xref: /openbmc/linux/net/ipv6/ndisc.c (revision 1a4e39c2e5ca2eb494a53ecd73055562f690bca0)
1 /*
2  *	Neighbour Discovery for IPv6
3  *	Linux INET6 implementation
4  *
5  *	Authors:
6  *	Pedro Roque		<roque@di.fc.ul.pt>
7  *	Mike Shaver		<shaver@ingenia.com>
8  *
9  *	This program is free software; you can redistribute it and/or
10  *      modify it under the terms of the GNU General Public License
11  *      as published by the Free Software Foundation; either version
12  *      2 of the License, or (at your option) any later version.
13  */
14 
15 /*
16  *	Changes:
17  *
18  *	Alexey I. Froloff		:	RFC6106 (DNSSL) support
19  *	Pierre Ynard			:	export userland ND options
20  *						through netlink (RDNSS support)
21  *	Lars Fenneberg			:	fixed MTU setting on receipt
22  *						of an RA.
23  *	Janos Farkas			:	kmalloc failure checks
24  *	Alexey Kuznetsov		:	state machine reworked
25  *						and moved to net/core.
26  *	Pekka Savola			:	RFC2461 validation
27  *	YOSHIFUJI Hideaki @USAGI	:	Verify ND options properly
28  */
29 
30 #define pr_fmt(fmt) "ICMPv6: " fmt
31 
32 #include <linux/module.h>
33 #include <linux/errno.h>
34 #include <linux/types.h>
35 #include <linux/socket.h>
36 #include <linux/sockios.h>
37 #include <linux/sched.h>
38 #include <linux/net.h>
39 #include <linux/in6.h>
40 #include <linux/route.h>
41 #include <linux/init.h>
42 #include <linux/rcupdate.h>
43 #include <linux/slab.h>
44 #ifdef CONFIG_SYSCTL
45 #include <linux/sysctl.h>
46 #endif
47 
48 #include <linux/if_addr.h>
49 #include <linux/if_arp.h>
50 #include <linux/ipv6.h>
51 #include <linux/icmpv6.h>
52 #include <linux/jhash.h>
53 
54 #include <net/sock.h>
55 #include <net/snmp.h>
56 
57 #include <net/ipv6.h>
58 #include <net/protocol.h>
59 #include <net/ndisc.h>
60 #include <net/ip6_route.h>
61 #include <net/addrconf.h>
62 #include <net/icmp.h>
63 
64 #include <net/netlink.h>
65 #include <linux/rtnetlink.h>
66 
67 #include <net/flow.h>
68 #include <net/ip6_checksum.h>
69 #include <net/inet_common.h>
70 #include <linux/proc_fs.h>
71 
72 #include <linux/netfilter.h>
73 #include <linux/netfilter_ipv6.h>
74 
75 /* Set to 3 to get tracing... */
76 #define ND_DEBUG 1
77 
78 #define ND_PRINTK(val, level, fmt, ...)				\
79 do {								\
80 	if (val <= ND_DEBUG)					\
81 		net_##level##_ratelimited(fmt, ##__VA_ARGS__);	\
82 } while (0)
83 
84 static u32 ndisc_hash(const void *pkey,
85 		      const struct net_device *dev,
86 		      __u32 *hash_rnd);
87 static int ndisc_constructor(struct neighbour *neigh);
88 static void ndisc_solicit(struct neighbour *neigh, struct sk_buff *skb);
89 static void ndisc_error_report(struct neighbour *neigh, struct sk_buff *skb);
90 static int pndisc_constructor(struct pneigh_entry *n);
91 static void pndisc_destructor(struct pneigh_entry *n);
92 static void pndisc_redo(struct sk_buff *skb);
93 
94 static const struct neigh_ops ndisc_generic_ops = {
95 	.family =		AF_INET6,
96 	.solicit =		ndisc_solicit,
97 	.error_report =		ndisc_error_report,
98 	.output =		neigh_resolve_output,
99 	.connected_output =	neigh_connected_output,
100 };
101 
102 static const struct neigh_ops ndisc_hh_ops = {
103 	.family =		AF_INET6,
104 	.solicit =		ndisc_solicit,
105 	.error_report =		ndisc_error_report,
106 	.output =		neigh_resolve_output,
107 	.connected_output =	neigh_resolve_output,
108 };
109 
110 
111 static const struct neigh_ops ndisc_direct_ops = {
112 	.family =		AF_INET6,
113 	.output =		neigh_direct_output,
114 	.connected_output =	neigh_direct_output,
115 };
116 
117 struct neigh_table nd_tbl = {
118 	.family =	AF_INET6,
119 	.key_len =	sizeof(struct in6_addr),
120 	.hash =		ndisc_hash,
121 	.constructor =	ndisc_constructor,
122 	.pconstructor =	pndisc_constructor,
123 	.pdestructor =	pndisc_destructor,
124 	.proxy_redo =	pndisc_redo,
125 	.id =		"ndisc_cache",
126 	.parms = {
127 		.tbl			= &nd_tbl,
128 		.reachable_time		= ND_REACHABLE_TIME,
129 		.data = {
130 			[NEIGH_VAR_MCAST_PROBES] = 3,
131 			[NEIGH_VAR_UCAST_PROBES] = 3,
132 			[NEIGH_VAR_RETRANS_TIME] = ND_RETRANS_TIMER,
133 			[NEIGH_VAR_BASE_REACHABLE_TIME] = ND_REACHABLE_TIME,
134 			[NEIGH_VAR_DELAY_PROBE_TIME] = 5 * HZ,
135 			[NEIGH_VAR_GC_STALETIME] = 60 * HZ,
136 			[NEIGH_VAR_QUEUE_LEN_BYTES] = 64 * 1024,
137 			[NEIGH_VAR_PROXY_QLEN] = 64,
138 			[NEIGH_VAR_ANYCAST_DELAY] = 1 * HZ,
139 			[NEIGH_VAR_PROXY_DELAY] = (8 * HZ) / 10,
140 		},
141 	},
142 	.gc_interval =	  30 * HZ,
143 	.gc_thresh1 =	 128,
144 	.gc_thresh2 =	 512,
145 	.gc_thresh3 =	1024,
146 };
147 
148 static void ndisc_fill_addr_option(struct sk_buff *skb, int type, void *data)
149 {
150 	int pad   = ndisc_addr_option_pad(skb->dev->type);
151 	int data_len = skb->dev->addr_len;
152 	int space = ndisc_opt_addr_space(skb->dev);
153 	u8 *opt = skb_put(skb, space);
154 
155 	opt[0] = type;
156 	opt[1] = space>>3;
157 
158 	memset(opt + 2, 0, pad);
159 	opt   += pad;
160 	space -= pad;
161 
162 	memcpy(opt+2, data, data_len);
163 	data_len += 2;
164 	opt += data_len;
165 	if ((space -= data_len) > 0)
166 		memset(opt, 0, space);
167 }
168 
169 static struct nd_opt_hdr *ndisc_next_option(struct nd_opt_hdr *cur,
170 					    struct nd_opt_hdr *end)
171 {
172 	int type;
173 	if (!cur || !end || cur >= end)
174 		return NULL;
175 	type = cur->nd_opt_type;
176 	do {
177 		cur = ((void *)cur) + (cur->nd_opt_len << 3);
178 	} while (cur < end && cur->nd_opt_type != type);
179 	return cur <= end && cur->nd_opt_type == type ? cur : NULL;
180 }
181 
182 static inline int ndisc_is_useropt(struct nd_opt_hdr *opt)
183 {
184 	return opt->nd_opt_type == ND_OPT_RDNSS ||
185 		opt->nd_opt_type == ND_OPT_DNSSL;
186 }
187 
188 static struct nd_opt_hdr *ndisc_next_useropt(struct nd_opt_hdr *cur,
189 					     struct nd_opt_hdr *end)
190 {
191 	if (!cur || !end || cur >= end)
192 		return NULL;
193 	do {
194 		cur = ((void *)cur) + (cur->nd_opt_len << 3);
195 	} while (cur < end && !ndisc_is_useropt(cur));
196 	return cur <= end && ndisc_is_useropt(cur) ? cur : NULL;
197 }
198 
199 struct ndisc_options *ndisc_parse_options(u8 *opt, int opt_len,
200 					  struct ndisc_options *ndopts)
201 {
202 	struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)opt;
203 
204 	if (!nd_opt || opt_len < 0 || !ndopts)
205 		return NULL;
206 	memset(ndopts, 0, sizeof(*ndopts));
207 	while (opt_len) {
208 		int l;
209 		if (opt_len < sizeof(struct nd_opt_hdr))
210 			return NULL;
211 		l = nd_opt->nd_opt_len << 3;
212 		if (opt_len < l || l == 0)
213 			return NULL;
214 		switch (nd_opt->nd_opt_type) {
215 		case ND_OPT_SOURCE_LL_ADDR:
216 		case ND_OPT_TARGET_LL_ADDR:
217 		case ND_OPT_MTU:
218 		case ND_OPT_REDIRECT_HDR:
219 			if (ndopts->nd_opt_array[nd_opt->nd_opt_type]) {
220 				ND_PRINTK(2, warn,
221 					  "%s: duplicated ND6 option found: type=%d\n",
222 					  __func__, nd_opt->nd_opt_type);
223 			} else {
224 				ndopts->nd_opt_array[nd_opt->nd_opt_type] = nd_opt;
225 			}
226 			break;
227 		case ND_OPT_PREFIX_INFO:
228 			ndopts->nd_opts_pi_end = nd_opt;
229 			if (!ndopts->nd_opt_array[nd_opt->nd_opt_type])
230 				ndopts->nd_opt_array[nd_opt->nd_opt_type] = nd_opt;
231 			break;
232 #ifdef CONFIG_IPV6_ROUTE_INFO
233 		case ND_OPT_ROUTE_INFO:
234 			ndopts->nd_opts_ri_end = nd_opt;
235 			if (!ndopts->nd_opts_ri)
236 				ndopts->nd_opts_ri = nd_opt;
237 			break;
238 #endif
239 		default:
240 			if (ndisc_is_useropt(nd_opt)) {
241 				ndopts->nd_useropts_end = nd_opt;
242 				if (!ndopts->nd_useropts)
243 					ndopts->nd_useropts = nd_opt;
244 			} else {
245 				/*
246 				 * Unknown options must be silently ignored,
247 				 * to accommodate future extension to the
248 				 * protocol.
249 				 */
250 				ND_PRINTK(2, notice,
251 					  "%s: ignored unsupported option; type=%d, len=%d\n",
252 					  __func__,
253 					  nd_opt->nd_opt_type,
254 					  nd_opt->nd_opt_len);
255 			}
256 		}
257 		opt_len -= l;
258 		nd_opt = ((void *)nd_opt) + l;
259 	}
260 	return ndopts;
261 }
262 
263 int ndisc_mc_map(const struct in6_addr *addr, char *buf, struct net_device *dev, int dir)
264 {
265 	switch (dev->type) {
266 	case ARPHRD_ETHER:
267 	case ARPHRD_IEEE802:	/* Not sure. Check it later. --ANK */
268 	case ARPHRD_FDDI:
269 		ipv6_eth_mc_map(addr, buf);
270 		return 0;
271 	case ARPHRD_ARCNET:
272 		ipv6_arcnet_mc_map(addr, buf);
273 		return 0;
274 	case ARPHRD_INFINIBAND:
275 		ipv6_ib_mc_map(addr, dev->broadcast, buf);
276 		return 0;
277 	case ARPHRD_IPGRE:
278 		return ipv6_ipgre_mc_map(addr, dev->broadcast, buf);
279 	default:
280 		if (dir) {
281 			memcpy(buf, dev->broadcast, dev->addr_len);
282 			return 0;
283 		}
284 	}
285 	return -EINVAL;
286 }
287 EXPORT_SYMBOL(ndisc_mc_map);
288 
289 static u32 ndisc_hash(const void *pkey,
290 		      const struct net_device *dev,
291 		      __u32 *hash_rnd)
292 {
293 	return ndisc_hashfn(pkey, dev, hash_rnd);
294 }
295 
296 static int ndisc_constructor(struct neighbour *neigh)
297 {
298 	struct in6_addr *addr = (struct in6_addr *)&neigh->primary_key;
299 	struct net_device *dev = neigh->dev;
300 	struct inet6_dev *in6_dev;
301 	struct neigh_parms *parms;
302 	bool is_multicast = ipv6_addr_is_multicast(addr);
303 
304 	in6_dev = in6_dev_get(dev);
305 	if (in6_dev == NULL) {
306 		return -EINVAL;
307 	}
308 
309 	parms = in6_dev->nd_parms;
310 	__neigh_parms_put(neigh->parms);
311 	neigh->parms = neigh_parms_clone(parms);
312 
313 	neigh->type = is_multicast ? RTN_MULTICAST : RTN_UNICAST;
314 	if (!dev->header_ops) {
315 		neigh->nud_state = NUD_NOARP;
316 		neigh->ops = &ndisc_direct_ops;
317 		neigh->output = neigh_direct_output;
318 	} else {
319 		if (is_multicast) {
320 			neigh->nud_state = NUD_NOARP;
321 			ndisc_mc_map(addr, neigh->ha, dev, 1);
322 		} else if (dev->flags&(IFF_NOARP|IFF_LOOPBACK)) {
323 			neigh->nud_state = NUD_NOARP;
324 			memcpy(neigh->ha, dev->dev_addr, dev->addr_len);
325 			if (dev->flags&IFF_LOOPBACK)
326 				neigh->type = RTN_LOCAL;
327 		} else if (dev->flags&IFF_POINTOPOINT) {
328 			neigh->nud_state = NUD_NOARP;
329 			memcpy(neigh->ha, dev->broadcast, dev->addr_len);
330 		}
331 		if (dev->header_ops->cache)
332 			neigh->ops = &ndisc_hh_ops;
333 		else
334 			neigh->ops = &ndisc_generic_ops;
335 		if (neigh->nud_state&NUD_VALID)
336 			neigh->output = neigh->ops->connected_output;
337 		else
338 			neigh->output = neigh->ops->output;
339 	}
340 	in6_dev_put(in6_dev);
341 	return 0;
342 }
343 
344 static int pndisc_constructor(struct pneigh_entry *n)
345 {
346 	struct in6_addr *addr = (struct in6_addr *)&n->key;
347 	struct in6_addr maddr;
348 	struct net_device *dev = n->dev;
349 
350 	if (dev == NULL || __in6_dev_get(dev) == NULL)
351 		return -EINVAL;
352 	addrconf_addr_solict_mult(addr, &maddr);
353 	ipv6_dev_mc_inc(dev, &maddr);
354 	return 0;
355 }
356 
357 static void pndisc_destructor(struct pneigh_entry *n)
358 {
359 	struct in6_addr *addr = (struct in6_addr *)&n->key;
360 	struct in6_addr maddr;
361 	struct net_device *dev = n->dev;
362 
363 	if (dev == NULL || __in6_dev_get(dev) == NULL)
364 		return;
365 	addrconf_addr_solict_mult(addr, &maddr);
366 	ipv6_dev_mc_dec(dev, &maddr);
367 }
368 
369 static struct sk_buff *ndisc_alloc_skb(struct net_device *dev,
370 				       int len)
371 {
372 	int hlen = LL_RESERVED_SPACE(dev);
373 	int tlen = dev->needed_tailroom;
374 	struct sock *sk = dev_net(dev)->ipv6.ndisc_sk;
375 	struct sk_buff *skb;
376 
377 	skb = alloc_skb(hlen + sizeof(struct ipv6hdr) + len + tlen, GFP_ATOMIC);
378 	if (!skb) {
379 		ND_PRINTK(0, err, "ndisc: %s failed to allocate an skb\n",
380 			  __func__);
381 		return NULL;
382 	}
383 
384 	skb->protocol = htons(ETH_P_IPV6);
385 	skb->dev = dev;
386 
387 	skb_reserve(skb, hlen + sizeof(struct ipv6hdr));
388 	skb_reset_transport_header(skb);
389 
390 	/* Manually assign socket ownership as we avoid calling
391 	 * sock_alloc_send_pskb() to bypass wmem buffer limits
392 	 */
393 	skb_set_owner_w(skb, sk);
394 
395 	return skb;
396 }
397 
398 static void ip6_nd_hdr(struct sk_buff *skb,
399 		       const struct in6_addr *saddr,
400 		       const struct in6_addr *daddr,
401 		       int hop_limit, int len)
402 {
403 	struct ipv6hdr *hdr;
404 
405 	skb_push(skb, sizeof(*hdr));
406 	skb_reset_network_header(skb);
407 	hdr = ipv6_hdr(skb);
408 
409 	ip6_flow_hdr(hdr, 0, 0);
410 
411 	hdr->payload_len = htons(len);
412 	hdr->nexthdr = IPPROTO_ICMPV6;
413 	hdr->hop_limit = hop_limit;
414 
415 	hdr->saddr = *saddr;
416 	hdr->daddr = *daddr;
417 }
418 
419 static void ndisc_send_skb(struct sk_buff *skb,
420 			   const struct in6_addr *daddr,
421 			   const struct in6_addr *saddr)
422 {
423 	struct dst_entry *dst = skb_dst(skb);
424 	struct net *net = dev_net(skb->dev);
425 	struct sock *sk = net->ipv6.ndisc_sk;
426 	struct inet6_dev *idev;
427 	int err;
428 	struct icmp6hdr *icmp6h = icmp6_hdr(skb);
429 	u8 type;
430 
431 	type = icmp6h->icmp6_type;
432 
433 	if (!dst) {
434 		struct flowi6 fl6;
435 
436 		icmpv6_flow_init(sk, &fl6, type, saddr, daddr, skb->dev->ifindex);
437 		dst = icmp6_dst_alloc(skb->dev, &fl6);
438 		if (IS_ERR(dst)) {
439 			kfree_skb(skb);
440 			return;
441 		}
442 
443 		skb_dst_set(skb, dst);
444 	}
445 
446 	icmp6h->icmp6_cksum = csum_ipv6_magic(saddr, daddr, skb->len,
447 					      IPPROTO_ICMPV6,
448 					      csum_partial(icmp6h,
449 							   skb->len, 0));
450 
451 	ip6_nd_hdr(skb, saddr, daddr, inet6_sk(sk)->hop_limit, skb->len);
452 
453 	rcu_read_lock();
454 	idev = __in6_dev_get(dst->dev);
455 	IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len);
456 
457 	err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL, dst->dev,
458 		      dst_output);
459 	if (!err) {
460 		ICMP6MSGOUT_INC_STATS(net, idev, type);
461 		ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS);
462 	}
463 
464 	rcu_read_unlock();
465 }
466 
467 void ndisc_send_na(struct net_device *dev, struct neighbour *neigh,
468 		   const struct in6_addr *daddr,
469 		   const struct in6_addr *solicited_addr,
470 		   bool router, bool solicited, bool override, bool inc_opt)
471 {
472 	struct sk_buff *skb;
473 	struct in6_addr tmpaddr;
474 	struct inet6_ifaddr *ifp;
475 	const struct in6_addr *src_addr;
476 	struct nd_msg *msg;
477 	int optlen = 0;
478 
479 	/* for anycast or proxy, solicited_addr != src_addr */
480 	ifp = ipv6_get_ifaddr(dev_net(dev), solicited_addr, dev, 1);
481 	if (ifp) {
482 		src_addr = solicited_addr;
483 		if (ifp->flags & IFA_F_OPTIMISTIC)
484 			override = false;
485 		inc_opt |= ifp->idev->cnf.force_tllao;
486 		in6_ifa_put(ifp);
487 	} else {
488 		if (ipv6_dev_get_saddr(dev_net(dev), dev, daddr,
489 				       inet6_sk(dev_net(dev)->ipv6.ndisc_sk)->srcprefs,
490 				       &tmpaddr))
491 			return;
492 		src_addr = &tmpaddr;
493 	}
494 
495 	if (!dev->addr_len)
496 		inc_opt = 0;
497 	if (inc_opt)
498 		optlen += ndisc_opt_addr_space(dev);
499 
500 	skb = ndisc_alloc_skb(dev, sizeof(*msg) + optlen);
501 	if (!skb)
502 		return;
503 
504 	msg = (struct nd_msg *)skb_put(skb, sizeof(*msg));
505 	*msg = (struct nd_msg) {
506 		.icmph = {
507 			.icmp6_type = NDISC_NEIGHBOUR_ADVERTISEMENT,
508 			.icmp6_router = router,
509 			.icmp6_solicited = solicited,
510 			.icmp6_override = override,
511 		},
512 		.target = *solicited_addr,
513 	};
514 
515 	if (inc_opt)
516 		ndisc_fill_addr_option(skb, ND_OPT_TARGET_LL_ADDR,
517 				       dev->dev_addr);
518 
519 
520 	ndisc_send_skb(skb, daddr, src_addr);
521 }
522 
523 static void ndisc_send_unsol_na(struct net_device *dev)
524 {
525 	struct inet6_dev *idev;
526 	struct inet6_ifaddr *ifa;
527 
528 	idev = in6_dev_get(dev);
529 	if (!idev)
530 		return;
531 
532 	read_lock_bh(&idev->lock);
533 	list_for_each_entry(ifa, &idev->addr_list, if_list) {
534 		ndisc_send_na(dev, NULL, &in6addr_linklocal_allnodes, &ifa->addr,
535 			      /*router=*/ !!idev->cnf.forwarding,
536 			      /*solicited=*/ false, /*override=*/ true,
537 			      /*inc_opt=*/ true);
538 	}
539 	read_unlock_bh(&idev->lock);
540 
541 	in6_dev_put(idev);
542 }
543 
544 void ndisc_send_ns(struct net_device *dev, struct neighbour *neigh,
545 		   const struct in6_addr *solicit,
546 		   const struct in6_addr *daddr, const struct in6_addr *saddr)
547 {
548 	struct sk_buff *skb;
549 	struct in6_addr addr_buf;
550 	int inc_opt = dev->addr_len;
551 	int optlen = 0;
552 	struct nd_msg *msg;
553 
554 	if (saddr == NULL) {
555 		if (ipv6_get_lladdr(dev, &addr_buf,
556 				   (IFA_F_TENTATIVE|IFA_F_OPTIMISTIC)))
557 			return;
558 		saddr = &addr_buf;
559 	}
560 
561 	if (ipv6_addr_any(saddr))
562 		inc_opt = false;
563 	if (inc_opt)
564 		optlen += ndisc_opt_addr_space(dev);
565 
566 	skb = ndisc_alloc_skb(dev, sizeof(*msg) + optlen);
567 	if (!skb)
568 		return;
569 
570 	msg = (struct nd_msg *)skb_put(skb, sizeof(*msg));
571 	*msg = (struct nd_msg) {
572 		.icmph = {
573 			.icmp6_type = NDISC_NEIGHBOUR_SOLICITATION,
574 		},
575 		.target = *solicit,
576 	};
577 
578 	if (inc_opt)
579 		ndisc_fill_addr_option(skb, ND_OPT_SOURCE_LL_ADDR,
580 				       dev->dev_addr);
581 
582 	ndisc_send_skb(skb, daddr, saddr);
583 }
584 
585 void ndisc_send_rs(struct net_device *dev, const struct in6_addr *saddr,
586 		   const struct in6_addr *daddr)
587 {
588 	struct sk_buff *skb;
589 	struct rs_msg *msg;
590 	int send_sllao = dev->addr_len;
591 	int optlen = 0;
592 
593 #ifdef CONFIG_IPV6_OPTIMISTIC_DAD
594 	/*
595 	 * According to section 2.2 of RFC 4429, we must not
596 	 * send router solicitations with a sllao from
597 	 * optimistic addresses, but we may send the solicitation
598 	 * if we don't include the sllao.  So here we check
599 	 * if our address is optimistic, and if so, we
600 	 * suppress the inclusion of the sllao.
601 	 */
602 	if (send_sllao) {
603 		struct inet6_ifaddr *ifp = ipv6_get_ifaddr(dev_net(dev), saddr,
604 							   dev, 1);
605 		if (ifp) {
606 			if (ifp->flags & IFA_F_OPTIMISTIC)  {
607 				send_sllao = 0;
608 			}
609 			in6_ifa_put(ifp);
610 		} else {
611 			send_sllao = 0;
612 		}
613 	}
614 #endif
615 	if (send_sllao)
616 		optlen += ndisc_opt_addr_space(dev);
617 
618 	skb = ndisc_alloc_skb(dev, sizeof(*msg) + optlen);
619 	if (!skb)
620 		return;
621 
622 	msg = (struct rs_msg *)skb_put(skb, sizeof(*msg));
623 	*msg = (struct rs_msg) {
624 		.icmph = {
625 			.icmp6_type = NDISC_ROUTER_SOLICITATION,
626 		},
627 	};
628 
629 	if (send_sllao)
630 		ndisc_fill_addr_option(skb, ND_OPT_SOURCE_LL_ADDR,
631 				       dev->dev_addr);
632 
633 	ndisc_send_skb(skb, daddr, saddr);
634 }
635 
636 
637 static void ndisc_error_report(struct neighbour *neigh, struct sk_buff *skb)
638 {
639 	/*
640 	 *	"The sender MUST return an ICMP
641 	 *	 destination unreachable"
642 	 */
643 	dst_link_failure(skb);
644 	kfree_skb(skb);
645 }
646 
647 /* Called with locked neigh: either read or both */
648 
649 static void ndisc_solicit(struct neighbour *neigh, struct sk_buff *skb)
650 {
651 	struct in6_addr *saddr = NULL;
652 	struct in6_addr mcaddr;
653 	struct net_device *dev = neigh->dev;
654 	struct in6_addr *target = (struct in6_addr *)&neigh->primary_key;
655 	int probes = atomic_read(&neigh->probes);
656 
657 	if (skb && ipv6_chk_addr(dev_net(dev), &ipv6_hdr(skb)->saddr, dev, 1))
658 		saddr = &ipv6_hdr(skb)->saddr;
659 
660 	if ((probes -= NEIGH_VAR(neigh->parms, UCAST_PROBES)) < 0) {
661 		if (!(neigh->nud_state & NUD_VALID)) {
662 			ND_PRINTK(1, dbg,
663 				  "%s: trying to ucast probe in NUD_INVALID: %pI6\n",
664 				  __func__, target);
665 		}
666 		ndisc_send_ns(dev, neigh, target, target, saddr);
667 	} else if ((probes -= NEIGH_VAR(neigh->parms, APP_PROBES)) < 0) {
668 		neigh_app_ns(neigh);
669 	} else {
670 		addrconf_addr_solict_mult(target, &mcaddr);
671 		ndisc_send_ns(dev, NULL, target, &mcaddr, saddr);
672 	}
673 }
674 
675 static int pndisc_is_router(const void *pkey,
676 			    struct net_device *dev)
677 {
678 	struct pneigh_entry *n;
679 	int ret = -1;
680 
681 	read_lock_bh(&nd_tbl.lock);
682 	n = __pneigh_lookup(&nd_tbl, dev_net(dev), pkey, dev);
683 	if (n)
684 		ret = !!(n->flags & NTF_ROUTER);
685 	read_unlock_bh(&nd_tbl.lock);
686 
687 	return ret;
688 }
689 
690 static void ndisc_recv_ns(struct sk_buff *skb)
691 {
692 	struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
693 	const struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
694 	const struct in6_addr *daddr = &ipv6_hdr(skb)->daddr;
695 	u8 *lladdr = NULL;
696 	u32 ndoptlen = skb_tail_pointer(skb) - (skb_transport_header(skb) +
697 				    offsetof(struct nd_msg, opt));
698 	struct ndisc_options ndopts;
699 	struct net_device *dev = skb->dev;
700 	struct inet6_ifaddr *ifp;
701 	struct inet6_dev *idev = NULL;
702 	struct neighbour *neigh;
703 	int dad = ipv6_addr_any(saddr);
704 	bool inc;
705 	int is_router = -1;
706 
707 	if (skb->len < sizeof(struct nd_msg)) {
708 		ND_PRINTK(2, warn, "NS: packet too short\n");
709 		return;
710 	}
711 
712 	if (ipv6_addr_is_multicast(&msg->target)) {
713 		ND_PRINTK(2, warn, "NS: multicast target address\n");
714 		return;
715 	}
716 
717 	/*
718 	 * RFC2461 7.1.1:
719 	 * DAD has to be destined for solicited node multicast address.
720 	 */
721 	if (dad && !ipv6_addr_is_solict_mult(daddr)) {
722 		ND_PRINTK(2, warn, "NS: bad DAD packet (wrong destination)\n");
723 		return;
724 	}
725 
726 	if (!ndisc_parse_options(msg->opt, ndoptlen, &ndopts)) {
727 		ND_PRINTK(2, warn, "NS: invalid ND options\n");
728 		return;
729 	}
730 
731 	if (ndopts.nd_opts_src_lladdr) {
732 		lladdr = ndisc_opt_addr_data(ndopts.nd_opts_src_lladdr, dev);
733 		if (!lladdr) {
734 			ND_PRINTK(2, warn,
735 				  "NS: invalid link-layer address length\n");
736 			return;
737 		}
738 
739 		/* RFC2461 7.1.1:
740 		 *	If the IP source address is the unspecified address,
741 		 *	there MUST NOT be source link-layer address option
742 		 *	in the message.
743 		 */
744 		if (dad) {
745 			ND_PRINTK(2, warn,
746 				  "NS: bad DAD packet (link-layer address option)\n");
747 			return;
748 		}
749 	}
750 
751 	inc = ipv6_addr_is_multicast(daddr);
752 
753 	ifp = ipv6_get_ifaddr(dev_net(dev), &msg->target, dev, 1);
754 	if (ifp) {
755 
756 		if (ifp->flags & (IFA_F_TENTATIVE|IFA_F_OPTIMISTIC)) {
757 			if (dad) {
758 				/*
759 				 * We are colliding with another node
760 				 * who is doing DAD
761 				 * so fail our DAD process
762 				 */
763 				addrconf_dad_failure(ifp);
764 				return;
765 			} else {
766 				/*
767 				 * This is not a dad solicitation.
768 				 * If we are an optimistic node,
769 				 * we should respond.
770 				 * Otherwise, we should ignore it.
771 				 */
772 				if (!(ifp->flags & IFA_F_OPTIMISTIC))
773 					goto out;
774 			}
775 		}
776 
777 		idev = ifp->idev;
778 	} else {
779 		struct net *net = dev_net(dev);
780 
781 		idev = in6_dev_get(dev);
782 		if (!idev) {
783 			/* XXX: count this drop? */
784 			return;
785 		}
786 
787 		if (ipv6_chk_acast_addr(net, dev, &msg->target) ||
788 		    (idev->cnf.forwarding &&
789 		     (net->ipv6.devconf_all->proxy_ndp || idev->cnf.proxy_ndp) &&
790 		     (is_router = pndisc_is_router(&msg->target, dev)) >= 0)) {
791 			if (!(NEIGH_CB(skb)->flags & LOCALLY_ENQUEUED) &&
792 			    skb->pkt_type != PACKET_HOST &&
793 			    inc &&
794 			    NEIGH_VAR(idev->nd_parms, PROXY_DELAY) != 0) {
795 				/*
796 				 * for anycast or proxy,
797 				 * sender should delay its response
798 				 * by a random time between 0 and
799 				 * MAX_ANYCAST_DELAY_TIME seconds.
800 				 * (RFC2461) -- yoshfuji
801 				 */
802 				struct sk_buff *n = skb_clone(skb, GFP_ATOMIC);
803 				if (n)
804 					pneigh_enqueue(&nd_tbl, idev->nd_parms, n);
805 				goto out;
806 			}
807 		} else
808 			goto out;
809 	}
810 
811 	if (is_router < 0)
812 		is_router = idev->cnf.forwarding;
813 
814 	if (dad) {
815 		ndisc_send_na(dev, NULL, &in6addr_linklocal_allnodes, &msg->target,
816 			      !!is_router, false, (ifp != NULL), true);
817 		goto out;
818 	}
819 
820 	if (inc)
821 		NEIGH_CACHE_STAT_INC(&nd_tbl, rcv_probes_mcast);
822 	else
823 		NEIGH_CACHE_STAT_INC(&nd_tbl, rcv_probes_ucast);
824 
825 	/*
826 	 *	update / create cache entry
827 	 *	for the source address
828 	 */
829 	neigh = __neigh_lookup(&nd_tbl, saddr, dev,
830 			       !inc || lladdr || !dev->addr_len);
831 	if (neigh)
832 		neigh_update(neigh, lladdr, NUD_STALE,
833 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
834 			     NEIGH_UPDATE_F_OVERRIDE);
835 	if (neigh || !dev->header_ops) {
836 		ndisc_send_na(dev, neigh, saddr, &msg->target,
837 			      !!is_router,
838 			      true, (ifp != NULL && inc), inc);
839 		if (neigh)
840 			neigh_release(neigh);
841 	}
842 
843 out:
844 	if (ifp)
845 		in6_ifa_put(ifp);
846 	else
847 		in6_dev_put(idev);
848 }
849 
850 static void ndisc_recv_na(struct sk_buff *skb)
851 {
852 	struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
853 	struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
854 	const struct in6_addr *daddr = &ipv6_hdr(skb)->daddr;
855 	u8 *lladdr = NULL;
856 	u32 ndoptlen = skb_tail_pointer(skb) - (skb_transport_header(skb) +
857 				    offsetof(struct nd_msg, opt));
858 	struct ndisc_options ndopts;
859 	struct net_device *dev = skb->dev;
860 	struct inet6_ifaddr *ifp;
861 	struct neighbour *neigh;
862 
863 	if (skb->len < sizeof(struct nd_msg)) {
864 		ND_PRINTK(2, warn, "NA: packet too short\n");
865 		return;
866 	}
867 
868 	if (ipv6_addr_is_multicast(&msg->target)) {
869 		ND_PRINTK(2, warn, "NA: target address is multicast\n");
870 		return;
871 	}
872 
873 	if (ipv6_addr_is_multicast(daddr) &&
874 	    msg->icmph.icmp6_solicited) {
875 		ND_PRINTK(2, warn, "NA: solicited NA is multicasted\n");
876 		return;
877 	}
878 
879 	if (!ndisc_parse_options(msg->opt, ndoptlen, &ndopts)) {
880 		ND_PRINTK(2, warn, "NS: invalid ND option\n");
881 		return;
882 	}
883 	if (ndopts.nd_opts_tgt_lladdr) {
884 		lladdr = ndisc_opt_addr_data(ndopts.nd_opts_tgt_lladdr, dev);
885 		if (!lladdr) {
886 			ND_PRINTK(2, warn,
887 				  "NA: invalid link-layer address length\n");
888 			return;
889 		}
890 	}
891 	ifp = ipv6_get_ifaddr(dev_net(dev), &msg->target, dev, 1);
892 	if (ifp) {
893 		if (skb->pkt_type != PACKET_LOOPBACK
894 		    && (ifp->flags & IFA_F_TENTATIVE)) {
895 				addrconf_dad_failure(ifp);
896 				return;
897 		}
898 		/* What should we make now? The advertisement
899 		   is invalid, but ndisc specs say nothing
900 		   about it. It could be misconfiguration, or
901 		   an smart proxy agent tries to help us :-)
902 
903 		   We should not print the error if NA has been
904 		   received from loopback - it is just our own
905 		   unsolicited advertisement.
906 		 */
907 		if (skb->pkt_type != PACKET_LOOPBACK)
908 			ND_PRINTK(1, warn,
909 				  "NA: someone advertises our address %pI6 on %s!\n",
910 				  &ifp->addr, ifp->idev->dev->name);
911 		in6_ifa_put(ifp);
912 		return;
913 	}
914 	neigh = neigh_lookup(&nd_tbl, &msg->target, dev);
915 
916 	if (neigh) {
917 		u8 old_flags = neigh->flags;
918 		struct net *net = dev_net(dev);
919 
920 		if (neigh->nud_state & NUD_FAILED)
921 			goto out;
922 
923 		/*
924 		 * Don't update the neighbor cache entry on a proxy NA from
925 		 * ourselves because either the proxied node is off link or it
926 		 * has already sent a NA to us.
927 		 */
928 		if (lladdr && !memcmp(lladdr, dev->dev_addr, dev->addr_len) &&
929 		    net->ipv6.devconf_all->forwarding && net->ipv6.devconf_all->proxy_ndp &&
930 		    pneigh_lookup(&nd_tbl, net, &msg->target, dev, 0)) {
931 			/* XXX: idev->cnf.proxy_ndp */
932 			goto out;
933 		}
934 
935 		neigh_update(neigh, lladdr,
936 			     msg->icmph.icmp6_solicited ? NUD_REACHABLE : NUD_STALE,
937 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
938 			     (msg->icmph.icmp6_override ? NEIGH_UPDATE_F_OVERRIDE : 0)|
939 			     NEIGH_UPDATE_F_OVERRIDE_ISROUTER|
940 			     (msg->icmph.icmp6_router ? NEIGH_UPDATE_F_ISROUTER : 0));
941 
942 		if ((old_flags & ~neigh->flags) & NTF_ROUTER) {
943 			/*
944 			 * Change: router to host
945 			 */
946 			rt6_clean_tohost(dev_net(dev),  saddr);
947 		}
948 
949 out:
950 		neigh_release(neigh);
951 	}
952 }
953 
954 static void ndisc_recv_rs(struct sk_buff *skb)
955 {
956 	struct rs_msg *rs_msg = (struct rs_msg *)skb_transport_header(skb);
957 	unsigned long ndoptlen = skb->len - sizeof(*rs_msg);
958 	struct neighbour *neigh;
959 	struct inet6_dev *idev;
960 	const struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
961 	struct ndisc_options ndopts;
962 	u8 *lladdr = NULL;
963 
964 	if (skb->len < sizeof(*rs_msg))
965 		return;
966 
967 	idev = __in6_dev_get(skb->dev);
968 	if (!idev) {
969 		ND_PRINTK(1, err, "RS: can't find in6 device\n");
970 		return;
971 	}
972 
973 	/* Don't accept RS if we're not in router mode */
974 	if (!idev->cnf.forwarding)
975 		goto out;
976 
977 	/*
978 	 * Don't update NCE if src = ::;
979 	 * this implies that the source node has no ip address assigned yet.
980 	 */
981 	if (ipv6_addr_any(saddr))
982 		goto out;
983 
984 	/* Parse ND options */
985 	if (!ndisc_parse_options(rs_msg->opt, ndoptlen, &ndopts)) {
986 		ND_PRINTK(2, notice, "NS: invalid ND option, ignored\n");
987 		goto out;
988 	}
989 
990 	if (ndopts.nd_opts_src_lladdr) {
991 		lladdr = ndisc_opt_addr_data(ndopts.nd_opts_src_lladdr,
992 					     skb->dev);
993 		if (!lladdr)
994 			goto out;
995 	}
996 
997 	neigh = __neigh_lookup(&nd_tbl, saddr, skb->dev, 1);
998 	if (neigh) {
999 		neigh_update(neigh, lladdr, NUD_STALE,
1000 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
1001 			     NEIGH_UPDATE_F_OVERRIDE|
1002 			     NEIGH_UPDATE_F_OVERRIDE_ISROUTER);
1003 		neigh_release(neigh);
1004 	}
1005 out:
1006 	return;
1007 }
1008 
1009 static void ndisc_ra_useropt(struct sk_buff *ra, struct nd_opt_hdr *opt)
1010 {
1011 	struct icmp6hdr *icmp6h = (struct icmp6hdr *)skb_transport_header(ra);
1012 	struct sk_buff *skb;
1013 	struct nlmsghdr *nlh;
1014 	struct nduseroptmsg *ndmsg;
1015 	struct net *net = dev_net(ra->dev);
1016 	int err;
1017 	int base_size = NLMSG_ALIGN(sizeof(struct nduseroptmsg)
1018 				    + (opt->nd_opt_len << 3));
1019 	size_t msg_size = base_size + nla_total_size(sizeof(struct in6_addr));
1020 
1021 	skb = nlmsg_new(msg_size, GFP_ATOMIC);
1022 	if (skb == NULL) {
1023 		err = -ENOBUFS;
1024 		goto errout;
1025 	}
1026 
1027 	nlh = nlmsg_put(skb, 0, 0, RTM_NEWNDUSEROPT, base_size, 0);
1028 	if (nlh == NULL) {
1029 		goto nla_put_failure;
1030 	}
1031 
1032 	ndmsg = nlmsg_data(nlh);
1033 	ndmsg->nduseropt_family = AF_INET6;
1034 	ndmsg->nduseropt_ifindex = ra->dev->ifindex;
1035 	ndmsg->nduseropt_icmp_type = icmp6h->icmp6_type;
1036 	ndmsg->nduseropt_icmp_code = icmp6h->icmp6_code;
1037 	ndmsg->nduseropt_opts_len = opt->nd_opt_len << 3;
1038 
1039 	memcpy(ndmsg + 1, opt, opt->nd_opt_len << 3);
1040 
1041 	if (nla_put(skb, NDUSEROPT_SRCADDR, sizeof(struct in6_addr),
1042 		    &ipv6_hdr(ra)->saddr))
1043 		goto nla_put_failure;
1044 	nlmsg_end(skb, nlh);
1045 
1046 	rtnl_notify(skb, net, 0, RTNLGRP_ND_USEROPT, NULL, GFP_ATOMIC);
1047 	return;
1048 
1049 nla_put_failure:
1050 	nlmsg_free(skb);
1051 	err = -EMSGSIZE;
1052 errout:
1053 	rtnl_set_sk_err(net, RTNLGRP_ND_USEROPT, err);
1054 }
1055 
1056 static void ndisc_router_discovery(struct sk_buff *skb)
1057 {
1058 	struct ra_msg *ra_msg = (struct ra_msg *)skb_transport_header(skb);
1059 	struct neighbour *neigh = NULL;
1060 	struct inet6_dev *in6_dev;
1061 	struct rt6_info *rt = NULL;
1062 	int lifetime;
1063 	struct ndisc_options ndopts;
1064 	int optlen;
1065 	unsigned int pref = 0;
1066 
1067 	__u8 *opt = (__u8 *)(ra_msg + 1);
1068 
1069 	optlen = (skb_tail_pointer(skb) - skb_transport_header(skb)) -
1070 		sizeof(struct ra_msg);
1071 
1072 	ND_PRINTK(2, info,
1073 		  "RA: %s, dev: %s\n",
1074 		  __func__, skb->dev->name);
1075 	if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL)) {
1076 		ND_PRINTK(2, warn, "RA: source address is not link-local\n");
1077 		return;
1078 	}
1079 	if (optlen < 0) {
1080 		ND_PRINTK(2, warn, "RA: packet too short\n");
1081 		return;
1082 	}
1083 
1084 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1085 	if (skb->ndisc_nodetype == NDISC_NODETYPE_HOST) {
1086 		ND_PRINTK(2, warn, "RA: from host or unauthorized router\n");
1087 		return;
1088 	}
1089 #endif
1090 
1091 	/*
1092 	 *	set the RA_RECV flag in the interface
1093 	 */
1094 
1095 	in6_dev = __in6_dev_get(skb->dev);
1096 	if (in6_dev == NULL) {
1097 		ND_PRINTK(0, err, "RA: can't find inet6 device for %s\n",
1098 			  skb->dev->name);
1099 		return;
1100 	}
1101 
1102 	if (!ndisc_parse_options(opt, optlen, &ndopts)) {
1103 		ND_PRINTK(2, warn, "RA: invalid ND options\n");
1104 		return;
1105 	}
1106 
1107 	if (!ipv6_accept_ra(in6_dev)) {
1108 		ND_PRINTK(2, info,
1109 			  "RA: %s, did not accept ra for dev: %s\n",
1110 			  __func__, skb->dev->name);
1111 		goto skip_linkparms;
1112 	}
1113 
1114 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1115 	/* skip link-specific parameters from interior routers */
1116 	if (skb->ndisc_nodetype == NDISC_NODETYPE_NODEFAULT) {
1117 		ND_PRINTK(2, info,
1118 			  "RA: %s, nodetype is NODEFAULT, dev: %s\n",
1119 			  __func__, skb->dev->name);
1120 		goto skip_linkparms;
1121 	}
1122 #endif
1123 
1124 	if (in6_dev->if_flags & IF_RS_SENT) {
1125 		/*
1126 		 *	flag that an RA was received after an RS was sent
1127 		 *	out on this interface.
1128 		 */
1129 		in6_dev->if_flags |= IF_RA_RCVD;
1130 	}
1131 
1132 	/*
1133 	 * Remember the managed/otherconf flags from most recently
1134 	 * received RA message (RFC 2462) -- yoshfuji
1135 	 */
1136 	in6_dev->if_flags = (in6_dev->if_flags & ~(IF_RA_MANAGED |
1137 				IF_RA_OTHERCONF)) |
1138 				(ra_msg->icmph.icmp6_addrconf_managed ?
1139 					IF_RA_MANAGED : 0) |
1140 				(ra_msg->icmph.icmp6_addrconf_other ?
1141 					IF_RA_OTHERCONF : 0);
1142 
1143 	if (!in6_dev->cnf.accept_ra_defrtr) {
1144 		ND_PRINTK(2, info,
1145 			  "RA: %s, defrtr is false for dev: %s\n",
1146 			  __func__, skb->dev->name);
1147 		goto skip_defrtr;
1148 	}
1149 
1150 	/* Do not accept RA with source-addr found on local machine unless
1151 	 * accept_ra_from_local is set to true.
1152 	 */
1153 	if (!in6_dev->cnf.accept_ra_from_local &&
1154 	    ipv6_chk_addr(dev_net(in6_dev->dev), &ipv6_hdr(skb)->saddr,
1155 			  NULL, 0)) {
1156 		ND_PRINTK(2, info,
1157 			  "RA from local address detected on dev: %s: default router ignored\n",
1158 			  skb->dev->name);
1159 		goto skip_defrtr;
1160 	}
1161 
1162 	lifetime = ntohs(ra_msg->icmph.icmp6_rt_lifetime);
1163 
1164 #ifdef CONFIG_IPV6_ROUTER_PREF
1165 	pref = ra_msg->icmph.icmp6_router_pref;
1166 	/* 10b is handled as if it were 00b (medium) */
1167 	if (pref == ICMPV6_ROUTER_PREF_INVALID ||
1168 	    !in6_dev->cnf.accept_ra_rtr_pref)
1169 		pref = ICMPV6_ROUTER_PREF_MEDIUM;
1170 #endif
1171 
1172 	rt = rt6_get_dflt_router(&ipv6_hdr(skb)->saddr, skb->dev);
1173 
1174 	if (rt) {
1175 		neigh = dst_neigh_lookup(&rt->dst, &ipv6_hdr(skb)->saddr);
1176 		if (!neigh) {
1177 			ND_PRINTK(0, err,
1178 				  "RA: %s got default router without neighbour\n",
1179 				  __func__);
1180 			ip6_rt_put(rt);
1181 			return;
1182 		}
1183 	}
1184 	if (rt && lifetime == 0) {
1185 		ip6_del_rt(rt);
1186 		rt = NULL;
1187 	}
1188 
1189 	ND_PRINTK(3, info, "RA: rt: %p  lifetime: %d, for dev: %s\n",
1190 		  rt, lifetime, skb->dev->name);
1191 	if (rt == NULL && lifetime) {
1192 		ND_PRINTK(3, info, "RA: adding default router\n");
1193 
1194 		rt = rt6_add_dflt_router(&ipv6_hdr(skb)->saddr, skb->dev, pref);
1195 		if (rt == NULL) {
1196 			ND_PRINTK(0, err,
1197 				  "RA: %s failed to add default route\n",
1198 				  __func__);
1199 			return;
1200 		}
1201 
1202 		neigh = dst_neigh_lookup(&rt->dst, &ipv6_hdr(skb)->saddr);
1203 		if (neigh == NULL) {
1204 			ND_PRINTK(0, err,
1205 				  "RA: %s got default router without neighbour\n",
1206 				  __func__);
1207 			ip6_rt_put(rt);
1208 			return;
1209 		}
1210 		neigh->flags |= NTF_ROUTER;
1211 	} else if (rt) {
1212 		rt->rt6i_flags = (rt->rt6i_flags & ~RTF_PREF_MASK) | RTF_PREF(pref);
1213 	}
1214 
1215 	if (rt)
1216 		rt6_set_expires(rt, jiffies + (HZ * lifetime));
1217 	if (ra_msg->icmph.icmp6_hop_limit) {
1218 		in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
1219 		if (rt)
1220 			dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
1221 				       ra_msg->icmph.icmp6_hop_limit);
1222 	}
1223 
1224 skip_defrtr:
1225 
1226 	/*
1227 	 *	Update Reachable Time and Retrans Timer
1228 	 */
1229 
1230 	if (in6_dev->nd_parms) {
1231 		unsigned long rtime = ntohl(ra_msg->retrans_timer);
1232 
1233 		if (rtime && rtime/1000 < MAX_SCHEDULE_TIMEOUT/HZ) {
1234 			rtime = (rtime*HZ)/1000;
1235 			if (rtime < HZ/10)
1236 				rtime = HZ/10;
1237 			NEIGH_VAR_SET(in6_dev->nd_parms, RETRANS_TIME, rtime);
1238 			in6_dev->tstamp = jiffies;
1239 			inet6_ifinfo_notify(RTM_NEWLINK, in6_dev);
1240 		}
1241 
1242 		rtime = ntohl(ra_msg->reachable_time);
1243 		if (rtime && rtime/1000 < MAX_SCHEDULE_TIMEOUT/(3*HZ)) {
1244 			rtime = (rtime*HZ)/1000;
1245 
1246 			if (rtime < HZ/10)
1247 				rtime = HZ/10;
1248 
1249 			if (rtime != NEIGH_VAR(in6_dev->nd_parms, BASE_REACHABLE_TIME)) {
1250 				NEIGH_VAR_SET(in6_dev->nd_parms,
1251 					      BASE_REACHABLE_TIME, rtime);
1252 				NEIGH_VAR_SET(in6_dev->nd_parms,
1253 					      GC_STALETIME, 3 * rtime);
1254 				in6_dev->nd_parms->reachable_time = neigh_rand_reach_time(rtime);
1255 				in6_dev->tstamp = jiffies;
1256 				inet6_ifinfo_notify(RTM_NEWLINK, in6_dev);
1257 			}
1258 		}
1259 	}
1260 
1261 skip_linkparms:
1262 
1263 	/*
1264 	 *	Process options.
1265 	 */
1266 
1267 	if (!neigh)
1268 		neigh = __neigh_lookup(&nd_tbl, &ipv6_hdr(skb)->saddr,
1269 				       skb->dev, 1);
1270 	if (neigh) {
1271 		u8 *lladdr = NULL;
1272 		if (ndopts.nd_opts_src_lladdr) {
1273 			lladdr = ndisc_opt_addr_data(ndopts.nd_opts_src_lladdr,
1274 						     skb->dev);
1275 			if (!lladdr) {
1276 				ND_PRINTK(2, warn,
1277 					  "RA: invalid link-layer address length\n");
1278 				goto out;
1279 			}
1280 		}
1281 		neigh_update(neigh, lladdr, NUD_STALE,
1282 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
1283 			     NEIGH_UPDATE_F_OVERRIDE|
1284 			     NEIGH_UPDATE_F_OVERRIDE_ISROUTER|
1285 			     NEIGH_UPDATE_F_ISROUTER);
1286 	}
1287 
1288 	if (!ipv6_accept_ra(in6_dev)) {
1289 		ND_PRINTK(2, info,
1290 			  "RA: %s, accept_ra is false for dev: %s\n",
1291 			  __func__, skb->dev->name);
1292 		goto out;
1293 	}
1294 
1295 #ifdef CONFIG_IPV6_ROUTE_INFO
1296 	if (!in6_dev->cnf.accept_ra_from_local &&
1297 	    ipv6_chk_addr(dev_net(in6_dev->dev), &ipv6_hdr(skb)->saddr,
1298 			  NULL, 0)) {
1299 		ND_PRINTK(2, info,
1300 			  "RA from local address detected on dev: %s: router info ignored.\n",
1301 			  skb->dev->name);
1302 		goto skip_routeinfo;
1303 	}
1304 
1305 	if (in6_dev->cnf.accept_ra_rtr_pref && ndopts.nd_opts_ri) {
1306 		struct nd_opt_hdr *p;
1307 		for (p = ndopts.nd_opts_ri;
1308 		     p;
1309 		     p = ndisc_next_option(p, ndopts.nd_opts_ri_end)) {
1310 			struct route_info *ri = (struct route_info *)p;
1311 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1312 			if (skb->ndisc_nodetype == NDISC_NODETYPE_NODEFAULT &&
1313 			    ri->prefix_len == 0)
1314 				continue;
1315 #endif
1316 			if (ri->prefix_len == 0 &&
1317 			    !in6_dev->cnf.accept_ra_defrtr)
1318 				continue;
1319 			if (ri->prefix_len > in6_dev->cnf.accept_ra_rt_info_max_plen)
1320 				continue;
1321 			rt6_route_rcv(skb->dev, (u8 *)p, (p->nd_opt_len) << 3,
1322 				      &ipv6_hdr(skb)->saddr);
1323 		}
1324 	}
1325 
1326 skip_routeinfo:
1327 #endif
1328 
1329 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1330 	/* skip link-specific ndopts from interior routers */
1331 	if (skb->ndisc_nodetype == NDISC_NODETYPE_NODEFAULT) {
1332 		ND_PRINTK(2, info,
1333 			  "RA: %s, nodetype is NODEFAULT (interior routes), dev: %s\n",
1334 			  __func__, skb->dev->name);
1335 		goto out;
1336 	}
1337 #endif
1338 
1339 	if (in6_dev->cnf.accept_ra_pinfo && ndopts.nd_opts_pi) {
1340 		struct nd_opt_hdr *p;
1341 		for (p = ndopts.nd_opts_pi;
1342 		     p;
1343 		     p = ndisc_next_option(p, ndopts.nd_opts_pi_end)) {
1344 			addrconf_prefix_rcv(skb->dev, (u8 *)p,
1345 					    (p->nd_opt_len) << 3,
1346 					    ndopts.nd_opts_src_lladdr != NULL);
1347 		}
1348 	}
1349 
1350 	if (ndopts.nd_opts_mtu) {
1351 		__be32 n;
1352 		u32 mtu;
1353 
1354 		memcpy(&n, ((u8 *)(ndopts.nd_opts_mtu+1))+2, sizeof(mtu));
1355 		mtu = ntohl(n);
1356 
1357 		if (mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) {
1358 			ND_PRINTK(2, warn, "RA: invalid mtu: %d\n", mtu);
1359 		} else if (in6_dev->cnf.mtu6 != mtu) {
1360 			in6_dev->cnf.mtu6 = mtu;
1361 
1362 			if (rt)
1363 				dst_metric_set(&rt->dst, RTAX_MTU, mtu);
1364 
1365 			rt6_mtu_change(skb->dev, mtu);
1366 		}
1367 	}
1368 
1369 	if (ndopts.nd_useropts) {
1370 		struct nd_opt_hdr *p;
1371 		for (p = ndopts.nd_useropts;
1372 		     p;
1373 		     p = ndisc_next_useropt(p, ndopts.nd_useropts_end)) {
1374 			ndisc_ra_useropt(skb, p);
1375 		}
1376 	}
1377 
1378 	if (ndopts.nd_opts_tgt_lladdr || ndopts.nd_opts_rh) {
1379 		ND_PRINTK(2, warn, "RA: invalid RA options\n");
1380 	}
1381 out:
1382 	ip6_rt_put(rt);
1383 	if (neigh)
1384 		neigh_release(neigh);
1385 }
1386 
1387 static void ndisc_redirect_rcv(struct sk_buff *skb)
1388 {
1389 	u8 *hdr;
1390 	struct ndisc_options ndopts;
1391 	struct rd_msg *msg = (struct rd_msg *)skb_transport_header(skb);
1392 	u32 ndoptlen = skb_tail_pointer(skb) - (skb_transport_header(skb) +
1393 				    offsetof(struct rd_msg, opt));
1394 
1395 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1396 	switch (skb->ndisc_nodetype) {
1397 	case NDISC_NODETYPE_HOST:
1398 	case NDISC_NODETYPE_NODEFAULT:
1399 		ND_PRINTK(2, warn,
1400 			  "Redirect: from host or unauthorized router\n");
1401 		return;
1402 	}
1403 #endif
1404 
1405 	if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL)) {
1406 		ND_PRINTK(2, warn,
1407 			  "Redirect: source address is not link-local\n");
1408 		return;
1409 	}
1410 
1411 	if (!ndisc_parse_options(msg->opt, ndoptlen, &ndopts))
1412 		return;
1413 
1414 	if (!ndopts.nd_opts_rh) {
1415 		ip6_redirect_no_header(skb, dev_net(skb->dev),
1416 					skb->dev->ifindex, 0);
1417 		return;
1418 	}
1419 
1420 	hdr = (u8 *)ndopts.nd_opts_rh;
1421 	hdr += 8;
1422 	if (!pskb_pull(skb, hdr - skb_transport_header(skb)))
1423 		return;
1424 
1425 	icmpv6_notify(skb, NDISC_REDIRECT, 0, 0);
1426 }
1427 
1428 static void ndisc_fill_redirect_hdr_option(struct sk_buff *skb,
1429 					   struct sk_buff *orig_skb,
1430 					   int rd_len)
1431 {
1432 	u8 *opt = skb_put(skb, rd_len);
1433 
1434 	memset(opt, 0, 8);
1435 	*(opt++) = ND_OPT_REDIRECT_HDR;
1436 	*(opt++) = (rd_len >> 3);
1437 	opt += 6;
1438 
1439 	memcpy(opt, ipv6_hdr(orig_skb), rd_len - 8);
1440 }
1441 
1442 void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target)
1443 {
1444 	struct net_device *dev = skb->dev;
1445 	struct net *net = dev_net(dev);
1446 	struct sock *sk = net->ipv6.ndisc_sk;
1447 	int optlen = 0;
1448 	struct inet_peer *peer;
1449 	struct sk_buff *buff;
1450 	struct rd_msg *msg;
1451 	struct in6_addr saddr_buf;
1452 	struct rt6_info *rt;
1453 	struct dst_entry *dst;
1454 	struct flowi6 fl6;
1455 	int rd_len;
1456 	u8 ha_buf[MAX_ADDR_LEN], *ha = NULL;
1457 	bool ret;
1458 
1459 	if (ipv6_get_lladdr(dev, &saddr_buf, IFA_F_TENTATIVE)) {
1460 		ND_PRINTK(2, warn, "Redirect: no link-local address on %s\n",
1461 			  dev->name);
1462 		return;
1463 	}
1464 
1465 	if (!ipv6_addr_equal(&ipv6_hdr(skb)->daddr, target) &&
1466 	    ipv6_addr_type(target) != (IPV6_ADDR_UNICAST|IPV6_ADDR_LINKLOCAL)) {
1467 		ND_PRINTK(2, warn,
1468 			  "Redirect: target address is not link-local unicast\n");
1469 		return;
1470 	}
1471 
1472 	icmpv6_flow_init(sk, &fl6, NDISC_REDIRECT,
1473 			 &saddr_buf, &ipv6_hdr(skb)->saddr, dev->ifindex);
1474 
1475 	dst = ip6_route_output(net, NULL, &fl6);
1476 	if (dst->error) {
1477 		dst_release(dst);
1478 		return;
1479 	}
1480 	dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), NULL, 0);
1481 	if (IS_ERR(dst))
1482 		return;
1483 
1484 	rt = (struct rt6_info *) dst;
1485 
1486 	if (rt->rt6i_flags & RTF_GATEWAY) {
1487 		ND_PRINTK(2, warn,
1488 			  "Redirect: destination is not a neighbour\n");
1489 		goto release;
1490 	}
1491 	peer = inet_getpeer_v6(net->ipv6.peers, &rt->rt6i_dst.addr, 1);
1492 	ret = inet_peer_xrlim_allow(peer, 1*HZ);
1493 	if (peer)
1494 		inet_putpeer(peer);
1495 	if (!ret)
1496 		goto release;
1497 
1498 	if (dev->addr_len) {
1499 		struct neighbour *neigh = dst_neigh_lookup(skb_dst(skb), target);
1500 		if (!neigh) {
1501 			ND_PRINTK(2, warn,
1502 				  "Redirect: no neigh for target address\n");
1503 			goto release;
1504 		}
1505 
1506 		read_lock_bh(&neigh->lock);
1507 		if (neigh->nud_state & NUD_VALID) {
1508 			memcpy(ha_buf, neigh->ha, dev->addr_len);
1509 			read_unlock_bh(&neigh->lock);
1510 			ha = ha_buf;
1511 			optlen += ndisc_opt_addr_space(dev);
1512 		} else
1513 			read_unlock_bh(&neigh->lock);
1514 
1515 		neigh_release(neigh);
1516 	}
1517 
1518 	rd_len = min_t(unsigned int,
1519 		       IPV6_MIN_MTU - sizeof(struct ipv6hdr) - sizeof(*msg) - optlen,
1520 		       skb->len + 8);
1521 	rd_len &= ~0x7;
1522 	optlen += rd_len;
1523 
1524 	buff = ndisc_alloc_skb(dev, sizeof(*msg) + optlen);
1525 	if (!buff)
1526 		goto release;
1527 
1528 	msg = (struct rd_msg *)skb_put(buff, sizeof(*msg));
1529 	*msg = (struct rd_msg) {
1530 		.icmph = {
1531 			.icmp6_type = NDISC_REDIRECT,
1532 		},
1533 		.target = *target,
1534 		.dest = ipv6_hdr(skb)->daddr,
1535 	};
1536 
1537 	/*
1538 	 *	include target_address option
1539 	 */
1540 
1541 	if (ha)
1542 		ndisc_fill_addr_option(buff, ND_OPT_TARGET_LL_ADDR, ha);
1543 
1544 	/*
1545 	 *	build redirect option and copy skb over to the new packet.
1546 	 */
1547 
1548 	if (rd_len)
1549 		ndisc_fill_redirect_hdr_option(buff, skb, rd_len);
1550 
1551 	skb_dst_set(buff, dst);
1552 	ndisc_send_skb(buff, &ipv6_hdr(skb)->saddr, &saddr_buf);
1553 	return;
1554 
1555 release:
1556 	dst_release(dst);
1557 }
1558 
1559 static void pndisc_redo(struct sk_buff *skb)
1560 {
1561 	ndisc_recv_ns(skb);
1562 	kfree_skb(skb);
1563 }
1564 
1565 static bool ndisc_suppress_frag_ndisc(struct sk_buff *skb)
1566 {
1567 	struct inet6_dev *idev = __in6_dev_get(skb->dev);
1568 
1569 	if (!idev)
1570 		return true;
1571 	if (IP6CB(skb)->flags & IP6SKB_FRAGMENTED &&
1572 	    idev->cnf.suppress_frag_ndisc) {
1573 		net_warn_ratelimited("Received fragmented ndisc packet. Carefully consider disabling suppress_frag_ndisc.\n");
1574 		return true;
1575 	}
1576 	return false;
1577 }
1578 
1579 int ndisc_rcv(struct sk_buff *skb)
1580 {
1581 	struct nd_msg *msg;
1582 
1583 	if (ndisc_suppress_frag_ndisc(skb))
1584 		return 0;
1585 
1586 	if (skb_linearize(skb))
1587 		return 0;
1588 
1589 	msg = (struct nd_msg *)skb_transport_header(skb);
1590 
1591 	__skb_push(skb, skb->data - skb_transport_header(skb));
1592 
1593 	if (ipv6_hdr(skb)->hop_limit != 255) {
1594 		ND_PRINTK(2, warn, "NDISC: invalid hop-limit: %d\n",
1595 			  ipv6_hdr(skb)->hop_limit);
1596 		return 0;
1597 	}
1598 
1599 	if (msg->icmph.icmp6_code != 0) {
1600 		ND_PRINTK(2, warn, "NDISC: invalid ICMPv6 code: %d\n",
1601 			  msg->icmph.icmp6_code);
1602 		return 0;
1603 	}
1604 
1605 	memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb));
1606 
1607 	switch (msg->icmph.icmp6_type) {
1608 	case NDISC_NEIGHBOUR_SOLICITATION:
1609 		ndisc_recv_ns(skb);
1610 		break;
1611 
1612 	case NDISC_NEIGHBOUR_ADVERTISEMENT:
1613 		ndisc_recv_na(skb);
1614 		break;
1615 
1616 	case NDISC_ROUTER_SOLICITATION:
1617 		ndisc_recv_rs(skb);
1618 		break;
1619 
1620 	case NDISC_ROUTER_ADVERTISEMENT:
1621 		ndisc_router_discovery(skb);
1622 		break;
1623 
1624 	case NDISC_REDIRECT:
1625 		ndisc_redirect_rcv(skb);
1626 		break;
1627 	}
1628 
1629 	return 0;
1630 }
1631 
1632 static int ndisc_netdev_event(struct notifier_block *this, unsigned long event, void *ptr)
1633 {
1634 	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
1635 	struct net *net = dev_net(dev);
1636 	struct inet6_dev *idev;
1637 
1638 	switch (event) {
1639 	case NETDEV_CHANGEADDR:
1640 		neigh_changeaddr(&nd_tbl, dev);
1641 		fib6_run_gc(0, net, false);
1642 		idev = in6_dev_get(dev);
1643 		if (!idev)
1644 			break;
1645 		if (idev->cnf.ndisc_notify)
1646 			ndisc_send_unsol_na(dev);
1647 		in6_dev_put(idev);
1648 		break;
1649 	case NETDEV_DOWN:
1650 		neigh_ifdown(&nd_tbl, dev);
1651 		fib6_run_gc(0, net, false);
1652 		break;
1653 	case NETDEV_NOTIFY_PEERS:
1654 		ndisc_send_unsol_na(dev);
1655 		break;
1656 	default:
1657 		break;
1658 	}
1659 
1660 	return NOTIFY_DONE;
1661 }
1662 
1663 static struct notifier_block ndisc_netdev_notifier = {
1664 	.notifier_call = ndisc_netdev_event,
1665 };
1666 
1667 #ifdef CONFIG_SYSCTL
1668 static void ndisc_warn_deprecated_sysctl(struct ctl_table *ctl,
1669 					 const char *func, const char *dev_name)
1670 {
1671 	static char warncomm[TASK_COMM_LEN];
1672 	static int warned;
1673 	if (strcmp(warncomm, current->comm) && warned < 5) {
1674 		strcpy(warncomm, current->comm);
1675 		pr_warn("process `%s' is using deprecated sysctl (%s) net.ipv6.neigh.%s.%s - use net.ipv6.neigh.%s.%s_ms instead\n",
1676 			warncomm, func,
1677 			dev_name, ctl->procname,
1678 			dev_name, ctl->procname);
1679 		warned++;
1680 	}
1681 }
1682 
1683 int ndisc_ifinfo_sysctl_change(struct ctl_table *ctl, int write, void __user *buffer, size_t *lenp, loff_t *ppos)
1684 {
1685 	struct net_device *dev = ctl->extra1;
1686 	struct inet6_dev *idev;
1687 	int ret;
1688 
1689 	if ((strcmp(ctl->procname, "retrans_time") == 0) ||
1690 	    (strcmp(ctl->procname, "base_reachable_time") == 0))
1691 		ndisc_warn_deprecated_sysctl(ctl, "syscall", dev ? dev->name : "default");
1692 
1693 	if (strcmp(ctl->procname, "retrans_time") == 0)
1694 		ret = neigh_proc_dointvec(ctl, write, buffer, lenp, ppos);
1695 
1696 	else if (strcmp(ctl->procname, "base_reachable_time") == 0)
1697 		ret = neigh_proc_dointvec_jiffies(ctl, write,
1698 						  buffer, lenp, ppos);
1699 
1700 	else if ((strcmp(ctl->procname, "retrans_time_ms") == 0) ||
1701 		 (strcmp(ctl->procname, "base_reachable_time_ms") == 0))
1702 		ret = neigh_proc_dointvec_ms_jiffies(ctl, write,
1703 						     buffer, lenp, ppos);
1704 	else
1705 		ret = -1;
1706 
1707 	if (write && ret == 0 && dev && (idev = in6_dev_get(dev)) != NULL) {
1708 		if (ctl->data == &NEIGH_VAR(idev->nd_parms, BASE_REACHABLE_TIME))
1709 			idev->nd_parms->reachable_time =
1710 					neigh_rand_reach_time(NEIGH_VAR(idev->nd_parms, BASE_REACHABLE_TIME));
1711 		idev->tstamp = jiffies;
1712 		inet6_ifinfo_notify(RTM_NEWLINK, idev);
1713 		in6_dev_put(idev);
1714 	}
1715 	return ret;
1716 }
1717 
1718 
1719 #endif
1720 
1721 static int __net_init ndisc_net_init(struct net *net)
1722 {
1723 	struct ipv6_pinfo *np;
1724 	struct sock *sk;
1725 	int err;
1726 
1727 	err = inet_ctl_sock_create(&sk, PF_INET6,
1728 				   SOCK_RAW, IPPROTO_ICMPV6, net);
1729 	if (err < 0) {
1730 		ND_PRINTK(0, err,
1731 			  "NDISC: Failed to initialize the control socket (err %d)\n",
1732 			  err);
1733 		return err;
1734 	}
1735 
1736 	net->ipv6.ndisc_sk = sk;
1737 
1738 	np = inet6_sk(sk);
1739 	np->hop_limit = 255;
1740 	/* Do not loopback ndisc messages */
1741 	np->mc_loop = 0;
1742 
1743 	return 0;
1744 }
1745 
1746 static void __net_exit ndisc_net_exit(struct net *net)
1747 {
1748 	inet_ctl_sock_destroy(net->ipv6.ndisc_sk);
1749 }
1750 
1751 static struct pernet_operations ndisc_net_ops = {
1752 	.init = ndisc_net_init,
1753 	.exit = ndisc_net_exit,
1754 };
1755 
1756 int __init ndisc_init(void)
1757 {
1758 	int err;
1759 
1760 	err = register_pernet_subsys(&ndisc_net_ops);
1761 	if (err)
1762 		return err;
1763 	/*
1764 	 * Initialize the neighbour table
1765 	 */
1766 	neigh_table_init(&nd_tbl);
1767 
1768 #ifdef CONFIG_SYSCTL
1769 	err = neigh_sysctl_register(NULL, &nd_tbl.parms,
1770 				    ndisc_ifinfo_sysctl_change);
1771 	if (err)
1772 		goto out_unregister_pernet;
1773 out:
1774 #endif
1775 	return err;
1776 
1777 #ifdef CONFIG_SYSCTL
1778 out_unregister_pernet:
1779 	unregister_pernet_subsys(&ndisc_net_ops);
1780 	goto out;
1781 #endif
1782 }
1783 
1784 int __init ndisc_late_init(void)
1785 {
1786 	return register_netdevice_notifier(&ndisc_netdev_notifier);
1787 }
1788 
1789 void ndisc_late_cleanup(void)
1790 {
1791 	unregister_netdevice_notifier(&ndisc_netdev_notifier);
1792 }
1793 
1794 void ndisc_cleanup(void)
1795 {
1796 #ifdef CONFIG_SYSCTL
1797 	neigh_sysctl_unregister(&nd_tbl.parms);
1798 #endif
1799 	neigh_table_clear(&nd_tbl);
1800 	unregister_pernet_subsys(&ndisc_net_ops);
1801 }
1802