History log of /system/firewalld/iptables.cc
Revision Date Author Comments
835d2c2d6f151059c4d70adbfdac9aca7b3f98c5 02-Feb-2016 Jorge Lucangeli Obes <jorgelo@google.com> Refactor IpTables class to remove duplication.

This CL tries to remove as much duplicated code from the IpTables class
as possible. The basic construct of running the same command with
different executables/options is extracted into a helper function.

Moreover, the unit tests are simplified by mocking one function call
higher and removing a lot of set-up duplication.

Bug: 26911013
Change-Id: Iecdacab2ef6ffa5631c877835bdfb0bf7191536c
/system/firewalld/iptables.cc
2b2e047243cc1db7c5f0c744822db0fdbb7a95e0 01-Feb-2016 Jorge Lucangeli Obes <jorgelo@google.com> Run unit tests on Brillo.

Looks like IPv6 is working correctly, so re-enable that too.

Bug: 26911013

Change-Id: Iad0390e3a41a429460794b7c243ebca59cf64146
/system/firewalld/iptables.cc
6c733cf77b78062afd7d70eb68f8832d77362086 23-Jan-2016 Kevin Cernekee <cernekee@google.com> Add rules to route IPv6 third party VPN traffic

Currently only IPv4 traffic is handled by third party VPNs. Extend
the UID_MATCH and route setup to IPv6.

Bug: chromium:522003
TEST=`FEATURES=test emerge-link firewalld`
TEST=manual

Change-Id: I9352506e98e1fdcace093d443e2fa2b95887d720
/system/firewalld/iptables.cc
654b62ceb7abdf51c725e3f2ea129240a05ac14c 20-Jan-2016 Alex Vakulenko <avakulenko@google.com> firewalld: Update libchrome APIs to r369476

The new libchrome has been ported from Chromium and some APIs have
changed. Make necessary changes at call sites.

Change-Id: Ib36ec8f828bfafcdaa57399cc1be12b00161b7ed
/system/firewalld/iptables.cc
e478a11fbfb297ce3bb3da1dc6ec16a0da6c997f 13-Oct-2015 Alex Vakulenko <avakulenko@google.com> firewalld: Rename "chromeos" -> "brillo" in include paths and namespaces

libchromeos is transitioning to libbrillo and chromeos namespaces
and include directory is changing to brillo.

Bug: 24872993
Change-Id: Icc70ef99c10acc983a9c261faaa983e26536ad04
/system/firewalld/iptables.cc
5e75ff179c9d5f3a209810ccfa30cefdf4524bc8 25-Sep-2015 Peter Qiu <zqiu@google.com> Allow interface name to contain periods

Interface names that start or end with a period are still not allowed.

Bug: 24382217
TEST=Manual test using apmanager
TEST=Unittests on Chrome OS

Change-Id: Iac5a7febd8b365759c4a21ccb8dc60c1ded60bbb
/system/firewalld/iptables.cc
df78e333d29a83d97aefe07f84bd5c02f667d11b 20-Aug-2015 Daniel Erat <derat@google.com> Use __ANDROID__ instead of __BRILLO__.

__ANDROID__ is defined automatically by the toolchain.

Bug: 23358460
Change-Id: I7487625802deb48ff31da8410125fa910a88ca74
/system/firewalld/iptables.cc
7db56bd4c91a516637995b9bf75241cb0c323bf9 06-Aug-2015 Gilad Arnold <garnold@google.com> Build firewalld in Android.

* Drop firewalld/ prefix from #include paths.

* Rename the DBus interface definition to have a .dbus.xml suffix;
needed for it to be picked up by the build infrastructure.

* Add __BRILLO__ preprocessor symbol for conditionally:

1) Removing support for Permission Broker (currently not available and
no concrete porting plan yet).

2) Disable dropping privileges in minijail invocations (yet to be
figured out).

3) Adapting DBus bindings header paths (slightly different).

4) Adapting helper utility paths (iptables, iproute2).

5) Making punching of IPv6 firewall rules optional and autodetected.

* Re-license everything to AOSP and add NOTICE and
MODULE_LICENSE_APACHE2.

* Added Android.mk for building all the targets we need, including
init.firewalld.rc with proper SELinux attributes (when supported).

Bug: 22827985
Change-Id: I05f74f80f95f689b4bbf60a2708e76ef5495b96e
/system/firewalld/iptables.cc
398b5cf3626b312ed68d6fffc484daa6c6647415 14-Jul-2015 Alex Vakulenko <avakulenko@chromium.org> firewalld: Add -w option to invocation of `iptables` command

When multiple processes use `iptables` to modify the firewall, the
command grabs an exclusive lock for the table being modified. If the
lock cannot be obtained (another instance of iptables is running),
the current instance fails with an error.

By adding -w we make it wait for the other lock to be released before
proceeding.

BUG=brillo:1240
TEST=`FEATURES=test emerge-gizmo firewalld`
test_that -b gizmo <ip> security_Firewall

Change-Id: If147f6869d2df0e8f355323a265718f1cb8d617f
Reviewed-on: https://chromium-review.googlesource.com/285512
Reviewed-by: Vitaly Buka <vitalybuka@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Alex Vakulenko <avakulenko@chromium.org>
Commit-Queue: Alex Vakulenko <avakulenko@chromium.org>
/system/firewalld/iptables.cc
daf7ab162bfec3c79ec36e976bc9082179f022a0 15-Jun-2015 Alex Vakulenko <avakulenko@chromium.org> platform2: Fix issues with new version of libchrome

libchrome r334380 has the following breaking changes that need to be fixed:
- base::JSONWriter::Write() and base::JSONWriter::WriteWithOptions() take
"const base::Value&" instead of "const base::Value*"
- base::JSONReader::Read() and base::JSONReader::ReadAndReturnError()
return a scoped_ptr<base::Value> instead of base::Value*
- base/safe_strerror_posix.h is moved to base/posix/safe_strerror.h
- safe_strerror() is now in "base" namespace
- StartsWithASCII(), EndsWith(), StringToUpperASCII(), LowerCaseEqualsASCII()
are now in "base" namespace
- ObserverList<T> is now in "base" namespace
- base::PrintTo(base::FilePath) used in gtest is now moved to libchrome-test
library and as such, unit test runners need to link to this library now.
- crypto::RSAPrivateKey::CreateSensitive() is now removed from //crypto, so
some of tests in chromeos-login that used that function had to be changed
to use crypto::GenerateRSAKeyPairNSS() directly.
- UnixDomainSocket class is now in "base" namespace
- Pickle class is now in "base" namespace

BUG=chromium:496469
TEST=`./build_packages`
CQ-DEPEND=CL:277662

Change-Id: I36e5fbf2e36a92068873ffbd44020c862a3ed9e3
Reviewed-on: https://chromium-review.googlesource.com/277671
Reviewed-by: Alex Vakulenko <avakulenko@chromium.org>
Commit-Queue: Alex Vakulenko <avakulenko@chromium.org>
Trybot-Ready: Alex Vakulenko <avakulenko@chromium.org>
Tested-by: Alex Vakulenko <avakulenko@chromium.org>
/system/firewalld/iptables.cc
b8e5875f414afa642031e14a4b271927aaa8b250 09-May-2015 Jorge Lucangeli Obes <jorgelo@chromium.org> firewalld: Run 'iptables' as a regular user.

BUG=chromium:487019
TEST=Unit tests, platform_Firewall
CQ-DEPEND=CL:270621

Change-Id: Ic49e7d7912d96f9cec29cf2a3f34f50e71c02391
Reviewed-on: https://chromium-review.googlesource.com/270170
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Bartosz Fabianowski <bartfab@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/system/firewalld/iptables.cc
73cb183d526a3b6b9fc7aadaffde2da13a6cd371 09-May-2015 Jorge Lucangeli Obes <jorgelo@chromium.org> firewalld: Mock IpTables::{Add|Delete}AcceptRule methods.

This CL paves the way to launch 'ip(6)tables' using Minijail. We cannot
use the current approach of providing test-only binaries because Minijail
will not work when running as non-root (such as in unit tests). Therefore,
we need to mock {Add|Delete}Accept.

Also add an Exec() method to wrap the Minijail invocation in the future,
and clean up some of the unit tests.

BUG=chromium:487019
TEST=Existing unit tests.

Change-Id: I6ddf41bf5c2e8e7fa8f6369d08a3fb37ad2edeb6
Reviewed-on: https://chromium-review.googlesource.com/270341
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Bartosz Fabianowski <bartfab@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/system/firewalld/iptables.cc
1bddb2cfdda68f99d27495a9f6b9f720db2a7144 02-Mar-2015 Aaron Kemp <kemp@google.com> firewalld: allow interface names containing '-'

Previously, interface names could only contain alphanumerics.

BUG=none
TEST=ran iptables unit tests

Change-Id: I19951389f7fef54f74568592f6988fd5da1b164b
Reviewed-on: https://chromium-review.googlesource.com/255152
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Aaron Kemp <kemp@google.com>
Commit-Queue: Aaron Kemp <kemp@google.com>
/system/firewalld/iptables.cc
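The two interface-name commits in this log (alphanumerics only, then '-' allowed, then '.' allowed but not as the first or last character) add up to one allowlist check that runs before the name is spliced into an iptables argv. The function below is an added example written for this page, not firewalld's own code; the 15-character length bound is an assumption taken from Linux IFNAMSIZ (16 bytes including the NUL terminator), which the commits do not mention.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

namespace {
// Linux IFNAMSIZ is 16 including the NUL terminator. The bound is an
// assumption added in this example; the commits only define the character set.
constexpr std::size_t kMaxInterfaceNameLength = 15;
}  // namespace

// Accepts the interface-name grammar the log describes: alphanumerics plus
// '-' and '.', with a period allowed only in the interior of the name.
// Anything else (whitespace, '!', ';', '/', non-ASCII) is rejected, so the
// name reaches iptables as a single unambiguous argument.
bool IsValidInterfaceName(const std::string& iface) {
  if (iface.empty() || iface.size() > kMaxInterfaceNameLength)
    return false;
  if (iface.front() == '.' || iface.back() == '.')
    return false;
  for (unsigned char c : iface) {
    if (std::isalnum(c) || c == '-' || c == '.')
      continue;
    return false;
  }
  return true;
}
```

A check like this belongs at the D-Bus boundary, before any rule is built: iptables is exec'd with an argv rather than through a shell, so the risk is not command injection but an attacker-chosen string being accepted as an interface match (or rejected by the kernel only after the daemon has recorded the hole as open).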
40653d0e058ff0f7908b28874224bbb085e99905 12-Feb-2015 Prabhu Kaliamoorthi <kaliamoorthi@chromium.org> firewalld: Add routines to firewalld to mark traffic and masquerade

This CL adds routines to firewalld that enable network traffic to
be marked based on user id and masquerading rules for network
interfaces.

BUG=chromium:458075
TEST=Manual testing

Change-Id: I81e08f1c20bf99887ac87c9970fcc2a58dcd2355
Reviewed-on: https://chromium-review.googlesource.com/249111
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Prabhu Kaliamoorthi <kaliamoorthi@chromium.org>
Commit-Queue: Prabhu Kaliamoorthi <kaliamoorthi@chromium.org>
/system/firewalld/iptables.cc
bef267fbda7fd62cc3b7d50b8980a0d073d5e089 14-Feb-2015 Jorge Lucangeli Obes <jorgelo@chromium.org> firewalld: Add IPv6 firewall rules.

BUG=brillo:252
TEST=Unit tests.

Change-Id: I784472ce5f0c7d0649b38e48bd23b3acba9ffbbc
Reviewed-on: https://chromium-review.googlesource.com/249982
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Alex Vakulenko <avakulenko@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/system/firewalld/iptables.cc
eee27d2ce09514ff5d758f2e2b43b1b1f8832775 12-Feb-2015 Jorge Lucangeli Obes <jorgelo@chromium.org> firewalld, permission_broker: add initial support for interfaces.

This is the first patch in a two-patch series. It adds support for specifying
interfaces to firewalld. The next patch will make permission_broker use this
support.

BUG=brillo:185
TEST=unit tests
TEST=platform_Firewall

Change-Id: Ic3247a20a55427e85a4fb1ff4beadb813f8e9b7c
Reviewed-on: https://chromium-review.googlesource.com/249360
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Zeping Qiu <zqiu@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/system/firewalld/iptables.cc
79fa6890ae9a88f4c0de422daf6839e5e1ed0cbe 06-Feb-2015 Jorge Lucangeli Obes <jorgelo@chromium.org> firewalld: Use 'iptables -I'.

Some other rule on the system might drop the packets before the accept rule
gets to them, so insert the rule at the beginning of the chain.

BUG=chromium:435400
TEST=Unit tests pass, Autotest passes.

Change-Id: I16e61cbe4e3e53db1ab2b436dbbace7ebe26b1c7
Reviewed-on: https://chromium-review.googlesource.com/247141
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Zeping Qiu <zqiu@chromium.org>
/system/firewalld/iptables.cc
5affd8895f6879153fce488c3f92271349eeadc9 30-Jan-2015 Jorge Lucangeli Obes <jorgelo@chromium.org> firewalld: make D-Bus methods simple.

BUG=chromium:435400
TEST=unit tests

Change-Id: I4afa4264332ed3ef2eb0e4fafbbb7917e5c995ba
Reviewed-on: https://chromium-review.googlesource.com/244492
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Chris Masone <cmasone@chromium.org>
/system/firewalld/iptables.cc
0e7a658e0f72b0d2113f5c06136620236dde96f9 17-Jan-2015 Jorge Lucangeli Obes <jorgelo@chromium.org> firewalld: Plug all firewall holes on destruction.

Also, make {Add|Delete}AllowRule non-static since they always use
|executable_path_|.

BUG=chromium:435400
TEST=Add firewall hole via D-Bus, check 'iptables -S', see firewall hole.
TEST=Stop daemon, check 'iptables -S', firewall hole is gone.

Change-Id: Id6d0db376d34ba21997b29dc45aef435590b55fa
Reviewed-on: https://chromium-review.googlesource.com/241716
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/system/firewalld/iptables.cc
bfc594be31a695a78cf409374b2433d1af0f13d5 10-Dec-2014 Jorge Lucangeli Obes <jorgelo@chromium.org> firewalld: Implement UDP hole punching.

BUG=chromium:435400
TEST=New unit tests pass.
TEST=dbus-send --system --dest=org.chromium.firewalld --print-reply \
/org/chromium/firewalld \
org.chromium.firewalld.PunchUdpHole uint16:53 succeeds.
TEST='iptables -S' shows the new rule.
TEST=dbus-send --system --dest=org.chromium.firewalld --print-reply \
/org/chromium/firewalld \
org.chromium.firewalld.PlugUdpHole uint16:53 success.
TEST='iptables -S' no longer shows the new rule.
TEST=TCP 80 works as well.

Change-Id: I5a3d0b52038e2adba0b695471daeb06101eabcb1
Reviewed-on: https://chromium-review.googlesource.com/234433
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/system/firewalld/iptables.cc
8620868c44d58dc0632df3a7be7c48be1eb2421b 06-Dec-2014 Jorge Lucangeli Obes <jorgelo@chromium.org> firewalld: add IpTables wrapper.

Implement firewall functionality.
Split up part of FirewallService's functionality into a class
that can be easily unit-tested.

TODO: allow punching holes for UDP ports as well.

BUG=chromium:435400
TEST=New unit tests pass.
TEST=dbus-send --system --dest=org.chromium.firewalld --print-reply \
/org/chromium/firewalld \
org.chromium.firewalld.PunchHole uint16:80 twice, success.
TEST='iptables -S' shows the new rule.
TEST=dbus-send --system --dest=org.chromium.firewalld --print-reply \
/org/chromium/firewalld \
org.chromium.firewalld.PlugHole uint16:80 once, success.
TEST='iptables -S' no longer shows the new rule.
TEST=Second time, error.

Change-Id: Ic8fc9d1fb3ac3deecde304922a709befa55015fb
Reviewed-on: https://chromium-review.googlesource.com/233723
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/system/firewalld/iptables.cc
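Several entries in this log describe one mechanism from different angles: punch and plug a port (the two entries above), insert with '-I' so the ACCEPT rule lands ahead of any DROP already in the chain, add '-w' so a concurrent iptables holding the xtables lock causes a wait rather than a failure, and plug every remaining hole when the object is destroyed. The class below is an added example written for this page, not firewalld's code, that models those behaviours together. Command execution is injected as a callback so the example runs without root or an iptables binary (the real daemon execs the binary through Minijail as a regular user, per the May 2015 entries). The INPUT chain of the filter table, the argument order, and the rule that a second punch of an open hole is a no-op are assumptions; the interface name is assumed to have been validated already.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <set>
#include <string>
#include <tuple>
#include <utility>
#include <vector>

using Argv = std::vector<std::string>;
// Runs one command line; returns true when the process exited with status 0.
using Executor = std::function<bool(const Argv&)>;

class IpTablesModel {
 public:
  IpTablesModel(std::string path, Executor exec)
      : path_(std::move(path)), exec_(std::move(exec)) {}

  // Plug every hole still open, so a stopped daemon leaves no ACCEPT rules
  // behind (the chromium:435400 "plug on destruction" behaviour).
  ~IpTablesModel() {
    for (const Hole& hole : holes_)
      exec_(BuildRule("-D", hole));
  }

  // Insert the ACCEPT rule at the head of the chain ('-I'), waiting for the
  // xtables lock ('-w') instead of failing when another iptables is running.
  bool PunchHole(const std::string& protocol, uint16_t port,
                 const std::string& iface) {
    if ((protocol != "tcp" && protocol != "udp") || port == 0)
      return false;
    Hole hole{protocol, port, iface};
    if (holes_.count(hole))
      return true;  // assumption: a second punch is a no-op, not a duplicate rule
    if (!exec_(BuildRule("-I", hole)))
      return false;
    holes_.insert(hole);
    return true;
  }

  // Remove the rule; plugging a hole that was never punched is an error.
  bool PlugHole(const std::string& protocol, uint16_t port,
                const std::string& iface) {
    Hole hole{protocol, port, iface};
    if (!holes_.count(hole))
      return false;
    if (!exec_(BuildRule("-D", hole)))
      return false;
    holes_.erase(hole);
    return true;
  }

  std::size_t open_holes() const { return holes_.size(); }

  // Build the argv for one rule. Public so the command line can be inspected
  // without executing anything. INPUT/filter and the argument order are
  // assumptions, not firewalld's exact rule.
  Argv BuildRule(const std::string& op, const std::string& protocol,
                 uint16_t port, const std::string& iface) const {
    Argv argv{path_, "-w", op, "INPUT", "-p", protocol,
              "--dport", std::to_string(port)};
    if (!iface.empty()) {  // |iface| is assumed to be validated by the caller
      argv.push_back("-i");
      argv.push_back(iface);
    }
    argv.push_back("-j");
    argv.push_back("ACCEPT");
    return argv;
  }

 private:
  using Hole = std::tuple<std::string, uint16_t, std::string>;

  Argv BuildRule(const std::string& op, const Hole& hole) const {
    return BuildRule(op, std::get<0>(hole), std::get<1>(hole),
                     std::get<2>(hole));
  }

  std::string path_;
  Executor exec_;
  std::set<Hole> holes_;
};

// Test double standing in for the Minijail-wrapped exec: records every argv
// and reports success.
struct RecordingExecutor {
  std::vector<Argv>* log;
  bool operator()(const Argv& argv) const {
    log->push_back(argv);
    return true;
  }
};

// Worked scenario from the entries above: punch UDP 53, plug it, plug it
// again (error, nothing executed), punch TCP 80 on eth0 and leave it open so
// the destructor has to plug it. Returns {commands issued, '-D' commands}.
std::pair<int, int> RunScenario() {
  std::vector<Argv> log;
  {
    IpTablesModel ipt("/sbin/iptables", RecordingExecutor{&log});
    ipt.PunchHole("udp", 53, "");
    ipt.PlugHole("udp", 53, "");
    ipt.PlugHole("udp", 53, "");
    ipt.PunchHole("tcp", 80, "eth0");
  }  // destructor issues '-D' for tcp/80
  int deletes = 0;
  for (const Argv& argv : log)
    if (argv.size() > 2 && argv[2] == "-D")
      ++deletes;
  return {static_cast<int>(log.size()), deletes};
}
```

Keeping the executor injectable is what the Mock{Add|Delete}AcceptRule entry above is really about: once the binary runs under Minijail, unit tests cannot exec it, so the only seam left is the argv itself, and that seam is where assertions about '-w', '-I' and the exact match arguments belong.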