static int
netlink3_reset_interface_parameters(const interface_t* ifp)
{
struct nl_sock *sk;
struct nl_cache *cache;
struct rtnl_link *link = NULL;
struct rtnl_link *new_state = NULL;
int res = 0;
if (!(sk = nl_socket_alloc())) {
log_message(LOG_INFO, "Unable to open netlink socket");
return -1;
}
if (nl_connect(sk, NETLINK_ROUTE) < 0)
goto err;
if (rtnl_link_alloc_cache(sk, AF_UNSPEC, &cache))
goto err;
if (!(link = rtnl_link_get(cache, ifp->ifindex)))
goto err;
if (!(new_state = rtnl_link_alloc()))
goto err;
if (rtnl_link_inet_set_conf(new_state, IPV4_DEVCONF_ARP_IGNORE, ifp->reset_arp_ignore_value) ||
rtnl_link_inet_set_conf(new_state, IPV4_DEVCONF_ARPFILTER, ifp->reset_arp_filter_value) ||
rtnl_link_change(sk, link, new_state, 0))
goto err;
rtnl_link_put(link);
link = NULL;
rtnl_link_put(new_state);
new_state = NULL;
goto exit;
err:
res = -1;
if (link)
rtnl_link_put(link);
if (new_state)
rtnl_link_put(new_state);
exit:
nl_socket_free(sk);
return res;
}
/*
* Set the MTU on the specified device.
*/
int iface_set_interface_mtu(char *ifname, int mtu) {
int ret = 0;
struct nl_handle *handle = NULL;
struct nl_cache *cache = NULL;
struct rtnl_link *link = NULL;
struct rtnl_link *request = NULL;
if (ifname == NULL) {
return -1;
}
if (mtu <= 0) {
return -2;
}
if ((cache = _iface_get_link_cache(&handle)) == NULL) {
return -3;
}
if ((link = rtnl_link_get_by_name(cache, ifname)) == NULL) {
ret = -4;
goto ifacemtu_error1;
}
request = rtnl_link_alloc();
rtnl_link_set_mtu(request, mtu);
if (rtnl_link_change(handle, link, request, 0)) {
ret = -5;
goto ifacemtu_error2;
}
ifacemtu_error2:
rtnl_link_put(link);
ifacemtu_error1:
nl_close(handle);
nl_handle_destroy(handle);
return ret;
}
TError TNlLink::Enslave(const std::string &name) {
struct rtnl_link *link;
int ret;
link = rtnl_link_alloc();
rtnl_link_set_name(link, name.c_str());
rtnl_link_set_master(link, GetIndex());
rtnl_link_set_flags(link, IFF_UP);
Dump("mod", link);
ret = rtnl_link_change(GetSock(), link, link, 0);
if (ret < 0) {
Dump("del", link);
(void)rtnl_link_delete(GetSock(), link);
rtnl_link_put(link);
return Error(ret, "Cannot enslave interface " + name);
}
rtnl_link_put(link);
return TError::Success();
}
/**
* Add a link to a bond (enslave)
* @arg sock netlink socket
* @arg master ifindex of bonding master
* @arg slave ifindex of slave link to add to bond
*
* This function is identical to rtnl_link_bond_enslave() except that
* it takes interface indices instead of rtnl_link objcets.
*
* @see rtnl_link_bond_enslave()
*
* @return 0 on success or a negative error code.
*/
int rtnl_link_bond_enslave_ifindex(struct nl_sock *sock, int master,
int slave)
{
struct rtnl_link *link;
int err;
if (!(link = rtnl_link_alloc()))
return -NLE_NOMEM;
if ((err = rtnl_link_set_type(link, "bond")) < 0)
goto errout;
rtnl_link_set_ifindex(link, slave);
rtnl_link_set_master(link, master);
if ((err = rtnl_link_change(sock, link, link, 0)) < 0)
goto errout;
rtnl_link_put(link);
/*
* Due to the kernel not signaling whether this opertion is
* supported or not, we will retrieve the attribute to see if the
* request was successful. If the master assigned remains unchanged
* we will return NLE_OPNOTSUPP to allow performing backwards
* compatibility of some sort.
*/
if ((err = rtnl_link_get_kernel(sock, slave, NULL, &link)) < 0)
return err;
if (rtnl_link_get_master(link) != master)
err = -NLE_OPNOTSUPP;
errout:
rtnl_link_put(link);
return err;
}
int sysnet_interface_set(VPNInterface *i, int up)
{
int err;
struct nl_cache *link_cache;
struct nl_sock *sock;
struct rtnl_link *link;
struct rtnl_link *new_link;
sock = nl_socket_alloc();
nl_connect(sock, NETLINK_ROUTE);
rtnl_link_alloc_cache(sock, AF_UNSPEC, &link_cache);
link = rtnl_link_get_by_name(link_cache, i->name);
new_link = rtnl_link_alloc();
if (!link)
{
tox_trace(i->context->tox, "Can't find link \"%s\"", i->name);
return -1;
}
unsigned int new_flags = up ? IFF_UP : 0;
rtnl_link_set_flags(new_link, new_flags);
if ((err = rtnl_link_change(sock, link, new_link, 0)) < 0) {
tox_trace(i->context->tox, "Unable to change link \"%s\" flags: %s", rtnl_link_get_name(link), nl_geterror(err));
}
rtnl_link_put(link);
rtnl_link_put(new_link);
nl_cache_free(link_cache);
nl_socket_free(sock);
return 0;
}
static int
netlink3_set_interface_parameters(const interface_t *ifp, interface_t *base_ifp)
{
struct nl_sock *sk;
struct nl_cache *cache;
struct rtnl_link *link = NULL;
struct rtnl_link *new_state = NULL;
int res = 0;
if (!(sk = nl_socket_alloc())) {
log_message(LOG_INFO, "Unable to open netlink socket");
return -1;
}
if (nl_connect(sk, NETLINK_ROUTE) < 0)
goto err;
if (rtnl_link_alloc_cache(sk, AF_UNSPEC, &cache))
goto err;
if (!(link = rtnl_link_get(cache, ifp->ifindex)))
goto err;
// Allocate a new link
if (!(new_state = rtnl_link_alloc()))
goto err;
if (rtnl_link_inet_set_conf(new_state, IPV4_DEVCONF_ARP_IGNORE, 1) ||
rtnl_link_inet_set_conf(new_state, IPV4_DEVCONF_ACCEPT_LOCAL, 1) ||
rtnl_link_inet_set_conf(new_state, IPV4_DEVCONF_RP_FILTER, 0) ||
rtnl_link_inet_set_conf(new_state, IPV4_DEVCONF_PROMOTE_SECONDARIES, 1) ||
rtnl_link_change (sk, link, new_state, 0))
goto err;
rtnl_link_put(new_state);
new_state = NULL;
rtnl_link_put(link);
link = NULL;
/* Set arp_ignore and arp_filter on base interface if needed */
if (base_ifp->reset_arp_config)
(base_ifp->reset_arp_config)++;
else {
if (!(link = rtnl_link_get(cache, base_ifp->ifindex)))
goto err;
if (rtnl_link_inet_get_conf(link, IPV4_DEVCONF_ARP_IGNORE, &base_ifp->reset_arp_ignore_value) < 0)
goto err;
if (rtnl_link_inet_get_conf(link, IPV4_DEVCONF_ARPFILTER, &base_ifp->reset_arp_filter_value) < 0)
goto err;
if (base_ifp->reset_arp_ignore_value != 1 ||
base_ifp->reset_arp_filter_value != 1 ) {
/* The underlying interface mustn't reply for our address(es) */
if (!(new_state = rtnl_link_alloc()))
goto err;
if (rtnl_link_inet_set_conf(new_state, IPV4_DEVCONF_ARP_IGNORE, 1) ||
rtnl_link_inet_set_conf(new_state, IPV4_DEVCONF_ARPFILTER, 1) ||
rtnl_link_change(sk, link, new_state, 0))
goto err;
rtnl_link_put(new_state);
new_state = NULL;
rtnl_link_put(link);
link = NULL;
base_ifp->reset_arp_config = 1;
}
}
goto exit;
err:
res = -1;
if (link)
rtnl_link_put(link);
if (new_state)
rtnl_link_put(new_state);
exit:
nl_socket_free(sk);
return res;
}
int main(int argc, char *argv[])
{
char *unikernel;
enum {
QEMU,
KVM,
UKVM,
UNIX
} hypervisor;
if (argc < 3) {
fprintf(stderr, "usage: runner HYPERVISOR UNIKERNEL [ ARGS... ]\n");
fprintf(stderr, "HYPERVISOR: qemu | kvm | ukvm | unix\n");
return 1;
}
if (strcmp(argv[1], "qemu") == 0)
hypervisor = QEMU;
else if (strcmp(argv[1], "kvm") == 0)
hypervisor = KVM;
else if (strcmp(argv[1], "ukvm") == 0)
hypervisor = UKVM;
else if (strcmp(argv[1], "unix") == 0)
hypervisor = UNIX;
else {
warnx("error: Invalid hypervisor: %s", argv[1]);
return 1;
}
unikernel = argv[2];
/*
* Remaining arguments are to be passed on to the unikernel.
*/
argv += 3;
argc -= 3;
/*
* Check we have CAP_NET_ADMIN.
*/
if (capng_get_caps_process() != 0) {
warnx("error: capng_get_caps_process() failed");
return 1;
}
if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_NET_ADMIN)) {
warnx("error: CAP_NET_ADMIN is required");
return 1;
}
/*
* Connect to netlink, load link cache from kernel.
*/
struct nl_sock *sk;
struct nl_cache *link_cache;
int err;
sk = nl_socket_alloc();
assert(sk);
err = nl_connect(sk, NETLINK_ROUTE);
if (err < 0) {
warnx("nl_connect() failed: %s", nl_geterror(err));
return 1;
}
err = rtnl_link_alloc_cache(sk, AF_UNSPEC, &link_cache);
if (err < 0) {
warnx("rtnl_link_alloc_cache() failed: %s", nl_geterror(err));
return 1;
}
/*
* Retrieve container network configuration -- IP address and
* default gateway.
*/
struct rtnl_link *l_veth;
l_veth = rtnl_link_get_by_name(link_cache, VETH_LINK_NAME);
if (l_veth == NULL) {
warnx("error: Could not get link information for %s", VETH_LINK_NAME);
return 1;
}
struct nl_addr *veth_addr;
err = get_link_inet_addr(sk, l_veth, &veth_addr);
if (err) {
warnx("error: Unable to determine IP address of %s",
VETH_LINK_NAME);
return 1;
}
struct nl_addr *gw_addr;
err = get_default_gw_inet_addr(sk, &gw_addr);
if (err) {
warnx("error: get_deGfault_gw_inet_addr() failed");
return 1;
}
if (gw_addr == NULL) {
warnx("error: No default gateway found. This is currently "
"not supported");
return 1;
}
/*
* Create bridge and tap interface, enslave veth and tap interfaces to
* bridge.
*/
err = create_bridge_link(sk, BRIDGE_LINK_NAME);
if (err < 0) {
warnx("create_bridge_link(%s) failed: %s", BRIDGE_LINK_NAME,
nl_geterror(err));
return 1;
}
int tap_fd;
if (hypervisor == UKVM)
err = create_tap_link(TAP_LINK_NAME, &tap_fd);
else
err = create_tap_link(TAP_LINK_NAME, NULL);
if (err != 0) {
warnx("create_tap_link(%s) failed: %s", TAP_LINK_NAME, strerror(err));
return 1;
}
/* Refill link cache with newly-created interfaces */
nl_cache_refill(sk, link_cache);
struct rtnl_link *l_bridge;
l_bridge = rtnl_link_get_by_name(link_cache, BRIDGE_LINK_NAME);
if (l_bridge == NULL) {
warnx("error: Could not get link information for %s", BRIDGE_LINK_NAME);
return 1;
}
struct rtnl_link *l_tap;
l_tap = rtnl_link_get_by_name(link_cache, TAP_LINK_NAME);
if (l_tap == NULL) {
warnx("error: Could not get link information for %s", TAP_LINK_NAME);
return 1;
}
err = rtnl_link_enslave(sk, l_bridge, l_veth);
if (err < 0) {
warnx("error: Unable to enslave %s to %s: %s", VETH_LINK_NAME,
BRIDGE_LINK_NAME, nl_geterror(err));
return 1;
}
err = rtnl_link_enslave(sk, l_bridge, l_tap);
if (err < 0) {
warnx("error: Unable to enslave %s to %s: %s", TAP_LINK_NAME,
BRIDGE_LINK_NAME, nl_geterror(err));
return 1;
}
/*
* Flush all IPv4 addresses from the veth interface. This is now safe
* as we are good to commit and have retrieved the existing configuration.
*/
struct rtnl_addr *flush_addr;
flush_addr = rtnl_addr_alloc();
assert(flush_addr);
rtnl_addr_set_ifindex(flush_addr, rtnl_link_get_ifindex(l_veth));
rtnl_addr_set_family(flush_addr, AF_INET);
rtnl_addr_set_local(flush_addr, veth_addr);
err = rtnl_addr_delete(sk, flush_addr, 0);
if (err < 0) {
warnx("error: Could not flush addresses on %s: %s", VETH_LINK_NAME,
nl_geterror(err));
return 1;
}
rtnl_addr_put(flush_addr);
/*
* Bring up the tap and bridge interfaces.
*/
struct rtnl_link *l_up;
l_up = rtnl_link_alloc();
assert(l_up);
/* You'd think set_operstate was the thing to do here. It's not. */
rtnl_link_set_flags(l_up, IFF_UP);
err = rtnl_link_change(sk, l_tap, l_up, 0);
if (err < 0) {
warnx("error: rtnl_link_change(%s, UP) failed: %s", TAP_LINK_NAME,
nl_geterror(err));
return 1;
}
err = rtnl_link_change(sk, l_bridge, l_up, 0);
if (err < 0) {
warnx("error: rtnl_link_change(%s, UP) failed: %s", BRIDGE_LINK_NAME,
nl_geterror(err));
return 1;
}
rtnl_link_put(l_up);
/*
* Collect network configuration data.
*/
char ip[AF_INET_BUFSIZE];
if (inet_ntop(AF_INET, nl_addr_get_binary_addr(veth_addr), ip,
sizeof ip) == NULL) {
perror("inet_ntop()");
return 1;
}
char uarg_ip[AF_INET_BUFSIZE];
unsigned int prefixlen = nl_addr_get_prefixlen(veth_addr);
snprintf(uarg_ip, sizeof uarg_ip, "%s/%u", ip, prefixlen);
char uarg_gw[AF_INET_BUFSIZE];
if (inet_ntop(AF_INET, nl_addr_get_binary_addr(gw_addr), uarg_gw,
sizeof uarg_gw) == NULL) {
perror("inet_ntop()");
return 1;
}
/*
* Build unikernel and hypervisor arguments.
*/
ptrvec* uargpv = pvnew();
char *uarg_buf;
/*
* QEMU/KVM:
* /usr/bin/qemu-system-x86_64 <qemu args> -kernel <unikernel> -append "<unikernel args>"
*/
if (hypervisor == QEMU || hypervisor == KVM) {
pvadd(uargpv, "/usr/bin/qemu-system-x86_64");
pvadd(uargpv, "-nodefaults");
pvadd(uargpv, "-no-acpi");
pvadd(uargpv, "-display");
pvadd(uargpv, "none");
pvadd(uargpv, "-serial");
pvadd(uargpv, "stdio");
pvadd(uargpv, "-m");
pvadd(uargpv, "512");
if (hypervisor == KVM) {
pvadd(uargpv, "-enable-kvm");
pvadd(uargpv, "-cpu");
pvadd(uargpv, "host");
}
else {
/*
* Required for AESNI use in Mirage.
*/
pvadd(uargpv, "-cpu");
pvadd(uargpv, "Westmere");
}
pvadd(uargpv, "-device");
char *guest_mac = generate_mac();
assert(guest_mac);
err = asprintf(&uarg_buf, "virtio-net-pci,netdev=n0,mac=%s", guest_mac);
assert(err != -1);
pvadd(uargpv, uarg_buf);
pvadd(uargpv, "-netdev");
err = asprintf(&uarg_buf, "tap,id=n0,ifname=%s,script=no,downscript=no",
TAP_LINK_NAME);
assert(err != -1);
pvadd(uargpv, uarg_buf);
pvadd(uargpv, "-kernel");
pvadd(uargpv, unikernel);
pvadd(uargpv, "-append");
/*
* TODO: Replace any occurences of ',' with ',,' in -append, because
* QEMU arguments are insane.
*/
char cmdline[1024];
char *cmdline_p = cmdline;
size_t cmdline_free = sizeof cmdline;
for (; *argv; argc--, argv++) {
size_t alen = snprintf(cmdline_p, cmdline_free, "%s%s", *argv,
(argc > 1) ? " " : "");
if (alen >= cmdline_free) {
warnx("error: Command line too long");
return 1;
}
cmdline_free -= alen;
cmdline_p += alen;
}
size_t alen = snprintf(cmdline_p, cmdline_free,
"--ipv4=%s --ipv4-gateway=%s", uarg_ip, uarg_gw);
if (alen >= cmdline_free) {
warnx("error: Command line too long");
return 1;
}
pvadd(uargpv, cmdline);
}
/*
* UKVM:
* /unikernel/ukvm <ukvm args> <unikernel> -- <unikernel args>
*/
else if (hypervisor == UKVM) {
pvadd(uargpv, "/unikernel/ukvm");
err = asprintf(&uarg_buf, "--net=@%d", tap_fd);
assert(err != -1);
pvadd(uargpv, uarg_buf);
pvadd(uargpv, "--");
pvadd(uargpv, unikernel);
for (; *argv; argc--, argv++) {
pvadd(uargpv, *argv);
}
err = asprintf(&uarg_buf, "--ipv4=%s", uarg_ip);
assert(err != -1);
pvadd(uargpv, uarg_buf);
err = asprintf(&uarg_buf, "--ipv4-gateway=%s", uarg_gw);
assert(err != -1);
pvadd(uargpv, uarg_buf);
}
/*
* UNIX:
* <unikernel> <unikernel args>
*/
else if (hypervisor == UNIX) {
pvadd(uargpv, unikernel);
err = asprintf(&uarg_buf, "--interface=%s", TAP_LINK_NAME);
assert(err != -1);
pvadd(uargpv, uarg_buf);
for (; *argv; argc--, argv++) {
pvadd(uargpv, *argv);
}
err = asprintf(&uarg_buf, "--ipv4=%s", uarg_ip);
assert(err != -1);
pvadd(uargpv, uarg_buf);
err = asprintf(&uarg_buf, "--ipv4-gateway=%s", uarg_gw);
assert(err != -1);
pvadd(uargpv, uarg_buf);
}
char **uargv = (char **)pvfinal(uargpv);
/*
* Done with netlink, free all resources and close socket.
*/
rtnl_link_put(l_veth);
rtnl_link_put(l_bridge);
rtnl_link_put(l_tap);
nl_addr_put(veth_addr);
nl_addr_put(gw_addr);
nl_cache_free(link_cache);
nl_close(sk);
nl_socket_free(sk);
/*
* Drop all capabilities except CAP_NET_BIND_SERVICE.
*/
capng_clear(CAPNG_SELECT_BOTH);
capng_update(CAPNG_ADD,
CAPNG_EFFECTIVE | CAPNG_PERMITTED | CAPNG_INHERITABLE,
CAP_NET_BIND_SERVICE);
if (capng_apply(CAPNG_SELECT_BOTH) != 0) {
warnx("error: Could not drop capabilities");
return 1;
}
/*
* Run the unikernel.
*/
err = execv(uargv[0], uargv);
warn("error: execv() of %s failed", uargv[0]);
return 1;
}
int configure_loopback_interface() {
struct nl_sock *sock = NULL;
struct rtnl_addr *addr = NULL;
struct nl_addr* lo_addr = NULL;
struct nl_cache *cache = NULL;
struct rtnl_link *link = NULL, *link2 = NULL;
int err, nlflags = NLM_F_CREATE, ret = 0;
if(!want_cap(CAP_NET_ADMIN)) {
errWarn("Cannot set the CAP_NET_ADMIN effective capability");
return -1;
}
sock = nl_socket_alloc();
if(sock == NULL) {
errWarn("nl_socket_alloc");
return -1;
}
if((err = nl_connect(sock, NETLINK_ROUTE)) < 0) {
fprintf(stderr, "Unable to connect to netlink: %s\n", nl_geterror(err));
ret = -1;
goto out2;
}
if(rtnl_link_alloc_cache(sock, AF_UNSPEC, &cache) < 0) {
ret = -1;
goto out;
}
link = rtnl_link_get_by_name(cache, "lo");
if (link == NULL) {
ret = -1;
goto out;
}
addr = rtnl_addr_alloc();
if(addr == NULL) {
ret = -1;
goto out;
}
rtnl_addr_set_link(addr, link);
rtnl_addr_set_family(addr, AF_INET);
if((err = nl_addr_parse("127.0.0.1/8", AF_INET, &lo_addr)) < 0) {
fprintf(stderr, "Unable to parse address: %s\n", nl_geterror(err));
ret = -1;
goto out;
}
if((err = rtnl_addr_set_local(addr, lo_addr)) < 0) {
fprintf(stderr, "Unable to set address: %s\n", nl_geterror(err));
ret = -1;
goto out;
}
nl_addr_put(lo_addr);
lo_addr = NULL;
if ((err = rtnl_addr_add(sock, addr, nlflags)) < 0) {
fprintf(stderr, "Unable to add address: %s\n", nl_geterror(err));
ret = -1;
goto out;
}
rtnl_addr_set_family(addr, AF_INET6);
if((err = nl_addr_parse("::1/128", AF_INET6, &lo_addr)) < 0) {
fprintf(stderr, "Unable to parse address: %s\n", nl_geterror(err));
ret = -1;
goto out;
}
if((err = rtnl_addr_set_local(addr, lo_addr)) < 0) {
fprintf(stderr, "Unable to set address: %s\n", nl_geterror(err));
ret = -1;
goto out;
}
nl_addr_put(lo_addr);
lo_addr = NULL;
if ((err = rtnl_addr_add(sock, addr, nlflags)) < 0) {
fprintf(stderr, "Unable to add address: %s\n", nl_geterror(err));
ret = -1;
goto out;
}
link2 = rtnl_link_alloc();
if(link2 == NULL) {
ret = -1;
goto out;
}
rtnl_link_set_flags(link2, IFF_UP);
if((err = rtnl_link_change(sock, link, link2, 0)) < 0) {
fprintf(stderr, "Unable to change link: %s\n", nl_geterror(err));
ret = -1;
goto out;
}
out:
if(lo_addr!=NULL)
nl_addr_put(lo_addr);
if(link2!=NULL)
rtnl_link_put(link2);
if(link!=NULL)
rtnl_link_put(link);
if(cache!=NULL)
nl_cache_put(cache);
if(addr!=NULL)
rtnl_addr_put(addr);
nl_close(sock);
out2:
nl_socket_free(sock);
drop_caps();
return ret;
}