iprule: support for ip_proto, sport and dport match options

add support to match on ip_proto, sport and dport ranges.
For ip_proto, this patch currently enumerates, tcp, udp and sctp.
This list can be extended in the future.

example:
$ip rule add sport 666-777 dport 999 ip_proto tcp table 100
$ip rule show
0:      from all lookup local
32765:  from all ip_proto 6 sport 666-777 dport 999 lookup 100
32766:  from all lookup main
32767:  from all lookup default

Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Signed-off-by: David Ahern <dsahern@gmail.com>

diff --git a/ip/iprule.c b/ip/iprule.c
index a49753e640d95691619e2e09ba5efe4f6b774d20..8b9421431c26adc77d8bd32dd3e6970095f4f76d 100644 (file)
--- a/ip/iprule.c
+++ b/ip/iprule.c
@@ -47,6 +47,9 @@ static void usage(void)
                "SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ]\n"
                "            [ iif STRING ] [ oif STRING ] [ pref NUMBER ] [ l3mdev ]\n"
                "            [ uidrange NUMBER-NUMBER ]\n"
+               "            [ ipproto PROTOCOL ]\n"
+               "            [ sport [ NUMBER | NUMBER-NUMBER ]\n"
+               "            [ dport [ NUMBER | NUMBER-NUMBER ] ]\n"
                "ACTION := [ table TABLE_ID ]\n"
                "          [ protocol PROTO ]\n"
                "          [ nat ADDRESS ]\n"
@@ -306,6 +309,37 @@ int print_rule(const struct sockaddr_nl *who, struct nlmsghdr *n, void *arg)
                print_uint(PRINT_ANY, "uid_end", "-%u ", r->end);
        }
 
+       if (tb[FRA_IP_PROTO]) {
+               SPRINT_BUF(pbuf);
+               print_string(PRINT_ANY, "ipproto", "ipproto %s ",
+                            inet_proto_n2a(rta_getattr_u8(tb[FRA_IP_PROTO]),
+                                           pbuf, sizeof(pbuf)));
+       }
+
+       if (tb[FRA_SPORT_RANGE]) {
+               struct fib_rule_port_range *r = RTA_DATA(tb[FRA_SPORT_RANGE]);
+
+               if (r->start == r->end) {
+                       print_uint(PRINT_ANY, "sport", "sport %u ", r->start);
+               } else {
+                       print_uint(PRINT_ANY, "sport_start", "sport %u",
+                                  r->start);
+                       print_uint(PRINT_ANY, "sport_end", "-%u ", r->end);
+               }
+       }
+
+       if (tb[FRA_DPORT_RANGE]) {
+               struct fib_rule_port_range *r = RTA_DATA(tb[FRA_DPORT_RANGE]);
+
+               if (r->start == r->end) {
+                       print_uint(PRINT_ANY, "dport", "dport %u ", r->start);
+               } else {
+                       print_uint(PRINT_ANY, "dport_start", "dport %u",
+                                  r->start);
+                       print_uint(PRINT_ANY, "dport_end", "-%u ", r->end);
+               }
+       }
+
        table = frh_get_table(frh, tb);
        if (table) {
                print_string(PRINT_ANY, "table",
@@ -802,6 +836,39 @@ static int iprule_modify(int cmd, int argc, char **argv)
                        addattr32(&req.n, sizeof(req), RTA_GATEWAY,
                                  get_addr32(*argv));
                        req.frh.action = RTN_NAT;
+               } else if (strcmp(*argv, "ipproto") == 0) {
+                       int ipproto;
+
+                       NEXT_ARG();
+                       ipproto = inet_proto_a2n(*argv);
+                       if (ipproto < 0)
+                               invarg("Invalid \"ipproto\" value\n",
+                                      *argv);
+                       addattr8(&req.n, sizeof(req), FRA_IP_PROTO, ipproto);
+               } else if (strcmp(*argv, "sport") == 0) {
+                       struct fib_rule_port_range r;
+                       int ret = 0;
+
+                       NEXT_ARG();
+                       ret = sscanf(*argv, "%hu-%hu", &r.start, &r.end);
+                       if (ret == 1)
+                               r.end = r.start;
+                       else if (ret != 2)
+                               invarg("invalid port range\n", *argv);
+                       addattr_l(&req.n, sizeof(req), FRA_SPORT_RANGE, &r,
+                                 sizeof(r));
+               } else if (strcmp(*argv, "dport") == 0) {
+                       struct fib_rule_port_range r;
+                       int ret = 0;
+
+                       NEXT_ARG();
+                       ret = sscanf(*argv, "%hu-%hu", &r.start, &r.end);
+                       if (ret == 1)
+                               r.end = r.start;
+                       else if (ret != 2)
+                               invarg("invalid dport range\n", *argv);
+                       addattr_l(&req.n, sizeof(req), FRA_DPORT_RANGE, &r,
+                                 sizeof(r));
                } else {
                        int type;
 

diff --git a/man/man8/ip-rule.8 b/man/man8/ip-rule.8
index 7cf8fd9a412f21bd8358b50526ec0da1da78e948..1455a49a5ea573fb8c623fe387524bcd6e256928 100644 (file)
--- a/man/man8/ip-rule.8
+++ b/man/man8/ip-rule.8
@@ -44,7 +44,19 @@ ip-rule \- routing policy database management
 .IR STRING " ] [ "
 .B  pref
 .IR NUMBER " ] [ "
-.BR l3mdev " ]"
+.IR l3mdev " ] [ "
+.B uidrange
+.IR NUMBER "-" NUMBER " ] [ "
+.B ipproto
+.IR PROTOCOL " ] [ "
+.BR sport " [ "
+.IR NUMBER " | "
+.IR NUMBER "-" NUMBER " ] ] [ "
+.BR dport " [ "
+.IR NUMBER " | "
+.IR NUMBER "-" NUMBER " ] ]"
+.BR
+
 
 .ti -8
 .IR ACTION " := [ "
@@ -226,6 +238,24 @@ select the
 .B fwmark
 value to match.
 
+.TP
+.BI uidrange " NUMBER-NUMBER"
+select the
+.B uid
+value to match.
+
+.TP
+.BI ipproto " PROTOCOL"
+select the ip protocol value to match.
+
+.TP
+.BI sport " NUMBER | NUMBER-NUMBER"
+select the source port value to match. supports port range.
+
+.TP
+.BI dport " NUMBER | NUMBER-NUMBER"
+select the destination port value to match. supports port range.
+
 .TP
 .BI priority " PREFERENCE"
 the priority of this rule.