author | Pau Espin Pedrol <pespin@sysmocom.de> | 2017-10-13 14:32:09 +0200 |
---|---|---|
committer | Pau Espin Pedrol <pespin@sysmocom.de> | 2017-10-13 15:10:04 +0200 |
commit | 503f468366fc28720208aeee957bfb32a50a60d8 (patch) | |
tree | 0851e43c00d3faef3411ee83220437a1a021ceec /lib | |
parent | d6ede37b7e62ca7e3544b7319b9234c564365dca (diff) |
ippool: Implement and use blacklist instead of blindly using IPPOOL_NOGATEWAYpespin/ippool
Commit dda21ed7d4a897c9284c69175d0da598598eae40 modified previous calls
to ippool_new() removing the pass of flags to avoid allocating certain
problematic IPs from the pool to MS, such as the network, gateway and
broadcast IPs.
Today I did some unsuccessful tests with osmo-ggsn with a pool "ip prefix
dynamic 176.16.222.0/24", and thus IP 176.16.222.0 was being assigned to
the MS. De-capsulated DNS packets were received in the tun interface,
but the Linux system in there was unable to correctly forward the
packets to the gateway interface connected to the Internet. However,
adding a second MS which got 176.16.222.1 had its packets forwarded
correctly.
However, the previous implementation relies on the IPPOOL_NOGATEWAY flag to
blindly blacklist the first IP after the network IP (i.e., .0 and .1 are
removed), which limits the IP reserved for the tun device to be .1. If a
different IP in the range is assigned, it may cause issues. As a result,
a blacklist is introduced in this commit to dynamically fetch the tun IP
address and exclude it from the pool of available IPs.
Change-Id: I8e91f7280d60490c858a769dd578c1c8e54e9243
Diffstat (limited to 'lib')
-rw-r--r-- | lib/in46_addr.c | 48 | ||||
-rw-r--r-- | lib/in46_addr.h | 3 | ||||
-rw-r--r-- | lib/ippool.c | 35 | ||||
-rw-r--r-- | lib/ippool.h | 4 | ||||
-rw-r--r-- | lib/tun.c | 48 | ||||
-rw-r--r-- | lib/tun.h | 11 |
6 files changed, 130 insertions, 19 deletions
diff --git a/lib/in46_addr.c b/lib/in46_addr.c
index 068499c..7901be9 100644
--- a/lib/in46_addr.c
+++ b/lib/in46_addr.c
@@ -195,6 +195,54 @@ int in46a_within_mask(const struct in46_addr *addr, const struct in46_addr *net,
 }
 }
+unsigned int netmask_ipv4_prefixlen(const struct in_addr *netmask)
+{
+ struct in_addr tmp = *netmask;
+ int prefix = 0;
+
+ while (tmp.s_addr & 0x01) {
+ prefix++;
+ tmp.s_addr = tmp.s_addr >> 1;
+ }
+ return prefix;
+}
+
+unsigned int netmask_ipv6_prefixlen(const struct in6_addr *netmask)
+{
+ struct in6_addr tmp = *netmask;
+ int prefix = 0;
+
+ #if defined(__linux__)
+ #define ADDRFIELD(i) s6_addr32[i]
+ #else
+ #define ADDRFIELD(i) __u6_addr.__u6_addr32[i]
+ #endif
+
+ for (int i = 0; i < 4; i++) {
+ while (tmp.ADDRFIELD(i) & 0x01) {
+ prefix++;
+ tmp.ADDRFIELD(i) = tmp.ADDRFIELD(i) >> 1;
+ }
+ }
+
+ #undef ADDRFIELD
+
+ return prefix;
+}
+
+unsigned int in46a_prefixlen(const struct in46_addr *netmask)
+{
+ switch (netmask->len) {
+ case 4:
+ return netmask_ipv4_prefixlen(&netmask->v4);
+ case 16:
+ return netmask_ipv6_prefixlen(&netmask->v6);
+ default:
+ OSMO_ASSERT(0);
+ return 0;
+ }
+}
+
 /*! Convert given PDP End User Address to in46_addr
 * \returns 0 on success; negative on error */
 int in46a_to_eua(const struct in46_addr *src, struct ul66_t *eua)
diff --git a/lib/in46_addr.h b/lib/in46_addr.h
index ce2df14..109a933 100644
--- a/lib/in46_addr.h
+++ b/lib/in46_addr.h
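Review bot: `netmask_ipv4_prefixlen()` counts set bits from the least-significant end of `s_addr`, which holds the mask in network byte order, so the result depends on host endianness and is wrong for masks that are not byte-aligned: on a little-endian host 255.255.240.0 yields 16 rather than 20, and on a big-endian host any mask shorter than /32 yields 0. `netmask_ipv6_prefixlen()` has the same problem per 32-bit word, and its `ADDRFIELD` macro reaches into implementation-reserved member names on non-Linux builds. Counting leading one bits after `ntohl()`, and walking `s6_addr` byte by byte for IPv6, removes both the endianness dependence and the macro; this assumes `ntohl()` is already declared in this file, which the hunk does not show. The three new functions also lack the `/*! ... */` doc comment used on `in46a_to_eua()` just below.

```c
unsigned int netmask_ipv4_prefixlen(const struct in_addr *netmask)
{
	uint32_t bits = ntohl(netmask->s_addr);
	unsigned int prefix = 0;

	/* count leading one bits of the mask in host byte order */
	while (bits & 0x80000000u) {
		prefix++;
		bits <<= 1;
	}
	return prefix;
}

unsigned int netmask_ipv6_prefixlen(const struct in6_addr *netmask)
{
	unsigned int prefix = 0;

	/* s6_addr is a plain byte array, so no endianness or libc-specific field names */
	for (size_t i = 0; i < sizeof(netmask->s6_addr); i++) {
		uint8_t byte = netmask->s6_addr[i];

		while (byte & 0x80) {
			prefix++;
			byte <<= 1;
		}
	}
	return prefix;
}

/* … unchanged: in46a_prefixlen() … */
```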
@@ -27,6 +27,9 @@ extern const char *in46p_ntoa(const struct in46_prefix *in46p);
 extern int in46a_equal(const struct in46_addr *a, const struct in46_addr *b);
 extern int in46a_prefix_equal(const struct in46_addr *a, const struct in46_addr *b);
 extern int in46a_within_mask(const struct in46_addr *addr, const struct in46_addr *net, size_t prefixlen);
+extern unsigned int netmask_ipv4_prefixlen(const struct in_addr *netmask);
+extern unsigned int netmask_ipv6_prefixlen(const struct in6_addr *netmask);
+extern unsigned int in46a_prefixlen(const struct in46_addr *netmask);
 int in46a_to_eua(const struct in46_addr *src, struct ul66_t *eua);
 int in46a_from_eua(const struct ul66_t *eua, struct in46_addr *dst);
diff --git a/lib/ippool.c b/lib/ippool.c
index 03323e2..f1b4223 100644
--- a/lib/ippool.c
+++ b/lib/ippool.c
@@ -184,9 +184,18 @@ void in46a_inc(struct in46_addr *addr)
 }
 }
+static bool addr_in_prefix_list(struct in46_addr *addr, struct in46_prefix *list, size_t list_size)
+{
+ for (int i = 0; i < list_size; i++) {
+ if(in46a_prefix_equal(addr, &list[i].addr))
+ return true;
+ }
+ return false;
+}
+
 /* Create new address pool */
 int ippool_new(struct ippool_t **this, const struct in46_prefix *dyn, const struct in46_prefix *stat,
- int flags)
+ int flags, struct in46_prefix *blacklist, size_t blacklist_size)
 {
 /* Parse only first instance of pool for now */
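Review bot: `addr_in_prefix_list()` compares a signed `int i` against `size_t list_size` and takes both pointers non-`const` although it only reads them; `for (size_t i = 0; i < list_size; i++)` with `const struct in46_addr *addr, const struct in46_prefix *list` avoids the sign-compare warning and would let `ippool_new()` take a `const` blacklist like its `dyn` and `stat` parameters. A one-line comment is also worth adding, e.g. `/* true if addr matches the address part of any list entry; each entry's prefixlen is ignored */`, since the helper's name suggests prefix matching while the only test visible is `in46a_prefix_equal(addr, &list[i].addr)`. `ippool_new()` continues past the end of this hunk.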
@@ -210,18 +219,16 @@ int ippool_new(struct ippool_t **this, const struct in46_prefix *dyn, const stru
 if (addr.len == sizeof(struct in6_addr))
 addr.len = 64/8;
- /* Set IPPOOL_NONETWORK if IPPOOL_NOGATEWAY is set */
- if (flags & IPPOOL_NOGATEWAY) {
- flags |= IPPOOL_NONETWORK;
- }
-
 dynsize = (1 << (addr.len*8 - addrprefixlen));
 if (flags & IPPOOL_NONETWORK) /* Exclude network address from pool */
 dynsize--;
- if (flags & IPPOOL_NOGATEWAY) /* Exclude gateway address from pool */
- dynsize--;
 if (flags & IPPOOL_NOBROADCAST) /* Exclude broadcast address from pool */
 dynsize--;
+ /* Exclude included blacklist addresses from pool */
+ for (int i = 0; i < blacklist_size; i++) {
+ if (in46a_within_mask(&blacklist[i].addr, &addr, addrprefixlen))
+ dynsize--;
+ }
 }
 if (!stat || stat->addr.len == 0) {
@@ -278,13 +285,17 @@ int ippool_new(struct ippool_t **this, const struct in46_prefix *dyn, const stru
 (*this)->firstdyn = NULL;
 (*this)->lastdyn = NULL;
- if (flags & IPPOOL_NOGATEWAY) {
- in46a_inc(&addr);
- in46a_inc(&addr);
- } else if (flags & IPPOOL_NONETWORK) {
+ if (flags & IPPOOL_NONETWORK) {
 in46a_inc(&addr);
 }
 for (i = 0; i < dynsize; i++) {
+ if (addr_in_prefix_list(&addr, blacklist, blacklist_size)) {
+ SYS_ERR(DIP, LOGL_DEBUG, 0,
+ "addr blacklisted from pool: %s", in46a_ntoa(&addr));
+ in46a_inc(&addr);
+ i--;
+ continue;
+ }
 (*this)->member[i].addr = addr;
 in46a_inc(&addr);
diff --git a/lib/ippool.h b/lib/ippool.h
index 56beb4e..efb274b 100644
--- a/lib/ippool.h
+++ b/lib/ippool.h
@@ -31,7 +31,6 @@
 #define IPPOOL_NONETWORK 0x01
 #define IPPOOL_NOBROADCAST 0x02
-#define IPPOOL_NOGATEWAY 0x04
 #define IPPOOL_STATSIZE 0x10000
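Review bot: The pool size and the fill loop apply different tests to the same blacklist, so they can disagree: `dynsize` is decremented once per entry that passes `in46a_within_mask()`, while the loop in the following hunk (`@@ -278,13 +285,17 @@`) skips an address only when `addr_in_prefix_list()` matches it through `in46a_prefix_equal()`. An entry that is counted but never met by the loop (a duplicate, or one equal to the network address already stepped over for `IPPOOL_NONETWORK`) only shrinks the pool by one, but an entry that is skipped without having been counted would make the loop hand out one address past the end of the configured prefix. The IPv6 path deserves a check here, because `addr.len` is truncated to `64/8` a few lines above while `tun_ipv6_local_get()` fills its result with `len = sizeof(sin6->sin6_addr)`; how the two helpers treat mismatched lengths is not visible in this diff. Counting with the same predicate the loop uses, over de-duplicated entries, would keep the two in step.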
@@ -72,7 +71,8 @@ extern unsigned long int ippool_hash(struct in46_addr *addr);
 /* Create new address pool */
 extern int ippool_new(struct ippool_t **this, const struct in46_prefix *dyn,
- const struct in46_prefix *stat, int flags);
+ const struct in46_prefix *stat, int flags,
+ struct in46_prefix *blacklist, size_t blacklist_size);
 /* Delete existing address pool */
 extern int ippool_free(struct ippool_t *this);
@@ -751,8 +751,40 @@ int tun_runscript(struct tun_t *tun, char *script)
 #include <ifaddrs.h>
-/* obtain the link-local address of the tun device */
-int tun_ipv6_linklocal_get(const struct tun_t *tun, struct in6_addr *ia)
+/* Obtain the local address of the tun device */
+int tun_ipv4_local_get(const struct tun_t *tun, struct in46_prefix *prefix)
+{
+ struct ifaddrs *ifaddr, *ifa;
+
+ if (getifaddrs(&ifaddr) == -1) {
+ return -1;
+ }
+
+ for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
+ struct sockaddr_in *sin4 = (struct sockaddr_in *) ifa->ifa_addr;
+ struct sockaddr_in *netmask4 = (struct sockaddr_in *) ifa->ifa_netmask;
+ if (ifa->ifa_addr == NULL)
+ continue;
+
+ if (ifa->ifa_addr->sa_family != AF_INET)
+ continue;
+
+ if (strcmp(ifa->ifa_name, tun->devname))
+ continue;
+
+ prefix->addr.len = sizeof(sin4->sin_addr);
+ prefix->addr.v4 = sin4->sin_addr;
+ prefix->prefixlen = netmask_ipv4_prefixlen(&netmask4->sin_addr);
+ freeifaddrs(ifaddr);
+ return 0;
+ }
+ freeifaddrs(ifaddr);
+ return -1;
+}
+
+/* Obtain the local address of the tun device.
+ Type of IPv6 address can be specified with "flags = IPV6_TYPE_LINK | IPV6_TYPE_GLOBAL" */
+int tun_ipv6_local_get(const struct tun_t *tun, struct in46_prefix *prefix, int flags)
 {
 struct ifaddrs *ifaddr, *ifa;
 static const uint8_t ll_prefix[] = { 0xfe,0x80, 0,0, 0,0, 0,0 };
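Review bot: `tun_ipv4_local_get()` passes `&netmask4->sin_addr` to `netmask_ipv4_prefixlen()` without checking `ifa->ifa_netmask`, which getifaddrs(3) documents as possibly NULL; only `ifa->ifa_addr` is tested. Extending the guard to `if (ifa->ifa_addr == NULL || ifa->ifa_netmask == NULL) continue;` covers it, and the same applies to `netmask6` in `tun_ipv6_local_get()` in the later `@@ -772,10 +805,17 @@` hunk. The function also returns on the first `AF_INET` address found on the device, so any further addresses configured on the tun interface would stay in the pool; a short comment stating that limitation would help callers that build the blacklist from it.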
@@ -763,6 +795,7 @@ int tun_ipv6_linklocal_get(const struct tun_t *tun, struct in6_addr *ia)
 for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) ifa->ifa_addr;
+ struct sockaddr_in6 *netmask6 = (struct sockaddr_in6 *) ifa->ifa_netmask;
 if (ifa->ifa_addr == NULL)
 continue;
@@ -772,10 +805,17 @@ int tun_ipv6_linklocal_get(const struct tun_t *tun, struct in6_addr *ia)
 if (strcmp(ifa->ifa_name, tun->devname))
 continue;
- if (memcmp(sin6->sin6_addr.s6_addr, ll_prefix, sizeof(ll_prefix)))
+ if (!(flags & IPV6_TYPE_LINK) &&
+ !memcmp(sin6->sin6_addr.s6_addr, ll_prefix, sizeof(ll_prefix)))
+ continue;
+
+ if (!(flags & IPV6_TYPE_GLOBAL) &&
+ memcmp(sin6->sin6_addr.s6_addr, ll_prefix, sizeof(ll_prefix)))
 continue;
- *ia = sin6->sin6_addr;
+ prefix->addr.len = sizeof(sin6->sin6_addr);
+ prefix->addr.v6 = sin6->sin6_addr;
+ prefix->prefixlen = netmask_ipv6_prefixlen(&netmask6->sin6_addr);
 freeifaddrs(ifaddr);
 return 0;
 }
@@ -23,6 +23,14 @@
 #define TUN_NLBUFSIZE 1024
 #include "config.h"
+
+/* ipv6 ip type flags for tun_ipv6_local_get() */
+enum {
+ IPV6_TYPE_LINK = 1,
+ IPV6_TYPE_GLOBAL = 2,
+};
+
+
 #ifndef HAVE_IPHDR
 struct iphdr
 {
@@ -85,6 +93,7 @@ extern int tun_set_cb_ind(struct tun_t *this,
 extern int tun_runscript(struct tun_t *tun, char *script);
-int tun_ipv6_linklocal_get(const struct tun_t *tun, struct in6_addr *ia);
+int tun_ipv4_local_get(const struct tun_t *tun, struct in46_prefix *prefix);
+int tun_ipv6_local_get(const struct tun_t *tun, struct in46_prefix *prefix, int flags);
 #endif /* !_TUN_H */ |
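Review bot: In the `@@ -772,10 +805,17 @@` hunk the link-local test `memcmp(sin6->sin6_addr.s6_addr, ll_prefix, sizeof(ll_prefix))` now appears twice with opposite sense, which makes the address filter hard to read; computing it once, e.g. `int is_ll = !memcmp(sin6->sin6_addr.s6_addr, ll_prefix, sizeof(ll_prefix));` followed by `if (!(flags & (is_ll ? IPV6_TYPE_LINK : IPV6_TYPE_GLOBAL))) continue;`, expresses the same selection. As written, `IPV6_TYPE_GLOBAL` matches every address that does not start with the eight `ll_prefix` bytes, and `flags == 0` matches nothing, so the function comment should state both. The function starts and ends outside this hunk.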