/*
* Handle netlink notification informing a rule add or delete.
* Handling of an ADD is TBD.
* DELs are notified up, if other attributes indicate it may be a
* notification of interest. The expectation is that if this corresponds
* to a PBR rule added by FRR, it will be readded.
*/
int netlink_rule_change(struct nlmsghdr *h, ns_id_t ns_id, int startup)
{
struct zebra_ns *zns;
struct fib_rule_hdr *frh;
struct rtattr *tb[FRA_MAX + 1];
int len;
char *ifname;
struct zebra_pbr_rule rule = {};
char buf1[PREFIX_STRLEN];
char buf2[PREFIX_STRLEN];
/* Basic validation followed by extracting attributes. */
if (h->nlmsg_type != RTM_NEWRULE && h->nlmsg_type != RTM_DELRULE)
return 0;
/* TBD */
if (h->nlmsg_type == RTM_NEWRULE)
return 0;
len = h->nlmsg_len - NLMSG_LENGTH(sizeof(struct fib_rule_hdr));
if (len < 0) {
zlog_err("%s: Message received from netlink is of a broken size: %d %zu",
__PRETTY_FUNCTION__, h->nlmsg_len,
(size_t)NLMSG_LENGTH(sizeof(struct fib_rule_hdr)));
return -1;
}
frh = NLMSG_DATA(h);
if (frh->family != AF_INET && frh->family != AF_INET6) {
flog_warn(
EC_ZEBRA_NETLINK_INVALID_AF,
"Invalid address family: %u received from kernel rule change: %u",
frh->family, h->nlmsg_type);
return 0;
}
if (frh->action != FR_ACT_TO_TBL)
return 0;
memset(tb, 0, sizeof(tb));
netlink_parse_rtattr(tb, FRA_MAX, RTM_RTA(frh), len);
/* TBD: We don't care about rules not specifying an IIF. */
if (tb[FRA_IFNAME] == NULL)
return 0;
/* If we don't know the interface, we don't care. */
ifname = (char *)RTA_DATA(tb[FRA_IFNAME]);
zns = zebra_ns_lookup(ns_id);
rule.ifp = if_lookup_by_name_per_ns(zns, ifname);
if (!rule.ifp)
return 0;
if (tb[FRA_PRIORITY])
rule.rule.priority = *(uint32_t *)RTA_DATA(tb[FRA_PRIORITY]);
if (tb[FRA_SRC]) {
if (frh->family == AF_INET)
memcpy(&rule.rule.filter.src_ip.u.prefix4,
RTA_DATA(tb[FRA_SRC]), 4);
else
memcpy(&rule.rule.filter.src_ip.u.prefix6,
RTA_DATA(tb[FRA_SRC]), 16);
rule.rule.filter.src_ip.prefixlen = frh->src_len;
rule.rule.filter.filter_bm |= PBR_FILTER_SRC_IP;
}
if (tb[FRA_DST]) {
if (frh->family == AF_INET)
memcpy(&rule.rule.filter.dst_ip.u.prefix4,
RTA_DATA(tb[FRA_DST]), 4);
else
memcpy(&rule.rule.filter.dst_ip.u.prefix6,
RTA_DATA(tb[FRA_DST]), 16);
rule.rule.filter.dst_ip.prefixlen = frh->dst_len;
rule.rule.filter.filter_bm |= PBR_FILTER_DST_IP;
}
if (tb[FRA_TABLE])
rule.rule.action.table = *(uint32_t *)RTA_DATA(tb[FRA_TABLE]);
else
rule.rule.action.table = frh->table;
if (IS_ZEBRA_DEBUG_KERNEL)
zlog_debug(
"Rx %s family %s IF %s(%u) Pref %u Src %s Dst %s Table %u",
nl_msg_type_to_str(h->nlmsg_type),
nl_family_to_str(frh->family), rule.ifp->name,
rule.ifp->ifindex, rule.rule.priority,
prefix2str(&rule.rule.filter.src_ip, buf1,
sizeof(buf1)),
prefix2str(&rule.rule.filter.dst_ip, buf2,
sizeof(buf2)),
rule.rule.action.table);
return kernel_pbr_rule_del(&rule);
}
/* Install or uninstall specified rule for a specific interface.
* Form netlink message and ship it. Currently, notify status after
* waiting for netlink status.
*/
static int netlink_rule_update(int cmd, struct zebra_pbr_rule *rule)
{
int family;
int bytelen;
struct {
struct nlmsghdr n;
struct fib_rule_hdr frh;
char buf[NL_PKT_BUF_SIZE];
} req;
struct zebra_ns *zns = zebra_ns_lookup(NS_DEFAULT);
struct sockaddr_nl snl;
char buf1[PREFIX_STRLEN];
char buf2[PREFIX_STRLEN];
memset(&req, 0, sizeof(req) - NL_PKT_BUF_SIZE);
family = PREFIX_FAMILY(&rule->rule.filter.src_ip);
bytelen = (family == AF_INET ? 4 : 16);
req.n.nlmsg_type = cmd;
req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
req.n.nlmsg_flags = NLM_F_REQUEST;
req.n.nlmsg_pid = zns->netlink_cmd.snl.nl_pid;
req.frh.family = family;
req.frh.action = FR_ACT_TO_TBL;
/* rule's pref # */
addattr32(&req.n, sizeof(req), FRA_PRIORITY, rule->rule.priority);
/* interface on which applied */
if (rule->ifp)
addattr_l(&req.n, sizeof(req), FRA_IFNAME, rule->ifp->name,
strlen(rule->ifp->name) + 1);
/* source IP, if specified */
if (IS_RULE_FILTERING_ON_SRC_IP(rule)) {
req.frh.src_len = rule->rule.filter.src_ip.prefixlen;
addattr_l(&req.n, sizeof(req), FRA_SRC,
&rule->rule.filter.src_ip.u.prefix, bytelen);
}
/* destination IP, if specified */
if (IS_RULE_FILTERING_ON_DST_IP(rule)) {
req.frh.dst_len = rule->rule.filter.dst_ip.prefixlen;
addattr_l(&req.n, sizeof(req), FRA_DST,
&rule->rule.filter.dst_ip.u.prefix, bytelen);
}
/* fwmark, if specified */
if (IS_RULE_FILTERING_ON_FWMARK(rule)) {
addattr32(&req.n, sizeof(req), FRA_FWMARK,
rule->rule.filter.fwmark);
}
/* Route table to use to forward, if filter criteria matches. */
if (rule->rule.action.table < 256)
req.frh.table = rule->rule.action.table;
else {
req.frh.table = RT_TABLE_UNSPEC;
addattr32(&req.n, sizeof(req), FRA_TABLE,
rule->rule.action.table);
}
if (IS_ZEBRA_DEBUG_KERNEL)
zlog_debug(
"Tx %s family %s IF %s(%u) Pref %u Fwmark %u Src %s Dst %s Table %u",
nl_msg_type_to_str(cmd), nl_family_to_str(family),
rule->ifp ? rule->ifp->name : "Unknown",
rule->ifp ? rule->ifp->ifindex : 0, rule->rule.priority,
rule->rule.filter.fwmark,
prefix2str(&rule->rule.filter.src_ip, buf1,
sizeof(buf1)),
prefix2str(&rule->rule.filter.dst_ip, buf2,
sizeof(buf2)),
rule->rule.action.table);
/* Ship off the message.
* Note: Currently, netlink_talk() is a blocking call which returns
* back the status.
*/
memset(&snl, 0, sizeof(snl));
snl.nl_family = AF_NETLINK;
return netlink_talk(netlink_talk_filter, &req.n,
&zns->netlink_cmd, zns, 0);
}
int netlink_interface_addr(struct nlmsghdr *h, ns_id_t ns_id, int startup)
{
int len;
struct ifaddrmsg *ifa;
struct rtattr *tb[IFA_MAX + 1];
struct interface *ifp;
void *addr;
void *broad;
uint8_t flags = 0;
char *label = NULL;
struct zebra_ns *zns;
zns = zebra_ns_lookup(ns_id);
ifa = NLMSG_DATA(h);
if (ifa->ifa_family != AF_INET && ifa->ifa_family != AF_INET6) {
zlog_warn(
"Invalid address family: %u received from kernel interface addr change: %u",
ifa->ifa_family, h->nlmsg_type);
return 0;
}
if (h->nlmsg_type != RTM_NEWADDR && h->nlmsg_type != RTM_DELADDR)
return 0;
len = h->nlmsg_len - NLMSG_LENGTH(sizeof(struct ifaddrmsg));
if (len < 0) {
zlog_err("%s: Message received from netlink is of a broken size: %d %zu",
__PRETTY_FUNCTION__,
h->nlmsg_len,
(size_t)NLMSG_LENGTH(sizeof(struct ifaddrmsg)));
return -1;
}
memset(tb, 0, sizeof tb);
netlink_parse_rtattr(tb, IFA_MAX, IFA_RTA(ifa), len);
ifp = if_lookup_by_index_per_ns(zns, ifa->ifa_index);
if (ifp == NULL) {
flog_err(
LIB_ERR_INTERFACE,
"netlink_interface_addr can't find interface by index %d",
ifa->ifa_index);
return -1;
}
if (IS_ZEBRA_DEBUG_KERNEL) /* remove this line to see initial ifcfg */
{
char buf[BUFSIZ];
zlog_debug("netlink_interface_addr %s %s flags 0x%x:",
nl_msg_type_to_str(h->nlmsg_type), ifp->name,
ifa->ifa_flags);
if (tb[IFA_LOCAL])
zlog_debug(" IFA_LOCAL %s/%d",
inet_ntop(ifa->ifa_family,
RTA_DATA(tb[IFA_LOCAL]), buf,
BUFSIZ),
ifa->ifa_prefixlen);
if (tb[IFA_ADDRESS])
zlog_debug(" IFA_ADDRESS %s/%d",
inet_ntop(ifa->ifa_family,
RTA_DATA(tb[IFA_ADDRESS]), buf,
BUFSIZ),
ifa->ifa_prefixlen);
if (tb[IFA_BROADCAST])
zlog_debug(" IFA_BROADCAST %s/%d",
inet_ntop(ifa->ifa_family,
RTA_DATA(tb[IFA_BROADCAST]), buf,
BUFSIZ),
ifa->ifa_prefixlen);
if (tb[IFA_LABEL] && strcmp(ifp->name, RTA_DATA(tb[IFA_LABEL])))
zlog_debug(" IFA_LABEL %s",
(char *)RTA_DATA(tb[IFA_LABEL]));
if (tb[IFA_CACHEINFO]) {
struct ifa_cacheinfo *ci = RTA_DATA(tb[IFA_CACHEINFO]);
zlog_debug(" IFA_CACHEINFO pref %d, valid %d",
ci->ifa_prefered, ci->ifa_valid);
}
}
/* logic copied from iproute2/ip/ipaddress.c:print_addrinfo() */
if (tb[IFA_LOCAL] == NULL)
tb[IFA_LOCAL] = tb[IFA_ADDRESS];
if (tb[IFA_ADDRESS] == NULL)
tb[IFA_ADDRESS] = tb[IFA_LOCAL];
/* local interface address */
addr = (tb[IFA_LOCAL] ? RTA_DATA(tb[IFA_LOCAL]) : NULL);
/* is there a peer address? */
if (tb[IFA_ADDRESS]
&& memcmp(RTA_DATA(tb[IFA_ADDRESS]), RTA_DATA(tb[IFA_LOCAL]),
RTA_PAYLOAD(tb[IFA_ADDRESS]))) {
broad = RTA_DATA(tb[IFA_ADDRESS]);
SET_FLAG(flags, ZEBRA_IFA_PEER);
} else
/* seeking a broadcast address */
broad = (tb[IFA_BROADCAST] ? RTA_DATA(tb[IFA_BROADCAST])
: NULL);
/* addr is primary key, SOL if we don't have one */
if (addr == NULL) {
zlog_debug("%s: NULL address", __func__);
return -1;
}
/* Flags. */
if (ifa->ifa_flags & IFA_F_SECONDARY)
SET_FLAG(flags, ZEBRA_IFA_SECONDARY);
/* Label */
if (tb[IFA_LABEL])
label = (char *)RTA_DATA(tb[IFA_LABEL]);
if (label && strcmp(ifp->name, label) == 0)
label = NULL;
/* Register interface address to the interface. */
if (ifa->ifa_family == AF_INET) {
if (ifa->ifa_prefixlen > IPV4_MAX_BITLEN) {
zlog_err(
"Invalid prefix length: %u received from kernel interface addr change: %u",
ifa->ifa_prefixlen, h->nlmsg_type);
return -1;
}
if (h->nlmsg_type == RTM_NEWADDR)
connected_add_ipv4(ifp, flags, (struct in_addr *)addr,
ifa->ifa_prefixlen,
(struct in_addr *)broad, label);
else
connected_delete_ipv4(
ifp, flags, (struct in_addr *)addr,
ifa->ifa_prefixlen, (struct in_addr *)broad);
}
if (ifa->ifa_family == AF_INET6) {
if (ifa->ifa_prefixlen > IPV6_MAX_BITLEN) {
zlog_err(
"Invalid prefix length: %u received from kernel interface addr change: %u",
ifa->ifa_prefixlen, h->nlmsg_type);
return -1;
}
if (h->nlmsg_type == RTM_NEWADDR) {
/* Only consider valid addresses; we'll not get a
* notification from
* the kernel till IPv6 DAD has completed, but at init
* time, Quagga
* does query for and will receive all addresses.
*/
if (!(ifa->ifa_flags
& (IFA_F_DADFAILED | IFA_F_TENTATIVE)))
connected_add_ipv6(ifp, flags,
(struct in6_addr *)addr,
(struct in6_addr *)broad,
ifa->ifa_prefixlen, label);
} else
connected_delete_ipv6(ifp, (struct in6_addr *)addr,
(struct in6_addr *)broad,
ifa->ifa_prefixlen);
}
return 0;
}
