1 /* $NetBSD: nd6_nbr.c,v 1.156 2018/05/19 08:22:58 maxv Exp $ */ 2 /* $KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $ */ 3 4 /* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 #include <sys/cdefs.h> 34 __KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.156 2018/05/19 08:22:58 maxv Exp $"); 35 36 #ifdef _KERNEL_OPT 37 #include "opt_inet.h" 38 #include "opt_net_mpsafe.h" 39 #endif 40 41 #include <sys/param.h> 42 #include <sys/systm.h> 43 #include <sys/kmem.h> 44 #include <sys/mbuf.h> 45 #include <sys/socket.h> 46 #include <sys/socketvar.h> 47 #include <sys/sockio.h> 48 #include <sys/time.h> 49 #include <sys/kernel.h> 50 #include <sys/errno.h> 51 #include <sys/ioctl.h> 52 #include <sys/syslog.h> 53 #include <sys/queue.h> 54 #include <sys/callout.h> 55 #include <sys/cprng.h> 56 57 #include <net/if.h> 58 #include <net/if_types.h> 59 #include <net/if_dl.h> 60 #include <net/route.h> 61 62 #include <netinet/in.h> 63 #include <netinet/in_var.h> 64 #include <netinet6/in6_var.h> 65 #include <netinet6/in6_ifattach.h> 66 #include <netinet/ip6.h> 67 #include <netinet6/ip6_var.h> 68 #include <netinet6/scope6_var.h> 69 #include <netinet6/nd6.h> 70 #include <netinet/icmp6.h> 71 #include <netinet6/icmp6_private.h> 72 73 #include "carp.h" 74 #if NCARP > 0 75 #include <netinet/ip_carp.h> 76 #endif 77 78 struct dadq; 79 static struct dadq *nd6_dad_find(struct ifaddr *, struct nd_opt_nonce *); 80 static void nd6_dad_starttimer(struct dadq *, int); 81 static void nd6_dad_destroytimer(struct dadq *); 82 static void nd6_dad_timer(struct dadq *); 83 static void nd6_dad_ns_output(struct dadq *, struct ifaddr *); 84 static void nd6_dad_ns_input(struct ifaddr *, struct nd_opt_nonce *); 85 static void nd6_dad_na_input(struct ifaddr *); 86 static void nd6_dad_duplicated(struct dadq *); 87 88 static int dad_maxtry = 15; /* max # of *tries* to transmit DAD packet */ 89 90 /* 91 * Input a Neighbor Solicitation Message. 92 * 93 * Based on RFC 2461 94 * Based on RFC 2462 (duplicate address detection) 95 */ 96 void 97 nd6_ns_input(struct mbuf *m, int off, int icmp6len) 98 { 99 struct ifnet *ifp; 100 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 101 struct nd_neighbor_solicit *nd_ns; 102 struct in6_addr saddr6 = ip6->ip6_src; 103 struct in6_addr daddr6 = ip6->ip6_dst; 104 struct in6_addr taddr6; 105 struct in6_addr myaddr6; 106 char *lladdr = NULL; 107 struct ifaddr *ifa = NULL; 108 int lladdrlen = 0; 109 int anycast = 0, proxy = 0, tentative = 0; 110 int router = ip6_forwarding; 111 int tlladdr; 112 union nd_opts ndopts; 113 const struct sockaddr_dl *proxydl = NULL; 114 struct psref psref; 115 struct psref psref_ia; 116 char ip6buf[INET6_ADDRSTRLEN], ip6buf2[INET6_ADDRSTRLEN]; 117 118 ifp = m_get_rcvif_psref(m, &psref); 119 if (ifp == NULL) 120 goto freeit; 121 122 IP6_EXTHDR_GET(nd_ns, struct nd_neighbor_solicit *, m, off, icmp6len); 123 if (nd_ns == NULL) { 124 ICMP6_STATINC(ICMP6_STAT_TOOSHORT); 125 m_put_rcvif_psref(ifp, &psref); 126 return; 127 } 128 ip6 = mtod(m, struct ip6_hdr *); /* adjust pointer for safety */ 129 taddr6 = nd_ns->nd_ns_target; 130 if (in6_setscope(&taddr6, ifp, NULL) != 0) 131 goto bad; 132 133 if (ip6->ip6_hlim != 255) { 134 nd6log(LOG_ERR, "invalid hlim (%d) from %s to %s on %s\n", 135 ip6->ip6_hlim, IN6_PRINT(ip6buf, &ip6->ip6_src), 136 IN6_PRINT(ip6buf2, &ip6->ip6_dst), if_name(ifp)); 137 goto bad; 138 } 139 140 if (IN6_IS_ADDR_UNSPECIFIED(&saddr6)) { 141 /* dst has to be a solicited node multicast address. */ 142 /* don't check ifindex portion */ 143 if (daddr6.s6_addr16[0] == IPV6_ADDR_INT16_MLL && 144 daddr6.s6_addr32[1] == 0 && 145 daddr6.s6_addr32[2] == IPV6_ADDR_INT32_ONE && 146 daddr6.s6_addr8[12] == 0xff) { 147 ; /* good */ 148 } else { 149 nd6log(LOG_INFO, "bad DAD packet (wrong ip6 dst)\n"); 150 goto bad; 151 } 152 } else { 153 struct sockaddr_in6 ssin6; 154 155 /* 156 * Make sure the source address is from a neighbor's address. 157 */ 158 sockaddr_in6_init(&ssin6, &saddr6, 0, 0, 0); 159 if (nd6_is_addr_neighbor(&ssin6, ifp) == 0) { 160 nd6log(LOG_INFO, 161 "NS packet from non-neighbor %s on %s\n", 162 IN6_PRINT(ip6buf, &saddr6), if_name(ifp)); 163 goto bad; 164 } 165 } 166 167 if (IN6_IS_ADDR_MULTICAST(&taddr6)) { 168 nd6log(LOG_INFO, "bad NS target (multicast)\n"); 169 goto bad; 170 } 171 172 icmp6len -= sizeof(*nd_ns); 173 nd6_option_init(nd_ns + 1, icmp6len, &ndopts); 174 if (nd6_options(&ndopts) < 0) { 175 nd6log(LOG_INFO, "invalid ND option, ignored\n"); 176 /* nd6_options have incremented stats */ 177 goto freeit; 178 } 179 180 if (ndopts.nd_opts_src_lladdr) { 181 lladdr = (char *)(ndopts.nd_opts_src_lladdr + 1); 182 lladdrlen = ndopts.nd_opts_src_lladdr->nd_opt_len << 3; 183 } 184 185 if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src) && lladdr) { 186 nd6log(LOG_INFO, 187 "bad DAD packet (link-layer address option)\n"); 188 goto bad; 189 } 190 191 /* 192 * Attaching target link-layer address to the NA? 193 * (RFC 2461 7.2.4) 194 * 195 * NS IP dst is multicast MUST add 196 * Otherwise MAY be omitted 197 * 198 * In this implementation, we omit the target link-layer address 199 * in the "MAY" case. 200 */ 201 #if 0 /* too much! */ 202 ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp, &daddr6); 203 if (ifa && (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_ANYCAST)) 204 tlladdr = 0; 205 else 206 #endif 207 if (!IN6_IS_ADDR_MULTICAST(&daddr6)) 208 tlladdr = 0; 209 else 210 tlladdr = 1; 211 212 /* 213 * Target address (taddr6) must be either: 214 * (1) Valid unicast/anycast address for my receiving interface, 215 * (2) Unicast address for which I'm offering proxy service, or 216 * (3) "tentative" address on which DAD is being performed. 217 */ 218 /* (1) and (3) check. */ 219 #if NCARP > 0 220 if (ifp->if_carp && ifp->if_type != IFT_CARP) { 221 int s = pserialize_read_enter(); 222 ifa = carp_iamatch6(ifp->if_carp, &taddr6); 223 if (ifa != NULL) 224 ifa_acquire(ifa, &psref_ia); 225 pserialize_read_exit(s); 226 } else 227 ifa = NULL; 228 if (!ifa) 229 ifa = (struct ifaddr *)in6ifa_ifpwithaddr_psref(ifp, &taddr6, 230 &psref_ia); 231 #else 232 ifa = (struct ifaddr *)in6ifa_ifpwithaddr_psref(ifp, &taddr6, 233 &psref_ia); 234 #endif 235 236 /* (2) check. */ 237 if (ifa == NULL) { 238 struct rtentry *rt; 239 struct sockaddr_in6 tsin6; 240 241 sockaddr_in6_init(&tsin6, &taddr6, 0, 0, 0); 242 243 rt = rtalloc1(sin6tosa(&tsin6), 0); 244 if (rt && (rt->rt_flags & RTF_ANNOUNCE) != 0 && 245 rt->rt_gateway->sa_family == AF_LINK) { 246 /* 247 * proxy NDP for single entry 248 */ 249 ifa = (struct ifaddr *)in6ifa_ifpforlinklocal_psref(ifp, 250 IN6_IFF_NOTREADY|IN6_IFF_ANYCAST, &psref_ia); 251 if (ifa) { 252 proxy = 1; 253 proxydl = satocsdl(rt->rt_gateway); 254 router = 0; /* XXX */ 255 } 256 } 257 if (rt) 258 rt_unref(rt); 259 } 260 if (ifa == NULL) { 261 /* 262 * We've got an NS packet, and we don't have that address 263 * assigned for us. We MUST silently ignore it. 264 * See RFC2461 7.2.3. 265 */ 266 goto freeit; 267 } 268 myaddr6 = *IFA_IN6(ifa); 269 anycast = ((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_ANYCAST; 270 tentative = ((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_TENTATIVE; 271 if (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_DUPLICATED) 272 goto freeit; 273 274 if (lladdr && ((ifp->if_addrlen + 2 + 7) & ~7) != lladdrlen) { 275 nd6log(LOG_INFO, "lladdrlen mismatch for %s " 276 "(if %d, NS packet %d)\n", 277 IN6_PRINT(ip6buf, &taddr6), 278 ifp->if_addrlen, lladdrlen - 2); 279 goto bad; 280 } 281 282 if (IN6_ARE_ADDR_EQUAL(&myaddr6, &saddr6)) { 283 nd6log(LOG_INFO, "duplicate IP6 address %s\n", 284 IN6_PRINT(ip6buf, &saddr6)); 285 goto freeit; 286 } 287 288 /* 289 * We have neighbor solicitation packet, with target address equals to 290 * one of my tentative address. 291 * 292 * src addr how to process? 293 * --- --- 294 * multicast of course, invalid (rejected in ip6_input) 295 * unicast somebody is doing address resolution -> ignore 296 * unspec dup address detection 297 * 298 * The processing is defined in RFC 2462. 299 */ 300 if (tentative) { 301 /* 302 * If source address is unspecified address, it is for 303 * duplicate address detection. 304 * 305 * If not, the packet is for addess resolution; 306 * silently ignore it. 307 */ 308 if (IN6_IS_ADDR_UNSPECIFIED(&saddr6)) 309 nd6_dad_ns_input(ifa, ndopts.nd_opts_nonce); 310 ifa_release(ifa, &psref_ia); 311 ifa = NULL; 312 313 goto freeit; 314 } 315 ifa_release(ifa, &psref_ia); 316 ifa = NULL; 317 318 /* 319 * If the source address is unspecified address, entries must not 320 * be created or updated. 321 * It looks that sender is performing DAD. Output NA toward 322 * all-node multicast address, to tell the sender that I'm using 323 * the address. 324 * S bit ("solicited") must be zero. 325 */ 326 if (IN6_IS_ADDR_UNSPECIFIED(&saddr6)) { 327 struct in6_addr in6_all; 328 329 in6_all = in6addr_linklocal_allnodes; 330 if (in6_setscope(&in6_all, ifp, NULL) != 0) 331 goto bad; 332 nd6_na_output(ifp, &in6_all, &taddr6, 333 ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) | 334 (ip6_forwarding ? ND_NA_FLAG_ROUTER : 0), 335 tlladdr, (const struct sockaddr *)proxydl); 336 goto freeit; 337 } 338 339 nd6_cache_lladdr(ifp, &saddr6, lladdr, lladdrlen, ND_NEIGHBOR_SOLICIT, 0); 340 341 nd6_na_output(ifp, &saddr6, &taddr6, 342 ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) | 343 (router ? ND_NA_FLAG_ROUTER : 0) | ND_NA_FLAG_SOLICITED, 344 tlladdr, (const struct sockaddr *)proxydl); 345 freeit: 346 ifa_release(ifa, &psref_ia); 347 m_put_rcvif_psref(ifp, &psref); 348 m_freem(m); 349 return; 350 351 bad: 352 nd6log(LOG_ERR, "src=%s\n", IN6_PRINT(ip6buf, &saddr6)); 353 nd6log(LOG_ERR, "dst=%s\n", IN6_PRINT(ip6buf, &daddr6)); 354 nd6log(LOG_ERR, "tgt=%s\n", IN6_PRINT(ip6buf, &taddr6)); 355 ICMP6_STATINC(ICMP6_STAT_BADNS); 356 ifa_release(ifa, &psref_ia); 357 m_put_rcvif_psref(ifp, &psref); 358 m_freem(m); 359 } 360 361 /* 362 * Output a Neighbor Solicitation Message. Caller specifies: 363 * - ICMP6 header source IP6 address 364 * - ND6 header target IP6 address 365 * - ND6 header source datalink address 366 * 367 * Based on RFC 2461 368 * Based on RFC 2462 (duplicate address detection) 369 */ 370 void 371 nd6_ns_output(struct ifnet *ifp, const struct in6_addr *daddr6, 372 const struct in6_addr *taddr6, 373 struct in6_addr *hsrc, 374 uint8_t *nonce /* duplicate address detection */) 375 { 376 struct mbuf *m; 377 struct ip6_hdr *ip6; 378 struct nd_neighbor_solicit *nd_ns; 379 struct in6_addr *src, src_in; 380 struct ip6_moptions im6o; 381 int icmp6len; 382 int maxlen; 383 const void *mac; 384 struct route ro; 385 386 if (IN6_IS_ADDR_MULTICAST(taddr6)) 387 return; 388 389 memset(&ro, 0, sizeof(ro)); 390 391 /* estimate the size of message */ 392 maxlen = sizeof(*ip6) + sizeof(*nd_ns); 393 maxlen += (sizeof(struct nd_opt_hdr) + ifp->if_addrlen + 7) & ~7; 394 KASSERTMSG(max_linkhdr + maxlen <= MCLBYTES, 395 "max_linkhdr + maxlen > MCLBYTES (%d + %d > %d)", 396 max_linkhdr, maxlen, MCLBYTES); 397 398 MGETHDR(m, M_DONTWAIT, MT_DATA); 399 if (m && max_linkhdr + maxlen >= MHLEN) { 400 MCLGET(m, M_DONTWAIT); 401 if ((m->m_flags & M_EXT) == 0) { 402 m_free(m); 403 m = NULL; 404 } 405 } 406 if (m == NULL) 407 return; 408 m_reset_rcvif(m); 409 410 if (daddr6 == NULL || IN6_IS_ADDR_MULTICAST(daddr6)) { 411 m->m_flags |= M_MCAST; 412 im6o.im6o_multicast_if_index = if_get_index(ifp); 413 im6o.im6o_multicast_hlim = 255; 414 im6o.im6o_multicast_loop = 0; 415 } 416 417 icmp6len = sizeof(*nd_ns); 418 m->m_pkthdr.len = m->m_len = sizeof(*ip6) + icmp6len; 419 m->m_data += max_linkhdr; /* or MH_ALIGN() equivalent? */ 420 421 /* fill neighbor solicitation packet */ 422 ip6 = mtod(m, struct ip6_hdr *); 423 ip6->ip6_flow = 0; 424 ip6->ip6_vfc &= ~IPV6_VERSION_MASK; 425 ip6->ip6_vfc |= IPV6_VERSION; 426 /* ip6->ip6_plen will be set later */ 427 ip6->ip6_nxt = IPPROTO_ICMPV6; 428 ip6->ip6_hlim = 255; 429 if (daddr6) 430 ip6->ip6_dst = *daddr6; 431 else { 432 ip6->ip6_dst.s6_addr16[0] = IPV6_ADDR_INT16_MLL; 433 ip6->ip6_dst.s6_addr16[1] = 0; 434 ip6->ip6_dst.s6_addr32[1] = 0; 435 ip6->ip6_dst.s6_addr32[2] = IPV6_ADDR_INT32_ONE; 436 ip6->ip6_dst.s6_addr32[3] = taddr6->s6_addr32[3]; 437 ip6->ip6_dst.s6_addr8[12] = 0xff; 438 if (in6_setscope(&ip6->ip6_dst, ifp, NULL) != 0) 439 goto bad; 440 } 441 if (nonce == NULL) { 442 int s; 443 /* 444 * RFC2461 7.2.2: 445 * "If the source address of the packet prompting the 446 * solicitation is the same as one of the addresses assigned 447 * to the outgoing interface, that address SHOULD be placed 448 * in the IP Source Address of the outgoing solicitation. 449 * Otherwise, any one of the addresses assigned to the 450 * interface should be used." 451 * 452 * We use the source address for the prompting packet 453 * (hsrc), if: 454 * - hsrc is given from the caller (by giving "ln"), and 455 * - hsrc belongs to the outgoing interface. 456 * Otherwise, we perform the source address selection as usual. 457 */ 458 s = pserialize_read_enter(); 459 if (hsrc && in6ifa_ifpwithaddr(ifp, hsrc)) { 460 pserialize_read_exit(s); 461 src = hsrc; 462 } else { 463 int error; 464 struct sockaddr_in6 dst_sa; 465 466 pserialize_read_exit(s); 467 468 sockaddr_in6_init(&dst_sa, &ip6->ip6_dst, 0, 0, 0); 469 470 error = in6_selectsrc(&dst_sa, NULL, 471 NULL, &ro, NULL, NULL, NULL, &src_in); 472 if (error != 0) { 473 char ip6buf[INET6_ADDRSTRLEN]; 474 nd6log(LOG_DEBUG, "source can't be " 475 "determined: dst=%s, error=%d\n", 476 IN6_PRINT(ip6buf, &dst_sa.sin6_addr), 477 error); 478 pserialize_read_exit(s); 479 goto bad; 480 } 481 src = &src_in; 482 } 483 } else { 484 /* 485 * Source address for DAD packet must always be IPv6 486 * unspecified address. (0::0) 487 * We actually don't have to 0-clear the address (we did it 488 * above), but we do so here explicitly to make the intention 489 * clearer. 490 */ 491 memset(&src_in, 0, sizeof(src_in)); 492 src = &src_in; 493 } 494 ip6->ip6_src = *src; 495 nd_ns = (struct nd_neighbor_solicit *)(ip6 + 1); 496 nd_ns->nd_ns_type = ND_NEIGHBOR_SOLICIT; 497 nd_ns->nd_ns_code = 0; 498 nd_ns->nd_ns_reserved = 0; 499 nd_ns->nd_ns_target = *taddr6; 500 in6_clearscope(&nd_ns->nd_ns_target); /* XXX */ 501 502 /* 503 * Add source link-layer address option. 504 * 505 * spec implementation 506 * --- --- 507 * DAD packet MUST NOT do not add the option 508 * there's no link layer address: 509 * impossible do not add the option 510 * there's link layer address: 511 * Multicast NS MUST add one add the option 512 * Unicast NS SHOULD add one add the option 513 */ 514 if (nonce == NULL && (mac = nd6_ifptomac(ifp))) { 515 int optlen = sizeof(struct nd_opt_hdr) + ifp->if_addrlen; 516 struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_ns + 1); 517 /* 8 byte alignments... */ 518 optlen = (optlen + 7) & ~7; 519 520 m->m_pkthdr.len += optlen; 521 m->m_len += optlen; 522 icmp6len += optlen; 523 memset((void *)nd_opt, 0, optlen); 524 nd_opt->nd_opt_type = ND_OPT_SOURCE_LINKADDR; 525 nd_opt->nd_opt_len = optlen >> 3; 526 memcpy((void *)(nd_opt + 1), mac, ifp->if_addrlen); 527 } 528 529 /* Add a nonce option (RFC 3971) to detect looped back NS messages. 530 * This behavior is documented in RFC 7527. */ 531 if (nonce != NULL) { 532 int optlen = sizeof(struct nd_opt_hdr) + ND_OPT_NONCE_LEN; 533 struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_ns + 1); 534 535 /* 8-byte alignment is required. */ 536 optlen = (optlen + 7) & ~7; 537 m->m_pkthdr.len += optlen; 538 m->m_len += optlen; 539 icmp6len += optlen; 540 memset(nd_opt, 0, optlen); 541 nd_opt->nd_opt_type = ND_OPT_NONCE; 542 nd_opt->nd_opt_len = optlen >> 3; 543 memcpy(nd_opt + 1, nonce, ND_OPT_NONCE_LEN); 544 } 545 546 ip6->ip6_plen = htons((u_int16_t)icmp6len); 547 nd_ns->nd_ns_cksum = 0; 548 nd_ns->nd_ns_cksum = 549 in6_cksum(m, IPPROTO_ICMPV6, sizeof(*ip6), icmp6len); 550 551 ip6_output(m, NULL, &ro, nonce != NULL ? IPV6_UNSPECSRC : 0, 552 &im6o, NULL, NULL); 553 icmp6_ifstat_inc(ifp, ifs6_out_msg); 554 icmp6_ifstat_inc(ifp, ifs6_out_neighborsolicit); 555 ICMP6_STATINC(ICMP6_STAT_OUTHIST + ND_NEIGHBOR_SOLICIT); 556 557 rtcache_free(&ro); 558 return; 559 560 bad: 561 rtcache_free(&ro); 562 m_freem(m); 563 return; 564 } 565 566 /* 567 * Neighbor advertisement input handling. 568 * 569 * Based on RFC 2461 570 * Based on RFC 2462 (duplicate address detection) 571 * 572 * the following items are not implemented yet: 573 * - proxy advertisement delay rule (RFC2461 7.2.8, last paragraph, SHOULD) 574 * - anycast advertisement delay rule (RFC2461 7.2.7, SHOULD) 575 */ 576 void 577 nd6_na_input(struct mbuf *m, int off, int icmp6len) 578 { 579 struct ifnet *ifp; 580 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 581 struct nd_neighbor_advert *nd_na; 582 struct in6_addr saddr6 = ip6->ip6_src; 583 struct in6_addr daddr6 = ip6->ip6_dst; 584 struct in6_addr taddr6; 585 int flags; 586 int is_router; 587 int is_solicited; 588 int is_override; 589 char *lladdr = NULL; 590 int lladdrlen = 0; 591 struct ifaddr *ifa; 592 struct llentry *ln = NULL; 593 union nd_opts ndopts; 594 struct sockaddr_in6 ssin6; 595 int rt_announce; 596 bool checklink = false; 597 struct psref psref; 598 struct psref psref_ia; 599 char ip6buf[INET6_ADDRSTRLEN], ip6buf2[INET6_ADDRSTRLEN]; 600 601 ifp = m_get_rcvif_psref(m, &psref); 602 if (ifp == NULL) 603 goto freeit; 604 605 if (ip6->ip6_hlim != 255) { 606 nd6log(LOG_ERR, 607 "invalid hlim (%d) from %s to %s on %s\n", 608 ip6->ip6_hlim, IN6_PRINT(ip6buf, &ip6->ip6_src), 609 IN6_PRINT(ip6buf2, &ip6->ip6_dst), if_name(ifp)); 610 goto bad; 611 } 612 613 IP6_EXTHDR_GET(nd_na, struct nd_neighbor_advert *, m, off, icmp6len); 614 if (nd_na == NULL) { 615 m_put_rcvif_psref(ifp, &psref); 616 ICMP6_STATINC(ICMP6_STAT_TOOSHORT); 617 return; 618 } 619 620 flags = nd_na->nd_na_flags_reserved; 621 is_router = ((flags & ND_NA_FLAG_ROUTER) != 0); 622 is_solicited = ((flags & ND_NA_FLAG_SOLICITED) != 0); 623 is_override = ((flags & ND_NA_FLAG_OVERRIDE) != 0); 624 625 taddr6 = nd_na->nd_na_target; 626 if (in6_setscope(&taddr6, ifp, NULL)) { 627 goto bad; 628 } 629 630 if (IN6_IS_ADDR_MULTICAST(&taddr6)) { 631 nd6log(LOG_ERR, "invalid target address %s\n", 632 IN6_PRINT(ip6buf, &taddr6)); 633 goto bad; 634 } 635 if (is_solicited && IN6_IS_ADDR_MULTICAST(&daddr6)) { 636 nd6log(LOG_ERR, "a solicited adv is multicasted\n"); 637 goto bad; 638 } 639 640 icmp6len -= sizeof(*nd_na); 641 nd6_option_init(nd_na + 1, icmp6len, &ndopts); 642 if (nd6_options(&ndopts) < 0) { 643 nd6log(LOG_INFO, "invalid ND option, ignored\n"); 644 /* nd6_options have incremented stats */ 645 goto freeit; 646 } 647 648 if (ndopts.nd_opts_tgt_lladdr) { 649 lladdr = (char *)(ndopts.nd_opts_tgt_lladdr + 1); 650 lladdrlen = ndopts.nd_opts_tgt_lladdr->nd_opt_len << 3; 651 } 652 653 ifa = (struct ifaddr *)in6ifa_ifpwithaddr_psref(ifp, &taddr6, &psref_ia); 654 655 /* 656 * Target address matches one of my interface address. 657 * 658 * If my address is tentative, this means that there's somebody 659 * already using the same address as mine. This indicates DAD failure. 660 * This is defined in RFC 2462. 661 * 662 * Otherwise, process as defined in RFC 2461. 663 */ 664 if (ifa 665 && (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_TENTATIVE)) { 666 nd6_dad_na_input(ifa); 667 ifa_release(ifa, &psref_ia); 668 ifa = NULL; 669 goto freeit; 670 } 671 672 /* Just for safety, maybe unnecessary. */ 673 if (ifa) { 674 log(LOG_ERR, 675 "nd6_na_input: duplicate IP6 address %s\n", 676 IN6_PRINT(ip6buf, &taddr6)); 677 ifa_release(ifa, &psref_ia); 678 ifa = NULL; 679 goto freeit; 680 } 681 682 /* 683 * Make sure the source address is from a neighbor's address. 684 */ 685 sockaddr_in6_init(&ssin6, &saddr6, 0, 0, 0); 686 if (nd6_is_addr_neighbor(&ssin6, ifp) == 0) { 687 nd6log(LOG_INFO, "ND packet from non-neighbor %s on %s\n", 688 IN6_PRINT(ip6buf, &saddr6), if_name(ifp)); 689 goto bad; 690 } 691 692 if (lladdr && ((ifp->if_addrlen + 2 + 7) & ~7) != lladdrlen) { 693 nd6log(LOG_INFO, "lladdrlen mismatch for %s " 694 "(if %d, NA packet %d)\n", IN6_PRINT(ip6buf, &taddr6), 695 ifp->if_addrlen, lladdrlen - 2); 696 goto bad; 697 } 698 699 /* 700 * If no neighbor cache entry is found, NA SHOULD silently be 701 * discarded. 702 */ 703 ln = nd6_lookup(&taddr6, ifp, true); 704 if (ln == NULL) 705 goto freeit; 706 707 rt_announce = 0; 708 if (ln->ln_state == ND6_LLINFO_INCOMPLETE) { 709 /* 710 * If the link-layer has address, and no lladdr option came, 711 * discard the packet. 712 */ 713 if (ifp->if_addrlen && !lladdr) 714 goto freeit; 715 716 /* 717 * Record link-layer address, and update the state. 718 */ 719 memcpy(&ln->ll_addr, lladdr, ifp->if_addrlen); 720 ln->la_flags |= LLE_VALID; 721 rt_announce = 1; 722 if (is_solicited) { 723 ln->ln_state = ND6_LLINFO_REACHABLE; 724 ln->ln_byhint = 0; 725 if (!ND6_LLINFO_PERMANENT(ln)) { 726 nd6_llinfo_settimer(ln, 727 ND_IFINFO(ln->lle_tbl->llt_ifp)->reachable * hz); 728 } 729 } else { 730 ln->ln_state = ND6_LLINFO_STALE; 731 nd6_llinfo_settimer(ln, nd6_gctimer * hz); 732 } 733 if ((ln->ln_router = is_router) != 0) { 734 /* 735 * This means a router's state has changed from 736 * non-reachable to probably reachable, and might 737 * affect the status of associated prefixes.. 738 */ 739 checklink = true; 740 } 741 } else { 742 int llchange; 743 744 /* 745 * Check if the link-layer address has changed or not. 746 */ 747 if (lladdr == NULL) 748 llchange = 0; 749 else { 750 if (ln->la_flags & LLE_VALID) { 751 if (memcmp(lladdr, &ln->ll_addr, ifp->if_addrlen)) 752 llchange = rt_announce = 1; 753 else 754 llchange = 0; 755 } else 756 llchange = rt_announce = 1; 757 } 758 759 /* 760 * This is VERY complex. Look at it with care. 761 * 762 * override solicit lladdr llchange action 763 * (L: record lladdr) 764 * 765 * 0 0 n -- (2c) 766 * 0 0 y n (2b) L 767 * 0 0 y y (1) REACHABLE->STALE 768 * 0 1 n -- (2c) *->REACHABLE 769 * 0 1 y n (2b) L *->REACHABLE 770 * 0 1 y y (1) REACHABLE->STALE 771 * 1 0 n -- (2a) 772 * 1 0 y n (2a) L 773 * 1 0 y y (2a) L *->STALE 774 * 1 1 n -- (2a) *->REACHABLE 775 * 1 1 y n (2a) L *->REACHABLE 776 * 1 1 y y (2a) L *->REACHABLE 777 */ 778 if (!is_override && lladdr != NULL && llchange) { /* (1) */ 779 /* 780 * If state is REACHABLE, make it STALE. 781 * no other updates should be done. 782 */ 783 if (ln->ln_state == ND6_LLINFO_REACHABLE) { 784 ln->ln_state = ND6_LLINFO_STALE; 785 nd6_llinfo_settimer(ln, nd6_gctimer * hz); 786 } 787 goto freeit; 788 } else if (is_override /* (2a) */ 789 || (!is_override && lladdr != NULL && !llchange) /* (2b) */ 790 || lladdr == NULL) { /* (2c) */ 791 /* 792 * Update link-local address, if any. 793 */ 794 if (lladdr != NULL) { 795 memcpy(&ln->ll_addr, lladdr, ifp->if_addrlen); 796 ln->la_flags |= LLE_VALID; 797 } 798 799 /* 800 * If solicited, make the state REACHABLE. 801 * If not solicited and the link-layer address was 802 * changed, make it STALE. 803 */ 804 if (is_solicited) { 805 ln->ln_state = ND6_LLINFO_REACHABLE; 806 ln->ln_byhint = 0; 807 if (!ND6_LLINFO_PERMANENT(ln)) { 808 nd6_llinfo_settimer(ln, 809 ND_IFINFO(ifp)->reachable * hz); 810 } 811 } else { 812 if (lladdr && llchange) { 813 ln->ln_state = ND6_LLINFO_STALE; 814 nd6_llinfo_settimer(ln, 815 nd6_gctimer * hz); 816 } 817 } 818 } 819 820 if (ln->ln_router && !is_router) { 821 /* 822 * The peer dropped the router flag. 823 * Remove the sender from the Default Router List and 824 * update the Destination Cache entries. 825 */ 826 struct nd_defrouter *dr; 827 const struct in6_addr *in6; 828 829 in6 = &ln->r_l3addr.addr6; 830 831 ND6_WLOCK(); 832 dr = nd6_defrouter_lookup(in6, ln->lle_tbl->llt_ifp); 833 if (dr) 834 nd6_defrtrlist_del(dr, NULL); 835 else if (!ip6_forwarding) { 836 /* 837 * Even if the neighbor is not in the default 838 * router list, the neighbor may be used 839 * as a next hop for some destinations 840 * (e.g. redirect case). So we must 841 * call nd6_rt_flush explicitly. 842 */ 843 nd6_rt_flush(&ip6->ip6_src, ln->lle_tbl->llt_ifp); 844 } 845 ND6_UNLOCK(); 846 } 847 ln->ln_router = is_router; 848 } 849 /* 850 * XXX: does this matter? 851 * rt->rt_flags &= ~RTF_REJECT; 852 */ 853 ln->ln_asked = 0; 854 nd6_llinfo_release_pkts(ln, ifp); 855 /* FIXME */ 856 #if 0 857 if (rt_announce) /* tell user process about any new lladdr */ 858 rt_newmsg(RTM_CHANGE, rt); 859 #endif 860 861 freeit: 862 if (ln != NULL) 863 LLE_WUNLOCK(ln); 864 865 if (checklink) { 866 ND6_WLOCK(); 867 nd6_pfxlist_onlink_check(); 868 ND6_UNLOCK(); 869 } 870 871 m_put_rcvif_psref(ifp, &psref); 872 m_freem(m); 873 return; 874 875 bad: 876 if (ln != NULL) 877 LLE_WUNLOCK(ln); 878 879 ICMP6_STATINC(ICMP6_STAT_BADNA); 880 m_put_rcvif_psref(ifp, &psref); 881 m_freem(m); 882 } 883 884 /* 885 * Neighbor advertisement output handling. 886 * 887 * Based on RFC 2461 888 * 889 * the following items are not implemented yet: 890 * - proxy advertisement delay rule (RFC2461 7.2.8, last paragraph, SHOULD) 891 * - anycast advertisement delay rule (RFC2461 7.2.7, SHOULD) 892 */ 893 void 894 nd6_na_output( 895 struct ifnet *ifp, 896 const struct in6_addr *daddr6_0, 897 const struct in6_addr *taddr6, 898 u_long flags, 899 int tlladdr, /* 1 if include target link-layer address */ 900 const struct sockaddr *sdl0) /* sockaddr_dl (= proxy NA) or NULL */ 901 { 902 struct mbuf *m; 903 struct ip6_hdr *ip6; 904 struct nd_neighbor_advert *nd_na; 905 struct ip6_moptions im6o; 906 struct sockaddr *dst; 907 union { 908 struct sockaddr dst; 909 struct sockaddr_in6 dst6; 910 } u; 911 struct in6_addr daddr6; 912 int icmp6len, maxlen, error; 913 const void *mac; 914 struct route ro; 915 916 mac = NULL; 917 memset(&ro, 0, sizeof(ro)); 918 919 daddr6 = *daddr6_0; /* make a local copy for modification */ 920 921 /* estimate the size of message */ 922 maxlen = sizeof(*ip6) + sizeof(*nd_na); 923 maxlen += (sizeof(struct nd_opt_hdr) + ifp->if_addrlen + 7) & ~7; 924 KASSERTMSG(max_linkhdr + maxlen <= MCLBYTES, 925 "max_linkhdr + maxlen > MCLBYTES (%d + %d > %d)", 926 max_linkhdr, maxlen, MCLBYTES); 927 928 MGETHDR(m, M_DONTWAIT, MT_DATA); 929 if (m && max_linkhdr + maxlen >= MHLEN) { 930 MCLGET(m, M_DONTWAIT); 931 if ((m->m_flags & M_EXT) == 0) { 932 m_free(m); 933 m = NULL; 934 } 935 } 936 if (m == NULL) 937 return; 938 m_reset_rcvif(m); 939 940 if (IN6_IS_ADDR_MULTICAST(&daddr6)) { 941 m->m_flags |= M_MCAST; 942 im6o.im6o_multicast_if_index = if_get_index(ifp); 943 im6o.im6o_multicast_hlim = 255; 944 im6o.im6o_multicast_loop = 0; 945 } 946 947 icmp6len = sizeof(*nd_na); 948 m->m_pkthdr.len = m->m_len = sizeof(struct ip6_hdr) + icmp6len; 949 m->m_data += max_linkhdr; /* or MH_ALIGN() equivalent? */ 950 951 /* fill neighbor advertisement packet */ 952 ip6 = mtod(m, struct ip6_hdr *); 953 ip6->ip6_flow = 0; 954 ip6->ip6_vfc &= ~IPV6_VERSION_MASK; 955 ip6->ip6_vfc |= IPV6_VERSION; 956 ip6->ip6_nxt = IPPROTO_ICMPV6; 957 ip6->ip6_hlim = 255; 958 if (IN6_IS_ADDR_UNSPECIFIED(&daddr6)) { 959 /* reply to DAD */ 960 daddr6.s6_addr16[0] = IPV6_ADDR_INT16_MLL; 961 daddr6.s6_addr16[1] = 0; 962 daddr6.s6_addr32[1] = 0; 963 daddr6.s6_addr32[2] = 0; 964 daddr6.s6_addr32[3] = IPV6_ADDR_INT32_ONE; 965 if (in6_setscope(&daddr6, ifp, NULL)) 966 goto bad; 967 968 flags &= ~ND_NA_FLAG_SOLICITED; 969 } 970 ip6->ip6_dst = daddr6; 971 sockaddr_in6_init(&u.dst6, &daddr6, 0, 0, 0); 972 dst = &u.dst; 973 if (rtcache_setdst(&ro, dst) != 0) 974 goto bad; 975 976 /* 977 * Select a source whose scope is the same as that of the dest. 978 */ 979 error = in6_selectsrc(satosin6(dst), NULL, NULL, &ro, NULL, NULL, NULL, 980 &ip6->ip6_src); 981 if (error != 0) { 982 char ip6buf[INET6_ADDRSTRLEN]; 983 nd6log(LOG_DEBUG, "source can't be " 984 "determined: dst=%s, error=%d\n", 985 IN6_PRINT(ip6buf, &satocsin6(dst)->sin6_addr), error); 986 goto bad; 987 } 988 nd_na = (struct nd_neighbor_advert *)(ip6 + 1); 989 nd_na->nd_na_type = ND_NEIGHBOR_ADVERT; 990 nd_na->nd_na_code = 0; 991 nd_na->nd_na_target = *taddr6; 992 in6_clearscope(&nd_na->nd_na_target); /* XXX */ 993 994 /* 995 * "tlladdr" indicates NS's condition for adding tlladdr or not. 996 * see nd6_ns_input() for details. 997 * Basically, if NS packet is sent to unicast/anycast addr, 998 * target lladdr option SHOULD NOT be included. 999 */ 1000 if (tlladdr) { 1001 /* 1002 * sdl0 != NULL indicates proxy NA. If we do proxy, use 1003 * lladdr in sdl0. If we are not proxying (sending NA for 1004 * my address) use lladdr configured for the interface. 1005 */ 1006 if (sdl0 == NULL) 1007 mac = nd6_ifptomac(ifp); 1008 else if (sdl0->sa_family == AF_LINK) { 1009 const struct sockaddr_dl *sdl; 1010 sdl = satocsdl(sdl0); 1011 if (sdl->sdl_alen == ifp->if_addrlen) 1012 mac = CLLADDR(sdl); 1013 } 1014 } 1015 if (tlladdr && mac) { 1016 int optlen = sizeof(struct nd_opt_hdr) + ifp->if_addrlen; 1017 struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_na + 1); 1018 1019 /* roundup to 8 bytes alignment! */ 1020 optlen = (optlen + 7) & ~7; 1021 1022 m->m_pkthdr.len += optlen; 1023 m->m_len += optlen; 1024 icmp6len += optlen; 1025 memset((void *)nd_opt, 0, optlen); 1026 nd_opt->nd_opt_type = ND_OPT_TARGET_LINKADDR; 1027 nd_opt->nd_opt_len = optlen >> 3; 1028 memcpy((void *)(nd_opt + 1), mac, ifp->if_addrlen); 1029 } else 1030 flags &= ~ND_NA_FLAG_OVERRIDE; 1031 1032 ip6->ip6_plen = htons((u_int16_t)icmp6len); 1033 nd_na->nd_na_flags_reserved = flags; 1034 nd_na->nd_na_cksum = 0; 1035 nd_na->nd_na_cksum = 1036 in6_cksum(m, IPPROTO_ICMPV6, sizeof(struct ip6_hdr), icmp6len); 1037 1038 ip6_output(m, NULL, NULL, 0, &im6o, NULL, NULL); 1039 1040 icmp6_ifstat_inc(ifp, ifs6_out_msg); 1041 icmp6_ifstat_inc(ifp, ifs6_out_neighboradvert); 1042 ICMP6_STATINC(ICMP6_STAT_OUTHIST + ND_NEIGHBOR_ADVERT); 1043 1044 rtcache_free(&ro); 1045 return; 1046 1047 bad: 1048 rtcache_free(&ro); 1049 m_freem(m); 1050 return; 1051 } 1052 1053 const void * 1054 nd6_ifptomac(const struct ifnet *ifp) 1055 { 1056 switch (ifp->if_type) { 1057 case IFT_ARCNET: 1058 case IFT_ETHER: 1059 case IFT_FDDI: 1060 case IFT_IEEE1394: 1061 case IFT_PROPVIRTUAL: 1062 case IFT_CARP: 1063 case IFT_L2VLAN: 1064 case IFT_IEEE80211: 1065 return CLLADDR(ifp->if_sadl); 1066 default: 1067 return NULL; 1068 } 1069 } 1070 1071 TAILQ_HEAD(dadq_head, dadq); 1072 struct dadq { 1073 TAILQ_ENTRY(dadq) dad_list; 1074 struct ifaddr *dad_ifa; 1075 int dad_count; /* max NS to send */ 1076 int dad_ns_tcount; /* # of trials to send NS */ 1077 int dad_ns_ocount; /* NS sent so far */ 1078 int dad_ns_icount; 1079 int dad_na_icount; 1080 int dad_ns_lcount; /* looped back NS */ 1081 struct callout dad_timer_ch; 1082 #define ND_OPT_NONCE_STORE 3 /* dad_count should not exceed this */ 1083 /* 1084 * The default ip6_dad_count is 1 as specified by RFC 4862 and 1085 * practically must users won't exceed this. 1086 * A storage of 3 is defaulted to here, in-case the administrator wants 1087 * to match the equivalent behaviour in our ARP implementation. 1088 * This constraint could be removed by sending the on wire nonce as 1089 * hmac(key, dad_ns_ocount), but that would increase the nonce size 1090 * sent on the wire. 1091 */ 1092 uint8_t dad_nonce[ND_OPT_NONCE_STORE][ND_OPT_NONCE_LEN]; 1093 }; 1094 1095 static struct dadq_head dadq; 1096 static int dad_init = 0; 1097 static kmutex_t nd6_dad_lock; 1098 1099 static struct dadq * 1100 nd6_dad_find(struct ifaddr *ifa, struct nd_opt_nonce *nonce) 1101 { 1102 struct dadq *dp; 1103 int i, nonce_max; 1104 1105 KASSERT(mutex_owned(&nd6_dad_lock)); 1106 1107 TAILQ_FOREACH(dp, &dadq, dad_list) { 1108 if (dp->dad_ifa != ifa) 1109 continue; 1110 1111 if (nonce == NULL || 1112 nonce->nd_opt_nonce_len != (ND_OPT_NONCE_LEN + 2) / 8) 1113 break; 1114 1115 nonce_max = MIN(dp->dad_ns_ocount, ND_OPT_NONCE_STORE); 1116 for (i = 0; i < nonce_max; i++) { 1117 if (memcmp(nonce->nd_opt_nonce, 1118 dp->dad_nonce[i], 1119 ND_OPT_NONCE_LEN) == 0) 1120 break; 1121 } 1122 if (i < nonce_max) { 1123 char ip6buf[INET6_ADDRSTRLEN]; 1124 1125 log(LOG_DEBUG, 1126 "%s: detected a looped back NS message for %s\n", 1127 ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???", 1128 IN6_PRINT(ip6buf, IFA_IN6(ifa))); 1129 dp->dad_ns_lcount++; 1130 continue; 1131 } 1132 1133 break; 1134 } 1135 return dp; 1136 } 1137 1138 static void 1139 nd6_dad_starttimer(struct dadq *dp, int ticks) 1140 { 1141 1142 callout_reset(&dp->dad_timer_ch, ticks, 1143 (void (*)(void *))nd6_dad_timer, dp); 1144 } 1145 1146 static void 1147 nd6_dad_stoptimer(struct dadq *dp) 1148 { 1149 1150 KASSERT(mutex_owned(&nd6_dad_lock)); 1151 1152 TAILQ_REMOVE(&dadq, dp, dad_list); 1153 /* Tell the timer that dp is being destroyed. */ 1154 dp->dad_ifa = NULL; 1155 callout_halt(&dp->dad_timer_ch, &nd6_dad_lock); 1156 } 1157 1158 static void 1159 nd6_dad_destroytimer(struct dadq *dp) 1160 { 1161 1162 KASSERT(dp->dad_ifa == NULL); 1163 callout_destroy(&dp->dad_timer_ch); 1164 kmem_intr_free(dp, sizeof(*dp)); 1165 } 1166 1167 /* 1168 * Start Duplicate Address Detection (DAD) for specified interface address. 1169 * 1170 * Note that callout is used when xtick > 0 and not when xtick == 0. 1171 * 1172 * xtick: minimum delay ticks for IFF_UP event 1173 */ 1174 void 1175 nd6_dad_start(struct ifaddr *ifa, int xtick) 1176 { 1177 struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa; 1178 struct dadq *dp; 1179 char ip6buf[INET6_ADDRSTRLEN]; 1180 1181 if (!dad_init) { 1182 TAILQ_INIT(&dadq); 1183 mutex_init(&nd6_dad_lock, MUTEX_DEFAULT, IPL_NONE); 1184 dad_init++; 1185 } 1186 1187 /* 1188 * If we don't need DAD, don't do it. 1189 * There are several cases: 1190 * - DAD is disabled (ip6_dad_count == 0) 1191 * - the interface address is anycast 1192 */ 1193 if (!(ia->ia6_flags & IN6_IFF_TENTATIVE)) { 1194 log(LOG_DEBUG, 1195 "nd6_dad_start: called with non-tentative address " 1196 "%s(%s)\n", 1197 IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr), 1198 ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???"); 1199 return; 1200 } 1201 if (ia->ia6_flags & IN6_IFF_ANYCAST || !ip6_dad_count) { 1202 ia->ia6_flags &= ~IN6_IFF_TENTATIVE; 1203 rt_newaddrmsg(RTM_NEWADDR, ifa, 0, NULL); 1204 return; 1205 } 1206 KASSERT(ifa->ifa_ifp != NULL); 1207 if (!(ifa->ifa_ifp->if_flags & IFF_UP)) 1208 return; 1209 1210 dp = kmem_intr_alloc(sizeof(*dp), KM_NOSLEEP); 1211 1212 mutex_enter(&nd6_dad_lock); 1213 if (nd6_dad_find(ifa, NULL) != NULL) { 1214 mutex_exit(&nd6_dad_lock); 1215 /* DAD already in progress */ 1216 if (dp != NULL) 1217 kmem_intr_free(dp, sizeof(*dp)); 1218 return; 1219 } 1220 1221 if (dp == NULL) { 1222 mutex_exit(&nd6_dad_lock); 1223 log(LOG_ERR, "nd6_dad_start: memory allocation failed for " 1224 "%s(%s)\n", 1225 IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr), 1226 ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???"); 1227 return; 1228 } 1229 1230 /* 1231 * Send NS packet for DAD, ip6_dad_count times. 1232 * Note that we must delay the first transmission, if this is the 1233 * first packet to be sent from the interface after interface 1234 * (re)initialization. 1235 */ 1236 callout_init(&dp->dad_timer_ch, CALLOUT_MPSAFE); 1237 dp->dad_ifa = ifa; 1238 ifaref(ifa); /* just for safety */ 1239 dp->dad_count = ip6_dad_count; 1240 dp->dad_ns_icount = dp->dad_na_icount = 0; 1241 dp->dad_ns_ocount = dp->dad_ns_tcount = 0; 1242 dp->dad_ns_lcount = 0; 1243 TAILQ_INSERT_TAIL(&dadq, (struct dadq *)dp, dad_list); 1244 1245 nd6log(LOG_DEBUG, "%s: starting DAD for %s\n", if_name(ifa->ifa_ifp), 1246 IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr)); 1247 1248 if (xtick == 0) { 1249 nd6_dad_ns_output(dp, ifa); 1250 nd6_dad_starttimer(dp, 1251 (long)ND_IFINFO(ifa->ifa_ifp)->retrans * hz / 1000); 1252 } else 1253 nd6_dad_starttimer(dp, xtick); 1254 mutex_exit(&nd6_dad_lock); 1255 } 1256 1257 /* 1258 * terminate DAD unconditionally. used for address removals. 1259 */ 1260 void 1261 nd6_dad_stop(struct ifaddr *ifa) 1262 { 1263 struct dadq *dp; 1264 1265 if (!dad_init) 1266 return; 1267 1268 mutex_enter(&nd6_dad_lock); 1269 dp = nd6_dad_find(ifa, NULL); 1270 if (dp == NULL) { 1271 mutex_exit(&nd6_dad_lock); 1272 /* DAD wasn't started yet */ 1273 return; 1274 } 1275 1276 /* Prevent the timer from running anymore. */ 1277 nd6_dad_stoptimer(dp); 1278 1279 mutex_exit(&nd6_dad_lock); 1280 1281 nd6_dad_destroytimer(dp); 1282 ifafree(ifa); 1283 } 1284 1285 static void 1286 nd6_dad_timer(struct dadq *dp) 1287 { 1288 struct ifaddr *ifa; 1289 struct in6_ifaddr *ia; 1290 int duplicate = 0; 1291 char ip6buf[INET6_ADDRSTRLEN]; 1292 bool need_free = false; 1293 1294 KERNEL_LOCK_UNLESS_NET_MPSAFE(); 1295 mutex_enter(&nd6_dad_lock); 1296 1297 ifa = dp->dad_ifa; 1298 if (ifa == NULL) { 1299 /* dp is being destroyed by someone. Do nothing. */ 1300 goto done; 1301 } 1302 1303 ia = (struct in6_ifaddr *)ifa; 1304 if (ia->ia6_flags & IN6_IFF_DUPLICATED) { 1305 log(LOG_ERR, "nd6_dad_timer: called with duplicate address " 1306 "%s(%s)\n", 1307 IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr), 1308 ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???"); 1309 goto done; 1310 } 1311 if ((ia->ia6_flags & IN6_IFF_TENTATIVE) == 0) { 1312 log(LOG_ERR, "nd6_dad_timer: called with non-tentative address " 1313 "%s(%s)\n", 1314 IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr), 1315 ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???"); 1316 goto done; 1317 } 1318 1319 /* timeouted with IFF_{RUNNING,UP} check */ 1320 if (dp->dad_ns_tcount > dad_maxtry) { 1321 nd6log(LOG_INFO, "%s: could not run DAD, driver problem?\n", 1322 if_name(ifa->ifa_ifp)); 1323 1324 nd6_dad_stoptimer(dp); 1325 need_free = true; 1326 goto done; 1327 } 1328 1329 /* Need more checks? */ 1330 if (dp->dad_ns_ocount < dp->dad_count) { 1331 /* 1332 * We have more NS to go. Send NS packet for DAD. 1333 */ 1334 nd6_dad_ns_output(dp, ifa); 1335 nd6_dad_starttimer(dp, 1336 (long)ND_IFINFO(ifa->ifa_ifp)->retrans * hz / 1000); 1337 } else { 1338 /* 1339 * We have transmitted sufficient number of DAD packets. 1340 * See what we've got. 1341 */ 1342 if (dp->dad_na_icount) { 1343 /* 1344 * the check is in nd6_dad_na_input(), 1345 * but just in case 1346 */ 1347 duplicate++; 1348 } 1349 1350 if (dp->dad_ns_icount) { 1351 /* We've seen NS, means DAD has failed. */ 1352 duplicate++; 1353 } 1354 1355 if (duplicate) { 1356 nd6_dad_duplicated(dp); 1357 nd6_dad_stoptimer(dp); 1358 need_free = true; 1359 } else { 1360 /* 1361 * We are done with DAD. No NA came, no NS came. 1362 * No duplicate address found. 1363 */ 1364 ia->ia6_flags &= ~IN6_IFF_TENTATIVE; 1365 rt_newaddrmsg(RTM_NEWADDR, ifa, 0, NULL); 1366 1367 nd6log(LOG_DEBUG, 1368 "%s: DAD complete for %s - no duplicates found\n", 1369 if_name(ifa->ifa_ifp), 1370 IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr)); 1371 1372 nd6_dad_stoptimer(dp); 1373 need_free = true; 1374 } 1375 } 1376 done: 1377 mutex_exit(&nd6_dad_lock); 1378 1379 if (need_free) { 1380 nd6_dad_destroytimer(dp); 1381 KASSERT(ifa != NULL); 1382 ifafree(ifa); 1383 } 1384 1385 KERNEL_UNLOCK_UNLESS_NET_MPSAFE(); 1386 } 1387 1388 static void 1389 nd6_dad_duplicated(struct dadq *dp) 1390 { 1391 struct ifaddr *ifa = dp->dad_ifa; 1392 struct in6_ifaddr *ia; 1393 struct ifnet *ifp; 1394 char ip6buf[INET6_ADDRSTRLEN]; 1395 1396 KASSERT(mutex_owned(&nd6_dad_lock)); 1397 KASSERT(ifa != NULL); 1398 1399 ifp = ifa->ifa_ifp; 1400 ia = (struct in6_ifaddr *)ifa; 1401 log(LOG_ERR, "%s: DAD detected duplicate IPv6 address %s: " 1402 "NS in/out/loopback=%d/%d/%d, NA in=%d\n", 1403 if_name(ifp), IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr), 1404 dp->dad_ns_icount, dp->dad_ns_ocount, dp->dad_ns_lcount, 1405 dp->dad_na_icount); 1406 1407 ia->ia6_flags &= ~IN6_IFF_TENTATIVE; 1408 ia->ia6_flags |= IN6_IFF_DUPLICATED; 1409 1410 log(LOG_ERR, "%s: DAD complete for %s - duplicate found\n", 1411 if_name(ifp), IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr)); 1412 log(LOG_ERR, "%s: manual intervention required\n", 1413 if_name(ifp)); 1414 1415 /* Inform the routing socket that DAD has completed */ 1416 rt_newaddrmsg(RTM_NEWADDR, ifa, 0, NULL); 1417 1418 /* 1419 * If the address is a link-local address formed from an interface 1420 * identifier based on the hardware address which is supposed to be 1421 * uniquely assigned (e.g., EUI-64 for an Ethernet interface), IP 1422 * operation on the interface SHOULD be disabled. 1423 * [rfc2462bis-03 Section 5.4.5] 1424 */ 1425 if (IN6_IS_ADDR_LINKLOCAL(&ia->ia_addr.sin6_addr)) { 1426 struct in6_addr in6; 1427 1428 /* 1429 * To avoid over-reaction, we only apply this logic when we are 1430 * very sure that hardware addresses are supposed to be unique. 1431 */ 1432 switch (ifp->if_type) { 1433 case IFT_ETHER: 1434 case IFT_FDDI: 1435 case IFT_ATM: 1436 case IFT_IEEE1394: 1437 case IFT_IEEE80211: 1438 in6 = ia->ia_addr.sin6_addr; 1439 if (in6_get_hw_ifid(ifp, &in6) == 0 && 1440 IN6_ARE_ADDR_EQUAL(&ia->ia_addr.sin6_addr, &in6)) { 1441 ND_IFINFO(ifp)->flags |= ND6_IFF_IFDISABLED; 1442 log(LOG_ERR, "%s: possible hardware address " 1443 "duplication detected, disable IPv6\n", 1444 if_name(ifp)); 1445 } 1446 break; 1447 } 1448 } 1449 } 1450 1451 static void 1452 nd6_dad_ns_output(struct dadq *dp, struct ifaddr *ifa) 1453 { 1454 struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa; 1455 struct ifnet *ifp = ifa->ifa_ifp; 1456 uint8_t *nonce; 1457 1458 dp->dad_ns_tcount++; 1459 if ((ifp->if_flags & IFF_UP) == 0) { 1460 #if 0 1461 printf("%s: interface down?\n", if_name(ifp)); 1462 #endif 1463 return; 1464 } 1465 if ((ifp->if_flags & IFF_RUNNING) == 0) { 1466 #if 0 1467 printf("%s: interface not running?\n", if_name(ifp)); 1468 #endif 1469 return; 1470 } 1471 1472 dp->dad_ns_tcount = 0; 1473 nonce = dp->dad_nonce[dp->dad_ns_ocount % ND_OPT_NONCE_STORE]; 1474 cprng_fast(nonce, ND_OPT_NONCE_LEN); 1475 dp->dad_ns_ocount++; 1476 1477 nd6_ns_output(ifp, NULL, &ia->ia_addr.sin6_addr, NULL, nonce); 1478 } 1479 1480 static void 1481 nd6_dad_ns_input(struct ifaddr *ifa, struct nd_opt_nonce *nonce) 1482 { 1483 struct dadq *dp; 1484 int duplicate; 1485 1486 if (ifa == NULL) 1487 panic("ifa == NULL in nd6_dad_ns_input"); 1488 1489 duplicate = 0; 1490 1491 mutex_enter(&nd6_dad_lock); 1492 dp = nd6_dad_find(ifa, nonce); 1493 1494 /* 1495 * if I'm yet to start DAD, someone else started using this address 1496 * first. I have a duplicate and you win. 1497 */ 1498 if (dp == NULL || dp->dad_ns_ocount == 0) 1499 duplicate++; 1500 1501 /* XXX more checks for loopback situation - see nd6_dad_timer too */ 1502 1503 if (duplicate) { 1504 if (dp) { 1505 nd6_dad_duplicated(dp); 1506 nd6_dad_stoptimer(dp); 1507 } 1508 } else { 1509 /* 1510 * not sure if I got a duplicate. 1511 * increment ns count and see what happens. 1512 */ 1513 if (dp) 1514 dp->dad_ns_icount++; 1515 } 1516 mutex_exit(&nd6_dad_lock); 1517 1518 if (duplicate && dp) { 1519 nd6_dad_destroytimer(dp); 1520 ifafree(ifa); 1521 } 1522 } 1523 1524 static void 1525 nd6_dad_na_input(struct ifaddr *ifa) 1526 { 1527 struct dadq *dp; 1528 1529 KASSERT(ifa != NULL); 1530 1531 mutex_enter(&nd6_dad_lock); 1532 1533 dp = nd6_dad_find(ifa, NULL); 1534 if (dp == NULL) { 1535 mutex_exit(&nd6_dad_lock); 1536 return; 1537 } 1538 1539 dp->dad_na_icount++; 1540 1541 /* remove the address. */ 1542 nd6_dad_duplicated(dp); 1543 nd6_dad_stoptimer(dp); 1544 1545 mutex_exit(&nd6_dad_lock); 1546 1547 nd6_dad_destroytimer(dp); 1548 ifafree(ifa); 1549 } 1550