[PATCH iproute2 net-next v5] iprule: support for ip_proto, sport and dport match options

* [PATCH iproute2 net-next v5] iprule: support for ip_proto, sport and dport match options
@ 2018-03-08 18:06 Roopa Prabhu
  2018-03-08 18:14 ` David Ahern
  0 siblings, 1 reply; 2+ messages in thread
From: Roopa Prabhu @ 2018-03-08 18:06 UTC (permalink / raw)
  To: dsahern; +Cc: netdev

From: Roopa Prabhu <roopa@cumulusnetworks.com>

add support to match on ip_proto, sport and dport ranges.
For ip_proto, this patch currently enumerates, tcp, udp and sctp.
This list can be extended in the future.

example:
$ip rule add sport 666-777 dport 999 ip_proto tcp table 100
$ip rule show
0:      from all lookup local
32765:  from all ip_proto 6 sport 666-777 dport 999 lookup 100
32766:  from all lookup main
32767:  from all lookup default

Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
---
v2: use inet_proto_* as suggested by David Ahern

v3: fix newlines in usage (feedback from David Ahern)

v4: fixes for json (feedback from Stephen H).

v5: drop uapi header update from patch, use int for inet_proto_a2n
return val to catch invalid proto errors, rename ip_proto to ipproto
to be consistent with tc

 ip/iprule.c        | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 man/man8/ip-rule.8 | 32 +++++++++++++++++++++++++-
 2 files changed, 98 insertions(+), 1 deletion(-)

diff --git a/ip/iprule.c b/ip/iprule.c
index a49753e..8b94214 100644
--- a/ip/iprule.c
+++ b/ip/iprule.c
@@ -47,6 +47,9 @@ static void usage(void)
 		"SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ]\n"
 		"            [ iif STRING ] [ oif STRING ] [ pref NUMBER ] [ l3mdev ]\n"
 		"            [ uidrange NUMBER-NUMBER ]\n"
+		"            [ ipproto PROTOCOL ]\n"
+		"            [ sport [ NUMBER | NUMBER-NUMBER ]\n"
+		"            [ dport [ NUMBER | NUMBER-NUMBER ] ]\n"
 		"ACTION := [ table TABLE_ID ]\n"
 		"          [ protocol PROTO ]\n"
 		"          [ nat ADDRESS ]\n"
@@ -306,6 +309,37 @@ int print_rule(const struct sockaddr_nl *who, struct nlmsghdr *n, void *arg)
 		print_uint(PRINT_ANY, "uid_end", "-%u ", r->end);
 	}
 
+	if (tb[FRA_IP_PROTO]) {
+		SPRINT_BUF(pbuf);
+		print_string(PRINT_ANY, "ipproto", "ipproto %s ",
+			     inet_proto_n2a(rta_getattr_u8(tb[FRA_IP_PROTO]),
+					    pbuf, sizeof(pbuf)));
+	}
+
+	if (tb[FRA_SPORT_RANGE]) {
+		struct fib_rule_port_range *r = RTA_DATA(tb[FRA_SPORT_RANGE]);
+
+		if (r->start == r->end) {
+			print_uint(PRINT_ANY, "sport", "sport %u ", r->start);
+		} else {
+			print_uint(PRINT_ANY, "sport_start", "sport %u",
+				   r->start);
+			print_uint(PRINT_ANY, "sport_end", "-%u ", r->end);
+		}
+	}
+
+	if (tb[FRA_DPORT_RANGE]) {
+		struct fib_rule_port_range *r = RTA_DATA(tb[FRA_DPORT_RANGE]);
+
+		if (r->start == r->end) {
+			print_uint(PRINT_ANY, "dport", "dport %u ", r->start);
+		} else {
+			print_uint(PRINT_ANY, "dport_start", "dport %u",
+				   r->start);
+			print_uint(PRINT_ANY, "dport_end", "-%u ", r->end);
+		}
+	}
+
 	table = frh_get_table(frh, tb);
 	if (table) {
 		print_string(PRINT_ANY, "table",
@@ -802,6 +836,39 @@ static int iprule_modify(int cmd, int argc, char **argv)
 			addattr32(&req.n, sizeof(req), RTA_GATEWAY,
 				  get_addr32(*argv));
 			req.frh.action = RTN_NAT;
+		} else if (strcmp(*argv, "ipproto") == 0) {
+			int ipproto;
+
+			NEXT_ARG();
+			ipproto = inet_proto_a2n(*argv);
+			if (ipproto < 0)
+				invarg("Invalid \"ipproto\" value\n",
+				       *argv);
+			addattr8(&req.n, sizeof(req), FRA_IP_PROTO, ipproto);
+		} else if (strcmp(*argv, "sport") == 0) {
+			struct fib_rule_port_range r;
+			int ret = 0;
+
+			NEXT_ARG();
+			ret = sscanf(*argv, "%hu-%hu", &r.start, &r.end);
+			if (ret == 1)
+				r.end = r.start;
+			else if (ret != 2)
+				invarg("invalid port range\n", *argv);
+			addattr_l(&req.n, sizeof(req), FRA_SPORT_RANGE, &r,
+				  sizeof(r));
+		} else if (strcmp(*argv, "dport") == 0) {
+			struct fib_rule_port_range r;
+			int ret = 0;
+
+			NEXT_ARG();
+			ret = sscanf(*argv, "%hu-%hu", &r.start, &r.end);
+			if (ret == 1)
+				r.end = r.start;
+			else if (ret != 2)
+				invarg("invalid dport range\n", *argv);
+			addattr_l(&req.n, sizeof(req), FRA_DPORT_RANGE, &r,
+				  sizeof(r));
 		} else {
 			int type;
 
diff --git a/man/man8/ip-rule.8 b/man/man8/ip-rule.8
index 7cf8fd9..1455a49 100644
--- a/man/man8/ip-rule.8
+++ b/man/man8/ip-rule.8
@@ -44,7 +44,19 @@ ip-rule \- routing policy database management
 .IR STRING " ] [ "
 .B  pref
 .IR NUMBER " ] [ "
-.BR l3mdev " ]"
+.IR l3mdev " ] [ "
+.B uidrange
+.IR NUMBER "-" NUMBER " ] [ "
+.B ipproto
+.IR PROTOCOL " ] [ "
+.BR sport " [ "
+.IR NUMBER " | "
+.IR NUMBER "-" NUMBER " ] ] [ "
+.BR dport " [ "
+.IR NUMBER " | "
+.IR NUMBER "-" NUMBER " ] ]"
+.BR
+
 
 .ti -8
 .IR ACTION " := [ "
@@ -227,6 +239,24 @@ select the
 value to match.
 
 .TP
+.BI uidrange " NUMBER-NUMBER"
+select the
+.B uid
+value to match.
+
+.TP
+.BI ipproto " PROTOCOL"
+select the ip protocol value to match.
+
+.TP
+.BI sport " NUMBER | NUMBER-NUMBER"
+select the source port value to match. supports port range.
+
+.TP
+.BI dport " NUMBER | NUMBER-NUMBER"
+select the destination port value to match. supports port range.
+
+.TP
 .BI priority " PREFERENCE"
 the priority of this rule.
 .I PREFERENCE
-- 
2.1.4

^ permalink raw reply related	[flat|nested] 2+ messages in thread