2 * Copyright (C) 2012 The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 #ifndef _FIREWALL_CONTROLLER_H
18 #define _FIREWALL_CONTROLLER_H
23 #include <utils/RWLock.h>
// Action a firewall rule applies to the traffic it matches.
enum FirewallRule { DENY, ALLOW };
// WHITELIST means the firewall denies all by default; uids must be explicitly ALLOWed.
// BLACKLIST means the firewall allows all by default; uids must be explicitly DENYed.
enum FirewallType { WHITELIST, BLACKLIST };
// Selects the per-feature child chain a uid rule applies to (see setUidRule() and
// enableChildChains()). NONE selects no child chain; INVALID_CHAIN is a sentinel,
// presumably returned when mapping an out-of-range value — confirm against callers.
// DOZABLE/STANDBY/POWERSAVE appear to correspond to the LOCAL_DOZABLE/LOCAL_STANDBY/
// LOCAL_POWERSAVE chain names declared on FirewallController — confirm.
enum ChildChain { NONE, DOZABLE, STANDBY, POWERSAVE, INVALID_CHAIN };
// IANA IP protocol numbers (TCP = 6, UDP = 17); presumably the protocol argument of
// setEgressDestRule(). NOTE(review): these macros and the plain enums above land in the
// global namespace of every includer; unqualified names like NONE and ALLOW can collide.
#define PROTOCOL_TCP 6
#define PROTOCOL_UDP 17
38 * Simple firewall that drops all packets except those matching explicitly
39 * defined ALLOW rules.
41 * Methods in this class must be called when holding a write lock on |lock|, and may not call
42 * any other controller without explicitly managing that controller's lock. There are currently
45 class FirewallController {
/* Installs this controller's chains/hooks into iptables. The int return convention is not
 * visible in this header — presumably 0 on success and non-zero on failure, as for the
 * other methods — confirm against the implementation. */
int setupIptablesHooks(void);
/* Turns the firewall on with the given default policy (see FirewallType), presumably
 * recording it in mFirewallType; disableFirewall() is the inverse and isFirewallEnabled()
 * reports the current state (truthiness convention not visible here). */
int enableFirewall(FirewallType);
int disableFirewall(void);
int isFirewallEnabled(void);
/* Match traffic going in/out over the given iface. */
int setInterfaceRule(const char*, FirewallRule);
/* Match traffic coming-in-to or going-out-from given address. */
int setEgressSourceRule(const char*, FirewallRule);
/* Match traffic coming-in-from or going-out-to given address, port, and protocol.
 * The two ints presumably follow that order (port, then an IP protocol number such as
 * PROTOCOL_TCP/PROTOCOL_UDP) — confirm against the implementation. */
int setEgressDestRule(const char*, int, int, FirewallRule);
/* Match traffic owned by given UID. This is specific to a particular chain. */
int setUidRule(ChildChain, int, FirewallRule);
/* Enable (true) or disable (false) the given child chain, presumably via attachChain()/
 * detachChain() below — confirm. */
int enableChildChains(ChildChain, bool);
/* Replace the whole contents of a uid chain. Parameters presumably mirror makeUidRules():
 * (chain name, isWhitelist, uids) — confirm.
 * NOTE(review): the iface/address/chain-name strings taken by the methods above are not
 * validated anywhere visible in this header; if they end up in iptables rule text, the
 * code that builds that text must reject anything but the expected characters. */
int replaceUidChain(const char*, bool, const std::vector<int32_t>&);
// Name of the iptables table this controller operates on (value lives in the implementation).
static const char* TABLE;
// Top-level chain names — presumably hooked from the built-in INPUT/OUTPUT/FORWARD chains by
// setupIptablesHooks(); confirm.
static const char* LOCAL_INPUT;
static const char* LOCAL_OUTPUT;
static const char* LOCAL_FORWARD;
// Child chain names; appear to correspond to the ChildChain values DOZABLE/STANDBY/POWERSAVE.
static const char* LOCAL_DOZABLE;
static const char* LOCAL_STANDBY;
static const char* LOCAL_POWERSAVE;
// ICMPv6 type list consulted when building rules, presumably the types always let through —
// confirm. The array is declared without a size, so `sizeof(ICMPV6_TYPES)` is ill-formed from
// this header; the definition must expose a length or a terminating entry for iteration.
static const char* ICMPV6_TYPES[];
// The test fixture needs access to the private helpers below (notably makeUidRules()).
friend class FirewallControllerTest;
// Builds the rule text for chain |name| from |uids|; isWhitelist presumably selects whether the
// listed uids are ALLOWed (whitelist) or DENYed (blacklist) — inferred from the names, confirm.
// NOTE(review): |name| presumably ends up verbatim in iptables rule text, so it should only ever
// be one of the chain-name constants declared on this class, never caller-supplied text.
std::string makeUidRules(const char *name, bool isWhitelist, const std::vector<int32_t>& uids);
// Default policy chosen by enableFirewall(); presumably what getFirewallType() reads back.
FirewallType mFirewallType;
// Attach/detach one chain to/from another. Both arguments are chain names; which one is the
// parent is not visible here — confirm against the implementation.
int attachChain(const char*, const char*);
int detachChain(const char*, const char*);
// Create a chain with the given default policy (the two strings are presumably the new chain's
// name and the chain it hangs off — confirm).
int createChain(const char*, const char*, FirewallType);
// Map a ChildChain to the FirewallType that governs it.
FirewallType getFirewallType(ChildChain);