| /* |
| * |
| * Connection Manager |
| * |
| * Copyright (C) 2013,2015 BMW Car IT GmbH. |
| * |
| * This program is free software; you can redistribute it and/or modify |
| * it under the terms of the GNU General Public License version 2 as |
| * published by the Free Software Foundation. |
| * |
| * This program is distributed in the hope that it will be useful, |
| * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| * GNU General Public License for more details. |
| * |
| * You should have received a copy of the GNU General Public License |
| * along with this program; if not, write to the Free Software |
| * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA |
| * |
| */ |
| |
| #ifdef HAVE_CONFIG_H |
| #include <config.h> |
| #endif |
| |
| #include <errno.h> |
| |
| #include <xtables.h> |
| #include <linux/netfilter_ipv4/ip_tables.h> |
| |
| #include "connman.h" |
| |
| #define CHAIN_PREFIX "connman-" |
| |
| static const char *builtin_chains[] = { |
| [NF_IP_PRE_ROUTING] = "PREROUTING", |
| [NF_IP_LOCAL_IN] = "INPUT", |
| [NF_IP_FORWARD] = "FORWARD", |
| [NF_IP_LOCAL_OUT] = "OUTPUT", |
| [NF_IP_POST_ROUTING] = "POSTROUTING", |
| }; |
| |
| struct connman_managed_table { |
| char *name; |
| unsigned int chains[NF_INET_NUMHOOKS]; |
| }; |
| |
| struct fw_rule { |
| bool enabled; |
| char *table; |
| char *chain; |
| char *rule_spec; |
| }; |
| |
| struct firewall_context { |
| GList *rules; |
| }; |
| |
| static GSList *managed_tables; |
| static struct firewall_context *connmark_ctx; |
| static unsigned int connmark_ref; |
| |
| static int chain_to_index(const char *chain_name) |
| { |
| if (!g_strcmp0(builtin_chains[NF_IP_PRE_ROUTING], chain_name)) |
| return NF_IP_PRE_ROUTING; |
| if (!g_strcmp0(builtin_chains[NF_IP_LOCAL_IN], chain_name)) |
| return NF_IP_LOCAL_IN; |
| if (!g_strcmp0(builtin_chains[NF_IP_FORWARD], chain_name)) |
| return NF_IP_FORWARD; |
| if (!g_strcmp0(builtin_chains[NF_IP_LOCAL_OUT], chain_name)) |
| return NF_IP_LOCAL_OUT; |
| if (!g_strcmp0(builtin_chains[NF_IP_POST_ROUTING], chain_name)) |
| return NF_IP_POST_ROUTING; |
| |
| return -1; |
| } |
| |
| static int managed_chain_to_index(const char *chain_name) |
| { |
| if (!g_str_has_prefix(chain_name, CHAIN_PREFIX)) |
| return -1; |
| |
| return chain_to_index(chain_name + strlen(CHAIN_PREFIX)); |
| } |
| |
| static int insert_managed_chain(const char *table_name, int id) |
| { |
| char *rule, *managed_chain; |
| int err; |
| |
| managed_chain = g_strdup_printf("%s%s", CHAIN_PREFIX, |
| builtin_chains[id]); |
| |
| err = __connman_iptables_new_chain(table_name, managed_chain); |
| if (err < 0) |
| goto out; |
| |
| rule = g_strdup_printf("-j %s", managed_chain); |
| err = __connman_iptables_insert(table_name, builtin_chains[id], rule); |
| g_free(rule); |
| if (err < 0) { |
| __connman_iptables_delete_chain(table_name, managed_chain); |
| goto out; |
| } |
| |
| out: |
| g_free(managed_chain); |
| |
| return err; |
| } |
| |
| static int delete_managed_chain(const char *table_name, int id) |
| { |
| char *rule, *managed_chain; |
| int err; |
| |
| managed_chain = g_strdup_printf("%s%s", CHAIN_PREFIX, |
| builtin_chains[id]); |
| |
| rule = g_strdup_printf("-j %s", managed_chain); |
| err = __connman_iptables_delete(table_name, builtin_chains[id], rule); |
| g_free(rule); |
| |
| if (err < 0) |
| goto out; |
| |
| err = __connman_iptables_delete_chain(table_name, managed_chain); |
| |
| out: |
| g_free(managed_chain); |
| |
| return err; |
| } |
| |
| static int insert_managed_rule(const char *table_name, |
| const char *chain_name, |
| const char *rule_spec) |
| { |
| struct connman_managed_table *mtable = NULL; |
| GSList *list; |
| char *chain; |
| int id, err; |
| |
| id = chain_to_index(chain_name); |
| if (id < 0) { |
| /* This chain is not managed */ |
| chain = g_strdup(chain_name); |
| goto out; |
| } |
| |
| for (list = managed_tables; list; list = list->next) { |
| mtable = list->data; |
| |
| if (g_strcmp0(mtable->name, table_name) == 0) |
| break; |
| |
| mtable = NULL; |
| } |
| |
| if (!mtable) { |
| mtable = g_new0(struct connman_managed_table, 1); |
| mtable->name = g_strdup(table_name); |
| |
| managed_tables = g_slist_prepend(managed_tables, mtable); |
| } |
| |
| if (mtable->chains[id] == 0) { |
| DBG("table %s add managed chain for %s", |
| table_name, chain_name); |
| |
| err = insert_managed_chain(table_name, id); |
| if (err < 0) |
| return err; |
| } |
| |
| mtable->chains[id]++; |
| chain = g_strdup_printf("%s%s", CHAIN_PREFIX, chain_name); |
| |
| out: |
| err = __connman_iptables_append(table_name, chain, rule_spec); |
| |
| g_free(chain); |
| |
| return err; |
| } |
| |
| static int delete_managed_rule(const char *table_name, |
| const char *chain_name, |
| const char *rule_spec) |
| { |
| struct connman_managed_table *mtable = NULL; |
| GSList *list; |
| int id, err; |
| char *managed_chain; |
| |
| id = chain_to_index(chain_name); |
| if (id < 0) { |
| /* This chain is not managed */ |
| return __connman_iptables_delete(table_name, chain_name, |
| rule_spec); |
| } |
| |
| managed_chain = g_strdup_printf("%s%s", CHAIN_PREFIX, chain_name); |
| |
| err = __connman_iptables_delete(table_name, managed_chain, |
| rule_spec); |
| |
| for (list = managed_tables; list; list = list->next) { |
| mtable = list->data; |
| |
| if (g_strcmp0(mtable->name, table_name) == 0) |
| break; |
| |
| mtable = NULL; |
| } |
| |
| if (!mtable) { |
| err = -ENOENT; |
| goto out; |
| } |
| |
| mtable->chains[id]--; |
| if (mtable->chains[id] > 0) |
| goto out; |
| |
| DBG("table %s remove managed chain for %s", |
| table_name, chain_name); |
| |
| err = delete_managed_chain(table_name, id); |
| |
| out: |
| g_free(managed_chain); |
| |
| return err; |
| } |
| |
| static void cleanup_managed_table(gpointer user_data) |
| { |
| struct connman_managed_table *table = user_data; |
| |
| g_free(table->name); |
| g_free(table); |
| } |
| |
| static void cleanup_fw_rule(gpointer user_data) |
| { |
| struct fw_rule *rule = user_data; |
| |
| g_free(rule->rule_spec); |
| g_free(rule->chain); |
| g_free(rule->table); |
| g_free(rule); |
| } |
| |
| struct firewall_context *__connman_firewall_create(void) |
| { |
| struct firewall_context *ctx; |
| |
| ctx = g_new0(struct firewall_context, 1); |
| |
| return ctx; |
| } |
| |
| void __connman_firewall_destroy(struct firewall_context *ctx) |
| { |
| g_list_free_full(ctx->rules, cleanup_fw_rule); |
| g_free(ctx); |
| } |
| |
| static int enable_rule(struct fw_rule *rule) |
| { |
| int err; |
| |
| if (rule->enabled) |
| return -EALREADY; |
| |
| DBG("%s %s %s", rule->table, rule->chain, rule->rule_spec); |
| |
| err = insert_managed_rule(rule->table, rule->chain, rule->rule_spec); |
| if (err < 0) |
| return err; |
| |
| err = __connman_iptables_commit(rule->table); |
| if (err < 0) |
| return err; |
| |
| rule->enabled = true; |
| |
| return 0; |
| } |
| |
| static int disable_rule(struct fw_rule *rule) |
| { |
| int err; |
| |
| if (!rule->enabled) |
| return -EALREADY; |
| |
| err = delete_managed_rule(rule->table, rule->chain, rule->rule_spec); |
| if (err < 0) { |
| connman_error("Cannot remove previously installed " |
| "iptables rules: %s", strerror(-err)); |
| return err; |
| } |
| |
| err = __connman_iptables_commit(rule->table); |
| if (err < 0) { |
| connman_error("Cannot remove previously installed " |
| "iptables rules: %s", strerror(-err)); |
| return err; |
| } |
| |
| rule->enabled = false; |
| |
| return 0; |
| } |
| |
| static void firewall_add_rule(struct firewall_context *ctx, |
| const char *table, |
| const char *chain, |
| const char *rule_fmt, ...) |
| { |
| va_list args; |
| char *rule_spec; |
| struct fw_rule *rule; |
| |
| va_start(args, rule_fmt); |
| |
| rule_spec = g_strdup_vprintf(rule_fmt, args); |
| |
| va_end(args); |
| |
| rule = g_new0(struct fw_rule, 1); |
| |
| rule->enabled = false; |
| rule->table = g_strdup(table); |
| rule->chain = g_strdup(chain); |
| rule->rule_spec = rule_spec; |
| |
| ctx->rules = g_list_append(ctx->rules, rule); |
| } |
| |
| static void firewall_remove_rules(struct firewall_context *ctx) |
| { |
| struct fw_rule *rule; |
| GList *list; |
| |
| for (list = g_list_last(ctx->rules); list; |
| list = g_list_previous(list)) { |
| rule = list->data; |
| |
| ctx->rules = g_list_remove(ctx->rules, rule); |
| cleanup_fw_rule(rule); |
| } |
| } |
| |
| static int firewall_enable_rules(struct firewall_context *ctx) |
| { |
| struct fw_rule *rule; |
| GList *list; |
| int err = -ENOENT; |
| |
| for (list = g_list_first(ctx->rules); list; list = g_list_next(list)) { |
| rule = list->data; |
| |
| err = enable_rule(rule); |
| if (err < 0) |
| break; |
| } |
| |
| return err; |
| } |
| |
| static int firewall_disable_rules(struct firewall_context *ctx) |
| { |
| struct fw_rule *rule; |
| GList *list; |
| int e; |
| int err = -ENOENT; |
| |
| for (list = g_list_last(ctx->rules); list; |
| list = g_list_previous(list)) { |
| rule = list->data; |
| |
| e = disable_rule(rule); |
| |
| /* Report last error back */ |
| if (e == 0 && err == -ENOENT) |
| err = 0; |
| else if (e < 0) |
| err = e; |
| } |
| |
| return err; |
| } |
| |
| int __connman_firewall_enable_nat(struct firewall_context *ctx, |
| char *address, unsigned char prefixlen, |
| char *interface) |
| { |
| char *cmd; |
| int err; |
| |
| cmd = g_strdup_printf("-s %s/%d -o %s -j MASQUERADE", |
| address, prefixlen, interface); |
| |
| firewall_add_rule(ctx, "nat", "POSTROUTING", cmd); |
| g_free(cmd); |
| err = firewall_enable_rules(ctx); |
| if (err) |
| firewall_remove_rules(ctx); |
| return err; |
| } |
| |
| int __connman_firewall_disable_nat(struct firewall_context *ctx) |
| { |
| int err; |
| |
| err = firewall_disable_rules(ctx); |
| if (err < 0) { |
| DBG("could not disable NAT rule"); |
| return err; |
| } |
| |
| firewall_remove_rules(ctx); |
| return 0; |
| } |
| |
| int __connman_firewall_enable_snat(struct firewall_context *ctx, |
| int index, const char *ifname, |
| const char *addr) |
| { |
| int err; |
| |
| firewall_add_rule(ctx, "nat", "POSTROUTING", |
| "-o %s -j SNAT --to-source %s", |
| ifname, addr); |
| |
| err = firewall_enable_rules(ctx); |
| if (err) |
| firewall_remove_rules(ctx); |
| return err; |
| } |
| |
| int __connman_firewall_disable_snat(struct firewall_context *ctx) |
| { |
| int err; |
| |
| err = firewall_disable_rules(ctx); |
| if (err < 0) { |
| DBG("could not disable SNAT rule"); |
| return err; |
| } |
| |
| firewall_remove_rules(ctx); |
| return 0; |
| } |
| |
| static int firewall_enable_connmark(void) |
| { |
| int err; |
| |
| if (connmark_ref > 0) { |
| connmark_ref++; |
| return 0; |
| } |
| |
| connmark_ctx = __connman_firewall_create(); |
| |
| firewall_add_rule(connmark_ctx, "mangle", "INPUT", |
| "-j CONNMARK --restore-mark"); |
| firewall_add_rule(connmark_ctx, "mangle", "POSTROUTING", |
| "-j CONNMARK --save-mark"); |
| err = firewall_enable_rules(connmark_ctx); |
| if (err) { |
| __connman_firewall_destroy(connmark_ctx); |
| connmark_ctx = NULL; |
| return err; |
| } |
| connmark_ref++; |
| return 0; |
| } |
| |
| static void firewall_disable_connmark(void) |
| { |
| connmark_ref--; |
| if (connmark_ref > 0) |
| return; |
| |
| firewall_disable_rules(connmark_ctx); |
| __connman_firewall_destroy(connmark_ctx); |
| connmark_ctx = NULL; |
| } |
| |
| int __connman_firewall_enable_marking(struct firewall_context *ctx, |
| enum connman_session_id_type id_type, |
| char *id, const char *src_ip, |
| uint32_t mark) |
| { |
| int err; |
| |
| err = firewall_enable_connmark(); |
| if (err) |
| return err; |
| |
| switch (id_type) { |
| case CONNMAN_SESSION_ID_TYPE_UID: |
| firewall_add_rule(ctx, "mangle", "OUTPUT", |
| "-m owner --uid-owner %s -j MARK --set-mark %d", |
| id, mark); |
| break; |
| case CONNMAN_SESSION_ID_TYPE_GID: |
| firewall_add_rule(ctx, "mangle", "OUTPUT", |
| "-m owner --gid-owner %s -j MARK --set-mark %d", |
| id, mark); |
| break; |
| case CONNMAN_SESSION_ID_TYPE_UNKNOWN: |
| break; |
| case CONNMAN_SESSION_ID_TYPE_LSM: |
| default: |
| return -EINVAL; |
| } |
| |
| if (src_ip) { |
| firewall_add_rule(ctx, "mangle", "OUTPUT", |
| "-s %s -j MARK --set-mark %d", |
| src_ip, mark); |
| } |
| |
| return firewall_enable_rules(ctx); |
| } |
| |
| int __connman_firewall_disable_marking(struct firewall_context *ctx) |
| { |
| firewall_disable_connmark(); |
| return firewall_disable_rules(ctx); |
| } |
| |
| static void iterate_chains_cb(const char *chain_name, void *user_data) |
| { |
| GSList **chains = user_data; |
| int id; |
| |
| id = managed_chain_to_index(chain_name); |
| if (id < 0) |
| return; |
| |
| *chains = g_slist_prepend(*chains, GINT_TO_POINTER(id)); |
| } |
| |
| static void flush_table(const char *table_name) |
| { |
| GSList *chains = NULL, *list; |
| char *rule, *managed_chain; |
| int id, err; |
| |
| __connman_iptables_iterate_chains(table_name, iterate_chains_cb, |
| &chains); |
| |
| for (list = chains; list; list = list->next) { |
| id = GPOINTER_TO_INT(list->data); |
| |
| managed_chain = g_strdup_printf("%s%s", CHAIN_PREFIX, |
| builtin_chains[id]); |
| |
| rule = g_strdup_printf("-j %s", managed_chain); |
| err = __connman_iptables_delete(table_name, |
| builtin_chains[id], rule); |
| if (err < 0) { |
| connman_warn("Failed to delete jump rule '%s': %s", |
| rule, strerror(-err)); |
| } |
| g_free(rule); |
| |
| err = __connman_iptables_flush_chain(table_name, managed_chain); |
| if (err < 0) { |
| connman_warn("Failed to flush chain '%s': %s", |
| managed_chain, strerror(-err)); |
| } |
| err = __connman_iptables_delete_chain(table_name, managed_chain); |
| if (err < 0) { |
| connman_warn("Failed to delete chain '%s': %s", |
| managed_chain, strerror(-err)); |
| } |
| |
| g_free(managed_chain); |
| } |
| |
| err = __connman_iptables_commit(table_name); |
| if (err < 0) { |
| connman_warn("Failed to flush table '%s': %s", |
| table_name, strerror(-err)); |
| } |
| |
| g_slist_free(chains); |
| } |
| |
| static void flush_all_tables(void) |
| { |
| /* Flush the tables ConnMan might have modified |
| * But do so if only ConnMan has done something with |
| * iptables */ |
| |
| if (!g_file_test("/proc/net/ip_tables_names", |
| G_FILE_TEST_EXISTS | G_FILE_TEST_IS_REGULAR)) { |
| return; |
| } |
| |
| flush_table("filter"); |
| flush_table("mangle"); |
| flush_table("nat"); |
| } |
| |
| int __connman_firewall_init(void) |
| { |
| DBG(""); |
| |
| __connman_iptables_init(); |
| flush_all_tables(); |
| |
| return 0; |
| } |
| |
| void __connman_firewall_cleanup(void) |
| { |
| DBG(""); |
| |
| g_slist_free_full(managed_tables, cleanup_managed_table); |
| __connman_iptables_cleanup(); |
| } |