Send connman mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.01.org/mailman/listinfo/connman
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of connman digest..."


Today's Topics:

   1. [PATCH v4 5/8] session: Add source ip rule (Lukasz Nowak)
   2. [PATCH v4 6/8] session: Remove old session rules and routes
      after a config change (Lukasz Nowak)
   3. [PATCH v4 7/8] client: Add session source ip rule (Lukasz Nowak)
   4. [PATCH v4 8/8] doc: Session multi-interface routing (Lukasz Nowak)
   5. Re: [PATCH] service: Add EnableOnlineCheck config option
      (Lukasz Nowak)
   6. [PATCH] service: Add EnableOnlineCheck config option
      (Ingo Albrecht)


----------------------------------------------------------------------

Message: 1
Date: Tue, 31 Jan 2017 14:13:07 +0000
From: Lukasz Nowak <[email protected]>
To: [email protected]
Subject: [PATCH v4 5/8] session: Add source ip rule
Message-ID: <[email protected]>

From: Lukasz Nowak <[email protected]>

Implement an option for a session to enable packet filtering
based on interface source ip address. This allows an application
to create a session, and direct traffic to a specific network
interface, on which the session is connected.

Applications can use bind before connect on a socket to specify
the source ip address.

This mechanism re-uses the routing table created by the session,
iproute fwmark rule, and adds a new iptables source ip rule.
---
 include/session.h |  1 +
 src/session.c     | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++-----
 2 files changed, 71 insertions(+), 6 deletions(-)

diff --git a/include/session.h b/include/session.h
index e8d7e93..48f1510 100644
--- a/include/session.h
+++ b/include/session.h
@@ -66,6 +66,7 @@ struct connman_session_config {
        bool ecall;
        GSList *allowed_bearers;
        char *allowed_interface;
+       bool source_ip_rule;
 };
 
 typedef int (* connman_session_config_func_t) (struct connman_session *session,
diff --git a/src/session.c b/src/session.c
index b7a2808..7ccf4ef 100644
--- a/src/session.c
+++ b/src/session.c
@@ -273,21 +273,33 @@ static int init_firewall_session(struct connman_session 
*session)
 {
        struct firewall_context *fw;
        int err;
+       struct connman_ipconfig *ipconfig = NULL;
+       const char *addr = NULL;
 
-       if (session->policy_config->id_type == CONNMAN_SESSION_ID_TYPE_UNKNOWN)
+       if (session->policy_config->id_type == CONNMAN_SESSION_ID_TYPE_UNKNOWN 
&&
+                       !session->info->config.source_ip_rule)
                return 0;
 
        DBG("");
 
+       if (session->info->config.source_ip_rule) {
+               ipconfig = __connman_service_get_ip4config(session->service);
+               if (session->policy_config->id_type == 
CONNMAN_SESSION_ID_TYPE_UNKNOWN && !ipconfig)
+                       return 0;
+       }
+
        fw = __connman_firewall_create();
        if (!fw)
                return -ENOMEM;
 
+       if (session->info->config.source_ip_rule && ipconfig) {
+               addr = __connman_ipconfig_get_local(ipconfig);
+       }
+
        err =__connman_firewall_enable_marking(fw,
                                        session->policy_config->id_type,
                                        session->policy_config->id,
-                                       NULL,
-                                       session->mark);
+                                       addr, session->mark);
        if (err < 0) {
                __connman_firewall_destroy(fw);
                return err;
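Review bot: `__connman_service_get_ip4config(session->service)` is called here without checking `session->service`, while the init_routing_table change in this same patch adds an explicit `if (!session->service) return 0;` guard; add the same guard before the ipconfig lookup. A second gap: `__connman_ipconfig_get_local()` can leave `addr` NULL when the interface has an ipconfig but no address assigned yet, and in the id_type UNKNOWN case the code then falls through to `__connman_firewall_enable_marking()` with neither an id nor an address to match on. Treat a NULL `addr` like the `!ipconfig` case and return 0, so no marking rule is installed until the session actually has a source address to key it on.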
@@ -314,7 +326,11 @@ static int init_routing_table(struct connman_session 
*session)
 {
        int err;
 
-       if (session->policy_config->id_type == CONNMAN_SESSION_ID_TYPE_UNKNOWN)
+       if (session->policy_config->id_type == CONNMAN_SESSION_ID_TYPE_UNKNOWN 
&&
+                       !session->info->config.source_ip_rule)
+               return 0;
+
+       if (!session->service)
                return 0;
 
        DBG("");
@@ -432,9 +448,16 @@ static void cleanup_routing_table(struct connman_session 
*session)
        del_default_route(session);
 }
 
+static void update_firewall(struct connman_session *session)
+{
+       cleanup_firewall_session(session);
+       init_firewall_session(session);
+}
+
 static void update_routing_table(struct connman_session *session)
 {
-       del_default_route(session);
+       cleanup_routing_table(session);
+       init_routing_table(session);
        add_default_route(session);
 }
 
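Review bot: update_routing_table() ignores the int returned by init_routing_table() and calls add_default_route() unconditionally, so a failed table setup still gets a default route added on top of it; update_firewall() likewise drops the return value of init_firewall_session(). Suggest `if (init_routing_table(session) < 0) return;` before add_default_route(), and at least a DBG of the error in update_firewall(), so a session that could not get its rules does not silently end up half-configured.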
@@ -521,6 +544,7 @@ struct creation_data {
        enum connman_session_type type;
        GSList *allowed_bearers;
        char *allowed_interface;
+       bool source_ip_rule;
 };
 
 static void cleanup_creation_data(struct creation_data *creation_data)
@@ -898,6 +922,17 @@ static void append_notify(DBusMessageIter *dict,
                info_last->config.allowed_interface = 
info->config.allowed_interface;
        }
 
+       if (session->append_all ||
+                       info->config.source_ip_rule != 
info_last->config.source_ip_rule) {
+               dbus_bool_t source_ip_rule = FALSE;
+               if (info->config.source_ip_rule)
+                       source_ip_rule = TRUE;
+               connman_dbus_dict_append_basic(dict, "SourceIPRule",
+                                               DBUS_TYPE_BOOLEAN,
+                                               &source_ip_rule);
+               info_last->config.source_ip_rule = info->config.source_ip_rule;
+       }
+
        session->append_all = false;
 }
 
@@ -918,7 +953,8 @@ static bool compute_notifiable_changes(struct 
connman_session *session)
 
        if (info->config.allowed_bearers != info_last->config.allowed_bearers ||
                        info->config.type != info_last->config.type ||
-                       info->config.allowed_interface != 
info_last->config.allowed_interface)
+                       info->config.allowed_interface != 
info_last->config.allowed_interface ||
+                       info->config.source_ip_rule != 
info_last->config.source_ip_rule)
                return true;
 
        return false;
@@ -1166,6 +1202,17 @@ static DBusMessage *change_session(DBusConnection *conn,
                        goto err;
                }
                break;
+       case DBUS_TYPE_BOOLEAN:
+               if (g_str_equal(name, "SourceIPRule")) {
+                       dbus_bool_t source_ip_rule;
+                       dbus_message_iter_get_basic(&value, &source_ip_rule);
+
+                       info->config.source_ip_rule = source_ip_rule;
+                       update_session_state(session);
+               } else {
+                       goto err;
+               }
+               break;
        default:
                goto err;
        }
@@ -1267,6 +1314,7 @@ static int session_policy_config_cb(struct 
connman_session *session,
                goto err;
 
        session->policy_config = config;
+       session->info->config.source_ip_rule = creation_data->source_ip_rule;
 
        session->mark = session_mark++;
        session->index = -1;
@@ -1332,6 +1380,7 @@ static int session_policy_config_cb(struct 
connman_session *session,
        info_last->config.roaming_policy = info->config.roaming_policy;
        info_last->config.allowed_bearers = info->config.allowed_bearers;
        info_last->config.allowed_interface = info->config.allowed_interface;
+       info_last->config.source_ip_rule = info->config.source_ip_rule;
 
        session->append_all = true;
 
@@ -1426,7 +1475,21 @@ int __connman_session_create(DBusMessage *msg)
                                err = -EINVAL;
                                goto err;
                        }
+                       break;
+               case DBUS_TYPE_BOOLEAN:
+                       if (g_str_equal(key, "SourceIPRule")) {
+                               dbus_bool_t source_ip_rule;
+                               dbus_message_iter_get_basic(&value, 
&source_ip_rule);
+                               creation_data->source_ip_rule = source_ip_rule;
+                       } else {
+                               err = -EINVAL;
+                               goto err;
+                       }
+                       break;
+               default:
+                       goto err;
                }
+
                dbus_message_iter_next(&array);
        }
 
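Review bot: the new `default: goto err;` arm does not set `err`, unlike the other error paths in this hunk (`err = -EINVAL; goto err;` in both the string and the boolean branches), so a creation request carrying an unexpected value type jumps to the error label with whatever `err` held before, possibly 0. Add `err = -EINVAL;` to the default arm so the caller gets a real error for a malformed settings dictionary.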
@@ -1610,6 +1673,7 @@ static void update_session_state(struct connman_session 
*session)
 
        DBG("session %p state %s", session, state2string(state));
 
+       update_firewall(session);
        update_routing_table(session);
        update_nat_rules(session);
        session_notify(session);
-- 
2.7.4



------------------------------

Message: 2
Date: Tue, 31 Jan 2017 14:13:08 +0000
From: Lukasz Nowak <[email protected]>
To: [email protected]
Subject: [PATCH v4 6/8] session: Remove old session rules and routes
        after a config change
Message-ID: <[email protected]>

From: Lukasz Nowak <[email protected]>

When a session disconnects due to a config change:
- AllowedBearers does not contain a connected service
- AllowedInterface is not in a connected service

several objects created by the session's previous config do not
get removed:
- iproute2 fwmark/table rules
- firewall fwmark rules
- session's routing table

This change cleans up state of the session correctly on each config change.
---
 src/session.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/session.c b/src/session.c
index 7ccf4ef..c6a160a 100644
--- a/src/session.c
+++ b/src/session.c
@@ -1158,6 +1158,7 @@ static DBusMessage *change_session(DBusConnection *conn,
 
                        session->active = false;
                        session_deactivate(session);
+                       update_session_state(session);
 
                        g_slist_free(info->config.allowed_bearers);
                        session->user_allowed_bearers = allowed_bearers;
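Review bot: update_session_state() now runs right after session_deactivate(), while the old allowed_bearers are still in place (they are replaced only a few lines further down). If the intent is to tear down the fwmark rules and routing table built from the previous config before the new one is applied, as the commit message says, a one-line comment stating that would stop the next reader from "fixing" the ordering by moving the call below the assignment.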
@@ -1185,6 +1186,7 @@ static DBusMessage *change_session(DBusConnection *conn,
 
                        session->active = false;
                        session_deactivate(session);
+                       update_session_state(session);
 
                        g_free(session->user_allowed_interface);
                        /* empty string means allow any interface */
-- 
2.7.4



------------------------------

Message: 3
Date: Tue, 31 Jan 2017 14:13:09 +0000
From: Lukasz Nowak <[email protected]>
To: [email protected]
Subject: [PATCH v4 7/8] client: Add session source ip rule
Message-ID: <[email protected]>

From: Lukasz Nowak <[email protected]>

Add a session config field to enable/disable creation of the
source ip rule in iptables by a session.
---
 client/commands.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/client/commands.c b/client/commands.c
index c41e9b4..583095b 100644
--- a/client/commands.c
+++ b/client/commands.c
@@ -1897,6 +1897,7 @@ static int session_config(char *args[], int num,
        struct config_append append;
        char c;
        char *ifname;
+       dbus_bool_t source_ip_rule;
 
        while (index < num && args[index]) {
                append.opts = &args[index];
@@ -1935,6 +1936,29 @@ static int session_config(char *args[], int num,
                                        DBUS_TYPE_STRING, &ifname);
                        append.values = 2;
                        break;
+               case 's':
+                       if (!args[index + 1]) {
+                               res = -EINVAL;
+                               break;
+                       }
+                       switch (parse_boolean(args[index + 1])) {
+                       case 1:
+                               source_ip_rule = TRUE;
+                               break;
+                       case 0:
+                               source_ip_rule = FALSE;
+                               break;
+                       default:
+                               res = -EINVAL;
+                               break;
+                       }
+
+                       res = __connmanctl_dbus_session_change(connection,
+                                       session_path, session_config_return,
+                                       "SourceIPRule", "SourceIPRule",
+                                       DBUS_TYPE_BOOLEAN, &source_ip_rule);
+                       append.values = 2;
+                       break;
 
                default:
                        res = -EINVAL;
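Review bot: in the new `case 's'`, the `default` arm of the inner `switch (parse_boolean(...))` only sets `res = -EINVAL` and breaks out of the inner switch, so execution continues into `__connmanctl_dbus_session_change()` with `source_ip_rule` uninitialised and `res` overwritten by that call's return value; an unrecognised argument is therefore sent to connmand as an arbitrary boolean instead of being rejected. Suggest checking the parse result before the D-Bus call, e.g. `int v = parse_boolean(args[index + 1]); if (v != 0 && v != 1) { res = -EINVAL; break; } source_ip_rule = v ? TRUE : FALSE;`.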
@@ -2223,6 +2247,7 @@ static struct connman_option session_options[] = {
        {"bearers", 'b', "<technology1> [<technology2> [...]]"},
        {"type", 't', "local|internet|any"},
        {"ifname", 'i', "[<interface_name>]"},
+       {"srciprule", 's', "yes|no"},
        { NULL, }
 };
 
-- 
2.7.4



------------------------------

Message: 4
Date: Tue, 31 Jan 2017 14:13:10 +0000
From: Lukasz Nowak <[email protected]>
To: [email protected]
Subject: [PATCH v4 8/8] doc: Session multi-interface routing
Message-ID: <[email protected]>

From: Lukasz Nowak <[email protected]>

Update session overview and API documents to demonstrate how sessions
can be used to maintain multiple connections in parallel.
---
 doc/session-api.txt      | 23 +++++++++++++++++++++++
 doc/session-overview.txt | 31 +++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)

diff --git a/doc/session-api.txt b/doc/session-api.txt
index 3aac535..e8da522 100644
--- a/doc/session-api.txt
+++ b/doc/session-api.txt
@@ -182,3 +182,26 @@ Settings   string State [readonly]
                        (This setting will be removed when the unique process
                        identification problem is solved.)
 
+               string AllowedInterface [readwrite] [experimental]
+
+                       This field is used to bind a session to a specific
+                       network interface. If this field is empty, the first
+                       interface from a list of available ones will be used.
+                       Also "*" string matches any interface.
+
+                       Only one interface may be specified.
+
+                       If a specified network interface is not available
+                       (e.g. because AllowedBearers filters it out), the
+                       session will not go online.
+
+               boolean SourceIPRule [readwrite] [experimental]
+
+                       If set to true the session will create source IP
+                       address rule in the firewall, which redirects traffic
+                       to that session's routing table.
+
+                       Each session maintains a dedicated routing table, with
+                       a default route. When the source IP rule is enabled,
+                       an application can select which session/interface to
+                       send traffic on, using bind-before-connect mechanism.
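Review bot: the SourceIPRule entry should say what the rule matches on. With this series the rule is keyed on the interface's source address and, per the init_firewall_session change in 5/8, it is installed even when the session has no owner id (id_type UNKNOWN), so any local process that binds a socket to that address, not only the application that created the session, is routed through the session's table. One sentence stating that here would let integrators judge whether that is acceptable on their system. Also grammar: "will create a source IP address rule" and "using the bind-before-connect mechanism".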
diff --git a/doc/session-overview.txt b/doc/session-overview.txt
index 2393167..976c351 100644
--- a/doc/session-overview.txt
+++ b/doc/session-overview.txt
@@ -92,3 +92,34 @@ The default session configuration does not enable the per 
application
 routing. Sessions are still useful in this setup, because the
 notification of sessions is still available, e.g. the online/offline
 notification.
+
+
+Multiple per-session routing tables
+===================================
+
+Sessions can be used in an environment with multiple network interfaces,
+where an application needs to direct outside traffic through a selected
+interface(s). ConnMan can maintain multiple sessions in a connected
+stated, and the application can dynamically, on a per-socket basis,
+select which session is used to route traffic.
+
+Example use cases are:
+- monitoring liveness of multiple connected interfaces, by sending
+  end-to-end heartbeat traffic on all of them in parallel.
+- prioritising traffic - e.g. sensitive data can be transferred over a slow,
+  but secure connection, while big, public downloads use a second session
+
+By default, ConnMan maintains only one online service. So it is impossible
+to send external traffic (routed through a gateway) on multiple interfaces.
+In order to enable this functionality, an application needs to issue the
+following API calls:
+- create multiple sessions, one for each interface to be used
+- set each session's AllowedInterface config field to the required interface
+  name (eth0, eth1, wlan0, ppp0, etc.)
+- set each session's SourceIPRule config field to true
+- connect each session (or the service it is using)
+
+That will instruct ConnMan to create multiple routing tables, with default
+routes in them. After that, the application can issue a bind() call on each
+socket, using required interface's source IP address. The bind() call must
+be made before a connect() call on a socket.
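Review bot: typo in the first paragraph, "in a connected stated" should be "in a connected state", and "a selected interface(s)" reads better as "selected interfaces". The "prioritising traffic" example should also make the failure mode explicit: only a socket that has been bind()ed to the interface's address is steered onto that session, so a socket that is connected without the bind still leaves by the default route, regardless of which sessions exist. Stating that beside the use case keeps readers from assuming the session alone confines sensitive traffic to the secure link.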
-- 
2.7.4
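The bind-before-connect step that the overview above describes, as an added example that is not part of these patches or of ConnMan; it uses 127.0.0.1 as a stand-in for a session's interface address so it runs offline, without connmand.

```c
/* Added example, not ConnMan code: the application side of SourceIPRule.
 * The session's rule matches the interface's source address, so an app picks
 * that session by bind()ing to it before connect(); 127.0.0.1 stands in here. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Connect to dst_ip:dst_port with the source address fixed to src_ip.
 * Returns the connected fd, or -1 on any failure. */
int connect_from_source(const char *src_ip, const char *dst_ip,
                        unsigned short dst_port)
{
    struct sockaddr_in src = { .sin_family = AF_INET };
    struct sockaddr_in dst = { .sin_family = AF_INET,
                               .sin_port = htons(dst_port) };
    int fd;

    if (inet_pton(AF_INET, src_ip, &src.sin_addr) != 1 ||
        inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1)
        return -1;
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    /* bind() first (port 0 = any port) so the kernel sends from src_ip and
     * the session's source-IP mark rule steers the flow into its table. */
    if (bind(fd, (struct sockaddr *)&src, sizeof(src)) < 0 ||
        connect(fd, (struct sockaddr *)&dst, sizeof(dst)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Offline check: listen on 127.0.0.1:<ephemeral port>, connect with the
 * bound source, then confirm via getsockname() that the kernel used it.
 * Returns 1 on a verified match, 0 on any failure or mismatch. */
int demo_loopback(void)
{
    struct sockaddr_in srv = { .sin_family = AF_INET }, local;
    socklen_t len = sizeof(srv);
    char seen[INET_ADDRSTRLEN];
    int lfd, cfd, ok = 0;

    inet_pton(AF_INET, "127.0.0.1", &srv.sin_addr);
    lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0)
        return 0;
    if (bind(lfd, (struct sockaddr *)&srv, len) == 0 && listen(lfd, 1) == 0 &&
        getsockname(lfd, (struct sockaddr *)&srv, &len) == 0) {
        cfd = connect_from_source("127.0.0.1", "127.0.0.1",
                                  ntohs(srv.sin_port));
        if (cfd >= 0) {
            len = sizeof(local);
            if (getsockname(cfd, (struct sockaddr *)&local, &len) == 0 &&
                inet_ntop(AF_INET, &local.sin_addr, seen, sizeof(seen)))
                ok = strcmp(seen, "127.0.0.1") == 0;
            close(cfd);
        }
    }
    close(lfd);
    return ok;
}
```

On a real multi-interface host the same call with the address of the interface a session owns is what selects that session's routing table; a socket connected without the bind still takes the default route.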



------------------------------

Message: 5
Date: Tue, 31 Jan 2017 15:30:23 +0000
From: Lukasz Nowak <[email protected]>
To: Daniel Wagner <[email protected]>
Cc: [email protected]
Subject: Re: [PATCH] service: Add EnableOnlineCheck config option
Message-ID: <[email protected]>
Content-Type: text/plain; charset=windows-1252

Hi Daniel,

On 31/01/17 07:48, Daniel Wagner wrote:
> Hi Lukasz,
> 
> On Mon, Jan 30, 2017 at 02:55:53PM +0000, Lukasz Nowak wrote:
>> The --disable-wispr switch does not disable the online http check.
>> The src/wispr.c is executed unconditionally from service.c right now.
> 
> I see. I think we should then fix --disable-wispr instead of adding
> a configuration option. Since we already have a wispr.c file, I
> suggest moving the wispr code from service.c to wispr.c, so that we
> have something like:
> 
> int __connman_service_ipconfig_indicate_state(...)
> {
> 
> [...]
> 
>       case CONNMAN_SERVICE_STATE_READE:
>               __connman_wispr_check_portal(service, type); /* a better name 
> needed */
> 
> [...]
> 
> }
> 
> and we either add to wispr.c a version for --disable-wispr in a #ifdef
> block, or maybe even better have a wispr-disabled.c (better name) which
> contains just the READY to ONLINE transition. And the configure
> script just adds one or the other to the build.

If that's the decision, I can code it this way, no problem, in the next few days.

> 
> BTW, there are also a couple more __connman_wispr_start() calls
> in the service.c file. Those also need to be addressed.

If we provide a new implementation of __connman_wispr_start() which always calls
__connman_service_ipconfig_indicate_state(CONNMAN_SERVICE_STATE_ONLINE),
all the cases will be handled.

As far as I can see, the only other scenario in which __connman_wispr_start()
is called is when "Nameservers.Configuration" is changed.

There are also two other places, but they are really the same scenario:
- from redo_wispr(), which can only happen when a previous
  __connman_wispr_start() fails, which will not happen after the change
- from __connman_wpad_start(), which can only be called in the same scenario,
  when a service transitions to READY state

> 
> Thanks,
> Daniel
> 


------------------------------

Message: 6
Date: Tue, 31 Jan 2017 20:29:16 +0100
From: "Ingo Albrecht" <[email protected]>
To: [email protected]
Subject: [PATCH] service: Add EnableOnlineCheck config option
Message-ID: <trinity-00239099-8226-4c6c-92be-76408e6cec18-1485890956596@3capp-gmx-bs23>
Content-Type: text/plain; charset=UTF-8

> Hi Lukasz,
>
> On 01/26/2017 06:51 PM, Lukasz Nowak wrote:
>> From: Lukasz Nowak <lnowak at tycoint.com>
>>
>> Global config option, which allows to enable/disable (enabled by default)
>> use of http get in wispr to transition a default service from READY to
>> ONLINE state.
>
> Isn't
>
>   ./configure   --disable-wispr
>
> good enough?
>
> Thanks,
> Daniel

Hi,

No, it isn't.
In fact the online check as it is done so far (default enabled, no option to 
turn it off, no mention of it in the manpage, no privacy policy available for 
the nginx server replying on how it cycles logs) can quickly get this project 
into trouble. The current implementation clearly violates privacy laws (EU-wide 
for starters).

You clearly should not only implement a user-configurable option for it, but 
also default it to off (default off gets you a consent of the user to the use 
of the online check service).

I can give you more input on the why, if you require it. But this case is 
_very_ clear.

Regards,
Ingo


------------------------------


------------------------------

End of connman Digest, Vol 15, Issue 42
***************************************
