xref: /openbmc/linux/net/ipv6/ndisc.c (revision e868d61272caa648214046a096e5a6bfc068dc8c)
1 /*
2  *	Neighbour Discovery for IPv6
3  *	Linux INET6 implementation
4  *
5  *	Authors:
6  *	Pedro Roque		<roque@di.fc.ul.pt>
7  *	Mike Shaver		<shaver@ingenia.com>
8  *
9  *	This program is free software; you can redistribute it and/or
10  *      modify it under the terms of the GNU General Public License
11  *      as published by the Free Software Foundation; either version
12  *      2 of the License, or (at your option) any later version.
13  */
14 
15 /*
16  *	Changes:
17  *
18  *	Lars Fenneberg			:	fixed MTU setting on receipt
19  *						of an RA.
20  *
21  *	Janos Farkas			:	kmalloc failure checks
22  *	Alexey Kuznetsov		:	state machine reworked
23  *						and moved to net/core.
24  *	Pekka Savola			:	RFC2461 validation
25  *	YOSHIFUJI Hideaki @USAGI	:	Verify ND options properly
26  */
27 
28 /* Set to 3 to get tracing... */
29 #define ND_DEBUG 1
30 
31 #define ND_PRINTK(fmt, args...) do { if (net_ratelimit()) { printk(fmt, ## args); } } while(0)
32 #define ND_NOPRINTK(x...) do { ; } while(0)
33 #define ND_PRINTK0 ND_PRINTK
34 #define ND_PRINTK1 ND_NOPRINTK
35 #define ND_PRINTK2 ND_NOPRINTK
36 #define ND_PRINTK3 ND_NOPRINTK
37 #if ND_DEBUG >= 1
38 #undef ND_PRINTK1
39 #define ND_PRINTK1 ND_PRINTK
40 #endif
41 #if ND_DEBUG >= 2
42 #undef ND_PRINTK2
43 #define ND_PRINTK2 ND_PRINTK
44 #endif
45 #if ND_DEBUG >= 3
46 #undef ND_PRINTK3
47 #define ND_PRINTK3 ND_PRINTK
48 #endif
49 
50 #include <linux/module.h>
51 #include <linux/errno.h>
52 #include <linux/types.h>
53 #include <linux/socket.h>
54 #include <linux/sockios.h>
55 #include <linux/sched.h>
56 #include <linux/net.h>
57 #include <linux/in6.h>
58 #include <linux/route.h>
59 #include <linux/init.h>
60 #include <linux/rcupdate.h>
61 #ifdef CONFIG_SYSCTL
62 #include <linux/sysctl.h>
63 #endif
64 
65 #include <linux/if_addr.h>
66 #include <linux/if_arp.h>
67 #include <linux/ipv6.h>
68 #include <linux/icmpv6.h>
69 #include <linux/jhash.h>
70 
71 #include <net/sock.h>
72 #include <net/snmp.h>
73 
74 #include <net/ipv6.h>
75 #include <net/protocol.h>
76 #include <net/ndisc.h>
77 #include <net/ip6_route.h>
78 #include <net/addrconf.h>
79 #include <net/icmp.h>
80 
81 #include <net/flow.h>
82 #include <net/ip6_checksum.h>
83 #include <linux/proc_fs.h>
84 
85 #include <linux/netfilter.h>
86 #include <linux/netfilter_ipv6.h>
87 
88 static struct socket *ndisc_socket;
89 
90 static u32 ndisc_hash(const void *pkey, const struct net_device *dev);
91 static int ndisc_constructor(struct neighbour *neigh);
92 static void ndisc_solicit(struct neighbour *neigh, struct sk_buff *skb);
93 static void ndisc_error_report(struct neighbour *neigh, struct sk_buff *skb);
94 static int pndisc_constructor(struct pneigh_entry *n);
95 static void pndisc_destructor(struct pneigh_entry *n);
96 static void pndisc_redo(struct sk_buff *skb);
97 
98 static struct neigh_ops ndisc_generic_ops = {
99 	.family =		AF_INET6,
100 	.solicit =		ndisc_solicit,
101 	.error_report =		ndisc_error_report,
102 	.output =		neigh_resolve_output,
103 	.connected_output =	neigh_connected_output,
104 	.hh_output =		dev_queue_xmit,
105 	.queue_xmit =		dev_queue_xmit,
106 };
107 
108 static struct neigh_ops ndisc_hh_ops = {
109 	.family =		AF_INET6,
110 	.solicit =		ndisc_solicit,
111 	.error_report =		ndisc_error_report,
112 	.output =		neigh_resolve_output,
113 	.connected_output =	neigh_resolve_output,
114 	.hh_output =		dev_queue_xmit,
115 	.queue_xmit =		dev_queue_xmit,
116 };
117 
118 
119 static struct neigh_ops ndisc_direct_ops = {
120 	.family =		AF_INET6,
121 	.output =		dev_queue_xmit,
122 	.connected_output =	dev_queue_xmit,
123 	.hh_output =		dev_queue_xmit,
124 	.queue_xmit =		dev_queue_xmit,
125 };
126 
127 struct neigh_table nd_tbl = {
128 	.family =	AF_INET6,
129 	.entry_size =	sizeof(struct neighbour) + sizeof(struct in6_addr),
130 	.key_len =	sizeof(struct in6_addr),
131 	.hash =		ndisc_hash,
132 	.constructor =	ndisc_constructor,
133 	.pconstructor =	pndisc_constructor,
134 	.pdestructor =	pndisc_destructor,
135 	.proxy_redo =	pndisc_redo,
136 	.id =		"ndisc_cache",
137 	.parms = {
138 		.tbl =			&nd_tbl,
139 		.base_reachable_time =	30 * HZ,
140 		.retrans_time =	 1 * HZ,
141 		.gc_staletime =	60 * HZ,
142 		.reachable_time =		30 * HZ,
143 		.delay_probe_time =	 5 * HZ,
144 		.queue_len =		 3,
145 		.ucast_probes =	 3,
146 		.mcast_probes =	 3,
147 		.anycast_delay =	 1 * HZ,
148 		.proxy_delay =		(8 * HZ) / 10,
149 		.proxy_qlen =		64,
150 	},
151 	.gc_interval =	  30 * HZ,
152 	.gc_thresh1 =	 128,
153 	.gc_thresh2 =	 512,
154 	.gc_thresh3 =	1024,
155 };
156 
157 /* ND options */
158 struct ndisc_options {
159 	struct nd_opt_hdr *nd_opt_array[__ND_OPT_ARRAY_MAX];
160 #ifdef CONFIG_IPV6_ROUTE_INFO
161 	struct nd_opt_hdr *nd_opts_ri;
162 	struct nd_opt_hdr *nd_opts_ri_end;
163 #endif
164 };
165 
166 #define nd_opts_src_lladdr	nd_opt_array[ND_OPT_SOURCE_LL_ADDR]
167 #define nd_opts_tgt_lladdr	nd_opt_array[ND_OPT_TARGET_LL_ADDR]
168 #define nd_opts_pi		nd_opt_array[ND_OPT_PREFIX_INFO]
169 #define nd_opts_pi_end		nd_opt_array[__ND_OPT_PREFIX_INFO_END]
170 #define nd_opts_rh		nd_opt_array[ND_OPT_REDIRECT_HDR]
171 #define nd_opts_mtu		nd_opt_array[ND_OPT_MTU]
172 
173 #define NDISC_OPT_SPACE(len) (((len)+2+7)&~7)
174 
175 /*
176  * Return the padding between the option length and the start of the
177  * link addr.  Currently only IP-over-InfiniBand needs this, although
178  * if RFC 3831 IPv6-over-Fibre Channel is ever implemented it may
179  * also need a pad of 2.
180  */
181 static int ndisc_addr_option_pad(unsigned short type)
182 {
183 	switch (type) {
184 	case ARPHRD_INFINIBAND: return 2;
185 	default:                return 0;
186 	}
187 }
188 
189 static inline int ndisc_opt_addr_space(struct net_device *dev)
190 {
191 	return NDISC_OPT_SPACE(dev->addr_len + ndisc_addr_option_pad(dev->type));
192 }
193 
194 static u8 *ndisc_fill_addr_option(u8 *opt, int type, void *data, int data_len,
195 				  unsigned short addr_type)
196 {
197 	int space = NDISC_OPT_SPACE(data_len);
198 	int pad   = ndisc_addr_option_pad(addr_type);
199 
200 	opt[0] = type;
201 	opt[1] = space>>3;
202 
203 	memset(opt + 2, 0, pad);
204 	opt   += pad;
205 	space -= pad;
206 
207 	memcpy(opt+2, data, data_len);
208 	data_len += 2;
209 	opt += data_len;
210 	if ((space -= data_len) > 0)
211 		memset(opt, 0, space);
212 	return opt + space;
213 }
214 
215 static struct nd_opt_hdr *ndisc_next_option(struct nd_opt_hdr *cur,
216 					    struct nd_opt_hdr *end)
217 {
218 	int type;
219 	if (!cur || !end || cur >= end)
220 		return NULL;
221 	type = cur->nd_opt_type;
222 	do {
223 		cur = ((void *)cur) + (cur->nd_opt_len << 3);
224 	} while(cur < end && cur->nd_opt_type != type);
225 	return (cur <= end && cur->nd_opt_type == type ? cur : NULL);
226 }
227 
228 static struct ndisc_options *ndisc_parse_options(u8 *opt, int opt_len,
229 						 struct ndisc_options *ndopts)
230 {
231 	struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)opt;
232 
233 	if (!nd_opt || opt_len < 0 || !ndopts)
234 		return NULL;
235 	memset(ndopts, 0, sizeof(*ndopts));
236 	while (opt_len) {
237 		int l;
238 		if (opt_len < sizeof(struct nd_opt_hdr))
239 			return NULL;
240 		l = nd_opt->nd_opt_len << 3;
241 		if (opt_len < l || l == 0)
242 			return NULL;
243 		switch (nd_opt->nd_opt_type) {
244 		case ND_OPT_SOURCE_LL_ADDR:
245 		case ND_OPT_TARGET_LL_ADDR:
246 		case ND_OPT_MTU:
247 		case ND_OPT_REDIRECT_HDR:
248 			if (ndopts->nd_opt_array[nd_opt->nd_opt_type]) {
249 				ND_PRINTK2(KERN_WARNING
250 					   "%s(): duplicated ND6 option found: type=%d\n",
251 					   __FUNCTION__,
252 					   nd_opt->nd_opt_type);
253 			} else {
254 				ndopts->nd_opt_array[nd_opt->nd_opt_type] = nd_opt;
255 			}
256 			break;
257 		case ND_OPT_PREFIX_INFO:
258 			ndopts->nd_opts_pi_end = nd_opt;
259 			if (ndopts->nd_opt_array[nd_opt->nd_opt_type] == 0)
260 				ndopts->nd_opt_array[nd_opt->nd_opt_type] = nd_opt;
261 			break;
262 #ifdef CONFIG_IPV6_ROUTE_INFO
263 		case ND_OPT_ROUTE_INFO:
264 			ndopts->nd_opts_ri_end = nd_opt;
265 			if (!ndopts->nd_opts_ri)
266 				ndopts->nd_opts_ri = nd_opt;
267 			break;
268 #endif
269 		default:
270 			/*
271 			 * Unknown options must be silently ignored,
272 			 * to accommodate future extension to the protocol.
273 			 */
274 			ND_PRINTK2(KERN_NOTICE
275 				   "%s(): ignored unsupported option; type=%d, len=%d\n",
276 				   __FUNCTION__,
277 				   nd_opt->nd_opt_type, nd_opt->nd_opt_len);
278 		}
279 		opt_len -= l;
280 		nd_opt = ((void *)nd_opt) + l;
281 	}
282 	return ndopts;
283 }
284 
285 static inline u8 *ndisc_opt_addr_data(struct nd_opt_hdr *p,
286 				      struct net_device *dev)
287 {
288 	u8 *lladdr = (u8 *)(p + 1);
289 	int lladdrlen = p->nd_opt_len << 3;
290 	int prepad = ndisc_addr_option_pad(dev->type);
291 	if (lladdrlen != NDISC_OPT_SPACE(dev->addr_len + prepad))
292 		return NULL;
293 	return (lladdr + prepad);
294 }
295 
296 int ndisc_mc_map(struct in6_addr *addr, char *buf, struct net_device *dev, int dir)
297 {
298 	switch (dev->type) {
299 	case ARPHRD_ETHER:
300 	case ARPHRD_IEEE802:	/* Not sure. Check it later. --ANK */
301 	case ARPHRD_FDDI:
302 		ipv6_eth_mc_map(addr, buf);
303 		return 0;
304 	case ARPHRD_IEEE802_TR:
305 		ipv6_tr_mc_map(addr,buf);
306 		return 0;
307 	case ARPHRD_ARCNET:
308 		ipv6_arcnet_mc_map(addr, buf);
309 		return 0;
310 	case ARPHRD_INFINIBAND:
311 		ipv6_ib_mc_map(addr, buf);
312 		return 0;
313 	default:
314 		if (dir) {
315 			memcpy(buf, dev->broadcast, dev->addr_len);
316 			return 0;
317 		}
318 	}
319 	return -EINVAL;
320 }
321 
322 EXPORT_SYMBOL(ndisc_mc_map);
323 
324 static u32 ndisc_hash(const void *pkey, const struct net_device *dev)
325 {
326 	const u32 *p32 = pkey;
327 	u32 addr_hash, i;
328 
329 	addr_hash = 0;
330 	for (i = 0; i < (sizeof(struct in6_addr) / sizeof(u32)); i++)
331 		addr_hash ^= *p32++;
332 
333 	return jhash_2words(addr_hash, dev->ifindex, nd_tbl.hash_rnd);
334 }
335 
336 static int ndisc_constructor(struct neighbour *neigh)
337 {
338 	struct in6_addr *addr = (struct in6_addr*)&neigh->primary_key;
339 	struct net_device *dev = neigh->dev;
340 	struct inet6_dev *in6_dev;
341 	struct neigh_parms *parms;
342 	int is_multicast = ipv6_addr_is_multicast(addr);
343 
344 	rcu_read_lock();
345 	in6_dev = in6_dev_get(dev);
346 	if (in6_dev == NULL) {
347 		rcu_read_unlock();
348 		return -EINVAL;
349 	}
350 
351 	parms = in6_dev->nd_parms;
352 	__neigh_parms_put(neigh->parms);
353 	neigh->parms = neigh_parms_clone(parms);
354 	rcu_read_unlock();
355 
356 	neigh->type = is_multicast ? RTN_MULTICAST : RTN_UNICAST;
357 	if (dev->hard_header == NULL) {
358 		neigh->nud_state = NUD_NOARP;
359 		neigh->ops = &ndisc_direct_ops;
360 		neigh->output = neigh->ops->queue_xmit;
361 	} else {
362 		if (is_multicast) {
363 			neigh->nud_state = NUD_NOARP;
364 			ndisc_mc_map(addr, neigh->ha, dev, 1);
365 		} else if (dev->flags&(IFF_NOARP|IFF_LOOPBACK)) {
366 			neigh->nud_state = NUD_NOARP;
367 			memcpy(neigh->ha, dev->dev_addr, dev->addr_len);
368 			if (dev->flags&IFF_LOOPBACK)
369 				neigh->type = RTN_LOCAL;
370 		} else if (dev->flags&IFF_POINTOPOINT) {
371 			neigh->nud_state = NUD_NOARP;
372 			memcpy(neigh->ha, dev->broadcast, dev->addr_len);
373 		}
374 		if (dev->hard_header_cache)
375 			neigh->ops = &ndisc_hh_ops;
376 		else
377 			neigh->ops = &ndisc_generic_ops;
378 		if (neigh->nud_state&NUD_VALID)
379 			neigh->output = neigh->ops->connected_output;
380 		else
381 			neigh->output = neigh->ops->output;
382 	}
383 	in6_dev_put(in6_dev);
384 	return 0;
385 }
386 
387 static int pndisc_constructor(struct pneigh_entry *n)
388 {
389 	struct in6_addr *addr = (struct in6_addr*)&n->key;
390 	struct in6_addr maddr;
391 	struct net_device *dev = n->dev;
392 
393 	if (dev == NULL || __in6_dev_get(dev) == NULL)
394 		return -EINVAL;
395 	addrconf_addr_solict_mult(addr, &maddr);
396 	ipv6_dev_mc_inc(dev, &maddr);
397 	return 0;
398 }
399 
400 static void pndisc_destructor(struct pneigh_entry *n)
401 {
402 	struct in6_addr *addr = (struct in6_addr*)&n->key;
403 	struct in6_addr maddr;
404 	struct net_device *dev = n->dev;
405 
406 	if (dev == NULL || __in6_dev_get(dev) == NULL)
407 		return;
408 	addrconf_addr_solict_mult(addr, &maddr);
409 	ipv6_dev_mc_dec(dev, &maddr);
410 }
411 
412 /*
413  *	Send a Neighbour Advertisement
414  */
415 
416 static inline void ndisc_flow_init(struct flowi *fl, u8 type,
417 			    struct in6_addr *saddr, struct in6_addr *daddr,
418 			    int oif)
419 {
420 	memset(fl, 0, sizeof(*fl));
421 	ipv6_addr_copy(&fl->fl6_src, saddr);
422 	ipv6_addr_copy(&fl->fl6_dst, daddr);
423 	fl->proto	 	= IPPROTO_ICMPV6;
424 	fl->fl_icmp_type	= type;
425 	fl->fl_icmp_code	= 0;
426 	fl->oif			= oif;
427 	security_sk_classify_flow(ndisc_socket->sk, fl);
428 }
429 
430 static void __ndisc_send(struct net_device *dev,
431 			 struct neighbour *neigh,
432 			 struct in6_addr *daddr, struct in6_addr *saddr,
433 			 struct icmp6hdr *icmp6h, struct in6_addr *target,
434 			 int llinfo, int icmp6_mib_outnd)
435 {
436 	struct flowi fl;
437 	struct dst_entry *dst;
438 	struct sock *sk = ndisc_socket->sk;
439 	struct sk_buff *skb;
440 	struct icmp6hdr *hdr;
441 	struct inet6_dev *idev;
442 	int len;
443 	int err;
444 	u8 *opt;
445 
446 	ndisc_flow_init(&fl, icmp6h->icmp6_type, saddr, daddr,
447 			dev->ifindex);
448 
449 	dst = ndisc_dst_alloc(dev, neigh, daddr, ip6_output);
450 	if (!dst)
451 		return;
452 
453 	err = xfrm_lookup(&dst, &fl, NULL, 0);
454 	if (err < 0)
455 		return;
456 
457 	if (!dev->addr_len)
458 		llinfo = 0;
459 
460 	len = sizeof(struct icmp6hdr) + (target ? sizeof(*target) : 0);
461 	if (llinfo)
462 		len += ndisc_opt_addr_space(dev);
463 
464 	skb = sock_alloc_send_skb(sk,
465 				  (MAX_HEADER + sizeof(struct ipv6hdr) +
466 				   len + LL_RESERVED_SPACE(dev)),
467 				  1, &err);
468 	if (!skb) {
469 		ND_PRINTK0(KERN_ERR
470 			   "ICMPv6 ND: %s() failed to allocate an skb.\n",
471 			   __FUNCTION__);
472 		dst_release(dst);
473 		return;
474 	}
475 
476 	skb_reserve(skb, LL_RESERVED_SPACE(dev));
477 	ip6_nd_hdr(sk, skb, dev, saddr, daddr, IPPROTO_ICMPV6, len);
478 
479 	skb->transport_header = skb->tail;
480 	skb_put(skb, len);
481 
482 	hdr = (struct icmp6hdr *)skb_transport_header(skb);
483 	memcpy(hdr, icmp6h, sizeof(*hdr));
484 
485 	opt = skb_transport_header(skb) + sizeof(struct icmp6hdr);
486 	if (target) {
487 		ipv6_addr_copy((struct in6_addr *)opt, target);
488 		opt += sizeof(*target);
489 	}
490 
491 	if (llinfo)
492 		ndisc_fill_addr_option(opt, llinfo, dev->dev_addr,
493 				       dev->addr_len, dev->type);
494 
495 	hdr->icmp6_cksum = csum_ipv6_magic(saddr, daddr, len,
496 					   IPPROTO_ICMPV6,
497 					   csum_partial((__u8 *) hdr,
498 							len, 0));
499 
500 	skb->dst = dst;
501 
502 	idev = in6_dev_get(dst->dev);
503 	IP6_INC_STATS(idev, IPSTATS_MIB_OUTREQUESTS);
504 
505 	err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, dst->dev, dst_output);
506 	if (!err) {
507 		ICMP6_INC_STATS(idev, icmp6_mib_outnd);
508 		ICMP6_INC_STATS(idev, ICMP6_MIB_OUTMSGS);
509 	}
510 
511 	if (likely(idev != NULL))
512 		in6_dev_put(idev);
513 }
514 
515 static void ndisc_send_na(struct net_device *dev, struct neighbour *neigh,
516 		   struct in6_addr *daddr, struct in6_addr *solicited_addr,
517 		   int router, int solicited, int override, int inc_opt)
518 {
519 	struct in6_addr tmpaddr;
520 	struct inet6_ifaddr *ifp;
521 	struct in6_addr *src_addr;
522 	struct icmp6hdr icmp6h = {
523 		.icmp6_type = NDISC_NEIGHBOUR_ADVERTISEMENT,
524 	};
525 
526 	/* for anycast or proxy, solicited_addr != src_addr */
527 	ifp = ipv6_get_ifaddr(solicited_addr, dev, 1);
528 	if (ifp) {
529 		src_addr = solicited_addr;
530 		if (ifp->flags & IFA_F_OPTIMISTIC)
531 			override = 0;
532 		in6_ifa_put(ifp);
533 	} else {
534 		if (ipv6_dev_get_saddr(dev, daddr, &tmpaddr))
535 			return;
536 		src_addr = &tmpaddr;
537 	}
538 
539 	icmp6h.icmp6_router = router;
540 	icmp6h.icmp6_solicited = solicited;
541 	icmp6h.icmp6_override = override;
542 
543 	__ndisc_send(dev, neigh, daddr, src_addr,
544 		     &icmp6h, solicited_addr,
545 		     inc_opt ? ND_OPT_TARGET_LL_ADDR : 0,
546 		     ICMP6_MIB_OUTNEIGHBORADVERTISEMENTS);
547 }
548 
549 void ndisc_send_ns(struct net_device *dev, struct neighbour *neigh,
550 		   struct in6_addr *solicit,
551 		   struct in6_addr *daddr, struct in6_addr *saddr)
552 {
553 	struct in6_addr addr_buf;
554 	struct icmp6hdr icmp6h = {
555 		.icmp6_type = NDISC_NEIGHBOUR_SOLICITATION,
556 	};
557 
558 	if (saddr == NULL) {
559 		if (ipv6_get_lladdr(dev, &addr_buf,
560 				   (IFA_F_TENTATIVE|IFA_F_OPTIMISTIC)))
561 			return;
562 		saddr = &addr_buf;
563 	}
564 
565 	__ndisc_send(dev, neigh, daddr, saddr,
566 		     &icmp6h, solicit,
567 		     !ipv6_addr_any(saddr) ? ND_OPT_SOURCE_LL_ADDR : 0,
568 		     ICMP6_MIB_OUTNEIGHBORSOLICITS);
569 }
570 
571 void ndisc_send_rs(struct net_device *dev, struct in6_addr *saddr,
572 		   struct in6_addr *daddr)
573 {
574 	struct icmp6hdr icmp6h = {
575 		.icmp6_type = NDISC_ROUTER_SOLICITATION,
576 	};
577 	int send_sllao = dev->addr_len;
578 
579 #ifdef CONFIG_IPV6_OPTIMISTIC_DAD
580 	/*
581 	 * According to section 2.2 of RFC 4429, we must not
582 	 * send router solicitations with a sllao from
583 	 * optimistic addresses, but we may send the solicitation
584 	 * if we don't include the sllao.  So here we check
585 	 * if our address is optimistic, and if so, we
586 	 * supress the inclusion of the sllao.
587 	 */
588 	if (send_sllao) {
589 		struct inet6_ifaddr *ifp = ipv6_get_ifaddr(saddr, dev, 1);
590 		if (ifp) {
591 			if (ifp->flags & IFA_F_OPTIMISTIC)  {
592 				send_sllao = 0;
593 			}
594 			in6_ifa_put(ifp);
595 		} else {
596 			send_sllao = 0;
597 		}
598 	}
599 #endif
600 	__ndisc_send(dev, NULL, daddr, saddr,
601 		     &icmp6h, NULL,
602 		     send_sllao ? ND_OPT_SOURCE_LL_ADDR : 0,
603 		     ICMP6_MIB_OUTROUTERSOLICITS);
604 }
605 
606 
607 static void ndisc_error_report(struct neighbour *neigh, struct sk_buff *skb)
608 {
609 	/*
610 	 *	"The sender MUST return an ICMP
611 	 *	 destination unreachable"
612 	 */
613 	dst_link_failure(skb);
614 	kfree_skb(skb);
615 }
616 
617 /* Called with locked neigh: either read or both */
618 
619 static void ndisc_solicit(struct neighbour *neigh, struct sk_buff *skb)
620 {
621 	struct in6_addr *saddr = NULL;
622 	struct in6_addr mcaddr;
623 	struct net_device *dev = neigh->dev;
624 	struct in6_addr *target = (struct in6_addr *)&neigh->primary_key;
625 	int probes = atomic_read(&neigh->probes);
626 
627 	if (skb && ipv6_chk_addr(&ipv6_hdr(skb)->saddr, dev, 1))
628 		saddr = &ipv6_hdr(skb)->saddr;
629 
630 	if ((probes -= neigh->parms->ucast_probes) < 0) {
631 		if (!(neigh->nud_state & NUD_VALID)) {
632 			ND_PRINTK1(KERN_DEBUG
633 				   "%s(): trying to ucast probe in NUD_INVALID: "
634 				   NIP6_FMT "\n",
635 				   __FUNCTION__,
636 				   NIP6(*target));
637 		}
638 		ndisc_send_ns(dev, neigh, target, target, saddr);
639 	} else if ((probes -= neigh->parms->app_probes) < 0) {
640 #ifdef CONFIG_ARPD
641 		neigh_app_ns(neigh);
642 #endif
643 	} else {
644 		addrconf_addr_solict_mult(target, &mcaddr);
645 		ndisc_send_ns(dev, NULL, target, &mcaddr, saddr);
646 	}
647 }
648 
649 static void ndisc_recv_ns(struct sk_buff *skb)
650 {
651 	struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
652 	struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
653 	struct in6_addr *daddr = &ipv6_hdr(skb)->daddr;
654 	u8 *lladdr = NULL;
655 	u32 ndoptlen = skb->tail - (skb->transport_header +
656 				    offsetof(struct nd_msg, opt));
657 	struct ndisc_options ndopts;
658 	struct net_device *dev = skb->dev;
659 	struct inet6_ifaddr *ifp;
660 	struct inet6_dev *idev = NULL;
661 	struct neighbour *neigh;
662 	struct pneigh_entry *pneigh = NULL;
663 	int dad = ipv6_addr_any(saddr);
664 	int inc;
665 	int is_router;
666 
667 	if (ipv6_addr_is_multicast(&msg->target)) {
668 		ND_PRINTK2(KERN_WARNING
669 			   "ICMPv6 NS: multicast target address");
670 		return;
671 	}
672 
673 	/*
674 	 * RFC2461 7.1.1:
675 	 * DAD has to be destined for solicited node multicast address.
676 	 */
677 	if (dad &&
678 	    !(daddr->s6_addr32[0] == htonl(0xff020000) &&
679 	      daddr->s6_addr32[1] == htonl(0x00000000) &&
680 	      daddr->s6_addr32[2] == htonl(0x00000001) &&
681 	      daddr->s6_addr [12] == 0xff )) {
682 		ND_PRINTK2(KERN_WARNING
683 			   "ICMPv6 NS: bad DAD packet (wrong destination)\n");
684 		return;
685 	}
686 
687 	if (!ndisc_parse_options(msg->opt, ndoptlen, &ndopts)) {
688 		ND_PRINTK2(KERN_WARNING
689 			   "ICMPv6 NS: invalid ND options\n");
690 		return;
691 	}
692 
693 	if (ndopts.nd_opts_src_lladdr) {
694 		lladdr = ndisc_opt_addr_data(ndopts.nd_opts_src_lladdr, dev);
695 		if (!lladdr) {
696 			ND_PRINTK2(KERN_WARNING
697 				   "ICMPv6 NS: invalid link-layer address length\n");
698 			return;
699 		}
700 
701 		/* RFC2461 7.1.1:
702 		 *	If the IP source address is the unspecified address,
703 		 *	there MUST NOT be source link-layer address option
704 		 *	in the message.
705 		 */
706 		if (dad) {
707 			ND_PRINTK2(KERN_WARNING
708 				   "ICMPv6 NS: bad DAD packet (link-layer address option)\n");
709 			return;
710 		}
711 	}
712 
713 	inc = ipv6_addr_is_multicast(daddr);
714 
715 	if ((ifp = ipv6_get_ifaddr(&msg->target, dev, 1)) != NULL) {
716 
717 		if (ifp->flags & (IFA_F_TENTATIVE|IFA_F_OPTIMISTIC)) {
718 			if (dad) {
719 				if (dev->type == ARPHRD_IEEE802_TR) {
720 					const unsigned char *sadr;
721 					sadr = skb_mac_header(skb);
722 					if (((sadr[8] ^ dev->dev_addr[0]) & 0x7f) == 0 &&
723 					    sadr[9] == dev->dev_addr[1] &&
724 					    sadr[10] == dev->dev_addr[2] &&
725 					    sadr[11] == dev->dev_addr[3] &&
726 					    sadr[12] == dev->dev_addr[4] &&
727 					    sadr[13] == dev->dev_addr[5]) {
728 						/* looped-back to us */
729 						goto out;
730 					}
731 				}
732 
733 				/*
734 				 * We are colliding with another node
735 				 * who is doing DAD
736 				 * so fail our DAD process
737 				 */
738 				addrconf_dad_failure(ifp);
739 				goto out;
740 			} else {
741 				/*
742 				 * This is not a dad solicitation.
743 				 * If we are an optimistic node,
744 				 * we should respond.
745 				 * Otherwise, we should ignore it.
746 				 */
747 				if (!(ifp->flags & IFA_F_OPTIMISTIC))
748 					goto out;
749 			}
750 		}
751 
752 		idev = ifp->idev;
753 	} else {
754 		idev = in6_dev_get(dev);
755 		if (!idev) {
756 			/* XXX: count this drop? */
757 			return;
758 		}
759 
760 		if (ipv6_chk_acast_addr(dev, &msg->target) ||
761 		    (idev->cnf.forwarding &&
762 		     (ipv6_devconf.proxy_ndp || idev->cnf.proxy_ndp) &&
763 		     (pneigh = pneigh_lookup(&nd_tbl,
764 					     &msg->target, dev, 0)) != NULL)) {
765 			if (!(NEIGH_CB(skb)->flags & LOCALLY_ENQUEUED) &&
766 			    skb->pkt_type != PACKET_HOST &&
767 			    inc != 0 &&
768 			    idev->nd_parms->proxy_delay != 0) {
769 				/*
770 				 * for anycast or proxy,
771 				 * sender should delay its response
772 				 * by a random time between 0 and
773 				 * MAX_ANYCAST_DELAY_TIME seconds.
774 				 * (RFC2461) -- yoshfuji
775 				 */
776 				struct sk_buff *n = skb_clone(skb, GFP_ATOMIC);
777 				if (n)
778 					pneigh_enqueue(&nd_tbl, idev->nd_parms, n);
779 				goto out;
780 			}
781 		} else
782 			goto out;
783 	}
784 
785 	is_router = !!(pneigh ? pneigh->flags & NTF_ROUTER : idev->cnf.forwarding);
786 
787 	if (dad) {
788 		struct in6_addr maddr;
789 
790 		ipv6_addr_all_nodes(&maddr);
791 		ndisc_send_na(dev, NULL, &maddr, &msg->target,
792 			      is_router, 0, (ifp != NULL), 1);
793 		goto out;
794 	}
795 
796 	if (inc)
797 		NEIGH_CACHE_STAT_INC(&nd_tbl, rcv_probes_mcast);
798 	else
799 		NEIGH_CACHE_STAT_INC(&nd_tbl, rcv_probes_ucast);
800 
801 	/*
802 	 *	update / create cache entry
803 	 *	for the source address
804 	 */
805 	neigh = __neigh_lookup(&nd_tbl, saddr, dev,
806 			       !inc || lladdr || !dev->addr_len);
807 	if (neigh)
808 		neigh_update(neigh, lladdr, NUD_STALE,
809 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
810 			     NEIGH_UPDATE_F_OVERRIDE);
811 	if (neigh || !dev->hard_header) {
812 		ndisc_send_na(dev, neigh, saddr, &msg->target,
813 			      is_router,
814 			      1, (ifp != NULL && inc), inc);
815 		if (neigh)
816 			neigh_release(neigh);
817 	}
818 
819 out:
820 	if (ifp)
821 		in6_ifa_put(ifp);
822 	else
823 		in6_dev_put(idev);
824 
825 	return;
826 }
827 
828 static void ndisc_recv_na(struct sk_buff *skb)
829 {
830 	struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
831 	struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
832 	struct in6_addr *daddr = &ipv6_hdr(skb)->daddr;
833 	u8 *lladdr = NULL;
834 	u32 ndoptlen = skb->tail - (skb->transport_header +
835 				    offsetof(struct nd_msg, opt));
836 	struct ndisc_options ndopts;
837 	struct net_device *dev = skb->dev;
838 	struct inet6_ifaddr *ifp;
839 	struct neighbour *neigh;
840 
841 	if (skb->len < sizeof(struct nd_msg)) {
842 		ND_PRINTK2(KERN_WARNING
843 			   "ICMPv6 NA: packet too short\n");
844 		return;
845 	}
846 
847 	if (ipv6_addr_is_multicast(&msg->target)) {
848 		ND_PRINTK2(KERN_WARNING
849 			   "ICMPv6 NA: target address is multicast.\n");
850 		return;
851 	}
852 
853 	if (ipv6_addr_is_multicast(daddr) &&
854 	    msg->icmph.icmp6_solicited) {
855 		ND_PRINTK2(KERN_WARNING
856 			   "ICMPv6 NA: solicited NA is multicasted.\n");
857 		return;
858 	}
859 
860 	if (!ndisc_parse_options(msg->opt, ndoptlen, &ndopts)) {
861 		ND_PRINTK2(KERN_WARNING
862 			   "ICMPv6 NS: invalid ND option\n");
863 		return;
864 	}
865 	if (ndopts.nd_opts_tgt_lladdr) {
866 		lladdr = ndisc_opt_addr_data(ndopts.nd_opts_tgt_lladdr, dev);
867 		if (!lladdr) {
868 			ND_PRINTK2(KERN_WARNING
869 				   "ICMPv6 NA: invalid link-layer address length\n");
870 			return;
871 		}
872 	}
873 	if ((ifp = ipv6_get_ifaddr(&msg->target, dev, 1))) {
874 		if (ifp->flags & IFA_F_TENTATIVE) {
875 			addrconf_dad_failure(ifp);
876 			return;
877 		}
878 		/* What should we make now? The advertisement
879 		   is invalid, but ndisc specs say nothing
880 		   about it. It could be misconfiguration, or
881 		   an smart proxy agent tries to help us :-)
882 		 */
883 		ND_PRINTK1(KERN_WARNING
884 			   "ICMPv6 NA: someone advertises our address on %s!\n",
885 			   ifp->idev->dev->name);
886 		in6_ifa_put(ifp);
887 		return;
888 	}
889 	neigh = neigh_lookup(&nd_tbl, &msg->target, dev);
890 
891 	if (neigh) {
892 		u8 old_flags = neigh->flags;
893 
894 		if (neigh->nud_state & NUD_FAILED)
895 			goto out;
896 
897 		/*
898 		 * Don't update the neighbor cache entry on a proxy NA from
899 		 * ourselves because either the proxied node is off link or it
900 		 * has already sent a NA to us.
901 		 */
902 		if (lladdr && !memcmp(lladdr, dev->dev_addr, dev->addr_len) &&
903 		    ipv6_devconf.forwarding && ipv6_devconf.proxy_ndp &&
904 		    pneigh_lookup(&nd_tbl, &msg->target, dev, 0)) {
905 			/* XXX: idev->cnf.prixy_ndp */
906 			goto out;
907 		}
908 
909 		neigh_update(neigh, lladdr,
910 			     msg->icmph.icmp6_solicited ? NUD_REACHABLE : NUD_STALE,
911 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
912 			     (msg->icmph.icmp6_override ? NEIGH_UPDATE_F_OVERRIDE : 0)|
913 			     NEIGH_UPDATE_F_OVERRIDE_ISROUTER|
914 			     (msg->icmph.icmp6_router ? NEIGH_UPDATE_F_ISROUTER : 0));
915 
916 		if ((old_flags & ~neigh->flags) & NTF_ROUTER) {
917 			/*
918 			 * Change: router to host
919 			 */
920 			struct rt6_info *rt;
921 			rt = rt6_get_dflt_router(saddr, dev);
922 			if (rt)
923 				ip6_del_rt(rt);
924 		}
925 
926 out:
927 		neigh_release(neigh);
928 	}
929 }
930 
931 static void ndisc_recv_rs(struct sk_buff *skb)
932 {
933 	struct rs_msg *rs_msg = (struct rs_msg *)skb_transport_header(skb);
934 	unsigned long ndoptlen = skb->len - sizeof(*rs_msg);
935 	struct neighbour *neigh;
936 	struct inet6_dev *idev;
937 	struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
938 	struct ndisc_options ndopts;
939 	u8 *lladdr = NULL;
940 
941 	if (skb->len < sizeof(*rs_msg))
942 		return;
943 
944 	idev = in6_dev_get(skb->dev);
945 	if (!idev) {
946 		if (net_ratelimit())
947 			ND_PRINTK1("ICMP6 RS: can't find in6 device\n");
948 		return;
949 	}
950 
951 	/* Don't accept RS if we're not in router mode */
952 	if (!idev->cnf.forwarding)
953 		goto out;
954 
955 	/*
956 	 * Don't update NCE if src = ::;
957 	 * this implies that the source node has no ip address assigned yet.
958 	 */
959 	if (ipv6_addr_any(saddr))
960 		goto out;
961 
962 	/* Parse ND options */
963 	if (!ndisc_parse_options(rs_msg->opt, ndoptlen, &ndopts)) {
964 		if (net_ratelimit())
965 			ND_PRINTK2("ICMP6 NS: invalid ND option, ignored\n");
966 		goto out;
967 	}
968 
969 	if (ndopts.nd_opts_src_lladdr) {
970 		lladdr = ndisc_opt_addr_data(ndopts.nd_opts_src_lladdr,
971 					     skb->dev);
972 		if (!lladdr)
973 			goto out;
974 	}
975 
976 	neigh = __neigh_lookup(&nd_tbl, saddr, skb->dev, 1);
977 	if (neigh) {
978 		neigh_update(neigh, lladdr, NUD_STALE,
979 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
980 			     NEIGH_UPDATE_F_OVERRIDE|
981 			     NEIGH_UPDATE_F_OVERRIDE_ISROUTER);
982 		neigh_release(neigh);
983 	}
984 out:
985 	in6_dev_put(idev);
986 }
987 
988 static void ndisc_router_discovery(struct sk_buff *skb)
989 {
990 	struct ra_msg *ra_msg = (struct ra_msg *)skb_transport_header(skb);
991 	struct neighbour *neigh = NULL;
992 	struct inet6_dev *in6_dev;
993 	struct rt6_info *rt = NULL;
994 	int lifetime;
995 	struct ndisc_options ndopts;
996 	int optlen;
997 	unsigned int pref = 0;
998 
999 	__u8 * opt = (__u8 *)(ra_msg + 1);
1000 
1001 	optlen = (skb->tail - skb->transport_header) - sizeof(struct ra_msg);
1002 
1003 	if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL)) {
1004 		ND_PRINTK2(KERN_WARNING
1005 			   "ICMPv6 RA: source address is not link-local.\n");
1006 		return;
1007 	}
1008 	if (optlen < 0) {
1009 		ND_PRINTK2(KERN_WARNING
1010 			   "ICMPv6 RA: packet too short\n");
1011 		return;
1012 	}
1013 
1014 	/*
1015 	 *	set the RA_RECV flag in the interface
1016 	 */
1017 
1018 	in6_dev = in6_dev_get(skb->dev);
1019 	if (in6_dev == NULL) {
1020 		ND_PRINTK0(KERN_ERR
1021 			   "ICMPv6 RA: can't find inet6 device for %s.\n",
1022 			   skb->dev->name);
1023 		return;
1024 	}
1025 	if (in6_dev->cnf.forwarding || !in6_dev->cnf.accept_ra) {
1026 		in6_dev_put(in6_dev);
1027 		return;
1028 	}
1029 
1030 	if (!ndisc_parse_options(opt, optlen, &ndopts)) {
1031 		in6_dev_put(in6_dev);
1032 		ND_PRINTK2(KERN_WARNING
1033 			   "ICMP6 RA: invalid ND options\n");
1034 		return;
1035 	}
1036 
1037 	if (in6_dev->if_flags & IF_RS_SENT) {
1038 		/*
1039 		 *	flag that an RA was received after an RS was sent
1040 		 *	out on this interface.
1041 		 */
1042 		in6_dev->if_flags |= IF_RA_RCVD;
1043 	}
1044 
1045 	/*
1046 	 * Remember the managed/otherconf flags from most recently
1047 	 * received RA message (RFC 2462) -- yoshfuji
1048 	 */
1049 	in6_dev->if_flags = (in6_dev->if_flags & ~(IF_RA_MANAGED |
1050 				IF_RA_OTHERCONF)) |
1051 				(ra_msg->icmph.icmp6_addrconf_managed ?
1052 					IF_RA_MANAGED : 0) |
1053 				(ra_msg->icmph.icmp6_addrconf_other ?
1054 					IF_RA_OTHERCONF : 0);
1055 
1056 	if (!in6_dev->cnf.accept_ra_defrtr)
1057 		goto skip_defrtr;
1058 
1059 	lifetime = ntohs(ra_msg->icmph.icmp6_rt_lifetime);
1060 
1061 #ifdef CONFIG_IPV6_ROUTER_PREF
1062 	pref = ra_msg->icmph.icmp6_router_pref;
1063 	/* 10b is handled as if it were 00b (medium) */
1064 	if (pref == ICMPV6_ROUTER_PREF_INVALID ||
1065 	    in6_dev->cnf.accept_ra_rtr_pref)
1066 		pref = ICMPV6_ROUTER_PREF_MEDIUM;
1067 #endif
1068 
1069 	rt = rt6_get_dflt_router(&ipv6_hdr(skb)->saddr, skb->dev);
1070 
1071 	if (rt)
1072 		neigh = rt->rt6i_nexthop;
1073 
1074 	if (rt && lifetime == 0) {
1075 		neigh_clone(neigh);
1076 		ip6_del_rt(rt);
1077 		rt = NULL;
1078 	}
1079 
1080 	if (rt == NULL && lifetime) {
1081 		ND_PRINTK3(KERN_DEBUG
1082 			   "ICMPv6 RA: adding default router.\n");
1083 
1084 		rt = rt6_add_dflt_router(&ipv6_hdr(skb)->saddr, skb->dev, pref);
1085 		if (rt == NULL) {
1086 			ND_PRINTK0(KERN_ERR
1087 				   "ICMPv6 RA: %s() failed to add default route.\n",
1088 				   __FUNCTION__);
1089 			in6_dev_put(in6_dev);
1090 			return;
1091 		}
1092 
1093 		neigh = rt->rt6i_nexthop;
1094 		if (neigh == NULL) {
1095 			ND_PRINTK0(KERN_ERR
1096 				   "ICMPv6 RA: %s() got default router without neighbour.\n",
1097 				   __FUNCTION__);
1098 			dst_release(&rt->u.dst);
1099 			in6_dev_put(in6_dev);
1100 			return;
1101 		}
1102 		neigh->flags |= NTF_ROUTER;
1103 	} else if (rt) {
1104 		rt->rt6i_flags |= (rt->rt6i_flags & ~RTF_PREF_MASK) | RTF_PREF(pref);
1105 	}
1106 
1107 	if (rt)
1108 		rt->rt6i_expires = jiffies + (HZ * lifetime);
1109 
1110 	if (ra_msg->icmph.icmp6_hop_limit) {
1111 		in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
1112 		if (rt)
1113 			rt->u.dst.metrics[RTAX_HOPLIMIT-1] = ra_msg->icmph.icmp6_hop_limit;
1114 	}
1115 
1116 skip_defrtr:
1117 
1118 	/*
1119 	 *	Update Reachable Time and Retrans Timer
1120 	 */
1121 
1122 	if (in6_dev->nd_parms) {
1123 		unsigned long rtime = ntohl(ra_msg->retrans_timer);
1124 
1125 		if (rtime && rtime/1000 < MAX_SCHEDULE_TIMEOUT/HZ) {
1126 			rtime = (rtime*HZ)/1000;
1127 			if (rtime < HZ/10)
1128 				rtime = HZ/10;
1129 			in6_dev->nd_parms->retrans_time = rtime;
1130 			in6_dev->tstamp = jiffies;
1131 			inet6_ifinfo_notify(RTM_NEWLINK, in6_dev);
1132 		}
1133 
1134 		rtime = ntohl(ra_msg->reachable_time);
1135 		if (rtime && rtime/1000 < MAX_SCHEDULE_TIMEOUT/(3*HZ)) {
1136 			rtime = (rtime*HZ)/1000;
1137 
1138 			if (rtime < HZ/10)
1139 				rtime = HZ/10;
1140 
1141 			if (rtime != in6_dev->nd_parms->base_reachable_time) {
1142 				in6_dev->nd_parms->base_reachable_time = rtime;
1143 				in6_dev->nd_parms->gc_staletime = 3 * rtime;
1144 				in6_dev->nd_parms->reachable_time = neigh_rand_reach_time(rtime);
1145 				in6_dev->tstamp = jiffies;
1146 				inet6_ifinfo_notify(RTM_NEWLINK, in6_dev);
1147 			}
1148 		}
1149 	}
1150 
1151 	/*
1152 	 *	Process options.
1153 	 */
1154 
1155 	if (!neigh)
1156 		neigh = __neigh_lookup(&nd_tbl, &ipv6_hdr(skb)->saddr,
1157 				       skb->dev, 1);
1158 	if (neigh) {
1159 		u8 *lladdr = NULL;
1160 		if (ndopts.nd_opts_src_lladdr) {
1161 			lladdr = ndisc_opt_addr_data(ndopts.nd_opts_src_lladdr,
1162 						     skb->dev);
1163 			if (!lladdr) {
1164 				ND_PRINTK2(KERN_WARNING
1165 					   "ICMPv6 RA: invalid link-layer address length\n");
1166 				goto out;
1167 			}
1168 		}
1169 		neigh_update(neigh, lladdr, NUD_STALE,
1170 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
1171 			     NEIGH_UPDATE_F_OVERRIDE|
1172 			     NEIGH_UPDATE_F_OVERRIDE_ISROUTER|
1173 			     NEIGH_UPDATE_F_ISROUTER);
1174 	}
1175 
1176 #ifdef CONFIG_IPV6_ROUTE_INFO
1177 	if (in6_dev->cnf.accept_ra_rtr_pref && ndopts.nd_opts_ri) {
1178 		struct nd_opt_hdr *p;
1179 		for (p = ndopts.nd_opts_ri;
1180 		     p;
1181 		     p = ndisc_next_option(p, ndopts.nd_opts_ri_end)) {
1182 			if (((struct route_info *)p)->prefix_len > in6_dev->cnf.accept_ra_rt_info_max_plen)
1183 				continue;
1184 			rt6_route_rcv(skb->dev, (u8*)p, (p->nd_opt_len) << 3,
1185 				      &ipv6_hdr(skb)->saddr);
1186 		}
1187 	}
1188 #endif
1189 
1190 	if (in6_dev->cnf.accept_ra_pinfo && ndopts.nd_opts_pi) {
1191 		struct nd_opt_hdr *p;
1192 		for (p = ndopts.nd_opts_pi;
1193 		     p;
1194 		     p = ndisc_next_option(p, ndopts.nd_opts_pi_end)) {
1195 			addrconf_prefix_rcv(skb->dev, (u8*)p, (p->nd_opt_len) << 3);
1196 		}
1197 	}
1198 
1199 	if (ndopts.nd_opts_mtu) {
1200 		__be32 n;
1201 		u32 mtu;
1202 
1203 		memcpy(&n, ((u8*)(ndopts.nd_opts_mtu+1))+2, sizeof(mtu));
1204 		mtu = ntohl(n);
1205 
1206 		if (mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) {
1207 			ND_PRINTK2(KERN_WARNING
1208 				   "ICMPv6 RA: invalid mtu: %d\n",
1209 				   mtu);
1210 		} else if (in6_dev->cnf.mtu6 != mtu) {
1211 			in6_dev->cnf.mtu6 = mtu;
1212 
1213 			if (rt)
1214 				rt->u.dst.metrics[RTAX_MTU-1] = mtu;
1215 
1216 			rt6_mtu_change(skb->dev, mtu);
1217 		}
1218 	}
1219 
1220 	if (ndopts.nd_opts_tgt_lladdr || ndopts.nd_opts_rh) {
1221 		ND_PRINTK2(KERN_WARNING
1222 			   "ICMPv6 RA: invalid RA options");
1223 	}
1224 out:
1225 	if (rt)
1226 		dst_release(&rt->u.dst);
1227 	else if (neigh)
1228 		neigh_release(neigh);
1229 	in6_dev_put(in6_dev);
1230 }
1231 
1232 static void ndisc_redirect_rcv(struct sk_buff *skb)
1233 {
1234 	struct inet6_dev *in6_dev;
1235 	struct icmp6hdr *icmph;
1236 	struct in6_addr *dest;
1237 	struct in6_addr *target;	/* new first hop to destination */
1238 	struct neighbour *neigh;
1239 	int on_link = 0;
1240 	struct ndisc_options ndopts;
1241 	int optlen;
1242 	u8 *lladdr = NULL;
1243 
1244 	if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL)) {
1245 		ND_PRINTK2(KERN_WARNING
1246 			   "ICMPv6 Redirect: source address is not link-local.\n");
1247 		return;
1248 	}
1249 
1250 	optlen = skb->tail - skb->transport_header;
1251 	optlen -= sizeof(struct icmp6hdr) + 2 * sizeof(struct in6_addr);
1252 
1253 	if (optlen < 0) {
1254 		ND_PRINTK2(KERN_WARNING
1255 			   "ICMPv6 Redirect: packet too short\n");
1256 		return;
1257 	}
1258 
1259 	icmph = icmp6_hdr(skb);
1260 	target = (struct in6_addr *) (icmph + 1);
1261 	dest = target + 1;
1262 
1263 	if (ipv6_addr_is_multicast(dest)) {
1264 		ND_PRINTK2(KERN_WARNING
1265 			   "ICMPv6 Redirect: destination address is multicast.\n");
1266 		return;
1267 	}
1268 
1269 	if (ipv6_addr_equal(dest, target)) {
1270 		on_link = 1;
1271 	} else if (!(ipv6_addr_type(target) & IPV6_ADDR_LINKLOCAL)) {
1272 		ND_PRINTK2(KERN_WARNING
1273 			   "ICMPv6 Redirect: target address is not link-local.\n");
1274 		return;
1275 	}
1276 
1277 	in6_dev = in6_dev_get(skb->dev);
1278 	if (!in6_dev)
1279 		return;
1280 	if (in6_dev->cnf.forwarding || !in6_dev->cnf.accept_redirects) {
1281 		in6_dev_put(in6_dev);
1282 		return;
1283 	}
1284 
1285 	/* RFC2461 8.1:
1286 	 *	The IP source address of the Redirect MUST be the same as the current
1287 	 *	first-hop router for the specified ICMP Destination Address.
1288 	 */
1289 
1290 	if (!ndisc_parse_options((u8*)(dest + 1), optlen, &ndopts)) {
1291 		ND_PRINTK2(KERN_WARNING
1292 			   "ICMPv6 Redirect: invalid ND options\n");
1293 		in6_dev_put(in6_dev);
1294 		return;
1295 	}
1296 	if (ndopts.nd_opts_tgt_lladdr) {
1297 		lladdr = ndisc_opt_addr_data(ndopts.nd_opts_tgt_lladdr,
1298 					     skb->dev);
1299 		if (!lladdr) {
1300 			ND_PRINTK2(KERN_WARNING
1301 				   "ICMPv6 Redirect: invalid link-layer address length\n");
1302 			in6_dev_put(in6_dev);
1303 			return;
1304 		}
1305 	}
1306 
1307 	neigh = __neigh_lookup(&nd_tbl, target, skb->dev, 1);
1308 	if (neigh) {
1309 		rt6_redirect(dest, &ipv6_hdr(skb)->daddr,
1310 			     &ipv6_hdr(skb)->saddr, neigh, lladdr,
1311 			     on_link);
1312 		neigh_release(neigh);
1313 	}
1314 	in6_dev_put(in6_dev);
1315 }
1316 
1317 void ndisc_send_redirect(struct sk_buff *skb, struct neighbour *neigh,
1318 			 struct in6_addr *target)
1319 {
1320 	struct sock *sk = ndisc_socket->sk;
1321 	int len = sizeof(struct icmp6hdr) + 2 * sizeof(struct in6_addr);
1322 	struct sk_buff *buff;
1323 	struct icmp6hdr *icmph;
1324 	struct in6_addr saddr_buf;
1325 	struct in6_addr *addrp;
1326 	struct net_device *dev;
1327 	struct rt6_info *rt;
1328 	struct dst_entry *dst;
1329 	struct inet6_dev *idev;
1330 	struct flowi fl;
1331 	u8 *opt;
1332 	int rd_len;
1333 	int err;
1334 	int hlen;
1335 	u8 ha_buf[MAX_ADDR_LEN], *ha = NULL;
1336 
1337 	dev = skb->dev;
1338 
1339 	if (ipv6_get_lladdr(dev, &saddr_buf, IFA_F_TENTATIVE)) {
1340 		ND_PRINTK2(KERN_WARNING
1341 			   "ICMPv6 Redirect: no link-local address on %s\n",
1342 			   dev->name);
1343 		return;
1344 	}
1345 
1346 	if (!ipv6_addr_equal(&ipv6_hdr(skb)->daddr, target) &&
1347 	    !(ipv6_addr_type(target) & IPV6_ADDR_LINKLOCAL)) {
1348 		ND_PRINTK2(KERN_WARNING
1349 			"ICMPv6 Redirect: target address is not link-local.\n");
1350 		return;
1351 	}
1352 
1353 	ndisc_flow_init(&fl, NDISC_REDIRECT, &saddr_buf, &ipv6_hdr(skb)->saddr,
1354 			dev->ifindex);
1355 
1356 	dst = ip6_route_output(NULL, &fl);
1357 	if (dst == NULL)
1358 		return;
1359 
1360 	err = xfrm_lookup(&dst, &fl, NULL, 0);
1361 	if (err)
1362 		return;
1363 
1364 	rt = (struct rt6_info *) dst;
1365 
1366 	if (rt->rt6i_flags & RTF_GATEWAY) {
1367 		ND_PRINTK2(KERN_WARNING
1368 			   "ICMPv6 Redirect: destination is not a neighbour.\n");
1369 		dst_release(dst);
1370 		return;
1371 	}
1372 	if (!xrlim_allow(dst, 1*HZ)) {
1373 		dst_release(dst);
1374 		return;
1375 	}
1376 
1377 	if (dev->addr_len) {
1378 		read_lock_bh(&neigh->lock);
1379 		if (neigh->nud_state & NUD_VALID) {
1380 			memcpy(ha_buf, neigh->ha, dev->addr_len);
1381 			read_unlock_bh(&neigh->lock);
1382 			ha = ha_buf;
1383 			len += ndisc_opt_addr_space(dev);
1384 		} else
1385 			read_unlock_bh(&neigh->lock);
1386 	}
1387 
1388 	rd_len = min_t(unsigned int,
1389 		     IPV6_MIN_MTU-sizeof(struct ipv6hdr)-len, skb->len + 8);
1390 	rd_len &= ~0x7;
1391 	len += rd_len;
1392 
1393 	buff = sock_alloc_send_skb(sk,
1394 				   (MAX_HEADER + sizeof(struct ipv6hdr) +
1395 				    len + LL_RESERVED_SPACE(dev)),
1396 				   1, &err);
1397 	if (buff == NULL) {
1398 		ND_PRINTK0(KERN_ERR
1399 			   "ICMPv6 Redirect: %s() failed to allocate an skb.\n",
1400 			   __FUNCTION__);
1401 		dst_release(dst);
1402 		return;
1403 	}
1404 
1405 	hlen = 0;
1406 
1407 	skb_reserve(buff, LL_RESERVED_SPACE(dev));
1408 	ip6_nd_hdr(sk, buff, dev, &saddr_buf, &ipv6_hdr(skb)->saddr,
1409 		   IPPROTO_ICMPV6, len);
1410 
1411 	skb_set_transport_header(buff, skb_tail_pointer(buff) - buff->data);
1412 	skb_put(buff, len);
1413 	icmph = icmp6_hdr(buff);
1414 
1415 	memset(icmph, 0, sizeof(struct icmp6hdr));
1416 	icmph->icmp6_type = NDISC_REDIRECT;
1417 
1418 	/*
1419 	 *	copy target and destination addresses
1420 	 */
1421 
1422 	addrp = (struct in6_addr *)(icmph + 1);
1423 	ipv6_addr_copy(addrp, target);
1424 	addrp++;
1425 	ipv6_addr_copy(addrp, &ipv6_hdr(skb)->daddr);
1426 
1427 	opt = (u8*) (addrp + 1);
1428 
1429 	/*
1430 	 *	include target_address option
1431 	 */
1432 
1433 	if (ha)
1434 		opt = ndisc_fill_addr_option(opt, ND_OPT_TARGET_LL_ADDR, ha,
1435 					     dev->addr_len, dev->type);
1436 
1437 	/*
1438 	 *	build redirect option and copy skb over to the new packet.
1439 	 */
1440 
1441 	memset(opt, 0, 8);
1442 	*(opt++) = ND_OPT_REDIRECT_HDR;
1443 	*(opt++) = (rd_len >> 3);
1444 	opt += 6;
1445 
1446 	memcpy(opt, ipv6_hdr(skb), rd_len - 8);
1447 
1448 	icmph->icmp6_cksum = csum_ipv6_magic(&saddr_buf, &ipv6_hdr(skb)->saddr,
1449 					     len, IPPROTO_ICMPV6,
1450 					     csum_partial((u8 *) icmph, len, 0));
1451 
1452 	buff->dst = dst;
1453 	idev = in6_dev_get(dst->dev);
1454 	IP6_INC_STATS(idev, IPSTATS_MIB_OUTREQUESTS);
1455 	err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, buff, NULL, dst->dev, dst_output);
1456 	if (!err) {
1457 		ICMP6_INC_STATS(idev, ICMP6_MIB_OUTREDIRECTS);
1458 		ICMP6_INC_STATS(idev, ICMP6_MIB_OUTMSGS);
1459 	}
1460 
1461 	if (likely(idev != NULL))
1462 		in6_dev_put(idev);
1463 }
1464 
1465 static void pndisc_redo(struct sk_buff *skb)
1466 {
1467 	ndisc_recv_ns(skb);
1468 	kfree_skb(skb);
1469 }
1470 
1471 int ndisc_rcv(struct sk_buff *skb)
1472 {
1473 	struct nd_msg *msg;
1474 
1475 	if (!pskb_may_pull(skb, skb->len))
1476 		return 0;
1477 
1478 	msg = (struct nd_msg *)skb_transport_header(skb);
1479 
1480 	__skb_push(skb, skb->data - skb_transport_header(skb));
1481 
1482 	if (ipv6_hdr(skb)->hop_limit != 255) {
1483 		ND_PRINTK2(KERN_WARNING
1484 			   "ICMPv6 NDISC: invalid hop-limit: %d\n",
1485 			   ipv6_hdr(skb)->hop_limit);
1486 		return 0;
1487 	}
1488 
1489 	if (msg->icmph.icmp6_code != 0) {
1490 		ND_PRINTK2(KERN_WARNING
1491 			   "ICMPv6 NDISC: invalid ICMPv6 code: %d\n",
1492 			   msg->icmph.icmp6_code);
1493 		return 0;
1494 	}
1495 
1496 	memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb));
1497 
1498 	switch (msg->icmph.icmp6_type) {
1499 	case NDISC_NEIGHBOUR_SOLICITATION:
1500 		ndisc_recv_ns(skb);
1501 		break;
1502 
1503 	case NDISC_NEIGHBOUR_ADVERTISEMENT:
1504 		ndisc_recv_na(skb);
1505 		break;
1506 
1507 	case NDISC_ROUTER_SOLICITATION:
1508 		ndisc_recv_rs(skb);
1509 		break;
1510 
1511 	case NDISC_ROUTER_ADVERTISEMENT:
1512 		ndisc_router_discovery(skb);
1513 		break;
1514 
1515 	case NDISC_REDIRECT:
1516 		ndisc_redirect_rcv(skb);
1517 		break;
1518 	}
1519 
1520 	return 0;
1521 }
1522 
1523 static int ndisc_netdev_event(struct notifier_block *this, unsigned long event, void *ptr)
1524 {
1525 	struct net_device *dev = ptr;
1526 
1527 	switch (event) {
1528 	case NETDEV_CHANGEADDR:
1529 		neigh_changeaddr(&nd_tbl, dev);
1530 		fib6_run_gc(~0UL);
1531 		break;
1532 	case NETDEV_DOWN:
1533 		neigh_ifdown(&nd_tbl, dev);
1534 		fib6_run_gc(~0UL);
1535 		break;
1536 	default:
1537 		break;
1538 	}
1539 
1540 	return NOTIFY_DONE;
1541 }
1542 
1543 static struct notifier_block ndisc_netdev_notifier = {
1544 	.notifier_call = ndisc_netdev_event,
1545 };
1546 
1547 #ifdef CONFIG_SYSCTL
1548 static void ndisc_warn_deprecated_sysctl(struct ctl_table *ctl,
1549 					 const char *func, const char *dev_name)
1550 {
1551 	static char warncomm[TASK_COMM_LEN];
1552 	static int warned;
1553 	if (strcmp(warncomm, current->comm) && warned < 5) {
1554 		strcpy(warncomm, current->comm);
1555 		printk(KERN_WARNING
1556 			"process `%s' is using deprecated sysctl (%s) "
1557 			"net.ipv6.neigh.%s.%s; "
1558 			"Use net.ipv6.neigh.%s.%s_ms "
1559 			"instead.\n",
1560 			warncomm, func,
1561 			dev_name, ctl->procname,
1562 			dev_name, ctl->procname);
1563 		warned++;
1564 	}
1565 }
1566 
1567 int ndisc_ifinfo_sysctl_change(struct ctl_table *ctl, int write, struct file * filp, void __user *buffer, size_t *lenp, loff_t *ppos)
1568 {
1569 	struct net_device *dev = ctl->extra1;
1570 	struct inet6_dev *idev;
1571 	int ret;
1572 
1573 	if (ctl->ctl_name == NET_NEIGH_RETRANS_TIME ||
1574 	    ctl->ctl_name == NET_NEIGH_REACHABLE_TIME)
1575 		ndisc_warn_deprecated_sysctl(ctl, "syscall", dev ? dev->name : "default");
1576 
1577 	switch (ctl->ctl_name) {
1578 	case NET_NEIGH_RETRANS_TIME:
1579 		ret = proc_dointvec(ctl, write, filp, buffer, lenp, ppos);
1580 		break;
1581 	case NET_NEIGH_REACHABLE_TIME:
1582 		ret = proc_dointvec_jiffies(ctl, write,
1583 					    filp, buffer, lenp, ppos);
1584 		break;
1585 	case NET_NEIGH_RETRANS_TIME_MS:
1586 	case NET_NEIGH_REACHABLE_TIME_MS:
1587 		ret = proc_dointvec_ms_jiffies(ctl, write,
1588 					       filp, buffer, lenp, ppos);
1589 		break;
1590 	default:
1591 		ret = -1;
1592 	}
1593 
1594 	if (write && ret == 0 && dev && (idev = in6_dev_get(dev)) != NULL) {
1595 		if (ctl->ctl_name == NET_NEIGH_REACHABLE_TIME ||
1596 		    ctl->ctl_name == NET_NEIGH_REACHABLE_TIME_MS)
1597 			idev->nd_parms->reachable_time = neigh_rand_reach_time(idev->nd_parms->base_reachable_time);
1598 		idev->tstamp = jiffies;
1599 		inet6_ifinfo_notify(RTM_NEWLINK, idev);
1600 		in6_dev_put(idev);
1601 	}
1602 	return ret;
1603 }
1604 
1605 static int ndisc_ifinfo_sysctl_strategy(ctl_table *ctl, int __user *name,
1606 					int nlen, void __user *oldval,
1607 					size_t __user *oldlenp,
1608 					void __user *newval, size_t newlen)
1609 {
1610 	struct net_device *dev = ctl->extra1;
1611 	struct inet6_dev *idev;
1612 	int ret;
1613 
1614 	if (ctl->ctl_name == NET_NEIGH_RETRANS_TIME ||
1615 	    ctl->ctl_name == NET_NEIGH_REACHABLE_TIME)
1616 		ndisc_warn_deprecated_sysctl(ctl, "procfs", dev ? dev->name : "default");
1617 
1618 	switch (ctl->ctl_name) {
1619 	case NET_NEIGH_REACHABLE_TIME:
1620 		ret = sysctl_jiffies(ctl, name, nlen,
1621 				     oldval, oldlenp, newval, newlen);
1622 		break;
1623 	case NET_NEIGH_RETRANS_TIME_MS:
1624 	case NET_NEIGH_REACHABLE_TIME_MS:
1625 		 ret = sysctl_ms_jiffies(ctl, name, nlen,
1626 					 oldval, oldlenp, newval, newlen);
1627 		 break;
1628 	default:
1629 		ret = 0;
1630 	}
1631 
1632 	if (newval && newlen && ret > 0 &&
1633 	    dev && (idev = in6_dev_get(dev)) != NULL) {
1634 		if (ctl->ctl_name == NET_NEIGH_REACHABLE_TIME ||
1635 		    ctl->ctl_name == NET_NEIGH_REACHABLE_TIME_MS)
1636 			idev->nd_parms->reachable_time = neigh_rand_reach_time(idev->nd_parms->base_reachable_time);
1637 		idev->tstamp = jiffies;
1638 		inet6_ifinfo_notify(RTM_NEWLINK, idev);
1639 		in6_dev_put(idev);
1640 	}
1641 
1642 	return ret;
1643 }
1644 
1645 #endif
1646 
1647 int __init ndisc_init(struct net_proto_family *ops)
1648 {
1649 	struct ipv6_pinfo *np;
1650 	struct sock *sk;
1651 	int err;
1652 
1653 	err = sock_create_kern(PF_INET6, SOCK_RAW, IPPROTO_ICMPV6, &ndisc_socket);
1654 	if (err < 0) {
1655 		ND_PRINTK0(KERN_ERR
1656 			   "ICMPv6 NDISC: Failed to initialize the control socket (err %d).\n",
1657 			   err);
1658 		ndisc_socket = NULL; /* For safety. */
1659 		return err;
1660 	}
1661 
1662 	sk = ndisc_socket->sk;
1663 	np = inet6_sk(sk);
1664 	sk->sk_allocation = GFP_ATOMIC;
1665 	np->hop_limit = 255;
1666 	/* Do not loopback ndisc messages */
1667 	np->mc_loop = 0;
1668 	sk->sk_prot->unhash(sk);
1669 
1670 	/*
1671 	 * Initialize the neighbour table
1672 	 */
1673 
1674 	neigh_table_init(&nd_tbl);
1675 
1676 #ifdef CONFIG_SYSCTL
1677 	neigh_sysctl_register(NULL, &nd_tbl.parms, NET_IPV6, NET_IPV6_NEIGH,
1678 			      "ipv6",
1679 			      &ndisc_ifinfo_sysctl_change,
1680 			      &ndisc_ifinfo_sysctl_strategy);
1681 #endif
1682 
1683 	register_netdevice_notifier(&ndisc_netdev_notifier);
1684 	return 0;
1685 }
1686 
1687 void ndisc_cleanup(void)
1688 {
1689 	unregister_netdevice_notifier(&ndisc_netdev_notifier);
1690 #ifdef CONFIG_SYSCTL
1691 	neigh_sysctl_unregister(&nd_tbl.parms);
1692 #endif
1693 	neigh_table_clear(&nd_tbl);
1694 	sock_release(ndisc_socket);
1695 	ndisc_socket = NULL; /* For safety. */
1696 }
1697