From: Roopa Prabhu
To: dsahern@gmail.com
Cc: netdev@vger.kernel.org
Subject: [PATCH iproute2 net-next v5] iprule: support for ip_proto, sport and dport match options
Date: Thu, 8 Mar 2018 10:06:47 -0800
Message-Id: <1520532407-22966-1-git-send-email-roopa@cumulusnetworks.com>

From: Roopa Prabhu

Add support to match on ip_proto, sport and dport ranges. For ip_proto,
this patch currently enumerates tcp, udp and sctp. This list can be
extended in the future.

example:

$ip rule add sport 666-777 dport 999 ip_proto tcp table 100
$ip rule show
0:      from all lookup local
32765:  from all ip_proto 6 sport 666-777 dport 999 lookup 100
32766:  from all lookup main
32767:  from all lookup default

Signed-off-by: Roopa Prabhu
---
v2: use inet_proto_* as suggested by David Ahern
v3: fix newlines in usage (feedback from David Ahern)
v4: fixes for json (feedback from Stephen H).
v5: drop uapi header update from patch, use int for inet_proto_a2n
    return val to catch invalid proto errors, rename ip_proto to
    ipproto to be consistent with tc

 ip/iprule.c        | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 man/man8/ip-rule.8 | 32 +++++++++++++++++++++++++-
 2 files changed, 98 insertions(+), 1 deletion(-)

diff --git a/ip/iprule.c b/ip/iprule.c
index a49753e..8b94214 100644
--- a/ip/iprule.c
+++ b/ip/iprule.c
@@ -47,6 +47,9 @@ static void usage(void) "SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ]\n" " [ iif STRING ] [ oif STRING ] [ pref NUMBER ] [ l3mdev ]\n" " [ uidrange NUMBER-NUMBER ]\n" + " [ ipproto PROTOCOL ]\n" + " [ sport [ NUMBER | NUMBER-NUMBER ]\n" + " [ dport [ NUMBER | NUMBER-NUMBER ] ]\n" "ACTION := [ table TABLE_ID ]\n" " [ protocol PROTO ]\n" " [ nat ADDRESS ]\n" @@ -306,6 +309,37 @@ int print_rule(const struct sockaddr_nl *who, struct nlmsghdr *n, void *arg) print_uint(PRINT_ANY, "uid_end", "-%u ", r->end); } + if (tb[FRA_IP_PROTO]) { + SPRINT_BUF(pbuf); + print_string(PRINT_ANY, "ipproto", "ipproto %s ", + inet_proto_n2a(rta_getattr_u8(tb[FRA_IP_PROTO]), + pbuf, sizeof(pbuf))); + } + + if (tb[FRA_SPORT_RANGE]) { + struct fib_rule_port_range *r = RTA_DATA(tb[FRA_SPORT_RANGE]); + + if (r->start == r->end) { + print_uint(PRINT_ANY, "sport", "sport %u ", r->start); + } else { + print_uint(PRINT_ANY, "sport_start", "sport %u", + r->start); + print_uint(PRINT_ANY, "sport_end", "-%u ", r->end); + } + } + + if (tb[FRA_DPORT_RANGE]) { + struct fib_rule_port_range *r = RTA_DATA(tb[FRA_DPORT_RANGE]); + + if (r->start == r->end) { + print_uint(PRINT_ANY, "dport", "dport %u ", r->start); + } else { + print_uint(PRINT_ANY, "dport_start", "dport %u", + r->start); + print_uint(PRINT_ANY, "dport_end", "-%u ", r->end); + } + } + table = frh_get_table(frh, tb); if (table) { print_string(PRINT_ANY, "table", 
@@ -802,6 +836,39 @@ static int iprule_modify(int cmd, int argc, char **argv) addattr32(&req.n, sizeof(req), RTA_GATEWAY, get_addr32(*argv)); req.frh.action = RTN_NAT; + } else if (strcmp(*argv, "ipproto") == 0) { + int ipproto; + + NEXT_ARG(); + ipproto = inet_proto_a2n(*argv); + if (ipproto < 0) + invarg("Invalid \"ipproto\" value\n", + *argv); + addattr8(&req.n, sizeof(req), FRA_IP_PROTO, ipproto); + } else if (strcmp(*argv, "sport") == 0) { + struct fib_rule_port_range r; + int ret = 0; + + NEXT_ARG(); + ret = sscanf(*argv, "%hu-%hu", &r.start, &r.end); + if (ret == 1) + r.end = r.start; + else if (ret != 2) + invarg("invalid port range\n", *argv); + addattr_l(&req.n, sizeof(req), FRA_SPORT_RANGE, &r, + sizeof(r)); + } else if (strcmp(*argv, "dport") == 0) { + struct fib_rule_port_range r; + int ret = 0; + + NEXT_ARG(); + ret = sscanf(*argv, "%hu-%hu", &r.start, &r.end); + if (ret == 1) + r.end = r.start; + else if (ret != 2) + invarg("invalid dport range\n", *argv); + addattr_l(&req.n, sizeof(req), FRA_DPORT_RANGE, &r, + sizeof(r)); } else { int type; diff --git a/man/man8/ip-rule.8 b/man/man8/ip-rule.8 index 7cf8fd9..1455a49 100644 --- a/man/man8/ip-rule.8 +++ b/man/man8/ip-rule.8 @@ -44,7 +44,19 @@ ip-rule \- routing policy database management .IR STRING " ] [ " .B pref .IR NUMBER " ] [ " -.BR l3mdev " ]" +.IR l3mdev " ] [ " +.B uidrange +.IR NUMBER "-" NUMBER " ] [ " +.B ipproto +.IR PROTOCOL " ] [ " +.BR sport " [ " +.IR NUMBER " | " +.IR NUMBER "-" NUMBER " ] ] [ " +.BR dport " [ " +.IR NUMBER " | " +.IR NUMBER "-" NUMBER " ] ]" +.BR + .ti -8 .IR ACTION " := [ " 
@@ -227,6 +239,24 @@ select the value to match. .TP +.BI uidrange " NUMBER-NUMBER" +select the +.B uid +value to match. + +.TP +.BI ipproto " PROTOCOL" +select the ip protocol value to match. + +.TP +.BI sport " NUMBER | NUMBER-NUMBER" +select the source port value to match. supports port range. + +.TP +.BI dport " NUMBER | NUMBER-NUMBER" +select the destination port value to match. supports port range. + +.TP .BI priority " PREFERENCE" the priority of this rule. .I PREFERENCE -- 2.1.4
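Review bot: The new sport usage line in the first iprule.c hunk (usage()) is missing its closing bracket: `" [ sport [ NUMBER | NUMBER-NUMBER ]\n"` opens two brackets and closes only one, while the dport line right after it correctly reads `" [ dport [ NUMBER | NUMBER-NUMBER ] ]\n"`. Make the sport line match so the help text brackets balance.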
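Review bot: In the print_rule() hunk the JSON key shape for a port match depends on the value: a single port emits one key (`sport`), a range emits two (`sport_start`, `sport_end`), and the same holds for dport, so a JSON consumer has to probe for both forms. That mirrors the existing uidrange output (`uid_start`/`uid_end`) and is acceptable for consistency, but say so in the commit message. Also, FRA_IP_PROTO, FRA_SPORT_RANGE and FRA_DPORT_RANGE are kernel uapi attributes and v5 drops the uapi header update from this patch, so this hunk does not build until the fib_rules.h headers in iproute2 are synced separately; a one-line note on that dependency would help whoever applies it.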
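Review bot: The sport/dport parsing in the iprule_modify() hunk accepts malformed input silently: `sscanf(*argv, "%hu-%hu", &r.start, &r.end)` takes `80-90junk` (trailing text is ignored), negative numbers and values above 65535 (out-of-range conversions wrap instead of failing), and a reversed range such as `90-80` is sent to the kernel, which rejects it with a bare EINVAL rather than a message the user can act on. Parse each side with get_u16() (or strtoul with an end-pointer check) and reject r.start > r.end locally via invarg(). The two branches are also identical apart from the attribute type and the error string (`"invalid port range\n"` vs `"invalid dport range\n"`); a small helper taking the FRA_*_RANGE attribute as a parameter would remove the duplication and make the two messages consistent. The `int ret = 0;` initializer is redundant since ret is assigned immediately.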
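Review bot: The synopsis hunk in man/man8/ip-rule.8 changes `l3mdev` from `.BR l3mdev " ]"` to `.IR l3mdev " ] [ "`, which turns the keyword from bold to italic; in this synopsis keywords use `.B`/`.BR` and only arguments use `.I`/`.IR`, so it should read `.BR l3mdev " ] [ "`. The trailing `+.BR` line with no arguments is a stray empty macro and should be dropped. Adding `uidrange` to the synopsis is a separate fix (it is already present in usage() as existing context in the first hunk) that the commit message does not mention; either mention it or split it into its own patch.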
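Review bot: The descriptions added in the last ip-rule.8 hunk say less than the commit message does: `ipproto` reads only "select the ip protocol value to match", while the commit text states that the accepted names are currently tcp, udp and sctp, and the sport/dport entries should spell out how a range is written (NUMBER-NUMBER, as in the `sport 666-777` example in the commit message). Capitalize the sentence starts too ("supports port range." should be "Supports a port range."). As with the synopsis, the `uidrange` description is an unrelated addition that the changelog does not mention.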