* [PATCH 0/2] Interface groups
From: Laszlo Attila Toth @ 2007-10-16 8:01 UTC (permalink / raw)
To: netdev, netfilter-devel; +Cc: Laszlo Attila Toth
Hello,
Different network interfaces can be grouped using the same group ID. With this
patch fewer netfilter rules are necessary but it may also be used by routing.
The interface group (ifgroup) member of the net_device can be modified via
netlink (with iproute2) and it is used in the new 'ifgroup' netfilter match.
    ip link set eth0 group 4
    iptables -A INPUT -m ifgroup --if-group 4 -j ACCEPT
--
Laszlo Attila Toth
* [PATCH 1/2] Interface group: core (netlink) part
From: Laszlo Attila Toth @ 2007-10-16 8:01 UTC (permalink / raw)
To: netdev, netfilter-devel; +Cc: Laszlo Attila Toth
Interface groups let you handle different interfaces with one (netfilter) rule.
Modified net device structure and netlink interface.
Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
include/linux/if_link.h | 2 ++
include/linux/netdevice.h | 2 ++
net/core/rtnetlink.c | 8 ++++++++
3 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 422084d..d9f1726 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -78,6 +78,8 @@ enum
IFLA_LINKMODE,
IFLA_LINKINFO,
#define IFLA_LINKINFO IFLA_LINKINFO
+ IFLA_IFGROUP,
+#define IFLA_IFGROUP IFLA_IFGROUP
__IFLA_MAX
};
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index e679b27..4cfc697 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -365,6 +365,8 @@ struct net_device
/* Interface index. Unique device identifier */
int ifindex;
int iflink;
+ /* interface group this interface belongs to */
+ int ifgroup;
struct net_device_stats* (*get_stats)(struct net_device *dev);
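Review bot: `int ifgroup` in struct net_device is signed, but this same patch moves the value with NLA_PUT_U32() and nla_get_u32(), and the match in patch 2/2 compares it against u_int32_t fields. Declaring the member as u32 keeps the type consistent from netlink to the packet path and avoids sign surprises once the high bit is used in a group or mask.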
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 4756d58..18ff3c5 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -646,6 +646,9 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
if (dev->master)
NLA_PUT_U32(skb, IFLA_MASTER, dev->master->ifindex);
+ if (dev->ifgroup)
+ NLA_PUT_U32(skb, IFLA_IFGROUP, dev->ifgroup);
+
if (dev->qdisc_sleeping)
NLA_PUT_STRING(skb, IFLA_QDISC, dev->qdisc_sleeping->ops->id);
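Review bot: the NLA_PUT_U32(skb, IFLA_IFGROUP, ...) added to rtnl_fill_ifinfo() has no matching change to the message size estimate; the diffstat lists only these 8 added lines in net/core/rtnetlink.c, so if_nlmsg_size() still reserves no room for the attribute. Add an nla_total_size(4) term there. Because the attribute is only emitted when dev->ifgroup is non-zero, a listener also cannot tell "group 0" from "kernel without ifgroup support"; emitting it unconditionally removes that ambiguity.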
@@ -846,6 +849,11 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
write_unlock_bh(&dev_base_lock);
}
+ if (tb[IFLA_IFGROUP]) {
+ dev->ifgroup = nla_get_u32(tb[IFLA_IFGROUP ]);
+ rtmsg_ifinfo(RTM_NEWLINK, dev, 0);
+ }
+
err = 0;
errout:
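Review bot: in do_setlink(), tb[IFLA_IFGROUP] is read with nla_get_u32() but the patch adds no length validation for the new attribute; none of the 8 lines added to rtnetlink.c touches the attribute policy, so a short attribute would still be read as four bytes. Add an NLA_U32 entry for IFLA_IFGROUP to the link attribute policy table. The stray space in `tb[IFLA_IFGROUP ]` should go, and the rtmsg_ifinfo() call here adds one more per-attribute notification instead of a single one at the end of the function.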
--
1.5.2.5
* [PATCH 2/2] Interface group match - netfilter part
From: Laszlo Attila Toth @ 2007-10-16 8:01 UTC (permalink / raw)
To: netdev, netfilter-devel; +Cc: Laszlo Attila Toth
Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
include/linux/netfilter/xt_ifgroup.h | 11 +++++
net/netfilter/Kconfig | 16 +++++++
net/netfilter/Makefile | 1 +
net/netfilter/xt_ifgroup.c | 78 ++++++++++++++++++++++++++++++++++
4 files changed, 106 insertions(+), 0 deletions(-)
diff --git a/include/linux/netfilter/xt_ifgroup.h b/include/linux/netfilter/xt_ifgroup.h
new file mode 100644
index 0000000..a992d4c
--- /dev/null
+++ b/include/linux/netfilter/xt_ifgroup.h
@@ -0,0 +1,11 @@
+#ifndef _XT_IFGROUP_H
+#define _XT_IFGROUP_H
+
+struct xt_ifgroup_info {
+ u_int32_t group;
+ u_int32_t mask;
+ u_int8_t invert;
+};
+
+#endif /*_XT_IFGROUP_H*/
+
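Review bot: `invert` in struct xt_ifgroup_info is a free-form byte supplied by userspace, and match() in xt_ifgroup.c XORs it straight into the comparison result, so any value other than 0 or 1 makes the rule match every packet. Nothing in this patch validates the struct: add a checkentry hook that rejects invert > 1 and group bits that lie outside mask (such a rule can never match), or replace `invert` with a flags field whose unknown bits are refused.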
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 3599770..0864e19 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -597,6 +597,22 @@ config NETFILTER_XT_MATCH_QUOTA
If you want to compile it as a module, say M here and read
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
+config NETFILTER_XT_MATCH_IFGROUP
+ tristate '"ifgroup" interface group match support'
+ depends on NETFILTER_XTABLES
+ help
+ Interface group matching allows you to match a packet by
+ its incoming interface "group", settable using ip link set
+ group
+
+ Typical usage is to assign dynamic interfaces to a group
+ when they come up using "ip link set group" and then match
+ incoming packets with a rule like this:
+
+ iptables -A INPUT -m ifgroup --if-group openvpn-rw1 -j LOG
+
+ To compile it as a module, choose M here. If unsure, say N.
+
config NETFILTER_XT_MATCH_REALM
tristate '"realm" match support'
depends on NETFILTER_XTABLES
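Review bot: the help text for NETFILTER_XT_MATCH_IFGROUP gives "ip link set group" without a device or a value, leaves its first sentence without a full stop, and its example rule uses a symbolic name (openvpn-rw1) that nothing in this patch explains how to define. Spell the command out as in the cover letter (ip link set eth0 group 4), and either use a numeric group in the example or say where names are mapped. Since match() only reads the input device, the text should also state which chains the match is valid in.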
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 0c054bf..da9ab07 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -77,3 +77,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_IFGROUP) += xt_ifgroup.o
diff --git a/net/netfilter/xt_ifgroup.c b/net/netfilter/xt_ifgroup.c
new file mode 100644
index 0000000..766f668
--- /dev/null
+++ b/net/netfilter/xt_ifgroup.c
@@ -0,0 +1,78 @@
+/*
+ * An x_tables match module to match interface groups
+ *
+ * (C) 2006 Balazs Scheidler <bazsi@balabit.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/if_ether.h>
+#include <linux/if_packet.h>
+
+#include <linux/netfilter/xt_ifgroup.h>
+#include <linux/netfilter/x_tables.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Balazs Scheidler <bazsi@balabit.hu>");
+MODULE_DESCRIPTION("IP tables match to match on interface group");
+MODULE_ALIAS("ipt_ifgroup");
+MODULE_ALIAS("ip6t_ifgroup");
+
+static int match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const struct xt_match *match,
+ const void *matchinfo,
+ int offset,
+ unsigned int protoff,
+ int *hotdrop)
+{
+ const struct xt_ifgroup_info *info = matchinfo;
+
+ return ((in->ifgroup & info->mask) == info->group) ^ info->invert;
+}
+
+static struct xt_match ifgroup_match = {
+ .name = "ifgroup",
+ .match = match,
+ .matchsize = sizeof(struct xt_ifgroup_info),
+ .family = AF_INET,
+ .me = THIS_MODULE,
+};
+
+static struct xt_match ifgroup6_match = {
+ .name = "ifgroup",
+ .match = match,
+ .matchsize = sizeof(struct xt_ifgroup_info),
+ .family = AF_INET6,
+ .me = THIS_MODULE,
+};
+
+static int __init xt_ifgroup_init(void)
+{
+ int ret;
+
+ ret = xt_register_match(&ifgroup_match);
+ if (ret)
+ return ret;
+
+ ret = xt_register_match(&ifgroup6_match);
+ if (ret)
+ xt_unregister_match(&ifgroup_match);
+
+ return ret;
+}
+
+static void __exit xt_ifgroup_fini(void)
+{
+ xt_unregister_match(&ifgroup_match);
+ xt_unregister_match(&ifgroup6_match);
+}
+
+module_init(xt_ifgroup_init);
+module_exit(xt_ifgroup_fini);
+
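Review bot: match() dereferences `in` unconditionally (in->ifgroup), and neither xt_match definition sets `.hooks`, so a rule using this match in OUTPUT or POSTROUTING, where there is no input device, is accepted and then dereferences a NULL pointer on the first packet. Restrict both entries to the PREROUTING, INPUT and FORWARD hooks via `.hooks`, or add explicit input/output selection with a NULL check. The two definitions can also go in one array registered with xt_register_matches(), which removes the hand-written unwind in xt_ifgroup_init().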
--
1.5.2.5
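The group/mask/invert comparison from xt_ifgroup.c above, as an added userspace model (not part of the posted patches and not kernel code), showing how one masked rule selects several interfaces and which rule contents a validation step would refuse. struct model_dev, ifgroup_rule_valid(), the "no input device means no match" guard and the sample interface table are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same three fields as struct xt_ifgroup_info in the patch. */
struct ifgroup_rule {
	uint32_t group;
	uint32_t mask;
	uint8_t  invert;
};

/* Hypothetical stand-in for the single net_device field the match reads. */
struct model_dev {
	const char *name;
	uint32_t    ifgroup;
};

/*
 * Hypothetical checkentry-style validation: refuse rules whose invert byte
 * is not 0/1 and rules with group bits outside the mask (they can never
 * match). Returns 1 if the rule is acceptable, 0 otherwise.
 */
int ifgroup_rule_valid(const struct ifgroup_rule *r)
{
	if (r->invert > 1)
		return 0;
	if (r->group & ~r->mask)
		return 0;
	return 1;
}

/*
 * The comparison from the patch with two changes made for this model:
 * invert is normalised to 0/1, and a missing input device (in == NULL,
 * as in hooks without one) is treated as "does not match".
 */
int ifgroup_match(const struct model_dev *in, const struct ifgroup_rule *r)
{
	if (in == NULL)
		return 0;
	return ((in->ifgroup & r->mask) == r->group) ^ (r->invert != 0);
}

/* Count how many devices in a table a rule selects. */
size_t ifgroup_count(const struct model_dev *devs, size_t n,
		     const struct ifgroup_rule *r)
{
	size_t i, hits = 0;

	for (i = 0; i < n; i++)
		hits += (size_t)ifgroup_match(&devs[i], r);
	return hits;
}

/* Constructed sample: interface names and group numbers are made up. */
static const struct model_dev sample_devs[] = {
	{ "eth0", 0x00 },
	{ "tun0", 0x14 },
	{ "tun1", 0x14 },
	{ "tun2", 0x15 },
	{ "ppp0", 0x24 },
};
#define SAMPLE_COUNT (sizeof(sample_devs) / sizeof(sample_devs[0]))

/* Apply one rule to the constructed table and return the number of hits. */
size_t sample_count(uint32_t group, uint32_t mask, uint8_t invert)
{
	struct ifgroup_rule r = { group, mask, invert };

	return ifgroup_count(sample_devs, SAMPLE_COUNT, &r);
}

int main(void)
{
	struct ifgroup_rule stray = { 0x14, 0xf0, 0 };   /* group bit outside mask */
	struct ifgroup_rule badinv = { 0x10, 0xf0, 2 };  /* invert is not 0/1 */

	printf("exact 0x14:          %zu interfaces\n",
	       sample_count(0x14, 0xffffffffu, 0));
	printf("0x10/0xf0:           %zu interfaces\n",
	       sample_count(0x10, 0xf0, 0));
	printf("! 0x10/0xf0:         %zu interfaces\n",
	       sample_count(0x10, 0xf0, 1));
	printf("stray rule valid:    %d\n", ifgroup_rule_valid(&stray));
	printf("invert=2 rule valid: %d\n", ifgroup_rule_valid(&badinv));
	return 0;
}
```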
* [IPROUTE2 PATCH] Interface group as new ip link option
From: Laszlo Attila Toth @ 2007-10-16 8:01 UTC (permalink / raw)
To: netdev, netfilter-devel; +Cc: Laszlo Attila Toth
Interfaces can be grouped and each group has a unique positive integer ID.
It can be set via ip link.
Signed-off-by: Laszlo Attila Toth <panther@aldaris.(none)>
---
include/linux/if_link.h | 2 +
include/rt_names.h | 2 +
ip/ipaddress.c | 4 +++
ip/iplink.c | 49 +++++++++++++++++++++++++++++++++++++
lib/rt_names.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++
man/man8/ip.8 | 8 ++++++
6 files changed, 127 insertions(+), 0 deletions(-)
diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 23b3a8e..2dfb0b7 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -78,6 +78,8 @@ enum
IFLA_LINKMODE,
IFLA_LINKINFO,
#define IFLA_LINKINFO IFLA_LINKINFO
+ IFLA_IFGROUP,
+#define IFLA_IFGROUP IFLA_IFGROUP
__IFLA_MAX
};
diff --git a/include/rt_names.h b/include/rt_names.h
index 07a10e0..72c5247 100644
--- a/include/rt_names.h
+++ b/include/rt_names.h
@@ -8,11 +8,13 @@ char* rtnl_rtscope_n2a(int id, char *buf, int len);
char* rtnl_rttable_n2a(__u32 id, char *buf, int len);
char* rtnl_rtrealm_n2a(int id, char *buf, int len);
char* rtnl_dsfield_n2a(int id, char *buf, int len);
+char* rtnl_ifgroup_n2a(int id, char *buf, int len);
int rtnl_rtprot_a2n(__u32 *id, char *arg);
int rtnl_rtscope_a2n(__u32 *id, char *arg);
int rtnl_rttable_a2n(__u32 *id, char *arg);
int rtnl_rtrealm_a2n(__u32 *id, char *arg);
int rtnl_dsfield_a2n(__u32 *id, char *arg);
+int rtnl_ifgroup_a2n(__u32 *id, char *arg);
const char *inet_proto_n2a(int proto, char *buf, int len);
int inet_proto_a2n(char *buf);
diff --git a/ip/ipaddress.c b/ip/ipaddress.c
index 518d8cd..405e85c 100644
--- a/ip/ipaddress.c
+++ b/ip/ipaddress.c
@@ -227,6 +227,10 @@ int print_linkinfo(const struct sockaddr_nl *who,
fprintf(fp, "mtu %u ", *(int*)RTA_DATA(tb[IFLA_MTU]));
if (tb[IFLA_QDISC])
fprintf(fp, "qdisc %s ", (char*)RTA_DATA(tb[IFLA_QDISC]));
+ if (tb[IFLA_IFGROUP]) {
+ SPRINT_BUF(b1);
+ fprintf(fp, "group %s ", rtnl_ifgroup_n2a(*(int*)RTA_DATA(tb[IFLA_IFGROUP]), b1, sizeof(b1)));
+ }
#ifdef IFLA_MASTER
if (tb[IFLA_MASTER]) {
SPRINT_BUF(b1);
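Review bot: the IFLA_IFGROUP payload is read as `*(int*)RTA_DATA(...)` in print_linkinfo(), although the kernel patch emits it with NLA_PUT_U32() and rtnl_ifgroup_a2n() works on __u32. Read it as __u32 and give rtnl_ifgroup_n2a() a __u32 id, as rtnl_rttable_n2a() already has, so a group with the high bit set is not printed as a negative number.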
diff --git a/ip/iplink.c b/ip/iplink.c
index 8e0ed2a..87901e7 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -27,6 +27,7 @@
#include <string.h>
#include <sys/ioctl.h>
#include <linux/sockios.h>
+#include <linux/rtnetlink.h>
#include "rt_names.h"
#include "utils.h"
@@ -46,6 +47,7 @@ void iplink_usage(void)
fprintf(stderr, " promisc { on | off } |\n");
fprintf(stderr, " trailers { on | off } |\n");
fprintf(stderr, " txqueuelen PACKETS |\n");
+ fprintf(stderr, " group GROUP |\n");
fprintf(stderr, " name NEWNAME |\n");
fprintf(stderr, " address LLADDR | broadcast LLADDR |\n");
fprintf(stderr, " mtu MTU }\n");
@@ -145,6 +147,7 @@ static int iplink_have_newlink(void)
static int iplink_modify(int cmd, unsigned int flags, int argc, char **argv)
{
int qlen = -1;
+ __u32 group = 0;
int mtu = -1;
int len;
char abuf[32];
@@ -197,6 +200,14 @@ static int iplink_modify(int cmd, unsigned int flags, int argc, char **argv)
if (get_integer(&qlen, *argv, 0))
invarg("Invalid \"txqueuelen\" value\n", *argv);
addattr_l(&req.n, sizeof(req), IFLA_TXQLEN, &qlen, 4);
+ } else if (matches(*argv, "group") == 0) {
+ NEXT_ARG();
+ if (group != 0)
+ duparg("group", *argv);
+
+ if (rtnl_ifgroup_a2n(&group, *argv) || group == 0)
+ invarg("\"group\" value is invalid\n", *argv);
+ addattr_l(&req.n, sizeof(req), IFLA_IFGROUP, &group, sizeof(group));
} else if (strcmp(*argv, "mtu") == 0) {
NEXT_ARG();
if (mtu != -1)
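Review bot: `group == 0` is rejected as invalid in this branch, and 0 doubles as the "not given yet" sentinel for the duparg() check, so once an interface has been placed in a group there is no way to return it to the unset value 0 that rtnl_fill_ifinfo() treats as "no group". Track whether the option was seen in a separate flag and accept 0 as a value.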
@@ -462,6 +473,32 @@ static int set_mtu(const char *dev, int mtu)
return 0;
}
+static int set_group(const char *dev, int ifgroup)
+{
+ struct {
+ struct nlmsghdr n;
+ struct ifinfomsg ifi;
+ char buf[256];
+ } req;
+ struct rtnl_handle rth;
+
+ memset(&req, 0, sizeof(req));
+ req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.ifi));
+ req.n.nlmsg_flags = NLM_F_REQUEST;
+ req.n.nlmsg_type = RTM_SETLINK;
+
+ req.ifi.ifi_index = -1;
+
+ addattr_l(&req.n, sizeof(req), IFLA_IFNAME, dev, strlen(dev)+1);
+ addattr_l(&req.n, sizeof(req), IFLA_IFGROUP, &ifgroup, sizeof(ifgroup));
+ if (rtnl_open(&rth, 0) < 0)
+ exit(1);
+ if (rtnl_talk(&rth, &req.n, 0, 0, NULL, NULL, NULL) < 0)
+ return -1;
+ rtnl_close(&rth);
+ return 0;
+}
+
static int get_address(const char *dev, int *htype)
{
struct ifreq ifr;
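Review bot: set_group() returns -1 when rtnl_talk() fails without calling rtnl_close(&rth), and it calls exit(1) when rtnl_open() fails although its other paths report errors through the return value. Close the handle on the error path and return -1 in both cases. The parameter is also declared `int ifgroup` while do_set() passes a __u32.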
@@ -545,6 +582,7 @@ static int do_set(int argc, char **argv)
__u32 mask = 0;
__u32 flags = 0;
int qlen = -1;
+ __u32 group = 0;
int mtu = -1;
char *newaddr = NULL;
char *newbrd = NULL;
@@ -577,6 +615,13 @@ static int do_set(int argc, char **argv)
duparg("txqueuelen", *argv);
if (get_integer(&qlen, *argv, 0))
invarg("Invalid \"txqueuelen\" value\n", *argv);
+ } else if (matches(*argv, "group") == 0) {
+ NEXT_ARG();
+ if (group != 0)
+ duparg("group", *argv);
+
+ if (rtnl_ifgroup_a2n(&group, *argv) || group == 0)
+ invarg("\"group\" value is invalid\n", *argv);
} else if (strcmp(*argv, "mtu") == 0) {
NEXT_ARG();
if (mtu != -1)
@@ -696,6 +741,10 @@ static int do_set(int argc, char **argv)
return -1;
}
}
+ if (group) {
+ if (set_group(dev, group) < 0)
+ return -1;
+ }
if (mask)
return do_chflags(dev, flags, mask);
return 0;
diff --git a/lib/rt_names.c b/lib/rt_names.c
index 8d019a0..a067e74 100644
--- a/lib/rt_names.c
+++ b/lib/rt_names.c
@@ -446,3 +446,65 @@ int rtnl_dsfield_a2n(__u32 *id, char *arg)
return 0;
}
+static char * rtnl_rtifgroup_tab[256] = {
+ "0",
+};
+
+static int rtnl_rtifgroup_init;
+
+static void rtnl_rtifgroup_initialize(void)
+{
+ rtnl_rtifgroup_init = 1;
+ rtnl_tab_initialize("/etc/iproute2/rt_ifgroup",
+ rtnl_rtifgroup_tab, 256);
+}
+
+char * rtnl_ifgroup_n2a(int id, char *buf, int len)
+{
+ if (id<0 || id>=256) {
+ snprintf(buf, len, "%d", id);
+ return buf;
+ }
+ if (!rtnl_rtifgroup_tab[id]) {
+ if (!rtnl_rtifgroup_init)
+ rtnl_rtifgroup_initialize();
+ }
+ if (rtnl_rtifgroup_tab[id])
+ return rtnl_rtifgroup_tab[id];
+ snprintf(buf, len, "0x%02x", id);
+ return buf;
+}
+
+
+int rtnl_ifgroup_a2n(__u32 *id, char *arg)
+{
+ static char *cache = NULL;
+ static unsigned long res;
+ char *end;
+ int i;
+
+ if (cache && strcmp(cache, arg) == 0) {
+ *id = res;
+ return 0;
+ }
+
+ if (!rtnl_rtifgroup_init)
+ rtnl_rtifgroup_initialize();
+
+ for (i=0; i<256; i++) {
+ if (rtnl_rtifgroup_tab[i] &&
+ strcmp(rtnl_rtifgroup_tab[i], arg) == 0) {
+ cache = rtnl_rtifgroup_tab[i];
+ res = i;
+ *id = res;
+ return 0;
+ }
+ }
+
+ res = strtoul(arg, &end, 16);
+ if (!end || end == arg || *end || res > 255)
+ return -1;
+ *id = res;
+ return 0;
+}
+
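Review bot: rtnl_ifgroup_a2n() parses numeric input with strtoul(arg, &end, 16), so "ip link set eth0 group 10" sets group 16, while the cover letter's examples and the "%d" branch of rtnl_ifgroup_n2a() read as decimal; an interface can silently end up in a different group than the one the firewall rule names. Use base 0 so plain numbers are decimal and 0x-prefixed ones hex, and make n2a print in a form that a2n reads back to the same value. The `res > 255` limit also restricts the tool to 8 bits of a field the kernel stores and masks as 32 bits; if that is intended it belongs in the man page.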
diff --git a/man/man8/ip.8 b/man/man8/ip.8
index c74440a..8e6a9a3 100644
--- a/man/man8/ip.8
+++ b/man/man8/ip.8
@@ -511,6 +511,11 @@ already configured.
change the transmit queue length of the device.
.TP
+.BI group " GROUP"
+.TP
+change the interface group identifier of the device.
+
+.TP
.BI mtu " NUMBER"
change the
.I MTU
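Review bot: in this ip.8 hunk the `.TP` added between `.BI group " GROUP"` and its description separates the tag from its text, so the description is rendered as the tag of a new paragraph. Drop that `.TP` so the entry follows the same tag-then-text layout as the mtu entry below it, and say what GROUP may be (a number, or a name from /etc/iproute2/rt_ifgroup).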
@@ -1835,3 +1840,6 @@ was written by Alexey N. Kuznetsov and added in Linux 2.2.
.SH AUTHOR
Original Manpage by Michail Litvak <mci@owl.openwall.com>
+.br
+Modified for ZorpOS by Tamas Pal <folti@balabit.hu>
+
--
1.5.2.5
* Re: [PATCH 2/2] Interface group match - netfilter part
From: Patrick McHardy @ 2007-10-16 8:30 UTC (permalink / raw)
To: Laszlo Attila Toth; +Cc: netdev, netfilter-devel
Laszlo Attila Toth wrote:
> +static int match(const struct sk_buff *skb,
> + const struct net_device *in,
> + const struct net_device *out,
> + const struct xt_match *match,
> + const void *matchinfo,
> + int offset,
> + unsigned int protoff,
> + int *hotdrop)
> +{
> + const struct xt_ifgroup_info *info = matchinfo;
> +
> + return ((in->ifgroup & info->mask) == info->group) ^ info->invert;
The input interface is only valid in PREROUTING, INPUT and FORWARD.
Why don't you support output-interface matching?
> +}
> +
> +static struct xt_match ifgroup_match = {
> + .name = "ifgroup",
> + .match = match,
> + .matchsize = sizeof(struct xt_ifgroup_info),
> + .family = AF_INET,
> + .me = THIS_MODULE,
> +};
> +
> +static struct xt_match ifgroup6_match = {
> + .name = "ifgroup",
> + .match = match,
> + .matchsize = sizeof(struct xt_ifgroup_info),
> + .family = AF_INET6,
> + .me = THIS_MODULE,
> +};
__read_mostly
> +
> +static int __init xt_ifgroup_init(void)
> +{
> + int ret;
> +
> + ret = xt_register_match(&ifgroup_match);
xt_register_matches please.
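Review bot: In match(), `in->ifgroup` is dereferenced unconditionally, and neither `ifgroup_match` nor `ifgroup6_match` sets `.hooks`, so nothing in the quoted registration confines the match to PREROUTING, INPUT and FORWARD; a rule placed in OUTPUT or POSTROUTING would reach this line with `in == NULL`. Restrict `.hooks` to the chains where the referenced device exists, or check the pointer before using it, and do the same for `out` once output matching is added.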
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH 1/2] Interface group: core (netlink) part
2007-10-16 8:01 ` Laszlo Attila Toth
@ 2007-10-16 8:34 ` Patrick McHardy
0 siblings, 0 replies; 30+ messages in thread
From: Patrick McHardy @ 2007-10-16 8:34 UTC (permalink / raw)
To: Laszlo Attila Toth; +Cc: netdev, netfilter-devel
Laszlo Attila Toth wrote:
> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
> index 4756d58..18ff3c5 100644
> --- a/net/core/rtnetlink.c
> +++ b/net/core/rtnetlink.c
> @@ -646,6 +646,9 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
> if (dev->master)
> NLA_PUT_U32(skb, IFLA_MASTER, dev->master->ifindex);
>
> + if (dev->ifgroup)
> + NLA_PUT_U32(skb, IFLA_IFGROUP, dev->ifgroup);
> +
You need to adjust if_nlmsg_size() to account for this.
> if (dev->qdisc_sleeping)
> NLA_PUT_STRING(skb, IFLA_QDISC, dev->qdisc_sleeping->ops->id);
>
> @@ -846,6 +849,11 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
> write_unlock_bh(&dev_base_lock);
> }
>
> + if (tb[IFLA_IFGROUP]) {
> + dev->ifgroup = nla_get_u32(tb[IFLA_IFGROUP ]);
> + rtmsg_ifinfo(RTM_NEWLINK, dev, 0);
> + }
Notifications should be atomic, not one for every single change. I know
that's not the case currently, but it seems we're missing a notification
for some of the attributes anyway (like tx_queue_len, operstate,
linkmode), please consolidate all these and send a single notification.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [IPROUTE2 PATCH] Interface group as new ip link option
2007-10-16 8:01 ` [IPROUTE2 PATCH] Interface group as new ip link option Laszlo Attila Toth
@ 2007-10-16 8:38 ` Patrick McHardy
2007-10-16 9:33 ` Laszlo Attila Toth
0 siblings, 1 reply; 30+ messages in thread
From: Patrick McHardy @ 2007-10-16 8:38 UTC (permalink / raw)
To: Laszlo Attila Toth; +Cc: netdev, netfilter-devel
Laszlo Attila Toth wrote:
> diff --git a/man/man8/ip.8 b/man/man8/ip.8
> index c74440a..8e6a9a3 100644
> --- a/man/man8/ip.8
> +++ b/man/man8/ip.8
> @@ -511,6 +511,11 @@ already configured.
> @@ -1835,3 +1840,6 @@ was written by Alexey N. Kuznetsov and added in Linux 2.2.
>
> .SH AUTHOR
> Original Manpage by Michail Litvak <mci@owl.openwall.com>
> +.br
> +Modified for ZorpOS by Tamas Pal <folti@balabit.hu>
Did you really intend to include this?
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH 0/2] Interface groups
2007-10-16 8:01 ` Laszlo Attila Toth
@ 2007-10-16 8:50 ` Philip Craig
2007-10-16 9:47 ` Laszlo Attila Toth
0 siblings, 1 reply; 30+ messages in thread
From: Philip Craig @ 2007-10-16 8:50 UTC (permalink / raw)
To: Laszlo Attila Toth; +Cc: netdev, netfilter-devel
Laszlo Attila Toth wrote:
> Hello,
>
> Different network interfaces can be grouped using the same group ID. With this
> patch fewer netfilter rules are necessary but it may also be used by routing.
This allows an interface to belong to only one group. I expect there are
situations where you want more. eg you might want a group of all pptp
connections, and another group of pptp connections for a subset of users.
An alternative approach would be to extend ipset to have sets of ifindex,
although this would tie it closer to iptables, and it would be slower.
But it still gives the properties of reducing the number of iptables rules,
and allowing to change group membership without reinstalling rules.
Maybe Jozsef has designed nfset to be able to handle this already?
^ permalink raw reply [flat|nested] 30+ messages in thread
* Resend: [IPROUTE2 PATCH] Interface group as new ip link option
[not found] ` <a6713ba13c49b7fa20073d8abf1862480c2799e0.1192457385.git.panther@balabit.hu>
` (2 preceding siblings ...)
2007-10-16 9:03 ` Resend: " Laszlo Attila Toth
@ 2007-10-16 9:03 ` Laszlo Attila Toth
2007-10-16 9:11 ` Patrick McHardy
2007-10-16 10:45 ` jamal
4 siblings, 1 reply; 30+ messages in thread
From: Laszlo Attila Toth @ 2007-10-16 9:03 UTC (permalink / raw)
To: netdev, netfilter-devel; +Cc: Laszlo Attila Toth
Interfaces can be grouped and each group has a unique positive integer ID.
It can be set via ip link.
Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
include/linux/if_link.h | 2 +
include/rt_names.h | 2 +
ip/ipaddress.c | 4 +++
ip/iplink.c | 49 +++++++++++++++++++++++++++++++++++++
lib/rt_names.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++
man/man8/ip.8 | 8 ++++++
6 files changed, 127 insertions(+), 0 deletions(-)
diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 23b3a8e..2dfb0b7 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -78,6 +78,8 @@ enum
IFLA_LINKMODE,
IFLA_LINKINFO,
#define IFLA_LINKINFO IFLA_LINKINFO
+ IFLA_IFGROUP,
+#define IFLA_IFGROUP IFLA_IFGROUP
__IFLA_MAX
};
diff --git a/include/rt_names.h b/include/rt_names.h
index 07a10e0..72c5247 100644
--- a/include/rt_names.h
+++ b/include/rt_names.h
@@ -8,11 +8,13 @@ char* rtnl_rtscope_n2a(int id, char *buf, int len);
char* rtnl_rttable_n2a(__u32 id, char *buf, int len);
char* rtnl_rtrealm_n2a(int id, char *buf, int len);
char* rtnl_dsfield_n2a(int id, char *buf, int len);
+char* rtnl_ifgroup_n2a(int id, char *buf, int len);
int rtnl_rtprot_a2n(__u32 *id, char *arg);
int rtnl_rtscope_a2n(__u32 *id, char *arg);
int rtnl_rttable_a2n(__u32 *id, char *arg);
int rtnl_rtrealm_a2n(__u32 *id, char *arg);
int rtnl_dsfield_a2n(__u32 *id, char *arg);
+int rtnl_ifgroup_a2n(__u32 *id, char *arg);
const char *inet_proto_n2a(int proto, char *buf, int len);
int inet_proto_a2n(char *buf);
diff --git a/ip/ipaddress.c b/ip/ipaddress.c
index 518d8cd..405e85c 100644
--- a/ip/ipaddress.c
+++ b/ip/ipaddress.c
@@ -227,6 +227,10 @@ int print_linkinfo(const struct sockaddr_nl *who,
fprintf(fp, "mtu %u ", *(int*)RTA_DATA(tb[IFLA_MTU]));
if (tb[IFLA_QDISC])
fprintf(fp, "qdisc %s ", (char*)RTA_DATA(tb[IFLA_QDISC]));
+ if (tb[IFLA_IFGROUP]) {
+ SPRINT_BUF(b1);
+ fprintf(fp, "group %s ", rtnl_ifgroup_n2a(*(int*)RTA_DATA(tb[IFLA_IFGROUP]), b1, sizeof(b1)));
+ }
#ifdef IFLA_MASTER
if (tb[IFLA_MASTER]) {
SPRINT_BUF(b1);
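Review bot: In the new `tb[IFLA_IFGROUP]` branch the payload is read through `*(int*)RTA_DATA(...)` although iplink.c sends the attribute from a `__u32`; read it as `__u32` and give `rtnl_ifgroup_n2a()` an unsigned id, otherwise a group value with the top bit set is printed as a negative number. The branch also assumes the attribute carries at least four bytes; a check against RTA_PAYLOAD() before the dereference would make that explicit.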
diff --git a/ip/iplink.c b/ip/iplink.c
index 8e0ed2a..87901e7 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -27,6 +27,7 @@
#include <string.h>
#include <sys/ioctl.h>
#include <linux/sockios.h>
+#include <linux/rtnetlink.h>
#include "rt_names.h"
#include "utils.h"
@@ -46,6 +47,7 @@ void iplink_usage(void)
fprintf(stderr, " promisc { on | off } |\n");
fprintf(stderr, " trailers { on | off } |\n");
fprintf(stderr, " txqueuelen PACKETS |\n");
+ fprintf(stderr, " group GROUP |\n");
fprintf(stderr, " name NEWNAME |\n");
fprintf(stderr, " address LLADDR | broadcast LLADDR |\n");
fprintf(stderr, " mtu MTU }\n");
@@ -145,6 +147,7 @@ static int iplink_have_newlink(void)
static int iplink_modify(int cmd, unsigned int flags, int argc, char **argv)
{
int qlen = -1;
+ __u32 group = 0;
int mtu = -1;
int len;
char abuf[32];
@@ -197,6 +200,14 @@ static int iplink_modify(int cmd, unsigned int flags, int argc, char **argv)
if (get_integer(&qlen, *argv, 0))
invarg("Invalid \"txqueuelen\" value\n", *argv);
addattr_l(&req.n, sizeof(req), IFLA_TXQLEN, &qlen, 4);
+ } else if (matches(*argv, "group") == 0) {
+ NEXT_ARG();
+ if (group != 0)
+ duparg("group", *argv);
+
+ if (rtnl_ifgroup_a2n(&group, *argv) || group == 0)
+ invarg("\"group\" value is invalid\n", *argv);
+ addattr_l(&req.n, sizeof(req), IFLA_IFGROUP, &group, sizeof(group));
} else if (strcmp(*argv, "mtu") == 0) {
NEXT_ARG();
if (mtu != -1)
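Review bot: In the new `group` branch, `group == 0` serves both as the "not given yet" sentinel and as a rejected value, so once an interface has been placed in a group there is no way to take it out again with ip. Track whether the option was seen in a separate flag and let 0 through as the ungrouped state. Note also that `matches()` accepts any prefix of "group", unlike the `strcmp()` used for `mtu` directly below.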
@@ -462,6 +473,32 @@ static int set_mtu(const char *dev, int mtu)
return 0;
}
+static int set_group(const char *dev, int ifgroup)
+{
+ struct {
+ struct nlmsghdr n;
+ struct ifinfomsg ifi;
+ char buf[256];
+ } req;
+ struct rtnl_handle rth;
+
+ memset(&req, 0, sizeof(req));
+ req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.ifi));
+ req.n.nlmsg_flags = NLM_F_REQUEST;
+ req.n.nlmsg_type = RTM_SETLINK;
+
+ req.ifi.ifi_index = -1;
+
+ addattr_l(&req.n, sizeof(req), IFLA_IFNAME, dev, strlen(dev)+1);
+ addattr_l(&req.n, sizeof(req), IFLA_IFGROUP, &ifgroup, sizeof(ifgroup));
+ if (rtnl_open(&rth, 0) < 0)
+ exit(1);
+ if (rtnl_talk(&rth, &req.n, 0, 0, NULL, NULL, NULL) < 0)
+ return -1;
+ rtnl_close(&rth);
+ return 0;
+}
+
static int get_address(const char *dev, int *htype)
{
struct ifreq ifr;
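Review bot: In `set_group()` the `rtnl_talk()` failure path returns -1 without calling `rtnl_close(&rth)`, and a failed `rtnl_open()` calls `exit(1)` while the other error is reported to the caller; close the handle on the failure path and return -1 in both cases. The parameter is declared `int ifgroup` although the caller in do_set() holds a `__u32`, so use `__u32` here as well.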
@@ -545,6 +582,7 @@ static int do_set(int argc, char **argv)
__u32 mask = 0;
__u32 flags = 0;
int qlen = -1;
+ __u32 group = 0;
int mtu = -1;
char *newaddr = NULL;
char *newbrd = NULL;
@@ -577,6 +615,13 @@ static int do_set(int argc, char **argv)
duparg("txqueuelen", *argv);
if (get_integer(&qlen, *argv, 0))
invarg("Invalid \"txqueuelen\" value\n", *argv);
+ } else if (matches(*argv, "group") == 0) {
+ NEXT_ARG();
+ if (group != 0)
+ duparg("group", *argv);
+
+ if (rtnl_ifgroup_a2n(&group, *argv) || group == 0)
+ invarg("\"group\" value is invalid\n", *argv);
} else if (strcmp(*argv, "mtu") == 0) {
NEXT_ARG();
if (mtu != -1)
@@ -696,6 +741,10 @@ static int do_set(int argc, char **argv)
return -1;
}
}
+ if (group) {
+ if (set_group(dev, group) < 0)
+ return -1;
+ }
if (mask)
return do_chflags(dev, flags, mask);
return 0;
diff --git a/lib/rt_names.c b/lib/rt_names.c
index 8d019a0..a067e74 100644
--- a/lib/rt_names.c
+++ b/lib/rt_names.c
@@ -446,3 +446,65 @@ int rtnl_dsfield_a2n(__u32 *id, char *arg)
return 0;
}
+static char * rtnl_rtifgroup_tab[256] = {
+ "0",
+};
+
+static int rtnl_rtifgroup_init;
+
+static void rtnl_rtifgroup_initialize(void)
+{
+ rtnl_rtifgroup_init = 1;
+ rtnl_tab_initialize("/etc/iproute2/rt_ifgroup",
+ rtnl_rtifgroup_tab, 256);
+}
+
+char * rtnl_ifgroup_n2a(int id, char *buf, int len)
+{
+ if (id<0 || id>=256) {
+ snprintf(buf, len, "%d", id);
+ return buf;
+ }
+ if (!rtnl_rtifgroup_tab[id]) {
+ if (!rtnl_rtifgroup_init)
+ rtnl_rtifgroup_initialize();
+ }
+ if (rtnl_rtifgroup_tab[id])
+ return rtnl_rtifgroup_tab[id];
+ snprintf(buf, len, "0x%02x", id);
+ return buf;
+}
+
+
+int rtnl_ifgroup_a2n(__u32 *id, char *arg)
+{
+ static char *cache = NULL;
+ static unsigned long res;
+ char *end;
+ int i;
+
+ if (cache && strcmp(cache, arg) == 0) {
+ *id = res;
+ return 0;
+ }
+
+ if (!rtnl_rtifgroup_init)
+ rtnl_rtifgroup_initialize();
+
+ for (i=0; i<256; i++) {
+ if (rtnl_rtifgroup_tab[i] &&
+ strcmp(rtnl_rtifgroup_tab[i], arg) == 0) {
+ cache = rtnl_rtifgroup_tab[i];
+ res = i;
+ *id = res;
+ return 0;
+ }
+ }
+
+ res = strtoul(arg, &end, 16);
+ if (!end || end == arg || *end || res > 255)
+ return -1;
+ *id = res;
+ return 0;
+}
+
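Review bot: In `rtnl_ifgroup_a2n()` the static `res` is overwritten by the `strtoul()` fallback while `cache` still points at the last name that was resolved, so the sequence name, number, same name returns the number for the name through the `cache` shortcut at the top of the function. Parse into a local variable in the numeric path (or clear `cache` there) and keep `res` only for the cached name.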
diff --git a/man/man8/ip.8 b/man/man8/ip.8
index c74440a..8e6a9a3 100644
--- a/man/man8/ip.8
+++ b/man/man8/ip.8
@@ -511,6 +511,11 @@ already configured.
change the transmit queue length of the device.
.TP
+.BI group " GROUP"
+.TP
+change the interface group identifier of the device.
+
+.TP
.BI mtu " NUMBER"
change the
.I MTU
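Review bot: The first added `.TP`, between `.BI group " GROUP"` and its description, makes the description line the tag of a new, empty entry and leaves the `group` entry without a body. Drop it so the sequence is `.TP`, the `.BI group " GROUP"` tag line, then the description, as in the neighbouring entries. The text should also say which values GROUP accepts, including names from /etc/iproute2/rt_ifgroup.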
--
1.5.2.5
^ permalink raw reply related [flat|nested] 30+ messages in thread
* Re: Resend: [IPROUTE2 PATCH] Interface group as new ip link option
2007-10-16 9:03 ` Laszlo Attila Toth
@ 2007-10-16 9:11 ` Patrick McHardy
0 siblings, 0 replies; 30+ messages in thread
From: Patrick McHardy @ 2007-10-16 9:11 UTC (permalink / raw)
To: Laszlo Attila Toth; +Cc: netdev, netfilter-devel
Laszlo Attila Toth wrote:
> +static int set_group(const char *dev, int ifgroup)
> +{
> + struct {
> + struct nlmsghdr n;
> + struct ifinfomsg ifi;
> + char buf[256];
> + } req;
> + struct rtnl_handle rth;
> +
> + memset(&req, 0, sizeof(req));
> + req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.ifi));
> + req.n.nlmsg_flags = NLM_F_REQUEST;
> + req.n.nlmsg_type = RTM_SETLINK;
> +
> + req.ifi.ifi_index = -1;
> +
> + addattr_l(&req.n, sizeof(req), IFLA_IFNAME, dev, strlen(dev)+1);
> + addattr_l(&req.n, sizeof(req), IFLA_IFGROUP, &ifgroup, sizeof(ifgroup));
> + if (rtnl_open(&rth, 0) < 0)
> + exit(1);
> + if (rtnl_talk(&rth, &req.n, 0, 0, NULL, NULL, NULL) < 0)
> + return -1;
> + rtnl_close(&rth);
> + return 0;
> +}
> +
> static int get_address(const char *dev, int *htype)
> {
> struct ifreq ifr;
> @@ -545,6 +582,7 @@ static int do_set(int argc, char **argv)
> __u32 mask = 0;
> __u32 flags = 0;
> int qlen = -1;
> + __u32 group = 0;
> int mtu = -1;
> char *newaddr = NULL;
> char *newbrd = NULL;
> @@ -577,6 +615,13 @@ static int do_set(int argc, char **argv)
> duparg("txqueuelen", *argv);
> if (get_integer(&qlen, *argv, 0))
> invarg("Invalid \"txqueuelen\" value\n", *argv);
> + } else if (matches(*argv, "group") == 0) {
> + NEXT_ARG();
> + if (group != 0)
> + duparg("group", *argv);
> +
> + if (rtnl_ifgroup_a2n(&group, *argv) || group == 0)
> + invarg("\"group\" value is invalid\n", *argv);
> } else if (strcmp(*argv, "mtu") == 0) {
> NEXT_ARG();
> if (mtu != -1)
> @@ -696,6 +741,10 @@ static int do_set(int argc, char **argv)
> return -1;
> }
> }
> + if (group) {
> + if (set_group(dev, group) < 0)
> + return -1;
> + }
This part looks useless, for new kernels iproute always uses netlink
to configure things and old kernels don't support this feature. So
there's no need to support it in the ioctl-based configuration path.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [IPROUTE2 PATCH] Interface group as new ip link option
2007-10-16 8:38 ` Patrick McHardy
@ 2007-10-16 9:33 ` Laszlo Attila Toth
0 siblings, 0 replies; 30+ messages in thread
From: Laszlo Attila Toth @ 2007-10-16 9:33 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netdev, netfilter-devel
Patrick McHardy wrote:
> Laszlo Attila Toth wrote:
>> diff --git a/man/man8/ip.8 b/man/man8/ip.8
>> index c74440a..8e6a9a3 100644
>> --- a/man/man8/ip.8
>> +++ b/man/man8/ip.8
>> @@ -511,6 +511,11 @@ already configured.
>> @@ -1835,3 +1840,6 @@ was written by Alexey N. Kuznetsov and added in
>> Linux 2.2.
>>
>> .SH AUTHOR
>> Original Manpage by Michail Litvak <mci@owl.openwall.com>
>> +.br
>> +Modified for ZorpOS by Tamas Pal <folti@balabit.hu>
>
>
> Did you really intend to include this?
>
I forgot to cut it off because in ZorpOS (v3.1, which is Sarge-based)
the manual page contains this part.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH 2/2] Interface group match - netfilter part
2007-10-16 8:30 ` Patrick McHardy
@ 2007-10-16 9:46 ` Laszlo Attila Toth
2007-10-16 14:46 ` Jan Engelhardt
2007-10-17 9:08 ` Laszlo Attila Toth
2 siblings, 0 replies; 30+ messages in thread
From: Laszlo Attila Toth @ 2007-10-16 9:46 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netdev, netfilter-devel
Patrick McHardy wrote:
> Laszlo Attila Toth wrote:
>> +static int match(const struct sk_buff *skb,
>> + const struct net_device *in,
>> + const struct net_device *out,
>> + const struct xt_match *match,
>> + const void *matchinfo,
>> + int offset,
>> + unsigned int protoff,
>> + int *hotdrop)
>> +{
>> + const struct xt_ifgroup_info *info = matchinfo;
>> +
>> + return ((in->ifgroup & info->mask) == info->group) ^ info->invert;
>
> The input interface is only valid in PREROUTING, INPUT and FORWARD.
> Why don't you support output-interface matching?
>
It has no specific reason. I'll make it with the other changes you
wrote. I'll send the iptables patch at the same time.
--
Attila
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH 0/2] Interface groups
2007-10-16 8:50 ` Philip Craig
@ 2007-10-16 9:47 ` Laszlo Attila Toth
0 siblings, 0 replies; 30+ messages in thread
From: Laszlo Attila Toth @ 2007-10-16 9:47 UTC (permalink / raw)
To: Philip Craig; +Cc: netdev, netfilter-devel
Philip Craig wrote:
> Laszlo Attila Toth wrote:
>> Hello,
>>
>> Different network interfaces can be grouped using the same group ID. With this
>> patch fewer netfilter rules are necessary but it may also be used by routing.
>
> This allows an interface to belong to only one group. I expect there are
> situations where you want more. eg you might want a group of all pptp
> connections, and another group of pptp connections for a subset of users.
With masked values it should work with only one group.
--
Attila
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: Resend: [IPROUTE2 PATCH] Interface group as new ip link option
[not found] ` <a6713ba13c49b7fa20073d8abf1862480c2799e0.1192457385.git.panther@balabit.hu>
` (3 preceding siblings ...)
2007-10-16 9:03 ` Laszlo Attila Toth
@ 2007-10-16 10:45 ` jamal
2007-10-16 11:05 ` Laszlo Attila Toth
4 siblings, 1 reply; 30+ messages in thread
From: jamal @ 2007-10-16 10:45 UTC (permalink / raw)
To: Laszlo Attila Toth; +Cc: netdev, netfilter-devel
On Tue, 2007-16-10 at 11:03 +0200, Laszlo Attila Toth wrote:
> Interfaces can be grouped and each group has a unique positive integer ID.
> It can be set via ip link.
Feature request: Can you also implement a get operation. Perhaps
something that returns from the kernel a list of ifindices when one
passes a group to it?
BTW, does it make sense to have one interface in multiple groups?
cheers,
jamal
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: Resend: [IPROUTE2 PATCH] Interface group as new ip link option
2007-10-16 10:45 ` jamal
@ 2007-10-16 11:05 ` Laszlo Attila Toth
2007-10-16 11:26 ` jamal
0 siblings, 1 reply; 30+ messages in thread
From: Laszlo Attila Toth @ 2007-10-16 11:05 UTC (permalink / raw)
To: hadi; +Cc: netdev, netfilter-devel
jamal wrote:
> On Tue, 2007-16-10 at 11:03 +0200, Laszlo Attila Toth wrote:
>> Interfaces can be grouped and each group has a unique positive integer ID.
>> It can be set via ip link.
>
> Feature request: Can you also implement a get operation. Perhaps
> something that returns from the kernel a list of ifindices when one
> passes a group to it?
That sounds great but for what would you like to use? It may help me
for the implementation. Currently it is not available since the
net_device structure holds the group id and for this get operation an
iteration (of net_devices) may be necessary...
>
> BTW, does it make sense to have one interface in multiple groups?
We didn't want to use multiple groups in favour of masked group ids.
What kind of usage needs other implementation?
--
Attila
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: Resend: [IPROUTE2 PATCH] Interface group as new ip link option
2007-10-16 11:05 ` Laszlo Attila Toth
@ 2007-10-16 11:26 ` jamal
2007-10-16 11:47 ` Laszlo Attila Toth
0 siblings, 1 reply; 30+ messages in thread
From: jamal @ 2007-10-16 11:26 UTC (permalink / raw)
To: panther; +Cc: netdev, netfilter-devel
On Tue, 2007-16-10 at 13:05 +0200, Laszlo Attila Toth wrote:
> That sounds great but for what would you like to use? It may help me
> for the implementation.
For example i may want to add a tc rule to a group of interfaces.
tc BNF roughly looks like:
tc <object> <operation> <target>
Where target is := <dev devname>
It may be useful to extend "target" to include alternatively a group of
devices.
The way i would see that done is to add a little wrapper to tc to first
ask the kernel for a list of interfaces and then invoke each with the
equivalent of current syntax.
Did that make sense?
> Currently it is not available since the
> net_device structure holds the group id and for this get operation an
> iteration (of net_devices) may be necessary...
I understand - but i would rather do the iteration in the kernel than in
user space and save myself a gazillion netlink messages.
> We didn't want to use multiple groups in favour of masked group ids.
> What kind of usage needs other implementation?
Same lazyperson use cases as above; in one case i may want to set a rule
to group = {eth0, eth1, eth10} and in another {eth0,eth5}. I realize
this may be more involved something clever for an implementation (eg
using a bitmap instead of a straight int) - so if it not a simple thing,
just defer it to some later time.
Ok, now that you are asking, here's another one feature request for
you;-> It would be nice if i can set a group based on a regular
expression of a devices name; eg "ppp*". Use case for this, off top of
my head (without looking at your syntax):
ip set group 10 ppp*
And equivalent to "ifconfig ppp*" so i don't list 10K interfaces
ip list group 10 or pass any 5K messages to user space
cheers,
jamal
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: Resend: [IPROUTE2 PATCH] Interface group as new ip link option
2007-10-16 11:26 ` jamal
@ 2007-10-16 11:47 ` Laszlo Attila Toth
2007-10-16 12:08 ` jamal
0 siblings, 1 reply; 30+ messages in thread
From: Laszlo Attila Toth @ 2007-10-16 11:47 UTC (permalink / raw)
To: hadi; +Cc: netdev, netfilter-devel
jamal wrote:
> On Tue, 2007-16-10 at 13:05 +0200, Laszlo Attila Toth wrote:
>
>> That sounds great but for what would you like to use? It may help me
>> for the implementation.
>
> For example i may want to add a tc rule to a group of interfaces.
> tc BNF roughly looks like:
> tc <object> <operation> <target>
>
> Where target is := <dev devname>
> It may be useful to extend "target" to include alternatively a group of
> devices.
Ok, I see.
>
>> Currently it is not available since the
>> net_device structure holds the group id and for this get operation an
>> iteration (of net_devices) may be necessary...
>
> I understand - but i would rather do the iteration in the kernel than in
> user space and save myself a gazillion netlink messages.
You are right - that's faster in the kernel and useless to move it to
userspace.
>
>> We didn't want to use multiple groups in favour of masked group ids.
>> What kind of usage needs other implementation?
>
> Same lazyperson use cases as above; in one case i may want to set a rule
> to group = {eth0, eth1, eth10} and in another {eth0,eth5}. I realize
> this may be more involved something clever for an implementation (eg
> using a bitmap instead of a straight int) - so if it not a simple thing,
> just defer it to some later time.
Hm, the main problem (for me) is that it requires more than one value
per net device and it should be limited. But if I say it is 5 for
instance, anyone can say it is not enough for him.
>
> Ok, now that you are asking, here's another one feature request for
> you;-> It would be nice if i can set a group based on a regular
> expression of a devices name; eg "ppp*". Use case for this, off top of
> my head (without looking at your syntax):
>
> ip set group 10 ppp*
ip link set ppp0 group 10
also if "ip link set..." works for multiple interfaces it is already
done. If it is not, it will affect positively all other settings :)
--
Attila
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: Resend: [IPROUTE2 PATCH] Interface group as new ip link option
2007-10-16 11:47 ` Laszlo Attila Toth
@ 2007-10-16 12:08 ` jamal
0 siblings, 0 replies; 30+ messages in thread
From: jamal @ 2007-10-16 12:08 UTC (permalink / raw)
To: panther; +Cc: netdev, netfilter-devel
On Tue, 2007-16-10 at 13:47 +0200, Laszlo Attila Toth wrote:
> Hm, the main problem (for me) is that it requires more than one value
> per net device and it should be limited. But if I say it is 5 for
> instance, anyone can say it is not enough for him.
Yes, those pesky humans, you give them an inch and they want a mile ;->
I think 32 for example is better than 1. So if you use a u32 variable
doesn't pollute the netdevice that much - and used as a bitmap, then
setting any of the 32 bits implies the device is in that group. This of
course limits the group ids to be (1..32). Your mileage may vary.
> ip link set ppp0 group 10
> also if "ip link set..." works for multiple interfaces it is already
> done. If it is not, it will affect positively all other settings :)
nice.
The part that is not very useful today with ifconfig or ip link ls is i
have only two choices: Either i ask for all devices or for one; i can't
ask for something in the middle. If i can group them together then i can
solve that problem with some user space plumbing (which avoids 10K
netlink messages).
"get ppp*" may actually be a totally separate call which also traverses
the list in the kernel and just returns the matching devices.
cheers,
jamal
^ permalink raw reply [flat|nested] 30+ messages in thread
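The two designs discussed above (one masked group ID per device versus a u32 bitmap of group memberships), worked through as an added example that is not code from the thread or from either patch. `ifgroup_match()` repeats the expression from the quoted match(); the nibble layout, device names and group values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same test as the quoted match(): ((ifgroup & mask) == group) ^ invert. */
static int ifgroup_match(uint32_t ifgroup, uint32_t group, uint32_t mask, int invert)
{
    return ((ifgroup & mask) == group) ^ invert;
}

/* Bitmap proposal from the thread: bit (id - 1) set means "member of group id", ids 1..32. */
static int bitmap_member(uint32_t bitmap, unsigned id)
{
    if (id < 1 || id > 32)
        return 0;
    return (bitmap >> (id - 1)) & 1u;
}

/* The same membership test written as a masked match with a one-bit mask. */
static int bitmap_member_via_mask(uint32_t bitmap, unsigned id)
{
    uint32_t bit;

    if (id < 1 || id > 32)
        return 0;
    bit = UINT32_C(1) << (id - 1);
    return ifgroup_match(bitmap, bit, bit, 0);
}

/* How many independent flag bits fit below a cap on the settable value. */
static unsigned usable_flag_bits(uint32_t max_value)
{
    unsigned n = 0;

    while (n < 32 && (UINT32_C(1) << n) <= max_value)
        n++;
    return n;
}

struct dev {
    const char *name;
    uint32_t ifgroup;
};

/* Constructed layout 1: high nibble = class (0x1 = pptp), low nibble = user subset. */
static const struct dev nested_devs[] = {
    { "ppp0", 0x10 },   /* pptp, ordinary user */
    { "ppp1", 0x11 },   /* pptp, staff subset  */
    { "ppp2", 0x11 },   /* pptp, staff subset  */
    { "eth0", 0x20 },   /* not pptp            */
};

/* Constructed layout 2: each bit is one set, so sets may overlap:
 * set 1 = {eth0, eth1, eth10}, set 2 = {eth0, eth5}. */
static const struct dev flag_devs[] = {
    { "eth0",  0x03 },
    { "eth1",  0x01 },
    { "eth10", 0x01 },
    { "eth5",  0x02 },
};

/* Number of devices a rule with (group, mask, invert) selects. */
static int count_matches(const struct dev *devs, size_t n,
                         uint32_t group, uint32_t mask, int invert)
{
    int hits = 0;
    size_t i;

    for (i = 0; i < n; i++)
        hits += ifgroup_match(devs[i].ifgroup, group, mask, invert);
    return hits;
}

int main(void)
{
    printf("all pptp:        %d\n", count_matches(nested_devs, 4, 0x10, 0xf0, 0));
    printf("pptp staff only: %d\n", count_matches(nested_devs, 4, 0x11, 0xff, 0));
    printf("everything else: %d\n", count_matches(nested_devs, 4, 0x10, 0xf0, 1));
    printf("set 1 members:   %d\n", count_matches(flag_devs, 4, 0x01, 0x01, 0));
    printf("set 2 members:   %d\n", count_matches(flag_devs, 4, 0x02, 0x02, 0));
    /* The posted rtnl_ifgroup_a2n() rejects values above 255. */
    printf("flag bits settable through ip: %u\n", usable_flag_bits(255));
    return 0;
}
```

A one-bit mask turns the masked match into the bitmap test, so the single-value design can express overlapping sets as long as the administrator allocates bits; the `res > 255` limit in the posted `rtnl_ifgroup_a2n()` leaves eight such bits.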
* Re: [PATCH 2/2] Interface group match - netfilter part
2007-10-16 8:30 ` Patrick McHardy
2007-10-16 9:46 ` Laszlo Attila Toth
@ 2007-10-16 14:46 ` Jan Engelhardt
2007-10-17 9:08 ` Laszlo Attila Toth
2 siblings, 0 replies; 30+ messages in thread
From: Jan Engelhardt @ 2007-10-16 14:46 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Laszlo Attila Toth, netdev, netfilter-devel
On Oct 16 2007 10:30, Patrick McHardy wrote:
>> +static int match(const struct sk_buff *skb,
Potential symbol clash, name it ifgroup_match() for example.
>> + const struct net_device *in,
>> + const struct net_device *out,
>> + const struct xt_match *match,
>> + const void *matchinfo,
>> + int offset,
>> + unsigned int protoff,
>> + int *hotdrop)
2.6.23 => bool ifgroup_match(... bool *hotdrop)
>> +static struct xt_match ifgroup_match = {
>> + .name = "ifgroup",
>> + .match = match,
>> + .matchsize = sizeof(struct xt_ifgroup_info),
>> + .family = AF_INET,
>> + .me = THIS_MODULE,
>> +};
>> +
>> +static struct xt_match ifgroup6_match = {
>> + .name = "ifgroup",
>> + .match = match,
>> + .matchsize = sizeof(struct xt_ifgroup_info),
>> + .family = AF_INET6,
>> + .me = THIS_MODULE,
>> +};
>
> __read_mostly
And actually, an array,
static struct xt_match ifgroup_match[] __read_mostly = {
...
}
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH 2/2] Interface group match - netfilter part
2007-10-16 8:30 ` Patrick McHardy
2007-10-16 9:46 ` Laszlo Attila Toth
2007-10-16 14:46 ` Jan Engelhardt
@ 2007-10-17 9:08 ` Laszlo Attila Toth
2007-10-17 9:11 ` Patrick McHardy
2 siblings, 1 reply; 30+ messages in thread
From: Laszlo Attila Toth @ 2007-10-17 9:08 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netdev, netfilter-devel
Patrick McHardy wrote:
> Laszlo Attila Toth wrote:
>> +static int match(const struct sk_buff *skb,
>> + const struct net_device *in,
>> + const struct net_device *out,
>> + const struct xt_match *match,
>> + const void *matchinfo,
>> + int offset,
>> + unsigned int protoff,
>> + int *hotdrop)
>> +{
>> + const struct xt_ifgroup_info *info = matchinfo;
>> +
>> + return ((in->ifgroup & info->mask) == info->group) ^ info->invert;
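Review bot: `in->ifgroup` in the return statement is dereferenced unconditionally, but, as the reply below points out, the input device is only valid in PREROUTING, INPUT and FORWARD, and the xt_match registrations quoted earlier in this thread set no `.hooks` mask, so a rule placed in OUTPUT or POSTROUTING would dereference a missing device pointer. Restrict the match with `.hooks` or test the pointer before use. `info->invert` is also XORed as-is; validate it or normalise it with `!!info->invert`, otherwise a value other than 0 or 1 makes the result truthy regardless of the comparison.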
>
> The input interface is only valid in PREROUTING, INPUT and FORWARD.
> Why don't you support output-interface matching?
>
The new version supports output-interface, currently I'm rewriting
iptables part. But I'm not sure what to do with the forward chain
because both input and output interface are valid here. My idea is that
the ifgroup_match function checks ifgroup values of both input and
output interfaces if they are set. An example:
iptables -A FORWARD -m ifgroup --in-ifgroup 4 --out-ifgroup 5/0x0f -j ACCEPT
The packet's input interface must be in group 4 and output interface
must be in group 5 but only lower 4 bits are checked. If one of these
assumptions fails the match fails.
Is it ok, or only one of them should be checked as in xt_policy: if
input side matches, other one is not checked?
--
Attila
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH 2/2] Interface group match - netfilter part
2007-10-17 9:08 ` Laszlo Attila Toth
@ 2007-10-17 9:11 ` Patrick McHardy
0 siblings, 0 replies; 30+ messages in thread
From: Patrick McHardy @ 2007-10-17 9:11 UTC (permalink / raw)
To: panther; +Cc: netdev, netfilter-devel
Laszlo Attila Toth wrote:
> Patrick McHardy wrote:
>
>> The input interface is only valid in PREROUTING, INPUT and FORWARD.
>> Why don't you support output-interface matching?
>>
>
> The new version supports output-interface, currently I'm rewriting
> iptables part. But I'm not sure what to do with the forward chain
> because both input and output interface are valid here. My idea is that
> the ifgroup_match function checks ifgroup values of both input and
> output interfaces if they are set. An example:
>
> iptables -A FORWARD -m ifgroup --in-ifgroup 4 --out-ifgroup 5/0x0f -j
> ACCEPT
>
> The packet's input interface must be in group 4 and output interface
> must be in group 5 but only lower 4 bits are checked. If one of these
> assumptions fails the match fails.
>
> Is it ok, or only one of them should be checked as in xt_policy: if
> input side matches, other one is not checked?
xt_policy is a special case because the policy structure is so
large I decided the user should better use the match twice if
he really needs it (it's also a quite uncommon use). For the
ifgroup match I think it should behave exactly as the -i and -o
matches: allow matching both in FORWARD, input device in
PREROUTING and INPUT and output device in OUTPUT and POSTROUTING.
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 30+ messages in thread
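The behaviour agreed in the two messages above (match like -i and -o: input device in PREROUTING and INPUT, output device in OUTPUT and POSTROUTING, both in FORWARD), combined with the masked comparison from the patch, as a userspace C model. This is an added example, not code from the patch or the kernel; `struct dev`, `struct side`, `struct ifgroup_rule`, the `HK_*` enum and all function names are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed userspace stand-ins, not the kernel's or the patch's types. */
struct dev { uint32_t ifgroup; };
struct side { bool used, invert; uint32_t group, mask; };
struct ifgroup_rule { struct side in, out; };      /* hypothetical layout */
enum hook { HK_PREROUTING, HK_INPUT, HK_FORWARD, HK_OUTPUT, HK_POSTROUTING };

/* Which device a hook supplies, as stated in the thread for -i and -o. */
static bool hook_has_in(enum hook h)
{
    return h == HK_PREROUTING || h == HK_INPUT || h == HK_FORWARD;
}
static bool hook_has_out(enum hook h)
{
    return h == HK_FORWARD || h == HK_OUTPUT || h == HK_POSTROUTING;
}

/* Insert-time check: reject a rule that tests a device the hook never has. */
bool rule_valid_for_hook(const struct ifgroup_rule *r, enum hook h)
{
    if (r->in.used && !hook_has_in(h))
        return false;
    if (r->out.used && !hook_has_out(h))
        return false;
    return r->in.used || r->out.used;
}

static bool side_match(const struct side *s, const struct dev *d)
{
    if (!s->used)
        return true;            /* side not requested: no constraint */
    if (d == NULL)
        return false;           /* missing device: fail, never dereference */
    return ((d->ifgroup & s->mask) == s->group) != s->invert;
}

/* Packet-time check: every requested side must match. */
bool ifgroup_rule_match(const struct ifgroup_rule *r,
                        const struct dev *in, const struct dev *out)
{
    return side_match(&r->in, in) && side_match(&r->out, out);
}

/* The FORWARD rule from the thread: --in-ifgroup 4 --out-ifgroup 5/0x0f */
struct ifgroup_rule forward_example_rule(void)
{
    return (struct ifgroup_rule){
        .in  = { true, false, 4, 0xffffffffu },
        .out = { true, false, 5, 0x0fu },
    };
}
```

The insert-time check and the NULL test in `side_match()` are two independent layers: the first keeps such a rule out of a chain that lacks the device, the second keeps a missing pointer from being dereferenced if a rule gets there anyway.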
* [PATCH 1/2] Interface group: core (netlink) part
[not found] ` <4e88bea1c0065fada9181e9b668a91c6c3fd8796.1192695706.git.panther@balabit.hu>
2007-10-18 10:15 ` [PATCH 1/2] Interface group: core (netlink) part Laszlo Attila Toth
@ 2007-10-18 10:15 ` Laszlo Attila Toth
2007-10-18 10:22 ` Patrick McHardy
1 sibling, 1 reply; 30+ messages in thread
From: Laszlo Attila Toth @ 2007-10-18 10:15 UTC (permalink / raw)
To: netdev, netfilter-devel; +Cc: Laszlo Attila Toth
Interface groups let you handle different interfaces together,
especially in netfilter modules.
Modified net device structure and netlink interface.
Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
include/linux/if_link.h | 2 ++
include/linux/netdevice.h | 2 ++
net/core/rtnetlink.c | 10 ++++++++++
3 files changed, 14 insertions(+), 0 deletions(-)
diff --git a/include/linux/if_link.h b/include/linux/if_link.h
index 422084d..d9f1726 100644
--- a/include/linux/if_link.h
+++ b/include/linux/if_link.h
@@ -78,6 +78,8 @@ enum
IFLA_LINKMODE,
IFLA_LINKINFO,
#define IFLA_LINKINFO IFLA_LINKINFO
+ IFLA_IFGROUP,
+#define IFLA_IFGROUP IFLA_IFGROUP
__IFLA_MAX
};
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index e679b27..c489a20 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -365,6 +365,8 @@ struct net_device
/* Interface index. Unique device identifier */
int ifindex;
int iflink;
+ /* interface group this interface belongs to */
+ u_int32_t ifgroup;
struct net_device_stats* (*get_stats)(struct net_device *dev);
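Review bot: the comment on `ifgroup` does not say whether the value is a single ID or a set of bits, while the netfilter match in this series compares it under a mask; document the intended semantics and the meaning of 0 at the field. `u32` would also fit kernel-internal type style better than `u_int32_t`.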
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 4756d58..bbe4a98 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -608,6 +608,7 @@ static inline size_t if_nlmsg_size(const struct net_device *dev)
+ nla_total_size(4) /* IFLA_MTU */
+ nla_total_size(4) /* IFLA_LINK */
+ nla_total_size(4) /* IFLA_MASTER */
+ + nla_total_size(4) /* IFLA_IFGROUP */
+ nla_total_size(1) /* IFLA_OPERSTATE */
+ nla_total_size(1) /* IFLA_LINKMODE */
+ rtnl_link_get_size(dev); /* IFLA_LINKINFO */
@@ -646,6 +647,9 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
if (dev->master)
NLA_PUT_U32(skb, IFLA_MASTER, dev->master->ifindex);
+ if (dev->ifgroup)
+ NLA_PUT_U32(skb, IFLA_IFGROUP, dev->ifgroup);
+
if (dev->qdisc_sleeping)
NLA_PUT_STRING(skb, IFLA_QDISC, dev->qdisc_sleeping->ops->id);
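Review bot: `if (dev->ifgroup)` leaves IFLA_IFGROUP out of the message whenever the group is 0, so a listener cannot tell "group 0" from a kernel that lacks the attribute, even though if_nlmsg_size() reserves the space unconditionally. Emitting the attribute always would make dumps self-describing.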
@@ -846,6 +850,12 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
write_unlock_bh(&dev_base_lock);
}
+ if (tb[IFLA_IFGROUP]) {
+ write_lock_bh(&dev_base_lock);
+ dev->ifgroup = nla_get_u32(tb[IFLA_IFGROUP]);
+ write_unlock_bh(&dev_base_lock);
+ }
+
err = 0;
errout:
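Review bot: `nla_get_u32(tb[IFLA_IFGROUP])` reads four bytes from an attribute whose length nothing in this patch validates: none of the three rtnetlink.c hunks adds an IFLA_IFGROUP entry to the attribute policy, so a shorter attribute sent from userspace would be read past its payload. Add an NLA_U32 policy entry for it. The store also triggers no notification, so listeners do not learn that the group changed.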
--
1.5.2.5
^ permalink raw reply related [flat|nested] 30+ messages in thread
* Re: [PATCH 1/2] Interface group: core (netlink) part
2007-10-18 10:15 ` Laszlo Attila Toth
@ 2007-10-18 10:22 ` Patrick McHardy
2007-10-19 8:57 ` Laszlo Attila Toth
0 siblings, 1 reply; 30+ messages in thread
From: Patrick McHardy @ 2007-10-18 10:22 UTC (permalink / raw)
To: Laszlo Attila Toth; +Cc: netdev, netfilter-devel
Laszlo Attila Toth wrote:
> @@ -846,6 +850,12 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
> write_unlock_bh(&dev_base_lock);
> }
>
> + if (tb[IFLA_IFGROUP]) {
> + write_lock_bh(&dev_base_lock);
> + dev->ifgroup = nla_get_u32(tb[IFLA_IFGROUP]);
> + write_unlock_bh(&dev_base_lock);
> + }
So no notifications at all? Mhh .. I guess it's OK for now, this stuff
needs to be fixed to notify once for all changes anyway.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [PATCH 1/2] Interface group: core (netlink) part
2007-10-18 10:22 ` Patrick McHardy
@ 2007-10-19 8:57 ` Laszlo Attila Toth
0 siblings, 0 replies; 30+ messages in thread
From: Laszlo Attila Toth @ 2007-10-19 8:57 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netdev, netfilter-devel
Patrick McHardy wrote:
> Laszlo Attila Toth wrote:
>> @@ -846,6 +850,12 @@ static int do_setlink(struct net_device *dev,
>> struct ifinfomsg *ifm,
>> write_unlock_bh(&dev_base_lock);
>> }
>>
>> + if (tb[IFLA_IFGROUP]) {
>> + write_lock_bh(&dev_base_lock);
>> + dev->ifgroup = nla_get_u32(tb[IFLA_IFGROUP]);
>> + write_unlock_bh(&dev_base_lock);
>> + }
>
>
> So no notifications at all? Mhh .. I guess it's OK for now, this stuff
> needs to be fixed to notify once for all changes anyway.
>
I'll resend the following patch with the new ifgroup patches. The
current changes: changes are now atomic and a notification will be sent
later at the end of the function. If an address was changed, a
notification will be sent and after that another which is always sent
when any modification happened.
This patch may not be complete.
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 4756d58..87ab3ff 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -819,6 +819,7 @@ static int do_setlink(struct net_device *dev, struct
ifinfomsg *ifm,
if (tb[IFLA_BROADCAST]) {
nla_memcpy(dev->broadcast, tb[IFLA_BROADCAST],
dev->addr_len);
send_addr_notify = 1;
+ modified = 1;
}
if (ifm->ifi_flags || ifm->ifi_change) {
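Review bot: `modified = 1;` is assigned here and in the following hunks, but no hunk in this patch declares `modified`; add `int modified = 0;` alongside the declaration of `send_addr_notify` at the top of do_setlink().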
@@ -829,21 +830,35 @@ static int do_setlink(struct net_device *dev,
struct ifinfomsg *ifm,
flags = (flags & ifm->ifi_change) |
(dev->flags & ~ifm->ifi_change);
dev_change_flags(dev, flags);
+ modified = 1;
}
- if (tb[IFLA_TXQLEN])
+ if (tb[IFLA_TXQLEN]) {
+ write_lock_bh(&dev_base_lock);
dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
+ write_unlock_bh(&dev_base_lock);
+ modified = 1;
+ }
- if (tb[IFLA_WEIGHT])
+ if (tb[IFLA_WEIGHT]) {
+ write_lock_bh(&dev_base_lock);
dev->weight = nla_get_u32(tb[IFLA_WEIGHT]);
+ write_unlock_bh(&dev_base_lock);
+ modified = 1;
+ }
- if (tb[IFLA_OPERSTATE])
+ if (tb[IFLA_OPERSTATE]) {
+ write_lock_bh(&dev_base_lock);
set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
+ write_unlock_bh(&dev_base_lock);
+ modified = 1;
+ }
if (tb[IFLA_LINKMODE]) {
write_lock_bh(&dev_base_lock);
dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
write_unlock_bh(&dev_base_lock);
+ modified = 1;
}
err = 0;
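Review bot: each attribute takes and releases `dev_base_lock` on its own, so a request that sets several attributes is still visible to readers half-applied, which is not the atomic update the message text describes. `set_operstate()` is also the only one of these that is a function call rather than a field store; confirm it neither takes `dev_base_lock` nor calls notifiers itself before wrapping it in `write_lock_bh()`, otherwise this path self-deadlocks.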
@@ -857,6 +872,8 @@ errout:
if (send_addr_notify)
call_netdevice_notifiers(NETDEV_CHANGEADDR, dev);
+ if (modified)
+ rtmsg_ifinfo(RTM_NEWLINK, dev, 0)
return err;
}
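Review bot: `rtmsg_ifinfo(RTM_NEWLINK, dev, 0)` is missing its terminating semicolon, so the file will not compile. The call also sits after `errout:`, so it fires on error paths once any earlier attribute was applied; if that is intended, say so in a comment.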
^ permalink raw reply related [flat|nested] 30+ messages in thread