]> git.proxmox.com Git - mirror_frr.git/blob - zebra/zebra_pbr.c
projects / mirror_frr.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
zebra: flog_warn conversion
[mirror_frr.git] / zebra / zebra_pbr.c
1 /* Zebra Policy Based Routing (PBR) main handling.
2 * Copyright (C) 2018 Cumulus Networks, Inc.
3 *
4 * This file is part of FRR.
5 *
6 * FRR is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2, or (at your option) any
9 * later version.
10 *
11 * FRR is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with FRR; see the file COPYING. If not, write to the Free
18 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
19 * 02111-1307, USA.
20 */
21
22 #include <zebra.h>
23
24 #include <jhash.h>
25 #include <hash.h>
26 #include <memory.h>
27 #include <hook.h>
28
29 #include "zebra/zebra_pbr.h"
30 #include "zebra/rt.h"
31 #include "zebra/zapi_msg.h"
32 #include "zebra/zebra_memory.h"
33 #include "zebra/zserv.h"
34
35 /* definitions */
36 DEFINE_MTYPE_STATIC(ZEBRA, PBR_IPTABLE_IFNAME, "PBR interface list")
37
38 /* definitions */
39 static const struct message ipset_type_msg[] = {
40 {IPSET_NET_PORT_NET, "net,port,net"},
41 {IPSET_NET_PORT, "net,port"},
42 {IPSET_NET_NET, "net,net"},
43 {IPSET_NET, "net"},
44 {0}
45 };
46
47 const struct message icmp_typecode_str[] = {
48 { 0 << 8, "echo-reply"},
49 { 0 << 8, "pong"},
50 { 3 << 8, "network-unreachable"},
51 { (3 << 8) + 1, "host-unreachable"},
52 { (3 << 8) + 2, "protocol-unreachable"},
53 { (3 << 8) + 3, "port-unreachable"},
54 { (3 << 8) + 4, "fragmentation-needed"},
55 { (3 << 8) + 5, "source-route-failed"},
56 { (3 << 8) + 6, "network-unknown"},
57 { (3 << 8) + 7, "host-unknown"},
58 { (3 << 8) + 9, "network-prohibited"},
59 { (3 << 8) + 10, "host-prohibited"},
60 { (3 << 8) + 11, "TOS-network-unreachable"},
61 { (3 << 8) + 12, "TOS-host-unreachable"},
62 { (3 << 8) + 13, "communication-prohibited"},
63 { (3 << 8) + 14, "host-precedence-violation"},
64 { (3 << 8) + 15, "precedence-cutoff"},
65 { 4 << 8, "source-quench"},
66 { 5 << 8, "network-redirect"},
67 { (5 << 8) + 1, "host-redirect"},
68 { (5 << 8) + 2, "TOS-network-redirect"},
69 { (5 << 8) + 3, "TOS-host-redirect"},
70 { 8 << 8, "echo-request"},
71 { 8 << 8, "ping"},
72 { 9 << 8, "router-advertisement"},
73 { 10 << 8, "router-solicitation"},
74 { 11 << 8, "ttl-zero-during-transit"},
75 { (11 << 8) + 1, "ttl-zero-during-reassembly"},
76 { 12 << 8, "ip-header-bad"},
77 { (12 << 8) + 1, "required-option-missing"},
78 { 13 << 8, "timestamp-request"},
79 { 14 << 8, "timestamp-reply"},
80 { 17 << 8, "address-mask-request"},
81 { 18 << 8, "address-mask-reply"},
82 {0}
83 };
84
85 /* definitions */
86 static const struct message tcp_value_str[] = {
87 {TCP_HEADER_FIN, "FIN"},
88 {TCP_HEADER_SYN, "SYN"},
89 {TCP_HEADER_RST, "RST"},
90 {TCP_HEADER_PSH, "PSH"},
91 {TCP_HEADER_ACK, "ACK"},
92 {TCP_HEADER_URG, "URG"},
93 {0}
94 };
95
96 static const struct message fragment_value_str[] = {
97 {1, "dont-fragment"},
98 {2, "is-fragment"},
99 {4, "first-fragment"},
100 {8, "last-fragment"},
101 {0}
102 };
103
104 /* static function declarations */
105 DEFINE_HOOK(zebra_pbr_ipset_entry_wrap_script_get_stat, (struct zebra_ns *zns,
106 struct zebra_pbr_ipset_entry *ipset,
107 uint64_t *pkts, uint64_t *bytes),
108 (zns, ipset, pkts, bytes))
109
110 DEFINE_HOOK(zebra_pbr_iptable_wrap_script_get_stat, (struct zebra_ns *zns,
111 struct zebra_pbr_iptable *iptable,
112 uint64_t *pkts, uint64_t *bytes),
113 (zns, iptable, pkts, bytes))
114
115 DEFINE_HOOK(zebra_pbr_iptable_wrap_script_update, (struct zebra_ns *zns,
116 int cmd,
117 struct zebra_pbr_iptable *iptable),
118 (zns, cmd, iptable));
119
120 DEFINE_HOOK(zebra_pbr_ipset_entry_wrap_script_update, (struct zebra_ns *zns,
121 int cmd,
122 struct zebra_pbr_ipset_entry *ipset),
123 (zns, cmd, ipset));
124
125 DEFINE_HOOK(zebra_pbr_ipset_wrap_script_update, (struct zebra_ns *zns,
126 int cmd,
127 struct zebra_pbr_ipset *ipset),
128 (zns, cmd, ipset));
129
130 /* Private functions */
131
132 /* Public functions */
133 void zebra_pbr_rules_free(void *arg)
134 {
135 struct zebra_pbr_rule *rule;
136
137 rule = (struct zebra_pbr_rule *)arg;
138
139 (void)kernel_del_pbr_rule(rule);
140 XFREE(MTYPE_TMP, rule);
141 }
142
143 uint32_t zebra_pbr_rules_hash_key(void *arg)
144 {
145 struct zebra_pbr_rule *rule;
146 uint32_t key;
147
148 rule = (struct zebra_pbr_rule *)arg;
149 key = jhash_3words(rule->rule.seq, rule->rule.priority,
150 rule->rule.action.table,
151 prefix_hash_key(&rule->rule.filter.src_ip));
152 if (rule->ifp)
153 key = jhash_1word(rule->ifp->ifindex, key);
154 else
155 key = jhash_1word(0, key);
156
157 if (rule->rule.filter.fwmark)
158 key = jhash_1word(rule->rule.filter.fwmark, key);
159 else
160 key = jhash_1word(0, key);
161 return jhash_3words(rule->rule.filter.src_port,
162 rule->rule.filter.dst_port,
163 prefix_hash_key(&rule->rule.filter.dst_ip),
164 jhash_1word(rule->rule.unique, key));
165 }
166
167 int zebra_pbr_rules_hash_equal(const void *arg1, const void *arg2)
168 {
169 const struct zebra_pbr_rule *r1, *r2;
170
171 r1 = (const struct zebra_pbr_rule *)arg1;
172 r2 = (const struct zebra_pbr_rule *)arg2;
173
174 if (r1->rule.seq != r2->rule.seq)
175 return 0;
176
177 if (r1->rule.priority != r2->rule.priority)
178 return 0;
179
180 if (r1->rule.unique != r2->rule.unique)
181 return 0;
182
183 if (r1->rule.action.table != r2->rule.action.table)
184 return 0;
185
186 if (r1->rule.filter.src_port != r2->rule.filter.src_port)
187 return 0;
188
189 if (r1->rule.filter.dst_port != r2->rule.filter.dst_port)
190 return 0;
191
192 if (r1->rule.filter.fwmark != r2->rule.filter.fwmark)
193 return 0;
194
195 if (!prefix_same(&r1->rule.filter.src_ip, &r2->rule.filter.src_ip))
196 return 0;
197
198 if (!prefix_same(&r1->rule.filter.dst_ip, &r2->rule.filter.dst_ip))
199 return 0;
200
201 if (r1->ifp != r2->ifp)
202 return 0;
203
204 return 1;
205 }
206
207 struct pbr_rule_unique_lookup {
208 struct zebra_pbr_rule *rule;
209 uint32_t unique;
210 struct interface *ifp;
211 };
212
213 static int pbr_rule_lookup_unique_walker(struct hash_backet *b, void *data)
214 {
215 struct pbr_rule_unique_lookup *pul = data;
216 struct zebra_pbr_rule *rule = b->data;
217
218 if (pul->unique == rule->rule.unique && pul->ifp == rule->ifp) {
219 pul->rule = rule;
220 return HASHWALK_ABORT;
221 }
222
223 return HASHWALK_CONTINUE;
224 }
225
226 static struct zebra_pbr_rule *pbr_rule_lookup_unique(struct zebra_ns *zns,
227 uint32_t unique,
228 struct interface *ifp)
229 {
230 struct pbr_rule_unique_lookup pul;
231
232 pul.unique = unique;
233 pul.ifp = ifp;
234 pul.rule = NULL;
235 hash_walk(zns->rules_hash, &pbr_rule_lookup_unique_walker, &pul);
236
237 return pul.rule;
238 }
239
240 void zebra_pbr_ipset_free(void *arg)
241 {
242 struct zebra_pbr_ipset *ipset;
243 struct zebra_ns *zns;
244
245 ipset = (struct zebra_pbr_ipset *)arg;
246 if (vrf_is_backend_netns())
247 zns = zebra_ns_lookup(ipset->vrf_id);
248 else
249 zns = zebra_ns_lookup(NS_DEFAULT);
250 hook_call(zebra_pbr_ipset_wrap_script_update,
251 zns, 0, ipset);
252 XFREE(MTYPE_TMP, ipset);
253 }
254
255 uint32_t zebra_pbr_ipset_hash_key(void *arg)
256 {
257 struct zebra_pbr_ipset *ipset = (struct zebra_pbr_ipset *)arg;
258 uint32_t *pnt = (uint32_t *)&ipset->ipset_name;
259
260 return jhash2(pnt, ZEBRA_IPSET_NAME_HASH_SIZE, 0x63ab42de);
261 }
262
263 int zebra_pbr_ipset_hash_equal(const void *arg1, const void *arg2)
264 {
265 const struct zebra_pbr_ipset *r1, *r2;
266
267 r1 = (const struct zebra_pbr_ipset *)arg1;
268 r2 = (const struct zebra_pbr_ipset *)arg2;
269
270 if (r1->type != r2->type)
271 return 0;
272 if (r1->unique != r2->unique)
273 return 0;
274 if (strncmp(r1->ipset_name, r2->ipset_name,
275 ZEBRA_IPSET_NAME_SIZE))
276 return 0;
277 return 1;
278 }
279
280 void zebra_pbr_ipset_entry_free(void *arg)
281 {
282 struct zebra_pbr_ipset_entry *ipset;
283 struct zebra_ns *zns;
284
285 ipset = (struct zebra_pbr_ipset_entry *)arg;
286 if (ipset->backpointer && vrf_is_backend_netns()) {
287 struct zebra_pbr_ipset *ips = ipset->backpointer;
288
289 zns = zebra_ns_lookup((ns_id_t)ips->vrf_id);
290 } else
291 zns = zebra_ns_lookup(NS_DEFAULT);
292 hook_call(zebra_pbr_ipset_entry_wrap_script_update,
293 zns, 0, ipset);
294
295 XFREE(MTYPE_TMP, ipset);
296 }
297
298 uint32_t zebra_pbr_ipset_entry_hash_key(void *arg)
299 {
300 struct zebra_pbr_ipset_entry *ipset;
301 uint32_t key;
302
303 ipset = (struct zebra_pbr_ipset_entry *)arg;
304 key = prefix_hash_key(&ipset->src);
305 key = jhash_1word(ipset->unique, key);
306 key = jhash_1word(prefix_hash_key(&ipset->dst), key);
307 key = jhash(&ipset->dst_port_min, 2, key);
308 key = jhash(&ipset->dst_port_max, 2, key);
309 key = jhash(&ipset->src_port_min, 2, key);
310 key = jhash(&ipset->src_port_max, 2, key);
311 key = jhash(&ipset->proto, 1, key);
312
313 return key;
314 }
315
316 int zebra_pbr_ipset_entry_hash_equal(const void *arg1, const void *arg2)
317 {
318 const struct zebra_pbr_ipset_entry *r1, *r2;
319
320 r1 = (const struct zebra_pbr_ipset_entry *)arg1;
321 r2 = (const struct zebra_pbr_ipset_entry *)arg2;
322
323 if (r1->unique != r2->unique)
324 return 0;
325
326 if (!prefix_same(&r1->src, &r2->src))
327 return 0;
328
329 if (!prefix_same(&r1->dst, &r2->dst))
330 return 0;
331
332 if (r1->src_port_min != r2->src_port_min)
333 return 0;
334
335 if (r1->src_port_max != r2->src_port_max)
336 return 0;
337
338 if (r1->dst_port_min != r2->dst_port_min)
339 return 0;
340
341 if (r1->dst_port_max != r2->dst_port_max)
342 return 0;
343
344 if (r1->proto != r2->proto)
345 return 0;
346 return 1;
347 }
348
349 void zebra_pbr_iptable_free(void *arg)
350 {
351 struct zebra_pbr_iptable *iptable;
352 struct listnode *node, *nnode;
353 char *name;
354 struct zebra_ns *zns;
355
356 iptable = (struct zebra_pbr_iptable *)arg;
357 if (vrf_is_backend_netns())
358 zns = zebra_ns_lookup((ns_id_t)iptable->vrf_id);
359 else
360 zns = zebra_ns_lookup(NS_DEFAULT);
361 hook_call(zebra_pbr_iptable_wrap_script_update,
362 zns, 0, iptable);
363
364 for (ALL_LIST_ELEMENTS(iptable->interface_name_list,
365 node, nnode, name)) {
366 XFREE(MTYPE_PBR_IPTABLE_IFNAME, name);
367 list_delete_node(iptable->interface_name_list,
368 node);
369 }
370 XFREE(MTYPE_TMP, iptable);
371 }
372
373 uint32_t zebra_pbr_iptable_hash_key(void *arg)
374 {
375 struct zebra_pbr_iptable *iptable = (struct zebra_pbr_iptable *)arg;
376 uint32_t *pnt = (uint32_t *)&(iptable->ipset_name);
377 uint32_t key;
378
379 key = jhash2(pnt, ZEBRA_IPSET_NAME_HASH_SIZE,
380 0x63ab42de);
381 key = jhash_1word(iptable->fwmark, key);
382 key = jhash_1word(iptable->pkt_len_min, key);
383 key = jhash_1word(iptable->pkt_len_max, key);
384 key = jhash_1word(iptable->tcp_flags, key);
385 key = jhash_1word(iptable->tcp_mask_flags, key);
386 key = jhash_1word(iptable->dscp_value, key);
387 key = jhash_1word(iptable->fragment, key);
388 return jhash_3words(iptable->filter_bm, iptable->type,
389 iptable->unique, key);
390 }
391
392 int zebra_pbr_iptable_hash_equal(const void *arg1, const void *arg2)
393 {
394 const struct zebra_pbr_iptable *r1, *r2;
395
396 r1 = (const struct zebra_pbr_iptable *)arg1;
397 r2 = (const struct zebra_pbr_iptable *)arg2;
398
399 if (r1->type != r2->type)
400 return 0;
401 if (r1->unique != r2->unique)
402 return 0;
403 if (r1->filter_bm != r2->filter_bm)
404 return 0;
405 if (r1->fwmark != r2->fwmark)
406 return 0;
407 if (r1->action != r2->action)
408 return 0;
409 if (strncmp(r1->ipset_name, r2->ipset_name,
410 ZEBRA_IPSET_NAME_SIZE))
411 return 0;
412 if (r1->pkt_len_min != r2->pkt_len_min)
413 return 0;
414 if (r1->pkt_len_max != r2->pkt_len_max)
415 return 0;
416 if (r1->tcp_flags != r2->tcp_flags)
417 return 0;
418 if (r1->tcp_mask_flags != r2->tcp_mask_flags)
419 return 0;
420 if (r1->dscp_value != r2->dscp_value)
421 return 0;
422 if (r1->fragment != r2->fragment)
423 return 0;
424 return 1;
425 }
426
427 static void *pbr_rule_alloc_intern(void *arg)
428 {
429 struct zebra_pbr_rule *zpr;
430 struct zebra_pbr_rule *new;
431
432 zpr = (struct zebra_pbr_rule *)arg;
433
434 new = XCALLOC(MTYPE_TMP, sizeof(*new));
435
436 memcpy(new, zpr, sizeof(*zpr));
437
438 return new;
439 }
440
441 void zebra_pbr_add_rule(struct zebra_ns *zns, struct zebra_pbr_rule *rule)
442 {
443 struct zebra_pbr_rule *unique =
444 pbr_rule_lookup_unique(zns, rule->rule.unique, rule->ifp);
445
446 (void)hash_get(zns->rules_hash, rule, pbr_rule_alloc_intern);
447 (void)kernel_add_pbr_rule(rule);
448 /*
449 * Rule Replace semantics, if we have an old, install the
450 * new rule, look above, and then delete the old
451 */
452 if (unique)
453 zebra_pbr_del_rule(zns, unique);
454 }
455
456 void zebra_pbr_del_rule(struct zebra_ns *zns, struct zebra_pbr_rule *rule)
457 {
458 struct zebra_pbr_rule *lookup;
459
460 lookup = hash_lookup(zns->rules_hash, rule);
461 (void)kernel_del_pbr_rule(rule);
462
463 if (lookup) {
464 hash_release(zns->rules_hash, lookup);
465 XFREE(MTYPE_TMP, lookup);
466 } else
467 zlog_debug("%s: Rule being deleted we know nothing about",
468 __PRETTY_FUNCTION__);
469 }
470
471 static void zebra_pbr_cleanup_rules(struct hash_backet *b, void *data)
472 {
473 struct zebra_ns *zns = zebra_ns_lookup(NS_DEFAULT);
474 struct zebra_pbr_rule *rule = b->data;
475 int *sock = data;
476
477 if (rule->sock == *sock) {
478 (void)kernel_del_pbr_rule(rule);
479 hash_release(zns->rules_hash, rule);
480 XFREE(MTYPE_TMP, rule);
481 }
482 }
483
484 static void zebra_pbr_cleanup_ipset(struct hash_backet *b, void *data)
485 {
486 struct zebra_ns *zns = zebra_ns_lookup(NS_DEFAULT);
487 struct zebra_pbr_ipset *ipset = b->data;
488 int *sock = data;
489
490 if (ipset->sock == *sock) {
491 hook_call(zebra_pbr_ipset_wrap_script_update,
492 zns, 0, ipset);
493 hash_release(zns->ipset_hash, ipset);
494 }
495 }
496
497 static void zebra_pbr_cleanup_ipset_entry(struct hash_backet *b, void *data)
498 {
499 struct zebra_ns *zns = zebra_ns_lookup(NS_DEFAULT);
500 struct zebra_pbr_ipset_entry *ipset = b->data;
501 int *sock = data;
502
503 if (ipset->sock == *sock) {
504 hook_call(zebra_pbr_ipset_entry_wrap_script_update,
505 zns, 0, ipset);
506 hash_release(zns->ipset_entry_hash, ipset);
507 }
508 }
509
510 static void zebra_pbr_cleanup_iptable(struct hash_backet *b, void *data)
511 {
512 struct zebra_ns *zns = zebra_ns_lookup(NS_DEFAULT);
513 struct zebra_pbr_iptable *iptable = b->data;
514 int *sock = data;
515
516 if (iptable->sock == *sock) {
517 hook_call(zebra_pbr_iptable_wrap_script_update,
518 zns, 0, iptable);
519 hash_release(zns->iptable_hash, iptable);
520 }
521 }
522
523 static int zebra_pbr_client_close_cleanup(struct zserv *client)
524 {
525 int sock = client->sock;
526 struct zebra_ns *zns = zebra_ns_lookup(NS_DEFAULT);
527
528 if (!sock)
529 return 0;
530 hash_iterate(zns->rules_hash, zebra_pbr_cleanup_rules, &sock);
531 hash_iterate(zns->iptable_hash,
532 zebra_pbr_cleanup_iptable, &sock);
533 hash_iterate(zns->ipset_entry_hash,
534 zebra_pbr_cleanup_ipset_entry, &sock);
535 hash_iterate(zns->ipset_hash,
536 zebra_pbr_cleanup_ipset, &sock);
537 return 1;
538 }
539
540 void zebra_pbr_init(void)
541 {
542 hook_register(zserv_client_close, zebra_pbr_client_close_cleanup);
543 }
544
545 static void *pbr_ipset_alloc_intern(void *arg)
546 {
547 struct zebra_pbr_ipset *zpi;
548 struct zebra_pbr_ipset *new;
549
550 zpi = (struct zebra_pbr_ipset *)arg;
551
552 new = XCALLOC(MTYPE_TMP, sizeof(struct zebra_pbr_ipset));
553
554 memcpy(new, zpi, sizeof(*zpi));
555
556 return new;
557 }
558
559 void zebra_pbr_create_ipset(struct zebra_ns *zns,
560 struct zebra_pbr_ipset *ipset)
561 {
562 int ret;
563
564 (void)hash_get(zns->ipset_hash, ipset, pbr_ipset_alloc_intern);
565 ret = hook_call(zebra_pbr_ipset_wrap_script_update,
566 zns, 1, ipset);
567 kernel_pbr_ipset_add_del_status(ipset,
568 ret ? DP_INSTALL_SUCCESS
569 : DP_INSTALL_FAILURE);
570 }
571
572 void zebra_pbr_destroy_ipset(struct zebra_ns *zns,
573 struct zebra_pbr_ipset *ipset)
574 {
575 struct zebra_pbr_ipset *lookup;
576
577 lookup = hash_lookup(zns->ipset_hash, ipset);
578 hook_call(zebra_pbr_ipset_wrap_script_update,
579 zns, 0, ipset);
580 if (lookup) {
581 hash_release(zns->ipset_hash, lookup);
582 XFREE(MTYPE_TMP, lookup);
583 } else
584 zlog_debug(
585 "%s: IPSet Entry being deleted we know nothing about",
586 __PRETTY_FUNCTION__);
587 }
588
589 struct pbr_ipset_name_lookup {
590 struct zebra_pbr_ipset *ipset;
591 char ipset_name[ZEBRA_IPSET_NAME_SIZE];
592 };
593
594 const char *zebra_pbr_ipset_type2str(uint32_t type)
595 {
596 return lookup_msg(ipset_type_msg, type,
597 "Unrecognized IPset Type");
598 }
599
600 static int zebra_pbr_ipset_pername_walkcb(struct hash_backet *backet, void *arg)
601 {
602 struct pbr_ipset_name_lookup *pinl =
603 (struct pbr_ipset_name_lookup *)arg;
604 struct zebra_pbr_ipset *zpi = (struct zebra_pbr_ipset *)backet->data;
605
606 if (!strncmp(pinl->ipset_name, zpi->ipset_name,
607 ZEBRA_IPSET_NAME_SIZE)) {
608 pinl->ipset = zpi;
609 return HASHWALK_ABORT;
610 }
611 return HASHWALK_CONTINUE;
612 }
613
614 struct zebra_pbr_ipset *zebra_pbr_lookup_ipset_pername(struct zebra_ns *zns,
615 char *ipsetname)
616 {
617 struct pbr_ipset_name_lookup pinl;
618 struct pbr_ipset_name_lookup *ptr = &pinl;
619
620 if (!ipsetname)
621 return NULL;
622 memset(ptr, 0, sizeof(struct pbr_ipset_name_lookup));
623 snprintf((char *)ptr->ipset_name, ZEBRA_IPSET_NAME_SIZE, "%s",
624 ipsetname);
625 hash_walk(zns->ipset_hash, zebra_pbr_ipset_pername_walkcb, ptr);
626 return ptr->ipset;
627 }
628
629 static void *pbr_ipset_entry_alloc_intern(void *arg)
630 {
631 struct zebra_pbr_ipset_entry *zpi;
632 struct zebra_pbr_ipset_entry *new;
633
634 zpi = (struct zebra_pbr_ipset_entry *)arg;
635
636 new = XCALLOC(MTYPE_TMP, sizeof(struct zebra_pbr_ipset_entry));
637
638 memcpy(new, zpi, sizeof(*zpi));
639
640 return new;
641 }
642
643 void zebra_pbr_add_ipset_entry(struct zebra_ns *zns,
644 struct zebra_pbr_ipset_entry *ipset)
645 {
646 int ret;
647
648 (void)hash_get(zns->ipset_entry_hash, ipset,
649 pbr_ipset_entry_alloc_intern);
650 ret = hook_call(zebra_pbr_ipset_entry_wrap_script_update,
651 zns, 1, ipset);
652 kernel_pbr_ipset_entry_add_del_status(ipset,
653 ret ? DP_INSTALL_SUCCESS
654 : DP_INSTALL_FAILURE);
655 }
656
657 void zebra_pbr_del_ipset_entry(struct zebra_ns *zns,
658 struct zebra_pbr_ipset_entry *ipset)
659 {
660 struct zebra_pbr_ipset_entry *lookup;
661
662 lookup = hash_lookup(zns->ipset_entry_hash, ipset);
663 hook_call(zebra_pbr_ipset_entry_wrap_script_update,
664 zns, 0, ipset);
665 if (lookup) {
666 hash_release(zns->ipset_entry_hash, lookup);
667 XFREE(MTYPE_TMP, lookup);
668 } else
669 zlog_debug("%s: IPSet being deleted we know nothing about",
670 __PRETTY_FUNCTION__);
671 }
672
673 static void *pbr_iptable_alloc_intern(void *arg)
674 {
675 struct zebra_pbr_iptable *zpi;
676 struct zebra_pbr_iptable *new;
677
678 zpi = (struct zebra_pbr_iptable *)arg;
679
680 new = XCALLOC(MTYPE_TMP, sizeof(struct zebra_pbr_iptable));
681
682 memcpy(new, zpi, sizeof(*zpi));
683
684 return new;
685 }
686
687 void zebra_pbr_add_iptable(struct zebra_ns *zns,
688 struct zebra_pbr_iptable *iptable)
689 {
690 int ret;
691
692 (void)hash_get(zns->iptable_hash, iptable,
693 pbr_iptable_alloc_intern);
694 ret = hook_call(zebra_pbr_iptable_wrap_script_update, zns, 1, iptable);
695 kernel_pbr_iptable_add_del_status(iptable,
696 ret ? DP_INSTALL_SUCCESS
697 : DP_INSTALL_FAILURE);
698 }
699
700 void zebra_pbr_del_iptable(struct zebra_ns *zns,
701 struct zebra_pbr_iptable *iptable)
702 {
703 struct zebra_pbr_iptable *lookup;
704
705 lookup = hash_lookup(zns->iptable_hash, iptable);
706 hook_call(zebra_pbr_iptable_wrap_script_update, zns, 0, iptable);
707 if (lookup) {
708 struct listnode *node, *nnode;
709 char *name;
710
711 hash_release(zns->iptable_hash, lookup);
712 for (ALL_LIST_ELEMENTS(iptable->interface_name_list,
713 node, nnode, name)) {
714 XFREE(MTYPE_PBR_IPTABLE_IFNAME, name);
715 list_delete_node(iptable->interface_name_list,
716 node);
717 }
718 XFREE(MTYPE_TMP, lookup);
719 } else
720 zlog_debug("%s: IPTable being deleted we know nothing about",
721 __PRETTY_FUNCTION__);
722 }
723
724 /*
725 * Handle success or failure of rule (un)install in the kernel.
726 */
727 void kernel_pbr_rule_add_del_status(struct zebra_pbr_rule *rule,
728 enum dp_results res)
729 {
730 switch (res) {
731 case DP_INSTALL_SUCCESS:
732 zsend_rule_notify_owner(rule, ZAPI_RULE_INSTALLED);
733 break;
734 case DP_INSTALL_FAILURE:
735 zsend_rule_notify_owner(rule, ZAPI_RULE_FAIL_INSTALL);
736 break;
737 case DP_DELETE_SUCCESS:
738 zsend_rule_notify_owner(rule, ZAPI_RULE_REMOVED);
739 break;
740 case DP_DELETE_FAILURE:
741 zsend_rule_notify_owner(rule, ZAPI_RULE_FAIL_REMOVE);
742 break;
743 }
744 }
745
746 /*
747 * Handle success or failure of ipset (un)install in the kernel.
748 */
749 void kernel_pbr_ipset_add_del_status(struct zebra_pbr_ipset *ipset,
750 enum dp_results res)
751 {
752 switch (res) {
753 case DP_INSTALL_SUCCESS:
754 zsend_ipset_notify_owner(ipset, ZAPI_IPSET_INSTALLED);
755 break;
756 case DP_INSTALL_FAILURE:
757 zsend_ipset_notify_owner(ipset, ZAPI_IPSET_FAIL_INSTALL);
758 break;
759 case DP_DELETE_SUCCESS:
760 zsend_ipset_notify_owner(ipset, ZAPI_IPSET_REMOVED);
761 break;
762 case DP_DELETE_FAILURE:
763 zsend_ipset_notify_owner(ipset, ZAPI_IPSET_FAIL_REMOVE);
764 break;
765 }
766 }
767
768 /*
769 * Handle success or failure of ipset (un)install in the kernel.
770 */
771 void kernel_pbr_ipset_entry_add_del_status(
772 struct zebra_pbr_ipset_entry *ipset,
773 enum dp_results res)
774 {
775 switch (res) {
776 case DP_INSTALL_SUCCESS:
777 zsend_ipset_entry_notify_owner(ipset,
778 ZAPI_IPSET_ENTRY_INSTALLED);
779 break;
780 case DP_INSTALL_FAILURE:
781 zsend_ipset_entry_notify_owner(ipset,
782 ZAPI_IPSET_ENTRY_FAIL_INSTALL);
783 break;
784 case DP_DELETE_SUCCESS:
785 zsend_ipset_entry_notify_owner(ipset,
786 ZAPI_IPSET_ENTRY_REMOVED);
787 break;
788 case DP_DELETE_FAILURE:
789 zsend_ipset_entry_notify_owner(ipset,
790 ZAPI_IPSET_ENTRY_FAIL_REMOVE);
791 break;
792 }
793 }
794
795 /*
796 * Handle success or failure of ipset (un)install in the kernel.
797 */
798 void kernel_pbr_iptable_add_del_status(struct zebra_pbr_iptable *iptable,
799 enum dp_results res)
800 {
801 switch (res) {
802 case DP_INSTALL_SUCCESS:
803 zsend_iptable_notify_owner(iptable, ZAPI_IPTABLE_INSTALLED);
804 break;
805 case DP_INSTALL_FAILURE:
806 zsend_iptable_notify_owner(iptable, ZAPI_IPTABLE_FAIL_INSTALL);
807 break;
808 case DP_DELETE_SUCCESS:
809 zsend_iptable_notify_owner(iptable,
810 ZAPI_IPTABLE_REMOVED);
811 break;
812 case DP_DELETE_FAILURE:
813 zsend_iptable_notify_owner(iptable,
814 ZAPI_IPTABLE_FAIL_REMOVE);
815 break;
816 }
817 }
818
819 /*
820 * Handle rule delete notification from kernel.
821 */
822 int kernel_pbr_rule_del(struct zebra_pbr_rule *rule)
823 {
824 return 0;
825 }
826
827 struct zebra_pbr_ipset_entry_unique_display {
828 struct zebra_pbr_ipset *zpi;
829 struct vty *vty;
830 struct zebra_ns *zns;
831 };
832
833 struct zebra_pbr_env_display {
834 struct zebra_ns *zns;
835 struct vty *vty;
836 char *name;
837 };
838
839 static const char *zebra_pbr_prefix2str(union prefixconstptr pu,
840 char *str, int size)
841 {
842 const struct prefix *p = pu.p;
843 char buf[PREFIX2STR_BUFFER];
844
845 if (p->family == AF_INET && p->prefixlen == IPV4_MAX_PREFIXLEN) {
846 snprintf(str, size, "%s", inet_ntop(p->family, &p->u.prefix,
847 buf, PREFIX2STR_BUFFER));
848 return str;
849 }
850 return prefix2str(pu, str, size);
851 }
852
853 static void zebra_pbr_display_icmp(struct vty *vty,
854 struct zebra_pbr_ipset_entry *zpie)
855 {
856 char decoded_str[20];
857 uint16_t port;
858
859 /* range icmp type */
860 if (zpie->src_port_max || zpie->dst_port_max) {
861 vty_out(vty, ":icmp:[type <%d:%d>;code <%d:%d>",
862 zpie->src_port_min, zpie->src_port_max,
863 zpie->dst_port_min, zpie->dst_port_max);
864 } else {
865 port = ((zpie->src_port_min << 8) & 0xff00) +
866 (zpie->dst_port_min & 0xff);
867 memset(decoded_str, 0, sizeof(decoded_str));
868 sprintf(decoded_str, "%d/%d",
869 zpie->src_port_min,
870 zpie->dst_port_min);
871 vty_out(vty, ":icmp:%s",
872 lookup_msg(icmp_typecode_str,
873 port, decoded_str));
874 }
875 }
876
877 static void zebra_pbr_display_port(struct vty *vty, uint32_t filter_bm,
878 uint16_t port_min, uint16_t port_max,
879 uint8_t proto)
880 {
881 if (!(filter_bm & PBR_FILTER_PROTO)) {
882 if (port_max)
883 vty_out(vty, ":udp/tcp:%d-%d",
884 port_min, port_max);
885 else
886 vty_out(vty, ":udp/tcp:%d",
887 port_min);
888 } else {
889 if (port_max)
890 vty_out(vty, ":proto %d:%d-%d",
891 proto, port_min, port_max);
892 else
893 vty_out(vty, ":proto %d:%d",
894 proto, port_min);
895 }
896 }
897
898 static int zebra_pbr_show_ipset_entry_walkcb(struct hash_backet *backet,
899 void *arg)
900 {
901 struct zebra_pbr_ipset_entry_unique_display *unique =
902 (struct zebra_pbr_ipset_entry_unique_display *)arg;
903 struct zebra_pbr_ipset *zpi = unique->zpi;
904 struct vty *vty = unique->vty;
905 struct zebra_pbr_ipset_entry *zpie =
906 (struct zebra_pbr_ipset_entry *)backet->data;
907 uint64_t pkts = 0, bytes = 0;
908 struct zebra_ns *zns = unique->zns;
909 int ret = 0;
910
911 if (zpie->backpointer != zpi)
912 return HASHWALK_CONTINUE;
913
914 if ((zpi->type == IPSET_NET_NET) ||
915 (zpi->type == IPSET_NET_PORT_NET)) {
916 char buf[PREFIX_STRLEN];
917
918 zebra_pbr_prefix2str(&(zpie->src), buf, sizeof(buf));
919 vty_out(vty, "\tfrom %s", buf);
920 if (zpie->filter_bm & PBR_FILTER_SRC_PORT &&
921 zpie->proto != IPPROTO_ICMP)
922 zebra_pbr_display_port(vty, zpie->filter_bm,
923 zpie->src_port_min,
924 zpie->src_port_max,
925 zpie->proto);
926 vty_out(vty, " to ");
927 zebra_pbr_prefix2str(&(zpie->dst), buf, sizeof(buf));
928 vty_out(vty, "%s", buf);
929 if (zpie->filter_bm & PBR_FILTER_DST_PORT &&
930 zpie->proto != IPPROTO_ICMP)
931 zebra_pbr_display_port(vty, zpie->filter_bm,
932 zpie->dst_port_min,
933 zpie->dst_port_max,
934 zpie->proto);
935 if (zpie->proto == IPPROTO_ICMP)
936 zebra_pbr_display_icmp(vty, zpie);
937 } else if ((zpi->type == IPSET_NET) ||
938 (zpi->type == IPSET_NET_PORT)) {
939 char buf[PREFIX_STRLEN];
940
941 if (zpie->filter_bm & PBR_FILTER_SRC_IP) {
942 zebra_pbr_prefix2str(&(zpie->src), buf, sizeof(buf));
943 vty_out(vty, "\tfrom %s", buf);
944 }
945 if (zpie->filter_bm & PBR_FILTER_SRC_PORT &&
946 zpie->proto != IPPROTO_ICMP)
947 zebra_pbr_display_port(vty, zpie->filter_bm,
948 zpie->src_port_min,
949 zpie->src_port_max,
950 zpie->proto);
951 if (zpie->filter_bm & PBR_FILTER_DST_IP) {
952 zebra_pbr_prefix2str(&(zpie->dst), buf, sizeof(buf));
953 vty_out(vty, "\tto %s", buf);
954 }
955 if (zpie->filter_bm & PBR_FILTER_DST_PORT &&
956 zpie->proto != IPPROTO_ICMP)
957 zebra_pbr_display_port(vty, zpie->filter_bm,
958 zpie->dst_port_min,
959 zpie->dst_port_max,
960 zpie->proto);
961 if (zpie->proto == IPPROTO_ICMP)
962 zebra_pbr_display_icmp(vty, zpie);
963 }
964 vty_out(vty, " (%u)\n", zpie->unique);
965
966 ret = hook_call(zebra_pbr_ipset_entry_wrap_script_get_stat,
967 zns, zpie, &pkts, &bytes);
968 if (ret && pkts > 0)
969 vty_out(vty, "\t pkts %" PRIu64 ", bytes %" PRIu64"\n",
970 pkts, bytes);
971 return HASHWALK_CONTINUE;
972 }
973
974 static int zebra_pbr_show_ipset_walkcb(struct hash_backet *backet, void *arg)
975 {
976 struct zebra_pbr_env_display *uniqueipset =
977 (struct zebra_pbr_env_display *)arg;
978 struct zebra_pbr_ipset *zpi = (struct zebra_pbr_ipset *)backet->data;
979 struct zebra_pbr_ipset_entry_unique_display unique;
980 struct vty *vty = uniqueipset->vty;
981 struct zebra_ns *zns = uniqueipset->zns;
982
983 vty_out(vty, "IPset %s type %s\n", zpi->ipset_name,
984 zebra_pbr_ipset_type2str(zpi->type));
985 unique.vty = vty;
986 unique.zpi = zpi;
987 unique.zns = zns;
988 hash_walk(zns->ipset_entry_hash, zebra_pbr_show_ipset_entry_walkcb,
989 &unique);
990 vty_out(vty, "\n");
991 return HASHWALK_CONTINUE;
992 }
993
994 size_t zebra_pbr_tcpflags_snprintf(char *buffer, size_t len,
995 uint16_t tcp_val)
996 {
997 size_t len_written = 0;
998 static struct message nt = {0};
999 const struct message *pnt;
1000 int incr = 0;
1001
1002 for (pnt = tcp_value_str;
1003 memcmp(pnt, &nt, sizeof(struct message)); pnt++)
1004 if (pnt->key & tcp_val) {
1005 len_written += snprintf(buffer + len_written,
1006 len - len_written,
1007 "%s%s", incr ?
1008 ",":"", pnt->str);
1009 incr++;
1010 }
1011 return len_written;
1012 }
1013
1014 /*
1015 */
1016 void zebra_pbr_show_ipset_list(struct vty *vty, char *ipsetname)
1017 {
1018 struct zebra_pbr_ipset *zpi;
1019 struct zebra_ns *zns = zebra_ns_lookup(NS_DEFAULT);
1020 struct zebra_pbr_ipset_entry_unique_display unique;
1021 struct zebra_pbr_env_display uniqueipset;
1022
1023 if (ipsetname) {
1024 zpi = zebra_pbr_lookup_ipset_pername(zns, ipsetname);
1025 if (!zpi) {
1026 vty_out(vty, "No IPset %s found\n", ipsetname);
1027 return;
1028 }
1029 vty_out(vty, "IPset %s type %s\n", ipsetname,
1030 zebra_pbr_ipset_type2str(zpi->type));
1031
1032 unique.vty = vty;
1033 unique.zpi = zpi;
1034 unique.zns = zns;
1035 hash_walk(zns->ipset_entry_hash,
1036 zebra_pbr_show_ipset_entry_walkcb,
1037 &unique);
1038 return;
1039 }
1040 uniqueipset.zns = zns;
1041 uniqueipset.vty = vty;
1042 uniqueipset.name = NULL;
1043 hash_walk(zns->ipset_hash, zebra_pbr_show_ipset_walkcb,
1044 &uniqueipset);
1045 }
1046
1047 struct pbr_rule_fwmark_lookup {
1048 struct zebra_pbr_rule *ptr;
1049 uint32_t fwmark;
1050 };
1051
1052 static int zebra_pbr_rule_lookup_fwmark_walkcb(struct hash_backet *backet,
1053 void *arg)
1054 {
1055 struct pbr_rule_fwmark_lookup *iprule =
1056 (struct pbr_rule_fwmark_lookup *)arg;
1057 struct zebra_pbr_rule *zpr = (struct zebra_pbr_rule *)backet->data;
1058
1059 if (iprule->fwmark == zpr->rule.filter.fwmark) {
1060 iprule->ptr = zpr;
1061 return HASHWALK_ABORT;
1062 }
1063 return HASHWALK_CONTINUE;
1064 }
1065
1066 static void zebra_pbr_show_iptable_unit(struct zebra_pbr_iptable *iptable,
1067 struct vty *vty,
1068 struct zebra_ns *zns)
1069 {
1070 int ret;
1071 uint64_t pkts = 0, bytes = 0;
1072
1073 vty_out(vty, "IPtable %s action %s (%u)\n", iptable->ipset_name,
1074 iptable->action == ZEBRA_IPTABLES_DROP ? "drop" : "redirect",
1075 iptable->unique);
1076 if (iptable->type == IPSET_NET_PORT ||
1077 iptable->type == IPSET_NET_PORT_NET) {
1078 if (!(iptable->filter_bm & MATCH_ICMP_SET)) {
1079 if (iptable->filter_bm & PBR_FILTER_DST_PORT)
1080 vty_out(vty, "\t lookup dst port\n");
1081 else if (iptable->filter_bm & PBR_FILTER_SRC_PORT)
1082 vty_out(vty, "\t lookup src port\n");
1083 }
1084 }
1085 if (iptable->pkt_len_min || iptable->pkt_len_max) {
1086 if (!iptable->pkt_len_max)
1087 vty_out(vty, "\t pkt len %u\n",
1088 iptable->pkt_len_min);
1089 else
1090 vty_out(vty, "\t pkt len [%u;%u]\n",
1091 iptable->pkt_len_min,
1092 iptable->pkt_len_max);
1093 }
1094 if (iptable->tcp_flags || iptable->tcp_mask_flags) {
1095 char tcp_flag_str[64];
1096 char tcp_flag_mask_str[64];
1097
1098 zebra_pbr_tcpflags_snprintf(tcp_flag_str,
1099 sizeof(tcp_flag_str),
1100 iptable->tcp_flags);
1101 zebra_pbr_tcpflags_snprintf(tcp_flag_mask_str,
1102 sizeof(tcp_flag_mask_str),
1103 iptable->tcp_mask_flags);
1104 vty_out(vty, "\t tcpflags [%s/%s]\n",
1105 tcp_flag_str, tcp_flag_mask_str);
1106 }
1107 if (iptable->filter_bm & (MATCH_DSCP_SET | MATCH_DSCP_INVERSE_SET)) {
1108 vty_out(vty, "\t dscp %s %d\n",
1109 iptable->filter_bm & MATCH_DSCP_INVERSE_SET ?
1110 "not" : "", iptable->dscp_value);
1111 }
1112 if (iptable->fragment) {
1113 char val_str[10];
1114
1115 sprintf(val_str, "%d", iptable->fragment);
1116 vty_out(vty, "\t fragment%s %s\n",
1117 iptable->filter_bm & MATCH_FRAGMENT_INVERSE_SET ?
1118 " not" : "", lookup_msg(fragment_value_str,
1119 iptable->fragment, val_str));
1120 }
1121 ret = hook_call(zebra_pbr_iptable_wrap_script_get_stat,
1122 zns, iptable, &pkts, &bytes);
1123 if (ret && pkts > 0)
1124 vty_out(vty, "\t pkts %" PRIu64 ", bytes %" PRIu64"\n",
1125 pkts, bytes);
1126 if (iptable->action != ZEBRA_IPTABLES_DROP) {
1127 struct pbr_rule_fwmark_lookup prfl;
1128
1129 prfl.fwmark = iptable->fwmark;
1130 prfl.ptr = NULL;
1131 hash_walk(zns->rules_hash,
1132 &zebra_pbr_rule_lookup_fwmark_walkcb, &prfl);
1133 if (prfl.ptr) {
1134 struct zebra_pbr_rule *zpr = prfl.ptr;
1135
1136 vty_out(vty, "\t table %u, fwmark %u\n",
1137 zpr->rule.action.table,
1138 prfl.fwmark);
1139 }
1140 }
1141 }
1142
1143 static int zebra_pbr_show_iptable_walkcb(struct hash_backet *backet, void *arg)
1144 {
1145 struct zebra_pbr_iptable *iptable =
1146 (struct zebra_pbr_iptable *)backet->data;
1147 struct zebra_pbr_env_display *env = (struct zebra_pbr_env_display *)arg;
1148 struct vty *vty = env->vty;
1149 struct zebra_ns *zns = env->zns;
1150 char *iptable_name = env->name;
1151
1152 if (!iptable_name)
1153 zebra_pbr_show_iptable_unit(iptable, vty, zns);
1154 else if (!strncmp(iptable_name,
1155 iptable->ipset_name,
1156 ZEBRA_IPSET_NAME_SIZE))
1157 zebra_pbr_show_iptable_unit(iptable, vty, zns);
1158 return HASHWALK_CONTINUE;
1159 }
1160
1161 void zebra_pbr_show_iptable(struct vty *vty, char *iptable_name)
1162 {
1163 struct zebra_ns *zns = zebra_ns_lookup(NS_DEFAULT);
1164 struct zebra_pbr_env_display env;
1165
1166 env.vty = vty;
1167 env.zns = zns;
1168 env.name = iptable_name;
1169 hash_walk(zns->iptable_hash, zebra_pbr_show_iptable_walkcb,
1170 &env);
1171 }
1172
1173 void zebra_pbr_iptable_update_interfacelist(struct stream *s,
1174 struct zebra_pbr_iptable *zpi)
1175 {
1176 uint32_t i = 0, index;
1177 struct interface *ifp;
1178 char *name;
1179
1180 for (i = 0; i < zpi->nb_interface; i++) {
1181 STREAM_GETL(s, index);
1182 ifp = if_lookup_by_index(index, zpi->vrf_id);
1183 if (!ifp)
1184 continue;
1185 name = XSTRDUP(MTYPE_PBR_IPTABLE_IFNAME, ifp->name);
1186 listnode_add(zpi->interface_name_list, name);
1187 }
1188 stream_failure:
1189 return;
1190 }
FRRouting mirror