]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/network/networkd-routing-policy-rule.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #18007 from fw-strlen/ipv6_masq_and_dnat
[thirdparty/systemd.git] / src / network / networkd-routing-policy-rule.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <net/if.h>
4 #include <linux/fib_rules.h>
5
6 #include "af-list.h"
7 #include "alloc-util.h"
8 #include "conf-parser.h"
9 #include "fileio.h"
10 #include "format-util.h"
11 #include "hashmap.h"
12 #include "ip-protocol-list.h"
13 #include "netlink-util.h"
14 #include "networkd-manager.h"
15 #include "networkd-routing-policy-rule.h"
16 #include "networkd-util.h"
17 #include "parse-util.h"
18 #include "socket-util.h"
19 #include "string-table.h"
20 #include "string-util.h"
21 #include "strv.h"
22 #include "user-util.h"
23
24 static const char *const fr_act_type_table[__FR_ACT_MAX] = {
25 [FR_ACT_BLACKHOLE] = "blackhole",
26 [FR_ACT_UNREACHABLE] = "unreachable",
27 [FR_ACT_PROHIBIT] = "prohibit",
28 };
29
30 assert_cc(__FR_ACT_MAX <= UINT8_MAX);
31 DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(fr_act_type, int);
32
33 RoutingPolicyRule *routing_policy_rule_free(RoutingPolicyRule *rule) {
34 if (!rule)
35 return NULL;
36
37 if (rule->network) {
38 assert(rule->section);
39 hashmap_remove(rule->network->rules_by_section, rule->section);
40 }
41
42 if (rule->manager) {
43 set_remove(rule->manager->rules, rule);
44 set_remove(rule->manager->rules_foreign, rule);
45 }
46
47 network_config_section_free(rule->section);
48 free(rule->iif);
49 free(rule->oif);
50
51 return mfree(rule);
52 }
53
54 DEFINE_NETWORK_SECTION_FUNCTIONS(RoutingPolicyRule, routing_policy_rule_free);
55
56 static int routing_policy_rule_new(RoutingPolicyRule **ret) {
57 RoutingPolicyRule *rule;
58
59 rule = new(RoutingPolicyRule, 1);
60 if (!rule)
61 return -ENOMEM;
62
63 *rule = (RoutingPolicyRule) {
64 .table = RT_TABLE_MAIN,
65 .uid_range.start = UID_INVALID,
66 .uid_range.end = UID_INVALID,
67 .suppress_prefixlen = -1,
68 .protocol = RTPROT_UNSPEC,
69 .type = FR_ACT_TO_TBL,
70 };
71
72 *ret = rule;
73 return 0;
74 }
75
76 static int routing_policy_rule_new_static(Network *network, const char *filename, unsigned section_line, RoutingPolicyRule **ret) {
77 _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *rule = NULL;
78 _cleanup_(network_config_section_freep) NetworkConfigSection *n = NULL;
79 int r;
80
81 assert(network);
82 assert(ret);
83 assert(filename);
84 assert(section_line > 0);
85
86 r = network_config_section_new(filename, section_line, &n);
87 if (r < 0)
88 return r;
89
90 rule = hashmap_get(network->rules_by_section, n);
91 if (rule) {
92 *ret = TAKE_PTR(rule);
93 return 0;
94 }
95
96 r = routing_policy_rule_new(&rule);
97 if (r < 0)
98 return r;
99
100 rule->network = network;
101 rule->section = TAKE_PTR(n);
102 rule->protocol = RTPROT_STATIC;
103
104 r = hashmap_ensure_put(&network->rules_by_section, &network_config_hash_ops, rule->section, rule);
105 if (r < 0)
106 return r;
107
108 *ret = TAKE_PTR(rule);
109 return 0;
110 }
111
112 static int routing_policy_rule_copy(RoutingPolicyRule *dest, const RoutingPolicyRule *src) {
113 _cleanup_free_ char *iif = NULL, *oif = NULL;
114
115 assert(dest);
116 assert(src);
117
118 if (src->iif) {
119 iif = strdup(src->iif);
120 if (!iif)
121 return -ENOMEM;
122 }
123
124 if (src->oif) {
125 oif = strdup(src->oif);
126 if (!oif)
127 return -ENOMEM;
128 }
129
130 dest->family = src->family;
131 dest->from = src->from;
132 dest->from_prefixlen = src->from_prefixlen;
133 dest->to = src->to;
134 dest->to_prefixlen = src->to_prefixlen;
135 dest->invert_rule = src->invert_rule;
136 dest->tos = src->tos;
137 dest->type = src->type;
138 dest->fwmark = src->fwmark;
139 dest->fwmask = src->fwmask;
140 dest->priority = src->priority;
141 dest->table = src->table;
142 dest->iif = TAKE_PTR(iif);
143 dest->oif = TAKE_PTR(oif);
144 dest->ipproto = src->ipproto;
145 dest->protocol = src->protocol;
146 dest->sport = src->sport;
147 dest->dport = src->dport;
148 dest->uid_range = src->uid_range;
149 dest->suppress_prefixlen = src->suppress_prefixlen;
150
151 return 0;
152 }
153
154 static void routing_policy_rule_hash_func(const RoutingPolicyRule *rule, struct siphash *state) {
155 assert(rule);
156
157 siphash24_compress(&rule->family, sizeof(rule->family), state);
158
159 switch (rule->family) {
160 case AF_INET:
161 case AF_INET6:
162 siphash24_compress(&rule->from, FAMILY_ADDRESS_SIZE(rule->family), state);
163 siphash24_compress(&rule->from_prefixlen, sizeof(rule->from_prefixlen), state);
164
165 siphash24_compress(&rule->to, FAMILY_ADDRESS_SIZE(rule->family), state);
166 siphash24_compress(&rule->to_prefixlen, sizeof(rule->to_prefixlen), state);
167
168 siphash24_compress_boolean(rule->invert_rule, state);
169
170 siphash24_compress(&rule->tos, sizeof(rule->tos), state);
171 siphash24_compress(&rule->type, sizeof(rule->type), state);
172 siphash24_compress(&rule->fwmark, sizeof(rule->fwmark), state);
173 siphash24_compress(&rule->fwmask, sizeof(rule->fwmask), state);
174 siphash24_compress(&rule->priority, sizeof(rule->priority), state);
175 siphash24_compress(&rule->table, sizeof(rule->table), state);
176 siphash24_compress(&rule->suppress_prefixlen, sizeof(rule->suppress_prefixlen), state);
177
178 siphash24_compress(&rule->ipproto, sizeof(rule->ipproto), state);
179 siphash24_compress(&rule->protocol, sizeof(rule->protocol), state);
180 siphash24_compress(&rule->sport, sizeof(rule->sport), state);
181 siphash24_compress(&rule->dport, sizeof(rule->dport), state);
182 siphash24_compress(&rule->uid_range, sizeof(rule->uid_range), state);
183
184 siphash24_compress_string(rule->iif, state);
185 siphash24_compress_string(rule->oif, state);
186
187 break;
188 default:
189 /* treat any other address family as AF_UNSPEC */
190 break;
191 }
192 }
193
194 static int routing_policy_rule_compare_func(const RoutingPolicyRule *a, const RoutingPolicyRule *b) {
195 int r;
196
197 r = CMP(a->family, b->family);
198 if (r != 0)
199 return r;
200
201 switch (a->family) {
202 case AF_INET:
203 case AF_INET6:
204 r = CMP(a->from_prefixlen, b->from_prefixlen);
205 if (r != 0)
206 return r;
207
208 r = memcmp(&a->from, &b->from, FAMILY_ADDRESS_SIZE(a->family));
209 if (r != 0)
210 return r;
211
212 r = CMP(a->to_prefixlen, b->to_prefixlen);
213 if (r != 0)
214 return r;
215
216 r = memcmp(&a->to, &b->to, FAMILY_ADDRESS_SIZE(a->family));
217 if (r != 0)
218 return r;
219
220 r = CMP(a->invert_rule, b->invert_rule);
221 if (r != 0)
222 return r;
223
224 r = CMP(a->tos, b->tos);
225 if (r != 0)
226 return r;
227
228 r = CMP(a->type, b->type);
229 if (r != 0)
230 return r;
231
232 r = CMP(a->fwmark, b->fwmark);
233 if (r != 0)
234 return r;
235
236 r = CMP(a->fwmask, b->fwmask);
237 if (r != 0)
238 return r;
239
240 r = CMP(a->priority, b->priority);
241 if (r != 0)
242 return r;
243
244 r = CMP(a->table, b->table);
245 if (r != 0)
246 return r;
247
248 r = CMP(a->suppress_prefixlen, b->suppress_prefixlen);
249 if (r != 0)
250 return r;
251
252 r = CMP(a->ipproto, b->ipproto);
253 if (r != 0)
254 return r;
255
256 r = CMP(a->protocol, b->protocol);
257 if (r != 0)
258 return r;
259
260 r = memcmp(&a->sport, &b->sport, sizeof(a->sport));
261 if (r != 0)
262 return r;
263
264 r = memcmp(&a->dport, &b->dport, sizeof(a->dport));
265 if (r != 0)
266 return r;
267
268 r = memcmp(&a->uid_range, &b->uid_range, sizeof(a->uid_range));
269 if (r != 0)
270 return r;
271
272 r = strcmp_ptr(a->iif, b->iif);
273 if (r != 0)
274 return r;
275
276 r = strcmp_ptr(a->oif, b->oif);
277 if (r != 0)
278 return r;
279
280 return 0;
281 default:
282 /* treat any other address family as AF_UNSPEC */
283 return 0;
284 }
285 }
286
287 static bool routing_policy_rule_equal(const RoutingPolicyRule *rule1, const RoutingPolicyRule *rule2) {
288 if (rule1 == rule2)
289 return true;
290
291 if (!rule1 || !rule2)
292 return false;
293
294 return routing_policy_rule_compare_func(rule1, rule2) == 0;
295 }
296
297 DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR(
298 routing_policy_rule_hash_ops,
299 RoutingPolicyRule,
300 routing_policy_rule_hash_func,
301 routing_policy_rule_compare_func,
302 routing_policy_rule_free);
303
304 static int routing_policy_rule_get(Manager *m, const RoutingPolicyRule *rule, RoutingPolicyRule **ret) {
305 RoutingPolicyRule *existing;
306
307 assert(m);
308
309 existing = set_get(m->rules, rule);
310 if (existing) {
311 if (ret)
312 *ret = existing;
313 return 1;
314 }
315
316 existing = set_get(m->rules_foreign, rule);
317 if (existing) {
318 if (ret)
319 *ret = existing;
320 return 0;
321 }
322
323 return -ENOENT;
324 }
325
326 static int routing_policy_rule_add(Manager *m, const RoutingPolicyRule *in, int family, RoutingPolicyRule **ret) {
327 _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *rule = NULL;
328 RoutingPolicyRule *existing;
329 bool is_new = false;
330 int r;
331
332 assert(m);
333 assert(in);
334 assert(IN_SET(family, AF_INET, AF_INET6));
335 assert(in->family == AF_UNSPEC || in->family == family);
336
337 r = routing_policy_rule_new(&rule);
338 if (r < 0)
339 return r;
340
341 r = routing_policy_rule_copy(rule, in);
342 if (r < 0)
343 return r;
344
345 rule->family = family;
346
347 r = routing_policy_rule_get(m, rule, &existing);
348 if (r == -ENOENT) {
349 /* Rule does not exist, use a new one. */
350 r = set_ensure_put(&m->rules, &routing_policy_rule_hash_ops, rule);
351 if (r < 0)
352 return r;
353 assert(r > 0);
354
355 rule->manager = m;
356 existing = TAKE_PTR(rule);
357 is_new = true;
358 } else if (r == 0) {
359 /* Take over a foreign rule. */
360 r = set_ensure_put(&m->rules, &routing_policy_rule_hash_ops, existing);
361 if (r < 0)
362 return r;
363 assert(r > 0);
364
365 set_remove(m->rules_foreign, existing);
366 } else if (r == 1) {
367 /* Already exists, do nothing. */
368 ;
369 } else
370 return r;
371
372 if (ret)
373 *ret = existing;
374 return is_new;
375 }
376
377 static int routing_policy_rule_consume_foreign(Manager *m, RoutingPolicyRule *rule) {
378 int r;
379
380 assert(m);
381 assert(rule);
382 assert(IN_SET(rule->family, AF_INET, AF_INET6));
383
384 r = set_ensure_consume(&m->rules_foreign, &routing_policy_rule_hash_ops, rule);
385 if (r <= 0)
386 return r;
387
388 rule->manager = m;
389
390 return 1;
391 }
392
393 static void log_routing_policy_rule_debug(const RoutingPolicyRule *rule, int family, const char *str, const Link *link, const Manager *m) {
394 assert(rule);
395 assert(IN_SET(family, AF_INET, AF_INET6));
396 assert(str);
397 assert(m);
398
399 /* link may be NULL. */
400
401 if (DEBUG_LOGGING) {
402 _cleanup_free_ char *from = NULL, *to = NULL, *table = NULL;
403
404 (void) in_addr_to_string(family, &rule->from, &from);
405 (void) in_addr_to_string(family, &rule->to, &to);
406 (void) manager_get_route_table_to_string(m, rule->table, &table);
407
408 log_link_debug(link,
409 "%s routing policy rule: priority: %"PRIu32", %s/%u -> %s/%u, iif: %s, oif: %s, table: %s",
410 str, rule->priority, strna(from), rule->from_prefixlen, strna(to), rule->to_prefixlen,
411 strna(rule->iif), strna(rule->oif), strna(table));
412 }
413 }
414
415 static int routing_policy_rule_set_netlink_message(const RoutingPolicyRule *rule, sd_netlink_message *m, Link *link) {
416 int r;
417
418 assert(rule);
419 assert(m);
420
421 /* link may be NULL. */
422
423 if (in_addr_is_null(rule->family, &rule->from) == 0) {
424 r = netlink_message_append_in_addr_union(m, FRA_SRC, rule->family, &rule->from);
425 if (r < 0)
426 return log_link_error_errno(link, r, "Could not append FRA_SRC attribute: %m");
427
428 r = sd_rtnl_message_routing_policy_rule_set_fib_src_prefixlen(m, rule->from_prefixlen);
429 if (r < 0)
430 return log_link_error_errno(link, r, "Could not set source prefix length: %m");
431 }
432
433 if (in_addr_is_null(rule->family, &rule->to) == 0) {
434 r = netlink_message_append_in_addr_union(m, FRA_DST, rule->family, &rule->to);
435 if (r < 0)
436 return log_link_error_errno(link, r, "Could not append FRA_DST attribute: %m");
437
438 r = sd_rtnl_message_routing_policy_rule_set_fib_dst_prefixlen(m, rule->to_prefixlen);
439 if (r < 0)
440 return log_link_error_errno(link, r, "Could not set destination prefix length: %m");
441 }
442
443 r = sd_netlink_message_append_u32(m, FRA_PRIORITY, rule->priority);
444 if (r < 0)
445 return log_link_error_errno(link, r, "Could not append FRA_PRIORITY attribute: %m");
446
447 if (rule->tos > 0) {
448 r = sd_rtnl_message_routing_policy_rule_set_tos(m, rule->tos);
449 if (r < 0)
450 return log_link_error_errno(link, r, "Could not set IP rule TOS: %m");
451 }
452
453 if (rule->table < 256) {
454 r = sd_rtnl_message_routing_policy_rule_set_table(m, rule->table);
455 if (r < 0)
456 return log_link_error_errno(link, r, "Could not set IP rule table: %m");
457 } else {
458 r = sd_rtnl_message_routing_policy_rule_set_table(m, RT_TABLE_UNSPEC);
459 if (r < 0)
460 return log_link_error_errno(link, r, "Could not set IP rule table: %m");
461
462 r = sd_netlink_message_append_u32(m, FRA_TABLE, rule->table);
463 if (r < 0)
464 return log_link_error_errno(link, r, "Could not append FRA_TABLE attribute: %m");
465 }
466
467 if (rule->fwmark > 0) {
468 r = sd_netlink_message_append_u32(m, FRA_FWMARK, rule->fwmark);
469 if (r < 0)
470 return log_link_error_errno(link, r, "Could not append FRA_FWMARK attribute: %m");
471
472 r = sd_netlink_message_append_u32(m, FRA_FWMASK, rule->fwmask);
473 if (r < 0)
474 return log_link_error_errno(link, r, "Could not append FRA_FWMASK attribute: %m");
475 }
476
477 if (rule->iif) {
478 r = sd_netlink_message_append_string(m, FRA_IIFNAME, rule->iif);
479 if (r < 0)
480 return log_link_error_errno(link, r, "Could not append FRA_IIFNAME attribute: %m");
481 }
482
483 if (rule->oif) {
484 r = sd_netlink_message_append_string(m, FRA_OIFNAME, rule->oif);
485 if (r < 0)
486 return log_link_error_errno(link, r, "Could not append FRA_OIFNAME attribute: %m");
487 }
488
489 r = sd_netlink_message_append_u8(m, FRA_IP_PROTO, rule->ipproto);
490 if (r < 0)
491 return log_link_error_errno(link, r, "Could not append FRA_IP_PROTO attribute: %m");
492
493 r = sd_netlink_message_append_u8(m, FRA_PROTOCOL, rule->protocol);
494 if (r < 0)
495 return log_link_error_errno(link, r, "Could not append FRA_PROTOCOL attribute: %m");
496
497 if (rule->sport.start != 0 || rule->sport.end != 0) {
498 r = sd_netlink_message_append_data(m, FRA_SPORT_RANGE, &rule->sport, sizeof(rule->sport));
499 if (r < 0)
500 return log_link_error_errno(link, r, "Could not append FRA_SPORT_RANGE attribute: %m");
501 }
502
503 if (rule->dport.start != 0 || rule->dport.end != 0) {
504 r = sd_netlink_message_append_data(m, FRA_DPORT_RANGE, &rule->dport, sizeof(rule->dport));
505 if (r < 0)
506 return log_link_error_errno(link, r, "Could not append FRA_DPORT_RANGE attribute: %m");
507 }
508
509 if (rule->uid_range.start != UID_INVALID && rule->uid_range.end != UID_INVALID) {
510 r = sd_netlink_message_append_data(m, FRA_UID_RANGE, &rule->uid_range, sizeof(rule->uid_range));
511 if (r < 0)
512 return log_link_error_errno(link, r, "Could not append FRA_UID_RANGE attribute: %m");
513 }
514
515 if (rule->invert_rule) {
516 r = sd_rtnl_message_routing_policy_rule_set_flags(m, FIB_RULE_INVERT);
517 if (r < 0)
518 return log_link_error_errno(link, r, "Could not append FIB_RULE_INVERT attribute: %m");
519 }
520
521 if (rule->suppress_prefixlen >= 0) {
522 r = sd_netlink_message_append_u32(m, FRA_SUPPRESS_PREFIXLEN, (uint32_t) rule->suppress_prefixlen);
523 if (r < 0)
524 return log_link_error_errno(link, r, "Could not append FRA_SUPPRESS_PREFIXLEN attribute: %m");
525 }
526
527 if (rule->type != FR_ACT_TO_TBL) {
528 r = sd_rtnl_message_routing_policy_rule_set_fib_type(m, rule->type);
529 if (r < 0)
530 return log_link_error_errno(link, r, "Could not append FIB rule type attribute: %m");
531 }
532
533 return 0;
534 }
535
536 static int routing_policy_rule_remove_handler(sd_netlink *rtnl, sd_netlink_message *m, void *userdata) {
537 int r;
538
539 assert(m);
540
541 r = sd_netlink_message_get_errno(m);
542 if (r < 0)
543 log_message_warning_errno(m, r, "Could not drop routing policy rule");
544
545 return 1;
546 }
547
548 static int routing_policy_rule_remove(const RoutingPolicyRule *rule, Manager *manager) {
549 _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
550 int r;
551
552 assert(rule);
553 assert(manager);
554 assert(manager->rtnl);
555 assert(IN_SET(rule->family, AF_INET, AF_INET6));
556
557 log_routing_policy_rule_debug(rule, rule->family, "Removing", NULL, manager);
558
559 r = sd_rtnl_message_new_routing_policy_rule(manager->rtnl, &m, RTM_DELRULE, rule->family);
560 if (r < 0)
561 return log_error_errno(r, "Could not allocate RTM_DELRULE message: %m");
562
563 r = routing_policy_rule_set_netlink_message(rule, m, NULL);
564 if (r < 0)
565 return r;
566
567 r = sd_netlink_call_async(manager->rtnl, NULL, m,
568 routing_policy_rule_remove_handler,
569 NULL, NULL, 0, __func__);
570 if (r < 0)
571 return log_error_errno(r, "Could not send rtnetlink message: %m");
572
573 return 0;
574 }
575
576 static int routing_policy_rule_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) {
577 int r;
578
579 assert(rtnl);
580 assert(m);
581 assert(link);
582 assert(link->ifname);
583 assert(link->routing_policy_rule_messages > 0);
584
585 link->routing_policy_rule_messages--;
586
587 if (IN_SET(link->state, LINK_STATE_FAILED, LINK_STATE_LINGER))
588 return 1;
589
590 r = sd_netlink_message_get_errno(m);
591 if (r < 0 && r != -EEXIST) {
592 log_link_message_warning_errno(link, m, r, "Could not add routing policy rule");
593 link_enter_failed(link);
594 return 1;
595 }
596
597 if (link->routing_policy_rule_messages == 0) {
598 log_link_debug(link, "Routing policy rule configured");
599 link->routing_policy_rules_configured = true;
600 link_check_ready(link);
601 }
602
603 return 1;
604 }
605
606 static int routing_policy_rule_configure_internal(const RoutingPolicyRule *rule, int family, Link *link) {
607 _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
608 int r;
609
610 assert(rule);
611 assert(link);
612 assert(link->ifindex > 0);
613 assert(link->manager);
614 assert(link->manager->rtnl);
615
616 log_routing_policy_rule_debug(rule, family, "Configuring", link, link->manager);
617
618 r = sd_rtnl_message_new_routing_policy_rule(link->manager->rtnl, &m, RTM_NEWRULE, family);
619 if (r < 0)
620 return log_link_error_errno(link, r, "Could not allocate RTM_NEWRULE message: %m");
621
622 r = routing_policy_rule_set_netlink_message(rule, m, link);
623 if (r < 0)
624 return r;
625
626 r = netlink_call_async(link->manager->rtnl, NULL, m,
627 routing_policy_rule_handler,
628 link_netlink_destroy_callback, link);
629 if (r < 0)
630 return log_link_error_errno(link, r, "Could not send rtnetlink message: %m");
631
632 link_ref(link);
633 link->routing_policy_rule_messages++;
634
635 r = routing_policy_rule_add(link->manager, rule, family, NULL);
636 if (r < 0)
637 return log_link_error_errno(link, r, "Could not add rule: %m");
638
639 return r;
640 }
641
642 static int routing_policy_rule_configure(const RoutingPolicyRule *rule, Link *link) {
643 int r;
644
645 if (IN_SET(rule->family, AF_INET, AF_INET6))
646 return routing_policy_rule_configure_internal(rule, rule->family, link);
647
648 if (FLAGS_SET(rule->address_family, ADDRESS_FAMILY_IPV4)) {
649 r = routing_policy_rule_configure_internal(rule, AF_INET, link);
650 if (r < 0)
651 return r;
652 }
653
654 if (FLAGS_SET(rule->address_family, ADDRESS_FAMILY_IPV6)) {
655 r = routing_policy_rule_configure_internal(rule, AF_INET6, link);
656 if (r < 0)
657 return r;
658 }
659
660 return 0;
661 }
662
663 static int links_have_routing_policy_rule(const Manager *m, const RoutingPolicyRule *rule, const Link *except) {
664 Link *link;
665 int r;
666
667 assert(m);
668 assert(rule);
669
670 HASHMAP_FOREACH(link, m->links) {
671 RoutingPolicyRule *link_rule;
672
673 if (link == except)
674 continue;
675
676 if (!link->network)
677 continue;
678
679 HASHMAP_FOREACH(link_rule, link->network->rules_by_section)
680 if (IN_SET(link_rule->family, AF_INET, AF_INET6)) {
681 if (routing_policy_rule_equal(link_rule, rule))
682 return true;
683 } else {
684 /* The case Family=both. */
685 _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *tmp = NULL;
686
687 r = routing_policy_rule_new(&tmp);
688 if (r < 0)
689 return r;
690
691 r = routing_policy_rule_copy(tmp, link_rule);
692 if (r < 0)
693 return r;
694
695 tmp->family = AF_INET;
696 if (routing_policy_rule_equal(tmp, rule))
697 return true;
698
699 tmp->family = AF_INET6;
700 if (routing_policy_rule_equal(tmp, rule))
701 return true;
702 }
703 }
704
705 return false;
706 }
707
708 int manager_drop_routing_policy_rules_internal(Manager *m, bool foreign, const Link *except) {
709 RoutingPolicyRule *rule;
710 int k, r = 0;
711 Set *rules;
712
713 assert(m);
714
715 rules = foreign ? m->rules_foreign : m->rules;
716 SET_FOREACH(rule, rules) {
717 /* Do not touch rules managed by kernel. */
718 if (rule->protocol == RTPROT_KERNEL)
719 continue;
720
721 /* The rule will be configured later, or already configured by a link. */
722 k = links_have_routing_policy_rule(m, rule, except);
723 if (k != 0) {
724 if (k < 0 && r >= 0)
725 r = k;
726 continue;
727 }
728
729 k = routing_policy_rule_remove(rule, m);
730 if (k < 0 && r >= 0)
731 r = k;
732 }
733
734 return r;
735 }
736
737 int link_set_routing_policy_rules(Link *link) {
738 RoutingPolicyRule *rule;
739 int r;
740
741 assert(link);
742 assert(link->network);
743
744 if (link->routing_policy_rule_messages != 0) {
745 log_link_debug(link, "Routing policy rules are configuring.");
746 return 0;
747 }
748
749 link->routing_policy_rules_configured = false;
750
751 HASHMAP_FOREACH(rule, link->network->rules_by_section) {
752 r = routing_policy_rule_configure(rule, link);
753 if (r < 0)
754 return log_link_warning_errno(link, r, "Could not set routing policy rule: %m");
755 }
756
757 if (link->routing_policy_rule_messages == 0)
758 link->routing_policy_rules_configured = true;
759 else {
760 log_link_debug(link, "Setting routing policy rules");
761 link_set_state(link, LINK_STATE_CONFIGURING);
762 }
763
764 return 0;
765 }
766
767 static const RoutingPolicyRule kernel_rules[] = {
768 { .family = AF_INET, .priority = 0, .table = RT_TABLE_LOCAL, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, },
769 { .family = AF_INET, .priority = 32766, .table = RT_TABLE_MAIN, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, },
770 { .family = AF_INET, .priority = 32767, .table = RT_TABLE_DEFAULT, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, },
771 { .family = AF_INET6, .priority = 0, .table = RT_TABLE_LOCAL, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, },
772 { .family = AF_INET6, .priority = 32766, .table = RT_TABLE_MAIN, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, },
773 };
774
775 static bool routing_policy_rule_is_created_by_kernel(const RoutingPolicyRule *rule) {
776 assert(rule);
777
778 if (rule->l3mdev > 0)
779 /* Currently, [RoutingPolicyRule] does not explicitly set FRA_L3MDEV. So, if the flag
780 * is set, it is safe to treat the rule as created by kernel. */
781 return true;
782
783 for (size_t i = 0; i < ELEMENTSOF(kernel_rules); i++)
784 if (routing_policy_rule_equal(rule, &kernel_rules[i]))
785 return true;
786
787 return false;
788 }
789
790 int manager_rtnl_process_rule(sd_netlink *rtnl, sd_netlink_message *message, Manager *m) {
791 _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *tmp = NULL;
792 RoutingPolicyRule *rule = NULL;
793 const char *iif = NULL, *oif = NULL;
794 bool adjust_protocol = false;
795 uint32_t suppress_prefixlen;
796 unsigned flags;
797 uint16_t type;
798 int r;
799
800 assert(rtnl);
801 assert(message);
802
803 if (sd_netlink_message_is_error(message)) {
804 r = sd_netlink_message_get_errno(message);
805 if (r < 0)
806 log_message_warning_errno(message, r, "rtnl: failed to receive rule message, ignoring");
807
808 return 0;
809 }
810
811 r = sd_netlink_message_get_type(message, &type);
812 if (r < 0) {
813 log_warning_errno(r, "rtnl: could not get message type, ignoring: %m");
814 return 0;
815 } else if (!IN_SET(type, RTM_NEWRULE, RTM_DELRULE)) {
816 log_warning("rtnl: received unexpected message type %u when processing rule, ignoring.", type);
817 return 0;
818 }
819
820 r = routing_policy_rule_new(&tmp);
821 if (r < 0) {
822 log_oom();
823 return 0;
824 }
825
826 r = sd_rtnl_message_get_family(message, &tmp->family);
827 if (r < 0) {
828 log_warning_errno(r, "rtnl: could not get rule family, ignoring: %m");
829 return 0;
830 } else if (!IN_SET(tmp->family, AF_INET, AF_INET6)) {
831 log_debug("rtnl: received rule message with invalid family %d, ignoring.", tmp->family);
832 return 0;
833 }
834
835 r = netlink_message_read_in_addr_union(message, FRA_SRC, tmp->family, &tmp->from);
836 if (r < 0 && r != -ENODATA) {
837 log_warning_errno(r, "rtnl: could not get FRA_SRC attribute, ignoring: %m");
838 return 0;
839 } else if (r >= 0) {
840 r = sd_rtnl_message_routing_policy_rule_get_fib_src_prefixlen(message, &tmp->from_prefixlen);
841 if (r < 0) {
842 log_warning_errno(r, "rtnl: received rule message without valid source prefix length, ignoring: %m");
843 return 0;
844 }
845 }
846
847 r = netlink_message_read_in_addr_union(message, FRA_DST, tmp->family, &tmp->to);
848 if (r < 0 && r != -ENODATA) {
849 log_warning_errno(r, "rtnl: could not get FRA_DST attribute, ignoring: %m");
850 return 0;
851 } else if (r >= 0) {
852 r = sd_rtnl_message_routing_policy_rule_get_fib_dst_prefixlen(message, &tmp->to_prefixlen);
853 if (r < 0) {
854 log_warning_errno(r, "rtnl: received rule message without valid destination prefix length, ignoring: %m");
855 return 0;
856 }
857 }
858
859 r = sd_rtnl_message_routing_policy_rule_get_flags(message, &flags);
860 if (r < 0) {
861 log_warning_errno(r, "rtnl: received rule message without valid flag, ignoring: %m");
862 return 0;
863 }
864 tmp->invert_rule = flags & FIB_RULE_INVERT;
865
866 r = sd_netlink_message_read_u32(message, FRA_FWMARK, &tmp->fwmark);
867 if (r < 0 && r != -ENODATA) {
868 log_warning_errno(r, "rtnl: could not get FRA_FWMARK attribute, ignoring: %m");
869 return 0;
870 }
871
872 r = sd_netlink_message_read_u32(message, FRA_FWMASK, &tmp->fwmask);
873 if (r < 0 && r != -ENODATA) {
874 log_warning_errno(r, "rtnl: could not get FRA_FWMASK attribute, ignoring: %m");
875 return 0;
876 }
877
878 r = sd_netlink_message_read_u32(message, FRA_PRIORITY, &tmp->priority);
879 if (r < 0 && r != -ENODATA) {
880 log_warning_errno(r, "rtnl: could not get FRA_PRIORITY attribute, ignoring: %m");
881 return 0;
882 }
883
884 r = sd_netlink_message_read_u32(message, FRA_TABLE, &tmp->table);
885 if (r < 0 && r != -ENODATA) {
886 log_warning_errno(r, "rtnl: could not get FRA_TABLE attribute, ignoring: %m");
887 return 0;
888 }
889
890 r = sd_rtnl_message_routing_policy_rule_get_tos(message, &tmp->tos);
891 if (r < 0 && r != -ENODATA) {
892 log_warning_errno(r, "rtnl: could not get FIB rule TOS, ignoring: %m");
893 return 0;
894 }
895
896 r = sd_rtnl_message_routing_policy_rule_get_fib_type(message, &tmp->type);
897 if (r < 0 && r != -ENODATA) {
898 log_warning_errno(r, "rtnl: could not get FIB rule type, ignoring: %m");
899 return 0;
900 }
901
902 r = sd_netlink_message_read_string(message, FRA_IIFNAME, &iif);
903 if (r < 0 && r != -ENODATA) {
904 log_warning_errno(r, "rtnl: could not get FRA_IIFNAME attribute, ignoring: %m");
905 return 0;
906 }
907 r = free_and_strdup(&tmp->iif, iif);
908 if (r < 0)
909 return log_oom();
910
911 r = sd_netlink_message_read_string(message, FRA_OIFNAME, &oif);
912 if (r < 0 && r != -ENODATA) {
913 log_warning_errno(r, "rtnl: could not get FRA_OIFNAME attribute, ignoring: %m");
914 return 0;
915 }
916 r = free_and_strdup(&tmp->oif, oif);
917 if (r < 0)
918 return log_oom();
919
920 r = sd_netlink_message_read_u8(message, FRA_IP_PROTO, &tmp->ipproto);
921 if (r < 0 && r != -ENODATA) {
922 log_warning_errno(r, "rtnl: could not get FRA_IP_PROTO attribute, ignoring: %m");
923 return 0;
924 }
925
926 r = sd_netlink_message_read_u8(message, FRA_PROTOCOL, &tmp->protocol);
927 if (r == -ENODATA)
928 /* If FRA_PROTOCOL is supported by kernel, then the attribute is always appended.
929 * When the received message does not have FRA_PROTOCOL, then we need to adjust the
930 * protocol of the rule later. */
931 adjust_protocol = true;
932 else if (r < 0) {
933 log_warning_errno(r, "rtnl: could not get FRA_PROTOCOL attribute, ignoring: %m");
934 return 0;
935 }
936
937 r = sd_netlink_message_read_u8(message, FRA_L3MDEV, &tmp->l3mdev);
938 if (r < 0 && r != -ENODATA) {
939 log_warning_errno(r, "rtnl: could not get FRA_L3MDEV attribute, ignoring: %m");
940 return 0;
941 }
942
943 r = sd_netlink_message_read(message, FRA_SPORT_RANGE, sizeof(tmp->sport), &tmp->sport);
944 if (r < 0 && r != -ENODATA) {
945 log_warning_errno(r, "rtnl: could not get FRA_SPORT_RANGE attribute, ignoring: %m");
946 return 0;
947 }
948
949 r = sd_netlink_message_read(message, FRA_DPORT_RANGE, sizeof(tmp->dport), &tmp->dport);
950 if (r < 0 && r != -ENODATA) {
951 log_warning_errno(r, "rtnl: could not get FRA_DPORT_RANGE attribute, ignoring: %m");
952 return 0;
953 }
954
955 r = sd_netlink_message_read(message, FRA_UID_RANGE, sizeof(tmp->uid_range), &tmp->uid_range);
956 if (r < 0 && r != -ENODATA) {
957 log_warning_errno(r, "rtnl: could not get FRA_UID_RANGE attribute, ignoring: %m");
958 return 0;
959 }
960
961 r = sd_netlink_message_read_u32(message, FRA_SUPPRESS_PREFIXLEN, &suppress_prefixlen);
962 if (r < 0 && r != -ENODATA) {
963 log_warning_errno(r, "rtnl: could not get FRA_SUPPRESS_PREFIXLEN attribute, ignoring: %m");
964 return 0;
965 }
966 if (r >= 0)
967 tmp->suppress_prefixlen = (int) suppress_prefixlen;
968
969 if (adjust_protocol)
970 /* As .network files does not have setting to specify protocol, we can assume the
971 * protocol of the received rule is RTPROT_KERNEL or RTPROT_STATIC. */
972 tmp->protocol = routing_policy_rule_is_created_by_kernel(tmp) ? RTPROT_KERNEL : RTPROT_STATIC;
973
974 (void) routing_policy_rule_get(m, tmp, &rule);
975
976 switch (type) {
977 case RTM_NEWRULE:
978 if (rule)
979 log_routing_policy_rule_debug(tmp, tmp->family, "Received remembered", NULL, m);
980 else {
981 log_routing_policy_rule_debug(tmp, tmp->family, "Remembering foreign", NULL, m);
982 r = routing_policy_rule_consume_foreign(m, TAKE_PTR(tmp));
983 if (r < 0)
984 log_warning_errno(r, "Could not remember foreign rule, ignoring: %m");
985 }
986 break;
987 case RTM_DELRULE:
988 if (rule) {
989 log_routing_policy_rule_debug(tmp, tmp->family, "Forgetting", NULL, m);
990 routing_policy_rule_free(rule);
991 } else
992 log_routing_policy_rule_debug(tmp, tmp->family, "Kernel removed unknown", NULL, m);
993 break;
994
995 default:
996 assert_not_reached("Received invalid RTNL message type");
997 }
998
999 return 1;
1000 }
1001
1002 static int parse_fwmark_fwmask(const char *s, uint32_t *ret_fwmark, uint32_t *ret_fwmask) {
1003 _cleanup_free_ char *fwmark_str = NULL;
1004 uint32_t fwmark, fwmask = 0;
1005 const char *slash;
1006 int r;
1007
1008 assert(s);
1009 assert(ret_fwmark);
1010 assert(ret_fwmask);
1011
1012 slash = strchr(s, '/');
1013 if (slash) {
1014 fwmark_str = strndup(s, slash - s);
1015 if (!fwmark_str)
1016 return -ENOMEM;
1017 }
1018
1019 r = safe_atou32(fwmark_str ?: s, &fwmark);
1020 if (r < 0)
1021 return r;
1022
1023 if (fwmark > 0) {
1024 if (slash) {
1025 r = safe_atou32(slash + 1, &fwmask);
1026 if (r < 0)
1027 return r;
1028 } else
1029 fwmask = UINT32_MAX;
1030 }
1031
1032 *ret_fwmark = fwmark;
1033 *ret_fwmask = fwmask;
1034
1035 return 0;
1036 }
1037
1038 int config_parse_routing_policy_rule_tos(
1039 const char *unit,
1040 const char *filename,
1041 unsigned line,
1042 const char *section,
1043 unsigned section_line,
1044 const char *lvalue,
1045 int ltype,
1046 const char *rvalue,
1047 void *data,
1048 void *userdata) {
1049
1050 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1051 Network *network = userdata;
1052 int r;
1053
1054 assert(filename);
1055 assert(section);
1056 assert(lvalue);
1057 assert(rvalue);
1058 assert(data);
1059
1060 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1061 if (r < 0)
1062 return log_oom();
1063
1064 r = safe_atou8(rvalue, &n->tos);
1065 if (r < 0) {
1066 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule TOS, ignoring: %s", rvalue);
1067 return 0;
1068 }
1069
1070 TAKE_PTR(n);
1071 return 0;
1072 }
1073
1074 int config_parse_routing_policy_rule_priority(
1075 const char *unit,
1076 const char *filename,
1077 unsigned line,
1078 const char *section,
1079 unsigned section_line,
1080 const char *lvalue,
1081 int ltype,
1082 const char *rvalue,
1083 void *data,
1084 void *userdata) {
1085
1086 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1087 Network *network = userdata;
1088 int r;
1089
1090 assert(filename);
1091 assert(section);
1092 assert(lvalue);
1093 assert(rvalue);
1094 assert(data);
1095
1096 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1097 if (r < 0)
1098 return log_oom();
1099
1100 r = safe_atou32(rvalue, &n->priority);
1101 if (r < 0) {
1102 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule priority, ignoring: %s", rvalue);
1103 return 0;
1104 }
1105
1106 TAKE_PTR(n);
1107 return 0;
1108 }
1109
1110 int config_parse_routing_policy_rule_table(
1111 const char *unit,
1112 const char *filename,
1113 unsigned line,
1114 const char *section,
1115 unsigned section_line,
1116 const char *lvalue,
1117 int ltype,
1118 const char *rvalue,
1119 void *data,
1120 void *userdata) {
1121
1122 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1123 Network *network = userdata;
1124 int r;
1125
1126 assert(filename);
1127 assert(section);
1128 assert(lvalue);
1129 assert(rvalue);
1130 assert(data);
1131
1132 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1133 if (r < 0)
1134 return log_oom();
1135
1136 r = manager_get_route_table_from_string(network->manager, rvalue, &n->table);
1137 if (r < 0) {
1138 log_syntax(unit, LOG_WARNING, filename, line, r,
1139 "Could not parse RPDB rule route table number \"%s\", ignoring assignment: %m", rvalue);
1140 return 0;
1141 }
1142
1143 TAKE_PTR(n);
1144 return 0;
1145 }
1146
1147 int config_parse_routing_policy_rule_fwmark_mask(
1148 const char *unit,
1149 const char *filename,
1150 unsigned line,
1151 const char *section,
1152 unsigned section_line,
1153 const char *lvalue,
1154 int ltype,
1155 const char *rvalue,
1156 void *data,
1157 void *userdata) {
1158
1159 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1160 Network *network = userdata;
1161 int r;
1162
1163 assert(filename);
1164 assert(section);
1165 assert(lvalue);
1166 assert(rvalue);
1167 assert(data);
1168
1169 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1170 if (r < 0)
1171 return log_oom();
1172
1173 r = parse_fwmark_fwmask(rvalue, &n->fwmark, &n->fwmask);
1174 if (r < 0) {
1175 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule firewall mark or mask, ignoring: %s", rvalue);
1176 return 0;
1177 }
1178
1179 TAKE_PTR(n);
1180 return 0;
1181 }
1182
1183 int config_parse_routing_policy_rule_prefix(
1184 const char *unit,
1185 const char *filename,
1186 unsigned line,
1187 const char *section,
1188 unsigned section_line,
1189 const char *lvalue,
1190 int ltype,
1191 const char *rvalue,
1192 void *data,
1193 void *userdata) {
1194
1195 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1196 Network *network = userdata;
1197 union in_addr_union *buffer;
1198 uint8_t *prefixlen;
1199 int r;
1200
1201 assert(filename);
1202 assert(section);
1203 assert(lvalue);
1204 assert(rvalue);
1205 assert(data);
1206
1207 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1208 if (r < 0)
1209 return log_oom();
1210
1211 if (streq(lvalue, "To")) {
1212 buffer = &n->to;
1213 prefixlen = &n->to_prefixlen;
1214 } else {
1215 buffer = &n->from;
1216 prefixlen = &n->from_prefixlen;
1217 }
1218
1219 if (n->family == AF_UNSPEC)
1220 r = in_addr_prefix_from_string_auto(rvalue, &n->family, buffer, prefixlen);
1221 else
1222 r = in_addr_prefix_from_string(rvalue, n->family, buffer, prefixlen);
1223 if (r < 0) {
1224 log_syntax(unit, LOG_WARNING, filename, line, r, "RPDB rule prefix is invalid, ignoring assignment: %s", rvalue);
1225 return 0;
1226 }
1227
1228 TAKE_PTR(n);
1229 return 0;
1230 }
1231
1232 int config_parse_routing_policy_rule_device(
1233 const char *unit,
1234 const char *filename,
1235 unsigned line,
1236 const char *section,
1237 unsigned section_line,
1238 const char *lvalue,
1239 int ltype,
1240 const char *rvalue,
1241 void *data,
1242 void *userdata) {
1243
1244 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1245 Network *network = userdata;
1246 int r;
1247
1248 assert(filename);
1249 assert(section);
1250 assert(lvalue);
1251 assert(rvalue);
1252 assert(data);
1253
1254 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1255 if (r < 0)
1256 return log_oom();
1257
1258 if (!ifname_valid(rvalue)) {
1259 log_syntax(unit, LOG_WARNING, filename, line, 0, "Failed to parse '%s' interface name, ignoring: %s", lvalue, rvalue);
1260 return 0;
1261 }
1262
1263 if (streq(lvalue, "IncomingInterface")) {
1264 r = free_and_strdup(&n->iif, rvalue);
1265 if (r < 0)
1266 return log_oom();
1267 } else {
1268 r = free_and_strdup(&n->oif, rvalue);
1269 if (r < 0)
1270 return log_oom();
1271 }
1272
1273 TAKE_PTR(n);
1274 return 0;
1275 }
1276
1277 int config_parse_routing_policy_rule_port_range(
1278 const char *unit,
1279 const char *filename,
1280 unsigned line,
1281 const char *section,
1282 unsigned section_line,
1283 const char *lvalue,
1284 int ltype,
1285 const char *rvalue,
1286 void *data,
1287 void *userdata) {
1288 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1289 Network *network = userdata;
1290 uint16_t low, high;
1291 int r;
1292
1293 assert(filename);
1294 assert(section);
1295 assert(lvalue);
1296 assert(rvalue);
1297 assert(data);
1298
1299 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1300 if (r < 0)
1301 return log_oom();
1302
1303 r = parse_ip_port_range(rvalue, &low, &high);
1304 if (r < 0) {
1305 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse routing policy rule port range '%s'", rvalue);
1306 return 0;
1307 }
1308
1309 if (streq(lvalue, "SourcePort")) {
1310 n->sport.start = low;
1311 n->sport.end = high;
1312 } else {
1313 n->dport.start = low;
1314 n->dport.end = high;
1315 }
1316
1317 TAKE_PTR(n);
1318 return 0;
1319 }
1320
1321 int config_parse_routing_policy_rule_ip_protocol(
1322 const char *unit,
1323 const char *filename,
1324 unsigned line,
1325 const char *section,
1326 unsigned section_line,
1327 const char *lvalue,
1328 int ltype,
1329 const char *rvalue,
1330 void *data,
1331 void *userdata) {
1332
1333 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1334 Network *network = userdata;
1335 int r;
1336
1337 assert(filename);
1338 assert(section);
1339 assert(lvalue);
1340 assert(rvalue);
1341 assert(data);
1342
1343 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1344 if (r < 0)
1345 return log_oom();
1346
1347 r = parse_ip_protocol(rvalue);
1348 if (r < 0) {
1349 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse IP protocol '%s' for routing policy rule, ignoring: %m", rvalue);
1350 return 0;
1351 }
1352
1353 n->ipproto = r;
1354
1355 TAKE_PTR(n);
1356 return 0;
1357 }
1358
1359 int config_parse_routing_policy_rule_invert(
1360 const char *unit,
1361 const char *filename,
1362 unsigned line,
1363 const char *section,
1364 unsigned section_line,
1365 const char *lvalue,
1366 int ltype,
1367 const char *rvalue,
1368 void *data,
1369 void *userdata) {
1370
1371 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1372 Network *network = userdata;
1373 int r;
1374
1375 assert(filename);
1376 assert(section);
1377 assert(lvalue);
1378 assert(rvalue);
1379 assert(data);
1380
1381 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1382 if (r < 0)
1383 return log_oom();
1384
1385 r = parse_boolean(rvalue);
1386 if (r < 0) {
1387 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule invert, ignoring: %s", rvalue);
1388 return 0;
1389 }
1390
1391 n->invert_rule = r;
1392
1393 TAKE_PTR(n);
1394 return 0;
1395 }
1396
1397 int config_parse_routing_policy_rule_family(
1398 const char *unit,
1399 const char *filename,
1400 unsigned line,
1401 const char *section,
1402 unsigned section_line,
1403 const char *lvalue,
1404 int ltype,
1405 const char *rvalue,
1406 void *data,
1407 void *userdata) {
1408
1409 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1410 Network *network = userdata;
1411 AddressFamily a;
1412 int r;
1413
1414 assert(filename);
1415 assert(section);
1416 assert(lvalue);
1417 assert(rvalue);
1418 assert(data);
1419
1420 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1421 if (r < 0)
1422 return log_oom();
1423
1424 a = routing_policy_rule_address_family_from_string(rvalue);
1425 if (a < 0) {
1426 log_syntax(unit, LOG_WARNING, filename, line, a,
1427 "Invalid address family '%s', ignoring.", rvalue);
1428 return 0;
1429 }
1430
1431 n->address_family = a;
1432
1433 TAKE_PTR(n);
1434 return 0;
1435 }
1436
1437 int config_parse_routing_policy_rule_uid_range(
1438 const char *unit,
1439 const char *filename,
1440 unsigned line,
1441 const char *section,
1442 unsigned section_line,
1443 const char *lvalue,
1444 int ltype,
1445 const char *rvalue,
1446 void *data,
1447 void *userdata) {
1448
1449 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1450 Network *network = userdata;
1451 uid_t start, end;
1452 int r;
1453
1454 assert(filename);
1455 assert(section);
1456 assert(lvalue);
1457 assert(rvalue);
1458 assert(data);
1459
1460 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1461 if (r < 0)
1462 return log_oom();
1463
1464 r = get_user_creds(&rvalue, &start, NULL, NULL, NULL, 0);
1465 if (r >= 0)
1466 end = start;
1467 else {
1468 r = parse_uid_range(rvalue, &start, &end);
1469 if (r < 0) {
1470 log_syntax(unit, LOG_WARNING, filename, line, r,
1471 "Invalid uid or uid range '%s', ignoring: %m", rvalue);
1472 return 0;
1473 }
1474 }
1475
1476 n->uid_range.start = start;
1477 n->uid_range.end = end;
1478
1479 TAKE_PTR(n);
1480 return 0;
1481 }
1482
1483 int config_parse_routing_policy_rule_suppress_prefixlen(
1484 const char *unit,
1485 const char *filename,
1486 unsigned line,
1487 const char *section,
1488 unsigned section_line,
1489 const char *lvalue,
1490 int ltype,
1491 const char *rvalue,
1492 void *data,
1493 void *userdata) {
1494
1495 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1496 Network *network = userdata;
1497 int r;
1498
1499 assert(filename);
1500 assert(section);
1501 assert(lvalue);
1502 assert(rvalue);
1503 assert(data);
1504
1505 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1506 if (r < 0)
1507 return log_oom();
1508
1509 r = parse_ip_prefix_length(rvalue, &n->suppress_prefixlen);
1510 if (r == -ERANGE) {
1511 log_syntax(unit, LOG_WARNING, filename, line, r, "Prefix length outside of valid range 0-128, ignoring: %s", rvalue);
1512 return 0;
1513 }
1514 if (r < 0) {
1515 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule suppress_prefixlen, ignoring: %s", rvalue);
1516 return 0;
1517 }
1518
1519 TAKE_PTR(n);
1520 return 0;
1521 }
1522
1523 int config_parse_routing_policy_rule_type(
1524 const char *unit,
1525 const char *filename,
1526 unsigned line,
1527 const char *section,
1528 unsigned section_line,
1529 const char *lvalue,
1530 int ltype,
1531 const char *rvalue,
1532 void *data,
1533 void *userdata) {
1534
1535 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1536 Network *network = userdata;
1537 int r, t;
1538
1539 assert(filename);
1540 assert(section);
1541 assert(lvalue);
1542 assert(rvalue);
1543 assert(data);
1544
1545 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1546 if (r < 0)
1547 return log_oom();
1548
1549 t = fr_act_type_from_string(rvalue);
1550 if (t < 0) {
1551 log_syntax(unit, LOG_WARNING, filename, line, t,
1552 "Could not parse FIB rule type \"%s\", ignoring assignment: %m", rvalue);
1553 return 0;
1554 }
1555
1556 n->type = (uint8_t) t;
1557
1558 TAKE_PTR(n);
1559 return 0;
1560 }
1561
1562 static int routing_policy_rule_section_verify(RoutingPolicyRule *rule) {
1563 if (section_is_invalid(rule->section))
1564 return -EINVAL;
1565
1566 if ((rule->family == AF_INET && FLAGS_SET(rule->address_family, ADDRESS_FAMILY_IPV6)) ||
1567 (rule->family == AF_INET6 && FLAGS_SET(rule->address_family, ADDRESS_FAMILY_IPV4)))
1568 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1569 "%s: address family specified by Family= conflicts with the address "
1570 "specified by To= or From=. Ignoring [RoutingPolicyRule] section from line %u.",
1571 rule->section->filename, rule->section->line);
1572
1573 if (rule->family == AF_UNSPEC) {
1574 if (IN_SET(rule->address_family, ADDRESS_FAMILY_IPV4, ADDRESS_FAMILY_NO))
1575 rule->family = AF_INET;
1576 else if (rule->address_family == ADDRESS_FAMILY_IPV6)
1577 rule->family = AF_INET6;
1578 /* rule->family can be AF_UNSPEC only when Family=both. */
1579 }
1580
1581 /* Currently, [RoutingPolicyRule] does not have a setting to set FRA_L3MDEV flag. Please also
1582 * update routing_policy_rule_is_created_by_kernel() when a new setting which sets the flag is
1583 * added in the future. */
1584 if (rule->l3mdev > 0)
1585 assert_not_reached("FRA_L3MDEV flag should not be configured.");
1586
1587 return 0;
1588 }
1589
1590 void network_drop_invalid_routing_policy_rules(Network *network) {
1591 RoutingPolicyRule *rule;
1592
1593 assert(network);
1594
1595 HASHMAP_FOREACH(rule, network->rules_by_section)
1596 if (routing_policy_rule_section_verify(rule) < 0)
1597 routing_policy_rule_free(rule);
1598 }
Unnamed repository; edit this file 'description' to name the repository.