1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <net/if.h>
4 #include <linux/if.h>
5 #include <linux/veth.h>
6 #include <sys/file.h>
7
8 #include "sd-device.h"
9 #include "sd-id128.h"
10 #include "sd-netlink.h"
11
12 #include "alloc-util.h"
13 #include "ether-addr-util.h"
14 #include "hexdecoct.h"
15 #include "lockfile-util.h"
16 #include "missing_network.h"
17 #include "netif-naming-scheme.h"
18 #include "netlink-util.h"
19 #include "nspawn-network.h"
20 #include "parse-util.h"
21 #include "siphash24.h"
22 #include "socket-netlink.h"
23 #include "socket-util.h"
24 #include "stat-util.h"
25 #include "string-util.h"
26 #include "strv.h"
27 #include "udev-util.h"
28 #include "util.h"
29
/* Fixed SipHash-2-4 keys for generate_mac() and shorten_ifname() below. Each derivation context gets its own
 * key (primary veth host/container side, extra veth pairs host/container side, macvlan, name shortening), so
 * the same (machine ID, machine name) input never produces the same output in two different contexts.
 *
 * NOTE(review): these keys are compile-time constants shipped in the binary, i.e. public. Everything
 * derived from them is deterministic and reproducible by anyone who knows the host's machine ID and the
 * container name. That is the point ("predictable MAC address"), but it also means a derived MAC or a
 * shortened interface name must never be treated as unguessable or as an authentication factor. */
#define HOST_HASH_KEY SD_ID128_MAKE(1a,37,6f,c7,46,ec,45,0b,ad,a3,d5,31,06,60,5d,b1)
#define CONTAINER_HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
#define VETH_EXTRA_HOST_HASH_KEY SD_ID128_MAKE(48,c7,f6,b7,ea,9d,4c,9e,b7,28,d4,de,91,d5,bf,66)
#define VETH_EXTRA_CONTAINER_HASH_KEY SD_ID128_MAKE(af,50,17,61,ce,f9,4d,35,84,0d,2b,20,54,be,ce,59)
#define MACVLAN_HASH_KEY SD_ID128_MAKE(00,13,6d,bc,66,83,44,81,bb,0c,f9,51,1f,24,a6,6f)
#define SHORTEN_IFNAME_HASH_KEY SD_ID128_MAKE(e1,90,a4,04,a8,ef,4b,51,8c,cc,c3,3a,9f,11,fc,a2)
36
/* Deletes the network interface called @name with an RTM_DELLINK request.
 *
 * The link is addressed by name (IFLA_IFNAME) rather than by ifindex, since the callers only know the name
 * they assigned earlier.
 *
 * Returns 0 if @name is empty or the interface no longer exists (the kernel answered -ENODEV), 1 if an
 * interface was actually removed, and a negative errno (already logged) on any other failure. */
static int remove_one_link(sd_netlink *rtnl, const char *name) {
        _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *req = NULL;
        int r;

        if (isempty(name))
                return 0;

        r = sd_rtnl_message_new_link(rtnl, &req, RTM_DELLINK, 0);
        if (r < 0)
                return log_error_errno(r, "Failed to allocate netlink message: %m");

        r = sd_netlink_message_append_string(req, IFLA_IFNAME, name);
        if (r < 0)
                return log_error_errno(r, "Failed to add netlink interface name: %m");

        r = sd_netlink_call(rtnl, req, 0, NULL);
        if (r >= 0)
                return 1;

        /* Somebody else (or the kernel, when the namespace died) already removed it: not an error. */
        if (r == -ENODEV)
                return 0;

        return log_error_errno(r, "Failed to remove interface %s: %m", name);
}
60
/* Derives a stable, locally administered unicast MAC address for a container interface.
 *
 * The preimage hashed with SipHash-2-4 under @hash_key is, in this exact byte order:
 *   - the host's machine ID (sd_id128_get_machine(), 16 bytes),
 *   - the container name @machine_name (without NUL),
 *   - @idx as a little-endian uint64_t, but ONLY if @idx > 0 (so index 0 and "no index" hash identically;
 *     callers rely on distinct keys, not on @idx, to separate their first interface from the primary veth).
 * The first ETH_ALEN bytes of the little-endian hash become the address; the multicast bit is cleared and
 * the locally-administered bit set, mirroring the kernel's eth_random_addr().
 *
 * Do not change the layout above: every deployed container's MAC address depends on it.
 *
 * NOTE(review): two hosts with the same machine ID (e.g. cloned images that never regenerated
 * /etc/machine-id) will produce identical MACs for identically named containers; on a shared L2 segment
 * that is an address collision. This function cannot detect that.
 *
 * Returns 0 on success, or the negative errno from sd_id128_get_machine(). */
static int generate_mac(
                const char *machine_name,
                struct ether_addr *mac,
                sd_id128_t hash_key,
                uint64_t idx) {

        size_t name_len, preimage_len;
        uint8_t *preimage, *tail;
        uint64_t digest;
        int r;

        name_len = strlen(machine_name);
        preimage_len = sizeof(sd_id128_t) + name_len + (idx > 0 ? sizeof(idx) : 0);

        preimage = newa(uint8_t, preimage_len);

        /* Host-specific component first */
        r = sd_id128_get_machine((sd_id128_t*) preimage);
        if (r < 0)
                return r;

        /* Then the container-specific component, and the optional per-interface index */
        tail = mempcpy(preimage + sizeof(sd_id128_t), machine_name, name_len);
        if (idx > 0) {
                uint64_t idx_le = htole64(idx);
                memcpy(tail, &idx_le, sizeof(idx_le));
        }

        /* Fixed (public) key per derivation context, see the *_HASH_KEY definitions above. */
        digest = htole64(siphash24(preimage, preimage_len, hash_key.bytes));

        assert_cc(ETH_ALEN <= sizeof(digest));
        memcpy(mac->ether_addr_octet, &digest, ETH_ALEN);

        /* As eth_random_addr() does: unicast (bit 0 clear), locally administered (bit 1 set) */
        mac->ether_addr_octet[0] = (mac->ether_addr_octet[0] & 0xfe) | 0x02;

        return 0;
}
105
/* Registers @altifname as an alternative name of the existing link @ifname.
 *
 * This is a best-effort convenience step (the callers discard the result): a NULL @altifname is a no-op,
 * a name that does not fit into ALTIFNAMSIZ or a netlink failure is logged at warning level and returned
 * as a negative errno, but the link itself remains fully usable under @ifname.
 *
 * Returns 0 on success or when nothing was requested, negative errno otherwise. */
static int set_alternative_ifname(sd_netlink *rtnl, const char *ifname, const char *altifname) {
        int r;

        assert(rtnl);
        assert(ifname);

        if (!altifname)
                return 0;

        /* The kernel limit includes the terminating NUL, hence >= */
        if (strlen(altifname) >= ALTIFNAMSIZ)
                return log_warning_errno(SYNTHETIC_ERRNO(ERANGE),
                                         "Alternative interface name '%s' for '%s' is too long, ignoring",
                                         altifname, ifname);

        r = rtnl_set_link_alternative_names_by_ifname(&rtnl, ifname, STRV_MAKE(altifname));
        if (r >= 0)
                return 0;

        return log_warning_errno(r,
                                 "Failed to set alternative interface name '%s' to '%s', ignoring: %m",
                                 altifname, ifname);
}
128
/* Appends the VETH_INFO_PEER sub-container describing the container-side end of a veth pair to @req:
 * its name, its MAC address, and the network namespace it should be created in (identified by @pid).
 *
 * Returns 0 on success, negative errno (logged) on failure. */
static int append_veth_peer(
                sd_netlink_message *req,
                pid_t pid,
                const char *ifname,
                const struct ether_addr *mac) {

        int r;

        r = sd_netlink_message_open_container(req, VETH_INFO_PEER);
        if (r < 0)
                return log_error_errno(r, "Failed to open netlink container: %m");

        r = sd_netlink_message_append_string(req, IFLA_IFNAME, ifname);
        if (r < 0)
                return log_error_errno(r, "Failed to add netlink interface name: %m");

        r = sd_netlink_message_append_ether_addr(req, IFLA_ADDRESS, mac);
        if (r < 0)
                return log_error_errno(r, "Failed to add netlink MAC address: %m");

        /* IFLA_NET_NS_PID: the kernel creates the peer straight into the network namespace that @pid is in
         * at the moment the request is processed. NOTE(review): this identifies the namespace by PID, unlike
         * move_network_interfaces() below which pins it with an fd (IFLA_NET_NS_FD). Presumably the caller
         * guarantees @pid is still the container's process here (it has not exited and been reused) —
         * confirm against the caller. */
        r = sd_netlink_message_append_u32(req, IFLA_NET_NS_PID, pid);
        if (r < 0)
                return log_error_errno(r, "Failed to add netlink namespace field: %m");

        r = sd_netlink_message_close_container(req);
        if (r < 0)
                return log_error_errno(r, "Failed to close netlink container: %m");

        return 0;
}

/* Creates a veth pair in one RTM_NEWLINK request: the host-side end @ifname_host with @mac_host stays in
 * the caller's namespace, the peer @ifname_container with @mac_container is created in the namespace of
 * @pid. Afterwards @altifname_host (if not NULL) is attached to the host end as an alternative name on a
 * best-effort basis.
 *
 * Returns 0 on success, negative errno (logged) on failure. */
static int add_veth(
                sd_netlink *rtnl,
                pid_t pid,
                const char *ifname_host,
                const char *altifname_host,
                const struct ether_addr *mac_host,
                const char *ifname_container,
                const struct ether_addr *mac_container) {

        _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *req = NULL;
        int r;

        assert(rtnl);
        assert(ifname_host);
        assert(mac_host);
        assert(ifname_container);
        assert(mac_container);

        r = sd_rtnl_message_new_link(rtnl, &req, RTM_NEWLINK, 0);
        if (r < 0)
                return log_error_errno(r, "Failed to allocate netlink message: %m");

        /* Host-side end: top-level attributes */
        r = sd_netlink_message_append_string(req, IFLA_IFNAME, ifname_host);
        if (r < 0)
                return log_error_errno(r, "Failed to add netlink interface name: %m");

        r = sd_netlink_message_append_ether_addr(req, IFLA_ADDRESS, mac_host);
        if (r < 0)
                return log_error_errno(r, "Failed to add netlink MAC address: %m");

        /* IFLA_LINKINFO -> IFLA_INFO_DATA("veth") -> VETH_INFO_PEER */
        r = sd_netlink_message_open_container(req, IFLA_LINKINFO);
        if (r < 0)
                return log_error_errno(r, "Failed to open netlink container: %m");

        r = sd_netlink_message_open_container_union(req, IFLA_INFO_DATA, "veth");
        if (r < 0)
                return log_error_errno(r, "Failed to open netlink container: %m");

        r = append_veth_peer(req, pid, ifname_container, mac_container);
        if (r < 0)
                return r;

        r = sd_netlink_message_close_container(req);
        if (r < 0)
                return log_error_errno(r, "Failed to close netlink container: %m");

        r = sd_netlink_message_close_container(req);
        if (r < 0)
                return log_error_errno(r, "Failed to close netlink container: %m");

        r = sd_netlink_call(rtnl, req, 0, NULL);
        if (r < 0)
                return log_error_errno(r, "Failed to add new veth interfaces (%s:%s): %m", ifname_host, ifname_container);

        /* Purely cosmetic; failure here does not invalidate the link we just created. */
        (void) set_alternative_ifname(rtnl, ifname_host, altifname_host);

        return 0;
}
203
/* Rewrites @ifname in place so that it fits into IFNAMSIZ (including the NUL).
 *
 * With the NAMING_NSPAWN_LONG_HASH naming scheme the name is cut to IFNAMSIZ-5 characters and the low
 * 24 bits of a SipHash of the full original name are appended as four url-safe base64 characters, so
 * different long names usually stay distinguishable. Without it the name is simply truncated, which keeps
 * names stable for installations that predate the hashing scheme.
 *
 * NOTE(review): 24 bits of hash is a small space; two distinct long names that share the first IFNAMSIZ-5
 * characters can still collide. The change is logged at warning level so operators can spot it.
 *
 * Returns 0 if the name already fit and was left alone, 1 if it was rewritten. */
static int shorten_ifname(char *ifname) {
        char shortened[IFNAMSIZ];
        size_t len;

        assert(ifname);

        len = strlen(ifname);
        if (len < IFNAMSIZ)
                return 0;

        if (!naming_scheme_has(NAMING_NSPAWN_LONG_HASH))
                /* Compatibility with old nspawn versions: plain truncation */
                memcpy(shortened, ifname, IFNAMSIZ - 1);
        else {
                uint64_t h = siphash24(ifname, len, SHORTEN_IFNAME_HASH_KEY.bytes);
                size_t k = IFNAMSIZ - 5;

                /* Prefix of the original name, then 4 x 6 bits = 24 bits of the hash */
                memcpy(shortened, ifname, k);
                shortened[k++] = urlsafe_base64char(h >> 18);
                shortened[k++] = urlsafe_base64char(h >> 12);
                shortened[k++] = urlsafe_base64char(h >> 6);
                shortened[k++] = urlsafe_base64char(h);
        }

        shortened[IFNAMSIZ - 1] = 0;

        /* Make the rename discoverable in the logs */
        log_warning("Network interface name '%s' has been changed to '%s' to fit length constraints.", ifname, shortened);

        /* Safe: @ifname is at least IFNAMSIZ long here, @shortened is exactly IFNAMSIZ with its NUL */
        strcpy(ifname, shortened);
        return 1;
}
236
/* Creates the primary veth pair for the container @machine_name whose init process is @pid.
 *
 * The host side is named "ve-<machine>" (or "vb-<machine>" when @bridge is set, so that both a bridged
 * and a plain veth for the same machine can coexist), shortened via shorten_ifname() when needed; in that
 * case the full name is attached as an alternative name. The container side is always "host0". Both MACs
 * are derived deterministically with generate_mac(), using separate keys for the two ends.
 *
 * On success the host-side name is copied into @iface_name (which must hold IFNAMSIZ bytes; shorten_ifname()
 * guarantees it fits) and the host-side ifindex is returned. Negative errno (logged) on failure. */
int setup_veth(const char *machine_name,
               pid_t pid,
               char iface_name[IFNAMSIZ],
               bool bridge) {

        _cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL;
        struct ether_addr mac_host, mac_container;
        const char *prefix;
        char *host_name, *host_altname = NULL;
        unsigned ifindex;
        int r;

        assert(machine_name);
        assert(pid > 0);
        assert(iface_name);

        prefix = bridge ? "vb-" : "ve-";
        host_name = strjoina(prefix, machine_name);
        if (shorten_ifname(host_name) > 0)
                /* Keep the unshortened name reachable as an alternative name */
                host_altname = strjoina(prefix, machine_name);

        r = generate_mac(machine_name, &mac_container, CONTAINER_HASH_KEY, 0);
        if (r < 0)
                return log_error_errno(r, "Failed to generate predictable MAC address for container side: %m");

        r = generate_mac(machine_name, &mac_host, HOST_HASH_KEY, 0);
        if (r < 0)
                return log_error_errno(r, "Failed to generate predictable MAC address for host side: %m");

        r = sd_netlink_open(&rtnl);
        if (r < 0)
                return log_error_errno(r, "Failed to connect to netlink: %m");

        r = add_veth(rtnl, pid, host_name, host_altname, &mac_host, "host0", &mac_container);
        if (r < 0)
                return r;

        /* The name we just assigned is the link's main name, so a plain lookup suffices here
         * (no need for rtnl_resolve_ifname() and its alternative-name handling). */
        ifindex = if_nametoindex(host_name);
        if (ifindex == 0)
                return log_error_errno(errno, "Failed to resolve interface %s: %m", host_name);

        strcpy(iface_name, host_name);
        return (int) ifindex;
}
283
/* Creates one additional veth pair per (host name, container name) entry in @pairs for the container
 * @machine_name whose init process is @pid.
 *
 * @pairs is a flat strv of alternating host-side and container-side names, as built by veth_extra_parse(),
 * which already validated both names with ifname_valid() — hence no shorten_ifname() pass here. The MACs
 * are derived with generate_mac() and the extra-veth keys, with the pair's position as index so that every
 * pair gets a distinct address. Note that generate_mac() ignores index 0, so the first pair hashes the same
 * preimage as the primary veth; only the different keys keep them apart. No alternative names are set.
 *
 * Returns 0 on success (also when @pairs is empty), negative errno (logged) on failure. */
int setup_veth_extra(
                const char *machine_name,
                pid_t pid,
                char **pairs) {

        _cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL;
        uint64_t pair_index = 0;
        int r;

        assert(machine_name);
        assert(pid > 0);

        if (strv_isempty(pairs))
                return 0;

        r = sd_netlink_open(&rtnl);
        if (r < 0)
                return log_error_errno(r, "Failed to connect to netlink: %m");

        STRV_FOREACH_PAIR(host_name, container_name, pairs) {
                struct ether_addr mac_host, mac_container;

                r = generate_mac(machine_name, &mac_container, VETH_EXTRA_CONTAINER_HASH_KEY, pair_index);
                if (r < 0)
                        return log_error_errno(r, "Failed to generate predictable MAC address for container side of extra veth link: %m");

                r = generate_mac(machine_name, &mac_host, VETH_EXTRA_HOST_HASH_KEY, pair_index);
                if (r < 0)
                        return log_error_errno(r, "Failed to generate predictable MAC address for host side of extra veth link: %m");

                r = add_veth(rtnl, pid, *host_name, NULL, &mac_host, *container_name, &mac_container);
                if (r < 0)
                        return r;

                pair_index++;
        }

        return 0;
}
323
/* Enslaves the host-side veth @veth_name to @bridge_name and brings it up, in one RTM_SETLINK request.
 *
 * @bridge_name is resolved to an ifindex first; if it does not exist the resolver's error (-ENODEV) is
 * returned, which setup_bridge() uses as the signal to create the bridge. Nothing here verifies that the
 * resolved link actually is a bridge — the kernel decides whether it accepts IFLA_MASTER for it.
 *
 * Returns the bridge's ifindex on success, negative errno otherwise (not logged; the caller logs). */
static int join_bridge(sd_netlink *rtnl, const char *veth_name, const char *bridge_name) {
        _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *req = NULL;
        int r, master;

        assert(rtnl);
        assert(veth_name);
        assert(bridge_name);

        master = rtnl_resolve_interface(&rtnl, bridge_name);
        if (master < 0)
                return master;

        r = sd_rtnl_message_new_link(rtnl, &req, RTM_SETLINK, 0);
        if (r < 0)
                return r;

        /* Bring the port up as part of the same change */
        r = sd_rtnl_message_link_set_flags(req, IFF_UP, IFF_UP);
        if (r < 0)
                return r;

        r = sd_netlink_message_append_string(req, IFLA_IFNAME, veth_name);
        if (r < 0)
                return r;

        r = sd_netlink_message_append_u32(req, IFLA_MASTER, master);
        if (r < 0)
                return r;

        r = sd_netlink_call(rtnl, req, 0, NULL);
        if (r < 0)
                return r;

        return master;
}
358
/* Creates an empty bridge device called @bridge_name (RTM_NEWLINK with IFLA_INFO_DATA "bridge").
 *
 * No flags or addresses are set here; the bridge is only made usable when a port joins it via
 * join_bridge(). Returns 0 on success, negative errno otherwise (not logged; the caller logs). */
static int create_bridge(sd_netlink *rtnl, const char *bridge_name) {
        _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *req = NULL;
        int r;

        r = sd_rtnl_message_new_link(rtnl, &req, RTM_NEWLINK, 0);
        if (r < 0)
                return r;

        r = sd_netlink_message_append_string(req, IFLA_IFNAME, bridge_name);
        if (r < 0)
                return r;

        /* IFLA_LINKINFO -> IFLA_INFO_DATA("bridge"), with no further bridge options */
        r = sd_netlink_message_open_container(req, IFLA_LINKINFO);
        if (r < 0)
                return r;

        r = sd_netlink_message_open_container_union(req, IFLA_INFO_DATA, "bridge");
        if (r < 0)
                return r;

        r = sd_netlink_message_close_container(req);
        if (r < 0)
                return r;

        r = sd_netlink_message_close_container(req);
        if (r < 0)
                return r;

        return sd_netlink_call(rtnl, req, 0, NULL) < 0 ? r = -1, r : 0;
}
393
/* Adds the host-side veth @veth_name to the bridge @bridge_name, creating the bridge first if @create is
 * set and it does not exist yet.
 *
 * With @create the system-wide zone lock is held for the whole operation so that remove_bridge() running in
 * another nspawn instance cannot tear the bridge down between our creating it and our joining it (the lock
 * only serializes nspawn instances, nothing else). Join and create are retried a bounded number of times
 * because a concurrent instance may delete the bridge in between; only -ENODEV from join_bridge() triggers
 * a retry.
 *
 * Returns the bridge's ifindex on success, negative errno (logged) on failure. */
int setup_bridge(const char *veth_name, const char *bridge_name, bool create) {
        _cleanup_(release_lock_file) LockFile zone_lock = LOCK_FILE_INIT;
        _cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL;
        int r;

        assert(veth_name);
        assert(bridge_name);

        r = sd_netlink_open(&rtnl);
        if (r < 0)
                return log_error_errno(r, "Failed to connect to netlink: %m");

        if (create) {
                r = make_lock_file("/run/systemd/nspawn-network-zone", LOCK_EX, &zone_lock);
                if (r < 0)
                        return log_error_errno(r, "Failed to take network zone lock: %m");
        }

        for (unsigned attempt = 0;; attempt++) {
                int ifi;

                ifi = join_bridge(rtnl, veth_name, bridge_name);
                if (ifi >= 0)
                        return ifi;

                /* Only a missing bridge is recoverable, and only if we may create it; cap the retries so two
                 * instances racing on create/remove cannot keep us here forever. */
                if (ifi != -ENODEV || !create || attempt > 10)
                        return log_error_errno(ifi, "Failed to add interface %s to bridge %s: %m", veth_name, bridge_name);

                r = create_bridge(rtnl, bridge_name);
                if (r < 0)
                        return log_error_errno(r, "Failed to create bridge interface %s: %m", bridge_name);

                /* Loop around and try to join the bridge that now exists */
        }
}
434
/* Removes the bridge @bridge_name, but only if it currently has no ports.
 *
 * Emptiness is determined by listing /sys/class/net/<bridge>/brif under the system-wide zone lock, so that
 * no other nspawn instance can add a port between the check and the RTM_DELLINK. NOTE(review): the lock
 * covers nspawn only; any other tool enslaving a port in that window is not excluded, and the kernel will
 * then simply delete the bridge together with its port membership. Also note @bridge_name is spliced into a
 * sysfs path unvalidated here — assumes the caller already checked it as an interface name (no '/'),
 * verify against caller.
 *
 * Returns 0 if nothing was done (empty name, bridge already gone, or still populated), 1 if the bridge was
 * removed, negative errno (logged) on failure. */
int remove_bridge(const char *bridge_name) {
        _cleanup_(release_lock_file) LockFile zone_lock = LOCK_FILE_INIT;
        _cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL;
        const char *brif_dir;
        int r;

        if (isempty(bridge_name))
                return 0;

        r = make_lock_file("/run/systemd/nspawn-network-zone", LOCK_EX, &zone_lock);
        if (r < 0)
                return log_error_errno(r, "Failed to take network zone lock: %m");

        /* One directory entry per enslaved port */
        brif_dir = strjoina("/sys/class/net/", bridge_name, "/brif");

        r = dir_is_empty(brif_dir, /* ignore_hidden_or_backup= */ false);
        if (r == -ENOENT || r == 0)
                /* Already gone, or still has ports: either way leave things alone */
                return 0;
        if (r < 0)
                return log_error_errno(r, "Can't detect if bridge %s is empty: %m", bridge_name);

        r = sd_netlink_open(&rtnl);
        if (r < 0)
                return log_error_errno(r, "Failed to connect to netlink: %m");

        return remove_one_link(rtnl, bridge_name);
}
466
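/* Checks that udev has finished handling the host interface @name, so that moving or reconfiguring it
 * does not race with udev's rule processing or a pending rename.
 *
 * If /sys is read-only the check is skipped and 0 returned — presumably we are then running somewhere
 * without a udev instance to wait for (e.g. inside a container), so there is nothing to synchronize with.
 *
 * Returns 0 if the interface is initialized and not being renamed, -EBUSY (logged) if udev is still busy
 * with it, or another negative errno (logged) if the device cannot be looked up. */
int test_network_interface_initialized(const char *name) {
        _cleanup_(sd_device_unrefp) sd_device *d = NULL;
        int r;

        assert(name);

        if (path_is_read_only_fs("/sys") > 0)
                return 0;

        /* udev should be around. */

        r = sd_device_new_from_ifname(&d, name);
        if (r < 0)
                return log_error_errno(r, "Failed to get device %s: %m", name);

        r = sd_device_get_is_initialized(d);
        if (r < 0)
                return log_error_errno(r, "Failed to determine whether interface %s is initialized: %m", name);
        if (r == 0)
                return log_error_errno(SYNTHETIC_ERRNO(EBUSY), "Network interface %s is not initialized yet.", name);

        /* A rename in progress means the name we were given may not be the final one */
        r = device_is_renaming(d);
        if (r < 0)
                /* Message fixed to match the wording of the check above ("whether ... is") */
                return log_error_errno(r, "Failed to determine whether interface %s is being renamed: %m", name);
        if (r > 0)
                return log_error_errno(SYNTHETIC_ERRNO(EBUSY), "Interface %s is being renamed.", name);

        return 0;
}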
494
/* Moves every host interface named in @ifaces into the network namespace referenced by @netns_fd.
 *
 * Each interface is resolved to its ifindex first (logging on failure), then an RTM_SETLINK with
 * IFLA_NET_NS_FD is sent. Using an fd rather than a PID pins the target namespace for the duration of the
 * request. The move is all-or-nothing per interface but not across the list: on a failure part-way
 * through, the interfaces handled so far stay in the container's namespace.
 *
 * Returns 0 on success (also for an empty @ifaces), negative errno (logged) on failure. */
int move_network_interfaces(int netns_fd, char **ifaces) {
        _cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL;
        int r;

        if (strv_isempty(ifaces))
                return 0;

        r = sd_netlink_open(&rtnl);
        if (r < 0)
                return log_error_errno(r, "Failed to connect to netlink: %m");

        STRV_FOREACH(name, ifaces) {
                _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *req = NULL;
                int ifindex;

                ifindex = rtnl_resolve_interface_or_warn(&rtnl, *name);
                if (ifindex < 0)
                        return ifindex;

                r = sd_rtnl_message_new_link(rtnl, &req, RTM_SETLINK, ifindex);
                if (r < 0)
                        return log_error_errno(r, "Failed to allocate netlink message: %m");

                r = sd_netlink_message_append_u32(req, IFLA_NET_NS_FD, netns_fd);
                if (r < 0)
                        return log_error_errno(r, "Failed to append namespace fd to netlink message: %m");

                r = sd_netlink_call(rtnl, req, 0, NULL);
                if (r < 0)
                        return log_error_errno(r, "Failed to move interface %s to namespace: %m", *name);
        }

        return 0;
}
529
/* Creates one macvlan interface per host interface in @ifaces, placed directly into the network namespace
 * of @pid (IFLA_NET_NS_PID; see the note in add_veth() about PID-based namespace selection).
 *
 * Each macvlan is named "mv-<host interface>" (shortened via shorten_ifname() if needed, in which case the
 * full name becomes an alternative name) and gets a deterministic MAC from generate_mac() with the macvlan
 * key and the interface's position as index.
 *
 * NOTE(review): the macvlans are created in MACVLAN_MODE_BRIDGE. That mode is what allows macvlan ports on
 * the same parent to reach each other directly through the macvlan driver; if containers sharing a parent
 * interface are meant to be isolated from one another, confirm that bridge mode is really the intended
 * choice here.
 *
 * Returns 0 on success (also for an empty @ifaces), negative errno (logged) on failure. */
int setup_macvlan(const char *machine_name, pid_t pid, char **ifaces) {
        _cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL;
        unsigned position = 0;
        int r;

        if (strv_isempty(ifaces))
                return 0;

        r = sd_netlink_open(&rtnl);
        if (r < 0)
                return log_error_errno(r, "Failed to connect to netlink: %m");

        STRV_FOREACH(host_iface, ifaces) {
                _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *req = NULL;
                _cleanup_free_ char *name = NULL, *altname = NULL;
                struct ether_addr mac;
                int parent;

                parent = rtnl_resolve_interface_or_warn(&rtnl, *host_iface);
                if (parent < 0)
                        return parent;

                r = generate_mac(machine_name, &mac, MACVLAN_HASH_KEY, position++);
                if (r < 0)
                        return log_error_errno(r, "Failed to create MACVLAN MAC address: %m");

                /* Derive the name before touching netlink; it does not depend on the request */
                name = strjoin("mv-", *host_iface);
                if (!name)
                        return log_oom();

                if (shorten_ifname(name) > 0) {
                        altname = strjoin("mv-", *host_iface);
                        if (!altname)
                                return log_oom();
                }

                r = sd_rtnl_message_new_link(rtnl, &req, RTM_NEWLINK, 0);
                if (r < 0)
                        return log_error_errno(r, "Failed to allocate netlink message: %m");

                /* IFLA_LINK: the parent (lower) device of the macvlan */
                r = sd_netlink_message_append_u32(req, IFLA_LINK, parent);
                if (r < 0)
                        return log_error_errno(r, "Failed to add netlink interface index: %m");

                r = sd_netlink_message_append_string(req, IFLA_IFNAME, name);
                if (r < 0)
                        return log_error_errno(r, "Failed to add netlink interface name: %m");

                r = sd_netlink_message_append_ether_addr(req, IFLA_ADDRESS, &mac);
                if (r < 0)
                        return log_error_errno(r, "Failed to add netlink MAC address: %m");

                r = sd_netlink_message_append_u32(req, IFLA_NET_NS_PID, pid);
                if (r < 0)
                        return log_error_errno(r, "Failed to add netlink namespace field: %m");

                r = sd_netlink_message_open_container(req, IFLA_LINKINFO);
                if (r < 0)
                        return log_error_errno(r, "Failed to open netlink container: %m");

                r = sd_netlink_message_open_container_union(req, IFLA_INFO_DATA, "macvlan");
                if (r < 0)
                        return log_error_errno(r, "Failed to open netlink container: %m");

                r = sd_netlink_message_append_u32(req, IFLA_MACVLAN_MODE, MACVLAN_MODE_BRIDGE);
                if (r < 0)
                        return log_error_errno(r, "Failed to append macvlan mode: %m");

                r = sd_netlink_message_close_container(req);
                if (r < 0)
                        return log_error_errno(r, "Failed to close netlink container: %m");

                r = sd_netlink_message_close_container(req);
                if (r < 0)
                        return log_error_errno(r, "Failed to close netlink container: %m");

                r = sd_netlink_call(rtnl, req, 0, NULL);
                if (r < 0)
                        return log_error_errno(r, "Failed to add new macvlan interfaces: %m");

                (void) set_alternative_ifname(rtnl, name, altname);
        }

        return 0;
}
616
/* Creates one ipvlan interface per host interface in @ifaces, placed directly into the network namespace
 * of @pid (IFLA_NET_NS_PID; see the note in add_veth() about PID-based namespace selection).
 *
 * Each ipvlan is named "iv-<host interface>" (shortened via shorten_ifname() if needed, in which case the
 * full name becomes an alternative name) and is created in IPVLAN_MODE_L2. Unlike macvlan no MAC address
 * is assigned: ipvlan ports share the parent's address, which is why @machine_name is unused here beyond
 * keeping the signature parallel to setup_macvlan().
 *
 * Returns 0 on success (also for an empty @ifaces), negative errno (logged) on failure. */
int setup_ipvlan(const char *machine_name, pid_t pid, char **ifaces) {
        _cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL;
        int r;

        if (strv_isempty(ifaces))
                return 0;

        r = sd_netlink_open(&rtnl);
        if (r < 0)
                return log_error_errno(r, "Failed to connect to netlink: %m");

        STRV_FOREACH(host_iface, ifaces) {
                _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *req = NULL;
                _cleanup_free_ char *name = NULL, *altname = NULL;
                int parent;

                parent = rtnl_resolve_interface_or_warn(&rtnl, *host_iface);
                if (parent < 0)
                        return parent;

                /* Derive the name before touching netlink; it does not depend on the request */
                name = strjoin("iv-", *host_iface);
                if (!name)
                        return log_oom();

                if (shorten_ifname(name) > 0) {
                        altname = strjoin("iv-", *host_iface);
                        if (!altname)
                                return log_oom();
                }

                r = sd_rtnl_message_new_link(rtnl, &req, RTM_NEWLINK, 0);
                if (r < 0)
                        return log_error_errno(r, "Failed to allocate netlink message: %m");

                /* IFLA_LINK: the parent (lower) device of the ipvlan */
                r = sd_netlink_message_append_u32(req, IFLA_LINK, parent);
                if (r < 0)
                        return log_error_errno(r, "Failed to add netlink interface index: %m");

                r = sd_netlink_message_append_string(req, IFLA_IFNAME, name);
                if (r < 0)
                        return log_error_errno(r, "Failed to add netlink interface name: %m");

                r = sd_netlink_message_append_u32(req, IFLA_NET_NS_PID, pid);
                if (r < 0)
                        return log_error_errno(r, "Failed to add netlink namespace field: %m");

                r = sd_netlink_message_open_container(req, IFLA_LINKINFO);
                if (r < 0)
                        return log_error_errno(r, "Failed to open netlink container: %m");

                r = sd_netlink_message_open_container_union(req, IFLA_INFO_DATA, "ipvlan");
                if (r < 0)
                        return log_error_errno(r, "Failed to open netlink container: %m");

                r = sd_netlink_message_append_u16(req, IFLA_IPVLAN_MODE, IPVLAN_MODE_L2);
                if (r < 0)
                        return log_error_errno(r, "Failed to add ipvlan mode: %m");

                r = sd_netlink_message_close_container(req);
                if (r < 0)
                        return log_error_errno(r, "Failed to close netlink container: %m");

                r = sd_netlink_message_close_container(req);
                if (r < 0)
                        return log_error_errno(r, "Failed to close netlink container: %m");

                r = sd_netlink_call(rtnl, req, 0, NULL);
                if (r < 0)
                        return log_error_errno(r, "Failed to add new ipvlan interfaces: %m");

                (void) set_alternative_ifname(rtnl, name, altname);
        }

        return 0;
}
693
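/* Parses one "HOST[:CONTAINER]" specification and appends the resulting (host name, container name) pair
 * to the flat strv @l, the format consumed by setup_veth_extra().
 *
 * HOST must be a valid interface name. If CONTAINER is absent or empty, the container side is given the
 * same name as the host side. A CONTAINER that is present but not a valid interface name is rejected with
 * -EINVAL — previously it was silently replaced by the host name, which turned a typo into an interface
 * with an unexpected name. Anything after the second field is rejected as well.
 *
 * Returns 0 on success (ownership of both strings moves into @l), -EINVAL on malformed input, -ENOMEM on
 * allocation failure, or the negative errno from extract_first_word(). */
int veth_extra_parse(char ***l, const char *p) {
        _cleanup_free_ char *host = NULL, *container = NULL;
        int r;

        r = extract_first_word(&p, &host, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
        if (r < 0)
                return r;
        if (r == 0 || !ifname_valid(host))
                return -EINVAL;

        r = extract_first_word(&p, &container, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
        if (r < 0)
                return r;

        if (isempty(container)) {
                /* No container-side name (field missing or empty): mirror the host-side name */
                free(container);
                container = strdup(host);
                if (!container)
                        return -ENOMEM;
        } else if (!ifname_valid(container))
                /* Present but unusable: refuse rather than quietly substituting the host name */
                return -EINVAL;

        if (p) /* More than two fields */
                return -EINVAL;

        r = strv_push_pair(l, host, container);
        if (r < 0)
                return -ENOMEM;

        /* Ownership transferred to @l */
        host = container = NULL;
        return 0;
}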
724
/* Removes the host-side ends of the container's veth links: @primary (the name filled in by setup_veth(),
 * may be NULL/empty) and the host-side name of every pair in @pairs (the strv from veth_extra_parse()).
 *
 * Normally the kernel tears a veth pair down together with the container's network namespace, but it may
 * keep the links pinned in some situations, so they are deleted explicitly as well. Each deletion is
 * best-effort: remove_one_link() logs its own failures and treats an already missing link as success, and
 * one failure does not stop the others from being attempted.
 *
 * Returns 0 unless the netlink socket cannot be opened (negative errno, logged). */
int remove_veth_links(const char *primary, char **pairs) {
        _cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL;
        int r;

        if (isempty(primary) && strv_isempty(pairs))
                return 0;

        r = sd_netlink_open(&rtnl);
        if (r < 0)
                return log_error_errno(r, "Failed to connect to netlink: %m");

        (void) remove_one_link(rtnl, primary);

        /* Only the host side needs removing; the container side goes with the pair */
        STRV_FOREACH_PAIR(host_name, container_name, pairs)
                (void) remove_one_link(rtnl, *host_name);

        return 0;
}
746