Created a firewall chain for power save mode.

When power-save mode was first implemented, there were no firewall rules
on netd, so the solution was to make all network interface metered and
re-use the bw_penalty_box chain.

This change removes that workaround by creating an explicit fw_powersave
chain, whose behavior is similar to fw_dozable (in fact, it reuses some
of its code); such a change not only makes network restrictions in
power-save mode simpler, but also allows optimizing how the restricted
network rules are changed.

BUG: 27127112
Change-Id: I52aee49d80386594e3a52fea9667d580d2d944a1
diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
index cf5a7de..1aa56b0 100644
--- a/server/FirewallController.cpp
+++ b/server/FirewallController.cpp
@@ -36,6 +36,7 @@
 
 const char* FirewallController::LOCAL_DOZABLE = "fw_dozable";
 const char* FirewallController::LOCAL_STANDBY = "fw_standby";
+const char* FirewallController::LOCAL_POWERSAVE = "fw_powersave";
 
 // ICMPv6 types that are required for any form of IPv6 connectivity to work. Note that because the
 // fw_dozable chain is called from both INPUT and OUTPUT, this includes both packets that we need
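Review bot: The context comment above the ICMPv6 list still names only fw_dozable, although this commit adds a second whitelist chain. The commit message says fw_powersave reuses dozable code, so the same ICMPv6 allowances presumably apply to it, but the code that installs them is not in this hunk and that should be confirmed. If they do apply, reword the comment to something like `// Note that because the whitelist chains (fw_dozable, fw_powersave) are called from both INPUT and OUTPUT, ...` so a reader auditing the power-save rules knows these packets are exempt there too. The comment continues past the end of the hunk.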
@@ -63,6 +64,9 @@
     firewallType = getFirewallType(STANDBY);
     res |= createChain(LOCAL_STANDBY, LOCAL_INPUT, firewallType);
 
+    firewallType = getFirewallType(POWERSAVE);
+    res |= createChain(LOCAL_POWERSAVE, LOCAL_INPUT, firewallType);
+
     return res;
 }
 
@@ -108,6 +112,9 @@
         case STANDBY:
             name = LOCAL_STANDBY;
             break;
+        case POWERSAVE:
+            name = LOCAL_POWERSAVE;
+            break;
         default:
             return res;
     }
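Review bot: The chain-to-name mapping is now written out by hand in two switches. It appears here as `case POWERSAVE: name = LOCAL_POWERSAVE;` and again in the per-UID rule switch in the last hunk, where POWERSAVE is a third copy of the same `execIptables(V4V6, op, <chain>, "-m", "owner", "--uid-owner", uidStr, "-j", target, NULL)` call. A small private helper that returns the chain name for a `ChildChain` value would let both places share one mapping, so a future chain cannot be added to one switch and missed in the other. The visible `default: return res;` branch returns without logging, so a missed case here would go unnoticed. Both enclosing functions start and end outside their hunks.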
@@ -214,6 +221,8 @@
             return WHITELIST;
         case STANDBY:
             return BLACKLIST;
+        case POWERSAVE:
+            return WHITELIST;
         case NONE:
             return mFirewallType;
         default:
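Review bot: The choice of `WHITELIST` for `POWERSAVE` is the security-relevant decision in this commit, but the new `case POWERSAVE: return WHITELIST;` carries no comment saying why. Going by the type name and the commit message, whitelist presumably means that UIDs without an explicit allow rule lose network access while power save is on. A comment on the case would record that intent, for example `// Power save is default-deny: only UIDs with an explicit allow rule keep network access.` This guards against the value later being flipped to `BLACKLIST`, which would invert the policy without any other visible change. The `default:` branch of the switch continues outside the hunk.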
@@ -246,6 +255,10 @@
             res |= execIptables(V4V6, op, LOCAL_STANDBY, "-m", "owner", "--uid-owner",
                     uidStr, "-j", target, NULL);
             break;
+        case POWERSAVE:
+            res |= execIptables(V4V6, op, LOCAL_POWERSAVE, "-m", "owner", "--uid-owner",
+                    uidStr, "-j", target, NULL);
+            break;
         case NONE:
             res |= execIptables(V4V6, op, LOCAL_INPUT, "-m", "owner", "--uid-owner", uidStr,
                     "-j", target, NULL);
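Review bot: A failure of the new `execIptables` call under `case POWERSAVE:` is only OR-ed into `res`, so the caller learns that something failed but not which chain or UID. Since fw_powersave is a whitelist chain, the direction of the failure matters. `op` is chosen outside this hunk, but if it is a delete, a failed call would leave that UID's allow rule in place and the app would keep network access in power-save mode. I would document this on the case, e.g. `// Whitelist chain: a failed delete leaves the UID allowed, so callers must check the return value.`, and log the chain name and `uidStr` when the call returns non-zero. The function's beginning and end are outside the hunk.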