Your email got marked as spam. Too much HTML I guess.
On 05/30/2017 12:34 PM, Jeff Gray wrote:
Yes, it is one from the vaults... I wish I was in a position to
The iptables code in ConnMan is known to be not 100% correct on how
it creates the iptables. It seems to be okay for modern kernels but
that is just luck. One way around this problem could be to replace
the ConnMan code which creates the iptables with calling iptables
Obviously there would be some forks involved but that would be the
simplest solution in your situation I suppose. I wouldn't recommend
spending time figuring out what ConnMan is doing and what the kernel
expects. I spent far too many hours myself on this topic. That's why
I usually recommend using the nftables implementation, but that is
probably not going to fly with 2.6.
Thanks for the helpful suggestion. Has anyone else ever tried to do this?
Would you be able to point me in the right direction in terms of which
functional layer to insert the iptables shell commands at?
I can see that at __connman_iptables_insert() for example, I have a
fairly complete iptables parameter list already.
Should I just ifdef out the existing iptables API calls? The code is
fairly daunting to understand completely, so any help appreciated.
If you don't want to ifdef around, I suggest implementing this API:

struct firewall_context *__connman_firewall_create(void);
void __connman_firewall_destroy(struct firewall_context *ctx);
int __connman_firewall_enable_nat(struct firewall_context *ctx,
                                  char *address, unsigned char prefixlen,
int __connman_firewall_disable_nat(struct firewall_context *ctx);
int __connman_firewall_enable_snat(struct firewall_context *ctx,
                                   int index, const char *ifname,
                                   const char *addr);
int __connman_firewall_disable_snat(struct firewall_context *ctx);
int __connman_firewall_enable_marking(struct firewall_context *ctx,
                                      enum connman_session_id_type id_type,
                                      char *id, uint32_t mark);
int __connman_firewall_disable_marking(struct firewall_context *ctx);
The iptables and nftables code do this. Just add a new file and hook it
up in the build process (Makefile.am). I think such a patch can be
easily maintained out of tree. Or if it is nicely done, I don't see a
real problem to accept it upstream.
The function names indicate what the implementation is supposed to do.
If you are just interested in getting tethering working, you need to
implement the NAT function, e.g. from firewall-iptables:
    cmd = g_strdup_printf("-s %s/%d -o %s -j MASQUERADE",
                          address, prefixlen, interface);
    firewall_add_rule(ctx, "nat", "POSTROUTING", cmd);
That roughly translates to
    iptables -t nat -A POSTROUTING -s $addr/$mask \
        -o $interface -j MASQUERADE
firewall-iptables.c does create additional custom chains called
'connman', but I don't think you really need them.
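Worked example, added here and not code from ConnMan or from either poster: a minimal backend in the shape of the firewall_context API quoted above that does what the earlier reply suggested, i.e. forks the iptables binary instead of building iptables blobs for the kernel. It implements only the create/destroy and enable/disable NAT pair needed for tethering; the SNAT and marking entry points from the same header are left out, and the file name firewall-exec.c is made up. The third parameter of __connman_firewall_enable_nat is cut off in the quoted listing and is assumed to be the interface name, matching the MASQUERADE snippet. The rule is handed to execvp as an argv array, never to a shell, and the address and interface are whitelisted first, so a hostile value cannot become a second command.

```c
/* firewall-exec.c (hypothetical): ConnMan firewall backend that drives the
 * iptables binary. Added example, not ConnMan code. Assumes iptables is in
 * PATH and that only the NAT pair is needed (tethering). */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define NAT_ARGC 11

struct firewall_context {
	int nat_enabled;
	char nat_address[64];
	unsigned char nat_prefixlen;
	char nat_interface[16];                       /* IFNAMSIZ */
};

/* Accept only what an address or interface name legitimately contains. */
static int safe_token(const char *s, size_t max)
{
	size_t n = s ? strlen(s) : 0;
	if (n == 0 || n >= max) return 0;
	for (; *s; s++)
		if (!isalnum((unsigned char)*s) && !strchr(".:-_", *s)) return 0;
	return 1;
}
/* Fill argv with "iptables -t nat <-A|-D> POSTROUTING -s addr/len -o iface
 * -j MASQUERADE", the rule firewall-iptables.c adds. argv goes straight to
 * execvp. Returns NAT_ARGC, or -1 on input the rule cannot express. */
static int build_nat_argv(char **argv, char *src, size_t srclen, const char *action,
			  const char *address, unsigned char prefixlen, const char *interface)
{
	int n = snprintf(src, srclen, "%s/%u", address ? address : "", (unsigned)prefixlen);
	if (prefixlen > 32 || n < 0 || (size_t)n >= srclen ||
	    !safe_token(address, 64) || !safe_token(interface, 16))
		return -1;
	argv[0] = "iptables"; argv[1] = "-t"; argv[2] = "nat";
	argv[3] = (char *)action; argv[4] = "POSTROUTING";
	argv[5] = "-s"; argv[6] = src; argv[7] = "-o"; argv[8] = (char *)interface;
	argv[9] = "-j"; argv[10] = "MASQUERADE"; argv[11] = NULL;
	return NAT_ARGC;
}
/* Space-joined form of the rule for logging or a dry run; NULL if rejected. */
static const char *nat_rule_string(const char *action, const char *address,
				   unsigned char prefixlen, const char *interface)
{
	static char line[160], src[64];
	char *a[NAT_ARGC + 1];
	if (build_nat_argv(a, src, sizeof(src), action, address, prefixlen, interface) < 0)
		return NULL;
	snprintf(line, sizeof(line), "%s %s %s %s %s %s %s %s %s %s %s",
		 a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7], a[8], a[9], a[10]);
	return line;
}

/* fork/exec iptables; 0 on success, negative errno otherwise. */
static int run_iptables(char *const argv[])
{
	int status;
	pid_t pid = fork();
	if (pid < 0) return -errno;
	if (pid == 0) { execvp(argv[0], argv); _exit(127); }   /* child: exec failed */
	if (waitpid(pid, &status, 0) < 0) return -errno;
	return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -EIO;
}

struct firewall_context *__connman_firewall_create(void)
{
	return calloc(1, sizeof(struct firewall_context));
}
int __connman_firewall_enable_nat(struct firewall_context *ctx, char *address,
				  unsigned char prefixlen, const char *interface)
{
	char *argv[NAT_ARGC + 1], src[64];
	int err;
	if (!ctx || ctx->nat_enabled) return -EINVAL;
	if (build_nat_argv(argv, src, sizeof(src), "-A", address, prefixlen, interface) < 0)
		return -EINVAL;
	if ((err = run_iptables(argv)) != 0) return err;
	/* Remember the exact parameters so disable can issue the matching -D. */
	snprintf(ctx->nat_address, sizeof(ctx->nat_address), "%s", address);
	snprintf(ctx->nat_interface, sizeof(ctx->nat_interface), "%s", interface);
	ctx->nat_prefixlen = prefixlen;
	ctx->nat_enabled = 1;
	return 0;
}
int __connman_firewall_disable_nat(struct firewall_context *ctx)
{
	char *argv[NAT_ARGC + 1], src[64];
	int err;
	if (!ctx || !ctx->nat_enabled) return -EINVAL;
	if (build_nat_argv(argv, src, sizeof(src), "-D", ctx->nat_address,
			   ctx->nat_prefixlen, ctx->nat_interface) < 0)
		return -EINVAL;
	if ((err = run_iptables(argv)) == 0) ctx->nat_enabled = 0;
	return err;
}
void __connman_firewall_destroy(struct firewall_context *ctx)
{
	if (ctx && ctx->nat_enabled) __connman_firewall_disable_nat(ctx);  /* best effort */
	free(ctx);
}
```

nat_rule_string("-A", "192.168.0.1", 24, "tether") yields exactly the shell line in the reply above; the enable/disable pair must run as root for the fork to do anything, and disable replays the stored parameters with -D so the rule removed is the one that was added. To use it in ConnMan the remaining SNAT and marking functions from the header still have to be provided, and the file hooked into Makefile.am as the reply describes.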