commit 341d3a04ae17da2cf5a6e9977ef7af0ea28bc14c
author Lorenzo Colitti <lorenzo@google.com> Tue Aug 08 17:31:35 2017 +0900
committer Lorenzo Colitti <lorenzo@google.com> Thu Aug 10 18:13:01 2017 +0900
tree bb23778cc47ae37e9180c39f0bd676cb74a97d66
parent 6ee2598e23e10a11ed98f4f23cf63638c8524104

Add test coverage for setting up initial iptables rules.

Bug: 28362720
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Change-Id: I2ab9269d9bca3a7b8b168b801360d3fdb6119f05

server/Controllers.cpp

diff --git a/server/Controllers.cpp b/server/Controllers.cpp
index ad77ee1..a25e05a 100644
--- a/server/Controllers.cpp
+++ b/server/Controllers.cpp
@@ -29,6 +29,9 @@
 namespace android {
 namespace net {
 
+auto Controllers::execIptablesRestore  = ::execIptablesRestore;
+auto Controllers::execIptablesSilently = ::execIptablesSilently;
+
 namespace {
 /**
  * List of module chains to be created, along with explicit ordering. ORDERING
@@ -93,8 +96,13 @@
         NULL,
 };
 
-static void createChildChains(IptablesTarget target, const char* table, const char* parentChain,
-        const char** childChains, bool exclusive) {
+}  // namespace
+
+/* static */
+void Controllers::createChildChains(IptablesTarget target, const char* table,
+                                    const char* parentChain,
+                                    const char** childChains,
+                                    bool exclusive) {
     std::string command = android::base::StringPrintf("*%s\n", table);
 
     // If we're the exclusive owner of this chain, clear it entirely. This saves us from having to
@@ -116,12 +124,10 @@
         command += android::base::StringPrintf(":%s -\n", *childChain);
         command += android::base::StringPrintf("-A %s -j %s\n", parentChain, *childChain);
     } while (*(++childChain) != NULL);
-    command += "COMMIT\n\n";
+    command += "COMMIT\n";
     execIptablesRestore(target, command);
 }
 
-}  // namespace
-
 Controllers::Controllers()
     : clatdCtrl(&netCtrl),
       wakeupCtrl(
@@ -137,7 +143,7 @@
     InterfaceController::initializeAll();
 }
 
-void Controllers::initIptablesRules() {
+void Controllers::initChildChains() {
     /*
      * This is the only time we touch top-level chains in iptables; controllers
      * should only mutate rules inside of their children chains, as created by
@@ -149,18 +155,23 @@
      */
 
     // Create chains for child modules.
-    // We cannot use createChildChainsFast for all chains because vendor code modifies filter OUTPUT
-    // and mangle POSTROUTING directly.
-    Stopwatch s;
     createChildChains(V4V6, "filter", "INPUT", FILTER_INPUT, true);
     createChildChains(V4V6, "filter", "FORWARD", FILTER_FORWARD, true);
-    createChildChains(V4V6, "filter", "OUTPUT", FILTER_OUTPUT, false);
     createChildChains(V4V6, "raw", "PREROUTING", RAW_PREROUTING, true);
-    createChildChains(V4V6, "mangle", "POSTROUTING", MANGLE_POSTROUTING, false);
     createChildChains(V4V6, "mangle", "FORWARD", MANGLE_FORWARD, true);
     createChildChains(V4V6, "mangle", "INPUT", MANGLE_INPUT, true);
     createChildChains(V4, "nat", "PREROUTING", NAT_PREROUTING, true);
     createChildChains(V4, "nat", "POSTROUTING", NAT_POSTROUTING, true);
+
+    // We cannot use createChildChainsFast for all chains because vendor code modifies filter OUTPUT
+    // and mangle POSTROUTING directly.
+    createChildChains(V4V6, "filter", "OUTPUT", FILTER_OUTPUT, false);
+    createChildChains(V4V6, "mangle", "POSTROUTING", MANGLE_POSTROUTING, false);
+}
+
+void Controllers::initIptablesRules() {
+    Stopwatch s;
+    initChildChains();
     ALOGI("Creating child chains: %.1fms", s.getTimeAndReset());
 
     // Let each module setup their child chains