1/*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include <android-base/stringprintf.h>
18
19#define LOG_TAG "Netd"
20#include <cutils/log.h>
21
22#include "Controllers.h"
23#include "IdletimerController.h"
24#include "NetworkController.h"
25#include "RouteController.h"
26#include "Stopwatch.h"
27#include "oem_iptables_hook.h"
28
29namespace android {
30namespace net {
31
32namespace {
33/**
34 * List of module chains to be created, along with explicit ordering. ORDERING
35 * IS CRITICAL, AND SHOULD BE TRIPLE-CHECKED WITH EACH CHANGE.
36 */
37static const char* FILTER_INPUT[] = {
38        // Bandwidth should always be early in input chain, to make sure we
39        // correctly count incoming traffic against data plan.
40        BandwidthController::LOCAL_INPUT,
41        FirewallController::LOCAL_INPUT,
42        NULL,
43};
44
45static const char* FILTER_FORWARD[] = {
46        OEM_IPTABLES_FILTER_FORWARD,
47        FirewallController::LOCAL_FORWARD,
48        BandwidthController::LOCAL_FORWARD,
49        NatController::LOCAL_FORWARD,
50        NULL,
51};
52
53static const char* FILTER_OUTPUT[] = {
54        OEM_IPTABLES_FILTER_OUTPUT,
55        FirewallController::LOCAL_OUTPUT,
56        StrictController::LOCAL_OUTPUT,
57        BandwidthController::LOCAL_OUTPUT,
58        NULL,
59};
60
61static const char* RAW_PREROUTING[] = {
62        BandwidthController::LOCAL_RAW_PREROUTING,
63        IdletimerController::LOCAL_RAW_PREROUTING,
64        NatController::LOCAL_RAW_PREROUTING,
65        NULL,
66};
67
68static const char* MANGLE_POSTROUTING[] = {
69        OEM_IPTABLES_MANGLE_POSTROUTING,
70        BandwidthController::LOCAL_MANGLE_POSTROUTING,
71        IdletimerController::LOCAL_MANGLE_POSTROUTING,
72        NULL,
73};
74
75static const char* MANGLE_FORWARD[] = {
76        NatController::LOCAL_MANGLE_FORWARD,
77        NULL,
78};
79
80static const char* NAT_PREROUTING[] = {
81        OEM_IPTABLES_NAT_PREROUTING,
82        NULL,
83};
84
85static const char* NAT_POSTROUTING[] = {
86        NatController::LOCAL_NAT_POSTROUTING,
87        NULL,
88};
89
90static void createChildChains(IptablesTarget target, const char* table, const char* parentChain,
91        const char** childChains, bool exclusive) {
92    std::string command = android::base::StringPrintf("*%s\n", table);
93
94    // If we're the exclusive owner of this chain, clear it entirely. This saves us from having to
95    // run one execIptablesSilently command to delete each child chain. We can't use -D in
96    // iptables-restore because it's a fatal error if the rule doesn't exist.
97    // TODO: Make all chains exclusive once vendor code uses the oem_* rules.
98    if (exclusive) {
99        // Just running ":chain -" flushes user-defined chains, but not built-in chains like INPUT.
100        // Since at this point we don't know if parentChain is a built-in chain, do both.
101        command += android::base::StringPrintf(":%s -\n", parentChain);
102        command += android::base::StringPrintf("-F %s\n", parentChain);
103    }
104
105    const char** childChain = childChains;
106    do {
107        if (!exclusive) {
108            execIptablesSilently(target, "-t", table, "-D", parentChain, "-j", *childChain, NULL);
109        }
110        command += android::base::StringPrintf(":%s -\n", *childChain);
111        command += android::base::StringPrintf("-A %s -j %s\n", parentChain, *childChain);
112    } while (*(++childChain) != NULL);
113    command += "COMMIT\n\n";
114    execIptablesRestore(target, command);
115}
116
117}  // namespace
118
119Controllers::Controllers() : clatdCtrl(&netCtrl) {
120    InterfaceController::initializeAll();
121}
122
123void Controllers::initIptablesRules() {
124    /*
125     * This is the only time we touch top-level chains in iptables; controllers
126     * should only mutate rules inside of their children chains, as created by
127     * the constants above.
128     *
129     * Modules should never ACCEPT packets (except in well-justified cases);
130     * they should instead defer to any remaining modules using RETURN, or
131     * otherwise DROP/REJECT.
132     */
133
134    // Create chains for child modules.
135    // We cannot use createChildChainsFast for all chains because vendor code modifies filter OUTPUT
136    // and mangle POSTROUTING directly.
137    Stopwatch s;
138    createChildChains(V4V6, "filter", "INPUT", FILTER_INPUT, true);
139    createChildChains(V4V6, "filter", "FORWARD", FILTER_FORWARD, true);
140    createChildChains(V4V6, "filter", "OUTPUT", FILTER_OUTPUT, false);
141    createChildChains(V4V6, "raw", "PREROUTING", RAW_PREROUTING, true);
142    createChildChains(V4V6, "mangle", "POSTROUTING", MANGLE_POSTROUTING, false);
143    createChildChains(V4V6, "mangle", "FORWARD", MANGLE_FORWARD, true);
144    createChildChains(V4, "nat", "PREROUTING", NAT_PREROUTING, true);
145    createChildChains(V4, "nat", "POSTROUTING", NAT_POSTROUTING, true);
146    ALOGI("Creating child chains: %.1fms", s.getTimeAndReset());
147
148    // Let each module setup their child chains
149    setupOemIptablesHook();
150    ALOGI("Setting up OEM hooks: %.1fms", s.getTimeAndReset());
151
152    /* When enabled, DROPs all packets except those matching rules. */
153    firewallCtrl.setupIptablesHooks();
154    ALOGI("Setting up FirewallController hooks: %.1fms", s.getTimeAndReset());
155
156    /* Does DROPs in FORWARD by default */
157    natCtrl.setupIptablesHooks();
158    ALOGI("Setting up NatController hooks: %.1fms", s.getTimeAndReset());
159
160    /*
161     * Does REJECT in INPUT, OUTPUT. Does counting also.
162     * No DROP/REJECT allowed later in netfilter-flow hook order.
163     */
164    bandwidthCtrl.setupIptablesHooks();
165    ALOGI("Setting up BandwidthController hooks: %.1fms", s.getTimeAndReset());
166
167    /*
168     * Counts in nat: PREROUTING, POSTROUTING.
169     * No DROP/REJECT allowed later in netfilter-flow hook order.
170     */
171    idletimerCtrl.setupIptablesHooks();
172    ALOGI("Setting up IdletimerController hooks: %.1fms", s.getTimeAndReset());
173}
174
175void Controllers::init() {
176    initIptablesRules();
177
178    Stopwatch s;
179    bandwidthCtrl.enableBandwidthControl(false);
180    ALOGI("Disabling bandwidth control: %.1fms", s.getTimeAndReset());
181
182    if (int ret = RouteController::Init(NetworkController::LOCAL_NET_ID)) {
183        ALOGE("failed to initialize RouteController (%s)", strerror(-ret));
184    }
185    ALOGI("Initializing RouteController: %.1fms", s.getTimeAndReset());
186}
187
188Controllers* gCtls = nullptr;
189
190}  // namespace net
191}  // namespace android
192