xref: /openbmc/linux/net/ipv6/ndisc.c (revision 278002edb19bce2c628fafb0af936e77000f3a5b)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  *	Neighbour Discovery for IPv6
4  *	Linux INET6 implementation
5  *
6  *	Authors:
7  *	Pedro Roque		<roque@di.fc.ul.pt>
8  *	Mike Shaver		<shaver@ingenia.com>
9  */
10 
11 /*
12  *	Changes:
13  *
14  *	Alexey I. Froloff		:	RFC6106 (DNSSL) support
15  *	Pierre Ynard			:	export userland ND options
16  *						through netlink (RDNSS support)
17  *	Lars Fenneberg			:	fixed MTU setting on receipt
18  *						of an RA.
19  *	Janos Farkas			:	kmalloc failure checks
20  *	Alexey Kuznetsov		:	state machine reworked
21  *						and moved to net/core.
22  *	Pekka Savola			:	RFC2461 validation
23  *	YOSHIFUJI Hideaki @USAGI	:	Verify ND options properly
24  */
25 
26 #define pr_fmt(fmt) "ICMPv6: " fmt
27 
28 #include <linux/module.h>
29 #include <linux/errno.h>
30 #include <linux/types.h>
31 #include <linux/socket.h>
32 #include <linux/sockios.h>
33 #include <linux/sched.h>
34 #include <linux/net.h>
35 #include <linux/in6.h>
36 #include <linux/route.h>
37 #include <linux/init.h>
38 #include <linux/rcupdate.h>
39 #include <linux/slab.h>
40 #ifdef CONFIG_SYSCTL
41 #include <linux/sysctl.h>
42 #endif
43 
44 #include <linux/if_addr.h>
45 #include <linux/if_ether.h>
46 #include <linux/if_arp.h>
47 #include <linux/ipv6.h>
48 #include <linux/icmpv6.h>
49 #include <linux/jhash.h>
50 
51 #include <net/sock.h>
52 #include <net/snmp.h>
53 
54 #include <net/ipv6.h>
55 #include <net/protocol.h>
56 #include <net/ndisc.h>
57 #include <net/ip6_route.h>
58 #include <net/addrconf.h>
59 #include <net/icmp.h>
60 
61 #include <net/netlink.h>
62 #include <linux/rtnetlink.h>
63 
64 #include <net/flow.h>
65 #include <net/ip6_checksum.h>
66 #include <net/inet_common.h>
67 #include <linux/proc_fs.h>
68 
69 #include <linux/netfilter.h>
70 #include <linux/netfilter_ipv6.h>
71 
72 static u32 ndisc_hash(const void *pkey,
73 		      const struct net_device *dev,
74 		      __u32 *hash_rnd);
75 static bool ndisc_key_eq(const struct neighbour *neigh, const void *pkey);
76 static bool ndisc_allow_add(const struct net_device *dev,
77 			    struct netlink_ext_ack *extack);
78 static int ndisc_constructor(struct neighbour *neigh);
79 static void ndisc_solicit(struct neighbour *neigh, struct sk_buff *skb);
80 static void ndisc_error_report(struct neighbour *neigh, struct sk_buff *skb);
81 static int pndisc_constructor(struct pneigh_entry *n);
82 static void pndisc_destructor(struct pneigh_entry *n);
83 static void pndisc_redo(struct sk_buff *skb);
84 static int ndisc_is_multicast(const void *pkey);
85 
86 static const struct neigh_ops ndisc_generic_ops = {
87 	.family =		AF_INET6,
88 	.solicit =		ndisc_solicit,
89 	.error_report =		ndisc_error_report,
90 	.output =		neigh_resolve_output,
91 	.connected_output =	neigh_connected_output,
92 };
93 
94 static const struct neigh_ops ndisc_hh_ops = {
95 	.family =		AF_INET6,
96 	.solicit =		ndisc_solicit,
97 	.error_report =		ndisc_error_report,
98 	.output =		neigh_resolve_output,
99 	.connected_output =	neigh_resolve_output,
100 };
101 
102 
103 static const struct neigh_ops ndisc_direct_ops = {
104 	.family =		AF_INET6,
105 	.output =		neigh_direct_output,
106 	.connected_output =	neigh_direct_output,
107 };
108 
109 struct neigh_table nd_tbl = {
110 	.family =	AF_INET6,
111 	.key_len =	sizeof(struct in6_addr),
112 	.protocol =	cpu_to_be16(ETH_P_IPV6),
113 	.hash =		ndisc_hash,
114 	.key_eq =	ndisc_key_eq,
115 	.constructor =	ndisc_constructor,
116 	.pconstructor =	pndisc_constructor,
117 	.pdestructor =	pndisc_destructor,
118 	.proxy_redo =	pndisc_redo,
119 	.is_multicast =	ndisc_is_multicast,
120 	.allow_add  =   ndisc_allow_add,
121 	.id =		"ndisc_cache",
122 	.parms = {
123 		.tbl			= &nd_tbl,
124 		.reachable_time		= ND_REACHABLE_TIME,
125 		.data = {
126 			[NEIGH_VAR_MCAST_PROBES] = 3,
127 			[NEIGH_VAR_UCAST_PROBES] = 3,
128 			[NEIGH_VAR_RETRANS_TIME] = ND_RETRANS_TIMER,
129 			[NEIGH_VAR_BASE_REACHABLE_TIME] = ND_REACHABLE_TIME,
130 			[NEIGH_VAR_DELAY_PROBE_TIME] = 5 * HZ,
131 			[NEIGH_VAR_INTERVAL_PROBE_TIME_MS] = 5 * HZ,
132 			[NEIGH_VAR_GC_STALETIME] = 60 * HZ,
133 			[NEIGH_VAR_QUEUE_LEN_BYTES] = SK_WMEM_MAX,
134 			[NEIGH_VAR_PROXY_QLEN] = 64,
135 			[NEIGH_VAR_ANYCAST_DELAY] = 1 * HZ,
136 			[NEIGH_VAR_PROXY_DELAY] = (8 * HZ) / 10,
137 		},
138 	},
139 	.gc_interval =	  30 * HZ,
140 	.gc_thresh1 =	 128,
141 	.gc_thresh2 =	 512,
142 	.gc_thresh3 =	1024,
143 };
144 EXPORT_SYMBOL_GPL(nd_tbl);
145 
__ndisc_fill_addr_option(struct sk_buff * skb,int type,const void * data,int data_len,int pad)146 void __ndisc_fill_addr_option(struct sk_buff *skb, int type, const void *data,
147 			      int data_len, int pad)
148 {
149 	int space = __ndisc_opt_addr_space(data_len, pad);
150 	u8 *opt = skb_put(skb, space);
151 
152 	opt[0] = type;
153 	opt[1] = space>>3;
154 
155 	memset(opt + 2, 0, pad);
156 	opt   += pad;
157 	space -= pad;
158 
159 	memcpy(opt+2, data, data_len);
160 	data_len += 2;
161 	opt += data_len;
162 	space -= data_len;
163 	if (space > 0)
164 		memset(opt, 0, space);
165 }
166 EXPORT_SYMBOL_GPL(__ndisc_fill_addr_option);
167 
ndisc_fill_addr_option(struct sk_buff * skb,int type,const void * data,u8 icmp6_type)168 static inline void ndisc_fill_addr_option(struct sk_buff *skb, int type,
169 					  const void *data, u8 icmp6_type)
170 {
171 	__ndisc_fill_addr_option(skb, type, data, skb->dev->addr_len,
172 				 ndisc_addr_option_pad(skb->dev->type));
173 	ndisc_ops_fill_addr_option(skb->dev, skb, icmp6_type);
174 }
175 
ndisc_fill_redirect_addr_option(struct sk_buff * skb,void * ha,const u8 * ops_data)176 static inline void ndisc_fill_redirect_addr_option(struct sk_buff *skb,
177 						   void *ha,
178 						   const u8 *ops_data)
179 {
180 	ndisc_fill_addr_option(skb, ND_OPT_TARGET_LL_ADDR, ha, NDISC_REDIRECT);
181 	ndisc_ops_fill_redirect_addr_option(skb->dev, skb, ops_data);
182 }
183 
ndisc_next_option(struct nd_opt_hdr * cur,struct nd_opt_hdr * end)184 static struct nd_opt_hdr *ndisc_next_option(struct nd_opt_hdr *cur,
185 					    struct nd_opt_hdr *end)
186 {
187 	int type;
188 	if (!cur || !end || cur >= end)
189 		return NULL;
190 	type = cur->nd_opt_type;
191 	do {
192 		cur = ((void *)cur) + (cur->nd_opt_len << 3);
193 	} while (cur < end && cur->nd_opt_type != type);
194 	return cur <= end && cur->nd_opt_type == type ? cur : NULL;
195 }
196 
ndisc_is_useropt(const struct net_device * dev,struct nd_opt_hdr * opt)197 static inline int ndisc_is_useropt(const struct net_device *dev,
198 				   struct nd_opt_hdr *opt)
199 {
200 	return opt->nd_opt_type == ND_OPT_PREFIX_INFO ||
201 		opt->nd_opt_type == ND_OPT_RDNSS ||
202 		opt->nd_opt_type == ND_OPT_DNSSL ||
203 		opt->nd_opt_type == ND_OPT_CAPTIVE_PORTAL ||
204 		opt->nd_opt_type == ND_OPT_PREF64 ||
205 		ndisc_ops_is_useropt(dev, opt->nd_opt_type);
206 }
207 
ndisc_next_useropt(const struct net_device * dev,struct nd_opt_hdr * cur,struct nd_opt_hdr * end)208 static struct nd_opt_hdr *ndisc_next_useropt(const struct net_device *dev,
209 					     struct nd_opt_hdr *cur,
210 					     struct nd_opt_hdr *end)
211 {
212 	if (!cur || !end || cur >= end)
213 		return NULL;
214 	do {
215 		cur = ((void *)cur) + (cur->nd_opt_len << 3);
216 	} while (cur < end && !ndisc_is_useropt(dev, cur));
217 	return cur <= end && ndisc_is_useropt(dev, cur) ? cur : NULL;
218 }
219 
ndisc_parse_options(const struct net_device * dev,u8 * opt,int opt_len,struct ndisc_options * ndopts)220 struct ndisc_options *ndisc_parse_options(const struct net_device *dev,
221 					  u8 *opt, int opt_len,
222 					  struct ndisc_options *ndopts)
223 {
224 	struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)opt;
225 
226 	if (!nd_opt || opt_len < 0 || !ndopts)
227 		return NULL;
228 	memset(ndopts, 0, sizeof(*ndopts));
229 	while (opt_len) {
230 		bool unknown = false;
231 		int l;
232 		if (opt_len < sizeof(struct nd_opt_hdr))
233 			return NULL;
234 		l = nd_opt->nd_opt_len << 3;
235 		if (opt_len < l || l == 0)
236 			return NULL;
237 		if (ndisc_ops_parse_options(dev, nd_opt, ndopts))
238 			goto next_opt;
239 		switch (nd_opt->nd_opt_type) {
240 		case ND_OPT_SOURCE_LL_ADDR:
241 		case ND_OPT_TARGET_LL_ADDR:
242 		case ND_OPT_MTU:
243 		case ND_OPT_NONCE:
244 		case ND_OPT_REDIRECT_HDR:
245 			if (ndopts->nd_opt_array[nd_opt->nd_opt_type]) {
246 				ND_PRINTK(2, warn,
247 					  "%s: duplicated ND6 option found: type=%d\n",
248 					  __func__, nd_opt->nd_opt_type);
249 			} else {
250 				ndopts->nd_opt_array[nd_opt->nd_opt_type] = nd_opt;
251 			}
252 			break;
253 		case ND_OPT_PREFIX_INFO:
254 			ndopts->nd_opts_pi_end = nd_opt;
255 			if (!ndopts->nd_opt_array[nd_opt->nd_opt_type])
256 				ndopts->nd_opt_array[nd_opt->nd_opt_type] = nd_opt;
257 			break;
258 #ifdef CONFIG_IPV6_ROUTE_INFO
259 		case ND_OPT_ROUTE_INFO:
260 			ndopts->nd_opts_ri_end = nd_opt;
261 			if (!ndopts->nd_opts_ri)
262 				ndopts->nd_opts_ri = nd_opt;
263 			break;
264 #endif
265 		default:
266 			unknown = true;
267 		}
268 		if (ndisc_is_useropt(dev, nd_opt)) {
269 			ndopts->nd_useropts_end = nd_opt;
270 			if (!ndopts->nd_useropts)
271 				ndopts->nd_useropts = nd_opt;
272 		} else if (unknown) {
273 			/*
274 			 * Unknown options must be silently ignored,
275 			 * to accommodate future extension to the
276 			 * protocol.
277 			 */
278 			ND_PRINTK(2, notice,
279 				  "%s: ignored unsupported option; type=%d, len=%d\n",
280 				  __func__,
281 				  nd_opt->nd_opt_type,
282 				  nd_opt->nd_opt_len);
283 		}
284 next_opt:
285 		opt_len -= l;
286 		nd_opt = ((void *)nd_opt) + l;
287 	}
288 	return ndopts;
289 }
290 
ndisc_mc_map(const struct in6_addr * addr,char * buf,struct net_device * dev,int dir)291 int ndisc_mc_map(const struct in6_addr *addr, char *buf, struct net_device *dev, int dir)
292 {
293 	switch (dev->type) {
294 	case ARPHRD_ETHER:
295 	case ARPHRD_IEEE802:	/* Not sure. Check it later. --ANK */
296 	case ARPHRD_FDDI:
297 		ipv6_eth_mc_map(addr, buf);
298 		return 0;
299 	case ARPHRD_ARCNET:
300 		ipv6_arcnet_mc_map(addr, buf);
301 		return 0;
302 	case ARPHRD_INFINIBAND:
303 		ipv6_ib_mc_map(addr, dev->broadcast, buf);
304 		return 0;
305 	case ARPHRD_IPGRE:
306 		return ipv6_ipgre_mc_map(addr, dev->broadcast, buf);
307 	default:
308 		if (dir) {
309 			memcpy(buf, dev->broadcast, dev->addr_len);
310 			return 0;
311 		}
312 	}
313 	return -EINVAL;
314 }
315 EXPORT_SYMBOL(ndisc_mc_map);
316 
ndisc_hash(const void * pkey,const struct net_device * dev,__u32 * hash_rnd)317 static u32 ndisc_hash(const void *pkey,
318 		      const struct net_device *dev,
319 		      __u32 *hash_rnd)
320 {
321 	return ndisc_hashfn(pkey, dev, hash_rnd);
322 }
323 
ndisc_key_eq(const struct neighbour * n,const void * pkey)324 static bool ndisc_key_eq(const struct neighbour *n, const void *pkey)
325 {
326 	return neigh_key_eq128(n, pkey);
327 }
328 
ndisc_constructor(struct neighbour * neigh)329 static int ndisc_constructor(struct neighbour *neigh)
330 {
331 	struct in6_addr *addr = (struct in6_addr *)&neigh->primary_key;
332 	struct net_device *dev = neigh->dev;
333 	struct inet6_dev *in6_dev;
334 	struct neigh_parms *parms;
335 	bool is_multicast = ipv6_addr_is_multicast(addr);
336 
337 	in6_dev = in6_dev_get(dev);
338 	if (!in6_dev) {
339 		return -EINVAL;
340 	}
341 
342 	parms = in6_dev->nd_parms;
343 	__neigh_parms_put(neigh->parms);
344 	neigh->parms = neigh_parms_clone(parms);
345 
346 	neigh->type = is_multicast ? RTN_MULTICAST : RTN_UNICAST;
347 	if (!dev->header_ops) {
348 		neigh->nud_state = NUD_NOARP;
349 		neigh->ops = &ndisc_direct_ops;
350 		neigh->output = neigh_direct_output;
351 	} else {
352 		if (is_multicast) {
353 			neigh->nud_state = NUD_NOARP;
354 			ndisc_mc_map(addr, neigh->ha, dev, 1);
355 		} else if (dev->flags&(IFF_NOARP|IFF_LOOPBACK)) {
356 			neigh->nud_state = NUD_NOARP;
357 			memcpy(neigh->ha, dev->dev_addr, dev->addr_len);
358 			if (dev->flags&IFF_LOOPBACK)
359 				neigh->type = RTN_LOCAL;
360 		} else if (dev->flags&IFF_POINTOPOINT) {
361 			neigh->nud_state = NUD_NOARP;
362 			memcpy(neigh->ha, dev->broadcast, dev->addr_len);
363 		}
364 		if (dev->header_ops->cache)
365 			neigh->ops = &ndisc_hh_ops;
366 		else
367 			neigh->ops = &ndisc_generic_ops;
368 		if (neigh->nud_state&NUD_VALID)
369 			neigh->output = neigh->ops->connected_output;
370 		else
371 			neigh->output = neigh->ops->output;
372 	}
373 	in6_dev_put(in6_dev);
374 	return 0;
375 }
376 
pndisc_constructor(struct pneigh_entry * n)377 static int pndisc_constructor(struct pneigh_entry *n)
378 {
379 	struct in6_addr *addr = (struct in6_addr *)&n->key;
380 	struct in6_addr maddr;
381 	struct net_device *dev = n->dev;
382 
383 	if (!dev || !__in6_dev_get(dev))
384 		return -EINVAL;
385 	addrconf_addr_solict_mult(addr, &maddr);
386 	ipv6_dev_mc_inc(dev, &maddr);
387 	return 0;
388 }
389 
pndisc_destructor(struct pneigh_entry * n)390 static void pndisc_destructor(struct pneigh_entry *n)
391 {
392 	struct in6_addr *addr = (struct in6_addr *)&n->key;
393 	struct in6_addr maddr;
394 	struct net_device *dev = n->dev;
395 
396 	if (!dev || !__in6_dev_get(dev))
397 		return;
398 	addrconf_addr_solict_mult(addr, &maddr);
399 	ipv6_dev_mc_dec(dev, &maddr);
400 }
401 
402 /* called with rtnl held */
ndisc_allow_add(const struct net_device * dev,struct netlink_ext_ack * extack)403 static bool ndisc_allow_add(const struct net_device *dev,
404 			    struct netlink_ext_ack *extack)
405 {
406 	struct inet6_dev *idev = __in6_dev_get(dev);
407 
408 	if (!idev || idev->cnf.disable_ipv6) {
409 		NL_SET_ERR_MSG(extack, "IPv6 is disabled on this device");
410 		return false;
411 	}
412 
413 	return true;
414 }
415 
ndisc_alloc_skb(struct net_device * dev,int len)416 static struct sk_buff *ndisc_alloc_skb(struct net_device *dev,
417 				       int len)
418 {
419 	int hlen = LL_RESERVED_SPACE(dev);
420 	int tlen = dev->needed_tailroom;
421 	struct sock *sk = dev_net(dev)->ipv6.ndisc_sk;
422 	struct sk_buff *skb;
423 
424 	skb = alloc_skb(hlen + sizeof(struct ipv6hdr) + len + tlen, GFP_ATOMIC);
425 	if (!skb) {
426 		ND_PRINTK(0, err, "ndisc: %s failed to allocate an skb\n",
427 			  __func__);
428 		return NULL;
429 	}
430 
431 	skb->protocol = htons(ETH_P_IPV6);
432 	skb->dev = dev;
433 
434 	skb_reserve(skb, hlen + sizeof(struct ipv6hdr));
435 	skb_reset_transport_header(skb);
436 
437 	/* Manually assign socket ownership as we avoid calling
438 	 * sock_alloc_send_pskb() to bypass wmem buffer limits
439 	 */
440 	skb_set_owner_w(skb, sk);
441 
442 	return skb;
443 }
444 
ip6_nd_hdr(struct sk_buff * skb,const struct in6_addr * saddr,const struct in6_addr * daddr,int hop_limit,int len)445 static void ip6_nd_hdr(struct sk_buff *skb,
446 		       const struct in6_addr *saddr,
447 		       const struct in6_addr *daddr,
448 		       int hop_limit, int len)
449 {
450 	struct ipv6hdr *hdr;
451 	struct inet6_dev *idev;
452 	unsigned tclass;
453 
454 	rcu_read_lock();
455 	idev = __in6_dev_get(skb->dev);
456 	tclass = idev ? idev->cnf.ndisc_tclass : 0;
457 	rcu_read_unlock();
458 
459 	skb_push(skb, sizeof(*hdr));
460 	skb_reset_network_header(skb);
461 	hdr = ipv6_hdr(skb);
462 
463 	ip6_flow_hdr(hdr, tclass, 0);
464 
465 	hdr->payload_len = htons(len);
466 	hdr->nexthdr = IPPROTO_ICMPV6;
467 	hdr->hop_limit = hop_limit;
468 
469 	hdr->saddr = *saddr;
470 	hdr->daddr = *daddr;
471 }
472 
ndisc_send_skb(struct sk_buff * skb,const struct in6_addr * daddr,const struct in6_addr * saddr)473 void ndisc_send_skb(struct sk_buff *skb, const struct in6_addr *daddr,
474 		    const struct in6_addr *saddr)
475 {
476 	struct dst_entry *dst = skb_dst(skb);
477 	struct net *net = dev_net(skb->dev);
478 	struct sock *sk = net->ipv6.ndisc_sk;
479 	struct inet6_dev *idev;
480 	int err;
481 	struct icmp6hdr *icmp6h = icmp6_hdr(skb);
482 	u8 type;
483 
484 	type = icmp6h->icmp6_type;
485 
486 	if (!dst) {
487 		struct flowi6 fl6;
488 		int oif = skb->dev->ifindex;
489 
490 		icmpv6_flow_init(sk, &fl6, type, saddr, daddr, oif);
491 		dst = icmp6_dst_alloc(skb->dev, &fl6);
492 		if (IS_ERR(dst)) {
493 			kfree_skb(skb);
494 			return;
495 		}
496 
497 		skb_dst_set(skb, dst);
498 	}
499 
500 	icmp6h->icmp6_cksum = csum_ipv6_magic(saddr, daddr, skb->len,
501 					      IPPROTO_ICMPV6,
502 					      csum_partial(icmp6h,
503 							   skb->len, 0));
504 
505 	ip6_nd_hdr(skb, saddr, daddr, inet6_sk(sk)->hop_limit, skb->len);
506 
507 	rcu_read_lock();
508 	idev = __in6_dev_get(dst->dev);
509 	IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTREQUESTS);
510 
511 	err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT,
512 		      net, sk, skb, NULL, dst->dev,
513 		      dst_output);
514 	if (!err) {
515 		ICMP6MSGOUT_INC_STATS(net, idev, type);
516 		ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS);
517 	}
518 
519 	rcu_read_unlock();
520 }
521 EXPORT_SYMBOL(ndisc_send_skb);
522 
ndisc_send_na(struct net_device * dev,const struct in6_addr * daddr,const struct in6_addr * solicited_addr,bool router,bool solicited,bool override,bool inc_opt)523 void ndisc_send_na(struct net_device *dev, const struct in6_addr *daddr,
524 		   const struct in6_addr *solicited_addr,
525 		   bool router, bool solicited, bool override, bool inc_opt)
526 {
527 	struct sk_buff *skb;
528 	struct in6_addr tmpaddr;
529 	struct inet6_ifaddr *ifp;
530 	const struct in6_addr *src_addr;
531 	struct nd_msg *msg;
532 	int optlen = 0;
533 
534 	/* for anycast or proxy, solicited_addr != src_addr */
535 	ifp = ipv6_get_ifaddr(dev_net(dev), solicited_addr, dev, 1);
536 	if (ifp) {
537 		src_addr = solicited_addr;
538 		if (ifp->flags & IFA_F_OPTIMISTIC)
539 			override = false;
540 		inc_opt |= ifp->idev->cnf.force_tllao;
541 		in6_ifa_put(ifp);
542 	} else {
543 		if (ipv6_dev_get_saddr(dev_net(dev), dev, daddr,
544 				       inet6_sk(dev_net(dev)->ipv6.ndisc_sk)->srcprefs,
545 				       &tmpaddr))
546 			return;
547 		src_addr = &tmpaddr;
548 	}
549 
550 	if (!dev->addr_len)
551 		inc_opt = false;
552 	if (inc_opt)
553 		optlen += ndisc_opt_addr_space(dev,
554 					       NDISC_NEIGHBOUR_ADVERTISEMENT);
555 
556 	skb = ndisc_alloc_skb(dev, sizeof(*msg) + optlen);
557 	if (!skb)
558 		return;
559 
560 	msg = skb_put(skb, sizeof(*msg));
561 	*msg = (struct nd_msg) {
562 		.icmph = {
563 			.icmp6_type = NDISC_NEIGHBOUR_ADVERTISEMENT,
564 			.icmp6_router = router,
565 			.icmp6_solicited = solicited,
566 			.icmp6_override = override,
567 		},
568 		.target = *solicited_addr,
569 	};
570 
571 	if (inc_opt)
572 		ndisc_fill_addr_option(skb, ND_OPT_TARGET_LL_ADDR,
573 				       dev->dev_addr,
574 				       NDISC_NEIGHBOUR_ADVERTISEMENT);
575 
576 	ndisc_send_skb(skb, daddr, src_addr);
577 }
578 
ndisc_send_unsol_na(struct net_device * dev)579 static void ndisc_send_unsol_na(struct net_device *dev)
580 {
581 	struct inet6_dev *idev;
582 	struct inet6_ifaddr *ifa;
583 
584 	idev = in6_dev_get(dev);
585 	if (!idev)
586 		return;
587 
588 	read_lock_bh(&idev->lock);
589 	list_for_each_entry(ifa, &idev->addr_list, if_list) {
590 		/* skip tentative addresses until dad completes */
591 		if (ifa->flags & IFA_F_TENTATIVE &&
592 		    !(ifa->flags & IFA_F_OPTIMISTIC))
593 			continue;
594 
595 		ndisc_send_na(dev, &in6addr_linklocal_allnodes, &ifa->addr,
596 			      /*router=*/ !!idev->cnf.forwarding,
597 			      /*solicited=*/ false, /*override=*/ true,
598 			      /*inc_opt=*/ true);
599 	}
600 	read_unlock_bh(&idev->lock);
601 
602 	in6_dev_put(idev);
603 }
604 
ndisc_ns_create(struct net_device * dev,const struct in6_addr * solicit,const struct in6_addr * saddr,u64 nonce)605 struct sk_buff *ndisc_ns_create(struct net_device *dev, const struct in6_addr *solicit,
606 				const struct in6_addr *saddr, u64 nonce)
607 {
608 	int inc_opt = dev->addr_len;
609 	struct sk_buff *skb;
610 	struct nd_msg *msg;
611 	int optlen = 0;
612 
613 	if (!saddr)
614 		return NULL;
615 
616 	if (ipv6_addr_any(saddr))
617 		inc_opt = false;
618 	if (inc_opt)
619 		optlen += ndisc_opt_addr_space(dev,
620 					       NDISC_NEIGHBOUR_SOLICITATION);
621 	if (nonce != 0)
622 		optlen += 8;
623 
624 	skb = ndisc_alloc_skb(dev, sizeof(*msg) + optlen);
625 	if (!skb)
626 		return NULL;
627 
628 	msg = skb_put(skb, sizeof(*msg));
629 	*msg = (struct nd_msg) {
630 		.icmph = {
631 			.icmp6_type = NDISC_NEIGHBOUR_SOLICITATION,
632 		},
633 		.target = *solicit,
634 	};
635 
636 	if (inc_opt)
637 		ndisc_fill_addr_option(skb, ND_OPT_SOURCE_LL_ADDR,
638 				       dev->dev_addr,
639 				       NDISC_NEIGHBOUR_SOLICITATION);
640 	if (nonce != 0) {
641 		u8 *opt = skb_put(skb, 8);
642 
643 		opt[0] = ND_OPT_NONCE;
644 		opt[1] = 8 >> 3;
645 		memcpy(opt + 2, &nonce, 6);
646 	}
647 
648 	return skb;
649 }
650 EXPORT_SYMBOL(ndisc_ns_create);
651 
ndisc_send_ns(struct net_device * dev,const struct in6_addr * solicit,const struct in6_addr * daddr,const struct in6_addr * saddr,u64 nonce)652 void ndisc_send_ns(struct net_device *dev, const struct in6_addr *solicit,
653 		   const struct in6_addr *daddr, const struct in6_addr *saddr,
654 		   u64 nonce)
655 {
656 	struct in6_addr addr_buf;
657 	struct sk_buff *skb;
658 
659 	if (!saddr) {
660 		if (ipv6_get_lladdr(dev, &addr_buf,
661 				    (IFA_F_TENTATIVE | IFA_F_OPTIMISTIC)))
662 			return;
663 		saddr = &addr_buf;
664 	}
665 
666 	skb = ndisc_ns_create(dev, solicit, saddr, nonce);
667 
668 	if (skb)
669 		ndisc_send_skb(skb, daddr, saddr);
670 }
671 
ndisc_send_rs(struct net_device * dev,const struct in6_addr * saddr,const struct in6_addr * daddr)672 void ndisc_send_rs(struct net_device *dev, const struct in6_addr *saddr,
673 		   const struct in6_addr *daddr)
674 {
675 	struct sk_buff *skb;
676 	struct rs_msg *msg;
677 	int send_sllao = dev->addr_len;
678 	int optlen = 0;
679 
680 #ifdef CONFIG_IPV6_OPTIMISTIC_DAD
681 	/*
682 	 * According to section 2.2 of RFC 4429, we must not
683 	 * send router solicitations with a sllao from
684 	 * optimistic addresses, but we may send the solicitation
685 	 * if we don't include the sllao.  So here we check
686 	 * if our address is optimistic, and if so, we
687 	 * suppress the inclusion of the sllao.
688 	 */
689 	if (send_sllao) {
690 		struct inet6_ifaddr *ifp = ipv6_get_ifaddr(dev_net(dev), saddr,
691 							   dev, 1);
692 		if (ifp) {
693 			if (ifp->flags & IFA_F_OPTIMISTIC)  {
694 				send_sllao = 0;
695 			}
696 			in6_ifa_put(ifp);
697 		} else {
698 			send_sllao = 0;
699 		}
700 	}
701 #endif
702 	if (send_sllao)
703 		optlen += ndisc_opt_addr_space(dev, NDISC_ROUTER_SOLICITATION);
704 
705 	skb = ndisc_alloc_skb(dev, sizeof(*msg) + optlen);
706 	if (!skb)
707 		return;
708 
709 	msg = skb_put(skb, sizeof(*msg));
710 	*msg = (struct rs_msg) {
711 		.icmph = {
712 			.icmp6_type = NDISC_ROUTER_SOLICITATION,
713 		},
714 	};
715 
716 	if (send_sllao)
717 		ndisc_fill_addr_option(skb, ND_OPT_SOURCE_LL_ADDR,
718 				       dev->dev_addr,
719 				       NDISC_ROUTER_SOLICITATION);
720 
721 	ndisc_send_skb(skb, daddr, saddr);
722 }
723 
724 
ndisc_error_report(struct neighbour * neigh,struct sk_buff * skb)725 static void ndisc_error_report(struct neighbour *neigh, struct sk_buff *skb)
726 {
727 	/*
728 	 *	"The sender MUST return an ICMP
729 	 *	 destination unreachable"
730 	 */
731 	dst_link_failure(skb);
732 	kfree_skb(skb);
733 }
734 
735 /* Called with locked neigh: either read or both */
736 
ndisc_solicit(struct neighbour * neigh,struct sk_buff * skb)737 static void ndisc_solicit(struct neighbour *neigh, struct sk_buff *skb)
738 {
739 	struct in6_addr *saddr = NULL;
740 	struct in6_addr mcaddr;
741 	struct net_device *dev = neigh->dev;
742 	struct in6_addr *target = (struct in6_addr *)&neigh->primary_key;
743 	int probes = atomic_read(&neigh->probes);
744 
745 	if (skb && ipv6_chk_addr_and_flags(dev_net(dev), &ipv6_hdr(skb)->saddr,
746 					   dev, false, 1,
747 					   IFA_F_TENTATIVE|IFA_F_OPTIMISTIC))
748 		saddr = &ipv6_hdr(skb)->saddr;
749 	probes -= NEIGH_VAR(neigh->parms, UCAST_PROBES);
750 	if (probes < 0) {
751 		if (!(READ_ONCE(neigh->nud_state) & NUD_VALID)) {
752 			ND_PRINTK(1, dbg,
753 				  "%s: trying to ucast probe in NUD_INVALID: %pI6\n",
754 				  __func__, target);
755 		}
756 		ndisc_send_ns(dev, target, target, saddr, 0);
757 	} else if ((probes -= NEIGH_VAR(neigh->parms, APP_PROBES)) < 0) {
758 		neigh_app_ns(neigh);
759 	} else {
760 		addrconf_addr_solict_mult(target, &mcaddr);
761 		ndisc_send_ns(dev, target, &mcaddr, saddr, 0);
762 	}
763 }
764 
pndisc_is_router(const void * pkey,struct net_device * dev)765 static int pndisc_is_router(const void *pkey,
766 			    struct net_device *dev)
767 {
768 	struct pneigh_entry *n;
769 	int ret = -1;
770 
771 	read_lock_bh(&nd_tbl.lock);
772 	n = __pneigh_lookup(&nd_tbl, dev_net(dev), pkey, dev);
773 	if (n)
774 		ret = !!(n->flags & NTF_ROUTER);
775 	read_unlock_bh(&nd_tbl.lock);
776 
777 	return ret;
778 }
779 
ndisc_update(const struct net_device * dev,struct neighbour * neigh,const u8 * lladdr,u8 new,u32 flags,u8 icmp6_type,struct ndisc_options * ndopts)780 void ndisc_update(const struct net_device *dev, struct neighbour *neigh,
781 		  const u8 *lladdr, u8 new, u32 flags, u8 icmp6_type,
782 		  struct ndisc_options *ndopts)
783 {
784 	neigh_update(neigh, lladdr, new, flags, 0);
785 	/* report ndisc ops about neighbour update */
786 	ndisc_ops_update(dev, neigh, flags, icmp6_type, ndopts);
787 }
788 
ndisc_recv_ns(struct sk_buff * skb)789 static enum skb_drop_reason ndisc_recv_ns(struct sk_buff *skb)
790 {
791 	struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
792 	const struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
793 	const struct in6_addr *daddr = &ipv6_hdr(skb)->daddr;
794 	u8 *lladdr = NULL;
795 	u32 ndoptlen = skb_tail_pointer(skb) - (skb_transport_header(skb) +
796 				    offsetof(struct nd_msg, opt));
797 	struct ndisc_options ndopts;
798 	struct net_device *dev = skb->dev;
799 	struct inet6_ifaddr *ifp;
800 	struct inet6_dev *idev = NULL;
801 	struct neighbour *neigh;
802 	int dad = ipv6_addr_any(saddr);
803 	int is_router = -1;
804 	SKB_DR(reason);
805 	u64 nonce = 0;
806 	bool inc;
807 
808 	if (skb->len < sizeof(struct nd_msg))
809 		return SKB_DROP_REASON_PKT_TOO_SMALL;
810 
811 	if (ipv6_addr_is_multicast(&msg->target)) {
812 		ND_PRINTK(2, warn, "NS: multicast target address\n");
813 		return reason;
814 	}
815 
816 	/*
817 	 * RFC2461 7.1.1:
818 	 * DAD has to be destined for solicited node multicast address.
819 	 */
820 	if (dad && !ipv6_addr_is_solict_mult(daddr)) {
821 		ND_PRINTK(2, warn, "NS: bad DAD packet (wrong destination)\n");
822 		return reason;
823 	}
824 
825 	if (!ndisc_parse_options(dev, msg->opt, ndoptlen, &ndopts))
826 		return SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS;
827 
828 	if (ndopts.nd_opts_src_lladdr) {
829 		lladdr = ndisc_opt_addr_data(ndopts.nd_opts_src_lladdr, dev);
830 		if (!lladdr) {
831 			ND_PRINTK(2, warn,
832 				  "NS: invalid link-layer address length\n");
833 			return reason;
834 		}
835 
836 		/* RFC2461 7.1.1:
837 		 *	If the IP source address is the unspecified address,
838 		 *	there MUST NOT be source link-layer address option
839 		 *	in the message.
840 		 */
841 		if (dad) {
842 			ND_PRINTK(2, warn,
843 				  "NS: bad DAD packet (link-layer address option)\n");
844 			return reason;
845 		}
846 	}
847 	if (ndopts.nd_opts_nonce && ndopts.nd_opts_nonce->nd_opt_len == 1)
848 		memcpy(&nonce, (u8 *)(ndopts.nd_opts_nonce + 1), 6);
849 
850 	inc = ipv6_addr_is_multicast(daddr);
851 
852 	ifp = ipv6_get_ifaddr(dev_net(dev), &msg->target, dev, 1);
853 	if (ifp) {
854 have_ifp:
855 		if (ifp->flags & (IFA_F_TENTATIVE|IFA_F_OPTIMISTIC)) {
856 			if (dad) {
857 				if (nonce != 0 && ifp->dad_nonce == nonce) {
858 					u8 *np = (u8 *)&nonce;
859 					/* Matching nonce if looped back */
860 					ND_PRINTK(2, notice,
861 						  "%s: IPv6 DAD loopback for address %pI6c nonce %pM ignored\n",
862 						  ifp->idev->dev->name,
863 						  &ifp->addr, np);
864 					goto out;
865 				}
866 				/*
867 				 * We are colliding with another node
868 				 * who is doing DAD
869 				 * so fail our DAD process
870 				 */
871 				addrconf_dad_failure(skb, ifp);
872 				return reason;
873 			} else {
874 				/*
875 				 * This is not a dad solicitation.
876 				 * If we are an optimistic node,
877 				 * we should respond.
878 				 * Otherwise, we should ignore it.
879 				 */
880 				if (!(ifp->flags & IFA_F_OPTIMISTIC))
881 					goto out;
882 			}
883 		}
884 
885 		idev = ifp->idev;
886 	} else {
887 		struct net *net = dev_net(dev);
888 
889 		/* perhaps an address on the master device */
890 		if (netif_is_l3_slave(dev)) {
891 			struct net_device *mdev;
892 
893 			mdev = netdev_master_upper_dev_get_rcu(dev);
894 			if (mdev) {
895 				ifp = ipv6_get_ifaddr(net, &msg->target, mdev, 1);
896 				if (ifp)
897 					goto have_ifp;
898 			}
899 		}
900 
901 		idev = in6_dev_get(dev);
902 		if (!idev) {
903 			/* XXX: count this drop? */
904 			return reason;
905 		}
906 
907 		if (ipv6_chk_acast_addr(net, dev, &msg->target) ||
908 		    (idev->cnf.forwarding &&
909 		     (net->ipv6.devconf_all->proxy_ndp || idev->cnf.proxy_ndp) &&
910 		     (is_router = pndisc_is_router(&msg->target, dev)) >= 0)) {
911 			if (!(NEIGH_CB(skb)->flags & LOCALLY_ENQUEUED) &&
912 			    skb->pkt_type != PACKET_HOST &&
913 			    inc &&
914 			    NEIGH_VAR(idev->nd_parms, PROXY_DELAY) != 0) {
915 				/*
916 				 * for anycast or proxy,
917 				 * sender should delay its response
918 				 * by a random time between 0 and
919 				 * MAX_ANYCAST_DELAY_TIME seconds.
920 				 * (RFC2461) -- yoshfuji
921 				 */
922 				struct sk_buff *n = skb_clone(skb, GFP_ATOMIC);
923 				if (n)
924 					pneigh_enqueue(&nd_tbl, idev->nd_parms, n);
925 				goto out;
926 			}
927 		} else {
928 			SKB_DR_SET(reason, IPV6_NDISC_NS_OTHERHOST);
929 			goto out;
930 		}
931 	}
932 
933 	if (is_router < 0)
934 		is_router = idev->cnf.forwarding;
935 
936 	if (dad) {
937 		ndisc_send_na(dev, &in6addr_linklocal_allnodes, &msg->target,
938 			      !!is_router, false, (ifp != NULL), true);
939 		goto out;
940 	}
941 
942 	if (inc)
943 		NEIGH_CACHE_STAT_INC(&nd_tbl, rcv_probes_mcast);
944 	else
945 		NEIGH_CACHE_STAT_INC(&nd_tbl, rcv_probes_ucast);
946 
947 	/*
948 	 *	update / create cache entry
949 	 *	for the source address
950 	 */
951 	neigh = __neigh_lookup(&nd_tbl, saddr, dev,
952 			       !inc || lladdr || !dev->addr_len);
953 	if (neigh)
954 		ndisc_update(dev, neigh, lladdr, NUD_STALE,
955 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
956 			     NEIGH_UPDATE_F_OVERRIDE,
957 			     NDISC_NEIGHBOUR_SOLICITATION, &ndopts);
958 	if (neigh || !dev->header_ops) {
959 		ndisc_send_na(dev, saddr, &msg->target, !!is_router,
960 			      true, (ifp != NULL && inc), inc);
961 		if (neigh)
962 			neigh_release(neigh);
963 		reason = SKB_CONSUMED;
964 	}
965 
966 out:
967 	if (ifp)
968 		in6_ifa_put(ifp);
969 	else
970 		in6_dev_put(idev);
971 	return reason;
972 }
973 
accept_untracked_na(struct net_device * dev,struct in6_addr * saddr)974 static int accept_untracked_na(struct net_device *dev, struct in6_addr *saddr)
975 {
976 	struct inet6_dev *idev = __in6_dev_get(dev);
977 
978 	switch (idev->cnf.accept_untracked_na) {
979 	case 0: /* Don't accept untracked na (absent in neighbor cache) */
980 		return 0;
981 	case 1: /* Create new entries from na if currently untracked */
982 		return 1;
983 	case 2: /* Create new entries from untracked na only if saddr is in the
984 		 * same subnet as an address configured on the interface that
985 		 * received the na
986 		 */
987 		return !!ipv6_chk_prefix(saddr, dev);
988 	default:
989 		return 0;
990 	}
991 }
992 
ndisc_recv_na(struct sk_buff * skb)993 static enum skb_drop_reason ndisc_recv_na(struct sk_buff *skb)
994 {
995 	struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
996 	struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
997 	const struct in6_addr *daddr = &ipv6_hdr(skb)->daddr;
998 	u8 *lladdr = NULL;
999 	u32 ndoptlen = skb_tail_pointer(skb) - (skb_transport_header(skb) +
1000 				    offsetof(struct nd_msg, opt));
1001 	struct ndisc_options ndopts;
1002 	struct net_device *dev = skb->dev;
1003 	struct inet6_dev *idev = __in6_dev_get(dev);
1004 	struct inet6_ifaddr *ifp;
1005 	struct neighbour *neigh;
1006 	SKB_DR(reason);
1007 	u8 new_state;
1008 
1009 	if (skb->len < sizeof(struct nd_msg))
1010 		return SKB_DROP_REASON_PKT_TOO_SMALL;
1011 
1012 	if (ipv6_addr_is_multicast(&msg->target)) {
1013 		ND_PRINTK(2, warn, "NA: target address is multicast\n");
1014 		return reason;
1015 	}
1016 
1017 	if (ipv6_addr_is_multicast(daddr) &&
1018 	    msg->icmph.icmp6_solicited) {
1019 		ND_PRINTK(2, warn, "NA: solicited NA is multicasted\n");
1020 		return reason;
1021 	}
1022 
1023 	/* For some 802.11 wireless deployments (and possibly other networks),
1024 	 * there will be a NA proxy and unsolicitd packets are attacks
1025 	 * and thus should not be accepted.
1026 	 * drop_unsolicited_na takes precedence over accept_untracked_na
1027 	 */
1028 	if (!msg->icmph.icmp6_solicited && idev &&
1029 	    idev->cnf.drop_unsolicited_na)
1030 		return reason;
1031 
1032 	if (!ndisc_parse_options(dev, msg->opt, ndoptlen, &ndopts))
1033 		return SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS;
1034 
1035 	if (ndopts.nd_opts_tgt_lladdr) {
1036 		lladdr = ndisc_opt_addr_data(ndopts.nd_opts_tgt_lladdr, dev);
1037 		if (!lladdr) {
1038 			ND_PRINTK(2, warn,
1039 				  "NA: invalid link-layer address length\n");
1040 			return reason;
1041 		}
1042 	}
1043 	ifp = ipv6_get_ifaddr(dev_net(dev), &msg->target, dev, 1);
1044 	if (ifp) {
1045 		if (skb->pkt_type != PACKET_LOOPBACK
1046 		    && (ifp->flags & IFA_F_TENTATIVE)) {
1047 				addrconf_dad_failure(skb, ifp);
1048 				return reason;
1049 		}
1050 		/* What should we make now? The advertisement
1051 		   is invalid, but ndisc specs say nothing
1052 		   about it. It could be misconfiguration, or
1053 		   an smart proxy agent tries to help us :-)
1054 
1055 		   We should not print the error if NA has been
1056 		   received from loopback - it is just our own
1057 		   unsolicited advertisement.
1058 		 */
1059 		if (skb->pkt_type != PACKET_LOOPBACK)
1060 			ND_PRINTK(1, warn,
1061 				  "NA: %pM advertised our address %pI6c on %s!\n",
1062 				  eth_hdr(skb)->h_source, &ifp->addr, ifp->idev->dev->name);
1063 		in6_ifa_put(ifp);
1064 		return reason;
1065 	}
1066 
1067 	neigh = neigh_lookup(&nd_tbl, &msg->target, dev);
1068 
1069 	/* RFC 9131 updates original Neighbour Discovery RFC 4861.
1070 	 * NAs with Target LL Address option without a corresponding
1071 	 * entry in the neighbour cache can now create a STALE neighbour
1072 	 * cache entry on routers.
1073 	 *
1074 	 *   entry accept  fwding  solicited        behaviour
1075 	 * ------- ------  ------  ---------    ----------------------
1076 	 * present      X       X         0     Set state to STALE
1077 	 * present      X       X         1     Set state to REACHABLE
1078 	 *  absent      0       X         X     Do nothing
1079 	 *  absent      1       0         X     Do nothing
1080 	 *  absent      1       1         X     Add a new STALE entry
1081 	 *
1082 	 * Note that we don't do a (daddr == all-routers-mcast) check.
1083 	 */
1084 	new_state = msg->icmph.icmp6_solicited ? NUD_REACHABLE : NUD_STALE;
1085 	if (!neigh && lladdr && idev && idev->cnf.forwarding) {
1086 		if (accept_untracked_na(dev, saddr)) {
1087 			neigh = neigh_create(&nd_tbl, &msg->target, dev);
1088 			new_state = NUD_STALE;
1089 		}
1090 	}
1091 
1092 	if (neigh && !IS_ERR(neigh)) {
1093 		u8 old_flags = neigh->flags;
1094 		struct net *net = dev_net(dev);
1095 
1096 		if (READ_ONCE(neigh->nud_state) & NUD_FAILED)
1097 			goto out;
1098 
1099 		/*
1100 		 * Don't update the neighbor cache entry on a proxy NA from
1101 		 * ourselves because either the proxied node is off link or it
1102 		 * has already sent a NA to us.
1103 		 */
1104 		if (lladdr && !memcmp(lladdr, dev->dev_addr, dev->addr_len) &&
1105 		    net->ipv6.devconf_all->forwarding && net->ipv6.devconf_all->proxy_ndp &&
1106 		    pneigh_lookup(&nd_tbl, net, &msg->target, dev, 0)) {
1107 			/* XXX: idev->cnf.proxy_ndp */
1108 			goto out;
1109 		}
1110 
1111 		ndisc_update(dev, neigh, lladdr,
1112 			     new_state,
1113 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
1114 			     (msg->icmph.icmp6_override ? NEIGH_UPDATE_F_OVERRIDE : 0)|
1115 			     NEIGH_UPDATE_F_OVERRIDE_ISROUTER|
1116 			     (msg->icmph.icmp6_router ? NEIGH_UPDATE_F_ISROUTER : 0),
1117 			     NDISC_NEIGHBOUR_ADVERTISEMENT, &ndopts);
1118 
1119 		if ((old_flags & ~neigh->flags) & NTF_ROUTER) {
1120 			/*
1121 			 * Change: router to host
1122 			 */
1123 			rt6_clean_tohost(dev_net(dev),  saddr);
1124 		}
1125 		reason = SKB_CONSUMED;
1126 out:
1127 		neigh_release(neigh);
1128 	}
1129 	return reason;
1130 }
1131 
ndisc_recv_rs(struct sk_buff * skb)1132 static enum skb_drop_reason ndisc_recv_rs(struct sk_buff *skb)
1133 {
1134 	struct rs_msg *rs_msg = (struct rs_msg *)skb_transport_header(skb);
1135 	unsigned long ndoptlen = skb->len - sizeof(*rs_msg);
1136 	struct neighbour *neigh;
1137 	struct inet6_dev *idev;
1138 	const struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
1139 	struct ndisc_options ndopts;
1140 	u8 *lladdr = NULL;
1141 	SKB_DR(reason);
1142 
1143 	if (skb->len < sizeof(*rs_msg))
1144 		return SKB_DROP_REASON_PKT_TOO_SMALL;
1145 
1146 	idev = __in6_dev_get(skb->dev);
1147 	if (!idev) {
1148 		ND_PRINTK(1, err, "RS: can't find in6 device\n");
1149 		return reason;
1150 	}
1151 
1152 	/* Don't accept RS if we're not in router mode */
1153 	if (!idev->cnf.forwarding)
1154 		goto out;
1155 
1156 	/*
1157 	 * Don't update NCE if src = ::;
1158 	 * this implies that the source node has no ip address assigned yet.
1159 	 */
1160 	if (ipv6_addr_any(saddr))
1161 		goto out;
1162 
1163 	/* Parse ND options */
1164 	if (!ndisc_parse_options(skb->dev, rs_msg->opt, ndoptlen, &ndopts))
1165 		return SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS;
1166 
1167 	if (ndopts.nd_opts_src_lladdr) {
1168 		lladdr = ndisc_opt_addr_data(ndopts.nd_opts_src_lladdr,
1169 					     skb->dev);
1170 		if (!lladdr)
1171 			goto out;
1172 	}
1173 
1174 	neigh = __neigh_lookup(&nd_tbl, saddr, skb->dev, 1);
1175 	if (neigh) {
1176 		ndisc_update(skb->dev, neigh, lladdr, NUD_STALE,
1177 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
1178 			     NEIGH_UPDATE_F_OVERRIDE|
1179 			     NEIGH_UPDATE_F_OVERRIDE_ISROUTER,
1180 			     NDISC_ROUTER_SOLICITATION, &ndopts);
1181 		neigh_release(neigh);
1182 		reason = SKB_CONSUMED;
1183 	}
1184 out:
1185 	return reason;
1186 }
1187 
ndisc_ra_useropt(struct sk_buff * ra,struct nd_opt_hdr * opt)1188 static void ndisc_ra_useropt(struct sk_buff *ra, struct nd_opt_hdr *opt)
1189 {
1190 	struct icmp6hdr *icmp6h = (struct icmp6hdr *)skb_transport_header(ra);
1191 	struct sk_buff *skb;
1192 	struct nlmsghdr *nlh;
1193 	struct nduseroptmsg *ndmsg;
1194 	struct net *net = dev_net(ra->dev);
1195 	int err;
1196 	int base_size = NLMSG_ALIGN(sizeof(struct nduseroptmsg)
1197 				    + (opt->nd_opt_len << 3));
1198 	size_t msg_size = base_size + nla_total_size(sizeof(struct in6_addr));
1199 
1200 	skb = nlmsg_new(msg_size, GFP_ATOMIC);
1201 	if (!skb) {
1202 		err = -ENOBUFS;
1203 		goto errout;
1204 	}
1205 
1206 	nlh = nlmsg_put(skb, 0, 0, RTM_NEWNDUSEROPT, base_size, 0);
1207 	if (!nlh) {
1208 		goto nla_put_failure;
1209 	}
1210 
1211 	ndmsg = nlmsg_data(nlh);
1212 	ndmsg->nduseropt_family = AF_INET6;
1213 	ndmsg->nduseropt_ifindex = ra->dev->ifindex;
1214 	ndmsg->nduseropt_icmp_type = icmp6h->icmp6_type;
1215 	ndmsg->nduseropt_icmp_code = icmp6h->icmp6_code;
1216 	ndmsg->nduseropt_opts_len = opt->nd_opt_len << 3;
1217 
1218 	memcpy(ndmsg + 1, opt, opt->nd_opt_len << 3);
1219 
1220 	if (nla_put_in6_addr(skb, NDUSEROPT_SRCADDR, &ipv6_hdr(ra)->saddr))
1221 		goto nla_put_failure;
1222 	nlmsg_end(skb, nlh);
1223 
1224 	rtnl_notify(skb, net, 0, RTNLGRP_ND_USEROPT, NULL, GFP_ATOMIC);
1225 	return;
1226 
1227 nla_put_failure:
1228 	nlmsg_free(skb);
1229 	err = -EMSGSIZE;
1230 errout:
1231 	rtnl_set_sk_err(net, RTNLGRP_ND_USEROPT, err);
1232 }
1233 
ndisc_router_discovery(struct sk_buff * skb)1234 static enum skb_drop_reason ndisc_router_discovery(struct sk_buff *skb)
1235 {
1236 	struct ra_msg *ra_msg = (struct ra_msg *)skb_transport_header(skb);
1237 	bool send_ifinfo_notify = false;
1238 	struct neighbour *neigh = NULL;
1239 	struct ndisc_options ndopts;
1240 	struct fib6_info *rt = NULL;
1241 	struct inet6_dev *in6_dev;
1242 	u32 defrtr_usr_metric;
1243 	unsigned int pref = 0;
1244 	__u32 old_if_flags;
1245 	struct net *net;
1246 	SKB_DR(reason);
1247 	int lifetime;
1248 	int optlen;
1249 
1250 	__u8 *opt = (__u8 *)(ra_msg + 1);
1251 
1252 	optlen = (skb_tail_pointer(skb) - skb_transport_header(skb)) -
1253 		sizeof(struct ra_msg);
1254 
1255 	ND_PRINTK(2, info,
1256 		  "RA: %s, dev: %s\n",
1257 		  __func__, skb->dev->name);
1258 	if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL)) {
1259 		ND_PRINTK(2, warn, "RA: source address is not link-local\n");
1260 		return reason;
1261 	}
1262 	if (optlen < 0)
1263 		return SKB_DROP_REASON_PKT_TOO_SMALL;
1264 
1265 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1266 	if (skb->ndisc_nodetype == NDISC_NODETYPE_HOST) {
1267 		ND_PRINTK(2, warn, "RA: from host or unauthorized router\n");
1268 		return reason;
1269 	}
1270 #endif
1271 
1272 	in6_dev = __in6_dev_get(skb->dev);
1273 	if (!in6_dev) {
1274 		ND_PRINTK(0, err, "RA: can't find inet6 device for %s\n",
1275 			  skb->dev->name);
1276 		return reason;
1277 	}
1278 
1279 	if (!ndisc_parse_options(skb->dev, opt, optlen, &ndopts))
1280 		return SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS;
1281 
1282 	if (!ipv6_accept_ra(in6_dev)) {
1283 		ND_PRINTK(2, info,
1284 			  "RA: %s, did not accept ra for dev: %s\n",
1285 			  __func__, skb->dev->name);
1286 		goto skip_linkparms;
1287 	}
1288 
1289 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1290 	/* skip link-specific parameters from interior routers */
1291 	if (skb->ndisc_nodetype == NDISC_NODETYPE_NODEFAULT) {
1292 		ND_PRINTK(2, info,
1293 			  "RA: %s, nodetype is NODEFAULT, dev: %s\n",
1294 			  __func__, skb->dev->name);
1295 		goto skip_linkparms;
1296 	}
1297 #endif
1298 
1299 	if (in6_dev->if_flags & IF_RS_SENT) {
1300 		/*
1301 		 *	flag that an RA was received after an RS was sent
1302 		 *	out on this interface.
1303 		 */
1304 		in6_dev->if_flags |= IF_RA_RCVD;
1305 	}
1306 
1307 	/*
1308 	 * Remember the managed/otherconf flags from most recently
1309 	 * received RA message (RFC 2462) -- yoshfuji
1310 	 */
1311 	old_if_flags = in6_dev->if_flags;
1312 	in6_dev->if_flags = (in6_dev->if_flags & ~(IF_RA_MANAGED |
1313 				IF_RA_OTHERCONF)) |
1314 				(ra_msg->icmph.icmp6_addrconf_managed ?
1315 					IF_RA_MANAGED : 0) |
1316 				(ra_msg->icmph.icmp6_addrconf_other ?
1317 					IF_RA_OTHERCONF : 0);
1318 
1319 	if (old_if_flags != in6_dev->if_flags)
1320 		send_ifinfo_notify = true;
1321 
1322 	if (!in6_dev->cnf.accept_ra_defrtr) {
1323 		ND_PRINTK(2, info,
1324 			  "RA: %s, defrtr is false for dev: %s\n",
1325 			  __func__, skb->dev->name);
1326 		goto skip_defrtr;
1327 	}
1328 
1329 	lifetime = ntohs(ra_msg->icmph.icmp6_rt_lifetime);
1330 	if (lifetime != 0 && lifetime < in6_dev->cnf.accept_ra_min_lft) {
1331 		ND_PRINTK(2, info,
1332 			  "RA: router lifetime (%ds) is too short: %s\n",
1333 			  lifetime, skb->dev->name);
1334 		goto skip_defrtr;
1335 	}
1336 
1337 	/* Do not accept RA with source-addr found on local machine unless
1338 	 * accept_ra_from_local is set to true.
1339 	 */
1340 	net = dev_net(in6_dev->dev);
1341 	if (!in6_dev->cnf.accept_ra_from_local &&
1342 	    ipv6_chk_addr(net, &ipv6_hdr(skb)->saddr, in6_dev->dev, 0)) {
1343 		ND_PRINTK(2, info,
1344 			  "RA from local address detected on dev: %s: default router ignored\n",
1345 			  skb->dev->name);
1346 		goto skip_defrtr;
1347 	}
1348 
1349 #ifdef CONFIG_IPV6_ROUTER_PREF
1350 	pref = ra_msg->icmph.icmp6_router_pref;
1351 	/* 10b is handled as if it were 00b (medium) */
1352 	if (pref == ICMPV6_ROUTER_PREF_INVALID ||
1353 	    !in6_dev->cnf.accept_ra_rtr_pref)
1354 		pref = ICMPV6_ROUTER_PREF_MEDIUM;
1355 #endif
1356 	/* routes added from RAs do not use nexthop objects */
1357 	rt = rt6_get_dflt_router(net, &ipv6_hdr(skb)->saddr, skb->dev);
1358 	if (rt) {
1359 		neigh = ip6_neigh_lookup(&rt->fib6_nh->fib_nh_gw6,
1360 					 rt->fib6_nh->fib_nh_dev, NULL,
1361 					  &ipv6_hdr(skb)->saddr);
1362 		if (!neigh) {
1363 			ND_PRINTK(0, err,
1364 				  "RA: %s got default router without neighbour\n",
1365 				  __func__);
1366 			fib6_info_release(rt);
1367 			return reason;
1368 		}
1369 	}
1370 	/* Set default route metric as specified by user */
1371 	defrtr_usr_metric = in6_dev->cnf.ra_defrtr_metric;
1372 	/* delete the route if lifetime is 0 or if metric needs change */
1373 	if (rt && (lifetime == 0 || rt->fib6_metric != defrtr_usr_metric)) {
1374 		ip6_del_rt(net, rt, false);
1375 		rt = NULL;
1376 	}
1377 
1378 	ND_PRINTK(3, info, "RA: rt: %p  lifetime: %d, metric: %d, for dev: %s\n",
1379 		  rt, lifetime, defrtr_usr_metric, skb->dev->name);
1380 	if (!rt && lifetime) {
1381 		ND_PRINTK(3, info, "RA: adding default router\n");
1382 
1383 		if (neigh)
1384 			neigh_release(neigh);
1385 
1386 		rt = rt6_add_dflt_router(net, &ipv6_hdr(skb)->saddr,
1387 					 skb->dev, pref, defrtr_usr_metric);
1388 		if (!rt) {
1389 			ND_PRINTK(0, err,
1390 				  "RA: %s failed to add default route\n",
1391 				  __func__);
1392 			return reason;
1393 		}
1394 
1395 		neigh = ip6_neigh_lookup(&rt->fib6_nh->fib_nh_gw6,
1396 					 rt->fib6_nh->fib_nh_dev, NULL,
1397 					  &ipv6_hdr(skb)->saddr);
1398 		if (!neigh) {
1399 			ND_PRINTK(0, err,
1400 				  "RA: %s got default router without neighbour\n",
1401 				  __func__);
1402 			fib6_info_release(rt);
1403 			return reason;
1404 		}
1405 		neigh->flags |= NTF_ROUTER;
1406 	} else if (rt && IPV6_EXTRACT_PREF(rt->fib6_flags) != pref) {
1407 		struct nl_info nlinfo = {
1408 			.nl_net = net,
1409 		};
1410 		rt->fib6_flags = (rt->fib6_flags & ~RTF_PREF_MASK) | RTF_PREF(pref);
1411 		inet6_rt_notify(RTM_NEWROUTE, rt, &nlinfo, NLM_F_REPLACE);
1412 	}
1413 
1414 	if (rt)
1415 		fib6_set_expires(rt, jiffies + (HZ * lifetime));
1416 	if (in6_dev->cnf.accept_ra_min_hop_limit < 256 &&
1417 	    ra_msg->icmph.icmp6_hop_limit) {
1418 		if (in6_dev->cnf.accept_ra_min_hop_limit <= ra_msg->icmph.icmp6_hop_limit) {
1419 			in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
1420 			fib6_metric_set(rt, RTAX_HOPLIMIT,
1421 					ra_msg->icmph.icmp6_hop_limit);
1422 		} else {
1423 			ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than minimum\n");
1424 		}
1425 	}
1426 
1427 skip_defrtr:
1428 
1429 	/*
1430 	 *	Update Reachable Time and Retrans Timer
1431 	 */
1432 
1433 	if (in6_dev->nd_parms) {
1434 		unsigned long rtime = ntohl(ra_msg->retrans_timer);
1435 
1436 		if (rtime && rtime/1000 < MAX_SCHEDULE_TIMEOUT/HZ) {
1437 			rtime = (rtime*HZ)/1000;
1438 			if (rtime < HZ/100)
1439 				rtime = HZ/100;
1440 			NEIGH_VAR_SET(in6_dev->nd_parms, RETRANS_TIME, rtime);
1441 			in6_dev->tstamp = jiffies;
1442 			send_ifinfo_notify = true;
1443 		}
1444 
1445 		rtime = ntohl(ra_msg->reachable_time);
1446 		if (rtime && rtime/1000 < MAX_SCHEDULE_TIMEOUT/(3*HZ)) {
1447 			rtime = (rtime*HZ)/1000;
1448 
1449 			if (rtime < HZ/10)
1450 				rtime = HZ/10;
1451 
1452 			if (rtime != NEIGH_VAR(in6_dev->nd_parms, BASE_REACHABLE_TIME)) {
1453 				NEIGH_VAR_SET(in6_dev->nd_parms,
1454 					      BASE_REACHABLE_TIME, rtime);
1455 				NEIGH_VAR_SET(in6_dev->nd_parms,
1456 					      GC_STALETIME, 3 * rtime);
1457 				in6_dev->nd_parms->reachable_time = neigh_rand_reach_time(rtime);
1458 				in6_dev->tstamp = jiffies;
1459 				send_ifinfo_notify = true;
1460 			}
1461 		}
1462 	}
1463 
1464 skip_linkparms:
1465 
1466 	/*
1467 	 *	Process options.
1468 	 */
1469 
1470 	if (!neigh)
1471 		neigh = __neigh_lookup(&nd_tbl, &ipv6_hdr(skb)->saddr,
1472 				       skb->dev, 1);
1473 	if (neigh) {
1474 		u8 *lladdr = NULL;
1475 		if (ndopts.nd_opts_src_lladdr) {
1476 			lladdr = ndisc_opt_addr_data(ndopts.nd_opts_src_lladdr,
1477 						     skb->dev);
1478 			if (!lladdr) {
1479 				ND_PRINTK(2, warn,
1480 					  "RA: invalid link-layer address length\n");
1481 				goto out;
1482 			}
1483 		}
1484 		ndisc_update(skb->dev, neigh, lladdr, NUD_STALE,
1485 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
1486 			     NEIGH_UPDATE_F_OVERRIDE|
1487 			     NEIGH_UPDATE_F_OVERRIDE_ISROUTER|
1488 			     NEIGH_UPDATE_F_ISROUTER,
1489 			     NDISC_ROUTER_ADVERTISEMENT, &ndopts);
1490 		reason = SKB_CONSUMED;
1491 	}
1492 
1493 	if (!ipv6_accept_ra(in6_dev)) {
1494 		ND_PRINTK(2, info,
1495 			  "RA: %s, accept_ra is false for dev: %s\n",
1496 			  __func__, skb->dev->name);
1497 		goto out;
1498 	}
1499 
1500 #ifdef CONFIG_IPV6_ROUTE_INFO
1501 	if (!in6_dev->cnf.accept_ra_from_local &&
1502 	    ipv6_chk_addr(dev_net(in6_dev->dev), &ipv6_hdr(skb)->saddr,
1503 			  in6_dev->dev, 0)) {
1504 		ND_PRINTK(2, info,
1505 			  "RA from local address detected on dev: %s: router info ignored.\n",
1506 			  skb->dev->name);
1507 		goto skip_routeinfo;
1508 	}
1509 
1510 	if (in6_dev->cnf.accept_ra_rtr_pref && ndopts.nd_opts_ri) {
1511 		struct nd_opt_hdr *p;
1512 		for (p = ndopts.nd_opts_ri;
1513 		     p;
1514 		     p = ndisc_next_option(p, ndopts.nd_opts_ri_end)) {
1515 			struct route_info *ri = (struct route_info *)p;
1516 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1517 			if (skb->ndisc_nodetype == NDISC_NODETYPE_NODEFAULT &&
1518 			    ri->prefix_len == 0)
1519 				continue;
1520 #endif
1521 			if (ri->prefix_len == 0 &&
1522 			    !in6_dev->cnf.accept_ra_defrtr)
1523 				continue;
1524 			if (ri->lifetime != 0 &&
1525 			    ntohl(ri->lifetime) < in6_dev->cnf.accept_ra_min_lft)
1526 				continue;
1527 			if (ri->prefix_len < in6_dev->cnf.accept_ra_rt_info_min_plen)
1528 				continue;
1529 			if (ri->prefix_len > in6_dev->cnf.accept_ra_rt_info_max_plen)
1530 				continue;
1531 			rt6_route_rcv(skb->dev, (u8 *)p, (p->nd_opt_len) << 3,
1532 				      &ipv6_hdr(skb)->saddr);
1533 		}
1534 	}
1535 
1536 skip_routeinfo:
1537 #endif
1538 
1539 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1540 	/* skip link-specific ndopts from interior routers */
1541 	if (skb->ndisc_nodetype == NDISC_NODETYPE_NODEFAULT) {
1542 		ND_PRINTK(2, info,
1543 			  "RA: %s, nodetype is NODEFAULT (interior routes), dev: %s\n",
1544 			  __func__, skb->dev->name);
1545 		goto out;
1546 	}
1547 #endif
1548 
1549 	if (in6_dev->cnf.accept_ra_pinfo && ndopts.nd_opts_pi) {
1550 		struct nd_opt_hdr *p;
1551 		for (p = ndopts.nd_opts_pi;
1552 		     p;
1553 		     p = ndisc_next_option(p, ndopts.nd_opts_pi_end)) {
1554 			addrconf_prefix_rcv(skb->dev, (u8 *)p,
1555 					    (p->nd_opt_len) << 3,
1556 					    ndopts.nd_opts_src_lladdr != NULL);
1557 		}
1558 	}
1559 
1560 	if (ndopts.nd_opts_mtu && in6_dev->cnf.accept_ra_mtu) {
1561 		__be32 n;
1562 		u32 mtu;
1563 
1564 		memcpy(&n, ((u8 *)(ndopts.nd_opts_mtu+1))+2, sizeof(mtu));
1565 		mtu = ntohl(n);
1566 
1567 		if (in6_dev->ra_mtu != mtu) {
1568 			in6_dev->ra_mtu = mtu;
1569 			send_ifinfo_notify = true;
1570 		}
1571 
1572 		if (mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) {
1573 			ND_PRINTK(2, warn, "RA: invalid mtu: %d\n", mtu);
1574 		} else if (in6_dev->cnf.mtu6 != mtu) {
1575 			in6_dev->cnf.mtu6 = mtu;
1576 			fib6_metric_set(rt, RTAX_MTU, mtu);
1577 			rt6_mtu_change(skb->dev, mtu);
1578 		}
1579 	}
1580 
1581 	if (ndopts.nd_useropts) {
1582 		struct nd_opt_hdr *p;
1583 		for (p = ndopts.nd_useropts;
1584 		     p;
1585 		     p = ndisc_next_useropt(skb->dev, p,
1586 					    ndopts.nd_useropts_end)) {
1587 			ndisc_ra_useropt(skb, p);
1588 		}
1589 	}
1590 
1591 	if (ndopts.nd_opts_tgt_lladdr || ndopts.nd_opts_rh) {
1592 		ND_PRINTK(2, warn, "RA: invalid RA options\n");
1593 	}
1594 out:
1595 	/* Send a notify if RA changed managed/otherconf flags or
1596 	 * timer settings or ra_mtu value
1597 	 */
1598 	if (send_ifinfo_notify)
1599 		inet6_ifinfo_notify(RTM_NEWLINK, in6_dev);
1600 
1601 	fib6_info_release(rt);
1602 	if (neigh)
1603 		neigh_release(neigh);
1604 	return reason;
1605 }
1606 
ndisc_redirect_rcv(struct sk_buff * skb)1607 static enum skb_drop_reason ndisc_redirect_rcv(struct sk_buff *skb)
1608 {
1609 	struct rd_msg *msg = (struct rd_msg *)skb_transport_header(skb);
1610 	u32 ndoptlen = skb_tail_pointer(skb) - (skb_transport_header(skb) +
1611 				    offsetof(struct rd_msg, opt));
1612 	struct ndisc_options ndopts;
1613 	SKB_DR(reason);
1614 	u8 *hdr;
1615 
1616 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1617 	switch (skb->ndisc_nodetype) {
1618 	case NDISC_NODETYPE_HOST:
1619 	case NDISC_NODETYPE_NODEFAULT:
1620 		ND_PRINTK(2, warn,
1621 			  "Redirect: from host or unauthorized router\n");
1622 		return reason;
1623 	}
1624 #endif
1625 
1626 	if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL)) {
1627 		ND_PRINTK(2, warn,
1628 			  "Redirect: source address is not link-local\n");
1629 		return reason;
1630 	}
1631 
1632 	if (!ndisc_parse_options(skb->dev, msg->opt, ndoptlen, &ndopts))
1633 		return SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS;
1634 
1635 	if (!ndopts.nd_opts_rh) {
1636 		ip6_redirect_no_header(skb, dev_net(skb->dev),
1637 					skb->dev->ifindex);
1638 		return reason;
1639 	}
1640 
1641 	hdr = (u8 *)ndopts.nd_opts_rh;
1642 	hdr += 8;
1643 	if (!pskb_pull(skb, hdr - skb_transport_header(skb)))
1644 		return SKB_DROP_REASON_PKT_TOO_SMALL;
1645 
1646 	return icmpv6_notify(skb, NDISC_REDIRECT, 0, 0);
1647 }
1648 
ndisc_fill_redirect_hdr_option(struct sk_buff * skb,struct sk_buff * orig_skb,int rd_len)1649 static void ndisc_fill_redirect_hdr_option(struct sk_buff *skb,
1650 					   struct sk_buff *orig_skb,
1651 					   int rd_len)
1652 {
1653 	u8 *opt = skb_put(skb, rd_len);
1654 
1655 	memset(opt, 0, 8);
1656 	*(opt++) = ND_OPT_REDIRECT_HDR;
1657 	*(opt++) = (rd_len >> 3);
1658 	opt += 6;
1659 
1660 	skb_copy_bits(orig_skb, skb_network_offset(orig_skb), opt,
1661 		      rd_len - 8);
1662 }
1663 
ndisc_send_redirect(struct sk_buff * skb,const struct in6_addr * target)1664 void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target)
1665 {
1666 	struct net_device *dev = skb->dev;
1667 	struct net *net = dev_net(dev);
1668 	struct sock *sk = net->ipv6.ndisc_sk;
1669 	int optlen = 0;
1670 	struct inet_peer *peer;
1671 	struct sk_buff *buff;
1672 	struct rd_msg *msg;
1673 	struct in6_addr saddr_buf;
1674 	struct rt6_info *rt;
1675 	struct dst_entry *dst;
1676 	struct flowi6 fl6;
1677 	int rd_len;
1678 	u8 ha_buf[MAX_ADDR_LEN], *ha = NULL,
1679 	   ops_data_buf[NDISC_OPS_REDIRECT_DATA_SPACE], *ops_data = NULL;
1680 	bool ret;
1681 
1682 	if (netif_is_l3_master(skb->dev)) {
1683 		dev = __dev_get_by_index(dev_net(skb->dev), IPCB(skb)->iif);
1684 		if (!dev)
1685 			return;
1686 	}
1687 
1688 	if (ipv6_get_lladdr(dev, &saddr_buf, IFA_F_TENTATIVE)) {
1689 		ND_PRINTK(2, warn, "Redirect: no link-local address on %s\n",
1690 			  dev->name);
1691 		return;
1692 	}
1693 
1694 	if (!ipv6_addr_equal(&ipv6_hdr(skb)->daddr, target) &&
1695 	    ipv6_addr_type(target) != (IPV6_ADDR_UNICAST|IPV6_ADDR_LINKLOCAL)) {
1696 		ND_PRINTK(2, warn,
1697 			  "Redirect: target address is not link-local unicast\n");
1698 		return;
1699 	}
1700 
1701 	icmpv6_flow_init(sk, &fl6, NDISC_REDIRECT,
1702 			 &saddr_buf, &ipv6_hdr(skb)->saddr, dev->ifindex);
1703 
1704 	dst = ip6_route_output(net, NULL, &fl6);
1705 	if (dst->error) {
1706 		dst_release(dst);
1707 		return;
1708 	}
1709 	dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), NULL, 0);
1710 	if (IS_ERR(dst))
1711 		return;
1712 
1713 	rt = dst_rt6_info(dst);
1714 
1715 	if (rt->rt6i_flags & RTF_GATEWAY) {
1716 		ND_PRINTK(2, warn,
1717 			  "Redirect: destination is not a neighbour\n");
1718 		goto release;
1719 	}
1720 	peer = inet_getpeer_v6(net->ipv6.peers, &ipv6_hdr(skb)->saddr, 1);
1721 	ret = inet_peer_xrlim_allow(peer, 1*HZ);
1722 	if (peer)
1723 		inet_putpeer(peer);
1724 	if (!ret)
1725 		goto release;
1726 
1727 	if (dev->addr_len) {
1728 		struct neighbour *neigh = dst_neigh_lookup(skb_dst(skb), target);
1729 		if (!neigh) {
1730 			ND_PRINTK(2, warn,
1731 				  "Redirect: no neigh for target address\n");
1732 			goto release;
1733 		}
1734 
1735 		read_lock_bh(&neigh->lock);
1736 		if (neigh->nud_state & NUD_VALID) {
1737 			memcpy(ha_buf, neigh->ha, dev->addr_len);
1738 			read_unlock_bh(&neigh->lock);
1739 			ha = ha_buf;
1740 			optlen += ndisc_redirect_opt_addr_space(dev, neigh,
1741 								ops_data_buf,
1742 								&ops_data);
1743 		} else
1744 			read_unlock_bh(&neigh->lock);
1745 
1746 		neigh_release(neigh);
1747 	}
1748 
1749 	rd_len = min_t(unsigned int,
1750 		       IPV6_MIN_MTU - sizeof(struct ipv6hdr) - sizeof(*msg) - optlen,
1751 		       skb->len + 8);
1752 	rd_len &= ~0x7;
1753 	optlen += rd_len;
1754 
1755 	buff = ndisc_alloc_skb(dev, sizeof(*msg) + optlen);
1756 	if (!buff)
1757 		goto release;
1758 
1759 	msg = skb_put(buff, sizeof(*msg));
1760 	*msg = (struct rd_msg) {
1761 		.icmph = {
1762 			.icmp6_type = NDISC_REDIRECT,
1763 		},
1764 		.target = *target,
1765 		.dest = ipv6_hdr(skb)->daddr,
1766 	};
1767 
1768 	/*
1769 	 *	include target_address option
1770 	 */
1771 
1772 	if (ha)
1773 		ndisc_fill_redirect_addr_option(buff, ha, ops_data);
1774 
1775 	/*
1776 	 *	build redirect option and copy skb over to the new packet.
1777 	 */
1778 
1779 	if (rd_len)
1780 		ndisc_fill_redirect_hdr_option(buff, skb, rd_len);
1781 
1782 	skb_dst_set(buff, dst);
1783 	ndisc_send_skb(buff, &ipv6_hdr(skb)->saddr, &saddr_buf);
1784 	return;
1785 
1786 release:
1787 	dst_release(dst);
1788 }
1789 
pndisc_redo(struct sk_buff * skb)1790 static void pndisc_redo(struct sk_buff *skb)
1791 {
1792 	enum skb_drop_reason reason = ndisc_recv_ns(skb);
1793 
1794 	kfree_skb_reason(skb, reason);
1795 }
1796 
ndisc_is_multicast(const void * pkey)1797 static int ndisc_is_multicast(const void *pkey)
1798 {
1799 	return ipv6_addr_is_multicast((struct in6_addr *)pkey);
1800 }
1801 
ndisc_suppress_frag_ndisc(struct sk_buff * skb)1802 static bool ndisc_suppress_frag_ndisc(struct sk_buff *skb)
1803 {
1804 	struct inet6_dev *idev = __in6_dev_get(skb->dev);
1805 
1806 	if (!idev)
1807 		return true;
1808 	if (IP6CB(skb)->flags & IP6SKB_FRAGMENTED &&
1809 	    idev->cnf.suppress_frag_ndisc) {
1810 		net_warn_ratelimited("Received fragmented ndisc packet. Carefully consider disabling suppress_frag_ndisc.\n");
1811 		return true;
1812 	}
1813 	return false;
1814 }
1815 
ndisc_rcv(struct sk_buff * skb)1816 enum skb_drop_reason ndisc_rcv(struct sk_buff *skb)
1817 {
1818 	struct nd_msg *msg;
1819 	SKB_DR(reason);
1820 
1821 	if (ndisc_suppress_frag_ndisc(skb))
1822 		return SKB_DROP_REASON_IPV6_NDISC_FRAG;
1823 
1824 	if (skb_linearize(skb))
1825 		return SKB_DROP_REASON_NOMEM;
1826 
1827 	msg = (struct nd_msg *)skb_transport_header(skb);
1828 
1829 	__skb_push(skb, skb->data - skb_transport_header(skb));
1830 
1831 	if (ipv6_hdr(skb)->hop_limit != 255) {
1832 		ND_PRINTK(2, warn, "NDISC: invalid hop-limit: %d\n",
1833 			  ipv6_hdr(skb)->hop_limit);
1834 		return SKB_DROP_REASON_IPV6_NDISC_HOP_LIMIT;
1835 	}
1836 
1837 	if (msg->icmph.icmp6_code != 0) {
1838 		ND_PRINTK(2, warn, "NDISC: invalid ICMPv6 code: %d\n",
1839 			  msg->icmph.icmp6_code);
1840 		return SKB_DROP_REASON_IPV6_NDISC_BAD_CODE;
1841 	}
1842 
1843 	switch (msg->icmph.icmp6_type) {
1844 	case NDISC_NEIGHBOUR_SOLICITATION:
1845 		memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb));
1846 		reason = ndisc_recv_ns(skb);
1847 		break;
1848 
1849 	case NDISC_NEIGHBOUR_ADVERTISEMENT:
1850 		reason = ndisc_recv_na(skb);
1851 		break;
1852 
1853 	case NDISC_ROUTER_SOLICITATION:
1854 		reason = ndisc_recv_rs(skb);
1855 		break;
1856 
1857 	case NDISC_ROUTER_ADVERTISEMENT:
1858 		reason = ndisc_router_discovery(skb);
1859 		break;
1860 
1861 	case NDISC_REDIRECT:
1862 		reason = ndisc_redirect_rcv(skb);
1863 		break;
1864 	}
1865 
1866 	return reason;
1867 }
1868 
ndisc_netdev_event(struct notifier_block * this,unsigned long event,void * ptr)1869 static int ndisc_netdev_event(struct notifier_block *this, unsigned long event, void *ptr)
1870 {
1871 	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
1872 	struct netdev_notifier_change_info *change_info;
1873 	struct net *net = dev_net(dev);
1874 	struct inet6_dev *idev;
1875 	bool evict_nocarrier;
1876 
1877 	switch (event) {
1878 	case NETDEV_CHANGEADDR:
1879 		neigh_changeaddr(&nd_tbl, dev);
1880 		fib6_run_gc(0, net, false);
1881 		fallthrough;
1882 	case NETDEV_UP:
1883 		idev = in6_dev_get(dev);
1884 		if (!idev)
1885 			break;
1886 		if (idev->cnf.ndisc_notify ||
1887 		    net->ipv6.devconf_all->ndisc_notify)
1888 			ndisc_send_unsol_na(dev);
1889 		in6_dev_put(idev);
1890 		break;
1891 	case NETDEV_CHANGE:
1892 		idev = in6_dev_get(dev);
1893 		if (!idev)
1894 			evict_nocarrier = true;
1895 		else {
1896 			evict_nocarrier = idev->cnf.ndisc_evict_nocarrier &&
1897 					  net->ipv6.devconf_all->ndisc_evict_nocarrier;
1898 			in6_dev_put(idev);
1899 		}
1900 
1901 		change_info = ptr;
1902 		if (change_info->flags_changed & IFF_NOARP)
1903 			neigh_changeaddr(&nd_tbl, dev);
1904 		if (evict_nocarrier && !netif_carrier_ok(dev))
1905 			neigh_carrier_down(&nd_tbl, dev);
1906 		break;
1907 	case NETDEV_DOWN:
1908 		neigh_ifdown(&nd_tbl, dev);
1909 		fib6_run_gc(0, net, false);
1910 		break;
1911 	case NETDEV_NOTIFY_PEERS:
1912 		ndisc_send_unsol_na(dev);
1913 		break;
1914 	default:
1915 		break;
1916 	}
1917 
1918 	return NOTIFY_DONE;
1919 }
1920 
1921 static struct notifier_block ndisc_netdev_notifier = {
1922 	.notifier_call = ndisc_netdev_event,
1923 	.priority = ADDRCONF_NOTIFY_PRIORITY - 5,
1924 };
1925 
1926 #ifdef CONFIG_SYSCTL
ndisc_warn_deprecated_sysctl(struct ctl_table * ctl,const char * func,const char * dev_name)1927 static void ndisc_warn_deprecated_sysctl(struct ctl_table *ctl,
1928 					 const char *func, const char *dev_name)
1929 {
1930 	static char warncomm[TASK_COMM_LEN];
1931 	static int warned;
1932 	if (strcmp(warncomm, current->comm) && warned < 5) {
1933 		strcpy(warncomm, current->comm);
1934 		pr_warn("process `%s' is using deprecated sysctl (%s) net.ipv6.neigh.%s.%s - use net.ipv6.neigh.%s.%s_ms instead\n",
1935 			warncomm, func,
1936 			dev_name, ctl->procname,
1937 			dev_name, ctl->procname);
1938 		warned++;
1939 	}
1940 }
1941 
ndisc_ifinfo_sysctl_change(struct ctl_table * ctl,int write,void * buffer,size_t * lenp,loff_t * ppos)1942 int ndisc_ifinfo_sysctl_change(struct ctl_table *ctl, int write, void *buffer,
1943 		size_t *lenp, loff_t *ppos)
1944 {
1945 	struct net_device *dev = ctl->extra1;
1946 	struct inet6_dev *idev;
1947 	int ret;
1948 
1949 	if ((strcmp(ctl->procname, "retrans_time") == 0) ||
1950 	    (strcmp(ctl->procname, "base_reachable_time") == 0))
1951 		ndisc_warn_deprecated_sysctl(ctl, "syscall", dev ? dev->name : "default");
1952 
1953 	if (strcmp(ctl->procname, "retrans_time") == 0)
1954 		ret = neigh_proc_dointvec(ctl, write, buffer, lenp, ppos);
1955 
1956 	else if (strcmp(ctl->procname, "base_reachable_time") == 0)
1957 		ret = neigh_proc_dointvec_jiffies(ctl, write,
1958 						  buffer, lenp, ppos);
1959 
1960 	else if ((strcmp(ctl->procname, "retrans_time_ms") == 0) ||
1961 		 (strcmp(ctl->procname, "base_reachable_time_ms") == 0))
1962 		ret = neigh_proc_dointvec_ms_jiffies(ctl, write,
1963 						     buffer, lenp, ppos);
1964 	else
1965 		ret = -1;
1966 
1967 	if (write && ret == 0 && dev && (idev = in6_dev_get(dev)) != NULL) {
1968 		if (ctl->data == &NEIGH_VAR(idev->nd_parms, BASE_REACHABLE_TIME))
1969 			idev->nd_parms->reachable_time =
1970 					neigh_rand_reach_time(NEIGH_VAR(idev->nd_parms, BASE_REACHABLE_TIME));
1971 		idev->tstamp = jiffies;
1972 		inet6_ifinfo_notify(RTM_NEWLINK, idev);
1973 		in6_dev_put(idev);
1974 	}
1975 	return ret;
1976 }
1977 
1978 
1979 #endif
1980 
ndisc_net_init(struct net * net)1981 static int __net_init ndisc_net_init(struct net *net)
1982 {
1983 	struct ipv6_pinfo *np;
1984 	struct sock *sk;
1985 	int err;
1986 
1987 	err = inet_ctl_sock_create(&sk, PF_INET6,
1988 				   SOCK_RAW, IPPROTO_ICMPV6, net);
1989 	if (err < 0) {
1990 		ND_PRINTK(0, err,
1991 			  "NDISC: Failed to initialize the control socket (err %d)\n",
1992 			  err);
1993 		return err;
1994 	}
1995 
1996 	net->ipv6.ndisc_sk = sk;
1997 
1998 	np = inet6_sk(sk);
1999 	np->hop_limit = 255;
2000 	/* Do not loopback ndisc messages */
2001 	np->mc_loop = 0;
2002 
2003 	return 0;
2004 }
2005 
ndisc_net_exit(struct net * net)2006 static void __net_exit ndisc_net_exit(struct net *net)
2007 {
2008 	inet_ctl_sock_destroy(net->ipv6.ndisc_sk);
2009 }
2010 
2011 static struct pernet_operations ndisc_net_ops = {
2012 	.init = ndisc_net_init,
2013 	.exit = ndisc_net_exit,
2014 };
2015 
ndisc_init(void)2016 int __init ndisc_init(void)
2017 {
2018 	int err;
2019 
2020 	err = register_pernet_subsys(&ndisc_net_ops);
2021 	if (err)
2022 		return err;
2023 	/*
2024 	 * Initialize the neighbour table
2025 	 */
2026 	neigh_table_init(NEIGH_ND_TABLE, &nd_tbl);
2027 
2028 #ifdef CONFIG_SYSCTL
2029 	err = neigh_sysctl_register(NULL, &nd_tbl.parms,
2030 				    ndisc_ifinfo_sysctl_change);
2031 	if (err)
2032 		goto out_unregister_pernet;
2033 out:
2034 #endif
2035 	return err;
2036 
2037 #ifdef CONFIG_SYSCTL
2038 out_unregister_pernet:
2039 	unregister_pernet_subsys(&ndisc_net_ops);
2040 	goto out;
2041 #endif
2042 }
2043 
ndisc_late_init(void)2044 int __init ndisc_late_init(void)
2045 {
2046 	return register_netdevice_notifier(&ndisc_netdev_notifier);
2047 }
2048 
ndisc_late_cleanup(void)2049 void ndisc_late_cleanup(void)
2050 {
2051 	unregister_netdevice_notifier(&ndisc_netdev_notifier);
2052 }
2053 
ndisc_cleanup(void)2054 void ndisc_cleanup(void)
2055 {
2056 #ifdef CONFIG_SYSCTL
2057 	neigh_sysctl_unregister(&nd_tbl.parms);
2058 #endif
2059 	neigh_table_clear(NEIGH_ND_TABLE, &nd_tbl);
2060 	unregister_pernet_subsys(&ndisc_net_ops);
2061 }
2062