1/* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#include <android-base/stringprintf.h> 18 19#define LOG_TAG "Netd" 20#include <cutils/log.h> 21 22#include "Controllers.h" 23#include "IdletimerController.h" 24#include "NetworkController.h" 25#include "RouteController.h" 26#include "Stopwatch.h" 27#include "oem_iptables_hook.h" 28 29namespace android { 30namespace net { 31 32namespace { 33/** 34 * List of module chains to be created, along with explicit ordering. ORDERING 35 * IS CRITICAL, AND SHOULD BE TRIPLE-CHECKED WITH EACH CHANGE. 36 */ 37static const char* FILTER_INPUT[] = { 38 // Bandwidth should always be early in input chain, to make sure we 39 // correctly count incoming traffic against data plan. 40 BandwidthController::LOCAL_INPUT, 41 FirewallController::LOCAL_INPUT, 42 NULL, 43}; 44 45static const char* FILTER_FORWARD[] = { 46 OEM_IPTABLES_FILTER_FORWARD, 47 FirewallController::LOCAL_FORWARD, 48 BandwidthController::LOCAL_FORWARD, 49 NatController::LOCAL_FORWARD, 50 NULL, 51}; 52 53static const char* FILTER_OUTPUT[] = { 54 OEM_IPTABLES_FILTER_OUTPUT, 55 FirewallController::LOCAL_OUTPUT, 56 StrictController::LOCAL_OUTPUT, 57 BandwidthController::LOCAL_OUTPUT, 58 NULL, 59}; 60 61static const char* RAW_PREROUTING[] = { 62 BandwidthController::LOCAL_RAW_PREROUTING, 63 IdletimerController::LOCAL_RAW_PREROUTING, 64 NatController::LOCAL_RAW_PREROUTING, 65 NULL, 66}; 67 68static const char* MANGLE_POSTROUTING[] = { 69 OEM_IPTABLES_MANGLE_POSTROUTING, 70 BandwidthController::LOCAL_MANGLE_POSTROUTING, 71 IdletimerController::LOCAL_MANGLE_POSTROUTING, 72 NULL, 73}; 74 75static const char* MANGLE_FORWARD[] = { 76 NatController::LOCAL_MANGLE_FORWARD, 77 NULL, 78}; 79 80static const char* NAT_PREROUTING[] = { 81 OEM_IPTABLES_NAT_PREROUTING, 82 NULL, 83}; 84 85static const char* NAT_POSTROUTING[] = { 86 NatController::LOCAL_NAT_POSTROUTING, 87 NULL, 88}; 89 90static void createChildChains(IptablesTarget target, const char* table, const char* parentChain, 91 const char** childChains, bool exclusive) { 92 std::string command = android::base::StringPrintf("*%s\n", table); 93 94 // If we're the exclusive owner of this chain, clear it entirely. This saves us from having to 95 // run one execIptablesSilently command to delete each child chain. We can't use -D in 96 // iptables-restore because it's a fatal error if the rule doesn't exist. 97 // TODO: Make all chains exclusive once vendor code uses the oem_* rules. 98 if (exclusive) { 99 // Just running ":chain -" flushes user-defined chains, but not built-in chains like INPUT. 100 // Since at this point we don't know if parentChain is a built-in chain, do both. 101 command += android::base::StringPrintf(":%s -\n", parentChain); 102 command += android::base::StringPrintf("-F %s\n", parentChain); 103 } 104 105 const char** childChain = childChains; 106 do { 107 if (!exclusive) { 108 execIptablesSilently(target, "-t", table, "-D", parentChain, "-j", *childChain, NULL); 109 } 110 command += android::base::StringPrintf(":%s -\n", *childChain); 111 command += android::base::StringPrintf("-A %s -j %s\n", parentChain, *childChain); 112 } while (*(++childChain) != NULL); 113 command += "COMMIT\n\n"; 114 execIptablesRestore(target, command); 115} 116 117} // namespace 118 119Controllers::Controllers() : clatdCtrl(&netCtrl) { 120 InterfaceController::initializeAll(); 121} 122 123void Controllers::initIptablesRules() { 124 /* 125 * This is the only time we touch top-level chains in iptables; controllers 126 * should only mutate rules inside of their children chains, as created by 127 * the constants above. 128 * 129 * Modules should never ACCEPT packets (except in well-justified cases); 130 * they should instead defer to any remaining modules using RETURN, or 131 * otherwise DROP/REJECT. 132 */ 133 134 // Create chains for child modules. 135 // We cannot use createChildChainsFast for all chains because vendor code modifies filter OUTPUT 136 // and mangle POSTROUTING directly. 137 Stopwatch s; 138 createChildChains(V4V6, "filter", "INPUT", FILTER_INPUT, true); 139 createChildChains(V4V6, "filter", "FORWARD", FILTER_FORWARD, true); 140 createChildChains(V4V6, "filter", "OUTPUT", FILTER_OUTPUT, false); 141 createChildChains(V4V6, "raw", "PREROUTING", RAW_PREROUTING, true); 142 createChildChains(V4V6, "mangle", "POSTROUTING", MANGLE_POSTROUTING, false); 143 createChildChains(V4V6, "mangle", "FORWARD", MANGLE_FORWARD, true); 144 createChildChains(V4, "nat", "PREROUTING", NAT_PREROUTING, true); 145 createChildChains(V4, "nat", "POSTROUTING", NAT_POSTROUTING, true); 146 ALOGI("Creating child chains: %.1fms", s.getTimeAndReset()); 147 148 // Let each module setup their child chains 149 setupOemIptablesHook(); 150 ALOGI("Setting up OEM hooks: %.1fms", s.getTimeAndReset()); 151 152 /* When enabled, DROPs all packets except those matching rules. */ 153 firewallCtrl.setupIptablesHooks(); 154 ALOGI("Setting up FirewallController hooks: %.1fms", s.getTimeAndReset()); 155 156 /* Does DROPs in FORWARD by default */ 157 natCtrl.setupIptablesHooks(); 158 ALOGI("Setting up NatController hooks: %.1fms", s.getTimeAndReset()); 159 160 /* 161 * Does REJECT in INPUT, OUTPUT. Does counting also. 162 * No DROP/REJECT allowed later in netfilter-flow hook order. 163 */ 164 bandwidthCtrl.setupIptablesHooks(); 165 ALOGI("Setting up BandwidthController hooks: %.1fms", s.getTimeAndReset()); 166 167 /* 168 * Counts in nat: PREROUTING, POSTROUTING. 169 * No DROP/REJECT allowed later in netfilter-flow hook order. 170 */ 171 idletimerCtrl.setupIptablesHooks(); 172 ALOGI("Setting up IdletimerController hooks: %.1fms", s.getTimeAndReset()); 173} 174 175void Controllers::init() { 176 initIptablesRules(); 177 178 Stopwatch s; 179 bandwidthCtrl.enableBandwidthControl(false); 180 ALOGI("Disabling bandwidth control: %.1fms", s.getTimeAndReset()); 181 182 if (int ret = RouteController::Init(NetworkController::LOCAL_NET_ID)) { 183 ALOGE("failed to initialize RouteController (%s)", strerror(-ret)); 184 } 185 ALOGI("Initializing RouteController: %.1fms", s.getTimeAndReset()); 186} 187 188Controllers* gCtls = nullptr; 189 190} // namespace net 191} // namespace android 192