Commit 25b654eb authored by Jussi Laakkonen

[connman] Fix firewall failsafe. Empty config is not error. Fixes JB#45308

This commit fixes the firewall failsafe operation. The hash tables
containing entries retrieved from iptables should not be freed within
the same session where iptables is used. This seems to create more
problems than it helps to solve. In some cases the pointers to free'd content
are returned by iptables when failsafe has triggered, causing
non-continuous entrytables with invalid offsets.

Also, do not treat empty or missing firewall config as an error triggering
firewall failsafe. No config = no changes.
parent c198d168
......@@ -1947,7 +1947,7 @@ static int enable_general_firewall()
if (!general_firewall || !general_firewall->ctx) {
DBG("no general firewall or firewall context set");
return -EINVAL;
return 0;
}
if (!g_list_length(general_firewall->ctx->rules)) {
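Review bot: The `!general_firewall || !general_firewall->ctx` branch covers two different states, and returning 0 for both means the caller can no longer tell "no config, nothing to apply" from a firewall object whose context was never set up. If those states are distinct, return 0 only for the missing-config case and keep `-EINVAL` for a NULL `ctx`. The DBG text "no general firewall or firewall context set" should also say that this is deliberately not an error, so the success return does not look like an oversight to the next reader.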
......@@ -2863,8 +2863,6 @@ int __connman_firewall_init(void)
} else {
DBG("dynamic rules disabled, policy ACCEPT set for all chains");
connman_error("firewall initialization error, reset iptables");
__connman_iptables_cleanup();
__connman_iptables_init();
__connman_iptables_iterate_chains(AF_INET, "filter",
firewall_failsafe,
GINT_TO_POINTER(AF_INET));
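Review bot: The `connman_error("firewall initialization error, reset iptables")` message in the failsafe branch looks stale if the two lines this hunk drops (8 lines down to 6) are the `__connman_iptables_cleanup()` / `__connman_iptables_init()` pair, as the commit message indicates, because iptables is then no longer reset here. Reword the message to match what the branch does now, and add a short comment above the `__connman_iptables_iterate_chains()` call explaining that the iptables tables must not be freed in the same session, so the cleanup/init pair is not reintroduced later. Separately, the fact that the failsafe leaves policy ACCEPT on all chains is only logged through DBG; since that is the security-relevant outcome, it belongs in the error-level message.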
......