diff options
| author | Maciej Żenczykowski <maze@google.com> | 2019-02-26 03:10:06 -0800 |
|---|---|---|
| committer | android-build-merger <android-build-merger@google.com> | 2019-02-26 03:10:06 -0800 |
| commit | 6938ab6bbf9d67c78f4221a866624ea3a8fdd38e (patch) | |
| tree | 738791d82e3df6348ac1fb68db5613aa44ce4c15 | |
| parent | e7652f48047962929b221ebc11fc57070b32291e (diff) | |
| parent | 780b095473f0d4c1251d87c5fb3b01e98080bf4c (diff) | |
| download | iptables-android10-d4-release.tar.gz | |
Merge "Merge iptables at v1.6.1 tag" am: 5bcb582c97 am: 73f3d9a7a1android-mainline-10.0.0_r9android-mainline-10.0.0_r7android-mainline-10.0.0_r5android-mainline-10.0.0_r4android-mainline-10.0.0_r10android-10.0.0_r9android-10.0.0_r8android-10.0.0_r7android-10.0.0_r45android-10.0.0_r44android-10.0.0_r43android-10.0.0_r42android-10.0.0_r41android-10.0.0_r40android-10.0.0_r39android-10.0.0_r38android-10.0.0_r37android-10.0.0_r36android-10.0.0_r35android-10.0.0_r34android-10.0.0_r33android-10.0.0_r32android-10.0.0_r31android-10.0.0_r30android-10.0.0_r29android-10.0.0_r28android-10.0.0_r27android-10.0.0_r26android-10.0.0_r25android-10.0.0_r24android-10.0.0_r23android-10.0.0_r22android-10.0.0_r21android-10.0.0_r20android-10.0.0_r19android-10.0.0_r18android-10.0.0_r16android-10.0.0_r15android-10.0.0_r14android-10.0.0_r13android-10.0.0_r12android10-qpr3-s1-releaseandroid10-qpr3-releaseandroid10-qpr2-s4-releaseandroid10-qpr2-s3-releaseandroid10-qpr2-s2-releaseandroid10-qpr2-s1-releaseandroid10-qpr2-releaseandroid10-qpr1-releaseandroid10-qpr1-mainline-releaseandroid10-qpr1-d-releaseandroid10-qpr1-c-s1-releaseandroid10-qpr1-c-releaseandroid10-qpr1-b-s1-releaseandroid10-qpr1-b-releaseandroid10-mainline-media-releaseandroid10-devandroid10-d4-s1-releaseandroid10-d4-releaseandroid10-c2f2-s2-releaseandroid10-c2f2-s1-releaseandroid10-c2f2-release
am: 780b095473
Change-Id: I14e012f548700b774b98ea30e9026c6c4c1e30b9
| -rw-r--r-- | extensions/libxt_connbytes.c | 56 | ||||
| -rw-r--r-- | extensions/libxt_rpfilter.c | 26 | ||||
| -rw-r--r-- | iptables/ip6tables-save.c | 14 | ||||
| -rw-r--r-- | iptables/iptables-save.c | 14 | ||||
| -rw-r--r-- | iptables/nft-ipv4.c | 5 | ||||
| -rw-r--r-- | iptables/nft-ipv6.c | 5 |
6 files changed, 106 insertions, 14 deletions
diff --git a/extensions/libxt_connbytes.c b/extensions/libxt_connbytes.c index ed2ad25d..b57f0fc0 100644 --- a/extensions/libxt_connbytes.c +++ b/extensions/libxt_connbytes.c @@ -156,6 +156,61 @@ static void connbytes_save(const void *ip, const struct xt_entry_match *match) print_direction(sinfo); } + +static int connbytes_xlate(struct xt_xlate *xl, + const struct xt_xlate_mt_params *params) +{ + const struct xt_connbytes_info *info = (void *)params->match->data; + unsigned long long from, to; + bool invert = false; + + xt_xlate_add(xl, "ct "); + + switch (info->direction) { + case XT_CONNBYTES_DIR_ORIGINAL: + xt_xlate_add(xl, "original "); + break; + case XT_CONNBYTES_DIR_REPLY: + xt_xlate_add(xl, "reply "); + break; + case XT_CONNBYTES_DIR_BOTH: + break; + default: + return 0; + } + + switch (info->what) { + case XT_CONNBYTES_PKTS: + xt_xlate_add(xl, "packets "); + break; + case XT_CONNBYTES_BYTES: + xt_xlate_add(xl, "bytes "); + break; + case XT_CONNBYTES_AVGPKT: + xt_xlate_add(xl, "avgpkt "); + break; + default: + return 0; + } + + if (info->count.from > info->count.to) { + invert = true; + from = info->count.to; + to = info->count.from; + } else { + to = info->count.to; + from = info->count.from; + } + + if (from == to) + xt_xlate_add(xl, "%llu", from); + else if (to == UINT64_MAX) + xt_xlate_add(xl, "%s %llu", invert ? "lt" : "ge", from); + else + xt_xlate_add(xl, "%s%llu-%llu", invert ? "!= " : "", from, to); + return 1; +} + static struct xtables_match connbytes_match = { .family = NFPROTO_UNSPEC, .name = "connbytes", @@ -167,6 +222,7 @@ static struct xtables_match connbytes_match = { .save = connbytes_save, .x6_parse = connbytes_parse, .x6_options = connbytes_opts, + .xlate = connbytes_xlate, }; void _init(void) diff --git a/extensions/libxt_rpfilter.c b/extensions/libxt_rpfilter.c index 168e703f..d166baa2 100644 --- a/extensions/libxt_rpfilter.c +++ b/extensions/libxt_rpfilter.c @@ -77,6 +77,31 @@ static void rpfilter_save(const void *ip, const struct xt_entry_match *match) return rpfilter_print_prefix(ip, match->data, "--"); } +static int rpfilter_xlate(struct xt_xlate *xl, + const struct xt_xlate_mt_params *params) +{ + const struct xt_rpfilter_info *info = (void *)params->match->data; + bool invert = info->flags & XT_RPFILTER_INVERT; + + if (info->flags & XT_RPFILTER_ACCEPT_LOCAL) { + if (invert) + xt_xlate_add(xl, "fib saddr type != local "); + else + return 0; + } + + xt_xlate_add(xl, "fib saddr "); + + if (info->flags & XT_RPFILTER_VALID_MARK) + xt_xlate_add(xl, ". mark "); + if (!(info->flags & XT_RPFILTER_LOOSE)) + xt_xlate_add(xl, ". iif "); + + xt_xlate_add(xl, "oif %s0", invert ? "" : "!= "); + + return 1; +} + static struct xtables_match rpfilter_match = { .family = NFPROTO_UNSPEC, .name = "rpfilter", @@ -88,6 +113,7 @@ static struct xtables_match rpfilter_match = { .save = rpfilter_save, .x6_parse = rpfilter_parse, .x6_options = rpfilter_opts, + .xlate = rpfilter_xlate, }; void _init(void) diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c index f35e921e..053413a9 100644 --- a/iptables/ip6tables-save.c +++ b/iptables/ip6tables-save.c @@ -35,10 +35,16 @@ static int for_each_table(int (*func)(const char *tablename)) int ret = 1; FILE *procfile = NULL; char tablename[XT_TABLE_MAXNAMELEN+1]; - - procfile = fopen("/proc/net/ip6_tables_names", "re"); - if (!procfile) - return ret; + static const char filename[] = "/proc/net/ip6_tables_names"; + + procfile = fopen(filename, "re"); + if (!procfile) { + if (errno == ENOENT) + return ret; + fprintf(stderr, "Failed to list table names in %s: %s\n", + filename, strerror(errno)); + exit(1); + } while (fgets(tablename, sizeof(tablename), procfile)) { if (tablename[strlen(tablename) - 1] != '\n') diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c index 238f368e..e8ae9c6c 100644 --- a/iptables/iptables-save.c +++ b/iptables/iptables-save.c @@ -33,10 +33,16 @@ static int for_each_table(int (*func)(const char *tablename)) int ret = 1; FILE *procfile = NULL; char tablename[XT_TABLE_MAXNAMELEN+1]; - - procfile = fopen("/proc/net/ip_tables_names", "re"); - if (!procfile) - return ret; + static const char filename[] = "/proc/net/ip_tables_names"; + + procfile = fopen(filename, "re"); + if (!procfile) { + if (errno == ENOENT) + return ret; + fprintf(stderr, "Failed to list table names in %s: %s\n", + filename, strerror(errno)); + exit(1); + } while (fgets(tablename, sizeof(tablename), procfile)) { if (tablename[strlen(tablename) - 1] != '\n') diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c index 52b1bed2..e5947a7c 100644 --- a/iptables/nft-ipv4.c +++ b/iptables/nft-ipv4.c @@ -489,12 +489,11 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl) /* Always add counters per rule, as in iptables */ xt_xlate_add(xl, "counter "); + ret = xlate_action(cs, !!(cs->fw.ip.flags & IPT_F_GOTO), xl); comment = xt_xlate_get_comment(xl); if (comment) - xt_xlate_add(xl, "comment %s", comment); - - ret = xlate_action(cs, !!(cs->fw.ip.flags & IPT_F_GOTO), xl); + xt_xlate_add(xl, " comment %s", comment); return ret; } diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c index c475b8e9..9cf4058f 100644 --- a/iptables/nft-ipv6.c +++ b/iptables/nft-ipv6.c @@ -438,12 +438,11 @@ static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl) /* Always add counters per rule, as in iptables */ xt_xlate_add(xl, "counter "); + ret = xlate_action(cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO), xl); comment = xt_xlate_get_comment(xl); if (comment) - xt_xlate_add(xl, "comment %s", comment); - - ret = xlate_action(cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO), xl); + xt_xlate_add(xl, " comment %s", comment); return ret; } |