1 /* 2 * Copyright (C) 2012 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include <ctype.h> 18 #include <errno.h> 19 #include <fcntl.h> 20 #include <netdb.h> 21 #include <net/if.h> 22 #include <netinet/in.h> 23 #include <stdlib.h> 24 #include <string.h> 25 #include <sys/wait.h> 26 27 #define LOG_TAG "Netd" 28 29 #include <cutils/log.h> 30 #include <logwrap/logwrap.h> 31 32 #include "NetdConstants.h" 33 34 const char * const OEM_SCRIPT_PATH = "/system/bin/oem-iptables-init.sh"; 35 const char * const IPTABLES_PATH = "/system/bin/iptables"; 36 const char * const IP6TABLES_PATH = "/system/bin/ip6tables"; 37 const char * const TC_PATH = "/system/bin/tc"; 38 const char * const IP_PATH = "/system/bin/ip"; 39 const char * const ADD = "add"; 40 const char * const DEL = "del"; 41 42 static void logExecError(const char* argv[], int res, int status) { 43 const char** argp = argv; 44 std::string args = ""; 45 while (*argp) { 46 args += *argp; 47 args += ' '; 48 argp++; 49 } 50 ALOGE("exec() res=%d, status=%d for %s", res, status, args.c_str()); 51 } 52 53 static int execIptablesCommand(int argc, const char *argv[], bool silent) { 54 int res; 55 int status; 56 57 res = android_fork_execvp(argc, (char **)argv, &status, false, 58 !silent); 59 if (res || !WIFEXITED(status) || WEXITSTATUS(status)) { 60 if (!silent) { 61 logExecError(argv, res, status); 62 } 63 if (res) 64 return res; 65 if (!WIFEXITED(status)) 66 return ECHILD; 67 } 68 return WEXITSTATUS(status); 69 } 70 71 static int execIptables(IptablesTarget target, bool silent, va_list args) { 72 /* Read arguments from incoming va_list; we expect the list to be NULL terminated. */ 73 std::list<const char*> argsList; 74 argsList.push_back(NULL); 75 const char* arg; 76 77 // Wait to avoid failure due to another process holding the lock 78 argsList.push_back("-w"); 79 80 do { 81 arg = va_arg(args, const char *); 82 argsList.push_back(arg); 83 } while (arg); 84 85 int i = 0; 86 const char* argv[argsList.size()]; 87 std::list<const char*>::iterator it; 88 for (it = argsList.begin(); it != argsList.end(); it++, i++) { 89 argv[i] = *it; 90 } 91 92 int res = 0; 93 if (target == V4 || target == V4V6) { 94 argv[0] = IPTABLES_PATH; 95 res |= execIptablesCommand(argsList.size(), argv, silent); 96 } 97 if (target == V6 || target == V4V6) { 98 argv[0] = IP6TABLES_PATH; 99 res |= execIptablesCommand(argsList.size(), argv, silent); 100 } 101 return res; 102 } 103 104 int execIptables(IptablesTarget target, ...) { 105 va_list args; 106 va_start(args, target); 107 int res = execIptables(target, false, args); 108 va_end(args); 109 return res; 110 } 111 112 int execIptablesSilently(IptablesTarget target, ...) { 113 va_list args; 114 va_start(args, target); 115 int res = execIptables(target, true, args); 116 va_end(args); 117 return res; 118 } 119 120 /* 121 * Check an interface name for plausibility. This should e.g. help against 122 * directory traversal. 123 */ 124 bool isIfaceName(const char *name) { 125 size_t i; 126 size_t name_len = strlen(name); 127 if ((name_len == 0) || (name_len > IFNAMSIZ)) { 128 return false; 129 } 130 131 /* First character must be alphanumeric */ 132 if (!isalnum(name[0])) { 133 return false; 134 } 135 136 for (i = 1; i < name_len; i++) { 137 if (!isalnum(name[i]) && (name[i] != '_') && (name[i] != '-') && (name[i] != ':')) { 138 return false; 139 } 140 } 141 142 return true; 143 } 144 145 int parsePrefix(const char *prefix, uint8_t *family, void *address, int size, uint8_t *prefixlen) { 146 if (!prefix || !family || !address || !prefixlen) { 147 return -EFAULT; 148 } 149 150 // Find the '/' separating address from prefix length. 151 const char *slash = strchr(prefix, '/'); 152 const char *prefixlenString = slash + 1; 153 if (!slash || !*prefixlenString) 154 return -EINVAL; 155 156 // Convert the prefix length to a uint8_t. 157 char *endptr; 158 unsigned templen; 159 templen = strtoul(prefixlenString, &endptr, 10); 160 if (*endptr || templen > 255) { 161 return -EINVAL; 162 } 163 *prefixlen = templen; 164 165 // Copy the address part of the prefix to a local buffer. We have to copy 166 // because inet_pton and getaddrinfo operate on null-terminated address 167 // strings, but prefix is const and has '/' after the address. 168 std::string addressString(prefix, slash - prefix); 169 170 // Parse the address. 171 addrinfo *res; 172 addrinfo hints = { 173 .ai_flags = AI_NUMERICHOST, 174 }; 175 int ret = getaddrinfo(addressString.c_str(), NULL, &hints, &res); 176 if (ret || !res) { 177 return -EINVAL; // getaddrinfo return values are not errno values. 178 } 179 180 // Convert the address string to raw address bytes. 181 void *rawAddress; 182 int rawLength; 183 switch (res[0].ai_family) { 184 case AF_INET: { 185 if (*prefixlen > 32) { 186 return -EINVAL; 187 } 188 sockaddr_in *sin = (sockaddr_in *) res[0].ai_addr; 189 rawAddress = &sin->sin_addr; 190 rawLength = 4; 191 break; 192 } 193 case AF_INET6: { 194 if (*prefixlen > 128) { 195 return -EINVAL; 196 } 197 sockaddr_in6 *sin6 = (sockaddr_in6 *) res[0].ai_addr; 198 rawAddress = &sin6->sin6_addr; 199 rawLength = 16; 200 break; 201 } 202 default: { 203 freeaddrinfo(res); 204 return -EAFNOSUPPORT; 205 } 206 } 207 208 if (rawLength > size) { 209 freeaddrinfo(res); 210 return -ENOSPC; 211 } 212 213 *family = res[0].ai_family; 214 memcpy(address, rawAddress, rawLength); 215 freeaddrinfo(res); 216 217 return rawLength; 218 } 219
