net: nexthop uapi

New UAPI for nexthops as standalone objects:
- defines netlink ancillary header, struct nhmsg
- RTM commands for nexthop objects, RTM_*NEXTHOP,
- RTNLGRP for nexthop notifications, RTNLGRP_NEXTHOP,
- Attributes for creating nexthops, NHA_*
- Attribute for route specs to specify a nexthop by id, RTA_NH_ID.

The nexthop attributes and semantics follow the route and RTA ones for
device, gateway and lwt encap. Unique to nexthop objects are a blackhole
and a group which contains references to other nexthop objects. With the
exception of blackhole and group, nexthop objects MUST contain a device.
Gateway and encap are optional. Nexthop groups can only reference other
pre-existing nexthops by id. If the NHA_ID attribute is present that id
is used for the nexthop. If not specified, one is auto assigned.

Dump requests can include attributes:
- NHA_GROUPS to return only nexthop groups,
- NHA_MASTER to limit dumps to nexthops with devices enslaved to the
  given master (e.g., VRF)
- NHA_OIF to limit dumps to nexthops using given device

nlmsg_route_perms in selinux code is updated for the new RTM comands.

Signed-off-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/uapi/linux/nexthop.h b/include/uapi/linux/nexthop.h
new file mode 100644 (file)
index 0000000..7b61867
--- /dev/null
+++ b/include/uapi/linux/nexthop.h
@@ -0,0 +1,56 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+#ifndef _UAPI_LINUX_NEXTHOP_H
+#define _UAPI_LINUX_NEXTHOP_H
+
+#include <linux/types.h>
+
+struct nhmsg {
+       unsigned char   nh_family;
+       unsigned char   nh_scope;     /* return only */
+       unsigned char   nh_protocol;  /* Routing protocol that installed nh */
+       unsigned char   resvd;
+       unsigned int    nh_flags;     /* RTNH_F flags */
+};
+
+/* entry in a nexthop group */
+struct nexthop_grp {
+       __u32   id;       /* nexthop id - must exist */
+       __u8    weight;   /* weight of this nexthop */
+       __u8    resvd1;
+       __u16   resvd2;
+};
+
+enum {
+       NEXTHOP_GRP_TYPE_MPATH,  /* default type if not specified */
+       __NEXTHOP_GRP_TYPE_MAX,
+};
+
+#define NEXTHOP_GRP_TYPE_MAX (__NEXTHOP_GRP_TYPE_MAX - 1)
+
+enum {
+       NHA_UNSPEC,
+       NHA_ID,         /* u32; id for nexthop. id == 0 means auto-assign */
+
+       NHA_GROUP,      /* array of nexthop_grp */
+       NHA_GROUP_TYPE, /* u16 one of NEXTHOP_GRP_TYPE */
+       /* if NHA_GROUP attribute is added, no other attributes can be set */
+
+       NHA_BLACKHOLE,  /* flag; nexthop used to blackhole packets */
+       /* if NHA_BLACKHOLE is added, OIF, GATEWAY, ENCAP can not be set */
+
+       NHA_OIF,        /* u32; nexthop device */
+       NHA_GATEWAY,    /* be32 (IPv4) or in6_addr (IPv6) gw address */
+       NHA_ENCAP_TYPE, /* u16; lwt encap type */
+       NHA_ENCAP,      /* lwt encap data */
+
+       /* NHA_OIF can be appended to dump request to return only
+        * nexthops using given device
+        */
+       NHA_GROUPS,     /* flag; only return nexthop groups in dump */
+       NHA_MASTER,     /* u32;  only return nexthops with given master dev */
+
+       __NHA_MAX,
+};
+
+#define NHA_MAX        (__NHA_MAX - 1)
+#endif

diff --git a/include/uapi/linux/rtnetlink.h b/include/uapi/linux/rtnetlink.h
index 46399367627fcefb0abdf145e374dd82f4de731a..ce2a623abb752dccb3c105e6cf380ca96d80347f 100644 (file)
--- a/include/uapi/linux/rtnetlink.h
+++ b/include/uapi/linux/rtnetlink.h
@@ -157,6 +157,13 @@ enum {
        RTM_GETCHAIN,
 #define RTM_GETCHAIN RTM_GETCHAIN
 
+       RTM_NEWNEXTHOP = 104,
+#define RTM_NEWNEXTHOP RTM_NEWNEXTHOP
+       RTM_DELNEXTHOP,
+#define RTM_DELNEXTHOP RTM_DELNEXTHOP
+       RTM_GETNEXTHOP,
+#define RTM_GETNEXTHOP RTM_GETNEXTHOP
+
        __RTM_MAX,
 #define RTM_MAX                (((__RTM_MAX + 3) & ~3) - 1)
 };
@@ -342,6 +349,7 @@ enum rtattr_type_t {
        RTA_IP_PROTO,
        RTA_SPORT,
        RTA_DPORT,
+       RTA_NH_ID,
        __RTA_MAX
 };
 
@@ -704,6 +712,8 @@ enum rtnetlink_groups {
 #define RTNLGRP_IPV4_MROUTE_R  RTNLGRP_IPV4_MROUTE_R
        RTNLGRP_IPV6_MROUTE_R,
 #define RTNLGRP_IPV6_MROUTE_R  RTNLGRP_IPV6_MROUTE_R
+       RTNLGRP_NEXTHOP,
+#define RTNLGRP_NEXTHOP                RTNLGRP_NEXTHOP
        __RTNLGRP_MAX
 };
 #define RTNLGRP_MAX    (__RTNLGRP_MAX - 1)

diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index 9cec81209617d5295cb244ca3b2c4079ae578391..2c75d823d8e257c1974aa71b8899e566af2acb0d 100644 (file)
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -83,6 +83,9 @@ static const struct nlmsg_perm nlmsg_route_perms[] =
        { RTM_NEWCHAIN,         NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
        { RTM_DELCHAIN,         NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
        { RTM_GETCHAIN,         NETLINK_ROUTE_SOCKET__NLMSG_READ  },
+       { RTM_NEWNEXTHOP,       NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
+       { RTM_DELNEXTHOP,       NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
+       { RTM_GETNEXTHOP,       NETLINK_ROUTE_SOCKET__NLMSG_READ  },
 };
 
 static const struct nlmsg_perm nlmsg_tcpdiag_perms[] =
@@ -166,7 +169,7 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
                 * structures at the top of this file with the new mappings
                 * before updating the BUILD_BUG_ON() macro!
                 */
-               BUILD_BUG_ON(RTM_MAX != (RTM_NEWCHAIN + 3));
+               BUILD_BUG_ON(RTM_MAX != (RTM_NEWNEXTHOP + 3));
                err = nlmsg_perm(nlmsg_type, perm, nlmsg_route_perms,
                                 sizeof(nlmsg_route_perms));
                break;