Move enableChildChains to iptables-restore.
This saves 100-200ms on boot.
(cherry picked from commit 0b64071d1326214b83e7dfb90701a4ee14ab6036)
Bug: 37641280
Test: marlin builds and boots
Test: new unit test passes
Test: netd_{unit,integration}_test pass
Test: fw_dozable added/removed from fw_INPUT/fw_OUTPUT on "adb shell dumpsys deviceidle <force-idle|unforce>"
Change-Id: Iaa8daba011cf187d07526b2b85f9e9aba83adf4f
Merged-In: Iabd2fa6ea260495feee3335b1605f3699b1722c5
diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
index a33d92e..b235f91 100644
--- a/server/FirewallController.cpp
+++ b/server/FirewallController.cpp
@@ -118,14 +118,13 @@
return res;
}
- if (enable) {
- res |= attachChain(name, LOCAL_INPUT);
- res |= attachChain(name, LOCAL_OUTPUT);
- } else {
- res |= detachChain(name, LOCAL_INPUT);
- res |= detachChain(name, LOCAL_OUTPUT);
+ std::string command = "*filter\n";
+ for (const char *parent : { LOCAL_INPUT, LOCAL_OUTPUT }) {
+ StringAppendF(&command, "%s %s -j %s\n", (enable ? "-A" : "-D"), parent, name);
}
- return res;
+ StringAppendF(&command, "COMMIT\n");
+
+ return execIptablesRestore(V4V6, command);
}
int FirewallController::isFirewallEnabled(void) {
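Review bot: The `StringAppendF("%s %s -j %s\n", ...)` line now splices `name` into a newline-delimited iptables-restore script, whereas the removed attachChain/detachChain passed it to execIptables as a separate argv element, so a `name` containing whitespace or a newline could previously only yield a bad argument but now would be parsed as extra rule text by iptables-restore. The start of enableChildChains is outside this hunk, so if `name` is already restricted there to the fixed set of child-chain names this is fine and deserves a one-line comment at the loop, `// name is one of the fixed child chains checked above; it is embedded unescaped in the restore script`; otherwise reject it before building the command, e.g. `if (name == nullptr || strpbrk(name, " \t\n") != nullptr) return -1;` (with the error value matching what the early-return path above uses). A second, inferred difference worth a note in the commit or a comment: the old code issued two independent `res |=` calls so a failed `-D` on one parent did not prevent the other, while a single restore transaction presumably aborts both on the first error, which changes the partial-failure behaviour of the disable path.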
@@ -215,14 +214,6 @@
return execIptablesRestore(V4V6, command);
}
-int FirewallController::attachChain(const char* childChain, const char* parentChain) {
- return execIptables(V4V6, "-t", TABLE, "-A", parentChain, "-j", childChain, NULL);
-}
-
-int FirewallController::detachChain(const char* childChain, const char* parentChain) {
- return execIptables(V4V6, "-t", TABLE, "-D", parentChain, "-j", childChain, NULL);
-}
-
int FirewallController::createChain(const char* chain, FirewallType type) {
static const std::vector<int32_t> NO_UIDS;
return replaceUidChain(chain, type == WHITELIST, NO_UIDS);