[PATCHv2] iptables: Set protocol family in xtables setup.

Jussi Laakkonen jussi.laakkonen at jolla.com
Thu Jan 17 07:26:03 PST 2019


Hello all,

As it turned out, this problem existed because iptables does not fully 
support changing between IP families when used within one session. We 
use iptables 1.6.1 and needed to create a patch for our iptables: 
https://git.merproject.org/mer-core/iptables/commit/2b90df004ab0e4e37cf60a2ab8b331a78d0e1f61#584c4bcf465ca193a1884af9ddb8b0880e242277 
that explains the issue in full.

This required no changes to connman, although an issue with ip6tables 
protocol detection was noticed (and a patch provided).

There is no fix for this issue in upstream iptables. It apparently 
concerns use of iptables with shared libraries, as it is in our case. 
That patch above could be submitted to iptables as well but in our use 
case, testing with iptables 1.8.x is not feasible just yet.

So, in summarum: if there are problems with iptables use in connman, check 
if the above patch to iptables solves the issue.

Sincerely,
  Jussi Laakkonen



On 12/17/18 5:56 PM, Jussi Laakkonen wrote:
> I noticed that this is actually wrong. Please feel free to ignore this.
> 
> The problem lies elsewhere. This would change the family for existing 
> matches as well which is not desired.
> 
>   - Jussi
> 
> On 12/12/18 6:47 PM, Jussi Laakkonen wrote:
>> When xtables loads a library for a match (-m) the protocol family is
>> used to get a correct version loaded. If a change has been made using a
>> match modifier in iptables rule with, e.g., IPv4 protocol family the
>> global xtables_matches array holding xtables_match structures is not
>> reset or changed (at least in iptables 1.6.1) to IPv6 when
>> xtables_init_all() (or any of the initialization functions) is called.
>>
>> This commit fixes the issue of not being able to set some IPv6 rules
>> after IPv4 rules with matches have been set (or the other way around).
>> The family for the global variable xtables_matches has to be explicitly
>> updated when changing between IP protocol families.
>>
>> Otherwise adding the following rules would result in a failure, where
>> iptables calls exit() on ConnMan on the IPv6 rule:
>>
>> __connman_firewall_add_rule(ctx, "filter", "INPUT", "-m conntrack
>> --ctstate ESTABLISHED,RELATED -j ACCEPT");
>> __connman_firewall_add_ipv6_rule(ctx, "filter", "INPUT", "-m conntrack
>> --ctstate ESTABLISHED,RELATED -j ACCEPT");
>>
>> Depending on the match type, iptables may result in an error. The exit()
>> is called if the required library for the match cannot be loaded. This
>> change allows such situations to be avoided.
>> ---
>>   src/iptables.c | 8 ++++++++
>>   1 file changed, 8 insertions(+)
>>
>> diff --git a/src/iptables.c b/src/iptables.c
>> index 305a553f..a188f99a 100644
>> --- a/src/iptables.c
>> +++ b/src/iptables.c
>> @@ -3330,6 +3330,7 @@ static int current_type = -1;
>>   static int setup_xtables(int type)
>>   {
>>       int err;
>> +    struct xtables_match *xt_m;
>>       DBG("%d", type);
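Review bot: the new `xt_m` declaration at the top of `setup_xtables()` is only used by the loop added inside the `if (!err)` block in the next hunk; declaring it at the point of use (`for (struct xtables_match *xt_m = xtables_matches; xt_m; xt_m = xt_m->next)`) would keep its scope to that loop and make the relationship between the two hunks obvious. Since `xtables_matches` is libxtables's global list (as the commit message notes), anything done with it here affects every later match lookup in the process, which is worth a comment next to the declaration.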
>> @@ -3351,6 +3352,13 @@ static int setup_xtables(int type)
>>       }
>>
>>       if (!err) {
>> +        /*
>> +         * Set the match type, otherwise loading of matches in xtables
>> +         * will fail when IP protocol family has changed.
>> +         */
>> +        for (xt_m = xtables_matches; xt_m; xt_m = xt_m->next)
>> +            xt_m->family = type;
>> +
>>           current_type = type;
>>       } else {
>>           connman_error("error initializing xtables");
>>
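Review bot: the loop overwrites `family` on every entry of the global `xtables_matches` list, including matches that were loaded for the previous protocol family and may still be referenced by rules already installed in that family; the 12/17 follow-up in this thread withdraws the patch for exactly this reason. If a connman-side workaround is still wanted, limit the update to the entries that will be (re)loaded for `type` or let libxtables rebuild the list during initialization, rather than blanket-overwriting it. Two smaller points: the comment says "Set the match type" but the code sets the match family, so the wording should say so, and it should state that this works around a libxtables limitation (the 1.6.1 behaviour described in the commit message) rather than a connman bug, so a future reader knows when the block can be dropped.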
> _______________________________________________
> connman mailing list
> connman at lists.01.org
> https://lists.01.org/mailman/listinfo/connman