- 30 Nov, 2018 5 commits
-
-
Jussi Laakkonen authored
This changes the firewall loading by setting first the rules for general firewall and to enable default chain policies only if it succeeds. This will prevent the device becoming a brick in sense of no networking in or even out (as the DNS will be prevented) if a single rule in the configs is wrong.
-
Jussi Laakkonen authored
This commit blacklists following iptables matches defined with -m:
- IPv4: iprange, recent, owner
- IPv6: iprange, recent, owner, ttl
These will cause crash or errors that are not recoverable. The match -m owner can be supported but requires more checks. It requires at least one of --uid-owner, --gid-owner or --socket-exists additional switches. There may be more to investigate on that -m owner. Re-enabled IPv6 multiport which seems to work ok.
-
Jussi Laakkonen authored
Improved parsing of iptables rules to check that the protocols defined with -p and -m match, there is no -m protocol -m multiport used and -m protocol does not exist without -p protocol. Otherwise by defining these iptables either reports error or crashes ConnMan.
-
Slava Monich authored
Handle multiple set_tethering calls better See merge request mer-core/connman!167
-
Slava Monich authored
If two net.connman.Technology.SetProperty("Tethering", true) D-Bus calls are received in quick succession, GSupplicantInterface can be NULL when the second call is received (because we are still switching from infra to AP mode).
-
- 29 Nov, 2018 11 commits
-
-
Slava Monich authored
-
Slava Monich authored
That's what upstream does and that's what core expects. Also, handle the case if wifi_plugin_set_tethering is called again before tethering is still being turned on.
-
Jussi Laakkonen authored
Revert check of both GSupplicant and GSupplicantInterface. Implement tethering fix. See merge request mer-core/connman!166
-
Jussi Laakkonen authored
If there is no GSupplicantInterface set for any of the WiFi devices do not report tethering enabling as EOPNOTSUPP which causes a disabling notification for tethering. It will tear down the firewall set for the tethering. Instead, do nothing and return 0. Tethering will be initiated by src/tethering.c: __connman_tethering_set_enabled(). Also fix iptables test. -m udp -m multiport passes checks now but is wrong and iptables calls exit().
-
Jussi Laakkonen authored
This reverts commit 801d3092. Breaks tethering on some devices. Better to fix differently.
-
Jussi Laakkonen authored
Introduce dynamic rules for tethering. See merge request mer-core/connman!165
-
Jussi Laakkonen authored
This commit adds a failsafe mechanism to set policies of all chains to ACCEPT in case the setup of dynamic rules fails due to iptables error. It will cleanup and initialize iptables.c before setting the policies. Also added a pre-cleanup for firewall. It sets the policies to defaults before the iptables content is saved. This would prevent network blocking in case of downgrading to version where the rules are not set. The saved filter.v4 table then has not got DROP as default INPUT chain policy.
-
Jussi Laakkonen authored
Changed firewall rule enabling to report the last error and not to stop when one error is encountered while enabling all rules.
-
Jussi Laakkonen authored
This commit disables IPv6 match multiport as it does not seem to work (iptables calls exit() on ConnMan). Allowing to use two (2) matches (-m) in a rule which seems to be usual maximum of the matches.
-
Jussi Laakkonen authored
Check if either GSupplicant or GSupplicantInterface of the device has AP capabilities.
-
Jussi Laakkonen authored
This commit adds use of dynamic rules for tethering. When tethering is enabled notifier calls tethering_changed which firewall.c reacts by enabling firewall rules to allow from the tethering interface:
- Wifi: existing rules set for the group "tethering", all if none set
- All others (e.g., usb tethering uses gadget type): All traffic

Added a configuration group "tethering" which is identical to any other device in the configuration, same rules apply. These rules are enabled only for WiFi hotspot and used alone if they have been set. Empty "tethering" group rules results in the default rules (all traffic). The chain used does not matter, if there is at least only one rule, only that one is applied.

If tethering ident is not set, plain "tethering_default" is used as identifier to save the firewall context into the dynamic rules. If tethering firewall cannot be created or enabled tethering is set off by calling connman_technology_tethering_notify() that generates a proper notification for UI to catch.

Changed to use plain interface name (ifname) when cloning or setting interface info instead of struct connman_service. This way same functions can be used with other than service state changing notifier function. The ifname has to be passed as char* even though it is duplicated for each rule that is affected because of glib list traversal functions.
-
- 28 Nov, 2018 1 commit
-
-
Jussi Laakkonen authored
Add a get function for struct connman_technology tethering_ident char variable and expose it internally. Add a get function for struct connman_technology type (enum connman_service_type).
-
- 26 Nov, 2018 1 commit
-
-
Slava Monich authored
Running tests with a null STORAGEDIR has a questionable value and is causing runtime asserts which may be fatal depending on the setup.
-
- 23 Nov, 2018 6 commits
-
-
Jussi Laakkonen authored
Commit each rule one by one in iptables restore to avoid crashing. See merge request mer-core/connman!163
-
Jussi Laakkonen authored
Change to commit individual rules one by one to reduce the probability of crashes. Policies are set with iptc library functions so they are not to be committed with __connman_iptables_commit(). This way each read rule is instantly restored to iptables instead of adding all of them in a row and committing after last. Crash may occur if something else is called via glib main that alters iptables between each call to iptables_parse_rule().
-
Jussi Laakkonen authored
[connman] Check that iptables table exists before flush. Fixes JB#43931 See merge request mer-core/connman!164
-
Jussi Laakkonen authored
This commit introduces checking of the iptables table name from the iptables table names file before flushing. It works for IPv4 and IPv6. If table does not exist in the file, it is not flushed. The files to check are "/proc/net/ip_tables_names" for IPv4 and "/proc/net/ip6_tables_names" for IPv6. The tables that are flushed are kept as the same.
-
Jussi Laakkonen authored
[connman] Require IPv6 iptables. Contributes to JB#42675 See merge request mer-core/connman!162
-
Jussi Laakkonen authored
This commit adds iptables-ipv6 requirement for connman. It is vital for IPv6 iptables operations.
-
- 22 Nov, 2018 8 commits
-
-
Jussi Laakkonen authored
Add dynamic firewall rules used per service. See merge request mer-core/connman!160
-
Jussi Laakkonen authored
Tests for the managed iptables rules read from firewall.conf are added in this commit. The tests include installing a new set of rules using a temporary firewall.conf (set in /tmp/connman_test), checking that rules exist, checking that rules are added and removed when services go up and down and that iptables is cleaned up properly after shutting down (cleanup calls to iptables.c and firewall.c). Also some invalid rules are checked. This list could be expanded later. The temporary firewall.conf and the directory will be after tests finish.
-
Jussi Laakkonen authored
This commit changes the service type based dynamic rules to be service identifier specific. Each service can have own ruleset, that is based on the iptables rules set for the service type in firewall.conf. All services of the same type have identical rules from the configuration. The main reason of this is to accommodate the requirement of having two simultaneous connections of same type to be online at the same time.

When a service is being connected for the first time a deep clone of the firewall rule set for the service type is created. This firewall rule set is removed from the internal current_dynamic_rules only when the service is removed. When the service is disconnected the rules are only removed from iptables, they remain in the firewall context of the service for later use. The firewall rule id will be kept the same if the firewall rule set is reused. Only thing that can change is the interface to be used with the rule.

For an easier (and faster) check of whether the firewall is enabled a new bool value is added to struct firewall_context. This is enabled when firewall rules are added without error and id FW_ALL_RULES is given. It is faster to check from this instead of going through all the rules without any change to them if they are already enabled/disabled.

Added checks if the rule is valid UTF-8 (if not, ignore). If the rule starts with # character the rule is interpreted as commented out and is not added. Rule must start with a '-' character as required by iptables, otherwise the rule is ignored.
-
Jussi Laakkonen authored
This commit introduces a support for general and dynamic firewall rules. The rules are read from CONFDIR/firewall.conf. Additional configurations are also supported, which must be put into CONFIGDIR/firewall.d/ and each has to have "firewall.conf" suffix, e.g., 10-devmode-firewall.conf. The rules in the configuration files are added to the specified technology type rules or to general rules. The last config in the directory can override the "General" section default policies for INPUT, OUTPUT and FORWARD chains of filter table.

Managed chains are used so changes to content of filter table chains INPUT, FORWARD, OUTPUT (neither for IPv4 or IPv6) are not done, except for the policy. The format of the rules is the same as with iptables rules, with exceptions detailed later in this message. The chain name and policy name can be omitted in the config file.

Rules can be defined for IPv4 chains using INPUT, OUTPUT and FORWARD keys in key config file. Rules for IPv6 chains can be set using INPUT_IPv6, OUTPUT_IPv6 and FORWARD_IPv6. Default filter table policies can be set only in General section and follow similar naming. IPv4 iptables default policies are set with keys that have a suffix "_POLICY" added to the chain name. With IPv6 ip6tables policies the suffix is "_POLICY_IPv6".

There can be general rules that are added to managed chains using firewall.c functionality at firewall initialization and cleared at firewall cleanup. General rules include defining policies for the default filter table chains. The general rules section format (rules are separated with semicolon ";" because comma "," is a separator for ports in iptables rules):

    INPUT = -p tcp -m tcp --dport 22 -j ACCEPT; -p udp -m udp -j ACCEPT
    INPUT_IPv6 = -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    FORWARD =
    OUTPUT = -p tcp -m multiport --sports 1024:65000 -j ACCEPT
    INPUT_POLICY = DROP
    OUTPUT_POLICY = ACCEPT
    FORWARD_POLICY = ACCEPT
    INPUT_POLICY_IPv6 = ACCEPT

After ConnMan is shut down the policies on each default chain in filter table are being set to ACCEPT. By adding the rules via firewall.c the managed tables are also cleared at shutdown.

Each technology connman supports can have own dynamic rules set in the same firewall.conf file. These rules are enabled and disabled when a service comes up (READY, CONNECTED) or goes down (DISCONNECT, FAILURE, IDLE) and the interface the service is using is applied into the rule. The format for the dynamic rules is same, for example cellular:

    INPUT = -p tcp -m multiport --dports 1:1024 -j DROP
    OUTPUT = -p udp -m udp --dport 23 -j DROP; -p tcp -j ACCEPT
    INPUT_IPv6 = -p tcp -m ssh -j ACCEPT; -p udp -m udp -j DROP

In chain INPUT -i <interface> is added, in chain FORWARD -o <interface> is added and in chain OUTPUT -o <interface> is added. For this particular reason -i and -o switches are forbidden in the rules.

The following switches (and their longer equivalents) are not allowed in rules (rules having one of these are ignored):
- Chain management switches (-A, -D, -X, -F, -I, -P, -E, -R, -Z)
- Interface definitions (-i, -o), except for group General
- IP address switches (-s, -d, --to-destination, --from-destination)
- State modifiers -m comment and -m state (and -m conntrack with IPv6)

All regular targets (ACCEPT, DROP, REJECT, LOG, QUEUE) are allowed. In these rules adding chains is not allowed so additional targets cannot be used, hence the managed tables.

The protocols defined in iptables manual pages are allowed: tcp, udp, udplite, icmp, icmpv6, ipv6-icmp, esp, ah, sctp, mh and the special keyword all. If -m multiport switch is used it has to have some of the default port switches. If a port switch is used port numbers can be used or service names. Ports have to be separated with commas (set) or semicolons (range) as iptables rules format defines.
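The constraints spread over the commit messages on this page (the firewall.conf key layout and the -i/-o interface binding for dynamic rules described above, the rule-must-start-with-'-' and '#' comment handling, the -p/-m consistency checks, the two-match limit and the -m blacklist from the 29 and 30 Nov commits) can all be applied before a rule ever reaches iptables, which is what stops a single bad rule from taking the device off the network. The following is an added example written for this page, not code from ConnMan (firewall.c and iptables.c hand rules to libiptc and are structured differently): a Python validator and firewall.conf loader that implements those constraints. The section names, the rmnet0 interface name, the rejection reasons and the sample configuration are assumptions for illustration. It follows the switch list in the message literally, so the INPUT_IPv6 conntrack line in the General example above would be rejected by it, and it does not know match names beyond the listed ones (the -m ssh in the cellular example passes through).

```python
"""Validate ConnMan-style firewall.conf rules (added example, not ConnMan code)."""
import configparser
import shlex

FORBIDDEN_SWITCHES = {"-A", "-D", "-X", "-F", "-I", "-P", "-E", "-R", "-Z",
                      "--append", "--delete", "--delete-chain", "--flush",
                      "--insert", "--policy", "--rename-chain", "--replace",
                      "--zero", "-s", "-d", "--source", "--destination",
                      "--to-destination", "--from-destination"}
IFACE = {"-i", "-o", "--in-interface", "--out-interface"}   # only in [General]
# State modifiers not allowed + matches that crash; IPv6 also refuses conntrack, ttl.
FORBIDDEN_V4 = {"comment", "state", "iprange", "recent", "owner"}
FORBIDDEN_V6 = FORBIDDEN_V4 | {"conntrack", "ttl"}
PROTOCOLS = {"tcp", "udp", "udplite", "icmp", "icmpv6", "ipv6-icmp", "esp",
             "ah", "sctp", "mh", "all"}
PORT_SWITCHES = {"--dports", "--sports", "--ports", "--destination-ports", "--source-ports"}
CHAIN_IFACE = {"INPUT": "-i", "FORWARD": "-o", "OUTPUT": "-o"}   # added to dynamic rules


def check_rule(rule, ipv6=False, general=False):
    """Return None if the rule is acceptable, otherwise the reason it is ignored."""
    try:
        rule = rule.decode("utf-8") if isinstance(rule, bytes) else rule
    except UnicodeDecodeError:
        return "not valid UTF-8"
    rule = rule.strip()
    if not rule or rule.startswith("#"):
        return "empty or commented out"
    if not rule.startswith("-"):
        return "rule must start with '-'"
    toks = shlex.split(rule)
    proto, matches = None, []
    for i, t in enumerate(toks):
        nxt = toks[i + 1].lower() if i + 1 < len(toks) else ""
        if t in FORBIDDEN_SWITCHES or (t in IFACE and not general):
            return f"switch {t} not allowed"
        if t in ("-p", "--protocol"):
            proto = nxt
            if proto not in PROTOCOLS:
                return f"unknown protocol {proto!r}"
        elif t in ("-m", "--match"):
            matches.append(nxt)
    if len(matches) > 2:   # two matches is the usual maximum
        return "more than two -m matches"
    for m in matches:
        if m in (FORBIDDEN_V6 if ipv6 else FORBIDDEN_V4):
            return f"-m {m} not allowed"
        # -m tcp/udp/... must agree with -p and must not be mixed with -m multiport
        if m in PROTOCOLS and (proto is None or m != proto or "multiport" in matches):
            return f"-m {m} needs -p {m} and no -m multiport"
    if "multiport" in matches and not PORT_SWITCHES.intersection(toks):
        return "-m multiport needs a port switch"
    return None


def load_firewall_conf(text, ifaces):
    """Parse firewall.conf text into (accepted, rejected, policies); ifaces maps a
    technology section to its interface name (ConnMan takes it from the service)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str   # keep INPUT and INPUT_IPv6 distinct
    cp.read_string(text)
    accepted, rejected, policies = [], [], {}
    for section in cp.sections():
        general = section == "General"
        for key, value in cp[section].items():
            if key.endswith(("_POLICY", "_POLICY_IPv6")):
                if general and value.strip() in ("ACCEPT", "DROP"):
                    policies[key] = value.strip()
                else:
                    rejected.append((section, key, value, "policy only in [General]"))
                continue
            ipv6 = key.endswith("_IPv6")
            chain = key[:-5] if ipv6 else key
            if chain not in CHAIN_IFACE:
                rejected.append((section, key, value, "unknown chain key"))
                continue
            for rule in filter(None, map(str.strip, value.split(";"))):   # ';' separates rules
                reason = check_rule(rule, ipv6, general)
                if reason:
                    rejected.append((section, key, rule, reason))
                    continue
                if not general:   # dynamic rule: bind it to the service interface
                    rule = f"{CHAIN_IFACE[chain]} {ifaces[section]} {rule}"
                accepted.append(("ip6" if ipv6 else "ip4", section, chain, rule))
    return accepted, rejected, policies


# Constructed sample, not a real device's firewall.conf; rmnet0 is an assumed name.
SAMPLE_CONF = """\
[General]
INPUT = -p tcp -m tcp --dport 22 -j ACCEPT; -p udp -m udp -j ACCEPT
OUTPUT = -p tcp -m multiport --sports 1024:65000 -j ACCEPT
INPUT_POLICY = DROP
[cellular]
INPUT = -p tcp -m multiport --dports 1:1024 -j DROP
OUTPUT = -p udp -m udp --dport 23 -j DROP; -p tcp -j ACCEPT; -o rmnet0 -j DROP
INPUT_IPv6 = -p udp -m udp -m multiport --dports 53 -j ACCEPT; # -p tcp -j DROP
INPUT_POLICY = DROP
"""
```

Calling `load_firewall_conf(SAMPLE_CONF, {"cellular": "rmnet0"})` yields six accepted rules (the cellular ones prefixed with `-i rmnet0` or `-o rmnet0`), four rejected entries each carrying its reason, and only the General INPUT_POLICY. Rejecting and continuing, rather than aborting, is the behaviour the 29 and 30 Nov commits settle on: set the surviving rules first and only then the DROP policies, so one typo in firewall.conf cannot leave the device with a DROP policy and no accept rules.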
-
Jussi Laakkonen authored
[connman] Improve IPv6 support. Add ICMP blocking. Fixes JB#42674 See merge request mer-core/connman!158
-
Jussi Laakkonen authored
-
Jussi Laakkonen authored
Add the type variable into each iptables.c function that was changed when implementing IPv6 support.
-
Jussi Laakkonen authored
All chains that have "connman-" prefix should be skipped by the iptables extension. These are meant for internal use only.
-
- 12 Nov, 2018 4 commits
-
-
Jussi Laakkonen authored
This commit adds handling of iptables rules that have REJECT target set. Each -j REJECT has --reject-with "type" (e.g., icmp-unreachable, that is the default) when applying rules from saved iptables files. This is similar to the comment handling and same code is utilized in this also.
-
Jussi Laakkonen authored
This commit adds tests for IPv6 enabled iptables. The tests are identical to the existing iptables tests, except IPv6 "nat" table rules are not tested as IPv6 NAT is not enabled. Also a test tool for IPv6 iptables (ip6tables-test) has been added, which is a clone of iptables-test. iptables-test.c has been modified to support the changes in iptables.c. Added ip6tables-save program to configure.ac and use of it in Makefile.am for the updated iptables-unit test.

[connman] Apply our test changes on top of upstream change. JB#42674

Tests for ICMP rules for both IPv4 and IPv6 are added. Tests for using firewall are retained in our fork as our firewall.c differs from the upstream one in many ways.
-
Jussi Laakkonen authored
This commit adds IPv6 support to firewall.c. Two new functions are added to connman.h which allow to add and remove rules using IPv6 functionality that was added to iptables.c. This commit does not change functionality of firewall.c, new functions are: - __connman_firewall_add_ipv6_rule() - __connman_firewall_remove_ipv6_rule() The firewall functions operate on higher level than the iptables.c functions so a clear separation of rule adding and removal is decided to be implemented for IPv4 and IPv6. This abstracts the use of iptables and for internal functionality this kind of separation of concerns here is clarifying things instead of having to give a specific type for each firewall function call.
-
Jussi Laakkonen authored
This commit adds iptables management for IPv6 addresses. Existing src/iptables.c is used as base and the functionality to support IPv6 iptables is included into existing code for the most part. Managing iptables using IPv6 addresses does not differ much from IPv4 use, only new structures of setting/getting rules have to be adapted into use.

For each existing __connman_iptables_*() a type variable (int) has been added to indicate which address family (AF_INET/AF_INET6) is to be used. Functionality remains the same as with iptables.c, only the function parse_ipv6_and_mask() is rewritten to comply with IPv6 address structures. Functions is_same_ipt_entry() and iptables_blob() are copied to use ip6t_* type structures. The internal structures connman_iptables_entry and connman_iptables were amended to include the iptables IPv6 structures and the address family type.

In order to avoid copying of large amounts of existing code and to be able to use both IPv4 and IPv6 structures many existing functions are changed from using struct ipt_entry/ipt_ip/ipt_replace into using structures that contain pointers to both IPv4 and IPv6 structures. Two new structures are introduced to act as containers for the IPv4 and IPv6 types of iptables structures:
- struct iptables_ip contains ipt_ip and ip6t_ip + type
- struct iptables_replace contains ipt_replace and ip6t_replace + type
- struct connman_iptables_entry is used as container for ipt_entry and ip6t_entry

Helper functions for getting content from struct connman_iptables were added to keep the code cleaner. Similarly for the struct iptables_replace helper functions were added. Helper functions were also added for getting content out of connman_iptables_entry struct.

In order to operate both IPv4 and IPv6 iptables the initialization has to be done before each operation is executed if the IP type changes. For this setup_xtables() function was added to change the iptables type and to keep track of the current IP type to avoid unnecessary changes.
-
- 08 Nov, 2018 2 commits
-
-
Jussi Laakkonen authored
XT_ALIGN macro should be used instead of explicit ALIGN macro to define struct alignments. In Linux kernel netfilter code it has been used for IPv6 structs (kernel commit 06e1374a7ed45f1788353a2944a20133adc55649) and the commonly used IPT_ALIGN(s) usually is defined to use XT_ALIGN as well and has been renamed as XT_ALIGN in iptables 1.4.11. XT_ALIGN is defined in linux/netfilter/x_tables.h, included via xtables.h.
-
Jussi Laakkonen authored
This commit replaces iptables.c explicitly defined struct error_target with the xtables struct xt_error_target. It is better to use the struct defined in xtables to maintain compatibility.
-
- 26 Oct, 2018 2 commits
-
-
Daniel Wagner authored
nat: Set file offset back to 0 before writing ip_forward

Kernel versions >= 4.5 have changed the default behavior[1] for file offset handling on proc/sysfs to strict write position handling:

    Respect file position when writing sysctl strings. Multiple writes will append to the sysctl value buffer. Anything past the max length of the sysctl value buffer will be ignored. Writes to numeric sysctl entries must always be at file position 0 and the value must be fully contained in the buffer sent in the write syscall.

We first read from /proc/sys/net/ipv4/ip_forward before writing to the file. Without the lseek to 0 first the write is silently ignored.

Bug report from Neil MacLeod <neil@nmacleod.com>.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=41662f5cc55335807d39404371cfcbb1909304c4
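The read-then-write pattern from this commit, with the offset reset and a read-back check, as an added example written for this page (not ConnMan's nat.c, which does the same thing in C). `set_sysctl` reads the current value, seeks back to position 0, writes, and re-reads to verify, since the kernel ignores a misplaced numeric sysctl write without returning an error. `demo` runs it against a constructed temporary file standing in for /proc/sys/net/ipv4/ip_forward so it can run unprivileged; the `seek_first=False` path reproduces the bug.

```python
"""Added example (not ConnMan code): write a sysctl value at file offset 0."""
import os
import tempfile


def set_sysctl(path, value, seek_first=True):
    """Read the current value, then write `value`; return (old, read_back).

    Since Linux 4.5 a numeric sysctl is only accepted when written at file
    position 0. Reading the old value first moves the offset, so the fixed
    pattern seeks back before writing; seek_first=False reproduces the bug.
    """
    fd = os.open(path, os.O_RDWR)
    try:
        old = os.read(fd, 32).strip().decode()   # offset now sits after the value
        if seek_first:
            os.lseek(fd, 0, os.SEEK_SET)         # the one-line fix from the commit
        os.write(fd, value.encode() + b"\n")
        os.lseek(fd, 0, os.SEEK_SET)
        # Always verify: on /proc/sys the kernel drops a misplaced write silently.
        read_back = os.read(fd, 32).strip().decode()
        return old, read_back
    finally:
        os.close(fd)


def demo(seek_first=True):
    """Stand-in for /proc/sys/net/ipv4/ip_forward: a constructed temp file holding 0."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write("0\n")
    try:
        return set_sysctl(f.name, "1", seek_first)
    finally:
        os.unlink(f.name)
```

On a regular file the broken variant shows up as appended data (`0\n1`), on the real ip_forward as an unchanged `0`; in both cases comparing `read_back` with the value you wrote catches it, which is the check a daemon should do before assuming forwarding is on. Writing the real path needs root: `set_sysctl("/proc/sys/net/ipv4/ip_forward", "1")`.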
-
Slava Monich authored
Don't skip cellular services in auto_connect_service() See merge request mer-core/connman!159
-