/*
 * Tear down the bandwidth-accounting rules.
 *
 * Every entry of IPT_CLEANUP_COMMANDS is run with RunCmdFailureOk: a chain
 * that was never created, or that was already removed by an earlier
 * disable, must not abort the teardown. The OEM hook is re-run afterwards
 * so that any vendor rules are re-applied on top of the cleaned-up tables.
 *
 * Always returns 0; cleanup failures are deliberately not reported.
 */
int BandwidthController::disableBandwidthControl(void) {
    const int cleanupCount = sizeof(IPT_CLEANUP_COMMANDS) / sizeof(char*);

    /* Best effort: individual cleanup commands are allowed to fail. */
    runCommands(cleanupCount, IPT_CLEANUP_COMMANDS, RunCmdFailureOk);

    setupOemIptablesHook();
    return 0;
}
/*
 * Reset the NAT-related iptables state to a known baseline.
 *
 * The host itself may send and receive (INPUT/OUTPUT ACCEPT), but nothing
 * is forwarded between interfaces until a NAT rule explicitly allows it
 * (FORWARD DROP). The FORWARD policy is set to DROP *before* the chain is
 * flushed, so the flush never leaves forwarding open. The mandatory
 * commands must all succeed; the remaining ones are best effort.
 *
 * Returns 0 on success, -1 if any mandatory iptables command fails
 * (later commands are not attempted in that case).
 */
int NatController::setDefaults() {
    /* Each of these must succeed, in this order. */
    static const char *const kMandatory[] = {
        "-P INPUT ACCEPT",
        "-P OUTPUT ACCEPT",
        "-P FORWARD DROP",
        "-F FORWARD",
        "-t nat -F",
    };
    const unsigned mandatoryCount = sizeof(kMandatory) / sizeof(kMandatory[0]);
    for (unsigned i = 0; i < mandatoryCount; ++i) {
        if (runCmd(IPTABLES_PATH, kMandatory[i]))
            return -1;
    }

    /* The mangle table may not be supported by the kernel: ignore errors. */
    runCmd(IPTABLES_PATH, "-t mangle -F FORWARD");

    /*
     * Rebuild the policy-routing rule tables (v4 and v6) from scratch:
     * flush, then re-add the main/default lookups at their conventional
     * low priorities. Also best effort.
     */
    static const char *const kRouting[] = {
        "rule flush",
        "-6 rule flush",
        "rule add from all lookup default prio 32767",
        "rule add from all lookup main prio 32766",
        "-6 rule add from all lookup default prio 32767",
        "-6 rule add from all lookup main prio 32766",
        "route flush cache",
    };
    const unsigned routingCount = sizeof(kRouting) / sizeof(kRouting[0]);
    for (unsigned i = 0; i < routingCount; ++i) {
        runCmd(IP_PATH, kRouting[i]);
    }

    /* FORWARD and nat have been flushed, so no NAT pairs remain active. */
    natCount = 0;

    /* Give the OEM hook a chance to re-apply its rules on the fresh tables. */
    setupOemIptablesHook();
    return 0;
}
/*
 * (Re)install the bandwidth-accounting rules from scratch.
 *
 * All per-interface and per-uid bookkeeping is dropped first so that the
 * rules installed below are the only state the controller believes is in
 * effect. Cleanup and setup commands are best effort; only the basic
 * accounting commands are required to succeed.
 *
 * Returns the result of the basic accounting commands (0 on success), as
 * reported by runCommands() with RunCmdFailureBad.
 *
 * NOTE(review): elsewhere in this listing the CommandListener constructor
 * calls enableBandwidthControl(false), while this definition takes no
 * argument — confirm which signature is current.
 */
int BandwidthController::enableBandwidthControl(void) {
    /* Start from a clean slate. */
    naughtyAppUids.clear();
    quotaIfaces.clear();
    sharedQuotaIfaces.clear();
    sharedQuotaBytes = 0;
    sharedAlertBytes = 0;
    globalAlertBytes = 0;
    globalAlertTetherCount = 0;

    /* Remove any leftovers, then create the chains; both may partly fail. */
    const int cleanupCount = sizeof(IPT_CLEANUP_COMMANDS) / sizeof(char*);
    runCommands(cleanupCount, IPT_CLEANUP_COMMANDS, RunCmdFailureOk);

    const int setupCount = sizeof(IPT_SETUP_COMMANDS) / sizeof(char*);
    runCommands(setupCount, IPT_SETUP_COMMANDS, RunCmdFailureOk);

    /* The accounting rules themselves are mandatory. */
    const int accountingCount =
            sizeof(IPT_BASIC_ACCOUNTING_COMMANDS) / sizeof(char*);
    const int res = runCommands(accountingCount, IPT_BASIC_ACCOUNTING_COMMANDS,
                                RunCmdFailureBad);

    /* Let the OEM hook re-apply its rules on top of the new chains. */
    setupOemIptablesHook();
    return res;
}
/*
 * Build the netd command listener.
 *
 * Registers every command handler, lazily creates the singleton
 * controllers, and performs the one-time iptables bootstrap: the
 * top-level chains get a child chain per module, and each module then
 * installs its own rules only inside its child chain.
 *
 * The order of the setupIptablesHooks() calls below is significant: the
 * existing comments record which modules may DROP/REJECT and that no
 * DROP/REJECT is allowed later in the netfilter-flow hook order, so do not
 * reorder them without revisiting that contract.
 */
CommandListener::CommandListener() :
                 FrameworkListener("netd", true) {
    // Command handlers. Allocated with new and handed to registerCmd();
    // presumably FrameworkListener takes ownership — verify against its
    // implementation.
    registerCmd(new InterfaceCmd());
    registerCmd(new IpFwdCmd());
    registerCmd(new TetherCmd());
    registerCmd(new NatCmd());
    registerCmd(new ListTtysCmd());
    registerCmd(new PppdCmd());
    registerCmd(new SoftapCmd());
    registerCmd(new BandwidthControlCmd());
    registerCmd(new IdletimerControlCmd());
    registerCmd(new ResolverCmd());
    registerCmd(new FirewallCmd());

    // Singleton controllers: created on first construction only and never
    // deleted anywhere in this listing (process lifetime). The NAT
    // controller depends on the secondary table controller, hence the order.
    if (!sSecondaryTableCtrl)
        sSecondaryTableCtrl = new SecondaryTableController();
    if (!sTetherCtrl)
        sTetherCtrl = new TetherController();
    if (!sNatCtrl)
        sNatCtrl = new NatController(sSecondaryTableCtrl);
    if (!sPppCtrl)
        sPppCtrl = new PppController();
    if (!sSoftapCtrl)
        sSoftapCtrl = new SoftapController();
    if (!sBandwidthCtrl)
        sBandwidthCtrl = new BandwidthController();
    if (!sIdletimerCtrl)
        sIdletimerCtrl = new IdletimerController();
    if (!sResolverCtrl)
        sResolverCtrl = new ResolverController();
    if (!sFirewallCtrl)
        sFirewallCtrl = new FirewallController();
    if (!sInterfaceCtrl)
        sInterfaceCtrl = new InterfaceController();

    /*
     * This is the only time we touch top-level chains in iptables; controllers
     * should only mutate rules inside of their children chains, as created by
     * the constants above.
     *
     * Modules should never ACCEPT packets (except in well-justified cases);
     * they should instead defer to any remaining modules using RETURN, or
     * otherwise DROP/REJECT.
     */

    // Create chains for children modules. The filter, raw and mangle chains
    // exist for both IPv4 and IPv6; the nat chains are IPv4 only.
    createChildChains(V4V6, "filter", "INPUT", FILTER_INPUT);
    createChildChains(V4V6, "filter", "FORWARD", FILTER_FORWARD);
    createChildChains(V4V6, "filter", "OUTPUT", FILTER_OUTPUT);
    createChildChains(V4V6, "raw", "PREROUTING", RAW_PREROUTING);
    createChildChains(V4V6, "mangle", "POSTROUTING", MANGLE_POSTROUTING);
    createChildChains(V4, "nat", "PREROUTING", NAT_PREROUTING);
    createChildChains(V4, "nat", "POSTROUTING", NAT_POSTROUTING);

    // Let each module setup their child chains; the OEM hook goes first.
    setupOemIptablesHook();

    /* When enabled, DROPs all packets except those matching rules. */
    sFirewallCtrl->setupIptablesHooks();

    /* Does DROPs in FORWARD by default */
    sNatCtrl->setupIptablesHooks();

    /*
     * Does REJECT in INPUT, OUTPUT. Does counting also.
     * No DROP/REJECT allowed later in netfilter-flow hook order.
     */
    sBandwidthCtrl->setupIptablesHooks();

    /*
     * Counts in nat: PREROUTING, POSTROUTING.
     * No DROP/REJECT allowed later in netfilter-flow hook order.
     */
    sIdletimerCtrl->setupIptablesHooks();

    // NOTE(review): the BandwidthController::enableBandwidthControl
    // definition shown earlier in this listing takes no argument; this call
    // passes false — confirm which version of the signature is current.
    sBandwidthCtrl->enableBandwidthControl(false);
}