Diffstat (limited to 'server/FirewallController.cpp')
| -rw-r--r-- | server/FirewallController.cpp | 26 |
1 files changed, 15 insertions, 11 deletions
diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
index 0a0f8d82..35fd1e20 100644
--- a/server/FirewallController.cpp
+++ b/server/FirewallController.cpp
@@ -90,7 +90,8 @@ FirewallController::FirewallController(void) : mMaxUid(discoverMaximumValidUid(k
 }
 int FirewallController::setupIptablesHooks(void) {
- int res = 0;
+ int res = flushRules();
+
 // mUseBpfOwnerMatch should be removed, but it is still depended upon by test code.
 mUseBpfOwnerMatch = true;
 if (mUseBpfOwnerMatch) {
@@ -126,21 +127,24 @@ int FirewallController::setFirewallType(FirewallType ftype) {
 return res ? -EREMOTEIO : 0;
 }
-int FirewallController::resetFirewall(void) {
- mFirewallType = ALLOWLIST;
- mIfaceRules.clear();
-
- // flush any existing rules
+int FirewallController::flushRules() {
 std::string command =
- "*filter\n"
- ":fw_INPUT -\n"
- ":fw_OUTPUT -\n"
- ":fw_FORWARD -\n"
- "COMMIT\n";
+ "*filter\n"
+ ":fw_INPUT -\n"
+ ":fw_OUTPUT -\n"
+ ":fw_FORWARD -\n"
+ "-6 -A fw_OUTPUT ! -o lo -s ::1 -j DROP\n"
+ "COMMIT\n";
 return (execIptablesRestore(V4V6, command.c_str()) == 0) ? 0 : -EREMOTEIO;
 }
+int FirewallController::resetFirewall(void) {
+ mFirewallType = ALLOWLIST;
+ mIfaceRules.clear();
+ return flushRules();
+}
+
 int FirewallController::enableChildChains(ChildChain chain, bool enable) {
 int res = 0;
 const char* name; |
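Review bot: `int res = flushRules();` makes setupIptablesHooks able to fail where `int res = 0;` could not, and nothing at the call site says that this is intended; the `if (mUseBpfOwnerMatch) {` branch and whatever it returns lie outside the hunk, so I am inferring that `res` is what that early path hands back. Since flushRules() reports -EREMOTEIO when iptables-restore fails, a broken restore now turns into a failed hook setup, which is a behaviour change worth one line above the assignment, e.g. `// Re-create the fw_* chains before anything else is installed; a failed restore must fail setup.` The rest of setupIptablesHooks is not visible here.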
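Review bot: flushRules() no longer only flushes — the new `"-6 -A fw_OUTPUT ! -o lo -s ::1 -j DROP\n"` line installs a rule into fw_OUTPUT in the same restore, and the old `// flush any existing rules` comment was deleted rather than updated, so the function now does something its name and its (absent) comment do not say. Suggest a comment above `std::string command =`, e.g. `// Re-create the fw_* chains empty, then add the one rule that must survive every flush: drop IPv6 packets with source ::1 leaving on any interface other than lo.` — the reason that rule belongs in the flush routine rather than in setFirewallType should be confirmed against the commit message and stated there. The rule is IPv6-only; whether the IPv4 loopback range needs the same treatment is not visible in this hunk and deserves a sentence either way. Minor: the new definitions mix `flushRules()` and `resetFirewall(void)`; the surrounding file uses the `(void)` form.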
