1. 30 Nov, 2018 4 commits
    • [connman] Do not change iptables policy if firewall fails. JB#43998 · 97d96313
      Jussi Laakkonen authored
      This changes the firewall loading by setting first the rules for the general
      firewall and enabling the default chain policies only if that succeeds. This
      will prevent the device becoming a brick in the sense of no networking in or
      even out (as DNS will be prevented) if a single rule in the configs
      is wrong.
    • [connman] Increase list of non-supported iptables matches. JB#43926 · 77cb270a
      Jussi Laakkonen authored
      This commit blacklists the following iptables matches defined with -m:
       - IPv4: iprange, recent, owner
       - IPv6: iprange, recent, owner, ttl

      These will cause a crash or errors that are not recoverable. The match -m
      owner can be supported but requires more checks. It requires at least
      one of the --uid-owner, --gid-owner or --socket-exists additional switches.
      There may be more to investigate on that -m owner.

      Re-enabled IPv6 multiport, which seems to work ok.
    • [connman] Improve firewall rule parsing. Contributes to JB#43926 · 4b73036e
      Jussi Laakkonen authored
      Improved parsing of iptables rules to check that the protocols defined
      with -p and -m match, that there is no -m protocol -m multiport used, and that
      -m protocol does not exist without -p protocol.

      Otherwise, by defining these, iptables either reports an error or crashes
      ConnMan.
    • [wifi] Handle multiple set_tethering calls better. Fixes JB#43984 · aa04b57c
      Slava Monich authored
      If two net.connman.Technology.SetProperty("Tethering", true) D-Bus calls
      are received in quick succession, GSupplicantInterface can be NULL when
      the second call is received (because we are still switching from infra to
      AP mode).
  2. 29 Nov, 2018 9 commits
    • Ignore ip6tables-test · cab2e5c3
      Slava Monich authored
    • [wifi] Report -EOPNOTSUPP if tethering is not supported · ec062628
      Slava Monich authored
      That's what upstream does and that's what core expects.

      Also, handle the case if wifi_plugin_set_tethering is called
      again while tethering is still being turned on.
    • [wifi] Report no error in tethering if GSupplicant is missing. JB#42927 · 485ee64e
      Jussi Laakkonen authored
      If there is no GSupplicantInterface set for any of the WiFi devices do
      not report tethering enabling as EOPNOTSUPP, which causes a disabling
      notification for tethering. It will tear down the firewall set for the
      tethering. Instead, do nothing and return 0. Tethering will be
      initiated by src/tethering.c: __connman_tethering_set_enabled().

      Also fix iptables test. -m udp -m multiport passes checks now but is
      wrong and iptables calls exit().
    • Revert "[wifi] Check AP mode using GSupplicant and GSupplicantInterface. JB#42927" · c1d8cf91
      Jussi Laakkonen authored
      This reverts commit 801d3092. Breaks
      tethering on some devices. Better to fix differently.
    • [connman] Implement firewall failsafe mechanism. Contributes to JB#43998 · 328e19f0
      Jussi Laakkonen authored
      This commit adds a failsafe mechanism to set the policies of all chains to
      ACCEPT in case the setup of dynamic rules fails due to an iptables error.
      It will clean up and initialize iptables.c before setting the policies.

      Also added a pre-cleanup for the firewall. It sets the policies to defaults
      before the iptables content is saved. This would prevent network
      blocking in case of downgrading to a version where the rules are not set.
      The saved filter.v4 table then does not have DROP as the default INPUT chain
      policy.
    • [connman] Ignore rule adding errors with managed firewall rules. JB#43998 · 2b89fd8c
      Jussi Laakkonen authored
      Changed firewall rule enabling to report the last error and not to stop
      when one error is encountered while enabling all rules.
    • [connman] Iptables rule: disable IPv6 -m multiport, support 2 x -m. JB#43992 · 48c1e54a
      Jussi Laakkonen authored
      This commit disables the IPv6 match multiport as it does not seem to work
      (iptables calls exit() on ConnMan).

      Allow the use of two (2) matches (-m) in a rule, which seems to be the usual
      maximum number of matches.
    • [wifi] Check AP mode using GSupplicant and GSupplicantInterface. JB#42927 · 801d3092
      Jussi Laakkonen authored
      Check if either GSupplicant or GSupplicantInterface of the device has AP
      capabilities.
    • [connman] Dynamic firewall rules for tethering. JB#43927 JB#43928 · b938908e
      Jussi Laakkonen authored
      This commit adds use of dynamic rules for tethering. When tethering is
      enabled the notifier calls tethering_changed, to which firewall.c reacts by
      enabling firewall rules to allow from the tethering interface:
       - Wifi: existing rules set for the group "tethering", all if none set
       - All others (e.g., usb tethering uses gadget type): All traffic

      Added a configuration group "tethering" which is identical to any other
      device in the configuration, same rules apply. These rules are enabled
      only for WiFi hotspot and used alone if they have been set. Empty
      "tethering" group rules result in the default rules (all traffic). The
      chain used does not matter, if there is at least only one rule, only
      that one is applied.

      If tethering ident is not set, plain "tethering_default" is used as
      identifier to save the firewall context into the dynamic rules.

      If tethering firewall cannot be created or enabled, tethering is set off
      by calling connman_technology_tethering_notify() which generates a proper
      notification for UI to catch.

      Changed to use plain interface name (ifname) when cloning or setting
      interface info instead of struct connman_service. This way the same
      functions can be used with notifier functions other than the service state
      changing one. The ifname has to be passed as char* even though it is
      duplicated for each rule that is affected because of glib list traversal
      functions.
  5. 23 Nov, 2018 2 commits
    • [connman] Iptables restore, commit rules one by one. Fixes JB#43925 · f5447bd5
      Jussi Laakkonen authored
      Change to commit individual rules one by one to reduce the probability
      of crashes. Policies are set with iptc library functions so they are not
      to be committed with __connman_iptables_commit().

      This way each read rule is instantly restored to iptables instead of
      adding all of them in a row and committing after the last. A crash may occur
      if something else is called via glib main that alters iptables between
      each call to iptables_parse_rule().
    • [connman] Check that iptables table exists before flush. Fixes JB#43931 · c907a917
      Jussi Laakkonen authored
      This commit introduces checking of the iptables table name from the
      iptables table names file before flushing. It works for IPv4 and IPv6.
      If the table does not exist in the file, it is not flushed.

      The files to check are "/proc/net/ip_tables_names" for IPv4 and
      "/proc/net/ip6_tables_names" for IPv6. The tables that are flushed are
      kept the same.
  6. 22 Nov, 2018 6 commits
    • [connman] Add tests for managed iptables rules. JB#42675 · e600ba71
      Jussi Laakkonen authored
      Tests for the managed iptables rules read from firewall.conf are added
      in this commit. The tests include installing a new set of rules using a
      temporary firewall.conf (set in /tmp/connman_test), checking that rules
      exist, checking that rules are added and removed when services go up and
      down and that iptables is cleaned up properly after shutting down
      (cleanup calls to iptables.c and firewall.c).

      Also some invalid rules are checked. This list could be expanded later.

      The temporary firewall.conf and the directory will be after tests
      finish.
    • [connman] Add service specific dynamic iptables rules. JB#42675 · 5864fb03
      Jussi Laakkonen authored
      This commit changes the service type based dynamic rules to be service
      identifier specific. Each service can have its own ruleset, which is based on
      the iptables rules set for the service type in firewall.conf.

      All services of the same type have identical rules from the configuration.
      The main reason for this is to accommodate the requirement of having two
      simultaneous connections of the same type online at the same time.

      When a service is being connected for the first time a deep clone of the
      firewall rule set for the service type is created. This firewall rule
      set is removed from the internal current_dynamic_rules only when the
      service is removed. When the service is disconnected the rules are
      only removed from iptables; they remain in the firewall context of the
      service for later use. The firewall rule id will be kept the same if the
      firewall rule set is reused. The only thing that can change is the interface
      to be used with the rule.

      For an easier (and faster) check of whether the firewall is enabled a
      new bool value is added to struct firewall_context. This is enabled when
      firewall rules are added without error and id FW_ALL_RULES is given. It
      is faster to check from this instead of going through all the rules
      without any change to them if they are already enabled/disabled.

      Added checks that the rule is valid UTF8 (if not, ignore). If the rule
      starts with the # character the rule is interpreted as commented out and is
      not added. A rule must start with a '-' character as required by iptables,
      otherwise the rule is ignored.
    • [connman] Add dynamic and general firewall rule processing. JB#42675 · ff57f580
      Jussi Laakkonen authored
      This commit introduces support for general and dynamic firewall rules.
      The rules are read from CONFDIR/firewall.conf. Additional configurations
      are also supported, which must be put into CONFIGDIR/firewall.d/ and each
      has to have the "firewall.conf" suffix, e.g., 10-devmode-firewall.conf.

      The rules in the configuration files are added to the specified
      technology type rules or to general rules. The last config in the
      directory can override the "General" section default policies for the INPUT,
      OUTPUT and FORWARD chains of the filter table.

      Managed chains are used, so changes to the content of the filter table chains
      INPUT, FORWARD, OUTPUT (neither for IPv4 nor IPv6) are not done, except
      for the policy. The format of the rules is the same as with iptables
      rules, with exceptions detailed later in this message. The chain name
      and policy name can be omitted in the config file.

      Rules can be defined for IPv4 chains using the INPUT, OUTPUT and FORWARD
      keys in the config file. Rules for IPv6 chains can be set using
      INPUT_IPv6, OUTPUT_IPv6 and FORWARD_IPv6. Default filter table policies
      can be set only in the General section and follow similar naming. IPv4
      iptables default policies are set with keys that have the suffix "_POLICY"
      added to the chain name. With IPv6 ip6tables policies the suffix is
      "_POLICY_IPv6".

      There can be general rules that are added to managed chains using
      firewall.c functionality at firewall initialization and cleared at
      firewall cleanup. General rules include defining policies for the default
      filter table chains. The general rules section format (rules are
      separated with semicolon ";" because comma "," is a separator for ports
      in iptables rules):

      INPUT = -p tcp -m tcp --dport 22 -j ACCEPT; -p udp -m udp -j ACCEPT
      INPUT_IPv6 = -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      FORWARD =
      OUTPUT = -p tcp -m multiport --sports 1024:65000 -j ACCEPT
      INPUT_POLICY = DROP
      OUTPUT_POLICY = ACCEPT
      FORWARD_POLICY = ACCEPT
      INPUT_POLICY_IPv6 = ACCEPT

      After ConnMan is shut down the policies on each default chain in the filter
      table are set to ACCEPT. By adding the rules via firewall.c the
      managed tables are also cleared at shutdown.

      Each technology connman supports can have its own dynamic rules set in the
      same firewall.conf file. These rules are enabled and disabled when a
      service comes up (READY, CONNECTED) or goes down (DISCONNECT, FAILURE,
      IDLE) and the interface the service is using is applied into the rule.
      The format for the dynamic rules is the same, for example cellular:

      INPUT = -p tcp -m multiport --dports 1:1024 -j DROP
      OUTPUT = -p udp -m udp --dport 23 -j DROP; -p tcp -j ACCEPT
      INPUT_IPv6 = -p tcp -m ssh -j ACCEPT; -p udp -m udp -j DROP

      In chain INPUT -i <interface> is added, in chain FORWARD -o <interface>
      is added and in chain OUTPUT -o <interface> is added. For this
      particular reason -i and -o switches are forbidden in the rules.

      The following switches (and their longer equivalents) are not allowed in
      rules (rules having one of these are ignored):
       - Chain management switches (-A, -D, -X, -F, -I, -P, -E, -R, -Z)
       - Interface definitions (-i, -o), except for group General
       - IP address switches (-s, -d, --to-destination, --from-destination)
       - State modifiers -m comment and -m state (and -m conntrack with IPv6)

      All regular targets (ACCEPT, DROP, REJECT, LOG, QUEUE) are allowed. In
      these rules adding chains is not allowed so additional targets cannot be
      used, hence the managed tables.

      The protocols defined in the iptables manual pages are allowed: tcp, udp,
      udplite, icmp, icmpv6, ipv6-icmp, esp, ah, sctp, mh and the special
      keyword all.

      If the -m multiport switch is used it has to have some of the default port
      switches. If a port switch is used, port numbers or service names can be
      used. Ports have to be separated with commas (set) or semicolons
      (range) as the iptables rules format defines.
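The rule checks described across these commit messages, collected into one Python model added here as an example (this is not ConnMan's C implementation in firewall.c or iptables.c): the forbidden switches, matches, targets and protocols and the ";" rule separator from ff57f580 above, the -p/-m consistency checks from 4b73036e, the match blacklist from 77cb270a and the two-match limit from 48c1e54a. The function names, the exact set of multiport port switches, the section-line handling and the two sample sections are assumptions made for this example. Rules that fail a check are collected with a reason instead of being applied, matching the commits' behaviour of ignoring bad rules rather than letting a single one take the firewall down:

```python
import shlex

CHAINS = ("INPUT", "OUTPUT", "FORWARD")
PROTOCOLS = {"tcp", "udp", "udplite", "icmp", "icmpv6", "ipv6-icmp",
             "esp", "ah", "sctp", "mh", "all"}
TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "QUEUE"}   # no custom chains
# Chain management and address switches (and their long forms) are never allowed.
FORBIDDEN_SWITCHES = {"-A", "--append", "-D", "--delete", "-X", "--delete-chain",
                      "-F", "--flush", "-I", "--insert", "-P", "--policy",
                      "-E", "--rename-chain", "-R", "--replace", "-Z", "--zero",
                      "-s", "--source", "-d", "--destination",
                      "--to-destination", "--from-destination"}
INTERFACE_SWITCHES = {"-i", "--in-interface", "-o", "--out-interface"}  # General only
FORBIDDEN_MATCHES = {"comment", "state"}   # -m conntrack is rejected for IPv6 below
BLACKLISTED_MATCHES = {4: {"iprange", "recent", "owner"},   # crash or unrecoverable
                       6: {"iprange", "recent", "owner", "ttl"}}
PORT_SWITCHES = {"--dports", "--destination-ports", "--sports",   # assumed set of
                 "--source-ports", "--ports"}                     # multiport switches
MAX_MATCHES = 2   # usual maximum number of -m matches in one rule


def validate_rule(rule, family, general=False):
    """Return None if the rule passes every check, otherwise the reason."""
    argv = shlex.split(rule)
    if not argv or not argv[0].startswith("-"):
        return "rule must start with a '-' switch"
    proto, matches, target = None, [], None
    for i, tok in enumerate(argv):
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if tok in FORBIDDEN_SWITCHES or (tok in INTERFACE_SWITCHES and not general):
            return f"switch {tok} is not allowed here"
        if tok in ("-p", "--protocol"):
            proto = nxt
        elif tok in ("-m", "--match"):
            matches.append(nxt)
        elif tok in ("-j", "--jump"):
            target = nxt
    if proto is not None and proto not in PROTOCOLS:
        return f"unknown protocol {proto!r}"
    if target not in TARGETS:
        return f"target {target!r} is not allowed"
    if len(matches) > MAX_MATCHES:
        return f"more than {MAX_MATCHES} -m matches"
    for m in matches:
        if m in FORBIDDEN_MATCHES or (m == "conntrack" and family == 6):
            return f"-m {m} is not allowed for IPv{family}"
        if m in BLACKLISTED_MATCHES[family]:
            return f"-m {m} is blacklisted for IPv{family}"
        if m in PROTOCOLS and m != proto:   # -m tcp needs -p tcp, and so on
            return f"-m {m} requires a matching -p {m}"
    if "multiport" in matches:
        if any(m in PROTOCOLS for m in matches):
            return "-m <protocol> cannot be combined with -m multiport"
        if not PORT_SWITCHES.intersection(argv):
            return "-m multiport requires a port switch"
    return None


def parse_section(lines, general=False):
    """Parse one firewall.conf section into (rules, policies, rejected)."""
    rules, policies, rejected = {}, {}, []
    for line in lines:
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or key.startswith("#"):
            continue
        family = 6 if key.endswith("_IPv6") else 4
        base = key[:-len("_IPv6")] if family == 6 else key
        is_policy = base.endswith("_POLICY")
        chain = base[:-len("_POLICY")] if is_policy else base
        if chain not in CHAINS:
            continue
        if is_policy:   # default policies are honoured only in General
            if general and value in ("ACCEPT", "DROP"):
                policies[(chain, family)] = value
            continue
        for rule in (r.strip() for r in value.split(";")):   # ';' separates rules
            if not rule or rule.startswith("#"):   # empty or commented out
                continue
            reason = validate_rule(rule, family, general)
            if reason:
                rejected.append((rule, reason))   # ignored, as the firewall does
            else:
                rules.setdefault((chain, family), []).append(rule)
    return rules, policies, rejected


# Constructed sample sections in the "KEY = rule; rule" format described above.
GENERAL_SECTION = """\
INPUT = -p tcp -m tcp --dport 22 -j ACCEPT; -p udp -m udp -j ACCEPT
FORWARD =
OUTPUT = -p tcp -m multiport --sports 1024:65000 -j ACCEPT
INPUT_POLICY = DROP
INPUT_POLICY_IPv6 = ACCEPT
""".splitlines()
CELLULAR_SECTION = """\
INPUT = -p tcp -m multiport --dports 1:1024 -j DROP; -i wlan0 -j ACCEPT; -p udp -m multiport -j DROP
OUTPUT = -p udp -m udp --dport 23 -j DROP; -p tcp -j ACCEPT; -m udp --dport 53 -j DROP; -p udp -m udp -m multiport --dports 53,67 -j DROP
INPUT_IPv6 = -p udp -m udp -j DROP; #-p tcp -j ACCEPT; -m iprange --src-range 2001:db8::1-2001:db8::9 -j DROP; -A INPUT -j ACCEPT; -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
INPUT_POLICY = DROP
""".splitlines()
```

parse_section(GENERAL_SECTION, general=True) accepts every rule and records the two policies; parse_section(CELLULAR_SECTION) keeps four rules, ignores the non-General INPUT_POLICY and returns seven rejected rules, each with its reason (interface switch outside General, multiport without a port switch, -m udp without -p udp, -m udp combined with -m multiport, blacklisted iprange, chain management switch -A, and conntrack on IPv6). Logging that rejected list is the check a practitioner would want when a single bad rule in the config would otherwise have left the device without networking.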
    • [connman] Accommodate IPv6 changes in sailfish iptables ext. JB#42674 · 063261bc
      Jussi Laakkonen authored
      Add the type variable into each iptables.c function that was changed
      when implementing IPv6 support.
    • [connman] Do not clear connman- prefixed iptables chains. JB#42674 · 51aa719f
      Jussi Laakkonen authored
      All chains that have the "connman-" prefix should be skipped by the iptables
      extension. These are meant for internal use only.
  7. 12 Nov, 2018 4 commits
    • [connman] Handle -j REJECT --reject-with in iptables saving. JB#42674 · 83e8d007
      Jussi Laakkonen authored
      This commit adds handling of iptables rules that have the REJECT target set.
      Each -j REJECT has --reject-with "type" (e.g., icmp-unreachable, that is
      the default) when applying rules from saved iptables files.

      This is similar to the comment handling and the same code is utilized in
      this also.
    • test: Add tests and test tool for IPv6 parts of iptables.c. · 5e43f72b
      Jussi Laakkonen authored
      This commit adds tests for IPv6 enabled iptables. The tests are
      identical to the existing iptables tests, except IPv6 "nat" table rules
      are not tested as IPv6 NAT is not enabled.

      Also a test tool for IPv6 iptables (ip6tables-test) has been added,
      which is a clone of iptables-test. iptables-test.c has been modified to
      support the changes in iptables.c.

      Added the ip6tables-save program to configure.ac and use of it in
      Makefile.am for the updated iptables-unit test.

      [connman] Apply our test changes on top of upstream change. JB#42674

      Tests for ICMP rules for both IPv4 and IPv6 are added.

      Tests for using firewall are retained in our fork as our firewall.c
      differs from the upstream one in many ways.
    • [connman] Introduce IPv6 support for firewall. Contributes to JB#42674 · 3a6db779
      Jussi Laakkonen authored
      This commit adds IPv6 support to firewall.c. Two new functions are added
      to connman.h which allow adding and removing rules using the IPv6
      functionality that was added to iptables.c. This commit does not change
      the functionality of firewall.c; the new functions are:
       - __connman_firewall_add_ipv6_rule()
       - __connman_firewall_remove_ipv6_rule()

      The firewall functions operate on a higher level than the iptables.c
      functions, so a clear separation of rule adding and removal is decided to
      be implemented for IPv4 and IPv6. This abstracts the use of iptables and
      for internal functionality this kind of separation of concerns here is
      clarifying things instead of having to give a specific type for each
      firewall function call.
    • iptables: Introduce IPv6 iptables management. · 01d9e260
      Jussi Laakkonen authored
      This commit adds iptables management for IPv6 addresses. Existing
      src/iptables.c is used as the base and the functionality to support IPv6
      iptables is included into the existing code for the most part. Managing
      iptables using IPv6 addresses does not differ much from IPv4 use, only
      new structures for setting/getting rules have to be adapted into use. For
      each existing __connman_iptables_*() a type variable (int) has been
      added to indicate which address family (AF_INET/AF_INET6) is to be used.

      Functionality remains the same as with iptables.c, only the function
      parse_ipv6_and_mask() is rewritten to comply with IPv6 address structures.
      Functions is_same_ipt_entry() and iptables_blob() are copied to use
      ip6t_* type structures.

      The internal structures connman_iptables_entry and connman_iptables
      were amended to include the iptables IPv6 structures and the address
      family type. In order to avoid copying large amounts of existing code
      and to be able to use both IPv4 and IPv6 structures, many existing
      functions are changed from using struct ipt_entry/ipt_ip/ipt_replace
      to using structures that contain pointers to both IPv4 and IPv6
      structures.

      Two new structures are introduced to act as containers for the IPv4 and
      IPv6 types of iptables structures:
       - struct iptables_ip contains ipt_ip and ip6t_ip + type
       - struct iptables_replace contains ipt_replace and ip6t_replace + type
       - struct connman_iptables_entry is used as container for ipt_entry and
         ip6t_entry

      Helper functions for getting content from struct connman_iptables were
      added to keep the code cleaner. Similarly for the struct
      iptables_replace helper functions were added. Helper functions were also
      added for getting content out of the connman_iptables_entry struct.

      In order to operate both IPv4 and IPv6 iptables the initialization has
      to be done before each operation is executed if the IP type changes. For
      this the setup_xtables() function was added to change the iptables type and
      to keep track of the current IP type to avoid unnecessary changes.
  8. 08 Nov, 2018 2 commits
    • iptables: Replace ALIGN macro with XT_ALIGN macro. · a460850c
      Jussi Laakkonen authored
      The XT_ALIGN macro should be used instead of the explicit ALIGN macro to define
      struct alignments. In Linux kernel netfilter code it has been used for
      IPv6 structs (kernel commit 06e1374a7ed45f1788353a2944a20133adc55649)
      and the commonly used IPT_ALIGN(s) usually is defined to use XT_ALIGN
      as well and has been renamed as XT_ALIGN in iptables 1.4.11.

      XT_ALIGN is defined in linux/netfilter/x_tables.h, included via
      xtables.h.
    • iptables: Use xt_error_target when adding new rules and chains. · 78be0382
      Jussi Laakkonen authored
      This commit replaces the explicitly defined struct error_target in iptables.c
      with the xtables struct xt_error_target. It is better to use the struct
      defined in xtables to maintain compatibility.
    • [ofono] Revert commit 9b9b872e. Fixes JB#43567 · a80aa7d5
      Slava Monich authored
      Removing the service when SIM card goes away (e.g. during shutdown)
      kills autoconnect flag for mobile data. That's because mobile data
      is enabled/disabled at individual service level, as opposed to wifi
      where it's turned on and off at higher (technology) level.

      Need to find a better way to stop cellular services from piling up.
  11. 23 Oct, 2018 1 commit
    • [vpn] Explicitly remove VPN service if provider removed. Fixes JB#42797 · 408d2627
      Jussi Laakkonen authored
      Remove the VPN service from the service.c service_list explicitly by using
      __connman_service_remove() when the provider is to be removed. In our fork
      it is not enough to call unref() for the service as the list has a weak
      reference for each. Because of this difference explicit removal is
      required in order to remove the VPN completely instead of haunting in
      the service_list.