Google Git
Sign in
android / platform / system / firewalld / refs/heads/nougat-mr2-release / . / iptables.h
blob: 74b9acb6610242e90c47b4fd8866a750c58f1357 [file] [log] [blame]
Gilad Arnold7db56bd2015-08-05 15:26:02 -0700[diff] [blame]1// Copyright 2014 The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
Jorge Lucangeli Obes86208682014-12-05 15:28:04 -0800[diff] [blame]14
15#ifndef FIREWALLD_IPTABLES_H_
16#define FIREWALLD_IPTABLES_H_
17
18#include <stdint.h>
19
Jorge Lucangeli Obeseee27d22015-02-12 11:49:38 -0800[diff] [blame]20#include <set>
Jorge Lucangeli Obes86208682014-12-05 15:28:04 -0800[diff] [blame]21#include <string>
Jorge Lucangeli Obeseee27d22015-02-12 11:49:38 -0800[diff] [blame]22#include <utility>
Prabhu Kaliamoorthi40653d02015-02-12 14:21:43 +0100[diff] [blame]23#include <vector>
Jorge Lucangeli Obes86208682014-12-05 15:28:04 -0800[diff] [blame]24
25#include <base/macros.h>
Alex Vakulenkoe478a112015-10-13 09:58:47 -0700[diff] [blame]26#include <brillo/errors/error.h>
Jorge Lucangeli Obes86208682014-12-05 15:28:04 -0800[diff] [blame]27
Gilad Arnoldc20ed4f2015-08-21 14:56:32 -0700[diff] [blame]28#include "dbus_bindings/org.chromium.Firewalld.h"
Jorge Lucangeli Obes86208682014-12-05 15:28:04 -0800[diff] [blame]29
30namespace firewalld {
31
Jorge Lucangeli Obesbfc594b2014-12-10 13:35:18 -0800[diff] [blame]32enum ProtocolEnum { kProtocolTcp, kProtocolUdp };
33
Jorge Lucangeli Obes86208682014-12-05 15:28:04 -0800[diff] [blame]34class IpTables : public org::chromium::FirewalldInterface {
35 public:
Jorge Lucangeli Obeseee27d22015-02-12 11:49:38 -0800[diff] [blame]36 typedef std::pair<uint16_t, std::string> Hole;
37
Gilad Arnold7db56bd2015-08-05 15:26:02 -0700[diff] [blame]38 IpTables();
Jorge Lucangeli Obes0e7a6582015-01-16 17:28:22 -0800[diff] [blame]39 ~IpTables();
Jorge Lucangeli Obes86208682014-12-05 15:28:04 -0800[diff] [blame]40
41 // D-Bus methods.
Jorge Lucangeli Obeseee27d22015-02-12 11:49:38 -0800[diff] [blame]42 bool PunchTcpHole(uint16_t in_port, const std::string& in_interface) override;
43 bool PunchUdpHole(uint16_t in_port, const std::string& in_interface) override;
44 bool PlugTcpHole(uint16_t in_port, const std::string& in_interface) override;
45 bool PlugUdpHole(uint16_t in_port, const std::string& in_interface) override;
Jorge Lucangeli Obes86208682014-12-05 15:28:04 -0800[diff] [blame]46
Prabhu Kaliamoorthi40653d02015-02-12 14:21:43 +0100[diff] [blame]47 bool RequestVpnSetup(const std::vector<std::string>& usernames,
48 const std::string& interface) override;
49 bool RemoveVpnSetup(const std::vector<std::string>& usernames,
50 const std::string& interface) override;
51
Jorge Lucangeli Obes650d2292015-02-25 14:14:29 -0800[diff] [blame]52 // Close all outstanding firewall holes.
53 void PlugAllHoles();
54
Jorge Lucangeli Obes86208682014-12-05 15:28:04 -0800[diff] [blame]55 private:
56 friend class IpTablesTest;
Jorge Lucangeli Obes2b2e0472016-02-01 12:27:03 -0800[diff] [blame]57 FRIEND_TEST(IpTablesTest, ApplyVpnSetupAdd_Success);
58 FRIEND_TEST(IpTablesTest, ApplyVpnSetupAdd_FailureInUsername);
59 FRIEND_TEST(IpTablesTest, ApplyVpnSetupAdd_FailureInMasquerade);
60 FRIEND_TEST(IpTablesTest, ApplyVpnSetupAdd_FailureInRuleForUserTraffic);
61 FRIEND_TEST(IpTablesTest, ApplyVpnSetupRemove_Success);
62 FRIEND_TEST(IpTablesTest, ApplyVpnSetupRemove_Failure);
Jorge Lucangeli Obes86208682014-12-05 15:28:04 -0800[diff] [blame]63
Jorge Lucangeli Obesbfc594b2014-12-10 13:35:18 -0800[diff] [blame]64 bool PunchHole(uint16_t port,
Jorge Lucangeli Obeseee27d22015-02-12 11:49:38 -0800[diff] [blame]65 const std::string& interface,
66 std::set<Hole>* holes,
Jorge Lucangeli Obesbef267f2015-02-13 17:06:27 -0800[diff] [blame]67 ProtocolEnum protocol);
Jorge Lucangeli Obesbfc594b2014-12-10 13:35:18 -0800[diff] [blame]68 bool PlugHole(uint16_t port,
Jorge Lucangeli Obeseee27d22015-02-12 11:49:38 -0800[diff] [blame]69 const std::string& interface,
70 std::set<Hole>* holes,
Jorge Lucangeli Obesbef267f2015-02-13 17:06:27 -0800[diff] [blame]71 ProtocolEnum protocol);
Jorge Lucangeli Obesbfc594b2014-12-10 13:35:18 -0800[diff] [blame]72
Jorge Lucangeli Obesbef267f2015-02-13 17:06:27 -0800[diff] [blame]73 bool AddAcceptRules(ProtocolEnum protocol,
74 uint16_t port,
75 const std::string& interface);
76 bool DeleteAcceptRules(ProtocolEnum protocol,
77 uint16_t port,
78 const std::string& interface);
Jorge Lucangeli Obes73cb1832015-05-08 16:16:59 -0700[diff] [blame]79
80 virtual bool AddAcceptRule(const std::string& executable_path,
81 ProtocolEnum protocol,
82 uint16_t port,
83 const std::string& interface);
84 virtual bool DeleteAcceptRule(const std::string& executable_path,
85 ProtocolEnum protocol,
86 uint16_t port,
87 const std::string& interface);
Jorge Lucangeli Obes0e7a6582015-01-16 17:28:22 -0800[diff] [blame]88
Prabhu Kaliamoorthi40653d02015-02-12 14:21:43 +0100[diff] [blame]89 bool ApplyVpnSetup(const std::vector<std::string>& usernames,
90 const std::string& interface,
91 bool add);
92
Jorge Lucangeli Obes835d2c22016-02-01 15:05:01 -0800[diff] [blame]93 virtual bool ApplyMasquerade(const std::string& interface, bool add);
94 bool ApplyMasqueradeWithExecutable(const std::string& interface,
95 const std::string& executable_path,
96 bool add);
Prabhu Kaliamoorthi40653d02015-02-12 14:21:43 +0100[diff] [blame]97
Jorge Lucangeli Obes835d2c22016-02-01 15:05:01 -0800[diff] [blame]98 virtual bool ApplyMarkForUserTraffic(const std::string& username, bool add);
99 bool ApplyMarkForUserTrafficWithExecutable(const std::string& username,
100 const std::string& executable_path,
101 bool add);
102
103 virtual bool ApplyRuleForUserTraffic(bool add);
104 bool ApplyRuleForUserTrafficWithVersion(const std::string& ip_version,
105 bool add);
106
107 int ExecvNonRoot(const std::vector<std::string>& argv, uint64_t capmask);
Jorge Lucangeli Obes86208682014-12-05 15:28:04 -0800[diff] [blame]108
109 // Keep track of firewall holes to avoid adding redundant firewall rules.
Jorge Lucangeli Obeseee27d22015-02-12 11:49:38 -0800[diff] [blame]110 std::set<Hole> tcp_holes_;
111 std::set<Hole> udp_holes_;
Jorge Lucangeli Obes86208682014-12-05 15:28:04 -0800[diff] [blame]112
Gilad Arnold7db56bd2015-08-05 15:26:02 -0700[diff] [blame]113 // Tracks whether IPv6 filtering is enabled. If set to |true| (the default),
114 // then it is required to be working. If |false|, then adding of IPv6 rules is
115 // still attempted but not mandatory; however, if it is successful even once,
116 // then it'll be changed to |true| and enforced thereafter.
117 bool ip6_enabled_ = true;
118
Jorge Lucangeli Obes86208682014-12-05 15:28:04 -0800[diff] [blame]119 DISALLOW_COPY_AND_ASSIGN(IpTables);
120};
121
122} // namespace firewalld
123
124#endif // FIREWALLD_IPTABLES_H_