1 /* User-kernel network link */
3 /* See RFCs 791, 792, 1123 and 1812 */
5 /* The netlink device is actually a router. Tunnels are unnumbered
6 point-to-point lines (RFC1812 section 2.2.7); the router has a
7 single address (the 'router-id'). */
9 /* This is where we currently have the anti-spoofing paranoia - before
10 sending a packet to the kernel we check that the tunnel it came
11 over could reasonably have produced it. */
14 /* Points to note from RFC1812 (which may require changes in this
17 3.3.4 Maximum Transmission Unit - MTU
19 The MTU of each logical interface MUST be configurable within the
20 range of legal MTUs for the interface.
22 Many Link Layer protocols define a maximum frame size that may be
23 sent. In such cases, a router MUST NOT allow an MTU to be set which
24 would allow sending of frames larger than those allowed by the Link
25 Layer protocol. However, a router SHOULD be willing to receive a
26 packet as large as the maximum frame size even if that is larger than
29 4.2.1 A router SHOULD count datagrams discarded.
31 4.2.2.1 Source route options - we probably should implement processing
32 of source routes, even though mostly the security policy will prevent
35 5.3.13.4 Source Route Options
37 A router MUST implement support for source route options in forwarded
38 packets. A router MAY implement a configuration option that, when
39 enabled, causes all source-routed packets to be discarded. However,
40 such an option MUST NOT be enabled by default.
42 5.3.13.5 Record Route Option
44 Routers MUST support the Record Route option in forwarded packets.
46 A router MAY provide a configuration option that, if enabled, will
47 cause the router to ignore (i.e., pass through unchanged) Record
48 Route options in forwarded packets. If provided, such an option MUST
49 default to enabling the record-route. This option should not affect
50 the processing of Record Route options in datagrams received by the
51 router itself (in particular, Record Route options in ICMP echo
52 requests will still be processed according to Section [4.3.3.6]).
54 5.3.13.6 Timestamp Option
56 Routers MUST support the timestamp option in forwarded packets. A
57 timestamp value MUST follow the rules given [INTRO:2].
59 If the flags field = 3 (timestamp and prespecified address), the
60 router MUST add its timestamp if the next prespecified address
61 matches any of the router's IP addresses. It is not necessary that
62 the prespecified address be either the address of the interface on
63 which the packet arrived or the address of the interface over which
67 4.2.2.7 Fragmentation: RFC 791 Section 3.2
69 Fragmentation, as described in [INTERNET:1], MUST be supported by a
72 4.2.2.8 Reassembly: RFC 791 Section 3.2
74 As specified in the corresponding section of [INTRO:2], a router MUST
75 support reassembly of datagrams that it delivers to itself.
77 4.2.2.9 Time to Live: RFC 791 Section 3.2
79 Note in particular that a router MUST NOT check the TTL of a packet
80 except when forwarding it.
82 A router MUST NOT discard a datagram just because it was received
83 with TTL equal to zero or one; if it is to the router and otherwise
84 valid, the router MUST attempt to receive it.
86 On messages the router originates, the IP layer MUST provide a means
87 for the transport layer to set the TTL field of every datagram that
88 is sent. When a fixed TTL value is used, it MUST be configurable.
91 8.1 The Simple Network Management Protocol - SNMP
92 8.1.1 SNMP Protocol Elements
94 Routers MUST be manageable by SNMP [MGT:3]. The SNMP MUST operate
95 using UDP/IP as its transport and network protocols.
109 #define OPT_SOFTROUTE 1
110 #define OPT_ALLOWROUTE 2
112 #define ICMP_TYPE_ECHO_REPLY 0
114 #define ICMP_TYPE_UNREACHABLE 3
115 #define ICMP_CODE_NET_UNREACHABLE 0
116 #define ICMP_CODE_PROTOCOL_UNREACHABLE 2
117 #define ICMP_CODE_FRAGMENTATION_REQUIRED 4
118 #define ICMP_CODE_NET_PROHIBITED 13
120 #define ICMP_TYPE_ECHO_REQUEST 8
122 #define ICMP_TYPE_TIME_EXCEEDED 11
123 #define ICMP_CODE_TTL_EXCEEDED 0
125 /* Generic IP checksum routine */
126 static inline uint16_t ip_csum(uint8_t *iph,uint32_t count)
128 register uint32_t sum=0;
131 sum+=ntohs(*(uint16_t *)iph);
136 sum+=*(uint8_t *)iph;
138 sum=(sum&0xffff)+(sum>>16);
144 * This is a version of ip_compute_csum() optimized for IP headers,
145 * which always checksum on 4 octet boundaries.
147 * By Jorge Cwik <jorge@laser.satlink.net>, adapted for linux by
150 static inline uint16_t ip_fast_csum(uint8_t *iph, uint32_t ihl) {
153 __asm__ __volatile__(
159 "adcl 12(%1), %0 ;\n"
160 "1: adcl 16(%1), %0 ;\n"
171 /* Since the input registers which are loaded with iph and ipl
172 are modified, we must also specify them as outputs, or gcc
173 will assume they contain their original values. */
174 : "=r" (sum), "=r" (iph), "=r" (ihl)
175 : "1" (iph), "2" (ihl)
180 static inline uint16_t ip_fast_csum(uint8_t *iph, uint32_t ihl)
182 return ip_csum(iph,ihl*4);
187 #if defined (WORDS_BIGENDIAN)
203 /* The options start here. */
226 static void netlink_packet_deliver(struct netlink *st,
227 struct netlink_client *client,
228 struct buffer_if *buf);
230 /* XXX RFC1812 4.3.2.5:
231 All other ICMP error messages (Destination Unreachable,
232 Redirect, Time Exceeded, and Parameter Problem) SHOULD have their
233 precedence value set to 6 (INTERNETWORK CONTROL) or 7 (NETWORK
234 CONTROL). The IP Precedence value for these error messages MAY be
237 static struct icmphdr *netlink_icmp_tmpl(struct netlink *st,
238 uint32_t dest,uint16_t len)
242 BUF_ALLOC(&st->icmp,"netlink_icmp_tmpl");
243 buffer_init(&st->icmp,st->max_start_pad);
244 h=buf_append(&st->icmp,sizeof(*h));
249 h->iph.tot_len=htons(len+(h->iph.ihl*4)+8);
252 h->iph.ttl=255; /* XXX should be configurable */
254 h->iph.saddr=htonl(st->secnet_address);
255 h->iph.daddr=htonl(dest);
257 h->iph.check=ip_fast_csum((uint8_t *)&h->iph,h->iph.ihl);
264 /* Fill in the ICMP checksum field correctly */
265 static void netlink_icmp_csum(struct icmphdr *h)
269 len=ntohs(h->iph.tot_len)-(4*h->iph.ihl);
271 h->check=ip_csum(&h->type,len);
275 * An ICMP error message MUST NOT be sent as the result of
278 * * an ICMP error message, or
280 * * a datagram destined to an IP broadcast or IP multicast
283 * * a datagram sent as a link-layer broadcast, or
285 * * a non-initial fragment, or
287 * * a datagram whose source address does not define a single
288 * host -- e.g., a zero address, a loopback address, a
289 * broadcast address, a multicast address, or a Class E
292 static bool_t netlink_icmp_may_reply(struct buffer_if *buf)
295 struct icmphdr *icmph;
298 iph=(struct iphdr *)buf->start;
299 icmph=(struct icmphdr *)buf->start;
300 if (iph->protocol==1) {
301 switch(icmph->type) {
302 case 3: /* Destination unreachable */
303 case 11: /* Time Exceeded */
304 case 12: /* Parameter Problem */
308 /* How do we spot broadcast destination addresses? */
309 if (ntohs(iph->frag_off)&0x1fff) return False; /* Non-initial fragment */
310 source=ntohl(iph->saddr);
311 if (source==0) return False;
312 if ((source&0xff000000)==0x7f000000) return False;
313 /* How do we spot broadcast source addresses? */
314 if ((source&0xf0000000)==0xe0000000) return False; /* Multicast */
315 if ((source&0xf0000000)==0xf0000000) return False; /* Class E */
319 /* How much of the original IP packet do we include in its ICMP
320 response? The header plus up to 64 bits. */
323 4.3.2.3 Original Message Header
325 Historically, every ICMP error message has included the Internet
326 header and at least the first 8 data bytes of the datagram that
327 triggered the error. This is no longer adequate, due to the use of
328 IP-in-IP tunneling and other technologies. Therefore, the ICMP
329 datagram SHOULD contain as much of the original datagram as possible
330 without the length of the ICMP datagram exceeding 576 bytes. The
331 returned IP header (and user data) MUST be identical to that which
332 was received, except that the router is not required to undo any
333 modifications to the IP header that are normally performed in
334 forwarding that were performed before the error was detected (e.g.,
335 decrementing the TTL, or updating options). Note that the
336 requirements of Section [4.3.3.5] supersede this requirement in some
337 cases (i.e., for a Parameter Problem message, if the problem is in a
338 modified field, the router must undo the modification). See Section
341 static uint16_t netlink_icmp_reply_len(struct buffer_if *buf)
343 struct iphdr *iph=(struct iphdr *)buf->start;
347 /* We include the first 8 bytes of the packet data, provided they exist */
349 plen=ntohs(iph->tot_len);
350 return (hlen>plen?plen:hlen);
353 /* client indicates where the packet we're constructing a response to
354 comes from. NULL indicates the host. */
355 static void netlink_icmp_simple(struct netlink *st, struct buffer_if *buf,
356 struct netlink_client *client,
357 uint8_t type, uint8_t code)
359 struct iphdr *iph=(struct iphdr *)buf->start;
363 if (netlink_icmp_may_reply(buf)) {
364 len=netlink_icmp_reply_len(buf);
365 h=netlink_icmp_tmpl(st,ntohl(iph->saddr),len);
366 h->type=type; h->code=code;
367 memcpy(buf_append(&st->icmp,len),buf->start,len);
368 netlink_icmp_csum(h);
369 netlink_packet_deliver(st,NULL,&st->icmp);
370 BUF_ASSERT_FREE(&st->icmp);
375 * RFC1122: 3.1.2.2 MUST silently discard any IP frame that fails the
377 * RFC1812: 4.2.2.5 MUST discard messages containing invalid checksums.
379 * Is the datagram acceptable?
381 * 1. Length at least the size of an ip header
383 * 3. Checksums correctly.
384 * 4. Doesn't have a bogus length
386 static bool_t netlink_check(struct netlink *st, struct buffer_if *buf)
388 struct iphdr *iph=(struct iphdr *)buf->start;
391 if (iph->ihl < 5 || iph->version != 4) return False;
392 if (buf->size < iph->ihl*4) return False;
393 if (ip_fast_csum((uint8_t *)iph, iph->ihl)!=0) return False;
394 len=ntohs(iph->tot_len);
395 /* There should be no padding */
396 if (buf->size!=len || len<(iph->ihl<<2)) return False;
397 /* XXX check that there's no source route specified */
401 /* Deliver a packet. "client" is the _origin_ of the packet, not its
402 destination, and is NULL for packets from the host and packets
403 generated internally in secnet. */
404 static void netlink_packet_deliver(struct netlink *st,
405 struct netlink_client *client,
406 struct buffer_if *buf)
408 struct iphdr *iph=(struct iphdr *)buf->start;
409 uint32_t dest=ntohl(iph->daddr);
410 uint32_t source=ntohl(iph->saddr);
411 uint32_t best_quality;
412 bool_t allow_route=False;
413 bool_t found_allowed=False;
417 BUF_ASSERT_USED(buf);
419 if (dest==st->secnet_address) {
420 Message(M_ERR,"%s: trying to deliver a packet to myself!\n",st->name);
425 /* Packets from the host (client==NULL) may always be routed. Packets
426 from clients with the allow_route option will also be routed. */
427 if (!client || (client && (client->options & OPT_ALLOWROUTE)))
430 /* If !allow_route, we check the routing table anyway, and if
431 there's a suitable route with OPT_ALLOWROUTE set we use it. If
432 there's a suitable route, but none with OPT_ALLOWROUTE set then
433 we generate ICMP 'communication with destination network
434 administratively prohibited'. */
438 for (i=0; i<st->n_clients; i++) {
439 if (st->routes[i]->up &&
440 ipset_contains_addr(st->routes[i]->networks,dest)) {
441 /* It's an available route to the correct destination. But is
442 it better than the one we already have? */
444 /* If we have already found an allowed route then we don't
445 bother looking at routes we're not allowed to use. If
446 we don't yet have an allowed route we'll consider any. */
447 if (!allow_route && found_allowed) {
448 if (!(st->routes[i]->options&OPT_ALLOWROUTE)) continue;
451 if (st->routes[i]->link_quality>best_quality
452 || best_quality==0) {
453 best_quality=st->routes[i]->link_quality;
455 if (st->routes[i]->options&OPT_ALLOWROUTE)
457 /* If quality isn't perfect we may wish to
458 consider kicking the tunnel with a 0-length
459 packet to prompt it to perform a key setup.
460 Then it'll eventually decide it's up or
462 /* If quality is perfect and we're allowed to use the
463 route we don't need to search any more. */
464 if (best_quality>=MAXIMUM_LINK_QUALITY &&
465 (allow_route || found_allowed)) break;
469 if (best_match==-1) {
470 /* The packet's not going down a tunnel. It might (ought to)
472 if (ipset_contains_addr(st->networks,dest)) {
473 st->deliver_to_host(st->dst,buf);
475 BUF_ASSERT_FREE(buf);
478 s=ipaddr_to_string(source);
479 d=ipaddr_to_string(dest);
480 Message(M_DEBUG,"%s: don't know where to deliver packet "
481 "(s=%s, d=%s)\n", st->name, s, d);
483 netlink_icmp_simple(st,buf,client,ICMP_TYPE_UNREACHABLE,
484 ICMP_CODE_NET_UNREACHABLE);
489 !(st->routes[best_match]->options&OPT_ALLOWROUTE)) {
491 s=ipaddr_to_string(source);
492 d=ipaddr_to_string(dest);
493 /* We have a usable route but aren't allowed to use it.
494 Generate ICMP destination unreachable: communication
495 with destination network administratively prohibited */
496 Message(M_NOTICE,"%s: denied forwarding for packet (s=%s, d=%s)\n",
500 netlink_icmp_simple(st,buf,client,ICMP_TYPE_UNREACHABLE,
501 ICMP_CODE_NET_PROHIBITED);
504 if (best_quality>0) {
505 /* XXX Fragment if required */
506 st->routes[best_match]->deliver(
507 st->routes[best_match]->dst, buf);
508 st->routes[best_match]->outcount++;
509 BUF_ASSERT_FREE(buf);
511 /* Generate ICMP destination unreachable */
512 netlink_icmp_simple(st,buf,client,ICMP_TYPE_UNREACHABLE,
513 ICMP_CODE_NET_UNREACHABLE); /* client==NULL */
518 BUF_ASSERT_FREE(buf);
521 static void netlink_packet_forward(struct netlink *st,
522 struct netlink_client *client,
523 struct buffer_if *buf)
525 struct iphdr *iph=(struct iphdr *)buf->start;
527 BUF_ASSERT_USED(buf);
529 /* Packet has already been checked */
531 /* Generate ICMP time exceeded */
532 netlink_icmp_simple(st,buf,client,ICMP_TYPE_TIME_EXCEEDED,
533 ICMP_CODE_TTL_EXCEEDED);
539 iph->check=ip_fast_csum((uint8_t *)iph,iph->ihl);
541 netlink_packet_deliver(st,client,buf);
542 BUF_ASSERT_FREE(buf);
545 /* Deal with packets addressed explicitly to us */
546 static void netlink_packet_local(struct netlink *st,
547 struct netlink_client *client,
548 struct buffer_if *buf)
554 h=(struct icmphdr *)buf->start;
556 if ((ntohs(h->iph.frag_off)&0xbfff)!=0) {
557 Message(M_WARNING,"%s: fragmented packet addressed to secnet; "
558 "ignoring it\n",st->name);
563 if (h->iph.protocol==1) {
565 if (h->type==ICMP_TYPE_ECHO_REQUEST && h->code==0) {
566 /* ICMP echo-request. Special case: we re-use the buffer
567 to construct the reply. */
568 h->type=ICMP_TYPE_ECHO_REPLY;
569 h->iph.daddr=h->iph.saddr;
570 h->iph.saddr=htonl(st->secnet_address);
573 h->iph.check=ip_fast_csum((uint8_t *)h,h->iph.ihl);
574 netlink_icmp_csum(h);
575 netlink_packet_deliver(st,NULL,buf);
578 Message(M_WARNING,"%s: unknown incoming ICMP\n",st->name);
580 /* Send ICMP protocol unreachable */
581 netlink_icmp_simple(st,buf,client,ICMP_TYPE_UNREACHABLE,
582 ICMP_CODE_PROTOCOL_UNREACHABLE);
590 /* If cid==NULL packet is from host, otherwise cid specifies which tunnel
592 static void netlink_incoming(struct netlink *st, struct netlink_client *client,
593 struct buffer_if *buf)
595 uint32_t source,dest;
598 BUF_ASSERT_USED(buf);
599 if (!netlink_check(st,buf)) {
600 Message(M_WARNING,"%s: bad IP packet from %s\n",
601 st->name,client?client->name:"host");
605 iph=(struct iphdr *)buf->start;
607 source=ntohl(iph->saddr);
608 dest=ntohl(iph->daddr);
610 /* Check source. If we don't like the source, there's no point
611 generating ICMP because we won't know how to get it to the
612 source of the packet. */
614 /* Check that the packet source is appropriate for the tunnel
616 if (!ipset_contains_addr(client->networks,source)) {
618 s=ipaddr_to_string(source);
619 d=ipaddr_to_string(dest);
620 Message(M_WARNING,"%s: packet from tunnel %s with bad "
621 "source address (s=%s,d=%s)\n",st->name,client->name,s,d);
627 /* Check that the packet originates in our configured local
628 network, and hasn't been forwarded from elsewhere or
629 generated with the wrong source address */
630 if (!ipset_contains_addr(st->networks,source)) {
632 s=ipaddr_to_string(source);
633 d=ipaddr_to_string(dest);
634 Message(M_WARNING,"%s: outgoing packet with bad source address "
635 "(s=%s,d=%s)\n",st->name,s,d);
642 /* If this is a point-to-point device we don't examine the
643 destination address at all; we blindly send it down our
644 one-and-only registered tunnel, or to the host, depending on
645 where it came from. It's up to external software to check
646 address validity and generate ICMP, etc. */
649 st->deliver_to_host(st->dst,buf);
651 st->clients->deliver(st->clients->dst,buf);
653 BUF_ASSERT_FREE(buf);
657 /* st->secnet_address needs checking before matching destination
659 if (dest==st->secnet_address) {
660 netlink_packet_local(st,client,buf);
661 BUF_ASSERT_FREE(buf);
664 netlink_packet_forward(st,client,buf);
665 BUF_ASSERT_FREE(buf);
668 static void netlink_inst_incoming(void *sst, struct buffer_if *buf)
670 struct netlink_client *c=sst;
671 struct netlink *st=c->nst;
673 netlink_incoming(st,c,buf);
676 static void netlink_dev_incoming(void *sst, struct buffer_if *buf)
678 struct netlink *st=sst;
680 netlink_incoming(st,NULL,buf);
683 static void netlink_set_quality(void *sst, uint32_t quality)
685 struct netlink_client *c=sst;
686 struct netlink *st=c->nst;
688 c->link_quality=quality;
689 c->up=(c->link_quality==LINK_QUALITY_DOWN)?False:True;
690 if (c->options&OPT_SOFTROUTE) {
691 st->set_routes(st->dst,c);
695 static void netlink_output_subnets(struct netlink *st, uint32_t loglevel,
696 struct subnet_list *snets)
701 for (i=0; i<snets->entries; i++) {
702 net=subnet_to_string(snets->list[i]);
703 Message(loglevel,"%s ",net);
708 static void netlink_dump_routes(struct netlink *st, bool_t requested)
714 if (requested) c=M_WARNING;
716 net=ipaddr_to_string(st->secnet_address);
717 Message(c,"%s: point-to-point (remote end is %s); routes:\n",
720 netlink_output_subnets(st,c,st->clients->subnets);
723 Message(c,"%s: routing table:\n",st->name);
724 for (i=0; i<st->n_clients; i++) {
725 netlink_output_subnets(st,c,st->routes[i]->subnets);
726 Message(c,"-> tunnel %s (%s,mtu %d,%s routes,%s,"
727 "quality %d,use %d,pri %lu)\n",
729 st->routes[i]->up?"up":"down",
731 st->routes[i]->options&OPT_SOFTROUTE?"soft":"hard",
732 st->routes[i]->options&OPT_ALLOWROUTE?"free":"restricted",
733 st->routes[i]->link_quality,
734 st->routes[i]->outcount,
735 (unsigned long)st->routes[i]->priority);
737 net=ipaddr_to_string(st->secnet_address);
738 Message(c,"%s/32 -> netlink \"%s\" (use %d)\n",
739 net,st->name,st->localcount);
741 for (i=0; i<st->subnets->entries; i++) {
742 net=subnet_to_string(st->subnets->list[i]);
743 Message(c,"%s ",net);
747 Message(c,"-> host (use %d)\n",st->outcount);
751 /* ap is a pointer to a member of the routes array */
752 static int netlink_compare_client_priority(const void *ap, const void *bp)
754 const struct netlink_client *const*a=ap;
755 const struct netlink_client *const*b=bp;
757 if ((*a)->priority==(*b)->priority) return 0;
758 if ((*a)->priority<(*b)->priority) return 1;
762 static void netlink_phase_hook(void *sst, uint32_t new_phase)
764 struct netlink *st=sst;
765 struct netlink_client *c;
768 /* All the networks serviced by the various tunnels should now
769 * have been registered. We build a routing table by sorting the
770 * clients by priority. */
771 st->routes=safe_malloc(st->n_clients*sizeof(*st->routes),
772 "netlink_phase_hook");
775 for (c=st->clients; c; c=c->next) {
779 /* Sort the table in descending order of priority */
780 qsort(st->routes,st->n_clients,sizeof(*st->routes),
781 netlink_compare_client_priority);
783 netlink_dump_routes(st,False);
786 static void netlink_signal_handler(void *sst, int signum)
788 struct netlink *st=sst;
789 Message(M_INFO,"%s: route dump requested by SIGUSR1\n",st->name);
790 netlink_dump_routes(st,True);
793 static void netlink_inst_output_config(void *sst, struct buffer_if *buf)
795 /* struct netlink_client *c=sst; */
796 /* struct netlink *st=c->nst; */
798 /* For now we don't output anything */
799 BUF_ASSERT_USED(buf);
802 static bool_t netlink_inst_check_config(void *sst, struct buffer_if *buf)
804 /* struct netlink_client *c=sst; */
805 /* struct netlink *st=c->nst; */
807 BUF_ASSERT_USED(buf);
808 /* We need to eat all of the configuration information from the buffer
809 for backward compatibility. */
814 static void netlink_inst_set_mtu(void *sst, uint32_t new_mtu)
816 struct netlink_client *c=sst;
821 static void netlink_inst_reg(void *sst, netlink_deliver_fn *deliver,
822 void *dst, uint32_t max_start_pad,
823 uint32_t max_end_pad)
825 struct netlink_client *c=sst;
826 struct netlink *st=c->nst;
828 if (max_start_pad > st->max_start_pad) st->max_start_pad=max_start_pad;
829 if (max_end_pad > st->max_end_pad) st->max_end_pad=max_end_pad;
834 static struct flagstr netlink_option_table[]={
835 { "soft", OPT_SOFTROUTE },
836 { "allow-route", OPT_ALLOWROUTE },
839 /* This is the routine that gets called when the closure that's
840 returned by an invocation of a netlink device closure (eg. tun,
841 userv-ipif) is invoked. It's used to create routes and pass in
842 information about them; the closure it returns is used by site
844 static closure_t *netlink_inst_create(struct netlink *st,
845 struct cloc loc, dict_t *dict)
847 struct netlink_client *c;
849 struct ipset *networks;
850 uint32_t options,priority,mtu;
853 name=dict_read_string(dict, "name", True, st->name, loc);
855 l=dict_lookup(dict,"routes");
857 cfgfatal(loc,st->name,"required parameter \"routes\" not found\n");
858 networks=string_list_to_ipset(l,loc,st->name,"routes");
859 options=string_list_to_word(dict_lookup(dict,"options"),
860 netlink_option_table,st->name);
862 priority=dict_read_number(dict,"priority",False,st->name,loc,0);
863 mtu=dict_read_number(dict,"mtu",False,st->name,loc,0);
865 if ((options&OPT_SOFTROUTE) && !st->set_routes) {
866 cfgfatal(loc,st->name,"this netlink device does not support "
871 if (options&OPT_SOFTROUTE) {
872 /* XXX for now we assume that soft routes require root privilege;
873 this may not always be true. The device driver can tell us. */
874 require_root_privileges=True;
875 require_root_privileges_explanation="netlink: soft routes";
877 cfgfatal(loc,st->name,"point-to-point netlinks do not support "
883 /* Check that nets are a subset of st->remote_networks;
884 refuse to register if they are not. */
885 if (!ipset_is_subset(st->remote_networks,networks)) {
886 cfgfatal(loc,st->name,"routes are not allowed\n");
890 c=safe_malloc(sizeof(*c),"netlink_inst_create");
891 c->cl.description=name;
892 c->cl.type=CL_NETLINK;
894 c->cl.interface=&c->ops;
896 c->ops.reg=netlink_inst_reg;
897 c->ops.deliver=netlink_inst_incoming;
898 c->ops.set_quality=netlink_set_quality;
899 c->ops.output_config=netlink_inst_output_config;
900 c->ops.check_config=netlink_inst_check_config;
901 c->ops.set_mtu=netlink_inst_set_mtu;
904 c->networks=networks;
905 c->subnets=ipset_to_subnet_list(networks);
906 c->priority=priority;
910 c->link_quality=LINK_QUALITY_DOWN;
911 c->mtu=mtu?mtu:st->mtu;
918 assert(st->n_clients < INT_MAX);
924 static list_t *netlink_inst_apply(closure_t *self, struct cloc loc,
925 dict_t *context, list_t *args)
927 struct netlink *st=self->interface;
933 item=list_elem(args,0);
934 if (!item || item->type!=t_dict) {
935 cfgfatal(loc,st->name,"must have a dictionary argument\n");
937 dict=item->data.dict;
939 cl=netlink_inst_create(st,loc,dict);
941 return new_closure(cl);
944 netlink_deliver_fn *netlink_init(struct netlink *st,
945 void *dst, struct cloc loc,
946 dict_t *dict, cstring_t description,
947 netlink_route_fn *set_routes,
948 netlink_deliver_fn *to_host)
954 st->cl.description=description;
956 st->cl.apply=netlink_inst_apply;
963 st->set_routes=set_routes;
964 st->deliver_to_host=to_host;
966 st->name=dict_read_string(dict,"name",False,description,loc);
967 if (!st->name) st->name=description;
968 l=dict_lookup(dict,"networks");
970 st->networks=string_list_to_ipset(l,loc,st->name,"networks");
974 st->networks=ipset_complement(empty);
977 l=dict_lookup(dict,"remote-networks");
979 st->remote_networks=string_list_to_ipset(l,loc,st->name,
984 st->remote_networks=ipset_complement(empty);
988 sa=dict_find_item(dict,"secnet-address",False,"netlink",loc);
989 ptpa=dict_find_item(dict,"ptp-address",False,"netlink",loc);
991 cfgfatal(loc,st->name,"you may not specify secnet-address and "
992 "ptp-address in the same netlink device\n");
995 cfgfatal(loc,st->name,"you must specify secnet-address or "
996 "ptp-address for this netlink device\n");
999 st->secnet_address=string_item_to_ipaddr(sa,"netlink");
1002 st->secnet_address=string_item_to_ipaddr(ptpa,"netlink");
1005 /* To be strictly correct we could subtract secnet_address from
1006 networks here. It shouldn't make any practical difference,
1007 though, and will make the route dump look complicated... */
1008 st->subnets=ipset_to_subnet_list(st->networks);
1009 st->mtu=dict_read_number(dict, "mtu", False, "netlink", loc, DEFAULT_MTU);
1010 buffer_new(&st->icmp,ICMP_BUFSIZE);
1014 add_hook(PHASE_SETUP,netlink_phase_hook,st);
1015 request_signal_notification(SIGUSR1, netlink_signal_handler, st);
1017 /* If we're point-to-point then we return a CL_NETLINK directly,
1018 rather than a CL_NETLINK_OLD or pure closure (depending on
1019 compatibility). This CL_NETLINK is for our one and only
1020 client. Our cl.apply function is NULL. */
1023 cl=netlink_inst_create(st,loc,dict);
1026 return netlink_dev_incoming;
1029 /* No connection to the kernel at all... */
1035 static bool_t null_set_route(void *sst, struct netlink_client *routes)
1037 struct null *st=sst;
1039 if (routes->up!=routes->kup) {
1040 Message(M_INFO,"%s: setting routes for tunnel %s to state %s\n",
1041 st->nl.name,routes->name,
1042 routes->up?"up":"down");
1043 routes->kup=routes->up;
1049 static void null_deliver(void *sst, struct buffer_if *buf)
1054 static list_t *null_apply(closure_t *self, struct cloc loc, dict_t *context,
1061 st=safe_malloc(sizeof(*st),"null_apply");
1063 item=list_elem(args,0);
1064 if (!item || item->type!=t_dict)
1065 cfgfatal(loc,"null-netlink","parameter must be a dictionary\n");
1067 dict=item->data.dict;
1069 netlink_init(&st->nl,st,loc,dict,"null-netlink",null_set_route,
1072 return new_closure(&st->nl.cl);
1075 void netlink_module(dict_t *dict)
1077 add_closure(dict,"null-netlink",null_apply);
~ian / secnet.git / blob