Imported Upstream connman version 1.38

[platform/upstream/connman.git] / src / firewall-nftables.c

diff --git a/src/firewall-nftables.c b/src/firewall-nftables.c
index 1febce4..d73d661 100644 (file)
--- a/src/firewall-nftables.c
+++ b/src/firewall-nftables.c
@@ -22,7 +22,7 @@
 /*
  * This file is based on the libnftnl examples:
  *   https://git.netfilter.org/libnftnl/tree/examples
- * by Pablo Neira Ayuso. and inspiration from systemd nft implemention
+ * by Pablo Neira Ayuso. and inspiration from systemd nft implementation
  *   https://github.com/zonque/systemd/blob/rfc-nftnl/src/shared/firewall-util.c
  * by Daniel Mack.
  */
@@ -67,7 +67,7 @@
 #define CONNMAN_CHAIN_NAT_POST "nat-postrouting"
 #define CONNMAN_CHAIN_ROUTE_OUTPUT "route-output"
 
-static bool debug_enabled = true;
+static bool debug_enabled = false;
 
 struct firewall_handle {
        uint64_t handle;
@@ -402,6 +402,8 @@ static int table_cmd(struct mnl_socket *nl, struct nftnl_table *t,
         uint32_t seq = 0;
         int err;
 
+       bzero(buf, sizeof(buf));
+
         batch = mnl_nlmsg_batch_start(buf, sizeof(buf));
         nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
         mnl_nlmsg_batch_next(batch);
@@ -433,6 +435,8 @@ static int chain_cmd(struct mnl_socket *nl, struct nftnl_chain *chain,
         uint32_t seq = 0;
         int err;
 
+       bzero(buf, sizeof(buf));
+
         batch = mnl_nlmsg_batch_start(buf, sizeof(buf));
         nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
         mnl_nlmsg_batch_next(batch);
@@ -465,6 +469,8 @@ static int rule_cmd(struct mnl_socket *nl, struct nftnl_rule *rule,
         uint32_t seq = 0;
         int err;
 
+       bzero(buf, sizeof(buf));
+
        debug_netlink_dump_rule(rule);
 
         batch = mnl_nlmsg_batch_start(buf, sizeof(buf));
@@ -501,8 +507,8 @@ static int rule_delete(struct firewall_handle *handle)
        if (!rule)
                return -ENOMEM;
 
-       nftnl_rule_set(rule, NFTNL_RULE_TABLE, CONNMAN_TABLE);
-       nftnl_rule_set(rule, NFTNL_RULE_CHAIN, handle->chain);
+       nftnl_rule_set_str(rule, NFTNL_RULE_TABLE, CONNMAN_TABLE);
+       nftnl_rule_set_str(rule, NFTNL_RULE_CHAIN, handle->chain);
        nftnl_rule_set_u64(rule, NFTNL_RULE_HANDLE, handle->handle);
 
        err = socket_open_and_bind(&nl);
@@ -562,8 +568,8 @@ static int build_rule_nat(const char *address, unsigned char prefixlen,
        if (!rule)
                return -ENOMEM;
 
-       nftnl_rule_set(rule, NFTNL_RULE_TABLE, CONNMAN_TABLE);
-       nftnl_rule_set(rule, NFTNL_RULE_CHAIN, CONNMAN_CHAIN_NAT_POST);
+       nftnl_rule_set_str(rule, NFTNL_RULE_TABLE, CONNMAN_TABLE);
+       nftnl_rule_set_str(rule, NFTNL_RULE_CHAIN, CONNMAN_CHAIN_NAT_POST);
 
        /* family ipv4 */
        nftnl_rule_set_u32(rule, NFTNL_RULE_FAMILY, NFPROTO_IPV4);
@@ -667,10 +673,10 @@ static int build_rule_snat(int index, const char *address,
        if (!rule)
                return -ENOMEM;
 
-       nftnl_rule_set(rule, NFTNL_RULE_TABLE, CONNMAN_TABLE);
-       nftnl_rule_set(rule, NFTNL_RULE_CHAIN, CONNMAN_CHAIN_NAT_POST);
+       nftnl_rule_set_str(rule, NFTNL_RULE_TABLE, CONNMAN_TABLE);
+       nftnl_rule_set_str(rule, NFTNL_RULE_CHAIN, CONNMAN_CHAIN_NAT_POST);
 
-       /* IOF */
+       /* OIF */
        expr = nftnl_expr_alloc("meta");
        if (!expr)
                goto err;
@@ -764,8 +770,8 @@ static int build_rule_marking(uid_t uid, uint32_t mark, struct nftnl_rule **res)
        if (!rule)
                return -ENOMEM;
 
-       nftnl_rule_set(rule, NFTNL_RULE_TABLE, CONNMAN_TABLE);
-       nftnl_rule_set(rule, NFTNL_RULE_CHAIN, CONNMAN_CHAIN_ROUTE_OUTPUT);
+       nftnl_rule_set_str(rule, NFTNL_RULE_TABLE, CONNMAN_TABLE);
+       nftnl_rule_set_str(rule, NFTNL_RULE_CHAIN, CONNMAN_CHAIN_ROUTE_OUTPUT);
 
        expr = nftnl_expr_alloc("meta");
        if (!expr)
@@ -820,8 +826,8 @@ static int build_rule_src_ip(const char *src_ip, uint32_t mark, struct nftnl_rul
        if (!rule)
                return -ENOMEM;
 
-       nftnl_rule_set(rule, NFTNL_RULE_TABLE, CONNMAN_TABLE);
-       nftnl_rule_set(rule, NFTNL_RULE_CHAIN, CONNMAN_CHAIN_ROUTE_OUTPUT);
+       nftnl_rule_set_str(rule, NFTNL_RULE_TABLE, CONNMAN_TABLE);
+       nftnl_rule_set_str(rule, NFTNL_RULE_CHAIN, CONNMAN_CHAIN_ROUTE_OUTPUT);
 
        /* family ipv4 */
        nftnl_rule_set_u32(rule, NFTNL_RULE_FAMILY, NFPROTO_IPV4);
@@ -948,8 +954,8 @@ static struct nftnl_chain *build_chain(const char *name, const char *table,
         if (!chain)
                 return NULL;
 
-        nftnl_chain_set(chain, NFTNL_CHAIN_TABLE, table);
-        nftnl_chain_set(chain, NFTNL_CHAIN_NAME, name);
+        nftnl_chain_set_str(chain, NFTNL_CHAIN_TABLE, table);
+        nftnl_chain_set_str(chain, NFTNL_CHAIN_NAME, name);
 
        if (type)
                nftnl_chain_set_str(chain, NFTNL_CHAIN_TYPE, type);
@@ -1003,7 +1009,7 @@ static int create_table_and_chains(struct nftables_info *nft_info)
 
        /*
         * # nft add chain connman nat-prerouting               \
-        *      { type nat hook prerouting priortiy 0 ; }
+        *      { type nat hook prerouting priority 0 ; }
         */
        chain = build_chain(CONNMAN_CHAIN_NAT_PRE, CONNMAN_TABLE,
                                "nat", NF_INET_PRE_ROUTING, 0);
@@ -1020,7 +1026,7 @@ static int create_table_and_chains(struct nftables_info *nft_info)
 
        /*
         * # nft add chain connman nat-postrouting              \
-        *      { type nat hook postrouting priortiy 0 ; }
+        *      { type nat hook postrouting priority 0 ; }
         */
        chain = build_chain(CONNMAN_CHAIN_NAT_POST, CONNMAN_TABLE,
                                "nat", NF_INET_POST_ROUTING, 0);