For ipv6 we need 1 entry per client, so 64 seems like plenty,
while for ipv4 we need 1 entry per flow, so even 1024 seems
like it might not be enough, but it's much better than 64.
Nucca says:
# cat proc/sys/net/netfilter/nf_conntrack_buckets
65536
# cat proc/sys/net/netfilter/nf_conntrack_max
262144
per https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt
the default “nf_conntrack_max” is “nf_conntrack_buckets * 4”.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ib7d1d8c19bc688c442d842cf5c9f45cdf1241754
A caller can mostly already do this via forEach(), but having a
specific method is faster (since the code does not need to read
the value) and easier to use.
The semantics of this method (e.g., ignore ENOENT while deleting
a key, but throw on any other error) match those of the native
BpfMap::clear method.
Test: new unit tests
Change-Id: I5cd32efd0f87c823cd2d0a2fa3a95a83093fb6f9
because it is not appropriate for use in XDP programs
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ibd5dac9676bae7aa5f10fbcfd777291f72bec819
and more importantly unconditionally. This requires less effort
on the part of the in-kernel bpf verifier.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ibaa94bf096fc81c4d984dfabf515131b1c81ef09
Currently, this is the default so this is a no-op,
But the default is changing to true.
Bug: 180375550
Test: Treehugger
Change-Id: Ib841e474ab2b2ff2b54c160bb06c3bbbeea92675
We've backported the necessary support to all 4.14+ ACK kernels,
but we can't actually enforce that these changes will be picked
up by all devices. Thus we can only make the full featured
implementations optional on [4.14..5.8) kernels, with a tcp-only
version for those 4.14+ devices where the full featured version
fails to load.
Note: there's still a fair bit of implementation work left
in the do_forward4() function itself. This is really just
the skeleton.
Test: atest, TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: If78123e00d55a77f2ecd7da1547581797e23f9b2
This will facilitate providing a tcp-only version of the programs
which due to TCP's very long timeouts will not need to use the
Linux 5.8+ bpf_ktime_get_boot_ns() helpers.
Test: atest, TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1e49b6758d3754782ac6f8820e0c15aa20e4c61d
As this is the actual version that is required,
ie. the version that supports bpf_ktime_get_boot_ns() helper.
Test: atest, TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I2ea4830597a0bed53950a5d0c483a47208959f35
The tethering module uses JNI in various classes, but only calls
System.loadLibrary in TetheringService#makeTethering. This means
that:
1. Any test that uses a class that uses JNI must load the
library itself.
2. Any code that runs before TetheringService#makeTethering could
potentially crash if it uses JNI. We may never have such code
though.
Instead, make every class that has a native method load the JNI
library itself at static initialization time. This guarantees
that the class will have the JNI code available in any context
(production, test, etc.)
System.loadLibrary is documented not to do anything if called
more than once with the same library name:
https://docs.oracle.com/javase/7/docs/api/java/lang/Runtime.html#loadLibrary(java.lang.String)
and the implementation has a lock so it is safe to call from
multiple threads concurrently.
Test: builds, boots, tethering starts
Test: atest TetheringCoverageTests
Change-Id: I9c0147ae9a28877f416aaff387b426d304ae552d
This CL adds the counters collected by the tethering programs to
the output of "dumpsys tethering bpf". The counter names are
fetched by JNI code at startup and then read by the debugging
code on demand.
Example from my device:
Forwarding errors:
TCP_CONTROL_PACKET: 67
NON_GLOBAL_SRC: 13
NON_GLOBAL_DST: 17
LOCAL_SRC_DST: 7
Test: manual (debug-only code)
Change-Id: I7ec7992612556a4bca5f1b6bb52c655d6d870201
Currently, the dump methods open BpfMap objects and never close
them. This leaks filedescriptors, and if dump is called often
enough, will crash the networkstack process.
Fix this by using try-with-resources statements that
automatically close the map when exiting the try block.
Change the signature of BpfMap#close from "throws Exception" to
"throws ErrnoException" since it does not throw any other type
of checked exceptions.
Test: "lsof | grep network_st" while running "dumpsys tethering bpf" in a loop
Change-Id: I66c407454c2715bf41bf3a2e81bd582f9ea5a905
