From a47c3353cdf46b730f43198052c8f807e2bd313f Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Thu, 4 Apr 2013 14:41:39 +0200 Subject: [PATCH] Add support for ip rules --- CMakeLists.txt | 2 +- config.c | 33 +++++++ iprule.c | 255 +++++++++++++++++++++++++++++++++++++++++++++++++ iprule.h | 95 ++++++++++++++++++ system-dummy.c | 21 ++++ system-linux.c | 194 ++++++++++++++++++++++++++++++++++++- system.h | 7 ++ 7 files changed, 602 insertions(+), 5 deletions(-) create mode 100644 iprule.c create mode 100644 iprule.h diff --git a/CMakeLists.txt b/CMakeLists.txt index f7e9a04..ca201dc 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -13,7 +13,7 @@ ENDIF() SET(SOURCES main.c utils.c system.c tunnel.c interface.c interface-ip.c interface-event.c - proto.c proto-static.c proto-shell.c + iprule.c proto.c proto-static.c proto-shell.c config.c device.c bridge.c vlan.c alias.c ubus.c) diff --git a/config.c b/config.c index 3b44bce..f3e5f9d 100644 --- a/config.c +++ b/config.c @@ -20,6 +20,7 @@ #include "netifd.h" #include "interface.h" #include "interface-ip.h" +#include "iprule.h" #include "proto.h" #include "config.h" @@ -245,6 +246,18 @@ config_parse_route(struct uci_section *s, bool v6) interface_ip_add_route(NULL, blob_data(b.head), v6); } +static void +config_parse_rule(struct uci_section *s, bool v6) +{ + void *rule; + + blob_buf_init(&b, 0); + rule = blobmsg_open_array(&b, "rule"); + uci_to_blob(&b, s, &rule_attr_list); + blobmsg_close_array(&b, rule); + iprule_add(blob_data(b.head), v6); +} + static void config_init_devices(void) { @@ -435,6 +448,25 @@ config_init_routes(void) interface_ip_update_complete(&iface->config_ip); } +static void +config_init_rules(void) +{ + struct uci_element *e; + + iprule_update_start(); + + uci_foreach_element(&uci_network->sections, e) { + struct uci_section *s = uci_to_section(e); + + if (!strcmp(s->type, "rule")) + config_parse_rule(s, false); + else if (!strcmp(s->type, "rule6")) + config_parse_rule(s, true); + } + + iprule_update_complete(); +} + static void config_init_globals(void) { @@ -465,6 +497,7 @@ config_init_all(void) config_init_devices(); config_init_interfaces(); config_init_routes(); + config_init_rules(); config_init_globals(); config_init = false; diff --git a/iprule.c b/iprule.c new file mode 100644 index 0000000..7172f29 --- /dev/null +++ b/iprule.c @@ -0,0 +1,255 @@ +/* + * netifd - network interface daemon + * Copyright (C) 2012 Felix Fietkau + * Copyright (C) 2013 Jo-Philipp Wich + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ +#include +#include +#include +#include + +#include + +#include "netifd.h" +#include "device.h" +#include "interface.h" +#include "iprule.h" +#include "proto.h" +#include "ubus.h" +#include "system.h" + +struct vlist_tree iprules; +static bool iprules_flushed = false; + +enum { + RULE_INTERFACE_IN, + RULE_INTERFACE_OUT, + RULE_INVERT, + RULE_SRC, + RULE_DEST, + RULE_PRIORITY, + RULE_TOS, + RULE_FWMARK, + RULE_LOOKUP, + RULE_ACTION, + RULE_GOTO, + __RULE_MAX +}; + +static const struct blobmsg_policy rule_attr[__RULE_MAX] = { + [RULE_INTERFACE_IN] = { .name = "in", .type = BLOBMSG_TYPE_STRING }, + [RULE_INTERFACE_OUT] = { .name = "out", .type = BLOBMSG_TYPE_STRING }, + [RULE_INVERT] = { .name = "invert", .type = BLOBMSG_TYPE_BOOL }, + [RULE_SRC] = { .name = "src", .type = BLOBMSG_TYPE_STRING }, + [RULE_DEST] = { .name = "dest", .type = BLOBMSG_TYPE_STRING }, + [RULE_PRIORITY] = { .name = "priority", .type = BLOBMSG_TYPE_INT32 }, + [RULE_TOS] = { .name = "tos", .type = BLOBMSG_TYPE_INT32 }, + [RULE_FWMARK] = { .name = "mark", .type = BLOBMSG_TYPE_STRING }, + [RULE_LOOKUP] = { .name = "lookup", .type = BLOBMSG_TYPE_STRING }, + [RULE_ACTION] = { .name = "action", .type = BLOBMSG_TYPE_STRING }, + [RULE_GOTO] = { .name = "goto", .type = BLOBMSG_TYPE_INT32 }, +}; + +const struct config_param_list rule_attr_list = { + .n_params = __RULE_MAX, + .params = rule_attr, +}; + + +static bool +iprule_parse_mark(const char *mark, struct iprule *rule) +{ + char *s, *e; + unsigned int n; + + if ((s = strchr(mark, '/')) != NULL) + *s++ = 0; + + n = strtoul(mark, &e, 0); + + if (e == mark || *e) + return false; + + rule->fwmark = n; + rule->flags |= IPRULE_FWMARK; + + if (s) { + n = strtoul(s, &e, 0); + + if (e == s || *e) + return false; + + rule->fwmask = n; + rule->flags |= IPRULE_FWMASK; + } + + return true; +} + +void +iprule_add(struct blob_attr *attr, bool v6) +{ + struct interface *iif = NULL, *oif = NULL; + struct blob_attr *tb[__RULE_MAX], *cur; + struct interface *iface; + struct iprule *rule; + int af = v6 ? AF_INET6 : AF_INET; + + blobmsg_parse(rule_attr, __RULE_MAX, tb, blobmsg_data(attr), blobmsg_data_len(attr)); + + rule = calloc(1, sizeof(*rule)); + if (!rule) + return; + + rule->flags = v6 ? IPRULE_INET6 : IPRULE_INET4; + + if ((cur = tb[RULE_INVERT]) != NULL) + rule->invert = blobmsg_get_bool(cur); + + if ((cur = tb[RULE_INTERFACE_IN]) != NULL) { + iif = vlist_find(&interfaces, blobmsg_data(cur), iface, node); + + if (!iif || !iif->l3_dev.dev) { + DPRINTF("Failed to resolve device of network: %s\n", (char *) blobmsg_data(cur)); + goto error; + } + + memcpy(rule->in_dev, iif->l3_dev.dev->ifname, sizeof(rule->in_dev)); + rule->flags |= IPRULE_IN; + } + + if ((cur = tb[RULE_INTERFACE_OUT]) != NULL) { + oif = vlist_find(&interfaces, blobmsg_data(cur), iface, node); + + if (!oif || !oif->l3_dev.dev) { + DPRINTF("Failed to resolve device of network: %s\n", (char *) blobmsg_data(cur)); + goto error; + } + + memcpy(rule->out_dev, oif->l3_dev.dev->ifname, sizeof(rule->out_dev)); + rule->flags |= IPRULE_OUT; + } + + if ((cur = tb[RULE_SRC]) != NULL) { + if (!parse_ip_and_netmask(af, blobmsg_data(cur), &rule->src_addr, &rule->src_mask)) { + DPRINTF("Failed to parse rule source: %s\n", (char *) blobmsg_data(cur)); + goto error; + } + rule->flags |= IPRULE_SRC; + } + + if ((cur = tb[RULE_DEST]) != NULL) { + if (!parse_ip_and_netmask(af, blobmsg_data(cur), &rule->dest_addr, &rule->dest_mask)) { + DPRINTF("Failed to parse rule destination: %s\n", (char *) blobmsg_data(cur)); + goto error; + } + rule->flags |= IPRULE_DEST; + } + + if ((cur = tb[RULE_PRIORITY]) != NULL) { + rule->priority = blobmsg_get_u32(cur); + rule->flags |= IPRULE_PRIORITY; + } + + if ((cur = tb[RULE_TOS]) != NULL) { + if ((rule->tos = blobmsg_get_u32(cur)) > 255) { + DPRINTF("Invalid TOS value: %u\n", blobmsg_get_u32(cur)); + goto error; + } + rule->flags |= IPRULE_TOS; + } + + if ((cur = tb[RULE_FWMARK]) != NULL) { + if (!iprule_parse_mark(blobmsg_data(cur), rule)) { + DPRINTF("Failed to parse rule fwmark: %s\n", (char *) blobmsg_data(cur)); + goto error; + } + /* flags set by iprule_parse_mark() */ + } + + if ((cur = tb[RULE_LOOKUP]) != NULL) { + if (!system_resolve_rt_table(blobmsg_data(cur), &rule->lookup)) { + DPRINTF("Failed to parse rule lookup table: %s\n", (char *) blobmsg_data(cur)); + goto error; + } + rule->flags |= IPRULE_LOOKUP; + } + + if ((cur = tb[RULE_ACTION]) != NULL) { + if (!system_resolve_iprule_action(blobmsg_data(cur), &rule->action)) { + DPRINTF("Failed to parse rule action: %s\n", (char *) blobmsg_data(cur)); + goto error; + } + rule->flags |= IPRULE_ACTION; + } + + if ((cur = tb[RULE_GOTO]) != NULL) { + rule->gotoid = blobmsg_get_u32(cur); + rule->flags |= IPRULE_GOTO; + } + + /* trigger flush of existing rules when adding first uci rule the first time */ + if (!iprules_flushed) + { + system_flush_iprules(); + iprules_flushed = true; + } + + vlist_add(&iprules, &rule->node, &rule->flags); + return; + +error: + free(rule); +} + +void +iprule_update_start(void) +{ + vlist_update(&iprules); +} + +void +iprule_update_complete(void) +{ + vlist_flush(&iprules); +} + + +static int +rule_cmp(const void *k1, const void *k2, void *ptr) +{ + return memcmp(k1, k2, sizeof(struct iprule)-offsetof(struct iprule, flags)); +} + +static void +iprule_update_rule(struct vlist_tree *tree, + struct vlist_node *node_new, struct vlist_node *node_old) +{ + struct iprule *rule_old, *rule_new; + + rule_old = container_of(node_old, struct iprule, node); + rule_new = container_of(node_new, struct iprule, node); + + if (node_old) { + system_del_iprule(rule_old); + free(rule_old); + } + + if (node_new) + system_add_iprule(rule_new); +} + +static void __init +iprule_init_list(void) +{ + vlist_init(&iprules, rule_cmp, iprule_update_rule); +} diff --git a/iprule.h b/iprule.h new file mode 100644 index 0000000..75c6a2b --- /dev/null +++ b/iprule.h @@ -0,0 +1,95 @@ +/* + * netifd - network interface daemon + * Copyright (C) 2012 Felix Fietkau + * Copyright (C) 2013 Jo-Philipp Wich + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ +#ifndef __IPRULE_H +#define __IPRULE_H + +#include "interface-ip.h" + +enum iprule_flags { + /* address family for rule */ + IPRULE_INET4 = (0 << 0), + IPRULE_INET6 = (1 << 0), + IPRULE_FAMILY = IPRULE_INET4 | IPRULE_INET6, + + /* rule specifies input device */ + IPRULE_IN = (1 << 2), + + /* rule specifies output device */ + IPRULE_OUT = (1 << 3), + + /* rule specifies src */ + IPRULE_SRC = (1 << 4), + + /* rule specifies dest */ + IPRULE_DEST = (1 << 5), + + /* rule specifies priority */ + IPRULE_PRIORITY = (1 << 6), + + /* rule specifies diffserv/tos */ + IPRULE_TOS = (1 << 7), + + /* rule specifies fwmark */ + IPRULE_FWMARK = (1 << 8), + + /* rule specifies fwmask */ + IPRULE_FWMASK = (1 << 9), + + /* rule performs table lookup */ + IPRULE_LOOKUP = (1 << 10), + + /* rule performs routing action */ + IPRULE_ACTION = (1 << 11), + + /* rule is a goto */ + IPRULE_GOTO = (1 << 12), +}; + +struct iprule { + struct vlist_node node; + + /* everything below is used as avl tree key */ + enum iprule_flags flags; + + bool invert; + + char in_dev[IFNAMSIZ + 1]; + char out_dev[IFNAMSIZ + 1]; + + unsigned int src_mask; + union if_addr src_addr; + + unsigned int dest_mask; + union if_addr dest_addr; + + unsigned int priority; + unsigned int tos; + + unsigned int fwmark; + unsigned int fwmask; + + unsigned int lookup; + unsigned int action; + unsigned int gotoid; +}; + +extern struct vlist_tree iprules; +extern const struct config_param_list rule_attr_list; + +void iprule_add(struct blob_attr *attr, bool v6); +void iprule_update_start(void); +void iprule_update_complete(void); + +#endif diff --git a/system-dummy.c b/system-dummy.c index 2c15e2c..d692b79 100644 --- a/system-dummy.c +++ b/system-dummy.c @@ -196,6 +196,27 @@ int system_resolve_rt_table(const char *name, struct device_route *route) return 0; } +int system_add_iprule(struct iprule *rule) +{ + return 0; +} + +int system_del_iprule(struct iprule *rule) +{ + return 0; +} + +int system_flush_iprules(void) +{ + return 0; +} + +bool system_resolve_iprule_action(const char *action, unsigned int *id) +{ + *id = 0; + return true; +} + time_t system_get_rtime(void) { struct timeval tv; diff --git a/system-linux.c b/system-linux.c index d083580..ebab09c 100644 --- a/system-linux.c +++ b/system-linux.c @@ -1,6 +1,7 @@ /* * netifd - network interface daemon * Copyright (C) 2012 Felix Fietkau + * Copyright (C) 2013 Jo-Philipp Wich * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 @@ -31,6 +32,7 @@ #include #include #include +#include #include #include @@ -396,6 +398,11 @@ static bool check_route(struct nlmsghdr *hdr, int ifindex) return *(int *)RTA_DATA(tb[RTA_OIF]) == ifindex; } +static bool check_rule(struct nlmsghdr *hdr, int ifindex) +{ + return true; +} + static int cb_clear_event(struct nl_msg *msg, void *arg) { struct clear_data *clr = arg; @@ -418,16 +425,26 @@ static int cb_clear_event(struct nl_msg *msg, void *arg) cb = check_route; break; + case RTM_GETRULE: + type = RTM_DELRULE; + if (hdr->nlmsg_type != RTM_NEWRULE) + return NL_SKIP; + + cb = check_rule; + break; default: return NL_SKIP; } - if (!cb(hdr, clr->dev->ifindex)) + if (!cb(hdr, clr->dev ? clr->dev->ifindex : 0)) return NL_SKIP; - D(SYSTEM, "Remove %s from device %s\n", - type == RTM_DELADDR ? "an address" : "a route", - clr->dev->ifname); + if (type == RTM_DELRULE) + D(SYSTEM, "Remove a rule\n"); + else + D(SYSTEM, "Remove %s from device %s\n", + type == RTM_DELADDR ? "an address" : "a route", + clr->dev->ifname); memcpy(nlmsg_hdr(clr->msg), hdr, hdr->nlmsg_len); hdr = nlmsg_hdr(clr->msg); hdr->nlmsg_type = type; @@ -472,6 +489,7 @@ system_if_clear_entries(struct device *dev, int type, int af) clr.type = type; switch (type) { case RTM_GETADDR: + case RTM_GETRULE: clr.size = sizeof(struct rtgenmsg); break; case RTM_GETROUTE: @@ -1066,6 +1084,174 @@ bool system_resolve_rt_table(const char *name, unsigned int *id) return true; } +static int system_iprule(struct iprule *rule, int cmd) +{ + int alen = ((rule->flags & IPRULE_FAMILY) == IPRULE_INET4) ? 4 : 16; + + struct nl_msg *msg; + struct rtmsg rtm = { + .rtm_family = (alen == 4) ? AF_INET : AF_INET6, + .rtm_protocol = RTPROT_STATIC, + .rtm_scope = RT_SCOPE_UNIVERSE, + .rtm_table = RT_TABLE_UNSPEC, + .rtm_type = RTN_UNSPEC, + .rtm_flags = 0, + }; + + if (cmd == RTM_NEWRULE) { + rtm.rtm_type = RTN_UNICAST; + rtm.rtm_flags |= NLM_F_REPLACE | NLM_F_EXCL; + } + + if (rule->invert) + rtm.rtm_flags |= FIB_RULE_INVERT; + + if (rule->flags & IPRULE_SRC) + rtm.rtm_src_len = rule->src_mask; + + if (rule->flags & IPRULE_DEST) + rtm.rtm_dst_len = rule->dest_mask; + + if (rule->flags & IPRULE_TOS) + rtm.rtm_tos = rule->tos; + + if (rule->flags & IPRULE_LOOKUP) { + if (rule->lookup < 256) + rtm.rtm_table = rule->lookup; + } + + if (rule->flags & IPRULE_ACTION) + rtm.rtm_type = rule->action; + else if (rule->flags & IPRULE_GOTO) + rtm.rtm_type = FR_ACT_GOTO; + else if (!(rule->flags & (IPRULE_LOOKUP | IPRULE_ACTION | IPRULE_GOTO))) + rtm.rtm_type = FR_ACT_NOP; + + msg = nlmsg_alloc_simple(cmd, NLM_F_REQUEST); + + if (!msg) + return -1; + + nlmsg_append(msg, &rtm, sizeof(rtm), 0); + + if (rule->flags & IPRULE_IN) + nla_put(msg, FRA_IFNAME, strlen(rule->in_dev) + 1, rule->in_dev); + + if (rule->flags & IPRULE_OUT) + nla_put(msg, FRA_OIFNAME, strlen(rule->out_dev) + 1, rule->out_dev); + + if (rule->flags & IPRULE_SRC) + nla_put(msg, FRA_SRC, alen, &rule->src_addr); + + if (rule->flags & IPRULE_DEST) + nla_put(msg, FRA_DST, alen, &rule->dest_addr); + + if (rule->flags & IPRULE_PRIORITY) + nla_put_u32(msg, FRA_PRIORITY, rule->priority); + + if (rule->flags & IPRULE_FWMARK) + nla_put_u32(msg, FRA_FWMARK, rule->fwmark); + + if (rule->flags & IPRULE_FWMASK) + nla_put_u32(msg, FRA_FWMASK, rule->fwmask); + + if (rule->flags & IPRULE_LOOKUP) { + if (rule->lookup >= 256) + nla_put_u32(msg, FRA_TABLE, rule->lookup); + } + + if (rule->flags & IPRULE_GOTO) + nla_put_u32(msg, FRA_GOTO, rule->gotoid); + + return system_rtnl_call(msg); +} + +int system_add_iprule(struct iprule *rule) +{ + return system_iprule(rule, RTM_NEWRULE); +} + +int system_del_iprule(struct iprule *rule) +{ + return system_iprule(rule, RTM_DELRULE); +} + +int system_flush_iprules(void) +{ + int rv = 0; + struct iprule rule; + + system_if_clear_entries(NULL, RTM_GETRULE, AF_INET); + system_if_clear_entries(NULL, RTM_GETRULE, AF_INET6); + + memset(&rule, 0, sizeof(rule)); + + + rule.flags = IPRULE_INET4 | IPRULE_PRIORITY | IPRULE_LOOKUP; + + rule.priority = 0; + rule.lookup = RT_TABLE_LOCAL; + rv |= system_iprule(&rule, RTM_NEWRULE); + + rule.priority = 32766; + rule.lookup = RT_TABLE_MAIN; + rv |= system_iprule(&rule, RTM_NEWRULE); + + rule.priority = 32767; + rule.lookup = RT_TABLE_DEFAULT; + rv |= system_iprule(&rule, RTM_NEWRULE); + + + rule.flags = IPRULE_INET6 | IPRULE_PRIORITY | IPRULE_LOOKUP; + + rule.priority = 0; + rule.lookup = RT_TABLE_LOCAL; + rv |= system_iprule(&rule, RTM_NEWRULE); + + rule.priority = 32766; + rule.lookup = RT_TABLE_MAIN; + rv |= system_iprule(&rule, RTM_NEWRULE); + + return rv; +} + +bool system_resolve_iprule_action(const char *action, unsigned int *id) +{ + char *e; + unsigned int n; + + if (!strcmp(action, "local")) + n = RTN_LOCAL; + else if (!strcmp(action, "nat")) + n = RTN_NAT; + else if (!strcmp(action, "broadcast")) + n = RTN_BROADCAST; + else if (!strcmp(action, "anycast")) + n = RTN_ANYCAST; + else if (!strcmp(action, "multicast")) + n = RTN_MULTICAST; + else if (!strcmp(action, "prohibit")) + n = RTN_PROHIBIT; + else if (!strcmp(action, "unreachable")) + n = RTN_UNREACHABLE; + else if (!strcmp(action, "blackhole")) + n = RTN_BLACKHOLE; + else if (!strcmp(action, "xresolve")) + n = RTN_XRESOLVE; + else if (!strcmp(action, "unicast")) + n = RTN_UNICAST; + else if (!strcmp(action, "throw")) + n = RTN_THROW; + else { + n = strtoul(action, &e, 0); + if (!e || *e || e == action || n > 255) + return false; + } + + *id = n; + return true; +} + time_t system_get_rtime(void) { struct timespec ts; diff --git a/system.h b/system.h index b093371..9b555e8 100644 --- a/system.h +++ b/system.h @@ -19,6 +19,7 @@ #include #include "device.h" #include "interface-ip.h" +#include "iprule.h" enum tunnel_param { TUNNEL_ATTR_TYPE, @@ -99,6 +100,12 @@ bool system_resolve_rt_table(const char *name, unsigned int *id); int system_del_ip_tunnel(const char *name); int system_add_ip_tunnel(const char *name, struct blob_attr *attr); +int system_add_iprule(struct iprule *rule); +int system_del_iprule(struct iprule *rule); +int system_flush_iprules(void); + +bool system_resolve_iprule_action(const char *action, unsigned int *id); + time_t system_get_rtime(void); void system_fd_set_cloexec(int fd); -- 2.30.2