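/*
 * Create and enable the global mangle-table context that restores the
 * connection mark on INPUT and saves it on POSTROUTING.
 *
 * Idempotent: returns 0 immediately when global_firewall is already set.
 * Returns 0 on success or a negative error code; on failure the partially
 * built context is destroyed and global_firewall is left untouched.
 */
static int init_firewall(void)
{
	struct firewall_context *fw;
	int err;

	if (global_firewall)
		return 0;

	fw = __connman_firewall_create();
	/*
	 * Same allocation-failure handling as init_firewall_session();
	 * previously a NULL context was handed straight to add_rule().
	 */
	if (!fw)
		return -ENOMEM;

	err = __connman_firewall_add_rule(fw, "mangle", "INPUT",
					"-j CONNMARK --restore-mark");
	if (err < 0)
		goto err;

	err = __connman_firewall_add_rule(fw, "mangle", "POSTROUTING",
					"-j CONNMARK --save-mark");
	if (err < 0)
		goto err;

	err = __connman_firewall_enable(fw);
	if (err < 0)
		goto err;

	global_firewall = fw;

	return 0;

err:
	__connman_firewall_destroy(fw);

	return err;
}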
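/*
 * Build and enable the per-session context that marks traffic sent by the
 * uid or gid named in the session's policy config with session->mark; the
 * global CONNMARK rules from init_firewall() then save and restore that
 * mark.  Sessions with an UNKNOWN id type get no rule and succeed; the LSM
 * id type is not implemented and fails with -EINVAL.
 *
 * Returns 0 on success or a negative error code.  On failure the new
 * context is destroyed and the session is left unmodified: id_type and fw
 * are only assigned once the context has been enabled, so a failed enable
 * no longer leaves id_type set without a matching fw.
 */
static int init_firewall_session(struct connman_session *session)
{
	struct firewall_context *fw;
	int err;

	if (session->policy_config->id_type == CONNMAN_SESSION_ID_TYPE_UNKNOWN)
		return 0;

	DBG("");

	err = init_firewall();
	if (err < 0)
		return err;

	fw = __connman_firewall_create();
	if (!fw)
		return -ENOMEM;

	/*
	 * policy_config->id is spliced into the rule text as the owner match
	 * argument.  NOTE(review): presumably validated when the policy is
	 * loaded — confirm, since nothing here checks it.
	 */
	switch (session->policy_config->id_type) {
	case CONNMAN_SESSION_ID_TYPE_UID:
		err = __connman_firewall_add_rule(fw, "mangle", "OUTPUT",
				"-m owner --uid-owner %s -j MARK --set-mark %d",
				session->policy_config->id,
				session->mark);
		break;
	case CONNMAN_SESSION_ID_TYPE_GID:
		err = __connman_firewall_add_rule(fw, "mangle", "OUTPUT",
				"-m owner --gid-owner %s -j MARK --set-mark %d",
				session->policy_config->id,
				session->mark);
		break;
	case CONNMAN_SESSION_ID_TYPE_LSM:
	default:
		err = -EINVAL;
	}

	if (err < 0)
		goto err;

	err = __connman_firewall_enable(fw);
	if (err)
		goto err;

	/* Commit session state only after the context is live. */
	session->id_type = session->policy_config->id_type;
	session->fw = fw;

	return 0;

err:
	__connman_firewall_destroy(fw);

	return err;
}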
/*
 * Single filter/INPUT rule: enabling the context must create the
 * connman-INPUT chain, jump to it from INPUT and install the rule (mark
 * 999 is shown as 0x3e7 by iptables); disabling must remove all three.
 */
static void test_firewall_basic0(void)
{
	static const char *const expected[] = {
		":connman-INPUT - [0:0]",
		"-A INPUT -j connman-INPUT",
		"-A connman-INPUT -m mark --mark 0x3e7 -j LOG",
	};
	struct firewall_context *fw;
	unsigned int i;
	int ret;

	fw = __connman_firewall_create();
	g_assert(fw);

	ret = __connman_firewall_add_rule(fw, "filter", "INPUT",
					"-m mark --mark 999 -j LOG");
	g_assert(ret == 0);

	ret = __connman_firewall_enable(fw);
	g_assert(ret == 0);

	for (i = 0; i < sizeof(expected) / sizeof(expected[0]); i++)
		assert_rule_exists("filter", expected[i]);

	ret = __connman_firewall_disable(fw);
	g_assert(ret == 0);

	for (i = 0; i < sizeof(expected) / sizeof(expected[0]); i++)
		assert_rule_not_exists("filter", expected[i]);

	__connman_firewall_destroy(fw);
}
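/*
 * Install the MASQUERADE rule for a NAT entry on the current default
 * interface and enable its firewall context.
 *
 * nat->interface is replaced with a copy of default_interface; when there
 * is no default interface there is nothing to masquerade through and 0 is
 * returned without touching the firewall.
 *
 * Returns 0 on success or a negative error code from the firewall layer.
 */
static int enable_nat(struct connman_nat *nat)
{
	int err;

	g_free(nat->interface);
	nat->interface = g_strdup(default_interface);
	if (nat->interface == NULL)
		return 0;

	/*
	 * Enable masquerading.  The rule is passed as a literal format plus
	 * arguments instead of being pre-rendered with g_strdup_printf():
	 * handing an already expanded string to a printf-style function
	 * would let a '%' in the address or interface name be read as a
	 * conversion directive (CERT FIO30-C).  This also drops the
	 * temporary allocation.
	 */
	err = __connman_firewall_add_rule(nat->fw, "nat", "POSTROUTING",
					"-s %s/%d -o %s -j MASQUERADE",
					nat->address, nat->prefixlen,
					nat->interface);
	if (err < 0)
		return err;

	return __connman_firewall_enable(nat->fw);
}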
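/*
 * Add and enable a SNAT rule rewriting the session's outgoing traffic to
 * the local IPv4 address of its service, recording the rule id in
 * session->snat_id.  Best effort: any failure is logged and the session is
 * left without a SNAT rule.  Does nothing when the session has no firewall
 * context.
 */
static void add_nat_rules(struct connman_session *session)
{
	struct connman_ipconfig *ipconfig;
	const char *addr;
	char *ifname;
	int index, id, err;

	if (!session->fw)
		return;

	DBG("");

	ipconfig = __connman_service_get_ip4config(session->service);
	if (!ipconfig) {
		DBG("no IPv4 config for service");
		return;
	}

	index = __connman_ipconfig_get_index(ipconfig);
	ifname = connman_inet_ifname(index);
	addr = __connman_ipconfig_get_local(ipconfig);
	/*
	 * Both values are interpolated with %s below; a NULL argument is
	 * undefined behaviour and at best yields an unusable rule text.
	 */
	if (!ifname || !addr) {
		DBG("missing interface name or local address for SNAT rule");
		g_free(ifname);
		return;
	}

	id = __connman_firewall_add_rule(session->fw, "nat", "POSTROUTING",
					"-o %s -j SNAT --to-source %s",
					ifname, addr);
	g_free(ifname);
	if (id < 0) {
		DBG("failed to add SNAT rule");
		return;
	}

	err = __connman_firewall_enable_rule(session->fw, id);
	if (err < 0) {
		DBG("could not enable SNAT rule");
		/* Do not leave a rule registered that never became active. */
		__connman_firewall_remove_rule(session->fw, id);
		return;
	}

	session->snat_id = id;
}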
static void test_firewall_basic2(void) { struct firewall_context *ctx; int err; ctx = __connman_firewall_create(); g_assert(ctx); err = __connman_firewall_add_rule(ctx, "mangle", "INPUT", "-j CONNMARK --restore-mark"); g_assert(err == 0); err = __connman_firewall_add_rule(ctx, "mangle", "POSTROUTING", "-j CONNMARK --save-mark"); g_assert(err == 0); err = __connman_firewall_enable(ctx); g_assert(err == 0); err = __connman_firewall_disable(ctx); g_assert(err == 0); __connman_firewall_destroy(ctx); }
static void test_firewall_basic1(void) { struct firewall_context *ctx; int err; ctx = __connman_firewall_create(); g_assert(ctx); err = __connman_firewall_add_rule(ctx, "filter", "INPUT", "-m mark --mark 999 -j LOG"); g_assert(err == 0); err = __connman_firewall_add_rule(ctx, "filter", "OUTPUT", "-m mark --mark 999 -j LOG"); g_assert(err == 0); err = __connman_firewall_enable(ctx); g_assert(err == 0); err = __connman_firewall_disable(ctx); g_assert(err == 0); __connman_firewall_destroy(ctx); }