projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Filter ignored interfaces in kernel interfaces (for events, address enumeration,...
[strongswan.git] / src / libhydra / plugins / kernel_netlink / kernel_netlink_net.c
1 /*
2 * Copyright (C) 2008-2012 Tobias Brunner
3 * Copyright (C) 2005-2008 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 /*
18 * Copyright (C) 2010 secunet Security Networks AG
19 * Copyright (C) 2010 Thomas Egerer
20 *
21 * Permission is hereby granted, free of charge, to any person obtaining a copy
22 * of this software and associated documentation files (the "Software"), to deal
23 * in the Software without restriction, including without limitation the rights
24 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
25 * copies of the Software, and to permit persons to whom the Software is
26 * furnished to do so, subject to the following conditions:
27 *
28 * The above copyright notice and this permission notice shall be included in
29 * all copies or substantial portions of the Software.
30 *
31 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
32 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
33 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
34 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
35 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
36 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
37 * THE SOFTWARE.
38 */
39
40 #include <sys/socket.h>
41 #include <sys/utsname.h>
42 #include <linux/netlink.h>
43 #include <linux/rtnetlink.h>
44 #include <unistd.h>
45 #include <errno.h>
46 #include <net/if.h>
47
48 #include "kernel_netlink_net.h"
49 #include "kernel_netlink_shared.h"
50
51 #include <hydra.h>
52 #include <debug.h>
53 #include <threading/thread.h>
54 #include <threading/condvar.h>
55 #include <threading/mutex.h>
56 #include <utils/hashtable.h>
57 #include <utils/linked_list.h>
58 #include <processing/jobs/callback_job.h>
59
60 /** delay before firing roam events (ms) */
61 #define ROAM_DELAY 100
62
63 /** delay before reinstalling routes (ms) */
64 #define ROUTE_DELAY 100
65
66 typedef struct addr_entry_t addr_entry_t;
67
68 /**
69 * IP address in an inface_entry_t
70 */
71 struct addr_entry_t {
72
73 /** The ip address */
74 host_t *ip;
75
76 /** virtual IP managed by us */
77 bool virtual;
78
79 /** scope of the address */
80 u_char scope;
81
82 /** Number of times this IP is used, if virtual */
83 u_int refcount;
84 };
85
86 /**
87 * destroy a addr_entry_t object
88 */
89 static void addr_entry_destroy(addr_entry_t *this)
90 {
91 this->ip->destroy(this->ip);
92 free(this);
93 }
94
95 typedef struct iface_entry_t iface_entry_t;
96
97 /**
98 * A network interface on this system, containing addr_entry_t's
99 */
100 struct iface_entry_t {
101
102 /** interface index */
103 int ifindex;
104
105 /** name of the interface */
106 char ifname[IFNAMSIZ];
107
108 /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
109 u_int flags;
110
111 /** list of addresses as host_t */
112 linked_list_t *addrs;
113
114 /** TRUE if usable by config */
115 bool usable;
116 };
117
118 /**
119 * destroy an interface entry
120 */
121 static void iface_entry_destroy(iface_entry_t *this)
122 {
123 this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
124 free(this);
125 }
126
127 /**
128 * find an interface entry by index
129 */
130 static bool iface_entry_by_index(iface_entry_t *this, int *ifindex)
131 {
132 return this->ifindex == *ifindex;
133 }
134
135 /**
136 * check if an interface is up and usable
137 */
138 static inline bool iface_entry_up_and_usable(iface_entry_t *iface)
139 {
140 return iface->usable && (iface->flags & IFF_UP) == IFF_UP;
141 }
142
143 typedef struct route_entry_t route_entry_t;
144
145 /**
146 * Installed routing entry
147 */
148 struct route_entry_t {
149 /** Name of the interface the route is bound to */
150 char *if_name;
151
152 /** Source ip of the route */
153 host_t *src_ip;
154
155 /** Gateway for this route */
156 host_t *gateway;
157
158 /** Destination net */
159 chunk_t dst_net;
160
161 /** Destination net prefixlen */
162 u_int8_t prefixlen;
163 };
164
165 /**
166 * Clone a route_entry_t object.
167 */
168 static route_entry_t *route_entry_clone(route_entry_t *this)
169 {
170 route_entry_t *route;
171
172 INIT(route,
173 .if_name = strdup(this->if_name),
174 .src_ip = this->src_ip->clone(this->src_ip),
175 .gateway = this->gateway->clone(this->gateway),
176 .dst_net = chunk_clone(this->dst_net),
177 .prefixlen = this->prefixlen,
178 );
179 return route;
180 }
181
182 /**
183 * Destroy a route_entry_t object
184 */
185 static void route_entry_destroy(route_entry_t *this)
186 {
187 free(this->if_name);
188 DESTROY_IF(this->src_ip);
189 DESTROY_IF(this->gateway);
190 chunk_free(&this->dst_net);
191 free(this);
192 }
193
194 /**
195 * Hash a route_entry_t object
196 */
197 static u_int route_entry_hash(route_entry_t *this)
198 {
199 return chunk_hash_inc(chunk_from_thing(this->prefixlen),
200 chunk_hash(this->dst_net));
201 }
202
203 /**
204 * Compare two route_entry_t objects
205 */
206 static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
207 {
208 return a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
209 a->src_ip->ip_equals(a->src_ip, b->src_ip) &&
210 a->gateway->ip_equals(a->gateway, b->gateway) &&
211 chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen;
212 }
213
214 typedef struct net_change_t net_change_t;
215
216 /**
217 * Queued network changes
218 */
219 struct net_change_t {
220 /** Name of the interface that got activated (or an IP appeared on) */
221 char *if_name;
222 };
223
224 /**
225 * Destroy a net_change_t object
226 */
227 static void net_change_destroy(net_change_t *this)
228 {
229 free(this->if_name);
230 free(this);
231 }
232
233 /**
234 * Hash a net_change_t object
235 */
236 static u_int net_change_hash(net_change_t *this)
237 {
238 return chunk_hash(chunk_create(this->if_name, strlen(this->if_name)));
239 }
240
241 /**
242 * Compare two net_change_t objects
243 */
244 static bool net_change_equals(net_change_t *a, net_change_t *b)
245 {
246 return streq(a->if_name, b->if_name);
247 }
248
249 typedef struct private_kernel_netlink_net_t private_kernel_netlink_net_t;
250
251 /**
252 * Private variables and functions of kernel_netlink_net class.
253 */
254 struct private_kernel_netlink_net_t {
255 /**
256 * Public part of the kernel_netlink_net_t object.
257 */
258 kernel_netlink_net_t public;
259
260 /**
261 * mutex to lock access to various lists
262 */
263 mutex_t *mutex;
264
265 /**
266 * condition variable to signal virtual IP add/removal
267 */
268 condvar_t *condvar;
269
270 /**
271 * Cached list of interfaces and its addresses (iface_entry_t)
272 */
273 linked_list_t *ifaces;
274
275 /**
276 * netlink rt socket (routing)
277 */
278 netlink_socket_t *socket;
279
280 /**
281 * Netlink rt socket to receive address change events
282 */
283 int socket_events;
284
285 /**
286 * time of the last roam event
287 */
288 timeval_t last_roam;
289
290 /**
291 * routing table to install routes
292 */
293 int routing_table;
294
295 /**
296 * priority of used routing table
297 */
298 int routing_table_prio;
299
300 /**
301 * installed routes
302 */
303 hashtable_t *routes;
304
305 /**
306 * interface changes which may trigger route reinstallation
307 */
308 hashtable_t *net_changes;
309
310 /**
311 * mutex for route reinstallation triggers
312 */
313 mutex_t *net_changes_lock;
314
315 /**
316 * time of last route reinstallation
317 */
318 timeval_t last_route_reinstall;
319
320 /**
321 * whether to react to RTM_NEWROUTE or RTM_DELROUTE events
322 */
323 bool process_route;
324
325 /**
326 * whether to actually install virtual IPs
327 */
328 bool install_virtual_ip;
329
330 /**
331 * whether preferred source addresses can be specified for IPv6 routes
332 */
333 bool rta_prefsrc_for_ipv6;
334
335 /**
336 * list with routing tables to be excluded from route lookup
337 */
338 linked_list_t *rt_exclude;
339 };
340
341 /**
342 * Forward declaration
343 */
344 static status_t manage_srcroute(private_kernel_netlink_net_t *this,
345 int nlmsg_type, int flags, chunk_t dst_net,
346 u_int8_t prefixlen, host_t *gateway,
347 host_t *src_ip, char *if_name);
348
349 /**
350 * Clear the queued network changes.
351 */
352 static void net_changes_clear(private_kernel_netlink_net_t *this)
353 {
354 enumerator_t *enumerator;
355 net_change_t *change;
356
357 enumerator = this->net_changes->create_enumerator(this->net_changes);
358 while (enumerator->enumerate(enumerator, NULL, (void**)&change))
359 {
360 this->net_changes->remove_at(this->net_changes, enumerator);
361 net_change_destroy(change);
362 }
363 enumerator->destroy(enumerator);
364 }
365
366 /**
367 * Act upon queued network changes.
368 */
369 static job_requeue_t reinstall_routes(private_kernel_netlink_net_t *this)
370 {
371 enumerator_t *enumerator;
372 route_entry_t *route;
373
374 this->net_changes_lock->lock(this->net_changes_lock);
375 this->mutex->lock(this->mutex);
376
377 enumerator = this->routes->create_enumerator(this->routes);
378 while (enumerator->enumerate(enumerator, NULL, (void**)&route))
379 {
380 net_change_t *change, lookup = {
381 .if_name = route->if_name,
382 };
383 /* check if a change for the outgoing interface is queued */
384 change = this->net_changes->get(this->net_changes, &lookup);
385 if (!change)
386 { /* in case src_ip is not on the outgoing interface */
387 if (this->public.interface.get_interface(&this->public.interface,
388 route->src_ip, &lookup.if_name))
389 {
390 if (!streq(lookup.if_name, route->if_name))
391 {
392 change = this->net_changes->get(this->net_changes, &lookup);
393 }
394 free(lookup.if_name);
395 }
396 }
397 if (change)
398 {
399 manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
400 route->dst_net, route->prefixlen, route->gateway,
401 route->src_ip, route->if_name);
402 }
403 }
404 enumerator->destroy(enumerator);
405 this->mutex->unlock(this->mutex);
406
407 net_changes_clear(this);
408 this->net_changes_lock->unlock(this->net_changes_lock);
409 return JOB_REQUEUE_NONE;
410 }
411
412 /**
413 * Queue route reinstallation caused by network changes for a given interface.
414 *
415 * The route reinstallation is delayed for a while and only done once for
416 * several calls during this delay, in order to avoid doing it too often.
417 * The interface name is freed.
418 */
419 static void queue_route_reinstall(private_kernel_netlink_net_t *this,
420 char *if_name)
421 {
422 net_change_t *update, *found;
423 timeval_t now;
424 job_t *job;
425
426 INIT(update,
427 .if_name = if_name
428 );
429
430 this->net_changes_lock->lock(this->net_changes_lock);
431 found = this->net_changes->put(this->net_changes, update, update);
432 if (found)
433 {
434 net_change_destroy(found);
435 }
436 time_monotonic(&now);
437 if (timercmp(&now, &this->last_route_reinstall, >))
438 {
439 now.tv_usec += ROUTE_DELAY * 1000;
440 while (now.tv_usec > 1000000)
441 {
442 now.tv_sec++;
443 now.tv_usec -= 1000000;
444 }
445 this->last_route_reinstall = now;
446
447 job = (job_t*)callback_job_create((callback_job_cb_t)reinstall_routes,
448 this, NULL, NULL);
449 lib->scheduler->schedule_job_ms(lib->scheduler, job, ROUTE_DELAY);
450 }
451 this->net_changes_lock->unlock(this->net_changes_lock);
452 }
453
454 /**
455 * get the refcount of a virtual ip
456 */
457 static int get_vip_refcount(private_kernel_netlink_net_t *this, host_t* ip)
458 {
459 enumerator_t *ifaces, *addrs;
460 iface_entry_t *iface;
461 addr_entry_t *addr;
462 int refcount = 0;
463
464 ifaces = this->ifaces->create_enumerator(this->ifaces);
465 while (ifaces->enumerate(ifaces, (void**)&iface))
466 {
467 addrs = iface->addrs->create_enumerator(iface->addrs);
468 while (addrs->enumerate(addrs, (void**)&addr))
469 {
470 if (addr->virtual && (iface->flags & IFF_UP) &&
471 ip->ip_equals(ip, addr->ip))
472 {
473 refcount = addr->refcount;
474 break;
475 }
476 }
477 addrs->destroy(addrs);
478 if (refcount)
479 {
480 break;
481 }
482 }
483 ifaces->destroy(ifaces);
484
485 return refcount;
486 }
487
488 /**
489 * get the first non-virtual ip address on the given interface.
490 * if a candidate address is given, we first search for that address and if not
491 * found return the address as above.
492 * returned host is a clone, has to be freed by caller.
493 */
494 static host_t *get_interface_address(private_kernel_netlink_net_t *this,
495 int ifindex, int family, host_t *candidate)
496 {
497 enumerator_t *ifaces, *addrs;
498 iface_entry_t *iface;
499 addr_entry_t *addr;
500 host_t *ip = NULL;
501
502 this->mutex->lock(this->mutex);
503 ifaces = this->ifaces->create_enumerator(this->ifaces);
504 while (ifaces->enumerate(ifaces, &iface))
505 {
506 if (iface->ifindex == ifindex)
507 {
508 if (!iface->usable)
509 { /* ignore interfaces excluded by config */
510 break;
511 }
512 addrs = iface->addrs->create_enumerator(iface->addrs);
513 while (addrs->enumerate(addrs, &addr))
514 {
515 if (addr->virtual)
516 {
517 continue;
518 }
519 if (addr->ip->get_family(addr->ip) == family)
520 {
521 if (!candidate || candidate->ip_equals(candidate, addr->ip))
522 { /* stop at the first address if we don't search for a
523 * candidate or if the candidate matches */
524 ip = addr->ip;
525 break;
526 }
527 else if (!ip)
528 { /* store the first address as fallback if candidate is
529 * not found */
530 ip = addr->ip;
531 }
532 }
533 }
534 addrs->destroy(addrs);
535 break;
536 }
537 }
538 ifaces->destroy(ifaces);
539 if (ip)
540 {
541 ip = ip->clone(ip);
542 }
543 this->mutex->unlock(this->mutex);
544 return ip;
545 }
546
547 /**
548 * callback function that raises the delayed roam event
549 */
550 static job_requeue_t roam_event(uintptr_t address)
551 {
552 hydra->kernel_interface->roam(hydra->kernel_interface, address != 0);
553 return JOB_REQUEUE_NONE;
554 }
555
556 /**
557 * fire a roaming event. we delay it for a bit and fire only one event
558 * for multiple calls. otherwise we would create too many events.
559 */
560 static void fire_roam_event(private_kernel_netlink_net_t *this, bool address)
561 {
562 timeval_t now;
563 job_t *job;
564
565 time_monotonic(&now);
566 if (timercmp(&now, &this->last_roam, >))
567 {
568 now.tv_usec += ROAM_DELAY * 1000;
569 while (now.tv_usec > 1000000)
570 {
571 now.tv_sec++;
572 now.tv_usec -= 1000000;
573 }
574 this->last_roam = now;
575
576 job = (job_t*)callback_job_create((callback_job_cb_t)roam_event,
577 (void*)(uintptr_t)(address ? 1 : 0),
578 NULL, NULL);
579 lib->scheduler->schedule_job_ms(lib->scheduler, job, ROAM_DELAY);
580 }
581 }
582
583 /**
584 * check if an interface with a given index is up and usable
585 */
586 static bool is_interface_up_and_usable(private_kernel_netlink_net_t *this,
587 int index)
588 {
589 iface_entry_t *iface;
590
591 if (this->ifaces->find_first(this->ifaces, (void*)iface_entry_by_index,
592 (void**)&iface, &index) == SUCCESS)
593 {
594 return iface_entry_up_and_usable(iface);
595 }
596 return FALSE;
597 }
598
599 /**
600 * process RTM_NEWLINK/RTM_DELLINK from kernel
601 */
602 static void process_link(private_kernel_netlink_net_t *this,
603 struct nlmsghdr *hdr, bool event)
604 {
605 struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
606 struct rtattr *rta = IFLA_RTA(msg);
607 size_t rtasize = IFLA_PAYLOAD (hdr);
608 enumerator_t *enumerator;
609 iface_entry_t *current, *entry = NULL;
610 char *name = NULL;
611 bool update = FALSE, update_routes = FALSE;
612
613 while (RTA_OK(rta, rtasize))
614 {
615 switch (rta->rta_type)
616 {
617 case IFLA_IFNAME:
618 name = RTA_DATA(rta);
619 break;
620 }
621 rta = RTA_NEXT(rta, rtasize);
622 }
623 if (!name)
624 {
625 name = "(unknown)";
626 }
627
628 this->mutex->lock(this->mutex);
629 switch (hdr->nlmsg_type)
630 {
631 case RTM_NEWLINK:
632 {
633 enumerator = this->ifaces->create_enumerator(this->ifaces);
634 while (enumerator->enumerate(enumerator, &current))
635 {
636 if (current->ifindex == msg->ifi_index)
637 {
638 entry = current;
639 break;
640 }
641 }
642 enumerator->destroy(enumerator);
643 if (!entry)
644 {
645 entry = malloc_thing(iface_entry_t);
646 entry->ifindex = msg->ifi_index;
647 entry->flags = 0;
648 entry->usable = hydra->kernel_interface->is_interface_usable(
649 hydra->kernel_interface, name);
650 entry->addrs = linked_list_create();
651 this->ifaces->insert_last(this->ifaces, entry);
652 }
653 strncpy(entry->ifname, name, IFNAMSIZ);
654 entry->ifname[IFNAMSIZ-1] = '\0';
655 if (event && entry->usable)
656 {
657 if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
658 {
659 update = update_routes = TRUE;
660 DBG1(DBG_KNL, "interface %s activated", name);
661 }
662 if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
663 {
664 update = TRUE;
665 DBG1(DBG_KNL, "interface %s deactivated", name);
666 }
667 }
668 entry->flags = msg->ifi_flags;
669 break;
670 }
671 case RTM_DELLINK:
672 {
673 enumerator = this->ifaces->create_enumerator(this->ifaces);
674 while (enumerator->enumerate(enumerator, &current))
675 {
676 if (current->ifindex == msg->ifi_index)
677 {
678 if (event && current->usable)
679 {
680 update = TRUE;
681 DBG1(DBG_KNL, "interface %s deleted", current->ifname);
682 }
683 this->ifaces->remove_at(this->ifaces, enumerator);
684 iface_entry_destroy(current);
685 break;
686 }
687 }
688 enumerator->destroy(enumerator);
689 break;
690 }
691 }
692 this->mutex->unlock(this->mutex);
693
694 if (update_routes && event)
695 {
696 queue_route_reinstall(this, strdup(name));
697 }
698
699 /* send an update to all IKE_SAs */
700 if (update && event)
701 {
702 fire_roam_event(this, TRUE);
703 }
704 }
705
706 /**
707 * process RTM_NEWADDR/RTM_DELADDR from kernel
708 */
709 static void process_addr(private_kernel_netlink_net_t *this,
710 struct nlmsghdr *hdr, bool event)
711 {
712 struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
713 struct rtattr *rta = IFA_RTA(msg);
714 size_t rtasize = IFA_PAYLOAD (hdr);
715 host_t *host = NULL;
716 enumerator_t *ifaces, *addrs;
717 iface_entry_t *iface;
718 addr_entry_t *addr;
719 chunk_t local = chunk_empty, address = chunk_empty;
720 char *route_ifname = NULL;
721 bool update = FALSE, found = FALSE, changed = FALSE;
722
723 while (RTA_OK(rta, rtasize))
724 {
725 switch (rta->rta_type)
726 {
727 case IFA_LOCAL:
728 local.ptr = RTA_DATA(rta);
729 local.len = RTA_PAYLOAD(rta);
730 break;
731 case IFA_ADDRESS:
732 address.ptr = RTA_DATA(rta);
733 address.len = RTA_PAYLOAD(rta);
734 break;
735 }
736 rta = RTA_NEXT(rta, rtasize);
737 }
738
739 /* For PPP interfaces, we need the IFA_LOCAL address,
740 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
741 * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
742 if (local.ptr)
743 {
744 host = host_create_from_chunk(msg->ifa_family, local, 0);
745 }
746 else if (address.ptr)
747 {
748 host = host_create_from_chunk(msg->ifa_family, address, 0);
749 }
750
751 if (host == NULL)
752 { /* bad family? */
753 return;
754 }
755
756 this->mutex->lock(this->mutex);
757 ifaces = this->ifaces->create_enumerator(this->ifaces);
758 while (ifaces->enumerate(ifaces, &iface))
759 {
760 if (iface->ifindex == msg->ifa_index)
761 {
762 addrs = iface->addrs->create_enumerator(iface->addrs);
763 while (addrs->enumerate(addrs, &addr))
764 {
765 if (host->ip_equals(host, addr->ip))
766 {
767 found = TRUE;
768 if (hdr->nlmsg_type == RTM_DELADDR)
769 {
770 iface->addrs->remove_at(iface->addrs, addrs);
771 if (!addr->virtual && iface->usable)
772 {
773 changed = TRUE;
774 DBG1(DBG_KNL, "%H disappeared from %s",
775 host, iface->ifname);
776 }
777 addr_entry_destroy(addr);
778 }
779 else if (hdr->nlmsg_type == RTM_NEWADDR && addr->virtual)
780 {
781 addr->refcount = 1;
782 }
783 }
784 }
785 addrs->destroy(addrs);
786
787 if (hdr->nlmsg_type == RTM_NEWADDR)
788 {
789 if (!found)
790 {
791 found = TRUE;
792 changed = TRUE;
793 route_ifname = strdup(iface->ifname);
794 addr = malloc_thing(addr_entry_t);
795 addr->ip = host->clone(host);
796 addr->virtual = FALSE;
797 addr->refcount = 1;
798 addr->scope = msg->ifa_scope;
799
800 iface->addrs->insert_last(iface->addrs, addr);
801 if (event && iface->usable)
802 {
803 DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
804 }
805 }
806 }
807 if (found && (iface->flags & IFF_UP))
808 {
809 update = TRUE;
810 }
811 if (!iface->usable)
812 { /* ignore events for interfaces excluded by config */
813 update = changed = FALSE;
814 }
815 break;
816 }
817 }
818 ifaces->destroy(ifaces);
819 this->mutex->unlock(this->mutex);
820
821 if (update && event && route_ifname)
822 {
823 queue_route_reinstall(this, route_ifname);
824 }
825 else
826 {
827 free(route_ifname);
828 }
829 host->destroy(host);
830
831 /* send an update to all IKE_SAs */
832 if (update && event && changed)
833 {
834 fire_roam_event(this, TRUE);
835 }
836 }
837
838 /**
839 * process RTM_NEWROUTE and RTM_DELROUTE from kernel
840 */
841 static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *hdr)
842 {
843 struct rtmsg* msg = (struct rtmsg*)(NLMSG_DATA(hdr));
844 struct rtattr *rta = RTM_RTA(msg);
845 size_t rtasize = RTM_PAYLOAD(hdr);
846 u_int32_t rta_oif = 0;
847 host_t *host = NULL;
848
849 /* ignore routes added by us or in the local routing table (local addrs) */
850 if (msg->rtm_table && (msg->rtm_table == this->routing_table ||
851 msg->rtm_table == RT_TABLE_LOCAL))
852 {
853 return;
854 }
855 else if (msg->rtm_flags & RTM_F_CLONED)
856 { /* ignore cached routes, seem to be created a lot for IPv6 */
857 return;
858 }
859
860 while (RTA_OK(rta, rtasize))
861 {
862 switch (rta->rta_type)
863 {
864 case RTA_PREFSRC:
865 DESTROY_IF(host);
866 host = host_create_from_chunk(msg->rtm_family,
867 chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)), 0);
868 break;
869 case RTA_OIF:
870 if (RTA_PAYLOAD(rta) == sizeof(rta_oif))
871 {
872 rta_oif = *(u_int32_t*)RTA_DATA(rta);
873 }
874 break;
875 }
876 rta = RTA_NEXT(rta, rtasize);
877 }
878 this->mutex->lock(this->mutex);
879 if (rta_oif && !is_interface_up_and_usable(this, rta_oif))
880 { /* ignore route changes for interfaces that are ignored or down */
881 this->mutex->unlock(this->mutex);
882 DESTROY_IF(host);
883 return;
884 }
885 if (!host && rta_oif)
886 {
887 host = get_interface_address(this, rta_oif, msg->rtm_family, NULL);
888 }
889 if (host)
890 {
891 if (!get_vip_refcount(this, host))
892 { /* ignore routes added for virtual IPs */
893 fire_roam_event(this, FALSE);
894 }
895 host->destroy(host);
896 }
897 this->mutex->unlock(this->mutex);
898 }
899
900 /**
901 * Receives events from kernel
902 */
903 static job_requeue_t receive_events(private_kernel_netlink_net_t *this)
904 {
905 char response[1024];
906 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
907 struct sockaddr_nl addr;
908 socklen_t addr_len = sizeof(addr);
909 int len;
910 bool oldstate;
911
912 oldstate = thread_cancelability(TRUE);
913 len = recvfrom(this->socket_events, response, sizeof(response), 0,
914 (struct sockaddr*)&addr, &addr_len);
915 thread_cancelability(oldstate);
916
917 if (len < 0)
918 {
919 switch (errno)
920 {
921 case EINTR:
922 /* interrupted, try again */
923 return JOB_REQUEUE_DIRECT;
924 case EAGAIN:
925 /* no data ready, select again */
926 return JOB_REQUEUE_DIRECT;
927 default:
928 DBG1(DBG_KNL, "unable to receive from rt event socket");
929 sleep(1);
930 return JOB_REQUEUE_FAIR;
931 }
932 }
933
934 if (addr.nl_pid != 0)
935 { /* not from kernel. not interested, try another one */
936 return JOB_REQUEUE_DIRECT;
937 }
938
939 while (NLMSG_OK(hdr, len))
940 {
941 /* looks good so far, dispatch netlink message */
942 switch (hdr->nlmsg_type)
943 {
944 case RTM_NEWADDR:
945 case RTM_DELADDR:
946 process_addr(this, hdr, TRUE);
947 this->condvar->broadcast(this->condvar);
948 break;
949 case RTM_NEWLINK:
950 case RTM_DELLINK:
951 process_link(this, hdr, TRUE);
952 this->condvar->broadcast(this->condvar);
953 break;
954 case RTM_NEWROUTE:
955 case RTM_DELROUTE:
956 if (this->process_route)
957 {
958 process_route(this, hdr);
959 }
960 break;
961 default:
962 break;
963 }
964 hdr = NLMSG_NEXT(hdr, len);
965 }
966 return JOB_REQUEUE_DIRECT;
967 }
968
969 /** enumerator over addresses */
970 typedef struct {
971 private_kernel_netlink_net_t* this;
972 /** whether to enumerate down interfaces */
973 bool include_down_ifaces;
974 /** whether to enumerate virtual ip addresses */
975 bool include_virtual_ips;
976 /** whether to enumerate loopback interfaces */
977 bool include_loopback;
978 } address_enumerator_t;
979
980 /**
981 * cleanup function for address enumerator
982 */
983 static void address_enumerator_destroy(address_enumerator_t *data)
984 {
985 data->this->mutex->unlock(data->this->mutex);
986 free(data);
987 }
988
989 /**
990 * filter for addresses
991 */
992 static bool filter_addresses(address_enumerator_t *data,
993 addr_entry_t** in, host_t** out)
994 {
995 if (!data->include_virtual_ips && (*in)->virtual)
996 { /* skip virtual interfaces added by us */
997 return FALSE;
998 }
999 if ((*in)->scope >= RT_SCOPE_LINK)
1000 { /* skip addresses with a unusable scope */
1001 return FALSE;
1002 }
1003 *out = (*in)->ip;
1004 return TRUE;
1005 }
1006
1007 /**
1008 * enumerator constructor for interfaces
1009 */
1010 static enumerator_t *create_iface_enumerator(iface_entry_t *iface,
1011 address_enumerator_t *data)
1012 {
1013 return enumerator_create_filter(
1014 iface->addrs->create_enumerator(iface->addrs),
1015 (void*)filter_addresses, data, NULL);
1016 }
1017
1018 /**
1019 * filter for interfaces
1020 */
1021 static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in,
1022 iface_entry_t** out)
1023 {
1024 if (!(*in)->usable)
1025 { /* skip interfaces excluded by config */
1026 return FALSE;
1027 }
1028 if (!data->include_loopback && ((*in)->flags & IFF_LOOPBACK))
1029 { /* ignore loopback devices */
1030 return FALSE;
1031 }
1032 if (!data->include_down_ifaces && !((*in)->flags & IFF_UP))
1033 { /* skip interfaces not up */
1034 return FALSE;
1035 }
1036 *out = *in;
1037 return TRUE;
1038 }
1039
1040 METHOD(kernel_net_t, create_address_enumerator, enumerator_t*,
1041 private_kernel_netlink_net_t *this,
1042 bool include_down_ifaces, bool include_virtual_ips, bool include_loopback)
1043 {
1044 address_enumerator_t *data = malloc_thing(address_enumerator_t);
1045 data->this = this;
1046 data->include_down_ifaces = include_down_ifaces;
1047 data->include_virtual_ips = include_virtual_ips;
1048 data->include_loopback = include_loopback;
1049
1050 this->mutex->lock(this->mutex);
1051 return enumerator_create_nested(
1052 enumerator_create_filter(
1053 this->ifaces->create_enumerator(this->ifaces),
1054 (void*)filter_interfaces, data, NULL),
1055 (void*)create_iface_enumerator, data,
1056 (void*)address_enumerator_destroy);
1057 }
1058
1059 METHOD(kernel_net_t, get_interface_name, bool,
1060 private_kernel_netlink_net_t *this, host_t* ip, char **name)
1061 {
1062 enumerator_t *ifaces, *addrs;
1063 iface_entry_t *iface;
1064 addr_entry_t *addr;
1065 bool found = FALSE, ignored = FALSE;
1066
1067 if (ip->is_anyaddr(ip))
1068 {
1069 return FALSE;
1070 }
1071
1072 this->mutex->lock(this->mutex);
1073 ifaces = this->ifaces->create_enumerator(this->ifaces);
1074 while (ifaces->enumerate(ifaces, &iface))
1075 {
1076 addrs = iface->addrs->create_enumerator(iface->addrs);
1077 while (addrs->enumerate(addrs, &addr))
1078 {
1079 if (ip->ip_equals(ip, addr->ip))
1080 {
1081 found = TRUE;
1082 if (!iface->usable)
1083 {
1084 ignored = TRUE;
1085 break;
1086 }
1087 if (name)
1088 {
1089 *name = strdup(iface->ifname);
1090 }
1091 break;
1092 }
1093 }
1094 addrs->destroy(addrs);
1095 if (found)
1096 {
1097 break;
1098 }
1099 }
1100 ifaces->destroy(ifaces);
1101 this->mutex->unlock(this->mutex);
1102
1103 if (!ignored)
1104 {
1105 if (!found)
1106 {
1107 DBG2(DBG_KNL, "%H is not a local address", ip);
1108 }
1109 else if (name)
1110 {
1111 DBG2(DBG_KNL, "%H is on interface %s", ip, *name);
1112 }
1113 }
1114 return found && !ignored;
1115 }
1116
1117 /**
1118 * get the index of an interface by name
1119 */
1120 static int get_interface_index(private_kernel_netlink_net_t *this, char* name)
1121 {
1122 enumerator_t *ifaces;
1123 iface_entry_t *iface;
1124 int ifindex = 0;
1125
1126 DBG2(DBG_KNL, "getting iface index for %s", name);
1127
1128 this->mutex->lock(this->mutex);
1129 ifaces = this->ifaces->create_enumerator(this->ifaces);
1130 while (ifaces->enumerate(ifaces, &iface))
1131 {
1132 if (streq(name, iface->ifname))
1133 {
1134 ifindex = iface->ifindex;
1135 break;
1136 }
1137 }
1138 ifaces->destroy(ifaces);
1139 this->mutex->unlock(this->mutex);
1140
1141 if (ifindex == 0)
1142 {
1143 DBG1(DBG_KNL, "unable to get interface index for %s", name);
1144 }
1145 return ifindex;
1146 }
1147
1148 /**
1149 * check if an address (chunk) addr is in subnet (net with net_len net bits)
1150 */
1151 static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
1152 {
1153 static const u_char mask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
1154 int byte = 0;
1155
1156 if (net_len == 0)
1157 { /* any address matches a /0 network */
1158 return TRUE;
1159 }
1160 if (addr.len != net.len || net_len > 8 * net.len )
1161 {
1162 return FALSE;
1163 }
1164 /* scan through all bytes in network order */
1165 while (net_len > 0)
1166 {
1167 if (net_len < 8)
1168 {
1169 return (mask[net_len] & addr.ptr[byte]) == (mask[net_len] & net.ptr[byte]);
1170 }
1171 else
1172 {
1173 if (addr.ptr[byte] != net.ptr[byte])
1174 {
1175 return FALSE;
1176 }
1177 byte++;
1178 net_len -= 8;
1179 }
1180 }
1181 return TRUE;
1182 }
1183
1184 /**
1185 * Store information about a route retrieved via RTNETLINK
1186 */
1187 typedef struct {
1188 chunk_t gtw;
1189 chunk_t src;
1190 chunk_t dst;
1191 host_t *src_host;
1192 u_int8_t dst_len;
1193 u_int32_t table;
1194 u_int32_t oif;
1195 } rt_entry_t;
1196
1197 /**
1198 * Free a route entry
1199 */
1200 static void rt_entry_destroy(rt_entry_t *this)
1201 {
1202 DESTROY_IF(this->src_host);
1203 free(this);
1204 }
1205
1206 /**
1207 * Parse route received with RTM_NEWROUTE. The given rt_entry_t object will be
1208 * reused if not NULL.
1209 *
1210 * Returned chunks point to internal data of the Netlink message.
1211 */
1212 static rt_entry_t *parse_route(struct nlmsghdr *hdr, rt_entry_t *route)
1213 {
1214 struct rtattr *rta;
1215 struct rtmsg *msg;
1216 size_t rtasize;
1217
1218 msg = (struct rtmsg*)(NLMSG_DATA(hdr));
1219 rta = RTM_RTA(msg);
1220 rtasize = RTM_PAYLOAD(hdr);
1221
1222 if (route)
1223 {
1224 route->gtw = chunk_empty;
1225 route->src = chunk_empty;
1226 route->dst = chunk_empty;
1227 route->dst_len = msg->rtm_dst_len;
1228 route->table = msg->rtm_table;
1229 route->oif = 0;
1230 }
1231 else
1232 {
1233 INIT(route,
1234 .dst_len = msg->rtm_dst_len,
1235 .table = msg->rtm_table,
1236 );
1237 }
1238
1239 while (RTA_OK(rta, rtasize))
1240 {
1241 switch (rta->rta_type)
1242 {
1243 case RTA_PREFSRC:
1244 route->src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1245 break;
1246 case RTA_GATEWAY:
1247 route->gtw = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1248 break;
1249 case RTA_DST:
1250 route->dst = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1251 break;
1252 case RTA_OIF:
1253 if (RTA_PAYLOAD(rta) == sizeof(route->oif))
1254 {
1255 route->oif = *(u_int32_t*)RTA_DATA(rta);
1256 }
1257 break;
1258 #ifdef HAVE_RTA_TABLE
1259 case RTA_TABLE:
1260 if (RTA_PAYLOAD(rta) == sizeof(route->table))
1261 {
1262 route->table = *(u_int32_t*)RTA_DATA(rta);
1263 }
1264 break;
1265 #endif /* HAVE_RTA_TABLE*/
1266 }
1267 rta = RTA_NEXT(rta, rtasize);
1268 }
1269 return route;
1270 }
1271
1272 /**
1273 * Get a route: If "nexthop", the nexthop is returned. source addr otherwise.
1274 */
1275 static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
1276 bool nexthop, host_t *candidate)
1277 {
1278 netlink_buf_t request;
1279 struct nlmsghdr *hdr, *out, *current;
1280 struct rtmsg *msg;
1281 chunk_t chunk;
1282 size_t len;
1283 linked_list_t *routes;
1284 rt_entry_t *route = NULL, *best = NULL;
1285 enumerator_t *enumerator;
1286 host_t *addr = NULL;
1287
1288 memset(&request, 0, sizeof(request));
1289
1290 hdr = (struct nlmsghdr*)request;
1291 hdr->nlmsg_flags = NLM_F_REQUEST;
1292 if (dest->get_family(dest) == AF_INET || this->rta_prefsrc_for_ipv6 ||
1293 this->routing_table)
1294 { /* kernels prior to 3.0 do not support RTA_PREFSRC for IPv6 routes.
1295 * as we want to ignore routes with virtual IPs we cannot use DUMP
1296 * if these routes are not installed in a separate table */
1297 hdr->nlmsg_flags |= NLM_F_DUMP;
1298 }
1299 hdr->nlmsg_type = RTM_GETROUTE;
1300 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1301
1302 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1303 msg->rtm_family = dest->get_family(dest);
1304 if (candidate)
1305 {
1306 chunk = candidate->get_address(candidate);
1307 netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
1308 }
1309 chunk = dest->get_address(dest);
1310 netlink_add_attribute(hdr, RTA_DST, chunk, sizeof(request));
1311
1312 if (this->socket->send(this->socket, hdr, &out, &len) != SUCCESS)
1313 {
1314 DBG2(DBG_KNL, "getting %s to reach %H failed",
1315 nexthop ? "nexthop" : "address", dest);
1316 return NULL;
1317 }
1318 routes = linked_list_create();
1319 this->mutex->lock(this->mutex);
1320
1321 for (current = out; NLMSG_OK(current, len);
1322 current = NLMSG_NEXT(current, len))
1323 {
1324 switch (current->nlmsg_type)
1325 {
1326 case NLMSG_DONE:
1327 break;
1328 case RTM_NEWROUTE:
1329 {
1330 rt_entry_t *other;
1331 uintptr_t table;
1332
1333 route = parse_route(current, route);
1334
1335 table = (uintptr_t)route->table;
1336 if (this->rt_exclude->find_first(this->rt_exclude, NULL,
1337 (void**)&table) == SUCCESS)
1338 { /* route is from an excluded routing table */
1339 continue;
1340 }
1341 if (this->routing_table != 0 &&
1342 route->table == this->routing_table)
1343 { /* route is from our own ipsec routing table */
1344 continue;
1345 }
1346 if (route->oif && !is_interface_up_and_usable(this, route->oif))
1347 { /* interface is down */
1348 continue;
1349 }
1350 if (!addr_in_subnet(chunk, route->dst, route->dst_len))
1351 { /* route destination does not contain dest */
1352 continue;
1353 }
1354 if (route->src.ptr)
1355 { /* verify source address, if any */
1356 host_t *src = host_create_from_chunk(msg->rtm_family,
1357 route->src, 0);
1358 if (src && get_vip_refcount(this, src))
1359 { /* ignore routes installed by us */
1360 src->destroy(src);
1361 continue;
1362 }
1363 route->src_host = src;
1364 }
1365 /* insert route, sorted by decreasing network prefix */
1366 enumerator = routes->create_enumerator(routes);
1367 while (enumerator->enumerate(enumerator, &other))
1368 {
1369 if (route->dst_len > other->dst_len)
1370 {
1371 break;
1372 }
1373 }
1374 routes->insert_before(routes, enumerator, route);
1375 enumerator->destroy(enumerator);
1376 route = NULL;
1377 continue;
1378 }
1379 default:
1380 continue;
1381 }
1382 break;
1383 }
1384 if (route)
1385 {
1386 rt_entry_destroy(route);
1387 }
1388
1389 /* now we have a list of routes matching dest, sorted by net prefix.
1390 * we will look for source addresses for these routes and select the one
1391 * with the preferred source address, if possible */
1392 enumerator = routes->create_enumerator(routes);
1393 while (enumerator->enumerate(enumerator, &route))
1394 {
1395 if (route->src_host)
1396 { /* got a source address with the route, if no preferred source
1397 * is given or it matches we are done, as this is the best route */
1398 if (!candidate || candidate->ip_equals(candidate, route->src_host))
1399 {
1400 best = route;
1401 break;
1402 }
1403 else if (route->oif)
1404 { /* no match yet, maybe it is assigned to the same interface */
1405 host_t *src = get_interface_address(this, route->oif,
1406 msg->rtm_family, candidate);
1407 if (src && src->ip_equals(src, candidate))
1408 {
1409 route->src_host->destroy(route->src_host);
1410 route->src_host = src;
1411 best = route;
1412 break;
1413 }
1414 DESTROY_IF(src);
1415 }
1416 /* no luck yet with the source address. if this is the best (first)
1417 * route we store it as fallback in case we don't find a route with
1418 * the preferred source */
1419 best = best ?: route;
1420 continue;
1421 }
1422 if (route->oif)
1423 { /* no src, but an interface - get address from it */
1424 route->src_host = get_interface_address(this, route->oif,
1425 msg->rtm_family, candidate);
1426 if (route->src_host)
1427 { /* we handle this address the same as the one above */
1428 if (!candidate ||
1429 candidate->ip_equals(candidate, route->src_host))
1430 {
1431 best = route;
1432 break;
1433 }
1434 best = best ?: route;
1435 continue;
1436 }
1437 }
1438 if (route->gtw.ptr)
1439 { /* no src, no iface, but a gateway - lookup src to reach gtw */
1440 host_t *gtw;
1441
1442 gtw = host_create_from_chunk(msg->rtm_family, route->gtw, 0);
1443 route->src_host = get_route(this, gtw, FALSE, candidate);
1444 gtw->destroy(gtw);
1445 if (route->src_host)
1446 { /* more of the same */
1447 if (!candidate ||
1448 candidate->ip_equals(candidate, route->src_host))
1449 {
1450 best = route;
1451 break;
1452 }
1453 best = best ?: route;
1454 }
1455 }
1456 }
1457 enumerator->destroy(enumerator);
1458
1459 if (nexthop)
1460 { /* nexthop lookup, return gateway if any */
1461 if (best || routes->get_first(routes, (void**)&best) == SUCCESS)
1462 {
1463 addr = host_create_from_chunk(msg->rtm_family, best->gtw, 0);
1464 }
1465 addr = addr ?: dest->clone(dest);
1466 }
1467 else
1468 {
1469 if (best)
1470 {
1471 addr = best->src_host->clone(best->src_host);
1472 }
1473 }
1474 this->mutex->unlock(this->mutex);
1475 routes->destroy_function(routes, (void*)rt_entry_destroy);
1476 free(out);
1477
1478 if (addr)
1479 {
1480 DBG2(DBG_KNL, "using %H as %s to reach %H", addr,
1481 nexthop ? "nexthop" : "address", dest);
1482 }
1483 else
1484 {
1485 DBG2(DBG_KNL, "no %s found to reach %H",
1486 nexthop ? "nexthop" : "address", dest);
1487 }
1488 return addr;
1489 }
1490
1491 METHOD(kernel_net_t, get_source_addr, host_t*,
1492 private_kernel_netlink_net_t *this, host_t *dest, host_t *src)
1493 {
1494 return get_route(this, dest, FALSE, src);
1495 }
1496
1497 METHOD(kernel_net_t, get_nexthop, host_t*,
1498 private_kernel_netlink_net_t *this, host_t *dest, host_t *src)
1499 {
1500 return get_route(this, dest, TRUE, src);
1501 }
1502
1503 /**
1504 * Manages the creation and deletion of ip addresses on an interface.
1505 * By setting the appropriate nlmsg_type, the ip will be set or unset.
1506 */
1507 static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type,
1508 int flags, int if_index, host_t *ip)
1509 {
1510 netlink_buf_t request;
1511 struct nlmsghdr *hdr;
1512 struct ifaddrmsg *msg;
1513 chunk_t chunk;
1514
1515 memset(&request, 0, sizeof(request));
1516
1517 chunk = ip->get_address(ip);
1518
1519 hdr = (struct nlmsghdr*)request;
1520 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1521 hdr->nlmsg_type = nlmsg_type;
1522 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
1523
1524 msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
1525 msg->ifa_family = ip->get_family(ip);
1526 msg->ifa_flags = 0;
1527 msg->ifa_prefixlen = 8 * chunk.len;
1528 msg->ifa_scope = RT_SCOPE_UNIVERSE;
1529 msg->ifa_index = if_index;
1530
1531 netlink_add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
1532
1533 return this->socket->send_ack(this->socket, hdr);
1534 }
1535
1536 METHOD(kernel_net_t, add_ip, status_t,
1537 private_kernel_netlink_net_t *this, host_t *virtual_ip, host_t *iface_ip)
1538 {
1539 iface_entry_t *iface;
1540 addr_entry_t *addr;
1541 enumerator_t *addrs, *ifaces;
1542 int ifindex;
1543
1544 if (!this->install_virtual_ip)
1545 { /* disabled by config */
1546 return SUCCESS;
1547 }
1548
1549 DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
1550
1551 this->mutex->lock(this->mutex);
1552 ifaces = this->ifaces->create_enumerator(this->ifaces);
1553 while (ifaces->enumerate(ifaces, &iface))
1554 {
1555 bool iface_found = FALSE;
1556
1557 addrs = iface->addrs->create_enumerator(iface->addrs);
1558 while (addrs->enumerate(addrs, &addr))
1559 {
1560 if (iface_ip->ip_equals(iface_ip, addr->ip))
1561 {
1562 iface_found = TRUE;
1563 }
1564 else if (virtual_ip->ip_equals(virtual_ip, addr->ip))
1565 {
1566 addr->refcount++;
1567 DBG2(DBG_KNL, "virtual IP %H already installed on %s",
1568 virtual_ip, iface->ifname);
1569 addrs->destroy(addrs);
1570 ifaces->destroy(ifaces);
1571 this->mutex->unlock(this->mutex);
1572 return SUCCESS;
1573 }
1574 }
1575 addrs->destroy(addrs);
1576
1577 if (iface_found)
1578 {
1579 ifindex = iface->ifindex;
1580 addr = malloc_thing(addr_entry_t);
1581 addr->ip = virtual_ip->clone(virtual_ip);
1582 addr->refcount = 0;
1583 addr->virtual = TRUE;
1584 addr->scope = RT_SCOPE_UNIVERSE;
1585 iface->addrs->insert_last(iface->addrs, addr);
1586
1587 if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
1588 ifindex, virtual_ip) == SUCCESS)
1589 {
1590 while (get_vip_refcount(this, virtual_ip) == 0)
1591 { /* wait until address appears */
1592 this->condvar->wait(this->condvar, this->mutex);
1593 }
1594 ifaces->destroy(ifaces);
1595 this->mutex->unlock(this->mutex);
1596 return SUCCESS;
1597 }
1598 ifaces->destroy(ifaces);
1599 this->mutex->unlock(this->mutex);
1600 DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
1601 return FAILED;
1602 }
1603 }
1604 ifaces->destroy(ifaces);
1605 this->mutex->unlock(this->mutex);
1606
1607 DBG1(DBG_KNL, "interface address %H not found, unable to install"
1608 "virtual IP %H", iface_ip, virtual_ip);
1609 return FAILED;
1610 }
1611
1612 METHOD(kernel_net_t, del_ip, status_t,
1613 private_kernel_netlink_net_t *this, host_t *virtual_ip)
1614 {
1615 iface_entry_t *iface;
1616 addr_entry_t *addr;
1617 enumerator_t *addrs, *ifaces;
1618 status_t status;
1619 int ifindex;
1620
1621 if (!this->install_virtual_ip)
1622 { /* disabled by config */
1623 return SUCCESS;
1624 }
1625
1626 DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
1627
1628 this->mutex->lock(this->mutex);
1629 ifaces = this->ifaces->create_enumerator(this->ifaces);
1630 while (ifaces->enumerate(ifaces, &iface))
1631 {
1632 addrs = iface->addrs->create_enumerator(iface->addrs);
1633 while (addrs->enumerate(addrs, &addr))
1634 {
1635 if (virtual_ip->ip_equals(virtual_ip, addr->ip))
1636 {
1637 ifindex = iface->ifindex;
1638 if (addr->refcount == 1)
1639 {
1640 status = manage_ipaddr(this, RTM_DELADDR, 0,
1641 ifindex, virtual_ip);
1642 if (status == SUCCESS)
1643 { /* wait until the address is really gone */
1644 while (get_vip_refcount(this, virtual_ip) > 0)
1645 {
1646 this->condvar->wait(this->condvar, this->mutex);
1647 }
1648 }
1649 addrs->destroy(addrs);
1650 ifaces->destroy(ifaces);
1651 this->mutex->unlock(this->mutex);
1652 return status;
1653 }
1654 else
1655 {
1656 addr->refcount--;
1657 }
1658 DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
1659 virtual_ip);
1660 addrs->destroy(addrs);
1661 ifaces->destroy(ifaces);
1662 this->mutex->unlock(this->mutex);
1663 return SUCCESS;
1664 }
1665 }
1666 addrs->destroy(addrs);
1667 }
1668 ifaces->destroy(ifaces);
1669 this->mutex->unlock(this->mutex);
1670
1671 DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
1672 return FAILED;
1673 }
1674
1675 /**
1676 * Manages source routes in the routing table.
1677 * By setting the appropriate nlmsg_type, the route gets added or removed.
1678 */
1679 static status_t manage_srcroute(private_kernel_netlink_net_t *this,
1680 int nlmsg_type, int flags, chunk_t dst_net,
1681 u_int8_t prefixlen, host_t *gateway,
1682 host_t *src_ip, char *if_name)
1683 {
1684 netlink_buf_t request;
1685 struct nlmsghdr *hdr;
1686 struct rtmsg *msg;
1687 int ifindex;
1688 chunk_t chunk;
1689
1690 /* if route is 0.0.0.0/0, we can't install it, as it would
1691 * overwrite the default route. Instead, we add two routes:
1692 * 0.0.0.0/1 and 128.0.0.0/1 */
1693 if (this->routing_table == 0 && prefixlen == 0)
1694 {
1695 chunk_t half_net;
1696 u_int8_t half_prefixlen;
1697 status_t status;
1698
1699 half_net = chunk_alloca(dst_net.len);
1700 memset(half_net.ptr, 0, half_net.len);
1701 half_prefixlen = 1;
1702
1703 status = manage_srcroute(this, nlmsg_type, flags, half_net, half_prefixlen,
1704 gateway, src_ip, if_name);
1705 half_net.ptr[0] |= 0x80;
1706 status = manage_srcroute(this, nlmsg_type, flags, half_net, half_prefixlen,
1707 gateway, src_ip, if_name);
1708 return status;
1709 }
1710
1711 memset(&request, 0, sizeof(request));
1712
1713 hdr = (struct nlmsghdr*)request;
1714 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1715 hdr->nlmsg_type = nlmsg_type;
1716 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1717
1718 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1719 msg->rtm_family = src_ip->get_family(src_ip);
1720 msg->rtm_dst_len = prefixlen;
1721 msg->rtm_table = this->routing_table;
1722 msg->rtm_protocol = RTPROT_STATIC;
1723 msg->rtm_type = RTN_UNICAST;
1724 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1725
1726 netlink_add_attribute(hdr, RTA_DST, dst_net, sizeof(request));
1727 chunk = src_ip->get_address(src_ip);
1728 netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
1729 if (gateway && gateway->get_family(gateway) == src_ip->get_family(src_ip))
1730 {
1731 chunk = gateway->get_address(gateway);
1732 netlink_add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
1733 }
1734 ifindex = get_interface_index(this, if_name);
1735 chunk.ptr = (char*)&ifindex;
1736 chunk.len = sizeof(ifindex);
1737 netlink_add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
1738
1739 return this->socket->send_ack(this->socket, hdr);
1740 }
1741
1742 METHOD(kernel_net_t, add_route, status_t,
1743 private_kernel_netlink_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
1744 host_t *gateway, host_t *src_ip, char *if_name)
1745 {
1746 status_t status;
1747 route_entry_t *found, route = {
1748 .dst_net = dst_net,
1749 .prefixlen = prefixlen,
1750 .gateway = gateway,
1751 .src_ip = src_ip,
1752 .if_name = if_name,
1753 };
1754
1755 this->mutex->lock(this->mutex);
1756 found = this->routes->get(this->routes, &route);
1757 if (found)
1758 {
1759 this->mutex->unlock(this->mutex);
1760 return ALREADY_DONE;
1761 }
1762 found = route_entry_clone(&route);
1763 this->routes->put(this->routes, found, found);
1764 status = manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
1765 dst_net, prefixlen, gateway, src_ip, if_name);
1766 this->mutex->unlock(this->mutex);
1767 return status;
1768 }
1769
1770 METHOD(kernel_net_t, del_route, status_t,
1771 private_kernel_netlink_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
1772 host_t *gateway, host_t *src_ip, char *if_name)
1773 {
1774 status_t status;
1775 route_entry_t *found, route = {
1776 .dst_net = dst_net,
1777 .prefixlen = prefixlen,
1778 .gateway = gateway,
1779 .src_ip = src_ip,
1780 .if_name = if_name,
1781 };
1782
1783 this->mutex->lock(this->mutex);
1784 found = this->routes->get(this->routes, &route);
1785 if (!found)
1786 {
1787 this->mutex->unlock(this->mutex);
1788 return NOT_FOUND;
1789 }
1790 this->routes->remove(this->routes, found);
1791 route_entry_destroy(found);
1792 status = manage_srcroute(this, RTM_DELROUTE, 0, dst_net, prefixlen,
1793 gateway, src_ip, if_name);
1794 this->mutex->unlock(this->mutex);
1795 return status;
1796 }
1797
1798 /**
1799 * Initialize a list of local addresses.
1800 */
1801 static status_t init_address_list(private_kernel_netlink_net_t *this)
1802 {
1803 netlink_buf_t request;
1804 struct nlmsghdr *out, *current, *in;
1805 struct rtgenmsg *msg;
1806 size_t len;
1807 enumerator_t *ifaces, *addrs;
1808 iface_entry_t *iface;
1809 addr_entry_t *addr;
1810
1811 DBG2(DBG_KNL, "known interfaces and IP addresses:");
1812
1813 memset(&request, 0, sizeof(request));
1814
1815 in = (struct nlmsghdr*)&request;
1816 in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
1817 in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
1818 msg = (struct rtgenmsg*)NLMSG_DATA(in);
1819 msg->rtgen_family = AF_UNSPEC;
1820
1821 /* get all links */
1822 in->nlmsg_type = RTM_GETLINK;
1823 if (this->socket->send(this->socket, in, &out, &len) != SUCCESS)
1824 {
1825 return FAILED;
1826 }
1827 current = out;
1828 while (NLMSG_OK(current, len))
1829 {
1830 switch (current->nlmsg_type)
1831 {
1832 case NLMSG_DONE:
1833 break;
1834 case RTM_NEWLINK:
1835 process_link(this, current, FALSE);
1836 /* fall through */
1837 default:
1838 current = NLMSG_NEXT(current, len);
1839 continue;
1840 }
1841 break;
1842 }
1843 free(out);
1844
1845 /* get all interface addresses */
1846 in->nlmsg_type = RTM_GETADDR;
1847 if (this->socket->send(this->socket, in, &out, &len) != SUCCESS)
1848 {
1849 return FAILED;
1850 }
1851 current = out;
1852 while (NLMSG_OK(current, len))
1853 {
1854 switch (current->nlmsg_type)
1855 {
1856 case NLMSG_DONE:
1857 break;
1858 case RTM_NEWADDR:
1859 process_addr(this, current, FALSE);
1860 /* fall through */
1861 default:
1862 current = NLMSG_NEXT(current, len);
1863 continue;
1864 }
1865 break;
1866 }
1867 free(out);
1868
1869 this->mutex->lock(this->mutex);
1870 ifaces = this->ifaces->create_enumerator(this->ifaces);
1871 while (ifaces->enumerate(ifaces, &iface))
1872 {
1873 if (iface_entry_up_and_usable(iface))
1874 {
1875 DBG2(DBG_KNL, " %s", iface->ifname);
1876 addrs = iface->addrs->create_enumerator(iface->addrs);
1877 while (addrs->enumerate(addrs, (void**)&addr))
1878 {
1879 DBG2(DBG_KNL, " %H", addr->ip);
1880 }
1881 addrs->destroy(addrs);
1882 }
1883 }
1884 ifaces->destroy(ifaces);
1885 this->mutex->unlock(this->mutex);
1886 return SUCCESS;
1887 }
1888
1889 /**
1890 * create or delete a rule to use our routing table
1891 */
1892 static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type,
1893 int family, u_int32_t table, u_int32_t prio)
1894 {
1895 netlink_buf_t request;
1896 struct nlmsghdr *hdr;
1897 struct rtmsg *msg;
1898 chunk_t chunk;
1899
1900 memset(&request, 0, sizeof(request));
1901 hdr = (struct nlmsghdr*)request;
1902 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1903 hdr->nlmsg_type = nlmsg_type;
1904 if (nlmsg_type == RTM_NEWRULE)
1905 {
1906 hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_EXCL;
1907 }
1908 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1909
1910 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1911 msg->rtm_table = table;
1912 msg->rtm_family = family;
1913 msg->rtm_protocol = RTPROT_BOOT;
1914 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1915 msg->rtm_type = RTN_UNICAST;
1916
1917 chunk = chunk_from_thing(prio);
1918 netlink_add_attribute(hdr, RTA_PRIORITY, chunk, sizeof(request));
1919
1920 return this->socket->send_ack(this->socket, hdr);
1921 }
1922
1923 /**
1924 * check for kernel features (currently only via version number)
1925 */
1926 static void check_kernel_features(private_kernel_netlink_net_t *this)
1927 {
1928 struct utsname utsname;
1929 int a, b, c;
1930
1931 if (uname(&utsname) == 0)
1932 {
1933 switch(sscanf(utsname.release, "%d.%d.%d", &a, &b, &c))
1934 {
1935 case 3:
1936 if (a == 2)
1937 {
1938 DBG2(DBG_KNL, "detected Linux %d.%d.%d, no support for "
1939 "RTA_PREFSRC for IPv6 routes", a, b, c);
1940 break;
1941 }
1942 /* fall-through */
1943 case 2:
1944 /* only 3.x+ uses two part version numbers */
1945 this->rta_prefsrc_for_ipv6 = TRUE;
1946 break;
1947 default:
1948 break;
1949 }
1950 }
1951 }
1952
1953 METHOD(kernel_net_t, destroy, void,
1954 private_kernel_netlink_net_t *this)
1955 {
1956 enumerator_t *enumerator;
1957 route_entry_t *route;
1958
1959 if (this->routing_table)
1960 {
1961 manage_rule(this, RTM_DELRULE, AF_INET, this->routing_table,
1962 this->routing_table_prio);
1963 manage_rule(this, RTM_DELRULE, AF_INET6, this->routing_table,
1964 this->routing_table_prio);
1965 }
1966 if (this->socket_events > 0)
1967 {
1968 close(this->socket_events);
1969 }
1970 enumerator = this->routes->create_enumerator(this->routes);
1971 while (enumerator->enumerate(enumerator, NULL, (void**)&route))
1972 {
1973 manage_srcroute(this, RTM_DELROUTE, 0, route->dst_net, route->prefixlen,
1974 route->gateway, route->src_ip, route->if_name);
1975 route_entry_destroy(route);
1976 }
1977 enumerator->destroy(enumerator);
1978 this->routes->destroy(this->routes);
1979 DESTROY_IF(this->socket);
1980
1981 net_changes_clear(this);
1982 this->net_changes->destroy(this->net_changes);
1983 this->net_changes_lock->destroy(this->net_changes_lock);
1984
1985 this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
1986 this->rt_exclude->destroy(this->rt_exclude);
1987 this->condvar->destroy(this->condvar);
1988 this->mutex->destroy(this->mutex);
1989 free(this);
1990 }
1991
1992 /*
1993 * Described in header.
1994 */
1995 kernel_netlink_net_t *kernel_netlink_net_create()
1996 {
1997 private_kernel_netlink_net_t *this;
1998 enumerator_t *enumerator;
1999 bool register_for_events = TRUE;
2000 char *exclude;
2001
2002 INIT(this,
2003 .public = {
2004 .interface = {
2005 .get_interface = _get_interface_name,
2006 .create_address_enumerator = _create_address_enumerator,
2007 .get_source_addr = _get_source_addr,
2008 .get_nexthop = _get_nexthop,
2009 .add_ip = _add_ip,
2010 .del_ip = _del_ip,
2011 .add_route = _add_route,
2012 .del_route = _del_route,
2013 .destroy = _destroy,
2014 },
2015 },
2016 .socket = netlink_socket_create(NETLINK_ROUTE),
2017 .rt_exclude = linked_list_create(),
2018 .routes = hashtable_create((hashtable_hash_t)route_entry_hash,
2019 (hashtable_equals_t)route_entry_equals, 16),
2020 .net_changes = hashtable_create(
2021 (hashtable_hash_t)net_change_hash,
2022 (hashtable_equals_t)net_change_equals, 16),
2023 .net_changes_lock = mutex_create(MUTEX_TYPE_DEFAULT),
2024 .ifaces = linked_list_create(),
2025 .mutex = mutex_create(MUTEX_TYPE_RECURSIVE),
2026 .condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
2027 .routing_table = lib->settings->get_int(lib->settings,
2028 "%s.routing_table", ROUTING_TABLE, hydra->daemon),
2029 .routing_table_prio = lib->settings->get_int(lib->settings,
2030 "%s.routing_table_prio", ROUTING_TABLE_PRIO, hydra->daemon),
2031 .process_route = lib->settings->get_bool(lib->settings,
2032 "%s.process_route", TRUE, hydra->daemon),
2033 .install_virtual_ip = lib->settings->get_bool(lib->settings,
2034 "%s.install_virtual_ip", TRUE, hydra->daemon),
2035 );
2036 timerclear(&this->last_route_reinstall);
2037 timerclear(&this->last_roam);
2038
2039 check_kernel_features(this);
2040
2041 if (streq(hydra->daemon, "starter"))
2042 { /* starter has no threads, so we do not register for kernel events */
2043 register_for_events = FALSE;
2044 }
2045
2046 exclude = lib->settings->get_str(lib->settings,
2047 "%s.ignore_routing_tables", NULL, hydra->daemon);
2048 if (exclude)
2049 {
2050 char *token;
2051 uintptr_t table;
2052
2053 enumerator = enumerator_create_token(exclude, " ", " ");
2054 while (enumerator->enumerate(enumerator, &token))
2055 {
2056 errno = 0;
2057 table = strtoul(token, NULL, 10);
2058
2059 if (errno == 0)
2060 {
2061 this->rt_exclude->insert_last(this->rt_exclude, (void*)table);
2062 }
2063 }
2064 enumerator->destroy(enumerator);
2065 }
2066
2067 if (register_for_events)
2068 {
2069 struct sockaddr_nl addr;
2070
2071 memset(&addr, 0, sizeof(addr));
2072 addr.nl_family = AF_NETLINK;
2073
2074 /* create and bind RT socket for events (address/interface/route changes) */
2075 this->socket_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
2076 if (this->socket_events < 0)
2077 {
2078 DBG1(DBG_KNL, "unable to create RT event socket");
2079 destroy(this);
2080 return NULL;
2081 }
2082 addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR |
2083 RTMGRP_IPV4_ROUTE | RTMGRP_IPV6_ROUTE | RTMGRP_LINK;
2084 if (bind(this->socket_events, (struct sockaddr*)&addr, sizeof(addr)))
2085 {
2086 DBG1(DBG_KNL, "unable to bind RT event socket");
2087 destroy(this);
2088 return NULL;
2089 }
2090
2091 lib->processor->queue_job(lib->processor,
2092 (job_t*)callback_job_create_with_prio(
2093 (callback_job_cb_t)receive_events, this, NULL,
2094 (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
2095 }
2096
2097 if (init_address_list(this) != SUCCESS)
2098 {
2099 DBG1(DBG_KNL, "unable to get interface list");
2100 destroy(this);
2101 return NULL;
2102 }
2103
2104 if (this->routing_table)
2105 {
2106 if (manage_rule(this, RTM_NEWRULE, AF_INET, this->routing_table,
2107 this->routing_table_prio) != SUCCESS)
2108 {
2109 DBG1(DBG_KNL, "unable to create IPv4 routing table rule");
2110 }
2111 if (manage_rule(this, RTM_NEWRULE, AF_INET6, this->routing_table,
2112 this->routing_table_prio) != SUCCESS)
2113 {
2114 DBG1(DBG_KNL, "unable to create IPv6 routing table rule");
2115 }
2116 }
2117
2118 return &this->public;
2119 }
strongSwan - IPsec VPN