1. 17 Jan, 2019 4 commits
  2. 15 Jan, 2019 1 commit
  3. 14 Jan, 2019 6 commits
    • [connman] Keep static general rules if notifier fails. JB#44205 · 5874b453
      Jussi Laakkonen authored
      Keep the general rules if the notifier fails. Notifier failing only
      prevents use of dynamic rules, which need to be removed. The general
      rules are removed at cleanup.
    • [connman] Fix firewall IP family protocol parsing. JB#44025 JB#43924 · 9efdd66d
      Jussi Laakkonen authored
      This separates the protocol (-p) switches to separate groups as some of
      them are not interoperable between different IP protocol families. The
      protocol "icmp" can be used only with IPv4, whereas "icmpv6",
      "ipv6-icmp" and "mh" (mobility header for IPv6) are for IPv6 only.
      
      Also some changes to make the is_supported() function more readable,
      rename restore_policies() input parameter and set to reset the policy
      variable at firewall initialization.
      
      + Cleanup of firewall.c to conform to connman coding style.
    • [unit] Add unit test for firewall.c. Contributes to JB#44205 JB#43924 · 361e8e91
      Jussi Laakkonen authored
      This commit adds a unit test for firewall.c that does not access the
      filesystem to test firewall features or require access to iptables.
      
      The features that are tested are:
       - Rule validation from configs
       - Duplicate rule checking
       - Valid and invalid configuration files
       - Service notifications (on, off with 2 services)
       - Tethering with and without specified rules in configs
       - Adding, removal and reloading of configs when services are on/off
      
      The coverage of this test for firewall.c is so far:
      Lines:		1040	1148	90.8 %
      Functions:	74	74	100.0 %
      Branches:	754	1188	63.6 %
    • [unit] Fix firewall unit test tool. JB#42675 JB#44071 · 9656c586
      Jussi Laakkonen authored
      Because of recent changes to firewall reloading and config files the
      unit test tool for iptables that involves firewall use was broken. This
      commit fixes the unit test tool.
      
      The changes were introduced with 39d02c6e and 10b56298
    • [connman] Require iptables 1.6.1+git2. Contributes to JB#44205 · 3f323cb3
      Jussi Laakkonen authored
      Set connman to require iptables 1.6.1+git2 as it contains the fix for
      simultaneous use of IPv4 and IPv6 iptables rules with matches that have
      different functionalities for the address families.
      
      Also a bit of cleanup for firewall.c.
    • [connman] Revert commit b86ae5a1, problem fixed by iptables. JB#42205 JB#43926 · 94b106f5
      Jussi Laakkonen authored
      This reverts the commit b86ae5a1 that
      disabled -m switch for IPv6 iptables rules.
      
      With iptables 1.6.1+git2 this issue is resolved.
  4. 21 Dec, 2018 4 commits
  5. 20 Dec, 2018 2 commits
  6. 18 Dec, 2018 16 commits
    • Merge branch 'jb44205' into 'master' · a53a5981
      Jussi Laakkonen authored
      Prevent other than protocol -m switches in IPv6 and revert bad change.
      
      See merge request mer-core/connman!176
    • Revert "iptables: Set protocol family in xtables setup." · 2362bd2e
      Jussi Laakkonen authored
      This reverts commit 6a62b7f4.
    • [connman] Ignore non-protocol IPv6 iptables rule -m switch. JB#44205 · b86ae5a1
      Jussi Laakkonen authored
      This sets to ignore all IPv6 rules with -m switch other than one of the
      supported protocols in firewall configs.
      
      The reason is that iptables matches as of now cannot be used for both
      IPv4 and IPv6. Reason for this is not clear. It may be that iptables is
      not built for it, or some implementation is missing from connman.
      
      In case of changing IP protocol in iptables.c when a same named match is
      already loaded in iptables, the content of the previous IP protocol is
      given with the function callbacks that understand only the previous IP
      protocol. IP protocol family is set correctly but everything else is
      not.
      
      This should be reverted if iptables 1.8.1 brings any changes. Or some
      new idea arises. This means that IPv6 INPUT policy can never be DROP.
    • Merge branch 'jb44071' into 'master' · fe2c7376
      Jussi Laakkonen authored
      Install and remove firewall configurations over D-Bus and SystemD.
      
      See merge request mer-core/connman!173
    • [connman] Fix g_try_new0 use. Contributes to JB#44071 · 5c1f1968
      Jussi Laakkonen authored
      Use g_try_new0() properly by giving only the amount of the contents to
      be created.
    • [connman] Add dccp to firewall protocols. Fix max port. JB#44071 · 2b12563e
      Jussi Laakkonen authored
      Add dccp to supported protocols list. This is supported although
      iptables manual page does not mention it.
      
      Fix max port check to include also the max 16bit uint as accepted port
      number.
    • [connman] Define iptables function with callback in firewall rules. JB#44071 · 5ba2778b
      Jussi Laakkonen authored
      This commit adds a possibility to set an iptables adding callback
      function for each firewall rule. The adding callback prototype is the
      same as __connman_iptables_append() and __connman_iptables_insert() and
      is defined as connman_iptables_manage_cb_t in connman.h.
      
      This is used with general, dynamic and tethering rules. With general
      rules the rules are appended to the end. With dynamic and tethering
      rules the rules are inserted on top of the managed chain. The logic
      behind this is that the general rules can be defined as the base rules
      and service specific rules override the general rules.
    • iptables: Recover from commit errors. · 294c6d93
      Jussi Laakkonen authored
      This commit changes the error handling in __connman_iptables_commit() if
      iptables_replace() fails. In order to be able to use iptables after
      committing invalid content it is safest to drop the table content and
      make iptables.c re-initialize when new changes are made.
      
      On some systems it may result in a situation where a single failure,
      e.g., ELOOP when removing a managed rule that still has rule references,
      prevents further changes to iptables. By resetting to previous state in
      case of error this can be avoided.
    • [connman] Apply new firewall rules in reload for old services. JB#44071 · 7dfa91df
      Jussi Laakkonen authored
      This commit adds applying of new firewall rules for old services that
      did not previously have dynamic rules set and are online. The existing
      service_state_changed() is used here as it contains state checking for
      the service as well as it checks if the service has dynamic rules set.
    • [connman] Support removal of firewall configs with reload. JB#44071 · 129b7b40
      Jussi Laakkonen authored
      This adds support for removing the rules defined in firewall
      configurations. Each rule has a record of the configuration file it was
      loaded from and this change utilizes that to remove the rules of
      removed configuration files from all generic, tethering, dynamic and
      currently used rules. The rules in generic, tethering and currently used
      lists are removed from iptables before complete removal from the lists.
      
      The configuration files that are stored when new configuration files are
      loaded are used to check which files have been removed. This list is
      cleaned up from the removed entries as well.
    • [connman] Use config file name in firewall rule sorting. JB#44071 · 2298624d
      Jussi Laakkonen authored
      This adds sorting of firewall rules using the config file name as sort
      criteria. The rules are read from alphabetical list of configuration
      files at startup and were added in correct order. But when reloading the
      order must be kept and this commit, by adding each rule into sorted list
      of rules, guarantees that the order of the rules is always consistent.
      The rules that are added by the system (config_file is NULL) are sorted
      on top of the list.
      
      With currently active connections which have firewall enabled the rules
      are simply appended at the end. The order is effective after the service
      is reconnected.
      
      The default static rules are ordered but no change for these is made
      into iptables. The change of rule order is effective only after connman
      restart. This issue should be addressed in the future.
    • [connman] SystemD reload support for firewall reloading. JB#44071 · d8b03fec
      Jussi Laakkonen authored
      Call "Reload" method over D-Bus when reload is called via systemd.
    • [connman] Ignore duplicate rules in firewall configs. JB#44071 · c058fdb0
      Jussi Laakkonen authored
      This commit adds a check in all configurations for duplicate rules. The
      type, table, chain and rule itself must not be equal to one that is
      already in a firewall ruleset. Such rules that exist are simply ignored.
    • [connman] D-Bus method to reload firewall configurations. JB#44071 · 10b56298
      Jussi Laakkonen authored
      This commit adds a D-Bus method "Reload" to net.connman.Firewall
      interface using path "/". With this method call firewall.c is requested
      to load all new configurations from CONFIGDIR/firewall.d/. Access to the
      method is granted for root and privileged.
      
      The config files must have a firewall.conf suffix and if the file is read
      properly the rules will be taken into use immediately. This is done for
      all connected services also, which get the new rules added into their
      firewall and enabled in iptables. If a service is not connected
      (firewall is not enabled) the rules are just added to the end.
      
      No sorting of rules is done yet. The rules are read in firewall
      configuration file order (alphabetical) only when connman is (re)started.
      
      This also contains a change to read each firewall configuration file
      into a sorted list. This list is first used to check if the
      configuration file is already used or not. If configuration file is
      already read, it will not be re-read.
    • Merge branch 'firewall_doc' into 'master' · 279e86b2
      Jussi Laakkonen authored
      Add firewall configuration documentation.
      
      See merge request mer-core/connman!172
    • [doc] Firewall configuration documentation. Contributes to JB#42675 · f414089c
      Jussi Laakkonen authored
      This adds documentation about the firewall configuration system
      implemented into ConnMan.
      
      Basic man page is also created with same information.
  7. 04 Dec, 2018 2 commits
    • Merge branch 'jb42675_3' into 'master' · c5ad713c
      Jussi Laakkonen authored
      Use protocol prefix with dot separator in firewall conf to maintain better consistency with connman configs.
      
      See merge request mer-core/connman!171
    • [connman] Use protocol prefix with dot separator in firewall conf. JB#42675 · 39d02c6e
      Jussi Laakkonen authored
      This commit makes firewall configuration a bit closer to the rest
      of the connman configuration file formats to preserve consistency. This
      changes the firewall configuration to use the following format:
      
      Rules with key:
      PROTOCOL.CHAIN.RULES
      
      Policies with key:
      PROTOCOL.CHAIN.POLICY
      
      For example, IPv4 chain OUTPUT policy for DROP packets would be:
      IPv4.OUTPUT.POLICY = DROP
      
      And rules for the same chain:
      IPv4.OUTPUT.RULES = -p tcp -m tcp --dport 80 -j ACCEPT
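Added example, not connman's own code (which is C): a small Python validator for the PROTOCOL.CHAIN.RULES / PROTOCOL.CHAIN.POLICY key format described above, applying the checks the earlier commits on this page describe: family-specific -p protocols (commit 9efdd66d), port numbers up to 65535 (commit 2b12563e) and duplicate rules being ignored (commit c058fdb0). The [General] group header, ';' as the separator between rules in one RULES value, the 0..65535 port range and the list of chain names are assumptions.

```python
import re

IPV4_ONLY = {"icmp"}  # family-specific -p protocols per commit 9efdd66d
IPV6_ONLY = {"icmpv6", "ipv6-icmp", "mh"}
MAX_PORT = 65535  # max 16-bit uint is an accepted port (commit 2b12563e)
KEY_RE = re.compile(r"^(IPv4|IPv6)\.(INPUT|OUTPUT|FORWARD)\.(RULES|POLICY)$")
# Constructed sample firewall.conf; the [General] header and ';' as rule separator are assumed.
SAMPLE = """[General]
IPv4.INPUT.POLICY = DROP
IPv4.INPUT.RULES = -p tcp -m tcp --dport 22 -j ACCEPT; -p icmp -j ACCEPT; -p tcp -m tcp --dport 22 -j ACCEPT
IPv6.INPUT.RULES = -p icmp -j ACCEPT; -p ipv6-icmp -j ACCEPT; -p udp --dport 65536 -j ACCEPT
"""

def check_rule(family, rule):
    """Return None if the rule is usable in this address family, else why not."""
    tokens = rule.split()
    for tok, nxt in zip(tokens, tokens[1:]):
        if tok in ("-p", "--protocol"):
            proto = nxt.lower()  # icmp belongs to IPv4 only; the IPV6_ONLY set to IPv6 only
            if proto in IPV4_ONLY | IPV6_ONLY and (proto in IPV4_ONLY) != (family == "IPv4"):
                return f"protocol {proto} is not valid for {family}"
        elif tok in ("--dport", "--sport"):  # single port; 0..65535 assumed valid
            if not nxt.isdigit() or int(nxt) > MAX_PORT:
                return f"invalid port {nxt}"
    return None

def load_firewall_conf(text):
    """Parse key=value lines; a repeated (family, chain, rule) is ignored (commit c058fdb0)."""
    out = {"rules": [], "policies": {}, "errors": [], "duplicates": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        key, _, value = (p.strip() for p in raw.partition("="))
        m = KEY_RE.match(key)
        if not m:
            if key and key[0] not in "#[":  # blank, comment and [group] lines are skipped
                out["errors"].append(f"line {lineno}: unknown key {key!r}")
            continue
        family, chain, kind = m.groups()
        if kind == "POLICY":
            out["policies"][(family, chain)] = value
            continue
        for rule in filter(None, (r.strip() for r in value.split(";"))):
            why = check_rule(family, rule)
            if why:
                out["errors"].append(f"line {lineno}: {why}: {rule}")
            elif (family, chain, rule) in out["rules"]:
                out["duplicates"].append(rule)
            else:
                out["rules"].append((family, chain, rule))
    return out
```

Running it on SAMPLE keeps three rules, drops the repeated IPv4 SSH rule as a duplicate, and reports the IPv6 "icmp" rule and port 65536 as errors.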
  8. 03 Dec, 2018 2 commits
  9. 30 Nov, 2018 3 commits