]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/network/networkd-routing-policy-rule.c
projects / thirdparty / systemd.git / blob
? search:


886b4da8e0a774207d150254982177a6b17e8fe6
[thirdparty/systemd.git] / src / network / networkd-routing-policy-rule.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 /* Make sure the net/if.h header is included before any linux/ one */
4 #include <net/if.h>
5 #include <linux/fib_rules.h>
6
7 #include "af-list.h"
8 #include "alloc-util.h"
9 #include "conf-parser.h"
10 #include "fileio.h"
11 #include "format-util.h"
12 #include "hashmap.h"
13 #include "ip-protocol-list.h"
14 #include "netlink-util.h"
15 #include "networkd-manager.h"
16 #include "networkd-queue.h"
17 #include "networkd-route-util.h"
18 #include "networkd-routing-policy-rule.h"
19 #include "networkd-util.h"
20 #include "parse-util.h"
21 #include "socket-util.h"
22 #include "string-table.h"
23 #include "string-util.h"
24 #include "strv.h"
25 #include "user-util.h"
26
27 static const char *const fr_act_type_table[__FR_ACT_MAX] = {
28 [FR_ACT_BLACKHOLE] = "blackhole",
29 [FR_ACT_UNREACHABLE] = "unreachable",
30 [FR_ACT_PROHIBIT] = "prohibit",
31 };
32
33 static const char *const fr_act_type_full_table[__FR_ACT_MAX] = {
34 [FR_ACT_TO_TBL] = "table",
35 [FR_ACT_GOTO] = "goto",
36 [FR_ACT_NOP] = "nop",
37 [FR_ACT_BLACKHOLE] = "blackhole",
38 [FR_ACT_UNREACHABLE] = "unreachable",
39 [FR_ACT_PROHIBIT] = "prohibit",
40 };
41
42 assert_cc(__FR_ACT_MAX <= UINT8_MAX);
43 DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(fr_act_type, int);
44 DEFINE_STRING_TABLE_LOOKUP_TO_STRING(fr_act_type_full, int);
45
46 RoutingPolicyRule *routing_policy_rule_free(RoutingPolicyRule *rule) {
47 if (!rule)
48 return NULL;
49
50 if (rule->network) {
51 assert(rule->section);
52 hashmap_remove(rule->network->rules_by_section, rule->section);
53 }
54
55 if (rule->manager)
56 set_remove(rule->manager->rules, rule);
57
58 config_section_free(rule->section);
59 free(rule->iif);
60 free(rule->oif);
61
62 return mfree(rule);
63 }
64
65 DEFINE_SECTION_CLEANUP_FUNCTIONS(RoutingPolicyRule, routing_policy_rule_free);
66
67 static int routing_policy_rule_new(RoutingPolicyRule **ret) {
68 RoutingPolicyRule *rule;
69
70 rule = new(RoutingPolicyRule, 1);
71 if (!rule)
72 return -ENOMEM;
73
74 *rule = (RoutingPolicyRule) {
75 .table = RT_TABLE_MAIN,
76 .uid_range.start = UID_INVALID,
77 .uid_range.end = UID_INVALID,
78 .suppress_prefixlen = -1,
79 .suppress_ifgroup = -1,
80 .protocol = RTPROT_UNSPEC,
81 .type = FR_ACT_TO_TBL,
82 };
83
84 *ret = rule;
85 return 0;
86 }
87
88 static int routing_policy_rule_new_static(Network *network, const char *filename, unsigned section_line, RoutingPolicyRule **ret) {
89 _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *rule = NULL;
90 _cleanup_(config_section_freep) ConfigSection *n = NULL;
91 int r;
92
93 assert(network);
94 assert(ret);
95 assert(filename);
96 assert(section_line > 0);
97
98 r = config_section_new(filename, section_line, &n);
99 if (r < 0)
100 return r;
101
102 rule = hashmap_get(network->rules_by_section, n);
103 if (rule) {
104 *ret = TAKE_PTR(rule);
105 return 0;
106 }
107
108 r = routing_policy_rule_new(&rule);
109 if (r < 0)
110 return r;
111
112 rule->network = network;
113 rule->section = TAKE_PTR(n);
114 rule->source = NETWORK_CONFIG_SOURCE_STATIC;
115 rule->protocol = RTPROT_STATIC;
116
117 r = hashmap_ensure_put(&network->rules_by_section, &config_section_hash_ops, rule->section, rule);
118 if (r < 0)
119 return r;
120
121 *ret = TAKE_PTR(rule);
122 return 0;
123 }
124
125 static int routing_policy_rule_dup(const RoutingPolicyRule *src, RoutingPolicyRule **ret) {
126 _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *dest = NULL;
127
128 assert(src);
129 assert(ret);
130
131 dest = newdup(RoutingPolicyRule, src, 1);
132 if (!dest)
133 return -ENOMEM;
134
135 /* Unset all pointers */
136 dest->manager = NULL;
137 dest->network = NULL;
138 dest->section = NULL;
139 dest->iif = dest->oif = NULL;
140
141 if (src->iif) {
142 dest->iif = strdup(src->iif);
143 if (!dest->iif)
144 return -ENOMEM;
145 }
146
147 if (src->oif) {
148 dest->oif = strdup(src->oif);
149 if (!dest->oif)
150 return -ENOMEM;
151 }
152
153 *ret = TAKE_PTR(dest);
154 return 0;
155 }
156
157 static void routing_policy_rule_hash_func(const RoutingPolicyRule *rule, struct siphash *state) {
158 assert(rule);
159
160 siphash24_compress_typesafe(rule->family, state);
161
162 switch (rule->family) {
163 case AF_INET:
164 case AF_INET6:
165 in_addr_hash_func(&rule->from, rule->family, state);
166 siphash24_compress_typesafe(rule->from_prefixlen, state);
167
168 siphash24_compress_boolean(rule->l3mdev, state);
169
170 in_addr_hash_func(&rule->to, rule->family, state);
171 siphash24_compress_typesafe(rule->to_prefixlen, state);
172
173 siphash24_compress_boolean(rule->invert_rule, state);
174
175 siphash24_compress_typesafe(rule->tos, state);
176 siphash24_compress_typesafe(rule->type, state);
177 siphash24_compress_typesafe(rule->fwmark, state);
178 siphash24_compress_typesafe(rule->fwmask, state);
179 siphash24_compress_typesafe(rule->priority, state);
180 siphash24_compress_typesafe(rule->table, state);
181 siphash24_compress_typesafe(rule->suppress_prefixlen, state);
182 siphash24_compress_typesafe(rule->suppress_ifgroup, state);
183
184 siphash24_compress_typesafe(rule->ipproto, state);
185 siphash24_compress_typesafe(rule->protocol, state);
186 siphash24_compress_typesafe(rule->sport, state);
187 siphash24_compress_typesafe(rule->dport, state);
188 siphash24_compress_typesafe(rule->uid_range, state);
189
190 siphash24_compress_string(rule->iif, state);
191 siphash24_compress_string(rule->oif, state);
192
193 break;
194 default:
195 /* treat any other address family as AF_UNSPEC */
196 break;
197 }
198 }
199
200 static int routing_policy_rule_compare_func(const RoutingPolicyRule *a, const RoutingPolicyRule *b) {
201 int r;
202
203 r = CMP(a->family, b->family);
204 if (r != 0)
205 return r;
206
207 switch (a->family) {
208 case AF_INET:
209 case AF_INET6:
210 r = CMP(a->from_prefixlen, b->from_prefixlen);
211 if (r != 0)
212 return r;
213
214 r = memcmp(&a->from, &b->from, FAMILY_ADDRESS_SIZE(a->family));
215 if (r != 0)
216 return r;
217
218 r = CMP(a->l3mdev, b->l3mdev);
219 if (r != 0)
220 return r;
221
222 r = CMP(a->to_prefixlen, b->to_prefixlen);
223 if (r != 0)
224 return r;
225
226 r = memcmp(&a->to, &b->to, FAMILY_ADDRESS_SIZE(a->family));
227 if (r != 0)
228 return r;
229
230 r = CMP(a->invert_rule, b->invert_rule);
231 if (r != 0)
232 return r;
233
234 r = CMP(a->tos, b->tos);
235 if (r != 0)
236 return r;
237
238 r = CMP(a->type, b->type);
239 if (r != 0)
240 return r;
241
242 r = CMP(a->fwmark, b->fwmark);
243 if (r != 0)
244 return r;
245
246 r = CMP(a->fwmask, b->fwmask);
247 if (r != 0)
248 return r;
249
250 r = CMP(a->priority, b->priority);
251 if (r != 0)
252 return r;
253
254 r = CMP(a->table, b->table);
255 if (r != 0)
256 return r;
257
258 r = CMP(a->suppress_prefixlen, b->suppress_prefixlen);
259 if (r != 0)
260 return r;
261
262 r = CMP(a->suppress_ifgroup, b->suppress_ifgroup);
263 if (r != 0)
264 return r;
265
266 r = CMP(a->ipproto, b->ipproto);
267 if (r != 0)
268 return r;
269
270 r = CMP(a->protocol, b->protocol);
271 if (r != 0)
272 return r;
273
274 r = memcmp(&a->sport, &b->sport, sizeof(a->sport));
275 if (r != 0)
276 return r;
277
278 r = memcmp(&a->dport, &b->dport, sizeof(a->dport));
279 if (r != 0)
280 return r;
281
282 r = memcmp(&a->uid_range, &b->uid_range, sizeof(a->uid_range));
283 if (r != 0)
284 return r;
285
286 r = strcmp_ptr(a->iif, b->iif);
287 if (r != 0)
288 return r;
289
290 r = strcmp_ptr(a->oif, b->oif);
291 if (r != 0)
292 return r;
293
294 return 0;
295 default:
296 /* treat any other address family as AF_UNSPEC */
297 return 0;
298 }
299 }
300
301 static bool routing_policy_rule_equal(const RoutingPolicyRule *rule1, const RoutingPolicyRule *rule2) {
302 if (rule1 == rule2)
303 return true;
304
305 if (!rule1 || !rule2)
306 return false;
307
308 return routing_policy_rule_compare_func(rule1, rule2) == 0;
309 }
310
311 DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR(
312 routing_policy_rule_hash_ops,
313 RoutingPolicyRule,
314 routing_policy_rule_hash_func,
315 routing_policy_rule_compare_func,
316 routing_policy_rule_free);
317
318 static int routing_policy_rule_get(Manager *m, const RoutingPolicyRule *in, RoutingPolicyRule **ret) {
319 RoutingPolicyRule *rule;
320
321 assert(m);
322 assert(in);
323
324 rule = set_get(m->rules, in);
325 if (rule) {
326 if (ret)
327 *ret = rule;
328 return 0;
329 }
330
331 if (in->priority_set)
332 return -ENOENT;
333
334 /* Also find rules configured without priority. */
335 SET_FOREACH(rule, m->rules) {
336 uint32_t priority;
337 bool found;
338
339 if (rule->priority_set)
340 /* The rule is configured with priority. */
341 continue;
342
343 priority = rule->priority;
344 rule->priority = 0;
345 found = routing_policy_rule_equal(rule, in);
346 rule->priority = priority;
347
348 if (found) {
349 if (ret)
350 *ret = rule;
351 return 0;
352 }
353 }
354
355 return -ENOENT;
356 }
357
358 static int routing_policy_rule_add(Manager *m, RoutingPolicyRule *rule) {
359 int r;
360
361 assert(m);
362 assert(rule);
363 assert(IN_SET(rule->family, AF_INET, AF_INET6));
364
365 r = set_ensure_put(&m->rules, &routing_policy_rule_hash_ops, rule);
366 if (r < 0)
367 return r;
368 if (r == 0)
369 return -EEXIST;
370
371 rule->manager = m;
372 return 0;
373 }
374
375 static int routing_policy_rule_acquire_priority(Manager *manager, RoutingPolicyRule *rule) {
376 _cleanup_set_free_ Set *priorities = NULL;
377 RoutingPolicyRule *tmp;
378 uint32_t priority;
379 Network *network;
380 int r;
381
382 assert(manager);
383 assert(rule);
384 assert(IN_SET(rule->family, AF_INET, AF_INET6));
385
386 if (rule->priority_set)
387 return 0;
388
389 /* Find the highest unused priority. Note that 32766 is already used by kernel.
390 * See kernel_rules[] below. */
391
392 SET_FOREACH(tmp, manager->rules) {
393 if (tmp->family != rule->family)
394 continue;
395 if (tmp->priority == 0 || tmp->priority > 32765)
396 continue;
397 r = set_ensure_put(&priorities, NULL, UINT32_TO_PTR(tmp->priority));
398 if (r < 0)
399 return r;
400 }
401
402 ORDERED_HASHMAP_FOREACH(network, manager->networks)
403 HASHMAP_FOREACH(tmp, network->rules_by_section) {
404 if (tmp->family != AF_UNSPEC && tmp->family != rule->family)
405 continue;
406 if (!tmp->priority_set)
407 continue;
408 if (tmp->priority == 0 || tmp->priority > 32765)
409 continue;
410 r = set_ensure_put(&priorities, NULL, UINT32_TO_PTR(tmp->priority));
411 if (r < 0)
412 return r;
413 }
414
415 for (priority = 32765; priority > 0; priority--)
416 if (!set_contains(priorities, UINT32_TO_PTR(priority)))
417 break;
418
419 rule->priority = priority;
420 return 0;
421 }
422
423 static void log_routing_policy_rule_debug(const RoutingPolicyRule *rule, const char *str, const Link *link, const Manager *m) {
424 _cleanup_free_ char *state = NULL, *table = NULL;
425
426 assert(rule);
427 assert(IN_SET(rule->family, AF_INET, AF_INET6));
428 assert(str);
429 assert(m);
430
431 /* link may be NULL. */
432
433 if (!DEBUG_LOGGING)
434 return;
435
436 (void) network_config_state_to_string_alloc(rule->state, &state);
437 (void) manager_get_route_table_to_string(m, rule->table, /* append_num = */ true, &table);
438
439 log_link_debug(link,
440 "%s %s routing policy rule (%s): priority: %"PRIu32", %s -> %s, iif: %s, oif: %s, table: %s",
441 str, strna(network_config_source_to_string(rule->source)), strna(state),
442 rule->priority,
443 IN_ADDR_PREFIX_TO_STRING(rule->family, &rule->from, rule->from_prefixlen),
444 IN_ADDR_PREFIX_TO_STRING(rule->family, &rule->to, rule->to_prefixlen),
445 strna(rule->iif), strna(rule->oif), strna(table));
446 }
447
448 static int routing_policy_rule_set_netlink_message(const RoutingPolicyRule *rule, sd_netlink_message *m, Link *link) {
449 int r;
450
451 assert(rule);
452 assert(m);
453
454 /* link may be NULL. */
455
456 if (rule->from_prefixlen > 0) {
457 r = netlink_message_append_in_addr_union(m, FRA_SRC, rule->family, &rule->from);
458 if (r < 0)
459 return r;
460
461 r = sd_rtnl_message_routing_policy_rule_set_fib_src_prefixlen(m, rule->from_prefixlen);
462 if (r < 0)
463 return r;
464 }
465
466 if (rule->to_prefixlen > 0) {
467 r = netlink_message_append_in_addr_union(m, FRA_DST, rule->family, &rule->to);
468 if (r < 0)
469 return r;
470
471 r = sd_rtnl_message_routing_policy_rule_set_fib_dst_prefixlen(m, rule->to_prefixlen);
472 if (r < 0)
473 return r;
474 }
475
476 r = sd_netlink_message_append_u32(m, FRA_PRIORITY, rule->priority);
477 if (r < 0)
478 return r;
479
480 if (rule->tos > 0) {
481 r = sd_rtnl_message_routing_policy_rule_set_tos(m, rule->tos);
482 if (r < 0)
483 return r;
484 }
485
486 if (rule->l3mdev)
487 r = sd_rtnl_message_routing_policy_rule_set_table(m, RT_TABLE_UNSPEC);
488 else if (rule->table < 256)
489 r = sd_rtnl_message_routing_policy_rule_set_table(m, rule->table);
490 else {
491 r = sd_rtnl_message_routing_policy_rule_set_table(m, RT_TABLE_UNSPEC);
492 if (r < 0)
493 return r;
494
495 r = sd_netlink_message_append_u32(m, FRA_TABLE, rule->table);
496 }
497 if (r < 0)
498 return r;
499
500 if (rule->fwmark > 0) {
501 r = sd_netlink_message_append_u32(m, FRA_FWMARK, rule->fwmark);
502 if (r < 0)
503 return r;
504
505 r = sd_netlink_message_append_u32(m, FRA_FWMASK, rule->fwmask);
506 if (r < 0)
507 return r;
508 }
509
510 if (rule->iif) {
511 r = sd_netlink_message_append_string(m, FRA_IIFNAME, rule->iif);
512 if (r < 0)
513 return r;
514 }
515
516 if (rule->oif) {
517 r = sd_netlink_message_append_string(m, FRA_OIFNAME, rule->oif);
518 if (r < 0)
519 return r;
520 }
521
522 r = sd_netlink_message_append_u8(m, FRA_IP_PROTO, rule->ipproto);
523 if (r < 0)
524 return r;
525
526 r = sd_netlink_message_append_u8(m, FRA_PROTOCOL, rule->protocol);
527 if (r < 0)
528 return r;
529
530 if (rule->sport.start != 0 || rule->sport.end != 0) {
531 r = sd_netlink_message_append_data(m, FRA_SPORT_RANGE, &rule->sport, sizeof(rule->sport));
532 if (r < 0)
533 return r;
534 }
535
536 if (rule->dport.start != 0 || rule->dport.end != 0) {
537 r = sd_netlink_message_append_data(m, FRA_DPORT_RANGE, &rule->dport, sizeof(rule->dport));
538 if (r < 0)
539 return r;
540 }
541
542 if (rule->uid_range.start != UID_INVALID && rule->uid_range.end != UID_INVALID) {
543 r = sd_netlink_message_append_data(m, FRA_UID_RANGE, &rule->uid_range, sizeof(rule->uid_range));
544 if (r < 0)
545 return r;
546 }
547
548 if (rule->invert_rule) {
549 r = sd_rtnl_message_routing_policy_rule_set_flags(m, FIB_RULE_INVERT);
550 if (r < 0)
551 return r;
552 }
553
554 if (rule->l3mdev) {
555 r = sd_netlink_message_append_u8(m, FRA_L3MDEV, 1);
556 if (r < 0)
557 return r;
558 }
559
560 if (rule->suppress_prefixlen >= 0) {
561 r = sd_netlink_message_append_u32(m, FRA_SUPPRESS_PREFIXLEN, (uint32_t) rule->suppress_prefixlen);
562 if (r < 0)
563 return r;
564 }
565
566 if (rule->suppress_ifgroup >= 0) {
567 r = sd_netlink_message_append_u32(m, FRA_SUPPRESS_IFGROUP, (uint32_t) rule->suppress_ifgroup);
568 if (r < 0)
569 return r;
570 }
571
572 r = sd_rtnl_message_routing_policy_rule_set_fib_type(m, rule->type);
573 if (r < 0)
574 return r;
575
576 return 0;
577 }
578
579 static int routing_policy_rule_remove_handler(sd_netlink *rtnl, sd_netlink_message *m, void *userdata) {
580 int r;
581
582 assert(m);
583
584 r = sd_netlink_message_get_errno(m);
585 if (r < 0)
586 log_message_warning_errno(m, r, "Could not drop routing policy rule");
587
588 return 1;
589 }
590
591 static int routing_policy_rule_remove(RoutingPolicyRule *rule) {
592 _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
593 int r;
594
595 assert(rule);
596 assert(rule->manager);
597 assert(rule->manager->rtnl);
598 assert(IN_SET(rule->family, AF_INET, AF_INET6));
599
600 log_routing_policy_rule_debug(rule, "Removing", NULL, rule->manager);
601
602 r = sd_rtnl_message_new_routing_policy_rule(rule->manager->rtnl, &m, RTM_DELRULE, rule->family);
603 if (r < 0)
604 return log_warning_errno(r, "Could not allocate netlink message: %m");
605
606 r = routing_policy_rule_set_netlink_message(rule, m, NULL);
607 if (r < 0)
608 return log_warning_errno(r, "Could not create netlink message: %m");
609
610 r = netlink_call_async(rule->manager->rtnl, NULL, m,
611 routing_policy_rule_remove_handler,
612 NULL, NULL);
613 if (r < 0)
614 return log_warning_errno(r, "Could not send netlink message: %m");
615
616 routing_policy_rule_enter_removing(rule);
617 return 0;
618 }
619
620 static int routing_policy_rule_configure(RoutingPolicyRule *rule, Link *link, Request *req) {
621 _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
622 int r;
623
624 assert(rule);
625 assert(IN_SET(rule->family, AF_INET, AF_INET6));
626 assert(link);
627 assert(link->ifindex > 0);
628 assert(link->manager);
629 assert(link->manager->rtnl);
630 assert(req);
631
632 log_routing_policy_rule_debug(rule, "Configuring", link, link->manager);
633
634 r = sd_rtnl_message_new_routing_policy_rule(link->manager->rtnl, &m, RTM_NEWRULE, rule->family);
635 if (r < 0)
636 return r;
637
638 r = routing_policy_rule_set_netlink_message(rule, m, link);
639 if (r < 0)
640 return r;
641
642 return request_call_netlink_async(link->manager->rtnl, m, req);
643 }
644
645 static void manager_mark_routing_policy_rules(Manager *m, bool foreign, const Link *except) {
646 RoutingPolicyRule *rule;
647 Link *link;
648
649 assert(m);
650
651 /* First, mark all existing rules. */
652 SET_FOREACH(rule, m->rules) {
653 /* Do not touch rules managed by kernel. */
654 if (rule->protocol == RTPROT_KERNEL)
655 continue;
656
657 /* When 'foreign' is true, mark only foreign rules, and vice versa. */
658 if (rule->source != (foreign ? NETWORK_CONFIG_SOURCE_FOREIGN : NETWORK_CONFIG_SOURCE_STATIC))
659 continue;
660
661 /* Ignore rules not assigned yet or already removing. */
662 if (!routing_policy_rule_exists(rule))
663 continue;
664
665 routing_policy_rule_mark(rule);
666 }
667
668 /* Then, unmark all rules requested by active links. */
669 HASHMAP_FOREACH(link, m->links_by_index) {
670 if (link == except)
671 continue;
672
673 if (!IN_SET(link->state, LINK_STATE_CONFIGURING, LINK_STATE_CONFIGURED))
674 continue;
675
676 HASHMAP_FOREACH(rule, link->network->rules_by_section) {
677 RoutingPolicyRule *existing;
678
679 if (IN_SET(rule->family, AF_INET, AF_INET6)) {
680 if (routing_policy_rule_get(m, rule, &existing) >= 0)
681 routing_policy_rule_unmark(existing);
682 } else {
683 /* The case Family=both. */
684 rule->family = AF_INET;
685 if (routing_policy_rule_get(m, rule, &existing) >= 0)
686 routing_policy_rule_unmark(existing);
687
688 rule->family = AF_INET6;
689 if (routing_policy_rule_get(m, rule, &existing) >= 0)
690 routing_policy_rule_unmark(existing);
691
692 rule->family = AF_UNSPEC;
693 }
694 }
695 }
696 }
697
698 int manager_drop_routing_policy_rules_internal(Manager *m, bool foreign, const Link *except) {
699 RoutingPolicyRule *rule;
700 int r = 0;
701
702 assert(m);
703
704 manager_mark_routing_policy_rules(m, foreign, except);
705
706 SET_FOREACH(rule, m->rules) {
707 if (!routing_policy_rule_is_marked(rule))
708 continue;
709
710 RET_GATHER(r, routing_policy_rule_remove(rule));
711 }
712
713 return r;
714 }
715
716 void link_foreignize_routing_policy_rules(Link *link) {
717 RoutingPolicyRule *rule;
718
719 assert(link);
720 assert(link->manager);
721
722 manager_mark_routing_policy_rules(link->manager, /* foreign = */ false, link);
723
724 SET_FOREACH(rule, link->manager->rules) {
725 if (!routing_policy_rule_is_marked(rule))
726 continue;
727
728 rule->source = NETWORK_CONFIG_SOURCE_FOREIGN;
729 }
730 }
731
732 static int routing_policy_rule_process_request(Request *req, Link *link, RoutingPolicyRule *rule) {
733 int r;
734
735 assert(req);
736 assert(link);
737 assert(rule);
738
739 if (!link_is_ready_to_configure(link, false))
740 return 0;
741
742 r = routing_policy_rule_configure(rule, link, req);
743 if (r < 0)
744 return log_link_warning_errno(link, r, "Failed to configure routing policy rule: %m");
745
746 routing_policy_rule_enter_configuring(rule);
747 return 1;
748 }
749
750 static int static_routing_policy_rule_configure_handler(
751 sd_netlink *rtnl,
752 sd_netlink_message *m,
753 Request *req,
754 Link *link,
755 RoutingPolicyRule *rule) {
756
757 int r;
758
759 assert(m);
760 assert(link);
761
762 r = sd_netlink_message_get_errno(m);
763 if (r < 0 && r != -EEXIST) {
764 log_link_message_warning_errno(link, m, r, "Could not add routing policy rule");
765 link_enter_failed(link);
766 return 1;
767 }
768
769 if (link->static_routing_policy_rule_messages == 0) {
770 log_link_debug(link, "Routing policy rule configured");
771 link->static_routing_policy_rules_configured = true;
772 link_check_ready(link);
773 }
774
775 return 1;
776 }
777
778 static int link_request_routing_policy_rule(Link *link, RoutingPolicyRule *rule) {
779 RoutingPolicyRule *existing;
780 int r;
781
782 assert(link);
783 assert(link->manager);
784 assert(rule);
785 assert(rule->source != NETWORK_CONFIG_SOURCE_FOREIGN);
786
787 if (routing_policy_rule_get(link->manager, rule, &existing) < 0) {
788 _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *tmp = NULL;
789
790 r = routing_policy_rule_dup(rule, &tmp);
791 if (r < 0)
792 return r;
793
794 r = routing_policy_rule_acquire_priority(link->manager, tmp);
795 if (r < 0)
796 return r;
797
798 r = routing_policy_rule_add(link->manager, tmp);
799 if (r < 0)
800 return r;
801
802 existing = TAKE_PTR(tmp);
803 } else
804 existing->source = rule->source;
805
806 log_routing_policy_rule_debug(existing, "Requesting", link, link->manager);
807 r = link_queue_request_safe(link, REQUEST_TYPE_ROUTING_POLICY_RULE,
808 existing, NULL,
809 routing_policy_rule_hash_func,
810 routing_policy_rule_compare_func,
811 routing_policy_rule_process_request,
812 &link->static_routing_policy_rule_messages,
813 static_routing_policy_rule_configure_handler,
814 NULL);
815 if (r <= 0)
816 return r;
817
818 routing_policy_rule_enter_requesting(existing);
819 return 1;
820 }
821
822 static int link_request_static_routing_policy_rule(Link *link, RoutingPolicyRule *rule) {
823 int r;
824
825 if (IN_SET(rule->family, AF_INET, AF_INET6))
826 return link_request_routing_policy_rule(link, rule);
827
828 rule->family = AF_INET;
829 r = link_request_routing_policy_rule(link, rule);
830 if (r < 0) {
831 rule->family = AF_UNSPEC;
832 return r;
833 }
834
835 rule->family = AF_INET6;
836 r = link_request_routing_policy_rule(link, rule);
837 rule->family = AF_UNSPEC;
838 return r;
839 }
840
841 int link_request_static_routing_policy_rules(Link *link) {
842 RoutingPolicyRule *rule;
843 int r;
844
845 assert(link);
846 assert(link->network);
847
848 link->static_routing_policy_rules_configured = false;
849
850 HASHMAP_FOREACH(rule, link->network->rules_by_section) {
851 r = link_request_static_routing_policy_rule(link, rule);
852 if (r < 0)
853 return log_link_warning_errno(link, r, "Could not request routing policy rule: %m");
854 }
855
856 if (link->static_routing_policy_rule_messages == 0) {
857 link->static_routing_policy_rules_configured = true;
858 link_check_ready(link);
859 } else {
860 log_link_debug(link, "Requesting routing policy rules");
861 link_set_state(link, LINK_STATE_CONFIGURING);
862 }
863
864 return 0;
865 }
866
867 static const RoutingPolicyRule kernel_rules[] = {
868 { .family = AF_INET, .priority_set = true, .priority = 0, .table = RT_TABLE_LOCAL, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, .suppress_ifgroup = -1, },
869 { .family = AF_INET, .priority_set = true, .priority = 1000, .table = RT_TABLE_UNSPEC, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, .suppress_ifgroup = -1, .l3mdev = true },
870 { .family = AF_INET, .priority_set = true, .priority = 32766, .table = RT_TABLE_MAIN, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, .suppress_ifgroup = -1, },
871 { .family = AF_INET, .priority_set = true, .priority = 32767, .table = RT_TABLE_DEFAULT, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, .suppress_ifgroup = -1, },
872 { .family = AF_INET6, .priority_set = true, .priority = 0, .table = RT_TABLE_LOCAL, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, .suppress_ifgroup = -1, },
873 { .family = AF_INET6, .priority_set = true, .priority = 1000, .table = RT_TABLE_UNSPEC, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, .suppress_ifgroup = -1, .l3mdev = true },
874 { .family = AF_INET6, .priority_set = true, .priority = 32766, .table = RT_TABLE_MAIN, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, .suppress_ifgroup = -1, },
875 };
876
877 static bool routing_policy_rule_is_created_by_kernel(const RoutingPolicyRule *rule) {
878 assert(rule);
879
880 for (size_t i = 0; i < ELEMENTSOF(kernel_rules); i++)
881 if (routing_policy_rule_equal(rule, &kernel_rules[i]))
882 return true;
883
884 return false;
885 }
886
887 int manager_rtnl_process_rule(sd_netlink *rtnl, sd_netlink_message *message, Manager *m) {
888 _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *tmp = NULL;
889 RoutingPolicyRule *rule = NULL;
890 bool adjust_protocol = false;
891 uint16_t type;
892 int r;
893
894 assert(rtnl);
895 assert(message);
896
897 if (sd_netlink_message_is_error(message)) {
898 r = sd_netlink_message_get_errno(message);
899 if (r < 0)
900 log_message_warning_errno(message, r, "rtnl: failed to receive rule message, ignoring");
901
902 return 0;
903 }
904
905 r = sd_netlink_message_get_type(message, &type);
906 if (r < 0) {
907 log_warning_errno(r, "rtnl: could not get message type, ignoring: %m");
908 return 0;
909 } else if (!IN_SET(type, RTM_NEWRULE, RTM_DELRULE)) {
910 log_warning("rtnl: received unexpected message type %u when processing rule, ignoring.", type);
911 return 0;
912 }
913
914 r = routing_policy_rule_new(&tmp);
915 if (r < 0) {
916 log_oom();
917 return 0;
918 }
919
920 r = sd_rtnl_message_get_family(message, &tmp->family);
921 if (r < 0) {
922 log_warning_errno(r, "rtnl: could not get rule family, ignoring: %m");
923 return 0;
924 } else if (!IN_SET(tmp->family, AF_INET, AF_INET6)) {
925 log_debug("rtnl: received rule message with invalid family %d, ignoring.", tmp->family);
926 return 0;
927 }
928
929 r = netlink_message_read_in_addr_union(message, FRA_SRC, tmp->family, &tmp->from);
930 if (r < 0 && r != -ENODATA) {
931 log_warning_errno(r, "rtnl: could not get FRA_SRC attribute, ignoring: %m");
932 return 0;
933 } else if (r >= 0) {
934 r = sd_rtnl_message_routing_policy_rule_get_fib_src_prefixlen(message, &tmp->from_prefixlen);
935 if (r < 0) {
936 log_warning_errno(r, "rtnl: received rule message without valid source prefix length, ignoring: %m");
937 return 0;
938 }
939 }
940
941 r = netlink_message_read_in_addr_union(message, FRA_DST, tmp->family, &tmp->to);
942 if (r < 0 && r != -ENODATA) {
943 log_warning_errno(r, "rtnl: could not get FRA_DST attribute, ignoring: %m");
944 return 0;
945 } else if (r >= 0) {
946 r = sd_rtnl_message_routing_policy_rule_get_fib_dst_prefixlen(message, &tmp->to_prefixlen);
947 if (r < 0) {
948 log_warning_errno(r, "rtnl: received rule message without valid destination prefix length, ignoring: %m");
949 return 0;
950 }
951 }
952
953 unsigned flags;
954 r = sd_rtnl_message_routing_policy_rule_get_flags(message, &flags);
955 if (r < 0) {
956 log_warning_errno(r, "rtnl: received rule message without valid flag, ignoring: %m");
957 return 0;
958 }
959 tmp->invert_rule = flags & FIB_RULE_INVERT;
960
961 r = sd_netlink_message_read_u32(message, FRA_FWMARK, &tmp->fwmark);
962 if (r < 0 && r != -ENODATA) {
963 log_warning_errno(r, "rtnl: could not get FRA_FWMARK attribute, ignoring: %m");
964 return 0;
965 }
966
967 r = sd_netlink_message_read_u32(message, FRA_FWMASK, &tmp->fwmask);
968 if (r < 0 && r != -ENODATA) {
969 log_warning_errno(r, "rtnl: could not get FRA_FWMASK attribute, ignoring: %m");
970 return 0;
971 }
972
973 r = sd_netlink_message_read_u32(message, FRA_PRIORITY, &tmp->priority);
974 if (r < 0 && r != -ENODATA) {
975 log_warning_errno(r, "rtnl: could not get FRA_PRIORITY attribute, ignoring: %m");
976 return 0;
977 }
978 /* The kernel does not send priority if priority is zero. So, the flag below must be always set
979 * even if the message does not contain FRA_PRIORITY. */
980 tmp->priority_set = true;
981
982 r = sd_netlink_message_read_u32(message, FRA_TABLE, &tmp->table);
983 if (r < 0 && r != -ENODATA) {
984 log_warning_errno(r, "rtnl: could not get FRA_TABLE attribute, ignoring: %m");
985 return 0;
986 }
987
988 r = sd_rtnl_message_routing_policy_rule_get_tos(message, &tmp->tos);
989 if (r < 0 && r != -ENODATA) {
990 log_warning_errno(r, "rtnl: could not get FIB rule TOS, ignoring: %m");
991 return 0;
992 }
993
994 r = sd_rtnl_message_routing_policy_rule_get_fib_type(message, &tmp->type);
995 if (r < 0 && r != -ENODATA) {
996 log_warning_errno(r, "rtnl: could not get FIB rule type, ignoring: %m");
997 return 0;
998 }
999
1000 r = sd_netlink_message_read_string_strdup(message, FRA_IIFNAME, &tmp->iif);
1001 if (r < 0 && r != -ENODATA) {
1002 log_warning_errno(r, "rtnl: could not get FRA_IIFNAME attribute, ignoring: %m");
1003 return 0;
1004 }
1005
1006 r = sd_netlink_message_read_string_strdup(message, FRA_OIFNAME, &tmp->oif);
1007 if (r < 0 && r != -ENODATA) {
1008 log_warning_errno(r, "rtnl: could not get FRA_OIFNAME attribute, ignoring: %m");
1009 return 0;
1010 }
1011
1012 r = sd_netlink_message_read_u8(message, FRA_IP_PROTO, &tmp->ipproto);
1013 if (r < 0 && r != -ENODATA) {
1014 log_warning_errno(r, "rtnl: could not get FRA_IP_PROTO attribute, ignoring: %m");
1015 return 0;
1016 }
1017
1018 r = sd_netlink_message_read_u8(message, FRA_PROTOCOL, &tmp->protocol);
1019 if (r == -ENODATA)
1020 /* If FRA_PROTOCOL is supported by kernel, then the attribute is always appended.
1021 * When the received message does not have FRA_PROTOCOL, then we need to adjust the
1022 * protocol of the rule later. */
1023 adjust_protocol = true;
1024 else if (r < 0) {
1025 log_warning_errno(r, "rtnl: could not get FRA_PROTOCOL attribute, ignoring: %m");
1026 return 0;
1027 }
1028
1029 uint8_t l3mdev = 0;
1030 r = sd_netlink_message_read_u8(message, FRA_L3MDEV, &l3mdev);
1031 if (r < 0 && r != -ENODATA) {
1032 log_warning_errno(r, "rtnl: could not get FRA_L3MDEV attribute, ignoring: %m");
1033 return 0;
1034 }
1035 tmp->l3mdev = l3mdev != 0;
1036
1037 r = sd_netlink_message_read(message, FRA_SPORT_RANGE, sizeof(tmp->sport), &tmp->sport);
1038 if (r < 0 && r != -ENODATA) {
1039 log_warning_errno(r, "rtnl: could not get FRA_SPORT_RANGE attribute, ignoring: %m");
1040 return 0;
1041 }
1042
1043 r = sd_netlink_message_read(message, FRA_DPORT_RANGE, sizeof(tmp->dport), &tmp->dport);
1044 if (r < 0 && r != -ENODATA) {
1045 log_warning_errno(r, "rtnl: could not get FRA_DPORT_RANGE attribute, ignoring: %m");
1046 return 0;
1047 }
1048
1049 r = sd_netlink_message_read(message, FRA_UID_RANGE, sizeof(tmp->uid_range), &tmp->uid_range);
1050 if (r < 0 && r != -ENODATA) {
1051 log_warning_errno(r, "rtnl: could not get FRA_UID_RANGE attribute, ignoring: %m");
1052 return 0;
1053 }
1054
1055 uint32_t suppress_prefixlen;
1056 r = sd_netlink_message_read_u32(message, FRA_SUPPRESS_PREFIXLEN, &suppress_prefixlen);
1057 if (r < 0 && r != -ENODATA) {
1058 log_warning_errno(r, "rtnl: could not get FRA_SUPPRESS_PREFIXLEN attribute, ignoring: %m");
1059 return 0;
1060 }
1061 if (r >= 0)
1062 tmp->suppress_prefixlen = (int32_t) suppress_prefixlen;
1063
1064 uint32_t suppress_ifgroup;
1065 r = sd_netlink_message_read_u32(message, FRA_SUPPRESS_IFGROUP, &suppress_ifgroup);
1066 if (r < 0 && r != -ENODATA) {
1067 log_warning_errno(r, "rtnl: could not get FRA_SUPPRESS_IFGROUP attribute, ignoring: %m");
1068 return 0;
1069 }
1070 if (r >= 0)
1071 tmp->suppress_ifgroup = (int32_t) suppress_ifgroup;
1072
1073 if (adjust_protocol)
1074 /* As .network files does not have setting to specify protocol, we can assume the
1075 * protocol of the received rule is RTPROT_KERNEL or RTPROT_STATIC. */
1076 tmp->protocol = routing_policy_rule_is_created_by_kernel(tmp) ? RTPROT_KERNEL : RTPROT_STATIC;
1077
1078 (void) routing_policy_rule_get(m, tmp, &rule);
1079
1080 switch (type) {
1081 case RTM_NEWRULE:
1082 if (rule) {
1083 routing_policy_rule_enter_configured(rule);
1084 log_routing_policy_rule_debug(rule, "Received remembered", NULL, m);
1085 } else if (!m->manage_foreign_rules) {
1086 routing_policy_rule_enter_configured(tmp);
1087 log_routing_policy_rule_debug(tmp, "Ignoring received", NULL, m);
1088 } else {
1089 routing_policy_rule_enter_configured(tmp);
1090 log_routing_policy_rule_debug(tmp, "Remembering", NULL, m);
1091 r = routing_policy_rule_add(m, tmp);
1092 if (r < 0) {
1093 log_warning_errno(r, "Could not remember foreign rule, ignoring: %m");
1094 return 0;
1095 }
1096 TAKE_PTR(tmp);
1097 }
1098 break;
1099 case RTM_DELRULE:
1100 if (rule) {
1101 routing_policy_rule_enter_removed(rule);
1102 if (rule->state == 0) {
1103 log_routing_policy_rule_debug(rule, "Forgetting", NULL, m);
1104 routing_policy_rule_free(rule);
1105 } else
1106 log_routing_policy_rule_debug(rule, "Removed", NULL, m);
1107 } else
1108 log_routing_policy_rule_debug(tmp, "Kernel removed unknown", NULL, m);
1109 break;
1110
1111 default:
1112 assert_not_reached();
1113 }
1114
1115 return 1;
1116 }
1117
1118 static int parse_fwmark_fwmask(const char *s, uint32_t *ret_fwmark, uint32_t *ret_fwmask) {
1119 _cleanup_free_ char *fwmark_str = NULL;
1120 uint32_t fwmark, fwmask = 0;
1121 const char *slash;
1122 int r;
1123
1124 assert(s);
1125 assert(ret_fwmark);
1126 assert(ret_fwmask);
1127
1128 slash = strchr(s, '/');
1129 if (slash) {
1130 fwmark_str = strndup(s, slash - s);
1131 if (!fwmark_str)
1132 return -ENOMEM;
1133 }
1134
1135 r = safe_atou32(fwmark_str ?: s, &fwmark);
1136 if (r < 0)
1137 return r;
1138
1139 if (fwmark > 0) {
1140 if (slash) {
1141 r = safe_atou32(slash + 1, &fwmask);
1142 if (r < 0)
1143 return r;
1144 } else
1145 fwmask = UINT32_MAX;
1146 }
1147
1148 *ret_fwmark = fwmark;
1149 *ret_fwmask = fwmask;
1150
1151 return 0;
1152 }
1153
1154 int config_parse_routing_policy_rule_tos(
1155 const char *unit,
1156 const char *filename,
1157 unsigned line,
1158 const char *section,
1159 unsigned section_line,
1160 const char *lvalue,
1161 int ltype,
1162 const char *rvalue,
1163 void *data,
1164 void *userdata) {
1165
1166 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1167 Network *network = userdata;
1168 int r;
1169
1170 assert(filename);
1171 assert(section);
1172 assert(lvalue);
1173 assert(rvalue);
1174 assert(data);
1175
1176 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1177 if (r < 0)
1178 return log_oom();
1179
1180 r = safe_atou8(rvalue, &n->tos);
1181 if (r < 0) {
1182 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule TOS, ignoring: %s", rvalue);
1183 return 0;
1184 }
1185
1186 TAKE_PTR(n);
1187 return 0;
1188 }
1189
1190 int config_parse_routing_policy_rule_priority(
1191 const char *unit,
1192 const char *filename,
1193 unsigned line,
1194 const char *section,
1195 unsigned section_line,
1196 const char *lvalue,
1197 int ltype,
1198 const char *rvalue,
1199 void *data,
1200 void *userdata) {
1201
1202 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1203 Network *network = userdata;
1204 int r;
1205
1206 assert(filename);
1207 assert(section);
1208 assert(lvalue);
1209 assert(rvalue);
1210 assert(data);
1211
1212 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1213 if (r < 0)
1214 return log_oom();
1215
1216 if (isempty(rvalue)) {
1217 n->priority = 0;
1218 n->priority_set = false;
1219 TAKE_PTR(n);
1220 return 0;
1221 }
1222
1223 r = safe_atou32(rvalue, &n->priority);
1224 if (r < 0) {
1225 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule priority, ignoring: %s", rvalue);
1226 return 0;
1227 }
1228 n->priority_set = true;
1229
1230 TAKE_PTR(n);
1231 return 0;
1232 }
1233
1234 int config_parse_routing_policy_rule_table(
1235 const char *unit,
1236 const char *filename,
1237 unsigned line,
1238 const char *section,
1239 unsigned section_line,
1240 const char *lvalue,
1241 int ltype,
1242 const char *rvalue,
1243 void *data,
1244 void *userdata) {
1245
1246 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1247 Network *network = userdata;
1248 int r;
1249
1250 assert(filename);
1251 assert(section);
1252 assert(lvalue);
1253 assert(rvalue);
1254 assert(data);
1255
1256 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1257 if (r < 0)
1258 return log_oom();
1259
1260 r = manager_get_route_table_from_string(network->manager, rvalue, &n->table);
1261 if (r < 0) {
1262 log_syntax(unit, LOG_WARNING, filename, line, r,
1263 "Could not parse RPDB rule route table \"%s\", ignoring assignment: %m", rvalue);
1264 return 0;
1265 }
1266
1267 TAKE_PTR(n);
1268 return 0;
1269 }
1270
1271 int config_parse_routing_policy_rule_fwmark_mask(
1272 const char *unit,
1273 const char *filename,
1274 unsigned line,
1275 const char *section,
1276 unsigned section_line,
1277 const char *lvalue,
1278 int ltype,
1279 const char *rvalue,
1280 void *data,
1281 void *userdata) {
1282
1283 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1284 Network *network = userdata;
1285 int r;
1286
1287 assert(filename);
1288 assert(section);
1289 assert(lvalue);
1290 assert(rvalue);
1291 assert(data);
1292
1293 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1294 if (r < 0)
1295 return log_oom();
1296
1297 r = parse_fwmark_fwmask(rvalue, &n->fwmark, &n->fwmask);
1298 if (r < 0) {
1299 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule firewall mark or mask, ignoring: %s", rvalue);
1300 return 0;
1301 }
1302
1303 TAKE_PTR(n);
1304 return 0;
1305 }
1306
1307 int config_parse_routing_policy_rule_prefix(
1308 const char *unit,
1309 const char *filename,
1310 unsigned line,
1311 const char *section,
1312 unsigned section_line,
1313 const char *lvalue,
1314 int ltype,
1315 const char *rvalue,
1316 void *data,
1317 void *userdata) {
1318
1319 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1320 Network *network = userdata;
1321 union in_addr_union *buffer;
1322 uint8_t *prefixlen;
1323 int r;
1324
1325 assert(filename);
1326 assert(section);
1327 assert(lvalue);
1328 assert(rvalue);
1329 assert(data);
1330
1331 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1332 if (r < 0)
1333 return log_oom();
1334
1335 if (streq(lvalue, "To")) {
1336 buffer = &n->to;
1337 prefixlen = &n->to_prefixlen;
1338 } else {
1339 buffer = &n->from;
1340 prefixlen = &n->from_prefixlen;
1341 }
1342
1343 if (n->family == AF_UNSPEC)
1344 r = in_addr_prefix_from_string_auto(rvalue, &n->family, buffer, prefixlen);
1345 else
1346 r = in_addr_prefix_from_string(rvalue, n->family, buffer, prefixlen);
1347 if (r < 0) {
1348 log_syntax(unit, LOG_WARNING, filename, line, r, "RPDB rule prefix is invalid, ignoring assignment: %s", rvalue);
1349 return 0;
1350 }
1351
1352 TAKE_PTR(n);
1353 return 0;
1354 }
1355
1356 int config_parse_routing_policy_rule_device(
1357 const char *unit,
1358 const char *filename,
1359 unsigned line,
1360 const char *section,
1361 unsigned section_line,
1362 const char *lvalue,
1363 int ltype,
1364 const char *rvalue,
1365 void *data,
1366 void *userdata) {
1367
1368 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1369 Network *network = userdata;
1370 int r;
1371
1372 assert(filename);
1373 assert(section);
1374 assert(lvalue);
1375 assert(rvalue);
1376 assert(data);
1377
1378 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1379 if (r < 0)
1380 return log_oom();
1381
1382 if (!ifname_valid(rvalue)) {
1383 log_syntax(unit, LOG_WARNING, filename, line, 0,
1384 "Invalid interface name '%s' in %s=, ignoring assignment.", rvalue, lvalue);
1385 return 0;
1386 }
1387
1388 r = free_and_strdup(streq(lvalue, "IncomingInterface") ? &n->iif : &n->oif, rvalue);
1389 if (r < 0)
1390 return log_oom();
1391
1392 TAKE_PTR(n);
1393 return 0;
1394 }
1395
1396 int config_parse_routing_policy_rule_port_range(
1397 const char *unit,
1398 const char *filename,
1399 unsigned line,
1400 const char *section,
1401 unsigned section_line,
1402 const char *lvalue,
1403 int ltype,
1404 const char *rvalue,
1405 void *data,
1406 void *userdata) {
1407
1408 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1409 Network *network = userdata;
1410 uint16_t low, high;
1411 int r;
1412
1413 assert(filename);
1414 assert(section);
1415 assert(lvalue);
1416 assert(rvalue);
1417 assert(data);
1418
1419 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1420 if (r < 0)
1421 return log_oom();
1422
1423 r = parse_ip_port_range(rvalue, &low, &high, /* allow_zero = */ false);
1424 if (r < 0) {
1425 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse routing policy rule port range '%s'", rvalue);
1426 return 0;
1427 }
1428
1429 if (streq(lvalue, "SourcePort")) {
1430 n->sport.start = low;
1431 n->sport.end = high;
1432 } else {
1433 n->dport.start = low;
1434 n->dport.end = high;
1435 }
1436
1437 TAKE_PTR(n);
1438 return 0;
1439 }
1440
1441 int config_parse_routing_policy_rule_ip_protocol(
1442 const char *unit,
1443 const char *filename,
1444 unsigned line,
1445 const char *section,
1446 unsigned section_line,
1447 const char *lvalue,
1448 int ltype,
1449 const char *rvalue,
1450 void *data,
1451 void *userdata) {
1452
1453 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1454 Network *network = userdata;
1455 int r;
1456
1457 assert(filename);
1458 assert(section);
1459 assert(lvalue);
1460 assert(rvalue);
1461 assert(data);
1462
1463 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1464 if (r < 0)
1465 return log_oom();
1466
1467 r = parse_ip_protocol(rvalue);
1468 if (r < 0) {
1469 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse IP protocol '%s' for routing policy rule, ignoring: %m", rvalue);
1470 return 0;
1471 }
1472
1473 n->ipproto = r;
1474
1475 TAKE_PTR(n);
1476 return 0;
1477 }
1478
1479 int config_parse_routing_policy_rule_invert(
1480 const char *unit,
1481 const char *filename,
1482 unsigned line,
1483 const char *section,
1484 unsigned section_line,
1485 const char *lvalue,
1486 int ltype,
1487 const char *rvalue,
1488 void *data,
1489 void *userdata) {
1490
1491 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1492 Network *network = userdata;
1493 int r;
1494
1495 assert(filename);
1496 assert(section);
1497 assert(lvalue);
1498 assert(rvalue);
1499 assert(data);
1500
1501 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1502 if (r < 0)
1503 return log_oom();
1504
1505 r = parse_boolean(rvalue);
1506 if (r < 0) {
1507 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule invert, ignoring: %s", rvalue);
1508 return 0;
1509 }
1510
1511 n->invert_rule = r;
1512
1513 TAKE_PTR(n);
1514 return 0;
1515 }
1516
1517 int config_parse_routing_policy_rule_l3mdev(
1518 const char *unit,
1519 const char *filename,
1520 unsigned line,
1521 const char *section,
1522 unsigned section_line,
1523 const char *lvalue,
1524 int ltype,
1525 const char *rvalue,
1526 void *data,
1527 void *userdata) {
1528
1529 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1530 Network *network = userdata;
1531 int r;
1532
1533 assert(filename);
1534 assert(section);
1535 assert(lvalue);
1536 assert(rvalue);
1537 assert(data);
1538
1539 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1540 if (r < 0)
1541 return log_oom();
1542
1543 r = parse_boolean(rvalue);
1544 if (r < 0) {
1545 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule l3mdev, ignoring: %s", rvalue);
1546 return 0;
1547 }
1548
1549 n->l3mdev = r;
1550
1551 TAKE_PTR(n);
1552 return 0;
1553 }
1554
1555 int config_parse_routing_policy_rule_family(
1556 const char *unit,
1557 const char *filename,
1558 unsigned line,
1559 const char *section,
1560 unsigned section_line,
1561 const char *lvalue,
1562 int ltype,
1563 const char *rvalue,
1564 void *data,
1565 void *userdata) {
1566
1567 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1568 Network *network = userdata;
1569 AddressFamily a;
1570 int r;
1571
1572 assert(filename);
1573 assert(section);
1574 assert(lvalue);
1575 assert(rvalue);
1576 assert(data);
1577
1578 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1579 if (r < 0)
1580 return log_oom();
1581
1582 a = routing_policy_rule_address_family_from_string(rvalue);
1583 if (a < 0) {
1584 log_syntax(unit, LOG_WARNING, filename, line, a,
1585 "Invalid address family '%s', ignoring.", rvalue);
1586 return 0;
1587 }
1588
1589 n->address_family = a;
1590
1591 TAKE_PTR(n);
1592 return 0;
1593 }
1594
1595 int config_parse_routing_policy_rule_uid_range(
1596 const char *unit,
1597 const char *filename,
1598 unsigned line,
1599 const char *section,
1600 unsigned section_line,
1601 const char *lvalue,
1602 int ltype,
1603 const char *rvalue,
1604 void *data,
1605 void *userdata) {
1606
1607 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1608 Network *network = userdata;
1609 uid_t start, end;
1610 int r;
1611
1612 assert(filename);
1613 assert(section);
1614 assert(lvalue);
1615 assert(rvalue);
1616 assert(data);
1617
1618 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1619 if (r < 0)
1620 return log_oom();
1621
1622 r = get_user_creds(&rvalue, &start, NULL, NULL, NULL, 0);
1623 if (r >= 0)
1624 end = start;
1625 else {
1626 r = parse_uid_range(rvalue, &start, &end);
1627 if (r < 0) {
1628 log_syntax(unit, LOG_WARNING, filename, line, r,
1629 "Invalid uid or uid range '%s', ignoring: %m", rvalue);
1630 return 0;
1631 }
1632 }
1633
1634 n->uid_range.start = start;
1635 n->uid_range.end = end;
1636
1637 TAKE_PTR(n);
1638 return 0;
1639 }
1640
1641 int config_parse_routing_policy_rule_suppress_prefixlen(
1642 const char *unit,
1643 const char *filename,
1644 unsigned line,
1645 const char *section,
1646 unsigned section_line,
1647 const char *lvalue,
1648 int ltype,
1649 const char *rvalue,
1650 void *data,
1651 void *userdata) {
1652
1653 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1654 Network *network = userdata;
1655 int r;
1656
1657 assert(filename);
1658 assert(section);
1659 assert(lvalue);
1660 assert(rvalue);
1661 assert(data);
1662
1663 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1664 if (r < 0)
1665 return log_oom();
1666
1667 r = parse_ip_prefix_length(rvalue, &n->suppress_prefixlen);
1668 if (r == -ERANGE) {
1669 log_syntax(unit, LOG_WARNING, filename, line, r, "Prefix length outside of valid range 0-128, ignoring: %s", rvalue);
1670 return 0;
1671 }
1672 if (r < 0) {
1673 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule suppress_prefixlen, ignoring: %s", rvalue);
1674 return 0;
1675 }
1676
1677 TAKE_PTR(n);
1678 return 0;
1679 }
1680
1681 int config_parse_routing_policy_rule_suppress_ifgroup(
1682 const char *unit,
1683 const char *filename,
1684 unsigned line,
1685 const char *section,
1686 unsigned section_line,
1687 const char *lvalue,
1688 int ltype,
1689 const char *rvalue,
1690 void *data,
1691 void *userdata) {
1692
1693 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1694 Network *network = userdata;
1695 int32_t suppress_ifgroup;
1696 int r;
1697
1698 assert(filename);
1699 assert(section);
1700 assert(lvalue);
1701 assert(rvalue);
1702 assert(data);
1703
1704 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1705 if (r < 0)
1706 return log_oom();
1707
1708 if (isempty(rvalue)) {
1709 n->suppress_ifgroup = -1;
1710 return 0;
1711 }
1712
1713 r = safe_atoi32(rvalue, &suppress_ifgroup);
1714 if (r < 0) {
1715 log_syntax(unit, LOG_WARNING, filename, line, r,
1716 "Failed to parse SuppressInterfaceGroup=, ignoring assignment: %s", rvalue);
1717 return 0;
1718 }
1719 if (suppress_ifgroup < 0) {
1720 log_syntax(unit, LOG_WARNING, filename, line, 0,
1721 "Value of SuppressInterfaceGroup= must be in the range 0…2147483647, ignoring assignment: %s", rvalue);
1722 return 0;
1723 }
1724 n->suppress_ifgroup = suppress_ifgroup;
1725 TAKE_PTR(n);
1726 return 0;
1727 }
1728
1729 int config_parse_routing_policy_rule_type(
1730 const char *unit,
1731 const char *filename,
1732 unsigned line,
1733 const char *section,
1734 unsigned section_line,
1735 const char *lvalue,
1736 int ltype,
1737 const char *rvalue,
1738 void *data,
1739 void *userdata) {
1740
1741 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1742 Network *network = userdata;
1743 int r, t;
1744
1745 assert(filename);
1746 assert(section);
1747 assert(lvalue);
1748 assert(rvalue);
1749 assert(data);
1750
1751 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1752 if (r < 0)
1753 return log_oom();
1754
1755 t = fr_act_type_from_string(rvalue);
1756 if (t < 0) {
1757 log_syntax(unit, LOG_WARNING, filename, line, t,
1758 "Could not parse FIB rule type \"%s\", ignoring assignment: %m", rvalue);
1759 return 0;
1760 }
1761
1762 n->type = (uint8_t) t;
1763
1764 TAKE_PTR(n);
1765 return 0;
1766 }
1767
1768 static int routing_policy_rule_section_verify(RoutingPolicyRule *rule) {
1769 if (section_is_invalid(rule->section))
1770 return -EINVAL;
1771
1772 if ((rule->family == AF_INET && FLAGS_SET(rule->address_family, ADDRESS_FAMILY_IPV6)) ||
1773 (rule->family == AF_INET6 && FLAGS_SET(rule->address_family, ADDRESS_FAMILY_IPV4)))
1774 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1775 "%s: address family specified by Family= conflicts with the address "
1776 "specified by To= or From=. Ignoring [RoutingPolicyRule] section from line %u.",
1777 rule->section->filename, rule->section->line);
1778
1779 if (rule->family == AF_UNSPEC) {
1780 if (IN_SET(rule->address_family, ADDRESS_FAMILY_IPV4, ADDRESS_FAMILY_NO))
1781 rule->family = AF_INET;
1782 else if (rule->address_family == ADDRESS_FAMILY_IPV6)
1783 rule->family = AF_INET6;
1784 /* rule->family can be AF_UNSPEC only when Family=both. */
1785 }
1786
1787 return 0;
1788 }
1789
1790 void network_drop_invalid_routing_policy_rules(Network *network) {
1791 RoutingPolicyRule *rule;
1792
1793 assert(network);
1794
1795 HASHMAP_FOREACH(rule, network->rules_by_section)
1796 if (routing_policy_rule_section_verify(rule) < 0)
1797 routing_policy_rule_free(rule);
1798 }
Unnamed repository; edit this file 'description' to name the repository.