Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / netd / 703798e54455589145c3292fb090e4dffd264054^! / . / server / BandwidthController.cpp
commit703798e54455589145c3292fb090e4dffd264054[log] [tgz]
authorChenbo Feng <fengc@google.com>Fri Jun 15 17:07:59 2018 -0700
committerChenbo Feng <fengc@google.com>Mon Aug 06 15:04:40 2018 -0700
tree98edefb60bb5181bb39aa2edd2008a689da59f4f
parent9f01eae4bda44fa563f66013ac07ed852ba34dfa [diff] [blame]
Merge all uid owner match map into one

The bpf maps used for storing the uid owner match information are using
the same key value pairs and the duplication can be reduced by using one
single value to store all the match information for a given uid and use
a configuration map to store the chain that is currently enabled. This
migration can save some kernel memory space and simplify the owner match
process.

Bug: 79781072
Test: netd_unit_test,
      com.android.cts.net.HostsideRestrictBackgroundNetworkTests

Change-Id: I9658321e9d4a87eaa724231d33a474113dd75019

diff --git a/server/BandwidthController.cpp b/server/BandwidthController.cpp
index a01ad41..fcbe266 100644
--- a/server/BandwidthController.cpp
+++ b/server/BandwidthController.cpp

@@ -152,13 +152,12 @@
  */
 
 const std::string COMMIT_AND_CLOSE = "COMMIT\n";
-const std::string HAPPY_BOX_WHITELIST_COMMAND = StringPrintf(
-    "-I bw_happy_box -m owner --uid-owner %d-%d --jump RETURN", 0, MAX_SYSTEM_UID);
-const std::string BPF_HAPPY_BOX_WHITELIST_COMMAND =
-    StringPrintf("-I bw_happy_box -m bpf --object-pinned %s -j RETURN", XT_BPF_WHITELIST_PROG_PATH);
-const std::string BPF_PENALTY_BOX_BLACKLIST_COMMAND =
-    StringPrintf("-I bw_penalty_box -m bpf --object-pinned %s -j REJECT",
-                 XT_BPF_BLACKLIST_PROG_PATH);
+const std::string HAPPY_BOX_MATCH_WHITELIST_COMMAND =
+        StringPrintf("-I bw_happy_box -m owner --uid-owner %d-%d --jump RETURN", 0, MAX_SYSTEM_UID);
+const std::string BPF_HAPPY_BOX_MATCH_WHITELIST_COMMAND = StringPrintf(
+        "-I bw_happy_box -m bpf --object-pinned %s -j RETURN", XT_BPF_WHITELIST_PROG_PATH);
+const std::string BPF_PENALTY_BOX_MATCH_BLACKLIST_COMMAND = StringPrintf(
+        "-I bw_penalty_box -m bpf --object-pinned %s -j REJECT", XT_BPF_BLACKLIST_PROG_PATH);
 
 static const std::vector<std::string> IPT_FLUSH_COMMANDS = {
     /*
@@ -218,50 +217,50 @@
 
 const std::vector<std::string> getBasicAccountingCommands(const bool useBpf) {
     const std::vector<std::string> ipt_basic_accounting_commands = {
-        "*filter",
-        // Prevents IPSec double counting (ESP and UDP-encap-ESP respectively)
-        "-A bw_INPUT -p esp -j RETURN",
-        StringPrintf("-A bw_INPUT -m mark --mark 0x%x/0x%x -j RETURN",
-                     uidBillingMask, uidBillingMask),
-        "-A bw_INPUT -m owner --socket-exists", /* This is a tracking rule. */
-        StringPrintf("-A bw_INPUT -j MARK --or-mark 0x%x", uidBillingMask),
+            "*filter",
+            // Prevents IPSec double counting (ESP and UDP-encap-ESP respectively)
+            "-A bw_INPUT -p esp -j RETURN",
+            StringPrintf("-A bw_INPUT -m mark --mark 0x%x/0x%x -j RETURN", uidBillingMask,
+                         uidBillingMask),
+            "-A bw_INPUT -m owner --socket-exists", /* This is a tracking rule. */
+            StringPrintf("-A bw_INPUT -j MARK --or-mark 0x%x", uidBillingMask),
 
-        // Prevents IPSec double counting (Tunnel mode and Transport mode,
-        // respectively)
-        "-A bw_OUTPUT -o " IPSEC_IFACE_PREFIX "+ -j RETURN",
-        "-A bw_OUTPUT -m policy --pol ipsec --dir out -j RETURN",
-        "-A bw_OUTPUT -m owner --socket-exists", /* This is a tracking rule. */
+            // Prevents IPSec double counting (Tunnel mode and Transport mode,
+            // respectively)
+            "-A bw_OUTPUT -o " IPSEC_IFACE_PREFIX "+ -j RETURN",
+            "-A bw_OUTPUT -m policy --pol ipsec --dir out -j RETURN",
+            "-A bw_OUTPUT -m owner --socket-exists", /* This is a tracking rule. */
 
-        "-A bw_costly_shared --jump bw_penalty_box",
-        useBpf ? BPF_PENALTY_BOX_BLACKLIST_COMMAND : "",
-        "-A bw_penalty_box --jump bw_happy_box",
-        "-A bw_happy_box --jump bw_data_saver",
-        "-A bw_data_saver -j RETURN",
-        useBpf ? BPF_HAPPY_BOX_WHITELIST_COMMAND : HAPPY_BOX_WHITELIST_COMMAND,
-        "COMMIT",
+            "-A bw_costly_shared --jump bw_penalty_box",
+            useBpf ? BPF_PENALTY_BOX_MATCH_BLACKLIST_COMMAND : "",
+            "-A bw_penalty_box --jump bw_happy_box", "-A bw_happy_box --jump bw_data_saver",
+            "-A bw_data_saver -j RETURN",
+            useBpf ? BPF_HAPPY_BOX_MATCH_WHITELIST_COMMAND : HAPPY_BOX_MATCH_WHITELIST_COMMAND,
+            "COMMIT",
 
-        "*raw",
-        // Prevents IPSec double counting (Tunnel mode and Transport mode,
-        // respectively)
-        "-A bw_raw_PREROUTING -i " IPSEC_IFACE_PREFIX "+ -j RETURN",
-        "-A bw_raw_PREROUTING -m policy --pol ipsec --dir in -j RETURN",
-        "-A bw_raw_PREROUTING -m owner --socket-exists", /* This is a tracking rule. */
-        useBpf ? StringPrintf("-A bw_raw_PREROUTING -m bpf --object-pinned %s",
-                              XT_BPF_INGRESS_PROG_PATH) : "",
-        "COMMIT",
+            "*raw",
+            // Prevents IPSec double counting (Tunnel mode and Transport mode,
+            // respectively)
+            "-A bw_raw_PREROUTING -i " IPSEC_IFACE_PREFIX "+ -j RETURN",
+            "-A bw_raw_PREROUTING -m policy --pol ipsec --dir in -j RETURN",
+            "-A bw_raw_PREROUTING -m owner --socket-exists", /* This is a tracking rule. */
+            useBpf ? StringPrintf("-A bw_raw_PREROUTING -m bpf --object-pinned %s",
+                                  XT_BPF_INGRESS_PROG_PATH)
+                   : "",
+            "COMMIT",
 
-        "*mangle",
-        // Prevents IPSec double counting (Tunnel mode and Transport mode,
-        // respectively)
-        "-A bw_mangle_POSTROUTING -o " IPSEC_IFACE_PREFIX "+ -j RETURN",
-        "-A bw_mangle_POSTROUTING -m policy --pol ipsec --dir out -j RETURN",
-        "-A bw_mangle_POSTROUTING -m owner --socket-exists", /* This is a tracking rule. */
-        StringPrintf("-A bw_mangle_POSTROUTING -j MARK --set-mark 0x0/0x%x",
-                     uidBillingMask), // Clear the mark before sending this packet
-        useBpf ? StringPrintf("-A bw_mangle_POSTROUTING -m bpf --object-pinned %s",
-                              XT_BPF_EGRESS_PROG_PATH) : "",
-        COMMIT_AND_CLOSE
-    };
+            "*mangle",
+            // Prevents IPSec double counting (Tunnel mode and Transport mode,
+            // respectively)
+            "-A bw_mangle_POSTROUTING -o " IPSEC_IFACE_PREFIX "+ -j RETURN",
+            "-A bw_mangle_POSTROUTING -m policy --pol ipsec --dir out -j RETURN",
+            "-A bw_mangle_POSTROUTING -m owner --socket-exists", /* This is a tracking rule. */
+            StringPrintf("-A bw_mangle_POSTROUTING -j MARK --set-mark 0x0/0x%x",
+                         uidBillingMask),  // Clear the mark before sending this packet
+            useBpf ? StringPrintf("-A bw_mangle_POSTROUTING -m bpf --object-pinned %s",
+                                  XT_BPF_EGRESS_PROG_PATH)
+                   : "",
+            COMMIT_AND_CLOSE};
     return ipt_basic_accounting_commands;
 }
 
@@ -370,9 +369,9 @@
                                                const std::string& chain, IptJumpOp jumpHandling,
                                                IptOp op) {
     if (mBpfSupported) {
-      Status status = gCtls->trafficCtrl.updateBandwidthUidMap(appStrUids, jumpHandling, op);
-      if (!isOk(status)) {
-          ALOGE("unable to update the Bandwidth Uid Map: %s", toString(status).c_str());
+        Status status = gCtls->trafficCtrl.updateUidOwnerMap(appStrUids, jumpHandling, op);
+        if (!isOk(status)) {
+            ALOGE("unable to update the Bandwidth Uid Map: %s", toString(status).c_str());
       }
       return status.code();
     }