History log of /system/firewalld/iptables.h
Revision Date Author Comments
835d2c2d6f151059c4d70adbfdac9aca7b3f98c5 02-Feb-2016 Jorge Lucangeli Obes <jorgelo@google.com> Refactor IpTables class to remove duplication.

This CL tries to remove as much duplicated code from the IpTables class
as possible. The basic construct of running the same command with
different executables/options is extracted into a helper function.

Moreover, the unit tests are simplified by mocking one function call
higher and removing a lot of set-up duplication.

Bug: 26911013
Change-Id: Iecdacab2ef6ffa5631c877835bdfb0bf7191536c
/system/firewalld/iptables.h
2b2e047243cc1db7c5f0c744822db0fdbb7a95e0 01-Feb-2016 Jorge Lucangeli Obes <jorgelo@google.com> Run unit tests on Brillo.

Looks like IPv6 is working correctly, so re-enable that too.

Bug: 26911013

Change-Id: Iad0390e3a41a429460794b7c243ebca59cf64146
/system/firewalld/iptables.h
6c733cf77b78062afd7d70eb68f8832d77362086 23-Jan-2016 Kevin Cernekee <cernekee@google.com> Add rules to route IPv6 third party VPN traffic

Currently only IPv4 traffic is handled by third party VPNs. Extend
the UID_MATCH and route setup to IPv6.

Bug: chromium:522003
TEST=`FEATURES=test emerge-link firewalld`
TEST=manual

Change-Id: I9352506e98e1fdcace093d443e2fa2b95887d720
/system/firewalld/iptables.h
e478a11fbfb297ce3bb3da1dc6ec16a0da6c997f 13-Oct-2015 Alex Vakulenko <avakulenko@google.com> firewalld: Rename "chromeos" -> "brillo" in include paths and namespaces

libchromeos is transitioning to libbrillo, and the chromeos namespaces
and include directory are changing to brillo.

Bug: 24872993
Change-Id: Icc70ef99c10acc983a9c261faaa983e26536ad04
/system/firewalld/iptables.h
c20ed4ff74624300767ba77bc7deea8eb881527e 21-Aug-2015 Gilad Arnold <garnold@google.com> Unify DBus adaptor include paths.

Now that the DBus header generation in AOSP has stabilized, we should resolve
these differences.

Bug: 23426296
Change-Id: I7de2d63efdc3a5f5d2479a3a9d6f08fc8ce9b7bb
/system/firewalld/iptables.h
df78e333d29a83d97aefe07f84bd5c02f667d11b 20-Aug-2015 Daniel Erat <derat@google.com> Use __ANDROID__ instead of __BRILLO__.

__ANDROID__ is defined automatically by the toolchain.

Bug: 23358460
Change-Id: I7487625802deb48ff31da8410125fa910a88ca74
/system/firewalld/iptables.h
6b8fa374cca2bedbb31afa8d3e484472112e3cff 19-Aug-2015 Ying Wang <wangying@google.com> Update with new DBus generated adaptor header files.

Bug: 22608897
Change-Id: Ic9131ca64383a96cab47807daeb8257693e5eaa2
/system/firewalld/iptables.h
7db56bd4c91a516637995b9bf75241cb0c323bf9 06-Aug-2015 Gilad Arnold <garnold@google.com> Build firewalld in Android.

* Drop firewalld/ prefix from #include paths.

* Rename the DBus interface definition to have a .dbus.xml suffix;
  needed for it to be picked up by the build infrastructure.

* Add __BRILLO__ preprocessor symbol for conditionally:

  1) Removing support for Permission Broker (currently not available and
     no concrete porting plan yet).

  2) Disable dropping privileges in minijail invocations (yet to be
     figured out).

  3) Adapting DBus bindings header paths (slightly different).

  4) Adapting helper utility paths (iptables, iproute2).

  5) Making punching of IPv6 firewall rules optional and autodetected.

* Re-license everything to AOSP and add NOTICE and
  MODULE_LICENSE_APACHE2.

* Added Android.mk for building all the targets we need, including
  init.firewalld.rc with proper SELinux attributes (when supported).

Bug: 22827985
Change-Id: I05f74f80f95f689b4bbf60a2708e76ef5495b96e
/system/firewalld/iptables.h
b8e5875f414afa642031e14a4b271927aaa8b250 09-May-2015 Jorge Lucangeli Obes <jorgelo@chromium.org> firewalld: Run 'iptables' as a regular user.

BUG=chromium:487019
TEST=Unit tests, platform_Firewall
CQ-DEPEND=CL:270621

Change-Id: Ic49e7d7912d96f9cec29cf2a3f34f50e71c02391
Reviewed-on: https://chromium-review.googlesource.com/270170
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Bartosz Fabianowski <bartfab@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/system/firewalld/iptables.h
73cb183d526a3b6b9fc7aadaffde2da13a6cd371 09-May-2015 Jorge Lucangeli Obes <jorgelo@chromium.org> firewalld: Mock IpTables::{Add|Delete}AcceptRule methods.

This CL paves the way to launch 'ip(6)tables' using Minijail. We cannot
use the current approach of providing test-only binaries because Minijail
will not work when running as non-root (such as in unit tests). Therefore,
we need to mock {Add|Delete}Accept.

Also add an Exec() method to wrap the Minijail invocation in the future,
and clean up some of the unit tests.

BUG=chromium:487019
TEST=Existing unit tests.

Change-Id: I6ddf41bf5c2e8e7fa8f6369d08a3fb37ad2edeb6
Reviewed-on: https://chromium-review.googlesource.com/270341
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Bartosz Fabianowski <bartfab@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/system/firewalld/iptables.h
d66fae25e69366d77c7b1db7e27aa23b6b393f55 05-Mar-2015 Prabhu Kaliamoorthi <kaliamoorthi@chromium.org> firewalld: Add unit test for ApplyVpnSetup in IpTables

This CL adds a unit test for the ApplyVpnSetup routine added to firewalld
for supporting third party VPN in Chrome OS.

BUG=chromium:460418
TEST=Ran the unit test

Change-Id: Ice71477f6c3ab9ee76de48ced94d535e015e00fb
Reviewed-on: https://chromium-review.googlesource.com/256302
Tested-by: Prabhu Kaliamoorthi <kaliamoorthi@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Prabhu Kaliamoorthi <kaliamoorthi@chromium.org>
Commit-Queue: Prabhu Kaliamoorthi <kaliamoorthi@chromium.org>
/system/firewalld/iptables.h
650d229bfc31be30636c2ac62f242952e4f583d4 25-Feb-2015 Jorge Lucangeli Obes <jorgelo@chromium.org> firewalld: Monitor permission_broker lifetime.

If/when permission_broker exits, plug all firewall holes.

BUG=None
TEST=Manual: deploy to device, punch a hole.
TEST='restart permission_broker', holes are punched.

Change-Id: I3885b2338ad25f79c50a7f8c0aa4375e092ecceb
Reviewed-on: https://chromium-review.googlesource.com/253790
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
/system/firewalld/iptables.h
40653d0e058ff0f7908b28874224bbb085e99905 12-Feb-2015 Prabhu Kaliamoorthi <kaliamoorthi@chromium.org> firewalld: Add routines to firewalld to mark traffic and masquerade

This CL adds routines to firewalld that enable network traffic to
be marked based on user id and masquerading rules for network
interfaces.

BUG=chromium:458075
TEST=Manual testing

Change-Id: I81e08f1c20bf99887ac87c9970fcc2a58dcd2355
Reviewed-on: https://chromium-review.googlesource.com/249111
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Prabhu Kaliamoorthi <kaliamoorthi@chromium.org>
Commit-Queue: Prabhu Kaliamoorthi <kaliamoorthi@chromium.org>
/system/firewalld/iptables.h
bef267fbda7fd62cc3b7d50b8980a0d073d5e089 14-Feb-2015 Jorge Lucangeli Obes <jorgelo@chromium.org> firewalld: Add IPv6 firewall rules.

BUG=brillo:252
TEST=Unit tests.

Change-Id: I784472ce5f0c7d0649b38e48bd23b3acba9ffbbc
Reviewed-on: https://chromium-review.googlesource.com/249982
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Alex Vakulenko <avakulenko@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/system/firewalld/iptables.h
eee27d2ce09514ff5d758f2e2b43b1b1f8832775 12-Feb-2015 Jorge Lucangeli Obes <jorgelo@chromium.org> firewalld, permission_broker: add initial support for interfaces.

This is the first patch in a two-patch series. It adds support for specifying
interfaces to firewalld. The next patch will make permission_broker use this
support.

BUG=brillo:185
TEST=unit tests
TEST=platform_Firewall

Change-Id: Ic3247a20a55427e85a4fb1ff4beadb813f8e9b7c
Reviewed-on: https://chromium-review.googlesource.com/249360
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Zeping Qiu <zqiu@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/system/firewalld/iptables.h
5affd8895f6879153fce488c3f92271349eeadc9 30-Jan-2015 Jorge Lucangeli Obes <jorgelo@chromium.org> firewalld: make D-Bus methods simple.

BUG=chromium:435400
TEST=unit tests

Change-Id: I4afa4264332ed3ef2eb0e4fafbbb7917e5c995ba
Reviewed-on: https://chromium-review.googlesource.com/244492
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Chris Masone <cmasone@chromium.org>
/system/firewalld/iptables.h
0e7a658e0f72b0d2113f5c06136620236dde96f9 17-Jan-2015 Jorge Lucangeli Obes <jorgelo@chromium.org> firewalld: Plug all firewall holes on destruction.

Also, make {Add|Delete}AllowRule non-static since they always use
|executable_path_|.

BUG=chromium:435400
TEST=Add firewall hole via D-Bus, check 'iptables -S', see firewall hole.
TEST=Stop daemon, check 'iptables -S', firewall hole is gone.

Change-Id: Id6d0db376d34ba21997b29dc45aef435590b55fa
Reviewed-on: https://chromium-review.googlesource.com/241716
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/system/firewalld/iptables.h
bfc594be31a695a78cf409374b2433d1af0f13d5 10-Dec-2014 Jorge Lucangeli Obes <jorgelo@chromium.org> firewalld: Implement UDP hole punching.

BUG=chromium:435400
TEST=New unit tests pass.
TEST=dbus-send --system --dest=org.chromium.firewalld --print-reply \
/org/chromium/firewalld \
org.chromium.firewalld.PunchUdpHole uint16:53 succeeds.
TEST='iptables -S' shows the new rule.
TEST=dbus-send --system --dest=org.chromium.firewalld --print-reply \
/org/chromium/firewalld \
org.chromium.firewalld.PlugUdpHole uint16:53 success.
TEST='iptables -S' no longer shows the new rule.
TEST=TCP 80 works as well.

Change-Id: I5a3d0b52038e2adba0b695471daeb06101eabcb1
Reviewed-on: https://chromium-review.googlesource.com/234433
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/system/firewalld/iptables.h
8620868c44d58dc0632df3a7be7c48be1eb2421b 06-Dec-2014 Jorge Lucangeli Obes <jorgelo@chromium.org> firewalld: add IpTables wrapper.

Implement firewall functionality.
Split up part of FirewallService's functionality into a class
that can be easily unit-tested.

TODO: allow punching holes for UDP ports as well.

BUG=chromium:435400
TEST=New unit tests pass.
TEST=dbus-send --system --dest=org.chromium.firewalld --print-reply \
/org/chromium/firewalld \
org.chromium.firewalld.PunchHole uint16:80 twice, success.
TEST='iptables -S' shows the new rule.
TEST=dbus-send --system --dest=org.chromium.firewalld --print-reply \
/org/chromium/firewalld \
org.chromium.firewalld.PlugHole uint16:80 once, success.
TEST='iptables -S' no longer shows the new rule.
TEST=Second time, error.

Change-Id: Ic8fc9d1fb3ac3deecde304922a709befa55015fb
Reviewed-on: https://chromium-review.googlesource.com/233723
Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
/system/firewalld/iptables.h