Dobby/Netfilter_8h_source.html

 /*

 * If not stated otherwise in this file or this component's LICENSE file the

 * following copyright and licenses apply:

 *

 * Copyright 2019 Sky UK

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 * http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

 /*

  * File:   Netfilter.h

  *

  */

 #ifndef NETFILTER_H

 #define NETFILTER_H


 #include <map>

 #include <list>

 #include <string>

 #include <mutex>


 // -----------------------------------------------------------------------------

 class Netfilter

 {

 public:

     Netfilter();

     ~Netfilter() = default;


 public:

     enum class TableType { Invalid, Raw, Nat, Mangle, Filter, Security };

     typedef std::map<TableType, std::list<std::string>> RuleSet;


     RuleSet rules(const int ipVersion) const;

     bool setRules(const RuleSet &ruleSet, const int ipVersion);


     enum class Operation { Append, Insert, Delete, Unchanged };


     bool addRules(RuleSet &ruleSet, const int ipVersion, Operation operation);


     bool createNewChain(TableType table, const std::string &name,

                         const int ipVersion);


     bool applyRules(const int ipVersion);


 private:

     bool forkExec(const std::string &file,

                   const std::list<std::string> &args,

                   int stdinFd, int stdoutFd, int stderrFd) const;


     bool writeString(int fd, const std::string &str) const;


     RuleSet getRuleSet(const int ipVersion) const;


     bool ruleInList(const std::string &rule,

                     const std::list<std::string> &rulesList) const;


     typedef struct RuleSets

     {

         RuleSet appendRuleSet;

         RuleSet insertRuleSet;

         RuleSet deleteRuleSet;

         RuleSet unchangedRuleSet;

     } RuleSets;


     RuleSets mIpv4RuleCache;

     RuleSets mIpv6RuleCache;


     void trimDuplicates(RuleSet &existing, RuleSet &newRuleSet,

                         Operation operation) const;

     bool checkDuplicates(RuleSets ruleCache, const int ipVersion) const;


     void dump(const RuleSet &ruleSet, const char *title = nullptr) const;


     typedef struct IptablesVersion

     {

         int major;

         int minor;

         int patch;

     } IptablesVersion;


     IptablesVersion getIptablesVersion() const;


 private:

     mutable std::mutex mLock;

     IptablesVersion mIptablesVersion;

 };


 #endif // !defined(NETFILTER_H)

Netfilter
Class that can read / write iptables rule sets.
Definition: Netfilter.h:45

Netfilter::writeString
bool writeString(int fd, const std::string &str) const
Writes the string into the supplied file descriptor.
Definition: Netfilter.cpp:681

Netfilter::ruleInList
bool ruleInList(const std::string &rule, const std::list< std::string > &rulesList) const
Returns true if the rule is in the rulesList.
Definition: Netfilter.cpp:728

Netfilter::addRules
bool addRules(RuleSet &ruleSet, const int ipVersion, Operation operation)
Adds rules to the internal rule caches.
Definition: Netfilter.cpp:763

Netfilter::forkExec
bool forkExec(const std::string &file, const std::list< std::string > &args, int stdinFd, int stdoutFd, int stderrFd) const
Performs a fork/exec operation and waits for the child to terminate.
Definition: Netfilter.cpp:105

Netfilter::getRuleSet
RuleSet getRuleSet(const int ipVersion) const
Uses the iptables-save tool to get the current rules.
Definition: Netfilter.cpp:240

Netfilter::createNewChain
bool createNewChain(TableType table, const std::string &name, const int ipVersion)
Creates a new IPTables chain with the given name and put it in the rule cache to write later.
Definition: Netfilter.cpp:828

Netfilter::checkDuplicates
bool checkDuplicates(RuleSets ruleCache, const int ipVersion) const
Checks all rulesets in a rule cache for duplicates to check which rules need to be applied.
Definition: Netfilter.cpp:434

Netfilter::applyRules
bool applyRules(const int ipVersion)
Uses the iptables-restore tool to apply the rules stored in mRulesets.
Definition: Netfilter.cpp:484

Netfilter::dump
void dump(const RuleSet &ruleSet, const char *title=nullptr) const
Debugging function to print out the supplied ruleset.
Definition: Netfilter.cpp:863

Netfilter::trimDuplicates
void trimDuplicates(RuleSet &existing, RuleSet &newRuleSet, Operation operation) const
Trims duplicates from mRuleSets based on the operation.
Definition: Netfilter.cpp:381

Netfilter::getIptablesVersion
IptablesVersion getIptablesVersion() const
Definition: Netfilter.cpp:892

Netfilter::rules
RuleSet rules(const int ipVersion) const
Returns the current iptables ruleset.
Definition: Netfilter.cpp:714

Netfilter::IptablesVersion
Definition: Netfilter.h:96

Netfilter::RuleSets
Definition: Netfilter.h:79