1 /* 2 * Copyright (C) 2021-2022 Huawei Device Co., Ltd. 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * http://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16 #ifndef INCLUDE_ROUTE_MANAGER_H 17 #define INCLUDE_ROUTE_MANAGER_H 18 19 #include <linux/netlink.h> 20 #include <map> 21 #include <netinet/in.h> 22 #include <cstdint> 23 24 #include "netlink_msg.h" 25 #include "network_permission.h" 26 #include "uid_range.h" 27 #include "route_type.h" 28 29 namespace OHOS { 30 namespace nmd { 31 constexpr uid_t INVALID_UID = static_cast<uid_t>(-1); 32 typedef struct RuleInfo { 33 uint32_t ruleTable; 34 uint32_t rulePriority; 35 uint32_t ruleFwmark; 36 uint32_t ruleMask; 37 std::string ruleIif; 38 std::string ruleOif; 39 std::string ruleSrcIp; 40 std::string ruleDstIp; 41 } RuleInfo; 42 43 typedef struct RouteInfo { 44 uint32_t routeTable; 45 std::string routeInterfaceName; 46 std::string routeDestinationName; 47 std::string routeNextHop; 48 bool isExcludedRoute = false; 49 } RouteInfo; 50 51 typedef struct InetAddr { 52 int32_t family; 53 int32_t bitlen; 54 int32_t prefixlen; 55 uint8_t data[sizeof(struct in6_addr)]; 56 } InetAddr; 57 58 class RouteManager { 59 public: 60 RouteManager(); 61 ~RouteManager() = default; 62 63 /** 64 * Route table type 65 * 66 */ 67 enum TableType { 68 INTERFACE, 69 VPN_NETWORK, 70 LOCAL_NETWORK, 71 INTERNAL_DEFAULT, 72 }; 73 74 /** 75 * The interface is add route table 76 * 77 * @param tableType Route table type.Must be one of INTERFACE/VPN_NETWORK/LOCAL_NETWORK. 78 * @param networkRouteInfo Route info 79 * @return Returns 0, add route table successfully, otherwise it will fail 80 */ 81 static int32_t AddRoute(TableType tableType, NetworkRouteInfo networkRouteInfo, bool& routeRepeat); 82 83 /** 84 * The interface is remove route table 85 * 86 * @param tableType Route table type.Must be one of INTERFACE/VPN_NETWORK/LOCAL_NETWORK. 87 * @param interfaceName Output network device name of the route item 88 * @param destinationName Destination address of route item 89 * @param nextHop Gateway address of the route item 90 * @return Returns 0, remove route table successfully, otherwise it will fail 91 */ 92 static int32_t RemoveRoute(TableType tableType, const std::string &interfaceName, 93 const std::string &destinationName, const std::string &nextHop); 94 95 /** 96 * The interface is update route table 97 * 98 * @param tableType Route table type.Must be one of INTERFACE/VPN_NETWORK/LOCAL_NETWORK. 99 * @param interfaceName Output network device name of the route item 100 * @param destinationName Destination address of route item 101 * @param nextHop Gateway address of the route item 102 * @return Returns 0, update route table successfully, otherwise it will fail 103 */ 104 static int32_t UpdateRoute(TableType tableType, const std::string &interfaceName, 105 const std::string &destinationName, const std::string &nextHop); 106 107 /** 108 * Add interface to default network 109 * 110 * @param interfaceName Output network device name of the route item 111 * @param permission Network permission. Must be one of 112 * PERMISSION_NONE/PERMISSION_NETWORK/PERMISSION_SYSTEM. 113 * @return Returns 0, add interface to default network successfully, otherwise it will fail 114 */ 115 static int32_t AddInterfaceToDefaultNetwork(const std::string &interfaceName, NetworkPermission permission); 116 117 /** 118 * Remove interface from default network 119 * 120 * @param interfaceName Output network device name of the route item 121 * @param permission Network permission. Must be one of 122 * PERMISSION_NONE/PERMISSION_NETWORK/PERMISSION_SYSTEM. 123 * @return Returns 0, remove interface from default network successfully, otherwise it will fail 124 */ 125 static int32_t RemoveInterfaceFromDefaultNetwork(const std::string &interfaceName, NetworkPermission permission); 126 127 /** 128 * Add interface to physical network 129 * 130 * @param netId Network number 131 * @param interfaceName Output network device name of the route item 132 * @param permission Network permission. Must be one of 133 * PERMISSION_NONE/PERMISSION_NETWORK/PERMISSION_SYSTEM. 134 * @return Returns 0, add interface to physical network successfully, otherwise it will fail 135 */ 136 static int32_t AddInterfaceToPhysicalNetwork(uint16_t netId, const std::string &interfaceName, 137 NetworkPermission permission); 138 139 /** 140 * Remove interface from physical network 141 * 142 * @param netId Network number 143 * @param interfaceName Output network device name of the route item 144 * @param permission Network permission. Must be one of 145 * PERMISSION_NONE/PERMISSION_NETWORK/PERMISSION_SYSTEM. 146 * @return Returns 0, remove interface from physical network successfully, otherwise it will fail 147 */ 148 static int32_t RemoveInterfaceFromPhysicalNetwork(uint16_t netId, const std::string &interfaceName, 149 NetworkPermission permission); 150 151 /** 152 * Modify physical network permission 153 * 154 * @param netId Network number 155 * @param interfaceName Output network device name of the route item 156 * @param oldPermission Old network permission. Must be one of 157 * PERMISSION_NONE/PERMISSION_NETWORK/PERMISSION_SYSTEM. 158 * @param newPermission New network permission. Must be one of 159 * PERMISSION_NONE/PERMISSION_NETWORK/PERMISSION_SYSTEM. 160 * @return Returns 0, modify physical network permission successfully, otherwise it will fail 161 */ 162 static int32_t ModifyPhysicalNetworkPermission(uint16_t netId, const std::string &interfaceName, 163 NetworkPermission oldPermission, NetworkPermission newPermission); 164 165 /** 166 * Add interface to virtual network 167 * 168 * @param netId Network number 169 * @param interfaceName Output network device name of the route item 170 * @return Returns 0, add interface to virtual network successfully, otherwise it will fail 171 */ 172 static int32_t AddInterfaceToVirtualNetwork(int32_t netId, const std::string &interfaceName); 173 174 /** 175 * Remove interface from virtual network 176 * 177 * @param netId Network number 178 * @param interfaceName Output network device name of the route item 179 * @return Returns 0, remove interface from virtual network successfully, otherwise it will fail 180 */ 181 static int32_t RemoveInterfaceFromVirtualNetwork(int32_t netId, const std::string &interfaceName); 182 183 static int32_t AddUsersToVirtualNetwork(int32_t netId, const std::string &interfaceName, 184 const std::vector<NetManagerStandard::UidRange> &uidRanges); 185 186 static int32_t RemoveUsersFromVirtualNetwork(int32_t netId, const std::string &interfaceName, 187 const std::vector<NetManagerStandard::UidRange> &uidRanges); 188 189 /** 190 * Add interface to local network 191 * 192 * @param netId Network number 193 * @param interfaceName Output network device name of the route item 194 * @return Returns 0, add interface to local network successfully, otherwise it will fail 195 */ 196 static int32_t AddInterfaceToLocalNetwork(uint16_t netId, const std::string &interfaceName); 197 198 /** 199 * Remove interface from local network 200 * 201 * @param netId Network number 202 * @param interfaceName Output network device name of the route item 203 * @return Returns 0, remove interface from local network successfully, otherwise it will fail 204 */ 205 static int32_t RemoveInterfaceFromLocalNetwork(uint16_t netId, const std::string &interfaceName); 206 207 /** 208 * Enable sharing network 209 * 210 * @param inputInterface Input network device name of the route item 211 * @param outputInterface Output network device name of the route item 212 * @return Returns 0, enable sharing network successfully, otherwise it will fail 213 */ 214 static int32_t EnableSharing(const std::string &inputInterface, const std::string &outputInterface); 215 216 /** 217 * Disable sharing network 218 * 219 * @param inputInterface Input network device name of the route item 220 * @param outputInterface Output network device name of the route item 221 * @return Returns 0, disable sharing network successfully, otherwise it will fail 222 */ 223 static int32_t DisableSharing(const std::string &inputInterface, const std::string &outputInterface); 224 225 /** 226 * Parse destination address 227 * 228 * @param addr Address to be parse 229 * @param res Parse result 230 * @return Returns 0, parse destination address successfully, otherwise it will fail 231 */ 232 static int32_t ReadAddr(const std::string &addr, InetAddr *res); 233 234 /** 235 * Parse gateway address 236 * 237 * @param addr Address to be parse 238 * @param res Parse result 239 * @return Returns 0, parse gateway address successfully, otherwise it will fail 240 */ 241 static int32_t ReadAddrGw(const std::string &addr, InetAddr *res); 242 243 /** 244 * Add rules for clat tun interface 245 * 246 * @param interfaceName Output network device name of the route item 247 * @param permission Network permission. Must be one of 248 * PERMISSION_NONE/PERMISSION_NETWORK/PERMISSION_SYSTEM. 249 * @return Returns 0, add rules successfully, otherwise it will fail 250 */ 251 static int32_t AddClatTunInterface(const std::string &interfaceName, const std::string &dstAddr, 252 const std::string &nxtHop); 253 254 /** 255 * Remove rules for clat tun interface 256 * 257 * @param interfaceName Output network device name of the route item 258 * @param permission Network permission. Must be one of 259 * PERMISSION_NONE/PERMISSION_NETWORK/PERMISSION_SYSTEM. 260 * @return Returns 0, remove rules successfully, otherwise it will fail 261 */ 262 static int32_t RemoveClatTunInterface(const std::string &interfaceName); 263 264 /** 265 * Update route for vnic interface 266 * 267 * @param interfaceName Output network device name of the route item 268 * @param destinationName Destination address of route item 269 * @param nextHop Gateway address of the route item 270 * @param add add or delete route 271 * @return Returns 0, Update route successfully, otherwise it will fail 272 */ 273 static int32_t UpdateVnicRoute(const std::string &interfaceName, const std::string &destinationName, 274 const std::string &nextHop, bool add); 275 276 /** 277 * Update uid ranges for vnic interface 278 * 279 * @param uidRanges uidRanges to update 280 * @param add add or delete uid ranges 281 * @return Returns 0, update UidRangesRules successfully, otherwise it will fail 282 */ 283 static int32_t UpdateVnicUidRangesRule(const std::vector<NetManagerStandard::UidRange> &uidRanges, bool add); 284 285 /** 286 * Enable distribute client net: create virnic and config route 287 * 288 * @param virNicAddr virnic addr 289 * @param iif iif name to config route 290 * @return Returns 0, enable successfully, otherwise it will fail 291 */ 292 static int32_t EnableDistributedClientNet(const std::string &virNicAddr, const std::string &iif); 293 294 /** 295 * Enable distribute client net: config route 296 * 297 * @param iif iif to config route 298 * @param devIface dev Iface name to config route 299 * @param dstAddr dstAddr to config route 300 * @return Returns 0, enable successfully, otherwise it will fail 301 */ 302 static int32_t EnableDistributedServerNet(const std::string &iif, const std::string &devIface, 303 const std::string &dstAddr); 304 305 /** 306 * Disable distribute net: del route 307 * 308 * @param isServer true:server, false:client 309 * @return Returns 0, disable successfully, otherwise it will fail 310 */ 311 static int32_t DisableDistributedNet(bool isServer); 312 313 #ifdef SUPPORT_SYSVPN 314 /** 315 * Set Vpn call mode 316 * 317 * @param message 1 is sysvpn, other extvpn 318 * @return Returns 0, disable successfully, otherwise it will fail 319 */ 320 static int32_t SetVpnCallMode(const std::string &message); 321 322 /** 323 * update vpn interface rules 324 * 325 * @param netId Network number 326 * @param interface interface name 327 * @param extMessages ext message 328 * @param add true add, false remove 329 * @return Returns 0, add network ip mark successfully, otherwise it will fail 330 */ 331 static int32_t UpdateVpnRules(uint16_t netId, const std::string &interface, 332 const std::vector<std::string> &extMessages, bool add); 333 #endif // SUPPORT_SYSVPN 334 335 #ifdef FEATURE_ENTERPRISE_ROUTE_CUSTOM 336 /** 337 * update enterprise route rules 338 * 339 * @param interfaceName Network if name 340 * @param uid app uid 341 * @param add true add, false remove 342 * @return Returns 0, update successfully, otherwise it will fail 343 */ 344 static int32_t UpdateEnterpriseRoute(const std::string &interfaceName, uint32_t uid, bool add); 345 #endif 346 347 private: 348 static std::mutex interfaceToTableLock_; 349 static std::map<std::string, uint32_t> interfaceToTable_; 350 #ifdef SUPPORT_SYSVPN 351 enum VpnRuleIdType { 352 VPN_OUTPUT_TO_LOCAL, 353 VPN_SECURE, 354 VPN_EXPLICIT_NETWORK, 355 VPN_OUTPUT_IFACE, 356 VPN_NETWORK_TABLE, 357 }; 358 359 static bool vpnSysCall_; 360 static std::string defauleNetWorkName_; 361 362 static bool CheckSysVpnCall(); 363 static bool CheckTunVpnCall(const std::string &vpnName); 364 static bool CheckMultiVpnCall(const std::string &vpnName); 365 366 static int32_t InitOutcomingPacketMark(); 367 static int32_t UpdateOutcomingIpMark(uint16_t netId, const std::string &addr, bool add); 368 static int32_t UpdateOutcomingUidMark(uint16_t netId, uid_t startUid, uid_t endUid, bool add); 369 static int32_t UpdateVpnOutPutPenetrationRule(int32_t netId, const std::string &interfaceName, 370 const std::string &ruleDstIp, bool add); 371 static uint32_t FindVpnIdByInterfacename(VpnRuleIdType type, const std::string &interfaceName); 372 static uint32_t GetVpnInterffaceToId(const std::string &ifName); 373 #endif // SUPPORT_SYSVPN 374 static uint16_t GetRuleFlag(uint32_t action); 375 static int32_t Init(); 376 static int32_t ClearRules(); 377 static int32_t ClearRoutes(const std::string &interfaceName, int32_t netId = 0); 378 static int32_t AddLocalNetworkRules(); 379 static int32_t UpdatePhysicalNetwork(uint16_t netId, const std::string &interfaceName, NetworkPermission permission, 380 bool add); 381 static int32_t UpdateVirtualNetwork(int32_t netId, const std::string &interfaceName, 382 const std::vector<NetManagerStandard::UidRange> &uidRanges, bool add); 383 static int32_t ModifyVirtualNetBasedRules(int32_t netId, const std::string &ifaceName, bool add); 384 385 static int32_t UpdateLocalNetwork(uint16_t netId, const std::string &interfaceName, bool add); 386 static int32_t UpdateIncomingPacketMark(uint16_t netId, const std::string &interfaceName, 387 NetworkPermission permission, bool add); 388 static int32_t UpdateExplicitNetworkRule(uint16_t netId, uint32_t table, NetworkPermission permission, bool add); 389 static int32_t UpdateOutputInterfaceRules(const std::string &interfaceName, uint32_t table, 390 NetworkPermission permission, bool add); 391 static int32_t UpdateSharingNetwork(uint16_t action, const std::string &inputInterface, 392 const std::string &outputInterface); 393 static int32_t UpdateVpnOutputToLocalRule(const std::string &interfaceName, bool add); 394 static int32_t UpdateVpnSystemPermissionRule(int32_t netId, uint32_t table, bool add, 395 const std::string &interfaceName = ""); 396 static int32_t UpdateVpnUidRangeRule(uint32_t table, uid_t uidStart, uid_t uidEnd, bool add, 397 const std::string &interfaceName = ""); 398 static int32_t UpdateExplicitNetworkRuleWithUid(int32_t netId, uint32_t table, NetworkPermission permission, 399 uid_t uidStart, uid_t uidEnd, bool add, 400 const std::string &interfaceName = ""); 401 static int32_t UpdateOutputInterfaceRulesWithUid(const std::string &interface, uint32_t table, 402 NetworkPermission permission, uid_t uidStart, uid_t uidEnd, 403 bool add); 404 static int32_t ClearSharingRules(const std::string &inputInterface); 405 static int32_t UpdateRuleInfo(uint32_t action, uint8_t ruleType, RuleInfo ruleInfo, uid_t uidStart = INVALID_UID, 406 uid_t uidEnd = INVALID_UID); 407 static int32_t UpdateDistributedRule(uint32_t action, uint8_t ruleType, RuleInfo ruleInfo, 408 uid_t uidStart, uid_t uidEnd); 409 static int32_t SendRuleToKernel(uint32_t action, uint8_t family, uint8_t ruleType, RuleInfo ruleInfo, 410 uid_t uidStart, uid_t uidEnd); 411 static int32_t SendRuleToKernelEx(uint32_t action, uint8_t family, uint8_t ruleType, RuleInfo ruleInfo, 412 uid_t uidStart, uid_t uidEnd); 413 static int32_t UpdateRouteRule(uint16_t action, uint16_t flags, RouteInfo routeInfo); 414 static int32_t SendRouteToKernel(uint16_t action, uint16_t routeFlag, rtmsg msg, RouteInfo routeInfo, 415 uint32_t index); 416 static uint32_t FindTableByInterfacename(const std::string &interfaceName, int32_t netId = 0); 417 static uint32_t GetRouteTableFromType(TableType tableType, const std::string &interfaceName); 418 static int32_t SetRouteInfo(TableType tableType, NetworkRouteInfo networkRouteInfo, RouteInfo &routeInfo); 419 static int32_t UpdateClatTunInterface(const std::string &interfaceName, 420 NetworkPermission permission, bool add); 421 static int32_t AddServerUplinkRoute(const std::string &UplinkIif, const std::string &devIface); 422 static int32_t AddServerDownlinkRoute(const std::string &UplinkIif, const std::string &dstAddr); 423 }; 424 } // namespace nmd 425 } // namespace OHOS 426 #endif // INCLUDE_ROUTE_MANAGER_H 427