From: Hans Dedecker
Date: Mon, 28 Sep 2015 06:51:06 +0000 (+0200)
Subject: interface-ip: Re-enable iif lo policy rules after main table lookup
X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=97542f03f2c6750dc454b660c6c6331ba9377506;p=project%2Fnetifd.git

interface-ip: Re-enable iif lo policy rules after main table lookup
---

diff --git a/interface-ip.c b/interface-ip.c
index a177557..51a44ac 100644
--- a/interface-ip.c
+++ b/interface-ip.c
@@ -133,6 +133,23 @@ static int set_ip_source_policy(bool add, bool v6, unsigned int priority,
 	return (add) ? system_add_iprule(&rule) : system_del_iprule(&rule);
 }
 
+static int set_ip_lo_policy(bool add, bool v6, struct interface *iface)
+{
+	struct iprule rule = {
+		.flags = IPRULE_IN | IPRULE_LOOKUP | IPRULE_PRIORITY,
+		.priority = IPRULE_PRIORITY_NW + iface->l3_dev.dev->ifindex,
+		.lookup = (v6) ? iface->ip6table : iface->ip4table,
+		.in_dev = "lo"
+	};
+
+	if (!rule.lookup)
+		return 0;
+
+	rule.flags |= (v6) ? IPRULE_INET6 : IPRULE_INET4;
+
+	return (add) ? system_add_iprule(&rule) : system_del_iprule(&rule);
+}
+
 static bool __find_ip_addr_target(struct interface_ip_settings *ip,
 				  union if_addr *a, bool v6)
 {
@@ -1283,9 +1300,13 @@ void interface_ip_set_enabled(struct interface_ip_settings *ip, bool enabled)
 		if (!strcmp(a->name, ip->iface->name))
 			interface_set_prefix_address(a, c, ip->iface, enabled);
 
-	if (ip->iface && ip->iface->l3_dev.dev)
+	if (ip->iface && ip->iface->l3_dev.dev) {
+		set_ip_lo_policy(enabled, true, ip->iface);
+		set_ip_lo_policy(enabled, false, ip->iface);
+
 		set_ip_source_policy(enabled, true, IPRULE_PRIORITY_REJECT + ip->iface->l3_dev.dev->ifindex,
 			NULL, 0, 0, ip->iface, "failed_policy");
+	}
 }
 
 void
diff --git a/iprule.h b/iprule.h
index e1ac84b..ea87193 100644
--- a/iprule.h
+++ b/iprule.h
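Review bot: set_ip_lo_policy dereferences iface->l3_dev.dev->ifindex in the designated initializer before any check, so it is only safe because the sole caller in interface_ip_set_enabled (second hunk) guards on ip->iface->l3_dev.dev; that precondition and the table-0 sentinel deserve a header comment, e.g. `/* Add or remove the "iif lo" rule that sends locally generated traffic to iface's v4/v6 table; no-op when that table is 0 (unset). Caller must ensure iface->l3_dev.dev is set. */`. The ip4table/ip6table and ifindex values are re-read on the disable path, so if either changes between the add and the del, the delete targets a different rule and the earlier one stays installed; presumably the interface is always torn down before it is reconfigured, but that is worth confirming. In the second hunk both set_ip_lo_policy calls discard the return value, as the existing set_ip_source_policy call already does, so a failed rule install on enable is silent and leaves no trace in the log.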
@@ -18,7 +18,7 @@
 #include "interface-ip.h"
 
 #define IPRULE_PRIORITY_ADDR 10000
-#define IPRULE_PRIORITY_NW 20000
+#define IPRULE_PRIORITY_NW 90000
 #define IPRULE_PRIORITY_REJECT 4200000000
 
 enum iprule_flags {
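Review bot: The new IPRULE_PRIORITY_NW value is what makes the iif lo rules sort after the kernel's default main-table rule (priority 32766), which is the whole point of the commit, yet nothing in iprule.h records that constraint, so a later edit could move it back below 32766 without anyone noticing; add a comment on the define, e.g. `/* must exceed the kernel's default main/default rule priorities (32766/32767) so rules built on it are consulted only after the main table */`. Because the macro is shared, every other rule derived from IPRULE_PRIORITY_NW in interface-ip.c moves with it; if such callers exist, it may be worth confirming that the ordering change is intended for them as well.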