Merge pull request #11032 from ssahani/invert-rule

networkd: RPDB rule - add support to configure inverted rule.
2025-01-11 09:18:07 +03:00 · 2018-12-06 14:27:36 +01:00 · 2018-12-06 14:27:36 +01:00 · fda96700e4
commit fda96700e4
parent 253de60634 efecf9cd15
10 changed files with 109 additions and 1 deletions
--- a/man/systemd.network.xml
+++ b/man/systemd.network.xml
@ -1015,6 +1015,12 @@
            Defaults to unset.</para>
          </listitem>
        </varlistentry>
+        <varlistentry>
+          <term><varname>InvertRule=</varname></term>
+          <listitem>
+            <para>A boolean. Specifies wheather the rule to be inverted. Defaults to false.</para>
+          </listitem>
+        </varlistentry>
      </variablelist>
  </refsect1>

--- a/src/libsystemd/sd-netlink/rtnl-message.c
+++ b/src/libsystemd/sd-netlink/rtnl-message.c
@ -852,6 +852,32 @@ int sd_rtnl_message_routing_policy_rule_get_table(sd_netlink_message *m, unsigne
        return 0;
 }

+int sd_rtnl_message_routing_policy_rule_set_flags(sd_netlink_message *m, unsigned flags) {
+        struct rtmsg *routing_policy_rule;
+
+        assert_return(m, -EINVAL);
+        assert_return(m->hdr, -EINVAL);
+        assert_return(rtnl_message_type_is_routing_policy_rule(m->hdr->nlmsg_type), -EINVAL);
+
+        routing_policy_rule = NLMSG_DATA(m->hdr);
+        routing_policy_rule->rtm_flags |= flags;
+
+        return 0;
+}
+
+int sd_rtnl_message_routing_policy_rule_get_flags(sd_netlink_message *m, unsigned *flags) {
+        struct rtmsg *routing_policy_rule;
+
+        assert_return(m, -EINVAL);
+        assert_return(m->hdr, -EINVAL);
+        assert_return(rtnl_message_type_is_routing_policy_rule(m->hdr->nlmsg_type), -EINVAL);
+
+        routing_policy_rule = NLMSG_DATA(m->hdr);
+        *flags = routing_policy_rule->rtm_flags;
+
+        return 0;
+}
+
 int sd_rtnl_message_routing_policy_rule_set_rtm_type(sd_netlink_message *m, unsigned char type) {
        struct rtmsg *routing_policy_rule;

--- a/src/network/networkd-network-gperf.gperf
+++ b/src/network/networkd-network-gperf.gperf
@ -104,6 +104,7 @@ RoutingPolicyRule.OutgoingInterface,    config_parse_routing_policy_rule_device,
 RoutingPolicyRule.IPProtocol,           config_parse_routing_policy_rule_ip_protocol,   0,                             0
 RoutingPolicyRule.SourcePort,           config_parse_routing_policy_rule_port_range,    0,                             0
 RoutingPolicyRule.DestinationPort,      config_parse_routing_policy_rule_port_range,    0,                             0
+RoutingPolicyRule.InvertRule,           config_parse_routing_policy_rule_invert,        0,                             0
 Route.Gateway,                          config_parse_gateway,                           0,                             0
 Route.Destination,                      config_parse_destination,                       0,                             0
 Route.Source,                           config_parse_destination,                       0,                             0
--- a/src/network/networkd-routing-policy-rule.c
+++ b/src/network/networkd-routing-policy-rule.c
@ -588,6 +588,12 @@ int routing_policy_rule_configure(RoutingPolicyRule *rule, Link *link, link_netl
                        return log_error_errno(r, "Could not append FRA_DPORT_RANGE attribute: %m");
        }

+        if (rule->invert_rule) {
+                r = sd_rtnl_message_routing_policy_rule_set_flags(m, FIB_RULE_INVERT);
+                if (r < 0)
+                        return log_error_errno(r, "Could not append FIB_RULE_INVERT attribute: %m");
+        }
+
        rule->link = link;

        r = netlink_call_async(link->manager->rtnl, NULL, m,
@ -959,6 +965,45 @@ int config_parse_routing_policy_rule_ip_protocol(
        return 0;
 }

+int config_parse_routing_policy_rule_invert(
+                const char *unit,
+                const char *filename,
+                unsigned line,
+                const char *section,
+                unsigned section_line,
+                const char *lvalue,
+                int ltype,
+                const char *rvalue,
+                void *data,
+                void *userdata) {
+
+        _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *n = NULL;
+        Network *network = userdata;
+        int r;
+
+        assert(filename);
+        assert(section);
+        assert(lvalue);
+        assert(rvalue);
+        assert(data);
+
+        r = routing_policy_rule_new_static(network, filename, section_line, &n);
+        if (r < 0)
+                return r;
+
+        r = parse_boolean(rvalue);
+        if (r < 0) {
+                log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse RPDB rule invert, ignoring: %s", rvalue);
+                return 0;
+        }
+
+        n->invert_rule = r;
+
+        n = NULL;
+
+        return 0;
+}
+
 static int routing_policy_rule_read_full_file(const char *state_file, char **ret) {
        _cleanup_free_ char *s = NULL;
        size_t size;
--- a/src/network/networkd-routing-policy-rule.h
+++ b/src/network/networkd-routing-policy-rule.h
@ -25,6 +25,8 @@ struct RoutingPolicyRule {
        Link *link;
        NetworkConfigSection *section;

+        bool invert_rule;
+
        uint8_t tos;
        uint8_t protocol;

@ -79,3 +81,4 @@ CONFIG_PARSER_PROTOTYPE(config_parse_routing_policy_rule_priority);
 CONFIG_PARSER_PROTOTYPE(config_parse_routing_policy_rule_device);
 CONFIG_PARSER_PROTOTYPE(config_parse_routing_policy_rule_port_range);
 CONFIG_PARSER_PROTOTYPE(config_parse_routing_policy_rule_ip_protocol);
+CONFIG_PARSER_PROTOTYPE(config_parse_routing_policy_rule_invert);
--- a/src/systemd/sd-netlink.h
+++ b/src/systemd/sd-netlink.h
@ -179,6 +179,8 @@ int sd_rtnl_message_routing_policy_rule_set_rtm_dst_prefixlen(sd_netlink_message
 int sd_rtnl_message_routing_policy_rule_get_rtm_dst_prefixlen(sd_netlink_message *m, unsigned char *len);
 int sd_rtnl_message_routing_policy_rule_set_rtm_type(sd_netlink_message *m, unsigned char type);
 int sd_rtnl_message_routing_policy_rule_get_rtm_type(sd_netlink_message *m, unsigned char *type);
+int sd_rtnl_message_routing_policy_rule_set_flags(sd_netlink_message *m, unsigned flags);
+int sd_rtnl_message_routing_policy_rule_get_flags(sd_netlink_message *m, unsigned *flags);

 /* genl */
 int sd_genl_socket_open(sd_netlink **nl);
--- a/test/fuzz/fuzz-network-parser/directives.network
+++ b/test/fuzz/fuzz-network-parser/directives.network
@ -153,6 +153,7 @@ FirewallMark=
 SourcePort=
 DestinationPort=
 IPProtocol=
+InvertRule=
 [IPv6PrefixDelegation]
 RouterPreference=
 DNSLifetimeSec=
--- a/test/fuzz/fuzz-unit-file/directives.service
+++ b/test/fuzz/fuzz-unit-file/directives.service
@ -442,6 +442,7 @@ Independent=
 InitialAdvertisedReceiveWindow=
 InitialCongestionWindow=
 InputKey=
+InvertRule=
 KernelCommandLine=
 KernelVersion=
 Key=
--- a/test/test-network/conf/25-fibrule-invert.network
+++ b/test/test-network/conf/25-fibrule-invert.network
@ -0,0 +1,10 @@
+[Match]
+Name=test1
+
+[RoutingPolicyRule]
+TypeOfService=0x08
+Table=7
+From= 192.168.100.18
+Priority=111
+IPProtocol = tcp
+InvertRule=true
--- a/test/test-network/systemd-networkd-tests.py
+++ b/test/test-network/systemd-networkd-tests.py
@ -449,7 +449,7 @@ class NetworkdNetWorkTests(unittest.TestCase, Utilities):
    units = ['12-dummy.netdev', 'test-static.network', 'configure-without-carrier.network', '11-dummy.netdev',
             '23-primary-slave.network', '23-test1-bond199.network', '11-dummy.netdev', '23-bond199.network',
             '25-bond-active-backup-slave.netdev', '12-dummy.netdev', '23-active-slave.network',
-             'routing-policy-rule.network', '25-fibrule-port-range.network', '25-address-section.network',
+             'routing-policy-rule.network', '25-fibrule-port-range.network', '25-fibrule-invert.network', '25-address-section.network',
             '25-address-section-miscellaneous.network', '25-route-section.network', '25-route-type.network',
             '25-route-tcp-window-settings.network', '25-route-gateway.network', '25-route-gateway-on-link.network',
             '25-address-link-section.network', '25-ipv6-address-label-section.network', '25-link-section-unmanaged.network',
@ -532,6 +532,19 @@ class NetworkdNetWorkTests(unittest.TestCase, Utilities):
        self.assertRegex(output, 'tcp')
        self.assertRegex(output, 'lookup 7')

+    def test_routing_policy_rule_invert(self):
+        self.copy_unit_to_networkd_unit_path('25-fibrule-invert.network', '11-dummy.netdev')
+        self.start_networkd()
+
+        self.assertTrue(self.link_exits('test1'))
+        output = subprocess.check_output(['ip', 'rule']).rstrip().decode('utf-8')
+        print(output)
+
+        self.assertRegex(output, '111')
+        self.assertRegex(output, 'not.*?from.*?192.168.100.18')
+        self.assertRegex(output, 'tcp')
+        self.assertRegex(output, 'lookup 7')
+
    def test_address_preferred_lifetime_zero_ipv6(self):
        self.copy_unit_to_networkd_unit_path('25-address-section-miscellaneous.network', '12-dummy.netdev')
        self.start_networkd()