]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/network/networkd-routing-policy-rule.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Drop the text argument from assert_not_reached()
[thirdparty/systemd.git] / src / network / networkd-routing-policy-rule.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <net/if.h>
4 #include <linux/fib_rules.h>
5
6 #include "af-list.h"
7 #include "alloc-util.h"
8 #include "conf-parser.h"
9 #include "fileio.h"
10 #include "format-util.h"
11 #include "hashmap.h"
12 #include "ip-protocol-list.h"
13 #include "netlink-util.h"
14 #include "networkd-manager.h"
15 #include "networkd-queue.h"
16 #include "networkd-route.h"
17 #include "networkd-routing-policy-rule.h"
18 #include "networkd-util.h"
19 #include "parse-util.h"
20 #include "socket-util.h"
21 #include "string-table.h"
22 #include "string-util.h"
23 #include "strv.h"
24 #include "user-util.h"
25
26 static const char *const fr_act_type_table[__FR_ACT_MAX] = {
27 [FR_ACT_BLACKHOLE] = "blackhole",
28 [FR_ACT_UNREACHABLE] = "unreachable",
29 [FR_ACT_PROHIBIT] = "prohibit",
30 };
31
32 assert_cc(__FR_ACT_MAX <= UINT8_MAX);
33 DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(fr_act_type, int);
34
35 RoutingPolicyRule *routing_policy_rule_free(RoutingPolicyRule *rule) {
36 if (!rule)
37 return NULL;
38
39 if (rule->network) {
40 assert(rule->section);
41 hashmap_remove(rule->network->rules_by_section, rule->section);
42 }
43
44 if (rule->manager) {
45 set_remove(rule->manager->rules, rule);
46 set_remove(rule->manager->rules_foreign, rule);
47 }
48
49 network_config_section_free(rule->section);
50 free(rule->iif);
51 free(rule->oif);
52
53 return mfree(rule);
54 }
55
56 DEFINE_NETWORK_SECTION_FUNCTIONS(RoutingPolicyRule, routing_policy_rule_free);
57
58 static int routing_policy_rule_new(RoutingPolicyRule **ret) {
59 RoutingPolicyRule *rule;
60
61 rule = new(RoutingPolicyRule, 1);
62 if (!rule)
63 return -ENOMEM;
64
65 *rule = (RoutingPolicyRule) {
66 .table = RT_TABLE_MAIN,
67 .uid_range.start = UID_INVALID,
68 .uid_range.end = UID_INVALID,
69 .suppress_prefixlen = -1,
70 .protocol = RTPROT_UNSPEC,
71 .type = FR_ACT_TO_TBL,
72 };
73
74 *ret = rule;
75 return 0;
76 }
77
78 static int routing_policy_rule_new_static(Network *network, const char *filename, unsigned section_line, RoutingPolicyRule **ret) {
79 _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *rule = NULL;
80 _cleanup_(network_config_section_freep) NetworkConfigSection *n = NULL;
81 int r;
82
83 assert(network);
84 assert(ret);
85 assert(filename);
86 assert(section_line > 0);
87
88 r = network_config_section_new(filename, section_line, &n);
89 if (r < 0)
90 return r;
91
92 rule = hashmap_get(network->rules_by_section, n);
93 if (rule) {
94 *ret = TAKE_PTR(rule);
95 return 0;
96 }
97
98 r = routing_policy_rule_new(&rule);
99 if (r < 0)
100 return r;
101
102 rule->network = network;
103 rule->section = TAKE_PTR(n);
104 rule->protocol = RTPROT_STATIC;
105
106 r = hashmap_ensure_put(&network->rules_by_section, &network_config_hash_ops, rule->section, rule);
107 if (r < 0)
108 return r;
109
110 *ret = TAKE_PTR(rule);
111 return 0;
112 }
113
114 static int routing_policy_rule_dup(const RoutingPolicyRule *src, RoutingPolicyRule **ret) {
115 _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *dest = NULL;
116
117 assert(src);
118 assert(ret);
119
120 dest = newdup(RoutingPolicyRule, src, 1);
121 if (!dest)
122 return -ENOMEM;
123
124 /* Unset all pointers */
125 dest->manager = NULL;
126 dest->network = NULL;
127 dest->section = NULL;
128 dest->iif = dest->oif = NULL;
129
130 if (src->iif) {
131 dest->iif = strdup(src->iif);
132 if (!dest->iif)
133 return -ENOMEM;
134 }
135
136 if (src->oif) {
137 dest->oif = strdup(src->oif);
138 if (!dest->oif)
139 return -ENOMEM;
140 }
141
142 *ret = TAKE_PTR(dest);
143 return 0;
144 }
145
146 void routing_policy_rule_hash_func(const RoutingPolicyRule *rule, struct siphash *state) {
147 assert(rule);
148
149 siphash24_compress(&rule->family, sizeof(rule->family), state);
150
151 switch (rule->family) {
152 case AF_INET:
153 case AF_INET6:
154 siphash24_compress(&rule->from, FAMILY_ADDRESS_SIZE(rule->family), state);
155 siphash24_compress(&rule->from_prefixlen, sizeof(rule->from_prefixlen), state);
156
157 siphash24_compress(&rule->to, FAMILY_ADDRESS_SIZE(rule->family), state);
158 siphash24_compress(&rule->to_prefixlen, sizeof(rule->to_prefixlen), state);
159
160 siphash24_compress_boolean(rule->invert_rule, state);
161
162 siphash24_compress(&rule->tos, sizeof(rule->tos), state);
163 siphash24_compress(&rule->type, sizeof(rule->type), state);
164 siphash24_compress(&rule->fwmark, sizeof(rule->fwmark), state);
165 siphash24_compress(&rule->fwmask, sizeof(rule->fwmask), state);
166 siphash24_compress(&rule->priority, sizeof(rule->priority), state);
167 siphash24_compress(&rule->table, sizeof(rule->table), state);
168 siphash24_compress(&rule->suppress_prefixlen, sizeof(rule->suppress_prefixlen), state);
169
170 siphash24_compress(&rule->ipproto, sizeof(rule->ipproto), state);
171 siphash24_compress(&rule->protocol, sizeof(rule->protocol), state);
172 siphash24_compress(&rule->sport, sizeof(rule->sport), state);
173 siphash24_compress(&rule->dport, sizeof(rule->dport), state);
174 siphash24_compress(&rule->uid_range, sizeof(rule->uid_range), state);
175
176 siphash24_compress_string(rule->iif, state);
177 siphash24_compress_string(rule->oif, state);
178
179 break;
180 default:
181 /* treat any other address family as AF_UNSPEC */
182 break;
183 }
184 }
185
186 int routing_policy_rule_compare_func(const RoutingPolicyRule *a, const RoutingPolicyRule *b) {
187 int r;
188
189 r = CMP(a->family, b->family);
190 if (r != 0)
191 return r;
192
193 switch (a->family) {
194 case AF_INET:
195 case AF_INET6:
196 r = CMP(a->from_prefixlen, b->from_prefixlen);
197 if (r != 0)
198 return r;
199
200 r = memcmp(&a->from, &b->from, FAMILY_ADDRESS_SIZE(a->family));
201 if (r != 0)
202 return r;
203
204 r = CMP(a->to_prefixlen, b->to_prefixlen);
205 if (r != 0)
206 return r;
207
208 r = memcmp(&a->to, &b->to, FAMILY_ADDRESS_SIZE(a->family));
209 if (r != 0)
210 return r;
211
212 r = CMP(a->invert_rule, b->invert_rule);
213 if (r != 0)
214 return r;
215
216 r = CMP(a->tos, b->tos);
217 if (r != 0)
218 return r;
219
220 r = CMP(a->type, b->type);
221 if (r != 0)
222 return r;
223
224 r = CMP(a->fwmark, b->fwmark);
225 if (r != 0)
226 return r;
227
228 r = CMP(a->fwmask, b->fwmask);
229 if (r != 0)
230 return r;
231
232 r = CMP(a->priority, b->priority);
233 if (r != 0)
234 return r;
235
236 r = CMP(a->table, b->table);
237 if (r != 0)
238 return r;
239
240 r = CMP(a->suppress_prefixlen, b->suppress_prefixlen);
241 if (r != 0)
242 return r;
243
244 r = CMP(a->ipproto, b->ipproto);
245 if (r != 0)
246 return r;
247
248 r = CMP(a->protocol, b->protocol);
249 if (r != 0)
250 return r;
251
252 r = memcmp(&a->sport, &b->sport, sizeof(a->sport));
253 if (r != 0)
254 return r;
255
256 r = memcmp(&a->dport, &b->dport, sizeof(a->dport));
257 if (r != 0)
258 return r;
259
260 r = memcmp(&a->uid_range, &b->uid_range, sizeof(a->uid_range));
261 if (r != 0)
262 return r;
263
264 r = strcmp_ptr(a->iif, b->iif);
265 if (r != 0)
266 return r;
267
268 r = strcmp_ptr(a->oif, b->oif);
269 if (r != 0)
270 return r;
271
272 return 0;
273 default:
274 /* treat any other address family as AF_UNSPEC */
275 return 0;
276 }
277 }
278
279 static bool routing_policy_rule_equal(const RoutingPolicyRule *rule1, const RoutingPolicyRule *rule2) {
280 if (rule1 == rule2)
281 return true;
282
283 if (!rule1 || !rule2)
284 return false;
285
286 return routing_policy_rule_compare_func(rule1, rule2) == 0;
287 }
288
289 DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR(
290 routing_policy_rule_hash_ops,
291 RoutingPolicyRule,
292 routing_policy_rule_hash_func,
293 routing_policy_rule_compare_func,
294 routing_policy_rule_free);
295
296 static int routing_policy_rule_get(Manager *m, const RoutingPolicyRule *rule, RoutingPolicyRule **ret) {
297 RoutingPolicyRule *existing;
298
299 assert(m);
300
301 existing = set_get(m->rules, rule);
302 if (existing) {
303 if (ret)
304 *ret = existing;
305 return 1;
306 }
307
308 existing = set_get(m->rules_foreign, rule);
309 if (existing) {
310 if (ret)
311 *ret = existing;
312 return 0;
313 }
314
315 return -ENOENT;
316 }
317
318 static int routing_policy_rule_add(Manager *m, const RoutingPolicyRule *in, RoutingPolicyRule **ret) {
319 _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *rule = NULL;
320 RoutingPolicyRule *existing;
321 int r;
322
323 assert(m);
324 assert(in);
325 assert(IN_SET(in->family, AF_INET, AF_INET6));
326
327 r = routing_policy_rule_dup(in, &rule);
328 if (r < 0)
329 return r;
330
331 r = routing_policy_rule_get(m, rule, &existing);
332 if (r == -ENOENT) {
333 /* Rule does not exist, use a new one. */
334 r = set_ensure_put(&m->rules, &routing_policy_rule_hash_ops, rule);
335 if (r < 0)
336 return r;
337 assert(r > 0);
338
339 rule->manager = m;
340 existing = TAKE_PTR(rule);
341 } else if (r < 0)
342 return r;
343 else if (r == 0) {
344 /* Take over a foreign rule. */
345 r = set_ensure_put(&m->rules, &routing_policy_rule_hash_ops, existing);
346 if (r < 0)
347 return r;
348 assert(r > 0);
349
350 set_remove(m->rules_foreign, existing);
351 } /* else r > 0: already exists, do nothing. */
352
353 if (ret)
354 *ret = existing;
355 return 0;
356 }
357
358 static int routing_policy_rule_consume_foreign(Manager *m, RoutingPolicyRule *rule) {
359 int r;
360
361 assert(m);
362 assert(rule);
363 assert(IN_SET(rule->family, AF_INET, AF_INET6));
364
365 r = set_ensure_consume(&m->rules_foreign, &routing_policy_rule_hash_ops, rule);
366 if (r <= 0)
367 return r;
368
369 rule->manager = m;
370
371 return 1;
372 }
373
374 static void log_routing_policy_rule_debug(const RoutingPolicyRule *rule, const char *str, const Link *link, const Manager *m) {
375 _cleanup_free_ char *from = NULL, *to = NULL, *table = NULL;
376
377 assert(rule);
378 assert(IN_SET(rule->family, AF_INET, AF_INET6));
379 assert(str);
380 assert(m);
381
382 /* link may be NULL. */
383
384 if (!DEBUG_LOGGING)
385 return;
386
387 (void) in_addr_prefix_to_string(rule->family, &rule->from, rule->from_prefixlen, &from);
388 (void) in_addr_prefix_to_string(rule->family, &rule->to, rule->to_prefixlen, &to);
389 (void) manager_get_route_table_to_string(m, rule->table, &table);
390
391 log_link_debug(link,
392 "%s routing policy rule: priority: %"PRIu32", %s -> %s, iif: %s, oif: %s, table: %s",
393 str, rule->priority, strna(from), strna(to),
394 strna(rule->iif), strna(rule->oif), strna(table));
395 }
396
397 static int routing_policy_rule_set_netlink_message(const RoutingPolicyRule *rule, sd_netlink_message *m, Link *link) {
398 int r;
399
400 assert(rule);
401 assert(m);
402
403 /* link may be NULL. */
404
405 if (rule->from_prefixlen > 0) {
406 r = netlink_message_append_in_addr_union(m, FRA_SRC, rule->family, &rule->from);
407 if (r < 0)
408 return log_link_error_errno(link, r, "Could not append FRA_SRC attribute: %m");
409
410 r = sd_rtnl_message_routing_policy_rule_set_fib_src_prefixlen(m, rule->from_prefixlen);
411 if (r < 0)
412 return log_link_error_errno(link, r, "Could not set source prefix length: %m");
413 }
414
415 if (rule->to_prefixlen > 0) {
416 r = netlink_message_append_in_addr_union(m, FRA_DST, rule->family, &rule->to);
417 if (r < 0)
418 return log_link_error_errno(link, r, "Could not append FRA_DST attribute: %m");
419
420 r = sd_rtnl_message_routing_policy_rule_set_fib_dst_prefixlen(m, rule->to_prefixlen);
421 if (r < 0)
422 return log_link_error_errno(link, r, "Could not set destination prefix length: %m");
423 }
424
425 r = sd_netlink_message_append_u32(m, FRA_PRIORITY, rule->priority);
426 if (r < 0)
427 return log_link_error_errno(link, r, "Could not append FRA_PRIORITY attribute: %m");
428
429 if (rule->tos > 0) {
430 r = sd_rtnl_message_routing_policy_rule_set_tos(m, rule->tos);
431 if (r < 0)
432 return log_link_error_errno(link, r, "Could not set IP rule TOS: %m");
433 }
434
435 if (rule->table < 256) {
436 r = sd_rtnl_message_routing_policy_rule_set_table(m, rule->table);
437 if (r < 0)
438 return log_link_error_errno(link, r, "Could not set IP rule table: %m");
439 } else {
440 r = sd_rtnl_message_routing_policy_rule_set_table(m, RT_TABLE_UNSPEC);
441 if (r < 0)
442 return log_link_error_errno(link, r, "Could not set IP rule table: %m");
443
444 r = sd_netlink_message_append_u32(m, FRA_TABLE, rule->table);
445 if (r < 0)
446 return log_link_error_errno(link, r, "Could not append FRA_TABLE attribute: %m");
447 }
448
449 if (rule->fwmark > 0) {
450 r = sd_netlink_message_append_u32(m, FRA_FWMARK, rule->fwmark);
451 if (r < 0)
452 return log_link_error_errno(link, r, "Could not append FRA_FWMARK attribute: %m");
453
454 r = sd_netlink_message_append_u32(m, FRA_FWMASK, rule->fwmask);
455 if (r < 0)
456 return log_link_error_errno(link, r, "Could not append FRA_FWMASK attribute: %m");
457 }
458
459 if (rule->iif) {
460 r = sd_netlink_message_append_string(m, FRA_IIFNAME, rule->iif);
461 if (r < 0)
462 return log_link_error_errno(link, r, "Could not append FRA_IIFNAME attribute: %m");
463 }
464
465 if (rule->oif) {
466 r = sd_netlink_message_append_string(m, FRA_OIFNAME, rule->oif);
467 if (r < 0)
468 return log_link_error_errno(link, r, "Could not append FRA_OIFNAME attribute: %m");
469 }
470
471 r = sd_netlink_message_append_u8(m, FRA_IP_PROTO, rule->ipproto);
472 if (r < 0)
473 return log_link_error_errno(link, r, "Could not append FRA_IP_PROTO attribute: %m");
474
475 r = sd_netlink_message_append_u8(m, FRA_PROTOCOL, rule->protocol);
476 if (r < 0)
477 return log_link_error_errno(link, r, "Could not append FRA_PROTOCOL attribute: %m");
478
479 if (rule->sport.start != 0 || rule->sport.end != 0) {
480 r = sd_netlink_message_append_data(m, FRA_SPORT_RANGE, &rule->sport, sizeof(rule->sport));
481 if (r < 0)
482 return log_link_error_errno(link, r, "Could not append FRA_SPORT_RANGE attribute: %m");
483 }
484
485 if (rule->dport.start != 0 || rule->dport.end != 0) {
486 r = sd_netlink_message_append_data(m, FRA_DPORT_RANGE, &rule->dport, sizeof(rule->dport));
487 if (r < 0)
488 return log_link_error_errno(link, r, "Could not append FRA_DPORT_RANGE attribute: %m");
489 }
490
491 if (rule->uid_range.start != UID_INVALID && rule->uid_range.end != UID_INVALID) {
492 r = sd_netlink_message_append_data(m, FRA_UID_RANGE, &rule->uid_range, sizeof(rule->uid_range));
493 if (r < 0)
494 return log_link_error_errno(link, r, "Could not append FRA_UID_RANGE attribute: %m");
495 }
496
497 if (rule->invert_rule) {
498 r = sd_rtnl_message_routing_policy_rule_set_flags(m, FIB_RULE_INVERT);
499 if (r < 0)
500 return log_link_error_errno(link, r, "Could not append FIB_RULE_INVERT attribute: %m");
501 }
502
503 if (rule->suppress_prefixlen >= 0) {
504 r = sd_netlink_message_append_u32(m, FRA_SUPPRESS_PREFIXLEN, (uint32_t) rule->suppress_prefixlen);
505 if (r < 0)
506 return log_link_error_errno(link, r, "Could not append FRA_SUPPRESS_PREFIXLEN attribute: %m");
507 }
508
509 r = sd_rtnl_message_routing_policy_rule_set_fib_type(m, rule->type);
510 if (r < 0)
511 return log_link_error_errno(link, r, "Could not append FIB rule type attribute: %m");
512
513 return 0;
514 }
515
516 static int routing_policy_rule_remove_handler(sd_netlink *rtnl, sd_netlink_message *m, Manager *manager) {
517 int r;
518
519 assert(m);
520 assert(manager);
521 assert(manager->routing_policy_rule_remove_messages > 0);
522
523 manager->routing_policy_rule_remove_messages--;
524
525 r = sd_netlink_message_get_errno(m);
526 if (r < 0)
527 log_message_warning_errno(m, r, "Could not drop routing policy rule");
528
529 return 1;
530 }
531
532 static int routing_policy_rule_remove(const RoutingPolicyRule *rule, Manager *manager) {
533 _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
534 int r;
535
536 assert(rule);
537 assert(manager);
538 assert(manager->rtnl);
539 assert(IN_SET(rule->family, AF_INET, AF_INET6));
540
541 log_routing_policy_rule_debug(rule, "Removing", NULL, manager);
542
543 r = sd_rtnl_message_new_routing_policy_rule(manager->rtnl, &m, RTM_DELRULE, rule->family);
544 if (r < 0)
545 return log_error_errno(r, "Could not allocate RTM_DELRULE message: %m");
546
547 r = routing_policy_rule_set_netlink_message(rule, m, NULL);
548 if (r < 0)
549 return r;
550
551 r = netlink_call_async(manager->rtnl, NULL, m,
552 routing_policy_rule_remove_handler,
553 NULL, manager);
554 if (r < 0)
555 return log_error_errno(r, "Could not send rtnetlink message: %m");
556
557 manager->routing_policy_rule_remove_messages++;
558
559 return 0;
560 }
561
562 static int routing_policy_rule_configure(
563 const RoutingPolicyRule *rule,
564 Link *link,
565 link_netlink_message_handler_t callback,
566 RoutingPolicyRule **ret) {
567
568 _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
569 int r;
570
571 assert(rule);
572 assert(IN_SET(rule->family, AF_INET, AF_INET6));
573 assert(link);
574 assert(link->ifindex > 0);
575 assert(link->manager);
576 assert(link->manager->rtnl);
577 assert(callback);
578
579 log_routing_policy_rule_debug(rule, "Configuring", link, link->manager);
580
581 r = sd_rtnl_message_new_routing_policy_rule(link->manager->rtnl, &m, RTM_NEWRULE, rule->family);
582 if (r < 0)
583 return log_link_error_errno(link, r, "Could not allocate RTM_NEWRULE message: %m");
584
585 r = routing_policy_rule_set_netlink_message(rule, m, link);
586 if (r < 0)
587 return r;
588
589 r = routing_policy_rule_add(link->manager, rule, ret);
590 if (r < 0)
591 return log_link_error_errno(link, r, "Could not add rule: %m");
592
593 r = netlink_call_async(link->manager->rtnl, NULL, m, callback,
594 link_netlink_destroy_callback, link);
595 if (r < 0)
596 return log_link_error_errno(link, r, "Could not send rtnetlink message: %m");
597
598 link_ref(link);
599
600 return r;
601 }
602
603 static int links_have_routing_policy_rule(const Manager *m, const RoutingPolicyRule *rule, const Link *except) {
604 Link *link;
605 int r;
606
607 assert(m);
608 assert(rule);
609
610 HASHMAP_FOREACH(link, m->links_by_index) {
611 RoutingPolicyRule *link_rule;
612
613 if (link == except)
614 continue;
615
616 if (!link->network)
617 continue;
618
619 HASHMAP_FOREACH(link_rule, link->network->rules_by_section)
620 if (IN_SET(link_rule->family, AF_INET, AF_INET6)) {
621 if (routing_policy_rule_equal(link_rule, rule))
622 return true;
623 } else {
624 /* The case Family=both. */
625 _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *tmp = NULL;
626
627 r = routing_policy_rule_dup(link_rule, &tmp);
628 if (r < 0)
629 return r;
630
631 tmp->family = AF_INET;
632 if (routing_policy_rule_equal(tmp, rule))
633 return true;
634
635 tmp->family = AF_INET6;
636 if (routing_policy_rule_equal(tmp, rule))
637 return true;
638 }
639 }
640
641 return false;
642 }
643
644 int manager_drop_routing_policy_rules_internal(Manager *m, bool foreign, const Link *except) {
645 RoutingPolicyRule *rule;
646 int k, r = 0;
647 Set *rules;
648
649 assert(m);
650
651 rules = foreign ? m->rules_foreign : m->rules;
652 SET_FOREACH(rule, rules) {
653 /* Do not touch rules managed by kernel. */
654 if (rule->protocol == RTPROT_KERNEL)
655 continue;
656
657 /* The rule will be configured later, or already configured by a link. */
658 k = links_have_routing_policy_rule(m, rule, except);
659 if (k != 0) {
660 if (k < 0 && r >= 0)
661 r = k;
662 continue;
663 }
664
665 k = routing_policy_rule_remove(rule, m);
666 if (k < 0 && r >= 0)
667 r = k;
668 }
669
670 return r;
671 }
672
673 static int static_routing_policy_rule_configure_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) {
674 int r;
675
676 assert(rtnl);
677 assert(m);
678 assert(link);
679 assert(link->ifname);
680 assert(link->static_routing_policy_rule_messages > 0);
681
682 link->static_routing_policy_rule_messages--;
683
684 if (IN_SET(link->state, LINK_STATE_FAILED, LINK_STATE_LINGER))
685 return 1;
686
687 r = sd_netlink_message_get_errno(m);
688 if (r < 0 && r != -EEXIST) {
689 log_link_message_warning_errno(link, m, r, "Could not add routing policy rule");
690 link_enter_failed(link);
691 return 1;
692 }
693
694 if (link->static_routing_policy_rule_messages == 0) {
695 log_link_debug(link, "Routing policy rule configured");
696 link->static_routing_policy_rules_configured = true;
697 link_check_ready(link);
698 }
699
700 return 1;
701 }
702
703 static int link_request_routing_policy_rule(
704 Link *link,
705 RoutingPolicyRule *rule,
706 bool consume_object,
707 unsigned *message_counter,
708 link_netlink_message_handler_t netlink_handler,
709 Request **ret) {
710
711 assert(link);
712 assert(link->manager);
713 assert(rule);
714
715 log_routing_policy_rule_debug(rule, "Requesting", link, link->manager);
716 return link_queue_request(link, REQUEST_TYPE_ROUTING_POLICY_RULE, rule, consume_object,
717 message_counter, netlink_handler, ret);
718 }
719
720 static int link_request_static_routing_policy_rule(Link *link, RoutingPolicyRule *rule) {
721 int r;
722
723 if (IN_SET(rule->family, AF_INET, AF_INET6))
724 return link_request_routing_policy_rule(link, rule, false,
725 &link->static_routing_policy_rule_messages,
726 static_routing_policy_rule_configure_handler,
727 NULL);
728
729 if (FLAGS_SET(rule->address_family, ADDRESS_FAMILY_IPV4)) {
730 _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *tmp = NULL;
731
732 r = routing_policy_rule_dup(rule, &tmp);
733 if (r < 0)
734 return r;
735
736 tmp->family = AF_INET;
737
738 r = link_request_routing_policy_rule(link, TAKE_PTR(tmp), true,
739 &link->static_routing_policy_rule_messages,
740 static_routing_policy_rule_configure_handler,
741 NULL);
742 if (r < 0)
743 return r;
744 }
745
746 if (FLAGS_SET(rule->address_family, ADDRESS_FAMILY_IPV6)) {
747 _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *tmp = NULL;
748
749 r = routing_policy_rule_dup(rule, &tmp);
750 if (r < 0)
751 return r;
752
753 tmp->family = AF_INET6;
754
755 r = link_request_routing_policy_rule(link, TAKE_PTR(tmp), true,
756 &link->static_routing_policy_rule_messages,
757 static_routing_policy_rule_configure_handler,
758 NULL);
759 if (r < 0)
760 return r;
761 }
762
763 return 0;
764 }
765
766 int link_request_static_routing_policy_rules(Link *link) {
767 RoutingPolicyRule *rule;
768 int r;
769
770 assert(link);
771 assert(link->network);
772
773 link->static_routing_policy_rules_configured = false;
774
775 HASHMAP_FOREACH(rule, link->network->rules_by_section) {
776 r = link_request_static_routing_policy_rule(link, rule);
777 if (r < 0)
778 return log_link_warning_errno(link, r, "Could not request routing policy rule: %m");
779 }
780
781 if (link->static_routing_policy_rule_messages == 0) {
782 link->static_routing_policy_rules_configured = true;
783 link_check_ready(link);
784 } else {
785 log_link_debug(link, "Requesting routing policy rules");
786 link_set_state(link, LINK_STATE_CONFIGURING);
787 }
788
789 return 0;
790 }
791
792 int request_process_routing_policy_rule(Request *req) {
793 RoutingPolicyRule *ret = NULL; /* avoid false maybe-uninitialized warning */
794 int r;
795
796 assert(req);
797 assert(req->link);
798 assert(req->rule);
799 assert(req->type == REQUEST_TYPE_ROUTING_POLICY_RULE);
800
801 if (!link_is_ready_to_configure(req->link, false))
802 return 0;
803
804 if (req->link->manager->routing_policy_rule_remove_messages > 0)
805 return 0;
806
807 r = routing_policy_rule_configure(req->rule, req->link, req->netlink_handler, &ret);
808 if (r < 0)
809 return r;
810
811 /* To prevent a double decrement on failure in after_configure(). */
812 req->message_counter = NULL;
813
814 if (req->after_configure) {
815 r = req->after_configure(req, ret);
816 if (r < 0)
817 return r;
818 }
819
820 return 1;
821 }
822
823 static const RoutingPolicyRule kernel_rules[] = {
824 { .family = AF_INET, .priority = 0, .table = RT_TABLE_LOCAL, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, },
825 { .family = AF_INET, .priority = 32766, .table = RT_TABLE_MAIN, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, },
826 { .family = AF_INET, .priority = 32767, .table = RT_TABLE_DEFAULT, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, },
827 { .family = AF_INET6, .priority = 0, .table = RT_TABLE_LOCAL, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, },
828 { .family = AF_INET6, .priority = 32766, .table = RT_TABLE_MAIN, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, },
829 };
830
831 static bool routing_policy_rule_is_created_by_kernel(const RoutingPolicyRule *rule) {
832 assert(rule);
833
834 if (rule->l3mdev > 0)
835 /* Currently, [RoutingPolicyRule] does not explicitly set FRA_L3MDEV. So, if the flag
836 * is set, it is safe to treat the rule as created by kernel. */
837 return true;
838
839 for (size_t i = 0; i < ELEMENTSOF(kernel_rules); i++)
840 if (routing_policy_rule_equal(rule, &kernel_rules[i]))
841 return true;
842
843 return false;
844 }
845
846 int manager_rtnl_process_rule(sd_netlink *rtnl, sd_netlink_message *message, Manager *m) {
847 _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *tmp = NULL;
848 RoutingPolicyRule *rule = NULL;
849 const char *iif = NULL, *oif = NULL;
850 bool adjust_protocol = false;
851 uint32_t suppress_prefixlen;
852 unsigned flags;
853 uint16_t type;
854 int r;
855
856 assert(rtnl);
857 assert(message);
858
859 if (sd_netlink_message_is_error(message)) {
860 r = sd_netlink_message_get_errno(message);
861 if (r < 0)
862 log_message_warning_errno(message, r, "rtnl: failed to receive rule message, ignoring");
863
864 return 0;
865 }
866
867 r = sd_netlink_message_get_type(message, &type);
868 if (r < 0) {
869 log_warning_errno(r, "rtnl: could not get message type, ignoring: %m");
870 return 0;
871 } else if (!IN_SET(type, RTM_NEWRULE, RTM_DELRULE)) {
872 log_warning("rtnl: received unexpected message type %u when processing rule, ignoring.", type);
873 return 0;
874 }
875
876 r = routing_policy_rule_new(&tmp);
877 if (r < 0) {
878 log_oom();
879 return 0;
880 }
881
882 r = sd_rtnl_message_get_family(message, &tmp->family);
883 if (r < 0) {
884 log_warning_errno(r, "rtnl: could not get rule family, ignoring: %m");
885 return 0;
886 } else if (!IN_SET(tmp->family, AF_INET, AF_INET6)) {
887 log_debug("rtnl: received rule message with invalid family %d, ignoring.", tmp->family);
888 return 0;
889 }
890
891 r = netlink_message_read_in_addr_union(message, FRA_SRC, tmp->family, &tmp->from);
892 if (r < 0 && r != -ENODATA) {
893 log_warning_errno(r, "rtnl: could not get FRA_SRC attribute, ignoring: %m");
894 return 0;
895 } else if (r >= 0) {
896 r = sd_rtnl_message_routing_policy_rule_get_fib_src_prefixlen(message, &tmp->from_prefixlen);
897 if (r < 0) {
898 log_warning_errno(r, "rtnl: received rule message without valid source prefix length, ignoring: %m");
899 return 0;
900 }
901 }
902
903 r = netlink_message_read_in_addr_union(message, FRA_DST, tmp->family, &tmp->to);
904 if (r < 0 && r != -ENODATA) {
905 log_warning_errno(r, "rtnl: could not get FRA_DST attribute, ignoring: %m");
906 return 0;
907 } else if (r >= 0) {
908 r = sd_rtnl_message_routing_policy_rule_get_fib_dst_prefixlen(message, &tmp->to_prefixlen);
909 if (r < 0) {
910 log_warning_errno(r, "rtnl: received rule message without valid destination prefix length, ignoring: %m");
911 return 0;
912 }
913 }
914
915 r = sd_rtnl_message_routing_policy_rule_get_flags(message, &flags);
916 if (r < 0) {
917 log_warning_errno(r, "rtnl: received rule message without valid flag, ignoring: %m");
918 return 0;
919 }
920 tmp->invert_rule = flags & FIB_RULE_INVERT;
921
922 r = sd_netlink_message_read_u32(message, FRA_FWMARK, &tmp->fwmark);
923 if (r < 0 && r != -ENODATA) {
924 log_warning_errno(r, "rtnl: could not get FRA_FWMARK attribute, ignoring: %m");
925 return 0;
926 }
927
928 r = sd_netlink_message_read_u32(message, FRA_FWMASK, &tmp->fwmask);
929 if (r < 0 && r != -ENODATA) {
930 log_warning_errno(r, "rtnl: could not get FRA_FWMASK attribute, ignoring: %m");
931 return 0;
932 }
933
934 r = sd_netlink_message_read_u32(message, FRA_PRIORITY, &tmp->priority);
935 if (r < 0 && r != -ENODATA) {
936 log_warning_errno(r, "rtnl: could not get FRA_PRIORITY attribute, ignoring: %m");
937 return 0;
938 }
939
940 r = sd_netlink_message_read_u32(message, FRA_TABLE, &tmp->table);
941 if (r < 0 && r != -ENODATA) {
942 log_warning_errno(r, "rtnl: could not get FRA_TABLE attribute, ignoring: %m");
943 return 0;
944 }
945
946 r = sd_rtnl_message_routing_policy_rule_get_tos(message, &tmp->tos);
947 if (r < 0 && r != -ENODATA) {
948 log_warning_errno(r, "rtnl: could not get FIB rule TOS, ignoring: %m");
949 return 0;
950 }
951
952 r = sd_rtnl_message_routing_policy_rule_get_fib_type(message, &tmp->type);
953 if (r < 0 && r != -ENODATA) {
954 log_warning_errno(r, "rtnl: could not get FIB rule type, ignoring: %m");
955 return 0;
956 }
957
958 r = sd_netlink_message_read_string(message, FRA_IIFNAME, &iif);
959 if (r < 0 && r != -ENODATA) {
960 log_warning_errno(r, "rtnl: could not get FRA_IIFNAME attribute, ignoring: %m");
961 return 0;
962 }
963 r = free_and_strdup(&tmp->iif, iif);
964 if (r < 0)
965 return log_oom();
966
967 r = sd_netlink_message_read_string(message, FRA_OIFNAME, &oif);
968 if (r < 0 && r != -ENODATA) {
969 log_warning_errno(r, "rtnl: could not get FRA_OIFNAME attribute, ignoring: %m");
970 return 0;
971 }
972 r = free_and_strdup(&tmp->oif, oif);
973 if (r < 0)
974 return log_oom();
975
976 r = sd_netlink_message_read_u8(message, FRA_IP_PROTO, &tmp->ipproto);
977 if (r < 0 && r != -ENODATA) {
978 log_warning_errno(r, "rtnl: could not get FRA_IP_PROTO attribute, ignoring: %m");
979 return 0;
980 }
981
982 r = sd_netlink_message_read_u8(message, FRA_PROTOCOL, &tmp->protocol);
983 if (r == -ENODATA)
984 /* If FRA_PROTOCOL is supported by kernel, then the attribute is always appended.
985 * When the received message does not have FRA_PROTOCOL, then we need to adjust the
986 * protocol of the rule later. */
987 adjust_protocol = true;
988 else if (r < 0) {
989 log_warning_errno(r, "rtnl: could not get FRA_PROTOCOL attribute, ignoring: %m");
990 return 0;
991 }
992
993 r = sd_netlink_message_read_u8(message, FRA_L3MDEV, &tmp->l3mdev);
994 if (r < 0 && r != -ENODATA) {
995 log_warning_errno(r, "rtnl: could not get FRA_L3MDEV attribute, ignoring: %m");
996 return 0;
997 }
998
999 r = sd_netlink_message_read(message, FRA_SPORT_RANGE, sizeof(tmp->sport), &tmp->sport);
1000 if (r < 0 && r != -ENODATA) {
1001 log_warning_errno(r, "rtnl: could not get FRA_SPORT_RANGE attribute, ignoring: %m");
1002 return 0;
1003 }
1004
1005 r = sd_netlink_message_read(message, FRA_DPORT_RANGE, sizeof(tmp->dport), &tmp->dport);
1006 if (r < 0 && r != -ENODATA) {
1007 log_warning_errno(r, "rtnl: could not get FRA_DPORT_RANGE attribute, ignoring: %m");
1008 return 0;
1009 }
1010
1011 r = sd_netlink_message_read(message, FRA_UID_RANGE, sizeof(tmp->uid_range), &tmp->uid_range);
1012 if (r < 0 && r != -ENODATA) {
1013 log_warning_errno(r, "rtnl: could not get FRA_UID_RANGE attribute, ignoring: %m");
1014 return 0;
1015 }
1016
1017 r = sd_netlink_message_read_u32(message, FRA_SUPPRESS_PREFIXLEN, &suppress_prefixlen);
1018 if (r < 0 && r != -ENODATA) {
1019 log_warning_errno(r, "rtnl: could not get FRA_SUPPRESS_PREFIXLEN attribute, ignoring: %m");
1020 return 0;
1021 }
1022 if (r >= 0)
1023 tmp->suppress_prefixlen = (int) suppress_prefixlen;
1024
1025 if (adjust_protocol)
1026 /* As .network files does not have setting to specify protocol, we can assume the
1027 * protocol of the received rule is RTPROT_KERNEL or RTPROT_STATIC. */
1028 tmp->protocol = routing_policy_rule_is_created_by_kernel(tmp) ? RTPROT_KERNEL : RTPROT_STATIC;
1029
1030 (void) routing_policy_rule_get(m, tmp, &rule);
1031
1032 switch (type) {
1033 case RTM_NEWRULE:
1034 if (rule)
1035 log_routing_policy_rule_debug(tmp, "Received remembered", NULL, m);
1036 else if (!m->manage_foreign_routes)
1037 log_routing_policy_rule_debug(tmp, "Ignoring received foreign", NULL, m);
1038 else {
1039 log_routing_policy_rule_debug(tmp, "Remembering foreign", NULL, m);
1040 r = routing_policy_rule_consume_foreign(m, TAKE_PTR(tmp));
1041 if (r < 0)
1042 log_warning_errno(r, "Could not remember foreign rule, ignoring: %m");
1043 }
1044 break;
1045 case RTM_DELRULE:
1046 if (rule) {
1047 log_routing_policy_rule_debug(tmp, "Forgetting", NULL, m);
1048 routing_policy_rule_free(rule);
1049 } else
1050 log_routing_policy_rule_debug(tmp, "Kernel removed unknown", NULL, m);
1051 break;
1052
1053 default:
1054 assert_not_reached();
1055 }
1056
1057 return 1;
1058 }
1059
1060 static int parse_fwmark_fwmask(const char *s, uint32_t *ret_fwmark, uint32_t *ret_fwmask) {
1061 _cleanup_free_ char *fwmark_str = NULL;
1062 uint32_t fwmark, fwmask = 0;
1063 const char *slash;
1064 int r;
1065
1066 assert(s);
1067 assert(ret_fwmark);
1068 assert(ret_fwmask);
1069
1070 slash = strchr(s, '/');
1071 if (slash) {
1072 fwmark_str = strndup(s, slash - s);
1073 if (!fwmark_str)
1074 return -ENOMEM;
1075 }
1076
1077 r = safe_atou32(fwmark_str ?: s, &fwmark);
1078 if (r < 0)
1079 return r;
1080
1081 if (fwmark > 0) {
1082 if (slash) {
1083 r = safe_atou32(slash + 1, &fwmask);
1084 if (r < 0)
1085 return r;
1086 } else
1087 fwmask = UINT32_MAX;
1088 }
1089
1090 *ret_fwmark = fwmark;
1091 *ret_fwmask = fwmask;
1092
1093 return 0;
1094 }
1095
1096 int config_parse_routing_policy_rule_tos(
1097 const char *unit,
1098 const char *filename,
1099 unsigned line,
1100 const char *section,
1101 unsigned section_line,
1102 const char *lvalue,
1103 int ltype,
1104 const char *rvalue,
1105 void *data,
1106 void *userdata) {
1107
1108 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1109 Network *network = userdata;
1110 int r;
1111
1112 assert(filename);
1113 assert(section);
1114 assert(lvalue);
1115 assert(rvalue);
1116 assert(data);
1117
1118 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1119 if (r < 0)
1120 return log_oom();
1121
1122 r = safe_atou8(rvalue, &n->tos);
1123 if (r < 0) {
1124 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule TOS, ignoring: %s", rvalue);
1125 return 0;
1126 }
1127
1128 TAKE_PTR(n);
1129 return 0;
1130 }
1131
1132 int config_parse_routing_policy_rule_priority(
1133 const char *unit,
1134 const char *filename,
1135 unsigned line,
1136 const char *section,
1137 unsigned section_line,
1138 const char *lvalue,
1139 int ltype,
1140 const char *rvalue,
1141 void *data,
1142 void *userdata) {
1143
1144 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1145 Network *network = userdata;
1146 int r;
1147
1148 assert(filename);
1149 assert(section);
1150 assert(lvalue);
1151 assert(rvalue);
1152 assert(data);
1153
1154 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1155 if (r < 0)
1156 return log_oom();
1157
1158 r = safe_atou32(rvalue, &n->priority);
1159 if (r < 0) {
1160 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule priority, ignoring: %s", rvalue);
1161 return 0;
1162 }
1163
1164 TAKE_PTR(n);
1165 return 0;
1166 }
1167
1168 int config_parse_routing_policy_rule_table(
1169 const char *unit,
1170 const char *filename,
1171 unsigned line,
1172 const char *section,
1173 unsigned section_line,
1174 const char *lvalue,
1175 int ltype,
1176 const char *rvalue,
1177 void *data,
1178 void *userdata) {
1179
1180 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1181 Network *network = userdata;
1182 int r;
1183
1184 assert(filename);
1185 assert(section);
1186 assert(lvalue);
1187 assert(rvalue);
1188 assert(data);
1189
1190 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1191 if (r < 0)
1192 return log_oom();
1193
1194 r = manager_get_route_table_from_string(network->manager, rvalue, &n->table);
1195 if (r < 0) {
1196 log_syntax(unit, LOG_WARNING, filename, line, r,
1197 "Could not parse RPDB rule route table number \"%s\", ignoring assignment: %m", rvalue);
1198 return 0;
1199 }
1200
1201 TAKE_PTR(n);
1202 return 0;
1203 }
1204
1205 int config_parse_routing_policy_rule_fwmark_mask(
1206 const char *unit,
1207 const char *filename,
1208 unsigned line,
1209 const char *section,
1210 unsigned section_line,
1211 const char *lvalue,
1212 int ltype,
1213 const char *rvalue,
1214 void *data,
1215 void *userdata) {
1216
1217 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1218 Network *network = userdata;
1219 int r;
1220
1221 assert(filename);
1222 assert(section);
1223 assert(lvalue);
1224 assert(rvalue);
1225 assert(data);
1226
1227 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1228 if (r < 0)
1229 return log_oom();
1230
1231 r = parse_fwmark_fwmask(rvalue, &n->fwmark, &n->fwmask);
1232 if (r < 0) {
1233 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule firewall mark or mask, ignoring: %s", rvalue);
1234 return 0;
1235 }
1236
1237 TAKE_PTR(n);
1238 return 0;
1239 }
1240
1241 int config_parse_routing_policy_rule_prefix(
1242 const char *unit,
1243 const char *filename,
1244 unsigned line,
1245 const char *section,
1246 unsigned section_line,
1247 const char *lvalue,
1248 int ltype,
1249 const char *rvalue,
1250 void *data,
1251 void *userdata) {
1252
1253 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1254 Network *network = userdata;
1255 union in_addr_union *buffer;
1256 uint8_t *prefixlen;
1257 int r;
1258
1259 assert(filename);
1260 assert(section);
1261 assert(lvalue);
1262 assert(rvalue);
1263 assert(data);
1264
1265 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1266 if (r < 0)
1267 return log_oom();
1268
1269 if (streq(lvalue, "To")) {
1270 buffer = &n->to;
1271 prefixlen = &n->to_prefixlen;
1272 } else {
1273 buffer = &n->from;
1274 prefixlen = &n->from_prefixlen;
1275 }
1276
1277 if (n->family == AF_UNSPEC)
1278 r = in_addr_prefix_from_string_auto(rvalue, &n->family, buffer, prefixlen);
1279 else
1280 r = in_addr_prefix_from_string(rvalue, n->family, buffer, prefixlen);
1281 if (r < 0) {
1282 log_syntax(unit, LOG_WARNING, filename, line, r, "RPDB rule prefix is invalid, ignoring assignment: %s", rvalue);
1283 return 0;
1284 }
1285
1286 TAKE_PTR(n);
1287 return 0;
1288 }
1289
1290 int config_parse_routing_policy_rule_device(
1291 const char *unit,
1292 const char *filename,
1293 unsigned line,
1294 const char *section,
1295 unsigned section_line,
1296 const char *lvalue,
1297 int ltype,
1298 const char *rvalue,
1299 void *data,
1300 void *userdata) {
1301
1302 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1303 Network *network = userdata;
1304 int r;
1305
1306 assert(filename);
1307 assert(section);
1308 assert(lvalue);
1309 assert(rvalue);
1310 assert(data);
1311
1312 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1313 if (r < 0)
1314 return log_oom();
1315
1316 if (!ifname_valid(rvalue)) {
1317 log_syntax(unit, LOG_WARNING, filename, line, 0,
1318 "Invalid interface name '%s' in %s=, ignoring assignment.", rvalue, lvalue);
1319 return 0;
1320 }
1321
1322 r = free_and_strdup(streq(lvalue, "IncomingInterface") ? &n->iif : &n->oif, rvalue);
1323 if (r < 0)
1324 return log_oom();
1325
1326 TAKE_PTR(n);
1327 return 0;
1328 }
1329
1330 int config_parse_routing_policy_rule_port_range(
1331 const char *unit,
1332 const char *filename,
1333 unsigned line,
1334 const char *section,
1335 unsigned section_line,
1336 const char *lvalue,
1337 int ltype,
1338 const char *rvalue,
1339 void *data,
1340 void *userdata) {
1341
1342 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1343 Network *network = userdata;
1344 uint16_t low, high;
1345 int r;
1346
1347 assert(filename);
1348 assert(section);
1349 assert(lvalue);
1350 assert(rvalue);
1351 assert(data);
1352
1353 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1354 if (r < 0)
1355 return log_oom();
1356
1357 r = parse_ip_port_range(rvalue, &low, &high);
1358 if (r < 0) {
1359 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse routing policy rule port range '%s'", rvalue);
1360 return 0;
1361 }
1362
1363 if (streq(lvalue, "SourcePort")) {
1364 n->sport.start = low;
1365 n->sport.end = high;
1366 } else {
1367 n->dport.start = low;
1368 n->dport.end = high;
1369 }
1370
1371 TAKE_PTR(n);
1372 return 0;
1373 }
1374
1375 int config_parse_routing_policy_rule_ip_protocol(
1376 const char *unit,
1377 const char *filename,
1378 unsigned line,
1379 const char *section,
1380 unsigned section_line,
1381 const char *lvalue,
1382 int ltype,
1383 const char *rvalue,
1384 void *data,
1385 void *userdata) {
1386
1387 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1388 Network *network = userdata;
1389 int r;
1390
1391 assert(filename);
1392 assert(section);
1393 assert(lvalue);
1394 assert(rvalue);
1395 assert(data);
1396
1397 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1398 if (r < 0)
1399 return log_oom();
1400
1401 r = parse_ip_protocol(rvalue);
1402 if (r < 0) {
1403 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse IP protocol '%s' for routing policy rule, ignoring: %m", rvalue);
1404 return 0;
1405 }
1406
1407 n->ipproto = r;
1408
1409 TAKE_PTR(n);
1410 return 0;
1411 }
1412
1413 int config_parse_routing_policy_rule_invert(
1414 const char *unit,
1415 const char *filename,
1416 unsigned line,
1417 const char *section,
1418 unsigned section_line,
1419 const char *lvalue,
1420 int ltype,
1421 const char *rvalue,
1422 void *data,
1423 void *userdata) {
1424
1425 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1426 Network *network = userdata;
1427 int r;
1428
1429 assert(filename);
1430 assert(section);
1431 assert(lvalue);
1432 assert(rvalue);
1433 assert(data);
1434
1435 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1436 if (r < 0)
1437 return log_oom();
1438
1439 r = parse_boolean(rvalue);
1440 if (r < 0) {
1441 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule invert, ignoring: %s", rvalue);
1442 return 0;
1443 }
1444
1445 n->invert_rule = r;
1446
1447 TAKE_PTR(n);
1448 return 0;
1449 }
1450
1451 int config_parse_routing_policy_rule_family(
1452 const char *unit,
1453 const char *filename,
1454 unsigned line,
1455 const char *section,
1456 unsigned section_line,
1457 const char *lvalue,
1458 int ltype,
1459 const char *rvalue,
1460 void *data,
1461 void *userdata) {
1462
1463 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1464 Network *network = userdata;
1465 AddressFamily a;
1466 int r;
1467
1468 assert(filename);
1469 assert(section);
1470 assert(lvalue);
1471 assert(rvalue);
1472 assert(data);
1473
1474 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1475 if (r < 0)
1476 return log_oom();
1477
1478 a = routing_policy_rule_address_family_from_string(rvalue);
1479 if (a < 0) {
1480 log_syntax(unit, LOG_WARNING, filename, line, a,
1481 "Invalid address family '%s', ignoring.", rvalue);
1482 return 0;
1483 }
1484
1485 n->address_family = a;
1486
1487 TAKE_PTR(n);
1488 return 0;
1489 }
1490
1491 int config_parse_routing_policy_rule_uid_range(
1492 const char *unit,
1493 const char *filename,
1494 unsigned line,
1495 const char *section,
1496 unsigned section_line,
1497 const char *lvalue,
1498 int ltype,
1499 const char *rvalue,
1500 void *data,
1501 void *userdata) {
1502
1503 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1504 Network *network = userdata;
1505 uid_t start, end;
1506 int r;
1507
1508 assert(filename);
1509 assert(section);
1510 assert(lvalue);
1511 assert(rvalue);
1512 assert(data);
1513
1514 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1515 if (r < 0)
1516 return log_oom();
1517
1518 r = get_user_creds(&rvalue, &start, NULL, NULL, NULL, 0);
1519 if (r >= 0)
1520 end = start;
1521 else {
1522 r = parse_uid_range(rvalue, &start, &end);
1523 if (r < 0) {
1524 log_syntax(unit, LOG_WARNING, filename, line, r,
1525 "Invalid uid or uid range '%s', ignoring: %m", rvalue);
1526 return 0;
1527 }
1528 }
1529
1530 n->uid_range.start = start;
1531 n->uid_range.end = end;
1532
1533 TAKE_PTR(n);
1534 return 0;
1535 }
1536
1537 int config_parse_routing_policy_rule_suppress_prefixlen(
1538 const char *unit,
1539 const char *filename,
1540 unsigned line,
1541 const char *section,
1542 unsigned section_line,
1543 const char *lvalue,
1544 int ltype,
1545 const char *rvalue,
1546 void *data,
1547 void *userdata) {
1548
1549 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1550 Network *network = userdata;
1551 int r;
1552
1553 assert(filename);
1554 assert(section);
1555 assert(lvalue);
1556 assert(rvalue);
1557 assert(data);
1558
1559 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1560 if (r < 0)
1561 return log_oom();
1562
1563 r = parse_ip_prefix_length(rvalue, &n->suppress_prefixlen);
1564 if (r == -ERANGE) {
1565 log_syntax(unit, LOG_WARNING, filename, line, r, "Prefix length outside of valid range 0-128, ignoring: %s", rvalue);
1566 return 0;
1567 }
1568 if (r < 0) {
1569 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule suppress_prefixlen, ignoring: %s", rvalue);
1570 return 0;
1571 }
1572
1573 TAKE_PTR(n);
1574 return 0;
1575 }
1576
1577 int config_parse_routing_policy_rule_type(
1578 const char *unit,
1579 const char *filename,
1580 unsigned line,
1581 const char *section,
1582 unsigned section_line,
1583 const char *lvalue,
1584 int ltype,
1585 const char *rvalue,
1586 void *data,
1587 void *userdata) {
1588
1589 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1590 Network *network = userdata;
1591 int r, t;
1592
1593 assert(filename);
1594 assert(section);
1595 assert(lvalue);
1596 assert(rvalue);
1597 assert(data);
1598
1599 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1600 if (r < 0)
1601 return log_oom();
1602
1603 t = fr_act_type_from_string(rvalue);
1604 if (t < 0) {
1605 log_syntax(unit, LOG_WARNING, filename, line, t,
1606 "Could not parse FIB rule type \"%s\", ignoring assignment: %m", rvalue);
1607 return 0;
1608 }
1609
1610 n->type = (uint8_t) t;
1611
1612 TAKE_PTR(n);
1613 return 0;
1614 }
1615
1616 static int routing_policy_rule_section_verify(RoutingPolicyRule *rule) {
1617 if (section_is_invalid(rule->section))
1618 return -EINVAL;
1619
1620 if ((rule->family == AF_INET && FLAGS_SET(rule->address_family, ADDRESS_FAMILY_IPV6)) ||
1621 (rule->family == AF_INET6 && FLAGS_SET(rule->address_family, ADDRESS_FAMILY_IPV4)))
1622 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1623 "%s: address family specified by Family= conflicts with the address "
1624 "specified by To= or From=. Ignoring [RoutingPolicyRule] section from line %u.",
1625 rule->section->filename, rule->section->line);
1626
1627 if (rule->family == AF_UNSPEC) {
1628 if (IN_SET(rule->address_family, ADDRESS_FAMILY_IPV4, ADDRESS_FAMILY_NO))
1629 rule->family = AF_INET;
1630 else if (rule->address_family == ADDRESS_FAMILY_IPV6)
1631 rule->family = AF_INET6;
1632 /* rule->family can be AF_UNSPEC only when Family=both. */
1633 }
1634
1635 /* Currently, [RoutingPolicyRule] does not have a setting to set FRA_L3MDEV flag. Please also
1636 * update routing_policy_rule_is_created_by_kernel() when a new setting which sets the flag is
1637 * added in the future. */
1638 if (rule->l3mdev > 0)
1639 assert_not_reached();
1640
1641 return 0;
1642 }
1643
1644 void network_drop_invalid_routing_policy_rules(Network *network) {
1645 RoutingPolicyRule *rule;
1646
1647 assert(network);
1648
1649 HASHMAP_FOREACH(rule, network->rules_by_section)
1650 if (routing_policy_rule_section_verify(rule) < 0)
1651 routing_policy_rule_free(rule);
1652 }
Unnamed repository; edit this file 'description' to name the repository.