From: Daniel Wagner <daniel.wag...@bmw-carit.de>
Flush only ConnMan's own rules and chains. The chains naming pattern is
"connman-[CHAIN NAME]". That makes it simple to find again.
---
src/iptables.c | 97 +++++++++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 92 insertions(+), 5 deletions(-)
diff --git a/src/iptables.c b/src/iptables.c
index 7a9d524..d095bbe 100644
--- a/src/iptables.c
+++ b/src/iptables.c
@@ -36,8 +36,6 @@
#include "connman.h"
-void flush_table(const char *name);
-
/*
* Some comments on how the iptables API works (some of them from the
* source code from iptables and the kernel):
@@ -136,6 +134,14 @@ static const char *hooknames[] = {
[NF_IP_POST_ROUTING] = "POSTROUTING",
};
+static const char *managed_hooknames[] = {
+ [NF_IP_PRE_ROUTING] = "connman-PREROUTING",
+ [NF_IP_LOCAL_IN] = "connman-INPUT",
+ [NF_IP_FORWARD] = "connman-FORWARD",
+ [NF_IP_LOCAL_OUT] = "connman-OUTPUT",
+ [NF_IP_POST_ROUTING] = "connman-POSTROUTING",
+};
+
#define LABEL_ACCEPT "ACCEPT"
#define LABEL_DROP "DROP"
#define LABEL_QUEUE "QUEUE"
@@ -287,6 +293,46 @@ static gboolean is_builtin_target(const char *target_name)
return FALSE;
}
+
+static int managed_chain_to_index(const char *chain_name)
+{
+ if (!strcmp(managed_hooknames[NF_IP_PRE_ROUTING], chain_name))
+ return 0;
+ if (!strcmp(managed_hooknames[NF_IP_LOCAL_IN], chain_name))
+ return 1;
+ if (!strcmp(managed_hooknames[NF_IP_FORWARD], chain_name))
+ return 2;
+ if (!strcmp(managed_hooknames[NF_IP_LOCAL_OUT], chain_name))
+ return 3;
+ if (!strcmp(managed_hooknames[NF_IP_POST_ROUTING], chain_name))
+ return 4;
+
+ return -1;
+
+}
+
+static gboolean is_managed_chain(const char *chain_name)
+{
+ int index;
+
+ index = managed_chain_to_index(chain_name);
+ if (index < 0)
+ return FALSE;
+
+ return TRUE;
+}
+
+static const char *managed_chain_to_builtin(const char *chain_name)
+{
+ int index;
+
+ index = managed_chain_to_index(chain_name);
+ if (index < 0)
+ return NULL;
+
+ return hooknames[index];
+}
+
static gboolean is_jump(struct ipt_entry *entry)
{
struct xt_entry_target *target;
@@ -2349,15 +2395,24 @@ static int flush_table_cb(struct ipt_entry *entry, int
builtin,
if (name == NULL)
return 0;
+ DBG("name %s", name);
+
+ if (is_managed_chain(name) == FALSE) {
+ g_free(name);
+ return 0;
+ }
+
*chains = g_slist_prepend(*chains, name);
return 0;
}
-void flush_table(const char *name)
+static void flush_table(const char *name)
{
GSList *chains = NULL, *list;
struct connman_iptables *table;
+ char *rule;
+ int err;
table = get_table(name);
if (table == NULL)
@@ -2382,13 +2437,43 @@ void flush_table(const char *name)
char *chain = list->data;
DBG("chain %s", chain);
- iptables_flush_chain(table, chain);
+
+ rule = g_strdup_printf("-j %s", chain);
+ err = __connman_iptables_delete(name,
+ managed_chain_to_builtin(chain), rule);
+ if (err < 0) {
+ connman_warn("Failed to delete jump rule '%s': %s",
+ rule, strerror(-err));
+ }
+ g_free(rule);
+
+ err = iptables_flush_chain(table, chain);
+ if (err < 0) {
+ connman_warn("Failed to flush chain '%s': %s",
+ chain, strerror(-err));
+ }
+ err = iptables_delete_chain(table, chain);
+ if (err < 0) {
+ connman_warn("Failed to delete chain '%s': %s",
+ chain, strerror(-err));
+ }
}
- __connman_iptables_commit(name);
+ err = __connman_iptables_commit(name);
+ if (err < 0) {
+ connman_warn("Commit for table %s failed: %s", name,
+ strerror(-err));
+ }
g_slist_free_full(chains, g_free);
}
+static void flush_all_tables(void)
+{
+ flush_table("filter");
+ flush_table("mangle");
+ flush_table("nat");
+}
+
#if XTABLES_VERSION_CODE > 5
static void print_xtables_version_code(void)
@@ -2419,6 +2504,8 @@ int __connman_iptables_init(void)
xtables_init_all(&iptables_globals, NFPROTO_IPV4);
+ flush_all_tables();
+
return 0;
}
--
1.8.1.3.566.gaa39828
_______________________________________________
connman mailing list
connman@connman.net
http://lists.connman.net/listinfo/connman
