1 /* User-kernel network link */
3 /* See RFCs 791, 792, 1123 and 1812 */
5 /* The netlink device is actually a router. Tunnels are unnumbered
6 point-to-point lines (RFC1812 section 2.2.7); the router has a
7 single address (the 'router-id'). */
9 /* This is where we currently have the anti-spoofing paranoia - before
10 sending a packet to the kernel we check that the tunnel it came
11 over could reasonably have produced it. */
14 /* Points to note from RFC1812 (which may require changes in this
17 3.3.4 Maximum Transmission Unit - MTU
19 The MTU of each logical interface MUST be configurable within the
20 range of legal MTUs for the interface.
22 Many Link Layer protocols define a maximum frame size that may be
23 sent. In such cases, a router MUST NOT allow an MTU to be set which
24 would allow sending of frames larger than those allowed by the Link
25 Layer protocol. However, a router SHOULD be willing to receive a
26 packet as large as the maximum frame size even if that is larger than
29 4.2.1 A router SHOULD count datagrams discarded.
31 4.2.2.1 Source route options - we probably should implement processing
32 of source routes, even though mostly the security policy will prevent
35 5.3.13.4 Source Route Options
37 A router MUST implement support for source route options in forwarded
38 packets. A router MAY implement a configuration option that, when
39 enabled, causes all source-routed packets to be discarded. However,
40 such an option MUST NOT be enabled by default.
42 5.3.13.5 Record Route Option
44 Routers MUST support the Record Route option in forwarded packets.
46 A router MAY provide a configuration option that, if enabled, will
47 cause the router to ignore (i.e., pass through unchanged) Record
48 Route options in forwarded packets. If provided, such an option MUST
49 default to enabling the record-route. This option should not affect
50 the processing of Record Route options in datagrams received by the
51 router itself (in particular, Record Route options in ICMP echo
52 requests will still be processed according to Section [4.3.3.6]).
54 5.3.13.6 Timestamp Option
56 Routers MUST support the timestamp option in forwarded packets. A
57 timestamp value MUST follow the rules given [INTRO:2].
59 If the flags field = 3 (timestamp and prespecified address), the
60 router MUST add its timestamp if the next prespecified address
61 matches any of the router's IP addresses. It is not necessary that
62 the prespecified address be either the address of the interface on
63 which the packet arrived or the address of the interface over which
67 4.2.2.7 Fragmentation: RFC 791 Section 3.2
69 Fragmentation, as described in [INTERNET:1], MUST be supported by a
72 4.2.2.8 Reassembly: RFC 791 Section 3.2
74 As specified in the corresponding section of [INTRO:2], a router MUST
75 support reassembly of datagrams that it delivers to itself.
77 4.2.2.9 Time to Live: RFC 791 Section 3.2
79 Note in particular that a router MUST NOT check the TTL of a packet
80 except when forwarding it.
82 A router MUST NOT discard a datagram just because it was received
83 with TTL equal to zero or one; if it is to the router and otherwise
84 valid, the router MUST attempt to receive it.
86 On messages the router originates, the IP layer MUST provide a means
87 for the transport layer to set the TTL field of every datagram that
88 is sent. When a fixed TTL value is used, it MUST be configurable.
91 8.1 The Simple Network Management Protocol - SNMP
92 8.1.1 SNMP Protocol Elements
94 Routers MUST be manageable by SNMP [MGT:3]. The SNMP MUST operate
95 using UDP/IP as its transport and network protocols.
109 #define ICMP_TYPE_ECHO_REPLY 0
111 #define ICMP_TYPE_UNREACHABLE 3
112 #define ICMP_CODE_NET_UNREACHABLE 0
113 #define ICMP_CODE_PROTOCOL_UNREACHABLE 2
114 #define ICMP_CODE_FRAGMENTATION_REQUIRED 4
115 #define ICMP_CODE_NET_PROHIBITED 13
117 #define ICMP_TYPE_ECHO_REQUEST 8
119 #define ICMP_TYPE_TIME_EXCEEDED 11
120 #define ICMP_CODE_TTL_EXCEEDED 0
122 /* Generic IP checksum routine */
123 static inline uint16_t ip_csum(uint8_t *iph,int32_t count)
125 register uint32_t sum=0;
128 sum+=ntohs(*(uint16_t *)iph);
133 sum+=*(uint8_t *)iph;
135 sum=(sum&0xffff)+(sum>>16);
141 * This is a version of ip_compute_csum() optimized for IP headers,
142 * which always checksum on 4 octet boundaries.
144 * By Jorge Cwik <jorge@laser.satlink.net>, adapted for linux by
147 static inline uint16_t ip_fast_csum(uint8_t *iph, int32_t ihl) {
150 __asm__ __volatile__(
156 "adcl 12(%1), %0 ;\n"
157 "1: adcl 16(%1), %0 ;\n"
168 /* Since the input registers which are loaded with iph and ipl
169 are modified, we must also specify them as outputs, or gcc
170 will assume they contain their original values. */
171 : "=r" (sum), "=r" (iph), "=r" (ihl)
172 : "1" (iph), "2" (ihl)
177 static inline uint16_t ip_fast_csum(uint8_t *iph, int32_t ihl)
179 assert(ihl < INT_MAX/4);
180 return ip_csum(iph,ihl*4);
185 #if defined (WORDS_BIGENDIAN)
196 #define IPHDR_FRAG_OFF ((uint16_t)0x1fff)
197 #define IPHDR_FRAG_MORE ((uint16_t)0x2000)
198 #define IPHDR_FRAG_DONT ((uint16_t)0x4000)
199 /* reserved 0x8000 */
205 /* The options start here. */
213 union icmpinfofield {
228 static const union icmpinfofield icmp_noinfo;
230 static void netlink_packet_deliver(struct netlink *st,
231 struct netlink_client *client,
232 struct buffer_if *buf);
234 /* XXX RFC1812 4.3.2.5:
235 All other ICMP error messages (Destination Unreachable,
236 Redirect, Time Exceeded, and Parameter Problem) SHOULD have their
237 precedence value set to 6 (INTERNETWORK CONTROL) or 7 (NETWORK
238 CONTROL). The IP Precedence value for these error messages MAY be
241 static struct icmphdr *netlink_icmp_tmpl(struct netlink *st,
242 uint32_t dest,uint16_t len)
246 BUF_ALLOC(&st->icmp,"netlink_icmp_tmpl");
247 buffer_init(&st->icmp,calculate_max_start_pad());
248 h=buf_append(&st->icmp,sizeof(*h));
253 h->iph.tot_len=htons(len+(h->iph.ihl*4)+8);
256 h->iph.ttl=255; /* XXX should be configurable */
258 h->iph.saddr=htonl(st->secnet_address);
259 h->iph.daddr=htonl(dest);
261 h->iph.check=ip_fast_csum((uint8_t *)&h->iph,h->iph.ihl);
268 /* Fill in the ICMP checksum field correctly */
269 static void netlink_icmp_csum(struct icmphdr *h)
273 len=ntohs(h->iph.tot_len)-(4*h->iph.ihl);
275 h->check=ip_csum(&h->type,len);
279 * An ICMP error message MUST NOT be sent as the result of
282 * * an ICMP error message, or
284 * * a datagram destined to an IP broadcast or IP multicast
287 * * a datagram sent as a link-layer broadcast, or
289 * * a non-initial fragment, or
291 * * a datagram whose source address does not define a single
292 * host -- e.g., a zero address, a loopback address, a
293 * broadcast address, a multicast address, or a Class E
296 static bool_t netlink_icmp_may_reply(struct buffer_if *buf)
299 struct icmphdr *icmph;
302 if (buf->size < (int)sizeof(struct icmphdr)) return False;
303 iph=(struct iphdr *)buf->start;
304 icmph=(struct icmphdr *)buf->start;
305 if (iph->protocol==1) {
306 switch(icmph->type) {
307 case 3: /* Destination unreachable */
308 case 11: /* Time Exceeded */
309 case 12: /* Parameter Problem */
313 /* How do we spot broadcast destination addresses? */
314 if (ntohs(iph->frag_off)&IPHDR_FRAG_OFF) return False;
315 source=ntohl(iph->saddr);
316 if (source==0) return False;
317 if ((source&0xff000000)==0x7f000000) return False;
318 /* How do we spot broadcast source addresses? */
319 if ((source&0xf0000000)==0xe0000000) return False; /* Multicast */
320 if ((source&0xf0000000)==0xf0000000) return False; /* Class E */
324 /* How much of the original IP packet do we include in its ICMP
325 response? The header plus up to 64 bits. */
328 4.3.2.3 Original Message Header
330 Historically, every ICMP error message has included the Internet
331 header and at least the first 8 data bytes of the datagram that
332 triggered the error. This is no longer adequate, due to the use of
333 IP-in-IP tunneling and other technologies. Therefore, the ICMP
334 datagram SHOULD contain as much of the original datagram as possible
335 without the length of the ICMP datagram exceeding 576 bytes. The
336 returned IP header (and user data) MUST be identical to that which
337 was received, except that the router is not required to undo any
338 modifications to the IP header that are normally performed in
339 forwarding that were performed before the error was detected (e.g.,
340 decrementing the TTL, or updating options). Note that the
341 requirements of Section [4.3.3.5] supersede this requirement in some
342 cases (i.e., for a Parameter Problem message, if the problem is in a
343 modified field, the router must undo the modification). See Section
346 static uint16_t netlink_icmp_reply_len(struct buffer_if *buf)
348 if (buf->size < (int)sizeof(struct iphdr)) return 0;
349 struct iphdr *iph=(struct iphdr *)buf->start;
353 /* We include the first 8 bytes of the packet data, provided they exist */
355 plen=ntohs(iph->tot_len);
356 return (hlen>plen?plen:hlen);
359 /* client indicates where the packet we're constructing a response to
360 comes from. NULL indicates the host. */
361 static void netlink_icmp_simple(struct netlink *st, struct buffer_if *buf,
362 struct netlink_client *client,
363 uint8_t type, uint8_t code,
364 union icmpinfofield info)
369 if (netlink_icmp_may_reply(buf)) {
370 struct iphdr *iph=(struct iphdr *)buf->start;
371 len=netlink_icmp_reply_len(buf);
372 h=netlink_icmp_tmpl(st,ntohl(iph->saddr),len);
373 h->type=type; h->code=code; h->d=info;
374 memcpy(buf_append(&st->icmp,len),buf->start,len);
375 netlink_icmp_csum(h);
376 netlink_packet_deliver(st,NULL,&st->icmp);
377 BUF_ASSERT_FREE(&st->icmp);
382 * RFC1122: 3.1.2.2 MUST silently discard any IP frame that fails the
384 * RFC1812: 4.2.2.5 MUST discard messages containing invalid checksums.
386 * Is the datagram acceptable?
388 * 1. Length at least the size of an ip header
390 * 3. Checksums correctly.
391 * 4. Doesn't have a bogus length
393 static bool_t netlink_check(struct netlink *st, struct buffer_if *buf,
394 char *errmsgbuf, int errmsgbuflen)
396 #define BAD(...) do{ \
397 snprintf(errmsgbuf,errmsgbuflen,__VA_ARGS__); \
401 if (buf->size < (int)sizeof(struct iphdr)) BAD("len %"PRIu32"",buf->size);
402 struct iphdr *iph=(struct iphdr *)buf->start;
405 if (iph->ihl < 5) BAD("ihl %u",iph->ihl);
406 if (iph->version != 4) BAD("version %u",iph->version);
407 if (buf->size < iph->ihl*4) BAD("size %"PRId32"<%u*4",buf->size,iph->ihl);
408 if (ip_fast_csum((uint8_t *)iph, iph->ihl)!=0) BAD("csum");
409 len=ntohs(iph->tot_len);
410 /* There should be no padding */
411 if (buf->size!=len) BAD("len %"PRId32"!=%"PRId32,buf->size,len);
412 if (len<(iph->ihl<<2)) BAD("len %"PRId32"<(%u<<2)",len,iph->ihl);
413 /* XXX check that there's no source route specified */
419 /* Deliver a packet _to_ client; used after we have decided
420 * what to do with it (and just to check that the client has
421 * actually registered a delivery function with us). */
422 static void netlink_client_deliver(struct netlink *st,
423 struct netlink_client *client,
424 uint32_t source, uint32_t dest,
425 struct buffer_if *buf)
427 if (!client->deliver) {
429 s=ipaddr_to_string(source);
430 d=ipaddr_to_string(dest);
431 Message(M_ERR,"%s: dropping %s->%s, client not registered\n",
437 client->deliver(client->dst, buf);
441 /* Deliver a packet. "client" is the _origin_ of the packet, not its
442 destination, and is NULL for packets from the host and packets
443 generated internally in secnet. */
444 static void netlink_packet_deliver(struct netlink *st,
445 struct netlink_client *client,
446 struct buffer_if *buf)
448 if (buf->size < (int)sizeof(struct iphdr)) {
449 Message(M_ERR,"%s: trying to deliver a too-short packet"
450 " from %s!\n",st->name, client?client->name:"(local)");
455 struct iphdr *iph=(struct iphdr *)buf->start;
456 uint32_t dest=ntohl(iph->daddr);
457 uint32_t source=ntohl(iph->saddr);
458 uint32_t best_quality;
459 bool_t allow_route=False;
460 bool_t found_allowed=False;
464 BUF_ASSERT_USED(buf);
466 if (dest==st->secnet_address) {
467 Message(M_ERR,"%s: trying to deliver a packet to myself!\n",st->name);
472 /* Packets from the host (client==NULL) may always be routed. Packets
473 from clients with the allow_route option will also be routed. */
474 if (!client || (client && (client->options & OPT_ALLOWROUTE)))
477 /* If !allow_route, we check the routing table anyway, and if
478 there's a suitable route with OPT_ALLOWROUTE set we use it. If
479 there's a suitable route, but none with OPT_ALLOWROUTE set then
480 we generate ICMP 'communication with destination network
481 administratively prohibited'. */
485 for (i=0; i<st->n_clients; i++) {
486 if (st->routes[i]->up &&
487 ipset_contains_addr(st->routes[i]->networks,dest)) {
488 /* It's an available route to the correct destination. But is
489 it better than the one we already have? */
491 /* If we have already found an allowed route then we don't
492 bother looking at routes we're not allowed to use. If
493 we don't yet have an allowed route we'll consider any. */
494 if (!allow_route && found_allowed) {
495 if (!(st->routes[i]->options&OPT_ALLOWROUTE)) continue;
498 if (st->routes[i]->link_quality>best_quality
499 || best_quality==0) {
500 best_quality=st->routes[i]->link_quality;
502 if (st->routes[i]->options&OPT_ALLOWROUTE)
504 /* If quality isn't perfect we may wish to
505 consider kicking the tunnel with a 0-length
506 packet to prompt it to perform a key setup.
507 Then it'll eventually decide it's up or
509 /* If quality is perfect and we're allowed to use the
510 route we don't need to search any more. */
511 if (best_quality>=MAXIMUM_LINK_QUALITY &&
512 (allow_route || found_allowed)) break;
516 if (best_match==-1) {
517 /* The packet's not going down a tunnel. It might (ought to)
519 if (ipset_contains_addr(st->networks,dest)) {
520 st->deliver_to_host(st->dst,buf);
522 BUF_ASSERT_FREE(buf);
525 s=ipaddr_to_string(source);
526 d=ipaddr_to_string(dest);
527 Message(M_DEBUG,"%s: don't know where to deliver packet "
528 "(s=%s, d=%s)\n", st->name, s, d);
530 netlink_icmp_simple(st,buf,client,ICMP_TYPE_UNREACHABLE,
531 ICMP_CODE_NET_UNREACHABLE, icmp_noinfo);
536 !(st->routes[best_match]->options&OPT_ALLOWROUTE)) {
538 s=ipaddr_to_string(source);
539 d=ipaddr_to_string(dest);
540 /* We have a usable route but aren't allowed to use it.
541 Generate ICMP destination unreachable: communication
542 with destination network administratively prohibited */
543 Message(M_NOTICE,"%s: denied forwarding for packet (s=%s, d=%s)\n",
547 netlink_icmp_simple(st,buf,client,ICMP_TYPE_UNREACHABLE,
548 ICMP_CODE_NET_PROHIBITED, icmp_noinfo);
551 if (best_quality>0) {
552 /* XXX Fragment if required */
553 netlink_client_deliver(st,st->routes[best_match],
555 BUF_ASSERT_FREE(buf);
557 /* Generate ICMP destination unreachable */
558 netlink_icmp_simple(st,buf,client,/* client==NULL */
559 ICMP_TYPE_UNREACHABLE,
560 ICMP_CODE_NET_UNREACHABLE,
566 BUF_ASSERT_FREE(buf);
569 static void netlink_packet_forward(struct netlink *st,
570 struct netlink_client *client,
571 struct buffer_if *buf)
573 if (buf->size < (int)sizeof(struct iphdr)) return;
574 struct iphdr *iph=(struct iphdr *)buf->start;
576 BUF_ASSERT_USED(buf);
578 /* Packet has already been checked */
580 /* Generate ICMP time exceeded */
581 netlink_icmp_simple(st,buf,client,ICMP_TYPE_TIME_EXCEEDED,
582 ICMP_CODE_TTL_EXCEEDED,icmp_noinfo);
588 iph->check=ip_fast_csum((uint8_t *)iph,iph->ihl);
590 netlink_packet_deliver(st,client,buf);
591 BUF_ASSERT_FREE(buf);
594 /* Deal with packets addressed explicitly to us */
595 static void netlink_packet_local(struct netlink *st,
596 struct netlink_client *client,
597 struct buffer_if *buf)
603 if (buf->size < (int)sizeof(struct icmphdr)) {
604 Message(M_WARNING,"%s: short packet addressed to secnet; "
605 "ignoring it\n",st->name);
609 h=(struct icmphdr *)buf->start;
611 if ((ntohs(h->iph.frag_off)&(IPHDR_FRAG_OFF|IPHDR_FRAG_MORE))!=0) {
612 Message(M_WARNING,"%s: fragmented packet addressed to secnet; "
613 "ignoring it\n",st->name);
618 if (h->iph.protocol==1) {
620 if (h->type==ICMP_TYPE_ECHO_REQUEST && h->code==0) {
621 /* ICMP echo-request. Special case: we re-use the buffer
622 to construct the reply. */
623 h->type=ICMP_TYPE_ECHO_REPLY;
624 h->iph.daddr=h->iph.saddr;
625 h->iph.saddr=htonl(st->secnet_address);
628 h->iph.check=ip_fast_csum((uint8_t *)h,h->iph.ihl);
629 netlink_icmp_csum(h);
630 netlink_packet_deliver(st,NULL,buf);
633 Message(M_WARNING,"%s: unknown incoming ICMP\n",st->name);
635 /* Send ICMP protocol unreachable */
636 netlink_icmp_simple(st,buf,client,ICMP_TYPE_UNREACHABLE,
637 ICMP_CODE_PROTOCOL_UNREACHABLE,icmp_noinfo);
645 /* If cid==NULL packet is from host, otherwise cid specifies which tunnel
647 static void netlink_incoming(struct netlink *st, struct netlink_client *client,
648 struct buffer_if *buf)
650 uint32_t source,dest;
653 const char *sourcedesc=client?client->name:"host";
655 BUF_ASSERT_USED(buf);
657 if (!netlink_check(st,buf,errmsgbuf,sizeof(errmsgbuf))) {
658 Message(M_WARNING,"%s: bad IP packet from %s: %s\n",
664 assert(buf->size >= (int)sizeof(struct icmphdr));
665 iph=(struct iphdr *)buf->start;
667 source=ntohl(iph->saddr);
668 dest=ntohl(iph->daddr);
670 /* Check source. If we don't like the source, there's no point
671 generating ICMP because we won't know how to get it to the
672 source of the packet. */
674 /* Check that the packet source is appropriate for the tunnel
676 if (!ipset_contains_addr(client->networks,source)) {
678 s=ipaddr_to_string(source);
679 d=ipaddr_to_string(dest);
680 Message(M_WARNING,"%s: packet from tunnel %s with bad "
681 "source address (s=%s,d=%s)\n",st->name,client->name,s,d);
687 /* Check that the packet originates in our configured local
688 network, and hasn't been forwarded from elsewhere or
689 generated with the wrong source address */
690 if (!ipset_contains_addr(st->networks,source)) {
692 s=ipaddr_to_string(source);
693 d=ipaddr_to_string(dest);
694 Message(M_WARNING,"%s: outgoing packet with bad source address "
695 "(s=%s,d=%s)\n",st->name,s,d);
702 /* If this is a point-to-point device we don't examine the
703 destination address at all; we blindly send it down our
704 one-and-only registered tunnel, or to the host, depending on
705 where it came from. It's up to external software to check
706 address validity and generate ICMP, etc. */
709 st->deliver_to_host(st->dst,buf);
711 netlink_client_deliver(st,st->clients,source,dest,buf);
713 BUF_ASSERT_FREE(buf);
717 /* st->secnet_address needs checking before matching destination
719 if (dest==st->secnet_address) {
720 netlink_packet_local(st,client,buf);
721 BUF_ASSERT_FREE(buf);
724 netlink_packet_forward(st,client,buf);
725 BUF_ASSERT_FREE(buf);
728 static void netlink_inst_incoming(void *sst, struct buffer_if *buf)
730 struct netlink_client *c=sst;
731 struct netlink *st=c->nst;
733 netlink_incoming(st,c,buf);
736 static void netlink_dev_incoming(void *sst, struct buffer_if *buf)
738 struct netlink *st=sst;
740 netlink_incoming(st,NULL,buf);
743 static void netlink_set_quality(void *sst, uint32_t quality)
745 struct netlink_client *c=sst;
746 struct netlink *st=c->nst;
748 c->link_quality=quality;
749 c->up=(c->link_quality==LINK_QUALITY_DOWN)?False:True;
750 if (c->options&OPT_SOFTROUTE) {
751 st->set_routes(st->dst,c);
755 static void netlink_output_subnets(struct netlink *st, uint32_t loglevel,
756 struct subnet_list *snets)
761 for (i=0; i<snets->entries; i++) {
762 net=subnet_to_string(snets->list[i]);
763 Message(loglevel,"%s ",net);
768 static void netlink_dump_routes(struct netlink *st, bool_t requested)
774 if (requested) c=M_WARNING;
776 net=ipaddr_to_string(st->secnet_address);
777 Message(c,"%s: point-to-point (remote end is %s); routes: ",
780 netlink_output_subnets(st,c,st->clients->subnets);
783 Message(c,"%s: routing table:\n",st->name);
784 for (i=0; i<st->n_clients; i++) {
785 netlink_output_subnets(st,c,st->routes[i]->subnets);
786 Message(c,"-> tunnel %s (%s,mtu %d,%s routes,%s,"
787 "quality %d,use %d,pri %lu)\n",
789 st->routes[i]->up?"up":"down",
791 st->routes[i]->options&OPT_SOFTROUTE?"soft":"hard",
792 st->routes[i]->options&OPT_ALLOWROUTE?"free":"restricted",
793 st->routes[i]->link_quality,
794 st->routes[i]->outcount,
795 (unsigned long)st->routes[i]->priority);
797 net=ipaddr_to_string(st->secnet_address);
798 Message(c,"%s/32 -> netlink \"%s\" (use %d)\n",
799 net,st->name,st->localcount);
801 for (i=0; i<st->subnets->entries; i++) {
802 net=subnet_to_string(st->subnets->list[i]);
803 Message(c,"%s ",net);
807 Message(c,"-> host (use %d)\n",st->outcount);
811 /* ap is a pointer to a member of the routes array */
812 static int netlink_compare_client_priority(const void *ap, const void *bp)
814 const struct netlink_client *const*a=ap;
815 const struct netlink_client *const*b=bp;
817 if ((*a)->priority==(*b)->priority) return 0;
818 if ((*a)->priority<(*b)->priority) return 1;
822 static void netlink_phase_hook(void *sst, uint32_t new_phase)
824 struct netlink *st=sst;
825 struct netlink_client *c;
828 /* All the networks serviced by the various tunnels should now
829 * have been registered. We build a routing table by sorting the
830 * clients by priority. */
831 st->routes=safe_malloc_ary(sizeof(*st->routes),st->n_clients,
832 "netlink_phase_hook");
835 for (c=st->clients; c; c=c->next) {
839 /* Sort the table in descending order of priority */
840 qsort(st->routes,st->n_clients,sizeof(*st->routes),
841 netlink_compare_client_priority);
843 netlink_dump_routes(st,False);
846 static void netlink_signal_handler(void *sst, int signum)
848 struct netlink *st=sst;
849 Message(M_INFO,"%s: route dump requested by SIGUSR1\n",st->name);
850 netlink_dump_routes(st,True);
853 static void netlink_inst_set_mtu(void *sst, int32_t new_mtu)
855 struct netlink_client *c=sst;
860 static void netlink_inst_reg(void *sst, netlink_deliver_fn *deliver,
863 struct netlink_client *c=sst;
869 static struct flagstr netlink_option_table[]={
870 { "soft", OPT_SOFTROUTE },
871 { "allow-route", OPT_ALLOWROUTE },
874 /* This is the routine that gets called when the closure that's
875 returned by an invocation of a netlink device closure (eg. tun,
876 userv-ipif) is invoked. It's used to create routes and pass in
877 information about them; the closure it returns is used by site
879 static closure_t *netlink_inst_create(struct netlink *st,
880 struct cloc loc, dict_t *dict)
882 struct netlink_client *c;
884 struct ipset *networks;
885 uint32_t options,priority;
889 name=dict_read_string(dict, "name", True, st->name, loc);
891 l=dict_lookup(dict,"routes");
893 cfgfatal(loc,st->name,"required parameter \"routes\" not found\n");
894 networks=string_list_to_ipset(l,loc,st->name,"routes");
895 options=string_list_to_word(dict_lookup(dict,"options"),
896 netlink_option_table,st->name);
898 priority=dict_read_number(dict,"priority",False,st->name,loc,0);
899 mtu=dict_read_number(dict,"mtu",False,st->name,loc,0);
901 if ((options&OPT_SOFTROUTE) && !st->set_routes) {
902 cfgfatal(loc,st->name,"this netlink device does not support "
907 if (options&OPT_SOFTROUTE) {
908 /* XXX for now we assume that soft routes require root privilege;
909 this may not always be true. The device driver can tell us. */
910 require_root_privileges=True;
911 require_root_privileges_explanation="netlink: soft routes";
913 cfgfatal(loc,st->name,"point-to-point netlinks do not support "
919 /* Check that nets are a subset of st->remote_networks;
920 refuse to register if they are not. */
921 if (!ipset_is_subset(st->remote_networks,networks)) {
922 cfgfatal(loc,st->name,"routes are not allowed\n");
926 c=safe_malloc(sizeof(*c),"netlink_inst_create");
927 c->cl.description=name;
928 c->cl.type=CL_NETLINK;
930 c->cl.interface=&c->ops;
932 c->ops.reg=netlink_inst_reg;
933 c->ops.deliver=netlink_inst_incoming;
934 c->ops.set_quality=netlink_set_quality;
935 c->ops.set_mtu=netlink_inst_set_mtu;
938 c->networks=networks;
939 c->subnets=ipset_to_subnet_list(networks);
940 c->priority=priority;
944 c->link_quality=LINK_QUALITY_UNUSED;
945 c->mtu=mtu?mtu:st->mtu;
952 assert(st->n_clients < INT_MAX);
958 static list_t *netlink_inst_apply(closure_t *self, struct cloc loc,
959 dict_t *context, list_t *args)
961 struct netlink *st=self->interface;
967 item=list_elem(args,0);
968 if (!item || item->type!=t_dict) {
969 cfgfatal(loc,st->name,"must have a dictionary argument\n");
971 dict=item->data.dict;
973 cl=netlink_inst_create(st,loc,dict);
975 return new_closure(cl);
978 netlink_deliver_fn *netlink_init(struct netlink *st,
979 void *dst, struct cloc loc,
980 dict_t *dict, cstring_t description,
981 netlink_route_fn *set_routes,
982 netlink_deliver_fn *to_host)
988 st->cl.description=description;
990 st->cl.apply=netlink_inst_apply;
995 st->set_routes=set_routes;
996 st->deliver_to_host=to_host;
998 st->name=dict_read_string(dict,"name",False,description,loc);
999 if (!st->name) st->name=description;
1000 l=dict_lookup(dict,"networks");
1002 st->networks=string_list_to_ipset(l,loc,st->name,"networks");
1004 struct ipset *empty;
1006 st->networks=ipset_complement(empty);
1009 l=dict_lookup(dict,"remote-networks");
1011 st->remote_networks=string_list_to_ipset(l,loc,st->name,
1014 struct ipset *empty;
1016 st->remote_networks=ipset_complement(empty);
1020 sa=dict_find_item(dict,"secnet-address",False,"netlink",loc);
1021 ptpa=dict_find_item(dict,"ptp-address",False,"netlink",loc);
1023 cfgfatal(loc,st->name,"you may not specify secnet-address and "
1024 "ptp-address in the same netlink device\n");
1026 if (!(sa || ptpa)) {
1027 cfgfatal(loc,st->name,"you must specify secnet-address or "
1028 "ptp-address for this netlink device\n");
1031 st->secnet_address=string_item_to_ipaddr(sa,"netlink");
1034 st->secnet_address=string_item_to_ipaddr(ptpa,"netlink");
1037 /* To be strictly correct we could subtract secnet_address from
1038 networks here. It shouldn't make any practical difference,
1039 though, and will make the route dump look complicated... */
1040 st->subnets=ipset_to_subnet_list(st->networks);
1041 st->mtu=dict_read_number(dict, "mtu", False, "netlink", loc, DEFAULT_MTU);
1042 buffer_new(&st->icmp,ICMP_BUFSIZE);
1046 add_hook(PHASE_SETUP,netlink_phase_hook,st);
1047 request_signal_notification(SIGUSR1, netlink_signal_handler, st);
1049 /* If we're point-to-point then we return a CL_NETLINK directly,
1050 rather than a CL_NETLINK_OLD or pure closure (depending on
1051 compatibility). This CL_NETLINK is for our one and only
1052 client. Our cl.apply function is NULL. */
1055 cl=netlink_inst_create(st,loc,dict);
1058 return netlink_dev_incoming;
1061 /* No connection to the kernel at all... */
1067 static bool_t null_set_route(void *sst, struct netlink_client *routes)
1069 struct null *st=sst;
1071 if (routes->up!=routes->kup) {
1072 Message(M_INFO,"%s: setting routes for tunnel %s to state %s\n",
1073 st->nl.name,routes->name,
1074 routes->up?"up":"down");
1075 routes->kup=routes->up;
1081 static void null_deliver(void *sst, struct buffer_if *buf)
1086 static list_t *null_apply(closure_t *self, struct cloc loc, dict_t *context,
1093 st=safe_malloc(sizeof(*st),"null_apply");
1095 item=list_elem(args,0);
1096 if (!item || item->type!=t_dict)
1097 cfgfatal(loc,"null-netlink","parameter must be a dictionary\n");
1099 dict=item->data.dict;
1101 netlink_init(&st->nl,st,loc,dict,"null-netlink",null_set_route,
1104 return new_closure(&st->nl.cl);
1107 void netlink_module(dict_t *dict)
1109 add_closure(dict,"null-netlink",null_apply);