JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2011 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | #include <stdlib.h> |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 18 | #include <fcntl.h> |
| 19 | #include <string.h> |
| 20 | |
| 21 | #include <sys/socket.h> |
| 22 | #include <sys/stat.h> |
| 23 | #include <sys/types.h> |
| 24 | #include <sys/wait.h> |
| 25 | |
| 26 | #include <linux/netlink.h> |
| 27 | #include <linux/rtnetlink.h> |
| 28 | #include <linux/pkt_sched.h> |
| 29 | |
| 30 | #define LOG_TAG "BandwidthController" |
| 31 | #include <cutils/log.h> |
| 32 | #include <cutils/properties.h> |
| 33 | |
| 34 | extern "C" int logwrap(int argc, const char **argv, int background); |
| 35 | |
| 36 | #include "BandwidthController.h" |
| 37 | |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 38 | const int BandwidthController::MAX_CMD_LEN = 1024; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 39 | const int BandwidthController::MAX_IFACENAME_LEN = 64; |
| 40 | const int BandwidthController::MAX_CMD_ARGS = 32; |
| 41 | const char BandwidthController::IPTABLES_PATH[] = "/system/bin/iptables"; |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 42 | const char BandwidthController::IP6TABLES_PATH[] = "/system/bin/ip6tables"; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 43 | |
| 44 | /** |
| 45 | * Some comments about the rules: |
| 46 | * * Ordering |
| 47 | * - when an interface is marked as costly it should be INSERTED into the INPUT/OUTPUT chains. |
| 48 | * E.g. "-I INPUT -i rmnet0 --goto costly" |
| 49 | * - quota'd rules in the costly chain should be before penalty_box lookups. |
| 50 | * |
| 51 | * * global quota vs per interface quota |
| 52 | * - global quota for all costly interfaces uses a single costly chain: |
| 53 | * . initial rules |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame^] | 54 | * iptables -N costly_shared |
| 55 | * iptables -I INPUT -i iface0 --goto costly_shared |
| 56 | * iptables -I OUTPUT -o iface0 --goto costly_shared |
| 57 | * iptables -I costly_shared -m quota \! --quota 500000 \ |
| 58 | * --jump REJECT --reject-with icmp-net-prohibited |
| 59 | * iptables -A costly_shared --jump penalty_box |
| 60 | * iptables -A costly_shared -m owner --socket-exists |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 61 | * . adding a new iface to this, E.g.: |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame^] | 62 | * iptables -I INPUT -i iface1 --goto costly_shared |
| 63 | * iptables -I OUTPUT -o iface1 --goto costly_shared |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 64 | * |
| 65 | * - quota per interface. This is achieve by having "costly" chains per quota. |
| 66 | * E.g. adding a new costly interface iface0 with its own quota: |
| 67 | * iptables -N costly_iface0 |
| 68 | * iptables -I INPUT -i iface0 --goto costly_iface0 |
| 69 | * iptables -I OUTPUT -o iface0 --goto costly_iface0 |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame^] | 70 | * iptables -A costly_iface0 -m quota \! --quota 500000 \ |
| 71 | * --jump REJECT --reject-with icmp-net-prohibited |
| 72 | * iptables -A costly_iface0 --jump penalty_box |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 73 | * iptables -A costly_iface0 -m owner --socket-exists |
| 74 | * |
| 75 | * * penalty_box handling: |
| 76 | * - only one penalty_box for all interfaces |
| 77 | * E.g Adding an app: |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame^] | 78 | * iptables -A penalty_box -m owner --uid-owner app_3 \ |
| 79 | * --jump REJECT --reject-with icmp-net-prohibited |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 80 | */ |
| 81 | const char *BandwidthController::cleanupCommands[] = { |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 82 | /* Cleanup rules. */ |
| 83 | "-F", |
| 84 | "-t raw -F", |
JP Abgrall | 39f8f24 | 2011-06-29 19:21:58 -0700 | [diff] [blame] | 85 | /* TODO: If at some point we need more user chains than here, then we will need |
| 86 | * a different cleanup approach. |
| 87 | */ |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame^] | 88 | "-X", /* Should normally only be costly_shared, penalty_box, and costly_<iface> */ |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 89 | }; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 90 | |
| 91 | const char *BandwidthController::setupCommands[] = { |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 92 | /* Created needed chains. */ |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame^] | 93 | "-N costly_shared", |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 94 | "-N penalty_box", |
| 95 | }; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 96 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 97 | const char *BandwidthController::basicAccountingCommands[] = { |
| 98 | "-F INPUT", |
| 99 | "-A INPUT -i lo --jump ACCEPT", |
| 100 | "-A INPUT -m owner --socket-exists", /* This is a tracking rule. */ |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 101 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 102 | "-F OUTPUT", |
| 103 | "-A OUTPUT -o lo --jump ACCEPT", |
| 104 | "-A OUTPUT -m owner --socket-exists", /* This is a tracking rule. */ |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 105 | |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame^] | 106 | "-F costly_shared", |
| 107 | "-A costly_shared --jump penalty_box", |
| 108 | "-A costly_shared -m owner --socket-exists", /* This is a tracking rule. */ |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 109 | /* TODO(jpa): Figure out why iptables doesn't correctly return from this |
| 110 | * chain. For now, hack the chain exit with an ACCEPT. |
| 111 | */ |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame^] | 112 | "-A costly_shared --jump ACCEPT", |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 113 | }; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 114 | |
| 115 | BandwidthController::BandwidthController(void) { |
| 116 | |
| 117 | char value[PROPERTY_VALUE_MAX]; |
| 118 | |
| 119 | property_get("persist.bandwidth.enable", value, "0"); |
| 120 | if (!strcmp(value, "1")) { |
| 121 | enableBandwidthControl(); |
| 122 | } |
| 123 | |
| 124 | } |
| 125 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 126 | int BandwidthController::runIpxtablesCmd(const char *cmd, IptRejectOp rejectHandling) { |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 127 | int res = 0; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 128 | LOGD("runIpxtablesCmd(cmd=%s)", cmd); |
| 129 | res |= runIptablesCmd(cmd, rejectHandling, IptIpV4); |
| 130 | res |= runIptablesCmd(cmd, rejectHandling, IptIpV6); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 131 | return res; |
| 132 | } |
| 133 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 134 | int BandwidthController::StrncpyAndCheck(char *buffer, const char *src, size_t buffSize) { |
| 135 | |
| 136 | memset(buffer, '\0', buffSize); // strncpy() is not filling leftover with '\0' |
| 137 | strncpy(buffer, src, buffSize); |
| 138 | return buffer[buffSize - 1]; |
| 139 | } |
| 140 | |
| 141 | int BandwidthController::runIptablesCmd(const char *cmd, IptRejectOp rejectHandling, IptIpVer iptVer) { |
| 142 | char buffer[MAX_CMD_LEN]; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 143 | const char *argv[MAX_CMD_ARGS]; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 144 | int argc = 0; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 145 | char *next = buffer; |
| 146 | char *tmp; |
| 147 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 148 | std::string fullCmd = cmd; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 149 | |
| 150 | if (rejectHandling == IptRejectAdd) { |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 151 | fullCmd += " --jump REJECT --reject-with"; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 152 | switch (iptVer) { |
| 153 | case IptIpV4: |
| 154 | fullCmd += " icmp-net-prohibited"; |
| 155 | break; |
| 156 | case IptIpV6: |
| 157 | fullCmd += " icmp6-adm-prohibited"; |
| 158 | break; |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 159 | } |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 160 | } |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 161 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 162 | argc = 0; |
| 163 | argv[argc++] = iptVer == IptIpV4 ? IPTABLES_PATH : IP6TABLES_PATH; |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 164 | |
JP Abgrall | a9f802c | 2011-06-29 15:46:45 -0700 | [diff] [blame] | 165 | LOGD("runIptablesCmd(): %s %s", argv[0], fullCmd.c_str()); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 166 | if (StrncpyAndCheck(buffer, fullCmd.c_str(), sizeof(buffer))) { |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 167 | LOGE("iptables command too long"); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 168 | return -1; |
| 169 | } |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 170 | |
| 171 | while ((tmp = strsep(&next, " "))) { |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 172 | argv[argc++] = tmp; |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 173 | if (argc >= MAX_CMD_ARGS) { |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 174 | LOGE("iptables argument overflow"); |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 175 | return -1; |
| 176 | } |
| 177 | } |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 178 | |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 179 | argv[argc] = NULL; |
| 180 | /* TODO(jpa): Once this stabilizes, remove logwrap() as it tends to wedge netd |
| 181 | * Then just talk directly to the kernel via rtnetlink. |
| 182 | */ |
| 183 | return logwrap(argc, argv, 0); |
| 184 | } |
| 185 | |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 186 | int BandwidthController::enableBandwidthControl(void) { |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 187 | int res; |
| 188 | /* Some of the initialCommands are allowed to fail */ |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 189 | runCommands(sizeof(cleanupCommands) / sizeof(char*), cleanupCommands, RunCmdFailureOk); |
| 190 | runCommands(sizeof(setupCommands) / sizeof(char*), setupCommands, RunCmdFailureOk); |
| 191 | res = runCommands(sizeof(basicAccountingCommands) / sizeof(char*), basicAccountingCommands, RunCmdFailureBad); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 192 | return res; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 193 | |
| 194 | } |
| 195 | |
| 196 | int BandwidthController::disableBandwidthControl(void) { |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 197 | /* The cleanupCommands are allowed to fail. */ |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 198 | runCommands(sizeof(cleanupCommands) / sizeof(char*), cleanupCommands, RunCmdFailureOk); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 199 | return 0; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 200 | } |
| 201 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 202 | int BandwidthController::runCommands(int numCommands, const char *commands[], RunCmdErrHandling cmdErrHandling) { |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 203 | int res = 0; |
| 204 | LOGD("runCommands(): %d commands", numCommands); |
| 205 | for (int cmdNum = 0; cmdNum < numCommands; cmdNum++) { |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 206 | res = runIpxtablesCmd(commands[cmdNum], IptRejectNoAdd); |
| 207 | if (res && cmdErrHandling != RunCmdFailureBad) |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 208 | return res; |
| 209 | } |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 210 | return cmdErrHandling == RunCmdFailureBad ? res : 0; |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 211 | } |
| 212 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 213 | std::string BandwidthController::makeIptablesNaughtyCmd(IptOp op, int uid) { |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 214 | std::string res; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 215 | char *convBuff; |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 216 | |
| 217 | switch (op) { |
| 218 | case IptOpInsert: |
| 219 | res = "-I"; |
| 220 | break; |
| 221 | case IptOpReplace: |
| 222 | res = "-R"; |
| 223 | break; |
| 224 | default: |
| 225 | case IptOpDelete: |
| 226 | res = "-D"; |
| 227 | break; |
| 228 | } |
| 229 | res += " penalty_box"; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 230 | asprintf(&convBuff, "%d", uid); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 231 | res += " -m owner --uid-owner "; |
| 232 | res += convBuff; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 233 | free(convBuff); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 234 | return res; |
| 235 | } |
| 236 | |
| 237 | int BandwidthController::addNaughtyApps(int numUids, char *appUids[]) { |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 238 | return maninpulateNaughtyApps(numUids, appUids, NaughtyAppOpAdd); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 239 | } |
| 240 | |
| 241 | int BandwidthController::removeNaughtyApps(int numUids, char *appUids[]) { |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 242 | return maninpulateNaughtyApps(numUids, appUids, NaughtyAppOpRemove); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 243 | } |
| 244 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 245 | int BandwidthController::maninpulateNaughtyApps(int numUids, char *appStrUids[], NaughtyAppOp appOp) { |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 246 | char cmd[MAX_CMD_LEN]; |
| 247 | int uidNum; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 248 | const char *failLogTemplate; |
| 249 | IptOp op; |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 250 | int appUids[numUids]; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 251 | std::string naughtyCmd; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 252 | switch (appOp) { |
| 253 | case NaughtyAppOpAdd: |
| 254 | op = IptOpInsert; |
| 255 | failLogTemplate = "Failed to add app uid %d to penalty box."; |
| 256 | break; |
| 257 | case NaughtyAppOpRemove: |
| 258 | op = IptOpDelete; |
| 259 | failLogTemplate = "Failed to delete app uid %d from penalty box."; |
| 260 | break; |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 261 | } |
| 262 | |
| 263 | for (uidNum = 0; uidNum < numUids; uidNum++) { |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 264 | appUids[uidNum] = atol(appStrUids[uidNum]); |
| 265 | if (appUids[uidNum] == 0) { |
| 266 | LOGE(failLogTemplate, appUids[uidNum]); |
| 267 | goto fail_parse; |
| 268 | } |
| 269 | } |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 270 | |
| 271 | for (uidNum = 0; uidNum < numUids; uidNum++) { |
| 272 | naughtyCmd = makeIptablesNaughtyCmd(op, appUids[uidNum]); |
| 273 | if (runIpxtablesCmd(naughtyCmd.c_str(), IptRejectAdd)) { |
| 274 | LOGE(failLogTemplate, appUids[uidNum]); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 275 | goto fail_with_uidNum; |
| 276 | } |
| 277 | } |
| 278 | return 0; |
| 279 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 280 | fail_with_uidNum: |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 281 | /* Try to remove the uid that failed in any case*/ |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 282 | naughtyCmd = makeIptablesNaughtyCmd(IptOpDelete, appUids[uidNum]); |
| 283 | runIpxtablesCmd(naughtyCmd.c_str(), IptRejectAdd); |
| 284 | fail_parse: |
| 285 | return -1; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 286 | } |
| 287 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 288 | std::string BandwidthController::makeIptablesQuotaCmd(IptOp op, const char *costName, int64_t quota) { |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 289 | std::string res; |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame^] | 290 | char *convBuff; |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 291 | |
| 292 | LOGD("makeIptablesQuotaCmd(%d, %llu)", op, quota); |
| 293 | |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 294 | switch (op) { |
| 295 | case IptOpInsert: |
| 296 | res = "-I"; |
| 297 | break; |
| 298 | case IptOpReplace: |
| 299 | res = "-R"; |
| 300 | break; |
| 301 | default: |
| 302 | case IptOpDelete: |
| 303 | res = "-D"; |
| 304 | break; |
| 305 | } |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame^] | 306 | res += " costly_"; |
| 307 | res += costName; |
| 308 | asprintf(&convBuff, "%lld", quota); |
| 309 | res += " -m quota2 --name "; |
| 310 | res += costName; |
| 311 | res += " ! --quota "; |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 312 | res += convBuff; |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame^] | 313 | free(convBuff); |
| 314 | // The requried IP version specific --jump REJECT ... will be added later. |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 315 | return res; |
| 316 | } |
| 317 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 318 | int BandwidthController::prepCostlyIface(const char *ifn, QuotaType quotaType) { |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 319 | char cmd[MAX_CMD_LEN]; |
| 320 | int res = 0; |
| 321 | std::string costString; |
| 322 | const char *costCString; |
| 323 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 324 | /* The "-N costly" is created upfront, no need to handle it here. */ |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 325 | switch (quotaType) { |
| 326 | case QuotaUnique: |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame^] | 327 | costString = "costly_"; |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 328 | costString += ifn; |
| 329 | costCString = costString.c_str(); |
| 330 | snprintf(cmd, sizeof(cmd), "-N %s", costCString); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 331 | res |= runIpxtablesCmd(cmd, IptRejectNoAdd); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 332 | snprintf(cmd, sizeof(cmd), "-A %s -j penalty_box", costCString); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 333 | res |= runIpxtablesCmd(cmd, IptRejectNoAdd); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 334 | snprintf(cmd, sizeof(cmd), "-A %s -m owner --socket-exists", costCString); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 335 | res |= runIpxtablesCmd(cmd, IptRejectNoAdd); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 336 | /* TODO(jpa): Figure out why iptables doesn't correctly return from this |
| 337 | * chain. For now, hack the chain exit with an ACCEPT. |
| 338 | */ |
| 339 | snprintf(cmd, sizeof(cmd), "-A %s --jump ACCEPT", costCString); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 340 | res |= runIpxtablesCmd(cmd, IptRejectNoAdd); |
| 341 | break; |
| 342 | case QuotaShared: |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame^] | 343 | costCString = "costly_shared"; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 344 | break; |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 345 | } |
| 346 | |
| 347 | snprintf(cmd, sizeof(cmd), "-I INPUT -i %s --goto %s", ifn, costCString); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 348 | res |= runIpxtablesCmd(cmd, IptRejectNoAdd); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 349 | snprintf(cmd, sizeof(cmd), "-I OUTPUT -o %s --goto %s", ifn, costCString); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 350 | res |= runIpxtablesCmd(cmd, IptRejectNoAdd); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 351 | return res; |
| 352 | } |
| 353 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 354 | int BandwidthController::cleanupCostlyIface(const char *ifn, QuotaType quotaType) { |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 355 | char cmd[MAX_CMD_LEN]; |
| 356 | int res = 0; |
| 357 | std::string costString; |
| 358 | const char *costCString; |
| 359 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 360 | switch (quotaType) { |
| 361 | case QuotaUnique: |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame^] | 362 | costString = "costly_"; |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 363 | costString += ifn; |
| 364 | costCString = costString.c_str(); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 365 | break; |
| 366 | case QuotaShared: |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame^] | 367 | costCString = "costly_shared"; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 368 | break; |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 369 | } |
| 370 | |
| 371 | snprintf(cmd, sizeof(cmd), "-D INPUT -i %s --goto %s", ifn, costCString); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 372 | res |= runIpxtablesCmd(cmd, IptRejectNoAdd); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 373 | snprintf(cmd, sizeof(cmd), "-D OUTPUT -o %s --goto %s", ifn, costCString); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 374 | res |= runIpxtablesCmd(cmd, IptRejectNoAdd); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 375 | |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame^] | 376 | /* The "-N costly_shared" is created upfront, no need to handle it here. */ |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 377 | if (quotaType == QuotaUnique) { |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 378 | snprintf(cmd, sizeof(cmd), "-F %s", costCString); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 379 | res |= runIpxtablesCmd(cmd, IptRejectNoAdd); |
JP Abgrall | a9f802c | 2011-06-29 15:46:45 -0700 | [diff] [blame] | 380 | snprintf(cmd, sizeof(cmd), "-X %s", costCString); |
| 381 | res |= runIpxtablesCmd(cmd, IptRejectNoAdd); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 382 | } |
| 383 | return res; |
| 384 | } |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 385 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 386 | int BandwidthController::setInterfaceSharedQuota(const char *iface, int64_t maxBytes) { |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 387 | char cmd[MAX_CMD_LEN]; |
| 388 | char ifn[MAX_IFACENAME_LEN]; |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 389 | int res = 0; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 390 | std::string quotaCmd; |
| 391 | std::string ifaceName;; |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame^] | 392 | const char *costName = "shared"; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 393 | std::list<std::string>::iterator it; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 394 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 395 | if (StrncpyAndCheck(ifn, iface, sizeof(ifn))) { |
| 396 | LOGE("Interface name longer than %d", MAX_IFACENAME_LEN); |
| 397 | return -1; |
| 398 | } |
| 399 | ifaceName = ifn; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 400 | |
| 401 | if (maxBytes == -1) { |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 402 | return removeInterfaceSharedQuota(ifn); |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 403 | } |
| 404 | |
| 405 | /* Insert ingress quota. */ |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 406 | for (it = sharedQuotaIfaces.begin(); it != sharedQuotaIfaces.end(); it++) { |
| 407 | if (*it == ifaceName) |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 408 | break; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 409 | } |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 410 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 411 | if (it == sharedQuotaIfaces.end()) { |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 412 | res |= prepCostlyIface(ifn, QuotaShared); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 413 | if (sharedQuotaIfaces.empty()) { |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 414 | quotaCmd = makeIptablesQuotaCmd(IptOpInsert, costName, maxBytes); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 415 | res |= runIpxtablesCmd(quotaCmd.c_str(), IptRejectAdd); |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 416 | if (res) { |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 417 | LOGE("Failed set quota rule."); |
| 418 | goto fail; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 419 | } |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 420 | sharedQuotaBytes = maxBytes; |
| 421 | } |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 422 | sharedQuotaIfaces.push_front(ifaceName); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 423 | |
| 424 | } |
| 425 | |
| 426 | if (maxBytes != sharedQuotaBytes) { |
| 427 | /* Instead of replacing, which requires being aware of the rules in |
| 428 | * the kernel, we just add a new one, then delete the older one. |
| 429 | */ |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 430 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 431 | quotaCmd = makeIptablesQuotaCmd(IptOpInsert, costName, maxBytes); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 432 | res |= runIpxtablesCmd(quotaCmd.c_str(), IptRejectAdd); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 433 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 434 | quotaCmd = makeIptablesQuotaCmd(IptOpDelete, costName, sharedQuotaBytes); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 435 | res |= runIpxtablesCmd(quotaCmd.c_str(), IptRejectAdd); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 436 | |
| 437 | if (res) { |
| 438 | LOGE("Failed replace quota rule."); |
| 439 | goto fail; |
| 440 | } |
| 441 | sharedQuotaBytes = maxBytes; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 442 | } |
| 443 | return 0; |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 444 | |
| 445 | fail: |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 446 | /* |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 447 | * TODO(jpa): once we get rid of iptables in favor of rtnetlink, reparse |
| 448 | * rules in the kernel to see which ones need cleaning up. |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 449 | * For now callers needs to choose if they want to "ndc bandwidth enable" |
| 450 | * which resets everything. |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 451 | */ |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 452 | removeInterfaceSharedQuota(ifn); |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 453 | return -1; |
| 454 | } |
| 455 | |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 456 | int BandwidthController::removeInterfaceSharedQuota(const char *iface) { |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 457 | char ifn[MAX_IFACENAME_LEN]; |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 458 | int res = 0; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 459 | std::string ifaceName; |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 460 | std::list<std::string>::iterator it; |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame^] | 461 | const char *costName = "shared"; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 462 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 463 | if(StrncpyAndCheck(ifn, iface, sizeof(ifn))) { |
| 464 | LOGE("Interface name longer than %d", MAX_IFACENAME_LEN); |
| 465 | return -1; |
| 466 | } |
| 467 | ifaceName =ifn; |
| 468 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 469 | for (it = sharedQuotaIfaces.begin(); it != sharedQuotaIfaces.end(); it++) { |
| 470 | if (*it == ifaceName) |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 471 | break; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 472 | } |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 473 | if (it == sharedQuotaIfaces.end()) { |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 474 | LOGE("No such iface %s to delete.", ifn); |
| 475 | return -1; |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 476 | } |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 477 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 478 | res |= cleanupCostlyIface(ifn, QuotaShared); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 479 | sharedQuotaIfaces.erase(it); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 480 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 481 | if (sharedQuotaIfaces.empty()) { |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 482 | std::string quotaCmd; |
JP Abgrall | bfa7466 | 2011-06-29 19:23:04 -0700 | [diff] [blame^] | 483 | quotaCmd = makeIptablesQuotaCmd(IptOpDelete, costName, sharedQuotaBytes); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 484 | res |= runIpxtablesCmd(quotaCmd.c_str(), IptRejectAdd); |
JP Abgrall | fa6f46d | 2011-06-17 23:17:28 -0700 | [diff] [blame] | 485 | sharedQuotaBytes = -1; |
| 486 | } |
| 487 | |
JP Abgrall | 4a5f5ca | 2011-06-15 18:37:39 -0700 | [diff] [blame] | 488 | return res; |
| 489 | } |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 490 | |
| 491 | int BandwidthController::setInterfaceQuota(const char *iface, int64_t maxBytes) { |
| 492 | char ifn[MAX_IFACENAME_LEN]; |
| 493 | int res = 0; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 494 | std::string ifaceName; |
| 495 | const char *costName; |
| 496 | std::list<QuotaInfo>::iterator it; |
| 497 | std::string quotaCmd; |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 498 | |
| 499 | if (maxBytes == -1) { |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 500 | return removeInterfaceQuota(iface); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 501 | } |
| 502 | |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 503 | if(StrncpyAndCheck(ifn, iface, sizeof(ifn))) { |
| 504 | LOGE("Interface name longer than %d", MAX_IFACENAME_LEN); |
| 505 | return -1; |
| 506 | } |
| 507 | ifaceName = ifn; |
| 508 | costName = iface; |
| 509 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 510 | |
| 511 | /* Insert ingress quota. */ |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 512 | for (it = quotaIfaces.begin(); it != quotaIfaces.end(); it++) { |
| 513 | if (it->first == ifaceName) |
| 514 | break; |
| 515 | } |
| 516 | |
| 517 | if (it == quotaIfaces.end()) { |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 518 | res |= prepCostlyIface(ifn, QuotaUnique); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 519 | quotaCmd = makeIptablesQuotaCmd(IptOpInsert, costName, maxBytes); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 520 | res |= runIpxtablesCmd(quotaCmd.c_str(), IptRejectAdd); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 521 | if (res) { |
| 522 | LOGE("Failed set quota rule."); |
| 523 | goto fail; |
| 524 | } |
| 525 | |
| 526 | quotaIfaces.push_front(QuotaInfo(ifaceName, maxBytes)); |
| 527 | |
| 528 | } else { |
| 529 | /* Instead of replacing, which requires being aware of the rules in |
| 530 | * the kernel, we just add a new one, then delete the older one. |
| 531 | */ |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 532 | quotaCmd = makeIptablesQuotaCmd(IptOpInsert, costName, maxBytes); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 533 | res |= runIpxtablesCmd(quotaCmd.c_str(), IptRejectAdd); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 534 | |
| 535 | quotaCmd = makeIptablesQuotaCmd(IptOpDelete, costName, it->second); |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 536 | res |= runIpxtablesCmd(quotaCmd.c_str(), IptRejectAdd); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 537 | |
| 538 | if (res) { |
| 539 | LOGE("Failed replace quota rule."); |
| 540 | goto fail; |
| 541 | } |
| 542 | it->second = maxBytes; |
| 543 | } |
| 544 | return 0; |
| 545 | |
| 546 | fail: |
| 547 | /* |
| 548 | * TODO(jpa): once we get rid of iptables in favor of rtnetlink, reparse |
| 549 | * rules in the kernel to see which ones need cleaning up. |
| 550 | * For now callers needs to choose if they want to "ndc bandwidth enable" |
| 551 | * which resets everything. |
| 552 | */ |
| 553 | removeInterfaceSharedQuota(ifn); |
| 554 | return -1; |
| 555 | } |
| 556 | |
| 557 | int BandwidthController::removeInterfaceQuota(const char *iface) { |
| 558 | |
| 559 | char ifn[MAX_IFACENAME_LEN]; |
| 560 | int res = 0; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 561 | std::string ifaceName; |
| 562 | const char *costName; |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 563 | std::list<QuotaInfo>::iterator it; |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 564 | |
| 565 | if(StrncpyAndCheck(ifn, iface, sizeof(ifn))) { |
| 566 | LOGE("Interface name longer than %d", MAX_IFACENAME_LEN); |
| 567 | return -1; |
| 568 | } |
| 569 | ifaceName = ifn; |
| 570 | costName = iface; |
| 571 | |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 572 | for (it = quotaIfaces.begin(); it != quotaIfaces.end(); it++) { |
| 573 | if (it->first == ifaceName) |
| 574 | break; |
| 575 | } |
| 576 | |
| 577 | if (it == quotaIfaces.end()) { |
| 578 | LOGE("No such iface %s to delete.", ifn); |
| 579 | return -1; |
| 580 | } |
| 581 | |
| 582 | /* This also removes the quota command of CostlyIface chain. */ |
JP Abgrall | 26e0d49 | 2011-06-24 19:21:51 -0700 | [diff] [blame] | 583 | res |= cleanupCostlyIface(ifn, QuotaUnique); |
JP Abgrall | 0dad7c2 | 2011-06-24 11:58:14 -0700 | [diff] [blame] | 584 | |
| 585 | quotaIfaces.erase(it); |
| 586 | |
| 587 | return res; |
| 588 | } |