LCA14: LCA14-503: Android Upstreaming: Status, Netfilter & open discussion

Post on 10-May-2015


description

Resource: LCA14
Name: LCA14-503: Android Upstreaming: Status, Netfilter & open discussion
Date: 07-03-2014
Speaker: John Stultz & Mathieu Poirier
Video: https://www.youtube.com/watch?v=PyHdw-VReFM
Website: http://www.linaro.org/
Linaro Connect: http://connect.linaro.org/
Slide: https://www.slideshare.net/linaroorg/lca14-503-androidupstreamingstatusnetfilteropendiscussion

transcript

John Stultz & Mathieu Poirier, LCA14-503, Macau

Android Upstreaming: Netfilter, Status & Discussion

Overview

• Mathieu will cover his recent Netfilter work
• General status on Android Upstreaming
• Open discussion

Android Netfilter Changes
Mathieu Poirier

Netfilter requirements for Android
• Capture traffic per application and service
• Distinguish between data streams (downloads, video, chat, …)
• Support the notion of quotas.
• Allow 3rd party applications to track and collect their own data.

Current solution:
3 netfilter modules:
• xt_qtaguid (quota, tag, uid)
• xt_quota2
• xt_idletimer

xt_qtaguid
• Quota, socket tagging, UID tracking
• Tracks all ingress/egress packets
• Tracks all interface statistics
• Let applications tag and delegate their own sockets
• Count SKB against looked-up TAG+UID
• Replaces “drivers/misc/uid_stats.c”

xt_quota2 and xt_IDLETIMER

xt_quota2
• Imported from xtables-addons
• Add quotas to iptables rules
• Send uevent on quota hit

xt_IDLETIMER
• Help ConnectivityService deal with quiet interfaces
• Keeps track of interfaces coming online.
• (I need to read more on this)

Why it can’t go upstream?
• xt_qtaguid does a lot of things that should be better handled in userspace.
• xt_quota2 duplicates functionality already in place in the nfaccounting framework.
• xt_IDLETIMER may no longer be needed - need to review when the above two are dealt with.

Suggested proposal
• Use NFQUEUE to replace xt_qtaguid (JPA at Google)
  • Initial concerns about efficiency but Eric Dumazet assured it wouldn’t be a problem at Linux Plumbers in New Orleans last year.
• Extend xt_nfacct with quota capabilities to replace xt_quota2 (Linaro)

Work done at Linaro
• Enhance xt_nfacct.c with quota capabilities
• Enhance iptables with the capability to define packet/byte quotas for “-m nfacct”
• Port userspace tool “nfacct” from “libnfnl” to “libnl2.0”.
• Add a broadcast group to inform userspace of quota attainment.

Where is the code?

xt_nfacct enhancements:
http://marc.info/?l=netfilter-devel&m=139084250124821&w=2

iptables additions:
https://git.linaro.org/people/mathieu.poirier/iptables.git

Port of nfacct application to libnl2.0:
http://android.git.linaro.org/gitweb?p=platform/external/nfacct.git;a=summary (linaro)

Current Status (Linaro)
• Port of nfacct to libnl2.0 is done and pushed to AOSP.
• Iptables changes are considered done - may need minor tweaks based on pending upstream merge of xt_nfacct changes.
• xt_nfacct is currently considered for review by the upstream community.
• Found a problem with nfnetlink accounting - fixing the issue may introduce a delay.
• Hopefully accepted in 3.15; 3.16 is a more likely target.
• JP’s investigation has been stalled by an internal project - we may have to pick up the work but are reluctant based on heavy coupling with Android userspace.
• JP’s investigation on nfqueue has been stalled by internal projects (android64).
• The new full libnl2.0 doesn’t work with wpa_supplicant - something they need to look into.
• Delays in getting xt_nfacct changes accepted don’t matter because of this issue.
• Integration of nfacct with BandwidthController not started.
• Getting libnl2.0 working is top priority because it solves other issues with the current libnl.

Current Status (Google)

Android Upstreaming Status
John Stultz

Recent accomplishments

3.12:
• key reset upstreaming completed
• powersupply wakeup_source enablement merged
• binder type cleanups for 64bits

3.13:
• MMC power management improvements merged
• RTC wakeup_source enablement merged

3.14:
• ION cleaned up and merged in staging

AOSP:
• binder 64bit abi rework

Community accomplishments

3.14:
• Functionfs support for configfs

ongoing:
• dma-buf sync

And of course more...

Linaro.Android branch maintenance

Maintain the AOSP tree forward ported against Linus’ HEAD + a few extra fixes.
• linaro.android-3.12-merge
• linaro.android-3.13-merge
• linaro.android-3.14-merge

Maintain linaro-specific fixes for LSK
• linaro.android-3.10-lsk

Current delta (3.14-rc1)

3.14-rc1 vs linaro.android-3.14-merge:

b/net/netfilter/xt_qtaguid.c             | 3021 ++++++++++++++++++++++++
b/drivers/usb/gadget/android.c           | 1566 ++++++++++++
b/arch/arm/common/fiq_debugger.c         | 1376 ++++++++++
b/drivers/cpufreq/cpufreq_interactive.c  | 1343 ++++++++++
b/drivers/usb/gadget/f_mtp.c             | 1285 ++++++++++
b/drivers/usb/gadget/f_accessory.c       | 1180 +++++++++
b/drivers/video/adf/adf.c                | 1166 +++++++++
b/drivers/video/adf/adf_fops.c           |  957 +++++++
b/drivers/staging/android/binder.c       |  867 +++++-
b/drivers/usb/gadget/f_audio_source.c    |  828 ++++++
b/drivers/video/adf/adf_client.c         |  810 ++++++
b/arch/arm/kernel/etm.c                  |  678 ++++-
b/drivers/video/adf/adf_fbdev.c          |  651 +++++
b/net/netfilter/xt_qtaguid_print.c       |  566 ++++
...
292 files changed, 30024 insertions(+), 1234 deletions(-)

3.10-stable vs android-3.10:
354 files changed, 35472 insertions(+), 1422 deletions(-)

3.4-stable vs android-3.4:
1265 files changed, 148684 insertions(+), 5934 deletions(-)

Next areas of focus

• ETM/ETB
• Android Gadget -> ConfigFS Gadget
• FIQ_Debugger
• ADF

Continuing work
• Netfilter
• ION / dmabuf allocation helpers
• Volatile Ranges
• Get ashmem out of staging
• Influence KDBUS development
  • Unlikely to be a binder replacement as hoped
  • Try to find areas where code can be shared
  • Fair amount of memfd/ashmem overlap
• Continue to help with the Juice project
• Helping Android userland take advantage of upstreamed solutions
  • mempressure notifiers
  • sysrq-keyreset
  • etc

Thank yous!

• Takahiro Akashi
• Serban Constantinescu
• Ulf Hansson
• Zoran Markovic
• Mathieu Poirier
• Jakub Pavelek

Open Discussion

• Netfilter related questions?

• What are specific kernel related pain-points for Android device development?

• Is anyone looking at ADF for their devices yet?

• Any adjustments in focus we need?

• Extra resources?

More about Linaro Connect: http://connect.linaro.org
More about Linaro: http://www.linaro.org/about/
More about Linaro engineering: http://www.linaro.org/engineering/
Linaro members: www.linaro.org/members