assert that xt_bpf programs match Android T netd's expectations
Bug: 235778483
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ic0029063e4dbbf1b2cce7d7ca86a017a1c56f072
(cherry picked from commit 1205737641d428c367fab896f41a905eee254c4c)
Merged-In: Ic0029063e4dbbf1b2cce7d7ca86a017a1c56f072
diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index d754616..e0d67e9 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -326,6 +326,7 @@
return bpf_traffic_account(skb, BPF_EGRESS);
}
+// WARNING: Android T's non-updatable netd depends on the name of this program.
DEFINE_BPF_PROG("skfilter/egress/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_egress_prog)
(struct __sk_buff* skb) {
// Clat daemon does not generate new traffic, all its traffic is accounted for already
@@ -345,6 +346,7 @@
return BPF_MATCH;
}
+// WARNING: Android T's non-updatable netd depends on the name of this program.
DEFINE_BPF_PROG("skfilter/ingress/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_ingress_prog)
(struct __sk_buff* skb) {
// Clat daemon traffic is not accounted by virtue of iptables raw prerouting drop rule
@@ -367,6 +369,7 @@
return TC_ACT_UNSPEC;
}
+// WARNING: Android T's non-updatable netd depends on the name of this program.
DEFINE_BPF_PROG("skfilter/allowlist/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_allowlist_prog)
(struct __sk_buff* skb) {
uint32_t sock_uid = bpf_get_socket_uid(skb);
@@ -384,6 +387,7 @@
return BPF_NOMATCH;
}
+// WARNING: Android T's non-updatable netd depends on the name of this program.
DEFINE_BPF_PROG("skfilter/denylist/xtbpf", AID_ROOT, AID_NET_ADMIN, xt_bpf_denylist_prog)
(struct __sk_buff* skb) {
uint32_t sock_uid = bpf_get_socket_uid(skb);