![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to kernel_netlink_net.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / plugins / kernel_netlink|
Return to kernel_netlink_net.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / plugins / kernel_netlink |
1.1 misho 1: /*
2: * Copyright (C) 2008-2019 Tobias Brunner
3: * Copyright (C) 2005-2008 Martin Willi
4: * HSR Hochschule fuer Technik Rapperswil
5: *
6: * This program is free software; you can redistribute it and/or modify it
7: * under the terms of the GNU General Public License as published by the
8: * Free Software Foundation; either version 2 of the License, or (at your
9: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10: *
11: * This program is distributed in the hope that it will be useful, but
12: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14: * for more details.
15: */
16:
17: /*
18: * Copyright (C) 2010 secunet Security Networks AG
19: * Copyright (C) 2010 Thomas Egerer
20: *
21: * Permission is hereby granted, free of charge, to any person obtaining a copy
22: * of this software and associated documentation files (the "Software"), to deal
23: * in the Software without restriction, including without limitation the rights
24: * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
25: * copies of the Software, and to permit persons to whom the Software is
26: * furnished to do so, subject to the following conditions:
27: *
28: * The above copyright notice and this permission notice shall be included in
29: * all copies or substantial portions of the Software.
30: *
31: * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
32: * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
33: * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
34: * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
35: * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
36: * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
37: * THE SOFTWARE.
38: */
39:
40: #include <sys/socket.h>
41: #include <sys/utsname.h>
42: #include <linux/netlink.h>
43: #include <linux/rtnetlink.h>
44: #include <linux/if_addrlabel.h>
45: #include <unistd.h>
46: #include <errno.h>
47: #include <net/if.h>
48: #ifdef HAVE_LINUX_FIB_RULES_H
49: #include <linux/fib_rules.h>
50: #endif
51:
52: #include "kernel_netlink_net.h"
53: #include "kernel_netlink_shared.h"
54:
55: #include <daemon.h>
56: #include <utils/debug.h>
57: #include <threading/mutex.h>
58: #include <threading/rwlock.h>
59: #include <threading/rwlock_condvar.h>
60: #include <threading/spinlock.h>
61: #include <collections/hashtable.h>
62: #include <collections/linked_list.h>
63: #include <processing/jobs/callback_job.h>
64:
65: /** delay before firing roam events (ms) */
66: #define ROAM_DELAY 100
67:
68: /** delay before reinstalling routes (ms) */
69: #define ROUTE_DELAY 100
70:
71: /** maximum recursion when searching for addresses in get_route() */
72: #define MAX_ROUTE_RECURSION 2
73:
74: #ifndef ROUTING_TABLE
75: #define ROUTING_TABLE 0
76: #endif
77:
78: #ifndef ROUTING_TABLE_PRIO
79: #define ROUTING_TABLE_PRIO 0
80: #endif
81:
82: /** multicast groups (for groups > 31 setsockopt has to be used) */
83: #define nl_group(group) (1 << (group - 1))
84:
85: ENUM(rt_msg_names, RTM_NEWLINK, RTM_GETRULE,
86: "RTM_NEWLINK",
87: "RTM_DELLINK",
88: "RTM_GETLINK",
89: "RTM_SETLINK",
90: "RTM_NEWADDR",
91: "RTM_DELADDR",
92: "RTM_GETADDR",
93: "23",
94: "RTM_NEWROUTE",
95: "RTM_DELROUTE",
96: "RTM_GETROUTE",
97: "27",
98: "RTM_NEWNEIGH",
99: "RTM_DELNEIGH",
100: "RTM_GETNEIGH",
101: "31",
102: "RTM_NEWRULE",
103: "RTM_DELRULE",
104: "RTM_GETRULE",
105: );
106:
107: typedef struct addr_entry_t addr_entry_t;
108:
109: /**
110: * IP address in an iface_entry_t
111: */
112: struct addr_entry_t {
113:
114: /** the ip address */
115: host_t *ip;
116:
117: /** address flags */
118: u_char flags;
119:
120: /** scope of the address */
121: u_char scope;
122:
123: /** number of times this IP is used, if virtual (i.e. managed by us) */
124: u_int refcount;
125:
126: /** TRUE once it is installed, if virtual */
127: bool installed;
128: };
129:
130: /**
131: * destroy a addr_entry_t object
132: */
133: static void addr_entry_destroy(addr_entry_t *this)
134: {
135: this->ip->destroy(this->ip);
136: free(this);
137: }
138:
139: typedef struct iface_entry_t iface_entry_t;
140:
141: /**
142: * A network interface on this system, containing addr_entry_t's
143: */
144: struct iface_entry_t {
145:
146: /** interface index */
147: int ifindex;
148:
149: /** name of the interface */
150: char ifname[IFNAMSIZ];
151:
152: /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
153: u_int flags;
154:
155: /** list of addresses as host_t */
156: linked_list_t *addrs;
157:
158: /** TRUE if usable by config */
159: bool usable;
160: };
161:
162: /**
163: * destroy an interface entry
164: */
165: static void iface_entry_destroy(iface_entry_t *this)
166: {
167: this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
168: free(this);
169: }
170:
171: CALLBACK(iface_entry_by_index, bool,
172: iface_entry_t *this, va_list args)
173: {
174: int ifindex;
175:
176: VA_ARGS_VGET(args, ifindex);
177: return this->ifindex == ifindex;
178: }
179:
180: CALLBACK(iface_entry_by_name, bool,
181: iface_entry_t *this, va_list args)
182: {
183: char *ifname;
184:
185: VA_ARGS_VGET(args, ifname);
186: return streq(this->ifname, ifname);
187: }
188:
189: /**
190: * check if an interface is up
191: */
192: static inline bool iface_entry_up(iface_entry_t *iface)
193: {
194: return (iface->flags & IFF_UP) == IFF_UP;
195: }
196:
197: /**
198: * check if an interface is up and usable
199: */
200: static inline bool iface_entry_up_and_usable(iface_entry_t *iface)
201: {
202: return iface->usable && iface_entry_up(iface);
203: }
204:
205: typedef struct addr_map_entry_t addr_map_entry_t;
206:
207: /**
208: * Entry that maps an IP address to an interface entry
209: */
210: struct addr_map_entry_t {
211: /** The IP address */
212: host_t *ip;
213:
214: /** The address entry for this IP address */
215: addr_entry_t *addr;
216:
217: /** The interface this address is installed on */
218: iface_entry_t *iface;
219: };
220:
221: /**
222: * Hash a addr_map_entry_t object, all entries with the same IP address
223: * are stored in the same bucket
224: */
225: static u_int addr_map_entry_hash(addr_map_entry_t *this)
226: {
227: return chunk_hash(this->ip->get_address(this->ip));
228: }
229:
230: /**
231: * Compare two addr_map_entry_t objects, two entries are equal if they are
232: * installed on the same interface
233: */
234: static bool addr_map_entry_equals(addr_map_entry_t *a, addr_map_entry_t *b)
235: {
236: return a->iface->ifindex == b->iface->ifindex &&
237: a->ip->ip_equals(a->ip, b->ip);
238: }
239:
240: /**
241: * Used with get_match this finds an address entry if it is installed on
242: * an up and usable interface
243: */
244: static bool addr_map_entry_match_up_and_usable(addr_map_entry_t *a,
245: addr_map_entry_t *b)
246: {
247: return iface_entry_up_and_usable(b->iface) &&
248: a->ip->ip_equals(a->ip, b->ip);
249: }
250:
251: /**
252: * Used with get_match this finds an address entry if it is installed on
253: * any active local interface
254: */
255: static bool addr_map_entry_match_up(addr_map_entry_t *a, addr_map_entry_t *b)
256: {
257: return iface_entry_up(b->iface) && a->ip->ip_equals(a->ip, b->ip);
258: }
259:
260: /**
261: * Used with get_match this finds an address entry if it is installed on
262: * any local interface
263: */
264: static bool addr_map_entry_match(addr_map_entry_t *a, addr_map_entry_t *b)
265: {
266: return a->ip->ip_equals(a->ip, b->ip);
267: }
268:
269: typedef struct net_change_t net_change_t;
270:
271: /**
272: * Queued network changes
273: */
274: struct net_change_t {
275: /** Name of the interface that got activated (or an IP appeared on) */
276: char *if_name;
277: };
278:
279: /**
280: * Destroy a net_change_t object
281: */
282: static void net_change_destroy(net_change_t *this)
283: {
284: free(this->if_name);
285: free(this);
286: }
287:
288: /**
289: * Hash a net_change_t object
290: */
291: static u_int net_change_hash(net_change_t *this)
292: {
293: return chunk_hash(chunk_create(this->if_name, strlen(this->if_name)));
294: }
295:
296: /**
297: * Compare two net_change_t objects
298: */
299: static bool net_change_equals(net_change_t *a, net_change_t *b)
300: {
301: return streq(a->if_name, b->if_name);
302: }
303:
304: typedef struct private_kernel_netlink_net_t private_kernel_netlink_net_t;
305:
306: /**
307: * Private variables and functions of kernel_netlink_net class.
308: */
309: struct private_kernel_netlink_net_t {
310: /**
311: * Public part of the kernel_netlink_net_t object.
312: */
313: kernel_netlink_net_t public;
314:
315: /**
316: * lock to access various lists and maps
317: */
318: rwlock_t *lock;
319:
320: /**
321: * condition variable to signal virtual IP add/removal
322: */
323: rwlock_condvar_t *condvar;
324:
325: /**
326: * Cached list of interfaces and its addresses (iface_entry_t)
327: */
328: linked_list_t *ifaces;
329:
330: /**
331: * Map for IP addresses to iface_entry_t objects (addr_map_entry_t)
332: */
333: hashtable_t *addrs;
334:
335: /**
336: * Map for virtual IP addresses to iface_entry_t objects (addr_map_entry_t)
337: */
338: hashtable_t *vips;
339:
340: /**
341: * netlink rt socket (routing)
342: */
343: netlink_socket_t *socket;
344:
345: /**
346: * Netlink rt socket to receive address change events
347: */
348: int socket_events;
349:
350: /**
351: * earliest time of the next roam event
352: */
353: timeval_t next_roam;
354:
355: /**
356: * roam event due to address change
357: */
358: bool roam_address;
359:
360: /**
361: * lock to check and update roam event time
362: */
363: spinlock_t *roam_lock;
364:
365: /**
366: * routing table to install routes
367: */
368: uint32_t routing_table;
369:
370: /**
371: * priority of used routing table
372: */
373: uint32_t routing_table_prio;
374:
375: /**
376: * installed routes
377: */
378: hashtable_t *routes;
379:
380: /**
381: * mutex for routes
382: */
383: mutex_t *routes_lock;
384:
385: /**
386: * interface changes which may trigger route reinstallation
387: */
388: hashtable_t *net_changes;
389:
390: /**
391: * mutex for route reinstallation triggers
392: */
393: mutex_t *net_changes_lock;
394:
395: /**
396: * time of last route reinstallation
397: */
398: timeval_t last_route_reinstall;
399:
400: /**
401: * whether to react to RTM_NEWROUTE or RTM_DELROUTE events
402: */
403: bool process_route;
404:
405: /**
406: * whether to react to RTM_NEWRULE or RTM_DELRULE events
407: */
408: bool process_rules;
409:
410: /**
411: * whether to trigger roam events
412: */
413: bool roam_events;
414:
415: /**
416: * whether to install IPsec policy routes
417: */
418: bool install_routes;
419:
420: /**
421: * whether to actually install virtual IPs
422: */
423: bool install_virtual_ip;
424:
425: /**
426: * the name of the interface virtual IP addresses are installed on
427: */
428: char *install_virtual_ip_on;
429:
430: /**
431: * whether preferred source addresses can be specified for IPv6 routes
432: */
433: bool rta_prefsrc_for_ipv6;
434:
435: /**
436: * whether marks can be used in route lookups
437: */
438: bool rta_mark;
439:
440: /**
441: * the mark excluded from the routing rule used for virtual IPs
442: */
443: mark_t routing_mark;
444:
445: /**
446: * whether to prefer temporary IPv6 addresses over public ones
447: */
448: bool prefer_temporary_addrs;
449:
450: /**
451: * list with routing tables to be excluded from route lookup
452: */
453: linked_list_t *rt_exclude;
454:
455: /**
456: * MTU to set on installed routes
457: */
458: uint32_t mtu;
459:
460: /**
461: * MSS to set on installed routes
462: */
463: uint32_t mss;
464: };
465:
466: /**
467: * Forward declaration
468: */
469: static status_t manage_srcroute(private_kernel_netlink_net_t *this,
470: int nlmsg_type, int flags, chunk_t dst_net,
471: uint8_t prefixlen, host_t *gateway,
472: host_t *src_ip, char *if_name, bool pass);
473:
474: /**
475: * Clear the queued network changes.
476: */
477: static void net_changes_clear(private_kernel_netlink_net_t *this)
478: {
479: enumerator_t *enumerator;
480: net_change_t *change;
481:
482: enumerator = this->net_changes->create_enumerator(this->net_changes);
483: while (enumerator->enumerate(enumerator, NULL, (void**)&change))
484: {
485: this->net_changes->remove_at(this->net_changes, enumerator);
486: net_change_destroy(change);
487: }
488: enumerator->destroy(enumerator);
489: }
490:
491: /**
492: * Act upon queued network changes.
493: */
494: static job_requeue_t reinstall_routes(private_kernel_netlink_net_t *this)
495: {
496: enumerator_t *enumerator;
497: route_entry_t *route;
498:
499: this->net_changes_lock->lock(this->net_changes_lock);
500: this->routes_lock->lock(this->routes_lock);
501:
502: enumerator = this->routes->create_enumerator(this->routes);
503: while (enumerator->enumerate(enumerator, NULL, (void**)&route))
504: {
505: net_change_t *change, lookup = {
506: .if_name = route->if_name,
507: };
508: if (route->pass || !route->if_name)
509: { /* no need to reinstall these, they don't reference interfaces */
510: continue;
511: }
512: /* check if a change for the outgoing interface is queued */
513: change = this->net_changes->get(this->net_changes, &lookup);
514: if (!change)
515: { /* in case src_ip is not on the outgoing interface */
516: if (this->public.interface.get_interface(&this->public.interface,
517: route->src_ip, &lookup.if_name))
518: {
519: if (!streq(lookup.if_name, route->if_name))
520: {
521: change = this->net_changes->get(this->net_changes, &lookup);
522: }
523: free(lookup.if_name);
524: }
525: }
526: if (change)
527: {
528: manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
529: route->dst_net, route->prefixlen, route->gateway,
530: route->src_ip, route->if_name, route->pass);
531: }
532: }
533: enumerator->destroy(enumerator);
534: this->routes_lock->unlock(this->routes_lock);
535:
536: net_changes_clear(this);
537: this->net_changes_lock->unlock(this->net_changes_lock);
538: return JOB_REQUEUE_NONE;
539: }
540:
541: /**
542: * Queue route reinstallation caused by network changes for a given interface.
543: *
544: * The route reinstallation is delayed for a while and only done once for
545: * several calls during this delay, in order to avoid doing it too often.
546: * The interface name is freed.
547: */
548: static void queue_route_reinstall(private_kernel_netlink_net_t *this,
549: char *if_name)
550: {
551: net_change_t *update, *found;
552: timeval_t now;
553: job_t *job;
554:
555: INIT(update,
556: .if_name = if_name
557: );
558:
559: this->net_changes_lock->lock(this->net_changes_lock);
560: found = this->net_changes->put(this->net_changes, update, update);
561: if (found)
562: {
563: net_change_destroy(found);
564: }
565: time_monotonic(&now);
566: if (timercmp(&now, &this->last_route_reinstall, >))
567: {
568: timeval_add_ms(&now, ROUTE_DELAY);
569: this->last_route_reinstall = now;
570:
571: job = (job_t*)callback_job_create((callback_job_cb_t)reinstall_routes,
572: this, NULL, NULL);
573: lib->scheduler->schedule_job_ms(lib->scheduler, job, ROUTE_DELAY);
574: }
575: this->net_changes_lock->unlock(this->net_changes_lock);
576: }
577:
578: /**
579: * check if the given IP is known as virtual IP and currently installed
580: *
581: * this function will also return TRUE if the virtual IP entry disappeared.
582: * in that case the returned entry will be NULL.
583: *
584: * this->lock must be held when calling this function
585: */
586: static bool is_vip_installed_or_gone(private_kernel_netlink_net_t *this,
587: host_t *ip, addr_map_entry_t **entry)
588: {
589: addr_map_entry_t lookup = {
590: .ip = ip,
591: };
592:
593: *entry = this->vips->get_match(this->vips, &lookup,
594: (void*)addr_map_entry_match);
595: if (*entry == NULL)
596: { /* the virtual IP disappeared */
597: return TRUE;
598: }
599: return (*entry)->addr->installed;
600: }
601:
602: /**
603: * check if the given IP is known as virtual IP
604: *
605: * this->lock must be held when calling this function
606: */
607: static bool is_known_vip(private_kernel_netlink_net_t *this, host_t *ip)
608: {
609: addr_map_entry_t lookup = {
610: .ip = ip,
611: };
612:
613: return this->vips->get_match(this->vips, &lookup,
614: (void*)addr_map_entry_match) != NULL;
615: }
616:
617: /**
618: * Add an address map entry
619: */
620: static void addr_map_entry_add(hashtable_t *map, addr_entry_t *addr,
621: iface_entry_t *iface)
622: {
623: addr_map_entry_t *entry;
624:
625: INIT(entry,
626: .ip = addr->ip,
627: .addr = addr,
628: .iface = iface,
629: );
630: entry = map->put(map, entry, entry);
631: free(entry);
632: }
633:
634: /**
635: * Remove an address map entry
636: */
637: static void addr_map_entry_remove(hashtable_t *map, addr_entry_t *addr,
638: iface_entry_t *iface)
639: {
640: addr_map_entry_t *entry, lookup = {
641: .ip = addr->ip,
642: .addr = addr,
643: .iface = iface,
644: };
645:
646: entry = map->remove(map, &lookup);
647: free(entry);
648: }
649:
650: /**
651: * Check if an address or net (addr with prefix net bits) is in
652: * subnet (net with net_len net bits)
653: */
654: static bool addr_in_subnet(chunk_t addr, int prefix, chunk_t net, int net_len)
655: {
656: static const u_char mask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
657: int byte = 0;
658:
659: if (net_len == 0)
660: { /* any address matches a /0 network */
661: return TRUE;
662: }
663: if (addr.len != net.len || net_len > 8 * net.len || prefix < net_len)
664: {
665: return FALSE;
666: }
667: /* scan through all bytes in network order */
668: while (net_len > 0)
669: {
670: if (net_len < 8)
671: {
672: return (mask[net_len] & addr.ptr[byte]) == (mask[net_len] & net.ptr[byte]);
673: }
674: else
675: {
676: if (addr.ptr[byte] != net.ptr[byte])
677: {
678: return FALSE;
679: }
680: byte++;
681: net_len -= 8;
682: }
683: }
684: return TRUE;
685: }
686:
687: /**
688: * Check if the given address is in subnet (net with net_len net bits)
689: */
690: static bool host_in_subnet(host_t *host, chunk_t net, int net_len)
691: {
692: chunk_t addr;
693:
694: addr = host->get_address(host);
695: return addr_in_subnet(addr, addr.len * 8, net, net_len);
696: }
697:
698: /**
699: * Determine the type or scope of the given unicast IP address. This is not
700: * the same thing returned in rtm_scope/ifa_scope.
701: *
702: * We use return values as defined in RFC 6724 (referring to RFC 4291).
703: */
704: static u_char get_scope(host_t *ip)
705: {
706: chunk_t addr;
707:
708: addr = ip->get_address(ip);
709: switch (addr.len)
710: {
711: case 4:
712: /* we use the mapping defined in RFC 6724, 3.2 */
713: if (addr.ptr[0] == 127)
714: { /* link-local, same as the IPv6 loopback address */
715: return 2;
716: }
717: if (addr.ptr[0] == 169 && addr.ptr[1] == 254)
718: { /* link-local */
719: return 2;
720: }
721: break;
722: case 16:
723: if (IN6_IS_ADDR_LOOPBACK((struct in6_addr*)addr.ptr))
724: { /* link-local, according to RFC 4291, 2.5.3 */
725: return 2;
726: }
727: if (IN6_IS_ADDR_LINKLOCAL((struct in6_addr*)addr.ptr))
728: {
729: return 2;
730: }
731: if (IN6_IS_ADDR_SITELOCAL((struct in6_addr*)addr.ptr))
732: { /* deprecated, according to RFC 4291, 2.5.7 */
733: return 5;
734: }
735: break;
736: default:
737: break;
738: }
739: /* global */
740: return 14;
741: }
742:
743: /**
744: * Determine the label of the given unicast IP address.
745: *
746: * We currently only support the default table given in RFC 6724:
747: *
748: * Prefix Precedence Label
749: * ::1/128 50 0
750: * ::/0 40 1
751: * ::ffff:0:0/96 35 4
752: * 2002::/16 30 2
753: * 2001::/32 5 5
754: * fc00::/7 3 13
755: * ::/96 1 3
756: * fec0::/10 1 11
757: * 3ffe::/16 1 12
758: */
759: static u_char get_label(host_t *ip)
760: {
761: struct {
762: chunk_t net;
763: u_char prefix;
764: u_char label;
765: } priorities[] = {
766: /* priority table ordered by prefix */
767: /* ::1/128 */
768: { chunk_from_chars(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
769: 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01), 128, 0 },
770: /* ::ffff:0:0/96 */
771: { chunk_from_chars(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
772: 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00), 96, 4 },
773: /* ::/96 */
774: { chunk_from_chars(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
775: 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00), 96, 3 },
776: /* 2001::/32 */
777: { chunk_from_chars(0x20, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
778: 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00), 32, 5 },
779: /* 2002::/16 */
780: { chunk_from_chars(0x20, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
781: 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00), 16, 2 },
782: /* 3ffe::/16 */
783: { chunk_from_chars(0x3f, 0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
784: 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00), 16, 12 },
785: /* fec0::/10 */
786: { chunk_from_chars(0xfe, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
787: 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00), 10, 11 },
788: /* fc00::/7 */
789: { chunk_from_chars(0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
790: 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00), 7, 13 },
791: };
792: int i;
793:
794: for (i = 0; i < countof(priorities); i++)
795: {
796: if (host_in_subnet(ip, priorities[i].net, priorities[i].prefix))
797: {
798: return priorities[i].label;
799: }
800: }
801: /* ::/0 */
802: return 1;
803: }
804:
805: /**
806: * Returns the length of the common prefix in bits up to the length of a's
807: * prefix, defined by RFC 6724 as the portion of the address not including the
808: * interface ID, which is 64-bit for most unicast addresses (see RFC 4291).
809: */
810: static u_char common_prefix(host_t *a, host_t *b)
811: {
812: chunk_t aa, ba;
813: u_char byte, bits = 0, match;
814:
815: aa = a->get_address(a);
816: ba = b->get_address(b);
817: for (byte = 0; byte < 8; byte++)
818: {
819: if (aa.ptr[byte] != ba.ptr[byte])
820: {
821: match = aa.ptr[byte] ^ ba.ptr[byte];
822: for (bits = 8; match; match >>= 1)
823: {
824: bits--;
825: }
826: break;
827: }
828: }
829: return byte * 8 + bits;
830: }
831:
832: /**
833: * Compare two IP addresses and return TRUE if the second address is the better
834: * choice of the two to reach the destination.
835: * For IPv6 we approximately follow RFC 6724.
836: */
837: static bool is_address_better(private_kernel_netlink_net_t *this,
838: addr_entry_t *a, addr_entry_t *b, host_t *d)
839: {
840: u_char sa, sb, sd, la, lb, ld, pa, pb;
841:
842: /* rule 2: prefer appropriate scope */
843: if (d)
844: {
845: sa = get_scope(a->ip);
846: sb = get_scope(b->ip);
847: sd = get_scope(d);
848: if (sa < sb)
849: {
850: return sa < sd;
851: }
852: else if (sb < sa)
853: {
854: return sb >= sd;
855: }
856: }
857: if (a->ip->get_family(a->ip) == AF_INET)
858: { /* stop here for IPv4, default to addresses found earlier */
859: return FALSE;
860: }
861: /* rule 3: avoid deprecated addresses (RFC 4862) */
862: if ((a->flags & IFA_F_DEPRECATED) != (b->flags & IFA_F_DEPRECATED))
863: {
864: return a->flags & IFA_F_DEPRECATED;
865: }
866: /* rule 4 is not applicable as we don't know if an address is a home or
867: * care-of addresses.
868: * rule 5 does not apply as we only compare addresses from one interface
869: */
870: /* rule 6: prefer matching label */
871: if (d)
872: {
873: la = get_label(a->ip);
874: lb = get_label(b->ip);
875: ld = get_label(d);
876: if (la == ld && lb != ld)
877: {
878: return FALSE;
879: }
880: else if (lb == ld && la != ld)
881: {
882: return TRUE;
883: }
884: }
885: /* rule 7: prefer temporary addresses (WE REVERSE THIS BY DEFAULT!) */
886: if ((a->flags & IFA_F_TEMPORARY) != (b->flags & IFA_F_TEMPORARY))
887: {
888: if (this->prefer_temporary_addrs)
889: {
890: return b->flags & IFA_F_TEMPORARY;
891: }
892: return a->flags & IFA_F_TEMPORARY;
893: }
894: /* rule 8: use longest matching prefix */
895: if (d)
896: {
897: pa = common_prefix(a->ip, d);
898: pb = common_prefix(b->ip, d);
899: if (pa != pb)
900: {
901: return pb > pa;
902: }
903: }
904: /* default to addresses found earlier */
905: return FALSE;
906: }
907:
908: /**
909: * Get a non-virtual IP address on the given interfaces and optionally in a
910: * given subnet.
911: *
912: * If a candidate address is given, we first search for that address and if not
913: * found return the address as above.
914: * Returned host is a clone, has to be freed by caller.
915: *
916: * this->lock must be held when calling this function.
917: */
918: static host_t *get_matching_address(private_kernel_netlink_net_t *this,
919: int *ifindex, int family, chunk_t net,
920: uint8_t mask, host_t *dest,
921: host_t *candidate)
922: {
923: enumerator_t *ifaces, *addrs;
924: iface_entry_t *iface;
925: addr_entry_t *addr, *best = NULL;
926: bool candidate_matched = FALSE;
927:
928: ifaces = this->ifaces->create_enumerator(this->ifaces);
929: while (ifaces->enumerate(ifaces, &iface))
930: {
931: if (iface->usable && (!ifindex || iface->ifindex == *ifindex))
932: { /* only use matching interfaces not excluded by config */
933: addrs = iface->addrs->create_enumerator(iface->addrs);
934: while (addrs->enumerate(addrs, &addr))
935: {
936: if (addr->refcount ||
937: addr->ip->get_family(addr->ip) != family)
938: { /* ignore virtual IP addresses and ensure family matches */
939: continue;
940: }
941: if (net.ptr && !host_in_subnet(addr->ip, net, mask))
942: { /* optionally match a subnet */
943: continue;
944: }
945: if (candidate && candidate->ip_equals(candidate, addr->ip))
946: { /* stop if we find the candidate */
947: best = addr;
948: candidate_matched = TRUE;
949: break;
950: }
951: else if (!best || is_address_better(this, best, addr, dest))
952: {
953: best = addr;
954: }
955: }
956: addrs->destroy(addrs);
957: if (ifindex || candidate_matched)
958: {
959: break;
960: }
961: }
962: }
963: ifaces->destroy(ifaces);
964: return best ? best->ip->clone(best->ip) : NULL;
965: }
966:
967: /**
968: * Get a non-virtual IP address on the given interface.
969: *
970: * If a candidate address is given, we first search for that address and if not
971: * found return the address as above.
972: * Returned host is a clone, has to be freed by caller.
973: *
974: * this->lock must be held when calling this function.
975: */
976: static host_t *get_interface_address(private_kernel_netlink_net_t *this,
977: int ifindex, int family, host_t *dest,
978: host_t *candidate)
979: {
980: return get_matching_address(this, &ifindex, family, chunk_empty, 0, dest,
981: candidate);
982: }
983:
984: /**
985: * Get a non-virtual IP address in the given subnet.
986: *
987: * If a candidate address is given, we first search for that address and if not
988: * found return the address as above.
989: * Returned host is a clone, has to be freed by caller.
990: *
991: * this->lock must be held when calling this function.
992: */
993: static host_t *get_subnet_address(private_kernel_netlink_net_t *this,
994: int family, chunk_t net, uint8_t mask,
995: host_t *dest, host_t *candidate)
996: {
997: return get_matching_address(this, NULL, family, net, mask, dest, candidate);
998: }
999:
1000: /**
1001: * callback function that raises the delayed roam event
1002: */
1003: static job_requeue_t roam_event(private_kernel_netlink_net_t *this)
1004: {
1005: bool address;
1006:
1007: this->roam_lock->lock(this->roam_lock);
1008: address = this->roam_address;
1009: this->roam_address = FALSE;
1010: this->roam_lock->unlock(this->roam_lock);
1011: charon->kernel->roam(charon->kernel, address);
1012: return JOB_REQUEUE_NONE;
1013: }
1014:
1015: /**
1016: * fire a roaming event. we delay it for a bit and fire only one event
1017: * for multiple calls. otherwise we would create too many events.
1018: */
1019: static void fire_roam_event(private_kernel_netlink_net_t *this, bool address)
1020: {
1021: timeval_t now;
1022: job_t *job;
1023:
1024: if (!this->roam_events)
1025: {
1026: return;
1027: }
1028:
1029: time_monotonic(&now);
1030: this->roam_lock->lock(this->roam_lock);
1031: this->roam_address |= address;
1032: if (!timercmp(&now, &this->next_roam, >))
1033: {
1034: this->roam_lock->unlock(this->roam_lock);
1035: return;
1036: }
1037: timeval_add_ms(&now, ROAM_DELAY);
1038: this->next_roam = now;
1039: this->roam_lock->unlock(this->roam_lock);
1040:
1041: job = (job_t*)callback_job_create((callback_job_cb_t)roam_event,
1042: this, NULL, NULL);
1043: lib->scheduler->schedule_job_ms(lib->scheduler, job, ROAM_DELAY);
1044: }
1045:
1046: /**
1047: * check if an interface with a given index is up and usable
1048: *
1049: * this->lock must be locked when calling this function
1050: */
1051: static bool is_interface_up_and_usable(private_kernel_netlink_net_t *this,
1052: int index)
1053: {
1054: iface_entry_t *iface;
1055:
1056: if (this->ifaces->find_first(this->ifaces, iface_entry_by_index,
1057: (void**)&iface, index))
1058: {
1059: return iface_entry_up_and_usable(iface);
1060: }
1061: return FALSE;
1062: }
1063:
1064: /**
1065: * unregister the current addr_entry_t from the hashtable it is stored in
1066: *
1067: * this->lock must be locked when calling this function
1068: */
1069: CALLBACK(addr_entry_unregister, void,
1070: addr_entry_t *addr, va_list args)
1071: {
1072: private_kernel_netlink_net_t *this;
1073: iface_entry_t *iface;
1074:
1075: VA_ARGS_VGET(args, iface, this);
1076: if (addr->refcount)
1077: {
1078: addr_map_entry_remove(this->vips, addr, iface);
1079: this->condvar->broadcast(this->condvar);
1080: return;
1081: }
1082: addr_map_entry_remove(this->addrs, addr, iface);
1083: }
1084:
1085: /**
1086: * process RTM_NEWLINK/RTM_DELLINK from kernel
1087: */
1088: static void process_link(private_kernel_netlink_net_t *this,
1089: struct nlmsghdr *hdr, bool event)
1090: {
1091: struct ifinfomsg* msg = NLMSG_DATA(hdr);
1092: struct rtattr *rta = IFLA_RTA(msg);
1093: size_t rtasize = IFLA_PAYLOAD (hdr);
1094: enumerator_t *enumerator;
1095: iface_entry_t *current, *entry = NULL;
1096: char *name = NULL;
1097: bool update = FALSE, update_routes = FALSE;
1098:
1099: while (RTA_OK(rta, rtasize))
1100: {
1101: switch (rta->rta_type)
1102: {
1103: case IFLA_IFNAME:
1104: name = RTA_DATA(rta);
1105: break;
1106: }
1107: rta = RTA_NEXT(rta, rtasize);
1108: }
1109: if (!name)
1110: {
1111: name = "(unknown)";
1112: }
1113:
1114: this->lock->write_lock(this->lock);
1115: switch (hdr->nlmsg_type)
1116: {
1117: case RTM_NEWLINK:
1118: {
1119: if (!this->ifaces->find_first(this->ifaces, iface_entry_by_index,
1120: (void**)&entry, msg->ifi_index))
1121: {
1122: INIT(entry,
1123: .ifindex = msg->ifi_index,
1124: .addrs = linked_list_create(),
1125: );
1126: this->ifaces->insert_last(this->ifaces, entry);
1127: }
1128: strncpy(entry->ifname, name, IFNAMSIZ);
1129: entry->ifname[IFNAMSIZ-1] = '\0';
1130: entry->usable = charon->kernel->is_interface_usable(charon->kernel,
1131: name);
1132: if (event && entry->usable)
1133: {
1134: if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
1135: {
1136: update = update_routes = TRUE;
1137: DBG1(DBG_KNL, "interface %s activated", name);
1138: }
1139: if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
1140: {
1141: update = TRUE;
1142: DBG1(DBG_KNL, "interface %s deactivated", name);
1143: }
1144: }
1145: entry->flags = msg->ifi_flags;
1146: break;
1147: }
1148: case RTM_DELLINK:
1149: {
1150: enumerator = this->ifaces->create_enumerator(this->ifaces);
1151: while (enumerator->enumerate(enumerator, ¤t))
1152: {
1153: if (current->ifindex == msg->ifi_index)
1154: {
1155: if (event && current->usable)
1156: {
1157: update = TRUE;
1158: DBG1(DBG_KNL, "interface %s deleted", current->ifname);
1159: }
1160: /* TODO: move virtual IPs installed on this interface to
1161: * another interface? */
1162: this->ifaces->remove_at(this->ifaces, enumerator);
1163: current->addrs->invoke_function(current->addrs,
1164: addr_entry_unregister, current, this);
1165: iface_entry_destroy(current);
1166: break;
1167: }
1168: }
1169: enumerator->destroy(enumerator);
1170: break;
1171: }
1172: }
1173: this->lock->unlock(this->lock);
1174:
1175: if (update_routes && event)
1176: {
1177: queue_route_reinstall(this, strdup(name));
1178: }
1179:
1180: if (update && event)
1181: {
1182: fire_roam_event(this, TRUE);
1183: }
1184: }
1185:
1186: /**
1187: * process RTM_NEWADDR/RTM_DELADDR from kernel
1188: */
1189: static void process_addr(private_kernel_netlink_net_t *this,
1190: struct nlmsghdr *hdr, bool event)
1191: {
1192: struct ifaddrmsg* msg = NLMSG_DATA(hdr);
1193: struct rtattr *rta = IFA_RTA(msg);
1194: size_t rtasize = IFA_PAYLOAD (hdr);
1195: host_t *host = NULL;
1196: iface_entry_t *iface;
1197: chunk_t local = chunk_empty, address = chunk_empty;
1198: char *route_ifname = NULL;
1199: bool update = FALSE, found = FALSE, changed = FALSE;
1200:
1201: while (RTA_OK(rta, rtasize))
1202: {
1203: switch (rta->rta_type)
1204: {
1205: case IFA_LOCAL:
1206: local.ptr = RTA_DATA(rta);
1207: local.len = RTA_PAYLOAD(rta);
1208: break;
1209: case IFA_ADDRESS:
1210: address.ptr = RTA_DATA(rta);
1211: address.len = RTA_PAYLOAD(rta);
1212: break;
1213: }
1214: rta = RTA_NEXT(rta, rtasize);
1215: }
1216:
1217: /* For PPP interfaces, we need the IFA_LOCAL address,
1218: * IFA_ADDRESS is the peers address. But IFA_LOCAL is
1219: * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
1220: if (local.ptr)
1221: {
1222: host = host_create_from_chunk(msg->ifa_family, local, 0);
1223: }
1224: else if (address.ptr)
1225: {
1226: host = host_create_from_chunk(msg->ifa_family, address, 0);
1227: }
1228:
1229: if (host == NULL)
1230: { /* bad family? */
1231: return;
1232: }
1233:
1234: this->lock->write_lock(this->lock);
1235: if (this->ifaces->find_first(this->ifaces, iface_entry_by_index,
1236: (void**)&iface, msg->ifa_index))
1237: {
1238: addr_map_entry_t *entry, lookup = {
1239: .ip = host,
1240: .iface = iface,
1241: };
1242: addr_entry_t *addr;
1243:
1244: entry = this->vips->get(this->vips, &lookup);
1245: if (entry)
1246: {
1247: if (hdr->nlmsg_type == RTM_NEWADDR)
1248: { /* mark as installed and signal waiting threads */
1249: entry->addr->installed = TRUE;
1250: }
1251: else
1252: { /* the address was already marked as uninstalled */
1253: addr = entry->addr;
1254: iface->addrs->remove(iface->addrs, addr, NULL);
1255: addr_map_entry_remove(this->vips, addr, iface);
1256: addr_entry_destroy(addr);
1257: }
1258: /* no roam events etc. for virtual IPs */
1259: this->condvar->broadcast(this->condvar);
1260: this->lock->unlock(this->lock);
1261: host->destroy(host);
1262: return;
1263: }
1264: entry = this->addrs->get(this->addrs, &lookup);
1265: if (entry)
1266: {
1267: if (hdr->nlmsg_type == RTM_DELADDR)
1268: {
1269: found = TRUE;
1270: addr = entry->addr;
1271: iface->addrs->remove(iface->addrs, addr, NULL);
1272: if (iface->usable)
1273: {
1274: changed = TRUE;
1275: DBG1(DBG_KNL, "%H disappeared from %s", host,
1276: iface->ifname);
1277: }
1278: addr_map_entry_remove(this->addrs, addr, iface);
1279: addr_entry_destroy(addr);
1280: }
1281: }
1282: else
1283: {
1284: if (hdr->nlmsg_type == RTM_NEWADDR)
1285: {
1286: found = TRUE;
1287: changed = TRUE;
1288: route_ifname = strdup(iface->ifname);
1289: INIT(addr,
1290: .ip = host->clone(host),
1291: .flags = msg->ifa_flags,
1292: .scope = msg->ifa_scope,
1293: );
1294: iface->addrs->insert_last(iface->addrs, addr);
1295: addr_map_entry_add(this->addrs, addr, iface);
1296: if (event && iface->usable)
1297: {
1298: DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
1299: }
1300: }
1301: }
1302: if (found && (iface->flags & IFF_UP))
1303: {
1304: update = TRUE;
1305: }
1306: if (!iface->usable)
1307: { /* ignore events for interfaces excluded by config */
1308: update = changed = FALSE;
1309: }
1310: }
1311: this->lock->unlock(this->lock);
1312:
1313: if (update && event && route_ifname)
1314: {
1315: queue_route_reinstall(this, route_ifname);
1316: }
1317: else
1318: {
1319: free(route_ifname);
1320: }
1321: host->destroy(host);
1322:
1323: /* send an update to all IKE_SAs */
1324: if (update && event && changed)
1325: {
1326: fire_roam_event(this, TRUE);
1327: }
1328: }
1329:
1330: /**
1331: * process RTM_NEWROUTE and RTM_DELROUTE from kernel
1332: */
1333: static void process_route(private_kernel_netlink_net_t *this,
1334: struct nlmsghdr *hdr)
1335: {
1336: struct rtmsg* msg = NLMSG_DATA(hdr);
1337: struct rtattr *rta = RTM_RTA(msg);
1338: size_t rtasize = RTM_PAYLOAD(hdr);
1339: uint32_t rta_oif = 0;
1340: host_t *host = NULL;
1341:
1342: /* ignore routes added by us or in the local routing table (local addrs) */
1343: if (msg->rtm_table && (msg->rtm_table == this->routing_table ||
1344: msg->rtm_table == RT_TABLE_LOCAL))
1345: {
1346: return;
1347: }
1348: else if (msg->rtm_flags & RTM_F_CLONED)
1349: { /* ignore cached routes, seem to be created a lot for IPv6 */
1350: return;
1351: }
1352:
1353: while (RTA_OK(rta, rtasize))
1354: {
1355: switch (rta->rta_type)
1356: {
1357: #ifdef HAVE_RTA_TABLE
1358: case RTA_TABLE:
1359: /* also check against extended table ID */
1360: if (RTA_PAYLOAD(rta) == sizeof(uint32_t) &&
1361: this->routing_table == *(uint32_t*)RTA_DATA(rta))
1362: {
1363: return;
1364: }
1365: break;
1366: #endif /* HAVE_RTA_TABLE */
1367: case RTA_PREFSRC:
1368: DESTROY_IF(host);
1369: host = host_create_from_chunk(msg->rtm_family,
1370: chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)), 0);
1371: break;
1372: case RTA_OIF:
1373: if (RTA_PAYLOAD(rta) == sizeof(rta_oif))
1374: {
1375: rta_oif = *(uint32_t*)RTA_DATA(rta);
1376: }
1377: break;
1378: }
1379: rta = RTA_NEXT(rta, rtasize);
1380: }
1381: this->lock->read_lock(this->lock);
1382: if (rta_oif && !is_interface_up_and_usable(this, rta_oif))
1383: { /* ignore route changes for interfaces that are ignored or down */
1384: this->lock->unlock(this->lock);
1385: DESTROY_IF(host);
1386: return;
1387: }
1388: if (!host && rta_oif)
1389: {
1390: host = get_interface_address(this, rta_oif, msg->rtm_family,
1391: NULL, NULL);
1392: }
1393: if (!host || is_known_vip(this, host))
1394: { /* ignore routes added for virtual IPs */
1395: this->lock->unlock(this->lock);
1396: DESTROY_IF(host);
1397: return;
1398: }
1399: this->lock->unlock(this->lock);
1400: fire_roam_event(this, FALSE);
1401: host->destroy(host);
1402: }
1403:
1404: /**
1405: * process RTM_NEW|DELRULE from kernel
1406: */
1407: static void process_rule(private_kernel_netlink_net_t *this,
1408: struct nlmsghdr *hdr)
1409: {
1410: #ifdef HAVE_LINUX_FIB_RULES_H
1411: struct rtmsg* msg = NLMSG_DATA(hdr);
1412: struct rtattr *rta = RTM_RTA(msg);
1413: size_t rtasize = RTM_PAYLOAD(hdr);
1414:
1415: /* ignore rules added by us or in the local routing table (local addrs) */
1416: if (msg->rtm_table && (msg->rtm_table == this->routing_table ||
1417: msg->rtm_table == RT_TABLE_LOCAL))
1418: {
1419: return;
1420: }
1421:
1422: while (RTA_OK(rta, rtasize))
1423: {
1424: switch (rta->rta_type)
1425: {
1426: case FRA_TABLE:
1427: /* also check against extended table ID */
1428: if (RTA_PAYLOAD(rta) == sizeof(uint32_t) &&
1429: this->routing_table == *(uint32_t*)RTA_DATA(rta))
1430: {
1431: return;
1432: }
1433: break;
1434: }
1435: rta = RTA_NEXT(rta, rtasize);
1436: }
1437: fire_roam_event(this, FALSE);
1438: #endif
1439: }
1440:
1441: /**
1442: * Receives events from kernel
1443: */
1444: static bool receive_events(private_kernel_netlink_net_t *this, int fd,
1445: watcher_event_t event)
1446: {
1447: char response[netlink_get_buflen()];
1448: struct nlmsghdr *hdr = (struct nlmsghdr*)response;
1449: struct sockaddr_nl addr;
1450: socklen_t addr_len = sizeof(addr);
1451: int len;
1452:
1453: len = recvfrom(this->socket_events, response, sizeof(response),
1454: MSG_DONTWAIT, (struct sockaddr*)&addr, &addr_len);
1455: if (len < 0)
1456: {
1457: switch (errno)
1458: {
1459: case EINTR:
1460: /* interrupted, try again */
1461: return TRUE;
1462: case EAGAIN:
1463: /* no data ready, select again */
1464: return TRUE;
1465: default:
1466: DBG1(DBG_KNL, "unable to receive from RT event socket %s (%d)",
1467: strerror(errno), errno);
1468: sleep(1);
1469: return TRUE;
1470: }
1471: }
1472:
1473: if (addr.nl_pid != 0)
1474: { /* not from kernel. not interested, try another one */
1475: return TRUE;
1476: }
1477:
1478: while (NLMSG_OK(hdr, len))
1479: {
1480: /* looks good so far, dispatch netlink message */
1481: switch (hdr->nlmsg_type)
1482: {
1483: case RTM_NEWADDR:
1484: case RTM_DELADDR:
1485: process_addr(this, hdr, TRUE);
1486: break;
1487: case RTM_NEWLINK:
1488: case RTM_DELLINK:
1489: process_link(this, hdr, TRUE);
1490: break;
1491: case RTM_NEWROUTE:
1492: case RTM_DELROUTE:
1493: if (this->process_route)
1494: {
1495: process_route(this, hdr);
1496: }
1497: break;
1498: case RTM_NEWRULE:
1499: case RTM_DELRULE:
1500: if (this->process_rules)
1501: {
1502: process_rule(this, hdr);
1503: }
1504: break;
1505: default:
1506: break;
1507: }
1508: hdr = NLMSG_NEXT(hdr, len);
1509: }
1510: return TRUE;
1511: }
1512:
1513: /** enumerator over addresses */
1514: typedef struct {
1515: private_kernel_netlink_net_t* this;
1516: /** which addresses to enumerate */
1517: kernel_address_type_t which;
1518: } address_enumerator_t;
1519:
1520: CALLBACK(address_enumerator_destroy, void,
1521: address_enumerator_t *data)
1522: {
1523: data->this->lock->unlock(data->this->lock);
1524: free(data);
1525: }
1526:
1527: CALLBACK(filter_addresses, bool,
1528: address_enumerator_t *data, enumerator_t *orig, va_list args)
1529: {
1530: addr_entry_t *addr;
1531: host_t **out;
1532:
1533: VA_ARGS_VGET(args, out);
1534:
1535: while (orig->enumerate(orig, &addr))
1536: {
1537: if (!(data->which & ADDR_TYPE_VIRTUAL) && addr->refcount)
1538: { /* skip virtual interfaces added by us */
1539: continue;
1540: }
1541: if (!(data->which & ADDR_TYPE_REGULAR) && !addr->refcount)
1542: { /* address is regular, but not requested */
1543: continue;
1544: }
1545: if (addr->flags & IFA_F_DEPRECATED ||
1546: addr->scope >= RT_SCOPE_LINK)
1547: { /* skip deprecated addresses or those with an unusable scope */
1548: continue;
1549: }
1550: if (addr->ip->get_family(addr->ip) == AF_INET6)
1551: { /* handle temporary IPv6 addresses according to config */
1552: bool temporary = (addr->flags & IFA_F_TEMPORARY) == IFA_F_TEMPORARY;
1553: if (data->this->prefer_temporary_addrs != temporary)
1554: {
1555: continue;
1556: }
1557: }
1558: *out = addr->ip;
1559: return TRUE;
1560: }
1561: return FALSE;
1562: }
1563:
1564: /**
1565: * enumerator constructor for interfaces
1566: */
1567: static enumerator_t *create_iface_enumerator(iface_entry_t *iface,
1568: address_enumerator_t *data)
1569: {
1570: return enumerator_create_filter(
1571: iface->addrs->create_enumerator(iface->addrs),
1572: filter_addresses, data, NULL);
1573: }
1574:
1575: CALLBACK(filter_interfaces, bool,
1576: address_enumerator_t *data, enumerator_t *orig, va_list args)
1577: {
1578: iface_entry_t *iface, **out;
1579:
1580: VA_ARGS_VGET(args, out);
1581:
1582: while (orig->enumerate(orig, &iface))
1583: {
1584: if (!(data->which & ADDR_TYPE_IGNORED) && !iface->usable)
1585: { /* skip interfaces excluded by config */
1586: continue;
1587: }
1588: if (!(data->which & ADDR_TYPE_LOOPBACK) && (iface->flags & IFF_LOOPBACK))
1589: { /* ignore loopback devices */
1590: continue;
1591: }
1592: if (!(data->which & ADDR_TYPE_DOWN) && !(iface->flags & IFF_UP))
1593: { /* skip interfaces not up */
1594: continue;
1595: }
1596: *out = iface;
1597: return TRUE;
1598: }
1599: return FALSE;
1600: }
1601:
1602: METHOD(kernel_net_t, create_address_enumerator, enumerator_t*,
1603: private_kernel_netlink_net_t *this, kernel_address_type_t which)
1604: {
1605: address_enumerator_t *data;
1606:
1607: INIT(data,
1608: .this = this,
1609: .which = which,
1610: );
1611:
1612: this->lock->read_lock(this->lock);
1613: return enumerator_create_nested(
1614: enumerator_create_filter(
1615: this->ifaces->create_enumerator(this->ifaces),
1616: filter_interfaces, data, NULL),
1617: (void*)create_iface_enumerator, data,
1618: address_enumerator_destroy);
1619: }
1620:
1621: METHOD(kernel_net_t, get_interface_name, bool,
1622: private_kernel_netlink_net_t *this, host_t* ip, char **name)
1623: {
1624: addr_map_entry_t *entry, lookup = {
1625: .ip = ip,
1626: };
1627:
1628: if (ip->is_anyaddr(ip))
1629: {
1630: return FALSE;
1631: }
1632: this->lock->read_lock(this->lock);
1633: /* first try to find it on an up and usable interface */
1634: entry = this->addrs->get_match(this->addrs, &lookup,
1635: (void*)addr_map_entry_match_up_and_usable);
1636: if (entry)
1637: {
1638: if (name)
1639: {
1640: *name = strdup(entry->iface->ifname);
1641: DBG2(DBG_KNL, "%H is on interface %s", ip, *name);
1642: }
1643: this->lock->unlock(this->lock);
1644: return TRUE;
1645: }
1646: /* in a second step, consider virtual IPs installed by us */
1647: entry = this->vips->get_match(this->vips, &lookup,
1648: (void*)addr_map_entry_match_up_and_usable);
1649: if (entry)
1650: {
1651: if (name)
1652: {
1653: *name = strdup(entry->iface->ifname);
1654: DBG2(DBG_KNL, "virtual IP %H is on interface %s", ip, *name);
1655: }
1656: this->lock->unlock(this->lock);
1657: return TRUE;
1658: }
1659: /* maybe it is installed on an ignored interface */
1660: entry = this->addrs->get_match(this->addrs, &lookup,
1661: (void*)addr_map_entry_match_up);
1662: if (!entry)
1663: {
1664: DBG2(DBG_KNL, "%H is not a local address or the interface is down", ip);
1665: }
1666: this->lock->unlock(this->lock);
1667: return FALSE;
1668: }
1669:
1670: /**
1671: * get the index of an interface by name
1672: */
1673: static int get_interface_index(private_kernel_netlink_net_t *this, char* name)
1674: {
1675: iface_entry_t *iface;
1676: int ifindex = 0;
1677:
1678: DBG2(DBG_KNL, "getting iface index for %s", name);
1679:
1680: this->lock->read_lock(this->lock);
1681: if (this->ifaces->find_first(this->ifaces, iface_entry_by_name,
1682: (void**)&iface, name))
1683: {
1684: ifindex = iface->ifindex;
1685: }
1686: this->lock->unlock(this->lock);
1687:
1688: if (ifindex == 0)
1689: {
1690: DBG1(DBG_KNL, "unable to get interface index for %s", name);
1691: }
1692: return ifindex;
1693: }
1694:
1695: /**
1696: * get the name of an interface by index (allocated)
1697: */
1698: static char *get_interface_name_by_index(private_kernel_netlink_net_t *this,
1699: int index)
1700: {
1701: iface_entry_t *iface;
1702: char *name = NULL;
1703:
1704: DBG2(DBG_KNL, "getting iface name for index %d", index);
1705:
1706: this->lock->read_lock(this->lock);
1707: if (this->ifaces->find_first(this->ifaces, iface_entry_by_index,
1708: (void**)&iface, index))
1709: {
1710: name = strdup(iface->ifname);
1711: }
1712: this->lock->unlock(this->lock);
1713:
1714: if (!name)
1715: {
1716: DBG1(DBG_KNL, "unable to get interface name for %d", index);
1717: }
1718: return name;
1719: }
1720:
1721: /**
1722: * Store information about a route retrieved via RTNETLINK
1723: */
1724: typedef struct {
1725: chunk_t gtw;
1726: chunk_t pref_src;
1727: chunk_t dst;
1728: chunk_t src;
1729: host_t *src_host;
1730: uint8_t dst_len;
1731: uint8_t src_len;
1732: uint32_t table;
1733: uint32_t oif;
1734: uint32_t priority;
1735: } rt_entry_t;
1736:
1737: /**
1738: * Free a route entry
1739: */
1740: static void rt_entry_destroy(rt_entry_t *this)
1741: {
1742: DESTROY_IF(this->src_host);
1743: free(this);
1744: }
1745:
1746: /**
1747: * Check if the route received with RTM_NEWROUTE is usable based on its type.
1748: */
1749: static bool route_usable(struct nlmsghdr *hdr, bool allow_local)
1750: {
1751: struct rtmsg *msg;
1752:
1753: msg = NLMSG_DATA(hdr);
1754: switch (msg->rtm_type)
1755: {
1756: case RTN_BLACKHOLE:
1757: case RTN_UNREACHABLE:
1758: case RTN_PROHIBIT:
1759: case RTN_THROW:
1760: return FALSE;
1761: case RTN_LOCAL:
1762: return allow_local;
1763: default:
1764: return TRUE;
1765: }
1766: }
1767:
1768: /**
1769: * Parse route received with RTM_NEWROUTE. The given rt_entry_t object will be
1770: * reused if not NULL.
1771: *
1772: * Returned chunks point to internal data of the Netlink message.
1773: */
1774: static rt_entry_t *parse_route(struct nlmsghdr *hdr, rt_entry_t *route)
1775: {
1776: struct rtattr *rta;
1777: struct rtmsg *msg;
1778: size_t rtasize;
1779:
1780: msg = NLMSG_DATA(hdr);
1781: rta = RTM_RTA(msg);
1782: rtasize = RTM_PAYLOAD(hdr);
1783:
1784: if (route)
1785: {
1786: *route = (rt_entry_t){
1787: .dst_len = msg->rtm_dst_len,
1788: .src_len = msg->rtm_src_len,
1789: .table = msg->rtm_table,
1790: };
1791: }
1792: else
1793: {
1794: INIT(route,
1795: .dst_len = msg->rtm_dst_len,
1796: .src_len = msg->rtm_src_len,
1797: .table = msg->rtm_table,
1798: );
1799: }
1800:
1801: while (RTA_OK(rta, rtasize))
1802: {
1803: switch (rta->rta_type)
1804: {
1805: case RTA_PREFSRC:
1806: route->pref_src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1807: break;
1808: case RTA_GATEWAY:
1809: route->gtw = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1810: break;
1811: case RTA_DST:
1812: route->dst = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1813: break;
1814: case RTA_SRC:
1815: route->src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1816: break;
1817: case RTA_OIF:
1818: if (RTA_PAYLOAD(rta) == sizeof(route->oif))
1819: {
1820: route->oif = *(uint32_t*)RTA_DATA(rta);
1821: }
1822: break;
1823: case RTA_PRIORITY:
1824: if (RTA_PAYLOAD(rta) == sizeof(route->priority))
1825: {
1826: route->priority = *(uint32_t*)RTA_DATA(rta);
1827: }
1828: break;
1829: #ifdef HAVE_RTA_TABLE
1830: case RTA_TABLE:
1831: if (RTA_PAYLOAD(rta) == sizeof(route->table))
1832: {
1833: route->table = *(uint32_t*)RTA_DATA(rta);
1834: }
1835: break;
1836: #endif /* HAVE_RTA_TABLE*/
1837: }
1838: rta = RTA_NEXT(rta, rtasize);
1839: }
1840: return route;
1841: }
1842:
1843: /**
1844: * Get a route: If "nexthop", the nexthop is returned. source addr otherwise.
1845: */
1846: static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
1847: int prefix, bool nexthop, host_t *candidate,
1848: char **iface, u_int recursion)
1849: {
1850: netlink_buf_t request;
1851: struct nlmsghdr *hdr, *out, *current;
1852: struct rtmsg *msg;
1853: chunk_t chunk;
1854: size_t len;
1855: linked_list_t *routes;
1856: rt_entry_t *route = NULL, *best = NULL;
1857: enumerator_t *enumerator;
1858: host_t *addr = NULL;
1859: bool match_net;
1860: int family;
1861:
1862: if (recursion > MAX_ROUTE_RECURSION)
1863: {
1864: return NULL;
1865: }
1866: chunk = dest->get_address(dest);
1867: len = chunk.len * 8;
1868: prefix = prefix < 0 ? len : min(prefix, len);
1869: match_net = prefix != len;
1870:
1871: memset(&request, 0, sizeof(request));
1872:
1873: family = dest->get_family(dest);
1874: hdr = &request.hdr;
1875: hdr->nlmsg_flags = NLM_F_REQUEST;
1876: hdr->nlmsg_type = RTM_GETROUTE;
1877: hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1878:
1879: msg = NLMSG_DATA(hdr);
1880: msg->rtm_family = family;
1881: if (!match_net && this->rta_mark && this->routing_mark.value)
1882: {
1883: /* if our routing rule excludes packets with a certain mark we can
1884: * get the preferred route without having to dump all routes */
1885: chunk = chunk_from_thing(this->routing_mark.value);
1886: netlink_add_attribute(hdr, RTA_MARK, chunk, sizeof(request));
1887: }
1888: else if (family == AF_INET || this->rta_prefsrc_for_ipv6 ||
1889: this->routing_table || match_net)
1890: { /* kernels prior to 3.0 do not support RTA_PREFSRC for IPv6 routes.
1891: * as we want to ignore routes with virtual IPs we cannot use DUMP
1892: * if these routes are not installed in a separate table */
1893: if (this->install_routes)
1894: {
1895: hdr->nlmsg_flags |= NLM_F_DUMP;
1896: }
1897: }
1898: if (candidate)
1899: {
1900: chunk = candidate->get_address(candidate);
1901: if (hdr->nlmsg_flags & NLM_F_DUMP)
1902: {
1903: netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
1904: }
1905: else
1906: {
1907: netlink_add_attribute(hdr, RTA_SRC, chunk, sizeof(request));
1908: }
1909: }
1910: /* we use this below to match against the routes */
1911: chunk = dest->get_address(dest);
1912: if (!match_net)
1913: {
1914: netlink_add_attribute(hdr, RTA_DST, chunk, sizeof(request));
1915: }
1916:
1917: if (this->socket->send(this->socket, hdr, &out, &len) != SUCCESS)
1918: {
1919: DBG2(DBG_KNL, "getting %s to reach %H/%d failed",
1920: nexthop ? "nexthop" : "address", dest, prefix);
1921: return NULL;
1922: }
1923: routes = linked_list_create();
1924: this->lock->read_lock(this->lock);
1925:
1926: for (current = out; NLMSG_OK(current, len);
1927: current = NLMSG_NEXT(current, len))
1928: {
1929: switch (current->nlmsg_type)
1930: {
1931: case NLMSG_DONE:
1932: break;
1933: case RTM_NEWROUTE:
1934: {
1935: rt_entry_t *other;
1936: uintptr_t table;
1937:
1938: if (!route_usable(current, TRUE))
1939: {
1940: continue;
1941: }
1942: route = parse_route(current, route);
1943:
1944: table = (uintptr_t)route->table;
1945: if (this->rt_exclude->find_first(this->rt_exclude, NULL,
1946: (void**)&table))
1947: { /* route is from an excluded routing table */
1948: continue;
1949: }
1950: if (this->routing_table != 0 &&
1951: route->table == this->routing_table)
1952: { /* route is from our own ipsec routing table */
1953: continue;
1954: }
1955: if (route->oif && !is_interface_up_and_usable(this, route->oif))
1956: { /* interface is down */
1957: continue;
1958: }
1959: if (!addr_in_subnet(chunk, prefix, route->dst, route->dst_len))
1960: { /* route destination does not contain dest */
1961: continue;
1962: }
1963: if (route->pref_src.ptr)
1964: { /* verify source address, if any */
1965: host_t *src = host_create_from_chunk(msg->rtm_family,
1966: route->pref_src, 0);
1967: if (src && is_known_vip(this, src))
1968: { /* ignore routes installed by us */
1969: src->destroy(src);
1970: continue;
1971: }
1972: route->src_host = src;
1973: }
1974: /* insert route, sorted by network prefix and priority */
1975: enumerator = routes->create_enumerator(routes);
1976: while (enumerator->enumerate(enumerator, &other))
1977: {
1978: if (route->dst_len > other->dst_len)
1979: {
1980: break;
1981: }
1982: if (route->dst_len == other->dst_len &&
1983: route->priority < other->priority)
1984: {
1985: break;
1986: }
1987: }
1988: routes->insert_before(routes, enumerator, route);
1989: enumerator->destroy(enumerator);
1990: route = NULL;
1991: continue;
1992: }
1993: default:
1994: continue;
1995: }
1996: break;
1997: }
1998: if (route)
1999: {
2000: rt_entry_destroy(route);
2001: }
2002:
2003: /* now we have a list of routes matching dest, sorted by net prefix.
2004: * we will look for source addresses for these routes and select the one
2005: * with the preferred source address, if possible */
2006: enumerator = routes->create_enumerator(routes);
2007: while (enumerator->enumerate(enumerator, &route))
2008: {
2009: if (route->src_host)
2010: { /* got a source address with the route, if no preferred source
2011: * is given or it matches we are done, as this is the best route */
2012: if (!candidate || candidate->ip_equals(candidate, route->src_host))
2013: {
2014: best = route;
2015: break;
2016: }
2017: else if (route->oif)
2018: { /* no match yet, maybe it is assigned to the same interface */
2019: host_t *src = get_interface_address(this, route->oif,
2020: msg->rtm_family, dest, candidate);
2021: if (src && src->ip_equals(src, candidate))
2022: {
2023: route->src_host->destroy(route->src_host);
2024: route->src_host = src;
2025: best = route;
2026: break;
2027: }
2028: DESTROY_IF(src);
2029: }
2030: /* no luck yet with the source address. if this is the best (first)
2031: * route we store it as fallback in case we don't find a route with
2032: * the preferred source */
2033: best = best ?: route;
2034: continue;
2035: }
2036: if (route->src.ptr)
2037: { /* no src, but a source selector, try to find a matching address */
2038: route->src_host = get_subnet_address(this, msg->rtm_family,
2039: route->src, route->src_len, dest,
2040: candidate);
2041: if (route->src_host)
2042: { /* we handle this address the same as the one above */
2043: if (!candidate ||
2044: candidate->ip_equals(candidate, route->src_host))
2045: {
2046: best = route;
2047: break;
2048: }
2049: best = best ?: route;
2050: continue;
2051: }
2052: }
2053: if (route->oif)
2054: { /* no src, but an interface - get address from it */
2055: route->src_host = get_interface_address(this, route->oif,
2056: msg->rtm_family, dest, candidate);
2057: if (route->src_host)
2058: { /* more of the same */
2059: if (!candidate ||
2060: candidate->ip_equals(candidate, route->src_host))
2061: {
2062: best = route;
2063: break;
2064: }
2065: best = best ?: route;
2066: continue;
2067: }
2068: }
2069: if (route->gtw.ptr)
2070: { /* no src, no iface, but a gateway - lookup src to reach gtw */
2071: host_t *gtw;
2072:
2073: gtw = host_create_from_chunk(msg->rtm_family, route->gtw, 0);
2074: if (gtw && !gtw->ip_equals(gtw, dest))
2075: {
2076: route->src_host = get_route(this, gtw, -1, FALSE, candidate,
2077: iface, recursion + 1);
2078: }
2079: DESTROY_IF(gtw);
2080: if (route->src_host)
2081: { /* more of the same */
2082: if (!candidate ||
2083: candidate->ip_equals(candidate, route->src_host))
2084: {
2085: best = route;
2086: break;
2087: }
2088: best = best ?: route;
2089: }
2090: }
2091: }
2092: enumerator->destroy(enumerator);
2093:
2094: if (nexthop)
2095: { /* nexthop lookup, return gateway and oif if any */
2096: if (iface)
2097: {
2098: *iface = NULL;
2099: }
2100: if (best || routes->get_first(routes, (void**)&best) == SUCCESS)
2101: {
2102: addr = host_create_from_chunk(msg->rtm_family, best->gtw, 0);
2103: if (iface && best->oif)
2104: {
2105: *iface = get_interface_name_by_index(this, best->oif);
2106: }
2107: }
2108: if (!addr && !match_net)
2109: { /* fallback to destination address */
2110: addr = dest->clone(dest);
2111: }
2112: }
2113: else
2114: {
2115: if (best)
2116: {
2117: addr = best->src_host->clone(best->src_host);
2118: }
2119: }
2120: this->lock->unlock(this->lock);
2121: routes->destroy_function(routes, (void*)rt_entry_destroy);
2122: free(out);
2123:
2124: if (addr)
2125: {
2126: if (nexthop && iface && *iface)
2127: {
2128: DBG2(DBG_KNL, "using %H as nexthop and %s as dev to reach %H/%d",
2129: addr, *iface, dest, prefix);
2130: }
2131: else
2132: {
2133: DBG2(DBG_KNL, "using %H as %s to reach %H/%d", addr,
2134: nexthop ? "nexthop" : "address", dest, prefix);
2135: }
2136: }
2137: else if (!recursion)
2138: {
2139: DBG2(DBG_KNL, "no %s found to reach %H/%d",
2140: nexthop ? "nexthop" : "address", dest, prefix);
2141: }
2142: return addr;
2143: }
2144:
2145: METHOD(kernel_net_t, get_source_addr, host_t*,
2146: private_kernel_netlink_net_t *this, host_t *dest, host_t *src)
2147: {
2148: return get_route(this, dest, -1, FALSE, src, NULL, 0);
2149: }
2150:
2151: METHOD(kernel_net_t, get_nexthop, host_t*,
2152: private_kernel_netlink_net_t *this, host_t *dest, int prefix, host_t *src,
2153: char **iface)
2154: {
2155: return get_route(this, dest, prefix, TRUE, src, iface, 0);
2156: }
2157:
2158: /** enumerator over subnets */
2159: typedef struct {
2160: enumerator_t public;
2161: private_kernel_netlink_net_t *private;
2162: /** message from the kernel */
2163: struct nlmsghdr *msg;
2164: /** current message from the kernel */
2165: struct nlmsghdr *current;
2166: /** remaining length */
2167: size_t len;
2168: /** last subnet enumerated */
2169: host_t *net;
2170: /** interface of current net */
2171: char ifname[IFNAMSIZ];
2172: } subnet_enumerator_t;
2173:
2174: METHOD(enumerator_t, destroy_subnet_enumerator, void,
2175: subnet_enumerator_t *this)
2176: {
2177: DESTROY_IF(this->net);
2178: free(this->msg);
2179: free(this);
2180: }
2181:
2182: METHOD(enumerator_t, enumerate_subnets, bool,
2183: subnet_enumerator_t *this, va_list args)
2184: {
2185: host_t **net;
2186: uint8_t *mask;
2187: char **ifname;
2188:
2189: VA_ARGS_VGET(args, net, mask, ifname);
2190:
2191: if (!this->current)
2192: {
2193: this->current = this->msg;
2194: }
2195: else
2196: {
2197: this->current = NLMSG_NEXT(this->current, this->len);
2198: DESTROY_IF(this->net);
2199: this->net = NULL;
2200: }
2201:
2202: while (NLMSG_OK(this->current, this->len))
2203: {
2204: switch (this->current->nlmsg_type)
2205: {
2206: case NLMSG_DONE:
2207: break;
2208: case RTM_NEWROUTE:
2209: {
2210: rt_entry_t route;
2211:
2212: if (!route_usable(this->current, FALSE))
2213: {
2214: break;
2215: }
2216: parse_route(this->current, &route);
2217:
2218: if (route.table && (
2219: route.table == RT_TABLE_LOCAL ||
2220: route.table == this->private->routing_table))
2221: { /* ignore our own and the local routing tables */
2222: break;
2223: }
2224: else if (route.gtw.ptr)
2225: { /* ignore routes via gateway/next hop */
2226: break;
2227: }
2228:
2229: if (route.dst.ptr && route.oif &&
2230: if_indextoname(route.oif, this->ifname))
2231: {
2232: this->net = host_create_from_chunk(AF_UNSPEC, route.dst, 0);
2233: *net = this->net;
2234: *mask = route.dst_len;
2235: *ifname = this->ifname;
2236: return TRUE;
2237: }
2238: break;
2239: }
2240: default:
2241: break;
2242: }
2243: this->current = NLMSG_NEXT(this->current, this->len);
2244: }
2245: return FALSE;
2246: }
2247:
2248: METHOD(kernel_net_t, create_local_subnet_enumerator, enumerator_t*,
2249: private_kernel_netlink_net_t *this)
2250: {
2251: netlink_buf_t request;
2252: struct nlmsghdr *hdr, *out;
2253: struct rtmsg *msg;
2254: size_t len;
2255: subnet_enumerator_t *enumerator;
2256:
2257: memset(&request, 0, sizeof(request));
2258:
2259: hdr = &request.hdr;
2260: hdr->nlmsg_flags = NLM_F_REQUEST;
2261: hdr->nlmsg_type = RTM_GETROUTE;
2262: hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
2263: hdr->nlmsg_flags |= NLM_F_DUMP;
2264:
2265: msg = NLMSG_DATA(hdr);
2266: msg->rtm_scope = RT_SCOPE_LINK;
2267:
2268: if (this->socket->send(this->socket, hdr, &out, &len) != SUCCESS)
2269: {
2270: DBG2(DBG_KNL, "enumerating local subnets failed");
2271: return enumerator_create_empty();
2272: }
2273:
2274: INIT(enumerator,
2275: .public = {
2276: .enumerate = enumerator_enumerate_default,
2277: .venumerate = _enumerate_subnets,
2278: .destroy = _destroy_subnet_enumerator,
2279: },
2280: .private = this,
2281: .msg = out,
2282: .len = len,
2283: );
2284: return &enumerator->public;
2285: }
2286:
2287: /**
2288: * Manages the creation and deletion of IPv6 address labels for virtual IPs.
2289: * By setting the appropriate nlmsg_type the label is either added or removed.
2290: */
2291: static status_t manage_addrlabel(private_kernel_netlink_net_t *this,
2292: int nlmsg_type, host_t *ip)
2293: {
2294: netlink_buf_t request;
2295: struct nlmsghdr *hdr;
2296: struct ifaddrlblmsg *msg;
2297: chunk_t chunk;
2298: uint32_t label;
2299:
2300: memset(&request, 0, sizeof(request));
2301:
2302: chunk = ip->get_address(ip);
2303:
2304: hdr = &request.hdr;
2305: hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2306: if (nlmsg_type == RTM_NEWADDRLABEL)
2307: {
2308: hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_EXCL;
2309: }
2310: hdr->nlmsg_type = nlmsg_type;
2311: hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrlblmsg));
2312:
2313: msg = NLMSG_DATA(hdr);
2314: msg->ifal_family = ip->get_family(ip);
2315: msg->ifal_prefixlen = chunk.len * 8;
2316:
2317: netlink_add_attribute(hdr, IFAL_ADDRESS, chunk, sizeof(request));
2318: /* doesn't really matter as default labels are < 20 but this makes it kinda
2319: * recognizable */
2320: label = 220;
2321: netlink_add_attribute(hdr, IFAL_LABEL, chunk_from_thing(label),
2322: sizeof(request));
2323:
2324: return this->socket->send_ack(this->socket, hdr);
2325: }
2326:
2327: /**
2328: * Manages the creation and deletion of ip addresses on an interface.
2329: * By setting the appropriate nlmsg_type, the ip will be set or unset.
2330: */
2331: static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type,
2332: int flags, int if_index, host_t *ip, int prefix)
2333: {
2334: netlink_buf_t request;
2335: struct nlmsghdr *hdr;
2336: struct ifaddrmsg *msg;
2337: chunk_t chunk;
2338:
2339: memset(&request, 0, sizeof(request));
2340:
2341: chunk = ip->get_address(ip);
2342:
2343: hdr = &request.hdr;
2344: hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
2345: hdr->nlmsg_type = nlmsg_type;
2346: hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
2347:
2348: msg = NLMSG_DATA(hdr);
2349: msg->ifa_family = ip->get_family(ip);
2350: msg->ifa_flags = 0;
2351: msg->ifa_prefixlen = prefix < 0 ? chunk.len * 8 : prefix;
2352: msg->ifa_scope = RT_SCOPE_UNIVERSE;
2353: msg->ifa_index = if_index;
2354:
2355: netlink_add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
2356:
2357: if (ip->get_family(ip) == AF_INET6)
2358: {
2359: #ifdef IFA_F_NODAD
2360: msg->ifa_flags |= IFA_F_NODAD;
2361: #endif
2362: if (this->rta_prefsrc_for_ipv6)
2363: {
2364: /* if source routes are possible we set a label for this virtual IP
2365: * so it gets only used if forced by our route, and not by the
2366: * default IPv6 address selection */
2367: int labelop = nlmsg_type == RTM_NEWADDR ? RTM_NEWADDRLABEL
2368: : RTM_DELADDRLABEL;
2369: if (manage_addrlabel(this, labelop, ip) != SUCCESS)
2370: {
2371: /* if we can't use address labels we let the virtual IP get
2372: * deprecated immediately (but mark it as valid forever), which
2373: * should also avoid that it gets used by the default address
2374: * selection */
2375: struct ifa_cacheinfo cache = {
2376: .ifa_valid = 0xFFFFFFFF,
2377: .ifa_prefered = 0,
2378: };
2379: netlink_add_attribute(hdr, IFA_CACHEINFO,
2380: chunk_from_thing(cache), sizeof(request));
2381: }
2382: }
2383: }
2384: return this->socket->send_ack(this->socket, hdr);
2385: }
2386:
2387: METHOD(kernel_net_t, add_ip, status_t,
2388: private_kernel_netlink_net_t *this, host_t *virtual_ip, int prefix,
2389: char *iface_name)
2390: {
2391: addr_map_entry_t *entry, lookup = {
2392: .ip = virtual_ip,
2393: };
2394: iface_entry_t *iface = NULL;
2395:
2396: if (!this->install_virtual_ip)
2397: { /* disabled by config */
2398: return SUCCESS;
2399: }
2400:
2401: this->lock->write_lock(this->lock);
2402: /* the virtual IP might actually be installed as regular IP, in which case
2403: * we don't track it as virtual IP */
2404: entry = this->addrs->get_match(this->addrs, &lookup,
2405: (void*)addr_map_entry_match);
2406: if (!entry)
2407: { /* otherwise it might already be installed as virtual IP */
2408: entry = this->vips->get_match(this->vips, &lookup,
2409: (void*)addr_map_entry_match);
2410: if (entry)
2411: { /* the vip we found can be in one of three states: 1) installed and
2412: * ready, 2) just added by another thread, but not yet confirmed to
2413: * be installed by the kernel, 3) just deleted, but not yet gone.
2414: * Then while we wait below, several things could happen (as we
2415: * release the lock). For instance, the interface could disappear,
2416: * or the IP is finally deleted, and it reappears on a different
2417: * interface. All these cases are handled by the call below. */
2418: while (!is_vip_installed_or_gone(this, virtual_ip, &entry))
2419: {
2420: this->condvar->wait(this->condvar, this->lock);
2421: }
2422: if (entry)
2423: {
2424: entry->addr->refcount++;
2425: }
2426: }
2427: }
2428: if (entry)
2429: {
2430: DBG2(DBG_KNL, "virtual IP %H is already installed on %s", virtual_ip,
2431: entry->iface->ifname);
2432: this->lock->unlock(this->lock);
2433: return SUCCESS;
2434: }
2435: /* try to find the target interface, either by config or via src ip */
2436: if (!this->install_virtual_ip_on ||
2437: !this->ifaces->find_first(this->ifaces, iface_entry_by_name,
2438: (void**)&iface, this->install_virtual_ip_on))
2439: {
2440: if (!this->ifaces->find_first(this->ifaces, iface_entry_by_name,
2441: (void**)&iface, iface_name))
2442: { /* if we don't find the requested interface we just use the first */
2443: this->ifaces->get_first(this->ifaces, (void**)&iface);
2444: }
2445: }
2446: if (iface)
2447: {
2448: addr_entry_t *addr;
2449: char *ifname;
2450: int ifi;
2451:
2452: INIT(addr,
2453: .ip = virtual_ip->clone(virtual_ip),
2454: .refcount = 1,
2455: .scope = RT_SCOPE_UNIVERSE,
2456: );
2457: iface->addrs->insert_last(iface->addrs, addr);
2458: addr_map_entry_add(this->vips, addr, iface);
2459: ifi = iface->ifindex;
2460: this->lock->unlock(this->lock);
2461: if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
2462: ifi, virtual_ip, prefix) == SUCCESS)
2463: {
2464: this->lock->write_lock(this->lock);
2465: while (!is_vip_installed_or_gone(this, virtual_ip, &entry))
2466: { /* wait until address appears */
2467: this->condvar->wait(this->condvar, this->lock);
2468: }
2469: if (entry)
2470: { /* we fail if the interface got deleted in the meantime */
2471: ifname = strdup(entry->iface->ifname);
2472: this->lock->unlock(this->lock);
2473: DBG2(DBG_KNL, "virtual IP %H installed on %s",
2474: virtual_ip, ifname);
2475: /* during IKEv1 reauthentication, children get moved from
2476: * old the new SA before the virtual IP is available. This
2477: * kills the route for our virtual IP, reinstall. */
2478: queue_route_reinstall(this, ifname);
2479: return SUCCESS;
2480: }
2481: this->lock->unlock(this->lock);
2482: }
2483: DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
2484: return FAILED;
2485: }
2486: this->lock->unlock(this->lock);
2487: DBG1(DBG_KNL, "no interface available, unable to install virtual IP %H",
2488: virtual_ip);
2489: return FAILED;
2490: }
2491:
2492: METHOD(kernel_net_t, del_ip, status_t,
2493: private_kernel_netlink_net_t *this, host_t *virtual_ip, int prefix,
2494: bool wait)
2495: {
2496: addr_map_entry_t *entry, lookup = {
2497: .ip = virtual_ip,
2498: };
2499:
2500: if (!this->install_virtual_ip)
2501: { /* disabled by config */
2502: return SUCCESS;
2503: }
2504:
2505: DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
2506:
2507: this->lock->write_lock(this->lock);
2508: entry = this->vips->get_match(this->vips, &lookup,
2509: (void*)addr_map_entry_match);
2510: if (!entry)
2511: { /* we didn't install this IP as virtual IP */
2512: entry = this->addrs->get_match(this->addrs, &lookup,
2513: (void*)addr_map_entry_match);
2514: if (entry)
2515: {
2516: DBG2(DBG_KNL, "not deleting existing IP %H on %s", virtual_ip,
2517: entry->iface->ifname);
2518: this->lock->unlock(this->lock);
2519: return SUCCESS;
2520: }
2521: DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
2522: this->lock->unlock(this->lock);
2523: return FAILED;
2524: }
2525: if (entry->addr->refcount == 1)
2526: {
2527: status_t status;
2528: int ifi;
2529:
2530: /* we set this flag so that threads calling add_ip will block and wait
2531: * until the entry is gone, also so we can wait below */
2532: entry->addr->installed = FALSE;
2533: ifi = entry->iface->ifindex;
2534: this->lock->unlock(this->lock);
2535: status = manage_ipaddr(this, RTM_DELADDR, 0, ifi, virtual_ip, prefix);
2536: if (status == SUCCESS && wait)
2537: { /* wait until the address is really gone */
2538: this->lock->write_lock(this->lock);
2539: while (is_known_vip(this, virtual_ip))
2540: {
2541: this->condvar->wait(this->condvar, this->lock);
2542: }
2543: this->lock->unlock(this->lock);
2544: }
2545: return status;
2546: }
2547: else
2548: {
2549: entry->addr->refcount--;
2550: }
2551: DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
2552: virtual_ip);
2553: this->lock->unlock(this->lock);
2554: return SUCCESS;
2555: }
2556:
2557: /**
2558: * Manages source routes in the routing table.
2559: * By setting the appropriate nlmsg_type, the route gets added or removed.
2560: */
2561: static status_t manage_srcroute(private_kernel_netlink_net_t *this,
2562: int nlmsg_type, int flags, chunk_t dst_net,
2563: uint8_t prefixlen, host_t *gateway,
2564: host_t *src_ip, char *if_name, bool pass)
2565: {
2566: netlink_buf_t request;
2567: struct nlmsghdr *hdr;
2568: struct rtmsg *msg;
2569: struct rtattr *rta;
2570: int ifindex;
2571: chunk_t chunk;
2572:
2573: /* if route is 0.0.0.0/0, we can't install it, as it would
2574: * overwrite the default route. Instead, we add two routes:
2575: * 0.0.0.0/1 and 128.0.0.0/1 */
2576: if (this->routing_table == 0 && prefixlen == 0)
2577: {
2578: chunk_t half_net;
2579: uint8_t half_prefixlen;
2580: status_t status;
2581:
2582: half_net = chunk_alloca(dst_net.len);
2583: memset(half_net.ptr, 0, half_net.len);
2584: half_prefixlen = 1;
2585: /* no throw routes in the main table */
2586: status = manage_srcroute(this, nlmsg_type, flags, half_net,
2587: half_prefixlen, gateway, src_ip, if_name, FALSE);
2588: half_net.ptr[0] |= 0x80;
2589: status |= manage_srcroute(this, nlmsg_type, flags, half_net,
2590: half_prefixlen, gateway, src_ip, if_name, FALSE);
2591: return status;
2592: }
2593:
2594: memset(&request, 0, sizeof(request));
2595:
2596: hdr = &request.hdr;
2597: hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
2598: hdr->nlmsg_type = nlmsg_type;
2599: hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
2600:
2601: msg = NLMSG_DATA(hdr);
2602: msg->rtm_family = (dst_net.len == 4) ? AF_INET : AF_INET6;
2603: msg->rtm_dst_len = prefixlen;
2604: msg->rtm_protocol = RTPROT_STATIC;
2605: msg->rtm_type = pass ? RTN_THROW : RTN_UNICAST;
2606: msg->rtm_scope = RT_SCOPE_UNIVERSE;
2607:
2608: if (this->routing_table < 256)
2609: {
2610: msg->rtm_table = this->routing_table;
2611: }
2612: else
2613: {
2614: #ifdef HAVE_RTA_TABLE
2615: chunk = chunk_from_thing(this->routing_table);
2616: netlink_add_attribute(hdr, RTA_TABLE, chunk, sizeof(request));
2617: #else
2618: DBG1(DBG_KNL, "routing table IDs > 255 are not supported");
2619: return FAILED;
2620: #endif /* HAVE_RTA_TABLE */
2621: }
2622: netlink_add_attribute(hdr, RTA_DST, dst_net, sizeof(request));
2623:
2624: /* only when installing regular routes do we need all the parameters,
2625: * deletes are done by destination net (except if metrics are used, which
2626: * we don't support), for throw routes we don't need any of them either */
2627: if (nlmsg_type == RTM_NEWROUTE && !pass)
2628: {
2629: chunk = src_ip->get_address(src_ip);
2630: netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
2631: if (gateway && gateway->get_family(gateway) == src_ip->get_family(src_ip))
2632: {
2633: chunk = gateway->get_address(gateway);
2634: netlink_add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
2635: }
2636: ifindex = get_interface_index(this, if_name);
2637: chunk.ptr = (char*)&ifindex;
2638: chunk.len = sizeof(ifindex);
2639: netlink_add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
2640:
2641: if (this->mtu || this->mss)
2642: {
2643: chunk = chunk_alloca(RTA_LENGTH((sizeof(struct rtattr) +
2644: sizeof(uint32_t)) * 2));
2645: chunk.len = 0;
2646: rta = (struct rtattr*)chunk.ptr;
2647: if (this->mtu)
2648: {
2649: rta->rta_type = RTAX_MTU;
2650: rta->rta_len = RTA_LENGTH(sizeof(uint32_t));
2651: memcpy(RTA_DATA(rta), &this->mtu, sizeof(uint32_t));
2652: chunk.len = rta->rta_len;
2653: }
2654: if (this->mss)
2655: {
2656: rta = (struct rtattr*)(chunk.ptr + RTA_ALIGN(chunk.len));
2657: rta->rta_type = RTAX_ADVMSS;
2658: rta->rta_len = RTA_LENGTH(sizeof(uint32_t));
2659: memcpy(RTA_DATA(rta), &this->mss, sizeof(uint32_t));
2660: chunk.len = RTA_ALIGN(chunk.len) + rta->rta_len;
2661: }
2662: netlink_add_attribute(hdr, RTA_METRICS, chunk, sizeof(request));
2663: }
2664: }
2665: return this->socket->send_ack(this->socket, hdr);
2666: }
2667:
2668: /**
2669: * Helper struct used to check routes
2670: */
2671: typedef struct {
2672: /** the entry we look for */
2673: route_entry_t route;
2674: /** kernel interface */
2675: private_kernel_netlink_net_t *this;
2676: } route_entry_lookup_t;
2677:
2678: /**
2679: * Check if a matching route entry has a VIP associated
2680: */
2681: static bool route_with_vip(route_entry_lookup_t *a, route_entry_t *b)
2682: {
2683: if (chunk_equals(a->route.dst_net, b->dst_net) &&
2684: a->route.prefixlen == b->prefixlen &&
2685: is_known_vip(a->this, b->src_ip))
2686: {
2687: return TRUE;
2688: }
2689: return FALSE;
2690: }
2691:
2692: /**
2693: * Check if there is any route entry with a matching destination
2694: */
2695: static bool route_with_dst(route_entry_lookup_t *a, route_entry_t *b)
2696: {
2697: if (chunk_equals(a->route.dst_net, b->dst_net) &&
2698: a->route.prefixlen == b->prefixlen)
2699: {
2700: return TRUE;
2701: }
2702: return FALSE;
2703: }
2704:
2705: METHOD(kernel_net_t, add_route, status_t,
2706: private_kernel_netlink_net_t *this, chunk_t dst_net, uint8_t prefixlen,
2707: host_t *gateway, host_t *src_ip, char *if_name, bool pass)
2708: {
2709: status_t status;
2710: route_entry_t *found;
2711: route_entry_lookup_t lookup = {
2712: .route = {
2713: .dst_net = dst_net,
2714: .prefixlen = prefixlen,
2715: .gateway = gateway,
2716: .src_ip = src_ip,
2717: .if_name = if_name,
2718: .pass = pass,
2719: },
2720: .this = this,
2721: };
2722:
2723: if (!this->routing_table)
2724: { /* treat these as regular routes if installing in the main table */
2725: pass = lookup.route.pass = FALSE;
2726: }
2727:
2728: this->routes_lock->lock(this->routes_lock);
2729: found = this->routes->get(this->routes, &lookup.route);
2730: if (found)
2731: {
2732: this->routes_lock->unlock(this->routes_lock);
2733: return ALREADY_DONE;
2734: }
2735:
2736: /* don't replace the route if we already have one with a VIP installed,
2737: * but keep track of it in case that other route is uninstalled */
2738: this->lock->read_lock(this->lock);
2739: if (!is_known_vip(this, src_ip))
2740: {
2741: found = this->routes->get_match(this->routes, &lookup,
2742: (void*)route_with_vip);
2743: }
2744: this->lock->unlock(this->lock);
2745: if (found)
2746: {
2747: status = SUCCESS;
2748: }
2749: else
2750: {
2751: status = manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE|NLM_F_REPLACE,
2752: dst_net, prefixlen, gateway, src_ip, if_name,
2753: pass);
2754: }
2755: if (status == SUCCESS)
2756: {
2757: found = route_entry_clone(&lookup.route);
2758: this->routes->put(this->routes, found, found);
2759: }
2760: this->routes_lock->unlock(this->routes_lock);
2761: return status;
2762: }
2763:
2764: METHOD(kernel_net_t, del_route, status_t,
2765: private_kernel_netlink_net_t *this, chunk_t dst_net, uint8_t prefixlen,
2766: host_t *gateway, host_t *src_ip, char *if_name, bool pass)
2767: {
2768: status_t status;
2769: route_entry_t *found;
2770: route_entry_lookup_t lookup = {
2771: .route = {
2772: .dst_net = dst_net,
2773: .prefixlen = prefixlen,
2774: .gateway = gateway,
2775: .src_ip = src_ip,
2776: .if_name = if_name,
2777: .pass = pass,
2778: },
2779: .this = this,
2780: };
2781:
2782: if (!this->routing_table)
2783: { /* treat these as regular routes if installing in the main table */
2784: pass = lookup.route.pass = FALSE;
2785: }
2786:
2787: this->routes_lock->lock(this->routes_lock);
2788: found = this->routes->remove(this->routes, &lookup.route);
2789: if (!found)
2790: {
2791: this->routes_lock->unlock(this->routes_lock);
2792: return NOT_FOUND;
2793: }
2794: route_entry_destroy(found);
2795:
2796: /* check if there are any other routes for the same destination and if
2797: * so update the route, otherwise uninstall it */
2798: this->lock->read_lock(this->lock);
2799: found = this->routes->get_match(this->routes, &lookup,
2800: (void*)route_with_vip);
2801: this->lock->unlock(this->lock);
2802: if (!found)
2803: {
2804: found = this->routes->get_match(this->routes, &lookup,
2805: (void*)route_with_dst);
2806: }
2807: if (found)
2808: {
2809: status = manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE|NLM_F_REPLACE,
2810: found->dst_net, found->prefixlen, found->gateway,
2811: found->src_ip, found->if_name, found->pass);
2812: }
2813: else
2814: {
2815: status = manage_srcroute(this, RTM_DELROUTE, 0, dst_net, prefixlen,
2816: gateway, src_ip, if_name, pass);
2817: }
2818: this->routes_lock->unlock(this->routes_lock);
2819: return status;
2820: }
2821:
2822: /**
2823: * Initialize a list of local addresses.
2824: */
2825: static status_t init_address_list(private_kernel_netlink_net_t *this)
2826: {
2827: netlink_buf_t request;
2828: struct nlmsghdr *out, *current, *in;
2829: struct rtgenmsg *msg;
2830: size_t len;
2831: enumerator_t *ifaces, *addrs;
2832: iface_entry_t *iface;
2833: addr_entry_t *addr;
2834:
2835: DBG2(DBG_KNL, "known interfaces and IP addresses:");
2836:
2837: memset(&request, 0, sizeof(request));
2838:
2839: in = &request.hdr;
2840: in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
2841: in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
2842: msg = NLMSG_DATA(in);
2843: msg->rtgen_family = AF_UNSPEC;
2844:
2845: /* get all links */
2846: in->nlmsg_type = RTM_GETLINK;
2847: if (this->socket->send(this->socket, in, &out, &len) != SUCCESS)
2848: {
2849: return FAILED;
2850: }
2851: current = out;
2852: while (NLMSG_OK(current, len))
2853: {
2854: switch (current->nlmsg_type)
2855: {
2856: case NLMSG_DONE:
2857: break;
2858: case RTM_NEWLINK:
2859: process_link(this, current, FALSE);
2860: /* fall through */
2861: default:
2862: current = NLMSG_NEXT(current, len);
2863: continue;
2864: }
2865: break;
2866: }
2867: free(out);
2868:
2869: /* get all interface addresses */
2870: in->nlmsg_type = RTM_GETADDR;
2871: if (this->socket->send(this->socket, in, &out, &len) != SUCCESS)
2872: {
2873: return FAILED;
2874: }
2875: current = out;
2876: while (NLMSG_OK(current, len))
2877: {
2878: switch (current->nlmsg_type)
2879: {
2880: case NLMSG_DONE:
2881: break;
2882: case RTM_NEWADDR:
2883: process_addr(this, current, FALSE);
2884: /* fall through */
2885: default:
2886: current = NLMSG_NEXT(current, len);
2887: continue;
2888: }
2889: break;
2890: }
2891: free(out);
2892:
2893: this->lock->read_lock(this->lock);
2894: ifaces = this->ifaces->create_enumerator(this->ifaces);
2895: while (ifaces->enumerate(ifaces, &iface))
2896: {
2897: if (iface_entry_up_and_usable(iface))
2898: {
2899: DBG2(DBG_KNL, " %s", iface->ifname);
2900: addrs = iface->addrs->create_enumerator(iface->addrs);
2901: while (addrs->enumerate(addrs, (void**)&addr))
2902: {
2903: DBG2(DBG_KNL, " %H", addr->ip);
2904: }
2905: addrs->destroy(addrs);
2906: }
2907: }
2908: ifaces->destroy(ifaces);
2909: this->lock->unlock(this->lock);
2910: return SUCCESS;
2911: }
2912:
2913: /**
2914: * create or delete a rule to use our routing table
2915: */
2916: static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type,
2917: int family, uint32_t table, uint32_t prio)
2918: {
2919: netlink_buf_t request;
2920: struct nlmsghdr *hdr;
2921: struct rtmsg *msg;
2922: chunk_t chunk;
2923: char *fwmark;
2924:
2925: memset(&request, 0, sizeof(request));
2926: hdr = &request.hdr;
2927: hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2928: hdr->nlmsg_type = nlmsg_type;
2929: if (nlmsg_type == RTM_NEWRULE)
2930: {
2931: hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_EXCL;
2932: }
2933: hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
2934:
2935: msg = NLMSG_DATA(hdr);
2936: msg->rtm_family = family;
2937: msg->rtm_protocol = RTPROT_BOOT;
2938: msg->rtm_scope = RT_SCOPE_UNIVERSE;
2939: msg->rtm_type = RTN_UNICAST;
2940:
2941: if (this->routing_table < 256)
2942: {
2943: msg->rtm_table = table;
2944: }
2945: else
2946: {
2947: #ifdef HAVE_LINUX_FIB_RULES_H
2948: chunk = chunk_from_thing(table);
2949: netlink_add_attribute(hdr, FRA_TABLE, chunk, sizeof(request));
2950: #else
2951: DBG1(DBG_KNL, "routing table IDs > 255 are not supported");
2952: return FAILED;
2953: #endif /* HAVE_LINUX_FIB_RULES_H */
2954: }
2955: chunk = chunk_from_thing(prio);
2956: netlink_add_attribute(hdr, RTA_PRIORITY, chunk, sizeof(request));
2957:
2958: fwmark = lib->settings->get_str(lib->settings,
2959: "%s.plugins.kernel-netlink.fwmark", NULL, lib->ns);
2960: if (fwmark)
2961: {
2962: #ifdef HAVE_LINUX_FIB_RULES_H
2963: mark_t mark;
2964:
2965: if (fwmark[0] == '!')
2966: {
2967: msg->rtm_flags |= FIB_RULE_INVERT;
2968: fwmark++;
2969: }
2970: if (mark_from_string(fwmark, MARK_OP_NONE, &mark))
2971: {
2972: chunk = chunk_from_thing(mark.value);
2973: netlink_add_attribute(hdr, FRA_FWMARK, chunk, sizeof(request));
2974: chunk = chunk_from_thing(mark.mask);
2975: netlink_add_attribute(hdr, FRA_FWMASK, chunk, sizeof(request));
2976: if (msg->rtm_flags & FIB_RULE_INVERT)
2977: {
2978: this->routing_mark = mark;
2979: }
2980: }
2981: #else
2982: DBG1(DBG_KNL, "setting firewall mark on routing rule is not supported");
2983: #endif /* HAVE_LINUX_FIB_RULES_H */
2984: }
2985: return this->socket->send_ack(this->socket, hdr);
2986: }
2987:
2988: /**
2989: * check for kernel features (currently only via version number)
2990: */
2991: static void check_kernel_features(private_kernel_netlink_net_t *this)
2992: {
2993: struct utsname utsname;
2994: int a, b, c;
2995:
2996: if (uname(&utsname) == 0)
2997: {
2998: switch(sscanf(utsname.release, "%d.%d.%d", &a, &b, &c))
2999: {
3000: case 3:
3001: if (a == 2)
3002: {
3003: if (b == 6 && c >= 36)
3004: {
3005: this->rta_mark = TRUE;
3006: }
3007: DBG2(DBG_KNL, "detected Linux %d.%d.%d, no support for "
3008: "RTA_PREFSRC for IPv6 routes", a, b, c);
3009: break;
3010: }
3011: /* fall-through */
3012: case 2:
3013: /* only 3.x+ uses two part version numbers */
3014: this->rta_prefsrc_for_ipv6 = TRUE;
3015: this->rta_mark = TRUE;
3016: break;
3017: default:
3018: break;
3019: }
3020: }
3021: }
3022:
3023: /**
3024: * Destroy an address to iface map
3025: */
3026: static void addr_map_destroy(hashtable_t *map)
3027: {
3028: enumerator_t *enumerator;
3029: addr_map_entry_t *addr;
3030:
3031: enumerator = map->create_enumerator(map);
3032: while (enumerator->enumerate(enumerator, NULL, (void**)&addr))
3033: {
3034: free(addr);
3035: }
3036: enumerator->destroy(enumerator);
3037: map->destroy(map);
3038: }
3039:
3040: METHOD(kernel_net_t, destroy, void,
3041: private_kernel_netlink_net_t *this)
3042: {
3043: enumerator_t *enumerator;
3044: route_entry_t *route;
3045:
3046: if (this->routing_table)
3047: {
3048: manage_rule(this, RTM_DELRULE, AF_INET, this->routing_table,
3049: this->routing_table_prio);
3050: manage_rule(this, RTM_DELRULE, AF_INET6, this->routing_table,
3051: this->routing_table_prio);
3052: }
3053: if (this->socket_events > 0)
3054: {
3055: lib->watcher->remove(lib->watcher, this->socket_events);
3056: close(this->socket_events);
3057: }
3058: enumerator = this->routes->create_enumerator(this->routes);
3059: while (enumerator->enumerate(enumerator, NULL, (void**)&route))
3060: {
3061: manage_srcroute(this, RTM_DELROUTE, 0, route->dst_net, route->prefixlen,
3062: route->gateway, route->src_ip, route->if_name,
3063: route->pass);
3064: route_entry_destroy(route);
3065: }
3066: enumerator->destroy(enumerator);
3067: this->routes->destroy(this->routes);
3068: this->routes_lock->destroy(this->routes_lock);
3069: DESTROY_IF(this->socket);
3070:
3071: net_changes_clear(this);
3072: this->net_changes->destroy(this->net_changes);
3073: this->net_changes_lock->destroy(this->net_changes_lock);
3074:
3075: addr_map_destroy(this->addrs);
3076: addr_map_destroy(this->vips);
3077:
3078: this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
3079: this->rt_exclude->destroy(this->rt_exclude);
3080: this->roam_lock->destroy(this->roam_lock);
3081: this->condvar->destroy(this->condvar);
3082: this->lock->destroy(this->lock);
3083: free(this);
3084: }
3085:
3086: /*
3087: * Described in header.
3088: */
3089: kernel_netlink_net_t *kernel_netlink_net_create()
3090: {
3091: private_kernel_netlink_net_t *this;
3092: enumerator_t *enumerator;
3093: bool register_for_events = TRUE;
3094: char *exclude;
3095:
3096: INIT(this,
3097: .public = {
3098: .interface = {
3099: .get_interface = _get_interface_name,
3100: .create_address_enumerator = _create_address_enumerator,
3101: .create_local_subnet_enumerator = _create_local_subnet_enumerator,
3102: .get_source_addr = _get_source_addr,
3103: .get_nexthop = _get_nexthop,
3104: .add_ip = _add_ip,
3105: .del_ip = _del_ip,
3106: .add_route = _add_route,
3107: .del_route = _del_route,
3108: .destroy = _destroy,
3109: },
3110: },
3111: .socket = netlink_socket_create(NETLINK_ROUTE, rt_msg_names,
3112: lib->settings->get_bool(lib->settings,
3113: "%s.plugins.kernel-netlink.parallel_route", FALSE, lib->ns)),
3114: .rt_exclude = linked_list_create(),
3115: .routes = hashtable_create((hashtable_hash_t)route_entry_hash,
3116: (hashtable_equals_t)route_entry_equals, 16),
3117: .net_changes = hashtable_create(
3118: (hashtable_hash_t)net_change_hash,
3119: (hashtable_equals_t)net_change_equals, 16),
3120: .addrs = hashtable_create(
3121: (hashtable_hash_t)addr_map_entry_hash,
3122: (hashtable_equals_t)addr_map_entry_equals, 16),
3123: .vips = hashtable_create((hashtable_hash_t)addr_map_entry_hash,
3124: (hashtable_equals_t)addr_map_entry_equals, 16),
3125: .routes_lock = mutex_create(MUTEX_TYPE_DEFAULT),
3126: .net_changes_lock = mutex_create(MUTEX_TYPE_DEFAULT),
3127: .ifaces = linked_list_create(),
3128: .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
3129: .condvar = rwlock_condvar_create(),
3130: .roam_lock = spinlock_create(),
3131: .routing_table = lib->settings->get_int(lib->settings,
3132: "%s.routing_table", ROUTING_TABLE, lib->ns),
3133: .routing_table_prio = lib->settings->get_int(lib->settings,
3134: "%s.routing_table_prio", ROUTING_TABLE_PRIO, lib->ns),
3135: .process_route = lib->settings->get_bool(lib->settings,
3136: "%s.process_route", TRUE, lib->ns),
3137: .install_routes = lib->settings->get_bool(lib->settings,
3138: "%s.install_routes", TRUE, lib->ns),
3139: .install_virtual_ip = lib->settings->get_bool(lib->settings,
3140: "%s.install_virtual_ip", TRUE, lib->ns),
3141: .install_virtual_ip_on = lib->settings->get_str(lib->settings,
3142: "%s.install_virtual_ip_on", NULL, lib->ns),
3143: .prefer_temporary_addrs = lib->settings->get_bool(lib->settings,
3144: "%s.prefer_temporary_addrs", FALSE, lib->ns),
3145: .roam_events = lib->settings->get_bool(lib->settings,
3146: "%s.plugins.kernel-netlink.roam_events", TRUE, lib->ns),
3147: .process_rules = lib->settings->get_bool(lib->settings,
3148: "%s.plugins.kernel-netlink.process_rules", FALSE, lib->ns),
3149: .mtu = lib->settings->get_int(lib->settings,
3150: "%s.plugins.kernel-netlink.mtu", 0, lib->ns),
3151: .mss = lib->settings->get_int(lib->settings,
3152: "%s.plugins.kernel-netlink.mss", 0, lib->ns),
3153: );
3154: timerclear(&this->last_route_reinstall);
3155: timerclear(&this->next_roam);
3156:
3157: check_kernel_features(this);
3158:
3159: if (streq(lib->ns, "starter"))
3160: { /* starter has no threads, so we do not register for kernel events */
3161: register_for_events = FALSE;
3162: }
3163:
3164: exclude = lib->settings->get_str(lib->settings,
3165: "%s.ignore_routing_tables", NULL, lib->ns);
3166: if (exclude)
3167: {
3168: char *token;
3169: uintptr_t table;
3170:
3171: enumerator = enumerator_create_token(exclude, " ", " ");
3172: while (enumerator->enumerate(enumerator, &token))
3173: {
3174: errno = 0;
3175: table = strtoul(token, NULL, 10);
3176:
3177: if (errno == 0)
3178: {
3179: this->rt_exclude->insert_last(this->rt_exclude, (void*)table);
3180: }
3181: }
3182: enumerator->destroy(enumerator);
3183: }
3184:
3185: if (register_for_events)
3186: {
3187: struct sockaddr_nl addr;
3188:
3189: memset(&addr, 0, sizeof(addr));
3190: addr.nl_family = AF_NETLINK;
3191:
3192: /* create and bind RT socket for events (address/interface/route changes) */
3193: this->socket_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
3194: if (this->socket_events < 0)
3195: {
3196: DBG1(DBG_KNL, "unable to create RT event socket: %s (%d)",
3197: strerror(errno), errno);
3198: destroy(this);
3199: return NULL;
3200: }
3201: addr.nl_groups = nl_group(RTNLGRP_IPV4_IFADDR) |
3202: nl_group(RTNLGRP_IPV6_IFADDR) |
3203: nl_group(RTNLGRP_LINK);
3204: if (this->process_route)
3205: {
3206: addr.nl_groups |= nl_group(RTNLGRP_IPV4_ROUTE) |
3207: nl_group(RTNLGRP_IPV6_ROUTE);
3208: }
3209: if (this->process_rules)
3210: {
3211: addr.nl_groups |= nl_group(RTNLGRP_IPV4_RULE) |
3212: nl_group(RTNLGRP_IPV6_RULE);
3213: }
3214: if (bind(this->socket_events, (struct sockaddr*)&addr, sizeof(addr)))
3215: {
3216: DBG1(DBG_KNL, "unable to bind RT event socket: %s (%d)",
3217: strerror(errno), errno);
3218: destroy(this);
3219: return NULL;
3220: }
3221:
3222: lib->watcher->add(lib->watcher, this->socket_events, WATCHER_READ,
3223: (watcher_cb_t)receive_events, this);
3224: }
3225:
3226: if (init_address_list(this) != SUCCESS)
3227: {
3228: DBG1(DBG_KNL, "unable to get interface list");
3229: destroy(this);
3230: return NULL;
3231: }
3232:
3233: if (this->routing_table)
3234: {
3235: if (manage_rule(this, RTM_NEWRULE, AF_INET, this->routing_table,
3236: this->routing_table_prio) != SUCCESS)
3237: {
3238: DBG1(DBG_KNL, "unable to create IPv4 routing table rule");
3239: }
3240: if (manage_rule(this, RTM_NEWRULE, AF_INET6, this->routing_table,
3241: this->routing_table_prio) != SUCCESS)
3242: {
3243: DBG1(DBG_KNL, "unable to create IPv6 routing table rule");
3244: }
3245: }
3246:
3247: return &this->public;
3248: }