AMPR-Rip44
view release on metacpan or search on metacpan
#
# Version history:
#
# see Changes
# Things to do in the future:
#
# - proper logging to syslog
# - support for better authentication, if one would be supported
# - support for multiple RIP masters, to fix the single point of failure
#
use strict;
use warnings;
use IO::Socket::Multicast;
use Getopt::Std;
use constant {
RIP_HDR_LEN => 4,
RIP_ENTRY_LEN => 2+2+4*4,
RIP_CMD_REQUEST => 1,
RIP_CMD_RESPONSE => 2,
RIP_AUTH_PASSWD => 2,
AF_INET => 2,
};
my $rip_passwd;
my $tunnel_if = 'tunl0';
my $routebin = '/sbin/ip';
my $ifconfig = '/sbin/ifconfig';
my $verbose = 0;
# Local gateway addresses (whose routes are skipped)
my %my_addresses;
# Allowed route destination networks
my $net_44_regexp = '^44\.';
# We do not accept routes less specific than /15
my $minimum_prefix_len = 15;
# tcp window to set
my $tcp_window = 840;
# time (in seconds) to use routes which are no longer advertised
# - this is set to a large value, so that if the rip advertisements
# from mirrorshades stop, the network won't go down right away.
my $route_ttl = 7*24*60*60;
my %current_routes;
my $me = 'rip44d';
my $VERSION = '1.1';
# help and version texts
$Getopt::Std::STANDARD_HELP_VERSION = 1;
sub HELP_MESSAGE()
{
my($fh) = @_;
print $fh "Usage:\n"
. " $me [-v] [-d] [-i <tunnelif>] [-a <localaddrs>] [-p <password>]\n"
. "Options:\n"
. " -v increase verbosity slightly to print error messages on stderr\n"
. " -d increase verbosity greatly (debug mode)\n"
. " -i <tunnelinterface>\n"
. " use the specified tunnel interface, defaults to tunl0\n"
. " -a <comma-separated-ip-list>\n"
. " ignore routes pointing to these (local) gateways\n"
. " (list contains system's local IP addresses by default)\n"
. " -p <password>\n"
. " use RIPv2 password 'authentication', defaults to none\n"
;
}
sub VERSION_MESSAGE()
{
my($fh) = @_;
print $fh "$me version $VERSION\n";
}
# Figure out local interface IP addresses so that routes to them can be ignored
sub fill_local_ifs()
{
my $s = `$ifconfig -a`;
while ($s =~ s/inet addr:(\d+\.\d+\.\d+\.\d+)//) {
warn "found local address: $1\n" if ($verbose);
$my_addresses{$1} = 1;
}
}
# Convert a netmask (in integer form) to the corresponding prefix length,
# and validate it too. This is a bit ugly, optimizations are welcome.
sub mask2prefix($)
{
my($mask) = @_; # integer
# convert to a string of 1's and 0's, like this (/25):
# 11111111111111111111111110000000
my($bits) = unpack("B32", pack('N', $mask));
# There should be a continuous row of 1's in the
# beginning, and a continuous row of 0's in the end.
# Regexp is our hammer, again.
return -1 if ($bits !~ /^(1*)(0*)$/);
# The amount of 1's in the beginning is the prefix length.
return length($1);
}
# delete a route from the kernel's table
sub route_delete($)
{
my($rkey) = @_;
# This is ugly and slow - we fork /sbin/ip twice for every route change.
# Should talk to the netlink device instead, but this is easier to
# do right now, and good enough for this little routing table.
my($out, $cmd);
return (0, 'nexthop is in 44/8');
}
# nexthop address does not point to self
if (defined $my_addresses{$e_nexthop_s}) {
warn "$e_net_s/$e_netmask_s => $e_nexthop_s blocked, local gw\n" if ($verbose);
return (0, 'local gw');
}
return (1, 'ok');
}
# process a RIPv2 route entry
sub process_rip_route_entry($)
{
my($entry) = @_;
my $e_af = unpack('n', substr($entry, 0, 2));
my $e_rtag = unpack('n', substr($entry, 2, 2));
if ($e_af == 0xFFFF) {
process_rip_auth_entry($entry);
return -1;
}
if ($e_af != AF_INET) {
warn "$me: RIPv2 entry has unsupported AF $e_af\n";
return 0;
}
my $e_net = substr($entry, 4, 4);
my $e_net_i = unpack('N', $e_net);
my $e_netmask = substr($entry, 8, 4);
my $e_netmask_i = unpack('N', $e_netmask);
my $e_nexthop = substr($entry, 12, 4);
my $e_metric = unpack('N', substr($entry, 16, 4));
my $e_net_s = inet_ntoa($e_net);
my $e_netmask_s = inet_ntoa($e_netmask);
my $e_nexthop_s = inet_ntoa($e_nexthop);
# Validate the route
my($result, $reason) = validate_route($e_net_i, $e_net_s, $e_netmask_i, $e_netmask_s, $e_nexthop_s);
if (!$result) {
warn "entry ignored ($reason): af $e_af rtag $e_rtag $e_net_s/$e_netmask_s via $e_nexthop_s metric $e_metric\n" if ($verbose);
return 0;
}
warn "entry: af $e_af rtag $e_rtag $e_net_s/$e_netmask_s via $e_nexthop_s metric $e_metric\n" if ($verbose > 1);
# Ok, we have a valid route, consider adding it in the kernel's routing table
consider_route($e_net_s, $e_netmask_s, $e_nexthop_s, $e_rtag);
return 1;
}
# process a RIP message
sub process_msg($$$)
{
my($addr_s, $perr_port, $msg) = @_;
# validate packet's length
if (length($msg) < RIP_HDR_LEN + RIP_ENTRY_LEN) {
warn "$me: ignored too short packet from $addr_s: " . length($msg) . "\n";
return -1;
}
if (length($msg) > RIP_HDR_LEN + RIP_ENTRY_LEN*25) {
warn "$me: ignored too long packet from $addr_s: " . length($msg) . "\n";
return -1;
}
# packet's length must be divisible by the length of an entry
if ((length($msg) - RIP_HDR_LEN) % RIP_ENTRY_LEN != 0) {
warn "$me: ignored invalid length packet from $addr_s: " . length($msg) . "\n";
return -1;
}
# validate RIP packet header
my $hdr = substr($msg, 0, 4);
my $entries = substr($msg, 4);
my($rip_command, $rip_version, $zero1, $zero2) = unpack('C*', $hdr);
if ($rip_command != RIP_CMD_RESPONSE) {
warn "$me: ignored non-response RIP packet from $addr_s\n";
return -1;
}
if ($rip_version != 2) {
warn "$me: ignored RIP version $rip_version packet from $addr_s (only accept v2)\n";
return -1;
}
if ($zero1 != 0 || $zero2 != 0) {
warn "$me: ignored RIP packet from $addr_s: zero bytes are not zero in header\n";
return -1;
}
my $init_msg = 0;
# if password auth is required, require it!
if (defined $rip_passwd) {
return -1 if (!process_rip_auth_entry(substr($entries, 0, RIP_ENTRY_LEN)));
$init_msg += RIP_ENTRY_LEN;
}
# Ok, process the actual route entries
my $routes = 0;
for (my $i = $init_msg; $i < length($entries); $i += RIP_ENTRY_LEN) {
my $entry = substr($entries, $i, RIP_ENTRY_LEN);
my $n = process_rip_route_entry($entry);
return -1 if ($n < 0);
$routes += $n;
}
return $routes;
}
#
####### main #############################################
#
( run in 0.630 second using v1.01-cache-2.11-cpan-140bd7fdf52 )