1 /*
2  * Copyright (C) 2012 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef _FIREWALL_CONTROLLER_H
18 #define _FIREWALL_CONTROLLER_H
19 
20 #include <sys/types.h>
21 #include <mutex>
22 #include <set>
23 #include <string>
24 #include <vector>
25 
26 #include "NetdConstants.h"
27 #include "bpf/BpfUtils.h"
28 
29 namespace android {
30 namespace net {
31 
/*
 * Simple firewall that drops all packets except those matching explicitly
 * defined ALLOW rules.
 *
 * Methods in this class must be called when holding a write lock on |lock|, and may not call
 * any other controller without explicitly managing that controller's lock. There are currently
 * no such methods.
 *
 * This header declares the interface only: every method returns an int status whose
 * convention (presumably 0 on success) is defined in the implementation, and all rule
 * changes are expected to flow through the execIptablesRestore hook declared below.
 */
class FirewallController {
public:
  FirewallController();

  /* Installs the iptables chains/hooks this controller manages. */
  int setupIptablesHooks(void);

  /* Selects the active firewall type (FirewallType comes from NetdConstants.h). */
  int setFirewallType(FirewallType);
  /* Clears the installed firewall rules. */
  int resetFirewall(void);
  /* Reports whether the firewall is currently enabled. */
  int isFirewallEnabled(void);

  /* Match traffic going in/out over the given iface.
   * NOTE(review): the interface name presumably ends up inside the command text handed to
   * execIptablesRestore; validation of that name is not visible in this header -- confirm
   * in the implementation that it is checked before the command string is built. */
  int setInterfaceRule(const char*, FirewallRule);
  /* Match traffic owned by given UID. This is specific to a particular chain. */
  int setUidRule(ChildChain, int, FirewallRule);

  /* Enables (true) or disables (false) the given child chain. */
  int enableChildChains(ChildChain, bool);

  /* Builds the iptables-restore command text for the "critical" rules of |chainName| on
   * |target|. Which rules are considered critical is defined in the implementation. */
  static std::string makeCriticalCommands(IptablesTarget target, const char* chainName);

  /* Name of the iptables table this controller operates on; value defined in the .cpp. */
  static const char* TABLE;

  /* Names of the local INPUT/OUTPUT/FORWARD chains; values defined in the .cpp. */
  static const char* LOCAL_INPUT;
  static const char* LOCAL_OUTPUT;
  static const char* LOCAL_FORWARD;

  /* ICMPv6 type names; contents and terminator convention defined in the .cpp. */
  static const char* ICMPV6_TYPES[];

  /* Serializes access to this controller; see the class comment for the locking rule. */
  std::mutex lock;

protected:
  friend class FirewallControllerTest;
  /* Hook through which generated command text is executed. It is protected (and the test
   * class is a friend) so unit tests can substitute a fake executor. Because every rule
   * change is expected to pass through it, this is the single point to audit for how
   * command text is constructed. */
  static int (*execIptablesRestore)(IptablesTarget target, const std::string& commands);

private:
  /* Currently selected firewall type. */
  FirewallType mFirewallType;
  /* Interface names that presumably currently have an interface rule installed -- verify
   * against setInterfaceRule in the implementation. */
  std::set<std::string> mIfaceRules;
  /* Removes installed rules; private helper. */
  int flushRules(void);
};
78 
79 }  // namespace net
80 }  // namespace android
81 
82 #endif