Commit f60c37e9 authored by ballock

Merge branch 'jb48869' into 'master'

[firewall] Fix tests and special cases. JB#48869

See merge request !275
parents 61934257 b38f30f3
.\" connman-firewall.config(5) manual page
.\"
.\" Copyright (C) 2018-2019 Jolla Ltd.
.\" Copyright (C) 2019 Open Mobile Platform LLC.
.\" Copyright (C) 2019-2020 Open Mobile Platform LLC.
.\"
.TH "connman-firewall.config" "5" "2019-12-16" ""
.TH "connman-firewall.config" "5" "2020-06-01" ""
.SH NAME
firewall.conf \- ConnMan firewall configuration file
.SH DESCRIPTION
......@@ -134,8 +134,27 @@ files (only allowed in General section) overrules all previous POLICY keys set
for the CHAIN with given PROTOCOL.
.SH RULE FORMAT
.P
Rules follow iptables rule format, for reference see:
.URL "https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html" "https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html"
Rules follow iptables rule format in general, with some notable exceptions, for
reference see
.UR https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
the Iptables Tutorial
.UE
.SS
The most notable exceptions are:
.IP 1. 3
-p protocol does NOT imply -m protocol. -p protocol only implies the protocol
in the IP header. So e.g. to add a http port opening, you MUST use -m tcp:
IPv4.INPUT.RULES = -p tcp -m tcp --dport 80 -j ACCEPT
.IP 2. 3
The order is stricter - if a match relies on a specific protocol, -p must be
specified before -m on the commandline.
.IP 3. 3
No command abbrievations are allowed - it is not possible to use --dest as
short for --destination.
.P
Rules are separated with semicolons (;). All rules for a key must be on one
line.
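Review bot: typo in the third exception: "abbrievations" should be "abbreviations". The example `IPv4.INPUT.RULES = -p tcp -m tcp --dport 80 -j ACCEPT` is a plain text line inside the .IP item, so troff fills it onto the end of "you MUST use -m tcp:"; wrap it in .nf/.fi so it renders on its own line as it does in doc/firewall.txt.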
......@@ -153,20 +172,40 @@ IPv4.INPUT.RULES = #-p udp -m udp --dport 23 -j ACCEPT; -p udp -m udp --dport 24
Will discard the first --dport 23 rule and use the second --dport 24 rule
.SS
Each rule:
.TP
Has to have one target (-j|--jump TARGET) or goto (-g|--goto TARGET) which is the bare minimum of the rule.
.TP
Can have 0...1 protocol matches (-p|--protocol protocol).
.TP
Can have 0...2 match speficiers (-m|--match match).
.TP
Can have 0...2 port switches with a protocol modifier (-m|--match protocol) OR
.TP
Can have 0...1 port switches with multiport modifier (-m|--match multiport)
.TP
Can have 0...2 destination specifiers (same direction cannot be used twice)
.TP
Can have 0...2 interface switches in [General] section (same direction cannot be used twice)
.IP - 2
Must have one target (-j|--jump TARGET) or goto (-g|--goto) which is the bare
minimum of the rule
E.g., to allow all traffic:
-j ACCEPT
.IP - 2
Can have 1 protocol selector (-p|--protocol protocol)
E.g., to block all ICMP traffic:
-p icmp -j DROP
.IP - 2
Can have an address specifier for each of traffic directions: --source/-s,
--destination/-d
E.g. to block all traffic to Google's public DNS servers:
-d 8.8.8.8 -d DROP
.IP - 2
Can have an interface switch for each directions in [General] section:
--in-interface/-i, --out-interface/-o
.IP - 2
Can have match speficiers (-m|--match match), restrictions apply per match.
E.g., to allow one attempt per second:
-m limit --limit 1/s --limit-burst 1 -j ACCEPT
.IP - 2
Any match that requires a specific set of options must include them after
the -m match for the rule to be approved.
.SS
Targets:
.P
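Review bot: the address-specifier example `-d 8.8.8.8 -d DROP` is not a valid rule by this page's own rules: it gives -d twice and has no -j/-g target, so the validator would reject it; it should read `-d 8.8.8.8 -j DROP`. Also "speficiers" should be "specifiers" in the match item and "for each directions" should be "for each direction" in the interface item. The example lines (`-j ACCEPT`, `-p icmp -j DROP`, ...) are unformatted text inside .IP items and will be filled into the sentence before them; .nf/.fi around each keeps them on their own line.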
......@@ -174,19 +213,81 @@ The targets (-j TARGET) are the same as with default iptables: ACCEPT, DROP, REJ
.SS
Protocols:
.P
Protocols (-p protocol) are the same as with iptables: tcp, udp, udplite, icmp, icmpv6, ipv6-icmp, esp, ah, sctp, mh, dccp and the special keyword all. These can be given in numeric format as well.
Protocols (-p protocol) are the same as with iptables. One can use any protocol
name that is resolvable through /etc/protocols, or use numerical values
directly. As an exception, protocol names "icmpv6", "ipv6-mh", "mh" and "all"
are also allowed.
.SS
Disabled switches:
.P
Following switches are disabled and if a rule contains any of them the rule will be ignored:
.IP
All chain modifiers, since rules are added to managed chains, following modifiers are disabled: --append, -A, --delete, -D, --delete-chain, -X, --flush, -F, --insert, -I, --new-chain, -N, --policy, -P, --rename-chain, -E, --replace, -R, --zero, -Z
.IP
Destination speficiers for DNAT are disabled : --to-destination, --from-destination
.IP
Some matches (with -m) are disabled (cause crash or commit errors). IPv4: comment, state, recent, sctp, dccp, mh, hashlimit, icmpv6, ipv6-icmp. IPv6: comment, state, recent, ttl, sctp, dccp, mh, hashlimit, frag, icmp
.P
Interface specifiers (--in-interface, -i, --out-interface, -o) are not allowed in tethering or service type sections:
Following switches are disabled and if a rule contains any of them the rule will
be ignored:
.IP - 2
All chain modifiers are disabled: --append, -A, --delete, -D, --delete-chain,
-X, --flush, -F, --insert, -I, --new-chain, -N, --policy, -P, --rename-chain,
-E, --replace, -R, --zero, -Z
.IP - 2
Destination speficiers for DNAT are disabled: --to-destination,
--from-destination
.IP - 2
Fragment: -f, --fragment
.IP - 2
IP family options: --ipv4, -4, --ipv6, -6
.IP - 2
Interface specifiers are not allowed in tethering or service type sections:
--in-interface, -i, --out-interface, -o
.IP - 2
Any match that is not supported by syntax parser will make the rule invalid.
See the next section for a list of supported matches. Note that ipv6-specific
matches are not supported in ipv4 and vice-versa.
.SH MATCH SPECIFIC OPTIONS
.P
Currently supported matches are:
- ah
- conntrack
- dccp
- ecn
- esp
- helper
- icmp
- icmp6, icmpv6, ipv6-icmp
- iprange
- limit
- mark
- mh
- multiport
- owner
- pkttype
- rpfilter
- sctp
- tcp
- ttl
- udp
.P
For match-specific options, please see "iptables -m $match --help".
.P
Port matches (--dport and/or --sport) are supported with -m protocol that
supports ports. These are:
- tcp
- udp
- dccp
- sctp
.P
Only one --dport and only one --sport is allowed.
.P
Multiport match requires a protocol that has ports. These are:
- tcp
- udp
- udplite
- dccp
- sctp
.P
Multiport match supports only one option, either --sports, or --dports.
However, it is possible to use multiple -m multiport specifiers to match both
directions, e.g.:
-p tcp -m multiport --dports 80 -m multiport --sports 1024:65535 -j ACCEPT
.SH CONFIGURATION: GENERAL SECTION
.P
General section contains the main static firewall rules. In this section both
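Review bot: the item lists under MATCH SPECIFIC OPTIONS (`- ah`, `- conntrack`, ... and the two port-capable protocol lists) are plain text lines after .P, so unless an .nf precedes them outside this hunk troff will fill them into one run-on paragraph; use `.IP - 2` per item as the Disabled switches list just above does. The two protocol lists also disagree: udplite appears in the multiport list but not in the --dport/--sport list; confirm that is intentional or align them. "speficiers" should be "specifiers" in the DNAT item.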
......
......@@ -104,9 +104,20 @@ for the CHAIN with given PROTOCOL.
Rule formatting and exceptions
==============================
Rules follow iptables rule format, for reference see:
Rules follow iptables rule format in general, with some notable exceptions, for
reference see:
https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
The most notable exceptions are:
1. -p protocol does NOT imply -m protocol. -p protocol only implies the
protocol in the IP header. So e.g. to add a http port opening, you MUST
use -m tcp:
"IPv4.INPUT.RULES = -p tcp -m tcp --dport 80 -j ACCEPT"
2. The order is stricter - if a match relies on a specific protocol, -p must
be specified before -m on the commandline.
3. No command abbrievations are allowed - it is not possible to use --dest as
short for --destination.
Rules are separated with semicolons (;). All rules for a key must be on one
line.
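Review bot: "abbrievations" should be "abbreviations" in exception 3 (same typo as in the man page hunk).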
......@@ -116,23 +127,24 @@ there are missing/invalid values the rule is ignored. Negations in rules are
supported as with iptables command.
Each rule:
- Has to have one target (-j|--jump TARGET) or goto (-g|--goto) which is the
- Must have one target (-j|--jump TARGET) or goto (-g|--goto) which is the
bare minimum of the rule
- Can have 0...1 protocol matches (-p|--protocol protocol)
- Can have 0...2 match speficiers (-m|--match match),
- E.g., to allow one attempt per second to telnet:
-p udp -m udp --dport 23 -m limit --limit 1/s --limit-burst 1 -j ACCEPT
- Can have
- 0...2 port switches with a protocol modifier (-m|--match protocol):
--destination-port, --dport, --source-port, --sport
- 0...1 port switches with multiport modifier (-m|--match multiport):
--destination-ports, --dports, --source-ports, --sports, --port, --ports,
--destination-port, --dport, --source-port, --sport
- Can have 0...2 destination specifiers (same direction cannot be used twice)
--source, --src, -s, --destination, --dst, -d
- Can have 0...2 interface switches in [General] section (same direction cannot
be used twice):
--in-interface, -i, --out-interface, -o
- E.g., to allow all traffic:
-j ACCEPT
- Can have 1 protocol selector (-p|--protocol protocol)
- E.g., to block all ICMP traffic:
-p icmp -j DROP
- Can have an address specifier for each of traffic directions:
--source/-s, --destination/-d
- E.g. to block all traffic to Google's public DNS servers:
-d 8.8.8.8 -d DROP
- Can have an interface switch for each directions in [General] section:
--in-interface/-i, --out-interface/-o
- Can have match speficiers (-m|--match match), restrictions apply per match.
- E.g., to allow one attempt per second:
-m limit --limit 1/s --limit-burst 1 -j ACCEPT
- Any match that requires a specific set of options must include them after
the -m match for the rule to be approved.
Rules can be commented out with hash tag (#) as first character. Commented rules
are simply ignored. For example:
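Review bot: `-d 8.8.8.8 -d DROP` in the address-specifier example has no target and repeats -d, so it contradicts the "Must have one target" item two bullets above; it should be `-d 8.8.8.8 -j DROP`, the same fix the man page needs. Also "speficiers" should be "specifiers" and "for each directions" should be "for each direction".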
......@@ -145,28 +157,78 @@ Will discard the first --dport 23 rule and use the second --dport 24 rule.
The targets (-j TARGET) are the same as with default iptables: ACCEPT, DROP,
REJECT, LOG and QUEUE.
Protocols (-p protocol) are the same as with iptables: tcp, udp, udplite, icmp,
icmpv6, ipv6-icmp, esp, ah, sctp, mh, dccp and the special keyword all. These
can be given in numeric format as well.
Protocols (-p protocol) are the same as with iptables. One can use any protocol
name that is resolvable through /etc/protocols, or use numerical values
directly. As an exception, protocol names "icmpv6", "ipv6-mh", "mh" and "all"
are also allowed.
Following switches are disabled and if a rule contains any of them the rule will
be ignored:
- All chain modifiers, since rules are added to managed chains, all chain
modifiers are disabled: --append, -A, --delete, -D, --delete-chain, -X,
--flush, -F, --insert, -I, --new-chain, -N, --policy, -P, --rename-chain, -E,
--replace, -R, --zero, -Z
- Destination speficiers for DNAT are disabled : --to-destination,
- All chain modifiers are disabled: --append, -A, --delete, -D, --delete-chain,
-X, --flush, -F, --insert, -I, --new-chain, -N, --policy, -P, --rename-chain,
-E, --replace, -R, --zero, -Z
- Destination speficiers for DNAT are disabled: --to-destination,
--from-destination
- Fragment: -f, --fragment
- IP family options: --ipv4, -4, --ipv6, -6
- Some matches (with -m) are disabled (cause crash or commit errors):
- IPv4: comment, state, recent, sctp, dccp, mh, hashlimit,
icmpv6, ipv6-icmp
- IPv6: comment, state, recent, ttl, sctp, dccp, mh,
hashlimit, frag, icmp
- Interface specifiers are not allowed in tethering or service type sections:
--in-interface, -i, --out-interface, -o
- Any match that is not supported by syntax parser will make the rule invalid.
See the next section for a list of supported matches. Note that ipv6-specific
matches are not supported in ipv4 and vice-versa.
- Any match that is not supported by syntax parser is disabled. See next
section for a list of supported matches. Note that ipv6-specific matches
are not supported in ipv4 and vice-versa.
Match specific options
======================
Currently supported matches are:
- ah
- conntrack
- dccp
- ecn
- esp
- helper
- icmp
- icmp6, icmpv6, ipv6-icmp
- iprange
- limit
- mark
- mh
- multiport
- owner
- pkttype
- rpfilter
- sctp
- tcp
- ttl
- udp
For match-specific options, please see "iptables -m $match --help".
Port matches (--dport and/or --sport) are supported with -m protocol that
supports ports. These are:
- tcp
- udp
- dccp
- sctp
Only one --dport and only one --sport is allowed.
Multiport match requires a protocol that has ports. These are:
- tcp
- udp
- udplite
- dccp
- sctp
Multiport match supports only one option, either --sports, or --dports.
However, it is possible to use multiple -m multiport specifiers to match both
directions, e.g.:
-p tcp -m multiport --dports 80 -m multiport --sports 1024:65535 -j ACCEPT
General section [General]
=========================
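Review bot: "speficiers" should be "specifiers" in the DNAT item. The last item of the disabled list reads "is disabled" here but "will make the rule invalid" in the man page hunk above; use one wording in both files, and "syntax parser" should be "the syntax parser". As in the man page, udplite is listed as a multiport-capable protocol but is missing from the --dport/--sport list.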
......
......@@ -286,7 +286,7 @@ static bool is_valid_port_or_service_range(const char *protocol,
/* Range can have only two set */
if (g_strv_length(tokens) == 2) {
for (i = 0; i < 2 && tokens[i]; i++) {
for (i = 0; i < 2; i++) {
if (!is_valid_port_or_service(protocol, tokens[i],
&ports[i])) {
DBG("invalid port/service %s in %s", tokens[i],
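Review bot: removing `&& tokens[i]` from the loop condition is correct only because the enclosing `if (g_strv_length(tokens) == 2)` guarantees that tokens[0] and tokens[1] are both non-NULL; a one-line comment on the loop saying the guard makes the NULL check unnecessary would stop it from being reintroduced by the next reader.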
......@@ -659,6 +659,7 @@ static bool handle_ports(struct validator_data *data, gchar **args)
struct protoent *p;
char *protoname = NULL;
gchar **tokens = NULL;
int token_count;
/* In iptables ports are separated with commas, ranges with colon. */
const char delimeter[] = ",";
......@@ -674,7 +675,11 @@ static bool handle_ports(struct validator_data *data, gchar **args)
if (!tokens)
return false;
for (i = 0; tokens[i]; i++) {
token_count = g_strv_length(tokens);
if (token_count < 1)
ret = false;
for (i = 0; i < token_count; i++) {
/*
* If ':' exists it is a range. Check that only one ':' exists
* and the port range is specified correctly
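Review bot: `if (token_count < 1) ret = false;` records the failure but execution continues; that is harmless because the for loop then does zero iterations, but it relies on nothing between here and the function's return overwriting ret. Either add a comment saying that an empty --dport/--sport value (g_strsplit of an empty string yields a zero-length vector) is meant to fall through to the common cleanup, or jump straight to that cleanup. An early `return false` like the one two lines above is not an option here, since tokens now has to be released with g_strfreev().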
......@@ -1571,9 +1576,7 @@ static void clean_match_options(struct validator_data *data, gchar *match)
int i;
for (i = 0; known_matches[i].match_name; i++) {
if (!g_strcmp0(known_matches[i].match_name, match) &&
known_matches[i].family_dep == data->family) {
if (!g_strcmp0(known_matches[i].match_name, match)) {
remove_unique_ids_from_invoked(data,
known_matches[i].opts_enabled);
}
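Review bot: dropping `known_matches[i].family_dep == data->family` from the condition means every known_matches entry with this name, including entries registered for the other address family, has its opts_enabled removed from the invoked set. If cleanup is meant to be family-agnostic (so that, for example, the IPv6-only ah option exercised by the new --ahlen test is cleaned whatever the family), say so in a comment above the loop; otherwise a reader will see an asymmetry with the family check that applies when the options are enabled.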
......
......@@ -1365,10 +1365,10 @@ bool connman_device_has_status_changed_to(struct connman_device *device,
#define CHAINS_GEN4 3
#define CHAINS_MANGLE_GEN4 5
#define RULES_GEN4 (CHAINS_GEN4 + 78 + CHAINS_MANGLE_GEN4 + 5)
#define RULES_GEN4 (CHAINS_GEN4 + 95 + CHAINS_MANGLE_GEN4 + 5)
#define CHAINS_GEN6 3
#define CHAINS_MANGLE_GEN6 5
#define RULES_GEN6 (CHAINS_GEN6 + 77 + CHAINS_MANGLE_GEN6 + 5)
#define RULES_GEN6 (CHAINS_GEN6 + 93 + CHAINS_MANGLE_GEN6 + 5)
#define RULES_ETH 17
#define RULES_CEL 4
#define RULES_TETH 7
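Review bot: the +17 (IPv4) and +16 (IPv6) bumps match the additions elsewhere in this patch (3 case-variant `-p` rules, 2 owner root rules, 12 multi-match rules and 1 gid-owner 1024 output rule, with the ipv6-icmp rule not counted for IPv4 and the icmp and ttl rules not counted for IPv6), but nothing next to the defines says which arrays they sum or which rules are family-specific; a comment listing that derivation would make future bumps verifiable without recounting.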
......@@ -1389,6 +1389,10 @@ static const char *general_input[] = {
"-p all -j ACCEPT",
"-p udplite -j DROP",
"-p gre -j ACCEPT",
/* Protocol names are case-insesitive */
"-p TCP -j ACCEPT",
"-p TcP -j ACCEPT",
"-p tCp -j ACCEPT",
/* Port switches with protocols */
"-p tcp -m tcp --dport 80 -j ACCEPT",
"-p udp -m udp --sport 81 -j DROP",
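Review bot: comment typo: "case-insesitive" should be "case-insensitive".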
......@@ -1434,7 +1438,9 @@ static const char *general_input[] = {
"#-p sctp --dport 69 -j REJECT",
/* owner match - should work in INPUT with NETFILTER_XT_MATCH_QTAGUID */
"-m owner --uid-owner 0 -j LOG",
"-m owner --uid-owner root -j LOG",
"-m owner --gid-owner 0-499 -j LOG",
"-m owner --gid-owner root -j LOG",
/* rpfilter */
"-m rpfilter --loose -j LOG",
"-m rpfilter --validmark -j LOG",
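Review bot: `--uid-owner root` and `--gid-owner root` make the test depend on the build host resolving the name "root" through the system user and group databases; in a minimal build chroot without a root group entry the gid rule would be rejected and the RULES_GEN counts would no longer match. Keep the numeric variants already present as the authoritative ones, or document the host requirement next to these rules.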
......@@ -1442,6 +1448,23 @@ static const char *general_input[] = {
"-m rpfilter --invert -j DROP",
"-p udp -m rpfilter --invert -j DROP",
"-m rpfilter --loose --validmark --accept-local -j LOG",
/* multiple -m matches on commandline */
"-p ah -m ah ! --ahspi 12 -m ah ! --ahspi 14 -j DROP",
"-m ttl ! --ttl-eq 60 -m ttl ! --ttl-eq 80 -j LOG",
"-p esp -m esp ! --espspi 14 -m esp ! --espspi 18 -j ACCEPT",
"-p dccp -m dccp ! --dport 8188 -m dccp ! --dport 8288 -j DROP",
"-p sctp -m sctp ! --dport 8188 -m sctp ! --dport 8288 -j DROP",
"-p tcp -m tcp ! --dport 8188 -m tcp ! --dport 8288 -j DROP",
"-p udp -m udp ! --dport 8188 -m udp ! --dport 8288 -j DROP",
"-p tcp -m ecn ! --ecn-ip-ect 0 -m ecn ! --ecn-ip-ect 3 "
"-j ACCEPT",
"-p icmp -m icmp ! --icmp-type 8/0 -m icmp ! --icmp-type 12 "
"-j ACCEPT",
"-p ipv6-icmp -m ipv6-icmp ! --icmpv6-type 128/0 -m ipv6-icmp "
"! --icmpv6-type 64/0 -j DROP",
"-m conntrack ! --ctproto 6 -m conntrack ! --ctproto 8 "
"-j ACCEPT",
"-m owner ! --uid-owner root -m owner ! --uid-owner 22 -j LOG",
NULL
};
static const char *general_output[] = {
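Review bot: `-m ttl ! --ttl-eq 60 -m ttl ! --ttl-eq 80 -j LOG` sits in general_input, which feeds both families, while ttl is an IPv4-only match per the updated docs ("ipv6-specific matches are not supported in ipv4 and vice-versa"); it is therefore a rejected rule on IPv6 and one reason the IPv6 count grows by one less than the IPv4 count. Tag it like the `/* IPv6 only */` marker used on the --ahlen rule so the count derivation is readable.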
......@@ -1467,6 +1490,7 @@ static const char *general_output[] = {
"-m owner --uid-owner 0-499 -j ACCEPT",
"-m owner --uid-owner 100-100 -j ACCEPT",
"-m owner --gid-owner 0 -j DROP",
"-m owner --gid-owner 1024 -j DROP",
"-m owner --socket-exists -j LOG",
NULL
};
......@@ -1665,8 +1689,8 @@ static const char *general_icmpv6[] = {
NULL
};
#define RULES_OPTIONS4 73 // +1 for chain
#define RULES_OPTIONS6 70 // +1 for chain
#define RULES_OPTIONS4 76 // +1 for chain
#define RULES_OPTIONS6 72 // +1 for chain
static const char *general_options[] = {
/* AH and ESP options */
......@@ -1699,6 +1723,7 @@ static const char *general_options[] = {
"-p tcp -m ttl --ttl-eq 10 -j DROP",
"-p tcp -m ttl --ttl-lt 20 -j DROP",
"-p tcp -m ttl --ttl-gt 30 -j DROP",
"-m ttl --ttl-gt 10 -m ttl --ttl-lt 30 -j ACCEPT",
/* dccp options */
"-p dccp -m dccp --dccp-types REQUEST -j ACCEPT",
"-p dccp -m dccp --dccp-types REQUEST,RESPONSE,DATA,ACK,DATAACK,"
......@@ -1726,6 +1751,7 @@ static const char *general_options[] = {
"-m conntrack --ctexpire 21:33 -j ACCEPT",
"-m conntrack --ctdir ORIGINAL -j DROP",
"-m conntrack --ctdir REPLY -j DROP",
"-p 10 -m conntrack --ctorigsrcport 40 -j ACCEPT",
/* mark options */
"-m mark --mark 1 -j ACCEPT",
"-m mark --mark 0x01 -j DROP",
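Review bot: `-p 10 -m conntrack --ctorigsrcport 40 -j ACCEPT` is in the accepted set, so it pins down that conntrack port options are not checked against the -p protocol (protocol number 10 is not a transport that carries ports), in contrast to the port/multiport handling, which per the docs requires a port-capable protocol; a comment saying this asymmetry is deliberate would prevent it from being "fixed" later.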
......@@ -1758,11 +1784,13 @@ static const char *general_options[] = {
"-p tcp -m rpfilter --invert -j DROP",
"-p udp -m rpfilter --invert -j DROP",
"-p udplite -m rpfilter --invert -j DROP",
/* special correct options to trigger some coverage tests */
"-p tcp -m tcp ! --tcp-option 1 -m tcp ! --tcp-option 2 -j ACCEPT",
NULL
};
#define RULES_OPTIONS_ADDR4 23 // +1 chain
#define RULES_OPTIONS_ADDR6 15 // +1 chain
#define RULES_OPTIONS_ADDR6 16 // +1 chain
static const char *general_options_address4[] = {
/* Address options IPv4 */
......@@ -1809,6 +1837,8 @@ static const char *general_options_address6[] = {
"-m iprange --src-range fe80::3:2-fe80::4:1 -j LOG",
"-m iprange --src-range fe80::2-fe80::10:ff -j ACCEPT",
"-m iprange --dst-range fe80::11:00-fe80::12:ff -j ACCEPT",
/* IPv6 specific option in ah */
"-p ah -m ah --ahlen 289 -j ACCEPT", /* IPv6 only */
NULL
};
......@@ -2012,6 +2042,101 @@ static const char *invalid_general_options[] = {
"-m iprange --dst-range fe80::12:ff-fe80::11:00 -j ACCEPT",
"-m iprange --dst-range 1.1.1.1-fe80::11:00 -j ACCEPT",
"-m iprange --dst-range fe80::12:ff-2.2.2.2 -j ACCEPT",
/* special incorrect options to trigger some coverage tests */
"-p tcp ! -j ACCEPT",
"--source 192.168.0.1/101 -j ACCEPT",
"-m owner --uid-owner 0-184467440737095516167 -j DROP",
"-m owner --uid-owner 184467440737095516166-184467440737095516167 -j DROP",
"-i verylonginterface0 -j ACCEPT",
"-p icmp -m icmp --icmp-type 25513 -j DROP",
"-p tcp -m tcp --dport 40: -j ACCEPT",
"-m mark --mark 1/ -j ACCEPT",
"-p tcp -m multiport -m multiport --dport 80 -j ACCEPT",
"-m nonexistent -j ACCEPT",
/* special set of special cases - empty strings in options */
"-p tcp -m tcp --dport '' -j ACCEPT",
"-p tcp -m tcp --sport '' -j ACCEPT",
"-p tcp -m multiport --sports '' -j ACCEPT",
"-p tcp -m multiport --dports '' -j ACCEPT",
"-p tcp -m multiport --ports '' -j ACCEPT",
"-p tcp -m multiport --sports , -j ACCEPT",
"-p tcp -m multiport --dports , -j ACCEPT",
"-p tcp -m multiport --ports , -j ACCEPT",
"-p tcp -m multiport --sports :, -j ACCEPT",
"-p tcp -m multiport --dports ,: -j ACCEPT",
"-p tcp -m multiport --ports , -j ACCEPT",
"-p tcp -m tcp --tcp-flags '' '' -j ACCEPT",
"-p tcp -m tcp --tcp-option '' -j ACCEPT",
"-p tcp -m tcp --tcp-option '' -j ACCEPT",
"-m mark --mark '' -j ACCEPT",
"-m mark --mark / -j ACCEPT",
"-m mark --mark 2/ -j ACCEPT",
"-m mark --mark /2 -j ACCEPT",
"-m conntrack --ctstate '' -j ACCEPT",
"-m conntrack --ctproto '' -j ACCEPT",
"-m conntrack --ctorigsrc '' -j ACCEPT",
"-m conntrack --ctorigsrc / -j ACCEPT",
"-m conntrack --ctorigsrc 1.1.1.1/ -j ACCEPT",
"-m conntrack --ctorigsrc /16 -j ACCEPT",
"-m conntrack --ctorigdst '' -j ACCEPT",
"-m conntrack --ctreplsrc '' -j ACCEPT",
"-m conntrack --ctrepldst '' -j ACCEPT",
"-m conntrack --ctorigsrcport '' -j ACCEPT",
"-m conntrack --ctorigdstport '' -j ACCEPT",
"-m conntrack --ctreplsrcport '' -j ACCEPT",
"-m conntrack --ctrepldstport '' -j ACCEPT",
"-m conntrack --ctstatus '' -j ACCEPT",
"-m conntrack --ctexpire '' -j ACCEPT",
"-m conntrack --ctexpire : -j ACCEPT",
"-m conntrack --ctexpire 1: -j ACCEPT",
"-m conntrack --ctexpire :2 -j ACCEPT",
"-m conntrack --ctdir '' -j ACCEPT",
"-m ttl --ttl-eq '' -j ACCEPT",
"-m ttl --ttl-lt '' -j ACCEPT",
"-m ttl --ttl-gt '' -j ACCEPT",
"-m pkttype --pkt-type '' -j ACCEPT",
"-m limit --limit '' -j ACCEPT",
"-m limit --limit / -j ACCEPT",
"-m limit --limit-burst '' -j ACCEPT",
"-m ecn --ecn-ip-ect '' -j ACCEPT",
"-p ah -m ah --ahspi '' -j ACCEPT",
"-p ah -m ah --ahspi : -j ACCEPT",
"-p ah -m ah --ahspi 2: -j ACCEPT",
"-p ah -m ah --ahspi :2 -j ACCEPT",
"-p ah -m ah --ahlen '' -j ACCEPT",
"-p esp -m esp --espspi '' -j ACCEPT",
"-p esp -m esp --espspi : -j ACCEPT",
"-p mh -m mh --mh-type '' -j ACCEPT",
"-p mh -m mh --mh-type : -j ACCEPT",
"-p sctp -m sctp --chunk-types '' '' -j ACCEPT",
"-p icmp -m icmp --icmp-type '' -j ACCEPT",
"-p icmp -m icmp --icmp-type / -j ACCEPT",
"-p icmpv6 -m icmpv6 --icmpv6-type '' -j ACCEPT",
"-p icmpv6 -m icmpv6 --icmpv6-type / -j ACCEPT",
"-p dccp -m dccp --dccp-types '' -j ACCEPT",
"-p dccp -m dccp --dccp-types , -j ACCEPT",
"-p dccp -m dccp --dccp-types ,, -j ACCEPT",
"-p dccp -m dccp --dccp-option '' -j ACCEPT",
"-m owner --uid-owner '' -j ACCEPT",
"-m owner --uid-owner - -j ACCEPT",
"-m owner --gid-owner '' -j ACCEPT",
"-m owner --gid-owner - -j ACCEPT",
"-m iprange --src-range '' -j ACCEPT",
"-m iprange --src-range - -j ACCEPT",
"-m iprange --dst-range '' -j ACCEPT",
"-m iprange --dst-range - -j ACCEPT",
"-i '' -j ACCEPT",
"-i + -j ACCEPT",
"-o '' -j ACCEPT",
"-o + -j ACCEPT",
"-p '' -j ACCEPT",
"-s '' -j ACCEPT",
"-s / -j ACCEPT",
"-d '' -j ACCEPT",
"-d / -j ACCEPT",
"-m '' -j ACCEPT",
"-j ''",
"--goto ''",
NULL
};
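Review bot: two entries are exact duplicates (`-p tcp -m multiport --ports , -j ACCEPT` and `-p tcp -m tcp --tcp-option '' -j ACCEPT` each appear twice), which inflates the expected rejection count without testing anything new. Also, the `''` in these strings are two literal apostrophe characters inside the C literal, so unless the rule tokenizer applies shell-style quoting these exercise the "garbage value" path rather than the empty-argument path the comment announces; confirm which is intended and state it in the comment. `-i +` is a valid wildcard interface in iptables, so its presence in the invalid list deserves a comment saying ConnMan rejects it on purpose.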
......
......@@ -231,7 +231,7 @@ cp -a %{SOURCE2} %{buildroot}/%{_lib}/systemd/system/connman.service.d/
mkdir -p %{buildroot}/%{_docdir}/%{name}-%{version}
install -m0644 -t %{buildroot}/%{_docdir}/%{name}-%{version} \
AUTHORS ChangeLog README
AUTHORS ChangeLog README doc/*.txt
%preun
if [ "$1" -eq 0 ]; then
......