fib_rules: add route suppression based on ifgroup

This change adds the ability to suppress a routing decision based upon the
interface group the selected interface belongs to. This allows it to
exclude specific devices from a routing decision.

Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Stefan Tomanek 2013-08-02 17:19:56 +02:00 committed by David S. Miller
parent d1c53c8e87
commit 6ef94cfafb
5 changed files with 43 additions and 10 deletions

View File

@ -18,6 +18,7 @@ struct fib_rule {
u32 pref; u32 pref;
u32 flags; u32 flags;
u32 table; u32 table;
int suppress_ifgroup;
u8 table_prefixlen_min; u8 table_prefixlen_min;
u8 action; u8 action;
u32 target; u32 target;
@ -84,6 +85,7 @@ struct fib_rules_ops {
[FRA_FWMASK] = { .type = NLA_U32 }, \ [FRA_FWMASK] = { .type = NLA_U32 }, \
[FRA_TABLE] = { .type = NLA_U32 }, \ [FRA_TABLE] = { .type = NLA_U32 }, \
[FRA_TABLE_PREFIXLEN_MIN] = { .type = NLA_U8 }, \ [FRA_TABLE_PREFIXLEN_MIN] = { .type = NLA_U8 }, \
[FRA_SUPPRESS_IFGROUP] = { .type = NLA_U32 }, \
[FRA_GOTO] = { .type = NLA_U32 } [FRA_GOTO] = { .type = NLA_U32 }
static inline void fib_rule_get(struct fib_rule *rule) static inline void fib_rule_get(struct fib_rule *rule)

View File

@ -44,7 +44,7 @@ enum {
FRA_FWMARK, /* mark */ FRA_FWMARK, /* mark */
FRA_FLOW, /* flow/class id */ FRA_FLOW, /* flow/class id */
FRA_UNUSED6, FRA_UNUSED6,
FRA_UNUSED7, FRA_SUPPRESS_IFGROUP,
FRA_TABLE_PREFIXLEN_MIN, FRA_TABLE_PREFIXLEN_MIN,
FRA_TABLE, /* Extended table id */ FRA_TABLE, /* Extended table id */
FRA_FWMASK, /* mask for netfilter mark */ FRA_FWMASK, /* mask for netfilter mark */

View File

@ -343,6 +343,9 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh)
if (tb[FRA_TABLE_PREFIXLEN_MIN]) if (tb[FRA_TABLE_PREFIXLEN_MIN])
rule->table_prefixlen_min = nla_get_u8(tb[FRA_TABLE_PREFIXLEN_MIN]); rule->table_prefixlen_min = nla_get_u8(tb[FRA_TABLE_PREFIXLEN_MIN]);
if (tb[FRA_SUPPRESS_IFGROUP])
rule->suppress_ifgroup = nla_get_u32(tb[FRA_SUPPRESS_IFGROUP]);
if (!tb[FRA_PRIORITY] && ops->default_pref) if (!tb[FRA_PRIORITY] && ops->default_pref)
rule->pref = ops->default_pref(ops); rule->pref = ops->default_pref(ops);
@ -529,6 +532,7 @@ static inline size_t fib_rule_nlmsg_size(struct fib_rules_ops *ops,
+ nla_total_size(4) /* FRA_PRIORITY */ + nla_total_size(4) /* FRA_PRIORITY */
+ nla_total_size(4) /* FRA_TABLE */ + nla_total_size(4) /* FRA_TABLE */
+ nla_total_size(1) /* FRA_TABLE_PREFIXLEN_MIN */ + nla_total_size(1) /* FRA_TABLE_PREFIXLEN_MIN */
+ nla_total_size(4) /* FRA_SUPPRESS_IFGROUP */
+ nla_total_size(4) /* FRA_FWMARK */ + nla_total_size(4) /* FRA_FWMARK */
+ nla_total_size(4); /* FRA_FWMASK */ + nla_total_size(4); /* FRA_FWMASK */
@ -588,6 +592,12 @@ static int fib_nl_fill_rule(struct sk_buff *skb, struct fib_rule *rule,
(rule->target && (rule->target &&
nla_put_u32(skb, FRA_GOTO, rule->target))) nla_put_u32(skb, FRA_GOTO, rule->target)))
goto nla_put_failure; goto nla_put_failure;
if (rule->suppress_ifgroup != -1) {
if (nla_put_u32(skb, FRA_SUPPRESS_IFGROUP, rule->suppress_ifgroup))
goto nla_put_failure;
}
if (ops->fill(rule, skb, frh) < 0) if (ops->fill(rule, skb, frh) < 0)
goto nla_put_failure; goto nla_put_failure;

View File

@ -103,16 +103,27 @@ static int fib4_rule_action(struct fib_rule *rule, struct flowi *flp,
static bool fib4_rule_suppress(struct fib_rule *rule, struct fib_lookup_arg *arg) static bool fib4_rule_suppress(struct fib_rule *rule, struct fib_lookup_arg *arg)
{ {
struct fib_result *result = (struct fib_result *) arg->result;
struct net_device *dev = result->fi->fib_dev;
/* do not accept result if the route does /* do not accept result if the route does
* not meet the required prefix length * not meet the required prefix length
*/ */
struct fib_result *result = (struct fib_result *) arg->result; if (result->prefixlen < rule->table_prefixlen_min)
if (result->prefixlen < rule->table_prefixlen_min) { goto suppress_route;
if (!(arg->flags & FIB_LOOKUP_NOREF))
fib_info_put(result->fi); /* do not accept result if the route uses a device
return true; * belonging to a forbidden interface group
} */
if (rule->suppress_ifgroup != -1 && dev && dev->group == rule->suppress_ifgroup)
goto suppress_route;
return false; return false;
suppress_route:
if (!(arg->flags & FIB_LOOKUP_NOREF))
fib_info_put(result->fi);
return true;
} }
static int fib4_rule_match(struct fib_rule *rule, struct flowi *fl, int flags) static int fib4_rule_match(struct fib_rule *rule, struct flowi *fl, int flags)

View File

@ -122,14 +122,24 @@ static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp,
static bool fib6_rule_suppress(struct fib_rule *rule, struct fib_lookup_arg *arg) static bool fib6_rule_suppress(struct fib_rule *rule, struct fib_lookup_arg *arg)
{ {
struct rt6_info *rt = (struct rt6_info *) arg->result; struct rt6_info *rt = (struct rt6_info *) arg->result;
struct net_device *dev = rt->rt6i_idev->dev;
/* do not accept result if the route does /* do not accept result if the route does
* not meet the required prefix length * not meet the required prefix length
*/ */
if (rt->rt6i_dst.plen < rule->table_prefixlen_min) { if (rt->rt6i_dst.plen < rule->table_prefixlen_min)
goto suppress_route;
/* do not accept result if the route uses a device
* belonging to a forbidden interface group
*/
if (rule->suppress_ifgroup != -1 && dev && dev->group == rule->suppress_ifgroup)
goto suppress_route;
return false;
suppress_route:
ip6_rt_put(rt); ip6_rt_put(rt);
return true; return true;
}
return false;
} }
static int fib6_rule_match(struct fib_rule *rule, struct flowi *fl, int flags) static int fib6_rule_match(struct fib_rule *rule, struct flowi *fl, int flags)