1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <net/if_arp.h>
4
5 #include "sd-netlink.h"
6
7 #include "alloc-util.h"
8 #include "fd-util.h"
9 #include "local-addresses.h"
10 #include "macro.h"
11 #include "netlink-util.h"
12 #include "sort-util.h"
13
address_compare(const struct local_address * a,const struct local_address * b)14 static int address_compare(const struct local_address *a, const struct local_address *b) {
15 int r;
16
17 /* Order lowest scope first, IPv4 before IPv6, lowest interface index first */
18
19 if (a->family == AF_INET && b->family == AF_INET6)
20 return -1;
21 if (a->family == AF_INET6 && b->family == AF_INET)
22 return 1;
23
24 r = CMP(a->scope, b->scope);
25 if (r != 0)
26 return r;
27
28 r = CMP(a->metric, b->metric);
29 if (r != 0)
30 return r;
31
32 r = CMP(a->ifindex, b->ifindex);
33 if (r != 0)
34 return r;
35
36 return memcmp(&a->address, &b->address, FAMILY_ADDRESS_SIZE(a->family));
37 }
38
suppress_duplicates(struct local_address * list,size_t * n_list)39 static void suppress_duplicates(struct local_address *list, size_t *n_list) {
40 size_t old_size, new_size;
41
42 /* Removes duplicate entries, assumes the list of addresses is already sorted. Updates in-place. */
43
44 if (*n_list < 2) /* list with less than two entries can't have duplicates */
45 return;
46
47 old_size = *n_list;
48 new_size = 1;
49
50 for (size_t i = 1; i < old_size; i++) {
51
52 if (address_compare(list + i, list + new_size - 1) == 0)
53 continue;
54
55 list[new_size++] = list[i];
56 }
57
58 *n_list = new_size;
59 }
60
local_addresses(sd_netlink * context,int ifindex,int af,struct local_address ** ret)61 int local_addresses(
62 sd_netlink *context,
63 int ifindex,
64 int af,
65 struct local_address **ret) {
66
67 _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *req = NULL, *reply = NULL;
68 _cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL;
69 _cleanup_free_ struct local_address *list = NULL;
70 size_t n_list = 0;
71 sd_netlink_message *m;
72 int r;
73
74 if (context)
75 rtnl = sd_netlink_ref(context);
76 else {
77 r = sd_netlink_open(&rtnl);
78 if (r < 0)
79 return r;
80 }
81
82 r = sd_rtnl_message_new_addr(rtnl, &req, RTM_GETADDR, ifindex, af);
83 if (r < 0)
84 return r;
85
86 r = sd_netlink_message_request_dump(req, true);
87 if (r < 0)
88 return r;
89
90 r = sd_netlink_call(rtnl, req, 0, &reply);
91 if (r < 0)
92 return r;
93
94 for (m = reply; m; m = sd_netlink_message_next(m)) {
95 struct local_address *a;
96 unsigned char flags;
97 uint16_t type;
98 int ifi, family;
99
100 r = sd_netlink_message_get_errno(m);
101 if (r < 0)
102 return r;
103
104 r = sd_netlink_message_get_type(m, &type);
105 if (r < 0)
106 return r;
107 if (type != RTM_NEWADDR)
108 continue;
109
110 r = sd_rtnl_message_addr_get_ifindex(m, &ifi);
111 if (r < 0)
112 return r;
113 if (ifindex > 0 && ifi != ifindex)
114 continue;
115
116 r = sd_rtnl_message_addr_get_family(m, &family);
117 if (r < 0)
118 return r;
119 if (af != AF_UNSPEC && af != family)
120 continue;
121
122 r = sd_rtnl_message_addr_get_flags(m, &flags);
123 if (r < 0)
124 return r;
125 if (flags & IFA_F_DEPRECATED)
126 continue;
127
128 if (!GREEDY_REALLOC0(list, n_list+1))
129 return -ENOMEM;
130
131 a = list + n_list;
132
133 r = sd_rtnl_message_addr_get_scope(m, &a->scope);
134 if (r < 0)
135 return r;
136
137 if (ifindex == 0 && IN_SET(a->scope, RT_SCOPE_HOST, RT_SCOPE_NOWHERE))
138 continue;
139
140 switch (family) {
141
142 case AF_INET:
143 r = sd_netlink_message_read_in_addr(m, IFA_LOCAL, &a->address.in);
144 if (r < 0) {
145 r = sd_netlink_message_read_in_addr(m, IFA_ADDRESS, &a->address.in);
146 if (r < 0)
147 continue;
148 }
149 break;
150
151 case AF_INET6:
152 r = sd_netlink_message_read_in6_addr(m, IFA_LOCAL, &a->address.in6);
153 if (r < 0) {
154 r = sd_netlink_message_read_in6_addr(m, IFA_ADDRESS, &a->address.in6);
155 if (r < 0)
156 continue;
157 }
158 break;
159
160 default:
161 continue;
162 }
163
164 a->ifindex = ifi;
165 a->family = family;
166
167 n_list++;
168 };
169
170 if (ret) {
171 typesafe_qsort(list, n_list, address_compare);
172 suppress_duplicates(list, &n_list);
173 *ret = TAKE_PTR(list);
174 }
175
176 return (int) n_list;
177 }
178
add_local_gateway(struct local_address ** list,size_t * n_list,int af,int ifindex,uint32_t metric,const RouteVia * via)179 static int add_local_gateway(
180 struct local_address **list,
181 size_t *n_list,
182 int af,
183 int ifindex,
184 uint32_t metric,
185 const RouteVia *via) {
186
187 assert(list);
188 assert(n_list);
189 assert(via);
190
191 if (af != AF_UNSPEC && af != via->family)
192 return 0;
193
194 if (!GREEDY_REALLOC(*list, *n_list + 1))
195 return -ENOMEM;
196
197 (*list)[(*n_list)++] = (struct local_address) {
198 .ifindex = ifindex,
199 .metric = metric,
200 .family = via->family,
201 .address = via->address,
202 };
203
204 return 0;
205 }
206
local_gateways(sd_netlink * context,int ifindex,int af,struct local_address ** ret)207 int local_gateways(
208 sd_netlink *context,
209 int ifindex,
210 int af,
211 struct local_address **ret) {
212
213 _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *req = NULL, *reply = NULL;
214 _cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL;
215 _cleanup_free_ struct local_address *list = NULL;
216 size_t n_list = 0;
217 int r;
218
219 if (context)
220 rtnl = sd_netlink_ref(context);
221 else {
222 r = sd_netlink_open(&rtnl);
223 if (r < 0)
224 return r;
225 }
226
227 r = sd_rtnl_message_new_route(rtnl, &req, RTM_GETROUTE, af, RTPROT_UNSPEC);
228 if (r < 0)
229 return r;
230
231 r = sd_rtnl_message_route_set_type(req, RTN_UNICAST);
232 if (r < 0)
233 return r;
234
235 r = sd_rtnl_message_route_set_table(req, RT_TABLE_MAIN);
236 if (r < 0)
237 return r;
238
239 r = sd_netlink_message_request_dump(req, true);
240 if (r < 0)
241 return r;
242
243 r = sd_netlink_call(rtnl, req, 0, &reply);
244 if (r < 0)
245 return r;
246
247 for (sd_netlink_message *m = reply; m; m = sd_netlink_message_next(m)) {
248 _cleanup_ordered_set_free_free_ OrderedSet *multipath_routes = NULL;
249 _cleanup_free_ void *rta_multipath = NULL;
250 union in_addr_union gateway;
251 uint16_t type;
252 unsigned char dst_len, src_len, table;
253 uint32_t ifi = 0, metric = 0;
254 size_t rta_len;
255 int family;
256 RouteVia via;
257
258 r = sd_netlink_message_get_errno(m);
259 if (r < 0)
260 return r;
261
262 r = sd_netlink_message_get_type(m, &type);
263 if (r < 0)
264 return r;
265 if (type != RTM_NEWROUTE)
266 continue;
267
268 /* We only care for default routes */
269 r = sd_rtnl_message_route_get_dst_prefixlen(m, &dst_len);
270 if (r < 0)
271 return r;
272 if (dst_len != 0)
273 continue;
274
275 r = sd_rtnl_message_route_get_src_prefixlen(m, &src_len);
276 if (r < 0)
277 return r;
278 if (src_len != 0)
279 continue;
280
281 r = sd_rtnl_message_route_get_table(m, &table);
282 if (r < 0)
283 return r;
284 if (table != RT_TABLE_MAIN)
285 continue;
286
287 r = sd_netlink_message_read_u32(m, RTA_PRIORITY, &metric);
288 if (r < 0 && r != -ENODATA)
289 return r;
290
291 r = sd_rtnl_message_route_get_family(m, &family);
292 if (r < 0)
293 return r;
294 if (!IN_SET(family, AF_INET, AF_INET6))
295 continue;
296
297 r = sd_netlink_message_read_u32(m, RTA_OIF, &ifi);
298 if (r < 0 && r != -ENODATA)
299 return r;
300 if (r >= 0) {
301 if (ifi <= 0)
302 return -EINVAL;
303 if (ifindex > 0 && (int) ifi != ifindex)
304 continue;
305
306 r = netlink_message_read_in_addr_union(m, RTA_GATEWAY, family, &gateway);
307 if (r < 0 && r != -ENODATA)
308 return r;
309 if (r >= 0) {
310 via.family = family;
311 via.address = gateway;
312 r = add_local_gateway(&list, &n_list, af, ifi, metric, &via);
313 if (r < 0)
314 return r;
315
316 continue;
317 }
318
319 if (family != AF_INET)
320 continue;
321
322 r = sd_netlink_message_read(m, RTA_VIA, sizeof(via), &via);
323 if (r < 0 && r != -ENODATA)
324 return r;
325 if (r >= 0) {
326 r = add_local_gateway(&list, &n_list, af, ifi, metric, &via);
327 if (r < 0)
328 return r;
329
330 continue;
331 }
332 }
333
334 r = sd_netlink_message_read_data(m, RTA_MULTIPATH, &rta_len, &rta_multipath);
335 if (r < 0 && r != -ENODATA)
336 return r;
337 if (r >= 0) {
338 MultipathRoute *mr;
339
340 r = rtattr_read_nexthop(rta_multipath, rta_len, family, &multipath_routes);
341 if (r < 0)
342 return r;
343
344 ORDERED_SET_FOREACH(mr, multipath_routes) {
345 if (ifindex > 0 && mr->ifindex != ifindex)
346 continue;
347
348 r = add_local_gateway(&list, &n_list, af, ifi, metric, &mr->gateway);
349 if (r < 0)
350 return r;
351 }
352 }
353 }
354
355 if (ret) {
356 typesafe_qsort(list, n_list, address_compare);
357 suppress_duplicates(list, &n_list);
358 *ret = TAKE_PTR(list);
359 }
360
361 return (int) n_list;
362 }
363
local_outbounds(sd_netlink * context,int ifindex,int af,struct local_address ** ret)364 int local_outbounds(
365 sd_netlink *context,
366 int ifindex,
367 int af,
368 struct local_address **ret) {
369
370 _cleanup_free_ struct local_address *list = NULL, *gateways = NULL;
371 size_t n_list = 0;
372 int r, n_gateways;
373
374 /* Determines our default outbound addresses, i.e. the "primary" local addresses we use to talk to IP
375 * addresses behind the default routes. This is still an address of the local host (i.e. this doesn't
376 * resolve NAT or so), but it's the set of addresses the local IP stack most likely uses to talk to
377 * other hosts.
378 *
379 * This works by connect()ing a SOCK_DGRAM socket to the local gateways, and then reading the IP
380 * address off the socket that was chosen for the routing decision. */
381
382 n_gateways = local_gateways(context, ifindex, af, &gateways);
383 if (n_gateways < 0)
384 return n_gateways;
385 if (n_gateways == 0) {
386 /* No gateways? Then we have no outbound addresses either. */
387 if (ret)
388 *ret = NULL;
389
390 return 0;
391 }
392
393 for (int i = 0; i < n_gateways; i++) {
394 _cleanup_close_ int fd = -1;
395 union sockaddr_union sa;
396 socklen_t salen;
397
398 fd = socket(gateways[i].family, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
399 if (fd < 0)
400 return -errno;
401
402 switch (gateways[i].family) {
403
404 case AF_INET:
405 sa.in = (struct sockaddr_in) {
406 .sin_family = AF_INET,
407 .sin_addr = gateways[i].address.in,
408 .sin_port = htobe16(53), /* doesn't really matter which port we pick —
409 * we just care about the routing decision */
410 };
411
412 break;
413
414 case AF_INET6:
415 sa.in6 = (struct sockaddr_in6) {
416 .sin6_family = AF_INET6,
417 .sin6_addr = gateways[i].address.in6,
418 .sin6_port = htobe16(53),
419 .sin6_scope_id = gateways[i].ifindex,
420 };
421
422 break;
423
424 default:
425 assert_not_reached();
426 }
427
428 /* So ideally we'd just use IP_UNICAST_IF here to pass the ifindex info to the kernel before
429 * connect()ing, sot that it influences the routing decision. However, on current kernels
430 * IP_UNICAST_IF doesn't actually influence the routing decision for UDP — which I think
431 * should probably just be considered a bug. Once that bug is fixed this is the best API to
432 * use, since it is the most lightweight. */
433 r = socket_set_unicast_if(fd, gateways[i].family, gateways[i].ifindex);
434 if (r < 0)
435 log_debug_errno(r, "Failed to set unicast interface index %i, ignoring: %m", gateways[i].ifindex);
436
437 /* We'll also use SO_BINDTOINDEX. This requires CAP_NET_RAW on old kernels, hence there's a
438 * good chance this fails. Since 5.7 this restriction was dropped and the first
439 * SO_BINDTOINDEX on a socket may be done without privileges. This one has the benefit of
440 * really influencing the routing decision, i.e. this one definitely works for us — as long
441 * as we have the privileges for it. */
442 r = socket_bind_to_ifindex(fd, gateways[i].ifindex);
443 if (r < 0)
444 log_debug_errno(r, "Failed to bind socket to interface %i, ignoring: %m", gateways[i].ifindex);
445
446 /* Let's now connect() to the UDP socket, forcing the kernel to make a routing decision and
447 * auto-bind the socket. We ignore failures on this, since that failure might happen for a
448 * multitude of reasons (policy/firewall issues, who knows?) and some of them might be
449 * *after* the routing decision and the auto-binding already took place. If so we can still
450 * make use of the binding and return it. Hence, let's not unnecessarily fail early here: we
451 * can still easily detect if the auto-binding worked or not, by comparing the bound IP
452 * address with zero — which we do below. */
453 if (connect(fd, &sa.sa, SOCKADDR_LEN(sa)) < 0)
454 log_debug_errno(errno, "Failed to connect SOCK_DGRAM socket to gateway, ignoring: %m");
455
456 /* Let's now read the socket address of the socket. A routing decision should have been
457 * made. Let's verify that and use the data. */
458 salen = SOCKADDR_LEN(sa);
459 if (getsockname(fd, &sa.sa, &salen) < 0)
460 return -errno;
461 assert(sa.sa.sa_family == gateways[i].family);
462 assert(salen == SOCKADDR_LEN(sa));
463
464 switch (gateways[i].family) {
465
466 case AF_INET:
467 if (in4_addr_is_null(&sa.in.sin_addr)) /* Auto-binding didn't work. :-( */
468 continue;
469
470 if (!GREEDY_REALLOC(list, n_list+1))
471 return -ENOMEM;
472
473 list[n_list++] = (struct local_address) {
474 .family = gateways[i].family,
475 .ifindex = gateways[i].ifindex,
476 .address.in = sa.in.sin_addr,
477 };
478
479 break;
480
481 case AF_INET6:
482 if (in6_addr_is_null(&sa.in6.sin6_addr))
483 continue;
484
485 if (!GREEDY_REALLOC(list, n_list+1))
486 return -ENOMEM;
487
488 list[n_list++] = (struct local_address) {
489 .family = gateways[i].family,
490 .ifindex = gateways[i].ifindex,
491 .address.in6 = sa.in6.sin6_addr,
492 };
493 break;
494
495 default:
496 assert_not_reached();
497 }
498 }
499
500 if (ret) {
501 typesafe_qsort(list, n_list, address_compare);
502 suppress_duplicates(list, &n_list);
503 *ret = TAKE_PTR(list);
504 }
505
506 return (int) n_list;
507 }
508