1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 1991, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright (c) 1990 Mentat Inc. 24 */ 25 26 #include <inet/ip.h> 27 #include <inet/ip6.h> 28 #include <inet/ip_if.h> 29 #include <inet/ip_ire.h> 30 #include <inet/ipclassifier.h> 31 #include <inet/ip_impl.h> 32 #include <inet/tunables.h> 33 #include <sys/sunddi.h> 34 #include <sys/policy.h> 35 36 /* How long, in seconds, we allow frags to hang around. */ 37 #define IP_REASM_TIMEOUT 15 38 #define IPV6_REASM_TIMEOUT 60 39 40 /* 41 * Set ip{,6}_forwarding values. If the value is being set on an ill, 42 * find the ill and set the value on it. On the other hand if we are modifying 43 * global property, modify the global value and set the value on all the ills. 44 */ 45 /* ARGSUSED */ 46 static int 47 ip_set_forwarding(void *cbarg, cred_t *cr, mod_prop_info_t *pinfo, 48 const char *ifname, const void* pval, uint_t flags) 49 { 50 char *end; 51 unsigned long new_value; 52 boolean_t per_ill, isv6; 53 ill_walk_context_t ctx; 54 ill_t *ill; 55 ip_stack_t *ipst = (ip_stack_t *)cbarg; 56 57 if (flags & MOD_PROP_DEFAULT) { 58 new_value = pinfo->prop_def_bval; 59 } else { 60 if (ddi_strtoul(pval, &end, 10, &new_value) != 0 || 61 *end != '\0') 62 return (EINVAL); 63 if (new_value != B_TRUE && new_value != B_FALSE) 64 return (EINVAL); 65 } 66 67 per_ill = (ifname != NULL && ifname[0] != '\0'); 68 /* 69 * if it's not per ill then set the global property and bring all the 70 * ills up to date with the new global value. 71 */ 72 if (!per_ill) 73 pinfo->prop_cur_bval = (new_value == 1 ? B_TRUE : B_FALSE); 74 75 isv6 = (pinfo->mpi_proto == MOD_PROTO_IPV6 ? B_TRUE : B_FALSE); 76 rw_enter(&ipst->ips_ill_g_lock, RW_READER); 77 if (isv6) 78 ill = ILL_START_WALK_V6(&ctx, ipst); 79 else 80 ill = ILL_START_WALK_V4(&ctx, ipst); 81 82 for (; ill != NULL; ill = ill_next(&ctx, ill)) { 83 /* 84 * if the property needs to be set on a particular 85 * interface, look for that interface. 86 */ 87 if (per_ill && strcmp(ifname, ill->ill_name) != 0) 88 continue; 89 (void) ill_forward_set(ill, new_value != 0); 90 } 91 rw_exit(&ipst->ips_ill_g_lock); 92 93 return (0); 94 } 95 96 static int 97 ip_get_forwarding(void *cbarg, mod_prop_info_t *pinfo, const char *ifname, 98 void *pval, uint_t pr_size, uint_t flags) 99 { 100 boolean_t value; 101 ill_walk_context_t ctx; 102 ill_t *ill; 103 ip_stack_t *ipst = (ip_stack_t *)cbarg; 104 boolean_t get_def = (flags & MOD_PROP_DEFAULT); 105 boolean_t get_perm = (flags & MOD_PROP_PERM); 106 boolean_t isv6; 107 size_t nbytes = 0; 108 109 if (get_perm) { 110 nbytes = snprintf(pval, pr_size, "%d", MOD_PROP_PERM_RW); 111 goto ret; 112 } else if (get_def) { 113 nbytes = snprintf(pval, pr_size, "%d", pinfo->prop_def_bval); 114 goto ret; 115 } 116 117 /* 118 * if per interface value is not asked for return the current 119 * global value 120 */ 121 if (ifname == NULL || ifname[0] == '\0') { 122 nbytes = snprintf(pval, pr_size, "%d", pinfo->prop_cur_bval); 123 goto ret; 124 } 125 126 isv6 = (pinfo->mpi_proto == MOD_PROTO_IPV6 ? B_TRUE : B_FALSE); 127 rw_enter(&ipst->ips_ill_g_lock, RW_READER); 128 if (isv6) 129 ill = ILL_START_WALK_V6(&ctx, ipst); 130 else 131 ill = ILL_START_WALK_V4(&ctx, ipst); 132 for (; ill != NULL; ill = ill_next(&ctx, ill)) { 133 /* 134 * if the property needs to be obtained on a particular 135 * interface, look for that interface. 136 */ 137 if (strcmp(ifname, ill->ill_name) == 0) 138 break; 139 } 140 if (ill == NULL) { 141 rw_exit(&ipst->ips_ill_g_lock); 142 return (ENXIO); 143 } 144 value = ((ill->ill_flags & ILLF_ROUTER) ? B_TRUE : B_FALSE); 145 rw_exit(&ipst->ips_ill_g_lock); 146 nbytes = snprintf(pval, pr_size, "%d", value); 147 ret: 148 if (nbytes >= pr_size) 149 return (ENOBUFS); 150 return (0); 151 } 152 153 /* 154 * `ip_debug' is a global variable. So, we will be modifying the global 155 * variable here. 156 */ 157 /* ARGSUSED */ 158 int 159 ip_set_debug(void *cbarg, cred_t *cr, mod_prop_info_t *pinfo, 160 const char *ifname, const void* pval, uint_t flags) 161 { 162 unsigned long new_value; 163 int err; 164 165 if (cr != NULL && secpolicy_net_config(cr, B_FALSE) != 0) 166 return (EPERM); 167 168 if ((err = mod_uint32_value(pval, pinfo, flags, &new_value)) != 0) 169 return (err); 170 ip_debug = (uint32_t)new_value; 171 return (0); 172 } 173 174 /* 175 * ip_debug is a global property. For default, permission and value range 176 * we retrieve the value from `pinfo'. However for the current value we 177 * retrieve the value from the global variable `ip_debug' 178 */ 179 /* ARGSUSED */ 180 int 181 ip_get_debug(void *cbarg, mod_prop_info_t *pinfo, const char *ifname, 182 void *pval, uint_t psize, uint_t flags) 183 { 184 boolean_t get_def = (flags & MOD_PROP_DEFAULT); 185 boolean_t get_perm = (flags & MOD_PROP_PERM); 186 boolean_t get_range = (flags & MOD_PROP_POSSIBLE); 187 size_t nbytes; 188 189 bzero(pval, psize); 190 if (get_perm) 191 nbytes = snprintf(pval, psize, "%u", MOD_PROP_PERM_RW); 192 else if (get_range) 193 nbytes = snprintf(pval, psize, "%u-%u", 194 pinfo->prop_min_uval, pinfo->prop_max_uval); 195 else if (get_def) 196 nbytes = snprintf(pval, psize, "%u", pinfo->prop_def_uval); 197 else 198 nbytes = snprintf(pval, psize, "%u", ip_debug); 199 if (nbytes >= psize) 200 return (ENOBUFS); 201 return (0); 202 } 203 204 /* 205 * Set the CGTP (multirouting) filtering status. If the status is changed 206 * from active to transparent or from transparent to active, forward the 207 * new status to the filtering module (if loaded). 208 */ 209 /* ARGSUSED */ 210 static int 211 ip_set_cgtp_filter(void *cbarg, cred_t *cr, mod_prop_info_t *pinfo, 212 const char *ifname, const void* pval, uint_t flags) 213 { 214 unsigned long new_value; 215 ip_stack_t *ipst = (ip_stack_t *)cbarg; 216 char *end; 217 218 if (flags & MOD_PROP_DEFAULT) { 219 new_value = pinfo->prop_def_bval; 220 } else { 221 if (ddi_strtoul(pval, &end, 10, &new_value) != 0 || 222 *end != '\0' || new_value > 1) { 223 return (EINVAL); 224 } 225 } 226 if (!pinfo->prop_cur_bval && new_value) { 227 cmn_err(CE_NOTE, "IP: enabling CGTP filtering%s", 228 ipst->ips_ip_cgtp_filter_ops == NULL ? 229 " (module not loaded)" : ""); 230 } 231 if (pinfo->prop_cur_bval && !new_value) { 232 cmn_err(CE_NOTE, "IP: disabling CGTP filtering%s", 233 ipst->ips_ip_cgtp_filter_ops == NULL ? 234 " (module not loaded)" : ""); 235 } 236 if (ipst->ips_ip_cgtp_filter_ops != NULL) { 237 int res; 238 netstackid_t stackid = ipst->ips_netstack->netstack_stackid; 239 240 res = ipst->ips_ip_cgtp_filter_ops->cfo_change_state(stackid, 241 new_value); 242 if (res) 243 return (res); 244 } 245 pinfo->prop_cur_bval = (new_value == 1 ? B_TRUE : B_FALSE); 246 ill_set_inputfn_all(ipst); 247 return (0); 248 } 249 250 /* 251 * Retrieve the default MTU or min-max MTU range for a given interface. 252 * 253 * -- ill_max_frag value tells us the maximum MTU that can be handled by the 254 * datalink. This value is advertised by the driver via DLPI messages 255 * (DL_NOTE_SDU_SIZE/DL_INFO_ACK). 256 * 257 * -- ill_current_frag for the most link-types will be same as ill_max_frag 258 * to begin with. However it is dynamically computed for some link-types 259 * like tunnels, based on the tunnel PMTU. 260 * 261 * -- ill_mtu is the user set MTU using SIOCSLIFMTU and must lie between 262 * (IPV6_MIN_MTU/IP_MIN_MTU) and ill_max_frag. 263 * 264 * -- ill_user_mtu is set by in.ndpd using SIOCSLIFLNKINFO and must lie between 265 * (IPV6_MIN_MTU/IP_MIN_MTU) and ill_max_frag. 266 */ 267 int 268 ip_get_mtu(void *cbarg, mod_prop_info_t *pinfo, const char *ifname, 269 void *pval, uint_t psize, uint_t flags) 270 { 271 ill_walk_context_t ctx; 272 ill_t *ill; 273 ip_stack_t *ipst = (ip_stack_t *)cbarg; 274 boolean_t isv6; 275 uint32_t max_mtu, def_mtu; 276 size_t nbytes = 0; 277 278 if (!(flags & (MOD_PROP_DEFAULT|MOD_PROP_POSSIBLE))) 279 return (ENOTSUP); 280 281 if (ifname == NULL || ifname[0] == '\0') 282 return (ENOTSUP); 283 284 isv6 = (pinfo->mpi_proto == MOD_PROTO_IPV6 ? B_TRUE : B_FALSE); 285 rw_enter(&ipst->ips_ill_g_lock, RW_READER); 286 if (isv6) 287 ill = ILL_START_WALK_V6(&ctx, ipst); 288 else 289 ill = ILL_START_WALK_V4(&ctx, ipst); 290 for (; ill != NULL; ill = ill_next(&ctx, ill)) { 291 if (strcmp(ifname, ill->ill_name) == 0) 292 break; 293 } 294 if (ill == NULL) { 295 rw_exit(&ipst->ips_ill_g_lock); 296 return (ENXIO); 297 } 298 max_mtu = ill->ill_max_frag; 299 def_mtu = ill->ill_current_frag; 300 rw_exit(&ipst->ips_ill_g_lock); 301 302 if (flags & MOD_PROP_DEFAULT) { 303 nbytes = snprintf(pval, psize, "%u", def_mtu); 304 } else if (flags & MOD_PROP_POSSIBLE) { 305 uint32_t min_mtu; 306 307 min_mtu = isv6 ? IPV6_MIN_MTU : IP_MIN_MTU; 308 nbytes = snprintf(pval, psize, "%u-%u", min_mtu, max_mtu); 309 } else { 310 return (ENOTSUP); 311 } 312 313 if (nbytes >= psize) 314 return (ENOBUFS); 315 return (0); 316 } 317 318 /* 319 * See the comments for ip[6]_strict_src_multihoming for an explanation 320 * of the semanitcs. 321 */ 322 void 323 ip_set_src_multihoming_common(ulong_t new_value, ulong_t old_value, 324 boolean_t isv6, ip_stack_t *ipst) 325 { 326 if (isv6) 327 ipst->ips_ipv6_strict_src_multihoming = new_value; 328 else 329 ipst->ips_ip_strict_src_multihoming = new_value; 330 if (new_value != old_value) { 331 if (!isv6) { 332 if (old_value == 0) { 333 ire_walk_v4(ip_ire_rebind_walker, NULL, 334 ALL_ZONES, ipst); 335 } else if (new_value == 0) { 336 ire_walk_v4(ip_ire_unbind_walker, NULL, 337 ALL_ZONES, ipst); 338 } 339 ipcl_walk(conn_ire_revalidate, (void *)B_FALSE, ipst); 340 } else { 341 if (old_value == 0) { 342 ire_walk_v6(ip_ire_rebind_walker, NULL, 343 ALL_ZONES, ipst); 344 } else if (new_value == 0) { 345 ire_walk_v6(ip_ire_unbind_walker, NULL, 346 ALL_ZONES, ipst); 347 } 348 ipcl_walk(conn_ire_revalidate, (void *)B_TRUE, ipst); 349 } 350 } 351 } 352 353 /* ARGSUSED */ 354 static int 355 ip_set_src_multihoming(void *cbarg, cred_t *cr, mod_prop_info_t *pinfo, 356 const char *ifname, const void* pval, uint_t flags) 357 { 358 unsigned long new_value, old_value; 359 boolean_t isv6; 360 ip_stack_t *ipst = (ip_stack_t *)cbarg; 361 int err; 362 363 old_value = pinfo->prop_cur_uval; 364 365 if ((err = mod_uint32_value(pval, pinfo, flags, &new_value)) != 0) 366 return (err); 367 pinfo->prop_cur_uval = new_value; 368 isv6 = (strcmp(pinfo->mpi_name, "ip6_strict_src_multihoming") == 0); 369 ip_set_src_multihoming_common(new_value, old_value, isv6, ipst); 370 return (0); 371 } 372 373 374 /* ARGSUSED */ 375 static int 376 ip_set_hostmodel(void *cbarg, cred_t *cr, mod_prop_info_t *pinfo, 377 const char *ifname, const void* pval, uint_t flags) 378 { 379 ip_hostmodel_t new_value, old_value; 380 ip_stack_t *ipst = (ip_stack_t *)cbarg; 381 uint32_t old_src_multihoming; 382 int err; 383 ulong_t tmp; 384 boolean_t isv6; 385 386 old_value = pinfo->prop_cur_uval; 387 388 if ((err = mod_uint32_value(pval, pinfo, flags, &tmp)) != 0) 389 return (err); 390 new_value = tmp; 391 pinfo->prop_cur_uval = new_value; 392 393 switch (old_value) { 394 case IP_WEAK_ES: 395 old_src_multihoming = 0; 396 break; 397 case IP_SRC_PRI_ES: 398 old_src_multihoming = 1; 399 break; 400 case IP_STRONG_ES: 401 old_src_multihoming = 2; 402 break; 403 default: 404 ASSERT(0); 405 old_src_multihoming = IP_MAXVAL_ES; 406 break; 407 } 408 /* 409 * Changes to src_multihoming may require ire's to be rebound/unbound, 410 * and also require generation number resets. Changes to dst_multihoming 411 * require a simple reset of the value. 412 */ 413 isv6 = (pinfo->mpi_proto == MOD_PROTO_IPV6); 414 if (new_value != old_value) { 415 switch (new_value) { 416 case IP_WEAK_ES: 417 ip_set_src_multihoming_common(0, old_src_multihoming, 418 isv6, ipst); 419 if (isv6) 420 ipst->ips_ipv6_strict_dst_multihoming = 0; 421 else 422 ipst->ips_ip_strict_dst_multihoming = 0; 423 break; 424 case IP_SRC_PRI_ES: 425 ip_set_src_multihoming_common(1, old_src_multihoming, 426 isv6, ipst); 427 if (isv6) 428 ipst->ips_ipv6_strict_dst_multihoming = 0; 429 else 430 ipst->ips_ip_strict_dst_multihoming = 0; 431 break; 432 case IP_STRONG_ES: 433 ip_set_src_multihoming_common(2, old_src_multihoming, 434 isv6, ipst); 435 if (isv6) 436 ipst->ips_ipv6_strict_dst_multihoming = 1; 437 else 438 ipst->ips_ip_strict_dst_multihoming = 1; 439 break; 440 default: 441 return (EINVAL); 442 } 443 } 444 return (0); 445 } 446 447 /* ARGSUSED */ 448 int 449 ip_get_hostmodel(void *cbarg, mod_prop_info_t *pinfo, const char *ifname, 450 void *pval, uint_t psize, uint_t flags) 451 { 452 boolean_t isv6 = (pinfo->mpi_proto == MOD_PROTO_IPV6); 453 ip_stack_t *ipst = cbarg; 454 ip_hostmodel_t hostmodel; 455 456 if (psize < sizeof (hostmodel)) 457 return (ENOBUFS); 458 bzero(pval, psize); 459 if (!isv6) { 460 if (ipst->ips_ip_strict_src_multihoming == 0 && 461 ipst->ips_ip_strict_dst_multihoming == 0) 462 hostmodel = IP_WEAK_ES; 463 else if (ipst->ips_ip_strict_src_multihoming == 1 && 464 ipst->ips_ip_strict_dst_multihoming == 0) 465 hostmodel = IP_SRC_PRI_ES; 466 else if (ipst->ips_ip_strict_src_multihoming == 2 && 467 ipst->ips_ip_strict_dst_multihoming == 1) 468 hostmodel = IP_STRONG_ES; 469 else 470 hostmodel = IP_MAXVAL_ES; 471 } else { 472 if (ipst->ips_ipv6_strict_src_multihoming == 0 && 473 ipst->ips_ipv6_strict_dst_multihoming == 0) 474 hostmodel = IP_WEAK_ES; 475 else if (ipst->ips_ipv6_strict_src_multihoming == 1 && 476 ipst->ips_ipv6_strict_dst_multihoming == 0) 477 hostmodel = IP_SRC_PRI_ES; 478 else if (ipst->ips_ipv6_strict_src_multihoming == 2 && 479 ipst->ips_ipv6_strict_dst_multihoming == 1) 480 hostmodel = IP_STRONG_ES; 481 else 482 hostmodel = IP_MAXVAL_ES; 483 } 484 bcopy(&hostmodel, pval, sizeof (hostmodel)); 485 return (0); 486 } 487 488 /* 489 * All of these are alterable, within the min/max values given, at run time. 490 * 491 * Note: All those tunables which do not start with "ip_" are Committed and 492 * therefore are public. See PSARC 2009/306. 493 */ 494 mod_prop_info_t ip_propinfo_tbl[] = { 495 /* tunable - 0 */ 496 { "ip_respond_to_address_mask_broadcast", MOD_PROTO_IP, 497 mod_set_boolean, mod_get_boolean, 498 {B_FALSE}, {B_FALSE} }, 499 500 { "ip_respond_to_echo_broadcast", MOD_PROTO_IP, 501 mod_set_boolean, mod_get_boolean, 502 {B_TRUE}, {B_TRUE} }, 503 504 { "ip_respond_to_echo_multicast", MOD_PROTO_IP, 505 mod_set_boolean, mod_get_boolean, 506 {B_TRUE}, {B_TRUE} }, 507 508 { "ip_respond_to_timestamp", MOD_PROTO_IP, 509 mod_set_boolean, mod_get_boolean, 510 {B_FALSE}, {B_FALSE} }, 511 512 { "ip_respond_to_timestamp_broadcast", MOD_PROTO_IP, 513 mod_set_boolean, mod_get_boolean, 514 {B_FALSE}, {B_FALSE} }, 515 516 { "ip_send_redirects", MOD_PROTO_IP, 517 mod_set_boolean, mod_get_boolean, 518 {B_TRUE}, {B_TRUE} }, 519 520 { "ip_forward_directed_broadcasts", MOD_PROTO_IP, 521 mod_set_boolean, mod_get_boolean, 522 {B_FALSE}, {B_FALSE} }, 523 524 { "ip_mrtdebug", MOD_PROTO_IP, 525 mod_set_uint32, mod_get_uint32, 526 {0, 10, 0}, {0} }, 527 528 { "ip_ire_reclaim_fraction", MOD_PROTO_IP, 529 mod_set_uint32, mod_get_uint32, 530 {1, 8, 3}, {3} }, 531 532 { "ip_nce_reclaim_fraction", MOD_PROTO_IP, 533 mod_set_uint32, mod_get_uint32, 534 {1, 8, 3}, {3} }, 535 536 /* tunable - 10 */ 537 { "ip_dce_reclaim_fraction", MOD_PROTO_IP, 538 mod_set_uint32, mod_get_uint32, 539 {1, 8, 3}, {3} }, 540 541 { "ttl", MOD_PROTO_IPV4, 542 mod_set_uint32, mod_get_uint32, 543 {1, 255, 255}, {255} }, 544 545 { "ip_forward_src_routed", MOD_PROTO_IP, 546 mod_set_boolean, mod_get_boolean, 547 {B_FALSE}, {B_FALSE} }, 548 549 { "ip_wroff_extra", MOD_PROTO_IP, 550 mod_set_uint32, mod_get_uint32, 551 {0, 256, 32}, {32} }, 552 553 /* following tunable is in seconds - a deviant! */ 554 { "ip_pathmtu_interval", MOD_PROTO_IP, 555 mod_set_uint32, mod_get_uint32, 556 {2, 999999999, 60*20}, {60*20} }, 557 558 { "ip_icmp_return_data_bytes", MOD_PROTO_IP, 559 mod_set_uint32, mod_get_uint32, 560 {8, 65536, 64}, {64} }, 561 562 { "ip_path_mtu_discovery", MOD_PROTO_IP, 563 mod_set_boolean, mod_get_boolean, 564 {B_TRUE}, {B_TRUE} }, 565 566 { "ip_pmtu_min", MOD_PROTO_IP, 567 mod_set_uint32, mod_get_uint32, 568 {68, 65535, 576}, {576} }, 569 570 { "ip_ignore_redirect", MOD_PROTO_IP, 571 mod_set_boolean, mod_get_boolean, 572 {B_FALSE}, {B_FALSE} }, 573 574 { "ip_arp_icmp_error", MOD_PROTO_IP, 575 mod_set_boolean, mod_get_boolean, 576 {B_FALSE}, {B_FALSE} }, 577 578 /* tunable - 20 */ 579 { "ip_broadcast_ttl", MOD_PROTO_IP, 580 mod_set_uint32, mod_get_uint32, 581 {1, 254, 1}, {1} }, 582 583 { "ip_icmp_err_interval", MOD_PROTO_IP, 584 mod_set_uint32, mod_get_uint32, 585 {0, 99999, 100}, {100} }, 586 587 { "ip_icmp_err_burst", MOD_PROTO_IP, 588 mod_set_uint32, mod_get_uint32, 589 {1, 99999, 10}, {10} }, 590 591 { "ip_reass_queue_bytes", MOD_PROTO_IP, 592 mod_set_uint32, mod_get_uint32, 593 {0, 999999999, 1000000}, {1000000} }, 594 595 /* 596 * See comments for ip_strict_src_multihoming for an explanation 597 * of the semantics of ip_strict_dst_multihoming 598 */ 599 { "ip_strict_dst_multihoming", MOD_PROTO_IP, 600 mod_set_uint32, mod_get_uint32, 601 {0, 1, 0}, {0} }, 602 603 { "ip_addrs_per_if", MOD_PROTO_IP, 604 mod_set_uint32, mod_get_uint32, 605 {1, MAX_ADDRS_PER_IF, 256}, {256} }, 606 607 { "ipsec_override_persocket_policy", MOD_PROTO_IP, 608 mod_set_boolean, mod_get_boolean, 609 {B_FALSE}, {B_FALSE} }, 610 611 { "icmp_accept_clear_messages", MOD_PROTO_IP, 612 mod_set_boolean, mod_get_boolean, 613 {B_TRUE}, {B_TRUE} }, 614 615 { "igmp_accept_clear_messages", MOD_PROTO_IP, 616 mod_set_boolean, mod_get_boolean, 617 {B_TRUE}, {B_TRUE} }, 618 619 { "ip_ndp_delay_first_probe_time", MOD_PROTO_IP, 620 mod_set_uint32, mod_get_uint32, 621 {2, 999999999, ND_DELAY_FIRST_PROBE_TIME}, 622 {ND_DELAY_FIRST_PROBE_TIME} }, 623 624 /* tunable - 30 */ 625 { "ip_ndp_max_unicast_solicit", MOD_PROTO_IP, 626 mod_set_uint32, mod_get_uint32, 627 {1, 999999999, ND_MAX_UNICAST_SOLICIT}, {ND_MAX_UNICAST_SOLICIT} }, 628 629 { "hoplimit", MOD_PROTO_IPV6, 630 mod_set_uint32, mod_get_uint32, 631 {1, 255, IPV6_MAX_HOPS}, {IPV6_MAX_HOPS} }, 632 633 { "ip6_icmp_return_data_bytes", MOD_PROTO_IP, 634 mod_set_uint32, mod_get_uint32, 635 {8, IPV6_MIN_MTU, IPV6_MIN_MTU}, {IPV6_MIN_MTU} }, 636 637 { "ip6_forward_src_routed", MOD_PROTO_IP, 638 mod_set_boolean, mod_get_boolean, 639 {B_FALSE}, {B_FALSE} }, 640 641 { "ip6_respond_to_echo_multicast", MOD_PROTO_IP, 642 mod_set_boolean, mod_get_boolean, 643 {B_TRUE}, {B_TRUE} }, 644 645 { "ip6_send_redirects", MOD_PROTO_IP, 646 mod_set_boolean, mod_get_boolean, 647 {B_TRUE}, {B_TRUE} }, 648 649 { "ip6_ignore_redirect", MOD_PROTO_IP, 650 mod_set_boolean, mod_get_boolean, 651 {B_FALSE}, {B_FALSE} }, 652 653 /* 654 * See comments for ip6_strict_src_multihoming for an explanation 655 * of the semantics of ip6_strict_dst_multihoming 656 */ 657 { "ip6_strict_dst_multihoming", MOD_PROTO_IP, 658 mod_set_uint32, mod_get_uint32, 659 {0, 1, 0}, {0} }, 660 661 { "ip_src_check", MOD_PROTO_IP, 662 mod_set_uint32, mod_get_uint32, 663 {0, 2, 2}, {2} }, 664 665 { "ipsec_policy_log_interval", MOD_PROTO_IP, 666 mod_set_uint32, mod_get_uint32, 667 {0, 999999, 1000}, {1000} }, 668 669 /* tunable - 40 */ 670 { "pim_accept_clear_messages", MOD_PROTO_IP, 671 mod_set_boolean, mod_get_boolean, 672 {B_TRUE}, {B_TRUE} }, 673 674 { "ip_ndp_unsolicit_interval", MOD_PROTO_IP, 675 mod_set_uint32, mod_get_uint32, 676 {1000, 20000, 2000}, {2000} }, 677 678 { "ip_ndp_unsolicit_count", MOD_PROTO_IP, 679 mod_set_uint32, mod_get_uint32, 680 {1, 20, 3}, {3} }, 681 682 { "ip6_ignore_home_address_opt", MOD_PROTO_IP, 683 mod_set_boolean, mod_get_boolean, 684 {B_TRUE}, {B_TRUE} }, 685 686 { "ip_policy_mask", MOD_PROTO_IP, 687 mod_set_uint32, mod_get_uint32, 688 {0, 15, 0}, {0} }, 689 690 { "ip_ecmp_behavior", MOD_PROTO_IP, 691 mod_set_uint32, mod_get_uint32, 692 {0, 2, 2}, {2} }, 693 694 { "ip_multirt_ttl", MOD_PROTO_IP, 695 mod_set_uint32, mod_get_uint32, 696 {0, 255, 1}, {1} }, 697 698 /* following tunable is in seconds - a deviant */ 699 { "ip_ire_badcnt_lifetime", MOD_PROTO_IP, 700 mod_set_uint32, mod_get_uint32, 701 {0, 3600, 60}, {60} }, 702 703 { "ip_max_temp_idle", MOD_PROTO_IP, 704 mod_set_uint32, mod_get_uint32, 705 {0, 999999, 60*60*24}, {60*60*24} }, 706 707 { "ip_max_temp_defend", MOD_PROTO_IP, 708 mod_set_uint32, mod_get_uint32, 709 {0, 1000, 1}, {1} }, 710 711 /* tunable - 50 */ 712 /* 713 * when a conflict of an active address is detected, 714 * defend up to ip_max_defend times, within any 715 * ip_defend_interval span. 716 */ 717 { "ip_max_defend", MOD_PROTO_IP, 718 mod_set_uint32, mod_get_uint32, 719 {0, 1000, 3}, {3} }, 720 721 { "ip_defend_interval", MOD_PROTO_IP, 722 mod_set_uint32, mod_get_uint32, 723 {0, 999999, 30}, {30} }, 724 725 { "ip_dup_recovery", MOD_PROTO_IP, 726 mod_set_uint32, mod_get_uint32, 727 {0, 3600000, 300000}, {300000} }, 728 729 { "ip_restrict_interzone_loopback", MOD_PROTO_IP, 730 mod_set_boolean, mod_get_boolean, 731 {B_TRUE}, {B_TRUE} }, 732 733 { "ip_lso_outbound", MOD_PROTO_IP, 734 mod_set_boolean, mod_get_boolean, 735 {B_TRUE}, {B_TRUE} }, 736 737 { "igmp_max_version", MOD_PROTO_IP, 738 mod_set_uint32, mod_get_uint32, 739 {IGMP_V1_ROUTER, IGMP_V3_ROUTER, IGMP_V3_ROUTER}, 740 {IGMP_V3_ROUTER} }, 741 742 { "mld_max_version", MOD_PROTO_IP, 743 mod_set_uint32, mod_get_uint32, 744 {MLD_V1_ROUTER, MLD_V2_ROUTER, MLD_V2_ROUTER}, {MLD_V2_ROUTER} }, 745 746 { "forwarding", MOD_PROTO_IPV4, 747 ip_set_forwarding, ip_get_forwarding, 748 {IP_FORWARD_NEVER}, {IP_FORWARD_NEVER} }, 749 750 { "forwarding", MOD_PROTO_IPV6, 751 ip_set_forwarding, ip_get_forwarding, 752 {IP_FORWARD_NEVER}, {IP_FORWARD_NEVER} }, 753 754 { "ip_reasm_timeout", MOD_PROTO_IP, 755 mod_set_uint32, mod_get_uint32, 756 {5, 255, IP_REASM_TIMEOUT}, 757 {IP_REASM_TIMEOUT} }, 758 759 /* tunable - 60 */ 760 { "ip6_reasm_timeout", MOD_PROTO_IP, 761 mod_set_uint32, mod_get_uint32, 762 {5, 255, IPV6_REASM_TIMEOUT}, 763 {IPV6_REASM_TIMEOUT} }, 764 765 { "ip_cgtp_filter", MOD_PROTO_IP, 766 ip_set_cgtp_filter, mod_get_boolean, 767 {B_FALSE}, {B_FALSE} }, 768 769 /* delay before sending first probe: */ 770 { "arp_probe_delay", MOD_PROTO_IP, 771 mod_set_uint32, mod_get_uint32, 772 {0, 20000, 1000}, {1000} }, 773 774 { "arp_fastprobe_delay", MOD_PROTO_IP, 775 mod_set_uint32, mod_get_uint32, 776 {0, 20000, 100}, {100} }, 777 778 /* interval at which DAD probes are sent: */ 779 { "arp_probe_interval", MOD_PROTO_IP, 780 mod_set_uint32, mod_get_uint32, 781 {10, 20000, 1500}, {1500} }, 782 783 { "arp_fastprobe_interval", MOD_PROTO_IP, 784 mod_set_uint32, mod_get_uint32, 785 {10, 20000, 150}, {150} }, 786 787 { "arp_probe_count", MOD_PROTO_IP, 788 mod_set_uint32, mod_get_uint32, 789 {0, 20, 3}, {3} }, 790 791 { "arp_fastprobe_count", MOD_PROTO_IP, 792 mod_set_uint32, mod_get_uint32, 793 {0, 20, 3}, {3} }, 794 795 { "ipv4_dad_announce_interval", MOD_PROTO_IP, 796 mod_set_uint32, mod_get_uint32, 797 {0, 3600000, 15000}, {15000} }, 798 799 { "ipv6_dad_announce_interval", MOD_PROTO_IP, 800 mod_set_uint32, mod_get_uint32, 801 {0, 3600000, 15000}, {15000} }, 802 803 /* tunable - 70 */ 804 /* 805 * Rate limiting parameters for DAD defense used in 806 * ill_defend_rate_limit(): 807 * defend_rate : pkts/hour permitted 808 * defend_interval : time that can elapse before we send out a 809 * DAD defense. 810 * defend_period: denominator for defend_rate (in seconds). 811 */ 812 { "arp_defend_interval", MOD_PROTO_IP, 813 mod_set_uint32, mod_get_uint32, 814 {0, 3600000, 300000}, {300000} }, 815 816 { "arp_defend_rate", MOD_PROTO_IP, 817 mod_set_uint32, mod_get_uint32, 818 {0, 20000, 100}, {100} }, 819 820 { "ndp_defend_interval", MOD_PROTO_IP, 821 mod_set_uint32, mod_get_uint32, 822 {0, 3600000, 300000}, {300000} }, 823 824 { "ndp_defend_rate", MOD_PROTO_IP, 825 mod_set_uint32, mod_get_uint32, 826 {0, 20000, 100}, {100} }, 827 828 { "arp_defend_period", MOD_PROTO_IP, 829 mod_set_uint32, mod_get_uint32, 830 {5, 86400, 3600}, {3600} }, 831 832 { "ndp_defend_period", MOD_PROTO_IP, 833 mod_set_uint32, mod_get_uint32, 834 {5, 86400, 3600}, {3600} }, 835 836 { "ipv4_icmp_return_pmtu", MOD_PROTO_IP, 837 mod_set_boolean, mod_get_boolean, 838 {B_TRUE}, {B_TRUE} }, 839 840 { "ipv6_icmp_return_pmtu", MOD_PROTO_IP, 841 mod_set_boolean, mod_get_boolean, 842 {B_TRUE}, {B_TRUE} }, 843 844 /* 845 * publish count/interval values used to announce local addresses 846 * for IPv4, IPv6. 847 */ 848 { "ip_arp_publish_count", MOD_PROTO_IP, 849 mod_set_uint32, mod_get_uint32, 850 {1, 20, 5}, {5} }, 851 852 { "ip_arp_publish_interval", MOD_PROTO_IP, 853 mod_set_uint32, mod_get_uint32, 854 {1000, 20000, 2000}, {2000} }, 855 856 /* tunable - 80 */ 857 /* 858 * The ip*strict_src_multihoming and ip*strict_dst_multihoming provide 859 * a range of choices for setting strong/weak/preferred end-system 860 * behavior. The semantics for setting these are: 861 * 862 * ip*_strict_dst_multihoming = 0 863 * weak end system model for managing ip destination addresses. 864 * A packet with IP dst D1 that's received on interface I1 will be 865 * accepted as long as D1 is one of the local addresses on 866 * the machine, even if D1 is not configured on I1. 867 * ip*strict_dst_multihioming = 1 868 * strong end system model for managing ip destination addresses. 869 * A packet with IP dst D1 that's received on interface I1 will be 870 * accepted if, and only if, D1 is configured on I1. 871 * 872 * ip*strict_src_multihoming = 0 873 * Source agnostic route selection for outgoing packets: the 874 * outgoing interface for a packet will be computed using 875 * default algorithms for route selection, where the route 876 * with the longest matching prefix is chosen for the output 877 * unless other route selection constraints are explicitly 878 * specified during routing table lookup. This may result 879 * in packet being sent out on interface I2 with source 880 * address S1, even though S1 is not a configured address on I2. 881 * ip*strict_src_multihoming = 1 882 * Preferred source aware route selection for outgoing packets: for 883 * a packet with source S2, destination D2, the route selection 884 * algorithm will first attempt to find a route for the destination 885 * that goes out through an interface where S2 is 886 * configured. If such a route cannot be found, then the 887 * best-matching route for D2 will be selected. 888 * ip*strict_src_multihoming = 2 889 * Source aware route selection for outgoing packets: a packet will 890 * be sent out on an interface I2 only if the src address S2 of the 891 * packet is a configured address on I2. In conjunction with 892 * the setting 'ip_strict_dst_multihoming == 1', this will result in 893 * the implementation of Strong ES as defined in Section 3.3.4.2 of 894 * RFC 1122 895 */ 896 { "ip_strict_src_multihoming", MOD_PROTO_IP, 897 ip_set_src_multihoming, mod_get_uint32, 898 {0, 2, 0}, {0} }, 899 900 { "ip6_strict_src_multihoming", MOD_PROTO_IP, 901 ip_set_src_multihoming, mod_get_uint32, 902 {0, 2, 0}, {0} }, 903 904 #ifdef DEBUG 905 { "ip6_drop_inbound_icmpv6", MOD_PROTO_IP, 906 mod_set_boolean, mod_get_boolean, 907 {B_FALSE}, {B_FALSE} }, 908 #else 909 { "", 0, NULL, NULL, {0}, {0} }, 910 #endif 911 { "mtu", MOD_PROTO_IPV4, NULL, ip_get_mtu, {0}, {0} }, 912 913 { "mtu", MOD_PROTO_IPV6, NULL, ip_get_mtu, {0}, {0} }, 914 915 /* 916 * The following entry is a placeholder for `ip_debug' global 917 * variable. Within these callback functions, we will be 918 * setting/getting the global variable 919 */ 920 { "ip_debug", MOD_PROTO_IP, 921 ip_set_debug, ip_get_debug, 922 {0, 20, 0}, {0} }, 923 924 { "hostmodel", MOD_PROTO_IPV4, ip_set_hostmodel, ip_get_hostmodel, 925 {IP_WEAK_ES, IP_STRONG_ES, IP_WEAK_ES}, {IP_WEAK_ES} }, 926 927 { "hostmodel", MOD_PROTO_IPV6, ip_set_hostmodel, ip_get_hostmodel, 928 {IP_WEAK_ES, IP_STRONG_ES, IP_WEAK_ES}, {IP_WEAK_ES} }, 929 930 { "?", MOD_PROTO_IP, NULL, mod_get_allprop, {0}, {0} }, 931 932 { NULL, 0, NULL, NULL, {0}, {0} } 933 }; 934 935 int ip_propinfo_count = A_CNT(ip_propinfo_tbl); 936