netifd: Do not add local/source policy rules multiple times

interface_ip_set_enabled() is usually called two times right after one another,
once to handle config_ip and once to handle proto_ip. As long as
ip->iface->l3_dev.dev is set, the local/source policy rules are updated.

This value is in several cases set on both config_ip and proto_ip, causing the
rules to be added multiple time. The reason is that the kernel does not respect
the NLM_F_* flag for rules. In other words, the rule state has to be managed by
the routing daemon.

Since the local/source policy rules are bound to iface, this commit solves the
problem by adding a flag to interface which stores the current rule state. The
flag follows the enabled-paramter passed to interface_ip_set_enabled(), similar
to route-> and addr->enabled. The flag breaks the alignment of the interface
struct, but based on earlier commits this seems to be ok.

I have tested the patch in different configurations and have not found any
regression.

Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>

1 files changed, 3 insertions, 1 deletions

diff --git a/interface-ip.c b/interface-ip.c
index 1e085bc..b96d98c 100644
--- a/interface-ip.c
+++ b/interface-ip.c
@@ -1289,12 +1289,14 @@ void interface_ip_set_enabled(struct interface_ip_settings *ip, bool enabled)
 			if (!strcmp(a->name, ip->iface->name))
 				interface_set_prefix_address(a, c, ip->iface, enabled);
 
-	if (ip->iface && ip->iface->l3_dev.dev) {
+	if (ip->iface && ip->iface->policy_rules_set != enabled &&
+	    ip->iface->l3_dev.dev) {
 		set_ip_lo_policy(enabled, true, ip->iface);
 		set_ip_lo_policy(enabled, false, ip->iface);
 
 		set_ip_source_policy(enabled, true, IPRULE_PRIORITY_REJECT + ip->iface->l3_dev.dev->ifindex,
 			NULL, 0, 0, ip->iface, "failed_policy");
+		ip->iface->policy_rules_set = enabled;
 	}
 }