Connman plugin that provides D-Bus API for controlling iptables rules.
The detailed API description is provided as D-Bus introspect XML file (in spec/sailfish_iptables_dbus_interface_description.xml) from which a docbook XML is generated for the docs-package (run make -C doc).
File contains descriptions for all the methods and parameters for each method.
A html page can be generated from the introspect XML with the script at doc/docbook_html. The script requires xsltproc, docbook, docbook-xsl, docbook-xsl-ns, and docbook5-xml in order to generate the file from docbook XML.
Plugin is loaded by Connection Manager at startup.
When loaded plugin registers its interface "org.sailfishos.connman.mdm.iptables" under "net.connman" with path "/org/sailfishos/connman/mdm/iptables". Plugin uses Connection Manager D-Bus functions to register itself to D-Bus.
After the plugin is loaded signal "Initialize" is sent over D-Bus indicating that the plugin is running. Then iptables filter table content is loaded from the default save path of connman iptables module for IPv4 rules. All previously created custom chains (prefixed with sfos_) are loaded at plugin startup (using iptables content returned by connman) into plugin's internal database.
When unloaded (by Connman at exit) iptables filter table is saved to connman's default save path, iptables content is cleared, custom chains are removed from the filter table and finally signal "Shutdown" is sent over D-Bus. Custom chains are saved by connman's sailfish iptables extension.
This plugin allows to:
- Add a rule to iptables filter table
- Remove a rule from iptables filter table
- Change policy of a filter table chain INPUT and OUTPUT
- Add a custom chain to filter table
- Clear iptables rules
- Clear iptables custom chains
- Get iptables filter table content
- Get version of plugin interface
- Register (and unregister) to listen for API change signals
Rules can be added to any chains found iptables filter table. Each rule can be added with any iptables target: ACCEPT, DENY, REJECT, QUEUE, LOG and custom chains can be used as targets too. Custom chains must be used with the name they are added, e.g., adding chain CUSTOM1 is added as sfos_CUSTOM1 and it has to be used without the prefix "sfos_" as CUSTOM1.
Following parameters are supported:
- Ip address or network
- Ip address or network with port
- Ip address or network with port range
- Ip address or network with service name
- Port with any address 0.0.0.0
- Port range with any address 0.0.0.0
- Service name with any address 0.0.0.0
Additionally ICMP rule adding is also supported. Parameters for this are:
- ICMP type and code
- IP address (optional, can be left as empty strings if not required)
Both source and destination parameters are supported for all. Either or both parameters (source or destination) must be set. They are added to iptables accordingly.
For more information refer to xml documentation of the D-Bus interface of this plugin (sailfish_iptables_dbus_interface_description.xml).
Access control prevents regular users from changing iptables content or to listen for signals emitted by API. Default configuration is provided by the installation and installed to /etc/connman/iptables_policy.conf. Configuration is loaded from this file, which follows libdbusaccess policy format (see https://git.merproject.org/mer-core/libdbusaccess/).
If a client wishes to get the signals (detailed later) client has to call method Register() successfully. Method use does not require use of Register() method. On each function call (except GetVersion()) the access is checked from D-Bus access policy (via libdbusaccess).
Three different properties are supported in the policy configuration file: full, manage and listen.
Allow everything, no restrictions on access. All signals can be received.
Make changes to iptables content (add/remove rules and custom chains). Clearing of iptables table with ClearIptablesTable() method is not allowed. All signals can be received.
Can only listen for D-Bus signals emitted by API after calling method Register().
The API emits following signals (further described in the D-Bus introspect XML/ HTML documentation):
Plugin is initialized and ready to be used.
Signal is sent to all.
Plugin is unloaded.
Signal is sent to all.
Iptables table has been cleared from all rules. Table name as string parameter.
Signal is sent to clients with at least listen() access.
Iptables table has been cleared from all custom chains. Table name as string parameter.
Signal is sent to clients with at least listen() access.
Iptables chain policy has been changed. Signal contains table and chain names as strings as well as the new policy.
Signal is sent to clients with at least listen() access.
A rule has been added to iptables. Ip address, port/port range and protocol are sent as string parameters along table, chain and target information.
Signal is sent to clients with at least listen() access.
A rule has been removed from iptables. Ip address, port/port range and protocol are sent as string parameters along table, chain and target information.
Signal is sent to clients with at least listen() access.
A chain was added to or removed from a table, or table was flushed in a table. Affected table and chain are sent as string parameter with operation type (ADD=0, REMOVE=1, FLUSH=2).
Signal is sent to clients with at least listen() access.
An ICMP rule has been added to iptables. ICMP type and code + IP address (empty if not set) are sent as parameters along table, chain and target information.
Signal is sent to clients with at least listen() access.
An ICMP rule has been removed from iptables. ICMP type and code + IP address (empty if not set) are sent as parameters along table, chain and target information.
Signal is sent to clients with at least listen() access.
The following examples use command "dbus-send".
dbus-send --system \
--type=method_call \
--print-reply \
--dest="net.connman" \
/org/sailfishos/connman/mdm/iptables \
org.sailfishos.connman.mdm.iptables.ChangePolicy \
string:"filter" \
string:"input" \
uint16:2
dbus-send --system \
--type=method_call \
--print-reply \
--dest="net.connman" \
/org/sailfishos/connman/mdm/iptables \
org.sailfishos.connman.mdm.iptables.RuleIp \
string:filter string:INPUT string:ACCEPT \
string:192.168.0.1 string: uint16:0
dbus-send --system \
--type=method_call \
--print-reply \
--dest="net.connman" \
/org/sailfishos/connman/mdm/iptables \
org.sailfishos.connman.mdm.iptables.RuleIp \
string:filter string:OUTPUT string:DROP \
string: string:192.168.0.2 uint16:0
dbus-send --system \
--type=method_call \
--print-reply \
--dest="net.connman" \
/org/sailfishos/connman/mdm/iptables \
org.sailfishos.connman.mdm.iptables.RulePortRange \
string:filter string:OUTPUT string:DROP \
uint16:8000 uint16:9000 uint16:0 uint16:0 \
uint32:6 uint16:0
dbus-send --system \
--type=method_call \
--print-reply \
--dest="net.connman" \
/org/sailfishos/connman/mdm/iptables \
org.sailfishos.connman.mdm.iptables.RulePortRange \
string:filter string:INPUT string:DROP \
uint16:0 uint16:0 uint16:8000 uint16:9000 \
uint32:17 uint16:0
dbus-send --system \
--type=method_call \
--print-reply \
--dest="net.connman" \
/org/sailfishos/connman/mdm/iptables \
org.sailfishos.connman.mdm.iptables.RuleIpWithService \
string:filter string:INPUT string:DROP \
string:192.168.0.2 string: string:ssh string: \
uint32:17 uint16:1
dbus-send --system \
--type=method_call \
--print-reply \
--dest="net.connman" \
/org/sailfishos/connman/mdm/iptables \
org.sailfishos.connman.mdm.iptables.ManageChain \
string:filter string:CUSTOM1 uint16:0
dbus-send --system \
--type=method_call \
--print-reply \
--dest="net.connman" \
/org/sailfishos/connman/mdm/iptables \
org.sailfishos.connman.mdm.iptables.RuleICMP \
string:filter string:OUTPUT string:"REJECT" \
string:192.168.1.1 string: uint16:8 uint16:0 uint16:0
Each method call results in a reply containing a return value (integer). The return values and their textual descriptions are as follows:
| Return value | Description |
|---|---|
| 0 | "Ok" |
| 1 | "Invalid IP" |
| 2 | "Invalid port" |
| 3 | "Invalid port range" |
| 4 | "Invalid service name" |
| 5 | "Invalid protocol" |
| 6 | "Invalid policy" |
| 7 | "Rule does not exist" |
| 8 | "Cannot process request" |
| 9 | "Cannot perform operation" |
| 10 | "Unauthorized, please try again" |
| 11 | "Unregister failed" |
| 12 | "Invalid chain name given. Chain name is reserved (add) or does not exist (remove)." |
| 13 | "Invalid table name given." |
| 14 | "Invalid target name given." |
| 15 | "Invalid ICMP type or code given." |
| 100 | "Access denied" |
In addition, GetIptablesContent will return two string arrays (if error these are empty arrays):
| Return value | Description |
|---|---|
| array [ string ] | Chains in filter table in format "CHAINNAME CHAINPOLICY" |
| array [ string ] | Rules in filter table in raw iptables format |