/*
 * Round-trip a single filter rule through a fresh firewall context:
 * add, enable, verify the chain/jump/rule entries are present, disable,
 * verify they are gone, destroy.
 *
 * The enabled rule is listed with the mark in hexadecimal (0x3e7 == 999),
 * which is why the add_rule text and the assert_rule_* text differ.
 */
static void test_firewall_basic0(void)
{
	struct firewall_context *fw_ctx = __connman_firewall_create();
	int rc;

	g_assert(fw_ctx);

	rc = __connman_firewall_add_rule(fw_ctx, "filter", "INPUT",
					"-m mark --mark 999 -j LOG");
	g_assert(rc == 0);

	rc = __connman_firewall_enable(fw_ctx);
	g_assert(rc == 0);

	/* The private chain, the jump into it and the rule itself must exist. */
	assert_rule_exists("filter", ":connman-INPUT - [0:0]");
	assert_rule_exists("filter", "-A INPUT -j connman-INPUT");
	assert_rule_exists("filter",
			"-A connman-INPUT -m mark --mark 0x3e7 -j LOG");

	rc = __connman_firewall_disable(fw_ctx);
	g_assert(rc == 0);

	/* Disabling must remove all three entries again, not just the rule. */
	assert_rule_not_exists("filter", ":connman-INPUT - [0:0]");
	assert_rule_not_exists("filter", "-A INPUT -j connman-INPUT");
	assert_rule_not_exists("filter",
			"-A connman-INPUT -m mark --mark 0x3e7 -j LOG");

	__connman_firewall_destroy(fw_ctx);
}
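/*
 * Lazily install the process-wide session firewall: the CONNMARK
 * restore/save rules in the mangle table that per-session marks rely on.
 *
 * Returns 0 on success (including when already initialised), -ENOMEM if
 * no firewall context could be allocated, or the negative error from the
 * add_rule/enable step that failed.  On failure the context is destroyed
 * and global_firewall stays NULL, so a later call retries from scratch.
 */
static int init_firewall(void)
{
	struct firewall_context *fw;
	int err;

	if (global_firewall)
		return 0;

	fw = __connman_firewall_create();
	if (!fw)
		return -ENOMEM;	/* the other callers in this file check this too */

	err = __connman_firewall_add_rule(fw, "mangle", "INPUT",
					"-j CONNMARK --restore-mark");
	if (err < 0)
		goto fail;

	err = __connman_firewall_add_rule(fw, "mangle", "POSTROUTING",
					"-j CONNMARK --save-mark");
	if (err < 0)
		goto fail;

	err = __connman_firewall_enable(fw);
	if (err < 0)
		goto fail;

	global_firewall = fw;
	return 0;

fail:
	__connman_firewall_destroy(fw);
	return err;
}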
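/*
 * Create a SNAT entry for @session on interface @index/@ifname towards
 * @addr and register it in fw_snat_list.
 *
 * Returns 0 on success, -ENOMEM if the firewall context could not be
 * allocated, or the negative error reported by
 * __connman_firewall_enable_snat().  On failure nothing is left in
 * fw_snat_list and all partially built state is released.
 */
static int fw_snat_create(struct connman_session *session, int index,
				const char *ifname, const char *addr)
{
	struct fw_snat *fw_snat;
	int err;

	fw_snat = g_new0(struct fw_snat, 1);

	fw_snat->fw = __connman_firewall_create();
	if (!fw_snat->fw) {
		/* Do not hand a NULL context to enable_snat. */
		err = -ENOMEM;
		goto fail;
	}

	fw_snat->index = index;
	fw_snat->addr = g_strdup(addr);

	fw_snat->id = __connman_firewall_enable_snat(fw_snat->fw, index,
							ifname, addr);
	if (fw_snat->id < 0) {
		err = fw_snat->id;
		goto fail;
	}

	fw_snat_list = g_slist_prepend(fw_snat_list, fw_snat);
	fw_snat->sessions = g_slist_prepend(fw_snat->sessions, session);

	return 0;

fail:
	/* fw may be NULL on the allocation path; addr is NULL via g_new0. */
	if (fw_snat->fw)
		__connman_firewall_destroy(fw_snat->fw);
	g_free(fw_snat->addr);
	g_free(fw_snat);
	return err;
}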
/*
 * Build the per-session OUTPUT marking rule: packets owned by the session's
 * uid or gid get the session mark set in the mangle table.
 *
 * Returns 0 when there is nothing to do (id type UNKNOWN) or on success,
 * -ENOMEM if no context could be allocated, -EINVAL for an id type that
 * is not supported here (LSM or anything else), or the negative error of
 * the step that failed.  On success session->fw and session->id_type are
 * set; on failure the context is destroyed.
 *
 * NOTE(review): policy_config->id is interpolated into the rule text via
 * the add_rule format; this assumes it is already a validated uid/gid
 * token with no whitespace -- confirm at policy-config parse time.
 */
static int init_firewall_session(struct connman_session *session)
{
	struct firewall_context *fw;
	int err;
	enum connman_session_id_type id_type = session->policy_config->id_type;

	if (id_type == CONNMAN_SESSION_ID_TYPE_UNKNOWN)
		return 0;

	DBG("");

	/* The shared CONNMARK restore/save rules must be in place first. */
	err = init_firewall();
	if (err < 0)
		return err;

	fw = __connman_firewall_create();
	if (!fw)
		return -ENOMEM;

	if (id_type == CONNMAN_SESSION_ID_TYPE_UID) {
		err = __connman_firewall_add_rule(fw, "mangle", "OUTPUT",
				"-m owner --uid-owner %s -j MARK --set-mark %d",
				session->policy_config->id, session->mark);
	} else if (id_type == CONNMAN_SESSION_ID_TYPE_GID) {
		err = __connman_firewall_add_rule(fw, "mangle", "OUTPUT",
				"-m owner --gid-owner %s -j MARK --set-mark %d",
				session->policy_config->id, session->mark);
	} else {
		/* CONNMAN_SESSION_ID_TYPE_LSM and unknown values */
		err = -EINVAL;
	}

	if (err < 0)
		goto fail;

	session->id_type = id_type;

	err = __connman_firewall_enable(fw);
	if (err != 0)
		goto fail;

	session->fw = fw;
	return 0;

fail:
	__connman_firewall_destroy(fw);
	return err;
}
/*
 * Create the session's marking firewall context, keyed either on the
 * owner id (uid/gid/...) from the policy config, on the service's local
 * IPv4 address when the source_ip_rule option is set, or on both.
 *
 * Returns 0 when there is nothing to mark on or on success, -ENOMEM if
 * no context could be allocated, or the negative error from
 * __connman_firewall_enable_marking().  On success session->fw and
 * session->id_type are set; on failure the context is destroyed.
 */
static int init_firewall_session(struct connman_session *session)
{
	struct firewall_context *fw;
	struct connman_ipconfig *ip4 = NULL;
	const char *local_addr = NULL;
	int id_unknown =
		session->policy_config->id_type == CONNMAN_SESSION_ID_TYPE_UNKNOWN;
	int err;

	/* No owner id and no source-ip rule: nothing to install. */
	if (id_unknown && !session->info->config.source_ip_rule)
		return 0;

	DBG("");

	if (session->info->config.source_ip_rule) {
		ip4 = __connman_service_get_ip4config(session->service);
		/* Source-ip was the only criterion and there is no IPv4 config. */
		if (id_unknown && !ip4)
			return 0;
	}

	fw = __connman_firewall_create();
	if (!fw)
		return -ENOMEM;

	/* ip4 is only ever non-NULL when source_ip_rule is set. */
	if (ip4)
		local_addr = __connman_ipconfig_get_local(ip4);

	err = __connman_firewall_enable_marking(fw,
					session->policy_config->id_type,
					session->policy_config->id,
					local_addr, session->mark);
	if (err < 0) {
		__connman_firewall_destroy(fw);
		return err;
	}

	session->id_type = session->policy_config->id_type;
	session->fw = fw;

	return 0;
}
/*
 * Enable NAT for the network @address/@prefixlen under the key @name.
 *
 * IP forwarding is switched on when the first entry is added.  The entry
 * is stored in nat_hash (replacing any previous entry with the same name)
 * and the result of enable_nat() is returned.
 *
 * Returns -ENOMEM if the entry or its firewall context could not be
 * allocated, the error from enable_ip_forward() if that failed, or the
 * return value of enable_nat().  On an allocation failure the partial
 * entry is released and forwarding is turned off again if no entries
 * exist.
 */
int __connman_nat_enable(const char *name, const char *address,
				unsigned char prefixlen)
{
	struct connman_nat *entry = NULL;
	int err;

	/* First entry: forwarding must be on before any NAT rule is useful. */
	if (g_hash_table_size(nat_hash) == 0) {
		err = enable_ip_forward(true);
		if (err < 0)
			return err;
	}

	entry = g_try_new0(struct connman_nat, 1);
	if (!entry)
		goto fail;

	entry->fw = __connman_firewall_create();
	if (!entry->fw)
		goto fail;

	entry->address = g_strdup(address);
	entry->prefixlen = prefixlen;

	g_hash_table_replace(nat_hash, g_strdup(name), entry);

	return enable_nat(entry);

fail:
	if (entry) {
		if (entry->fw)
			__connman_firewall_destroy(entry->fw);
		g_free(entry);
	}

	/* Undo the forwarding change made above if nothing else needs it. */
	if (g_hash_table_size(nat_hash) == 0)
		enable_ip_forward(false);

	return -ENOMEM;
}
/*
 * Enable/disable round trip with two mangle-table rules (the CONNMARK
 * restore/save pair) in one context; only return codes are checked.
 */
static void test_firewall_basic2(void)
{
	struct firewall_context *fw_ctx = __connman_firewall_create();
	int rc;

	g_assert(fw_ctx);

	rc = __connman_firewall_add_rule(fw_ctx, "mangle", "INPUT",
					"-j CONNMARK --restore-mark");
	g_assert(rc == 0);

	rc = __connman_firewall_add_rule(fw_ctx, "mangle", "POSTROUTING",
					"-j CONNMARK --save-mark");
	g_assert(rc == 0);

	rc = __connman_firewall_enable(fw_ctx);
	g_assert(rc == 0);

	rc = __connman_firewall_disable(fw_ctx);
	g_assert(rc == 0);

	__connman_firewall_destroy(fw_ctx);
}
/*
 * Enable/disable round trip with one rule each in the filter INPUT and
 * OUTPUT chains of a single context; only return codes are checked.
 */
static void test_firewall_basic1(void)
{
	struct firewall_context *fw_ctx = __connman_firewall_create();
	int rc;

	g_assert(fw_ctx);

	rc = __connman_firewall_add_rule(fw_ctx, "filter", "INPUT",
					"-m mark --mark 999 -j LOG");
	g_assert(rc == 0);

	rc = __connman_firewall_add_rule(fw_ctx, "filter", "OUTPUT",
					"-m mark --mark 999 -j LOG");
	g_assert(rc == 0);

	rc = __connman_firewall_enable(fw_ctx);
	g_assert(rc == 0);

	rc = __connman_firewall_disable(fw_ctx);
	g_assert(rc == 0);

	__connman_firewall_destroy(fw_ctx);
}