Reverse path filtering config support; possible values are:
0: no source validation
1|strict: strict mode as packet will be dropped if the
incoming interface is not the best reverse path
2|loose: loose mode as packet will be dropped if the
source address is not reachable via any interface
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
[DEV_ATTR_ENABLED] = { .name = "enabled", .type = BLOBMSG_TYPE_BOOL },
[DEV_ATTR_IPV6] = { .name = "ipv6", .type = BLOBMSG_TYPE_BOOL },
[DEV_ATTR_PROMISC] = { .name = "promisc", .type = BLOBMSG_TYPE_BOOL },
[DEV_ATTR_ENABLED] = { .name = "enabled", .type = BLOBMSG_TYPE_BOOL },
[DEV_ATTR_IPV6] = { .name = "ipv6", .type = BLOBMSG_TYPE_BOOL },
[DEV_ATTR_PROMISC] = { .name = "promisc", .type = BLOBMSG_TYPE_BOOL },
+ [DEV_ATTR_RPFILTER] = { .name = "rpfilter", .type = BLOBMSG_TYPE_STRING },
};
const struct uci_blob_param_list device_attr_list = {
};
const struct uci_blob_param_list device_attr_list = {
sizeof(n->macaddr));
n->ipv6 = s->flags & DEV_OPT_IPV6 ? s->ipv6 : os->ipv6;
n->promisc = s->flags & DEV_OPT_PROMISC ? s->promisc : os->promisc;
sizeof(n->macaddr));
n->ipv6 = s->flags & DEV_OPT_IPV6 ? s->ipv6 : os->ipv6;
n->promisc = s->flags & DEV_OPT_PROMISC ? s->promisc : os->promisc;
+ n->rpfilter = s->flags & DEV_OPT_RPFILTER ? s->rpfilter : os->rpfilter;
n->flags = s->flags | os->flags;
}
n->flags = s->flags | os->flags;
}
s->flags |= DEV_OPT_PROMISC;
}
s->flags |= DEV_OPT_PROMISC;
}
+ if ((cur = tb[DEV_ATTR_RPFILTER])) {
+ if (system_resolve_rpfilter(blobmsg_data(cur), &s->rpfilter))
+ s->flags |= DEV_OPT_RPFILTER;
+ else
+ DPRINTF("Failed to resolve rpfilter: %s\n", (char *) blobmsg_data(cur));
+ }
+
device_set_disabled(dev, disabled);
}
device_set_disabled(dev, disabled);
}
blobmsg_add_u8(b, "ipv6", st.ipv6);
if (st.flags & DEV_OPT_PROMISC)
blobmsg_add_u8(b, "promisc", st.promisc);
blobmsg_add_u8(b, "ipv6", st.ipv6);
if (st.flags & DEV_OPT_PROMISC)
blobmsg_add_u8(b, "promisc", st.promisc);
+ if (st.flags & DEV_OPT_RPFILTER)
+ blobmsg_add_u32(b, "rpfilter", st.rpfilter);
}
s = blobmsg_open_table(b, "statistics");
}
s = blobmsg_open_table(b, "statistics");
DEV_ATTR_ENABLED,
DEV_ATTR_IPV6,
DEV_ATTR_PROMISC,
DEV_ATTR_ENABLED,
DEV_ATTR_IPV6,
DEV_ATTR_PROMISC,
DEV_OPT_TXQUEUELEN = (1 << 2),
DEV_OPT_IPV6 = (1 << 3),
DEV_OPT_PROMISC = (1 << 4),
DEV_OPT_TXQUEUELEN = (1 << 2),
DEV_OPT_IPV6 = (1 << 3),
DEV_OPT_PROMISC = (1 << 4),
+ DEV_OPT_RPFILTER = (1 << 5),
};
/* events broadcasted to all users of a device */
};
/* events broadcasted to all users of a device */
uint8_t macaddr[6];
bool ipv6;
bool promisc;
uint8_t macaddr[6];
bool ipv6;
bool promisc;
+bool system_resolve_rpfilter(const char *filter, unsigned int *id)
+{
+ *id = 0;
+ return true;
+}
+
int system_add_iprule(struct iprule *rule)
{
return 0;
int system_add_iprule(struct iprule *rule)
{
return 0;
system_set_dev_sysctl("/proc/sys/net/ipv6/conf/%s/disable_ipv6", dev->ifname, val);
}
system_set_dev_sysctl("/proc/sys/net/ipv6/conf/%s/disable_ipv6", dev->ifname, val);
}
+static void system_set_rpfilter(struct device *dev, const char *val)
+{
+ system_set_dev_sysctl("/proc/sys/net/ipv4/conf/%s/rp_filter", dev->ifname, val);
+}
+
static int system_get_sysctl(const char *path, char *buf, const size_t buf_sz)
{
int fd = -1, ret = -1;
static int system_get_sysctl(const char *path, char *buf, const size_t buf_sz)
{
int fd = -1, ret = -1;
dev->ifname, buf, buf_sz);
}
dev->ifname, buf, buf_sz);
}
+static int system_get_rpfilter(struct device *dev, char *buf, const size_t buf_sz)
+{
+ return system_get_dev_sysctl("/proc/sys/net/ipv4/conf/%s/rp_filter",
+ dev->ifname, buf, buf_sz);
+}
+
// Evaluate netlink messages
static int cb_rtnl_event(struct nl_msg *msg, void *arg)
{
// Evaluate netlink messages
static int cb_rtnl_event(struct nl_msg *msg, void *arg)
{
s->promisc = ifr.ifr_flags & IFF_PROMISC;
s->flags |= DEV_OPT_PROMISC;
}
s->promisc = ifr.ifr_flags & IFF_PROMISC;
s->flags |= DEV_OPT_PROMISC;
}
+
+ if (!system_get_rpfilter(dev, buf, sizeof(buf))) {
+ s->rpfilter = strtoul(buf, NULL, 0);
+ s->flags |= DEV_OPT_RPFILTER;
+ }
!s->promisc ? IFF_PROMISC : 0) < 0)
s->flags &= ~DEV_OPT_PROMISC;
}
!s->promisc ? IFF_PROMISC : 0) < 0)
s->flags &= ~DEV_OPT_PROMISC;
}
+ if (s->flags & DEV_OPT_RPFILTER & apply_mask) {
+ char buf[2];
+
+ snprintf(buf, sizeof(buf), "%d", s->rpfilter);
+ system_set_rpfilter(dev, buf);
+ }
}
int system_if_up(struct device *dev)
}
int system_if_up(struct device *dev)
return (id == RT_TABLE_MAIN);
}
return (id == RT_TABLE_MAIN);
}
+bool system_resolve_rpfilter(const char *filter, unsigned int *id)
+{
+ char *e;
+ unsigned int n;
+
+ if (!strcmp(filter, "strict"))
+ n = 1;
+ else if (!strcmp(filter, "loose"))
+ n = 2;
+ else {
+ n = strtoul(filter, &e, 0);
+ if (*e || e == filter || n > 2)
+ return false;
+ }
+
+ *id = n;
+ return true;
+}
+
static int system_iprule(struct iprule *rule, int cmd)
{
int alen = ((rule->flags & IPRULE_FAMILY) == IPRULE_INET4) ? 4 : 16;
static int system_iprule(struct iprule *rule, int cmd)
{
int alen = ((rule->flags & IPRULE_FAMILY) == IPRULE_INET4) ? 4 : 16;
bool system_resolve_rt_type(const char *type, unsigned int *id);
bool system_resolve_rt_table(const char *name, unsigned int *id);
bool system_is_default_rt_table(unsigned int id);
bool system_resolve_rt_type(const char *type, unsigned int *id);
bool system_resolve_rt_table(const char *name, unsigned int *id);
bool system_is_default_rt_table(unsigned int id);
+bool system_resolve_rpfilter(const char *filter, unsigned int *id);
int system_del_ip_tunnel(const char *name, struct blob_attr *attr);
int system_add_ip_tunnel(const char *name, struct blob_attr *attr);
int system_del_ip_tunnel(const char *name, struct blob_attr *attr);
int system_add_ip_tunnel(const char *name, struct blob_attr *attr);
projects / project / netifd.git / commitdiff