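/*
 * Copyright (C) 2014 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#pragma once

#include "NetdConstants.h"  // IptablesTarget
#include "Permission.h"

#include <android-base/thread_annotations.h>

#include <linux/netlink.h>
#include <sys/types.h>

// This header names std::string and the fixed-width integer types directly, so it
// includes <string> and <cstdint> itself rather than relying on whichever of the
// headers above happens to pull them in transitively.
#include <cstdint>
#include <map>
#include <mutex>
#include <string>

namespace android::net {

class UidRanges;

// Static-only facade over the kernel routing configuration netd manages: the
// per-interface routing tables, the fixed tables listed in TableType, and the
// iptables/packet-mark rules that accompany them (see modifyIncomingPacketMark and
// iptablesRestoreCommandFunction below).
//
// Every mutator returns an int and is marked [[nodiscard]]. The exact convention is
// defined in RouteController.cpp (presumably 0 on success, negative errno on
// failure — confirm there). The attribute matters for security: a silently ignored
// failure from one of these calls can leave a route or rule in place that grants a
// uid access to a network it should not reach, or that lets traffic bypass a VPN.
class RouteController {
  public:
    // How the routing table number is determined for route modification requests.
    enum TableType {
        INTERFACE,       // Compute the table number based on the interface index.
        LOCAL_NETWORK,   // A fixed table used for routes to directly-connected clients/peers.
        LEGACY_NETWORK,  // Use a fixed table that's used to override the default network.
        LEGACY_SYSTEM,   // A fixed table, only modifiable by system apps; overrides VPNs too.
    };

    // Added to an interface index to derive that interface's routing table number
    // (TableType::INTERFACE).
    static const int ROUTE_TABLE_OFFSET_FROM_INDEX = 1000;

    // Name of the iptables chain this class manages for local-network input marking.
    static const char* const LOCAL_MANGLE_INPUT;

    [[nodiscard]] static int Init(unsigned localNetId);

    // Returns an ifindex given the interface name, by looking up in sInterfaceToTable.
    // This is currently only used by NetworkController::addInterfaceToNetwork
    // and should probably be changed to passing the ifindex into RouteController instead.
    // We do this instead of calling if_nametoindex because the same interface name can
    // correspond to different interface indices over time. This way, even if the interface
    // index has changed, we can still free any map entries indexed by the ifindex that was
    // used to add them.
    static uint32_t getIfIndex(const char* interface) EXCLUDES(sInterfaceToTableLock);

    [[nodiscard]] static int addInterfaceToLocalNetwork(unsigned netId, const char* interface);
    [[nodiscard]] static int removeInterfaceFromLocalNetwork(unsigned netId, const char* interface);

    // |permission| is the Permission callers must hold to use the network; the remove
    // variant must be passed the same value that was used when the interface was added,
    // so that the rules keyed on it can be matched and torn down.
    [[nodiscard]] static int addInterfaceToPhysicalNetwork(unsigned netId, const char* interface,
                                                           Permission permission);
    [[nodiscard]] static int removeInterfaceFromPhysicalNetwork(unsigned netId,
                                                                const char* interface,
                                                                Permission permission);

    // |secure| selects the VPN variant of the rules (presumably whether apps in
    // |uidRanges| may bypass the VPN — confirm in RouteController.cpp). As with
    // |permission| above, the remove call must be given the same |secure| and
    // |uidRanges| that were used on add.
    [[nodiscard]] static int addInterfaceToVirtualNetwork(unsigned netId, const char* interface,
                                                          bool secure, const UidRanges& uidRanges);
    [[nodiscard]] static int removeInterfaceFromVirtualNetwork(unsigned netId,
                                                               const char* interface, bool secure,
                                                               const UidRanges& uidRanges);

    [[nodiscard]] static int modifyPhysicalNetworkPermission(unsigned netId, const char* interface,
                                                             Permission oldPermission,
                                                             Permission newPermission);

    [[nodiscard]] static int addUsersToVirtualNetwork(unsigned netId, const char* interface,
                                                      bool secure, const UidRanges& uidRanges);
    [[nodiscard]] static int removeUsersFromVirtualNetwork(unsigned netId, const char* interface,
                                                           bool secure, const UidRanges& uidRanges);

    // Rules that, by their name, reject traffic from |uidRanges| on non-secure networks.
    // The rule's exact priority and match are defined in RouteController.cpp.
    [[nodiscard]] static int addUsersToRejectNonSecureNetworkRule(const UidRanges& uidRanges);
    [[nodiscard]] static int removeUsersFromRejectNonSecureNetworkRule(const UidRanges& uidRanges);

    [[nodiscard]] static int addInterfaceToDefaultNetwork(const char* interface,
                                                          Permission permission);
    [[nodiscard]] static int removeInterfaceFromDefaultNetwork(const char* interface,
                                                               Permission permission);

    // |nexthop| can be NULL (to indicate a directly-connected route), "unreachable" (to indicate a
    // route that's blocked), "throw" (to indicate the lack of a match), or a regular IP address.
    // |mtu| is an int here but reaches the kernel via modifyIpRoute(..., uint32_t mtu) below;
    // a negative value would wrap on that conversion, so callers are expected to have
    // validated it (confirm where that check lives).
    [[nodiscard]] static int addRoute(const char* interface, const char* destination,
                                      const char* nexthop, TableType tableType, int mtu);
    [[nodiscard]] static int removeRoute(const char* interface, const char* destination,
                                         const char* nexthop, TableType tableType);
    [[nodiscard]] static int updateRoute(const char* interface, const char* destination,
                                         const char* nexthop, TableType tableType, int mtu);

    [[nodiscard]] static int enableTethering(const char* inputInterface,
                                             const char* outputInterface);
    [[nodiscard]] static int disableTethering(const char* inputInterface,
                                              const char* outputInterface);

    [[nodiscard]] static int addVirtualNetworkFallthrough(unsigned vpnNetId,
                                                          const char* physicalInterface,
                                                          Permission permission);
    [[nodiscard]] static int removeVirtualNetworkFallthrough(unsigned vpnNetId,
                                                             const char* physicalInterface,
                                                             Permission permission);

    // For testing. This is a public, mutable static function pointer, so any code linked
    // into the process can redirect every iptables-restore invocation this class makes.
    // Only RouteControllerTest should ever assign it; production code must not touch it,
    // and it must not be reachable from any external (Binder) surface.
    static int (*iptablesRestoreCommandFunction)(IptablesTarget, const std::string&,
                                                 const std::string&, std::string*);

  private:
    friend class RouteControllerTest;

    // interface name -> routing table number. The map, not the name->ifindex
    // relationship, is the source of truth (see getIfIndex).
    static std::mutex sInterfaceToTableLock;
    static std::map<std::string, uint32_t> sInterfaceToTable GUARDED_BY(sInterfaceToTableLock);

    static int configureDummyNetwork();
    [[nodiscard]] static int flushRoutes(const char* interface) EXCLUDES(sInterfaceToTableLock);
    [[nodiscard]] static int flushRoutes(uint32_t table);
    // Locked/unlocked pair: the *Locked variant requires the caller to hold
    // sInterfaceToTableLock; the other acquires it itself.
    static uint32_t getRouteTableForInterfaceLocked(const char* interface)
            REQUIRES(sInterfaceToTableLock);
    static uint32_t getRouteTableForInterface(const char* interface) EXCLUDES(sInterfaceToTableLock);
    static int modifyDefaultNetwork(uint16_t action, const char* interface, Permission permission);
    static int modifyPhysicalNetwork(unsigned netId, const char* interface, Permission permission,
                                     bool add);
    static int modifyRoute(uint16_t action, uint16_t flags, const char* interface,
                           const char* destination, const char* nexthop, TableType tableType,
                           int mtu);
    static int modifyTetheredNetwork(uint16_t action, const char* inputInterface,
                                     const char* outputInterface);
    static int modifyVpnFallthroughRule(uint16_t action, unsigned vpnNetId,
                                        const char* physicalInterface, Permission permission);
    static int modifyVirtualNetwork(unsigned netId, const char* interface,
                                    const UidRanges& uidRanges, bool secure, bool add,
                                    bool modifyNonUidBasedRules);
    static void updateTableNamesFile() EXCLUDES(sInterfaceToTableLock);
};

// Public because they are called by RouteControllerTest.cpp.
// TODO: come up with a scheme of unit testing this code that does not rely on making all its
// functions public.
//
// |action| and |flags| are netlink message type/flags (uint16_t, matching nlmsghdr).
// Note the type mismatch on |mtu|: RouteController::addRoute/updateRoute/modifyRoute take it as
// int, this function takes uint32_t. The implicit conversion turns a negative int into a large
// unsigned value, so mtu must be range-checked before it gets here — verify that the .cpp does so.
[[nodiscard]] int modifyIpRoute(uint16_t action, uint16_t flags, uint32_t table,
                                const char* interface, const char* destination, const char* nexthop,
                                uint32_t mtu);
// Extracts the rule priority from a received netlink rule message. |nlh| is assumed to be a
// validated, complete message (the caller presumably checks NLMSG_OK first — confirm).
uint32_t getRulePriority(const nlmsghdr* nlh);
[[nodiscard]] int modifyIncomingPacketMark(unsigned netId, const char* interface,
                                           Permission permission, bool add);

}  // namespace android::net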