1 /* $NetBSD: nd6_nbr.c,v 1.154 2018/05/01 07:21:39 maxv Exp $ */ 2 /* $KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $ */ 3 4 /* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 #include <sys/cdefs.h> 34 __KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.154 2018/05/01 07:21:39 maxv Exp $"); 35 36 #ifdef _KERNEL_OPT 37 #include "opt_inet.h" 38 #include "opt_net_mpsafe.h" 39 #endif 40 41 #include <sys/param.h> 42 #include <sys/systm.h> 43 #include <sys/kmem.h> 44 #include <sys/mbuf.h> 45 #include <sys/socket.h> 46 #include <sys/socketvar.h> 47 #include <sys/sockio.h> 48 #include <sys/time.h> 49 #include <sys/kernel.h> 50 #include <sys/errno.h> 51 #include <sys/ioctl.h> 52 #include <sys/syslog.h> 53 #include <sys/queue.h> 54 #include <sys/callout.h> 55 #include <sys/cprng.h> 56 57 #include <net/if.h> 58 #include <net/if_types.h> 59 #include <net/if_dl.h> 60 #include <net/route.h> 61 62 #include <netinet/in.h> 63 #include <netinet/in_var.h> 64 #include <netinet6/in6_var.h> 65 #include <netinet6/in6_ifattach.h> 66 #include <netinet/ip6.h> 67 #include <netinet6/ip6_var.h> 68 #include <netinet6/scope6_var.h> 69 #include <netinet6/nd6.h> 70 #include <netinet/icmp6.h> 71 #include <netinet6/icmp6_private.h> 72 73 #include "carp.h" 74 #if NCARP > 0 75 #include <netinet/ip_carp.h> 76 #endif 77 78 struct dadq; 79 static struct dadq *nd6_dad_find(struct ifaddr *, struct nd_opt_nonce *); 80 static void nd6_dad_starttimer(struct dadq *, int); 81 static void nd6_dad_destroytimer(struct dadq *); 82 static void nd6_dad_timer(struct dadq *); 83 static void nd6_dad_ns_output(struct dadq *, struct ifaddr *); 84 static void nd6_dad_ns_input(struct ifaddr *, struct nd_opt_nonce *); 85 static void nd6_dad_na_input(struct ifaddr *); 86 static void nd6_dad_duplicated(struct dadq *); 87 88 static int dad_maxtry = 15; /* max # of *tries* to transmit DAD packet */ 89 90 /* 91 * Input a Neighbor Solicitation Message. 92 * 93 * Based on RFC 2461 94 * Based on RFC 2462 (duplicate address detection) 95 */ 96 void 97 nd6_ns_input(struct mbuf *m, int off, int icmp6len) 98 { 99 struct ifnet *ifp; 100 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 101 struct nd_neighbor_solicit *nd_ns; 102 struct in6_addr saddr6 = ip6->ip6_src; 103 struct in6_addr daddr6 = ip6->ip6_dst; 104 struct in6_addr taddr6; 105 struct in6_addr myaddr6; 106 char *lladdr = NULL; 107 struct ifaddr *ifa = NULL; 108 int lladdrlen = 0; 109 int anycast = 0, proxy = 0, tentative = 0; 110 int router = ip6_forwarding; 111 int tlladdr; 112 union nd_opts ndopts; 113 const struct sockaddr_dl *proxydl = NULL; 114 struct psref psref; 115 struct psref psref_ia; 116 char ip6buf[INET6_ADDRSTRLEN], ip6buf2[INET6_ADDRSTRLEN]; 117 118 ifp = m_get_rcvif_psref(m, &psref); 119 if (ifp == NULL) 120 goto freeit; 121 122 IP6_EXTHDR_GET(nd_ns, struct nd_neighbor_solicit *, m, off, icmp6len); 123 if (nd_ns == NULL) { 124 ICMP6_STATINC(ICMP6_STAT_TOOSHORT); 125 m_put_rcvif_psref(ifp, &psref); 126 return; 127 } 128 ip6 = mtod(m, struct ip6_hdr *); /* adjust pointer for safety */ 129 taddr6 = nd_ns->nd_ns_target; 130 if (in6_setscope(&taddr6, ifp, NULL) != 0) 131 goto bad; 132 133 if (ip6->ip6_hlim != 255) { 134 nd6log(LOG_ERR, "invalid hlim (%d) from %s to %s on %s\n", 135 ip6->ip6_hlim, IN6_PRINT(ip6buf, &ip6->ip6_src), 136 IN6_PRINT(ip6buf2, &ip6->ip6_dst), if_name(ifp)); 137 goto bad; 138 } 139 140 if (IN6_IS_ADDR_UNSPECIFIED(&saddr6)) { 141 /* dst has to be a solicited node multicast address. */ 142 /* don't check ifindex portion */ 143 if (daddr6.s6_addr16[0] == IPV6_ADDR_INT16_MLL && 144 daddr6.s6_addr32[1] == 0 && 145 daddr6.s6_addr32[2] == IPV6_ADDR_INT32_ONE && 146 daddr6.s6_addr8[12] == 0xff) { 147 ; /* good */ 148 } else { 149 nd6log(LOG_INFO, "bad DAD packet (wrong ip6 dst)\n"); 150 goto bad; 151 } 152 } else { 153 struct sockaddr_in6 ssin6; 154 155 /* 156 * Make sure the source address is from a neighbor's address. 157 */ 158 sockaddr_in6_init(&ssin6, &saddr6, 0, 0, 0); 159 if (nd6_is_addr_neighbor(&ssin6, ifp) == 0) { 160 nd6log(LOG_INFO, 161 "NS packet from non-neighbor %s on %s\n", 162 IN6_PRINT(ip6buf, &saddr6), if_name(ifp)); 163 goto bad; 164 } 165 } 166 167 168 if (IN6_IS_ADDR_MULTICAST(&taddr6)) { 169 nd6log(LOG_INFO, "bad NS target (multicast)\n"); 170 goto bad; 171 } 172 173 icmp6len -= sizeof(*nd_ns); 174 nd6_option_init(nd_ns + 1, icmp6len, &ndopts); 175 if (nd6_options(&ndopts) < 0) { 176 nd6log(LOG_INFO, "invalid ND option, ignored\n"); 177 /* nd6_options have incremented stats */ 178 goto freeit; 179 } 180 181 if (ndopts.nd_opts_src_lladdr) { 182 lladdr = (char *)(ndopts.nd_opts_src_lladdr + 1); 183 lladdrlen = ndopts.nd_opts_src_lladdr->nd_opt_len << 3; 184 } 185 186 if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src) && lladdr) { 187 nd6log(LOG_INFO, 188 "bad DAD packet (link-layer address option)\n"); 189 goto bad; 190 } 191 192 /* 193 * Attaching target link-layer address to the NA? 194 * (RFC 2461 7.2.4) 195 * 196 * NS IP dst is multicast MUST add 197 * Otherwise MAY be omitted 198 * 199 * In this implementation, we omit the target link-layer address 200 * in the "MAY" case. 201 */ 202 #if 0 /* too much! */ 203 ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp, &daddr6); 204 if (ifa && (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_ANYCAST)) 205 tlladdr = 0; 206 else 207 #endif 208 if (!IN6_IS_ADDR_MULTICAST(&daddr6)) 209 tlladdr = 0; 210 else 211 tlladdr = 1; 212 213 /* 214 * Target address (taddr6) must be either: 215 * (1) Valid unicast/anycast address for my receiving interface, 216 * (2) Unicast address for which I'm offering proxy service, or 217 * (3) "tentative" address on which DAD is being performed. 218 */ 219 /* (1) and (3) check. */ 220 #if NCARP > 0 221 if (ifp->if_carp && ifp->if_type != IFT_CARP) { 222 int s = pserialize_read_enter(); 223 ifa = carp_iamatch6(ifp->if_carp, &taddr6); 224 if (ifa != NULL) 225 ifa_acquire(ifa, &psref_ia); 226 pserialize_read_exit(s); 227 } else 228 ifa = NULL; 229 if (!ifa) 230 ifa = (struct ifaddr *)in6ifa_ifpwithaddr_psref(ifp, &taddr6, 231 &psref_ia); 232 #else 233 ifa = (struct ifaddr *)in6ifa_ifpwithaddr_psref(ifp, &taddr6, 234 &psref_ia); 235 #endif 236 237 /* (2) check. */ 238 if (ifa == NULL) { 239 struct rtentry *rt; 240 struct sockaddr_in6 tsin6; 241 242 sockaddr_in6_init(&tsin6, &taddr6, 0, 0, 0); 243 244 rt = rtalloc1(sin6tosa(&tsin6), 0); 245 if (rt && (rt->rt_flags & RTF_ANNOUNCE) != 0 && 246 rt->rt_gateway->sa_family == AF_LINK) { 247 /* 248 * proxy NDP for single entry 249 */ 250 ifa = (struct ifaddr *)in6ifa_ifpforlinklocal_psref(ifp, 251 IN6_IFF_NOTREADY|IN6_IFF_ANYCAST, &psref_ia); 252 if (ifa) { 253 proxy = 1; 254 proxydl = satocsdl(rt->rt_gateway); 255 router = 0; /* XXX */ 256 } 257 } 258 if (rt) 259 rt_unref(rt); 260 } 261 if (ifa == NULL) { 262 /* 263 * We've got an NS packet, and we don't have that address 264 * assigned for us. We MUST silently ignore it. 265 * See RFC2461 7.2.3. 266 */ 267 goto freeit; 268 } 269 myaddr6 = *IFA_IN6(ifa); 270 anycast = ((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_ANYCAST; 271 tentative = ((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_TENTATIVE; 272 if (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_DUPLICATED) 273 goto freeit; 274 275 if (lladdr && ((ifp->if_addrlen + 2 + 7) & ~7) != lladdrlen) { 276 nd6log(LOG_INFO, "lladdrlen mismatch for %s " 277 "(if %d, NS packet %d)\n", 278 IN6_PRINT(ip6buf, &taddr6), 279 ifp->if_addrlen, lladdrlen - 2); 280 goto bad; 281 } 282 283 if (IN6_ARE_ADDR_EQUAL(&myaddr6, &saddr6)) { 284 nd6log(LOG_INFO, "duplicate IP6 address %s\n", 285 IN6_PRINT(ip6buf, &saddr6)); 286 goto freeit; 287 } 288 289 /* 290 * We have neighbor solicitation packet, with target address equals to 291 * one of my tentative address. 292 * 293 * src addr how to process? 294 * --- --- 295 * multicast of course, invalid (rejected in ip6_input) 296 * unicast somebody is doing address resolution -> ignore 297 * unspec dup address detection 298 * 299 * The processing is defined in RFC 2462. 300 */ 301 if (tentative) { 302 /* 303 * If source address is unspecified address, it is for 304 * duplicate address detection. 305 * 306 * If not, the packet is for addess resolution; 307 * silently ignore it. 308 */ 309 if (IN6_IS_ADDR_UNSPECIFIED(&saddr6)) 310 nd6_dad_ns_input(ifa, ndopts.nd_opts_nonce); 311 ifa_release(ifa, &psref_ia); 312 ifa = NULL; 313 314 goto freeit; 315 } 316 ifa_release(ifa, &psref_ia); 317 ifa = NULL; 318 319 /* 320 * If the source address is unspecified address, entries must not 321 * be created or updated. 322 * It looks that sender is performing DAD. Output NA toward 323 * all-node multicast address, to tell the sender that I'm using 324 * the address. 325 * S bit ("solicited") must be zero. 326 */ 327 if (IN6_IS_ADDR_UNSPECIFIED(&saddr6)) { 328 struct in6_addr in6_all; 329 330 in6_all = in6addr_linklocal_allnodes; 331 if (in6_setscope(&in6_all, ifp, NULL) != 0) 332 goto bad; 333 nd6_na_output(ifp, &in6_all, &taddr6, 334 ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) | 335 (ip6_forwarding ? ND_NA_FLAG_ROUTER : 0), 336 tlladdr, (const struct sockaddr *)proxydl); 337 goto freeit; 338 } 339 340 nd6_cache_lladdr(ifp, &saddr6, lladdr, lladdrlen, ND_NEIGHBOR_SOLICIT, 0); 341 342 nd6_na_output(ifp, &saddr6, &taddr6, 343 ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) | 344 (router ? ND_NA_FLAG_ROUTER : 0) | ND_NA_FLAG_SOLICITED, 345 tlladdr, (const struct sockaddr *)proxydl); 346 freeit: 347 ifa_release(ifa, &psref_ia); 348 m_put_rcvif_psref(ifp, &psref); 349 m_freem(m); 350 return; 351 352 bad: 353 nd6log(LOG_ERR, "src=%s\n", IN6_PRINT(ip6buf, &saddr6)); 354 nd6log(LOG_ERR, "dst=%s\n", IN6_PRINT(ip6buf, &daddr6)); 355 nd6log(LOG_ERR, "tgt=%s\n", IN6_PRINT(ip6buf, &taddr6)); 356 ICMP6_STATINC(ICMP6_STAT_BADNS); 357 ifa_release(ifa, &psref_ia); 358 m_put_rcvif_psref(ifp, &psref); 359 m_freem(m); 360 } 361 362 /* 363 * Output a Neighbor Solicitation Message. Caller specifies: 364 * - ICMP6 header source IP6 address 365 * - ND6 header target IP6 address 366 * - ND6 header source datalink address 367 * 368 * Based on RFC 2461 369 * Based on RFC 2462 (duplicate address detection) 370 */ 371 void 372 nd6_ns_output(struct ifnet *ifp, const struct in6_addr *daddr6, 373 const struct in6_addr *taddr6, 374 struct in6_addr *hsrc, 375 uint8_t *nonce /* duplicate address detection */) 376 { 377 struct mbuf *m; 378 struct ip6_hdr *ip6; 379 struct nd_neighbor_solicit *nd_ns; 380 struct in6_addr *src, src_in; 381 struct ip6_moptions im6o; 382 int icmp6len; 383 int maxlen; 384 const void *mac; 385 struct route ro; 386 387 if (IN6_IS_ADDR_MULTICAST(taddr6)) 388 return; 389 390 memset(&ro, 0, sizeof(ro)); 391 392 /* estimate the size of message */ 393 maxlen = sizeof(*ip6) + sizeof(*nd_ns); 394 maxlen += (sizeof(struct nd_opt_hdr) + ifp->if_addrlen + 7) & ~7; 395 KASSERTMSG(max_linkhdr + maxlen < MCLBYTES, 396 "max_linkhdr + maxlen >= MCLBYTES (%d + %d >= %d)", 397 max_linkhdr, maxlen, MCLBYTES); 398 399 MGETHDR(m, M_DONTWAIT, MT_DATA); 400 if (m && max_linkhdr + maxlen >= MHLEN) { 401 MCLGET(m, M_DONTWAIT); 402 if ((m->m_flags & M_EXT) == 0) { 403 m_free(m); 404 m = NULL; 405 } 406 } 407 if (m == NULL) 408 return; 409 m_reset_rcvif(m); 410 411 if (daddr6 == NULL || IN6_IS_ADDR_MULTICAST(daddr6)) { 412 m->m_flags |= M_MCAST; 413 im6o.im6o_multicast_if_index = if_get_index(ifp); 414 im6o.im6o_multicast_hlim = 255; 415 im6o.im6o_multicast_loop = 0; 416 } 417 418 icmp6len = sizeof(*nd_ns); 419 m->m_pkthdr.len = m->m_len = sizeof(*ip6) + icmp6len; 420 m->m_data += max_linkhdr; /* or MH_ALIGN() equivalent? */ 421 422 /* fill neighbor solicitation packet */ 423 ip6 = mtod(m, struct ip6_hdr *); 424 ip6->ip6_flow = 0; 425 ip6->ip6_vfc &= ~IPV6_VERSION_MASK; 426 ip6->ip6_vfc |= IPV6_VERSION; 427 /* ip6->ip6_plen will be set later */ 428 ip6->ip6_nxt = IPPROTO_ICMPV6; 429 ip6->ip6_hlim = 255; 430 if (daddr6) 431 ip6->ip6_dst = *daddr6; 432 else { 433 ip6->ip6_dst.s6_addr16[0] = IPV6_ADDR_INT16_MLL; 434 ip6->ip6_dst.s6_addr16[1] = 0; 435 ip6->ip6_dst.s6_addr32[1] = 0; 436 ip6->ip6_dst.s6_addr32[2] = IPV6_ADDR_INT32_ONE; 437 ip6->ip6_dst.s6_addr32[3] = taddr6->s6_addr32[3]; 438 ip6->ip6_dst.s6_addr8[12] = 0xff; 439 if (in6_setscope(&ip6->ip6_dst, ifp, NULL) != 0) 440 goto bad; 441 } 442 if (nonce == NULL) { 443 int s; 444 /* 445 * RFC2461 7.2.2: 446 * "If the source address of the packet prompting the 447 * solicitation is the same as one of the addresses assigned 448 * to the outgoing interface, that address SHOULD be placed 449 * in the IP Source Address of the outgoing solicitation. 450 * Otherwise, any one of the addresses assigned to the 451 * interface should be used." 452 * 453 * We use the source address for the prompting packet 454 * (hsrc), if: 455 * - hsrc is given from the caller (by giving "ln"), and 456 * - hsrc belongs to the outgoing interface. 457 * Otherwise, we perform the source address selection as usual. 458 */ 459 s = pserialize_read_enter(); 460 if (hsrc && in6ifa_ifpwithaddr(ifp, hsrc)) { 461 pserialize_read_exit(s); 462 src = hsrc; 463 } else { 464 int error; 465 struct sockaddr_in6 dst_sa; 466 467 pserialize_read_exit(s); 468 469 sockaddr_in6_init(&dst_sa, &ip6->ip6_dst, 0, 0, 0); 470 471 error = in6_selectsrc(&dst_sa, NULL, 472 NULL, &ro, NULL, NULL, NULL, &src_in); 473 if (error != 0) { 474 char ip6buf[INET6_ADDRSTRLEN]; 475 nd6log(LOG_DEBUG, "source can't be " 476 "determined: dst=%s, error=%d\n", 477 IN6_PRINT(ip6buf, &dst_sa.sin6_addr), 478 error); 479 pserialize_read_exit(s); 480 goto bad; 481 } 482 src = &src_in; 483 } 484 } else { 485 /* 486 * Source address for DAD packet must always be IPv6 487 * unspecified address. (0::0) 488 * We actually don't have to 0-clear the address (we did it 489 * above), but we do so here explicitly to make the intention 490 * clearer. 491 */ 492 memset(&src_in, 0, sizeof(src_in)); 493 src = &src_in; 494 } 495 ip6->ip6_src = *src; 496 nd_ns = (struct nd_neighbor_solicit *)(ip6 + 1); 497 nd_ns->nd_ns_type = ND_NEIGHBOR_SOLICIT; 498 nd_ns->nd_ns_code = 0; 499 nd_ns->nd_ns_reserved = 0; 500 nd_ns->nd_ns_target = *taddr6; 501 in6_clearscope(&nd_ns->nd_ns_target); /* XXX */ 502 503 /* 504 * Add source link-layer address option. 505 * 506 * spec implementation 507 * --- --- 508 * DAD packet MUST NOT do not add the option 509 * there's no link layer address: 510 * impossible do not add the option 511 * there's link layer address: 512 * Multicast NS MUST add one add the option 513 * Unicast NS SHOULD add one add the option 514 */ 515 if (nonce == NULL && (mac = nd6_ifptomac(ifp))) { 516 int optlen = sizeof(struct nd_opt_hdr) + ifp->if_addrlen; 517 struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_ns + 1); 518 /* 8 byte alignments... */ 519 optlen = (optlen + 7) & ~7; 520 521 m->m_pkthdr.len += optlen; 522 m->m_len += optlen; 523 icmp6len += optlen; 524 memset((void *)nd_opt, 0, optlen); 525 nd_opt->nd_opt_type = ND_OPT_SOURCE_LINKADDR; 526 nd_opt->nd_opt_len = optlen >> 3; 527 memcpy((void *)(nd_opt + 1), mac, ifp->if_addrlen); 528 } 529 530 /* Add a nonce option (RFC 3971) to detect looped back NS messages. 531 * This behavior is documented in RFC 7527. */ 532 if (nonce != NULL) { 533 int optlen = sizeof(struct nd_opt_hdr) + ND_OPT_NONCE_LEN; 534 struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_ns + 1); 535 536 /* 8-byte alignment is required. */ 537 optlen = (optlen + 7) & ~7; 538 m->m_pkthdr.len += optlen; 539 m->m_len += optlen; 540 icmp6len += optlen; 541 memset(nd_opt, 0, optlen); 542 nd_opt->nd_opt_type = ND_OPT_NONCE; 543 nd_opt->nd_opt_len = optlen >> 3; 544 memcpy(nd_opt + 1, nonce, ND_OPT_NONCE_LEN); 545 } 546 547 ip6->ip6_plen = htons((u_int16_t)icmp6len); 548 nd_ns->nd_ns_cksum = 0; 549 nd_ns->nd_ns_cksum = 550 in6_cksum(m, IPPROTO_ICMPV6, sizeof(*ip6), icmp6len); 551 552 ip6_output(m, NULL, &ro, nonce != NULL ? IPV6_UNSPECSRC : 0, 553 &im6o, NULL, NULL); 554 icmp6_ifstat_inc(ifp, ifs6_out_msg); 555 icmp6_ifstat_inc(ifp, ifs6_out_neighborsolicit); 556 ICMP6_STATINC(ICMP6_STAT_OUTHIST + ND_NEIGHBOR_SOLICIT); 557 558 rtcache_free(&ro); 559 return; 560 561 bad: 562 rtcache_free(&ro); 563 m_freem(m); 564 return; 565 } 566 567 /* 568 * Neighbor advertisement input handling. 569 * 570 * Based on RFC 2461 571 * Based on RFC 2462 (duplicate address detection) 572 * 573 * the following items are not implemented yet: 574 * - proxy advertisement delay rule (RFC2461 7.2.8, last paragraph, SHOULD) 575 * - anycast advertisement delay rule (RFC2461 7.2.7, SHOULD) 576 */ 577 void 578 nd6_na_input(struct mbuf *m, int off, int icmp6len) 579 { 580 struct ifnet *ifp; 581 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 582 struct nd_neighbor_advert *nd_na; 583 struct in6_addr saddr6 = ip6->ip6_src; 584 struct in6_addr daddr6 = ip6->ip6_dst; 585 struct in6_addr taddr6; 586 int flags; 587 int is_router; 588 int is_solicited; 589 int is_override; 590 char *lladdr = NULL; 591 int lladdrlen = 0; 592 struct ifaddr *ifa; 593 struct llentry *ln = NULL; 594 union nd_opts ndopts; 595 struct sockaddr_in6 ssin6; 596 int rt_announce; 597 bool checklink = false; 598 struct psref psref; 599 struct psref psref_ia; 600 char ip6buf[INET6_ADDRSTRLEN], ip6buf2[INET6_ADDRSTRLEN]; 601 602 ifp = m_get_rcvif_psref(m, &psref); 603 if (ifp == NULL) 604 goto freeit; 605 606 if (ip6->ip6_hlim != 255) { 607 nd6log(LOG_ERR, 608 "invalid hlim (%d) from %s to %s on %s\n", 609 ip6->ip6_hlim, IN6_PRINT(ip6buf, &ip6->ip6_src), 610 IN6_PRINT(ip6buf2, &ip6->ip6_dst), if_name(ifp)); 611 goto bad; 612 } 613 614 IP6_EXTHDR_GET(nd_na, struct nd_neighbor_advert *, m, off, icmp6len); 615 if (nd_na == NULL) { 616 m_put_rcvif_psref(ifp, &psref); 617 ICMP6_STATINC(ICMP6_STAT_TOOSHORT); 618 return; 619 } 620 621 flags = nd_na->nd_na_flags_reserved; 622 is_router = ((flags & ND_NA_FLAG_ROUTER) != 0); 623 is_solicited = ((flags & ND_NA_FLAG_SOLICITED) != 0); 624 is_override = ((flags & ND_NA_FLAG_OVERRIDE) != 0); 625 626 taddr6 = nd_na->nd_na_target; 627 if (in6_setscope(&taddr6, ifp, NULL)) { 628 goto bad; 629 } 630 631 if (IN6_IS_ADDR_MULTICAST(&taddr6)) { 632 nd6log(LOG_ERR, "invalid target address %s\n", 633 IN6_PRINT(ip6buf, &taddr6)); 634 goto bad; 635 } 636 if (is_solicited && IN6_IS_ADDR_MULTICAST(&daddr6)) { 637 nd6log(LOG_ERR, "a solicited adv is multicasted\n"); 638 goto bad; 639 } 640 641 icmp6len -= sizeof(*nd_na); 642 nd6_option_init(nd_na + 1, icmp6len, &ndopts); 643 if (nd6_options(&ndopts) < 0) { 644 nd6log(LOG_INFO, "invalid ND option, ignored\n"); 645 /* nd6_options have incremented stats */ 646 goto freeit; 647 } 648 649 if (ndopts.nd_opts_tgt_lladdr) { 650 lladdr = (char *)(ndopts.nd_opts_tgt_lladdr + 1); 651 lladdrlen = ndopts.nd_opts_tgt_lladdr->nd_opt_len << 3; 652 } 653 654 ifa = (struct ifaddr *)in6ifa_ifpwithaddr_psref(ifp, &taddr6, &psref_ia); 655 656 /* 657 * Target address matches one of my interface address. 658 * 659 * If my address is tentative, this means that there's somebody 660 * already using the same address as mine. This indicates DAD failure. 661 * This is defined in RFC 2462. 662 * 663 * Otherwise, process as defined in RFC 2461. 664 */ 665 if (ifa 666 && (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_TENTATIVE)) { 667 nd6_dad_na_input(ifa); 668 ifa_release(ifa, &psref_ia); 669 ifa = NULL; 670 goto freeit; 671 } 672 673 /* Just for safety, maybe unnecessary. */ 674 if (ifa) { 675 log(LOG_ERR, 676 "nd6_na_input: duplicate IP6 address %s\n", 677 IN6_PRINT(ip6buf, &taddr6)); 678 ifa_release(ifa, &psref_ia); 679 ifa = NULL; 680 goto freeit; 681 } 682 683 /* 684 * Make sure the source address is from a neighbor's address. 685 */ 686 sockaddr_in6_init(&ssin6, &saddr6, 0, 0, 0); 687 if (nd6_is_addr_neighbor(&ssin6, ifp) == 0) { 688 nd6log(LOG_INFO, "ND packet from non-neighbor %s on %s\n", 689 IN6_PRINT(ip6buf, &saddr6), if_name(ifp)); 690 goto bad; 691 } 692 693 if (lladdr && ((ifp->if_addrlen + 2 + 7) & ~7) != lladdrlen) { 694 nd6log(LOG_INFO, "lladdrlen mismatch for %s " 695 "(if %d, NA packet %d)\n", IN6_PRINT(ip6buf, &taddr6), 696 ifp->if_addrlen, lladdrlen - 2); 697 goto bad; 698 } 699 700 /* 701 * If no neighbor cache entry is found, NA SHOULD silently be 702 * discarded. 703 */ 704 ln = nd6_lookup(&taddr6, ifp, true); 705 if (ln == NULL) 706 goto freeit; 707 708 rt_announce = 0; 709 if (ln->ln_state == ND6_LLINFO_INCOMPLETE) { 710 /* 711 * If the link-layer has address, and no lladdr option came, 712 * discard the packet. 713 */ 714 if (ifp->if_addrlen && !lladdr) 715 goto freeit; 716 717 /* 718 * Record link-layer address, and update the state. 719 */ 720 memcpy(&ln->ll_addr, lladdr, ifp->if_addrlen); 721 ln->la_flags |= LLE_VALID; 722 rt_announce = 1; 723 if (is_solicited) { 724 ln->ln_state = ND6_LLINFO_REACHABLE; 725 ln->ln_byhint = 0; 726 if (!ND6_LLINFO_PERMANENT(ln)) { 727 nd6_llinfo_settimer(ln, 728 ND_IFINFO(ln->lle_tbl->llt_ifp)->reachable * hz); 729 } 730 } else { 731 ln->ln_state = ND6_LLINFO_STALE; 732 nd6_llinfo_settimer(ln, nd6_gctimer * hz); 733 } 734 if ((ln->ln_router = is_router) != 0) { 735 /* 736 * This means a router's state has changed from 737 * non-reachable to probably reachable, and might 738 * affect the status of associated prefixes.. 739 */ 740 checklink = true; 741 } 742 } else { 743 int llchange; 744 745 /* 746 * Check if the link-layer address has changed or not. 747 */ 748 if (lladdr == NULL) 749 llchange = 0; 750 else { 751 if (ln->la_flags & LLE_VALID) { 752 if (memcmp(lladdr, &ln->ll_addr, ifp->if_addrlen)) 753 llchange = rt_announce = 1; 754 else 755 llchange = 0; 756 } else 757 llchange = rt_announce = 1; 758 } 759 760 /* 761 * This is VERY complex. Look at it with care. 762 * 763 * override solicit lladdr llchange action 764 * (L: record lladdr) 765 * 766 * 0 0 n -- (2c) 767 * 0 0 y n (2b) L 768 * 0 0 y y (1) REACHABLE->STALE 769 * 0 1 n -- (2c) *->REACHABLE 770 * 0 1 y n (2b) L *->REACHABLE 771 * 0 1 y y (1) REACHABLE->STALE 772 * 1 0 n -- (2a) 773 * 1 0 y n (2a) L 774 * 1 0 y y (2a) L *->STALE 775 * 1 1 n -- (2a) *->REACHABLE 776 * 1 1 y n (2a) L *->REACHABLE 777 * 1 1 y y (2a) L *->REACHABLE 778 */ 779 if (!is_override && lladdr != NULL && llchange) { /* (1) */ 780 /* 781 * If state is REACHABLE, make it STALE. 782 * no other updates should be done. 783 */ 784 if (ln->ln_state == ND6_LLINFO_REACHABLE) { 785 ln->ln_state = ND6_LLINFO_STALE; 786 nd6_llinfo_settimer(ln, nd6_gctimer * hz); 787 } 788 goto freeit; 789 } else if (is_override /* (2a) */ 790 || (!is_override && lladdr != NULL && !llchange) /* (2b) */ 791 || lladdr == NULL) { /* (2c) */ 792 /* 793 * Update link-local address, if any. 794 */ 795 if (lladdr != NULL) { 796 memcpy(&ln->ll_addr, lladdr, ifp->if_addrlen); 797 ln->la_flags |= LLE_VALID; 798 } 799 800 /* 801 * If solicited, make the state REACHABLE. 802 * If not solicited and the link-layer address was 803 * changed, make it STALE. 804 */ 805 if (is_solicited) { 806 ln->ln_state = ND6_LLINFO_REACHABLE; 807 ln->ln_byhint = 0; 808 if (!ND6_LLINFO_PERMANENT(ln)) { 809 nd6_llinfo_settimer(ln, 810 ND_IFINFO(ifp)->reachable * hz); 811 } 812 } else { 813 if (lladdr && llchange) { 814 ln->ln_state = ND6_LLINFO_STALE; 815 nd6_llinfo_settimer(ln, 816 nd6_gctimer * hz); 817 } 818 } 819 } 820 821 if (ln->ln_router && !is_router) { 822 /* 823 * The peer dropped the router flag. 824 * Remove the sender from the Default Router List and 825 * update the Destination Cache entries. 826 */ 827 struct nd_defrouter *dr; 828 const struct in6_addr *in6; 829 830 in6 = &ln->r_l3addr.addr6; 831 832 ND6_WLOCK(); 833 dr = nd6_defrouter_lookup(in6, ln->lle_tbl->llt_ifp); 834 if (dr) 835 nd6_defrtrlist_del(dr, NULL); 836 else if (!ip6_forwarding) { 837 /* 838 * Even if the neighbor is not in the default 839 * router list, the neighbor may be used 840 * as a next hop for some destinations 841 * (e.g. redirect case). So we must 842 * call nd6_rt_flush explicitly. 843 */ 844 nd6_rt_flush(&ip6->ip6_src, ln->lle_tbl->llt_ifp); 845 } 846 ND6_UNLOCK(); 847 } 848 ln->ln_router = is_router; 849 } 850 /* 851 * XXX: does this matter? 852 * rt->rt_flags &= ~RTF_REJECT; 853 */ 854 ln->ln_asked = 0; 855 nd6_llinfo_release_pkts(ln, ifp); 856 /* FIXME */ 857 #if 0 858 if (rt_announce) /* tell user process about any new lladdr */ 859 rt_newmsg(RTM_CHANGE, rt); 860 #endif 861 862 freeit: 863 if (ln != NULL) 864 LLE_WUNLOCK(ln); 865 866 if (checklink) { 867 ND6_WLOCK(); 868 nd6_pfxlist_onlink_check(); 869 ND6_UNLOCK(); 870 } 871 872 m_put_rcvif_psref(ifp, &psref); 873 m_freem(m); 874 return; 875 876 bad: 877 if (ln != NULL) 878 LLE_WUNLOCK(ln); 879 880 ICMP6_STATINC(ICMP6_STAT_BADNA); 881 m_put_rcvif_psref(ifp, &psref); 882 m_freem(m); 883 } 884 885 /* 886 * Neighbor advertisement output handling. 887 * 888 * Based on RFC 2461 889 * 890 * the following items are not implemented yet: 891 * - proxy advertisement delay rule (RFC2461 7.2.8, last paragraph, SHOULD) 892 * - anycast advertisement delay rule (RFC2461 7.2.7, SHOULD) 893 */ 894 void 895 nd6_na_output( 896 struct ifnet *ifp, 897 const struct in6_addr *daddr6_0, 898 const struct in6_addr *taddr6, 899 u_long flags, 900 int tlladdr, /* 1 if include target link-layer address */ 901 const struct sockaddr *sdl0) /* sockaddr_dl (= proxy NA) or NULL */ 902 { 903 struct mbuf *m; 904 struct ip6_hdr *ip6; 905 struct nd_neighbor_advert *nd_na; 906 struct ip6_moptions im6o; 907 struct sockaddr *dst; 908 union { 909 struct sockaddr dst; 910 struct sockaddr_in6 dst6; 911 } u; 912 struct in6_addr daddr6; 913 int icmp6len, maxlen, error; 914 const void *mac; 915 struct route ro; 916 917 mac = NULL; 918 memset(&ro, 0, sizeof(ro)); 919 920 daddr6 = *daddr6_0; /* make a local copy for modification */ 921 922 /* estimate the size of message */ 923 maxlen = sizeof(*ip6) + sizeof(*nd_na); 924 maxlen += (sizeof(struct nd_opt_hdr) + ifp->if_addrlen + 7) & ~7; 925 KASSERTMSG(max_linkhdr + maxlen < MCLBYTES, 926 "max_linkhdr + maxlen >= MCLBYTES (%d + %d >= %d)", 927 max_linkhdr, maxlen, MCLBYTES); 928 929 MGETHDR(m, M_DONTWAIT, MT_DATA); 930 if (m && max_linkhdr + maxlen >= MHLEN) { 931 MCLGET(m, M_DONTWAIT); 932 if ((m->m_flags & M_EXT) == 0) { 933 m_free(m); 934 m = NULL; 935 } 936 } 937 if (m == NULL) 938 return; 939 m_reset_rcvif(m); 940 941 if (IN6_IS_ADDR_MULTICAST(&daddr6)) { 942 m->m_flags |= M_MCAST; 943 im6o.im6o_multicast_if_index = if_get_index(ifp); 944 im6o.im6o_multicast_hlim = 255; 945 im6o.im6o_multicast_loop = 0; 946 } 947 948 icmp6len = sizeof(*nd_na); 949 m->m_pkthdr.len = m->m_len = sizeof(struct ip6_hdr) + icmp6len; 950 m->m_data += max_linkhdr; /* or MH_ALIGN() equivalent? */ 951 952 /* fill neighbor advertisement packet */ 953 ip6 = mtod(m, struct ip6_hdr *); 954 ip6->ip6_flow = 0; 955 ip6->ip6_vfc &= ~IPV6_VERSION_MASK; 956 ip6->ip6_vfc |= IPV6_VERSION; 957 ip6->ip6_nxt = IPPROTO_ICMPV6; 958 ip6->ip6_hlim = 255; 959 if (IN6_IS_ADDR_UNSPECIFIED(&daddr6)) { 960 /* reply to DAD */ 961 daddr6.s6_addr16[0] = IPV6_ADDR_INT16_MLL; 962 daddr6.s6_addr16[1] = 0; 963 daddr6.s6_addr32[1] = 0; 964 daddr6.s6_addr32[2] = 0; 965 daddr6.s6_addr32[3] = IPV6_ADDR_INT32_ONE; 966 if (in6_setscope(&daddr6, ifp, NULL)) 967 goto bad; 968 969 flags &= ~ND_NA_FLAG_SOLICITED; 970 } 971 ip6->ip6_dst = daddr6; 972 sockaddr_in6_init(&u.dst6, &daddr6, 0, 0, 0); 973 dst = &u.dst; 974 if (rtcache_setdst(&ro, dst) != 0) 975 goto bad; 976 977 /* 978 * Select a source whose scope is the same as that of the dest. 979 */ 980 error = in6_selectsrc(satosin6(dst), NULL, NULL, &ro, NULL, NULL, NULL, 981 &ip6->ip6_src); 982 if (error != 0) { 983 char ip6buf[INET6_ADDRSTRLEN]; 984 nd6log(LOG_DEBUG, "source can't be " 985 "determined: dst=%s, error=%d\n", 986 IN6_PRINT(ip6buf, &satocsin6(dst)->sin6_addr), error); 987 goto bad; 988 } 989 nd_na = (struct nd_neighbor_advert *)(ip6 + 1); 990 nd_na->nd_na_type = ND_NEIGHBOR_ADVERT; 991 nd_na->nd_na_code = 0; 992 nd_na->nd_na_target = *taddr6; 993 in6_clearscope(&nd_na->nd_na_target); /* XXX */ 994 995 /* 996 * "tlladdr" indicates NS's condition for adding tlladdr or not. 997 * see nd6_ns_input() for details. 998 * Basically, if NS packet is sent to unicast/anycast addr, 999 * target lladdr option SHOULD NOT be included. 1000 */ 1001 if (tlladdr) { 1002 /* 1003 * sdl0 != NULL indicates proxy NA. If we do proxy, use 1004 * lladdr in sdl0. If we are not proxying (sending NA for 1005 * my address) use lladdr configured for the interface. 1006 */ 1007 if (sdl0 == NULL) 1008 mac = nd6_ifptomac(ifp); 1009 else if (sdl0->sa_family == AF_LINK) { 1010 const struct sockaddr_dl *sdl; 1011 sdl = satocsdl(sdl0); 1012 if (sdl->sdl_alen == ifp->if_addrlen) 1013 mac = CLLADDR(sdl); 1014 } 1015 } 1016 if (tlladdr && mac) { 1017 int optlen = sizeof(struct nd_opt_hdr) + ifp->if_addrlen; 1018 struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_na + 1); 1019 1020 /* roundup to 8 bytes alignment! */ 1021 optlen = (optlen + 7) & ~7; 1022 1023 m->m_pkthdr.len += optlen; 1024 m->m_len += optlen; 1025 icmp6len += optlen; 1026 memset((void *)nd_opt, 0, optlen); 1027 nd_opt->nd_opt_type = ND_OPT_TARGET_LINKADDR; 1028 nd_opt->nd_opt_len = optlen >> 3; 1029 memcpy((void *)(nd_opt + 1), mac, ifp->if_addrlen); 1030 } else 1031 flags &= ~ND_NA_FLAG_OVERRIDE; 1032 1033 ip6->ip6_plen = htons((u_int16_t)icmp6len); 1034 nd_na->nd_na_flags_reserved = flags; 1035 nd_na->nd_na_cksum = 0; 1036 nd_na->nd_na_cksum = 1037 in6_cksum(m, IPPROTO_ICMPV6, sizeof(struct ip6_hdr), icmp6len); 1038 1039 ip6_output(m, NULL, NULL, 0, &im6o, NULL, NULL); 1040 1041 icmp6_ifstat_inc(ifp, ifs6_out_msg); 1042 icmp6_ifstat_inc(ifp, ifs6_out_neighboradvert); 1043 ICMP6_STATINC(ICMP6_STAT_OUTHIST + ND_NEIGHBOR_ADVERT); 1044 1045 rtcache_free(&ro); 1046 return; 1047 1048 bad: 1049 rtcache_free(&ro); 1050 m_freem(m); 1051 return; 1052 } 1053 1054 const void * 1055 nd6_ifptomac(const struct ifnet *ifp) 1056 { 1057 switch (ifp->if_type) { 1058 case IFT_ARCNET: 1059 case IFT_ETHER: 1060 case IFT_FDDI: 1061 case IFT_IEEE1394: 1062 case IFT_PROPVIRTUAL: 1063 case IFT_CARP: 1064 case IFT_L2VLAN: 1065 case IFT_IEEE80211: 1066 return CLLADDR(ifp->if_sadl); 1067 default: 1068 return NULL; 1069 } 1070 } 1071 1072 TAILQ_HEAD(dadq_head, dadq); 1073 struct dadq { 1074 TAILQ_ENTRY(dadq) dad_list; 1075 struct ifaddr *dad_ifa; 1076 int dad_count; /* max NS to send */ 1077 int dad_ns_tcount; /* # of trials to send NS */ 1078 int dad_ns_ocount; /* NS sent so far */ 1079 int dad_ns_icount; 1080 int dad_na_icount; 1081 int dad_ns_lcount; /* looped back NS */ 1082 struct callout dad_timer_ch; 1083 #define ND_OPT_NONCE_STORE 3 /* dad_count should not exceed this */ 1084 /* 1085 * The default ip6_dad_count is 1 as specified by RFC 4862 and 1086 * practically must users won't exceed this. 1087 * A storage of 3 is defaulted to here, in-case the administrator wants 1088 * to match the equivalent behaviour in our ARP implementation. 1089 * This constraint could be removed by sending the on wire nonce as 1090 * hmac(key, dad_ns_ocount), but that would increase the nonce size 1091 * sent on the wire. 1092 */ 1093 uint8_t dad_nonce[ND_OPT_NONCE_STORE][ND_OPT_NONCE_LEN]; 1094 }; 1095 1096 static struct dadq_head dadq; 1097 static int dad_init = 0; 1098 static kmutex_t nd6_dad_lock; 1099 1100 static struct dadq * 1101 nd6_dad_find(struct ifaddr *ifa, struct nd_opt_nonce *nonce) 1102 { 1103 struct dadq *dp; 1104 int i, nonce_max; 1105 1106 KASSERT(mutex_owned(&nd6_dad_lock)); 1107 1108 TAILQ_FOREACH(dp, &dadq, dad_list) { 1109 if (dp->dad_ifa != ifa) 1110 continue; 1111 1112 if (nonce == NULL || 1113 nonce->nd_opt_nonce_len != (ND_OPT_NONCE_LEN + 2) / 8) 1114 break; 1115 1116 nonce_max = MIN(dp->dad_ns_ocount, ND_OPT_NONCE_STORE); 1117 for (i = 0; i < nonce_max; i++) { 1118 if (memcmp(nonce->nd_opt_nonce, 1119 dp->dad_nonce[i], 1120 ND_OPT_NONCE_LEN) == 0) 1121 break; 1122 } 1123 if (i < nonce_max) { 1124 char ip6buf[INET6_ADDRSTRLEN]; 1125 1126 log(LOG_DEBUG, 1127 "%s: detected a looped back NS message for %s\n", 1128 ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???", 1129 IN6_PRINT(ip6buf, IFA_IN6(ifa))); 1130 dp->dad_ns_lcount++; 1131 continue; 1132 } 1133 1134 break; 1135 } 1136 return dp; 1137 } 1138 1139 static void 1140 nd6_dad_starttimer(struct dadq *dp, int ticks) 1141 { 1142 1143 callout_reset(&dp->dad_timer_ch, ticks, 1144 (void (*)(void *))nd6_dad_timer, dp); 1145 } 1146 1147 static void 1148 nd6_dad_stoptimer(struct dadq *dp) 1149 { 1150 1151 KASSERT(mutex_owned(&nd6_dad_lock)); 1152 1153 TAILQ_REMOVE(&dadq, dp, dad_list); 1154 /* Tell the timer that dp is being destroyed. */ 1155 dp->dad_ifa = NULL; 1156 callout_halt(&dp->dad_timer_ch, &nd6_dad_lock); 1157 } 1158 1159 static void 1160 nd6_dad_destroytimer(struct dadq *dp) 1161 { 1162 1163 KASSERT(dp->dad_ifa == NULL); 1164 callout_destroy(&dp->dad_timer_ch); 1165 kmem_intr_free(dp, sizeof(*dp)); 1166 } 1167 1168 /* 1169 * Start Duplicate Address Detection (DAD) for specified interface address. 1170 * 1171 * Note that callout is used when xtick > 0 and not when xtick == 0. 1172 * 1173 * xtick: minimum delay ticks for IFF_UP event 1174 */ 1175 void 1176 nd6_dad_start(struct ifaddr *ifa, int xtick) 1177 { 1178 struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa; 1179 struct dadq *dp; 1180 char ip6buf[INET6_ADDRSTRLEN]; 1181 1182 if (!dad_init) { 1183 TAILQ_INIT(&dadq); 1184 mutex_init(&nd6_dad_lock, MUTEX_DEFAULT, IPL_NONE); 1185 dad_init++; 1186 } 1187 1188 /* 1189 * If we don't need DAD, don't do it. 1190 * There are several cases: 1191 * - DAD is disabled (ip6_dad_count == 0) 1192 * - the interface address is anycast 1193 */ 1194 if (!(ia->ia6_flags & IN6_IFF_TENTATIVE)) { 1195 log(LOG_DEBUG, 1196 "nd6_dad_start: called with non-tentative address " 1197 "%s(%s)\n", 1198 IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr), 1199 ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???"); 1200 return; 1201 } 1202 if (ia->ia6_flags & IN6_IFF_ANYCAST || !ip6_dad_count) { 1203 ia->ia6_flags &= ~IN6_IFF_TENTATIVE; 1204 rt_newaddrmsg(RTM_NEWADDR, ifa, 0, NULL); 1205 return; 1206 } 1207 KASSERT(ifa->ifa_ifp != NULL); 1208 if (!(ifa->ifa_ifp->if_flags & IFF_UP)) 1209 return; 1210 1211 dp = kmem_intr_alloc(sizeof(*dp), KM_NOSLEEP); 1212 1213 mutex_enter(&nd6_dad_lock); 1214 if (nd6_dad_find(ifa, NULL) != NULL) { 1215 mutex_exit(&nd6_dad_lock); 1216 /* DAD already in progress */ 1217 if (dp != NULL) 1218 kmem_intr_free(dp, sizeof(*dp)); 1219 return; 1220 } 1221 1222 if (dp == NULL) { 1223 mutex_exit(&nd6_dad_lock); 1224 log(LOG_ERR, "nd6_dad_start: memory allocation failed for " 1225 "%s(%s)\n", 1226 IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr), 1227 ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???"); 1228 return; 1229 } 1230 1231 /* 1232 * Send NS packet for DAD, ip6_dad_count times. 1233 * Note that we must delay the first transmission, if this is the 1234 * first packet to be sent from the interface after interface 1235 * (re)initialization. 1236 */ 1237 callout_init(&dp->dad_timer_ch, CALLOUT_MPSAFE); 1238 dp->dad_ifa = ifa; 1239 ifaref(ifa); /* just for safety */ 1240 dp->dad_count = ip6_dad_count; 1241 dp->dad_ns_icount = dp->dad_na_icount = 0; 1242 dp->dad_ns_ocount = dp->dad_ns_tcount = 0; 1243 dp->dad_ns_lcount = 0; 1244 TAILQ_INSERT_TAIL(&dadq, (struct dadq *)dp, dad_list); 1245 1246 nd6log(LOG_DEBUG, "%s: starting DAD for %s\n", if_name(ifa->ifa_ifp), 1247 IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr)); 1248 1249 if (xtick == 0) { 1250 nd6_dad_ns_output(dp, ifa); 1251 nd6_dad_starttimer(dp, 1252 (long)ND_IFINFO(ifa->ifa_ifp)->retrans * hz / 1000); 1253 } else 1254 nd6_dad_starttimer(dp, xtick); 1255 mutex_exit(&nd6_dad_lock); 1256 } 1257 1258 /* 1259 * terminate DAD unconditionally. used for address removals. 1260 */ 1261 void 1262 nd6_dad_stop(struct ifaddr *ifa) 1263 { 1264 struct dadq *dp; 1265 1266 if (!dad_init) 1267 return; 1268 1269 mutex_enter(&nd6_dad_lock); 1270 dp = nd6_dad_find(ifa, NULL); 1271 if (dp == NULL) { 1272 mutex_exit(&nd6_dad_lock); 1273 /* DAD wasn't started yet */ 1274 return; 1275 } 1276 1277 /* Prevent the timer from running anymore. */ 1278 nd6_dad_stoptimer(dp); 1279 1280 mutex_exit(&nd6_dad_lock); 1281 1282 nd6_dad_destroytimer(dp); 1283 ifafree(ifa); 1284 } 1285 1286 static void 1287 nd6_dad_timer(struct dadq *dp) 1288 { 1289 struct ifaddr *ifa; 1290 struct in6_ifaddr *ia; 1291 int duplicate = 0; 1292 char ip6buf[INET6_ADDRSTRLEN]; 1293 bool need_free = false; 1294 1295 KERNEL_LOCK_UNLESS_NET_MPSAFE(); 1296 mutex_enter(&nd6_dad_lock); 1297 1298 ifa = dp->dad_ifa; 1299 if (ifa == NULL) { 1300 /* dp is being destroyed by someone. Do nothing. */ 1301 goto done; 1302 } 1303 1304 ia = (struct in6_ifaddr *)ifa; 1305 if (ia->ia6_flags & IN6_IFF_DUPLICATED) { 1306 log(LOG_ERR, "nd6_dad_timer: called with duplicate address " 1307 "%s(%s)\n", 1308 IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr), 1309 ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???"); 1310 goto done; 1311 } 1312 if ((ia->ia6_flags & IN6_IFF_TENTATIVE) == 0) { 1313 log(LOG_ERR, "nd6_dad_timer: called with non-tentative address " 1314 "%s(%s)\n", 1315 IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr), 1316 ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???"); 1317 goto done; 1318 } 1319 1320 /* timeouted with IFF_{RUNNING,UP} check */ 1321 if (dp->dad_ns_tcount > dad_maxtry) { 1322 nd6log(LOG_INFO, "%s: could not run DAD, driver problem?\n", 1323 if_name(ifa->ifa_ifp)); 1324 1325 nd6_dad_stoptimer(dp); 1326 need_free = true; 1327 goto done; 1328 } 1329 1330 /* Need more checks? */ 1331 if (dp->dad_ns_ocount < dp->dad_count) { 1332 /* 1333 * We have more NS to go. Send NS packet for DAD. 1334 */ 1335 nd6_dad_ns_output(dp, ifa); 1336 nd6_dad_starttimer(dp, 1337 (long)ND_IFINFO(ifa->ifa_ifp)->retrans * hz / 1000); 1338 } else { 1339 /* 1340 * We have transmitted sufficient number of DAD packets. 1341 * See what we've got. 1342 */ 1343 if (dp->dad_na_icount) { 1344 /* 1345 * the check is in nd6_dad_na_input(), 1346 * but just in case 1347 */ 1348 duplicate++; 1349 } 1350 1351 if (dp->dad_ns_icount) { 1352 /* We've seen NS, means DAD has failed. */ 1353 duplicate++; 1354 } 1355 1356 if (duplicate) { 1357 nd6_dad_duplicated(dp); 1358 nd6_dad_stoptimer(dp); 1359 need_free = true; 1360 } else { 1361 /* 1362 * We are done with DAD. No NA came, no NS came. 1363 * No duplicate address found. 1364 */ 1365 ia->ia6_flags &= ~IN6_IFF_TENTATIVE; 1366 rt_newaddrmsg(RTM_NEWADDR, ifa, 0, NULL); 1367 1368 nd6log(LOG_DEBUG, 1369 "%s: DAD complete for %s - no duplicates found\n", 1370 if_name(ifa->ifa_ifp), 1371 IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr)); 1372 1373 nd6_dad_stoptimer(dp); 1374 need_free = true; 1375 } 1376 } 1377 done: 1378 mutex_exit(&nd6_dad_lock); 1379 1380 if (need_free) { 1381 nd6_dad_destroytimer(dp); 1382 KASSERT(ifa != NULL); 1383 ifafree(ifa); 1384 } 1385 1386 KERNEL_UNLOCK_UNLESS_NET_MPSAFE(); 1387 } 1388 1389 static void 1390 nd6_dad_duplicated(struct dadq *dp) 1391 { 1392 struct ifaddr *ifa = dp->dad_ifa; 1393 struct in6_ifaddr *ia; 1394 struct ifnet *ifp; 1395 char ip6buf[INET6_ADDRSTRLEN]; 1396 1397 KASSERT(mutex_owned(&nd6_dad_lock)); 1398 KASSERT(ifa != NULL); 1399 1400 ifp = ifa->ifa_ifp; 1401 ia = (struct in6_ifaddr *)ifa; 1402 log(LOG_ERR, "%s: DAD detected duplicate IPv6 address %s: " 1403 "NS in/out/loopback=%d/%d/%d, NA in=%d\n", 1404 if_name(ifp), IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr), 1405 dp->dad_ns_icount, dp->dad_ns_ocount, dp->dad_ns_lcount, 1406 dp->dad_na_icount); 1407 1408 ia->ia6_flags &= ~IN6_IFF_TENTATIVE; 1409 ia->ia6_flags |= IN6_IFF_DUPLICATED; 1410 1411 log(LOG_ERR, "%s: DAD complete for %s - duplicate found\n", 1412 if_name(ifp), IN6_PRINT(ip6buf, &ia->ia_addr.sin6_addr)); 1413 log(LOG_ERR, "%s: manual intervention required\n", 1414 if_name(ifp)); 1415 1416 /* Inform the routing socket that DAD has completed */ 1417 rt_newaddrmsg(RTM_NEWADDR, ifa, 0, NULL); 1418 1419 /* 1420 * If the address is a link-local address formed from an interface 1421 * identifier based on the hardware address which is supposed to be 1422 * uniquely assigned (e.g., EUI-64 for an Ethernet interface), IP 1423 * operation on the interface SHOULD be disabled. 1424 * [rfc2462bis-03 Section 5.4.5] 1425 */ 1426 if (IN6_IS_ADDR_LINKLOCAL(&ia->ia_addr.sin6_addr)) { 1427 struct in6_addr in6; 1428 1429 /* 1430 * To avoid over-reaction, we only apply this logic when we are 1431 * very sure that hardware addresses are supposed to be unique. 1432 */ 1433 switch (ifp->if_type) { 1434 case IFT_ETHER: 1435 case IFT_FDDI: 1436 case IFT_ATM: 1437 case IFT_IEEE1394: 1438 case IFT_IEEE80211: 1439 in6 = ia->ia_addr.sin6_addr; 1440 if (in6_get_hw_ifid(ifp, &in6) == 0 && 1441 IN6_ARE_ADDR_EQUAL(&ia->ia_addr.sin6_addr, &in6)) { 1442 ND_IFINFO(ifp)->flags |= ND6_IFF_IFDISABLED; 1443 log(LOG_ERR, "%s: possible hardware address " 1444 "duplication detected, disable IPv6\n", 1445 if_name(ifp)); 1446 } 1447 break; 1448 } 1449 } 1450 } 1451 1452 static void 1453 nd6_dad_ns_output(struct dadq *dp, struct ifaddr *ifa) 1454 { 1455 struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa; 1456 struct ifnet *ifp = ifa->ifa_ifp; 1457 uint8_t *nonce; 1458 1459 dp->dad_ns_tcount++; 1460 if ((ifp->if_flags & IFF_UP) == 0) { 1461 #if 0 1462 printf("%s: interface down?\n", if_name(ifp)); 1463 #endif 1464 return; 1465 } 1466 if ((ifp->if_flags & IFF_RUNNING) == 0) { 1467 #if 0 1468 printf("%s: interface not running?\n", if_name(ifp)); 1469 #endif 1470 return; 1471 } 1472 1473 dp->dad_ns_tcount = 0; 1474 nonce = dp->dad_nonce[dp->dad_ns_ocount % ND_OPT_NONCE_STORE]; 1475 cprng_fast(nonce, ND_OPT_NONCE_LEN); 1476 dp->dad_ns_ocount++; 1477 1478 nd6_ns_output(ifp, NULL, &ia->ia_addr.sin6_addr, NULL, nonce); 1479 } 1480 1481 static void 1482 nd6_dad_ns_input(struct ifaddr *ifa, struct nd_opt_nonce *nonce) 1483 { 1484 struct dadq *dp; 1485 int duplicate; 1486 1487 if (ifa == NULL) 1488 panic("ifa == NULL in nd6_dad_ns_input"); 1489 1490 duplicate = 0; 1491 1492 mutex_enter(&nd6_dad_lock); 1493 dp = nd6_dad_find(ifa, nonce); 1494 1495 /* 1496 * if I'm yet to start DAD, someone else started using this address 1497 * first. I have a duplicate and you win. 1498 */ 1499 if (dp == NULL || dp->dad_ns_ocount == 0) 1500 duplicate++; 1501 1502 /* XXX more checks for loopback situation - see nd6_dad_timer too */ 1503 1504 if (duplicate) { 1505 if (dp) { 1506 nd6_dad_duplicated(dp); 1507 nd6_dad_stoptimer(dp); 1508 } 1509 } else { 1510 /* 1511 * not sure if I got a duplicate. 1512 * increment ns count and see what happens. 1513 */ 1514 if (dp) 1515 dp->dad_ns_icount++; 1516 } 1517 mutex_exit(&nd6_dad_lock); 1518 1519 if (duplicate && dp) { 1520 nd6_dad_destroytimer(dp); 1521 ifafree(ifa); 1522 } 1523 } 1524 1525 static void 1526 nd6_dad_na_input(struct ifaddr *ifa) 1527 { 1528 struct dadq *dp; 1529 1530 KASSERT(ifa != NULL); 1531 1532 mutex_enter(&nd6_dad_lock); 1533 1534 dp = nd6_dad_find(ifa, NULL); 1535 if (dp == NULL) { 1536 mutex_exit(&nd6_dad_lock); 1537 return; 1538 } 1539 1540 dp->dad_na_icount++; 1541 1542 /* remove the address. */ 1543 nd6_dad_duplicated(dp); 1544 nd6_dad_stoptimer(dp); 1545 1546 mutex_exit(&nd6_dad_lock); 1547 1548 nd6_dad_destroytimer(dp); 1549 ifafree(ifa); 1550 } 1551