Both functions reset the xtables library. So let's do this
at the same place.

And also use g_strv_length() to count the number of entries.
Thanks Tomasz!
We forgot to free the match rules.
The match or the target might be reused in the next invocation
of iptables and then xtables operates on this invalid pointer.
xt_t->t and xt_m->m are kept alive via the global variables
xtables_targets and xtables_matches.

xtables modifies the global parse table and allocates additional
memory. If that happens we need to free it afterwards.
Currently there exists no API where iptables rules can be set. The flush
code does not touch the default chain policy at the moment. Any
pre-existing iptables rules setting default policy to reject and relying on
individual iptables rules allowing packets going through will prevent
all IP communication. Removing all iptables rules on startup can expose
the device to unwanted traffic as well.
For the time being disable iptables flush on init. Please be careful
with iptables rules and the masquerading ones ConnMan sets when
tethering.

Important if you have a headless system.
The builtin value is only valid in the chain head entry and not
in any other entry. That means we need to look up the head entry
and use that builtin value (== hook id) and then update all
references which follow that chain.

We need to verify that also the arguments are the same, e.g.
if we have two rules like
-t filter -A INPUT -m mark --mark 1 -j LOG
-t filter -A INPUT -m mark --mark 2 -j LOG
then the matcher and the target would be the same without looking
at '1' or '2'.
When deleting a rule, we would always remove the first
rule which matches the 'match' type and target type, so let's also
have a look at the arguments. iptables does it the same way.

Instead of having a pure string based API, we add two new
main functions, __connman_iptables_append() and
__connman_iptables_remove(). The missing commands will be added later.
To simplify the whole code, the __connman_iptables_command() code
is refactored into smaller pieces: parse_rule_spec() calls a few
functions such as clear_tables_flags() and parse_xt_modules()
which should make the reading of the main parser loop simpler.
Also added a few comments on the parser which is really tricky.
This is done in iptables.c directly.
The implementation is ugly but there is not much we can do about it, the
iptables API is being just plain stupid here.
If CONNMAN_IPTABLES_DEBUG is set, then print the table when it is loaded
and print the table which will be written.
Also use DBG() instead of connman_info().

With removing the table argument the callback can now either
iterate over the buffer we get from the kernel or the one we write
to the kernel.

Instead implement the iterator loop directly. Since both dump_entry()
and add_entry() have calculated 'builtin' and 'offset' let's pass
them in as well.
In the next step we are able to remove also the table argument
which will allow us to unify the parsing of the table we get
from IPT_SO_GET_ENTRIES and the table we will pass in to the kernel
via IPT_SO_SET_REPLACE.

That allows the parser to be reentrant.

These are some random notes but should give the next person to debug
iptables some introduction.
When setting IP address information via D-Bus, first create a new ipconfig
structure to hold the values. If the values were validated correctly, update
the service ipconfig structure with the new values. In order to achieve
this, refactor the existing code.
Fixes BMC#25930
The caller has to set the created ipconfig into its data structures.
Also fine tune returned errors.
If we have already received the gateway address via a newroute rtnl
message, then do not overwrite it when receiving a newaddr message.
Fixes BMC#25931

As tethering is enabled on the technology level, both the bluetooth and
the bluetooth_legacy plugin need to register technology drivers for
CONNMAN_SERVICE_TYPE_BLUETOOTH. Modify the technology code to create
a list of registered technology drivers instead of a single technology
driver pointer.
If NULL is returned, GDBus will call the registered function repeatedly.
Allowing more than one network driver to register the same network type
requires the network driver to properly identify which networks belong
to it in the network driver probe function.
In order to keep ConnMan devices in sync with BlueZ 5 adapters, the
individual devices need to be enabled/disabled also when
unblocking/blocking them with rfkill. Thus enable devices after
unblocking and disable devices before blocking with rfkill.

Compare the technology driver pointer to the driver being unregistered
as the function is supposed to remove only the given driver.
Also check if the driver has a remove function before calling it.
Fixes BMC#25862
When enabling IPv6 ipconfig, we enable kernel IPv6 support too early.
The ipconfig might get unreffed which will disable ipconfig and
thus disable kernel IPv6 support. By moving kernel IPv6 enabling
after the ipconfig unref call, we make sure that IPv6 kernel support
is properly enabled.
This is related to fix in commit d479904ecaa2bd9
We set the answer count in host byte order instead of network
byte order when sending a cached AAAA record. This problem is only
seen in the special case when an AAAA record is generated by us when
there is an IPv4 address in the cache but no IPv6 address for the host.

When connecting a network, if its related technology is disabled, this network
will raise an error through the agent, leading to a possible retry request from
the user, and then to a crash if the user does so.
Thus, we prevent any error from being raised in such a situation and silently
disconnect the connecting network instead.

Disabling IPv6 in lower up causes problems in IPv6 connectivity.
The interface IPv6 status can stay in disabled state because of
races. So this patch reverts the commit 4ce90440a70abce7de537777
and lets service IPv6 state go to READY when we get an auto
configured address for the interface.
Fixes BMC#25929
When getting 1 service to online, and disconnecting it: Manager state
stays at 'ready'. This is due to service updating the notifier about
its state 'ready' 2 times. Once when connecting: idle -> ready, and
once when disconnecting: online -> ready.