1 /*
2  * Copyright (C) 2012 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef _FIREWALL_CONTROLLER_H
18 #define _FIREWALL_CONTROLLER_H
19 
20 #include <sys/types.h>
21 #include <mutex>
22 #include <set>
23 #include <string>
24 #include <vector>
25 
26 #include "NetdConstants.h"
27 
28 namespace android {
29 namespace net {
30 
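/*
 * Simple firewall that drops all packets except those matching explicitly
 * defined ALLOW rules.
 *
 * Locking: methods in this class must be called while holding a write lock on |lock|
 * (the caller acquires it; the methods do not lock it themselves), and they may not call
 * any other controller without explicitly managing that controller's lock. There are
 * currently no such methods.
 *
 * Rule changes are presumably pushed to the kernel through |execIptablesRestore| (see
 * below); the exact chain layout lives in FirewallController.cpp.
 */
class FirewallController {
public:
  FirewallController();

  /*
   * Installs the iptables hooks/chains this controller manages. The chain set is defined
   * in the implementation. Return value: presumably 0 on success and non-zero on failure,
   * as for the other int-returning methods here — confirm in FirewallController.cpp.
   */
  int setupIptablesHooks();

  /* Selects the active firewall type; |type| is a FirewallType from NetdConstants.h. */
  int setFirewallType(FirewallType type);
  /* Removes the rules this controller installed; what remains afterwards is implementation-defined. */
  int resetFirewall();

  /* Match traffic going in/out over the given iface. |rule| is a FirewallRule (ALLOW/DENY-style). */
  int setInterfaceRule(const char* iface, FirewallRule rule);
  /* Match traffic owned by given UID. This is specific to a particular chain (|chain|). */
  int setUidRule(ChildChain chain, int uid, FirewallRule rule);

  /*
   * Builds the iptables-restore command text for |chainName| on |target|. Static so it can
   * be unit-tested without an instance; which rules count as "critical" is defined in the
   * implementation.
   */
  static std::string makeCriticalCommands(IptablesTarget target, const char* chainName);

  /* iptables table the rules live in (value defined in FirewallController.cpp). */
  static const char* TABLE;

  /* Chain names used by this controller (values defined in FirewallController.cpp). */
  static const char* LOCAL_INPUT;
  static const char* LOCAL_OUTPUT;
  static const char* LOCAL_FORWARD;

  /* ICMPv6 type match strings; the array bound is fixed at the definition in the .cpp. */
  static const char* ICMPV6_TYPES[];

  /* Caller-owned lock: hold it (write-locked) around every call into this object. */
  std::mutex lock;

protected:
  friend class FirewallControllerTest;
  /*
   * Executes an iptables-restore script (|commands|) against |target|. A plain static
   * function pointer, with FirewallControllerTest as a friend, presumably so tests can
   * substitute a fake instead of touching the real firewall. Anything that can reach this
   * pointer can redirect what gets executed, so it stays protected rather than public.
   */
  static int (*execIptablesRestore)(IptablesTarget target, const std::string& commands);

private:
  // Currently selected type; presumably written by setFirewallType — confirm in the .cpp.
  FirewallType mFirewallType;
  // Interface names tracked by setInterfaceRule — presumably those with an active rule; confirm in the .cpp.
  std::set<std::string> mIfaceRules;
  /* Internal helper that clears installed rules; details in the implementation. */
  int flushRules();
};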
74 
75 }  // namespace net
76 }  // namespace android
77 
78 #endif
79