Make netd calls to iptables wait for xtables lock
Without this wait iptables commands can fail with various unpleasant
consequences like Log.wtf() or missing iptables rules. The most
critical calls to iptables in NetdConstants.cpp already wait for the
lock.
Bug:22802665
Change-Id: I7d542c3d4f0e005618e368da674159b90d652c8a
diff --git a/server/NatController.cpp b/server/NatController.cpp
index 5a15afa..19d19c7 100644
--- a/server/NatController.cpp
+++ b/server/NatController.cpp
@@ -95,10 +95,10 @@
* Bug 17629786 asks to make the failure more obvious, or even fatal
* so that all builds eventually gain the performance improvement.
*/
- {{IPTABLES_PATH, "-F", LOCAL_TETHER_COUNTERS_CHAIN,}, 0},
- {{IPTABLES_PATH, "-X", LOCAL_TETHER_COUNTERS_CHAIN,}, 0},
- {{IPTABLES_PATH, "-N", LOCAL_TETHER_COUNTERS_CHAIN,}, 1},
- {{IPTABLES_PATH, "-t", "mangle", "-A", LOCAL_MANGLE_FORWARD, "-p", "tcp", "--tcp-flags",
+ {{IPTABLES_PATH, "-w", "-F", LOCAL_TETHER_COUNTERS_CHAIN,}, 0},
+ {{IPTABLES_PATH, "-w", "-X", LOCAL_TETHER_COUNTERS_CHAIN,}, 0},
+ {{IPTABLES_PATH, "-w", "-N", LOCAL_TETHER_COUNTERS_CHAIN,}, 1},
+ {{IPTABLES_PATH, "-w", "-t", "mangle", "-A", LOCAL_MANGLE_FORWARD, "-p", "tcp", "--tcp-flags",
"SYN", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu"}, 0},
};
for (unsigned int cmdNum = 0; cmdNum < ARRAY_SIZE(defaultCommands); cmdNum++) {
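Review bot: The `"-w"` added to each `defaultCommands` entry carries no timeout, so each of these calls now blocks until the xtables lock is free; if the lock holder hangs, netd would stall in this loop instead of reporting a failure. The same holds for every other `"-w"` insertion in the later hunks of this file. If the bundled iptables accepts a seconds argument to `-w` (not visible from this diff), a bounded wait would turn a stuck lock into an error that the existing result handling can see. A short comment above the table would also help, for example `/* -w: wait for the xtables lock; a concurrent iptables run otherwise fails and the rule is lost */`. The enclosing function starts and ends outside the hunk.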
@@ -120,9 +120,9 @@
* - internally it will be memcopied to an array and terminated with a NULL.
*/
struct CommandsAndArgs defaultCommands[] = {
- {{IPTABLES_PATH, "-F", LOCAL_FORWARD,}, 1},
- {{IPTABLES_PATH, "-A", LOCAL_FORWARD, "-j", "DROP"}, 1},
- {{IPTABLES_PATH, "-t", "nat", "-F", LOCAL_NAT_POSTROUTING}, 1},
+ {{IPTABLES_PATH, "-w", "-F", LOCAL_FORWARD,}, 1},
+ {{IPTABLES_PATH, "-w", "-A", LOCAL_FORWARD, "-j", "DROP"}, 1},
+ {{IPTABLES_PATH, "-w", "-t", "nat", "-F", LOCAL_NAT_POSTROUTING}, 1},
};
for (unsigned int cmdNum = 0; cmdNum < ARRAY_SIZE(defaultCommands); cmdNum++) {
if (runCmd(ARRAY_SIZE(defaultCommands[cmdNum].cmd), defaultCommands[cmdNum].cmd) &&
@@ -155,6 +155,7 @@
if (natCount == 0) {
const char *cmd[] = {
IPTABLES_PATH,
+ "-w",
"-t",
"nat",
"-A",
@@ -184,6 +185,7 @@
/* Always make sure the drop rule is at the end */
const char *cmd1[] = {
IPTABLES_PATH,
+ "-w",
"-D",
LOCAL_FORWARD,
"-j",
@@ -192,6 +194,7 @@
runCmd(ARRAY_SIZE(cmd1), cmd1);
const char *cmd2[] = {
IPTABLES_PATH,
+ "-w",
"-A",
LOCAL_FORWARD,
"-j",
@@ -230,6 +233,7 @@
}
const char *cmd2b[] = {
IPTABLES_PATH,
+ "-w",
"-A",
LOCAL_TETHER_COUNTERS_CHAIN,
"-i",
@@ -255,6 +259,7 @@
const char *cmd3b[] = {
IPTABLES_PATH,
+ "-w",
"-A",
LOCAL_TETHER_COUNTERS_CHAIN,
"-i",
@@ -278,6 +283,7 @@
int NatController::setForwardRules(bool add, const char *intIface, const char *extIface) {
const char *cmd1[] = {
IPTABLES_PATH,
+ "-w",
add ? "-A" : "-D",
LOCAL_FORWARD,
"-i",
@@ -299,6 +305,7 @@
const char *cmd2[] = {
IPTABLES_PATH,
+ "-w",
add ? "-A" : "-D",
LOCAL_FORWARD,
"-i",
@@ -315,6 +322,7 @@
const char *cmd3[] = {
IPTABLES_PATH,
+ "-w",
add ? "-A" : "-D",
LOCAL_FORWARD,
"-i",
@@ -345,10 +353,10 @@
return 0;
err_return:
- cmd2[1] = "-D";
+ cmd2[2] = "-D";
runCmd(ARRAY_SIZE(cmd2), cmd2);
err_invalid_drop:
- cmd1[1] = "-D";
+ cmd1[2] = "-D";
runCmd(ARRAY_SIZE(cmd1), cmd1);
return rc;
}
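Review bot: The rollback writes `cmd2[2] = "-D";` and `cmd1[2] = "-D";` are coupled by hand to the slot holding `add ? "-A" : "-D"`, which this commit moved from index 1 to 2 by inserting `"-w"`. If a later edit shifts the arrays again and misses these two lines, the cleanup would overwrite an option rather than the operation, the delete would presumably fail, and the LOCAL_FORWARD rules built earlier in setForwardRules could stay installed. A named constant for the operation slot, e.g. `static const int kOpIdx = 2;` used as `cmd2[kOpIdx] = "-D";`, would make that dependency explicit. The return values of both rollback `runCmd` calls are discarded, so a failed cleanup is silent; logging a failure there would make leftover rules detectable. setForwardRules begins outside this hunk.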