Send connman mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.01.org/mailman/listinfo/connman
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of connman digest..."


Today's Topics:

   1. [PATCH] iptables: Set ip6t_ip6 flags if IPv6 rule protocol is
      set. (Jussi Laakkonen)
   2. Re: [PATCHv2] iptables: Set protocol family in xtables setup.
      (Jussi Laakkonen)


----------------------------------------------------------------------

Message: 1
Date: Thu, 17 Jan 2019 16:01:41 +0200
From: Jussi Laakkonen <[email protected]>
To: [email protected]
Subject: [PATCH] iptables: Set ip6t_ip6 flags if IPv6 rule protocol is
        set.
Message-ID: <[email protected]>

The flags field is required to have IP6T_F_PROTO set if the protocol for an
IPv6 rule is being set (INCLUDEDIR/linux/netfilter_ipv6/ip6_tables.h).
Without this being set, ICMPv6 rules, for example, are installed to ip6tables
but no packet matches the rule, as the protocol check is skipped in the kernel.
---
 src/iptables.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/iptables.c b/src/iptables.c
index 305a553f..a3581d22 100644
--- a/src/iptables.c
+++ b/src/iptables.c
@@ -2978,6 +2978,10 @@ static int parse_xt_modules(int c, bool invert,
                        ctx->proto = IPPROTO_IPV6;
 
                fw6.ipv6.proto = ctx->proto;
+
+               /* Flags must be set for IPv6 if protocol is set. */
+               fw6.ipv6.flags |= IP6T_F_PROTO;
+
                break;
        default:
                return 0;
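Review bot: `fw6.ipv6.flags |= IP6T_F_PROTO;` ORs into `flags` and so relies on `fw6` having been zero-initialised before parse_xt_modules() runs, which this hunk does not show; worth a quick check that no stale flag bits can carry over from an earlier rule parsed through the same structure. The function also takes `invert` (visible in the `@@` line) but only `proto` and `flags` are touched here: if an inverted protocol match can reach this path, `fw6.ipv6.invflags` would need the matching IP6T_INV_PROTO bit too, since with IP6T_F_PROTO set the kernel otherwise compares the protocol for equality. Pointing the comment at the header the commit message cites would make the requirement easier to find later.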
@@ -3280,8 +3284,15 @@ static int parse_rule_spec(struct connman_iptables 
*table,
                                if (ctx->type == AF_INET)
                                        ctx->ip->proto = ctx->proto;
 
-                               if (ctx->type == AF_INET6)
+                               if (ctx->type == AF_INET6) {
                                        ctx->ipv6->proto = ctx->proto;
+
+                                       /*
+                                        * Flags must be set for IPv6 if
+                                        * protocol is set.
+                                        */
+                                       ctx->ipv6->flags |= IP6T_F_PROTO;
+                               }
                        }
                        break;
                case 'j':
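Review bot: the pair `ctx->ipv6->proto = ctx->proto;` / `ctx->ipv6->flags |= IP6T_F_PROTO;` now appears both here and in parse_xt_modules(), with the same comment; a small helper (a hypothetical set_ipv6_proto(struct ip6t_ip6 *, __u16), say) would keep the IP6T_F_PROTO invariant in one place so a third call site cannot forget it. If, as the commit message implies, the requirement is IPv6-only, the AF_INET branch just above needs no counterpart; saying so in the commit message would save the next reader the lookup.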
-- 
2.19.2
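
To make concrete what the commit message above describes, the kernel consulting a rule's protocol field only when IP6T_F_PROTO is set, here is an added stand-alone C example. It is not ConnMan code and not part of the patch. It uses a reduced stand-in for struct ip6t_ip6 whose IP6T_F_PROTO and IP6T_INV_PROTO values are copied from the kernel header (an assumption, so it builds without kernel headers), and rule_proto_matches() is my model of the kernel's protocol comparison, not the kernel function itself; rule_set_proto_unflagged() and rule_set_proto() stand for ConnMan's behaviour before and after the patch.

```c
#include <netinet/in.h>   /* IPPROTO_ICMPV6, IPPROTO_TCP */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Assumed stand-ins: the bit values are copied from
 * linux/netfilter_ipv6/ip6_tables.h so this builds without kernel headers.
 */
#define IP6T_F_PROTO   0x01  /* rule cares about the upper-layer protocol */
#define IP6T_INV_PROTO 0x40  /* invert the protocol test ("! -p proto") */

/* Reduced stand-in for the protocol-related fields of struct ip6t_ip6. */
struct rule_ipv6 {
	uint16_t proto;     /* 0 means "-p all" */
	uint8_t  flags;     /* IP6T_F_* bits */
	uint8_t  invflags;  /* IP6T_INV_* bits */
};

/*
 * Model of the kernel's protocol test for an IPv6 rule (the comparison
 * logic of ip6_packet_match() rewritten here, not the kernel function):
 * the proto field is consulted only when IP6T_F_PROTO is set.
 */
bool rule_proto_matches(const struct rule_ipv6 *r, uint8_t protohdr)
{
	if (!(r->flags & IP6T_F_PROTO))
		return true;            /* no flag: protocol is never compared */

	if (r->proto == protohdr)
		return !(r->invflags & IP6T_INV_PROTO);

	/* "-p all" (proto 0) and inverted rules still match at this point. */
	if (r->proto != 0 && !(r->invflags & IP6T_INV_PROTO))
		return false;
	return true;
}

/* Behaviour before the patch: proto stored, flags left alone. */
void rule_set_proto_unflagged(struct rule_ipv6 *r, uint16_t proto)
{
	r->proto = proto;
}

/* The patched behaviour: proto stored and IP6T_F_PROTO OR'ed into flags. */
void rule_set_proto(struct rule_ipv6 *r, uint16_t proto)
{
	r->proto = proto;
	r->flags |= IP6T_F_PROTO;
}

/* Constructed scenarios: a "-p icmpv6" rule tested against packets. */
bool unflagged_icmpv6_rule_matches_tcp(void)
{
	struct rule_ipv6 r = {0};
	rule_set_proto_unflagged(&r, IPPROTO_ICMPV6);
	return rule_proto_matches(&r, IPPROTO_TCP);   /* true: check skipped */
}

bool flagged_icmpv6_rule_matches_tcp(void)
{
	struct rule_ipv6 r = {0};
	rule_set_proto(&r, IPPROTO_ICMPV6);
	return rule_proto_matches(&r, IPPROTO_TCP);   /* false */
}

bool flagged_icmpv6_rule_matches_icmpv6(void)
{
	struct rule_ipv6 r = {0};
	rule_set_proto(&r, IPPROTO_ICMPV6);
	return rule_proto_matches(&r, IPPROTO_ICMPV6); /* true */
}

/* "! -p icmpv6": the flag plus the inversion bit. */
bool inverted_icmpv6_rule_matches(uint8_t protohdr)
{
	struct rule_ipv6 r = {0};
	rule_set_proto(&r, IPPROTO_ICMPV6);
	r.invflags |= IP6T_INV_PROTO;
	return rule_proto_matches(&r, protohdr);
}

int main(void)
{
	printf("ICMPv6 rule, no flag, TCP packet matches:     %s\n",
	       unflagged_icmpv6_rule_matches_tcp() ? "yes" : "no");
	printf("ICMPv6 rule, flag set, TCP packet matches:    %s\n",
	       flagged_icmpv6_rule_matches_tcp() ? "yes" : "no");
	printf("ICMPv6 rule, flag set, ICMPv6 packet matches: %s\n",
	       flagged_icmpv6_rule_matches_icmpv6() ? "yes" : "no");
	return 0;
}
```

The model only covers the protocol comparison, which is skipped outright when the flag is missing; the commit message reports the net effect on real ICMPv6 rules as matching nothing. Either way the rule shows up in the ip6tables listing yet does not behave as written, which is the kind of silent failure only a packet-level test or a look at the rule counters reveals.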



------------------------------

Message: 2
Date: Thu, 17 Jan 2019 17:26:03 +0200
From: Jussi Laakkonen <[email protected]>
To: [email protected]
Subject: Re: [PATCHv2] iptables: Set protocol family in xtables setup.
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8; format=flowed

Hello all,

As it turned out, this problem existed because iptables does not fully 
support changing between IP families when used within one session. We 
use iptables 1.6.1 and needed to create a patch for our iptables: 
https://git.merproject.org/mer-core/iptables/commit/2b90df004ab0e4e37cf60a2ab8b331a78d0e1f61#584c4bcf465ca193a1884af9ddb8b0880e242277
that explains the issue in full.

This required no changes to connman, although an issue with ip6tables 
protocol detection was noticed (and a patch provided).

There is no fix for this issue in upstream iptables. It apparently 
concerns use of iptables with shared libraries, as it is in our case. 
That patch above could be submitted to iptables as well but in our use 
case, testing with iptables 1.8.x is not feasible just yet.

So, in summary: if there are problems with iptables use in connman, check 
whether the above patch to iptables solves the issue.

Sincerely,
  Jussi Laakkonen



On 12/17/18 5:56 PM, Jussi Laakkonen wrote:
> I noticed that this is actually wrong. Please feel free to ignore this.
> 
> The problem lies elsewhere. This would change the family for existing 
> matches as well which is not desired.
> 
>  - Jussi
> 
> On 12/12/18 6:47 PM, Jussi Laakkonen wrote:
>> When xtables loads a library for a match (-m) the protocol family is
>> used to get a correct version loaded. If a change has been made using a
>> match modifier in iptables rule with, e.g., IPv4 protocol family the
>> global xtables_matches array holding xtables_match structures is not
>> reset or changed (at least in iptables 1.6.1) to IPv6 when
>> xtables_init_all() (or any of the initialization functions) is called.
>>
>> This commit fixes the issue of not being able to set some IPv6 rules
>> after IPv4 rules with matches have been set (or the other way around).
>> The family for the global variable xtables_matches has to be explicitly
>> updated when changing between IP protocol families.
>>
>> Otherwise adding the following rules would result in a failure, where
>> iptables calls exit() on ConnMan on the IPv6 rule:
>>
>> __connman_firewall_add_rule(ctx, "filter", "INPUT", "-m conntrack
>> --ctstate ESTABLISHED,RELATED -j ACCEPT");
>> __connman_firewall_add_ipv6_rule(ctx, "filter", "INPUT", "-m conntrack
>> --ctstate ESTABLISHED,RELATED -j ACCEPT");
>>
>> Depending on the match type, iptables may result in an error. The exit()
>> is called if the required library for the match cannot be loaded. This
>> change makes it possible to avoid such situations.
>> ---
>>  src/iptables.c | 8 ++++++++
>>  1 file changed, 8 insertions(+)
>>
>> diff --git a/src/iptables.c b/src/iptables.c
>> index 305a553f..a188f99a 100644
>> --- a/src/iptables.c
>> +++ b/src/iptables.c
>> @@ -3330,6 +3330,7 @@ static int current_type = -1;
>> ? static int setup_xtables(int type)
>> ? {
>> ????? int err;
>> +??? struct xtables_match *xt_m;
>> ????? DBG("%d", type);
>> @@ -3351,6 +3352,13 @@ static int setup_xtables(int type)
>> ????? }
>>
>> ????? if (!err) {
>> +??????? /*
>> +???????? * Set the match type, otherwise loading of matches in xtables
>> +???????? * will fail when IP protocol family has changed.
>> +???????? */
>> +??????? for (xt_m = xtables_matches; xt_m; xt_m = xt_m->next)
>> +??????????? xt_m->family = type;
>> +
>> ????????? current_type = type;
>> ????? } else {
>> ????????? connman_error("error initializing xtables");
>>
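Review bot: the loop `for (xt_m = xtables_matches; xt_m; xt_m = xt_m->next)` / `xt_m->family = type;` rewrites the family of every entry in libxtables' global match list, not only the matches about to be loaded, so matches already registered for the previous family (and relied on by rules set up earlier in the session) are silently relabelled; as the follow-up in this thread says, that is not the intended effect. Fixing the family handling on the iptables side, which the reply reports was the route eventually taken, avoids touching existing entries from ConnMan at all.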


------------------------------

End of connman Digest, Vol 39, Issue 6
**************************************