1// Copyright 2014 The Chromium OS Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef FIREWALLD_IPTABLES_H_
6#define FIREWALLD_IPTABLES_H_
7
8#include <stdint.h>
9
10#include <set>
11#include <string>
12#include <utility>
13#include <vector>
14
15#include <base/macros.h>
16#include <chromeos/errors/error.h>
17
18#include "firewalld/dbus_adaptor/org.chromium.Firewalld.h"
19
20namespace firewalld {
21
// Transport protocol a firewall hole applies to.  Passed to PunchHole /
// PlugHole and the Add/DeleteAcceptRule* helpers to select TCP or UDP.
// Deliberately an unscoped enum: the enumerators are used as bare names
// throughout the class and its tests.
enum ProtocolEnum {
  kProtocolTcp,
  kProtocolUdp
};
23
// Implementation of the org.chromium.Firewalld D-Bus interface.  Rules are
// applied by running the iptables and ip6tables executables whose paths are
// held in ip4_exec_path_ / ip6_exec_path_.  Two kinds of state are managed:
//
//   * "holes": ACCEPT rules keyed by (port, interface), tracked per protocol
//     in tcp_holes_ / udp_holes_ so that a repeated request for the same hole
//     does not stack a duplicate rule;
//   * VPN setup for a list of usernames on an interface, applied and removed
//     through the same helper (ApplyVpnSetup) with an add/remove flag.  The
//     helper names suggest this is masquerading plus per-user traffic marking,
//     but the details live in iptables.cc.
//
// NOTE(review): every string argument on the D-Bus methods below — interface
// names and usernames — originates from another process and, judging by the
// private helpers, is forwarded as an argument to the iptables binaries.  This
// header does not show any validation.  Confirm that iptables.cc rejects
// empty, overlong or unexpected values (whitespace, shell metacharacters, a
// leading '-' that iptables would parse as an option) before any rule is
// built; exec'ing without a shell removes shell injection but not argument
// injection.
class IpTables : public org::chromium::FirewalldInterface {
 public:
  // A hole is identified by the (port, interface) pair; the same port opened
  // on two interfaces is two separate entries.
  using Hole = std::pair<uint16_t, std::string>;

  IpTables();
  ~IpTables();

  // --- D-Bus methods (generated interface, see org.chromium.Firewalld.h) ---
  // Open / close an ACCEPT hole for one port on one interface.  The bool
  // return presumably reports success to the D-Bus caller; the exact failure
  // conditions (e.g. port 0, unknown interface) are decided in iptables.cc.
  bool PunchTcpHole(uint16_t in_port, const std::string& in_interface) override;
  bool PlugTcpHole(uint16_t in_port, const std::string& in_interface) override;
  bool PunchUdpHole(uint16_t in_port, const std::string& in_interface) override;
  bool PlugUdpHole(uint16_t in_port, const std::string& in_interface) override;

  // Apply / remove the VPN rule set for |usernames| routed over |interface|.
  bool RequestVpnSetup(const std::vector<std::string>& usernames,
                       const std::string& interface) override;
  bool RemoveVpnSetup(const std::vector<std::string>& usernames,
                      const std::string& interface) override;

 protected:
  // Test-only: lets a fixture substitute the iptables / ip6tables binaries.
  // Being protected (plus the IpTablesTest friendship) keeps it off the public
  // surface, but any subclass can still reach it — NOTE(review): confirm no
  // production subclass exists.
  explicit IpTables(const std::string& ip4_path, const std::string& ip6_path);

 private:
  friend class IpTablesTest;

  // --- VPN helpers ---
  // Shared body of RequestVpnSetup / RemoveVpnSetup; |add| selects whether the
  // rules are inserted or deleted.
  bool ApplyVpnSetup(const std::vector<std::string>& usernames,
                     const std::string& interface,
                     bool add);
  bool ApplyMasquerade(const std::string& interface, bool add);
  bool ApplyMarkForUserTraffic(const std::string& user_name, bool add);
  bool ApplyRuleForUserTraffic(bool add);

  // --- Hole helpers ---
  // Protocol-agnostic bodies of the Punch*/Plug* methods; |holes| is the
  // tracking set for |protocol| (tcp_holes_ or udp_holes_).
  bool PunchHole(uint16_t port,
                 const std::string& interface,
                 std::set<Hole>* holes,
                 ProtocolEnum protocol);
  bool PlugHole(uint16_t port,
                const std::string& interface,
                std::set<Hole>* holes,
                ProtocolEnum protocol);

  // Closes every tracked hole.  Presumably invoked from the destructor so that
  // holes do not outlive the daemon — verify in iptables.cc.
  void PlugAllHoles();

  // The plural forms take no executable path and presumably fan out to both
  // ip4_exec_path_ and ip6_exec_path_; the singular forms run one specific
  // binary.
  bool AddAcceptRules(ProtocolEnum protocol,
                      uint16_t port,
                      const std::string& interface);
  bool DeleteAcceptRules(ProtocolEnum protocol,
                         uint16_t port,
                         const std::string& interface);
  bool AddAcceptRule(const std::string& executable_path,
                     ProtocolEnum protocol,
                     uint16_t port,
                     const std::string& interface);
  bool DeleteAcceptRule(const std::string& executable_path,
                        ProtocolEnum protocol,
                        uint16_t port,
                        const std::string& interface);

  // Paths of the iptables (v4) and ip6tables (v6) executables the helpers run.
  // Set by the constructors; the test-only constructor overrides them.
  // Member order is significant for initialization and must match the .cc.
  std::string ip4_exec_path_;
  std::string ip6_exec_path_;

  // Currently open holes, per protocol.  Consulted before adding a rule so the
  // same (port, interface) is never inserted twice.
  std::set<Hole> tcp_holes_;
  std::set<Hole> udp_holes_;

  DISALLOW_COPY_AND_ASSIGN(IpTables);
};
96
97}  // namespace firewalld
98
99#endif  // FIREWALLD_IPTABLES_H_
100