From e95e1237650aa3e0e3a9a8f1cad968872ef49d52 Mon Sep 17 00:00:00 2001 From: taesub kim Date: Mon, 2 Apr 2018 18:02:59 +0900 Subject: [PATCH 01/16] Added dbus/cynara policy Change-Id: Ic6107087ddf2a21fcd874fd125e402a36988c0df Signed-off-by: Taesub Kim --- resources/dbus/stc-manager.conf | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/resources/dbus/stc-manager.conf b/resources/dbus/stc-manager.conf index 6732e96..385ce13 100755 --- a/resources/dbus/stc-manager.conf +++ b/resources/dbus/stc-manager.conf @@ -1,15 +1,17 @@ - - - - - - - - - - - + + + + + + + + + + + + + -- 2.7.4 From 425d447730625bc8d2ad31d4d6fc0b4fed57f11c Mon Sep 17 00:00:00 2001 From: hyunuktak Date: Thu, 5 Apr 2018 15:25:28 +0900 Subject: [PATCH 02/16] Added firewall feature Change-Id: I9c71bc7af199d145509cbe0c7e935d16e85dfd8d Signed-off-by: hyunuktak --- data/firewall_db.sql | 35 + include/stc-error.h | 6 +- include/stc-firewall.h | 104 ++ include/stc-manager-gdbus.h | 1 + include/stc-manager.h | 53 +- interfaces/CMakeLists.txt | 1 + interfaces/stcmanager-iface-firewall.xml | 53 + packaging/stc-manager.spec | 4 +- src/CMakeLists.txt | 1 + src/database/db-common.c | 3 + src/database/include/table-firewall.h | 49 + src/database/tables/table-firewall.c | 843 ++++++++++++++++ src/database/tables/table-statistics.c | 2 +- src/helper/helper-firewall.c | 716 ++++++++++++++ src/helper/helper-firewall.h | 82 ++ src/helper/helper-iptables.c | 2 +- src/helper/helper-iptables.h | 1 + src/helper/helper-nfacct-rule.c | 3 +- src/monitor/stc-default-connection.c | 2 + src/stc-firewall.c | 1551 ++++++++++++++++++++++++++++++ src/stc-manager-gdbus.c | 90 ++ src/stc-manager.c | 5 + src/stc-restriction.c | 2 + src/stc-statistics.c | 5 +- 24 files changed, 3604 insertions(+), 10 deletions(-) create mode 100644 data/firewall_db.sql create mode 100755 include/stc-firewall.h create mode 100644 interfaces/stcmanager-iface-firewall.xml create mode 100755 src/database/include/table-firewall.h create mode 100755 src/database/tables/table-firewall.c create mode 100755 src/helper/helper-firewall.c create mode 100755 src/helper/helper-firewall.h create mode 100755 src/stc-firewall.c diff --git a/data/firewall_db.sql b/data/firewall_db.sql new file mode 100644 index 0000000..9a0bfdb --- /dev/null +++ b/data/firewall_db.sql @@ -0,0 +1,35 @@ +CREATE TABLE IF NOT EXISTS fw_lock ( + name TEXT PRIMARY KEY, + state INT +); + +CREATE TABLE IF NOT EXISTS fw_chains ( + chain TEXT PRIMARY KEY, + target INT, + priority INT +); + +CREATE TABLE IF NOT EXISTS fw_rules ( + key BIGINT PRIMARY KEY, + chain TEXT NOT NULL, + direction INT, + s_ip_type INT, + d_ip_type INT, + s_port_type INT, + d_port_type INT, + protocol INT, + family INT, + s_ip1 TEXT NOT NULL, + s_ip2 TEXT NOT NULL, + d_ip1 TEXT NOT NULL, + d_ip2 TEXT NOT NULL, + s_port1 INT, + s_port2 INT, + d_port1 INT, + d_port2 INT, + ifname TEXT NOT NULL, + target INT, + identifier TEXT NOT NULL +); + +CREATE INDEX IF NOT EXISTS rules_index ON fw_rules (chain, target); diff --git a/include/stc-error.h b/include/stc-error.h index ecb4e68..6bf1c40 100755 --- a/include/stc-error.h +++ b/include/stc-error.h @@ -18,8 +18,10 @@ #define __STC_ERROR_H__ typedef enum { - STC_ERROR_NOTIMPL = -7, /**< Not implemented yet error */ - STC_ERROR_UNINITIALIZED = -6, /**< Cgroup doen't mounted or daemon not started */ + STC_ERROR_NOTIMPL = -9, /**< Not implemented yet error */ + STC_ERROR_PERMISSION_DENIED = -8, /**< Permission denied */ + STC_ERROR_UNINITIALIZED = -7, /**< Not initialized */ + STC_ERROR_ALREADY_DATA = -6, /**< Success, but already data */ STC_ERROR_NO_DATA = -5, /**< Success, but no data */ STC_ERROR_INVALID_PARAMETER = -4, /**< Invalid parameter */ STC_ERROR_OUT_OF_MEMORY = -3, /**< Out of memory */ diff --git a/include/stc-firewall.h b/include/stc-firewall.h new file mode 100755 index 0000000..c857f9b --- /dev/null +++ b/include/stc-firewall.h @@ -0,0 +1,104 @@ +/* + * Copyright (c) 2016 Samsung Electronics Co., Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef __STC_FIREWALL_H__ +#define __STC_FIREWALL_H__ + +#include +#include "stc-manager.h" +#include "stc-manager-gdbus.h" +#include "table-firewall.h" + +/***************************************************************************** + * Macros and Typedefs + *****************************************************************************/ + +typedef struct { + stc_fw_chain_target_e target; + uint64_t priority; + GSList *rules; +} stc_fw_data_s; + +/***************************************************************************** + * Functions Declaration + *****************************************************************************/ + +void stc_firewall_init(void); +void stc_firewall_update(void); +void stc_firewall_deinit(void); + +gboolean handle_firewall_lock(StcFirewall *object, + GDBusMethodInvocation *invocation, + void *user_data); + +gboolean handle_firewall_unlock(StcFirewall *object, + GDBusMethodInvocation *invocation, + void *user_data); + +gboolean handle_firewall_get_lock(StcFirewall *object, + GDBusMethodInvocation *invocation, + void *user_data); + +gboolean handle_firewall_add_chain(StcFirewall *object, + GDBusMethodInvocation *invocation, + gchar *chain, + void *user_data); + +gboolean handle_firewall_remove_chain(StcFirewall *object, + GDBusMethodInvocation *invocation, + gchar *chain, + void *user_data); + +gboolean handle_firewall_flush_chain(StcFirewall *object, + GDBusMethodInvocation *invocation, + gchar *chain, + void *user_data); + +gboolean handle_firewall_get_all_chain(StcFirewall *object, + GDBusMethodInvocation *invocation, + void *user_data); + +gboolean handle_firewall_set_chain(StcFirewall *object, + GDBusMethodInvocation *invocation, + gchar *chain, + unsigned int target, + void *user_data); + +gboolean handle_firewall_unset_chain(StcFirewall *object, + GDBusMethodInvocation *invocation, + gchar *chain, + void *user_data); + +gboolean handle_firewall_add_rule(StcFirewall *object, + GDBusMethodInvocation *invocation, + GVariant *parameters, + void *user_data); + +gboolean handle_firewall_remove_rule(StcFirewall *object, + GDBusMethodInvocation *invocation, + GVariant *parameters, + void *user_data); + +gboolean handle_firewall_update_rule(StcFirewall *object, + GDBusMethodInvocation *invocation, + GVariant *parameters, + void *user_data); + +gboolean handle_firewall_get_all_rule(StcFirewall *object, + GDBusMethodInvocation *invocation, + void *user_data); + +#endif /* __STC_FIREWALL_H__ */ diff --git a/include/stc-manager-gdbus.h b/include/stc-manager-gdbus.h index 7803c6b..4b6a50f 100755 --- a/include/stc-manager-gdbus.h +++ b/include/stc-manager-gdbus.h @@ -25,6 +25,7 @@ #define STC_DBUS_SERVICE_PATH "/net/stc" #define STC_DBUS_SERVICE_STATISTICS_PATH "/net/stc/statistics" #define STC_DBUS_SERVICE_RESTRICTION_PATH "/net/stc/restriction" +#define STC_DBUS_SERVICE_FIREWALL_PATH "/net/stc/firewall" #define STC_DBUS_SERVICE_MANAGER_PATH "/net/stc/manager" #define STC_DBUS_REPLY_ERROR_NONE(invocation) \ diff --git a/include/stc-manager.h b/include/stc-manager.h index 1a84f69..c6a8f8e 100755 --- a/include/stc-manager.h +++ b/include/stc-manager.h @@ -48,6 +48,56 @@ typedef enum { STC_CMD_MAX_ELEM } stc_cmd_type_e; +typedef enum { + STC_FW_DIRECTION_NONE, + STC_FW_DIRECTION_IN, + STC_FW_DIRECTION_OUT +} stc_fw_direction_e; + +typedef enum { + STC_FW_FAMILY_NONE, + STC_FW_FAMILY_V4, + STC_FW_FAMILY_V6 +} stc_fw_family_type_e; + +typedef enum { + STC_FW_IP_NONE, + STC_FW_IP_SINGLE, + STC_FW_IP_MASK, + STC_FW_IP_RANGE +} stc_fw_ip_type_e; + +typedef enum { + STC_FW_PORT_NONE, + STC_FW_PORT_SINGLE, + STC_FW_PORT_RANGE +} stc_fw_port_type_e; + +typedef enum { + STC_FW_PROTOCOL_NONE, + STC_FW_PROTOCOL_TCP, + STC_FW_PROTOCOL_UDP, + STC_FW_PROTOCOL_ICMP, + STC_FW_PROTOCOL_ESP, + STC_FW_PROTOCOL_AH, + STC_FW_PROTOCOL_SCTP, + STC_FW_PROTOCOL_MH, + STC_FW_PROTOCOL_ALL, +} stc_fw_protocol_type_e; + +typedef enum { + STC_FW_CHAIN_TARGET_NONE, + STC_FW_CHAIN_TARGET_INPUT, + STC_FW_CHAIN_TARGET_OUTPUT +} stc_fw_chain_target_e; + +typedef enum { + STC_FW_RULE_TARGET_NONE, + STC_FW_RULE_TARGET_ACCEPT, + STC_FW_RULE_TARGET_DROP, + STC_FW_RULE_TARGET_LOG, +} stc_fw_rule_target_e; + /** * @brief Monitored application types */ @@ -121,7 +171,7 @@ typedef enum { * @brief Hardware network protocol types */ typedef enum { - STC_PROTOCOL_NONE, /**< Network unknown */ + STC_PROTOCOL_UNKNOWN, /**< Network unknown */ STC_PROTOCOL_DATACALL_NOSVC, /**< Network no service */ STC_PROTOCOL_DATACALL_EMERGENCY, /**< Network emergency */ STC_PROTOCOL_DATACALL_SEARCH, /**< Network search 1900 */ @@ -173,6 +223,7 @@ typedef struct { gpointer statistics_obj; gpointer restriction_obj; + gpointer firewall_obj; gpointer manager_obj; GDBusObjectManagerServer *obj_mgr; diff --git a/interfaces/CMakeLists.txt b/interfaces/CMakeLists.txt index 2e61a9e..8f03ebf 100644 --- a/interfaces/CMakeLists.txt +++ b/interfaces/CMakeLists.txt @@ -9,6 +9,7 @@ ADD_CUSTOM_COMMAND( ${INTERFACES}/stcmanager-iface-manager.xml ${INTERFACES}/stcmanager-iface-restriction.xml ${INTERFACES}/stcmanager-iface-statistics.xml + ${INTERFACES}/stcmanager-iface-firewall.xml COMMENT "Generating GDBus .c/.h") ADD_CUSTOM_TARGET(GENERATED_DBUS_CODE DEPENDS dbus) diff --git a/interfaces/stcmanager-iface-firewall.xml b/interfaces/stcmanager-iface-firewall.xml new file mode 100644 index 0000000..d5817cf --- /dev/null +++ b/interfaces/stcmanager-iface-firewall.xml @@ -0,0 +1,53 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packaging/stc-manager.spec b/packaging/stc-manager.spec index 7b9b87e..6dca357 100644 --- a/packaging/stc-manager.spec +++ b/packaging/stc-manager.spec @@ -1,6 +1,6 @@ Name: stc-manager Summary: STC(Smart Traffic Control) manager -Version: 0.0.54 +Version: 0.0.55 Release: 0 Group: Network & Connectivity/Other License: Apache-2.0 @@ -88,7 +88,9 @@ rm -rf %{buildroot} %if %{?enable_database} == YES mkdir -p %{buildroot}/opt/usr/dbspace sqlite3 %{buildroot}%{database_full_path} < %{buildroot}/usr/share/traffic_db.sql + sqlite3 %{buildroot}%{database_full_path} < %{buildroot}/usr/share/firewall_db.sql rm %{buildroot}/usr/share/traffic_db.sql + rm %{buildroot}/usr/share/firewall_db.sql %endif #Exceptions file diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index f01f292..809897a 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -69,6 +69,7 @@ IF("${ENABLE_DATABASE}" STREQUAL "YES") SET(SRCS ${SRCS} ${DATABASE_SRCS} ${DATABASE_TABLES_SRCS}) INSTALL(FILES ${DATA_DIR}/traffic_db.sql DESTINATION /usr/share) + INSTALL(FILES ${DATA_DIR}/firewall_db.sql DESTINATION /usr/share) ENDIF() IF(BUILD_GTESTS) diff --git a/src/database/db-common.c b/src/database/db-common.c index f5f1770..a4c2a3d 100755 --- a/src/database/db-common.c +++ b/src/database/db-common.c @@ -19,6 +19,7 @@ #include "table-statistics.h" #include "table-restrictions.h" #include "table-counters.h" +#include "table-firewall.h" #ifndef DATABASE_FULL_PATH #define DATABASE_FULL_PATH "/opt/usr/dbspace/.stc-manager-datausage.db" @@ -111,6 +112,7 @@ stc_error_e stc_db_initialize(void) EXEC(STC_ERROR_NONE, table_statistics_prepare(database)); EXEC(STC_ERROR_NONE, table_restrictions_prepare(database)); EXEC(STC_ERROR_NONE, table_counters_prepare(database)); + EXEC(STC_ERROR_NONE, table_firewall_prepare(database)); EXEC(STC_ERROR_NONE, stc_init_db_guard()); __STC_LOG_FUNC_EXIT__; @@ -133,6 +135,7 @@ gboolean stc_db_deinitialize(void) table_statistics_finalize(); table_restrictions_finalize(); table_counters_finalize(); + table_firewall_finalize(); sqlite3_close(database); __STC_LOG_FUNC_EXIT__; diff --git a/src/database/include/table-firewall.h b/src/database/include/table-firewall.h new file mode 100755 index 0000000..e15668f --- /dev/null +++ b/src/database/include/table-firewall.h @@ -0,0 +1,49 @@ +/* + * Copyright (c) 2016 Samsung Electronics Co., Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef __TABLE_FIREWALL_H__ +#define __TABLE_FIREWALL_H__ + +#include +#include "helper-firewall.h" + +typedef stc_cb_ret_e +(*firewall_chain_cb)(const firewall_chain_s *info, void *user_data); + +typedef stc_cb_ret_e +(*firewall_rule_cb)(const firewall_rule_s *info, void *user_data); + +stc_error_e table_firewall_insert_lock(char *name, int state); +stc_error_e table_firewall_update_lock(char *name, int state); +stc_error_e table_firewall_get_lock(char *name, int *state); + +stc_error_e table_firewall_insert_chain(firewall_chain_s *info); +stc_error_e table_firewall_delete_chain(firewall_chain_s *info); +stc_error_e table_firewall_flush_chain(firewall_chain_s *info); +stc_error_e table_firewall_update_chain(firewall_chain_s *info); +stc_error_e table_firewall_foreach_chain(firewall_chain_cb info_cb, + void *user_data); + +stc_error_e table_firewall_insert_rule(firewall_rule_s *info); +stc_error_e table_firewall_delete_rule(firewall_rule_s *info); +stc_error_e table_firewall_update_rule(firewall_rule_s *info); +stc_error_e table_firewall_foreach_rule(firewall_rule_cb info_cb, + void *user_data); + +stc_error_e table_firewall_prepare(sqlite3 *db); +void table_firewall_finalize(void); + +#endif /*__TABLE_FIREWALL_H__ */ diff --git a/src/database/tables/table-firewall.c b/src/database/tables/table-firewall.c new file mode 100755 index 0000000..3c811c7 --- /dev/null +++ b/src/database/tables/table-firewall.c @@ -0,0 +1,843 @@ +/* + * Copyright (c) 2016 Samsung Electronics Co., Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * This file implements restrictions entity handler methods. + * + * @file table-restrictions.c + */ + +#include "stc-db.h" +#include "db-internal.h" +#include "table-firewall.h" + +#define BUF_SIZE_FOR_IP 64 + +/* DELETE statements */ +#define DELETE_FIREWALL_CHAIN "DELETE FROM fw_chains " \ + "WHERE chain = ?" + +#define DELETE_FIREWALL_RULE "DELETE FROM fw_rules " \ + "WHERE key = ?" + +#define DELETE_FIREWALL_RULE_PER_CHAIN "DELETE FROM fw_rules " \ + "WHERE chain = ?" + +/* SELECT statements */ +#define SELECT_FIREWALL_LOCK "SELECT state FROM fw_lock " \ + "WHERE name = ?" + +#define SELECT_FIREWALL_CHAIN "SELECT chain, " \ + "target, priority FROM fw_chains" + +#define SELECT_FIREWALL_RULE "SELECT key, " \ + "chain, direction, s_ip_type, d_ip_type, s_port_type, " \ + "d_port_type, protocol, family, s_ip1, s_ip2, d_ip1, d_ip2, " \ + "s_port1, s_port2, d_port1, d_port2, ifname, target, identifier " \ + "FROM fw_rules" + +#define SELECT_FIREWALL_RULE_PER_CHAIN "SELECT key, " \ + "chain, direction, s_ip_type, d_ip_type, s_port_type, " \ + "d_port_type, protocol, family, s_ip1, s_ip2, d_ip1, d_ip2, " \ + "s_port1, s_port2, d_port1, d_port2, ifname, target, identifier " \ + "FROM fw_rules INDEXED BY rules_index " \ + "WHERE chain = ?" + +/* UPDATE statement */ +#define UPDATE_FIREWALL_LOCK "UPDATE fw_lock " \ + "SET state = ? WHERE name = ?" + +#define UPDATE_FIREWALL_CHAIN "UPDATE fw_chains " \ + "SET target = ?, priority = ? " \ + "WHERE chain = ?" + +#define UPDATE_FIREWALL_RULE "UPDATE fw_rules " \ + "SET chain = ?, direction = ?, s_ip_type = ?, d_ip_type = ?, " \ + "s_port_type = ?, d_port_type = ?, protocol = ?, family = ?, " \ + "s_ip1 = ?, s_ip2 = ?, d_ip1 = ?, d_ip2 = ?, s_port1 = ?, " \ + "s_port2 = ?, d_port1 = ?, d_port2 = ?, ifname = ?, " \ + "target = ?, identifier = ? " \ + "WHERE key = ?" + +/* INSERT statement */ +#define INSERT_FIREWALL_LOCK "INSERT INTO fw_lock " \ + "(name, state) VALUES (?, ?)" + +#define INSERT_FIREWALL_CHAIN "INSERT INTO fw_chains " \ + "(chain, target, priority) " \ + "VALUES (?, ?, ?)" + +#define INSERT_FIREWALL_RULE "INSERT INTO fw_rules " \ + "(key, chain, direction, s_ip_type, d_ip_type, s_port_type, " \ + "d_port_type, protocol, family, s_ip1, s_ip2, d_ip1, d_ip2, " \ + "s_port1, s_port2, d_port1, d_port2, ifname, target, identifier) " \ + "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)" + +static void __finalize_delete(void); + +#define PREPARE_DELETE(stm, query) do { \ + rc = sqlite3_prepare_v2(db, query, -1, &stm, NULL); \ + if (rc != SQLITE_OK) { \ + stm = NULL; \ + __finalize_delete(); \ + STC_LOGE("Failed to prepare \"%s\" query" \ + , query); \ + return rc; \ + } \ +} while (0) + +static void __finalize_select(void); + +#define PREPARE_SELECT(stm, query) do { \ + rc = sqlite3_prepare_v2(db, query, -1, &stm, NULL); \ + if (rc != SQLITE_OK) { \ + stm = NULL; \ + __finalize_select(); \ + STC_LOGE("Failed to prepare \"%s\" query" \ + , query); \ + return rc; \ + } \ +} while (0) + +static void __finalize_update(void); + +#define PREPARE_UPDATE(stm, query) do { \ + rc = sqlite3_prepare_v2(db, query, -1, &stm, NULL); \ + if (rc != SQLITE_OK) { \ + stm = NULL; \ + __finalize_update(); \ + STC_LOGE("Failed to prepare \"%s\" query" \ + , query); \ + return rc; \ + } \ +} while (0) + +static void __finalize_insert(void); + +#define PREPARE_INSERT(stm, query) do { \ + rc = sqlite3_prepare_v2(db, query, -1, &stm, NULL); \ + if (rc != SQLITE_OK) { \ + stm = NULL; \ + __finalize_insert(); \ + STC_LOGE("Failed to prepare \"%s\" query" \ + , query); \ + return rc; \ + } \ +} while (0) + +#define FINALIZE(stm) do { \ + if (stm) { \ + sqlite3_finalize(stm); \ + stm = NULL; \ + } \ +} while (0) + +/* DELETE statements */ +static sqlite3_stmt *delete_fw_chain; +static sqlite3_stmt *delete_fw_rule; +static sqlite3_stmt *delete_fw_rule_per_chain; + +/* SELECT statements */ +static sqlite3_stmt *select_fw_lock; +static sqlite3_stmt *select_fw_chain; +static sqlite3_stmt *select_fw_rule; +static sqlite3_stmt *select_fw_rule_per_chain; + +/* UPDATE statements */ +static sqlite3_stmt *update_fw_lock; +static sqlite3_stmt *update_fw_chain; +static sqlite3_stmt *update_fw_rule; + +/* INSERT statements */ +static sqlite3_stmt *insert_fw_lock; +static sqlite3_stmt *insert_fw_chain; +static sqlite3_stmt *insert_fw_rule; + +static int __prepare_delete(sqlite3 *db) +{ + __STC_LOG_FUNC_ENTER__; + int rc; + static int initialized; + + if (initialized) { + __STC_LOG_FUNC_EXIT__; + return SQLITE_OK; + } + + PREPARE_DELETE(delete_fw_chain, DELETE_FIREWALL_CHAIN); + PREPARE_DELETE(delete_fw_rule, DELETE_FIREWALL_RULE); + PREPARE_DELETE(delete_fw_rule_per_chain, DELETE_FIREWALL_RULE_PER_CHAIN); + + initialized = 1; + __STC_LOG_FUNC_EXIT__; + return rc; +} + +static void __finalize_delete(void) +{ + __STC_LOG_FUNC_ENTER__; + + FINALIZE(delete_fw_chain); + FINALIZE(delete_fw_rule); + FINALIZE(delete_fw_rule_per_chain); + + __STC_LOG_FUNC_EXIT__; +} + +static int __prepare_select(sqlite3 *db) +{ + __STC_LOG_FUNC_ENTER__; + int rc; + static int initialized; + + if (initialized) { + __STC_LOG_FUNC_EXIT__; + return SQLITE_OK; + } + + PREPARE_SELECT(select_fw_lock, SELECT_FIREWALL_LOCK); + PREPARE_SELECT(select_fw_chain, SELECT_FIREWALL_CHAIN); + PREPARE_SELECT(select_fw_rule, SELECT_FIREWALL_RULE); + PREPARE_SELECT(select_fw_rule_per_chain, SELECT_FIREWALL_RULE_PER_CHAIN); + + initialized = 1; + __STC_LOG_FUNC_EXIT__; + return rc; +} + +static void __finalize_select(void) +{ + __STC_LOG_FUNC_ENTER__; + + FINALIZE(select_fw_lock); + FINALIZE(select_fw_chain); + FINALIZE(select_fw_rule); + FINALIZE(select_fw_rule_per_chain); + + __STC_LOG_FUNC_EXIT__; +} + +static int __prepare_update(sqlite3 *db) +{ + __STC_LOG_FUNC_ENTER__; + int rc; + static int initialized; + + if (initialized) { + __STC_LOG_FUNC_EXIT__; + return SQLITE_OK; + } + + PREPARE_UPDATE(update_fw_lock, UPDATE_FIREWALL_LOCK); + PREPARE_UPDATE(update_fw_chain, UPDATE_FIREWALL_CHAIN); + PREPARE_UPDATE(update_fw_rule, UPDATE_FIREWALL_RULE); + + initialized = 1; + __STC_LOG_FUNC_EXIT__; + return rc; +} + +static void __finalize_update(void) +{ + __STC_LOG_FUNC_ENTER__; + + FINALIZE(update_fw_lock); + FINALIZE(update_fw_chain); + FINALIZE(update_fw_rule); + + __STC_LOG_FUNC_EXIT__; +} + +static int __prepare_insert(sqlite3 *db) +{ + __STC_LOG_FUNC_ENTER__; + int rc; + static int initialized; + + if (initialized) { + __STC_LOG_FUNC_EXIT__; + return SQLITE_OK; + } + + PREPARE_INSERT(insert_fw_lock, INSERT_FIREWALL_LOCK); + PREPARE_INSERT(insert_fw_chain, INSERT_FIREWALL_CHAIN); + PREPARE_INSERT(insert_fw_rule, INSERT_FIREWALL_RULE); + + initialized = 1; + __STC_LOG_FUNC_EXIT__; + return rc; +} + +static void __finalize_insert(void) +{ + __STC_LOG_FUNC_ENTER__; + + FINALIZE(insert_fw_lock); + FINALIZE(insert_fw_chain); + FINALIZE(insert_fw_rule); + + __STC_LOG_FUNC_EXIT__; +} + +stc_error_e table_firewall_insert_lock(char *name, int state) +{ + stc_error_e error_code = STC_ERROR_NONE; + sqlite3_stmt *stmt = insert_fw_lock; + + DB_ACTION(sqlite3_bind_text(stmt, 1, name ? name : "", + -1, SQLITE_TRANSIENT)); + DB_ACTION(sqlite3_bind_int(stmt, 2, state)); + + if (sqlite3_step(stmt) != SQLITE_DONE) { + STC_LOGE("Failed to insert firewall lock state: %s\n", + sqlite3_errmsg(stc_db_get_database())); + + error_code = STC_ERROR_DB_FAILED; + goto handle_error; + } + + STC_LOGD("Firewall lock state inserted [%d]", state); + +handle_error: + sqlite3_reset(stmt); + return error_code; +} + +stc_error_e table_firewall_update_lock(char *name, int state) +{ + stc_error_e error_code = STC_ERROR_NONE; + sqlite3_stmt *stmt = update_fw_lock; + + DB_ACTION(sqlite3_bind_int(stmt, 1, state)); + DB_ACTION(sqlite3_bind_text(stmt, 2, name ? name : "", + -1, SQLITE_TRANSIENT)); + + if (sqlite3_step(stmt) != SQLITE_DONE) { + STC_LOGE("Failed to update firewall lock state: %s\n", + sqlite3_errmsg(stc_db_get_database())); + + error_code = STC_ERROR_DB_FAILED; + goto handle_error; + } + + STC_LOGD("Firewall lock state updated [%d]", state); + +handle_error: + sqlite3_reset(stmt); + return error_code; +} + +stc_error_e table_firewall_get_lock(char *name, int *state) +{ + int rc; + stc_error_e error_code = STC_ERROR_NONE; + sqlite3_stmt *stmt = select_fw_lock; + + if (!name) + return STC_ERROR_DB_FAILED; + + DB_ACTION(sqlite3_bind_text(stmt, 1, name, + -1, SQLITE_TRANSIENT)); + + rc = sqlite3_step(stmt); + + switch (rc) { + case SQLITE_DONE: + break; + case SQLITE_ROW: + *state = sqlite3_column_int(stmt, 0); + break; + case SQLITE_ERROR: + default: + STC_LOGE("Failed to get firewall lock state: %s\n", + sqlite3_errmsg(stc_db_get_database())); + + error_code = STC_ERROR_DB_FAILED; + goto handle_error; + } + + STC_LOGD("Firewall lock state [%d]", *state); + +handle_error: + sqlite3_reset(stmt); + return error_code; +} + +stc_error_e table_firewall_insert_chain(firewall_chain_s *info) +{ + stc_error_e error_code = STC_ERROR_NONE; + sqlite3_stmt *stmt = insert_fw_chain; + + if (!info) { + error_code = STC_ERROR_INVALID_PARAMETER; + goto handle_error; + } + + DB_ACTION(sqlite3_bind_text(stmt, 1, info->chain ? info->chain : "", + -1, SQLITE_TRANSIENT)); + DB_ACTION(sqlite3_bind_int(stmt, 2, info->target)); + DB_ACTION(sqlite3_bind_int(stmt, 3, info->priority)); + + if (sqlite3_step(stmt) != SQLITE_DONE) { + STC_LOGE("Failed to insert firewall chain: %s\n", + sqlite3_errmsg(stc_db_get_database())); + error_code = STC_ERROR_DB_FAILED; + goto handle_error; + } + + STC_LOGD("Firewall chain inserted [%s]", info->chain); + +handle_error: + sqlite3_reset(stmt); + return error_code; +} + +stc_error_e table_firewall_delete_chain(firewall_chain_s *info) +{ + stc_error_e error_code = STC_ERROR_NONE; + sqlite3_stmt *stmt = delete_fw_chain; + + if (!info) { + error_code = STC_ERROR_INVALID_PARAMETER; + goto handle_error; + } + + DB_ACTION(sqlite3_bind_text(stmt, 1, info->chain ? info->chain : "", + -1, SQLITE_TRANSIENT)); + + if (sqlite3_step(stmt) != SQLITE_DONE) { + STC_LOGE("Failed to delete firewall chain %s\n", + sqlite3_errmsg(stc_db_get_database())); + error_code = STC_ERROR_DB_FAILED; + goto handle_error; + } + + STC_LOGD("Firewall chain deleted [%s]", info->chain); + +handle_error: + + sqlite3_reset(stmt); + return error_code; +} + +stc_error_e table_firewall_flush_chain(firewall_chain_s *info) +{ + stc_error_e error_code = STC_ERROR_NONE; + sqlite3_stmt *stmt = delete_fw_rule_per_chain; + + if (!info) { + error_code = STC_ERROR_INVALID_PARAMETER; + goto handle_error; + } + + DB_ACTION(sqlite3_bind_text(stmt, 1, info->chain ? info->chain : "", + -1, SQLITE_TRANSIENT)); + + if (sqlite3_step(stmt) != SQLITE_DONE) { + STC_LOGE("Failed to flush firewall chain %s\n", + sqlite3_errmsg(stc_db_get_database())); + error_code = STC_ERROR_DB_FAILED; + goto handle_error; + } + + STC_LOGD("Firewall chain flushed [%s]", info->chain); + +handle_error: + + sqlite3_reset(stmt); + return error_code; +} + +stc_error_e table_firewall_update_chain(firewall_chain_s *info) +{ + stc_error_e error_code = STC_ERROR_NONE; + sqlite3_stmt *stmt = update_fw_chain; + + if (!info) { + error_code = STC_ERROR_INVALID_PARAMETER; + goto handle_error; + } + + DB_ACTION(sqlite3_bind_int(stmt, 1, info->target)); + DB_ACTION(sqlite3_bind_int(stmt, 2, info->priority)); + DB_ACTION(sqlite3_bind_text(stmt, 3, info->chain ? info->chain : "", + -1, SQLITE_TRANSIENT)); + + if (sqlite3_step(stmt) != SQLITE_DONE) { + STC_LOGE("Failed to update firewall chain: %s\n", + sqlite3_errmsg(stc_db_get_database())); + error_code = STC_ERROR_DB_FAILED; + goto handle_error; + } + + STC_LOGD("Firewall chain updated [%s]", info->chain); + +handle_error: + sqlite3_reset(stmt); + return error_code; +} + +stc_error_e table_firewall_foreach_chain(firewall_chain_cb info_cb, + void *user_data) +{ + firewall_chain_s info; + int rc; + stc_error_e error_code = STC_ERROR_NONE; + sqlite3_stmt *stmt = select_fw_chain; + + do { + rc = sqlite3_step(stmt); + + memset(&info, 0, sizeof(info)); + + switch (rc) { + case SQLITE_DONE: + break; + case SQLITE_ROW: + info.chain = (char *)sqlite3_column_text(stmt, 0); + info.target = sqlite3_column_int(stmt, 1); + info.priority = sqlite3_column_int(stmt, 2); + + if (info_cb(&info, user_data) == STC_CANCEL) + rc = SQLITE_DONE; + break; + case SQLITE_ERROR: + default: + STC_LOGE("Failed to enumerate firewall chains: %s\n", + sqlite3_errmsg(stc_db_get_database())); + + error_code = STC_ERROR_DB_FAILED; + } + } while (rc == SQLITE_ROW); + + sqlite3_reset(stmt); + return error_code; +} + +stc_error_e table_firewall_insert_rule(firewall_rule_s *info) +{ + stc_error_e error_code = STC_ERROR_NONE; + char buf[BUF_SIZE_FOR_IP]; + sqlite3_stmt *stmt = insert_fw_rule; + + if (!info) { + error_code = STC_ERROR_INVALID_PARAMETER; + goto handle_error; + } + + DB_ACTION(sqlite3_bind_int64(stmt, 1, info->key)); + DB_ACTION(sqlite3_bind_text(stmt, 2, info->chain ? info->chain : "", + -1, SQLITE_TRANSIENT)); + DB_ACTION(sqlite3_bind_int(stmt, 3, info->direction)); + DB_ACTION(sqlite3_bind_int(stmt, 4, info->s_ip_type)); + DB_ACTION(sqlite3_bind_int(stmt, 5, info->d_ip_type)); + DB_ACTION(sqlite3_bind_int(stmt, 6, info->s_port_type)); + DB_ACTION(sqlite3_bind_int(stmt, 7, info->d_port_type)); + DB_ACTION(sqlite3_bind_int(stmt, 8, info->protocol)); + DB_ACTION(sqlite3_bind_int(stmt, 9, info->family)); + if (info->family == STC_FW_FAMILY_V4) { + memset(buf, 0, sizeof(buf)); + snprintf(buf, sizeof(buf), "%08x", info->s_ip1.Ipv4.s_addr); + DB_ACTION(sqlite3_bind_text(stmt, 10, buf, -1, SQLITE_TRANSIENT)); + + memset(buf, 0, sizeof(buf)); + snprintf(buf, sizeof(buf), "%08x", info->s_ip2.Ipv4.s_addr); + DB_ACTION(sqlite3_bind_text(stmt, 11, buf, -1, SQLITE_TRANSIENT)); + + memset(buf, 0, sizeof(buf)); + snprintf(buf, sizeof(buf), "%08x", info->d_ip1.Ipv4.s_addr); + DB_ACTION(sqlite3_bind_text(stmt, 12, buf, -1, SQLITE_TRANSIENT)); + + memset(buf, 0, sizeof(buf)); + snprintf(buf, sizeof(buf), "%08x", info->d_ip2.Ipv4.s_addr); + DB_ACTION(sqlite3_bind_text(stmt, 13, buf, -1, SQLITE_TRANSIENT)); + } else if (info->family == STC_FW_FAMILY_V6) { + memset(buf, 0, sizeof(buf)); + snprintf(buf, sizeof(buf), "%08x:%08x:%08x:%08x", + info->s_ip1.Ipv6.s6_addr32[0], info->s_ip1.Ipv6.s6_addr32[1], + info->s_ip1.Ipv6.s6_addr32[2], info->s_ip1.Ipv6.s6_addr32[3]); + DB_ACTION(sqlite3_bind_text(stmt, 10, buf, -1, SQLITE_TRANSIENT)); + + memset(buf, 0, sizeof(buf)); + snprintf(buf, sizeof(buf), "%08x:%08x:%08x:%08x", + info->s_ip2.Ipv6.s6_addr32[0], info->s_ip2.Ipv6.s6_addr32[1], + info->s_ip2.Ipv6.s6_addr32[2], info->s_ip2.Ipv6.s6_addr32[3]); + DB_ACTION(sqlite3_bind_text(stmt, 11, buf, -1, SQLITE_TRANSIENT)); + + memset(buf, 0, sizeof(buf)); + snprintf(buf, sizeof(buf), "%08x:%08x:%08x:%08x", + info->d_ip1.Ipv6.s6_addr32[0], info->d_ip1.Ipv6.s6_addr32[1], + info->d_ip1.Ipv6.s6_addr32[2], info->d_ip1.Ipv6.s6_addr32[3]); + DB_ACTION(sqlite3_bind_text(stmt, 12, buf, -1, SQLITE_TRANSIENT)); + + memset(buf, 0, sizeof(buf)); + snprintf(buf, sizeof(buf), "%08x:%08x:%08x:%08x", + info->d_ip2.Ipv6.s6_addr32[0], info->d_ip2.Ipv6.s6_addr32[1], + info->d_ip2.Ipv6.s6_addr32[2], info->d_ip2.Ipv6.s6_addr32[3]); + DB_ACTION(sqlite3_bind_text(stmt, 13, buf, -1, SQLITE_TRANSIENT)); + } else { + DB_ACTION(sqlite3_bind_text(stmt, 10, "", -1, SQLITE_TRANSIENT)); + DB_ACTION(sqlite3_bind_text(stmt, 11, "", -1, SQLITE_TRANSIENT)); + DB_ACTION(sqlite3_bind_text(stmt, 12, "", -1, SQLITE_TRANSIENT)); + DB_ACTION(sqlite3_bind_text(stmt, 13, "", -1, SQLITE_TRANSIENT)); + } + DB_ACTION(sqlite3_bind_int(stmt, 14, info->s_port1)); + DB_ACTION(sqlite3_bind_int(stmt, 15, info->s_port2)); + DB_ACTION(sqlite3_bind_int(stmt, 16, info->d_port1)); + DB_ACTION(sqlite3_bind_int(stmt, 17, info->d_port2)); + DB_ACTION(sqlite3_bind_text(stmt, 18, info->ifname ? info->ifname : "", + -1, SQLITE_TRANSIENT)); + DB_ACTION(sqlite3_bind_int(stmt, 19, info->target)); + DB_ACTION(sqlite3_bind_text(stmt, 20, info->identifier ? info->identifier : "", + -1, SQLITE_TRANSIENT)); + + if (sqlite3_step(stmt) != SQLITE_DONE) { + STC_LOGE("Failed to insert firewall rule: %s\n", + sqlite3_errmsg(stc_db_get_database())); + error_code = STC_ERROR_DB_FAILED; + goto handle_error; + } + + STC_LOGD("Firewall rule inserted [%s]", info->chain); + +handle_error: + sqlite3_reset(stmt); + return error_code; +} + +stc_error_e table_firewall_delete_rule(firewall_rule_s *info) +{ + stc_error_e error_code = STC_ERROR_NONE; + sqlite3_stmt *stmt = delete_fw_rule; + + if (!info) { + error_code = STC_ERROR_INVALID_PARAMETER; + goto handle_error; + } + + DB_ACTION(sqlite3_bind_int64(stmt, 1, info->key)); + + if (sqlite3_step(stmt) != SQLITE_DONE) { + STC_LOGE("Failed to delete firewall rule %s\n", + sqlite3_errmsg(stc_db_get_database())); + error_code = STC_ERROR_DB_FAILED; + goto handle_error; + } + + STC_LOGD("Firewall rule deleted [%s]", info->chain); + +handle_error: + + sqlite3_reset(stmt); + return error_code; +} + +stc_error_e table_firewall_update_rule(firewall_rule_s *info) +{ + stc_error_e error_code = STC_ERROR_NONE; + char buf[BUF_SIZE_FOR_IP]; + sqlite3_stmt *stmt = update_fw_rule; + + if (!info) { + error_code = STC_ERROR_INVALID_PARAMETER; + goto handle_error; + } + + DB_ACTION(sqlite3_bind_text(stmt, 1, info->chain ? info->chain : "", + -1, SQLITE_TRANSIENT)); + DB_ACTION(sqlite3_bind_int(stmt, 2, info->direction)); + DB_ACTION(sqlite3_bind_int(stmt, 3, info->s_ip_type)); + DB_ACTION(sqlite3_bind_int(stmt, 4, info->d_ip_type)); + DB_ACTION(sqlite3_bind_int(stmt, 5, info->s_port_type)); + DB_ACTION(sqlite3_bind_int(stmt, 6, info->d_port_type)); + DB_ACTION(sqlite3_bind_int(stmt, 7, info->protocol)); + DB_ACTION(sqlite3_bind_int(stmt, 8, info->family)); + if (info->family == STC_FW_FAMILY_V4) { + memset(buf, 0, sizeof(buf)); + snprintf(buf, sizeof(buf), "%08x", info->s_ip1.Ipv4.s_addr); + DB_ACTION(sqlite3_bind_text(stmt, 9, buf, -1, SQLITE_TRANSIENT)); + + memset(buf, 0, sizeof(buf)); + snprintf(buf, sizeof(buf), "%08x", info->s_ip2.Ipv4.s_addr); + DB_ACTION(sqlite3_bind_text(stmt, 10, buf, -1, SQLITE_TRANSIENT)); + + memset(buf, 0, sizeof(buf)); + snprintf(buf, sizeof(buf), "%08x", info->d_ip1.Ipv4.s_addr); + DB_ACTION(sqlite3_bind_text(stmt, 11, buf, -1, SQLITE_TRANSIENT)); + + memset(buf, 0, sizeof(buf)); + snprintf(buf, sizeof(buf), "%08x", info->d_ip2.Ipv4.s_addr); + DB_ACTION(sqlite3_bind_text(stmt, 12, buf, -1, SQLITE_TRANSIENT)); + } else if (info->family == STC_FW_FAMILY_V6) { + memset(buf, 0, sizeof(buf)); + snprintf(buf, sizeof(buf), "%08x:%08x:%08x:%08x", + info->s_ip1.Ipv6.s6_addr32[0], info->s_ip1.Ipv6.s6_addr32[1], + info->s_ip1.Ipv6.s6_addr32[2], info->s_ip1.Ipv6.s6_addr32[3]); + DB_ACTION(sqlite3_bind_text(stmt, 9, buf, -1, SQLITE_TRANSIENT)); + + memset(buf, 0, sizeof(buf)); + snprintf(buf, sizeof(buf), "%08x:%08x:%08x:%08x", + info->s_ip2.Ipv6.s6_addr32[0], info->s_ip2.Ipv6.s6_addr32[1], + info->s_ip2.Ipv6.s6_addr32[2], info->s_ip2.Ipv6.s6_addr32[3]); + DB_ACTION(sqlite3_bind_text(stmt, 10, buf, -1, SQLITE_TRANSIENT)); + + memset(buf, 0, sizeof(buf)); + snprintf(buf, sizeof(buf), "%08x:%08x:%08x:%08x", + info->d_ip1.Ipv6.s6_addr32[0], info->d_ip1.Ipv6.s6_addr32[1], + info->d_ip1.Ipv6.s6_addr32[2], info->d_ip1.Ipv6.s6_addr32[3]); + DB_ACTION(sqlite3_bind_text(stmt, 11, buf, -1, SQLITE_TRANSIENT)); + + memset(buf, 0, sizeof(buf)); + snprintf(buf, sizeof(buf), "%08x:%08x:%08x:%08x", + info->d_ip2.Ipv6.s6_addr32[0], info->d_ip2.Ipv6.s6_addr32[1], + info->d_ip2.Ipv6.s6_addr32[2], info->d_ip2.Ipv6.s6_addr32[3]); + DB_ACTION(sqlite3_bind_text(stmt, 12, buf, -1, SQLITE_TRANSIENT)); + } else { + DB_ACTION(sqlite3_bind_text(stmt, 9, "", -1, SQLITE_TRANSIENT)); + DB_ACTION(sqlite3_bind_text(stmt, 10, "", -1, SQLITE_TRANSIENT)); + DB_ACTION(sqlite3_bind_text(stmt, 11, "", -1, SQLITE_TRANSIENT)); + DB_ACTION(sqlite3_bind_text(stmt, 12, "", -1, SQLITE_TRANSIENT)); + } + DB_ACTION(sqlite3_bind_int(stmt, 13, info->s_port1)); + DB_ACTION(sqlite3_bind_int(stmt, 14, info->s_port2)); + DB_ACTION(sqlite3_bind_int(stmt, 15, info->d_port1)); + DB_ACTION(sqlite3_bind_int(stmt, 16, info->d_port2)); + DB_ACTION(sqlite3_bind_text(stmt, 17, info->ifname ? info->ifname : "", + -1, SQLITE_TRANSIENT)); + DB_ACTION(sqlite3_bind_int(stmt, 18, info->target)); + DB_ACTION(sqlite3_bind_text(stmt, 19, info->identifier ? info->identifier : "", + -1, SQLITE_TRANSIENT)); + DB_ACTION(sqlite3_bind_int64(stmt, 20, info->key)); + + if (sqlite3_step(stmt) != SQLITE_DONE) { + STC_LOGE("Failed to update firewall rule %s\n", + sqlite3_errmsg(stc_db_get_database())); + error_code = STC_ERROR_DB_FAILED; + goto handle_error; + } + + STC_LOGD("Firewall rule updated [%s]", info->chain); + +handle_error: + + sqlite3_reset(stmt); + return error_code; +} + +stc_error_e table_firewall_foreach_rule(firewall_rule_cb info_cb, + void *user_data) +{ + firewall_rule_s info; + int rc; + stc_error_e error_code = STC_ERROR_NONE; + sqlite3_stmt *stmt = select_fw_rule; + + do { + rc = sqlite3_step(stmt); + + memset(&info, 0, sizeof(info)); + + switch (rc) { + case SQLITE_DONE: + break; + case SQLITE_ROW: + info.key = sqlite3_column_int64(stmt, 0); + info.chain = (char *)sqlite3_column_text(stmt, 1); + info.direction = sqlite3_column_int(stmt, 2); + info.s_ip_type = sqlite3_column_int(stmt, 3); + info.d_ip_type = sqlite3_column_int(stmt, 4); + info.s_port_type = sqlite3_column_int(stmt, 5); + info.d_port_type = sqlite3_column_int(stmt, 6); + info.protocol = sqlite3_column_int(stmt, 7); + info.family = sqlite3_column_int(stmt, 8); + if (info.family == STC_FW_FAMILY_V4) { + sscanf((char *)sqlite3_column_text(stmt, 9), "%08x", + &(info.s_ip1.Ipv4.s_addr)); + sscanf((char *)sqlite3_column_text(stmt, 10), "%08x", + &(info.s_ip2.Ipv4.s_addr)); + sscanf((char *)sqlite3_column_text(stmt, 11), "%08x", + &(info.d_ip1.Ipv4.s_addr)); + sscanf((char *)sqlite3_column_text(stmt, 12), "%08x", + &(info.d_ip2.Ipv4.s_addr)); + } else if (info.family == STC_FW_FAMILY_V6) { + sscanf((char *)sqlite3_column_text(stmt, 9), "%08x:%08x:%08x:%08x", + &(info.s_ip1.Ipv6.s6_addr32[0]), &(info.s_ip1.Ipv6.s6_addr32[1]), + &(info.s_ip1.Ipv6.s6_addr32[2]), &(info.s_ip1.Ipv6.s6_addr32[3])); + sscanf((char *)sqlite3_column_text(stmt, 10), "%08x:%08x:%08x:%08x", + &(info.s_ip2.Ipv6.s6_addr32[0]), &(info.s_ip2.Ipv6.s6_addr32[1]), + &(info.s_ip2.Ipv6.s6_addr32[2]), &(info.s_ip2.Ipv6.s6_addr32[3])); + sscanf((char *)sqlite3_column_text(stmt, 11), "%08x:%08x:%08x:%08x", + &(info.d_ip1.Ipv6.s6_addr32[0]), &(info.d_ip1.Ipv6.s6_addr32[1]), + &(info.d_ip1.Ipv6.s6_addr32[2]), &(info.d_ip1.Ipv6.s6_addr32[3])); + sscanf((char *)sqlite3_column_text(stmt, 12), "%08x:%08x:%08x:%08x", + &(info.d_ip2.Ipv6.s6_addr32[0]), &(info.d_ip2.Ipv6.s6_addr32[1]), + &(info.d_ip2.Ipv6.s6_addr32[2]), &(info.d_ip2.Ipv6.s6_addr32[3])); + } + info.s_port1 = sqlite3_column_int(stmt, 13); + info.s_port2 = sqlite3_column_int(stmt, 14); + info.d_port1 = sqlite3_column_int(stmt, 15); + info.d_port2 = sqlite3_column_int(stmt, 16); + info.ifname = (char *)sqlite3_column_text(stmt, 17); + info.target = sqlite3_column_int(stmt, 18); + info.identifier = (char *)sqlite3_column_text(stmt, 19); + + if (info_cb(&info, user_data) == STC_CANCEL) + rc = SQLITE_DONE; + break; + case SQLITE_ERROR: + default: + STC_LOGE("Failed to enumerate firewall rules: %s\n", + sqlite3_errmsg(stc_db_get_database())); + + error_code = STC_ERROR_DB_FAILED; + } + } while (rc == SQLITE_ROW); + + sqlite3_reset(stmt); + return error_code; +} + +stc_error_e table_firewall_prepare(sqlite3 *db) +{ + __STC_LOG_FUNC_ENTER__; + + stc_error_e error_code = STC_ERROR_NONE; + + if (db == NULL) { + __STC_LOG_FUNC_EXIT__; + return STC_ERROR_FAIL; + } + + DB_ACTION(__prepare_delete(db)); + DB_ACTION(__prepare_select(db)); + DB_ACTION(__prepare_update(db)); + DB_ACTION(__prepare_insert(db)); + +handle_error: + + __STC_LOG_FUNC_EXIT__; + return error_code; +} + +void table_firewall_finalize(void) +{ + __STC_LOG_FUNC_ENTER__; + __finalize_delete(); + __finalize_select(); + __finalize_update(); + __finalize_insert(); + __STC_LOG_FUNC_EXIT__; +} diff --git a/src/database/tables/table-statistics.c b/src/database/tables/table-statistics.c index 49856b4..6f2fe03 100755 --- a/src/database/tables/table-statistics.c +++ b/src/database/tables/table-statistics.c @@ -594,7 +594,7 @@ stc_error_e table_statistics_insert(stc_db_classid_iftype_key *stat_key, { stc_error_e error_code = STC_ERROR_NONE; sqlite3_stmt *stmt = update_statistics_query; - stc_hw_net_protocol_type_e hw_net_protocol_type = STC_PROTOCOL_NONE; + stc_hw_net_protocol_type_e hw_net_protocol_type = STC_PROTOCOL_UNKNOWN; if (!stat->rcv_count && !stat->snd_count) { error_code = STC_ERROR_INVALID_PARAMETER; diff --git a/src/helper/helper-firewall.c b/src/helper/helper-firewall.c new file mode 100755 index 0000000..aab377f --- /dev/null +++ b/src/helper/helper-firewall.c @@ -0,0 +1,716 @@ +/* + * Copyright (c) 2016 Samsung Electronics Co., Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "stc-manager-gdbus.h" +#include "helper-firewall.h" + +#define STC_FIREWALL_DBUS_SERVICE "net.stc.iptables" +#define STC_FIREWALL_DBUS_RULE_INTERFACE STC_FIREWALL_DBUS_SERVICE ".rule" +#define STC_FIREWALL_DBUS_CHAIN_INTERFACE STC_FIREWALL_DBUS_SERVICE ".chain" +#define STC_FIREWALL_DBUS_RULE_PATH "/net/stc/iptables/rule" +#define STC_FIREWALL_DBUS_CHAIN_PATH "/net/stc/iptables/chain" + +#define STC_FIREWALL_DBUS_METHOD_ADD_CHAIN "IptAddChain" +#define STC_FIREWALL_DBUS_METHOD_REMOVE_CHAIN "IptRemoveChain" +#define STC_FIREWALL_DBUS_METHOD_FLUSH_CHAIN "IptFlushChain" +#define STC_FIREWALL6_DBUS_METHOD_ADD_CHAIN "Ip6tAddChain" +#define STC_FIREWALL6_DBUS_METHOD_REMOVE_CHAIN "Ip6tRemoveChain" +#define STC_FIREWALL6_DBUS_METHOD_FLUSH_CHAIN "Ip6tFlushChain" + +#define STC_FIREWALL_DBUS_METHOD_ADD_RULE "IptAddRule" +#define STC_FIREWALL_DBUS_METHOD_REMOVE_RULE "IptRemoveRule" +#define STC_FIREWALL6_DBUS_METHOD_ADD_RULE "Ip6tAddRule" +#define STC_FIREWALL6_DBUS_METHOD_REMOVE_RULE "Ip6tRemoveRule" + +#define BUF_SIZE_FOR_IP 64 + +#define RULE_CHAIN "chain" +#define RULE_DIRECTION "type" +#define RULE_IFNAME "ifname" +#define RULE_PROTOCOL "protocol" +#define RULE_TARGET "target" + +#define RULE_FAMILY "family" +#define RULE_SIPTYPE "s_ip_type" +#define RULE_SIP1 "s_ip1" +#define RULE_SIP2 "s_ip2" +#define RULE_DIPTYPE "d_ip_type" +#define RULE_DIP1 "d_ip1" +#define RULE_DIP2 "d_ip2" +#define RULE_SPORTTYPE "s_port_type" +#define RULE_SPORT1 "s_port1" +#define RULE_SPORT2 "s_port2" +#define RULE_DPORTTYPE "d_port_type" +#define RULE_DPORT1 "d_port1" +#define RULE_DPORT2 "d_port2" + +static void __fw_add_rule_info_to_builder(GVariantBuilder *builder, + firewall_rule_s *rule) +{ + if (builder == NULL || rule == NULL) + return; + + g_variant_builder_add(builder, "{sv}", RULE_CHAIN, + g_variant_new_string(rule->chain)); + + if (rule->direction != STC_FW_DIRECTION_NONE) + g_variant_builder_add(builder, "{sv}", RULE_DIRECTION, + g_variant_new_uint16(rule->direction)); + + if (rule->s_ip_type != STC_FW_IP_NONE) + g_variant_builder_add(builder, "{sv}", RULE_SIPTYPE, + g_variant_new_uint16(rule->s_ip_type)); + + if (rule->d_ip_type != STC_FW_IP_NONE) + g_variant_builder_add(builder, "{sv}", RULE_DIPTYPE, + g_variant_new_uint16(rule->d_ip_type)); + + if (rule->s_port_type != STC_FW_PORT_NONE) + g_variant_builder_add(builder, "{sv}", RULE_SPORTTYPE, + g_variant_new_uint16(rule->s_port_type)); + + if (rule->d_port_type != STC_FW_PORT_NONE) + g_variant_builder_add(builder, "{sv}", RULE_DPORTTYPE, + g_variant_new_uint16(rule->d_port_type)); + + if (rule->protocol != STC_FW_PROTOCOL_NONE) + g_variant_builder_add(builder, "{sv}", RULE_PROTOCOL, + g_variant_new_uint16(rule->protocol)); + + switch (rule->family) { + case STC_FW_FAMILY_V4: + if (rule->s_ip1.Ipv4.s_addr) + g_variant_builder_add(builder, "{sv}", RULE_SIP1, + g_variant_new_uint32(rule->s_ip1.Ipv4.s_addr)); + + if (rule->s_ip2.Ipv4.s_addr) + g_variant_builder_add(builder, "{sv}", RULE_SIP2, + g_variant_new_uint32(rule->s_ip2.Ipv4.s_addr)); + + if (rule->d_ip1.Ipv4.s_addr) + g_variant_builder_add(builder, "{sv}", RULE_DIP1, + g_variant_new_uint32(rule->d_ip1.Ipv4.s_addr)); + + if (rule->d_ip2.Ipv4.s_addr) + g_variant_builder_add(builder, "{sv}", RULE_DIP2, + g_variant_new_uint32(rule->d_ip2.Ipv4.s_addr)); + + break; + case STC_FW_FAMILY_V6: + { + char buf[BUF_SIZE_FOR_IP]; + + if (rule->s_ip1.Ipv6.s6_addr32[0] || rule->s_ip1.Ipv6.s6_addr32[1] || + rule->s_ip1.Ipv6.s6_addr32[2] || rule->s_ip1.Ipv6.s6_addr32[3]) { + memset(buf, 0, sizeof(buf)); + snprintf(buf, sizeof(buf), "%08x:%08x:%08x:%08x", + rule->s_ip1.Ipv6.s6_addr32[0], rule->s_ip1.Ipv6.s6_addr32[1], + rule->s_ip1.Ipv6.s6_addr32[2], rule->s_ip1.Ipv6.s6_addr32[3]); + g_variant_builder_add(builder, "{sv}", RULE_SIP1, + g_variant_new_string(buf)); + } + + if (rule->s_ip2.Ipv6.s6_addr32[0] || rule->s_ip2.Ipv6.s6_addr32[1] || + rule->s_ip2.Ipv6.s6_addr32[2] || rule->s_ip2.Ipv6.s6_addr32[3]) { + memset(buf, 0, sizeof(buf)); + snprintf(buf, sizeof(buf), "%08x:%08x:%08x:%08x", + rule->s_ip2.Ipv6.s6_addr32[0], rule->s_ip2.Ipv6.s6_addr32[1], + rule->s_ip2.Ipv6.s6_addr32[2], rule->s_ip2.Ipv6.s6_addr32[3]); + g_variant_builder_add(builder, "{sv}", RULE_SIP2, + g_variant_new_string(buf)); + } + + if (rule->d_ip1.Ipv6.s6_addr32[0] || rule->d_ip1.Ipv6.s6_addr32[1] || + rule->d_ip1.Ipv6.s6_addr32[2] || rule->d_ip1.Ipv6.s6_addr32[3]) { + memset(buf, 0, sizeof(buf)); + snprintf(buf, sizeof(buf), "%08x:%08x:%08x:%08x", + rule->d_ip1.Ipv6.s6_addr32[0], rule->d_ip1.Ipv6.s6_addr32[1], + rule->d_ip1.Ipv6.s6_addr32[2], rule->d_ip1.Ipv6.s6_addr32[3]); + g_variant_builder_add(builder, "{sv}", RULE_DIP1, + g_variant_new_string(buf)); + } + + if (rule->d_ip2.Ipv6.s6_addr32[0] || rule->d_ip2.Ipv6.s6_addr32[1] || + rule->d_ip2.Ipv6.s6_addr32[2] || rule->d_ip2.Ipv6.s6_addr32[3]) { + memset(buf, 0, sizeof(buf)); + snprintf(buf, sizeof(buf), "%08x:%08x:%08x:%08x", + rule->d_ip2.Ipv6.s6_addr32[0], rule->d_ip2.Ipv6.s6_addr32[1], + rule->d_ip2.Ipv6.s6_addr32[2], rule->d_ip2.Ipv6.s6_addr32[3]); + g_variant_builder_add(builder, "{sv}", RULE_DIP2, + g_variant_new_string(buf)); + } + } + break; + default: + break; + } + + if (rule->s_port1) + g_variant_builder_add(builder, "{sv}", RULE_SPORT1, + g_variant_new_uint32(rule->s_port1)); + + if (rule->s_port2) + g_variant_builder_add(builder, "{sv}", RULE_SPORT2, + g_variant_new_uint32(rule->s_port2)); + + if (rule->d_port1) + g_variant_builder_add(builder, "{sv}", RULE_DPORT1, + g_variant_new_uint32(rule->d_port1)); + + if (rule->d_port2) + g_variant_builder_add(builder, "{sv}", RULE_DPORT2, + g_variant_new_uint32(rule->d_port2)); + + if (rule->ifname) + g_variant_builder_add(builder, "{sv}", RULE_IFNAME, + g_variant_new_string(rule->ifname)); + + if (rule->target_str) + g_variant_builder_add(builder, "{sv}", RULE_TARGET, + g_variant_new_string(rule->target_str)); +} + +static int __fw_add_chain(GDBusConnection *connection, + const char *chain) +{ + int result = 0; + GVariant *message = NULL; + + message = stc_manager_gdbus_call_sync(connection, + STC_FIREWALL_DBUS_SERVICE, + STC_FIREWALL_DBUS_CHAIN_PATH, + STC_FIREWALL_DBUS_CHAIN_INTERFACE, + STC_FIREWALL_DBUS_METHOD_ADD_CHAIN, + g_variant_new("(s)", chain)); + + if (message == NULL) { + STC_LOGE("Failed to invoke dbus method"); + return STC_ERROR_FAIL; + } + + g_variant_get(message, "(i)", &result); + STC_LOGD("Successfully added firewall chain [%d:%s]", result, chain); + g_variant_unref(message); + + return STC_ERROR_NONE; +} + +static int __fw6_add_chain(GDBusConnection *connection, + const char *chain) +{ + int result = 0; + GVariant *message = NULL; + + message = stc_manager_gdbus_call_sync(connection, + STC_FIREWALL_DBUS_SERVICE, + STC_FIREWALL_DBUS_CHAIN_PATH, + STC_FIREWALL_DBUS_CHAIN_INTERFACE, + STC_FIREWALL6_DBUS_METHOD_ADD_CHAIN, + g_variant_new("(s)", chain)); + + if (message == NULL) { + STC_LOGE("Failed to invoke dbus method"); + return STC_ERROR_FAIL; + } + + g_variant_get(message, "(i)", &result); + STC_LOGD("Successfully added firewall6 chain [%d:%s]", result, chain); + g_variant_unref(message); + + return STC_ERROR_NONE; +} + +static int __fw_remove_chain(GDBusConnection *connection, + const char *chain) +{ + int result = 0; + GVariant *message = NULL; + + message = stc_manager_gdbus_call_sync(connection, + STC_FIREWALL_DBUS_SERVICE, + STC_FIREWALL_DBUS_CHAIN_PATH, + STC_FIREWALL_DBUS_CHAIN_INTERFACE, + STC_FIREWALL_DBUS_METHOD_REMOVE_CHAIN, + g_variant_new("(s)", chain)); + + if (message == NULL) { + STC_LOGE("Failed to invoke dbus method"); + return STC_ERROR_FAIL; + } + + g_variant_get(message, "(i)", &result); + STC_LOGD("Successfully removed firewall chain [%d:%s]", result, chain); + g_variant_unref(message); + + return STC_ERROR_NONE; +} + +static int __fw6_remove_chain(GDBusConnection *connection, + const char *chain) +{ + int result = 0; + GVariant *message = NULL; + + message = stc_manager_gdbus_call_sync(connection, + STC_FIREWALL_DBUS_SERVICE, + STC_FIREWALL_DBUS_CHAIN_PATH, + STC_FIREWALL_DBUS_CHAIN_INTERFACE, + STC_FIREWALL6_DBUS_METHOD_REMOVE_CHAIN, + g_variant_new("(s)", chain)); + + if (message == NULL) { + STC_LOGE("Failed to invoke dbus method"); + return STC_ERROR_FAIL; + } + + g_variant_get(message, "(i)", &result); + STC_LOGD("Successfully removed firewall6 chain [%d:%s]", result, chain); + g_variant_unref(message); + + return STC_ERROR_NONE; +} + +static int __fw_flush_chain(GDBusConnection *connection, + const char *chain) +{ + int result = 0; + GVariant *message = NULL; + + message = stc_manager_gdbus_call_sync(connection, + STC_FIREWALL_DBUS_SERVICE, + STC_FIREWALL_DBUS_CHAIN_PATH, + STC_FIREWALL_DBUS_CHAIN_INTERFACE, + STC_FIREWALL_DBUS_METHOD_FLUSH_CHAIN, + g_variant_new("(s)", chain)); + + if (message == NULL) { + STC_LOGE("Failed to invoke dbus method"); + return STC_ERROR_FAIL; + } + + g_variant_get(message, "(i)", &result); + STC_LOGD("Successfully flushed firewall chain [%d:%s]", result, chain); + g_variant_unref(message); + + return STC_ERROR_NONE; +} + +static int __fw6_flush_chain(GDBusConnection *connection, + const char *chain) +{ + int result = 0; + GVariant *message = NULL; + + message = stc_manager_gdbus_call_sync(connection, + STC_FIREWALL_DBUS_SERVICE, + STC_FIREWALL_DBUS_CHAIN_PATH, + STC_FIREWALL_DBUS_CHAIN_INTERFACE, + STC_FIREWALL6_DBUS_METHOD_FLUSH_CHAIN, + g_variant_new("(s)", chain)); + + if (message == NULL) { + STC_LOGE("Failed to invoke dbus method"); + return STC_ERROR_FAIL; + } + + g_variant_get(message, "(i)", &result); + STC_LOGD("Successfully flushed firewall6 chain [%d:%s]", result, chain); + g_variant_unref(message); + + return STC_ERROR_NONE; +} + +static int __fw_set_chain(firewall_chain_s *chain) +{ + stc_error_e ret = STC_ERROR_NONE; + firewall_rule_s rule; + memset(&rule, 0, sizeof(firewall_rule_s)); + + switch (chain->target) { + case STC_FW_CHAIN_TARGET_INPUT: + rule.chain = g_strdup(FIREWALL_CHAIN_TARGET_IN); + break; + case STC_FW_CHAIN_TARGET_OUTPUT: + rule.chain = g_strdup(FIREWALL_CHAIN_TARGET_OUT); + break; + default: + return STC_ERROR_INVALID_PARAMETER; + } + + rule.target_str = g_strdup(chain->chain); + ret = firewall_rule_add(&rule); + + g_free(rule.chain); + g_free(rule.target_str); + + return ret; +} + +static int __fw_unset_chain(firewall_chain_s *chain) +{ + stc_error_e ret = STC_ERROR_NONE; + firewall_rule_s rule; + memset(&rule, 0, sizeof(firewall_rule_s)); + + switch (chain->target) { + case STC_FW_CHAIN_TARGET_INPUT: + rule.chain = g_strdup(FIREWALL_CHAIN_TARGET_IN); + break; + case STC_FW_CHAIN_TARGET_OUTPUT: + rule.chain = g_strdup(FIREWALL_CHAIN_TARGET_OUT); + break; + default: + return STC_ERROR_INVALID_PARAMETER; + } + + rule.target_str = g_strdup(chain->chain); + ret = firewall_rule_remove(&rule); + + g_free(rule.chain); + g_free(rule.target_str); + + return ret; +} + +static int __fw_add_rule(GDBusConnection *connection, + firewall_rule_s *rule) +{ + int result = 0; + GVariantBuilder *builder = NULL; + GVariant *params = NULL; + GVariant *message = NULL; + + builder = g_variant_builder_new(G_VARIANT_TYPE("a{sv}")); + __fw_add_rule_info_to_builder(builder, rule); + params = g_variant_new("(a{sv})", builder); + g_variant_builder_unref(builder); + + message = stc_manager_gdbus_call_sync(connection, + STC_FIREWALL_DBUS_SERVICE, + STC_FIREWALL_DBUS_RULE_PATH, + STC_FIREWALL_DBUS_RULE_INTERFACE, + STC_FIREWALL_DBUS_METHOD_ADD_RULE, + params); + + if (message == NULL) { + STC_LOGE("Failed to invoke dbus method"); + return STC_ERROR_FAIL; + } + + g_variant_get(message, "(i)", &result); + STC_LOGD("Successfully added firewall rule [%d:%s]", + result, rule->chain); + g_variant_unref(message); + + return STC_ERROR_NONE; +} + +static int __fw6_add_rule(GDBusConnection *connection, + firewall_rule_s *rule) +{ + int result = 0; + GVariantBuilder *builder = NULL; + GVariant *params = NULL; + GVariant *message = NULL; + + builder = g_variant_builder_new(G_VARIANT_TYPE("a{sv}")); + __fw_add_rule_info_to_builder(builder, rule); + params = g_variant_new("(a{sv})", builder); + g_variant_builder_unref(builder); + + message = stc_manager_gdbus_call_sync(connection, + STC_FIREWALL_DBUS_SERVICE, + STC_FIREWALL_DBUS_RULE_PATH, + STC_FIREWALL_DBUS_RULE_INTERFACE, + STC_FIREWALL6_DBUS_METHOD_ADD_RULE, + params); + + if (message == NULL) { + STC_LOGE("Failed to invoke dbus method"); + return STC_ERROR_FAIL; + } + + g_variant_get(message, "(i)", &result); + STC_LOGD("Successfully added firewall6 rule [%d:%s]", + result, rule->chain); + g_variant_unref(message); + + return STC_ERROR_NONE; +} + +static int __fw_remove_rule(GDBusConnection *connection, + firewall_rule_s *rule) +{ + int result = 0; + GVariantBuilder *builder = NULL; + GVariant *params = NULL; + GVariant *message = NULL; + + builder = g_variant_builder_new(G_VARIANT_TYPE("a{sv}")); + __fw_add_rule_info_to_builder(builder, rule); + params = g_variant_new("(a{sv})", builder); + g_variant_builder_unref(builder); + + message = stc_manager_gdbus_call_sync(connection, + STC_FIREWALL_DBUS_SERVICE, + STC_FIREWALL_DBUS_RULE_PATH, + STC_FIREWALL_DBUS_RULE_INTERFACE, + STC_FIREWALL_DBUS_METHOD_REMOVE_RULE, + params); + + if (message == NULL) { + STC_LOGE("Failed to invoke dbus method"); + return STC_ERROR_FAIL; + } + + g_variant_get(message, "(i)", &result); + STC_LOGD("Successfully removed firewall rule [%d:%s]", + result, rule->chain); + g_variant_unref(message); + + return STC_ERROR_NONE; +} + +static int __fw6_remove_rule(GDBusConnection *connection, + firewall_rule_s *rule) +{ + int result = 0; + GVariantBuilder *builder = NULL; + GVariant *params = NULL; + GVariant *message = NULL; + + builder = g_variant_builder_new(G_VARIANT_TYPE("a{sv}")); + __fw_add_rule_info_to_builder(builder, rule); + params = g_variant_new("(a{sv})", builder); + g_variant_builder_unref(builder); + + message = stc_manager_gdbus_call_sync(connection, + STC_FIREWALL_DBUS_SERVICE, + STC_FIREWALL_DBUS_RULE_PATH, + STC_FIREWALL_DBUS_RULE_INTERFACE, + STC_FIREWALL6_DBUS_METHOD_REMOVE_RULE, + params); + + if (message == NULL) { + STC_LOGE("Failed to invoke dbus method"); + return STC_ERROR_FAIL; + } + + g_variant_get(message, "(i)", &result); + STC_LOGD("Successfully removed firewall6 rule [%d:%s]", + result, rule->chain); + g_variant_unref(message); + + return STC_ERROR_NONE; +} + +stc_error_e firewall_chain_add(firewall_chain_s *chain) +{ + __STC_LOG_FUNC_ENTER__; + + stc_error_e ret = STC_ERROR_NONE; + stc_s *stc = stc_get_manager(); + + if (!stc || !stc->connection) { + __STC_LOG_FUNC_EXIT__; + return STC_ERROR_UNINITIALIZED; + } + + ret = __fw_add_chain(stc->connection, chain->chain); + if (ret != STC_ERROR_NONE) { + __STC_LOG_FUNC_EXIT__; + return ret; + } + + ret = __fw6_add_chain(stc->connection, chain->chain); + if (ret != STC_ERROR_NONE) { + __STC_LOG_FUNC_EXIT__; + return ret; + } + + __STC_LOG_FUNC_EXIT__; + return ret; +} + +stc_error_e firewall_chain_remove(firewall_chain_s *chain) +{ + __STC_LOG_FUNC_ENTER__; + + stc_error_e ret = STC_ERROR_NONE; + stc_s *stc = stc_get_manager(); + + if (!stc || !stc->connection) { + __STC_LOG_FUNC_EXIT__; + return STC_ERROR_UNINITIALIZED; + } + + ret = __fw_remove_chain(stc->connection, chain->chain); + if (ret != STC_ERROR_NONE) { + __STC_LOG_FUNC_EXIT__; + return ret; + } + + ret = __fw6_remove_chain(stc->connection, chain->chain); + if (ret != STC_ERROR_NONE) { + __STC_LOG_FUNC_EXIT__; + return ret; + } + + __STC_LOG_FUNC_EXIT__; + return ret; +} + +stc_error_e firewall_chain_flush(firewall_chain_s *chain) +{ + __STC_LOG_FUNC_ENTER__; + + stc_error_e ret = STC_ERROR_NONE; + stc_s *stc = stc_get_manager(); + + if (!stc || !stc->connection) { + __STC_LOG_FUNC_EXIT__; + return STC_ERROR_UNINITIALIZED; + } + + ret = __fw_flush_chain(stc->connection, chain->chain); + if (ret != STC_ERROR_NONE) { + __STC_LOG_FUNC_EXIT__; + return ret; + } + + ret = __fw6_flush_chain(stc->connection, chain->chain); + if (ret != STC_ERROR_NONE) { + __STC_LOG_FUNC_EXIT__; + return ret; + } + + __STC_LOG_FUNC_EXIT__; + return ret; +} + +stc_error_e firewall_chain_set(firewall_chain_s *chain) +{ + __STC_LOG_FUNC_ENTER__; + + stc_error_e ret = STC_ERROR_NONE; + ret = __fw_set_chain(chain); + + __STC_LOG_FUNC_EXIT__; + return ret; +} + +stc_error_e firewall_chain_unset(firewall_chain_s *chain) +{ + __STC_LOG_FUNC_ENTER__; + + stc_error_e ret = STC_ERROR_NONE; + ret = __fw_unset_chain(chain); + + __STC_LOG_FUNC_EXIT__; + return ret; +} + +stc_error_e firewall_rule_add(firewall_rule_s *rule) +{ + __STC_LOG_FUNC_ENTER__; + + stc_error_e ret = STC_ERROR_NONE; + stc_s *stc = stc_get_manager(); + + if (!stc || !stc->connection) { + __STC_LOG_FUNC_EXIT__; + return STC_ERROR_UNINITIALIZED; + } + + switch (rule->family) { + case STC_FW_FAMILY_V4: + ret = __fw_add_rule(stc->connection, rule); + if (ret != STC_ERROR_NONE) { + __STC_LOG_FUNC_EXIT__; + return ret; + } + break; + case STC_FW_FAMILY_V6: + ret = __fw6_add_rule(stc->connection, rule); + if (ret != STC_ERROR_NONE) { + __STC_LOG_FUNC_EXIT__; + return ret; + } + break; + default: + ret = __fw_add_rule(stc->connection, rule); + if (ret != STC_ERROR_NONE) { + __STC_LOG_FUNC_EXIT__; + return ret; + } + + ret = __fw6_add_rule(stc->connection, rule); + if (ret != STC_ERROR_NONE) { + __STC_LOG_FUNC_EXIT__; + return ret; + } + break; + } + + __STC_LOG_FUNC_EXIT__; + return ret; +} + +stc_error_e firewall_rule_remove(firewall_rule_s *rule) +{ + __STC_LOG_FUNC_ENTER__; + + stc_error_e ret = STC_ERROR_NONE; + stc_s *stc = stc_get_manager(); + + if (!stc || !stc->connection) { + __STC_LOG_FUNC_EXIT__; + return STC_ERROR_UNINITIALIZED; + } + + switch (rule->family) { + case STC_FW_FAMILY_V4: + ret = __fw_remove_rule(stc->connection, rule); + if (ret != STC_ERROR_NONE) { + __STC_LOG_FUNC_EXIT__; + return ret; + } + break; + case STC_FW_FAMILY_V6: + ret = __fw6_remove_rule(stc->connection, rule); + if (ret != STC_ERROR_NONE) { + __STC_LOG_FUNC_EXIT__; + return ret; + } + break; + default: + ret = __fw_remove_rule(stc->connection, rule); + if (ret != STC_ERROR_NONE) { + __STC_LOG_FUNC_EXIT__; + return ret; + } + + ret = __fw6_remove_rule(stc->connection, rule); + if (ret != STC_ERROR_NONE) { + __STC_LOG_FUNC_EXIT__; + return ret; + } + break; + } + + __STC_LOG_FUNC_EXIT__; + return ret; +} diff --git a/src/helper/helper-firewall.h b/src/helper/helper-firewall.h new file mode 100755 index 0000000..8a1dbea --- /dev/null +++ b/src/helper/helper-firewall.h @@ -0,0 +1,82 @@ +/* + * Copyright (c) 2016 Samsung Electronics Co., Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef __STC_HELPER_FIREWALL_H__ +#define __STC_HELPER_FIREWALL_H__ + +#include + +#include "stc-manager.h" +#include "stc-error.h" + +#define FIREWALL_CHAIN_TARGET_IN "STC_IN" +#define FIREWALL_CHAIN_TARGET_OUT "STC_OUT" + +#define FIREWALL_RULE_TARGET_ACCEPT "ACCEPT" +#define FIREWALL_RULE_TARGET_DROP "DROP" +#define FIREWALL_RULE_TARGET_LOG "LOG" + +typedef enum { + FIREWALL_UNKONWN, + FIREWALL_UNLOCKED, + FIREWALL_LOCKED +} firewall_lock_e; + +typedef union { + struct in_addr Ipv4; + struct in6_addr Ipv6; +} ip_addr_u; + +typedef struct { + char *chain; + stc_fw_chain_target_e target; + guint priority; +} firewall_chain_s; + +typedef struct { + guint key; + char *chain; + stc_fw_direction_e direction; + stc_fw_ip_type_e s_ip_type; + stc_fw_ip_type_e d_ip_type; + stc_fw_port_type_e s_port_type; + stc_fw_port_type_e d_port_type; + stc_fw_protocol_type_e protocol; + stc_fw_family_type_e family; + ip_addr_u s_ip1; + ip_addr_u s_ip2; + ip_addr_u d_ip1; + ip_addr_u d_ip2; + guint s_port1; + guint s_port2; + guint d_port1; + guint d_port2; + char *ifname; + stc_fw_rule_target_e target; + char *target_str; + char *identifier; +} firewall_rule_s; + +stc_error_e firewall_chain_add(firewall_chain_s *chain); +stc_error_e firewall_chain_remove(firewall_chain_s *chain); +stc_error_e firewall_chain_flush(firewall_chain_s *chain); +stc_error_e firewall_chain_set(firewall_chain_s *chain); +stc_error_e firewall_chain_unset(firewall_chain_s *chain); + +stc_error_e firewall_rule_add(firewall_rule_s *rule); +stc_error_e firewall_rule_remove(firewall_rule_s *rule); + +#endif /*__STC_HELPER_FIREWALL_H__*/ diff --git a/src/helper/helper-iptables.c b/src/helper/helper-iptables.c index 81cab4a..cfd8aaf 100755 --- a/src/helper/helper-iptables.c +++ b/src/helper/helper-iptables.c @@ -50,7 +50,7 @@ static void __add_rule_info_to_builder(GVariantBuilder *builder, g_variant_new_string(rule->chain)); g_variant_builder_add(builder, "{sv}", RULE_TYPE, - g_variant_new_uint32(rule->direction)); + g_variant_new_uint16(rule->direction)); if (rule->ifname) g_variant_builder_add(builder, "{sv}", RULE_IFNAME, diff --git a/src/helper/helper-iptables.h b/src/helper/helper-iptables.h index b73e29f..13db25b 100755 --- a/src/helper/helper-iptables.h +++ b/src/helper/helper-iptables.h @@ -25,6 +25,7 @@ #define STC_FRWD_CHAIN "STC_FRWD" typedef enum { + IPTABLES_DIRECTION_NONE, IPTABLES_DIRECTION_IN, IPTABLES_DIRECTION_OUT } iptables_rule_direction_e; diff --git a/src/helper/helper-nfacct-rule.c b/src/helper/helper-nfacct-rule.c index 4c12965..3923daf 100755 --- a/src/helper/helper-nfacct-rule.c +++ b/src/helper/helper-nfacct-rule.c @@ -456,7 +456,8 @@ static stc_error_e exec_iptables_cmd(nfacct_rule_s *rule) iptables_rule.target = g_strdup(get_iptables_jump(rule->jump)); iptables_rule.chain = g_strdup(get_iptables_chain(rule->iotype)); iptables_rule.classid = rule->classid; - iptables_rule.direction = (rule->iotype & NFACCT_COUNTER_IN) ? 0 : 1; + iptables_rule.direction = (rule->iotype & NFACCT_COUNTER_IN) ? + IPTABLES_DIRECTION_IN : IPTABLES_DIRECTION_OUT; iptype = (iptables_ip_type_e)rule->iptype; if (rule->action == NFACCT_ACTION_DELETE) { diff --git a/src/monitor/stc-default-connection.c b/src/monitor/stc-default-connection.c index 6128e02..9a359d4 100755 --- a/src/monitor/stc-default-connection.c +++ b/src/monitor/stc-default-connection.c @@ -18,6 +18,7 @@ #include #include "stc-monitor.h" +#include "stc-firewall.h" #include "stc-manager-gdbus.h" #include "stc-default-connection.h" @@ -414,6 +415,7 @@ static stc_error_e __get_default_profile(GDBusConnection *connection) __print_default_connection_info(); stc_monitor_update_rstn_by_default_connection(&g_default_connection); + stc_firewall_update(); return STC_ERROR_NONE; } diff --git a/src/stc-firewall.c b/src/stc-firewall.c new file mode 100755 index 0000000..b0a66bb --- /dev/null +++ b/src/stc-firewall.c @@ -0,0 +1,1551 @@ +/* + * Copyright (c) 2016 Samsung Electronics Co., Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "stc-db.h" +#include "table-firewall.h" +#include "helper-firewall.h" +#include "stc-firewall.h" +#include "stc-manager-gdbus.h" + +#define IDENTIFIER_LEN 512 + +#define LOCK_NAME "admin" + +#define CHAIN_NAME "chain" +#define CHAIN_TARGET "target" +#define CHAIN_PRIORITY "priority" + +#define RULE_CHAIN "chain" +#define RULE_DIRECTION "direction" +#define RULE_SIPTYPE "s_ip_type" +#define RULE_DIPTYPE "d_ip_type" +#define RULE_SPORTTYPE "s_port_type" +#define RULE_DPORTTYPE "d_port_type" +#define RULE_PROTOCOL "protocol" +#define RULE_FAMILY "family" +#define RULE_SIP1 "s_ip1" +#define RULE_SIP2 "s_ip2" +#define RULE_DIP1 "d_ip1" +#define RULE_DIP2 "d_ip2" +#define RULE_SPORT1 "s_port1" +#define RULE_SPORT2 "s_port2" +#define RULE_DPORT1 "d_port1" +#define RULE_DPORT2 "d_port2" +#define RULE_IFNAME "ifname" +#define RULE_TARGET "target" +#define RULE_IDENTIFIER "identifier" +#define RULE_KEY "key" + +#define RULE_TARGET_ACCEPT "ACCEPT" +#define RULE_TARGET_DROP "DROP" +#define RULE_TARGET_LOG "LOG" + +#define FIREWALL_DBUS_ERROR_NAME "net.stc.firewall.Error.Failed" + +#define STC_FIREWALL_DBUS_REPLY_ERROR(invocation, err_num) \ + g_dbus_method_invocation_return_dbus_error((invocation), \ + FIREWALL_DBUS_ERROR_NAME, \ + stc_err_strs[-(err_num)]) + +#define STC_FIREWALL_CHECK_LOCK_STATE(invocation) do { \ + if (g_lock_state == FIREWALL_LOCKED) { \ + STC_LOGD("Firewall is locked"); \ + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, \ + STC_ERROR_PERMISSION_DENIED); \ + __STC_LOG_FUNC_EXIT__; \ + return TRUE; \ + } \ +} while (0) + +static const gchar *stc_err_strs[] = { + "ERROR_NONE", + "FAIL", + "DB_FAILED", + "OUT_OF_MEMORY", + "INVALID_PARAMETER", + "NO_DATA", + "ALREADY_DATA", + "UNINITIALIZED", + "PERMISSION_DENIED", + "NOTIMPL" +}; + +static GHashTable *g_firewalls = NULL; +static int g_lock_state = FIREWALL_UNKONWN; +static uint g_chain_priority = 0; + +static void __fw_rule_copy(firewall_rule_s *rule, + const firewall_rule_s *info) +{ + if (info->chain) { + FREE(rule->chain); + rule->chain = g_strdup(info->chain); + } + + rule->direction = info->direction; + rule->s_ip_type = info->s_ip_type; + rule->d_ip_type = info->d_ip_type; + rule->s_port_type = info->s_port_type; + rule->d_port_type = info->d_port_type; + rule->protocol = info->protocol; + rule->family = info->family; + + rule->s_ip1 = info->s_ip1; + rule->s_ip2 = info->s_ip2; + rule->d_ip1 = info->d_ip1; + rule->d_ip2 = info->d_ip2; + + rule->s_port1 = info->s_port1; + rule->s_port2 = info->s_port2; + rule->d_port1 = info->d_port1; + rule->d_port2 = info->d_port2; + + if (info->ifname) { + FREE(rule->ifname); + rule->ifname = g_strdup(info->ifname); + } + + rule->target = info->target; + + if (info->target_str) { + FREE(rule->target_str); + rule->target_str = g_strdup(info->target_str); + } + + if (info->identifier) { + FREE(rule->identifier); + rule->identifier = g_strdup(info->identifier); + } + + rule->key = info->key; +} + +static void __fw_rule_make_key(firewall_rule_s *rule, + firewall_rule_s *info) +{ + GString *str; + + if (!rule->chain) + return; + + str = g_string_sized_new(IDENTIFIER_LEN); + if (!str) + return; + + g_string_append_printf(str, "%s", rule->chain); + + g_string_append_printf(str, "_%u%u%u%u%u%u%u", rule->direction, + rule->s_ip_type, rule->d_ip_type, rule->s_port_type, + rule->d_port_type, rule->protocol, rule->family); + + if (rule->family == STC_FW_FAMILY_V4) { + g_string_append_printf(str, "_"); + g_string_append_printf(str, "%08x", rule->s_ip1.Ipv4.s_addr); + g_string_append_printf(str, "%08x", rule->s_ip2.Ipv4.s_addr); + + g_string_append_printf(str, "_"); + g_string_append_printf(str, "%08x", rule->d_ip1.Ipv4.s_addr); + g_string_append_printf(str, "%08x", rule->d_ip2.Ipv4.s_addr); + } else if (rule->family == STC_FW_FAMILY_V6) { + g_string_append_printf(str, "_"); + g_string_append_printf(str, "%08x", rule->s_ip1.Ipv6.s6_addr32[0]); + g_string_append_printf(str, "%08x", rule->s_ip1.Ipv6.s6_addr32[1]); + g_string_append_printf(str, "%08x", rule->s_ip1.Ipv6.s6_addr32[2]); + g_string_append_printf(str, "%08x", rule->s_ip1.Ipv6.s6_addr32[3]); + g_string_append_printf(str, "%08x", rule->s_ip2.Ipv6.s6_addr32[0]); + g_string_append_printf(str, "%08x", rule->s_ip2.Ipv6.s6_addr32[1]); + g_string_append_printf(str, "%08x", rule->s_ip2.Ipv6.s6_addr32[2]); + g_string_append_printf(str, "%08x", rule->s_ip2.Ipv6.s6_addr32[3]); + + g_string_append_printf(str, "_"); + g_string_append_printf(str, "%08x", rule->d_ip1.Ipv6.s6_addr32[0]); + g_string_append_printf(str, "%08x", rule->d_ip1.Ipv6.s6_addr32[1]); + g_string_append_printf(str, "%08x", rule->d_ip1.Ipv6.s6_addr32[2]); + g_string_append_printf(str, "%08x", rule->d_ip1.Ipv6.s6_addr32[3]); + g_string_append_printf(str, "%08x", rule->d_ip2.Ipv6.s6_addr32[0]); + g_string_append_printf(str, "%08x", rule->d_ip2.Ipv6.s6_addr32[1]); + g_string_append_printf(str, "%08x", rule->d_ip2.Ipv6.s6_addr32[2]); + g_string_append_printf(str, "%08x", rule->d_ip2.Ipv6.s6_addr32[3]); + } + + g_string_append_printf(str, "_%04x", rule->s_port1); + g_string_append_printf(str, "%04x", rule->s_port2); + + g_string_append_printf(str, "_%04x", rule->d_port1); + g_string_append_printf(str, "%04x", rule->d_port2); + + g_string_append_printf(str, "_%s", (rule->ifname) ? rule->ifname : ""); + g_string_append_printf(str, "_%u", rule->target); + + rule->identifier = g_string_free(str, FALSE); + rule->key = g_str_hash(rule->identifier); + + info->identifier = g_strdup(rule->identifier); + info->key = rule->key; + + STC_LOGD("Identifier [%s]", rule->identifier); + STC_LOGD("Key [%u]", rule->key); +} + +static void __fw_rule_free(void *data) +{ + firewall_rule_s *rule = (firewall_rule_s *)data; + + FREE(rule->chain); + FREE(rule->ifname); + FREE(rule->identifier); + FREE(rule); +} + +static void __fw_data_free(gpointer value) +{ + stc_fw_data_s *data = (stc_fw_data_s *)value; + + g_slist_free_full(data->rules, __fw_rule_free); + data->rules = NULL; + + FREE(data); +} + +static gint __fw_rule_comp(gconstpointer a, gconstpointer b) +{ + firewall_rule_s *data = (firewall_rule_s *)a; + firewall_rule_s *rule = (firewall_rule_s *)b; + + if ((data->key == rule->key) && + (g_strcmp0(data->identifier, rule->identifier) == 0)) + return 0; + + return -1; +} + +static stc_error_e __fw_chain_add(const char *chain) +{ + stc_fw_data_s *data; + stc_fw_data_s *lookup; + + ret_value_msg_if(g_firewalls == NULL, + STC_ERROR_FAIL, + "firewall is not initialized!"); + + lookup = g_hash_table_lookup(g_firewalls, chain); + if (lookup) { + STC_LOGD("chain already present"); + return STC_ERROR_ALREADY_DATA; + } + + data = MALLOC0(stc_fw_data_s, 1); + if (!data) { + STC_LOGE("data allocation failed"); + return STC_ERROR_OUT_OF_MEMORY; + } + + data->target = STC_FW_CHAIN_TARGET_NONE; + data->priority = 0; + data->rules = NULL; + + g_hash_table_insert(g_firewalls, g_strdup(chain), data); + + return STC_ERROR_NONE; +} + +static stc_error_e __fw_chain_remove(const char *chain) +{ + stc_fw_data_s *lookup; + + ret_value_msg_if(g_firewalls == NULL, + STC_ERROR_FAIL, + "firewall is not initialized!"); + + lookup = g_hash_table_lookup(g_firewalls, chain); + if (!lookup) { + STC_LOGE("chain not found"); + return STC_ERROR_NO_DATA; + } + + if (lookup->target != STC_FW_CHAIN_TARGET_NONE) { + STC_LOGE("can't be applied bcz chain is set"); + return STC_ERROR_INVALID_PARAMETER; + } + + g_slist_free_full(lookup->rules, __fw_rule_free); + lookup->rules = NULL; + + g_hash_table_remove(g_firewalls, chain); + + return STC_ERROR_NONE; +} + +static stc_error_e __fw_chain_flush(const char *chain) +{ + stc_fw_data_s *lookup; + + ret_value_msg_if(g_firewalls == NULL, + STC_ERROR_FAIL, + "firewall is not initialized!"); + + lookup = g_hash_table_lookup(g_firewalls, chain); + if (!lookup) { + STC_LOGE("chain not found"); + return STC_ERROR_NO_DATA; + } + + if (lookup->target != STC_FW_CHAIN_TARGET_NONE) { + STC_LOGE("can't be applied bcz chain is set"); + return STC_ERROR_INVALID_PARAMETER; + } + + g_slist_free_full(lookup->rules, __fw_rule_free); + lookup->rules = NULL; + + return STC_ERROR_NONE; +} + +static stc_error_e __fw_chain_set(const char *chain, stc_fw_data_s value) +{ + stc_fw_data_s *lookup; + + ret_value_msg_if(g_firewalls == NULL, + STC_ERROR_FAIL, + "firewall is not initialized!"); + + lookup = g_hash_table_lookup(g_firewalls, chain); + if (!lookup) { + STC_LOGE("chain not found"); + return STC_ERROR_NO_DATA; + } + + lookup->target = value.target; + lookup->priority = value.priority; + + return STC_ERROR_NONE; +} + +static stc_fw_data_s *__fw_chain_get(const char *chain) +{ + stc_fw_data_s *lookup; + + ret_value_msg_if(g_firewalls == NULL, NULL, + "firewall is not initialized!"); + + lookup = g_hash_table_lookup(g_firewalls, chain); + if (!lookup) { + STC_LOGE("chain not found"); + return NULL; + } + + return lookup; +} + +static stc_error_e __fw_chain_unset(const char *chain) +{ + stc_error_e ret = STC_ERROR_NONE; + stc_fw_data_s *lookup; + + ret_value_msg_if(g_firewalls == NULL, + STC_ERROR_FAIL, + "firewall is not initialized!"); + + lookup = g_hash_table_lookup(g_firewalls, chain); + if (!lookup) { + STC_LOGE("chain not found"); + return STC_ERROR_NO_DATA; + } + + lookup->target = STC_FW_CHAIN_TARGET_NONE; + lookup->priority = 0; + + return ret; +} + +static void __fw_chain_make_params(gpointer key, gpointer value, + gpointer user_data) +{ + char *chain = (char *)key; + stc_fw_data_s *data = (stc_fw_data_s *)value; + GVariantBuilder *builder = (GVariantBuilder *)user_data; + GVariantBuilder sub_builder; + + g_variant_builder_init(&sub_builder, G_VARIANT_TYPE("a{sv}")); + + g_variant_builder_add(&sub_builder, "{sv}", CHAIN_NAME, + g_variant_new_string(chain)); + + g_variant_builder_add(&sub_builder, "{sv}", CHAIN_PRIORITY, + g_variant_new_uint32(data->priority)); + + g_variant_builder_add(&sub_builder, "{sv}", CHAIN_TARGET, + g_variant_new_uint16(data->target)); + + g_variant_builder_add_value(builder, g_variant_builder_end(&sub_builder)); +} + +static void __fw_rule_make_params(gpointer data, gpointer user_data) +{ + firewall_rule_s *rule = (firewall_rule_s *)data; + GVariantBuilder *builder = (GVariantBuilder *)user_data; + GVariantBuilder sub_builder; + + g_variant_builder_init(&sub_builder, G_VARIANT_TYPE("a{sv}")); + + g_variant_builder_add(&sub_builder, "{sv}", RULE_CHAIN, + g_variant_new_string(rule->chain)); + + if (rule->direction != STC_FW_DIRECTION_NONE) + g_variant_builder_add(&sub_builder, "{sv}", RULE_DIRECTION, + g_variant_new_uint16(rule->direction)); + + if (rule->s_ip_type != STC_FW_IP_NONE) + g_variant_builder_add(&sub_builder, "{sv}", RULE_SIPTYPE, + g_variant_new_uint16(rule->s_ip_type)); + + if (rule->d_ip_type != STC_FW_IP_NONE) + g_variant_builder_add(&sub_builder, "{sv}", RULE_DIPTYPE, + g_variant_new_uint16(rule->d_ip_type)); + + if (rule->s_port_type != STC_FW_PORT_NONE) + g_variant_builder_add(&sub_builder, "{sv}", RULE_SPORTTYPE, + g_variant_new_uint16(rule->s_port_type)); + + if (rule->d_port_type != STC_FW_PORT_NONE) + g_variant_builder_add(&sub_builder, "{sv}", RULE_DPORTTYPE, + g_variant_new_uint16(rule->d_port_type)); + + if (rule->protocol != STC_FW_PROTOCOL_NONE) + g_variant_builder_add(&sub_builder, "{sv}", RULE_PROTOCOL, + g_variant_new_uint16(rule->protocol)); + + if (rule->family != STC_FW_FAMILY_NONE) + g_variant_builder_add(&sub_builder, "{sv}", RULE_FAMILY, + g_variant_new_uint16(rule->family)); + + if (rule->family == STC_FW_FAMILY_V4) { + char *addr = NULL; + + switch (rule->s_ip_type) { + case STC_FW_IP_RANGE: + case STC_FW_IP_MASK: + addr = g_try_malloc0(INET_ADDRSTRLEN); + if (addr) { + inet_ntop(AF_INET, &(rule->s_ip2.Ipv4), addr, INET_ADDRSTRLEN); + g_variant_builder_add(&sub_builder, "{sv}", RULE_SIP2, + g_variant_new_string(addr)); + FREE(addr); + } + case STC_FW_IP_SINGLE: + addr = g_try_malloc0(INET_ADDRSTRLEN); + if (addr) { + inet_ntop(AF_INET, &(rule->s_ip1.Ipv4), addr, INET_ADDRSTRLEN); + g_variant_builder_add(&sub_builder, "{sv}", RULE_SIP1, + g_variant_new_string(addr)); + FREE(addr); + } + break; + default: + break; + } + + switch (rule->d_ip_type) { + case STC_FW_IP_RANGE: + case STC_FW_IP_MASK: + addr = g_try_malloc0(INET_ADDRSTRLEN); + if (addr) { + inet_ntop(AF_INET, &(rule->d_ip2.Ipv4), addr, INET_ADDRSTRLEN); + g_variant_builder_add(&sub_builder, "{sv}", RULE_DIP2, + g_variant_new_string(addr)); + FREE(addr); + } + case STC_FW_IP_SINGLE: + addr = g_try_malloc0(INET_ADDRSTRLEN); + if (addr) { + inet_ntop(AF_INET, &(rule->d_ip1.Ipv4), addr, INET_ADDRSTRLEN); + g_variant_builder_add(&sub_builder, "{sv}", RULE_DIP1, + g_variant_new_string(addr)); + FREE(addr); + } + break; + default: + break; + } + } else if (rule->family == STC_FW_FAMILY_V6) { + char *addr = NULL; + + switch (rule->s_ip_type) { + case STC_FW_IP_RANGE: + case STC_FW_IP_MASK: + addr = g_try_malloc0(INET6_ADDRSTRLEN); + if (addr) { + inet_ntop(AF_INET6, &(rule->s_ip2.Ipv6), addr, INET6_ADDRSTRLEN); + g_variant_builder_add(&sub_builder, "{sv}", RULE_SIP2, + g_variant_new_string(addr)); + FREE(addr); + } + case STC_FW_IP_SINGLE: + addr = g_try_malloc0(INET6_ADDRSTRLEN); + if (addr) { + inet_ntop(AF_INET6, &(rule->s_ip1.Ipv6), addr, INET6_ADDRSTRLEN); + g_variant_builder_add(&sub_builder, "{sv}", RULE_SIP1, + g_variant_new_string(addr)); + FREE(addr); + } + break; + default: + break; + } + + switch (rule->d_ip_type) { + case STC_FW_IP_RANGE: + case STC_FW_IP_MASK: + addr = g_try_malloc0(INET6_ADDRSTRLEN); + if (addr) { + inet_ntop(AF_INET6, &(rule->d_ip2.Ipv6), addr, INET6_ADDRSTRLEN); + g_variant_builder_add(&sub_builder, "{sv}", RULE_DIP2, + g_variant_new_string(addr)); + FREE(addr); + } + case STC_FW_IP_SINGLE: + addr = g_try_malloc0(INET6_ADDRSTRLEN); + if (addr) { + inet_ntop(AF_INET6, &(rule->d_ip1.Ipv6), addr, INET6_ADDRSTRLEN); + g_variant_builder_add(&sub_builder, "{sv}", RULE_DIP1, + g_variant_new_string(addr)); + FREE(addr); + } + break; + default: + break; + } + } + + g_variant_builder_add(&sub_builder, "{sv}", RULE_SPORT1, + g_variant_new_uint32(rule->s_port1)); + + g_variant_builder_add(&sub_builder, "{sv}", RULE_SPORT2, + g_variant_new_uint32(rule->s_port2)); + + g_variant_builder_add(&sub_builder, "{sv}", RULE_DPORT1, + g_variant_new_uint32(rule->d_port1)); + + g_variant_builder_add(&sub_builder, "{sv}", RULE_DPORT2, + g_variant_new_uint32(rule->d_port2)); + + if (rule->ifname) + g_variant_builder_add(&sub_builder, "{sv}", RULE_IFNAME, + g_variant_new_string(rule->ifname)); + + if (rule->target != STC_FW_RULE_TARGET_NONE) + g_variant_builder_add(&sub_builder, "{sv}", RULE_TARGET, + g_variant_new_uint16(rule->target)); + + g_variant_builder_add(&sub_builder, "{sv}", RULE_IDENTIFIER, + g_variant_new_string(rule->identifier)); + + g_variant_builder_add(&sub_builder, "{sv}", RULE_KEY, + g_variant_new_uint32(rule->key)); + + g_variant_builder_add_value(builder, g_variant_builder_end(&sub_builder)); +} + +static void __fw_rule_set_to_chain(gpointer data, gpointer user_data) +{ + firewall_rule_s *info = (firewall_rule_s *)data; + char *chain = (char *)user_data; + firewall_rule_s rule; + + if (chain && (g_strcmp0(info->chain, chain) != 0)) + return; + + memset(&rule, 0, sizeof(firewall_rule_s)); + memcpy(&rule, info, sizeof(firewall_rule_s)); + rule.chain = g_strdup(info->chain); + rule.ifname = g_strdup(info->ifname); + switch (rule.target) { + case STC_FW_RULE_TARGET_ACCEPT: + rule.target_str = g_strdup(FIREWALL_RULE_TARGET_ACCEPT); + break; + case STC_FW_RULE_TARGET_DROP: + rule.target_str = g_strdup(FIREWALL_RULE_TARGET_DROP); + break; + case STC_FW_RULE_TARGET_LOG: + rule.target_str = g_strdup(FIREWALL_RULE_TARGET_LOG); + break; + default: + break; + } + + firewall_rule_add(&rule); + + FREE(rule.chain); + FREE(rule.ifname); + FREE(rule.target_str); +} + +static void __fw_foreach_to_make_rule_param(gpointer key, gpointer value, + gpointer user_data) +{ + stc_fw_data_s *data = (stc_fw_data_s *)value; + + g_slist_foreach(data->rules, __fw_rule_make_params, user_data); +} + +static void __fw_foreach_to_set_rule_to_chain(gpointer key, gpointer value, + gpointer user_data) +{ + stc_fw_data_s *data = (stc_fw_data_s *)value; + char *chain = (char *)user_data; + + if (chain || (data->target != STC_FW_CHAIN_TARGET_NONE)) + g_slist_foreach(data->rules, __fw_rule_set_to_chain, user_data); +} + +static void __fw_foreach_to_set_chain(gpointer key, gpointer value, + gpointer user_data) +{ + char *chain = (char *)key; + stc_fw_data_s *data = (stc_fw_data_s *)value; + + if (data->target != STC_FW_CHAIN_TARGET_NONE) { + firewall_chain_s info; + memset(&info, 0, sizeof(firewall_chain_s)); + info.chain = chain; + info.target = data->target; + info.priority = data->priority; + firewall_chain_set(&info); + } +} + +static void __fw_foreach_to_add_chain(gpointer key, gpointer value, + gpointer user_data) +{ + char *chain = (char *)key; + stc_fw_data_s *data = (stc_fw_data_s *)value; + + if (data->target != STC_FW_CHAIN_TARGET_NONE) { + firewall_chain_s info; + memset(&info, 0, sizeof(firewall_chain_s)); + info.chain = chain; + info.target = data->target; + info.priority = data->priority; + firewall_chain_add(&info); + } +} + +static void __fw_chain_foreach(GHFunc func, void *user_data) +{ + g_hash_table_foreach(g_firewalls, func, user_data); +} + +stc_cb_ret_e __fw_table_chain_info_cb(const firewall_chain_s *info, + void *user_data) +{ + stc_fw_data_s *data; + + data = MALLOC0(stc_fw_data_s, 1); + if (!data) { + STC_LOGE("data allocation failed"); + return STC_CONTINUE; + } + + data->target = info->target; + data->priority = info->priority; + data->rules = NULL; + + g_hash_table_insert(g_firewalls, g_strdup(info->chain), data); + + return STC_CONTINUE; +} + +stc_cb_ret_e __fw_table_rule_info_cb(const firewall_rule_s *info, + void *user_data) +{ + stc_fw_data_s *lookup; + firewall_rule_s *rule; + + lookup = g_hash_table_lookup(g_firewalls, info->chain); + if (!lookup) { + STC_LOGE("chain not found"); + return STC_CONTINUE; + } + + rule = MALLOC0(firewall_rule_s, 1); + if (!rule) { + STC_LOGE("rule allocation failed"); + return STC_CONTINUE; + } + + memset(rule, 0, sizeof(firewall_rule_s)); + __fw_rule_copy(rule, info); + + lookup->rules = g_slist_append(lookup->rules, rule); + + return STC_CONTINUE; +} + +static stc_error_e __fw_rule_add(firewall_rule_s *info) +{ + stc_fw_data_s *lookup; + firewall_rule_s *rule; + GSList *comp; + + ret_value_msg_if(g_firewalls == NULL, + STC_ERROR_FAIL, + "firewall is not initialized!"); + + lookup = g_hash_table_lookup(g_firewalls, info->chain); + if (!lookup) { + STC_LOGE("chain not found"); + return STC_ERROR_NO_DATA; + } + + if (lookup->target != STC_FW_CHAIN_TARGET_NONE) { + STC_LOGE("can't be applied bcz chain is set"); + return STC_ERROR_INVALID_PARAMETER; + } + + rule = MALLOC0(firewall_rule_s, 1); + if (!rule) { + STC_LOGE("rule allocation failed"); + return STC_ERROR_OUT_OF_MEMORY; + } + + memset(rule, 0, sizeof(firewall_rule_s)); + __fw_rule_copy(rule, info); + __fw_rule_make_key(rule, info); + + comp = g_slist_find_custom(lookup->rules, rule, __fw_rule_comp); + if (comp) { + STC_LOGD("rule already present"); + return STC_ERROR_ALREADY_DATA; + } + + lookup->rules = g_slist_append(lookup->rules, rule); + + return STC_ERROR_NONE; +} + +static stc_error_e __fw_rule_remove(const firewall_rule_s *info) +{ + stc_fw_data_s *lookup; + GSList *rule_list; + GSList *comp; + firewall_rule_s *rule; + + ret_value_msg_if(g_firewalls == NULL, + STC_ERROR_FAIL, + "firewall is not initialized!"); + + lookup = g_hash_table_lookup(g_firewalls, info->chain); + if (!lookup) { + STC_LOGE("chain not found"); + return STC_ERROR_NO_DATA; + } + + if (lookup->target != STC_FW_CHAIN_TARGET_NONE) { + STC_LOGE("can't be applied bcz chain is set"); + return STC_ERROR_INVALID_PARAMETER; + } + + rule_list = lookup->rules; + comp = g_slist_find_custom(rule_list, info, __fw_rule_comp); + if (!comp) { + STC_LOGD("rule not found"); + return STC_ERROR_NO_DATA; + } + + rule = comp->data; + lookup->rules = g_slist_remove(lookup->rules, rule); + __fw_rule_free(rule); + + return STC_ERROR_NONE; +} + +static stc_error_e __fw_rule_update(const firewall_rule_s *info) +{ + stc_fw_data_s *lookup; + GSList *rule_list; + GSList *comp; + firewall_rule_s *rule; + + ret_value_msg_if(g_firewalls == NULL, + STC_ERROR_FAIL, + "firewall is not initialized!"); + + lookup = g_hash_table_lookup(g_firewalls, info->chain); + if (!lookup) { + STC_LOGE("chain not found"); + return STC_ERROR_NO_DATA; + } + + if (lookup->target != STC_FW_CHAIN_TARGET_NONE) { + STC_LOGE("can't be applied bcz chain is set"); + return STC_ERROR_INVALID_PARAMETER; + } + + rule_list = lookup->rules; + comp = g_slist_find_custom(rule_list, info, __fw_rule_comp); + if (!comp) { + STC_LOGD("rule not found"); + return STC_ERROR_NO_DATA; + } + + rule = comp->data; + __fw_rule_copy(rule, info); + + return STC_ERROR_NONE; +} + +static void __fw_rule_extract(const char *key, GVariant *value, + void *user_data) +{ + __STC_LOG_FUNC_ENTER__; + + firewall_rule_s *rule = (firewall_rule_s *)user_data; + if (rule == NULL) { + __STC_LOG_FUNC_EXIT__; + return; + } + + if (g_strcmp0(key, RULE_CHAIN) == 0) { + guint str_length; + const gchar *str = g_variant_get_string(value, &str_length); + rule->chain = g_strdup(str); + STC_LOGD("%s: [%s]", RULE_CHAIN, rule->chain); + + } else if (g_strcmp0(key, RULE_DIRECTION) == 0) { + rule->direction = g_variant_get_uint16(value); + STC_LOGD("%s: [%u]", RULE_DIRECTION, rule->direction); + + } else if (g_strcmp0(key, RULE_SIPTYPE) == 0) { + rule->s_ip_type = g_variant_get_uint16(value); + STC_LOGD("%s: [%u]", RULE_SIPTYPE, rule->s_ip_type); + + } else if (g_strcmp0(key, RULE_DIPTYPE) == 0) { + rule->d_ip_type = g_variant_get_uint16(value); + STC_LOGD("%s: [%u]", RULE_DIPTYPE, rule->d_ip_type); + + } else if (g_strcmp0(key, RULE_SPORTTYPE) == 0) { + rule->s_port_type = g_variant_get_uint16(value); + STC_LOGD("%s: [%u]", RULE_SPORTTYPE, rule->s_port_type); + + } else if (g_strcmp0(key, RULE_DPORTTYPE) == 0) { + rule->d_port_type = g_variant_get_uint16(value); + STC_LOGD("%s: [%u]", RULE_DPORTTYPE, rule->d_port_type); + + } else if (g_strcmp0(key, RULE_PROTOCOL) == 0) { + rule->protocol = g_variant_get_uint16(value); + STC_LOGD("%s: [%u]", RULE_PROTOCOL, rule->protocol); + + } else if (g_strcmp0(key, RULE_FAMILY) == 0) { + rule->family = g_variant_get_uint16(value); + STC_LOGD("%s: [%u]", RULE_FAMILY, rule->family); + + } else if (g_strcmp0(key, RULE_SIP1) == 0) { + guint str_length; + const gchar *str = g_variant_get_string(value, &str_length); + if (rule->family == STC_FW_FAMILY_V4) { + inet_pton(AF_INET, str, &(rule->s_ip1.Ipv4)); + STC_LOGD("%s: [%08x]", RULE_SIP1, rule->s_ip1.Ipv4.s_addr); + } else if (rule->family == STC_FW_FAMILY_V6) { + inet_pton(AF_INET6, str, &(rule->s_ip1.Ipv6)); + STC_LOGD("%s: [%08x:%08x:%08x:%08x]", RULE_SIP1, + rule->s_ip1.Ipv6.s6_addr32[0], rule->s_ip1.Ipv6.s6_addr32[1], + rule->s_ip1.Ipv6.s6_addr32[2], rule->s_ip1.Ipv6.s6_addr32[3]); + } + + } else if (g_strcmp0(key, RULE_SIP2) == 0) { + guint str_length; + const gchar *str = g_variant_get_string(value, &str_length); + if (rule->family == STC_FW_FAMILY_V4) { + inet_pton(AF_INET, str, &(rule->s_ip2.Ipv4)); + STC_LOGD("%s: [%08x]", RULE_SIP2, rule->s_ip2.Ipv4.s_addr); + } else if (rule->family == STC_FW_FAMILY_V6) { + inet_pton(AF_INET6, str, &(rule->s_ip2.Ipv6)); + STC_LOGD("%s: [%08x:%08x:%08x:%08x]", RULE_SIP2, + rule->s_ip2.Ipv6.s6_addr32[0], rule->s_ip2.Ipv6.s6_addr32[1], + rule->s_ip2.Ipv6.s6_addr32[2], rule->s_ip2.Ipv6.s6_addr32[3]); + } + + } else if (g_strcmp0(key, RULE_DIP1) == 0) { + guint str_length; + const gchar *str = g_variant_get_string(value, &str_length); + if (rule->family == STC_FW_FAMILY_V4) { + inet_pton(AF_INET, str, &(rule->d_ip1.Ipv4)); + STC_LOGD("%s: [%08x]", RULE_DIP1, rule->d_ip1.Ipv4.s_addr); + } else if (rule->family == STC_FW_FAMILY_V6) { + inet_pton(AF_INET6, str, &(rule->d_ip1.Ipv6)); + STC_LOGD("%s: [%08x:%08x:%08x:%08x]", RULE_DIP1, + rule->d_ip1.Ipv6.s6_addr32[0], rule->d_ip1.Ipv6.s6_addr32[1], + rule->d_ip1.Ipv6.s6_addr32[2], rule->d_ip1.Ipv6.s6_addr32[3]); + } + + } else if (g_strcmp0(key, RULE_DIP2) == 0) { + guint str_length; + const gchar *str = g_variant_get_string(value, &str_length); + if (rule->family == STC_FW_FAMILY_V4) { + inet_pton(AF_INET, str, &(rule->d_ip2.Ipv4)); + STC_LOGD("%s: [%08x]", RULE_DIP2, rule->d_ip2.Ipv4.s_addr); + } else if (rule->family == STC_FW_FAMILY_V6) { + inet_pton(AF_INET6, str, &(rule->d_ip2.Ipv6)); + STC_LOGD("%s: [%08x:%08x:%08x:%08x]", RULE_DIP2, + rule->d_ip2.Ipv6.s6_addr32[0], rule->d_ip2.Ipv6.s6_addr32[1], + rule->d_ip2.Ipv6.s6_addr32[2], rule->d_ip2.Ipv6.s6_addr32[3]); + } + + } else if (g_strcmp0(key, RULE_SPORT1) == 0) { + rule->s_port1 = g_variant_get_uint32(value); + STC_LOGD("%s: [%04x]", RULE_SPORT1, rule->s_port1); + + } else if (g_strcmp0(key, RULE_SPORT2) == 0) { + rule->s_port2 = g_variant_get_uint32(value); + STC_LOGD("%s: [%04x]", RULE_SPORT2, rule->s_port2); + + } else if (g_strcmp0(key, RULE_DPORT1) == 0) { + rule->d_port1 = g_variant_get_uint32(value); + STC_LOGD("%s: [%04x]", RULE_DPORT1, rule->d_port1); + + } else if (g_strcmp0(key, RULE_DPORT2) == 0) { + rule->d_port2 = g_variant_get_uint32(value); + STC_LOGD("%s: [%04x]", RULE_DPORT2, rule->d_port2); + + } else if (g_strcmp0(key, RULE_IFNAME) == 0) { + guint str_length; + const gchar *str = g_variant_get_string(value, &str_length); + rule->ifname = g_strdup(str); + STC_LOGD("%s: [%s]", RULE_IFNAME, rule->ifname); + + } else if (g_strcmp0(key, RULE_TARGET) == 0) { + rule->target = g_variant_get_uint16(value); + STC_LOGD("%s: [%u]", RULE_TARGET, rule->target); + + } else if (g_strcmp0(key, RULE_IDENTIFIER) == 0) { + guint str_length; + const gchar *str = g_variant_get_string(value, &str_length); + rule->identifier = g_strdup(str); + STC_LOGD("%s: [%s]", RULE_IDENTIFIER, rule->identifier); + + } else if (g_strcmp0(key, RULE_KEY) == 0) { + rule->key = g_variant_get_uint32(value); + STC_LOGD("%s: [%u]", RULE_KEY, rule->key); + + } else { + STC_LOGD("Unknown rule [%s]", key); + } + + __STC_LOG_FUNC_EXIT__; +} + +gboolean __validate_fw_rule(firewall_rule_s *rule) +{ + __STC_LOG_FUNC_ENTER__; + + if (rule == NULL) { + __STC_LOG_FUNC_EXIT__; + return FALSE; + } + + if (rule->chain == NULL) { + __STC_LOG_FUNC_EXIT__; + return FALSE; + } + + if (rule->direction > STC_FW_DIRECTION_OUT) { + __STC_LOG_FUNC_EXIT__; + return FALSE; + } + + if (rule->s_ip_type > STC_FW_IP_RANGE) { + __STC_LOG_FUNC_EXIT__; + return FALSE; + } + + if (rule->d_ip_type > STC_FW_IP_RANGE) { + __STC_LOG_FUNC_EXIT__; + return FALSE; + } + + if (rule->s_port_type > STC_FW_PORT_RANGE) { + __STC_LOG_FUNC_EXIT__; + return FALSE; + } + + if (rule->d_port_type > STC_FW_PORT_RANGE) { + __STC_LOG_FUNC_EXIT__; + return FALSE; + } + + if (rule->protocol > STC_FW_PROTOCOL_ALL) { + __STC_LOG_FUNC_EXIT__; + return FALSE; + } + + if (rule->family > STC_FW_FAMILY_V6) { + __STC_LOG_FUNC_EXIT__; + return FALSE; + } + + __STC_LOG_FUNC_EXIT__; + return TRUE; +} + +void stc_firewall_init(void) +{ + int ret = STC_ERROR_NONE; + + g_firewalls = g_hash_table_new_full(g_str_hash, + g_str_equal, g_free, __fw_data_free); + + ret = table_firewall_get_lock(LOCK_NAME, &g_lock_state); + if (ret != STC_ERROR_NONE) + table_firewall_insert_lock(LOCK_NAME, FIREWALL_UNLOCKED); + + if (g_lock_state == FIREWALL_UNKONWN) + g_lock_state = FIREWALL_UNLOCKED; + + table_firewall_foreach_chain(__fw_table_chain_info_cb, NULL); + table_firewall_foreach_rule(__fw_table_rule_info_cb, NULL); +} + +void stc_firewall_update(void) +{ + __fw_chain_foreach(__fw_foreach_to_add_chain, NULL); + __fw_chain_foreach(__fw_foreach_to_set_rule_to_chain, NULL); + __fw_chain_foreach(__fw_foreach_to_set_chain, NULL); +} + +void stc_firewall_deinit(void) +{ + if (g_firewalls) { + g_hash_table_destroy(g_firewalls); + g_firewalls = NULL; + } +} + +gboolean handle_firewall_lock(StcFirewall *object, + GDBusMethodInvocation *invocation, + void *user_data) +{ + __STC_LOG_FUNC_ENTER__; + int ret = STC_ERROR_NONE; + + ret = table_firewall_update_lock(LOCK_NAME, FIREWALL_LOCKED); + if (ret != STC_ERROR_NONE) + table_firewall_insert_lock(LOCK_NAME, FIREWALL_LOCKED); + + g_lock_state = FIREWALL_LOCKED; + + STC_DBUS_REPLY_ERROR_NONE(invocation); + __STC_LOG_FUNC_EXIT__; + return TRUE; +} + +gboolean handle_firewall_unlock(StcFirewall *object, + GDBusMethodInvocation *invocation, + void *user_data) +{ + __STC_LOG_FUNC_ENTER__; + int ret = STC_ERROR_NONE; + + ret = table_firewall_update_lock(LOCK_NAME, FIREWALL_UNLOCKED); + if (ret != STC_ERROR_NONE) + table_firewall_insert_lock(LOCK_NAME, FIREWALL_UNLOCKED); + + g_lock_state = FIREWALL_UNLOCKED; + + STC_DBUS_REPLY_ERROR_NONE(invocation); + __STC_LOG_FUNC_EXIT__; + return TRUE; +} + +gboolean handle_firewall_get_lock(StcFirewall *object, + GDBusMethodInvocation *invocation, + void *user_data) +{ + __STC_LOG_FUNC_ENTER__; + int ret = STC_ERROR_NONE; + GVariant *return_parameters = NULL; + + if (g_lock_state == FIREWALL_UNKONWN) { + ret = table_firewall_get_lock(LOCK_NAME, &g_lock_state); + if (ret != STC_ERROR_NONE) + table_firewall_insert_lock(LOCK_NAME, FIREWALL_UNLOCKED); + + if (g_lock_state == FIREWALL_UNKONWN) + g_lock_state = FIREWALL_UNLOCKED; + } + + return_parameters = g_variant_new("(i)", g_lock_state); + STC_DBUS_REPLY(invocation, return_parameters); + __STC_LOG_FUNC_EXIT__; + return TRUE; +} + +gboolean handle_firewall_add_chain(StcFirewall *object, + GDBusMethodInvocation *invocation, + gchar *chain, + void *user_data) +{ + __STC_LOG_FUNC_ENTER__; + firewall_chain_s info; + int ret = STC_ERROR_NONE; + + STC_FIREWALL_CHECK_LOCK_STATE(invocation); + + if (chain == NULL) { + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, + STC_ERROR_INVALID_PARAMETER); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + ret = __fw_chain_add(chain); + if (ret == STC_ERROR_NONE) { + memset(&info, 0, sizeof(firewall_chain_s)); + info.chain = chain; + info.priority = 0; + info.target = STC_FW_CHAIN_TARGET_NONE; + table_firewall_insert_chain(&info); + } else { + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, ret); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + STC_DBUS_REPLY_ERROR_NONE(invocation); + __STC_LOG_FUNC_EXIT__; + return TRUE; +} + +gboolean handle_firewall_remove_chain(StcFirewall *object, + GDBusMethodInvocation *invocation, + gchar *chain, + void *user_data) +{ + __STC_LOG_FUNC_ENTER__; + firewall_chain_s info; + int ret = STC_ERROR_NONE; + + STC_FIREWALL_CHECK_LOCK_STATE(invocation); + + if (chain == NULL) { + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, + STC_ERROR_INVALID_PARAMETER); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + ret = __fw_chain_remove(chain); + if (ret == STC_ERROR_NONE) { + memset(&info, 0, sizeof(firewall_chain_s)); + info.chain = chain; + table_firewall_flush_chain(&info); + table_firewall_delete_chain(&info); + } else { + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, ret); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + STC_DBUS_REPLY_ERROR_NONE(invocation); + __STC_LOG_FUNC_EXIT__; + return TRUE; +} + +gboolean handle_firewall_flush_chain(StcFirewall *object, + GDBusMethodInvocation *invocation, + gchar *chain, + void *user_data) +{ + __STC_LOG_FUNC_ENTER__; + firewall_chain_s info; + int ret = STC_ERROR_NONE; + + STC_FIREWALL_CHECK_LOCK_STATE(invocation); + + if (chain == NULL) { + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, + STC_ERROR_INVALID_PARAMETER); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + ret = __fw_chain_flush(chain); + if (ret == STC_ERROR_NONE) { + memset(&info, 0, sizeof(firewall_chain_s)); + info.chain = chain; + table_firewall_flush_chain(&info); + } else { + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, ret); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + STC_DBUS_REPLY_ERROR_NONE(invocation); + __STC_LOG_FUNC_EXIT__; + return TRUE; +} + +gboolean handle_firewall_get_all_chain(StcFirewall *object, + GDBusMethodInvocation *invocation, + void *user_data) +{ + __STC_LOG_FUNC_ENTER__; + GVariantBuilder *builder = NULL; + GVariant *return_parameters = NULL; + + STC_FIREWALL_CHECK_LOCK_STATE(invocation); + + builder = g_variant_builder_new(G_VARIANT_TYPE("aa{sv}")); + + __fw_chain_foreach(__fw_chain_make_params, builder); + + return_parameters = g_variant_new("(aa{sv})", builder); + g_variant_builder_unref(builder); + + DEBUG_GDBUS_VARIANT("Return parameters: ", return_parameters); + STC_DBUS_REPLY(invocation, return_parameters); + __STC_LOG_FUNC_EXIT__; + return TRUE; +} + +gboolean handle_firewall_set_chain(StcFirewall *object, + GDBusMethodInvocation *invocation, + gchar *chain, + unsigned int target, + void *user_data) +{ + __STC_LOG_FUNC_ENTER__; + stc_fw_data_s *lookup = NULL; + stc_fw_data_s data; + firewall_chain_s info; + uint priority; + int ret = STC_ERROR_NONE; + + STC_FIREWALL_CHECK_LOCK_STATE(invocation); + + if (chain == NULL || + target > STC_FW_CHAIN_TARGET_OUTPUT) { + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, + STC_ERROR_INVALID_PARAMETER); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + lookup = __fw_chain_get(chain); + if (lookup == NULL) { + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, + STC_ERROR_NO_DATA); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + if (lookup->target != STC_FW_CHAIN_TARGET_NONE) { + STC_LOGE("chain is already set"); + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, + STC_ERROR_INVALID_PARAMETER); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + /* stc-iptables */ + memset(&info, 0, sizeof(firewall_chain_s)); + info.chain = chain; + info.target = target; + + ret = firewall_chain_add(&info); + if (ret != STC_ERROR_NONE) { + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, ret); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + __fw_chain_foreach(__fw_foreach_to_set_rule_to_chain, chain); + + ret = firewall_chain_set(&info); + if (ret != STC_ERROR_NONE) { + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, ret); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + /* stc-iptables */ + + priority = g_chain_priority + 1; + + memset(&data, 0, sizeof(stc_fw_data_s)); + data.target = target; + data.priority = priority; + + ret = __fw_chain_set(chain, data); + if (ret == STC_ERROR_NONE) { + info.priority = priority; + table_firewall_update_chain(&info); + g_chain_priority = priority; + } else { + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, ret); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + STC_DBUS_REPLY_ERROR_NONE(invocation); + __STC_LOG_FUNC_EXIT__; + return TRUE; +} + +gboolean handle_firewall_unset_chain(StcFirewall *object, + GDBusMethodInvocation *invocation, + gchar *chain, + void *user_data) +{ + __STC_LOG_FUNC_ENTER__; + stc_fw_data_s *lookup = NULL; + firewall_chain_s info; + int ret = STC_ERROR_NONE; + + STC_FIREWALL_CHECK_LOCK_STATE(invocation); + + if (chain == NULL) { + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, + STC_ERROR_INVALID_PARAMETER); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + lookup = __fw_chain_get(chain); + if (lookup == NULL) { + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, + STC_ERROR_NO_DATA); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + if (lookup->target == STC_FW_CHAIN_TARGET_NONE) { + STC_LOGE("chain is not set"); + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, + STC_ERROR_INVALID_PARAMETER); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + /* stc-iptables */ + memset(&info, 0, sizeof(firewall_chain_s)); + info.chain = chain; + info.target = lookup->target; + + ret = firewall_chain_unset(&info); + if (ret != STC_ERROR_NONE) { + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, ret); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + ret = firewall_chain_remove(&info); + if (ret != STC_ERROR_NONE) { + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, ret); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + /* stc-iptables */ + + ret = __fw_chain_unset(chain); + if (ret == STC_ERROR_NONE) { + info.target = STC_FW_CHAIN_TARGET_NONE; + info.priority = 0; + table_firewall_update_chain(&info); + } else { + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, ret); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + STC_DBUS_REPLY_ERROR_NONE(invocation); + __STC_LOG_FUNC_EXIT__; + return TRUE; +} + +gboolean handle_firewall_add_rule(StcFirewall *object, + GDBusMethodInvocation *invocation, + GVariant *parameters, + void *user_data) +{ + __STC_LOG_FUNC_ENTER__; + GVariantIter *iter = NULL; + firewall_rule_s *rule; + int ret = STC_ERROR_NONE; + + STC_FIREWALL_CHECK_LOCK_STATE(invocation); + + rule = MALLOC0(firewall_rule_s, 1); + if (!rule) { + STC_LOGE("rule allocation failed"); + return STC_ERROR_OUT_OF_MEMORY; + } + + memset(rule, 0, sizeof(firewall_rule_s)); + + g_variant_get(parameters, "a{sv}", &iter); + if (iter != NULL) { + stc_manager_gdbus_dict_foreach(iter, + __fw_rule_extract, + rule); + g_variant_iter_free(iter); + } + + if (__validate_fw_rule(rule) == FALSE) { + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, + STC_ERROR_INVALID_PARAMETER); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + ret = __fw_rule_add(rule); + if (ret == STC_ERROR_NONE) { + table_firewall_insert_rule(rule); + } else { + __fw_rule_free(rule); + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, ret); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + __fw_rule_free(rule); + STC_DBUS_REPLY_ERROR_NONE(invocation); + __STC_LOG_FUNC_EXIT__; + return TRUE; +} + +gboolean handle_firewall_remove_rule(StcFirewall *object, + GDBusMethodInvocation *invocation, + GVariant *parameters, + void *user_data) +{ + __STC_LOG_FUNC_ENTER__; + GVariantIter *iter = NULL; + firewall_rule_s *rule; + int ret = STC_ERROR_NONE; + + STC_FIREWALL_CHECK_LOCK_STATE(invocation); + + rule = MALLOC0(firewall_rule_s, 1); + if (!rule) { + STC_LOGE("rule allocation failed"); + return STC_ERROR_OUT_OF_MEMORY; + } + + memset(rule, 0, sizeof(firewall_rule_s)); + + g_variant_get(parameters, "a{sv}", &iter); + if (iter != NULL) { + stc_manager_gdbus_dict_foreach(iter, + __fw_rule_extract, + rule); + g_variant_iter_free(iter); + } + + if (__validate_fw_rule(rule) == FALSE) { + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, + STC_ERROR_INVALID_PARAMETER); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + ret = __fw_rule_remove(rule); + if (ret == STC_ERROR_NONE) { + table_firewall_delete_rule(rule); + } else { + __fw_rule_free(rule); + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, ret); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + __fw_rule_free(rule); + STC_DBUS_REPLY_ERROR_NONE(invocation); + __STC_LOG_FUNC_EXIT__; + return TRUE; +} + +gboolean handle_firewall_update_rule(StcFirewall *object, + GDBusMethodInvocation *invocation, + GVariant *parameters, + void *user_data) +{ + __STC_LOG_FUNC_ENTER__; + GVariantIter *iter = NULL; + firewall_rule_s *rule; + int ret = STC_ERROR_NONE; + + STC_FIREWALL_CHECK_LOCK_STATE(invocation); + + rule = MALLOC0(firewall_rule_s, 1); + if (!rule) { + STC_LOGE("rule allocation failed"); + return STC_ERROR_OUT_OF_MEMORY; + } + + memset(rule, 0, sizeof(firewall_rule_s)); + + g_variant_get(parameters, "a{sv}", &iter); + if (iter != NULL) { + stc_manager_gdbus_dict_foreach(iter, + __fw_rule_extract, + rule); + g_variant_iter_free(iter); + } + + if (__validate_fw_rule(rule) == FALSE) { + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, + STC_ERROR_INVALID_PARAMETER); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + ret = __fw_rule_update(rule); + if (ret == STC_ERROR_NONE) { + table_firewall_update_rule(rule); + } else { + __fw_rule_free(rule); + STC_FIREWALL_DBUS_REPLY_ERROR(invocation, ret); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + __fw_rule_free(rule); + STC_DBUS_REPLY_ERROR_NONE(invocation); + __STC_LOG_FUNC_EXIT__; + return TRUE; +} + +gboolean handle_firewall_get_all_rule(StcFirewall *object, + GDBusMethodInvocation *invocation, + void *user_data) +{ + __STC_LOG_FUNC_ENTER__; + GVariantBuilder *builder = NULL; + GVariant *return_parameters = NULL; + + STC_FIREWALL_CHECK_LOCK_STATE(invocation); + + builder = g_variant_builder_new(G_VARIANT_TYPE("aa{sv}")); + + __fw_chain_foreach(__fw_foreach_to_make_rule_param, builder); + + return_parameters = g_variant_new("(aa{sv})", builder); + g_variant_builder_unref(builder); + + DEBUG_GDBUS_VARIANT("Return parameters: ", return_parameters); + STC_DBUS_REPLY(invocation, return_parameters); + __STC_LOG_FUNC_EXIT__; + return TRUE; +} diff --git a/src/stc-manager-gdbus.c b/src/stc-manager-gdbus.c index a321a4c..75b93b1 100755 --- a/src/stc-manager-gdbus.c +++ b/src/stc-manager-gdbus.c @@ -18,6 +18,7 @@ #include "stc-manager.h" #include "stc-statistics.h" #include "stc-restriction.h" +#include "stc-firewall.h" #include "stc-default-connection.h" #include "stc-manager-plugin-appstatus.h" #include "stc-manager-plugin-procfs.h" @@ -130,6 +131,89 @@ static gboolean __stc_manager_gdbus_restriction_init(stc_s *stc) return ret; } +static gboolean __stc_manager_gdbus_firewall_init(stc_s *stc) +{ + __STC_LOG_FUNC_ENTER__; + gboolean ret = TRUE; + gchar *s = NULL; + + StcObjectSkeleton *object = NULL; + StcFirewall *firewall = NULL; + s = g_strdup_printf(STC_DBUS_SERVICE_FIREWALL_PATH); + + /* Add interface to default object path */ + object = stc_object_skeleton_new(s); + g_free(s); + + firewall = stc_firewall_skeleton_new(); + stc_object_skeleton_set_firewall(object, firewall); + g_object_unref(firewall); + + /* Register for method callbacks as signal callbacks */ + + g_signal_connect(firewall, "handle-lock", + G_CALLBACK(handle_firewall_lock), + stc); + + g_signal_connect(firewall, "handle-unlock", + G_CALLBACK(handle_firewall_unlock), + stc); + + g_signal_connect(firewall, "handle-get-lock", + G_CALLBACK(handle_firewall_get_lock), + stc); + + g_signal_connect(firewall, "handle-add-chain", + G_CALLBACK(handle_firewall_add_chain), + stc); + + g_signal_connect(firewall, "handle-remove-chain", + G_CALLBACK(handle_firewall_remove_chain), + stc); + + g_signal_connect(firewall, "handle-flush-chain", + G_CALLBACK(handle_firewall_flush_chain), + stc); + + g_signal_connect(firewall, "handle-get-all-chain", + G_CALLBACK(handle_firewall_get_all_chain), + stc); + + g_signal_connect(firewall, "handle-set-chain", + G_CALLBACK(handle_firewall_set_chain), + stc); + + g_signal_connect(firewall, "handle-unset-chain", + G_CALLBACK(handle_firewall_unset_chain), + stc); + + g_signal_connect(firewall, "handle-add-rule", + G_CALLBACK(handle_firewall_add_rule), + stc); + + g_signal_connect(firewall, "handle-remove-rule", + G_CALLBACK(handle_firewall_remove_rule), + stc); + + g_signal_connect(firewall, "handle-update-rule", + G_CALLBACK(handle_firewall_update_rule), + stc); + + g_signal_connect(firewall, "handle-get-all-rule", + G_CALLBACK(handle_firewall_get_all_rule), + stc); + + /* Export the object (@manager takes its own reference to @object) */ + g_dbus_object_manager_server_export(stc->obj_mgr, + G_DBUS_OBJECT_SKELETON(object)); + g_object_unref(object); + + stc->firewall_obj = (gpointer)firewall; + + __STC_LOG_FUNC_EXIT__; + return ret; +} + static gboolean __stc_manager_gdbus_manager_init(stc_s *stc) { __STC_LOG_FUNC_ENTER__; @@ -184,6 +268,11 @@ static void __stc_manager_gdbus_on_bus_acquired(GDBusConnection *connection, /* Deinitialize and quit manager */ } + if (__stc_manager_gdbus_firewall_init(stc) == FALSE) { + STC_LOGE("Cannot signal connect to firewall"); //LCOV_EXCL_LINE + /* Deinitialize and quit manager */ + } + if (__stc_manager_gdbus_manager_init(stc) == FALSE) { STC_LOGE("Cannot signal connect to manager"); //LCOV_EXCL_LINE /* Deinitialize and quit manager */ @@ -246,6 +335,7 @@ void stc_manager_gdbus_deinit(gpointer stc_data) stc->statistics_obj = NULL; stc->restriction_obj = NULL; + stc->firewall_obj = NULL; stc->manager_obj = NULL; __STC_LOG_FUNC_EXIT__; } diff --git a/src/stc-manager.c b/src/stc-manager.c index 8317d4f..0da9bf4 100755 --- a/src/stc-manager.c +++ b/src/stc-manager.c @@ -25,6 +25,7 @@ #include "helper-nfacct-rule.h" #include "helper-iptables.h" #include "stc-monitor.h" +#include "stc-firewall.h" #include "stc-manager-plugin-appstatus.h" #include "stc-manager-plugin-exception.h" #include "stc-manager-plugin-procfs.h" @@ -65,6 +66,8 @@ static void __stc_manager_deinit(void) stc_manager_gdbus_deinit((gpointer)g_stc); + stc_firewall_deinit(); + stc_plugin_appstatus_deinit(); stc_plugin_exception_deinit(); stc_plugin_procfs_deinit(); @@ -97,6 +100,8 @@ static stc_s *__stc_manager_init(void) stc_plugin_exception_init(); stc_plugin_procfs_init(); + stc_firewall_init(); + err = stc_monitor_init(); if (err != STC_ERROR_NONE) goto handle_error; diff --git a/src/stc-restriction.c b/src/stc-restriction.c index cb3a382..e39575a 100755 --- a/src/stc-restriction.c +++ b/src/stc-restriction.c @@ -34,7 +34,9 @@ static const gchar *stc_err_strs[] = { "OUT_OF_MEMORY", "INVALID_PARAMETER", "NO_DATA", + "ALREADY_DATA", "UNINITIALIZED", + "PERMISSION_DENIED", "NOTIMPL" }; diff --git a/src/stc-statistics.c b/src/stc-statistics.c index 70cf48c..f2ff8e9 100755 --- a/src/stc-statistics.c +++ b/src/stc-statistics.c @@ -21,9 +21,6 @@ #define STATISTICS_DBUS_ERROR_NAME "net.stc.statistics.Error.Failed" -#define STC_DBUS_REPLY(invocation, parameters) \ - g_dbus_method_invocation_return_value((invocation), parameters); - #define STC_STATISTICS_DBUS_REPLY_ERROR(invocation, err_num) \ g_dbus_method_invocation_return_dbus_error((invocation), \ STATISTICS_DBUS_ERROR_NAME, \ @@ -36,7 +33,9 @@ static const gchar *stc_err_strs[] = { "OUT_OF_MEMORY", "INVALID_PARAMETER", "NO_DATA", + "ALREADY_DATA", "UNINITIALIZED", + "PERMISSION_DENIED", "NOTIMPL" }; -- 2.7.4 From d57d0ad0edf5d766390dd7b8e59f1f75f48a00f9 Mon Sep 17 00:00:00 2001 From: hyunuktak Date: Thu, 12 Apr 2018 15:36:05 +0900 Subject: [PATCH 03/16] Added dbus method to commit iptables Change-Id: I20c7623d92421a7d04c23e9a96ebc6708340f047 Signed-off-by: hyunuktak --- include/stc-manager-gdbus.h | 5 +++ include/stc-manager.h | 6 ++++ interfaces/stcmanager-iface-manager.xml | 6 ++++ packaging/stc-manager.spec | 2 +- src/stc-manager-gdbus.c | 57 +++++++++++++++++++++++++++++ src/stc-manager.c | 63 +++++++++++++++++++++++++++++++++ 6 files changed, 138 insertions(+), 1 deletion(-) diff --git a/include/stc-manager-gdbus.h b/include/stc-manager-gdbus.h index 4b6a50f..b422b62 100755 --- a/include/stc-manager-gdbus.h +++ b/include/stc-manager-gdbus.h @@ -83,4 +83,9 @@ gboolean stc_manager_dbus_emit_signal(GDBusConnection *connection, gboolean handle_manager_stop(StcManager *object, GDBusMethodInvocation *invocation); +gboolean handle_manager_commit_iptables(StcManager *object, + GDBusMethodInvocation *invocation, + const gchar *option, + void *user_data); + #endif /* __STC_MANAGER_GDBUS_H__ */ diff --git a/include/stc-manager.h b/include/stc-manager.h index c6a8f8e..e084037 100755 --- a/include/stc-manager.h +++ b/include/stc-manager.h @@ -31,6 +31,11 @@ #define STC_TOTAL_IPV4 "TOTAL_IPV4" #define STC_TOTAL_IPV6 "TOTAL_IPV6" +#define STC_IPTABLES "/usr/sbin/iptables" +#define STC_IP6TABLES "/usr/sbin/ip6tables" + +#define STC_CMD_SIZE 256 + #define STC_DEBUG_LOG (stc_util_get_debuglog()) typedef enum { @@ -236,5 +241,6 @@ typedef struct { stc_s *stc_get_manager(void); void stc_stop_manager(void); +int stc_commit_iptables(char *cmd, int *err_num, char **err_str); #endif /* __STC_MANAGER__ */ diff --git a/interfaces/stcmanager-iface-manager.xml b/interfaces/stcmanager-iface-manager.xml index f5a9167..33697b4 100644 --- a/interfaces/stcmanager-iface-manager.xml +++ b/interfaces/stcmanager-iface-manager.xml @@ -3,5 +3,11 @@ + + + + + + diff --git a/packaging/stc-manager.spec b/packaging/stc-manager.spec index 6dca357..6ce22de 100644 --- a/packaging/stc-manager.spec +++ b/packaging/stc-manager.spec @@ -1,6 +1,6 @@ Name: stc-manager Summary: STC(Smart Traffic Control) manager -Version: 0.0.55 +Version: 0.0.56 Release: 0 Group: Network & Connectivity/Other License: Apache-2.0 diff --git a/src/stc-manager-gdbus.c b/src/stc-manager-gdbus.c index 75b93b1..2abe2c1 100755 --- a/src/stc-manager-gdbus.c +++ b/src/stc-manager-gdbus.c @@ -20,10 +20,31 @@ #include "stc-restriction.h" #include "stc-firewall.h" #include "stc-default-connection.h" +#include "stc-manager-util.h" #include "stc-manager-plugin-appstatus.h" #include "stc-manager-plugin-procfs.h" #include "helper-iptables.h" +#define MANAGER_DBUS_ERROR_NAME "net.stc.manager.Error.Failed" + +#define STC_MANAGER_DBUS_REPLY_ERROR(invocation, err_num) \ + g_dbus_method_invocation_return_dbus_error((invocation), \ + MANAGER_DBUS_ERROR_NAME, \ + stc_err_strs[-(err_num)]) + +static const gchar *stc_err_strs[] = { + "ERROR_NONE", + "FAIL", + "DB_FAILED", + "OUT_OF_MEMORY", + "INVALID_PARAMETER", + "NO_DATA", + "ALREADY_DATA", + "UNINITIALIZED", + "PERMISSION_DENIED", + "NOTIMPL" +}; + static gboolean __stc_manager_gdbus_statistics_init(stc_s *stc) { __STC_LOG_FUNC_ENTER__; @@ -234,6 +255,9 @@ static gboolean __stc_manager_gdbus_manager_init(stc_s *stc) g_signal_connect(manager, "handle-stop", G_CALLBACK(handle_manager_stop), stc); + g_signal_connect(manager, "handle-commit-iptables", + G_CALLBACK(handle_manager_commit_iptables), stc); + g_dbus_object_manager_server_export(stc->obj_mgr, G_DBUS_OBJECT_SKELETON(object)); g_object_unref(object); @@ -494,3 +518,36 @@ gboolean handle_manager_stop(StcManager *object, __STC_LOG_FUNC_EXIT__; return TRUE; } + +gboolean handle_manager_commit_iptables(StcManager *object, + GDBusMethodInvocation *invocation, + const gchar *option, + void *user_data) +{ + __STC_LOG_FUNC_ENTER__; + GVariant *return_parameters = NULL; + int ret = STC_ERROR_NONE; + int err_num = 0; + char *err_str = NULL; + char cmd[STC_CMD_SIZE] = { 0, }; + + if (option == NULL) { + STC_MANAGER_DBUS_REPLY_ERROR(invocation, + STC_ERROR_INVALID_PARAMETER); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + STC_LOGD("[%s]", option); + g_snprintf(cmd, STC_CMD_SIZE, "%s %s", STC_IPTABLES, option); + + ret = stc_commit_iptables(cmd, &err_num, &err_str); + + return_parameters = g_variant_new("(iis)", ret, err_num, err_str); + + DEBUG_GDBUS_VARIANT("Return parameters: ", return_parameters); + STC_DBUS_REPLY(invocation, return_parameters); + + __STC_LOG_FUNC_EXIT__; + return TRUE; +} diff --git a/src/stc-manager.c b/src/stc-manager.c index 0da9bf4..799839e 100755 --- a/src/stc-manager.c +++ b/src/stc-manager.c @@ -15,6 +15,8 @@ */ #include +#include +#include #include "stc-manager.h" #include "stc-emulator.h" #include "stc-manager-gdbus.h" @@ -30,6 +32,8 @@ #include "stc-manager-plugin-exception.h" #include "stc-manager-plugin-procfs.h" +#define BUF_SIZE_FOR_ERR 100 + static stc_s *g_stc = NULL; /* @@ -129,6 +133,65 @@ void stc_stop_manager(void) g_main_loop_quit(g_stc->main_loop); } +int stc_commit_iptables(char *cmd, int *err_num, char **err_str) +{ + pid_t pid = 0; + int status = 0; + int ret = 0; + char err_buf[BUF_SIZE_FOR_ERR] = { 0, }; + gchar **args = NULL; + + if (cmd == NULL) { + STC_LOGE("Invalid arguments"); + return STC_ERROR_INVALID_PARAMETER; + } + + args = g_strsplit_set(cmd, " ", -1); + + errno = 0; + pid = fork(); + + if (pid == 0) { + errno = 0; + if (execv(args[0], args) == -1) { + STC_LOGE("Failed to execute [%s]", err_str); + g_strfreev(args); + exit(-1); + } + } else if (pid > 0) { + if (waitpid(pid, &status, 0) == -1) + STC_LOGD("wait pid [%u] status [%d] ", pid, status); + + if (WIFEXITED(status)) { + ret = WEXITSTATUS(status); + STC_LOGD("exited, status [%d]", status); + } else if (WIFSIGNALED(status)) { + STC_LOGD("killed by signal [%d]", WTERMSIG(status)); + } else if (WIFSTOPPED(status)) { + STC_LOGD("stopped by signal [%d]", WSTOPSIG(status)); + } else if (WIFCONTINUED(status)) { + STC_LOGD("continued"); + } + + *err_num = ret; + *err_str = strerror_r(ret, err_buf, BUF_SIZE_FOR_ERR); + STC_LOGD("return err_num [%d] err_str [%s]", *err_num, *err_str); + + g_strfreev(args); + if (ret == 0) + return STC_ERROR_NONE; + else + return STC_ERROR_FAIL; + } + + *err_num = errno; + *err_str = strerror_r(errno, err_buf, BUF_SIZE_FOR_ERR); + STC_LOGD("Failed to fork [%d:%s]", *err_num, *err_str); + + g_strfreev(args); + return STC_ERROR_FAIL; +} + gint32 main(gint32 argc, gchar *argv[]) { GMainLoop *main_loop = NULL; -- 2.7.4 From ad1f412253fd6206aa1bd9ccb8f2a63c6e12365f Mon Sep 17 00:00:00 2001 From: hyunuktak Date: Wed, 18 Apr 2018 14:43:53 +0900 Subject: [PATCH 04/16] Fixed dbus/cynara policy Change-Id: I6949b1926c998302975eb21fe05270221ef21b88 Signed-off-by: hyunuktak --- packaging/stc-manager.spec | 2 +- resources/dbus/stc-manager.conf | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/packaging/stc-manager.spec b/packaging/stc-manager.spec index 6ce22de..3242bd4 100644 --- a/packaging/stc-manager.spec +++ b/packaging/stc-manager.spec @@ -1,6 +1,6 @@ Name: stc-manager Summary: STC(Smart Traffic Control) manager -Version: 0.0.56 +Version: 0.0.57 Release: 0 Group: Network & Connectivity/Other License: Apache-2.0 diff --git a/resources/dbus/stc-manager.conf b/resources/dbus/stc-manager.conf index 385ce13..9143506 100755 --- a/resources/dbus/stc-manager.conf +++ b/resources/dbus/stc-manager.conf @@ -4,12 +4,15 @@ - - + + + + + -- 2.7.4 From 3937fa06fa5d18d697e25e9ec71a06cf6fb782c3 Mon Sep 17 00:00:00 2001 From: hyunuktak Date: Thu, 19 Apr 2018 11:15:31 +0900 Subject: [PATCH 05/16] Fixed coverity issues for resource leak Change-Id: Ic47d2c90497432236c69595b3d0b20a8bbce5a96 Signed-off-by: hyunuktak --- src/stc-firewall.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/stc-firewall.c b/src/stc-firewall.c index b0a66bb..236169b 100755 --- a/src/stc-firewall.c +++ b/src/stc-firewall.c @@ -1403,6 +1403,7 @@ gboolean handle_firewall_add_rule(StcFirewall *object, } if (__validate_fw_rule(rule) == FALSE) { + __fw_rule_free(rule); STC_FIREWALL_DBUS_REPLY_ERROR(invocation, STC_ERROR_INVALID_PARAMETER); __STC_LOG_FUNC_EXIT__; @@ -1454,6 +1455,7 @@ gboolean handle_firewall_remove_rule(StcFirewall *object, } if (__validate_fw_rule(rule) == FALSE) { + __fw_rule_free(rule); STC_FIREWALL_DBUS_REPLY_ERROR(invocation, STC_ERROR_INVALID_PARAMETER); __STC_LOG_FUNC_EXIT__; @@ -1505,6 +1507,7 @@ gboolean handle_firewall_update_rule(StcFirewall *object, } if (__validate_fw_rule(rule) == FALSE) { + __fw_rule_free(rule); STC_FIREWALL_DBUS_REPLY_ERROR(invocation, STC_ERROR_INVALID_PARAMETER); __STC_LOG_FUNC_EXIT__; -- 2.7.4 From 8d39291058bd5e6c9c40fb81a7e51f75b7a091ca Mon Sep 17 00:00:00 2001 From: hyunuktak Date: Fri, 20 Apr 2018 13:55:23 +0900 Subject: [PATCH 06/16] Set debug log state in procfs Change-Id: Ie87afa1d649a3a4f4a029d5b76a3737eb1600afc Signed-off-by: hyunuktak --- plugin/procfs/stc-plugin-procfs.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/plugin/procfs/stc-plugin-procfs.c b/plugin/procfs/stc-plugin-procfs.c index 28c5c9f..df69301 100755 --- a/plugin/procfs/stc-plugin-procfs.c +++ b/plugin/procfs/stc-plugin-procfs.c @@ -166,8 +166,9 @@ static void __proc_tree_add(proc_key_s *key, return; } - STC_LOGD("cmdline [%s] pid[%s] ppid[%s]", value->cmdline, - value->status[PROC_STATUS_PID], value->status[PROC_STATUS_PPID]); + if (STC_DEBUG_LOG) + STC_LOGD("cmdline [%s] pid[%s] ppid[%s]", value->cmdline, + value->status[PROC_STATUS_PID], value->status[PROC_STATUS_PPID]); g_tree_insert(proc_tree, key, value); @@ -552,7 +553,7 @@ stc_error_e stc_plugin_procfs_status_changed(stc_cmd_type_e cmd, { stc_error_e ret = STC_ERROR_NONE; - if (pkg_id && app_id) + if ((pkg_id && app_id) && STC_DEBUG_LOG) STC_LOGD("cmd [%d] pkgid [%s] appid [%s] pid[%d] type [%d]", cmd, pkg_id, app_id, pid, app_type); -- 2.7.4 From a7c17169d5077788c3ce785cc144f827742642cb Mon Sep 17 00:00:00 2001 From: hyunuktak Date: Wed, 2 May 2018 15:28:54 +0900 Subject: [PATCH 07/16] Replaced type from state for restriction Change-Id: Ib2575dc03a4447a4dd1878625580f353b474c927 Signed-off-by: hyunuktak --- data/traffic_db.sql | 2 +- include/stc-manager.h | 14 +++--- include/stc-restriction.h | 12 ++--- interfaces/stcmanager-iface-firewall.xml | 1 + interfaces/stcmanager-iface-restriction.xml | 4 +- packaging/stc-manager.spec | 2 +- plugin/appstatus/stc-plugin-appstatus.c | 1 - src/database/include/table-restrictions.h | 10 ++-- src/database/tables/table-restrictions.c | 74 ++++++++++++++--------------- src/helper/helper-nfacct-rule.h | 4 +- src/monitor/include/stc-monitor.h | 4 +- src/monitor/stc-monitor.c | 44 ++++++++--------- src/stc-manager-gdbus.c | 4 +- src/stc-restriction.c | 22 ++++----- 14 files changed, 99 insertions(+), 99 deletions(-) diff --git a/data/traffic_db.sql b/data/traffic_db.sql index c305dbd..1444598 100644 --- a/data/traffic_db.sql +++ b/data/traffic_db.sql @@ -20,7 +20,7 @@ CREATE TABLE IF NOT EXISTS restrictions ( binpath TEXT, iftype INT, ifname TEXT, - rst_type INT, + rstn_type INT, roaming INT, subscriber_id TEXT NOT NULL, data_limit BIGINT, diff --git a/include/stc-manager.h b/include/stc-manager.h index e084037..f3cee74 100755 --- a/include/stc-manager.h +++ b/include/stc-manager.h @@ -131,19 +131,19 @@ typedef enum { * @brief Network restriction states */ typedef enum { - STC_RESTRICTION_UNKNOWN, - STC_RESTRICTION_ACTIVATED, /**< restriction has been activated */ - STC_RESTRICTION_DEACTIVATED, /**< restriction has been deactivated */ - STC_RESTRICTION_LAST_ELEM -} stc_restriction_state_e; + STC_RSTN_STATE_UNKNOWN, + STC_RSTN_STATE_ACTIVATED, + STC_RSTN_STATE_DEACTIVATED, + STC_RSTN_STATE_LAST_ELEM +} stc_rstn_state_e; /** * @brief Network restriction types */ typedef enum { STC_RSTN_TYPE_UNKNOWN, - STC_RSTN_TYPE_EXCLUDED, /**< exclusion */ - STC_RSTN_TYPE_BLOCKED, /**< block */ + STC_RSTN_TYPE_ACCEPT, + STC_RSTN_TYPE_DROP, STC_RSTN_TYPE_LAST_ELEM } stc_rstn_type_e; diff --git a/include/stc-restriction.h b/include/stc-restriction.h index e804e0f..9fcc7e3 100755 --- a/include/stc-restriction.h +++ b/include/stc-restriction.h @@ -52,6 +52,11 @@ gboolean handle_restriction_exclude(StcRestriction *object, GVariant *parameters, void *user_data); +gboolean handle_restriction_unset(StcRestriction *object, + GDBusMethodInvocation *invocation, + GVariant *parameters, + void *user_data); + gboolean handle_restriction_get(StcRestriction *object, GDBusMethodInvocation *invocation, const gchar *app_id, @@ -61,15 +66,10 @@ gboolean handle_restriction_get_all(StcRestriction *object, GDBusMethodInvocation *invocation, void *user_data); -gboolean handle_restriction_get_state(StcRestriction *object, +gboolean handle_restriction_get_type(StcRestriction *object, GDBusMethodInvocation *invocation, const gchar *app_id, int iftype, void *user_data); -gboolean handle_restriction_unset(StcRestriction *object, - GDBusMethodInvocation *invocation, - GVariant *parameters, - void *user_data); - #endif /* __STC_RESTRICTION_H__ */ diff --git a/interfaces/stcmanager-iface-firewall.xml b/interfaces/stcmanager-iface-firewall.xml index d5817cf..d74a7a4 100644 --- a/interfaces/stcmanager-iface-firewall.xml +++ b/interfaces/stcmanager-iface-firewall.xml @@ -6,6 +6,7 @@ + diff --git a/interfaces/stcmanager-iface-restriction.xml b/interfaces/stcmanager-iface-restriction.xml index 93b81af..3ecc542 100644 --- a/interfaces/stcmanager-iface-restriction.xml +++ b/interfaces/stcmanager-iface-restriction.xml @@ -21,11 +21,11 @@ - + - + diff --git a/packaging/stc-manager.spec b/packaging/stc-manager.spec index 3242bd4..afafa95 100644 --- a/packaging/stc-manager.spec +++ b/packaging/stc-manager.spec @@ -1,6 +1,6 @@ Name: stc-manager Summary: STC(Smart Traffic Control) manager -Version: 0.0.57 +Version: 0.0.58 Release: 0 Group: Network & Connectivity/Other License: Apache-2.0 diff --git a/plugin/appstatus/stc-plugin-appstatus.c b/plugin/appstatus/stc-plugin-appstatus.c index fb85dea..d9764b4 100755 --- a/plugin/appstatus/stc-plugin-appstatus.c +++ b/plugin/appstatus/stc-plugin-appstatus.c @@ -124,7 +124,6 @@ signal_map_s signal_map[] = { } }; - static stc_error_e __ground_status_monitor_init(stc_s *stc) { guint i = 0; diff --git a/src/database/include/table-restrictions.h b/src/database/include/table-restrictions.h index e006bdc..77793d1 100755 --- a/src/database/include/table-restrictions.h +++ b/src/database/include/table-restrictions.h @@ -22,7 +22,7 @@ typedef struct { char *ifname; char *subscriber_id; stc_iface_type_e iftype; - stc_rstn_type_e rst_type; + stc_rstn_type_e rstn_type; stc_roaming_type_e roaming; int64_t data_limit; int64_t data_warn_limit; @@ -41,14 +41,14 @@ stc_error_e table_restrictions_per_app(const gchar *app_id, void *user_data); -stc_error_e table_restrictions_get_restriction_state_subscriber_id(const char *app_id, +stc_error_e table_restrictions_get_restriction_type_subscriber_id(const char *app_id, stc_iface_type_e iftype, const char *subscriber_id, - stc_restriction_state_e *state); + stc_rstn_type_e *type); -stc_error_e table_restrictions_get_restriction_state(const char *app_id, +stc_error_e table_restrictions_get_restriction_type(const char *app_id, stc_iface_type_e iftype, - stc_restriction_state_e *state); + stc_rstn_type_e *type); stc_error_e table_restrictions_update(table_restrictions_info *info); diff --git a/src/database/tables/table-restrictions.c b/src/database/tables/table-restrictions.c index 8452926..5c7e4ee 100755 --- a/src/database/tables/table-restrictions.c +++ b/src/database/tables/table-restrictions.c @@ -30,20 +30,20 @@ /* SELECT statements */ #define SELECT_RESTRICTIONS "SELECT binpath, data_limit, " \ - " iftype, rst_type, roaming, ifname, subscriber_id, " \ + " iftype, rstn_type, roaming, ifname, subscriber_id, " \ " data_warn_limit, restriction_id FROM restrictions" #define SELECT_RESTRICTIONS_PER_APP "SELECT binpath, data_limit, " \ - " iftype, rst_type, roaming, ifname, subscriber_id, " \ + " iftype, rstn_type, roaming, ifname, subscriber_id, " \ " data_warn_limit, restriction_id " \ " FROM restrictions INDEXED BY restrictions_index " \ " WHERE binpath = ?" -#define SELECT_RESTRICTION_STATE "SELECT rst_type " \ +#define SELECT_RESTRICTION_TYPE "SELECT rstn_type " \ " FROM restrictions INDEXED BY restrictions_index " \ " WHERE binpath = ? AND iftype = ?" -#define SELECT_RESTRICTION_STATE_SUBSCRIBER_ID "SELECT rst_type " \ +#define SELECT_RESTRICTION_TYPE_SUBSCRIBER_ID "SELECT rstn_type " \ " FROM restrictions INDEXED BY restrictions_index " \ " WHERE binpath = ? AND iftype = ? AND subscriber_id = ?" @@ -53,13 +53,13 @@ /* UPDATE statement */ #define UPDATE_NET_RESTRICTIONS "UPDATE restrictions " \ - " SET binpath = ?, data_limit = ?, iftype = ?, rst_type = ?, " \ + " SET binpath = ?, data_limit = ?, iftype = ?, rstn_type = ?, " \ " roaming = ?, ifname = ?, subscriber_id = ?, data_warn_limit = ? " \ " WHERE restriction_id = ?" /* INSERT statement */ #define INSERT_NET_RESTRICTIONS "INSERT INTO restrictions " \ - " (binpath, data_limit, iftype, rst_type, " \ + " (binpath, data_limit, iftype, rstn_type, " \ " roaming, ifname, subscriber_id, data_warn_limit) " \ " VALUES (?, ?, ?, ?, ?, ?, ?, ?)" @@ -128,8 +128,8 @@ static sqlite3_stmt *delete_restrictions; /* SELECT statements */ static sqlite3_stmt *select_restriction; static sqlite3_stmt *select_restriction_per_app; -static sqlite3_stmt *select_restriction_state; -static sqlite3_stmt *select_restriction_state_subscriber_id; +static sqlite3_stmt *select_restriction_type; +static sqlite3_stmt *select_restriction_type_subscriber_id; static sqlite3_stmt *select_restriction_id; /* REPLACE statements */ @@ -178,8 +178,8 @@ static int __prepare_select(sqlite3 *db) PREPARE_SELECT(select_restriction, SELECT_RESTRICTIONS); PREPARE_SELECT(select_restriction_per_app, SELECT_RESTRICTIONS_PER_APP); - PREPARE_SELECT(select_restriction_state, SELECT_RESTRICTION_STATE); - PREPARE_SELECT(select_restriction_state_subscriber_id, SELECT_RESTRICTION_STATE_SUBSCRIBER_ID); + PREPARE_SELECT(select_restriction_type, SELECT_RESTRICTION_TYPE); + PREPARE_SELECT(select_restriction_type_subscriber_id, SELECT_RESTRICTION_TYPE_SUBSCRIBER_ID); PREPARE_SELECT(select_restriction_id, SELECT_RESTRICTION_ID); initialized = 1; @@ -193,8 +193,8 @@ static void __finalize_select(void) FINALIZE(select_restriction); FINALIZE(select_restriction_per_app); - FINALIZE(select_restriction_state); - FINALIZE(select_restriction_state_subscriber_id); + FINALIZE(select_restriction_type); + FINALIZE(select_restriction_type_subscriber_id); FINALIZE(select_restriction_id); __STC_LOG_FUNC_EXIT__; @@ -285,7 +285,7 @@ stc_error_e table_restrictions_per_app(const gchar* app_id, data.app_id = (char *)sqlite3_column_text(stmt, 0); data.data_limit = sqlite3_column_int64(stmt, 1); data.iftype = (stc_iface_type_e)sqlite3_column_int(stmt, 2); - data.rst_type = + data.rstn_type = (stc_rstn_type_e)sqlite3_column_int(stmt, 3); data.roaming = sqlite3_column_int(stmt, 4); data.ifname = (char *)sqlite3_column_text(stmt, 5); @@ -333,7 +333,7 @@ stc_error_e table_restrictions_foreach(const table_restrictions_info_cb restrict data.app_id = (char *)sqlite3_column_text(stmt, 0); data.data_limit = sqlite3_column_int64(stmt, 1); data.iftype = (stc_iface_type_e)sqlite3_column_int(stmt, 2); - data.rst_type = + data.rstn_type = (stc_rstn_type_e)sqlite3_column_int(stmt, 3); data.roaming = sqlite3_column_int(stmt, 4); data.ifname = (char *)sqlite3_column_text(stmt, 5); @@ -359,44 +359,44 @@ stc_error_e table_restrictions_foreach(const table_restrictions_info_cb restrict return error_code; } -stc_error_e table_restrictions_get_restriction_state_subscriber_id(const char *app_id, +stc_error_e table_restrictions_get_restriction_type_subscriber_id(const char *app_id, stc_iface_type_e iftype, const char *subscriber_id, - stc_restriction_state_e *state) + stc_rstn_type_e *type) { __STC_LOG_FUNC_ENTER__; int error_code = STC_ERROR_NONE; int ret; bool state_subscriber_id = 0; - if (state == NULL) { + if (type == NULL) { STC_LOGE("Please provide valid argument!"); //LCOV_EXCL_LINE __STC_LOG_FUNC_EXIT__; //LCOV_EXCL_LINE return STC_ERROR_INVALID_PARAMETER; //LCOV_EXCL_LINE } - *state = STC_RESTRICTION_UNKNOWN; - sqlite3_reset(select_restriction_state_subscriber_id); - sqlite3_reset(select_restriction_state); + *type = STC_RSTN_TYPE_UNKNOWN; + sqlite3_reset(select_restriction_type_subscriber_id); + sqlite3_reset(select_restriction_type); if (subscriber_id == NULL) { state_subscriber_id = 0; - DB_ACTION(sqlite3_bind_text(select_restriction_state, 1, + DB_ACTION(sqlite3_bind_text(select_restriction_type, 1, app_id ? app_id : "", -1, SQLITE_STATIC)); - DB_ACTION(sqlite3_bind_int(select_restriction_state, 2, + DB_ACTION(sqlite3_bind_int(select_restriction_type, 2, iftype)); - ret = sqlite3_step(select_restriction_state); + ret = sqlite3_step(select_restriction_type); } else { state_subscriber_id = 1; - DB_ACTION(sqlite3_bind_text(select_restriction_state_subscriber_id, 1, + DB_ACTION(sqlite3_bind_text(select_restriction_type_subscriber_id, 1, app_id ? app_id : "", -1, SQLITE_STATIC)); - DB_ACTION(sqlite3_bind_int(select_restriction_state_subscriber_id, 2, + DB_ACTION(sqlite3_bind_int(select_restriction_type_subscriber_id, 2, iftype)); - DB_ACTION(sqlite3_bind_text(select_restriction_state_subscriber_id, 3, + DB_ACTION(sqlite3_bind_text(select_restriction_type_subscriber_id, 3, subscriber_id, -1, SQLITE_STATIC)); - ret = sqlite3_step(select_restriction_state_subscriber_id); + ret = sqlite3_step(select_restriction_type_subscriber_id); } switch (ret) { @@ -404,32 +404,32 @@ stc_error_e table_restrictions_get_restriction_state_subscriber_id(const char *a break; case SQLITE_ROW: if (state_subscriber_id) - *state = (stc_restriction_state_e)sqlite3_column_int(select_restriction_state_subscriber_id, 0); + *type = (stc_rstn_type_e)sqlite3_column_int(select_restriction_type_subscriber_id, 0); else - *state = (stc_restriction_state_e)sqlite3_column_int(select_restriction_state, 0); + *type = (stc_rstn_type_e)sqlite3_column_int(select_restriction_type, 0); break; case SQLITE_ERROR: default: STC_LOGE("Can't perform sql query: %s \n%s", //LCOV_EXCL_LINE - SELECT_RESTRICTION_STATE, + SELECT_RESTRICTION_TYPE, sqlite3_errmsg(stc_db_get_database())); error_code = STC_ERROR_DB_FAILED; //LCOV_EXCL_LINE } handle_error: - sqlite3_reset(select_restriction_state); - sqlite3_reset(select_restriction_state_subscriber_id); + sqlite3_reset(select_restriction_type); + sqlite3_reset(select_restriction_type_subscriber_id); return error_code; } -stc_error_e table_restrictions_get_restriction_state(const char *app_id, +stc_error_e table_restrictions_get_restriction_type(const char *app_id, stc_iface_type_e iftype, - stc_restriction_state_e *state) + stc_rstn_type_e *type) { __STC_LOG_FUNC_ENTER__; __STC_LOG_FUNC_EXIT__; - return table_restrictions_get_restriction_state_subscriber_id(app_id, iftype, - NULL, state); + return table_restrictions_get_restriction_type_subscriber_id(app_id, iftype, + NULL, type); } stc_error_e table_restrictions_delete(const char *app_id, @@ -518,7 +518,7 @@ stc_error_e table_restrictions_update(table_restrictions_info *info) -1, SQLITE_TRANSIENT)); DB_ACTION(sqlite3_bind_int64(stmt, 2, info->data_limit)); DB_ACTION(sqlite3_bind_int(stmt, 3, info->iftype)); - DB_ACTION(sqlite3_bind_int(stmt, 4, info->rst_type)); + DB_ACTION(sqlite3_bind_int(stmt, 4, info->rstn_type)); DB_ACTION(sqlite3_bind_int(stmt, 5, info->roaming)); DB_ACTION(sqlite3_bind_text(stmt, 6, info->ifname ? info->ifname : "", -1, SQLITE_TRANSIENT)); diff --git a/src/helper/helper-nfacct-rule.h b/src/helper/helper-nfacct-rule.h index c305246..9d80afb 100755 --- a/src/helper/helper-nfacct-rule.h +++ b/src/helper/helper-nfacct-rule.h @@ -80,7 +80,7 @@ enum nfnl_acct_flags { * * and inherited nfacct_rule_counter and nfacct_rule_restriction * with additional field: - * quota, quota_id, roaming, rst_state + * quota, quota_id, roaming, rstn_state * * But ANSI C doesn't support inheritance. */ @@ -95,7 +95,7 @@ struct nfacct_rule { nfacct_rule_direction iotype; nfacct_rule_intend intend; nfacct_rule_jump jump; /* in most cases jump is evalutation based on intend, but not always */ - stc_restriction_state_e rst_state; + stc_rstn_state_e rstn_state; nfacct_rule_iptype iptype; struct counter_arg *carg; diff --git a/src/monitor/include/stc-monitor.h b/src/monitor/include/stc-monitor.h index 3437637..a102ea3 100755 --- a/src/monitor/include/stc-monitor.h +++ b/src/monitor/include/stc-monitor.h @@ -78,8 +78,8 @@ typedef struct { typedef struct { uint64_t restriction_id; uint32_t classid; - stc_restriction_state_e rst_state; - stc_rstn_type_e rst_type; + stc_rstn_state_e rstn_state; + stc_rstn_type_e rstn_type; int64_t data_limit; int64_t data_warn_limit; int64_t data_counter; diff --git a/src/monitor/stc-monitor.c b/src/monitor/stc-monitor.c index 83d64d0..b73a889 100755 --- a/src/monitor/stc-monitor.c +++ b/src/monitor/stc-monitor.c @@ -462,14 +462,14 @@ static void __print_rstn(stc_rstn_key_s *rstn_key, stc_rstn_value_s *rstn_value) { STC_LOGI("rstn info => rstn_id [%llu], " "app_id [%s], classid [%lu], ifname [%s], " - "iftype [%d], rst_state [%d], rst_type [%d], " + "iftype [%d], rstn_state [%d], rstn_type [%d], " "limit [ (%lld) bytes], " "warn_limit [ (%lld) bytes], " "counter [ (%lld) bytes], " "roaming [%d], subscriber_id [%s]", rstn_value->restriction_id, rstn_key->app_id, rstn_value->classid , rstn_key->ifname, - rstn_key->iftype, rstn_value->rst_state, rstn_value->rst_type, + rstn_key->iftype, rstn_value->rstn_state, rstn_value->rstn_type, rstn_value->data_limit, rstn_value->data_warn_limit, rstn_value->data_counter, @@ -550,7 +550,7 @@ static void __del_iptables_rule(int64_t classid, nfacct_rule_intend intend, __del_ip6tables_out(&counter); } -static void __process_restriction(enum traffic_restriction_type rst_type, +static void __process_restriction(enum traffic_restriction_type rstn_type, stc_rstn_key_s *rstn_key, stc_rstn_value_s *rstn_value, void *data) { @@ -579,7 +579,7 @@ static void __process_restriction(enum traffic_restriction_type rst_type, effective_data_limit = rstn_value->data_limit; effective_data_warn_limit = rstn_value->data_warn_limit; - if (rst_type == RST_SET) { + if (rstn_type == RST_SET) { /* TODO: Change this to runtime memory */ table_counters_info info; @@ -605,27 +605,27 @@ static void __process_restriction(enum traffic_restriction_type rst_type, rstn_value->restriction_id, effective_data_limit, effective_data_warn_limit); - switch (rst_type) { + switch (rstn_type) { case RST_SET: if (effective_data_limit <= 0) __add_iptables_rule(rstn_value->classid, NFACCT_BLOCK, rstn_key->iftype); - rstn_value->rst_state = STC_RESTRICTION_ACTIVATED; + rstn_value->rstn_state = STC_RSTN_STATE_ACTIVATED; rstn_value->data_limit_reached = FALSE; break; case RST_EXCLUDE: __add_iptables_rule(rstn_value->classid, NFACCT_ALLOW, rstn_key->iftype); - rstn_value->rst_state = STC_RESTRICTION_ACTIVATED; + rstn_value->rstn_state = STC_RSTN_STATE_ACTIVATED; rstn_value->data_limit_reached = TRUE; break; case RST_UNSET: - __del_iptables_rule(rstn_value->classid, rstn_value->rst_type, + __del_iptables_rule(rstn_value->classid, rstn_value->rstn_type, rstn_key->iftype); - rstn_value->rst_state = STC_RESTRICTION_DEACTIVATED; + rstn_value->rstn_state = STC_RSTN_STATE_DEACTIVATED; rstn_value->data_limit_reached = FALSE; break; default: @@ -651,7 +651,7 @@ static gboolean __remove_rstns_foreach_application(gpointer key, goto out; /* rstn rule is already removed */ - if (rstn_value->rst_state == STC_RESTRICTION_DEACTIVATED) + if (rstn_value->rstn_state == STC_RSTN_STATE_DEACTIVATED) goto out; /* remove restriction from system */ @@ -1275,10 +1275,10 @@ static gboolean __add_restriction_debug(gpointer key, gpointer value, stc_rstn_value_s *rstn_value = (stc_rstn_value_s *)value; /* rstn rule is activated */ - if (rstn_value->rst_state == STC_RESTRICTION_ACTIVATED) + if (rstn_value->rstn_state == STC_RSTN_STATE_ACTIVATED) return FALSE; - if (rstn_value->rst_type == STC_RSTN_TYPE_EXCLUDED) + if (rstn_value->rstn_type == STC_RSTN_TYPE_ACCEPT) __process_restriction(RST_EXCLUDE, rstn_key, rstn_value, data); else __process_restriction(RST_SET, rstn_key, rstn_value, data); @@ -1295,10 +1295,10 @@ static gboolean __add_restriction(gpointer key, gpointer value, gpointer data) stc_rstn_value_s *rstn_value = (stc_rstn_value_s *)value; /* rstn rule is activated */ - if (rstn_value->rst_state == STC_RESTRICTION_ACTIVATED) + if (rstn_value->rstn_state == STC_RSTN_STATE_ACTIVATED) return FALSE; - if (rstn_value->rst_type == STC_RSTN_TYPE_EXCLUDED) + if (rstn_value->rstn_type == STC_RSTN_TYPE_ACCEPT) __process_restriction(RST_EXCLUDE, rstn_key, rstn_value, data); else __process_restriction(RST_SET, rstn_key, rstn_value, data); @@ -1366,8 +1366,8 @@ static stc_error_e __rstn_tree_add(stc_rstn_key_s *key, g_tree_insert(g_system->rstns, rstn_key, rstn_value); rstn_value->restriction_id = value->restriction_id; - rstn_value->rst_state = value->rst_state; - rstn_value->rst_type = value->rst_type; + rstn_value->rstn_state = value->rstn_state; + rstn_value->rstn_type = value->rstn_type; rstn_value->classid = value->classid; rstn_value->data_limit = value->data_limit; rstn_value->data_warn_limit = value->data_warn_limit; @@ -1401,8 +1401,8 @@ static stc_cb_ret_e __insert_restriction_cb(const table_restrictions_info *info, key.iftype = info->iftype; key.roaming = info->roaming; - value.rst_type = info->rst_type; - value.rst_state = STC_RESTRICTION_UNKNOWN; + value.rstn_type = info->rstn_type; + value.rstn_state = STC_RSTN_STATE_UNKNOWN; value.restriction_id = info->restriction_id; if (info->app_id) @@ -1447,11 +1447,11 @@ static gboolean __add_rstn_foreach_application(gpointer key, goto out; /* rstn rule is already applied */ - if (rstn_value->rst_state == STC_RESTRICTION_ACTIVATED) + if (rstn_value->rstn_state == STC_RSTN_STATE_ACTIVATED) goto out; /* add restriction to system */ - if (rstn_value->rst_type == STC_RSTN_TYPE_EXCLUDED) + if (rstn_value->rstn_type == STC_RSTN_TYPE_ACCEPT) __process_restriction(RST_EXCLUDE, rstn_key, rstn_value, NULL); else __process_restriction(RST_SET, rstn_key, rstn_value, NULL); @@ -1891,8 +1891,8 @@ stc_error_e stc_monitor_rstns_tree_add(const table_restrictions_info *info) key.iftype = info->iftype; key.roaming = info->roaming; - value.rst_type = info->rst_type; - value.rst_state = STC_RESTRICTION_UNKNOWN; + value.rstn_type = info->rstn_type; + value.rstn_state = STC_RSTN_STATE_UNKNOWN; value.restriction_id = info->restriction_id; if (info->app_id) diff --git a/src/stc-manager-gdbus.c b/src/stc-manager-gdbus.c index 2abe2c1..3170c42 100755 --- a/src/stc-manager-gdbus.c +++ b/src/stc-manager-gdbus.c @@ -134,8 +134,8 @@ static gboolean __stc_manager_gdbus_restriction_init(stc_s *stc) g_signal_connect(restriction, "handle-get-all", G_CALLBACK(handle_restriction_get_all), stc); - g_signal_connect(restriction, "handle-get-state", - G_CALLBACK(handle_restriction_get_state), + g_signal_connect(restriction, "handle-get-type", + G_CALLBACK(handle_restriction_get_type), stc); g_signal_connect(restriction, "handle-unset", diff --git a/src/stc-restriction.c b/src/stc-restriction.c index e39575a..05d7544 100755 --- a/src/stc-restriction.c +++ b/src/stc-restriction.c @@ -45,7 +45,7 @@ void __initialize_rstn_rule(table_restrictions_info *rule) rule->app_id = NULL; rule->ifname = NULL; rule->iftype = STC_IFACE_ALL; - rule->rst_type = STC_RSTN_TYPE_UNKNOWN; + rule->rstn_type = STC_RSTN_TYPE_UNKNOWN; rule->data_limit = 0; rule->data_warn_limit = 0; rule->roaming = STC_ROAMING_DISABLE; @@ -53,7 +53,7 @@ void __initialize_rstn_rule(table_restrictions_info *rule) } gboolean __validate_rstn_rule(table_restrictions_info *rule, - enum traffic_restriction_type rst_type) + enum traffic_restriction_type rstn_type) { __STC_LOG_FUNC_ENTER__; @@ -62,7 +62,7 @@ gboolean __validate_rstn_rule(table_restrictions_info *rule, return FALSE; //LCOV_EXCL_LINE } - if (rst_type <= RST_UNDEFINDED || rst_type >= RST_MAX_VALUE) { + if (rstn_type <= RST_UNDEFINDED || rstn_type >= RST_MAX_VALUE) { __STC_LOG_FUNC_EXIT__; //LCOV_EXCL_LINE return FALSE; //LCOV_EXCL_LINE } @@ -111,8 +111,8 @@ void __stc_restriction_app_info_builder_add(GVariantBuilder *builder, g_variant_builder_add(builder, "{sv}", "iftype", g_variant_new_uint16(info->iftype)); - g_variant_builder_add(builder, "{sv}", "rst_type", - g_variant_new_uint16(info->rst_type)); + g_variant_builder_add(builder, "{sv}", "rstn_type", + g_variant_new_uint16(info->rstn_type)); g_variant_builder_add(builder, "{sv}", "data_limit", g_variant_new_int64(info->data_limit)); @@ -241,7 +241,7 @@ gboolean handle_restriction_set(StcRestriction *object, g_variant_iter_free(iter); } - rule.rst_type = STC_RSTN_TYPE_BLOCKED; + rule.rstn_type = STC_RSTN_TYPE_DROP; if (__validate_rstn_rule(&rule, RST_SET) == FALSE) { STC_RESTRICTION_DBUS_REPLY_ERROR(invocation, //LCOV_EXCL_LINE @@ -279,7 +279,7 @@ gboolean handle_restriction_exclude(StcRestriction *object, g_variant_iter_free(iter); } - rule.rst_type = STC_RSTN_TYPE_EXCLUDED; + rule.rstn_type = STC_RSTN_TYPE_ACCEPT; if (__validate_rstn_rule(&rule, RST_EXCLUDE) == FALSE) { STC_RESTRICTION_DBUS_REPLY_ERROR(invocation, //LCOV_EXCL_LINE @@ -393,7 +393,7 @@ gboolean handle_restriction_get_all(StcRestriction *object, return TRUE; } -gboolean handle_restriction_get_state(StcRestriction *object, +gboolean handle_restriction_get_type(StcRestriction *object, GDBusMethodInvocation *invocation, const gchar *app_id, int iftype, @@ -401,17 +401,17 @@ gboolean handle_restriction_get_state(StcRestriction *object, { __STC_LOG_FUNC_ENTER__; GVariant *return_parameters = NULL; - stc_restriction_state_e state = STC_RESTRICTION_UNKNOWN; + stc_rstn_type_e type = STC_RSTN_TYPE_UNKNOWN; stc_error_e ret; - ret = table_restrictions_get_restriction_state(app_id, iftype, &state); + ret = table_restrictions_get_restriction_type(app_id, iftype, &type); if (ret < STC_ERROR_NONE) { STC_RESTRICTION_DBUS_REPLY_ERROR(invocation, ret); //LCOV_EXCL_LINE __STC_LOG_FUNC_EXIT__; //LCOV_EXCL_LINE return TRUE; } - return_parameters = g_variant_new("(ii)", STC_ERROR_NONE, state); + return_parameters = g_variant_new("(ii)", STC_ERROR_NONE, type); STC_DBUS_REPLY(invocation, return_parameters); __STC_LOG_FUNC_EXIT__; return TRUE; -- 2.7.4 From 1793fa4cbbdb014706bdbdc58e84c400c5f52a2b Mon Sep 17 00:00:00 2001 From: hyunuktak Date: Wed, 2 May 2018 17:05:10 +0900 Subject: [PATCH 08/16] Removed exclude restriction method Change-Id: Id61aa10111a725ce19197896a982496c4ad0f75e --- include/stc-restriction.h | 5 --- interfaces/stcmanager-iface-restriction.xml | 5 --- packaging/stc-manager.spec | 2 +- src/stc-manager-gdbus.c | 3 -- src/stc-restriction.c | 56 ++++------------------------- 5 files changed, 8 insertions(+), 63 deletions(-) diff --git a/include/stc-restriction.h b/include/stc-restriction.h index 9fcc7e3..9f5560a 100755 --- a/include/stc-restriction.h +++ b/include/stc-restriction.h @@ -47,11 +47,6 @@ gboolean handle_restriction_set(StcRestriction *object, GVariant *parameters, void *user_data); -gboolean handle_restriction_exclude(StcRestriction *object, - GDBusMethodInvocation *invocation, - GVariant *parameters, - void *user_data); - gboolean handle_restriction_unset(StcRestriction *object, GDBusMethodInvocation *invocation, GVariant *parameters, diff --git a/interfaces/stcmanager-iface-restriction.xml b/interfaces/stcmanager-iface-restriction.xml index 3ecc542..1fbfc3f 100644 --- a/interfaces/stcmanager-iface-restriction.xml +++ b/interfaces/stcmanager-iface-restriction.xml @@ -5,11 +5,6 @@ - - - - - diff --git a/packaging/stc-manager.spec b/packaging/stc-manager.spec index afafa95..65d6175 100644 --- a/packaging/stc-manager.spec +++ b/packaging/stc-manager.spec @@ -1,6 +1,6 @@ Name: stc-manager Summary: STC(Smart Traffic Control) manager -Version: 0.0.58 +Version: 0.0.59 Release: 0 Group: Network & Connectivity/Other License: Apache-2.0 diff --git a/src/stc-manager-gdbus.c b/src/stc-manager-gdbus.c index 3170c42..a31deb0 100755 --- a/src/stc-manager-gdbus.c +++ b/src/stc-manager-gdbus.c @@ -125,9 +125,6 @@ static gboolean __stc_manager_gdbus_restriction_init(stc_s *stc) g_signal_connect(restriction, "handle-set", G_CALLBACK(handle_restriction_set), stc); - g_signal_connect(restriction, "handle-exclude", - G_CALLBACK(handle_restriction_exclude), stc); - g_signal_connect(restriction, "handle-get", G_CALLBACK(handle_restriction_get), stc); diff --git a/src/stc-restriction.c b/src/stc-restriction.c index 05d7544..242cdcb 100755 --- a/src/stc-restriction.c +++ b/src/stc-restriction.c @@ -52,8 +52,7 @@ void __initialize_rstn_rule(table_restrictions_info *rule) rule->subscriber_id = NULL; } -gboolean __validate_rstn_rule(table_restrictions_info *rule, - enum traffic_restriction_type rstn_type) +gboolean __validate_rstn_rule(table_restrictions_info *rule) { __STC_LOG_FUNC_ENTER__; @@ -62,11 +61,6 @@ gboolean __validate_rstn_rule(table_restrictions_info *rule, return FALSE; //LCOV_EXCL_LINE } - if (rstn_type <= RST_UNDEFINDED || rstn_type >= RST_MAX_VALUE) { - __STC_LOG_FUNC_EXIT__; //LCOV_EXCL_LINE - return FALSE; //LCOV_EXCL_LINE - } - if (rule->iftype <= STC_IFACE_UNKNOWN || rule->iftype >= STC_IFACE_LAST_ELEM) { __STC_LOG_FUNC_EXIT__; //LCOV_EXCL_LINE @@ -214,6 +208,10 @@ static void __stc_extract_restriction_rule(const char *key, GVariant *value, rule->subscriber_id = g_strdup(str); STC_LOGD("subscriber_id: [%s]", rule->subscriber_id); + } else if (!g_strcmp0(key, "type")) { + rule->rstn_type = g_variant_get_uint16(value); + STC_LOGD("type: [%u]", (unsigned int) rule->rstn_type); + } else { STC_LOGD("Unknown select rule"); //LCOV_EXCL_LINE } @@ -241,47 +239,7 @@ gboolean handle_restriction_set(StcRestriction *object, g_variant_iter_free(iter); } - rule.rstn_type = STC_RSTN_TYPE_DROP; - - if (__validate_rstn_rule(&rule, RST_SET) == FALSE) { - STC_RESTRICTION_DBUS_REPLY_ERROR(invocation, //LCOV_EXCL_LINE - STC_ERROR_INVALID_PARAMETER); - __STC_LOG_FUNC_EXIT__; //LCOV_EXCL_LINE - return TRUE; - } - - table_restrictions_update(&rule); - /* update restriction rule in runtime structure */ - stc_monitor_rstns_tree_add(&rule); - - STC_DBUS_REPLY_ERROR_NONE(invocation); - __STC_LOG_FUNC_EXIT__; - return TRUE; -} - -gboolean handle_restriction_exclude(StcRestriction *object, - GDBusMethodInvocation *invocation, - GVariant *parameters, - void *user_data) -{ - __STC_LOG_FUNC_ENTER__; - GVariantIter *iter = NULL; - table_restrictions_info rule; - - memset(&rule, 0, sizeof(table_restrictions_info)); - __initialize_rstn_rule(&rule); - - g_variant_get(parameters, "a{sv}", &iter); - if (iter != NULL) { - stc_manager_gdbus_dict_foreach(iter, - __stc_extract_restriction_rule, - &rule); - g_variant_iter_free(iter); - } - - rule.rstn_type = STC_RSTN_TYPE_ACCEPT; - - if (__validate_rstn_rule(&rule, RST_EXCLUDE) == FALSE) { + if (__validate_rstn_rule(&rule) == FALSE) { STC_RESTRICTION_DBUS_REPLY_ERROR(invocation, //LCOV_EXCL_LINE STC_ERROR_INVALID_PARAMETER); __STC_LOG_FUNC_EXIT__; //LCOV_EXCL_LINE @@ -317,7 +275,7 @@ gboolean handle_restriction_unset(StcRestriction *object, g_variant_iter_free(iter); } - if (__validate_rstn_rule(&rule, RST_UNSET) == FALSE) { + if (__validate_rstn_rule(&rule) == FALSE) { STC_RESTRICTION_DBUS_REPLY_ERROR(invocation, //LCOV_EXCL_LINE STC_ERROR_INVALID_PARAMETER); __STC_LOG_FUNC_EXIT__; //LCOV_EXCL_LINE -- 2.7.4 From 2456ee39ff1f11990fc371f51d9e6a0de505bbb6 Mon Sep 17 00:00:00 2001 From: hyunuktak Date: Fri, 4 May 2018 13:09:03 +0900 Subject: [PATCH 09/16] Replaced rule type to direction Change-Id: Ia158c9e54167d1da971d79d14940c6464b97abd3 Signed-off-by: hyunuktak --- packaging/stc-manager.spec | 2 +- src/helper/helper-firewall.c | 2 +- src/helper/helper-iptables.c | 14 +++++++------- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/packaging/stc-manager.spec b/packaging/stc-manager.spec index 65d6175..b85d523 100644 --- a/packaging/stc-manager.spec +++ b/packaging/stc-manager.spec @@ -1,6 +1,6 @@ Name: stc-manager Summary: STC(Smart Traffic Control) manager -Version: 0.0.59 +Version: 0.0.60 Release: 0 Group: Network & Connectivity/Other License: Apache-2.0 diff --git a/src/helper/helper-firewall.c b/src/helper/helper-firewall.c index aab377f..1df9621 100755 --- a/src/helper/helper-firewall.c +++ b/src/helper/helper-firewall.c @@ -38,7 +38,7 @@ #define BUF_SIZE_FOR_IP 64 #define RULE_CHAIN "chain" -#define RULE_DIRECTION "type" +#define RULE_DIRECTION "direction" #define RULE_IFNAME "ifname" #define RULE_PROTOCOL "protocol" #define RULE_TARGET "target" diff --git a/src/helper/helper-iptables.c b/src/helper/helper-iptables.c index cfd8aaf..b1ca634 100755 --- a/src/helper/helper-iptables.c +++ b/src/helper/helper-iptables.c @@ -33,12 +33,12 @@ #define STC_IPTABLES_DBUS_METHOD_IP6T_ADD_RULE "Ip6tAddRule" #define STC_IPTABLES_DBUS_METHOD_IP6T_REMOVE_RULE "Ip6tRemoveRule" -#define RULE_CHAIN "chain" -#define RULE_TYPE "type" -#define RULE_IFNAME "ifname" -#define RULE_CGROUP "cgroup" -#define RULE_NFACCT "nfacct" -#define RULE_TARGET "target" +#define RULE_CHAIN "chain" +#define RULE_DIRECTION "direction" +#define RULE_IFNAME "ifname" +#define RULE_CGROUP "cgroup" +#define RULE_NFACCT "nfacct" +#define RULE_TARGET "target" static void __add_rule_info_to_builder(GVariantBuilder *builder, iptables_rule_s *rule) @@ -49,7 +49,7 @@ static void __add_rule_info_to_builder(GVariantBuilder *builder, g_variant_builder_add(builder, "{sv}", RULE_CHAIN, g_variant_new_string(rule->chain)); - g_variant_builder_add(builder, "{sv}", RULE_TYPE, + g_variant_builder_add(builder, "{sv}", RULE_DIRECTION, g_variant_new_uint16(rule->direction)); if (rule->ifname) -- 2.7.4 From ed321635cef7090eda3fdd32bced083c2e6b8d05 Mon Sep 17 00:00:00 2001 From: hyunuktak Date: Wed, 9 May 2018 17:33:45 +0900 Subject: [PATCH 10/16] Added dbus method to commit ip6tables Change-Id: Ic446d4575fc9fc901f7a609377475f1be64657ea Signed-off-by: hyunuktak --- include/stc-manager-gdbus.h | 4 ++++ interfaces/stcmanager-iface-manager.xml | 6 ++++++ src/helper/helper-iptables.c | 12 +++++++---- src/stc-manager-gdbus.c | 38 ++++++++++++++++++++++++++++++++- 4 files changed, 55 insertions(+), 5 deletions(-) diff --git a/include/stc-manager-gdbus.h b/include/stc-manager-gdbus.h index b422b62..860b766 100755 --- a/include/stc-manager-gdbus.h +++ b/include/stc-manager-gdbus.h @@ -87,5 +87,9 @@ gboolean handle_manager_commit_iptables(StcManager *object, GDBusMethodInvocation *invocation, const gchar *option, void *user_data); +gboolean handle_manager_commit_ip6tables(StcManager *object, + GDBusMethodInvocation *invocation, + const gchar *option, + void *user_data); #endif /* __STC_MANAGER_GDBUS_H__ */ diff --git a/interfaces/stcmanager-iface-manager.xml b/interfaces/stcmanager-iface-manager.xml index 33697b4..6ac32d3 100644 --- a/interfaces/stcmanager-iface-manager.xml +++ b/interfaces/stcmanager-iface-manager.xml @@ -9,5 +9,11 @@ + + + + + + diff --git a/src/helper/helper-iptables.c b/src/helper/helper-iptables.c index b1ca634..6ca96af 100755 --- a/src/helper/helper-iptables.c +++ b/src/helper/helper-iptables.c @@ -96,7 +96,8 @@ static int __iptables_rule_add(GDBusConnection *connection, } g_variant_get(message, "(i)", &result); - STC_LOGD("Successfully Add Rule [%d:%s]", result, rule->nfacct_name); + if (STC_DEBUG_LOG) + STC_LOGD("Successfully Add Rule [%d:%s]", result, rule->nfacct_name); g_variant_unref(message); return STC_ERROR_NONE; @@ -128,7 +129,8 @@ static int __iptables_rule_remove(GDBusConnection *connection, } g_variant_get(message, "(i)", &result); - STC_LOGD("Successfully Remove Rule [%d:%s]", result, rule->nfacct_name); + if (STC_DEBUG_LOG) + STC_LOGD("Successfully Remove Rule [%d:%s]", result, rule->nfacct_name); g_variant_unref(message); return STC_ERROR_NONE; @@ -160,7 +162,8 @@ static int __ip6tables_rule_add(GDBusConnection *connection, } g_variant_get(message, "(i)", &result); - STC_LOGD("Successfully Add 6 Rule [%d:%s]", result, rule->nfacct_name); + if (STC_DEBUG_LOG) + STC_LOGD("Successfully Add 6 Rule [%d:%s]", result, rule->nfacct_name); g_variant_unref(message); return STC_ERROR_NONE; @@ -192,7 +195,8 @@ static int __ip6tables_rule_remove(GDBusConnection *connection, } g_variant_get(message, "(i)", &result); - STC_LOGD("Successfully Remove 6 Rule [%d:%s]", result, rule->nfacct_name); + if (STC_DEBUG_LOG) + STC_LOGD("Successfully Remove 6 Rule [%d:%s]", result, rule->nfacct_name); g_variant_unref(message); return STC_ERROR_NONE; diff --git a/src/stc-manager-gdbus.c b/src/stc-manager-gdbus.c index a31deb0..ddad1ef 100755 --- a/src/stc-manager-gdbus.c +++ b/src/stc-manager-gdbus.c @@ -255,6 +255,9 @@ static gboolean __stc_manager_gdbus_manager_init(stc_s *stc) g_signal_connect(manager, "handle-commit-iptables", G_CALLBACK(handle_manager_commit_iptables), stc); + g_signal_connect(manager, "handle-commit-ip6tables", + G_CALLBACK(handle_manager_commit_ip6tables), stc); + g_dbus_object_manager_server_export(stc->obj_mgr, G_DBUS_OBJECT_SKELETON(object)); g_object_unref(object); @@ -389,7 +392,7 @@ GVariant *stc_manager_gdbus_call_sync(GDBusConnection *connection, if (reply == NULL) { if (error != NULL) { STC_LOGE("g_dbus_connection_call_sync() failed" //LCOV_EXCL_LINE - "error [%d: %s]", error->code, error->message); + " error [%d: %s]", error->code, error->message); g_error_free(error); //LCOV_EXCL_LINE } else { STC_LOGE("g_dbus_connection_call_sync() failed"); //LCOV_EXCL_LINE @@ -548,3 +551,36 @@ gboolean handle_manager_commit_iptables(StcManager *object, __STC_LOG_FUNC_EXIT__; return TRUE; } + +gboolean handle_manager_commit_ip6tables(StcManager *object, + GDBusMethodInvocation *invocation, + const gchar *option, + void *user_data) +{ + __STC_LOG_FUNC_ENTER__; + GVariant *return_parameters = NULL; + int ret = STC_ERROR_NONE; + int err_num = 0; + char *err_str = NULL; + char cmd[STC_CMD_SIZE] = { 0, }; + + if (option == NULL) { + STC_MANAGER_DBUS_REPLY_ERROR(invocation, + STC_ERROR_INVALID_PARAMETER); + __STC_LOG_FUNC_EXIT__; + return TRUE; + } + + STC_LOGD("[%s]", option); + g_snprintf(cmd, STC_CMD_SIZE, "%s %s", STC_IP6TABLES, option); + + ret = stc_commit_iptables(cmd, &err_num, &err_str); + + return_parameters = g_variant_new("(iis)", ret, err_num, err_str); + + DEBUG_GDBUS_VARIANT("Return parameters: ", return_parameters); + STC_DBUS_REPLY(invocation, return_parameters); + + __STC_LOG_FUNC_EXIT__; + return TRUE; +} -- 2.7.4 From 0fe1e778742b3d158666e144254fcfb70b65a29e Mon Sep 17 00:00:00 2001 From: hyunuktak Date: Thu, 10 May 2018 16:00:48 +0900 Subject: [PATCH 11/16] Updated enum value for app state Change-Id: I9cd032ac4482968f43678fdb8c4773ef2253cdbb Signed-off-by: hyunuktak --- include/stc-manager.h | 8 ++++---- packaging/stc-manager.spec | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/include/stc-manager.h b/include/stc-manager.h index f3cee74..f43c92d 100755 --- a/include/stc-manager.h +++ b/include/stc-manager.h @@ -121,10 +121,10 @@ typedef enum { * @brief State of the statisticsed process */ typedef enum { - STC_APP_STATE_UNKNOWN = 0, - STC_APP_STATE_FOREGROUND = 1 << 1, /** < foreground state */ - STC_APP_STATE_BACKGROUND = 1 << 2, /** < background state */ - STC_APP_STATE_LAST_ELEM = 1 << 3 + STC_APP_STATE_UNKNOWN, + STC_APP_STATE_FOREGROUND, /** < foreground state */ + STC_APP_STATE_BACKGROUND, /** < background state */ + STC_APP_STATE_LAST_ELEM } stc_app_state_e; /** diff --git a/packaging/stc-manager.spec b/packaging/stc-manager.spec index b85d523..95ff39a 100644 --- a/packaging/stc-manager.spec +++ b/packaging/stc-manager.spec @@ -1,6 +1,6 @@ Name: stc-manager Summary: STC(Smart Traffic Control) manager -Version: 0.0.60 +Version: 0.0.61 Release: 0 Group: Network & Connectivity/Other License: Apache-2.0 -- 2.7.4 From faa15ef08b6a44305108696f98e44c4db1674f5c Mon Sep 17 00:00:00 2001 From: Milind Murhekar Date: Fri, 4 May 2018 15:48:28 +0530 Subject: [PATCH 12/16] Add support for Tethering data monitoring and data restriction rules Description: This patch applies the tethering interface monitoring, when Hotspot is enabled/disabled, Also it supports data restriction rules for tethering interface including default network connection. Change-Id: I2b79de433abde7b5ae46d1fb9d7b537975398dab Signed-off-by: Milind Murhekar --- include/stc-manager.h | 3 + packaging/stc-manager.spec | 2 +- src/helper/helper-net-cls.c | 3 + src/monitor/include/stc-default-connection.h | 19 ++++ src/monitor/stc-default-connection.c | 88 +++++++++++++++++++ src/monitor/stc-monitor.c | 126 ++++++++++++++++++++++----- 6 files changed, 220 insertions(+), 21 deletions(-) diff --git a/include/stc-manager.h b/include/stc-manager.h index f43c92d..14d5cc6 100755 --- a/include/stc-manager.h +++ b/include/stc-manager.h @@ -30,6 +30,7 @@ #define STC_TOTAL_BLUETOOTH "TOTAL_BLUETOOTH" #define STC_TOTAL_IPV4 "TOTAL_IPV4" #define STC_TOTAL_IPV6 "TOTAL_IPV6" +#define STC_TOTAL_TETHERING "TOTAL_TETHERING" #define STC_IPTABLES "/usr/sbin/iptables" #define STC_IP6TABLES "/usr/sbin/ip6tables" @@ -158,6 +159,8 @@ typedef enum { STC_IFACE_BLUETOOTH, /**< bluetooth interface */ STC_IFACE_IPV4, /**< ipv4 interface */ STC_IFACE_IPV6, /**< ipv6 interface */ + STC_IFACE_USB, /**< usb interface */ + STC_IFACE_P2P, /**< p2p interface */ STC_IFACE_ALL, /**< enumerate all network interface types */ STC_IFACE_LAST_ELEM } stc_iface_type_e; diff --git a/packaging/stc-manager.spec b/packaging/stc-manager.spec index 95ff39a..bb6a9c1 100644 --- a/packaging/stc-manager.spec +++ b/packaging/stc-manager.spec @@ -1,6 +1,6 @@ Name: stc-manager Summary: STC(Smart Traffic Control) manager -Version: 0.0.61 +Version: 0.0.63 Release: 0 Group: Network & Connectivity/Other License: Apache-2.0 diff --git a/src/helper/helper-net-cls.c b/src/helper/helper-net-cls.c index c1460dc..e13c729 100755 --- a/src/helper/helper-net-cls.c +++ b/src/helper/helper-net-cls.c @@ -132,6 +132,9 @@ uint32_t get_classid_by_app_id(const char *app_id, int create) if (!strcmp(app_id, STC_TOTAL_IPV6)) return STC_TOTAL_IPV6_CLASSID; + if (!strcmp(app_id, STC_TOTAL_TETHERING)) + return STC_TETHERING_APP_CLASSID; + if (strstr(app_id, STC_BACKGROUND_APP_SUFFIX)) path_to_net_cgroup_dir = BACKGROUND_CGROUP_NETWORK; else diff --git a/src/monitor/include/stc-default-connection.h b/src/monitor/include/stc-default-connection.h index 230671b..222e77b 100755 --- a/src/monitor/include/stc-default-connection.h +++ b/src/monitor/include/stc-default-connection.h @@ -25,6 +25,19 @@ #define IMSI_LENGTH 16 #define SHA256_DIGEST_LENGTH 32 +#define TETHERING_USB_IF "usb0" +#define TETHERING_WIFI_IF "wlan0" +#define TETHERING_BT_IF "bnep0" +#define TETHERING_P2P_IF "p2p0" + +/** + * @brief Tethering interface info + */ +typedef struct { + gchar *ifname; + stc_iface_type_e type; +} tether_iface_s; + /** * @brief default connection information will be fetched from net-config */ @@ -44,6 +57,12 @@ typedef struct { /* hardware network protocol type */ stc_hw_net_protocol_type_e hw_net_protocol_type; + + /* tethering status */ + gboolean tether_state; + + /* tethering interface */ + tether_iface_s tether_iface; } default_connection_s; stc_error_e stc_default_connection_monitor_init(stc_s *stc); diff --git a/src/monitor/stc-default-connection.c b/src/monitor/stc-default-connection.c index 9a359d4..244a8b9 100755 --- a/src/monitor/stc-default-connection.c +++ b/src/monitor/stc-default-connection.c @@ -193,12 +193,24 @@ static void __print_default_connection_info(void) STC_LOGI("=================================================="); } +static void __print_tether_connection_info(void) +{ + STC_LOGI("============= tethering connection info ============"); + STC_LOGI("mode [%u]", g_default_connection.tether_state ? TRUE : FALSE); + STC_LOGI("type [%d]", g_default_connection.tether_iface.type); + STC_LOGI("ifname [%s]", g_default_connection.tether_iface.ifname); + STC_LOGI("===================================================="); +} + static void __reset_default_connection_data(void) { FREE(g_default_connection.path); FREE(g_default_connection.ifname); + FREE(g_default_connection.tether_iface.ifname); g_default_connection.type = STC_IFACE_UNKNOWN; g_default_connection.roaming = FALSE; + g_default_connection.tether_iface.type = STC_IFACE_UNKNOWN; + g_default_connection.tether_state = FALSE; } static gboolean __is_cellular_internet_profile(const char *profile) @@ -482,8 +494,80 @@ done: return; } +static void __vconf_key_callback(keynode_t *node, void *user_data) +{ + int vconf_key; + + if (node == NULL) { + STC_LOGE("Invalid parameter"); + return; + } + + if (vconf_keynode_get_type(node) != VCONF_TYPE_INT) { + STC_LOGE("Invalid vconf key type"); + return; + } + + vconf_key = vconf_keynode_get_int(node); + + /* Check the tethering type */ + switch (vconf_key) { + case VCONFKEY_MOBILE_HOTSPOT_MODE_USB: + STC_LOGI("Hotspot mode USB type !"); + g_default_connection.tether_state = TRUE; + g_default_connection.tether_iface.ifname = g_strdup(TETHERING_USB_IF); + g_default_connection.tether_iface.type = STC_IFACE_USB; + break; + case VCONFKEY_MOBILE_HOTSPOT_MODE_WIFI: + STC_LOGI("Hotspot mode Wi-Fi type !"); + g_default_connection.tether_state = TRUE; + g_default_connection.tether_iface.ifname = g_strdup(TETHERING_WIFI_IF); + g_default_connection.tether_iface.type = STC_IFACE_WIFI; + break; + case VCONFKEY_MOBILE_HOTSPOT_MODE_BT: + STC_LOGI("Hotspot mode Bluetooth type !"); + g_default_connection.tether_state = TRUE; + g_default_connection.tether_iface.ifname = g_strdup(TETHERING_BT_IF); + g_default_connection.tether_iface.type = STC_IFACE_BLUETOOTH; + break; + case VCONFKEY_MOBILE_HOTSPOT_MODE_P2P: + STC_LOGI("Hotspot mode P2P type !"); + g_default_connection.tether_state = TRUE; + g_default_connection.tether_iface.ifname = g_strdup(TETHERING_P2P_IF); + g_default_connection.tether_iface.type = STC_IFACE_P2P; + break; + case VCONFKEY_MOBILE_HOTSPOT_MODE_NONE: + STC_LOGI("Hotspot mode none"); + g_default_connection.tether_state = FALSE; + break; + default: + STC_LOGE("Unknown Hotspot mode type !"); + break; + } + + /* add monitoring for tethering if active found */ + if (g_default_connection.tether_state == TRUE && g_default_connection.tether_iface.ifname) { + __print_tether_connection_info(); + stc_monitor_update_rstn_by_default_connection(&g_default_connection); + stc_firewall_update(); + STC_LOGI("Data monitoring started for tethering iface !"); + return; + } + + /* remove monitoring for tethering if in-active found */ + if (g_default_connection.tether_state == FALSE && g_default_connection.tether_iface.ifname) { + stc_monitor_update_rstn_by_default_connection(&g_default_connection); + g_free(g_default_connection.tether_iface.ifname); + g_default_connection.tether_iface.ifname = NULL; + g_default_connection.tether_iface.type = STC_IFACE_UNKNOWN; + STC_LOGI("Data monitoring stopped for tethering iface !"); + return; + } +} + stc_error_e stc_default_connection_monitor_init(stc_s *stc) { + int ret; ret_value_msg_if(stc == NULL, STC_ERROR_INVALID_PARAMETER, "failed to get stc data"); __get_default_profile(stc->connection); @@ -497,6 +581,10 @@ stc_error_e stc_default_connection_monitor_init(stc_s *stc) _service_signal_cb, NULL, NULL); + ret = vconf_notify_key_changed(VCONFKEY_MOBILE_HOTSPOT_MODE, __vconf_key_callback, NULL); + if (ret < 0) + STC_LOGE("vconf_notify_key_changed failed: %d", ret); + STC_LOGI("Successfully subscribed connman [%s] signal", CONNMAN_SIGNAL_PROPERTY_CHANGED); return STC_ERROR_NONE; } diff --git a/src/monitor/stc-monitor.c b/src/monitor/stc-monitor.c index b73a889..62a0c20 100755 --- a/src/monitor/stc-monitor.c +++ b/src/monitor/stc-monitor.c @@ -403,8 +403,16 @@ static gboolean __add_application_monitor(gpointer key, gpointer value, counter.carg = stc->carg; counter.classid = app_value->classid; counter.intend = NFACCT_COUNTER; - counter.iftype = connection->type; - g_strlcpy(counter.ifname, connection->ifname, MAX_IFACE_LENGTH); + + if (connection->tether_state == TRUE && + connection->tether_iface.ifname != NULL && + app_value->classid == STC_TETHERING_APP_CLASSID) { + counter.iftype = connection->tether_iface.type; + g_strlcpy(counter.ifname, connection->tether_iface.ifname, MAX_IFACE_LENGTH); + } else { + counter.iftype = connection->type; + g_strlcpy(counter.ifname, connection->ifname, MAX_IFACE_LENGTH); + } if (app_value->classid == STC_TOTAL_IPV4_CLASSID) { __add_iptables_in(&counter); @@ -446,8 +454,16 @@ static gboolean __remove_application_monitor(gpointer key, gpointer value, counter.carg = stc->carg; counter.classid = app_value->classid; counter.intend = NFACCT_COUNTER; - counter.iftype = connection->type; - g_strlcpy(counter.ifname, connection->ifname, MAX_IFACE_LENGTH); + + if (connection->tether_state == FALSE && + connection->tether_iface.ifname != NULL && + app_value->classid == STC_TETHERING_APP_CLASSID) { + counter.iftype = connection->tether_iface.type; + g_strlcpy(counter.ifname, connection->tether_iface.ifname, MAX_IFACE_LENGTH); + } else { + counter.iftype = connection->type; + g_strlcpy(counter.ifname, connection->ifname, MAX_IFACE_LENGTH); + } __del_iptables_in(&counter); __del_iptables_out(&counter); @@ -480,6 +496,7 @@ static void __add_iptables_rule(int64_t classid, nfacct_rule_intend intend, stc_iface_type_e iftype) { char *default_ifname = stc_default_connection_get_ifname(); + default_connection_s *connection = stc_get_default_connection(); struct nfacct_rule counter; stc_s *stc = stc_get_manager(); if (!stc) { @@ -500,8 +517,16 @@ static void __add_iptables_rule(int64_t classid, nfacct_rule_intend intend, counter.carg = stc->carg; counter.classid = classid; counter.intend = intend; - counter.iftype = iftype; - g_strlcpy(counter.ifname, default_ifname, MAX_IFACE_LENGTH); + + if (connection && connection->tether_iface.ifname != NULL && + classid == STC_TETHERING_APP_CLASSID) { + counter.iftype = connection->tether_iface.type; + g_strlcpy(counter.ifname, connection->tether_iface.ifname, MAX_IFACE_LENGTH); + } else { + counter.iftype = iftype; + g_strlcpy(counter.ifname, default_ifname, MAX_IFACE_LENGTH); + } + g_free(default_ifname); /* iptables rule */ @@ -517,6 +542,7 @@ static void __del_iptables_rule(int64_t classid, nfacct_rule_intend intend, stc_iface_type_e iftype) { char *default_ifname = stc_default_connection_get_ifname(); + default_connection_s *connection = stc_get_default_connection(); struct nfacct_rule counter; stc_s *stc = stc_get_manager(); if (!stc) { @@ -537,8 +563,16 @@ static void __del_iptables_rule(int64_t classid, nfacct_rule_intend intend, counter.carg = stc->carg; counter.classid = classid; counter.intend = intend; - counter.iftype = iftype; - g_strlcpy(counter.ifname, default_ifname, MAX_IFACE_LENGTH); + + if (connection && connection->tether_iface.ifname != NULL && + classid == STC_TETHERING_APP_CLASSID) { + counter.iftype = connection->tether_iface.type; + g_strlcpy(counter.ifname, connection->tether_iface.ifname, MAX_IFACE_LENGTH); + } else { + counter.iftype = iftype; + g_strlcpy(counter.ifname, default_ifname, MAX_IFACE_LENGTH); + } + g_free(default_ifname); /* iptables rule */ @@ -569,7 +603,8 @@ static void __process_restriction(enum traffic_restriction_type rstn_type, /* rstn not applicable for this interface */ if (rstn_key->ifname != NULL && g_strcmp0("", rstn_key->ifname) != 0 && - g_strcmp0(connection->ifname, rstn_key->ifname) != 0) + (g_strcmp0(connection->ifname, rstn_key->ifname) != 0) && + (g_strcmp0(connection->tether_iface.ifname, rstn_key->ifname) != 0)) return; /* classid is invalid */ @@ -622,8 +657,12 @@ static void __process_restriction(enum traffic_restriction_type rstn_type, rstn_value->data_limit_reached = TRUE; break; case RST_UNSET: - __del_iptables_rule(rstn_value->classid, rstn_value->rstn_type, - rstn_key->iftype); + if (rstn_value->classid == STC_TETHERING_APP_CLASSID) + __del_iptables_rule(rstn_value->classid, NFACCT_BLOCK, + rstn_key->iftype); + else + __del_iptables_rule(rstn_value->classid, rstn_value->rstn_type, + rstn_key->iftype); rstn_value->rstn_state = STC_RSTN_STATE_DEACTIVATED; rstn_value->data_limit_reached = FALSE; @@ -848,11 +887,19 @@ static gboolean __interface_rstn_counter_update(stc_rstn_key_s *rstn_key, classid_bytes_context_s *context) { if ((rstn_value->classid == STC_TOTAL_DATACALL_CLASSID && - context->counter->iftype == STC_IFACE_DATACALL) || - (rstn_value->classid == STC_TOTAL_WIFI_CLASSID && - context->counter->iftype == STC_IFACE_WIFI) || - (rstn_value->classid == STC_TOTAL_BLUETOOTH_CLASSID && - context->counter->iftype == STC_IFACE_BLUETOOTH)) { + context->counter->iftype == STC_IFACE_DATACALL) || + (rstn_value->classid == STC_TOTAL_WIFI_CLASSID && + context->counter->iftype == STC_IFACE_WIFI) || + (rstn_value->classid == STC_TOTAL_BLUETOOTH_CLASSID && + context->counter->iftype == STC_IFACE_BLUETOOTH) || + (rstn_value->classid == STC_TETHERING_APP_CLASSID && + context->counter->iftype == STC_IFACE_WIFI) || + (rstn_value->classid == STC_TETHERING_APP_CLASSID && + context->counter->iftype == STC_IFACE_BLUETOOTH) || + (rstn_value->classid == STC_TETHERING_APP_CLASSID && + context->counter->iftype == STC_IFACE_USB) || + (rstn_value->classid == STC_TETHERING_APP_CLASSID && + context->counter->iftype == STC_IFACE_P2P)) { context->counter->classid = rstn_value->classid; return __rstn_counter_update(rstn_key, rstn_value, context); } @@ -905,16 +952,40 @@ static gboolean __update_app_statistics(gpointer key, gpointer value, memset(&stat_key, 0, sizeof(stc_db_classid_iftype_key)); memset(&stat, 0 , sizeof(stc_db_app_stats)); + /* Do not update statistics for Tethering + * if tethering is in-active found */ + if (default_connection && + default_connection->tether_state == FALSE && + !strcmp(app_key->app_id, STC_TOTAL_TETHERING)) + return FALSE; + + /* Do not update statistics for Wi-Fi + * if tethering is active on wlan0 iface */ + if (default_connection && default_connection->tether_state && + default_connection->tether_iface.type == STC_IFACE_WIFI && + !strcmp(app_key->app_id, STC_TOTAL_WIFI)) + return FALSE; + stat_key.classid = app_value->classid; - stat_key.iftype = default_connection->type; + + if (app_value->classid == STC_TETHERING_APP_CLASSID && + default_connection->tether_state == TRUE) + stat_key.iftype = default_connection->tether_iface.type; + else + stat_key.iftype = default_connection->type; if (STC_IFACE_DATACALL == stat_key.iftype) stat_key.subscriber_id = g_strdup(default_connection->subscriber_id); else stat_key.subscriber_id = g_strdup("none_subid"); //LCOV_EXCL_LINE - g_strlcpy(stat_key.ifname, default_connection->ifname, - MAX_IFACE_LENGTH); + if (app_value->classid == STC_TETHERING_APP_CLASSID && + default_connection->tether_state == TRUE) + g_strlcpy(stat_key.ifname, default_connection->tether_iface.ifname, + MAX_IFACE_LENGTH); + else + g_strlcpy(stat_key.ifname, default_connection->ifname, + MAX_IFACE_LENGTH); stat.app_id = g_strdup(app_key->app_id); stat.snd_count = app_value->counter.out_bytes; @@ -1028,7 +1099,15 @@ static void __interface_counter_update(stc_app_key_s *app_key, (app_value->classid == STC_TOTAL_WIFI_CLASSID && context->counter->iftype == STC_IFACE_WIFI) || (app_value->classid == STC_TOTAL_BLUETOOTH_CLASSID && - context->counter->iftype == STC_IFACE_BLUETOOTH)) + context->counter->iftype == STC_IFACE_BLUETOOTH) || + (app_value->classid == STC_TETHERING_APP_CLASSID && + context->counter->iftype == STC_IFACE_WIFI) || + (app_value->classid == STC_TETHERING_APP_CLASSID && + context->counter->iftype == STC_IFACE_BLUETOOTH) || + (app_value->classid == STC_TETHERING_APP_CLASSID && + context->counter->iftype == STC_IFACE_USB) || + (app_value->classid == STC_TETHERING_APP_CLASSID && + context->counter->iftype == STC_IFACE_P2P)) __app_counter_update(app_key, app_value, context); } @@ -1617,6 +1696,7 @@ stc_error_e stc_monitor_init(void) __add_application_by_interface(STC_TOTAL_BLUETOOTH); __add_application_by_interface(STC_TOTAL_IPV4); __add_application_by_interface(STC_TOTAL_IPV6); + __add_application_by_interface(STC_TOTAL_TETHERING); /* creating restriction rules tree */ __update_contr_cb(NULL); @@ -1855,8 +1935,11 @@ void stc_monitor_update_rstn_by_default_connection(void *data) FREE(old_connection.path); FREE(old_connection.ifname); + FREE(old_connection.tether_iface.ifname); old_connection.type = 0; old_connection.roaming = 0; + old_connection.tether_state = FALSE; + old_connection.tether_iface.type = 0; if (new_connection != NULL && new_connection->path != NULL) { if (g_system->apps) @@ -1870,8 +1953,11 @@ void stc_monitor_update_rstn_by_default_connection(void *data) old_connection.path = g_strdup(new_connection->path); old_connection.ifname = g_strdup(new_connection->ifname); + old_connection.tether_iface.ifname = g_strdup(new_connection->tether_iface.ifname); old_connection.type = new_connection->type; old_connection.roaming = new_connection->roaming; + old_connection.tether_state = new_connection->tether_state; + old_connection.tether_iface.type = new_connection->tether_iface.type; } } -- 2.7.4 From 2a3073365d410df5aa0d6d5a16e0b7a6f4ae5782 Mon Sep 17 00:00:00 2001 From: Nishant Chaprana Date: Thu, 17 May 2018 18:19:39 +0530 Subject: [PATCH 13/16] [Wformat] Fix Wformat build error Change-Id: I418e75c7f403d1ee1d54f8236b39f20977513aab Signed-off-by: Nishant Chaprana --- packaging/stc-manager.spec | 2 +- plugin/exception/stc-plugin-exception.c | 3 ++- plugin/procfs/stc-plugin-procfs.c | 2 +- src/monitor/stc-monitor.c | 6 +++--- src/stc-restriction.c | 2 +- 5 files changed, 8 insertions(+), 7 deletions(-) diff --git a/packaging/stc-manager.spec b/packaging/stc-manager.spec index bb6a9c1..de1f0c8 100644 --- a/packaging/stc-manager.spec +++ b/packaging/stc-manager.spec @@ -1,6 +1,6 @@ Name: stc-manager Summary: STC(Smart Traffic Control) manager -Version: 0.0.63 +Version: 0.0.64 Release: 0 Group: Network & Connectivity/Other License: Apache-2.0 diff --git a/plugin/exception/stc-plugin-exception.c b/plugin/exception/stc-plugin-exception.c index 783bc4f..db22b2f 100755 --- a/plugin/exception/stc-plugin-exception.c +++ b/plugin/exception/stc-plugin-exception.c @@ -205,7 +205,8 @@ static stc_error_e table_exceptions_foreach(const stc_exceptions_info_cb excepti char buf[EXCEPTION_BUF_MAX] = {0, }; fp = fopen(EXCEPTION_STORAGE, "r"); - ret_value_msg_if(!fp, STC_ERROR_FAIL, "Failed to open %s file"); + ret_value_msg_if(!fp, STC_ERROR_FAIL, "Failed to open %s file", + EXCEPTION_STORAGE); while (fgets(buf, sizeof(buf), fp) != NULL) { char *process_name, *exe_type; diff --git a/plugin/procfs/stc-plugin-procfs.c b/plugin/procfs/stc-plugin-procfs.c index df69301..df2c195 100755 --- a/plugin/procfs/stc-plugin-procfs.c +++ b/plugin/procfs/stc-plugin-procfs.c @@ -406,7 +406,7 @@ static gboolean __process_nl_connector_message(GIOChannel *source, /* G_IO_ERR/G_IO_HUP/G_IO_NVAL received */ STC_LOGE("Netlink Connector socket received G_IO event, closing" - " socket. G_IO_ERR [%d], G_IO_HUP [%d], G_IO_NVAL [%s]", + " socket. G_IO_ERR [%u], G_IO_HUP [%u], G_IO_NVAL [%u]", (condition & G_IO_ERR), (condition & G_IO_HUP), (condition & G_IO_NVAL)); __reopen_nl_connector_sock(); diff --git a/src/monitor/stc-monitor.c b/src/monitor/stc-monitor.c index 62a0c20..adb79a2 100755 --- a/src/monitor/stc-monitor.c +++ b/src/monitor/stc-monitor.c @@ -477,7 +477,7 @@ static gboolean __remove_application_monitor(gpointer key, gpointer value, static void __print_rstn(stc_rstn_key_s *rstn_key, stc_rstn_value_s *rstn_value) { STC_LOGI("rstn info => rstn_id [%llu], " - "app_id [%s], classid [%lu], ifname [%s], " + "app_id [%s], classid [%u], ifname [%s], " "iftype [%d], rstn_state [%d], rstn_type [%d], " "limit [ (%lld) bytes], " "warn_limit [ (%lld) bytes], " @@ -1158,7 +1158,7 @@ static void __fill_nfacct_result(char *cnt_name, int64_t bytes, return; //LCOV_EXCL_LINE } - STC_LOGI("classid %lu, iftype %u, iotype %d, intend %d, ifname %s, bytes %lld", + STC_LOGI("classid %u, iftype %u, iotype %d, intend %d, ifname %s, bytes %lld", context.counter->classid, context.counter->iftype, context.counter->iotype, context.counter->intend, context.counter->ifname, context.bytes); @@ -1248,7 +1248,7 @@ static gboolean __process_contr_reply(GIOChannel *source, /* G_IO_ERR/G_IO_HUP/G_IO_NVAL received */ STC_LOGE("Counter socket received G_IO event, closing socket." //LCOV_EXCL_LINE - "G_IO_ERR [%d], G_IO_HUP [%d], G_IO_NVAL [%s]", + "G_IO_ERR [%u], G_IO_HUP [%u], G_IO_NVAL [%u]", (condition & G_IO_ERR), (condition & G_IO_HUP), (condition & G_IO_NVAL)); __close_and_reopen_contr_sock(g_system); //LCOV_EXCL_LINE diff --git a/src/stc-restriction.c b/src/stc-restriction.c index 242cdcb..d4353ea 100755 --- a/src/stc-restriction.c +++ b/src/stc-restriction.c @@ -178,7 +178,7 @@ static void __stc_extract_restriction_rule(const char *key, GVariant *value, guint str_length; const gchar *str = g_variant_get_string(value, &str_length); rule->app_id = g_strdup(str); - STC_LOGD("app_id: [%s]", (unsigned int) rule->app_id); + STC_LOGD("app_id: [%s]", rule->app_id); } else if (!g_strcmp0(key, "ifname")) { guint str_length; -- 2.7.4 From ba9186f949073543fcecf5f1d517a21b5141e7f0 Mon Sep 17 00:00:00 2001 From: Nishant Chaprana Date: Thu, 3 May 2018 20:20:30 +0530 Subject: [PATCH 14/16] Corrected file permissions Change-Id: Ic0392ac48d765bf5f7c9291bac4f573c84d78a1b Signed-off-by: Nishant Chaprana --- include/stc-error.h | 0 include/stc-firewall.h | 0 include/stc-manager-gdbus.h | 0 include/stc-manager-plugin-appstatus.h | 0 include/stc-manager-plugin-exception.h | 0 include/stc-manager-plugin-procfs.h | 0 include/stc-manager-util.h | 0 include/stc-manager.h | 0 include/stc-restriction.h | 0 include/stc-statistics.h | 0 include/transmission.h | 0 plugin/CMakeLists.txt | 0 plugin/appstatus/CMakeLists.txt | 0 plugin/appstatus/data/stc_noti_datausage.png | Bin plugin/appstatus/include/stc-plugin-appstatus.h | 0 plugin/appstatus/stc-plugin-appstatus.c | 0 plugin/exception/CMakeLists.txt | 0 plugin/exception/include/stc-plugin-exception.h | 0 plugin/exception/stc-plugin-exception.c | 0 plugin/procfs/CMakeLists.txt | 0 plugin/procfs/include/stc-plugin-procfs.h | 0 plugin/procfs/stc-plugin-procfs.c | 0 resources/systemd/stc-manager.service | 0 src/configure/include/configure_stub.h | 0 src/configure/include/counter.h | 0 src/database/db-common.c | 0 src/database/db-guard.c | 0 src/database/include/db-internal.h | 0 src/database/include/stc-db.h | 0 src/database/include/table-counters.h | 0 src/database/include/table-firewall.h | 0 src/database/include/table-restrictions.h | 0 src/database/include/table-statistics.h | 0 src/database/tables/table-counters.c | 0 src/database/tables/table-firewall.c | 0 src/database/tables/table-restrictions.c | 0 src/database/tables/table-statistics.c | 0 src/helper/helper-cgroup.c | 0 src/helper/helper-cgroup.h | 0 src/helper/helper-file.c | 0 src/helper/helper-file.h | 0 src/helper/helper-firewall.c | 0 src/helper/helper-firewall.h | 0 src/helper/helper-iptables.c | 0 src/helper/helper-iptables.h | 0 src/helper/helper-net-cls.c | 0 src/helper/helper-net-cls.h | 0 src/helper/helper-nfacct-rule.c | 0 src/helper/helper-nfacct-rule.h | 0 src/helper/helper-nl.c | 0 src/helper/helper-nl.h | 0 src/helper/helper-procfs.c | 0 src/helper/helper-procfs.h | 0 src/monitor/include/stc-default-connection.h | 0 src/monitor/include/stc-emulator.h | 0 src/monitor/include/stc-monitor.h | 0 src/monitor/stc-default-connection.c | 0 src/monitor/stc-emulator.c | 0 src/monitor/stc-monitor.c | 0 src/stc-firewall.c | 0 src/stc-manager-gdbus.c | 0 src/stc-manager-plugin-appstatus.c | 0 src/stc-manager-plugin-exception.c | 0 src/stc-manager-plugin-procfs.c | 0 src/stc-manager-util.c | 0 src/stc-manager.c | 0 src/stc-restriction.c | 0 src/stc-statistics.c | 0 src/utils/net-cls-release.c | 0 unittest/CMakeLists.txt | 0 unittest/gdbus.h | 0 unittest/manager.h | 0 unittest/restriction.h | 0 unittest/statistics.h | 0 unittest/stcmgr.h | 0 unittest/unittest.h | 0 76 files changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 include/stc-error.h mode change 100755 => 100644 include/stc-firewall.h mode change 100755 => 100644 include/stc-manager-gdbus.h mode change 100755 => 100644 include/stc-manager-plugin-appstatus.h mode change 100755 => 100644 include/stc-manager-plugin-exception.h mode change 100755 => 100644 include/stc-manager-plugin-procfs.h mode change 100755 => 100644 include/stc-manager-util.h mode change 100755 => 100644 include/stc-manager.h mode change 100755 => 100644 include/stc-restriction.h mode change 100755 => 100644 include/stc-statistics.h mode change 100755 => 100644 include/transmission.h mode change 100755 => 100644 plugin/CMakeLists.txt mode change 100755 => 100644 plugin/appstatus/CMakeLists.txt mode change 100755 => 100644 plugin/appstatus/data/stc_noti_datausage.png mode change 100755 => 100644 plugin/appstatus/include/stc-plugin-appstatus.h mode change 100755 => 100644 plugin/appstatus/stc-plugin-appstatus.c mode change 100755 => 100644 plugin/exception/CMakeLists.txt mode change 100755 => 100644 plugin/exception/include/stc-plugin-exception.h mode change 100755 => 100644 plugin/exception/stc-plugin-exception.c mode change 100755 => 100644 plugin/procfs/CMakeLists.txt mode change 100755 => 100644 plugin/procfs/include/stc-plugin-procfs.h mode change 100755 => 100644 plugin/procfs/stc-plugin-procfs.c mode change 100755 => 100644 resources/systemd/stc-manager.service mode change 100755 => 100644 src/configure/include/configure_stub.h mode change 100755 => 100644 src/configure/include/counter.h mode change 100755 => 100644 src/database/db-common.c mode change 100755 => 100644 src/database/db-guard.c mode change 100755 => 100644 src/database/include/db-internal.h mode change 100755 => 100644 src/database/include/stc-db.h mode change 100755 => 100644 src/database/include/table-counters.h mode change 100755 => 100644 src/database/include/table-firewall.h mode change 100755 => 100644 src/database/include/table-restrictions.h mode change 100755 => 100644 src/database/include/table-statistics.h mode change 100755 => 100644 src/database/tables/table-counters.c mode change 100755 => 100644 src/database/tables/table-firewall.c mode change 100755 => 100644 src/database/tables/table-restrictions.c mode change 100755 => 100644 src/database/tables/table-statistics.c mode change 100755 => 100644 src/helper/helper-cgroup.c mode change 100755 => 100644 src/helper/helper-cgroup.h mode change 100755 => 100644 src/helper/helper-file.c mode change 100755 => 100644 src/helper/helper-file.h mode change 100755 => 100644 src/helper/helper-firewall.c mode change 100755 => 100644 src/helper/helper-firewall.h mode change 100755 => 100644 src/helper/helper-iptables.c mode change 100755 => 100644 src/helper/helper-iptables.h mode change 100755 => 100644 src/helper/helper-net-cls.c mode change 100755 => 100644 src/helper/helper-net-cls.h mode change 100755 => 100644 src/helper/helper-nfacct-rule.c mode change 100755 => 100644 src/helper/helper-nfacct-rule.h mode change 100755 => 100644 src/helper/helper-nl.c mode change 100755 => 100644 src/helper/helper-nl.h mode change 100755 => 100644 src/helper/helper-procfs.c mode change 100755 => 100644 src/helper/helper-procfs.h mode change 100755 => 100644 src/monitor/include/stc-default-connection.h mode change 100755 => 100644 src/monitor/include/stc-emulator.h mode change 100755 => 100644 src/monitor/include/stc-monitor.h mode change 100755 => 100644 src/monitor/stc-default-connection.c mode change 100755 => 100644 src/monitor/stc-emulator.c mode change 100755 => 100644 src/monitor/stc-monitor.c mode change 100755 => 100644 src/stc-firewall.c mode change 100755 => 100644 src/stc-manager-gdbus.c mode change 100755 => 100644 src/stc-manager-plugin-appstatus.c mode change 100755 => 100644 src/stc-manager-plugin-exception.c mode change 100755 => 100644 src/stc-manager-plugin-procfs.c mode change 100755 => 100644 src/stc-manager-util.c mode change 100755 => 100644 src/stc-manager.c mode change 100755 => 100644 src/stc-restriction.c mode change 100755 => 100644 src/stc-statistics.c mode change 100755 => 100644 src/utils/net-cls-release.c mode change 100755 => 100644 unittest/CMakeLists.txt mode change 100755 => 100644 unittest/gdbus.h mode change 100755 => 100644 unittest/manager.h mode change 100755 => 100644 unittest/restriction.h mode change 100755 => 100644 unittest/statistics.h mode change 100755 => 100644 unittest/stcmgr.h mode change 100755 => 100644 unittest/unittest.h diff --git a/include/stc-error.h b/include/stc-error.h old mode 100755 new mode 100644 diff --git a/include/stc-firewall.h b/include/stc-firewall.h old mode 100755 new mode 100644 diff --git a/include/stc-manager-gdbus.h b/include/stc-manager-gdbus.h old mode 100755 new mode 100644 diff --git a/include/stc-manager-plugin-appstatus.h b/include/stc-manager-plugin-appstatus.h old mode 100755 new mode 100644 diff --git a/include/stc-manager-plugin-exception.h b/include/stc-manager-plugin-exception.h old mode 100755 new mode 100644 diff --git a/include/stc-manager-plugin-procfs.h b/include/stc-manager-plugin-procfs.h old mode 100755 new mode 100644 diff --git a/include/stc-manager-util.h b/include/stc-manager-util.h old mode 100755 new mode 100644 diff --git a/include/stc-manager.h b/include/stc-manager.h old mode 100755 new mode 100644 diff --git a/include/stc-restriction.h b/include/stc-restriction.h old mode 100755 new mode 100644 diff --git a/include/stc-statistics.h b/include/stc-statistics.h old mode 100755 new mode 100644 diff --git a/include/transmission.h b/include/transmission.h old mode 100755 new mode 100644 diff --git a/plugin/CMakeLists.txt b/plugin/CMakeLists.txt old mode 100755 new mode 100644 diff --git a/plugin/appstatus/CMakeLists.txt b/plugin/appstatus/CMakeLists.txt old mode 100755 new mode 100644 diff --git a/plugin/appstatus/data/stc_noti_datausage.png b/plugin/appstatus/data/stc_noti_datausage.png old mode 100755 new mode 100644 diff --git a/plugin/appstatus/include/stc-plugin-appstatus.h b/plugin/appstatus/include/stc-plugin-appstatus.h old mode 100755 new mode 100644 diff --git a/plugin/appstatus/stc-plugin-appstatus.c b/plugin/appstatus/stc-plugin-appstatus.c old mode 100755 new mode 100644 diff --git a/plugin/exception/CMakeLists.txt b/plugin/exception/CMakeLists.txt old mode 100755 new mode 100644 diff --git a/plugin/exception/include/stc-plugin-exception.h b/plugin/exception/include/stc-plugin-exception.h old mode 100755 new mode 100644 diff --git a/plugin/exception/stc-plugin-exception.c b/plugin/exception/stc-plugin-exception.c old mode 100755 new mode 100644 diff --git a/plugin/procfs/CMakeLists.txt b/plugin/procfs/CMakeLists.txt old mode 100755 new mode 100644 diff --git a/plugin/procfs/include/stc-plugin-procfs.h b/plugin/procfs/include/stc-plugin-procfs.h old mode 100755 new mode 100644 diff --git a/plugin/procfs/stc-plugin-procfs.c b/plugin/procfs/stc-plugin-procfs.c old mode 100755 new mode 100644 diff --git a/resources/systemd/stc-manager.service b/resources/systemd/stc-manager.service old mode 100755 new mode 100644 diff --git a/src/configure/include/configure_stub.h b/src/configure/include/configure_stub.h old mode 100755 new mode 100644 diff --git a/src/configure/include/counter.h b/src/configure/include/counter.h old mode 100755 new mode 100644 diff --git a/src/database/db-common.c b/src/database/db-common.c old mode 100755 new mode 100644 diff --git a/src/database/db-guard.c b/src/database/db-guard.c old mode 100755 new mode 100644 diff --git a/src/database/include/db-internal.h b/src/database/include/db-internal.h old mode 100755 new mode 100644 diff --git a/src/database/include/stc-db.h b/src/database/include/stc-db.h old mode 100755 new mode 100644 diff --git a/src/database/include/table-counters.h b/src/database/include/table-counters.h old mode 100755 new mode 100644 diff --git a/src/database/include/table-firewall.h b/src/database/include/table-firewall.h old mode 100755 new mode 100644 diff --git a/src/database/include/table-restrictions.h b/src/database/include/table-restrictions.h old mode 100755 new mode 100644 diff --git a/src/database/include/table-statistics.h b/src/database/include/table-statistics.h old mode 100755 new mode 100644 diff --git a/src/database/tables/table-counters.c b/src/database/tables/table-counters.c old mode 100755 new mode 100644 diff --git a/src/database/tables/table-firewall.c b/src/database/tables/table-firewall.c old mode 100755 new mode 100644 diff --git a/src/database/tables/table-restrictions.c b/src/database/tables/table-restrictions.c old mode 100755 new mode 100644 diff --git a/src/database/tables/table-statistics.c b/src/database/tables/table-statistics.c old mode 100755 new mode 100644 diff --git a/src/helper/helper-cgroup.c b/src/helper/helper-cgroup.c old mode 100755 new mode 100644 diff --git a/src/helper/helper-cgroup.h b/src/helper/helper-cgroup.h old mode 100755 new mode 100644 diff --git a/src/helper/helper-file.c b/src/helper/helper-file.c old mode 100755 new mode 100644 diff --git a/src/helper/helper-file.h b/src/helper/helper-file.h old mode 100755 new mode 100644 diff --git a/src/helper/helper-firewall.c b/src/helper/helper-firewall.c old mode 100755 new mode 100644 diff --git a/src/helper/helper-firewall.h b/src/helper/helper-firewall.h old mode 100755 new mode 100644 diff --git a/src/helper/helper-iptables.c b/src/helper/helper-iptables.c old mode 100755 new mode 100644 diff --git a/src/helper/helper-iptables.h b/src/helper/helper-iptables.h old mode 100755 new mode 100644 diff --git a/src/helper/helper-net-cls.c b/src/helper/helper-net-cls.c old mode 100755 new mode 100644 diff --git a/src/helper/helper-net-cls.h b/src/helper/helper-net-cls.h old mode 100755 new mode 100644 diff --git a/src/helper/helper-nfacct-rule.c b/src/helper/helper-nfacct-rule.c old mode 100755 new mode 100644 diff --git a/src/helper/helper-nfacct-rule.h b/src/helper/helper-nfacct-rule.h old mode 100755 new mode 100644 diff --git a/src/helper/helper-nl.c b/src/helper/helper-nl.c old mode 100755 new mode 100644 diff --git a/src/helper/helper-nl.h b/src/helper/helper-nl.h old mode 100755 new mode 100644 diff --git a/src/helper/helper-procfs.c b/src/helper/helper-procfs.c old mode 100755 new mode 100644 diff --git a/src/helper/helper-procfs.h b/src/helper/helper-procfs.h old mode 100755 new mode 100644 diff --git a/src/monitor/include/stc-default-connection.h b/src/monitor/include/stc-default-connection.h old mode 100755 new mode 100644 diff --git a/src/monitor/include/stc-emulator.h b/src/monitor/include/stc-emulator.h old mode 100755 new mode 100644 diff --git a/src/monitor/include/stc-monitor.h b/src/monitor/include/stc-monitor.h old mode 100755 new mode 100644 diff --git a/src/monitor/stc-default-connection.c b/src/monitor/stc-default-connection.c old mode 100755 new mode 100644 diff --git a/src/monitor/stc-emulator.c b/src/monitor/stc-emulator.c old mode 100755 new mode 100644 diff --git a/src/monitor/stc-monitor.c b/src/monitor/stc-monitor.c old mode 100755 new mode 100644 diff --git a/src/stc-firewall.c b/src/stc-firewall.c old mode 100755 new mode 100644 diff --git a/src/stc-manager-gdbus.c b/src/stc-manager-gdbus.c old mode 100755 new mode 100644 diff --git a/src/stc-manager-plugin-appstatus.c b/src/stc-manager-plugin-appstatus.c old mode 100755 new mode 100644 diff --git a/src/stc-manager-plugin-exception.c b/src/stc-manager-plugin-exception.c old mode 100755 new mode 100644 diff --git a/src/stc-manager-plugin-procfs.c b/src/stc-manager-plugin-procfs.c old mode 100755 new mode 100644 diff --git a/src/stc-manager-util.c b/src/stc-manager-util.c old mode 100755 new mode 100644 diff --git a/src/stc-manager.c b/src/stc-manager.c old mode 100755 new mode 100644 diff --git a/src/stc-restriction.c b/src/stc-restriction.c old mode 100755 new mode 100644 diff --git a/src/stc-statistics.c b/src/stc-statistics.c old mode 100755 new mode 100644 diff --git a/src/utils/net-cls-release.c b/src/utils/net-cls-release.c old mode 100755 new mode 100644 diff --git a/unittest/CMakeLists.txt b/unittest/CMakeLists.txt old mode 100755 new mode 100644 diff --git a/unittest/gdbus.h b/unittest/gdbus.h old mode 100755 new mode 100644 diff --git a/unittest/manager.h b/unittest/manager.h old mode 100755 new mode 100644 diff --git a/unittest/restriction.h b/unittest/restriction.h old mode 100755 new mode 100644 diff --git a/unittest/statistics.h b/unittest/statistics.h old mode 100755 new mode 100644 diff --git a/unittest/stcmgr.h b/unittest/stcmgr.h old mode 100755 new mode 100644 diff --git a/unittest/unittest.h b/unittest/unittest.h old mode 100755 new mode 100644 -- 2.7.4 From ccdf22a5861f7ce5b4b72810c03e632e1e2e5e92 Mon Sep 17 00:00:00 2001 From: Nishant Chaprana Date: Fri, 18 May 2018 20:18:09 +0530 Subject: [PATCH 15/16] Fix: Malloc only when making process entry in tree Description: For some processes both FORK and EXEC events are emitted, however we were allocating mamory in both methods, but not unallocating the memory in failure case when entry was already present. So we should malloc only when we are creating an entry in process tree. Change-Id: Iedc3c10eabb41ad4da854ab8d0cf45759bbedcc7 Signed-off-by: Nishant Chaprana --- packaging/stc-manager.spec | 2 +- plugin/procfs/stc-plugin-procfs.c | 110 +++++++++++++++++++++----------------- 2 files changed, 62 insertions(+), 50 deletions(-) diff --git a/packaging/stc-manager.spec b/packaging/stc-manager.spec index de1f0c8..f01d2a5 100644 --- a/packaging/stc-manager.spec +++ b/packaging/stc-manager.spec @@ -1,6 +1,6 @@ Name: stc-manager Summary: STC(Smart Traffic Control) manager -Version: 0.0.64 +Version: 0.0.65 Release: 0 Group: Network & Connectivity/Other License: Apache-2.0 diff --git a/plugin/procfs/stc-plugin-procfs.c b/plugin/procfs/stc-plugin-procfs.c index df2c195..36b8f78 100644 --- a/plugin/procfs/stc-plugin-procfs.c +++ b/plugin/procfs/stc-plugin-procfs.c @@ -145,8 +145,7 @@ static proc_value_s * __proc_tree_find_parent(proc_value_s *value) return parent; } -static void __proc_tree_add(proc_key_s *key, - proc_value_s *value) +static void __proc_tree_add(proc_key_s *key, proc_value_s *value) { proc_value_s *lookup; proc_value_s *parent; @@ -156,32 +155,54 @@ static void __proc_tree_add(proc_key_s *key, return; } + if (key == NULL || value == NULL) { + if (STC_DEBUG_LOG) + STC_LOGE("invalid parameters"); + return; + } + lookup = g_tree_lookup(proc_tree, key); if (lookup) { if (STC_DEBUG_LOG) STC_LOGD("LOOKUP: tgid[\033[1;33m%s\033[0;m] pid[%s] ppid[\033[1;35m%s\033[0;m] " - "cmdline[\033[0;34m%s\033[0;m] name[%s]", lookup->status[PROC_STATUS_TGID], - lookup->status[PROC_STATUS_PID], lookup->status[PROC_STATUS_PPID], - lookup->cmdline, lookup->status[PROC_STATUS_NAME]); + "cmdline[\033[0;34m%s\033[0;m] name[%s]", lookup->status[PROC_STATUS_TGID], + lookup->status[PROC_STATUS_PID], lookup->status[PROC_STATUS_PPID], + lookup->cmdline, lookup->status[PROC_STATUS_NAME]); return; } + proc_key_s *proc_key = MALLOC0(proc_key_s, 1); + if (proc_key == NULL) { + STC_LOGE("memory allocation failed"); + return; + } + + proc_value_s *proc_value = MALLOC0(proc_value_s, 1); + if (proc_value == NULL) { + STC_LOGE("memory allocation failed"); + FREE(proc_key); + return; + } + + memcpy(proc_key, key, sizeof(proc_key_s)); + memcpy(proc_value, value, sizeof(proc_value_s)); + if (STC_DEBUG_LOG) STC_LOGD("cmdline [%s] pid[%s] ppid[%s]", value->cmdline, - value->status[PROC_STATUS_PID], value->status[PROC_STATUS_PPID]); + value->status[PROC_STATUS_PID], value->status[PROC_STATUS_PPID]); - g_tree_insert(proc_tree, key, value); + g_tree_insert(proc_tree, proc_key, proc_value); if (STC_DEBUG_LOG) __proc_tree_printall(); - parent = __proc_tree_find_parent(value); + parent = __proc_tree_find_parent(proc_value); if (parent != NULL) - stc_plugin_procfs_status_changed(STC_CMD_SET_SERVICE_LAUNCHED, key->pid, + stc_plugin_procfs_status_changed(STC_CMD_SET_SERVICE_LAUNCHED, proc_key->pid, parent->cmdline, parent->cmdline, STC_APP_TYPE_SERVICE); else - stc_plugin_procfs_status_changed(STC_CMD_SET_SERVICE_LAUNCHED, key->pid, - value->cmdline, value->cmdline, STC_APP_TYPE_SERVICE); + stc_plugin_procfs_status_changed(STC_CMD_SET_SERVICE_LAUNCHED, proc_key->pid, + proc_value->cmdline, proc_value->cmdline, STC_APP_TYPE_SERVICE); } static void __proc_tree_remove(const proc_key_s *key) @@ -278,6 +299,10 @@ static void __process_event_fork(int tgid, int pid) char cmdline[PROC_NAME_MAX] = {0, }; char status[PROC_STATUS_CNT][PROC_BUF_MAX]; + /* TODO: Add newly created thread to the process tasks */ + if (tgid != pid) + return; + memset(status, 0x0, sizeof(status)); if (STC_ERROR_NONE == proc_get_cmdline(pid, cmdline) && @@ -290,26 +315,16 @@ static void __process_event_fork(int tgid, int pid) } unsigned int i; - proc_key_s *key; - proc_value_s *value; - - key = MALLOC0(proc_key_s, 1); - if (key == NULL) { - STC_LOGE("memory allocation failed"); - return; - } + proc_key_s key; + proc_value_s value; - value = MALLOC0(proc_value_s, 1); - if (value == NULL) { - STC_LOGE("memory allocation failed"); - FREE(key); - return; - } + memset(&key, 0x0, sizeof(proc_key_s)); + memset(&value, 0x0, sizeof(proc_value_s)); - key->pid = tgid; + key.pid = tgid; for (i = 0; i < PROC_STATUS_CNT; ++i) - g_strlcpy(value->status[i], status[i], sizeof(value->status[i])); - g_strlcpy(value->cmdline, cmdline, sizeof(value->cmdline)); + g_strlcpy(value.status[i], status[i], sizeof(value.status[i])); + g_strlcpy(value.cmdline, cmdline, sizeof(value.cmdline)); if (STC_DEBUG_LOG) { STC_LOGD("\033[1;34mFORK\033[0;m: tgid[\033[1;33m%d\033[0;m] ppid=[\033[1;35m%s\033[0;m] " @@ -319,7 +334,7 @@ static void __process_event_fork(int tgid, int pid) status[PROC_STATUS_NAME], status[PROC_STATUS_STATE], status[PROC_STATUS_TRACERPID]); } - __proc_tree_add(key, value); + __proc_tree_add(&key, &value); } } @@ -328,6 +343,10 @@ static void __process_event_exec(int tgid, int pid) char cmdline[PROC_NAME_MAX] = {0, }; char status[PROC_STATUS_CNT][PROC_BUF_MAX]; + /* TODO: Add newly created thread to the process tasks */ + if (tgid != pid) + return; + memset(status, 0x0, sizeof(status)); if (STC_ERROR_NONE == proc_get_cmdline(pid, cmdline) && @@ -340,26 +359,17 @@ static void __process_event_exec(int tgid, int pid) } unsigned int i; - proc_key_s *key; - proc_value_s *value; - - key = MALLOC0(proc_key_s, 1); - if (key == NULL) { - STC_LOGE("memory allocation failed"); - return; - } + proc_key_s key; + proc_value_s value; - value = MALLOC0(proc_value_s, 1); - if (value == NULL) { - STC_LOGE("memory allocation failed"); - FREE(key); - return; - } + memset(&key, 0x0, sizeof(proc_key_s)); + memset(&value, 0x0, sizeof(proc_value_s)); - key->pid = tgid; + key.pid = tgid; for (i = 0; i < PROC_STATUS_CNT; ++i) - g_strlcpy(value->status[i], status[i], sizeof(value->status[i])); - g_strlcpy(value->cmdline, cmdline, sizeof(value->cmdline)); + g_strlcpy(value.status[i], status[i], + sizeof(value.status[i])); + g_strlcpy(value.cmdline, cmdline, sizeof(value.cmdline)); if (STC_DEBUG_LOG) { STC_LOGD("\033[1;32mEXEC\033[0;m: tgid[\033[1;33m%d\033[0;m] ppid=[\033[1;35m%s\033[0;m] " @@ -369,7 +379,7 @@ static void __process_event_exec(int tgid, int pid) status[PROC_STATUS_NAME], status[PROC_STATUS_STATE], status[PROC_STATUS_TRACERPID]); } - __proc_tree_add(key, value); + __proc_tree_add(&key, &value); } } @@ -548,8 +558,10 @@ int stc_plugin_procfs_deinitialize(void) return STC_ERROR_NONE; } -stc_error_e stc_plugin_procfs_status_changed(stc_cmd_type_e cmd, - pid_t pid, const gchar *app_id, const gchar *pkg_id, stc_app_type_e app_type) +stc_error_e stc_plugin_procfs_status_changed(stc_cmd_type_e cmd, pid_t pid, + const gchar *app_id, + const gchar *pkg_id, + stc_app_type_e app_type) { stc_error_e ret = STC_ERROR_NONE; -- 2.7.4 From 3fe2d2fa0830c3abc50a913934100592d9c745fb Mon Sep 17 00:00:00 2001 From: hyunuktak Date: Wed, 23 May 2018 13:20:27 +0900 Subject: [PATCH 16/16] Removed secure dlog for sql query Change-Id: I1505bd691ed8a28e6e552eda033e864b4012b592 Signed-off-by: hyunuktak --- packaging/stc-manager.spec | 2 +- src/database/tables/table-restrictions.c | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) mode change 100644 => 100755 src/database/tables/table-restrictions.c diff --git a/packaging/stc-manager.spec b/packaging/stc-manager.spec index f01d2a5..7d6decf 100644 --- a/packaging/stc-manager.spec +++ b/packaging/stc-manager.spec @@ -1,6 +1,6 @@ Name: stc-manager Summary: STC(Smart Traffic Control) manager -Version: 0.0.65 +Version: 0.0.66 Release: 0 Group: Network & Connectivity/Other License: Apache-2.0 diff --git a/src/database/tables/table-restrictions.c b/src/database/tables/table-restrictions.c old mode 100644 new mode 100755 index 5c7e4ee..12fa67d --- a/src/database/tables/table-restrictions.c +++ b/src/database/tables/table-restrictions.c @@ -410,8 +410,7 @@ stc_error_e table_restrictions_get_restriction_type_subscriber_id(const char *ap break; case SQLITE_ERROR: default: - STC_LOGE("Can't perform sql query: %s \n%s", //LCOV_EXCL_LINE - SELECT_RESTRICTION_TYPE, + STC_LOGE("Can't perform sql query: %s\n", //LCOV_EXCL_LINE sqlite3_errmsg(stc_db_get_database())); error_code = STC_ERROR_DB_FAILED; //LCOV_EXCL_LINE } -- 2.7.4