iptables-(pci-review).md

@@ -59,57 +59,63 @@ Chain bw_FORWARD (1 references)
 target     prot opt source               destination         
 ```
 
+Only allow incoming packets from tcp and udp if the socket was already created by a device process.
 ```
 Chain bw_INPUT (1 references)
-target     prot opt source               destination         
-           all  --  anywhere             anywhere             ! quota globalAlert: 2097152 bytes 
+target     prot opt source               destination
            all  --  anywhere             anywhere             owner socket exists
 ```
-Allows incoming packets from tcp and udp ONLY if the socket was already created.
-Filter all high frequency packets to prevent overloads. 
 
-```
+Only allow outgoing packets from tcp and udp if the socket was already created by a device process.
+``````
 Chain bw_OUTPUT (1 references)
-target     prot opt source               destination         
-           all  --  anywhere             anywhere             ! quota globalAlert: 2097152 bytes 
+target     prot opt source               destination
            all  --  anywhere             anywhere             owner socket exists
 ```
-Allows outgoing packets from tcp and udp ONLY if the socket was already created.
-Filter all high frequency packets to prevent overloads. 
 
+### NOP: no packets in the bw_penalty_box filter criteria
 ```
 Chain bw_costly_shared (0 references)
 target     prot opt source               destination         
 bw_penalty_box  all  --  anywhere             anywhere            
 ```
 
+### NOP: no packets in the filter criteria
 ```
 Chain bw_happy_box (0 references)
 target     prot opt source               destination         
 ```
 
+### NOP: no packets in the filter criteria
 ```
 Chain bw_penalty_box (1 references)
 target     prot opt source               destination         
 ```
 
+### NOP: no packets in the filter criteria
 ```
 Chain fw_FORWARD (1 references)
 target     prot opt source               destination         
 ```
 
+### NOP: no packets in the fw_standby filter criteria
+
 ```
 Chain fw_INPUT (1 references)
 target     prot opt source               destination         
 fw_standby  all  --  anywhere             anywhere            
 ```
 
+### NOP: no packets in the filter criteria
 ```
 Chain fw_OUTPUT (1 references)
 target     prot opt source               destination         
 fw_standby  all  --  anywhere             anywhere            
 ```
 
+### NOT Referenced in INPUT/OUTPUT/FORWARD chains.  
+This is defined by Android, but it is not used to filter any packets.
+Affected by Doze settings. It would reject or drop packets if Dozing was enabled on our tablet
 ```
 Chain fw_dozable (0 references)
 target     prot opt source               destination         
@@ -117,42 +123,54 @@ RETURN     all  --  anywhere             anywhere             owner UID match 0-
 DROP       all  --  anywhere             anywhere            
 ```
 
+### NOP: no packets in the filter criteria
 ```
-Chain fw_standby (2 references)
-target     prot opt source               destination         
+Chain fw_standby (0 references)
+target     prot opt source               destination
 ```
 
+### DO NOT FORWARD packets from other devices
+DROP all packets forwarded from any device connected directly to the router via NAT
 ```
 Chain natctrl_FORWARD (1 references)
 target     prot opt source               destination         
 DROP       all  --  anywhere             anywhere            
 ```
 
+### NOP: no packets in the filter criteria
 ```
 Chain natctrl_tether_counters (0 references)
 target     prot opt source               destination         
 ```
 
+### NOP: no packets in the filter criteria
 ```
 Chain oem_fwd (1 references)
 target     prot opt source               destination         
 ```
 
+### NOP: no packets in the filter criteria
 ```
 Chain oem_out (1 references)
 target     prot opt source               destination         
 ```
 
+### NOP: no packets in the filter criteria
 ```
 Chain st_OUTPUT (1 references)
 target     prot opt source               destination         
 ```
 
+### Only allow tcp packets from sockets that have been created by a device process.
 ```
 Chain st_clear_caught (2 references)
 target     prot opt source               destination         
+st_clear_caught  tcp  --  anywhere             anywhere             state ESTABLISHED u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0x0=0x0"
+st_clear_caught  udp  --  anywhere             anywhere            
 ```
 
+### NOT Referenced in INPUT/OUTPUT/FORWARD chains.  
+This is defined by Android, but it is not used to filter any packets.
 ```
 Chain st_clear_detect (0 references)
 target     prot opt source               destination         
@@ -161,10 +179,11 @@ RETURN     all  --  anywhere             anywhere             connmark match  0x
 CONNMARK   tcp  --  anywhere             anywhere             u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0xffff0000=0x16030000&&0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x4&0xff0000=0x10000" CONNMARK or 0x1000000
 CONNMARK   udp  --  anywhere             anywhere             u32 "0x0>>0x16&0x3c@0x8&0xffff0000=0x16fe0000&&0x0>>0x16&0x3c@0x14&0xff0000=0x10000" CONNMARK or 0x1000000
 RETURN     all  --  anywhere             anywhere             connmark match  0x1000000/0x1000000
-st_clear_caught  tcp  --  anywhere             anywhere             state ESTABLISHED u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0x0=0x0"
-st_clear_caught  udp  --  anywhere             anywhere            
+
 ```
 
+### NOT Referenced in INPUT/OUTPUT/FORWARD chains.  
+This is defined by Android, but it is not used to filter any packets.
 ```
 Chain st_penalty_log (0 references)
 target     prot opt source               destination         
@@ -172,6 +191,8 @@ CONNMARK   all  --  anywhere             anywhere             CONNMARK or 0x1000
 NFLOG      all  --  anywhere             anywhere            
 ```
 
+### NOT Referenced in INPUT/OUTPUT/FORWARD chains.  
+This is defined by Android, but it is not used to filter any packets.
 ```
 Chain st_penalty_reject (0 references)
 target     prot opt source               destination