Repo created

external/dist/iptables-patches/0001-iptables-correctly-reference-generated-file.patch

@@ -0,0 +1,33 @@
+From e693b5be1f4320c3db64ddb9f3a473de6bb6bc5f Mon Sep 17 00:00:00 2001
+From: Lutz Jaenicke <ljaenicke@innominate.com>
+Date: Wed, 7 Aug 2013 10:09:16 +0200
+Subject: [PATCH 1/7] iptables: correctly reference generated file
+
+Since (14bca55 iptables: use autoconf to process .in man pages),
+the file "iptables-extensions.8.tmpl" is generated from
+"iptables-extensions.8.tmpl.in" and is consequently no
+longer found in ${srcdir} but in the build directory.
+(Becomes visible with builddir != srcdir)
+
+Signed-off-by: Lutz Jaenicke <ljaenicke@innominate.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ iptables/Makefile.am |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/Makefile.am b/iptables/Makefile.am
+index 46d2463..501e825 100644
+--- a/iptables/Makefile.am
++++ b/iptables/Makefile.am
+@@ -38,7 +38,7 @@ if ENABLE_IPV6
+ v6_sbin_links  = ip6tables ip6tables-restore ip6tables-save
+ endif
+ 
+-iptables-extensions.8: ${srcdir}/iptables-extensions.8.tmpl ../extensions/matches.man ../extensions/targets.man
++iptables-extensions.8: iptables-extensions.8.tmpl ../extensions/matches.man ../extensions/targets.man
+ 	${AM_VERBOSE_GEN} sed \
+ 		-e '/@MATCH@/ r ../extensions/matches.man' \
+ 		-e '/@TARGET@/ r ../extensions/targets.man' $< >$@;
+-- 
+1.7.9.5
+

external/dist/iptables-patches/0002-android-libiptc-Fix-socklen_t-type-mismatch-on-Andro.patch

@@ -0,0 +1,45 @@
+From faa4da018eccbf60bfd6e40bc764cae078e12b8d Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@gmail.com>
+Date: Sat, 26 Oct 2013 10:35:06 -0700
+Subject: [PATCH 2/7] android: libiptc: Fix socklen_t type mismatch on Android
+
+Bionic defines socklen_t as a signed int, so redefining it as unsigned
+breaks the build.
+
+This change comes from AOSP.
+
+Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
+---
+ libiptc/libip4tc.c |    2 +-
+ libiptc/libip6tc.c |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libiptc/libip4tc.c b/libiptc/libip4tc.c
+index dd59951..2b029d4 100644
+--- a/libiptc/libip4tc.c
++++ b/libiptc/libip4tc.c
+@@ -22,7 +22,7 @@
+ #define inline
+ #endif
+ 
+-#if !defined(__GLIBC__) || (__GLIBC__ < 2)
++#if !defined(__ANDROID__) && (!defined(__GLIBC__) || (__GLIBC__ < 2))
+ typedef unsigned int socklen_t;
+ #endif
+ 
+diff --git a/libiptc/libip6tc.c b/libiptc/libip6tc.c
+index ca01bcb..4e47e69 100644
+--- a/libiptc/libip6tc.c
++++ b/libiptc/libip6tc.c
+@@ -23,7 +23,7 @@
+ #define inline
+ #endif
+ 
+-#if !defined(__GLIBC__) || (__GLIBC__ < 2)
++#if !defined(__ANDROID__) && (!defined(__GLIBC__) || (__GLIBC__ < 2))
+ typedef unsigned int socklen_t;
+ #endif
+ 
+-- 
+1.7.9.5
+

external/dist/iptables-patches/0003-android-Don-t-include-conflicting-headers.patch

@@ -0,0 +1,32 @@
+From 2f7755e416c284c3fd96248fcb5401c46a3ba6bf Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@gmail.com>
+Date: Sat, 26 Oct 2013 10:42:55 -0700
+Subject: [PATCH 3/7] android: Don't include conflicting headers
+
+<netinet/ip.h> and <linux/ip.h> redefine a couple of structs, including
+iphdr.  Handle this the same way as on glibc, i.e. don't include
+<linux/ip.h>.
+
+This change comes from AOSP.
+
+Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
+---
+ include/libiptc/ipt_kernel_headers.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/libiptc/ipt_kernel_headers.h b/include/libiptc/ipt_kernel_headers.h
+index 18861fe..60c7998 100644
+--- a/include/libiptc/ipt_kernel_headers.h
++++ b/include/libiptc/ipt_kernel_headers.h
+@@ -5,7 +5,7 @@
+ 
+ #include <limits.h>
+ 
+-#if defined(__GLIBC__) && __GLIBC__ == 2
++#if defined(__ANDROID__) || (defined(__GLIBC__) && __GLIBC__ == 2)
+ #include <netinet/ip.h>
+ #include <netinet/in.h>
+ #include <netinet/ip_icmp.h>
+-- 
+1.7.9.5
+

external/dist/iptables-patches/0004-android-build-Blacklist-TCPOPTSTRIP-on-systems-that-.patch

@@ -0,0 +1,36 @@
+From 337d40956909c71c3bd527adf9ed6783de631303 Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@gmail.com>
+Date: Sat, 26 Oct 2013 11:03:06 -0700
+Subject: [PATCH 4/7] android: build: Blacklist TCPOPTSTRIP on systems that
+ lack TCPOPT_*
+
+Bionic's <netinet/tcp.h> is missing constants needed to build this module,
+so have autoconf check for this condition before trying to build it.
+
+Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
+---
+ configure.ac |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index f8affed..9607560 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -91,6 +91,14 @@ if test "$nfconntrack" -ne 1; then
+ 	echo "WARNING: libnetfilter_conntrack not found, connlabel match will not be built";
+ fi;
+ 
++AC_CHECK_DECL([TCPOPT_WINDOW], [tcpopt_ok=1], [tcpopt_ok=0],
++	[[#include <netinet/tcp.h>]])
++
++if test "$tcpopt_ok" -ne 1; then
++	blacklist_modules="$blacklist_modules TCPOPTSTRIP";
++	echo "WARNING: TCPOPT_* constants not found, TCPOPTSTRIP target will not be built";
++fi;
++
+ AC_SUBST([blacklist_modules])
+ AC_CHECK_SIZEOF([struct ip6_hdr], [], [#include <netinet/ip6.h>])
+ 
+-- 
+1.7.9.5
+

external/dist/iptables-patches/0005-Modify-iptables-to-talk-to-xt_IDLETIMER-version-1.patch

@@ -0,0 +1,113 @@
+From b790e5feab45ed0bcb68399bd270c13e83da6641 Mon Sep 17 00:00:00 2001
+From: Ashish Sharma <ashishsharma@google.com>
+Date: Thu, 29 Mar 2012 19:51:43 -0700
+Subject: [PATCH 5/7] Modify iptables to talk to xt_IDLETIMER version 1.
+
+Change-Id: Ib144c5289681cdff21b21be74173164d097710e7
+---
+ extensions/libxt_IDLETIMER.c           |    9 ++++++++-
+ extensions/libxt_IDLETIMER.man         |    4 ++++
+ include/linux/netfilter/xt_IDLETIMER.h |    8 ++++++++
+ 3 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/extensions/libxt_IDLETIMER.c b/extensions/libxt_IDLETIMER.c
+index 21004a4..5f1b9fe 100644
+--- a/extensions/libxt_IDLETIMER.c
++++ b/extensions/libxt_IDLETIMER.c
+@@ -27,6 +27,7 @@
+ enum {
+ 	O_TIMEOUT = 0,
+ 	O_LABEL,
++	O_NETLINK,
+ };
+ 
+ #define s struct idletimer_tg_info
+@@ -35,6 +36,8 @@ static const struct xt_option_entry idletimer_tg_opts[] = {
+ 	 .flags = XTOPT_MAND | XTOPT_PUT, XTOPT_POINTER(s, timeout)},
+ 	{.name = "label", .id = O_LABEL, .type = XTTYPE_STRING,
+ 	 .flags = XTOPT_MAND | XTOPT_PUT, XTOPT_POINTER(s, label)},
++	{.name = "send_nl_msg", .id = O_NETLINK, .type = XTTYPE_UINT8,
++	 .flags = XTOPT_PUT, XTOPT_POINTER(s, send_nl_msg)},
+ 	XTOPT_TABLEEND,
+ };
+ #undef s
+@@ -45,6 +48,8 @@ static void idletimer_tg_help(void)
+ "IDLETIMER target options:\n"
+ " --timeout time	Timeout until the notification is sent (in seconds)\n"
+ " --label string	Unique rule identifier\n"
++" --send_nl_msg		(0/1) Enable netlink messages,"
++			" and show remaining time in sysfs. Defaults to 0.\n"
+ "\n");
+ }
+ 
+@@ -57,6 +62,7 @@ static void idletimer_tg_print(const void *ip,
+ 
+ 	printf(" timeout:%u", info->timeout);
+ 	printf(" label:%s", info->label);
++	printf(" send_nl_msg:%u", info->send_nl_msg);
+ }
+ 
+ static void idletimer_tg_save(const void *ip,
+@@ -67,13 +73,14 @@ static void idletimer_tg_save(const void *ip,
+ 
+ 	printf(" --timeout %u", info->timeout);
+ 	printf(" --label %s", info->label);
++	printf(" --send_nl_msg %u", info->send_nl_msg);
+ }
+ 
+ static struct xtables_target idletimer_tg_reg = {
+ 	.family	       = NFPROTO_UNSPEC,
+ 	.name	       = "IDLETIMER",
+ 	.version       = XTABLES_VERSION,
+-	.revision      = 0,
++	.revision      = 1,
+ 	.size	       = XT_ALIGN(sizeof(struct idletimer_tg_info)),
+ 	.userspacesize = offsetof(struct idletimer_tg_info, timer),
+ 	.help	       = idletimer_tg_help,
+diff --git a/extensions/libxt_IDLETIMER.man b/extensions/libxt_IDLETIMER.man
+index e3c91ce..3b5188d 100644
+--- a/extensions/libxt_IDLETIMER.man
++++ b/extensions/libxt_IDLETIMER.man
+@@ -18,3 +18,7 @@ This is the time in seconds that will trigger the notification.
+ \fB\-\-label\fP \fIstring\fP
+ This is a unique identifier for the timer.  The maximum length for the
+ label string is 27 characters.
++.TP
++\fB\-\---send_nl_msg\fP \fI(0/1)\fP
++Send netlink messages in addition to sysfs notifications and show remaining
++time. Defaults to 0.
+diff --git a/include/linux/netfilter/xt_IDLETIMER.h b/include/linux/netfilter/xt_IDLETIMER.h
+index 208ae93..faaa28b 100644
+--- a/include/linux/netfilter/xt_IDLETIMER.h
++++ b/include/linux/netfilter/xt_IDLETIMER.h
+@@ -4,6 +4,7 @@
+  * Header file for Xtables timer target module.
+  *
+  * Copyright (C) 2004, 2010 Nokia Corporation
++ *
+  * Written by Timo Teras <ext-timo.teras@nokia.com>
+  *
+  * Converted to x_tables and forward-ported to 2.6.34
+@@ -32,12 +33,19 @@
+ #include <linux/types.h>
+ 
+ #define MAX_IDLETIMER_LABEL_SIZE 28
++#define NLMSG_MAX_SIZE 64
++
++#define NL_EVENT_TYPE_INACTIVE 0
++#define NL_EVENT_TYPE_ACTIVE 1
+ 
+ struct idletimer_tg_info {
+ 	__u32 timeout;
+ 
+ 	char label[MAX_IDLETIMER_LABEL_SIZE];
+ 
++	/* Use netlink messages for notification in addition to sysfs */
++	__u8 send_nl_msg;
++
+ 	/* for kernel module internal use only */
+ 	struct idletimer_tg *timer __attribute__((aligned(8)));
+ };
+-- 
+1.7.9.5
+

external/dist/iptables-patches/0006-ignore-SIGPIPES.patch

@@ -0,0 +1,39 @@
+From d0c05e88231609ddd8b1e8ab0698f3f22c4e9aff Mon Sep 17 00:00:00 2001
+From: JP Abgrall <jpa@google.com>
+Date: Mon, 12 Nov 2012 11:59:43 -0800
+Subject: [PATCH 6/7] ignore SIGPIPES
+
+During bugreports mostly, when adb goes away it leads to apps crashing
+because their output stream got closed.
+Let's just ignore it.
+
+Bug: 6447319
+Change-Id: I1b293ebef737014162edebd5fd9bf254345b2ce8
+---
+ iptables/iptables-standalone.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/iptables/iptables-standalone.c b/iptables/iptables-standalone.c
+index 4da1d7f..c60b4b7 100644
+--- a/iptables/iptables-standalone.c
++++ b/iptables/iptables-standalone.c
+@@ -34,6 +34,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <errno.h>
++#include <signal.h>
+ #include <string.h>
+ #include <iptables.h>
+ #include "iptables-multi.h"
+@@ -45,6 +46,8 @@ iptables_main(int argc, char *argv[])
+ 	char *table = "filter";
+ 	struct xtc_handle *handle = NULL;
+ 
++	signal(SIGPIPE, SIG_IGN);
++
+ 	iptables_globals.program_name = "iptables";
+ 	ret = xtables_init_all(&iptables_globals, NFPROTO_IPV4);
+ 	if (ret < 0) {
+-- 
+1.7.9.5
+

external/dist/iptables-patches/0007-android-Import-latest-libxt_quota2-code-from-AOSP-4..patch

@@ -0,0 +1,252 @@
+From 81b9c73f49774ba820bb27c9eaa98b36ab8bdbc2 Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@gmail.com>
+Date: Sat, 26 Oct 2013 12:04:25 -0700
+Subject: [PATCH 7/7] android: Import latest libxt_quota2 code from AOSP 4.2.2
+
+Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
+---
+ extensions/libxt_quota.c            |    1 +
+ extensions/libxt_quota2.c           |  141 +++++++++++++++++++++++++++++++++++
+ extensions/libxt_quota2.man         |   37 +++++++++
+ include/linux/netfilter/xt_quota2.h |   25 +++++++
+ 4 files changed, 204 insertions(+)
+ create mode 100644 extensions/libxt_quota2.c
+ create mode 100644 extensions/libxt_quota2.man
+ create mode 100644 include/linux/netfilter/xt_quota2.h
+
+diff --git a/extensions/libxt_quota.c b/extensions/libxt_quota.c
+index ff498da..26fba0b 100644
+--- a/extensions/libxt_quota.c
++++ b/extensions/libxt_quota.c
+@@ -48,6 +48,7 @@ static void quota_parse(struct xt_option_call *cb)
+ 	xtables_option_parse(cb);
+ 	if (cb->invert)
+ 		info->flags |= XT_QUOTA_INVERT;
++	info->quota = cb->val.u64;
+ }
+ 
+ static struct xtables_match quota_match = {
+diff --git a/extensions/libxt_quota2.c b/extensions/libxt_quota2.c
+new file mode 100644
+index 0000000..d004cca
+--- /dev/null
++++ b/extensions/libxt_quota2.c
+@@ -0,0 +1,141 @@
++/*
++ *	"quota2" match extension for iptables
++ *	Sam Johnston <samj [at] samj net>
++ *	Jan Engelhardt <jengelh [at] medozas de>, 2008
++ *
++ *	This program is free software; you can redistribute it and/or
++ *	modify it under the terms of the GNU General Public License; either
++ *	version 2 of the License, or any later version, as published by the
++ *	Free Software Foundation.
++ */
++#include <getopt.h>
++#include <stddef.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <xtables.h>
++#include <linux/netfilter/xt_quota2.h>
++
++enum {
++	FL_QUOTA     = 1 << 0,
++	FL_NAME      = 1 << 1,
++	FL_GROW      = 1 << 2,
++	FL_PACKET    = 1 << 3,
++	FL_NO_CHANGE = 1 << 4,
++};
++
++enum {
++	O_QUOTA     = 0,
++	O_NAME,
++	O_GROW,
++	O_PACKET,
++	O_NO_CHANGE,
++};
++
++
++static const struct xt_option_entry quota_mt2_opts[] = {
++	{.name = "grow", .id = O_GROW, .type = XTTYPE_NONE},
++	{.name = "no-change", .id = O_NO_CHANGE, .type = XTTYPE_NONE},
++	{.name = "name", .id = O_NAME, .type = XTTYPE_STRING,
++	 .flags = XTOPT_PUT, XTOPT_POINTER(struct xt_quota_mtinfo2, name)},
++	{.name = "quota", .id = O_QUOTA, .type = XTTYPE_UINT64,
++	 .flags = XTOPT_INVERT | XTOPT_PUT,
++	 XTOPT_POINTER(struct xt_quota_mtinfo2, quota)},
++	{.name = "packets", .id = O_PACKET, .type = XTTYPE_NONE},
++	XTOPT_TABLEEND,
++};
++
++static void quota_mt2_help(void)
++{
++	printf(
++	"quota match options:\n"
++	"    --grow           provide an increasing counter\n"
++	"    --no-change      never change counter/quota value for matching packets\n"
++	"    --name name      name for the file in sysfs\n"
++	"[!] --quota quota    initial quota (bytes or packets)\n"
++	"    --packets        count packets instead of bytes\n"
++	);
++}
++
++static void quota_mt2_parse(struct xt_option_call *cb)
++{
++	struct xt_quota_mtinfo2 *info = cb->data;
++
++	xtables_option_parse(cb);
++	switch (cb->entry->id) {
++	case O_GROW:
++		info->flags |= XT_QUOTA_GROW;
++		break;
++	case O_NO_CHANGE:
++		info->flags |= XT_QUOTA_NO_CHANGE;
++		break;
++	case O_NAME:
++		break;
++	case O_PACKET:
++		info->flags |= XT_QUOTA_PACKET;
++		break;
++	case O_QUOTA:
++		if (cb->invert)
++			info->flags |= XT_QUOTA_INVERT;
++		break;
++	}
++}
++
++static void
++quota_mt2_save(const void *ip, const struct xt_entry_match *match)
++{
++	const struct xt_quota_mtinfo2 *q = (void *)match->data;
++
++	if (q->flags & XT_QUOTA_INVERT)
++		printf(" !");
++	if (q->flags & XT_QUOTA_GROW)
++		printf(" --grow ");
++	if (q->flags & XT_QUOTA_NO_CHANGE)
++		printf(" --no-change ");
++	if (q->flags & XT_QUOTA_PACKET)
++		printf(" --packets ");
++	if (*q->name != '\0')
++		printf(" --name %s ", q->name);
++	printf(" --quota %llu ", (unsigned long long)q->quota);
++}
++
++static void quota_mt2_print(const void *ip, const struct xt_entry_match *match,
++                            int numeric)
++{
++	const struct xt_quota_mtinfo2 *q = (const void *)match->data;
++
++	if (q->flags & XT_QUOTA_INVERT)
++		printf(" !");
++	if (q->flags & XT_QUOTA_GROW)
++		printf(" counter");
++	else
++		printf(" quota");
++	if (*q->name != '\0')
++		printf(" %s:", q->name);
++	printf(" %llu ", (unsigned long long)q->quota);
++	if (q->flags & XT_QUOTA_PACKET)
++		printf("packets ");
++	else
++		printf("bytes ");
++	if (q->flags & XT_QUOTA_NO_CHANGE)
++		printf("(no-change mode) ");
++}
++
++static struct xtables_match quota_mt2_reg = {
++	.family        = NFPROTO_UNSPEC,
++	.revision      = 3,
++	.name          = "quota2",
++	.version       = XTABLES_VERSION,
++	.size          = XT_ALIGN(sizeof (struct xt_quota_mtinfo2)),
++	.userspacesize = offsetof(struct xt_quota_mtinfo2, quota),
++	.help          = quota_mt2_help,
++	.x6_parse      = quota_mt2_parse,
++	.print         = quota_mt2_print,
++	.save          = quota_mt2_save,
++	.x6_options    = quota_mt2_opts,
++};
++
++void _init(void)
++{
++	xtables_register_match(&quota_mt2_reg);
++}
+diff --git a/extensions/libxt_quota2.man b/extensions/libxt_quota2.man
+new file mode 100644
+index 0000000..c2e6b44
+--- /dev/null
++++ b/extensions/libxt_quota2.man
+@@ -0,0 +1,37 @@
++The "quota2" implements a named counter which can be increased or decreased
++on a per-match basis. Available modes are packet counting or byte counting.
++The value of the counter can be read and reset through procfs, thereby making
++this match a minimalist accounting tool.
++.PP
++When counting down from the initial quota, the counter will stop at 0 and
++the match will return false, just like the original "quota" match. In growing
++(upcounting) mode, it will always return true.
++.TP
++\fB\-\-grow\fP
++Count upwards instead of downwards.
++.TP
++\fB\-\-no\-change\fP
++Makes it so the counter or quota amount is never changed by packets matching
++this rule. This is only really useful in "quota" mode, as it will allow you to
++use complex prerouting rules in association with the quota system, without
++counting a packet twice.
++.TP
++\fB\-\-name\fP \fIname\fP
++Assign the counter a specific name. This option must be present, as an empty
++name is not allowed. Names starting with a dot or names containing a slash are
++prohibited.
++.TP
++[\fB!\fP] \fB\-\-quota\fP \fIiq\fP
++Specify the initial quota for this counter. If the counter already exists,
++it is not reset. An "!" may be used to invert the result of the match. The
++negation has no effect when \fB\-\-grow\fP is used.
++.TP
++\fB\-\-packets\fP
++Count packets instead of bytes that passed the quota2 match.
++.PP
++Because counters in quota2 can be shared, you can combine them for various
++purposes, for example, a bytebucket filter that only lets as much traffic go
++out as has come in:
++.PP
++\-A INPUT \-p tcp \-\-dport 6881 \-m quota \-\-name bt \-\-grow;
++\-A OUTPUT \-p tcp \-\-sport 6881 \-m quota \-\-name bt;
+diff --git a/include/linux/netfilter/xt_quota2.h b/include/linux/netfilter/xt_quota2.h
+new file mode 100644
+index 0000000..eadc690
+--- /dev/null
++++ b/include/linux/netfilter/xt_quota2.h
+@@ -0,0 +1,25 @@
++#ifndef _XT_QUOTA_H
++#define _XT_QUOTA_H
++
++enum xt_quota_flags {
++	XT_QUOTA_INVERT    = 1 << 0,
++	XT_QUOTA_GROW      = 1 << 1,
++	XT_QUOTA_PACKET    = 1 << 2,
++	XT_QUOTA_NO_CHANGE = 1 << 3,
++	XT_QUOTA_MASK      = 0x0F,
++};
++
++struct xt_quota_counter;
++
++struct xt_quota_mtinfo2 {
++	char name[15];
++	u_int8_t flags;
++
++	/* Comparison-invariant */
++	aligned_u64 quota;
++
++	/* Used internally by the kernel */
++	struct xt_quota_counter *master __attribute__((aligned(8)));
++};
++
++#endif /* _XT_QUOTA_H */
+-- 
+1.7.9.5
+

external/dist/iptables-patches/0008-android-Work-around-broken-Bionic-getaddrinfo.patch

@@ -0,0 +1,33 @@
+From 796e8ae853183e0361441b62f9995cb37e267f55 Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@gmail.com>
+Date: Sun, 27 Oct 2013 11:27:27 -0700
+Subject: [PATCH 8/8] android: Work around broken Bionic getaddrinfo()
+
+The first argument to getaddrifo(), "hostname", is normally allowed
+to be NULL.  However, some Bionic implementations erroneously call
+strlen() on this parameter without first checking to see if it is
+NULL.  Work around this by passing in a hostname of "0.0.0.0".
+
+This problem was seen on the HTC One SV stock ROM, JB 4.1.2.
+
+Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
+---
+ libxtables/xtoptions.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
+index 78e9abd..c206c1d 100644
+--- a/libxtables/xtoptions.c
++++ b/libxtables/xtoptions.c
+@@ -561,7 +561,7 @@ static int xtables_getportbyname(const char *name)
+ 	struct addrinfo *res = NULL, *p;
+ 	int ret;
+ 
+-	ret = getaddrinfo(NULL, name, NULL, &res);
++	ret = getaddrinfo("0.0.0.0", name, NULL, &res);
+ 	if (ret < 0)
+ 		return -1;
+ 	ret = -1;
+-- 
+1.7.9.5
+

external/dist/iptables-patches/0009-ip6tables-Use-consistent-exit-code-for-EAGAIN.patch

@@ -0,0 +1,33 @@
+From bb7abec605cf7bc3bb1b1d65e5cd9f57921fc020 Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@gmail.com>
+Date: Fri, 1 Nov 2013 20:48:33 -0700
+Subject: [PATCH 9/9] ip6tables: Use consistent exit code for EAGAIN
+
+As of commit 056564f6a (Add new exit value to indicate concurrency
+issues), the IPv4 iptables binary returns exit status 4 to indicate that
+the kernel returned EAGAIN when trying to update a table.  But ip6tables
+still returns exit status 1 under the same circumstances.  Update
+ip6tables to bring it in line with iptables behavior.
+
+Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
+---
+ iptables/ip6tables-standalone.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/iptables/ip6tables-standalone.c b/iptables/ip6tables-standalone.c
+index 656e08d..4e20fe6 100644
+--- a/iptables/ip6tables-standalone.c
++++ b/iptables/ip6tables-standalone.c
+@@ -73,6 +73,9 @@ ip6tables_main(int argc, char *argv[])
+ 			fprintf(stderr, "ip6tables: %s.\n",
+ 				ip6tc_strerror(errno));
+ 		}
++		if (errno == EAGAIN) {
++			exit(RESOURCE_PROBLEM);
++		}
+ 	}
+ 
+ 	exit(!ret);
+-- 
+1.7.9.5
+