/*
 * Round-trip a single filter/INPUT rule through a firewall context.
 *
 * Enabling the context must create the connman-INPUT chain, hook it from
 * INPUT and add the rule to it; disabling must remove all three again.
 */
static void test_firewall_basic0(void)
{
	/*
	 * Rules as they appear in the dumped ruleset. The mark is added as
	 * decimal 999 but shows up as 0x3e7 in the dump.
	 */
	static const char *const expected[] = {
		":connman-INPUT - [0:0]",
		"-A INPUT -j connman-INPUT",
		"-A connman-INPUT -m mark --mark 0x3e7 -j LOG",
	};
	const size_t n_expected = sizeof expected / sizeof expected[0];
	struct firewall_context *fw;
	size_t i;
	int ret;

	fw = __connman_firewall_create();
	g_assert(fw);

	/* Keep the calls outside g_assert() so they still run if asserts are compiled out. */
	ret = __connman_firewall_add_rule(fw, "filter", "INPUT",
					"-m mark --mark 999 -j LOG");
	g_assert(ret == 0);

	ret = __connman_firewall_enable(fw);
	g_assert(ret == 0);

	for (i = 0; i < n_expected; i++)
		assert_rule_exists("filter", expected[i]);

	ret = __connman_firewall_disable(fw);
	g_assert(ret == 0);

	for (i = 0; i < n_expected; i++)
		assert_rule_not_exists("filter", expected[i]);

	__connman_firewall_destroy(fw);
}
/*
 * Bind the NAT entry to the current default interface and install a
 * MASQUERADE rule for its source network in nat/POSTROUTING.
 *
 * Returns 0 when there is no default interface (nothing to do), the
 * negative error from adding the rule, or the result of enabling the
 * firewall context.
 */
static int enable_nat(struct connman_nat *nat)
{
	char *rule;
	int err;

	/* Replace whatever interface the entry was bound to before. */
	g_free(nat->interface);
	nat->interface = g_strdup(default_interface);
	if (!nat->interface)
		return 0;

	/*
	 * NOTE(review): other callers on this page hand printf-style formats
	 * to __connman_firewall_add_rule(). If this build's add_rule is
	 * variadic, a '%' in nat->address would be parsed as a conversion
	 * here; confirm the API, and pass the format and arguments directly
	 * if it is.
	 */
	rule = g_strdup_printf("-s %s/%d -o %s -j MASQUERADE",
					nat->address,
					nat->prefixlen,
					nat->interface);

	err = __connman_firewall_add_rule(nat->fw, "nat", "POSTROUTING", rule);
	g_free(rule);

	return err < 0 ? err : __connman_firewall_enable(nat->fw);
}
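/*
 * Lazily install the process-wide mangle rules that restore the connection
 * mark on INPUT and save it on POSTROUTING.
 *
 * Idempotent: once global_firewall is set, later calls return 0 without
 * touching the firewall again.
 *
 * Returns 0 on success, -ENOMEM if no firewall context could be created,
 * or the negative error reported by the firewall layer. On failure the
 * partially built context is destroyed and global_firewall stays unset.
 */
static int init_firewall(void)
{
    struct firewall_context *fw;
    int err;

    if (global_firewall)
        return 0;

    fw = __connman_firewall_create();
    /* Same check init_firewall_session() makes; never hand NULL to add_rule. */
    if (!fw)
        return -ENOMEM;

    err = __connman_firewall_add_rule(fw, "mangle", "INPUT",
                                      "-j CONNMARK --restore-mark");
    if (err < 0)
        goto err;

    err = __connman_firewall_add_rule(fw, "mangle", "POSTROUTING",
                                      "-j CONNMARK --save-mark");
    if (err < 0)
        goto err;

    err = __connman_firewall_enable(fw);
    if (err < 0)
        goto err;

    global_firewall = fw;

    return 0;

err:
    __connman_firewall_destroy(fw);

    return err;
}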
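/*
 * Create the per-session firewall context that marks outgoing packets of
 * the session's owner (by uid or gid) with session->mark.
 *
 * Sessions whose policy has no id type get no firewall and return 0.
 * The global CONNMARK rules are installed first via init_firewall().
 *
 * Returns 0 on success, -ENOMEM if no context could be created, -EINVAL
 * for an id type no rule is generated for (LSM and anything unknown), or
 * the error from the firewall layer. session->fw and session->id_type are
 * only written once the rules are enabled, so a failure leaves both as
 * they were.
 */
static int init_firewall_session(struct connman_session *session)
{
    struct firewall_context *fw;
    int err;

    if (session->policy_config->id_type == CONNMAN_SESSION_ID_TYPE_UNKNOWN)
        return 0;

    DBG("");

    err = init_firewall();
    if (err < 0)
        return err;

    fw = __connman_firewall_create();
    if (!fw)
        return -ENOMEM;

    /*
     * NOTE(review): policy_config->id is spliced into the rule via %s.
     * It presumably comes from the session policy files; confirm it is
     * validated (numeric id or plain name) where those are parsed.
     */
    switch (session->policy_config->id_type) {
    case CONNMAN_SESSION_ID_TYPE_UID:
        err = __connman_firewall_add_rule(fw, "mangle", "OUTPUT",
                                          "-m owner --uid-owner %s -j MARK --set-mark %d",
                                          session->policy_config->id,
                                          session->mark);
        break;
    case CONNMAN_SESSION_ID_TYPE_GID:
        err = __connman_firewall_add_rule(fw, "mangle", "OUTPUT",
                                          "-m owner --gid-owner %s -j MARK --set-mark %d",
                                          session->policy_config->id,
                                          session->mark);
        break;
    case CONNMAN_SESSION_ID_TYPE_LSM:
    default:
        /* No rule is generated for these id types; reject the session. */
        err = -EINVAL;
        break;
    }

    if (err < 0)
        goto err;

    err = __connman_firewall_enable(fw);
    if (err)
        goto err;

    /*
     * Commit the session state only after the rules are live; previously
     * id_type was set before enable, leaving it stale when enable failed.
     */
    session->fw = fw;
    session->id_type = session->policy_config->id_type;

    return 0;

err:
    __connman_firewall_destroy(fw);

    return err;
}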
/*
 * Enable and disable a context holding the two CONNMARK rules (restore on
 * INPUT, save on POSTROUTING) in the mangle table. Only the return codes
 * are checked.
 */
static void test_firewall_basic2(void)
{
	static const struct {
		const char *chain;
		const char *rule;
	} rules[] = {
		{ "INPUT",       "-j CONNMARK --restore-mark" },
		{ "POSTROUTING", "-j CONNMARK --save-mark" },
	};
	struct firewall_context *fw;
	size_t i;
	int ret;

	fw = __connman_firewall_create();
	g_assert(fw);

	/* Calls stay outside g_assert() so they run even if asserts are compiled out. */
	for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
		ret = __connman_firewall_add_rule(fw, "mangle", rules[i].chain,
					rules[i].rule);
		g_assert(ret == 0);
	}

	ret = __connman_firewall_enable(fw);
	g_assert(ret == 0);

	ret = __connman_firewall_disable(fw);
	g_assert(ret == 0);

	__connman_firewall_destroy(fw);
}
/*
 * Enable and disable a context with the same mark/LOG rule in both the
 * filter INPUT and OUTPUT chains. Only the return codes are checked.
 */
static void test_firewall_basic1(void)
{
	static const char *const chains[] = { "INPUT", "OUTPUT" };
	struct firewall_context *fw;
	size_t i;
	int ret;

	fw = __connman_firewall_create();
	g_assert(fw);

	/* Calls stay outside g_assert() so they run even if asserts are compiled out. */
	for (i = 0; i < sizeof chains / sizeof chains[0]; i++) {
		ret = __connman_firewall_add_rule(fw, "filter", chains[i],
					"-m mark --mark 999 -j LOG");
		g_assert(ret == 0);
	}

	ret = __connman_firewall_enable(fw);
	g_assert(ret == 0);

	ret = __connman_firewall_disable(fw);
	g_assert(ret == 0);

	__connman_firewall_destroy(fw);
}