    [connman] Add dynamic and general firewall rule processing. JB#42675 · ff57f580
    Jussi Laakkonen authored
    This commit introduces support for general and dynamic firewall rules.
    The rules are read from CONFDIR/firewall.conf. Additional configurations
    are also supported, which must be put into CONFIGDIR/firewall.d/ and each
    has to have the "firewall.conf" suffix, e.g., 10-devmode-firewall.conf.
    
    The rules in the configuration files are added to the specified
    technology type rules or to general rules. The last config in the
    directory can override the "General" section default policies for INPUT,
    OUTPUT and FORWARD chains of filter table.
    
    Managed chains are used so changes to content of filter table chains
    INPUT, FORWARD, OUTPUT (neither for IPv4 nor IPv6) are not done, except
    for the policy. The format of the rules is the same as with iptables
    rules, with exceptions detailed later in this message. The chain name
    and policy name can be omitted in the config file.
    
    Rules can be defined for IPv4 chains using INPUT, OUTPUT and FORWARD
    keys in the config file. Rules for IPv6 chains can be set using
    INPUT_IPv6, OUTPUT_IPv6 and FORWARD_IPv6. Default filter table policies
    can be set only in General section and follow similar naming. IPv4
    iptables default policies are set with keys that have a suffix "_POLICY"
    added to the chain name. With IPv6 ip6tables policies the suffix is
    "_POLICY_IPv6".
    
    There can be general rules that are added to managed chains using
    firewall.c functionality at firewall initialization and cleared at
    firewall cleanup. General rules include defining policies for the default
    filter table chains. The general rules section format (rules are
    separated with semicolon ";" because comma "," is a separator for ports
    in iptables rules):
    
    INPUT = -p tcp -m tcp --dport 22 -j ACCEPT; -p udp -m udp -j ACCEPT
    INPUT_IPv6 = -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    FORWARD =
    OUTPUT = -p tcp -m multiport --sports 1024:65000 -j ACCEPT
    INPUT_POLICY = DROP
    OUTPUT_POLICY = ACCEPT
    FORWARD_POLICY = ACCEPT
    INPUT_POLICY_IPv6 = ACCEPT
    
    After ConnMan is shut down the policies on each default chain in filter
    table are being set to ACCEPT. By adding the rules via firewall.c the
    managed tables are also cleared at shutdown.
    
    Each technology connman supports can have its own dynamic rules set in the
    same firewall.conf file. These rules are enabled and disabled when a
    service comes up (READY, CONNECTED) or goes down (DISCONNECT, FAILURE,
    IDLE) and the interface the service is using is applied into the rule.
    The format for the dynamic rules is the same, for example cellular:
    
    INPUT = -p tcp -m multiport --dports 1:1024 -j DROP
    OUTPUT = -p udp -m udp --dport 23 -j DROP; -p tcp -j ACCEPT
    INPUT_IPv6 = -p tcp -m ssh -j ACCEPT; -p udp -m udp -j DROP
    
    In chain INPUT -i <interface> is added, in chain FORWARD -o <interface>
    is added and in chain OUTPUT -o <interface> is added. For this
    particular reason -i and -o switches are forbidden in the rules.
    
    The following switches (and their longer equivalents) are not allowed in
    rules (rules having one of these are ignored):
     - Chain management switches (-A, -D, -X, -F, -I, -P, -E, -R, -Z)
     - Interface definitions (-i, -o), except for group General
     - IP address switches (-s, -d, --to-destination, --from-destination)
     - State modifiers -m comment and -m state (and -m conntrack with IPv6)
    
    All regular targets (ACCEPT, DROP, REJECT, LOG, QUEUE) are allowed. In
    these rules adding chains is not allowed so additional targets cannot be
    used, hence the managed tables.
    
    The protocols defined in iptables manual pages are allowed: tcp, udp,
    udplite, icmp, icmpv6, ipv6-icmp, esp, ah, sctp, mh and the special
    keyword all.
    
    If -m multiport switch is used it has to have some of the default port
    switches. If a port switch is used port numbers can be used or service
    names. Ports have to be separated with commas (set) or semicolons
    (range) as iptables rules format defines.
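As an added example (not code from ConnMan, this commit, or firewall.c), the following Python checker parses a firewall.conf in the format the commit message describes, discards the rules the message says are ignored (chain management switches, -i/-o outside [General], -s/-d and address switches, -m comment/state, -m conntrack on IPv6 keys, -m multiport without a port switch, unsupported protocols and targets, *_POLICY keys outside [General]) and renders the surviving rules as iptables/ip6tables invocations, with -i added on INPUT and -o on FORWARD and OUTPUT for a technology section. The managed chain names (connman-INPUT and so on), the accepted policy values (ACCEPT/DROP), the "-m conntrack on IPv6" exclusion being applied literally as listed, and the sample config are assumptions of this example, not taken from the project.

```python
# Added example, not ConnMan/firewall.c code: parse a firewall.conf in the format
# the commit describes, drop the rules it says are ignored, render the rest.
import configparser
import shlex

CHAINS = ("INPUT", "OUTPUT", "FORWARD")
MANAGED = {c: "connman-" + c for c in CHAINS}  # assumed managed chain names
POLICIES = {"ACCEPT", "DROP"}                   # assumed valid default policies
TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "QUEUE"}
PROTOS = {"tcp", "udp", "udplite", "icmp", "icmpv6", "ipv6-icmp", "esp", "ah", "sctp", "mh", "all"}
FORBIDDEN = {  # switches the message lists as not allowed, short and long forms
    "-A", "--append", "-D", "--delete", "-X", "--delete-chain", "-F", "--flush",
    "-I", "--insert", "-P", "--policy", "-E", "--rename-chain", "-R", "--replace",
    "-Z", "--zero", "-s", "--source", "--src", "-d", "--destination", "--dst",
    "--to-destination", "--from-destination"}
IFACE = {"-i", "--in-interface", "-o", "--out-interface"}  # allowed in General only
BAD_MATCH = {"comment", "state"}                           # plus conntrack on IPv6
PORTS = {"--sport", "--sports", "--dport", "--dports", "--ports"}  # multiport needs one

def classify_key(key):
    # INPUT, INPUT_IPv6, INPUT_POLICY, INPUT_POLICY_IPv6 -> (chain, ipv6, is_policy)
    ipv6 = key.endswith("_IPv6")
    base = key[:-5] if ipv6 else key
    is_policy = base.endswith("_POLICY")
    chain = base[:-7] if is_policy else base
    return (chain, ipv6, is_policy) if chain in CHAINS else None

def validate_rule(tokens, section, ipv6):
    # None if the rule may be loaded, otherwise the reason it is ignored.
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok in FORBIDDEN or (tok in IFACE and section != "General"):
            return "forbidden switch %s in [%s]" % (tok, section)
        if tok == "-m":
            if nxt in BAD_MATCH or (ipv6 and nxt == "conntrack"):
                return "forbidden match -m %s" % nxt
            if nxt == "multiport" and not PORTS.intersection(tokens):
                return "-m multiport without a port switch"
        if (tok in ("-p", "--protocol") and nxt not in PROTOS) or \
           (tok in ("-j", "--jump") and nxt not in TARGETS):
            return "unsupported %s %s" % (tok, nxt)
    return None

def parse_firewall_conf(text):
    # Per section: rules [(chain, ipv6, tokens)], policies {(chain, ipv6): p}, ignored [(what, why)]
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: INPUT_IPv6 must not become input_ipv6
    cp.read_string(text)
    result = {}
    for section in cp.sections():
        entry = {"rules": [], "policies": {}, "ignored": []}
        for key, value in cp.items(section):
            kind = classify_key(key)
            if kind is None:
                entry["ignored"].append((key, "unknown key"))
            elif kind[2]:  # *_POLICY keys are honoured in General only
                if section == "General" and value.strip() in POLICIES:
                    entry["policies"][kind[:2]] = value.strip()
                else:
                    entry["ignored"].append((key, "policy only valid in General"))
            else:
                for raw in value.split(";"):  # ";" separates rules, "," is for ports
                    tokens = shlex.split(raw)
                    why = tokens and validate_rule(tokens, section, kind[1])  # [] if empty
                    if why:
                        entry["ignored"].append((raw.strip(), why))
                    elif tokens:
                        entry["rules"].append((kind[0], kind[1], tokens))
        result[section] = entry
    return result

def render(conf, section, interface=None):
    cmds = []
    for (chain, ipv6), policy in sorted(conf[section]["policies"].items()):
        cmds.append("%s -P %s %s" % ("ip6tables" if ipv6 else "iptables", chain, policy))
    for chain, ipv6, tokens in conf[section]["rules"]:
        parts = ["ip6tables" if ipv6 else "iptables", "-A", MANAGED[chain]]
        if interface is not None:  # -i on INPUT, -o on FORWARD and OUTPUT
            parts += ["-i" if chain == "INPUT" else "-o", interface]
        cmds.append(" ".join(parts + tokens))
    return cmds

# Constructed sample: the commit's examples plus rules that must be ignored.
SAMPLE_CONF = """\
[General]
INPUT = -p tcp -m tcp --dport 22 -j ACCEPT; -p udp -m udp -j ACCEPT
OUTPUT = -p tcp -m multiport --sports 1024:65000 -j ACCEPT
INPUT_POLICY = DROP
INPUT_POLICY_IPv6 = ACCEPT
[cellular]
INPUT = -p tcp -m multiport --dports 1:1024 -j DROP
OUTPUT = -p udp -m udp --dport 23 -j DROP; -p tcp -j ACCEPT
INPUT_IPv6 = -p tcp -m ssh -j ACCEPT; -p udp -m udp -j DROP
FORWARD = -i eth0 -j ACCEPT; -s 10.0.0.0/8 -j DROP; -m multiport -j DROP
OUTPUT_IPv6 = -m conntrack --ctstate ESTABLISHED -j ACCEPT
INPUT_POLICY = DROP
"""

if __name__ == "__main__":
    conf = parse_firewall_conf(SAMPLE_CONF)
    print("\n".join(render(conf, "General") + render(conf, "cellular", "rmnet0")))
```

Running the module prints the General commands (two -P policies plus three rules appended to the assumed managed chains) followed by the cellular commands with -i rmnet0 or -o rmnet0 inserted; the four FORWARD/OUTPUT_IPv6 rules and the INPUT_POLICY key in [cellular] land in that section's "ignored" list with the reason. The checker only enforces what the message states, so an unknown match like "-m ssh" passes through exactly as the message's own example does.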