1 /*
2  * Copyright (C) 2012 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef _FIREWALL_CONTROLLER_H
18 #define _FIREWALL_CONTROLLER_H
19 
20 #include <string>
21 #include <vector>
22 
23 #include <utils/RWLock.h>
24 
25 #include "NetdConstants.h"
26 
// Action applied to traffic matched by one of the FirewallController::set*Rule() methods.
enum FirewallRule { DENY, ALLOW };
28 
// Default policy of the firewall, i.e. what happens to traffic that no uid rule matches:
//   WHITELIST means the firewall denies all by default, uids must be explicitly ALLOWed
//   BLACKLIST means the firewall allows all by default, uids must be explicitly DENYed
// WHITELIST is the fail-closed mode; BLACKLIST only blocks the uids that are listed.

enum FirewallType { WHITELIST, BLACKLIST };
33 
// Chain selector used by FirewallController::setUidRule() and enableChildChains().
// NOTE(review): NONE and INVALID_CHAIN look like sentinels ("no child chain" / unrecognised
// input) rather than real chains, and DOZABLE/STANDBY/POWERSAVE presumably map to the
// LOCAL_DOZABLE/LOCAL_STANDBY/LOCAL_POWERSAVE chain names — confirm in the implementation.
enum ChildChain { NONE, DOZABLE, STANDBY, POWERSAVE, INVALID_CHAIN };
35 
// IANA IP protocol numbers (TCP = 6, UDP = 17), presumably the values expected by the protocol
// argument of FirewallController::setEgressDestRule(). Left as macros rather than constexpr so
// any preprocessor use by callers (not visible from this header) keeps working.
#define PROTOCOL_TCP 6
#define PROTOCOL_UDP 17
38 
/*
 * Controller for netd's firewall iptables chains.
 *
 * The firewall runs in one of two modes (see FirewallType): in WHITELIST mode it drops all
 * packets except those matching explicitly defined ALLOW rules; in BLACKLIST mode it passes
 * everything except traffic matching explicit DENY rules. Rules can be keyed on interface,
 * source address, destination address/port/protocol, or owning uid (see the set*Rule methods).
 *
 * Methods in this class must be called when holding a write lock on |lock|, and may not call
 * any other controller without explicitly managing that controller's lock. There are currently
 * no such methods.
 *
 * All rule-changing methods return an int status. NOTE(review): the header does not show the
 * convention; presumably 0 means success, as with the exec* helpers below — confirm in the .cpp.
 */
class FirewallController {
public:
    FirewallController();

    /* Installs the iptables hooks this controller relies on (per its name; body not visible here). */
    int setupIptablesHooks(void);

    /* Switches the firewall on in the given mode / off again. */
    int enableFirewall(FirewallType);
    int disableFirewall(void);
    /* Reports whether the firewall is currently enabled (truthiness convention not visible here). */
    int isFirewallEnabled(void);

    /* Match traffic going in/out over the given iface. Args: interface name, rule. */
    int setInterfaceRule(const char*, FirewallRule);
    /* Match traffic coming-in-to or going-out-from given address. Args: address, rule. */
    int setEgressSourceRule(const char*, FirewallRule);
    /* Match traffic coming-in-from or going-out-to given address, port, and protocol.
     * Args: address, port, protocol (presumably PROTOCOL_TCP / PROTOCOL_UDP), rule. */
    int setEgressDestRule(const char*, int, int, FirewallRule);
    /* Match traffic owned by given UID. This is specific to a particular chain.
     * Args: chain, uid, rule. NOTE(review): the uid is a signed int while uids are unsigned;
     * whether negative values are rejected is not visible here — confirm in the implementation. */
    int setUidRule(ChildChain, int, FirewallRule);

    /* Args: chain, enable. Turns the given child chain on or off (per its name). */
    int enableChildChains(ChildChain, bool);

    /* Args: chain name, isWhitelist, uids — the same inputs makeUidRules() takes, so this
     * presumably replaces the named chain's contents with one rule per uid. The name ends up
     * inside the rule text handed to iptables; nothing in this header shows it being validated,
     * so callers are expected to pass only chain names this class owns — confirm in the .cpp. */
    int replaceUidChain(const char*, bool, const std::vector<int32_t>&);

    /* iptables table name; defined in the .cpp. */
    static const char* TABLE;

    /* Names of the chains this controller manages; defined in the .cpp. */
    static const char* LOCAL_INPUT;
    static const char* LOCAL_OUTPUT;
    static const char* LOCAL_FORWARD;

    /* Child-chain names; presumably correspond to the DOZABLE/STANDBY/POWERSAVE ChildChain values. */
    static const char* LOCAL_DOZABLE;
    static const char* LOCAL_STANDBY;
    static const char* LOCAL_POWERSAVE;

    /* ICMPv6 types, as strings; the list and its use live in the .cpp. */
    static const char* ICMPV6_TYPES[];

    /* Guards this controller's state; callers take the write lock before calling any method
     * (see the class comment). */
    android::RWLock lock;

protected:
    /* Test seam: the test can call makeUidRules() directly and reassign the exec* pointers below. */
    friend class FirewallControllerTest;
    /* Builds the iptables rule text for the uid chain |name| from |uids|, with |isWhitelist|
     * selecting the default-deny or default-allow shape (presumably; only the signature is
     * visible here). The returned string is the script a caller would hand to execIptablesRestore. */
    std::string makeUidRules(IptablesTarget target, const char *name, bool isWhitelist,
                             const std::vector<int32_t>& uids);
    /* Pluggable command runners, static so a test can swap them out. The first two take an
     * argv-style variadic argument list; execIptablesRestore takes a whole rule script. */
    static int (*execIptables)(IptablesTarget target, ...);
    static int (*execIptablesSilently)(IptablesTarget target, ...);
    static int (*execIptablesRestore)(IptablesTarget target, const std::string& commands);

private:
    /* Current mode; presumably set by enableFirewall() and consulted by getFirewallType(). */
    FirewallType mFirewallType;
    /* Link / unlink a chain. Both take two names (which is the parent and which the child is
     * not visible here — see the .cpp). */
    int attachChain(const char*, const char*);
    int detachChain(const char*, const char*);
    /* Creates a chain with the given names and default policy (per FirewallType). */
    int createChain(const char*, const char*, FirewallType);
    /* Resolves the mode that applies to the given child chain. */
    FirewallType getFirewallType(ChildChain);
};
99 
100 #endif
101