1 /* User-kernel network link */
3 /* See RFCs 791, 792, 1123 and 1812 */
5 /* The netlink device is actually a router. Tunnels are unnumbered
6 point-to-point lines (RFC1812 section 2.2.7); the router has a
7 single address (the 'router-id'). */
9 /* This is where we currently have the anti-spoofing paranoia - before
10 sending a packet to the kernel we check that the tunnel it came
11 over could reasonably have produced it. */
14 /* Points to note from RFC1812 (which may require changes in this
17 3.3.4 Maximum Transmission Unit - MTU
19 The MTU of each logical interface MUST be configurable within the
20 range of legal MTUs for the interface.
22 Many Link Layer protocols define a maximum frame size that may be
23 sent. In such cases, a router MUST NOT allow an MTU to be set which
24 would allow sending of frames larger than those allowed by the Link
25 Layer protocol. However, a router SHOULD be willing to receive a
26 packet as large as the maximum frame size even if that is larger than
29 4.2.1 A router SHOULD count datagrams discarded.
31 4.2.2.1 Source route options - we probably should implement processing
32 of source routes, even though mostly the security policy will prevent
35 5.3.13.4 Source Route Options
37 A router MUST implement support for source route options in forwarded
38 packets. A router MAY implement a configuration option that, when
39 enabled, causes all source-routed packets to be discarded. However,
40 such an option MUST NOT be enabled by default.
42 5.3.13.5 Record Route Option
44 Routers MUST support the Record Route option in forwarded packets.
46 A router MAY provide a configuration option that, if enabled, will
47 cause the router to ignore (i.e., pass through unchanged) Record
48 Route options in forwarded packets. If provided, such an option MUST
49 default to enabling the record-route. This option should not affect
50 the processing of Record Route options in datagrams received by the
51 router itself (in particular, Record Route options in ICMP echo
52 requests will still be processed according to Section [4.3.3.6]).
54 5.3.13.6 Timestamp Option
56 Routers MUST support the timestamp option in forwarded packets. A
57 timestamp value MUST follow the rules given [INTRO:2].
59 If the flags field = 3 (timestamp and prespecified address), the
60 router MUST add its timestamp if the next prespecified address
61 matches any of the router's IP addresses. It is not necessary that
62 the prespecified address be either the address of the interface on
63 which the packet arrived or the address of the interface over which
67 4.2.2.7 Fragmentation: RFC 791 Section 3.2
69 Fragmentation, as described in [INTERNET:1], MUST be supported by a
72 4.2.2.8 Reassembly: RFC 791 Section 3.2
74 As specified in the corresponding section of [INTRO:2], a router MUST
75 support reassembly of datagrams that it delivers to itself.
77 4.2.2.9 Time to Live: RFC 791 Section 3.2
79 Note in particular that a router MUST NOT check the TTL of a packet
80 except when forwarding it.
82 A router MUST NOT discard a datagram just because it was received
83 with TTL equal to zero or one; if it is to the router and otherwise
84 valid, the router MUST attempt to receive it.
86 On messages the router originates, the IP layer MUST provide a means
87 for the transport layer to set the TTL field of every datagram that
88 is sent. When a fixed TTL value is used, it MUST be configurable.
91 8.1 The Simple Network Management Protocol - SNMP
92 8.1.1 SNMP Protocol Elements
94 Routers MUST be manageable by SNMP [MGT:3]. The SNMP MUST operate
95 using UDP/IP as its transport and network protocols.
109 #define ICMP_TYPE_ECHO_REPLY 0
111 #define ICMP_TYPE_UNREACHABLE 3
112 #define ICMP_CODE_NET_UNREACHABLE 0
113 #define ICMP_CODE_PROTOCOL_UNREACHABLE 2
114 #define ICMP_CODE_FRAGMENTATION_REQUIRED 4
115 #define ICMP_CODE_NET_PROHIBITED 13
117 #define ICMP_TYPE_ECHO_REQUEST 8
119 #define ICMP_TYPE_TIME_EXCEEDED 11
120 #define ICMP_CODE_TTL_EXCEEDED 0
122 /* Generic IP checksum routine */
123 static inline uint16_t ip_csum(uint8_t *iph,int32_t count)
125 register uint32_t sum=0;
128 sum+=ntohs(*(uint16_t *)iph);
133 sum+=*(uint8_t *)iph;
135 sum=(sum&0xffff)+(sum>>16);
141 * This is a version of ip_compute_csum() optimized for IP headers,
142 * which always checksum on 4 octet boundaries.
144 * By Jorge Cwik <jorge@laser.satlink.net>, adapted for linux by
147 static inline uint16_t ip_fast_csum(uint8_t *iph, int32_t ihl) {
150 __asm__ __volatile__(
156 "adcl 12(%1), %0 ;\n"
157 "1: adcl 16(%1), %0 ;\n"
168 /* Since the input registers which are loaded with iph and ipl
169 are modified, we must also specify them as outputs, or gcc
170 will assume they contain their original values. */
171 : "=r" (sum), "=r" (iph), "=r" (ihl)
172 : "1" (iph), "2" (ihl)
177 static inline uint16_t ip_fast_csum(uint8_t *iph, int32_t ihl)
179 assert(ihl < INT_MAX/4);
180 return ip_csum(iph,ihl*4);
185 #if defined (WORDS_BIGENDIAN)
196 #define IPHDR_FRAG_OFF ((uint16_t)0x1fff)
197 #define IPHDR_FRAG_MORE ((uint16_t)0x2000)
198 #define IPHDR_FRAG_DONT ((uint16_t)0x4000)
199 /* reserved 0x8000 */
205 /* The options start here. */
228 static void netlink_packet_deliver(struct netlink *st,
229 struct netlink_client *client,
230 struct buffer_if *buf);
232 /* XXX RFC1812 4.3.2.5:
233 All other ICMP error messages (Destination Unreachable,
234 Redirect, Time Exceeded, and Parameter Problem) SHOULD have their
235 precedence value set to 6 (INTERNETWORK CONTROL) or 7 (NETWORK
236 CONTROL). The IP Precedence value for these error messages MAY be
239 static struct icmphdr *netlink_icmp_tmpl(struct netlink *st,
240 uint32_t dest,uint16_t len)
244 BUF_ALLOC(&st->icmp,"netlink_icmp_tmpl");
245 buffer_init(&st->icmp,calculate_max_start_pad());
246 h=buf_append(&st->icmp,sizeof(*h));
251 h->iph.tot_len=htons(len+(h->iph.ihl*4)+8);
254 h->iph.ttl=255; /* XXX should be configurable */
256 h->iph.saddr=htonl(st->secnet_address);
257 h->iph.daddr=htonl(dest);
259 h->iph.check=ip_fast_csum((uint8_t *)&h->iph,h->iph.ihl);
266 /* Fill in the ICMP checksum field correctly */
267 static void netlink_icmp_csum(struct icmphdr *h)
271 len=ntohs(h->iph.tot_len)-(4*h->iph.ihl);
273 h->check=ip_csum(&h->type,len);
277 * An ICMP error message MUST NOT be sent as the result of
280 * * an ICMP error message, or
282 * * a datagram destined to an IP broadcast or IP multicast
285 * * a datagram sent as a link-layer broadcast, or
287 * * a non-initial fragment, or
289 * * a datagram whose source address does not define a single
290 * host -- e.g., a zero address, a loopback address, a
291 * broadcast address, a multicast address, or a Class E
294 static bool_t netlink_icmp_may_reply(struct buffer_if *buf)
297 struct icmphdr *icmph;
300 if (buf->size < (int)sizeof(struct icmphdr)) return False;
301 iph=(struct iphdr *)buf->start;
302 icmph=(struct icmphdr *)buf->start;
303 if (iph->protocol==1) {
304 switch(icmph->type) {
305 case 3: /* Destination unreachable */
306 case 11: /* Time Exceeded */
307 case 12: /* Parameter Problem */
311 /* How do we spot broadcast destination addresses? */
312 if (ntohs(iph->frag_off)&IPHDR_FRAG_OFF) return False;
313 source=ntohl(iph->saddr);
314 if (source==0) return False;
315 if ((source&0xff000000)==0x7f000000) return False;
316 /* How do we spot broadcast source addresses? */
317 if ((source&0xf0000000)==0xe0000000) return False; /* Multicast */
318 if ((source&0xf0000000)==0xf0000000) return False; /* Class E */
322 /* How much of the original IP packet do we include in its ICMP
323 response? The header plus up to 64 bits. */
326 4.3.2.3 Original Message Header
328 Historically, every ICMP error message has included the Internet
329 header and at least the first 8 data bytes of the datagram that
330 triggered the error. This is no longer adequate, due to the use of
331 IP-in-IP tunneling and other technologies. Therefore, the ICMP
332 datagram SHOULD contain as much of the original datagram as possible
333 without the length of the ICMP datagram exceeding 576 bytes. The
334 returned IP header (and user data) MUST be identical to that which
335 was received, except that the router is not required to undo any
336 modifications to the IP header that are normally performed in
337 forwarding that were performed before the error was detected (e.g.,
338 decrementing the TTL, or updating options). Note that the
339 requirements of Section [4.3.3.5] supersede this requirement in some
340 cases (i.e., for a Parameter Problem message, if the problem is in a
341 modified field, the router must undo the modification). See Section
344 static uint16_t netlink_icmp_reply_len(struct buffer_if *buf)
346 if (buf->size < (int)sizeof(struct iphdr)) return 0;
347 struct iphdr *iph=(struct iphdr *)buf->start;
351 /* We include the first 8 bytes of the packet data, provided they exist */
353 plen=ntohs(iph->tot_len);
354 return (hlen>plen?plen:hlen);
357 /* client indicates where the packet we're constructing a response to
358 comes from. NULL indicates the host. */
359 static void netlink_icmp_simple(struct netlink *st, struct buffer_if *buf,
360 struct netlink_client *client,
361 uint8_t type, uint8_t code)
366 if (netlink_icmp_may_reply(buf)) {
367 struct iphdr *iph=(struct iphdr *)buf->start;
368 len=netlink_icmp_reply_len(buf);
369 h=netlink_icmp_tmpl(st,ntohl(iph->saddr),len);
370 h->type=type; h->code=code;
371 memcpy(buf_append(&st->icmp,len),buf->start,len);
372 netlink_icmp_csum(h);
373 netlink_packet_deliver(st,NULL,&st->icmp);
374 BUF_ASSERT_FREE(&st->icmp);
379 * RFC1122: 3.1.2.2 MUST silently discard any IP frame that fails the
381 * RFC1812: 4.2.2.5 MUST discard messages containing invalid checksums.
383 * Is the datagram acceptable?
385 * 1. Length at least the size of an ip header
387 * 3. Checksums correctly.
388 * 4. Doesn't have a bogus length
390 static bool_t netlink_check(struct netlink *st, struct buffer_if *buf,
391 char *errmsgbuf, int errmsgbuflen)
393 #define BAD(...) do{ \
394 snprintf(errmsgbuf,errmsgbuflen,__VA_ARGS__); \
398 if (buf->size < (int)sizeof(struct iphdr)) BAD("len %"PRIu32"",buf->size);
399 struct iphdr *iph=(struct iphdr *)buf->start;
402 if (iph->ihl < 5) BAD("ihl %u",iph->ihl);
403 if (iph->version != 4) BAD("version %u",iph->version);
404 if (buf->size < iph->ihl*4) BAD("size %"PRId32"<%u*4",buf->size,iph->ihl);
405 if (ip_fast_csum((uint8_t *)iph, iph->ihl)!=0) BAD("csum");
406 len=ntohs(iph->tot_len);
407 /* There should be no padding */
408 if (buf->size!=len) BAD("len %"PRId32"!=%"PRId32,buf->size,len);
409 if (len<(iph->ihl<<2)) BAD("len %"PRId32"<(%u<<2)",len,iph->ihl);
410 /* XXX check that there's no source route specified */
416 /* Deliver a packet _to_ client; used after we have decided
417 * what to do with it (and just to check that the client has
418 * actually registered a delivery function with us). */
419 static void netlink_client_deliver(struct netlink *st,
420 struct netlink_client *client,
421 uint32_t source, uint32_t dest,
422 struct buffer_if *buf)
424 if (!client->deliver) {
426 s=ipaddr_to_string(source);
427 d=ipaddr_to_string(dest);
428 Message(M_ERR,"%s: dropping %s->%s, client not registered\n",
434 client->deliver(client->dst, buf);
438 /* Deliver a packet. "client" is the _origin_ of the packet, not its
439 destination, and is NULL for packets from the host and packets
440 generated internally in secnet. */
441 static void netlink_packet_deliver(struct netlink *st,
442 struct netlink_client *client,
443 struct buffer_if *buf)
445 if (buf->size < (int)sizeof(struct iphdr)) {
446 Message(M_ERR,"%s: trying to deliver a too-short packet"
447 " from %s!\n",st->name, client?client->name:"(local)");
452 struct iphdr *iph=(struct iphdr *)buf->start;
453 uint32_t dest=ntohl(iph->daddr);
454 uint32_t source=ntohl(iph->saddr);
455 uint32_t best_quality;
456 bool_t allow_route=False;
457 bool_t found_allowed=False;
461 BUF_ASSERT_USED(buf);
463 if (dest==st->secnet_address) {
464 Message(M_ERR,"%s: trying to deliver a packet to myself!\n",st->name);
469 /* Packets from the host (client==NULL) may always be routed. Packets
470 from clients with the allow_route option will also be routed. */
471 if (!client || (client && (client->options & OPT_ALLOWROUTE)))
474 /* If !allow_route, we check the routing table anyway, and if
475 there's a suitable route with OPT_ALLOWROUTE set we use it. If
476 there's a suitable route, but none with OPT_ALLOWROUTE set then
477 we generate ICMP 'communication with destination network
478 administratively prohibited'. */
482 for (i=0; i<st->n_clients; i++) {
483 if (st->routes[i]->up &&
484 ipset_contains_addr(st->routes[i]->networks,dest)) {
485 /* It's an available route to the correct destination. But is
486 it better than the one we already have? */
488 /* If we have already found an allowed route then we don't
489 bother looking at routes we're not allowed to use. If
490 we don't yet have an allowed route we'll consider any. */
491 if (!allow_route && found_allowed) {
492 if (!(st->routes[i]->options&OPT_ALLOWROUTE)) continue;
495 if (st->routes[i]->link_quality>best_quality
496 || best_quality==0) {
497 best_quality=st->routes[i]->link_quality;
499 if (st->routes[i]->options&OPT_ALLOWROUTE)
501 /* If quality isn't perfect we may wish to
502 consider kicking the tunnel with a 0-length
503 packet to prompt it to perform a key setup.
504 Then it'll eventually decide it's up or
506 /* If quality is perfect and we're allowed to use the
507 route we don't need to search any more. */
508 if (best_quality>=MAXIMUM_LINK_QUALITY &&
509 (allow_route || found_allowed)) break;
513 if (best_match==-1) {
514 /* The packet's not going down a tunnel. It might (ought to)
516 if (ipset_contains_addr(st->networks,dest)) {
517 st->deliver_to_host(st->dst,buf);
519 BUF_ASSERT_FREE(buf);
522 s=ipaddr_to_string(source);
523 d=ipaddr_to_string(dest);
524 Message(M_DEBUG,"%s: don't know where to deliver packet "
525 "(s=%s, d=%s)\n", st->name, s, d);
527 netlink_icmp_simple(st,buf,client,ICMP_TYPE_UNREACHABLE,
528 ICMP_CODE_NET_UNREACHABLE);
533 !(st->routes[best_match]->options&OPT_ALLOWROUTE)) {
535 s=ipaddr_to_string(source);
536 d=ipaddr_to_string(dest);
537 /* We have a usable route but aren't allowed to use it.
538 Generate ICMP destination unreachable: communication
539 with destination network administratively prohibited */
540 Message(M_NOTICE,"%s: denied forwarding for packet (s=%s, d=%s)\n",
544 netlink_icmp_simple(st,buf,client,ICMP_TYPE_UNREACHABLE,
545 ICMP_CODE_NET_PROHIBITED);
548 if (best_quality>0) {
549 /* XXX Fragment if required */
550 netlink_client_deliver(st,st->routes[best_match],
552 BUF_ASSERT_FREE(buf);
554 /* Generate ICMP destination unreachable */
555 netlink_icmp_simple(st,buf,client,ICMP_TYPE_UNREACHABLE,
556 ICMP_CODE_NET_UNREACHABLE); /* client==NULL */
561 BUF_ASSERT_FREE(buf);
564 static void netlink_packet_forward(struct netlink *st,
565 struct netlink_client *client,
566 struct buffer_if *buf)
568 if (buf->size < (int)sizeof(struct iphdr)) return;
569 struct iphdr *iph=(struct iphdr *)buf->start;
571 BUF_ASSERT_USED(buf);
573 /* Packet has already been checked */
575 /* Generate ICMP time exceeded */
576 netlink_icmp_simple(st,buf,client,ICMP_TYPE_TIME_EXCEEDED,
577 ICMP_CODE_TTL_EXCEEDED);
583 iph->check=ip_fast_csum((uint8_t *)iph,iph->ihl);
585 netlink_packet_deliver(st,client,buf);
586 BUF_ASSERT_FREE(buf);
589 /* Deal with packets addressed explicitly to us */
590 static void netlink_packet_local(struct netlink *st,
591 struct netlink_client *client,
592 struct buffer_if *buf)
598 if (buf->size < (int)sizeof(struct icmphdr)) {
599 Message(M_WARNING,"%s: short packet addressed to secnet; "
600 "ignoring it\n",st->name);
604 h=(struct icmphdr *)buf->start;
606 if ((ntohs(h->iph.frag_off)&(IPHDR_FRAG_OFF|IPHDR_FRAG_MORE))!=0) {
607 Message(M_WARNING,"%s: fragmented packet addressed to secnet; "
608 "ignoring it\n",st->name);
613 if (h->iph.protocol==1) {
615 if (h->type==ICMP_TYPE_ECHO_REQUEST && h->code==0) {
616 /* ICMP echo-request. Special case: we re-use the buffer
617 to construct the reply. */
618 h->type=ICMP_TYPE_ECHO_REPLY;
619 h->iph.daddr=h->iph.saddr;
620 h->iph.saddr=htonl(st->secnet_address);
623 h->iph.check=ip_fast_csum((uint8_t *)h,h->iph.ihl);
624 netlink_icmp_csum(h);
625 netlink_packet_deliver(st,NULL,buf);
628 Message(M_WARNING,"%s: unknown incoming ICMP\n",st->name);
630 /* Send ICMP protocol unreachable */
631 netlink_icmp_simple(st,buf,client,ICMP_TYPE_UNREACHABLE,
632 ICMP_CODE_PROTOCOL_UNREACHABLE);
640 /* If cid==NULL packet is from host, otherwise cid specifies which tunnel
642 static void netlink_incoming(struct netlink *st, struct netlink_client *client,
643 struct buffer_if *buf)
645 uint32_t source,dest;
648 const char *sourcedesc=client?client->name:"host";
650 BUF_ASSERT_USED(buf);
652 if (!netlink_check(st,buf,errmsgbuf,sizeof(errmsgbuf))) {
653 Message(M_WARNING,"%s: bad IP packet from %s: %s\n",
659 assert(buf->size >= (int)sizeof(struct icmphdr));
660 iph=(struct iphdr *)buf->start;
662 source=ntohl(iph->saddr);
663 dest=ntohl(iph->daddr);
665 /* Check source. If we don't like the source, there's no point
666 generating ICMP because we won't know how to get it to the
667 source of the packet. */
669 /* Check that the packet source is appropriate for the tunnel
671 if (!ipset_contains_addr(client->networks,source)) {
673 s=ipaddr_to_string(source);
674 d=ipaddr_to_string(dest);
675 Message(M_WARNING,"%s: packet from tunnel %s with bad "
676 "source address (s=%s,d=%s)\n",st->name,client->name,s,d);
682 /* Check that the packet originates in our configured local
683 network, and hasn't been forwarded from elsewhere or
684 generated with the wrong source address */
685 if (!ipset_contains_addr(st->networks,source)) {
687 s=ipaddr_to_string(source);
688 d=ipaddr_to_string(dest);
689 Message(M_WARNING,"%s: outgoing packet with bad source address "
690 "(s=%s,d=%s)\n",st->name,s,d);
697 /* If this is a point-to-point device we don't examine the
698 destination address at all; we blindly send it down our
699 one-and-only registered tunnel, or to the host, depending on
700 where it came from. It's up to external software to check
701 address validity and generate ICMP, etc. */
704 st->deliver_to_host(st->dst,buf);
706 netlink_client_deliver(st,st->clients,source,dest,buf);
708 BUF_ASSERT_FREE(buf);
712 /* st->secnet_address needs checking before matching destination
714 if (dest==st->secnet_address) {
715 netlink_packet_local(st,client,buf);
716 BUF_ASSERT_FREE(buf);
719 netlink_packet_forward(st,client,buf);
720 BUF_ASSERT_FREE(buf);
723 static void netlink_inst_incoming(void *sst, struct buffer_if *buf)
725 struct netlink_client *c=sst;
726 struct netlink *st=c->nst;
728 netlink_incoming(st,c,buf);
731 static void netlink_dev_incoming(void *sst, struct buffer_if *buf)
733 struct netlink *st=sst;
735 netlink_incoming(st,NULL,buf);
738 static void netlink_set_quality(void *sst, uint32_t quality)
740 struct netlink_client *c=sst;
741 struct netlink *st=c->nst;
743 c->link_quality=quality;
744 c->up=(c->link_quality==LINK_QUALITY_DOWN)?False:True;
745 if (c->options&OPT_SOFTROUTE) {
746 st->set_routes(st->dst,c);
750 static void netlink_output_subnets(struct netlink *st, uint32_t loglevel,
751 struct subnet_list *snets)
756 for (i=0; i<snets->entries; i++) {
757 net=subnet_to_string(snets->list[i]);
758 Message(loglevel,"%s ",net);
763 static void netlink_dump_routes(struct netlink *st, bool_t requested)
769 if (requested) c=M_WARNING;
771 net=ipaddr_to_string(st->secnet_address);
772 Message(c,"%s: point-to-point (remote end is %s); routes: ",
775 netlink_output_subnets(st,c,st->clients->subnets);
778 Message(c,"%s: routing table:\n",st->name);
779 for (i=0; i<st->n_clients; i++) {
780 netlink_output_subnets(st,c,st->routes[i]->subnets);
781 Message(c,"-> tunnel %s (%s,mtu %d,%s routes,%s,"
782 "quality %d,use %d,pri %lu)\n",
784 st->routes[i]->up?"up":"down",
786 st->routes[i]->options&OPT_SOFTROUTE?"soft":"hard",
787 st->routes[i]->options&OPT_ALLOWROUTE?"free":"restricted",
788 st->routes[i]->link_quality,
789 st->routes[i]->outcount,
790 (unsigned long)st->routes[i]->priority);
792 net=ipaddr_to_string(st->secnet_address);
793 Message(c,"%s/32 -> netlink \"%s\" (use %d)\n",
794 net,st->name,st->localcount);
796 for (i=0; i<st->subnets->entries; i++) {
797 net=subnet_to_string(st->subnets->list[i]);
798 Message(c,"%s ",net);
802 Message(c,"-> host (use %d)\n",st->outcount);
806 /* ap is a pointer to a member of the routes array */
807 static int netlink_compare_client_priority(const void *ap, const void *bp)
809 const struct netlink_client *const*a=ap;
810 const struct netlink_client *const*b=bp;
812 if ((*a)->priority==(*b)->priority) return 0;
813 if ((*a)->priority<(*b)->priority) return 1;
817 static void netlink_phase_hook(void *sst, uint32_t new_phase)
819 struct netlink *st=sst;
820 struct netlink_client *c;
823 /* All the networks serviced by the various tunnels should now
824 * have been registered. We build a routing table by sorting the
825 * clients by priority. */
826 st->routes=safe_malloc_ary(sizeof(*st->routes),st->n_clients,
827 "netlink_phase_hook");
830 for (c=st->clients; c; c=c->next) {
834 /* Sort the table in descending order of priority */
835 qsort(st->routes,st->n_clients,sizeof(*st->routes),
836 netlink_compare_client_priority);
838 netlink_dump_routes(st,False);
841 static void netlink_signal_handler(void *sst, int signum)
843 struct netlink *st=sst;
844 Message(M_INFO,"%s: route dump requested by SIGUSR1\n",st->name);
845 netlink_dump_routes(st,True);
848 static void netlink_inst_set_mtu(void *sst, int32_t new_mtu)
850 struct netlink_client *c=sst;
855 static void netlink_inst_reg(void *sst, netlink_deliver_fn *deliver,
858 struct netlink_client *c=sst;
864 static struct flagstr netlink_option_table[]={
865 { "soft", OPT_SOFTROUTE },
866 { "allow-route", OPT_ALLOWROUTE },
869 /* This is the routine that gets called when the closure that's
870 returned by an invocation of a netlink device closure (eg. tun,
871 userv-ipif) is invoked. It's used to create routes and pass in
872 information about them; the closure it returns is used by site
874 static closure_t *netlink_inst_create(struct netlink *st,
875 struct cloc loc, dict_t *dict)
877 struct netlink_client *c;
879 struct ipset *networks;
880 uint32_t options,priority;
884 name=dict_read_string(dict, "name", True, st->name, loc);
886 l=dict_lookup(dict,"routes");
888 cfgfatal(loc,st->name,"required parameter \"routes\" not found\n");
889 networks=string_list_to_ipset(l,loc,st->name,"routes");
890 options=string_list_to_word(dict_lookup(dict,"options"),
891 netlink_option_table,st->name);
893 priority=dict_read_number(dict,"priority",False,st->name,loc,0);
894 mtu=dict_read_number(dict,"mtu",False,st->name,loc,0);
896 if ((options&OPT_SOFTROUTE) && !st->set_routes) {
897 cfgfatal(loc,st->name,"this netlink device does not support "
902 if (options&OPT_SOFTROUTE) {
903 /* XXX for now we assume that soft routes require root privilege;
904 this may not always be true. The device driver can tell us. */
905 require_root_privileges=True;
906 require_root_privileges_explanation="netlink: soft routes";
908 cfgfatal(loc,st->name,"point-to-point netlinks do not support "
914 /* Check that nets are a subset of st->remote_networks;
915 refuse to register if they are not. */
916 if (!ipset_is_subset(st->remote_networks,networks)) {
917 cfgfatal(loc,st->name,"routes are not allowed\n");
921 c=safe_malloc(sizeof(*c),"netlink_inst_create");
922 c->cl.description=name;
923 c->cl.type=CL_NETLINK;
925 c->cl.interface=&c->ops;
927 c->ops.reg=netlink_inst_reg;
928 c->ops.deliver=netlink_inst_incoming;
929 c->ops.set_quality=netlink_set_quality;
930 c->ops.set_mtu=netlink_inst_set_mtu;
933 c->networks=networks;
934 c->subnets=ipset_to_subnet_list(networks);
935 c->priority=priority;
939 c->link_quality=LINK_QUALITY_UNUSED;
940 c->mtu=mtu?mtu:st->mtu;
947 assert(st->n_clients < INT_MAX);
953 static list_t *netlink_inst_apply(closure_t *self, struct cloc loc,
954 dict_t *context, list_t *args)
956 struct netlink *st=self->interface;
962 item=list_elem(args,0);
963 if (!item || item->type!=t_dict) {
964 cfgfatal(loc,st->name,"must have a dictionary argument\n");
966 dict=item->data.dict;
968 cl=netlink_inst_create(st,loc,dict);
970 return new_closure(cl);
973 netlink_deliver_fn *netlink_init(struct netlink *st,
974 void *dst, struct cloc loc,
975 dict_t *dict, cstring_t description,
976 netlink_route_fn *set_routes,
977 netlink_deliver_fn *to_host)
983 st->cl.description=description;
985 st->cl.apply=netlink_inst_apply;
990 st->set_routes=set_routes;
991 st->deliver_to_host=to_host;
993 st->name=dict_read_string(dict,"name",False,description,loc);
994 if (!st->name) st->name=description;
995 l=dict_lookup(dict,"networks");
997 st->networks=string_list_to_ipset(l,loc,st->name,"networks");
1001 st->networks=ipset_complement(empty);
1004 l=dict_lookup(dict,"remote-networks");
1006 st->remote_networks=string_list_to_ipset(l,loc,st->name,
1009 struct ipset *empty;
1011 st->remote_networks=ipset_complement(empty);
1015 sa=dict_find_item(dict,"secnet-address",False,"netlink",loc);
1016 ptpa=dict_find_item(dict,"ptp-address",False,"netlink",loc);
1018 cfgfatal(loc,st->name,"you may not specify secnet-address and "
1019 "ptp-address in the same netlink device\n");
1021 if (!(sa || ptpa)) {
1022 cfgfatal(loc,st->name,"you must specify secnet-address or "
1023 "ptp-address for this netlink device\n");
1026 st->secnet_address=string_item_to_ipaddr(sa,"netlink");
1029 st->secnet_address=string_item_to_ipaddr(ptpa,"netlink");
1032 /* To be strictly correct we could subtract secnet_address from
1033 networks here. It shouldn't make any practical difference,
1034 though, and will make the route dump look complicated... */
1035 st->subnets=ipset_to_subnet_list(st->networks);
1036 st->mtu=dict_read_number(dict, "mtu", False, "netlink", loc, DEFAULT_MTU);
1037 buffer_new(&st->icmp,ICMP_BUFSIZE);
1041 add_hook(PHASE_SETUP,netlink_phase_hook,st);
1042 request_signal_notification(SIGUSR1, netlink_signal_handler, st);
1044 /* If we're point-to-point then we return a CL_NETLINK directly,
1045 rather than a CL_NETLINK_OLD or pure closure (depending on
1046 compatibility). This CL_NETLINK is for our one and only
1047 client. Our cl.apply function is NULL. */
1050 cl=netlink_inst_create(st,loc,dict);
1053 return netlink_dev_incoming;
1056 /* No connection to the kernel at all... */
1062 static bool_t null_set_route(void *sst, struct netlink_client *routes)
1064 struct null *st=sst;
1066 if (routes->up!=routes->kup) {
1067 Message(M_INFO,"%s: setting routes for tunnel %s to state %s\n",
1068 st->nl.name,routes->name,
1069 routes->up?"up":"down");
1070 routes->kup=routes->up;
1076 static void null_deliver(void *sst, struct buffer_if *buf)
1081 static list_t *null_apply(closure_t *self, struct cloc loc, dict_t *context,
1088 st=safe_malloc(sizeof(*st),"null_apply");
1090 item=list_elem(args,0);
1091 if (!item || item->type!=t_dict)
1092 cfgfatal(loc,"null-netlink","parameter must be a dictionary\n");
1094 dict=item->data.dict;
1096 netlink_init(&st->nl,st,loc,dict,"null-netlink",null_set_route,
1099 return new_closure(&st->nl.cl);
1102 void netlink_module(dict_t *dict)
1104 add_closure(dict,"null-netlink",null_apply);
~ian / secnet.git / blob