/*
* Copyright (C) 2012 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#define LOG_TAG "Netd"
#include <android-base/stringprintf.h>
#include <cutils/log.h>
#include <logwrap/logwrap.h>
#include "Controllers.h"
#include "NetdConstants.h"
#include "IptablesRestoreController.h"
const char * const OEM_SCRIPT_PATH = "/system/bin/oem-iptables-init.sh";
const char * const IPTABLES_PATH = "/system/bin/iptables";
const char * const IP6TABLES_PATH = "/system/bin/ip6tables";
const char * const TC_PATH = "/system/bin/tc";
const char * const IP_PATH = "/system/bin/ip";
const char * const ADD = "add";
const char * const DEL = "del";
static void logExecError(const char* argv[], int res, int status) {
const char** argp = argv;
std::string args = "";
while (*argp) {
args += *argp;
args += ' ';
argp++;
}
ALOGE("exec() res=%d, status=%d for %s", res, status, args.c_str());
}
static int execIptablesCommand(int argc, const char *argv[], bool silent) {
int res;
int status;
res = android_fork_execvp(argc, (char **)argv, &status, false,
!silent);
if (res || !WIFEXITED(status) || WEXITSTATUS(status)) {
if (!silent) {
logExecError(argv, res, status);
}
if (res)
return res;
if (!WIFEXITED(status))
return ECHILD;
}
return WEXITSTATUS(status);
}
static int execIptables(IptablesTarget target, bool silent, va_list args) {
/* Read arguments from incoming va_list; we expect the list to be NULL terminated. */
std::list<const char*> argsList;
argsList.push_back(NULL);
const char* arg;
// Wait to avoid failure due to another process holding the lock
argsList.push_back("-w");
do {
arg = va_arg(args, const char *);
argsList.push_back(arg);
} while (arg);
int i = 0;
const char* argv[argsList.size()];
std::list<const char*>::iterator it;
for (it = argsList.begin(); it != argsList.end(); it++, i++) {
argv[i] = *it;
}
int res = 0;
if (target == V4 || target == V4V6) {
argv[0] = IPTABLES_PATH;
res |= execIptablesCommand(argsList.size(), argv, silent);
}
if (target == V6 || target == V4V6) {
argv[0] = IP6TABLES_PATH;
res |= execIptablesCommand(argsList.size(), argv, silent);
}
return res;
}
int execIptables(IptablesTarget target, ...) {
va_list args;
va_start(args, target);
int res = execIptables(target, false, args);
va_end(args);
return res;
}
int execIptablesSilently(IptablesTarget target, ...) {
va_list args;
va_start(args, target);
int res = execIptables(target, true, args);
va_end(args);
return res;
}
int execIptablesRestoreWithOutput(IptablesTarget target, const std::string& commands,
std::string *output) {
return android::net::gCtls->iptablesRestoreCtrl.execute(target, commands, output);
}
int execIptablesRestore(IptablesTarget target, const std::string& commands) {
return execIptablesRestoreWithOutput(target, commands, nullptr);
}
int execIptablesRestoreCommand(IptablesTarget target, const std::string& table,
const std::string& command, std::string *output) {
std::string fullCmd = android::base::StringPrintf("*%s\n%s\nCOMMIT\n", table.c_str(),
command.c_str());
return execIptablesRestoreWithOutput(target, fullCmd, output);
}
/*
* Check an interface name for plausibility. This should e.g. help against
* directory traversal.
*/
bool isIfaceName(const char *name) {
size_t i;
size_t name_len = strlen(name);
if ((name_len == 0) || (name_len > IFNAMSIZ)) {
return false;
}
/* First character must be alphanumeric */
if (!isalnum(name[0])) {
return false;
}
for (i = 1; i < name_len; i++) {
if (!isalnum(name[i]) && (name[i] != '_') && (name[i] != '-') && (name[i] != ':')) {
return false;
}
}
return true;
}
int parsePrefix(const char *prefix, uint8_t *family, void *address, int size, uint8_t *prefixlen) {
if (!prefix || !family || !address || !prefixlen) {
return -EFAULT;
}
// Find the '/' separating address from prefix length.
const char *slash = strchr(prefix, '/');
const char *prefixlenString = slash + 1;
if (!slash || !*prefixlenString)
return -EINVAL;
// Convert the prefix length to a uint8_t.
char *endptr;
unsigned templen;
templen = strtoul(prefixlenString, &endptr, 10);
if (*endptr || templen > 255) {
return -EINVAL;
}
*prefixlen = templen;
// Copy the address part of the prefix to a local buffer. We have to copy
// because inet_pton and getaddrinfo operate on null-terminated address
// strings, but prefix is const and has '/' after the address.
std::string addressString(prefix, slash - prefix);
// Parse the address.
addrinfo *res;
addrinfo hints = {
.ai_flags = AI_NUMERICHOST,
};
int ret = getaddrinfo(addressString.c_str(), NULL, &hints, &res);
if (ret || !res) {
return -EINVAL; // getaddrinfo return values are not errno values.
}
// Convert the address string to raw address bytes.
void *rawAddress;
int rawLength;
switch (res[0].ai_family) {
case AF_INET: {
if (*prefixlen > 32) {
return -EINVAL;
}
sockaddr_in *sin = (sockaddr_in *) res[0].ai_addr;
rawAddress = &sin->sin_addr;
rawLength = 4;
break;
}
case AF_INET6: {
if (*prefixlen > 128) {
return -EINVAL;
}
sockaddr_in6 *sin6 = (sockaddr_in6 *) res[0].ai_addr;
rawAddress = &sin6->sin6_addr;
rawLength = 16;
break;
}
default: {
freeaddrinfo(res);
return -EAFNOSUPPORT;
}
}
if (rawLength > size) {
freeaddrinfo(res);
return -ENOSPC;
}
*family = res[0].ai_family;
memcpy(address, rawAddress, rawLength);
freeaddrinfo(res);
return rawLength;
}
void blockSigpipe() {
sigset_t mask;
sigemptyset(&mask);
sigaddset(&mask, SIGPIPE);
if (sigprocmask(SIG_BLOCK, &mask, NULL) != 0)
ALOGW("WARNING: SIGPIPE not blocked\n");
}