2 * Copyright (C) 2008 The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
21 #include <sys/socket.h>
25 #include <netinet/in.h>
26 #include <arpa/inet.h>
28 #include <cutils/properties.h>
30 #define LOG_TAG "NatController"
31 #include <cutils/log.h>
32 #include <logwrap/logwrap.h>
34 #include "NatController.h"
35 #include "NetdConstants.h"
36 #include "RouteController.h"
38 const char* NatController::LOCAL_FORWARD = "natctrl_FORWARD";
39 const char* NatController::LOCAL_MANGLE_FORWARD = "natctrl_mangle_FORWARD";
40 const char* NatController::LOCAL_NAT_POSTROUTING = "natctrl_nat_POSTROUTING";
41 const char* NatController::LOCAL_TETHER_COUNTERS_CHAIN = "natctrl_tether_counters";
43 auto NatController::execFunction = android_fork_execvp;
45 NatController::NatController() {
48 NatController::~NatController() {
51 struct CommandsAndArgs {
52 /* The array size doesn't really matter as the compiler will barf if too many initializers are specified. */
57 int NatController::runCmd(int argc, const char **argv) {
60 res = execFunction(argc, (char **)argv, NULL, false, false);
63 std::string full_cmd = argv[0];
66 * HACK: Sometimes runCmd() is called with a ridcously large value (32)
67 * and it works because the argv[] contains a NULL after the last
68 * true argv. So here we use the NULL argv[] to terminate when the argc
69 * is horribly wrong, and argc for the normal cases.
71 for (; argc && argv[0]; argc--, argv++) {
75 ALOGV("runCmd(%s) res=%d", full_cmd.c_str(), res);
80 int NatController::setupIptablesHooks() {
87 struct CommandsAndArgs defaultCommands[] = {
89 * This is for tethering counters.
90 * This chain is reached via --goto, and then RETURNS.
92 {{IPTABLES_PATH, "-w", "-F", LOCAL_TETHER_COUNTERS_CHAIN,}, 0},
93 {{IP6TABLES_PATH, "-w", "-F", LOCAL_TETHER_COUNTERS_CHAIN,}, 0},
94 {{IPTABLES_PATH, "-w", "-X", LOCAL_TETHER_COUNTERS_CHAIN,}, 0},
95 {{IP6TABLES_PATH, "-w", "-X", LOCAL_TETHER_COUNTERS_CHAIN,}, 0},
96 {{IPTABLES_PATH, "-w", "-N", LOCAL_TETHER_COUNTERS_CHAIN,}, 1},
97 {{IP6TABLES_PATH, "-w", "-N", LOCAL_TETHER_COUNTERS_CHAIN,}, 1},
100 * Second chain is used to limit downstream mss to the upstream pmtu
101 * so we don't end up fragmenting every large packet tethered devices
102 * send. Note this feature requires kernel support with flag
103 * CONFIG_NETFILTER_XT_TARGET_TCPMSS=y, which not all builds will have,
104 * so the final rule is allowed to fail.
105 * Bug 17629786 asks to make the failure more obvious, or even fatal
106 * so that all builds eventually gain the performance improvement.
108 {{IPTABLES_PATH, "-w", "-t", "mangle", "-A", LOCAL_MANGLE_FORWARD, "-p", "tcp",
109 "--tcp-flags", "SYN", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu"}, 0},
111 for (unsigned int cmdNum = 0; cmdNum < ARRAY_SIZE(defaultCommands); cmdNum++) {
112 if (runCmd(ARRAY_SIZE(defaultCommands[cmdNum].cmd), defaultCommands[cmdNum].cmd) &&
113 defaultCommands[cmdNum].checkRes) {
117 ifacePairList.clear();
122 int NatController::setDefaults() {
124 * The following only works because:
125 * - the defaultsCommands[].cmd array is padded with NULL, and
126 * - the 1st argc of runCmd() will just be the max for the CommandsAndArgs[].cmd, and
127 * - internally it will be memcopied to an array and terminated with a NULL.
129 struct CommandsAndArgs defaultCommands[] = {
130 {{IPTABLES_PATH, "-w", "-F", LOCAL_FORWARD,}, 1},
131 {{IP6TABLES_PATH, "-w", "-F", LOCAL_FORWARD,}, 1},
132 {{IPTABLES_PATH, "-w", "-A", LOCAL_FORWARD, "-j", "DROP"}, 1},
133 {{IPTABLES_PATH, "-w", "-t", "nat", "-F", LOCAL_NAT_POSTROUTING}, 1},
135 for (unsigned int cmdNum = 0; cmdNum < ARRAY_SIZE(defaultCommands); cmdNum++) {
136 if (runCmd(ARRAY_SIZE(defaultCommands[cmdNum].cmd), defaultCommands[cmdNum].cmd) &&
137 defaultCommands[cmdNum].checkRes) {
147 int NatController::enableNat(const char* intIface, const char* extIface) {
148 ALOGV("enableNat(intIface=<%s>, extIface=<%s>)",intIface, extIface);
150 if (!isIfaceName(intIface) || !isIfaceName(extIface)) {
155 /* Bug: b/9565268. "enableNat wlan0 wlan0". For now we fail until java-land is fixed */
156 if (!strcmp(intIface, extIface)) {
157 ALOGE("Duplicate interface specified: %s %s", intIface, extIface);
162 // add this if we are the first added nat
164 const char *v4Cmd[] = {
170 LOCAL_NAT_POSTROUTING,
178 * IPv6 tethering doesn't need the state-based conntrack rules, so
179 * it unconditionally jumps to the tether counters chain all the time.
181 const char *v6Cmd[] = {IP6TABLES_PATH, "-w", "-A", LOCAL_FORWARD,
182 "-g", LOCAL_TETHER_COUNTERS_CHAIN};
184 if (runCmd(ARRAY_SIZE(v4Cmd), v4Cmd) || runCmd(ARRAY_SIZE(v6Cmd), v6Cmd)) {
185 ALOGE("Error setting postroute rule: iface=%s", extIface);
186 // unwind what's been done, but don't care about success - what more could we do?
192 if (setForwardRules(true, intIface, extIface) != 0) {
193 ALOGE("Error setting forward rules");
201 /* Always make sure the drop rule is at the end */
202 const char *cmd1[] = {
210 runCmd(ARRAY_SIZE(cmd1), cmd1);
211 const char *cmd2[] = {
219 runCmd(ARRAY_SIZE(cmd2), cmd2);
225 bool NatController::checkTetherCountingRuleExist(const char *pair_name) {
226 std::list<std::string>::iterator it;
228 for (it = ifacePairList.begin(); it != ifacePairList.end(); it++) {
229 if (*it == pair_name) {
230 /* We already have this counter */
237 int NatController::setTetherCountingRules(bool add, const char *intIface, const char *extIface) {
239 /* We only ever add tethering quota rules so that they stick. */
244 asprintf(&pair_name, "%s_%s", intIface, extIface);
246 if (checkTetherCountingRuleExist(pair_name)) {
250 const char *cmd2b[] = {
252 "-w", "-A", LOCAL_TETHER_COUNTERS_CHAIN, "-i", intIface, "-o", extIface, "-j", "RETURN"
255 const char *cmd2c[] = {
257 "-w", "-A", LOCAL_TETHER_COUNTERS_CHAIN, "-i", intIface, "-o", extIface, "-j", "RETURN"
260 if (runCmd(ARRAY_SIZE(cmd2b), cmd2b) || runCmd(ARRAY_SIZE(cmd2c), cmd2c)) {
264 ifacePairList.push_front(pair_name);
267 asprintf(&pair_name, "%s_%s", extIface, intIface);
268 if (checkTetherCountingRuleExist(pair_name)) {
273 const char *cmd3b[] = {
275 "-w", "-A", LOCAL_TETHER_COUNTERS_CHAIN, "-i", extIface, "-o", intIface, "-j", "RETURN"
278 const char *cmd3c[] = {
280 "-w", "-A", LOCAL_TETHER_COUNTERS_CHAIN, "-i", extIface, "-o", intIface, "-j", "RETURN"
283 if (runCmd(ARRAY_SIZE(cmd3b), cmd3b) || runCmd(ARRAY_SIZE(cmd3c), cmd3c)) {
284 // unwind what's been done, but don't care about success - what more could we do?
288 ifacePairList.push_front(pair_name);
293 int NatController::setForwardRules(bool add, const char *intIface, const char *extIface) {
294 const char *cmd1[] = {
306 "ESTABLISHED,RELATED",
308 LOCAL_TETHER_COUNTERS_CHAIN
312 if (runCmd(ARRAY_SIZE(cmd1), cmd1) && add) {
316 const char *cmd2[] = {
333 const char *cmd3[] = {
343 LOCAL_TETHER_COUNTERS_CHAIN
346 if (runCmd(ARRAY_SIZE(cmd2), cmd2) && add) {
347 // bail on error, but only if adding
349 goto err_invalid_drop;
352 if (runCmd(ARRAY_SIZE(cmd3), cmd3) && add) {
353 // unwind what's been done, but don't care about success - what more could we do?
358 if (setTetherCountingRules(add, intIface, extIface) && add) {
367 runCmd(ARRAY_SIZE(cmd2), cmd2);
370 runCmd(ARRAY_SIZE(cmd1), cmd1);
374 int NatController::disableNat(const char* intIface, const char* extIface) {
375 if (!isIfaceName(intIface) || !isIfaceName(extIface)) {
380 setForwardRules(false, intIface, extIface);
381 if (--natCount <= 0) {
382 // handle decrement to 0 case (do reset to defaults) and erroneous dec below 0
OSDN Git Service
