summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/firewall.c107
1 files changed, 107 insertions, 0 deletions
diff --git a/src/firewall.c b/src/firewall.c
index e8b7e207..47a5c9d9 100644
--- a/src/firewall.c
+++ b/src/firewall.c
@@ -23,12 +23,119 @@
#include <config.h>
#endif
+#include <xtables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+
#include "connman.h"
+#define CHAIN_PREFIX "connman-"
+
+static const char *builtin_chains[] = {
+ [NF_IP_PRE_ROUTING] = "PREROUTING",
+ [NF_IP_LOCAL_IN] = "INPUT",
+ [NF_IP_FORWARD] = "FORWARD",
+ [NF_IP_LOCAL_OUT] = "OUTPUT",
+ [NF_IP_POST_ROUTING] = "POSTROUTING",
+};
+
+static int chain_to_index(const char *chain_name)
+{
+ if (!g_strcmp0(builtin_chains[NF_IP_PRE_ROUTING], chain_name))
+ return NF_IP_PRE_ROUTING;
+ if (!g_strcmp0(builtin_chains[NF_IP_LOCAL_IN], chain_name))
+ return NF_IP_LOCAL_IN;
+ if (!g_strcmp0(builtin_chains[NF_IP_FORWARD], chain_name))
+ return NF_IP_FORWARD;
+ if (!g_strcmp0(builtin_chains[NF_IP_LOCAL_OUT], chain_name))
+ return NF_IP_LOCAL_OUT;
+ if (!g_strcmp0(builtin_chains[NF_IP_POST_ROUTING], chain_name))
+ return NF_IP_POST_ROUTING;
+
+ return -1;
+}
+
+static int managed_chain_to_index(const char *chain_name)
+{
+ if (g_str_has_prefix(chain_name, CHAIN_PREFIX) == FALSE)
+ return -1;
+
+ return chain_to_index(chain_name + strlen(CHAIN_PREFIX));
+}
+
+static void iterate_chains_cb(const char *chain_name, void *user_data)
+{
+ GSList **chains = user_data;
+ int id;
+
+ id = managed_chain_to_index(chain_name);
+ if (id < 0)
+ return;
+
+ *chains = g_slist_prepend(*chains, GINT_TO_POINTER(id));
+}
+
+static void flush_table(const char *table_name)
+{
+ GSList *chains = NULL, *list;
+ char *rule, *managed_chain;
+ int id, err;
+
+ __connman_iptables_iterate_chains(table_name, iterate_chains_cb,
+ &chains);
+
+ for (list = chains; list != NULL; list = list->next) {
+ id = GPOINTER_TO_INT(list->data);
+
+ managed_chain = g_strdup_printf("%s%s", CHAIN_PREFIX,
+ builtin_chains[id]);
+
+ rule = g_strdup_printf("-j %s", managed_chain);
+ err = __connman_iptables_delete(table_name,
+ builtin_chains[id], rule);
+ if (err < 0) {
+ connman_warn("Failed to delete jump rule '%s': %s",
+ rule, strerror(-err));
+ }
+ g_free(rule);
+
+ err = __connman_iptables_flush_chain(table_name, managed_chain);
+ if (err < 0) {
+ connman_warn("Failed to flush chain '%s': %s",
+ managed_chain, strerror(-err));
+ }
+ err = __connman_iptables_delete_chain(table_name, managed_chain);
+ if (err < 0) {
+ connman_warn("Failed to delete chain '%s': %s",
+ managed_chain, strerror(-err));
+ }
+
+ g_free(managed_chain);
+ }
+
+ err = __connman_iptables_commit(table_name);
+ if (err < 0) {
+ connman_warn("Failed to flush table '%s': %s",
+ table_name, strerror(-err));
+ }
+
+ g_slist_free(chains);
+}
+
+static void flush_all_tables(void)
+{
+ /* Flush the tables ConnMan might have modified */
+
+ flush_table("filter");
+ flush_table("mangle");
+ flush_table("nat");
+}
+
int __connman_firewall_init(void)
{
DBG("");
+ flush_all_tables();
+
return 0;
}