Send connman mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.01.org/mailman/listinfo/connman
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of connman digest..."
Today's Topics:
1. Re: [PATCH] Remove old ip/gateway address if different addresses are assigned during DHCP renewal to avoid two ip addresses added to the interface. (wangfe-nestlabs)
2. Re: [PATCH] nat: fix build failure (Patrik Flykt)
3. Re: [PATCH] nat: fix build failure (Gustavo Zacarias)
4. [PATCH v2 0/6] Add nftables support (Daniel Wagner)
5. [PATCH v2 2/6] firewall: Initialize iptables directly from firewall.c (Daniel Wagner)
6. [PATCH v2 1/6] session: Install SNAT rules only once per device (Daniel Wagner)
7. [PATCH v2 5/6] firewall: Add nftables build infrastructure (Daniel Wagner)
----------------------------------------------------------------------
Message: 1
Date: Thu, 21 Apr 2016 14:59:48 -0700
From: wangfe-nestlabs <[email protected]>
To: [email protected]
Subject: Re: [PATCH] Remove old ip/gateway address if different
addresses are assigned during DHCP renewal to avoid two ip addresses
added to the interface.
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii
More detailed information about this bug.
At the beginning the DHCP server assigned the IP address (192.168.1.100) to the
device. Then the DHCP server was reconfigured to assign IP addresses from the 200
range instead of the 100 range. When the device renewed its IP address, it got a
NACK, so it sent a discovery frame and finally 192.168.1.200 was assigned to the
device. The device adds 192.168.1.200 to the wifi interface but without removing
the old IP (192.168.1.100). Thus there are 2 IP addresses assigned to the wifi
interface. If you ping 192.168.1.100/200, both reply OK. But when the device
sends packets to other devices, it uses the old IP address (192.168.1.100),
not the new IP address, which is wrong.
The fix is very simple: remove the old IP address when the newly assigned IP
address is different from the old one. The same logic applies to the gateway IP
address too.
Thanks,
Feng
> On Apr 20, 2016, at 11:28 AM, Feng Wang <[email protected]> wrote:
>
> ---
> src/dhcp.c | 19 +++++++++++++------
> 1 file changed, 13 insertions(+), 6 deletions(-)
>
> diff --git a/src/dhcp.c b/src/dhcp.c
> index 1d2cd48..54d98db 100644
> --- a/src/dhcp.c
> +++ b/src/dhcp.c
> @@ -435,7 +435,7 @@ static void lease_available_cb(GDHCPClient *dhcp_client,
> gpointer user_data)
> char *address, *netmask = NULL, *gateway = NULL;
> const char *c_address, *c_gateway;
> unsigned char prefixlen, c_prefixlen;
> - bool ip_change;
> + bool ip_change = false;
>
> DBG("Lease available");
>
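Review bot: the initializer `bool ip_change = false;` becomes load-bearing once the trailing `else ip_change = false;` is dropped in the second hunk; without it the path where address, gateway and prefix length are all unchanged would leave `ip_change` uninitialised. Fine as is, but that dependency deserves a line in the commit message, which this patch currently lacks.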
> @@ -467,14 +467,21 @@ static void lease_available_cb(GDHCPClient
> *dhcp_client, gpointer user_data)
>
> DBG("c_address %s", c_address);
>
> - if (g_strcmp0(address, c_address))
> + if (g_strcmp0(address, c_address)) {
> ip_change = true;
> - else if (g_strcmp0(gateway, c_gateway))
> + if (c_address) {
> + /* Remove old ip address */
> + __connman_ipconfig_address_remove(dhcp->ipconfig);
> + }
> + }
> + if (g_strcmp0(gateway, c_gateway)) {
> ip_change = true;
> - else if (prefixlen != c_prefixlen)
> + if (c_gateway) {
> + /* Remove gateway ip address */
> + __connman_ipconfig_gateway_remove(dhcp->ipconfig);
> + }
> + } else if (prefixlen != c_prefixlen)
> ip_change = true;
> - else
> - ip_change = false;
>
> __connman_ipconfig_set_method(dhcp->ipconfig,
> CONNMAN_IPCONFIG_METHOD_DHCP);
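Review bot: a lease that keeps the address but changes only the prefix length (the `else if (prefixlen != c_prefixlen)` arm) still leaves the old address on the interface, because `__connman_ipconfig_address_remove()` is only called when `g_strcmp0(address, c_address)` reports a difference; if the goal is to never end up with two addresses, the removal needs to cover the prefix-change case as well. Removing the old address before the new one has been applied also means that a failure later in `lease_available_cb()` leaves the interface with no address at all, so consider deferring the removal until the new address is set. Style: the `} else if (prefixlen != c_prefixlen)` arm is left unbraced while the two arms above it are braced.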
> --
> 2.8.0.rc3.226.g39d4020
>
------------------------------
Message: 2
Date: Fri, 22 Apr 2016 11:18:09 +0300
From: Patrik Flykt <[email protected]>
To: Gustavo Zacarias <[email protected]>, [email protected]
Subject: Re: [PATCH] nat: fix build failure
Message-ID: <[email protected]>
Content-Type: text/plain; charset="UTF-8"
On Tue, 2016-04-19 at 08:42 -0300, Gustavo Zacarias wrote:
> _GNU_SOURCE needs to be defined so that O_CLOEXEC symbols can be
> found in
> system header files.
On what libc and version? Works fine without on glibc.
> Signed-off-by: Gustavo Zacarias <[email protected]>
We haven't used Signed-off-bys in ConnMan, so I'd just scrape it off
the commit message anyway.
Cheers,
Patrik
> ---
> ?src/nat.c | 1 +
> ?1 file changed, 1 insertion(+)
>
> diff --git a/src/nat.c b/src/nat.c
> index 33ae6df..62e21d4 100644
> --- a/src/nat.c
> +++ b/src/nat.c
> @@ -24,6 +24,7 @@
> ?#include <config.h>
> ?#endif
> ?
> +#define _GNU_SOURCE
> ?#include <errno.h>
> ?#include <sys/types.h>
> ?#include <sys/stat.h>
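Review bot: `#define _GNU_SOURCE` must be seen before the first system header is included, and here it sits after `#include <config.h>`, which is only safe while config.h pulls in no system headers; moving it to the very top of the file, or wrapping it in `#ifndef _GNU_SOURCE`, avoids both the ordering trap and a redefinition warning when the compiler or the build already defines it. As the follow-up reply notes, this per-file fix has been applied before, so defining it once centrally (from configure, so it lands in config.h) would stop the regression for good.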
------------------------------
Message: 3
Date: Fri, 22 Apr 2016 07:48:04 -0300
From: Gustavo Zacarias <[email protected]>
To: Patrik Flykt <[email protected]>, [email protected]
Subject: Re: [PATCH] nat: fix build failure
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8; format=flowed
On 22/04/16 05:18, Patrik Flykt wrote:
>> _GNU_SOURCE needs to be defined so that O_CLOEXEC symbols can be
>> found in
>> system header files.
>
> On what libc and version? Works fine without on glibc.
uClibc/uClibc-ng.
This happened before and was fixed in 42208683,
62e46276 and 61f8be7c.
Regards.
------------------------------
Message: 4
Date: Fri, 22 Apr 2016 14:34:33 +0200
From: Daniel Wagner <[email protected]>
To: [email protected]
Cc: Daniel Wagner <[email protected]>
Subject: [PATCH v2 0/6] Add nftables support
Message-ID: <[email protected]>
From: Daniel Wagner <[email protected]>
changes:
- rebased to current master
- fixed some error handling paths (memory leak)
- fixed typo and error handling reported by dtatulea
- fixed compiler complaints
- issue no warning if table cleanup was successful
cheers,
daniel
Daniel Wagner (6):
session: Install SNAT rules only once per device
firewall: Initialize iptables directly from firewall.c
firewall: Add explicit feature API
firewall: Rename firewall.c to firewall-iptables.c
firewall: Add nftables build infrastructure
firewall-nftables: Add nftable support for firewall
Makefile.am | 48 +-
configure.ac | 31 +-
src/connman.h | 22 +-
src/firewall-iptables.c | 622 +++++++++++++++++++++++++
src/firewall-nftables.c | 1154 +++++++++++++++++++++++++++++++++++++++++++++++
src/firewall.c | 542 ----------------------
src/main.c | 2 -
src/nat.c | 21 +-
src/session.c | 187 ++++----
tools/iptables-unit.c | 112 -----
10 files changed, 1941 insertions(+), 800 deletions(-)
create mode 100644 src/firewall-iptables.c
create mode 100644 src/firewall-nftables.c
delete mode 100644 src/firewall.c
--
2.5.5
------------------------------
Message: 5
Date: Fri, 22 Apr 2016 14:34:35 +0200
From: Daniel Wagner <[email protected]>
To: [email protected]
Cc: Daniel Wagner <[email protected]>
Subject: [PATCH v2 2/6] firewall: Initialize iptables directly from
firewall.c
Message-ID: <[email protected]>
From: Daniel Wagner <[email protected]>
The current firewall API implementation depends on iptables. In order
to support an nftables implementation we move the init call from
main.c to firewall.c.
---
src/firewall.c | 2 ++
src/main.c | 2 --
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/firewall.c b/src/firewall.c
index c440df6..fed75a8 100644
--- a/src/firewall.c
+++ b/src/firewall.c
@@ -529,6 +529,7 @@ int __connman_firewall_init(void)
{
DBG("");
+ __connman_iptables_init();
flush_all_tables();
return 0;
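Review bot: the return value of `__connman_iptables_init()` is discarded and `__connman_firewall_init()` still returns 0 unconditionally; if the iptables initialisation can fail, the error should be propagated and `flush_all_tables()` skipped, otherwise the flush runs against a backend that never came up.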
@@ -539,4 +540,5 @@ void __connman_firewall_cleanup(void)
DBG("");
g_slist_free_full(managed_tables, cleanup_managed_table);
+ __connman_iptables_cleanup();
}
diff --git a/src/main.c b/src/main.c
index f44a2ed..fdb4f72 100644
--- a/src/main.c
+++ b/src/main.c
@@ -669,7 +669,6 @@ int main(int argc, char *argv[])
__connman_device_init(option_device, option_nodevice);
__connman_ippool_init();
- __connman_iptables_init();
__connman_firewall_init();
__connman_nat_init();
__connman_tethering_init();
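Review bot: `main()` still ignores the return value of `__connman_firewall_init()` (context line), which now also covers the iptables initialisation moved into it; a failure there would go unnoticed and `__connman_nat_init()` would run on a firewall that was never set up.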
@@ -732,7 +731,6 @@ int main(int argc, char *argv[])
__connman_tethering_cleanup();
__connman_nat_cleanup();
__connman_firewall_cleanup();
- __connman_iptables_cleanup();
__connman_peer_service_cleanup();
__connman_peer_cleanup();
__connman_ippool_cleanup();
--
2.5.5
------------------------------
Message: 6
Date: Fri, 22 Apr 2016 14:34:34 +0200
From: Daniel Wagner <[email protected]>
To: [email protected]
Cc: Daniel Wagner <[email protected]>
Subject: [PATCH v2 1/6] session: Install SNAT rules only once per
device
Message-ID: <[email protected]>
From: Daniel Wagner <[email protected]>
The marking rules are different for each session. The SNAT
routing rule is only needed once per device. Therefore, we share the
rule between the sessions and should only install unique rules.
Note the lifetime management needs to track which session
installed/refd the rule to avoid removal from update_nat_rules()
on a session create event.
---
src/session.c | 148 +++++++++++++++++++++++++++++++++++++++++++++-------------
1 file changed, 115 insertions(+), 33 deletions(-)
diff --git a/src/session.c b/src/session.c
index 388aae7..1205935 100644
--- a/src/session.c
+++ b/src/session.c
@@ -69,7 +69,6 @@ struct connman_session {
enum connman_session_id_type id_type;
struct firewall_context *fw;
- int snat_id;
uint32_t mark;
int index;
char *gateway;
@@ -81,6 +80,15 @@ struct connman_service_info {
GSList *sessions;
};
+struct fw_snat {
+ GSList *sessions;
+ int id;
+ int index;
+ struct firewall_context *fw;
+};
+
+GSList *fw_snat_list;
+
static struct connman_session_policy *policy;
static void session_activate(struct connman_session *session);
static void session_deactivate(struct connman_session *session);
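Review bot: `GSList *fw_snat_list;` is a file-scope variable with external linkage; nothing outside session.c uses it, so it should be `static GSList *fw_snat_list;` like `policy` two lines below.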
@@ -197,6 +205,87 @@ static char *service2bearer(enum connman_service_type type)
return "";
}
+static struct fw_snat *fw_snat_lookup(int index)
+{
+ struct fw_snat *fw_snat;
+ GSList *list;
+
+ for (list = fw_snat_list; list; list = list->next) {
+ fw_snat = list->data;
+
+ if (fw_snat->index == index)
+ return fw_snat;
+ }
+ return NULL;
+}
+
+static int fw_snat_create(struct connman_session *session,
+ int index, const char *ifname, const char *addr)
+{
+ struct fw_snat *fw_snat;
+ int err;
+
+ fw_snat = g_new0(struct fw_snat, 1);
+
+ fw_snat->fw = __connman_firewall_create();
+ fw_snat->index = index;
+
+ fw_snat->id = __connman_firewall_add_rule(fw_snat->fw,
+ "nat", "POSTROUTING",
+ "-o %s -j SNAT --to-source %s",
+ ifname, addr);
+ if (fw_snat->id < 0) {
+ err = fw_snat->id;
+ goto err;
+ }
+
+ err = __connman_firewall_enable_rule(fw_snat->fw, fw_snat->id);
+ if (err < 0) {
+ __connman_firewall_remove_rule(fw_snat->fw, fw_snat->id);
+ goto err;
+ }
+
+ fw_snat_list = g_slist_prepend(fw_snat_list, fw_snat);
+ fw_snat->sessions = g_slist_prepend(fw_snat->sessions, session);
+
+ return 0;
+err:
+ __connman_firewall_destroy(fw_snat->fw);
+ g_free(fw_snat);
+ return err;
+}
+
+static void fw_snat_ref(struct connman_session *session,
+ struct fw_snat *fw_snat)
+{
+ if (g_slist_find(fw_snat->sessions, session))
+ return;
+ fw_snat->sessions = g_slist_prepend(fw_snat->sessions, session);
+}
+
+static void fw_snat_unref(struct connman_session *session,
+ struct fw_snat *fw_snat)
+{
+ int err;
+
+ fw_snat->sessions = g_slist_remove(fw_snat->sessions, session);
+ if (fw_snat->sessions)
+ return;
+
+ fw_snat_list = g_slist_remove(fw_snat_list, fw_snat);
+
+ err = __connman_firewall_disable_rule(fw_snat->fw, fw_snat->id);
+ if (err < 0)
+ DBG("could not disable SNAT rule");
+
+ err = __connman_firewall_remove_rule(fw_snat->fw, fw_snat->id);
+ if (err < 0)
+ DBG("could not remove SNAT rule");
+
+ __connman_firewall_destroy(fw_snat->fw);
+ g_free(fw_snat);
+}
+
static int init_firewall(void)
{
struct firewall_context *fw;
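Review bot: `fw_snat_lookup()` keys the shared rule on the interface index only, so if the local address of that interface changes (for example on a DHCP renewal, the case message 1 of this digest describes) a later `add_nat_rules()` finds the existing entry and re-refs a SNAT rule whose `--to-source` is stale; storing the address in `struct fw_snat` and comparing it in the lookup would catch that. In `fw_snat_create()` the result of `__connman_firewall_create()` is used without a NULL check, and the nftables stub later in this series returns NULL from it.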
@@ -368,59 +457,46 @@ static void add_default_route(struct connman_session
*session)
static void del_nat_rules(struct connman_session *session)
{
- int err;
+ struct fw_snat *fw_snat;
- if (!session->fw || session->snat_id == 0)
- return;
+ fw_snat = fw_snat_lookup(session->index);
- err = __connman_firewall_disable_rule(session->fw, session->snat_id);
- if (err < 0) {
- DBG("could not disable SNAT rule");
+ if (!fw_snat)
return;
- }
-
- err = __connman_firewall_remove_rule(session->fw, session->snat_id);
- if (err < 0)
- DBG("could not remove SNAT rule");
-
- session->snat_id = 0;
+ fw_snat_unref(session, fw_snat);
}
static void add_nat_rules(struct connman_session *session)
{
struct connman_ipconfig *ipconfig;
+ struct fw_snat *fw_snat;
const char *addr;
char *ifname;
- int index, id, err;
-
- if (!session->fw)
- return;
+ int index, err;
DBG("");
+ if (!session->service)
+ return;
+
ipconfig = __connman_service_get_ip4config(session->service);
index = __connman_ipconfig_get_index(ipconfig);
- ifname = connman_inet_ifname(index);
- addr = __connman_ipconfig_get_local(ipconfig);
- id = __connman_firewall_add_rule(session->fw, "nat", "POSTROUTING",
- "-o %s -j SNAT --to-source %s",
- ifname, addr);
- g_free(ifname);
- if (id < 0) {
- DBG("failed to add SNAT rule");
+ fw_snat = fw_snat_lookup(index);
+ if (fw_snat) {
+ fw_snat_ref(session, fw_snat);
return;
}
- err = __connman_firewall_enable_rule(session->fw, id);
- if (err < 0) {
- DBG("could not enable SNAT rule");
- __connman_firewall_remove_rule(session->fw, id);
- return;
- }
+ ifname = connman_inet_ifname(index);
+ addr = __connman_ipconfig_get_local(ipconfig);
+
+ err = fw_snat_create(session, index, ifname, addr);
+ if (err < 0)
+ DBG("failed to add SNAT rule");
- session->snat_id = id;
+ g_free(ifname);
}
static void cleanup_routing_table(struct connman_session *session)
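Review bot: `del_nat_rules()` looks up the entry by `session->index`, whereas `add_nat_rules()` registers it under the index read from the service's ipconfig; if the two ever differ, the unref never happens, the session stays in `fw_snat->sessions` and the rule is never removed. Reading the index from the same source in both functions, or recording the index used at create time in the session, keeps them in sync.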
@@ -445,6 +521,11 @@ static void update_routing_table(struct connman_session
*session)
add_default_route(session);
}
+static void cleanup_nat_rules(struct connman_session *session)
+{
+ del_nat_rules(session);
+}
+
static void update_nat_rules(struct connman_session *session)
{
del_nat_rules(session);
@@ -498,6 +579,7 @@ static void cleanup_session(gpointer user_data)
DBG("remove %s", session->session_path);
+ cleanup_nat_rules(session);
cleanup_routing_table(session);
cleanup_firewall_session(session);
--
2.5.5
------------------------------
Message: 7
Date: Fri, 22 Apr 2016 14:34:38 +0200
From: Daniel Wagner <[email protected]>
To: [email protected]
Cc: Daniel Wagner <[email protected]>
Subject: [PATCH v2 5/6] firewall: Add nftables build infrastructure
Message-ID: <[email protected]>
From: Daniel Wagner <[email protected]>
Introduce a --with-firewall configuration flag which defaults to
iptables. You can enable nftables by providing --with-firewall=nftables.
---
Makefile.am | 10 ++++++
configure.ac | 32 ++++++++++++++++---
src/firewall-nftables.c | 81 +++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 118 insertions(+), 5 deletions(-)
create mode 100644 src/firewall-nftables.c
diff --git a/Makefile.am b/Makefile.am
index 48188f9..9c13630 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -142,6 +142,11 @@ src_connmand_SOURCES += src/iptables.c
src/firewall-iptables.c
src_connmand_LDADD += @XTABLES_LIBS@
endif
+if NFTABLES
+src_connmand_SOURCES += src/firewall-nftables.c
+src_connmand_LDADD += @NFTABLES_LIBS@
+endif
+
if VPN
vpn_plugin_LTLIBRARIES =
@@ -262,6 +267,11 @@ AM_CFLAGS += @XTABLES_CFLAGS@
src_connmand_CFLAGS += @XTABLES_CFLAGS@
endif
+if NFTABLES
+AM_CFLAGS += @NFTABLES_CFLAGS@
+src_connmand_CFLAGS += @NFTABLES_CFLAGS@
+endif
+
EXTRA_DIST += vpn/vpn-dbus.conf vpn/vpn-polkit.conf
script_DATA =
diff --git a/configure.ac b/configure.ac
index 4a46437..d70703b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -265,11 +265,33 @@ if (test -n "${path_tmpfiles}"); then
AC_SUBST(SYSTEMD_TMPFILESDIR)
fi
-PKG_CHECK_MODULES(XTABLES, xtables >= 1.4.11, dummy=yes,
- AC_MSG_ERROR(Xtables library is required))
-AC_SUBST(XTABLES_CFLAGS)
-AC_SUBST(XTABLES_LIBS)
-AM_CONDITIONAL(XTABLES, test "${XTABLES}" != "no")
+AC_ARG_WITH(firewall, AC_HELP_STRING([--with-firewall=TYPE],
+ [specify which firewall type is used iptables or
nftables [default=iptables]]),
+ [firewall_type=${withval}],
+ [firewall_type="iptables"])
+
+if (test "${firewall_type}" != "iptables" -a \
+ "${firewall_type}" != "nftables"); then
+ AC_MSG_ERROR(neither nftables nor iptables support enabled)
+fi
+
+found_iptables="no"
+if (test "${firewall_type}" = "iptables"); then
+ PKG_CHECK_MODULES(XTABLES, xtables >= 1.4.11, [found_iptables="yes"],
+ AC_MSG_ERROR(Xtables library is required))
+ AC_SUBST(XTABLES_CFLAGS)
+ AC_SUBST(XTABLES_LIBS)
+fi
+AM_CONDITIONAL(XTABLES, test "${found_iptables}" != "no")
+
+found_nftables="no"
+if (test "${firewall_type}" = "nftables"); then
+ PKG_CHECK_MODULES(NFTABLES, [libnftnl >= 1.0.4 libmnl >= 1.0.0],
[found_nftables="yes"],
+ AC_MSG_ERROR([libnftnl >= 1.0.4 or libmnl >= 1.0.0 not found]))
+ AC_SUBST(NFTABLES_CFLAGS)
+ AC_SUBST(NFTABLES_LIBS)
+fi
+AM_CONDITIONAL(NFTABLES, test "${found_nftables}" != "no")
AC_ARG_ENABLE(test, AC_HELP_STRING([--enable-test],
[enable test/example scripts]), [enable_test=${enableval}])
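Review bot: the message in the type check, `neither nftables nor iptables support enabled`, does not describe what it detects, an unrecognised `--with-firewall` value; something like `unknown firewall type: ${firewall_type}` tells the user what went wrong. The libnftnl/libmnl failure text says `or`, but the check requires both libraries, so `and` is the accurate word. `AC_HELP_STRING` matches the existing `--enable-test` line, though `AS_HELP_STRING` is the current autoconf spelling.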
diff --git a/src/firewall-nftables.c b/src/firewall-nftables.c
new file mode 100644
index 0000000..df578fa
--- /dev/null
+++ b/src/firewall-nftables.c
@@ -0,0 +1,81 @@
+/*
+ *
+ * Connection Manager
+ *
+ * Copyright (C) 2016 BMW Car IT GmbH.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <errno.h>
+
+#include "connman.h"
+
+struct firewall_context *__connman_firewall_create(void)
+{
+ return NULL;
+}
+
+void __connman_firewall_destroy(struct firewall_context *ctx)
+{
+}
+
+int __connman_firewall_enable_nat(struct firewall_context *ctx,
+ char *address, unsigned char prefixlen,
+ char *interface)
+{
+ return -EPROTONOSUPPORT;
+}
+
+int __connman_firewall_disable_nat(struct firewall_context *ctx)
+{
+ return -EPROTONOSUPPORT;
+}
+
+int __connman_firewall_enable_snat(struct firewall_context *ctx,
+ int index, const char *ifname, const char *addr)
+{
+ return -EPROTONOSUPPORT;
+}
+
+int __connman_firewall_disable_snat(struct firewall_context *ctx)
+{
+ return -EPROTONOSUPPORT;
+}
+
+int __connman_firewall_enable_marking(struct firewall_context *ctx,
+ enum connman_session_id_type id_type,
+ char *id, uint32_t mark)
+{
+ return -EPROTONOSUPPORT;
+}
+
+int __connman_firewall_disable_marking(struct firewall_context *ctx)
+{
+ return -EPROTONOSUPPORT;
+}
+
+int __connman_firewall_init(void)
+{
+ return 0;
+}
+
+void __connman_firewall_cleanup(void)
+{
+}
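Review bot: `__connman_firewall_create()` returning NULL means every caller that uses the context without a NULL check (for example `fw_snat_create()` in patch 1/6 of this series) proceeds on a NULL pointer; the stub bodies here never dereference `ctx`, so it is harmless for now, but returning a small allocated context, or documenting that NULL is a valid handle for this backend, makes the contract explicit. Note also that the stub exposes `enable_snat`/`enable_marking` style entry points while session.c in 1/6 still calls `__connman_firewall_add_rule()`/`__connman_firewall_enable_rule()`; the patches that reconcile the two are not part of this digest.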
--
2.5.5
------------------------------
End of connman Digest, Vol 6, Issue 16