authorAlex Klyubin <klyubin@google.com>2015-02-12 00:47:52 +0000
committerAndroid Git Automerger <android-git-automerger@android.com>2015-02-12 00:47:52 +0000
commit909757cfc276546652d8f6d433c56d644325af8c (patch)
tree2e6faf54c6782b6355feca6b43faab1633c91b43
parent64b816bafcb735dd06f4ddf233ba2bad8fd08f47 (diff)
parent7a269cb3916692b691c7f3a531f3eba78be7a366 (diff)
downloadnetd-909757cfc276546652d8f6d433c56d644325af8c.tar.gz
am 7a269cb3: Merge "Store MARK/CONNMARK flags in a central location."
* commit '7a269cb3916692b691c7f3a531f3eba78be7a366': Store MARK/CONNMARK flags in a central location.
-rw-r--r--server/ConnmarkFlags.h30
-rw-r--r--server/StrictController.cpp35
2 files changed, 53 insertions, 12 deletions
diff --git a/server/ConnmarkFlags.h b/server/ConnmarkFlags.h
new file mode 100644
index 00000000..2bbefc0f
--- /dev/null
+++ b/server/ConnmarkFlags.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2015 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef _CONNMARK_FLAGS_H
+#define _CONNMARK_FLAGS_H
+
+/*
+ * iptables CONNMARK flag values used by various controllers. These values
+ * need to be stored in one place to avoid clashes.
+ */
+class ConnmarkFlags {
+public:
+ static const unsigned int STRICT_RESOLVED_ACCEPT = 0x01000000;
+ static const unsigned int STRICT_RESOLVED_REJECT = 0x02000000;
+};
+
+#endif
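Review bot: The header comment states only that the values must live in one place to avoid clashes, not the property the consumers actually depend on: StrictController applies them with `CONNMARK --or-mark` and tests them with `-m connmark --mark value/mask` using the value as its own mask, so each constant must be a single, distinct bit of the 32-bit conntrack mark, and a new flag that reused a bit or spanned several would silently break both the set and the test rules. Suggest spelling that out in place of the current comment, e.g. `// Bits OR-ed into, and tested (as value/mask) against, the 32-bit conntrack mark. Each flag must be a single distinct bit; they sit in the top byte so they do not collide with any mark bits used elsewhere in the field -- check against other mark users before adding one.` The in-class `static const unsigned int` definitions are fine for this use since the values are only ever read by value.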
diff --git a/server/StrictController.cpp b/server/StrictController.cpp
index 20232ea7..a04124df 100644
--- a/server/StrictController.cpp
+++ b/server/StrictController.cpp
@@ -24,6 +24,7 @@
#include <cutils/log.h>
+#include "ConnmarkFlags.h"
#include "NetdConstants.h"
#include "StrictController.h"
@@ -37,24 +38,34 @@ StrictController::StrictController(void) {
}
int StrictController::enableStrict(void) {
+ char connmarkFlagAccept[16];
+ char connmarkFlagReject[16];
+ char connmarkFlagTestAccept[32];
+ char connmarkFlagTestReject[32];
+ sprintf(connmarkFlagAccept, "0x%x", ConnmarkFlags::STRICT_RESOLVED_ACCEPT);
+ sprintf(connmarkFlagReject, "0x%x", ConnmarkFlags::STRICT_RESOLVED_REJECT);
+ sprintf(connmarkFlagTestAccept, "0x%x/0x%x",
+ ConnmarkFlags::STRICT_RESOLVED_ACCEPT,
+ ConnmarkFlags::STRICT_RESOLVED_ACCEPT);
+ sprintf(connmarkFlagTestReject, "0x%x/0x%x",
+ ConnmarkFlags::STRICT_RESOLVED_REJECT,
+ ConnmarkFlags::STRICT_RESOLVED_REJECT);
+
int res = 0;
disableStrict();
- // Mark 0x01 means resolved and ACCEPT
- // Mark 0x02 means resolved and REJECT
-
// Chain triggered when cleartext socket detected and penalty is log
res |= execIptables(V4V6, "-N", LOCAL_PENALTY_LOG, NULL);
res |= execIptables(V4V6, "-A", LOCAL_PENALTY_LOG,
- "-j", "CONNMARK", "--or-mark", "0x01000000", NULL);
+ "-j", "CONNMARK", "--or-mark", connmarkFlagAccept, NULL);
res |= execIptables(V4V6, "-A", LOCAL_PENALTY_LOG,
"-j", "NFLOG", "--nflog-group", "0", NULL);
// Chain triggered when cleartext socket detected and penalty is reject
res |= execIptables(V4V6, "-N", LOCAL_PENALTY_REJECT, NULL);
res |= execIptables(V4V6, "-A", LOCAL_PENALTY_REJECT,
- "-j", "CONNMARK", "--or-mark", "0x02000000", NULL);
+ "-j", "CONNMARK", "--or-mark", connmarkFlagReject, NULL);
res |= execIptables(V4V6, "-A", LOCAL_PENALTY_REJECT,
"-j", "NFLOG", "--nflog-group", "0", NULL);
res |= execIptables(V4V6, "-A", LOCAL_PENALTY_REJECT,
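Review bot: The four `sprintf` calls at the top of enableStrict write into fixed-size stack buffers (`connmarkFlagAccept[16]`, `connmarkFlagTestAccept[32]`, …) with no length bound; the current values fit (`0x%x` of an `unsigned int` is at most 10 characters, the value/mask form at most 21), but nothing ties the buffer sizes to the format, so a later change to the constants' type or to the format string would become a silent stack overflow in a privileged daemon rather than a truncation. Use the bounded form for all four, e.g. `snprintf(connmarkFlagAccept, sizeof(connmarkFlagAccept), "0x%x", ConnmarkFlags::STRICT_RESOLVED_ACCEPT);`, and document where the sizes come from on the declarations, e.g. `// "0x" + up to 8 hex digits (+ "/0x" + 8 more for the value/mask form) + NUL`. enableStrict starts inside this hunk and its body continues past it.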
@@ -67,21 +78,21 @@ int StrictController::enableStrict(void) {
// Quickly skip connections that we've already resolved
res |= execIptables(V4V6, "-A", LOCAL_CLEAR_DETECT,
- "-m", "connmark", "--mark", "0x02000000/0x02000000",
+ "-m", "connmark", "--mark", connmarkFlagTestReject,
"-j", "REJECT", NULL);
res |= execIptables(V4V6, "-A", LOCAL_CLEAR_DETECT,
- "-m", "connmark", "--mark", "0x01000000/0x01000000",
+ "-m", "connmark", "--mark", connmarkFlagTestAccept,
"-j", "RETURN", NULL);
// Look for IPv4 TCP/UDP connections with TLS/DTLS header
res |= execIptables(V4, "-A", LOCAL_CLEAR_DETECT, "-p", "tcp",
"-m", "u32", "--u32", "0>>22&0x3C@ 12>>26&0x3C@ 0&0xFFFF0000=0x16030000 &&"
"0>>22&0x3C@ 12>>26&0x3C@ 4&0x00FF0000=0x00010000",
- "-j", "CONNMARK", "--or-mark", "0x01000000", NULL);
+ "-j", "CONNMARK", "--or-mark", connmarkFlagAccept, NULL);
res |= execIptables(V4, "-A", LOCAL_CLEAR_DETECT, "-p", "udp",
"-m", "u32", "--u32", "0>>22&0x3C@ 8&0xFFFF0000=0x16FE0000 &&"
"0>>22&0x3C@ 20&0x00FF0000=0x00010000",
- "-j", "CONNMARK", "--or-mark", "0x01000000", NULL);
+ "-j", "CONNMARK", "--or-mark", connmarkFlagAccept, NULL);
// Look for IPv6 TCP/UDP connections with TLS/DTLS header. The IPv6 header
// doesn't have an IHL field to shift with, so we have to manually add in
@@ -89,15 +100,15 @@ int StrictController::enableStrict(void) {
res |= execIptables(V6, "-A", LOCAL_CLEAR_DETECT, "-p", "tcp",
"-m", "u32", "--u32", "52>>26&0x3C@ 40&0xFFFF0000=0x16030000 &&"
"52>>26&0x3C@ 44&0x00FF0000=0x00010000",
- "-j", "CONNMARK", "--or-mark", "0x01000000", NULL);
+ "-j", "CONNMARK", "--or-mark", connmarkFlagAccept, NULL);
res |= execIptables(V6, "-A", LOCAL_CLEAR_DETECT, "-p", "udp",
"-m", "u32", "--u32", "48&0xFFFF0000=0x16FE0000 &&"
"60&0x00FF0000=0x00010000",
- "-j", "CONNMARK", "--or-mark", "0x01000000", NULL);
+ "-j", "CONNMARK", "--or-mark", connmarkFlagAccept, NULL);
// Skip newly classified connections from above
res |= execIptables(V4V6, "-A", LOCAL_CLEAR_DETECT,
- "-m", "connmark", "--mark", "0x01000000/0x01000000",
+ "-m", "connmark", "--mark", connmarkFlagTestAccept,
"-j", "RETURN", NULL);
// Handle TCP/UDP payloads that didn't match TLS/DTLS filters above,