4 * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd. All rights reserved.
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
21 * @file nfacct-restriction.c
23 * @desc Implementation for setting up and tearing down restrictions.
25 * Copyright (c) 2014 Samsung Electronics Co., Ltd. All rights reserved.
30 #include "datausage-common.h"
33 #include "module-data.h"
34 #include "netlink-restriction.h"
35 #include "nfacct-rule.h"
36 #include "resourced.h"
/*
 * Append an nfacct restriction rule for the traffic class described by @rule.
 *
 * Forwards @send_limit and @rcv_limit to produce_net_rule() with
 * NFACCT_ACTION_APPEND and with both NFACCT_COUNTER_IN and
 * NFACCT_COUNTER_OUT set, and returns its result unchanged.
 *
 * @rule is dereferenced without a NULL check, so callers must pass a valid
 * pointer.
 *
 * NOTE(review): the limits are signed ints and are not range-checked here;
 * confirm that produce_net_rule() rejects negative values rather than
 * building a rule from them.
 */
39 static resourced_ret_c apply_net_restriction(struct nfacct_rule *rule,
40 const int send_limit, const int rcv_limit)
/* The jump target follows rule->intend: NFACCT_WARN selects
 * NFACCT_JUMP_ACCEPT (presumably so that a warning rule only accounts
 * traffic and does not stop it - confirm); any other intent takes the
 * second operand of the conditional. */
42 nfacct_rule_jump jump = rule->intend == NFACCT_WARN ? NFACCT_JUMP_ACCEPT :
45 return produce_net_rule(rule, send_limit, rcv_limit,
46 NFACCT_ACTION_APPEND, jump,
47 NFACCT_COUNTER_IN | NFACCT_COUNTER_OUT);
/*
 * Delete a restriction rule previously appended for @rule.
 *
 * Mirrors apply_net_restriction(): the same jump selection and the same
 * counter mask are passed to produce_net_rule(), but with
 * NFACCT_ACTION_DELETE. The result of produce_net_rule() is returned
 * unchanged.
 *
 * @rule is dereferenced without a NULL check, so callers must pass a valid
 * pointer.
 *
 * NOTE(review): presumably the delete only matches when rule->intend and
 * the limits equal the values used when the rule was applied - verify
 * against produce_net_rule(), because a mismatch would leave the original
 * restriction installed.
 */
50 static resourced_ret_c revert_net_restriction(struct nfacct_rule *rule,
51 const int send_limit, const int rcv_limit)
/* Same jump selection as on the apply path: NFACCT_WARN selects
 * NFACCT_JUMP_ACCEPT, any other intent takes the second operand. */
53 nfacct_rule_jump jump = rule->intend == NFACCT_WARN ? NFACCT_JUMP_ACCEPT :
56 return produce_net_rule(rule, send_limit, rcv_limit,
57 NFACCT_ACTION_DELETE, jump,
58 NFACCT_COUNTER_IN | NFACCT_COUNTER_OUT);
/*
 * Exclude the traffic class described by @rule from restriction by
 * replacing its counter rule with one that jumps to NFACCT_JUMP_ACCEPT.
 *
 * Side effect: rule->intend is overwritten with NFACCT_COUNTER, so the
 * caller's structure is modified.
 *
 * Returns the error from the delete step if it fails, otherwise the result
 * of the insert step.
 *
 * NOTE(review): the replacement is two separate produce_net_rule() calls
 * and is not atomic. If the delete succeeds and the insert fails, the old
 * counter rule is gone and nothing here restores it. If the delete fails,
 * the accept rule is never inserted and the exclusion does not take
 * effect; callers should treat any error as "rule state unknown".
 */
62 static resourced_ret_c exclude_net_restriction(struct nfacct_rule *rule)
64 /* Idea: remove the old counter and insert a new one at the first position.
65 * iptables has the following architecture: it gets all entries from the kernel,
66 * modifies this list and returns it back. Without iptables this could be
67 * done in one step, but with the iptables command two steps are necessary. */
68 rule->intend = NFACCT_COUNTER;
/* Step 1: delete the existing counter rule (limits 0/0, no jump target). */
69 resourced_ret_c ret = produce_net_rule(rule, 0, 0,
70 NFACCT_ACTION_DELETE, NFACCT_JUMP_UNKNOWN,
71 NFACCT_COUNTER_IN | NFACCT_COUNTER_OUT);
/* ret_value_msg_if() is defined outside this file; as used here it is
 * expected to log the message and return its second argument when the
 * condition holds - confirm. */
73 ret_value_msg_if(ret != RESOURCED_ERROR_NONE, ret, "Failed to delete");
/* Step 2: insert the counter again with an ACCEPT jump. */
75 return produce_net_rule(rule, 0, 0,
76 NFACCT_ACTION_INSERT, NFACCT_JUMP_ACCEPT,
77 NFACCT_COUNTER_IN | NFACCT_COUNTER_OUT);
/*
 * Set, unset or exclude a network restriction for one traffic class.
 *
 * @rst_type               RST_SET, RST_UNSET or RST_EXCLUDE.
 * @classid                traffic class the rule applies to; copied into the
 *                         rule without validation in this function.
 * @iftype                 interface type; copied into the rule.
 * @send_limit, @rcv_limit limits used for the NFACCT_BLOCK rule.
 * @snd_warning_threshold, @rcv_warning_threshold
 *                         limits used for the NFACCT_WARN rule.
 *
 * Returns RESOURCED_ERROR_FAIL when the shared module data or the counter
 * is NULL, the error of the first failing rule operation, or
 * RESOURCED_ERROR_NONE.
 *
 * NOTE(review): no step is rolled back on failure, so an error return can
 * leave the WARN and BLOCK rules in a mixed state (see the notes on the
 * individual branches).
 */
80 resourced_ret_c send_net_restriction(const enum traffic_restriction_type rst_type,
81 const u_int32_t classid,
82 const resourced_iface_type iftype,
83 const int send_limit, const int rcv_limit,
84 const int snd_warning_threshold,
85 const int rcv_warning_threshold)
88 struct shared_modules_data *m_data = get_shared_modules_data();
89 struct counter_arg *carg;
90 struct nfacct_rule rule = {
/* Refuse to build any rule without the shared module data and a counter. */
96 ret_value_msg_if(m_data == NULL, RESOURCED_ERROR_FAIL, "Empty shared modules data");
99 ret_value_msg_if(carg == NULL, RESOURCED_ERROR_FAIL, "Empty counter");
102 rule.classid = classid;
103 rule.iftype = iftype;
106 if (rst_type == RST_SET) {
/* The WARN rule is installed only when at least one warning threshold
 * is non-zero. */
107 if (snd_warning_threshold ||
108 rcv_warning_threshold) {
109 rule.intend = NFACCT_WARN;
110 ret = apply_net_restriction(&rule,
111 snd_warning_threshold, rcv_warning_threshold);
112 ret_value_msg_if(ret != RESOURCED_ERROR_NONE, ret,
113 "Can't apply network restriction");
/* The BLOCK rule with the hard limits follows. NOTE(review): if this apply
 * fails after a WARN rule was installed above, the function returns with
 * the WARN rule still in place. */
115 rule.intend = NFACCT_BLOCK;
116 ret = apply_net_restriction(&rule, send_limit, rcv_limit);
117 ret_value_msg_if(ret != RESOURCED_ERROR_NONE, ret,
118 "Can't apply network restriction");
119 } else if (rst_type == RST_UNSET) {
/* Unlike RST_SET, the WARN revert is attempted unconditionally, even when
 * both warning thresholds are zero. NOTE(review): a failure here returns
 * before the BLOCK rule is reverted, so the block stays installed; confirm
 * how produce_net_rule() reports the delete of a rule that was never
 * added. */
120 rule.intend = NFACCT_WARN;
121 ret = revert_net_restriction(&rule,
122 snd_warning_threshold, rcv_warning_threshold);
123 ret_value_msg_if(ret != RESOURCED_ERROR_NONE, ret,
124 "Can't revert network restriction");
125 rule.intend = NFACCT_BLOCK;
126 return revert_net_restriction(&rule, send_limit,
128 } else if (rst_type == RST_EXCLUDE)
129 return exclude_net_restriction(&rule);
/* Reached after a successful RST_SET and also for any rst_type that matched
 * none of the branches above, so an unrecognised request type is reported
 * as success without touching any rule. NOTE(review): consider returning an
 * error for unknown types so a no-op cannot be mistaken for an enforced
 * restriction. */
131 return RESOURCED_ERROR_NONE;