From fe9099834f313a0aa2b7cca9a322441e8152add4 Mon Sep 17 00:00:00 2001
From: Alex Klyubin
Date: Mon, 2 Feb 2015 11:30:27 -0800
Subject: Store MARK/CONNMARK flags in a central location.

MARK/CONNMARK values/tags are shared accross all controllers because of the way the firewall works. To avoid accidental clashes, it's best to store the values used in a central place.

Change-Id: I76aaba38cba6554704a5635b1e7297a144e6e2ff
---
 server/StrictController.cpp | 35 +++++++++++++++++++++++------------
 1 file changed, 23 insertions(+), 12 deletions(-)
(limited to 'server/StrictController.cpp')

diff --git a/server/StrictController.cpp b/server/StrictController.cpp
index 20232ea7a..a04124df7 100644
--- a/server/StrictController.cpp
+++ b/server/StrictController.cpp
@@ -24,6 +24,7 @@
 #include
+#include "ConnmarkFlags.h"
 #include "NetdConstants.h"
 #include "StrictController.h"
@@ -37,24 +38,34 @@ StrictController::StrictController(void) {
 }
 int StrictController::enableStrict(void) {
+ char connmarkFlagAccept[16];
+ char connmarkFlagReject[16];
+ char connmarkFlagTestAccept[32];
+ char connmarkFlagTestReject[32];
+ sprintf(connmarkFlagAccept, "0x%x", ConnmarkFlags::STRICT_RESOLVED_ACCEPT);
+ sprintf(connmarkFlagReject, "0x%x", ConnmarkFlags::STRICT_RESOLVED_REJECT);
+ sprintf(connmarkFlagTestAccept, "0x%x/0x%x",
+ ConnmarkFlags::STRICT_RESOLVED_ACCEPT,
+ ConnmarkFlags::STRICT_RESOLVED_ACCEPT);
+ sprintf(connmarkFlagTestReject, "0x%x/0x%x",
+ ConnmarkFlags::STRICT_RESOLVED_REJECT,
+ ConnmarkFlags::STRICT_RESOLVED_REJECT);
+
 int res = 0;
 disableStrict();
- // Mark 0x01 means resolved and ACCEPT
- // Mark 0x02 means resolved and REJECT
 // Chain triggered when cleartext socket detected and penalty is log
 res |= execIptables(V4V6, "-N", LOCAL_PENALTY_LOG, NULL);
 res |= execIptables(V4V6, "-A", LOCAL_PENALTY_LOG,
- "-j", "CONNMARK", "--or-mark", "0x01000000", NULL);
+ "-j", "CONNMARK", "--or-mark", connmarkFlagAccept, NULL);
 res |= execIptables(V4V6, "-A", LOCAL_PENALTY_LOG,
 "-j", "NFLOG", "--nflog-group", "0", NULL);
 // Chain triggered when cleartext socket detected and penalty is reject
 res |= execIptables(V4V6, "-N", LOCAL_PENALTY_REJECT, NULL);
 res |= execIptables(V4V6, "-A", LOCAL_PENALTY_REJECT,
- "-j", "CONNMARK", "--or-mark", "0x02000000", NULL);
+ "-j", "CONNMARK", "--or-mark", connmarkFlagReject, NULL);
 res |= execIptables(V4V6, "-A", LOCAL_PENALTY_REJECT,
 "-j", "NFLOG", "--nflog-group", "0", NULL);
 res |= execIptables(V4V6, "-A", LOCAL_PENALTY_REJECT,
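Review bot: The four `sprintf` calls added at the top of enableStrict write into fixed-size stack buffers with nothing tying the sizes 16 and 32 to the `"0x%x"` and `"0x%x/0x%x"` formats; for a 32-bit value the longest output is 22 bytes, so nothing overflows today, but a later change to the constants or the formats would not be caught. Using `snprintf` with `sizeof` on each buffer makes the bound explicit at no cost (rewritten calls below). `%x` also assumes the `ConnmarkFlags::STRICT_RESOLVED_*` constants are `unsigned int`; ConnmarkFlags.h is not part of this diff, so that should be confirmed, since passing a wider type to `%x` is undefined behaviour. The removed `// Mark 0x01 means resolved and ACCEPT` / `REJECT` lines were the only in-file explanation of the tag bits; a replacement such as `// STRICT_RESOLVED_ACCEPT/REJECT (see ConnmarkFlags.h) tag connections the detectors below have already classified.` next to the new buffers would keep that context. enableStrict continues past the end of the hunk.
```cpp
int StrictController::enableStrict(void) {
    // … unchanged: the four connmarkFlag* buffer declarations …
    snprintf(connmarkFlagAccept, sizeof(connmarkFlagAccept), "0x%x",
             ConnmarkFlags::STRICT_RESOLVED_ACCEPT);
    snprintf(connmarkFlagReject, sizeof(connmarkFlagReject), "0x%x",
             ConnmarkFlags::STRICT_RESOLVED_REJECT);
    snprintf(connmarkFlagTestAccept, sizeof(connmarkFlagTestAccept), "0x%x/0x%x",
             ConnmarkFlags::STRICT_RESOLVED_ACCEPT,
             ConnmarkFlags::STRICT_RESOLVED_ACCEPT);
    snprintf(connmarkFlagTestReject, sizeof(connmarkFlagTestReject), "0x%x/0x%x",
             ConnmarkFlags::STRICT_RESOLVED_REJECT,
             ConnmarkFlags::STRICT_RESOLVED_REJECT);
    // … unchanged: res/disableStrict() and the LOCAL_PENALTY_* rules …
```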
@@ -67,21 +78,21 @@ int StrictController::enableStrict(void) {
 // Quickly skip connections that we've already resolved
 res |= execIptables(V4V6, "-A", LOCAL_CLEAR_DETECT,
- "-m", "connmark", "--mark", "0x02000000/0x02000000",
+ "-m", "connmark", "--mark", connmarkFlagTestReject,
 "-j", "REJECT", NULL);
 res |= execIptables(V4V6, "-A", LOCAL_CLEAR_DETECT,
- "-m", "connmark", "--mark", "0x01000000/0x01000000",
+ "-m", "connmark", "--mark", connmarkFlagTestAccept,
 "-j", "RETURN", NULL);
 // Look for IPv4 TCP/UDP connections with TLS/DTLS header
 res |= execIptables(V4, "-A", LOCAL_CLEAR_DETECT, "-p", "tcp", "-m", "u32", "--u32", "0>>22&0x3C@ 12>>26&0x3C@ 0&0xFFFF0000=0x16030000 &&" "0>>22&0x3C@ 12>>26&0x3C@ 4&0x00FF0000=0x00010000",
- "-j", "CONNMARK", "--or-mark", "0x01000000", NULL);
+ "-j", "CONNMARK", "--or-mark", connmarkFlagAccept, NULL);
 res |= execIptables(V4, "-A", LOCAL_CLEAR_DETECT, "-p", "udp", "-m", "u32", "--u32", "0>>22&0x3C@ 8&0xFFFF0000=0x16FE0000 &&" "0>>22&0x3C@ 20&0x00FF0000=0x00010000",
- "-j", "CONNMARK", "--or-mark", "0x01000000", NULL);
+ "-j", "CONNMARK", "--or-mark", connmarkFlagAccept, NULL);
 // Look for IPv6 TCP/UDP connections with TLS/DTLS header. The IPv6 header
 // doesn't have an IHL field to shift with, so we have to manually add in
@@ -89,15 +100,15 @@ int StrictController::enableStrict(void) {
 res |= execIptables(V6, "-A", LOCAL_CLEAR_DETECT, "-p", "tcp", "-m", "u32", "--u32", "52>>26&0x3C@ 40&0xFFFF0000=0x16030000 &&" "52>>26&0x3C@ 44&0x00FF0000=0x00010000",
- "-j", "CONNMARK", "--or-mark", "0x01000000", NULL);
+ "-j", "CONNMARK", "--or-mark", connmarkFlagAccept, NULL);
 res |= execIptables(V6, "-A", LOCAL_CLEAR_DETECT, "-p", "udp", "-m", "u32", "--u32", "48&0xFFFF0000=0x16FE0000 &&" "60&0x00FF0000=0x00010000",
- "-j", "CONNMARK", "--or-mark", "0x01000000", NULL);
+ "-j", "CONNMARK", "--or-mark", connmarkFlagAccept, NULL);
 // Skip newly classified connections from above
 res |= execIptables(V4V6, "-A", LOCAL_CLEAR_DETECT,
- "-m", "connmark", "--mark", "0x01000000/0x01000000",
+ "-m", "connmark", "--mark", connmarkFlagTestAccept,
 "-j", "RETURN", NULL);
 // Handle TCP/UDP payloads that didn't match TLS/DTLS filters above,
-- cgit v1.2.3