Creating seperate chains[STC_IN, STC_OUT, STC_FRWD] for STC Framework's rules.

Change-Id: I74b9ce4d13fb9122c4e0ea05226a22a925d1a585
Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>

diff --git a/packaging/stc-manager.spec b/packaging/stc-manager.spec
index b67e5ea..bd37172 100644 (file)
--- a/packaging/stc-manager.spec
+++ b/packaging/stc-manager.spec
@@ -1,6 +1,6 @@
 Name:       stc-manager
 Summary:    STC(Smart Traffic Control) manager
-Version:    0.0.41
+Version:    0.0.42
 Release:    0
 Group:      Network & Connectivity/Other
 License:    Apache-2.0

diff --git a/src/helper/helper-iptables.c b/src/helper/helper-iptables.c
index 42fa6f6..96eacb8 100755 (executable)
--- a/src/helper/helper-iptables.c
+++ b/src/helper/helper-iptables.c
@@ -17,17 +17,19 @@
 #include "stc-manager-gdbus.h"
 #include "helper-iptables.h"
 
-#define STC_IPTABLES_DBUS_SERVICE               "net.stc.iptables"
-#define STC_IPTABLES_DBUS_RULE_INTERFACE        STC_IPTABLES_DBUS_SERVICE ".rule"
-#define STC_IPTABLES_DBUS_CHAIN_INTERFACE       STC_IPTABLES_DBUS_SERVICE ".chain"
-#define STC_IPTABLES_DBUS_RULE_PATH             "/net/stc/iptables/rule"
-#define STC_IPTABLES_DBUS_CHAIN_PATH            "/net/stc/iptables/chain"
-#define STC_IPTABLES_DBUS_METHOD_IPT_ADD_CHAIN      "IptAddChain"
-#define STC_IPTABLES_DBUS_METHOD_IPT_REMOVE_CHAIN   "IptRemoveChain"
+#define STC_IPTABLES_DBUS_SERVICE                    "net.stc.iptables"
+#define STC_IPTABLES_DBUS_RULE_INTERFACE             STC_IPTABLES_DBUS_SERVICE ".rule"
+#define STC_IPTABLES_DBUS_CHAIN_INTERFACE            STC_IPTABLES_DBUS_SERVICE ".chain"
+#define STC_IPTABLES_DBUS_RULE_PATH                  "/net/stc/iptables/rule"
+#define STC_IPTABLES_DBUS_CHAIN_PATH                 "/net/stc/iptables/chain"
+#define STC_IPTABLES_DBUS_METHOD_IPT_ADD_CHAIN       "IptAddChain"
+#define STC_IPTABLES_DBUS_METHOD_IPT_REMOVE_CHAIN    "IptRemoveChain"
+#define STC_IPTABLES_DBUS_METHOD_IPT_FLUSH_CHAIN     "IptFlushChain"
 #define STC_IPTABLES_DBUS_METHOD_IP6T_ADD_CHAIN      "Ip6tAddChain"
 #define STC_IPTABLES_DBUS_METHOD_IP6T_REMOVE_CHAIN   "Ip6tRemoveChain"
-#define STC_IPTABLES_DBUS_METHOD_IPT_ADD_RULE       "IptAddRule"
-#define STC_IPTABLES_DBUS_METHOD_IPT_REMOVE_RULE    "IptRemoveRule"
+#define STC_IPTABLES_DBUS_METHOD_IP6T_FLUSH_CHAIN    "Ip6tFlushChain"
+#define STC_IPTABLES_DBUS_METHOD_IPT_ADD_RULE        "IptAddRule"
+#define STC_IPTABLES_DBUS_METHOD_IPT_REMOVE_RULE     "IptRemoveRule"
 #define STC_IPTABLES_DBUS_METHOD_IP6T_ADD_RULE       "Ip6tAddRule"
 #define STC_IPTABLES_DBUS_METHOD_IP6T_REMOVE_RULE    "Ip6tRemoveRule"
 
@@ -196,6 +198,174 @@ static int __ip6tables_rule_remove(GDBusConnection *connection,
        return STC_ERROR_NONE;
 }
 
+static int __iptables_add_chain(GDBusConnection *connection,
+                               const char *chain)
+{
+       int result = 0;
+       GVariant *message = NULL;
+
+       message = stc_manager_gdbus_call_sync(connection,
+                                             STC_IPTABLES_DBUS_SERVICE,
+                                             STC_IPTABLES_DBUS_CHAIN_PATH,
+                                             STC_IPTABLES_DBUS_CHAIN_INTERFACE,
+                                             STC_IPTABLES_DBUS_METHOD_IPT_ADD_CHAIN,
+                                             g_variant_new("(s)", chain));
+
+       if (message == NULL) {
+               STC_LOGE("Failed to invoke dbus method");
+               return STC_ERROR_FAIL;
+       }
+
+       g_variant_get(message, "(i)", &result);
+       STC_LOGD("Successfully added ipv4 chain [%d]", result);
+       g_variant_unref(message);
+
+       return STC_ERROR_NONE;
+}
+
+static int __ip6tables_add_chain(GDBusConnection *connection,
+                                const char *chain)
+{
+       int result = 0;
+       GVariant *message = NULL;
+
+       message = stc_manager_gdbus_call_sync(connection,
+                                             STC_IPTABLES_DBUS_SERVICE,
+                                             STC_IPTABLES_DBUS_CHAIN_PATH,
+                                             STC_IPTABLES_DBUS_CHAIN_INTERFACE,
+                                             STC_IPTABLES_DBUS_METHOD_IP6T_ADD_CHAIN,
+                                             g_variant_new("(s)", chain));
+
+       if (message == NULL) {
+               STC_LOGE("Failed to invoke dbus method");
+               return STC_ERROR_FAIL;
+       }
+
+       g_variant_get(message, "(i)", &result);
+       STC_LOGD("Successfully added ipv6 chain [%d]", result);
+       g_variant_unref(message);
+
+       return STC_ERROR_NONE;
+}
+
+static int __iptables_remove_chain(GDBusConnection *connection,
+                                  const char *chain)
+{
+       int result = 0;
+       GVariant *message = NULL;
+
+       message = stc_manager_gdbus_call_sync(connection,
+                                             STC_IPTABLES_DBUS_SERVICE,
+                                             STC_IPTABLES_DBUS_CHAIN_PATH,
+                                             STC_IPTABLES_DBUS_CHAIN_INTERFACE,
+                                             STC_IPTABLES_DBUS_METHOD_IPT_REMOVE_CHAIN,
+                                             g_variant_new("(s)", chain));
+
+       if (message == NULL) {
+               STC_LOGE("Failed to invoke dbus method");
+               return STC_ERROR_FAIL;
+       }
+
+       g_variant_get(message, "(i)", &result);
+       STC_LOGD("Successfully removed ipv4 chain [%d]", result);
+       g_variant_unref(message);
+
+       return STC_ERROR_NONE;
+}
+
+static int __ip6tables_remove_chain(GDBusConnection *connection,
+                                   const char *chain)
+{
+       int result = 0;
+       GVariant *message = NULL;
+
+       message = stc_manager_gdbus_call_sync(connection,
+                                             STC_IPTABLES_DBUS_SERVICE,
+                                             STC_IPTABLES_DBUS_CHAIN_PATH,
+                                             STC_IPTABLES_DBUS_CHAIN_INTERFACE,
+                                             STC_IPTABLES_DBUS_METHOD_IP6T_REMOVE_CHAIN,
+                                             g_variant_new("(s)", chain));
+
+       if (message == NULL) {
+               STC_LOGE("Failed to invoke dbus method");
+               return STC_ERROR_FAIL;
+       }
+
+       g_variant_get(message, "(i)", &result);
+       STC_LOGD("Successfully removed ipv6 chain [%d]", result);
+       g_variant_unref(message);
+
+       return STC_ERROR_NONE;
+}
+
+static int __iptables_flush_chain(GDBusConnection *connection,
+                                 const char *chain)
+{
+       int result = 0;
+       GVariant *message = NULL;
+
+       message = stc_manager_gdbus_call_sync(connection,
+                                             STC_IPTABLES_DBUS_SERVICE,
+                                             STC_IPTABLES_DBUS_CHAIN_PATH,
+                                             STC_IPTABLES_DBUS_CHAIN_INTERFACE,
+                                             STC_IPTABLES_DBUS_METHOD_IPT_FLUSH_CHAIN,
+                                             g_variant_new("(s)", chain));
+
+       if (message == NULL) {
+               STC_LOGE("Failed to invoke dbus method");
+               return STC_ERROR_FAIL;
+       }
+
+       g_variant_get(message, "(i)", &result);
+       STC_LOGD("Successfully flushed ipv4 chain [%d]", result);
+       g_variant_unref(message);
+
+       return STC_ERROR_NONE;
+}
+
+static int __ip6tables_flush_chain(GDBusConnection *connection,
+                                  const char *chain)
+{
+       int result = 0;
+       GVariant *message = NULL;
+
+       message = stc_manager_gdbus_call_sync(connection,
+                                             STC_IPTABLES_DBUS_SERVICE,
+                                             STC_IPTABLES_DBUS_CHAIN_PATH,
+                                             STC_IPTABLES_DBUS_CHAIN_INTERFACE,
+                                             STC_IPTABLES_DBUS_METHOD_IP6T_FLUSH_CHAIN,
+                                             g_variant_new("(s)", chain));
+
+       if (message == NULL) {
+               STC_LOGE("Failed to invoke dbus method");
+               return STC_ERROR_FAIL;
+       }
+
+       g_variant_get(message, "(i)", &result);
+       STC_LOGD("Successfully flushed ipv6 chain [%d]", result);
+       g_variant_unref(message);
+
+       return STC_ERROR_NONE;
+}
+
+static int __iptables_add_chain_jump_rule(const char *chain,
+                                         const char *target)
+{
+       stc_error_e ret = STC_ERROR_NONE;
+       iptables_rule_s iptables_rule;
+       memset(&iptables_rule, 0, sizeof(iptables_rule_s));
+
+       iptables_rule.target = g_strdup(target);
+       iptables_rule.chain = g_strdup(chain);
+
+       ret = iptables_add(&iptables_rule);
+
+       g_free(iptables_rule.target);
+       g_free(iptables_rule.chain);
+
+       return ret;
+}
+
 stc_error_e iptables_add(iptables_rule_s *rule)
 {
        stc_error_e ret = STC_ERROR_NONE;
@@ -229,3 +399,148 @@ stc_error_e iptables_remove(iptables_rule_s *rule)
 done:
        return ret;
 }
+
+stc_error_e iptables_flush_chains(void)
+{
+       stc_error_e ret = STC_ERROR_NONE;
+       stc_s *stc = stc_get_manager();
+
+       if (!stc || !stc->connection)
+               return STC_ERROR_INVALID_PARAMETER;
+
+       ret = __iptables_flush_chain(stc->connection, STC_IN_CHAIN);
+       if (ret != STC_ERROR_NONE)
+               goto done;
+
+       ret = __iptables_flush_chain(stc->connection, STC_OUT_CHAIN);
+       if (ret != STC_ERROR_NONE)
+               goto done;
+
+       ret = __iptables_flush_chain(stc->connection, STC_FRWD_CHAIN);
+       if (ret != STC_ERROR_NONE)
+               goto done;
+
+       ret = __ip6tables_flush_chain(stc->connection, STC_IN_CHAIN);
+       if (ret != STC_ERROR_NONE)
+               goto done;
+
+       ret = __ip6tables_flush_chain(stc->connection, STC_OUT_CHAIN);
+       if (ret != STC_ERROR_NONE)
+               goto done;
+
+       ret = __ip6tables_flush_chain(stc->connection, STC_FRWD_CHAIN);
+done:
+       return ret;
+}
+
+stc_error_e iptables_init(void)
+{
+       __STC_LOG_FUNC_ENTER__;
+
+       stc_error_e ret = STC_ERROR_NONE;
+       stc_s *stc = stc_get_manager();
+
+       if (!stc || !stc->connection) {
+               __STC_LOG_FUNC_EXIT__;
+               return STC_ERROR_INVALID_PARAMETER;
+       }
+
+       ret = __iptables_add_chain(stc->connection, STC_IN_CHAIN);
+       if (ret != STC_ERROR_NONE) {
+               __STC_LOG_FUNC_EXIT__;
+               goto done;
+       }
+
+       ret = __iptables_add_chain(stc->connection, STC_OUT_CHAIN);
+       if (ret != STC_ERROR_NONE) {
+               __STC_LOG_FUNC_EXIT__;
+               goto done;
+       }
+
+       ret = __iptables_add_chain(stc->connection, STC_FRWD_CHAIN);
+       if (ret != STC_ERROR_NONE) {
+               __STC_LOG_FUNC_EXIT__;
+               goto done;
+       }
+
+       ret = __ip6tables_add_chain(stc->connection, STC_IN_CHAIN);
+       if (ret != STC_ERROR_NONE) {
+               __STC_LOG_FUNC_EXIT__;
+               goto done;
+       }
+
+       ret = __ip6tables_add_chain(stc->connection, STC_OUT_CHAIN);
+       if (ret != STC_ERROR_NONE) {
+               __STC_LOG_FUNC_EXIT__;
+               goto done;
+       }
+
+       ret = __ip6tables_add_chain(stc->connection, STC_FRWD_CHAIN);
+       if (ret != STC_ERROR_NONE) {
+               __STC_LOG_FUNC_EXIT__;
+               goto done;
+       }
+
+       ret = __iptables_add_chain_jump_rule("INPUT", STC_IN_CHAIN);
+       if (ret != STC_ERROR_NONE) {
+               __STC_LOG_FUNC_EXIT__;
+               goto done;
+       }
+
+       ret = __iptables_add_chain_jump_rule("OUTPUT", STC_OUT_CHAIN);
+       if (ret != STC_ERROR_NONE) {
+               __STC_LOG_FUNC_EXIT__;
+               goto done;
+       }
+
+       ret = __iptables_add_chain_jump_rule("FORWARD", STC_FRWD_CHAIN);
+done:
+       return ret;
+}
+
+stc_error_e iptables_deinit(void)
+{
+       __STC_LOG_FUNC_ENTER__;
+
+       stc_error_e ret = STC_ERROR_NONE;
+       stc_s *stc = stc_get_manager();
+
+       if (!stc || !stc->connection) {
+               __STC_LOG_FUNC_EXIT__;
+               return STC_ERROR_INVALID_PARAMETER;
+       }
+
+       ret = __iptables_remove_chain(stc->connection, STC_IN_CHAIN);
+       if (ret != STC_ERROR_NONE) {
+               __STC_LOG_FUNC_EXIT__;
+               goto done;
+       }
+
+       ret = __iptables_remove_chain(stc->connection, STC_OUT_CHAIN);
+       if (ret != STC_ERROR_NONE) {
+               __STC_LOG_FUNC_EXIT__;
+               goto done;
+       }
+
+       ret = __iptables_remove_chain(stc->connection, STC_FRWD_CHAIN);
+       if (ret != STC_ERROR_NONE) {
+               __STC_LOG_FUNC_EXIT__;
+               goto done;
+       }
+
+       ret = __ip6tables_remove_chain(stc->connection, STC_IN_CHAIN);
+       if (ret != STC_ERROR_NONE) {
+               __STC_LOG_FUNC_EXIT__;
+               goto done;
+       }
+
+       ret = __ip6tables_remove_chain(stc->connection, STC_OUT_CHAIN);
+       if (ret != STC_ERROR_NONE) {
+               __STC_LOG_FUNC_EXIT__;
+               goto done;
+       }
+
+       ret = __ip6tables_remove_chain(stc->connection, STC_FRWD_CHAIN);
+done:
+       return ret;
+}

diff --git a/src/helper/helper-iptables.h b/src/helper/helper-iptables.h
index fed7650..bdfedb1 100755 (executable)
--- a/src/helper/helper-iptables.h
+++ b/src/helper/helper-iptables.h
@@ -20,6 +20,10 @@
 #include "stc-manager.h"
 #include "stc-error.h"
 
+#define STC_IN_CHAIN     "STC_IN"
+#define STC_OUT_CHAIN    "STC_OUT"
+#define STC_FRWD_CHAIN    "STC_FRWD"
+
 typedef enum {
        IPTABLES_DIRECTION_IN,
        IPTABLES_DIRECTION_OUT
@@ -36,5 +40,8 @@ typedef struct {
 
 stc_error_e iptables_add(iptables_rule_s *rule);
 stc_error_e iptables_remove(iptables_rule_s *rule);
+stc_error_e iptables_flush_chains(void);
+stc_error_e iptables_init(void);
+stc_error_e iptables_deinit(void);
 
 #endif /*__STC_HELPER_IPTABLES_H__*/

diff --git a/src/helper/helper-nfacct-rule.c b/src/helper/helper-nfacct-rule.c
index 5b2cde4..374090a 100755 (executable)
--- a/src/helper/helper-nfacct-rule.c
+++ b/src/helper/helper-nfacct-rule.c
@@ -410,11 +410,11 @@ static char *get_iptables_cmd(const nfacct_rule_action action)
 static char *get_iptables_chain(const nfacct_rule_direction iotype)
 {
        if (iotype == NFACCT_COUNTER_IN)
-               return IN_RULE;
+               return STC_IN_CHAIN;
        else if (iotype == NFACCT_COUNTER_OUT)
-               return OUT_RULE;
+               return STC_OUT_CHAIN;
        else if (iotype == NFACCT_COUNTER_FORWARD)
-               return FORWARD_RULE;
+               return STC_FRWD_CHAIN;
 
        return "";
 }

diff --git a/src/monitor/stc-monitor.c b/src/monitor/stc-monitor.c
index 8b18657..268c5cf 100755 (executable)
--- a/src/monitor/stc-monitor.c
+++ b/src/monitor/stc-monitor.c
@@ -23,6 +23,7 @@
 #include "helper-nfacct-rule.h"
 #include "helper-net-cls.h"
 #include "helper-cgroup.h"
+#include "helper-iptables.h"
 #include "counter.h"
 #include "table-statistics.h"
 #include "table-counters.h"
@@ -526,6 +527,10 @@ static void __process_restriction(enum traffic_restriction_type rst_type,
                        char *default_ifname = stc_default_connection_get_ifname();
                        struct nfacct_rule counter;
                        stc_s *stc = stc_get_manager();
+                       if (!stc) {
+                               g_free(default_ifname);
+                               return;
+                       }
 
                        if (!stc->carg) {
                                stc->carg = MALLOC0(counter_arg_s, 1);
@@ -568,6 +573,10 @@ static void __process_restriction(enum traffic_restriction_type rst_type,
                        char *default_ifname = stc_default_connection_get_ifname();
                        struct nfacct_rule counter;
                        stc_s *stc = stc_get_manager();
+                       if (!stc) {
+                               g_free(default_ifname);
+                               return;
+                       }
 
                        if (!stc->carg) {
                                stc->carg = MALLOC0(counter_arg_s, 1);
@@ -1870,6 +1879,8 @@ void stc_monitor_update_rstn_by_default_connection(void *data)
                        g_tree_foreach(g_system->rstns,
                                       __remove_restriction,
                                       (gpointer)&old_connection);
+
+               iptables_flush_chains();
        }
 
        FREE(old_connection.path);

diff --git a/src/stc-manager-gdbus.c b/src/stc-manager-gdbus.c
index aee4c9e..bf556e6 100755 (executable)
--- a/src/stc-manager-gdbus.c
+++ b/src/stc-manager-gdbus.c
@@ -20,6 +20,7 @@
 #include "stc-default-connection.h"
 #include "stc-manager-plugin.h"
 #include "stc-app-lifecycle.h"
+#include "helper-iptables.h"
 
 static gboolean __stc_manager_gdbus_statistics_init(stc_s *stc)
 {
@@ -154,6 +155,7 @@ static void __stc_manager_gdbus_on_bus_acquired(GDBusConnection *connection,
        g_dbus_object_manager_server_set_connection(stc->obj_mgr,
                                                    stc->connection);
 
+       iptables_init();
        stc_default_connection_monitor_init(stc);
        stc_register_state_changed_cb(stc, stc_manager_app_status_changed, NULL);
 

diff --git a/src/stc-manager.c b/src/stc-manager.c
index 0e6eb8c..5e7ddd6 100755 (executable)
--- a/src/stc-manager.c
+++ b/src/stc-manager.c
@@ -23,6 +23,7 @@
 #include "table-restrictions.h"
 #include "helper-cgroup.h"
 #include "helper-nfacct-rule.h"
+#include "helper-iptables.h"
 #include "stc-monitor.h"
 #include "stc-manager-plugin.h"
 #include "stc-app-lifecycle.h"
@@ -58,6 +59,7 @@ static void __stc_manager_deinit(void)
        stc_deinit_db_guard();
        stc_db_deinitialize();
 
+       iptables_deinit();
        stc_manager_gdbus_deinit((gpointer)g_stc);
        stc_app_lifecycle_monitor_deinit();
        stc_manager_plugin_deinit();