author | Lorenzo Colitti <lorenzo@google.com> | 2017-03-10 09:55:04 +0900 |
---|---|---|
committer | Lorenzo Colitti <lorenzo@google.com> | 2017-03-22 17:13:12 +0900 |
commit | 2bf769bb24c2ecf2ffac37773c1656cc15b654dd (patch) | |
tree | 4400fe0ba9baae676633293796954b4061726d5d | |
parent | 1e95b6c9171061d950d0a76a1f39e1be3db6cb09 (diff) | |
Android-specific changes for upgrade to iptables-1.6.1.
The most important change here regards the iptables lock.
Upstream uses flock() to lock /run/xtables.lock, creating it if
it does not exist. Instead of putting the lock on a read-write
partition such as /data, which on some devices is mounted twice
during boot, add a zero-length file to /system/etc so we're
always locking the same file. strace shows that flock() succeeds
on this file even if /system is mounted readonly:
$ adb shell cat /proc/mounts | grep /system
/dev/block/platform/soc.0/f9824900.sdhci/by-name/system /system ext4 ro,seclabel,relatime,data=ordered,inode_readahead_blks=8 0 0
$ adb shell strace iptables -L -n -t nat 2>&1 | egrep "flock|xtables.lock"
openat(AT_FDCWD, "/system/etc/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3
flock(3, LOCK_EX|LOCK_NB) = 0
Also:
1. Don't compile the xt_cgroup module. This doesn't exist in our
current version, and it doesn't build due to a redefinition of
O_PATH.
2. Set HAVE_LINUX_PROC_FS_H since we have it.
3. Update version number.
4. Include time.h from xshared.h. This fixes the warning:
external/iptables/iptables/xshared.h:89:36: error:
declaration of 'struct timeval' will not be visible
outside of this function [-Werror,-Wvisibility]
This CL only contains changes to Android code.
Bug: 36108349
Test: bullhead builds and boots
Test: netd_{unit,integration} test passes
Test: iptables rules on boot are the same before and after change stack
Change-Id: I9fc172c76b820a0cb11ac72b83fc2ddd5b222545
-rw-r--r-- | Android.mk | 2 | ||||
-rw-r--r-- | README.version | 6 | ||||
-rw-r--r-- | config.h | 11 | ||||
-rw-r--r-- | extensions/Android.mk | 5 | ||||
-rw-r--r-- | include/iptables/internal.h | 2 | ||||
-rw-r--r-- | iptables/Android.mk | 19 | ||||
-rw-r--r-- | iptables/xshared.h | 1 | ||||
-rw-r--r-- | iptables/xtables.lock | 0 |
8 files changed, 30 insertions, 16 deletions
@@ -1,5 +1,3 @@
-BUILD_IPTABLES_V14 := 1
-
 LOCAL_PATH:= $(call my-dir)
 include $(call all-subdir-makefiles)
diff --git a/README.version b/README.version
index 84584bd5..74c158a5 100644
--- a/README.version
+++ b/README.version
@@ -1,3 +1,3 @@
-URL: ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.20.tar.bz2
-Version: 1.4.20
-BugComponent: 24950
+URL: git://git.netfilter.org/iptables
+Version: 1.6.1
+BugComponent: 31808
@@ -20,7 +20,7 @@
 #define HAVE_LINUX_MAGIC_H 1
 /* Define to 1 if you have the <linux/proc_fs.h> header file. */
-/* #undef HAVE_LINUX_PROC_FS_H */
+#define HAVE_LINUX_PROC_FS_H 1
 /* Define to 1 if you have the <memory.h> header file. */
 #define HAVE_MEMORY_H 1
@@ -63,7 +63,7 @@
 #define PACKAGE_NAME "iptables"
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "iptables 1.4.20"
+#define PACKAGE_STRING "iptables 1.6.1"
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "iptables"
@@ -72,7 +72,7 @@
 #define PACKAGE_URL ""
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "1.4.20"
+#define PACKAGE_VERSION "1.6.1"
 /* The size of `struct ip6_hdr', as computed by sizeof. */
 #define SIZEOF_STRUCT_IP6_HDR 40
@@ -81,4 +81,7 @@
 #define STDC_HEADERS 1
 /* Version number of package */
-#define VERSION "1.4.20"
+#define VERSION "1.6.1"
+
+/* Location of the iptables lock file */
+#define XT_LOCK_NAME "/system/etc/xtables.lock"
diff --git a/extensions/Android.mk b/extensions/Android.mk
index 2f949016..b41cf380 100644
--- a/extensions/Android.mk
+++ b/extensions/Android.mk
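Review bot: `XT_LOCK_NAME` hard-codes an absolute path that has to agree with where the `xtables.lock` prebuilt in iptables/Android.mk is installed (`$(TARGET_OUT)/etc` plus the module name), and nothing in either file records that coupling. The strace in the commit message shows the lock opened with `O_RDONLY|O_CREAT`, so on a read-only /system the file can only come from the build; if the prebuilt is ever dropped, the open presumably fails and with it every lock acquisition. Suggest widening the new comment to `/* Location of the iptables lock file. Must match the xtables.lock prebuilt installed by iptables/Android.mk: /system is normally read-only, so the file cannot be created at runtime. */` so the next person editing either side sees the dependency.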
@@ -4,7 +4,7 @@ LOCAL_PATH:= $(call my-dir)
 MY_srcdir:=$(LOCAL_PATH)
 # Exclude some modules that are problematic to compile (types/header).
-MY_excluded_modules:=TCPOPTSTRIP connlabel
+MY_excluded_modules:=TCPOPTSTRIP connlabel cgroup
 MY_pfx_build_mod := $(patsubst ${MY_srcdir}/libxt_%.c,%,$(sort $(wildcard ${MY_srcdir}/libxt_*.c)))
 MY_pf4_build_mod := $(patsubst ${MY_srcdir}/libipt_%.c,%,$(sort $(wildcard ${MY_srcdir}/libipt_*.c)))
@@ -19,7 +19,8 @@ MY_pf6_objs := $(patsubst %,libip6t_%.o,${MY_pf6_build_mod})
 MY_warnings := \
 -Wno-unused-parameter -Wno-missing-field-initializers \
 -Wno-sign-compare -Wno-pointer-arith \
- -Wno-pointer-bool-conversion
+ -Wno-pointer-bool-conversion \
+ -Wno-tautological-pointer-compare
 libext_suffix :=
 libext_prefix := xt
diff --git a/include/iptables/internal.h b/include/iptables/internal.h
index 82b4c36c..3b9013ab 100644
--- a/include/iptables/internal.h
+++ b/include/iptables/internal.h
@@ -1,7 +1,7 @@
 #ifndef IPTABLES_INTERNAL_H
 #define IPTABLES_INTERNAL_H 1
-#define IPTABLES_VERSION "1.4.20"
+#define IPTABLES_VERSION "1.6.1"
 /**
  * Program's own name and version.
diff --git a/iptables/Android.mk b/iptables/Android.mk
index a6f2ae6f..52ecc21f 100644
--- a/iptables/Android.mk
+++ b/iptables/Android.mk
@@ -9,13 +9,24 @@ commonFlags:= \
 -Werror
 #----------------------------------------------------------------
-# iptables
+# The iptables lock file
+include $(CLEAR_VARS)
+LOCAL_MODULE := xtables.lock
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc
+LOCAL_SRC_FILES := $(LOCAL_MODULE)
+
+include $(BUILD_PREBUILT)
+
+#----------------------------------------------------------------
+# iptables
 include $(CLEAR_VARS)
 LOCAL_C_INCLUDES:= \
- $(LOCAL_PATH)/../include/
+ $(LOCAL_PATH)/../include/ \
+ $(LOCAL_PATH)/../
 LOCAL_CFLAGS:=-DNO_SHARED_LIBS=1
 LOCAL_CFLAGS+=-DALL_INCLUSIVE
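Review bot: The new `cgroup` entry in `MY_excluded_modules` is added without recording why, and the existing comment only says "problematic to compile (types/header)". The commit message gives the actual reason (the current kernel version has no xt_cgroup and the module fails to build on a redefinition of O_PATH), which is exactly what someone needs when deciding whether the exclusion can be lifted after a kernel-header update. Suggest a line above the assignment: `# cgroup: not in our current kernel, and fails to build (O_PATH redefinition).`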
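Review bot: `-Wno-tautological-pointer-compare` is appended to `MY_warnings`, which is applied to every extension module, so it silences the check for all present and future extensions rather than the one that currently trips it. The warning flags a comparison of an address that can never be null, i.e. a check that is dead code, so the precise fix belongs in the offending extension source; if the blanket flag has to stay, it should name its reason so it can be removed later, e.g. `# needed by libxt_<EXTENSION-PLACEHOLDER>.c under clang; drop once that compare is fixed`. The @@ -9 hunk of iptables/Android.mk shows `-Werror` in commonFlags, so whether this file also builds with -Werror, and therefore needs the flag at all, is worth confirming.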
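Review bot: The `xtables.lock` prebuilt sets no file mode, so it is installed with whatever `BUILD_PREBUILT` applies to an ETC module, and flock() only needs an open descriptor: any process allowed to open /system/etc/xtables.lock for reading can take and hold the `LOCK_EX` shown in the commit message's strace, and every later iptables invocation then fails or waits until it is released. Upstream avoids this by creating /run/xtables.lock with mode 0600 on first use (the 0600 in the strace's openat only takes effect on creation, which never happens on a read-only /system), so the lock's availability now depends entirely on the DAC mode and SELinux policy of the prebuilt; confirm those restrict open() to the intended callers (presumably netd, given the tests listed) and record it here: `# Taken with flock(): any process able to open this file can hold the lock, so file mode/SELinux must limit it to the iptables callers.` Separately, `$(LOCAL_PATH)/../` is added to LOCAL_C_INCLUDES here and again in the @@ -52 hunk of this file; a shared variable next to commonFlags would keep the two executables in step.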
@@ -52,7 +63,8 @@ include $(BUILD_EXECUTABLE)
 include $(CLEAR_VARS)
 LOCAL_C_INCLUDES:= \
- $(LOCAL_PATH)/../include/
+ $(LOCAL_PATH)/../include/ \
+ $(LOCAL_PATH)/../
 LOCAL_CFLAGS:=-DNO_SHARED_LIBS=1
 LOCAL_CFLAGS+=-DALL_INCLUSIVE
@@ -84,5 +96,4 @@ LOCAL_NOTICE_FILE := $(LOCAL_PATH)/../NOTICE
 include $(BUILD_EXECUTABLE)
-
 #----------------------------------------------------------------
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 539e6c24..f8dc5278 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -6,6 +6,7 @@
 #include <stdint.h>
 #include <netinet/in.h>
 #include <net/if.h>
+#include <sys/time.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
diff --git a/iptables/xtables.lock b/iptables/xtables.lock
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/iptables/xtables.lock |