authorNilesh Poddar <npoddar@codeaurora.org>2014-12-19 10:43:30 -0800
committerSteve Kondik <steve@cyngn.com>2015-03-31 19:25:35 -0700
commit4cf5826f5e514cd80a3fcccdda7f58584b4bdd24 (patch)
tree2de8f4a5115b25b935e9c0bc1c5c8150ba7ee731
parent01df09d344d244a57c762763ff033e66068eedcf (diff)
netd: Fix concurrency error for iptables commandstable/cm-12.1-YOG7Dstable/cm-12.1-YOG4Pstable/cm-12.1-YOG3Ccm-12.1
When multiple user-space processes run iptables commands concurrently, iptables exits immediately because it fails to acquire its lock. CRs-Fixed: 747905 Change-Id: I77cb377eac885139b0b08b13bb5b5388a52e2ce3
-rwxr-xr-xserver/CommandListener.cpp10
-rw-r--r--server/FirewallController.cpp28
-rw-r--r--server/RouteController.cpp2
3 files changed, 20 insertions, 20 deletions
diff --git a/server/CommandListener.cpp b/server/CommandListener.cpp
index 0006c712..db5a129c 100755
--- a/server/CommandListener.cpp
+++ b/server/CommandListener.cpp
@@ -168,11 +168,11 @@ static void createChildChains(IptablesTarget target, const char* table, const ch
// -N to create the chain
// -A to append the chain to parent
- execIptablesSilently(target, "-t", table, "-D", parentChain, "-j", *childChain, NULL);
- execIptablesSilently(target, "-t", table, "-F", *childChain, NULL);
- execIptablesSilently(target, "-t", table, "-X", *childChain, NULL);
- execIptables(target, "-t", table, "-N", *childChain, NULL);
- execIptables(target, "-t", table, "-A", parentChain, "-j", *childChain, NULL);
+ execIptablesSilently(target, "-w", "-t", table, "-D", parentChain, "-j", *childChain, NULL);
+ execIptablesSilently(target, "-w", "-t", table, "-F", *childChain, NULL);
+ execIptablesSilently(target, "-w", "-t", table, "-X", *childChain, NULL);
+ execIptables(target, "-w", "-t", table, "-N", *childChain, NULL);
+ execIptables(target, "-w", "-t", table, "-A", parentChain, "-j", *childChain, NULL);
} while (*(++childChain) != NULL);
}
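Review bot: Spelling `"-w"` out at every call site only closes the race for the invocations this diff touches; per the diffstat only three files change, so if netd has any other caller of execIptables or execIptablesSilently it still exits on lock contention exactly as before. Prepending `"-w"` once inside those two helpers would cover every caller, keep the chain setup lines here as they were, and make it impossible to forget the flag in a future call. The createChildChains body begins before this hunk, as the hunk header shows.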
diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
index 17c6da42..b3571d19 100644
--- a/server/FirewallController.cpp
+++ b/server/FirewallController.cpp
@@ -45,9 +45,9 @@ int FirewallController::enableFirewall(void) {
disableFirewall();
// create default rule to drop all traffic
- res |= execIptables(V4V6, "-A", LOCAL_INPUT, "-j", "DROP", NULL);
- res |= execIptables(V4V6, "-A", LOCAL_OUTPUT, "-j", "REJECT", NULL);
- res |= execIptables(V4V6, "-A", LOCAL_FORWARD, "-j", "REJECT", NULL);
+ res |= execIptables(V4V6, "-w", "-A", LOCAL_INPUT, "-j", "DROP", NULL);
+ res |= execIptables(V4V6, "-w", "-A", LOCAL_OUTPUT, "-j", "REJECT", NULL);
+ res |= execIptables(V4V6, "-w", "-A", LOCAL_FORWARD, "-j", "REJECT", NULL);
return res;
}
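Review bot: If the iptables binary bundled with the platform predates 1.4.20, `-w` is rejected as an unknown option and all three of these commands fail, so enableFirewall returns non-zero and the default DROP/REJECT rules are simply absent, which is a worse failure than the intermittent lock error being fixed. The flag's availability should be pinned by the build (a minimum iptables version) or probed once at startup rather than assumed at each call, and since the only signal here is the OR-ed `res`, the caller should treat a non-zero return as "firewall not enabled" rather than as a transient error. enableFirewall's signature is outside this hunk.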
@@ -56,9 +56,9 @@ int FirewallController::disableFirewall(void) {
int res = 0;
// flush any existing rules
- res |= execIptables(V4V6, "-F", LOCAL_INPUT, NULL);
- res |= execIptables(V4V6, "-F", LOCAL_OUTPUT, NULL);
- res |= execIptables(V4V6, "-F", LOCAL_FORWARD, NULL);
+ res |= execIptables(V4V6, "-w", "-F", LOCAL_INPUT, NULL);
+ res |= execIptables(V4V6, "-w", "-F", LOCAL_OUTPUT, NULL);
+ res |= execIptables(V4V6, "-w", "-F", LOCAL_FORWARD, NULL);
return res;
}
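Review bot: A bare `-w` waits for the xtables lock with no timeout, so if another process holds the lock indefinitely these flush commands block the calling thread for as long as it is held, turning the old fast failure into a hang of whatever netd serializes behind this call. Newer iptables builds accept an optional seconds value with `-w`; where the bundled version supports it, a bounded wait keeps a stuck lock holder from wedging the daemon, and the intent deserves a comment at the call or helper: `// -w: wait for the xtables lock instead of failing when another process holds it`. disableFirewall's signature is outside this hunk.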
@@ -82,8 +82,8 @@ int FirewallController::setInterfaceRule(const char* iface, FirewallRule rule) {
}
int res = 0;
- res |= execIptables(V4V6, op, LOCAL_INPUT, "-i", iface, "-j", "RETURN", NULL);
- res |= execIptables(V4V6, op, LOCAL_OUTPUT, "-o", iface, "-j", "RETURN", NULL);
+ res |= execIptables(V4V6, "-w", op, LOCAL_INPUT, "-i", iface, "-j", "RETURN", NULL);
+ res |= execIptables(V4V6, "-w", op, LOCAL_OUTPUT, "-o", iface, "-j", "RETURN", NULL);
return res;
}
@@ -101,8 +101,8 @@ int FirewallController::setEgressSourceRule(const char* addr, FirewallRule rule)
}
int res = 0;
- res |= execIptables(target, op, LOCAL_INPUT, "-d", addr, "-j", "RETURN", NULL);
- res |= execIptables(target, op, LOCAL_OUTPUT, "-s", addr, "-j", "RETURN", NULL);
+ res |= execIptables(target, "-w", op, LOCAL_INPUT, "-d", addr, "-j", "RETURN", NULL);
+ res |= execIptables(target, "-w", op, LOCAL_OUTPUT, "-s", addr, "-j", "RETURN", NULL);
return res;
}
@@ -127,9 +127,9 @@ int FirewallController::setEgressDestRule(const char* addr, int protocol, int po
}
int res = 0;
- res |= execIptables(target, op, LOCAL_INPUT, "-s", addr, "-p", protocolStr,
+ res |= execIptables(target, "-w", op, LOCAL_INPUT, "-s", addr, "-p", protocolStr,
"--sport", portStr, "-j", "RETURN", NULL);
- res |= execIptables(target, op, LOCAL_OUTPUT, "-d", addr, "-p", protocolStr,
+ res |= execIptables(target, "-w", op, LOCAL_OUTPUT, "-d", addr, "-p", protocolStr,
"--dport", portStr, "-j", "RETURN", NULL);
return res;
}
@@ -146,9 +146,9 @@ int FirewallController::setUidRule(int uid, FirewallRule rule) {
}
int res = 0;
- res |= execIptables(V4V6, op, LOCAL_INPUT, "-m", "owner", "--uid-owner", uidStr,
+ res |= execIptables(V4V6, "-w", op, LOCAL_INPUT, "-m", "owner", "--uid-owner", uidStr,
"-j", "RETURN", NULL);
- res |= execIptables(V4V6, op, LOCAL_OUTPUT, "-m", "owner", "--uid-owner", uidStr,
+ res |= execIptables(V4V6, "-w", op, LOCAL_OUTPUT, "-m", "owner", "--uid-owner", uidStr,
"-j", "RETURN", NULL);
return res;
}
diff --git a/server/RouteController.cpp b/server/RouteController.cpp
index adca0ea0..17aa1e03 100644
--- a/server/RouteController.cpp
+++ b/server/RouteController.cpp
@@ -437,7 +437,7 @@ WARN_UNUSED_RESULT int modifyIncomingPacketMark(unsigned netId, const char* inte
char markString[UINT32_HEX_STRLEN];
snprintf(markString, sizeof(markString), "0x%x", fwmark.intValue);
- if (execIptables(V4V6, "-t", "mangle", add ? "-A" : "-D", "INPUT", "-i", interface, "-j",
+ if (execIptables(V4V6, "-w", "-t", "mangle", add ? "-A" : "-D", "INPUT", "-i", interface, "-j",
"MARK", "--set-mark", markString, NULL)) {
ALOGE("failed to change iptables rule that sets incoming packet mark");
return -EREMOTEIO;