From: Hans Dedecker Date: Thu, 13 Nov 2014 15:57:58 +0000 (+0000) Subject: netifd: Add rpfilter config support X-Git-Url: http://git.openwrt.org/?p=project%2Fnetifd.git;a=commitdiff_plain;h=f6f065d3997ccc8d42805529e4aad59b789579ad netifd: Add rpfilter config support Reverse path filtering config support; possible values are: 0: no source validation 1|strict: strict mode as packet will be dropped if the incoming interface is not the best reverse path 2|loose: loose mode as packet will be dropped if the source address is not reachable via any interface Signed-off-by: Hans Dedecker --- diff --git a/device.c b/device.c index 5d1dcac..d261e25 100644 --- a/device.c +++ b/device.c @@ -39,6 +39,7 @@ static const struct blobmsg_policy dev_attrs[__DEV_ATTR_MAX] = { [DEV_ATTR_ENABLED] = { .name = "enabled", .type = BLOBMSG_TYPE_BOOL }, [DEV_ATTR_IPV6] = { .name = "ipv6", .type = BLOBMSG_TYPE_BOOL }, [DEV_ATTR_PROMISC] = { .name = "promisc", .type = BLOBMSG_TYPE_BOOL }, + [DEV_ATTR_RPFILTER] = { .name = "rpfilter", .type = BLOBMSG_TYPE_STRING }, }; const struct uci_blob_param_list device_attr_list = { @@ -154,6 +155,7 @@ device_merge_settings(struct device *dev, struct device_settings *n) sizeof(n->macaddr)); n->ipv6 = s->flags & DEV_OPT_IPV6 ? s->ipv6 : os->ipv6; n->promisc = s->flags & DEV_OPT_PROMISC ? s->promisc : os->promisc; + n->rpfilter = s->flags & DEV_OPT_RPFILTER ? s->rpfilter : os->rpfilter; n->flags = s->flags | os->flags; } @@ -197,6 +199,13 @@ device_init_settings(struct device *dev, struct blob_attr **tb) s->flags |= DEV_OPT_PROMISC; } + if ((cur = tb[DEV_ATTR_RPFILTER])) { + if (system_resolve_rpfilter(blobmsg_data(cur), &s->rpfilter)) + s->flags |= DEV_OPT_RPFILTER; + else + DPRINTF("Failed to resolve rpfilter: %s\n", (char *) blobmsg_data(cur)); + } + device_set_disabled(dev, disabled); } @@ -734,6 +743,8 @@ device_dump_status(struct blob_buf *b, struct device *dev) blobmsg_add_u8(b, "ipv6", st.ipv6); if (st.flags & DEV_OPT_PROMISC) blobmsg_add_u8(b, "promisc", st.promisc); + if (st.flags & DEV_OPT_RPFILTER) + blobmsg_add_u32(b, "rpfilter", st.rpfilter); } s = blobmsg_open_table(b, "statistics"); diff --git a/device.h b/device.h index adf72c5..0af65be 100644 --- a/device.h +++ b/device.h @@ -33,6 +33,7 @@ enum { DEV_ATTR_ENABLED, DEV_ATTR_IPV6, DEV_ATTR_PROMISC, + DEV_ATTR_RPFILTER, __DEV_ATTR_MAX, }; @@ -66,6 +67,7 @@ enum { DEV_OPT_TXQUEUELEN = (1 << 2), DEV_OPT_IPV6 = (1 << 3), DEV_OPT_PROMISC = (1 << 4), + DEV_OPT_RPFILTER = (1 << 5), }; /* events broadcasted to all users of a device */ @@ -113,6 +115,7 @@ struct device_settings { uint8_t macaddr[6]; bool ipv6; bool promisc; + unsigned int rpfilter; }; /* diff --git a/system-dummy.c b/system-dummy.c index 7d54315..76c6ffa 100644 --- a/system-dummy.c +++ b/system-dummy.c @@ -209,6 +209,12 @@ bool system_is_default_rt_table(unsigned int id) return true; } +bool system_resolve_rpfilter(const char *filter, unsigned int *id) +{ + *id = 0; + return true; +} + int system_add_iprule(struct iprule *rule) { return 0; diff --git a/system-linux.c b/system-linux.c index 01c3deb..bb7ccf9 100644 --- a/system-linux.c +++ b/system-linux.c @@ -265,6 +265,11 @@ static void system_set_disable_ipv6(struct device *dev, const char *val) system_set_dev_sysctl("/proc/sys/net/ipv6/conf/%s/disable_ipv6", dev->ifname, val); } +static void system_set_rpfilter(struct device *dev, const char *val) +{ + system_set_dev_sysctl("/proc/sys/net/ipv4/conf/%s/rp_filter", dev->ifname, val); +} + static int system_get_sysctl(const char *path, char *buf, const size_t buf_sz) { int fd = -1, ret = -1; @@ -299,6 +304,12 @@ static int system_get_disable_ipv6(struct device *dev, char *buf, const size_t b dev->ifname, buf, buf_sz); } +static int system_get_rpfilter(struct device *dev, char *buf, const size_t buf_sz) +{ + return system_get_dev_sysctl("/proc/sys/net/ipv4/conf/%s/rp_filter", + dev->ifname, buf, buf_sz); +} + // Evaluate netlink messages static int cb_rtnl_event(struct nl_msg *msg, void *arg) { @@ -953,6 +964,11 @@ system_if_get_settings(struct device *dev, struct device_settings *s) s->promisc = ifr.ifr_flags & IFF_PROMISC; s->flags |= DEV_OPT_PROMISC; } + + if (!system_get_rpfilter(dev, buf, sizeof(buf))) { + s->rpfilter = strtoul(buf, NULL, 0); + s->flags |= DEV_OPT_RPFILTER; + } } void @@ -988,6 +1004,12 @@ system_if_apply_settings(struct device *dev, struct device_settings *s, unsigned !s->promisc ? IFF_PROMISC : 0) < 0) s->flags &= ~DEV_OPT_PROMISC; } + if (s->flags & DEV_OPT_RPFILTER & apply_mask) { + char buf[2]; + + snprintf(buf, sizeof(buf), "%d", s->rpfilter); + system_set_rpfilter(dev, buf); + } } int system_if_up(struct device *dev) @@ -1506,6 +1528,25 @@ bool system_is_default_rt_table(unsigned int id) return (id == RT_TABLE_MAIN); } +bool system_resolve_rpfilter(const char *filter, unsigned int *id) +{ + char *e; + unsigned int n; + + if (!strcmp(filter, "strict")) + n = 1; + else if (!strcmp(filter, "loose")) + n = 2; + else { + n = strtoul(filter, &e, 0); + if (*e || e == filter || n > 2) + return false; + } + + *id = n; + return true; +} + static int system_iprule(struct iprule *rule, int cmd) { int alen = ((rule->flags & IPRULE_FAMILY) == IPRULE_INET4) ? 4 : 16; diff --git a/system.h b/system.h index 3bf6f97..9a2326b 100644 --- a/system.h +++ b/system.h @@ -135,6 +135,7 @@ int system_flush_routes(void); bool system_resolve_rt_type(const char *type, unsigned int *id); bool system_resolve_rt_table(const char *name, unsigned int *id); bool system_is_default_rt_table(unsigned int id); +bool system_resolve_rpfilter(const char *filter, unsigned int *id); int system_del_ip_tunnel(const char *name, struct blob_attr *attr); int system_add_ip_tunnel(const char *name, struct blob_attr *attr);