kernel-netlink: Extract shared route handling code in net/ipsec
[strongswan.git] / src / libcharon / plugins / kernel_netlink / kernel_netlink_shared.c
1 /*
2 * Copyright (C) 2014 Martin Willi
3 * Copyright (C) 2014 revosec AG
4 *
5 * Copyright (C) 2008-2020 Tobias Brunner
6 * HSR Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /*
20 * Copyright (C) 2016 secunet Security Networks AG
21 * Copyright (C) 2016 Thomas Egerer
22 *
23 * Permission is hereby granted, free of charge, to any person obtaining a copy
24 * of this software and associated documentation files (the "Software"), to deal
25 * in the Software without restriction, including without limitation the rights
26 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
27 * copies of the Software, and to permit persons to whom the Software is
28 * furnished to do so, subject to the following conditions:
29 *
30 * The above copyright notice and this permission notice shall be included in
31 * all copies or substantial portions of the Software.
32 *
33 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
34 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
35 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
36 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
37 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
38 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
39 * THE SOFTWARE.
40 */
41
42 #include <sys/socket.h>
43 #include <linux/netlink.h>
44 #include <linux/rtnetlink.h>
45 #include <linux/xfrm.h>
46 #include <errno.h>
47 #include <unistd.h>
48
49 #include "kernel_netlink_shared.h"
50
51 #include <utils/debug.h>
52 #include <threading/mutex.h>
53 #include <threading/condvar.h>
54 #include <collections/array.h>
55 #include <collections/hashtable.h>
56
57 typedef struct private_netlink_socket_t private_netlink_socket_t;
58
59 /**
60 * Private variables and functions of netlink_socket_t class.
61 */
62 struct private_netlink_socket_t {
63
64 /**
65 * public part of the netlink_socket_t object.
66 */
67 netlink_socket_t public;
68
69 /**
70 * mutex to lock access entries
71 */
72 mutex_t *mutex;
73
74 /**
75 * Netlink request entries currently active, uintptr_t seq => entry_t
76 */
77 hashtable_t *entries;
78
79 /**
80 * Current sequence number for Netlink requests
81 */
82 refcount_t seq;
83
84 /**
85 * netlink socket
86 */
87 int socket;
88
89 /**
90 * Netlink protocol
91 */
92 int protocol;
93
94 /**
95 * Enum names for Netlink messages
96 */
97 enum_name_t *names;
98
99 /**
100 * Timeout for Netlink replies, in ms
101 */
102 u_int timeout;
103
104 /**
105 * Number of times to repeat timed out queries
106 */
107 u_int retries;
108
109 /**
110 * Buffer size for received Netlink messages
111 */
112 u_int buflen;
113
114 /**
115 * Use parallel netlink queries
116 */
117 bool parallel;
118
119 /**
120 * Ignore errors potentially resulting from a retransmission
121 */
122 bool ignore_retransmit_errors;
123 };
124
125 /**
126 * #definable hook to simulate request message loss
127 */
128 #ifdef NETLINK_MSG_LOSS_HOOK
129 bool NETLINK_MSG_LOSS_HOOK(struct nlmsghdr *msg);
130 #define msg_loss_hook(msg) NETLINK_MSG_LOSS_HOOK(msg)
131 #else
132 #define msg_loss_hook(msg) FALSE
133 #endif
134
135 /**
136 * Request entry the answer for a waiting thread is collected in
137 */
138 typedef struct {
139 /** Condition variable thread is waiting */
140 condvar_t *condvar;
141 /** Array of hdrs in a multi-message response, as struct nlmsghdr* */
142 array_t *hdrs;
143 /** All response messages received? */
144 bool complete;
145 } entry_t;
146
147 /**
148 * Clean up a thread waiting entry
149 */
150 static void destroy_entry(entry_t *entry)
151 {
152 entry->condvar->destroy(entry->condvar);
153 array_destroy_function(entry->hdrs, (void*)free, NULL);
154 free(entry);
155 }
156
157 /**
158 * Write a Netlink message to socket
159 */
160 static bool write_msg(private_netlink_socket_t *this, struct nlmsghdr *msg)
161 {
162 struct sockaddr_nl addr = {
163 .nl_family = AF_NETLINK,
164 };
165 int len;
166
167 if (msg_loss_hook(msg))
168 {
169 return TRUE;
170 }
171
172 while (TRUE)
173 {
174 len = sendto(this->socket, msg, msg->nlmsg_len, 0,
175 (struct sockaddr*)&addr, sizeof(addr));
176 if (len != msg->nlmsg_len)
177 {
178 if (errno == EINTR)
179 {
180 continue;
181 }
182 DBG1(DBG_KNL, "netlink write error: %s", strerror(errno));
183 return FALSE;
184 }
185 return TRUE;
186 }
187 }
188
189 /**
190 * Read a single Netlink message from socket, return 0 on error, -1 on timeout
191 */
192 static ssize_t read_msg(private_netlink_socket_t *this,
193 char *buf, size_t buflen, bool block)
194 {
195 ssize_t len;
196
197 if (block)
198 {
199 fd_set set;
200 timeval_t tv = {};
201
202 FD_ZERO(&set);
203 FD_SET(this->socket, &set);
204 timeval_add_ms(&tv, this->timeout);
205
206 if (select(this->socket + 1, &set, NULL, NULL,
207 this->timeout ? &tv : NULL) <= 0)
208 {
209 return -1;
210 }
211 }
212 len = recv(this->socket, buf, buflen, MSG_TRUNC|(block ? 0 : MSG_DONTWAIT));
213 if (len > buflen)
214 {
215 DBG1(DBG_KNL, "netlink response exceeds buffer size");
216 return 0;
217 }
218 if (len < 0)
219 {
220 if (errno != EAGAIN && errno != EWOULDBLOCK && errno != EINTR)
221 {
222 DBG1(DBG_KNL, "netlink read error: %s", strerror(errno));
223 }
224 return 0;
225 }
226 return len;
227 }
228
229 /**
230 * Queue received response message
231 */
232 static bool queue(private_netlink_socket_t *this, struct nlmsghdr *buf)
233 {
234 struct nlmsghdr *hdr;
235 entry_t *entry;
236 uintptr_t seq;
237
238 seq = (uintptr_t)buf->nlmsg_seq;
239
240 this->mutex->lock(this->mutex);
241 entry = this->entries->get(this->entries, (void*)seq);
242 if (entry)
243 {
244 hdr = malloc(buf->nlmsg_len);
245 memcpy(hdr, buf, buf->nlmsg_len);
246 array_insert(entry->hdrs, ARRAY_TAIL, hdr);
247 if (hdr->nlmsg_type == NLMSG_DONE || !(hdr->nlmsg_flags & NLM_F_MULTI))
248 {
249 entry->complete = TRUE;
250 entry->condvar->signal(entry->condvar);
251 }
252 }
253 else
254 {
255 DBG1(DBG_KNL, "received unknown netlink seq %u, ignored", seq);
256 }
257 this->mutex->unlock(this->mutex);
258
259 return entry != NULL;
260 }
261
262 /**
263 * Read and queue response message, optionally blocking, returns TRUE on timeout
264 */
265 static bool read_and_queue(private_netlink_socket_t *this, bool block)
266 {
267 struct nlmsghdr *hdr;
268 char buf[this->buflen];
269 ssize_t len, read_len;
270 bool wipe = FALSE;
271
272 len = read_len = read_msg(this, buf, sizeof(buf), block);
273 if (len == -1)
274 {
275 return TRUE;
276 }
277 if (len)
278 {
279 hdr = (struct nlmsghdr*)buf;
280 while (NLMSG_OK(hdr, len))
281 {
282 if (this->protocol == NETLINK_XFRM &&
283 hdr->nlmsg_type == XFRM_MSG_NEWSA)
284 { /* wipe potential IPsec SA keys */
285 wipe = TRUE;
286 }
287 if (!queue(this, hdr))
288 {
289 break;
290 }
291 hdr = NLMSG_NEXT(hdr, len);
292 }
293 }
294 if (wipe)
295 {
296 memwipe(buf, read_len);
297 }
298 return FALSE;
299 }
300
301 CALLBACK(watch, bool,
302 private_netlink_socket_t *this, int fd, watcher_event_t event)
303 {
304 if (event == WATCHER_READ)
305 {
306 read_and_queue(this, FALSE);
307 }
308 return TRUE;
309 }
310
311 /**
312 * Send a netlink request, try once
313 */
314 static status_t send_once(private_netlink_socket_t *this, struct nlmsghdr *in,
315 uintptr_t seq, struct nlmsghdr **out, size_t *out_len)
316 {
317 struct nlmsghdr *hdr;
318 entry_t *entry;
319 u_char *ptr;
320 int i;
321
322 in->nlmsg_seq = seq;
323 in->nlmsg_pid = getpid();
324
325 if (this->names)
326 {
327 DBG3(DBG_KNL, "sending %N %u: %b", this->names, in->nlmsg_type,
328 (u_int)seq, in, in->nlmsg_len);
329 }
330
331 this->mutex->lock(this->mutex);
332 if (!write_msg(this, in))
333 {
334 this->mutex->unlock(this->mutex);
335 return FAILED;
336 }
337
338 INIT(entry,
339 .condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
340 .hdrs = array_create(0, 0),
341 );
342 this->entries->put(this->entries, (void*)seq, entry);
343
344 while (!entry->complete)
345 {
346 if (this->parallel &&
347 lib->watcher->get_state(lib->watcher) != WATCHER_STOPPED &&
348 lib->processor->get_total_threads(lib->processor))
349 {
350 if (this->timeout)
351 {
352 if (entry->condvar->timed_wait(entry->condvar, this->mutex,
353 this->timeout))
354 {
355 break;
356 }
357 }
358 else
359 {
360 entry->condvar->wait(entry->condvar, this->mutex);
361 }
362 }
363 else
364 { /* During (de-)initialization, no watcher thread is active.
365 * collect responses ourselves. */
366 if (read_and_queue(this, TRUE))
367 {
368 break;
369 }
370 }
371 }
372 this->entries->remove(this->entries, (void*)seq);
373
374 this->mutex->unlock(this->mutex);
375
376 if (!entry->complete)
377 { /* timeout */
378 destroy_entry(entry);
379 return OUT_OF_RES;
380 }
381
382 for (i = 0, *out_len = 0; i < array_count(entry->hdrs); i++)
383 {
384 array_get(entry->hdrs, i, &hdr);
385 *out_len += NLMSG_ALIGN(hdr->nlmsg_len);
386 }
387 ptr = malloc(*out_len);
388 *out = (struct nlmsghdr*)ptr;
389
390 while (array_remove(entry->hdrs, ARRAY_HEAD, &hdr))
391 {
392 if (this->names)
393 {
394 DBG3(DBG_KNL, "received %N %u: %b", this->names, hdr->nlmsg_type,
395 hdr->nlmsg_seq, hdr, hdr->nlmsg_len);
396 }
397 memcpy(ptr, hdr, hdr->nlmsg_len);
398 ptr += NLMSG_ALIGN(hdr->nlmsg_len);
399 free(hdr);
400 }
401 destroy_entry(entry);
402 return SUCCESS;
403 }
404
405 /**
406 * Ignore errors for message types that might have completed previously
407 */
408 static void ignore_retransmit_error(private_netlink_socket_t *this,
409 struct nlmsgerr *err, int type)
410 {
411 switch (err->error)
412 {
413 case -EEXIST:
414 switch (this->protocol)
415 {
416 case NETLINK_XFRM:
417 switch (type)
418 {
419 case XFRM_MSG_NEWPOLICY:
420 case XFRM_MSG_NEWSA:
421 err->error = 0;
422 break;
423 }
424 break;
425 case NETLINK_ROUTE:
426 switch (type)
427 {
428 case RTM_NEWADDR:
429 case RTM_NEWLINK:
430 case RTM_NEWNEIGH:
431 case RTM_NEWROUTE:
432 case RTM_NEWRULE:
433 err->error = 0;
434 break;
435 }
436 break;
437 }
438 break;
439 case -ENOENT:
440 switch (this->protocol)
441 {
442 case NETLINK_XFRM:
443 switch (type)
444 {
445 case XFRM_MSG_DELPOLICY:
446 case XFRM_MSG_DELSA:
447 err->error = 0;
448 break;
449 }
450 break;
451 case NETLINK_ROUTE:
452 switch (type)
453 {
454 case RTM_DELADDR:
455 case RTM_DELLINK:
456 case RTM_DELNEIGH:
457 case RTM_DELROUTE:
458 case RTM_DELRULE:
459 err->error = 0;
460 break;
461 }
462 break;
463 }
464 break;
465 }
466 }
467
468 METHOD(netlink_socket_t, netlink_send, status_t,
469 private_netlink_socket_t *this, struct nlmsghdr *in, struct nlmsghdr **out,
470 size_t *out_len)
471 {
472 uintptr_t seq;
473 u_int try;
474
475 seq = ref_get(&this->seq);
476
477 for (try = 0; try <= this->retries; ++try)
478 {
479 struct nlmsghdr *hdr;
480 status_t status;
481 size_t len;
482
483 if (try > 0)
484 {
485 DBG1(DBG_KNL, "retransmitting Netlink request (%u/%u)",
486 try, this->retries);
487 }
488 status = send_once(this, in, seq, &hdr, &len);
489 switch (status)
490 {
491 case SUCCESS:
492 break;
493 case OUT_OF_RES:
494 continue;
495 default:
496 return status;
497 }
498 if (hdr->nlmsg_type == NLMSG_ERROR)
499 {
500 struct nlmsgerr* err;
501
502 err = NLMSG_DATA(hdr);
503 if (err->error == -EBUSY)
504 {
505 free(hdr);
506 try--;
507 continue;
508 }
509 if (this->ignore_retransmit_errors && try > 0)
510 {
511 ignore_retransmit_error(this, err, in->nlmsg_type);
512 }
513 }
514 *out = hdr;
515 *out_len = len;
516 return SUCCESS;
517 }
518 DBG1(DBG_KNL, "Netlink request timed out after %u retransmits",
519 this->retries);
520 return OUT_OF_RES;
521 }
522
523 METHOD(netlink_socket_t, netlink_send_ack, status_t,
524 private_netlink_socket_t *this, struct nlmsghdr *in)
525 {
526 struct nlmsghdr *out, *hdr;
527 size_t len;
528
529 if (netlink_send(this, in, &out, &len) != SUCCESS)
530 {
531 return FAILED;
532 }
533 hdr = out;
534 while (NLMSG_OK(hdr, len))
535 {
536 switch (hdr->nlmsg_type)
537 {
538 case NLMSG_ERROR:
539 {
540 struct nlmsgerr* err = NLMSG_DATA(hdr);
541
542 if (err->error)
543 {
544 if (-err->error == EEXIST)
545 { /* do not report existing routes */
546 free(out);
547 return ALREADY_DONE;
548 }
549 if (-err->error == ESRCH)
550 { /* do not report missing entries */
551 free(out);
552 return NOT_FOUND;
553 }
554 DBG1(DBG_KNL, "received netlink error: %s (%d)",
555 strerror(-err->error), -err->error);
556 free(out);
557 return FAILED;
558 }
559 free(out);
560 return SUCCESS;
561 }
562 default:
563 hdr = NLMSG_NEXT(hdr, len);
564 continue;
565 case NLMSG_DONE:
566 break;
567 }
568 break;
569 }
570 DBG1(DBG_KNL, "netlink request not acknowledged");
571 free(out);
572 return FAILED;
573 }
574
575 METHOD(netlink_socket_t, destroy, void,
576 private_netlink_socket_t *this)
577 {
578 if (this->socket != -1)
579 {
580 if (this->parallel)
581 {
582 lib->watcher->remove(lib->watcher, this->socket);
583 }
584 close(this->socket);
585 }
586 this->entries->destroy(this->entries);
587 this->mutex->destroy(this->mutex);
588 free(this);
589 }
590
591 /*
592 * Described in header
593 */
594 u_int netlink_get_buflen()
595 {
596 u_int buflen;
597
598 buflen = lib->settings->get_int(lib->settings,
599 "%s.plugins.kernel-netlink.buflen", 0, lib->ns);
600 if (!buflen)
601 {
602 long pagesize = sysconf(_SC_PAGESIZE);
603
604 if (pagesize == -1)
605 {
606 pagesize = 4096;
607 }
608 /* base this on NLMSG_GOODSIZE */
609 buflen = min(pagesize, 8192);
610 }
611 return buflen;
612 }
613
614 /*
615 * Described in header
616 */
617 netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names,
618 bool parallel)
619 {
620 private_netlink_socket_t *this;
621 struct sockaddr_nl addr = {
622 .nl_family = AF_NETLINK,
623 };
624 bool force_buf = FALSE;
625 int rcvbuf_size = 0;
626
627 INIT(this,
628 .public = {
629 .send = _netlink_send,
630 .send_ack = _netlink_send_ack,
631 .destroy = _destroy,
632 },
633 .seq = 200,
634 .mutex = mutex_create(MUTEX_TYPE_RECURSIVE),
635 .socket = socket(AF_NETLINK, SOCK_RAW, protocol),
636 .entries = hashtable_create(hashtable_hash_ptr, hashtable_equals_ptr, 4),
637 .protocol = protocol,
638 .names = names,
639 .buflen = netlink_get_buflen(),
640 .timeout = lib->settings->get_int(lib->settings,
641 "%s.plugins.kernel-netlink.timeout", 0, lib->ns),
642 .retries = lib->settings->get_int(lib->settings,
643 "%s.plugins.kernel-netlink.retries", 0, lib->ns),
644 .ignore_retransmit_errors = lib->settings->get_bool(lib->settings,
645 "%s.plugins.kernel-netlink.ignore_retransmit_errors",
646 FALSE, lib->ns),
647 .parallel = parallel,
648 );
649
650 if (this->socket == -1)
651 {
652 DBG1(DBG_KNL, "unable to create netlink socket: %s (%d)",
653 strerror(errno), errno);
654 destroy(this);
655 return NULL;
656 }
657 if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)))
658 {
659 DBG1(DBG_KNL, "unable to bind netlink socket: %s (%d)",
660 strerror(errno), errno);
661 destroy(this);
662 return NULL;
663 }
664 rcvbuf_size = lib->settings->get_int(lib->settings,
665 "%s.plugins.kernel-netlink.receive_buffer_size",
666 rcvbuf_size, lib->ns);
667 if (rcvbuf_size)
668 {
669 int optname;
670
671 force_buf = lib->settings->get_bool(lib->settings,
672 "%s.plugins.kernel-netlink.force_receive_buffer_size",
673 force_buf, lib->ns);
674 optname = force_buf ? SO_RCVBUFFORCE : SO_RCVBUF;
675
676 if (setsockopt(this->socket, SOL_SOCKET, optname, &rcvbuf_size,
677 sizeof(rcvbuf_size)) == -1)
678 {
679 DBG1(DBG_KNL, "failed to %supdate receive buffer size to %d: %s",
680 force_buf ? "forcibly " : "", rcvbuf_size, strerror(errno));
681 }
682 }
683 if (this->parallel)
684 {
685 lib->watcher->add(lib->watcher, this->socket, WATCHER_READ, watch, this);
686 }
687
688 return &this->public;
689 }
690
691 /*
692 * Described in header
693 */
694 void netlink_add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
695 size_t buflen)
696 {
697 struct rtattr *rta;
698
699 if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_LENGTH(data.len) > buflen)
700 {
701 DBG1(DBG_KNL, "unable to add attribute, buffer too small");
702 return;
703 }
704
705 rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
706 rta->rta_type = rta_type;
707 rta->rta_len = RTA_LENGTH(data.len);
708 memcpy(RTA_DATA(rta), data.ptr, data.len);
709 hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(rta->rta_len);
710 }
711
712 /**
713 * Add an attribute to the given Netlink message
714 */
715 static struct rtattr *add_rtattr(struct nlmsghdr *hdr, int buflen, int type,
716 int len)
717 {
718 struct rtattr *rta;
719
720 if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_LENGTH(len) > buflen)
721 {
722 DBG1(DBG_KNL, "unable to add attribute, buffer too small");
723 return NULL;
724 }
725
726 rta = ((void*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len);
727 rta->rta_type = type;
728 rta->rta_len = RTA_LENGTH(len);
729 hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(rta->rta_len);
730 return rta;
731 }
732
733 /*
734 * Described in header
735 */
736 void *netlink_nested_start(struct nlmsghdr *hdr, size_t buflen, int type)
737 {
738 return add_rtattr(hdr, buflen, type, 0);
739 }
740
741 /*
742 * Described in header
743 */
744 void netlink_nested_end(struct nlmsghdr *hdr, void *attr)
745 {
746 struct rtattr *rta = attr;
747 void *end;
748
749 if (attr)
750 {
751 end = (char*)hdr + NLMSG_ALIGN(hdr->nlmsg_len);
752 rta->rta_len = end - attr;
753 }
754 }
755
756 /*
757 * Described in header
758 */
759 void *netlink_reserve(struct nlmsghdr *hdr, int buflen, int type, int len)
760 {
761 struct rtattr *rta;
762
763 rta = add_rtattr(hdr, buflen, type, len);
764 if (!rta)
765 {
766 return NULL;
767 }
768 return RTA_DATA(rta);
769 }
770
771 /*
772 * Described in header
773 */
774 void route_entry_destroy(route_entry_t *this)
775 {
776 free(this->if_name);
777 DESTROY_IF(this->src_ip);
778 DESTROY_IF(this->gateway);
779 chunk_free(&this->dst_net);
780 free(this);
781 }
782
783 /*
784 * Described in header
785 */
786 route_entry_t *route_entry_clone(const route_entry_t *this)
787 {
788 route_entry_t *route;
789
790 INIT(route,
791 .if_name = strdupnull(this->if_name),
792 .src_ip = this->src_ip ? this->src_ip->clone(this->src_ip) : NULL,
793 .gateway = this->gateway ? this->gateway->clone(this->gateway) : NULL,
794 .dst_net = chunk_clone(this->dst_net),
795 .prefixlen = this->prefixlen,
796 .pass = this->pass,
797 );
798 return route;
799 }
800
801 /*
802 * Described in header
803 */
804 u_int route_entry_hash(const route_entry_t *this)
805 {
806 return chunk_hash_inc(chunk_from_thing(this->prefixlen),
807 chunk_hash(this->dst_net));
808 }
809
810 /**
811 * Compare two IP addresses, also accept it if both are NULL
812 */
813 static bool addrs_null_or_equal(host_t *a, host_t *b)
814 {
815 return (!a && !b) || (a && b && a->ip_equals(a, b));
816 }
817
818 /*
819 * Described in header
820 */
821 bool route_entry_equals(const route_entry_t *a, const route_entry_t *b)
822 {
823 return streq(a->if_name, b->if_name) &&
824 a->pass == b->pass &&
825 a->prefixlen == b->prefixlen &&
826 chunk_equals(a->dst_net, b->dst_net) &&
827 addrs_null_or_equal(a->src_ip, b->src_ip) &&
828 addrs_null_or_equal(a->gateway, b->gateway);
829 }