| 2bf769bb24c2ecf2ffac37773c1656cc15b654dd |
|
10-Mar-2017 |
Lorenzo Colitti <lorenzo@google.com> |
Android-specific changes for upgrade to iptables-1.6.1.
The most important change here regards the iptables lock.
Upstream uses flock() to lock /run/xtables.lock, creating it if
it does not exist. Instead of putting the lock on a read-write
partition such as /data, which on some devices is mounted twice
during boot, add a zero-length file to /system/etc so we're
always locking the same file. strace shows that flock() succeeds
on this file even if /system is mounted readonly:
$ adb shell cat /proc/mounts | grep /system
/dev/block/platform/soc.0/f9824900.sdhci/by-name/system /system ext4 ro,seclabel,relatime,data=ordered,inode_readahead_blks=8 0 0
$ adb shell strace iptables -L -n -t nat 2>&1 | egrep "flock|xtables.lock"
openat(AT_FDCWD, "/system/etc/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3
flock(3, LOCK_EX|LOCK_NB) = 0
Also:
1. Don't compile the xt_cgroup module. This doesn't exist in our
current version, and it doesn't build due to a redefinition of
O_PATH.
2. Set HAVE_LINUX_PROC_FS_H since we have it.
3. Update version number.
4. Include time.h from xshared.h. This fixes the warning:
external/iptables/iptables/xshared.h:89:36: error:
declaration of 'struct timeval' will not be visible
outside of this function [-Werror,-Wvisibility]
This CL only contains changes to Android code.
Bug: 36108349
Test: bullhead builds and boots
Test: netd_{unit,integration} test passes
Test: iptables rules on boot are the same before and after change stack
Change-Id: I9fc172c76b820a0cb11ac72b83fc2ddd5b222545
/external/iptables/config.h
|