/*
 * Single-chain round trip: add one rule on filter/INPUT, enable it,
 * verify the managed chain plus its rule are present, disable, and
 * verify all of it is gone again.
 */
static void test_firewall_basic0(void)
{
	struct firewall_context *fw = __connman_firewall_create();
	int rc;

	g_assert(fw);

	rc = __connman_firewall_add_rule(fw, "filter", "INPUT",
					"-m mark --mark 999 -j LOG");
	g_assert(rc == 0);

	rc = __connman_firewall_enable(fw);
	g_assert(rc == 0);

	/* The stored rule renders the mark in hex: 0x3e7 == 999. */
	assert_rule_exists("filter", ":connman-INPUT - [0:0]");
	assert_rule_exists("filter", "-A INPUT -j connman-INPUT");
	assert_rule_exists("filter",
			"-A connman-INPUT -m mark --mark 0x3e7 -j LOG");

	rc = __connman_firewall_disable(fw);
	g_assert(rc == 0);

	assert_rule_not_exists("filter", ":connman-INPUT - [0:0]");
	assert_rule_not_exists("filter", "-A INPUT -j connman-INPUT");
	assert_rule_not_exists("filter",
			"-A connman-INPUT -m mark --mark 0x3e7 -j LOG");

	__connman_firewall_destroy(fw);
}
/*
 * Point the NAT rule at the current default interface and activate it.
 *
 * Replaces nat->interface with a copy of default_interface.  When that
 * copy is NULL (no default interface) the call is a no-op returning 0;
 * otherwise a MASQUERADE rule for nat->address/nat->prefixlen leaving
 * that interface is added to nat/POSTROUTING and nat->fw is enabled.
 *
 * Returns 0 on success or the negative error from the firewall layer.
 */
static int enable_nat(struct connman_nat *nat)
{
	char *rule;
	int rc;

	g_free(nat->interface);
	nat->interface = g_strdup(default_interface);
	if (!nat->interface)
		return 0;

	/* Enable masquerading */
	rule = g_strdup_printf("-s %s/%d -o %s -j MASQUERADE",
				nat->address, nat->prefixlen, nat->interface);
	rc = __connman_firewall_add_rule(nat->fw, "nat", "POSTROUTING", rule);
	g_free(rule);

	return rc < 0 ? rc : __connman_firewall_enable(nat->fw);
}
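/*
 * Lazily create the process-wide firewall context shared by all sessions.
 *
 * Installs the CONNMARK restore/save rules on mangle/INPUT and
 * mangle/POSTROUTING, enables them and stores the context in
 * global_firewall.  Once it exists, further calls return 0 immediately.
 *
 * Returns 0 on success, -ENOMEM if no context could be created, or the
 * negative error from the firewall layer; on failure the context is
 * destroyed and global_firewall stays unset.
 */
static int init_firewall(void)
{
	struct firewall_context *fw;
	int err;

	if (global_firewall)
		return 0;

	fw = __connman_firewall_create();
	/* Do not hand a NULL context to add_rule; mirror the session path. */
	if (!fw)
		return -ENOMEM;

	err = __connman_firewall_add_rule(fw, "mangle", "INPUT",
					"-j CONNMARK --restore-mark");
	if (err < 0)
		goto err;

	err = __connman_firewall_add_rule(fw, "mangle", "POSTROUTING",
					"-j CONNMARK --save-mark");
	if (err < 0)
		goto err;

	err = __connman_firewall_enable(fw);
	if (err < 0)
		goto err;

	global_firewall = fw;

	return 0;

err:
	__connman_firewall_destroy(fw);

	return err;
}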
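/*
 * Attach a per-session firewall context that marks the session owner's
 * outgoing traffic.
 *
 * A session whose policy has no owner type (CONNMAN_SESSION_ID_TYPE_UNKNOWN)
 * needs no firewall and returns 0 without touching anything.  Otherwise the
 * shared global firewall is initialised first, then a mangle/OUTPUT rule is
 * added that sets session->mark on packets owned by the policy's UID or
 * GID.  LSM-based identification is not supported and yields -EINVAL.
 *
 * session->fw and session->id_type are only published once the rules are
 * enabled; on any failure the new context is destroyed and the session is
 * left untouched, so callers never see a half-configured session.
 *
 * Returns 0 on success, -ENOMEM if no context could be created, -EINVAL for
 * an unsupported id type, or the negative error from the firewall layer.
 */
static int init_firewall_session(struct connman_session *session)
{
	struct firewall_context *fw;
	int err;

	if (session->policy_config->id_type == CONNMAN_SESSION_ID_TYPE_UNKNOWN)
		return 0;

	DBG("");

	err = init_firewall();
	if (err < 0)
		return err;

	fw = __connman_firewall_create();
	if (!fw)
		return -ENOMEM;

	switch (session->policy_config->id_type) {
	case CONNMAN_SESSION_ID_TYPE_UID:
		err = __connman_firewall_add_rule(fw, "mangle", "OUTPUT",
				"-m owner --uid-owner %s -j MARK --set-mark %d",
				session->policy_config->id,
				session->mark);
		break;
	case CONNMAN_SESSION_ID_TYPE_GID:
		err = __connman_firewall_add_rule(fw, "mangle", "OUTPUT",
				"-m owner --gid-owner %s -j MARK --set-mark %d",
				session->policy_config->id,
				session->mark);
		break;
	case CONNMAN_SESSION_ID_TYPE_LSM:
	default:
		err = -EINVAL;
	}
	if (err < 0)
		goto err;

	err = __connman_firewall_enable(fw);
	if (err)
		goto err;

	/*
	 * Publish id_type together with fw, after enable succeeded: setting
	 * it earlier left id_type populated with no context on failure.
	 */
	session->id_type = session->policy_config->id_type;
	session->fw = fw;

	return 0;

err:
	__connman_firewall_destroy(fw);

	return err;
}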
/*
 * Two mangle-table rules (INPUT restore-mark, POSTROUTING save-mark)
 * can be added, enabled and disabled without error.
 */
static void test_firewall_basic2(void)
{
	struct firewall_context *fw = __connman_firewall_create();
	int rc;

	g_assert(fw);

	rc = __connman_firewall_add_rule(fw, "mangle", "INPUT",
					"-j CONNMARK --restore-mark");
	g_assert(rc == 0);
	rc = __connman_firewall_add_rule(fw, "mangle", "POSTROUTING",
					"-j CONNMARK --save-mark");
	g_assert(rc == 0);

	rc = __connman_firewall_enable(fw);
	g_assert(rc == 0);
	rc = __connman_firewall_disable(fw);
	g_assert(rc == 0);

	__connman_firewall_destroy(fw);
}
/*
 * Two filter-table rules on different chains (INPUT and OUTPUT, both
 * logging mark 999) can be added, enabled and disabled without error.
 */
static void test_firewall_basic1(void)
{
	struct firewall_context *fw = __connman_firewall_create();
	int rc;

	g_assert(fw);

	rc = __connman_firewall_add_rule(fw, "filter", "INPUT",
					"-m mark --mark 999 -j LOG");
	g_assert(rc == 0);
	rc = __connman_firewall_add_rule(fw, "filter", "OUTPUT",
					"-m mark --mark 999 -j LOG");
	g_assert(rc == 0);

	rc = __connman_firewall_enable(fw);
	g_assert(rc == 0);
	rc = __connman_firewall_disable(fw);
	g_assert(rc == 0);

	__connman_firewall_destroy(fw);
}