Commit b86ae5a1 authored by Jussi Laakkonen

[connman] Ignore non-protocol IPv6 iptables rule -m switch. JB#44205

This makes connman ignore all IPv6 rules with a -m switch other than one of the
supported protocols in firewall configs.

The reason is that iptables matches as of now cannot be used for both
IPv4 and IPv6. The reason for this is not clear. It may be that iptables is
not built for it, or some implementation is missing from connman.

When changing the IP protocol in iptables.c while a match with the same name
is already loaded in iptables, the content of the previous IP protocol is
passed to the function callbacks, which understand only the previous IP
protocol. The IP protocol family is set correctly but everything else is
not.

This should be reverted if iptables 1.8.1 brings any changes, or some
new idea arises. This means that the IPv6 INPUT policy can never be DROP.
parent fe2c7376
......@@ -1533,6 +1533,22 @@ static bool protocol_match_equals(const char *protocol, const char *match)
return false;
}
static bool is_supported_ipv6_match(const char *match)
{
int i;
if (!match)
return false;
/* Protocols are supported, nothing else */
for (i = 0; supported_protocols[i]; i++) {
if (!g_strcmp0(match, supported_protocols[i]))
return true;
}
return false;
}
static bool validate_iptables_rule(int type, const char *group,
const char *rule_spec)
{
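Review bot: the loop in is_supported_ipv6_match() relies on supported_protocols[] being terminated by a NULL entry, which is not visible in this hunk; a one-line comment on the helper stating that requirement would make the termination condition `supported_protocols[i]` safe to maintain. The comment "/* Protocols are supported, nothing else */" should also carry the JB#44205 reference and the reason from the commit message (matches other than protocols break when the same match is loaded for both IPv4 and IPv6), so that whoever reverts this restriction after the iptables update can find it without digging through history. Note that g_strcmp0() is an exact, case-sensitive comparison, so only match names spelled exactly as in supported_protocols[] pass; any other spelling of a protocol name in an IPv6 rule is dropped together with the non-protocol matches.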
......@@ -1578,6 +1594,17 @@ static bool validate_iptables_rule(int type, const char *group,
switch_type = IPTABLES_MATCH;
match = argv[i++];
/* TODO fix/remove this when match support is fixed */
if (type == AF_INET6 &&
!is_supported_ipv6_match(match)) {
DBG("iptables support for other than protocol "
"matches in "
"simultaneous use is "
"broken, ignore IPv6 "
"match %s", match);
goto out;
}
if (!match) {
DBG("trailing '-m' in rule \"%s\"", rule_spec);
goto out;
......
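Review bot: the new IPv6 check is placed before the existing `if (!match)` guard, so a trailing "-m" in an IPv6 rule now takes the new branch instead: is_supported_ipv6_match(NULL) returns false and the DBG line formats the NULL match with "%s", and the clearer "trailing '-m' in rule" diagnostic is never reached for AF_INET6. Move the `if (!match)` check above the `/* TODO fix/remove this ... */` block so the NULL case is reported as before and the IPv6 restriction only sees a real match name. The DBG message itself could also be shortened to a single string literal (e.g. "ignoring IPv6 match %s, simultaneous IPv4/IPv6 match support is broken") rather than four concatenated fragments.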