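#!/system/bin/sh

#### DESCRIPTION ####
# This script sets up any static iptables rules required for the Wrigley.  For
# this to work, we require hooks in system/netd/ to jump to a special "oem"
# chain for any tables/chains we want to modify.

# NOTE: This script is called every time the netd service is started.  To
# handle the case where netd has crashed/stopped and is restarted, attempt to
# flush any chains we create before adding to them; this will avoid duplicate
# rules.  We don't attempt to delete our additions to the base "hook" chains,
# because that's netd's job.  So, for each sub-chain we create in here, we do
# -N (new) to handle the case where we've never been called before, and we do
# -F (flush) to handle the case where we have been called before.  Both no-op
# gracefully (see reset_chain below).

# NOTE: The firewalling rules done in here for protecting specific ports from
# unauthorized access are necessary for security, but should be replaced by a
# connection-based authentication scheme instead.  By using iptables, we are
# creating compatibility issues with Google's Ice Cream Sandwich, and are
# adding unnecessary latency to all packets that go through Netfilter.  If it
# were not for the current implementation, we would only need a hook in the
# nat/PREROUTING chain, and the hooks in filter/OUTPUT & filter/FORWARD could
# go away.
# TODO: Implement a connection-based auth scheme for Wrigley control and
# TODO: diagnostics ports.

# NOTE: Our usage of the static 192.168.20.0/24 for the Wrigley IP address can
# cause conflicts with DHCP-assigned WiFi addresses.  When coupled with the
# firewall below, this ensures that WiFi will not work if we get assigned an
# address in that range.
# TODO: Find a way to blacklist the range above in the WiFi driver, so that we
# TODO: reject attempts from a WiFi AP to assign anything in that range to us.

# Absolute path on purpose: init scripts must not depend on PATH lookup.
IPTABLES="/system/bin/iptables"

# Single source of truth for the values shared by the filter OUTPUT, filter
# FORWARD and nat PREROUTING sections below.  Keeping the sensitive-port list
# in one place is what guarantees that a port protected in OUTPUT is also
# refused in FORWARD; previously the list was maintained by hand in both.
WRIGLEY_IP="192.168.20.2"
SENSITIVE_TCP_PORTS="3265 3267 11000"
# Address the legacy tools (RTA/PST) send the SUAPI logger traffic to; it is
# rewritten to the Wrigley address in nat PREROUTING.
LEGACY_SUAPI_IP="192.168.16.2"
SUAPI_LOGGER_PORT="11006"

# Android IDs referred to as root, radio and shell in the rule comments.
UID_ROOT=0
UID_RADIO=1001
UID_SHELL=2000

# ro.bootmode is consulted by two sections below; read it once.
BOOTMODE=$(getprop ro.bootmode)

# reset_chain CHAIN
#   Leave CHAIN existing and empty whether or not this script ran before:
#   -F fails harmlessly on the 1st instance (the chain does not exist yet) and
#   -N fails harmlessly on the 2nd-Nth instance (the chain already exists).
#   Neither failure is silenced, so it still shows up in the log as before.
reset_chain() {
    "$IPTABLES" -F "$1"
    "$IPTABLES" -N "$1"
}

# allow_only_uids CHAIN UID...
#   Turn CHAIN into an owner whitelist: ACCEPT packets generated by each of the
#   given UIDs and REJECT everything else.  The owner match only applies to
#   locally generated packets, which is why it is used in filter/OUTPUT and
#   cannot be used in filter/FORWARD.
allow_only_uids() {
    local chain uid
    chain=$1
    shift
    for uid in "$@"; do
        "$IPTABLES" -A "$chain" -m owner --uid-owner "$uid" -j ACCEPT
    done
    "$IPTABLES" -A "$chain" -j REJECT
}

#### filter OUTPUT ####
# Set up an explicit sub-chain for the Wrigley address.  This way we only
# burden all other packets with a single check for the IP address.
reset_chain oem_out_wrigley
"$IPTABLES" -A oem_out -d "$WRIGLEY_IP" -j oem_out_wrigley

# Set up different rules for sensitive ports vs other ports.  There are more
# non-sensitive than sensitive ports, and the non-sensitive list is fairly
# dynamic.  So, do a blacklist instead of a whitelist.
reset_chain oem_out_wrigley_sens
reset_chain oem_out_wrigley_other
# shellcheck disable=SC2086 -- intentional word-splitting of the port list
for port in $SENSITIVE_TCP_PORTS; do
    "$IPTABLES" -A oem_out_wrigley -p tcp --dport "$port" -j oem_out_wrigley_sens
done
"$IPTABLES" -A oem_out_wrigley -j oem_out_wrigley_other

# Sensitive ports only allow root and radio to access them.
allow_only_uids oem_out_wrigley_sens "$UID_ROOT" "$UID_RADIO"

# Other ports allow root, radio, and shell to access them.
allow_only_uids oem_out_wrigley_other "$UID_ROOT" "$UID_RADIO" "$UID_SHELL"

#### filter FORWARD ####
# We only want forwarding in BP Tools Mode.
case "$BOOTMODE" in
bp-tools)
    # Only allow forwarding on non-sensitive ports (same list as OUTPUT above).
    # There are more non-sensitive than sensitive ports, and the non-sensitive
    # list is fairly dynamic.  So, do a blacklist instead of a whitelist.
    # Forwarded packets have no local owner, so unlike OUTPUT the sensitive
    # ports are refused outright instead of being restricted to certain UIDs.
    reset_chain oem_fwd_wrigley
    "$IPTABLES" -A oem_fwd -d "$WRIGLEY_IP" -j oem_fwd_wrigley
    "$IPTABLES" -A oem_fwd -s "$WRIGLEY_IP" -j oem_fwd_wrigley
    # shellcheck disable=SC2086 -- intentional word-splitting of the port list
    for port in $SENSITIVE_TCP_PORTS; do
        "$IPTABLES" -A oem_fwd_wrigley -p tcp --dport "$port" -j REJECT
    done
    "$IPTABLES" -A oem_fwd_wrigley -j ACCEPT
    ;;
*)
    # NOTE(review): only the -d direction is rejected here, whereas the
    # bp-tools arm hooks both -d and -s; confirm that the FORWARD chain's
    # default policy already covers traffic sourced from the Wrigley.
    "$IPTABLES" -A oem_fwd -d "$WRIGLEY_IP" -j REJECT
    ;;
esac

#### nat PREROUTING ####
case "$BOOTMODE" in
bp-tools)
    # We must rewrite the destination address for our SUAPI logger port to the
    # address of the BLAN, because legacy tools (RTA/PST) rely on this.
    "$IPTABLES" -t nat -A oem_nat_pre -p tcp -d "$LEGACY_SUAPI_IP" \
        --dport "$SUAPI_LOGGER_PORT" -j DNAT --to "$WRIGLEY_IP:$SUAPI_LOGGER_PORT"
    ;;
esac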
     96