iptables.h revision 6c733cf77b78062afd7d70eb68f8832d77362086 
1// Copyright 2014 The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//      http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15#ifndef FIREWALLD_IPTABLES_H_
16#define FIREWALLD_IPTABLES_H_
17
18#include <stdint.h>
19
20#include <set>
21#include <string>
22#include <utility>
23#include <vector>
24
25#include <base/macros.h>
26#include <brillo/errors/error.h>
27
28#include "dbus_bindings/org.chromium.Firewalld.h"
29
30namespace firewalld {
31
32enum ProtocolEnum { kProtocolTcp, kProtocolUdp };
33enum IPVersionEnum { kIPv4, kIPv6 };
34
35class IpTables : public org::chromium::FirewalldInterface {
36 public:
37  typedef std::pair<uint16_t, std::string> Hole;
38
39  IpTables();
40  ~IpTables();
41
42  // D-Bus methods.
43  bool PunchTcpHole(uint16_t in_port, const std::string& in_interface) override;
44  bool PunchUdpHole(uint16_t in_port, const std::string& in_interface) override;
45  bool PlugTcpHole(uint16_t in_port, const std::string& in_interface) override;
46  bool PlugUdpHole(uint16_t in_port, const std::string& in_interface) override;
47
48  bool RequestVpnSetup(const std::vector<std::string>& usernames,
49                       const std::string& interface) override;
50  bool RemoveVpnSetup(const std::vector<std::string>& usernames,
51                      const std::string& interface) override;
52
53  // Close all outstanding firewall holes.
54  void PlugAllHoles();
55
56 private:
57  friend class IpTablesTest;
58  FRIEND_TEST(IpTablesTest, ApplyVpnSetupAddSuccess);
59  FRIEND_TEST(IpTablesTest, ApplyVpnSetupAddFailureInUsername);
60  FRIEND_TEST(IpTablesTest, ApplyVpnSetupAddFailureInMasquerade);
61  FRIEND_TEST(IpTablesTest, ApplyVpnSetupAddFailureInRuleForUserTraffic);
62  FRIEND_TEST(IpTablesTest, ApplyVpnSetupRemoveSuccess);
63  FRIEND_TEST(IpTablesTest, ApplyVpnSetupRemoveFailure);
64
65  bool PunchHole(uint16_t port,
66                 const std::string& interface,
67                 std::set<Hole>* holes,
68                 ProtocolEnum protocol);
69  bool PlugHole(uint16_t port,
70                const std::string& interface,
71                std::set<Hole>* holes,
72                ProtocolEnum protocol);
73
74  bool AddAcceptRules(ProtocolEnum protocol,
75                      uint16_t port,
76                      const std::string& interface);
77  bool DeleteAcceptRules(ProtocolEnum protocol,
78                         uint16_t port,
79                         const std::string& interface);
80
81  virtual bool AddAcceptRule(const std::string& executable_path,
82                             ProtocolEnum protocol,
83                             uint16_t port,
84                             const std::string& interface);
85  virtual bool DeleteAcceptRule(const std::string& executable_path,
86                                ProtocolEnum protocol,
87                                uint16_t port,
88                                const std::string& interface);
89
90  bool ApplyVpnSetup(const std::vector<std::string>& usernames,
91                     const std::string& interface,
92                     bool add);
93
94  virtual bool ApplyMasquerade(const std::string& executable_path,
95                               const std::string& interface,
96                               bool add);
97  virtual bool ApplyMasquerade46(const std::string& interface,
98                                 bool add);
99  virtual bool ApplyMarkForUserTraffic(const std::string& executable_path,
100                                       const std::string& user_name,
101                                       bool add);
102  virtual bool ApplyMarkForUserTraffic46(const std::string& username,
103                                         bool add);
104  virtual bool ApplyRuleForUserTraffic(IPVersionEnum ip_version,
105                                       bool add);
106
107  int ExecvNonRoot(const std::vector<std::string>& argv,
108                   uint64_t capmask);
109
110  // Keep track of firewall holes to avoid adding redundant firewall rules.
111  std::set<Hole> tcp_holes_;
112  std::set<Hole> udp_holes_;
113
114  // Tracks whether IPv6 filtering is enabled. If set to |true| (the default),
115  // then it is required to be working. If |false|, then adding of IPv6 rules is
116  // still attempted but not mandatory; however, if it is successful even once,
117  // then it'll be changed to |true| and enforced thereafter.
118  bool ip6_enabled_ = true;
119
120  DISALLOW_COPY_AND_ASSIGN(IpTables);
121};
122
123}  // namespace firewalld
124
125#endif  // FIREWALLD_IPTABLES_H_
126