linux内核 策略路由之添加
4.3策略规则的添加
对于策略规则的添加,也可以抽象出通用规则接口函数,然后根据传参进入协议相关的策略规则的接口函数;
4.3.1 通用规则的添加
在规则初始化时,会注册添加函数fib_nl_newrule
rtnl_register(PF_UNSPEC, RTM_NEWRULE, fib_nl_newrule, NULL);
接下来,分析创建规则fib_nl_newrule函数
功能:
(1)根据应用层传递的协议类型,找到相应的fib_rules_ops变量;
(2)解析应用层传入的数据;
(3)针对源IP和目的IP,有效性检查
(4)分配新的fib_rule缓存,并对优先级、接口index、接口名称、mark值、action等赋值;
(5)调用协议对应的configure函数,对fib_rule的源IP、目的IP、掩码、tos进行配置;
(6)将fib_rule添加到rule_lists中,并通过netlink通知其他进程。
4.3.1.1 查找fib_rule对应的ops
功能:
根据协议簇 在链表rules_ops中查找符合要求的fib_rules_ops类型的变量;
对于IPV4,变量为fib4_rules_ops。
4.3.2 协议相关规则的配置
此处以IPV4协议类型为例,
对于策略规则的添加,也可以抽象出通用规则接口函数,然后根据传参进入协议相关的策略规则的接口函数;
4.3.1 通用规则的添加
在规则初始化时,会注册添加函数fib_nl_newrule
rtnl_register(PF_UNSPEC, RTM_NEWRULE, fib_nl_newrule, NULL);
接下来,分析创建规则fib_nl_newrule函数
功能:
(1)根据应用层传递的协议类型,找到相应的fib_rules_ops变量;
(2)解析应用层传入的数据;
(3)针对源IP和目的IP,有效性检查
(4)分配新的fib_rule缓存,并对优先级、接口index、接口名称、mark值、action等赋值;
(5)调用协议对应的configure函数,对fib_rule的源IP、目的IP、掩码、tos进行配置;
(6)将fib_rule添加到rule_lists中,并通过netlink通知其他进程。
static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
{
struct net *net = sock_net(skb->sk);
struct fib_rule_hdr *frh = nlmsg_data(nlh);
struct fib_rules_ops *ops = NULL;
struct fib_rule *rule, *r, *last = NULL;
struct nlattr *tb[FRA_MAX+1];
int err = -EINVAL, unresolved = 0;
if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh)))
goto errout;
//根据应用层传递的协议类型,找到相应的fib_rules_ops变量
//ipv4对应的是fib4_rules_ops
ops = lookup_rules_ops(net, frh->family);
if (ops == NULL) {
err = -EAFNOSUPPORT;
goto errout;
}
//解析应用层传入的数据nlh,放入tb中。
err = nlmsg_parse(nlh, sizeof(*frh), tb, FRA_MAX, ops->policy);
if (err < 0)
goto errout;
//有效性检查,针对源IP和目的IP
err = validate_rulemsg(frh, tb, ops);
if (err < 0)
goto errout;
//分配新的fib_rule缓存
rule = kzalloc(ops->rule_size, GFP_KERNEL);
if (rule == NULL) {
err = -ENOMEM;
goto errout;
}
rule->fr_net = hold_net(net);//增加rule->net的引用计数
if (tb[FRA_PRIORITY])
rule->pref = nla_get_u32(tb[FRA_PRIORITY]);//设置优先级
if (tb[FRA_IFNAME]) {
struct net_device *dev;
rule->ifindex = -1;//接口index
nla_strlcpy(rule->ifname, tb[FRA_IFNAME], IFNAMSIZ);//接口名称
dev = __dev_get_by_name(net, rule->ifname);//通过接口名找dev
if (dev)
rule->ifindex = dev->ifindex;//将dev的index赋值给rule接口index
}
if (tb[FRA_FWMARK]) {
rule->mark = nla_get_u32(tb[FRA_FWMARK]);//mark值
if (rule->mark)
/* compatibility: if the mark value is non-zero all bits
* are compared unless a mask is explicitly specified.
*/
rule->mark_mask = 0xFFFFFFFF;
}
if (tb[FRA_FWMASK])
rule->mark_mask = nla_get_u32(tb[FRA_FWMASK]);//mark掩码值
//设置规则action,table id,实现规则与路由表的关联
rule->action = frh->action;
rule->flags = frh->flags;
rule->table = frh_get_table(frh, tb);
//获取默认优先级为除0外的最高优先级 ??怎么理解
if (!rule->pref && ops->default_pref)
rule->pref = ops->default_pref(ops);
err = -EINVAL;
if (tb[FRA_GOTO]) {
if (rule->action != FR_ACT_GOTO)
goto errout_free;
rule->target = nla_get_u32(tb[FRA_GOTO]);
/* Backward jumps are prohibited to avoid endless loops */
if (rule->target <= rule->pref)
goto errout_free;
list_for_each_entry(r, &ops->rules_list, list) {
if (r->pref == rule->target) {
rule->ctarget = r;
break;
}
}
if (rule->ctarget == NULL)
unresolved = 1;
} else if (rule->action == FR_ACT_GOTO)
goto errout_free;
//调用协议对应的configure函数,这里就是协议相关的添加
err = ops->configure(rule, skb, frh, tb);
if (err < 0)
goto errout_free;
//找到第一个pref比新创建的fib_rule的pref值大的 fib_rule
//然后将新创建的fib_rule添到该规则之前
//若没有找到,则添加到已有规则链表之后
list_for_each_entry(r, &ops->rules_list, list) {
if (r->pref > rule->pref)
break;
last = r;
}
fib_rule_get(rule);//增加fib_rule的引用计数
if (ops->unresolved_rules) {
/*
* There are unresolved goto rules in the list, check if
* any of them are pointing to this new rule.
*/
list_for_each_entry(r, &ops->rules_list, list) {
if (r->action == FR_ACT_GOTO &&
r->target == rule->pref) {
BUG_ON(r->ctarget != NULL);
rcu_assign_pointer(r->ctarget, rule);
if (--ops->unresolved_rules == 0)
break;
}
}
}
if (rule->action == FR_ACT_GOTO)
ops->nr_goto_rules++;
if (unresolved)
ops->unresolved_rules++;
//根据优先级,将fib_rule添到rules_list链表中
if (last)
list_add_rcu(&rule->list, &last->list);
else
list_add_rcu(&rule->list, &ops->rules_list);
//通过netlink通知其他进程
notify_rule_change(RTM_NEWRULE, rule, ops, nlh, NETLINK_CB(skb).pid);
flush_route_cache(ops);//刷新路由缓存
rules_ops_put(ops);//将一个特定模块module的引用计数减1
return 0;
errout_free:
release_net(rule->fr_net);//减少rule->net的引用计数
kfree(rule);
errout:
rules_ops_put(ops);
return err;
}4.3.1.1 查找fib_rule对应的ops
功能:
根据协议簇 在链表rules_ops中查找符合要求的fib_rules_ops类型的变量;
对于IPV4,变量为fib4_rules_ops。
static struct fib_rules_ops *lookup_rules_ops(struct net *net, int family)
{
struct fib_rules_ops *ops;
rcu_read_lock();
list_for_each_entry_rcu(ops, &net->rules_ops, list) {
if (ops->family == family) {
if (!try_module_get(ops->owner))
ops = NULL;
rcu_read_unlock();
return ops;
}
}
rcu_read_unlock();
return NULL;
}4.3.2 协议相关规则的配置
此处以IPV4协议类型为例,
功能:
ipv4的配置函数,根据应用层传参,设置fib4_rule变量参数:源IP、目的IP、掩码、路由表ID、tos;
static int fib4_rule_configure(struct fib_rule *rule, struct sk_buff *skb,
struct fib_rule_hdr *frh,
struct nlattr **tb)// tb 添加策略规则的可选属性
{
struct net *net = sock_net(skb->sk);
int err = -EINVAL;
struct fib4_rule *rule4 = (struct fib4_rule *) rule;
if (frh->tos & ~IPTOS_TOS_MASK)
goto errout;
//若应用层没有设置路由表ID,则创建一个新的,并赋值给rule->table
if (rule->table == RT_TABLE_UNSPEC) {
if (rule->action == FR_ACT_TO_TBL) {
struct fib_table *table;
table = fib_empty_table(net);
if (table == NULL) {
err = -ENOBUFS;
goto errout;
}
rule->table = table->tb_id;
}
}
if (frh->src_len)
rule4->src = nla_get_be32(tb[FRA_SRC]);
if (frh->dst_len)
rule4->dst = nla_get_be32(tb[FRA_DST]);
#ifdef CONFIG_NET_CLS_ROUTE
if (tb[FRA_FLOW])
rule4->tclassid = nla_get_u32(tb[FRA_FLOW]);
#endif
rule4->src_len = frh->src_len;
rule4->srcmask = inet_make_mask(rule4->src_len);
rule4->dst_len = frh->dst_len;
rule4->dstmask = inet_make_mask(rule4->dst_len);
rule4->tos = frh->tos;
err = 0;
errout:
return err;
}