This changes the firewall loading by setting first the rules for general
firewall and to enable default chain policies only if it succeeds. This
will prevent the device becoming a brick in sense of no networking in or
even out (as the DNS will be prevented) if a single rule in the configs
is wrong.

This commit blacklists following iptables matches defined with -m:
 - IPv4: iprange, recent, owner
 - IPv6: iprange, recent, owner, ttl

These will cause crash or errors that are not recoverable. The match -m
owner can be supported but requires more checks. It requires at least
one of --uid-owner, --gid-owner or --socket-exists additional switches.
There may be more to investigate on that -m owner.

Re-enabled IPv6 multiport which seems to work ok.

Improved parsing of iptables rules to check that the protocols defined
with -p and -m match, there is no -m protocol -m multiport used and -m
protocol does not exist without -p protocol.

Otherwise by defining these iptables either reports error or crashes
ConnMan.

Handle multiple set_tethering calls better

See merge request mer-core/connman!167

If two net.connman.Technology.SetProperty("Tethering", true) D-Bus calls
are received in quick succession, GSupplicantInterface can be NULL when
the second call is received (because we are still switching from infra to
AP mode).

That's what upstream does and that's what core expects.

Also, handle the case if wifi_plugin_set_tethering is called
again before tethering is still being turned on.

Revert check of both GSupplicant and GSupplicantInterface. Implement tethering fix.

See merge request mer-core/connman!166

If there is no GSupplicantInterface set for any of the WiFi devices do
not report tethering enabling as EOPNOTSUPP which causes a disabling
notification for tethering. It will tear down the firewall set for the
tethering. Instead, do nothing and return 0. Tethering will be
intitiated by src/tethering.c: __connman_tethering_set_enabled().

Also fix iptables test. -m udp -m multiport passes checks now but is
wrong and iptables calls exit().

This reverts commit 801d3092. Breaks
tethering on some devices. Better to fix differently.

Introduce dynamic rules for tethering.

See merge request mer-core/connman!165

This commit adds a failsafe mechanism to set policies of all chains to
ACCEPT in case the setup of dynamic rules fails due to iptables error.
It will cleanup and initialize iptables.c before setting the policies.

Also added a pre-cleanup for firewall. It sets the policies to defaults
before the iptables content is saved. This would prevent network
blocking in case of downgrading to version where the rules are not set.
The saved filter.v4 table then has not got DROP as default INPUT chain
policy.

Changed firewall rule enabling to report the last error and not to stop
when one error is encountered while enabling all rules.

This commit disables IPv6 match multiport as it does not seem to work
(iptables calls exit() on ConnMan).

Allowing to use two (2) matches (-m) in a rule which seems to be usual
maximum of the matches.

Check if either GSupplicant or GSupplicantInterface of the device has AP
capabilities.

This commit adds use of dynamic rules for tethering. When tethering is
enabled notifier calls tethering_changed which firewall.c reacts by
enabling firewall rules to allow from the tethering interface:
 - Wifi: existing rules set for the group "tethering", all if none set
 - All others (e.g., usb tethering uses gadget type): All traffic

Added a configuration group "tethering" which is identical to any other
device in the configuration, same rules apply. These rules are enabled
only for WiFi hotspot and used alone if they have been set. Empty
"tethering" group rules results in the default rules (all traffic). The
chain used does not matter, if there is at least only one rule, only
that one is applied.

If tethering ident is not set, plain "tethering_default" is used as
identifier to save the firewall context into the dynamic rules.

If tethering firewall cannot be created or enabled tethering is set off
by calling connman_technology_tethering_notify() that generates a proper
notification for UI to catch.

Changed to use plain interface name (ifname) when cloning or setting
interface info instead of struct connman_service. This way same
functions can be used with other than service state changing notifier
function. The ifname has to be passed as char* even though it is
duplicated for each rule that is affected because of glib list traversal
functions.

Add a get function for struct connman_technology tethering_ident char
variable and expose it internally.

Add a get function for struct connman_technology type (enum
connman_service_type).

Running tests with a null STORAGEDIR has a questionable value and is
causing runtime asserts which may be fatal depending on the setup.

Commit each rule one by one in iptables restore to avoid crashing.

See merge request mer-core/connman!163

Change to commit individual rules one by one to reduce the probability
of crashes. Policies are set with iptc library functions so they are not
to be committed with __connman_iptables_commit().

This way each read rule is instantly restored to iptables instead of
adding all of them in a row and committing after last. Crash may occur
if something else is called via glib main that alters iptables between
each call to iptables_parse_rule().

[connman] Check that iptables table exists before flush. Fixes JB#43931

See merge request mer-core/connman!164

This commit introduces checking of the iptables table name from the
iptables table names file before flushing. It works for IPv4 and IPv6.
If table does not exist in the file, it is not flushed.

The files to check are "/proc/net/ip_tables_names" for IPv4 and
"/proc/net/ip6_tables_names" for IPv6. The tables that are flushed are
kept as the same.

[connman] Require IPv6 iptables. Contributes to JB#42675

See merge request mer-core/connman!162

This commit adds iptables-ipv6 requirement for connman. It is vital for
IPv6 iptables operations.

Add dynamic firewall rules used per service.

See merge request mer-core/connman!160

Tests for the managed iptables rules read from firewall.conf are added
in this commit. The tests include installing a new set of rules using a
temporary firewall.conf (set in /tmp/connman_test), checking that rules
exist, checking that rules are added and removed when services go up and
down and that iptables is cleaned up properly after shutting down
(cleanup calls to iptables.c and firewall.c).

Also some invalid rules are checked. This list could be expanded later.

The temporary firewall.conf and the directory will be after tests
finish.

This commit changes the service type based dynamic rules to be service
identifier specific. Each service can have own ruleset, that is based on
the iptables rules set for the service type in firewall.conf.

All services of the same type have identical rules from the configuration.
The main reason of this is to accommodate the requirement of having two
simultaneous connections of same type to be online at the same time.

When a service is being connected for the first time a deep clone of the
firewall rule set for the service type is created. This firewall rule
set is removed from the internal current_dynamic_rules only when the
service is removed. When the service is disconnected the rules are
only removed from iptables, they remain in the firewall context of the
service for later use. The firewall rule id will be kept the same if the
firewall rule set is reused. Only thing that can change is the interface
to be used with the rule.

For an easier (and faster) check of whether the firewall is enabled a
new bool value is added to struct firewall_context. This is enabled when
firewall rules are added without error and id FW_ALL_RULES is given. It
is faster to check from this instead of going through all the rules
without any change to them if they are already enabled/disabled.

Added checks if the rules is valid UTF8 (if not, ignore). If the rule
starts with # character the rule is interpreted as commented out and is
not added. Rule must add with a '-' character as required by iptables,
otherwise the rule is ignored.

This commit introduces a support for general and dynamic firewall rules.
The rules are read from CONFDIR/firewall.conf. Additional configurations
are also supported, which must be put into CONFIGDIR/firewall.d/ and each
has to have "firewall.conf" suffix, e.g., 10-devmode-firewall.conf.

The rules in the configuration files are added to the specified
technology type rules or to general rules. The last config in the
directory can override the "General" section default policies for INPUT,
OUTPUT and FORWARD chains of filter table.

Managed chains are used so changes to content of filter table chains
INPUT, FORWARD, OUTPUT (neither for IPv4 or IPv6) are not done, except
for the policy. The format of the rules is the same as with iptables
rules, with exceptions detailed later in this message. The chain name
and policy name can be omitted in the config file.

Rules can be defined for IPv4 chains using INPUT, OUTPUT and FORWARD
keys in key config file. Rules for IPv6 chains can be set using
INPUT_IPv6, OUTPUT_IPv6 and FORWARD_IPv6. Default filter table policies
can be set only in General section and follow similar naming. IPv4
iptables default policies are set with keys that have a suffix "_POLICY"
added to the chain name. With IPv6 ip6tables policies the suffix is
"_POLICY_IPv6".

There can be general rules that are added to managed chains using
firewall.c functionality at firewall initialization and cleared at
firewall cleanup. General rules include defining policies for the default
filter table chains. The general rules section format (rules are
separated with semicolon ";" because comma "," is a separator for ports
in iptables rules):

INPUT = -p tcp -m tcp --dport 22 -j ACCEPT; -p udp -m udp -j ACCEPT
INPUT_IPv6 = -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
FORWARD =
OUTPUT = -p tcp -m multiport --sports 1024:65000 -j ACCEPT
INPUT_POLICY = DROP
OUTPUT_POLICY = ACCEPT
FORWARD_POLICY = ACCEPT
INPUT_POLICY_IPv6 = ACCEPT

After ConnMan is shut down the policies on each default chain in filter
table are being set to ACCEPT. By adding the rules via firewall.c the
managed tables are also cleared at shutdown.

Each technology connman supports can have own dynamic rules set in the
same firewall.conf file. These rules are enabled and disabled when a
service comes up (READY, CONNETED) or goes down (DISCONNECT, FAILURE,
IDLE) and the interface the service is using is applied into the rule.
The format for the dynamic rules is same, for example cellular:

INPUT = -p tcp -m multiport --dports 1:1024 -j DROP
OUTPUT = -p udp -m udp --dport 23 -j DROP; -p tcp -j ACCEPT
INPUT_IPv6 = -p tcp -m ssh -j ACCEPT; -p udp -m udp -j DROP

In chain INPUT -i <interface> is added, in chain FORWARD -o <interface>
is added and in chain OUTPUT -o <interface> is added. For this
particular reason -i and -o switches are forbidden in the rules.

The following switches (and their longer equivalents) are not allowed in
rules (rules having one of these are ignored):
 - Chain management switches (-A, -D, -X, -F, -I, -P, -E, -R, -Z)
 - Interface definitions (-i, -o), expcept for group General
 - IP address switches (-s, -d, --to-destination, --from-destination)
 - State modifiers -m comment and -m state (and -m conntrack with IPv6)

All regular targets (ACCEPT, DROP, REJECT, LOG, QUEUE) are allowed. In
these rules adding chains is not allowed so additional targets cannot be
used, hence the managed tables.

The protocols defined in iptables manual pages are allowed: tcp, udp,
udplite, icmp, icmpv6, ipv6-icmp, esp, ah, sctp, mh and the special
keyword all.

If -m multiport switch is used it has to have some of the default port
switches. If a port switch is used port numbers can be used or service
names. Ports have to be separated with commas (set) or semicolons
(range) as iptables rules format defines.

[connman] Improve IPv6 support. Add ICMP blocking. Fixes JB#42674

See merge request mer-core/connman!158

Add the type variable into each iptables.c function that was changed
when implementing IPv6 support.

All chains that have "connman-" prefix should be skipped by the iptables
extension. These are meant for internal use only.

This commit adds handling of iptables rules that have REJECT target set.
Each -j REJECT has --reject-with "type" (e.g., icmp-unreachable, that is
the default) when applying rules from saved iptables files.

This is similar to the comment handling and same code is utilized in
this also.

This commit adds tests for IPv6 enabled iptables. The tests are
identical to the existing iptables tests, except IPv6 "nat" table rules
are not tested as IPv6 NAT is not enabled.

Also a test tool for IPv6 iptables (ip6tables-test) has been added,
which is a clone of iptables-test. iptables-test.c has been modified to
support the changes in iptables.c.

Added ip6tables-save program to configure.ac and use of it in
Makefile.am for the updated iptables-unit test.

[connman] Apply our test changes on top of upstream change. JB#42674

Tests for ICMP rules for both IPv4 and IPv6 are added.

Tests for using firewall are retained in our fork as our firewall.c
differs from the upstream one in many ways.

This commit adds IPv6 support to firewall.c. Two new functions are added
to connman.h which allow to add and remove rules using IPv6
functionality that was added to iptables.c. This commit does not change
functionality of firewall.c, new functions are:
 - __connman_firewall_add_ipv6_rule()
 - __connman_firewall_remove_ipv6_rule()

The firewall functions operate on higher level than the iptables.c
functions so a clear separation of rule adding and removal is decided to
be implemented for IPv4 and IPv6. This abstracts the use of iptables and
for internal functionality this kind of separation of concerns here is
clarifying things instead of having to give a specific type for each
firewall function call.

This commit adds iptables management for IPv6 addresses. Existing
src/iptables.c is used as base and the functionality to support IPv6
iptables is included into existing code for the most part. Managing
iptables using IPv6 addresses does not differ much from IPv4 use, only
new structures of setting/getting rules have to be adapted into use. For
each existing __connman_iptables_*() a type variable (int) has been
added to indicate which address family (AF_INET/AF_INET6) is to be used.

Functionality remains the same as with iptables.c, only the function
parse_ipv6_and_mask() is rewritten comply with IPv6 address structures.
Functions is_same_ipt_entry() and iptables_blob() are copied to use
ip6t_* type structures.

The internal structures connman_iptables_entry and connman_iptables
were amended to include the iptables IPv6 structures and the address
family type. In order to avoid copying of large amounts of existing code
and to be able to use both IPv4 and IPv6 structures many existing
functions are changed from using struct ipt_entry/ipt_ip/ipt_replace
into using structures that contain pointers to both IPv4 and IPv6
structures.

Two new structures are introduced to act as containers for the IPv4 and
IPv6 types of iptables structures:
 - struct iptables_ip contains ipt_ip and ip6t_ip + type
 - struct iptables_replace contains ipt_replace and ip6t_replace + type
 - struct connman_iptables_entry is used as container for ipt_entry and
ip6t_entry

Helper functions for getting content from struct connman_iptables were
added to keep the code cleaner. Similarly for the struct
iptables_replace helper functions were added. Helper functions were also
added for getting content out of connman_iptables_entry struct.

In order to operate both IPv4 and IPv6 iptables the initialization has
to be done before each operation is executed if the IP type changes. For
this setup_xtables() function was added to change the iptables type and
to keep track of the current IP type to avoid unnecessary changes.

XT_ALIGN macro should be used instead of explicit ALIGN macro to define
struct alignments. In Linux kernel netfilter code it has been used for
IPv6 structs (kernel commit 06e1374a7ed45f1788353a2944a20133adc55649)
and the commonly used IPT_ALIGN(s) usually is defined to use XT_ALIGN
as well and has been renamed as XT_ALIGN in iptables 1.4.11.

XT_ALIGN is defined in linux/netfilter/x_tables.h, included via
xtables.h.

This commit replaces iptables.c explicitely defined struct error_target
with the xtables struct xt_error_target. It is better to use the struct
defined in xtables to maintain compatibility.

nat: Set file offset back to 0 before writing ip_forward

Kernel versions >= 4.5 have changed the default behavior[1] for file
offset handling on crop/says fs to strict write position handling:

  Respect file position when writing sysctl strings. Multiple writes
  will append to the sysctl value buffer. Anything past the max length
  of the sysctl value buffer will be ignored. Writes to numeric sysctl
  entries must always be at file position 0 and the value must be
  fully contained in the buffer sent in the write syscall.

We first read from /proc/sys/net/ipv4/ip_forward before writing to the
file. Without the lseek to 0 first the write is silentenly ignored.

Bug report from Neil MacLeod <neil@nmacleod.com>.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=41662f5cc55335807d39404371cfcbb1909304c4

Don't skip cellular services in auto_connect_service()

See merge request mer-core/connman!159