diff options
| author | Hans Dedecker <dedeckeh@gmail.com> | 2014-11-13 15:57:58 +0000 |
|---|---|---|
| committer | Steven Barth <steven@midlink.org> | 2014-11-19 09:30:28 +0100 |
| commit | f6f065d3997ccc8d42805529e4aad59b789579ad (patch) | |
| tree | 2bbd1f2d4c4c594888c69f956a90f16d31d37413 /system-linux.c | |
| parent | b3a698e7b6c099203dcb4227a21813948b176e3b (diff) | |
netifd: Add rpfilter config support
Reverse path filtering config support; possible values are:
0: no source validation
1|strict: strict mode as packet will be dropped if the
incoming interface is not the best reverse path
2|loose: loose mode as packet will be dropped if the
source address is not reachable via any interface
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Diffstat (limited to 'system-linux.c')
| -rw-r--r-- | system-linux.c | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/system-linux.c b/system-linux.c index 01c3deb..bb7ccf9 100644 --- a/system-linux.c +++ b/system-linux.c @@ -265,6 +265,11 @@ static void system_set_disable_ipv6(struct device *dev, const char *val) system_set_dev_sysctl("/proc/sys/net/ipv6/conf/%s/disable_ipv6", dev->ifname, val); } +static void system_set_rpfilter(struct device *dev, const char *val) +{ + system_set_dev_sysctl("/proc/sys/net/ipv4/conf/%s/rp_filter", dev->ifname, val); +} + static int system_get_sysctl(const char *path, char *buf, const size_t buf_sz) { int fd = -1, ret = -1; @@ -299,6 +304,12 @@ static int system_get_disable_ipv6(struct device *dev, char *buf, const size_t b dev->ifname, buf, buf_sz); } +static int system_get_rpfilter(struct device *dev, char *buf, const size_t buf_sz) +{ + return system_get_dev_sysctl("/proc/sys/net/ipv4/conf/%s/rp_filter", + dev->ifname, buf, buf_sz); +} + // Evaluate netlink messages static int cb_rtnl_event(struct nl_msg *msg, void *arg) { @@ -953,6 +964,11 @@ system_if_get_settings(struct device *dev, struct device_settings *s) s->promisc = ifr.ifr_flags & IFF_PROMISC; s->flags |= DEV_OPT_PROMISC; } + + if (!system_get_rpfilter(dev, buf, sizeof(buf))) { + s->rpfilter = strtoul(buf, NULL, 0); + s->flags |= DEV_OPT_RPFILTER; + } } void @@ -988,6 +1004,12 @@ system_if_apply_settings(struct device *dev, struct device_settings *s, unsigned !s->promisc ? IFF_PROMISC : 0) < 0) s->flags &= ~DEV_OPT_PROMISC; } + if (s->flags & DEV_OPT_RPFILTER & apply_mask) { + char buf[2]; + + snprintf(buf, sizeof(buf), "%d", s->rpfilter); + system_set_rpfilter(dev, buf); + } } int system_if_up(struct device *dev) @@ -1506,6 +1528,25 @@ bool system_is_default_rt_table(unsigned int id) return (id == RT_TABLE_MAIN); } +bool system_resolve_rpfilter(const char *filter, unsigned int *id) +{ + char *e; + unsigned int n; + + if (!strcmp(filter, "strict")) + n = 1; + else if (!strcmp(filter, "loose")) + n = 2; + else { + n = strtoul(filter, &e, 0); + if (*e || e == filter || n > 2) + return false; + } + + *id = n; + return true; +} + static int system_iprule(struct iprule *rule, int cmd) { int alen = ((rule->flags & IPRULE_FAMILY) == IPRULE_INET4) ? 4 : 16; |