iprule: support for ip_proto, sport and dport match options

add support to match on ip_proto, sport and dport ranges. For ip_proto, this patch currently enumerates, tcp, udp and sctp. This list can be extended in the future. example: $ip rule add sport 666-777 dport 999 ip_proto tcp table 100 $ip rule show 0: from all lookup local 32765: from all ip_proto 6 sport 666-777 dport 999 lookup 100 32766: from all lookup main 32767: from all lookup default Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com> Signed-off-by: David Ahern <dsahern@gmail.com>
2025-10-04 23:36:47 +00:00 · 2018-03-08 10:06:47 -08:00 · 2018-03-08 10:06:47 -08:00 · f686f76468
commit f686f76468
parent e93d922123
2 changed files with 98 additions and 1 deletions
--- a/ip/iprule.c
+++ b/ip/iprule.c
@ -47,6 +47,9 @@ static void usage(void)
 		"SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ]\n"
 		"            [ iif STRING ] [ oif STRING ] [ pref NUMBER ] [ l3mdev ]\n"
 		"            [ uidrange NUMBER-NUMBER ]\n"
+		"            [ ipproto PROTOCOL ]\n"
+		"            [ sport [ NUMBER | NUMBER-NUMBER ]\n"
+		"            [ dport [ NUMBER | NUMBER-NUMBER ] ]\n"
 		"ACTION := [ table TABLE_ID ]\n"
 		"          [ protocol PROTO ]\n"
 		"          [ nat ADDRESS ]\n"
@ -306,6 +309,37 @@ int print_rule(const struct sockaddr_nl *who, struct nlmsghdr *n, void *arg)
 		print_uint(PRINT_ANY, "uid_end", "-%u ", r->end);
 	}

+	if (tb[FRA_IP_PROTO]) {
+		SPRINT_BUF(pbuf);
+		print_string(PRINT_ANY, "ipproto", "ipproto %s ",
+			     inet_proto_n2a(rta_getattr_u8(tb[FRA_IP_PROTO]),
+					    pbuf, sizeof(pbuf)));
+	}
+
+	if (tb[FRA_SPORT_RANGE]) {
+		struct fib_rule_port_range *r = RTA_DATA(tb[FRA_SPORT_RANGE]);
+
+		if (r->start == r->end) {
+			print_uint(PRINT_ANY, "sport", "sport %u ", r->start);
+		} else {
+			print_uint(PRINT_ANY, "sport_start", "sport %u",
+				   r->start);
+			print_uint(PRINT_ANY, "sport_end", "-%u ", r->end);
+		}
+	}
+
+	if (tb[FRA_DPORT_RANGE]) {
+		struct fib_rule_port_range *r = RTA_DATA(tb[FRA_DPORT_RANGE]);
+
+		if (r->start == r->end) {
+			print_uint(PRINT_ANY, "dport", "dport %u ", r->start);
+		} else {
+			print_uint(PRINT_ANY, "dport_start", "dport %u",
+				   r->start);
+			print_uint(PRINT_ANY, "dport_end", "-%u ", r->end);
+		}
+	}
+
 	table = frh_get_table(frh, tb);
 	if (table) {
 		print_string(PRINT_ANY, "table",
@ -802,6 +836,39 @@ static int iprule_modify(int cmd, int argc, char **argv)
 			addattr32(&req.n, sizeof(req), RTA_GATEWAY,
 				  get_addr32(*argv));
 			req.frh.action = RTN_NAT;
+		} else if (strcmp(*argv, "ipproto") == 0) {
+			int ipproto;
+
+			NEXT_ARG();
+			ipproto = inet_proto_a2n(*argv);
+			if (ipproto < 0)
+				invarg("Invalid \"ipproto\" value\n",
+				       *argv);
+			addattr8(&req.n, sizeof(req), FRA_IP_PROTO, ipproto);
+		} else if (strcmp(*argv, "sport") == 0) {
+			struct fib_rule_port_range r;
+			int ret = 0;
+
+			NEXT_ARG();
+			ret = sscanf(*argv, "%hu-%hu", &r.start, &r.end);
+			if (ret == 1)
+				r.end = r.start;
+			else if (ret != 2)
+				invarg("invalid port range\n", *argv);
+			addattr_l(&req.n, sizeof(req), FRA_SPORT_RANGE, &r,
+				  sizeof(r));
+		} else if (strcmp(*argv, "dport") == 0) {
+			struct fib_rule_port_range r;
+			int ret = 0;
+
+			NEXT_ARG();
+			ret = sscanf(*argv, "%hu-%hu", &r.start, &r.end);
+			if (ret == 1)
+				r.end = r.start;
+			else if (ret != 2)
+				invarg("invalid dport range\n", *argv);
+			addattr_l(&req.n, sizeof(req), FRA_DPORT_RANGE, &r,
+				  sizeof(r));
 		} else {
 			int type;

--- a/man/man8/ip-rule.8
+++ b/man/man8/ip-rule.8
@ -44,7 +44,19 @@ ip-rule \- routing policy database management
 .IR STRING " ] [ "
 .B  pref
 .IR NUMBER " ] [ "
-.BR l3mdev " ]"
+.IR l3mdev " ] [ "
+.B uidrange
+.IR NUMBER "-" NUMBER " ] [ "
+.B ipproto
+.IR PROTOCOL " ] [ "
+.BR sport " [ "
+.IR NUMBER " | "
+.IR NUMBER "-" NUMBER " ] ] [ "
+.BR dport " [ "
+.IR NUMBER " | "
+.IR NUMBER "-" NUMBER " ] ]"
+.BR
+

 .ti -8
 .IR ACTION " := [ "
@ -226,6 +238,24 @@ select the
 .B fwmark
 value to match.

+.TP
+.BI uidrange " NUMBER-NUMBER"
+select the
+.B uid
+value to match.
+
+.TP
+.BI ipproto " PROTOCOL"
+select the ip protocol value to match.
+
+.TP
+.BI sport " NUMBER | NUMBER-NUMBER"
+select the source port value to match. supports port range.
+
+.TP
+.BI dport " NUMBER | NUMBER-NUMBER"
+select the destination port value to match. supports port range.
+
 .TP
 .BI priority " PREFERENCE"
 the priority of this rule.