    [connman] Improve firewall iptables rule parsing. JB#43924 · 9931c170
    Jussi Laakkonen authored
    This commit implements a better parser for all the supported iptables
    rule (match) options. Moved the content of iptables rule validation from
    firewall.c into iptables-validate.c. With this change the iptables rule
    validation can be used with other functionality as well. For example, with
    sailfish_iptables_ext.c.
    
    Each match option also has to have a proper protocol and match set.
    Protocols are also checked using their int representation.
    
    A hash table based approach is used in checking whether the given option
    in iptables rule can be used with the specified match or protocol. The
    hash table containing the iptables_type_option structs is initialized at
    iptables-validate.c init and destroyed at cleanup. The options are
    searched with the given protocol and match (that are processed first) to
    reduce search times. SCTP, DCCP and MH matches (-m) are not currently
    working with iptables.c so options for these are disabled.
    
    Some, such as TCP, DCCP and multiport, require checking from two separate
    categories, as the match (in the case of DCCP, the protocol) also supports
    key "port" options in addition to its own options.
    
    Options for iptables matches that are processed:
     - tcp
     - mark
     - conntrack (address switches not supported)
     - ttl
     - pkttype
     - limit
     - helper (no parsing as iptables does not care about value)
     - enc
     - ah
     - esp
     - mh (match -m mh does not work in connman, ignored)
     - sctp (match -m sctp does not work in connman, ignored)
     - icmp
     - icmpv6 && ipv6-icmp
     - dccp
    
    Added helpers for checking protocols (get_protocol_protoent()), checking
    input parameter ranges of options (is_valid_range()), and checking whether
    the parameter sequence matches the criteria (is_valid_param_sequence()).
    This makes the code more readable.
    
    Tests for iptables rule options are also added. All accepted options are
    checked, and the tests also attempt to use invalid options.
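The validation approach the commit message describes, a table of type/option pairs searched by the rule's match or protocol, with TCP and DCCP also drawing on the shared "port" options and an is_valid_range() check on port values, as an added C example that is not connman's own code. The table contents, the uses_port_options() helper and the 0..65535 port bounds are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
/* Constructed table (not connman's own): option allowed only for the listed
 * match/protocol; "port" is the shared category tcp, udp, dccp, multiport add. */
struct type_option { const char *type, *option; bool takes_range; };
static const struct type_option table[] = {
    { "port", "--dport",     true  },
    { "port", "--sport",     true  },
    { "tcp",  "--tcp-flags", false },
    { "mark", "--mark",      false },
    { "icmp", "--icmp-type", false },
};

static bool uses_port_options(const char *type)
{
    return !strcmp(type, "tcp") || !strcmp(type, "udp") ||
           !strcmp(type, "dccp") || !strcmp(type, "multiport");
}

/* Accept "n" or "lo:hi" within [min,max]; any trailing text is rejected. */
bool is_valid_range(const char *value, long min, long max)
{
    char *end;
    long lo = strtol(value, &end, 10), hi = lo;
    if (end == value || lo < min || lo > max) return false;
    if (*end == ':') {
        const char *p = end + 1;
        hi = strtol(p, &end, 10);
        if (end == p || hi < lo || hi > max) return false;
    }
    return *end == '\0';
}

/* An explicit match (-m) decides the option set; without one the protocol (-p) does. */
bool option_allowed(const char *protocol, const char *match,
                    const char *option, const char *value)
{
    const char *type = match ? match : protocol;
    if (!type || !option) return false;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        const struct type_option *o = &table[i];
        bool type_ok = !strcmp(o->type, type) ||
                       (!strcmp(o->type, "port") && uses_port_options(type));
        if (type_ok && !strcmp(o->option, option))
            return !o->takes_range || (value && is_valid_range(value, 0, 65535));
    }
    return false;
}
```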