1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
2 | ||
3 | #include "escape.h" | |
4 | #include "netlink-util.h" | |
5 | #include "networkd-address.h" | |
6 | #include "networkd-link.h" | |
7 | #include "networkd-manager.h" | |
8 | #include "networkd-netlabel.h" | |
9 | #include "networkd-network.h" | |
10 | ||
/* Completion callback for the asynchronous NetLabel genetlink request issued by
 * netlabel_command(). The request's outcome is only logged — a kernel error is reported as a
 * warning and otherwise ignored. Always returns 1 (the netlink reply is consumed either way). */
static int netlabel_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) {
        int err;

        assert_se(rtnl);
        assert_se(m);
        assert_se(link);

        err = sd_netlink_message_get_errno(m);
        if (err >= 0)
                log_link_debug(link, "NetLabel operation successful");
        else
                log_link_message_warning_errno(link, m, err, "NetLabel operation failed, ignoring");

        return 1;
}
28 | ||
/* Build and asynchronously send a NetLabel "unlabeled" genetlink request (NLBL_UNLABEL_C_STATICADD
 * or NLBL_UNLABEL_C_STATICREMOVE) for the given address on its link.
 *
 * 'label' is the security context to attach; it is only required — and only sent, as
 * NLBL_UNLABEL_A_SECCTX — for NLBL_UNLABEL_C_STATICADD. The address is sent together with the
 * netmask derived from its prefix length, in masked form (see the comment below).
 *
 * Returns 0 once the request is in flight (netlabel_handler() logs its outcome) or a negative
 * error code if building or sending the message failed. On success a reference on the link is
 * taken for the pending callback; link_netlink_destroy_callback is presumably what releases it
 * (see networkd-link.h). */
static int netlabel_command(uint16_t command, const char *label, const Address *address) {
        _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
        union in_addr_union netmask, masked_addr;
        Link *link;
        int r;

        assert(command != NLBL_UNLABEL_C_UNSPEC && command < __NLBL_UNLABEL_C_MAX);
        assert(address);
        assert(address->link);
        assert(address->link->ifname);
        assert(address->link->manager);
        assert(address->link->manager->genl);
        assert(IN_SET(address->family, AF_INET, AF_INET6));

        link = address->link;

        r = sd_genl_message_new(link->manager->genl, NETLBL_NLTYPE_UNLABELED_NAME, command, &m);
        if (r < 0)
                return r;

        r = sd_netlink_message_append_string(m, NLBL_UNLABEL_A_IFACE, link->ifname);
        if (r < 0)
                return r;

        /* Only the add operation carries a security context attribute. */
        if (command == NLBL_UNLABEL_C_STATICADD) {
                assert(label);

                r = sd_netlink_message_append_string(m, NLBL_UNLABEL_A_SECCTX, label);
                if (r < 0)
                        return r;
        }

        r = in_addr_prefixlen_to_netmask(address->family, &netmask, address->prefixlen);
        if (r < 0)
                return r;

        /*
         * When adding rules, kernel adds the address to its hash table _applying also the netmask_, but on
         * removal, an exact match is required _without netmask applied_, so apply the mask on both
         * operations.
         */
        masked_addr = address->in_addr;
        r = in_addr_mask(address->family, &masked_addr, address->prefixlen);
        if (r < 0)
                return r;

        switch (address->family) {
        case AF_INET:
                r = sd_netlink_message_append_in_addr(m, NLBL_UNLABEL_A_IPV4ADDR, &masked_addr.in);
                if (r >= 0)
                        r = sd_netlink_message_append_in_addr(m, NLBL_UNLABEL_A_IPV4MASK, &netmask.in);
                break;

        case AF_INET6:
                r = sd_netlink_message_append_in6_addr(m, NLBL_UNLABEL_A_IPV6ADDR, &masked_addr.in6);
                if (r >= 0)
                        r = sd_netlink_message_append_in6_addr(m, NLBL_UNLABEL_A_IPV6MASK, &netmask.in6);
                break;

        default:
                /* Excluded by the IN_SET() assertion above; nothing to append. */
                break;
        }
        if (r < 0)
                return r;

        r = netlink_call_async(link->manager->genl, NULL, m, netlabel_handler, link_netlink_destroy_callback, link);
        if (r < 0)
                return r;

        /* Keep the link alive until the reply is handled. */
        link_ref(link);
        return 0;
}
95 | ||
/* Ask the kernel to apply the address's configured NetLabel (address->netlabel) to it. A missing
 * label means there is nothing to do. Failure to send the request is logged as a warning and
 * otherwise ignored; the kernel's own reply is logged by netlabel_handler(). */
void address_add_netlabel(const Address *address) {
        assert(address);

        if (!address->netlabel)
                return;

        int r = netlabel_command(NLBL_UNLABEL_C_STATICADD, address->netlabel, address);
        if (r < 0) {
                log_link_warning_errno(address->link, r, "Adding NetLabel %s for IP address %s failed, ignoring", address->netlabel,
                                       IN_ADDR_PREFIX_TO_STRING(address->family, &address->in_addr, address->prefixlen));
                return;
        }

        log_link_debug(address->link, "Adding NetLabel %s for IP address %s", address->netlabel,
                       IN_ADDR_PREFIX_TO_STRING(address->family, &address->in_addr, address->prefixlen));
}
112 | ||
/* Ask the kernel to drop the NetLabel previously applied to the address (address->netlabel). A
 * missing label means nothing was added and there is nothing to do. Failure to send the request
 * is logged as a warning and otherwise ignored; the kernel's own reply is logged by
 * netlabel_handler(). */
void address_del_netlabel(const Address *address) {
        assert(address);

        if (!address->netlabel)
                return;

        int r = netlabel_command(NLBL_UNLABEL_C_STATICREMOVE, address->netlabel, address);
        if (r < 0) {
                log_link_warning_errno(address->link, r, "Deleting NetLabel %s for IP address %s failed, ignoring", address->netlabel,
                                       IN_ADDR_PREFIX_TO_STRING(address->family, &address->in_addr, address->prefixlen));
                return;
        }

        log_link_debug(address->link, "Deleting NetLabel %s for IP address %s", address->netlabel,
                       IN_ADDR_PREFIX_TO_STRING(address->family, &address->in_addr, address->prefixlen));
}