1 /* 2 * f_flow.c Flow filter 3 * 4 * This program is free software; you can redistribute it and/or 5 * modify it under the terms of the GNU General Public License 6 * as published by the Free Software Foundation; either version 7 * 2 of the License, or (at your option) any later version. 8 * 9 * Authors: Patrick McHardy <kaber (at) trash.net> 10 */ 11 #include <stdio.h> 12 #include <stdlib.h> 13 #include <unistd.h> 14 #include <string.h> 15 #include <errno.h> 16 17 #include "utils.h" 18 #include "tc_util.h" 19 #include "m_ematch.h" 20 21 static void explain(void) 22 { 23 fprintf(stderr, 24 "Usage: ... flow ...\n" 25 "\n" 26 " [mapping mode]: map key KEY [ OPS ] ...\n" 27 " [hashing mode]: hash keys KEY-LIST ... [ perturb SECS ]\n" 28 "\n" 29 " [ divisor NUM ] [ baseclass ID ] [ match EMATCH_TREE ]\n" 30 " [ action ACTION_SPEC ]\n" 31 "\n" 32 "KEY-LIST := [ KEY-LIST , ] KEY\n" 33 "KEY := [ src | dst | proto | proto-src | proto-dst | iif | priority |\n" 34 " mark | nfct | nfct-src | nfct-dst | nfct-proto-src |\n" 35 " nfct-proto-dst | rt-classid | sk-uid | sk-gid |\n" 36 " vlan-tag | rxhash ]\n" 37 "OPS := [ or NUM | and NUM | xor NUM | rshift NUM | addend NUM ]\n" 38 "ID := X:Y\n" 39 ); 40 } 41 42 static const char *flow_keys[FLOW_KEY_MAX+1] = { 43 [FLOW_KEY_SRC] = "src", 44 [FLOW_KEY_DST] = "dst", 45 [FLOW_KEY_PROTO] = "proto", 46 [FLOW_KEY_PROTO_SRC] = "proto-src", 47 [FLOW_KEY_PROTO_DST] = "proto-dst", 48 [FLOW_KEY_IIF] = "iif", 49 [FLOW_KEY_PRIORITY] = "priority", 50 [FLOW_KEY_MARK] = "mark", 51 [FLOW_KEY_NFCT] = "nfct", 52 [FLOW_KEY_NFCT_SRC] = "nfct-src", 53 [FLOW_KEY_NFCT_DST] = "nfct-dst", 54 [FLOW_KEY_NFCT_PROTO_SRC] = "nfct-proto-src", 55 [FLOW_KEY_NFCT_PROTO_DST] = "nfct-proto-dst", 56 [FLOW_KEY_RTCLASSID] = "rt-classid", 57 [FLOW_KEY_SKUID] = "sk-uid", 58 [FLOW_KEY_SKGID] = "sk-gid", 59 [FLOW_KEY_VLAN_TAG] = "vlan-tag", 60 [FLOW_KEY_RXHASH] = "rxhash", 61 }; 62 63 static int flow_parse_keys(__u32 *keys, __u32 *nkeys, char *argv) 64 { 65 char *s, *sep; 66 unsigned int i; 67 68 *keys = 0; 69 *nkeys = 0; 70 s = argv; 71 while (s != NULL) { 72 sep = strchr(s, ','); 73 if (sep) 74 *sep = '\0'; 75 76 for (i = 0; i <= FLOW_KEY_MAX; i++) { 77 if (matches(s, flow_keys[i]) == 0) { 78 *keys |= 1 << i; 79 (*nkeys)++; 80 break; 81 } 82 } 83 if (i > FLOW_KEY_MAX) { 84 fprintf(stderr, "Unknown flow key \"%s\"\n", s); 85 return -1; 86 } 87 s = sep ? sep + 1 : NULL; 88 } 89 return 0; 90 } 91 92 static void transfer_bitop(__u32 *mask, __u32 *xor, __u32 m, __u32 x) 93 { 94 *xor = x ^ (*xor & m); 95 *mask &= m; 96 } 97 98 static int get_addend(__u32 *addend, char *argv, __u32 keys) 99 { 100 inet_prefix addr; 101 int sign = 0; 102 __u32 tmp; 103 104 if (*argv == '-') { 105 sign = 1; 106 argv++; 107 } 108 109 if (get_u32(&tmp, argv, 0) == 0) 110 goto out; 111 112 if (keys & (FLOW_KEY_SRC | FLOW_KEY_DST | 113 FLOW_KEY_NFCT_SRC | FLOW_KEY_NFCT_DST) && 114 get_addr(&addr, argv, AF_UNSPEC) == 0) { 115 switch (addr.family) { 116 case AF_INET: 117 tmp = ntohl(addr.data[0]); 118 goto out; 119 case AF_INET6: 120 tmp = ntohl(addr.data[3]); 121 goto out; 122 } 123 } 124 125 return -1; 126 out: 127 if (sign) 128 tmp = -tmp; 129 *addend = tmp; 130 return 0; 131 } 132 133 static int flow_parse_opt(struct filter_util *fu, char *handle, 134 int argc, char **argv, struct nlmsghdr *n) 135 { 136 struct tcmsg *t = NLMSG_DATA(n); 137 struct rtattr *tail; 138 __u32 mask = ~0U, xor = 0; 139 __u32 keys = 0, nkeys = 0; 140 __u32 mode = FLOW_MODE_MAP; 141 __u32 tmp; 142 143 if (handle) { 144 if (get_u32(&t->tcm_handle, handle, 0)) { 145 fprintf(stderr, "Illegal \"handle\"\n"); 146 return -1; 147 } 148 } 149 150 tail = NLMSG_TAIL(n); 151 addattr_l(n, 4096, TCA_OPTIONS, NULL, 0); 152 153 while (argc > 0) { 154 if (matches(*argv, "map") == 0) { 155 mode = FLOW_MODE_MAP; 156 } else if (matches(*argv, "hash") == 0) { 157 mode = FLOW_MODE_HASH; 158 } else if (matches(*argv, "keys") == 0) { 159 NEXT_ARG(); 160 if (flow_parse_keys(&keys, &nkeys, *argv)) 161 return -1; 162 addattr32(n, 4096, TCA_FLOW_KEYS, keys); 163 } else if (matches(*argv, "and") == 0) { 164 NEXT_ARG(); 165 if (get_u32(&tmp, *argv, 0)) { 166 fprintf(stderr, "Illegal \"mask\"\n"); 167 return -1; 168 } 169 transfer_bitop(&mask, &xor, tmp, 0); 170 } else if (matches(*argv, "or") == 0) { 171 NEXT_ARG(); 172 if (get_u32(&tmp, *argv, 0)) { 173 fprintf(stderr, "Illegal \"or\"\n"); 174 return -1; 175 } 176 transfer_bitop(&mask, &xor, ~tmp, tmp); 177 } else if (matches(*argv, "xor") == 0) { 178 NEXT_ARG(); 179 if (get_u32(&tmp, *argv, 0)) { 180 fprintf(stderr, "Illegal \"xor\"\n"); 181 return -1; 182 } 183 transfer_bitop(&mask, &xor, ~0, tmp); 184 } else if (matches(*argv, "rshift") == 0) { 185 NEXT_ARG(); 186 if (get_u32(&tmp, *argv, 0)) { 187 fprintf(stderr, "Illegal \"rshift\"\n"); 188 return -1; 189 } 190 addattr32(n, 4096, TCA_FLOW_RSHIFT, tmp); 191 } else if (matches(*argv, "addend") == 0) { 192 NEXT_ARG(); 193 if (get_addend(&tmp, *argv, keys)) { 194 fprintf(stderr, "Illegal \"addend\"\n"); 195 return -1; 196 } 197 addattr32(n, 4096, TCA_FLOW_ADDEND, tmp); 198 } else if (matches(*argv, "divisor") == 0) { 199 NEXT_ARG(); 200 if (get_u32(&tmp, *argv, 0)) { 201 fprintf(stderr, "Illegal \"divisor\"\n"); 202 return -1; 203 } 204 addattr32(n, 4096, TCA_FLOW_DIVISOR, tmp); 205 } else if (matches(*argv, "baseclass") == 0) { 206 NEXT_ARG(); 207 if (get_tc_classid(&tmp, *argv) || TC_H_MIN(tmp) == 0) { 208 fprintf(stderr, "Illegal \"baseclass\"\n"); 209 return -1; 210 } 211 addattr32(n, 4096, TCA_FLOW_BASECLASS, tmp); 212 } else if (matches(*argv, "perturb") == 0) { 213 NEXT_ARG(); 214 if (get_u32(&tmp, *argv, 0)) { 215 fprintf(stderr, "Illegal \"perturb\"\n"); 216 return -1; 217 } 218 addattr32(n, 4096, TCA_FLOW_PERTURB, tmp); 219 } else if (matches(*argv, "police") == 0) { 220 NEXT_ARG(); 221 if (parse_police(&argc, &argv, TCA_FLOW_POLICE, n)) { 222 fprintf(stderr, "Illegal \"police\"\n"); 223 return -1; 224 } 225 continue; 226 } else if (matches(*argv, "action") == 0) { 227 NEXT_ARG(); 228 if (parse_action(&argc, &argv, TCA_FLOW_ACT, n)) { 229 fprintf(stderr, "Illegal \"action\"\n"); 230 return -1; 231 } 232 continue; 233 } else if (matches(*argv, "match") == 0) { 234 NEXT_ARG(); 235 if (parse_ematch(&argc, &argv, TCA_FLOW_EMATCHES, n)) { 236 fprintf(stderr, "Illegal \"ematch\"\n"); 237 return -1; 238 } 239 continue; 240 } else if (matches(*argv, "help") == 0) { 241 explain(); 242 return -1; 243 } else { 244 fprintf(stderr, "What is \"%s\"?\n", *argv); 245 explain(); 246 return -1; 247 } 248 argv++, argc--; 249 } 250 251 if (nkeys > 1 && mode != FLOW_MODE_HASH) { 252 fprintf(stderr, "Invalid mode \"map\" for multiple keys\n"); 253 return -1; 254 } 255 addattr32(n, 4096, TCA_FLOW_MODE, mode); 256 257 if (mask != ~0 || xor != 0) { 258 addattr32(n, 4096, TCA_FLOW_MASK, mask); 259 addattr32(n, 4096, TCA_FLOW_XOR, xor); 260 } 261 262 tail->rta_len = (void *)NLMSG_TAIL(n) - (void *)tail; 263 return 0; 264 } 265 266 static int flow_print_opt(struct filter_util *fu, FILE *f, struct rtattr *opt, 267 __u32 handle) 268 { 269 struct rtattr *tb[TCA_FLOW_MAX+1]; 270 271 SPRINT_BUF(b1); 272 unsigned int i; 273 __u32 mask = ~0, val = 0; 274 275 if (opt == NULL) 276 return -EINVAL; 277 278 parse_rtattr_nested(tb, TCA_FLOW_MAX, opt); 279 280 fprintf(f, "handle 0x%x ", handle); 281 282 if (tb[TCA_FLOW_MODE]) { 283 __u32 mode = rta_getattr_u32(tb[TCA_FLOW_MODE]); 284 285 switch (mode) { 286 case FLOW_MODE_MAP: 287 fprintf(f, "map "); 288 break; 289 case FLOW_MODE_HASH: 290 fprintf(f, "hash "); 291 break; 292 } 293 } 294 295 if (tb[TCA_FLOW_KEYS]) { 296 __u32 keymask = rta_getattr_u32(tb[TCA_FLOW_KEYS]); 297 char *sep = ""; 298 299 fprintf(f, "keys "); 300 for (i = 0; i <= FLOW_KEY_MAX; i++) { 301 if (keymask & (1 << i)) { 302 fprintf(f, "%s%s", sep, flow_keys[i]); 303 sep = ","; 304 } 305 } 306 fprintf(f, " "); 307 } 308 309 if (tb[TCA_FLOW_MASK]) 310 mask = rta_getattr_u32(tb[TCA_FLOW_MASK]); 311 if (tb[TCA_FLOW_XOR]) 312 val = rta_getattr_u32(tb[TCA_FLOW_XOR]); 313 314 if (mask != ~0 || val != 0) { 315 __u32 or = (mask & val) ^ val; 316 __u32 xor = mask & val; 317 318 if (mask != ~0) 319 fprintf(f, "and 0x%.8x ", mask); 320 if (xor != 0) 321 fprintf(f, "xor 0x%.8x ", xor); 322 if (or != 0) 323 fprintf(f, "or 0x%.8x ", or); 324 } 325 326 if (tb[TCA_FLOW_RSHIFT]) 327 fprintf(f, "rshift %u ", 328 rta_getattr_u32(tb[TCA_FLOW_RSHIFT])); 329 if (tb[TCA_FLOW_ADDEND]) 330 fprintf(f, "addend 0x%x ", 331 rta_getattr_u32(tb[TCA_FLOW_ADDEND])); 332 333 if (tb[TCA_FLOW_DIVISOR]) 334 fprintf(f, "divisor %u ", 335 rta_getattr_u32(tb[TCA_FLOW_DIVISOR])); 336 if (tb[TCA_FLOW_BASECLASS]) 337 fprintf(f, "baseclass %s ", 338 sprint_tc_classid(rta_getattr_u32(tb[TCA_FLOW_BASECLASS]), b1)); 339 340 if (tb[TCA_FLOW_PERTURB]) 341 fprintf(f, "perturb %usec ", 342 rta_getattr_u32(tb[TCA_FLOW_PERTURB])); 343 344 if (tb[TCA_FLOW_EMATCHES]) 345 print_ematch(f, tb[TCA_FLOW_EMATCHES]); 346 if (tb[TCA_FLOW_POLICE]) 347 tc_print_police(f, tb[TCA_FLOW_POLICE]); 348 if (tb[TCA_FLOW_ACT]) { 349 fprintf(f, "\n"); 350 tc_print_action(f, tb[TCA_FLOW_ACT], 0); 351 } 352 return 0; 353 } 354 355 struct filter_util flow_filter_util = { 356 .id = "flow", 357 .parse_fopt = flow_parse_opt, 358 .print_fopt = flow_print_opt, 359 }; 360
