1/* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#ifndef NETD_SERVER_ROUTE_CONTROLLER_H 18#define NETD_SERVER_ROUTE_CONTROLLER_H 19 20#include "NetdConstants.h" 21#include "Permission.h" 22 23#include <sys/types.h> 24#include <linux/netlink.h> 25 26namespace android { 27namespace net { 28 29class UidRanges; 30 31class RouteController { 32public: 33 // How the routing table number is determined for route modification requests. 34 enum TableType { 35 INTERFACE, // Compute the table number based on the interface index. 36 LOCAL_NETWORK, // A fixed table used for routes to directly-connected clients/peers. 37 LEGACY_NETWORK, // Use a fixed table that's used to override the default network. 38 LEGACY_SYSTEM, // A fixed table, only modifiable by system apps; overrides VPNs too. 39 }; 40 41 static const int ROUTE_TABLE_OFFSET_FROM_INDEX = 1000; 42 43 static const char* const LOCAL_MANGLE_INPUT; 44 45 static int Init(unsigned localNetId) WARN_UNUSED_RESULT; 46 47 static int addInterfaceToLocalNetwork(unsigned netId, const char* interface) WARN_UNUSED_RESULT; 48 static int removeInterfaceFromLocalNetwork(unsigned netId, 49 const char* interface) WARN_UNUSED_RESULT; 50 51 static int addInterfaceToPhysicalNetwork(unsigned netId, const char* interface, 52 Permission permission) WARN_UNUSED_RESULT; 53 static int removeInterfaceFromPhysicalNetwork(unsigned netId, const char* interface, 54 Permission permission) WARN_UNUSED_RESULT; 55 56 static int addInterfaceToVirtualNetwork(unsigned netId, const char* interface, bool secure, 57 const UidRanges& uidRanges) WARN_UNUSED_RESULT; 58 static int removeInterfaceFromVirtualNetwork(unsigned netId, const char* interface, bool secure, 59 const UidRanges& uidRanges) WARN_UNUSED_RESULT; 60 61 static int modifyPhysicalNetworkPermission(unsigned netId, const char* interface, 62 Permission oldPermission, 63 Permission newPermission) WARN_UNUSED_RESULT; 64 65 static int addUsersToVirtualNetwork(unsigned netId, const char* interface, bool secure, 66 const UidRanges& uidRanges) WARN_UNUSED_RESULT; 67 static int removeUsersFromVirtualNetwork(unsigned netId, const char* interface, bool secure, 68 const UidRanges& uidRanges) WARN_UNUSED_RESULT; 69 70 static int addUsersToRejectNonSecureNetworkRule(const UidRanges& uidRanges) 71 WARN_UNUSED_RESULT; 72 static int removeUsersFromRejectNonSecureNetworkRule(const UidRanges& uidRanges) 73 WARN_UNUSED_RESULT; 74 75 static int addInterfaceToDefaultNetwork(const char* interface, 76 Permission permission) WARN_UNUSED_RESULT; 77 static int removeInterfaceFromDefaultNetwork(const char* interface, 78 Permission permission) WARN_UNUSED_RESULT; 79 80 // |nexthop| can be NULL (to indicate a directly-connected route), "unreachable" (to indicate a 81 // route that's blocked), "throw" (to indicate the lack of a match), or a regular IP address. 82 static int addRoute(const char* interface, const char* destination, const char* nexthop, 83 TableType tableType) WARN_UNUSED_RESULT; 84 static int removeRoute(const char* interface, const char* destination, const char* nexthop, 85 TableType tableType) WARN_UNUSED_RESULT; 86 87 static int enableTethering(const char* inputInterface, 88 const char* outputInterface) WARN_UNUSED_RESULT; 89 static int disableTethering(const char* inputInterface, 90 const char* outputInterface) WARN_UNUSED_RESULT; 91 92 static int addVirtualNetworkFallthrough(unsigned vpnNetId, const char* physicalInterface, 93 Permission permission) WARN_UNUSED_RESULT; 94 static int removeVirtualNetworkFallthrough(unsigned vpnNetId, const char* physicalInterface, 95 Permission permission) WARN_UNUSED_RESULT; 96 97 // For testing. 98 static int (*iptablesRestoreCommandFunction)(IptablesTarget, const std::string&, 99 const std::string&, std::string *); 100}; 101 102// Public because they are called by by RouteControllerTest.cpp. 103// TODO: come up with a scheme of unit testing this code that does not rely on making all its 104// functions public. 105int modifyIpRoute(uint16_t action, uint32_t table, const char* interface, const char* destination, 106 const char* nexthop) WARN_UNUSED_RESULT; 107int flushRoutes(uint32_t table) WARN_UNUSED_RESULT; 108uint32_t getRulePriority(const nlmsghdr *nlh); 109WARN_UNUSED_RESULT int modifyIncomingPacketMark(unsigned netId, const char* interface, 110 Permission permission, bool add); 111 112} // namespace net 113} // namespace android 114 115#endif // NETD_SERVER_ROUTE_CONTROLLER_H 116