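/*
 * Copyright (C) 2012 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

// Include guard renamed from _FIREWALL_CONTROLLER_H: identifiers beginning with an
// underscore followed by an uppercase letter are reserved for the implementation.
#ifndef FIREWALL_CONTROLLER_H
#define FIREWALL_CONTROLLER_H

#include <sys/types.h>
#include <mutex>
#include <set>
#include <string>
#include <vector>

#include "NetdConstants.h"

namespace android {
namespace net {

/*
 * Simple firewall that drops all packets except those matching explicitly
 * defined ALLOW rules.
 *
 * Locking: this class performs no internal synchronization. Every method must be
 * called with |lock| held by the caller (|lock| is a plain std::mutex, so "write lock"
 * here just means holding it). Methods may not call into any other controller without
 * explicitly managing that controller's lock; there are currently no such methods.
 *
 * The FirewallType, FirewallRule, ChildChain and IptablesTarget types come from
 * NetdConstants.h; the method bodies and the return-code conventions live in
 * FirewallController.cpp.
 */
class FirewallController {
public:
    FirewallController();

    /* Installs the iptables hooks this controller relies on. Returns an int status. */
    int setupIptablesHooks();

    /* Switches the firewall mode; returns an int status. */
    int setFirewallType(FirewallType);
    /* Clears the rules installed by this controller; returns an int status. */
    int resetFirewall();

    /*
     * Match traffic going in/out over the given iface.
     * The interface name is a raw NUL-terminated C string. NOTE(review): it presumably
     * ends up inside an iptables-restore command (see execIptablesRestore), so a name
     * that originates from an untrusted caller should be validated before reaching here.
     */
    int setInterfaceRule(const char*, FirewallRule);
    /*
     * Match traffic owned by given UID. This is specific to a particular chain.
     * The UID is passed as a plain int; callers should confirm it is a valid,
     * non-negative uid before calling.
     */
    int setUidRule(ChildChain, int, FirewallRule);

    /*
     * Builds the command text for the "critical" rules of |chainName| on |target|.
     * NOTE(review): exact contents are defined in the .cpp; from the name and the
     * ICMPV6_TYPES table below this is presumably the always-allowed rule set.
     */
    static std::string makeCriticalCommands(IptablesTarget target, const char* chainName);

    /* iptables table this controller operates on. */
    static const char* TABLE;

    /* Names of the chains this controller owns. */
    static const char* LOCAL_INPUT;
    static const char* LOCAL_OUTPUT;
    static const char* LOCAL_FORWARD;

    /* ICMPv6 type names referenced by the critical rules (defined in the .cpp). */
    static const char* ICMPV6_TYPES[];

    /* Must be held by the caller around every method call; see the class comment. */
    std::mutex lock;

protected:
    friend class FirewallControllerTest;
    /*
     * Function used to apply a batch of iptables-restore commands. It is a mutable
     * static so the friend test class can substitute it; production code should not
     * reassign it.
     */
    static int (*execIptablesRestore)(IptablesTarget target, const std::string& commands);

private:
    FirewallType mFirewallType;
    /* Interface names that currently have a rule installed (presumably; see the .cpp). */
    std::set<std::string> mIfaceRules;
    int flushRules();
};

}  // namespace net
}  // namespace android

#endif  // FIREWALL_CONTROLLER_H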