Commit ff57f580 authored by Jussi Laakkonen

[connman] Add dynamic and general firewall rule processing. JB#42675

This commit introduces support for general and dynamic firewall rules.
The rules are read from CONFDIR/firewall.conf. Additional configurations
are also supported, which must be put into CONFIGDIR/firewall.d/ and each
has to have the "firewall.conf" suffix, e.g., 10-devmode-firewall.conf.

The rules in the configuration files are added to the specified
technology type rules or to general rules. The last config in the
directory can override the "General" section default policies for INPUT,
OUTPUT and FORWARD chains of filter table.

Managed chains are used so that no changes are made to the content of
the filter table chains INPUT, FORWARD and OUTPUT (for neither IPv4 nor
IPv6), except for the policy. The format of the rules is the same as for
iptables rules, with the exceptions detailed later in this message. The
chain name and policy name can be omitted in the config file.

Rules can be defined for IPv4 chains using the INPUT, OUTPUT and FORWARD
keys in the config file. Rules for IPv6 chains can be set using
INPUT_IPv6, OUTPUT_IPv6 and FORWARD_IPv6. Default filter table policies
can be set only in General section and follow similar naming. IPv4
iptables default policies are set with keys that have a suffix "_POLICY"
added to the chain name. With IPv6 ip6tables policies the suffix is

There can be general rules that are added to managed chains using
firewall.c functionality at firewall initialization and cleared at
firewall cleanup. General rules include defining policies for the default
filter table chains. The general rules section format (rules are
separated with semicolon ";" because comma "," is a separator for ports
in iptables rules):

INPUT = -p tcp -m tcp --dport 22 -j ACCEPT; -p udp -m udp -j ACCEPT
INPUT_IPv6 = -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
OUTPUT = -p tcp -m multiport --sports 1024:65000 -j ACCEPT

After ConnMan is shut down the policies on each default chain in the
filter table are set to ACCEPT. By adding the rules via firewall.c the
managed tables are also cleared at shutdown.

Each technology connman supports can have its own dynamic rules set in
the same firewall.conf file. These rules are enabled and disabled when a
service comes up (READY, CONNECTED) or goes down (DISCONNECT, FAILURE,
IDLE), and the interface the service is using is applied to the rule.
The format for the dynamic rules is the same, for example for cellular:

INPUT = -p tcp -m multiport --dports 1:1024 -j DROP
OUTPUT = -p udp -m udp --dport 23 -j DROP; -p tcp -j ACCEPT
INPUT_IPv6 = -p tcp -m ssh -j ACCEPT; -p udp -m udp -j DROP

In chain INPUT -i <interface> is added, in chain FORWARD -o <interface>
is added and in chain OUTPUT -o <interface> is added. For this
particular reason the -i and -o switches are forbidden in the rules.

The following switches (and their longer equivalents) are not allowed in
rules (rules containing one of these are ignored):
 - Chain management switches (-A, -D, -X, -F, -I, -P, -E, -R, -Z)
 - Interface definitions (-i, -o), except for group General
 - IP address switches (-s, -d, --to-destination, --from-destination)
 - State modifiers -m comment and -m state (and -m conntrack with IPv6)

All regular targets (ACCEPT, DROP, REJECT, LOG, QUEUE) are allowed. In
these rules adding chains is not allowed so additional targets cannot be
used, hence the managed tables.

The protocols defined in iptables manual pages are allowed: tcp, udp,
udplite, icmp, icmpv6, ipv6-icmp, esp, ah, sctp, mh and the special
keyword all.

If the -m multiport switch is used it has to have some of the default
port switches. If a port switch is used, port numbers or service names
can be used. Ports have to be separated with commas (set) or semicolons
(range) as the iptables rule format defines.
parent a1e641f0
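To make the constraints listed in the message above concrete, here is an added example, written for this page and not taken from connman's firewall.c, of a validator that applies them to one firewall.conf key value. It splits the value on ';', tokenizes each rule and rejects rules that use a forbidden switch, a protocol outside the listed set, or a target other than ACCEPT, DROP, REJECT, LOG and QUEUE; -i/-o are accepted only when the caller flags the General group, and -m conntrack is rejected for IPv6 exactly as the list in the message states. The enum, the function names and the sample rule strings are this example's own assumptions.

```c
/* Added example, not connman's firewall.c: validate firewall.conf rule values
 * against the constraints in the commit message. All names are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum rule_family { RULE_IPV4, RULE_IPV6 };

/* Chain management and address switches, short and long forms. */
static const char *const forbidden_switches[] = {
    "-A", "--append", "-D", "--delete", "-X", "--delete-chain", "-F", "--flush",
    "-I", "--insert", "-P", "--policy", "-E", "--rename-chain", "-R", "--replace",
    "-Z", "--zero", "-s", "--source", "-d", "--destination",
    "--to-destination", "--from-destination", NULL };
static const char *const allowed_targets[] = {
    "ACCEPT", "DROP", "REJECT", "LOG", "QUEUE", NULL };
static const char *const allowed_protocols[] = {
    "tcp", "udp", "udplite", "icmp", "icmpv6", "ipv6-icmp", "esp", "ah", "sctp",
    "mh", "all", NULL };

static bool in_list(const char *const *list, const char *s)
{
    for (; *list; list++)
        if (strcmp(*list, s) == 0)
            return true;
    return false;
}

/* -m comment and -m state never; -m conntrack is listed as forbidden for IPv6. */
static bool match_allowed(const char *name, enum rule_family family)
{
    if (strcmp(name, "comment") == 0 || strcmp(name, "state") == 0)
        return false;
    return !(family == RULE_IPV6 && strcmp(name, "conntrack") == 0);
}

/* One rule (already split on ';'). 'general' marks the General group, the
 * only place -i/-o are allowed because no interface is injected there. */
bool validate_rule(const char *rule, enum rule_family family, bool general)
{
    char *copy = strdup(rule), *save = NULL, *tok;
    bool ok = copy != NULL;

    for (tok = copy ? strtok_r(copy, " \t", &save) : NULL; ok && tok;
         tok = strtok_r(NULL, " \t", &save)) {
        bool iface = !strcmp(tok, "-i") || !strcmp(tok, "--in-interface") ||
                     !strcmp(tok, "-o") || !strcmp(tok, "--out-interface");
        bool match = !strcmp(tok, "-m") || !strcmp(tok, "--match");
        bool proto = !strcmp(tok, "-p") || !strcmp(tok, "--protocol");
        bool jump  = !strcmp(tok, "-j") || !strcmp(tok, "--jump");

        if (in_list(forbidden_switches, tok) || (iface && !general)) {
            ok = false;
        } else if (match || proto || jump) {
            const char *arg = strtok_r(NULL, " \t", &save);
            if (!arg)                 /* switch without its argument */
                ok = false;
            else if (match)
                ok = match_allowed(arg, family);
            else if (proto)
                ok = in_list(allowed_protocols, arg);
            else
                ok = in_list(allowed_targets, arg);
        }
    }
    free(copy);
    return ok;
}

/* Split a key value on ';' (',' belongs to port lists) and count the rules
 * that pass; offending rules are reported and ignored, as the message says. */
int count_allowed_rules(const char *value, enum rule_family family, bool general)
{
    char *copy = strdup(value), *save = NULL, *rule;
    int accepted = 0;

    for (rule = copy ? strtok_r(copy, ";", &save) : NULL; rule;
         rule = strtok_r(NULL, ";", &save)) {
        while (*rule == ' ')
            rule++;
        if (validate_rule(rule, family, general))
            accepted++;
        else
            fprintf(stderr, "ignoring rule: %s\n", rule);
    }
    free(copy);
    return accepted;
}

int main(void)
{
    /* Constructed values modelled on the examples in the commit message. */
    const char *good = "-p tcp -m tcp --dport 22 -j ACCEPT; -p udp -m udp -j ACCEPT";
    const char *bad = "-A INPUT -p tcp -j ACCEPT; -i eth0 -j DROP; -s 10.0.0.1 -j DROP";
    printf("good: %d/2, bad: %d/3\n", count_allowed_rules(good, RULE_IPV4, false),
           count_allowed_rules(bad, RULE_IPV4, false));
    return 0;
}
```

Because the message's own INPUT_IPv6 example uses -m conntrack while the forbidden list names conntrack for IPv6, this validator (which follows the list) would ignore that example; whichever of the two the real implementation follows, the check belongs at config load time so a rejected rule never reaches a managed chain.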
......@@ -419,7 +419,8 @@ tools_dbus_test_LDADD = gdbus/ @GLIB_LIBS@ @DBUS_LIBS@
tools_polkit_test_LDADD = @DBUS_LIBS@
tools_iptables_test_CFLAGS = -DDEFAULT_STORAGE_ROOT=\""$(storageroot)\"" @DBUS_CFLAGS@
tools_iptables_test_CFLAGS = -DDEFAULT_STORAGE_ROOT=\""$(storageroot)\"" \
tools_iptables_test_SOURCES = $(backtrace_sources) src/log.c src/storage.c \
src/inotify.c src/iptables.c tools/iptables-test.c
tools_iptables_test_LDADD = @GLIB_LIBS@ @XTABLES_LIBS@ @LIBIPTC_LIBS@ @DBUS_LIBS@ -ldl
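Review bot: the new tools_iptables_test_CFLAGS line ends in a backslash continuation but the continued line is not visible in this hunk; the previous version carried @DBUS_CFLAGS@ on the same line, so confirm the continuation still includes it, otherwise tools/iptables-test.c loses its D-Bus include path while tools_iptables_test_LDADD still links @DBUS_LIBS@.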
......@@ -440,7 +441,8 @@ tools_session_test_LDADD = gdbus/ \
-DDEFAULT_STORAGE_ROOT=\""$(storageroot)\"" \
tools_iptables_unit_SOURCES = $(backtrace_sources) src/log.c src/storage.c \
src/inotify.c src/iptables.c src/firewall.c \
src/nat.c tools/iptables-unit.c
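Review bot: adding src/firewall.c to tools_iptables_unit_SOURCES without any service or config source means every __connman_service_* and __connman_config_* symbol firewall.c references must be stubbed by hand in tools/iptables-unit.c; a comment next to this source list naming that dependency would stop the next addition to firewall.c from silently breaking the unit build.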
......@@ -28,6 +28,38 @@
#include "../src/connman.h"
enum connman_service_type connman_service_get_type(
struct connman_service *service)
return 0;
const char *__connman_service_type2string(enum connman_service_type type)
return "type";
enum connman_service_type __connman_service_string2type(const char *str)
return 0;
char *__connman_config_get_string(GKeyFile *key_file,
const char *group_name, const char *key, GError **error)
return NULL;
char **__connman_config_get_string_list(GKeyFile *key_file,
const char *group_name, const char *key, gsize *length, GError **error)
return NULL;
const char *__connman_service_get_name(struct connman_service *service) {
return NULL;
static bool assert_rule(int type, const char *table_name, const char *rule)
char *cmd, *output, **lines;
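Review bot: the __connman_config_get_string_list stub returns NULL without touching *length, so a caller in firewall.c that reads the length after a NULL result sees an uninitialized value; set `*length = 0;` when length is non-NULL before returning (and clear *error explicitly in both config stubs). Also, connman_service_get_type and __connman_service_string2type return 0 for every input, so the unit test can only drive the dynamic-rule path for a single technology type; mapping a couple of known names to distinct values would let the per-technology rules be exercised.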