1 /* $NetBSD: nd6_nbr.c,v 1.185 2024/11/13 09:25:52 roy Exp $ */ 2 /* $KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $ */ 3 4 /* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 #include <sys/cdefs.h> 34 __KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.185 2024/11/13 09:25:52 roy Exp $"); 35 36 #ifdef _KERNEL_OPT 37 #include "opt_inet.h" 38 #include "opt_net_mpsafe.h" 39 #endif 40 41 #include <sys/param.h> 42 #include <sys/systm.h> 43 #include <sys/kmem.h> 44 #include <sys/mbuf.h> 45 #include <sys/socket.h> 46 #include <sys/socketvar.h> 47 #include <sys/sockio.h> 48 #include <sys/time.h> 49 #include <sys/kernel.h> 50 #include <sys/errno.h> 51 #include <sys/ioctl.h> 52 #include <sys/syslog.h> 53 #include <sys/queue.h> 54 #include <sys/callout.h> 55 #include <sys/cprng.h> 56 57 #include <net/if.h> 58 #include <net/if_types.h> 59 #include <net/if_dl.h> 60 #include <net/if_llatbl.h> 61 #include <net/nd.h> 62 #include <net/route.h> 63 64 #include <netinet/in.h> 65 #include <netinet/in_var.h> 66 #include <netinet6/in6_var.h> 67 #include <netinet6/in6_ifattach.h> 68 #include <netinet/ip6.h> 69 #include <netinet6/ip6_var.h> 70 #include <netinet6/scope6_var.h> 71 #include <netinet6/nd6.h> 72 #include <netinet/icmp6.h> 73 #include <netinet6/icmp6_private.h> 74 75 #include "carp.h" 76 #if NCARP > 0 77 #include <netinet/ip_carp.h> 78 #endif 79 80 struct dadq; 81 static struct dadq *nd6_dad_find(struct ifaddr *, struct nd_opt_nonce *, bool *); 82 static bool nd6_dad_ownnonce(struct ifaddr *, struct nd_opt_nonce *nonce); 83 static void nd6_dad_starttimer(struct dadq *, int); 84 static void nd6_dad_destroytimer(struct dadq *); 85 static void nd6_dad_timer(struct dadq *); 86 static void nd6_dad_ns_output(struct dadq *, struct ifaddr *); 87 static void nd6_dad_input(struct ifaddr *, struct nd_opt_nonce *, 88 const struct sockaddr_dl *); 89 static void nd6_dad_duplicated(struct ifaddr *, struct dadq *, 90 const struct sockaddr_dl *); 91 92 static int dad_maxtry = 15; /* max # of *tries* to transmit DAD packet */ 93 94 /* 95 * Input a Neighbor Solicitation Message. 96 * 97 * Based on RFC 2461 98 * Based on RFC 2462 (duplicate address detection) 99 */ 100 void 101 nd6_ns_input(struct mbuf *m, int off, int icmp6len) 102 { 103 struct ifnet *ifp, *ifpc; 104 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 105 struct nd_neighbor_solicit *nd_ns; 106 struct in6_addr saddr6 = ip6->ip6_src; 107 struct in6_addr daddr6 = ip6->ip6_dst; 108 struct in6_addr taddr6; 109 struct in6_addr myaddr6; 110 char *lladdr = NULL; 111 struct ifaddr *ifa = NULL; 112 int lladdrlen = 0; 113 int anycast = 0, proxy = 0, tentative = 0; 114 int router = ip6_forwarding; 115 int tlladdr; 116 union nd_opts ndopts; 117 const struct sockaddr_dl *proxydl = NULL; 118 struct psref psref; 119 struct psref psref_c; 120 struct psref psref_ia; 121 char ip6buf[INET6_ADDRSTRLEN], ip6buf2[INET6_ADDRSTRLEN]; 122 123 ifp = ifpc = m_get_rcvif_psref(m, &psref); 124 if (ifp == NULL) 125 goto freeit; 126 127 IP6_EXTHDR_GET(nd_ns, struct nd_neighbor_solicit *, m, off, icmp6len); 128 if (nd_ns == NULL) { 129 ICMP6_STATINC(ICMP6_STAT_TOOSHORT); 130 m_put_rcvif_psref(ifp, &psref); 131 return; 132 } 133 ip6 = mtod(m, struct ip6_hdr *); /* adjust pointer for safety */ 134 taddr6 = nd_ns->nd_ns_target; 135 if (in6_setscope(&taddr6, ifp, NULL) != 0) 136 goto bad; 137 138 if (ip6->ip6_hlim != 255) { 139 nd6log(LOG_ERR, "invalid hlim (%d) from %s to %s on %s\n", 140 ip6->ip6_hlim, IN6_PRINT(ip6buf, &ip6->ip6_src), 141 IN6_PRINT(ip6buf2, &ip6->ip6_dst), if_name(ifp)); 142 goto bad; 143 } 144 145 if (IN6_IS_ADDR_UNSPECIFIED(&saddr6)) { 146 /* dst has to be a solicited node multicast address. */ 147 /* don't check ifindex portion */ 148 if (daddr6.s6_addr16[0] == IPV6_ADDR_INT16_MLL && 149 daddr6.s6_addr32[1] == 0 && 150 daddr6.s6_addr32[2] == IPV6_ADDR_INT32_ONE && 151 daddr6.s6_addr8[12] == 0xff) { 152 ; /* good */ 153 } else { 154 nd6log(LOG_INFO, "bad DAD packet (wrong ip6 dst)\n"); 155 goto bad; 156 } 157 } else { 158 struct sockaddr_in6 ssin6; 159 160 /* 161 * Make sure the source address is from a neighbor's address. 162 */ 163 sockaddr_in6_init(&ssin6, &saddr6, 0, 0, 0); 164 if (nd6_is_addr_neighbor(&ssin6, ifp) == 0) { 165 nd6log(LOG_INFO, 166 "NS packet from non-neighbor %s on %s\n", 167 IN6_PRINT(ip6buf, &saddr6), if_name(ifp)); 168 goto bad; 169 } 170 } 171 172 if (IN6_IS_ADDR_MULTICAST(&taddr6)) { 173 nd6log(LOG_INFO, "bad NS target (multicast)\n"); 174 goto bad; 175 } 176 177 icmp6len -= sizeof(*nd_ns); 178 nd6_option_init(nd_ns + 1, icmp6len, &ndopts); 179 if (nd6_options(&ndopts) < 0) { 180 nd6log(LOG_INFO, "invalid ND option, ignored\n"); 181 /* nd6_options have incremented stats */ 182 goto freeit; 183 } 184 185 if (ndopts.nd_opts_src_lladdr) { 186 lladdr = (char *)(ndopts.nd_opts_src_lladdr + 1); 187 lladdrlen = ndopts.nd_opts_src_lladdr->nd_opt_len << 3; 188 } 189 190 if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src) && lladdr) { 191 nd6log(LOG_INFO, 192 "bad DAD packet (link-layer address option)\n"); 193 goto bad; 194 } 195 196 /* 197 * Attaching target link-layer address to the NA? 198 * (RFC 2461 7.2.4) 199 * 200 * NS IP dst is multicast MUST add 201 * Otherwise MAY be omitted 202 * 203 * In this implementation, we omit the target link-layer address 204 * in the "MAY" case. 205 */ 206 #if 0 /* too much! */ 207 ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp, &daddr6); 208 if (ifa && (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_ANYCAST)) 209 tlladdr = 0; 210 else 211 #endif 212 if (!IN6_IS_ADDR_MULTICAST(&daddr6)) 213 tlladdr = 0; 214 else 215 tlladdr = 1; 216 217 /* 218 * Target address (taddr6) must be either: 219 * (1) Valid unicast/anycast address for my receiving interface, 220 * (2) Unicast address for which I'm offering proxy service, or 221 * (3) "tentative" address on which DAD is being performed. 222 */ 223 /* (1) and (3) check. */ 224 #if NCARP > 0 225 if (ifp->if_carp && ifp->if_type != IFT_CARP) { 226 int s = pserialize_read_enter(); 227 ifa = carp_iamatch6(ifp->if_carp, &taddr6); 228 if (ifa != NULL) { 229 ifa_acquire(ifa, &psref_ia); 230 if (ifa->ifa_ifp && ifa->ifa_ifp != ifp) { 231 ifpc = ifa->ifa_ifp; 232 if_acquire(ifpc, &psref_c); 233 } 234 } 235 236 237 pserialize_read_exit(s); 238 } else 239 ifa = NULL; 240 if (!ifa) 241 ifa = (struct ifaddr *)in6ifa_ifpwithaddr_psref(ifp, &taddr6, 242 &psref_ia); 243 #else 244 ifa = (struct ifaddr *)in6ifa_ifpwithaddr_psref(ifp, &taddr6, 245 &psref_ia); 246 #endif 247 248 /* (2) check. */ 249 if (ifa == NULL) { 250 struct rtentry *rt; 251 struct sockaddr_in6 tsin6; 252 253 sockaddr_in6_init(&tsin6, &taddr6, 0, 0, 0); 254 255 rt = rtalloc1(sin6tosa(&tsin6), 0); 256 if (rt && (rt->rt_flags & RTF_ANNOUNCE) != 0 && 257 rt->rt_gateway->sa_family == AF_LINK) { 258 /* 259 * proxy NDP for single entry 260 */ 261 ifa = (struct ifaddr *)in6ifa_ifpforlinklocal_psref(ifp, 262 IN6_IFF_NOTREADY|IN6_IFF_ANYCAST, &psref_ia); 263 if (ifa) { 264 proxy = 1; 265 proxydl = satocsdl(rt->rt_gateway); 266 router = 0; /* XXX */ 267 } 268 } 269 if (rt) 270 rt_unref(rt); 271 } 272 if (ifa == NULL) { 273 /* 274 * We've got an NS packet, and we don't have that address 275 * assigned for us. We MUST silently ignore it. 276 * See RFC2461 7.2.3. 277 */ 278 goto freeit; 279 } 280 myaddr6 = *IFA_IN6(ifa); 281 anycast = ((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_ANYCAST; 282 tentative = ((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_TENTATIVE; 283 if (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_DUPLICATED) 284 goto freeit; 285 286 if (lladdr && ((ifp->if_addrlen + 2 + 7) & ~7) != lladdrlen) { 287 nd6log(LOG_INFO, "lladdrlen mismatch for %s " 288 "(if %d, NS packet %d)\n", 289 IN6_PRINT(ip6buf, &taddr6), 290 ifp->if_addrlen, lladdrlen - 2); 291 goto bad; 292 } 293 294 if (IN6_ARE_ADDR_EQUAL(&myaddr6, &saddr6)) { 295 nd6log(LOG_INFO, "duplicate IP6 address %s\n", 296 IN6_PRINT(ip6buf, &saddr6)); 297 goto freeit; 298 } 299 300 /* 301 * We have neighbor solicitation packet, with target address equals to 302 * one of my tentative address. 303 * 304 * src addr how to process? 305 * --- --- 306 * multicast of course, invalid (rejected in ip6_input) 307 * unicast somebody is doing address resolution -> ignore 308 * unspec dup address detection 309 * 310 * The processing is defined in RFC 2462. 311 */ 312 if (tentative) { 313 /* 314 * If source address is unspecified address, it is for 315 * duplicate address detection. 316 * 317 * If not, the packet is for address resolution; 318 * silently ignore it. 319 */ 320 if (IN6_IS_ADDR_UNSPECIFIED(&saddr6)) { 321 struct sockaddr_dl sdl, *sdlp; 322 323 if (lladdr != NULL) 324 sdlp = sockaddr_dl_init(&sdl, sizeof(sdl), 325 ifp->if_index, ifp->if_type, 326 NULL, 0, lladdr, lladdrlen); 327 else 328 sdlp = NULL; 329 nd6_dad_input(ifa, ndopts.nd_opts_nonce, sdlp); 330 } 331 goto freeit; 332 } 333 334 /* 335 * It looks that sender is performing DAD. 336 * Check that the nonce is not being used by the same address 337 * on another interface. 338 */ 339 if (IN6_IS_ADDR_UNSPECIFIED(&saddr6) && ndopts.nd_opts_nonce != NULL) { 340 if (nd6_dad_ownnonce(ifa, ndopts.nd_opts_nonce)) 341 goto freeit; 342 } 343 344 ifa_release(ifa, &psref_ia); 345 ifa = NULL; 346 347 /* 348 * If the source address is unspecified address, entries must not 349 * be created or updated. 350 * It looks that sender is performing DAD. Output NA toward 351 * all-node multicast address, to tell the sender that I'm using 352 * the address. 353 * S bit ("solicited") must be zero. 354 */ 355 if (IN6_IS_ADDR_UNSPECIFIED(&saddr6)) { 356 struct in6_addr in6_all; 357 358 in6_all = in6addr_linklocal_allnodes; 359 if (in6_setscope(&in6_all, ifp, NULL) != 0) 360 goto bad; 361 nd6_na_output(ifpc, &in6_all, &taddr6, 362 ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) | 363 (ip6_forwarding ? ND_NA_FLAG_ROUTER : 0), 364 tlladdr, (const struct sockaddr *)proxydl); 365 goto freeit; 366 } 367 368 nd6_cache_lladdr(ifpc, &saddr6, lladdr, lladdrlen, ND_NEIGHBOR_SOLICIT, 0); 369 370 nd6_na_output(ifp, &saddr6, &taddr6, 371 ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) | 372 (router ? ND_NA_FLAG_ROUTER : 0) | ND_NA_FLAG_SOLICITED, 373 tlladdr, (const struct sockaddr *)proxydl); 374 freeit: 375 ifa_release(ifa, &psref_ia); 376 m_put_rcvif_psref(ifp, &psref); 377 if (ifp != ifpc) 378 if_put(ifpc, &psref_c); 379 380 m_freem(m); 381 return; 382 383 bad: 384 nd6log(LOG_ERR, "src=%s\n", IN6_PRINT(ip6buf, &saddr6)); 385 nd6log(LOG_ERR, "dst=%s\n", IN6_PRINT(ip6buf, &daddr6)); 386 nd6log(LOG_ERR, "tgt=%s\n", IN6_PRINT(ip6buf, &taddr6)); 387 ICMP6_STATINC(ICMP6_STAT_BADNS); 388 ifa_release(ifa, &psref_ia); 389 m_put_rcvif_psref(ifp, &psref); 390 m_freem(m); 391 } 392 393 /* 394 * Output a Neighbor Solicitation Message. Caller specifies: 395 * - ICMP6 header source IP6 address 396 * - ND6 header target IP6 address 397 * - ND6 header source datalink address 398 * 399 * Based on RFC 2461 400 * Based on RFC 2462 (duplicate address detection) 401 */ 402 void 403 nd6_ns_output(struct ifnet *ifp, const struct in6_addr *daddr6, 404 const struct in6_addr *taddr6, 405 const struct in6_addr *hsrc, 406 const uint8_t *nonce /* duplicate address detection */) 407 { 408 struct mbuf *m; 409 struct ip6_hdr *ip6; 410 struct nd_neighbor_solicit *nd_ns; 411 const struct in6_addr *src; 412 struct in6_addr src_in; 413 struct ip6_moptions im6o; 414 int icmp6len; 415 int maxlen; 416 const void *mac; 417 struct route ro; 418 419 if (IN6_IS_ADDR_MULTICAST(taddr6)) 420 return; 421 422 memset(&ro, 0, sizeof(ro)); 423 424 /* estimate the size of message */ 425 maxlen = sizeof(*ip6) + sizeof(*nd_ns); 426 maxlen += (sizeof(struct nd_opt_hdr) + ifp->if_addrlen + 7) & ~7; 427 KASSERTMSG(max_linkhdr + maxlen <= MCLBYTES, 428 "max_linkhdr + maxlen > MCLBYTES (%d + %d > %d)", 429 max_linkhdr, maxlen, MCLBYTES); 430 431 MGETHDR(m, M_DONTWAIT, MT_DATA); 432 if (m && max_linkhdr + maxlen >= MHLEN) { 433 MCLGET(m, M_DONTWAIT); 434 if ((m->m_flags & M_EXT) == 0) { 435 m_free(m); 436 m = NULL; 437 } 438 } 439 if (m == NULL) 440 return; 441 m_reset_rcvif(m); 442 443 if (daddr6 == NULL || IN6_IS_ADDR_MULTICAST(daddr6)) { 444 m->m_flags |= M_MCAST; 445 im6o.im6o_multicast_if_index = if_get_index(ifp); 446 im6o.im6o_multicast_hlim = 255; 447 im6o.im6o_multicast_loop = 0; 448 } 449 450 icmp6len = sizeof(*nd_ns); 451 m->m_pkthdr.len = m->m_len = sizeof(*ip6) + icmp6len; 452 m->m_data += max_linkhdr; /* or m_align() equivalent? */ 453 454 /* fill neighbor solicitation packet */ 455 ip6 = mtod(m, struct ip6_hdr *); 456 ip6->ip6_flow = 0; 457 ip6->ip6_vfc &= ~IPV6_VERSION_MASK; 458 ip6->ip6_vfc |= IPV6_VERSION; 459 /* ip6->ip6_plen will be set later */ 460 ip6->ip6_nxt = IPPROTO_ICMPV6; 461 ip6->ip6_hlim = 255; 462 if (daddr6) 463 ip6->ip6_dst = *daddr6; 464 else { 465 ip6->ip6_dst.s6_addr16[0] = IPV6_ADDR_INT16_MLL; 466 ip6->ip6_dst.s6_addr16[1] = 0; 467 ip6->ip6_dst.s6_addr32[1] = 0; 468 ip6->ip6_dst.s6_addr32[2] = IPV6_ADDR_INT32_ONE; 469 ip6->ip6_dst.s6_addr32[3] = taddr6->s6_addr32[3]; 470 ip6->ip6_dst.s6_addr8[12] = 0xff; 471 if (in6_setscope(&ip6->ip6_dst, ifp, NULL) != 0) 472 goto bad; 473 } 474 if (nonce == NULL) { 475 int s; 476 /* 477 * RFC2461 7.2.2: 478 * "If the source address of the packet prompting the 479 * solicitation is the same as one of the addresses assigned 480 * to the outgoing interface, that address SHOULD be placed 481 * in the IP Source Address of the outgoing solicitation. 482 * Otherwise, any one of the addresses assigned to the 483 * interface should be used." 484 * 485 * We use the source address for the prompting packet 486 * (hsrc), if: 487 * - hsrc is given from the caller (by giving "ln"), and 488 * - hsrc belongs to the outgoing interface. 489 * Otherwise, we perform the source address selection as usual. 490 */ 491 s = pserialize_read_enter(); 492 if (hsrc && in6ifa_ifpwithaddr(ifp, hsrc)) { 493 pserialize_read_exit(s); 494 src = hsrc; 495 } else { 496 int error; 497 struct sockaddr_in6 dst_sa; 498 499 pserialize_read_exit(s); 500 501 sockaddr_in6_init(&dst_sa, &ip6->ip6_dst, 0, 0, 0); 502 503 error = in6_selectsrc(&dst_sa, NULL, 504 NULL, &ro, NULL, NULL, NULL, &src_in); 505 if (error != 0) { 506 char ip6buf[INET6_ADDRSTRLEN]; 507 nd6log(LOG_DEBUG, "source can't be " 508 "determined: dst=%s, error=%d\n", 509 IN6_PRINT(ip6buf, &dst_sa.sin6_addr), 510 error); 511 goto bad; 512 } 513 src = &src_in; 514 } 515 } else { 516 /* 517 * Source address for DAD packet must always be IPv6 518 * unspecified address. (0::0) 519 * We actually don't have to 0-clear the address (we did it 520 * above), but we do so here explicitly to make the intention 521 * clearer. 522 */ 523 memset(&src_in, 0, sizeof(src_in)); 524 src = &src_in; 525 } 526 ip6->ip6_src = *src; 527 nd_ns = (struct nd_neighbor_solicit *)(ip6 + 1); 528 nd_ns->nd_ns_type = ND_NEIGHBOR_SOLICIT; 529 nd_ns->nd_ns_code = 0; 530 nd_ns->nd_ns_reserved = 0; 531 nd_ns->nd_ns_target = *taddr6; 532 in6_clearscope(&nd_ns->nd_ns_target); /* XXX */ 533 534 /* 535 * Add source link-layer address option. 536 * 537 * spec implementation 538 * --- --- 539 * DAD packet MUST NOT do not add the option 540 * there's no link layer address: 541 * impossible do not add the option 542 * there's link layer address: 543 * Multicast NS MUST add one add the option 544 * Unicast NS SHOULD add one add the option 545 */ 546 if (nonce == NULL && (mac = nd6_ifptomac(ifp))) { 547 int optlen = sizeof(struct nd_opt_hdr) + ifp->if_addrlen; 548 struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_ns + 1); 549 /* 8 byte alignments... */ 550 optlen = (optlen + 7) & ~7; 551 552 m->m_pkthdr.len += optlen; 553 m->m_len += optlen; 554 icmp6len += optlen; 555 memset((void *)nd_opt, 0, optlen); 556 nd_opt->nd_opt_type = ND_OPT_SOURCE_LINKADDR; 557 nd_opt->nd_opt_len = optlen >> 3; 558 memcpy((void *)(nd_opt + 1), mac, ifp->if_addrlen); 559 } 560 561 /* Add a nonce option (RFC 3971) to detect looped back NS messages. 562 * This behavior is documented in RFC 7527. */ 563 if (nonce != NULL) { 564 int optlen = sizeof(struct nd_opt_hdr) + ND_OPT_NONCE_LEN; 565 struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_ns + 1); 566 567 /* 8-byte alignment is required. */ 568 optlen = (optlen + 7) & ~7; 569 m->m_pkthdr.len += optlen; 570 m->m_len += optlen; 571 icmp6len += optlen; 572 memset(nd_opt, 0, optlen); 573 nd_opt->nd_opt_type = ND_OPT_NONCE; 574 nd_opt->nd_opt_len = optlen >> 3; 575 memcpy(nd_opt + 1, nonce, ND_OPT_NONCE_LEN); 576 } 577 578 ip6->ip6_plen = htons((u_int16_t)icmp6len); 579 nd_ns->nd_ns_cksum = 0; 580 nd_ns->nd_ns_cksum = 581 in6_cksum(m, IPPROTO_ICMPV6, sizeof(*ip6), icmp6len); 582 583 ip6_output(m, NULL, &ro, nonce != NULL ? IPV6_UNSPECSRC : 0, 584 &im6o, NULL, NULL); 585 icmp6_ifstat_inc(ifp, ifs6_out_msg); 586 icmp6_ifstat_inc(ifp, ifs6_out_neighborsolicit); 587 ICMP6_STATINC(ICMP6_STAT_OUTHIST + ND_NEIGHBOR_SOLICIT); 588 589 rtcache_free(&ro); 590 return; 591 592 bad: 593 rtcache_free(&ro); 594 m_freem(m); 595 return; 596 } 597 598 /* 599 * Neighbor advertisement input handling. 600 * 601 * Based on RFC 2461 602 * Based on RFC 2462 (duplicate address detection) 603 * 604 * the following items are not implemented yet: 605 * - proxy advertisement delay rule (RFC2461 7.2.8, last paragraph, SHOULD) 606 * - anycast advertisement delay rule (RFC2461 7.2.7, SHOULD) 607 */ 608 void 609 nd6_na_input(struct mbuf *m, int off, int icmp6len) 610 { 611 struct ifnet *ifp; 612 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 613 struct nd_neighbor_advert *nd_na; 614 struct in6_addr saddr6 = ip6->ip6_src; 615 struct in6_addr daddr6 = ip6->ip6_dst; 616 struct in6_addr taddr6; 617 int flags; 618 int is_router; 619 int is_solicited; 620 int is_override; 621 int rt_cmd; 622 char *lladdr = NULL; 623 int lladdrlen = 0; 624 struct ifaddr *ifa; 625 struct llentry *ln = NULL; 626 union nd_opts ndopts; 627 struct sockaddr_in6 ssin6; 628 struct psref psref; 629 struct psref psref_ia; 630 char ip6buf[INET6_ADDRSTRLEN], ip6buf2[INET6_ADDRSTRLEN]; 631 632 ifp = m_get_rcvif_psref(m, &psref); 633 if (ifp == NULL) 634 goto freeit; 635 636 if (ip6->ip6_hlim != 255) { 637 nd6log(LOG_ERR, 638 "invalid hlim (%d) from %s to %s on %s\n", 639 ip6->ip6_hlim, IN6_PRINT(ip6buf, &ip6->ip6_src), 640 IN6_PRINT(ip6buf2, &ip6->ip6_dst), if_name(ifp)); 641 goto bad; 642 } 643 644 IP6_EXTHDR_GET(nd_na, struct nd_neighbor_advert *, m, off, icmp6len); 645 if (nd_na == NULL) { 646 m_put_rcvif_psref(ifp, &psref); 647 ICMP6_STATINC(ICMP6_STAT_TOOSHORT); 648 return; 649 } 650 651 flags = nd_na->nd_na_flags_reserved; 652 is_router = ((flags & ND_NA_FLAG_ROUTER) != 0); 653 is_solicited = ((flags & ND_NA_FLAG_SOLICITED) != 0); 654 is_override = ((flags & ND_NA_FLAG_OVERRIDE) != 0); 655 656 taddr6 = nd_na->nd_na_target; 657 if (in6_setscope(&taddr6, ifp, NULL)) { 658 goto bad; 659 } 660 661 if (IN6_IS_ADDR_MULTICAST(&taddr6)) { 662 nd6log(LOG_ERR, "invalid target address %s\n", 663 IN6_PRINT(ip6buf, &taddr6)); 664 goto bad; 665 } 666 if (is_solicited && IN6_IS_ADDR_MULTICAST(&daddr6)) { 667 nd6log(LOG_ERR, "a solicited adv is multicasted\n"); 668 goto bad; 669 } 670 671 icmp6len -= sizeof(*nd_na); 672 nd6_option_init(nd_na + 1, icmp6len, &ndopts); 673 if (nd6_options(&ndopts) < 0) { 674 nd6log(LOG_INFO, "invalid ND option, ignored\n"); 675 /* nd6_options have incremented stats */ 676 goto freeit; 677 } 678 679 if (ndopts.nd_opts_tgt_lladdr != NULL) { 680 struct ifnet *ifp_ll; 681 struct psref psref_ll; 682 683 lladdr = (char *)(ndopts.nd_opts_tgt_lladdr + 1); 684 lladdrlen = ndopts.nd_opts_tgt_lladdr->nd_opt_len << 3; 685 686 if (lladdr && ((ifp->if_addrlen + 2 + 7) & ~7) != lladdrlen) { 687 nd6log(LOG_INFO, "lladdrlen mismatch for %s " 688 "(if %d, NA packet %d)\n", 689 IN6_PRINT(ip6buf, &taddr6), 690 ifp->if_addrlen, lladdrlen - 2); 691 goto bad; 692 } 693 694 ifp_ll = if_get_bylla(lladdr, ifp->if_addrlen, &psref_ll); 695 if (ifp_ll != NULL) { 696 /* it's from me, ignore it. */ 697 if_put(ifp_ll, &psref_ll); 698 goto freeit; 699 } 700 } 701 702 ifa = (struct ifaddr *)in6ifa_ifpwithaddr_psref(ifp, &taddr6, &psref_ia); 703 704 /* 705 * Target address matches one of my interface address. 706 * 707 * If my address is tentative, this means that there's somebody 708 * already using the same address as mine. This indicates DAD failure. 709 * This is defined in RFC 2462. 710 * 711 * Otherwise, process as defined in RFC 2461. 712 */ 713 if (ifa) { 714 if (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_TENTATIVE) { 715 struct sockaddr_dl sdl, *sdlp; 716 717 if (lladdr != NULL) 718 sdlp = sockaddr_dl_init(&sdl, sizeof(sdl), 719 ifp->if_index, ifp->if_type, 720 NULL, 0, lladdr, lladdrlen); 721 else 722 sdlp = NULL; 723 nd6_dad_input(ifa, NULL, sdlp); 724 } else 725 log(LOG_ERR, 726 "nd6_na_input: duplicate IP6 address %s\n", 727 IN6_PRINT(ip6buf, &taddr6)); 728 ifa_release(ifa, &psref_ia); 729 ifa = NULL; 730 goto freeit; 731 } 732 733 /* 734 * Make sure the source address is from a neighbor's address. 735 */ 736 sockaddr_in6_init(&ssin6, &saddr6, 0, 0, 0); 737 if (nd6_is_addr_neighbor(&ssin6, ifp) == 0) { 738 nd6log(LOG_INFO, "ND packet from non-neighbor %s on %s\n", 739 IN6_PRINT(ip6buf, &saddr6), if_name(ifp)); 740 goto bad; 741 } 742 743 /* 744 * If no neighbor cache entry is found, NA SHOULD silently be 745 * discarded. 746 */ 747 ln = nd6_lookup(&taddr6, ifp, true); 748 if (ln == NULL) 749 goto freeit; 750 751 rt_cmd = 0; 752 if (ln->ln_state <= ND_LLINFO_INCOMPLETE) { 753 /* 754 * If the link-layer has address, and no lladdr option came, 755 * discard the packet. 756 */ 757 if (ifp->if_addrlen && !lladdr) 758 goto freeit; 759 760 /* 761 * Record link-layer address, and update the state. 762 */ 763 memcpy(&ln->ll_addr, lladdr, ifp->if_addrlen); 764 ln->la_flags |= LLE_VALID; 765 rt_cmd = RTM_ADD; 766 if (is_solicited) { 767 ln->ln_state = ND_LLINFO_REACHABLE; 768 ln->ln_byhint = 0; 769 if (!ND_IS_LLINFO_PERMANENT(ln)) 770 nd_set_timer(ln, ND_TIMER_REACHABLE); 771 } else { 772 ln->ln_state = ND_LLINFO_STALE; 773 nd_set_timer(ln, ND_TIMER_GC); 774 } 775 } else { 776 bool llchange; 777 778 /* 779 * Check if the link-layer address has changed or not. 780 */ 781 if (lladdr == NULL) 782 llchange = false; 783 else { 784 if (ln->la_flags & LLE_VALID) { 785 if (memcmp(lladdr, &ln->ll_addr, ifp->if_addrlen)) 786 llchange = true; 787 else 788 llchange = false; 789 } else 790 llchange = true; 791 } 792 if (llchange) 793 rt_cmd = RTM_CHANGE; 794 795 /* 796 * This is VERY complex. Look at it with care. 797 * 798 * override solicit lladdr llchange action 799 * (L: record lladdr) 800 * 801 * 0 0 n -- (2c) 802 * 0 0 y n (2b) L 803 * 0 0 y y (1) REACHABLE->STALE 804 * 0 1 n -- (2c) *->REACHABLE 805 * 0 1 y n (2b) L *->REACHABLE 806 * 0 1 y y (1) REACHABLE->STALE 807 * 1 0 n -- (2a) 808 * 1 0 y n (2a) L 809 * 1 0 y y (2a) L *->STALE 810 * 1 1 n -- (2a) *->REACHABLE 811 * 1 1 y n (2a) L *->REACHABLE 812 * 1 1 y y (2a) L *->REACHABLE 813 */ 814 if (!is_override && lladdr != NULL && llchange) { /* (1) */ 815 /* 816 * If state is REACHABLE, make it STALE. 817 * no other updates should be done. 818 */ 819 if (ln->ln_state == ND_LLINFO_REACHABLE) { 820 ln->ln_state = ND_LLINFO_STALE; 821 nd_set_timer(ln, ND_TIMER_GC); 822 } 823 goto freeit; 824 } else if (is_override /* (2a) */ 825 || (!is_override && lladdr != NULL && !llchange) /* (2b) */ 826 || lladdr == NULL) { /* (2c) */ 827 /* 828 * Update link-local address, if any. 829 */ 830 if (lladdr != NULL) { 831 memcpy(&ln->ll_addr, lladdr, ifp->if_addrlen); 832 ln->la_flags |= LLE_VALID; 833 } 834 835 /* 836 * If solicited, make the state REACHABLE. 837 * If not solicited and the link-layer address was 838 * changed, make it STALE. 839 */ 840 if (is_solicited) { 841 ln->ln_state = ND_LLINFO_REACHABLE; 842 ln->ln_byhint = 0; 843 if (!ND_IS_LLINFO_PERMANENT(ln)) 844 nd_set_timer(ln, ND_TIMER_REACHABLE); 845 } else { 846 if (lladdr && llchange) { 847 ln->ln_state = ND_LLINFO_STALE; 848 nd_set_timer(ln, ND_TIMER_GC); 849 } 850 } 851 } 852 ln->ln_router = is_router; 853 } 854 /* 855 * XXX: does this matter? 856 * rt->rt_flags &= ~RTF_REJECT; 857 */ 858 ln->ln_asked = 0; 859 nd6_llinfo_release_pkts(ln, ifp); 860 861 if (rt_cmd != 0) { 862 struct sockaddr_in6 sin6; 863 864 sockaddr_in6_init(&sin6, &ln->r_l3addr.addr6, 0, 0, 0); 865 rt_clonedmsg(rt_cmd, sin6tosa(&ssin6), sin6tosa(&sin6), 866 (char *)&ln->ll_addr, ln->lle_tbl->llt_ifp); 867 } 868 869 freeit: 870 if (ln != NULL) 871 LLE_WUNLOCK(ln); 872 873 m_put_rcvif_psref(ifp, &psref); 874 m_freem(m); 875 return; 876 877 bad: 878 if (ln != NULL) 879 LLE_WUNLOCK(ln); 880 881 ICMP6_STATINC(ICMP6_STAT_BADNA); 882 m_put_rcvif_psref(ifp, &psref); 883 m_freem(m); 884 } 885 886 /* 887 * Neighbor advertisement output handling. 888 * 889 * Based on RFC 2461 890 * 891 * the following items are not implemented yet: 892 * - proxy advertisement delay rule (RFC2461 7.2.8, last paragraph, SHOULD) 893 * - anycast advertisement delay rule (RFC2461 7.2.7, SHOULD) 894 */ 895 void 896 nd6_na_output( 897 struct ifnet *ifp, 898 const struct in6_addr *daddr6_0, 899 const struct in6_addr *taddr6, 900 u_long flags, 901 int tlladdr, /* 1 if include target link-layer address */ 902 const struct sockaddr *sdl0) /* sockaddr_dl (= proxy NA) or NULL */ 903 { 904 struct mbuf *m; 905 struct ip6_hdr *ip6; 906 struct nd_neighbor_advert *nd_na; 907 struct ip6_moptions im6o; 908 struct sockaddr *dst; 909 union { 910 struct sockaddr dst; 911 struct sockaddr_in6 dst6; 912 } u; 913 struct in6_addr daddr6; 914 int icmp6len, maxlen, error; 915 const void *mac; 916 struct route ro; 917 918 mac = NULL; 919 memset(&ro, 0, sizeof(ro)); 920 921 daddr6 = *daddr6_0; /* make a local copy for modification */ 922 923 /* estimate the size of message */ 924 maxlen = sizeof(*ip6) + sizeof(*nd_na); 925 maxlen += (sizeof(struct nd_opt_hdr) + ifp->if_addrlen + 7) & ~7; 926 KASSERTMSG(max_linkhdr + maxlen <= MCLBYTES, 927 "max_linkhdr + maxlen > MCLBYTES (%d + %d > %d)", 928 max_linkhdr, maxlen, MCLBYTES); 929 930 MGETHDR(m, M_DONTWAIT, MT_DATA); 931 if (m && max_linkhdr + maxlen >= MHLEN) { 932 MCLGET(m, M_DONTWAIT); 933 if ((m->m_flags & M_EXT) == 0) { 934 m_free(m); 935 m = NULL; 936 } 937 } 938 if (m == NULL) 939 return; 940 m_reset_rcvif(m); 941 942 if (IN6_IS_ADDR_MULTICAST(&daddr6)) { 943 m->m_flags |= M_MCAST; 944 im6o.im6o_multicast_if_index = if_get_index(ifp); 945 im6o.im6o_multicast_hlim = 255; 946 im6o.im6o_multicast_loop = 0; 947 } 948 949 icmp6len = sizeof(*nd_na); 950 m->m_pkthdr.len = m->m_len = sizeof(struct ip6_hdr) + icmp6len; 951 m->m_data += max_linkhdr; /* or m_align() equivalent? */ 952 953 /* fill neighbor advertisement packet */ 954 ip6 = mtod(m, struct ip6_hdr *); 955 ip6->ip6_flow = 0; 956 ip6->ip6_vfc &= ~IPV6_VERSION_MASK; 957 ip6->ip6_vfc |= IPV6_VERSION; 958 ip6->ip6_nxt = IPPROTO_ICMPV6; 959 ip6->ip6_hlim = 255; 960 if (IN6_IS_ADDR_UNSPECIFIED(&daddr6)) { 961 /* reply to DAD */ 962 daddr6.s6_addr16[0] = IPV6_ADDR_INT16_MLL; 963 daddr6.s6_addr16[1] = 0; 964 daddr6.s6_addr32[1] = 0; 965 daddr6.s6_addr32[2] = 0; 966 daddr6.s6_addr32[3] = IPV6_ADDR_INT32_ONE; 967 if (in6_setscope(&daddr6, ifp, NULL)) 968 goto bad; 969 970 flags &= ~ND_NA_FLAG_SOLICITED; 971 } 972 ip6->ip6_dst = daddr6; 973 sockaddr_in6_init(&u.dst6, &daddr6, 0, 0, 0); 974 dst = &u.dst; 975 if (rtcache_setdst(&ro, dst) != 0) 976 goto bad; 977 978 /* 979 * Select a source whose scope is the same as that of the dest. 980 */ 981 error = in6_selectsrc(satosin6(dst), NULL, NULL, &ro, NULL, NULL, NULL, 982 &ip6->ip6_src); 983 if (error != 0) { 984 char ip6buf[INET6_ADDRSTRLEN]; 985 nd6log(LOG_DEBUG, "source can't be " 986 "determined: dst=%s, error=%d\n", 987 IN6_PRINT(ip6buf, &satocsin6(dst)->sin6_addr), error); 988 goto bad; 989 } 990 nd_na = (struct nd_neighbor_advert *)(ip6 + 1); 991 nd_na->nd_na_type = ND_NEIGHBOR_ADVERT; 992 nd_na->nd_na_code = 0; 993 nd_na->nd_na_target = *taddr6; 994 in6_clearscope(&nd_na->nd_na_target); /* XXX */ 995 996 /* 997 * "tlladdr" indicates NS's condition for adding tlladdr or not. 998 * see nd6_ns_input() for details. 999 * Basically, if NS packet is sent to unicast/anycast addr, 1000 * target lladdr option SHOULD NOT be included. 1001 */ 1002 if (tlladdr) { 1003 /* 1004 * sdl0 != NULL indicates proxy NA. If we do proxy, use 1005 * lladdr in sdl0. If we are not proxying (sending NA for 1006 * my address) use lladdr configured for the interface. 1007 */ 1008 if (sdl0 == NULL) 1009 mac = nd6_ifptomac(ifp); 1010 else if (sdl0->sa_family == AF_LINK) { 1011 const struct sockaddr_dl *sdl; 1012 sdl = satocsdl(sdl0); 1013 if (sdl->sdl_alen == ifp->if_addrlen) 1014 mac = CLLADDR(sdl); 1015 } 1016 } 1017 if (tlladdr && mac) { 1018 int optlen = sizeof(struct nd_opt_hdr) + ifp->if_addrlen; 1019 struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_na + 1); 1020 1021 /* roundup to 8 bytes alignment! */ 1022 optlen = (optlen + 7) & ~7; 1023 1024 m->m_pkthdr.len += optlen; 1025 m->m_len += optlen; 1026 icmp6len += optlen; 1027 memset((void *)nd_opt, 0, optlen); 1028 nd_opt->nd_opt_type = ND_OPT_TARGET_LINKADDR; 1029 nd_opt->nd_opt_len = optlen >> 3; 1030 memcpy((void *)(nd_opt + 1), mac, ifp->if_addrlen); 1031 } else 1032 flags &= ~ND_NA_FLAG_OVERRIDE; 1033 1034 ip6->ip6_plen = htons((u_int16_t)icmp6len); 1035 nd_na->nd_na_flags_reserved = flags; 1036 nd_na->nd_na_cksum = 0; 1037 nd_na->nd_na_cksum = 1038 in6_cksum(m, IPPROTO_ICMPV6, sizeof(struct ip6_hdr), icmp6len); 1039 1040 ip6_output(m, NULL, NULL, 0, &im6o, NULL, NULL); 1041 1042 icmp6_ifstat_inc(ifp, ifs6_out_msg); 1043 icmp6_ifstat_inc(ifp, ifs6_out_neighboradvert); 1044 ICMP6_STATINC(ICMP6_STAT_OUTHIST + ND_NEIGHBOR_ADVERT); 1045 1046 rtcache_free(&ro); 1047 return; 1048 1049 bad: 1050 rtcache_free(&ro); 1051 m_freem(m); 1052 return; 1053 } 1054 1055 const void * 1056 nd6_ifptomac(const struct ifnet *ifp) 1057 { 1058 switch (ifp->if_type) { 1059 case IFT_ARCNET: 1060 case IFT_ETHER: 1061 case IFT_IEEE1394: 1062 case IFT_PROPVIRTUAL: 1063 case IFT_CARP: 1064 case IFT_L2VLAN: 1065 case IFT_IEEE80211: 1066 return CLLADDR(ifp->if_sadl); 1067 default: 1068 return NULL; 1069 } 1070 } 1071 1072 TAILQ_HEAD(dadq_head, dadq); 1073 struct dadq { 1074 TAILQ_ENTRY(dadq) dad_list; 1075 struct ifaddr *dad_ifa; 1076 int dad_count; /* max NS to send */ 1077 int dad_ns_tcount; /* # of trials to send NS */ 1078 int dad_ns_ocount; /* NS sent so far */ 1079 int dad_ns_lcount; /* looped back NS */ 1080 struct callout dad_timer_ch; 1081 #define ND_OPT_NONCE_STORE 3 /* dad_count should not exceed this */ 1082 /* 1083 * The default ip6_dad_count is 1 as specified by RFC 4862 and 1084 * practically must users won't exceed this. 1085 * A storage of 3 is defaulted to here, in-case the administrator wants 1086 * to match the equivalent behaviour in our ARP implementation. 1087 * This constraint could be removed by sending the on wire nonce as 1088 * hmac(key, dad_ns_ocount), but that would increase the nonce size 1089 * sent on the wire. 1090 */ 1091 uint8_t dad_nonce[ND_OPT_NONCE_STORE][ND_OPT_NONCE_LEN]; 1092 }; 1093 1094 static struct dadq_head dadq; 1095 static kmutex_t nd6_dad_lock; 1096 1097 void 1098 nd6_nbr_init(void) 1099 { 1100 1101 TAILQ_INIT(&dadq); 1102 mutex_init(&nd6_dad_lock, MUTEX_DEFAULT, IPL_NONE); 1103 } 1104 1105 static struct dadq * 1106 nd6_dad_find(struct ifaddr *ifa, struct nd_opt_nonce *nonce, bool *found_nonce) 1107 { 1108 struct in6_addr *myaddr6, *dadaddr6; 1109 bool match_ifa; 1110 struct dadq *dp; 1111 int i, nonce_max; 1112 1113 KASSERT(mutex_owned(&nd6_dad_lock)); 1114 KASSERT(ifa != NULL); 1115 1116 myaddr6 = IFA_IN6(ifa); 1117 if (nonce != NULL && 1118 nonce->nd_opt_nonce_len != (ND_OPT_NONCE_LEN + 2) / 8) 1119 nonce = NULL; 1120 match_ifa = nonce == NULL || found_nonce == NULL || *found_nonce == false; 1121 if (found_nonce != NULL) 1122 *found_nonce = false; 1123 1124 TAILQ_FOREACH(dp, &dadq, dad_list) { 1125 if (match_ifa) { 1126 if (dp->dad_ifa != ifa) 1127 continue; 1128 } else { 1129 dadaddr6 = IFA_IN6(dp->dad_ifa); 1130 if (!IN6_ARE_ADDR_EQUAL(myaddr6, dadaddr6)) 1131 continue; 1132 } 1133 1134 if (nonce == NULL) 1135 break; 1136 1137 nonce_max = MIN(dp->dad_ns_ocount, ND_OPT_NONCE_STORE); 1138 for (i = 0; i < nonce_max; i++) { 1139 if (memcmp(nonce->nd_opt_nonce, 1140 dp->dad_nonce[i], 1141 ND_OPT_NONCE_LEN) == 0) 1142 break; 1143 } 1144 if (i < nonce_max) { 1145 char ip6buf[INET6_ADDRSTRLEN]; 1146 1147 *found_nonce = true; 1148 log(LOG_DEBUG, 1149 "%s: detected a looped back NS message for %s\n", 1150 if_name(ifa->ifa_ifp), IN6_PRINT(ip6buf, myaddr6)); 1151 dp->dad_ns_lcount++; 1152 continue; 1153 } 1154 1155 break; 1156 } 1157 return dp; 1158 } 1159 1160 static bool 1161 nd6_dad_ownnonce(struct ifaddr *ifa, struct nd_opt_nonce *nonce) 1162 { 1163 bool found_nonce = true; 1164 1165 mutex_enter(&nd6_dad_lock); 1166 nd6_dad_find(ifa, nonce, &found_nonce); 1167 mutex_exit(&nd6_dad_lock); 1168 1169 return found_nonce; 1170 } 1171 1172 static void 1173 nd6_dad_starttimer(struct dadq *dp, int ticks) 1174 { 1175 1176 callout_reset(&dp->dad_timer_ch, ticks, 1177 (void (*)(void *))nd6_dad_timer, dp); 1178 } 1179 1180 static void 1181 nd6_dad_stoptimer(struct dadq *dp) 1182 { 1183 1184 KASSERT(mutex_owned(&nd6_dad_lock)); 1185 1186 TAILQ_REMOVE(&dadq, dp, dad_list); 1187 /* Tell the timer that dp is being destroyed. */ 1188 dp->dad_ifa = NULL; 1189 callout_halt(&dp->dad_timer_ch, &nd6_dad_lock); 1190 } 1191 1192 static void 1193 nd6_dad_destroytimer(struct dadq *dp) 1194 { 1195 1196 KASSERT(dp->dad_ifa == NULL); 1197 callout_destroy(&dp->dad_timer_ch); 1198 kmem_intr_free(dp, sizeof(*dp)); 1199 } 1200 1201 /* 1202 * Start Duplicate Address Detection (DAD) for specified interface address. 1203 * 1204 * Note that callout is used when xtick > 0 and not when xtick == 0. 1205 * 1206 * xtick: minimum delay ticks for IFF_UP event 1207 */ 1208 void 1209 nd6_dad_start(struct ifaddr *ifa, int xtick) 1210 { 1211 struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa; 1212 struct dadq *dp; 1213 char ip6buf[INET6_ADDRSTRLEN]; 1214 1215 /* 1216 * If we don't need DAD, don't do it. 1217 * There are several cases: 1218 * - DAD is disabled 1219 * - the interface address is anycast 1220 */ 1221 if (!(ia->ia6_flags & IN6_IFF_TENTATIVE)) { 1222 log(LOG_DEBUG, 1223 "nd6_dad_start: called with non-tentative address " 1224 "%s(%s)\n", 1225 IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr), 1226 if_name(ifa->ifa_ifp)); 1227 return; 1228 } 1229 if (ia->ia6_flags & IN6_IFF_ANYCAST || !ip6_dad_enabled()) { 1230 ia->ia6_flags &= ~IN6_IFF_TENTATIVE; 1231 rt_addrmsg(RTM_NEWADDR, ifa); 1232 return; 1233 } 1234 if (!(ifa->ifa_ifp->if_flags & IFF_UP)) 1235 return; 1236 1237 dp = kmem_intr_alloc(sizeof(*dp), KM_NOSLEEP); 1238 1239 mutex_enter(&nd6_dad_lock); 1240 if (nd6_dad_find(ifa, NULL, NULL) != NULL) { 1241 mutex_exit(&nd6_dad_lock); 1242 /* DAD already in progress */ 1243 if (dp != NULL) 1244 kmem_intr_free(dp, sizeof(*dp)); 1245 return; 1246 } 1247 1248 if (dp == NULL) { 1249 mutex_exit(&nd6_dad_lock); 1250 log(LOG_ERR, "nd6_dad_start: memory allocation failed for " 1251 "%s(%s)\n", 1252 IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr), 1253 if_name(ifa->ifa_ifp)); 1254 return; 1255 } 1256 1257 /* 1258 * Send NS packet for DAD, ip6_dad_count times. 1259 * Note that we must delay the first transmission, if this is the 1260 * first packet to be sent from the interface after interface 1261 * (re)initialization. 1262 */ 1263 callout_init(&dp->dad_timer_ch, CALLOUT_MPSAFE); 1264 dp->dad_ifa = ifa; 1265 ifaref(ifa); /* just for safety */ 1266 dp->dad_count = ip6_dad_count; 1267 dp->dad_ns_ocount = dp->dad_ns_tcount = 0; 1268 dp->dad_ns_lcount = 0; 1269 TAILQ_INSERT_TAIL(&dadq, (struct dadq *)dp, dad_list); 1270 1271 nd6log(LOG_DEBUG, "%s: starting DAD for %s\n", if_name(ifa->ifa_ifp), 1272 IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr)); 1273 1274 if (xtick == 0) { 1275 nd6_dad_ns_output(dp, ifa); 1276 nd6_dad_starttimer(dp, 1277 (long)ND_IFINFO(ifa->ifa_ifp)->retrans * hz / 1000); 1278 } else 1279 nd6_dad_starttimer(dp, xtick); 1280 mutex_exit(&nd6_dad_lock); 1281 } 1282 1283 /* 1284 * terminate DAD unconditionally. used for address removals. 1285 */ 1286 void 1287 nd6_dad_stop(struct ifaddr *ifa) 1288 { 1289 struct dadq *dp; 1290 1291 mutex_enter(&nd6_dad_lock); 1292 dp = nd6_dad_find(ifa, NULL, NULL); 1293 if (dp == NULL) { 1294 mutex_exit(&nd6_dad_lock); 1295 /* DAD wasn't started yet */ 1296 return; 1297 } 1298 1299 /* Prevent the timer from running anymore. */ 1300 nd6_dad_stoptimer(dp); 1301 1302 mutex_exit(&nd6_dad_lock); 1303 1304 nd6_dad_destroytimer(dp); 1305 ifafree(ifa); 1306 } 1307 1308 static void 1309 nd6_dad_timer(struct dadq *dp) 1310 { 1311 struct ifaddr *ifa; 1312 struct in6_ifaddr *ia; 1313 char ip6buf[INET6_ADDRSTRLEN]; 1314 bool need_free = false; 1315 1316 KERNEL_LOCK_UNLESS_NET_MPSAFE(); 1317 mutex_enter(&nd6_dad_lock); 1318 1319 ifa = dp->dad_ifa; 1320 if (ifa == NULL) { 1321 /* dp is being destroyed by someone. Do nothing. */ 1322 goto done; 1323 } 1324 1325 ia = (struct in6_ifaddr *)ifa; 1326 if (ia->ia6_flags & IN6_IFF_DUPLICATED) { 1327 log(LOG_ERR, "nd6_dad_timer: called with duplicate address " 1328 "%s(%s)\n", 1329 IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr), 1330 if_name(ifa->ifa_ifp)); 1331 goto done; 1332 } 1333 if ((ia->ia6_flags & IN6_IFF_TENTATIVE) == 0) { 1334 log(LOG_ERR, "nd6_dad_timer: called with non-tentative address " 1335 "%s(%s)\n", 1336 IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr), 1337 if_name(ifa->ifa_ifp)); 1338 goto done; 1339 } 1340 1341 /* timeouted with IFF_{RUNNING,UP} check */ 1342 if (dp->dad_ns_tcount > dad_maxtry) { 1343 nd6log(LOG_INFO, "%s: could not run DAD, driver problem?\n", 1344 if_name(ifa->ifa_ifp)); 1345 1346 nd6_dad_stoptimer(dp); 1347 need_free = true; 1348 goto done; 1349 } 1350 1351 /* Need more checks? */ 1352 if (dp->dad_ns_ocount < dp->dad_count) { 1353 /* 1354 * We have more NS to go. Send NS packet for DAD. 1355 */ 1356 nd6_dad_ns_output(dp, ifa); 1357 nd6_dad_starttimer(dp, 1358 (long)ND_IFINFO(ifa->ifa_ifp)->retrans * hz / 1000); 1359 } else { 1360 /* 1361 * We are done with DAD. No NA came, no NS came. 1362 * No duplicate address found. 1363 */ 1364 ia->ia6_flags &= ~IN6_IFF_TENTATIVE; 1365 rt_addrmsg(RTM_NEWADDR, ifa); 1366 1367 nd6log(LOG_DEBUG, 1368 "%s: DAD complete for %s - no duplicates found\n", 1369 if_name(ifa->ifa_ifp), 1370 IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr)); 1371 1372 nd6_dad_stoptimer(dp); 1373 need_free = true; 1374 } 1375 done: 1376 mutex_exit(&nd6_dad_lock); 1377 1378 if (need_free) { 1379 nd6_dad_destroytimer(dp); 1380 KASSERT(ifa != NULL); 1381 ifafree(ifa); 1382 } 1383 1384 KERNEL_UNLOCK_UNLESS_NET_MPSAFE(); 1385 } 1386 1387 static void 1388 nd6_dad_duplicated(struct ifaddr *ifa, struct dadq *dp, 1389 const struct sockaddr_dl *from) 1390 { 1391 struct in6_ifaddr *ia; 1392 struct ifnet *ifp; 1393 char ip6buf[INET6_ADDRSTRLEN], llabuf[LLA_ADDRSTRLEN], *llastr; 1394 1395 KASSERT(mutex_owned(&nd6_dad_lock)); 1396 KASSERT(ifa != NULL); 1397 1398 ifp = ifa->ifa_ifp; 1399 ia = (struct in6_ifaddr *)ifa; 1400 1401 ia->ia6_flags &= ~IN6_IFF_TENTATIVE; 1402 ia->ia6_flags |= IN6_IFF_DUPLICATED; 1403 1404 if (__predict_false(from == NULL)) 1405 llastr = NULL; 1406 else 1407 llastr = lla_snprintf(llabuf, sizeof(llabuf), 1408 CLLADDR(from), from->sdl_alen); 1409 1410 log(LOG_ERR, "%s: DAD duplicate address %s from %s\n", 1411 if_name(ifp), IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr), llastr); 1412 1413 /* Inform the routing socket that DAD has completed */ 1414 rt_addrmsg_src(RTM_NEWADDR, ifa, (const struct sockaddr *)from); 1415 1416 /* 1417 * If the address is a link-local address formed from an interface 1418 * identifier based on the hardware address which is supposed to be 1419 * uniquely assigned (e.g., EUI-64 for an Ethernet interface), IP 1420 * operation on the interface SHOULD be disabled. 1421 * [rfc2462bis-03 Section 5.4.5] 1422 */ 1423 if (IN6_IS_ADDR_LINKLOCAL(&ia->ia_addr.sin6_addr)) { 1424 struct in6_addr in6; 1425 1426 /* 1427 * To avoid over-reaction, we only apply this logic when we are 1428 * very sure that hardware addresses are supposed to be unique. 1429 */ 1430 switch (ifp->if_type) { 1431 case IFT_ETHER: 1432 case IFT_ATM: 1433 case IFT_IEEE1394: 1434 case IFT_IEEE80211: 1435 in6 = ia->ia_addr.sin6_addr; 1436 if (in6_get_hw_ifid(ifp, &in6) == 0 && 1437 IN6_ARE_ADDR_EQUAL(&ia->ia_addr.sin6_addr, &in6)) { 1438 ND_IFINFO(ifp)->flags |= ND6_IFF_IFDISABLED; 1439 log(LOG_ERR, "%s: possible hardware address " 1440 "duplication detected, disable IPv6\n", 1441 if_name(ifp)); 1442 } 1443 break; 1444 } 1445 } 1446 } 1447 1448 static void 1449 nd6_dad_ns_output(struct dadq *dp, struct ifaddr *ifa) 1450 { 1451 struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa; 1452 struct ifnet *ifp = ifa->ifa_ifp; 1453 uint8_t *nonce; 1454 1455 dp->dad_ns_tcount++; 1456 if ((ifp->if_flags & IFF_UP) == 0) { 1457 #if 0 1458 printf("%s: interface down?\n", if_name(ifp)); 1459 #endif 1460 return; 1461 } 1462 if ((ifp->if_flags & IFF_RUNNING) == 0) { 1463 #if 0 1464 printf("%s: interface not running?\n", if_name(ifp)); 1465 #endif 1466 return; 1467 } 1468 1469 dp->dad_ns_tcount = 0; 1470 nonce = dp->dad_nonce[dp->dad_ns_ocount % ND_OPT_NONCE_STORE]; 1471 cprng_fast(nonce, ND_OPT_NONCE_LEN); 1472 dp->dad_ns_ocount++; 1473 1474 nd6_ns_output(ifp, NULL, &ia->ia_addr.sin6_addr, NULL, nonce); 1475 } 1476 1477 static void 1478 nd6_dad_input(struct ifaddr *ifa, struct nd_opt_nonce *nonce, 1479 const struct sockaddr_dl *from) 1480 { 1481 struct dadq *dp; 1482 bool found_nonce = false; 1483 1484 KASSERT(ifa != NULL); 1485 1486 mutex_enter(&nd6_dad_lock); 1487 dp = nd6_dad_find(ifa, nonce, &found_nonce); 1488 if (!found_nonce) { 1489 nd6_dad_duplicated(ifa, dp, from); 1490 if (dp != NULL) 1491 nd6_dad_stoptimer(dp); 1492 } 1493 mutex_exit(&nd6_dad_lock); 1494 if (dp != NULL) { 1495 nd6_dad_destroytimer(dp); 1496 ifafree(ifa); 1497 } 1498 } 1499