[mirror_frr.git] / zebra / rule_netlink.c

/*
 * Zebra Policy Based Routing (PBR) interaction with the kernel using
 * netlink.
 * Copyright (C) 2018  Cumulus Networks, Inc.
 *
 * This file is part of FRR.
 *
 * FRR is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2, or (at your option) any
 * later version.
 *
 * FRR is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with FRR; see the file COPYING.  If not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
 * 02111-1307, USA.
 */

#include <zebra.h>

#ifdef HAVE_NETLINK

#include "if.h"
#include "prefix.h"
#include "vrf.h"

#include <linux/fib_rules.h>
#include "zebra/zserv.h"
#include "zebra/zebra_ns.h"
#include "zebra/zebra_vrf.h"
#include "zebra/rt.h"
#include "zebra/interface.h"
#include "zebra/debug.h"
#include "zebra/rtadv.h"
#include "zebra/kernel_netlink.h"
#include "zebra/rule_netlink.h"
#include "zebra/zebra_pbr.h"
#include "zebra/zebra_errors.h"
#include "zebra/zebra_dplane.h"
#include "zebra/zebra_trace.h"

/* definitions */

/* static function declarations */

/* Private functions */


/*
 * netlink_rule_msg_encode
 *
 * Encodes netlink RTM_ADDRULE/RTM_DELRULE message to buffer buf of size buflen.
 *
 * Returns -1 on failure, 0 when the msg doesn't fit entirely in the buffer
 * or the number of bytes written to buf.
 */
static ssize_t netlink_rule_msg_encode(
	int cmd, const struct zebra_dplane_ctx *ctx, uint32_t filter_bm,
	uint32_t priority, uint32_t table, const struct prefix *src_ip,
	const struct prefix *dst_ip, uint32_t fwmark, uint8_t dsfield,
	uint8_t ip_protocol, void *buf, size_t buflen)
{
	uint8_t protocol = RTPROT_ZEBRA;
	int family;
	int bytelen;
	struct {
		struct nlmsghdr n;
		struct fib_rule_hdr frh;
		char buf[];
	} *req = buf;

	const char *ifname = dplane_ctx_rule_get_ifname(ctx);

	if (buflen < sizeof(*req))
		return 0;
	memset(req, 0, sizeof(*req));

	/* Assume ipv4 if no src/dst set, we only support ipv4/ipv6 */
	if (PREFIX_FAMILY(src_ip))
		family = PREFIX_FAMILY(src_ip);
	else if (PREFIX_FAMILY(dst_ip))
		family = PREFIX_FAMILY(dst_ip);
	else
		family = AF_INET;

	bytelen = (family == AF_INET ? 4 : 16);

	req->n.nlmsg_type = cmd;
	req->n.nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
	req->n.nlmsg_flags = NLM_F_REQUEST;

	req->frh.family = family;
	req->frh.action = FR_ACT_TO_TBL;

	if (!nl_attr_put(&req->n, buflen, FRA_PROTOCOL, &protocol,
			 sizeof(protocol)))
		return 0;

	/* rule's pref # */
	if (!nl_attr_put32(&req->n, buflen, FRA_PRIORITY, priority))
		return 0;

	/* interface on which applied */
	if (!nl_attr_put(&req->n, buflen, FRA_IFNAME, ifname,
			 strlen(ifname) + 1))
		return 0;

	/* source IP, if specified */
	if (filter_bm & PBR_FILTER_SRC_IP) {
		req->frh.src_len = src_ip->prefixlen;
		if (!nl_attr_put(&req->n, buflen, FRA_SRC, &src_ip->u.prefix,
				 bytelen))
			return 0;
	}

	/* destination IP, if specified */
	if (filter_bm & PBR_FILTER_DST_IP) {
		req->frh.dst_len = dst_ip->prefixlen;
		if (!nl_attr_put(&req->n, buflen, FRA_DST, &dst_ip->u.prefix,
				 bytelen))
			return 0;
	}

	/* fwmark, if specified */
	if (filter_bm & PBR_FILTER_FWMARK) {
		if (!nl_attr_put32(&req->n, buflen, FRA_FWMARK, fwmark))
			return 0;
	}

	/* dsfield, if specified */
	if (filter_bm & PBR_FILTER_DSFIELD)
		req->frh.tos = dsfield;

	/* protocol to match on */
	if (filter_bm & PBR_FILTER_IP_PROTOCOL)
		nl_attr_put8(&req->n, buflen, FRA_IP_PROTO, ip_protocol);

	/* Route table to use to forward, if filter criteria matches. */
	if (table < 256)
		req->frh.table = table;
	else {
		req->frh.table = RT_TABLE_UNSPEC;
		if (!nl_attr_put32(&req->n, buflen, FRA_TABLE, table))
			return 0;
	}

	if (IS_ZEBRA_DEBUG_KERNEL)
		zlog_debug(
			"Tx %s family %s IF %s Pref %u Fwmark %u Src %pFX Dst %pFX Table %u",
			nl_msg_type_to_str(cmd), nl_family_to_str(family),
			ifname, priority, fwmark, src_ip, dst_ip, table);

	return NLMSG_ALIGN(req->n.nlmsg_len);
}

static ssize_t netlink_rule_msg_encoder(struct zebra_dplane_ctx *ctx, void *buf,
					size_t buflen)
{
	int cmd = RTM_NEWRULE;

	if (dplane_ctx_get_op(ctx) == DPLANE_OP_RULE_DELETE)
		cmd = RTM_DELRULE;

	return netlink_rule_msg_encode(
		cmd, ctx, dplane_ctx_rule_get_filter_bm(ctx),
		dplane_ctx_rule_get_priority(ctx),
		dplane_ctx_rule_get_table(ctx), dplane_ctx_rule_get_src_ip(ctx),
		dplane_ctx_rule_get_dst_ip(ctx),
		dplane_ctx_rule_get_fwmark(ctx),
		dplane_ctx_rule_get_dsfield(ctx),
		dplane_ctx_rule_get_ipproto(ctx), buf, buflen);
}

static ssize_t netlink_oldrule_msg_encoder(struct zebra_dplane_ctx *ctx,
					   void *buf, size_t buflen)
{
	return netlink_rule_msg_encode(
		RTM_DELRULE, ctx, dplane_ctx_rule_get_old_filter_bm(ctx),
		dplane_ctx_rule_get_old_priority(ctx),
		dplane_ctx_rule_get_old_table(ctx),
		dplane_ctx_rule_get_old_src_ip(ctx),
		dplane_ctx_rule_get_old_dst_ip(ctx),
		dplane_ctx_rule_get_old_fwmark(ctx),
		dplane_ctx_rule_get_old_dsfield(ctx),
		dplane_ctx_rule_get_old_ipproto(ctx), buf, buflen);
}

/* Public functions */

enum netlink_msg_status
netlink_put_rule_update_msg(struct nl_batch *bth, struct zebra_dplane_ctx *ctx)
{
	enum dplane_op_e op;
	enum netlink_msg_status ret;

	op = dplane_ctx_get_op(ctx);
	if (!(op == DPLANE_OP_RULE_ADD || op == DPLANE_OP_RULE_UPDATE
	      || op == DPLANE_OP_RULE_DELETE)) {
		flog_err(
			EC_ZEBRA_PBR_RULE_UPDATE,
			"Context received for kernel rule update with incorrect OP code (%u)",
			op);
		return FRR_NETLINK_ERROR;
	}

	ret = netlink_batch_add_msg(bth, ctx, netlink_rule_msg_encoder, false);

	/**
	 * Delete the old one.
	 *
	 * Don't care about this result right?
	 */
	if (op == DPLANE_OP_RULE_UPDATE)
		netlink_batch_add_msg(bth, ctx, netlink_oldrule_msg_encoder,
				      true);

	return ret;
}

/*
 * Handle netlink notification informing a rule add or delete.
 * Handling of an ADD is TBD.
 * DELs are notified up, if other attributes indicate it may be a
 * notification of interest. The expectation is that if this corresponds
 * to a PBR rule added by FRR, it will be readded.
 *
 * If startup and we see a rule we created, delete it as its leftover
 * from a previous instance and should have been removed on shutdown.
 *
 */
int netlink_rule_change(struct nlmsghdr *h, ns_id_t ns_id, int startup)
{
	struct zebra_ns *zns;
	struct fib_rule_hdr *frh;
	struct rtattr *tb[FRA_MAX + 1];
	int len;
	char *ifname;
	struct zebra_pbr_rule rule = {};
	uint8_t proto = 0;
	uint8_t ip_proto = 0;

	frrtrace(3, frr_zebra, netlink_rule_change, h, ns_id, startup);

	/* Basic validation followed by extracting attributes. */
	if (h->nlmsg_type != RTM_NEWRULE && h->nlmsg_type != RTM_DELRULE)
		return 0;

	len = h->nlmsg_len - NLMSG_LENGTH(sizeof(struct fib_rule_hdr));
	if (len < 0) {
		zlog_err(
			"%s: Message received from netlink is of a broken size: %d %zu",
			__func__, h->nlmsg_len,
			(size_t)NLMSG_LENGTH(sizeof(struct fib_rule_hdr)));
		return -1;
	}

	frh = NLMSG_DATA(h);

	if (frh->family != AF_INET && frh->family != AF_INET6) {
		if (frh->family == RTNL_FAMILY_IPMR
		    || frh->family == RTNL_FAMILY_IP6MR) {
			if (IS_ZEBRA_DEBUG_KERNEL)
				zlog_debug(
					"Received rule netlink that we are ignoring for family %u, rule change: %u",
					frh->family, h->nlmsg_type);
			return 0;
		}
		flog_warn(
			EC_ZEBRA_NETLINK_INVALID_AF,
			"Invalid address family: %u received from kernel rule change: %u",
			frh->family, h->nlmsg_type);
		return 0;
	}
	if (frh->action != FR_ACT_TO_TBL)
		return 0;

	memset(tb, 0, sizeof(tb));
	netlink_parse_rtattr(tb, FRA_MAX, RTM_RTA(frh), len);

	if (tb[FRA_PRIORITY])
		rule.rule.priority = *(uint32_t *)RTA_DATA(tb[FRA_PRIORITY]);

	if (tb[FRA_SRC]) {
		if (frh->family == AF_INET)
			memcpy(&rule.rule.filter.src_ip.u.prefix4,
			       RTA_DATA(tb[FRA_SRC]), 4);
		else
			memcpy(&rule.rule.filter.src_ip.u.prefix6,
			       RTA_DATA(tb[FRA_SRC]), 16);
		rule.rule.filter.src_ip.prefixlen = frh->src_len;
		rule.rule.filter.src_ip.family = frh->family;
		rule.rule.filter.filter_bm |= PBR_FILTER_SRC_IP;
	}

	if (tb[FRA_DST]) {
		if (frh->family == AF_INET)
			memcpy(&rule.rule.filter.dst_ip.u.prefix4,
			       RTA_DATA(tb[FRA_DST]), 4);
		else
			memcpy(&rule.rule.filter.dst_ip.u.prefix6,
			       RTA_DATA(tb[FRA_DST]), 16);
		rule.rule.filter.dst_ip.prefixlen = frh->dst_len;
		rule.rule.filter.dst_ip.family = frh->family;
		rule.rule.filter.filter_bm |= PBR_FILTER_DST_IP;
	}

	if (tb[FRA_TABLE])
		rule.rule.action.table = *(uint32_t *)RTA_DATA(tb[FRA_TABLE]);
	else
		rule.rule.action.table = frh->table;

	/* TBD: We don't care about rules not specifying an IIF. */
	if (tb[FRA_IFNAME] == NULL)
		return 0;

	if (tb[FRA_PROTOCOL])
		proto = *(uint8_t *)RTA_DATA(tb[FRA_PROTOCOL]);

	if (tb[FRA_IP_PROTO])
		ip_proto = *(uint8_t *)RTA_DATA(tb[FRA_IP_PROTO]);

	ifname = (char *)RTA_DATA(tb[FRA_IFNAME]);
	strlcpy(rule.ifname, ifname, sizeof(rule.ifname));

	if (h->nlmsg_type == RTM_NEWRULE) {
		/*
		 * If we see a rule at startup we created, delete it now.
		 * It should have been flushed on a previous shutdown.
		 */
		if (startup && proto == RTPROT_ZEBRA) {
			enum zebra_dplane_result ret;

			ret = dplane_pbr_rule_delete(&rule);

			zlog_debug(
				"%s: %s leftover rule: family %s IF %s Pref %u Src %pFX Dst %pFX Table %u ip-proto: %u",
				__func__,
				((ret == ZEBRA_DPLANE_REQUEST_FAILURE)
					 ? "Failed to remove"
					 : "Removed"),
				nl_family_to_str(frh->family), rule.ifname,
				rule.rule.priority, &rule.rule.filter.src_ip,
				&rule.rule.filter.dst_ip,
				rule.rule.action.table, ip_proto);
		}

		/* TBD */
		return 0;
	}

	zns = zebra_ns_lookup(ns_id);

	/* If we don't know the interface, we don't care. */
	if (!if_lookup_by_name_per_ns(zns, ifname))
		return 0;

	if (IS_ZEBRA_DEBUG_KERNEL)
		zlog_debug(
			"Rx %s family %s IF %s Pref %u Src %pFX Dst %pFX Table %u ip-proto: %u",
			nl_msg_type_to_str(h->nlmsg_type),
			nl_family_to_str(frh->family), rule.ifname,
			rule.rule.priority, &rule.rule.filter.src_ip,
			&rule.rule.filter.dst_ip, rule.rule.action.table,
			ip_proto);

	return kernel_pbr_rule_del(&rule);
}

/*
 * Request rules from the kernel
 */
static int netlink_request_rules(struct zebra_ns *zns, int family, int type)
{
	struct {
		struct nlmsghdr n;
		struct fib_rule_hdr frh;
		char buf[NL_PKT_BUF_SIZE];
	} req;

	memset(&req, 0, sizeof(req));
	req.n.nlmsg_type = type;
	req.n.nlmsg_flags = NLM_F_ROOT | NLM_F_MATCH | NLM_F_REQUEST;
	req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct fib_rule_hdr));
	req.frh.family = family;

	return netlink_request(&zns->netlink_cmd, &req);
}

/*
 * Get to know existing PBR rules in the kernel - typically called at startup.
 */
int netlink_rules_read(struct zebra_ns *zns)
{
	int ret;
	struct zebra_dplane_info dp_info;

	zebra_dplane_info_from_zns(&dp_info, zns, true);

	ret = netlink_request_rules(zns, AF_INET, RTM_GETRULE);
	if (ret < 0)
		return ret;

	ret = netlink_parse_info(netlink_rule_change, &zns->netlink_cmd,
				 &dp_info, 0, true);
	if (ret < 0)
		return ret;

	ret = netlink_request_rules(zns, AF_INET6, RTM_GETRULE);
	if (ret < 0)
		return ret;

	ret = netlink_parse_info(netlink_rule_change, &zns->netlink_cmd,
				 &dp_info, 0, true);
	return ret;
}

#endif /* HAVE_NETLINK */
Commit	Line	Data
942bf97b	1	/*
	2	* Zebra Policy Based Routing (PBR) interaction with the kernel using
	3	* netlink.
	4	* Copyright (C) 2018 Cumulus Networks, Inc.
	5	*
	6	* This file is part of FRR.
	7	*
	8	* FRR is free software; you can redistribute it and/or modify it
	9	* under the terms of the GNU General Public License as published by the
	10	* Free Software Foundation; either version 2, or (at your option) any
	11	* later version.
	12	*
	13	* FRR is distributed in the hope that it will be useful, but
	14	* WITHOUT ANY WARRANTY; without even the implied warranty of
	15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	16	* General Public License for more details.
	17	*
	18	* You should have received a copy of the GNU General Public License
	19	* along with FRR; see the file COPYING. If not, write to the Free
	20	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
	21	* 02111-1307, USA.
	22	*/
	23
	24	#include <zebra.h>
	25
	26	#ifdef HAVE_NETLINK
	27
	28	#include "if.h"
	29	#include "prefix.h"
	30	#include "vrf.h"
	31
	32	#include <linux/fib_rules.h>
	33	#include "zebra/zserv.h"
	34	#include "zebra/zebra_ns.h"
	35	#include "zebra/zebra_vrf.h"
	36	#include "zebra/rt.h"
	37	#include "zebra/interface.h"
	38	#include "zebra/debug.h"
	39	#include "zebra/rtadv.h"
	40	#include "zebra/kernel_netlink.h"
	41	#include "zebra/rule_netlink.h"
	42	#include "zebra/zebra_pbr.h"
9df414fe	43	#include "zebra/zebra_errors.h"
f62e5480	44	#include "zebra/zebra_dplane.h"
1239b60c	45	#include "zebra/zebra_trace.h"
942bf97b	46
	47	/* definitions */
	48
	49	/* static function declarations */
	50
	51	/* Private functions */
	52
99e387d5 JU	53
	54	/*
	55	* netlink_rule_msg_encode
	56	*
	57	* Encodes netlink RTM_ADDRULE/RTM_DELRULE message to buffer buf of size buflen.
	58	*
312a6bee JU	59	* Returns -1 on failure, 0 when the msg doesn't fit entirely in the buffer
312a6bee JU	60	* or the number of bytes written to buf.
942bf97b	61	*/
8096bd72 DS	62	static ssize_t netlink_rule_msg_encode(
	63	int cmd, const struct zebra_dplane_ctx *ctx, uint32_t filter_bm,
	64	uint32_t priority, uint32_t table, const struct prefix *src_ip,
	65	const struct prefix *dst_ip, uint32_t fwmark, uint8_t dsfield,
	66	uint8_t ip_protocol, void *buf, size_t buflen)
942bf97b	67	{
f3dbec60	68	uint8_t protocol = RTPROT_ZEBRA;
942bf97b	69	int family;
	70	int bytelen;
	71	struct {
	72	struct nlmsghdr n;
	73	struct fib_rule_hdr frh;
99e387d5 JU	74	char buf[];
	75	} *req = buf;
	76
58a1d249	77	const char *ifname = dplane_ctx_rule_get_ifname(ctx);
942bf97b	78
67e3369e JU	79	if (buflen < sizeof(*req))
67e3369e JU	80	return 0;
99e387d5	81	memset(req, 0, sizeof(*req));
e36ea40d SW	82
	83	/* Assume ipv4 if no src/dst set, we only support ipv4/ipv6 */
	84	if (PREFIX_FAMILY(src_ip))
	85	family = PREFIX_FAMILY(src_ip);
	86	else if (PREFIX_FAMILY(dst_ip))
	87	family = PREFIX_FAMILY(dst_ip);
	88	else
	89	family = AF_INET;
	90
942bf97b	91	bytelen = (family == AF_INET ? 4 : 16);
942bf97b	92
99e387d5 JU	93	req->n.nlmsg_type = cmd;
	94	req->n.nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
	95	req->n.nlmsg_flags = NLM_F_REQUEST;
942bf97b	96
99e387d5 JU	97	req->frh.family = family;
99e387d5 JU	98	req->frh.action = FR_ACT_TO_TBL;
942bf97b	99
0be6e7d7 JU	100	if (!nl_attr_put(&req->n, buflen, FRA_PROTOCOL, &protocol,
	101	sizeof(protocol)))
	102	return 0;
f3dbec60	103
942bf97b	104	/* rule's pref # */
0be6e7d7 JU	105	if (!nl_attr_put32(&req->n, buflen, FRA_PRIORITY, priority))
0be6e7d7 JU	106	return 0;
942bf97b	107
942bf97b	108	/* interface on which applied */
0be6e7d7 JU	109	if (!nl_attr_put(&req->n, buflen, FRA_IFNAME, ifname,
	110	strlen(ifname) + 1))
	111	return 0;
942bf97b	112
942bf97b	113	/* source IP, if specified */
f62e5480	114	if (filter_bm & PBR_FILTER_SRC_IP) {
99e387d5	115	req->frh.src_len = src_ip->prefixlen;
0be6e7d7 JU	116	if (!nl_attr_put(&req->n, buflen, FRA_SRC, &src_ip->u.prefix,
	117	bytelen))
	118	return 0;
942bf97b	119	}
99e387d5	120
942bf97b	121	/* destination IP, if specified */
f62e5480	122	if (filter_bm & PBR_FILTER_DST_IP) {
99e387d5	123	req->frh.dst_len = dst_ip->prefixlen;
0be6e7d7 JU	124	if (!nl_attr_put(&req->n, buflen, FRA_DST, &dst_ip->u.prefix,
	125	bytelen))
	126	return 0;
942bf97b	127	}
942bf97b	128
2bee7aae	129	/* fwmark, if specified */
0be6e7d7 JU	130	if (filter_bm & PBR_FILTER_FWMARK) {
	131	if (!nl_attr_put32(&req->n, buflen, FRA_FWMARK, fwmark))
	132	return 0;
	133	}
2bee7aae	134
01f23aff WC	135	/* dsfield, if specified */
	136	if (filter_bm & PBR_FILTER_DSFIELD)
	137	req->frh.tos = dsfield;
	138
8096bd72 DS	139	/* protocol to match on */
	140	if (filter_bm & PBR_FILTER_IP_PROTOCOL)
	141	nl_attr_put8(&req->n, buflen, FRA_IP_PROTO, ip_protocol);
	142
942bf97b	143	/* Route table to use to forward, if filter criteria matches. */
f62e5480	144	if (table < 256)
99e387d5	145	req->frh.table = table;
942bf97b	146	else {
99e387d5	147	req->frh.table = RT_TABLE_UNSPEC;
0be6e7d7 JU	148	if (!nl_attr_put32(&req->n, buflen, FRA_TABLE, table))
0be6e7d7 JU	149	return 0;
942bf97b	150	}
	151
	152	if (IS_ZEBRA_DEBUG_KERNEL)
fd71d73e	153	zlog_debug(
2dbe669b	154	"Tx %s family %s IF %s Pref %u Fwmark %u Src %pFX Dst %pFX Table %u",
fd71d73e	155	nl_msg_type_to_str(cmd), nl_family_to_str(family),
2dbe669b	156	ifname, priority, fwmark, src_ip, dst_ip, table);
942bf97b	157
99e387d5	158	return NLMSG_ALIGN(req->n.nlmsg_len);
942bf97b	159	}
942bf97b	160
67e3369e JU	161	static ssize_t netlink_rule_msg_encoder(struct zebra_dplane_ctx ctx, void buf,
67e3369e JU	162	size_t buflen)
99e387d5	163	{
67e3369e JU	164	int cmd = RTM_NEWRULE;
	165
	166	if (dplane_ctx_get_op(ctx) == DPLANE_OP_RULE_DELETE)
	167	cmd = RTM_DELRULE;
	168
	169	return netlink_rule_msg_encode(
	170	cmd, ctx, dplane_ctx_rule_get_filter_bm(ctx),
	171	dplane_ctx_rule_get_priority(ctx),
	172	dplane_ctx_rule_get_table(ctx), dplane_ctx_rule_get_src_ip(ctx),
	173	dplane_ctx_rule_get_dst_ip(ctx),
	174	dplane_ctx_rule_get_fwmark(ctx),
8ccbc778 DS	175	dplane_ctx_rule_get_dsfield(ctx),
8ccbc778 DS	176	dplane_ctx_rule_get_ipproto(ctx), buf, buflen);
67e3369e	177	}
99e387d5	178
67e3369e JU	179	static ssize_t netlink_oldrule_msg_encoder(struct zebra_dplane_ctx *ctx,
	180	void *buf, size_t buflen)
	181	{
	182	return netlink_rule_msg_encode(
	183	RTM_DELRULE, ctx, dplane_ctx_rule_get_old_filter_bm(ctx),
	184	dplane_ctx_rule_get_old_priority(ctx),
	185	dplane_ctx_rule_get_old_table(ctx),
	186	dplane_ctx_rule_get_old_src_ip(ctx),
	187	dplane_ctx_rule_get_old_dst_ip(ctx),
	188	dplane_ctx_rule_get_old_fwmark(ctx),
8ccbc778 DS	189	dplane_ctx_rule_get_old_dsfield(ctx),
8ccbc778 DS	190	dplane_ctx_rule_get_old_ipproto(ctx), buf, buflen);
99e387d5	191	}
67e3369e	192
942bf97b	193	/* Public functions */
942bf97b	194
67e3369e JU	195	enum netlink_msg_status
67e3369e JU	196	netlink_put_rule_update_msg(struct nl_batch bth, struct zebra_dplane_ctx ctx)
942bf97b	197	{
f62e5480	198	enum dplane_op_e op;
67e3369e	199	enum netlink_msg_status ret;
f62e5480 JU	200
f62e5480 JU	201	op = dplane_ctx_get_op(ctx);
67e3369e JU	202	if (!(op == DPLANE_OP_RULE_ADD \|\| op == DPLANE_OP_RULE_UPDATE
67e3369e JU	203	\|\| op == DPLANE_OP_RULE_DELETE)) {
f62e5480 JU	204	flog_err(
	205	EC_ZEBRA_PBR_RULE_UPDATE,
	206	"Context received for kernel rule update with incorrect OP code (%u)",
	207	op);
67e3369e	208	return FRR_NETLINK_ERROR;
f62e5480	209	}
3ae327cb	210
67e3369e	211	ret = netlink_batch_add_msg(bth, ctx, netlink_rule_msg_encoder, false);
3ae327cb SW	212
	213	/**
	214	* Delete the old one.
	215	*
	216	* Don't care about this result right?
	217	*/
f62e5480	218	if (op == DPLANE_OP_RULE_UPDATE)
67e3369e JU	219	netlink_batch_add_msg(bth, ctx, netlink_oldrule_msg_encoder,
	220	true);
	221
	222	return ret;
3ae327cb SW	223	}
3ae327cb SW	224
942bf97b	225	/*
	226	* Handle netlink notification informing a rule add or delete.
	227	* Handling of an ADD is TBD.
	228	* DELs are notified up, if other attributes indicate it may be a
	229	* notification of interest. The expectation is that if this corresponds
	230	* to a PBR rule added by FRR, it will be readded.
ab35be75 SW	231	*
	232	* If startup and we see a rule we created, delete it as its leftover
	233	* from a previous instance and should have been removed on shutdown.
	234	*
942bf97b	235	*/
2414abd3	236	int netlink_rule_change(struct nlmsghdr *h, ns_id_t ns_id, int startup)
942bf97b	237	{
	238	struct zebra_ns *zns;
	239	struct fib_rule_hdr *frh;
	240	struct rtattr *tb[FRA_MAX + 1];
	241	int len;
	242	char *ifname;
cc42104c	243	struct zebra_pbr_rule rule = {};
ab35be75	244	uint8_t proto = 0;
8096bd72	245	uint8_t ip_proto = 0;
942bf97b	246
1239b60c DS	247	frrtrace(3, frr_zebra, netlink_rule_change, h, ns_id, startup);
1239b60c DS	248
942bf97b	249	/* Basic validation followed by extracting attributes. */
	250	if (h->nlmsg_type != RTM_NEWRULE && h->nlmsg_type != RTM_DELRULE)
	251	return 0;
	252
942bf97b	253	len = h->nlmsg_len - NLMSG_LENGTH(sizeof(struct fib_rule_hdr));
9bdf8618	254	if (len < 0) {
15569c58 DA	255	zlog_err(
	256	"%s: Message received from netlink is of a broken size: %d %zu",
	257	__func__, h->nlmsg_len,
	258	(size_t)NLMSG_LENGTH(sizeof(struct fib_rule_hdr)));
942bf97b	259	return -1;
9bdf8618	260	}
942bf97b	261
942bf97b	262	frh = NLMSG_DATA(h);
dfbe3a2b	263
8a1b681c	264	if (frh->family != AF_INET && frh->family != AF_INET6) {
dfbe3a2b DS	265	if (frh->family == RTNL_FAMILY_IPMR
	266	\|\| frh->family == RTNL_FAMILY_IP6MR) {
	267	if (IS_ZEBRA_DEBUG_KERNEL)
	268	zlog_debug(
	269	"Received rule netlink that we are ignoring for family %u, rule change: %u",
	270	frh->family, h->nlmsg_type);
	271	return 0;
	272	}
9df414fe	273	flog_warn(
e914ccbe	274	EC_ZEBRA_NETLINK_INVALID_AF,
81227874	275	"Invalid address family: %u received from kernel rule change: %u",
8a1b681c	276	frh->family, h->nlmsg_type);
942bf97b	277	return 0;
8a1b681c	278	}
942bf97b	279	if (frh->action != FR_ACT_TO_TBL)
	280	return 0;
	281
	282	memset(tb, 0, sizeof(tb));
	283	netlink_parse_rtattr(tb, FRA_MAX, RTM_RTA(frh), len);
	284
942bf97b	285	if (tb[FRA_PRIORITY])
5dd0722d	286	rule.rule.priority = (uint32_t )RTA_DATA(tb[FRA_PRIORITY]);
942bf97b	287
	288	if (tb[FRA_SRC]) {
	289	if (frh->family == AF_INET)
5dd0722d	290	memcpy(&rule.rule.filter.src_ip.u.prefix4,
942bf97b	291	RTA_DATA(tb[FRA_SRC]), 4);
942bf97b	292	else
5dd0722d	293	memcpy(&rule.rule.filter.src_ip.u.prefix6,
942bf97b	294	RTA_DATA(tb[FRA_SRC]), 16);
5dd0722d	295	rule.rule.filter.src_ip.prefixlen = frh->src_len;
b6d34c26	296	rule.rule.filter.src_ip.family = frh->family;
5dd0722d	297	rule.rule.filter.filter_bm \|= PBR_FILTER_SRC_IP;
942bf97b	298	}
	299
	300	if (tb[FRA_DST]) {
	301	if (frh->family == AF_INET)
5dd0722d	302	memcpy(&rule.rule.filter.dst_ip.u.prefix4,
942bf97b	303	RTA_DATA(tb[FRA_DST]), 4);
942bf97b	304	else
5dd0722d	305	memcpy(&rule.rule.filter.dst_ip.u.prefix6,
942bf97b	306	RTA_DATA(tb[FRA_DST]), 16);
5dd0722d	307	rule.rule.filter.dst_ip.prefixlen = frh->dst_len;
b6d34c26	308	rule.rule.filter.dst_ip.family = frh->family;
5dd0722d	309	rule.rule.filter.filter_bm \|= PBR_FILTER_DST_IP;
942bf97b	310	}
	311
	312	if (tb[FRA_TABLE])
5dd0722d	313	rule.rule.action.table = (uint32_t )RTA_DATA(tb[FRA_TABLE]);
942bf97b	314	else
5dd0722d	315	rule.rule.action.table = frh->table;
942bf97b	316
ab35be75 SW	317	/* TBD: We don't care about rules not specifying an IIF. */
	318	if (tb[FRA_IFNAME] == NULL)
	319	return 0;
	320
	321	if (tb[FRA_PROTOCOL])
	322	proto = (uint8_t )RTA_DATA(tb[FRA_PROTOCOL]);
	323
8096bd72 DS	324	if (tb[FRA_IP_PROTO])
	325	ip_proto = (uint8_t )RTA_DATA(tb[FRA_IP_PROTO]);
	326
ab35be75 SW	327	ifname = (char *)RTA_DATA(tb[FRA_IFNAME]);
	328	strlcpy(rule.ifname, ifname, sizeof(rule.ifname));
	329
	330	if (h->nlmsg_type == RTM_NEWRULE) {
	331	/*
	332	* If we see a rule at startup we created, delete it now.
	333	* It should have been flushed on a previous shutdown.
	334	*/
	335	if (startup && proto == RTPROT_ZEBRA) {
f62e5480	336	enum zebra_dplane_result ret;
ab35be75	337
f62e5480	338	ret = dplane_pbr_rule_delete(&rule);
ab35be75 SW	339
ab35be75 SW	340	zlog_debug(
8096bd72	341	"%s: %s leftover rule: family %s IF %s Pref %u Src %pFX Dst %pFX Table %u ip-proto: %u",
ab35be75	342	__func__,
f62e5480 JU	343	((ret == ZEBRA_DPLANE_REQUEST_FAILURE)
	344	? "Failed to remove"
	345	: "Removed"),
ab35be75	346	nl_family_to_str(frh->family), rule.ifname,
2dbe669b DA	347	rule.rule.priority, &rule.rule.filter.src_ip,
2dbe669b DA	348	&rule.rule.filter.dst_ip,
8096bd72	349	rule.rule.action.table, ip_proto);
ab35be75 SW	350	}
	351
	352	/* TBD */
	353	return 0;
	354	}
	355
	356	zns = zebra_ns_lookup(ns_id);
	357
	358	/* If we don't know the interface, we don't care. */
	359	if (!if_lookup_by_name_per_ns(zns, ifname))
	360	return 0;
	361
942bf97b	362	if (IS_ZEBRA_DEBUG_KERNEL)
fd71d73e	363	zlog_debug(
8096bd72	364	"Rx %s family %s IF %s Pref %u Src %pFX Dst %pFX Table %u ip-proto: %u",
fd71d73e	365	nl_msg_type_to_str(h->nlmsg_type),
b19d55d0	366	nl_family_to_str(frh->family), rule.ifname,
2dbe669b	367	rule.rule.priority, &rule.rule.filter.src_ip,
8096bd72 DS	368	&rule.rule.filter.dst_ip, rule.rule.action.table,
8096bd72 DS	369	ip_proto);
fd71d73e	370
a0321978	371	return kernel_pbr_rule_del(&rule);
942bf97b	372	}
942bf97b	373
ab35be75 SW	374	/*
	375	* Request rules from the kernel
	376	*/
	377	static int netlink_request_rules(struct zebra_ns *zns, int family, int type)
	378	{
	379	struct {
	380	struct nlmsghdr n;
	381	struct fib_rule_hdr frh;
	382	char buf[NL_PKT_BUF_SIZE];
	383	} req;
	384
	385	memset(&req, 0, sizeof(req));
	386	req.n.nlmsg_type = type;
	387	req.n.nlmsg_flags = NLM_F_ROOT \| NLM_F_MATCH \| NLM_F_REQUEST;
	388	req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct fib_rule_hdr));
	389	req.frh.family = family;
	390
fd3f8e52	391	return netlink_request(&zns->netlink_cmd, &req);
ab35be75 SW	392	}
ab35be75 SW	393
942bf97b	394	/*
942bf97b	395	* Get to know existing PBR rules in the kernel - typically called at startup.
942bf97b	396	*/
	397	int netlink_rules_read(struct zebra_ns *zns)
	398	{
ab35be75 SW	399	int ret;
	400	struct zebra_dplane_info dp_info;
	401
	402	zebra_dplane_info_from_zns(&dp_info, zns, true);
	403
	404	ret = netlink_request_rules(zns, AF_INET, RTM_GETRULE);
	405	if (ret < 0)
	406	return ret;
	407
	408	ret = netlink_parse_info(netlink_rule_change, &zns->netlink_cmd,
9bfadae8	409	&dp_info, 0, true);
ab35be75 SW	410	if (ret < 0)
	411	return ret;
	412
	413	ret = netlink_request_rules(zns, AF_INET6, RTM_GETRULE);
	414	if (ret < 0)
	415	return ret;
	416
	417	ret = netlink_parse_info(netlink_rule_change, &zns->netlink_cmd,
9bfadae8	418	&dp_info, 0, true);
ab35be75	419	return ret;
942bf97b	420	}
	421
	422	#endif /* HAVE_NETLINK */