1 // SPDX-License-Identifier: GPL-2.0-or-later
58 return -ENOMEM;
64 hlist_add_head_rcu(&local_table->tb_hlist,
65 &net->ipv4.fib_table_hash[TABLE_LOCAL_INDEX]);
66 hlist_add_head_rcu(&main_table->tb_hlist,
67 &net->ipv4.fib_table_hash[TABLE_MAIN_INDEX]);
72 return -ENOMEM;
87 if (id == RT_TABLE_LOCAL && !net->ipv4.fib_has_custom_rules)
96 rcu_assign_pointer(net->ipv4.fib_main, tb);
99 rcu_assign_pointer(net->ipv4.fib_default, tb);
105 h = id & (FIB_TABLE_HASHSZ - 1);
106 hlist_add_head_rcu(&tb->tb_hlist, &net->ipv4.fib_table_hash[h]);
120 h = id & (FIB_TABLE_HASHSZ - 1);
122 head = &net->ipv4.fib_table_hash[h];
125 if (tb->tb_id == id)
136 switch (new->tb_id) {
138 rcu_assign_pointer(net->ipv4.fib_main, new);
141 rcu_assign_pointer(net->ipv4.fib_default, new);
149 hlist_replace_rcu(&old->tb_hlist, &new->tb_hlist);
163 return -ENOMEM;
190 struct hlist_head *head = &net->ipv4.fib_table_hash[h];
228 if (!dev || dev == nhc->nhc_dev)
273 struct net_device *dev = skb->dev;
281 if ((rt->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST | RTCF_LOCAL)) ==
283 return ip_hdr(skb)->daddr;
290 if (!ipv4_is_zeronet(ip_hdr(skb)->saddr)) {
295 .daddr = ip_hdr(skb)->saddr,
298 .flowi4_mark = vmark ? skb->mark : 0,
306 return inet_select_addr(dev, ip_hdr(skb)->saddr, scope);
313 if (unlikely(fi->nh)) {
314 dev_match = nexthop_uses_dev(fi->nh, dev);
328 if (fib_info_nhc(fi, 0)->nhc_dev == dev)
337 * - (main) check that the source is valid, i.e. not broadcast or our local
339 * - figure out what "logical" interface this packet arrived
341 * - check that the packet arrived from the expected physical interface.
368 no_addr = idev->ifa_list == NULL;
370 fl4.flowi4_mark = IN_DEV_SRC_VMARK(idev) ? skb->mark : 0;
397 dev == net->loopback_dev);
399 ret = FIB_RES_NHC(res)->nhc_scope >= RT_SCOPE_HOST;
406 fl4.flowi4_oif = dev->ifindex;
411 ret = FIB_RES_NHC(res)->nhc_scope >= RT_SCOPE_HOST;
422 return -reason;
424 return -SKB_DROP_REASON_IP_RPFILTER;
436 (dev->ifindex != oif || !IN_DEV_TX_REDIRECTS(idev))) {
440 * only will be too optimistic, with custom rules, checking
443 if (net->ipv4.fib_has_custom_local_routes ||
446 /* Within the same container, it is regarded as a martian source,
450 return -SKB_DROP_REASON_IP_LOCAL_SOURCE;
464 return ((struct sockaddr_in *) addr)->sin_addr.s_addr;
472 nla->nla_type = type;
473 nla->nla_len = nla_attr_size(4);
486 cfg->fc_nlinfo.nl_net = net;
488 if (rt->rt_dst.sa_family != AF_INET)
489 return -EAFNOSUPPORT;
500 addr = sk_extract_addr(&rt->rt_dst);
501 if (!(rt->rt_flags & RTF_HOST)) {
502 __be32 mask = sk_extract_addr(&rt->rt_genmask);
504 if (rt->rt_genmask.sa_family != AF_INET) {
505 if (mask || rt->rt_genmask.sa_family)
506 return -EAFNOSUPPORT;
510 return -EINVAL;
515 cfg->fc_dst_len = plen;
516 cfg->fc_dst = addr;
519 cfg->fc_nlflags = NLM_F_CREATE;
520 cfg->fc_protocol = RTPROT_BOOT;
523 if (rt->rt_metric)
524 cfg->fc_priority = rt->rt_metric - 1;
526 if (rt->rt_flags & RTF_REJECT) {
527 cfg->fc_scope = RT_SCOPE_HOST;
528 cfg->fc_type = RTN_UNREACHABLE;
532 cfg->fc_scope = RT_SCOPE_NOWHERE;
533 cfg->fc_type = RTN_UNICAST;
535 if (rt->rt_dev) {
540 if (copy_from_user(devname, rt->rt_dev, IFNAMSIZ-1))
541 return -EFAULT;
543 devname[IFNAMSIZ-1] = 0;
549 return -ENODEV;
550 cfg->fc_oif = dev->ifindex;
551 cfg->fc_table = l3mdev_fib_table(dev);
558 return -ENODEV;
563 if (strcmp(ifa->ifa_label, devname) == 0)
568 return -ENODEV;
569 cfg->fc_prefsrc = ifa->ifa_local;
573 addr = sk_extract_addr(&rt->rt_gateway);
574 if (rt->rt_gateway.sa_family == AF_INET && addr) {
577 cfg->fc_gw4 = addr;
578 cfg->fc_gw_family = AF_INET;
579 addr_type = inet_addr_type_table(net, addr, cfg->fc_table);
580 if (rt->rt_flags & RTF_GATEWAY &&
582 cfg->fc_scope = RT_SCOPE_UNIVERSE;
585 if (!cfg->fc_table)
586 cfg->fc_table = RT_TABLE_MAIN;
591 if (rt->rt_flags & RTF_GATEWAY && !cfg->fc_gw_family)
592 return -EINVAL;
594 if (cfg->fc_scope == RT_SCOPE_NOWHERE)
595 cfg->fc_scope = RT_SCOPE_LINK;
597 if (rt->rt_flags & (RTF_MTU | RTF_WINDOW | RTF_IRTT)) {
603 return -ENOMEM;
605 if (rt->rt_flags & RTF_MTU)
606 len = put_rtax(mx, len, RTAX_ADVMSS, rt->rt_mtu - 40);
608 if (rt->rt_flags & RTF_WINDOW)
609 len = put_rtax(mx, len, RTAX_WINDOW, rt->rt_window);
611 if (rt->rt_flags & RTF_IRTT)
612 len = put_rtax(mx, len, RTAX_RTT, rt->rt_irtt << 3);
614 cfg->fc_mx = mx;
615 cfg->fc_mx_len = len;
633 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
634 return -EPERM;
647 err = -ESRCH;
654 err = -ENOBUFS;
663 return -EINVAL;
697 return -EINVAL;
701 alen = nla_len(nla) - offsetof(struct rtvia, rtvia_addr);
703 switch (via->rtvia_family) {
707 return -EINVAL;
709 cfg->fc_gw_family = AF_INET;
710 cfg->fc_gw4 = *((__be32 *)via->rtvia_addr);
716 return -EINVAL;
718 cfg->fc_gw_family = AF_INET6;
719 cfg->fc_gw6 = *((struct in6_addr *)via->rtvia_addr);
722 return -EINVAL;
727 return -EINVAL;
751 if (!inet_validate_dscp(rtm->rtm_tos)) {
754 err = -EINVAL;
757 cfg->fc_dscp = inet_dsfield_to_dscp(rtm->rtm_tos);
759 cfg->fc_dst_len = rtm->rtm_dst_len;
760 cfg->fc_table = rtm->rtm_table;
761 cfg->fc_protocol = rtm->rtm_protocol;
762 cfg->fc_scope = rtm->rtm_scope;
763 cfg->fc_type = rtm->rtm_type;
764 cfg->fc_flags = rtm->rtm_flags;
765 cfg->fc_nlflags = nlh->nlmsg_flags;
767 cfg->fc_nlinfo.portid = NETLINK_CB(skb).portid;
768 cfg->fc_nlinfo.nlh = nlh;
769 cfg->fc_nlinfo.nl_net = net;
771 if (cfg->fc_type > RTN_MAX) {
773 err = -EINVAL;
780 cfg->fc_dst = nla_get_be32(attr);
783 cfg->fc_oif = nla_get_u32(attr);
787 cfg->fc_gw4 = nla_get_be32(attr);
788 if (cfg->fc_gw4)
789 cfg->fc_gw_family = AF_INET;
798 cfg->fc_priority = nla_get_u32(attr);
801 cfg->fc_prefsrc = nla_get_be32(attr);
804 cfg->fc_mx = nla_data(attr);
805 cfg->fc_mx_len = nla_len(attr);
813 cfg->fc_mp = nla_data(attr);
814 cfg->fc_mp_len = nla_len(attr);
817 cfg->fc_flow = nla_get_u32(attr);
820 cfg->fc_table = nla_get_u32(attr);
823 cfg->fc_encap = attr;
826 cfg->fc_encap_type = nla_get_u16(attr);
827 err = lwtunnel_valid_encap_type(cfg->fc_encap_type,
833 cfg->fc_nh_id = nla_get_u32(attr);
838 if (cfg->fc_dst_len > 32) {
840 err = -EINVAL;
844 if (cfg->fc_dst_len < 32 && (ntohl(cfg->fc_dst) << cfg->fc_dst_len)) {
846 err = -EINVAL;
850 if (cfg->fc_nh_id) {
851 if (cfg->fc_oif || cfg->fc_gw_family ||
852 cfg->fc_encap || cfg->fc_mp) {
855 err = -EINVAL;
863 err = -EINVAL;
867 if (!cfg->fc_table)
868 cfg->fc_table = RT_TABLE_MAIN;
878 struct net *net = sock_net(skb->sk);
891 err = -EINVAL;
898 err = -ESRCH;
912 struct net *net = sock_net(skb->sk);
925 err = -ENOBUFS;
931 net->ipv4.fib_has_custom_local_routes = true;
943 struct netlink_ext_ack *extack = cb->extack;
948 if (filter->rtnl_held)
954 return -EINVAL;
957 if (rtm->rtm_dst_len || rtm->rtm_src_len || rtm->rtm_tos ||
958 rtm->rtm_scope) {
960 return -EINVAL;
963 if (rtm->rtm_flags & ~(RTM_F_CLONED | RTM_F_PREFIX)) {
965 return -EINVAL;
967 if (rtm->rtm_flags & RTM_F_CLONED)
968 filter->dump_routes = false;
970 filter->dump_exceptions = false;
972 filter->flags = rtm->rtm_flags;
973 filter->protocol = rtm->rtm_protocol;
974 filter->rt_type = rtm->rtm_type;
975 filter->table_id = rtm->rtm_table;
990 filter->table_id = nla_get_u32(tb[i]);
994 if (filter->rtnl_held)
995 filter->dev = __dev_get_by_index(net, ifindex);
997 filter->dev = dev_get_by_index_rcu(net, ifindex);
998 if (!filter->dev)
999 return -ENODEV;
1003 return -EINVAL;
1007 if (filter->flags || filter->protocol || filter->rt_type ||
1008 filter->table_id || filter->dev) {
1009 filter->filter_set = 1;
1010 cb->answer_flags = NLM_F_DUMP_FILTERED;
1024 const struct nlmsghdr *nlh = cb->nlh;
1025 struct net *net = sock_net(skb->sk);
1033 if (cb->strict_check) {
1040 filter.flags = rtm->rtm_flags & (RTM_F_PREFIX | RTM_F_CLONED);
1050 if (rtnl_msg_family(cb->nlh) != PF_INET)
1053 NL_SET_ERR_MSG(cb->extack, "ipv4: FIB table does not exist");
1054 err = -ENOENT;
1061 s_h = cb->args[0];
1062 s_e = cb->args[1];
1067 head = &net->ipv4.fib_table_hash[h];
1072 memset(&cb->args[2], 0, sizeof(cb->args) -
1073 2 * sizeof(cb->args[0]));
1084 cb->args[1] = e;
1085 cb->args[0] = h;
1092 /* Prepare and feed intra-kernel routing request.
1093 * Really, it should be a netlink message, but :-( netlink
1101 struct net *net = dev_net(ifa->ifa_dev->dev);
1102 u32 tb_id = l3mdev_fib_table(ifa->ifa_dev->dev);
1110 .fc_prefsrc = ifa->ifa_local,
1111 .fc_oif = ifa->ifa_dev->dev->ifindex,
1125 cfg.fc_table = tb->tb_id;
1140 struct in_device *in_dev = ifa->ifa_dev;
1141 struct net_device *dev = in_dev->dev;
1143 __be32 mask = ifa->ifa_mask;
1144 __be32 addr = ifa->ifa_local;
1145 __be32 prefix = ifa->ifa_address & mask;
1147 if (ifa->ifa_flags & IFA_F_SECONDARY) {
1157 if (!(dev->flags & IFF_UP))
1161 if (ifa->ifa_broadcast && ifa->ifa_broadcast != htonl(0xFFFFFFFF)) {
1162 fib_magic(RTM_NEWROUTE, RTN_BROADCAST, ifa->ifa_broadcast, 32,
1164 arp_invalidate(dev, ifa->ifa_broadcast, false);
1167 if (!ipv4_is_zeronet(prefix) && !(ifa->ifa_flags & IFA_F_SECONDARY) &&
1168 (prefix != addr || ifa->ifa_prefixlen < 32)) {
1169 if (!(ifa->ifa_flags & IFA_F_NOPREFIXROUTE))
1171 dev->flags & IFF_LOOPBACK ? RTN_LOCAL : RTN_UNICAST,
1172 prefix, ifa->ifa_prefixlen, prim,
1173 ifa->ifa_rt_priority);
1176 if (ifa->ifa_prefixlen < 31) {
1186 __be32 prefix = ifa->ifa_address & ifa->ifa_mask;
1187 struct in_device *in_dev = ifa->ifa_dev;
1188 struct net_device *dev = in_dev->dev;
1190 if (!(dev->flags & IFF_UP) ||
1191 ifa->ifa_flags & (IFA_F_SECONDARY | IFA_F_NOPREFIXROUTE) ||
1193 (prefix == ifa->ifa_local && ifa->ifa_prefixlen == 32))
1198 dev->flags & IFF_LOOPBACK ? RTN_LOCAL : RTN_UNICAST,
1199 prefix, ifa->ifa_prefixlen, ifa, new_metric);
1203 dev->flags & IFF_LOOPBACK ? RTN_LOCAL : RTN_UNICAST,
1204 prefix, ifa->ifa_prefixlen, ifa, ifa->ifa_rt_priority);
1214 struct in_device *in_dev = ifa->ifa_dev;
1215 struct net_device *dev = in_dev->dev;
1218 __be32 brd = ifa->ifa_address | ~ifa->ifa_mask;
1219 __be32 any = ifa->ifa_address & ifa->ifa_mask;
1229 if (ifa->ifa_flags & IFA_F_SECONDARY) {
1230 prim = inet_ifa_byprefix(in_dev, any, ifa->ifa_mask);
1235 if (!in_dev->dead)
1244 (any != ifa->ifa_local || ifa->ifa_prefixlen < 32)) {
1245 if (!(ifa->ifa_flags & IFA_F_NOPREFIXROUTE))
1247 dev->flags & IFF_LOOPBACK ? RTN_LOCAL : RTN_UNICAST,
1248 any, ifa->ifa_prefixlen, prim, 0);
1252 if (in_dev->dead)
1256 * We should take care not to delete too much :-)
1268 if (iprim && ifa1->ifa_mask == iprim->ifa_mask &&
1269 inet_ifa_match(ifa1->ifa_address, iprim))
1273 if (ifa1->ifa_flags & IFA_F_SECONDARY) {
1275 if (ifa1->ifa_mask == prim->ifa_mask &&
1276 inet_ifa_match(ifa1->ifa_address, prim))
1288 ifa1->ifa_mask != prim1->ifa_mask ||
1289 !inet_ifa_match(ifa1->ifa_address, prim1))
1291 ifa1->ifa_address,
1292 ifa1->ifa_mask);
1295 if (prim1->ifa_local != prim->ifa_local)
1299 if (prim->ifa_local != ifa1->ifa_local)
1305 if (ifa->ifa_local == ifa1->ifa_local)
1307 if (ifa->ifa_broadcast == ifa1->ifa_broadcast)
1309 if (brd == ifa1->ifa_broadcast)
1311 if (any == ifa1->ifa_broadcast)
1314 if (prim1 == ifa1 && ifa1->ifa_prefixlen < 31) {
1315 __be32 brd1 = ifa1->ifa_address | ~ifa1->ifa_mask;
1316 __be32 any1 = ifa1->ifa_address & ifa1->ifa_mask;
1319 if (ifa->ifa_broadcast == brd1 ||
1320 ifa->ifa_broadcast == any1)
1333 fib_magic(RTM_DELROUTE, RTN_BROADCAST, ifa->ifa_broadcast, 32,
1335 if (subnet && ifa->ifa_prefixlen < 31) {
1346 fib_magic(RTM_DELROUTE, RTN_LOCAL, ifa->ifa_local, 32, prim, 0);
1350 ifa->ifa_local);
1358 if (fib_sync_down_addr(dev, ifa->ifa_local))
1373 .flowi4_mark = frn->fl_mark,
1374 .daddr = frn->fl_addr,
1375 .flowi4_tos = frn->fl_tos & INET_DSCP_MASK,
1376 .flowi4_scope = frn->fl_scope,
1382 tb = fib_get_table(net, frn->tb_id_in);
1384 frn->err = -ENOENT;
1388 frn->tb_id = tb->tb_id;
1389 frn->err = fib_table_lookup(tb, &fl4, &res, FIB_LOOKUP_NOREF);
1391 if (!frn->err) {
1392 frn->prefixlen = res.prefixlen;
1393 frn->nh_sel = res.nh_sel;
1394 frn->type = res.type;
1395 frn->scope = res.scope;
1410 net = sock_net(skb->sk);
1412 if (skb->len < nlmsg_total_size(sizeof(*frn)) ||
1413 skb->len < nlh->nlmsg_len ||
1428 nlmsg_unicast(net->ipv4.fibnl, skb, portid);
1440 return -EAFNOSUPPORT;
1441 net->ipv4.fibnl = sk;
1447 netlink_kernel_release(net->ipv4.fibnl);
1448 net->ipv4.fibnl = NULL;
1464 struct net_device *dev = ifa->ifa_dev->dev;
1473 atomic_inc(&net->ipv4.dev_addr_genid);
1478 atomic_inc(&net->ipv4.dev_addr_genid);
1479 if (!ifa->ifa_dev->ifa_list) {
1520 atomic_inc(&net->ipv4.dev_addr_genid);
1535 fib_sync_mtu(dev, info_ext->ext.mtu);
1543 if (upper_info->upper_dev &&
1544 netif_is_l3_master(upper_info->upper_dev))
1569 /* Default to 3-tuple */
1570 net->ipv4.sysctl_fib_multipath_hash_fields =
1577 net->ipv4.fib_table_hash = kzalloc(size, GFP_KERNEL);
1578 if (!net->ipv4.fib_table_hash) {
1579 err = -ENOMEM;
1589 kfree(net->ipv4.fib_table_hash);
1601 RCU_INIT_POINTER(net->ipv4.fib_main, NULL);
1602 RCU_INIT_POINTER(net->ipv4.fib_default, NULL);
1609 for (i = FIB_TABLE_HASHSZ - 1; i >= 0; i--) {
1610 struct hlist_head *head = &net->ipv4.fib_table_hash[i];
1615 hlist_del(&tb->tb_hlist);
1625 kfree(net->ipv4.fib_table_hash);
1634 atomic_set(&net->ipv4.fib_num_tclassid_users, 0);