authorSteven Barth <steven@midlink.org>2013-10-18 12:09:42 +0200
committerSteven Barth <steven@midlink.org>2013-10-18 12:09:42 +0200
commite93c42c036c4b4df1f65f261def31cf1a429e942 (patch)
tree2d92d5d871b10c542402d9d99b354daaf839b545
parentddbd2cc51b3db14f6a8bd46ceebaee9097a50b78 (diff)
Add source-restricted routes
-rwxr-xr-xdummy/netifd-proto.sh6
-rw-r--r--interface-ip.c125
-rw-r--r--interface-ip.h11
-rw-r--r--iprule.h3
-rw-r--r--ubus.c6
5 files changed, 136 insertions, 15 deletions
diff --git a/dummy/netifd-proto.sh b/dummy/netifd-proto.sh
index d8b540d..6f20de9 100755
--- a/dummy/netifd-proto.sh
+++ b/dummy/netifd-proto.sh
@@ -143,8 +143,9 @@ proto_add_ipv6_route() {
local gw="$3"
local metric="$4"
local valid="$5"
+ local source="$6"
- append PROTO_ROUTE6 "$target/$mask/$gw/$metric/$valid"
+ append PROTO_ROUTE6 "$target/$mask/$gw/$metric/$valid/$source"
}
proto_add_ipv6_prefix() {
@@ -218,6 +219,8 @@ _proto_push_route() {
local metric="${str%%/*}"
str="${str#*/}"
local valid="${str%%/*}"
+ str="${str#*/}"
+ local source="${str}"
json_add_object ""
json_add_string target "$target"
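Review bot: The PROTO_ROUTE6 record is split on `/`, yet the new trailing `source` field is itself a prefix of the form `addr/len` and so contains that separator; `local source="${str}"` only works because it takes the entire remainder rather than the next `/`-delimited token. Any field appended after `source` in a later change would silently corrupt both values, so this deserves a comment where the record is built, e.g. `# source must remain the last field: it contains '/' itself`. Whether proto_add_ipv4_route received the same parameter is outside this hunk.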
@@ -225,6 +228,7 @@ _proto_push_route() {
[ -n "$gw" ] && json_add_string gateway "$gw"
[ -n "$metric" ] && json_add_int metric "$metric"
[ -n "$valid" ] && json_add_int valid "$valid"
+ [ -n "$source" ] && json_add_string source "$source"
json_close_object
}
diff --git a/interface-ip.c b/interface-ip.c
index 185a9a7..60902f9 100644
--- a/interface-ip.c
+++ b/interface-ip.c
@@ -37,6 +37,7 @@ enum {
ROUTE_MTU,
ROUTE_VALID,
ROUTE_TABLE,
+ ROUTE_SOURCE,
__ROUTE_MAX
};
@@ -49,6 +50,7 @@ static const struct blobmsg_policy route_attr[__ROUTE_MAX] = {
[ROUTE_MTU] = { .name = "mtu", .type = BLOBMSG_TYPE_INT32 },
[ROUTE_TABLE] = { .name = "table", .type = BLOBMSG_TYPE_STRING },
[ROUTE_VALID] = { .name = "valid", .type = BLOBMSG_TYPE_INT32 },
+ [ROUTE_SOURCE] = { .name = "source", .type = BLOBMSG_TYPE_STRING },
};
const struct uci_blob_param_list route_attr_list = {
@@ -58,6 +60,7 @@ const struct uci_blob_param_list route_attr_list = {
struct list_head prefixes = LIST_HEAD_INIT(prefixes);
+static struct list_head source_tables = LIST_HEAD_INIT(source_tables);
static struct device_prefix *ula_prefix = NULL;
static struct uloop_timeout valid_until_timeout;
@@ -92,7 +95,7 @@ match_if_addr(union if_addr *a1, union if_addr *a2, int mask)
}
static int set_ip_source_policy(bool add, bool v6, unsigned int priority,
- const union if_addr *addr, uint8_t mask, struct interface *iface,
+ const union if_addr *addr, uint8_t mask, unsigned int table,
struct interface *in_iface, const char *action)
{
struct iprule rule = {
@@ -106,9 +109,9 @@ static int set_ip_source_policy(bool add, bool v6, unsigned int priority,
rule.src_mask = mask;
}
- if (iface) {
+ if (table) {
rule.flags |= IPRULE_LOOKUP;
- rule.lookup = (v6) ? iface->ip6table : iface->ip4table;
+ rule.lookup = table;
if (!rule.lookup)
return 0;
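Review bot: The `if (!rule.lookup) return 0;` check is now unreachable, since `rule.lookup = table` is only executed inside `if (table)`; the guard previously caught an interface with no routing table assigned. Either drop the two lines or keep the early return outside the block so a caller passing `table == 0` for a lookup rule is still a documented no-op, e.g. `/* table 0 means "no lookup rule" for every caller */`. The rest of set_ip_source_policy is outside the hunk.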
@@ -195,6 +198,72 @@ __find_ip_route_target(struct interface_ip_settings *ip, union if_addr *a,
}
}
+static struct device_source_table*
+find_source_table(const struct device_route *route)
+{
+ struct device_source_table key = {
+ .v6 = (route->flags & DEVADDR_FAMILY) == DEVADDR_INET6,
+ .addr = route->source,
+ .mask = route->sourcemask
+ };
+ struct device_source_table *c;
+ list_for_each_entry(c, &source_tables, head)
+ if (!memcmp(&c->v6, &key.v6, sizeof(key) -
+ offsetof(struct device_source_table, v6)))
+ return c;
+ return NULL;
+}
+
+static uint32_t
+get_source_table(const struct device_route *route)
+{
+ if (route->table || route->sourcemask == 0)
+ return route->table;
+
+ struct device_source_table *tbl = find_source_table(route);
+
+ if (!tbl) {
+ tbl = calloc(1, sizeof(*tbl));
+ tbl->addr = route->source;
+ tbl->mask = route->sourcemask;
+ tbl->v6 = (route->flags & DEVADDR_FAMILY) == DEVADDR_INET6;
+ tbl->table = IPRULE_PRIORITY_SOURCE | (((~tbl->mask) & 0x7f) << 20);
+
+ struct list_head *before = NULL;
+ struct device_source_table *c;
+ list_for_each_entry(c, &source_tables, head) {
+ if (c->table > tbl->table) {
+ before = &c->head;
+ break;
+ } else if (c->table == tbl->table) {
+ ++tbl->table;
+ }
+ }
+
+ if (!before)
+ before = &source_tables;
+
+ list_add_tail(&tbl->head, before);
+ set_ip_source_policy(true, tbl->v6, tbl->table, &tbl->addr,
+ tbl->mask, tbl->table, NULL, NULL);
+ }
+
+ ++tbl->refcount;
+ return tbl->table;
+}
+
+static void
+put_source_table(const struct device_route *route)
+{
+ struct device_source_table *tbl = find_source_table(route);
+ if (tbl && tbl->table == route->table && --tbl->refcount == 0) {
+ set_ip_source_policy(false, tbl->v6, tbl->table, &tbl->addr,
+ tbl->mask, tbl->table, NULL, NULL);
+ list_del(&tbl->head);
+ free(tbl);
+ }
+}
+
static bool
interface_ip_find_addr_target(struct interface *iface, union if_addr *a, bool v6)
{
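Review bot: find_source_table compares raw bytes from `v6` to the end of `struct device_source_table`, which with `uint8_t v6, mask` followed by `union if_addr addr` spans padding bytes; the stack-allocated `key` has indeterminate padding, so a lookup can miss an existing entry and get_source_table then allocates a duplicate (with a bumped table number) and installs a second rule. Compare the fields instead: `if (c->v6 == key.v6 && c->mask == key.mask && !memcmp(&c->addr, &key.addr, sizeof(c->addr)))`. Separately, the `calloc` in get_source_table is dereferenced unchecked; add `if (!tbl) return 0;` after it, and note that `tbl->mask` is a `uint8_t` receiving the `unsigned int` `route->sourcemask`, so the value must have been range-checked by the parser before it gets here. The `int` result of set_ip_source_policy is ignored on both the add and the remove path, which at least deserves a comment saying that is deliberate.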
@@ -329,7 +398,20 @@ interface_ip_add_route(struct interface *iface, struct blob_attr *attr, bool v6)
}
// Use source-based routing
- if (is_proto_route) {
+ if ((cur = tb[ROUTE_SOURCE]) != NULL) {
+ char *saveptr, *source = alloca(blobmsg_data_len(cur));
+ memcpy(source, blobmsg_data(cur), blobmsg_data_len(cur));
+
+ const char *addr = strtok_r(source, "/", &saveptr);
+ const char *mask = strtok_r(NULL, "/", &saveptr);
+
+ if (inet_pton(af, addr, &route->source) < 1) {
+ DPRINTF("Failed to parse route source: %s\n", addr);
+ goto error;
+ }
+
+ route->sourcemask = atoi(mask);
+ } else if (is_proto_route) {
route->table = (v6) ? iface->ip6table : iface->ip4table;
route->flags |= DEVROUTE_SRCTABLE;
}
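Review bot: The new source parsing dereferences NULL on malformed input: a `source` without a `/` leaves `mask == NULL` and `atoi(mask)` crashes, an empty string leaves `addr == NULL` for inet_pton, and `atoi` accepts any number, so `sourcemask` can exceed 32/128 and is later narrowed to a `uint8_t` in get_source_table. Parse the length with strtoul, require both halves, and bound the length by the address family; the rewritten block is below. The memcpy also relies on blobmsg_data_len() covering the NUL terminator, which holds for strings added with blobmsg_add_string but is worth stating in a comment. The enclosing interface_ip_add_route starts and ends outside the hunk; `af`, `route` and `error` are defined there.
```c
	if ((cur = tb[ROUTE_SOURCE]) != NULL) {
		char *saveptr, *source = alloca(blobmsg_data_len(cur));
		memcpy(source, blobmsg_data(cur), blobmsg_data_len(cur));

		const char *addr = strtok_r(source, "/", &saveptr);
		const char *mask = strtok_r(NULL, "/", &saveptr);
		char *end = NULL;
		unsigned long len = mask ? strtoul(mask, &end, 10) : 0;

		/* both halves are mandatory and the prefix length must fit the family */
		if (!addr || !mask || *end || len > (v6 ? 128 : 32) ||
				inet_pton(af, addr, &route->source) < 1) {
			DPRINTF("Failed to parse route source: %s\n",
				(char *)blobmsg_data(cur));
			goto error;
		}

		route->sourcemask = len;
	} else if (is_proto_route) {
```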
@@ -351,6 +433,11 @@ interface_ip_add_route(struct interface *iface, struct blob_attr *attr, bool v6)
route->valid_until = valid_until;
}
+ if (route->sourcemask) {
+ route->table = get_source_table(route);
+ route->flags |= DEVROUTE_SRCTABLE;
+ }
+
vlist_add(&ip->route, &route->node, route);
return;
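Review bot: DEVROUTE_SRCTABLE is set here whenever `sourcemask` is non-zero, but if I read get_source_table correctly it returns `route->table` untouched, without installing a policy rule or taking a reference, when `table` was given explicitly alongside `source`; the route then lands in that table with nothing steering source-matched traffic to it. If that combination is meant to be "user manages the rule", say so with a comment such as `/* explicit table + source: no rule is installed, caller owns the policy */`; otherwise reject the combination in the parser. Note also that a source of `::/0` (mask 0) is silently treated as "no source" by the same early return.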
@@ -379,6 +466,13 @@ route_cmp(const void *k1, const void *k2, void *ptr)
if (r1->flags != r2->flags)
return r2->flags - r1->flags;
+ if (r1->sourcemask != r2->sourcemask)
+ return r1->sourcemask - r2->sourcemask;
+
+ int maskcmp = memcmp(&r1->source, &r2->source, sizeof(r1->source));
+ if (maskcmp)
+ return maskcmp;
+
return memcmp(&r1->addr, &r2->addr, sizeof(r1->addr));
}
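Review bot: `maskcmp` holds the result of comparing the source addresses, not the masks, so the name misleads the next reader; `srccmp` fits. `return r1->sourcemask - r2->sourcemask;` subtracts two `unsigned int` and converts the wrapped result to `int`, which works for small prefix lengths but is implementation-defined; `return r1->sourcemask < r2->sourcemask ? -1 : 1;` says what is meant. Comparing the full `union if_addr` for IPv4 routes also assumes the unused bytes are zero for every route, which holds only if `struct device_route` is always zero-initialised.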
@@ -478,9 +572,10 @@ interface_update_proto_addr(struct vlist_tree *tree,
//only the network-rule will cause packets to be routed through the
//first matching network (source IP matches both masks).
set_ip_source_policy(false, v6, IPRULE_PRIORITY_ADDR, &a_old->addr,
- (v6) ? 128 : 32, iface, NULL, NULL);
+ (v6) ? 128 : 32, (v6) ? iface->ip6table : iface->ip4table,
+ NULL, NULL);
set_ip_source_policy(false, v6, IPRULE_PRIORITY_NW, &a_old->addr,
- a_old->mask, iface, NULL, NULL);
+ a_old->mask, (v6) ? iface->ip6table : iface->ip4table, NULL, NULL);
system_del_address(dev, a_old);
}
@@ -497,9 +592,11 @@ interface_update_proto_addr(struct vlist_tree *tree,
v6 = true;
set_ip_source_policy(true, v6, IPRULE_PRIORITY_ADDR, &a_new->addr,
- (v6) ? 128 : 32, iface, NULL, NULL);
+ (v6) ? 128 : 32, (v6) ? iface->ip6table : iface->ip4table,
+ NULL, NULL);
set_ip_source_policy(true, v6, IPRULE_PRIORITY_NW, &a_new->addr,
- a_new->mask, iface, NULL, NULL);
+ a_new->mask, (v6) ? iface->ip6table : iface->ip4table,
+ NULL, NULL);
}
if ((a_new->flags & DEVADDR_OFFLINK) || iface->metric)
@@ -541,6 +638,8 @@ interface_update_proto_route(struct vlist_tree *tree,
if (node_old) {
if (!(route_old->flags & DEVADDR_EXTERNAL) && route_old->enabled && !keep)
system_del_route(dev, route_old);
+
+ put_source_table(route_old);
free(route_old);
}
@@ -611,10 +710,10 @@ interface_set_prefix_address(struct device_prefix_assignment *assignment,
system_add_address(l3_downlink, &addr);
if (prefix->iface) {
set_ip_source_policy(false, true, IPRULE_PRIORITY_NW, &addr.addr,
- addr.mask, prefix->iface, iface, NULL);
+ addr.mask, prefix->iface->ip6table, iface, NULL);
set_ip_source_policy(false, true, IPRULE_PRIORITY_REJECT, &addr.addr,
- addr.mask, NULL, iface, "unreachable");
+ addr.mask, 0, iface, "unreachable");
}
assignment->enabled = false;
@@ -622,10 +721,10 @@ interface_set_prefix_address(struct device_prefix_assignment *assignment,
system_add_address(l3_downlink, &addr);
if (prefix->iface && !assignment->enabled) {
set_ip_source_policy(true, true, IPRULE_PRIORITY_REJECT, &addr.addr,
- addr.mask, NULL, iface, "unreachable");
+ addr.mask, 0, iface, "unreachable");
set_ip_source_policy(true, true, IPRULE_PRIORITY_NW, &addr.addr,
- addr.mask, prefix->iface, iface, NULL);
+ addr.mask, prefix->iface->ip6table, iface, NULL);
}
if (uplink && uplink->l3_dev.dev) {
int mtu = system_update_ipv6_mtu(
@@ -1101,7 +1200,7 @@ void interface_ip_set_enabled(struct interface_ip_settings *ip, bool enabled)
set_ip_lo_policy(enabled, false, ip->iface);
set_ip_source_policy(enabled, true, IPRULE_PRIORITY_REJECT + ip->iface->l3_dev.dev->ifindex,
- NULL, 0, NULL, ip->iface, "failed_policy");
+ NULL, 0, 0, ip->iface, "failed_policy");
}
}
diff --git a/interface-ip.h b/interface-ip.h
index c78a076..b36c515 100644
--- a/interface-ip.h
+++ b/interface-ip.h
@@ -108,6 +108,17 @@ struct device_route {
int metric; // there can be multiple routes to the same target
unsigned int table;
unsigned int mask;
+ unsigned int sourcemask;
+ union if_addr addr;
+ union if_addr source;
+};
+
+struct device_source_table {
+ struct list_head head;
+ uint32_t table;
+ uint16_t refcount;
+ uint8_t v6;
+ uint8_t mask;
union if_addr addr;
};
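Review bot: `struct device_source_table` has an undocumented layout dependency: find_source_table in interface-ip.c memcmps from `v6` to the end of the struct, so `v6`, `mask` and `addr` must stay last and in this order, and `mask` is a `uint8_t` whereas the matching `sourcemask` in `struct device_route` is `unsigned int`. Add a comment above the struct such as `/* v6, mask and addr are compared as one byte range by find_source_table(); keep them last, in this order, and keep any new field above them */`, and note on `mask` that callers must range-check before narrowing. The `refcount` is a `uint16_t`, so it would also help to state the assumption that fewer than 65536 routes share one source prefix.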
diff --git a/iprule.h b/iprule.h
index d6a8485..3381ae3 100644
--- a/iprule.h
+++ b/iprule.h
@@ -19,7 +19,8 @@
#define IPRULE_PRIORITY_ADDR 80000
#define IPRULE_PRIORITY_NW 90000
-#define IPRULE_PRIORITY_REJECT 2000000000
+#define IPRULE_PRIORITY_SOURCE 4026531840
+#define IPRULE_PRIORITY_REJECT 4200000000
enum iprule_flags {
/* address family for rule */
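Review bot: `4026531840` and `4200000000` exceed INT_MAX, so as unsuffixed decimal literals they are `long` on LP64 and `long long` on 32-bit targets; since every consumer is `unsigned int`/`uint32_t` (the `priority` parameter, `tbl->table`) they should be written as 32-bit unsigned constants, e.g. `#define IPRULE_PRIORITY_SOURCE 0xF0000000u` and `#define IPRULE_PRIORITY_REJECT 4200000000u`, which also makes the `SOURCE | (mask << 20)` arithmetic in get_source_table legible. The move of REJECT from 2000000000 is unexplained; a comment describing the priority layout (ADDR < NW < SOURCE-derived tables < REJECT + ifindex, all below the 32-bit rule priority limit) would document why the old value no longer worked.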
diff --git a/ubus.c b/ubus.c
index a26c3dd..513b40c 100644
--- a/ubus.c
+++ b/ubus.c
@@ -488,6 +488,11 @@ interface_ip_dump_route_list(struct interface_ip_settings *ip, bool enabled)
if (route->valid_until)
blobmsg_add_u32(&b, "valid", route->valid_until - now);
+ buf = blobmsg_alloc_string_buffer(&b, "source", buflen);
+ inet_ntop(af, &route->source, buf, buflen);
+ snprintf(buf + strlen(buf), 4, "/%u", route->sourcemask);
+ blobmsg_add_string_buffer(&b);
+
blobmsg_close_table(&b, r);
}
}
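Review bot: `snprintf(buf + strlen(buf), 4, ...)` leaves room for `/` plus two digits and the terminator, so an IPv6 source length of 100–128 is reported truncated as `/10`–`/12`; the size should be the remaining space in the buffer, and the unchecked inet_ntop result means strlen runs over whatever the allocated buffer held on failure. The rewritten lines below fix both; they also only emit `source` when a source is set, since otherwise every route reports `0.0.0.0/0` or `::/0`, which I assume is unintended. `buf`, `buflen` and `af` are defined outside the hunk, and `buflen` must have room for the `/nnn` suffix beyond the address.
```c
	if (route->sourcemask) {
		buf = blobmsg_alloc_string_buffer(&b, "source", buflen);
		if (inet_ntop(af, &route->source, buf, buflen)) {
			size_t used = strlen(buf);
			snprintf(buf + used, buflen - used, "/%u", route->sourcemask);
		} else {
			buf[0] = '\0';
		}
		blobmsg_add_string_buffer(&b);
	}
```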
@@ -727,6 +732,7 @@ netifd_handle_status(struct ubus_context *ctx, struct ubus_object *obj,
return 0;
}
+
static int
netifd_handle_dump(struct ubus_context *ctx, struct ubus_object *obj,
struct ubus_request_data *req, const char *method,