summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorStefan Tomanek <stefan.tomanek@wertarbyte.de>2013-08-02 17:19:56 +0200
committerDavid S. Miller <davem@davemloft.net>2013-08-03 00:24:22 +0200
commit6ef94cfafba159d6b1a902ccb3349ac6a34ff6ad (patch)
treef2d7afebf4534ea50273165f4b0798aed704a37c
parenticmpv6_filter: allow ICMPv6 messages with bodies < 4 bytes (diff)
downloadlinux-6ef94cfafba159d6b1a902ccb3349ac6a34ff6ad.tar.xz
linux-6ef94cfafba159d6b1a902ccb3349ac6a34ff6ad.zip
fib_rules: add route suppression based on ifgroup
This change adds the ability to suppress a routing decision based upon the interface group the selected interface belongs to. This allows it to exclude specific devices from a routing decision. Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/net/fib_rules.h2
-rw-r--r--include/uapi/linux/fib_rules.h2
-rw-r--r--net/core/fib_rules.c10
-rw-r--r--net/ipv4/fib_rules.c23
-rw-r--r--net/ipv6/fib6_rules.c16
5 files changed, 43 insertions, 10 deletions
diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h
index 2f286dce9259..d13c461b4b59 100644
--- a/include/net/fib_rules.h
+++ b/include/net/fib_rules.h
@@ -18,6 +18,7 @@ struct fib_rule {
u32 pref;
u32 flags;
u32 table;
+ int suppress_ifgroup;
u8 table_prefixlen_min;
u8 action;
u32 target;
@@ -84,6 +85,7 @@ struct fib_rules_ops {
[FRA_FWMASK] = { .type = NLA_U32 }, \
[FRA_TABLE] = { .type = NLA_U32 }, \
[FRA_TABLE_PREFIXLEN_MIN] = { .type = NLA_U8 }, \
+ [FRA_SUPPRESS_IFGROUP] = { .type = NLA_U32 }, \
[FRA_GOTO] = { .type = NLA_U32 }
static inline void fib_rule_get(struct fib_rule *rule)
diff --git a/include/uapi/linux/fib_rules.h b/include/uapi/linux/fib_rules.h
index 59cd31b3455e..63e31166e85b 100644
--- a/include/uapi/linux/fib_rules.h
+++ b/include/uapi/linux/fib_rules.h
@@ -44,7 +44,7 @@ enum {
FRA_FWMARK, /* mark */
FRA_FLOW, /* flow/class id */
FRA_UNUSED6,
- FRA_UNUSED7,
+ FRA_SUPPRESS_IFGROUP,
FRA_TABLE_PREFIXLEN_MIN,
FRA_TABLE, /* Extended table id */
FRA_FWMASK, /* mask for netfilter mark */
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index 2ef5040c99c8..5040a61bf28a 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -343,6 +343,9 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh)
if (tb[FRA_TABLE_PREFIXLEN_MIN])
rule->table_prefixlen_min = nla_get_u8(tb[FRA_TABLE_PREFIXLEN_MIN]);
+ if (tb[FRA_SUPPRESS_IFGROUP])
+ rule->suppress_ifgroup = nla_get_u32(tb[FRA_SUPPRESS_IFGROUP]);
+
if (!tb[FRA_PRIORITY] && ops->default_pref)
rule->pref = ops->default_pref(ops);
@@ -529,6 +532,7 @@ static inline size_t fib_rule_nlmsg_size(struct fib_rules_ops *ops,
+ nla_total_size(4) /* FRA_PRIORITY */
+ nla_total_size(4) /* FRA_TABLE */
+ nla_total_size(1) /* FRA_TABLE_PREFIXLEN_MIN */
+ + nla_total_size(4) /* FRA_SUPPRESS_IFGROUP */
+ nla_total_size(4) /* FRA_FWMARK */
+ nla_total_size(4); /* FRA_FWMASK */
@@ -588,6 +592,12 @@ static int fib_nl_fill_rule(struct sk_buff *skb, struct fib_rule *rule,
(rule->target &&
nla_put_u32(skb, FRA_GOTO, rule->target)))
goto nla_put_failure;
+
+ if (rule->suppress_ifgroup != -1) {
+ if (nla_put_u32(skb, FRA_SUPPRESS_IFGROUP, rule->suppress_ifgroup))
+ goto nla_put_failure;
+ }
+
if (ops->fill(rule, skb, frh) < 0)
goto nla_put_failure;
diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
index 9f2906679d1f..b78fd28970c9 100644
--- a/net/ipv4/fib_rules.c
+++ b/net/ipv4/fib_rules.c
@@ -103,16 +103,27 @@ errout:
static bool fib4_rule_suppress(struct fib_rule *rule, struct fib_lookup_arg *arg)
{
+ struct fib_result *result = (struct fib_result *) arg->result;
+ struct net_device *dev = result->fi->fib_dev;
+
/* do not accept result if the route does
* not meet the required prefix length
*/
- struct fib_result *result = (struct fib_result *) arg->result;
- if (result->prefixlen < rule->table_prefixlen_min) {
- if (!(arg->flags & FIB_LOOKUP_NOREF))
- fib_info_put(result->fi);
- return true;
- }
+ if (result->prefixlen < rule->table_prefixlen_min)
+ goto suppress_route;
+
+ /* do not accept result if the route uses a device
+ * belonging to a forbidden interface group
+ */
+ if (rule->suppress_ifgroup != -1 && dev && dev->group == rule->suppress_ifgroup)
+ goto suppress_route;
+
return false;
+
+suppress_route:
+ if (!(arg->flags & FIB_LOOKUP_NOREF))
+ fib_info_put(result->fi);
+ return true;
}
static int fib4_rule_match(struct fib_rule *rule, struct flowi *fl, int flags)
diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c
index 554a4fbabfb3..36283267e2f8 100644
--- a/net/ipv6/fib6_rules.c
+++ b/net/ipv6/fib6_rules.c
@@ -122,14 +122,24 @@ out:
static bool fib6_rule_suppress(struct fib_rule *rule, struct fib_lookup_arg *arg)
{
struct rt6_info *rt = (struct rt6_info *) arg->result;
+ struct net_device *dev = rt->rt6i_idev->dev;
/* do not accept result if the route does
* not meet the required prefix length
*/
- if (rt->rt6i_dst.plen < rule->table_prefixlen_min) {
+ if (rt->rt6i_dst.plen < rule->table_prefixlen_min)
+ goto suppress_route;
+
+ /* do not accept result if the route uses a device
+ * belonging to a forbidden interface group
+ */
+ if (rule->suppress_ifgroup != -1 && dev && dev->group == rule->suppress_ifgroup)
+ goto suppress_route;
+
+ return false;
+
+suppress_route:
ip6_rt_put(rt);
return true;
- }
- return false;
}
static int fib6_rule_match(struct fib_rule *rule, struct flowi *fl, int flags)