iptables (pci review) · Changes

Update iptables (pci review), authored Apr 15, 2019 by Mark Stevens
Showing 34 additions and 13 deletions (+34 -13)
iptables-(pci-review).md
View page @ 1cd4a53c
......@@ -59,57 +59,63 @@ Chain bw_FORWARD (1 references)
target prot opt source destination
```
Only allow incoming packets from tcp and udp if the socket was already created by a device process.
```
Chain bw_INPUT (1 references)
target prot opt source destination
all -- anywhere anywhere ! quota globalAlert: 2097152 bytes
target prot opt source destination
all -- anywhere anywhere owner socket exists
```
Allows incoming packets from tcp and udp ONLY if the socket was already created.
Filter all high frequency packets to prevent overloads.
```
Only allow outgoing packets from tcp and udp if the socket was already created by a device process.
``````
Chain bw_OUTPUT (1 references)
target prot opt source destination
all -- anywhere anywhere ! quota globalAlert: 2097152 bytes
target prot opt source destination
all -- anywhere anywhere owner socket exists
```
Allows outgoing packets from tcp and udp ONLY if the socket was already created.
Filter all high frequency packets to prevent overloads.
### NOP: no packets in the bw_penalty_box filter criteria
```
Chain bw_costly_shared (0 references)
target prot opt source destination
bw_penalty_box all -- anywhere anywhere
```
### NOP: no packets in the filter criteria
```
Chain bw_happy_box (0 references)
target prot opt source destination
```
### NOP: no packets in the filter criteria
```
Chain bw_penalty_box (1 references)
target prot opt source destination
```
### NOP: no packets in the filter criteria
```
Chain fw_FORWARD (1 references)
target prot opt source destination
```
### NOP: no packets in the fw_standby filter criteria
```
Chain fw_INPUT (1 references)
target prot opt source destination
fw_standby all -- anywhere anywhere
```
### NOP: no packets in the filter criteria
```
Chain fw_OUTPUT (1 references)
target prot opt source destination
fw_standby all -- anywhere anywhere
```
### NOT Referenced in INPUT/OUTPUT/FORWARD chains.
This is defined by Android, but it is not used to filter any packets.
Affected by Doze settings. It would reject or drop packets if Dozing was enabled on our tablet
```
Chain fw_dozable (0 references)
target prot opt source destination
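Review bot: the annotations for bw_INPUT and bw_OUTPUT ("Only allow incoming/outgoing packets from tcp and udp if the socket was already created by a device process", "Allows ... ONLY if the socket was already created") are not supported by the rules shown. Both `all -- anywhere anywhere owner socket exists` lines and both `! quota globalAlert: 2097152 bytes` lines have an empty target column, so they match and count packets but never ACCEPT, DROP or RETURN anything; a packet that fails the match falls through to the end of the user chain and returns to INPUT/OUTPUT, and nothing in either chain restricts traffic to tcp/udp (every rule is `all`). "Filter all high frequency packets to prevent overloads" is likewise not what `! quota ... 2097152 bytes` expresses: that is a byte-quota match (2 MiB), not a packet-rate limit. Suggest rewording both to something like `bw_INPUT / bw_OUTPUT: accounting only; the quota and owner rules have no target and restrict nothing.` These two annotations are also the only ones in the file without a `###` heading, unlike the NOP entries that follow.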
......@@ -117,42 +123,54 @@ RETURN all -- anywhere anywhere owner UID match 0-
DROP all -- anywhere anywhere
```
### NOP: no packets in the filter criteria
```
Chain fw_standby (2 references)
target prot opt source destination
Chain fw_standby (0 references)
target prot opt source destination
```
### DO NOT FORWARD packets from other devices
DROP all packets forwarded from any device connected directly to the router via NAT
```
Chain natctrl_FORWARD (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
```
### NOP: no packets in the filter criteria
```
Chain natctrl_tether_counters (0 references)
target prot opt source destination
```
### NOP: no packets in the filter criteria
```
Chain oem_fwd (1 references)
target prot opt source destination
```
### NOP: no packets in the filter criteria
```
Chain oem_out (1 references)
target prot opt source destination
```
### NOP: no packets in the filter criteria
```
Chain st_OUTPUT (1 references)
target prot opt source destination
```
### Only allow tcp packets from sockets that have been created by a device process.
```
Chain st_clear_caught (2 references)
target prot opt source destination
st_clear_caught tcp -- anywhere anywhere state ESTABLISHED u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0x0=0x0"
st_clear_caught udp -- anywhere anywhere
```
### NOT Referenced in INPUT/OUTPUT/FORWARD chains.
This is defined by Android, but it is not used to filter any packets.
```
Chain st_clear_detect (0 references)
target prot opt source destination
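Review bot: the heading "Only allow tcp packets from sockets that have been created by a device process" above `Chain st_clear_caught (2 references)` does not match the rules listed under it: there is no `owner` or `socket` match there, only a `state ESTABLISHED` plus `u32` payload match for tcp and an unconditional udp match, both with target `st_clear_caught`. Those are the two rules that jump into st_clear_caught (hence its 2 references), and the same two lines reappear at the end of st_clear_detect in the next hunk. Suggest a heading the lines support, e.g. `### st_clear_caught: entered from st_clear_detect for tcp/udp traffic not already marked by the detection rules`. Separately, fw_standby is listed both as `(2 references)` and `(0 references)`, while the fw_INPUT and fw_OUTPUT listings earlier in the file both still carry `fw_standby all -- anywhere anywhere` (two references); either the two dumps were taken from different device states or the count was edited by hand, and the page should say which.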
......@@ -161,10 +179,11 @@ RETURN all -- anywhere anywhere connmark match 0x
CONNMARK tcp -- anywhere anywhere u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0xffff0000=0x16030000&&0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x4&0xff0000=0x10000" CONNMARK or 0x1000000
CONNMARK udp -- anywhere anywhere u32 "0x0>>0x16&0x3c@0x8&0xffff0000=0x16fe0000&&0x0>>0x16&0x3c@0x14&0xff0000=0x10000" CONNMARK or 0x1000000
RETURN all -- anywhere anywhere connmark match 0x1000000/0x1000000
st_clear_caught tcp -- anywhere anywhere state ESTABLISHED u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0x0=0x0"
st_clear_caught udp -- anywhere anywhere
```
### NOT Referenced in INPUT/OUTPUT/FORWARD chains.
This is defined by Android, but it is not used to filter any packets.
```
Chain st_penalty_log (0 references)
target prot opt source destination
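Review bot: the st_clear_detect rules in this hunk are left under the "not used to filter any packets" heading from the previous hunk, which undersells what the lines do: the two `CONNMARK ... u32` rules set mark 0x1000000 on tcp connections whose first payload bytes match `0x16030000` (a TLS handshake record) and on udp packets matching `0x16fe0000` (the DTLS equivalent), the following `RETURN ... connmark match 0x1000000/0x1000000` stops processing for those, and everything else is sent to `st_clear_caught`. That is cleartext detection, and it is inactive here only because `Chain st_OUTPUT (1 references)` earlier in the file contains no rule jumping to it. Suggest saying so in the heading (`st_clear_detect: cleartext detection, unreachable because st_OUTPUT has no jump to it`) so a reader does not conclude the chain is a no-op by design.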
......@@ -172,6 +191,8 @@ CONNMARK all -- anywhere anywhere CONNMARK or 0x1000
NFLOG all -- anywhere anywhere
```
### NOT Referenced in INPUT/OUTPUT/FORWARD chains.
This is defined by Android, but it is not used to filter any packets.
```
Chain st_penalty_reject (0 references)
target prot opt source destination
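Review bot: the "NOT Referenced in INPUT/OUTPUT/FORWARD chains" heading over `Chain st_penalty_reject (0 references)` is the third verbatim copy of the same three lines for the st_* chains (st_clear_detect, st_penalty_log, st_penalty_reject), and all three share one cause, the empty `Chain st_OUTPUT (1 references)`; one sentence there ("all st_* chains hang off st_OUTPUT, which is empty on this build") would replace the repeats. For st_penalty_log, `NFLOG all -- anywhere anywhere` is a userspace logging target, so if that chain were ever referenced it would emit packet logs over netlink rather than drop anything; worth stating so that "penalty" is not read as a filter.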