This patch moves the loading of iptables rules
to after all subsystems have been initialized. In
case any of the subsystems fails, nether will
not leave any rules behind.
Change-Id: I86b63848d7864a684f2ed5d3f10c9e4419712617
using namespace std;
void showHelp(char *arg);
+void cleanupAndExit();
int main(int argc, char *argv[])
{
if(!manager.initialize())
{
LOGE("NetherManager failed to initialize, exiting");
- return (1);
+
+ cleanupAndExit();
}
if(netherConfig.daemonMode)
cout<< " -i,--iptables-restore-path=<path>\tPath to iptables-restore command (default:" << NETHER_IPTABLES_RESTORE_PATH << ")\n";
cout<< " -h,--help\t\t\t\tshow help information\n";
}
+
+void cleanupAndExit()
+{
+ exit (1);
+}
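Review bot: `cleanupAndExit()` as defined here performs no cleanup — its whole body is `exit (1);` — so the name promises more than the code does, and the call that replaces `return (1);` in main changes what runs on the failure path: returning from main destroys main's automatic objects, whereas `exit()` runs only static-storage destructors and atexit handlers. If `manager` (the object whose `initialize()` fails) is a local of main, any teardown its destructor performs is now skipped on that path; this cannot be confirmed from the hunk. Either give the helper a body that does the intended teardown, or keep `return (1);` with a comment such as `// no iptables rules have been loaded yet, nothing to undo` so the reader knows why no cleanup is needed. The stray blank `+` line before the call looks unintended, and main's body continues outside the hunk.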
return (false);
}
- if(netherConfig.noRules == 0 && restoreRules() == false)
- {
- LOGE("Failed to setup iptables rules");
- return (false);
- }
-
#ifdef HAVE_AUDIT
if(netherConfig.enableAudit)
{
return (false);
}
+ /* Load the rules as last, in case we have a problem with any
+ above subsystems, we won't leave hanging useless rules */
+ if(netherConfig.noRules == 0 && restoreRules() == false)
+ {
+ LOGE("Failed to setup iptables rules");
+ return (false);
+ }
+
if((backendDescriptor = netherPrimaryPolicyBackend->getDescriptor()) == -1)
{
LOGI("Policy backend does not provide descriptor for select()");
}
+
return (true);
}
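Review bot: The comment on the moved block should state the invariant it depends on, and `Load the rules as last` should read `Load the rules last`. The ordering only guarantees no stranded rules if nothing after `restoreRules()` can fail; in this hunk the only later step is the `getDescriptor()` check, which logs at LOGI and continues rather than returning false, so the invariant currently holds but is not written down. Suggested wording: `/* Load the rules last: nothing after this point may fail, otherwise the rules would be left installed without a running daemon. */`. Any step added later to initialize() should therefore be placed before this block. initialize() begins outside the hunk.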