prepare_netlink_msg(req, NFNL_MSG_ACCT_NEW, NLM_F_CREATE | NLM_F_ACK);
add_string_attr(req, counter->name, NFACCT_NAME);
- if (STC_DEBUG_LOG)
- STC_LOGD("counter name %s", counter->name); //LCOV_EXCL_LINE
-
/* padding */
add_uint64_attr(req, 0, NFACCT_PKTS);
add_uint64_attr(req, 0, NFACCT_BYTES);
return STC_ERROR_OUT_OF_MEMORY; //LCOV_EXCL_LINE
}
- if (STC_DEBUG_LOG)
- STC_LOGD("send remove request for %s", counter->name); //LCOV_EXCL_LINE
-
prepare_netlink_msg(req, NFNL_MSG_ACCT_DEL, NLM_F_ACK);
add_string_attr(req, counter->name, NFACCT_NAME);
static stc_iface_type_e convert_to_iftype(int type)
{
return (type < STC_IFACE_LAST_ELEM &&
- type > STC_IFACE_UNKNOWN) ? type : STC_IFACE_UNKNOWN;
+ type > STC_IFACE_UNKNOWN) ? type : STC_IFACE_UNKNOWN;
}
bool recreate_counter_by_name(char *cnt_name, nfacct_rule_s *cnt)
case 'r':
cnt->intend = NFACCT_BLOCK;
break;
+ case 'a':
+ cnt->intend = NFACCT_ALLOW;
+ break;
case 't':
cnt->intend = NFACCT_TETH_COUNTER; //LCOV_EXCL_LINE
break; //LCOV_EXCL_LINE
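Review bot: The new `'a'` case maps back to NFACCT_ALLOW only, while the encoder later in this patch (L156–L167) emits the same letter for both NFACCT_ALLOW and NFACCT_TETH_ALLOW, and likewise 'w' and 'r' for the WARN/BLOCK and TETH_WARN/TETH_BLOCK pairs; only NFACCT_TETH_COUNTER gets its own letter 't'. If recreate_counter_by_name is meant to restore a rule's intend from the counter name (it appears to be, given the name-parsing around it), every tethering allow/warn/block rule read back from the kernel will be reconstructed as a non-tethering rule, so it would then be routed to the normal chain rather than STC_TETHER_CHAIN (L56–L61). Either give the tethering variants distinct symbols in the encoder, or document the lossy mapping at the top of the switch, e.g. `/* tethering allow/warn/block share the non-tethering symbols; the TETH_* intend is not recoverable from the name */`. The switch and the function body continue outside the hunk, so a default branch could not be checked here.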
STRING_SAVE_COPY(cnt->name, cnt_name);
+#if 0
+ /* ========================================================
+ * NOTE:-
+ * Below parsing for tethering case is not in use
+ * stc-manager needs to ignore this for NFACCT_TETH_COUNTER
+ * this is disbaled for future use.
+ * =======================================================*/
+
//LCOV_EXCL_START
if (cnt->intend == NFACCT_TETH_COUNTER) {
char ifname_buf[MAX_IFACE_LENGTH];
return true;
}
//LCOV_EXCL_STOP
+#endif
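Review bot: Wrapping the tethering parse block in `#if 0` leaves dead code that the compiler never checks and that will silently rot, which is a point of style rather than correctness; if the block is kept for "future use" a named feature macro (e.g. `#ifdef STC_TETH_NAME_PARSE`) says why it is off and lets it be built on demand, otherwise deleting it and relying on version history is cleaner. The added comment also has a typo, `disbaled` → `disabled`. Inside the disabled region the LCOV_EXCL_START/STOP markers are now pointless and could go with it. The enclosing function continues outside the hunk.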
io_part = strtok_r(name, "_", &save_ptr);
if (io_part != NULL)
iptables_rule.nfacct_name = g_strdup(rule->name);
iptables_rule.ifname = g_strdup(rule->ifname);
iptables_rule.target = g_strdup(get_iptables_jump(rule->jump));
- iptables_rule.chain = g_strdup(get_iptables_chain(rule->iotype));
+
+ /* In case of tehering rules use chain 'STC_TETHER' */
+ if (rule->intend == NFACCT_TETH_COUNTER ||
+ rule->intend == NFACCT_TETH_ALLOW ||
+ rule->intend == NFACCT_TETH_BLOCK)
+ iptables_rule.chain = g_strdup(STC_TETHER_CHAIN);
+ else
+ iptables_rule.chain = g_strdup(get_iptables_chain(rule->iotype));
+
iptables_rule.classid = rule->classid;
- iptables_rule.direction = (rule->iotype & NFACCT_COUNTER_IN) ? 0 : 1;
+ iptables_rule.direction = (rule->iotype & NFACCT_COUNTER_IN) ?
+ IPTABLES_DIRECTION_IN : IPTABLES_DIRECTION_OUT;
iptype = (iptables_ip_type_e)rule->iptype;
+ /* specify the ip range type for source and destination */
+ iptables_rule.s_iprange_type = rule->src_iprange_type;
+ iptables_rule.d_iprange_type = rule->dst_iprange_type;
+
+ /* specify source and destination ip address if any */
+ if (rule->src_ip1) {
+ if (!inet_aton(rule->src_ip1, &iptables_rule.s_ip1))
+ STC_LOGE("Failed to inet aton [%s]", rule->src_ip1);
+ }
+ if (rule->src_ip2) {
+ if (!inet_aton(rule->src_ip2, &iptables_rule.s_ip2))
+ STC_LOGE("Failed to inet aton [%s]", rule->src_ip2);
+ }
+ if (rule->dst_ip1) {
+ if (!inet_aton(rule->dst_ip1, &iptables_rule.d_ip1))
+ STC_LOGE("Failed to inet aton [%s]", rule->dst_ip1);
+ }
+ if (rule->dst_ip2) {
+ if (!inet_aton(rule->dst_ip2, &iptables_rule.d_ip2))
+ STC_LOGE("Failed to inet aton [%s]", rule->dst_ip2);
+ }
+
if (rule->action == NFACCT_ACTION_DELETE) {
/* delete interface rule */
ret = iptables_remove(&iptables_rule, iptype);
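Review bot: Each of the four `inet_aton` failures at L74–L87 only logs and then falls through, so a rule whose address string is malformed is still handed to iptables_remove/iptables_add with whatever `iptables_rule.s_ip1`/`d_ip1` etc. happened to hold; if `iptables_rule` is not zero-initialised earlier in the function (its declaration is outside the hunk) that field is indeterminate, and if it is, the rule matches 0.0.0.0, which for a block/allow rule is a much broader match than intended. A malformed address should fail the rule rather than be applied, and since the same four lines repeat, a small helper keeps that in one place; the early return has to release the `g_strdup`'d fields assigned at L50–L61 first, which the hunk does not show. I have assumed the function returns `stc_error_e` like its `ret`. The comment at L55 also has a typo, `tehering` → `tethering`.
```c
/* Parse an optional dotted-quad into *out; NULL means "not set" and is not
 * an error, an unparsable string is logged and reported as failure. */
static bool parse_rule_ip(const char *text, struct in_addr *out)
{
	if (text == NULL)
		return true;
	if (!inet_aton(text, out)) {
		STC_LOGE("Failed to inet aton [%s]", text);
		return false;
	}
	return true;
}

/* … unchanged: chain / direction / iprange_type setup … */
	if (!parse_rule_ip(rule->src_ip1, &iptables_rule.s_ip1) ||
	    !parse_rule_ip(rule->src_ip2, &iptables_rule.s_ip2) ||
	    !parse_rule_ip(rule->dst_ip1, &iptables_rule.d_ip1) ||
	    !parse_rule_ip(rule->dst_ip2, &iptables_rule.d_ip2)) {
		/* free the g_strdup'd nfacct_name/ifname/target/chain here */
		return STC_ERROR_FAIL;
	}
```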
char *set_cmd = get_iptables_cmd(rule->action);
char *jump_cmd = get_iptables_jump(rule->jump);
char nfacct_buf[sizeof(NFACCT_NAME_MOD) +
- 3*MAX_DEC_SIZE(int) + 4];
+ 3*MAX_DEC_SIZE(int) + 4 + 1];
stc_error_e ret = STC_ERROR_NONE;
+ uint32_t classid = rule->classid;
/* income part */
if (rule->iotype & NFACCT_COUNTER_IN) {
ret_value_msg_if(ret > sizeof(nfacct_buf) || ret < 0,
STC_ERROR_FAIL, "Not enought buffer");
+ /* cgroup extention on FORWARD chain are not allowed
+ * remove classid info in case of tethering rules */
+ if (rule->intend == NFACCT_TETH_COUNTER ||
+ rule->intend == NFACCT_TETH_ALLOW ||
+ rule->intend == NFACCT_TETH_BLOCK) {
+ classid = rule->classid;
+ rule->classid = 0;
+ }
+
ret = exec_iptables_cmd(rule);
+
+ /* restore the classid info in case of tethering rule */
+ if (rule->intend == NFACCT_TETH_COUNTER ||
+ rule->intend == NFACCT_TETH_ALLOW ||
+ rule->intend == NFACCT_TETH_BLOCK)
+ rule->classid = classid;
+
ret_value_msg_if(ret != STC_ERROR_NONE, STC_ERROR_FAIL,
"Can't set conditional block for ingress"
" traffic, for classid %u, cmd %s, j %s",
ret_value_msg_if(ret > sizeof(nfacct_buf) || ret < 0,
STC_ERROR_FAIL, "Not enought buffer");
+ /* cgroup extention on FORWARD chain are not allowed
+ * remove classid info in case of tethering rules */
+ if (rule->intend == NFACCT_TETH_COUNTER ||
+ rule->intend == NFACCT_TETH_ALLOW ||
+ rule->intend == NFACCT_TETH_BLOCK) {
+ classid = rule->classid;
+ rule->classid = 0;
+ }
+
ret = exec_iptables_cmd(rule);
+
+ /* restore the classid info in case of tethering rule */
+ if (rule->intend == NFACCT_TETH_COUNTER ||
+ rule->intend == NFACCT_TETH_ALLOW ||
+ rule->intend == NFACCT_TETH_BLOCK)
+ rule->classid = classid;
+
ret_value_msg_if(ret != STC_ERROR_NONE, STC_ERROR_FAIL,
"Can't set conditional block for engress"
" traffic, for classid %u, cmd %s, j %s",
char *set_cmd = get_iptables_cmd(rule->action);
char *jump_cmd = get_iptables_jump(rule->jump);
char nfacct_buf[sizeof(NFACCT_NAME_MOD) +
- 3*MAX_DEC_SIZE(int) + 4];
+ 3*MAX_DEC_SIZE(int) + 4 + 1];
uint32_t classid = rule->classid;
stc_error_e ret;
STRING_SAVE_COPY(counter->ifname, iftype_name);
}
- if (counter->intend == NFACCT_WARN)
+ if (counter->intend == NFACCT_WARN ||
+ counter->intend == NFACCT_TETH_WARN)
warn_symbol = 'w';
- else if (counter->intend == NFACCT_BLOCK)
+ else if (counter->intend == NFACCT_BLOCK ||
+ counter->intend == NFACCT_TETH_BLOCK)
warn_symbol = 'r';
+ else if (counter->intend == NFACCT_ALLOW ||
+ counter->intend == NFACCT_TETH_ALLOW)
+ warn_symbol = 'a';
+ else if (counter->intend == NFACCT_TETH_COUNTER)
+ warn_symbol = 't';
snprintf(counter->name, NFACCT_NAME_MAX, "%c%d_%d_%d_%s",
warn_symbol, counter->iotype, counter->iftype,
counter->classid, counter->ifname);