xref: /illumos-gate/usr/src/uts/common/inet/ip/ip6_asp.c (revision 2983dda76a6d296fdb560c88114fe41caad1b84f)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <sys/types.h>
27 #include <sys/socket.h>
28 #include <sys/ksynch.h>
29 #include <sys/kmem.h>
30 #include <sys/errno.h>
31 #include <sys/systm.h>
32 #include <sys/sysmacros.h>
33 #include <sys/cmn_err.h>
34 #include <sys/strsun.h>
35 #include <sys/zone.h>
36 #include <netinet/in.h>
37 #include <inet/common.h>
38 #include <inet/ip.h>
39 #include <inet/ip6.h>
40 #include <inet/ip6_asp.h>
41 #include <inet/ip_ire.h>
42 #include <inet/ip_if.h>
43 #include <inet/ipclassifier.h>
44 
45 #define	IN6ADDR_MASK128_INIT \
46 	{ 0xffffffffU, 0xffffffffU, 0xffffffffU, 0xffffffffU }
47 #define	IN6ADDR_MASK96_INIT	{ 0xffffffffU, 0xffffffffU, 0xffffffffU, 0 }
48 #ifdef _BIG_ENDIAN
49 #define	IN6ADDR_MASK16_INIT	{ 0xffff0000U, 0, 0, 0 }
50 #else
51 #define	IN6ADDR_MASK16_INIT	{ 0x0000ffffU, 0, 0, 0 }
52 #endif
53 
54 
55 /*
56  * This table is ordered such that longest prefix matches are hit first
57  * (longer prefix lengths first).  The last entry must be the "default"
58  * entry (::0/0).
59  */
60 static ip6_asp_t default_ip6_asp_table[] = {
61 	{ IN6ADDR_LOOPBACK_INIT,	IN6ADDR_MASK128_INIT,
62 	    "Loopback", 50 },
63 	{ IN6ADDR_ANY_INIT,		IN6ADDR_MASK96_INIT,
64 	    "IPv4_Compatible", 20 },
65 #ifdef _BIG_ENDIAN
66 	{ { 0, 0, 0x0000ffffU, 0 },	IN6ADDR_MASK96_INIT,
67 	    "IPv4", 10 },
68 	{ { 0x20020000U, 0, 0, 0 },	IN6ADDR_MASK16_INIT,
69 	    "6to4", 30 },
70 #else
71 	{ { 0, 0, 0xffff0000U, 0 },	IN6ADDR_MASK96_INIT,
72 	    "IPv4", 10 },
73 	{ { 0x00000220U, 0, 0, 0 },	IN6ADDR_MASK16_INIT,
74 	    "6to4", 30 },
75 #endif
76 	{ IN6ADDR_ANY_INIT,		IN6ADDR_ANY_INIT,
77 	    "Default", 40 }
78 };
79 
80 /*
81  * The IPv6 Default Address Selection policy table.
82  * Until someone up above reconfigures the policy table, use the global
83  * default.  The table needs no lock since the only way to alter it is
84  * through the SIOCSIP6ADDRPOLICY which is exclusive in ip.
85  */
86 static void ip6_asp_copy(ip6_asp_t *, ip6_asp_t *, uint_t);
87 static void ip6_asp_check_for_updates(ip_stack_t *);
88 
89 void
90 ip6_asp_init(ip_stack_t *ipst)
91 {
92 	/* Initialize the table lock */
93 	mutex_init(&ipst->ips_ip6_asp_lock, NULL, MUTEX_DEFAULT, NULL);
94 
95 	ipst->ips_ip6_asp_table = default_ip6_asp_table;
96 
97 	ipst->ips_ip6_asp_table_count =
98 	    sizeof (default_ip6_asp_table) / sizeof (ip6_asp_t);
99 }
100 
101 void
102 ip6_asp_free(ip_stack_t *ipst)
103 {
104 	if (ipst->ips_ip6_asp_table != default_ip6_asp_table) {
105 		kmem_free(ipst->ips_ip6_asp_table,
106 		    ipst->ips_ip6_asp_table_count * sizeof (ip6_asp_t));
107 		ipst->ips_ip6_asp_table = NULL;
108 	}
109 	mutex_destroy(&ipst->ips_ip6_asp_lock);
110 }
111 
112 /*
113  * Return false if the table is being updated. Else, increment the ref
114  * count and return true.
115  */
116 boolean_t
117 ip6_asp_can_lookup(ip_stack_t *ipst)
118 {
119 	mutex_enter(&ipst->ips_ip6_asp_lock);
120 	if (ipst->ips_ip6_asp_uip) {
121 		mutex_exit(&ipst->ips_ip6_asp_lock);
122 		return (B_FALSE);
123 	}
124 	IP6_ASP_TABLE_REFHOLD(ipst);
125 	mutex_exit(&ipst->ips_ip6_asp_lock);
126 	return (B_TRUE);
127 
128 }
129 
130 void
131 ip6_asp_pending_op(queue_t *q, mblk_t *mp, aspfunc_t func)
132 {
133 	conn_t	*connp = Q_TO_CONN(q);
134 	ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
135 
136 	ASSERT((mp->b_prev == NULL) && (mp->b_queue == NULL) &&
137 	    (mp->b_next == NULL));
138 	mp->b_queue = (void *)q;
139 	mp->b_prev = (void *)func;
140 	mp->b_next = NULL;
141 
142 	mutex_enter(&ipst->ips_ip6_asp_lock);
143 	if (ipst->ips_ip6_asp_pending_ops == NULL) {
144 		ASSERT(ipst->ips_ip6_asp_pending_ops_tail == NULL);
145 		ipst->ips_ip6_asp_pending_ops =
146 		    ipst->ips_ip6_asp_pending_ops_tail = mp;
147 	} else {
148 		ipst->ips_ip6_asp_pending_ops_tail->b_next = mp;
149 		ipst->ips_ip6_asp_pending_ops_tail = mp;
150 	}
151 	mutex_exit(&ipst->ips_ip6_asp_lock);
152 }
153 
154 static void
155 ip6_asp_complete_op(ip_stack_t *ipst)
156 {
157 	mblk_t		*mp;
158 	queue_t		*q;
159 	aspfunc_t	func;
160 
161 	mutex_enter(&ipst->ips_ip6_asp_lock);
162 	while (ipst->ips_ip6_asp_pending_ops != NULL) {
163 		mp = ipst->ips_ip6_asp_pending_ops;
164 		ipst->ips_ip6_asp_pending_ops = mp->b_next;
165 		mp->b_next = NULL;
166 		if (ipst->ips_ip6_asp_pending_ops == NULL)
167 			ipst->ips_ip6_asp_pending_ops_tail = NULL;
168 		mutex_exit(&ipst->ips_ip6_asp_lock);
169 
170 		q = (queue_t *)mp->b_queue;
171 		func = (aspfunc_t)mp->b_prev;
172 
173 		mp->b_prev = NULL;
174 		mp->b_queue = NULL;
175 
176 
177 		(*func)(NULL, q, mp, NULL);
178 		mutex_enter(&ipst->ips_ip6_asp_lock);
179 	}
180 	mutex_exit(&ipst->ips_ip6_asp_lock);
181 }
182 
183 /*
184  * Decrement reference count. When it gets to 0, we check for (pending)
185  * saved update to the table, if any.
186  */
187 void
188 ip6_asp_table_refrele(ip_stack_t *ipst)
189 {
190 	IP6_ASP_TABLE_REFRELE(ipst);
191 }
192 
193 /*
194  * This function is guaranteed never to return a NULL pointer.  It
195  * will always return information from one of the entries in the
196  * asp_table (which will never be empty).  If a pointer is passed
197  * in for the precedence, the precedence value will be set; a
198  * pointer to the label will be returned by the function.
199  *
200  * Since the table is only anticipated to have five or six entries
201  * total, the lookup algorithm hasn't been optimized to anything
202  * better than O(n).
203  */
204 char *
205 ip6_asp_lookup(const in6_addr_t *addr, uint32_t *precedence, ip_stack_t *ipst)
206 {
207 	ip6_asp_t *aspp;
208 	ip6_asp_t *match = NULL;
209 	ip6_asp_t *default_policy;
210 
211 	aspp = ipst->ips_ip6_asp_table;
212 	/* The default entry must always be the last one */
213 	default_policy = aspp + ipst->ips_ip6_asp_table_count - 1;
214 
215 	while (match == NULL) {
216 		if (aspp == default_policy) {
217 			match = aspp;
218 		} else {
219 			if (V6_MASK_EQ(*addr, aspp->ip6_asp_mask,
220 			    aspp->ip6_asp_prefix))
221 				match = aspp;
222 			else
223 				aspp++;
224 		}
225 	}
226 
227 	if (precedence != NULL)
228 		*precedence = match->ip6_asp_precedence;
229 	return (match->ip6_asp_label);
230 }
231 
232 /*
233  * If we had deferred updating the table because of outstanding references,
234  * do it now. Note, we don't do error checking on the queued IOCTL mblk, since
235  * ip_sioctl_ip6addrpolicy() has already done it for us.
236  */
237 void
238 ip6_asp_check_for_updates(ip_stack_t *ipst)
239 {
240 	ip6_asp_t *table;
241 	size_t	table_size;
242 	mblk_t	*data_mp, *mp;
243 	struct iocblk *iocp;
244 
245 	mutex_enter(&ipst->ips_ip6_asp_lock);
246 	if (ipst->ips_ip6_asp_pending_update == NULL ||
247 	    ipst->ips_ip6_asp_refcnt > 0) {
248 		mutex_exit(&ipst->ips_ip6_asp_lock);
249 		return;
250 	}
251 
252 	mp = ipst->ips_ip6_asp_pending_update;
253 	ipst->ips_ip6_asp_pending_update = NULL;
254 	ASSERT(mp->b_prev != NULL);
255 
256 	ipst->ips_ip6_asp_uip = B_TRUE;
257 
258 	iocp = (struct iocblk *)mp->b_rptr;
259 	data_mp = mp->b_cont;
260 	if (data_mp == NULL) {
261 		table = NULL;
262 		table_size = iocp->ioc_count;
263 	} else {
264 		table = (ip6_asp_t *)data_mp->b_rptr;
265 		table_size = iocp->ioc_count;
266 	}
267 
268 	ip6_asp_replace(mp, table, table_size, B_TRUE, ipst,
269 	    iocp->ioc_flag & IOC_MODELS);
270 }
271 
272 /*
273  * ip6_asp_replace replaces the contents of the IPv6 address selection
274  * policy table with those specified in new_table.  If new_table is NULL,
275  * this indicates that the caller wishes ip to use the default policy
276  * table.  The caller is responsible for making sure that there are exactly
277  * new_count policy entries in new_table.
278  */
279 /*ARGSUSED5*/
280 void
281 ip6_asp_replace(mblk_t *mp, ip6_asp_t *new_table, size_t new_size,
282     boolean_t locked, ip_stack_t *ipst, model_t datamodel)
283 {
284 	int			ret_val = 0;
285 	ip6_asp_t		*tmp_table;
286 	uint_t			count;
287 	queue_t			*q;
288 	struct iocblk		*iocp;
289 #if defined(_SYSCALL32_IMPL) && _LONG_LONG_ALIGNMENT_32 == 4
290 	size_t ip6_asp_size = SIZEOF_STRUCT(ip6_asp, datamodel);
291 #else
292 	const size_t ip6_asp_size = sizeof (ip6_asp_t);
293 #endif
294 
295 	if (new_size % ip6_asp_size != 0) {
296 		ip1dbg(("ip6_asp_replace: invalid table size\n"));
297 		ret_val = EINVAL;
298 		if (locked)
299 			goto unlock_end;
300 		goto replace_end;
301 	} else {
302 		count = new_size / ip6_asp_size;
303 	}
304 
305 
306 	if (!locked)
307 		mutex_enter(&ipst->ips_ip6_asp_lock);
308 	/*
309 	 * Check if we are in the process of creating any IRE using the
310 	 * current information. If so, wait till that is done.
311 	 */
312 	if (!locked && ipst->ips_ip6_asp_refcnt > 0) {
313 		/* Save this request for later processing */
314 		if (ipst->ips_ip6_asp_pending_update == NULL) {
315 			ipst->ips_ip6_asp_pending_update = mp;
316 		} else {
317 			/* Let's not queue multiple requests for now */
318 			ip1dbg(("ip6_asp_replace: discarding request\n"));
319 			mutex_exit(&ipst->ips_ip6_asp_lock);
320 			ret_val =  EAGAIN;
321 			goto replace_end;
322 		}
323 		mutex_exit(&ipst->ips_ip6_asp_lock);
324 		return;
325 	}
326 
327 	/* Prevent lookups till the table have been updated */
328 	if (!locked)
329 		ipst->ips_ip6_asp_uip = B_TRUE;
330 
331 	ASSERT(ipst->ips_ip6_asp_refcnt == 0);
332 
333 	if (new_table == NULL) {
334 		/*
335 		 * This is a special case.  The user wants to revert
336 		 * back to using the default table.
337 		 */
338 		if (ipst->ips_ip6_asp_table == default_ip6_asp_table)
339 			goto unlock_end;
340 
341 		kmem_free(ipst->ips_ip6_asp_table,
342 		    ipst->ips_ip6_asp_table_count * sizeof (ip6_asp_t));
343 		ipst->ips_ip6_asp_table = default_ip6_asp_table;
344 		ipst->ips_ip6_asp_table_count =
345 		    sizeof (default_ip6_asp_table) / sizeof (ip6_asp_t);
346 		goto unlock_end;
347 	}
348 
349 	if (count == 0) {
350 		ret_val = EINVAL;
351 		ip1dbg(("ip6_asp_replace: empty table\n"));
352 		goto unlock_end;
353 	}
354 
355 	if ((tmp_table = kmem_alloc(count * sizeof (ip6_asp_t), KM_NOSLEEP)) ==
356 	    NULL) {
357 		ret_val = ENOMEM;
358 		goto unlock_end;
359 	}
360 
361 #if defined(_SYSCALL32_IMPL) && _LONG_LONG_ALIGNMENT_32 == 4
362 
363 	/*
364 	 * If 'new_table' -actually- originates from a 32-bit process
365 	 * then the nicely aligned ip6_asp_label array will be
366 	 * subtlely misaligned on this kernel, because the structure
367 	 * is 8 byte aligned in the kernel, but only 4 byte aligned in
368 	 * userland.  Fix it up here.
369 	 *
370 	 * XX64	See the notes in ip_sioctl_ip6addrpolicy.  Perhaps we could
371 	 *	do the datamodel transformation (below) there instead of here?
372 	 */
373 	if (datamodel == IOC_ILP32) {
374 		ip6_asp_t *dst;
375 		ip6_asp32_t *src;
376 		int i;
377 
378 		if ((dst = kmem_zalloc(count * sizeof (*dst),
379 		    KM_NOSLEEP)) == NULL) {
380 			kmem_free(tmp_table, count * sizeof (ip6_asp_t));
381 			ret_val = ENOMEM;
382 			goto unlock_end;
383 		}
384 
385 		/*
386 		 * Copy each element of the table from ip6_asp32_t
387 		 * format into ip6_asp_t format.  Fortunately, since
388 		 * we're just dealing with a trailing structure pad,
389 		 * we can do this straightforwardly with a flurry of
390 		 * bcopying.
391 		 */
392 		src = (void *)new_table;
393 		for (i = 0; i < count; i++)
394 			bcopy(src + i, dst + i, sizeof (*src));
395 
396 		ip6_asp_copy(dst, tmp_table, count);
397 		kmem_free(dst, count * sizeof (*dst));
398 	} else
399 #endif
400 		ip6_asp_copy(new_table, tmp_table, count);
401 
402 	/* Make sure the last entry is the default entry */
403 	if (!IN6_IS_ADDR_UNSPECIFIED(&tmp_table[count - 1].ip6_asp_prefix) ||
404 	    !IN6_IS_ADDR_UNSPECIFIED(&tmp_table[count - 1].ip6_asp_mask)) {
405 		ret_val = EINVAL;
406 		kmem_free(tmp_table, count * sizeof (ip6_asp_t));
407 		ip1dbg(("ip6_asp_replace: bad table: no default entry\n"));
408 		goto unlock_end;
409 	}
410 	if (ipst->ips_ip6_asp_table != default_ip6_asp_table) {
411 		kmem_free(ipst->ips_ip6_asp_table,
412 		    ipst->ips_ip6_asp_table_count * sizeof (ip6_asp_t));
413 	}
414 	ipst->ips_ip6_asp_table = tmp_table;
415 	ipst->ips_ip6_asp_table_count = count;
416 
417 unlock_end:
418 	ipst->ips_ip6_asp_uip = B_FALSE;
419 	mutex_exit(&ipst->ips_ip6_asp_lock);
420 
421 	/* Let conn_ixa caching know that source address selection changed */
422 	ip_update_source_selection(ipst);
423 
424 replace_end:
425 	/* Reply to the ioctl */
426 	q = (queue_t *)mp->b_prev;
427 	mp->b_prev = NULL;
428 	if (q == NULL) {
429 		freemsg(mp);
430 		goto check_binds;
431 	}
432 	iocp = (struct iocblk *)mp->b_rptr;
433 	iocp->ioc_error = ret_val;
434 	iocp->ioc_count = 0;
435 	DB_TYPE(mp) = (iocp->ioc_error == 0) ? M_IOCACK : M_IOCNAK;
436 	qreply(q, mp);
437 check_binds:
438 	ip6_asp_complete_op(ipst);
439 }
440 
441 /*
442  * Copies the contents of src_table to dst_table, and sorts the
443  * entries in decending order of prefix lengths.  It assumes that both
444  * tables are appropriately sized to contain count entries.
445  */
446 static void
447 ip6_asp_copy(ip6_asp_t *src_table, ip6_asp_t *dst_table, uint_t count)
448 {
449 	ip6_asp_t *src_ptr, *src_limit, *dst_ptr, *dst_limit, *dp;
450 
451 	dst_table[0] = src_table[0];
452 	if (count == 1)
453 		return;
454 
455 	/*
456 	 * Sort the entries in descending order of prefix lengths.
457 	 *
458 	 * Note: this should be a small table.  In 99% of cases, we
459 	 * expect the table to have 5 entries.  In the remaining 1%
460 	 * of cases, we expect the table to have one or two more
461 	 * entries.  It would be very rare for the table to have
462 	 * double-digit entries.
463 	 */
464 	src_limit = src_table + count;
465 	dst_limit = dst_table + 1;
466 	for (src_ptr = src_table + 1; src_ptr != src_limit;
467 	    src_ptr++, dst_limit++) {
468 		for (dst_ptr = dst_table; dst_ptr < dst_limit; dst_ptr++) {
469 			if (ip_mask_to_plen_v6(&src_ptr->ip6_asp_mask) >
470 			    ip_mask_to_plen_v6(&dst_ptr->ip6_asp_mask)) {
471 				/*
472 				 * Make room to insert the source entry
473 				 * before dst_ptr by shifting entries to
474 				 * the right.
475 				 */
476 				for (dp = dst_limit - 1; dp >= dst_ptr; dp--)
477 					*(dp + 1) = *dp;
478 				break;
479 			}
480 		}
481 		*dst_ptr = *src_ptr;
482 	}
483 }
484 
485 /*
486  * This function copies as many entries from ip6_asp_table as will fit
487  * into dtable.  The dtable_size parameter is the size of dtable
488  * in bytes.  This function returns the number of entries in
489  * ip6_asp_table, even if it's not able to fit all of the entries into
490  * dtable.
491  */
492 int
493 ip6_asp_get(ip6_asp_t *dtable, size_t dtable_size, ip_stack_t *ipst)
494 {
495 	uint_t dtable_count;
496 
497 	if (dtable != NULL) {
498 		if (dtable_size < sizeof (ip6_asp_t))
499 			return (-1);
500 
501 		dtable_count = dtable_size / sizeof (ip6_asp_t);
502 		bcopy(ipst->ips_ip6_asp_table, dtable,
503 		    MIN(ipst->ips_ip6_asp_table_count, dtable_count) *
504 		    sizeof (ip6_asp_t));
505 	}
506 
507 	return (ipst->ips_ip6_asp_table_count);
508 }
509 
510 /*
511  * Compare two labels.  Return B_TRUE if they are equal, B_FALSE
512  * otherwise.
513  */
514 boolean_t
515 ip6_asp_labelcmp(const char *label1, const char *label2)
516 {
517 	int64_t *llptr1, *llptr2;
518 
519 	/*
520 	 * The common case, the two labels are actually the same string
521 	 * from the policy table.
522 	 */
523 	if (label1 == label2)
524 		return (B_TRUE);
525 
526 	/*
527 	 * Since we know the labels are at most 16 bytes long, compare
528 	 * the two strings as two 8-byte long integers.  The ip6_asp_t
529 	 * structure guarantees that the labels are 8 byte alligned.
530 	 */
531 	llptr1 = (int64_t *)label1;
532 	llptr2 = (int64_t *)label2;
533 	if (llptr1[0] == llptr2[0] && llptr1[1] == llptr2[1])
534 		return (B_TRUE);
535 	return (B_FALSE);
536 }
537