[connman] Add dynamic and general firewall rule processing. JB#42675
This commit introduces support for general and dynamic firewall rules. The rules are read from CONFDIR/firewall.conf. Additional configurations are also supported, which must be put into CONFIGDIR/firewall.d/ and each has to have "firewall.conf" suffix, e.g., 10-devmode-firewall.conf.

The rules in the configuration files are added to the specified technology type rules or to general rules. The last config in the directory can override the "General" section default policies for INPUT, OUTPUT and FORWARD chains of filter table. Managed chains are used so changes to content of filter table chains INPUT, FORWARD, OUTPUT (neither for IPv4 nor IPv6) are not done, except for the policy.

The format of the rules is the same as with iptables rules, with exceptions detailed later in this message. The chain name and policy name can be omitted in the config file. Rules can be defined for IPv4 chains using INPUT, OUTPUT and FORWARD keys in key config file. Rules for IPv6 chains can be set using INPUT_IPv6, OUTPUT_IPv6 and FORWARD_IPv6. Default filter table policies can be set only in General section and follow similar naming. IPv4 iptables default policies are set with keys that have a suffix "_POLICY" added to the chain name. With IPv6 ip6tables policies the suffix is "_POLICY_IPv6".

There can be general rules that are added to managed chains using firewall.c functionality at firewall initialization and cleared at firewall cleanup. General rules include defining policies for the default filter table chains.

The general rules section format (rules are separated with semicolon ";" because comma "," is a separator for ports in iptables rules):

    INPUT = -p tcp -m tcp --dport 22 -j ACCEPT; -p udp -m udp -j ACCEPT
    INPUT_IPv6 = -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    FORWARD =
    OUTPUT = -p tcp -m multiport --sports 1024:65000 -j ACCEPT
    INPUT_POLICY = DROP
    OUTPUT_POLICY = ACCEPT
    FORWARD_POLICY = ACCEPT
    INPUT_POLICY_IPv6 = ACCEPT

After ConnMan is shut down the policies on each default chain in filter table are being set to ACCEPT. By adding the rules via firewall.c the managed tables are also cleared at shutdown.

Each technology connman supports can have its own dynamic rules set in the same firewall.conf file. These rules are enabled and disabled when a service comes up (READY, CONNECTED) or goes down (DISCONNECT, FAILURE, IDLE) and the interface the service is using is applied into the rule.

The format for the dynamic rules is the same, for example cellular:

    INPUT = -p tcp -m multiport --dports 1:1024 -j DROP
    OUTPUT = -p udp -m udp --dport 23 -j DROP; -p tcp -j ACCEPT
    INPUT_IPv6 = -p tcp -m ssh -j ACCEPT; -p udp -m udp -j DROP

In chain INPUT -i <interface> is added, in chain FORWARD -o <interface> is added and in chain OUTPUT -o <interface> is added. For this particular reason -i and -o switches are forbidden in the rules.

The following switches (and their longer equivalents) are not allowed in rules (rules having one of these are ignored):

 - Chain management switches (-A, -D, -X, -F, -I, -P, -E, -R, -Z)
 - Interface definitions (-i, -o), except for group General
 - IP address switches (-s, -d, --to-destination, --from-destination)
 - State modifiers -m comment and -m state (and -m conntrack with IPv6)

All regular targets (ACCEPT, DROP, REJECT, LOG, QUEUE) are allowed. In these rules adding chains is not allowed so additional targets cannot be used, hence the managed tables.

The protocols defined in iptables manual pages are allowed: tcp, udp, udplite, icmp, icmpv6, ipv6-icmp, esp, ah, sctp, mh and the special keyword all. If -m multiport switch is used it has to have some of the default port switches. If a port switch is used port numbers can be used or service names. Ports have to be separated with commas (set) or semicolons (range) as iptables rules format defines.
Showing with 1538 additions and 14 deletions
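The switch filtering described in the commit message, as an added sketch that is not the commit's own code: a key's value is split on ";" and any rule containing a forbidden switch is dropped. The function and array names are assumptions made for this example, and the long option spellings are the standard iptables equivalents of the short switches the message lists.

```c
#include <stdbool.h>
#include <string.h>

/* Switches the commit message forbids; long forms are the iptables equivalents. */
static const char *const always_bad[] = {
	"-A", "-D", "-X", "-F", "-I", "-P", "-E", "-R", "-Z", "--append",
	"--delete", "--delete-chain", "--flush", "--insert", "--policy",
	"--rename-chain", "--replace", "--zero", "-s", "-d", "--source", "--src",
	"--destination", "--dst", "--to-destination", "--from-destination", NULL };
static const char *const iface_bad[] = { "-i", "-o", "--in-interface", "--out-interface", NULL };
static const char *const m_flag[] = { "-m", "--match", NULL };
static const char *const m_bad[] = { "comment", "state", NULL };
static const char *const m_bad6[] = { "conntrack", NULL };

static bool in_list(const char *const *list, const char *tok, size_t n)
{
	for (; *list; list++)
		if (strlen(*list) == n && strncmp(tok, *list, n) == 0)
			return true;
	return false;
}

/* Check the rule starting at `rule` and ending at ';' or NUL (hypothetical helper). */
bool rule_allowed(const char *rule, bool general, bool ipv6)
{
	bool after_m = false, seen = false;
	for (;;) {
		rule += strspn(rule, " \t");
		size_t n = strcspn(rule, " \t;");
		if (n == 0)
			return seen;	/* end of rule; an empty rule is not a rule */
		if (in_list(always_bad, rule, n) || (!general && in_list(iface_bad, rule, n)))
			return false;
		if (after_m && (in_list(m_bad, rule, n) || (ipv6 && in_list(m_bad6, rule, n))))
			return false;
		after_m = in_list(m_flag, rule, n);
		seen = true;
		rule += n;
	}
}

/* Split a key's value on ';' and count the rules that would be kept. */
int count_allowed(const char *value, bool general, bool ipv6)
{
	int kept = 0;
	for (; *value; value += (*value == ';')) {
		kept += rule_allowed(value, general, ipv6);
		value += strcspn(value, ";");
	}
	return kept;
}
```

Matching is case-sensitive, so `-p` (protocol) passes while `-P` (policy) is rejected, and `--sports` is not confused with `-s`.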