]> git.ipfire.org Git - people/ms/strongswan.git/blame - src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
projects / people / ms / strongswan.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
kernel-netlink: Allow setting firewall marks on routing rule
[people/ms/strongswan.git] / src / libhydra / plugins / kernel_netlink / kernel_netlink_net.c
CommitLineData
507f26f6 1/*
37873f99 2 * Copyright (C) 2008-2013 Tobias Brunner
ce5b1708 3 * Copyright (C) 2005-2008 Martin Willi
507f26f6
TB		 4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
507f26f6
TB		 15 */
16
d266e895
TE		 17/*
18 * Copyright (C) 2010 secunet Security Networks AG
19 * Copyright (C) 2010 Thomas Egerer
20 *
21 * Permission is hereby granted, free of charge, to any person obtaining a copy
22 * of this software and associated documentation files (the "Software"), to deal
23 * in the Software without restriction, including without limitation the rights
24 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
25 * copies of the Software, and to permit persons to whom the Software is
26 * furnished to do so, subject to the following conditions:
27 *
28 * The above copyright notice and this permission notice shall be included in
29 * all copies or substantial portions of the Software.
30 *
31 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
32 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
33 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
34 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
35 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
36 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
37 * THE SOFTWARE.
38 */
39
507f26f6 40#include <sys/socket.h>
7beb31aa 41#include <sys/utsname.h>
507f26f6
TB		 42#include <linux/netlink.h>
43#include <linux/rtnetlink.h>
507f26f6
TB		 44#include <unistd.h>
45#include <errno.h>
46#include <net/if.h>
51fefe46 47#include <linux/fib_rules.h>
507f26f6
TB		 48
49#include "kernel_netlink_net.h"
50#include "kernel_netlink_shared.h"
51
c5f7146b 52#include <hydra.h>
f05b4272 53#include <utils/debug.h>
eba64cef 54#include <threading/mutex.h>
a25d536e
TB		 55#include <threading/rwlock.h>
56#include <threading/rwlock_condvar.h>
4134108c 57#include <threading/spinlock.h>
12642a68
TB		 58#include <collections/hashtable.h>
59#include <collections/linked_list.h>
507f26f6 60#include <processing/jobs/callback_job.h>
507f26f6 61
ba26508d 62/** delay before firing roam events (ms) */
507f26f6
TB		 63#define ROAM_DELAY 100
64
f834249c
TB		 65/** delay before reinstalling routes (ms) */
66#define ROUTE_DELAY 100
67
cbd52e7d
TB		 68/** maximum recursion when searching for addresses in get_route() */
69#define MAX_ROUTE_RECURSION 2
70
0b9ce21b
TB		 71#ifndef ROUTING_TABLE
72#define ROUTING_TABLE 0
73#endif
74
75#ifndef ROUTING_TABLE_PRIO
76#define ROUTING_TABLE_PRIO 0
77#endif
78
507f26f6
TB		 79typedef struct addr_entry_t addr_entry_t;
80
81/**
c6b40158 82 * IP address in an iface_entry_t
507f26f6
TB		 83 */
84struct addr_entry_t {
7daf5226 85
c6b40158 86 /** the ip address */
507f26f6 87 host_t *ip;
7daf5226 88
507f26f6
TB		 89 /** scope of the address */
90 u_char scope;
7daf5226 91
e8e9048f 92 /** number of times this IP is used, if virtual (i.e. managed by us) */
507f26f6 93 u_int refcount;
c6b40158
TB		 94
95 /** TRUE once it is installed, if virtual */
96 bool installed;
507f26f6
TB		 97};
98
99/**
100 * destroy a addr_entry_t object
101 */
102static void addr_entry_destroy(addr_entry_t *this)
103{
104 this->ip->destroy(this->ip);
105 free(this);
106}
107
108typedef struct iface_entry_t iface_entry_t;
109
110/**
111 * A network interface on this system, containing addr_entry_t's
112 */
113struct iface_entry_t {
7daf5226 114
507f26f6
TB		 115 /** interface index */
116 int ifindex;
7daf5226 117
507f26f6
TB		 118 /** name of the interface */
119 char ifname[IFNAMSIZ];
7daf5226 120
507f26f6
TB		 121 /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
122 u_int flags;
7daf5226 123
507f26f6
TB		 124 /** list of addresses as host_t */
125 linked_list_t *addrs;
940e1b0f
TB		 126
127 /** TRUE if usable by config */
128 bool usable;
507f26f6
TB		 129};
130
131/**
132 * destroy an interface entry
133 */
134static void iface_entry_destroy(iface_entry_t *this)
135{
136 this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
137 free(this);
138}
139
940e1b0f
TB		 140/**
141 * find an interface entry by index
142 */
143static bool iface_entry_by_index(iface_entry_t *this, int *ifindex)
144{
145 return this->ifindex == *ifindex;
146}
147
c6b40158
TB		 148/**
149 * find an interface entry by name
150 */
151static bool iface_entry_by_name(iface_entry_t *this, char *ifname)
152{
153 return streq(this->ifname, ifname);
154}
155
1f97e1aa
TB		 156/**
157 * check if an interface is up
158 */
159static inline bool iface_entry_up(iface_entry_t *iface)
160{
161 return (iface->flags & IFF_UP) == IFF_UP;
162}
163
940e1b0f
TB		 164/**
165 * check if an interface is up and usable
166 */
167static inline bool iface_entry_up_and_usable(iface_entry_t *iface)
168{
1f97e1aa
TB		 169 return iface->usable && iface_entry_up(iface);
170}
171
172typedef struct addr_map_entry_t addr_map_entry_t;
173
174/**
175 * Entry that maps an IP address to an interface entry
176 */
177struct addr_map_entry_t {
178 /** The IP address */
179 host_t *ip;
180
c6b40158
TB		 181 /** The address entry for this IP address */
182 addr_entry_t *addr;
183
1f97e1aa
TB		 184 /** The interface this address is installed on */
185 iface_entry_t *iface;
186};
187
188/**
189 * Hash a addr_map_entry_t object, all entries with the same IP address
190 * are stored in the same bucket
191 */
192static u_int addr_map_entry_hash(addr_map_entry_t *this)
193{
194 return chunk_hash(this->ip->get_address(this->ip));
195}
196
197/**
198 * Compare two addr_map_entry_t objects, two entries are equal if they are
199 * installed on the same interface
200 */
201static bool addr_map_entry_equals(addr_map_entry_t *a, addr_map_entry_t *b)
202{
203 return a->iface->ifindex == b->iface->ifindex &&
204 a->ip->ip_equals(a->ip, b->ip);
205}
206
207/**
208 * Used with get_match this finds an address entry if it is installed on
209 * an up and usable interface
210 */
211static bool addr_map_entry_match_up_and_usable(addr_map_entry_t *a,
212 addr_map_entry_t *b)
213{
214 return iface_entry_up_and_usable(b->iface) &&
215 a->ip->ip_equals(a->ip, b->ip);
216}
217
218/**
219 * Used with get_match this finds an address entry if it is installed on
220 * any active local interface
221 */
222static bool addr_map_entry_match_up(addr_map_entry_t *a, addr_map_entry_t *b)
223{
224 return iface_entry_up(b->iface) && a->ip->ip_equals(a->ip, b->ip);
940e1b0f
TB		 225}
226
c6b40158
TB		 227/**
228 * Used with get_match this finds an address entry if it is installed on
229 * any local interface
230 */
231static bool addr_map_entry_match(addr_map_entry_t *a, addr_map_entry_t *b)
232{
233 return a->ip->ip_equals(a->ip, b->ip);
234}
235
74ba22c9
TB		 236typedef struct route_entry_t route_entry_t;
237
238/**
239 * Installed routing entry
240 */
241struct route_entry_t {
242 /** Name of the interface the route is bound to */
243 char *if_name;
244
245 /** Source ip of the route */
246 host_t *src_ip;
247
248 /** Gateway for this route */
249 host_t *gateway;
250
251 /** Destination net */
252 chunk_t dst_net;
253
254 /** Destination net prefixlen */
255 u_int8_t prefixlen;
256};
257
258/**
259 * Clone a route_entry_t object.
260 */
261static route_entry_t *route_entry_clone(route_entry_t *this)
262{
263 route_entry_t *route;
264
265 INIT(route,
266 .if_name = strdup(this->if_name),
267 .src_ip = this->src_ip->clone(this->src_ip),
3cd7ba49 268 .gateway = this->gateway ? this->gateway->clone(this->gateway) : NULL,
74ba22c9
TB		 269 .dst_net = chunk_clone(this->dst_net),
270 .prefixlen = this->prefixlen,
271 );
272 return route;
273}
274
275/**
276 * Destroy a route_entry_t object
277 */
278static void route_entry_destroy(route_entry_t *this)
279{
280 free(this->if_name);
281 DESTROY_IF(this->src_ip);
282 DESTROY_IF(this->gateway);
283 chunk_free(&this->dst_net);
284 free(this);
285}
286
287/**
288 * Hash a route_entry_t object
289 */
290static u_int route_entry_hash(route_entry_t *this)
291{
292 return chunk_hash_inc(chunk_from_thing(this->prefixlen),
293 chunk_hash(this->dst_net));
294}
295
296/**
297 * Compare two route_entry_t objects
298 */
299static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
300{
3cd7ba49
TB		 301 if (a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
302 a->src_ip->ip_equals(a->src_ip, b->src_ip) &&
303 chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen)
304 {
305 return (!a->gateway && !b->gateway) || (a->gateway && b->gateway &&
306 a->gateway->ip_equals(a->gateway, b->gateway));
307 }
308 return FALSE;
74ba22c9
TB		 309}
310
f834249c
TB		 311typedef struct net_change_t net_change_t;
312
313/**
314 * Queued network changes
315 */
316struct net_change_t {
317 /** Name of the interface that got activated (or an IP appeared on) */
318 char *if_name;
f834249c
TB		 319};
320
321/**
322 * Destroy a net_change_t object
323 */
324static void net_change_destroy(net_change_t *this)
325{
f834249c
TB		 326 free(this->if_name);
327 free(this);
328}
329
330/**
331 * Hash a net_change_t object
332 */
333static u_int net_change_hash(net_change_t *this)
334{
f834249c
TB		 335 return chunk_hash(chunk_create(this->if_name, strlen(this->if_name)));
336}
337
338/**
339 * Compare two net_change_t objects
340 */
341static bool net_change_equals(net_change_t *a, net_change_t *b)
342{
c732e220 343 return streq(a->if_name, b->if_name);
f834249c
TB		 344}
345
507f26f6
TB		 346typedef struct private_kernel_netlink_net_t private_kernel_netlink_net_t;
347
348/**
349 * Private variables and functions of kernel_netlink_net class.
350 */
351struct private_kernel_netlink_net_t {
352 /**
353 * Public part of the kernel_netlink_net_t object.
354 */
355 kernel_netlink_net_t public;
7daf5226 356
507f26f6 357 /**
a25d536e 358 * lock to access various lists and maps
507f26f6 359 */
a25d536e 360 rwlock_t *lock;
7daf5226 361
507f26f6
TB		 362 /**
363 * condition variable to signal virtual IP add/removal
364 */
a25d536e 365 rwlock_condvar_t *condvar;
7daf5226 366
507f26f6
TB		 367 /**
368 * Cached list of interfaces and its addresses (iface_entry_t)
369 */
370 linked_list_t *ifaces;
7daf5226 371
1f97e1aa
TB		 372 /**
373 * Map for IP addresses to iface_entry_t objects (addr_map_entry_t)
374 */
375 hashtable_t *addrs;
376
c6b40158
TB		 377 /**
378 * Map for virtual IP addresses to iface_entry_t objects (addr_map_entry_t)
379 */
380 hashtable_t *vips;
381
507f26f6
TB		 382 /**
383 * netlink rt socket (routing)
384 */
385 netlink_socket_t *socket;
7daf5226 386
507f26f6
TB		 387 /**
388 * Netlink rt socket to receive address change events
389 */
390 int socket_events;
7daf5226 391
507f26f6 392 /**
4134108c 393 * earliest time of the next roam event
507f26f6 394 */
4134108c
TB		 395 timeval_t next_roam;
396
77d4a028
TB		 397 /**
398 * roam event due to address change
399 */
400 bool roam_address;
401
4134108c
TB		 402 /**
403 * lock to check and update roam event time
404 */
405 spinlock_t *roam_lock;
7daf5226 406
507f26f6
TB		 407 /**
408 * routing table to install routes
409 */
410 int routing_table;
7daf5226 411
507f26f6
TB		 412 /**
413 * priority of used routing table
414 */
415 int routing_table_prio;
7daf5226 416
74ba22c9
TB		 417 /**
418 * installed routes
419 */
420 hashtable_t *routes;
421
16d62305
TB		 422 /**
423 * mutex for routes
424 */
425 mutex_t *routes_lock;
426
f834249c 427 /**
c732e220 428 * interface changes which may trigger route reinstallation
f834249c
TB		 429 */
430 hashtable_t *net_changes;
431
432 /**
433 * mutex for route reinstallation triggers
434 */
435 mutex_t *net_changes_lock;
436
437 /**
438 * time of last route reinstallation
439 */
440 timeval_t last_route_reinstall;
441
507f26f6
TB		 442 /**
443 * whether to react to RTM_NEWROUTE or RTM_DELROUTE events
444 */
445 bool process_route;
7daf5226 446
37873f99
TB		 447 /**
448 * whether to trigger roam events
449 */
450 bool roam_events;
451
9474a0d9
MW		 452 /**
453 * whether to actually install virtual IPs
454 */
455 bool install_virtual_ip;
d266e895 456
e8e9048f
TB		 457 /**
458 * the name of the interface virtual IP addresses are installed on
459 */
460 char *install_virtual_ip_on;
461
7beb31aa
TB		 462 /**
463 * whether preferred source addresses can be specified for IPv6 routes
464 */
465 bool rta_prefsrc_for_ipv6;
466
d266e895
TE		 467 /**
468 * list with routing tables to be excluded from route lookup
469 */
470 linked_list_t *rt_exclude;
507f26f6
TB		 471};
472
f834249c
TB		 473/**
474 * Forward declaration
475 */
476static status_t manage_srcroute(private_kernel_netlink_net_t *this,
477 int nlmsg_type, int flags, chunk_t dst_net,
478 u_int8_t prefixlen, host_t *gateway,
479 host_t *src_ip, char *if_name);
480
481/**
482 * Clear the queued network changes.
483 */
484static void net_changes_clear(private_kernel_netlink_net_t *this)
485{
486 enumerator_t *enumerator;
487 net_change_t *change;
488
489 enumerator = this->net_changes->create_enumerator(this->net_changes);
490 while (enumerator->enumerate(enumerator, NULL, (void**)&change))
491 {
492 this->net_changes->remove_at(this->net_changes, enumerator);
493 net_change_destroy(change);
494 }
495 enumerator->destroy(enumerator);
496}
497
498/**
499 * Act upon queued network changes.
500 */
501static job_requeue_t reinstall_routes(private_kernel_netlink_net_t *this)
502{
503 enumerator_t *enumerator;
504 route_entry_t *route;
505
506 this->net_changes_lock->lock(this->net_changes_lock);
16d62305 507 this->routes_lock->lock(this->routes_lock);
f834249c
TB		 508
509 enumerator = this->routes->create_enumerator(this->routes);
510 while (enumerator->enumerate(enumerator, NULL, (void**)&route))
511 {
512 net_change_t *change, lookup = {
513 .if_name = route->if_name,
514 };
c732e220 515 /* check if a change for the outgoing interface is queued */
f834249c
TB		 516 change = this->net_changes->get(this->net_changes, &lookup);
517 if (!change)
c732e220 518 { /* in case src_ip is not on the outgoing interface */
9ba36c0f
TB		 519 if (this->public.interface.get_interface(&this->public.interface,
520 route->src_ip, &lookup.if_name))
c732e220 521 {
9ba36c0f
TB		 522 if (!streq(lookup.if_name, route->if_name))
523 {
524 change = this->net_changes->get(this->net_changes, &lookup);
525 }
526 free(lookup.if_name);
c732e220 527 }
f834249c
TB		 528 }
529 if (change)
530 {
531 manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
532 route->dst_net, route->prefixlen, route->gateway,
533 route->src_ip, route->if_name);
534 }
535 }
536 enumerator->destroy(enumerator);
16d62305 537 this->routes_lock->unlock(this->routes_lock);
f834249c
TB		 538
539 net_changes_clear(this);
540 this->net_changes_lock->unlock(this->net_changes_lock);
541 return JOB_REQUEUE_NONE;
542}
543
544/**
545 * Queue route reinstallation caused by network changes for a given interface.
f834249c
TB		 546 *
547 * The route reinstallation is delayed for a while and only done once for
548 * several calls during this delay, in order to avoid doing it too often.
c732e220 549 * The interface name is freed.
f834249c
TB		 550 */
551static void queue_route_reinstall(private_kernel_netlink_net_t *this,
c732e220 552 char *if_name)
f834249c
TB		 553{
554 net_change_t *update, *found;
555 timeval_t now;
556 job_t *job;
557
558 INIT(update,
c732e220 559 .if_name = if_name
f834249c
TB		 560 );
561
562 this->net_changes_lock->lock(this->net_changes_lock);
c732e220 563 found = this->net_changes->put(this->net_changes, update, update);
f834249c
TB		 564 if (found)
565 {
c732e220 566 net_change_destroy(found);
f834249c
TB		 567 }
568 time_monotonic(&now);
569 if (timercmp(&now, &this->last_route_reinstall, >))
570 {
eecd41e3 571 timeval_add_ms(&now, ROUTE_DELAY);
f834249c
TB		 572 this->last_route_reinstall = now;
573
574 job = (job_t*)callback_job_create((callback_job_cb_t)reinstall_routes,
575 this, NULL, NULL);
576 lib->scheduler->schedule_job_ms(lib->scheduler, job, ROUTE_DELAY);
577 }
578 this->net_changes_lock->unlock(this->net_changes_lock);
579}
580
507f26f6 581/**
c6b40158
TB		 582 * check if the given IP is known as virtual IP and currently installed
583 *
584 * this function will also return TRUE if the virtual IP entry disappeared.
585 * in that case the returned entry will be NULL.
586 *
a25d536e 587 * this->lock must be held when calling this function
507f26f6 588 */
c6b40158
TB		 589static bool is_vip_installed_or_gone(private_kernel_netlink_net_t *this,
590 host_t *ip, addr_map_entry_t **entry)
507f26f6 591{
c6b40158
TB		 592 addr_map_entry_t lookup = {
593 .ip = ip,
594 };
7daf5226 595
c6b40158
TB		 596 *entry = this->vips->get_match(this->vips, &lookup,
597 (void*)addr_map_entry_match);
598 if (*entry == NULL)
599 { /* the virtual IP disappeared */
600 return TRUE;
507f26f6 601 }
c6b40158
TB		 602 return (*entry)->addr->installed;
603}
7daf5226 604
c6b40158
TB		 605/**
606 * check if the given IP is known as virtual IP
607 *
a25d536e 608 * this->lock must be held when calling this function
c6b40158
TB		 609 */
610static bool is_known_vip(private_kernel_netlink_net_t *this, host_t *ip)
611{
612 addr_map_entry_t lookup = {
613 .ip = ip,
614 };
615
616 return this->vips->get_match(this->vips, &lookup,
617 (void*)addr_map_entry_match) != NULL;
507f26f6
TB		 618}
619
1f97e1aa
TB		 620/**
621 * Add an address map entry
622 */
c6b40158
TB		 623static void addr_map_entry_add(hashtable_t *map, addr_entry_t *addr,
624 iface_entry_t *iface)
1f97e1aa
TB		 625{
626 addr_map_entry_t *entry;
627
1f97e1aa
TB		 628 INIT(entry,
629 .ip = addr->ip,
c6b40158 630 .addr = addr,
1f97e1aa
TB		 631 .iface = iface,
632 );
c6b40158 633 entry = map->put(map, entry, entry);
1f97e1aa
TB		 634 free(entry);
635}
636
637/**
c6b40158 638 * Remove an address map entry
1f97e1aa 639 */
c6b40158
TB		 640static void addr_map_entry_remove(hashtable_t *map, addr_entry_t *addr,
641 iface_entry_t *iface)
1f97e1aa
TB		 642{
643 addr_map_entry_t *entry, lookup = {
644 .ip = addr->ip,
c6b40158 645 .addr = addr,
1f97e1aa
TB		 646 .iface = iface,
647 };
648
c6b40158 649 entry = map->remove(map, &lookup);
1f97e1aa
TB		 650 free(entry);
651}
652
29607690
TB		 653/**
654 * get the first non-virtual ip address on the given interface.
da6d86dd
TB		 655 * if a candidate address is given, we first search for that address and if not
656 * found return the address as above.
29607690 657 * returned host is a clone, has to be freed by caller.
a25d536e
TB		 658 *
659 * this->lock must be held when calling this function
29607690
TB		 660 */
661static host_t *get_interface_address(private_kernel_netlink_net_t *this,
da6d86dd 662 int ifindex, int family, host_t *candidate)
29607690 663{
29607690 664 iface_entry_t *iface;
c6b40158 665 enumerator_t *addrs;
29607690
TB		 666 addr_entry_t *addr;
667 host_t *ip = NULL;
668
c6b40158
TB		 669 if (this->ifaces->find_first(this->ifaces, (void*)iface_entry_by_index,
670 (void**)&iface, &ifindex) == SUCCESS)
29607690 671 {
c6b40158
TB		 672 if (iface->usable)
673 { /* only use interfaces not excluded by config */
29607690
TB		 674 addrs = iface->addrs->create_enumerator(iface->addrs);
675 while (addrs->enumerate(addrs, &addr))
676 {
c6b40158
TB		 677 if (addr->refcount)
678 { /* ignore virtual IP addresses */
da6d86dd
TB		 679 continue;
680 }
681 if (addr->ip->get_family(addr->ip) == family)
682 {
683 if (!candidate || candidate->ip_equals(candidate, addr->ip))
684 { /* stop at the first address if we don't search for a
685 * candidate or if the candidate matches */
686 ip = addr->ip;
687 break;
688 }
689 else if (!ip)
690 { /* store the first address as fallback if candidate is
691 * not found */
692 ip = addr->ip;
693 }
29607690
TB		 694 }
695 }
696 addrs->destroy(addrs);
29607690
TB		 697 }
698 }
a25d536e 699 return ip ? ip->clone(ip) : NULL;
29607690
TB		 700}
701
507f26f6 702/**
ba26508d 703 * callback function that raises the delayed roam event
507f26f6 704 */
77d4a028 705static job_requeue_t roam_event(private_kernel_netlink_net_t *this)
ba26508d 706{
77d4a028
TB		 707 bool address;
708
709 this->roam_lock->lock(this->roam_lock);
710 address = this->roam_address;
711 this->roam_address = FALSE;
712 this->roam_lock->unlock(this->roam_lock);
713 hydra->kernel_interface->roam(hydra->kernel_interface, address);
ba26508d
TB		 714 return JOB_REQUEUE_NONE;
715}
716
717/**
718 * fire a roaming event. we delay it for a bit and fire only one event
719 * for multiple calls. otherwise we would create too many events.
720 */
721static void fire_roam_event(private_kernel_netlink_net_t *this, bool address)
507f26f6 722{
de578445 723 timeval_t now;
ba26508d 724 job_t *job;
7daf5226 725
37873f99
TB		 726 if (!this->roam_events)
727 {
728 return;
729 }
730
de578445 731 time_monotonic(&now);
4134108c 732 this->roam_lock->lock(this->roam_lock);
11f46853 733 this->roam_address |= address;
4134108c 734 if (!timercmp(&now, &this->next_roam, >))
507f26f6 735 {
4134108c
TB		 736 this->roam_lock->unlock(this->roam_lock);
737 return;
507f26f6 738 }
eecd41e3 739 timeval_add_ms(&now, ROAM_DELAY);
4134108c
TB		 740 this->next_roam = now;
741 this->roam_lock->unlock(this->roam_lock);
742
743 job = (job_t*)callback_job_create((callback_job_cb_t)roam_event,
77d4a028 744 this, NULL, NULL);
4134108c 745 lib->scheduler->schedule_job_ms(lib->scheduler, job, ROAM_DELAY);
507f26f6
TB		 746}
747
940e1b0f
TB		 748/**
749 * check if an interface with a given index is up and usable
c6b40158 750 *
a25d536e 751 * this->lock must be locked when calling this function
940e1b0f
TB		 752 */
753static bool is_interface_up_and_usable(private_kernel_netlink_net_t *this,
754 int index)
755{
756 iface_entry_t *iface;
757
758 if (this->ifaces->find_first(this->ifaces, (void*)iface_entry_by_index,
759 (void**)&iface, &index) == SUCCESS)
760 {
761 return iface_entry_up_and_usable(iface);
762 }
763 return FALSE;
764}
765
c6b40158
TB		 766/**
767 * unregister the current addr_entry_t from the hashtable it is stored in
768 *
a25d536e 769 * this->lock must be locked when calling this function
c6b40158 770 */
e8e9048f 771static void addr_entry_unregister(addr_entry_t *addr, iface_entry_t *iface,
c6b40158
TB		 772 private_kernel_netlink_net_t *this)
773{
774 if (addr->refcount)
775 {
776 addr_map_entry_remove(this->vips, addr, iface);
777 this->condvar->broadcast(this->condvar);
778 return;
779 }
780 addr_map_entry_remove(this->addrs, addr, iface);
781}
782
507f26f6
TB		 783/**
784 * process RTM_NEWLINK/RTM_DELLINK from kernel
785 */
786static void process_link(private_kernel_netlink_net_t *this,
787 struct nlmsghdr *hdr, bool event)
788{
789 struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
790 struct rtattr *rta = IFLA_RTA(msg);
791 size_t rtasize = IFLA_PAYLOAD (hdr);
e13389a7 792 enumerator_t *enumerator;
507f26f6
TB		 793 iface_entry_t *current, *entry = NULL;
794 char *name = NULL;
f834249c 795 bool update = FALSE, update_routes = FALSE;
7daf5226 796
f834249c 797 while (RTA_OK(rta, rtasize))
507f26f6
TB		 798 {
799 switch (rta->rta_type)
800 {
801 case IFLA_IFNAME:
802 name = RTA_DATA(rta);
803 break;
804 }
805 rta = RTA_NEXT(rta, rtasize);
806 }
807 if (!name)
808 {
809 name = "(unknown)";
810 }
7daf5226 811
a25d536e 812 this->lock->write_lock(this->lock);
507f26f6
TB		 813 switch (hdr->nlmsg_type)
814 {
815 case RTM_NEWLINK:
816 {
c6b40158
TB		 817 if (this->ifaces->find_first(this->ifaces,
818 (void*)iface_entry_by_index, (void**)&entry,
819 &msg->ifi_index) != SUCCESS)
507f26f6 820 {
c6b40158
TB		 821 INIT(entry,
822 .ifindex = msg->ifi_index,
823 .addrs = linked_list_create(),
824 .usable = hydra->kernel_interface->is_interface_usable(
825 hydra->kernel_interface, name),
826 );
507f26f6
TB		 827 this->ifaces->insert_last(this->ifaces, entry);
828 }
f526b35c 829 strncpy(entry->ifname, name, IFNAMSIZ);
507f26f6 830 entry->ifname[IFNAMSIZ-1] = '\0';
940e1b0f 831 if (event && entry->usable)
507f26f6
TB		 832 {
833 if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
834 {
f834249c 835 update = update_routes = TRUE;
507f26f6
TB		 836 DBG1(DBG_KNL, "interface %s activated", name);
837 }
838 if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
839 {
840 update = TRUE;
841 DBG1(DBG_KNL, "interface %s deactivated", name);
842 }
843 }
844 entry->flags = msg->ifi_flags;
507f26f6
TB		 845 break;
846 }
847 case RTM_DELLINK:
848 {
e13389a7
MW		 849 enumerator = this->ifaces->create_enumerator(this->ifaces);
850 while (enumerator->enumerate(enumerator, &current))
507f26f6
TB		 851 {
852 if (current->ifindex == msg->ifi_index)
853 {
940e1b0f 854 if (event && current->usable)
7b218736
MP		 855 {
856 update = TRUE;
857 DBG1(DBG_KNL, "interface %s deleted", current->ifname);
858 }
c6b40158
TB		 859 /* TODO: move virtual IPs installed on this interface to
860 * another interface? */
7b218736 861 this->ifaces->remove_at(this->ifaces, enumerator);
1f97e1aa 862 current->addrs->invoke_function(current->addrs,
e8e9048f 863 (void*)addr_entry_unregister, current, this);
7b218736 864 iface_entry_destroy(current);
507f26f6
TB		 865 break;
866 }
867 }
e13389a7 868 enumerator->destroy(enumerator);
507f26f6
TB		 869 break;
870 }
871 }
a25d536e 872 this->lock->unlock(this->lock);
7daf5226 873
f834249c
TB		 874 if (update_routes && event)
875 {
c732e220 876 queue_route_reinstall(this, strdup(name));
f834249c
TB		 877 }
878
507f26f6
TB		 879 if (update && event)
880 {
ba26508d 881 fire_roam_event(this, TRUE);
507f26f6
TB		 882 }
883}
884
885/**
886 * process RTM_NEWADDR/RTM_DELADDR from kernel
887 */
888static void process_addr(private_kernel_netlink_net_t *this,
889 struct nlmsghdr *hdr, bool event)
890{
891 struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
892 struct rtattr *rta = IFA_RTA(msg);
893 size_t rtasize = IFA_PAYLOAD (hdr);
894 host_t *host = NULL;
507f26f6 895 iface_entry_t *iface;
507f26f6 896 chunk_t local = chunk_empty, address = chunk_empty;
f834249c 897 char *route_ifname = NULL;
507f26f6 898 bool update = FALSE, found = FALSE, changed = FALSE;
7daf5226 899
f834249c 900 while (RTA_OK(rta, rtasize))
507f26f6
TB		 901 {
902 switch (rta->rta_type)
903 {
904 case IFA_LOCAL:
905 local.ptr = RTA_DATA(rta);
906 local.len = RTA_PAYLOAD(rta);
907 break;
908 case IFA_ADDRESS:
909 address.ptr = RTA_DATA(rta);
910 address.len = RTA_PAYLOAD(rta);
911 break;
912 }
913 rta = RTA_NEXT(rta, rtasize);
914 }
7daf5226 915
507f26f6
TB		 916 /* For PPP interfaces, we need the IFA_LOCAL address,
917 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
918 * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
919 if (local.ptr)
920 {
921 host = host_create_from_chunk(msg->ifa_family, local, 0);
922 }
923 else if (address.ptr)
924 {
925 host = host_create_from_chunk(msg->ifa_family, address, 0);
926 }
7daf5226 927
507f26f6
TB		 928 if (host == NULL)
929 { /* bad family? */
930 return;
931 }
7daf5226 932
a25d536e 933 this->lock->write_lock(this->lock);
c6b40158
TB		 934 if (this->ifaces->find_first(this->ifaces, (void*)iface_entry_by_index,
935 (void**)&iface, &msg->ifa_index) == SUCCESS)
507f26f6 936 {
c6b40158
TB		 937 addr_map_entry_t *entry, lookup = {
938 .ip = host,
939 .iface = iface,
940 };
941 addr_entry_t *addr;
942
943 entry = this->vips->get(this->vips, &lookup);
944 if (entry)
507f26f6 945 {
c6b40158
TB		 946 if (hdr->nlmsg_type == RTM_NEWADDR)
947 { /* mark as installed and signal waiting threads */
948 entry->addr->installed = TRUE;
949 }
950 else
951 { /* the address was already marked as uninstalled */
952 addr = entry->addr;
953 iface->addrs->remove(iface->addrs, addr, NULL);
954 addr_map_entry_remove(this->vips, addr, iface);
955 addr_entry_destroy(addr);
956 }
957 /* no roam events etc. for virtual IPs */
958 this->condvar->broadcast(this->condvar);
a25d536e 959 this->lock->unlock(this->lock);
c6b40158
TB		 960 host->destroy(host);
961 return;
962 }
963 entry = this->addrs->get(this->addrs, &lookup);
964 if (entry)
965 {
966 if (hdr->nlmsg_type == RTM_DELADDR)
507f26f6 967 {
c6b40158
TB		 968 found = TRUE;
969 addr = entry->addr;
970 iface->addrs->remove(iface->addrs, addr, NULL);
971 if (iface->usable)
507f26f6 972 {
c6b40158
TB		 973 changed = TRUE;
974 DBG1(DBG_KNL, "%H disappeared from %s", host,
975 iface->ifname);
507f26f6 976 }
c6b40158
TB		 977 addr_map_entry_remove(this->addrs, addr, iface);
978 addr_entry_destroy(addr);
507f26f6 979 }
c6b40158
TB		 980 }
981 else
982 {
507f26f6
TB		 983 if (hdr->nlmsg_type == RTM_NEWADDR)
984 {
c6b40158
TB		 985 found = TRUE;
986 changed = TRUE;
987 route_ifname = strdup(iface->ifname);
988 INIT(addr,
989 .ip = host->clone(host),
990 .scope = msg->ifa_scope,
991 );
992 iface->addrs->insert_last(iface->addrs, addr);
993 addr_map_entry_add(this->addrs, addr, iface);
994 if (event && iface->usable)
507f26f6 995 {
c6b40158 996 DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
507f26f6
TB		 997 }
998 }
c6b40158
TB		 999 }
1000 if (found && (iface->flags & IFF_UP))
1001 {
1002 update = TRUE;
1003 }
1004 if (!iface->usable)
1005 { /* ignore events for interfaces excluded by config */
1006 update = changed = FALSE;
507f26f6
TB		 1007 }
1008 }
a25d536e 1009 this->lock->unlock(this->lock);
f834249c
TB		 1010
1011 if (update && event && route_ifname)
1012 {
c732e220 1013 queue_route_reinstall(this, route_ifname);
f834249c
TB		 1014 }
1015 else
1016 {
1017 free(route_ifname);
1018 }
507f26f6 1019 host->destroy(host);
7daf5226 1020
507f26f6
TB		 1021 /* send an update to all IKE_SAs */
1022 if (update && event && changed)
1023 {
ba26508d 1024 fire_roam_event(this, TRUE);
507f26f6
TB		 1025 }
1026}
1027
1028/**
1029 * process RTM_NEWROUTE and RTM_DELROUTE from kernel
1030 */
1031static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *hdr)
1032{
1033 struct rtmsg* msg = (struct rtmsg*)(NLMSG_DATA(hdr));
1034 struct rtattr *rta = RTM_RTA(msg);
1035 size_t rtasize = RTM_PAYLOAD(hdr);
29607690 1036 u_int32_t rta_oif = 0;
507f26f6 1037 host_t *host = NULL;
7daf5226 1038
ec0c756d
TB		 1039 /* ignore routes added by us or in the local routing table (local addrs) */
1040 if (msg->rtm_table && (msg->rtm_table == this->routing_table ||
1041 msg->rtm_table == RT_TABLE_LOCAL))
85be7e5b
MW		 1042 {
1043 return;
1044 }
8ec51f83
TB		 1045 else if (msg->rtm_flags & RTM_F_CLONED)
1046 { /* ignore cached routes, seem to be created a lot for IPv6 */
1047 return;
1048 }
7daf5226 1049
507f26f6
TB		 1050 while (RTA_OK(rta, rtasize))
1051 {
1052 switch (rta->rta_type)
1053 {
1054 case RTA_PREFSRC:
862ef49f 1055 DESTROY_IF(host);
507f26f6
TB		 1056 host = host_create_from_chunk(msg->rtm_family,
1057 chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)), 0);
1058 break;
29607690
TB		 1059 case RTA_OIF:
1060 if (RTA_PAYLOAD(rta) == sizeof(rta_oif))
1061 {
1062 rta_oif = *(u_int32_t*)RTA_DATA(rta);
1063 }
1064 break;
507f26f6
TB		 1065 }
1066 rta = RTA_NEXT(rta, rtasize);
1067 }
a25d536e 1068 this->lock->read_lock(this->lock);
940e1b0f
TB		 1069 if (rta_oif && !is_interface_up_and_usable(this, rta_oif))
1070 { /* ignore route changes for interfaces that are ignored or down */
a25d536e 1071 this->lock->unlock(this->lock);
940e1b0f
TB		 1072 DESTROY_IF(host);
1073 return;
1074 }
29607690
TB		 1075 if (!host && rta_oif)
1076 {
da6d86dd 1077 host = get_interface_address(this, rta_oif, msg->rtm_family, NULL);
29607690 1078 }
a25d536e
TB		 1079 if (!host || is_known_vip(this, host))
1080 { /* ignore routes added for virtual IPs */
1081 this->lock->unlock(this->lock);
1082 DESTROY_IF(host);
1083 return;
507f26f6 1084 }
a25d536e
TB		 1085 this->lock->unlock(this->lock);
1086 fire_roam_event(this, FALSE);
1087 host->destroy(host);
507f26f6
TB		 1088}
1089
1090/**
1091 * Receives events from kernel
1092 */
f4f77d74
MW		 1093static bool receive_events(private_kernel_netlink_net_t *this, int fd,
1094 watcher_event_t event)
507f26f6 1095{
ec331a7d 1096 char response[1536];
507f26f6
TB		 1097 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
1098 struct sockaddr_nl addr;
1099 socklen_t addr_len = sizeof(addr);
4a5a5dd2 1100 int len;
7daf5226 1101
f4f77d74
MW		 1102 len = recvfrom(this->socket_events, response, sizeof(response),
1103 MSG_DONTWAIT, (struct sockaddr*)&addr, &addr_len);
507f26f6
TB		 1104 if (len < 0)
1105 {
1106 switch (errno)
1107 {
1108 case EINTR:
1109 /* interrupted, try again */
f4f77d74 1110 return TRUE;
507f26f6
TB		 1111 case EAGAIN:
1112 /* no data ready, select again */
f4f77d74 1113 return TRUE;
507f26f6
TB		 1114 default:
1115 DBG1(DBG_KNL, "unable to receive from rt event socket");
1116 sleep(1);
f4f77d74 1117 return TRUE;
507f26f6
TB		 1118 }
1119 }
7daf5226 1120
507f26f6
TB		 1121 if (addr.nl_pid != 0)
1122 { /* not from kernel. not interested, try another one */
f4f77d74 1123 return TRUE;
507f26f6 1124 }
7daf5226 1125
507f26f6
TB		 1126 while (NLMSG_OK(hdr, len))
1127 {
1128 /* looks good so far, dispatch netlink message */
1129 switch (hdr->nlmsg_type)
1130 {
1131 case RTM_NEWADDR:
1132 case RTM_DELADDR:
1133 process_addr(this, hdr, TRUE);
507f26f6
TB		 1134 break;
1135 case RTM_NEWLINK:
1136 case RTM_DELLINK:
1137 process_link(this, hdr, TRUE);
507f26f6
TB		 1138 break;
1139 case RTM_NEWROUTE:
1140 case RTM_DELROUTE:
1141 if (this->process_route)
1142 {
1143 process_route(this, hdr);
1144 }
1145 break;
1146 default:
1147 break;
1148 }
1149 hdr = NLMSG_NEXT(hdr, len);
1150 }
f4f77d74 1151 return TRUE;
507f26f6
TB		 1152}
1153
1154/** enumerator over addresses */
1155typedef struct {
1156 private_kernel_netlink_net_t* this;
4106aea8
TB		 1157 /** which addresses to enumerate */
1158 kernel_address_type_t which;
507f26f6
TB		 1159} address_enumerator_t;
1160
1161/**
1162 * cleanup function for address enumerator
1163 */
1164static void address_enumerator_destroy(address_enumerator_t *data)
1165{
a25d536e 1166 data->this->lock->unlock(data->this->lock);
507f26f6
TB		 1167 free(data);
1168}
1169
1170/**
1171 * filter for addresses
1172 */
887abfb1
MW		 1173static bool filter_addresses(address_enumerator_t *data,
1174 addr_entry_t** in, host_t** out)
507f26f6 1175{
c6b40158 1176 if (!(data->which & ADDR_TYPE_VIRTUAL) && (*in)->refcount)
507f26f6
TB		 1177 { /* skip virtual interfaces added by us */
1178 return FALSE;
1179 }
1a2a8bff
MW		 1180 if (!(data->which & ADDR_TYPE_REGULAR) && !(*in)->refcount)
1181 { /* address is regular, but not requested */
1182 return FALSE;
1183 }
507f26f6
TB		 1184 if ((*in)->scope >= RT_SCOPE_LINK)
1185 { /* skip addresses with a unusable scope */
1186 return FALSE;
1187 }
1188 *out = (*in)->ip;
1189 return TRUE;
1190}
1191
1192/**
1193 * enumerator constructor for interfaces
1194 */
887abfb1
MW		 1195static enumerator_t *create_iface_enumerator(iface_entry_t *iface,
1196 address_enumerator_t *data)
507f26f6 1197{
887abfb1
MW		 1198 return enumerator_create_filter(
1199 iface->addrs->create_enumerator(iface->addrs),
507f26f6
TB		 1200 (void*)filter_addresses, data, NULL);
1201}
1202
1203/**
1204 * filter for interfaces
1205 */
887abfb1
MW		 1206static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in,
1207 iface_entry_t** out)
507f26f6 1208{
4106aea8 1209 if (!(data->which & ADDR_TYPE_IGNORED) && !(*in)->usable)
940e1b0f
TB		 1210 { /* skip interfaces excluded by config */
1211 return FALSE;
1212 }
4106aea8 1213 if (!(data->which & ADDR_TYPE_LOOPBACK) && ((*in)->flags & IFF_LOOPBACK))
aed33805
TB		 1214 { /* ignore loopback devices */
1215 return FALSE;
1216 }
4106aea8 1217 if (!(data->which & ADDR_TYPE_DOWN) && !((*in)->flags & IFF_UP))
507f26f6
TB		 1218 { /* skip interfaces not up */
1219 return FALSE;
1220 }
1221 *out = *in;
1222 return TRUE;
1223}
1224
887abfb1 1225METHOD(kernel_net_t, create_address_enumerator, enumerator_t*,
4106aea8 1226 private_kernel_netlink_net_t *this, kernel_address_type_t which)
507f26f6 1227{
1a2a8bff
MW		 1228 address_enumerator_t *data;
1229
1230 INIT(data,
1231 .this = this,
1232 .which = which,
1233 );
7daf5226 1234
a25d536e 1235 this->lock->read_lock(this->lock);
507f26f6 1236 return enumerator_create_nested(
887abfb1
MW		 1237 enumerator_create_filter(
1238 this->ifaces->create_enumerator(this->ifaces),
1239 (void*)filter_interfaces, data, NULL),
1240 (void*)create_iface_enumerator, data,
1241 (void*)address_enumerator_destroy);
507f26f6
TB		 1242}
1243
9ba36c0f
TB		 1244METHOD(kernel_net_t, get_interface_name, bool,
1245 private_kernel_netlink_net_t *this, host_t* ip, char **name)
507f26f6 1246{
1f97e1aa
TB		 1247 addr_map_entry_t *entry, lookup = {
1248 .ip = ip,
1249 };
7daf5226 1250
645d7a5e
TB		 1251 if (ip->is_anyaddr(ip))
1252 {
1253 return FALSE;
1254 }
a25d536e 1255 this->lock->read_lock(this->lock);
1f97e1aa
TB		 1256 /* first try to find it on an up and usable interface */
1257 entry = this->addrs->get_match(this->addrs, &lookup,
1258 (void*)addr_map_entry_match_up_and_usable);
1259 if (entry)
507f26f6 1260 {
1f97e1aa 1261 if (name)
507f26f6 1262 {
1f97e1aa
TB		 1263 *name = strdup(entry->iface->ifname);
1264 DBG2(DBG_KNL, "%H is on interface %s", ip, *name);
507f26f6 1265 }
a25d536e 1266 this->lock->unlock(this->lock);
1f97e1aa 1267 return TRUE;
507f26f6 1268 }
544c2e3d
MW		 1269 /* in a second step, consider virtual IPs installed by us */
1270 entry = this->vips->get_match(this->vips, &lookup,
1271 (void*)addr_map_entry_match_up_and_usable);
1272 if (entry)
1273 {
1274 if (name)
1275 {
1276 *name = strdup(entry->iface->ifname);
5310f485 1277 DBG2(DBG_KNL, "virtual IP %H is on interface %s", ip, *name);
544c2e3d
MW		 1278 }
1279 this->lock->unlock(this->lock);
1280 return TRUE;
1281 }
1f97e1aa
TB		 1282 /* maybe it is installed on an ignored interface */
1283 entry = this->addrs->get_match(this->addrs, &lookup,
1284 (void*)addr_map_entry_match_up);
1285 if (!entry)
507f26f6 1286 {
1f97e1aa 1287 DBG2(DBG_KNL, "%H is not a local address or the interface is down", ip);
507f26f6 1288 }
a25d536e 1289 this->lock->unlock(this->lock);
1f97e1aa 1290 return FALSE;
507f26f6
TB		 1291}
1292
1293/**
1294 * get the index of an interface by name
1295 */
1296static int get_interface_index(private_kernel_netlink_net_t *this, char* name)
1297{
507f26f6
TB		 1298 iface_entry_t *iface;
1299 int ifindex = 0;
7daf5226 1300
507f26f6 1301 DBG2(DBG_KNL, "getting iface index for %s", name);
7daf5226 1302
a25d536e 1303 this->lock->read_lock(this->lock);
c6b40158
TB		 1304 if (this->ifaces->find_first(this->ifaces, (void*)iface_entry_by_name,
1305 (void**)&iface, name) == SUCCESS)
507f26f6 1306 {
c6b40158 1307 ifindex = iface->ifindex;
507f26f6 1308 }
a25d536e 1309 this->lock->unlock(this->lock);
507f26f6
TB		 1310
1311 if (ifindex == 0)
1312 {
1313 DBG1(DBG_KNL, "unable to get interface index for %s", name);
1314 }
1315 return ifindex;
1316}
1317
1318/**
1319 * check if an address (chunk) addr is in subnet (net with net_len net bits)
1320 */
1321static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
1322{
03d5f411
AS		 1323 static const u_char mask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
1324 int byte = 0;
7daf5226 1325
d1769942
MW		 1326 if (net_len == 0)
1327 { /* any address matches a /0 network */
1328 return TRUE;
1329 }
03d5f411 1330 if (addr.len != net.len || net_len > 8 * net.len )
507f26f6
TB		 1331 {
1332 return FALSE;
1333 }
03d5f411
AS		 1334 /* scan through all bytes in network order */
1335 while (net_len > 0)
507f26f6 1336 {
03d5f411 1337 if (net_len < 8)
507f26f6 1338 {
03d5f411
AS		 1339 return (mask[net_len] & addr.ptr[byte]) == (mask[net_len] & net.ptr[byte]);
1340 }
1341 else
1342 {
1343 if (addr.ptr[byte] != net.ptr[byte])
507f26f6
TB		 1344 {
1345 return FALSE;
1346 }
03d5f411
AS		 1347 byte++;
1348 net_len -= 8;
507f26f6
TB		 1349 }
1350 }
1351 return TRUE;
1352}
1353
66253465
TB		 1354/**
1355 * Store information about a route retrieved via RTNETLINK
1356 */
1357typedef struct {
1358 chunk_t gtw;
1359 chunk_t src;
1360 chunk_t dst;
1361 host_t *src_host;
1362 u_int8_t dst_len;
1363 u_int32_t table;
1364 u_int32_t oif;
1365} rt_entry_t;
1366
1367/**
1368 * Free a route entry
1369 */
1370static void rt_entry_destroy(rt_entry_t *this)
1371{
1372 DESTROY_IF(this->src_host);
1373 free(this);
1374}
1375
1376/**
1377 * Parse route received with RTM_NEWROUTE. The given rt_entry_t object will be
1378 * reused if not NULL.
1379 *
1380 * Returned chunks point to internal data of the Netlink message.
1381 */
1382static rt_entry_t *parse_route(struct nlmsghdr *hdr, rt_entry_t *route)
1383{
1384 struct rtattr *rta;
1385 struct rtmsg *msg;
1386 size_t rtasize;
1387
1388 msg = (struct rtmsg*)(NLMSG_DATA(hdr));
1389 rta = RTM_RTA(msg);
1390 rtasize = RTM_PAYLOAD(hdr);
1391
1392 if (route)
1393 {
1394 route->gtw = chunk_empty;
1395 route->src = chunk_empty;
1396 route->dst = chunk_empty;
1397 route->dst_len = msg->rtm_dst_len;
1398 route->table = msg->rtm_table;
1399 route->oif = 0;
1400 }
1401 else
1402 {
1403 INIT(route,
1404 .dst_len = msg->rtm_dst_len,
1405 .table = msg->rtm_table,
1406 );
1407 }
1408
1409 while (RTA_OK(rta, rtasize))
1410 {
1411 switch (rta->rta_type)
1412 {
1413 case RTA_PREFSRC:
1414 route->src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1415 break;
1416 case RTA_GATEWAY:
1417 route->gtw = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1418 break;
1419 case RTA_DST:
1420 route->dst = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1421 break;
1422 case RTA_OIF:
1423 if (RTA_PAYLOAD(rta) == sizeof(route->oif))
1424 {
1425 route->oif = *(u_int32_t*)RTA_DATA(rta);
1426 }
1427 break;
1428#ifdef HAVE_RTA_TABLE
1429 case RTA_TABLE:
1430 if (RTA_PAYLOAD(rta) == sizeof(route->table))
1431 {
1432 route->table = *(u_int32_t*)RTA_DATA(rta);
1433 }
1434 break;
1435#endif /* HAVE_RTA_TABLE*/
1436 }
1437 rta = RTA_NEXT(rta, rtasize);
1438 }
1439 return route;
1440}
1441
507f26f6
TB		 1442/**
1443 * Get a route: If "nexthop", the nexthop is returned. source addr otherwise.
1444 */
1445static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
cbd52e7d 1446 bool nexthop, host_t *candidate, u_int recursion)
507f26f6 1447{
21bf86f7 1448 netlink_buf_t request;
507f26f6
TB		 1449 struct nlmsghdr *hdr, *out, *current;
1450 struct rtmsg *msg;
1451 chunk_t chunk;
1452 size_t len;
66253465
TB		 1453 linked_list_t *routes;
1454 rt_entry_t *route = NULL, *best = NULL;
d266e895 1455 enumerator_t *enumerator;
66253465 1456 host_t *addr = NULL;
7daf5226 1457
cbd52e7d
TB		 1458 if (recursion > MAX_ROUTE_RECURSION)
1459 {
1460 return NULL;
1461 }
1462
507f26f6
TB		 1463 memset(&request, 0, sizeof(request));
1464
1465 hdr = (struct nlmsghdr*)request;
5be75c2c 1466 hdr->nlmsg_flags = NLM_F_REQUEST;
7beb31aa
TB		 1467 if (dest->get_family(dest) == AF_INET || this->rta_prefsrc_for_ipv6 ||
1468 this->routing_table)
1469 { /* kernels prior to 3.0 do not support RTA_PREFSRC for IPv6 routes.
1470 * as we want to ignore routes with virtual IPs we cannot use DUMP
1471 * if these routes are not installed in a separate table */
5c1332bf 1472 hdr->nlmsg_flags |= NLM_F_DUMP;
5be75c2c 1473 }
507f26f6
TB		 1474 hdr->nlmsg_type = RTM_GETROUTE;
1475 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1476
1477 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1478 msg->rtm_family = dest->get_family(dest);
ce5b1708
MW		 1479 if (candidate)
1480 {
1481 chunk = candidate->get_address(candidate);
1482 netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
1483 }
d1769942
MW		 1484 chunk = dest->get_address(dest);
1485 netlink_add_attribute(hdr, RTA_DST, chunk, sizeof(request));
7daf5226 1486
507f26f6
TB		 1487 if (this->socket->send(this->socket, hdr, &out, &len) != SUCCESS)
1488 {
66253465
TB		 1489 DBG2(DBG_KNL, "getting %s to reach %H failed",
1490 nexthop ? "nexthop" : "address", dest);
507f26f6
TB		 1491 return NULL;
1492 }
66253465 1493 routes = linked_list_create();
a25d536e 1494 this->lock->read_lock(this->lock);
36b7ba5e
MW		 1495
1496 for (current = out; NLMSG_OK(current, len);
1497 current = NLMSG_NEXT(current, len))
507f26f6
TB		 1498 {
1499 switch (current->nlmsg_type)
1500 {
1501 case NLMSG_DONE:
1502 break;
1503 case RTM_NEWROUTE:
1504 {
66253465 1505 rt_entry_t *other;
d266e895 1506 uintptr_t table;
7daf5226 1507
66253465
TB		 1508 route = parse_route(current, route);
1509
1510 table = (uintptr_t)route->table;
1511 if (this->rt_exclude->find_first(this->rt_exclude, NULL,
1512 (void**)&table) == SUCCESS)
1513 { /* route is from an excluded routing table */
d266e895
TE		 1514 continue;
1515 }
fb6c8591 1516 if (this->routing_table != 0 &&
66253465 1517 route->table == this->routing_table)
fb6c8591 1518 { /* route is from our own ipsec routing table */
36b7ba5e 1519 continue;
fb6c8591 1520 }
940e1b0f 1521 if (route->oif && !is_interface_up_and_usable(this, route->oif))
d1769942 1522 { /* interface is down */
36b7ba5e 1523 continue;
fb6c8591 1524 }
66253465 1525 if (!addr_in_subnet(chunk, route->dst, route->dst_len))
d1769942 1526 { /* route destination does not contain dest */
36b7ba5e 1527 continue;
fb6c8591 1528 }
66253465
TB		 1529 if (route->src.ptr)
1530 { /* verify source address, if any */
1531 host_t *src = host_create_from_chunk(msg->rtm_family,
1532 route->src, 0);
c6b40158 1533 if (src && is_known_vip(this, src))
66253465
TB		 1534 { /* ignore routes installed by us */
1535 src->destroy(src);
1536 continue;
507f26f6 1537 }
66253465 1538 route->src_host = src;
fb6c8591 1539 }
66253465
TB		 1540 /* insert route, sorted by decreasing network prefix */
1541 enumerator = routes->create_enumerator(routes);
1542 while (enumerator->enumerate(enumerator, &other))
1543 {
1544 if (route->dst_len > other->dst_len)
507f26f6 1545 {
66253465 1546 break;
507f26f6
TB		 1547 }
1548 }
66253465
TB		 1549 routes->insert_before(routes, enumerator, route);
1550 enumerator->destroy(enumerator);
1551 route = NULL;
36b7ba5e 1552 continue;
507f26f6
TB		 1553 }
1554 default:
507f26f6
TB		 1555 continue;
1556 }
1557 break;
1558 }
66253465
TB		 1559 if (route)
1560 {
1561 rt_entry_destroy(route);
1562 }
1563
1564 /* now we have a list of routes matching dest, sorted by net prefix.
1565 * we will look for source addresses for these routes and select the one
1566 * with the preferred source address, if possible */
1567 enumerator = routes->create_enumerator(routes);
1568 while (enumerator->enumerate(enumerator, &route))
1569 {
1570 if (route->src_host)
1571 { /* got a source address with the route, if no preferred source
1572 * is given or it matches we are done, as this is the best route */
1573 if (!candidate || candidate->ip_equals(candidate, route->src_host))
1574 {
1575 best = route;
1576 break;
1577 }
1578 else if (route->oif)
1579 { /* no match yet, maybe it is assigned to the same interface */
1580 host_t *src = get_interface_address(this, route->oif,
1581 msg->rtm_family, candidate);
1582 if (src && src->ip_equals(src, candidate))
1583 {
1584 route->src_host->destroy(route->src_host);
1585 route->src_host = src;
1586 best = route;
1587 break;
1588 }
1589 DESTROY_IF(src);
1590 }
1591 /* no luck yet with the source address. if this is the best (first)
1592 * route we store it as fallback in case we don't find a route with
1593 * the preferred source */
1594 best = best ?: route;
1595 continue;
1596 }
1597 if (route->oif)
1598 { /* no src, but an interface - get address from it */
1599 route->src_host = get_interface_address(this, route->oif,
1600 msg->rtm_family, candidate);
1601 if (route->src_host)
1602 { /* we handle this address the same as the one above */
1603 if (!candidate ||
1604 candidate->ip_equals(candidate, route->src_host))
1605 {
1606 best = route;
1607 break;
1608 }
1609 best = best ?: route;
1610 continue;
1611 }
1612 }
1613 if (route->gtw.ptr)
1614 { /* no src, no iface, but a gateway - lookup src to reach gtw */
1615 host_t *gtw;
1616
1617 gtw = host_create_from_chunk(msg->rtm_family, route->gtw, 0);
5be88ca6
TB		 1618 if (gtw && !gtw->ip_equals(gtw, dest))
1619 {
cbd52e7d
TB		 1620 route->src_host = get_route(this, gtw, FALSE, candidate,
1621 recursion + 1);
5be88ca6
TB		 1622 }
1623 DESTROY_IF(gtw);
66253465
TB		 1624 if (route->src_host)
1625 { /* more of the same */
1626 if (!candidate ||
1627 candidate->ip_equals(candidate, route->src_host))
1628 {
1629 best = route;
1630 break;
1631 }
1632 best = best ?: route;
1633 }
1634 }
1635 }
1636 enumerator->destroy(enumerator);
7daf5226 1637
507f26f6 1638 if (nexthop)
66253465
TB		 1639 { /* nexthop lookup, return gateway if any */
1640 if (best || routes->get_first(routes, (void**)&best) == SUCCESS)
1641 {
1642 addr = host_create_from_chunk(msg->rtm_family, best->gtw, 0);
1643 }
1644 addr = addr ?: dest->clone(dest);
1645 }
1646 else
507f26f6 1647 {
66253465 1648 if (best)
507f26f6 1649 {
66253465 1650 addr = best->src_host->clone(best->src_host);
507f26f6 1651 }
507f26f6 1652 }
a25d536e 1653 this->lock->unlock(this->lock);
66253465
TB		 1654 routes->destroy_function(routes, (void*)rt_entry_destroy);
1655 free(out);
1656
1657 if (addr)
1658 {
1659 DBG2(DBG_KNL, "using %H as %s to reach %H", addr,
1660 nexthop ? "nexthop" : "address", dest);
1661 }
cbd52e7d 1662 else if (!recursion)
66253465
TB		 1663 {
1664 DBG2(DBG_KNL, "no %s found to reach %H",
1665 nexthop ? "nexthop" : "address", dest);
1666 }
1667 return addr;
507f26f6
TB		 1668}
1669
887abfb1
MW		 1670METHOD(kernel_net_t, get_source_addr, host_t*,
1671 private_kernel_netlink_net_t *this, host_t *dest, host_t *src)
507f26f6 1672{
cbd52e7d 1673 return get_route(this, dest, FALSE, src, 0);
507f26f6
TB		 1674}
1675
887abfb1 1676METHOD(kernel_net_t, get_nexthop, host_t*,
dad6d904 1677 private_kernel_netlink_net_t *this, host_t *dest, host_t *src)
507f26f6 1678{
cbd52e7d 1679 return get_route(this, dest, TRUE, src, 0);
507f26f6
TB		 1680}
1681
1682/**
1683 * Manages the creation and deletion of ip addresses on an interface.
1684 * By setting the appropriate nlmsg_type, the ip will be set or unset.
1685 */
1686static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type,
50bd7558 1687 int flags, int if_index, host_t *ip, int prefix)
507f26f6 1688{
21bf86f7 1689 netlink_buf_t request;
507f26f6
TB		 1690 struct nlmsghdr *hdr;
1691 struct ifaddrmsg *msg;
1692 chunk_t chunk;
7daf5226 1693
507f26f6 1694 memset(&request, 0, sizeof(request));
7daf5226 1695
507f26f6 1696 chunk = ip->get_address(ip);
7daf5226 1697
323f9f99 1698 hdr = (struct nlmsghdr*)request;
507f26f6 1699 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
7daf5226 1700 hdr->nlmsg_type = nlmsg_type;
507f26f6 1701 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
7daf5226 1702
507f26f6 1703 msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
323f9f99
MW		 1704 msg->ifa_family = ip->get_family(ip);
1705 msg->ifa_flags = 0;
50bd7558 1706 msg->ifa_prefixlen = prefix < 0 ? chunk.len * 8 : prefix;
323f9f99
MW		 1707 msg->ifa_scope = RT_SCOPE_UNIVERSE;
1708 msg->ifa_index = if_index;
7daf5226 1709
507f26f6
TB		 1710 netlink_add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
1711
1712 return this->socket->send_ack(this->socket, hdr);
1713}
1714
887abfb1 1715METHOD(kernel_net_t, add_ip, status_t,
50bd7558 1716 private_kernel_netlink_net_t *this, host_t *virtual_ip, int prefix,
b185cdd1 1717 char *iface_name)
507f26f6 1718{
c6b40158
TB		 1719 addr_map_entry_t *entry, lookup = {
1720 .ip = virtual_ip,
1721 };
e8e9048f 1722 iface_entry_t *iface = NULL;
7daf5226 1723
9474a0d9
MW		 1724 if (!this->install_virtual_ip)
1725 { /* disabled by config */
1726 return SUCCESS;
1727 }
7daf5226 1728
a25d536e 1729 this->lock->write_lock(this->lock);
c6b40158
TB		 1730 /* the virtual IP might actually be installed as regular IP, in which case
1731 * we don't track it as virtual IP */
1732 entry = this->addrs->get_match(this->addrs, &lookup,
1733 (void*)addr_map_entry_match);
1734 if (!entry)
1735 { /* otherwise it might already be installed as virtual IP */
1736 entry = this->vips->get_match(this->vips, &lookup,
1737 (void*)addr_map_entry_match);
1738 if (entry)
1739 { /* the vip we found can be in one of three states: 1) installed and
1740 * ready, 2) just added by another thread, but not yet confirmed to
1741 * be installed by the kernel, 3) just deleted, but not yet gone.
1742 * Then while we wait below, several things could happen (as we
a25d536e 1743 * release the lock). For instance, the interface could disappear,
e8e9048f 1744 * or the IP is finally deleted, and it reappears on a different
c6b40158
TB		 1745 * interface. All these cases are handled by the call below. */
1746 while (!is_vip_installed_or_gone(this, virtual_ip, &entry))
507f26f6 1747 {
a25d536e 1748 this->condvar->wait(this->condvar, this->lock);
507f26f6 1749 }
c6b40158 1750 if (entry)
507f26f6 1751 {
c6b40158 1752 entry->addr->refcount++;
507f26f6
TB		 1753 }
1754 }
c6b40158
TB		 1755 }
1756 if (entry)
1757 {
1758 DBG2(DBG_KNL, "virtual IP %H is already installed on %s", virtual_ip,
1759 entry->iface->ifname);
a25d536e 1760 this->lock->unlock(this->lock);
c6b40158
TB		 1761 return SUCCESS;
1762 }
e8e9048f
TB		 1763 /* try to find the target interface, either by config or via src ip */
1764 if (!this->install_virtual_ip_on ||
1765 this->ifaces->find_first(this->ifaces, (void*)iface_entry_by_name,
1766 (void**)&iface, this->install_virtual_ip_on) != SUCCESS)
1767 {
b185cdd1
MW		 1768 if (this->ifaces->find_first(this->ifaces, (void*)iface_entry_by_name,
1769 (void**)&iface, iface_name) != SUCCESS)
e8e9048f
TB		 1770 { /* if we don't find the requested interface we just use the first */
1771 this->ifaces->get_first(this->ifaces, (void**)&iface);
1772 }
c6b40158 1773 }
c6b40158
TB		 1774 if (iface)
1775 {
1776 addr_entry_t *addr;
7daf5226 1777
c6b40158
TB		 1778 INIT(addr,
1779 .ip = virtual_ip->clone(virtual_ip),
1780 .refcount = 1,
1781 .scope = RT_SCOPE_UNIVERSE,
1782 );
1783 iface->addrs->insert_last(iface->addrs, addr);
1784 addr_map_entry_add(this->vips, addr, iface);
1785 if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
50bd7558 1786 iface->ifindex, virtual_ip, prefix) == SUCCESS)
507f26f6 1787 {
c6b40158
TB		 1788 while (!is_vip_installed_or_gone(this, virtual_ip, &entry))
1789 { /* wait until address appears */
a25d536e 1790 this->condvar->wait(this->condvar, this->lock);
c6b40158
TB		 1791 }
1792 if (entry)
1793 { /* we fail if the interface got deleted in the meantime */
e8e9048f
TB		 1794 DBG2(DBG_KNL, "virtual IP %H installed on %s", virtual_ip,
1795 entry->iface->ifname);
a25d536e 1796 this->lock->unlock(this->lock);
3dc9d427
MW		 1797 /* during IKEv1 reauthentication, children get moved from
1798 * old the new SA before the virtual IP is available. This
1799 * kills the route for our virtual IP, reinstall. */
cf6a4ea0 1800 queue_route_reinstall(this, strdup(entry->iface->ifname));
507f26f6
TB		 1801 return SUCCESS;
1802 }
507f26f6 1803 }
a25d536e 1804 this->lock->unlock(this->lock);
c6b40158
TB		 1805 DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
1806 return FAILED;
507f26f6 1807 }
a25d536e 1808 this->lock->unlock(this->lock);
c6b40158
TB		 1809 DBG1(DBG_KNL, "no interface available, unable to install virtual IP %H",
1810 virtual_ip);
507f26f6
TB		 1811 return FAILED;
1812}
1813
887abfb1 1814METHOD(kernel_net_t, del_ip, status_t,
d88597f0
MW		 1815 private_kernel_netlink_net_t *this, host_t *virtual_ip, int prefix,
1816 bool wait)
507f26f6 1817{
c6b40158
TB		 1818 addr_map_entry_t *entry, lookup = {
1819 .ip = virtual_ip,
1820 };
7daf5226 1821
9474a0d9
MW		 1822 if (!this->install_virtual_ip)
1823 { /* disabled by config */
1824 return SUCCESS;
1825 }
7daf5226 1826
507f26f6 1827 DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
7daf5226 1828
a25d536e 1829 this->lock->write_lock(this->lock);
c6b40158
TB		 1830 entry = this->vips->get_match(this->vips, &lookup,
1831 (void*)addr_map_entry_match);
1832 if (!entry)
1833 { /* we didn't install this IP as virtual IP */
1834 entry = this->addrs->get_match(this->addrs, &lookup,
1835 (void*)addr_map_entry_match);
1836 if (entry)
507f26f6 1837 {
c6b40158
TB		 1838 DBG2(DBG_KNL, "not deleting existing IP %H on %s", virtual_ip,
1839 entry->iface->ifname);
a25d536e 1840 this->lock->unlock(this->lock);
c6b40158
TB		 1841 return SUCCESS;
1842 }
1843 DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
a25d536e 1844 this->lock->unlock(this->lock);
c6b40158
TB		 1845 return FAILED;
1846 }
1847 if (entry->addr->refcount == 1)
1848 {
1849 status_t status;
1850
1851 /* we set this flag so that threads calling add_ip will block and wait
1852 * until the entry is gone, also so we can wait below */
1853 entry->addr->installed = FALSE;
1854 status = manage_ipaddr(this, RTM_DELADDR, 0, entry->iface->ifindex,
50bd7558 1855 virtual_ip, prefix);
d88597f0 1856 if (status == SUCCESS && wait)
c6b40158
TB		 1857 { /* wait until the address is really gone */
1858 while (is_known_vip(this, virtual_ip))
507f26f6 1859 {
a25d536e 1860 this->condvar->wait(this->condvar, this->lock);
507f26f6
TB		 1861 }
1862 }
a25d536e 1863 this->lock->unlock(this->lock);
c6b40158 1864 return status;
507f26f6 1865 }
c6b40158
TB		 1866 else
1867 {
1868 entry->addr->refcount--;
1869 }
1870 DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
1871 virtual_ip);
a25d536e 1872 this->lock->unlock(this->lock);
c6b40158 1873 return SUCCESS;
507f26f6
TB		 1874}
1875
1876/**
1877 * Manages source routes in the routing table.
1878 * By setting the appropriate nlmsg_type, the route gets added or removed.
1879 */
74ba22c9
TB		 1880static status_t manage_srcroute(private_kernel_netlink_net_t *this,
1881 int nlmsg_type, int flags, chunk_t dst_net,
1882 u_int8_t prefixlen, host_t *gateway,
1883 host_t *src_ip, char *if_name)
507f26f6 1884{
21bf86f7 1885 netlink_buf_t request;
507f26f6
TB		 1886 struct nlmsghdr *hdr;
1887 struct rtmsg *msg;
1888 int ifindex;
1889 chunk_t chunk;
1890
1891 /* if route is 0.0.0.0/0, we can't install it, as it would
1892 * overwrite the default route. Instead, we add two routes:
1893 * 0.0.0.0/1 and 128.0.0.0/1 */
1894 if (this->routing_table == 0 && prefixlen == 0)
1895 {
1896 chunk_t half_net;
1897 u_int8_t half_prefixlen;
1898 status_t status;
7daf5226 1899
507f26f6
TB		 1900 half_net = chunk_alloca(dst_net.len);
1901 memset(half_net.ptr, 0, half_net.len);
1902 half_prefixlen = 1;
7daf5226 1903
507f26f6
TB		 1904 status = manage_srcroute(this, nlmsg_type, flags, half_net, half_prefixlen,
1905 gateway, src_ip, if_name);
1906 half_net.ptr[0] |= 0x80;
1907 status = manage_srcroute(this, nlmsg_type, flags, half_net, half_prefixlen,
1908 gateway, src_ip, if_name);
1909 return status;
1910 }
7daf5226 1911
507f26f6
TB		 1912 memset(&request, 0, sizeof(request));
1913
1914 hdr = (struct nlmsghdr*)request;
1915 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1916 hdr->nlmsg_type = nlmsg_type;
1917 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1918
1919 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1920 msg->rtm_family = src_ip->get_family(src_ip);
1921 msg->rtm_dst_len = prefixlen;
1922 msg->rtm_table = this->routing_table;
1923 msg->rtm_protocol = RTPROT_STATIC;
1924 msg->rtm_type = RTN_UNICAST;
1925 msg->rtm_scope = RT_SCOPE_UNIVERSE;
7daf5226 1926
507f26f6
TB		 1927 netlink_add_attribute(hdr, RTA_DST, dst_net, sizeof(request));
1928 chunk = src_ip->get_address(src_ip);
1929 netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
5be75c2c
MW		 1930 if (gateway && gateway->get_family(gateway) == src_ip->get_family(src_ip))
1931 {
1932 chunk = gateway->get_address(gateway);
1933 netlink_add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
1934 }
507f26f6
TB		 1935 ifindex = get_interface_index(this, if_name);
1936 chunk.ptr = (char*)&ifindex;
1937 chunk.len = sizeof(ifindex);
1938 netlink_add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
1939
1940 return this->socket->send_ack(this->socket, hdr);
1941}
1942
887abfb1
MW		 1943METHOD(kernel_net_t, add_route, status_t,
1944 private_kernel_netlink_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
1945 host_t *gateway, host_t *src_ip, char *if_name)
507f26f6 1946{
74ba22c9
TB		 1947 status_t status;
1948 route_entry_t *found, route = {
1949 .dst_net = dst_net,
1950 .prefixlen = prefixlen,
1951 .gateway = gateway,
1952 .src_ip = src_ip,
1953 .if_name = if_name,
1954 };
1955
16d62305 1956 this->routes_lock->lock(this->routes_lock);
74ba22c9
TB		 1957 found = this->routes->get(this->routes, &route);
1958 if (found)
1959 {
16d62305 1960 this->routes_lock->unlock(this->routes_lock);
74ba22c9
TB		 1961 return ALREADY_DONE;
1962 }
1963 found = route_entry_clone(&route);
1964 this->routes->put(this->routes, found, found);
1965 status = manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
1966 dst_net, prefixlen, gateway, src_ip, if_name);
16d62305 1967 this->routes_lock->unlock(this->routes_lock);
74ba22c9 1968 return status;
507f26f6 1969}
7daf5226 1970
887abfb1
MW		 1971METHOD(kernel_net_t, del_route, status_t,
1972 private_kernel_netlink_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
1973 host_t *gateway, host_t *src_ip, char *if_name)
507f26f6 1974{
74ba22c9
TB		 1975 status_t status;
1976 route_entry_t *found, route = {
1977 .dst_net = dst_net,
1978 .prefixlen = prefixlen,
1979 .gateway = gateway,
1980 .src_ip = src_ip,
1981 .if_name = if_name,
1982 };
1983
16d62305 1984 this->routes_lock->lock(this->routes_lock);
74ba22c9
TB		 1985 found = this->routes->get(this->routes, &route);
1986 if (!found)
1987 {
16d62305 1988 this->routes_lock->unlock(this->routes_lock);
74ba22c9
TB		 1989 return NOT_FOUND;
1990 }
1991 this->routes->remove(this->routes, found);
1992 route_entry_destroy(found);
1993 status = manage_srcroute(this, RTM_DELROUTE, 0, dst_net, prefixlen,
1994 gateway, src_ip, if_name);
16d62305 1995 this->routes_lock->unlock(this->routes_lock);
74ba22c9 1996 return status;
507f26f6
TB		 1997}
1998
1999/**
2000 * Initialize a list of local addresses.
2001 */
2002static status_t init_address_list(private_kernel_netlink_net_t *this)
2003{
21bf86f7 2004 netlink_buf_t request;
507f26f6
TB		 2005 struct nlmsghdr *out, *current, *in;
2006 struct rtgenmsg *msg;
2007 size_t len;
e13389a7 2008 enumerator_t *ifaces, *addrs;
507f26f6
TB		 2009 iface_entry_t *iface;
2010 addr_entry_t *addr;
7daf5226 2011
31a0e24b 2012 DBG2(DBG_KNL, "known interfaces and IP addresses:");
7daf5226 2013
507f26f6
TB		 2014 memset(&request, 0, sizeof(request));
2015
2016 in = (struct nlmsghdr*)&request;
2017 in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
2018 in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
2019 msg = (struct rtgenmsg*)NLMSG_DATA(in);
2020 msg->rtgen_family = AF_UNSPEC;
7daf5226 2021
507f26f6
TB		 2022 /* get all links */
2023 in->nlmsg_type = RTM_GETLINK;
2024 if (this->socket->send(this->socket, in, &out, &len) != SUCCESS)
2025 {
2026 return FAILED;
2027 }
2028 current = out;
2029 while (NLMSG_OK(current, len))
2030 {
2031 switch (current->nlmsg_type)
2032 {
2033 case NLMSG_DONE:
2034 break;
2035 case RTM_NEWLINK:
2036 process_link(this, current, FALSE);
2037 /* fall through */
2038 default:
2039 current = NLMSG_NEXT(current, len);
2040 continue;
2041 }
2042 break;
2043 }
2044 free(out);
7daf5226 2045
507f26f6
TB		 2046 /* get all interface addresses */
2047 in->nlmsg_type = RTM_GETADDR;
2048 if (this->socket->send(this->socket, in, &out, &len) != SUCCESS)
2049 {
2050 return FAILED;
2051 }
2052 current = out;
2053 while (NLMSG_OK(current, len))
2054 {
2055 switch (current->nlmsg_type)
2056 {
2057 case NLMSG_DONE:
2058 break;
2059 case RTM_NEWADDR:
2060 process_addr(this, current, FALSE);
2061 /* fall through */
2062 default:
2063 current = NLMSG_NEXT(current, len);
2064 continue;
2065 }
2066 break;
2067 }
2068 free(out);
7daf5226 2069
a25d536e 2070 this->lock->read_lock(this->lock);
e13389a7
MW		 2071 ifaces = this->ifaces->create_enumerator(this->ifaces);
2072 while (ifaces->enumerate(ifaces, &iface))
507f26f6 2073 {
940e1b0f 2074 if (iface_entry_up_and_usable(iface))
507f26f6 2075 {
31a0e24b 2076 DBG2(DBG_KNL, " %s", iface->ifname);
e13389a7
MW		 2077 addrs = iface->addrs->create_enumerator(iface->addrs);
2078 while (addrs->enumerate(addrs, (void**)&addr))
507f26f6 2079 {
31a0e24b 2080 DBG2(DBG_KNL, " %H", addr->ip);
507f26f6
TB		 2081 }
2082 addrs->destroy(addrs);
2083 }
2084 }
2085 ifaces->destroy(ifaces);
a25d536e 2086 this->lock->unlock(this->lock);
507f26f6
TB		 2087 return SUCCESS;
2088}
2089
2090/**
2091 * create or delete a rule to use our routing table
2092 */
2093static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type,
5be75c2c 2094 int family, u_int32_t table, u_int32_t prio)
507f26f6 2095{
21bf86f7 2096 netlink_buf_t request;
507f26f6
TB		 2097 struct nlmsghdr *hdr;
2098 struct rtmsg *msg;
2099 chunk_t chunk;
51fefe46
TB		 2100 char *fwmark;
2101 mark_t mark;
507f26f6 2102
7daf5226 2103 memset(&request, 0, sizeof(request));
507f26f6
TB		 2104 hdr = (struct nlmsghdr*)request;
2105 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
7daf5226 2106 hdr->nlmsg_type = nlmsg_type;
507f26f6
TB		 2107 if (nlmsg_type == RTM_NEWRULE)
2108 {
2109 hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_EXCL;
2110 }
2111 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
2112
2113 msg = (struct rtmsg*)NLMSG_DATA(hdr);
2114 msg->rtm_table = table;
5be75c2c 2115 msg->rtm_family = family;
507f26f6
TB		 2116 msg->rtm_protocol = RTPROT_BOOT;
2117 msg->rtm_scope = RT_SCOPE_UNIVERSE;
2118 msg->rtm_type = RTN_UNICAST;
2119
2120 chunk = chunk_from_thing(prio);
2121 netlink_add_attribute(hdr, RTA_PRIORITY, chunk, sizeof(request));
2122
51fefe46
TB		 2123 fwmark = lib->settings->get_str(lib->settings,
2124 "%s.plugins.kernel-netlink.fwmark", NULL, hydra->daemon);
2125 if (fwmark)
2126 {
2127 if (fwmark[0] == '!')
2128 {
2129 msg->rtm_flags |= FIB_RULE_INVERT;
2130 fwmark++;
2131 }
2132 if (mark_from_string(fwmark, &mark))
2133 {
2134 chunk = chunk_from_thing(mark.value);
2135 netlink_add_attribute(hdr, FRA_FWMARK, chunk, sizeof(request));
2136 chunk = chunk_from_thing(mark.mask);
2137 netlink_add_attribute(hdr, FRA_FWMASK, chunk, sizeof(request));
2138 }
2139 }
507f26f6
TB		 2140 return this->socket->send_ack(this->socket, hdr);
2141}
2142
7beb31aa
TB		 2143/**
2144 * check for kernel features (currently only via version number)
2145 */
2146static void check_kernel_features(private_kernel_netlink_net_t *this)
2147{
2148 struct utsname utsname;
2149 int a, b, c;
2150
2151 if (uname(&utsname) == 0)
2152 {
2153 switch(sscanf(utsname.release, "%d.%d.%d", &a, &b, &c))
2154 {
2155 case 3:
2156 if (a == 2)
2157 {
2158 DBG2(DBG_KNL, "detected Linux %d.%d.%d, no support for "
2159 "RTA_PREFSRC for IPv6 routes", a, b, c);
2160 break;
2161 }
2162 /* fall-through */
2163 case 2:
2164 /* only 3.x+ uses two part version numbers */
2165 this->rta_prefsrc_for_ipv6 = TRUE;
2166 break;
2167 default:
2168 break;
2169 }
2170 }
2171}
2172
c6b40158
TB		 2173/**
2174 * Destroy an address to iface map
2175 */
2176static void addr_map_destroy(hashtable_t *map)
2177{
2178 enumerator_t *enumerator;
2179 addr_map_entry_t *addr;
2180
2181 enumerator = map->create_enumerator(map);
2182 while (enumerator->enumerate(enumerator, NULL, (void**)&addr))
2183 {
2184 free(addr);
2185 }
2186 enumerator->destroy(enumerator);
2187 map->destroy(map);
2188}
2189
887abfb1
MW		 2190METHOD(kernel_net_t, destroy, void,
2191 private_kernel_netlink_net_t *this)
507f26f6 2192{
74ba22c9
TB		 2193 enumerator_t *enumerator;
2194 route_entry_t *route;
2195
507f26f6
TB		 2196 if (this->routing_table)
2197 {
5be75c2c
MW		 2198 manage_rule(this, RTM_DELRULE, AF_INET, this->routing_table,
2199 this->routing_table_prio);
2200 manage_rule(this, RTM_DELRULE, AF_INET6, this->routing_table,
507f26f6
TB		 2201 this->routing_table_prio);
2202 }
d6a27ec6
MW		 2203 if (this->socket_events > 0)
2204 {
f4f77d74 2205 lib->watcher->remove(lib->watcher, this->socket_events);
d6a27ec6
MW		 2206 close(this->socket_events);
2207 }
74ba22c9
TB		 2208 enumerator = this->routes->create_enumerator(this->routes);
2209 while (enumerator->enumerate(enumerator, NULL, (void**)&route))
2210 {
2211 manage_srcroute(this, RTM_DELROUTE, 0, route->dst_net, route->prefixlen,
2212 route->gateway, route->src_ip, route->if_name);
2213 route_entry_destroy(route);
2214 }
2215 enumerator->destroy(enumerator);
2216 this->routes->destroy(this->routes);
16d62305 2217 this->routes_lock->destroy(this->routes_lock);
9e19cb91 2218 DESTROY_IF(this->socket);
74ba22c9 2219
f834249c
TB		 2220 net_changes_clear(this);
2221 this->net_changes->destroy(this->net_changes);
2222 this->net_changes_lock->destroy(this->net_changes_lock);
2223
c6b40158
TB		 2224 addr_map_destroy(this->addrs);
2225 addr_map_destroy(this->vips);
1f97e1aa 2226
507f26f6 2227 this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
d266e895 2228 this->rt_exclude->destroy(this->rt_exclude);
4134108c 2229 this->roam_lock->destroy(this->roam_lock);
3ac5a0db 2230 this->condvar->destroy(this->condvar);
a25d536e 2231 this->lock->destroy(this->lock);
507f26f6
TB		 2232 free(this);
2233}
2234
2235/*
2236 * Described in header.
2237 */
2238kernel_netlink_net_t *kernel_netlink_net_create()
2239{
887abfb1 2240 private_kernel_netlink_net_t *this;
d266e895 2241 enumerator_t *enumerator;
05ca5655 2242 bool register_for_events = TRUE;
d266e895 2243 char *exclude;
7daf5226 2244
887abfb1
MW		 2245 INIT(this,
2246 .public = {
2247 .interface = {
2248 .get_interface = _get_interface_name,
2249 .create_address_enumerator = _create_address_enumerator,
2250 .get_source_addr = _get_source_addr,
2251 .get_nexthop = _get_nexthop,
2252 .add_ip = _add_ip,
2253 .del_ip = _del_ip,
2254 .add_route = _add_route,
2255 .del_route = _del_route,
2256 .destroy = _destroy,
2257 },
2258 },
2259 .socket = netlink_socket_create(NETLINK_ROUTE),
2260 .rt_exclude = linked_list_create(),
74ba22c9
TB		 2261 .routes = hashtable_create((hashtable_hash_t)route_entry_hash,
2262 (hashtable_equals_t)route_entry_equals, 16),
f834249c
TB		 2263 .net_changes = hashtable_create(
2264 (hashtable_hash_t)net_change_hash,
2265 (hashtable_equals_t)net_change_equals, 16),
1f97e1aa
TB		 2266 .addrs = hashtable_create(
2267 (hashtable_hash_t)addr_map_entry_hash,
2268 (hashtable_equals_t)addr_map_entry_equals, 16),
c6b40158
TB		 2269 .vips = hashtable_create((hashtable_hash_t)addr_map_entry_hash,
2270 (hashtable_equals_t)addr_map_entry_equals, 16),
16d62305 2271 .routes_lock = mutex_create(MUTEX_TYPE_DEFAULT),
f834249c 2272 .net_changes_lock = mutex_create(MUTEX_TYPE_DEFAULT),
887abfb1 2273 .ifaces = linked_list_create(),
a25d536e
TB		 2274 .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
2275 .condvar = rwlock_condvar_create(),
4134108c 2276 .roam_lock = spinlock_create(),
887abfb1
MW		 2277 .routing_table = lib->settings->get_int(lib->settings,
2278 "%s.routing_table", ROUTING_TABLE, hydra->daemon),
2279 .routing_table_prio = lib->settings->get_int(lib->settings,
2280 "%s.routing_table_prio", ROUTING_TABLE_PRIO, hydra->daemon),
2281 .process_route = lib->settings->get_bool(lib->settings,
2282 "%s.process_route", TRUE, hydra->daemon),
2283 .install_virtual_ip = lib->settings->get_bool(lib->settings,
2284 "%s.install_virtual_ip", TRUE, hydra->daemon),
e8e9048f
TB		 2285 .install_virtual_ip_on = lib->settings->get_str(lib->settings,
2286 "%s.install_virtual_ip_on", NULL, hydra->daemon),
37873f99
TB		 2287 .roam_events = lib->settings->get_bool(lib->settings,
2288 "%s.plugins.kernel-netlink.roam_events", TRUE, hydra->daemon),
887abfb1 2289 );
f834249c 2290 timerclear(&this->last_route_reinstall);
4134108c 2291 timerclear(&this->next_roam);
887abfb1 2292
7beb31aa
TB		 2293 check_kernel_features(this);
2294
05ca5655
TB		 2295 if (streq(hydra->daemon, "starter"))
2296 { /* starter has no threads, so we do not register for kernel events */
2297 register_for_events = FALSE;
2298 }
2299
d266e895 2300 exclude = lib->settings->get_str(lib->settings,
06cdeac2 2301 "%s.ignore_routing_tables", NULL, hydra->daemon);
d266e895
TE		 2302 if (exclude)
2303 {
2304 char *token;
2305 uintptr_t table;
2306
2307 enumerator = enumerator_create_token(exclude, " ", " ");
2308 while (enumerator->enumerate(enumerator, &token))
2309 {
2310 errno = 0;
2311 table = strtoul(token, NULL, 10);
2312
2313 if (errno == 0)
2314 {
2315 this->rt_exclude->insert_last(this->rt_exclude, (void*)table);
2316 }
2317 }
2318 enumerator->destroy(enumerator);
2319 }
2320
05ca5655 2321 if (register_for_events)
507f26f6 2322 {
05ca5655
TB		 2323 struct sockaddr_nl addr;
2324
2325 memset(&addr, 0, sizeof(addr));
2326 addr.nl_family = AF_NETLINK;
7daf5226 2327
05ca5655
TB		 2328 /* create and bind RT socket for events (address/interface/route changes) */
2329 this->socket_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
2330 if (this->socket_events < 0)
2331 {
2332 DBG1(DBG_KNL, "unable to create RT event socket");
2333 destroy(this);
2334 return NULL;
2335 }
2336 addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR |
2337 RTMGRP_IPV4_ROUTE | RTMGRP_IPV6_ROUTE | RTMGRP_LINK;
2338 if (bind(this->socket_events, (struct sockaddr*)&addr, sizeof(addr)))
2339 {
2340 DBG1(DBG_KNL, "unable to bind RT event socket");
2341 destroy(this);
2342 return NULL;
2343 }
2344
f4f77d74
MW		 2345 lib->watcher->add(lib->watcher, this->socket_events, WATCHER_READ,
2346 (watcher_cb_t)receive_events, this);
05ca5655 2347 }
7daf5226 2348
507f26f6
TB		 2349 if (init_address_list(this) != SUCCESS)
2350 {
d6a27ec6
MW		 2351 DBG1(DBG_KNL, "unable to get interface list");
2352 destroy(this);
2353 return NULL;
507f26f6 2354 }
7daf5226 2355
507f26f6
TB		 2356 if (this->routing_table)
2357 {
5be75c2c
MW		 2358 if (manage_rule(this, RTM_NEWRULE, AF_INET, this->routing_table,
2359 this->routing_table_prio) != SUCCESS)
2360 {
2361 DBG1(DBG_KNL, "unable to create IPv4 routing table rule");
2362 }
2363 if (manage_rule(this, RTM_NEWRULE, AF_INET6, this->routing_table,
507f26f6
TB		 2364 this->routing_table_prio) != SUCCESS)
2365 {
5be75c2c 2366 DBG1(DBG_KNL, "unable to create IPv6 routing table rule");
507f26f6
TB		 2367 }
2368 }
7daf5226 2369
507f26f6
TB		 2370 return &this->public;
2371}
Michael's strongswan development tree