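/*
 * Copyright (C) 2012 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOG_TAG "FirewallController"
#define LOG_NDEBUG 0

#include <cutils/log.h>

#include "NetdConstants.h"
#include "FirewallController.h"

// Netd-owned chains that hold every rule this controller manages. Presumably
// the built-in INPUT/OUTPUT/FORWARD chains jump into them; that wiring is not
// done in this file (see setupIptablesHooks).
const char* FirewallController::LOCAL_INPUT = "fw_INPUT";
const char* FirewallController::LOCAL_OUTPUT = "fw_OUTPUT";
const char* FirewallController::LOCAL_FORWARD = "fw_FORWARD";

namespace {

// Maps a FirewallRule to the iptables operation that realises it.
//
// ALLOW inserts ("-I") an exception at the head of the chain, i.e. ahead of
// the terminal DROP/REJECT that enableFirewall appends; any other value
// deletes ("-D") that exception again.
//
// NOTE(review): "-D" removes a single matching rule, so an exception that was
// inserted twice needs two DISALLOW calls before it is really gone. Confirm
// that callers never double-insert.
const char* opForRule(FirewallRule rule) {
    return (rule == ALLOW) ? "-I" : "-D";
}

// Picks the iptables binary for an address literal: anything containing a
// colon is treated as IPv6, everything else as IPv4. `addr` must be non-NULL.
IptablesTarget targetForAddress(const char* addr) {
    return strchr(addr, ':') ? V6 : V4;
}

}  // namespace

FirewallController::FirewallController(void) {
}

// Placeholder: no hooks are installed here yet; always reports success.
int FirewallController::setupIptablesHooks(void) {
    return 0;
}

// Turns the firewall on: flushes the managed chains and installs a terminal
// default-deny rule in each of them (DROP on input, REJECT on output/forward).
// Exceptions are later inserted ahead of these rules by the set*Rule methods.
//
// Returns 0 on success, otherwise the OR of the failing execIptables results.
int FirewallController::enableFirewall(void) {
    int res = 0;

    // Flush any existing rules. The flush result is deliberately not folded
    // into `res`: a failed flush here does not stop us from installing the
    // default-deny rules below, which is the part that actually matters.
    disableFirewall();

    // Create the default rule to drop all traffic.
    res |= execIptables(V4V6, "-A", LOCAL_INPUT, "-j", "DROP", NULL);
    res |= execIptables(V4V6, "-A", LOCAL_OUTPUT, "-j", "REJECT", NULL);
    res |= execIptables(V4V6, "-A", LOCAL_FORWARD, "-j", "REJECT", NULL);

    return res;
}

// Turns the firewall off by flushing every rule, including the default-deny
// ones, from the managed chains for both address families.
//
// Returns 0 on success, otherwise the OR of the failing execIptables results.
int FirewallController::disableFirewall(void) {
    int res = 0;

    // Flush any existing rules.
    res |= execIptables(V4V6, "-F", LOCAL_INPUT, NULL);
    res |= execIptables(V4V6, "-F", LOCAL_OUTPUT, NULL);
    res |= execIptables(V4V6, "-F", LOCAL_FORWARD, NULL);

    return res;
}

// Not implemented: always returns -1 ("unknown"). Callers must not read this
// as "disabled".
int FirewallController::isFirewallEnabled(void) {
    // TODO: verify that rules are still in place near top
    return -1;
}

// Allows (or stops allowing) all traffic entering or leaving `iface`, for both
// address families, by inserting/deleting a RETURN rule ahead of the default
// deny in fw_INPUT ("-i") and fw_OUTPUT ("-o").
//
// Returns -1 if `iface` is NULL, otherwise 0 on success or the OR of the
// failing execIptables results.
int FirewallController::setInterfaceRule(const char* iface, FirewallRule rule) {
    // A NULL here would terminate the execIptables argument list early and
    // run a truncated command; refuse it instead.
    if (iface == NULL) {
        return -1;
    }

    const char* op = opForRule(rule);

    int res = 0;
    res |= execIptables(V4V6, op, LOCAL_INPUT, "-i", iface, "-j", "RETURN", NULL);
    res |= execIptables(V4V6, op, LOCAL_OUTPUT, "-o", iface, "-j", "RETURN", NULL);
    return res;
}

// Allows (or stops allowing) all traffic to/from the local address `addr`:
// inbound packets destined to it ("-d" in fw_INPUT) and outbound packets
// sourced from it ("-s" in fw_OUTPUT). Only the address family of `addr`
// is touched.
//
// Returns -1 if `addr` is NULL, otherwise 0 on success or the OR of the
// failing execIptables results.
int FirewallController::setEgressSourceRule(const char* addr, FirewallRule rule) {
    // targetForAddress() dereferences addr; reject NULL up front.
    if (addr == NULL) {
        return -1;
    }

    IptablesTarget target = targetForAddress(addr);
    const char* op = opForRule(rule);

    int res = 0;
    res |= execIptables(target, op, LOCAL_INPUT, "-d", addr, "-j", "RETURN", NULL);
    res |= execIptables(target, op, LOCAL_OUTPUT, "-s", addr, "-j", "RETURN", NULL);
    return res;
}

// Allows (or stops allowing) traffic exchanged with the remote endpoint
// `addr`:`port` over `protocol`: inbound packets from it (fw_INPUT, "-s" and
// "--sport") and outbound packets to it (fw_OUTPUT, "-d" and "--dport").
// Only the address family of `addr` is touched.
//
// `protocol` and `port` are rendered as decimal integers; no range check is
// done here, iptables rejects nonsense values itself.
//
// Returns -1 if `addr` is NULL, otherwise 0 on success or the OR of the
// failing execIptables results.
int FirewallController::setEgressDestRule(const char* addr, int protocol, int port,
        FirewallRule rule) {
    // targetForAddress() dereferences addr; reject NULL up front.
    if (addr == NULL) {
        return -1;
    }

    IptablesTarget target = targetForAddress(addr);

    // 16 bytes comfortably holds any decimal int plus the terminator; the
    // bounded formatting just makes that explicit.
    char protocolStr[16];
    snprintf(protocolStr, sizeof(protocolStr), "%d", protocol);

    char portStr[16];
    snprintf(portStr, sizeof(portStr), "%d", port);

    const char* op = opForRule(rule);

    int res = 0;
    res |= execIptables(target, op, LOCAL_INPUT, "-s", addr, "-p", protocolStr,
            "--sport", portStr, "-j", "RETURN", NULL);
    res |= execIptables(target, op, LOCAL_OUTPUT, "-d", addr, "-p", protocolStr,
            "--dport", portStr, "-j", "RETURN", NULL);
    return res;
}

// Allows (or stops allowing) all traffic owned by `uid` (iptables "owner"
// match), for both address families, in fw_INPUT and fw_OUTPUT.
//
// Returns 0 on success, otherwise the OR of the failing execIptables results.
int FirewallController::setUidRule(int uid, FirewallRule rule) {
    // Bounded formatting of the uid; see setEgressDestRule for the sizing.
    char uidStr[16];
    snprintf(uidStr, sizeof(uidStr), "%d", uid);

    const char* op = opForRule(rule);

    int res = 0;
    res |= execIptables(V4V6, op, LOCAL_INPUT, "-m", "owner", "--uid-owner", uidStr,
            "-j", "RETURN", NULL);
    res |= execIptables(V4V6, op, LOCAL_OUTPUT, "-m", "owner", "--uid-owner", uidStr,
            "-j", "RETURN", NULL);
    return res;
}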