static const char* RAW_PREROUTING[] = {
BandwidthController::LOCAL_RAW_PREROUTING,
IdletimerController::LOCAL_RAW_PREROUTING,
+ NatController::LOCAL_RAW_PREROUTING,
NULL,
};
const char* NatController::LOCAL_FORWARD = "natctrl_FORWARD";
const char* NatController::LOCAL_MANGLE_FORWARD = "natctrl_mangle_FORWARD";
const char* NatController::LOCAL_NAT_POSTROUTING = "natctrl_nat_POSTROUTING";
+const char* NatController::LOCAL_RAW_PREROUTING = "natctrl_raw_PREROUTING";
const char* NatController::LOCAL_TETHER_COUNTERS_CHAIN = "natctrl_tether_counters";
auto NatController::execFunction = android_fork_execvp;
{{IP6TABLES_PATH, "-w", "-F", LOCAL_FORWARD,}, 1},
{{IPTABLES_PATH, "-w", "-A", LOCAL_FORWARD, "-j", "DROP"}, 1},
{{IPTABLES_PATH, "-w", "-t", "nat", "-F", LOCAL_NAT_POSTROUTING}, 1},
+ {{IP6TABLES_PATH, "-w", "-t", "raw", "-F", LOCAL_RAW_PREROUTING}, 1},
};
for (unsigned int cmdNum = 0; cmdNum < ARRAY_SIZE(defaultCommands); cmdNum++) {
if (runCmd(ARRAY_SIZE(defaultCommands[cmdNum].cmd), defaultCommands[cmdNum].cmd) &&
LOCAL_TETHER_COUNTERS_CHAIN
};
+ const char *cmd4[] = {
+ IP6TABLES_PATH,
+ "-w",
+ "-t",
+ "raw",
+ add ? "-A" : "-D",
+ LOCAL_RAW_PREROUTING,
+ "-i",
+ intIface,
+ "-m",
+ "rpfilter",
+ "--invert",
+ "!",
+ "-s",
+ "fe80::/64",
+ "-j",
+ "DROP"
+ };
+
if (runCmd(ARRAY_SIZE(cmd2), cmd2) && add) {
// bail on error, but only if adding
rc = -1;
goto err_return;
}
+ // STOPSHIP: Make this an error.
+ if (runCmd(ARRAY_SIZE(cmd4), cmd4) && add && false /* STOPSHIP */) {
+ rc = -1;
+ goto err_rpfilter;
+ }
+
if (setTetherCountingRules(add, intIface, extIface) && add) {
rc = -1;
goto err_return;
return 0;
+err_rpfilter:
+ cmd3[2] = "-D";
+ runCmd(ARRAY_SIZE(cmd3), cmd3);
err_return:
cmd2[2] = "-D";
runCmd(ARRAY_SIZE(cmd2), cmd2);
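Review bot: The `&& false /* STOPSHIP */` on the `cmd4` check makes the new rpfilter guard a no-op: when adding, a failed insert of the `-m rpfilter --invert ! -s fe80::/64 -j DROP` rule is neither reported nor fatal, so tethering comes up on intIface without the anti-spoofing drop and the `goto err_rpfilter` is dead code. Until the STOPSHIP is resolved and the failure made fatal, it should at least be visible, e.g. `if (runCmd(ARRAY_SIZE(cmd4), cmd4) && add) { ALOGE("rpfilter rule for %s failed (STOPSHIP: make fatal)", intIface); }` (assuming this file logs through ALOGE like the rest of netd). Separately, the cleanup labels shown (`err_rpfilter` runs cmd3 with `-D`, `err_return` runs cmd2 with `-D`) never run cmd4 with `-D`, so if `setTetherCountingRules` fails after cmd4 succeeded the rpfilter rule appears to be left behind in raw PREROUTING; a `cmd4[4] = "-D"; runCmd(ARRAY_SIZE(cmd4), cmd4);` step reached from that failure would close the gap, unless the function already does this past the end of the hunk. The enclosing function starts and ends outside the hunk.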
static const char* LOCAL_FORWARD;
static const char* LOCAL_MANGLE_FORWARD;
static const char* LOCAL_NAT_POSTROUTING;
+ static const char* LOCAL_RAW_PREROUTING;
static const char* LOCAL_TETHER_COUNTERS_CHAIN;
// List of strings of interface pairs.
{ V4V6, "-F natctrl_FORWARD" },
{ V4, "-A natctrl_FORWARD -j DROP" },
{ V4, "-t nat -F natctrl_nat_POSTROUTING" },
+ { V6, "-t raw -F natctrl_raw_PREROUTING" },
};
const ExpectedIptablesCommands SETUP_COMMANDS = {
{ V4V6, "-F natctrl_FORWARD" },
{ V4, "-A natctrl_FORWARD -j DROP" },
{ V4, "-t nat -F natctrl_nat_POSTROUTING" },
+ { V6, "-t raw -F natctrl_raw_PREROUTING" },
{ V4V6, "-F natctrl_tether_counters" },
{ V4V6, "-X natctrl_tether_counters" },
{ V4V6, "-N natctrl_tether_counters" },
intIf, extIf) },
{ V4, StringPrintf("-A natctrl_FORWARD -i %s -o %s -g natctrl_tether_counters",
intIf, extIf) },
+ { V6, StringPrintf("-t raw -A natctrl_raw_PREROUTING -i %s -m rpfilter --invert"
+ " ! -s fe80::/64 -j DROP", intIf) },
{ V4V6, StringPrintf("-A natctrl_tether_counters -i %s -o %s -j RETURN",
intIf, extIf) },
{ V4V6, StringPrintf("-A natctrl_tether_counters -i %s -o %s -j RETURN",
intIf, extIf) },
{ V4, StringPrintf("-D natctrl_FORWARD -i %s -o %s -g natctrl_tether_counters",
intIf, extIf) },
+ { V6, StringPrintf("-t raw -D natctrl_raw_PREROUTING -i %s -m rpfilter --invert"
+ " ! -s fe80::/64 -j DROP", intIf) },
};
}
};