iptables.h revision c20ed4ff74624300767ba77bc7deea8eb881527e
1// Copyright 2014 The Android Open Source Project 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15#ifndef FIREWALLD_IPTABLES_H_ 16#define FIREWALLD_IPTABLES_H_ 17 18#include <stdint.h> 19 20#include <set> 21#include <string> 22#include <utility> 23#include <vector> 24 25#include <base/macros.h> 26#include <chromeos/errors/error.h> 27 28#include "dbus_bindings/org.chromium.Firewalld.h" 29 30namespace firewalld { 31 32enum ProtocolEnum { kProtocolTcp, kProtocolUdp }; 33 34class IpTables : public org::chromium::FirewalldInterface { 35 public: 36 typedef std::pair<uint16_t, std::string> Hole; 37 38 IpTables(); 39 ~IpTables(); 40 41 // D-Bus methods. 42 bool PunchTcpHole(uint16_t in_port, const std::string& in_interface) override; 43 bool PunchUdpHole(uint16_t in_port, const std::string& in_interface) override; 44 bool PlugTcpHole(uint16_t in_port, const std::string& in_interface) override; 45 bool PlugUdpHole(uint16_t in_port, const std::string& in_interface) override; 46 47 bool RequestVpnSetup(const std::vector<std::string>& usernames, 48 const std::string& interface) override; 49 bool RemoveVpnSetup(const std::vector<std::string>& usernames, 50 const std::string& interface) override; 51 52 // Close all outstanding firewall holes. 53 void PlugAllHoles(); 54 55 private: 56 friend class IpTablesTest; 57 FRIEND_TEST(IpTablesTest, ApplyVpnSetupAddSuccess); 58 FRIEND_TEST(IpTablesTest, ApplyVpnSetupAddFailureInUsername); 59 FRIEND_TEST(IpTablesTest, ApplyVpnSetupAddFailureInMasquerade); 60 FRIEND_TEST(IpTablesTest, ApplyVpnSetupAddFailureInRuleForUserTraffic); 61 FRIEND_TEST(IpTablesTest, ApplyVpnSetupRemoveSuccess); 62 FRIEND_TEST(IpTablesTest, ApplyVpnSetupRemoveFailure); 63 64 bool PunchHole(uint16_t port, 65 const std::string& interface, 66 std::set<Hole>* holes, 67 ProtocolEnum protocol); 68 bool PlugHole(uint16_t port, 69 const std::string& interface, 70 std::set<Hole>* holes, 71 ProtocolEnum protocol); 72 73 bool AddAcceptRules(ProtocolEnum protocol, 74 uint16_t port, 75 const std::string& interface); 76 bool DeleteAcceptRules(ProtocolEnum protocol, 77 uint16_t port, 78 const std::string& interface); 79 80 virtual bool AddAcceptRule(const std::string& executable_path, 81 ProtocolEnum protocol, 82 uint16_t port, 83 const std::string& interface); 84 virtual bool DeleteAcceptRule(const std::string& executable_path, 85 ProtocolEnum protocol, 86 uint16_t port, 87 const std::string& interface); 88 89 bool ApplyVpnSetup(const std::vector<std::string>& usernames, 90 const std::string& interface, 91 bool add); 92 93 virtual bool ApplyMasquerade(const std::string& interface, bool add); 94 virtual bool ApplyMarkForUserTraffic(const std::string& user_name, bool add); 95 virtual bool ApplyRuleForUserTraffic(bool add); 96 97 int ExecvNonRoot(const std::vector<std::string>& argv, 98 uint64_t capmask); 99 100 // Keep track of firewall holes to avoid adding redundant firewall rules. 101 std::set<Hole> tcp_holes_; 102 std::set<Hole> udp_holes_; 103 104 // Tracks whether IPv6 filtering is enabled. If set to |true| (the default), 105 // then it is required to be working. If |false|, then adding of IPv6 rules is 106 // still attempted but not mandatory; however, if it is successful even once, 107 // then it'll be changed to |true| and enforced thereafter. 108 bool ip6_enabled_ = true; 109 110 DISALLOW_COPY_AND_ASSIGN(IpTables); 111}; 112 113} // namespace firewalld 114 115#endif // FIREWALLD_IPTABLES_H_ 116