IPACM: add TCP SYN/FIN/RST flt rules
Add TCP SYN/FIN/RST filtering rules on both UL and DL pipes.
Change-Id: I0498c76c02d54f91f8e4bd2c0ca5e4d45977a5fa
diff --git a/ipacm/inc/IPACM_Iface.h b/ipacm/inc/IPACM_Iface.h
index 278ed24..efcaa63 100644
--- a/ipacm/inc/IPACM_Iface.h
+++ b/ipacm/inc/IPACM_Iface.h
@@ -57,7 +57,13 @@
#define MAX_DEFAULT_v4_ROUTE_RULES 1
#define MAX_DEFAULT_v6_ROUTE_RULES 2
#define IPV4_DEFAULT_FILTERTING_RULES 3
+
+#ifdef FEATURE_IPA_ANDROID
+#define IPV6_DEFAULT_FILTERTING_RULES 6
+#else
#define IPV6_DEFAULT_FILTERTING_RULES 3
+#endif
+
#define IPV6_DEFAULT_LAN_FILTERTING_RULES 1
#define IPV6_NUM_ADDR 3
#define MAX_SOFTWAREROUTING_FILTERTING_RULES 2
diff --git a/ipacm/inc/IPACM_Wan.h b/ipacm/inc/IPACM_Wan.h
index 0b839f0..f8be65c 100644
--- a/ipacm/inc/IPACM_Wan.h
+++ b/ipacm/inc/IPACM_Wan.h
@@ -51,7 +51,12 @@
#define IPA_NUM_DEFAULT_WAN_FILTER_RULES 3 /*1 for v4, 2 for v6*/
#define IPA_V2_NUM_DEFAULT_WAN_FILTER_RULE_IPV4 2
+
+#ifdef FEATURE_IPA_ANDROID
+#define IPA_V2_NUM_DEFAULT_WAN_FILTER_RULE_IPV6 6
+#else
#define IPA_V2_NUM_DEFAULT_WAN_FILTER_RULE_IPV6 3
+#endif
typedef struct _wan_client_rt_hdl
{
diff --git a/ipacm/src/IPACM_Iface.cpp b/ipacm/src/IPACM_Iface.cpp
index 6f0848f..cbf1502 100644
--- a/ipacm/src/IPACM_Iface.cpp
+++ b/ipacm/src/IPACM_Iface.cpp
@@ -853,7 +853,53 @@
flt_rule_entry.rule.attrib.u.v6.dst_addr[3] = 0X00000000;
memcpy(&(m_pFilteringTable->rules[2]), &flt_rule_entry, sizeof(struct ipa_flt_rule_add));
+#ifdef FEATURE_IPA_ANDROID
+ IPACMDBG_H("Add TCP ctrl rules: total num %d\n", IPV6_DEFAULT_FILTERTING_RULES);
+ memset(&flt_rule_entry, 0, sizeof(struct ipa_flt_rule_add));
+ flt_rule_entry.at_rear = true;
+ flt_rule_entry.flt_rule_hdl = -1;
+ flt_rule_entry.status = -1;
+
+ flt_rule_entry.rule.retain_hdr = 1;
+ flt_rule_entry.rule.to_uc = 0;
+ flt_rule_entry.rule.action = IPA_PASS_TO_EXCEPTION;
+ flt_rule_entry.rule.eq_attrib_type = 1;
+
+ flt_rule_entry.rule.eq_attrib.rule_eq_bitmap = 0;
+
+ if(rx_prop->rx[0].attrib.attrib_mask & IPA_FLT_META_DATA)
+ {
+ flt_rule_entry.rule.eq_attrib.rule_eq_bitmap |= (1<<14);
+ flt_rule_entry.rule.eq_attrib.metadata_meq32_present = 1;
+ flt_rule_entry.rule.eq_attrib.metadata_meq32.offset = 0;
+ flt_rule_entry.rule.eq_attrib.metadata_meq32.value = rx_prop->rx[0].attrib.meta_data;
+ flt_rule_entry.rule.eq_attrib.metadata_meq32.mask = rx_prop->rx[0].attrib.meta_data_mask;
+ }
+
+ flt_rule_entry.rule.eq_attrib.rule_eq_bitmap |= (1<<1);
+ flt_rule_entry.rule.eq_attrib.protocol_eq_present = 1;
+ flt_rule_entry.rule.eq_attrib.protocol_eq = IPACM_FIREWALL_IPPROTO_TCP;
+
+ flt_rule_entry.rule.eq_attrib.rule_eq_bitmap |= (1<<8);
+ flt_rule_entry.rule.eq_attrib.num_ihl_offset_meq_32 = 1;
+ flt_rule_entry.rule.eq_attrib.ihl_offset_meq_32[0].offset = 12;
+
+ /* add TCP FIN rule*/
+ flt_rule_entry.rule.eq_attrib.ihl_offset_meq_32[0].value = (((uint32_t)1)<<TCP_FIN_SHIFT);
+ flt_rule_entry.rule.eq_attrib.ihl_offset_meq_32[0].mask = (((uint32_t)1)<<TCP_FIN_SHIFT);
+ memcpy(&(m_pFilteringTable->rules[3]), &flt_rule_entry, sizeof(struct ipa_flt_rule_add));
+
+ /* add TCP SYN rule*/
+ flt_rule_entry.rule.eq_attrib.ihl_offset_meq_32[0].value = (((uint32_t)1)<<TCP_SYN_SHIFT);
+ flt_rule_entry.rule.eq_attrib.ihl_offset_meq_32[0].mask = (((uint32_t)1)<<TCP_SYN_SHIFT);
+ memcpy(&(m_pFilteringTable->rules[4]), &flt_rule_entry, sizeof(struct ipa_flt_rule_add));
+
+ /* add TCP RST rule*/
+ flt_rule_entry.rule.eq_attrib.ihl_offset_meq_32[0].value = (((uint32_t)1)<<TCP_RST_SHIFT);
+ flt_rule_entry.rule.eq_attrib.ihl_offset_meq_32[0].mask = (((uint32_t)1)<<TCP_RST_SHIFT);
+ memcpy(&(m_pFilteringTable->rules[5]), &flt_rule_entry, sizeof(struct ipa_flt_rule_add));
+#endif
if (m_filtering.AddFilteringRule(m_pFilteringTable) == false)
{
IPACMERR("Error Adding Filtering rule, aborting...\n");
diff --git a/ipacm/src/IPACM_Wan.cpp b/ipacm/src/IPACM_Wan.cpp
index 51f9bc3..8949043 100644
--- a/ipacm/src/IPACM_Wan.cpp
+++ b/ipacm/src/IPACM_Wan.cpp
@@ -3374,6 +3374,46 @@
memcpy(&(rules[rule_offset + 2]), &flt_rule_entry, sizeof(struct ipa_flt_rule_add));
+#ifdef FEATURE_IPA_ANDROID
+ IPACMDBG_H("Add TCP ctrl rules: total num %d\n", IPA_V2_NUM_DEFAULT_WAN_FILTER_RULE_IPV6);
+ memset(&flt_rule_entry, 0, sizeof(struct ipa_flt_rule_add));
+
+ flt_rule_entry.at_rear = true;
+ flt_rule_entry.flt_rule_hdl = -1;
+ flt_rule_entry.status = -1;
+
+ flt_rule_entry.rule.retain_hdr = 1;
+ flt_rule_entry.rule.to_uc = 0;
+ flt_rule_entry.rule.action = IPA_PASS_TO_ROUTING;
+ flt_rule_entry.rule.rt_tbl_idx = rt_tbl_idx.idx;
+ flt_rule_entry.rule.eq_attrib_type = 1;
+
+ flt_rule_entry.rule.eq_attrib.rule_eq_bitmap = 0;
+
+ flt_rule_entry.rule.eq_attrib.rule_eq_bitmap |= (1<<1);
+ flt_rule_entry.rule.eq_attrib.protocol_eq_present = 1;
+ flt_rule_entry.rule.eq_attrib.protocol_eq = IPACM_FIREWALL_IPPROTO_TCP;
+
+ flt_rule_entry.rule.eq_attrib.rule_eq_bitmap |= (1<<8);
+ flt_rule_entry.rule.eq_attrib.num_ihl_offset_meq_32 = 1;
+ flt_rule_entry.rule.eq_attrib.ihl_offset_meq_32[0].offset = 12;
+
+ /* add TCP FIN rule*/
+ flt_rule_entry.rule.eq_attrib.ihl_offset_meq_32[0].value = (((uint32_t)1)<<TCP_FIN_SHIFT);
+ flt_rule_entry.rule.eq_attrib.ihl_offset_meq_32[0].mask = (((uint32_t)1)<<TCP_FIN_SHIFT);
+ memcpy(&(rules[rule_offset + 3]), &flt_rule_entry, sizeof(struct ipa_flt_rule_add));
+
+ /* add TCP SYN rule*/
+ flt_rule_entry.rule.eq_attrib.ihl_offset_meq_32[0].value = (((uint32_t)1)<<TCP_SYN_SHIFT);
+ flt_rule_entry.rule.eq_attrib.ihl_offset_meq_32[0].mask = (((uint32_t)1)<<TCP_SYN_SHIFT);
+ memcpy(&(rules[rule_offset + 4]), &flt_rule_entry, sizeof(struct ipa_flt_rule_add));
+
+ /* add TCP RST rule*/
+ flt_rule_entry.rule.eq_attrib.ihl_offset_meq_32[0].value = (((uint32_t)1)<<TCP_RST_SHIFT);
+ flt_rule_entry.rule.eq_attrib.ihl_offset_meq_32[0].mask = (((uint32_t)1)<<TCP_RST_SHIFT);
+ memcpy(&(rules[rule_offset + 5]), &flt_rule_entry, sizeof(struct ipa_flt_rule_add));
+#endif
+
IPACM_Wan::num_v6_flt_rule += IPA_V2_NUM_DEFAULT_WAN_FILTER_RULE_IPV6;
IPACMDBG_H("Constructed %d default filtering rules for ip type %d\n", IPA_V2_NUM_DEFAULT_WAN_FILTER_RULE_IPV6, iptype);
}
diff --git a/ipacm/src/IPACM_Wlan.cpp b/ipacm/src/IPACM_Wlan.cpp
index e58345a..2c4d1e2 100644
--- a/ipacm/src/IPACM_Wlan.cpp
+++ b/ipacm/src/IPACM_Wlan.cpp
@@ -1129,6 +1129,54 @@
flt_rule.rule_hdl = IPACM_Wlan::dummy_flt_rule_hdl_v6[offset+2];
memcpy(&(pFilteringTable->rules[2]), &flt_rule, sizeof(struct ipa_flt_rule_mdfy));
+#ifdef FEATURE_IPA_ANDROID
+ memset(&flt_rule, 0, sizeof(struct ipa_flt_rule_mdfy));
+
+ flt_rule.status = -1;
+
+ flt_rule.rule.retain_hdr = 1;
+ flt_rule.rule.to_uc = 0;
+ flt_rule.rule.action = IPA_PASS_TO_EXCEPTION;
+ flt_rule.rule.eq_attrib_type = 1;
+
+ flt_rule.rule.eq_attrib.rule_eq_bitmap = 0;
+
+ if(rx_prop->rx[0].attrib.attrib_mask & IPA_FLT_META_DATA)
+ {
+ flt_rule.rule.eq_attrib.rule_eq_bitmap |= (1<<14);
+ flt_rule.rule.eq_attrib.metadata_meq32_present = 1;
+ flt_rule.rule.eq_attrib.metadata_meq32.offset = 0;
+ flt_rule.rule.eq_attrib.metadata_meq32.value = rx_prop->rx[0].attrib.meta_data;
+ flt_rule.rule.eq_attrib.metadata_meq32.mask = rx_prop->rx[0].attrib.meta_data_mask;
+ }
+
+ flt_rule.rule.eq_attrib.rule_eq_bitmap |= (1<<1);
+ flt_rule.rule.eq_attrib.protocol_eq_present = 1;
+ flt_rule.rule.eq_attrib.protocol_eq = IPACM_FIREWALL_IPPROTO_TCP;
+
+ flt_rule.rule.eq_attrib.rule_eq_bitmap |= (1<<8);
+ flt_rule.rule.eq_attrib.num_ihl_offset_meq_32 = 1;
+ flt_rule.rule.eq_attrib.ihl_offset_meq_32[0].offset = 12;
+
+ /* add TCP FIN rule*/
+ flt_rule.rule.eq_attrib.ihl_offset_meq_32[0].value = (((uint32_t)1)<<TCP_FIN_SHIFT);
+ flt_rule.rule.eq_attrib.ihl_offset_meq_32[0].mask = (((uint32_t)1)<<TCP_FIN_SHIFT);
+ flt_rule.rule_hdl = IPACM_Wlan::dummy_flt_rule_hdl_v6[offset+3];
+ memcpy(&(pFilteringTable->rules[3]), &flt_rule, sizeof(struct ipa_flt_rule_mdfy));
+
+ /* add TCP SYN rule*/
+ flt_rule.rule.eq_attrib.ihl_offset_meq_32[0].value = (((uint32_t)1)<<TCP_SYN_SHIFT);
+ flt_rule.rule.eq_attrib.ihl_offset_meq_32[0].mask = (((uint32_t)1)<<TCP_SYN_SHIFT);
+ flt_rule.rule_hdl = IPACM_Wlan::dummy_flt_rule_hdl_v6[offset+4];
+ memcpy(&(pFilteringTable->rules[4]), &flt_rule, sizeof(struct ipa_flt_rule_mdfy));
+
+ /* add TCP RST rule*/
+ flt_rule.rule.eq_attrib.ihl_offset_meq_32[0].value = (((uint32_t)1)<<TCP_RST_SHIFT);
+ flt_rule.rule.eq_attrib.ihl_offset_meq_32[0].mask = (((uint32_t)1)<<TCP_RST_SHIFT);
+ flt_rule.rule_hdl = IPACM_Wlan::dummy_flt_rule_hdl_v6[offset+5];
+ memcpy(&(pFilteringTable->rules[5]), &flt_rule, sizeof(struct ipa_flt_rule_mdfy));
+#endif
+
if (m_filtering.ModifyFilteringRule(pFilteringTable) == false)
{
IPACMERR("Failed to modify default ipv6 filtering rules.\n");