0e540ec038dfdbcf5cba3d5b9b2765e1dcec062b |
|
27-Aug-2013 |
JP Abgrall <jpa@google.com> |
BandwidthController: fix bad flushing for bw_costly_* tables. Some of the bw_costly_<iface> rules would not get correctly flushed and cleared on netd re-start, which would cause a failure when trying to setup the bw_penalty_box as bw_costly_<iface> would reference it. The resulting symptom would be that bandwidth could not be re-enabled. Bug: 10183445 Change-Id: I79a8a73ae52e18b3bff8a58e47ac1aea2454ae63
/system/netd/BandwidthController.h
|
e478873947f995e44e8c559342462c177a420ae0 |
|
03-Jul-2013 |
JP Abgrall <jpa@google.com> |
BandwidthController: add support for "nice apps" and the "happy box" * ndc bandwidth happybox (enable | disable) - enable . creates a an empty happy_box chain which rejects all traffic from all UIDs by default. . Uses the penalty_box as a hook. Any costly_interface automatically gets the happy_box as it has a penalty_box. . any app UID not in the happy_box will be treated as if it was in the penalty_box (i.e. addnaughtyapps) . penalty_box (addnaughtyapps) still applies. - disable . removes the happy box. * ndc bandwidth addniceapps <appUid> ... - similar to addnaughtyapps, but for the happy_box * ndc bandwidth removeniceapps <appUid> ... - similar to removenaughtyapps, but for the happy_box Bug: 6212480 Change-Id: I1f10e8c6fa1b230c7b3bb070d88508e437589705
/system/netd/BandwidthController.h
|
a9ba4cba3369e07aae05607f82424cc0075c9c34 |
|
03-Jul-2013 |
JP Abgrall <jpa@google.com> |
BandwidthController: switch to generic handling for naughty apps. Rename some stuff in preparation for nice apps and the "happy box". Bug: 6212480 Change-Id: I637c4283695ac619533999beab4f88968580d2e4
/system/netd/BandwidthController.h
|
baeccc455b293c2c83dbe6463f56b741177bd612 |
|
25-Jun-2013 |
JP Abgrall <jpa@google.com> |
netd: tethering stats: persistent + list-all support * Persistent stats Previously we would parse the iptables counters out of the FORWARD rules used for tethering. Those rules could come an go before they were parsed, which would cause us to incorrectly count traffic. Now we have separate counting rules (and quota2 counters) which persist beyond tethering. * Rename the iface0/iface1 Match NatControllers notions for tethering ifaces during enable. Detect weird call from userspace (until b/9565268 gets fixed), or else it leaves an ugly iptables state. * The commands affected: - ndc bandwidth gettetheringstats intIface extIface . no change from before: return a single stats line - ndc bandwidth gettetheringstats . return a list of results showing all tethered stats - ndc bandwidth gettetheringstats "" extIface - ndc bandwidth gettetheringstats intIface . return a list of results matching the tethering on the given interface. Bug: 9565268 Bug: 5868832 Change-Id: I8559d9a184abcffaf65998fb3cc8c9c50d46bf06
/system/netd/BandwidthController.h
|
109899bc63139c5260cb9a7dc409f92efaf2c4b7 |
|
13-Feb-2013 |
JP Abgrall <jpa@google.com> |
BandwidthController: fixup insertion pos in costly chain handling * Long time ago, setting an alert in a costly_<iface> chain required adding it just before the ACCEPT rule that was at the end. But since then the ACCEPT rule has been removed. This would cause the insert to pick the last position no matter what. Now we just append. * A naughty app in the penalty box could waste up quota on packets that would get dropped in the later penalty_box rule. Now we check the penalty_box before feeding it to the quota. Change-Id: Id4b6a7c020583f1cccc7dccde34c4b85d0fd9642
/system/netd/BandwidthController.h
|
14150215fcd9060c25a25930e85057df5904f6f6 |
|
24-Jan-2013 |
Rom Lemarchand <romlem@google.com> |
Replace custom logwrapper implementation with liblogwrap Use liblogwrap to provide logwrapper functionality instead of using netd's own implementation. Change-Id: I10e69aa95989f77c63b5b36825ee7c77fba48c88
/system/netd/BandwidthController.h
|
8e188ed5c989ddcc07f0f5e9839493c22d17e7b6 |
|
13-Jul-2012 |
Jeff Sharkey <jsharkey@android.com> |
Consolidate iptables chain management. Move creation and management of module iptables chains up into CommandListener, which gives better visibility into ordering. Change-Id: If0c94187c6e59a20840b035d7241057f45a0f74b
/system/netd/BandwidthController.h
|
1fb02dfc26e06b83e756ab3538b7ebc2136f535d |
|
25-Apr-2012 |
JP Abgrall <jpa@google.com> |
bandwidthcontroller: hide iptables errors when they don't matter Some commands are run to be able to recover after failures. Those cleanup commands are generally allowed to fail. But the lower level system commands would log an error. Now that error is hidden if nobody will care about the result. A "#define LOG_NDEBUG 0" will show those failing commands. Removed leftover LOG_NDEBUG in CommandListener. Bug: 6377175 Change-Id: I1205fb077f7d0496969bd2a0b5da42025bc5a8dc
/system/netd/BandwidthController.h
|
0031cead820149e2fe3ccb3cc2fe05758a3cb5c2 |
|
18-Apr-2012 |
JP Abgrall <jpa@google.com> |
netd: Idletimer vs Nat vs Bandwidth controllers * modified iptables users to work in controller specific custom chains. - each controller only works withing his own custom chains and not the top level ones (INPUT, OUTPUT, FORWARD, POSTROUTING,...) - CommandListener now invokes setupIptablesHooks() for each controller once. That is the only time they are allowed to access the top-level chains. * Added idletimer controller. From https://android-git.corp.google.com/g/#/c/180769/2 - supported commands . ndc idletimer enable . ndc idletimer add <iface> <timeout> . ndc idletimer remove <iface> <timeout_used_during_add> There is a framework change elsewhere that receives netlink messages. Signed-off-by: Ashish Sharma <ashishsharma@google.com> Signed-off-by: JP Abgrall <jpa@google.com> Change-Id: Ia57450c09166ce20f21d1e3b49047ef1e98f2a3d
/system/netd/BandwidthController.h
|
c2b26cb83d9bf3f91e986625efcc40fc8eb79a13 |
|
23-Feb-2012 |
Nick Kralevich <nnk@google.com> |
BandwidthController: fix format string bugs In 876666947664c718a8d0cae9bbddb06cc91f912c, a new %s was added to ALERT_IPT_TEMPLATE. Not all users of this string were updated. This change modifies ALERT_IPT_TEMPLATE to be a #define, which allows gcc's format string detection work. Add -Werror=format to error out on any string format warning. Testing: Code compiles. I don't know how to test this change properly. Bug: 5948299 Change-Id: I0ec307972e6bf50abd8ba099166c22069a6c6580
/system/netd/BandwidthController.h
|
a2a64f004f1677daf16b0b03d589d6572ec547c2 |
|
12-Nov-2011 |
JP Abgrall <jpa@google.com> |
netd: BandwidthController: return extra info on gettetherstats failure Use the error message string to report the raw parsed data in case of failure. Bug:5543131 Change-Id: If9f3bcea09fd3ab8a506955d8153b3430bfd239c
/system/netd/BandwidthController.h
|
c6c673496184bed6d62cf92a6fc7ed43fd94acd5 |
|
08-Oct-2011 |
JP Abgrall <jpa@google.com> |
netd: bandwidth: tethering global alert support Now, when nat is enabled/disabled it will let the bandwidthcontroller know that it might need to add/remove the matching global alert into the tethering rules in the FORWARD chain of iptables. Bug: 5336638 Change-Id: I1843f3f6601f371537f754a31db792e054b36a1d
/system/netd/BandwidthController.h
|
db7da58e8d2aa021060098057f944ef754be06e3 |
|
18-Sep-2011 |
JP Abgrall <jpa@google.com> |
netd: BandwidthController: support reading out tethering stats * Add ndc bandwidth gettetherstats <ifaceIn> <ifaceOut> which returns 221 ifaceIn ifaceOut rx_bytes rx_packets tx_bytes tx_packets If the iface pair is not found it will fail. 221 is the new response code for TetheringStatsResult. It gets the stats by looking at the iptables FORWARD chain's counters. * Fixed return handling after some of the responses. - no need for errorno - after ResponseCode >= 200, don't return another. * Correctly initialize the alert values on "bandwidth enable" Bug: 5244846,5230066 Change-Id: I81c941441525fa4055ae270d5cad05e6c42b8f72
/system/netd/BandwidthController.h
|
11b4e9b26fe7b878992162afb39f5a8acfd143ed |
|
12-Aug-2011 |
JP Abgrall <jpa@google.com> |
netd: all: use system() instead of logwrap() for now. The logwrapper uses a blocking read() which does not always correctly detect when the child process at the other end is gone. This is a quick workaround for http://b/5144246 A cleaner logwrapper parent() will follow. Add support for BandwidthController() to use either system() or logwrap(). It looks at "persist.bandwidth.uselogwrap" to be 0 or 1. Change-Id: I2d17732214f1a7fef6838eee05d827695b707ab0 Signed-off-by: JP Abgrall <jpa@google.com>
/system/netd/BandwidthController.h
|
8a93272255f1b7e3083a97e1e28ddf675c0c7fb0 |
|
14-Jul-2011 |
JP Abgrall <jpa@google.com> |
netd: bandwidthcontroler: add support for alerts via iptables' quota2 log messages * Fix quota2 updating. The old insert-new/delete-old scheme doesn't work as the kernel keeps the old counter assigned to the new rule. * Add support for setting dummy quotas used only for alerts. This needs: - new kernel with quota2 changes that support logging via NETLINK's NETLINK_NFLOG family. - NetlinkManager support for receiving the events. - java land handler for these new events. * new commands - add/remove a dummy quota to generate an alert after <bytes> are seen including loopback. alerts are only triggered once. . ndc bandwidth setglobalalert <bytes> calling it multiple times, just re-arms the alert for the specified number of bytes. Use "ndc bandwidth getiquota singleAlert" to get what is left. . ndc bandwidth removeglobalalert - add/remove alert on a shared quota (similar accounting as shared quota) . ndc bandwidth setsharedalert <bytes> Requires that a shared quota already exist. . ndc bandwidth removesharedalert Removing the last of the shared quotas will remove the matching alert. - add/remove alert on an interface (similar accounting as interface quota) . ndc bandwidth setinterfacealert <iface> <bytes> Requires that a interface quota already exist. . ndc bandwidth removeinterfacealert <iface> Removing the interface quota will remove the matching alert. - get the quotas and alert leftovers . ndc bandwidth getquota shared quota leftover . ndc bandwidth getiquota <quota_name_or_iface> iface specific quota leftover Can be used to read-out alerts. E.g. setglobalalert 12345 -> getiquota globalAlert setsharedalert 12345 -> getiquota sharedAlert setinterfacealert iface0 12345 -> getiquota iface0Alert Change-Id: Iea9698b9d20e713281755dac32b4772a6cf0e84e
/system/netd/BandwidthController.h
|
26e0d49fa743d7881104196a9eda733bd2aac92f |
|
25-Jun-2011 |
JP Abgrall <jpa@google.com> |
netd: bandwidthcontroller: cleanup bool usage for readability. replace stuff like: f(buff, true, false) -> f(buff, ActionA, CaseD) Change-Id: I8ff1d84f077d8f57263ecb7937b3f2caca86284b
/system/netd/BandwidthController.h
|
0dad7c2f1f6994fbe5e85b9e1fc72d29d6453211 |
|
24-Jun-2011 |
JP Abgrall <jpa@google.com> |
BandwidthController: cleanup ipv4/v6, set/remove multiple quotas. Regroup the ipv4/ipv6 choice deeper down to avoid copypasted code. Shared quota accross ifaces. Single quota per ifaces. Nothing preventing an iface from have a single and shared quota. Might be close to having a working combination. Added commands: - shared quota ndc bandwidth setquotas <quotaBytes> <iface> ... ndc bandwidth setquota <iface> <quotaBytes> ndc bandwidth removequota <iface> ndc bandwidth removequotas <iface> ... - quota per iface ndc bandwidth setiquota <iface> <quotaBytes> ndc bandwidth removeiquota <iface> Change-Id: I370d223da3c8b6e16e8d0a455309ae9e0756a721
/system/netd/BandwidthController.h
|
fa6f46d3370ae5475fc3bc8273bbe04ee7348d60 |
|
18-Jun-2011 |
JP Abgrall <jpa@google.com> |
netd:bandwidth: initial pass at app-rules, and some ipv6. Adds initial per-app penalty box rules, and prepares for handling per iface quota. The following commands work: * penalty box ndc bandwidth addnaughtyapps <uid> ... ndc bandwidth removenaughtyapps <uid> ... * Shared quota - add (updates the bytes, if they differ from last time) ndc bandwidth setquota <iface> <bytes> ndc bandwidth setquota <iface1> <bytes> ndc bandwidth setquota <iface2> <bytes> - remove ndc bandwidth removequota <iface> [ oldschool: ndc bandwidth setquota <iface> -1 ] Change-Id: Ibefc16e81c7713feb47577a9687dcd032dedf06e
/system/netd/BandwidthController.h
|
4a5f5ca3c9e07fc3e6feca2afde07f41a8a64f11 |
|
16-Jun-2011 |
JP Abgrall <jpa@google.com> |
system/netd: bandwidth management initial support (uid+tag stats) This is a minimalistic version to get accounting of data going through tagged socket per uid. When netd starts up the BandwidthController, it will look at the properties for persist.bandwidth.enable=1 and enabled it. It needs the kernel with the xt_qtaguid + iptables/netfilter goodness. stlport is ok to use. The "owner" netfilter module used is actually our xt_qtaguid that acts as it (just until we get around to talking directly the to kernel). Once "ndc bandwidth enable" is invoked all traffic is counted against the UIDs receiving/sending it. This allows BlockGuard.java to "tag" sockets and see stats for the tags. Data shows up in /proc/net/xt_qtaguid/stats /proc/net/xt_qtaguid/iface_stat/<iface>/ rx_packets_tcp rx_bytes_tcp ... There is no <uid>/... Supported commands: - "ndc bandwidth enable" will setup the needed iptable entries to track tag/uid. - "ndc bandwidth disable" will remove the iptable entries. - "ndc bandwidth setquota <iface> <value>" will set a quota on the iface. Once quota is reached, packets are rejected. With the correct kernel, rejects are turned in socket errors. TODO ---- * make bandwidth controller cooperate with tethering. - they both manipulate the iptables. Change-Id: Ieb9e7c60ef8c974e99828f7833065d59b2922bf3
/system/netd/BandwidthController.h
|