History log of /system/netd/BandwidthController.h
Revision Date Author Comments
0e540ec038dfdbcf5cba3d5b9b2765e1dcec062b 27-Aug-2013 JP Abgrall <jpa@google.com> BandwidthController: fix bad flushing for bw_costly_* tables.

Some of the bw_costly_<iface> rules would not get correctly flushed and
cleared on netd re-start, which would cause a failure when trying to
setup the bw_penalty_box as bw_costly_<iface> would reference it.
The resulting symptom would be that bandwidth could not be re-enabled.

Bug: 10183445
Change-Id: I79a8a73ae52e18b3bff8a58e47ac1aea2454ae63
/system/netd/BandwidthController.h
e478873947f995e44e8c559342462c177a420ae0 03-Jul-2013 JP Abgrall <jpa@google.com> BandwidthController: add support for "nice apps" and the "happy box"

* ndc bandwidth happybox (enable | disable)
- enable
. creates an empty happy_box chain which rejects all traffic from all UIDs by default.
. Uses the penalty_box as a hook. Any costly_interface automatically gets the happy_box as it has a penalty_box.
. any app UID not in the happy_box will be treated as if it was in the penalty_box (i.e. addnaughtyapps)
. penalty_box (addnaughtyapps) still applies.
- disable
. removes the happy box.
* ndc bandwidth addniceapps <appUid> ...
- similar to addnaughtyapps, but for the happy_box
* ndc bandwidth removeniceapps <appUid> ...
- similar to removenaughtyapps, but for the happy_box

Bug: 6212480
Change-Id: I1f10e8c6fa1b230c7b3bb070d88508e437589705
/system/netd/BandwidthController.h
a9ba4cba3369e07aae05607f82424cc0075c9c34 03-Jul-2013 JP Abgrall <jpa@google.com> BandwidthController: switch to generic handling for naughty apps.

Rename some stuff in preparation for nice apps and the "happy box".

Bug: 6212480
Change-Id: I637c4283695ac619533999beab4f88968580d2e4
/system/netd/BandwidthController.h
baeccc455b293c2c83dbe6463f56b741177bd612 25-Jun-2013 JP Abgrall <jpa@google.com> netd: tethering stats: persistent + list-all support

* Persistent stats
Previously we would parse the iptables counters out of the FORWARD
rules used for tethering. Those rules could come and go before they
were parsed, which would cause us to incorrectly count traffic.
Now we have separate counting rules (and quota2 counters) which
persist beyond tethering.

* Rename the iface0/iface1
Match NatControllers notions for tethering ifaces during enable.
Detect weird call from userspace (until b/9565268 gets fixed),
or else it leaves an ugly iptables state.

* The commands affected:
- ndc bandwidth gettetheringstats intIface extIface
. no change from before: return a single stats line
- ndc bandwidth gettetheringstats
. return a list of results showing all tethered stats
- ndc bandwidth gettetheringstats "" extIface
- ndc bandwidth gettetheringstats intIface
. return a list of results matching the tethering on
the given interface.

Bug: 9565268
Bug: 5868832
Change-Id: I8559d9a184abcffaf65998fb3cc8c9c50d46bf06
/system/netd/BandwidthController.h
109899bc63139c5260cb9a7dc409f92efaf2c4b7 13-Feb-2013 JP Abgrall <jpa@google.com> BandwidthController: fixup insertion pos in costly chain handling

* Long time ago, setting an alert in a costly_<iface> chain required adding
it just before the ACCEPT rule that was at the end.
But since then the ACCEPT rule has been removed.
This would cause the insert to pick the last position no matter what.
Now we just append.

* A naughty app in the penalty box could waste up quota on packets that would
get dropped in the later penalty_box rule.
Now we check the penalty_box before feeding it to the quota.

Change-Id: Id4b6a7c020583f1cccc7dccde34c4b85d0fd9642
/system/netd/BandwidthController.h
14150215fcd9060c25a25930e85057df5904f6f6 24-Jan-2013 Rom Lemarchand <romlem@google.com> Replace custom logwrapper implementation with liblogwrap

Use liblogwrap to provide logwrapper functionality instead of
using netd's own implementation.

Change-Id: I10e69aa95989f77c63b5b36825ee7c77fba48c88
/system/netd/BandwidthController.h
8e188ed5c989ddcc07f0f5e9839493c22d17e7b6 13-Jul-2012 Jeff Sharkey <jsharkey@android.com> Consolidate iptables chain management.

Move creation and management of module iptables chains up into
CommandListener, which gives better visibility into ordering.

Change-Id: If0c94187c6e59a20840b035d7241057f45a0f74b
/system/netd/BandwidthController.h
1fb02dfc26e06b83e756ab3538b7ebc2136f535d 25-Apr-2012 JP Abgrall <jpa@google.com> bandwidthcontroller: hide iptables errors when they don't matter

Some commands are run to be able to recover after failures.
Those cleanup commands are generally allowed to fail.
But the lower level system commands would log an error.
Now that error is hidden if nobody will care about the result.
A "#define LOG_NDEBUG 0" will show those failing commands.

Removed leftover LOG_NDEBUG in CommandListener.

Bug: 6377175
Change-Id: I1205fb077f7d0496969bd2a0b5da42025bc5a8dc
/system/netd/BandwidthController.h
0031cead820149e2fe3ccb3cc2fe05758a3cb5c2 18-Apr-2012 JP Abgrall <jpa@google.com> netd: Idletimer vs Nat vs Bandwidth controllers

* modified iptables users to work in controller specific custom chains.
- each controller only works within its own custom chains and not the
top level ones (INPUT, OUTPUT, FORWARD, POSTROUTING,...)
- CommandListener now invokes setupIptablesHooks() for each controller
once. That is the only time they are allowed to access the top-level
chains.

* Added idletimer controller.
From https://android-git.corp.google.com/g/#/c/180769/2
- supported commands
. ndc idletimer enable
. ndc idletimer add <iface> <timeout>
. ndc idletimer remove <iface> <timeout_used_during_add>
There is a framework change elsewhere that receives netlink messages.

Signed-off-by: Ashish Sharma <ashishsharma@google.com>
Signed-off-by: JP Abgrall <jpa@google.com>
Change-Id: Ia57450c09166ce20f21d1e3b49047ef1e98f2a3d
/system/netd/BandwidthController.h
c2b26cb83d9bf3f91e986625efcc40fc8eb79a13 23-Feb-2012 Nick Kralevich <nnk@google.com> BandwidthController: fix format string bugs

In 876666947664c718a8d0cae9bbddb06cc91f912c, a new %s
was added to ALERT_IPT_TEMPLATE. Not all users of this string
were updated.

This change modifies ALERT_IPT_TEMPLATE to be a #define, which
allows gcc's format string detection to work.

Add -Werror=format to error out on any string format warning.

Testing: Code compiles. I don't know how to test this change
properly.

Bug: 5948299
Change-Id: I0ec307972e6bf50abd8ba099166c22069a6c6580
/system/netd/BandwidthController.h
a2a64f004f1677daf16b0b03d589d6572ec547c2 12-Nov-2011 JP Abgrall <jpa@google.com> netd: BandwidthController: return extra info on gettetherstats failure

Use the error message string to report the raw parsed data in case of
failure.

Bug: 5543131
Change-Id: If9f3bcea09fd3ab8a506955d8153b3430bfd239c
/system/netd/BandwidthController.h
c6c673496184bed6d62cf92a6fc7ed43fd94acd5 08-Oct-2011 JP Abgrall <jpa@google.com> netd: bandwidth: tethering global alert support

Now, when nat is enabled/disabled it will let the bandwidthcontroller
know that it might need to add/remove the matching global alert into
the tethering rules in the FORWARD chain of iptables.

Bug: 5336638
Change-Id: I1843f3f6601f371537f754a31db792e054b36a1d
/system/netd/BandwidthController.h
db7da58e8d2aa021060098057f944ef754be06e3 18-Sep-2011 JP Abgrall <jpa@google.com> netd: BandwidthController: support reading out tethering stats

* Add
ndc bandwidth gettetherstats <ifaceIn> <ifaceOut>
which returns
221 ifaceIn ifaceOut rx_bytes rx_packets tx_bytes tx_packets
If the iface pair is not found it will fail.

221 is the new response code for TetheringStatsResult.
It gets the stats by looking at the iptables FORWARD chain's counters.

* Fixed return handling after some of the responses.
- no need for errorno
- after ResponseCode >= 200, don't return another.

* Correctly initialize the alert values on "bandwidth enable"

Bug: 5244846,5230066
Change-Id: I81c941441525fa4055ae270d5cad05e6c42b8f72
/system/netd/BandwidthController.h
11b4e9b26fe7b878992162afb39f5a8acfd143ed 12-Aug-2011 JP Abgrall <jpa@google.com> netd: all: use system() instead of logwrap() for now.

The logwrapper uses a blocking read() which does not always
correctly detect when the child process at the other end is gone.
This is a quick workaround for http://b/5144246
A cleaner logwrapper parent() will follow.

Add support for BandwidthController() to use either system() or
logwrap(). It looks at "persist.bandwidth.uselogwrap" to be 0 or 1.

Change-Id: I2d17732214f1a7fef6838eee05d827695b707ab0
Signed-off-by: JP Abgrall <jpa@google.com>
/system/netd/BandwidthController.h
8a93272255f1b7e3083a97e1e28ddf675c0c7fb0 14-Jul-2011 JP Abgrall <jpa@google.com> netd: bandwidthcontroller: add support for alerts via iptables' quota2 log messages

* Fix quota2 updating. The old insert-new/delete-old scheme doesn't work as the kernel
keeps the old counter assigned to the new rule.

* Add support for setting dummy quotas used only for alerts.

This needs:
- new kernel with quota2 changes that support logging via NETLINK's
NETLINK_NFLOG family.
- NetlinkManager support for receiving the events.
- java land handler for these new events.

* new commands
- add/remove a dummy quota to generate an alert after <bytes> are seen including loopback.
alerts are only triggered once.
. ndc bandwidth setglobalalert <bytes>
calling it multiple times, just re-arms the alert for the specified number of bytes.
Use "ndc bandwidth getiquota singleAlert" to get what is left.
. ndc bandwidth removeglobalalert
- add/remove alert on a shared quota (similar accounting as shared quota)
. ndc bandwidth setsharedalert <bytes>
Requires that a shared quota already exist.
. ndc bandwidth removesharedalert
Removing the last of the shared quotas will remove the matching alert.
- add/remove alert on an interface (similar accounting as interface quota)
. ndc bandwidth setinterfacealert <iface> <bytes>
Requires that an interface quota already exist.
. ndc bandwidth removeinterfacealert <iface>
Removing the interface quota will remove the matching alert.
- get the quotas and alert leftovers
. ndc bandwidth getquota
shared quota leftover
. ndc bandwidth getiquota <quota_name_or_iface>
iface specific quota leftover
Can be used to read-out alerts. E.g.
setglobalalert 12345 -> getiquota globalAlert
setsharedalert 12345 -> getiquota sharedAlert
setinterfacealert iface0 12345 -> getiquota iface0Alert

Change-Id: Iea9698b9d20e713281755dac32b4772a6cf0e84e
/system/netd/BandwidthController.h
26e0d49fa743d7881104196a9eda733bd2aac92f 25-Jun-2011 JP Abgrall <jpa@google.com> netd: bandwidthcontroller: cleanup bool usage for readability.

replace stuff like:
f(buff, true, false) -> f(buff, ActionA, CaseD)

Change-Id: I8ff1d84f077d8f57263ecb7937b3f2caca86284b
/system/netd/BandwidthController.h
0dad7c2f1f6994fbe5e85b9e1fc72d29d6453211 24-Jun-2011 JP Abgrall <jpa@google.com> BandwidthController: cleanup ipv4/v6, set/remove multiple quotas.

Regroup the ipv4/ipv6 choice deeper down to avoid copypasted code.
Shared quota across ifaces.
Single quota per iface.

Nothing preventing an iface from having a single and shared quota.
Might be close to having a working combination.

Added commands:
- shared quota
ndc bandwidth setquotas <quotaBytes> <iface> ...
ndc bandwidth setquota <iface> <quotaBytes>
ndc bandwidth removequota <iface>
ndc bandwidth removequotas <iface> ...

- quota per iface
ndc bandwidth setiquota <iface> <quotaBytes>
ndc bandwidth removeiquota <iface>

Change-Id: I370d223da3c8b6e16e8d0a455309ae9e0756a721
/system/netd/BandwidthController.h
fa6f46d3370ae5475fc3bc8273bbe04ee7348d60 18-Jun-2011 JP Abgrall <jpa@google.com> netd:bandwidth: initial pass at app-rules, and some ipv6.

Adds initial per-app penalty box rules, and prepares for
handling per iface quota.

The following commands work:

* penalty box

ndc bandwidth addnaughtyapps <uid> ...
ndc bandwidth removenaughtyapps <uid> ...

* Shared quota

- add (updates the bytes, if they differ from last time)

ndc bandwidth setquota <iface> <bytes>
ndc bandwidth setquota <iface1> <bytes>
ndc bandwidth setquota <iface2> <bytes>

- remove
ndc bandwidth removequota <iface>
[ oldschool: ndc bandwidth setquota <iface> -1 ]

Change-Id: Ibefc16e81c7713feb47577a9687dcd032dedf06e
/system/netd/BandwidthController.h
4a5f5ca3c9e07fc3e6feca2afde07f41a8a64f11 16-Jun-2011 JP Abgrall <jpa@google.com> system/netd: bandwidth management initial support (uid+tag stats)

This is a minimalistic version to get accounting of data going
through tagged socket per uid.

When netd starts up the BandwidthController, it will look at the
properties for
persist.bandwidth.enable=1
and enable it.

It needs the kernel with the xt_qtaguid + iptables/netfilter goodness.
stlport is ok to use.

The "owner" netfilter module used is actually our xt_qtaguid that acts as it
(just until we get around to talking directly to the kernel).

Once
"ndc bandwidth enable"
is invoked all traffic is counted against the UIDs receiving/sending it.
This allows BlockGuard.java to "tag" sockets and see stats for the tags.

Data shows up in
/proc/net/xt_qtaguid/stats

/proc/net/xt_qtaguid/iface_stat/<iface>/
rx_packets_tcp
rx_bytes_tcp
...
There is no <uid>/...

Supported commands:
- "ndc bandwidth enable"
will setup the needed iptable entries to track tag/uid.
- "ndc bandwidth disable"
will remove the iptable entries.
- "ndc bandwidth setquota <iface> <value>"
will set a quota on the iface.
Once quota is reached, packets are rejected.
With the correct kernel, rejects are turned into socket errors.

TODO
----
* make bandwidth controller cooperate with tethering.
- they both manipulate the iptables.

Change-Id: Ieb9e7c60ef8c974e99828f7833065d59b2922bf3
/system/netd/BandwidthController.h