This prevents to load all iptables modules even though it will never be
used.
---
src/connman.h | 1 +
src/firewall.c | 21 ++++++++++++++++++++-
src/session.c | 21 ++++++++++++++-------
3 files changed, 35 insertions(+), 8 deletions(-)
diff --git a/src/connman.h b/src/connman.h
index 0e3ec47..5bb11eb 100644
--- a/src/connman.h
+++ b/src/connman.h
@@ -951,6 +951,7 @@ int __connman_firewall_add_rule(struct firewall_context
*ctx,
const char *rule_fmt, ...);
int __connman_firewall_enable(struct firewall_context *ctx);
int __connman_firewall_disable(struct firewall_context *ctx);
+bool __connman_firewall_is_up(void);
int __connman_firewall_init(void);
void __connman_firewall_cleanup(void);
diff --git a/src/firewall.c b/src/firewall.c
index e4443ea..90c3d3c 100644
--- a/src/firewall.c
+++ b/src/firewall.c
@@ -57,6 +57,8 @@ struct firewall_context {
static GSList *managed_tables;
+static bool firewall_is_up;
+
static int chain_to_index(const char *chain_name)
{
if (!g_strcmp0(builtin_chains[NF_IP_PRE_ROUTING], chain_name))
@@ -341,6 +343,8 @@ int __connman_firewall_enable(struct firewall_context *ctx)
goto err;
}
+ firewall_is_up = true;
+
return 0;
err:
@@ -356,6 +360,11 @@ int __connman_firewall_disable(struct firewall_context
*ctx)
return firewall_disable(g_list_last(ctx->rules));
}
+bool __connman_firewall_is_up(void)
+{
+ return firewall_is_up;
+}
+
static void iterate_chains_cb(const char *chain_name, void *user_data)
{
GSList **chains = user_data;
@@ -417,7 +426,17 @@ static void flush_table(const char *table_name)
static void flush_all_tables(void)
{
- /* Flush the tables ConnMan might have modified */
+ /* Flush the tables ConnMan might have modified
+ * But do so if only ConnMan has done something with
+ * iptables */
+
+ if (!g_file_test("/proc/net/ip_tables_names",
+ G_FILE_TEST_EXISTS | G_FILE_TEST_IS_REGULAR)) {
+ firewall_is_up = false;
+ return;
+ }
+
+ firewall_is_up = true;
flush_table("filter");
flush_table("mangle");
diff --git a/src/session.c b/src/session.c
index 3fca6d6..f80e168 100644
--- a/src/session.c
+++ b/src/session.c
@@ -37,7 +37,7 @@ static GHashTable *session_hash;
static struct connman_session *ecall_session;
static GSList *policy_list;
static uint32_t session_mark = 256;
-static struct firewall_context *global_firewall;
+static struct firewall_context *global_firewall = NULL;
enum connman_session_trigger {
CONNMAN_SESSION_TRIGGER_UNKNOWN = 0,
@@ -236,6 +236,9 @@ static int init_firewall(void)
struct firewall_context *fw;
int err;
+ if (global_firewall)
+ return 0;
+
fw = __connman_firewall_create();
err = __connman_firewall_add_rule(fw, "mangle", "INPUT",
@@ -281,6 +284,10 @@ static int init_firewall_session(struct connman_session
*session)
DBG("");
+ err = init_firewall();
+ if (err < 0)
+ return err;
+
fw = __connman_firewall_create();
if (!fw)
return -ENOMEM;
@@ -2212,10 +2219,6 @@ int __connman_session_init(void)
DBG("");
- err = init_firewall();
- if (err < 0)
- return err;
-
connection = connman_dbus_get_connection();
if (!connection)
return -1;
@@ -2223,14 +2226,18 @@ int __connman_session_init(void)
err = connman_notifier_register(&session_notifier);
if (err < 0) {
dbus_connection_unref(connection);
- cleanup_firewall();
return err;
}
session_hash = g_hash_table_new_full(g_str_hash, g_str_equal,
NULL, cleanup_session);
- __connman_nfacct_flush(session_nfacct_flush_cb, NULL);
+ if (__connman_firewall_is_up()) {
+ err = init_firewall();
+ if (err < 0)
+ return err;
+ __connman_nfacct_flush(session_nfacct_flush_cb, NULL);
+ }
return 0;
}
--
1.8.4.4
_______________________________________________
connman mailing list
connman@connman.net
https://lists.connman.net/mailman/listinfo/connman
