1. 24 Jul, 2019 1 commit
  2. 04 Jul, 2019 4 commits
    • Add service_schedule_changed() proto before move_service() · f93b8475
      Jussi Laakkonen authored
      Get fork to build after including upstream commit, in fork:
      be165aa6 - in upstream:
      acf200507c9a9648f0839d9a11d0a1215ae99a41
    • service: Prevent sending D-Bus error reply twice with hidden networks · 1a49ce63
      Jussi Laakkonen authored
      When the input request has timed out or some other error has occurred do
      not allow to send duplicate D-Bus error replies. This would result in
      crashes when hidden network is first informed with ETIMEDOUT and error
      is returned and if the __connman_device_request_hidden_scan() reports an
      error or that it is already running (EALREADY) and then second error
      reply is sent.
      
      After each reply to pending D-Bus message (reply_pending()) the
      service->pending is set NULL but since request_input_cb() holds the
      reference to the pending D-Bus message (user_data) there will be a
      second reply.
      
      This fixes the issue by 1) recording the error also when D-Bus error is
      other than Canceled to prevent connecting attempt at done label and 2)
      skipping hidden network connect in such case as well.
    • service: Signal when services are moved · be165aa6
      Benoît Monin authored
      When calling MoveBefore or MoveAfter on a service, no signal is emitted
      by ConnMan. This makes it impossible for a D-Bus client to maintain an
      ordered list of services in sync with ConnMan.
      
      This patch schedules the emission of the signal ServicesChanged from the
      function move_service(), so the new list will get published over D-Bus.
    • service: Return OperationAborted when agent gets Canceled · 2faa7972
      Daniel Wagner authored
      When the user decided to cancel the connect attempt, the agent sends
      net.connman.Agent.Error.Canceled. Currently, we return InvalidArgument
      for normal non-hidden networks and ConnectedAborted for hidden
      networks. Return OperationAborted also for non-hidden networks to
      avoid confusion on the user's end. That means the cancel operation was
      successful and nothing went wrong as invalid argument indicates.
      
      Reported by Vasyl Vavrychuk.
  3. 02 Jul, 2019 1 commit
  4. 27 Jun, 2019 2 commits
  5. 25 Jun, 2019 1 commit
  6. 24 Jun, 2019 1 commit
    • [connman] Save VPN service if autoconnect changes. Contributes to JB#45903 · ca72d6fa
      Jussi Laakkonen authored
      It is imperative to save the VPN service when autoconnect changes since
      otherwise the change is done only to run-time service settings and not
      written to disk if user has canceled VPN agent dialog, for example.
      Otherwise the data within connman and service file is out of sync, and
      next restart of connman will be a race between each of the VPNs that were
      attempted to connect but canceled by user.
  7. 13 Jun, 2019 1 commit
    • [connman] Initialise counter table entry before registering service counter. Contributes to JB#45681 · db0374b5
      chriadam authored
      __connman_service_counter_register() calls service_send_initial_stats()
      which calls __connman_counter_send_usage() which attempts to look
      up the counter entry in the global counter table.
      
      This commit ensures that the counter entry is inserted into the
      global counter table prior to calling
      __connman_service_counter_register() to ensure that the initial
      statistics are sent to the counter.
  8. 10 Jun, 2019 1 commit
  9. 04 Jun, 2019 1 commit
  10. 03 Jun, 2019 1 commit
    • [connman] Add access control to connman-vpn dbus interface. Contributes to JB#45379 · 9c30b7d1
      flypig authored
      Currently access to the connman-vpn dbus interfaces (connection and
      manager) is controlled only by the policy config, which sets `<policy
      at_console="true">`, allowing access to all users.
      
      This change adds internal access control to the connection dbus
      interface, which is configurable using a similar plugin approach as the
      existing access method implemented for connman. It also adds a
      Sailfish-specific plugin that blocks access for non-privileged users
      based on a policy file installed at /etc/connman/vpn-dbus-access.conf.
      
      The exceptions are the GetProperties and GetConnections dbus methods
      which are available to all users (including nemo).
      
      This Sailfish configuration is needed for MDM, to prevent users from
      being able to connect to and disconnect from VPNs when this capability
      is being restricted by the MDM policy.
  11. 29 May, 2019 3 commits
  12. 22 May, 2019 1 commit
  13. 13 May, 2019 3 commits
    • [connman] Fix service preference check. Contributes to JB#43191 · 4959dc60
      Jussi Laakkonen authored
      Ignore VPN services in service preference check. VPNs are special case
      depending on other services as transport. They are never in preferred
      technologies lists.
      
      Use the preferred technology type list instead of using service_list. It
      was wrong to use service_list here as service_preferred_over() is called
      while sorting it and will result in undesirable results. This fixes the
      sorting by simply using the service types to get their position in the
      list.
      
      Service preference is based on the position of the service type in the
      preferred technology list. Lower index means that service type is
      preferred over the one having higher index in the list. If the service
      type is not in the preferred technology list, then the one being in that
      list is preferred. Function service_preferred_over() is changed to return:
       *  1 when service b is preferred over a
       * -1 when service a is preferred over b
       *  0 when preference sorting does not apply
      
      Connected VPNs are preferred over any other service. Non-connected VPNs
      should be left as last.
      
      Also reduce log noise on __connman_service_is_default_route().
    • [connman] Revert 7b4e8094. Contributes to JB#43191 · 435e627b
      Jussi Laakkonen authored
      Revert "Do not update preferred order if VPN is as default."
      
      This reverts commit 7b4e8094. It seemed
      that this check caused more problems than it was originally solving. Reason
      is that other parts have been fixed properly now (this was mainly for
      VPNs).
    • [connman] Check preference for connected services. Contributes to JB#43191 · d62c1876
      Jussi Laakkonen authored
      It is unnecessary to do a service preference check for each service.
      This saves some processing time and reduces mem fragmentation as the
      list from preferred_tech_list_get() does not need to be free'd.
      
      The preference of services should be checked only for connected services
      when sorting service list. The services that are not connected will not
      be in the preferred technologies list. It might cause some confusion in
      the logs.
  14. 09 May, 2019 2 commits
  15. 07 May, 2019 1 commit
    • dnsproxy: Remove DNS servers of disconnected/idle service. · 3d1ddbb1
      Jussi Laakkonen authored
      This addresses the issue of having changing interface indexes with,
      e.g., VPNs that causes the DNS servers to accumulate in the list when
      the index of a VPN changes but the service and DNS server addresses
      remain the same. Reason for this is how find_server() behaves when
      adding new DNS servers.
      
      VPNs can change interface index more rapidly as they can be connected
      when the previous VPN connection is still disconnecting or cleaning up
      and the previous interface is up so new interface for the new VPN
      connection is brought up. The service, however, is still the same and so
      are the DNS servers.
      
      When such a thing happens and the DNS servers do not change,
      "src/dnsproxy.c:ns_resolv() Cannot send message to server 8.8.8.8 sock
      47 protocol 17 (Invalid argument/22)" is given as error. If there are
      no new DNS servers set by the new VPN connection DNS does not work until
      there is some other change triggering. Reason for this is that connected
      UDP sockets are used and when the error happens "netstat -un" displays
      a bunch of connections with IP different to what is currently used.
      
      By adding this service state listener enabling removal of the DNS
      servers of the disconnecting/idle service the issue described is
      eliminated. Removal of the DNS servers is done using the index of the
      disconnecting service, allowing to remove the DNS servers of a service
      that has begun its disconnection process. As a result the DNS server
      list keeps clean and when the VPN is re-connected with new interface the
      DNS servers are added again but they have correct interfaces set and
      further DNS requests can be sent.
  16. 24 Apr, 2019 1 commit
  17. 23 Apr, 2019 3 commits
    • [connman] Forward service state change if connection succeeds. JB#43191 · c1309efc
      Jussi Laakkonen authored
      When the service connection succeeds immediately indicate the new
      state. Successful immediate connections of provider or network do not
      forward the state changes and this makes it impossible for, e.g.,
      plugins/vpn.c to keep track of when the service/list/default changes.
      Same applies with service autoconnect and may result in improperly
      updated DNS servers.
      
      These issues happen usually when changing between different types of
      networks while having a VPN autoconnection set. In some cases VPN
      disconnection detection is not working or all of the DNS servers will
      remain disabled.
    • [connman] Update VPN dependency when default changes. JB#43191 · ae6d480a
      Jussi Laakkonen authored
      Update VPN dependency when the default service is changed. If VPN was
      already connected or connecting, it must be disconnected first.
    • [connman] Increase VPN autoconnect counter after connection check. JB#43191 · ba7ec3b1
      Jussi Laakkonen authored
      Increasing the counter for autoconnectable VPNs must be done after the
      connection check. Otherwise already connected VPNs may be attempted to
      reconnect and after the timer gets full, VPN gets disconnected and this
      thing starts again from the beginning.
      
      Also, use boolean to indicate if there is need for autoconnectable VPNs.
      Using increasing integer is unnecessary as there can be only one VPN per
      service (based on indexes, see connection.c).
  18. 08 Apr, 2019 1 commit
    • [connman] Fix firewall failsafe. Empty config is not error. Fixes JB#45308 · 25b654eb
      Jussi Laakkonen authored
      This commit fixes the firewall failsafe operation. The hash tables
      containing entries retrieved from iptables should not be freed within
      the same session where iptables is used. This seems to create more
      problems than it helps to solve. In some cases the pointers to free'd content
      are returned by iptables when failsafe has triggered causing
      non-continuous entrytables with invalid offsets.
      
      Also, do not treat empty or missing firewall config as error triggering
      firewall failsafe. No config = no changes.
  19. 07 Apr, 2019 1 commit
  20. 22 Mar, 2019 1 commit
    • [connman] Explicitly set device managed status for notifications. JB#43928 · e9844547
      Jussi Laakkonen authored
      This commit changes the device status notify by removing the managed
      boolean from each notify call. Instead, the managed state is to be set
      explicitly for the device using connman_device_set_managed(). The
      managed state can be checked with connman_device_get_managed().
      
      When managed state changes a device status change notification is sent
      without any change in the device status (no transition). This is to
      indicate each registered component about the managed state change only.
      When the on/off status change is done the transition is indicated
      (connman_device_has_status_changed_to()). If the managed state changes
      when there is no status set for the device no notification will be sent.
      If status does not change connman_device_status_notify() does not
      forward notify. Identical status to previous is sent only when the
      managed status is changed.
      
      Developer mode plugin sets managed state to false when an appropriate
      device comes up. This state is not changed when removing the device.
      
      Ethernet plugin is changed to ignore status changes in managed mode.
      If the device is managed then only in case the device status is off
      it needs to be processed in order to remove the device from list. If
      there is no change and device is not managed, notify is ignored.
      
      Similarly to ethernet plugin the firewall reacts only to non-managed
      notifies with status change and in case the device is managed and is put
      off.
      
      Tests are also updated to use the new managed approach instead of
      passing it along with notifies.
  21. 12 Mar, 2019 2 commits
    • [connman] Enable firewall for device using status notification. JB#43928 · aa066d89
      Jussi Laakkonen authored
      This commit adds function to enable and disable firewall configuration
      for a device. Process is similar to tethering notification use. When
      notified via notifier.c the interface from the struct connman_device is
      used as hash table identifier as well as the interface for the rule.
      
      The firewall rules contain allow all rule for the interface (incoming
      traffic). Existing firewall for the device is reused if found, to reduce
      memory fragmentation.
      
      If the device is managed it is ignored. Rules for the managed devices
      come from firewall configuration.
    • [connman] Add device status changed notify functionality. JB#43928 · 33e0e816
      Jussi Laakkonen authored
      Add device status changed functionality to notifier. It is utilized by
      plugins via device.c function connman_device_status_notify().
      
      The booleans:
       - on = device is on (true) or off (false)
       - managed = device is managed by connman (true) or externally (false)
  22. 11 Mar, 2019 1 commit
    • [connman] Fix ordering of dynamic and tethering firewall rules. JB#43924 · 21dfad1d
      Jussi Laakkonen authored
      This fixes the ordering of the dynamic and tethering rules in firewall.c
      so the rules are setup in proper order in iptables. Rules for the
      services (dynamic) and tethering are inserted on top of iptables and
      they are thus, processed in order but added in reverse (3 rules, insert
      0, insert 1 and insert 2 changed to insert 2, insert 1, insert 0 so rule
      order is 0,1,2 in iptables). This changes the sorting in these cases to
      be reverse in comparison to appending, which is the default action. When
      dynamic or tethering rules are added, a reverse sorting function is
      used.
      
      This does not solve the issue of having the rules in improper order when
      new rules are added, rules are reloaded and taken into use for a
      service that is already on. The order is fixed after the service, e.g.,
      WiFi is re-connected.
      
      Changed the 'type' names into more descriptive 'family'. Changed to use
      GINT_TO_POINTER in firewall failsafe when iterating chains instead of
      const char*.
  23. 12 Feb, 2019 1 commit
  24. 11 Feb, 2019 1 commit
    • [connman] Enable and parse address options in firewall. JB#43924 JB#43926 · c616257b
      Jussi Laakkonen authored
      This commit adds parsing for addresses (IP and hostname) when used with
      source or destination options in iptables rules. IP address and hostname
      checks from inet.c are utilized. The IP addresses can have CIDR format
      or IP address format netmask and can be separated with commas. Checks
      are different for IPv4 and IPv6. Hostname check in inet.c does not
      include DNS checking but checks only the format.
      
      Also the conntrack match options for setting source/destination
      origin/destinations are enabled. It is left for the iptables error
      parser to handle errors caused by duplicate use of conntrack switches.
      This is left as TODO.
      
      Tests are updated as well. A new test for the address options was
      required. Both IPv4 and IPv6 addresses are tested.
  25. 07 Feb, 2019 4 commits