From: Roopa Prabhu <ro...@cumulusnetworks.com>
add support to match on ip_proto, sport and dport ranges.
For ip_proto, this patch currently enumerates, tcp, udp and sctp.
This list can be extended in the future.
example:
$ip rule add sport 666-777 dport 999 ip_proto tcp table 100
$ip rule show
0: from all lookup local
32765: from all ip_proto 6 sport 666-777 dport 999 lookup 100
32766: from all lookup main
32767: from all lookup default
Signed-off-by: Roopa Prabhu <ro...@cumulusnetworks.com>
---
v2: use inet_proto_* as suggested by David Ahern
v3: fix newlines in usage (feedback from David Ahern)
v4: fixes for json (feedback from Stephen H).
include/uapi/linux/fib_rules.h | 8 +++++
ip/iprule.c | 67 ++++++++++++++++++++++++++++++++++++++++++
man/man8/ip-rule.8 | 32 +++++++++++++++++++-
3 files changed, 106 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/fib_rules.h b/include/uapi/linux/fib_rules.h
index 77d90ae..1809af5 100644
--- a/include/uapi/linux/fib_rules.h
+++ b/include/uapi/linux/fib_rules.h
@@ -35,6 +35,11 @@ struct fib_rule_uid_range {
__u32 end;
};
+struct fib_rule_port_range {
+ __u16 start;
+ __u16 end;
+};
+
enum {
FRA_UNSPEC,
FRA_DST, /* destination address */
@@ -59,6 +64,9 @@ enum {
FRA_L3MDEV, /* iif or oif is l3mdev goto its table */
FRA_UID_RANGE, /* UID range */
FRA_PROTOCOL, /* Originator of the rule */
+ FRA_IP_PROTO, /* ip proto */
+ FRA_SPORT_RANGE,/* sport range */
+ FRA_DPORT_RANGE,/* dport range */
__FRA_MAX
};
diff --git a/ip/iprule.c b/ip/iprule.c
index a49753e..3520544 100644
--- a/ip/iprule.c
+++ b/ip/iprule.c
@@ -47,6 +47,9 @@ static void usage(void)
"SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ]
[ fwmark FWMARK[/MASK] ]\n"
" [ iif STRING ] [ oif STRING ] [ pref NUMBER ] [
l3mdev ]\n"
" [ uidrange NUMBER-NUMBER ]\n"
+ " [ ip_proto PROTOCOL ]\n"
+ " [ sport [ NUMBER | NUMBER-NUMBER ]\n"
+ " [ dport [ NUMBER | NUMBER-NUMBER ] ]\n"
"ACTION := [ table TABLE_ID ]\n"
" [ protocol PROTO ]\n"
" [ nat ADDRESS ]\n"
@@ -306,6 +309,37 @@ int print_rule(const struct sockaddr_nl *who, struct
nlmsghdr *n, void *arg)
print_uint(PRINT_ANY, "uid_end", "-%u ", r->end);
}
+ if (tb[FRA_IP_PROTO]) {
+ SPRINT_BUF(pbuf);
+ print_string(PRINT_ANY, "ip_proto", "ip_proto %s ",
+ inet_proto_n2a(rta_getattr_u8(tb[FRA_IP_PROTO]),
+ pbuf, sizeof(pbuf)));
+ }
+
+ if (tb[FRA_SPORT_RANGE]) {
+ struct fib_rule_port_range *r = RTA_DATA(tb[FRA_SPORT_RANGE]);
+
+ if (r->start == r->end) {
+ print_uint(PRINT_ANY, "sport", "sport %u ", r->start);
+ } else {
+ print_uint(PRINT_ANY, "sport_start", "sport %u",
+ r->start);
+ print_uint(PRINT_ANY, "sport_end", "-%u ", r->end);
+ }
+ }
+
+ if (tb[FRA_DPORT_RANGE]) {
+ struct fib_rule_port_range *r = RTA_DATA(tb[FRA_DPORT_RANGE]);
+
+ if (r->start == r->end) {
+ print_uint(PRINT_ANY, "dport", "dport %u ", r->start);
+ } else {
+ print_uint(PRINT_ANY, "dport_start", "dport %u",
+ r->start);
+ print_uint(PRINT_ANY, "dport_end", "-%u ", r->end);
+ }
+ }
+
table = frh_get_table(frh, tb);
if (table) {
print_string(PRINT_ANY, "table",
@@ -802,6 +836,39 @@ static int iprule_modify(int cmd, int argc, char **argv)
addattr32(&req.n, sizeof(req), RTA_GATEWAY,
get_addr32(*argv));
req.frh.action = RTN_NAT;
+ } else if (strcmp(*argv, "ip_proto") == 0) {
+ __u8 ip_proto;
+
+ NEXT_ARG();
+ ip_proto = inet_proto_a2n(*argv);
+ if (ip_proto < 0)
+ invarg("Invalid \"ip_proto\" value\n",
+ *argv);
+ addattr8(&req.n, sizeof(req), FRA_IP_PROTO, ip_proto);
+ } else if (strcmp(*argv, "sport") == 0) {
+ struct fib_rule_port_range r;
+ int ret = 0;
+
+ NEXT_ARG();
+ ret = sscanf(*argv, "%hu-%hu", &r.start, &r.end);
+ if (ret == 1)
+ r.end = r.start;
+ else if (ret != 2)
+ invarg("invalid port range\n", *argv);
+ addattr_l(&req.n, sizeof(req), FRA_SPORT_RANGE, &r,
+ sizeof(r));
+ } else if (strcmp(*argv, "dport") == 0) {
+ struct fib_rule_port_range r;
+ int ret = 0;
+
+ NEXT_ARG();
+ ret = sscanf(*argv, "%hu-%hu", &r.start, &r.end);
+ if (ret == 1)
+ r.end = r.start;
+ else if (ret != 2)
+ invarg("invalid dport range\n", *argv);
+ addattr_l(&req.n, sizeof(req), FRA_DPORT_RANGE, &r,
+ sizeof(r));
} else {
int type;
diff --git a/man/man8/ip-rule.8 b/man/man8/ip-rule.8
index 7cf8fd9..b3cd41b 100644
--- a/man/man8/ip-rule.8
+++ b/man/man8/ip-rule.8
@@ -44,7 +44,19 @@ ip-rule \- routing policy database management
.IR STRING " ] [ "
.B pref
.IR NUMBER " ] [ "
-.BR l3mdev " ]"
+.IR l3mdev " ] [ "
+.B uidrange
+.IR NUMBER "-" NUMBER " ] [ "
+.B ip_proto
+.IR PROTOCOL " ] [ "
+.BR sport " [ "
+.IR NUMBER " | "
+.IR NUMBER "-" NUMBER " ] ] [ "
+.BR dport " [ "
+.IR NUMBER " | "
+.IR NUMBER "-" NUMBER " ] ]"
+.BR
+
.ti -8
.IR ACTION " := [ "
@@ -227,6 +239,24 @@ select the
value to match.
.TP
+.BI uidrange " NUMBER-NUMBER"
+select the
+.B uid
+value to match.
+
+.TP
+.BI ip_proto " PROTOCOL"
+select the ip protocol value to match.
+
+.TP
+.BI sport " NUMBER | NUMBER-NUMBER"
+select the source port value to match. supports port range.
+
+.TP
+.BI dport " NUMBER | NUMBER-NUMBER"
+select the destination port value to match. supports port range.
+
+.TP
.BI priority " PREFERENCE"
the priority of this rule.
.I PREFERENCE
--
2.1.4
