authorandroid-build-team Robot <android-build-team-robot@google.com>2019-02-27 04:05:03 +0000
committerandroid-build-team Robot <android-build-team-robot@google.com>2019-02-27 04:05:03 +0000
commitfde7e54806e247a5aa4a1b32ccf6450d2c4fb9a6 (patch)
tree738791d82e3df6348ac1fb68db5613aa44ce4c15
parent68f54f02f653b7b903221f97719cfb005e35ce5e (diff)
parent6938ab6bbf9d67c78f4221a866624ea3a8fdd38e (diff)
Snap for 5339364 from 6938ab6bbf9d67c78f4221a866624ea3a8fdd38e to qt-releaseandroid-vts-10.0_r9android-vts-10.0_r8android-vts-10.0_r7android-vts-10.0_r6android-vts-10.0_r5android-vts-10.0_r4android-vts-10.0_r3android-vts-10.0_r2android-vts-10.0_r16android-vts-10.0_r15android-vts-10.0_r14android-vts-10.0_r13android-vts-10.0_r12android-vts-10.0_r11android-vts-10.0_r10android-vts-10.0_r1android-security-10.0.0_r75android-security-10.0.0_r74android-security-10.0.0_r73android-security-10.0.0_r72android-security-10.0.0_r71android-security-10.0.0_r70android-security-10.0.0_r69android-security-10.0.0_r68android-security-10.0.0_r67android-security-10.0.0_r66android-security-10.0.0_r65android-security-10.0.0_r64android-security-10.0.0_r63android-security-10.0.0_r62android-security-10.0.0_r61android-security-10.0.0_r60android-security-10.0.0_r59android-security-10.0.0_r58android-security-10.0.0_r57android-security-10.0.0_r56android-security-10.0.0_r55android-security-10.0.0_r54android-security-10.0.0_r53android-security-10.0.0_r52android-security-10.0.0_r51android-security-10.0.0_r50android-security-10.0.0_r49android-security-10.0.0_r48android-q-preview-6android-q-preview-5android-q-preview-4android-mainline-10.0.0_r3android-mainline-10.0.0_r2android-mainline-10.0.0_r1android-cts-10.0_r9android-cts-10.0_r8android-cts-10.0_r7android-cts-10.0_r6android-cts-10.0_r5android-cts-10.0_r4android-cts-10.0_r3android-cts-10.0_r2android-cts-10.0_r16android-cts-10.0_r15android-cts-10.0_r14android-cts-10.0_r13android-cts-10.0_r12android-cts-10.0_r11android-cts-10.0_r10android-cts-10.0_r1android-10.0.0_r6android-10.0.0_r5android-10.0.0_r47android-10.0.0_r46android-10.0.0_r4android-10.0.0_r3android-10.0.0_r2android-10.0.0_r17android-10.0.0_r11android-10.0.0_r10android-10.0.0_r1android10-tests-releaseandroid10-security-releaseandroid10-s3-releaseandroid10-s2-releaseandroid10-s1-releaseandroid10-releaseandroid10-mainline-releaseandroid10-mainline-a-releaseandroid10-gsi
Change-Id: Ia243ecd6f6308dc19312d81f233758e64cf364d6
-rw-r--r--extensions/libxt_connbytes.c56
-rw-r--r--extensions/libxt_rpfilter.c26
-rw-r--r--iptables/ip6tables-save.c14
-rw-r--r--iptables/iptables-save.c14
-rw-r--r--iptables/nft-ipv4.c5
-rw-r--r--iptables/nft-ipv6.c5
6 files changed, 106 insertions, 14 deletions
diff --git a/extensions/libxt_connbytes.c b/extensions/libxt_connbytes.c
index ed2ad25d..b57f0fc0 100644
--- a/extensions/libxt_connbytes.c
+++ b/extensions/libxt_connbytes.c
@@ -156,6 +156,61 @@ static void connbytes_save(const void *ip, const struct xt_entry_match *match)
print_direction(sinfo);
}
+
+static int connbytes_xlate(struct xt_xlate *xl,
+ const struct xt_xlate_mt_params *params)
+{
+ const struct xt_connbytes_info *info = (void *)params->match->data;
+ unsigned long long from, to;
+ bool invert = false;
+
+ xt_xlate_add(xl, "ct ");
+
+ switch (info->direction) {
+ case XT_CONNBYTES_DIR_ORIGINAL:
+ xt_xlate_add(xl, "original ");
+ break;
+ case XT_CONNBYTES_DIR_REPLY:
+ xt_xlate_add(xl, "reply ");
+ break;
+ case XT_CONNBYTES_DIR_BOTH:
+ break;
+ default:
+ return 0;
+ }
+
+ switch (info->what) {
+ case XT_CONNBYTES_PKTS:
+ xt_xlate_add(xl, "packets ");
+ break;
+ case XT_CONNBYTES_BYTES:
+ xt_xlate_add(xl, "bytes ");
+ break;
+ case XT_CONNBYTES_AVGPKT:
+ xt_xlate_add(xl, "avgpkt ");
+ break;
+ default:
+ return 0;
+ }
+
+ if (info->count.from > info->count.to) {
+ invert = true;
+ from = info->count.to;
+ to = info->count.from;
+ } else {
+ to = info->count.to;
+ from = info->count.from;
+ }
+
+ if (from == to)
+ xt_xlate_add(xl, "%llu", from);
+ else if (to == UINT64_MAX)
+ xt_xlate_add(xl, "%s %llu", invert ? "lt" : "ge", from);
+ else
+ xt_xlate_add(xl, "%s%llu-%llu", invert ? "!= " : "", from, to);
+ return 1;
+}
+
static struct xtables_match connbytes_match = {
.family = NFPROTO_UNSPEC,
.name = "connbytes",
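Review bot: The range branch at the end of connbytes_xlate relies on an undocumented encoding: `info->count.from > info->count.to` is treated as an inverted match and the bounds are swapped, but nothing in the function says so. A short comment above that `if`, such as `/* from > to encodes an inverted range; swap so from <= to and remember the negation */`, would let a reader check that `lt`, `ge` and `!= from-to` are the right nft forms. Separately, `xt_xlate_add(xl, "ct ")` runs before either `switch` can `return 0`, so an unknown direction or mode leaves a partial `ct ` fragment in `xl`. Presumably the caller discards the buffer on a zero return, but validating both fields before the first `xt_xlate_add` would not depend on that.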
@@ -167,6 +222,7 @@ static struct xtables_match connbytes_match = {
.save = connbytes_save,
.x6_parse = connbytes_parse,
.x6_options = connbytes_opts,
+ .xlate = connbytes_xlate,
};
void _init(void)
diff --git a/extensions/libxt_rpfilter.c b/extensions/libxt_rpfilter.c
index 168e703f..d166baa2 100644
--- a/extensions/libxt_rpfilter.c
+++ b/extensions/libxt_rpfilter.c
@@ -77,6 +77,31 @@ static void rpfilter_save(const void *ip, const struct xt_entry_match *match)
return rpfilter_print_prefix(ip, match->data, "--");
}
+static int rpfilter_xlate(struct xt_xlate *xl,
+ const struct xt_xlate_mt_params *params)
+{
+ const struct xt_rpfilter_info *info = (void *)params->match->data;
+ bool invert = info->flags & XT_RPFILTER_INVERT;
+
+ if (info->flags & XT_RPFILTER_ACCEPT_LOCAL) {
+ if (invert)
+ xt_xlate_add(xl, "fib saddr type != local ");
+ else
+ return 0;
+ }
+
+ xt_xlate_add(xl, "fib saddr ");
+
+ if (info->flags & XT_RPFILTER_VALID_MARK)
+ xt_xlate_add(xl, ". mark ");
+ if (!(info->flags & XT_RPFILTER_LOOSE))
+ xt_xlate_add(xl, ". iif ");
+
+ xt_xlate_add(xl, "oif %s0", invert ? "" : "!= ");
+
+ return 1;
+}
+
static struct xtables_match rpfilter_match = {
.family = NFPROTO_UNSPEC,
.name = "rpfilter",
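Review bot: The `return 0` taken in rpfilter_xlate for `XT_RPFILTER_ACCEPT_LOCAL` without `XT_RPFILTER_INVERT` has no comment, so it reads as an oversight rather than a deliberate "cannot translate". rpfilter is an anti-spoofing match, so anyone auditing the translation needs to see that this combination is refused rather than approximated. A line such as `/* accept-local without invert has no equivalent expression here; report untranslatable */` would do, though the reason is inferred and should be confirmed. The nested `if (invert) ... else return 0;` could also be flattened into an early `if (!invert) return 0;`.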
@@ -88,6 +113,7 @@ static struct xtables_match rpfilter_match = {
.save = rpfilter_save,
.x6_parse = rpfilter_parse,
.x6_options = rpfilter_opts,
+ .xlate = rpfilter_xlate,
};
void _init(void)
diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c
index f35e921e..053413a9 100644
--- a/iptables/ip6tables-save.c
+++ b/iptables/ip6tables-save.c
@@ -35,10 +35,16 @@ static int for_each_table(int (*func)(const char *tablename))
int ret = 1;
FILE *procfile = NULL;
char tablename[XT_TABLE_MAXNAMELEN+1];
-
- procfile = fopen("/proc/net/ip6_tables_names", "re");
- if (!procfile)
- return ret;
+ static const char filename[] = "/proc/net/ip6_tables_names";
+
+ procfile = fopen(filename, "re");
+ if (!procfile) {
+ if (errno == ENOENT)
+ return ret;
+ fprintf(stderr, "Failed to list table names in %s: %s\n",
+ filename, strerror(errno));
+ exit(1);
+ }
while (fgets(tablename, sizeof(tablename), procfile)) {
if (tablename[strlen(tablename) - 1] != '\n')
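Review bot: The new `if (errno == ENOENT) return ret;` branch returns the success value with no comment, so a missing /proc/net/ip6_tables_names still yields an empty but successful save. That looks intentional (presumably the file is absent when the tables module is not loaded), but it should be stated, e.g. `/* no proc file: no tables registered, nothing to save */`, because an operator who reads an empty dump as "no rules" depends on it. Every other failure ends in `exit(1)` inside a helper that otherwise reports through `ret`. The hunk also uses `errno` and `strerror` without showing that `<errno.h>` and `<string.h>` are included, which is worth confirming. The same points apply to the matching hunk in iptables/iptables-save.c; the body of for_each_table starts before and continues after this hunk.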
diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c
index 238f368e..e8ae9c6c 100644
--- a/iptables/iptables-save.c
+++ b/iptables/iptables-save.c
@@ -33,10 +33,16 @@ static int for_each_table(int (*func)(const char *tablename))
int ret = 1;
FILE *procfile = NULL;
char tablename[XT_TABLE_MAXNAMELEN+1];
-
- procfile = fopen("/proc/net/ip_tables_names", "re");
- if (!procfile)
- return ret;
+ static const char filename[] = "/proc/net/ip_tables_names";
+
+ procfile = fopen(filename, "re");
+ if (!procfile) {
+ if (errno == ENOENT)
+ return ret;
+ fprintf(stderr, "Failed to list table names in %s: %s\n",
+ filename, strerror(errno));
+ exit(1);
+ }
while (fgets(tablename, sizeof(tablename), procfile)) {
if (tablename[strlen(tablename) - 1] != '\n')
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 52b1bed2..e5947a7c 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -489,12 +489,11 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
/* Always add counters per rule, as in iptables */
xt_xlate_add(xl, "counter ");
+ ret = xlate_action(cs, !!(cs->fw.ip.flags & IPT_F_GOTO), xl);
comment = xt_xlate_get_comment(xl);
if (comment)
- xt_xlate_add(xl, "comment %s", comment);
-
- ret = xlate_action(cs, !!(cs->fw.ip.flags & IPT_F_GOTO), xl);
+ xt_xlate_add(xl, " comment %s", comment);
return ret;
}
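Review bot: `comment` is still written with a bare `%s` in `xt_xlate_add(xl, " comment %s", comment)`, and after this reordering it is the last token of the generated rule. The comment text originates from the rule being translated, so unless `xt_xlate_get_comment` already returns a quoted and escaped string (not visible here), the output should quote it, or the helper's contract should be noted in a comment above the call. The comment is also appended regardless of `ret`; if a zero `ret` from `xlate_action` means the action could not be translated, `if (ret && comment)` would avoid extending a rule that is about to be rejected. The same applies to the nft_ipv6_xlate hunk in iptables/nft-ipv6.c; nft_ipv4_xlate starts before this hunk.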
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index c475b8e9..9cf4058f 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -438,12 +438,11 @@ static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl)
/* Always add counters per rule, as in iptables */
xt_xlate_add(xl, "counter ");
+ ret = xlate_action(cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO), xl);
comment = xt_xlate_get_comment(xl);
if (comment)
- xt_xlate_add(xl, "comment %s", comment);
-
- ret = xlate_action(cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO), xl);
+ xt_xlate_add(xl, " comment %s", comment);
return ret;
}