1 /*
2  * Copyright (c) 2024 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #ifndef NET_FIREWALL_PARCEL_H
17 #define NET_FIREWALL_PARCEL_H
18 
19 #include <string>
20 #include <vector>
21 #include <netinet/in.h>
22 
23 #include "parcel.h"
24 
25 namespace OHOS {
26 namespace NetManagerStandard {
27 // Intercept only one record per minute, with a buffer time of 60 seconds
28 constexpr const int32_t INTERCEPT_BUFF_INTERVAL_SEC = 60;
29 // Maximum number of rules per user
30 constexpr int32_t FIREWALL_RULE_SIZE_MAX = 1000;
31 // Maximum number of domain for all users
32 constexpr int32_t FIREWALL_DOMAIN_RULE_SIZE_MAX = 2000;
33 constexpr int32_t FIREWALL_IPC_IP_RULE_PAGE_SIZE = 300;
34 constexpr int32_t FIREWALL_IPC_DOMAIN_RULE_PAGE_SIZE = 2000;
35 constexpr uint8_t FAMILY_IPV4 = 1;
36 constexpr uint8_t FAMILY_IPV6 = 2;
37 constexpr uint8_t SINGLE_IP = 1;
38 constexpr uint8_t MULTIPLE_IP = 2;
39 constexpr int32_t IPV6_ARRAY_SIZE = 16;
40 
41 constexpr const char *COMMA = ",";
42 constexpr const char *NET_FIREWALL_IS_OPEN = "isOpen";
43 constexpr const char *NET_FIREWALL_IN_ACTION = "inAction";
44 constexpr const char *NET_FIREWALL_OUT_ACTION = "outAction";
45 
46 namespace {
47 const std::string NET_FIREWALL_RULE_ID = "id";
48 const std::string NET_FIREWALL_RULE_NAME = "name";
49 const std::string NET_FIREWALL_RULE_DESC = "description";
50 const std::string NET_FIREWALL_RULE_DIR = "direction";
51 const std::string NET_FIREWALL_RULE_ACTION = "action";
52 const std::string NET_FIREWALL_RULE_TYPE = "type";
53 const std::string NET_FIREWALL_IS_ENABLED = "isEnabled";
54 const std::string NET_FIREWALL_APP_ID = "appUid";
55 const std::string NET_FIREWALL_LOCAL_IP = "localIps";
56 const std::string NET_FIREWALL_REMOTE_IP = "remoteIps";
57 const std::string NET_FIREWALL_PROTOCOL = "protocol";
58 const std::string NET_FIREWALL_LOCAL_PORT = "localPorts";
59 const std::string NET_FIREWALL_REMOTE_PORT = "remotePorts";
60 const std::string NET_FIREWALL_RULE_DOMAIN = "domains";
61 const std::string NET_FIREWALL_DNS = "dns";
62 const std::string NET_FIREWALL_USER_ID = "userId";
63 const std::string NET_FIREWALL_IP_FAMILY = "family";
64 const std::string NET_FIREWALL_IP_TYPE = "type";
65 const std::string NET_FIREWALL_IP_ADDRESS = "address";
66 const std::string NET_FIREWALL_IP_MASK = "mask";
67 const std::string NET_FIREWALL_IP_START = "startIp";
68 const std::string NET_FIREWALL_IP_END = "endIp";
69 const std::string NET_FIREWALL_PORT_START = "startPort";
70 const std::string NET_FIREWALL_PORT_END = "endPort";
71 const std::string NET_FIREWALL_DOMAIN_IS_WILDCARD = "isWildcard";
72 const std::string NET_FIREWALL_DOMAIN = "domain";
73 const std::string NET_FIREWALL_DNS_PRIMARY = "primaryDns";
74 const std::string NET_FIREWALL_DNS_STANDY = "standbyDns";
75 const std::string NET_FIREWALL_RECORD_TIME = "time";
76 const std::string NET_FIREWALL_RECORD_LOCAL_IP = "localIp";
77 const std::string NET_FIREWALL_RECORD_REMOTE_IP = "remoteIp";
78 const std::string NET_FIREWALL_RECORD_LOCAL_PORT = "localPort";
79 const std::string NET_FIREWALL_RECORD_REMOTE_PORT = "remotePort";
80 const std::string NET_FIREWALL_RECORD_PROTOCOL = "protocol";
81 const std::string NET_FIREWALL_RECORD_UID = "appUid";
82 
83 const std::string EQUAL = "=";
84 } // namespace
85 
86 // Firewall rule direction enumeration
87 enum class NetFirewallRuleDirection {
88     RULE_IN = 1, // Inbound
89     RULE_OUT     // Outbound
90 };
91 
92 // Firewall rule behavior enumeration
93 enum class FirewallRuleAction {
94     RULE_INVALID = -1,
95     RULE_ALLOW = 0, // allow
96     RULE_DENY       // deny
97 };
98 
99 // Firewall Rule Type
100 enum class NetFirewallRuleType {
101     RULE_INVALID = -1, // TYPE INVALID
102     RULE_IP = 1,       // TYPE IP
103     RULE_DOMAIN,       // TYPE Domain
104     RULE_DNS,          // TYPE DNS
105     RULE_ALL           // TYPE ALL
106 };
107 
108 // Network protocol, currently only supports the following enumeration. Please refer to the enumeration data for
109 // details: https://learn.microsoft.com/en-us/graph/api/resources/securitynetworkprotocol?view=graph-rest-1.0
110 enum class NetworkProtocol {
111     ICMP = 1,       // Internet Control Message Protocol.
112     TCP = 6,        // Transmission Control Protocol.
113     UDP = 17,       // User Datagram Protocol.
114     ICMPV6 = 58,    // Internet Control Message Protocol for ipv6.
115     GRE = 47,       // General Routing Encapsulation
116     IPSEC_ESP = 50, // Encap Security Payload [RFC2406]
117     IPSEC_AH = 51,  // Authentication Header [RFC2402]
118     L2TP = 115,     // Layer Two Tunneling Protocol [RFC2661]
119 };
120 
121 // Firewall IP parameters
122 struct NetFirewallIpParam : public Parcelable {
123     uint8_t family; // IPv4=1, IPv6=2, default IPv4, not currently supported for others, optional
124     uint8_t type;   // 1:IP address or subnet, when using a single IP, the mask is 32,2: IP segment. Optional
125     uint8_t mask;   // IPv4: subnet mask, IPv6: prefix. Optional
126     union {
127         struct {
128             in_addr startIp; // Store IP for single IP, and store starting IP for IP end
129             in_addr endIp;
130         } ipv4;
131         struct {
132             in6_addr startIp; // Store IP for single IP, and store starting IP for IP end
133             in6_addr endIp;
134         } ipv6;
135     };
136     virtual bool Marshalling(Parcel &parcel) const override;
137     static sptr<NetFirewallIpParam> Unmarshalling(Parcel &parcel);
138     std::string GetStartIp() const;
139     std::string GetEndIp() const;
140 };
141 
142 // Firewall port parameters
143 struct NetFirewallPortParam : public Parcelable {
144     uint16_t startPort; // When there is only one port, the starting port is the same as the ending port. Optional
145     uint16_t endPort;   // When there is only one end port, the start port is the same as the end port. Optional
146 
147     virtual bool Marshalling(Parcel &parcel) const override;
148     static sptr<NetFirewallPortParam> Unmarshalling(Parcel &parcel);
149 };
150 
151 // Firewall domain name parameters
152 struct NetFirewallDomainParam : public Parcelable {
153     bool isWildcard;    // Is there a universal configuration rule? It is mandatory
154     std::string domain; // Domain, mandatory
155 
156     virtual bool Marshalling(Parcel &parcel) const override;
157     static sptr<NetFirewallDomainParam> Unmarshalling(Parcel &parcel);
158 };
159 
160 // Firewall DNS parameters
161 struct NetFirewallDnsParam : public Parcelable {
162     std::string primaryDns; // Primary DNS, mandatory
163     std::string standbyDns; // Backup DNS, optional
164 
165     virtual bool Marshalling(Parcel &parcel) const override;
166     static sptr<NetFirewallDnsParam> Unmarshalling(Parcel &parcel);
167 };
168 
169 struct NetFirewallBaseRule : public Parcelable {
170     int32_t userId;
171     int32_t appUid;
172 
173     virtual bool Marshalling(Parcel &parcel) const override;
174     static sptr<NetFirewallBaseRule> Unmarshalling(Parcel &parcel);
175     static bool UnmarshallingBase(Parcel &parcel, sptr<NetFirewallBaseRule> ptr);
176 };
177 
178 struct NetFirewallDomainRule : public NetFirewallBaseRule {
179     FirewallRuleAction ruleAction;
180     std::vector<NetFirewallDomainParam> domains;
181 
182     bool Marshalling(Parcel &parcel) const override;
183     static sptr<NetFirewallDomainRule> Unmarshalling(Parcel &parcel);
184 };
185 
186 struct NetFirewallIpRule : public NetFirewallBaseRule {
187     NetFirewallRuleDirection ruleDirection;
188     FirewallRuleAction ruleAction;
189     NetworkProtocol protocol;
190     std::vector<NetFirewallIpParam> localIps;
191     std::vector<NetFirewallIpParam> remoteIps;
192     std::vector<NetFirewallPortParam> localPorts;
193     std::vector<NetFirewallPortParam> remotePorts;
194 
195     static sptr<NetFirewallIpRule> Unmarshalling(Parcel &parcel);
196     bool Marshalling(Parcel &parcel) const override;
197 };
198 
199 struct NetFirewallDnsRule : public NetFirewallBaseRule {
200     std::string primaryDns;
201     std::string standbyDns;
202 
203     static sptr<NetFirewallDnsRule> Unmarshalling(Parcel &parcel);
204     bool Marshalling(Parcel &parcel) const override;
205 };
206 
firewall_rule_cast(const sptr<NetFirewallBaseRule> & object)207 template <typename T> inline sptr<T> firewall_rule_cast(const sptr<NetFirewallBaseRule> &object)
208 {
209     return static_cast<T *>(object.GetRefPtr());
210 }
211 
212 // Firewall rules, external interfaces
213 struct NetFirewallRule : public Parcelable {
214     int32_t ruleId;                                // Rule ID, optional
215     std::string ruleName;                          // Rule name, mandatory
216     std::string ruleDescription;                   // Rule description, optional
217     NetFirewallRuleDirection ruleDirection;        // Rule direction, inbound or outbound, mandatory
218     FirewallRuleAction ruleAction;                 // Behavior rules, mandatory
219     NetFirewallRuleType ruleType;                  // Rule type, mandatory
220     bool isEnabled;                                // Enable or not, required
221     int32_t appUid;                                // Application or service ID, optional
222     std::vector<NetFirewallIpParam> localIps;      // Local IP address, optional
223     std::vector<NetFirewallIpParam> remoteIps;     // Remote IP address, optional
224     NetworkProtocol protocol;                      // Protocol, TCP: 6, UDP: 17. Optional
225     std::vector<NetFirewallPortParam> localPorts;  // Local port, optional
226     std::vector<NetFirewallPortParam> remotePorts; // Remote port, optional
227     std::vector<NetFirewallDomainParam> domains;   // Domain name list, optional
228     NetFirewallDnsParam dns;                       // DNS, optional
229     int32_t userId;                                // User ID, mandatory
230 
231     static sptr<NetFirewallRule> Unmarshalling(Parcel &parcel);
232     virtual bool Marshalling(Parcel &parcel) const override;
233     std::string ToString() const;
234 };
235 
236 // Interception Record
237 struct InterceptRecord : public Parcelable {
238     uint16_t localPort;   // Local Port
239     uint16_t remotePort;  // Destination Port
240     uint16_t protocol;    // Transport Layer Protocol
241     int32_t time;         // time stamp
242     std::string localIp;  // Local IP
243     std::string remoteIp; // Remote IP
244     int32_t appUid;       // Application or Service ID
245     std::string domain;   // domain name
246 
247     virtual bool Marshalling(Parcel &parcel) const override;
248     static sptr<InterceptRecord> Unmarshalling(Parcel &parcel);
249 };
250 
251 class NetFirewallUtils {
252 public:
253     NetFirewallUtils() = default;
254     ~NetFirewallUtils() = default;
255     NetFirewallUtils(const NetFirewallUtils &) = delete;
256     NetFirewallUtils &operator = (const NetFirewallUtils &) = delete;
257     // String segmentation
258     static std::vector<std::string> split(const std::string &text, char delim = ',');
259     // Delete substring to obtain the remaining strings after deletion
260     static std::string erase(const std::string &src, const std::string &sub);
261 
262     // Serialization&Deserialization List
263     template <typename T> static bool MarshallingList(const std::vector<T> &list, Parcel &parcel);
264     template <typename T> static bool UnmarshallingList(Parcel &parcel, std::vector<T> &list);
265 };
266 } // namespace NetManagerStandard
267 } // namespace OHOS
268 
269 #endif // NET_FIREWALL_PARCEL_H