2 * Copyright (C) 2011 The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 // #define LOG_NDEBUG 0
20 * The CommandListener, FrameworkListener don't allow for
21 * multiple calls in parallel to reach the BandwidthController.
22 * If they ever were to allow it, then netd/ would need some tweaking.
32 #define __STDC_FORMAT_MACROS 1
35 #include <sys/socket.h>
37 #include <sys/types.h>
40 #include <linux/netlink.h>
41 #include <linux/rtnetlink.h>
42 #include <linux/pkt_sched.h>
44 #define LOG_TAG "BandwidthController"
45 #include <cutils/log.h>
46 #include <cutils/properties.h>
47 #include <logwrap/logwrap.h>
49 #include "NetdConstants.h"
50 #include "BandwidthController.h"
51 #include "NatController.h" /* For LOCAL_TETHER_COUNTERS_CHAIN */
52 #include "ResponseCode.h"
55 #define ALERT_IPT_TEMPLATE "%s %s -m quota2 ! --quota %" PRId64" --name %s"
56 const char BandwidthController::ALERT_GLOBAL_NAME[] = "globalAlert";
57 const char* BandwidthController::LOCAL_INPUT = "bw_INPUT";
58 const char* BandwidthController::LOCAL_FORWARD = "bw_FORWARD";
59 const char* BandwidthController::LOCAL_OUTPUT = "bw_OUTPUT";
60 const char* BandwidthController::LOCAL_RAW_PREROUTING = "bw_raw_PREROUTING";
61 const char* BandwidthController::LOCAL_MANGLE_POSTROUTING = "bw_mangle_POSTROUTING";
62 const int BandwidthController::MAX_CMD_ARGS = 32;
63 const int BandwidthController::MAX_CMD_LEN = 1024;
64 const int BandwidthController::MAX_IFACENAME_LEN = 64;
65 const int BandwidthController::MAX_IPT_OUTPUT_LINE_LEN = 256;
68 * Some comments about the rules:
70 * - when an interface is marked as costly it should be INSERTED into the INPUT/OUTPUT chains.
71 * E.g. "-I bw_INPUT -i rmnet0 --jump costly"
72 * - quota'd rules in the costly chain should be before bw_penalty_box lookups.
73 * - bw_happy_box rejects everything by default.
74 * - the qtaguid counting is done at the end of the bw_INPUT/bw_OUTPUT user chains.
76 * * global quota vs per interface quota
77 * - global quota for all costly interfaces uses a single costly chain:
79 * iptables -N bw_costly_shared
80 * iptables -I bw_INPUT -i iface0 --jump bw_costly_shared
81 * iptables -I bw_OUTPUT -o iface0 --jump bw_costly_shared
82 * iptables -I bw_costly_shared -m quota \! --quota 500000 \
83 * --jump REJECT --reject-with icmp-net-prohibited
84 * iptables -A bw_costly_shared --jump bw_penalty_box
85 * If the happy box is enabled,
86 * iptables -A bw_penalty_box --jump bw_happy_box
88 * . adding a new iface to this, E.g.:
89 * iptables -I bw_INPUT -i iface1 --jump bw_costly_shared
90 * iptables -I bw_OUTPUT -o iface1 --jump bw_costly_shared
92 * - quota per interface. This is achieve by having "costly" chains per quota.
93 * E.g. adding a new costly interface iface0 with its own quota:
94 * iptables -N bw_costly_iface0
95 * iptables -I bw_INPUT -i iface0 --jump bw_costly_iface0
96 * iptables -I bw_OUTPUT -o iface0 --jump bw_costly_iface0
97 * iptables -A bw_costly_iface0 -m quota \! --quota 500000 \
98 * --jump REJECT --reject-with icmp-port-unreachable
99 * iptables -A bw_costly_iface0 --jump bw_penalty_box
101 * * bw_penalty_box handling:
102 * - only one bw_penalty_box for all interfaces
103 * E.g Adding an app, it has to preserve the appened bw_happy_box, so "-I":
104 * iptables -I bw_penalty_box -m owner --uid-owner app_3 \
105 * --jump REJECT --reject-with icmp-port-unreachable
107 * * bw_happy_box handling:
108 * - The bw_happy_box goes at the end of the penalty box.
109 * E.g Adding a happy app,
110 * iptables -I bw_happy_box -m owner --uid-owner app_3 \
113 const char *BandwidthController::IPT_FLUSH_COMMANDS[] = {
116 * Should normally include bw_costly_<iface>, but we rely on the way they are setup
117 * to allow coexistance.
124 "-F bw_costly_shared",
126 "-t raw -F bw_raw_PREROUTING",
127 "-t mangle -F bw_mangle_POSTROUTING",
130 /* The cleanup commands assume flushing has been done. */
131 const char *BandwidthController::IPT_CLEANUP_COMMANDS[] = {
134 "-X bw_costly_shared",
137 const char *BandwidthController::IPT_SETUP_COMMANDS[] = {
140 "-N bw_costly_shared",
143 const char *BandwidthController::IPT_BASIC_ACCOUNTING_COMMANDS[] = {
144 "-A bw_INPUT -m owner --socket-exists", /* This is a tracking rule. */
146 "-A bw_OUTPUT -m owner --socket-exists", /* This is a tracking rule. */
148 "-A bw_costly_shared --jump bw_penalty_box",
150 "-t raw -A bw_raw_PREROUTING -m owner --socket-exists", /* This is a tracking rule. */
151 "-t mangle -A bw_mangle_POSTROUTING -m owner --socket-exists", /* This is a tracking rule. */
154 BandwidthController::BandwidthController(void) {
157 int BandwidthController::runIpxtablesCmd(const char *cmd, IptJumpOp jumpHandling,
158 IptFailureLog failureHandling) {
161 ALOGV("runIpxtablesCmd(cmd=%s)", cmd);
162 res |= runIptablesCmd(cmd, jumpHandling, IptIpV4, failureHandling);
163 res |= runIptablesCmd(cmd, jumpHandling, IptIpV6, failureHandling);
167 int BandwidthController::StrncpyAndCheck(char *buffer, const char *src, size_t buffSize) {
169 memset(buffer, '\0', buffSize); // strncpy() is not filling leftover with '\0'
170 strncpy(buffer, src, buffSize);
171 return buffer[buffSize - 1];
174 int BandwidthController::runIptablesCmd(const char *cmd, IptJumpOp jumpHandling,
175 IptIpVer iptVer, IptFailureLog failureHandling) {
176 char buffer[MAX_CMD_LEN];
177 const char *argv[MAX_CMD_ARGS];
184 std::string fullCmd = cmd;
186 switch (jumpHandling) {
189 * Must be carefull what one rejects with, as uper layer protocols will just
190 * keep on hammering the device until the number of retries are done.
191 * For port-unreachable (default), TCP should consider as an abort (RFC1122).
193 fullCmd += " --jump REJECT";
196 fullCmd += " --jump RETURN";
202 fullCmd.insert(0, " -w ");
203 fullCmd.insert(0, iptVer == IptIpV4 ? IPTABLES_PATH : IP6TABLES_PATH);
205 if (StrncpyAndCheck(buffer, fullCmd.c_str(), sizeof(buffer))) {
206 ALOGE("iptables command too long");
211 while ((tmp = strsep(&next, " "))) {
213 if (argc >= MAX_CMD_ARGS) {
214 ALOGE("iptables argument overflow");
220 res = android_fork_execvp(argc, (char **)argv, &status, false,
221 failureHandling == IptFailShow);
222 res = res || !WIFEXITED(status) || WEXITSTATUS(status);
223 if (res && failureHandling == IptFailShow) {
224 ALOGE("runIptablesCmd(): res=%d status=%d failed %s", res, status,
230 void BandwidthController::flushCleanTables(bool doClean) {
231 /* Flush and remove the bw_costly_<iface> tables */
232 flushExistingCostlyTables(doClean);
234 /* Some of the initialCommands are allowed to fail */
235 runCommands(sizeof(IPT_FLUSH_COMMANDS) / sizeof(char*),
236 IPT_FLUSH_COMMANDS, RunCmdFailureOk);
239 runCommands(sizeof(IPT_CLEANUP_COMMANDS) / sizeof(char*),
240 IPT_CLEANUP_COMMANDS, RunCmdFailureOk);
244 int BandwidthController::setupIptablesHooks(void) {
246 /* flush+clean is allowed to fail */
247 flushCleanTables(true);
248 runCommands(sizeof(IPT_SETUP_COMMANDS) / sizeof(char*),
249 IPT_SETUP_COMMANDS, RunCmdFailureBad);
254 int BandwidthController::enableBandwidthControl(bool force) {
256 char value[PROPERTY_VALUE_MAX];
259 property_get("persist.bandwidth.enable", value, "1");
260 if (!strcmp(value, "0"))
264 /* Let's pretend we started from scratch ... */
265 sharedQuotaIfaces.clear();
267 globalAlertBytes = 0;
268 globalAlertTetherCount = 0;
269 sharedQuotaBytes = sharedAlertBytes = 0;
271 flushCleanTables(false);
272 res = runCommands(sizeof(IPT_BASIC_ACCOUNTING_COMMANDS) / sizeof(char*),
273 IPT_BASIC_ACCOUNTING_COMMANDS, RunCmdFailureBad);
279 int BandwidthController::disableBandwidthControl(void) {
281 flushCleanTables(false);
285 int BandwidthController::runCommands(int numCommands, const char *commands[],
286 RunCmdErrHandling cmdErrHandling) {
288 IptFailureLog failureLogging = IptFailShow;
289 if (cmdErrHandling == RunCmdFailureOk) {
290 failureLogging = IptFailHide;
292 ALOGV("runCommands(): %d commands", numCommands);
293 for (int cmdNum = 0; cmdNum < numCommands; cmdNum++) {
294 res = runIpxtablesCmd(commands[cmdNum], IptJumpNoAdd, failureLogging);
295 if (res && cmdErrHandling != RunCmdFailureOk)
301 std::string BandwidthController::makeIptablesSpecialAppCmd(IptOp op, int uid, const char *chain) {
311 ALOGE("Append op not supported for %s uids", chain);
323 asprintf(&buff, "%s %s -m owner --uid-owner %d", opFlag, chain, uid);
329 int BandwidthController::enableHappyBox(void) {
330 char cmd[MAX_CMD_LEN];
334 * We tentatively delete before adding, which helps recovering
335 * from bad states (e.g. netd died).
338 /* Should not exist, but ignore result if already there. */
339 snprintf(cmd, sizeof(cmd), "-N bw_happy_box");
340 runIpxtablesCmd(cmd, IptJumpNoAdd);
342 /* Should be empty, but clear in case something was wrong. */
343 snprintf(cmd, sizeof(cmd), "-F bw_happy_box");
344 res |= runIpxtablesCmd(cmd, IptJumpNoAdd);
346 snprintf(cmd, sizeof(cmd), "-D bw_penalty_box -j bw_happy_box");
347 runIpxtablesCmd(cmd, IptJumpNoAdd);
348 snprintf(cmd, sizeof(cmd), "-A bw_penalty_box -j bw_happy_box");
349 res |= runIpxtablesCmd(cmd, IptJumpNoAdd);
351 /* Whitelist all system apps. */
352 snprintf(cmd, sizeof(cmd),
353 "-A bw_happy_box -m owner --uid-owner %d-%d -j RETURN", 0, MAX_SYSTEM_UID);
354 res |= runIpxtablesCmd(cmd, IptJumpNoAdd);
356 /* Reject. Defaulting to prot-unreachable */
357 snprintf(cmd, sizeof(cmd), "-A bw_happy_box -j REJECT");
358 res |= runIpxtablesCmd(cmd, IptJumpNoAdd);
363 int BandwidthController::disableHappyBox(void) {
364 char cmd[MAX_CMD_LEN];
367 snprintf(cmd, sizeof(cmd), "-D bw_penalty_box -j bw_happy_box");
368 runIpxtablesCmd(cmd, IptJumpNoAdd);
369 snprintf(cmd, sizeof(cmd), "-F bw_happy_box");
370 runIpxtablesCmd(cmd, IptJumpNoAdd);
371 snprintf(cmd, sizeof(cmd), "-X bw_happy_box");
372 runIpxtablesCmd(cmd, IptJumpNoAdd);
377 int BandwidthController::addNaughtyApps(int numUids, char *appUids[]) {
378 return manipulateNaughtyApps(numUids, appUids, SpecialAppOpAdd);
381 int BandwidthController::removeNaughtyApps(int numUids, char *appUids[]) {
382 return manipulateNaughtyApps(numUids, appUids, SpecialAppOpRemove);
385 int BandwidthController::addNiceApps(int numUids, char *appUids[]) {
386 return manipulateNiceApps(numUids, appUids, SpecialAppOpAdd);
389 int BandwidthController::removeNiceApps(int numUids, char *appUids[]) {
390 return manipulateNiceApps(numUids, appUids, SpecialAppOpRemove);
393 int BandwidthController::manipulateNaughtyApps(int numUids, char *appStrUids[], SpecialAppOp appOp) {
394 return manipulateSpecialApps(numUids, appStrUids, "bw_penalty_box", IptJumpReject, appOp);
397 int BandwidthController::manipulateNiceApps(int numUids, char *appStrUids[], SpecialAppOp appOp) {
398 return manipulateSpecialApps(numUids, appStrUids, "bw_happy_box", IptJumpReturn, appOp);
402 int BandwidthController::manipulateSpecialApps(int numUids, char *appStrUids[],
404 IptJumpOp jumpHandling, SpecialAppOp appOp) {
407 const char *failLogTemplate;
409 int appUids[numUids];
413 case SpecialAppOpAdd:
415 failLogTemplate = "Failed to add app uid %s(%d) to %s.";
417 case SpecialAppOpRemove:
419 failLogTemplate = "Failed to delete app uid %s(%d) from %s box.";
422 ALOGE("Unexpected app Op %d", appOp);
426 for (uidNum = 0; uidNum < numUids; uidNum++) {
428 appUids[uidNum] = strtoul(appStrUids[uidNum], &end, 0);
429 if (*end || !*appStrUids[uidNum]) {
430 ALOGE(failLogTemplate, appStrUids[uidNum], appUids[uidNum], chain);
435 for (uidNum = 0; uidNum < numUids; uidNum++) {
436 int uid = appUids[uidNum];
438 iptCmd = makeIptablesSpecialAppCmd(op, uid, chain);
439 if (runIpxtablesCmd(iptCmd.c_str(), jumpHandling)) {
440 ALOGE(failLogTemplate, appStrUids[uidNum], uid, chain);
441 goto fail_with_uidNum;
447 /* Try to remove the uid that failed in any case*/
448 iptCmd = makeIptablesSpecialAppCmd(IptOpDelete, appUids[uidNum], chain);
449 runIpxtablesCmd(iptCmd.c_str(), jumpHandling);
454 std::string BandwidthController::makeIptablesQuotaCmd(IptOp op, const char *costName, int64_t quota) {
459 ALOGV("makeIptablesQuotaCmd(%d, %" PRId64")", op, quota);
477 // The requried IP version specific --jump REJECT ... will be added later.
478 asprintf(&buff, "%s bw_costly_%s -m quota2 ! --quota %" PRId64" --name %s", opFlag, costName, quota,
485 int BandwidthController::prepCostlyIface(const char *ifn, QuotaType quotaType) {
486 char cmd[MAX_CMD_LEN];
487 int res = 0, res1, res2;
488 int ruleInsertPos = 1;
489 std::string costString;
490 const char *costCString;
492 /* The "-N costly" is created upfront, no need to handle it here. */
495 costString = "bw_costly_";
497 costCString = costString.c_str();
499 * Flush the bw_costly_<iface> is allowed to fail in case it didn't exist.
500 * Creating a new one is allowed to fail in case it existed.
501 * This helps with netd restarts.
503 snprintf(cmd, sizeof(cmd), "-F %s", costCString);
504 res1 = runIpxtablesCmd(cmd, IptJumpNoAdd, IptFailHide);
505 snprintf(cmd, sizeof(cmd), "-N %s", costCString);
506 res2 = runIpxtablesCmd(cmd, IptJumpNoAdd, IptFailHide);
507 res = (res1 && res2) || (!res1 && !res2);
509 snprintf(cmd, sizeof(cmd), "-A %s -j bw_penalty_box", costCString);
510 res |= runIpxtablesCmd(cmd, IptJumpNoAdd);
513 costCString = "bw_costly_shared";
516 ALOGE("Unexpected quotatype %d", quotaType);
520 if (globalAlertBytes) {
521 /* The alert rule comes 1st */
525 snprintf(cmd, sizeof(cmd), "-D bw_INPUT -i %s --jump %s", ifn, costCString);
526 runIpxtablesCmd(cmd, IptJumpNoAdd, IptFailHide);
528 snprintf(cmd, sizeof(cmd), "-I bw_INPUT %d -i %s --jump %s", ruleInsertPos, ifn, costCString);
529 res |= runIpxtablesCmd(cmd, IptJumpNoAdd);
531 snprintf(cmd, sizeof(cmd), "-D bw_OUTPUT -o %s --jump %s", ifn, costCString);
532 runIpxtablesCmd(cmd, IptJumpNoAdd, IptFailHide);
534 snprintf(cmd, sizeof(cmd), "-I bw_OUTPUT %d -o %s --jump %s", ruleInsertPos, ifn, costCString);
535 res |= runIpxtablesCmd(cmd, IptJumpNoAdd);
537 snprintf(cmd, sizeof(cmd), "-D bw_FORWARD -o %s --jump %s", ifn, costCString);
538 runIpxtablesCmd(cmd, IptJumpNoAdd, IptFailHide);
539 snprintf(cmd, sizeof(cmd), "-A bw_FORWARD -o %s --jump %s", ifn, costCString);
540 res |= runIpxtablesCmd(cmd, IptJumpNoAdd);
545 int BandwidthController::cleanupCostlyIface(const char *ifn, QuotaType quotaType) {
546 char cmd[MAX_CMD_LEN];
548 std::string costString;
549 const char *costCString;
553 costString = "bw_costly_";
555 costCString = costString.c_str();
558 costCString = "bw_costly_shared";
561 ALOGE("Unexpected quotatype %d", quotaType);
565 snprintf(cmd, sizeof(cmd), "-D bw_INPUT -i %s --jump %s", ifn, costCString);
566 res |= runIpxtablesCmd(cmd, IptJumpNoAdd);
567 for (const auto tableName : {LOCAL_OUTPUT, LOCAL_FORWARD}) {
568 snprintf(cmd, sizeof(cmd), "-D %s -o %s --jump %s", tableName, ifn, costCString);
569 res |= runIpxtablesCmd(cmd, IptJumpNoAdd);
572 /* The "-N bw_costly_shared" is created upfront, no need to handle it here. */
573 if (quotaType == QuotaUnique) {
574 snprintf(cmd, sizeof(cmd), "-F %s", costCString);
575 res |= runIpxtablesCmd(cmd, IptJumpNoAdd);
576 snprintf(cmd, sizeof(cmd), "-X %s", costCString);
577 res |= runIpxtablesCmd(cmd, IptJumpNoAdd);
582 int BandwidthController::setInterfaceSharedQuota(const char *iface, int64_t maxBytes) {
583 char ifn[MAX_IFACENAME_LEN];
585 std::string quotaCmd;
586 std::string ifaceName;
588 const char *costName = "shared";
589 std::list<std::string>::iterator it;
592 /* Don't talk about -1, deprecate it. */
593 ALOGE("Invalid bytes value. 1..max_int64.");
596 if (!isIfaceName(iface))
598 if (StrncpyAndCheck(ifn, iface, sizeof(ifn))) {
599 ALOGE("Interface name longer than %d", MAX_IFACENAME_LEN);
604 if (maxBytes == -1) {
605 return removeInterfaceSharedQuota(ifn);
608 /* Insert ingress quota. */
609 for (it = sharedQuotaIfaces.begin(); it != sharedQuotaIfaces.end(); it++) {
610 if (*it == ifaceName)
614 if (it == sharedQuotaIfaces.end()) {
615 res |= prepCostlyIface(ifn, QuotaShared);
616 if (sharedQuotaIfaces.empty()) {
617 quotaCmd = makeIptablesQuotaCmd(IptOpInsert, costName, maxBytes);
618 res |= runIpxtablesCmd(quotaCmd.c_str(), IptJumpReject);
620 ALOGE("Failed set quota rule");
623 sharedQuotaBytes = maxBytes;
625 sharedQuotaIfaces.push_front(ifaceName);
629 if (maxBytes != sharedQuotaBytes) {
630 res |= updateQuota(costName, maxBytes);
632 ALOGE("Failed update quota for %s", costName);
635 sharedQuotaBytes = maxBytes;
641 * TODO(jpa): once we get rid of iptables in favor of rtnetlink, reparse
642 * rules in the kernel to see which ones need cleaning up.
643 * For now callers needs to choose if they want to "ndc bandwidth enable"
644 * which resets everything.
646 removeInterfaceSharedQuota(ifn);
650 /* It will also cleanup any shared alerts */
651 int BandwidthController::removeInterfaceSharedQuota(const char *iface) {
652 char ifn[MAX_IFACENAME_LEN];
654 std::string ifaceName;
655 std::list<std::string>::iterator it;
656 const char *costName = "shared";
658 if (!isIfaceName(iface))
660 if (StrncpyAndCheck(ifn, iface, sizeof(ifn))) {
661 ALOGE("Interface name longer than %d", MAX_IFACENAME_LEN);
666 for (it = sharedQuotaIfaces.begin(); it != sharedQuotaIfaces.end(); it++) {
667 if (*it == ifaceName)
670 if (it == sharedQuotaIfaces.end()) {
671 ALOGE("No such iface %s to delete", ifn);
675 res |= cleanupCostlyIface(ifn, QuotaShared);
676 sharedQuotaIfaces.erase(it);
678 if (sharedQuotaIfaces.empty()) {
679 std::string quotaCmd;
680 quotaCmd = makeIptablesQuotaCmd(IptOpDelete, costName, sharedQuotaBytes);
681 res |= runIpxtablesCmd(quotaCmd.c_str(), IptJumpReject);
682 sharedQuotaBytes = 0;
683 if (sharedAlertBytes) {
685 sharedAlertBytes = 0;
691 int BandwidthController::setInterfaceQuota(const char *iface, int64_t maxBytes) {
692 char ifn[MAX_IFACENAME_LEN];
694 std::string ifaceName;
695 const char *costName;
696 std::list<QuotaInfo>::iterator it;
697 std::string quotaCmd;
699 if (!isIfaceName(iface))
703 /* Don't talk about -1, deprecate it. */
704 ALOGE("Invalid bytes value. 1..max_int64.");
707 if (maxBytes == -1) {
708 return removeInterfaceQuota(iface);
711 if (StrncpyAndCheck(ifn, iface, sizeof(ifn))) {
712 ALOGE("Interface name longer than %d", MAX_IFACENAME_LEN);
718 /* Insert ingress quota. */
719 for (it = quotaIfaces.begin(); it != quotaIfaces.end(); it++) {
720 if (it->ifaceName == ifaceName)
724 if (it == quotaIfaces.end()) {
725 /* Preparing the iface adds a penalty/happy box check */
726 res |= prepCostlyIface(ifn, QuotaUnique);
728 * The rejecting quota limit should go after the penalty/happy box checks
729 * or else a naughty app could just eat up the quota.
732 quotaCmd = makeIptablesQuotaCmd(IptOpAppend, costName, maxBytes);
733 res |= runIpxtablesCmd(quotaCmd.c_str(), IptJumpReject);
735 ALOGE("Failed set quota rule");
739 quotaIfaces.push_front(QuotaInfo(ifaceName, maxBytes, 0));
742 res |= updateQuota(costName, maxBytes);
744 ALOGE("Failed update quota for %s", iface);
747 it->quota = maxBytes;
753 * TODO(jpa): once we get rid of iptables in favor of rtnetlink, reparse
754 * rules in the kernel to see which ones need cleaning up.
755 * For now callers needs to choose if they want to "ndc bandwidth enable"
756 * which resets everything.
758 removeInterfaceSharedQuota(ifn);
762 int BandwidthController::getInterfaceSharedQuota(int64_t *bytes) {
763 return getInterfaceQuota("shared", bytes);
766 int BandwidthController::getInterfaceQuota(const char *costName, int64_t *bytes) {
771 if (!isIfaceName(costName))
774 asprintf(&fname, "/proc/net/xt_quota/%s", costName);
775 fp = fopen(fname, "re");
778 ALOGE("Reading quota %s failed (%s)", costName, strerror(errno));
781 scanRes = fscanf(fp, "%" SCNd64, bytes);
782 ALOGV("Read quota res=%d bytes=%" PRId64, scanRes, *bytes);
784 return scanRes == 1 ? 0 : -1;
787 int BandwidthController::removeInterfaceQuota(const char *iface) {
789 char ifn[MAX_IFACENAME_LEN];
791 std::string ifaceName;
792 std::list<QuotaInfo>::iterator it;
794 if (!isIfaceName(iface))
796 if (StrncpyAndCheck(ifn, iface, sizeof(ifn))) {
797 ALOGE("Interface name longer than %d", MAX_IFACENAME_LEN);
802 for (it = quotaIfaces.begin(); it != quotaIfaces.end(); it++) {
803 if (it->ifaceName == ifaceName)
807 if (it == quotaIfaces.end()) {
808 ALOGE("No such iface %s to delete", ifn);
812 /* This also removes the quota command of CostlyIface chain. */
813 res |= cleanupCostlyIface(ifn, QuotaUnique);
815 quotaIfaces.erase(it);
820 int BandwidthController::updateQuota(const char *quotaName, int64_t bytes) {
824 if (!isIfaceName(quotaName)) {
825 ALOGE("updateQuota: Invalid quotaName \"%s\"", quotaName);
829 asprintf(&fname, "/proc/net/xt_quota/%s", quotaName);
830 fp = fopen(fname, "we");
833 ALOGE("Updating quota %s failed (%s)", quotaName, strerror(errno));
836 fprintf(fp, "%" PRId64"\n", bytes);
841 int BandwidthController::runIptablesAlertCmd(IptOp op, const char *alertName, int64_t bytes) {
862 asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_INPUT",
864 res |= runIpxtablesCmd(alertQuotaCmd, IptJumpNoAdd);
866 asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_OUTPUT",
868 res |= runIpxtablesCmd(alertQuotaCmd, IptJumpNoAdd);
873 int BandwidthController::runIptablesAlertFwdCmd(IptOp op, const char *alertName, int64_t bytes) {
894 asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, opFlag, "bw_FORWARD",
896 res = runIpxtablesCmd(alertQuotaCmd, IptJumpNoAdd);
901 int BandwidthController::setGlobalAlert(int64_t bytes) {
902 const char *alertName = ALERT_GLOBAL_NAME;
906 ALOGE("Invalid bytes value. 1..max_int64.");
909 if (globalAlertBytes) {
910 res = updateQuota(alertName, bytes);
912 res = runIptablesAlertCmd(IptOpInsert, alertName, bytes);
913 if (globalAlertTetherCount) {
914 ALOGV("setGlobalAlert for %d tether", globalAlertTetherCount);
915 res |= runIptablesAlertFwdCmd(IptOpInsert, alertName, bytes);
918 globalAlertBytes = bytes;
922 int BandwidthController::setGlobalAlertInForwardChain(void) {
923 const char *alertName = ALERT_GLOBAL_NAME;
926 globalAlertTetherCount++;
927 ALOGV("setGlobalAlertInForwardChain(): %d tether", globalAlertTetherCount);
930 * If there is no globalAlert active we are done.
931 * If there is an active globalAlert but this is not the 1st
932 * tether, we are also done.
934 if (!globalAlertBytes || globalAlertTetherCount != 1) {
938 /* We only add the rule if this was the 1st tether added. */
939 res = runIptablesAlertFwdCmd(IptOpInsert, alertName, globalAlertBytes);
943 int BandwidthController::removeGlobalAlert(void) {
945 const char *alertName = ALERT_GLOBAL_NAME;
948 if (!globalAlertBytes) {
949 ALOGE("No prior alert set");
952 res = runIptablesAlertCmd(IptOpDelete, alertName, globalAlertBytes);
953 if (globalAlertTetherCount) {
954 res |= runIptablesAlertFwdCmd(IptOpDelete, alertName, globalAlertBytes);
956 globalAlertBytes = 0;
960 int BandwidthController::removeGlobalAlertInForwardChain(void) {
962 const char *alertName = ALERT_GLOBAL_NAME;
964 if (!globalAlertTetherCount) {
965 ALOGE("No prior alert set");
969 globalAlertTetherCount--;
971 * If there is no globalAlert active we are done.
972 * If there is an active globalAlert but there are more
973 * tethers, we are also done.
975 if (!globalAlertBytes || globalAlertTetherCount >= 1) {
979 /* We only detete the rule if this was the last tether removed. */
980 res = runIptablesAlertFwdCmd(IptOpDelete, alertName, globalAlertBytes);
984 int BandwidthController::setSharedAlert(int64_t bytes) {
985 if (!sharedQuotaBytes) {
986 ALOGE("Need to have a prior shared quota set to set an alert");
990 ALOGE("Invalid bytes value. 1..max_int64.");
993 return setCostlyAlert("shared", bytes, &sharedAlertBytes);
996 int BandwidthController::removeSharedAlert(void) {
997 return removeCostlyAlert("shared", &sharedAlertBytes);
1000 int BandwidthController::setInterfaceAlert(const char *iface, int64_t bytes) {
1001 std::list<QuotaInfo>::iterator it;
1003 if (!isIfaceName(iface)) {
1004 ALOGE("setInterfaceAlert: Invalid iface \"%s\"", iface);
1009 ALOGE("Invalid bytes value. 1..max_int64.");
1012 for (it = quotaIfaces.begin(); it != quotaIfaces.end(); it++) {
1013 if (it->ifaceName == iface)
1017 if (it == quotaIfaces.end()) {
1018 ALOGE("Need to have a prior interface quota set to set an alert");
1022 return setCostlyAlert(iface, bytes, &it->alert);
1025 int BandwidthController::removeInterfaceAlert(const char *iface) {
1026 std::list<QuotaInfo>::iterator it;
1028 if (!isIfaceName(iface)) {
1029 ALOGE("removeInterfaceAlert: Invalid iface \"%s\"", iface);
1033 for (it = quotaIfaces.begin(); it != quotaIfaces.end(); it++) {
1034 if (it->ifaceName == iface)
1038 if (it == quotaIfaces.end()) {
1039 ALOGE("No prior alert set for interface %s", iface);
1043 return removeCostlyAlert(iface, &it->alert);
1046 int BandwidthController::setCostlyAlert(const char *costName, int64_t bytes, int64_t *alertBytes) {
1047 char *alertQuotaCmd;
1052 if (!isIfaceName(costName)) {
1053 ALOGE("setCostlyAlert: Invalid costName \"%s\"", costName);
1058 ALOGE("Invalid bytes value. 1..max_int64.");
1061 asprintf(&alertName, "%sAlert", costName);
1063 res = updateQuota(alertName, *alertBytes);
1065 asprintf(&chainName, "bw_costly_%s", costName);
1066 asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, "-A", chainName, bytes, alertName);
1067 res |= runIpxtablesCmd(alertQuotaCmd, IptJumpNoAdd);
1068 free(alertQuotaCmd);
1071 *alertBytes = bytes;
1076 int BandwidthController::removeCostlyAlert(const char *costName, int64_t *alertBytes) {
1077 char *alertQuotaCmd;
1082 if (!isIfaceName(costName)) {
1083 ALOGE("removeCostlyAlert: Invalid costName \"%s\"", costName);
1088 ALOGE("No prior alert set for %s alert", costName);
1092 asprintf(&alertName, "%sAlert", costName);
1093 asprintf(&chainName, "bw_costly_%s", costName);
1094 asprintf(&alertQuotaCmd, ALERT_IPT_TEMPLATE, "-D", chainName, *alertBytes, alertName);
1095 res |= runIpxtablesCmd(alertQuotaCmd, IptJumpNoAdd);
1096 free(alertQuotaCmd);
1105 * Parse the ptks and bytes out of:
1106 * Chain natctrl_tether_counters (4 references)
1107 * pkts bytes target prot opt in out source destination
1108 * 26 2373 RETURN all -- wlan0 rmnet0 0.0.0.0/0 0.0.0.0/0
1109 * 27 2002 RETURN all -- rmnet0 wlan0 0.0.0.0/0 0.0.0.0/0
1110 * 1040 107471 RETURN all -- bt-pan rmnet0 0.0.0.0/0 0.0.0.0/0
1111 * 1450 1708806 RETURN all -- rmnet0 bt-pan 0.0.0.0/0 0.0.0.0/0
1112 * It results in an error if invoked and no tethering counter rules exist. The constraint
1113 * helps detect complete parsing failure.
1115 int BandwidthController::parseForwardChainStats(SocketClient *cli, const TetherStats filter,
1116 FILE *fp, std::string &extraProcessingInfo) {
1118 char lineBuffer[MAX_IPT_OUTPUT_LINE_LEN];
1119 char iface0[MAX_IPT_OUTPUT_LINE_LEN];
1120 char iface1[MAX_IPT_OUTPUT_LINE_LEN];
1121 char rest[MAX_IPT_OUTPUT_LINE_LEN];
1125 int64_t packets, bytes;
1128 bool filterPair = filter.intIface[0] && filter.extIface[0];
1130 char *filterMsg = filter.getStatsLine();
1131 ALOGV("filter: %s", filterMsg);
1136 while (NULL != (buffPtr = fgets(lineBuffer, MAX_IPT_OUTPUT_LINE_LEN, fp))) {
1137 /* Clean up, so a failed parse can still print info */
1138 iface0[0] = iface1[0] = rest[0] = packets = bytes = 0;
1139 res = sscanf(buffPtr, "%" SCNd64" %" SCNd64" RETURN all -- %s %s 0.%s",
1140 &packets, &bytes, iface0, iface1, rest);
1141 ALOGV("parse res=%d iface0=<%s> iface1=<%s> pkts=%" PRId64" bytes=%" PRId64" rest=<%s> orig line=<%s>", res,
1142 iface0, iface1, packets, bytes, rest, buffPtr);
1143 extraProcessingInfo += buffPtr;
1149 * The following assumes that the 1st rule has in:extIface out:intIface,
1150 * which is what NatController sets up.
1151 * If not filtering, the 1st match rx, and sets up the pair for the tx side.
1153 if (filter.intIface[0] && filter.extIface[0]) {
1154 if (filter.intIface == iface0 && filter.extIface == iface1) {
1155 ALOGV("2Filter RX iface_in=%s iface_out=%s rx_bytes=%" PRId64" rx_packets=%" PRId64" ", iface0, iface1, bytes, packets);
1156 stats.rxPackets = packets;
1157 stats.rxBytes = bytes;
1158 } else if (filter.intIface == iface1 && filter.extIface == iface0) {
1159 ALOGV("2Filter TX iface_in=%s iface_out=%s rx_bytes=%" PRId64" rx_packets=%" PRId64" ", iface0, iface1, bytes, packets);
1160 stats.txPackets = packets;
1161 stats.txBytes = bytes;
1163 } else if (filter.intIface[0] || filter.extIface[0]) {
1164 if (filter.intIface == iface0 || filter.extIface == iface1) {
1165 ALOGV("1Filter RX iface_in=%s iface_out=%s rx_bytes=%" PRId64" rx_packets=%" PRId64" ", iface0, iface1, bytes, packets);
1166 stats.intIface = iface0;
1167 stats.extIface = iface1;
1168 stats.rxPackets = packets;
1169 stats.rxBytes = bytes;
1170 } else if (filter.intIface == iface1 || filter.extIface == iface0) {
1171 ALOGV("1Filter TX iface_in=%s iface_out=%s rx_bytes=%" PRId64" rx_packets=%" PRId64" ", iface0, iface1, bytes, packets);
1172 stats.intIface = iface1;
1173 stats.extIface = iface0;
1174 stats.txPackets = packets;
1175 stats.txBytes = bytes;
1177 } else /* if (!filter.intFace[0] && !filter.extIface[0]) */ {
1178 if (!stats.intIface[0]) {
1179 ALOGV("0Filter RX iface_in=%s iface_out=%s rx_bytes=%" PRId64" rx_packets=%" PRId64" ", iface0, iface1, bytes, packets);
1180 stats.intIface = iface0;
1181 stats.extIface = iface1;
1182 stats.rxPackets = packets;
1183 stats.rxBytes = bytes;
1184 } else if (stats.intIface == iface1 && stats.extIface == iface0) {
1185 ALOGV("0Filter TX iface_in=%s iface_out=%s rx_bytes=%" PRId64" rx_packets=%" PRId64" ", iface0, iface1, bytes, packets);
1186 stats.txPackets = packets;
1187 stats.txBytes = bytes;
1190 if (stats.rxBytes != -1 && stats.txBytes != -1) {
1191 ALOGV("rx_bytes=%" PRId64" tx_bytes=%" PRId64" filterPair=%d", stats.rxBytes, stats.txBytes, filterPair);
1192 /* Send out stats, and prep for the next if needed. */
1193 char *msg = stats.getStatsLine();
1195 cli->sendMsg(ResponseCode::TetheringStatsResult, msg, false);
1198 cli->sendMsg(ResponseCode::TetheringStatsListResult, msg, false);
1206 /* It is always an error to find only one side of the stats. */
1207 /* It is an error to find nothing when not filtering. */
1208 if (((stats.rxBytes == -1) != (stats.txBytes == -1)) ||
1209 (!statsFound && !filterPair)) {
1212 cli->sendMsg(ResponseCode::CommandOkay, "Tethering stats list completed", false);
1216 char *BandwidthController::TetherStats::getStatsLine(void) const {
1218 asprintf(&msg, "%s %s %" PRId64" %" PRId64" %" PRId64" %" PRId64, intIface.c_str(), extIface.c_str(),
1219 rxBytes, rxPackets, txBytes, txPackets);
1223 int BandwidthController::getTetherStats(SocketClient *cli, TetherStats &stats, std::string &extraProcessingInfo) {
1225 std::string fullCmd;
1229 * Why not use some kind of lib to talk to iptables?
1230 * Because the only libs are libiptc and libip6tc in iptables, and they are
1231 * not easy to use. They require the known iptables match modules to be
1232 * preloaded/linked, and require apparently a lot of wrapper code to get
1235 fullCmd = IPTABLES_PATH;
1236 fullCmd += " -nvx -w -L ";
1237 fullCmd += NatController::LOCAL_TETHER_COUNTERS_CHAIN;
1238 iptOutput = popen(fullCmd.c_str(), "r");
1240 ALOGE("Failed to run %s err=%s", fullCmd.c_str(), strerror(errno));
1241 extraProcessingInfo += "Failed to run iptables.";
1244 res = parseForwardChainStats(cli, stats, iptOutput, extraProcessingInfo);
1247 /* Currently NatController doesn't do ipv6 tethering, so we are done. */
1251 void BandwidthController::flushExistingCostlyTables(bool doClean) {
1252 std::string fullCmd;
1255 /* Only lookup ip4 table names as ip6 will have the same tables ... */
1256 fullCmd = IPTABLES_PATH;
1257 fullCmd += " -w -S";
1258 iptOutput = popen(fullCmd.c_str(), "r");
1260 ALOGE("Failed to run %s err=%s", fullCmd.c_str(), strerror(errno));
1263 /* ... then flush/clean both ip4 and ip6 iptables. */
1264 parseAndFlushCostlyTables(iptOutput, doClean);
1268 void BandwidthController::parseAndFlushCostlyTables(FILE *fp, bool doRemove) {
1270 char lineBuffer[MAX_IPT_OUTPUT_LINE_LEN];
1271 char costlyIfaceName[MAX_IPT_OUTPUT_LINE_LEN];
1272 char cmd[MAX_CMD_LEN];
1275 while (NULL != (buffPtr = fgets(lineBuffer, MAX_IPT_OUTPUT_LINE_LEN, fp))) {
1276 costlyIfaceName[0] = '\0'; /* So that debugging output always works */
1277 res = sscanf(buffPtr, "-N bw_costly_%s", costlyIfaceName);
1278 ALOGV("parse res=%d costly=<%s> orig line=<%s>", res,
1279 costlyIfaceName, buffPtr);
1283 /* Exclusions: "shared" is not an ifacename */
1284 if (!strcmp(costlyIfaceName, "shared")) {
1288 snprintf(cmd, sizeof(cmd), "-F bw_costly_%s", costlyIfaceName);
1289 runIpxtablesCmd(cmd, IptJumpNoAdd, IptFailHide);
1291 snprintf(cmd, sizeof(cmd), "-X bw_costly_%s", costlyIfaceName);
1292 runIpxtablesCmd(cmd, IptJumpNoAdd, IptFailHide);