iptables.h revision 6c733cf77b78062afd7d70eb68f8832d77362086
// Copyright 2014 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#ifndef FIREWALLD_IPTABLES_H_
#define FIREWALLD_IPTABLES_H_

#include <stdint.h>

#include <set>
#include <string>
#include <utility>
#include <vector>

#include <base/macros.h>
#include <brillo/errors/error.h>

#include "dbus_bindings/org.chromium.Firewalld.h"

namespace firewalld {

// Transport protocol selector passed to the hole / accept-rule helpers below.
enum ProtocolEnum { kProtocolTcp, kProtocolUdp };
// IP family selector; used by ApplyRuleForUserTraffic().
enum IPVersionEnum { kIPv4, kIPv6 };

// Implementation of the org.chromium.Firewalld D-Bus interface. Every public
// method here is reachable by a D-Bus client, so |in_port| / |in_interface| /
// |usernames| are caller-supplied values; whatever validation they receive
// before being turned into iptables arguments lives in the .cc, not here.
class IpTables : public org::chromium::FirewalldInterface {
 public:
  // One open firewall hole. From PunchHole()'s signature this looks like a
  // (port, interface) pair -- confirm ordering against the .cc.
  typedef std::pair<uint16_t, std::string> Hole;

  IpTables();
  ~IpTables();

  // D-Bus methods.
  // Each returns true on success. "Punch" opens an accept rule for
  // |in_port| on |in_interface|; "Plug" removes it again.
  bool PunchTcpHole(uint16_t in_port, const std::string& in_interface) override;
  bool PunchUdpHole(uint16_t in_port, const std::string& in_interface) override;
  bool PlugTcpHole(uint16_t in_port, const std::string& in_interface) override;
  bool PlugUdpHole(uint16_t in_port, const std::string& in_interface) override;

  // Install (RequestVpnSetup) or tear down (RemoveVpnSetup) the VPN rules for
  // |usernames| on |interface|; both are thin wrappers over ApplyVpnSetup().
  bool RequestVpnSetup(const std::vector<std::string>& usernames,
                       const std::string& interface) override;
  bool RemoveVpnSetup(const std::vector<std::string>& usernames,
                      const std::string& interface) override;

  // Close all outstanding firewall holes.
  void PlugAllHoles();

 private:
  // The test fixture overrides the virtual Apply*/Add*/Delete* members below
  // so that no real iptables binary is executed.
  friend class IpTablesTest;
  FRIEND_TEST(IpTablesTest, ApplyVpnSetupAddSuccess);
  FRIEND_TEST(IpTablesTest, ApplyVpnSetupAddFailureInUsername);
  FRIEND_TEST(IpTablesTest, ApplyVpnSetupAddFailureInMasquerade);
  FRIEND_TEST(IpTablesTest, ApplyVpnSetupAddFailureInRuleForUserTraffic);
  FRIEND_TEST(IpTablesTest, ApplyVpnSetupRemoveSuccess);
  FRIEND_TEST(IpTablesTest, ApplyVpnSetupRemoveFailure);

  // Shared implementation behind the Punch*/Plug* D-Bus methods. |holes| is
  // the per-protocol bookkeeping set (tcp_holes_ or udp_holes_) that the
  // caller selects; presumably it is consulted to avoid duplicate rules and
  // updated on success -- verify in the .cc.
  bool PunchHole(uint16_t port,
                 const std::string& interface,
                 std::set<Hole>* holes,
                 ProtocolEnum protocol);
  bool PlugHole(uint16_t port,
                const std::string& interface,
                std::set<Hole>* holes,
                ProtocolEnum protocol);

  // Plural forms take no executable path; the singular forms below do. The
  // plural ones presumably fan out to the singular ones once per iptables
  // binary (v4 / v6) -- confirm in the .cc.
  bool AddAcceptRules(ProtocolEnum protocol,
                      uint16_t port,
                      const std::string& interface);
  bool DeleteAcceptRules(ProtocolEnum protocol,
                         uint16_t port,
                         const std::string& interface);

  // Add / delete a single accept rule by invoking |executable_path|.
  // Virtual so tests can stub the external process.
  virtual bool AddAcceptRule(const std::string& executable_path,
                             ProtocolEnum protocol,
                             uint16_t port,
                             const std::string& interface);
  virtual bool DeleteAcceptRule(const std::string& executable_path,
                                ProtocolEnum protocol,
                                uint16_t port,
                                const std::string& interface);

  // Common body for RequestVpnSetup (|add| == true) and RemoveVpnSetup
  // (|add| == false).
  bool ApplyVpnSetup(const std::vector<std::string>& usernames,
                     const std::string& interface,
                     bool add);

  // Building blocks of ApplyVpnSetup. The "46" variants take no executable
  // path and, by analogy with AddAcceptRules, presumably apply the rule for
  // both IP families. All are virtual for the test fixture.
  virtual bool ApplyMasquerade(const std::string& executable_path,
                               const std::string& interface,
                               bool add);
  virtual bool ApplyMasquerade46(const std::string& interface,
                                 bool add);
  virtual bool ApplyMarkForUserTraffic(const std::string& executable_path,
                                       const std::string& user_name,
                                       bool add);
  virtual bool ApplyMarkForUserTraffic46(const std::string& username,
                                         bool add);
  virtual bool ApplyRuleForUserTraffic(IPVersionEnum ip_version,
                                       bool add);

  // Runs |argv| as an external process with privileges reduced to the
  // capability set |capmask|. This is the single choke point through which
  // every iptables invocation above should pass. The meaning of the int
  // result (exit status vs. error code) is not visible here -- check the .cc.
  int ExecvNonRoot(const std::vector<std::string>& argv,
                   uint64_t capmask);

  // Keep track of firewall holes to avoid adding redundant firewall rules.
  std::set<Hole> tcp_holes_;
  std::set<Hole> udp_holes_;

  // Tracks whether IPv6 filtering is enabled. If set to |true| (the default),
  // then it is required to be working. If |false|, then adding of IPv6 rules is
  // still attempted but not mandatory; however, if it is successful even once,
  // then it'll be changed to |true| and enforced thereafter.
  bool ip6_enabled_ = true;

  DISALLOW_COPY_AND_ASSIGN(IpTables);
};

}  // namespace firewalld

#endif  // FIREWALLD_IPTABLES_H_