Commit 9931c170 authored by Jussi Laakkonen

[connman] Improve firewall iptables rule parsing. JB#43924

This commit implements a better parser for all the supported iptables
rule (match) options. Moved the content of iptables rule validation from
firewall.c into iptables-validate.c. With this change the iptables rule
validation can be used with other functionality as well. For example, with

Each match option has to also have proper protocol and match set.
Protocols are checked also using their int representation.

A hash table based approach is used in checking whether the given option
in iptables rule can be used with the specified match or protocol. The
hash table containing the iptables_type_option structs is initialized at
iptables-validate.c init and destroyed at cleanup. The options are
searched with the given protocol and match (that are processed first) to
reduce search times. SCTP, DCCP and MH matches (-m) are not currently
working with iptables.c so options for these are disabled.

Some, such as TCP, DCCP and multiport require checking from two separate
categories as the match (in case of DCCP the protocol) supports also key
"port" options in addition to its own options.

Options for iptables matches that are processed:
 - tcp
 - mark
 - conntrack (address switches not supported)
 - ttl
 - pkttype
 - limit
 - helper (no parsing as iptables does not care about value)
 - enc
 - ah
 - esp
 - mh (match -m mh does not work in connman, ignored)
 - sctp (match -m sctp does not work in connman, ignored)
 - icmp
 - icmpv6 && ipv6-icmp
 - dccp

Added helpers for checking protocols (get_protocol_protoent()), checking
input parameter ranges of options (is_valid_range()), and checking if the
parameter sequence matches the criteria (is_valid_param_sequence()).
This makes the code more readable.

Tests for iptables rule options are also added. All accepted options are
checked as well as invalid options are attempted to be used with the
parent 65fba7f0
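The scheme the commit message describes, as an added example that is not connman's code: every option in a rule specification is owned by a match (-m) or protocol (-p), the protocol and match are resolved first, each option is then looked up under them, and its parameter count and numeric range are checked. The option names, limits and protocol numbers below are a constructed subset, the function names (`ipt_validate_rule`, `resolve_kind`, `lookup`) are assumptions, and the option table is scanned linearly rather than through the hash table the commit builds.

```c
/* Added example, not connman code: validate an iptables rule specification before it
 * reaches the firewall. Follows the commit's scheme (options owned by a match or
 * protocol, checked for parameter count and numeric range) but scans a small option
 * table linearly instead of the hash table the commit uses. Names here are a subset. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum ipt_kind { K_NONE = 0, K_TCP, K_UDP, K_ICMP, K_MARK, K_LIMIT };

/* owner: match or protocol the option belongs to; nparams: values that must follow;
 * numeric: the single value must be an integer within min..max. */
struct ipt_option { const char *name; enum ipt_kind owner; int nparams; bool numeric; long min, max; };

static const struct ipt_option options[] = {
	{ "--dport", K_TCP, 1, true, 0, 65535 }, { "--sport", K_TCP, 1, true, 0, 65535 },
	{ "--tcp-flags", K_TCP, 2, false, 0, 0 }, { "--syn", K_TCP, 0, false, 0, 0 },
	{ "--dport", K_UDP, 1, true, 0, 65535 }, { "--icmp-type", K_ICMP, 1, true, 0, 255 },
	{ "--mark", K_MARK, 1, false, 0, 0 }, { "--limit", K_LIMIT, 1, false, 0, 0 },
	{ "--limit-burst", K_LIMIT, 1, true, 1, 10000 },
};

/* "-p" accepts a name or IANA number, "-m" a name only; num < 0 marks a non-protocol match. */
static const struct { const char *name; long num; enum ipt_kind kind; } kinds[] = {
	{ "tcp", 6, K_TCP }, { "udp", 17, K_UDP }, { "icmp", 1, K_ICMP },
	{ "mark", -1, K_MARK }, { "limit", -1, K_LIMIT },
};

static const struct ipt_option *lookup(enum ipt_kind owner, const char *name)
{
	for (size_t i = 0; i < sizeof options / sizeof options[0]; i++)
		if (options[i].owner == owner && strcmp(options[i].name, name) == 0) return &options[i];
	return NULL;
}

static enum ipt_kind resolve_kind(const char *s, bool is_proto)
{
	char *end;
	long n = strtol(s, &end, 10);
	bool is_num = is_proto && *s != '\0' && *end == '\0';
	for (size_t i = 0; i < sizeof kinds / sizeof kinds[0]; i++) {
		if (is_proto && kinds[i].num < 0) continue;
		if (strcmp(s, kinds[i].name) == 0 || (is_num && n == kinds[i].num)) return kinds[i].kind;
	}
	return K_NONE;
}

/* True only if -p/-m are known and consistent and every "--option" belongs to the
 * declared match or protocol, has all its values, and numeric values are in range. */
bool ipt_validate_rule(const char *rule_spec)
{
	char buf[256], *argv[32];
	int argc = 0;
	enum ipt_kind proto = K_NONE, match = K_NONE;

	if (strlen(rule_spec) >= sizeof buf) return false;
	strcpy(buf, rule_spec);
	for (char *t = strtok(buf, " "); t && argc < 32; t = strtok(NULL, " ")) argv[argc++] = t;

	/* Protocol and match are resolved before any option is looked up. */
	for (int i = 0; i < argc; i++) {
		bool p = strcmp(argv[i], "-p") == 0 || strcmp(argv[i], "--protocol") == 0;
		bool m = strcmp(argv[i], "-m") == 0 || strcmp(argv[i], "--match") == 0;
		if (!p && !m) continue;
		if (++i >= argc) return false;  /* -p or -m without a value */
		if (p && (proto = resolve_kind(argv[i], true)) == K_NONE) return false;
		if (m && (match = resolve_kind(argv[i], false)) == K_NONE) return false;
	}
	/* A protocol match such as "-m tcp" must agree with "-p". */
	if ((match == K_TCP || match == K_UDP || match == K_ICMP) && match != proto) return false;

	for (int i = 0; i < argc; i++) {
		const struct ipt_option *opt;
		if (strncmp(argv[i], "--", 2) != 0) continue;  /* -j, -i, "!" etc. are not checked here */
		if (strcmp(argv[i], "--protocol") == 0 || strcmp(argv[i], "--match") == 0) { i++; continue; }
		opt = lookup(match, argv[i]);
		if (!opt) opt = lookup(proto, argv[i]);  /* e.g. "-p tcp --dport" without "-m tcp" */
		if (!opt || i + opt->nparams >= argc) return false;
		for (int j = 1; j <= opt->nparams; j++)
			if (argv[i + j][0] == '-') return false;  /* a value must not look like an option */
		if (opt->numeric) {
			char *end;
			long v = strtol(argv[i + 1], &end, 10);
			if (*end != '\0' || v < opt->min || v > opt->max) return false;
		}
		i += opt->nparams;
	}
	return true;
}

int main(void)
{
	const char *rules[] = { "-p tcp -m tcp --dport 22 -j ACCEPT",
				"-p udp -m tcp --dport 22 -j ACCEPT", "-p 6 --dport 70000 -j DROP" };
	for (size_t i = 0; i < 3; i++)
		printf("%-40s %s\n", rules[i], ipt_validate_rule(rules[i]) ? "accepted" : "rejected");
	return 0;
}
```

The two-pass structure is what makes the check sound: if options were looked up while scanning, "--dport 22 -p tcp" would be judged before the protocol is known. Rejecting a value that begins with "-" is the sequence check the commit calls is_valid_param_sequence(); without it "--tcp-flags --dport 22" would consume "--dport" as a flag list and skip its port range check.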
......@@ -141,7 +141,7 @@ src_connmand_SOURCES = $(gdhcp_sources) $(gweb_sources) $(backtrace_sources) \
src/peer_service.c src/machine.c src/util.c \
src/wakeup_timer.c src/jolla-stats.c src/fsid.c \
src/access.c vpn/vpn-settings.c \
src/sailfish_iptables_ext.c src/iptables-validate.c
src_connmand_LDADD = gdbus/ $(builtin_libadd) \
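Review bot: adding src/iptables-validate.c to src_connmand_SOURCES only links the new file into the daemon; since the commit message says the rule validation was moved out of firewall.c, confirm that firewall.c no longer carries its own copy of those checks (its diff is collapsed on this page), so there is a single validation path rather than two that can drift apart.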
......@@ -372,7 +372,8 @@ unit_test_firewall_CFLAGS = $(COVERAGE_OPT) $(AM_CFLAGS) @DBUS_CFLAGS@ \
unit_test_firewall_SOURCES = $(backtrace_sources) src/connman.h src/log.c \
src/inotify.c src/dbus.c src/error.c \
src/firewall.c unit/test-firewall.c
src/firewall.c src/iptables-validate.c \
unit_test_firewall_LDADD = @GLIB_LIBS@ @DBUS_LIBS@ -ldl
unit_test_iptables_CFLAGS = $(COVERAGE_OPT) $(AM_CFLAGS) @GLIB_CFLAGS@
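Review bot: the replacement line `src/firewall.c src/iptables-validate.c \` ends in a continuation, but the line carrying `unit/test-firewall.c` is not visible here even though the hunk header counts one more added line than removed; confirm unit/test-firewall.c is still the last entry of unit_test_firewall_SOURCES, otherwise the test binary builds without its test cases.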
......@@ -470,8 +471,8 @@ tools_iptables_unit_CFLAGS = @DBUS_CFLAGS@ @GLIB_CFLAGS@ @XTABLES_CFLAGS@ \
-DDEFAULT_STORAGE_ROOT=\""$(storageroot)\"" \
tools_iptables_unit_SOURCES = $(backtrace_sources) src/log.c src/storage.c \
src/inotify.c src/iptables.c src/firewall.c \
src/nat.c tools/iptables-unit.c
src/inotify.c src/iptables.c src/firewall.c src/nat.c \
src/iptables-validate.c tools/iptables-unit.c
tools_iptables_unit_LDADD = gdbus/ \
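Review bot: tools_iptables_unit_SOURCES now needs src/iptables-validate.c next to src/firewall.c because the validation symbols moved into the new file; the same link dependency should be checked for the unit_test_iptables target whose CFLAGS appear in the previous hunk, if that test reaches firewall rule loading.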
......@@ -984,6 +984,12 @@ int __connman_iptables_delete(int type,
int __connman_iptables_restore_all();
int __connman_iptables_save_all();
void __connman_iptables_validate_init(void);
void __connman_iptables_validate_cleanup(void);
bool __connman_iptables_validate_rule(int type, bool allow_dynamic,
const char *rule_spec);
typedef int (*connman_iptables_manage_cb_t)(int type, const char *table_name,
const char *chain, const char *rule_spec);
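Review bot: `__connman_iptables_validate_rule(int type, bool allow_dynamic, const char *rule_spec)` becomes the entry point other code calls on rule strings from configuration, so the header should document what `type` selects, what `allow_dynamic` permits (the commit message never defines a dynamic rule), and that a false return means the rule must not be handed to any `__connman_iptables_*` call. The adjacent context lines `int __connman_iptables_restore_all();` and `int __connman_iptables_save_all();` still use empty parameter lists while the new declarations correctly use `(void)`; the old ones could be fixed in passing.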
......@@ -863,6 +863,7 @@ int main(int argc, char *argv[])
__connman_device_init(option_device, option_nodevice);
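Review bot: ordering is the point for the one added line of this hunk, which is collapsed in this rendering: if it is the call to `__connman_iptables_validate_init()` declared in connman.h, it must run before any stored firewall rule is loaded and validated, since the commit message says the option table is built at that init.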
......@@ -937,6 +938,7 @@ int main(int argc, char *argv[])
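Review bot: for the one added line here, presumably the `__connman_iptables_validate_cleanup()` counterpart, keep the reverse order of init: it must run after the firewall code has finished validating rules, so no validate call consults a table that has already been destroyed.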