1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #ifndef NET_FIREWALL_PARCEL_H
17 #define NET_FIREWALL_PARCEL_H
18
19 #include <string>
20 #include <vector>
21 #include <netinet/in.h>
22
23 #include "parcel.h"
24
25 namespace OHOS {
26 namespace NetManagerStandard {
27 // Intercept only one record per minute, with a buffer time of 60 seconds
28 constexpr const int32_t INTERCEPT_BUFF_INTERVAL_SEC = 60;
29 // Maximum number of rules per user
30 constexpr int32_t FIREWALL_RULE_SIZE_MAX = 1000;
31 // Maximum number of domain for all users
32 constexpr int32_t FIREWALL_DOMAIN_RULE_SIZE_MAX = 2000;
33 constexpr int32_t FIREWALL_IPC_IP_RULE_PAGE_SIZE = 300;
34 constexpr int32_t FIREWALL_IPC_DOMAIN_RULE_PAGE_SIZE = 2000;
35 constexpr uint8_t FAMILY_IPV4 = 1;
36 constexpr uint8_t FAMILY_IPV6 = 2;
37 constexpr uint8_t SINGLE_IP = 1;
38 constexpr uint8_t MULTIPLE_IP = 2;
39 constexpr int32_t IPV6_ARRAY_SIZE = 16;
40
41 constexpr const char *COMMA = ",";
42 constexpr const char *NET_FIREWALL_IS_OPEN = "isOpen";
43 constexpr const char *NET_FIREWALL_IN_ACTION = "inAction";
44 constexpr const char *NET_FIREWALL_OUT_ACTION = "outAction";
45
46 namespace {
47 const std::string NET_FIREWALL_RULE_ID = "id";
48 const std::string NET_FIREWALL_RULE_NAME = "name";
49 const std::string NET_FIREWALL_RULE_DESC = "description";
50 const std::string NET_FIREWALL_RULE_DIR = "direction";
51 const std::string NET_FIREWALL_RULE_ACTION = "action";
52 const std::string NET_FIREWALL_RULE_TYPE = "type";
53 const std::string NET_FIREWALL_IS_ENABLED = "isEnabled";
54 const std::string NET_FIREWALL_APP_ID = "appUid";
55 const std::string NET_FIREWALL_LOCAL_IP = "localIps";
56 const std::string NET_FIREWALL_REMOTE_IP = "remoteIps";
57 const std::string NET_FIREWALL_PROTOCOL = "protocol";
58 const std::string NET_FIREWALL_LOCAL_PORT = "localPorts";
59 const std::string NET_FIREWALL_REMOTE_PORT = "remotePorts";
60 const std::string NET_FIREWALL_RULE_DOMAIN = "domains";
61 const std::string NET_FIREWALL_DNS = "dns";
62 const std::string NET_FIREWALL_USER_ID = "userId";
63 const std::string NET_FIREWALL_IP_FAMILY = "family";
64 const std::string NET_FIREWALL_IP_TYPE = "type";
65 const std::string NET_FIREWALL_IP_ADDRESS = "address";
66 const std::string NET_FIREWALL_IP_MASK = "mask";
67 const std::string NET_FIREWALL_IP_START = "startIp";
68 const std::string NET_FIREWALL_IP_END = "endIp";
69 const std::string NET_FIREWALL_PORT_START = "startPort";
70 const std::string NET_FIREWALL_PORT_END = "endPort";
71 const std::string NET_FIREWALL_DOMAIN_IS_WILDCARD = "isWildcard";
72 const std::string NET_FIREWALL_DOMAIN = "domain";
73 const std::string NET_FIREWALL_DNS_PRIMARY = "primaryDns";
74 const std::string NET_FIREWALL_DNS_STANDY = "standbyDns";
75 const std::string NET_FIREWALL_RECORD_TIME = "time";
76 const std::string NET_FIREWALL_RECORD_LOCAL_IP = "localIp";
77 const std::string NET_FIREWALL_RECORD_REMOTE_IP = "remoteIp";
78 const std::string NET_FIREWALL_RECORD_LOCAL_PORT = "localPort";
79 const std::string NET_FIREWALL_RECORD_REMOTE_PORT = "remotePort";
80 const std::string NET_FIREWALL_RECORD_PROTOCOL = "protocol";
81 const std::string NET_FIREWALL_RECORD_UID = "appUid";
82
83 const std::string EQUAL = "=";
84 } // namespace
85
86 // Firewall rule direction enumeration
87 enum class NetFirewallRuleDirection {
88 RULE_IN = 1, // Inbound
89 RULE_OUT // Outbound
90 };
91
92 // Firewall rule behavior enumeration
93 enum class FirewallRuleAction {
94 RULE_INVALID = -1,
95 RULE_ALLOW = 0, // allow
96 RULE_DENY // deny
97 };
98
99 // Firewall Rule Type
100 enum class NetFirewallRuleType {
101 RULE_INVALID = -1, // TYPE INVALID
102 RULE_IP = 1, // TYPE IP
103 RULE_DOMAIN, // TYPE Domain
104 RULE_DNS, // TYPE DNS
105 RULE_DEFAULT_ACTION, //TYPE DEFAULT ACTION
106 RULE_ALL // TYPE ALL
107 };
108
109 // Network protocol, currently only supports the following enumeration. Please refer to the enumeration data for
110 // details: https://learn.microsoft.com/en-us/graph/api/resources/securitynetworkprotocol?view=graph-rest-1.0
111 enum class NetworkProtocol {
112 ICMP = 1, // Internet Control Message Protocol.
113 TCP = 6, // Transmission Control Protocol.
114 UDP = 17, // User Datagram Protocol.
115 ICMPV6 = 58, // Internet Control Message Protocol for ipv6.
116 GRE = 47, // General Routing Encapsulation
117 IPSEC_ESP = 50, // Encap Security Payload [RFC2406]
118 IPSEC_AH = 51, // Authentication Header [RFC2402]
119 L2TP = 115, // Layer Two Tunneling Protocol [RFC2661]
120 SAT_EXPAK = 64, // SATNET and Backroom EXPAK
121 };
122
123 // Firewall IP parameters
124 struct NetFirewallIpParam : public Parcelable {
125 uint8_t family; // IPv4=1, IPv6=2, default IPv4, not currently supported for others, optional
126 uint8_t type; // 1:IP address or subnet, when using a single IP, the mask is 32,2: IP segment. Optional
127 uint8_t mask; // IPv4: subnet mask, IPv6: prefix. Optional
128 union {
129 struct {
130 in_addr startIp; // Store IP for single IP, and store starting IP for IP end
131 in_addr endIp;
132 } ipv4;
133 struct {
134 in6_addr startIp; // Store IP for single IP, and store starting IP for IP end
135 in6_addr endIp;
136 } ipv6;
137 };
138 virtual bool Marshalling(Parcel &parcel) const override;
139 static sptr<NetFirewallIpParam> Unmarshalling(Parcel &parcel);
140 std::string GetStartIp() const;
141 std::string GetEndIp() const;
142 };
143
144 // Firewall port parameters
145 struct NetFirewallPortParam : public Parcelable {
146 uint16_t startPort; // When there is only one port, the starting port is the same as the ending port. Optional
147 uint16_t endPort; // When there is only one end port, the start port is the same as the end port. Optional
148
149 virtual bool Marshalling(Parcel &parcel) const override;
150 static sptr<NetFirewallPortParam> Unmarshalling(Parcel &parcel);
151 };
152
153 // Firewall domain name parameters
154 struct NetFirewallDomainParam : public Parcelable {
155 bool isWildcard; // Is there a universal configuration rule? It is mandatory
156 std::string domain; // Domain, mandatory
157
158 virtual bool Marshalling(Parcel &parcel) const override;
159 static sptr<NetFirewallDomainParam> Unmarshalling(Parcel &parcel);
160 };
161
162 // Firewall DNS parameters
163 struct NetFirewallDnsParam : public Parcelable {
164 std::string primaryDns; // Primary DNS, mandatory
165 std::string standbyDns; // Backup DNS, optional
166
167 virtual bool Marshalling(Parcel &parcel) const override;
168 static sptr<NetFirewallDnsParam> Unmarshalling(Parcel &parcel);
169 };
170
171 struct NetFirewallBaseRule : public Parcelable {
172 int32_t userId;
173 int32_t appUid;
174
175 virtual bool Marshalling(Parcel &parcel) const override;
176 static sptr<NetFirewallBaseRule> Unmarshalling(Parcel &parcel);
177 static bool UnmarshallingBase(Parcel &parcel, sptr<NetFirewallBaseRule> ptr);
178 };
179
180 struct NetFirewallDomainRule : public NetFirewallBaseRule {
181 FirewallRuleAction ruleAction;
182 std::vector<NetFirewallDomainParam> domains;
183
184 bool Marshalling(Parcel &parcel) const override;
185 static sptr<NetFirewallDomainRule> Unmarshalling(Parcel &parcel);
186 };
187
188 struct NetFirewallIpRule : public NetFirewallBaseRule {
189 NetFirewallRuleDirection ruleDirection;
190 FirewallRuleAction ruleAction;
191 NetworkProtocol protocol;
192 std::vector<NetFirewallIpParam> localIps;
193 std::vector<NetFirewallIpParam> remoteIps;
194 std::vector<NetFirewallPortParam> localPorts;
195 std::vector<NetFirewallPortParam> remotePorts;
196
197 static sptr<NetFirewallIpRule> Unmarshalling(Parcel &parcel);
198 bool Marshalling(Parcel &parcel) const override;
199 };
200
201 struct NetFirewallDnsRule : public NetFirewallBaseRule {
202 std::string primaryDns;
203 std::string standbyDns;
204
205 static sptr<NetFirewallDnsRule> Unmarshalling(Parcel &parcel);
206 bool Marshalling(Parcel &parcel) const override;
207 };
208
firewall_rule_cast(const sptr<NetFirewallBaseRule> & object)209 template <typename T> inline sptr<T> firewall_rule_cast(const sptr<NetFirewallBaseRule> &object)
210 {
211 return static_cast<T *>(object.GetRefPtr());
212 }
213
214 // Firewall rules, external interfaces
215 struct NetFirewallRule : public Parcelable {
216 int32_t ruleId; // Rule ID, optional
217 std::string ruleName; // Rule name, mandatory
218 std::string ruleDescription; // Rule description, optional
219 NetFirewallRuleDirection ruleDirection; // Rule direction, inbound or outbound, mandatory
220 FirewallRuleAction ruleAction; // Behavior rules, mandatory
221 NetFirewallRuleType ruleType; // Rule type, mandatory
222 bool isEnabled; // Enable or not, required
223 int32_t appUid; // Application or service ID, optional
224 std::vector<NetFirewallIpParam> localIps; // Local IP address, optional
225 std::vector<NetFirewallIpParam> remoteIps; // Remote IP address, optional
226 NetworkProtocol protocol; // Protocol, TCP: 6, UDP: 17. Optional
227 std::vector<NetFirewallPortParam> localPorts; // Local port, optional
228 std::vector<NetFirewallPortParam> remotePorts; // Remote port, optional
229 std::vector<NetFirewallDomainParam> domains; // Domain name list, optional
230 NetFirewallDnsParam dns; // DNS, optional
231 int32_t userId; // User ID, mandatory
232
233 static sptr<NetFirewallRule> Unmarshalling(Parcel &parcel);
234 virtual bool Marshalling(Parcel &parcel) const override;
235 std::string ToString() const;
236 };
237
238 // Interception Record
239 struct InterceptRecord : public Parcelable {
240 uint16_t localPort; // Local Port
241 uint16_t remotePort; // Destination Port
242 uint16_t protocol; // Transport Layer Protocol
243 int32_t time; // time stamp
244 std::string localIp; // Local IP
245 std::string remoteIp; // Remote IP
246 int32_t appUid; // Application or Service ID
247 std::string domain; // domain name
248
249 virtual bool Marshalling(Parcel &parcel) const override;
250 static sptr<InterceptRecord> Unmarshalling(Parcel &parcel);
251 };
252
253 class NetFirewallUtils {
254 public:
255 NetFirewallUtils() = default;
256 ~NetFirewallUtils() = default;
257 NetFirewallUtils(const NetFirewallUtils &) = delete;
258 NetFirewallUtils &operator = (const NetFirewallUtils &) = delete;
259 // String segmentation
260 static std::vector<std::string> split(const std::string &text, char delim = ',');
261 // Delete substring to obtain the remaining strings after deletion
262 static std::string erase(const std::string &src, const std::string &sub);
263
264 // Serialization&Deserialization List
265 template <typename T> static bool MarshallingList(const std::vector<T> &list, Parcel &parcel);
266 template <typename T> static bool UnmarshallingList(Parcel &parcel, std::vector<T> &list);
267 };
268 } // namespace NetManagerStandard
269 } // namespace OHOS
270
271 #endif // NET_FIREWALL_PARCEL_H