5 * Copyright (C) 2013 BMW Car IT GmbH.
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
29 #include <linux/netfilter_ipv4/ip_tables.h>
33 #define CHAIN_PREFIX "connman-"
35 static const char *builtin_chains[] = {
36 [NF_IP_PRE_ROUTING] = "PREROUTING",
37 [NF_IP_LOCAL_IN] = "INPUT",
38 [NF_IP_FORWARD] = "FORWARD",
39 [NF_IP_LOCAL_OUT] = "OUTPUT",
40 [NF_IP_POST_ROUTING] = "POSTROUTING",
43 struct connman_managed_table {
45 unsigned int chains[NF_INET_NUMHOOKS];
54 struct firewall_context {
58 static GSList *managed_tables;
60 static bool firewall_is_up;
62 static int chain_to_index(const char *chain_name)
64 if (!g_strcmp0(builtin_chains[NF_IP_PRE_ROUTING], chain_name))
65 return NF_IP_PRE_ROUTING;
66 if (!g_strcmp0(builtin_chains[NF_IP_LOCAL_IN], chain_name))
67 return NF_IP_LOCAL_IN;
68 if (!g_strcmp0(builtin_chains[NF_IP_FORWARD], chain_name))
70 if (!g_strcmp0(builtin_chains[NF_IP_LOCAL_OUT], chain_name))
71 return NF_IP_LOCAL_OUT;
72 if (!g_strcmp0(builtin_chains[NF_IP_POST_ROUTING], chain_name))
73 return NF_IP_POST_ROUTING;
78 static int managed_chain_to_index(const char *chain_name)
80 if (!g_str_has_prefix(chain_name, CHAIN_PREFIX))
83 return chain_to_index(chain_name + strlen(CHAIN_PREFIX));
86 static int insert_managed_chain(const char *table_name, int id)
88 char *rule, *managed_chain;
91 managed_chain = g_strdup_printf("%s%s", CHAIN_PREFIX,
94 err = __connman_iptables_new_chain(table_name, managed_chain);
98 rule = g_strdup_printf("-j %s", managed_chain);
99 err = __connman_iptables_insert(table_name, builtin_chains[id], rule);
102 __connman_iptables_delete_chain(table_name, managed_chain);
107 g_free(managed_chain);
112 static int delete_managed_chain(const char *table_name, int id)
114 char *rule, *managed_chain;
117 managed_chain = g_strdup_printf("%s%s", CHAIN_PREFIX,
120 rule = g_strdup_printf("-j %s", managed_chain);
121 err = __connman_iptables_delete(table_name, builtin_chains[id], rule);
127 err = __connman_iptables_delete_chain(table_name, managed_chain);
130 g_free(managed_chain);
135 static int insert_managed_rule(const char *table_name,
136 const char *chain_name,
137 const char *rule_spec)
139 struct connman_managed_table *mtable = NULL;
144 id = chain_to_index(chain_name);
146 /* This chain is not managed */
147 chain = g_strdup(chain_name);
151 for (list = managed_tables; list; list = list->next) {
154 if (g_strcmp0(mtable->name, table_name) == 0)
161 mtable = g_new0(struct connman_managed_table, 1);
162 mtable->name = g_strdup(table_name);
164 managed_tables = g_slist_prepend(managed_tables, mtable);
167 if (mtable->chains[id] == 0) {
168 DBG("table %s add managed chain for %s",
169 table_name, chain_name);
171 err = insert_managed_chain(table_name, id);
176 mtable->chains[id]++;
177 chain = g_strdup_printf("%s%s", CHAIN_PREFIX, chain_name);
180 err = __connman_iptables_append(table_name, chain, rule_spec);
187 static int delete_managed_rule(const char *table_name,
188 const char *chain_name,
189 const char *rule_spec)
191 struct connman_managed_table *mtable = NULL;
196 id = chain_to_index(chain_name);
198 /* This chain is not managed */
199 return __connman_iptables_delete(table_name, chain_name,
203 managed_chain = g_strdup_printf("%s%s", CHAIN_PREFIX, chain_name);
205 err = __connman_iptables_delete(table_name, managed_chain,
208 for (list = managed_tables; list; list = list->next) {
211 if (g_strcmp0(mtable->name, table_name) == 0)
222 mtable->chains[id]--;
223 if (mtable->chains[id] > 0)
226 DBG("table %s remove managed chain for %s",
227 table_name, chain_name);
229 err = delete_managed_chain(table_name, id);
232 g_free(managed_chain);
237 static void cleanup_managed_table(gpointer user_data)
239 struct connman_managed_table *table = user_data;
245 static void cleanup_fw_rule(gpointer user_data)
247 struct fw_rule *rule = user_data;
249 g_free(rule->rule_spec);
255 struct firewall_context *__connman_firewall_create(void)
257 struct firewall_context *ctx;
259 ctx = g_new0(struct firewall_context, 1);
264 void __connman_firewall_destroy(struct firewall_context *ctx)
266 g_list_free_full(ctx->rules, cleanup_fw_rule);
270 int __connman_firewall_add_rule(struct firewall_context *ctx,
273 const char *rule_fmt, ...)
277 struct fw_rule *rule;
279 va_start(args, rule_fmt);
281 rule_spec = g_strdup_vprintf(rule_fmt, args);
285 rule = g_new0(struct fw_rule, 1);
287 rule->table = g_strdup(table);
288 rule->chain = g_strdup(chain);
289 rule->rule_spec = rule_spec;
291 ctx->rules = g_list_append(ctx->rules, rule);
296 static int firewall_disable(GList *rules)
298 struct fw_rule *rule;
302 for (list = rules; list; list = g_list_previous(list)) {
305 err = delete_managed_rule(rule->table,
306 rule->chain, rule->rule_spec);
308 connman_error("Cannot remove previously installed "
309 "iptables rules: %s", strerror(-err));
313 err = __connman_iptables_commit(rule->table);
315 connman_error("Cannot remove previously installed "
316 "iptables rules: %s", strerror(-err));
324 int __connman_firewall_enable(struct firewall_context *ctx)
326 struct fw_rule *rule;
330 for (list = g_list_first(ctx->rules); list;
331 list = g_list_next(list)) {
334 DBG("%s %s %s", rule->table, rule->chain, rule->rule_spec);
336 err = insert_managed_rule(rule->table,
337 rule->chain, rule->rule_spec);
341 err = __connman_iptables_commit(rule->table);
346 firewall_is_up = true;
351 connman_warn("Failed to install iptables rules: %s", strerror(-err));
353 firewall_disable(g_list_previous(list));
358 int __connman_firewall_disable(struct firewall_context *ctx)
360 return firewall_disable(g_list_last(ctx->rules));
363 bool __connman_firewall_is_up(void)
365 return firewall_is_up;
368 static void iterate_chains_cb(const char *chain_name, void *user_data)
370 GSList **chains = user_data;
373 id = managed_chain_to_index(chain_name);
377 *chains = g_slist_prepend(*chains, GINT_TO_POINTER(id));
380 static void flush_table(const char *table_name)
382 GSList *chains = NULL, *list;
383 char *rule, *managed_chain;
386 __connman_iptables_iterate_chains(table_name, iterate_chains_cb,
389 for (list = chains; list; list = list->next) {
390 id = GPOINTER_TO_INT(list->data);
392 managed_chain = g_strdup_printf("%s%s", CHAIN_PREFIX,
395 rule = g_strdup_printf("-j %s", managed_chain);
396 err = __connman_iptables_delete(table_name,
397 builtin_chains[id], rule);
399 connman_warn("Failed to delete jump rule '%s': %s",
400 rule, strerror(-err));
404 err = __connman_iptables_flush_chain(table_name, managed_chain);
406 connman_warn("Failed to flush chain '%s': %s",
407 managed_chain, strerror(-err));
409 err = __connman_iptables_delete_chain(table_name, managed_chain);
411 connman_warn("Failed to delete chain '%s': %s",
412 managed_chain, strerror(-err));
415 g_free(managed_chain);
418 err = __connman_iptables_commit(table_name);
420 connman_warn("Failed to flush table '%s': %s",
421 table_name, strerror(-err));
424 g_slist_free(chains);
427 static void flush_all_tables(void)
429 /* Flush the tables ConnMan might have modified
430 * But do so if only ConnMan has done something with
433 if (!g_file_test("/proc/net/ip_tables_names",
434 G_FILE_TEST_EXISTS | G_FILE_TEST_IS_REGULAR)) {
435 firewall_is_up = false;
439 firewall_is_up = true;
441 flush_table("filter");
442 flush_table("mangle");
446 int __connman_firewall_init(void)
455 void __connman_firewall_cleanup(void)
459 g_slist_free_full(managed_tables, cleanup_managed_table);
projects / platform / upstream / connman.git / blob