diff options
author | Steven Barth <steven@midlink.org> | 2013-10-18 12:09:42 +0200 |
---|---|---|
committer | Steven Barth <steven@midlink.org> | 2013-10-18 12:09:42 +0200 |
commit | e93c42c036c4b4df1f65f261def31cf1a429e942 (patch) | |
tree | 2d92d5d871b10c542402d9d99b354daaf839b545 | |
parent | ddbd2cc51b3db14f6a8bd46ceebaee9097a50b78 (diff) |
Add source-restricted routes
-rwxr-xr-x | dummy/netifd-proto.sh | 6 | ||||
-rw-r--r-- | interface-ip.c | 125 | ||||
-rw-r--r-- | interface-ip.h | 11 | ||||
-rw-r--r-- | iprule.h | 3 | ||||
-rw-r--r-- | ubus.c | 6 |
5 files changed, 136 insertions, 15 deletions
diff --git a/dummy/netifd-proto.sh b/dummy/netifd-proto.sh index d8b540d..6f20de9 100755 --- a/dummy/netifd-proto.sh +++ b/dummy/netifd-proto.sh @@ -143,8 +143,9 @@ proto_add_ipv6_route() { local gw="$3" local metric="$4" local valid="$5" + local source="$6" - append PROTO_ROUTE6 "$target/$mask/$gw/$metric/$valid" + append PROTO_ROUTE6 "$target/$mask/$gw/$metric/$valid/$source" } proto_add_ipv6_prefix() { @@ -218,6 +219,8 @@ _proto_push_route() { local metric="${str%%/*}" str="${str#*/}" local valid="${str%%/*}" + str="${str#*/}" + local source="${str}" json_add_object "" json_add_string target "$target" @@ -225,6 +228,7 @@ _proto_push_route() { [ -n "$gw" ] && json_add_string gateway "$gw" [ -n "$metric" ] && json_add_int metric "$metric" [ -n "$valid" ] && json_add_int valid "$valid" + [ -n "$source" ] && json_add_string source "$source" json_close_object } diff --git a/interface-ip.c b/interface-ip.c index 185a9a7..60902f9 100644 --- a/interface-ip.c +++ b/interface-ip.c @@ -37,6 +37,7 @@ enum { ROUTE_MTU, ROUTE_VALID, ROUTE_TABLE, + ROUTE_SOURCE, __ROUTE_MAX }; @@ -49,6 +50,7 @@ static const struct blobmsg_policy route_attr[__ROUTE_MAX] = { [ROUTE_MTU] = { .name = "mtu", .type = BLOBMSG_TYPE_INT32 }, [ROUTE_TABLE] = { .name = "table", .type = BLOBMSG_TYPE_STRING }, [ROUTE_VALID] = { .name = "valid", .type = BLOBMSG_TYPE_INT32 }, + [ROUTE_SOURCE] = { .name = "source", .type = BLOBMSG_TYPE_STRING }, }; const struct uci_blob_param_list route_attr_list = { @@ -58,6 +60,7 @@ const struct uci_blob_param_list route_attr_list = { struct list_head prefixes = LIST_HEAD_INIT(prefixes); +static struct list_head source_tables = LIST_HEAD_INIT(source_tables); static struct device_prefix *ula_prefix = NULL; static struct uloop_timeout valid_until_timeout; @@ -92,7 +95,7 @@ match_if_addr(union if_addr *a1, union if_addr *a2, int mask) } static int set_ip_source_policy(bool add, bool v6, unsigned int priority, - const union if_addr *addr, uint8_t mask, struct interface *iface, + const union if_addr *addr, uint8_t mask, unsigned int table, struct interface *in_iface, const char *action) { struct iprule rule = { @@ -106,9 +109,9 @@ static int set_ip_source_policy(bool add, bool v6, unsigned int priority, rule.src_mask = mask; } - if (iface) { + if (table) { rule.flags |= IPRULE_LOOKUP; - rule.lookup = (v6) ? iface->ip6table : iface->ip4table; + rule.lookup = table; if (!rule.lookup) return 0; @@ -195,6 +198,72 @@ __find_ip_route_target(struct interface_ip_settings *ip, union if_addr *a, } } +static struct device_source_table* +find_source_table(const struct device_route *route) +{ + struct device_source_table key = { + .v6 = (route->flags & DEVADDR_FAMILY) == DEVADDR_INET6, + .addr = route->source, + .mask = route->sourcemask + }; + struct device_source_table *c; + list_for_each_entry(c, &source_tables, head) + if (!memcmp(&c->v6, &key.v6, sizeof(key) - + offsetof(struct device_source_table, v6))) + return c; + return NULL; +} + +static uint32_t +get_source_table(const struct device_route *route) +{ + if (route->table || route->sourcemask == 0) + return route->table; + + struct device_source_table *tbl = find_source_table(route); + + if (!tbl) { + tbl = calloc(1, sizeof(*tbl)); + tbl->addr = route->source; + tbl->mask = route->sourcemask; + tbl->v6 = (route->flags & DEVADDR_FAMILY) == DEVADDR_INET6; + tbl->table = IPRULE_PRIORITY_SOURCE | (((~tbl->mask) & 0x7f) << 20); + + struct list_head *before = NULL; + struct device_source_table *c; + list_for_each_entry(c, &source_tables, head) { + if (c->table > tbl->table) { + before = &c->head; + break; + } else if (c->table == tbl->table) { + ++tbl->table; + } + } + + if (!before) + before = &source_tables; + + list_add_tail(&tbl->head, before); + set_ip_source_policy(true, tbl->v6, tbl->table, &tbl->addr, + tbl->mask, tbl->table, NULL, NULL); + } + + ++tbl->refcount; + return tbl->table; +} + +static void +put_source_table(const struct device_route *route) +{ + struct device_source_table *tbl = find_source_table(route); + if (tbl && tbl->table == route->table && --tbl->refcount == 0) { + set_ip_source_policy(false, tbl->v6, tbl->table, &tbl->addr, + tbl->mask, tbl->table, NULL, NULL); + list_del(&tbl->head); + free(tbl); + } +} + static bool interface_ip_find_addr_target(struct interface *iface, union if_addr *a, bool v6) { @@ -329,7 +398,20 @@ interface_ip_add_route(struct interface *iface, struct blob_attr *attr, bool v6) } // Use source-based routing - if (is_proto_route) { + if ((cur = tb[ROUTE_SOURCE]) != NULL) { + char *saveptr, *source = alloca(blobmsg_data_len(cur)); + memcpy(source, blobmsg_data(cur), blobmsg_data_len(cur)); + + const char *addr = strtok_r(source, "/", &saveptr); + const char *mask = strtok_r(NULL, "/", &saveptr); + + if (inet_pton(af, addr, &route->source) < 1) { + DPRINTF("Failed to parse route source: %s\n", addr); + goto error; + } + + route->sourcemask = atoi(mask); + } else if (is_proto_route) { route->table = (v6) ? iface->ip6table : iface->ip4table; route->flags |= DEVROUTE_SRCTABLE; } @@ -351,6 +433,11 @@ interface_ip_add_route(struct interface *iface, struct blob_attr *attr, bool v6) route->valid_until = valid_until; } + if (route->sourcemask) { + route->table = get_source_table(route); + route->flags |= DEVROUTE_SRCTABLE; + } + vlist_add(&ip->route, &route->node, route); return; @@ -379,6 +466,13 @@ route_cmp(const void *k1, const void *k2, void *ptr) if (r1->flags != r2->flags) return r2->flags - r1->flags; + if (r1->sourcemask != r2->sourcemask) + return r1->sourcemask - r2->sourcemask; + + int maskcmp = memcmp(&r1->source, &r2->source, sizeof(r1->source)); + if (maskcmp) + return maskcmp; + return memcmp(&r1->addr, &r2->addr, sizeof(r1->addr)); } @@ -478,9 +572,10 @@ interface_update_proto_addr(struct vlist_tree *tree, //only the network-rule will cause packets to be routed through the //first matching network (source IP matches both masks). set_ip_source_policy(false, v6, IPRULE_PRIORITY_ADDR, &a_old->addr, - (v6) ? 128 : 32, iface, NULL, NULL); + (v6) ? 128 : 32, (v6) ? iface->ip6table : iface->ip4table, + NULL, NULL); set_ip_source_policy(false, v6, IPRULE_PRIORITY_NW, &a_old->addr, - a_old->mask, iface, NULL, NULL); + a_old->mask, (v6) ? iface->ip6table : iface->ip4table, NULL, NULL); system_del_address(dev, a_old); } @@ -497,9 +592,11 @@ interface_update_proto_addr(struct vlist_tree *tree, v6 = true; set_ip_source_policy(true, v6, IPRULE_PRIORITY_ADDR, &a_new->addr, - (v6) ? 128 : 32, iface, NULL, NULL); + (v6) ? 128 : 32, (v6) ? iface->ip6table : iface->ip4table, + NULL, NULL); set_ip_source_policy(true, v6, IPRULE_PRIORITY_NW, &a_new->addr, - a_new->mask, iface, NULL, NULL); + a_new->mask, (v6) ? iface->ip6table : iface->ip4table, + NULL, NULL); } if ((a_new->flags & DEVADDR_OFFLINK) || iface->metric) @@ -541,6 +638,8 @@ interface_update_proto_route(struct vlist_tree *tree, if (node_old) { if (!(route_old->flags & DEVADDR_EXTERNAL) && route_old->enabled && !keep) system_del_route(dev, route_old); + + put_source_table(route_old); free(route_old); } @@ -611,10 +710,10 @@ interface_set_prefix_address(struct device_prefix_assignment *assignment, system_add_address(l3_downlink, &addr); if (prefix->iface) { set_ip_source_policy(false, true, IPRULE_PRIORITY_NW, &addr.addr, - addr.mask, prefix->iface, iface, NULL); + addr.mask, prefix->iface->ip6table, iface, NULL); set_ip_source_policy(false, true, IPRULE_PRIORITY_REJECT, &addr.addr, - addr.mask, NULL, iface, "unreachable"); + addr.mask, 0, iface, "unreachable"); } assignment->enabled = false; @@ -622,10 +721,10 @@ interface_set_prefix_address(struct device_prefix_assignment *assignment, system_add_address(l3_downlink, &addr); if (prefix->iface && !assignment->enabled) { set_ip_source_policy(true, true, IPRULE_PRIORITY_REJECT, &addr.addr, - addr.mask, NULL, iface, "unreachable"); + addr.mask, 0, iface, "unreachable"); set_ip_source_policy(true, true, IPRULE_PRIORITY_NW, &addr.addr, - addr.mask, prefix->iface, iface, NULL); + addr.mask, prefix->iface->ip6table, iface, NULL); } if (uplink && uplink->l3_dev.dev) { int mtu = system_update_ipv6_mtu( @@ -1101,7 +1200,7 @@ void interface_ip_set_enabled(struct interface_ip_settings *ip, bool enabled) set_ip_lo_policy(enabled, false, ip->iface); set_ip_source_policy(enabled, true, IPRULE_PRIORITY_REJECT + ip->iface->l3_dev.dev->ifindex, - NULL, 0, NULL, ip->iface, "failed_policy"); + NULL, 0, 0, ip->iface, "failed_policy"); } } diff --git a/interface-ip.h b/interface-ip.h index c78a076..b36c515 100644 --- a/interface-ip.h +++ b/interface-ip.h @@ -108,6 +108,17 @@ struct device_route { int metric; // there can be multiple routes to the same target unsigned int table; unsigned int mask; + unsigned int sourcemask; + union if_addr addr; + union if_addr source; +}; + +struct device_source_table { + struct list_head head; + uint32_t table; + uint16_t refcount; + uint8_t v6; + uint8_t mask; union if_addr addr; }; @@ -19,7 +19,8 @@ #define IPRULE_PRIORITY_ADDR 80000 #define IPRULE_PRIORITY_NW 90000 -#define IPRULE_PRIORITY_REJECT 2000000000 +#define IPRULE_PRIORITY_SOURCE 4026531840 +#define IPRULE_PRIORITY_REJECT 4200000000 enum iprule_flags { /* address family for rule */ @@ -488,6 +488,11 @@ interface_ip_dump_route_list(struct interface_ip_settings *ip, bool enabled) if (route->valid_until) blobmsg_add_u32(&b, "valid", route->valid_until - now); + buf = blobmsg_alloc_string_buffer(&b, "source", buflen); + inet_ntop(af, &route->source, buf, buflen); + snprintf(buf + strlen(buf), 4, "/%u", route->sourcemask); + blobmsg_add_string_buffer(&b); + blobmsg_close_table(&b, r); } } @@ -727,6 +732,7 @@ netifd_handle_status(struct ubus_context *ctx, struct ubus_object *obj, return 0; } + static int netifd_handle_dump(struct ubus_context *ctx, struct ubus_object *obj, struct ubus_request_data *req, const char *method, |