Commit 113f670c authored by Jussi Laakkonen's avatar Jussi Laakkonen

[connman] Sailfish iptables API support. Contributes to JB#39338

Adds support for managing iptables content via ConnMan. The header to
include: iptables_ext.h, which is installed as part of devel package.

Functionalities implemented for plugins to use:
 - Chain management (new, delete, flush, find)
 - Iptables rule management (insert, append, delete)
 - Commit iptables changes
 - Change iptables policy
 - Save, load and clear iptables
    - Each table is saved to STORAREDIR/iptables/{tablename}.v4
    - Saving is done by connman at startup/shutdown.
    - Saving of iptables feature is adapted from iptables source.
 - Get iptables content

These functionalities do not restrict use to any specific iptables table; the only restriction is that chains or targets whose name contains "connman-" cannot be used.

Upgrade iptables' xtables library build requirement to >= 1.6.1.

Upgrade iptables install requirement to >= 1.6.1.
parent d9fb714c
......@@ -72,6 +72,7 @@ unit/test-access
unit/test-sailfish_access
unit/test-sailfish_wakeup_timer
unit/test-vpn-settings
unit/test-sailfish_iptables_ext
*.gcda
*.gcno
......
......@@ -12,10 +12,11 @@ include_HEADERS = include/log.h include/plugin.h \
include/storage.h include/provision.h \
include/session.h include/ipaddress.h include/agent.h \
include/inotify.h include/peer.h include/machine.h \
include/technology.h
include/technology.h include/iptables_ext.h \
include/dbus.h gdbus/gdbus.h
if VPN
include_HEADERS += include/task.h include/dbus.h include/setting.h \
include_HEADERS += include/task.h include/setting.h \
include/vpn-dbus.h
nobase_include_HEADERS = vpn/vpn-provider.h vpn/vpn-agent.h \
vpn/plugins/vpn.h
......@@ -134,11 +135,12 @@ src_connmand_SOURCES = $(gdhcp_sources) $(gweb_sources) $(backtrace_sources) \
src/inotify.c src/firewall.c src/ipv6pd.c src/peer.c \
src/peer_service.c src/machine.c src/util.c \
src/wakeup_timer.c src/jolla-stats.c src/fsid.c \
src/access.c vpn/vpn-settings.c
src/access.c vpn/vpn-settings.c \
src/sailfish_iptables_ext.c
src_connmand_LDADD = gdbus/libgdbus-internal.la $(builtin_libadd) \
@GLIB_LIBS@ @DBUS_LIBS@ @XTABLES_LIBS@ @GNUTLS_LIBS@ \
@IPHB_LIBS@ -lresolv -ldl -lrt
@IPHB_LIBS@ @LIBIPTC_LIBS@ -lresolv -ldl -lrt
src_connmand_LDFLAGS = -Wl,--export-dynamic \
-Wl,--version-script=$(srcdir)/src/connman.ver
......@@ -284,7 +286,8 @@ client_connmanctl_LDADD = gdbus/libgdbus-internal.la @DBUS_LIBS@ @GLIB_LIBS@ \
endif
noinst_PROGRAMS += unit/test-access unit/test-dnsproxy unit/test-ippool \
unit/test-sailfish_access unit/test-vpn-settings
unit/test-sailfish_access unit/test-vpn-settings \
unit/test-sailfish_iptables_ext
if TEST_COVERAGE
COVERAGE_OPT = --coverage
......@@ -318,8 +321,18 @@ unit_test_vpn_settings_SOURCES = $(backtrace_sources) unit/test-vpn-settings.c \
vpn/vpn-settings.c src/log.c
unit_test_vpn_settings_LDADD = @GLIB_LIBS@ -ldl
unit_test_sailfish_iptables_ext_CFLAGS = $(COVERAGE_OPT) $(AM_CFLAGS) @DBUS_CFLAGS@
unit_test_sailfish_iptables_ext_SOURCES = $(backtrace_sources) \
unit/test-sailfish_iptables_ext.c \
src/log.c src/storage.c src/inotify.c \
src/iptables.c src/firewall.c \
src/sailfish_iptables_ext.c
unit_test_sailfish_iptables_ext_LDADD = @GLIB_LIBS@ @XTABLES_LIBS@ \
@LIBIPTC_LIBS@ @DBUS_LIBS@ -ldl
TESTS = unit/test-access unit/test-ippool unit/test-dnsproxy \
unit/test-sailfish_access unit/test-vpn-settings
unit/test-sailfish_access unit/test-vpn-settings \
unit/test-sailfish_iptables_ext
if SAILFISH_WAKEUP_TIMER
unit_test_sailfish_wakeup_timer_CFLAGS = $(COVERAGE_OPT) $(AM_CFLAGS)
......@@ -378,8 +391,10 @@ tools_dbus_test_LDADD = gdbus/libgdbus-internal.la @GLIB_LIBS@ @DBUS_LIBS@
tools_polkit_test_LDADD = @DBUS_LIBS@
tools_iptables_test_SOURCES = $(backtrace_sources) src/log.c src/iptables.c tools/iptables-test.c
tools_iptables_test_LDADD = @GLIB_LIBS@ @XTABLES_LIBS@ -ldl
tools_iptables_test_CFLAGS = -DDEFAULT_STORAGE_ROOT=\""$(storageroot)\"" @DBUS_CFLAGS@
tools_iptables_test_SOURCES = $(backtrace_sources) src/log.c src/storage.c \
src/inotify.c src/iptables.c tools/iptables-test.c
tools_iptables_test_LDADD = @GLIB_LIBS@ @XTABLES_LIBS@ @LIBIPTC_LIBS@ @DBUS_LIBS@ -ldl
tools_private_network_test_LDADD = @GLIB_LIBS@ @DBUS_LIBS@
......@@ -390,11 +405,13 @@ tools_session_test_LDADD = gdbus/libgdbus-internal.la \
@GLIB_LIBS@ @DBUS_LIBS@ -ldl
tools_iptables_unit_CFLAGS = @DBUS_CFLAGS@ @GLIB_CFLAGS@ @XTABLES_CFLAGS@ \
-DIPTABLES_SAVE=\""${IPTABLES_SAVE}"\"
tools_iptables_unit_SOURCES = $(backtrace_sources) src/log.c \
src/iptables.c src/firewall.c src/nat.c tools/iptables-unit.c
-DIPTABLES_SAVE=\""${IPTABLES_SAVE}"\" \
-DDEFAULT_STORAGE_ROOT=\""$(storageroot)\""
tools_iptables_unit_SOURCES = $(backtrace_sources) src/log.c src/storage.c \
src/inotify.c src/iptables.c src/firewall.c \
src/nat.c tools/iptables-unit.c
tools_iptables_unit_LDADD = gdbus/libgdbus-internal.la \
@GLIB_LIBS@ @DBUS_LIBS@ @XTABLES_LIBS@ -ldl
@GLIB_LIBS@ @DBUS_LIBS@ @XTABLES_LIBS@ @LIBIPTC_LIBS@ -ldl
tools_dnsproxy_test_SOURCES = tools/dnsproxy-test.c
tools_dnsproxy_test_LDADD = @GLIB_LIBS@
......@@ -556,6 +573,10 @@ include/connman/%.h: $(abs_top_srcdir)/include/%.h
$(AM_V_at)$(MKDIR_P) include/connman
$(AM_V_GEN)$(LN_S) $< $@
include/connman/gdbus.h: $(abs_top_srcdir)/gdbus/gdbus.h
$(AM_V_at)$(MKDIR_P) include/connman
$(AM_V_GEN)$(LN_S) $< $@
include/connman/vpn/%.h: $(abs_top_srcdir)/vpn/%.h
$(AM_V_at)$(MKDIR_P) include/connman/vpn
$(AM_V_GEN)$(LN_S) $< $@
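Review bot: Adding `unit/test-sailfish_iptables_ext` to `TESTS` while its sources pull in `src/iptables.c` and `src/firewall.c` linked against `@LIBIPTC_LIBS@` means `make check` may execute code that opens the kernel's netfilter tables, which needs CAP_NET_ADMIN and, when run as root on a build host, can alter that host's live firewall. The test itself is collapsed in this view, so confirm it stubs or avoids the libiptc calls, or skips itself when it is not running unprivileged inside a throwaway netns. The `include_HEADERS` block now also installs `include/dbus.h` and `gdbus/gdbus.h` for every build rather than only `if VPN`; if that is intentional for plugin consumers of the new API, a one-line comment there (`# dbus.h/gdbus.h are public for iptables_ext plugins`) would stop the next reader from moving them back.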
......
......@@ -107,6 +107,11 @@ CONNMAN_SERVICE_AFTER="dbus.socket oneshot-root.service"
AC_SUBST(CONNMAN_SERVICE_REQUIRES)
AC_SUBST(CONNMAN_SERVICE_AFTER)
PKG_CHECK_MODULES(LIBIPTC, libiptc >= 0.27.1, dummy=yes,
AC_MSG_ERROR(Libiptc library is required))
AC_SUBST(LIBIPTC_CFLAGS)
AC_SUBST(LIBIPTC_LIBS)
AC_ARG_WITH(openconnect, AC_HELP_STRING([--with-openconnect=PROGRAM],
[specify location of openconnect binary]), [path_openconnect=${withval}])
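Review bot: The new `PKG_CHECK_MODULES(LIBIPTC, libiptc >= 0.27.1, ...)` is the only version floor added here, while the commit description says the xtables build requirement is raised to >= 1.6.1; the existing xtables check is outside this hunk, so confirm it was bumped too, otherwise only the RPM spec enforces the floor and a plain configure build against an older iptables passes configure and fails later. libiptc's pkg-config version normally tracks the iptables release, so `PKG_CHECK_MODULES(LIBIPTC, libiptc >= 1.6.1, dummy=yes,` would likely express the intended floor more directly than 0.27.1 — worth verifying against the target iptables-devel package.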
......
/*
*
* Connection Manager wrapper to expose iptables functions for SailfishOS MDM.
*
* Copyright (C) 2017-2018 Jolla Ltd. All rights reserved.
* Contact: Jussi Laakkonen <jussi.laakkonen@jolla.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
#ifndef _CONNMAN_IPTABLES_EXTENSION_H
#define _CONNMAN_IPTABLES_EXTENSION_H
#include <glib.h>
#ifdef __cplusplus
extern "C" {
#endif
struct iptables_content {
gchar *table;
GList *chains;
GList *rules;
};
int connman_iptables_new_chain(const char *table_name,
const char *chain);
int connman_iptables_delete_chain(const char *table_name,
const char *chain);
int connman_iptables_flush_chain(const char *table_name,
const char *chain);
int connman_iptables_find_chain(const char *table_name,
const char *chain);
int connman_iptables_insert(const char *table_name,
const char *chain,
const char *rule_spec);
int connman_iptables_append(const char *table_name,
const char *chain,
const char *rule_spec);
int connman_iptables_delete(const char *table_name,
const char *chain,
const char *rule_spec);
int connman_iptables_commit(const char *table_name);
int connman_iptables_change_policy(const char *table_name,
const char *chain,
const char *policy);
int connman_iptables_clear(const char *table_name);
const char* connman_iptables_default_save_path(int ip_version);
struct iptables_content* connman_iptables_get_content(const char *table_name);
void connman_iptables_free_content(struct iptables_content *content);
#ifdef __cplusplus
}
#endif
#endif /* _CONNMAN_IPTABLES_EXTENSION_H */
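Review bot: This public header exposes a root-privileged firewall API to plugins but documents none of its contract: what the functions return (the iptables.c side of this commit uses 0 on success and a negative errno such as -EINVAL/-ENOENT), that rule changes take effect only after `connman_iptables_commit()`, that chain/target names containing "connman-" are rejected per the commit description, which values `ip_version` accepts in `connman_iptables_default_save_path()`, and that the `table`, `chains` and `rules` members of `struct iptables_content` belong to the returned object and are released by `connman_iptables_free_content()`. I would add a block comment above the first prototype, e.g. `/* All functions return 0 on success or a negative errno. Chains and targets whose name contains "connman-" are reserved and rejected. Changes are applied only by connman_iptables_commit(). */`, plus a one-line comment on `struct iptables_content` naming the element type of `chains` and `rules` (strings, presumably — confirm). `rule_spec` also deserves a sentence on its expected syntax (iptables command-line style, if that is what the parser consumes), since it is the string plugins hand straight to the rule parser.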
......@@ -954,6 +954,8 @@ int __connman_iptables_delete_chain(const char *table_name,
const char *chain);
int __connman_iptables_flush_chain(const char *table_name,
const char *chain);
int __connman_iptables_find_chain(const char *table_name,
const char *chain);
int __connman_iptables_change_policy(const char *table_name,
const char *chain,
const char *policy);
......@@ -966,6 +968,9 @@ int __connman_iptables_insert(const char *table_name,
int __connman_iptables_delete(const char *table_name,
const char *chain,
const char *rule_spec);
int __connman_iptables_restore_all();
int __connman_iptables_save_all();
typedef void (*connman_iptables_iterate_chains_cb_t) (const char *chain_name,
void *user_data);
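Review bot: `int __connman_iptables_restore_all();` and `int __connman_iptables_save_all();` are declared with empty parentheses, which in C is an old-style declaration with unchecked arguments rather than a prototype; the surrounding declarations in this header all use full prototypes. Write `int __connman_iptables_restore_all(void);` and `int __connman_iptables_save_all(void);`, and match the definitions, which also keeps -Wstrict-prototypes quiet.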
......
......@@ -2201,6 +2201,23 @@ int __connman_iptables_flush_chain(const char *table_name,
return iptables_flush_chain(table, chain);
}
int __connman_iptables_find_chain(const char *table_name,
const char *chain)
{
struct connman_iptables *table;
DBG("-t %s -F %s", table_name, chain);
table = get_table(table_name);
if (!table)
return -EINVAL;
if(!find_chain_head(table, chain))
return -ENOENT; // Not Found
return 0; // Found
}
int __connman_iptables_change_policy(const char *table_name,
const char *chain,
const char *policy)
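Review bot: The trace in the new `__connman_iptables_find_chain()` prints `-F`, the flush flag of the function it was evidently copied from, so a lookup logs as a flush; change it to reflect the operation, e.g. `DBG("-t %s find chain %s", table_name, chain);`. The `// Not Found` and `// Found` comments are C++ style and `if(!find_chain_head(...))` drops the space the neighbouring `if (!table)` uses, so `/* not found */` and `if (!find_chain_head(table, chain))` would match the file. Whether `find_chain_head()` tolerates a NULL `chain` is not visible here; if it does not, an `if (!chain) return -EINVAL;` guard before the lookup keeps this entry point safe for plugin callers. `__connman_iptables_change_policy` starts at the end of the hunk and continues past it.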
......
......@@ -45,6 +45,7 @@
#endif
#include "connman.h"
#include "iptables_ext.h"
#define DEFAULT_INPUT_REQUEST_TIMEOUT (120 * 1000)
#define DEFAULT_BROWSER_LAUNCH_TIMEOUT (300 * 1000)
......@@ -848,6 +849,7 @@ int main(int argc, char *argv[])
__connman_ippool_init();
__connman_iptables_init();
__connman_iptables_restore_all();
__connman_firewall_init();
__connman_nat_init();
__connman_tethering_init();
......@@ -910,6 +912,8 @@ int main(int argc, char *argv[])
__connman_rtnl_cleanup();
__connman_resolver_cleanup();
__connman_iptables_save_all();
__connman_clock_cleanup();
__connman_stats_cleanup();
__connman_config_cleanup();
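Review bot: main() discards the int results of `__connman_iptables_restore_all()` and `__connman_iptables_save_all()`, so a failed or partial restore (missing, unreadable or malformed STORAGEDIR/iptables/*.v4 file) leaves the kernel tables in whatever intermediate state the loader reached, with nothing reported from this call site; capture and log them, e.g. `err = __connman_iptables_restore_all(); if (err < 0) connman_error("iptables restore failed: %s", strerror(-err));` (the return convention is not visible here — adjust to match). Because connmand runs as root and applies these files to the live firewall at every boot, the loader should refuse files in that directory that are not owned by root or are group/world-writable; the loader is collapsed in this view, so please confirm. The `#include "iptables_ext.h"` added to main.c looks unused by these hunks, since both calls go through the `__connman_` prototypes in connman.h — drop it unless something else in main.c needs it. main() starts and ends outside these hunks.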
......
......@@ -13,6 +13,7 @@ Requires: ofono
Requires: pacrunner
Requires: connman-configs
Requires: systemd
Requires: iptables >= 1.6.1
Requires: libgofono >= 2.0.0
Requires: libglibutil >= 1.0.21
Requires: libdbusaccess >= 1.0.2
......@@ -20,7 +21,8 @@ Requires: libgsupplicant >= 1.0.4
Requires(preun): systemd
Requires(post): systemd
Requires(postun): systemd
BuildRequires: pkgconfig(xtables)
BuildRequires: pkgconfig(xtables) >= 1.6.1
BuildRequires: pkgconfig(libiptc)
BuildRequires: pkgconfig(glib-2.0) >= 2.28
BuildRequires: pkgconfig(gthread-2.0) >= 2.16
BuildRequires: pkgconfig(dbus-1) >= 1.4
......@@ -126,6 +128,7 @@ Documentation for connman.
--with-systemdunitdir=/%{_lib}/systemd/system \
--enable-systemd \
--with-tmpfilesdir=%{_libdir}/tmpfiles.d
make %{?_smp_mflags}
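Review bot: `BuildRequires: pkgconfig(libiptc)` carries no version floor while `pkgconfig(xtables)` was raised to >= 1.6.1 and the configure.ac hunk checks libiptc >= 0.27.1; both modules ship in the same iptables-devel package, so `BuildRequires: pkgconfig(libiptc) >= 1.6.1` keeps the spec and configure in agreement. `Requires: iptables >= 1.6.1` covers the runtime tool, but what connmand now actually depends on is the libiptc shared library it links against — rpm's automatic library dependencies usually pick that up, worth a check on the built package.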
......