2 * Copyright (C) 2008 The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 // #define LOG_NDEBUG 0
21 #include <sys/socket.h>
24 #include <netinet/in.h>
25 #include <arpa/inet.h>
27 #include <cutils/properties.h>
29 #define LOG_TAG "NatController"
30 #include <cutils/log.h>
32 #include "NatController.h"
33 #include "SecondaryTableController.h"
34 #include "NetdConstants.h"
36 extern "C" int system_nosh(const char *command);
38 const char* NatController::LOCAL_FORWARD = "natctrl_FORWARD";
39 const char* NatController::LOCAL_NAT_POSTROUTING = "natctrl_nat_POSTROUTING";
41 NatController::NatController(SecondaryTableController *ctrl) {
42 secondaryTableCtrl = ctrl;
45 NatController::~NatController() {
48 int NatController::runCmd(const char *path, const char *cmd) {
50 size_t len = strnlen(cmd, 255);
54 ALOGE("command too long");
59 asprintf(&buffer, "%s %s", path, cmd);
60 res = system_nosh(buffer);
61 ALOGV("runCmd() buffer='%s' res=%d", buffer, res);
66 int NatController::setupIptablesHooks() {
71 int NatController::setDefaults() {
72 if (runCmd(IPTABLES_PATH, "-F natctrl_FORWARD"))
74 if (runCmd(IPTABLES_PATH, "-t nat -F natctrl_nat_POSTROUTING"))
77 runCmd(IP_PATH, "rule flush");
78 runCmd(IP_PATH, "-6 rule flush");
79 runCmd(IP_PATH, "rule add from all lookup default prio 32767");
80 runCmd(IP_PATH, "rule add from all lookup main prio 32766");
81 runCmd(IP_PATH, "-6 rule add from all lookup default prio 32767");
82 runCmd(IP_PATH, "-6 rule add from all lookup main prio 32766");
83 runCmd(IP_PATH, "route flush cache");
90 bool NatController::checkInterface(const char *iface) {
91 if (strlen(iface) > IFNAMSIZ) return false;
96 // nat enable intface extface addrcnt nated-ipaddr/prelength
97 int NatController::enableNat(const int argc, char **argv) {
100 int addrCount = atoi(argv[4]);
102 const char *intIface = argv[2];
103 const char *extIface = argv[3];
106 if (!checkInterface(intIface) || !checkInterface(extIface)) {
107 ALOGE("Invalid interface specified");
112 if (argc < 5 + addrCount) {
113 ALOGE("Missing Argument");
118 tableNumber = secondaryTableCtrl->findTableNumber(extIface);
119 if (tableNumber != -1) {
120 for(i = 0; i < addrCount; i++) {
121 ret |= secondaryTableCtrl->modifyFromRule(tableNumber, ADD, argv[5+i]);
123 ret |= secondaryTableCtrl->modifyLocalRoute(tableNumber, ADD, intIface, argv[5+i]);
125 runCmd(IP_PATH, "route flush cache");
128 if (ret != 0 || setForwardRules(true, intIface, extIface) != 0) {
129 if (tableNumber != -1) {
130 for (i = 0; i < addrCount; i++) {
131 secondaryTableCtrl->modifyLocalRoute(tableNumber, DEL, intIface, argv[5+i]);
133 secondaryTableCtrl->modifyFromRule(tableNumber, DEL, argv[5+i]);
135 runCmd(IP_PATH, "route flush cache");
137 ALOGE("Error setting forward rules");
142 /* Always make sure the drop rule is at the end */
143 snprintf(cmd, sizeof(cmd), "-D natctrl_FORWARD -j DROP");
144 runCmd(IPTABLES_PATH, cmd);
145 snprintf(cmd, sizeof(cmd), "-A natctrl_FORWARD -j DROP");
146 runCmd(IPTABLES_PATH, cmd);
150 // add this if we are the first added nat
152 snprintf(cmd, sizeof(cmd), "-t nat -A natctrl_nat_POSTROUTING -o %s -j MASQUERADE", extIface);
153 if (runCmd(IPTABLES_PATH, cmd)) {
154 ALOGE("Error seting postroute rule: %s", cmd);
155 // unwind what's been done, but don't care about success - what more could we do?
156 for (i = 0; i < addrCount; i++) {
157 secondaryTableCtrl->modifyLocalRoute(tableNumber, DEL, intIface, argv[5+i]);
159 secondaryTableCtrl->modifyFromRule(tableNumber, DEL, argv[5+i]);
169 int NatController::setForwardRules(bool add, const char *intIface, const char * extIface) {
172 snprintf(cmd, sizeof(cmd),
173 "-%s natctrl_FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j RETURN",
176 if (runCmd(IPTABLES_PATH, cmd) && add) {
180 snprintf(cmd, sizeof(cmd),
181 "-%s natctrl_FORWARD -i %s -o %s -m state --state INVALID -j DROP",
184 if (runCmd(IPTABLES_PATH, cmd) && add) {
185 // bail on error, but only if adding
186 snprintf(cmd, sizeof(cmd),
187 "-%s natctrl_FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j RETURN",
190 runCmd(IPTABLES_PATH, cmd);
194 snprintf(cmd, sizeof(cmd), "-%s natctrl_FORWARD -i %s -o %s -j RETURN", (add ? "A" : "D"),
196 if (runCmd(IPTABLES_PATH, cmd) && add) {
197 // unwind what's been done, but don't care about success - what more could we do?
198 snprintf(cmd, sizeof(cmd),
199 "-%s natctrl_FORWARD -i %s -o %s -m state --state INVALID -j DROP",
202 runCmd(IPTABLES_PATH, cmd);
204 snprintf(cmd, sizeof(cmd),
205 "-%s natctrl_FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j RETURN",
208 runCmd(IPTABLES_PATH, cmd);
215 // nat disable intface extface
217 // nat enable intface extface addrcnt nated-ipaddr/prelength
218 int NatController::disableNat(const int argc, char **argv) {
221 int addrCount = atoi(argv[4]);
222 const char *intIface = argv[2];
223 const char *extIface = argv[3];
226 if (!checkInterface(intIface) || !checkInterface(extIface)) {
227 ALOGE("Invalid interface specified");
232 if (argc < 5 + addrCount) {
233 ALOGE("Missing Argument");
238 setForwardRules(false, intIface, extIface);
240 tableNumber = secondaryTableCtrl->findTableNumber(extIface);
241 if (tableNumber != -1) {
242 for (i = 0; i < addrCount; i++) {
243 secondaryTableCtrl->modifyLocalRoute(tableNumber, DEL, intIface, argv[5+i]);
245 secondaryTableCtrl->modifyFromRule(tableNumber, DEL, argv[5+i]);
248 runCmd(IP_PATH, "route flush cache");
251 if (--natCount <= 0) {
252 // handle decrement to 0 case (do reset to defaults) and erroneous dec below 0