Home | History | Annotate | Download | only in firewalld
      1 // Copyright 2014 The Android Open Source Project
      2 //
      3 // Licensed under the Apache License, Version 2.0 (the "License");
      4 // you may not use this file except in compliance with the License.
      5 // You may obtain a copy of the License at
      6 //
      7 //      http://www.apache.org/licenses/LICENSE-2.0
      8 //
      9 // Unless required by applicable law or agreed to in writing, software
     10 // distributed under the License is distributed on an "AS IS" BASIS,
     11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     12 // See the License for the specific language governing permissions and
     13 // limitations under the License.
     14 
     15 #ifndef FIREWALLD_IPTABLES_H_
     16 #define FIREWALLD_IPTABLES_H_
     17 
     18 #include <stdint.h>
     19 
     20 #include <set>
     21 #include <string>
     22 #include <utility>
     23 #include <vector>
     24 
     25 #include <base/macros.h>
     26 #include <brillo/errors/error.h>
     27 
     28 #include "dbus_bindings/org.chromium.Firewalld.h"
     29 
     30 namespace firewalld {
     31 
     32 enum ProtocolEnum { kProtocolTcp, kProtocolUdp };
     33 
     34 class IpTables : public org::chromium::FirewalldInterface {
     35  public:
     36   typedef std::pair<uint16_t, std::string> Hole;
     37 
     38   IpTables();
     39   ~IpTables();
     40 
     41   // D-Bus methods.
     42   bool PunchTcpHole(uint16_t in_port, const std::string& in_interface) override;
     43   bool PunchUdpHole(uint16_t in_port, const std::string& in_interface) override;
     44   bool PlugTcpHole(uint16_t in_port, const std::string& in_interface) override;
     45   bool PlugUdpHole(uint16_t in_port, const std::string& in_interface) override;
     46 
     47   bool RequestVpnSetup(const std::vector<std::string>& usernames,
     48                        const std::string& interface) override;
     49   bool RemoveVpnSetup(const std::vector<std::string>& usernames,
     50                       const std::string& interface) override;
     51 
     52   // Close all outstanding firewall holes.
     53   void PlugAllHoles();
     54 
     55  private:
     56   friend class IpTablesTest;
     57   FRIEND_TEST(IpTablesTest, ApplyVpnSetupAdd_Success);
     58   FRIEND_TEST(IpTablesTest, ApplyVpnSetupAdd_FailureInUsername);
     59   FRIEND_TEST(IpTablesTest, ApplyVpnSetupAdd_FailureInMasquerade);
     60   FRIEND_TEST(IpTablesTest, ApplyVpnSetupAdd_FailureInRuleForUserTraffic);
     61   FRIEND_TEST(IpTablesTest, ApplyVpnSetupRemove_Success);
     62   FRIEND_TEST(IpTablesTest, ApplyVpnSetupRemove_Failure);
     63 
     64   bool PunchHole(uint16_t port,
     65                  const std::string& interface,
     66                  std::set<Hole>* holes,
     67                  ProtocolEnum protocol);
     68   bool PlugHole(uint16_t port,
     69                 const std::string& interface,
     70                 std::set<Hole>* holes,
     71                 ProtocolEnum protocol);
     72 
     73   bool AddAcceptRules(ProtocolEnum protocol,
     74                       uint16_t port,
     75                       const std::string& interface);
     76   bool DeleteAcceptRules(ProtocolEnum protocol,
     77                          uint16_t port,
     78                          const std::string& interface);
     79 
     80   virtual bool AddAcceptRule(const std::string& executable_path,
     81                              ProtocolEnum protocol,
     82                              uint16_t port,
     83                              const std::string& interface);
     84   virtual bool DeleteAcceptRule(const std::string& executable_path,
     85                                 ProtocolEnum protocol,
     86                                 uint16_t port,
     87                                 const std::string& interface);
     88 
     89   bool ApplyVpnSetup(const std::vector<std::string>& usernames,
     90                      const std::string& interface,
     91                      bool add);
     92 
     93   virtual bool ApplyMasquerade(const std::string& interface, bool add);
     94   bool ApplyMasqueradeWithExecutable(const std::string& interface,
     95                                      const std::string& executable_path,
     96                                      bool add);
     97 
     98   virtual bool ApplyMarkForUserTraffic(const std::string& username, bool add);
     99   bool ApplyMarkForUserTrafficWithExecutable(const std::string& username,
    100                                              const std::string& executable_path,
    101                                              bool add);
    102 
    103   virtual bool ApplyRuleForUserTraffic(bool add);
    104   bool ApplyRuleForUserTrafficWithVersion(const std::string& ip_version,
    105                                           bool add);
    106 
    107   int ExecvNonRoot(const std::vector<std::string>& argv, uint64_t capmask);
    108 
    109   // Keep track of firewall holes to avoid adding redundant firewall rules.
    110   std::set<Hole> tcp_holes_;
    111   std::set<Hole> udp_holes_;
    112 
    113   // Tracks whether IPv6 filtering is enabled. If set to |true| (the default),
    114   // then it is required to be working. If |false|, then adding of IPv6 rules is
    115   // still attempted but not mandatory; however, if it is successful even once,
    116   // then it'll be changed to |true| and enforced thereafter.
    117   bool ip6_enabled_ = true;
    118 
    119   DISALLOW_COPY_AND_ASSIGN(IpTables);
    120 };
    121 
    122 }  // namespace firewalld
    123 
    124 #endif  // FIREWALLD_IPTABLES_H_
    125