platform_system_netd/server/IptablesRestoreController.cpp, branch master Unnamed repository; edit this file 'description' to name the repository. IptablesRestoreController - work around for ALOGE truncation 2020-05-29T23:59:06+00:00 Maciej Żenczykowski maze@google.com 2020-05-28T19:13:08+00:00 4c02060808cff28704e920da82fc454aaff2fd1e Test: builds, atest, log at logcat Bug: 157777758 Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: Ic9a4a8228028228020bea3101dca3d47be0e6ab5 
Test: builds, atest, log at logcat
Bug: 157777758
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ic9a4a8228028228020bea3101dca3d47be0e6ab5
Enable more clang-tidy checks and treat them as errors 2019-02-01T11:07:56+00:00 Bernie Innocenti codewiz@google.com 2019-01-30T13:40:53+00:00 a5161a006c572aeb82b012df5dd8bcf4533b64c7 Test: tests/runtests.sh Change-Id: If59480cee6460847f5c1cef17e3ef036b8e75651 
Test: tests/runtests.sh
Change-Id: If59480cee6460847f5c1cef17e3ef036b8e75651
Let lock_guard deduce its template argument 2018-08-10T07:21:24+00:00 Bernie Innocenti codewiz@google.com 2018-08-10T06:17:16+00:00 abf8a346f81f6e16a543892ba9ece6a4750ede9f No functional change, this is a cleanup. With C++17, it's no longer necessary to specify the teplate argument when it can be deduced from the types of constructor arguments. This allows de-cluttering our locking statements. To avoid typos, this patch was mechanically generated: perl -p -i -e 's/std::lock_guard<std::mutex>/std::lock_guard/g' \ $(find . -name '*.cpp' -o -name '*.h') Change-Id: Ibb15d9a6c5b1c861d81353e47d25474eb1d4c2df 
No functional change, this is a cleanup.

With C++17, it's no longer necessary to specify the teplate argument
when it can be deduced from the types of constructor arguments. This
allows de-cluttering our locking statements.

To avoid typos, this patch was mechanically generated:

  perl -p -i -e 's/std::lock_guard<std::mutex>/std::lock_guard/g' \
    $(find . -name '*.cpp' -o -name '*.h')

Change-Id: Ibb15d9a6c5b1c861d81353e47d25474eb1d4c2df
Open iptables-restore pipes with O_CLOEXEC. 2017-08-28T09:23:22+00:00 Lorenzo Colitti lorenzo@google.com 2017-08-28T09:17:56+00:00 cd0fa850d8cd05310be9b49750455dfd2e1802b0 This improves security and reliability, and also avoids keeping superflous fds open in iptables-restore processes: the pipe fds that are dup2()d are never closed. Bug: 28362720 Test: bullhead builds, boots Test: netd_{unit,integration}_test pass Change-Id: Ifb57082a6c711f0684fc37a254076e84ad097b6e 
This improves security and reliability, and also avoids keeping
superflous fds open in iptables-restore processes: the pipe fds
that are dup2()d are never closed.

Bug: 28362720
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Change-Id: Ifb57082a6c711f0684fc37a254076e84ad097b6e
Don't start iptables and ip6tables on parallel threads. 2017-08-28T05:12:44+00:00 Lorenzo Colitti lorenzo@google.com 2017-08-28T02:59:51+00:00 f9bae84e5faa86ce0cb6ffdfbeb04aec0c09631e This still ensures that the child processes initialize in parallel (which is the slow part of starting them, since forkAndExec itself is sub-millisecond), but it does not fork them in parallel. Forking them in parallel is incorrect because forkAndExec first creates pipes, then forks, then closes the pipes. If this is done in parallel on two threads, the following can happen: 1. Create pipes to subprocess A. 2. Create pipes to subprocess B. 3. Fork process A. 4. Fork process B. 5. Close child end of pipes to subprocess A. 6. Close child end of pipes to subprocess B. If this happens, then the subprocess B will inherit all the fds of the pipes to subprocess A in addition to its own. This includes the read end of the pipe that netd uses to send commands to subprocess A, and the write ends of the pipes that netd uses to receive subprocess A's stdout and stderr. Subprocess B never reads or writes to these fds because it never dup2()s them to stdin/stdout/stderr before calling exec(). However, it also never closes them. Therefore, if process A dies (e.g., due to an invalid command), then netd will never receive a POLLHUP on the read ends or a POLLERR on the write end of these pipes. This means that: 1. The invalid command to subprocess A will time out (imposing a 5-second delay) instead of failing fast. 2. Even though the timeout causes us to call stop() on subprocess A, and stop() causes processTerminated to be set to true, sendCommand does not check processTerminated, it only checks outputReady. Therefore, when we get told to send another command to subprocess A, if subprocess B is still around, outputReady will return true. The result is that we do not fork a new subprocess to replace subprocess A. These effects caused flakiness of TestRestartOnMalformedCommand and a latency hit to the first invalid command sent after boot. Bug: 28362720 Bug: 64687442 Test: bullhead builds, boots Test: netd_{unit,integration}_test pass Test: TestRestartOnMalformedCommand passes 100 times in a row Change-Id: I117359b9ca9c82dd676608100fed6957c9a93c92 
This still ensures that the child processes initialize in
parallel (which is the slow part of starting them, since
forkAndExec itself is sub-millisecond), but it does not fork them
in parallel.

Forking them in parallel is incorrect because forkAndExec first
creates pipes, then forks, then closes the pipes. If this is done
in parallel on two threads, the following can happen:

1. Create pipes to subprocess A.
2. Create pipes to subprocess B.
3. Fork process A.
4. Fork process B.
5. Close child end of pipes to subprocess A.
6. Close child end of pipes to subprocess B.

If this happens, then the subprocess B will inherit all the fds
of the pipes to subprocess A in addition to its own. This
includes the read end of the pipe that netd uses to send commands
to subprocess A, and the write ends of the pipes that netd uses
to receive subprocess A's stdout and stderr. Subprocess B never
reads or writes to these fds because it never dup2()s them to
stdin/stdout/stderr before calling exec(). However, it also never
closes them. Therefore, if process A dies (e.g., due to an
invalid command), then netd will never receive a POLLHUP on the
read ends or a POLLERR on the write end of these pipes.

This means that:

1. The invalid command to subprocess A will time out (imposing a
   5-second delay) instead of failing fast.
2. Even though the timeout causes us to call stop() on subprocess
   A, and stop() causes processTerminated to be set to true,
   sendCommand does not check processTerminated, it only checks
   outputReady. Therefore, when we get told to send another
   command to subprocess A, if subprocess B is still around,
   outputReady will return true. The result is that we do not
   fork a new subprocess to replace subprocess A.

These effects caused flakiness of TestRestartOnMalformedCommand
and a latency hit to the first invalid command sent after boot.

Bug: 28362720
Bug: 64687442
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Test: TestRestartOnMalformedCommand passes 100 times in a row
Change-Id: I117359b9ca9c82dd676608100fed6957c9a93c92
Test for races in IptablesRestoreController::Init. 2017-08-14T02:41:53+00:00 Lorenzo Colitti lorenzo@google.com 2017-08-14T02:38:18+00:00 2103b6ba8eb494e173b560c48319b4fba6821185 Bug: 28362720 Test: angler builds, boots Test: netd_{unit,integration}_test pass Change-Id: I73ed28c7e7edaeb65a3b346b89ec69f472fd5974 
Bug: 28362720
Test: angler builds, boots
Test: netd_{unit,integration}_test pass
Change-Id: I73ed28c7e7edaeb65a3b346b89ec69f472fd5974
Start the iptables and ip6tables processes in parallel. 2017-08-10T09:31:44+00:00 Lorenzo Colitti lorenzo@google.com 2017-08-09T07:45:19+00:00 4e9ffd6e15564a3d38a83361e336fe61bfa608ef This saves ~30ms on boot. There should be no races between the threads that start the and the main thread because pthread_join is documented to synchronize memory with respect to other threads. Bug: 28362720 Test: bullhead builds, boots Test: netd_{unit,integration}_test pass Change-Id: I24d83b880bd011bc801178f57f46d90f36621f9f 
This saves ~30ms on boot.

There should be no races between the threads that start the
and the main thread because pthread_join is documented to
synchronize memory with respect to other threads.

Bug: 28362720
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Change-Id: I24d83b880bd011bc801178f57f46d90f36621f9f
Improve iptables timeout behaviour. 2017-03-01T07:38:23+00:00 Lorenzo Colitti lorenzo@google.com 2017-02-27T16:47:11+00:00 a701afb86ea96820c1c916cc374619901927c61a 1. Increase the default timeout from 1s to 5s. This is necessary for as long as our version of iptables sleeps for 1 second at a time while the iptables lock is contended. 2. When a timeout occurs, kill the process to ensure that if it recovers, any output is not returned to subsequent commands. Add corresponding unit tests. While I'm at it: - Ensure that iptables commands that take an output string clear the output string before appending to it. Otherwise, callers that passed the same output string object to two separate iptables commands would think the second command returned both outputs. This does not affect any existing callers. - Delete some unused code. Bug: 35634318 Test: netd_{unit,integration}_test pass Change-Id: Ife3dfd328ea82f2e93fb903fcf3660a13078b7b5 
1. Increase the default timeout from 1s to 5s. This is necessary
   for as long as our version of iptables sleeps for 1 second at
   a time while the iptables lock is contended.
2. When a timeout occurs, kill the process to ensure that if it
   recovers, any output is not returned to subsequent commands.

Add corresponding unit tests.

While I'm at it:

- Ensure that iptables commands that take an output string clear
  the output string before appending to it. Otherwise, callers
  that passed the same output string object to two separate
  iptables commands would think the second command returned both
  outputs. This does not affect any existing callers.
- Delete some unused code.

Bug: 35634318
Test: netd_{unit,integration}_test pass
Change-Id: Ife3dfd328ea82f2e93fb903fcf3660a13078b7b5
Delete all EOTs in iptables commands and remove fixCommandString. 2017-02-10T02:41:27+00:00 Lorenzo Colitti lorenzo@google.com 2017-02-10T02:01:08+00:00 20b128bc0d3964b59a021043d028364ef8fa6011 Test: bullead builds and boots with no iptables errors Test: netd_{unit,integration}_test pass Bug: 32323979 Change-Id: I33ad04ee8f0562bcd4e14046352c934cd2039a5d 
Test: bullead builds and boots with no iptables errors
Test: netd_{unit,integration}_test pass
Bug: 32323979
Change-Id: I33ad04ee8f0562bcd4e14046352c934cd2039a5d
Improve IptablesRestoreController error logging. 2017-02-10T02:39:45+00:00 Lorenzo Colitti lorenzo@google.com 2017-02-03T07:05:28+00:00 2509142ad3092abd3256658d284c9339a549e234 - Switch tag from /system/bin/netd to IptablesController for consistency. - When a command fails, include the command that caused the error in addition to the error itself. Example output: 02-03 16:35:01.044 17129 17129 E IptablesRestoreController: iptables error: 02-03 16:35:01.044 17129 17129 E IptablesRestoreController: ------- COMMAND ------- 02-03 16:35:01.044 17129 17129 E IptablesRestoreController: *filter 02-03 16:35:01.044 17129 17129 E IptablesRestoreController: :natctrl_tether_counters - 02-03 16:35:01.044 17129 17129 E IptablesRestoreController: badbadbadbad 02-03 16:35:01.044 17129 17129 E IptablesRestoreController: COMMIT 02-03 16:35:01.044 17129 17129 E IptablesRestoreController: 02-03 16:35:01.044 17129 17129 E IptablesRestoreController: ------- ERROR ------- 02-03 16:35:01.044 17129 17129 E IptablesRestoreController: Bad argument `badbadbadbad' 02-03 16:35:01.044 17129 17129 E IptablesRestoreController: Error occurred at line: 112 02-03 16:35:01.044 17129 17129 E IptablesRestoreController: Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information. 02-03 16:35:01.044 17129 17129 E IptablesRestoreController: ---------------------- Test: added an invalid command to NatController, observed above log messages Bug: 32323979 Change-Id: I0c1c37464f5b19c64d6e043aef8704285df4c508 
- Switch tag from /system/bin/netd to IptablesController for
  consistency.
- When a command fails, include the command that caused the error
  in addition to the error itself.

Example output:

02-03 16:35:01.044 17129 17129 E IptablesRestoreController: iptables error:
02-03 16:35:01.044 17129 17129 E IptablesRestoreController: ------- COMMAND -------
02-03 16:35:01.044 17129 17129 E IptablesRestoreController: *filter
02-03 16:35:01.044 17129 17129 E IptablesRestoreController: :natctrl_tether_counters -
02-03 16:35:01.044 17129 17129 E IptablesRestoreController: badbadbadbad
02-03 16:35:01.044 17129 17129 E IptablesRestoreController: COMMIT
02-03 16:35:01.044 17129 17129 E IptablesRestoreController:
02-03 16:35:01.044 17129 17129 E IptablesRestoreController: ------- ERROR -------
02-03 16:35:01.044 17129 17129 E IptablesRestoreController: Bad argument `badbadbadbad'
02-03 16:35:01.044 17129 17129 E IptablesRestoreController: Error occurred at line: 112
02-03 16:35:01.044 17129 17129 E IptablesRestoreController: Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
02-03 16:35:01.044 17129 17129 E IptablesRestoreController: ----------------------

Test: added an invalid command to NatController, observed above log messages
Bug: 32323979
Change-Id: I0c1c37464f5b19c64d6e043aef8704285df4c508