nm-firewall-manager.c 17.1 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */
/* NetworkManager -- Network link manager
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
18
 * Copyright (C) 2011 - 2015 Red Hat, Inc.
19 20
 */

21
#include "nm-default.h"
22

23
#include "nm-firewall-manager.h"
24

25
#include "NetworkManagerUtils.h"
26
#include "c-list/src/c-list.h"
27

28
/*****************************************************************************/
29 30

enum {
31
	STATE_CHANGED,
32
	LAST_SIGNAL
33 34
};

35 36
static guint signals[LAST_SIGNAL] = { 0 };

37
typedef struct {
38 39
	GDBusProxy     *proxy;
	GCancellable   *proxy_cancellable;
40

41
	CList           pending_calls;
42
	bool            running;
43 44
} NMFirewallManagerPrivate;

45 46 47 48
struct _NMFirewallManager {
	GObject parent;
	NMFirewallManagerPrivate _priv;
};
49

50 51
struct _NMFirewallManagerClass {
	GObjectClass parent;
52 53
};

54 55 56 57 58
G_DEFINE_TYPE (NMFirewallManager, nm_firewall_manager, G_TYPE_OBJECT)

#define NM_FIREWALL_MANAGER_GET_PRIVATE(self) _NM_GET_PRIVATE (self, NMFirewallManager, NM_IS_FIREWALL_MANAGER)

/*****************************************************************************/
59

60 61
NM_DEFINE_SINGLETON_GETTER (NMFirewallManager, nm_firewall_manager_get, NM_TYPE_FIREWALL_MANAGER);

62
/*****************************************************************************/
63

64 65 66 67 68
typedef enum {
	CB_INFO_OPS_ADD = 1,
	CB_INFO_OPS_CHANGE,
	CB_INFO_OPS_REMOVE,
} CBInfoOpsType;
69

70 71
typedef enum {
	CB_INFO_MODE_IDLE = 1,
72
	CB_INFO_MODE_DBUS_WAITING,
73 74 75 76 77
	CB_INFO_MODE_DBUS,
	CB_INFO_MODE_DBUS_COMPLETED,
} CBInfoMode;

struct _NMFirewallManagerCallId {
78
	CList lst;
79
	NMFirewallManager *self;
80
	CBInfoOpsType ops_type;
81 82 83 84
	union {
		const CBInfoMode mode;
		CBInfoMode mode_mutable;
	};
85
	char *iface;
86
	NMFirewallManagerAddRemoveCallback callback;
87
	gpointer user_data;
88

89 90 91
	union {
		struct {
			GCancellable *cancellable;
92
			GVariant *arg;
93 94 95 96 97 98 99
		} dbus;
		struct {
			guint id;
		} idle;
	};
};
typedef struct _NMFirewallManagerCallId CBInfo;
100

101
/*****************************************************************************/
102

103 104 105 106 107 108 109 110
static const char *
_ops_type_to_string (CBInfoOpsType ops_type)
{
	switch (ops_type) {
	case CB_INFO_OPS_ADD:    return "add";
	case CB_INFO_OPS_REMOVE: return "remove";
	case CB_INFO_OPS_CHANGE: return "change";
	default: g_return_val_if_reached ("unknown");
111
	}
112
}
113

114 115 116 117 118 119 120 121 122
#define _NMLOG_DOMAIN      LOGD_FIREWALL
#define _NMLOG_PREFIX_NAME "firewall"
#define _NMLOG(level, info, ...) \
    G_STMT_START { \
        if (nm_logging_enabled ((level), (_NMLOG_DOMAIN))) { \
            CBInfo *__info = (info); \
            char __prefix_name[30]; \
            char __prefix_info[64]; \
            \
123
            _nm_log ((level), (_NMLOG_DOMAIN), 0, NULL, NULL, \
124 125 126 127 128 129 130 131 132 133
                     "%s: %s" _NM_UTILS_MACRO_FIRST(__VA_ARGS__), \
                     (self) != singleton_instance \
                        ? ({ \
                                g_snprintf (__prefix_name, sizeof (__prefix_name), "%s[%p]", ""_NMLOG_PREFIX_NAME, (self)); \
                                __prefix_name; \
                           }) \
                        : _NMLOG_PREFIX_NAME, \
                     __info \
                        ? ({ \
                                g_snprintf (__prefix_info, sizeof (__prefix_info), "[%p,%s%s:%s%s%s]: ", __info, \
134
                                            _ops_type_to_string (__info->ops_type), __info->mode == CB_INFO_MODE_IDLE ? "*" : "", \
135 136 137 138 139 140 141
                                            NM_PRINT_FMT_QUOTE_STRING (__info->iface)); \
                                __prefix_info; \
                           }) \
                        : "" \
                     _NM_UTILS_MACRO_REST(__VA_ARGS__)); \
        } \
    } G_STMT_END
142

143
/*****************************************************************************/
144

145 146 147 148 149 150 151 152 153 154
gboolean
nm_firewall_manager_get_running (NMFirewallManager *self)
{
	g_return_val_if_fail (NM_IS_FIREWALL_MANAGER (self), FALSE);

	return NM_FIREWALL_MANAGER_GET_PRIVATE (self)->running;
}

/*****************************************************************************/

155
static CBInfo *
156 157 158
_cb_info_create (NMFirewallManager *self,
                 CBInfoOpsType ops_type,
                 const char *iface,
159
                 const char *zone,
160 161
                 NMFirewallManagerAddRemoveCallback callback,
                 gpointer user_data)
162
{
163
	NMFirewallManagerPrivate *priv = NM_FIREWALL_MANAGER_GET_PRIVATE (self);
164 165
	CBInfo *info;

166
	info = g_slice_new0 (CBInfo);
167
	info->self = g_object_ref (self);
168
	info->ops_type = ops_type;
169 170 171 172
	info->iface = g_strdup (iface);
	info->callback = callback;
	info->user_data = user_data;

173 174
	if (priv->running || priv->proxy_cancellable) {
		info->mode_mutable = CB_INFO_MODE_DBUS_WAITING;
175
		info->dbus.arg = g_variant_new ("(ss)", zone ?: "", iface);
176
	} else
177
		info->mode_mutable = CB_INFO_MODE_IDLE;
178

179
	c_list_link_tail (&priv->pending_calls, &info->lst);
180

181 182 183
	return info;
}

184 185 186
static void
_cb_info_free (CBInfo *info)
{
187
	c_list_unlink_stale (&info->lst);
188
	if (info->mode != CB_INFO_MODE_IDLE) {
189 190
		if (info->dbus.arg)
			g_variant_unref (info->dbus.arg);
191
		g_clear_object (&info->dbus.cancellable);
192
	}
193
	g_free (info->iface);
194
	if (info->self)
195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211
		g_object_unref (info->self);
	g_slice_free (CBInfo, info);
}

static void
_cb_info_callback (CBInfo *info,
                   GError *error)
{
	if (info->callback)
		info->callback (info->self, info, error, info->user_data);
}

static void
_cb_info_complete_normal (CBInfo *info, GError *error)
{
	NMFirewallManagerPrivate *priv = NM_FIREWALL_MANAGER_GET_PRIVATE (info->self);

212 213
	nm_assert (c_list_contains (&priv->pending_calls, &info->lst));

214
	c_list_unlink (&info->lst);
215 216 217 218 219

	_cb_info_callback (info, error);
	_cb_info_free (info);
}

220
static gboolean
221
_handle_idle (gpointer user_data)
222
{
223
	NMFirewallManager *self;
224 225
	CBInfo *info = user_data;

226 227 228 229 230 231 232
	nm_assert (info && NM_IS_FIREWALL_MANAGER (info->self));

	self = info->self;

	_LOGD (info, "complete: fake success");

	_cb_info_complete_normal (info, NULL);
233 234 235
	return G_SOURCE_REMOVE;
}

236
static void
237
_handle_dbus (GObject *proxy, GAsyncResult *result, gpointer user_data)
238
{
239
	NMFirewallManager *self;
240
	CBInfo *info = user_data;
241 242
	gs_free_error GError *error = NULL;
	gs_unref_variant GVariant *ret = NULL;
243

244 245 246 247 248 249 250
	if (info->mode != CB_INFO_MODE_DBUS) {
		_cb_info_free (info);
		return;
	}

	self = info->self;

251
	ret = g_dbus_proxy_call_finish (G_DBUS_PROXY (proxy), result, &error);
252 253 254 255 256 257 258 259 260 261 262 263 264 265 266

	if (error) {
		const char *non_error = NULL;

		g_dbus_error_strip_remote_error (error);

		switch (info->ops_type) {
		case CB_INFO_OPS_ADD:
		case CB_INFO_OPS_CHANGE:
			non_error = "ZONE_ALREADY_SET";
			break;
		case CB_INFO_OPS_REMOVE:
			non_error = "UNKNOWN_INTERFACE";
			break;
		}
267 268 269 270
		if (   error->message
		    && non_error
		    && g_str_has_prefix (error->message, non_error)
		    && NM_IN_SET (error->message[strlen (non_error)], '\0', ':')) {
271 272 273 274 275
			_LOGD (info, "complete: request failed with a non-error (%s)", error->message);

			/* The operation failed with an error reason that we don't want
			 * to propagate. Instead, signal success. */
			g_clear_error (&error);
276
		} else
277 278 279 280 281
			_LOGW (info, "complete: request failed (%s)", error->message);
	} else
		_LOGD (info, "complete: success");

	_cb_info_complete_normal (info, error);
282 283
}

284 285 286 287 288
static void
_handle_dbus_start (NMFirewallManager *self,
                    CBInfo *info)
{
	NMFirewallManagerPrivate *priv = NM_FIREWALL_MANAGER_GET_PRIVATE (self);
289
	const char *dbus_method = NULL;
290 291
	GVariant *arg;

292 293 294 295
	nm_assert (info);
	nm_assert (priv->running);
	nm_assert (info->mode == CB_INFO_MODE_DBUS_WAITING);

296 297 298 299 300 301 302 303 304 305 306
	switch (info->ops_type) {
	case CB_INFO_OPS_ADD:
		dbus_method = "addInterface";
		break;
	case CB_INFO_OPS_CHANGE:
		dbus_method = "changeZone";
		break;
	case CB_INFO_OPS_REMOVE:
		dbus_method = "removeInterface";
		break;
	}
307
	nm_assert (dbus_method);
308 309 310 311 312 313

	arg = info->dbus.arg;
	info->dbus.arg = NULL;

	nm_assert (arg && g_variant_is_floating (arg));

314 315 316
	info->mode_mutable = CB_INFO_MODE_DBUS;
	info->dbus.cancellable = g_cancellable_new ();

317 318 319 320 321 322 323 324 325
	g_dbus_proxy_call (priv->proxy,
	                   dbus_method,
	                   arg,
	                   G_DBUS_CALL_FLAGS_NONE, 10000,
	                   info->dbus.cancellable,
	                   _handle_dbus,
	                   info);
}

326 327 328 329 330 331 332
static NMFirewallManagerCallId
_start_request (NMFirewallManager *self,
                CBInfoOpsType ops_type,
                const char *iface,
                const char *zone,
                NMFirewallManagerAddRemoveCallback callback,
                gpointer user_data)
333
{
334
	NMFirewallManagerPrivate *priv;
335
	CBInfo *info;
336 337 338 339 340 341

	g_return_val_if_fail (NM_IS_FIREWALL_MANAGER (self), NULL);
	g_return_val_if_fail (iface && *iface, NULL);

	priv = NM_FIREWALL_MANAGER_GET_PRIVATE (self);

342
	info = _cb_info_create (self, ops_type, iface, zone, callback, user_data);
343 344 345 346 347

	_LOGD (info, "firewall zone %s %s:%s%s%s%s",
	       _ops_type_to_string (info->ops_type),
	       iface,
	       NM_PRINT_FMT_QUOTED (zone, "\"", zone, "\"", "default"),
348 349 350 351 352 353 354 355 356
	       info->mode == CB_INFO_MODE_IDLE
	         ? " (not running, simulate success)"
	         : (!priv->running
	              ? " (waiting to initialize)"
	              : ""));

	if (info->mode == CB_INFO_MODE_DBUS_WAITING) {
		if (priv->running)
			_handle_dbus_start (self, info);
357 358 359 360 361 362 363 364
		if (!info->callback) {
			/* if the user did not provide a callback, the call_id is useless.
			 * Especially, the user cannot use the call-id to cancel the request,
			 * because he cannot know whether the request is still pending.
			 *
			 * Hence, returning %NULL doesn't mean that the request could not be started
			 * (the request will always be started). */
			return NULL;
365
		}
366 367 368 369 370 371 372 373 374 375
	} else if (info->mode == CB_INFO_MODE_IDLE) {
		if (!info->callback) {
			/* if the user did not provide a callback and firewalld is not running,
			 * there is no point in scheduling an idle-request to fake success. Just
			 * return right away. */
			_LOGD (info, "complete: drop request simulating success");
			_cb_info_complete_normal (info, NULL);
			return NULL;
		} else
			info->idle.id = g_idle_add (_handle_idle, info);
376
	} else
377
		nm_assert_not_reached ();
378

379
	return info;
380 381
}

382 383 384 385 386 387 388
NMFirewallManagerCallId
nm_firewall_manager_add_or_change_zone (NMFirewallManager *self,
                                        const char *iface,
                                        const char *zone,
                                        gboolean add, /* TRUE == add, FALSE == change */
                                        NMFirewallManagerAddRemoveCallback callback,
                                        gpointer user_data)
389
{
390 391 392 393 394 395
	return _start_request (self,
	                       add ? CB_INFO_OPS_ADD : CB_INFO_OPS_CHANGE,
	                       iface,
	                       zone,
	                       callback,
	                       user_data);
396 397
}

398
NMFirewallManagerCallId
399 400
nm_firewall_manager_remove_from_zone (NMFirewallManager *self,
                                      const char *iface,
401 402 403
                                      const char *zone,
                                      NMFirewallManagerAddRemoveCallback callback,
                                      gpointer user_data)
404
{
405 406 407 408 409 410
	return _start_request (self,
	                       CB_INFO_OPS_REMOVE,
	                       iface,
	                       zone,
	                       callback,
	                       user_data);
411 412
}

413
void
414
nm_firewall_manager_cancel_call (NMFirewallManagerCallId call)
415
{
416
	NMFirewallManager *self;
417 418
	NMFirewallManagerPrivate *priv;
	CBInfo *info = call;
419
	gs_free_error GError *error = NULL;
420

421 422
	g_return_if_fail (info);
	g_return_if_fail (NM_IS_FIREWALL_MANAGER (info->self));
423

424 425
	self = info->self;
	priv = NM_FIREWALL_MANAGER_GET_PRIVATE (self);
426

427 428
	nm_assert (c_list_contains (&priv->pending_calls, &info->lst));

429
	c_list_unlink (&info->lst);
430

431 432 433 434 435 436
	nm_utils_error_set_cancelled (&error, FALSE, "NMFirewallManager");

	_LOGD (info, "complete: cancel (%s)", error->message);

	_cb_info_callback (info, error);

437 438 439
	if (info->mode == CB_INFO_MODE_DBUS_WAITING)
		_cb_info_free (info);
	else if (info->mode == CB_INFO_MODE_IDLE) {
440 441 442
		g_source_remove (info->idle.id);
		_cb_info_free (info);
	} else {
443
		info->mode_mutable = CB_INFO_MODE_DBUS_COMPLETED;
444 445 446
		g_cancellable_cancel (info->dbus.cancellable);
		g_clear_object (&info->self);
	}
447 448
}

449
/*****************************************************************************/
450

451
static gboolean
452
name_owner_changed (NMFirewallManager *self)
453
{
454
	NMFirewallManagerPrivate *priv = NM_FIREWALL_MANAGER_GET_PRIVATE (self);
455
	gs_free char *owner = NULL;
456
	gboolean now_running;
457

458
	owner = g_dbus_proxy_get_name_owner (priv->proxy);
459 460 461
	now_running = !!owner;

	if (now_running == priv->running)
462
		return FALSE;
463 464 465

	priv->running = now_running;
	_LOGD (NULL, "firewall %s", now_running ? "started" : "stopped");
466
	return TRUE;
467 468
}

469 470 471 472 473
static void
name_owner_changed_cb (GObject    *object,
                       GParamSpec *pspec,
                       gpointer    user_data)
{
474 475 476
	NMFirewallManager *self = user_data;

	nm_assert (NM_IS_FIREWALL_MANAGER (self));
477
	nm_assert (G_IS_DBUS_PROXY (object));
478
	nm_assert (NM_FIREWALL_MANAGER_GET_PRIVATE (self)->proxy == G_DBUS_PROXY (object));
479

480 481
	if (name_owner_changed (self))
		g_signal_emit (self, signals[STATE_CHANGED], 0, FALSE);
482 483 484 485 486 487 488 489 490 491 492
}

static void
_proxy_new_cb (GObject *source_object,
               GAsyncResult *result,
               gpointer user_data)
{
	NMFirewallManager *self;
	NMFirewallManagerPrivate *priv;
	GDBusProxy *proxy;
	gs_free_error GError *error = NULL;
493
	CBInfo *info;
494
	CList *iter;
495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513

	proxy = g_dbus_proxy_new_for_bus_finish (result, &error);
	if (   !proxy
	    && g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED))
		return;

	self = user_data;
	priv = NM_FIREWALL_MANAGER_GET_PRIVATE (self);
	g_clear_object (&priv->proxy_cancellable);

	if (!proxy) {
		_LOGW (NULL, "could not connect to system D-Bus (%s)", error->message);
		return;
	}

	priv->proxy = proxy;
	g_signal_connect (priv->proxy, "notify::g-name-owner",
	                  G_CALLBACK (name_owner_changed_cb), self);

514 515 516 517
	if (!name_owner_changed (self))
		_LOGD (NULL, "firewall %s", "initialized (not running)");

again:
518 519 520
	c_list_for_each (iter, &priv->pending_calls) {
		info = c_list_entry (iter, CBInfo, lst);

521 522 523 524 525 526 527
		if (info->mode != CB_INFO_MODE_DBUS_WAITING)
			continue;
		if (priv->running) {
			_LOGD (info, "make D-Bus call");
			_handle_dbus_start (self, info);
		} else {
			_LOGD (info, "complete: fake success");
528
			c_list_unlink (&info->lst);
529 530 531 532 533 534 535 536 537
			_cb_info_callback (info, NULL);
			_cb_info_free (info);
			goto again;
		}
	}

	/* we always emit a state-changed signal, even if the
	 * "running" property is still false. */
	g_signal_emit (self, signals[STATE_CHANGED], 0, TRUE);
538 539
}

540
/*****************************************************************************/
541 542 543 544 545

static void
nm_firewall_manager_init (NMFirewallManager * self)
{
	NMFirewallManagerPrivate *priv = NM_FIREWALL_MANAGER_GET_PRIVATE (self);
546

547
	c_list_init (&priv->pending_calls);
548 549 550 551 552 553 554
}

static void
constructed (GObject *object)
{
	NMFirewallManager *self = (NMFirewallManager *) object;
	NMFirewallManagerPrivate *priv = NM_FIREWALL_MANAGER_GET_PRIVATE (self);
555

556
	priv->proxy_cancellable = g_cancellable_new ();
557

558 559 560 561 562 563 564 565 566 567
	g_dbus_proxy_new_for_bus (G_BUS_TYPE_SYSTEM,
	                            G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES
	                          | G_DBUS_PROXY_FLAGS_DO_NOT_CONNECT_SIGNALS,
	                          NULL,
	                          FIREWALL_DBUS_SERVICE,
	                          FIREWALL_DBUS_PATH,
	                          FIREWALL_DBUS_INTERFACE_ZONE,
	                          priv->proxy_cancellable,
	                          _proxy_new_cb,
	                          self);
568

569
	G_OBJECT_CLASS (nm_firewall_manager_parent_class)->constructed (object);
570 571 572 573 574
}

static void
dispose (GObject *object)
{
575 576 577
	NMFirewallManager *self = NM_FIREWALL_MANAGER (object);
	NMFirewallManagerPrivate *priv = NM_FIREWALL_MANAGER_GET_PRIVATE (self);

578 579 580
	/* as every pending operation takes a reference to the manager,
	 * we don't expect pending operations at this point. */
	nm_assert (c_list_is_empty (&priv->pending_calls));
581

582
	nm_clear_g_cancellable (&priv->proxy_cancellable);
583
	g_clear_object (&priv->proxy);
584 585 586 587 588 589 590 591 592

	G_OBJECT_CLASS (nm_firewall_manager_parent_class)->dispose (object);
}

static void
nm_firewall_manager_class_init (NMFirewallManagerClass *klass)
{
	GObjectClass *object_class = G_OBJECT_CLASS (klass);

593
	object_class->constructed = constructed;
594 595
	object_class->dispose = dispose;

596 597
	signals[STATE_CHANGED] =
	    g_signal_new (NM_FIREWALL_MANAGER_STATE_CHANGED,
598 599
	                  G_OBJECT_CLASS_TYPE (object_class),
	                  G_SIGNAL_RUN_FIRST,
600
	                  0,
601
	                  NULL, NULL,
602 603 604
	                  g_cclosure_marshal_VOID__BOOLEAN,
	                  G_TYPE_NONE, 1,
	                  G_TYPE_BOOLEAN /* initialized_now */);
605
}