From be7bf38a3a3a15b18b5978757beca098afad3185 Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Tue, 27 Oct 2020 17:11:39 +0100
Subject: [PATCH] core: add nm_utils_share_rules_add_all_rules() for constructing iptables rules
---
 src/NetworkManagerUtils.c | 76 +++++++++++++++++++++++++++++++++++++++
 src/NetworkManagerUtils.h | 5 +++
 2 files changed, 81 insertions(+)
diff --git a/src/NetworkManagerUtils.c b/src/NetworkManagerUtils.c
index a9d5d2ff9..3d1b3a448 100644
--- a/src/NetworkManagerUtils.c
+++ b/src/NetworkManagerUtils.c
@@ -1760,3 +1760,79 @@ next:
 }
 }
 }
+
+void
+nm_utils_share_rules_add_all_rules(NMUtilsShareRules *self,
+ const char * ip_iface,
+ in_addr_t addr,
+ guint plen)
+{
+ in_addr_t netmask;
+ in_addr_t network;
+ char str_mask[NM_UTILS_INET_ADDRSTRLEN];
+ char str_addr[NM_UTILS_INET_ADDRSTRLEN];
+
+ nm_assert(self);
+
+ netmask = _nm_utils_ip4_prefix_to_netmask(plen);
+ _nm_utils_inet4_ntop(netmask, str_mask);
+
+ network = addr & netmask;
+ _nm_utils_inet4_ntop(network, str_addr);
+
+ nm_utils_share_rules_add_rule_v(
+ self,
+ "nat",
+ "POSTROUTING --source %s/%s ! --destination %s/%s --jump MASQUERADE",
+ str_addr,
+ str_mask,
+ str_addr,
+ str_mask);
+ nm_utils_share_rules_add_rule_v(
+ self,
+ "filter",
+ "FORWARD --destination %s/%s --out-interface %s --match state --state "
+ "ESTABLISHED,RELATED --jump ACCEPT",
+ str_addr,
+ str_mask,
+ ip_iface);
+ nm_utils_share_rules_add_rule_v(self,
+ "filter",
+ "FORWARD --source %s/%s --in-interface %s --jump ACCEPT",
+ str_addr,
+ str_mask,
+ ip_iface);
+ nm_utils_share_rules_add_rule_v(self,
+ "filter",
+ "FORWARD --in-interface %s --out-interface %s --jump ACCEPT",
+ ip_iface,
+ ip_iface);
+ nm_utils_share_rules_add_rule_v(self,
+ "filter",
+ "FORWARD --out-interface %s --jump REJECT",
+ ip_iface);
+ nm_utils_share_rules_add_rule_v(self,
+ "filter",
+ "FORWARD --in-interface %s --jump REJECT",
+ ip_iface);
+ nm_utils_share_rules_add_rule_v(
+ self,
+ "filter",
+ "INPUT --in-interface %s --protocol udp --destination-port 67 --jump ACCEPT",
+ ip_iface);
+ nm_utils_share_rules_add_rule_v(
+ self,
+ "filter",
+ "INPUT --in-interface %s --protocol tcp --destination-port 67 --jump ACCEPT",
+ ip_iface);
+ nm_utils_share_rules_add_rule_v(
+ self,
+ "filter",
+ "INPUT --in-interface %s --protocol udp --destination-port 53 --jump ACCEPT",
+ ip_iface);
+ nm_utils_share_rules_add_rule_v(
+ self,
+ "filter",
+ "INPUT --in-interface %s --protocol tcp --destination-port 53 --jump ACCEPT",
+ ip_iface);
+}
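Review bot: Neither `ip_iface` nor `plen` is checked before use; only `nm_assert(self)` guards the inputs, yet `ip_iface` feeds eleven `%s` conversions unchanged and `plen` goes straight into `_nm_utils_ip4_prefix_to_netmask()`, whose result for a prefix above 32 is not visible in this hunk. Because both values are pasted verbatim into iptables rule text, I would add `nm_assert(ip_iface);` and `nm_assert(plen <= 32);` beside the existing assert so a bad caller fails loudly instead of emitting a rule built from a NULL string or a meaningless mask. The function also relies on the rules taking effect in the order they are added here (the three FORWARD ACCEPT rules before the two FORWARD REJECT rules), which depends on how `nm_utils_share_rules_apply()` installs them; that assumption deserves a comment above the function, e.g. `/* Order matters: the ACCEPT rules for the shared subnet must land before the REJECT catch-alls. */`.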
diff --git a/src/NetworkManagerUtils.h b/src/NetworkManagerUtils.h
index adf364501..5373f9cea 100644
--- a/src/NetworkManagerUtils.h
+++ b/src/NetworkManagerUtils.h
@@ -242,6 +242,11 @@ nm_utils_share_rules_add_rule(NMUtilsShareRules *self, const char *table, const
 #define nm_utils_share_rules_add_rule_v(self, table, ...) \
 nm_utils_share_rules_add_rule_take((self), (table), g_strdup_printf(__VA_ARGS__))
 
+void nm_utils_share_rules_add_all_rules(NMUtilsShareRules *self,
+ const char * ip_iface,
+ in_addr_t addr,
+ guint plen);
+
 void nm_utils_share_rules_apply(NMUtilsShareRules *self, gboolean shared);
 
 /*****************************************************************************/
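Review bot: The new public prototype carries no documentation, so a caller cannot tell from the header which rules it generates or what `plen` is expected to be. A short comment above the declaration would close that gap, e.g. `/* Append the standard rule set for a shared IPv4 connection on @ip_iface: MASQUERADE for the @addr/@plen network, FORWARD accept/reject for the interface, and INPUT accept for UDP/TCP ports 67 and 53 on it. @plen is an IPv4 prefix length. */`. The definition added in NetworkManagerUtils.c in the same commit is undocumented as well.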