firewall: set interface zone before IP configuration (rh #805405)

We need to set the interface's firewall zone before we kick off
any sort of IP configuration, so that the zone's rules (for example,
those that permit DHCP traffic) are already in place by the time those
services are started.
Dan Williams 2012-03-21 15:03:23 -05:00
parent 762df85234
commit 2290a70385
4 changed files with 60 additions and 88 deletions


@ -60,8 +60,7 @@ static guint signals[LAST_SIGNAL] = { 0 };
typedef struct {
char *iface;
FwAddToZoneFunc callback;
gpointer user_data1;
gpointer user_data2;
gpointer user_data;
} CBInfo;
static void
@ -77,7 +76,7 @@ add_or_change_cb (DBusGProxy *proxy, DBusGProxyCall *call_id, gpointer user_data
{
CBInfo *info = user_data;
GError *error = NULL;
char * zone = NULL;
char *zone = NULL;
if (!dbus_g_proxy_end_call (proxy, call_id, &error,
G_TYPE_STRING, &zone,
@ -87,7 +86,7 @@ add_or_change_cb (DBusGProxy *proxy, DBusGProxyCall *call_id, gpointer user_data
info->iface, error->code, error->message);
}
info->callback (error, info->user_data1, info->user_data2);
info->callback (error, info->user_data);
g_free (zone);
g_clear_error (&error);
@ -99,23 +98,21 @@ nm_firewall_manager_add_or_change_zone (NMFirewallManager *self,
const char *zone,
gboolean add, /* TRUE == add, FALSE == change */
FwAddToZoneFunc callback,
gpointer user_data1,
gpointer user_data2)
gpointer user_data)
{
NMFirewallManagerPrivate *priv = NM_FIREWALL_MANAGER_GET_PRIVATE (self);
CBInfo *info;
if (priv->running == FALSE) {
nm_log_dbg (LOGD_FIREWALL, "(%s) firewall zone add/change skipped (not running)", iface);
callback (NULL, user_data1, user_data2);
callback (NULL, user_data);
return NULL;
}
info = g_malloc0 (sizeof (*info));
info->iface = g_strdup (iface);
info->callback = callback;
info->user_data1 = user_data1;
info->user_data2 = user_data2;
info->user_data = user_data;
nm_log_dbg (LOGD_FIREWALL, "(%s) firewall zone %s -> %s", iface, add ? "add" : "change", zone);
return dbus_g_proxy_begin_call_with_timeout (priv->proxy,
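Review bot: The debug line near the end of the hunk formats `zone` with `%s`, but `zone` can be NULL — nm_setting_connection_get_zone() returns NULL when no zone is configured, which the nm-device caller in this same commit guards with `zone ? zone : "default"` while this function does not; a NULL `%s` argument is undefined behaviour in printf-style formatting (glibc happens to print "(null)"). Apply the same guard here: `nm_log_dbg (LOGD_FIREWALL, "(%s) firewall zone %s -> %s", iface, add ? "add" : "change", zone ? zone : "default");`. The arguments of the dbus_g_proxy_begin_call_with_timeout() call continue past the hunk, so I could not confirm whether a NULL zone is marshalled as "use the default zone" or rejected by dbus-glib; worth checking, since the device path now passes it unguarded. Note also that the not-running branch reports success (a NULL error) to the caller, so a caller cannot tell "zone applied" from "no firewall daemon present" — that is pre-existing, but the new device path relies on it.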


@ -56,17 +56,14 @@ GType nm_firewall_manager_get_type (void);
NMFirewallManager *nm_firewall_manager_get (void);
typedef void (*FwAddToZoneFunc) (GError *error,
gpointer user_data1,
gpointer user_data2);
typedef void (*FwAddToZoneFunc) (GError *error, gpointer user_data);
gpointer nm_firewall_manager_add_or_change_zone (NMFirewallManager *mgr,
const char *iface,
const char *zone,
gboolean add,
FwAddToZoneFunc callback,
gpointer user_data1,
gpointer user_data2);
gpointer user_data);
gpointer nm_firewall_manager_remove_from_zone (NMFirewallManager *mgr,
const char *iface,
const char *zone);
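Review bot: The new single-user_data callback signature carries no documentation of its contract, and the implementation has two delivery modes a caller must know about. I would add a comment on FwAddToZoneFunc saying that it is invoked exactly once per nm_firewall_manager_add_or_change_zone() call — asynchronously from the main loop when the D-Bus reply arrives, or synchronously, before the function returns and with `error == NULL`, when the firewall daemon is not running — and that `error` is owned by the manager and cleared after the callback returns, so it must be copied if retained. On the prototype, document that `user_data` is passed through untouched and must remain valid until the callback has run, and that the return value is NULL when the callback has already been invoked synchronously and otherwise an opaque call handle (presumably for cancellation — the header does not show a cancel function, so confirm before stating that). Callers that pass a ref'd object (as nm-policy does) should be told explicitly that the callback is the only place to release it.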


@ -2302,6 +2302,24 @@ out:
}
static void
fw_add_to_zone_cb (GError *error, gpointer user_data)
{
NMDevice *self = NM_DEVICE (user_data);
NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE (self);
priv->fw_call = NULL;
if (error) {
/* FIXME: fail the device activation? */
}
activation_source_schedule (self, nm_device_activate_stage3_ip_config_start, 0);
nm_log_info (LOGD_DEVICE, "Activation (%s) Stage 3 of 5 (IP Configure Start) scheduled.",
nm_device_get_iface (self));
}
/*
* nm_device_activate_schedule_stage3_ip_config_start
*
@ -2311,16 +2329,33 @@ void
nm_device_activate_schedule_stage3_ip_config_start (NMDevice *self)
{
NMDevicePrivate *priv;
NMConnection *connection;
NMSettingConnection *s_con = NULL;
NMDeviceState state;
const char *zone;
g_return_if_fail (NM_IS_DEVICE (self));
priv = NM_DEVICE_GET_PRIVATE (self);
g_return_if_fail (priv->act_request);
activation_source_schedule (self, nm_device_activate_stage3_ip_config_start, 0);
state = nm_device_get_state (self);
g_warn_if_fail (state >= NM_DEVICE_STATE_PREPARE && state <= NM_DEVICE_STATE_NEED_AUTH);
nm_log_info (LOGD_DEVICE, "Activation (%s) Stage 3 of 5 (IP Configure Start) scheduled.",
nm_device_get_iface (self));
/* Add the interface to the specified firewall zone */
connection = nm_device_get_connection (self);
g_assert (connection);
s_con = nm_connection_get_setting_connection (connection);
zone = nm_setting_connection_get_zone (s_con);
nm_log_dbg (LOGD_DEVICE, "Activation (%s) setting firewall zone '%s'",
nm_device_get_iface (self), zone ? zone : "default");
priv->fw_call = nm_firewall_manager_add_or_change_zone (priv->fw_manager,
nm_device_get_ip_iface (self),
zone,
TRUE,
fw_add_to_zone_cb,
self);
}
static NMActStageReturn
@ -2690,67 +2725,6 @@ out:
return FALSE;
}
static void
fw_add_to_zone_cb (GError *error,
gpointer user_data1,
gpointer user_data2)
{
NMDevice *self = NM_DEVICE (user_data1);
NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE (self);
int family = GPOINTER_TO_INT (user_data2);
char ipver = 'x';
guint32 logd = LOGD_NONE;
priv->fw_call = NULL;
if (error) {
/* FIXME: fail the device activation? */
}
if (family == AF_INET) {
activation_source_schedule (self, nm_device_activate_ip4_config_commit, AF_INET);
ipver = '4';
logd = LOGD_IP4;
} else if (family == AF_INET6) {
activation_source_schedule (self, nm_device_activate_ip6_config_commit, AF_INET6);
ipver = '6';
logd = LOGD_IP6;
} else
g_assert_not_reached ();
nm_log_info (LOGD_DEVICE | logd,
"Activation (%s) Stage 5 of 5 (IPv%c Configure Commit) scheduled...",
nm_device_get_iface (self), ipver);
}
static void
fw_add_to_zone (NMDevice *self, int family)
{
NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE (self);
NMConnection *connection;
NMSettingConnection *s_con = NULL;
/* Only set the interface's zone if the device isn't yet activated. If
* already activated, the zone has already been set.
*/
if (nm_device_get_state (self) == NM_DEVICE_STATE_ACTIVATED) {
fw_add_to_zone_cb (NULL, self, GINT_TO_POINTER (family));
return;
}
/* Otherwise tell the firewall to add the interface to the specified zone */
connection = nm_device_get_connection (self);
g_assert (connection);
s_con = nm_connection_get_setting_connection (connection);
priv->fw_call = nm_firewall_manager_add_or_change_zone (priv->fw_manager,
nm_device_get_ip_iface (self),
nm_setting_connection_get_zone (s_con),
TRUE,
fw_add_to_zone_cb,
self,
GINT_TO_POINTER (family));
}
void
nm_device_activate_schedule_ip4_config_result (NMDevice *self, NMIP4Config *config)
{
@ -2771,7 +2745,11 @@ nm_device_activate_schedule_ip4_config_result (NMDevice *self, NMIP4Config *conf
g_object_ref (config),
g_object_unref);
fw_add_to_zone (self, AF_INET);
activation_source_schedule (self, nm_device_activate_ip4_config_commit, AF_INET);
nm_log_info (LOGD_DEVICE | LOGD_IP4,
"Activation (%s) Stage 5 of 5 (IPv4 Configure Commit) scheduled...",
nm_device_get_iface (self));
}
gboolean
@ -2859,7 +2837,11 @@ nm_device_activate_schedule_ip6_config_result (NMDevice *self, NMIP6Config *conf
g_object_ref (config),
g_object_unref);
fw_add_to_zone (self, AF_INET6);
activation_source_schedule (self, nm_device_activate_ip6_config_commit, AF_INET6);
nm_log_info (LOGD_DEVICE | LOGD_IP4,
"Activation (%s) Stage 5 of 5 (IPv6 Commit) scheduled...",
nm_device_get_iface (self));
}
gboolean
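Review bot: The error from the zone add is still discarded at the FIXME in fw_add_to_zone_cb and activation proceeds straight to Stage 3, so when firewalld rejects or fails the add, IP configuration and the DHCP client start with the interface outside its configured zone and nothing above debug level records it — exactly the ordering problem the commit sets out to fix. At minimum log it before scheduling: `if (error) nm_log_warn (LOGD_DEVICE, "Activation (%s) firewall zone add failed: %s", nm_device_get_iface (self), error->message);` — whether to fail activation is a policy choice, but the warning should not wait for it. The device is also handed over bare (`self`) as user_data whereas nm-policy passes `g_object_ref (dev)`; unless dispose cancels `priv->fw_call` (not visible here), a device torn down while the reply is pending leaves the callback dereferencing freed memory. Separately, the new IPv6 scheduling log uses `LOGD_IP4` where the removed code used LOGD_IP6, and its text "(IPv6 Commit)" no longer parallels the IPv4 line's "(IPv4 Configure Commit)". nm_device_activate_schedule_ip4_config_result and its IPv6 counterpart begin outside the hunk.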


@ -1251,11 +1251,9 @@ connections_loaded (NMSettings *settings, gpointer user_data)
}
static void
add_or_change_zone_cb (GError *error,
gpointer user_data1,
gpointer user_data2)
add_or_change_zone_cb (GError *error, gpointer user_data)
{
NMDevice *device = NM_DEVICE (user_data1);
NMDevice *device = NM_DEVICE (user_data);
if (error) {
/* FIXME: what do we do here? */
@ -1282,8 +1280,7 @@ firewall_update_zone (NMPolicy *policy, NMConnection *connection)
nm_setting_connection_get_zone (s_con),
FALSE, /* change zone */
add_or_change_zone_cb,
g_object_ref (dev),
NULL);
g_object_ref (dev));
}
}
}
@ -1310,8 +1307,7 @@ firewall_started (NMFirewallManager *manager,
nm_setting_connection_get_zone (s_con),
TRUE, /* add zone */
add_or_change_zone_cb,
g_object_ref (dev),
NULL);
g_object_ref (dev));
}
}
}
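Review bot: The error branch at the FIXME in add_or_change_zone_cb still handles a failed zone change only with a comment, as far as the hunk shows, so a rejected change for an already-active device (the `FALSE, /* change zone */` path in firewall_update_zone) leaves the device running in whatever zone it had with no record of the mismatch; log it so it is visible: `nm_log_warn (LOGD_DEVICE, "(%s) failed to update firewall zone: %s", nm_device_get_iface (device), error->message);`. Since both callers pass `g_object_ref (dev)`, the callback must unref the device on every path including this one; the rest of its body is outside the hunk, so I could not confirm that it does, and a missing unref on the error path would pin the device object. firewall_update_zone and firewall_started both begin outside their hunks.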