Let Nether manage UDPLite traffic and local DNS queries

A netfilter rule has been added to let Nether manage UDPLite traffic for
outgoing connections. There are some kernel configurations that don't have
NF_CT_PROTO_UDPLITE option turned on. For these kernel images, the rule that
uses the conntrack module do not catch packets of the UDPLite protocol.
Special rules have been introduced to inspect DNS queries sent by an app
to the Connman service (running on localhost). The Connman service, which
works as a DNS proxy, sends the queries out of the box on behalf
of the app.

Change-Id: Ib41e61d8367b8c78eb814b3e98396e6c1e5fa4b1

diff --git a/conf/nether.rules b/conf/nether.rules
index da7bd7e..4ef668f 100644 (file)
--- a/conf/nether.rules
+++ b/conf/nether.rules
@@ -1,5 +1,5 @@
 #
-#  Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+#  Copyright (c) 2015 - 2017 Samsung Electronics Co., Ltd All Rights Reserved
 #
 #  Contact: Roman Kubiak (r.kubiak@samsung.com)
 #
@@ -23,9 +23,14 @@
 :FORWARD ACCEPT
 :OUTPUT ACCEPT
 :POSTROUTING ACCEPT
+:CHECK-LOCALHOST -
 -A INPUT ! -i lo -j SECMARK --selctx System
--A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -o lo -j CHECK-LOCALHOST
 -A OUTPUT -m conntrack --ctstate NEW ! --ctstatus CONFIRMED -j NFQUEUE --queue-num 0 --queue-bypass
+-A OUTPUT -p udplite -j NFQUEUE --queue-num 0 --queue-bypass
+-A CHECK-LOCALHOST -p udp --dport 53 -j RETURN
+-A CHECK-LOCALHOST -p tcp --dport 53 -j RETURN
+-A CHECK-LOCALHOST -j ACCEPT
 COMMIT
 *filter
 :INPUT ACCEPT
@@ -33,7 +38,6 @@ COMMIT
 :OUTPUT ACCEPT
 :NETHER-ALLOWLOG -
 :NETHER-DENY -
--A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -m mark --mark 0x3 -j NETHER-DENY
 -A OUTPUT -m mark --mark 0x4 -j NETHER-ALLOWLOG
 -A NETHER-ALLOWLOG -j AUDIT --type accept