5 * Copyright (C) 2013 BMW Car IT GmbH.
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
27 #include <linux/netfilter_ipv4/ip_tables.h>
31 #define CHAIN_PREFIX "connman-"
33 static const char *builtin_chains[] = {
34 [NF_IP_PRE_ROUTING] = "PREROUTING",
35 [NF_IP_LOCAL_IN] = "INPUT",
36 [NF_IP_FORWARD] = "FORWARD",
37 [NF_IP_LOCAL_OUT] = "OUTPUT",
38 [NF_IP_POST_ROUTING] = "POSTROUTING",
47 struct firewall_context {
51 static int chain_to_index(const char *chain_name)
53 if (!g_strcmp0(builtin_chains[NF_IP_PRE_ROUTING], chain_name))
54 return NF_IP_PRE_ROUTING;
55 if (!g_strcmp0(builtin_chains[NF_IP_LOCAL_IN], chain_name))
56 return NF_IP_LOCAL_IN;
57 if (!g_strcmp0(builtin_chains[NF_IP_FORWARD], chain_name))
59 if (!g_strcmp0(builtin_chains[NF_IP_LOCAL_OUT], chain_name))
60 return NF_IP_LOCAL_OUT;
61 if (!g_strcmp0(builtin_chains[NF_IP_POST_ROUTING], chain_name))
62 return NF_IP_POST_ROUTING;
67 static int managed_chain_to_index(const char *chain_name)
69 if (g_str_has_prefix(chain_name, CHAIN_PREFIX) == FALSE)
72 return chain_to_index(chain_name + strlen(CHAIN_PREFIX));
75 static void cleanup_fw_rule(gpointer user_data)
77 struct fw_rule *rule = user_data;
79 g_free(rule->rule_spec);
85 struct firewall_context *__connman_firewall_create(void)
87 struct firewall_context *ctx;
89 ctx = g_new0(struct firewall_context, 1);
94 void __connman_firewall_destroy(struct firewall_context *ctx)
96 g_list_free_full(ctx->rules, cleanup_fw_rule);
100 int __connman_firewall_add_rule(struct firewall_context *ctx,
103 const char *rule_fmt, ...)
107 struct fw_rule *rule;
109 va_start(args, rule_fmt);
111 rule_spec = g_strdup_vprintf(rule_fmt, args);
115 rule = g_new0(struct fw_rule, 1);
117 rule->table = g_strdup(table);
118 rule->chain = g_strdup(chain);
119 rule->rule_spec = rule_spec;
121 ctx->rules = g_list_append(ctx->rules, rule);
126 static int firewall_disable(GList *rules)
128 struct fw_rule *rule;
132 for (list = rules; list != NULL; list = g_list_previous(list)) {
135 err = __connman_iptables_delete(rule->table,
139 connman_error("Cannot remove previously installed "
140 "iptables rules: %s", strerror(-err));
144 err = __connman_iptables_commit(rule->table);
146 connman_error("Cannot remove previously installed "
147 "iptables rules: %s", strerror(-err));
155 int __connman_firewall_enable(struct firewall_context *ctx)
157 struct fw_rule *rule;
161 for (list = g_list_first(ctx->rules); list != NULL;
162 list = g_list_next(list)) {
165 DBG("%s %s %s", rule->table, rule->chain, rule->rule_spec);
167 err = __connman_iptables_append(rule->table,
173 err = __connman_iptables_commit(rule->table);
181 connman_warn("Failed to install iptables rules: %s", strerror(-err));
183 firewall_disable(g_list_previous(list));
188 int __connman_firewall_disable(struct firewall_context *ctx)
190 return firewall_disable(g_list_last(ctx->rules));
193 static void iterate_chains_cb(const char *chain_name, void *user_data)
195 GSList **chains = user_data;
198 id = managed_chain_to_index(chain_name);
202 *chains = g_slist_prepend(*chains, GINT_TO_POINTER(id));
205 static void flush_table(const char *table_name)
207 GSList *chains = NULL, *list;
208 char *rule, *managed_chain;
211 __connman_iptables_iterate_chains(table_name, iterate_chains_cb,
214 for (list = chains; list != NULL; list = list->next) {
215 id = GPOINTER_TO_INT(list->data);
217 managed_chain = g_strdup_printf("%s%s", CHAIN_PREFIX,
220 rule = g_strdup_printf("-j %s", managed_chain);
221 err = __connman_iptables_delete(table_name,
222 builtin_chains[id], rule);
224 connman_warn("Failed to delete jump rule '%s': %s",
225 rule, strerror(-err));
229 err = __connman_iptables_flush_chain(table_name, managed_chain);
231 connman_warn("Failed to flush chain '%s': %s",
232 managed_chain, strerror(-err));
234 err = __connman_iptables_delete_chain(table_name, managed_chain);
236 connman_warn("Failed to delete chain '%s': %s",
237 managed_chain, strerror(-err));
240 g_free(managed_chain);
243 err = __connman_iptables_commit(table_name);
245 connman_warn("Failed to flush table '%s': %s",
246 table_name, strerror(-err));
249 g_slist_free(chains);
252 static void flush_all_tables(void)
254 /* Flush the tables ConnMan might have modified */
256 flush_table("filter");
257 flush_table("mangle");
261 int __connman_firewall_init(void)
270 void __connman_firewall_cleanup(void)