Merge changes I6025abba,I7788a6bb,I4fe381a2,Ib1ee183e,Ifb8843aa, ...

* changes:
  gn2bp: create one action per arch
  gn2bp: support multiple jni registration modules
  gn2bp: get rid of local_include_dir hacks
  gn2bp: remove jni_headers from jni_generator genrule
  gn2bp: add common header dependencies to defaults
  gn2bp: unconditionally remove -DANDROID for all host targets
diff --git a/bpf_progs/clatd.c b/bpf_progs/clatd.c
index b8c6131..22726ac 100644
--- a/bpf_progs/clatd.c
+++ b/bpf_progs/clatd.c
@@ -111,8 +111,8 @@
             return TC_ACT_PIPE;
         const struct frag_hdr *frag = (const struct frag_hdr *)(ip6 + 1);
         proto = frag->nexthdr;
-        // Trivial hash of 32-bit IPv6 ID field into 16-bit IPv4 field.
-        ip_id = (frag->identification) ^ (frag->identification >> 16);
+        // Per RFC6145 use bottom 16-bits of 32-bit IPv6 ID field for 16-bit IPv4 field.
+        ip_id = frag->identification;
         // Conversion of 16-bit IPv6 frag offset to 16-bit IPv4 frag offset field.
         // IPv6 is '13 bits of offset in multiples of 8' + 2 zero bits + more fragment bit
         // IPv4 is zero bit + don't frag bit + more frag bit + '13 bits of offset in multiples of 8'
diff --git a/bpf_progs/netd.c b/bpf_progs/netd.c
index f9484fc..4cbd751 100644
--- a/bpf_progs/netd.c
+++ b/bpf_progs/netd.c
@@ -79,6 +79,9 @@
 // only valid indexes are [0..CONFIGURATION_MAP_SIZE-1]
 DEFINE_BPF_MAP_RO_NETD(configuration_map, ARRAY, uint32_t, uint32_t, CONFIGURATION_MAP_SIZE)
 
+// TODO: consider whether we can merge some of these maps
+// for example it might be possible to merge 2 or 3 of:
+//   uid_counterset_map + uid_owner_map + uid_permission_map
 DEFINE_BPF_MAP_RW_NETD(cookie_tag_map, HASH, uint64_t, UidTagValue, COOKIE_UID_MAP_SIZE)
 DEFINE_BPF_MAP_NO_NETD(uid_counterset_map, HASH, uint32_t, uint8_t, UID_COUNTERSET_MAP_SIZE)
 DEFINE_BPF_MAP_NO_NETD(app_uid_stats_map, HASH, uint32_t, StatsValue, APP_STATS_MAP_SIZE)
@@ -198,6 +201,7 @@
 }
 
 static __always_inline inline bool skip_owner_match(struct __sk_buff* skb, bool is_4_19) {
+    uint32_t flag = 0;
     if (skb->protocol == htons(ETH_P_IP)) {
         uint8_t proto;
         // no need to check for success, proto will be zeroed if bpf_skb_load_bytes_net() fails
@@ -211,24 +215,22 @@
         // field will also fail, and that failure we already handle correctly
         // (we also don't check that ihl in [0x45,0x4F] nor that ipv4 header checksum is correct)
         (void)bpf_skb_load_bytes_net(skb, IPPROTO_IHL_OFF, &ihl, sizeof(ihl), is_4_19);
-        uint32_t flag;
         // if the read below fails, we'll just assume no TCP flags are set, which is fine.
         (void)bpf_skb_load_bytes_net(skb, (ihl & 0xF) * 4 + TCP_FLAG32_OFF,
                                      &flag, sizeof(flag), is_4_19);
-        return flag & TCP_FLAG_RST;  // false on read failure
     } else if (skb->protocol == htons(ETH_P_IPV6)) {
         uint8_t proto;
         // no need to check for success, proto will be zeroed if bpf_skb_load_bytes_net() fails
         (void)bpf_skb_load_bytes_net(skb, IPV6_PROTO_OFF, &proto, sizeof(proto), is_4_19);
         if (proto == IPPROTO_ESP) return true;
         if (proto != IPPROTO_TCP) return false;  // handles read failure above
-        uint32_t flag;
         // if the read below fails, we'll just assume no TCP flags are set, which is fine.
         (void)bpf_skb_load_bytes_net(skb, sizeof(struct ipv6hdr) + TCP_FLAG32_OFF,
                                      &flag, sizeof(flag), is_4_19);
-        return flag & TCP_FLAG_RST;  // false on read failure
+    } else {
+        return false;
     }
-    return false;
+    return flag & TCP_FLAG_RST;  // false on read failure
 }
 
 static __always_inline inline BpfConfig getConfig(uint32_t configKey) {