X-Git-Url: http://git.osdn.net/view?a=blobdiff_plain;f=server%2FNatController.cpp;h=b978358cd3ba7e0aaddf57ff301d4140fc801616;hb=05cfd25d3f22c71c2c6980d1880c01162d915665;hp=fba96ca6ec8bda5089e1ad7630b7e2d75b7d3003;hpb=7364b75ca058d34875eb3567a57bfd9c03628129;p=android-x86%2Fsystem-netd.git

diff --git a/server/NatController.cpp b/server/NatController.cpp
index fba96ca..b978358 100644
--- a/server/NatController.cpp
+++ b/server/NatController.cpp
@@ -86,9 +86,17 @@ int NatController::setupIptablesHooks() {
 
     struct CommandsAndArgs defaultCommands[] = {
         /*
-         * First chain is for tethering counters.
+         * This is for tethering counters.
          * This chain is reached via --goto, and then RETURNS.
-         *
+         */
+        {{IPTABLES_PATH, "-w", "-F", LOCAL_TETHER_COUNTERS_CHAIN,}, 0},
+        {{IP6TABLES_PATH, "-w", "-F", LOCAL_TETHER_COUNTERS_CHAIN,}, 0},
+        {{IPTABLES_PATH, "-w", "-X", LOCAL_TETHER_COUNTERS_CHAIN,}, 0},
+        {{IP6TABLES_PATH, "-w", "-X", LOCAL_TETHER_COUNTERS_CHAIN,}, 0},
+        {{IPTABLES_PATH, "-w", "-N", LOCAL_TETHER_COUNTERS_CHAIN,}, 1},
+        {{IP6TABLES_PATH, "-w", "-N", LOCAL_TETHER_COUNTERS_CHAIN,}, 1},
+
+        /*
          * Second chain is used to limit downstream mss to the upstream pmtu
          * so we don't end up fragmenting every large packet tethered devices
          * send.  Note this feature requires kernel support with flag
@@ -97,11 +105,8 @@ int NatController::setupIptablesHooks() {
          * Bug 17629786 asks to make the failure more obvious, or even fatal
          * so that all builds eventually gain the performance improvement.
          */
-        {{IPTABLES_PATH, "-w", "-F", LOCAL_TETHER_COUNTERS_CHAIN,}, 0},
-        {{IPTABLES_PATH, "-w", "-X", LOCAL_TETHER_COUNTERS_CHAIN,}, 0},
-        {{IPTABLES_PATH, "-w", "-N", LOCAL_TETHER_COUNTERS_CHAIN,}, 1},
-        {{IPTABLES_PATH, "-w", "-t", "mangle", "-A", LOCAL_MANGLE_FORWARD, "-p", "tcp", "--tcp-flags",
-                "SYN", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu"}, 0},
+        {{IPTABLES_PATH, "-w", "-t", "mangle", "-A", LOCAL_MANGLE_FORWARD, "-p", "tcp",
+                "--tcp-flags", "SYN", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu"}, 0},
     };
     for (unsigned int cmdNum = 0; cmdNum < ARRAY_SIZE(defaultCommands); cmdNum++) {
         if (runCmd(ARRAY_SIZE(defaultCommands[cmdNum].cmd), defaultCommands[cmdNum].cmd) &&
@@ -123,6 +128,7 @@ int NatController::setDefaults() {
      */
     struct CommandsAndArgs defaultCommands[] = {
         {{IPTABLES_PATH, "-w", "-F", LOCAL_FORWARD,}, 1},
+        {{IP6TABLES_PATH, "-w", "-F", LOCAL_FORWARD,}, 1},
         {{IPTABLES_PATH, "-w", "-A", LOCAL_FORWARD, "-j", "DROP"}, 1},
         {{IPTABLES_PATH, "-w", "-t", "nat", "-F", LOCAL_NAT_POSTROUTING}, 1},
     };
@@ -155,7 +161,7 @@ int NatController::enableNat(const char* intIface, const char* extIface) {
 
     // add this if we are the first added nat
     if (natCount == 0) {
-        const char *cmd[] = {
+        const char *v4Cmd[] = {
                 IPTABLES_PATH,
                 "-w",
                 "-t",
@@ -167,7 +173,15 @@ int NatController::enableNat(const char* intIface, const char* extIface) {
                 "-j",
                 "MASQUERADE"
         };
-        if (runCmd(ARRAY_SIZE(cmd), cmd)) {
+
+        /*
+         * IPv6 tethering doesn't need the state-based conntrack rules, so
+         * it unconditionally jumps to the tether counters chain all the time.
+         */
+        const char *v6Cmd[] = {IP6TABLES_PATH, "-w", "-A", LOCAL_FORWARD,
+                               "-g", LOCAL_TETHER_COUNTERS_CHAIN};
+
+        if (runCmd(ARRAY_SIZE(v4Cmd), v4Cmd) || runCmd(ARRAY_SIZE(v6Cmd), v6Cmd)) {
             ALOGE("Error setting postroute rule: iface=%s", extIface);
             // unwind what's been done, but don't care about success - what more could we do?
             setDefaults();
@@ -234,19 +248,16 @@ int NatController::setTetherCountingRules(bool add, const char *intIface, const
         return 0;
     }
     const char *cmd2b[] = {
-            IPTABLES_PATH,
-            "-w",
-            "-A",
-            LOCAL_TETHER_COUNTERS_CHAIN,
-            "-i",
-            intIface,
-            "-o",
-            extIface,
-            "-j",
-          "RETURN"
+        IPTABLES_PATH,
+        "-w", "-A", LOCAL_TETHER_COUNTERS_CHAIN, "-i", intIface, "-o", extIface, "-j", "RETURN"
     };
 
-    if (runCmd(ARRAY_SIZE(cmd2b), cmd2b) && add) {
+    const char *cmd2c[] = {
+        IP6TABLES_PATH,
+        "-w", "-A", LOCAL_TETHER_COUNTERS_CHAIN, "-i", intIface, "-o", extIface, "-j", "RETURN"
+    };
+
+    if (runCmd(ARRAY_SIZE(cmd2b), cmd2b) || runCmd(ARRAY_SIZE(cmd2c), cmd2c)) {
         free(pair_name);
         return -1;
     }
@@ -260,19 +271,16 @@ int NatController::setTetherCountingRules(bool add, const char *intIface, const
     }
 
     const char *cmd3b[] = {
-            IPTABLES_PATH,
-            "-w",
-            "-A",
-            LOCAL_TETHER_COUNTERS_CHAIN,
-            "-i",
-            extIface,
-            "-o",
-            intIface,
-            "-j",
-            "RETURN"
+        IPTABLES_PATH,
+        "-w", "-A", LOCAL_TETHER_COUNTERS_CHAIN, "-i", extIface, "-o", intIface, "-j", "RETURN"
+    };
+
+    const char *cmd3c[] = {
+        IP6TABLES_PATH,
+        "-w", "-A", LOCAL_TETHER_COUNTERS_CHAIN, "-i", extIface, "-o", intIface, "-j", "RETURN"
     };
 
-    if (runCmd(ARRAY_SIZE(cmd3b), cmd3b) && add) {
+    if (runCmd(ARRAY_SIZE(cmd3b), cmd3b) || runCmd(ARRAY_SIZE(cmd3c), cmd3c)) {
         // unwind what's been done, but don't care about success - what more could we do?
         free(pair_name);
         return -1;