Commit 5864fb03 authored by Jussi Laakkonen

[connman] Add service specific dynamic iptables rules. JB#42675

This commit changes the service type based dynamic rules to be service
identifier specific. Each service can have its own ruleset, which is based
on the iptables rules set for the service type in firewall.conf.

All services of the same type have identical rules from the configuration.
The main reason for this is to accommodate the requirement of having two
simultaneous connections of the same type online at the same time.

When a service is being connected for the first time a deep clone of the
firewall rule set for the service type is created. This firewall rule
set is removed from the internal current_dynamic_rules only when the
service is removed. When the service is disconnected the rules are
only removed from iptables; they remain in the firewall context of the
service for later use. The firewall rule id will be kept the same if the
firewall rule set is reused. The only thing that can change is the
interface to be used with the rule.

For an easier (and faster) check of whether the firewall is enabled a
new bool value is added to struct firewall_context. This is enabled when
firewall rules are added without error and id FW_ALL_RULES is given. It
is faster to check this instead of going through all the rules
without any change to them if they are already enabled/disabled.

Added checks whether the rule is valid UTF8 (if not, it is ignored). If the
rule starts with the # character the rule is interpreted as commented out
and is not added. A rule must start with a '-' character as required by
iptables; otherwise the rule is ignored.
parent ff57f580
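The three rule checks the commit message describes (valid UTF-8, `#` means commented out, leading `-` required), as an added example that is not connman's own code. The names `check_rule`, `utf8_valid` and `rule_status` are assumptions; the UTF-8 check goes further than the message states by also rejecting overlong encodings, surrogates and out-of-range code points, and the sample lines are constructed.

```c
#include <stdio.h>

/* Outcome of the per-rule checks the commit message describes. */
enum rule_status { RULE_OK, RULE_EMPTY, RULE_INVALID_UTF8, RULE_COMMENT, RULE_NO_DASH };

/* Strict UTF-8 validation: rejects truncated sequences, stray continuation
 * bytes, overlong encodings, UTF-16 surrogates and code points > U+10FFFF. */
static int utf8_valid(const unsigned char *s)
{
    while (*s) {
        unsigned c = *s++, cp = 0, min = 0;
        int n;
        if (c < 0x80)
            continue;
        if ((c & 0xE0) == 0xC0)      { n = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { n = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { n = 3; cp = c & 0x07; min = 0x10000; }
        else return 0;               /* continuation or 0xF8..0xFF as lead byte */
        while (n--) {
            if ((*s & 0xC0) != 0x80) /* a NUL here means a truncated sequence */
                return 0;
            cp = (cp << 6) | (*s++ & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return 0;
    }
    return 1;
}

/* Checks in the order the commit message lists them; anything but RULE_OK is skipped. */
enum rule_status check_rule(const char *rule)
{
    if (!rule || !*rule) return RULE_EMPTY;
    if (!utf8_valid((const unsigned char *)rule)) return RULE_INVALID_UTF8;
    if (rule[0] == '#') return RULE_COMMENT;   /* commented out, not added */
    if (rule[0] != '-') return RULE_NO_DASH;   /* iptables needs a leading '-' */
    return RULE_OK;
}

int main(void)
{
    /* Constructed sample lines as they might appear in firewall.conf. */
    const char *rules[] = { "-p udp --dport 53 -j ACCEPT", "# -p tcp --dport 22 -j ACCEPT",
                            "ACCEPT -p tcp --dport 80", "-j DROP -m comment --comment \xC0\xAF", "" };
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        printf("%-40s -> %d\n", rules[i], check_rule(rules[i]));
    return 0;
}
```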
......@@ -60,6 +60,11 @@ const char *__connman_service_get_name(struct connman_service *service) {
return NULL;
const char *connman_service_get_identifier(struct connman_service *service)
return NULL;
static bool assert_rule(int type, const char *table_name, const char *rule)
char *cmd, *output, **lines;
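Review bot: the test stubs `__connman_service_get_name` and `connman_service_get_identifier` in this hunk both `return NULL`, but the change keys the dynamic rule set on the service identifier, so with these stubs the deep-clone-per-identifier path is never exercised and only the NULL-identifier handling is; add a stub variant that returns a fixed identifier string and a test showing two services of the same type get separate clones with the same rule ids, as the commit message promises. Only the context lines of the `-60,6 +60,11` hunk are visible here, so the five added lines themselves could not be reviewed.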