From: Patrik Flykt
Date: Mon, 18 Feb 2013 08:40:49 +0000 (+0200)
Subject: iptables: Cannot flush all rules without API to set them
X-Git-Tag: 1.12~96
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=d05bd25c5513887f462fcc2f0b18ead380f883da;p=platform%2Fupstream%2Fconnman.git

iptables: Cannot flush all rules without API to set them

Currently there exists no API where iptables rules can be set. The flush code does not touch the default chain policy at the moment. Any pre- existing iptables rules setting default policy to reject and relying on individual iptables rules allowing packets going through will prevent all IP communication. Removing all iptables rules on startup can expose the device to unwanted traffic as well. For the time being disable iptables flush on init. Please be careful with iptables rules and the masquerading ones ConnMan sets when tethering.
---
diff --git a/src/iptables.c b/src/iptables.c
index 83612b9..8fa3687 100644
--- a/src/iptables.c
+++ b/src/iptables.c
@@ -36,6 +36,7 @@
 #include "connman.h"
+void flush_table(const char *name);
 /*
 * Some comments on how the iptables API works (some of them from the
@@ -2243,7 +2244,7 @@ static int flush_table_cb(struct ipt_entry *entry, int builtin,
 return 0;
 }
-static void flush_table(const char *name)
+void flush_table(const char *name)
 {
 GSList *chains = NULL, *list;
 struct connman_iptables *table;
@@ -2269,13 +2270,6 @@ static void flush_table(const char *name)
 g_slist_free_full(chains, g_free);
 }
-static void flush_all_chains(void)
-{
- flush_table("filter");
- flush_table("mangle");
- flush_table("nat");
-}
-
 int __connman_iptables_init(void)
 {
 DBG("");
@@ -2288,8 +2282,6 @@ int __connman_iptables_init(void)
 xtables_init_all(&iptables_globals, NFPROTO_IPV4);
- flush_all_chains();
-
 return 0;
 }
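Review bot: The forward declaration `void flush_table(const char *name);` placed right after `#include "connman.h"` gives the function external linkage from inside its own translation unit, and the second hunk drops `static` from the definition to match, yet after this commit nothing in the file calls flush_table any more. If the only purpose is to avoid an unused-function warning now that flush_all_chains is removed, keeping the definition `static` and marking it `G_GNUC_UNUSED` achieves that without exporting a symbol that can wipe a table's rules; if it is meant to become a real entry point, the declaration belongs in the shared header alongside the other exported functions, which in this file carry the `__connman_` prefix (see `__connman_iptables_init` in the later hunks). A prototype sitting among the includes is also easy to let drift from the definition, since nothing ties the two together.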
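Review bot: Now that `flush_table` is a non-static function, its definition carries no comment describing what it does or the hazard the commit message spells out; the function body continues past the end of this hunk. According to the description the flush removes every rule in the table but leaves the chains' default policy alone, so a future caller invoking it on a table whose policy is reject loses all IP connectivity, and flushing the nat table also discards the masquerading rules ConnMan installs for tethering. Suggest a header comment above the definition: `/* Remove every rule from the table called @name. The chains' default policy is left unchanged, so flushing a table whose policy is reject cuts all traffic; the nat table also holds the tethering masquerade rules. */`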