Android kernel netfilter upstreaming

Registered by John Stultz

Covers upstreaming changes to the netfilter code from the Android driver

Blueprint information

John Stultz
Needs approval
dmitry pervushin
Series goal:
Accepted for kernel-merge-window
Milestone target:
backlog
Started by
John Stultz

Headline: Android netfilter upstreamed
Acceptance: TODO

At kernel summit, upstream netfilter developers were curious as to what changes Android made to the netfilter code.

I plucked those changes (about ~11 patches) and sent them on. They said the first few looked fine, but the rest might need more discussion.

This blueprint is just to leverage the community interest in order to get these patches reviewed and merged, or, if they are not merged, to better flesh out what is needed to integrate this functionality.

Currently the patches can be found here:;a=shortlog;h=refs/heads/dev/netfilter

netfilter: xt_IDLETIMER: Rename INTERFACE to LABEL...
netfilter: xt_qtaguid: start tracking iface rx/tx at...
netfilter: xt_IDLETIMER: Add new netlink msg type
netfilter: xt_qtaguid: fix ipv6 protocol lookup
netfilter: qtaguid: initialize a local var to keep...
netfilter: fixup the quota2, and enable.
netfilter: adding the original quota2 from xtables...
netfilter: add xt_qtaguid matching module
nf: xt_socket: export the fancy sock finder code
security: Add AID_NET_RAW and AID_NET_ADMIN capability...
Add android_aid.h

There are three chunks of functionality in the netfilter patches:
1) The xt_quota2 code from xtables_extras
2) The new xt_qtaguid code
3) The xt_IDLETIMER patches

The xt_quota2 code is taken from an external project (authored by Jan Engelhardt <email address hidden>), the other two are Google authored.

I contacted Jan and apparently the xtables_extras has had some difficulty getting upstreamed, so it may be hard to push that work.

The xt_qtaguid got some complex feedback when I RFCed it, so it may take some effort reworking the patch. Some proposed using a combination of existing netfilters to do the same, but I don't know if the Android devs are interested in that.

xt_IDLETIMER changes are likely the easiest to get upstream.

Public discussion on lkml about these patches from Sept 21st:

Started to submit IDLETIMER patches:

idletimer test submitted for internal review (will be in external/linaro-android-kernel-test/netfilter)

04/28/13: Feedback is available and


Work Items

Work items for 12.09:
Send patches to Pete Waskiewicz Jr for initial review (Sep 20): DONE
Send out patches as RFC to netdev and lkml (Sep 21): DONE

Work items for 13.03:
Review patch set and get familiar with the changes & requested modifications from lkml discussion above: DONE
Discuss feedback from initial submission with netfilter devs: DONE

Work items for 13.04:
Ping JP about using nfacct instead of qtaguid: DONE
Resend v2 of patches to lkml: DONE
Get quick internal review: DONE

Work items for 13.05:
Integrate feedback from maintainers into patches: INPROGRESS
Resend v3 of the patches to lkml: TODO
