Exemplo n.º 1
0
static void test_firewall_basic0(void)
{
	struct firewall_context *ctx;
	int err;

	ctx = __connman_firewall_create();
	g_assert(ctx);

	err = __connman_firewall_add_rule(ctx, "filter", "INPUT",
					"-m mark --mark 999 -j LOG");
	g_assert(err == 0);

	err = __connman_firewall_enable(ctx);
	g_assert(err == 0);

	assert_rule_exists("filter", ":connman-INPUT - [0:0]");
	assert_rule_exists("filter", "-A INPUT -j connman-INPUT");
	assert_rule_exists("filter", "-A connman-INPUT -m mark --mark 0x3e7 -j LOG");

	err = __connman_firewall_disable(ctx);
	g_assert(err == 0);

	assert_rule_not_exists("filter", ":connman-INPUT - [0:0]");
	assert_rule_not_exists("filter", "-A INPUT -j connman-INPUT");
	assert_rule_not_exists("filter", "-A connman-INPUT -m mark --mark 0x3e7 -j LOG");

	__connman_firewall_destroy(ctx);
}
Exemplo n.º 2
0
static int init_firewall(void)
{
    struct firewall_context *fw;
    int err;

    if (global_firewall)
        return 0;

    fw = __connman_firewall_create();

    err = __connman_firewall_add_rule(fw, "mangle", "INPUT",
                                      "-j CONNMARK --restore-mark");
    if (err < 0)
        goto err;

    err = __connman_firewall_add_rule(fw, "mangle", "POSTROUTING",
                                      "-j CONNMARK --save-mark");
    if (err < 0)
        goto err;

    err = __connman_firewall_enable(fw);
    if (err < 0)
        goto err;

    global_firewall = fw;

    return 0;

err:
    __connman_firewall_destroy(fw);

    return err;
}
Exemplo n.º 3
0
static int fw_snat_create(struct connman_session *session,
				int index, const char *ifname, const char *addr)
{
	struct fw_snat *fw_snat;
	int err;

	fw_snat = g_new0(struct fw_snat, 1);

	fw_snat->fw = __connman_firewall_create();
	fw_snat->index = index;
	fw_snat->addr = g_strdup(addr);

	fw_snat->id = __connman_firewall_enable_snat(fw_snat->fw,
						index, ifname, addr);
	if (fw_snat->id < 0) {
		err = fw_snat->id;
		goto err;
	}

	fw_snat_list = g_slist_prepend(fw_snat_list, fw_snat);
	fw_snat->sessions = g_slist_prepend(fw_snat->sessions, session);

	return 0;
err:
	__connman_firewall_destroy(fw_snat->fw);
	g_free(fw_snat->addr);
	g_free(fw_snat);
	return err;
}
Exemplo n.º 4
0
static int init_firewall_session(struct connman_session *session)
{
    struct firewall_context *fw;
    int err;

    if (session->policy_config->id_type == CONNMAN_SESSION_ID_TYPE_UNKNOWN)
        return 0;

    DBG("");

    err = init_firewall();
    if (err < 0)
        return err;

    fw = __connman_firewall_create();
    if (!fw)
        return -ENOMEM;

    switch (session->policy_config->id_type) {
    case CONNMAN_SESSION_ID_TYPE_UID:
        err = __connman_firewall_add_rule(fw, "mangle", "OUTPUT",
                                          "-m owner --uid-owner %s -j MARK --set-mark %d",
                                          session->policy_config->id,
                                          session->mark);
        break;
    case CONNMAN_SESSION_ID_TYPE_GID:
        err = __connman_firewall_add_rule(fw, "mangle", "OUTPUT",
                                          "-m owner --gid-owner %s -j MARK --set-mark %d",
                                          session->policy_config->id,
                                          session->mark);
        break;
    case CONNMAN_SESSION_ID_TYPE_LSM:
    default:
        err = -EINVAL;
    }

    if (err < 0)
        goto err;

    session->id_type = session->policy_config->id_type;

    err = __connman_firewall_enable(fw);
    if (err)
        goto err;

    session->fw = fw;

    return 0;

err:
    __connman_firewall_destroy(fw);

    return err;
}
Exemplo n.º 5
0
static int init_firewall_session(struct connman_session *session)
{
	struct firewall_context *fw;
	int err;
	struct connman_ipconfig *ipconfig = NULL;
	const char *addr = NULL;

	if (session->policy_config->id_type == CONNMAN_SESSION_ID_TYPE_UNKNOWN &&
			!session->info->config.source_ip_rule)
		return 0;

	DBG("");

	if (session->info->config.source_ip_rule) {
		ipconfig = __connman_service_get_ip4config(session->service);
		if (session->policy_config->id_type == CONNMAN_SESSION_ID_TYPE_UNKNOWN && !ipconfig)
			return 0;
	}

	fw = __connman_firewall_create();
	if (!fw)
		return -ENOMEM;

	if (session->info->config.source_ip_rule && ipconfig) {
		addr = __connman_ipconfig_get_local(ipconfig);
	}

	err =__connman_firewall_enable_marking(fw,
					session->policy_config->id_type,
					session->policy_config->id,
					addr, session->mark);
	if (err < 0) {
		__connman_firewall_destroy(fw);
		return err;
	}
	session->id_type = session->policy_config->id_type;
	session->fw = fw;

	return 0;
}
Exemplo n.º 6
0
int __connman_nat_enable(const char *name, const char *address,
				unsigned char prefixlen)
{
	struct connman_nat *nat;
	int err;

	if (g_hash_table_size(nat_hash) == 0) {
		err = enable_ip_forward(true);
		if (err < 0)
			return err;
	}

	nat = g_try_new0(struct connman_nat, 1);
	if (!nat)
		goto err;

	nat->fw = __connman_firewall_create();
	if (!nat->fw)
		goto err;

	nat->address = g_strdup(address);
	nat->prefixlen = prefixlen;

	g_hash_table_replace(nat_hash, g_strdup(name), nat);

	return enable_nat(nat);

err:
	if (nat) {
		if (nat->fw)
			__connman_firewall_destroy(nat->fw);
		g_free(nat);
	}

	if (g_hash_table_size(nat_hash) == 0)
		enable_ip_forward(false);

	return -ENOMEM;
}
Exemplo n.º 7
0
static void test_firewall_basic2(void)
{
	struct firewall_context *ctx;
	int err;

	ctx = __connman_firewall_create();
	g_assert(ctx);

	err = __connman_firewall_add_rule(ctx, "mangle", "INPUT",
					"-j CONNMARK --restore-mark");
	g_assert(err == 0);

	err = __connman_firewall_add_rule(ctx, "mangle", "POSTROUTING",
					"-j CONNMARK --save-mark");
	g_assert(err == 0);

	err = __connman_firewall_enable(ctx);
	g_assert(err == 0);

	err = __connman_firewall_disable(ctx);
	g_assert(err == 0);

	__connman_firewall_destroy(ctx);
}
Exemplo n.º 8
0
static void test_firewall_basic1(void)
{
	struct firewall_context *ctx;
	int err;

	ctx = __connman_firewall_create();
	g_assert(ctx);

	err = __connman_firewall_add_rule(ctx, "filter", "INPUT",
					"-m mark --mark 999 -j LOG");
	g_assert(err == 0);

	err = __connman_firewall_add_rule(ctx, "filter", "OUTPUT",
					"-m mark --mark 999 -j LOG");
	g_assert(err == 0);

	err = __connman_firewall_enable(ctx);
	g_assert(err == 0);

	err = __connman_firewall_disable(ctx);
	g_assert(err == 0);

	__connman_firewall_destroy(ctx);
}