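/*
 * Copyright (C) 2012 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOG_TAG "FirewallController"
#define LOG_NDEBUG 0

#include <cutils/log.h>

#include "NetdConstants.h"
#include "FirewallController.h"

// Chains owned by this controller. The same names are used in both the IPv4
// and IPv6 tables (every rule below is installed via V4V6 or per family).
// Nothing in this file creates the chains or hooks them into the built-in
// INPUT/OUTPUT/FORWARD chains, so they are assumed to exist already.
const char* FirewallController::LOCAL_INPUT = "fw_INPUT";
const char* FirewallController::LOCAL_OUTPUT = "fw_OUTPUT";
const char* FirewallController::LOCAL_FORWARD = "fw_FORWARD";

// Maps a FirewallRule to the iptables operation that implements it on the
// fw_* chains: ALLOW inserts a RETURN rule at the head of the chain (ahead of
// the default-deny terminator appended by enableFirewall); any other value
// deletes that rule again.
//
// Note that "-D" removes only the first matching rule. If ALLOW was applied
// more than once for the same key, a single DENY leaves a copy in place and
// the traffic stays allowed until DENY has been repeated as many times.
static const char* ruleOp(FirewallRule rule) {
    return (rule == ALLOW) ? "-I" : "-D";
}

// Chooses the table family for an address literal: anything containing ':'
// is treated as IPv6, everything else as IPv4. No further syntax checking is
// done here; iptables rejects malformed addresses itself. Caller guarantees
// addr is non-NULL.
static IptablesTarget targetForAddr(const char* addr) {
    return strchr(addr, ':') ? V6 : V4;
}

FirewallController::FirewallController(void) {
}

// Nothing to install: the fw_* chains are expected to be created and hooked
// elsewhere. Always returns 0.
int FirewallController::setupIptablesHooks(void) {
    return 0;
}

// Installs the default-deny policy. Any rules from a previous session are
// flushed first so that stale RETURN (allow) rules cannot survive a
// re-enable. Returns 0 on success, non-zero if any iptables invocation
// failed.
int FirewallController::enableFirewall(void) {
    int res = 0;

    // A failed flush is reported rather than ignored: leaving old rules in
    // the chains silently weakens the policy the caller believes it has just
    // installed.
    res |= disableFirewall();

    // Terminators are appended (-A) so that the RETURN rules later inserted
    // with -I by the set*Rule methods are always evaluated before them.
    // Local input is silently dropped; output and forwarded traffic get an
    // explicit REJECT.
    res |= execIptables(V4V6, "-A", LOCAL_INPUT, "-j", "DROP", NULL);
    res |= execIptables(V4V6, "-A", LOCAL_OUTPUT, "-j", "REJECT", NULL);
    res |= execIptables(V4V6, "-A", LOCAL_FORWARD, "-j", "REJECT", NULL);

    return res;
}

// Flushes all three chains in both families. Afterwards the chains are empty,
// so all traffic falls through to whatever follows the fw_* hooks. Returns 0
// on success, non-zero if any flush failed.
int FirewallController::disableFirewall(void) {
    int res = 0;

    res |= execIptables(V4V6, "-F", LOCAL_INPUT, NULL);
    res |= execIptables(V4V6, "-F", LOCAL_OUTPUT, NULL);
    res |= execIptables(V4V6, "-F", LOCAL_FORWARD, NULL);

    return res;
}

// Not implemented. Always returns -1, which callers must treat as "unknown",
// not as "disabled".
int FirewallController::isFirewallEnabled(void) {
    // TODO: verify that rules are still in place near top
    return -1;
}

// Allows (rule == ALLOW) or stops allowing all traffic on the given interface,
// in both directions and both families. Rejects a NULL or malformed interface
// name with errno = ENOENT and -1 before touching iptables. Returns 0 on
// success, non-zero if either iptables invocation failed.
int FirewallController::setInterfaceRule(const char* iface, FirewallRule rule) {
    if (iface == NULL || !isIfaceName(iface)) {
        errno = ENOENT;
        return -1;
    }

    const char* op = ruleOp(rule);

    int res = 0;
    res |= execIptables(V4V6, op, LOCAL_INPUT, "-i", iface, "-j", "RETURN", NULL);
    res |= execIptables(V4V6, op, LOCAL_OUTPUT, "-o", iface, "-j", "RETURN", NULL);
    return res;
}

// Allows (rule == ALLOW) or stops allowing traffic to and from the local
// address addr: inbound packets destined to it and outbound packets sourced
// from it. The family is chosen by targetForAddr. A NULL or empty addr is
// rejected with errno = EINVAL and -1; anything else is handed to iptables
// as a single argv element (no shell is involved as far as this file is
// concerned — verify in execIptables), so validation of the literal itself
// is left to iptables. Returns 0 on success, non-zero on iptables failure.
int FirewallController::setEgressSourceRule(const char* addr, FirewallRule rule) {
    if (addr == NULL || addr[0] == '\0') {
        errno = EINVAL;
        return -1;
    }

    IptablesTarget target = targetForAddr(addr);
    const char* op = ruleOp(rule);

    int res = 0;
    res |= execIptables(target, op, LOCAL_INPUT, "-d", addr, "-j", "RETURN", NULL);
    res |= execIptables(target, op, LOCAL_OUTPUT, "-s", addr, "-j", "RETURN", NULL);
    return res;
}

// Allows (rule == ALLOW) or stops allowing traffic exchanged with the remote
// endpoint addr:port over the given IP protocol number: inbound packets from
// that source port and outbound packets to that destination port. A NULL or
// empty addr is rejected with errno = EINVAL and -1. protocol and port are
// formatted verbatim; iptables rejects values it does not accept (e.g. a
// port match on a protocol without ports). Returns 0 on success, non-zero on
// iptables failure.
int FirewallController::setEgressDestRule(const char* addr, int protocol, int port,
        FirewallRule rule) {
    if (addr == NULL || addr[0] == '\0') {
        errno = EINVAL;
        return -1;
    }

    IptablesTarget target = targetForAddr(addr);

    // Bounded formatting; an int never needs more than 11 characters plus NUL.
    char protocolStr[16];
    snprintf(protocolStr, sizeof(protocolStr), "%d", protocol);

    char portStr[16];
    snprintf(portStr, sizeof(portStr), "%d", port);

    const char* op = ruleOp(rule);

    int res = 0;
    res |= execIptables(target, op, LOCAL_INPUT, "-s", addr, "-p", protocolStr,
            "--sport", portStr, "-j", "RETURN", NULL);
    res |= execIptables(target, op, LOCAL_OUTPUT, "-d", addr, "-p", protocolStr,
            "--dport", portStr, "-j", "RETURN", NULL);
    return res;
}

// Allows (rule == ALLOW) or stops allowing all traffic owned by the given
// uid, in both directions and both families, via the owner match. A negative
// uid can never be valid and is rejected with errno = EINVAL and -1. Returns
// 0 on success, non-zero if either iptables invocation failed.
int FirewallController::setUidRule(int uid, FirewallRule rule) {
    if (uid < 0) {
        errno = EINVAL;
        return -1;
    }

    char uidStr[16];
    snprintf(uidStr, sizeof(uidStr), "%d", uid);

    const char* op = ruleOp(rule);

    int res = 0;
    res |= execIptables(V4V6, op, LOCAL_INPUT, "-m", "owner", "--uid-owner", uidStr,
            "-j", "RETURN", NULL);
    res |= execIptables(V4V6, op, LOCAL_OUTPUT, "-m", "owner", "--uid-owner", uidStr,
            "-j", "RETURN", NULL);
    return res;
}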