1 /*
2  * Copyright (C) 2012 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef _FIREWALL_CONTROLLER_H
18 #define _FIREWALL_CONTROLLER_H
19 
20 #include <sys/types.h>
21 #include <mutex>
22 #include <set>
23 #include <string>
24 #include <vector>
25 
26 #include "NetdConstants.h"
27 
28 namespace android {
29 namespace net {
30 
31 /*
32  * Simple firewall that drops all packets except those matching explicitly
33  * defined ALLOW rules.
34  *
35  * Methods in this class must be called when holding a write lock on |lock|, and may not call
36  * any other controller without explicitly managing that controller's lock. There are currently
37  * no such methods.
38  */
/**
 * Simple firewall that drops all packets except those matching explicitly
 * defined ALLOW rules.
 *
 * Every method of this class must be called while holding a write lock on
 * |lock|, and must not call into any other controller without explicitly
 * managing that controller's lock (there are currently no such calls).
 */
class FirewallController {
public:
  FirewallController();

  /**
   * Installs the iptables hooks (chains) that this controller manages.
   * As with the other methods below, the int result is a status code whose
   * exact values are defined in the implementation file.
   */
  int setupIptablesHooks();

  /** Switches the firewall to one of the FirewallType modes from NetdConstants.h. */
  int setFirewallType(FirewallType type);
  /** Resets the firewall; presumably flushes the rules this object installed (see flushRules) — verify in the .cpp. */
  int resetFirewall();
  /** Reports whether the firewall is currently enabled (int-valued status, see the .cpp). */
  int isFirewallEnabled();

  /** Match traffic going in/out over the given iface. */
  int setInterfaceRule(const char* iface, FirewallRule rule);
  /** Match traffic owned by the given UID. This is specific to a particular chain. */
  int setUidRule(ChildChain chain, int uid, FirewallRule rule);

  /**
   * Builds the iptables-restore command text for the "critical" rules of
   * |chainName| on |target|. NOTE(review): chainName is presumably spliced
   * verbatim into the restore script, so only fixed, trusted chain names
   * (such as the constants below) should be passed — confirm in the .cpp.
   */
  static std::string makeCriticalCommands(IptablesTarget target, const char* chainName);

  /** Name of the iptables table the firewall rules are placed in. */
  static const char* TABLE;

  /** Names of the chains hooked into the local INPUT / OUTPUT / FORWARD paths. */
  static const char* LOCAL_INPUT;
  static const char* LOCAL_OUTPUT;
  static const char* LOCAL_FORWARD;

  /** ICMPv6 type names the implementation treats specially (presumably always allowed; the list lives in the .cpp). */
  static const char* ICMPV6_TYPES[];

  /** Callers must hold this lock (for writing) across every call into this object. */
  std::mutex lock;

protected:
  friend class FirewallControllerTest;
  /**
   * Hook used to run iptables-restore. Kept as an assignable function pointer
   * so the test fixture (the friend above) can substitute a fake.
   */
  static int (*execIptablesRestore)(IptablesTarget target, const std::string& commands);

private:
  FirewallType mFirewallType;
  /** Interface names that currently have a rule installed — presumably maintained by setInterfaceRule. */
  std::set<std::string> mIfaceRules;
  /** Removes the rules this controller installed (exact scope defined in the .cpp). */
  int flushRules();
};
75 
76 }  // namespace net
77 }  // namespace android
78 
79 #endif