1 /* 2 * netifd - network interface daemon 3 * Copyright (C) 2012 Felix Fietkau <nbd@openwrt.org> 4 * Copyright (C) 2013 Jo-Philipp Wich <jow@openwrt.org> 5 * Copyright (C) 2018 Alexander Couzens <lynxis@fe80.eu> 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License version 2 9 * as published by the Free Software Foundation 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 */ 16 #include <string.h> 17 #include <stdlib.h> 18 #include <stdio.h> 19 20 #include <arpa/inet.h> 21 22 #include "netifd.h" 23 #include "device.h" 24 #include "interface.h" 25 #include "iprule.h" 26 #include "proto.h" 27 #include "ubus.h" 28 #include "system.h" 29 30 struct vlist_tree iprules; 31 static bool iprules_flushed = false; 32 static unsigned int iprules_counter[2]; 33 34 enum { 35 RULE_INTERFACE_IN, 36 RULE_INTERFACE_OUT, 37 RULE_INVERT, 38 RULE_SRC, 39 RULE_DEST, 40 RULE_PRIORITY, 41 RULE_TOS, 42 RULE_FWMARK, 43 RULE_LOOKUP, 44 RULE_ACTION, 45 RULE_GOTO, 46 RULE_SUP_PREFIXLEN, 47 RULE_UIDRANGE, 48 RULE_IPPROTO, 49 RULE_SPORT, 50 RULE_DPORT, 51 RULE_DISABLED, 52 __RULE_MAX 53 }; 54 55 static const struct blobmsg_policy rule_attr[__RULE_MAX] = { 56 [RULE_INTERFACE_IN] = { .name = "in", .type = BLOBMSG_TYPE_STRING }, 57 [RULE_INTERFACE_OUT] = { .name = "out", .type = BLOBMSG_TYPE_STRING }, 58 [RULE_INVERT] = { .name = "invert", .type = BLOBMSG_TYPE_BOOL }, 59 [RULE_SRC] = { .name = "src", .type = BLOBMSG_TYPE_STRING }, 60 [RULE_DEST] = { .name = "dest", .type = BLOBMSG_TYPE_STRING }, 61 [RULE_PRIORITY] = { .name = "priority", .type = BLOBMSG_TYPE_INT32 }, 62 [RULE_TOS] = { .name = "tos", .type = BLOBMSG_TYPE_INT32 }, 63 [RULE_FWMARK] = { .name = "mark", .type = BLOBMSG_TYPE_STRING }, 64 [RULE_LOOKUP] = { .name = "lookup", .type = BLOBMSG_TYPE_STRING }, 65 [RULE_SUP_PREFIXLEN] = { .name = "suppress_prefixlength", .type = BLOBMSG_TYPE_INT32 }, 66 [RULE_UIDRANGE] = { .name = "uidrange", .type = BLOBMSG_TYPE_STRING }, 67 [RULE_ACTION] = { .name = "action", .type = BLOBMSG_TYPE_STRING }, 68 [RULE_GOTO] = { .name = "goto", .type = BLOBMSG_TYPE_INT32 }, 69 [RULE_IPPROTO] = { .name = "ipproto", .type = BLOBMSG_TYPE_STRING }, 70 [RULE_SPORT] = { .name = "sport", .type = BLOBMSG_TYPE_STRING }, 71 [RULE_DPORT] = { .name = "dport", .type = BLOBMSG_TYPE_STRING }, 72 [RULE_DISABLED] = { .name = "disabled", .type = BLOBMSG_TYPE_BOOL }, 73 }; 74 75 const struct uci_blob_param_list rule_attr_list = { 76 .n_params = __RULE_MAX, 77 .params = rule_attr, 78 }; 79 80 /* interface based rules are dynamic. */ 81 static bool 82 rule_ready(struct iprule *rule) 83 { 84 if (rule->flags & IPRULE_OUT && !rule->out_dev[0]) 85 return false; 86 87 if (rule->flags & IPRULE_IN && !rule->in_dev[0]) 88 return false; 89 90 return true; 91 } 92 93 static bool 94 iprule_parse_mark(const char *mark, struct iprule *rule) 95 { 96 char *s, *e; 97 unsigned int n; 98 99 if ((s = strchr(mark, '/')) != NULL) 100 *s++ = 0; 101 102 n = strtoul(mark, &e, 0); 103 104 if (e == mark || *e) 105 return false; 106 107 rule->fwmark = n; 108 rule->flags |= IPRULE_FWMARK; 109 110 if (s) { 111 n = strtoul(s, &e, 0); 112 113 if (e == s || *e) 114 return false; 115 116 rule->fwmask = n; 117 rule->flags |= IPRULE_FWMASK; 118 } 119 120 return true; 121 } 122 123 /* called on interface changes of the incoming interface */ 124 static void 125 rule_in_cb(struct interface_user *dep, struct interface *iface, enum interface_event ev) 126 { 127 struct iprule *rule = container_of(dep, struct iprule, in_iface_user); 128 129 switch (ev) { 130 case IFEV_UP: 131 if (!iface->l3_dev.dev) 132 break; 133 134 strcpy(rule->in_dev, iface->l3_dev.dev->ifname); 135 if (rule_ready(rule)) 136 system_add_iprule(rule); 137 break; 138 case IFEV_DOWN: 139 case IFEV_UP_FAILED: 140 case IFEV_FREE: 141 if (rule_ready(rule)) 142 system_del_iprule(rule); 143 144 rule->in_dev[0] = 0; 145 break; 146 default: 147 break; 148 } 149 } 150 151 /* called on interface changes of the outgoing interface */ 152 static void 153 rule_out_cb(struct interface_user *dep, struct interface *iface, enum interface_event ev) 154 { 155 struct iprule *rule = container_of(dep, struct iprule, out_iface_user); 156 157 switch (ev) { 158 case IFEV_UP: 159 if (!iface->l3_dev.dev) 160 break; 161 162 strcpy(rule->out_dev, iface->l3_dev.dev->ifname); 163 if (rule_ready(rule)) 164 system_add_iprule(rule); 165 break; 166 case IFEV_DOWN: 167 case IFEV_UP_FAILED: 168 case IFEV_FREE: 169 if (rule_ready(rule)) 170 system_del_iprule(rule); 171 172 rule->out_dev[0] = 0; 173 break; 174 default: 175 break; 176 } 177 } 178 179 /* called on all interface events */ 180 static void 181 generic_interface_cb(struct interface_user *dep, 182 struct interface *iface, enum interface_event ev) 183 { 184 struct iprule *rule; 185 186 if (ev != IFEV_CREATE) 187 return; 188 189 /* add new interfaces to rules */ 190 vlist_for_each_element(&iprules, rule, node) { 191 if (rule_ready(rule)) 192 continue; 193 194 if ((rule->flags & IPRULE_OUT) && !strcmp(rule->out_iface, iface->name)) 195 interface_add_user(&rule->out_iface_user, iface); 196 197 if ((rule->flags & IPRULE_IN) && !strcmp(rule->in_iface, iface->name)) 198 interface_add_user(&rule->in_iface_user, iface); 199 } 200 } 201 202 struct interface_user generic_listener = { 203 .cb = generic_interface_cb 204 }; 205 206 void 207 iprule_add(struct blob_attr *attr, bool v6) 208 { 209 struct blob_attr *tb[__RULE_MAX], *cur; 210 struct iprule *rule; 211 char *iface_name; 212 int af = v6 ? AF_INET6 : AF_INET; 213 214 blobmsg_parse(rule_attr, __RULE_MAX, tb, blobmsg_data(attr), blobmsg_data_len(attr)); 215 216 if ((cur = tb[RULE_DISABLED]) != NULL && blobmsg_get_bool(cur)) 217 return; 218 219 rule = calloc(1, sizeof(*rule)); 220 if (!rule) 221 return; 222 223 rule->flags = v6 ? IPRULE_INET6 : IPRULE_INET4; 224 rule->order = iprules_counter[rule->flags]++; 225 226 if ((cur = tb[RULE_INVERT]) != NULL) 227 rule->invert = blobmsg_get_bool(cur); 228 229 if ((cur = tb[RULE_INTERFACE_IN]) != NULL) { 230 iface_name = calloc(1, strlen(blobmsg_data(cur)) + 1); 231 rule->in_iface = strcpy(iface_name, blobmsg_data(cur)); 232 rule->in_iface_user.cb = &rule_in_cb; 233 rule->flags |= IPRULE_IN; 234 } 235 236 if ((cur = tb[RULE_INTERFACE_OUT]) != NULL) { 237 iface_name = calloc(1, strlen(blobmsg_data(cur)) + 1); 238 rule->out_iface = strcpy(iface_name, blobmsg_data(cur)); 239 rule->out_iface_user.cb = &rule_out_cb; 240 rule->flags |= IPRULE_OUT; 241 } 242 243 if ((cur = tb[RULE_SRC]) != NULL) { 244 if (!parse_ip_and_netmask(af, blobmsg_data(cur), &rule->src_addr, &rule->src_mask)) { 245 D(INTERFACE, "Failed to parse rule source: %s", (char *) blobmsg_data(cur)); 246 goto error; 247 } 248 rule->flags |= IPRULE_SRC; 249 } 250 251 if ((cur = tb[RULE_DEST]) != NULL) { 252 if (!parse_ip_and_netmask(af, blobmsg_data(cur), &rule->dest_addr, &rule->dest_mask)) { 253 D(INTERFACE, "Failed to parse rule destination: %s", (char *) blobmsg_data(cur)); 254 goto error; 255 } 256 rule->flags |= IPRULE_DEST; 257 } 258 259 if ((cur = tb[RULE_PRIORITY]) != NULL) { 260 rule->priority = blobmsg_get_u32(cur); 261 rule->flags |= IPRULE_PRIORITY; 262 } 263 264 if ((cur = tb[RULE_TOS]) != NULL) { 265 if ((rule->tos = blobmsg_get_u32(cur)) > 255) { 266 D(INTERFACE, "Invalid TOS value: %u", blobmsg_get_u32(cur)); 267 goto error; 268 } 269 rule->flags |= IPRULE_TOS; 270 } 271 272 if ((cur = tb[RULE_FWMARK]) != NULL) { 273 if (!iprule_parse_mark(blobmsg_data(cur), rule)) { 274 D(INTERFACE, "Failed to parse rule fwmark: %s", (char *) blobmsg_data(cur)); 275 goto error; 276 } 277 /* flags set by iprule_parse_mark() */ 278 } 279 280 if ((cur = tb[RULE_LOOKUP]) != NULL) { 281 if (!system_resolve_rt_table(blobmsg_data(cur), &rule->lookup)) { 282 D(INTERFACE, "Failed to parse rule lookup table: %s", (char *) blobmsg_data(cur)); 283 goto error; 284 } 285 rule->flags |= IPRULE_LOOKUP; 286 } 287 288 if ((cur = tb[RULE_SUP_PREFIXLEN]) != NULL) { 289 rule->sup_prefixlen = blobmsg_get_u32(cur); 290 rule->flags |= IPRULE_SUP_PREFIXLEN; 291 } 292 293 if ((cur = tb[RULE_UIDRANGE]) != NULL) { 294 int ret = sscanf(blobmsg_get_string(cur), "%u-%u", &rule->uidrange_start, &rule->uidrange_end); 295 296 if (ret == 1) 297 rule->uidrange_end = rule->uidrange_start; 298 else if (ret != 2) { 299 D(INTERFACE, "Failed to parse UID range: %s", (char *) blobmsg_data(cur)); 300 goto error; 301 } 302 rule->flags |= IPRULE_UIDRANGE; 303 } 304 305 if ((cur = tb[RULE_ACTION]) != NULL) { 306 if (!system_resolve_iprule_action(blobmsg_data(cur), &rule->action)) { 307 D(INTERFACE, "Failed to parse rule action: %s", (char *) blobmsg_data(cur)); 308 goto error; 309 } 310 rule->flags |= IPRULE_ACTION; 311 } 312 313 if ((cur = tb[RULE_GOTO]) != NULL) { 314 rule->gotoid = blobmsg_get_u32(cur); 315 rule->flags |= IPRULE_GOTO; 316 } 317 318 if ((cur = tb[RULE_IPPROTO]) != NULL) { 319 if (!system_resolve_iprule_ipproto(blobmsg_data(cur), &rule->ipproto)) { 320 D(INTERFACE, "Failed to parse rule ip protocol: %s", (char *) blobmsg_data(cur)); 321 goto error; 322 } 323 rule->flags |= IPRULE_IPPROTO; 324 } 325 326 if ((cur = tb[RULE_SPORT]) != NULL) { 327 int ret = sscanf(blobmsg_get_string(cur), "%u-%u", &rule->sport_start, &rule->sport_end); 328 329 if (ret == 1) 330 rule->sport_end = rule->sport_start; 331 else if (ret != 2) { 332 D(INTERFACE, "Failed to parse sport range: %s", (char *) blobmsg_data(cur)); 333 goto error; 334 } 335 rule->flags |= IPRULE_SPORT; 336 } 337 338 if ((cur = tb[RULE_DPORT]) != NULL) { 339 int ret = sscanf(blobmsg_get_string(cur), "%u-%u", &rule->dport_start, &rule->dport_end); 340 341 if (ret == 1) 342 rule->dport_end = rule->dport_start; 343 else if (ret != 2) { 344 D(INTERFACE, "Failed to parse dport range: %s", (char *) blobmsg_data(cur)); 345 goto error; 346 } 347 rule->flags |= IPRULE_DPORT; 348 } 349 350 vlist_add(&iprules, &rule->node, rule); 351 return; 352 353 error: 354 free(rule); 355 } 356 357 void 358 iprule_update_start(void) 359 { 360 if (!iprules_flushed) { 361 system_flush_iprules(); 362 iprules_flushed = true; 363 } 364 365 iprules_counter[0] = 1; 366 iprules_counter[1] = 1; 367 vlist_update(&iprules); 368 } 369 370 void 371 iprule_update_complete(void) 372 { 373 vlist_flush(&iprules); 374 } 375 376 377 static int 378 rule_cmp(const void *k1, const void *k2, void *ptr) 379 { 380 const struct iprule *r1 = k1, *r2 = k2; 381 int ret; 382 383 /* First compare the interface names */ 384 if (r1->flags & IPRULE_IN || r2->flags & IPRULE_IN) { 385 char *str1 = r1->flags & IPRULE_IN ? r1->in_iface : ""; 386 char *str2 = r2->flags & IPRULE_IN ? r2->in_iface : ""; 387 388 ret = strcmp(str1, str2); 389 if (ret) 390 return ret; 391 } 392 393 if (r1->flags & IPRULE_OUT || r2->flags & IPRULE_OUT) { 394 char *str1 = r1->flags & IPRULE_OUT ? r1->out_iface : ""; 395 char *str2 = r2->flags & IPRULE_OUT ? r2->out_iface : ""; 396 397 ret = strcmp(str1, str2); 398 if (ret) 399 return ret; 400 } 401 402 /* Next compare everything after the flags field */ 403 return memcmp(k1 + offsetof(struct iprule, flags), 404 k2 + offsetof(struct iprule, flags), 405 sizeof(struct iprule) - offsetof(struct iprule, flags)); 406 } 407 408 static void deregister_interfaces(struct iprule *rule) 409 { 410 if (rule->flags & IPRULE_IN && rule->in_iface_user.iface) 411 interface_remove_user(&rule->in_iface_user); 412 413 if (rule->flags & IPRULE_OUT && rule->out_iface_user.iface) 414 interface_remove_user(&rule->out_iface_user); 415 } 416 417 static void register_interfaces(struct iprule *rule) 418 { 419 struct interface *iface, *tmp; 420 421 if (rule->flags & IPRULE_IN) { 422 tmp = vlist_find(&interfaces, rule->in_iface, iface, node); 423 if (tmp) 424 interface_add_user(&rule->in_iface_user, tmp); 425 } 426 if (rule->flags & IPRULE_OUT) { 427 tmp = vlist_find(&interfaces, rule->out_iface, iface, node); 428 if (tmp) 429 interface_add_user(&rule->out_iface_user, tmp); 430 } 431 } 432 433 static void 434 iprule_update_rule(struct vlist_tree *tree, 435 struct vlist_node *node_new, struct vlist_node *node_old) 436 { 437 struct iprule *rule_old, *rule_new; 438 439 rule_old = container_of(node_old, struct iprule, node); 440 rule_new = container_of(node_new, struct iprule, node); 441 442 if (node_old) { 443 if (rule_ready(rule_old)) 444 system_del_iprule(rule_old); 445 446 if (rule_old->flags & (IPRULE_IN | IPRULE_OUT)) 447 deregister_interfaces(rule_old); 448 449 if (rule_old->in_iface) 450 free(rule_old->in_iface); 451 452 if (rule_old->out_iface) 453 free(rule_old->out_iface); 454 455 free(rule_old); 456 } 457 458 if (node_new) { 459 /* interface based rules calls system_add_iprule over the event cb */ 460 if (rule_new->flags & (IPRULE_IN | IPRULE_OUT)) { 461 register_interfaces(rule_new); 462 } else { 463 system_add_iprule(rule_new); 464 } 465 } 466 } 467 468 static void __init 469 iprule_init_list(void) 470 { 471 vlist_init(&iprules, rule_cmp, iprule_update_rule); 472 interface_add_user(&generic_listener, NULL); 473 } 474
This page was automatically generated by LXR 0.3.1. • OpenWrt