netifd: Do not add local/source policy rules multiple times

interface_ip_set_enabled() is usually called two times right after one another,
once to handle config_ip and once to handle proto_ip. As long as
ip->iface->l3_dev.dev is set, the local/source policy rules are updated.

This value is in several cases set on both config_ip and proto_ip, causing the
rules to be added multiple time. The reason is that the kernel does not respect
the NLM_F_* flag for rules. In other words, the rule state has to be managed by
the routing daemon.

Since the local/source policy rules are bound to iface, this commit solves the
problem by adding a flag to interface which stores the current rule state. The
flag follows the enabled-paramter passed to interface_ip_set_enabled(), similar
to route-> and addr->enabled. The flag breaks the alignment of the interface
struct, but based on earlier commits this seems to be ok.

I have tested the patch in different configurations and have not found any
regression.

Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>

diff --git a/interface-ip.c b/interface-ip.c
index 1e085bc..b96d98c 100644 (file)
--- a/interface-ip.c
+++ b/interface-ip.c
@@ -1289,12 +1289,14 @@ void interface_ip_set_enabled(struct interface_ip_settings *ip, bool enabled)
                        if (!strcmp(a->name, ip->iface->name))
                                interface_set_prefix_address(a, c, ip->iface, enabled);
 
-       if (ip->iface && ip->iface->l3_dev.dev) {
+       if (ip->iface && ip->iface->policy_rules_set != enabled &&
+           ip->iface->l3_dev.dev) {
                set_ip_lo_policy(enabled, true, ip->iface);
                set_ip_lo_policy(enabled, false, ip->iface);
 
                set_ip_source_policy(enabled, true, IPRULE_PRIORITY_REJECT + ip->iface->l3_dev.dev->ifindex,
                        NULL, 0, 0, ip->iface, "failed_policy");
+               ip->iface->policy_rules_set = enabled;
        }
 }
 

diff --git a/interface.h b/interface.h
index c2049f1..73a3b55 100644 (file)
--- a/interface.h
+++ b/interface.h
@@ -112,6 +112,7 @@ struct interface {
        bool link_state;
        bool force_link;
        bool dynamic;
+       bool policy_rules_set;
 
        time_t start_time;
        enum interface_state state;

diff --git a/system-linux.c b/system-linux.c
index d3bb64d..2b17764 100644 (file)
--- a/system-linux.c
+++ b/system-linux.c
@@ -1792,10 +1792,8 @@ static int system_iprule(struct iprule *rule, int cmd)
                .rtm_flags = 0,
        };
 
-       if (cmd == RTM_NEWRULE) {
+       if (cmd == RTM_NEWRULE)
                rtm.rtm_type = RTN_UNICAST;
-               rtm.rtm_flags |= NLM_F_REPLACE | NLM_F_EXCL;
-       }
 
        if (rule->invert)
                rtm.rtm_flags |= FIB_RULE_INVERT;