xref: /linux/net/ipv4/fib_rules.c (revision c4ee0af3fa0dc65f690fc908f02b8355f9576ea0) 
1 /*
2  * INET		An implementation of the TCP/IP protocol suite for the LINUX
3  *		operating system.  INET is implemented using the  BSD Socket
4  *		interface as the means of communication with the user level.
5  *
6  *		IPv4 Forwarding Information Base: policy rules.
7  *
8  * Authors:	Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
9  *		Thomas Graf <tgraf@suug.ch>
10  *
11  *		This program is free software; you can redistribute it and/or
12  *		modify it under the terms of the GNU General Public License
13  *		as published by the Free Software Foundation; either version
14  *		2 of the License, or (at your option) any later version.
15  *
16  * Fixes:
17  *		Rani Assaf	:	local_rule cannot be deleted
18  *		Marc Boucher	:	routing by fwmark
19  */
20 
21 #include <linux/types.h>
22 #include <linux/kernel.h>
23 #include <linux/netdevice.h>
24 #include <linux/netlink.h>
25 #include <linux/inetdevice.h>
26 #include <linux/init.h>
27 #include <linux/list.h>
28 #include <linux/rcupdate.h>
29 #include <linux/export.h>
30 #include <net/ip.h>
31 #include <net/route.h>
32 #include <net/tcp.h>
33 #include <net/ip_fib.h>
34 #include <net/fib_rules.h>
35 
36 struct fib4_rule {
37 	struct fib_rule		common;
38 	u8			dst_len;
39 	u8			src_len;
40 	u8			tos;
41 	__be32			src;
42 	__be32			srcmask;
43 	__be32			dst;
44 	__be32			dstmask;
45 #ifdef CONFIG_IP_ROUTE_CLASSID
46 	u32			tclassid;
47 #endif
48 };
49 
50 int __fib_lookup(struct net *net, struct flowi4 *flp, struct fib_result *res)
51 {
52 	struct fib_lookup_arg arg = {
53 		.result = res,
54 		.flags = FIB_LOOKUP_NOREF,
55 	};
56 	int err;
57 
58 	err = fib_rules_lookup(net->ipv4.rules_ops, flowi4_to_flowi(flp), 0, &arg);
59 #ifdef CONFIG_IP_ROUTE_CLASSID
60 	if (arg.rule)
61 		res->tclassid = ((struct fib4_rule *)arg.rule)->tclassid;
62 	else
63 		res->tclassid = 0;
64 #endif
65 	return err;
66 }
67 EXPORT_SYMBOL_GPL(__fib_lookup);
68 
69 static int fib4_rule_action(struct fib_rule *rule, struct flowi *flp,
70 			    int flags, struct fib_lookup_arg *arg)
71 {
72 	int err = -EAGAIN;
73 	struct fib_table *tbl;
74 
75 	switch (rule->action) {
76 	case FR_ACT_TO_TBL:
77 		break;
78 
79 	case FR_ACT_UNREACHABLE:
80 		err = -ENETUNREACH;
81 		goto errout;
82 
83 	case FR_ACT_PROHIBIT:
84 		err = -EACCES;
85 		goto errout;
86 
87 	case FR_ACT_BLACKHOLE:
88 	default:
89 		err = -EINVAL;
90 		goto errout;
91 	}
92 
93 	tbl = fib_get_table(rule->fr_net, rule->table);
94 	if (!tbl)
95 		goto errout;
96 
97 	err = fib_table_lookup(tbl, &flp->u.ip4, (struct fib_result *) arg->result, arg->flags);
98 	if (err > 0)
99 		err = -EAGAIN;
100 errout:
101 	return err;
102 }
103 
104 static bool fib4_rule_suppress(struct fib_rule *rule, struct fib_lookup_arg *arg)
105 {
106 	struct fib_result *result = (struct fib_result *) arg->result;
107 	struct net_device *dev = NULL;
108 
109 	if (result->fi)
110 		dev = result->fi->fib_dev;
111 
112 	/* do not accept result if the route does
113 	 * not meet the required prefix length
114 	 */
115 	if (result->prefixlen <= rule->suppress_prefixlen)
116 		goto suppress_route;
117 
118 	/* do not accept result if the route uses a device
119 	 * belonging to a forbidden interface group
120 	 */
121 	if (rule->suppress_ifgroup != -1 && dev && dev->group == rule->suppress_ifgroup)
122 		goto suppress_route;
123 
124 	return false;
125 
126 suppress_route:
127 	if (!(arg->flags & FIB_LOOKUP_NOREF))
128 		fib_info_put(result->fi);
129 	return true;
130 }
131 
132 static int fib4_rule_match(struct fib_rule *rule, struct flowi *fl, int flags)
133 {
134 	struct fib4_rule *r = (struct fib4_rule *) rule;
135 	struct flowi4 *fl4 = &fl->u.ip4;
136 	__be32 daddr = fl4->daddr;
137 	__be32 saddr = fl4->saddr;
138 
139 	if (((saddr ^ r->src) & r->srcmask) ||
140 	    ((daddr ^ r->dst) & r->dstmask))
141 		return 0;
142 
143 	if (r->tos && (r->tos != fl4->flowi4_tos))
144 		return 0;
145 
146 	return 1;
147 }
148 
149 static struct fib_table *fib_empty_table(struct net *net)
150 {
151 	u32 id;
152 
153 	for (id = 1; id <= RT_TABLE_MAX; id++)
154 		if (fib_get_table(net, id) == NULL)
155 			return fib_new_table(net, id);
156 	return NULL;
157 }
158 
159 static const struct nla_policy fib4_rule_policy[FRA_MAX+1] = {
160 	FRA_GENERIC_POLICY,
161 	[FRA_FLOW]	= { .type = NLA_U32 },
162 };
163 
164 static int fib4_rule_configure(struct fib_rule *rule, struct sk_buff *skb,
165 			       struct fib_rule_hdr *frh,
166 			       struct nlattr **tb)
167 {
168 	struct net *net = sock_net(skb->sk);
169 	int err = -EINVAL;
170 	struct fib4_rule *rule4 = (struct fib4_rule *) rule;
171 
172 	if (frh->tos & ~IPTOS_TOS_MASK)
173 		goto errout;
174 
175 	if (rule->table == RT_TABLE_UNSPEC) {
176 		if (rule->action == FR_ACT_TO_TBL) {
177 			struct fib_table *table;
178 
179 			table = fib_empty_table(net);
180 			if (table == NULL) {
181 				err = -ENOBUFS;
182 				goto errout;
183 			}
184 
185 			rule->table = table->tb_id;
186 		}
187 	}
188 
189 	if (frh->src_len)
190 		rule4->src = nla_get_be32(tb[FRA_SRC]);
191 
192 	if (frh->dst_len)
193 		rule4->dst = nla_get_be32(tb[FRA_DST]);
194 
195 #ifdef CONFIG_IP_ROUTE_CLASSID
196 	if (tb[FRA_FLOW]) {
197 		rule4->tclassid = nla_get_u32(tb[FRA_FLOW]);
198 		if (rule4->tclassid)
199 			net->ipv4.fib_num_tclassid_users++;
200 	}
201 #endif
202 
203 	rule4->src_len = frh->src_len;
204 	rule4->srcmask = inet_make_mask(rule4->src_len);
205 	rule4->dst_len = frh->dst_len;
206 	rule4->dstmask = inet_make_mask(rule4->dst_len);
207 	rule4->tos = frh->tos;
208 
209 	net->ipv4.fib_has_custom_rules = true;
210 	err = 0;
211 errout:
212 	return err;
213 }
214 
215 static void fib4_rule_delete(struct fib_rule *rule)
216 {
217 	struct net *net = rule->fr_net;
218 #ifdef CONFIG_IP_ROUTE_CLASSID
219 	struct fib4_rule *rule4 = (struct fib4_rule *) rule;
220 
221 	if (rule4->tclassid)
222 		net->ipv4.fib_num_tclassid_users--;
223 #endif
224 	net->ipv4.fib_has_custom_rules = true;
225 }
226 
227 static int fib4_rule_compare(struct fib_rule *rule, struct fib_rule_hdr *frh,
228 			     struct nlattr **tb)
229 {
230 	struct fib4_rule *rule4 = (struct fib4_rule *) rule;
231 
232 	if (frh->src_len && (rule4->src_len != frh->src_len))
233 		return 0;
234 
235 	if (frh->dst_len && (rule4->dst_len != frh->dst_len))
236 		return 0;
237 
238 	if (frh->tos && (rule4->tos != frh->tos))
239 		return 0;
240 
241 #ifdef CONFIG_IP_ROUTE_CLASSID
242 	if (tb[FRA_FLOW] && (rule4->tclassid != nla_get_u32(tb[FRA_FLOW])))
243 		return 0;
244 #endif
245 
246 	if (frh->src_len && (rule4->src != nla_get_be32(tb[FRA_SRC])))
247 		return 0;
248 
249 	if (frh->dst_len && (rule4->dst != nla_get_be32(tb[FRA_DST])))
250 		return 0;
251 
252 	return 1;
253 }
254 
255 static int fib4_rule_fill(struct fib_rule *rule, struct sk_buff *skb,
256 			  struct fib_rule_hdr *frh)
257 {
258 	struct fib4_rule *rule4 = (struct fib4_rule *) rule;
259 
260 	frh->dst_len = rule4->dst_len;
261 	frh->src_len = rule4->src_len;
262 	frh->tos = rule4->tos;
263 
264 	if ((rule4->dst_len &&
265 	     nla_put_be32(skb, FRA_DST, rule4->dst)) ||
266 	    (rule4->src_len &&
267 	     nla_put_be32(skb, FRA_SRC, rule4->src)))
268 		goto nla_put_failure;
269 #ifdef CONFIG_IP_ROUTE_CLASSID
270 	if (rule4->tclassid &&
271 	    nla_put_u32(skb, FRA_FLOW, rule4->tclassid))
272 		goto nla_put_failure;
273 #endif
274 	return 0;
275 
276 nla_put_failure:
277 	return -ENOBUFS;
278 }
279 
280 static size_t fib4_rule_nlmsg_payload(struct fib_rule *rule)
281 {
282 	return nla_total_size(4) /* dst */
283 	       + nla_total_size(4) /* src */
284 	       + nla_total_size(4); /* flow */
285 }
286 
287 static void fib4_rule_flush_cache(struct fib_rules_ops *ops)
288 {
289 	rt_cache_flush(ops->fro_net);
290 }
291 
292 static const struct fib_rules_ops __net_initconst fib4_rules_ops_template = {
293 	.family		= AF_INET,
294 	.rule_size	= sizeof(struct fib4_rule),
295 	.addr_size	= sizeof(u32),
296 	.action		= fib4_rule_action,
297 	.suppress	= fib4_rule_suppress,
298 	.match		= fib4_rule_match,
299 	.configure	= fib4_rule_configure,
300 	.delete		= fib4_rule_delete,
301 	.compare	= fib4_rule_compare,
302 	.fill		= fib4_rule_fill,
303 	.default_pref	= fib_default_rule_pref,
304 	.nlmsg_payload	= fib4_rule_nlmsg_payload,
305 	.flush_cache	= fib4_rule_flush_cache,
306 	.nlgroup	= RTNLGRP_IPV4_RULE,
307 	.policy		= fib4_rule_policy,
308 	.owner		= THIS_MODULE,
309 };
310 
311 static int fib_default_rules_init(struct fib_rules_ops *ops)
312 {
313 	int err;
314 
315 	err = fib_default_rule_add(ops, 0, RT_TABLE_LOCAL, 0);
316 	if (err < 0)
317 		return err;
318 	err = fib_default_rule_add(ops, 0x7FFE, RT_TABLE_MAIN, 0);
319 	if (err < 0)
320 		return err;
321 	err = fib_default_rule_add(ops, 0x7FFF, RT_TABLE_DEFAULT, 0);
322 	if (err < 0)
323 		return err;
324 	return 0;
325 }
326 
327 int __net_init fib4_rules_init(struct net *net)
328 {
329 	int err;
330 	struct fib_rules_ops *ops;
331 
332 	ops = fib_rules_register(&fib4_rules_ops_template, net);
333 	if (IS_ERR(ops))
334 		return PTR_ERR(ops);
335 
336 	err = fib_default_rules_init(ops);
337 	if (err < 0)
338 		goto fail;
339 	net->ipv4.rules_ops = ops;
340 	net->ipv4.fib_has_custom_rules = false;
341 	return 0;
342 
343 fail:
344 	/* also cleans all rules already added */
345 	fib_rules_unregister(ops);
346 	return err;
347 }
348 
349 void __net_exit fib4_rules_exit(struct net *net)
350 {
351 	fib_rules_unregister(net->ipv4.rules_ops);
352 }
353