 858 | * If there is no globalAlert active we are done. |
| 859 | * If there is an active globalAlert but there are more |
| 860 | * tethers, we are also done. |
| 861 | */ |
| 862 | if (!globalAlertBytes || globalAlertTetherCount >= 1) { |
| 863 | return 0; |
| 864 | } |
| 865 | |
| 866 | /* We only detete the rule if this was the last tether removed. */ |
| 867 | res = runIptablesAlertFwdCmd(IptOpDelete, alertName, globalAlertBytes); |
| 868 | return res; |
| 869 | } |
| 870 | |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 871 | int BandwidthController::setSharedAlert(int64_t bytes) { |
| 872 | if (!sharedQuotaBytes) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 873 | ALOGE("Need to have a prior shared quota set to set an alert"); |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 874 | return -1; |
| 875 | } |
| 876 | if (!bytes) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 877 | ALOGE("Invalid bytes value. 1..max_int64."); |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 878 | return -1; |
| 879 | } |
| 880 | return setCostlyAlert("shared", bytes, &sharedAlertBytes); |
| 881 | } |
| 882 | |
| 883 | int BandwidthController::removeSharedAlert(void) { |
| 884 | return removeCostlyAlert("shared", &sharedAlertBytes); |
| 885 | } |
| 886 | |
| 887 | int BandwidthController::setInterfaceAlert(const char *iface, int64_t bytes) { |
| 888 | std::list<QuotaInfo>::iterator it; |
| 889 | |
| 890 | if (!bytes) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 891 | ALOGE("Invalid bytes value. 1..max_int64."); |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 892 | return -1; |
| 893 | } |
| 894 | for (it = quotaIfaces.begin(); it != quotaIfaces.end(); it++) { |
| 895 | if (it->ifaceName == iface) |
| 896 | break; |
| 897 | } |
| 898 | |
| 899 | if (it == quotaIfaces.end()) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 900 | ALOGE("Need to have a prior interface quota set to set an alert"); |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 901 | return -1; |
| 902 | } |
| 903 | |
| 904 | return setCostlyAlert(iface, bytes, &it->alert); |
| 905 | } |
| 906 | |
| 907 | int BandwidthController::removeInterfaceAlert(const char *iface) { |
| 908 | std::list<QuotaInfo>::iterator it; |
| 909 | |
| 910 | for (it = quotaIfaces.begin(); it != quotaIfaces.end(); it++) { |
| 911 | if (it->ifaceName == iface) |
| 912 | break; |
| 913 | } |
| 914 | |
| 915 | if (it == quotaIfaces.end()) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 916 | ALOGE("No prior alert set for interface %s", iface); |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 917 | return -1; |
| 918 | } |
| 919 | |
| 920 | return removeCostlyAlert(iface, &it->alert); |
| 921 | } |
| 922 | |
| 923 | int BandwidthController::setCostlyAlert(const char *costName, int64_t bytes, int64_t *alertBytes) { |
| 924 | char *alertQuotaCmd; |
| 925 | char *chainNameAndPos; |
| 926 | int res = 0; |
| 927 | char *alertName; |
| 928 | |
| 929 | if (!bytes) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 930 | ALOGE("Invalid bytes value. 1..max_int64."); |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 931 | return -1; |
| 932 | } |
| 933 | asprintf(&alertName, "%sAlert", costName); |
| 934 | if (*alertBytes) { |
| 935 | res = updateQuota(alertName, *alertBytes); |
| 936 | } else { |
| 937 | asprintf(&chainNameAndPos, "costly_%s %d", costName, ALERT_RULE_POS_IN_COSTLY_CHAIN); |
Nick Kralevich | c2b26cb | 2012-02-23 13:04:26 -0800 | [diff] [blame] | 938 | asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, "", "-I", chainNameAndPos, bytes, alertName); |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 939 | res |= runIpxtablesCmd(alertQuotaCmd, IptRejectNoAdd); |
| 940 | free(alertQuotaCmd); |
| 941 | free(chainNameAndPos); |
| 942 | } |
| 943 | *alertBytes = bytes; |
| 944 | free(alertName); |
| 945 | return res; |
| 946 | } |
| 947 | |
| 948 | int BandwidthController::removeCostlyAlert(const char *costName, int64_t *alertBytes) { |
| 949 | char *alertQuotaCmd; |
| 950 | char *chainName; |
| 951 | char *alertName; |
| 952 | int res = 0; |
| 953 | |
| 954 | asprintf(&alertName, "%sAlert", costName); |
| 955 | if (!*alertBytes) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 956 | ALOGE("No prior alert set for %s alert", costName); |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 957 | return -1; |
| 958 | } |
| 959 | |
| 960 | asprintf(&chainName, "costly_%s", costName); |
Nick Kralevich | c2b26cb | 2012-02-23 13:04:26 -0800 | [diff] [blame] | 961 | asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, "", "-D", chainName, *alertBytes, alertName); |
JP Abgrall | 8a93272 | 2011-07-13 19:17:35 -0700 | [diff] [blame] | 962 | res |= runIpxtablesCmd(alertQuotaCmd, IptRejectNoAdd); |
| 963 | free(alertQuotaCmd); |
| 964 | free(chainName); |
| 965 | |
| 966 | *alertBytes = 0; |
| 967 | free(alertName); |
| 968 | return res; |
| 969 | } |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 970 | |
| 971 | /* |
| 972 | * Parse the ptks and bytes out of: |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 973 | * Chain FORWARD (policy RETURN 0 packets, 0 bytes) |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 974 | * pkts bytes target prot opt in out source destination |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 975 | * 0 0 RETURN all -- rmnet0 wlan0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 976 | * 0 0 DROP all -- wlan0 rmnet0 0.0.0.0/0 0.0.0.0/0 state INVALID |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 977 | * 0 0 RETURN all -- wlan0 rmnet0 0.0.0.0/0 0.0.0.0/0 |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 978 | * |
| 979 | */ |
JP Abgrall | a2a64f0 | 2011-11-11 20:36:16 -0800 | [diff] [blame] | 980 | int BandwidthController::parseForwardChainStats(TetherStats &stats, FILE *fp, |
| 981 | std::string &extraProcessingInfo) { |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 982 | int res; |
| 983 | char lineBuffer[MAX_IPT_OUTPUT_LINE_LEN]; |
| 984 | char iface0[MAX_IPT_OUTPUT_LINE_LEN]; |
| 985 | char iface1[MAX_IPT_OUTPUT_LINE_LEN]; |
| 986 | char rest[MAX_IPT_OUTPUT_LINE_LEN]; |
| 987 | |
| 988 | char *buffPtr; |
| 989 | int64_t packets, bytes; |
| 990 | |
| 991 | while (NULL != (buffPtr = fgets(lineBuffer, MAX_IPT_OUTPUT_LINE_LEN, fp))) { |
| 992 | /* Clean up, so a failed parse can still print info */ |
| 993 | iface0[0] = iface1[0] = rest[0] = packets = bytes = 0; |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 994 | res = sscanf(buffPtr, "%lld %lld RETURN all -- %s %s 0.%s", |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 995 | &packets, &bytes, iface0, iface1, rest); |
Steve Block | 3fb42e0 | 2011-10-20 11:55:56 +0100 | [diff] [blame] | 996 | ALOGV("parse res=%d iface0=<%s> iface1=<%s> pkts=%lld bytes=%lld rest=<%s> orig line=<%s>", res, |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 997 | iface0, iface1, packets, bytes, rest, buffPtr); |
JP Abgrall | a2a64f0 | 2011-11-11 20:36:16 -0800 | [diff] [blame] | 998 | extraProcessingInfo += buffPtr; |
| 999 | |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 1000 | if (res != 5) { |
| 1001 | continue; |
| 1002 | } |
| 1003 | if ((stats.ifaceIn == iface0) && (stats.ifaceOut == iface1)) { |
Steve Block | 3fb42e0 | 2011-10-20 11:55:56 +0100 | [diff] [blame] | 1004 | ALOGV("iface_in=%s iface_out=%s rx_bytes=%lld rx_packets=%lld ", iface0, iface1, bytes, packets); |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 1005 | stats.rxPackets = packets; |
| 1006 | stats.rxBytes = bytes; |
| 1007 | } else if ((stats.ifaceOut == iface0) && (stats.ifaceIn == iface1)) { |
Steve Block | 3fb42e0 | 2011-10-20 11:55:56 +0100 | [diff] [blame] | 1008 | ALOGV("iface_in=%s iface_out=%s tx_bytes=%lld tx_packets=%lld ", iface1, iface0, bytes, packets); |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 1009 | stats.txPackets = packets; |
| 1010 | stats.txBytes = bytes; |
| 1011 | } |
| 1012 | } |
| 1013 | /* Failure if rx or tx was not found */ |
| 1014 | return (stats.rxBytes == -1 || stats.txBytes == -1) ? -1 : 0; |
| 1015 | } |
| 1016 | |
| 1017 | |
| 1018 | char *BandwidthController::TetherStats::getStatsLine(void) { |
| 1019 | char *msg; |
| 1020 | asprintf(&msg, "%s %s %lld %lld %lld %lld", ifaceIn.c_str(), ifaceOut.c_str(), |
| 1021 | rxBytes, rxPackets, txBytes, txPackets); |
| 1022 | return msg; |
| 1023 | } |
| 1024 | |
JP Abgrall | a2a64f0 | 2011-11-11 20:36:16 -0800 | [diff] [blame] | 1025 | int BandwidthController::getTetherStats(TetherStats &stats, std::string &extraProcessingInfo) { |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 1026 | int res; |
| 1027 | std::string fullCmd; |
| 1028 | FILE *iptOutput; |
| 1029 | const char *cmd; |
| 1030 | |
| 1031 | if (stats.rxBytes != -1 || stats.txBytes != -1) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 1032 | ALOGE("Unexpected input stats. Byte counts should be -1."); |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 1033 | return -1; |
| 1034 | } |
| 1035 | |
| 1036 | /* |
| 1037 | * Why not use some kind of lib to talk to iptables? |
| 1038 | * Because the only libs are libiptc and libip6tc in iptables, and they are |
| 1039 | * not easy to use. They require the known iptables match modules to be |
| 1040 | * preloaded/linked, and require apparently a lot of wrapper code to get |
| 1041 | * the wanted info. |
| 1042 | */ |
| 1043 | fullCmd = IPTABLES_PATH; |
JP Abgrall | 0031cea | 2012-04-17 16:38:23 -0700 | [diff] [blame] | 1044 | fullCmd += " -nvx -L natctrl_FORWARD"; |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 1045 | iptOutput = popen(fullCmd.c_str(), "r"); |
| 1046 | if (!iptOutput) { |
Steve Block | 5ea0c05 | 2012-01-06 19:18:11 +0000 | [diff] [blame] | 1047 | ALOGE("Failed to run %s err=%s", fullCmd.c_str(), strerror(errno)); |
JP Abgrall | a2a64f0 | 2011-11-11 20:36:16 -0800 | [diff] [blame] | 1048 | extraProcessingInfo += "Failed to run iptables."; |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 1049 | return -1; |
| 1050 | } |
JP Abgrall | a2a64f0 | 2011-11-11 20:36:16 -0800 | [diff] [blame] | 1051 | res = parseForwardChainStats(stats, iptOutput, extraProcessingInfo); |
JP Abgrall | db7da58 | 2011-09-18 12:57:32 -0700 | [diff] [blame] | 1052 | pclose(iptOutput); |
| 1053 | |
| 1054 | /* Currently NatController doesn't do ipv6 tethering, so we are done. */ |
| 1055 | return res; |
| 1056 | } |