iptables.h revision d66fae25e69366d77c7b1db7e27aa23b6b393f55
// Copyright 2014 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef FIREWALLD_IPTABLES_H_
#define FIREWALLD_IPTABLES_H_

#include <stdint.h>

#include <set>
#include <string>
#include <utility>
#include <vector>

#include <base/macros.h>
#include <chromeos/errors/error.h>

#include "firewalld/dbus_adaptor/org.chromium.Firewalld.h"

namespace firewalld {

// Transport protocol a firewall hole applies to. Used to select which
// accept rule (TCP or UDP) is added or deleted and which hole set tracks it.
enum ProtocolEnum { kProtocolTcp, kProtocolUdp };

// Implementation of the org.chromium.Firewalld D-Bus interface.
//
// Callers open ("punch") and close ("plug") per-port firewall holes on a
// named interface and set up / tear down VPN routing for a list of users.
// The class remembers every open hole (tcp_holes_ / udp_holes_) so that the
// same rule is not added twice and so that PlugAllHoles() can remove them
// all. The ip4_exec_path_ / ip6_exec_path_ members and the executable_path
// parameter of AddAcceptRule/DeleteAcceptRule indicate that rules are applied
// by running external iptables binaries; the exact invocation lives in the
// .cc file and is not visible here.
//
// NOTE(review): in_port / in_interface / usernames / interface arrive over
// D-Bus and, per the signatures below, are forwarded down to the rule
// helpers. Confirm in the .cc that an interface name and a user name are
// validated (character set, length) before being used as arguments to the
// iptables executables, and that every D-Bus method returns false rather
// than leaving a partially applied rule set when a step fails.
class IpTables : public org::chromium::FirewalldInterface {
 public:
  // An open firewall hole: (port, interface name).
  typedef std::pair<uint16_t, std::string> Hole;

  IpTables();
  // NOTE(review): not declared virtual/override here; the base interface's
  // destructor is not visible in this header, so confirm it is virtual if
  // instances are ever deleted through a FirewalldInterface pointer.
  ~IpTables();

  // D-Bus methods.
  // Each returns true on success, false on failure. Punch* open a hole for
  // the given port on in_interface; Plug* close it again. The protocol is
  // fixed by the method name (see ProtocolEnum).
  bool PunchTcpHole(uint16_t in_port, const std::string& in_interface) override;
  bool PunchUdpHole(uint16_t in_port, const std::string& in_interface) override;
  bool PlugTcpHole(uint16_t in_port, const std::string& in_interface) override;
  bool PlugUdpHole(uint16_t in_port, const std::string& in_interface) override;

  // Set up / remove VPN handling for the given users on |interface|.
  // Both are expected to be thin wrappers over ApplyVpnSetup() with
  // add == true / add == false respectively (see the private section).
  bool RequestVpnSetup(const std::vector<std::string>& usernames,
                       const std::string& interface) override;
  bool RemoveVpnSetup(const std::vector<std::string>& usernames,
                      const std::string& interface) override;

  // Close all outstanding firewall holes.
  void PlugAllHoles();

 protected:
  // Test-only.
  // Lets tests substitute the paths of the IPv4 / IPv6 iptables executables
  // (stored in ip4_exec_path_ / ip6_exec_path_).
  explicit IpTables(const std::string& ip4_path, const std::string& ip6_path);

 private:
  friend class IpTablesTest;
  FRIEND_TEST(IpTablesTest, ApplyVpnSetupAddSuccess);
  FRIEND_TEST(IpTablesTest, ApplyVpnSetupAddFailureInUsername);
  FRIEND_TEST(IpTablesTest, ApplyVpnSetupAddFailureInMasquerade);
  FRIEND_TEST(IpTablesTest, ApplyVpnSetupAddFailureInRuleForUserTraffic);
  FRIEND_TEST(IpTablesTest, ApplyVpnSetupRemoveSuccess);
  FRIEND_TEST(IpTablesTest, ApplyVpnSetupRemoveFailure);

  // Shared implementation behind the Punch*/Plug* D-Bus methods.
  // |holes| is the per-protocol set (tcp_holes_ or udp_holes_) that records
  // which (port, interface) pairs are currently open; |protocol| selects the
  // rule to add or delete.
  bool PunchHole(uint16_t port,
                 const std::string& interface,
                 std::set<Hole>* holes,
                 ProtocolEnum protocol);
  bool PlugHole(uint16_t port,
                const std::string& interface,
                std::set<Hole>* holes,
                ProtocolEnum protocol);

  // Plural forms take no executable path and presumably apply the rule
  // through both ip4_exec_path_ and ip6_exec_path_ by calling the singular
  // forms below — TODO confirm against the .cc.
  bool AddAcceptRules(ProtocolEnum protocol,
                      uint16_t port,
                      const std::string& interface);
  bool DeleteAcceptRules(ProtocolEnum protocol,
                         uint16_t port,
                         const std::string& interface);
  // Add / delete a single accept rule using the iptables binary at
  // |executable_path|. |interface| ends up as an argument to that binary,
  // so it must already be a validated interface name at this point.
  bool AddAcceptRule(const std::string& executable_path,
                     ProtocolEnum protocol,
                     uint16_t port,
                     const std::string& interface);
  bool DeleteAcceptRule(const std::string& executable_path,
                        ProtocolEnum protocol,
                        uint16_t port,
                        const std::string& interface);

  // Apply (add == true) or remove (add == false) the full VPN rule set for
  // |usernames| on |interface|. The FRIEND_TEST names above indicate it is
  // composed of the three virtual steps below and can fail at any of them.
  bool ApplyVpnSetup(const std::vector<std::string>& usernames,
                     const std::string& interface,
                     bool add);

  // The following steps are virtual presumably so that tests can override
  // them to inject failures (see the ApplyVpnSetup*Failure* friend tests).
  virtual bool ApplyMasquerade(const std::string& interface,
                               bool add);

  virtual bool ApplyMarkForUserTraffic(const std::string& user_name,
                                       bool add);

  virtual bool ApplyRuleForUserTraffic(bool add);

  // Paths of the IPv4 and IPv6 iptables executables.
  std::string ip4_exec_path_;
  std::string ip6_exec_path_;

  // Keep track of firewall holes to avoid adding redundant firewall rules.
  std::set<Hole> tcp_holes_;
  std::set<Hole> udp_holes_;

  DISALLOW_COPY_AND_ASSIGN(IpTables);
};

}  // namespace firewalld

#endif  // FIREWALLD_IPTABLES_H_