iptables: Cannot flush all rules without API to set them

Currently there exists no API where iptables rules can be set. The flush
code does not touch the default chain policy at the moment. Any pre-
existing iptables rules setting default policy to reject and relying on
individual iptables rules allowing packets going through will prevent
all IP communication. Removing all iptables rules on startup can expose
the device to unwanted traffic as well.

For the time being disable iptables flush on init. Please be careful
with iptables rules and the masquerading ones ConnMan sets when
tethering.

diff --git a/src/iptables.c b/src/iptables.c
index 83612b9..8fa3687 100644 (file)
--- a/src/iptables.c
+++ b/src/iptables.c
@@ -36,6 +36,7 @@
 
 #include "connman.h"
 
+void flush_table(const char *name);
 
 /*
  * Some comments on how the iptables API works (some of them from the
@@ -2243,7 +2244,7 @@ static int flush_table_cb(struct ipt_entry *entry, int builtin,
        return 0;
 }
 
-static void flush_table(const char *name)
+void flush_table(const char *name)
 {
        GSList *chains = NULL, *list;
        struct connman_iptables *table;
@@ -2269,13 +2270,6 @@ static void flush_table(const char *name)
        g_slist_free_full(chains, g_free);
 }
 
-static void flush_all_chains(void)
-{
-       flush_table("filter");
-       flush_table("mangle");
-       flush_table("nat");
-}
-
 int __connman_iptables_init(void)
 {
        DBG("");
@@ -2288,8 +2282,6 @@ int __connman_iptables_init(void)
 
        xtables_init_all(&iptables_globals, NFPROTO_IPV4);
 
-       flush_all_chains();
-
        return 0;
 }