/*
 * Tear down the bandwidth-control iptables state.
 *
 * Runs IPT_CLEANUP_COMMANDS with RunCmdFailureOk, so individual commands are
 * allowed to fail (the chains may already be gone), then calls the OEM
 * iptables hook. Always returns 0; the outcome of the cleanup is not reported
 * to the caller.
 *
 * NOTE(review): the in-memory quota/alert bookkeeping is not reset here;
 * presumably callers rely on enableBandwidthControl() to do that — confirm.
 */
int BandwidthController::disableBandwidthControl(void) {
    const int cleanupCount = sizeof(IPT_CLEANUP_COMMANDS) / sizeof(char*);

    /* Cleanup is best-effort: a failing command does not abort the rest. */
    runCommands(cleanupCount, IPT_CLEANUP_COMMANDS, RunCmdFailureOk);

    /* Re-run the OEM hook now that the built-in rules have been removed. */
    setupOemIptablesHook();

    return 0;
}
/*
 * Reset NAT-related netfilter and policy-routing state to a known baseline.
 *
 * The first group of iptables commands is mandatory: chain policies are set
 * to INPUT ACCEPT / OUTPUT ACCEPT / FORWARD DROP (forwarding is denied unless
 * a later rule allows it) and the FORWARD chain and nat table are flushed.
 * The first failure aborts with -1; the remaining commands are not run.
 *
 * Everything after that is best-effort: the mangle flush may be unsupported
 * by the kernel, and the ip-rule / route-cache commands have their return
 * values ignored, so a failed "rule add" is not reported to the caller.
 *
 * Returns 0 on success, -1 if a mandatory iptables command failed. natCount
 * is reset only on the success path.
 */
int NatController::setDefaults() {
    /* Mandatory commands, in order; the first failure aborts the reset. */
    static const char* const kRequired[] = {
        "-P INPUT ACCEPT",
        "-P OUTPUT ACCEPT",
        "-P FORWARD DROP",
        "-F FORWARD",
        "-t nat -F",
    };
    const int requiredCount = sizeof(kRequired) / sizeof(kRequired[0]);

    for (int i = 0; i < requiredCount; i++) {
        if (runCmd(IPTABLES_PATH, kRequired[i]))
            return -1;
    }

    /* The mangle table may be unsupported by the kernel; ignore errors. */
    runCmd(IPTABLES_PATH, "-t mangle -F FORWARD");

    /* Rebuild the v4/v6 policy-routing rules; results are not checked. */
    static const char* const kRouting[] = {
        "rule flush",
        "-6 rule flush",
        "rule add from all lookup default prio 32767",
        "rule add from all lookup main prio 32766",
        "-6 rule add from all lookup default prio 32767",
        "-6 rule add from all lookup main prio 32766",
        "route flush cache",
    };
    const int routingCount = sizeof(kRouting) / sizeof(kRouting[0]);

    for (int i = 0; i < routingCount; i++)
        runCmd(IP_PATH, kRouting[i]);

    natCount = 0;

    setupOemIptablesHook();
    return 0;
}
/*
 * (Re)initialise bandwidth control from a clean slate.
 *
 * All in-memory bookkeeping is dropped first, then the iptables state is
 * rebuilt in three phases: IPT_CLEANUP_COMMANDS and IPT_SETUP_COMMANDS run
 * with RunCmdFailureOk (individual commands may fail), while
 * IPT_BASIC_ACCOUNTING_COMMANDS runs with RunCmdFailureBad and its result is
 * what this method returns. The OEM hook runs regardless of that result.
 *
 * Returns the result of the accounting phase (0 on success).
 *
 * NOTE(review): this definition takes no parameters, yet CommandListener's
 * constructor on this page calls enableBandwidthControl(false); the two
 * snippets may come from different revisions — confirm against the header.
 */
int BandwidthController::enableBandwidthControl(void) {
    /* Forget every quota, alert and naughty-app entry we knew about. */
    sharedQuotaIfaces.clear();
    quotaIfaces.clear();
    naughtyAppUids.clear();
    globalAlertBytes = 0;
    globalAlertTetherCount = 0;
    sharedQuotaBytes = 0;
    sharedAlertBytes = 0;

    /* Phases 1 and 2 are best-effort. */
    const int cleanupCount = sizeof(IPT_CLEANUP_COMMANDS) / sizeof(char*);
    runCommands(cleanupCount, IPT_CLEANUP_COMMANDS, RunCmdFailureOk);

    const int setupCount = sizeof(IPT_SETUP_COMMANDS) / sizeof(char*);
    runCommands(setupCount, IPT_SETUP_COMMANDS, RunCmdFailureOk);

    /* Phase 3 must succeed; its result is the method's result. */
    const int accountingCount =
            sizeof(IPT_BASIC_ACCOUNTING_COMMANDS) / sizeof(char*);
    const int res = runCommands(accountingCount, IPT_BASIC_ACCOUNTING_COMMANDS,
            RunCmdFailureBad);

    setupOemIptablesHook();

    return res;
}
/*
 * Construct the netd command listener.
 *
 * Registers one command handler per subsystem, lazily creates the shared
 * controller singletons (the static s*Ctrl pointers are only allocated while
 * still null), creates the per-module child chains in iptables, and then lets
 * each module install its own hooks.
 *
 * Ordering matters in two places: sSecondaryTableCtrl must exist before
 * sNatCtrl is constructed (it is passed to NatController's constructor), and
 * the setupIptablesHooks() calls are made in the order the comments below
 * describe, since no DROP/REJECT is allowed later in hook order.
 *
 * NOTE(review): the command objects and controllers are allocated with new
 * and never deleted here; presumably FrameworkListener takes ownership of the
 * commands and the controllers live for the process lifetime — confirm.
 */
CommandListener::CommandListener() :
                 FrameworkListener("netd", true) {
    // One handler object per netd command family.
    registerCmd(new InterfaceCmd());
    registerCmd(new IpFwdCmd());
    registerCmd(new TetherCmd());
    registerCmd(new NatCmd());
    registerCmd(new ListTtysCmd());
    registerCmd(new PppdCmd());
    registerCmd(new SoftapCmd());
    registerCmd(new BandwidthControlCmd());
    registerCmd(new IdletimerControlCmd());
    registerCmd(new ResolverCmd());
    registerCmd(new FirewallCmd());

    // Controllers sit behind static pointers; only allocate the ones that
    // have not been created yet.
    if (!sSecondaryTableCtrl)
        sSecondaryTableCtrl = new SecondaryTableController();
    if (!sTetherCtrl)
        sTetherCtrl = new TetherController();
    // Depends on sSecondaryTableCtrl having been created just above.
    if (!sNatCtrl)
        sNatCtrl = new NatController(sSecondaryTableCtrl);
    if (!sPppCtrl)
        sPppCtrl = new PppController();
    if (!sSoftapCtrl)
        sSoftapCtrl = new SoftapController();
    if (!sBandwidthCtrl)
        sBandwidthCtrl = new BandwidthController();
    if (!sIdletimerCtrl)
        sIdletimerCtrl = new IdletimerController();
    if (!sResolverCtrl)
        sResolverCtrl = new ResolverController();
    if (!sFirewallCtrl)
        sFirewallCtrl = new FirewallController();
    if (!sInterfaceCtrl)
        sInterfaceCtrl = new InterfaceController();

    /*
     * This is the only time we touch top-level chains in iptables; controllers
     * should only mutate rules inside of their children chains, as created by
     * the constants above.
     *
     * Modules should never ACCEPT packets (except in well-justified cases);
     * they should instead defer to any remaining modules using RETURN, or
     * otherwise DROP/REJECT.
     */

    // Create chains for children modules. filter/raw/mangle chains are made
    // for both address families; the nat table chains are IPv4 only.
    createChildChains(V4V6, "filter", "INPUT", FILTER_INPUT);
    createChildChains(V4V6, "filter", "FORWARD", FILTER_FORWARD);
    createChildChains(V4V6, "filter", "OUTPUT", FILTER_OUTPUT);
    createChildChains(V4V6, "raw", "PREROUTING", RAW_PREROUTING);
    createChildChains(V4V6, "mangle", "POSTROUTING", MANGLE_POSTROUTING);
    createChildChains(V4, "nat", "PREROUTING", NAT_PREROUTING);
    createChildChains(V4, "nat", "POSTROUTING", NAT_POSTROUTING);

    // Let each module setup their child chains
    setupOemIptablesHook();

    /* When enabled, DROPs all packets except those matching rules. */
    sFirewallCtrl->setupIptablesHooks();

    /* Does DROPs in FORWARD by default */
    sNatCtrl->setupIptablesHooks();
    /*
     * Does REJECT in INPUT, OUTPUT. Does counting also.
     * No DROP/REJECT allowed later in netfilter-flow hook order.
     */
    sBandwidthCtrl->setupIptablesHooks();
    /*
     * Counts in nat: PREROUTING, POSTROUTING.
     * No DROP/REJECT allowed later in netfilter-flow hook order.
     */
    sIdletimerCtrl->setupIptablesHooks();

    // The return value is discarded, so a failure to install the accounting
    // rules at startup is not surfaced by the constructor.
    // NOTE(review): this call passes an argument, while the definition of
    // enableBandwidthControl elsewhere on this page takes (void) — the
    // snippets may be from different revisions; confirm against the header.
    sBandwidthCtrl->enableBandwidthControl(false);
}