[connman] Improve firewall iptables rule parsing. JB#43924
This commit implements a better parser for all the supported iptables rule (match) options. Moved the content of iptables rule validation from firewall.c into iptables-validate.c. With this change the iptables rule validation can be used with other functionality as well, for example with sailfish_iptables_ext.c.

Each match option has to also have proper protocol and match set. Protocols are checked also using their int representation.

A hash table based approach is used in checking whether the given option in iptables rule can be used with the specified match or protocol. The hash table containing the iptables_type_option structs is initialized at iptables-validate.c init and destroyed at cleanup. The options are searched with the given protocol and match (that are processed first) to reduce search times.

SCTP, DCCP and MH matches (-m) are not currently working with iptables.c so options for these are disabled. Some, such as TCP, DCCP and multiport, require checking from two separate categories as the match (in case of DCCP the protocol) supports also key "port" options in addition to its own options.

Options for iptables matches that are processed:
- tcp
- mark
- conntrack (address switches not supported)
- ttl
- pkttype
- limit
- helper (no parsing as iptables does not care about value)
- enc
- ah
- esp
- mh (match -m mh does not work in connman, ignored)
- sctp (match -m sctp does not work in connman, ignored)
- icmp
- icmpv6 && ipv6-icmp
- dccp

Added helpers for checking protocols (get_protocol_protoent()), checking input parameter ranges of options (is_valid_range()), checking if the parameter sequence is matching to criteria (is_valid_param_sequence()). This makes code more readable.

Tests for iptables rule options are also added. All accepted options are checked, and invalid options are also attempted to be used with the tests.
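The table-driven check the commit message describes, as an added example written for this page (it is not connman's iptables-validate.c and does not use its iptables_type_option struct or GLib hash table). It assumes a small static option table with single numeric arguments, a shared "port" category that only tcp, dccp and multiport may use, the IANA protocol numbers for name/number equivalence, and that -m sctp, -m dccp and -m mh are disabled; the rule strings it checks are constructed here. A linear scan over a few entries stands in for the hash lookup, with the same protocol-then-match narrowing.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Protocols with their IANA numbers so "-p 6" and "-p tcp" resolve alike.
 * match_usable says whether "-m <name>" is accepted; sctp, dccp and mh are
 * kept in the table but disabled, as the commit message describes. */
struct proto { const char *name; int number; bool match_usable; };
static const struct proto protos[] = {
    { "tcp", 6, true },        { "udp", 17, true },    { "icmp", 1, true },
    { "ipv6-icmp", 58, true }, { "icmpv6", 58, true }, { "ah", 51, true },
    { "esp", 50, true },       { "sctp", 132, false }, { "dccp", 33, false },
    { "mh", 135, false },
};

/* One accepted option: the match that owns it (or "port" for the shared
 * port category) and the numeric range its single argument must fall in.
 * Assumed subset of iptables options, not connman's real table. */
enum category { CAT_OWN, CAT_PORT };
struct type_option { const char *match, *option; enum category cat; long long min, max; };
static const struct type_option options[] = {
    { "port",  "--dport",       CAT_PORT, 0, 65535 },
    { "port",  "--sport",       CAT_PORT, 0, 65535 },
    { "tcp",   "--tcp-option",  CAT_OWN,  0, 255 },
    { "icmp",  "--icmp-type",   CAT_OWN,  0, 255 },
    { "mark",  "--mark",        CAT_OWN,  0, 0xffffffffLL },
    { "ttl",   "--ttl-eq",      CAT_OWN,  0, 255 },
    { "limit", "--limit-burst", CAT_OWN,  1, 10000 },
};
/* Matches (or, for dccp, the protocol) that also accept the port category. */
static const char *port_matches[] = { "tcp", "dccp", "multiport" };

/* Resolve a "-p" argument given either as a name or as a decimal number. */
const struct proto *get_protocol(const char *name)
{
    char *end;
    errno = 0;
    long n = strtol(name, &end, 10);
    bool numeric = *name && *end == '\0' && errno == 0;
    for (size_t i = 0; i < sizeof protos / sizeof *protos; i++)
        if (numeric ? protos[i].number == n : strcmp(protos[i].name, name) == 0)
            return &protos[i];
    return NULL;
}

/* Accept only a complete decimal argument that lies inside [min, max]. */
bool is_valid_range(const char *arg, long long min, long long max)
{
    char *end;
    errno = 0;
    long long v = strtoll(arg, &end, 10);
    return *arg && *end == '\0' && errno == 0 && v >= min && v <= max;
}

static bool match_takes_ports(const char *match)
{
    for (size_t i = 0; i < sizeof port_matches / sizeof *port_matches; i++)
        if (strcmp(port_matches[i], match) == 0)
            return true;
    return false;
}

/* Look up an option under the current match: own options must belong to
 * that match, port options are allowed only for matches that take ports. */
const struct type_option *find_option(const char *match, const char *option)
{
    for (size_t i = 0; i < sizeof options / sizeof *options; i++) {
        const struct type_option *o = &options[i];
        if (strcmp(o->option, option) != 0)
            continue;
        if (o->cat == CAT_OWN ? strcmp(o->match, match) == 0 : match_takes_ports(match))
            return o;
    }
    return NULL;
}

/* Validate a rule of the form "-p P -m M --opt N ... -j TARGET". Every
 * switch takes one argument; "--opt" is accepted only when the protocol and
 * match it needs are already set. Options seen before any "-m" fall back to
 * the protocol's implicit match (as in "-p tcp --dport 22"). */
bool is_valid_rule(const char *rule)
{
    char buf[256];
    if (strlen(rule) >= sizeof buf)
        return false;
    strcpy(buf, rule);
    const struct proto *proto = NULL;
    const char *match = NULL;
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        char *arg = strtok(NULL, " ");
        if (!arg)
            return false;
        if (strcmp(tok, "-p") == 0) {
            if (!(proto = get_protocol(arg)))
                return false;
        } else if (strcmp(tok, "-m") == 0) {
            const struct proto *mp = get_protocol(arg);
            /* A protocol-specific match must be enabled and agree with -p. */
            if (mp && (!mp->match_usable || !proto || mp->number != proto->number))
                return false;
            match = arg;
        } else if (strcmp(tok, "-j") == 0) {
            continue;
        } else if (strncmp(tok, "--", 2) == 0) {
            const char *m = match ? match : proto ? proto->name : NULL;
            const struct type_option *o = m ? find_option(m, tok) : NULL;
            if (!o || !is_valid_range(arg, o->min, o->max))
                return false;
        } else {
            return false;
        }
    }
    return true;
}

int main(void)
{
    const char *rules[] = {   /* constructed sample rules */
        "-p tcp -m tcp --dport 22 -j ACCEPT",
        "-p udp -m tcp --dport 22 -j ACCEPT",
        "-p sctp -m sctp --dport 9 -j ACCEPT",
        "-m ttl --ttl-eq 300 -j DROP",
    };
    for (size_t i = 0; i < sizeof rules / sizeof *rules; i++)
        printf("%-40s %s\n", rules[i], is_valid_rule(rules[i]) ? "valid" : "rejected");
    return 0;
}
```

The two-category lookup is what makes "-p tcp -m mark --dport 22" fail while "-p dccp --dport 33" passes: --dport lives in the port category, and only a match (or, for dccp, the protocol) listed in port_matches may borrow it.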
Showing with 2635 additions and 656 deletions