5 * Copyright (C) 2013,2015 BMW Car IT GmbH.
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
29 #include <linux/netfilter_ipv4/ip_tables.h>
33 #define CHAIN_PREFIX "connman-"
35 static const char *builtin_chains[] = {
36 [NF_IP_PRE_ROUTING] = "PREROUTING",
37 [NF_IP_LOCAL_IN] = "INPUT",
38 [NF_IP_FORWARD] = "FORWARD",
39 [NF_IP_LOCAL_OUT] = "OUTPUT",
40 [NF_IP_POST_ROUTING] = "POSTROUTING",
43 struct connman_managed_table {
45 unsigned int chains[NF_INET_NUMHOOKS];
55 struct firewall_context {
59 static GSList *managed_tables;
60 static struct firewall_context *connmark_ctx;
61 static unsigned int connmark_ref;
63 static int chain_to_index(const char *chain_name)
65 if (!g_strcmp0(builtin_chains[NF_IP_PRE_ROUTING], chain_name))
66 return NF_IP_PRE_ROUTING;
67 if (!g_strcmp0(builtin_chains[NF_IP_LOCAL_IN], chain_name))
68 return NF_IP_LOCAL_IN;
69 if (!g_strcmp0(builtin_chains[NF_IP_FORWARD], chain_name))
71 if (!g_strcmp0(builtin_chains[NF_IP_LOCAL_OUT], chain_name))
72 return NF_IP_LOCAL_OUT;
73 if (!g_strcmp0(builtin_chains[NF_IP_POST_ROUTING], chain_name))
74 return NF_IP_POST_ROUTING;
79 static int managed_chain_to_index(const char *chain_name)
81 if (!g_str_has_prefix(chain_name, CHAIN_PREFIX))
84 return chain_to_index(chain_name + strlen(CHAIN_PREFIX));
87 static int insert_managed_chain(const char *table_name, int id)
89 char *rule, *managed_chain;
92 managed_chain = g_strdup_printf("%s%s", CHAIN_PREFIX,
95 err = __connman_iptables_new_chain(table_name, managed_chain);
99 rule = g_strdup_printf("-j %s", managed_chain);
100 err = __connman_iptables_insert(table_name, builtin_chains[id], rule);
103 __connman_iptables_delete_chain(table_name, managed_chain);
108 g_free(managed_chain);
113 static int delete_managed_chain(const char *table_name, int id)
115 char *rule, *managed_chain;
118 managed_chain = g_strdup_printf("%s%s", CHAIN_PREFIX,
121 rule = g_strdup_printf("-j %s", managed_chain);
122 err = __connman_iptables_delete(table_name, builtin_chains[id], rule);
128 err = __connman_iptables_delete_chain(table_name, managed_chain);
131 g_free(managed_chain);
136 static int insert_managed_rule(const char *table_name,
137 const char *chain_name,
138 const char *rule_spec)
140 struct connman_managed_table *mtable = NULL;
145 id = chain_to_index(chain_name);
147 /* This chain is not managed */
148 chain = g_strdup(chain_name);
152 for (list = managed_tables; list; list = list->next) {
155 if (g_strcmp0(mtable->name, table_name) == 0)
162 mtable = g_new0(struct connman_managed_table, 1);
163 mtable->name = g_strdup(table_name);
165 managed_tables = g_slist_prepend(managed_tables, mtable);
168 if (mtable->chains[id] == 0) {
169 DBG("table %s add managed chain for %s",
170 table_name, chain_name);
172 err = insert_managed_chain(table_name, id);
177 mtable->chains[id]++;
178 chain = g_strdup_printf("%s%s", CHAIN_PREFIX, chain_name);
181 err = __connman_iptables_append(table_name, chain, rule_spec);
188 static int delete_managed_rule(const char *table_name,
189 const char *chain_name,
190 const char *rule_spec)
192 struct connman_managed_table *mtable = NULL;
197 id = chain_to_index(chain_name);
199 /* This chain is not managed */
200 return __connman_iptables_delete(table_name, chain_name,
204 managed_chain = g_strdup_printf("%s%s", CHAIN_PREFIX, chain_name);
206 err = __connman_iptables_delete(table_name, managed_chain,
209 for (list = managed_tables; list; list = list->next) {
212 if (g_strcmp0(mtable->name, table_name) == 0)
223 mtable->chains[id]--;
224 if (mtable->chains[id] > 0)
227 DBG("table %s remove managed chain for %s",
228 table_name, chain_name);
230 err = delete_managed_chain(table_name, id);
233 g_free(managed_chain);
238 static void cleanup_managed_table(gpointer user_data)
240 struct connman_managed_table *table = user_data;
246 static void cleanup_fw_rule(gpointer user_data)
248 struct fw_rule *rule = user_data;
250 g_free(rule->rule_spec);
256 struct firewall_context *__connman_firewall_create(void)
258 struct firewall_context *ctx;
260 ctx = g_new0(struct firewall_context, 1);
265 void __connman_firewall_destroy(struct firewall_context *ctx)
267 g_list_free_full(ctx->rules, cleanup_fw_rule);
271 static int enable_rule(struct fw_rule *rule)
278 DBG("%s %s %s", rule->table, rule->chain, rule->rule_spec);
280 err = insert_managed_rule(rule->table, rule->chain, rule->rule_spec);
284 err = __connman_iptables_commit(rule->table);
288 rule->enabled = true;
293 static int disable_rule(struct fw_rule *rule)
300 err = delete_managed_rule(rule->table, rule->chain, rule->rule_spec);
302 connman_error("Cannot remove previously installed "
303 "iptables rules: %s", strerror(-err));
307 err = __connman_iptables_commit(rule->table);
309 connman_error("Cannot remove previously installed "
310 "iptables rules: %s", strerror(-err));
314 rule->enabled = false;
319 static void firewall_add_rule(struct firewall_context *ctx,
322 const char *rule_fmt, ...)
326 struct fw_rule *rule;
328 va_start(args, rule_fmt);
330 rule_spec = g_strdup_vprintf(rule_fmt, args);
334 rule = g_new0(struct fw_rule, 1);
336 rule->enabled = false;
337 rule->table = g_strdup(table);
338 rule->chain = g_strdup(chain);
339 rule->rule_spec = rule_spec;
341 ctx->rules = g_list_append(ctx->rules, rule);
344 static void firewall_remove_rules(struct firewall_context *ctx)
346 struct fw_rule *rule;
349 for (list = g_list_last(ctx->rules); list;
350 list = g_list_previous(list)) {
353 ctx->rules = g_list_remove(ctx->rules, rule);
354 cleanup_fw_rule(rule);
358 static int firewall_enable_rules(struct firewall_context *ctx)
360 struct fw_rule *rule;
364 for (list = g_list_first(ctx->rules); list; list = g_list_next(list)) {
367 err = enable_rule(rule);
375 static int firewall_disable_rules(struct firewall_context *ctx)
377 struct fw_rule *rule;
382 for (list = g_list_last(ctx->rules); list;
383 list = g_list_previous(list)) {
386 e = disable_rule(rule);
388 /* Report last error back */
389 if (e == 0 && err == -ENOENT)
398 int __connman_firewall_enable_nat(struct firewall_context *ctx,
399 char *address, unsigned char prefixlen,
405 cmd = g_strdup_printf("-s %s/%d -o %s -j MASQUERADE",
406 address, prefixlen, interface);
408 firewall_add_rule(ctx, "nat", "POSTROUTING", cmd);
410 err = firewall_enable_rules(ctx);
412 firewall_remove_rules(ctx);
416 int __connman_firewall_disable_nat(struct firewall_context *ctx)
420 err = firewall_disable_rules(ctx);
422 DBG("could not disable NAT rule");
426 firewall_remove_rules(ctx);
430 int __connman_firewall_enable_snat(struct firewall_context *ctx,
431 int index, const char *ifname,
436 firewall_add_rule(ctx, "nat", "POSTROUTING",
437 "-o %s -j SNAT --to-source %s",
440 err = firewall_enable_rules(ctx);
442 firewall_remove_rules(ctx);
446 int __connman_firewall_disable_snat(struct firewall_context *ctx)
450 err = firewall_disable_rules(ctx);
452 DBG("could not disable SNAT rule");
456 firewall_remove_rules(ctx);
460 static int firewall_enable_connmark(void)
464 if (connmark_ref > 0) {
469 connmark_ctx = __connman_firewall_create();
471 firewall_add_rule(connmark_ctx, "mangle", "INPUT",
472 "-j CONNMARK --restore-mark");
473 firewall_add_rule(connmark_ctx, "mangle", "POSTROUTING",
474 "-j CONNMARK --save-mark");
475 err = firewall_enable_rules(connmark_ctx);
477 __connman_firewall_destroy(connmark_ctx);
485 static void firewall_disable_connmark(void)
488 if (connmark_ref > 0)
491 firewall_disable_rules(connmark_ctx);
492 __connman_firewall_destroy(connmark_ctx);
496 int __connman_firewall_enable_marking(struct firewall_context *ctx,
497 enum connman_session_id_type id_type,
498 char *id, const char *src_ip,
503 err = firewall_enable_connmark();
508 case CONNMAN_SESSION_ID_TYPE_UID:
509 firewall_add_rule(ctx, "mangle", "OUTPUT",
510 "-m owner --uid-owner %s -j MARK --set-mark %d",
513 case CONNMAN_SESSION_ID_TYPE_GID:
514 firewall_add_rule(ctx, "mangle", "OUTPUT",
515 "-m owner --gid-owner %s -j MARK --set-mark %d",
518 case CONNMAN_SESSION_ID_TYPE_UNKNOWN:
520 case CONNMAN_SESSION_ID_TYPE_LSM:
526 firewall_add_rule(ctx, "mangle", "OUTPUT",
527 "-s %s -j MARK --set-mark %d",
531 return firewall_enable_rules(ctx);
534 int __connman_firewall_disable_marking(struct firewall_context *ctx)
536 firewall_disable_connmark();
537 return firewall_disable_rules(ctx);
540 static void iterate_chains_cb(const char *chain_name, void *user_data)
542 GSList **chains = user_data;
545 id = managed_chain_to_index(chain_name);
549 *chains = g_slist_prepend(*chains, GINT_TO_POINTER(id));
552 static void flush_table(const char *table_name)
554 GSList *chains = NULL, *list;
555 char *rule, *managed_chain;
558 __connman_iptables_iterate_chains(table_name, iterate_chains_cb,
561 for (list = chains; list; list = list->next) {
562 id = GPOINTER_TO_INT(list->data);
564 managed_chain = g_strdup_printf("%s%s", CHAIN_PREFIX,
567 rule = g_strdup_printf("-j %s", managed_chain);
568 err = __connman_iptables_delete(table_name,
569 builtin_chains[id], rule);
571 connman_warn("Failed to delete jump rule '%s': %s",
572 rule, strerror(-err));
576 err = __connman_iptables_flush_chain(table_name, managed_chain);
578 connman_warn("Failed to flush chain '%s': %s",
579 managed_chain, strerror(-err));
581 err = __connman_iptables_delete_chain(table_name, managed_chain);
583 connman_warn("Failed to delete chain '%s': %s",
584 managed_chain, strerror(-err));
587 g_free(managed_chain);
590 err = __connman_iptables_commit(table_name);
592 connman_warn("Failed to flush table '%s': %s",
593 table_name, strerror(-err));
596 g_slist_free(chains);
599 static void flush_all_tables(void)
601 /* Flush the tables ConnMan might have modified
602 * But do so if only ConnMan has done something with
605 if (!g_file_test("/proc/net/ip_tables_names",
606 G_FILE_TEST_EXISTS | G_FILE_TEST_IS_REGULAR)) {
610 flush_table("filter");
611 flush_table("mangle");
615 int __connman_firewall_init(void)
619 __connman_iptables_init();
625 void __connman_firewall_cleanup(void)
629 g_slist_free_full(managed_tables, cleanup_managed_table);
630 __connman_iptables_cleanup();
projects / platform / upstream / connman.git / blob