Currently there is no API through which iptables rules can be set. The flush
code does not change the default chain policy, so on a system whose
pre-existing iptables rules set the default policy to reject and rely on
individual rules to allow packets through, flushing those rules leaves the
reject policy in place and prevents all IP communication.

For the time being disable iptables flush on init. Thus please be careful
with iptables rules.
---
 src/iptables.c |   12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/src/iptables.c b/src/iptables.c
index 83612b9..8fa3687 100644
--- a/src/iptables.c
+++ b/src/iptables.c
@@ -36,6 +36,7 @@
 
 #include "connman.h"
 
+void flush_table(const char *name);
 
 /*
  * Some comments on how the iptables API works (some of them from the
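Review bot: The prototype added here gives `flush_table` external linkage under an unprefixed name while it is still declared only inside iptables.c, so no other translation unit can see it and the function becomes exported dead code; the other entry point visible in this file, `__connman_iptables_init`, follows the `__connman_` prefix convention and connman.h (included just above) is where such exports are presumably declared. If the flush is meant to be reachable by a future rule-setting API, declare it in connman.h as `void __connman_iptables_flush_table(const char *name);` and drop this local prototype; if it is only being parked for now, keeping it `static` and silencing the unused-function warning is the smaller change. Either way a one-line comment on the definition saying why it is no longer called from init would help the next reader.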
@@ -2243,7 +2244,7 @@ static int flush_table_cb(struct ipt_entry *entry, int 
builtin,
        return 0;
 }
 
-static void flush_table(const char *name)
+void flush_table(const char *name)
 {
        GSList *chains = NULL, *list;
        struct connman_iptables *table;
@@ -2269,13 +2270,6 @@ static void flush_table(const char *name)
        g_slist_free_full(chains, g_free);
 }
 
-static void flush_all_chains(void)
-{
-       flush_table("filter");
-       flush_table("mangle");
-       flush_table("nat");
-}
-
 int __connman_iptables_init(void)
 {
        DBG("");
@@ -2288,8 +2282,6 @@ int __connman_iptables_init(void)
 
        xtables_init_all(&iptables_globals, NFPROTO_IPV4);
 
-       flush_all_chains();
-
        return 0;
 }
 
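Review bot: With the flush_all_chains() call gone, __connman_iptables_init() now leaves whatever is already in the filter, mangle and nat tables untouched, and nothing at this site records why; a reader sees xtables_init_all() followed by a bare return. The reason given in the commit message belongs here as a comment, e.g. `/* Do not flush on init: flush_table() leaves the default chain policy as is, so a host with a reject policy and explicit accept rules would lose all IP connectivity (see commit message). */`. Whether rules left behind by a previous connman instance that exited without cleaning up now persist across restarts depends on what else in this file inserts rules and whether anything removes them on shutdown, neither of which is visible here — worth confirming, since a leftover permissive rule would outlive the run that created it. The enclosing function starts outside this hunk.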
-- 
1.7.10.4
