Class that can read / write iptables rule sets. More...
#include <Netfilter.h>
Classes | |
| struct | IptablesVersion |
| struct | RuleSets |
Public Member Functions | |
| RuleSet | rules (const int ipVersion) const |
| Returns the current iptables ruleset. More... | |
| bool | setRules (const RuleSet &ruleSet, const int ipVersion) |
| bool | addRules (RuleSet &ruleSet, const int ipVersion, Operation operation) |
| Adds rules to the internal rule caches. More... | |
| bool | createNewChain (TableType table, const std::string &name, const int ipVersion) |
| Creates a new IPTables chain with the given name and put it in the rule cache to write later. More... | |
| bool | applyRules (const int ipVersion) |
| Uses the iptables-restore tool to apply the rules stored in mRulesets. More... | |
Private Types | |
| typedef struct Netfilter::RuleSets | RuleSets |
| typedef struct Netfilter::IptablesVersion | IptablesVersion |
Private Member Functions | |
| bool | forkExec (const std::string &file, const std::list< std::string > &args, int stdinFd, int stdoutFd, int stderrFd) const |
| Performs a fork/exec operation and waits for the child to terminate. More... | |
| bool | writeString (int fd, const std::string &str) const |
| Writes the string into the supplied file descriptor. More... | |
| RuleSet | getRuleSet (const int ipVersion) const |
| Uses the iptables-save tool to get the current rules. More... | |
| bool | ruleInList (const std::string &rule, const std::list< std::string > &rulesList) const |
| Returns true if the rule is in the rulesList. More... | |
| void | trimDuplicates (RuleSet &existing, RuleSet &newRuleSet, Operation operation) const |
| Trims duplicates from mRuleSets based on the operation. More... | |
| bool | checkDuplicates (RuleSets ruleCache, const int ipVersion) const |
| Checks all rulesets in a rule cache for duplicates to check which rules need to be applied. More... | |
| void | dump (const RuleSet &ruleSet, const char *title=nullptr) const |
| Debugging function to print out the supplied ruleset. | |
| IptablesVersion | getIptablesVersion () const |
Private Attributes | |
| RuleSets | mIpv4RuleCache |
| RuleSets | mIpv6RuleCache |
| std::mutex | mLock |
| IptablesVersion | mIptablesVersion |
Detailed Description
Class that can read / write iptables rule sets.
There is no programming API for iptables, so this class uses the iptables-save and iptables-restore cmdline tools for reading and writing the rules.
TODO: replace use of iptables-save and iptables-restore with libiptc
Member Function Documentation
◆ addRules()
| bool Netfilter::addRules | ( | RuleSet & | ruleSet, |
| const int | ipVersion, | ||
| Operation | operation | ||
| ) |
Adds rules to the internal rule caches.
The rules are added to the correct cache depending on the input ipVersion and operation type.
ipVersion is set to either AF_INET or AF_INET6 depending on whether the rule is an IPv4 rule for iptables or IPv6 rule for ip6tables.
The operation types match the following iptables/ip6tables options:
Netfilter::Append: -A Netfilter::Insert: -I Netfilter::Delete: -D Netfilter::Unchanged: not used in this method, @see createNewChain()
NB: The rules are not written into iptables until the Netfilter::applyRules() method is called.
- Parameters
-
[in] ruleSet The ruleset to apply. [in] ipVersion iptables version to use. [in] operation iptables operation to use for rules.
- Returns
- returns true on success, otherwise false.
◆ applyRules()
| bool Netfilter::applyRules | ( | const int | ipVersion | ) |
Uses the iptables-restore tool to apply the rules stored in mRulesets.
The method creates a pipe to feed in the rules to the iptables-restore cmdline app, it then writes all the rules from the ruleset correctly formatted.
Its publicly stated that iptables doesn't provide a stable C/C++ API for adding / removing rules, hence the reason we go to the extra pain of fork/exec. Running benchmark tests with an implementation of a libiptc wrapper resulted in slower results compared to using fork/exec [RDK-29283].
- Parameters
-
[in] ipVersion iptables version to use.
- Returns
- true on success, false on failure.
◆ checkDuplicates()
|
private |
Checks all rulesets in a rule cache for duplicates to check which rules need to be applied.
- Parameters
-
[in] ruleCache cache of rules to check for duplicates. [in] ipVersion iptables version to use.
- Returns
- true if there are any new rules to write, otherwise false.
◆ createNewChain()
| bool Netfilter::createNewChain | ( | TableType | table, |
| const std::string & | name, | ||
| const int | ipVersion | ||
| ) |
Creates a new IPTables chain with the given name and put it in the rule cache to write later.
The Netfilter::Unchanged operation type is used to add new chains.
This is equivalent to: iptables -t
N <name>
- Parameters
-
[in] table The table to add the new chain to. [in] name Name of the chain to add. [in] ipVersion iptables version to use.
- Returns
- always returns true.
◆ forkExec()
|
private |
Performs a fork/exec operation and waits for the child to terminate.
If any of the stdinFd, stdoutFd or stderrFd are less than 0 then the corresponding fd is redirected to /dev/null.
- Parameters
-
[in] execFile The path to the file to execute [in] args The args to supply to the exec call [in] stdinFd The fd to redirect stdin to [in] stdoutFd The fd to redirect stdout to [in] stderrFd The fd to redirect stderr to
- Returns
- true on success, false on failure.
◆ getIptablesVersion()
|
private |
Gets the version of iptables that's installed
- Returns
- iptables version
◆ getRuleSet()
|
private |
Uses the iptables-save tool to get the current rules.
A ruleset is just a list of strings containing the iptables rule formatted in the same form the iptables-save reports.
Each list of rules is grouped by the table they belong to.
- Parameters
-
[in] ipVersion iptables version to use.
- Returns
- an list of all the rules read (ruleset)
◆ ruleInList()
|
private |
Returns true if the rule is in the rulesList.
Both rule and the contents of rulesList are strings, however they are parsed as if they are command line args to the iptables tool.
- Returns
- true if the rule exists in the list, otherwise false.
◆ rules()
| Netfilter::RuleSet Netfilter::rules | ( | const int | ipVersion | ) | const |
Returns the current iptables ruleset.
- Parameters
-
[in] ipVersion iptables version to use.
- Returns
- an list of all the rules read (ruleset)
◆ trimDuplicates()
|
private |
Trims duplicates from mRuleSets based on the operation.
Rules with 'Delete' operation will be removed from mRuleSets if the rule is not found in iptables-save, so we avoid deleting rules that aren't there.
Conversely, any other rules are removed from mRuleSets if they are found in iptables-save, so we avoid adding duplicate rules.
- Parameters
-
[in] existing existing rules from iptables-save. [in] newRuleSet new ruleset to add from mRuleSets. [in] operation operation intended to be added for the ruleset.
◆ writeString()
|
private |
Writes the string into the supplied file descriptor.
Attempts to write the entire string until an error occurs.
- Parameters
-
[in] fd The fd to write to [in] str The string to write into the fd
- Returns
- true if the entire string was written, otherwise false.
The documentation for this class was generated from the following files:
- rdkPlugins/Networking/include/Netfilter.h
- rdkPlugins/Networking/source/Netfilter.cpp
