• Jussi Laakkonen's avatar
    [connman] Add service specific dynamic iptables rules. JB#42675 · 5864fb03
    Jussi Laakkonen authored
    This commit changes the service type based dynamic rules to be service
    identifier specific. Each service can have own ruleset, that is based on
    the iptables rules set for the service type in firewall.conf.
    All services of the same type have identical rules from the configuration.
    The main reason of this is to accommodate the requirement of having two
    simultaneous connections of same type to be online at the same time.
    When a service is being connected for the first time a deep clone of the
    firewall rule set for the service type is created. This firewall rule
    set is removed from the internal current_dynamic_rules only when the
    service is removed. When the service is disconnected the rules are
    only removed from iptables, they remain in the firewall context of the
    service for later use. The firewall rule id will be kept the same if the
    firewall rule set is reused. Only thing that can change is the interface
    to be used with the rule.
    For an easier (and faster) check of whether the firewall is enabled a
    new bool value is added to struct firewall_context. This is enabled when
    firewall rules are added without error and id FW_ALL_RULES is given. It
    is faster to check from this instead of going through all the rules
    without any change to them if they are already enabled/disabled.
    Added checks if the rules is valid UTF8 (if not, ignore). If the rule
    starts with # character the rule is interpreted as commented out and is
    not added. Rule must add with a '-' character as required by iptables,
    otherwise the rule is ignored.
firewall.c 48.1 KB