fib_rules: add route suppression based on ifgroup
This change adds the ability to suppress a routing decision based upon the interface group the selected interface belongs to. This allows specific devices to be excluded from a routing decision. Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de> Signed-off-by: David S. Miller <davem@davemloft.net>
Родитель
d1c53c8e87
Коммит
6ef94cfafb
|
@ -18,6 +18,7 @@ struct fib_rule {
|
|||
u32 pref;
|
||||
u32 flags;
|
||||
u32 table;
|
||||
int suppress_ifgroup;
|
||||
u8 table_prefixlen_min;
|
||||
u8 action;
|
||||
u32 target;
|
||||
|
@ -84,6 +85,7 @@ struct fib_rules_ops {
|
|||
[FRA_FWMASK] = { .type = NLA_U32 }, \
|
||||
[FRA_TABLE] = { .type = NLA_U32 }, \
|
||||
[FRA_TABLE_PREFIXLEN_MIN] = { .type = NLA_U8 }, \
|
||||
[FRA_SUPPRESS_IFGROUP] = { .type = NLA_U32 }, \
|
||||
[FRA_GOTO] = { .type = NLA_U32 }
|
||||
|
||||
static inline void fib_rule_get(struct fib_rule *rule)
|
||||
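Review bot: `suppress_ifgroup` is declared as a signed `int` in `struct fib_rule`, while the policy entry in the second hunk types `FRA_SUPPRESS_IFGROUP` as `NLA_U32` and the rest of the commit treats -1 as "suppressor disabled". A userspace value of 0xffffffff therefore passes the policy and, once stored in the `int`, is indistinguishable from the disabled sentinel, so a rule the administrator expects to filter would silently not filter. I would document the sentinel on the field, e.g. `int suppress_ifgroup; /* -1 = disabled, otherwise ifgroup whose routes are suppressed */`, and have the parsing side reject or explicitly handle that out-of-range value. Both struct bodies continue outside the hunks.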
|
|
|
@ -44,7 +44,7 @@ enum {
|
|||
FRA_FWMARK, /* mark */
|
||||
FRA_FLOW, /* flow/class id */
|
||||
FRA_UNUSED6,
|
||||
FRA_UNUSED7,
|
||||
FRA_SUPPRESS_IFGROUP,
|
||||
FRA_TABLE_PREFIXLEN_MIN,
|
||||
FRA_TABLE, /* Extended table id */
|
||||
FRA_FWMASK, /* mask for netfilter mark */
|
||||
|
|
|
@ -343,6 +343,9 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh)
|
|||
if (tb[FRA_TABLE_PREFIXLEN_MIN])
|
||||
rule->table_prefixlen_min = nla_get_u8(tb[FRA_TABLE_PREFIXLEN_MIN]);
|
||||
|
||||
if (tb[FRA_SUPPRESS_IFGROUP])
|
||||
rule->suppress_ifgroup = nla_get_u32(tb[FRA_SUPPRESS_IFGROUP]);
|
||||
|
||||
if (!tb[FRA_PRIORITY] && ops->default_pref)
|
||||
rule->pref = ops->default_pref(ops);
|
||||
|
||||
|
@ -529,6 +532,7 @@ static inline size_t fib_rule_nlmsg_size(struct fib_rules_ops *ops,
|
|||
+ nla_total_size(4) /* FRA_PRIORITY */
|
||||
+ nla_total_size(4) /* FRA_TABLE */
|
||||
+ nla_total_size(1) /* FRA_TABLE_PREFIXLEN_MIN */
|
||||
+ nla_total_size(4) /* FRA_SUPPRESS_IFGROUP */
|
||||
+ nla_total_size(4) /* FRA_FWMARK */
|
||||
+ nla_total_size(4); /* FRA_FWMASK */
|
||||
|
||||
|
@ -588,6 +592,12 @@ static int fib_nl_fill_rule(struct sk_buff *skb, struct fib_rule *rule,
|
|||
(rule->target &&
|
||||
nla_put_u32(skb, FRA_GOTO, rule->target)))
|
||||
goto nla_put_failure;
|
||||
|
||||
if (rule->suppress_ifgroup != -1) {
|
||||
if (nla_put_u32(skb, FRA_SUPPRESS_IFGROUP, rule->suppress_ifgroup))
|
||||
goto nla_put_failure;
|
||||
}
|
||||
|
||||
if (ops->fill(rule, skb, frh) < 0)
|
||||
goto nla_put_failure;
|
||||
|
||||
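Review bot: The `fib_nl_newrule` hunk assigns `rule->suppress_ifgroup` only when `tb[FRA_SUPPRESS_IFGROUP]` is present, and no visible line sets the -1 "disabled" value that `fib_nl_fill_rule` and the suppress callbacks test for. If the rule is zero-initialised at allocation (the allocation is outside the hunk, so this is an assumption), a rule created without the attribute ends up with group 0, the default group of a net device. In that case routes via ordinary interfaces would be suppressed and the attribute would be dumped for every rule. An explicit default after the new `if` closes this: `else rule->suppress_ifgroup = -1;`. Both functions continue outside their hunks, so any other place that creates rules should be checked for the same default.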
|
|
|
@ -103,16 +103,27 @@ errout:
|
|||
|
||||
static bool fib4_rule_suppress(struct fib_rule *rule, struct fib_lookup_arg *arg)
|
||||
{
|
||||
struct fib_result *result = (struct fib_result *) arg->result;
|
||||
struct net_device *dev = result->fi->fib_dev;
|
||||
|
||||
/* do not accept result if the route does
|
||||
* not meet the required prefix length
|
||||
*/
|
||||
struct fib_result *result = (struct fib_result *) arg->result;
|
||||
if (result->prefixlen < rule->table_prefixlen_min) {
|
||||
if (!(arg->flags & FIB_LOOKUP_NOREF))
|
||||
fib_info_put(result->fi);
|
||||
return true;
|
||||
}
|
||||
if (result->prefixlen < rule->table_prefixlen_min)
|
||||
goto suppress_route;
|
||||
|
||||
/* do not accept result if the route uses a device
|
||||
* belonging to a forbidden interface group
|
||||
*/
|
||||
if (rule->suppress_ifgroup != -1 && dev && dev->group == rule->suppress_ifgroup)
|
||||
goto suppress_route;
|
||||
|
||||
return false;
|
||||
|
||||
suppress_route:
|
||||
if (!(arg->flags & FIB_LOOKUP_NOREF))
|
||||
fib_info_put(result->fi);
|
||||
return true;
|
||||
}
|
||||
|
||||
static int fib4_rule_match(struct fib_rule *rule, struct flowi *fl, int flags)
|
||||
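Review bot: `fib4_rule_suppress` evaluates `result->fi->fib_dev` in a declaration at the top of the function, so `result->fi` is dereferenced on every call before either check runs. Whether a result can reach this callback with `fi == NULL` is not visible here, but the later `dev &&` test shows a missing device was anticipated, and the same care is needed one level up: `struct net_device *dev = NULL;` followed by `if (result->fi) dev = result->fi->fib_dev;`. `fib6_rule_suppress` has the same shape with `rt->rt6i_idev->dev` and would want `if (rt->rt6i_idev) dev = rt->rt6i_idev->dev;`. A NULL dereference here would sit in the route lookup path, so the guard is worth having even if current callers always populate these fields.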
|
|
|
@ -122,14 +122,24 @@ out:
|
|||
static bool fib6_rule_suppress(struct fib_rule *rule, struct fib_lookup_arg *arg)
|
||||
{
|
||||
struct rt6_info *rt = (struct rt6_info *) arg->result;
|
||||
struct net_device *dev = rt->rt6i_idev->dev;
|
||||
/* do not accept result if the route does
|
||||
* not meet the required prefix length
|
||||
*/
|
||||
if (rt->rt6i_dst.plen < rule->table_prefixlen_min) {
|
||||
if (rt->rt6i_dst.plen < rule->table_prefixlen_min)
|
||||
goto suppress_route;
|
||||
|
||||
/* do not accept result if the route uses a device
|
||||
* belonging to a forbidden interface group
|
||||
*/
|
||||
if (rule->suppress_ifgroup != -1 && dev && dev->group == rule->suppress_ifgroup)
|
||||
goto suppress_route;
|
||||
|
||||
return false;
|
||||
|
||||
suppress_route:
|
||||
ip6_rt_put(rt);
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
static int fib6_rule_match(struct fib_rule *rule, struct flowi *fl, int flags)
|
||||
|
|