Remove qtaguid support from bandwidth controller
The "--socket-exists" rules in BandwidthController are actually the
rules that enable xt_qtaguid accounting feature. For devices that use
ebpf for packet accounting, these rules need to be removed so that
devices that don't have that kernel module can still run properly.
This change also completely disables xt_qtaguid accounting on devices
that have both xt_qtaguid and eBPF.
Bug: 70945407
Test: device boots and iptables rules are loaded successfully.
Netd_unit_test passes.
Change-Id: I9c11259e38889b5bf4876cff91c97741d624a18d
diff --git a/server/BandwidthController.cpp b/server/BandwidthController.cpp
index fcbe266..4abbc61 100644
--- a/server/BandwidthController.cpp
+++ b/server/BandwidthController.cpp
@@ -222,14 +222,14 @@
"-A bw_INPUT -p esp -j RETURN",
StringPrintf("-A bw_INPUT -m mark --mark 0x%x/0x%x -j RETURN", uidBillingMask,
uidBillingMask),
- "-A bw_INPUT -m owner --socket-exists", /* This is a tracking rule. */
+ useBpf ? "" : "-A bw_INPUT -m owner --socket-exists",
StringPrintf("-A bw_INPUT -j MARK --or-mark 0x%x", uidBillingMask),
// Prevents IPSec double counting (Tunnel mode and Transport mode,
// respectively)
"-A bw_OUTPUT -o " IPSEC_IFACE_PREFIX "+ -j RETURN",
"-A bw_OUTPUT -m policy --pol ipsec --dir out -j RETURN",
- "-A bw_OUTPUT -m owner --socket-exists", /* This is a tracking rule. */
+ useBpf ? "" : "-A bw_OUTPUT -m owner --socket-exists",
"-A bw_costly_shared --jump bw_penalty_box",
useBpf ? BPF_PENALTY_BOX_MATCH_BLACKLIST_COMMAND : "",
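Review bot: The new lines at L21 and L28 drop the `/* This is a tracking rule. */` comment, so a reader no longer learns why a match with no `-j` target is in the chain or why it disappears under BPF; the commit message has that explanation, but it should live in the code. Suggested comment above L21: `// xt_qtaguid "tracking" rule: a target-less match that turns on qtaguid accounting. Omitted on eBPF devices so the xt_qtaguid module is neither required nor used.` The empty string in the BPF branch becomes a blank line in the iptables-restore input, which the file already relies on at L30, so that part is fine. This hunk presumably sits inside getBasicAccountingCommands (called at L65), whose start is outside the hunk.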
@@ -243,10 +243,9 @@
// respectively)
"-A bw_raw_PREROUTING -i " IPSEC_IFACE_PREFIX "+ -j RETURN",
"-A bw_raw_PREROUTING -m policy --pol ipsec --dir in -j RETURN",
- "-A bw_raw_PREROUTING -m owner --socket-exists", /* This is a tracking rule. */
useBpf ? StringPrintf("-A bw_raw_PREROUTING -m bpf --object-pinned %s",
XT_BPF_INGRESS_PROG_PATH)
- : "",
+ : "-A bw_raw_PREROUTING -m owner --socket-exists",
"COMMIT",
"*mangle",
@@ -254,7 +253,7 @@
// respectively)
"-A bw_mangle_POSTROUTING -o " IPSEC_IFACE_PREFIX "+ -j RETURN",
"-A bw_mangle_POSTROUTING -m policy --pol ipsec --dir out -j RETURN",
- "-A bw_mangle_POSTROUTING -m owner --socket-exists", /* This is a tracking rule. */
+ useBpf ? "" : "-A bw_mangle_POSTROUTING -m owner --socket-exists",
StringPrintf("-A bw_mangle_POSTROUTING -j MARK --set-mark 0x0/0x%x",
uidBillingMask), // Clear the mark before sending this packet
useBpf ? StringPrintf("-A bw_mangle_POSTROUTING -m bpf --object-pinned %s",
@@ -271,11 +270,8 @@
} // namespace
-bool BandwidthController::getBpfStatus() {
- return (access(XT_BPF_INGRESS_PROG_PATH, F_OK) != -1) &&
- (access(XT_BPF_EGRESS_PROG_PATH, F_OK) != -1) &&
- (access(XT_BPF_WHITELIST_PROG_PATH, F_OK) != -1) &&
- (access(XT_BPF_BLACKLIST_PROG_PATH, F_OK) != -1);
+void BandwidthController::setBpfEnabled(bool isEnabled) {
+ mBpfSupported = isEnabled;
}
BandwidthController::BandwidthController() {
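Review bot: setBpfEnabled at L58 stores the flag unvalidated, whereas the removed getBpfStatus refused BPF mode unless all four pinned xt_bpf programs existed; once mBpfSupported is true the rule set contains `-m bpf --object-pinned` matches (L36, L50) that iptables-restore rejects when the object is absent, so enabling BPF before the programs are pinned leaves the device with no bandwidth accounting rules at all rather than merely without qtaguid. If the constructor starting at L61 (body outside the hunk) does not initialise mBpfSupported, enableBandwidthControl would also read an indeterminate value when the setter has not been called first; a default member initialiser `bool mBpfSupported = false;` in the header would make the qtaguid path the safe default, assuming it is not already there. At minimum the contract should be documented on the setter: `// Selects eBPF (xt_bpf) or xt_qtaguid accounting rules. Must be called before enableBandwidthControl(); when isEnabled is true the caller guarantees the XT_BPF_*_PROG_PATH objects are already pinned.`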
@@ -313,7 +309,6 @@
flushCleanTables(false);
- mBpfSupported = getBpfStatus();
std::string commands = Join(getBasicAccountingCommands(mBpfSupported), '\n');
return iptablesRestoreFunction(V4V6, commands, nullptr);
}
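Review bot: With the `mBpfSupported = getBpfStatus();` line at L64 gone, enableBandwidthControl has no fallback when BPF mode was requested but the pinned programs are missing: iptablesRestoreFunction fails on the first `-m bpf --object-pinned` rule and its return value is the only signal. A cheap fail-fast check keeps the failure attributable, e.g. `if (mBpfSupported && access(XT_BPF_INGRESS_PROG_PATH, F_OK) != 0) return -1;` (likewise for the other three XT_BPF_*_PROG_PATH objects), ideally with an error log in the file's usual style. Placing it before `flushCleanTables(false)` at L63 also avoids wiping the existing bw_ chains for a restore that cannot succeed. The function's start is outside the hunk, so whether an earlier check already covers this cannot be confirmed here.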