1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
|
/*
*
* Connection Manager
*
* Copyright (C) 2013 BMW Car IT GmbH.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <xtables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include "connman.h"
#define CHAIN_PREFIX "connman-"
static const char *builtin_chains[] = {
[NF_IP_PRE_ROUTING] = "PREROUTING",
[NF_IP_LOCAL_IN] = "INPUT",
[NF_IP_FORWARD] = "FORWARD",
[NF_IP_LOCAL_OUT] = "OUTPUT",
[NF_IP_POST_ROUTING] = "POSTROUTING",
};
static int chain_to_index(const char *chain_name)
{
if (!g_strcmp0(builtin_chains[NF_IP_PRE_ROUTING], chain_name))
return NF_IP_PRE_ROUTING;
if (!g_strcmp0(builtin_chains[NF_IP_LOCAL_IN], chain_name))
return NF_IP_LOCAL_IN;
if (!g_strcmp0(builtin_chains[NF_IP_FORWARD], chain_name))
return NF_IP_FORWARD;
if (!g_strcmp0(builtin_chains[NF_IP_LOCAL_OUT], chain_name))
return NF_IP_LOCAL_OUT;
if (!g_strcmp0(builtin_chains[NF_IP_POST_ROUTING], chain_name))
return NF_IP_POST_ROUTING;
return -1;
}
static int managed_chain_to_index(const char *chain_name)
{
if (g_str_has_prefix(chain_name, CHAIN_PREFIX) == FALSE)
return -1;
return chain_to_index(chain_name + strlen(CHAIN_PREFIX));
}
static void iterate_chains_cb(const char *chain_name, void *user_data)
{
GSList **chains = user_data;
int id;
id = managed_chain_to_index(chain_name);
if (id < 0)
return;
*chains = g_slist_prepend(*chains, GINT_TO_POINTER(id));
}
static void flush_table(const char *table_name)
{
GSList *chains = NULL, *list;
char *rule, *managed_chain;
int id, err;
__connman_iptables_iterate_chains(table_name, iterate_chains_cb,
&chains);
for (list = chains; list != NULL; list = list->next) {
id = GPOINTER_TO_INT(list->data);
managed_chain = g_strdup_printf("%s%s", CHAIN_PREFIX,
builtin_chains[id]);
rule = g_strdup_printf("-j %s", managed_chain);
err = __connman_iptables_delete(table_name,
builtin_chains[id], rule);
if (err < 0) {
connman_warn("Failed to delete jump rule '%s': %s",
rule, strerror(-err));
}
g_free(rule);
err = __connman_iptables_flush_chain(table_name, managed_chain);
if (err < 0) {
connman_warn("Failed to flush chain '%s': %s",
managed_chain, strerror(-err));
}
err = __connman_iptables_delete_chain(table_name, managed_chain);
if (err < 0) {
connman_warn("Failed to delete chain '%s': %s",
managed_chain, strerror(-err));
}
g_free(managed_chain);
}
err = __connman_iptables_commit(table_name);
if (err < 0) {
connman_warn("Failed to flush table '%s': %s",
table_name, strerror(-err));
}
g_slist_free(chains);
}
static void flush_all_tables(void)
{
/* Flush the tables ConnMan might have modified */
flush_table("filter");
flush_table("mangle");
flush_table("nat");
}
int __connman_firewall_init(void)
{
DBG("");
flush_all_tables();
return 0;
}
void __connman_firewall_cleanup(void)
{
DBG("");
}
|
