static void test_firewall_basic0(void)
{
struct firewall_context *ctx;
int err;
ctx = __connman_firewall_create();
g_assert(ctx);
err = __connman_firewall_add_rule(ctx, "filter", "INPUT",
"-m mark --mark 999 -j LOG");
g_assert(err == 0);
err = __connman_firewall_enable(ctx);
g_assert(err == 0);
assert_rule_exists("filter", ":connman-INPUT - [0:0]");
assert_rule_exists("filter", "-A INPUT -j connman-INPUT");
assert_rule_exists("filter", "-A connman-INPUT -m mark --mark 0x3e7 -j LOG");
err = __connman_firewall_disable(ctx);
g_assert(err == 0);
assert_rule_not_exists("filter", ":connman-INPUT - [0:0]");
assert_rule_not_exists("filter", "-A INPUT -j connman-INPUT");
assert_rule_not_exists("filter", "-A connman-INPUT -m mark --mark 0x3e7 -j LOG");
__connman_firewall_destroy(ctx);
}
static int init_firewall(void)
{
struct firewall_context *fw;
int err;
if (global_firewall)
return 0;
fw = __connman_firewall_create();
err = __connman_firewall_add_rule(fw, "mangle", "INPUT",
"-j CONNMARK --restore-mark");
if (err < 0)
goto err;
err = __connman_firewall_add_rule(fw, "mangle", "POSTROUTING",
"-j CONNMARK --save-mark");
if (err < 0)
goto err;
err = __connman_firewall_enable(fw);
if (err < 0)
goto err;
global_firewall = fw;
return 0;
err:
__connman_firewall_destroy(fw);
return err;
}
static int fw_snat_create(struct connman_session *session,
int index, const char *ifname, const char *addr)
{
struct fw_snat *fw_snat;
int err;
fw_snat = g_new0(struct fw_snat, 1);
fw_snat->fw = __connman_firewall_create();
fw_snat->index = index;
fw_snat->addr = g_strdup(addr);
fw_snat->id = __connman_firewall_enable_snat(fw_snat->fw,
index, ifname, addr);
if (fw_snat->id < 0) {
err = fw_snat->id;
goto err;
}
fw_snat_list = g_slist_prepend(fw_snat_list, fw_snat);
fw_snat->sessions = g_slist_prepend(fw_snat->sessions, session);
return 0;
err:
__connman_firewall_destroy(fw_snat->fw);
g_free(fw_snat->addr);
g_free(fw_snat);
return err;
}
static void cleanup_firewall(void)
{
if (!global_firewall)
return;
__connman_firewall_disable(global_firewall);
__connman_firewall_destroy(global_firewall);
}
static void cleanup_nat(gpointer data)
{
struct connman_nat *nat = data;
__connman_firewall_destroy(nat->fw);
g_free(nat->address);
g_free(nat->interface);
g_free(nat);
}
static void cleanup_firewall_session(struct connman_session *session)
{
if (!session->fw)
return;
__connman_firewall_disable(session->fw);
__connman_firewall_destroy(session->fw);
session->fw = NULL;
}
static int init_firewall_session(struct connman_session *session)
{
struct firewall_context *fw;
int err;
if (session->policy_config->id_type == CONNMAN_SESSION_ID_TYPE_UNKNOWN)
return 0;
DBG("");
err = init_firewall();
if (err < 0)
return err;
fw = __connman_firewall_create();
if (!fw)
return -ENOMEM;
switch (session->policy_config->id_type) {
case CONNMAN_SESSION_ID_TYPE_UID:
err = __connman_firewall_add_rule(fw, "mangle", "OUTPUT",
"-m owner --uid-owner %s -j MARK --set-mark %d",
session->policy_config->id,
session->mark);
break;
case CONNMAN_SESSION_ID_TYPE_GID:
err = __connman_firewall_add_rule(fw, "mangle", "OUTPUT",
"-m owner --gid-owner %s -j MARK --set-mark %d",
session->policy_config->id,
session->mark);
break;
case CONNMAN_SESSION_ID_TYPE_LSM:
default:
err = -EINVAL;
}
if (err < 0)
goto err;
session->id_type = session->policy_config->id_type;
err = __connman_firewall_enable(fw);
if (err)
goto err;
session->fw = fw;
return 0;
err:
__connman_firewall_destroy(fw);
return err;
}
static void fw_snat_unref(struct connman_session *session,
struct fw_snat *fw_snat)
{
fw_snat->sessions = g_slist_remove(fw_snat->sessions, session);
if (fw_snat->sessions)
return;
fw_snat_list = g_slist_remove(fw_snat_list, fw_snat);
__connman_firewall_disable_snat(fw_snat->fw);
__connman_firewall_destroy(fw_snat->fw);
g_free(fw_snat);
}
static int init_firewall_session(struct connman_session *session)
{
struct firewall_context *fw;
int err;
struct connman_ipconfig *ipconfig = NULL;
const char *addr = NULL;
if (session->policy_config->id_type == CONNMAN_SESSION_ID_TYPE_UNKNOWN &&
!session->info->config.source_ip_rule)
return 0;
DBG("");
if (session->info->config.source_ip_rule) {
ipconfig = __connman_service_get_ip4config(session->service);
if (session->policy_config->id_type == CONNMAN_SESSION_ID_TYPE_UNKNOWN && !ipconfig)
return 0;
}
fw = __connman_firewall_create();
if (!fw)
return -ENOMEM;
if (session->info->config.source_ip_rule && ipconfig) {
addr = __connman_ipconfig_get_local(ipconfig);
}
err =__connman_firewall_enable_marking(fw,
session->policy_config->id_type,
session->policy_config->id,
addr, session->mark);
if (err < 0) {
__connman_firewall_destroy(fw);
return err;
}
session->id_type = session->policy_config->id_type;
session->fw = fw;
return 0;
}
int __connman_nat_enable(const char *name, const char *address,
unsigned char prefixlen)
{
struct connman_nat *nat;
int err;
if (g_hash_table_size(nat_hash) == 0) {
err = enable_ip_forward(true);
if (err < 0)
return err;
}
nat = g_try_new0(struct connman_nat, 1);
if (!nat)
goto err;
nat->fw = __connman_firewall_create();
if (!nat->fw)
goto err;
nat->address = g_strdup(address);
nat->prefixlen = prefixlen;
g_hash_table_replace(nat_hash, g_strdup(name), nat);
return enable_nat(nat);
err:
if (nat) {
if (nat->fw)
__connman_firewall_destroy(nat->fw);
g_free(nat);
}
if (g_hash_table_size(nat_hash) == 0)
enable_ip_forward(false);
return -ENOMEM;
}
static void test_firewall_basic2(void)
{
struct firewall_context *ctx;
int err;
ctx = __connman_firewall_create();
g_assert(ctx);
err = __connman_firewall_add_rule(ctx, "mangle", "INPUT",
"-j CONNMARK --restore-mark");
g_assert(err == 0);
err = __connman_firewall_add_rule(ctx, "mangle", "POSTROUTING",
"-j CONNMARK --save-mark");
g_assert(err == 0);
err = __connman_firewall_enable(ctx);
g_assert(err == 0);
err = __connman_firewall_disable(ctx);
g_assert(err == 0);
__connman_firewall_destroy(ctx);
}
static void test_firewall_basic1(void)
{
struct firewall_context *ctx;
int err;
ctx = __connman_firewall_create();
g_assert(ctx);
err = __connman_firewall_add_rule(ctx, "filter", "INPUT",
"-m mark --mark 999 -j LOG");
g_assert(err == 0);
err = __connman_firewall_add_rule(ctx, "filter", "OUTPUT",
"-m mark --mark 999 -j LOG");
g_assert(err == 0);
err = __connman_firewall_enable(ctx);
g_assert(err == 0);
err = __connman_firewall_disable(ctx);
g_assert(err == 0);
__connman_firewall_destroy(ctx);
}
