1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * IPv6 Address Label subsystem 4 * for the IPv6 "Default" Source Address Selection 5 * 6 * Copyright (C)2007 USAGI/WIDE Project 7 */ 8 /* 9 * Author: 10 * YOSHIFUJI Hideaki @ USAGI/WIDE Project <yoshfuji@linux-ipv6.org> 11 */ 12 13 #include <linux/kernel.h> 14 #include <linux/list.h> 15 #include <linux/rcupdate.h> 16 #include <linux/in6.h> 17 #include <linux/slab.h> 18 #include <net/addrconf.h> 19 #include <linux/if_addrlabel.h> 20 #include <linux/netlink.h> 21 #include <linux/rtnetlink.h> 22 23 /* 24 * Policy Table 25 */ 26 struct ip6addrlbl_entry { 27 struct in6_addr prefix; 28 int prefixlen; 29 int ifindex; 30 int addrtype; 31 u32 label; 32 struct hlist_node list; 33 struct rcu_head rcu; 34 }; 35 36 /* 37 * Default policy table (RFC6724 + extensions) 38 * 39 * prefix addr_type label 40 * ------------------------------------------------------------------------- 41 * ::1/128 LOOPBACK 0 42 * ::/0 N/A 1 43 * 2002::/16 N/A 2 44 * ::/96 COMPATv4 3 45 * ::ffff:0:0/96 V4MAPPED 4 46 * fc00::/7 N/A 5 ULA (RFC 4193) 47 * 2001::/32 N/A 6 Teredo (RFC 4380) 48 * 2001:10::/28 N/A 7 ORCHID (RFC 4843) 49 * fec0::/10 N/A 11 Site-local 50 * (deprecated by RFC3879) 51 * 3ffe::/16 N/A 12 6bone 52 * 53 * Note: 0xffffffff is used if we do not have any policies. 54 * Note: Labels for ULA and 6to4 are different from labels listed in RFC6724. 55 */ 56 57 #define IPV6_ADDR_LABEL_DEFAULT 0xffffffffUL 58 59 static const __net_initconst struct ip6addrlbl_init_table 60 { 61 const struct in6_addr *prefix; 62 int prefixlen; 63 u32 label; 64 } ip6addrlbl_init_table[] = { 65 { /* ::/0 */ 66 .prefix = &in6addr_any, 67 .label = 1, 68 }, { /* fc00::/7 */ 69 .prefix = &(struct in6_addr){ { { 0xfc } } } , 70 .prefixlen = 7, 71 .label = 5, 72 }, { /* fec0::/10 */ 73 .prefix = &(struct in6_addr){ { { 0xfe, 0xc0 } } }, 74 .prefixlen = 10, 75 .label = 11, 76 }, { /* 2002::/16 */ 77 .prefix = &(struct in6_addr){ { { 0x20, 0x02 } } }, 78 .prefixlen = 16, 79 .label = 2, 80 }, { /* 3ffe::/16 */ 81 .prefix = &(struct in6_addr){ { { 0x3f, 0xfe } } }, 82 .prefixlen = 16, 83 .label = 12, 84 }, { /* 2001::/32 */ 85 .prefix = &(struct in6_addr){ { { 0x20, 0x01 } } }, 86 .prefixlen = 32, 87 .label = 6, 88 }, { /* 2001:10::/28 */ 89 .prefix = &(struct in6_addr){ { { 0x20, 0x01, 0x00, 0x10 } } }, 90 .prefixlen = 28, 91 .label = 7, 92 }, { /* ::ffff:0:0 */ 93 .prefix = &(struct in6_addr){ { { [10] = 0xff, [11] = 0xff } } }, 94 .prefixlen = 96, 95 .label = 4, 96 }, { /* ::/96 */ 97 .prefix = &in6addr_any, 98 .prefixlen = 96, 99 .label = 3, 100 }, { /* ::1/128 */ 101 .prefix = &in6addr_loopback, 102 .prefixlen = 128, 103 .label = 0, 104 } 105 }; 106 107 /* Find label */ 108 static bool __ip6addrlbl_match(const struct ip6addrlbl_entry *p, 109 const struct in6_addr *addr, 110 int addrtype, int ifindex) 111 { 112 if (p->ifindex && p->ifindex != ifindex) 113 return false; 114 if (p->addrtype && p->addrtype != addrtype) 115 return false; 116 if (!ipv6_prefix_equal(addr, &p->prefix, p->prefixlen)) 117 return false; 118 return true; 119 } 120 121 static struct ip6addrlbl_entry *__ipv6_addr_label(struct net *net, 122 const struct in6_addr *addr, 123 int type, int ifindex) 124 { 125 struct ip6addrlbl_entry *p; 126 127 hlist_for_each_entry_rcu(p, &net->ipv6.ip6addrlbl_table.head, list) { 128 if (__ip6addrlbl_match(p, addr, type, ifindex)) 129 return p; 130 } 131 return NULL; 132 } 133 134 u32 ipv6_addr_label(struct net *net, 135 const struct in6_addr *addr, int type, int ifindex) 136 { 137 u32 label; 138 struct ip6addrlbl_entry *p; 139 140 type &= IPV6_ADDR_MAPPED | IPV6_ADDR_COMPATv4 | IPV6_ADDR_LOOPBACK; 141 142 rcu_read_lock(); 143 p = __ipv6_addr_label(net, addr, type, ifindex); 144 label = p ? p->label : IPV6_ADDR_LABEL_DEFAULT; 145 rcu_read_unlock(); 146 147 net_dbg_ratelimited("%s(addr=%pI6, type=%d, ifindex=%d) => %08x\n", __func__, addr, type, 148 ifindex, label); 149 150 return label; 151 } 152 153 /* allocate one entry */ 154 static struct ip6addrlbl_entry *ip6addrlbl_alloc(const struct in6_addr *prefix, 155 int prefixlen, int ifindex, 156 u32 label) 157 { 158 struct ip6addrlbl_entry *newp; 159 int addrtype; 160 161 net_dbg_ratelimited("%s(prefix=%pI6, prefixlen=%d, ifindex=%d, label=%u)\n", __func__, 162 prefix, prefixlen, ifindex, (unsigned int)label); 163 164 addrtype = ipv6_addr_type(prefix) & (IPV6_ADDR_MAPPED | IPV6_ADDR_COMPATv4 | IPV6_ADDR_LOOPBACK); 165 166 switch (addrtype) { 167 case IPV6_ADDR_MAPPED: 168 if (prefixlen > 96) 169 return ERR_PTR(-EINVAL); 170 if (prefixlen < 96) 171 addrtype = 0; 172 break; 173 case IPV6_ADDR_COMPATv4: 174 if (prefixlen != 96) 175 addrtype = 0; 176 break; 177 case IPV6_ADDR_LOOPBACK: 178 if (prefixlen != 128) 179 addrtype = 0; 180 break; 181 } 182 183 newp = kmalloc(sizeof(*newp), GFP_KERNEL); 184 if (!newp) 185 return ERR_PTR(-ENOMEM); 186 187 ipv6_addr_prefix(&newp->prefix, prefix, prefixlen); 188 newp->prefixlen = prefixlen; 189 newp->ifindex = ifindex; 190 newp->addrtype = addrtype; 191 newp->label = label; 192 INIT_HLIST_NODE(&newp->list); 193 return newp; 194 } 195 196 /* add a label */ 197 static int __ip6addrlbl_add(struct net *net, struct ip6addrlbl_entry *newp, 198 int replace) 199 { 200 struct ip6addrlbl_entry *last = NULL, *p = NULL; 201 struct hlist_node *n; 202 int ret = 0; 203 204 net_dbg_ratelimited("%s(newp=%p, replace=%d)\n", __func__, newp, replace); 205 206 hlist_for_each_entry_safe(p, n, &net->ipv6.ip6addrlbl_table.head, list) { 207 if (p->prefixlen == newp->prefixlen && 208 p->ifindex == newp->ifindex && 209 ipv6_addr_equal(&p->prefix, &newp->prefix)) { 210 if (!replace) { 211 ret = -EEXIST; 212 goto out; 213 } 214 hlist_replace_rcu(&p->list, &newp->list); 215 kfree_rcu(p, rcu); 216 goto out; 217 } else if ((p->prefixlen == newp->prefixlen && !p->ifindex) || 218 (p->prefixlen < newp->prefixlen)) { 219 hlist_add_before_rcu(&newp->list, &p->list); 220 goto out; 221 } 222 last = p; 223 } 224 if (last) 225 hlist_add_behind_rcu(&newp->list, &last->list); 226 else 227 hlist_add_head_rcu(&newp->list, &net->ipv6.ip6addrlbl_table.head); 228 out: 229 if (!ret) 230 WRITE_ONCE(net->ipv6.ip6addrlbl_table.seq, 231 net->ipv6.ip6addrlbl_table.seq + 1); 232 return ret; 233 } 234 235 /* add a label */ 236 static int ip6addrlbl_add(struct net *net, 237 const struct in6_addr *prefix, int prefixlen, 238 int ifindex, u32 label, int replace) 239 { 240 struct ip6addrlbl_entry *newp; 241 int ret = 0; 242 243 net_dbg_ratelimited("%s(prefix=%pI6, prefixlen=%d, ifindex=%d, label=%u, replace=%d)\n", 244 __func__, prefix, prefixlen, ifindex, (unsigned int)label, replace); 245 246 newp = ip6addrlbl_alloc(prefix, prefixlen, ifindex, label); 247 if (IS_ERR(newp)) 248 return PTR_ERR(newp); 249 spin_lock(&net->ipv6.ip6addrlbl_table.lock); 250 ret = __ip6addrlbl_add(net, newp, replace); 251 spin_unlock(&net->ipv6.ip6addrlbl_table.lock); 252 if (ret) 253 kfree(newp); 254 return ret; 255 } 256 257 /* remove a label */ 258 static int __ip6addrlbl_del(struct net *net, 259 const struct in6_addr *prefix, int prefixlen, 260 int ifindex) 261 { 262 struct ip6addrlbl_entry *p = NULL; 263 struct hlist_node *n; 264 int ret = -ESRCH; 265 266 net_dbg_ratelimited("%s(prefix=%pI6, prefixlen=%d, ifindex=%d)\n", __func__, prefix, 267 prefixlen, ifindex); 268 269 hlist_for_each_entry_safe(p, n, &net->ipv6.ip6addrlbl_table.head, list) { 270 if (p->prefixlen == prefixlen && 271 p->ifindex == ifindex && 272 ipv6_addr_equal(&p->prefix, prefix)) { 273 hlist_del_rcu(&p->list); 274 kfree_rcu(p, rcu); 275 ret = 0; 276 break; 277 } 278 } 279 return ret; 280 } 281 282 static int ip6addrlbl_del(struct net *net, 283 const struct in6_addr *prefix, int prefixlen, 284 int ifindex) 285 { 286 struct in6_addr prefix_buf; 287 int ret; 288 289 net_dbg_ratelimited("%s(prefix=%pI6, prefixlen=%d, ifindex=%d)\n", __func__, prefix, 290 prefixlen, ifindex); 291 292 ipv6_addr_prefix(&prefix_buf, prefix, prefixlen); 293 spin_lock(&net->ipv6.ip6addrlbl_table.lock); 294 ret = __ip6addrlbl_del(net, &prefix_buf, prefixlen, ifindex); 295 spin_unlock(&net->ipv6.ip6addrlbl_table.lock); 296 return ret; 297 } 298 299 /* add default label */ 300 static int __net_init ip6addrlbl_net_init(struct net *net) 301 { 302 struct ip6addrlbl_entry *p = NULL; 303 struct hlist_node *n; 304 int err; 305 int i; 306 307 spin_lock_init(&net->ipv6.ip6addrlbl_table.lock); 308 INIT_HLIST_HEAD(&net->ipv6.ip6addrlbl_table.head); 309 310 for (i = 0; i < ARRAY_SIZE(ip6addrlbl_init_table); i++) { 311 err = ip6addrlbl_add(net, 312 ip6addrlbl_init_table[i].prefix, 313 ip6addrlbl_init_table[i].prefixlen, 314 0, 315 ip6addrlbl_init_table[i].label, 0); 316 if (err) 317 goto err_ip6addrlbl_add; 318 } 319 return 0; 320 321 err_ip6addrlbl_add: 322 hlist_for_each_entry_safe(p, n, &net->ipv6.ip6addrlbl_table.head, list) { 323 hlist_del_rcu(&p->list); 324 kfree_rcu(p, rcu); 325 } 326 return err; 327 } 328 329 static void __net_exit ip6addrlbl_net_exit(struct net *net) 330 { 331 struct ip6addrlbl_entry *p = NULL; 332 struct hlist_node *n; 333 334 /* Remove all labels belonging to the exiting net */ 335 spin_lock(&net->ipv6.ip6addrlbl_table.lock); 336 hlist_for_each_entry_safe(p, n, &net->ipv6.ip6addrlbl_table.head, list) { 337 hlist_del_rcu(&p->list); 338 kfree_rcu(p, rcu); 339 } 340 spin_unlock(&net->ipv6.ip6addrlbl_table.lock); 341 } 342 343 static struct pernet_operations ipv6_addr_label_ops = { 344 .init = ip6addrlbl_net_init, 345 .exit = ip6addrlbl_net_exit, 346 }; 347 348 int __init ipv6_addr_label_init(void) 349 { 350 return register_pernet_subsys(&ipv6_addr_label_ops); 351 } 352 353 void ipv6_addr_label_cleanup(void) 354 { 355 unregister_pernet_subsys(&ipv6_addr_label_ops); 356 } 357 358 static const struct nla_policy ifal_policy[IFAL_MAX+1] = { 359 [IFAL_ADDRESS] = { .len = sizeof(struct in6_addr), }, 360 [IFAL_LABEL] = { .len = sizeof(u32), }, 361 }; 362 363 static bool addrlbl_ifindex_exists(struct net *net, int ifindex) 364 { 365 366 struct net_device *dev; 367 368 rcu_read_lock(); 369 dev = dev_get_by_index_rcu(net, ifindex); 370 rcu_read_unlock(); 371 372 return dev != NULL; 373 } 374 375 static int ip6addrlbl_newdel(struct sk_buff *skb, struct nlmsghdr *nlh, 376 struct netlink_ext_ack *extack) 377 { 378 struct net *net = sock_net(skb->sk); 379 struct ifaddrlblmsg *ifal; 380 struct nlattr *tb[IFAL_MAX+1]; 381 struct in6_addr *pfx; 382 u32 label; 383 int err = 0; 384 385 err = nlmsg_parse_deprecated(nlh, sizeof(*ifal), tb, IFAL_MAX, 386 ifal_policy, extack); 387 if (err < 0) 388 return err; 389 390 ifal = nlmsg_data(nlh); 391 392 if (ifal->ifal_family != AF_INET6 || 393 ifal->ifal_prefixlen > 128) 394 return -EINVAL; 395 396 if (!tb[IFAL_ADDRESS]) 397 return -EINVAL; 398 pfx = nla_data(tb[IFAL_ADDRESS]); 399 400 if (!tb[IFAL_LABEL]) 401 return -EINVAL; 402 label = nla_get_u32(tb[IFAL_LABEL]); 403 if (label == IPV6_ADDR_LABEL_DEFAULT) 404 return -EINVAL; 405 406 switch (nlh->nlmsg_type) { 407 case RTM_NEWADDRLABEL: 408 if (ifal->ifal_index && 409 !addrlbl_ifindex_exists(net, ifal->ifal_index)) 410 return -EINVAL; 411 412 err = ip6addrlbl_add(net, pfx, ifal->ifal_prefixlen, 413 ifal->ifal_index, label, 414 nlh->nlmsg_flags & NLM_F_REPLACE); 415 break; 416 case RTM_DELADDRLABEL: 417 err = ip6addrlbl_del(net, pfx, ifal->ifal_prefixlen, 418 ifal->ifal_index); 419 break; 420 default: 421 err = -EOPNOTSUPP; 422 } 423 return err; 424 } 425 426 static void ip6addrlbl_putmsg(struct nlmsghdr *nlh, 427 int prefixlen, int ifindex, u32 lseq) 428 { 429 struct ifaddrlblmsg *ifal = nlmsg_data(nlh); 430 ifal->ifal_family = AF_INET6; 431 ifal->__ifal_reserved = 0; 432 ifal->ifal_prefixlen = prefixlen; 433 ifal->ifal_flags = 0; 434 ifal->ifal_index = ifindex; 435 ifal->ifal_seq = lseq; 436 }; 437 438 static int ip6addrlbl_fill(struct sk_buff *skb, 439 const struct ip6addrlbl_entry *p, 440 u32 lseq, 441 u32 portid, u32 seq, int event, 442 unsigned int flags) 443 { 444 struct nlmsghdr *nlh = nlmsg_put(skb, portid, seq, event, 445 sizeof(struct ifaddrlblmsg), flags); 446 if (!nlh) 447 return -EMSGSIZE; 448 449 ip6addrlbl_putmsg(nlh, p->prefixlen, p->ifindex, lseq); 450 451 if (nla_put_in6_addr(skb, IFAL_ADDRESS, &p->prefix) < 0 || 452 nla_put_u32(skb, IFAL_LABEL, p->label) < 0) { 453 nlmsg_cancel(skb, nlh); 454 return -EMSGSIZE; 455 } 456 457 nlmsg_end(skb, nlh); 458 return 0; 459 } 460 461 static int ip6addrlbl_valid_dump_req(const struct nlmsghdr *nlh, 462 struct netlink_ext_ack *extack) 463 { 464 struct ifaddrlblmsg *ifal; 465 466 ifal = nlmsg_payload(nlh, sizeof(*ifal)); 467 if (!ifal) { 468 NL_SET_ERR_MSG_MOD(extack, "Invalid header for address label dump request"); 469 return -EINVAL; 470 } 471 472 if (ifal->__ifal_reserved || ifal->ifal_prefixlen || 473 ifal->ifal_flags || ifal->ifal_index || ifal->ifal_seq) { 474 NL_SET_ERR_MSG_MOD(extack, "Invalid values in header for address label dump request"); 475 return -EINVAL; 476 } 477 478 if (nlmsg_attrlen(nlh, sizeof(*ifal))) { 479 NL_SET_ERR_MSG_MOD(extack, "Invalid data after header for address label dump request"); 480 return -EINVAL; 481 } 482 483 return 0; 484 } 485 486 static int ip6addrlbl_dump(struct sk_buff *skb, struct netlink_callback *cb) 487 { 488 const struct nlmsghdr *nlh = cb->nlh; 489 struct net *net = sock_net(skb->sk); 490 struct ip6addrlbl_entry *p; 491 int idx = 0, s_idx = cb->args[0]; 492 int err = 0; 493 u32 lseq; 494 495 if (cb->strict_check) { 496 err = ip6addrlbl_valid_dump_req(nlh, cb->extack); 497 if (err < 0) 498 return err; 499 } 500 501 rcu_read_lock(); 502 lseq = READ_ONCE(net->ipv6.ip6addrlbl_table.seq); 503 hlist_for_each_entry_rcu(p, &net->ipv6.ip6addrlbl_table.head, list) { 504 if (idx >= s_idx) { 505 err = ip6addrlbl_fill(skb, p, 506 lseq, 507 NETLINK_CB(cb->skb).portid, 508 nlh->nlmsg_seq, 509 RTM_NEWADDRLABEL, 510 NLM_F_MULTI); 511 if (err < 0) 512 break; 513 } 514 idx++; 515 } 516 rcu_read_unlock(); 517 cb->args[0] = idx; 518 return err; 519 } 520 521 static inline int ip6addrlbl_msgsize(void) 522 { 523 return NLMSG_ALIGN(sizeof(struct ifaddrlblmsg)) 524 + nla_total_size(16) /* IFAL_ADDRESS */ 525 + nla_total_size(4); /* IFAL_LABEL */ 526 } 527 528 static int ip6addrlbl_valid_get_req(struct sk_buff *skb, 529 const struct nlmsghdr *nlh, 530 struct nlattr **tb, 531 struct netlink_ext_ack *extack) 532 { 533 struct ifaddrlblmsg *ifal; 534 int i, err; 535 536 ifal = nlmsg_payload(nlh, sizeof(*ifal)); 537 if (!ifal) { 538 NL_SET_ERR_MSG_MOD(extack, "Invalid header for addrlabel get request"); 539 return -EINVAL; 540 } 541 542 if (!netlink_strict_get_check(skb)) 543 return nlmsg_parse_deprecated(nlh, sizeof(*ifal), tb, 544 IFAL_MAX, ifal_policy, extack); 545 546 if (ifal->__ifal_reserved || ifal->ifal_flags || ifal->ifal_seq) { 547 NL_SET_ERR_MSG_MOD(extack, "Invalid values in header for addrlabel get request"); 548 return -EINVAL; 549 } 550 551 err = nlmsg_parse_deprecated_strict(nlh, sizeof(*ifal), tb, IFAL_MAX, 552 ifal_policy, extack); 553 if (err) 554 return err; 555 556 for (i = 0; i <= IFAL_MAX; i++) { 557 if (!tb[i]) 558 continue; 559 560 switch (i) { 561 case IFAL_ADDRESS: 562 break; 563 default: 564 NL_SET_ERR_MSG_MOD(extack, "Unsupported attribute in addrlabel get request"); 565 return -EINVAL; 566 } 567 } 568 569 return 0; 570 } 571 572 static int ip6addrlbl_get(struct sk_buff *in_skb, struct nlmsghdr *nlh, 573 struct netlink_ext_ack *extack) 574 { 575 struct net *net = sock_net(in_skb->sk); 576 struct ifaddrlblmsg *ifal; 577 struct nlattr *tb[IFAL_MAX+1]; 578 struct in6_addr *addr; 579 u32 lseq; 580 int err = 0; 581 struct ip6addrlbl_entry *p; 582 struct sk_buff *skb; 583 584 err = ip6addrlbl_valid_get_req(in_skb, nlh, tb, extack); 585 if (err < 0) 586 return err; 587 588 ifal = nlmsg_data(nlh); 589 590 if (ifal->ifal_family != AF_INET6 || 591 ifal->ifal_prefixlen != 128) 592 return -EINVAL; 593 594 if (ifal->ifal_index && 595 !addrlbl_ifindex_exists(net, ifal->ifal_index)) 596 return -EINVAL; 597 598 if (!tb[IFAL_ADDRESS]) 599 return -EINVAL; 600 addr = nla_data(tb[IFAL_ADDRESS]); 601 602 skb = nlmsg_new(ip6addrlbl_msgsize(), GFP_KERNEL); 603 if (!skb) 604 return -ENOBUFS; 605 606 err = -ESRCH; 607 608 rcu_read_lock(); 609 p = __ipv6_addr_label(net, addr, ipv6_addr_type(addr), ifal->ifal_index); 610 lseq = READ_ONCE(net->ipv6.ip6addrlbl_table.seq); 611 if (p) 612 err = ip6addrlbl_fill(skb, p, lseq, 613 NETLINK_CB(in_skb).portid, 614 nlh->nlmsg_seq, 615 RTM_NEWADDRLABEL, 0); 616 rcu_read_unlock(); 617 618 if (err < 0) { 619 WARN_ON(err == -EMSGSIZE); 620 kfree_skb(skb); 621 } else { 622 err = rtnl_unicast(skb, net, NETLINK_CB(in_skb).portid); 623 } 624 return err; 625 } 626 627 static const struct rtnl_msg_handler ipv6_adddr_label_rtnl_msg_handlers[] __initconst_or_module = { 628 {.owner = THIS_MODULE, .protocol = PF_INET6, .msgtype = RTM_NEWADDRLABEL, 629 .doit = ip6addrlbl_newdel, .flags = RTNL_FLAG_DOIT_UNLOCKED}, 630 {.owner = THIS_MODULE, .protocol = PF_INET6, .msgtype = RTM_DELADDRLABEL, 631 .doit = ip6addrlbl_newdel, .flags = RTNL_FLAG_DOIT_UNLOCKED}, 632 {.owner = THIS_MODULE, .protocol = PF_INET6, .msgtype = RTM_GETADDRLABEL, 633 .doit = ip6addrlbl_get, .dumpit = ip6addrlbl_dump, 634 .flags = RTNL_FLAG_DOIT_UNLOCKED | RTNL_FLAG_DUMP_UNLOCKED}, 635 }; 636 637 int __init ipv6_addr_label_rtnl_register(void) 638 { 639 return rtnl_register_many(ipv6_adddr_label_rtnl_msg_handlers); 640 } 641