1. 23 Nov, 2018 1 commit
  2. 22 Nov, 2018 8 commits
      Merge branch 'jb42675' into 'master' · 41d7652d
      Jussi Laakkonen authored
      Add dynamic firewall rules used per service.
      
      See merge request mer-core/connman!160
      [connman] Add tests for managed iptables rules. JB#42675 · e600ba71
      Jussi Laakkonen authored
      Tests for the managed iptables rules read from firewall.conf are added
      in this commit. The tests include installing a new set of rules using a
      temporary firewall.conf (set in /tmp/connman_test), checking that rules
      exist, checking that rules are added and removed when services go up and
      down and that iptables is cleaned up properly after shutting down
      (cleanup calls to iptables.c and firewall.c).
      
      Also some invalid rules are checked. This list could be expanded later.
      
      The temporary firewall.conf and the directory will be after tests
      finish.
      [connman] Add service specific dynamic iptables rules. JB#42675 · 5864fb03
      Jussi Laakkonen authored
      This commit changes the service type based dynamic rules to be service
      identifier specific. Each service can have own ruleset, that is based on
      the iptables rules set for the service type in firewall.conf.
      
      All services of the same type have identical rules from the configuration.
      The main reason of this is to accommodate the requirement of having two
      simultaneous connections of same type to be online at the same time.
      
      When a service is being connected for the first time a deep clone of the
      firewall rule set for the service type is created. This firewall rule
      set is removed from the internal current_dynamic_rules only when the
      service is removed. When the service is disconnected the rules are
      only removed from iptables, they remain in the firewall context of the
      service for later use. The firewall rule id will be kept the same if the
      firewall rule set is reused. Only thing that can change is the interface
      to be used with the rule.
      
      For an easier (and faster) check of whether the firewall is enabled a
      new bool value is added to struct firewall_context. This is enabled when
      firewall rules are added without error and id FW_ALL_RULES is given. It
      is faster to check from this instead of going through all the rules
      without any change to them if they are already enabled/disabled.
      
      Added checks if the rules is valid UTF8 (if not, ignore). If the rule
      starts with # character the rule is interpreted as commented out and is
      not added. Rule must start with a '-' character as required by iptables,
      otherwise the rule is ignored.
      [connman] Add dynamic and general firewall rule processing. JB#42675 · ff57f580
      Jussi Laakkonen authored
      This commit introduces a support for general and dynamic firewall rules.
      The rules are read from CONFDIR/firewall.conf. Additional configurations
      are also supported, which must be put into CONFIGDIR/firewall.d/ and each
      has to have "firewall.conf" suffix, e.g., 10-devmode-firewall.conf.
      
      The rules in the configuration files are added to the specified
      technology type rules or to general rules. The last config in the
      directory can override the "General" section default policies for INPUT,
      OUTPUT and FORWARD chains of filter table.
      
      Managed chains are used so changes to content of filter table chains
      INPUT, FORWARD, OUTPUT (neither for IPv4 nor IPv6) are not done, except
      for the policy. The format of the rules is the same as with iptables
      rules, with exceptions detailed later in this message. The chain name
      and policy name can be omitted in the config file.
      
      Rules can be defined for IPv4 chains using INPUT, OUTPUT and FORWARD
      keys in key config file. Rules for IPv6 chains can be set using
      INPUT_IPv6, OUTPUT_IPv6 and FORWARD_IPv6. Default filter table policies
      can be set only in General section and follow similar naming. IPv4
      iptables default policies are set with keys that have a suffix "_POLICY"
      added to the chain name. With IPv6 ip6tables policies the suffix is
      "_POLICY_IPv6".
      
      There can be general rules that are added to managed chains using
      firewall.c functionality at firewall initialization and cleared at
      firewall cleanup. General rules include defining policies for the default
      filter table chains. The general rules section format (rules are
      separated with semicolon ";" because comma "," is a separator for ports
      in iptables rules):
      
      INPUT = -p tcp -m tcp --dport 22 -j ACCEPT; -p udp -m udp -j ACCEPT
      INPUT_IPv6 = -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      FORWARD =
      OUTPUT = -p tcp -m multiport --sports 1024:65000 -j ACCEPT
      INPUT_POLICY = DROP
      OUTPUT_POLICY = ACCEPT
      FORWARD_POLICY = ACCEPT
      INPUT_POLICY_IPv6 = ACCEPT
      
      After ConnMan is shut down the policies on each default chain in filter
      table are being set to ACCEPT. By adding the rules via firewall.c the
      managed tables are also cleared at shutdown.
      
      Each technology connman supports can have own dynamic rules set in the
      same firewall.conf file. These rules are enabled and disabled when a
      service comes up (READY, CONNECTED) or goes down (DISCONNECT, FAILURE,
      IDLE) and the interface the service is using is applied into the rule.
      The format for the dynamic rules is same, for example cellular:
      
      INPUT = -p tcp -m multiport --dports 1:1024 -j DROP
      OUTPUT = -p udp -m udp --dport 23 -j DROP; -p tcp -j ACCEPT
      INPUT_IPv6 = -p tcp -m ssh -j ACCEPT; -p udp -m udp -j DROP
      
      In chain INPUT -i <interface> is added, in chain FORWARD -o <interface>
      is added and in chain OUTPUT -o <interface> is added. For this
      particular reason -i and -o switches are forbidden in the rules.
      
      The following switches (and their longer equivalents) are not allowed in
      rules (rules having one of these are ignored):
       - Chain management switches (-A, -D, -X, -F, -I, -P, -E, -R, -Z)
       - Interface definitions (-i, -o), except for group General
       - IP address switches (-s, -d, --to-destination, --from-destination)
       - State modifiers -m comment and -m state (and -m conntrack with IPv6)
      
      All regular targets (ACCEPT, DROP, REJECT, LOG, QUEUE) are allowed. In
      these rules adding chains is not allowed so additional targets cannot be
      used, hence the managed tables.
      
      The protocols defined in iptables manual pages are allowed: tcp, udp,
      udplite, icmp, icmpv6, ipv6-icmp, esp, ah, sctp, mh and the special
      keyword all.
      
      If -m multiport switch is used it has to have some of the default port
      switches. If a port switch is used port numbers can be used or service
      names. Ports have to be separated with commas (set) or semicolons
      (range) as iptables rules format defines.
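As an added example (not connman's own code, nor part of the commit above), a Python checker that applies the rule restrictions listed in this commit message to one firewall.conf value: UTF-8 check, '#' comments, the leading '-', forbidden switches, allowed targets and protocols, and the multiport port-switch requirement. The long-form switch names are assumed from iptables(8) and the set of recognised port switches is an assumption; the page lists only the short forms.

```python
import shlex

# Forbidden switches from the commit message; long forms assumed from iptables(8).
CHAIN_MGMT = {"-A", "--append", "-D", "--delete", "-X", "--delete-chain",
              "-F", "--flush", "-I", "--insert", "-P", "--policy",
              "-E", "--rename-chain", "-R", "--replace", "-Z", "--zero"}
IFACE = {"-i", "--in-interface", "-o", "--out-interface"}
ADDR = {"-s", "--source", "-d", "--destination",
        "--to-destination", "--from-destination"}
TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "QUEUE"}
PROTOCOLS = {"tcp", "udp", "udplite", "icmp", "icmpv6", "ipv6-icmp",
             "esp", "ah", "sctp", "mh", "all"}
# Port switches that satisfy the "-m multiport" requirement (assumed set).
PORT_SWITCHES = {"--dports", "--sports", "--ports",
                 "--destination-ports", "--source-ports"}

def check_rule(rule, group="General", ipv6=False):
    """Return None if the rule is accepted, "comment" if it is commented out,
    otherwise the reason the rule would be ignored."""
    if isinstance(rule, bytes):
        try:
            rule = rule.decode("utf-8")
        except UnicodeDecodeError:
            return "not valid UTF-8"
    rule = rule.strip()
    if rule.startswith("#"):
        return "comment"
    if not rule.startswith("-"):
        return "must start with '-'"
    toks = shlex.split(rule)
    for i, t in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if t in CHAIN_MGMT:
            return f"chain management switch {t}"
        if t in IFACE and group != "General":
            return f"interface switch {t} only allowed in General"
        if t in ADDR:
            return f"address switch {t}"
        if t in ("-m", "--match") and nxt is not None:
            if nxt in ("comment", "state") or (nxt == "conntrack" and ipv6):
                return f"match {nxt} not allowed"
            if nxt == "multiport" and not PORT_SWITCHES & set(toks):
                return "multiport without port switch"
        if t in ("-p", "--protocol") and nxt not in PROTOCOLS:
            return f"unknown protocol {nxt}"
        if t in ("-j", "--jump") and nxt not in TARGETS:
            return f"target {nxt} not allowed"
    return None

def parse_rule_list(value, group="General", ipv6=False):
    """Split a firewall.conf value on ';' and keep the rules that pass check_rule()."""
    return [r.strip() for r in value.split(";")
            if r.strip() and check_rule(r, group, ipv6) is None]
```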
      Merge branch 'add_ip6tables' into 'master' · a1e641f0
      Jussi Laakkonen authored
      [connman] Improve IPv6 support. Add ICMP blocking. Fixes JB#42674
      
      See merge request mer-core/connman!158
      [connman] Accommodate IPv6 changes in sailfish iptables ext. JB#42674 · 063261bc
      Jussi Laakkonen authored
      Add the type variable into each iptables.c function that was changed
      when implementing IPv6 support.
      [connman] Do not clear connman- prefixed iptables chains. JB#42674 · 51aa719f
      Jussi Laakkonen authored
      All chains that have "connman-" prefix should be skipped by the iptables
      extension. These are meant for internal use only.
  3. 12 Nov, 2018 4 commits
      [connman] Handle -j REJECT --reject-with in iptables saving. JB#42674 · 83e8d007
      Jussi Laakkonen authored
      This commit adds handling of iptables rules that have REJECT target set.
      Each -j REJECT has --reject-with "type" (e.g., icmp-unreachable, that is
      the default) when applying rules from saved iptables files.
      
      This is similar to the comment handling and same code is utilized in
      this also.
      test: Add tests and test tool for IPv6 parts of iptables.c. · 5e43f72b
      Jussi Laakkonen authored
      This commit adds tests for IPv6 enabled iptables. The tests are
      identical to the existing iptables tests, except IPv6 "nat" table rules
      are not tested as IPv6 NAT is not enabled.
      
      Also a test tool for IPv6 iptables (ip6tables-test) has been added,
      which is a clone of iptables-test. iptables-test.c has been modified to
      support the changes in iptables.c.
      
      Added ip6tables-save program to configure.ac and use of it in
      Makefile.am for the updated iptables-unit test.
      
      [connman] Apply our test changes on top of upstream change. JB#42674
      
      Tests for ICMP rules for both IPv4 and IPv6 are added.
      
      Tests for using firewall are retained in our fork as our firewall.c
      differs from the upstream one in many ways.
      [connman] Introduce IPv6 support for firewall. Contributes to JB#42674 · 3a6db779
      Jussi Laakkonen authored
      This commit adds IPv6 support to firewall.c. Two new functions are added
      to connman.h which allow to add and remove rules using IPv6
      functionality that was added to iptables.c. This commit does not change
      functionality of firewall.c, new functions are:
       - __connman_firewall_add_ipv6_rule()
       - __connman_firewall_remove_ipv6_rule()
      
      The firewall functions operate on higher level than the iptables.c
      functions so a clear separation of rule adding and removal is decided to
      be implemented for IPv4 and IPv6. This abstracts the use of iptables and
      for internal functionality this kind of separation of concerns here is
      clarifying things instead of having to give a specific type for each
      firewall function call.
      iptables: Introduce IPv6 iptables management. · 01d9e260
      Jussi Laakkonen authored
      This commit adds iptables management for IPv6 addresses. Existing
      src/iptables.c is used as base and the functionality to support IPv6
      iptables is included into existing code for the most part. Managing
      iptables using IPv6 addresses does not differ much from IPv4 use, only
      new structures of setting/getting rules have to be adapted into use. For
      each existing __connman_iptables_*() a type variable (int) has been
      added to indicate which address family (AF_INET/AF_INET6) is to be used.
      
      Functionality remains the same as with iptables.c, only the function
      parse_ipv6_and_mask() is rewritten to comply with IPv6 address structures.
      Functions is_same_ipt_entry() and iptables_blob() are copied to use
      ip6t_* type structures.
      
      The internal structures connman_iptables_entry and connman_iptables
      were amended to include the iptables IPv6 structures and the address
      family type. In order to avoid copying of large amounts of existing code
      and to be able to use both IPv4 and IPv6 structures many existing
      functions are changed from using struct ipt_entry/ipt_ip/ipt_replace
      into using structures that contain pointers to both IPv4 and IPv6
      structures.
      
      Two new structures are introduced to act as containers for the IPv4 and
      IPv6 types of iptables structures:
       - struct iptables_ip contains ipt_ip and ip6t_ip + type
       - struct iptables_replace contains ipt_replace and ip6t_replace + type
       - struct connman_iptables_entry is used as container for ipt_entry and
      ip6t_entry
      
      Helper functions for getting content from struct connman_iptables were
      added to keep the code cleaner. Similarly for the struct
      iptables_replace helper functions were added. Helper functions were also
      added for getting content out of connman_iptables_entry struct.
      
      In order to operate both IPv4 and IPv6 iptables the initialization has
      to be done before each operation is executed if the IP type changes. For
      this setup_xtables() function was added to change the iptables type and
      to keep track of the current IP type to avoid unnecessary changes.
  4. 08 Nov, 2018 2 commits
      iptables: Replace ALIGN macro with XT_ALIGN macro. · a460850c
      Jussi Laakkonen authored
      XT_ALIGN macro should be used instead of explicit ALIGN macro to define
      struct alignments. In Linux kernel netfilter code it has been used for
      IPv6 structs (kernel commit 06e1374a7ed45f1788353a2944a20133adc55649)
      and the commonly used IPT_ALIGN(s) usually is defined to use XT_ALIGN
      as well and has been renamed as XT_ALIGN in iptables 1.4.11.
      
      XT_ALIGN is defined in linux/netfilter/x_tables.h, included via
      xtables.h.
      iptables: Use xt_error_target when adding new rules and chains. · 78be0382
      Jussi Laakkonen authored
      This commit replaces iptables.c explicitly defined struct error_target
      with the xtables struct xt_error_target. It is better to use the struct
      defined in xtables to maintain compatibility.
  6. 25 Oct, 2018 1 commit
      [ofono] Revert commit 9b9b872e. Fixes JB#43567 · a80aa7d5
      Slava Monich authored
      Removing the service when SIM card goes away (e.g. during shutdown)
      kills autoconnect flag for mobile data. That's because mobile data
      is enabled/disabled at individual service level, as opposed to wifi
      where it's turned on and off at higher (technology) level.
      
      Need to find a better way to stop cellular services from piling up.