[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1520267801-10359-1-git-send-email-roopa@cumulusnetworks.com>
Date: Mon, 5 Mar 2018 08:36:41 -0800
From: Roopa Prabhu <roopa@...ulusnetworks.com>
To: dsahern@...il.com
Cc: netdev@...r.kernel.org
Subject: [PATCH iproute2 net-next] iprule: support for ip_proto, sport and dport match options
From: Roopa Prabhu <roopa@...ulusnetworks.com>
add support to match on ip_proto, sport and dport ranges.
For ip_proto, this patch currently enumerates tcp, udp and sctp.
This list can be extended in the future.
example:
$ip rule add sport 666-777 dport 999 ip_proto tcp table 100
$ip rule show
0: from all lookup local
32765: from all ip_proto 6 sport 666-777 dport 999 lookup 100
32766: from all lookup main
32767: from all lookup default
Signed-off-by: Roopa Prabhu <roopa@...ulusnetworks.com>
---
include/uapi/linux/fib_rules.h | 8 +++++
ip/iprule.c | 76 +++++++++++++++++++++++++++++++++++++++++-
man/man8/ip-rule.8 | 32 +++++++++++++++++-
3 files changed, 114 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/fib_rules.h b/include/uapi/linux/fib_rules.h
index 77d90ae..1809af5 100644
--- a/include/uapi/linux/fib_rules.h
+++ b/include/uapi/linux/fib_rules.h
@@ -35,6 +35,11 @@ struct fib_rule_uid_range {
__u32 end;
};
+struct fib_rule_port_range {
+ __u16 start;
+ __u16 end;
+};
+
enum {
FRA_UNSPEC,
FRA_DST, /* destination address */
@@ -59,6 +64,9 @@ enum {
FRA_L3MDEV, /* iif or oif is l3mdev goto its table */
FRA_UID_RANGE, /* UID range */
FRA_PROTOCOL, /* Originator of the rule */
+ FRA_IP_PROTO, /* ip proto */
+ FRA_SPORT_RANGE,/* sport range */
+ FRA_DPORT_RANGE,/* dport range */
__FRA_MAX
};
diff --git a/ip/iprule.c b/ip/iprule.c
index 6fdc9b5..973f8cb 100644
--- a/ip/iprule.c
+++ b/ip/iprule.c
@@ -45,7 +45,10 @@ static void usage(void)
" ip rule [ list [ SELECTOR ]]\n"
"SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ]\n"
" [ iif STRING ] [ oif STRING ] [ pref NUMBER ] [ l3mdev ]\n"
- " [ uidrange NUMBER-NUMBER ]\n"
+ " [ uidrange NUMBER-NUMBER ]"
+ " [ ip_proto [tcp | udp | sctp] ]"
+ " [ sport [ NUMBER | NUMBER-NUMBER ]"
+ " [ dport [ NUMBER | NUMBER-NUMBER ] ]\n"
"ACTION := [ table TABLE_ID ]\n"
" [ protocol PROTO ]\n"
" [ nat ADDRESS ]\n"
@@ -284,6 +287,31 @@ int print_rule(const struct sockaddr_nl *who, struct nlmsghdr *n, void *arg)
fprintf(fp, "uidrange %u-%u ", r->start, r->end);
}
+ if (tb[FRA_IP_PROTO]) {
+ print_uint(PRINT_ANY,
+ "ip_proto",
+ "ip_proto %u ",
+ rta_getattr_u8(tb[FRA_IP_PROTO]));
+ }
+
+ if (tb[FRA_SPORT_RANGE]) {
+ struct fib_rule_port_range *r = RTA_DATA(tb[FRA_SPORT_RANGE]);
+
+ if (r->start == r->end)
+ fprintf(fp, "sport %hu ", r->start);
+ else
+ fprintf(fp, "sport %hu-%hu ", r->start, r->end);
+ }
+
+ if (tb[FRA_DPORT_RANGE]) {
+ struct fib_rule_port_range *r = RTA_DATA(tb[FRA_DPORT_RANGE]);
+
+ if (r->start == r->end)
+ fprintf(fp, "dport %hu ", r->start);
+ else
+ fprintf(fp, "dport %hu-%hu ", r->start, r->end);
+ }
+
table = frh_get_table(frh, tb);
if (table) {
fprintf(fp, "lookup %s ",
@@ -608,6 +636,20 @@ static int iprule_restore(void)
exit(rtnl_from_file(stdin, &restore_handler, NULL));
}
+static int parse_ip_proto(__u8 *ip_proto, char *str)
+{
+ if (matches(str, "tcp") == 0)
+ *ip_proto = IPPROTO_TCP;
+ else if (matches(str, "udp") == 0)
+ *ip_proto = IPPROTO_UDP;
+ else if (matches(str, "sctp") == 0)
+ *ip_proto = IPPROTO_SCTP;
+ else
+ return -1;
+
+ return 0;
+}
+
static int iprule_modify(int cmd, int argc, char **argv)
{
int l3mdev_rule = 0;
@@ -768,6 +810,38 @@ static int iprule_modify(int cmd, int argc, char **argv)
addattr32(&req.n, sizeof(req), RTA_GATEWAY,
get_addr32(*argv));
req.frh.action = RTN_NAT;
+ } else if (strcmp(*argv, "ip_proto") == 0) {
+ NEXT_ARG();
+ __u8 ip_proto;
+
+ if (parse_ip_proto(&ip_proto, *argv))
+ invarg("Invalid \"ip_proto\" value\n",
+ *argv);
+ addattr8(&req.n, sizeof(req), FRA_IP_PROTO, ip_proto);
+ } else if (strcmp(*argv, "sport") == 0) {
+ struct fib_rule_port_range r;
+ int ret = 0;
+
+ NEXT_ARG();
+ ret = sscanf(*argv, "%hu-%hu", &r.start, &r.end);
+ if (ret == 1)
+ r.end = r.start;
+ else if (ret != 2)
+ invarg("invalid port range\n", *argv);
+ addattr_l(&req.n, sizeof(req), FRA_SPORT_RANGE, &r,
+ sizeof(r));
+ } else if (strcmp(*argv, "dport") == 0) {
+ struct fib_rule_port_range r;
+ int ret = 0;
+
+ NEXT_ARG();
+ ret = sscanf(*argv, "%hu-%hu", &r.start, &r.end);
+ if (ret == 1)
+ r.end = r.start;
+ else if (ret != 2)
+ invarg("invalid dport range\n", *argv);
+ addattr_l(&req.n, sizeof(req), FRA_DPORT_RANGE, &r,
+ sizeof(r));
} else {
int type;
diff --git a/man/man8/ip-rule.8 b/man/man8/ip-rule.8
index 7cf8fd9..59f3228 100644
--- a/man/man8/ip-rule.8
+++ b/man/man8/ip-rule.8
@@ -44,7 +44,19 @@ ip-rule \- routing policy database management
.IR STRING " ] [ "
.B pref
.IR NUMBER " ] [ "
-.BR l3mdev " ]"
+.IR l3mdev " ] [ "
+.B uidrange
+.IR NUMBER "-" NUMBER " ] [ "
+.B ip_proto
+.RB "[ " tcp " | " udp " | " sctp " ] ] [ "
+.BR sport " [ "
+.IR NUMBER " | "
+.IR NUMBER "-" NUMBER " ] [ "
+.BR dport " [ "
+.IR NUMBER " | "
+.IR NUMBER "-" NUMBER " ]"
+.BR
+
.ti -8
.IR ACTION " := [ "
@@ -227,6 +239,24 @@ select the
value to match.
.TP
+.BI uidrange " NUMBER-NUMBER"
+select the
+.B uid
+value to match.
+
+.TP
+.BI ip_proto " tcp | udp | sctp "
+select the ip protocol value to match.
+
+.TP
+.BI sport " NUMBER | NUMBER-NUMBER"
+select the source port value to match. supports port range.
+
+.TP
+.BI dport " NUMBER | NUMBER-NUMBER"
+select the destination port value to match. supports port range.
+
+.TP
.BI priority " PREFERENCE"
the priority of this rule.
.I PREFERENCE
--
2.1.4
Powered by blists - more mailing lists