public class FirewallRule extends Object implements Parcelable

java.lang.Object
   ↳ com.samsung.android.knox.net.firewall.FirewallRule

Class Overview

This class is used to encapsulate an IP rule that will be manipulated by the firewall.

Firewall Rule Types

For all rule types the Firewall.AddressType of the rule must be specified in the constructor. Since MDM 5.6, ALLOW and DENY rules fully support the IPV6 address type.

Allow rules - Firewall rules that allow the device to send traffic to or receive traffic from a specific network location, according to the rule created. This type of rule can be specified by:
  • IP Address
  • Port Number
  • Port Location
  • App Identity
  • Network Interface
  • Direction
  • Protocol

Deny rules - Firewall rules that block the device from sending traffic to or receiving traffic from a specific network location, according to the rule created. Note that allow rules take precedence over deny rules, so a broad deny rule combined with narrower allow rules yields a default-deny policy with explicit exceptions.
This type of rule can be specified by:
  • IP Address
  • Port Number
  • Port Location
  • App Identity
  • Network Interface
  • Direction
  • Protocol
Redirect rules - Firewall rules that redirect traffic addressed to the rule's source IP address and port to a target IP address and port instead, for example a proxy server.
This type of rule can be specified by:
  • Source IP Address
  • Source Port Number
  • Target IP Address
  • Target Port Number
  • App Identity
  • Network Interface
  • Protocol
Redirect exception rules - Firewall rules that exempt matching traffic from redirection by redirect rules. Note that redirect exception rules take precedence over redirect rules.
This type of rule can be specified by:
  • IP Address
  • Port Number
  • App Identity
  • Network Interface
  • Protocol
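The four rule types and their precedence (ALLOW over DENY, REDIRECT_EXCEPTION over REDIRECT) combine into a policy as follows. This is an added example, not Samsung's code: it builds a default-deny egress policy for one app, punches a single ALLOW hole for the corporate API, and sends the app's plaintext HTTP through an inspecting proxy without looping the proxy's own traffic back through the redirect. The FirewallRule setters and defaults are the ones documented on this page; the enum constants (RuleType.DENY, AddressType.IPV4, Direction.OUTPUT, PortLocation.REMOTE, Protocol.TCP and so on) and the Firewall.addRules(FirewallRule[]) / Firewall.enableFirewall(boolean) / FirewallResponse calls are assumed from the sibling Firewall and FirewallResponse classes of the Knox SDK, which this page does not reproduce. The package name and the addresses are made up for the example.

```java
import android.content.Context;

import com.samsung.android.knox.AppIdentity;
import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallResponse;
import com.samsung.android.knox.net.firewall.FirewallRule;

import java.util.ArrayList;
import java.util.List;

/** Default-deny egress policy for one app plus a proxy redirect (example code, not the SDK's). */
public final class EgressPolicy {

    private EgressPolicy() {}

    /** Builds the rule set without applying it, so it can be reviewed first. */
    public static FirewallRule[] build(String packageName) {
        AppIdentity app = new AppIdentity(packageName, null); // null signature: match by package only
        List<FirewallRule> rules = new ArrayList<>();

        // 1. DENY all outbound traffic of the app. IP, port and protocol are left at their
        //    "*" / ALL defaults, so this matches everything the app sends.
        FirewallRule denyAll = new FirewallRule(FirewallRule.RuleType.DENY, Firewall.AddressType.IPV4);
        denyAll.setDirection(Firewall.Direction.OUTPUT);
        denyAll.setApplication(app);
        rules.add(denyAll);

        // 2. ALLOW the app to reach the API hosts on TCP/443 only. ALLOW takes precedence
        //    over DENY, so this is the one hole in rule (1).
        FirewallRule allowApi = new FirewallRule(FirewallRule.RuleType.ALLOW, Firewall.AddressType.IPV4);
        allowApi.setDirection(Firewall.Direction.OUTPUT);
        allowApi.setApplication(app);
        allowApi.setIpAddress("203.0.113.10-203.0.113.20"); // IP1-IP2 range form (constructed)
        allowApi.setPortNumber("443");
        allowApi.setPortLocation(Firewall.PortLocation.REMOTE);
        allowApi.setProtocol(Firewall.Protocol.TCP);
        rules.add(allowApi);

        // 3. REDIRECT the app's TCP/80 traffic to an inspecting proxy. Target IP and port are
        //    mandatory for REDIRECT, and setDirection/setPortLocation would throw on this type.
        FirewallRule toProxy = new FirewallRule(FirewallRule.RuleType.REDIRECT, Firewall.AddressType.IPV4);
        toProxy.setApplication(app);
        toProxy.setProtocol(Firewall.Protocol.TCP);
        toProxy.setPortNumber("80");              // source port being redirected
        toProxy.setTargetIpAddress("10.0.0.5");   // proxy address (constructed)
        toProxy.setTargetPortNumber("3128");
        rules.add(toProxy);

        // 4. REDIRECT_EXCEPTION so traffic already addressed to the proxy is not sent through
        //    rule (3) again; exception rules take precedence over redirect rules.
        FirewallRule proxyExempt = new FirewallRule(FirewallRule.RuleType.REDIRECT_EXCEPTION, Firewall.AddressType.IPV4);
        proxyExempt.setApplication(app);
        proxyExempt.setIpAddress("10.0.0.5");
        proxyExempt.setPortNumber("3128");
        proxyExempt.setProtocol(Firewall.Protocol.TCP);
        rules.add(proxyExempt);

        return rules.toArray(new FirewallRule[0]);
    }

    /** Installs the rules and turns the firewall on; returns false if any rule was rejected. */
    public static boolean apply(Context context, String packageName) {
        Firewall firewall = EnterpriseDeviceManager.getInstance(context).getFirewall();
        FirewallResponse[] responses = firewall.addRules(build(packageName));
        if (responses == null) {
            return false;
        }
        for (FirewallResponse r : responses) {
            if (r.getResult() != FirewallResponse.Result.SUCCESS) {
                return false; // inspect r.getMessage() for the rejected rule
            }
        }
        // Rules are only enforced while the firewall itself is enabled.
        FirewallResponse enabled = firewall.enableFirewall(true);
        return enabled != null && enabled.getResult() == FirewallResponse.Result.SUCCESS;
    }
}
```

Note that rule (2) scopes the port with PortLocation.REMOTE; with the default ALL, a matching local source port would also satisfy the rule. Without rule (4), connections the app opens directly to 10.0.0.5:3128 would themselves match rule (3).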

Since
API level 17
MDM 5.5

Summary

Nested Classes
enum FirewallRule.RuleType This constant indicates the type of the rule.
enum FirewallRule.Status This constant indicates the status of the rule; the status reflects the state of the rule in iptables.
Inherited Constants
From interface android.os.Parcelable
Public Constructors
FirewallRule(FirewallRule.RuleType ruleType, Firewall.AddressType addressType)
Creates a FirewallRule instance.
Public Methods
Firewall.AddressType getAddressType()
Used to get the address type of the rule.
AppIdentity getApplication()
Used to get the AppIdentity of the rule.
Firewall.Direction getDirection()
Used to get the direction of the rule.
int getId()
Used to get the id of the rule.
String getIpAddress()
Used to get the IP address of the rule.
Firewall.NetworkInterface getNetworkInterface()
Used to get the network interface of the rule.
Firewall.PortLocation getPortLocation()
Used to get the port location of the rule.
String getPortNumber()
Used to get the port number of the rule.
Firewall.Protocol getProtocol()
Used to get the protocol of the rule.
FirewallRule.RuleType getRuleType()
Used to get the type of the rule.
FirewallRule.Status getStatus()
Used to get the status of the rule.
String getStrNetworkInterface()
Used to get the network interface of the rule.
String getTargetIpAddress()
Used to get the target IP address of the rule.
String getTargetPortNumber()
Used to get the target port number of the rule.
void setApplication(AppIdentity appIdentity)
Used to set the AppIdentity of the rule.
void setDirection(Firewall.Direction direction)
Used to set the direction of the rule.
void setIpAddress(String ipAddress)
Used to set the IP address of the rule.
void setNetworkInterface(Firewall.NetworkInterface networkInterface)
Used to set the network interface of the rule.
void setPortLocation(Firewall.PortLocation portLocation)
Used to set the port location of the rule.
void setPortNumber(String portNumber)
Used to set the port number of the rule.
void setProtocol(Firewall.Protocol protocol)
Used to set the protocol of the rule.
void setStrNetworkInterface(String networkInterface)
Used to set the network interface of the rule by name, e.g. wlan0 or wlan+.
void setTargetIpAddress(String targetIpAddress)
Used to set the target IP address of the rule.
void setTargetPortNumber(String targetPortNumber)
Used to set the target port number of the rule.
Inherited Methods
From class java.lang.Object
From interface android.os.Parcelable

Public Constructors

public FirewallRule (FirewallRule.RuleType ruleType, Firewall.AddressType addressType)

Since: API level 17

Creates a FirewallRule instance. After creation the default value of each field is:

  • IP Address: "*" (All Addresses)
  • Port Number: "*" (All Ports)
  • Port Location: ALL
  • App Identity: AppIdentity object containing "*" as package name and null as signature.
  • Network Interface: ALL_NETWORKS
  • Direction: ALL
  • Protocol: ALL
  • Target IP Address: null
  • Target Port Number: null
Note: Target IP Address and Target Port Number are only valid for rules of type REDIRECT, and both are mandatory fields that must be set for that type. A rule whose other fields are all left at these defaults matches all traffic of every application in the user.

Parameters
ruleType Type of the rule.
addressType AddressType of the rule.
Since
API level 17
MDM 5.5

Public Methods

public Firewall.AddressType getAddressType ()

Since: API level 17

Used to get the address type of the rule.

Returns
  • Firewall.AddressType passed to the constructor.
Usage
An administrator can use this API to get the address type of the rule.
Since
API level 17
MDM 5.5

public AppIdentity getApplication ()

Since: API level 19

Used to get the AppIdentity of the rule.

Returns
  • AppIdentity containing the package name and signature related to the rule. If not set, an AppIdentity object containing "*" as package name and null as signature will be returned.
Usage
An administrator can use this API to get the App Identity of the rule.
Since
API level 19
MDM 5.6

public Firewall.Direction getDirection ()

Since: API level 17

Used to get the direction of the rule.

Returns
  • Firewall.Direction of the rule, or ALL if not set.
Throws
UnsupportedOperationException In case this method is called in a FirewallRule with FirewallRule.RuleType different from ALLOW and DENY.
Usage
An administrator can use this API to get the direction of the rule.
Since
API level 17
MDM 5.5

public int getId ()

Since: API level 17

Used to get the id of the rule.

Returns
  • int id of the rule or -1 if not set.
Usage
An administrator can use this API to get the id of the rule.
Since
API level 17
MDM 5.5

public String getIpAddress ()

Since: API level 17

Used to get the IP address of the rule.

Returns
  • String containing the rule IP address or "*" if not set.
Usage
An administrator can use this API to get the IP address of the rule.
Since
API level 17
MDM 5.5

public Firewall.NetworkInterface getNetworkInterface ()

Since: API level 17

Used to get the network interface of the rule.

Returns
  • Firewall.NetworkInterface of the rule, or ALL_NETWORKS if not set.
Usage
An administrator can use this API to get the network interface of the rule.
Since
API level 17
MDM 5.5

public Firewall.PortLocation getPortLocation ()

Since: API level 17

Used to get the port location of the rule.

Returns
  • Firewall.PortLocation of the rule, or ALL if not set.
Throws
UnsupportedOperationException In case this method is called in a FirewallRule with FirewallRule.RuleType different from ALLOW and DENY.
Usage
An administrator can use this API to get the port location of the rule.
Since
API level 17
MDM 5.5

public String getPortNumber ()

Since: API level 17

Used to get the port number of the rule.

Returns
  • String containing the rule port number or "*" if not set.
Usage
An administrator can use this API to get the port number of the rule.
Since
API level 17
MDM 5.5

public Firewall.Protocol getProtocol ()

Since: API level 17

Used to get the protocol of the rule.

Returns
  • Firewall.Protocol of the rule, or ALL if not set.
Usage
An administrator can use this API to get the protocol of the rule.
Since
API level 17
MDM 5.5

public FirewallRule.RuleType getRuleType ()

Since: API level 17

Used to get the type of the rule.

Returns
  • FirewallRule.RuleType passed to the constructor.
Usage
An administrator can use this API to get the type of the rule.
Since
API level 17
MDM 5.5

public FirewallRule.Status getStatus ()

Since: API level 17

Used to get the status of the rule.

Returns
  • FirewallRule.Status of the rule, reflecting its state in iptables.
Usage
An administrator can use this API to get the status of the rule.
Since
API level 17
MDM 5.5

public String getStrNetworkInterface ()

Since: API level 32

Used to get the network interface of the rule.

Returns
  • String containing the rule network interface or null if not set.
Usage
An administrator can use this API to get the network interface set via setStrNetworkInterface(String).
Since
API level 32

public String getTargetIpAddress ()

Since: API level 17

Used to get the target IP address of the rule.

Returns
  • String containing the rule target IP address or null if not set.
Throws
UnsupportedOperationException In case this method is called in a FirewallRule with FirewallRule.RuleType different from REDIRECT.
Usage
An administrator can use this API to get the target IP address of the rule.
Since
API level 17
MDM 5.5

public String getTargetPortNumber ()

Since: API level 17

Used to get the target port number of the rule.

Returns
  • String containing the rule target port number or null if not set.
Throws
UnsupportedOperationException In case this method is called in a FirewallRule with FirewallRule.RuleType different from REDIRECT.
Usage
An administrator can use this API to get the target port number of the rule.
Since
API level 17
MDM 5.5
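Several getters above are type-specific: getDirection() and getPortLocation() throw UnsupportedOperationException unless the rule is ALLOW or DENY, and getTargetIpAddress() / getTargetPortNumber() throw unless it is REDIRECT, so a generic rule dump has to branch on getRuleType() first. The following is an added example, not the SDK's code: it renders any rule for an audit log using only the getters legal for its type, and flags two conditions a reviewer would want to catch, a rule whose matchers are all still at the "*" / ALL defaults (it matches all traffic of every app in the user) and a REDIRECT rule missing its mandatory target. AppIdentity.getPackageName() is assumed from the Knox AppIdentity class, which this page only references.

```java
import com.samsung.android.knox.AppIdentity;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallRule;

import java.util.ArrayList;
import java.util.List;

/** Read-only inspection of FirewallRule objects for audit logging (example code, not the SDK's). */
public final class RuleAudit {

    private RuleAudit() {}

    /** Renders a rule, calling only the getters that are legal for its RuleType. */
    public static String describe(FirewallRule rule) {
        StringBuilder sb = new StringBuilder();
        sb.append(rule.getRuleType()).append('/').append(rule.getAddressType())
          .append(" id=").append(rule.getId())            // -1 until the rule has been installed
          .append(" status=").append(rule.getStatus())
          .append(" ip=").append(rule.getIpAddress())      // "*" when unset
          .append(" port=").append(rule.getPortNumber())   // "*" when unset
          .append(" proto=").append(rule.getProtocol())
          .append(" iface=").append(rule.getNetworkInterface());
        String ifaceName = rule.getStrNetworkInterface();  // API level 32+; null when unset
        if (ifaceName != null) {
            sb.append('(').append(ifaceName).append(')');
        }
        AppIdentity app = rule.getApplication();           // "*" package when unset
        sb.append(" app=").append(app.getPackageName());

        switch (rule.getRuleType()) {
            case ALLOW:
            case DENY:
                // Direction and port location exist only on ALLOW/DENY rules;
                // calling these getters on any other type throws UnsupportedOperationException.
                sb.append(" dir=").append(rule.getDirection())
                  .append(" portloc=").append(rule.getPortLocation());
                break;
            case REDIRECT:
                // Target address and port exist only on REDIRECT rules.
                sb.append(" -> ").append(rule.getTargetIpAddress())
                  .append(':').append(rule.getTargetPortNumber());
                break;
            default:
                // REDIRECT_EXCEPTION carries no type-specific fields.
                break;
        }
        return sb.toString();
    }

    /** Returns human-readable findings for a rule; empty when nothing looks wrong. */
    public static List<String> findings(FirewallRule rule) {
        List<String> out = new ArrayList<>();
        boolean anyApp = "*".equals(rule.getApplication().getPackageName());
        boolean anyIp = "*".equals(rule.getIpAddress());
        boolean anyPort = "*".equals(rule.getPortNumber());
        boolean anyProto = rule.getProtocol() == Firewall.Protocol.ALL;
        if (anyApp && anyIp && anyPort && anyProto) {
            out.add(rule.getRuleType() + " rule matches all traffic of every app in this user");
        }
        if (rule.getRuleType() == FirewallRule.RuleType.REDIRECT
                && (rule.getTargetIpAddress() == null || rule.getTargetPortNumber() == null)) {
            out.add("REDIRECT rule is missing its mandatory target IP address or port");
        }
        return out;
    }
}
```

A catch-all ALLOW rule is the more dangerous of the two wildcard cases, because ALLOW takes precedence over every DENY rule on the device.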

public void setApplication (AppIdentity appIdentity)

Since: API level 19

Used to set the AppIdentity of the rule. If "*" is passed as the App Identity package name, the rule takes effect for all applications of the user, that is, for the UID range of the user the rule is applied to; in that case null should be passed as the App Identity signature. For example, for the owner (user id 0) the rule covers UID range 1001-99999, and for a container (user id 100) it covers UID range 10001000-10099999.

NOTE: Because of restrictions introduced in Android Q, per-application matching is no longer supported for the INPUT direction. When applying a FirewallRule for the INPUT direction, do not call setApplication(AppIdentity).
NOTE: Do not call this API when rule Firewall.Direction is set to FORWARD.

Parameters
appIdentity the AppIdentity to be set.
Throws
InvalidParameterException In case App Identity is invalid or contains an invalid package name.
Usage
An administrator can use this API to set the App Identity of the rule.
Since
API level 19
MDM 5.6

public void setDirection (Firewall.Direction direction)

Since: API level 17

Used to set the direction of the rule.

Parameters
direction the direction to be set.
Throws
InvalidParameterException In case direction is null.
UnsupportedOperationException In case this method is called in a FirewallRule with FirewallRule.RuleType different from ALLOW and DENY.
Usage
An administrator can use this API to set the direction of the rule.
Since
API level 17
MDM 5.5

public void setIpAddress (String ipAddress)

Since: API level 17

Used to set the IP address of the rule.

Parameters
ipAddress the IP address or IP range to be set. An IP range must be in the format IP1-IP2 (e.g. 100.100.100.100-100.100.100.200).
Throws
InvalidParameterException In case ipAddress is an invalid IP address / IP range.
Usage
An administrator can use this API to set the IP address of the rule.
Since
API level 17
MDM 5.5

public void setNetworkInterface (Firewall.NetworkInterface networkInterface)

Since: API level 17

Used to set the network interface of the rule.

NOTE: Do not call this API when rule Firewall.Direction is set to FORWARD.

Parameters
networkInterface the network interface to be set.
Throws
InvalidParameterException In case networkInterface is null.
Usage
An administrator can use this API to set the network interface of the rule.
Since
API level 17
MDM 5.5

public void setPortLocation (Firewall.PortLocation portLocation)

Since: API level 17

Used to set the port location of the rule.

NOTE: Do not call this API when rule Firewall.Direction is set to FORWARD.

Parameters
portLocation the port location to be set.
Throws
InvalidParameterException In case portLocation is null.
UnsupportedOperationException In case this method is called in a FirewallRule with FirewallRule.RuleType different from ALLOW and DENY.
Usage
An administrator can use this API to set the port location of the rule.
Since
API level 17
MDM 5.5
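The notes on setApplication(AppIdentity), setNetworkInterface(Firewall.NetworkInterface) and setPortLocation(Firewall.PortLocation) above are easy to violate silently, because a rule built in the wrong combination may still be accepted and then not match what the administrator intended. The following is an added example, not the SDK's code: a builder for ALLOW/DENY rules that refuses per-app matching for INPUT and FORWARD, refuses interface and port-location matchers for FORWARD, and picks the address type from the address itself (IPv6 for ALLOW/DENY is supported since MDM 5.6). The enum constants and the AppIdentity(String, String) constructor are assumed from the Knox SDK; the page shows only their names.

```java
import com.samsung.android.knox.AppIdentity;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallRule;

/** Builds ALLOW/DENY rules while enforcing the per-app and FORWARD caveats (example code, not the SDK's). */
public final class PerAppRuleBuilder {

    private PerAppRuleBuilder() {}

    /**
     * @param packageName  app to scope the rule to, or null / "*" for every app of the user
     * @param iface        network interface matcher, or null to leave the ALL_NETWORKS default
     * @param portLocation port location matcher, or null to leave the ALL default
     * @param ipAddress    single address or "IP1-IP2" range, or null for "*"
     * @param port         single port or "Port1-Port2" range, or null for "*"
     * @param protocol     protocol matcher, or null to leave the ALL default
     */
    public static FirewallRule build(FirewallRule.RuleType type,
                                     Firewall.Direction direction,
                                     String packageName,
                                     Firewall.NetworkInterface iface,
                                     Firewall.PortLocation portLocation,
                                     String ipAddress,
                                     String port,
                                     Firewall.Protocol protocol) {
        // setDirection and setPortLocation throw UnsupportedOperationException on other types.
        if (type != FirewallRule.RuleType.ALLOW && type != FirewallRule.RuleType.DENY) {
            throw new IllegalArgumentException("direction-based rules must be ALLOW or DENY");
        }
        if (direction == null) {
            throw new IllegalArgumentException("direction is required");
        }
        boolean perApp = packageName != null && !"*".equals(packageName);

        // Android Q and later cannot attribute INPUT traffic to an app, so fail loudly
        // instead of installing a rule that does not match what the caller asked for.
        if (perApp && direction == Firewall.Direction.INPUT) {
            throw new IllegalArgumentException("per-app matching is not supported for INPUT");
        }
        if (perApp && direction == Firewall.Direction.FORWARD) {
            throw new IllegalArgumentException("setApplication must not be used with FORWARD");
        }
        if (direction == Firewall.Direction.FORWARD && (iface != null || portLocation != null)) {
            throw new IllegalArgumentException("interface and port location must not be set for FORWARD");
        }

        // IPv6 literals contain ':'; the address type has to be fixed in the constructor.
        Firewall.AddressType addressType = (ipAddress != null && ipAddress.contains(":"))
                ? Firewall.AddressType.IPV6
                : Firewall.AddressType.IPV4;

        FirewallRule rule = new FirewallRule(type, addressType);
        rule.setDirection(direction);
        if (perApp) {
            rule.setApplication(new AppIdentity(packageName, null)); // null signature: package only
        }
        if (iface != null) {
            rule.setNetworkInterface(iface);
        }
        if (portLocation != null) {
            rule.setPortLocation(portLocation);
        }
        if (ipAddress != null) {
            rule.setIpAddress(ipAddress);   // setter validates the IP / IP1-IP2 form
        }
        if (port != null) {
            rule.setPortNumber(port);       // setter validates the port / Port1-Port2 form
        }
        if (protocol != null) {
            rule.setProtocol(protocol);
        }
        return rule;
    }
}
```

The page does not say how a per-app rule with Direction.ALL behaves on Android Q and later, so the builder leaves that combination to the caller; splitting such a policy into an OUTPUT rule with the app set and an INPUT rule without it avoids the question.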

public void setPortNumber (String portNumber)

Since: API level 17

Used to set the port number of the rule.

Parameters
portNumber the port number or port range to be set. A port range must be in the format Port1-Port2 (e.g. 70-90).
Throws
InvalidParameterException In case portNumber is an invalid port number / port number range.
Usage
An administrator can use this API to set the port number of the rule.
Since
API level 17
MDM 5.5

public void setProtocol (Firewall.Protocol protocol)

Since: API level 17

Used to set the protocol of the rule.

Parameters
protocol the protocol to be set.
Throws
InvalidParameterException In case protocol is null.
Usage
An administrator can use this API to set the protocol of the rule.
Since
API level 17
MDM 5.5

public void setStrNetworkInterface (String networkInterface)

Since: API level 32

Used to set the network interface of the rule by name, e.g. wlan0 or eth0, or a prefix wildcard such as wlan+ or eth+ (the iptables convention for every interface whose name starts with that prefix).

Parameters
networkInterface the network interface to be set.
Usage
An administrator can use this API to set the network interface of the rule.
Since
API level 32

public void setTargetIpAddress (String targetIpAddress)

Since: API level 17

Used to set the target IP address of the rule.

Parameters
targetIpAddress the target IP address to be set.
Throws
InvalidParameterException In case targetIpAddress is an invalid IP address.
UnsupportedOperationException In case this method is called in a FirewallRule with FirewallRule.RuleType different from REDIRECT.
Usage
An administrator can use this API to set the target IP address of the rule.
Since
API level 17
MDM 5.5

public void setTargetPortNumber (String targetPortNumber)

Since: API level 17

Used to set the target port number of the rule.

Parameters
targetPortNumber the target port number to be set.
Throws
InvalidParameterException In case targetPortNumber is an invalid port number.
UnsupportedOperationException In case this method is called in a FirewallRule with FirewallRule.RuleType different from REDIRECT.
Usage
An administrator can use this API to set the target port number of the rule.
Since
API level 17
MDM 5.5