1/*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16#ifndef NET_FIREWALL_PARCEL_H
17#define NET_FIREWALL_PARCEL_H
18
19#include <string>
20#include <vector>
21#include <netinet/in.h>
22
23#include "parcel.h"
24
25namespace OHOS {
26namespace NetManagerStandard {
27// Intercept only one record per minute, with a buffer time of 60 seconds
28constexpr const int32_t INTERCEPT_BUFF_INTERVAL_SEC = 60;
29// Maximum number of rules per user
30constexpr int32_t FIREWALL_RULE_SIZE_MAX = 1000;
31// Maximum number of domain for all users
32constexpr int32_t FIREWALL_DOMAIN_RULE_SIZE_MAX = 2000;
33constexpr int32_t FIREWALL_IPC_IP_RULE_PAGE_SIZE = 300;
34constexpr int32_t FIREWALL_IPC_DOMAIN_RULE_PAGE_SIZE = 2000;
35constexpr uint8_t FAMILY_IPV4 = 1;
36constexpr uint8_t FAMILY_IPV6 = 2;
37constexpr uint8_t SINGLE_IP = 1;
38constexpr uint8_t MULTIPLE_IP = 2;
39constexpr int32_t IPV6_ARRAY_SIZE = 16;
40
41constexpr const char *COMMA = ",";
42constexpr const char *NET_FIREWALL_IS_OPEN = "isOpen";
43constexpr const char *NET_FIREWALL_IN_ACTION = "inAction";
44constexpr const char *NET_FIREWALL_OUT_ACTION = "outAction";
45
46namespace {
47const std::string NET_FIREWALL_RULE_ID = "id";
48const std::string NET_FIREWALL_RULE_NAME = "name";
49const std::string NET_FIREWALL_RULE_DESC = "description";
50const std::string NET_FIREWALL_RULE_DIR = "direction";
51const std::string NET_FIREWALL_RULE_ACTION = "action";
52const std::string NET_FIREWALL_RULE_TYPE = "type";
53const std::string NET_FIREWALL_IS_ENABLED = "isEnabled";
54const std::string NET_FIREWALL_APP_ID = "appUid";
55const std::string NET_FIREWALL_LOCAL_IP = "localIps";
56const std::string NET_FIREWALL_REMOTE_IP = "remoteIps";
57const std::string NET_FIREWALL_PROTOCOL = "protocol";
58const std::string NET_FIREWALL_LOCAL_PORT = "localPorts";
59const std::string NET_FIREWALL_REMOTE_PORT = "remotePorts";
60const std::string NET_FIREWALL_RULE_DOMAIN = "domains";
61const std::string NET_FIREWALL_DNS = "dns";
62const std::string NET_FIREWALL_USER_ID = "userId";
63const std::string NET_FIREWALL_IP_FAMILY = "family";
64const std::string NET_FIREWALL_IP_TYPE = "type";
65const std::string NET_FIREWALL_IP_ADDRESS = "address";
66const std::string NET_FIREWALL_IP_MASK = "mask";
67const std::string NET_FIREWALL_IP_START = "startIp";
68const std::string NET_FIREWALL_IP_END = "endIp";
69const std::string NET_FIREWALL_PORT_START = "startPort";
70const std::string NET_FIREWALL_PORT_END = "endPort";
71const std::string NET_FIREWALL_DOMAIN_IS_WILDCARD = "isWildcard";
72const std::string NET_FIREWALL_DOMAIN = "domain";
73const std::string NET_FIREWALL_DNS_PRIMARY = "primaryDns";
74const std::string NET_FIREWALL_DNS_STANDY = "standbyDns";
75const std::string NET_FIREWALL_RECORD_TIME = "time";
76const std::string NET_FIREWALL_RECORD_LOCAL_IP = "localIp";
77const std::string NET_FIREWALL_RECORD_REMOTE_IP = "remoteIp";
78const std::string NET_FIREWALL_RECORD_LOCAL_PORT = "localPort";
79const std::string NET_FIREWALL_RECORD_REMOTE_PORT = "remotePort";
80const std::string NET_FIREWALL_RECORD_PROTOCOL = "protocol";
81const std::string NET_FIREWALL_RECORD_UID = "appUid";
82
83const std::string EQUAL = "=";
84} // namespace
85
86// Firewall rule direction enumeration
87enum class NetFirewallRuleDirection {
88    RULE_IN = 1, // Inbound
89    RULE_OUT     // Outbound
90};
91
92// Firewall rule behavior enumeration
93enum class FirewallRuleAction {
94    RULE_INVALID = -1,
95    RULE_ALLOW = 0, // allow
96    RULE_DENY       // deny
97};
98
99// Firewall Rule Type
100enum class NetFirewallRuleType {
101    RULE_INVALID = -1, // TYPE INVALID
102    RULE_IP = 1,       // TYPE IP
103    RULE_DOMAIN,       // TYPE Domain
104    RULE_DNS,          // TYPE DNS
105    RULE_ALL           // TYPE ALL
106};
107
108// Network protocol, currently only supports the following enumeration. Please refer to the enumeration data for
109// details: https://learn.microsoft.com/en-us/graph/api/resources/securitynetworkprotocol?view=graph-rest-1.0
110enum class NetworkProtocol {
111    ICMP = 1,       // Internet Control Message Protocol.
112    TCP = 6,        // Transmission Control Protocol.
113    UDP = 17,       // User Datagram Protocol.
114    ICMPV6 = 58,    // Internet Control Message Protocol for ipv6.
115    GRE = 47,       // General Routing Encapsulation
116    IPSEC_ESP = 50, // Encap Security Payload [RFC2406]
117    IPSEC_AH = 51,  // Authentication Header [RFC2402]
118    L2TP = 115,     // Layer Two Tunneling Protocol [RFC2661]
119};
120
121// Firewall IP parameters
122struct NetFirewallIpParam : public Parcelable {
123    uint8_t family; // IPv4=1, IPv6=2, default IPv4, not currently supported for others, optional
124    uint8_t type;   // 1:IP address or subnet, when using a single IP, the mask is 32,2: IP segment. Optional
125    uint8_t mask;   // IPv4: subnet mask, IPv6: prefix. Optional
126    union {
127        struct {
128            in_addr startIp; // Store IP for single IP, and store starting IP for IP end
129            in_addr endIp;
130        } ipv4;
131        struct {
132            in6_addr startIp; // Store IP for single IP, and store starting IP for IP end
133            in6_addr endIp;
134        } ipv6;
135    };
136    virtual bool Marshalling(Parcel &parcel) const override;
137    static sptr<NetFirewallIpParam> Unmarshalling(Parcel &parcel);
138    std::string GetStartIp() const;
139    std::string GetEndIp() const;
140};
141
142// Firewall port parameters
143struct NetFirewallPortParam : public Parcelable {
144    uint16_t startPort; // When there is only one port, the starting port is the same as the ending port. Optional
145    uint16_t endPort;   // When there is only one end port, the start port is the same as the end port. Optional
146
147    virtual bool Marshalling(Parcel &parcel) const override;
148    static sptr<NetFirewallPortParam> Unmarshalling(Parcel &parcel);
149};
150
151// Firewall domain name parameters
152struct NetFirewallDomainParam : public Parcelable {
153    bool isWildcard;    // Is there a universal configuration rule? It is mandatory
154    std::string domain; // Domain, mandatory
155
156    virtual bool Marshalling(Parcel &parcel) const override;
157    static sptr<NetFirewallDomainParam> Unmarshalling(Parcel &parcel);
158};
159
160// Firewall DNS parameters
161struct NetFirewallDnsParam : public Parcelable {
162    std::string primaryDns; // Primary DNS, mandatory
163    std::string standbyDns; // Backup DNS, optional
164
165    virtual bool Marshalling(Parcel &parcel) const override;
166    static sptr<NetFirewallDnsParam> Unmarshalling(Parcel &parcel);
167};
168
169struct NetFirewallBaseRule : public Parcelable {
170    int32_t userId;
171    int32_t appUid;
172
173    virtual bool Marshalling(Parcel &parcel) const override;
174    static sptr<NetFirewallBaseRule> Unmarshalling(Parcel &parcel);
175    static bool UnmarshallingBase(Parcel &parcel, sptr<NetFirewallBaseRule> ptr);
176};
177
178struct NetFirewallDomainRule : public NetFirewallBaseRule {
179    FirewallRuleAction ruleAction;
180    std::vector<NetFirewallDomainParam> domains;
181
182    bool Marshalling(Parcel &parcel) const override;
183    static sptr<NetFirewallDomainRule> Unmarshalling(Parcel &parcel);
184};
185
186struct NetFirewallIpRule : public NetFirewallBaseRule {
187    NetFirewallRuleDirection ruleDirection;
188    FirewallRuleAction ruleAction;
189    NetworkProtocol protocol;
190    std::vector<NetFirewallIpParam> localIps;
191    std::vector<NetFirewallIpParam> remoteIps;
192    std::vector<NetFirewallPortParam> localPorts;
193    std::vector<NetFirewallPortParam> remotePorts;
194
195    static sptr<NetFirewallIpRule> Unmarshalling(Parcel &parcel);
196    bool Marshalling(Parcel &parcel) const override;
197};
198
199struct NetFirewallDnsRule : public NetFirewallBaseRule {
200    std::string primaryDns;
201    std::string standbyDns;
202
203    static sptr<NetFirewallDnsRule> Unmarshalling(Parcel &parcel);
204    bool Marshalling(Parcel &parcel) const override;
205};
206
207template <typename T> inline sptr<T> firewall_rule_cast(const sptr<NetFirewallBaseRule> &object)
208{
209    return static_cast<T *>(object.GetRefPtr());
210}
211
212// Firewall rules, external interfaces
213struct NetFirewallRule : public Parcelable {
214    int32_t ruleId;                                // Rule ID, optional
215    std::string ruleName;                          // Rule name, mandatory
216    std::string ruleDescription;                   // Rule description, optional
217    NetFirewallRuleDirection ruleDirection;        // Rule direction, inbound or outbound, mandatory
218    FirewallRuleAction ruleAction;                 // Behavior rules, mandatory
219    NetFirewallRuleType ruleType;                  // Rule type, mandatory
220    bool isEnabled;                                // Enable or not, required
221    int32_t appUid;                                // Application or service ID, optional
222    std::vector<NetFirewallIpParam> localIps;      // Local IP address, optional
223    std::vector<NetFirewallIpParam> remoteIps;     // Remote IP address, optional
224    NetworkProtocol protocol;                      // Protocol, TCP: 6, UDP: 17. Optional
225    std::vector<NetFirewallPortParam> localPorts;  // Local port, optional
226    std::vector<NetFirewallPortParam> remotePorts; // Remote port, optional
227    std::vector<NetFirewallDomainParam> domains;   // Domain name list, optional
228    NetFirewallDnsParam dns;                       // DNS, optional
229    int32_t userId;                                // User ID, mandatory
230
231    static sptr<NetFirewallRule> Unmarshalling(Parcel &parcel);
232    virtual bool Marshalling(Parcel &parcel) const override;
233    std::string ToString() const;
234};
235
236// Interception Record
237struct InterceptRecord : public Parcelable {
238    uint16_t localPort;   // Local Port
239    uint16_t remotePort;  // Destination Port
240    uint16_t protocol;    // Transport Layer Protocol
241    int32_t time;         // time stamp
242    std::string localIp;  // Local IP
243    std::string remoteIp; // Remote IP
244    int32_t appUid;       // Application or Service ID
245    std::string domain;   // domain name
246
247    virtual bool Marshalling(Parcel &parcel) const override;
248    static sptr<InterceptRecord> Unmarshalling(Parcel &parcel);
249};
250
251class NetFirewallUtils {
252public:
253    NetFirewallUtils() = default;
254    ~NetFirewallUtils() = default;
255    NetFirewallUtils(const NetFirewallUtils &) = delete;
256    NetFirewallUtils &operator = (const NetFirewallUtils &) = delete;
257    // String segmentation
258    static std::vector<std::string> split(const std::string &text, char delim = ',');
259    // Delete substring to obtain the remaining strings after deletion
260    static std::string erase(const std::string &src, const std::string &sub);
261
262    // Serialization&Deserialization List
263    template <typename T> static bool MarshallingList(const std::vector<T> &list, Parcel &parcel);
264    template <typename T> static bool UnmarshallingList(Parcel &parcel, std::vector<T> &list);
265};
266} // namespace NetManagerStandard
267} // namespace OHOS
268
269#endif // NET_FIREWALL_PARCEL_H