1 // Copyright 2014 The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //      http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #ifndef FIREWALLD_IPTABLES_H_
16 #define FIREWALLD_IPTABLES_H_
17 
18 #include <stdint.h>
19 
20 #include <set>
21 #include <string>
22 #include <utility>
23 #include <vector>
24 
25 #include <base/macros.h>
26 #include <brillo/errors/error.h>
27 
28 #include "dbus_bindings/org.chromium.Firewalld.h"
29 
30 namespace firewalld {
31 
// Transport protocol a firewall hole applies to. Selects which of the
// TCP/UDP bookkeeping sets and rule flavours the IpTables helpers operate on.
// Unscoped on purpose: callers refer to the enumerators unqualified.
enum ProtocolEnum {
  kProtocolTcp = 0,
  kProtocolUdp = 1,
};
33 
// Firewall manager backing the org.chromium.Firewalld D-Bus interface.
//
// Each overridden method corresponds to one D-Bus call and returns |true| on
// success. The object remembers which (port, interface) holes it has opened so
// that the same hole is not added twice, and PlugAllHoles() closes all of them.
//
// NOTE(review): |in_interface| and |usernames| are caller-supplied over D-Bus
// and, judging by the private helpers below, end up as arguments to an
// iptables executable. ExecvNonRoot() takes an argv vector, so no shell
// interprets them, but whether the strings are validated (length, character
// set, a leading '-' that iptables could read as an option) before use is
// decided in the .cc file, not here -- confirm there.
class IpTables : public org::chromium::FirewalldInterface {
 public:
  // One punched hole. Presumably (port, interface), matching the parameter
  // order of PunchHole() below.
  typedef std::pair<uint16_t, std::string> Hole;

  IpTables();
  // NOTE(review): the virtual hooks in the private section suggest this class
  // is subclassed (e.g. by test mocks). Deleting through a base pointer is only
  // safe if FirewalldInterface declares a virtual destructor, which is not
  // visible from this header -- confirm.
  ~IpTables();

  // D-Bus methods.
  // Open |in_port| on |in_interface| for TCP / UDP respectively. Returns
  // |true| on success; how an already-open hole is reported is decided in the
  // .cc file.
  bool PunchTcpHole(uint16_t in_port, const std::string& in_interface) override;
  bool PunchUdpHole(uint16_t in_port, const std::string& in_interface) override;
  // Close a hole previously opened by the matching Punch*Hole() call.
  bool PlugTcpHole(uint16_t in_port, const std::string& in_interface) override;
  bool PlugUdpHole(uint16_t in_port, const std::string& in_interface) override;

  // Set up / tear down VPN traffic handling for |usernames| over |interface|.
  // The ApplyVpnSetup* test names below indicate this involves per-user
  // traffic marking, a masquerade rule on |interface| and a rule for the
  // marked user traffic.
  bool RequestVpnSetup(const std::vector<std::string>& usernames,
                       const std::string& interface) override;
  bool RemoveVpnSetup(const std::vector<std::string>& usernames,
                      const std::string& interface) override;

  // Close all outstanding firewall holes. Not a D-Bus method (no override);
  // presumably called when the daemon shuts down so no hole outlives it.
  void PlugAllHoles();

 private:
  friend class IpTablesTest;
  FRIEND_TEST(IpTablesTest, ApplyVpnSetupAdd_Success);
  FRIEND_TEST(IpTablesTest, ApplyVpnSetupAdd_FailureInUsername);
  FRIEND_TEST(IpTablesTest, ApplyVpnSetupAdd_FailureInMasquerade);
  FRIEND_TEST(IpTablesTest, ApplyVpnSetupAdd_FailureInRuleForUserTraffic);
  FRIEND_TEST(IpTablesTest, ApplyVpnSetupRemove_Success);
  FRIEND_TEST(IpTablesTest, ApplyVpnSetupRemove_Failure);

  // Shared implementation behind the Punch*/Plug* D-Bus methods. |holes| is
  // the bookkeeping set for |protocol| (presumably |tcp_holes_| or
  // |udp_holes_|); |port| and |interface| identify the hole.
  bool PunchHole(uint16_t port,
                 const std::string& interface,
                 std::set<Hole>* holes,
                 ProtocolEnum protocol);
  bool PlugHole(uint16_t port,
                const std::string& interface,
                std::set<Hole>* holes,
                ProtocolEnum protocol);

  // Add / delete the ACCEPT rule(s) for |port| on |interface|. The plural form
  // takes no executable while the singular, virtual form below takes
  // |executable_path|; together with |ip6_enabled_| this suggests the plural
  // form invokes the singular one once per IP version -- confirm in the .cc.
  bool AddAcceptRules(ProtocolEnum protocol,
                      uint16_t port,
                      const std::string& interface);
  bool DeleteAcceptRules(ProtocolEnum protocol,
                         uint16_t port,
                         const std::string& interface);

  // Virtual so that tests can intercept the step that actually runs
  // |executable_path|.
  virtual bool AddAcceptRule(const std::string& executable_path,
                             ProtocolEnum protocol,
                             uint16_t port,
                             const std::string& interface);
  virtual bool DeleteAcceptRule(const std::string& executable_path,
                                ProtocolEnum protocol,
                                uint16_t port,
                                const std::string& interface);

  // Common body of RequestVpnSetup() (|add| == true) and RemoveVpnSetup()
  // (|add| == false).
  bool ApplyVpnSetup(const std::vector<std::string>& usernames,
                     const std::string& interface,
                     bool add);

  // Add (|add| == true) or remove the masquerade rule for |interface|. The
  // *WithExecutable variant is the one parameterised on the binary to run.
  virtual bool ApplyMasquerade(const std::string& interface, bool add);
  bool ApplyMasqueradeWithExecutable(const std::string& interface,
                                     const std::string& executable_path,
                                     bool add);

  // Add or remove the traffic-marking rule for |username|.
  virtual bool ApplyMarkForUserTraffic(const std::string& username, bool add);
  bool ApplyMarkForUserTrafficWithExecutable(const std::string& username,
                                             const std::string& executable_path,
                                             bool add);

  // Add or remove the rule that handles marked user traffic. The *WithVersion
  // variant is parameterised on |ip_version|.
  virtual bool ApplyRuleForUserTraffic(bool add);
  bool ApplyRuleForUserTrafficWithVersion(const std::string& ip_version,
                                          bool add);

  // Run |argv| as a child process, presumably via execv() (so without a shell)
  // and without root, retaining only the capabilities in |capmask|. The exact
  // privilege handling and the meaning of the returned int (exit status?) are
  // defined in the .cc -- confirm before relying on either.
  int ExecvNonRoot(const std::vector<std::string>& argv, uint64_t capmask);

  // Keep track of firewall holes to avoid adding redundant firewall rules.
  // Presumably also the record PlugAllHoles() works from.
  std::set<Hole> tcp_holes_;
  std::set<Hole> udp_holes_;

  // Tracks whether IPv6 filtering is enabled. If |true| (the default), IPv6
  // rules are required to succeed. If |false|, adding IPv6 rules is still
  // attempted but failure is tolerated; once it succeeds even once, the flag
  // flips back to |true| and is enforced thereafter.
  // NOTE(review): while |false|, an operation may report success with only its
  // IPv4 half applied. Whether that is safe depends on the rule: a missing
  // IPv6 ACCEPT leaves the port closed, whereas a missing IPv6 VPN rule may
  // let IPv6 traffic bypass the VPN. Where the flag is cleared is decided in
  // the .cc -- confirm.
  bool ip6_enabled_ = true;

  DISALLOW_COPY_AND_ASSIGN(IpTables);
};
121 
122 }  // namespace firewalld
123 
124 #endif  // FIREWALLD_IPTABLES_H_
125