[Babel-users] [PATCH] RFC: block imports earlier
Dave Taht
dave at taht.net
Fri Oct 26 04:05:59 BST 2018
While this quick n' dirty implementation has problems, short
circuiting route import from elsewhere and not running complex rules
on some things may have benefits.
* For testing I'd ended up with 110,000 ipv6 bogon filter route
entries (ipset can only handle 64k). Injecting these every 4 hours
was "interesting".
The POC method I used here is not safe or robust enough for
complicated rules.
my penultimate thought was to add a new babel keyword, "block", which
would take place long before the in, out, or redistribute keywords and
only be capable of simple matches like:
block proto 50
block pid odhcpd
a bitset implementation is also easily translatable to ebpf, and
bitsets may well be useful elsewhere, although I do not expect this
code or implementation to go anywhere as is.
---
bittests.h | 23 +++++++++++++++++++++++
configuration.c | 7 +++++++
kernel_netlink.c | 5 ++++-
3 files changed, 34 insertions(+), 1 deletion(-)
create mode 100644 bittests.h
diff --git a/bittests.h b/bittests.h
new file mode 100644
index 0000000..2beb643
--- /dev/null
+++ b/bittests.h
@@ -0,0 +1,23 @@
+#define BitArraySize (sizeof(long)/8)
+#define SetBit(A,k) ( A[(k/BitArraySize)] |= (1 << (k%BitArraySize)) )
+#define ClearBit(A,k) ( A[(k/BitArraySize)] &= ~(1 << (k%BitArraySize)) )
+#define TestBit(A,k) ( A[(k/BitArraySize)] & (1 << (k%BitArraySize)) )
+
+#ifdef TEST_BITS
+#include <stdio.h>
+
+main(int argc, char **argv)
+{
+long protobits[256/BitArraySize] = {};
+
+SetBit(protobits,12);
+SetBit(protobits,128);
+
+if(!TestBit(protobits,128)) printf("boo!\n");
+if(!TestBit(protobits,12)) printf("boo!\n");
+if(TestBit(protobits,10)) printf("boo!\n");
+if(TestBit(protobits,127)) printf("boo!\n");
+
+}
+
+#endif
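Review bot: `BitArraySize` on the first line of bittests.h expands to `sizeof(long)/8`, which is 1 on LP64 targets, so every `long` in the array holds a single bit and `protobits[256/BitArraySize]` is 256 longs; the intended bits-per-word is `sizeof(long) * CHAR_BIT` (from `<limits.h>`). The self-test passes either way because each index still lands in its own element, so it does not detect the sizing error. Once the word width is right, the `1 << (k%BitArraySize)` shifts need an `unsigned long` operand (`1UL`): shifting a 32-bit `int` by up to 63 is undefined behaviour and would silently lose protocols 32 and up within each word. Separately, `main(int argc, char **argv)` has no return type and `= {}` is a pre-C23 extension; `int main(void)` and `= {0}` compile cleanly under -std=c99/c11.
```c
#define BitArraySize (sizeof(long) * CHAR_BIT)
#define SetBit(A,k)   ( (A)[(k)/BitArraySize] |=  (1UL << ((k)%BitArraySize)) )
#define ClearBit(A,k) ( (A)[(k)/BitArraySize] &= ~(1UL << ((k)%BitArraySize)) )
#define TestBit(A,k)  ( (A)[(k)/BitArraySize] &   (1UL << ((k)%BitArraySize)) )
/* … unchanged: TEST_BITS self-test … */
```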
diff --git a/configuration.c b/configuration.c
index 5f52ecb..23c3d21 100644
--- a/configuration.c
+++ b/configuration.c
@@ -32,6 +32,7 @@ THE SOFTWARE.
#define RTPROT_BOOT 3 /* Route installed during boot */
#endif
+#include "bittests.h"
#include "babeld.h"
#include "util.h"
#include "interface.h"
@@ -332,6 +333,8 @@ free_filter(struct filter *f)
free(f);
}
+long protobits[256/BitArraySize] = {};
+
static int
parse_filter(int c, gnc_t gnc, void *closure, struct filter **filter_return)
{
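Review bot: `long protobits[256/BitArraySize] = {};` at file scope here is a second external definition of the same object that the kernel_netlink.c hunk defines as `long protobits[256/BitArraySize];` without an initializer; two definitions of one global is a constraint violation and fails to link with `-fno-common`, the default since GCC 10. Keep this definition and make the other an `extern long protobits[256/BitArraySize];`, ideally placed in bittests.h next to the macros so the two translation units cannot disagree on the size. The `= {}` initializer is a pre-C23 extension; `= {0}` is the portable spelling. parse_filter's body continues outside the hunk.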
@@ -472,6 +475,10 @@ parse_filter(int c, gnc_t gnc, void *closure, struct filter **filter_return)
} else {
goto error;
}
+ if(filter->proto != 0 && filter->action.add_metric != INFINITY)
+ SetBit(protobits,filter->proto);
+ if(filter->proto != 0 && filter->action.add_metric == INFINITY)
+ ClearBit(protobits,filter->proto);
free(token);
}
if(filter->af == 0) {
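Review bot: `SetBit(protobits,filter->proto)` indexes the 256-entry array with a value taken from the configuration file, and nothing in this hunk checks that it is below 256; if `proto` is parsed as a plain integer with no range check elsewhere (not visible here), a line such as `proto 300` writes past the array. A guard before the two bit updates, `if(filter->proto < 0 || filter->proto > 255) goto error;`, closes that. The bitmap is also keyed on proto alone and updated in parse order, so a later line for the same proto with `add_metric == INFINITY` clears a bit an earlier, possibly more specific, line set, and any non-deny line admits every kernel route of that proto regardless of its other match terms — consistent with the cover letter's caveat, but worth a comment at the update site. parse_filter starts and ends outside the hunk.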
diff --git a/kernel_netlink.c b/kernel_netlink.c
index 76e6350..76004a4 100644
--- a/kernel_netlink.c
+++ b/kernel_netlink.c
@@ -51,6 +51,7 @@ THE SOFTWARE.
#define RTA_TABLE 15
#endif
+#include "bittests.h"
#include "babeld.h"
#include "kernel.h"
#include "util.h"
@@ -1183,6 +1184,8 @@ print_kernel_route(int add, int protocol, int type,
protocol, type);
}
+long protobits[256/BitArraySize];
+
static int
filter_kernel_routes(struct nlmsghdr *nh, struct kernel_route *route)
{
@@ -1198,7 +1201,7 @@ filter_kernel_routes(struct nlmsghdr *nh, struct kernel_route *route)
rtm = (struct rtmsg*)NLMSG_DATA(nh);
len -= NLMSG_LENGTH(0);
- if(rtm->rtm_protocol == RTPROT_BABEL)
+ if(!TestBit(protobits,rtm->rtm_protocol))
return 0;
/* Ignore cached routes, advertised by some kernels (linux 3.x). */
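Review bot: The replaced condition drops the explicit `rtm->rtm_protocol == RTPROT_BABEL` exclusion, so the daemon's own routes are no longer rejected by construction — only while no filter line has set that protocol's bit, and a config rule naming babel's protocol number would let them back in. Keeping the old test alongside the bitmap, `if(rtm->rtm_protocol == RTPROT_BABEL || !TestBit(protobits,rtm->rtm_protocol))`, preserves that invariant at no cost. With the bitmap zero-initialised, a configuration with no `proto` filter lines now ignores every kernel route, where previously everything except babel's own reached the rest of the filter; that default inversion deserves a comment at this line. `rtm_protocol` is an `unsigned char` in `struct rtmsg`, so the read-side index stays within a 256-bit array; filter_kernel_routes's body continues outside the hunk.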
--
1.8.3.2