incorrect iptables rule deletion for session fwmarks
by Dragos Tatulea
Hi,
I'm playing around with connman 1.31 and sessions with user policies. I have
observed a case where deletion of iptables fwmark rules doesn't work as
expected. The wrong rule gets deleted.
With connman running, I create the following sessions:
#> ./connman/test/test-session create /foo session0
#> ./connman/test/test-session create /foo session1
#> iptables -t mangle -L
...
Chain connman-OUTPUT (1 references)
target prot opt source destination
MARK all -- anywhere anywhere owner UID match vagrant MARK set 0x100
MARK all -- anywhere anywhere owner UID match vagrant MARK set 0x101
...
#> ./connman/test/test-session destroy /foo session1
...
Chain connman-OUTPUT (1 references)
target prot opt source destination
MARK all -- anywhere anywhere owner UID match vagrant MARK set 0x101
...
I would expect that the rule with mark 0x100 would be deleted. The commands
are being run as user vagrant. The policy file looks like this:
#> cat /usr/local/var/lib/connman/session_policy_local/vagrant.policy
[policy_vagrant]
uid = vagrant
ConnectionType = any
AllowedBearers = ethernet
As you can see from the path, I'm running connman in maintainer mode.
So, is this expected behavior? This might be harmless in general. I'm
working on having per session multipath routes installed. In that case,
getting the fwmark right is important.
Thank you
--
Dragos Tatulea
Software Developer @ Endocode AG
dragos(a)endocode.com
Endocode AG, Brückenstraße 5A, 10179 Berlin
+49 30 1206 4472 | info(a)endocode.com | www.endocode.com
Vorstandsvorsitzender: Mirko Boehm
Vorstände: Dr. Karl Beecher, Dr. Thomas Fricke, Sebastian Sucker
Aufsichtsratsvorsitzende: Alexandra Boehm
Registergericht: Amtsgericht Charlottenburg - HRB 150748 B
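A practitioner debugging the report above wants two things: a mechanical way to tell which mark actually disappeared between the two `iptables -t mangle -L` snapshots, and a reminder of the iptables deletion rule that makes this class of bug possible. `iptables -D CHAIN <rule-spec>` removes the first rule in the chain whose matches and target equal the spec, so two rules that differ only in their MARK value can only be told apart by a spec that names the mark. The following is an added example, not connman's code and not a diagnosis of connman's behaviour; the two chain listings are constructed from the output quoted in the post, and `delete_by_spec()` is a simplified model of `iptables -D`, not a call into iptables.

```python
"""Which connman session MARK rule disappeared, and why a delete by rule
spec can hit the wrong one.

Added illustration, not connman code.  BEFORE/AFTER are constructed from
the `iptables -t mangle -L connman-OUTPUT` output quoted in the post;
delete_by_spec() models the first-match semantics of `iptables -D`.
"""
import re
from typing import Dict, List, Optional, Set

# One line of `iptables -t mangle -L connman-OUTPUT` (no -n), e.g.
#   MARK all -- anywhere anywhere owner UID match vagrant MARK set 0x100
MARK_RULE = re.compile(
    r"^MARK\s+\S+\s+--\s+\S+\s+\S+\s+owner UID match (?P<uid>\S+)"
    r"\s+MARK set (?P<mark>0x[0-9a-fA-F]+)$"
)

# Constructed from the post: the chain before and after destroying session1.
BEFORE = """\
Chain connman-OUTPUT (1 references)
target prot opt source destination
MARK all -- anywhere anywhere owner UID match vagrant MARK set 0x100
MARK all -- anywhere anywhere owner UID match vagrant MARK set 0x101
"""
AFTER = """\
Chain connman-OUTPUT (1 references)
target prot opt source destination
MARK all -- anywhere anywhere owner UID match vagrant MARK set 0x101
"""


def parse_mark_rules(listing: str) -> List[dict]:
    """MARK rules of a chain listing, in chain order (order matters for -D)."""
    rules = []
    for line in listing.splitlines():
        m = MARK_RULE.match(line.strip())
        if m:
            rules.append({"uid": m.group("uid"), "mark": int(m.group("mark"), 16)})
    return rules


def removed_marks(before: str, after: str) -> Set[int]:
    """fwmarks present in `before` but gone from `after`."""
    return ({r["mark"] for r in parse_mark_rules(before)}
            - {r["mark"] for r in parse_mark_rules(after)})


def delete_by_spec(chain: List[dict], spec: dict) -> Optional[int]:
    """Model of `iptables -D CHAIN <rule-spec>`: iptables removes the FIRST
    rule whose fields all equal the spec.  A field left out of the spec is
    a wildcard here, just as an omitted match is in a real rule spec.
    Returns the removed rule's mark, or None if nothing matched."""
    for i, rule in enumerate(chain):
        if all(rule.get(k) == v for k, v in spec.items()):
            return chain.pop(i)["mark"]
    return None


def demo() -> Dict[str, object]:
    """Compare the two listings, then show how a spec that does not name
    the session's mark removes the first rule for that UID instead.
    (Hypothetical: the post does not say this is what connman does.)"""
    result: Dict[str, object] = {"removed": removed_marks(BEFORE, AFTER)}
    chain = parse_mark_rules(BEFORE)
    result["owner_only_spec"] = delete_by_spec(list(chain), {"uid": "vagrant"})
    result["owner_and_mark_spec"] = delete_by_spec(
        list(chain), {"uid": "vagrant", "mark": 0x101})
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        if isinstance(value, set):
            value = sorted(hex(v) for v in value)
        elif isinstance(value, int):
            value = hex(value)
        print(key, value)
```

Run against the two snapshots, `removed_marks()` reports that 0x100 is the mark that vanished. The two `delete_by_spec()` calls show the contrast a fix has to preserve: a spec carrying only the owner match takes the first rule for that UID, a spec that also carries the session's mark takes exactly that session's rule. When verifying a fix on a real box, `iptables -t mangle -S connman-OUTPUT` prints the rules in the same spec syntax that `-D` accepts, which makes it easier to see whether a deletion spec is specific enough.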
Extend DHCP request to query timezone
by Bertrand Jacquin
Hi all,
I've been looking into how to extend the DHCP request to query additional
fields like option 101 (Timezone) via the config file, but it looks to
be somewhat hardcoded in the source code. Is there any opportunity to
extend this? I'm traveling quite a bit in regions with different
timezones and, as a lazy man, I would like to avoid manually changing my
timezone.
Thanks!
--
Bertrand
ConnMan 1.31
by Patrik Flykt
ConnMan 1.31 was released Monday, December 28, 2015.
Thanks to Myléne Josserand, ConnMan 1.31 now properly exposes multiple
cellular contexts provided by oFono whenever supported by the cellular
subscription. In addition, ConnMan now writes its resolv.conf file to
[/var]/run/connmand with the provided tmpfiles.d and init script
creating the run-time directory and a symlink from /etc/resolv.conf. If
the run time directory does not exist, ConnMan falls back to
modifying /etc/resolv.conf as before.
With this release ConnMan also improves on systemd support. ConnMan now
provides connmand-wait-online which works exactly as its counterpart
systemd-networkd-wait-online. By default connmand-wait-online waits
until a service enters 'ready' state before reaching
network-online.target. In addition, capabilities not needed are removed
and, with the resolv.conf handling improvements, filesystems are mounted
read-only with access to /home and /run/user denied in the ConnMan
systemd .service file.
After difficulties with the mailing list, the list has been re-enabled
and is now up and running at its new address connman(a)lists.01.org.
The by now very ancient Bluez 4.x support will be removed with the next
ConnMan release. Bluez 4.x was superseded by 5.x a long time ago, with a
generous upgrade time window for ConnMan users. With no new Bluez 4.x
releases for years, we do not want to have dependencies on no longer
supported versions.
Other improvements and bug fixes include:
* Correctly enumerate Distributed Switch Architecture (DSA) interfaces
(Laurent Vaudoit)
* Fix documentation and implementation of ClearProperty D-Bus method
call (Naveen Singh, Patrik Flykt)
* Update and create missing man pages (Jaakko Hannikainen)
* Try to re-use the same IP subnet as previously used for tethering
(Patrik Flykt)
* Implement IPv6 timeserver support (Naveen Singh)
* Improved DNS search domain handling (Pasi Sjöholm)
* Fixes for DNS proxy (Frank Stevers), gsupplicant (Maneesh Jain), VPN
parameters (Jaakko Hannikainen), accidental disabling of IPv6 on all
interfaces (Abtin Keshavarzian), typedefs for strict compilers (Grant
Erickson), potential crash with Bluetooth (Harish Jenny K N), memory
leaks (Saurav Babu, Slava Monich), gdhcp and agent issues (Michael
Olbrich)
Thanks for all the hard work and bugfixes go to Abtin Keshavarzian,
Frank Stevers, Grant Erickson, Harish Jenny K N, Jaakko Hannikainen,
Jakub Pawlowski, Johan Hedberg, Laurent Vaudoit, Maneesh Jain, Marcel
Holtmann, Marcus Folkesson, Michael Olbrich, Myléne Josserand, Naveen
Singh, Pasi Sjöholm, Patrik Flykt, Philip Withnall, Saurav Babu, Slava
Monich, Collabora, Intel, Jolla, Nest and Samsung.
ConnMan 1.31 can be downloaded from:
http://www.kernel.org/pub/linux/network/connman/
ConnMan is available via git at:
git://git.kernel.org/pub/scm/network/connman/connman.git
Web interface to the git repository:
http://git.kernel.org/?p=network/connman/connman.git;a=summary
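The announcement says the .service file now drops capabilities the daemon does not need. The unit's `CapabilityBoundingSet=` line states the intent; whether the drop took effect is visible in the `CapBnd` mask of the running process in `/proc/<pid>/status`. The decoder below is an added example for checking that, not part of the announcement or of connman: the capability numbering is the one from `<linux/capability.h>`, the sample status text is constructed, and the allow-list passed to `unexpected_caps()` is whatever the reviewer decides the service should keep (the page does not state which capabilities connmand needs, and this code does not assert it).

```python
"""Decode the capability masks in /proc/<pid>/status to verify that a
hardened service really runs with a reduced bounding set.

Added illustration, not connman code.  SAMPLE_STATUS is constructed; the
allow-list handed to unexpected_caps() is the reviewer's assumption about
what the service should keep, not a statement about connmand.
"""
import re
from typing import Dict, List, Set

# Bit n of a capability mask is capability number n (<linux/capability.h>).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# The five capability lines of /proc/<pid>/status, e.g. "CapBnd:\t0000000000003000"
CAP_LINE = re.compile(r"^Cap(Inh|Prm|Eff|Bnd|Amb):\s+([0-9a-fA-F]+)$")

# Constructed sample: a daemon whose bounding set was cut down to two caps.
SAMPLE_STATUS = """\
Name:\texample-daemon
Pid:\t4242
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000000000003000
CapEff:\t0000000000003000
CapBnd:\t0000000000003000
CapAmb:\t0000000000000000
"""


def parse_cap_masks(status_text: str) -> Dict[str, int]:
    """Return {'Inh': ..., 'Prm': ..., 'Eff': ..., 'Bnd': ..., 'Amb': ...} as ints."""
    masks: Dict[str, int] = {}
    for line in status_text.splitlines():
        m = CAP_LINE.match(line.strip())
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks


def decode_caps(mask: int) -> List[str]:
    """Names of the capabilities whose bit is set, lowest number first.
    Bits beyond the known table (newer kernels) are reported as CAP_<n>."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
        bit += 1
    return names


def unexpected_caps(masks: Dict[str, int], allowed: Set[str]) -> List[str]:
    """Capabilities still in the bounding set that the reviewer did not
    expect the service to keep.  An empty list means the unit's capability
    drop took effect for this process; a missing CapBnd line counts as empty."""
    return [c for c in decode_caps(masks.get("Bnd", 0)) if c not in allowed]


def check_pid(pid: int, allowed: Set[str]) -> List[str]:
    """Same check against a live process (Linux only; needs read access to
    /proc/<pid>/status, which is world-readable by default)."""
    with open("/proc/%d/status" % pid) as fh:
        return unexpected_caps(parse_cap_masks(fh.read()), allowed)


if __name__ == "__main__":
    masks = parse_cap_masks(SAMPLE_STATUS)
    print("bounding set:", decode_caps(masks["Bnd"]))
    print("beyond allow-list:", unexpected_caps(masks, {"CAP_NET_ADMIN"}))
```

Checking `CapBnd` rather than `CapEff` is deliberate: the bounding set is the ceiling a process and everything it execs can ever regain, so it is the mask that a `CapabilityBoundingSet=` drop is supposed to shrink. `systemctl show -p CapabilityBoundingSet <unit>` prints what the unit declares; `check_pid()` against the daemon's PID shows what the kernel actually enforces for that process.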
[PATCH] configure: check for execinfo.h
by Yann E. MORIN
Not all toolchains have execinfo.h. For example, support for it is
optional in uClibc, while it is entirely missing from musl.
Add a check in configure to look for it.
Since execinfo.h is /only/ used to dump a backtrace in case of failure,
just do nothing when execinfo.h is missing.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998(a)free.fr>
---
configure.ac | 2 ++
src/log.c | 4 ++++
2 files changed, 6 insertions(+)
diff --git a/configure.ac b/configure.ac
index b51d6b3..28e657b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -182,6 +182,8 @@ AC_CHECK_LIB(resolv, ns_initparse, dummy=yes, [
AC_MSG_ERROR(resolver library support is required))
])
+AC_CHECK_HEADERS([execinfo.h])
+
AC_CHECK_FUNC(signalfd, dummy=yes,
AC_MSG_ERROR(signalfd support is required))
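Review bot: AC_CHECK_HEADERS([execinfo.h]) only establishes that the header exists; the functions print_backtrace relies on (the `frames[99]`/`n_ptrs` pattern in src/log.c is the backtrace()/backtrace_symbols() idiom) are not checked, and header presence and function availability can diverge on the toolchains the commit message targets. Consider pairing the check with AC_CHECK_FUNCS([backtrace]) and keying the src/log.c guard on HAVE_BACKTRACE, so that the guard tracks what is actually called rather than what is merely declared. The surrounding checks in this file use AC_CHECK_FUNC/AC_CHECK_LIB with an explicit AC_MSG_ERROR for hard requirements; since this one is intentionally optional, a one-line comment above it saying so would make the difference deliberate to the next reader.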
diff --git a/src/log.c b/src/log.c
index a693bd0..76e10e7 100644
--- a/src/log.c
+++ b/src/log.c
@@ -30,7 +30,9 @@
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
+#if defined(HAVE_EXECINFO_H)
#include <execinfo.h>
+#endif
#include <dlfcn.h>
#include "connman.h"
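Review bot: HAVE_EXECINFO_H only takes effect if config.h is included before this point in src/log.c, and the hunk starts at line 30 so the top of the include list is not visible. Please confirm the file includes config.h (under the usual HAVE_CONFIG_H guard) ahead of these system headers; if it does not, the `#if defined(HAVE_EXECINFO_H)` is always false and backtraces are silently compiled out on every toolchain, including glibc ones where the header is present.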
@@ -112,6 +114,7 @@ void connman_debug(const char *format, ...)
static void print_backtrace(unsigned int offset)
{
+#if defined(HAVE_EXECINFO_H)
void *frames[99];
size_t n_ptrs;
unsigned int i;
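Review bot: with the entire body of print_backtrace() inside `#if defined(HAVE_EXECINFO_H)`, the `offset` parameter is unused when the header is missing, which will trigger -Wunused-parameter and fail any -Werror build on exactly the toolchains this patch is meant to support. Either add an `#else` branch with `(void)offset;`, or move the guard outside the function and provide an empty `static void print_backtrace(unsigned int offset)` stub in the `#else`; the latter also keeps the `#if`/`#endif` pair together instead of split across the function body into a second hunk a hundred lines later.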
@@ -210,6 +213,7 @@ static void print_backtrace(unsigned int offset)
close(outfd[1]);
close(infd[0]);
+#endif /* HAVE_EXECINFO_H */
}
static void signal_handler(int signo)
--
1.9.1