Date: Mon, 17 Dec 2018 17:56:09 +0200
From: Jussi Laakkonen <[email protected]>
To: [email protected]
Subject: Re: [PATCHv2] iptables: Set protocol family in xtables setup.
I noticed that this is actually wrong. Please feel free to ignore this.
The problem lies elsewhere. This would change the family for existing
matches as well which is not desired.
- Jussi
On 12/12/18 6:47 PM, Jussi Laakkonen wrote:
> When xtables loads a library for a match (-m) the protocol family is
> used to get a correct version loaded. If a change has been made using a
> match modifier in an iptables rule with, e.g., the IPv4 protocol family the
> global xtables_matches array holding xtables_match structures is not
> reset or changed (at least in iptables 1.6.1) to IPv6 when
> xtables_init_all() (or any of the initialization functions) is called.
>
> This commit fixes the issue of not being able to set some IPv6 rules
> after IPv4 rules with matches have been set (or the other way around).
> The family for the global variable xtables_matches has to be explicitly
> updated when changing between IP protocol families.
>
> Otherwise adding the following rules would result in a failure, where
> iptables calls exit() on ConnMan on the IPv6 rule:
>
> __connman_firewall_add_rule(ctx, "filter", "INPUT", "-m conntrack
> --ctstate ESTABLISHED,RELATED -j ACCEPT");
> __connman_firewall_add_ipv6_rule(ctx, "filter", "INPUT", "-m conntrack
> --ctstate ESTABLISHED,RELATED -j ACCEPT");
>
> Depending on the match type, iptables may result in an error. The exit()
> is called if the required library for the match cannot be loaded. This
> change makes it possible to avoid such situations.
> ---
> src/iptables.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/src/iptables.c b/src/iptables.c
> index 305a553f..a188f99a 100644
> --- a/src/iptables.c
> +++ b/src/iptables.c
> @@ -3330,6 +3330,7 @@ static int current_type = -1;
> static int setup_xtables(int type)
> {
> int err;
> + struct xtables_match *xt_m;
>
> DBG("%d", type);
>
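Review bot: the new `struct xtables_match *xt_m;` declared at the top of `setup_xtables()` is only used inside the `if (!err)` block in the following hunk; keeping it next to `int err;` matches the existing declare-at-top style of the function, but if the code base accepts block-scoped declarations, declaring it inside that block would keep the walk over the match list local to the one place that needs it and make clear that nothing else in the function relies on it.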
> @@ -3351,6 +3352,13 @@ static int setup_xtables(int type)
> }
>
> if (!err) {
> + /*
> + * Set the match type, otherwise loading of matches in xtables
> + * will fail when IP protocol family has changed.
> + */
> + for (xt_m = xtables_matches; xt_m; xt_m = xt_m->next)
> + xt_m->family = type;
> +
> current_type = type;
> } else {
> connman_error("error initializing xtables");
>
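Review bot: the loop added after `if (!err) {` rewrites `xt_m->family` for every entry on the global `xtables_matches` list, so a match that was registered for the other protocol family is relabelled with the new family without being reloaded, rather than only the matches that still need to be resolved for the new family being touched; this is the concern the author raises in the reply above and the reason the patch is withdrawn, so the fix needs to target the stale entries (or force a reload) instead of flipping the family on all of them. Two smaller points on the same hunk: the comment says "Set the match type" while the code sets the family, so the wording should say family, and since only `DBG("%d", type)` and `current_type = type;` are visible here, it is worth confirming that `type` carries the protocol family value that `xtables_match.family` expects and not a ConnMan-internal type identifier.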
connman mailing list
https://lists.01.org/mailman/listinfo/connman
End of connman Digest, Vol 38, Issue 6