1 /* 2 * f_flow.c Flow filter 3 * 4 * This program is free software; you can redistribute it and/or 5 * modify it under the terms of the GNU General Public License 6 * as published by the Free Software Foundation; either version 7 * 2 of the License, or (at your option) any later version. 8 * 9 * Authors: Patrick McHardy <kaber (at) trash.net> 10 */ 11 #include <stdio.h> 12 #include <stdlib.h> 13 #include <unistd.h> 14 #include <string.h> 15 #include <errno.h> 16 17 #include "utils.h" 18 #include "tc_util.h" 19 #include "m_ematch.h" 20 21 static void explain(void) 22 { 23 fprintf(stderr, 24 "Usage: ... flow ...\n" 25 "\n" 26 " [mapping mode]: map key KEY [ OPS ] ...\n" 27 " [hashing mode]: hash keys KEY-LIST ... [ perturb SECS ]\n" 28 "\n" 29 " [ divisor NUM ] [ baseclass ID ] [ match EMATCH_TREE ]\n" 30 " [ action ACTION_SPEC ]\n" 31 "\n" 32 "KEY-LIST := [ KEY-LIST , ] KEY\n" 33 "KEY := [ src | dst | proto | proto-src | proto-dst | iif | priority | \n" 34 " mark | nfct | nfct-src | nfct-dst | nfct-proto-src | \n" 35 " nfct-proto-dst | rt-classid | sk-uid | sk-gid |\n" 36 " vlan-tag | rxhash ]\n" 37 "OPS := [ or NUM | and NUM | xor NUM | rshift NUM | addend NUM ]\n" 38 "ID := X:Y\n" 39 ); 40 } 41 42 static const char *flow_keys[FLOW_KEY_MAX+1] = { 43 [FLOW_KEY_SRC] = "src", 44 [FLOW_KEY_DST] = "dst", 45 [FLOW_KEY_PROTO] = "proto", 46 [FLOW_KEY_PROTO_SRC] = "proto-src", 47 [FLOW_KEY_PROTO_DST] = "proto-dst", 48 [FLOW_KEY_IIF] = "iif", 49 [FLOW_KEY_PRIORITY] = "priority", 50 [FLOW_KEY_MARK] = "mark", 51 [FLOW_KEY_NFCT] = "nfct", 52 [FLOW_KEY_NFCT_SRC] = "nfct-src", 53 [FLOW_KEY_NFCT_DST] = "nfct-dst", 54 [FLOW_KEY_NFCT_PROTO_SRC] = "nfct-proto-src", 55 [FLOW_KEY_NFCT_PROTO_DST] = "nfct-proto-dst", 56 [FLOW_KEY_RTCLASSID] = "rt-classid", 57 [FLOW_KEY_SKUID] = "sk-uid", 58 [FLOW_KEY_SKGID] = "sk-gid", 59 [FLOW_KEY_VLAN_TAG] = "vlan-tag", 60 [FLOW_KEY_RXHASH] = "rxhash", 61 }; 62 63 static int flow_parse_keys(__u32 *keys, __u32 *nkeys, char *argv) 64 { 65 char *s, *sep; 66 unsigned int i; 67 68 *keys = 0; 69 *nkeys = 0; 70 s = argv; 71 while (s != NULL) { 72 sep = strchr(s, ','); 73 if (sep) 74 *sep = '\0'; 75 76 for (i = 0; i <= FLOW_KEY_MAX; i++) { 77 if (matches(s, flow_keys[i]) == 0) { 78 *keys |= 1 << i; 79 (*nkeys)++; 80 break; 81 } 82 } 83 if (i > FLOW_KEY_MAX) { 84 fprintf(stderr, "Unknown flow key \"%s\"\n", s); 85 return -1; 86 } 87 s = sep ? sep + 1 : NULL; 88 } 89 return 0; 90 } 91 92 static void transfer_bitop(__u32 *mask, __u32 *xor, __u32 m, __u32 x) 93 { 94 *xor = x ^ (*xor & m); 95 *mask &= m; 96 } 97 98 static int get_addend(__u32 *addend, char *argv, __u32 keys) 99 { 100 inet_prefix addr; 101 int sign = 0; 102 __u32 tmp; 103 104 if (*argv == '-') { 105 sign = 1; 106 argv++; 107 } 108 109 if (get_u32(&tmp, argv, 0) == 0) 110 goto out; 111 112 if (keys & (FLOW_KEY_SRC | FLOW_KEY_DST | 113 FLOW_KEY_NFCT_SRC | FLOW_KEY_NFCT_DST) && 114 get_addr(&addr, argv, AF_UNSPEC) == 0) { 115 switch (addr.family) { 116 case AF_INET: 117 tmp = ntohl(addr.data[0]); 118 goto out; 119 case AF_INET6: 120 tmp = ntohl(addr.data[3]); 121 goto out; 122 } 123 } 124 125 return -1; 126 out: 127 if (sign) 128 tmp = -tmp; 129 *addend = tmp; 130 return 0; 131 } 132 133 static int flow_parse_opt(struct filter_util *fu, char *handle, 134 int argc, char **argv, struct nlmsghdr *n) 135 { 136 struct tc_police tp; 137 struct tcmsg *t = NLMSG_DATA(n); 138 struct rtattr *tail; 139 __u32 mask = ~0U, xor = 0; 140 __u32 keys = 0, nkeys = 0; 141 __u32 mode = FLOW_MODE_MAP; 142 __u32 tmp; 143 144 memset(&tp, 0, sizeof(tp)); 145 146 if (handle) { 147 if (get_u32(&t->tcm_handle, handle, 0)) { 148 fprintf(stderr, "Illegal \"handle\"\n"); 149 return -1; 150 } 151 } 152 153 tail = NLMSG_TAIL(n); 154 addattr_l(n, 4096, TCA_OPTIONS, NULL, 0); 155 156 while (argc > 0) { 157 if (matches(*argv, "map") == 0) { 158 mode = FLOW_MODE_MAP; 159 } else if (matches(*argv, "hash") == 0) { 160 mode = FLOW_MODE_HASH; 161 } else if (matches(*argv, "keys") == 0) { 162 NEXT_ARG(); 163 if (flow_parse_keys(&keys, &nkeys, *argv)) 164 return -1; 165 addattr32(n, 4096, TCA_FLOW_KEYS, keys); 166 } else if (matches(*argv, "and") == 0) { 167 NEXT_ARG(); 168 if (get_u32(&tmp, *argv, 0)) { 169 fprintf(stderr, "Illegal \"mask\"\n"); 170 return -1; 171 } 172 transfer_bitop(&mask, &xor, tmp, 0); 173 } else if (matches(*argv, "or") == 0) { 174 NEXT_ARG(); 175 if (get_u32(&tmp, *argv, 0)) { 176 fprintf(stderr, "Illegal \"or\"\n"); 177 return -1; 178 } 179 transfer_bitop(&mask, &xor, ~tmp, tmp); 180 } else if (matches(*argv, "xor") == 0) { 181 NEXT_ARG(); 182 if (get_u32(&tmp, *argv, 0)) { 183 fprintf(stderr, "Illegal \"xor\"\n"); 184 return -1; 185 } 186 transfer_bitop(&mask, &xor, ~0, tmp); 187 } else if (matches(*argv, "rshift") == 0) { 188 NEXT_ARG(); 189 if (get_u32(&tmp, *argv, 0)) { 190 fprintf(stderr, "Illegal \"rshift\"\n"); 191 return -1; 192 } 193 addattr32(n, 4096, TCA_FLOW_RSHIFT, tmp); 194 } else if (matches(*argv, "addend") == 0) { 195 NEXT_ARG(); 196 if (get_addend(&tmp, *argv, keys)) { 197 fprintf(stderr, "Illegal \"addend\"\n"); 198 return -1; 199 } 200 addattr32(n, 4096, TCA_FLOW_ADDEND, tmp); 201 } else if (matches(*argv, "divisor") == 0) { 202 NEXT_ARG(); 203 if (get_u32(&tmp, *argv, 0)) { 204 fprintf(stderr, "Illegal \"divisor\"\n"); 205 return -1; 206 } 207 addattr32(n, 4096, TCA_FLOW_DIVISOR, tmp); 208 } else if (matches(*argv, "baseclass") == 0) { 209 NEXT_ARG(); 210 if (get_tc_classid(&tmp, *argv) || TC_H_MIN(tmp) == 0) { 211 fprintf(stderr, "Illegal \"baseclass\"\n"); 212 return -1; 213 } 214 addattr32(n, 4096, TCA_FLOW_BASECLASS, tmp); 215 } else if (matches(*argv, "perturb") == 0) { 216 NEXT_ARG(); 217 if (get_u32(&tmp, *argv, 0)) { 218 fprintf(stderr, "Illegal \"perturb\"\n"); 219 return -1; 220 } 221 addattr32(n, 4096, TCA_FLOW_PERTURB, tmp); 222 } else if (matches(*argv, "police") == 0) { 223 NEXT_ARG(); 224 if (parse_police(&argc, &argv, TCA_FLOW_POLICE, n)) { 225 fprintf(stderr, "Illegal \"police\"\n"); 226 return -1; 227 } 228 continue; 229 } else if (matches(*argv, "action") == 0) { 230 NEXT_ARG(); 231 if (parse_action(&argc, &argv, TCA_FLOW_ACT, n)) { 232 fprintf(stderr, "Illegal \"action\"\n"); 233 return -1; 234 } 235 continue; 236 } else if (matches(*argv, "match") == 0) { 237 NEXT_ARG(); 238 if (parse_ematch(&argc, &argv, TCA_FLOW_EMATCHES, n)) { 239 fprintf(stderr, "Illegal \"ematch\"\n"); 240 return -1; 241 } 242 continue; 243 } else if (matches(*argv, "help") == 0) { 244 explain(); 245 return -1; 246 } else { 247 fprintf(stderr, "What is \"%s\"?\n", *argv); 248 explain(); 249 return -1; 250 } 251 argv++, argc--; 252 } 253 254 if (nkeys > 1 && mode != FLOW_MODE_HASH) { 255 fprintf(stderr, "Invalid mode \"map\" for multiple keys\n"); 256 return -1; 257 } 258 addattr32(n, 4096, TCA_FLOW_MODE, mode); 259 260 if (mask != ~0 || xor != 0) { 261 addattr32(n, 4096, TCA_FLOW_MASK, mask); 262 addattr32(n, 4096, TCA_FLOW_XOR, xor); 263 } 264 265 tail->rta_len = (void *)NLMSG_TAIL(n) - (void *)tail; 266 return 0; 267 } 268 269 static int flow_print_opt(struct filter_util *fu, FILE *f, struct rtattr *opt, 270 __u32 handle) 271 { 272 struct rtattr *tb[TCA_FLOW_MAX+1]; 273 SPRINT_BUF(b1); 274 unsigned int i; 275 __u32 mask = ~0, val = 0; 276 277 if (opt == NULL) 278 return -EINVAL; 279 280 parse_rtattr_nested(tb, TCA_FLOW_MAX, opt); 281 282 fprintf(f, "handle 0x%x ", handle); 283 284 if (tb[TCA_FLOW_MODE]) { 285 __u32 mode = rta_getattr_u32(tb[TCA_FLOW_MODE]); 286 287 switch (mode) { 288 case FLOW_MODE_MAP: 289 fprintf(f, "map "); 290 break; 291 case FLOW_MODE_HASH: 292 fprintf(f, "hash "); 293 break; 294 } 295 } 296 297 if (tb[TCA_FLOW_KEYS]) { 298 __u32 keymask = rta_getattr_u32(tb[TCA_FLOW_KEYS]); 299 char *sep = ""; 300 301 fprintf(f, "keys "); 302 for (i = 0; i <= FLOW_KEY_MAX; i++) { 303 if (keymask & (1 << i)) { 304 fprintf(f, "%s%s", sep, flow_keys[i]); 305 sep = ","; 306 } 307 } 308 fprintf(f, " "); 309 } 310 311 if (tb[TCA_FLOW_MASK]) 312 mask = rta_getattr_u32(tb[TCA_FLOW_MASK]); 313 if (tb[TCA_FLOW_XOR]) 314 val = rta_getattr_u32(tb[TCA_FLOW_XOR]); 315 316 if (mask != ~0 || val != 0) { 317 __u32 or = (mask & val) ^ val; 318 __u32 xor = mask & val; 319 320 if (mask != ~0) 321 fprintf(f, "and 0x%.8x ", mask); 322 if (xor != 0) 323 fprintf(f, "xor 0x%.8x ", xor); 324 if (or != 0) 325 fprintf(f, "or 0x%.8x ", or); 326 } 327 328 if (tb[TCA_FLOW_RSHIFT]) 329 fprintf(f, "rshift %u ", 330 rta_getattr_u32(tb[TCA_FLOW_RSHIFT])); 331 if (tb[TCA_FLOW_ADDEND]) 332 fprintf(f, "addend 0x%x ", 333 rta_getattr_u32(tb[TCA_FLOW_ADDEND])); 334 335 if (tb[TCA_FLOW_DIVISOR]) 336 fprintf(f, "divisor %u ", 337 rta_getattr_u32(tb[TCA_FLOW_DIVISOR])); 338 if (tb[TCA_FLOW_BASECLASS]) 339 fprintf(f, "baseclass %s ", 340 sprint_tc_classid(rta_getattr_u32(tb[TCA_FLOW_BASECLASS]), b1)); 341 342 if (tb[TCA_FLOW_PERTURB]) 343 fprintf(f, "perturb %usec ", 344 rta_getattr_u32(tb[TCA_FLOW_PERTURB])); 345 346 if (tb[TCA_FLOW_EMATCHES]) 347 print_ematch(f, tb[TCA_FLOW_EMATCHES]); 348 if (tb[TCA_FLOW_POLICE]) 349 tc_print_police(f, tb[TCA_FLOW_POLICE]); 350 if (tb[TCA_FLOW_ACT]) { 351 fprintf(f, "\n"); 352 tc_print_action(f, tb[TCA_FLOW_ACT]); 353 } 354 return 0; 355 } 356 357 struct filter_util flow_filter_util = { 358 .id = "flow", 359 .parse_fopt = flow_parse_opt, 360 .print_fopt = flow_print_opt, 361 }; 362
