Commit 97d96313 authored by Jussi Laakkonen's avatar Jussi Laakkonen

[connman] Do not change iptables policy if firewall fails. JB#43998

This changes the firewall loading so that the rules for the general
firewall are set first and the default chain policies are enabled only
if that succeeds. This prevents the device from becoming a brick in the
sense of having no networking in or even out (as DNS would be blocked)
if a single rule in the configs is wrong.
parent 77cb270a
......@@ -2177,6 +2177,27 @@ static int enable_general_firewall()
return -EINVAL;
}
if (!g_list_length(general_firewall->ctx->rules)) {
DBG("no general rules set, policies are not set");
/* No rules defined, no error */
return 0;
}
DBG("%d general rules", g_list_length(general_firewall->ctx->rules));
err = __connman_firewall_enable(general_firewall->ctx);
/*
* If there is a problem with general firewall, do not apply policies
* since it may result in blocking all incoming traffic and the device
* is not accessible.
*/
if (err) {
DBG("cannot enable general firewall, policies are not changed");
return err;
}
err = enable_general_firewall_policies(AF_INET,
general_firewall->policies);
......@@ -2189,17 +2210,8 @@ static int enable_general_firewall()
if (err)
DBG("cannot enable IPv6 iptables policies, err %d", err);
if (!g_list_length(general_firewall->ctx->rules)) {
DBG("no general rules set");
/* No rules defined, no error */
return 0;
} else {
DBG("%d general rules",
g_list_length(general_firewall->ctx->rules));
}
return err;
return __connman_firewall_enable(general_firewall->ctx);
}
static bool is_valid_policy(char *policy)
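Review bot: The `return err;` added in the second hunk reports only the outcome of the last policy call: `err` is reassigned by the AF_INET6 `enable_general_firewall_policies()` call (presumably in the lines between the two hunks, given the IPv6 DBG at the top of the second hunk), so an AF_INET policy failure that was merely logged is overwritten and the function can return 0 after a partial policy setup. If callers are meant to learn about any policy failure, keep the first non-zero result in a separate variable, e.g. `if (err && !ret) ret = err;` after each policy call, and return that. The ordering this commit establishes (rules loaded, then policies) is the safety property, so it deserves a function-level comment such as `/* Rules first, then policies: policies are only installed once the rule set is known to load, so a bad rule config cannot lock the device out of the network. */` rather than only the inline note at the check. enable_general_firewall() starts before the first hunk, so the declaration of `err` and the handling of the AF_INET result are not visible here.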
......