Commit 97d96313 authored by Jussi Laakkonen's avatar Jussi Laakkonen

[connman] Do not change iptables policy if firewall fails. JB#43998

This changes the firewall loading to set the general firewall rules first and
to enable the default chain policies only if that succeeds. This prevents the
device from becoming a brick, in the sense of having no networking in or even
out (as DNS would be blocked), if a single rule in the configs is wrong.
parent 77cb270a
......@@ -2177,6 +2177,27 @@ static int enable_general_firewall()
return -EINVAL;
if (!g_list_length(general_firewall->ctx->rules)) {
DBG("no general rules set, policies are not set");
/* No rules defined, no error */
return 0;
DBG("%d general rules", g_list_length(general_firewall->ctx->rules));
err = __connman_firewall_enable(general_firewall->ctx);
* If there is a problem with general firewall, do not apply policies
* since it may result in blocking all incoming traffic and the device
* is not accessible.
if (err) {
DBG("cannot enable general firewall, policies are not changed");
return err;
err = enable_general_firewall_policies(AF_INET,
......@@ -2189,17 +2210,8 @@ static int enable_general_firewall()
if (err)
DBG("cannot enable IPv6 iptables policies, err %d", err);
if (!g_list_length(general_firewall->ctx->rules)) {
DBG("no general rules set");
/* No rules defined, no error */
return 0;
} else {
DBG("%d general rules",
return err;
return __connman_firewall_enable(general_firewall->ctx);
static bool is_valid_policy(char *policy)
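Review bot: In the second hunk the new `return err;` reports only the result of the last policy call, so an AF_INET policy failure is overwritten and lost when the AF_INET6 call (between the two hunks, not visible here) reassigns the same `err` and succeeds; the IPv4 failure then appears only in the DBG line while the caller sees success. If that is not intended, keep the first error: `int err6 = enable_general_firewall_policies(AF_INET6, ...);` then `if (err6) DBG("cannot enable IPv6 iptables policies, err %d", err6);` and `return err ? err : err6;`. Note also that when the IPv6 policy step fails the IPv4 policies set just before it stay applied while the rules from `__connman_firewall_enable()` remain loaded, so the function returns an error with a partially changed policy state; whether the caller unwinds that cannot be seen from this hunk and deserves a comment above the AF_INET call, e.g. `/* Rules are already enabled here; a policy failure below leaves them loaded. */`. The enclosing `enable_general_firewall()` starts outside the hunk.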