1. 30 Nov, 2018 3 commits
    • [connman] Do not change iptables policy if firewall fails. JB#43998 · 97d96313
      Jussi Laakkonen authored
      This changes the firewall loading by setting first the rules for general
      firewall and to enable default chain policies only if it succeeds. This
      will prevent the device becoming a brick in sense of no networking in or
      even out (as the DNS will be prevented) if a single rule in the configs
      is wrong.
    • [connman] Increase list of non-supported iptables matches. JB#43926 · 77cb270a
      Jussi Laakkonen authored
      This commit blacklists following iptables matches defined with -m:
       - IPv4: iprange, recent, owner
       - IPv6: iprange, recent, owner, ttl
      These will cause crash or errors that are not recoverable. The match -m
      owner can be supported but requires more checks. It requires at least
      one of --uid-owner, --gid-owner or --socket-exists additional switches.
      There may be more to investigate on that -m owner.
      Re-enabled IPv6 multiport which seems to work ok.
    • [connman] Improve firewall rule parsing. Contributes to JB#43926 · 4b73036e
      Jussi Laakkonen authored
      Improved parsing of iptables rules to check that the protocols defined
      with -p and -m match, there is no -m protocol -m multiport used and -m
      protocol does not exist without -p protocol.
      Otherwise by defining these iptables either reports error or crashes
  2. 29 Nov, 2018 4 commits
    • [connman] Implement firewall failsafe mechanism. Contributes to JB#43998 · 328e19f0
      Jussi Laakkonen authored
      This commit adds a failsafe mechanism to set policies of all chains to
      ACCEPT in case the setup of dynamic rules fails due to iptables error.
      It will cleanup and initialize iptables.c before setting the policies.
      Also added a pre-cleanup for firewall. It sets the policies to defaults
      before the iptables content is saved. This would prevent network
      blocking in case of downgrading to version where the rules are not set.
      The saved filter.v4 table then has not got DROP as default INPUT chain
    • [connman] Ignore rule adding errors with managed firewall rules. JB#43998 · 2b89fd8c
      Jussi Laakkonen authored
      Changed firewall rule enabling to report the last error and not to stop
      when one error is encountered while enabling all rules.
    • [connman] Iptables rule: disable IPv6 -m multiport, support 2 x -m. JB#43992 · 48c1e54a
      Jussi Laakkonen authored
      This commit disables IPv6 match multiport as it does not seem to work
      (iptables calls exit() on ConnMan).
      Allowing to use two (2) matches (-m) in a rule which seems to be usual
      maximum of the matches.
    • [connman] Dynamic firewall rules for tethering. JB#43927 JB#43928 · b938908e
      Jussi Laakkonen authored
      This commit adds use of dynamic rules for tethering. When tethering is
      enabled notifier calls tethering_changed which firewall.c reacts by
      enabling firewall rules to allow from the tethering interface:
       - Wifi: existing rules set for the group "tethering", all if none set
       - All others (e.g., usb tethering uses gadget type): All traffic
      Added a configuration group "tethering" which is identical to any other
      device in the configuration, same rules apply. These rules are enabled
      only for WiFi hotspot and used alone if they have been set. Empty
      "tethering" group rules results in the default rules (all traffic). The
      chain used does not matter, if there is at least only one rule, only
      that one is applied.
      If tethering ident is not set, plain "tethering_default" is used as
      identifier to save the firewall context into the dynamic rules.
      If tethering firewall cannot be created or enabled tethering is set off
      by calling connman_technology_tethering_notify() that generates a proper
      notification for UI to catch.
      Changed to use plain interface name (ifname) when cloning or setting
      interface info instead of struct connman_service. This way same
      functions can be used with other than service state changing notifier
      function. The ifname has to be passed as char* even though it is
      duplicated for each rule that is affected because of glib list traversal
  3. 23 Nov, 2018 1 commit
    • [connman] Check that iptables table exists before flush. Fixes JB#43931 · c907a917
      Jussi Laakkonen authored
      This commit introduces checking of the iptables table name from the
      iptables table names file before flushing. It works for IPv4 and IPv6.
      If table does not exist in the file, it is not flushed.
      The files to check are "/proc/net/ip_tables_names" for IPv4 and
      "/proc/net/ip6_tables_names" for IPv6. The tables that are flushed are
      kept as the same.
  4. 22 Nov, 2018 2 commits
    • [connman] Add service specific dynamic iptables rules. JB#42675 · 5864fb03
      Jussi Laakkonen authored
      This commit changes the service type based dynamic rules to be service
      identifier specific. Each service can have own ruleset, that is based on
      the iptables rules set for the service type in firewall.conf.
      All services of the same type have identical rules from the configuration.
      The main reason of this is to accommodate the requirement of having two
      simultaneous connections of same type to be online at the same time.
      When a service is being connected for the first time a deep clone of the
      firewall rule set for the service type is created. This firewall rule
      set is removed from the internal current_dynamic_rules only when the
      service is removed. When the service is disconnected the rules are
      only removed from iptables, they remain in the firewall context of the
      service for later use. The firewall rule id will be kept the same if the
      firewall rule set is reused. Only thing that can change is the interface
      to be used with the rule.
      For an easier (and faster) check of whether the firewall is enabled a
      new bool value is added to struct firewall_context. This is enabled when
      firewall rules are added without error and id FW_ALL_RULES is given. It
      is faster to check from this instead of going through all the rules
      without any change to them if they are already enabled/disabled.
      Added checks if the rule is valid UTF8 (if not, ignore). If the rule
      starts with # character the rule is interpreted as commented out and is
      not added. Rule must add with a '-' character as required by iptables,
      otherwise the rule is ignored.
    • [connman] Add dynamic and general firewall rule processing. JB#42675 · ff57f580
      Jussi Laakkonen authored
      This commit introduces a support for general and dynamic firewall rules.
      The rules are read from CONFDIR/firewall.conf. Additional configurations
      are also supported, which must be put into CONFIGDIR/firewall.d/ and each
      has to have "firewall.conf" suffix, e.g., 10-devmode-firewall.conf.
      The rules in the configuration files are added to the specified
      technology type rules or to general rules. The last config in the
      directory can override the "General" section default policies for INPUT,
      OUTPUT and FORWARD chains of filter table.
      Managed chains are used so changes to content of filter table chains
      INPUT, FORWARD, OUTPUT (neither for IPv4 nor IPv6) are not done, except
      for the policy. The format of the rules is the same as with iptables
      rules, with exceptions detailed later in this message. The chain name
      and policy name can be omitted in the config file.
      Rules can be defined for IPv4 chains using INPUT, OUTPUT and FORWARD
      keys in key config file. Rules for IPv6 chains can be set using
      INPUT_IPv6, OUTPUT_IPv6 and FORWARD_IPv6. Default filter table policies
      can be set only in General section and follow similar naming. IPv4
      iptables default policies are set with keys that have a suffix "_POLICY"
      added to the chain name. With IPv6 ip6tables policies the suffix is
      There can be general rules that are added to managed chains using
      firewall.c functionality at firewall initialization and cleared at
      firewall cleanup. General rules include defining policies for the default
      filter table chains. The general rules section format (rules are
      separated with semicolon ";" because comma "," is a separator for ports
      in iptables rules):
      INPUT = -p tcp -m tcp --dport 22 -j ACCEPT; -p udp -m udp -j ACCEPT
      INPUT_IPv6 = -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      FORWARD =
      OUTPUT = -p tcp -m multiport --sports 1024:65000 -j ACCEPT
      After ConnMan is shut down the policies on each default chain in filter
      table are being set to ACCEPT. By adding the rules via firewall.c the
      managed tables are also cleared at shutdown.
      Each technology connman supports can have own dynamic rules set in the
      same firewall.conf file. These rules are enabled and disabled when a
      service comes up (READY, CONNECTED) or goes down (DISCONNECT, FAILURE,
      IDLE) and the interface the service is using is applied into the rule.
      The format for the dynamic rules is same, for example cellular:
      INPUT = -p tcp -m multiport --dports 1:1024 -j DROP
      OUTPUT = -p udp -m udp --dport 23 -j DROP; -p tcp -j ACCEPT
      INPUT_IPv6 = -p tcp -m ssh -j ACCEPT; -p udp -m udp -j DROP
      In chain INPUT -i <interface> is added, in chain FORWARD -o <interface>
      is added and in chain OUTPUT -o <interface> is added. For this
      particular reason -i and -o switches are forbidden in the rules.
      The following switches (and their longer equivalents) are not allowed in
      rules (rules having one of these are ignored):
       - Chain management switches (-A, -D, -X, -F, -I, -P, -E, -R, -Z)
       - Interface definitions (-i, -o), except for group General
       - IP address switches (-s, -d, --to-destination, --from-destination)
       - State modifiers -m comment and -m state (and -m conntrack with IPv6)
      All regular targets (ACCEPT, DROP, REJECT, LOG, QUEUE) are allowed. In
      these rules adding chains is not allowed so additional targets cannot be
      used, hence the managed tables.
      The protocols defined in iptables manual pages are allowed: tcp, udp,
      udplite, icmp, icmpv6, ipv6-icmp, esp, ah, sctp, mh and the special
      keyword all.
      If -m multiport switch is used it has to have some of the default port
      switches. If a port switch is used port numbers can be used or service
      names. Ports have to be separated with commas (set) or semicolons
      (range) as iptables rules format defines.
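
The rule restrictions listed in this commit message, written out as a standalone C check; this is an added example, not ConnMan's firewall.c code. The names `check_rule`, `count_accepted` and the status enum are assumptions, the long option forms are the iptables equivalents of the listed short switches, and the IPv6 `-m conntrack` restriction and protocol checks are left out.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum rule_status {
	RULE_OK,
	RULE_EMPTY,
	RULE_COMMENT,          /* starts with '#': treated as commented out */
	RULE_BAD_START,        /* does not start with '-' */
	RULE_FORBIDDEN_SWITCH, /* chain management, interface or address switch */
	RULE_FORBIDDEN_MATCH   /* -m comment or -m state */
};

/* Short switches from the commit message plus their iptables long forms. */
static const char *const chain_sw[] = {
	"-A", "--append", "-D", "--delete", "-X", "--delete-chain",
	"-F", "--flush", "-I", "--insert", "-P", "--policy",
	"-E", "--rename-chain", "-R", "--replace", "-Z", "--zero", NULL };
static const char *const iface_sw[] = {
	"-i", "--in-interface", "-o", "--out-interface", NULL };
static const char *const addr_sw[] = {
	"-s", "--source", "--src", "-d", "--destination", "--dst",
	"--to-destination", "--from-destination", NULL };
static const char *const bad_match[] = { "comment", "state", NULL };

static bool in_list(const char *tok, const char *const *list)
{
	for (; *list; list++)
		if (strcmp(tok, *list) == 0)
			return true;
	return false;
}

static bool is_blank(char c) { return c == ' ' || c == '\t'; }

/* Validate one rule of `len` bytes (no ';' inside). Interface switches
 * are tolerated only when the rule comes from the General group. */
static enum rule_status check_rule(const char *rule, size_t len, bool is_general)
{
	const char *p = rule, *end = rule + len;
	bool expect_match = false; /* previous token was -m / --match */
	char tok[32];

	while (p < end && is_blank(*p))
		p++;
	if (p == end)
		return RULE_EMPTY;
	if (*p == '#')
		return RULE_COMMENT;
	if (*p != '-')
		return RULE_BAD_START;

	while (p < end) {
		size_t n = 0;

		while (p + n < end && !is_blank(p[n]))
			n++;
		if (n < sizeof(tok)) {
			memcpy(tok, p, n);
			tok[n] = '\0';
			if (expect_match && in_list(tok, bad_match))
				return RULE_FORBIDDEN_MATCH;
			if (!expect_match && (in_list(tok, chain_sw) ||
					in_list(tok, addr_sw) ||
					(!is_general && in_list(tok, iface_sw))))
				return RULE_FORBIDDEN_SWITCH;
			expect_match = !expect_match &&
				(!strcmp(tok, "-m") || !strcmp(tok, "--match"));
		} else {
			expect_match = false; /* too long to be a listed switch */
		}
		p += n;
		while (p < end && is_blank(*p))
			p++;
	}
	return RULE_OK;
}

/* Split a config value on ';' and count the rules that would be kept. */
static int count_accepted(const char *value, bool is_general)
{
	int ok = 0;

	while (*value) {
		size_t len = strcspn(value, ";");

		if (check_rule(value, len, is_general) == RULE_OK)
			ok++;
		value += len;
		if (*value == ';')
			value++;
	}
	return ok;
}

int main(void)
{
	/* First value is the General INPUT line from the commit message;
	 * the second is constructed to show rejected rules. */
	const char *general =
		"-p tcp -m tcp --dport 22 -j ACCEPT; -p udp -m udp -j ACCEPT";
	const char *mixed = "-p tcp -j ACCEPT; -s 192.0.2.1 -j DROP; "
		"#-p udp -j DROP; -i wlan0 -j ACCEPT";

	printf("general: %d accepted\n", count_accepted(general, true));
	printf("mixed (dynamic): %d accepted\n", count_accepted(mixed, false));
	return 0;
}
```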
  5. 12 Nov, 2018 1 commit
    • [connman] Introduce IPv6 support for firewall. Contributes to JB#42674 · 3a6db779
      Jussi Laakkonen authored
      This commit adds IPv6 support to firewall.c. Two new functions are added
      to connman.h which allow to add and remove rules using IPv6
      functionality that was added to iptables.c. This commit does not change
      functionality of firewall.c, new functions are:
       - __connman_firewall_add_ipv6_rule()
       - __connman_firewall_remove_ipv6_rule()
      The firewall functions operate on higher level than the iptables.c
      functions so a clear separation of rule adding and removal is decided to
      be implemented for IPv4 and IPv6. This abstracts the use of iptables and
      for internal functionality this kind of separation of concerns here is
      clarifying things instead of having to give a specific type for each
      firewall function call.
  6. 13 Feb, 2018 1 commit
    • [firewall] Fixed use-after-free in __connman_firewall_remove_rule · a5b9ce65
      Slava Monich authored
      g_list_previous was accessing the pointer deallocated by g_list_remove:
      ==2161== Invalid read of size 4
      ==2161==    at 0xC6F6C: __connman_firewall_remove_rule (firewall.c:356)
      ==2161==    by 0xC720F: __connman_firewall_disable (firewall.c:442)
      ==2161==    by 0xAA8A3: cleanup_firewall (session.c:239)
      ==2161==    by 0xAE483: __connman_session_cleanup (session.c:1814)
      ==2161==    by 0x52427: main (main.c:902)
      ==2161==  Address 0x5321000 is 8 bytes inside a block of size 12 free'd
      ==2161==    at 0x4840B28: free (vg_replace_malloc.c:530)
      ==2161==    by 0x4C9FBB3: g_list_remove (glist.c:521)
      ==2161==    by 0xC6F33: __connman_firewall_remove_rule (firewall.c:360)
      ==2161==    by 0xC720F: __connman_firewall_disable (firewall.c:442)
      ==2161==    by 0xAA8A3: cleanup_firewall (session.c:239)
      ==2161==    by 0xAE483: __connman_session_cleanup (session.c:1814)
      ==2161==    by 0x52427: main (main.c:902)
      ==2161==  Block was alloc'd at
      ==2161==    at 0x483F3EC: malloc (vg_replace_malloc.c:299)
      ==2161==    by 0x4CA90DF: g_malloc (gmem.c:94)
      ==2161==    by 0x4CBEF51: g_slice_alloc (gslice.c:1025)
      ==2161==    by 0x4CA0077: g_list_append (glist.c:261)
      ==2161==    by 0xC6E97: __connman_firewall_add_rule (firewall.c:345)
      ==2161==    by 0xAA807: init_firewall (session.c:215)
      ==2161==    by 0xAE403: __connman_session_init (session.c:1799)
      ==2161==    by 0x522D7: main (main.c:864)
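
The pattern behind this report, as an added example that is neither the ConnMan code nor the commit's actual fix: when a node is freed during a backwards walk, the previous pointer has to be read before the removal. `struct node`, `list_delete`, `remove_rules` and `ALL_RULES` are hypothetical stand-ins for GList, g_list_remove, the rule removal function and its rule id.

```c
#include <stdio.h>
#include <stdlib.h>

#define ALL_RULES (-1) /* hypothetical "remove every rule" id */

/* Minimal doubly linked list node standing in for GLib's GList. */
struct node {
	int id;
	struct node *prev, *next;
};

static struct node *list_append(struct node *head, int id)
{
	struct node *n = calloc(1, sizeof(*n)), *tail = head;

	if (!n)
		abort();
	n->id = id;
	if (!head)
		return n;
	while (tail->next)
		tail = tail->next;
	tail->next = n;
	n->prev = tail;
	return head;
}

/* Unlink and free `victim`, returning the (possibly new) head. */
static struct node *list_delete(struct node *head, struct node *victim)
{
	if (victim->prev)
		victim->prev->next = victim->next;
	else
		head = victim->next;
	if (victim->next)
		victim->next->prev = victim->prev;
	free(victim);
	return head;
}

/*
 * Remove the rule with `id`, or every rule for ALL_RULES, walking from
 * the tail. The unsafe shape the Valgrind trace points at is
 *
 *   for (l = last; l; l = l->prev) { ...; head = list_delete(head, l); }
 *
 * where the loop step reads l->prev from the node that was just freed.
 * Here the previous pointer is saved before the node can be released.
 */
static int remove_rules(struct node **head, int id)
{
	struct node *l = *head, *prev;
	int removed = 0;

	while (l && l->next)
		l = l->next;
	while (l) {
		prev = l->prev; /* read while the node is still allocated */
		if (id == ALL_RULES || l->id == id) {
			*head = list_delete(*head, l);
			removed++;
		}
		l = prev;
	}
	return removed;
}

/* Build the constructed list 1,2,3, remove `id`, return what is left. */
static int remaining_after_remove(int id)
{
	struct node *head = NULL;
	int i, left = 0;

	for (i = 1; i <= 3; i++)
		head = list_append(head, i);
	remove_rules(&head, id);
	while (head) {
		head = list_delete(head, head);
		left++;
	}
	return left;
}

int main(void)
{
	printf("left after removing id 2: %d\n", remaining_after_remove(2));
	printf("left after removing all: %d\n", remaining_after_remove(ALL_RULES));
	return 0;
}
```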
  7. 06 Feb, 2018 1 commit
    • firewall: Remove old rules · 23c6d808
      Jose Blanquicet authored
      When a new service becomes ready or online, it is checked if its
      technology is more preferred than the one used by the current default
      gateway. If so, this new service becomes the new default gateway.
      When the tethering is enabled, a NAT rule is created to forward traffic
      between the interface playing the AP role and the interface connected
      to current default gateway. The problem comes out when the default
      gateway changes, because the NAT rule is disabled but not removed from
      the firewall rules list. Therefore, when the new rule is installed also
      the old rule is installed because it is still in the list. If it
      changes again, then three rules will be installed, and so on. They are
      never removed.
      This patch adds a deletion of all the rules from the firewall list
      exactly after they are disabled to avoid the described problem.
  8. 31 Aug, 2015 1 commit
    • firewall: Add support for single rule add/remove operations · 62b5f2fc
      Daniel Wagner authored
      We like to add and remove rules while the firewall is up and running.
      For example we need to insert per Session rule in the global NAT table.
      That could also be implemented by destroying the whole table and recreating
      it when needed but that is quite an overhead.
      Instead of taking the whole table down we add an API to add and
      remove new rules during runtime.
  9. 12 Apr, 2014 1 commit
    • Squashed 'connman/' changes from 075e1bb..97c3189 · c447d841
      Lorn Potter authored
      97c3189 Release 1.22
      86373b4 dnsproxy: Check split routing when creating a server
      27dba28 gdbus: Add g_dbus_client_set_ready_watch()
      8bc2a4e dnsproxy: Destroy list using g_list_free_full
      a33522d AUTHORS: Mention Maneesh's contributions
      5ecc2a1 doc: Add API documentation about WiFi P2P Peer
      48d43a8 test: Add method related to P2P services
      73f8579 gsupplicant: Fix WPS sync-up error with wpa_supplicant
      e5c6a34 session: Set state to disconnected when deactivating a session
      ee485f6 service: Use connect reason from the failed service
      90334bf session: Don't sent disconnects to sessions when updating
      9d727fd session: Disconnect on configuration or session change
      dd3492f session: Allow Session Connect and Disconnect be called multiple times
      3b6f9c2 client: Allow Session Connect and Disconnect be called multiple times
      e377722 session: Remove session, not service, from session list
      2dba966 session: Do not remove non existing policy routing tables
      aae5825 session: Do no create two instances of struct connman_service_info
      76cb209 session: Update active sessions only on Session Connect and Disconnect
      ddf176a nfacct: Remove support for NFACCT
      fa4176b session: Remove unused NFACCT rules
      32e260c session_policy_local: Do not use NULL as key to do a hash table lookup
      404c4a4 stats: Use bool type instead integer
      47b56b8 session: Update session state only after activation has been tried
      3cf2e18 session: Expand '*' to all bearer types
      027cbb0 AUTHORS: Mention Andrew's contributions
      844286e doc: Update connection managment algorithm
      4990bf7 test: Add a script to test P2P through wpa_supplicant DBus if
      a1d11b7 test: Remove useless supplicant's old DBus interface test script
      095a8f7 gdhcp: Refactor renew/rebind method
      cd2c5c5 gdbus: Replace g_timeout_add with g_idle_add
      c42a5f9 gdbus: Fix incorrect DBusConnection reference counting
      72cc087 gdbus: Fix memory leak
      12aad90 ntp: Exponential backoff when timeouting a sent message
      eef5afa ntp: Support Kiss-of-Death packet
      aed46d8 service: Check session policy before autoconnect is run.
      0f76471 session: Add session policy autoconnect support
      0e8b339 session: Make session policy global
      1f7f926 session: Assign a service to sessions
      d4cadd8 service: Disconnect on when last session is deactivated
      5280685 service: Add connect reason to debug out in auto connnect
      1a24280 service: Add connect reason to __connman_serice_auto_connect()
      afd8f2d service: Add connect reason to __connman_service_connect()
      88b837e session: Mark session active or inactive
      470013d session: Remove service selection implementation
      ec09003 Add Gadget session and weighting support.
      1a831b6 AUTHORS: Mention Glenn's and Jonathan's contributions
      996cbf1 src: Let systemd unmount remote filesystems before stopping connman
      a587af9 src: Add D-Bus autostart configuration file
      6ad4048 plugins: Add networking support to gadget plugin.
      c09371c src: Introduce define for CONNMAN_NETWORK_TYPE_GADGET.
      9abdf5f plugins: Refactor Gadget into separate plugin and file.
      1e4e965 AUTHORS: Mention Hannu's contributions
      30e16a1 ntp: Only accept NTP packets from the defined time server
      a29da8c wispr: Handle wispr redirect properly
      23fdeed inet: Eliminate misleading error logging
      cb88f96 AUTHORS: Mention Philippe's contributions
      089e52f README: Update recommended wpa_supplicant version and web page info
      3bb94d4 gdhcp: Factor out DHCP Request sending
      bd37ce0 Add REBOOTING state support for dhcp client
      289c7fc gsupplicant: Rely on wpa_supplicant retry mechanism
      9e59cc8 AUTHORS: Mention Alban's contributions
      82ad017 config: add ifb in NetworkInterfaceBlacklist default
      63aeaf6 src: Add Eduroam network .config file
      0d7ad08 doc: Fix formatting
      2ca6fb4 dnsproxy: Enable added DNS servers only for the default service
      4f04f75 service: Add helper function for detecting a default service index
      7b415b9 test: Add script for setting timezone
      fefd145 client: Add initial completion for config and session commands
      bd03493 client: Add support for monitor command completion
      12c6a7a client: Add completion for tether command
      f27040c client: Add on/off completion support for agent modes
      95d42a7 client: Complete only one service or technology where appropriate
      bee4ba8 client: Add helper function for ending readline completion
      27088b9 client: Remove extra string duplication when completing commands
      0f1dee2 client: Export command line word count function
      git-subtree-dir: connman
      git-subtree-split: 97c31890592867cc047154bc385d97620c3bb2f0
  10. 14 Mar, 2014 1 commit
    • Squashed 'connman/' changes from eda292c..075e1bb · cbb12cfd
      Lorn Potter authored
      075e1bb Release 1.21
      8e5b064 device: Security should be provided when scanning for a hidden SSID
      9768e63 AUTHORS: Mention Sjoerd's contributions
      bdd3f1c gweb: Handle proxies as addresses and hostnames
      b601ede .mailmap: Capitalize Zhengguang's name
      7b7343b wifi: Remove WiFi.AgentPassphrase from the wifi plugin
      d087ff2 network: Remove WiFi.AgentPassphrase from network
      fb2d1c5 service: Remove duplicate EAP AgentPassphrase information
      2ea3cb6 network: Return error code instead of boolean
      68f0816 dnsproxy: Check if socket is valid before using it
      6228f41 gsupplicant: Remove useless NULL pointer checks
      557f99d tools: Ignore errors about deprecated g_test_trap_fork
      8465f78 AUTHORS: Mention Jaehyun's and Zhengguang's contributions
      df66c9c bluetooth: Fix failure when enabling Bluez 5.x adapter
      3bba8c7 build: Remove gtk-doc infrastructure
      08b9ffe gweb: Add checks to validate DNS buffer
      91913c4 gsupplicant: A network ssid of length 0 is valid, it's an hidden one
      8047f3d Release 1.20
      03a7957 AUTHORS: Mention Bastien's, Michael's and Mateusz' contributions
      cc63e68 service: Call disconnect notifier when leaving 'ready' or 'online' states.
      0e2ee70 bluetooth_legacy: Handle network removal in the middle of enabling
      363393c gsupplicant: Fix empty string test
      3412d72 gsupplicant: Remove useless NULL pointer check
      92472e8 gdhcp: Return proper error values
      8ae0c48 session: Warn if nfacct support is missing
      11f302a service: Call disconnect notifier only when connected
      984b911 service: Update nameservers after IP state check
      e174b78 service: Use only nameservers whose IP type is enabled
      8df91a1 gsupplicant: Fix invalid memory access when network interface is removed
      a05682b gsupplicant: Support function to call any pending callbacks
      cd27afe build: Undefine _FORTIFY_SOURCE before redefining it
      4e9355a network: Do not access pointer after testing its valitiy
      373e56a nat: Free all resources in error case
      8f48beb hh2serial-gps: Check error returns when during init()
      ed11856 l2tp: Close file descriptors after use
      377da67 iptables: Remove dead code
      af4419c ipconfig: Remove dead code
      155863b gdhcp: Remove dead code
      284c964 client: strerror expects positive error codes
      1987d61 6to4: Return error code when tunnel_create() fails
      9dfd3fc dnsproxy: Check return value of get_req_udp_socket()
      080bc05 provider: __connman_error_failed() expects positive error codes
      9f245e1 vpn-manager: __connman_error_failed() expects positive error codes
      e5cdf25 nfacct: Don't setup nfacct until it's relevant to do so
      14cd5fd firewall: Don't do anything with iptables until really necessary
      9774fa2 service: Return fallback nameservers when no other available
      4a08c3b ntp: Support NTPv3 protocol version
      f05ee18 dnsproxy-test: Close socket in error path
      e6c7b22 tap-test: Set device name with null termination
      f066853 wifi: Do not access unitialized timestamp
      e6390f5 ipv4ll: Initialize socket variable
      0457297 log: Do not access array out of bounds
      17a300a timezone: Null terminate pathname
      bd27133 rtnl: Do not access variables out of scope
      0390d2b inet: Initialize flags to 0
      b99a849 core: Set device name with null termination
      cf09d7c inet: Close socket when leaving function early
      2f00994 dbus: Initialize uid for error path
      b39dfae service: Enable split routing
      4da8143 bluetooth-legacy: Do not turn off hci device when ConnMan stops
      62f62af bluetooth: Do not turn off hci device when ConnMan stops
      496f513 device: Disable had too strict checks which can prevent disconnect
      e08c88a dnsproxy: name variable should be initialized
      7e2d1ec network: Remove adhoc check as it is not needed
      e08e8f5 wifi: Ignore adhoc networks
      4905dc1 wifi: Reset device retry count on failure
      70388d1 wifi: Remove redundant initialization of zero'd wifi_data
      e2703e2 dhcp: Add useful IPv4 ll debug information
      32c1abe dhcp: Stop IPv4 ll state machine properly
      a710cd3 gdbus: Fix trying to remove already removed sources
      a44997b session: Remove policy_probe()
      386f340 AUTHORS: Mention Chengyi's and Tysen's contributions
      0465d8a iptables: iptables_replace returns the wrong error code
      9f4185b ipconfig: Do not remember interface name
      bcb7f23 rtnl: Do not remember interface name
      8c7e5d0 technology: Do not use interface name when adding interface
      168b6d8 technology: Do not use interface name when removing interface
      1c81ca7 vpn: Removed unused interface name variable
      d06050d rtnl: Set service type to unknown if interface can not be found
      da0f632 network: Stop DHCP for a failed network
      39b0822 gweb: Fix memory leak in session address
      51fb2c8 scripts: Function prototype fixes when function has no parameters
      8fc31fe plugins: Function prototype fixes when function has no parameters
      5c7a37b vpn: Function prototype fixes when function has no parameters
      671c905 tools: Function prototype fixes when function has no parameters
      ded0e13 src: Function prototype fixes when function has no parameters
      278e0ce dnsproxy: Fix crash because cache is NULL
      489127f gdbus: Remove not needed check for NULL DBusPendingCall
      575de63 gdbus: Check for NULL DBusPendingCall in g_dbus_send_message_with_reply
      4f9d0f6 Release 1.19
      af6d530 main.conf: Update FallbackNameservers description
      56ca4ac service: Add fallback nameservers to the Nameservers property
      10fe61d resolver: Use fallback nameservers when none are otherwise supplied
      87919ec config: Set the list separator to be comma
      86c6980 wispr: Get the proper proxy address from the result
      38b75ab gweb: Properly proceed a request through a proxy when one is set
      aaafe0b service: Proxy should be reset when disconnecting
      3ddbe85 pacrunner: Let ConnMan autostart PACrunner when doing proxy lookup
      eb768d3 session: Remove struct service_entry
      4833fcf session: Remove connect reason from struct service_entry
      536367c service: Remove state argument from service_iterator_cb()
      5edc149 session: Use service state getter
      89ae11a service: Add getter for service state
      8ecefc4 session: Move service_entry to struct connman_session
      6715a43 session: Use a hash table to lookup sessions by service_entry
      3de0402 service: Remove service name in service_iterate_cb()
      8314cd2 session: Do not cache service name, type or bearer
      8bd49d8 service: Run autoconnect on service disconnects
      64fd6a0 device: Remove unused reconnect setting functions
      7963aad service: Remove reconnect functions
      98d2b81 service: Log only on service add and remove from network
      a632fc3 service: Reduce logging when appending properties
      1b87cd7 device: Do not cleanup already provisioned interfaces
      39a68b3 inet: Add function to return interface IPv4 address and netmask
      fd9f99e config: Add function to check if IP address is provisioned
      0e46b1c TODO: Fix formatting
      ee65cb1 TODO: Add VPNC and OpenVPN VPN Agent task
      f9e2b0f service: Load and save VPN autoconnect state
      49e739a service: Add VPN autoconnect
      e85f2f2 service: Update service list sorting
      909990b client: Add a no-op input handler
      b2199d0 client: Fix unintended Manager monitor messages
      3a92f7e vpn: Update error_code() signature change
      fb92c17 openconnect: Unset Cookie on login failed
      c4a0275 vpn: Add provider struct to error code function
      2cce14a service: Check for immutable VPN service properties
      f0455e2 provider: Add a provider-specific immutable flag
      3d3b374 service: Take ordering into account when comparing connected services
      664e9c0 service: Fix VPN and service list order
      b80cddd core: Make stats hash table static
      eba9a6e service: Simplify return code in connman_service_get_timeservers()
      8133c32 dhcp: Store host and domain name in service struct
      ba9ec13 service: Set host and domain names when default service changes
      94804e1 service: Add functions to set/get a host name per service
      aa5b7d3 gdbus/client: Use g_dbus_add_properties_watch to track properties
      b2e7c61 gdbus/client: Use g_dbus_add_signal_watch to track signals
      5350bac gdbus/client: Use g_dbus_add_service_watch to track services
      807509e gdbus/watch: Fix crash when disconnecting from D-Bus
      8996db2 gdbus/watch: Fix aborting when removing D-Bus filter
      b169ad9 gdbus/watch: Fix crash when g_dbus_remove_watch is called from connect callback
      a5238e7 TODO: Mark Session API implementation done
      ea838d8 notifier: Use MAX_CONNMAN_SERVICE_TYPES instead of MAX_TECHNOLOGIES
      ce9fcdb session: Remove pending functions
      0db0d38 service: Remove session reference counting functions
      ac73850 session: Remove service reference counting
      0d69def doc: Update SessionMode description
      34e6ffb manager: Remove implementation around SessionMode
      f863575 session: Only add and remove connected services
      ebe52c5 service: Add helper function for fetching the name of a service
      3ae61c3 session: Remove calls to service connect and disconnect
      0a9606e service: Use session information when autoconnecting
      fdcda5a session: Update autoconnect with active session service types
      3526fbf service: Add function counting number of sessions using a service type
      98473aa service: Reorganize service autoconnect function
      75ec8d2 service: Simplify autoconnect code
      c0a1d90 tools: Update session unit tests
      c71bd85 tools: Fix already exists test
      4121dbe TODO: Mark multiple agents task done
      ba87b99 agent: Make sure there is an agent before asking user
      6352c3f vpn: Make sure there is an agent before asking user
      c53b88e agent: Add multi agent support
      1b986e1 agent: API changes required for multi agent support
      b7b0d64 vpn: Unregister agent driver before removing provider
      1b0629f service: Unregister agent driver before removing service
      bfaa23f agent: Check that message exists before calling dbus
      cb25395 agent: Change the name of the agent struct
      3ca00a8 gdbus: Fix emitting PropertiesChanged twice
      0d86c21 gdbus: Avoid calling dbus_connection_send*
      31764f9 gdbus: Add g_dbus_send_message_with_reply
      202b74f gdbus: Fix sending ObjectManager/Properties signals out of order
      5619eb9 config: Allow omitting gateway from IPv4 and IPv6 setting
      7cc0b72 service: Change default service before updating service order
      2be7d77 service: Do not change default service if new default is not connected
      1ffe8aa service: Re-doing wispr check needs to increment service ref count
      b1741a0 service: Clear default service pointer when service is removed
      c9d8a0a service: More debug prints when default service is changed
      110abe3 ipconfig: Fix possible memory leak in ipconfig loading
      55ec085 ipconfig: Make sure IPv4 method is set before saving it
      21cace4 vpn-provider: ProtocolFamily is an int32
      d40329b ofono: Remove unused variable
      4dc3410 bluetooth: Leading whitespace fix
      d1665b4 bluetooth: Use dbus_bool_t when accessing a D-Bus boolean
      dda5546 dundee: 32bits boolean should be used due to dbus in relevant places
      1281e8b vpn: 32bits boolean should be used due to dbus in relevant places
      1997f45 ofono: 32bits boolean should be used due to dbus in relevant places
      13fe78c service: 32bits boolean should be used due to dbus in relevant places
      479c973 technology: 32bits boolean should be used due to dbus in relevant places
      cf064e9 Release 1.18
      a5d3817 TODO: Update command line client task
      33ebe58 service: Debug print caused segfault
      377c594 doc: Improve plugin documentation
      4215992 log: Replace timebased ratelimit function with one that prints once
      1ef0b07 service: Do not clear 802.1x credentials when connecting
      167dc80 loopback: Fix spelling of loopback
      719dcfb config: Return success after reading ethernet service section
      316cfc4 AUTHORS: Mention Luca's and Peter's contributions
      92cf003 vpn: Document that values in vpn-config-format.txt do not comprise whitespace
      4c66d75 vpn: Use function to trim trailing whitespace
      2d61b56 vpn: Add functions trimming trailing whitespace when reading config values
      a9c7ad1 doc: Document that values in config-format.txt do not comprise whitespace
      eb9da48 config: Use function to trim trailing whitespace when reading config files
      a380bb1 config: Add functions trimming trailing whitespace when reading config values
      24ed0b2 ipconfig: Accept correct spelling of preferred
      db95cff client: Display correct spelling of preferred in connmanctl usage text
      b33b5c2 doc: Fix typo of preferred
      8d2d14c doc: Fix typos in advanced-configuration.txt
      a996d84 client: Fix setting session state to disconnected
      0350fc3 wifi: Fix a memory leak when trying to connect a disconnecting network
      b872618 rtnl: Print out warning when WEXT newlink messages are seen
      95cde6f log: Add rate limiting warn message
      8e4b5d7 gsupplicant: Use uint32 instead of string for wep_tx_keyidx
      26ada06 client: Add Session configuration support
      0b0dfaf client: Add support functions for Session Update message creation
      b8c8540 client: Add Session notification printing and Release handling
      6150b8a client: Initial session support
      ed2d980 client: Add helper function for adding a D-Bus dict
      52ec323 client: Add append function to D-Bus method call helper
      c43d3a5 main: Use gboolean type in GOptionEntry
      115cb9c readme: Document kernel options needed by session
      ba4d4ed nfacct: Make sure nfacct is there before accessing it
      d482e18 iptables: Alignment fixes
      b5d9c25 client: Remove unnecessary printout
      2d1f9cd client: Rename command completion callback function
      892b803 client: Implement autocompletion for offline mode
      5a3c477 client: Fix service and technology completion while monitoring
      55f6589 client: Add completion for technologies
      0ef9b74 client: Add completion for services
      477173f Release 1.17
      8378438 tethering: Check failure if NAT cannot be enabled
      024c06d inet: Clarify the code by not casting the function pointer
      1dc0844 dhcpv6: Timeout timer was not cleared after receiving a reply
      eadec4e todo: Mark DHCPv6 DECLINE message support done
      e51c91f dhcpv6: Check if we need to do DAD
      c7fcf8f dhcpv6: Add DECLINE message support
      61be283 dhcpv6: Use different callback than DHCPv4
      ebd29dc gdhcp: Add DHCPv6 DECLINE message checks
      1da88d5 gdhcp: Add function that adds addresses to IA_NA or IA_TA options
      ca32a30 gdhcp: Add function to remove DHCPv6 options that should not be sent to server
      508526d dhcpv6: Added duplicate address detection calls
      06c892f service: Do not try to save if service is NULL
      7351d73 inet: Add function for IPv6 Duplicate Address Detection
      fd2c1d4 main: Ensure the end of service type list is set properly
      9857cd6 session: Use D-Bus owner to create unique paths for sessions
      d146379 session: Error function expects positive values
      d811fdb tools: Fix compilation warning on possible uninitialization
      65f1ff1 service: Do not send state changed signal if we are already in idle state
      6b64387 service: Newline cleanup
      38c1662 dhcpv6: Expire time was incorrectly calculated
      60ee35f ippool: IP address collision fix
      d2b3f4e ippool: Removed inclusion of getopt.h as it is not needed
      6185fd6 wifi: Postpone a hidden discovery if a scan is already running
      5786830 device: Let the scan function decide on current status
      419c4c7 gsupplicant: Make sure it's possible to scan again when a scan is done
      600f186 openvpn: Don't set additional VPN network properties
      c96f0cc pptp: Don't set additional VPN network properties
      c871ca6 l2tp: Don't set additional VPN network properties
      312270a doc: Update Service API doc with provisioned and hidden WiFi
      444e084 doc: Change coding style for NULL pointer checks
      8e0b538 tools: Fix whitespace issue
      aa1e9fb shared: Fix whitespace issue
      7cc0e05 core: Fix overlong line
      0f418b4 gweb: Fix overlong line
      90cdfca gdhcp: Fix overlong line
      747f6ca client: Remove unnecessary braces
      72f711b client: Fix whitespace issues
      6764183 core: Do not compare expression against NULL
      313d102 vpn: Do not compare expression against NULL
      a0a24ba unit: Do not compare expression against NULL
      c879c4f tools: Do not compare expression against NULL
      bd99aaa core: Do not compare expression against NULL
      bc16b1a scripts: Do not compare expression against NULL
      9c779a4 plugins: Do not compare expression against NULL
      98cd55e gweb: Do not compare expression against NULL
      555a166 gsupplicant: Do not compare expression against NULL
      fae59f2 gdhcp: Do not compare expression against NULL
      b8311f9 client: Do not compare expression against NULL
      37472f1 ofono: Use dbus_bool_t for D-Bus functions
      68445cb dnsproxy: Possible socket leak if running out of memory
      d6a3a39 bluetooth: Check pointer for null before passing to strcmp()
      72fc5cf bluetooth: Address pointer might be null when creating nap
      c27e223 client: Avoid possible uninitialized memory access
      242bb5a dhcpv6: Check that prefix is in valid range
      5a46026 gdhcp: Remove obsolete dhcpv6 support functions
      4f3a601 gdhcp: Remove function to set the dhcpv6 expire time
      584fecd dhcpv6: Fix rebind when doing prefix delegation
      e513e25 dhcpv6: Start solicitation if addresses expired
      038c6fd dhcpv6: Fixing the renew and rebind logic
      f07141b dhcpv6: REBIND IA option was missing IP addresses
      f281d25 dhcpv6: REBIND was sent too late
      884babd dhcpv6: Do REBIND after T2
      305b607 client: Don't pretty-print hidden WiFi network as '<hidden>'
      6fd9e3f service: Always notify pending D-Bus clients of disconnect
      862159c doc: Document that unplugging Ethernet will remove the service
      e67f44e README: Add info how to create traces with timestamps
      8c99c24 dhcp: Add interface index to DHCP debug label
      a063238 gdhcp: Use REQUEST_TIMEOUT for renew request
      8bf42fc dhcp: Add a separate DHCP client for IPv4LL
      6feedae gdhcp: Report no lease found instead of starting IPv4LL
      0508254 AUTHORS: Mention Terry's contributions
      c562954 gdhcp: Fix byte order for send_discover()
      7a2d00e technology: Do not send any rfkill to kernel after receiving one
      10ce0a8 technology: Check hardblock when returning from offline mode
      7044545 gsupplicant: Only add interface when wpa_supplicant is in ready state
      507c98f dhcp: Pass in stdbool type values to the DHCP callback
      fd9e5c6 ofono: Fix bool type for D-Bus message
      40aa7a2 technology: Fix style issue caused by earlier coccinelle patch
      7026821 session-utils: Use g_test_add_vtable directly
      d4d6f5d vpnc: Use stdbool defines for true and false
      d4fa1ce main: Use stdbool defines for true and false
      fbf9f8d config: Use stdbool defines for true and false
      543dbfd connection: Use bool type instead of int
      d052eb3 TODO: Mark bool cleanup done
      86d2592 build: Remove unused types.h header
      15d8db8 vpn: Whitespace cleanup
      817053d unit: Whitespace cleanup
      c75d61f tools: Whitespace cleanup
      8847596 core: Whitespace cleanup
      e1eedf1 scripts: Whitespace cleanup
      7918142 gsupplicant: Whitespace cleanup
      2f4c06d gdhcp: Whitespace cleanup
      571fdfd client: Whitespace cleanup
      ad7abb5 plugins: Whitespace cleanup
      b89fa6d vpn: Convert to stdbool with coccinelle
      0f3df75 unit: Convert to stdbool with coccinelle
      47e034b tools: Convert to stdbool with coccinelle
      a56c9f7 core: Convert to stdbool with coccinelle
      bf61588 scripts: Convert to stdbool with coccinelle
      304dfa9 plugins: Convert to stdbool with coccinelle
      30773ab include: Convert to stdbool with coccinelle
      8c2ca22 gweb: Convert to stdbool with coccinelle
      165eec0 gsupplicant: Convert to stdbool with coccinelle
      11ee4af gdhcp: Convert to stdbool with coccinelle
      df2ae22 client: Convert to stdbool with coccinelle
      0ca492b core: Included stdbool.h
      5d56021 plugins: Included stdbool.h
      5b87a18 tools: fix include
      5b4bbff gdhcp: Included stdbool.h
      1a8e8a3 gweb: Included stdbool.h
      e25fc73 vpn: Included stdbool.h
      22afaa9 include: Included stdbool.h
      a77455e vpn: Use dbus_bool_t with D-Bus functions
      14b4bba tools: Use dbus_bool_t with D-Bus functions
      5d92b1e plugins: Use dbus_bool_t with D-Bus functions
      647ecc0 core: Use dbus_bool_t with D-Bus functions
      1f63c00 dnsproxy: Use boolean variables correctly
      c190e46 session-test: Pass in struct test_fix into tests
      adce56f session: Use GLib typedef for callback
      1daa424 timeserver: Fix ts_recheck() signature
      3cf33b7 readme: USB gadget tethering kernel options added
      be294f9 ethernet: Create USB gadget device driver
      ad79c1a technology: Return error if no devices can be found for a technology
      339f05f technology: Technology must have a name when saving its data
      9d1fbfe technology: USB gadget technology type had no name
      f020c1e wifi: Make sure we ref the network before using it in callback
      677b2d4 session: Do not delete invalid policy routing entry
      ae6afc2 build: Build a simpler version of libgdbus-internal
      42cf3ab build-sys: Use libgdbus-internal.la
      70e7b0d doc: Add information how Technologies can be controlled
      48dbff3 technology: Follow external rfkill events and act accordingly
      c3c35b8 technology: Checking offline mode separately when rfkill device is added
      f2a958c technology: Do not activate technology if returning from hardblock while in offline mode
      5378ab9 technology: Print information when technology is switched on
      54f0d5c Release 1.16
      831028d AUTHORS: Mention Constantin's contributions
      8b1f599 inet: Check parameters before trying to clear IP address
      46bbe4e wifi: Memory leak when creating a supplicant scan request
      8b952da plugin: Remove NEED_THREADS
      5bd3965 service: Send state changed signal after downgrading state
      ea030b9 nat: Use managed iptables API for MASQUERADE rule
      db4dc1a dhcpv6: Update service DNS search domain list
      edcb7fa service: Add function to update the DNS search domain list
      bb06c47 gdhcp: Domain search list DHCPv6 option is checked
      df37290 dhcpv6: Do not send DNS options in CONFIRM message
      b3a7700 readme: Add bug reporting information
      31005cf build: Remove unused --enable-threads configure switch
      ffe6305 wifi: Interface creation callback might arise when it is not ready yet
      f62d6d6 nfacct: Use unsigned int for error codes
      c7e1574 shared/nfacct: Use unsigned int for error codes
      d534dc6 shared/netlink: Use unsigned int for error codes
      a727163 shared/util: Move cb_data_new() helpers to util header
      f3775eb readme: Clarify how the wpa_supplicant D-Bus autostart behaves
      a0786d8 client: Support openconnect Agent API fields
      2052499 openconnect: Add support for final VPN server
      0a99d79 openconnect: Use VPN string OpenConnect.ServerCert
      67df5dc openconnect: Use OpenConnect.ServerCert from the RequestInput reply
      45d6b58 openconnect: The --cafile argument is not needed for openconnect
      daadd1b openconnect: Drop cookie argument from run_connect()
      e4ce120 openconnect: Use oc_private_data instead of request_input_reply
      90dffd5 openconnect: Move code earlier in the file
      d758a7b openconnect: Request missing openconnect information
      70880bb doc: Document openconnect certificate and server options
      f101bba dhcpv6: Set addresses after we have checked the status code
      d79565c dhcpv6: Set addresses from CONFIRM reply if status is ok
      06b4396 dhcpv6: Most of the reply error handling was missing
      1f5c57d dhcpv6: Enable checking of reply error codes
      aa5413f tethering: Cleanup tethering when connman is shutting down
      30c0dbc inet: Remove unused gateway setting functions
      10a3beb connection: Use netlink functions to set default gateway
      8aae35a tethering: Use the prefix length from ippool instead of hard coded value
      f7b865e tethering: Add debug print so we notice restarts
      3ddffce nfacct: Do not fail in nfacct_flush_cb() when NFACCT is not supported
      17badd6 netlink-test: Use assertion to verify results
      a5f3d04 nfacct: netlink uses positive error codes
      83bb349 ipv6pd: Change PD status according to uplink IPv6 status
      416a2d6 ipv6pd: Check IPv6 support
      6b43ca3 ipconfig: Add support function to return ipconfig IPv6 status
      1243114 network: Set service disconnect state correctly
      3b98cf0 network: Function name was missing a proper prefix
      55f5273 tethering: Activate IPv6 prefix delegation support when tethering
      905c0e9 ipv6pd: IPv6 prefix delegation implementation logic
      55b7b2d dhcpv6: Add prefix delegation release support
      50c44d5 dhcpv6: Add prefix delegation renew support
      68bc0b7 dhcpv6: Initial IPv6 prefix delegation support
      73f1b79 ipconfig: Save and load delegated IPv6 prefixes
      24fc3de inet: Add functions to receive ICMPv6 router solicitation messages
      4b6daf1 inet: Add function to send ICMPv6 router advertisement message
      1744fd5 gdhcp: Print more error information if DHCPv6 message send failed
      a25b411 gdhcp: Get server DUID if we do not know it yet
      f59d373 gdhcp: Read only sub-option amount of data
      c88cd2e gdhcp: IPv6 prefix delegation support
      707f011 gdhcp: Pretty print DUID to the debug log
      9fe12b7 gdhcp: Ignore server DUID missing error
      3051ef6 gdhcp: Print debug information about sent requests
      d9a852d inet: Enhance debug print usefulness
      9d99f58 inet: Return errors correctly when setting multicast options
      932e1b9 inet: Add function to get the link local address attached to an interface
      3aa5313 inet: Fix ICMPv6 checksum calculation
      6520dc9 doc: Update Session overview
      462d368 netlink-test: Use open coded message creation instead of struct
      333f863 netlink-test: Fix printf format string for uint64_t
      be21997 nfacct: Fix DBG() format string for uint64_t
      41f3712 README: Add kernel config options for full Session support
      bd8cd2c session: Add routing and accounting iptables rules
      45c3bbd session: Add global firewall rules
      f48f9b9 session: Add policy routing table
      009171b session: Add NFACCT rules per session
      cd8a209 session: Flush all NFACCT rules on bootup
      36e2dcc session: Store creation related data into a struct
      21aa00b nfacct: Add helper function for managing several rules
      755217a nfacct: Add __connman_nfacct_flush()
      19ca578 netlink-test: Add NFACCT low level test
      41c54f5 nfacct: Add NFACCT
      fd71731 shared: Add a copy of the nfnetlink_acct.h kernel header
      030f578 netlink-test: Add test program for netlink
      d25b22c netlink: process_multi() should call handler on done
      d765b15 netlink: Port ELL's version of netlink
      32baa22 inet: Add function to remove default route from a routing table
      a4d3e1b inet: Add function to setup default route to a routing table
      cba24db inet: Add functions to setup fwmark to routing table
      1d64996 session_policy_local: Don't look up hash tables using NULL key
      e8344a9 session_policy_local: Add support for UID/GID only
      49671af session_policy_local: Call failed_create() with the real user pointer
      aeaeb4b gdbus: Remove proxies when client disconnects
      260608b wifi: Memory leak when tethering
      9286090 ippool: Memory leak
      fbe905a client: Fix passphrase handling
      cbc629f client: Implement VPN Agent API RequestInput method call
      66dcdec client: Add vpnagent command to register and unregister VPN Agent
      1ac8610 client: Implement support for queueing Agent messages
      01fe75b client: Add VPN Agent support for Release, Cancel and ReportError
      2e43802 client: Create agent data structure and pass it in function callbacks
      ba7f46b client: Don't handle Agent messages in monitor code
      ab78ab7 client: Fix DBUS_TYPE_UINT16 pretty-printing
      475a695 dhcpv6: Send domain list option to server
      05a3f47 unit: Multiple collisions with different pools
      e51fdfd unit: Test ippool collision differently
      35ccdc8 ippool: Clear allocated block pointer at cleanup
      5f5910b ippool: Private address check was incorrect
      58ec105 service: Send proxy properties when connected or disconnected
      b4f0e90 technology: Offlinemode could not be disabled if no technology was powered
      4c50210 TODO: Mark GSequence removal done
      02d4740 service: Use GList instead of GSequence for service list
      afa245f session: Use GList instead of GSequence for service list
      9342269 session: Use service iterator instead of match/creation callbacks
      2386b67 service: Initialize tech_data
      2476ce7 client: Avoid printing extra prompt on RequestInput
      db6ec6b client: Read D-Bus string type only if argument is 'Type'
      a6aa682 client: Pretty-print D-Bus signed integers
      9a048c1 client: Add VPN monitoring support
      ab7294a client: Add support for displaying VPN connections
      667f355 client: Add VPN connection helper function
      5186846 client: Add parameter to specify D-Bus service for method call
      032adc9 client: Add missing header file boilerplate
      77ade69 dhcpv6: Make sure release message is sent
      0515b22 build: Add session policy format document
      df1a4cb doc: Document session policy file format
      7eca790 session-test: Add tests for session_policy_local
      b553c5a session_policy_local: Set session identification method
      2ffa1d6 session: Add session identification method to config
      9c5cb53 session_policy_local: Retrieve UID/GID from session user
      42679c8 session_policy_local: Remove struct create_data
      f71ccc8 session_policy_local: Rework policy file handling
      f75c792 session_policy_local: Add some more debug information
      61ed5e2 session_policy_local: Update session before unref policy
      99249a4 session_policy_local: Refactor SELinux context parser
      3fb5619 session_policy_local: Do not handle small allocation
      d6f82bb session: Do not access stale entry pointers
      e329cc8 session: Add session argument to create_service_entry_cb
      32a8cf5 TODO: Support other time sources
      3b70a3d timeserver: Periodically wake up to recheck timeservers
      bac356f iptables: Fix memory leak when invoking xtables_find_match
      git-subtree-dir: connman
      git-subtree-split: 075e1bbdda5b2ba2bba6fc75e458684365e5c6e9