path: root/iprule.h
Commit message | Author | Age | Files | Lines
* treewide: correctly apply IFNAMSIZ limit | Jo-Philipp Wich | 2022-11-17 | 1 | -2/+2

  The `IFNAMSIZ` macro defines the required buffer size to hold a Linux interface name including the terminating zero byte while netifd currently uses an `IFNAMSIZ + 1` limit for interface name buffers.

  This causes netifd to use overlong names (16 instead of 15 bytes) in netlink communication with the kernel, leading to netlink failure replies due to policy violations.

  Fix this issue by applying the correct length, that is `IFNAMSIZ` directly, to the corresponding buffers.

  Ref: https://github.com/openwrt/openwrt/issues/11259
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* iprule: add support for uidrange | Matthew Hagan | 2022-01-22 | 1 | -0/+5

  Allow for per-user routing policies via the uidrange iprule option. Option allows for a single UID or range of UIDs.

  Signed-off-by: Matthew Hagan <mnhagan88@gmail.com>
  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* iprule: fix missing ip rules after a reload (FS#2296) | Hans Dedecker | 2019-05-27 | 1 | -9/+11

  Since commit 5cf79759a24e9bb2a6a3aef7c83d73efb9bf2df3 (iprule: rework interface based rules to handle dynamic interfaces) the rule comparison is broken and doesn't correctly recognize matching rules. This in turn breaks the reloading as adding the "new" rule fails because it already exists and it then deletes the "old" rule.

  The comparison is broken because it now includes fields that are not defining the rule itself, as well as some pointers to malloced strings. To fix this we move back the offending fields in the iprule struct before the 'flags' field and match the malloced strings separately.

  Signed-off-by: Alban Bedel <albeu@free.fr>
  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* iprule: rework interface based rules to handle dynamic interfaces | Alexander Couzens | 2018-07-05 | 1 | -0/+9

  Previously, netifd would only apply `ip rule`s during the config phase. If the iprule is depending on an interface (iif or oif), the rule will fail if the interface is not up.

  Allow iprules to track interfaces and their devices by using the interface events.

  Fixes: FS#1571
  Acked-by: Hans Dedecker <dedeckeh@gmail.com>
  Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* iprule: coding style line up | Hans Dedecker | 2017-06-11 | 1 | -10/+10

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* iprule: Add option to suppress unspecific routing lookups | Stefan Tomanek | 2017-06-11 | 1 | -0/+4

  After applying this patch, policy routing rules can be employed that ignore parts of a routing table. The following config snippet ignores routing lookups from the specified main routing table yielding the default route, passing the lookup process on to the next rule (that might provide a special default route for marked packets):

      config rule
          option priority 10
          # check main routing table first, but ignore default route result
          option lookup main
          option suppress_prefixlength 0

      config rule
          option priority 11
          # use special routing table for marked packets
          # (unless already consumed by previous rule)
          option mark 0xFF
          option lookup 100

  The result is a ruleset like this (only visible using the full 'ip' binary):

      # ip rule
      0:      from all lookup local
      10:     from all lookup main suppress_prefixlength 0
      11:     from all fwmark 0xff lookup 100
      32766:  from all lookup main
      32767:  from all lookup default
      #

  Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
* netifd: Route traffic from LAN to WAN using rules | Kristian Evensen | 2016-01-28 | 1 | -0/+1

  After commit ebd3d8417c7a ("interface: fix moving interface address routes to the table specified by ip[46]table"), it is no longer possible for clients on LAN to reach machines on the WAN.

  This patch restores support for clients on LAN reaching clients on WAN by using rules. The rules are placed after the address rules, in order to make sure that traffic originating from the router is routed correctly.

  Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
* interface-ip: Re-enable iif lo policy rules after main table lookup | Hans Dedecker | 2015-09-29 | 1 | -1/+1
* iprule: Insert network and address ip rules before main table lookup rule | Hans Dedecker | 2015-09-10 | 1 | -2/+2

  Specific IP address and network rules are now checked before the main table lookup as the main table often holds a default route. As a result the IP address and network rules pointing to a specific routing table will not be checked anymore; by reversing the order the specific routing tables are checked first if the ip rule matches.

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* IPv6: Remove IPv6 source-routing workaround (kernel is fixed) | Steven Barth | 2013-12-11 | 1 | -1/+0

  Signed-off-by: Steven Barth <steven@midlink.org>
* Add source-restricted routes | Steven Barth | 2013-10-18 | 1 | -1/+2
* config: use the new uci_blob library code | Felix Fietkau | 2013-06-10 | 1 | -1/+1

  Signed-off-by: Felix Fietkau <nbd@openwrt.org>
* IPv6: Improve source-routing policies | Steven Barth | 2013-06-03 | 1 | -0/+1

  * Set a default policy-failed rule per prefix (based on a patch by Jonas Gorski)
  * Use input interface in addition to source for filtering
  * Avoid duplicate routing policies
* Add option to define target routing table for protocol routes. | Steven Barth | 2013-05-17 | 1 | -0/+3

  This unifies source-routing for both IPv6 and IPv4 (default off).

  Based on a patch by Kristian Evensen
* Maintain config order of ip rules unless user explicitly provides priority | Jo-Philipp Wich | 2013-04-05 | 1 | -0/+1
* Add support for ip rules | Jo-Philipp Wich | 2013-04-04 | 1 | -0/+95