Loading Android.bp +1 −0 Original line number Diff line number Diff line Loading @@ -230,6 +230,7 @@ cc_library { "libprotobuf-cpp-lite", "libstatslog_resolv", "libsysutils", "libutils", "netd_event_listener_interface-lateststable-ndk", "server_configurable_flags", "stats_proto", Loading Dns64Configuration.cpp +10 −7 Original line number Diff line number Diff line Loading @@ -24,6 +24,7 @@ #include <netdutils/DumpWriter.h> #include <netdutils/InternetAddresses.h> #include <netdutils/ThreadUtil.h> #include <utils/StrongPointer.h> #include <thread> #include <utility> Loading @@ -36,6 +37,7 @@ namespace android { using android::sp; using netdutils::DumpWriter; using netdutils::IPAddress; using netdutils::IPPrefix; Loading @@ -61,8 +63,9 @@ void Dns64Configuration::startPrefixDiscovery(unsigned netId) { // Emplace a copy of |cfg| in the map. mDns64Configs.emplace(std::make_pair(netId, cfg)); const sp<Dns64Configuration> thiz = sp<Dns64Configuration>::fromExisting(this); // Note that capturing |cfg| in this lambda creates a copy. std::thread discovery_thread([this, cfg, netId] { std::thread discovery_thread([thiz, cfg, netId] { setThreadName(fmt::format("Nat64Pfx_{}", netId)); // Make a mutable copy rather than mark the whole lambda mutable. Loading @@ -75,28 +78,28 @@ void Dns64Configuration::startPrefixDiscovery(unsigned netId) { .build(); while (true) { if (!this->shouldContinueDiscovery(evalCfg)) break; if (!thiz->shouldContinueDiscovery(evalCfg)) break; android_net_context netcontext{}; mGetNetworkContextCallback(evalCfg.netId, 0, &netcontext); thiz->mGetNetworkContextCallback(evalCfg.netId, 0, &netcontext); // Prefix discovery must bypass private DNS because in strict mode // the server generally won't know the NAT64 prefix. netcontext.flags |= NET_CONTEXT_FLAG_USE_LOCAL_NAMESERVERS; if (doRfc7050PrefixDiscovery(netcontext, &evalCfg)) { this->recordDns64Config(evalCfg); thiz->recordDns64Config(evalCfg); break; } if (!this->shouldContinueDiscovery(evalCfg)) break; if (!thiz->shouldContinueDiscovery(evalCfg)) break; if (!backoff.hasNextTimeout()) break; { std::unique_lock<std::mutex> cvGuard(mMutex); std::unique_lock<std::mutex> cvGuard(thiz->mMutex); // TODO: Consider some chrono math, combined with wait_until() // perhaps, to prevent early re-resolves from the removal of // other netids with IPv6-only nameservers. mCv.wait_for(cvGuard, backoff.getNextTimeout()); thiz->mCv.wait_for(cvGuard, backoff.getNextTimeout()); } } }); Loading Dns64Configuration.h +2 −1 Original line number Diff line number Diff line Loading @@ -27,6 +27,7 @@ #include <android-base/thread_annotations.h> #include <netdutils/DumpWriter.h> #include <netdutils/InternetAddresses.h> #include <utils/RefBase.h> struct android_net_context; Loading @@ -48,7 +49,7 @@ namespace net { * Thread-safety: All public methods in this class MUST be thread-safe. * (In other words: this class handles all its locking privately.) */ class Dns64Configuration { class Dns64Configuration : virtual public RefBase { public: // Simple data struct for passing back packet NAT64 prefix event information to the // Dns64PrefixCallback callback. Loading DnsProxyListener.cpp +4 −5 Original line number Diff line number Diff line Loading @@ -70,20 +70,19 @@ using std::span; namespace android { using netdutils::MAX_QUERIES_IN_TOTAL; using netdutils::MAX_QUERIES_PER_UID; using netdutils::ResponseCode; using netdutils::Stopwatch; namespace net { namespace { // Limits the number of outstanding DNS queries by client UID. constexpr int MAX_QUERIES_PER_UID = 256; android::netdutils::OperationLimiter<uid_t> queryLimiter(MAX_QUERIES_PER_UID); bool startQueryLimiter(uid_t uid) { const int globalLimit = android::net::Experiments::getInstance()->getFlag("max_queries_global", INT_MAX); const int globalLimit = android::net::Experiments::getInstance()->getFlag("max_queries_global", MAX_QUERIES_IN_TOTAL); return queryLimiter.start(uid, globalLimit); } Loading OperationLimiter.h +7 −2 Original line number Diff line number Diff line Loading @@ -28,6 +28,11 @@ namespace android { namespace netdutils { // Limits the number of outstanding DNS queries by client UID. constexpr int MAX_QUERIES_PER_UID = 256; // Limits the total number of outstanding DNS queries. constexpr int MAX_QUERIES_IN_TOTAL = 2500; // Tracks the number of operations in progress on behalf of a particular key or // ID, rejecting further attempts to start new operations after a configurable // limit has been reached. Loading Loading @@ -56,11 +61,11 @@ class OperationLimiter { // // Note: each successful start(key) must be matched by exactly one call to // finish(key). bool start(KeyType key, int globalLimit = INT_MAX) EXCLUDES(mMutex) { bool start(KeyType key, int globalLimit = MAX_QUERIES_IN_TOTAL) EXCLUDES(mMutex) { std::lock_guard lock(mMutex); if (globalLimit < mLimitPerKey) { LOG(ERROR) << "Misconfiguration on max_queries_global " << globalLimit; globalLimit = INT_MAX; globalLimit = MAX_QUERIES_IN_TOTAL; } if (mGlobalCounter >= globalLimit) { // Oh, no! Loading Loading
Android.bp +1 −0 Original line number Diff line number Diff line Loading @@ -230,6 +230,7 @@ cc_library { "libprotobuf-cpp-lite", "libstatslog_resolv", "libsysutils", "libutils", "netd_event_listener_interface-lateststable-ndk", "server_configurable_flags", "stats_proto", Loading
Dns64Configuration.cpp +10 −7 Original line number Diff line number Diff line Loading @@ -24,6 +24,7 @@ #include <netdutils/DumpWriter.h> #include <netdutils/InternetAddresses.h> #include <netdutils/ThreadUtil.h> #include <utils/StrongPointer.h> #include <thread> #include <utility> Loading @@ -36,6 +37,7 @@ namespace android { using android::sp; using netdutils::DumpWriter; using netdutils::IPAddress; using netdutils::IPPrefix; Loading @@ -61,8 +63,9 @@ void Dns64Configuration::startPrefixDiscovery(unsigned netId) { // Emplace a copy of |cfg| in the map. mDns64Configs.emplace(std::make_pair(netId, cfg)); const sp<Dns64Configuration> thiz = sp<Dns64Configuration>::fromExisting(this); // Note that capturing |cfg| in this lambda creates a copy. std::thread discovery_thread([this, cfg, netId] { std::thread discovery_thread([thiz, cfg, netId] { setThreadName(fmt::format("Nat64Pfx_{}", netId)); // Make a mutable copy rather than mark the whole lambda mutable. Loading @@ -75,28 +78,28 @@ void Dns64Configuration::startPrefixDiscovery(unsigned netId) { .build(); while (true) { if (!this->shouldContinueDiscovery(evalCfg)) break; if (!thiz->shouldContinueDiscovery(evalCfg)) break; android_net_context netcontext{}; mGetNetworkContextCallback(evalCfg.netId, 0, &netcontext); thiz->mGetNetworkContextCallback(evalCfg.netId, 0, &netcontext); // Prefix discovery must bypass private DNS because in strict mode // the server generally won't know the NAT64 prefix. netcontext.flags |= NET_CONTEXT_FLAG_USE_LOCAL_NAMESERVERS; if (doRfc7050PrefixDiscovery(netcontext, &evalCfg)) { this->recordDns64Config(evalCfg); thiz->recordDns64Config(evalCfg); break; } if (!this->shouldContinueDiscovery(evalCfg)) break; if (!thiz->shouldContinueDiscovery(evalCfg)) break; if (!backoff.hasNextTimeout()) break; { std::unique_lock<std::mutex> cvGuard(mMutex); std::unique_lock<std::mutex> cvGuard(thiz->mMutex); // TODO: Consider some chrono math, combined with wait_until() // perhaps, to prevent early re-resolves from the removal of // other netids with IPv6-only nameservers. mCv.wait_for(cvGuard, backoff.getNextTimeout()); thiz->mCv.wait_for(cvGuard, backoff.getNextTimeout()); } } }); Loading
Dns64Configuration.h +2 −1 Original line number Diff line number Diff line Loading @@ -27,6 +27,7 @@ #include <android-base/thread_annotations.h> #include <netdutils/DumpWriter.h> #include <netdutils/InternetAddresses.h> #include <utils/RefBase.h> struct android_net_context; Loading @@ -48,7 +49,7 @@ namespace net { * Thread-safety: All public methods in this class MUST be thread-safe. * (In other words: this class handles all its locking privately.) */ class Dns64Configuration { class Dns64Configuration : virtual public RefBase { public: // Simple data struct for passing back packet NAT64 prefix event information to the // Dns64PrefixCallback callback. Loading
DnsProxyListener.cpp +4 −5 Original line number Diff line number Diff line Loading @@ -70,20 +70,19 @@ using std::span; namespace android { using netdutils::MAX_QUERIES_IN_TOTAL; using netdutils::MAX_QUERIES_PER_UID; using netdutils::ResponseCode; using netdutils::Stopwatch; namespace net { namespace { // Limits the number of outstanding DNS queries by client UID. constexpr int MAX_QUERIES_PER_UID = 256; android::netdutils::OperationLimiter<uid_t> queryLimiter(MAX_QUERIES_PER_UID); bool startQueryLimiter(uid_t uid) { const int globalLimit = android::net::Experiments::getInstance()->getFlag("max_queries_global", INT_MAX); const int globalLimit = android::net::Experiments::getInstance()->getFlag("max_queries_global", MAX_QUERIES_IN_TOTAL); return queryLimiter.start(uid, globalLimit); } Loading
OperationLimiter.h +7 −2 Original line number Diff line number Diff line Loading @@ -28,6 +28,11 @@ namespace android { namespace netdutils { // Limits the number of outstanding DNS queries by client UID. constexpr int MAX_QUERIES_PER_UID = 256; // Limits the total number of outstanding DNS queries. constexpr int MAX_QUERIES_IN_TOTAL = 2500; // Tracks the number of operations in progress on behalf of a particular key or // ID, rejecting further attempts to start new operations after a configurable // limit has been reached. Loading Loading @@ -56,11 +61,11 @@ class OperationLimiter { // // Note: each successful start(key) must be matched by exactly one call to // finish(key). bool start(KeyType key, int globalLimit = INT_MAX) EXCLUDES(mMutex) { bool start(KeyType key, int globalLimit = MAX_QUERIES_IN_TOTAL) EXCLUDES(mMutex) { std::lock_guard lock(mMutex); if (globalLimit < mLimitPerKey) { LOG(ERROR) << "Misconfiguration on max_queries_global " << globalLimit; globalLimit = INT_MAX; globalLimit = MAX_QUERIES_IN_TOTAL; } if (mGlobalCounter >= globalLimit) { // Oh, no! Loading
