summaryrefslogtreecommitdiff
path: root/src/firewall-iptables.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/firewall-iptables.c')
-rw-r--r--src/firewall-iptables.c631
1 files changed, 631 insertions, 0 deletions
diff --git a/src/firewall-iptables.c b/src/firewall-iptables.c
new file mode 100644
index 00000000..45943a82
--- /dev/null
+++ b/src/firewall-iptables.c
@@ -0,0 +1,631 @@
+/*
+ *
+ * Connection Manager
+ *
+ * Copyright (C) 2013,2015 BMW Car IT GmbH.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <errno.h>
+
+#include <xtables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+#include "connman.h"
+
+#define CHAIN_PREFIX "connman-"
+
+static const char *builtin_chains[] = {
+ [NF_IP_PRE_ROUTING] = "PREROUTING",
+ [NF_IP_LOCAL_IN] = "INPUT",
+ [NF_IP_FORWARD] = "FORWARD",
+ [NF_IP_LOCAL_OUT] = "OUTPUT",
+ [NF_IP_POST_ROUTING] = "POSTROUTING",
+};
+
+struct connman_managed_table {
+ char *name;
+ unsigned int chains[NF_INET_NUMHOOKS];
+};
+
+struct fw_rule {
+ bool enabled;
+ char *table;
+ char *chain;
+ char *rule_spec;
+};
+
+struct firewall_context {
+ GList *rules;
+};
+
+static GSList *managed_tables;
+static struct firewall_context *connmark_ctx;
+static unsigned int connmark_ref;
+
+static int chain_to_index(const char *chain_name)
+{
+ if (!g_strcmp0(builtin_chains[NF_IP_PRE_ROUTING], chain_name))
+ return NF_IP_PRE_ROUTING;
+ if (!g_strcmp0(builtin_chains[NF_IP_LOCAL_IN], chain_name))
+ return NF_IP_LOCAL_IN;
+ if (!g_strcmp0(builtin_chains[NF_IP_FORWARD], chain_name))
+ return NF_IP_FORWARD;
+ if (!g_strcmp0(builtin_chains[NF_IP_LOCAL_OUT], chain_name))
+ return NF_IP_LOCAL_OUT;
+ if (!g_strcmp0(builtin_chains[NF_IP_POST_ROUTING], chain_name))
+ return NF_IP_POST_ROUTING;
+
+ return -1;
+}
+
+static int managed_chain_to_index(const char *chain_name)
+{
+ if (!g_str_has_prefix(chain_name, CHAIN_PREFIX))
+ return -1;
+
+ return chain_to_index(chain_name + strlen(CHAIN_PREFIX));
+}
+
+static int insert_managed_chain(const char *table_name, int id)
+{
+ char *rule, *managed_chain;
+ int err;
+
+ managed_chain = g_strdup_printf("%s%s", CHAIN_PREFIX,
+ builtin_chains[id]);
+
+ err = __connman_iptables_new_chain(table_name, managed_chain);
+ if (err < 0)
+ goto out;
+
+ rule = g_strdup_printf("-j %s", managed_chain);
+ err = __connman_iptables_insert(table_name, builtin_chains[id], rule);
+ g_free(rule);
+ if (err < 0) {
+ __connman_iptables_delete_chain(table_name, managed_chain);
+ goto out;
+ }
+
+out:
+ g_free(managed_chain);
+
+ return err;
+}
+
+static int delete_managed_chain(const char *table_name, int id)
+{
+ char *rule, *managed_chain;
+ int err;
+
+ managed_chain = g_strdup_printf("%s%s", CHAIN_PREFIX,
+ builtin_chains[id]);
+
+ rule = g_strdup_printf("-j %s", managed_chain);
+ err = __connman_iptables_delete(table_name, builtin_chains[id], rule);
+ g_free(rule);
+
+ if (err < 0)
+ goto out;
+
+ err = __connman_iptables_delete_chain(table_name, managed_chain);
+
+out:
+ g_free(managed_chain);
+
+ return err;
+}
+
+static int insert_managed_rule(const char *table_name,
+ const char *chain_name,
+ const char *rule_spec)
+{
+ struct connman_managed_table *mtable = NULL;
+ GSList *list;
+ char *chain;
+ int id, err;
+
+ id = chain_to_index(chain_name);
+ if (id < 0) {
+ /* This chain is not managed */
+ chain = g_strdup(chain_name);
+ goto out;
+ }
+
+ for (list = managed_tables; list; list = list->next) {
+ mtable = list->data;
+
+ if (g_strcmp0(mtable->name, table_name) == 0)
+ break;
+
+ mtable = NULL;
+ }
+
+ if (!mtable) {
+ mtable = g_new0(struct connman_managed_table, 1);
+ mtable->name = g_strdup(table_name);
+
+ managed_tables = g_slist_prepend(managed_tables, mtable);
+ }
+
+ if (mtable->chains[id] == 0) {
+ DBG("table %s add managed chain for %s",
+ table_name, chain_name);
+
+ err = insert_managed_chain(table_name, id);
+ if (err < 0)
+ return err;
+ }
+
+ mtable->chains[id]++;
+ chain = g_strdup_printf("%s%s", CHAIN_PREFIX, chain_name);
+
+out:
+ err = __connman_iptables_append(table_name, chain, rule_spec);
+
+ g_free(chain);
+
+ return err;
+ }
+
+static int delete_managed_rule(const char *table_name,
+ const char *chain_name,
+ const char *rule_spec)
+ {
+ struct connman_managed_table *mtable = NULL;
+ GSList *list;
+ int id, err;
+ char *managed_chain;
+
+ id = chain_to_index(chain_name);
+ if (id < 0) {
+ /* This chain is not managed */
+ return __connman_iptables_delete(table_name, chain_name,
+ rule_spec);
+ }
+
+ managed_chain = g_strdup_printf("%s%s", CHAIN_PREFIX, chain_name);
+
+ err = __connman_iptables_delete(table_name, managed_chain,
+ rule_spec);
+
+ for (list = managed_tables; list; list = list->next) {
+ mtable = list->data;
+
+ if (g_strcmp0(mtable->name, table_name) == 0)
+ break;
+
+ mtable = NULL;
+ }
+
+ if (!mtable) {
+ err = -ENOENT;
+ goto out;
+ }
+
+ mtable->chains[id]--;
+ if (mtable->chains[id] > 0)
+ goto out;
+
+ DBG("table %s remove managed chain for %s",
+ table_name, chain_name);
+
+ err = delete_managed_chain(table_name, id);
+
+ out:
+ g_free(managed_chain);
+
+ return err;
+}
+
+static void cleanup_managed_table(gpointer user_data)
+{
+ struct connman_managed_table *table = user_data;
+
+ g_free(table->name);
+ g_free(table);
+}
+
+static void cleanup_fw_rule(gpointer user_data)
+{
+ struct fw_rule *rule = user_data;
+
+ g_free(rule->rule_spec);
+ g_free(rule->chain);
+ g_free(rule->table);
+ g_free(rule);
+}
+
+struct firewall_context *__connman_firewall_create(void)
+{
+ struct firewall_context *ctx;
+
+ ctx = g_new0(struct firewall_context, 1);
+
+ return ctx;
+}
+
+void __connman_firewall_destroy(struct firewall_context *ctx)
+{
+ g_list_free_full(ctx->rules, cleanup_fw_rule);
+ g_free(ctx);
+}
+
+static int enable_rule(struct fw_rule *rule)
+{
+ int err;
+
+ if (rule->enabled)
+ return -EALREADY;
+
+ DBG("%s %s %s", rule->table, rule->chain, rule->rule_spec);
+
+ err = insert_managed_rule(rule->table, rule->chain, rule->rule_spec);
+ if (err < 0)
+ return err;
+
+ err = __connman_iptables_commit(rule->table);
+ if (err < 0)
+ return err;
+
+ rule->enabled = true;
+
+ return 0;
+}
+
+static int disable_rule(struct fw_rule *rule)
+{
+ int err;
+
+ if (!rule->enabled)
+ return -EALREADY;
+
+ err = delete_managed_rule(rule->table, rule->chain, rule->rule_spec);
+ if (err < 0) {
+ connman_error("Cannot remove previously installed "
+ "iptables rules: %s", strerror(-err));
+ return err;
+ }
+
+ err = __connman_iptables_commit(rule->table);
+ if (err < 0) {
+ connman_error("Cannot remove previously installed "
+ "iptables rules: %s", strerror(-err));
+ return err;
+ }
+
+ rule->enabled = false;
+
+ return 0;
+}
+
+static void firewall_add_rule(struct firewall_context *ctx,
+ const char *table,
+ const char *chain,
+ const char *rule_fmt, ...)
+{
+ va_list args;
+ char *rule_spec;
+ struct fw_rule *rule;
+
+ va_start(args, rule_fmt);
+
+ rule_spec = g_strdup_vprintf(rule_fmt, args);
+
+ va_end(args);
+
+ rule = g_new0(struct fw_rule, 1);
+
+ rule->enabled = false;
+ rule->table = g_strdup(table);
+ rule->chain = g_strdup(chain);
+ rule->rule_spec = rule_spec;
+
+ ctx->rules = g_list_append(ctx->rules, rule);
+}
+
+static void firewall_remove_rules(struct firewall_context *ctx)
+{
+ struct fw_rule *rule;
+ GList *list;
+
+ for (list = g_list_last(ctx->rules); list;
+ list = g_list_previous(list)) {
+ rule = list->data;
+
+ ctx->rules = g_list_remove(ctx->rules, rule);
+ cleanup_fw_rule(rule);
+ }
+}
+
+static int firewall_enable_rules(struct firewall_context *ctx)
+{
+ struct fw_rule *rule;
+ GList *list;
+ int err = -ENOENT;
+
+ for (list = g_list_first(ctx->rules); list; list = g_list_next(list)) {
+ rule = list->data;
+
+ err = enable_rule(rule);
+ if (err < 0)
+ break;
+ }
+
+ return err;
+}
+
+static int firewall_disable_rules(struct firewall_context *ctx)
+{
+ struct fw_rule *rule;
+ GList *list;
+ int e;
+ int err = -ENOENT;
+
+ for (list = g_list_last(ctx->rules); list;
+ list = g_list_previous(list)) {
+ rule = list->data;
+
+ e = disable_rule(rule);
+
+ /* Report last error back */
+ if (e == 0 && err == -ENOENT)
+ err = 0;
+ else if (e < 0)
+ err = e;
+ }
+
+ return err;
+}
+
+int __connman_firewall_enable_nat(struct firewall_context *ctx,
+ char *address, unsigned char prefixlen,
+ char *interface)
+{
+ char *cmd;
+ int err;
+
+ cmd = g_strdup_printf("-s %s/%d -o %s -j MASQUERADE",
+ address, prefixlen, interface);
+
+ firewall_add_rule(ctx, "nat", "POSTROUTING", cmd);
+ g_free(cmd);
+ err = firewall_enable_rules(ctx);
+ if (err)
+ firewall_remove_rules(ctx);
+ return err;
+}
+
+int __connman_firewall_disable_nat(struct firewall_context *ctx)
+{
+ int err;
+
+ err = firewall_disable_rules(ctx);
+ if (err < 0) {
+ DBG("could not disable NAT rule");
+ return err;
+ }
+
+ firewall_remove_rules(ctx);
+ return 0;
+}
+
+int __connman_firewall_enable_snat(struct firewall_context *ctx,
+ int index, const char *ifname,
+ const char *addr)
+{
+ int err;
+
+ firewall_add_rule(ctx, "nat", "POSTROUTING",
+ "-o %s -j SNAT --to-source %s",
+ ifname, addr);
+
+ err = firewall_enable_rules(ctx);
+ if (err)
+ firewall_remove_rules(ctx);
+ return err;
+}
+
+int __connman_firewall_disable_snat(struct firewall_context *ctx)
+{
+ int err;
+
+ err = firewall_disable_rules(ctx);
+ if (err < 0) {
+ DBG("could not disable SNAT rule");
+ return err;
+ }
+
+ firewall_remove_rules(ctx);
+ return 0;
+}
+
+static int firewall_enable_connmark(void)
+{
+ int err;
+
+ if (connmark_ref > 0) {
+ connmark_ref++;
+ return 0;
+ }
+
+ connmark_ctx = __connman_firewall_create();
+
+ firewall_add_rule(connmark_ctx, "mangle", "INPUT",
+ "-j CONNMARK --restore-mark");
+ firewall_add_rule(connmark_ctx, "mangle", "POSTROUTING",
+ "-j CONNMARK --save-mark");
+ err = firewall_enable_rules(connmark_ctx);
+ if (err) {
+ __connman_firewall_destroy(connmark_ctx);
+ connmark_ctx = NULL;
+ return err;
+ }
+ connmark_ref++;
+ return 0;
+}
+
+static void firewall_disable_connmark(void)
+{
+ connmark_ref--;
+ if (connmark_ref > 0)
+ return;
+
+ firewall_disable_rules(connmark_ctx);
+ __connman_firewall_destroy(connmark_ctx);
+ connmark_ctx = NULL;
+}
+
+int __connman_firewall_enable_marking(struct firewall_context *ctx,
+ enum connman_session_id_type id_type,
+ char *id, const char *src_ip,
+ uint32_t mark)
+{
+ int err;
+
+ err = firewall_enable_connmark();
+ if (err)
+ return err;
+
+ switch (id_type) {
+ case CONNMAN_SESSION_ID_TYPE_UID:
+ firewall_add_rule(ctx, "mangle", "OUTPUT",
+ "-m owner --uid-owner %s -j MARK --set-mark %d",
+ id, mark);
+ break;
+ case CONNMAN_SESSION_ID_TYPE_GID:
+ firewall_add_rule(ctx, "mangle", "OUTPUT",
+ "-m owner --gid-owner %s -j MARK --set-mark %d",
+ id, mark);
+ break;
+ case CONNMAN_SESSION_ID_TYPE_UNKNOWN:
+ break;
+ case CONNMAN_SESSION_ID_TYPE_LSM:
+ default:
+ return -EINVAL;
+ }
+
+ if (src_ip) {
+ firewall_add_rule(ctx, "mangle", "OUTPUT",
+ "-s %s -j MARK --set-mark %d",
+ src_ip, mark);
+ }
+
+ return firewall_enable_rules(ctx);
+}
+
+int __connman_firewall_disable_marking(struct firewall_context *ctx)
+{
+ firewall_disable_connmark();
+ return firewall_disable_rules(ctx);
+}
+
+static void iterate_chains_cb(const char *chain_name, void *user_data)
+{
+ GSList **chains = user_data;
+ int id;
+
+ id = managed_chain_to_index(chain_name);
+ if (id < 0)
+ return;
+
+ *chains = g_slist_prepend(*chains, GINT_TO_POINTER(id));
+}
+
+static void flush_table(const char *table_name)
+{
+ GSList *chains = NULL, *list;
+ char *rule, *managed_chain;
+ int id, err;
+
+ __connman_iptables_iterate_chains(table_name, iterate_chains_cb,
+ &chains);
+
+ for (list = chains; list; list = list->next) {
+ id = GPOINTER_TO_INT(list->data);
+
+ managed_chain = g_strdup_printf("%s%s", CHAIN_PREFIX,
+ builtin_chains[id]);
+
+ rule = g_strdup_printf("-j %s", managed_chain);
+ err = __connman_iptables_delete(table_name,
+ builtin_chains[id], rule);
+ if (err < 0) {
+ connman_warn("Failed to delete jump rule '%s': %s",
+ rule, strerror(-err));
+ }
+ g_free(rule);
+
+ err = __connman_iptables_flush_chain(table_name, managed_chain);
+ if (err < 0) {
+ connman_warn("Failed to flush chain '%s': %s",
+ managed_chain, strerror(-err));
+ }
+ err = __connman_iptables_delete_chain(table_name, managed_chain);
+ if (err < 0) {
+ connman_warn("Failed to delete chain '%s': %s",
+ managed_chain, strerror(-err));
+ }
+
+ g_free(managed_chain);
+ }
+
+ err = __connman_iptables_commit(table_name);
+ if (err < 0) {
+ connman_warn("Failed to flush table '%s': %s",
+ table_name, strerror(-err));
+ }
+
+ g_slist_free(chains);
+}
+
+static void flush_all_tables(void)
+{
+ /* Flush the tables ConnMan might have modified
+ * But do so if only ConnMan has done something with
+ * iptables */
+
+ if (!g_file_test("/proc/net/ip_tables_names",
+ G_FILE_TEST_EXISTS | G_FILE_TEST_IS_REGULAR)) {
+ return;
+ }
+
+ flush_table("filter");
+ flush_table("mangle");
+ flush_table("nat");
+}
+
+int __connman_firewall_init(void)
+{
+ DBG("");
+
+ __connman_iptables_init();
+ flush_all_tables();
+
+ return 0;
+}
+
+void __connman_firewall_cleanup(void)
+{
+ DBG("");
+
+ g_slist_free_full(managed_tables, cleanup_managed_table);
+ __connman_iptables_cleanup();
+}