projects / mirror_iproute2.git / blame
| Commit | Line | Data |
|---|---|---|
| 9932abb4 PM |
1 | /* |
| 2 | * f_flow.c Flow filter | |
| 3 | * | |
| 4 | * This program is free software; you can redistribute it and/or | |
| 5 | * modify it under the terms of the GNU General Public License | |
| 6 | * as published by the Free Software Foundation; either version | |
| 7 | * 2 of the License, or (at your option) any later version. | |
| 8 | * | |
| 9 | * Authors: Patrick McHardy <kaber@trash.net> | |
| 10 | */ | |
| 11 | #include <stdio.h> | |
| 12 | #include <stdlib.h> | |
| 13 | #include <unistd.h> | |
| 14 | #include <string.h> | |
| 15 | #include <errno.h> | |
| 16 | ||
| 17 | #include "utils.h" | |
| 18 | #include "tc_util.h" | |
| 19 | #include "m_ematch.h" | |
| 20 | ||
| 21 | static void explain(void) | |
| 22 | { | |
| 23 | fprintf(stderr, | |
| 24 | "Usage: ... flow ...\n" | |
| 25 | "\n" | |
| 26 | " [mapping mode]: map key KEY [ OPS ] ...\n" | |
| 27 | " [hashing mode]: hash keys KEY-LIST ...\n" | |
| 28 | "\n" | |
| 29 | " [ divisor NUM ] [ baseclass ID ] [ match EMATCH_TREE ]\n" | |
| 30 | " [ police POLICE_SPEC ] [ action ACTION_SPEC ]\n" | |
| 31 | "\n" | |
| 32 | "KEY-LIST := [ KEY-LIST , ] KEY\n" | |
| 33 | "KEY := [ src | dst | proto | proto-src | proto-dst | iif | priority | \n" | |
| 34 | " mark | nfct | nfct-src | nfct-dst | nfct-proto-src | \n" | |
| 35 | " nfct-proto-dst | rt-classid | sk-uid | sk-gid ]\n" | |
| 36 | "OPS := [ or NUM | and NUM | xor NUM | rshift NUM | addend NUM ]\n" | |
| 37 | "ID := X:Y\n" | |
| 38 | ); | |
| 39 | } | |
| 40 | ||
| 41 | static const char *flow_keys[FLOW_KEY_MAX+1] = { | |
| 42 | [FLOW_KEY_SRC] = "src", | |
| 43 | [FLOW_KEY_DST] = "dst", | |
| 44 | [FLOW_KEY_PROTO] = "proto", | |
| 45 | [FLOW_KEY_PROTO_SRC] = "proto-src", | |
| 46 | [FLOW_KEY_PROTO_DST] = "proto-dst", | |
| 47 | [FLOW_KEY_IIF] = "iif", | |
| 48 | [FLOW_KEY_PRIORITY] = "priority", | |
| 49 | [FLOW_KEY_MARK] = "mark", | |
| 50 | [FLOW_KEY_NFCT] = "nfct", | |
| 51 | [FLOW_KEY_NFCT_SRC] = "nfct-src", | |
| 52 | [FLOW_KEY_NFCT_DST] = "nfct-dst", | |
| 53 | [FLOW_KEY_NFCT_PROTO_SRC] = "nfct-proto-src", | |
| 54 | [FLOW_KEY_NFCT_PROTO_DST] = "nfct-proto-dst", | |
| 55 | [FLOW_KEY_RTCLASSID] = "rt-classid", | |
| 56 | [FLOW_KEY_SKUID] = "sk-uid", | |
| 57 | [FLOW_KEY_SKGID] = "sk-gid", | |
| 58 | }; | |
| 59 | ||
| 60 | static int flow_parse_keys(__u32 *keys, __u32 *nkeys, char *argv) | |
| 61 | { | |
| 62 | char *s, *sep; | |
| 63 | unsigned int i; | |
| 64 | ||
| 65 | *keys = 0; | |
| 66 | *nkeys = 0; | |
| 67 | s = argv; | |
| 68 | while (s != NULL) { | |
| 69 | sep = strchr(s, ','); | |
| 70 | if (sep) | |
| 71 | *sep = '\0'; | |
| 72 | ||
| 73 | for (i = 0; i <= FLOW_KEY_MAX; i++) { | |
| 74 | if (matches(s, flow_keys[i]) == 0) { | |
| 75 | *keys |= 1 << i; | |
| 76 | (*nkeys)++; | |
| 77 | break; | |
| 78 | } | |
| 79 | } | |
| 80 | if (i > FLOW_KEY_MAX) { | |
| 81 | fprintf(stderr, "Unknown flow key \"%s\"\n", s); | |
| 82 | return -1; | |
| 83 | } | |
| 84 | s = sep ? sep + 1 : NULL; | |
| 85 | } | |
| 86 | return 0; | |
| 87 | } | |
| 88 | ||
| 89 | static void transfer_bitop(__u32 *mask, __u32 *xor, __u32 m, __u32 x) | |
| 90 | { | |
| 91 | *xor = x ^ (*xor & m); | |
| 92 | *mask &= m; | |
| 93 | } | |
| 94 | ||
| 95 | static int get_addend(__u32 *addend, char *argv, __u32 keys) | |
| 96 | { | |
| 97 | inet_prefix addr; | |
| 98 | int sign = 0; | |
| 99 | __u32 tmp; | |
| 100 | ||
| 101 | if (*argv == '-') { | |
| 102 | sign = 1; | |
| 103 | argv++; | |
| 104 | } | |
| 105 | ||
| 106 | if (get_u32(&tmp, argv, 0) == 0) | |
| 107 | goto out; | |
| 108 | ||
| 109 | if (keys & (FLOW_KEY_SRC | FLOW_KEY_DST | | |
| 110 | FLOW_KEY_NFCT_SRC | FLOW_KEY_NFCT_DST) && | |
| 111 | get_addr(&addr, argv, AF_UNSPEC) == 0) { | |
| 112 | switch (addr.family) { | |
| 113 | case AF_INET: | |
| 114 | tmp = ntohl(addr.data[0]); | |
| 115 | goto out; | |
| 116 | case AF_INET6: | |
| 117 | tmp = ntohl(addr.data[3]); | |
| 118 | goto out; | |
| 119 | } | |
| 120 | } | |
| 121 | ||
| 122 | return -1; | |
| 123 | out: | |
| 124 | if (sign) | |
| 125 | tmp = -tmp; | |
| 126 | *addend = tmp; | |
| 127 | return 0; | |
| 128 | } | |
| 129 | ||
| 130 | static int flow_parse_opt(struct filter_util *fu, char *handle, | |
| 131 | int argc, char **argv, struct nlmsghdr *n) | |
| 132 | { | |
| 133 | struct tc_police tp; | |
| 134 | struct tcmsg *t = NLMSG_DATA(n); | |
| 135 | struct rtattr *tail; | |
| 136 | __u32 mask = ~0U, xor = 0; | |
| 137 | __u32 keys = 0, nkeys = 0; | |
| 138 | __u32 mode = FLOW_MODE_MAP; | |
| 139 | __u32 tmp; | |
| 140 | ||
| 141 | memset(&tp, 0, sizeof(tp)); | |
| 142 | ||
| 143 | if (handle) { | |
| 144 | if (get_u32(&t->tcm_handle, handle, 0)) { | |
| 145 | fprintf(stderr, "Illegal \"handle\"\n"); | |
| 146 | return -1; | |
| 147 | } | |
| 148 | } | |
| 149 | ||
| 150 | tail = NLMSG_TAIL(n); | |
| 151 | addattr_l(n, 4096, TCA_OPTIONS, NULL, 0); | |
| 152 | ||
| 153 | while (argc > 0) { | |
| 154 | if (matches(*argv, "map") == 0) { | |
| 155 | mode = FLOW_MODE_MAP; | |
| 156 | } else if (matches(*argv, "hash") == 0) { | |
| 157 | mode = FLOW_MODE_HASH; | |
| 158 | } else if (matches(*argv, "keys") == 0) { | |
| 159 | NEXT_ARG(); | |
| 160 | if (flow_parse_keys(&keys, &nkeys, *argv)) | |
| 161 | return -1; | |
| 162 | addattr32(n, 4096, TCA_FLOW_KEYS, keys); | |
| 163 | } else if (matches(*argv, "and") == 0) { | |
| 164 | NEXT_ARG(); | |
| 165 | if (get_u32(&tmp, *argv, 0)) { | |
| 166 | fprintf(stderr, "Illegal \"mask\"\n"); | |
| 167 | return -1; | |
| 168 | } | |
| 169 | transfer_bitop(&mask, &xor, tmp, 0); | |
| 170 | } else if (matches(*argv, "or") == 0) { | |
| 171 | NEXT_ARG(); | |
| 172 | if (get_u32(&tmp, *argv, 0)) { | |
| 173 | fprintf(stderr, "Illegal \"or\"\n"); | |
| 174 | return -1; | |
| 175 | } | |
| 176 | transfer_bitop(&mask, &xor, ~tmp, tmp); | |
| 177 | } else if (matches(*argv, "xor") == 0) { | |
| 178 | NEXT_ARG(); | |
| 179 | if (get_u32(&tmp, *argv, 0)) { | |
| 180 | fprintf(stderr, "Illegal \"xor\"\n"); | |
| 181 | return -1; | |
| 182 | } | |
| 183 | transfer_bitop(&mask, &xor, ~0, tmp); | |
| 184 | } else if (matches(*argv, "rshift") == 0) { | |
| 185 | NEXT_ARG(); | |
| 186 | if (get_u32(&tmp, *argv, 0)) { | |
| 187 | fprintf(stderr, "Illegal \"rshift\"\n"); | |
| 188 | return -1; | |
| 189 | } | |
| 190 | addattr32(n, 4096, TCA_FLOW_RSHIFT, tmp); | |
| 191 | } else if (matches(*argv, "addend") == 0) { | |
| 192 | NEXT_ARG(); | |
| 193 | if (get_addend(&tmp, *argv, keys)) { | |
| 194 | fprintf(stderr, "Illegal \"addend\"\n"); | |
| 195 | return -1; | |
| 196 | } | |
| 197 | addattr32(n, 4096, TCA_FLOW_ADDEND, tmp); | |
| 198 | } else if (matches(*argv, "divisor") == 0) { | |
| 199 | NEXT_ARG(); | |
| 200 | if (get_u32(&tmp, *argv, 0)) { | |
| 201 | fprintf(stderr, "Illegal \"divisor\"\n"); | |
| 202 | return -1; | |
| 203 | } | |
| 204 | addattr32(n, 4096, TCA_FLOW_DIVISOR, tmp); | |
| 205 | } else if (matches(*argv, "baseclass") == 0) { | |
| 206 | NEXT_ARG(); | |
| 207 | if (get_tc_classid(&tmp, *argv) || TC_H_MIN(tmp) == 0) { | |
| 208 | fprintf(stderr, "Illegal \"baseclass\"\n"); | |
| 209 | return -1; | |
| 210 | } | |
| 211 | addattr32(n, 4096, TCA_FLOW_BASECLASS, tmp); | |
| 212 | } else if (matches(*argv, "police") == 0) { | |
| 213 | NEXT_ARG(); | |
| 214 | if (parse_police(&argc, &argv, TCA_FLOW_POLICE, n)) { | |
| 215 | fprintf(stderr, "Illegal \"police\"\n"); | |
| 216 | return -1; | |
| 217 | } | |
| 218 | continue; | |
| 219 | } else if (matches(*argv, "action") == 0) { | |
| 220 | NEXT_ARG(); | |
| 221 | if (parse_action(&argc, &argv, TCA_FLOW_ACT, n)) { | |
| 222 | fprintf(stderr, "Illegal \"action\"\n"); | |
| 223 | return -1; | |
| 224 | } | |
| 225 | continue; | |
| 226 | } else if (matches(*argv, "match") == 0) { | |
| 227 | NEXT_ARG(); | |
| 228 | if (parse_ematch(&argc, &argv, TCA_FLOW_EMATCHES, n)) { | |
| 229 | fprintf(stderr, "Illegal \"ematch\"\n"); | |
| 230 | return -1; | |
| 231 | } | |
| 232 | continue; | |
| 233 | } else if (matches(*argv, "help") == 0) { | |
| 234 | explain(); | |
| 235 | return -1; | |
| 236 | } else { | |
| 237 | fprintf(stderr, "What is \"%s\"?\n", *argv); | |
| 238 | explain(); | |
| 239 | return -1; | |
| 240 | } | |
| 241 | argv++, argc--; | |
| 242 | } | |
| 243 | ||
| 244 | if (nkeys > 1 && mode != FLOW_MODE_HASH) { | |
| 245 | fprintf(stderr, "Invalid mode \"map\" for multiple keys\n"); | |
| 246 | return -1; | |
| 247 | } | |
| 248 | addattr32(n, 4096, TCA_FLOW_MODE, mode); | |
| 249 | ||
| 250 | if (mask != ~0 || xor != 0) { | |
| 251 | addattr32(n, 4096, TCA_FLOW_MASK, mask); | |
| 252 | addattr32(n, 4096, TCA_FLOW_XOR, xor); | |
| 253 | } | |
| 254 | ||
| 255 | tail->rta_len = (void *)NLMSG_TAIL(n) - (void *)tail; | |
| 256 | return 0; | |
| 257 | } | |
| 258 | ||
| 259 | static int flow_print_opt(struct filter_util *fu, FILE *f, struct rtattr *opt, | |
| 260 | __u32 handle) | |
| 261 | { | |
| 262 | struct rtattr *tb[TCA_FLOW_MAX+1]; | |
| 263 | SPRINT_BUF(b1); | |
| 264 | unsigned int i; | |
| 265 | __u32 mask = ~0, val = 0; | |
| 266 | ||
| 267 | if (opt == NULL) | |
| 268 | return -EINVAL; | |
| 269 | ||
| 270 | parse_rtattr_nested(tb, TCA_FLOW_MAX, opt); | |
| 271 | ||
| 272 | fprintf(f, "handle 0x%x ", handle); | |
| 273 | ||
| 274 | if (tb[TCA_FLOW_MODE]) { | |
| 275 | __u32 mode = *(__u32 *)RTA_DATA(tb[TCA_FLOW_MODE]); | |
| 276 | ||
| 277 | switch (mode) { | |
| 278 | case FLOW_MODE_MAP: | |
| 279 | fprintf(f, "map "); | |
| 280 | break; | |
| 281 | case FLOW_MODE_HASH: | |
| 282 | fprintf(f, "hash "); | |
| 283 | break; | |
| 284 | } | |
| 285 | } | |
| 286 | ||
| 287 | if (tb[TCA_FLOW_KEYS]) { | |
| 288 | __u32 keymask = *(__u32 *)RTA_DATA(tb[TCA_FLOW_KEYS]); | |
| 289 | char *sep = ""; | |
| 290 | ||
| 291 | fprintf(f, "keys "); | |
| 292 | for (i = 0; i <= FLOW_KEY_MAX; i++) { | |
| 293 | if (keymask & (1 << i)) { | |
| 294 | fprintf(f, "%s%s", sep, flow_keys[i]); | |
| 295 | sep = ","; | |
| 296 | } | |
| 297 | } | |
| 298 | fprintf(f, " "); | |
| 299 | } | |
| 300 | ||
| 301 | if (tb[TCA_FLOW_MASK]) | |
| 302 | mask = *(__u32 *)RTA_DATA(tb[TCA_FLOW_MASK]); | |
| 303 | if (tb[TCA_FLOW_XOR]) | |
| 304 | val = *(__u32 *)RTA_DATA(tb[TCA_FLOW_XOR]); | |
| 305 | ||
| 306 | if (mask != ~0 || val != 0) { | |
| 307 | __u32 or = (mask & val) ^ val; | |
| 308 | __u32 xor = mask & val; | |
| 309 | ||
| 310 | if (mask != ~0) | |
| 311 | fprintf(f, "and 0x%.8x ", mask); | |
| 312 | if (xor != 0) | |
| 313 | fprintf(f, "xor 0x%.8x ", xor); | |
| 314 | if (or != 0) | |
| 315 | fprintf(f, "or 0x%.8x ", or); | |
| 316 | } | |
| 317 | ||
| 318 | if (tb[TCA_FLOW_RSHIFT]) | |
| 319 | fprintf(f, "rshift %u ", | |
| 320 | *(__u32 *)RTA_DATA(tb[TCA_FLOW_RSHIFT])); | |
| 321 | if (tb[TCA_FLOW_ADDEND]) | |
| 322 | fprintf(f, "addend 0x%x ", | |
| 323 | *(__u32 *)RTA_DATA(tb[TCA_FLOW_ADDEND])); | |
| 324 | ||
| 325 | if (tb[TCA_FLOW_DIVISOR]) | |
| 326 | fprintf(f, "divisor %u ", | |
| 327 | *(__u32 *)RTA_DATA(tb[TCA_FLOW_DIVISOR])); | |
| 328 | if (tb[TCA_FLOW_BASECLASS]) | |
| 329 | fprintf(f, "baseclass %s ", | |
| 330 | sprint_tc_classid(*(__u32 *)RTA_DATA(tb[TCA_FLOW_BASECLASS]), b1)); | |
| 331 | ||
| 332 | if (tb[TCA_FLOW_EMATCHES]) | |
| 333 | print_ematch(f, tb[TCA_FLOW_EMATCHES]); | |
| 334 | if (tb[TCA_FLOW_POLICE]) | |
| 335 | tc_print_police(f, tb[TCA_FLOW_POLICE]); | |
| 336 | if (tb[TCA_FLOW_ACT]) { | |
| 337 | fprintf(f, "\n"); | |
| 338 | tc_print_action(f, tb[TCA_FLOW_ACT]); | |
| 339 | } | |
| 340 | return 0; | |
| 341 | } | |
| 342 | ||
| 343 | struct filter_util flow_filter_util = { | |
| 344 | .id = "flow", | |
| 345 | .parse_fopt = flow_parse_opt, | |
| 346 | .print_fopt = flow_print_opt, | |
| 347 | }; |