author | Daniel Wagner <daniel.wagner@bmw-carit.de> | 2016-08-18 11:06:14 +0200 |
---|---|---|
committer | Patrik Flykt <patrik.flykt@linux.intel.com> | 2016-09-02 16:24:31 +0300 |
commit | 58a763e6ec5467ab671fde8f4dc17c591e2d5dcb (patch) | |
tree | a42c7fce419007ba7781d3c1339bdf03fe996e8e /tools | |
parent | 2c0116a686c92d75f842c3c653af33245f79ef9a (diff) | |
download | connman-58a763e6ec5467ab671fde8f4dc17c591e2d5dcb.tar.gz |
firewall: Add explicit feature API
Instead of having a generic firewall API, we just provide
a few features such as NAT, SNAT or MARK. That allows
us to push all the code down into firewall.c.
There are only two different users in ConnMan for this API:
enabling global NAT or for session handling.
Fortunately, the NAT handling is pretty simple. We just have one
global table and we either have it enabled or disabled.
The session handling is slightly more tricky. There are
three different rule sets. The first one enables one global rule
for CONNMARK save/restore. This one will be installed only when the
first session calls __connman_firewall_enable_marking(). For this we
use a global context and enable disable it only if there is a session
using it.
The SNAT rules are shared between sessions and there exists only one
per output device. The session tracking is done in session.c. Note
the SNAT rules have also their own struct firewall_context.
The third set of rule for MARK is owned by the session, that is the
rules are tracked it the session->fw context.
Due to the separation of the struct firewall_context usage we can
git rid of any special tracking. Either we enable all or disable all
in one go. We don't have enable indiviual rules anymore with the
FW_ALL_RULES. And we are all happy again.
Diffstat (limited to 'tools')
-rw-r--r-- | tools/iptables-unit.c | 112 |
1 files changed, 0 insertions, 112 deletions
diff --git a/tools/iptables-unit.c b/tools/iptables-unit.c
index e919aa53..426631a0 100644
--- a/tools/iptables-unit.c
+++ b/tools/iptables-unit.c
@@ -406,112 +406,6 @@ static void test_nat_basic1(void)
 g_free(service);
 }
 
-static void test_firewall_basic0(void)
-{
- struct firewall_context *ctx;
- int err;
-
- ctx = __connman_firewall_create();
- g_assert(ctx);
-
- err = __connman_firewall_add_rule(ctx, "filter", "INPUT",
- "-m mark --mark 999 -j LOG");
- g_assert(err >= 0);
-
- err = __connman_firewall_enable(ctx);
- g_assert(err == 0);
-
- assert_rule_exists("filter", ":connman-INPUT - [0:0]");
- assert_rule_exists("filter", "-A INPUT -j connman-INPUT");
- assert_rule_exists("filter", "-A connman-INPUT -m mark --mark 0x3e7 -j LOG");
-
- err = __connman_firewall_disable(ctx);
- g_assert(err == 0);
-
- assert_rule_not_exists("filter", ":connman-INPUT - [0:0]");
- assert_rule_not_exists("filter", "-A INPUT -j connman-INPUT");
- assert_rule_not_exists("filter", "-A connman-INPUT -m mark --mark 0x3e7 -j LOG");
-
- __connman_firewall_destroy(ctx);
-}
-
-static void test_firewall_basic1(void)
-{
- struct firewall_context *ctx;
- int err;
-
- ctx = __connman_firewall_create();
- g_assert(ctx);
-
- err = __connman_firewall_add_rule(ctx, "filter", "INPUT",
- "-m mark --mark 999 -j LOG");
- g_assert(err >= 0);
-
- err = __connman_firewall_add_rule(ctx, "filter", "OUTPUT",
- "-m mark --mark 999 -j LOG");
- g_assert(err >= 0);
-
- err = __connman_firewall_enable(ctx);
- g_assert(err == 0);
-
- err = __connman_firewall_disable(ctx);
- g_assert(err == 0);
-
- __connman_firewall_destroy(ctx);
-}
-
-static void test_firewall_basic2(void)
-{
- struct firewall_context *ctx;
- int err;
-
- ctx = __connman_firewall_create();
- g_assert(ctx);
-
- err = __connman_firewall_add_rule(ctx, "mangle", "INPUT",
- "-j CONNMARK --restore-mark");
- g_assert(err >= 0);
-
- err = __connman_firewall_add_rule(ctx, "mangle", "POSTROUTING",
- "-j CONNMARK --save-mark");
- g_assert(err >= 0);
-
- err = __connman_firewall_enable(ctx);
- g_assert(err == 0);
-
- err = __connman_firewall_disable(ctx);
- g_assert(err == 0);
-
- __connman_firewall_destroy(ctx);
-}
-
-static void test_firewall_basic3(void)
-{
- struct firewall_context *ctx;
- int err, id;
-
- ctx = __connman_firewall_create();
- g_assert(ctx);
-
- id = __connman_firewall_add_rule(ctx, "mangle", "INPUT",
- "-j CONNMARK --restore-mark");
- g_assert(id >= 0);
-
- err = __connman_firewall_enable_rule(ctx, id);
- g_assert(err == 0);
-
- err = __connman_firewall_disable_rule(ctx, id);
- g_assert(err == 0);
-
- err = __connman_firewall_remove_rule(ctx, id);
- g_assert(err == 0);
-
- err = __connman_firewall_disable(ctx);
- g_assert(err == -ENOENT);
-
- __connman_firewall_destroy(ctx);
-}
-
 static gchar *option_debug = NULL;
 
 static bool parse_debug(const char *key, const char *value,
@@ -558,7 +452,6 @@ int main(int argc, char *argv[])
 "Unit Tests Connection Manager", VERSION);
 
 __connman_iptables_init();
- __connman_firewall_init();
 __connman_nat_init();
 
 g_test_add_func("/iptables/chain0", test_iptables_chain0);
@@ -571,15 +464,10 @@ int main(int argc, char *argv[])
 g_test_add_func("/iptables/target0", test_iptables_target0);
 g_test_add_func("/nat/basic0", test_nat_basic0);
 g_test_add_func("/nat/basic1", test_nat_basic1);
- g_test_add_func("/firewall/basic0", test_firewall_basic0);
- g_test_add_func("/firewall/basic1", test_firewall_basic1);
- g_test_add_func("/firewall/basic2", test_firewall_basic2);
- g_test_add_func("/firewall/basic3", test_firewall_basic3);
 
 err = g_test_run();
 
 __connman_nat_cleanup();
- __connman_firewall_cleanup();
 __connman_iptables_cleanup();
 
 g_free(option_debug);
|