1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the project nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 * 31 * $KAME: nd6_nbr.c,v 1.86 2002/01/21 02:33:04 jinmei Exp $ 32 */ 33 34 #include <sys/cdefs.h> 35 #include "opt_inet.h" 36 #include "opt_inet6.h" 37 #include "opt_ipsec.h" 38 39 #include <sys/param.h> 40 #include <sys/systm.h> 41 #include <sys/eventhandler.h> 42 #include <sys/malloc.h> 43 #include <sys/libkern.h> 44 #include <sys/lock.h> 45 #include <sys/rwlock.h> 46 #include <sys/mbuf.h> 47 #include <sys/socket.h> 48 #include <sys/sockio.h> 49 #include <sys/time.h> 50 #include <sys/kernel.h> 51 #include <sys/errno.h> 52 #include <sys/sysctl.h> 53 #include <sys/syslog.h> 54 #include <sys/queue.h> 55 #include <sys/callout.h> 56 #include <sys/refcount.h> 57 58 #include <net/if.h> 59 #include <net/if_types.h> 60 #include <net/if_dl.h> 61 #include <net/if_var.h> 62 #include <net/if_private.h> 63 #include <net/route.h> 64 #include <net/vnet.h> 65 66 #include <netinet/in.h> 67 #include <netinet/in_var.h> 68 #include <net/if_llatbl.h> 69 #include <netinet6/in6_var.h> 70 #include <netinet6/in6_ifattach.h> 71 #include <netinet/ip6.h> 72 #include <netinet6/ip6_var.h> 73 #include <netinet6/scope6_var.h> 74 #include <netinet6/nd6.h> 75 #include <netinet/icmp6.h> 76 #include <netinet/ip_carp.h> 77 #include <netinet6/send.h> 78 79 #define SDL(s) ((struct sockaddr_dl *)s) 80 81 struct dadq; 82 static struct dadq *nd6_dad_find(struct ifaddr *, struct nd_opt_nonce *); 83 static void nd6_dad_add(struct dadq *dp); 84 static void nd6_dad_del(struct dadq *dp); 85 static void nd6_dad_rele(struct dadq *); 86 static void nd6_dad_starttimer(struct dadq *, int); 87 static void nd6_dad_stoptimer(struct dadq *); 88 static void nd6_dad_timer(void *); 89 static void nd6_dad_duplicated(struct ifaddr *, struct dadq *); 90 static void nd6_dad_ns_output(struct dadq *); 91 static void nd6_dad_ns_input(struct ifaddr *, struct nd_opt_nonce *); 92 static void nd6_dad_na_input(struct ifaddr *); 93 static void nd6_na_output_fib(struct ifnet *, const struct in6_addr *, 94 const struct in6_addr *, u_long, int, struct sockaddr *, u_int); 95 static void nd6_ns_output_fib(struct ifnet *, const struct in6_addr *, 96 const struct in6_addr *, const struct in6_addr *, uint8_t *, u_int); 97 98 static struct ifaddr *nd6_proxy_fill_sdl(struct ifnet *, 99 const struct in6_addr *, struct sockaddr_dl *); 100 101 VNET_DEFINE_STATIC(int, dad_enhanced) = 1; 102 #define V_dad_enhanced VNET(dad_enhanced) 103 104 SYSCTL_DECL(_net_inet6_ip6); 105 SYSCTL_INT(_net_inet6_ip6, OID_AUTO, dad_enhanced, CTLFLAG_VNET | CTLFLAG_RW, 106 &VNET_NAME(dad_enhanced), 0, 107 "Enable Enhanced DAD, which adds a random nonce to NS messages for DAD."); 108 109 VNET_DEFINE_STATIC(int, dad_maxtry) = 15; /* max # of *tries* to 110 transmit DAD packet */ 111 #define V_dad_maxtry VNET(dad_maxtry) 112 113 /* 114 * Input a Neighbor Solicitation Message. 115 * 116 * Based on RFC 2461 117 * Based on RFC 2462 (duplicate address detection) 118 */ 119 void 120 nd6_ns_input(struct mbuf *m, int off, int icmp6len) 121 { 122 struct ifnet *ifp; 123 struct ip6_hdr *ip6; 124 struct nd_neighbor_solicit *nd_ns; 125 struct in6_addr daddr6, myaddr6, saddr6, taddr6; 126 struct ifaddr *ifa; 127 struct sockaddr_dl proxydl; 128 union nd_opts ndopts; 129 char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN]; 130 char *lladdr; 131 int anycast, lladdrlen, proxy, rflag, tentative, tlladdr; 132 133 ifa = NULL; 134 135 /* RFC 6980: Nodes MUST silently ignore fragments */ 136 if(m->m_flags & M_FRAGMENTED) 137 goto freeit; 138 139 ifp = m->m_pkthdr.rcvif; 140 ip6 = mtod(m, struct ip6_hdr *); 141 if (__predict_false(ip6->ip6_hlim != 255)) { 142 ICMP6STAT_INC(icp6s_invlhlim); 143 nd6log((LOG_ERR, 144 "nd6_ns_input: invalid hlim (%d) from %s to %s on %s\n", 145 ip6->ip6_hlim, ip6_sprintf(ip6bufs, &ip6->ip6_src), 146 ip6_sprintf(ip6bufd, &ip6->ip6_dst), if_name(ifp))); 147 goto bads; 148 } 149 150 if (m->m_len < off + icmp6len) { 151 m = m_pullup(m, off + icmp6len); 152 if (m == NULL) { 153 IP6STAT_INC(ip6s_exthdrtoolong); 154 return; 155 } 156 } 157 ip6 = mtod(m, struct ip6_hdr *); 158 nd_ns = (struct nd_neighbor_solicit *)((caddr_t)ip6 + off); 159 160 saddr6 = ip6->ip6_src; 161 daddr6 = ip6->ip6_dst; 162 taddr6 = nd_ns->nd_ns_target; 163 if (in6_setscope(&taddr6, ifp, NULL) != 0) 164 goto bad; 165 166 rflag = (V_ip6_forwarding) ? ND_NA_FLAG_ROUTER : 0; 167 if (ND_IFINFO(ifp)->flags & ND6_IFF_ACCEPT_RTADV && V_ip6_norbit_raif) 168 rflag = 0; 169 170 if (IN6_IS_ADDR_UNSPECIFIED(&saddr6)) { 171 /* dst has to be a solicited node multicast address. */ 172 if (daddr6.s6_addr16[0] == IPV6_ADDR_INT16_MLL && 173 /* don't check ifindex portion */ 174 daddr6.s6_addr32[1] == 0 && 175 daddr6.s6_addr32[2] == IPV6_ADDR_INT32_ONE && 176 daddr6.s6_addr8[12] == 0xff) { 177 ; /* good */ 178 } else { 179 nd6log((LOG_INFO, "nd6_ns_input: bad DAD packet " 180 "(wrong ip6 dst)\n")); 181 goto bad; 182 } 183 } else if (!V_nd6_onlink_ns_rfc4861) { 184 struct sockaddr_in6 src_sa6; 185 186 /* 187 * According to recent IETF discussions, it is not a good idea 188 * to accept a NS from an address which would not be deemed 189 * to be a neighbor otherwise. This point is expected to be 190 * clarified in future revisions of the specification. 191 */ 192 bzero(&src_sa6, sizeof(src_sa6)); 193 src_sa6.sin6_family = AF_INET6; 194 src_sa6.sin6_len = sizeof(src_sa6); 195 src_sa6.sin6_addr = saddr6; 196 if (nd6_is_addr_neighbor(&src_sa6, ifp) == 0) { 197 nd6log((LOG_INFO, "nd6_ns_input: " 198 "NS packet from non-neighbor\n")); 199 goto bad; 200 } 201 } 202 203 if (IN6_IS_ADDR_MULTICAST(&taddr6)) { 204 nd6log((LOG_INFO, "nd6_ns_input: bad NS target (multicast)\n")); 205 goto bad; 206 } 207 208 icmp6len -= sizeof(*nd_ns); 209 nd6_option_init(nd_ns + 1, icmp6len, &ndopts); 210 if (nd6_options(&ndopts) < 0) { 211 nd6log((LOG_INFO, 212 "nd6_ns_input: invalid ND option, ignored\n")); 213 /* nd6_options have incremented stats */ 214 goto freeit; 215 } 216 217 lladdr = NULL; 218 lladdrlen = 0; 219 if (ndopts.nd_opts_src_lladdr) { 220 lladdr = (char *)(ndopts.nd_opts_src_lladdr + 1); 221 lladdrlen = ndopts.nd_opts_src_lladdr->nd_opt_len << 3; 222 } 223 224 if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src) && lladdr) { 225 nd6log((LOG_INFO, "nd6_ns_input: bad DAD packet " 226 "(link-layer address option)\n")); 227 goto bad; 228 } 229 230 /* 231 * Attaching target link-layer address to the NA? 232 * (RFC 2461 7.2.4) 233 * 234 * NS IP dst is unicast/anycast MUST NOT add 235 * NS IP dst is solicited-node multicast MUST add 236 * 237 * In implementation, we add target link-layer address by default. 238 * We do not add one in MUST NOT cases. 239 */ 240 if (!IN6_IS_ADDR_MULTICAST(&daddr6)) 241 tlladdr = 0; 242 else 243 tlladdr = 1; 244 245 /* 246 * Target address (taddr6) must be either: 247 * (1) Valid unicast/anycast address for my receiving interface, 248 * (2) Unicast address for which I'm offering proxy service, or 249 * (3) "tentative" address on which DAD is being performed. 250 */ 251 /* (1) and (3) check. */ 252 if (ifp->if_carp) 253 ifa = (*carp_iamatch6_p)(ifp, &taddr6); 254 else 255 ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp, &taddr6); 256 257 /* (2) check. */ 258 proxy = 0; 259 if (ifa == NULL) { 260 if ((ifa = nd6_proxy_fill_sdl(ifp, &taddr6, &proxydl)) != NULL) 261 proxy = 1; 262 } 263 if (ifa == NULL) { 264 /* 265 * We've got an NS packet, and we don't have that address 266 * assigned for us. We MUST silently ignore it. 267 * See RFC2461 7.2.3. 268 */ 269 goto freeit; 270 } 271 myaddr6 = *IFA_IN6(ifa); 272 anycast = ((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_ANYCAST; 273 tentative = ((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_TENTATIVE; 274 if (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_DUPLICATED) 275 goto freeit; 276 277 if (lladdr && ((ifp->if_addrlen + 2 + 7) & ~7) != lladdrlen) { 278 nd6log((LOG_INFO, "nd6_ns_input: lladdrlen mismatch for %s " 279 "(if %d, NS packet %d)\n", 280 ip6_sprintf(ip6bufs, &taddr6), 281 ifp->if_addrlen, lladdrlen - 2)); 282 goto bad; 283 } 284 285 if (IN6_ARE_ADDR_EQUAL(&myaddr6, &saddr6)) { 286 nd6log((LOG_INFO, "nd6_ns_input: duplicate IP6 address %s\n", 287 ip6_sprintf(ip6bufs, &saddr6))); 288 goto freeit; 289 } 290 291 /* 292 * We have neighbor solicitation packet, with target address equals to 293 * one of my tentative address. 294 * 295 * src addr how to process? 296 * --- --- 297 * multicast of course, invalid (rejected in ip6_input) 298 * unicast somebody is doing address resolution -> ignore 299 * unspec dup address detection 300 * 301 * The processing is defined in RFC 2462. 302 */ 303 if (tentative) { 304 /* 305 * If source address is unspecified address, it is for 306 * duplicate address detection. 307 * 308 * If not, the packet is for addess resolution; 309 * silently ignore it. 310 */ 311 if (IN6_IS_ADDR_UNSPECIFIED(&saddr6)) 312 nd6_dad_ns_input(ifa, ndopts.nd_opts_nonce); 313 314 goto freeit; 315 } 316 317 /* 318 * If the source address is unspecified address, entries must not 319 * be created or updated. 320 * It looks that sender is performing DAD. Output NA toward 321 * all-node multicast address, to tell the sender that I'm using 322 * the address. 323 * S bit ("solicited") must be zero. 324 */ 325 if (IN6_IS_ADDR_UNSPECIFIED(&saddr6)) { 326 struct in6_addr in6_all; 327 328 in6_all = in6addr_linklocal_allnodes; 329 if (in6_setscope(&in6_all, ifp, NULL) != 0) 330 goto bad; 331 nd6_na_output_fib(ifp, &in6_all, &taddr6, 332 ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) | 333 rflag, tlladdr, proxy ? (struct sockaddr *)&proxydl : NULL, 334 M_GETFIB(m)); 335 goto freeit; 336 } 337 338 nd6_cache_lladdr(ifp, &saddr6, lladdr, lladdrlen, 339 ND_NEIGHBOR_SOLICIT, 0); 340 341 nd6_na_output_fib(ifp, &saddr6, &taddr6, 342 ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) | 343 rflag | ND_NA_FLAG_SOLICITED, tlladdr, 344 proxy ? (struct sockaddr *)&proxydl : NULL, M_GETFIB(m)); 345 freeit: 346 if (ifa != NULL) 347 ifa_free(ifa); 348 m_freem(m); 349 return; 350 351 bad: 352 nd6log((LOG_ERR, "nd6_ns_input: src=%s\n", 353 ip6_sprintf(ip6bufs, &saddr6))); 354 nd6log((LOG_ERR, "nd6_ns_input: dst=%s\n", 355 ip6_sprintf(ip6bufs, &daddr6))); 356 nd6log((LOG_ERR, "nd6_ns_input: tgt=%s\n", 357 ip6_sprintf(ip6bufs, &taddr6))); 358 bads: 359 ICMP6STAT_INC(icp6s_badns); 360 if (ifa != NULL) 361 ifa_free(ifa); 362 m_freem(m); 363 } 364 365 static struct ifaddr * 366 nd6_proxy_fill_sdl(struct ifnet *ifp, const struct in6_addr *taddr6, 367 struct sockaddr_dl *sdl) 368 { 369 struct ifaddr *ifa; 370 struct llentry *ln; 371 372 ifa = NULL; 373 ln = nd6_lookup(taddr6, LLE_SF(AF_INET6, 0), ifp); 374 if (ln == NULL) 375 return (ifa); 376 if ((ln->la_flags & (LLE_PUB | LLE_VALID)) == (LLE_PUB | LLE_VALID)) { 377 link_init_sdl(ifp, (struct sockaddr *)sdl, ifp->if_type); 378 sdl->sdl_alen = ifp->if_addrlen; 379 bcopy(ln->ll_addr, &sdl->sdl_data, ifp->if_addrlen); 380 LLE_RUNLOCK(ln); 381 ifa = (struct ifaddr *)in6ifa_ifpforlinklocal(ifp, 382 IN6_IFF_NOTREADY|IN6_IFF_ANYCAST); 383 } else 384 LLE_RUNLOCK(ln); 385 386 return (ifa); 387 } 388 389 /* 390 * Output a Neighbor Solicitation Message. Caller specifies: 391 * - ICMP6 header source IP6 address 392 * - ND6 header target IP6 address 393 * - ND6 header source datalink address 394 * 395 * Based on RFC 2461 396 * Based on RFC 2462 (duplicate address detection) 397 * 398 * ln - for source address determination 399 * nonce - If non-NULL, NS is used for duplicate address detection and 400 * the value (length is ND_OPT_NONCE_LEN) is used as a random nonce. 401 */ 402 static void 403 nd6_ns_output_fib(struct ifnet *ifp, const struct in6_addr *saddr6, 404 const struct in6_addr *daddr6, const struct in6_addr *taddr6, 405 uint8_t *nonce, u_int fibnum) 406 { 407 struct mbuf *m; 408 struct m_tag *mtag; 409 struct ip6_hdr *ip6; 410 struct nd_neighbor_solicit *nd_ns; 411 struct ip6_moptions im6o; 412 int icmp6len; 413 int maxlen; 414 415 NET_EPOCH_ASSERT(); 416 417 if (IN6_IS_ADDR_MULTICAST(taddr6)) 418 return; 419 420 /* estimate the size of message */ 421 maxlen = sizeof(*ip6) + sizeof(*nd_ns); 422 maxlen += (sizeof(struct nd_opt_hdr) + ifp->if_addrlen + 7) & ~7; 423 KASSERT(max_linkhdr + maxlen <= MCLBYTES, ( 424 "%s: max_linkhdr + maxlen > MCLBYTES (%d + %d > %d)", 425 __func__, max_linkhdr, maxlen, MCLBYTES)); 426 427 if (max_linkhdr + maxlen > MHLEN) 428 m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR); 429 else 430 m = m_gethdr(M_NOWAIT, MT_DATA); 431 if (m == NULL) 432 return; 433 M_SETFIB(m, fibnum); 434 435 if (daddr6 == NULL || IN6_IS_ADDR_MULTICAST(daddr6)) { 436 m->m_flags |= M_MCAST; 437 im6o.im6o_multicast_ifp = ifp; 438 im6o.im6o_multicast_hlim = 255; 439 im6o.im6o_multicast_loop = 0; 440 } 441 442 icmp6len = sizeof(*nd_ns); 443 m->m_pkthdr.len = m->m_len = sizeof(*ip6) + icmp6len; 444 m->m_data += max_linkhdr; /* or M_ALIGN() equivalent? */ 445 446 /* fill neighbor solicitation packet */ 447 ip6 = mtod(m, struct ip6_hdr *); 448 ip6->ip6_flow = 0; 449 ip6->ip6_vfc &= ~IPV6_VERSION_MASK; 450 ip6->ip6_vfc |= IPV6_VERSION; 451 /* ip6->ip6_plen will be set later */ 452 ip6->ip6_nxt = IPPROTO_ICMPV6; 453 ip6->ip6_hlim = 255; 454 if (daddr6) 455 ip6->ip6_dst = *daddr6; 456 else { 457 ip6->ip6_dst.s6_addr16[0] = IPV6_ADDR_INT16_MLL; 458 ip6->ip6_dst.s6_addr16[1] = 0; 459 ip6->ip6_dst.s6_addr32[1] = 0; 460 ip6->ip6_dst.s6_addr32[2] = IPV6_ADDR_INT32_ONE; 461 ip6->ip6_dst.s6_addr32[3] = taddr6->s6_addr32[3]; 462 ip6->ip6_dst.s6_addr8[12] = 0xff; 463 if (in6_setscope(&ip6->ip6_dst, ifp, NULL) != 0) 464 goto bad; 465 } 466 if (nonce == NULL) { 467 char ip6buf[INET6_ADDRSTRLEN]; 468 struct ifaddr *ifa = NULL; 469 470 /* 471 * RFC2461 7.2.2: 472 * "If the source address of the packet prompting the 473 * solicitation is the same as one of the addresses assigned 474 * to the outgoing interface, that address SHOULD be placed 475 * in the IP Source Address of the outgoing solicitation. 476 * Otherwise, any one of the addresses assigned to the 477 * interface should be used." 478 * 479 * We use the source address for the prompting packet 480 * (saddr6), if saddr6 belongs to the outgoing interface. 481 * Otherwise, we perform the source address selection as usual. 482 */ 483 if (saddr6 != NULL) 484 ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp, saddr6); 485 if (ifa == NULL) { 486 int error; 487 struct in6_addr dst6, src6; 488 uint32_t scopeid; 489 490 in6_splitscope(&ip6->ip6_dst, &dst6, &scopeid); 491 error = in6_selectsrc_addr(fibnum, &dst6, 492 scopeid, ifp, &src6, NULL); 493 if (error) { 494 nd6log((LOG_DEBUG, "%s: source can't be " 495 "determined: dst=%s, error=%d\n", __func__, 496 ip6_sprintf(ip6buf, &dst6), 497 error)); 498 goto bad; 499 } 500 ip6->ip6_src = src6; 501 } else 502 ip6->ip6_src = *saddr6; 503 504 if (ifp->if_carp != NULL) { 505 /* 506 * Check that selected source address belongs to 507 * CARP addresses. 508 */ 509 if (ifa == NULL) 510 ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp, 511 &ip6->ip6_src); 512 /* 513 * Do not send NS for CARP address if we are not 514 * the CARP master. 515 */ 516 if (ifa != NULL && ifa->ifa_carp != NULL && 517 !(*carp_master_p)(ifa)) { 518 nd6log((LOG_DEBUG, 519 "nd6_ns_output: NS from BACKUP CARP address %s\n", 520 ip6_sprintf(ip6buf, &ip6->ip6_src))); 521 ifa_free(ifa); 522 goto bad; 523 } 524 } 525 if (ifa != NULL) 526 ifa_free(ifa); 527 } else { 528 /* 529 * Source address for DAD packet must always be IPv6 530 * unspecified address. (0::0) 531 * We actually don't have to 0-clear the address (we did it 532 * above), but we do so here explicitly to make the intention 533 * clearer. 534 */ 535 bzero(&ip6->ip6_src, sizeof(ip6->ip6_src)); 536 } 537 nd_ns = (struct nd_neighbor_solicit *)(ip6 + 1); 538 nd_ns->nd_ns_type = ND_NEIGHBOR_SOLICIT; 539 nd_ns->nd_ns_code = 0; 540 nd_ns->nd_ns_reserved = 0; 541 nd_ns->nd_ns_target = *taddr6; 542 in6_clearscope(&nd_ns->nd_ns_target); /* XXX */ 543 544 /* 545 * Add source link-layer address option. 546 * 547 * spec implementation 548 * --- --- 549 * DAD packet MUST NOT do not add the option 550 * there's no link layer address: 551 * impossible do not add the option 552 * there's link layer address: 553 * Multicast NS MUST add one add the option 554 * Unicast NS SHOULD add one add the option 555 */ 556 if (nonce == NULL) { 557 struct nd_opt_hdr *nd_opt; 558 char *mac; 559 int optlen; 560 561 mac = NULL; 562 if (ifp->if_carp) 563 mac = (*carp_macmatch6_p)(ifp, m, &ip6->ip6_src); 564 if (mac == NULL) 565 mac = nd6_ifptomac(ifp); 566 567 if (mac != NULL) { 568 nd_opt = (struct nd_opt_hdr *)(nd_ns + 1); 569 optlen = sizeof(struct nd_opt_hdr) + ifp->if_addrlen; 570 /* 8 byte alignments... */ 571 optlen = (optlen + 7) & ~7; 572 m->m_pkthdr.len += optlen; 573 m->m_len += optlen; 574 icmp6len += optlen; 575 bzero(nd_opt, optlen); 576 nd_opt->nd_opt_type = ND_OPT_SOURCE_LINKADDR; 577 nd_opt->nd_opt_len = optlen >> 3; 578 bcopy(mac, nd_opt + 1, ifp->if_addrlen); 579 } 580 } 581 /* 582 * Add a Nonce option (RFC 3971) to detect looped back NS messages. 583 * This behavior is documented as Enhanced Duplicate Address 584 * Detection in RFC 7527. 585 * net.inet6.ip6.dad_enhanced=0 disables this. 586 */ 587 if (V_dad_enhanced != 0 && nonce != NULL) { 588 int optlen = sizeof(struct nd_opt_hdr) + ND_OPT_NONCE_LEN; 589 struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_ns + 1); 590 /* 8-byte alignment is required. */ 591 optlen = (optlen + 7) & ~7; 592 593 m->m_pkthdr.len += optlen; 594 m->m_len += optlen; 595 icmp6len += optlen; 596 bzero((caddr_t)nd_opt, optlen); 597 nd_opt->nd_opt_type = ND_OPT_NONCE; 598 nd_opt->nd_opt_len = optlen >> 3; 599 bcopy(nonce, (caddr_t)(nd_opt + 1), ND_OPT_NONCE_LEN); 600 } 601 ip6->ip6_plen = htons((u_short)icmp6len); 602 nd_ns->nd_ns_cksum = 0; 603 nd_ns->nd_ns_cksum = 604 in6_cksum(m, IPPROTO_ICMPV6, sizeof(*ip6), icmp6len); 605 606 if (send_sendso_input_hook != NULL) { 607 mtag = m_tag_get(PACKET_TAG_ND_OUTGOING, 608 sizeof(unsigned short), M_NOWAIT); 609 if (mtag == NULL) 610 goto bad; 611 *(unsigned short *)(mtag + 1) = nd_ns->nd_ns_type; 612 m_tag_prepend(m, mtag); 613 } 614 615 ip6_output(m, NULL, NULL, (nonce != NULL) ? IPV6_UNSPECSRC : 0, 616 &im6o, NULL, NULL); 617 icmp6_ifstat_inc(ifp, ifs6_out_msg); 618 icmp6_ifstat_inc(ifp, ifs6_out_neighborsolicit); 619 ICMP6STAT_INC(icp6s_outhist[ND_NEIGHBOR_SOLICIT]); 620 621 return; 622 623 bad: 624 m_freem(m); 625 } 626 627 #ifndef BURN_BRIDGES 628 void 629 nd6_ns_output(struct ifnet *ifp, const struct in6_addr *saddr6, 630 const struct in6_addr *daddr6, const struct in6_addr *taddr6,uint8_t *nonce) 631 { 632 633 nd6_ns_output_fib(ifp, saddr6, daddr6, taddr6, nonce, RT_DEFAULT_FIB); 634 } 635 #endif 636 /* 637 * Neighbor advertisement input handling. 638 * 639 * Based on RFC 2461 640 * Based on RFC 2462 (duplicate address detection) 641 * 642 * the following items are not implemented yet: 643 * - proxy advertisement delay rule (RFC2461 7.2.8, last paragraph, SHOULD) 644 * - anycast advertisement delay rule (RFC2461 7.2.7, SHOULD) 645 */ 646 void 647 nd6_na_input(struct mbuf *m, int off, int icmp6len) 648 { 649 struct ifnet *ifp; 650 struct ip6_hdr *ip6; 651 struct ifaddr *ifa; 652 struct llentry *ln; 653 struct mbuf *chain; 654 struct nd_neighbor_advert *nd_na; 655 struct in6_addr daddr6, taddr6; 656 union nd_opts ndopts; 657 u_char linkhdr[LLE_MAX_LINKHDR]; 658 char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN]; 659 char *lladdr; 660 size_t linkhdrsize; 661 int flags, is_override, is_router, is_solicited; 662 int lladdr_off, lladdrlen, checklink; 663 bool flush_holdchain = false; 664 665 NET_EPOCH_ASSERT(); 666 667 chain = NULL; 668 ln = NULL; 669 checklink = 0; 670 671 /* RFC 6980: Nodes MUST silently ignore fragments */ 672 if(m->m_flags & M_FRAGMENTED) 673 goto freeit; 674 675 ifp = m->m_pkthdr.rcvif; 676 ip6 = mtod(m, struct ip6_hdr *); 677 if (__predict_false(ip6->ip6_hlim != 255)) { 678 ICMP6STAT_INC(icp6s_invlhlim); 679 nd6log((LOG_ERR, 680 "nd6_na_input: invalid hlim (%d) from %s to %s on %s\n", 681 ip6->ip6_hlim, ip6_sprintf(ip6bufs, &ip6->ip6_src), 682 ip6_sprintf(ip6bufd, &ip6->ip6_dst), if_name(ifp))); 683 goto bad; 684 } 685 686 if (m->m_len < off + icmp6len) { 687 m = m_pullup(m, off + icmp6len); 688 if (m == NULL) { 689 IP6STAT_INC(ip6s_exthdrtoolong); 690 return; 691 } 692 } 693 ip6 = mtod(m, struct ip6_hdr *); 694 nd_na = (struct nd_neighbor_advert *)((caddr_t)ip6 + off); 695 696 flags = nd_na->nd_na_flags_reserved; 697 is_router = ((flags & ND_NA_FLAG_ROUTER) != 0); 698 is_solicited = ((flags & ND_NA_FLAG_SOLICITED) != 0); 699 is_override = ((flags & ND_NA_FLAG_OVERRIDE) != 0); 700 701 taddr6 = nd_na->nd_na_target; 702 if (in6_setscope(&taddr6, ifp, NULL)) 703 goto bad; /* XXX: impossible */ 704 705 if (IN6_IS_ADDR_MULTICAST(&taddr6)) { 706 nd6log((LOG_ERR, 707 "nd6_na_input: invalid target address %s\n", 708 ip6_sprintf(ip6bufs, &taddr6))); 709 goto bad; 710 } 711 712 daddr6 = ip6->ip6_dst; 713 if (IN6_IS_ADDR_MULTICAST(&daddr6)) 714 if (is_solicited) { 715 nd6log((LOG_ERR, 716 "nd6_na_input: a solicited adv is multicasted\n")); 717 goto bad; 718 } 719 720 icmp6len -= sizeof(*nd_na); 721 nd6_option_init(nd_na + 1, icmp6len, &ndopts); 722 if (nd6_options(&ndopts) < 0) { 723 nd6log((LOG_INFO, 724 "nd6_na_input: invalid ND option, ignored\n")); 725 /* nd6_options have incremented stats */ 726 goto freeit; 727 } 728 729 lladdr = NULL; 730 lladdrlen = 0; 731 if (ndopts.nd_opts_tgt_lladdr) { 732 lladdr = (char *)(ndopts.nd_opts_tgt_lladdr + 1); 733 lladdrlen = ndopts.nd_opts_tgt_lladdr->nd_opt_len << 3; 734 } 735 736 ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp, &taddr6); 737 if (ifa != NULL && ifa->ifa_carp != NULL) { 738 /* 739 * Silently ignore NAs for CARP addresses if we are not 740 * the CARP master. 741 */ 742 if (!(*carp_master_p)(ifa)) { 743 nd6log((LOG_DEBUG, 744 "nd6_na_input: NA for BACKUP CARP address %s\n", 745 ip6_sprintf(ip6bufs, &taddr6))); 746 ifa_free(ifa); 747 goto freeit; 748 } 749 } 750 /* 751 * Target address matches one of my interface address. 752 * 753 * If my address is tentative, this means that there's somebody 754 * already using the same address as mine. This indicates DAD failure. 755 * This is defined in RFC 2462. 756 * 757 * Otherwise, process as defined in RFC 2461. 758 */ 759 if (ifa 760 && (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_TENTATIVE)) { 761 nd6_dad_na_input(ifa); 762 ifa_free(ifa); 763 goto freeit; 764 } 765 766 /* Just for safety, maybe unnecessary. */ 767 if (ifa) { 768 ifa_free(ifa); 769 log(LOG_ERR, 770 "nd6_na_input: duplicate IP6 address %s\n", 771 ip6_sprintf(ip6bufs, &taddr6)); 772 goto freeit; 773 } 774 775 if (lladdr && ((ifp->if_addrlen + 2 + 7) & ~7) != lladdrlen) { 776 nd6log((LOG_INFO, "nd6_na_input: lladdrlen mismatch for %s " 777 "(if %d, NA packet %d)\n", ip6_sprintf(ip6bufs, &taddr6), 778 ifp->if_addrlen, lladdrlen - 2)); 779 goto bad; 780 } 781 782 /* 783 * If no neighbor cache entry is found, NA SHOULD silently be 784 * discarded. 785 */ 786 ln = nd6_lookup(&taddr6, LLE_SF(AF_INET6, LLE_EXCLUSIVE), ifp); 787 if (ln == NULL) { 788 goto freeit; 789 } 790 791 /* 792 * Do not try to override static entry. 793 */ 794 if (ln->la_flags & LLE_STATIC) 795 goto freeit; 796 797 if (ln->ln_state == ND6_LLINFO_INCOMPLETE) { 798 /* 799 * If the link-layer has address, and no lladdr option came, 800 * discard the packet. 801 */ 802 if (ifp->if_addrlen && lladdr == NULL) { 803 goto freeit; 804 } 805 806 /* 807 * Record link-layer address, and update the state. 808 */ 809 if (!nd6_try_set_entry_addr(ifp, ln, lladdr)) 810 goto freeit; 811 812 flush_holdchain = true; 813 if (is_solicited) 814 nd6_llinfo_setstate(ln, ND6_LLINFO_REACHABLE); 815 else 816 nd6_llinfo_setstate(ln, ND6_LLINFO_STALE); 817 EVENTHANDLER_INVOKE(lle_event, ln, LLENTRY_RESOLVED); 818 if ((ln->ln_router = is_router) != 0) { 819 /* 820 * This means a router's state has changed from 821 * non-reachable to probably reachable, and might 822 * affect the status of associated prefixes.. 823 */ 824 checklink = 1; 825 } 826 } else { 827 int llchange; 828 829 /* 830 * Check if the link-layer address has changed or not. 831 */ 832 if (lladdr == NULL) 833 llchange = 0; 834 else { 835 if (ln->la_flags & LLE_VALID) { 836 if (bcmp(lladdr, ln->ll_addr, ifp->if_addrlen)) 837 llchange = 1; 838 else 839 llchange = 0; 840 } else 841 llchange = 1; 842 } 843 844 /* 845 * This is VERY complex. Look at it with care. 846 * 847 * override solicit lladdr llchange action 848 * (L: record lladdr) 849 * 850 * 0 0 n -- (2c) 851 * 0 0 y n (2b) L 852 * 0 0 y y (1) REACHABLE->STALE 853 * 0 1 n -- (2c) *->REACHABLE 854 * 0 1 y n (2b) L *->REACHABLE 855 * 0 1 y y (1) REACHABLE->STALE 856 * 1 0 n -- (2a) 857 * 1 0 y n (2a) L 858 * 1 0 y y (2a) L *->STALE 859 * 1 1 n -- (2a) *->REACHABLE 860 * 1 1 y n (2a) L *->REACHABLE 861 * 1 1 y y (2a) L *->REACHABLE 862 */ 863 if (!is_override && (lladdr != NULL && llchange)) { /* (1) */ 864 /* 865 * If state is REACHABLE, make it STALE. 866 * no other updates should be done. 867 */ 868 if (ln->ln_state == ND6_LLINFO_REACHABLE) 869 nd6_llinfo_setstate(ln, ND6_LLINFO_STALE); 870 goto freeit; 871 } else if (is_override /* (2a) */ 872 || (!is_override && (lladdr != NULL && !llchange)) /* (2b) */ 873 || lladdr == NULL) { /* (2c) */ 874 /* 875 * Update link-local address, if any. 876 */ 877 if (lladdr != NULL) { 878 linkhdrsize = sizeof(linkhdr); 879 if (lltable_calc_llheader(ifp, AF_INET6, lladdr, 880 linkhdr, &linkhdrsize, &lladdr_off) != 0) 881 goto freeit; 882 if (lltable_try_set_entry_addr(ifp, ln, linkhdr, 883 linkhdrsize, lladdr_off) == 0) 884 goto freeit; 885 EVENTHANDLER_INVOKE(lle_event, ln, 886 LLENTRY_RESOLVED); 887 } 888 889 /* 890 * If solicited, make the state REACHABLE. 891 * If not solicited and the link-layer address was 892 * changed, make it STALE. 893 */ 894 if (is_solicited) 895 nd6_llinfo_setstate(ln, ND6_LLINFO_REACHABLE); 896 else { 897 if (lladdr != NULL && llchange) 898 nd6_llinfo_setstate(ln, ND6_LLINFO_STALE); 899 } 900 } 901 902 if (ln->ln_router && !is_router) { 903 /* 904 * The peer dropped the router flag. 905 * Remove the sender from the Default Router List and 906 * update the Destination Cache entries. 907 */ 908 struct ifnet *nd6_ifp; 909 910 nd6_ifp = lltable_get_ifp(ln->lle_tbl); 911 if (!defrouter_remove(&ln->r_l3addr.addr6, nd6_ifp) && 912 (ND_IFINFO(nd6_ifp)->flags & 913 ND6_IFF_ACCEPT_RTADV) != 0) 914 /* 915 * Even if the neighbor is not in the default 916 * router list, the neighbor may be used as a 917 * next hop for some destinations (e.g. redirect 918 * case). So we must call rt6_flush explicitly. 919 */ 920 rt6_flush(&ip6->ip6_src, ifp); 921 } 922 ln->ln_router = is_router; 923 } 924 /* XXX - QL 925 * Does this matter? 926 * rt->rt_flags &= ~RTF_REJECT; 927 */ 928 ln->la_asked = 0; 929 if (ln->la_hold != NULL) 930 chain = nd6_grab_holdchain(ln); 931 freeit: 932 if (ln != NULL) 933 LLE_WUNLOCK(ln); 934 935 if (chain != NULL) 936 nd6_flush_holdchain(ifp, ln, chain); 937 if (flush_holdchain) 938 nd6_flush_children_holdchain(ifp, ln); 939 940 if (checklink) 941 pfxlist_onlink_check(); 942 943 m_freem(m); 944 return; 945 946 bad: 947 if (ln != NULL) 948 LLE_WUNLOCK(ln); 949 950 ICMP6STAT_INC(icp6s_badna); 951 m_freem(m); 952 } 953 954 /* 955 * Neighbor advertisement output handling. 956 * 957 * Based on RFC 2461 958 * 959 * the following items are not implemented yet: 960 * - proxy advertisement delay rule (RFC2461 7.2.8, last paragraph, SHOULD) 961 * - anycast advertisement delay rule (RFC2461 7.2.7, SHOULD) 962 * 963 * tlladdr - 1 if include target link-layer address 964 * sdl0 - sockaddr_dl (= proxy NA) or NULL 965 */ 966 static void 967 nd6_na_output_fib(struct ifnet *ifp, const struct in6_addr *daddr6_0, 968 const struct in6_addr *taddr6, u_long flags, int tlladdr, 969 struct sockaddr *sdl0, u_int fibnum) 970 { 971 struct mbuf *m; 972 struct m_tag *mtag; 973 struct ip6_hdr *ip6; 974 struct nd_neighbor_advert *nd_na; 975 struct ip6_moptions im6o; 976 struct in6_addr daddr6, dst6, src6; 977 uint32_t scopeid; 978 979 NET_EPOCH_ASSERT(); 980 981 int icmp6len, maxlen, error; 982 caddr_t mac = NULL; 983 984 daddr6 = *daddr6_0; /* make a local copy for modification */ 985 986 /* estimate the size of message */ 987 maxlen = sizeof(*ip6) + sizeof(*nd_na); 988 maxlen += (sizeof(struct nd_opt_hdr) + ifp->if_addrlen + 7) & ~7; 989 KASSERT(max_linkhdr + maxlen <= MCLBYTES, ( 990 "%s: max_linkhdr + maxlen > MCLBYTES (%d + %d > %d)", 991 __func__, max_linkhdr, maxlen, MCLBYTES)); 992 993 if (max_linkhdr + maxlen > MHLEN) 994 m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR); 995 else 996 m = m_gethdr(M_NOWAIT, MT_DATA); 997 if (m == NULL) 998 return; 999 M_SETFIB(m, fibnum); 1000 1001 if (IN6_IS_ADDR_MULTICAST(&daddr6)) { 1002 m->m_flags |= M_MCAST; 1003 im6o.im6o_multicast_ifp = ifp; 1004 im6o.im6o_multicast_hlim = 255; 1005 im6o.im6o_multicast_loop = 0; 1006 } 1007 1008 icmp6len = sizeof(*nd_na); 1009 m->m_pkthdr.len = m->m_len = sizeof(struct ip6_hdr) + icmp6len; 1010 m->m_data += max_linkhdr; /* or M_ALIGN() equivalent? */ 1011 1012 /* fill neighbor advertisement packet */ 1013 ip6 = mtod(m, struct ip6_hdr *); 1014 ip6->ip6_flow = 0; 1015 ip6->ip6_vfc &= ~IPV6_VERSION_MASK; 1016 ip6->ip6_vfc |= IPV6_VERSION; 1017 ip6->ip6_nxt = IPPROTO_ICMPV6; 1018 ip6->ip6_hlim = 255; 1019 if (IN6_IS_ADDR_UNSPECIFIED(&daddr6)) { 1020 /* reply to DAD */ 1021 daddr6.s6_addr16[0] = IPV6_ADDR_INT16_MLL; 1022 daddr6.s6_addr16[1] = 0; 1023 daddr6.s6_addr32[1] = 0; 1024 daddr6.s6_addr32[2] = 0; 1025 daddr6.s6_addr32[3] = IPV6_ADDR_INT32_ONE; 1026 if (in6_setscope(&daddr6, ifp, NULL)) 1027 goto bad; 1028 1029 flags &= ~ND_NA_FLAG_SOLICITED; 1030 } 1031 ip6->ip6_dst = daddr6; 1032 1033 /* 1034 * Select a source whose scope is the same as that of the dest. 1035 */ 1036 in6_splitscope(&daddr6, &dst6, &scopeid); 1037 error = in6_selectsrc_addr(fibnum, &dst6, 1038 scopeid, ifp, &src6, NULL); 1039 if (error) { 1040 char ip6buf[INET6_ADDRSTRLEN]; 1041 nd6log((LOG_DEBUG, "nd6_na_output: source can't be " 1042 "determined: dst=%s, error=%d\n", 1043 ip6_sprintf(ip6buf, &daddr6), error)); 1044 goto bad; 1045 } 1046 ip6->ip6_src = src6; 1047 nd_na = (struct nd_neighbor_advert *)(ip6 + 1); 1048 nd_na->nd_na_type = ND_NEIGHBOR_ADVERT; 1049 nd_na->nd_na_code = 0; 1050 nd_na->nd_na_target = *taddr6; 1051 in6_clearscope(&nd_na->nd_na_target); /* XXX */ 1052 1053 /* 1054 * "tlladdr" indicates NS's condition for adding tlladdr or not. 1055 * see nd6_ns_input() for details. 1056 * Basically, if NS packet is sent to unicast/anycast addr, 1057 * target lladdr option SHOULD NOT be included. 1058 */ 1059 if (tlladdr) { 1060 /* 1061 * sdl0 != NULL indicates proxy NA. If we do proxy, use 1062 * lladdr in sdl0. If we are not proxying (sending NA for 1063 * my address) use lladdr configured for the interface. 1064 */ 1065 if (sdl0 == NULL) { 1066 if (ifp->if_carp) 1067 mac = (*carp_macmatch6_p)(ifp, m, taddr6); 1068 if (mac == NULL) 1069 mac = nd6_ifptomac(ifp); 1070 } else if (sdl0->sa_family == AF_LINK) { 1071 struct sockaddr_dl *sdl; 1072 sdl = (struct sockaddr_dl *)sdl0; 1073 if (sdl->sdl_alen == ifp->if_addrlen) 1074 mac = LLADDR(sdl); 1075 } 1076 } 1077 if (tlladdr && mac) { 1078 int optlen = sizeof(struct nd_opt_hdr) + ifp->if_addrlen; 1079 struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_na + 1); 1080 1081 /* roundup to 8 bytes alignment! */ 1082 optlen = (optlen + 7) & ~7; 1083 1084 m->m_pkthdr.len += optlen; 1085 m->m_len += optlen; 1086 icmp6len += optlen; 1087 bzero((caddr_t)nd_opt, optlen); 1088 nd_opt->nd_opt_type = ND_OPT_TARGET_LINKADDR; 1089 nd_opt->nd_opt_len = optlen >> 3; 1090 bcopy(mac, (caddr_t)(nd_opt + 1), ifp->if_addrlen); 1091 } else 1092 flags &= ~ND_NA_FLAG_OVERRIDE; 1093 1094 ip6->ip6_plen = htons((u_short)icmp6len); 1095 nd_na->nd_na_flags_reserved = flags; 1096 nd_na->nd_na_cksum = 0; 1097 nd_na->nd_na_cksum = 1098 in6_cksum(m, IPPROTO_ICMPV6, sizeof(struct ip6_hdr), icmp6len); 1099 1100 if (send_sendso_input_hook != NULL) { 1101 mtag = m_tag_get(PACKET_TAG_ND_OUTGOING, 1102 sizeof(unsigned short), M_NOWAIT); 1103 if (mtag == NULL) 1104 goto bad; 1105 *(unsigned short *)(mtag + 1) = nd_na->nd_na_type; 1106 m_tag_prepend(m, mtag); 1107 } 1108 1109 ip6_output(m, NULL, NULL, 0, &im6o, NULL, NULL); 1110 icmp6_ifstat_inc(ifp, ifs6_out_msg); 1111 icmp6_ifstat_inc(ifp, ifs6_out_neighboradvert); 1112 ICMP6STAT_INC(icp6s_outhist[ND_NEIGHBOR_ADVERT]); 1113 1114 return; 1115 1116 bad: 1117 m_freem(m); 1118 } 1119 1120 #ifndef BURN_BRIDGES 1121 void 1122 nd6_na_output(struct ifnet *ifp, const struct in6_addr *daddr6_0, 1123 const struct in6_addr *taddr6, u_long flags, int tlladdr, 1124 struct sockaddr *sdl0) 1125 { 1126 1127 nd6_na_output_fib(ifp, daddr6_0, taddr6, flags, tlladdr, sdl0, 1128 RT_DEFAULT_FIB); 1129 } 1130 #endif 1131 1132 caddr_t 1133 nd6_ifptomac(struct ifnet *ifp) 1134 { 1135 switch (ifp->if_type) { 1136 case IFT_ETHER: 1137 case IFT_IEEE1394: 1138 case IFT_L2VLAN: 1139 case IFT_INFINIBAND: 1140 case IFT_BRIDGE: 1141 return IF_LLADDR(ifp); 1142 default: 1143 return NULL; 1144 } 1145 } 1146 1147 struct dadq { 1148 TAILQ_ENTRY(dadq) dad_list; 1149 struct ifaddr *dad_ifa; 1150 int dad_count; /* max NS to send */ 1151 int dad_ns_tcount; /* # of trials to send NS */ 1152 int dad_ns_ocount; /* NS sent so far */ 1153 int dad_ns_icount; 1154 int dad_na_icount; 1155 int dad_ns_lcount; /* looped back NS */ 1156 int dad_loopbackprobe; /* probing state for loopback detection */ 1157 struct callout dad_timer_ch; 1158 struct vnet *dad_vnet; 1159 u_int dad_refcnt; 1160 #define ND_OPT_NONCE_LEN32 \ 1161 ((ND_OPT_NONCE_LEN + sizeof(uint32_t) - 1)/sizeof(uint32_t)) 1162 uint32_t dad_nonce[ND_OPT_NONCE_LEN32]; 1163 bool dad_ondadq; /* on dadq? Protected by DADQ_WLOCK. */ 1164 }; 1165 1166 VNET_DEFINE_STATIC(TAILQ_HEAD(, dadq), dadq); 1167 VNET_DEFINE_STATIC(struct rwlock, dad_rwlock); 1168 #define V_dadq VNET(dadq) 1169 #define V_dad_rwlock VNET(dad_rwlock) 1170 1171 #define DADQ_LOCKPTR() (&V_dad_rwlock) 1172 #define DADQ_LOCK_INIT() rw_init(DADQ_LOCKPTR(), "nd6 DAD queue") 1173 #define DADQ_RLOCK() rw_rlock(DADQ_LOCKPTR()) 1174 #define DADQ_RUNLOCK() rw_runlock(DADQ_LOCKPTR()) 1175 #define DADQ_WLOCK() rw_wlock(DADQ_LOCKPTR()) 1176 #define DADQ_WUNLOCK() rw_wunlock(DADQ_LOCKPTR()) 1177 1178 #define DADQ_LOCK_ASSERT() rw_assert(DADQ_LOCKPTR(), RA_LOCKED); 1179 #define DADQ_RLOCK_ASSERT() rw_assert(DADQ_LOCKPTR(), RA_RLOCKED); 1180 #define DADQ_WLOCK_ASSERT() rw_assert(DADQ_LOCKPTR(), RA_WLOCKED); 1181 1182 static void 1183 nd6_dad_add(struct dadq *dp) 1184 { 1185 DADQ_WLOCK_ASSERT(); 1186 1187 TAILQ_INSERT_TAIL(&V_dadq, dp, dad_list); 1188 dp->dad_ondadq = true; 1189 } 1190 1191 static void 1192 nd6_dad_del(struct dadq *dp) 1193 { 1194 DADQ_WLOCK_ASSERT(); 1195 1196 if (dp->dad_ondadq) { 1197 /* 1198 * Remove dp from the dadq and release the dadq's 1199 * reference. 1200 */ 1201 TAILQ_REMOVE(&V_dadq, dp, dad_list); 1202 dp->dad_ondadq = false; 1203 nd6_dad_rele(dp); 1204 } 1205 } 1206 1207 static struct dadq * 1208 nd6_dad_find(struct ifaddr *ifa, struct nd_opt_nonce *n) 1209 { 1210 struct dadq *dp; 1211 1212 DADQ_LOCK_ASSERT(); 1213 1214 TAILQ_FOREACH(dp, &V_dadq, dad_list) { 1215 if (dp->dad_ifa != ifa) 1216 continue; 1217 1218 /* 1219 * Skip if the nonce matches the received one. 1220 * +2 in the length is required because of type and 1221 * length fields are included in a header. 1222 */ 1223 if (n != NULL && 1224 n->nd_opt_nonce_len == (ND_OPT_NONCE_LEN + 2) / 8 && 1225 memcmp(&n->nd_opt_nonce[0], &dp->dad_nonce[0], 1226 ND_OPT_NONCE_LEN) == 0) { 1227 dp->dad_ns_lcount++; 1228 continue; 1229 } 1230 break; 1231 } 1232 1233 return (dp); 1234 } 1235 1236 static void 1237 nd6_dad_starttimer(struct dadq *dp, int ticks) 1238 { 1239 DADQ_WLOCK_ASSERT(); 1240 1241 callout_reset(&dp->dad_timer_ch, ticks, nd6_dad_timer, dp); 1242 } 1243 1244 static void 1245 nd6_dad_stoptimer(struct dadq *dp) 1246 { 1247 callout_drain(&dp->dad_timer_ch); 1248 } 1249 1250 static void 1251 nd6_dad_rele(struct dadq *dp) 1252 { 1253 if (refcount_release(&dp->dad_refcnt)) { 1254 KASSERT(!dp->dad_ondadq, ("dp %p still on DAD queue", dp)); 1255 ifa_free(dp->dad_ifa); 1256 free(dp, M_IP6NDP); 1257 } 1258 } 1259 1260 void 1261 nd6_dad_init(void) 1262 { 1263 DADQ_LOCK_INIT(); 1264 TAILQ_INIT(&V_dadq); 1265 } 1266 1267 /* 1268 * Start Duplicate Address Detection (DAD) for specified interface address. 1269 */ 1270 void 1271 nd6_dad_start(struct ifaddr *ifa, int delay) 1272 { 1273 struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa; 1274 struct dadq *dp; 1275 char ip6buf[INET6_ADDRSTRLEN]; 1276 1277 KASSERT((ia->ia6_flags & IN6_IFF_TENTATIVE) != 0, 1278 ("starting DAD on non-tentative address %p", ifa)); 1279 1280 /* 1281 * If we don't need DAD, don't do it. 1282 * There are several cases: 1283 * - DAD is disabled globally or on the interface 1284 * - the interface address is anycast 1285 */ 1286 if ((ia->ia6_flags & IN6_IFF_ANYCAST) != 0 || 1287 V_ip6_dad_count == 0 || 1288 (ND_IFINFO(ifa->ifa_ifp)->flags & ND6_IFF_NO_DAD) != 0) { 1289 ia->ia6_flags &= ~IN6_IFF_TENTATIVE; 1290 return; 1291 } 1292 if ((ifa->ifa_ifp->if_flags & IFF_UP) == 0 || 1293 (ifa->ifa_ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 || 1294 (ND_IFINFO(ifa->ifa_ifp)->flags & ND6_IFF_IFDISABLED) != 0) 1295 return; 1296 1297 DADQ_WLOCK(); 1298 if ((dp = nd6_dad_find(ifa, NULL)) != NULL) { 1299 /* 1300 * DAD is already in progress. Let the existing entry 1301 * finish it. 1302 */ 1303 DADQ_WUNLOCK(); 1304 return; 1305 } 1306 1307 dp = malloc(sizeof(*dp), M_IP6NDP, M_NOWAIT | M_ZERO); 1308 if (dp == NULL) { 1309 log(LOG_ERR, "nd6_dad_start: memory allocation failed for " 1310 "%s(%s)\n", 1311 ip6_sprintf(ip6buf, &ia->ia_addr.sin6_addr), 1312 ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???"); 1313 return; 1314 } 1315 callout_init_rw(&dp->dad_timer_ch, DADQ_LOCKPTR(), 1316 CALLOUT_RETURNUNLOCKED); 1317 #ifdef VIMAGE 1318 dp->dad_vnet = curvnet; 1319 #endif 1320 nd6log((LOG_DEBUG, "%s: starting DAD for %s\n", if_name(ifa->ifa_ifp), 1321 ip6_sprintf(ip6buf, &ia->ia_addr.sin6_addr))); 1322 1323 /* 1324 * Send NS packet for DAD, ip6_dad_count times. 1325 * Note that we must delay the first transmission, if this is the 1326 * first packet to be sent from the interface after interface 1327 * (re)initialization. 1328 */ 1329 dp->dad_ifa = ifa; 1330 ifa_ref(dp->dad_ifa); 1331 dp->dad_count = V_ip6_dad_count; 1332 dp->dad_ns_icount = dp->dad_na_icount = 0; 1333 dp->dad_ns_ocount = dp->dad_ns_tcount = 0; 1334 dp->dad_ns_lcount = dp->dad_loopbackprobe = 0; 1335 1336 /* Add this to the dadq and add a reference for the dadq. */ 1337 refcount_init(&dp->dad_refcnt, 1); 1338 nd6_dad_add(dp); 1339 nd6_dad_starttimer(dp, delay); 1340 DADQ_WUNLOCK(); 1341 } 1342 1343 /* 1344 * terminate DAD unconditionally. used for address removals. 1345 */ 1346 void 1347 nd6_dad_stop(struct ifaddr *ifa) 1348 { 1349 struct dadq *dp; 1350 1351 DADQ_WLOCK(); 1352 dp = nd6_dad_find(ifa, NULL); 1353 if (dp == NULL) { 1354 DADQ_WUNLOCK(); 1355 /* DAD wasn't started yet */ 1356 return; 1357 } 1358 1359 /* 1360 * Acquire a temporary reference so that we can safely stop the callout. 1361 */ 1362 (void)refcount_acquire(&dp->dad_refcnt); 1363 nd6_dad_del(dp); 1364 DADQ_WUNLOCK(); 1365 1366 nd6_dad_stoptimer(dp); 1367 nd6_dad_rele(dp); 1368 } 1369 1370 static void 1371 nd6_dad_timer(void *arg) 1372 { 1373 struct dadq *dp = arg; 1374 struct ifaddr *ifa = dp->dad_ifa; 1375 struct ifnet *ifp = dp->dad_ifa->ifa_ifp; 1376 struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa; 1377 char ip6buf[INET6_ADDRSTRLEN]; 1378 struct epoch_tracker et; 1379 1380 CURVNET_SET(dp->dad_vnet); 1381 KASSERT(ia != NULL, ("DAD entry %p with no address", dp)); 1382 1383 NET_EPOCH_ENTER(et); 1384 if (ND_IFINFO(ifp)->flags & ND6_IFF_IFDISABLED) { 1385 /* Do not need DAD for ifdisabled interface. */ 1386 log(LOG_ERR, "nd6_dad_timer: cancel DAD on %s because of " 1387 "ND6_IFF_IFDISABLED.\n", ifp->if_xname); 1388 goto err; 1389 } 1390 if (ia->ia6_flags & IN6_IFF_DUPLICATED) { 1391 log(LOG_ERR, "nd6_dad_timer: called with duplicated address " 1392 "%s(%s)\n", 1393 ip6_sprintf(ip6buf, &ia->ia_addr.sin6_addr), 1394 ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???"); 1395 goto err; 1396 } 1397 if ((ia->ia6_flags & IN6_IFF_TENTATIVE) == 0) { 1398 log(LOG_ERR, "nd6_dad_timer: called with non-tentative address " 1399 "%s(%s)\n", 1400 ip6_sprintf(ip6buf, &ia->ia_addr.sin6_addr), 1401 ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???"); 1402 goto err; 1403 } 1404 1405 /* Stop DAD if the interface is down even after dad_maxtry attempts. */ 1406 if ((dp->dad_ns_tcount > V_dad_maxtry) && 1407 (((ifp->if_flags & IFF_UP) == 0) || 1408 ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0))) { 1409 nd6log((LOG_INFO, "%s: could not run DAD " 1410 "because the interface was down or not running.\n", 1411 if_name(ifa->ifa_ifp))); 1412 goto err; 1413 } 1414 1415 /* Need more checks? */ 1416 if (dp->dad_ns_ocount < dp->dad_count) { 1417 /* 1418 * We have more NS to go. Send NS packet for DAD. 1419 */ 1420 nd6_dad_starttimer(dp, 1421 (long)ND_IFINFO(ifa->ifa_ifp)->retrans * hz / 1000); 1422 nd6_dad_ns_output(dp); 1423 goto done; 1424 } else { 1425 /* 1426 * We have transmitted sufficient number of DAD packets. 1427 * See what we've got. 1428 */ 1429 if (dp->dad_ns_icount > 0 || dp->dad_na_icount > 0) { 1430 /* We've seen NS or NA, means DAD has failed. */ 1431 nd6_dad_duplicated(ifa, dp); 1432 } else if (V_dad_enhanced != 0 && 1433 dp->dad_ns_lcount > 0 && 1434 dp->dad_ns_lcount > dp->dad_loopbackprobe) { 1435 /* 1436 * Sec. 4.1 in RFC 7527 requires transmission of 1437 * additional probes until the loopback condition 1438 * becomes clear when a looped back probe is detected. 1439 */ 1440 log(LOG_ERR, "%s: a looped back NS message is " 1441 "detected during DAD for %s. " 1442 "Another DAD probes are being sent.\n", 1443 if_name(ifa->ifa_ifp), 1444 ip6_sprintf(ip6buf, IFA_IN6(ifa))); 1445 dp->dad_loopbackprobe = dp->dad_ns_lcount; 1446 /* 1447 * Send an NS immediately and increase dad_count by 1448 * V_nd6_mmaxtries - 1. 1449 */ 1450 dp->dad_count = 1451 dp->dad_ns_ocount + V_nd6_mmaxtries - 1; 1452 nd6_dad_starttimer(dp, 1453 (long)ND_IFINFO(ifa->ifa_ifp)->retrans * hz / 1000); 1454 nd6_dad_ns_output(dp); 1455 goto done; 1456 } else { 1457 /* 1458 * We are done with DAD. No NA came, no NS came. 1459 * No duplicate address found. Check IFDISABLED flag 1460 * again in case that it is changed between the 1461 * beginning of this function and here. 1462 */ 1463 if ((ND_IFINFO(ifp)->flags & ND6_IFF_IFDISABLED) == 0) 1464 ia->ia6_flags &= ~IN6_IFF_TENTATIVE; 1465 1466 nd6log((LOG_DEBUG, 1467 "%s: DAD complete for %s - no duplicates found\n", 1468 if_name(ifa->ifa_ifp), 1469 ip6_sprintf(ip6buf, &ia->ia_addr.sin6_addr))); 1470 if (dp->dad_ns_lcount > 0) 1471 log(LOG_ERR, "%s: DAD completed while " 1472 "a looped back NS message is detected " 1473 "during DAD for %s.\n", 1474 if_name(ifa->ifa_ifp), 1475 ip6_sprintf(ip6buf, IFA_IN6(ifa))); 1476 } 1477 } 1478 err: 1479 nd6_dad_del(dp); 1480 DADQ_WUNLOCK(); 1481 done: 1482 NET_EPOCH_EXIT(et); 1483 CURVNET_RESTORE(); 1484 } 1485 1486 static void 1487 nd6_dad_duplicated(struct ifaddr *ifa, struct dadq *dp) 1488 { 1489 struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa; 1490 struct ifnet *ifp; 1491 char ip6buf[INET6_ADDRSTRLEN]; 1492 1493 log(LOG_ERR, "%s: DAD detected duplicate IPv6 address %s: " 1494 "NS in/out/loopback=%d/%d/%d, NA in=%d\n", 1495 if_name(ifa->ifa_ifp), ip6_sprintf(ip6buf, &ia->ia_addr.sin6_addr), 1496 dp->dad_ns_icount, dp->dad_ns_ocount, dp->dad_ns_lcount, 1497 dp->dad_na_icount); 1498 1499 ia->ia6_flags &= ~IN6_IFF_TENTATIVE; 1500 ia->ia6_flags |= IN6_IFF_DUPLICATED; 1501 1502 ifp = ifa->ifa_ifp; 1503 log(LOG_ERR, "%s: DAD complete for %s - duplicate found\n", 1504 if_name(ifp), ip6_sprintf(ip6buf, &ia->ia_addr.sin6_addr)); 1505 log(LOG_ERR, "%s: manual intervention required\n", 1506 if_name(ifp)); 1507 1508 /* 1509 * If the address is a link-local address formed from an interface 1510 * identifier based on the hardware address which is supposed to be 1511 * uniquely assigned (e.g., EUI-64 for an Ethernet interface), IP 1512 * operation on the interface SHOULD be disabled. 1513 * [RFC 4862, Section 5.4.5] 1514 */ 1515 if (IN6_IS_ADDR_LINKLOCAL(&ia->ia_addr.sin6_addr)) { 1516 struct in6_addr in6; 1517 1518 /* 1519 * To avoid over-reaction, we only apply this logic when we are 1520 * very sure that hardware addresses are supposed to be unique. 1521 */ 1522 switch (ifp->if_type) { 1523 case IFT_ETHER: 1524 case IFT_ATM: 1525 case IFT_IEEE1394: 1526 case IFT_INFINIBAND: 1527 in6 = ia->ia_addr.sin6_addr; 1528 if (in6_get_hw_ifid(ifp, &in6) == 0 && 1529 IN6_ARE_ADDR_EQUAL(&ia->ia_addr.sin6_addr, &in6)) { 1530 ND_IFINFO(ifp)->flags |= ND6_IFF_IFDISABLED; 1531 log(LOG_ERR, "%s: possible hardware address " 1532 "duplication detected, disable IPv6\n", 1533 if_name(ifp)); 1534 } 1535 break; 1536 } 1537 } 1538 } 1539 1540 /* 1541 * Transmit a neighbour solicitation for the purpose of DAD. Returns with the 1542 * DAD queue unlocked. 1543 */ 1544 static void 1545 nd6_dad_ns_output(struct dadq *dp) 1546 { 1547 struct in6_ifaddr *ia = (struct in6_ifaddr *)dp->dad_ifa; 1548 struct ifnet *ifp = dp->dad_ifa->ifa_ifp; 1549 int i; 1550 1551 DADQ_WLOCK_ASSERT(); 1552 1553 dp->dad_ns_tcount++; 1554 if ((ifp->if_flags & IFF_UP) == 0) { 1555 DADQ_WUNLOCK(); 1556 return; 1557 } 1558 if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0) { 1559 DADQ_WUNLOCK(); 1560 return; 1561 } 1562 1563 dp->dad_ns_ocount++; 1564 if (V_dad_enhanced != 0) { 1565 for (i = 0; i < ND_OPT_NONCE_LEN32; i++) 1566 dp->dad_nonce[i] = arc4random(); 1567 /* 1568 * XXXHRS: Note that in the case that 1569 * DupAddrDetectTransmits > 1, multiple NS messages with 1570 * different nonces can be looped back in an unexpected 1571 * order. The current implementation recognizes only 1572 * the latest nonce on the sender side. Practically it 1573 * should work well in almost all cases. 1574 */ 1575 } 1576 DADQ_WUNLOCK(); 1577 nd6_ns_output(ifp, NULL, NULL, &ia->ia_addr.sin6_addr, 1578 (uint8_t *)&dp->dad_nonce[0]); 1579 } 1580 1581 static void 1582 nd6_dad_ns_input(struct ifaddr *ifa, struct nd_opt_nonce *ndopt_nonce) 1583 { 1584 struct dadq *dp; 1585 1586 if (ifa == NULL) 1587 panic("ifa == NULL in nd6_dad_ns_input"); 1588 1589 /* Ignore Nonce option when Enhanced DAD is disabled. */ 1590 if (V_dad_enhanced == 0) 1591 ndopt_nonce = NULL; 1592 DADQ_RLOCK(); 1593 dp = nd6_dad_find(ifa, ndopt_nonce); 1594 if (dp != NULL) 1595 dp->dad_ns_icount++; 1596 DADQ_RUNLOCK(); 1597 } 1598 1599 static void 1600 nd6_dad_na_input(struct ifaddr *ifa) 1601 { 1602 struct dadq *dp; 1603 1604 if (ifa == NULL) 1605 panic("ifa == NULL in nd6_dad_na_input"); 1606 1607 DADQ_RLOCK(); 1608 dp = nd6_dad_find(ifa, NULL); 1609 if (dp != NULL) 1610 dp->dad_na_icount++; 1611 DADQ_RUNLOCK(); 1612 } 1613