IPv6 Blackhole策略路由

IPv6全局定义了一个blackhole路由缓存项的模板ip6_blk_hole_entry_template，每个网络命名空间将据此生成一个路由缓存项ip6_blk_hole_entry。

static const struct rt6_info ip6_blk_hole_entry_template = {.dst = {.__refcnt   = ATOMIC_INIT(1),.__use      = 1,.obsolete   = DST_OBSOLETE_FORCE_CHK,.error      = -EINVAL,.input      = dst_discard,.output     = dst_discard_out,},.rt6i_flags = (RTF_REJECT | RTF_NONEXTHOP),
};

如下ip6_route_net_init函数，复制模板ip6_blk_hole_entry_template生成本命名空间中的ip6_blk_hole_entry项。

static int __net_init ip6_route_net_init(struct net *net)
{...net->ipv6.ip6_blk_hole_entry = kmemdup(&ip6_blk_hole_entry_template,sizeof(*net->ipv6.ip6_blk_hole_entry),GFP_KERNEL);if (!net->ipv6.ip6_blk_hole_entry)goto out_ip6_prohibit_entry;net->ipv6.ip6_blk_hole_entry->dst.ops = &net->ipv6.ip6_dst_ops;dst_init_metrics(&net->ipv6.ip6_blk_hole_entry->dst,ip6_template_metrics, true);INIT_LIST_HEAD(&net->ipv6.ip6_blk_hole_entry->rt6i_uncached);

Blackhole缓存设备

在IPv6路由系统初始化时，注册通知处理函数ip6_route_dev_notify。

static struct notifier_block ip6_route_dev_notifier = {.notifier_call = ip6_route_dev_notify,.priority = ADDRCONF_NOTIFY_PRIORITY - 10,
};int __init ip6_route_init(void)
{...ret = register_netdevice_notifier(&ip6_route_dev_notifier);if (ret)goto out_register_late_subsys;

对于命名空间中新注册的环回网络设备（NETDEV_REGISTER事件），将其以及其所对应的inet6_dev结构，赋值到ip6_blk_hole_entry中。

static int ip6_route_dev_notify(struct notifier_block *this,unsigned long event, void *ptr)
{struct net_device *dev = netdev_notifier_info_to_dev(ptr);struct net *net = dev_net(dev);if (!(dev->flags & IFF_LOOPBACK))return NOTIFY_OK;if (event == NETDEV_REGISTER) {...
#ifdef CONFIG_IPV6_MULTIPLE_TABLESnet->ipv6.ip6_blk_hole_entry->dst.dev = dev;net->ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(dev);...
#endif} else if (event == NETDEV_UNREGISTER &&dev->reg_state != NETREG_UNREGISTERED) {/* NETDEV_UNREGISTER could be fired for multiple times by* netdev_wait_allrefs(). Make sure we only call this once.*/in6_dev_put_clear(&net->ipv6.ip6_null_entry->rt6i_idev);
#ifdef CONFIG_IPV6_MULTIPLE_TABLESin6_dev_put_clear(&net->ipv6.ip6_blk_hole_entry->rt6i_idev);

默认命名空间中的blackhole路由缓存项，由初始化函数ip6_route_init_special_entries赋值回环接口以及其所对应的inet6_dev结构。

void __init ip6_route_init_special_entries(void)
{/* Registering of the loopback is done before this portion of code,* the loopback reference in rt6_info will not be taken, do it* manually for init_net */...#ifdef CONFIG_IPV6_MULTIPLE_TABLESinit_net.ipv6.ip6_blk_hole_entry->dst.dev = init_net.loopback_dev;init_net.ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);

由函数addrconf_init可知，在调用ip6_route_init_special_entries之前，已经将默认命名空间init_net中的环回接口进行了初始化。

int __init addrconf_init(void)
{struct inet6_dev *idev;int i, err;...rtnl_lock();idev = ipv6_add_dev(init_net.loopback_dev);rtnl_unlock();if (IS_ERR(idev)) {err = PTR_ERR(idev);goto errlo;}ip6_route_init_special_entries();

blackhole策略路由

如下策略路由，对于目的地址属于3ffe::/64的报文，禁止报文进行路由。

# ip -6 rule add from 3ffe::/64 type blackhole
#
$ ip -6 rule
0:      from all lookup local
32764:  from 3ffe::/64 blackhole

策略路由查找函数fib_rules_lookup，如果action不等于FR_ACT_GOTO或者FR_ACT_NOP，对于IPv6协议，执行fib6_rule_action。

int fib_rules_lookup(struct fib_rules_ops *ops, struct flowi *fl,int flags, struct fib_lookup_arg *arg)
{struct fib_rule *rule;list_for_each_entry_rcu(rule, &ops->rules_list, list) {
jumped:if (!fib_rule_match(rule, ops, fl, flags, arg))continue;if (rule->action == FR_ACT_GOTO) {struct fib_rule *target;target = rcu_dereference(rule->ctarget);if (target == NULL) {continue;} else {rule = target;goto jumped;}} else if (rule->action == FR_ACT_NOP)continue;elseerr = INDIRECT_CALL_MT(ops->action,fib6_rule_action,fib4_rule_action,rule, fl, flags, arg);

对于action类型等于FR_ACT_BLACKHOLE的策略路由，直接使用命名空间中的ip6_blk_hole_entry路由缓存项。

static int __fib6_rule_action(struct fib_rule *rule, struct flowi *flp,int flags, struct fib_lookup_arg *arg)
{struct fib6_result *res = arg->result;struct rt6_info *rt = NULL;struct net *net = rule->fr_net;switch (rule->action) {default:case FR_ACT_BLACKHOLE:err = -EINVAL;rt = net->ipv6.ip6_blk_hole_entry;goto discard_pkt;...}discard_pkt:if (!(flags & RT6_LOOKUP_F_DST_NOREF))dst_hold(&rt->dst);
out:res->rt6 = rt;return err;

blackhole路由缓存处理函数

在ip6_blk_hole_entry_template中，将input和output函数分别赋值为dst_discard和dst_discard_out，对于接收到的外部报文，或者本机发出的报文，都执行丢弃，释放skb。

static inline int dst_discard(struct sk_buff *skb)
{return dst_discard_out(&init_net, skb->sk, skb);
}int dst_discard_out(struct net *net, struct sock *sk, struct sk_buff *skb)
{kfree_skb(skb);return 0;
}

内核版本 5.10