The commit fixed the issue when a port with index 0 adding to a allow rule

will be mistakenly regarded as wild-card rule, so even a packet from a
diffrent port will be allowed passing by mistake. There are 2 changes in
this commit:
- update the iptables submodule pointing to the latest code base so interface
  parameter can be supported
- change the wild-card index from 0 to 0xffff for pcn-iptables service because
  id 0 could be conflicting with a regular port, and recover the original failed
  test case.

Signed-off-by: Jianwen Pi<jianwpi@gmail.com>

Author: goldenrye

src/components/iptables/iptables

@@ -88,6 +88,9 @@ class BaseCube : virtual public BaseCubeIface {
  protected:
   static const int _POLYCUBE_MAX_BPF_PROGRAMS = 64;
   static const int _POLYCUBE_MAX_PORTS = 128;
+  static_assert(_POLYCUBE_MAX_PORTS <= 0xffff,
+          "_POLYCUBE_MAX_PORTS shouldn't be great than 0xffff, "
+          "id 0xffff was used by iptables wild card index");
   static std::vector<std::string> cflags;
 
   virtual int load(ebpf::BPF &bpf, ProgramType type) = 0;

src/polycubed/src/base_cube.h

@@ -523,7 +523,7 @@ bool Chain::interfaceFromRulesToMap(
   if (interfaces.size() != 0 && dont_care_rules.size() != 0) {
     std::vector<uint64_t> bitVector(
         FROM_NRULES_TO_NELEMENTS(Iptables::max_rules_));
-    interfaces.insert(std::pair<uint16_t, std::vector<uint64_t>>(0, bitVector));
+    interfaces.insert(std::pair<uint16_t, std::vector<uint64_t>>(0xffff, bitVector));
     for (auto const &ruleNumber : dont_care_rules) {
       for (auto &interface : interfaces) {
         SET_BIT((interface.second)[ruleNumber / 63], ruleNumber % 63);

src/services/pcn-iptables/src/Utils.cpp

@@ -41,7 +41,7 @@ Iptables::InterfaceLookup::InterfaceLookup(
                             : ProgramType::INGRESS) {
   this->type_ = type;
 
-  auto it = ports.find(0);
+  auto it = ports.find(0xffff);
   if (it == ports.end()) {
     wildcard_rule_ = false;
     wildcard_string_ = "";