Currently there is no API through which iptables rules can be set. The flush code does not change the default chain policy at the moment, so any pre-existing iptables setup that sets the default policy to reject and relies on individual rules to let packets through will block all IP communication.
For the time being disable iptables flush on init. Thus please be careful with iptables rules.
---
 src/iptables.c | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/src/iptables.c b/src/iptables.c
index 83612b9..8fa3687 100644
--- a/src/iptables.c
+++ b/src/iptables.c
@@ -36,6 +36,7 @@
 #include "connman.h"
+void flush_table(const char *name);
 /*
 * Some comments on how the iptables API works (some of them from the
@@ -2243,7 +2244,7 @@ static int flush_table_cb(struct ipt_entry *entry, int builtin,
 return 0;
 }
-static void flush_table(const char *name)
+void flush_table(const char *name)
 {
 GSList *chains = NULL, *list;
 struct connman_iptables *table;
@@ -2269,13 +2270,6 @@ static void flush_table(const char *name)
 g_slist_free_full(chains, g_free);
 }
-static void flush_all_chains(void)
-{
- flush_table("filter");
- flush_table("mangle");
- flush_table("nat");
-}
-
 int __connman_iptables_init(void)
 {
 DBG("");
@@ -2288,8 +2282,6 @@ int __connman_iptables_init(void)
 xtables_init_all(&iptables_globals, NFPROTO_IPV4);
- flush_all_chains();
-
 return 0;
 }
--
1.7.10.4
_______________________________________________
connman mailing list
connman@connman.net
http://lists.connman.net/listinfo/connman
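Review bot: The prototype `void flush_table(const char *name);` added in the first hunk lives only in iptables.c, so dropping `static` from the definition in the second hunk exports an unprefixed global symbol that no other translation unit can call with a checked prototype; if the function is meant to become the API the message says is missing, the declaration belongs in a header (connman.h is already included here) and the name should follow the file's `__connman_iptables_*` convention, otherwise it should stay `static`. The declaration looks like a way to keep the now-uncalled function from triggering an unused-function warning once flush_all_chains() is deleted, but that is inferred from the hunks, not stated. Either way the caveat from the commit message should travel with the function rather than only with the history: add above its definition a comment such as `/* Removes the rules of every chain in the named table but leaves each chain's default policy untouched; on a table whose policy is reject this cuts all IP traffic, which is why it is no longer called from __connman_iptables_init(). */`. flush_table's body continues past the end of the second hunk.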