2 * Copyright (C) 2012 The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
22 #define LOG_TAG "FirewallController"
25 #include <cutils/log.h>
26 #include <private/android_filesystem_config.h>
28 #include "NetdConstants.h"
29 #include "FirewallController.h"
31 const char* FirewallController::TABLE = "filter";
33 const char* FirewallController::LOCAL_INPUT = "fw_INPUT";
34 const char* FirewallController::LOCAL_OUTPUT = "fw_OUTPUT";
35 const char* FirewallController::LOCAL_FORWARD = "fw_FORWARD";
37 const char* FirewallController::LOCAL_DOZABLE = "fw_dozable";
38 const char* FirewallController::LOCAL_STANDBY = "fw_standby";
40 FirewallController::FirewallController(void) {
41 // If no rules are set, it's in BLACKLIST mode
42 mFirewallType = BLACKLIST;
45 int FirewallController::setupIptablesHooks(void) {
47 // child chains are created but not attached, they will be attached explicitly.
48 FirewallType firewallType = getFirewallType(DOZABLE);
49 res |= createChain(LOCAL_DOZABLE, LOCAL_INPUT, firewallType);
51 firewallType = getFirewallType(STANDBY);
52 res |= createChain(LOCAL_STANDBY, LOCAL_INPUT, firewallType);
57 int FirewallController::enableFirewall(FirewallType ftype) {
59 if (mFirewallType != ftype) {
60 // flush any existing rules
63 if (ftype == WHITELIST) {
64 // create default rule to drop all traffic
65 res |= execIptables(V4V6, "-A", LOCAL_INPUT, "-j", "DROP", NULL);
66 res |= execIptables(V4V6, "-A", LOCAL_OUTPUT, "-j", "REJECT", NULL);
67 res |= execIptables(V4V6, "-A", LOCAL_FORWARD, "-j", "REJECT", NULL);
70 // Set this after calling disableFirewall(), since it defaults to WHITELIST there
71 mFirewallType = ftype;
76 int FirewallController::disableFirewall(void) {
79 mFirewallType = WHITELIST;
81 // flush any existing rules
82 res |= execIptables(V4V6, "-F", LOCAL_INPUT, NULL);
83 res |= execIptables(V4V6, "-F", LOCAL_OUTPUT, NULL);
84 res |= execIptables(V4V6, "-F", LOCAL_FORWARD, NULL);
89 int FirewallController::enableChildChains(ChildChain chain, bool enable) {
104 res |= attachChain(name, LOCAL_INPUT);
105 res |= attachChain(name, LOCAL_OUTPUT);
107 res |= detachChain(name, LOCAL_INPUT);
108 res |= detachChain(name, LOCAL_OUTPUT);
113 int FirewallController::isFirewallEnabled(void) {
114 // TODO: verify that rules are still in place near top
118 int FirewallController::setInterfaceRule(const char* iface, FirewallRule rule) {
119 if (mFirewallType == BLACKLIST) {
120 // Unsupported in BLACKLIST mode
124 if (!isIfaceName(iface)) {
137 res |= execIptables(V4V6, op, LOCAL_INPUT, "-i", iface, "-j", "RETURN", NULL);
138 res |= execIptables(V4V6, op, LOCAL_OUTPUT, "-o", iface, "-j", "RETURN", NULL);
142 int FirewallController::setEgressSourceRule(const char* addr, FirewallRule rule) {
143 if (mFirewallType == BLACKLIST) {
144 // Unsupported in BLACKLIST mode
148 IptablesTarget target = V4;
149 if (strchr(addr, ':')) {
161 res |= execIptables(target, op, LOCAL_INPUT, "-d", addr, "-j", "RETURN", NULL);
162 res |= execIptables(target, op, LOCAL_OUTPUT, "-s", addr, "-j", "RETURN", NULL);
166 int FirewallController::setEgressDestRule(const char* addr, int protocol, int port,
168 if (mFirewallType == BLACKLIST) {
169 // Unsupported in BLACKLIST mode
173 IptablesTarget target = V4;
174 if (strchr(addr, ':')) {
178 char protocolStr[16];
179 sprintf(protocolStr, "%d", protocol);
182 sprintf(portStr, "%d", port);
192 res |= execIptables(target, op, LOCAL_INPUT, "-s", addr, "-p", protocolStr,
193 "--sport", portStr, "-j", "RETURN", NULL);
194 res |= execIptables(target, op, LOCAL_OUTPUT, "-d", addr, "-p", protocolStr,
195 "--dport", portStr, "-j", "RETURN", NULL);
199 FirewallType FirewallController::getFirewallType(ChildChain chain) {
206 return mFirewallType;
212 int FirewallController::setUidRule(ChildChain chain, int uid, FirewallRule rule) {
214 sprintf(uidStr, "%d", uid);
218 FirewallType firewallType = getFirewallType(chain);
219 if (firewallType == WHITELIST) {
221 op = (rule == ALLOW)? "-I" : "-D";
222 } else { // BLACKLIST mode
224 op = (rule == DENY)? "-I" : "-D";
230 res |= execIptables(V4V6, op, LOCAL_DOZABLE, "-m", "owner", "--uid-owner",
231 uidStr, "-j", target, NULL);
234 res |= execIptables(V4V6, op, LOCAL_STANDBY, "-m", "owner", "--uid-owner",
235 uidStr, "-j", target, NULL);
238 res |= execIptables(V4V6, op, LOCAL_INPUT, "-m", "owner", "--uid-owner", uidStr,
240 res |= execIptables(V4V6, op, LOCAL_OUTPUT, "-m", "owner", "--uid-owner", uidStr,
244 ALOGW("Unknown child chain: %d", chain);
250 int FirewallController::attachChain(const char* childChain, const char* parentChain) {
251 return execIptables(V4V6, "-t", TABLE, "-A", parentChain, "-j", childChain, NULL);
254 int FirewallController::detachChain(const char* childChain, const char* parentChain) {
255 return execIptables(V4V6, "-t", TABLE, "-D", parentChain, "-j", childChain, NULL);
258 int FirewallController::createChain(const char* childChain,
259 const char* parentChain, FirewallType type) {
260 // Order is important, otherwise later steps may fail.
261 execIptablesSilently(V4V6, "-t", TABLE, "-D", parentChain, "-j", childChain, NULL);
262 execIptablesSilently(V4V6, "-t", TABLE, "-F", childChain, NULL);
263 execIptablesSilently(V4V6, "-t", TABLE, "-X", childChain, NULL);
265 res |= execIptables(V4V6, "-t", TABLE, "-N", childChain, NULL);
266 if (type == WHITELIST) {
267 // create default white list for system uid range
269 sprintf(uidStr, "0-%d", AID_APP - 1);
270 res |= execIptables(V4V6, "-A", childChain, "-m", "owner", "--uid-owner",
271 uidStr, "-j", "RETURN", NULL);
272 // create default rule to drop all traffic
273 res |= execIptables(V4V6, "-A", childChain, "-j", "DROP", NULL);