]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/network/networkd-routing-policy-rule.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #30720 from yuwata/dhcp-server-address-verification
[thirdparty/systemd.git] / src / network / networkd-routing-policy-rule.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <net/if.h>
4 #include <linux/fib_rules.h>
5
6 #include "af-list.h"
7 #include "alloc-util.h"
8 #include "conf-parser.h"
9 #include "fileio.h"
10 #include "format-util.h"
11 #include "hashmap.h"
12 #include "ip-protocol-list.h"
13 #include "netlink-util.h"
14 #include "networkd-manager.h"
15 #include "networkd-queue.h"
16 #include "networkd-route-util.h"
17 #include "networkd-routing-policy-rule.h"
18 #include "networkd-util.h"
19 #include "parse-util.h"
20 #include "socket-util.h"
21 #include "string-table.h"
22 #include "string-util.h"
23 #include "strv.h"
24 #include "user-util.h"
25
26 static const char *const fr_act_type_table[__FR_ACT_MAX] = {
27 [FR_ACT_BLACKHOLE] = "blackhole",
28 [FR_ACT_UNREACHABLE] = "unreachable",
29 [FR_ACT_PROHIBIT] = "prohibit",
30 };
31
32 static const char *const fr_act_type_full_table[__FR_ACT_MAX] = {
33 [FR_ACT_TO_TBL] = "table",
34 [FR_ACT_GOTO] = "goto",
35 [FR_ACT_NOP] = "nop",
36 [FR_ACT_BLACKHOLE] = "blackhole",
37 [FR_ACT_UNREACHABLE] = "unreachable",
38 [FR_ACT_PROHIBIT] = "prohibit",
39 };
40
41 assert_cc(__FR_ACT_MAX <= UINT8_MAX);
42 DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(fr_act_type, int);
43 DEFINE_STRING_TABLE_LOOKUP_TO_STRING(fr_act_type_full, int);
44
45 RoutingPolicyRule *routing_policy_rule_free(RoutingPolicyRule *rule) {
46 if (!rule)
47 return NULL;
48
49 if (rule->network) {
50 assert(rule->section);
51 hashmap_remove(rule->network->rules_by_section, rule->section);
52 }
53
54 if (rule->manager)
55 set_remove(rule->manager->rules, rule);
56
57 config_section_free(rule->section);
58 free(rule->iif);
59 free(rule->oif);
60
61 return mfree(rule);
62 }
63
64 DEFINE_SECTION_CLEANUP_FUNCTIONS(RoutingPolicyRule, routing_policy_rule_free);
65
66 static int routing_policy_rule_new(RoutingPolicyRule **ret) {
67 RoutingPolicyRule *rule;
68
69 rule = new(RoutingPolicyRule, 1);
70 if (!rule)
71 return -ENOMEM;
72
73 *rule = (RoutingPolicyRule) {
74 .table = RT_TABLE_MAIN,
75 .uid_range.start = UID_INVALID,
76 .uid_range.end = UID_INVALID,
77 .suppress_prefixlen = -1,
78 .suppress_ifgroup = -1,
79 .protocol = RTPROT_UNSPEC,
80 .type = FR_ACT_TO_TBL,
81 };
82
83 *ret = rule;
84 return 0;
85 }
86
87 static int routing_policy_rule_new_static(Network *network, const char *filename, unsigned section_line, RoutingPolicyRule **ret) {
88 _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *rule = NULL;
89 _cleanup_(config_section_freep) ConfigSection *n = NULL;
90 int r;
91
92 assert(network);
93 assert(ret);
94 assert(filename);
95 assert(section_line > 0);
96
97 r = config_section_new(filename, section_line, &n);
98 if (r < 0)
99 return r;
100
101 rule = hashmap_get(network->rules_by_section, n);
102 if (rule) {
103 *ret = TAKE_PTR(rule);
104 return 0;
105 }
106
107 r = routing_policy_rule_new(&rule);
108 if (r < 0)
109 return r;
110
111 rule->network = network;
112 rule->section = TAKE_PTR(n);
113 rule->source = NETWORK_CONFIG_SOURCE_STATIC;
114 rule->protocol = RTPROT_STATIC;
115
116 r = hashmap_ensure_put(&network->rules_by_section, &config_section_hash_ops, rule->section, rule);
117 if (r < 0)
118 return r;
119
120 *ret = TAKE_PTR(rule);
121 return 0;
122 }
123
124 static int routing_policy_rule_dup(const RoutingPolicyRule *src, RoutingPolicyRule **ret) {
125 _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *dest = NULL;
126
127 assert(src);
128 assert(ret);
129
130 dest = newdup(RoutingPolicyRule, src, 1);
131 if (!dest)
132 return -ENOMEM;
133
134 /* Unset all pointers */
135 dest->manager = NULL;
136 dest->network = NULL;
137 dest->section = NULL;
138 dest->iif = dest->oif = NULL;
139
140 if (src->iif) {
141 dest->iif = strdup(src->iif);
142 if (!dest->iif)
143 return -ENOMEM;
144 }
145
146 if (src->oif) {
147 dest->oif = strdup(src->oif);
148 if (!dest->oif)
149 return -ENOMEM;
150 }
151
152 *ret = TAKE_PTR(dest);
153 return 0;
154 }
155
156 static void routing_policy_rule_hash_func(const RoutingPolicyRule *rule, struct siphash *state) {
157 assert(rule);
158
159 siphash24_compress_typesafe(rule->family, state);
160
161 switch (rule->family) {
162 case AF_INET:
163 case AF_INET6:
164 in_addr_hash_func(&rule->from, rule->family, state);
165 siphash24_compress_typesafe(rule->from_prefixlen, state);
166
167 in_addr_hash_func(&rule->to, rule->family, state);
168 siphash24_compress_typesafe(rule->to_prefixlen, state);
169
170 siphash24_compress_boolean(rule->invert_rule, state);
171
172 siphash24_compress_typesafe(rule->tos, state);
173 siphash24_compress_typesafe(rule->type, state);
174 siphash24_compress_typesafe(rule->fwmark, state);
175 siphash24_compress_typesafe(rule->fwmask, state);
176 siphash24_compress_typesafe(rule->priority, state);
177 siphash24_compress_typesafe(rule->table, state);
178 siphash24_compress_typesafe(rule->suppress_prefixlen, state);
179 siphash24_compress_typesafe(rule->suppress_ifgroup, state);
180
181 siphash24_compress_typesafe(rule->ipproto, state);
182 siphash24_compress_typesafe(rule->protocol, state);
183 siphash24_compress_typesafe(rule->sport, state);
184 siphash24_compress_typesafe(rule->dport, state);
185 siphash24_compress_typesafe(rule->uid_range, state);
186
187 siphash24_compress_string(rule->iif, state);
188 siphash24_compress_string(rule->oif, state);
189
190 break;
191 default:
192 /* treat any other address family as AF_UNSPEC */
193 break;
194 }
195 }
196
197 static int routing_policy_rule_compare_func(const RoutingPolicyRule *a, const RoutingPolicyRule *b) {
198 int r;
199
200 r = CMP(a->family, b->family);
201 if (r != 0)
202 return r;
203
204 switch (a->family) {
205 case AF_INET:
206 case AF_INET6:
207 r = CMP(a->from_prefixlen, b->from_prefixlen);
208 if (r != 0)
209 return r;
210
211 r = memcmp(&a->from, &b->from, FAMILY_ADDRESS_SIZE(a->family));
212 if (r != 0)
213 return r;
214
215 r = CMP(a->to_prefixlen, b->to_prefixlen);
216 if (r != 0)
217 return r;
218
219 r = memcmp(&a->to, &b->to, FAMILY_ADDRESS_SIZE(a->family));
220 if (r != 0)
221 return r;
222
223 r = CMP(a->invert_rule, b->invert_rule);
224 if (r != 0)
225 return r;
226
227 r = CMP(a->tos, b->tos);
228 if (r != 0)
229 return r;
230
231 r = CMP(a->type, b->type);
232 if (r != 0)
233 return r;
234
235 r = CMP(a->fwmark, b->fwmark);
236 if (r != 0)
237 return r;
238
239 r = CMP(a->fwmask, b->fwmask);
240 if (r != 0)
241 return r;
242
243 r = CMP(a->priority, b->priority);
244 if (r != 0)
245 return r;
246
247 r = CMP(a->table, b->table);
248 if (r != 0)
249 return r;
250
251 r = CMP(a->suppress_prefixlen, b->suppress_prefixlen);
252 if (r != 0)
253 return r;
254
255 r = CMP(a->suppress_ifgroup, b->suppress_ifgroup);
256 if (r != 0)
257 return r;
258
259 r = CMP(a->ipproto, b->ipproto);
260 if (r != 0)
261 return r;
262
263 r = CMP(a->protocol, b->protocol);
264 if (r != 0)
265 return r;
266
267 r = memcmp(&a->sport, &b->sport, sizeof(a->sport));
268 if (r != 0)
269 return r;
270
271 r = memcmp(&a->dport, &b->dport, sizeof(a->dport));
272 if (r != 0)
273 return r;
274
275 r = memcmp(&a->uid_range, &b->uid_range, sizeof(a->uid_range));
276 if (r != 0)
277 return r;
278
279 r = strcmp_ptr(a->iif, b->iif);
280 if (r != 0)
281 return r;
282
283 r = strcmp_ptr(a->oif, b->oif);
284 if (r != 0)
285 return r;
286
287 return 0;
288 default:
289 /* treat any other address family as AF_UNSPEC */
290 return 0;
291 }
292 }
293
294 static bool routing_policy_rule_equal(const RoutingPolicyRule *rule1, const RoutingPolicyRule *rule2) {
295 if (rule1 == rule2)
296 return true;
297
298 if (!rule1 || !rule2)
299 return false;
300
301 return routing_policy_rule_compare_func(rule1, rule2) == 0;
302 }
303
304 DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR(
305 routing_policy_rule_hash_ops,
306 RoutingPolicyRule,
307 routing_policy_rule_hash_func,
308 routing_policy_rule_compare_func,
309 routing_policy_rule_free);
310
311 static int routing_policy_rule_get(Manager *m, const RoutingPolicyRule *in, RoutingPolicyRule **ret) {
312 RoutingPolicyRule *rule;
313
314 assert(m);
315 assert(in);
316
317 rule = set_get(m->rules, in);
318 if (rule) {
319 if (ret)
320 *ret = rule;
321 return 0;
322 }
323
324 if (in->priority_set)
325 return -ENOENT;
326
327 /* Also find rules configured without priority. */
328 SET_FOREACH(rule, m->rules) {
329 uint32_t priority;
330 bool found;
331
332 if (rule->priority_set)
333 /* The rule is configured with priority. */
334 continue;
335
336 priority = rule->priority;
337 rule->priority = 0;
338 found = routing_policy_rule_equal(rule, in);
339 rule->priority = priority;
340
341 if (found) {
342 if (ret)
343 *ret = rule;
344 return 0;
345 }
346 }
347
348 return -ENOENT;
349 }
350
351 static int routing_policy_rule_add(Manager *m, RoutingPolicyRule *rule) {
352 int r;
353
354 assert(m);
355 assert(rule);
356 assert(IN_SET(rule->family, AF_INET, AF_INET6));
357
358 r = set_ensure_put(&m->rules, &routing_policy_rule_hash_ops, rule);
359 if (r < 0)
360 return r;
361 if (r == 0)
362 return -EEXIST;
363
364 rule->manager = m;
365 return 0;
366 }
367
368 static int routing_policy_rule_acquire_priority(Manager *manager, RoutingPolicyRule *rule) {
369 _cleanup_set_free_ Set *priorities = NULL;
370 RoutingPolicyRule *tmp;
371 uint32_t priority;
372 Network *network;
373 int r;
374
375 assert(manager);
376 assert(rule);
377 assert(IN_SET(rule->family, AF_INET, AF_INET6));
378
379 if (rule->priority_set)
380 return 0;
381
382 /* Find the highest unused priority. Note that 32766 is already used by kernel.
383 * See kernel_rules[] below. */
384
385 SET_FOREACH(tmp, manager->rules) {
386 if (tmp->family != rule->family)
387 continue;
388 if (tmp->priority == 0 || tmp->priority > 32765)
389 continue;
390 r = set_ensure_put(&priorities, NULL, UINT32_TO_PTR(tmp->priority));
391 if (r < 0)
392 return r;
393 }
394
395 ORDERED_HASHMAP_FOREACH(network, manager->networks)
396 HASHMAP_FOREACH(tmp, network->rules_by_section) {
397 if (tmp->family != AF_UNSPEC && tmp->family != rule->family)
398 continue;
399 if (!tmp->priority_set)
400 continue;
401 if (tmp->priority == 0 || tmp->priority > 32765)
402 continue;
403 r = set_ensure_put(&priorities, NULL, UINT32_TO_PTR(tmp->priority));
404 if (r < 0)
405 return r;
406 }
407
408 for (priority = 32765; priority > 0; priority--)
409 if (!set_contains(priorities, UINT32_TO_PTR(priority)))
410 break;
411
412 rule->priority = priority;
413 return 0;
414 }
415
416 static void log_routing_policy_rule_debug(const RoutingPolicyRule *rule, const char *str, const Link *link, const Manager *m) {
417 _cleanup_free_ char *state = NULL, *table = NULL;
418
419 assert(rule);
420 assert(IN_SET(rule->family, AF_INET, AF_INET6));
421 assert(str);
422 assert(m);
423
424 /* link may be NULL. */
425
426 if (!DEBUG_LOGGING)
427 return;
428
429 (void) network_config_state_to_string_alloc(rule->state, &state);
430 (void) manager_get_route_table_to_string(m, rule->table, /* append_num = */ true, &table);
431
432 log_link_debug(link,
433 "%s %s routing policy rule (%s): priority: %"PRIu32", %s -> %s, iif: %s, oif: %s, table: %s",
434 str, strna(network_config_source_to_string(rule->source)), strna(state),
435 rule->priority,
436 IN_ADDR_PREFIX_TO_STRING(rule->family, &rule->from, rule->from_prefixlen),
437 IN_ADDR_PREFIX_TO_STRING(rule->family, &rule->to, rule->to_prefixlen),
438 strna(rule->iif), strna(rule->oif), strna(table));
439 }
440
441 static int routing_policy_rule_set_netlink_message(const RoutingPolicyRule *rule, sd_netlink_message *m, Link *link) {
442 int r;
443
444 assert(rule);
445 assert(m);
446
447 /* link may be NULL. */
448
449 if (rule->from_prefixlen > 0) {
450 r = netlink_message_append_in_addr_union(m, FRA_SRC, rule->family, &rule->from);
451 if (r < 0)
452 return r;
453
454 r = sd_rtnl_message_routing_policy_rule_set_fib_src_prefixlen(m, rule->from_prefixlen);
455 if (r < 0)
456 return r;
457 }
458
459 if (rule->to_prefixlen > 0) {
460 r = netlink_message_append_in_addr_union(m, FRA_DST, rule->family, &rule->to);
461 if (r < 0)
462 return r;
463
464 r = sd_rtnl_message_routing_policy_rule_set_fib_dst_prefixlen(m, rule->to_prefixlen);
465 if (r < 0)
466 return r;
467 }
468
469 r = sd_netlink_message_append_u32(m, FRA_PRIORITY, rule->priority);
470 if (r < 0)
471 return r;
472
473 if (rule->tos > 0) {
474 r = sd_rtnl_message_routing_policy_rule_set_tos(m, rule->tos);
475 if (r < 0)
476 return r;
477 }
478
479 if (rule->table < 256) {
480 r = sd_rtnl_message_routing_policy_rule_set_table(m, rule->table);
481 if (r < 0)
482 return r;
483 } else {
484 r = sd_rtnl_message_routing_policy_rule_set_table(m, RT_TABLE_UNSPEC);
485 if (r < 0)
486 return r;
487
488 r = sd_netlink_message_append_u32(m, FRA_TABLE, rule->table);
489 if (r < 0)
490 return r;
491 }
492
493 if (rule->fwmark > 0) {
494 r = sd_netlink_message_append_u32(m, FRA_FWMARK, rule->fwmark);
495 if (r < 0)
496 return r;
497
498 r = sd_netlink_message_append_u32(m, FRA_FWMASK, rule->fwmask);
499 if (r < 0)
500 return r;
501 }
502
503 if (rule->iif) {
504 r = sd_netlink_message_append_string(m, FRA_IIFNAME, rule->iif);
505 if (r < 0)
506 return r;
507 }
508
509 if (rule->oif) {
510 r = sd_netlink_message_append_string(m, FRA_OIFNAME, rule->oif);
511 if (r < 0)
512 return r;
513 }
514
515 r = sd_netlink_message_append_u8(m, FRA_IP_PROTO, rule->ipproto);
516 if (r < 0)
517 return r;
518
519 r = sd_netlink_message_append_u8(m, FRA_PROTOCOL, rule->protocol);
520 if (r < 0)
521 return r;
522
523 if (rule->sport.start != 0 || rule->sport.end != 0) {
524 r = sd_netlink_message_append_data(m, FRA_SPORT_RANGE, &rule->sport, sizeof(rule->sport));
525 if (r < 0)
526 return r;
527 }
528
529 if (rule->dport.start != 0 || rule->dport.end != 0) {
530 r = sd_netlink_message_append_data(m, FRA_DPORT_RANGE, &rule->dport, sizeof(rule->dport));
531 if (r < 0)
532 return r;
533 }
534
535 if (rule->uid_range.start != UID_INVALID && rule->uid_range.end != UID_INVALID) {
536 r = sd_netlink_message_append_data(m, FRA_UID_RANGE, &rule->uid_range, sizeof(rule->uid_range));
537 if (r < 0)
538 return r;
539 }
540
541 if (rule->invert_rule) {
542 r = sd_rtnl_message_routing_policy_rule_set_flags(m, FIB_RULE_INVERT);
543 if (r < 0)
544 return r;
545 }
546
547 if (rule->suppress_prefixlen >= 0) {
548 r = sd_netlink_message_append_u32(m, FRA_SUPPRESS_PREFIXLEN, (uint32_t) rule->suppress_prefixlen);
549 if (r < 0)
550 return r;
551 }
552
553 if (rule->suppress_ifgroup >= 0) {
554 r = sd_netlink_message_append_u32(m, FRA_SUPPRESS_IFGROUP, (uint32_t) rule->suppress_ifgroup);
555 if (r < 0)
556 return r;
557 }
558
559 r = sd_rtnl_message_routing_policy_rule_set_fib_type(m, rule->type);
560 if (r < 0)
561 return r;
562
563 return 0;
564 }
565
566 static int routing_policy_rule_remove_handler(sd_netlink *rtnl, sd_netlink_message *m, void *userdata) {
567 int r;
568
569 assert(m);
570
571 r = sd_netlink_message_get_errno(m);
572 if (r < 0)
573 log_message_warning_errno(m, r, "Could not drop routing policy rule");
574
575 return 1;
576 }
577
578 static int routing_policy_rule_remove(RoutingPolicyRule *rule) {
579 _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
580 int r;
581
582 assert(rule);
583 assert(rule->manager);
584 assert(rule->manager->rtnl);
585 assert(IN_SET(rule->family, AF_INET, AF_INET6));
586
587 log_routing_policy_rule_debug(rule, "Removing", NULL, rule->manager);
588
589 r = sd_rtnl_message_new_routing_policy_rule(rule->manager->rtnl, &m, RTM_DELRULE, rule->family);
590 if (r < 0)
591 return log_warning_errno(r, "Could not allocate netlink message: %m");
592
593 r = routing_policy_rule_set_netlink_message(rule, m, NULL);
594 if (r < 0)
595 return log_warning_errno(r, "Could not create netlink message: %m");
596
597 r = netlink_call_async(rule->manager->rtnl, NULL, m,
598 routing_policy_rule_remove_handler,
599 NULL, NULL);
600 if (r < 0)
601 return log_warning_errno(r, "Could not send netlink message: %m");
602
603 routing_policy_rule_enter_removing(rule);
604 return 0;
605 }
606
607 static int routing_policy_rule_configure(RoutingPolicyRule *rule, Link *link, Request *req) {
608 _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
609 int r;
610
611 assert(rule);
612 assert(IN_SET(rule->family, AF_INET, AF_INET6));
613 assert(link);
614 assert(link->ifindex > 0);
615 assert(link->manager);
616 assert(link->manager->rtnl);
617 assert(req);
618
619 log_routing_policy_rule_debug(rule, "Configuring", link, link->manager);
620
621 r = sd_rtnl_message_new_routing_policy_rule(link->manager->rtnl, &m, RTM_NEWRULE, rule->family);
622 if (r < 0)
623 return r;
624
625 r = routing_policy_rule_set_netlink_message(rule, m, link);
626 if (r < 0)
627 return r;
628
629 return request_call_netlink_async(link->manager->rtnl, m, req);
630 }
631
632 static void manager_mark_routing_policy_rules(Manager *m, bool foreign, const Link *except) {
633 RoutingPolicyRule *rule;
634 Link *link;
635
636 assert(m);
637
638 /* First, mark all existing rules. */
639 SET_FOREACH(rule, m->rules) {
640 /* Do not touch rules managed by kernel. */
641 if (rule->protocol == RTPROT_KERNEL)
642 continue;
643
644 /* When 'foreign' is true, mark only foreign rules, and vice versa. */
645 if (foreign != (rule->source == NETWORK_CONFIG_SOURCE_FOREIGN))
646 continue;
647
648 /* Ignore rules not assigned yet or already removing. */
649 if (!routing_policy_rule_exists(rule))
650 continue;
651
652 routing_policy_rule_mark(rule);
653 }
654
655 /* Then, unmark all rules requested by active links. */
656 HASHMAP_FOREACH(link, m->links_by_index) {
657 if (link == except)
658 continue;
659
660 if (!IN_SET(link->state, LINK_STATE_CONFIGURING, LINK_STATE_CONFIGURED))
661 continue;
662
663 HASHMAP_FOREACH(rule, link->network->rules_by_section) {
664 RoutingPolicyRule *existing;
665
666 if (IN_SET(rule->family, AF_INET, AF_INET6)) {
667 if (routing_policy_rule_get(m, rule, &existing) >= 0)
668 routing_policy_rule_unmark(existing);
669 } else {
670 /* The case Family=both. */
671 rule->family = AF_INET;
672 if (routing_policy_rule_get(m, rule, &existing) >= 0)
673 routing_policy_rule_unmark(existing);
674
675 rule->family = AF_INET6;
676 if (routing_policy_rule_get(m, rule, &existing) >= 0)
677 routing_policy_rule_unmark(existing);
678
679 rule->family = AF_UNSPEC;
680 }
681 }
682 }
683 }
684
685 int manager_drop_routing_policy_rules_internal(Manager *m, bool foreign, const Link *except) {
686 RoutingPolicyRule *rule;
687 int r = 0;
688
689 assert(m);
690
691 manager_mark_routing_policy_rules(m, foreign, except);
692
693 SET_FOREACH(rule, m->rules) {
694 if (!routing_policy_rule_is_marked(rule))
695 continue;
696
697 RET_GATHER(r, routing_policy_rule_remove(rule));
698 }
699
700 return r;
701 }
702
703 void link_foreignize_routing_policy_rules(Link *link) {
704 RoutingPolicyRule *rule;
705
706 assert(link);
707 assert(link->manager);
708
709 manager_mark_routing_policy_rules(link->manager, /* foreign = */ false, link);
710
711 SET_FOREACH(rule, link->manager->rules) {
712 if (!routing_policy_rule_is_marked(rule))
713 continue;
714
715 rule->source = NETWORK_CONFIG_SOURCE_FOREIGN;
716 }
717 }
718
719 static int routing_policy_rule_process_request(Request *req, Link *link, RoutingPolicyRule *rule) {
720 int r;
721
722 assert(req);
723 assert(link);
724 assert(rule);
725
726 if (!link_is_ready_to_configure(link, false))
727 return 0;
728
729 r = routing_policy_rule_configure(rule, link, req);
730 if (r < 0)
731 return log_link_warning_errno(link, r, "Failed to configure routing policy rule: %m");
732
733 routing_policy_rule_enter_configuring(rule);
734 return 1;
735 }
736
737 static int static_routing_policy_rule_configure_handler(
738 sd_netlink *rtnl,
739 sd_netlink_message *m,
740 Request *req,
741 Link *link,
742 RoutingPolicyRule *rule) {
743
744 int r;
745
746 assert(m);
747 assert(link);
748
749 r = sd_netlink_message_get_errno(m);
750 if (r < 0 && r != -EEXIST) {
751 log_link_message_warning_errno(link, m, r, "Could not add routing policy rule");
752 link_enter_failed(link);
753 return 1;
754 }
755
756 if (link->static_routing_policy_rule_messages == 0) {
757 log_link_debug(link, "Routing policy rule configured");
758 link->static_routing_policy_rules_configured = true;
759 link_check_ready(link);
760 }
761
762 return 1;
763 }
764
765 static int link_request_routing_policy_rule(Link *link, RoutingPolicyRule *rule) {
766 RoutingPolicyRule *existing;
767 int r;
768
769 assert(link);
770 assert(link->manager);
771 assert(rule);
772 assert(rule->source != NETWORK_CONFIG_SOURCE_FOREIGN);
773
774 if (routing_policy_rule_get(link->manager, rule, &existing) < 0) {
775 _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *tmp = NULL;
776
777 r = routing_policy_rule_dup(rule, &tmp);
778 if (r < 0)
779 return r;
780
781 r = routing_policy_rule_acquire_priority(link->manager, tmp);
782 if (r < 0)
783 return r;
784
785 r = routing_policy_rule_add(link->manager, tmp);
786 if (r < 0)
787 return r;
788
789 existing = TAKE_PTR(tmp);
790 } else
791 existing->source = rule->source;
792
793 log_routing_policy_rule_debug(existing, "Requesting", link, link->manager);
794 r = link_queue_request_safe(link, REQUEST_TYPE_ROUTING_POLICY_RULE,
795 existing, NULL,
796 routing_policy_rule_hash_func,
797 routing_policy_rule_compare_func,
798 routing_policy_rule_process_request,
799 &link->static_routing_policy_rule_messages,
800 static_routing_policy_rule_configure_handler,
801 NULL);
802 if (r <= 0)
803 return r;
804
805 routing_policy_rule_enter_requesting(existing);
806 return 1;
807 }
808
809 static int link_request_static_routing_policy_rule(Link *link, RoutingPolicyRule *rule) {
810 int r;
811
812 if (IN_SET(rule->family, AF_INET, AF_INET6))
813 return link_request_routing_policy_rule(link, rule);
814
815 rule->family = AF_INET;
816 r = link_request_routing_policy_rule(link, rule);
817 if (r < 0) {
818 rule->family = AF_UNSPEC;
819 return r;
820 }
821
822 rule->family = AF_INET6;
823 r = link_request_routing_policy_rule(link, rule);
824 rule->family = AF_UNSPEC;
825 return r;
826 }
827
828 int link_request_static_routing_policy_rules(Link *link) {
829 RoutingPolicyRule *rule;
830 int r;
831
832 assert(link);
833 assert(link->network);
834
835 link->static_routing_policy_rules_configured = false;
836
837 HASHMAP_FOREACH(rule, link->network->rules_by_section) {
838 r = link_request_static_routing_policy_rule(link, rule);
839 if (r < 0)
840 return log_link_warning_errno(link, r, "Could not request routing policy rule: %m");
841 }
842
843 if (link->static_routing_policy_rule_messages == 0) {
844 link->static_routing_policy_rules_configured = true;
845 link_check_ready(link);
846 } else {
847 log_link_debug(link, "Requesting routing policy rules");
848 link_set_state(link, LINK_STATE_CONFIGURING);
849 }
850
851 return 0;
852 }
853
854 static const RoutingPolicyRule kernel_rules[] = {
855 { .family = AF_INET, .priority_set = true, .priority = 0, .table = RT_TABLE_LOCAL, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, .suppress_ifgroup = -1, },
856 { .family = AF_INET, .priority_set = true, .priority = 32766, .table = RT_TABLE_MAIN, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, .suppress_ifgroup = -1, },
857 { .family = AF_INET, .priority_set = true, .priority = 32767, .table = RT_TABLE_DEFAULT, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, .suppress_ifgroup = -1, },
858 { .family = AF_INET6, .priority_set = true, .priority = 0, .table = RT_TABLE_LOCAL, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, .suppress_ifgroup = -1, },
859 { .family = AF_INET6, .priority_set = true, .priority = 32766, .table = RT_TABLE_MAIN, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, .suppress_ifgroup = -1, },
860 };
861
862 static bool routing_policy_rule_is_created_by_kernel(const RoutingPolicyRule *rule) {
863 assert(rule);
864
865 if (rule->l3mdev > 0)
866 /* Currently, [RoutingPolicyRule] does not explicitly set FRA_L3MDEV. So, if the flag
867 * is set, it is safe to treat the rule as created by kernel. */
868 return true;
869
870 for (size_t i = 0; i < ELEMENTSOF(kernel_rules); i++)
871 if (routing_policy_rule_equal(rule, &kernel_rules[i]))
872 return true;
873
874 return false;
875 }
876
877 int manager_rtnl_process_rule(sd_netlink *rtnl, sd_netlink_message *message, Manager *m) {
878 _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *tmp = NULL;
879 RoutingPolicyRule *rule = NULL;
880 bool adjust_protocol = false;
881 uint16_t type;
882 int r;
883
884 assert(rtnl);
885 assert(message);
886
887 if (sd_netlink_message_is_error(message)) {
888 r = sd_netlink_message_get_errno(message);
889 if (r < 0)
890 log_message_warning_errno(message, r, "rtnl: failed to receive rule message, ignoring");
891
892 return 0;
893 }
894
895 r = sd_netlink_message_get_type(message, &type);
896 if (r < 0) {
897 log_warning_errno(r, "rtnl: could not get message type, ignoring: %m");
898 return 0;
899 } else if (!IN_SET(type, RTM_NEWRULE, RTM_DELRULE)) {
900 log_warning("rtnl: received unexpected message type %u when processing rule, ignoring.", type);
901 return 0;
902 }
903
904 r = routing_policy_rule_new(&tmp);
905 if (r < 0) {
906 log_oom();
907 return 0;
908 }
909
910 r = sd_rtnl_message_get_family(message, &tmp->family);
911 if (r < 0) {
912 log_warning_errno(r, "rtnl: could not get rule family, ignoring: %m");
913 return 0;
914 } else if (!IN_SET(tmp->family, AF_INET, AF_INET6)) {
915 log_debug("rtnl: received rule message with invalid family %d, ignoring.", tmp->family);
916 return 0;
917 }
918
919 r = netlink_message_read_in_addr_union(message, FRA_SRC, tmp->family, &tmp->from);
920 if (r < 0 && r != -ENODATA) {
921 log_warning_errno(r, "rtnl: could not get FRA_SRC attribute, ignoring: %m");
922 return 0;
923 } else if (r >= 0) {
924 r = sd_rtnl_message_routing_policy_rule_get_fib_src_prefixlen(message, &tmp->from_prefixlen);
925 if (r < 0) {
926 log_warning_errno(r, "rtnl: received rule message without valid source prefix length, ignoring: %m");
927 return 0;
928 }
929 }
930
931 r = netlink_message_read_in_addr_union(message, FRA_DST, tmp->family, &tmp->to);
932 if (r < 0 && r != -ENODATA) {
933 log_warning_errno(r, "rtnl: could not get FRA_DST attribute, ignoring: %m");
934 return 0;
935 } else if (r >= 0) {
936 r = sd_rtnl_message_routing_policy_rule_get_fib_dst_prefixlen(message, &tmp->to_prefixlen);
937 if (r < 0) {
938 log_warning_errno(r, "rtnl: received rule message without valid destination prefix length, ignoring: %m");
939 return 0;
940 }
941 }
942
943 unsigned flags;
944 r = sd_rtnl_message_routing_policy_rule_get_flags(message, &flags);
945 if (r < 0) {
946 log_warning_errno(r, "rtnl: received rule message without valid flag, ignoring: %m");
947 return 0;
948 }
949 tmp->invert_rule = flags & FIB_RULE_INVERT;
950
951 r = sd_netlink_message_read_u32(message, FRA_FWMARK, &tmp->fwmark);
952 if (r < 0 && r != -ENODATA) {
953 log_warning_errno(r, "rtnl: could not get FRA_FWMARK attribute, ignoring: %m");
954 return 0;
955 }
956
957 r = sd_netlink_message_read_u32(message, FRA_FWMASK, &tmp->fwmask);
958 if (r < 0 && r != -ENODATA) {
959 log_warning_errno(r, "rtnl: could not get FRA_FWMASK attribute, ignoring: %m");
960 return 0;
961 }
962
963 r = sd_netlink_message_read_u32(message, FRA_PRIORITY, &tmp->priority);
964 if (r < 0 && r != -ENODATA) {
965 log_warning_errno(r, "rtnl: could not get FRA_PRIORITY attribute, ignoring: %m");
966 return 0;
967 }
968 /* The kernel does not send priority if priority is zero. So, the flag below must be always set
969 * even if the message does not contain FRA_PRIORITY. */
970 tmp->priority_set = true;
971
972 r = sd_netlink_message_read_u32(message, FRA_TABLE, &tmp->table);
973 if (r < 0 && r != -ENODATA) {
974 log_warning_errno(r, "rtnl: could not get FRA_TABLE attribute, ignoring: %m");
975 return 0;
976 }
977
978 r = sd_rtnl_message_routing_policy_rule_get_tos(message, &tmp->tos);
979 if (r < 0 && r != -ENODATA) {
980 log_warning_errno(r, "rtnl: could not get FIB rule TOS, ignoring: %m");
981 return 0;
982 }
983
984 r = sd_rtnl_message_routing_policy_rule_get_fib_type(message, &tmp->type);
985 if (r < 0 && r != -ENODATA) {
986 log_warning_errno(r, "rtnl: could not get FIB rule type, ignoring: %m");
987 return 0;
988 }
989
990 r = sd_netlink_message_read_string_strdup(message, FRA_IIFNAME, &tmp->iif);
991 if (r < 0 && r != -ENODATA) {
992 log_warning_errno(r, "rtnl: could not get FRA_IIFNAME attribute, ignoring: %m");
993 return 0;
994 }
995
996 r = sd_netlink_message_read_string_strdup(message, FRA_OIFNAME, &tmp->oif);
997 if (r < 0 && r != -ENODATA) {
998 log_warning_errno(r, "rtnl: could not get FRA_OIFNAME attribute, ignoring: %m");
999 return 0;
1000 }
1001
1002 r = sd_netlink_message_read_u8(message, FRA_IP_PROTO, &tmp->ipproto);
1003 if (r < 0 && r != -ENODATA) {
1004 log_warning_errno(r, "rtnl: could not get FRA_IP_PROTO attribute, ignoring: %m");
1005 return 0;
1006 }
1007
1008 r = sd_netlink_message_read_u8(message, FRA_PROTOCOL, &tmp->protocol);
1009 if (r == -ENODATA)
1010 /* If FRA_PROTOCOL is supported by kernel, then the attribute is always appended.
1011 * When the received message does not have FRA_PROTOCOL, then we need to adjust the
1012 * protocol of the rule later. */
1013 adjust_protocol = true;
1014 else if (r < 0) {
1015 log_warning_errno(r, "rtnl: could not get FRA_PROTOCOL attribute, ignoring: %m");
1016 return 0;
1017 }
1018
1019 r = sd_netlink_message_read_u8(message, FRA_L3MDEV, &tmp->l3mdev);
1020 if (r < 0 && r != -ENODATA) {
1021 log_warning_errno(r, "rtnl: could not get FRA_L3MDEV attribute, ignoring: %m");
1022 return 0;
1023 }
1024
1025 r = sd_netlink_message_read(message, FRA_SPORT_RANGE, sizeof(tmp->sport), &tmp->sport);
1026 if (r < 0 && r != -ENODATA) {
1027 log_warning_errno(r, "rtnl: could not get FRA_SPORT_RANGE attribute, ignoring: %m");
1028 return 0;
1029 }
1030
1031 r = sd_netlink_message_read(message, FRA_DPORT_RANGE, sizeof(tmp->dport), &tmp->dport);
1032 if (r < 0 && r != -ENODATA) {
1033 log_warning_errno(r, "rtnl: could not get FRA_DPORT_RANGE attribute, ignoring: %m");
1034 return 0;
1035 }
1036
1037 r = sd_netlink_message_read(message, FRA_UID_RANGE, sizeof(tmp->uid_range), &tmp->uid_range);
1038 if (r < 0 && r != -ENODATA) {
1039 log_warning_errno(r, "rtnl: could not get FRA_UID_RANGE attribute, ignoring: %m");
1040 return 0;
1041 }
1042
1043 uint32_t suppress_prefixlen;
1044 r = sd_netlink_message_read_u32(message, FRA_SUPPRESS_PREFIXLEN, &suppress_prefixlen);
1045 if (r < 0 && r != -ENODATA) {
1046 log_warning_errno(r, "rtnl: could not get FRA_SUPPRESS_PREFIXLEN attribute, ignoring: %m");
1047 return 0;
1048 }
1049 if (r >= 0)
1050 tmp->suppress_prefixlen = (int32_t) suppress_prefixlen;
1051
1052 uint32_t suppress_ifgroup;
1053 r = sd_netlink_message_read_u32(message, FRA_SUPPRESS_IFGROUP, &suppress_ifgroup);
1054 if (r < 0 && r != -ENODATA) {
1055 log_warning_errno(r, "rtnl: could not get FRA_SUPPRESS_IFGROUP attribute, ignoring: %m");
1056 return 0;
1057 }
1058 if (r >= 0)
1059 tmp->suppress_ifgroup = (int32_t) suppress_ifgroup;
1060
1061 if (adjust_protocol)
1062 /* As .network files does not have setting to specify protocol, we can assume the
1063 * protocol of the received rule is RTPROT_KERNEL or RTPROT_STATIC. */
1064 tmp->protocol = routing_policy_rule_is_created_by_kernel(tmp) ? RTPROT_KERNEL : RTPROT_STATIC;
1065
1066 (void) routing_policy_rule_get(m, tmp, &rule);
1067
1068 switch (type) {
1069 case RTM_NEWRULE:
1070 if (rule) {
1071 routing_policy_rule_enter_configured(rule);
1072 log_routing_policy_rule_debug(rule, "Received remembered", NULL, m);
1073 } else if (!m->manage_foreign_rules) {
1074 routing_policy_rule_enter_configured(tmp);
1075 log_routing_policy_rule_debug(tmp, "Ignoring received", NULL, m);
1076 } else {
1077 routing_policy_rule_enter_configured(tmp);
1078 log_routing_policy_rule_debug(tmp, "Remembering", NULL, m);
1079 r = routing_policy_rule_add(m, tmp);
1080 if (r < 0) {
1081 log_warning_errno(r, "Could not remember foreign rule, ignoring: %m");
1082 return 0;
1083 }
1084 TAKE_PTR(tmp);
1085 }
1086 break;
1087 case RTM_DELRULE:
1088 if (rule) {
1089 routing_policy_rule_enter_removed(rule);
1090 if (rule->state == 0) {
1091 log_routing_policy_rule_debug(rule, "Forgetting", NULL, m);
1092 routing_policy_rule_free(rule);
1093 } else
1094 log_routing_policy_rule_debug(rule, "Removed", NULL, m);
1095 } else
1096 log_routing_policy_rule_debug(tmp, "Kernel removed unknown", NULL, m);
1097 break;
1098
1099 default:
1100 assert_not_reached();
1101 }
1102
1103 return 1;
1104 }
1105
1106 static int parse_fwmark_fwmask(const char *s, uint32_t *ret_fwmark, uint32_t *ret_fwmask) {
1107 _cleanup_free_ char *fwmark_str = NULL;
1108 uint32_t fwmark, fwmask = 0;
1109 const char *slash;
1110 int r;
1111
1112 assert(s);
1113 assert(ret_fwmark);
1114 assert(ret_fwmask);
1115
1116 slash = strchr(s, '/');
1117 if (slash) {
1118 fwmark_str = strndup(s, slash - s);
1119 if (!fwmark_str)
1120 return -ENOMEM;
1121 }
1122
1123 r = safe_atou32(fwmark_str ?: s, &fwmark);
1124 if (r < 0)
1125 return r;
1126
1127 if (fwmark > 0) {
1128 if (slash) {
1129 r = safe_atou32(slash + 1, &fwmask);
1130 if (r < 0)
1131 return r;
1132 } else
1133 fwmask = UINT32_MAX;
1134 }
1135
1136 *ret_fwmark = fwmark;
1137 *ret_fwmask = fwmask;
1138
1139 return 0;
1140 }
1141
1142 int config_parse_routing_policy_rule_tos(
1143 const char *unit,
1144 const char *filename,
1145 unsigned line,
1146 const char *section,
1147 unsigned section_line,
1148 const char *lvalue,
1149 int ltype,
1150 const char *rvalue,
1151 void *data,
1152 void *userdata) {
1153
1154 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1155 Network *network = userdata;
1156 int r;
1157
1158 assert(filename);
1159 assert(section);
1160 assert(lvalue);
1161 assert(rvalue);
1162 assert(data);
1163
1164 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1165 if (r < 0)
1166 return log_oom();
1167
1168 r = safe_atou8(rvalue, &n->tos);
1169 if (r < 0) {
1170 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule TOS, ignoring: %s", rvalue);
1171 return 0;
1172 }
1173
1174 TAKE_PTR(n);
1175 return 0;
1176 }
1177
1178 int config_parse_routing_policy_rule_priority(
1179 const char *unit,
1180 const char *filename,
1181 unsigned line,
1182 const char *section,
1183 unsigned section_line,
1184 const char *lvalue,
1185 int ltype,
1186 const char *rvalue,
1187 void *data,
1188 void *userdata) {
1189
1190 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1191 Network *network = userdata;
1192 int r;
1193
1194 assert(filename);
1195 assert(section);
1196 assert(lvalue);
1197 assert(rvalue);
1198 assert(data);
1199
1200 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1201 if (r < 0)
1202 return log_oom();
1203
1204 if (isempty(rvalue)) {
1205 n->priority = 0;
1206 n->priority_set = false;
1207 TAKE_PTR(n);
1208 return 0;
1209 }
1210
1211 r = safe_atou32(rvalue, &n->priority);
1212 if (r < 0) {
1213 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule priority, ignoring: %s", rvalue);
1214 return 0;
1215 }
1216 n->priority_set = true;
1217
1218 TAKE_PTR(n);
1219 return 0;
1220 }
1221
1222 int config_parse_routing_policy_rule_table(
1223 const char *unit,
1224 const char *filename,
1225 unsigned line,
1226 const char *section,
1227 unsigned section_line,
1228 const char *lvalue,
1229 int ltype,
1230 const char *rvalue,
1231 void *data,
1232 void *userdata) {
1233
1234 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1235 Network *network = userdata;
1236 int r;
1237
1238 assert(filename);
1239 assert(section);
1240 assert(lvalue);
1241 assert(rvalue);
1242 assert(data);
1243
1244 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1245 if (r < 0)
1246 return log_oom();
1247
1248 r = manager_get_route_table_from_string(network->manager, rvalue, &n->table);
1249 if (r < 0) {
1250 log_syntax(unit, LOG_WARNING, filename, line, r,
1251 "Could not parse RPDB rule route table \"%s\", ignoring assignment: %m", rvalue);
1252 return 0;
1253 }
1254
1255 TAKE_PTR(n);
1256 return 0;
1257 }
1258
1259 int config_parse_routing_policy_rule_fwmark_mask(
1260 const char *unit,
1261 const char *filename,
1262 unsigned line,
1263 const char *section,
1264 unsigned section_line,
1265 const char *lvalue,
1266 int ltype,
1267 const char *rvalue,
1268 void *data,
1269 void *userdata) {
1270
1271 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1272 Network *network = userdata;
1273 int r;
1274
1275 assert(filename);
1276 assert(section);
1277 assert(lvalue);
1278 assert(rvalue);
1279 assert(data);
1280
1281 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1282 if (r < 0)
1283 return log_oom();
1284
1285 r = parse_fwmark_fwmask(rvalue, &n->fwmark, &n->fwmask);
1286 if (r < 0) {
1287 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule firewall mark or mask, ignoring: %s", rvalue);
1288 return 0;
1289 }
1290
1291 TAKE_PTR(n);
1292 return 0;
1293 }
1294
1295 int config_parse_routing_policy_rule_prefix(
1296 const char *unit,
1297 const char *filename,
1298 unsigned line,
1299 const char *section,
1300 unsigned section_line,
1301 const char *lvalue,
1302 int ltype,
1303 const char *rvalue,
1304 void *data,
1305 void *userdata) {
1306
1307 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1308 Network *network = userdata;
1309 union in_addr_union *buffer;
1310 uint8_t *prefixlen;
1311 int r;
1312
1313 assert(filename);
1314 assert(section);
1315 assert(lvalue);
1316 assert(rvalue);
1317 assert(data);
1318
1319 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1320 if (r < 0)
1321 return log_oom();
1322
1323 if (streq(lvalue, "To")) {
1324 buffer = &n->to;
1325 prefixlen = &n->to_prefixlen;
1326 } else {
1327 buffer = &n->from;
1328 prefixlen = &n->from_prefixlen;
1329 }
1330
1331 if (n->family == AF_UNSPEC)
1332 r = in_addr_prefix_from_string_auto(rvalue, &n->family, buffer, prefixlen);
1333 else
1334 r = in_addr_prefix_from_string(rvalue, n->family, buffer, prefixlen);
1335 if (r < 0) {
1336 log_syntax(unit, LOG_WARNING, filename, line, r, "RPDB rule prefix is invalid, ignoring assignment: %s", rvalue);
1337 return 0;
1338 }
1339
1340 TAKE_PTR(n);
1341 return 0;
1342 }
1343
1344 int config_parse_routing_policy_rule_device(
1345 const char *unit,
1346 const char *filename,
1347 unsigned line,
1348 const char *section,
1349 unsigned section_line,
1350 const char *lvalue,
1351 int ltype,
1352 const char *rvalue,
1353 void *data,
1354 void *userdata) {
1355
1356 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1357 Network *network = userdata;
1358 int r;
1359
1360 assert(filename);
1361 assert(section);
1362 assert(lvalue);
1363 assert(rvalue);
1364 assert(data);
1365
1366 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1367 if (r < 0)
1368 return log_oom();
1369
1370 if (!ifname_valid(rvalue)) {
1371 log_syntax(unit, LOG_WARNING, filename, line, 0,
1372 "Invalid interface name '%s' in %s=, ignoring assignment.", rvalue, lvalue);
1373 return 0;
1374 }
1375
1376 r = free_and_strdup(streq(lvalue, "IncomingInterface") ? &n->iif : &n->oif, rvalue);
1377 if (r < 0)
1378 return log_oom();
1379
1380 TAKE_PTR(n);
1381 return 0;
1382 }
1383
1384 int config_parse_routing_policy_rule_port_range(
1385 const char *unit,
1386 const char *filename,
1387 unsigned line,
1388 const char *section,
1389 unsigned section_line,
1390 const char *lvalue,
1391 int ltype,
1392 const char *rvalue,
1393 void *data,
1394 void *userdata) {
1395
1396 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1397 Network *network = userdata;
1398 uint16_t low, high;
1399 int r;
1400
1401 assert(filename);
1402 assert(section);
1403 assert(lvalue);
1404 assert(rvalue);
1405 assert(data);
1406
1407 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1408 if (r < 0)
1409 return log_oom();
1410
1411 r = parse_ip_port_range(rvalue, &low, &high, /* allow_zero = */ false);
1412 if (r < 0) {
1413 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse routing policy rule port range '%s'", rvalue);
1414 return 0;
1415 }
1416
1417 if (streq(lvalue, "SourcePort")) {
1418 n->sport.start = low;
1419 n->sport.end = high;
1420 } else {
1421 n->dport.start = low;
1422 n->dport.end = high;
1423 }
1424
1425 TAKE_PTR(n);
1426 return 0;
1427 }
1428
1429 int config_parse_routing_policy_rule_ip_protocol(
1430 const char *unit,
1431 const char *filename,
1432 unsigned line,
1433 const char *section,
1434 unsigned section_line,
1435 const char *lvalue,
1436 int ltype,
1437 const char *rvalue,
1438 void *data,
1439 void *userdata) {
1440
1441 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1442 Network *network = userdata;
1443 int r;
1444
1445 assert(filename);
1446 assert(section);
1447 assert(lvalue);
1448 assert(rvalue);
1449 assert(data);
1450
1451 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1452 if (r < 0)
1453 return log_oom();
1454
1455 r = parse_ip_protocol(rvalue);
1456 if (r < 0) {
1457 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse IP protocol '%s' for routing policy rule, ignoring: %m", rvalue);
1458 return 0;
1459 }
1460
1461 n->ipproto = r;
1462
1463 TAKE_PTR(n);
1464 return 0;
1465 }
1466
1467 int config_parse_routing_policy_rule_invert(
1468 const char *unit,
1469 const char *filename,
1470 unsigned line,
1471 const char *section,
1472 unsigned section_line,
1473 const char *lvalue,
1474 int ltype,
1475 const char *rvalue,
1476 void *data,
1477 void *userdata) {
1478
1479 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1480 Network *network = userdata;
1481 int r;
1482
1483 assert(filename);
1484 assert(section);
1485 assert(lvalue);
1486 assert(rvalue);
1487 assert(data);
1488
1489 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1490 if (r < 0)
1491 return log_oom();
1492
1493 r = parse_boolean(rvalue);
1494 if (r < 0) {
1495 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule invert, ignoring: %s", rvalue);
1496 return 0;
1497 }
1498
1499 n->invert_rule = r;
1500
1501 TAKE_PTR(n);
1502 return 0;
1503 }
1504
1505 int config_parse_routing_policy_rule_family(
1506 const char *unit,
1507 const char *filename,
1508 unsigned line,
1509 const char *section,
1510 unsigned section_line,
1511 const char *lvalue,
1512 int ltype,
1513 const char *rvalue,
1514 void *data,
1515 void *userdata) {
1516
1517 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1518 Network *network = userdata;
1519 AddressFamily a;
1520 int r;
1521
1522 assert(filename);
1523 assert(section);
1524 assert(lvalue);
1525 assert(rvalue);
1526 assert(data);
1527
1528 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1529 if (r < 0)
1530 return log_oom();
1531
1532 a = routing_policy_rule_address_family_from_string(rvalue);
1533 if (a < 0) {
1534 log_syntax(unit, LOG_WARNING, filename, line, a,
1535 "Invalid address family '%s', ignoring.", rvalue);
1536 return 0;
1537 }
1538
1539 n->address_family = a;
1540
1541 TAKE_PTR(n);
1542 return 0;
1543 }
1544
1545 int config_parse_routing_policy_rule_uid_range(
1546 const char *unit,
1547 const char *filename,
1548 unsigned line,
1549 const char *section,
1550 unsigned section_line,
1551 const char *lvalue,
1552 int ltype,
1553 const char *rvalue,
1554 void *data,
1555 void *userdata) {
1556
1557 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1558 Network *network = userdata;
1559 uid_t start, end;
1560 int r;
1561
1562 assert(filename);
1563 assert(section);
1564 assert(lvalue);
1565 assert(rvalue);
1566 assert(data);
1567
1568 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1569 if (r < 0)
1570 return log_oom();
1571
1572 r = get_user_creds(&rvalue, &start, NULL, NULL, NULL, 0);
1573 if (r >= 0)
1574 end = start;
1575 else {
1576 r = parse_uid_range(rvalue, &start, &end);
1577 if (r < 0) {
1578 log_syntax(unit, LOG_WARNING, filename, line, r,
1579 "Invalid uid or uid range '%s', ignoring: %m", rvalue);
1580 return 0;
1581 }
1582 }
1583
1584 n->uid_range.start = start;
1585 n->uid_range.end = end;
1586
1587 TAKE_PTR(n);
1588 return 0;
1589 }
1590
1591 int config_parse_routing_policy_rule_suppress_prefixlen(
1592 const char *unit,
1593 const char *filename,
1594 unsigned line,
1595 const char *section,
1596 unsigned section_line,
1597 const char *lvalue,
1598 int ltype,
1599 const char *rvalue,
1600 void *data,
1601 void *userdata) {
1602
1603 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1604 Network *network = userdata;
1605 int r;
1606
1607 assert(filename);
1608 assert(section);
1609 assert(lvalue);
1610 assert(rvalue);
1611 assert(data);
1612
1613 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1614 if (r < 0)
1615 return log_oom();
1616
1617 r = parse_ip_prefix_length(rvalue, &n->suppress_prefixlen);
1618 if (r == -ERANGE) {
1619 log_syntax(unit, LOG_WARNING, filename, line, r, "Prefix length outside of valid range 0-128, ignoring: %s", rvalue);
1620 return 0;
1621 }
1622 if (r < 0) {
1623 log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule suppress_prefixlen, ignoring: %s", rvalue);
1624 return 0;
1625 }
1626
1627 TAKE_PTR(n);
1628 return 0;
1629 }
1630
1631 int config_parse_routing_policy_rule_suppress_ifgroup(
1632 const char *unit,
1633 const char *filename,
1634 unsigned line,
1635 const char *section,
1636 unsigned section_line,
1637 const char *lvalue,
1638 int ltype,
1639 const char *rvalue,
1640 void *data,
1641 void *userdata) {
1642
1643 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1644 Network *network = userdata;
1645 int32_t suppress_ifgroup;
1646 int r;
1647
1648 assert(filename);
1649 assert(section);
1650 assert(lvalue);
1651 assert(rvalue);
1652 assert(data);
1653
1654 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1655 if (r < 0)
1656 return log_oom();
1657
1658 if (isempty(rvalue)) {
1659 n->suppress_ifgroup = -1;
1660 return 0;
1661 }
1662
1663 r = safe_atoi32(rvalue, &suppress_ifgroup);
1664 if (r < 0) {
1665 log_syntax(unit, LOG_WARNING, filename, line, r,
1666 "Failed to parse SuppressInterfaceGroup=, ignoring assignment: %s", rvalue);
1667 return 0;
1668 }
1669 if (suppress_ifgroup < 0) {
1670 log_syntax(unit, LOG_WARNING, filename, line, 0,
1671 "Value of SuppressInterfaceGroup= must be in the range 0…2147483647, ignoring assignment: %s", rvalue);
1672 return 0;
1673 }
1674 n->suppress_ifgroup = suppress_ifgroup;
1675 TAKE_PTR(n);
1676 return 0;
1677 }
1678
1679 int config_parse_routing_policy_rule_type(
1680 const char *unit,
1681 const char *filename,
1682 unsigned line,
1683 const char *section,
1684 unsigned section_line,
1685 const char *lvalue,
1686 int ltype,
1687 const char *rvalue,
1688 void *data,
1689 void *userdata) {
1690
1691 _cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
1692 Network *network = userdata;
1693 int r, t;
1694
1695 assert(filename);
1696 assert(section);
1697 assert(lvalue);
1698 assert(rvalue);
1699 assert(data);
1700
1701 r = routing_policy_rule_new_static(network, filename, section_line, &n);
1702 if (r < 0)
1703 return log_oom();
1704
1705 t = fr_act_type_from_string(rvalue);
1706 if (t < 0) {
1707 log_syntax(unit, LOG_WARNING, filename, line, t,
1708 "Could not parse FIB rule type \"%s\", ignoring assignment: %m", rvalue);
1709 return 0;
1710 }
1711
1712 n->type = (uint8_t) t;
1713
1714 TAKE_PTR(n);
1715 return 0;
1716 }
1717
1718 static int routing_policy_rule_section_verify(RoutingPolicyRule *rule) {
1719 if (section_is_invalid(rule->section))
1720 return -EINVAL;
1721
1722 if ((rule->family == AF_INET && FLAGS_SET(rule->address_family, ADDRESS_FAMILY_IPV6)) ||
1723 (rule->family == AF_INET6 && FLAGS_SET(rule->address_family, ADDRESS_FAMILY_IPV4)))
1724 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1725 "%s: address family specified by Family= conflicts with the address "
1726 "specified by To= or From=. Ignoring [RoutingPolicyRule] section from line %u.",
1727 rule->section->filename, rule->section->line);
1728
1729 if (rule->family == AF_UNSPEC) {
1730 if (IN_SET(rule->address_family, ADDRESS_FAMILY_IPV4, ADDRESS_FAMILY_NO))
1731 rule->family = AF_INET;
1732 else if (rule->address_family == ADDRESS_FAMILY_IPV6)
1733 rule->family = AF_INET6;
1734 /* rule->family can be AF_UNSPEC only when Family=both. */
1735 }
1736
1737 /* Currently, [RoutingPolicyRule] does not have a setting to set FRA_L3MDEV flag. Please also
1738 * update routing_policy_rule_is_created_by_kernel() when a new setting which sets the flag is
1739 * added in the future. */
1740 if (rule->l3mdev > 0)
1741 assert_not_reached();
1742
1743 return 0;
1744 }
1745
1746 void network_drop_invalid_routing_policy_rules(Network *network) {
1747 RoutingPolicyRule *rule;
1748
1749 assert(network);
1750
1751 HASHMAP_FOREACH(rule, network->rules_by_section)
1752 if (routing_policy_rule_section_verify(rule) < 0)
1753 routing_policy_rule_free(rule);
1754 }
Unnamed repository; edit this file 'description' to name the repository.