Dobby/Netfilter_8h_source.html

/*

* If not stated otherwise in this file or this component's LICENSE file the

* following copyright and licenses apply:

*

* Copyright 2019 Sky UK

*

* Licensed under the Apache License, Version 2.0 (the "License");

* you may not use this file except in compliance with the License.

* You may obtain a copy of the License at

*

* http://www.apache.org/licenses/LICENSE-2.0

*

* Unless required by applicable law or agreed to in writing, software

* distributed under the License is distributed on an "AS IS" BASIS,

* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

* See the License for the specific language governing permissions and

* limitations under the License.

*/

/*

 * File:   Netfilter.h

 *

 */

#ifndef NETFILTER_H

#define NETFILTER_H


#include <map>

#include <list>

#include <string>

#include <mutex>


// -----------------------------------------------------------------------------


class Netfilter

{

public:

    Netfilter();

    ~Netfilter() = default;


public:

    enum class TableType { Invalid, Raw, Nat, Mangle, Filter, Security };

    typedef std::map<TableType, std::list<std::string>> RuleSet;


    RuleSet rules(const int ipVersion) const;

    bool setRules(const RuleSet &ruleSet, const int ipVersion);


    enum class Operation { Append, Insert, Delete, Unchanged };


    bool addRules(RuleSet &ruleSet, const int ipVersion, Operation operation);


    bool createNewChain(TableType table, const std::string &name,

                        const int ipVersion);


    bool applyRules(const int ipVersion);


private:

    bool forkExec(const std::string &file,

                  const std::list<std::string> &args,

                  int stdinFd, int stdoutFd, int stderrFd) const;


    bool writeString(int fd, const std::string &str) const;


    RuleSet getRuleSet(const int ipVersion) const;


    bool ruleInList(const std::string &rule,

                    const std::list<std::string> &rulesList) const;


    typedef struct RuleSets

    {

        RuleSet appendRuleSet;

        RuleSet insertRuleSet;

        RuleSet deleteRuleSet;

        RuleSet unchangedRuleSet;

    } RuleSets;


    RuleSets mIpv4RuleCache;

    RuleSets mIpv6RuleCache;


    void trimDuplicates(RuleSet &existing, RuleSet &newRuleSet,

                        Operation operation) const;

    bool checkDuplicates(RuleSets ruleCache, const int ipVersion) const;


    void dump(const RuleSet &ruleSet, const char *title = nullptr) const;


    typedef struct IptablesVersion

    {

        int major;

        int minor;

        int patch;

    } IptablesVersion;


    IptablesVersion getIptablesVersion() const;


private:

    mutable std::mutex mLock;

    IptablesVersion mIptablesVersion;

};


#endif // !defined(NETFILTER_H)

Netfilter
Class that can read / write iptables rule sets.
Definition Netfilter.h:45

Netfilter::writeString
bool writeString(int fd, const std::string &str) const
Writes the string into the supplied file descriptor.
Definition Netfilter.cpp:681

Netfilter::ruleInList
bool ruleInList(const std::string &rule, const std::list< std::string > &rulesList) const
Returns true if the rule is in the rulesList.
Definition Netfilter.cpp:728

Netfilter::addRules
bool addRules(RuleSet &ruleSet, const int ipVersion, Operation operation)
Adds rules to the internal rule caches.
Definition Netfilter.cpp:763

Netfilter::forkExec
bool forkExec(const std::string &file, const std::list< std::string > &args, int stdinFd, int stdoutFd, int stderrFd) const
Performs a fork/exec operation and waits for the child to terminate.
Definition Netfilter.cpp:105

Netfilter::getRuleSet
RuleSet getRuleSet(const int ipVersion) const
Uses the iptables-save tool to get the current rules.
Definition Netfilter.cpp:240

Netfilter::createNewChain
bool createNewChain(TableType table, const std::string &name, const int ipVersion)
Creates a new IPTables chain with the given name and put it in the rule cache to write later.
Definition Netfilter.cpp:828

Netfilter::checkDuplicates
bool checkDuplicates(RuleSets ruleCache, const int ipVersion) const
Checks all rulesets in a rule cache for duplicates to check which rules need to be applied.
Definition Netfilter.cpp:434

Netfilter::applyRules
bool applyRules(const int ipVersion)
Uses the iptables-restore tool to apply the rules stored in mRulesets.
Definition Netfilter.cpp:484

Netfilter::dump
void dump(const RuleSet &ruleSet, const char *title=nullptr) const
Debugging function to print out the supplied ruleset.
Definition Netfilter.cpp:863

Netfilter::trimDuplicates
void trimDuplicates(RuleSet &existing, RuleSet &newRuleSet, Operation operation) const
Trims duplicates from mRuleSets based on the operation.
Definition Netfilter.cpp:381

Netfilter::getIptablesVersion
IptablesVersion getIptablesVersion() const
Definition Netfilter.cpp:892

Netfilter::rules
RuleSet rules(const int ipVersion) const
Returns the current iptables ruleset.
Definition Netfilter.cpp:714

Netfilter::IptablesVersion
Definition Netfilter.h:96

Netfilter::RuleSets
Definition Netfilter.h:79