lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1520267801-10359-1-git-send-email-roopa@cumulusnetworks.com>
Date:   Mon,  5 Mar 2018 08:36:41 -0800
From:   Roopa Prabhu <roopa@...ulusnetworks.com>
To:     dsahern@...il.com
Cc:     netdev@...r.kernel.org
Subject: [PATCH iproute2 net-next] iprule: support for ip_proto, sport and dport match options

From: Roopa Prabhu <roopa@...ulusnetworks.com>

add support to match on ip_proto, sport and dport ranges.
For ip_proto, this patch currently enumerates tcp, udp and sctp.
This list can be extended in the future.

example:
$ip rule add sport 666-777 dport 999 ip_proto tcp table 100
$ip rule show
0:      from all lookup local
32765:  from all ip_proto 6 sport 666-777 dport 999 lookup 100
32766:  from all lookup main
32767:  from all lookup default

Signed-off-by: Roopa Prabhu <roopa@...ulusnetworks.com>
---
 include/uapi/linux/fib_rules.h |  8 +++++
 ip/iprule.c                    | 76 +++++++++++++++++++++++++++++++++++++++++-
 man/man8/ip-rule.8             | 32 +++++++++++++++++-
 3 files changed, 114 insertions(+), 2 deletions(-)

diff --git a/include/uapi/linux/fib_rules.h b/include/uapi/linux/fib_rules.h
index 77d90ae..1809af5 100644
--- a/include/uapi/linux/fib_rules.h
+++ b/include/uapi/linux/fib_rules.h
@@ -35,6 +35,11 @@ struct fib_rule_uid_range {
 	__u32		end;
 };
 
+struct fib_rule_port_range {
+	__u16		start;
+	__u16		end;
+};
+
 enum {
 	FRA_UNSPEC,
 	FRA_DST,	/* destination address */
@@ -59,6 +64,9 @@ enum {
 	FRA_L3MDEV,	/* iif or oif is l3mdev goto its table */
 	FRA_UID_RANGE,	/* UID range */
 	FRA_PROTOCOL,   /* Originator of the rule */
+	FRA_IP_PROTO,	/* ip proto */
+	FRA_SPORT_RANGE,/* sport range */
+	FRA_DPORT_RANGE,/* dport range */
 	__FRA_MAX
 };
 
diff --git a/ip/iprule.c b/ip/iprule.c
index 6fdc9b5..973f8cb 100644
--- a/ip/iprule.c
+++ b/ip/iprule.c
@@ -45,7 +45,10 @@ static void usage(void)
 		"       ip rule [ list [ SELECTOR ]]\n"
 		"SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ]\n"
 		"            [ iif STRING ] [ oif STRING ] [ pref NUMBER ] [ l3mdev ]\n"
-		"            [ uidrange NUMBER-NUMBER ]\n"
+		"            [ uidrange NUMBER-NUMBER ]"
+		"            [ ip_proto [tcp | udp | sctp] ]"
+		"            [ sport [ NUMBER | NUMBER-NUMBER ]"
+		"            [ dport [ NUMBER | NUMBER-NUMBER ] ]\n"
 		"ACTION := [ table TABLE_ID ]\n"
 		"          [ protocol PROTO ]\n"
 		"          [ nat ADDRESS ]\n"
@@ -284,6 +287,31 @@ int print_rule(const struct sockaddr_nl *who, struct nlmsghdr *n, void *arg)
 		fprintf(fp, "uidrange %u-%u ", r->start, r->end);
 	}
 
+	if (tb[FRA_IP_PROTO]) {
+		print_uint(PRINT_ANY,
+			   "ip_proto",
+			   "ip_proto %u ",
+			   rta_getattr_u8(tb[FRA_IP_PROTO]));
+	}
+
+	if (tb[FRA_SPORT_RANGE]) {
+		struct fib_rule_port_range *r = RTA_DATA(tb[FRA_SPORT_RANGE]);
+
+		if (r->start == r->end)
+			fprintf(fp, "sport %hu ", r->start);
+		else
+			fprintf(fp, "sport %hu-%hu ", r->start, r->end);
+	}
+
+	if (tb[FRA_DPORT_RANGE]) {
+		struct fib_rule_port_range *r = RTA_DATA(tb[FRA_DPORT_RANGE]);
+
+		if (r->start == r->end)
+			fprintf(fp, "dport %hu ", r->start);
+		else
+			fprintf(fp, "dport %hu-%hu ", r->start, r->end);
+	}
+
 	table = frh_get_table(frh, tb);
 	if (table) {
 		fprintf(fp, "lookup %s ",
@@ -608,6 +636,20 @@ static int iprule_restore(void)
 	exit(rtnl_from_file(stdin, &restore_handler, NULL));
 }
 
+static int parse_ip_proto(__u8 *ip_proto, char *str)
+{
+	if (matches(str, "tcp") == 0)
+		*ip_proto = IPPROTO_TCP;
+	else if (matches(str, "udp") == 0)
+		*ip_proto = IPPROTO_UDP;
+	else if (matches(str, "sctp") == 0)
+		*ip_proto = IPPROTO_SCTP;
+	else
+		return -1;
+
+	return 0;
+}
+
 static int iprule_modify(int cmd, int argc, char **argv)
 {
 	int l3mdev_rule = 0;
@@ -768,6 +810,38 @@ static int iprule_modify(int cmd, int argc, char **argv)
 			addattr32(&req.n, sizeof(req), RTA_GATEWAY,
 				  get_addr32(*argv));
 			req.frh.action = RTN_NAT;
+		} else if (strcmp(*argv, "ip_proto") == 0) {
+			NEXT_ARG();
+			__u8 ip_proto;
+
+			if (parse_ip_proto(&ip_proto, *argv))
+				invarg("Invalid \"ip_proto\" value\n",
+				       *argv);
+			addattr8(&req.n, sizeof(req), FRA_IP_PROTO, ip_proto);
+		} else if (strcmp(*argv, "sport") == 0) {
+			struct fib_rule_port_range r;
+			int ret = 0;
+
+			NEXT_ARG();
+			ret = sscanf(*argv, "%hu-%hu", &r.start, &r.end);
+			if (ret == 1)
+				r.end = r.start;
+			else if (ret != 2)
+				invarg("invalid port range\n", *argv);
+			addattr_l(&req.n, sizeof(req), FRA_SPORT_RANGE, &r,
+				  sizeof(r));
+		} else if (strcmp(*argv, "dport") == 0) {
+			struct fib_rule_port_range r;
+			int ret = 0;
+
+			NEXT_ARG();
+			ret = sscanf(*argv, "%hu-%hu", &r.start, &r.end);
+			if (ret == 1)
+				r.end = r.start;
+			else if (ret != 2)
+				invarg("invalid dport range\n", *argv);
+			addattr_l(&req.n, sizeof(req), FRA_DPORT_RANGE, &r,
+				  sizeof(r));
 		} else {
 			int type;
 
diff --git a/man/man8/ip-rule.8 b/man/man8/ip-rule.8
index 7cf8fd9..59f3228 100644
--- a/man/man8/ip-rule.8
+++ b/man/man8/ip-rule.8
@@ -44,7 +44,19 @@ ip-rule \- routing policy database management
 .IR STRING " ] [ "
 .B  pref
 .IR NUMBER " ] [ "
-.BR l3mdev " ]"
+.IR l3mdev " ] [ "
+.B uidrange
+.IR NUMBER "-" NUMBER " ] [ "
+.B ip_proto
+.RB "[ " tcp " | " udp " | " sctp " ] ] [ "
+.BR sport " [ "
+.IR NUMBER " | "
+.IR NUMBER "-" NUMBER " ] [ "
+.BR dport " [ "
+.IR NUMBER " | "
+.IR NUMBER "-" NUMBER " ]"
+.BR
+
 
 .ti -8
 .IR ACTION " := [ "
@@ -227,6 +239,24 @@ select the
 value to match.
 
 .TP
+.BI uidrange " NUMBER-NUMBER"
+select the
+.B uid
+value to match.
+
+.TP
+.BI ip_proto " tcp | udp | sctp "
+select the ip protocol value to match.
+
+.TP
+.BI sport " NUMBER | NUMBER-NUMBER"
+select the source port value to match. supports port range.
+
+.TP
+.BI dport " NUMBER | NUMBER-NUMBER"
+select the destination port value to match. supports port range.
+
+.TP
 .BI priority " PREFERENCE"
 the priority of this rule.
 .I PREFERENCE
-- 
2.1.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ