xref: /openbmc/linux/net/ipv6/ndisc.c (revision 92b19ff5)
1 /*
2  *	Neighbour Discovery for IPv6
3  *	Linux INET6 implementation
4  *
5  *	Authors:
6  *	Pedro Roque		<roque@di.fc.ul.pt>
7  *	Mike Shaver		<shaver@ingenia.com>
8  *
9  *	This program is free software; you can redistribute it and/or
10  *      modify it under the terms of the GNU General Public License
11  *      as published by the Free Software Foundation; either version
12  *      2 of the License, or (at your option) any later version.
13  */
14 
15 /*
16  *	Changes:
17  *
18  *	Alexey I. Froloff		:	RFC6106 (DNSSL) support
19  *	Pierre Ynard			:	export userland ND options
20  *						through netlink (RDNSS support)
21  *	Lars Fenneberg			:	fixed MTU setting on receipt
22  *						of an RA.
23  *	Janos Farkas			:	kmalloc failure checks
24  *	Alexey Kuznetsov		:	state machine reworked
25  *						and moved to net/core.
26  *	Pekka Savola			:	RFC2461 validation
27  *	YOSHIFUJI Hideaki @USAGI	:	Verify ND options properly
28  */
29 
30 #define pr_fmt(fmt) "ICMPv6: " fmt
31 
32 #include <linux/module.h>
33 #include <linux/errno.h>
34 #include <linux/types.h>
35 #include <linux/socket.h>
36 #include <linux/sockios.h>
37 #include <linux/sched.h>
38 #include <linux/net.h>
39 #include <linux/in6.h>
40 #include <linux/route.h>
41 #include <linux/init.h>
42 #include <linux/rcupdate.h>
43 #include <linux/slab.h>
44 #ifdef CONFIG_SYSCTL
45 #include <linux/sysctl.h>
46 #endif
47 
48 #include <linux/if_addr.h>
49 #include <linux/if_arp.h>
50 #include <linux/ipv6.h>
51 #include <linux/icmpv6.h>
52 #include <linux/jhash.h>
53 
54 #include <net/sock.h>
55 #include <net/snmp.h>
56 
57 #include <net/ipv6.h>
58 #include <net/protocol.h>
59 #include <net/ndisc.h>
60 #include <net/ip6_route.h>
61 #include <net/addrconf.h>
62 #include <net/icmp.h>
63 
64 #include <net/netlink.h>
65 #include <linux/rtnetlink.h>
66 
67 #include <net/flow.h>
68 #include <net/ip6_checksum.h>
69 #include <net/inet_common.h>
70 #include <linux/proc_fs.h>
71 
72 #include <linux/netfilter.h>
73 #include <linux/netfilter_ipv6.h>
74 
75 /* Set to 3 to get tracing... */
76 #define ND_DEBUG 1
77 
78 #define ND_PRINTK(val, level, fmt, ...)				\
79 do {								\
80 	if (val <= ND_DEBUG)					\
81 		net_##level##_ratelimited(fmt, ##__VA_ARGS__);	\
82 } while (0)
83 
84 static u32 ndisc_hash(const void *pkey,
85 		      const struct net_device *dev,
86 		      __u32 *hash_rnd);
87 static bool ndisc_key_eq(const struct neighbour *neigh, const void *pkey);
88 static int ndisc_constructor(struct neighbour *neigh);
89 static void ndisc_solicit(struct neighbour *neigh, struct sk_buff *skb);
90 static void ndisc_error_report(struct neighbour *neigh, struct sk_buff *skb);
91 static int pndisc_constructor(struct pneigh_entry *n);
92 static void pndisc_destructor(struct pneigh_entry *n);
93 static void pndisc_redo(struct sk_buff *skb);
94 
95 static const struct neigh_ops ndisc_generic_ops = {
96 	.family =		AF_INET6,
97 	.solicit =		ndisc_solicit,
98 	.error_report =		ndisc_error_report,
99 	.output =		neigh_resolve_output,
100 	.connected_output =	neigh_connected_output,
101 };
102 
103 static const struct neigh_ops ndisc_hh_ops = {
104 	.family =		AF_INET6,
105 	.solicit =		ndisc_solicit,
106 	.error_report =		ndisc_error_report,
107 	.output =		neigh_resolve_output,
108 	.connected_output =	neigh_resolve_output,
109 };
110 
111 
112 static const struct neigh_ops ndisc_direct_ops = {
113 	.family =		AF_INET6,
114 	.output =		neigh_direct_output,
115 	.connected_output =	neigh_direct_output,
116 };
117 
118 struct neigh_table nd_tbl = {
119 	.family =	AF_INET6,
120 	.key_len =	sizeof(struct in6_addr),
121 	.protocol =	cpu_to_be16(ETH_P_IPV6),
122 	.hash =		ndisc_hash,
123 	.key_eq =	ndisc_key_eq,
124 	.constructor =	ndisc_constructor,
125 	.pconstructor =	pndisc_constructor,
126 	.pdestructor =	pndisc_destructor,
127 	.proxy_redo =	pndisc_redo,
128 	.id =		"ndisc_cache",
129 	.parms = {
130 		.tbl			= &nd_tbl,
131 		.reachable_time		= ND_REACHABLE_TIME,
132 		.data = {
133 			[NEIGH_VAR_MCAST_PROBES] = 3,
134 			[NEIGH_VAR_UCAST_PROBES] = 3,
135 			[NEIGH_VAR_RETRANS_TIME] = ND_RETRANS_TIMER,
136 			[NEIGH_VAR_BASE_REACHABLE_TIME] = ND_REACHABLE_TIME,
137 			[NEIGH_VAR_DELAY_PROBE_TIME] = 5 * HZ,
138 			[NEIGH_VAR_GC_STALETIME] = 60 * HZ,
139 			[NEIGH_VAR_QUEUE_LEN_BYTES] = 64 * 1024,
140 			[NEIGH_VAR_PROXY_QLEN] = 64,
141 			[NEIGH_VAR_ANYCAST_DELAY] = 1 * HZ,
142 			[NEIGH_VAR_PROXY_DELAY] = (8 * HZ) / 10,
143 		},
144 	},
145 	.gc_interval =	  30 * HZ,
146 	.gc_thresh1 =	 128,
147 	.gc_thresh2 =	 512,
148 	.gc_thresh3 =	1024,
149 };
150 
151 static void ndisc_fill_addr_option(struct sk_buff *skb, int type, void *data)
152 {
153 	int pad   = ndisc_addr_option_pad(skb->dev->type);
154 	int data_len = skb->dev->addr_len;
155 	int space = ndisc_opt_addr_space(skb->dev);
156 	u8 *opt = skb_put(skb, space);
157 
158 	opt[0] = type;
159 	opt[1] = space>>3;
160 
161 	memset(opt + 2, 0, pad);
162 	opt   += pad;
163 	space -= pad;
164 
165 	memcpy(opt+2, data, data_len);
166 	data_len += 2;
167 	opt += data_len;
168 	space -= data_len;
169 	if (space > 0)
170 		memset(opt, 0, space);
171 }
172 
173 static struct nd_opt_hdr *ndisc_next_option(struct nd_opt_hdr *cur,
174 					    struct nd_opt_hdr *end)
175 {
176 	int type;
177 	if (!cur || !end || cur >= end)
178 		return NULL;
179 	type = cur->nd_opt_type;
180 	do {
181 		cur = ((void *)cur) + (cur->nd_opt_len << 3);
182 	} while (cur < end && cur->nd_opt_type != type);
183 	return cur <= end && cur->nd_opt_type == type ? cur : NULL;
184 }
185 
186 static inline int ndisc_is_useropt(struct nd_opt_hdr *opt)
187 {
188 	return opt->nd_opt_type == ND_OPT_RDNSS ||
189 		opt->nd_opt_type == ND_OPT_DNSSL;
190 }
191 
192 static struct nd_opt_hdr *ndisc_next_useropt(struct nd_opt_hdr *cur,
193 					     struct nd_opt_hdr *end)
194 {
195 	if (!cur || !end || cur >= end)
196 		return NULL;
197 	do {
198 		cur = ((void *)cur) + (cur->nd_opt_len << 3);
199 	} while (cur < end && !ndisc_is_useropt(cur));
200 	return cur <= end && ndisc_is_useropt(cur) ? cur : NULL;
201 }
202 
203 struct ndisc_options *ndisc_parse_options(u8 *opt, int opt_len,
204 					  struct ndisc_options *ndopts)
205 {
206 	struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)opt;
207 
208 	if (!nd_opt || opt_len < 0 || !ndopts)
209 		return NULL;
210 	memset(ndopts, 0, sizeof(*ndopts));
211 	while (opt_len) {
212 		int l;
213 		if (opt_len < sizeof(struct nd_opt_hdr))
214 			return NULL;
215 		l = nd_opt->nd_opt_len << 3;
216 		if (opt_len < l || l == 0)
217 			return NULL;
218 		switch (nd_opt->nd_opt_type) {
219 		case ND_OPT_SOURCE_LL_ADDR:
220 		case ND_OPT_TARGET_LL_ADDR:
221 		case ND_OPT_MTU:
222 		case ND_OPT_REDIRECT_HDR:
223 			if (ndopts->nd_opt_array[nd_opt->nd_opt_type]) {
224 				ND_PRINTK(2, warn,
225 					  "%s: duplicated ND6 option found: type=%d\n",
226 					  __func__, nd_opt->nd_opt_type);
227 			} else {
228 				ndopts->nd_opt_array[nd_opt->nd_opt_type] = nd_opt;
229 			}
230 			break;
231 		case ND_OPT_PREFIX_INFO:
232 			ndopts->nd_opts_pi_end = nd_opt;
233 			if (!ndopts->nd_opt_array[nd_opt->nd_opt_type])
234 				ndopts->nd_opt_array[nd_opt->nd_opt_type] = nd_opt;
235 			break;
236 #ifdef CONFIG_IPV6_ROUTE_INFO
237 		case ND_OPT_ROUTE_INFO:
238 			ndopts->nd_opts_ri_end = nd_opt;
239 			if (!ndopts->nd_opts_ri)
240 				ndopts->nd_opts_ri = nd_opt;
241 			break;
242 #endif
243 		default:
244 			if (ndisc_is_useropt(nd_opt)) {
245 				ndopts->nd_useropts_end = nd_opt;
246 				if (!ndopts->nd_useropts)
247 					ndopts->nd_useropts = nd_opt;
248 			} else {
249 				/*
250 				 * Unknown options must be silently ignored,
251 				 * to accommodate future extension to the
252 				 * protocol.
253 				 */
254 				ND_PRINTK(2, notice,
255 					  "%s: ignored unsupported option; type=%d, len=%d\n",
256 					  __func__,
257 					  nd_opt->nd_opt_type,
258 					  nd_opt->nd_opt_len);
259 			}
260 		}
261 		opt_len -= l;
262 		nd_opt = ((void *)nd_opt) + l;
263 	}
264 	return ndopts;
265 }
266 
267 int ndisc_mc_map(const struct in6_addr *addr, char *buf, struct net_device *dev, int dir)
268 {
269 	switch (dev->type) {
270 	case ARPHRD_ETHER:
271 	case ARPHRD_IEEE802:	/* Not sure. Check it later. --ANK */
272 	case ARPHRD_FDDI:
273 		ipv6_eth_mc_map(addr, buf);
274 		return 0;
275 	case ARPHRD_ARCNET:
276 		ipv6_arcnet_mc_map(addr, buf);
277 		return 0;
278 	case ARPHRD_INFINIBAND:
279 		ipv6_ib_mc_map(addr, dev->broadcast, buf);
280 		return 0;
281 	case ARPHRD_IPGRE:
282 		return ipv6_ipgre_mc_map(addr, dev->broadcast, buf);
283 	default:
284 		if (dir) {
285 			memcpy(buf, dev->broadcast, dev->addr_len);
286 			return 0;
287 		}
288 	}
289 	return -EINVAL;
290 }
291 EXPORT_SYMBOL(ndisc_mc_map);
292 
293 static u32 ndisc_hash(const void *pkey,
294 		      const struct net_device *dev,
295 		      __u32 *hash_rnd)
296 {
297 	return ndisc_hashfn(pkey, dev, hash_rnd);
298 }
299 
300 static bool ndisc_key_eq(const struct neighbour *n, const void *pkey)
301 {
302 	return neigh_key_eq128(n, pkey);
303 }
304 
305 static int ndisc_constructor(struct neighbour *neigh)
306 {
307 	struct in6_addr *addr = (struct in6_addr *)&neigh->primary_key;
308 	struct net_device *dev = neigh->dev;
309 	struct inet6_dev *in6_dev;
310 	struct neigh_parms *parms;
311 	bool is_multicast = ipv6_addr_is_multicast(addr);
312 
313 	in6_dev = in6_dev_get(dev);
314 	if (!in6_dev) {
315 		return -EINVAL;
316 	}
317 
318 	parms = in6_dev->nd_parms;
319 	__neigh_parms_put(neigh->parms);
320 	neigh->parms = neigh_parms_clone(parms);
321 
322 	neigh->type = is_multicast ? RTN_MULTICAST : RTN_UNICAST;
323 	if (!dev->header_ops) {
324 		neigh->nud_state = NUD_NOARP;
325 		neigh->ops = &ndisc_direct_ops;
326 		neigh->output = neigh_direct_output;
327 	} else {
328 		if (is_multicast) {
329 			neigh->nud_state = NUD_NOARP;
330 			ndisc_mc_map(addr, neigh->ha, dev, 1);
331 		} else if (dev->flags&(IFF_NOARP|IFF_LOOPBACK)) {
332 			neigh->nud_state = NUD_NOARP;
333 			memcpy(neigh->ha, dev->dev_addr, dev->addr_len);
334 			if (dev->flags&IFF_LOOPBACK)
335 				neigh->type = RTN_LOCAL;
336 		} else if (dev->flags&IFF_POINTOPOINT) {
337 			neigh->nud_state = NUD_NOARP;
338 			memcpy(neigh->ha, dev->broadcast, dev->addr_len);
339 		}
340 		if (dev->header_ops->cache)
341 			neigh->ops = &ndisc_hh_ops;
342 		else
343 			neigh->ops = &ndisc_generic_ops;
344 		if (neigh->nud_state&NUD_VALID)
345 			neigh->output = neigh->ops->connected_output;
346 		else
347 			neigh->output = neigh->ops->output;
348 	}
349 	in6_dev_put(in6_dev);
350 	return 0;
351 }
352 
353 static int pndisc_constructor(struct pneigh_entry *n)
354 {
355 	struct in6_addr *addr = (struct in6_addr *)&n->key;
356 	struct in6_addr maddr;
357 	struct net_device *dev = n->dev;
358 
359 	if (!dev || !__in6_dev_get(dev))
360 		return -EINVAL;
361 	addrconf_addr_solict_mult(addr, &maddr);
362 	ipv6_dev_mc_inc(dev, &maddr);
363 	return 0;
364 }
365 
366 static void pndisc_destructor(struct pneigh_entry *n)
367 {
368 	struct in6_addr *addr = (struct in6_addr *)&n->key;
369 	struct in6_addr maddr;
370 	struct net_device *dev = n->dev;
371 
372 	if (!dev || !__in6_dev_get(dev))
373 		return;
374 	addrconf_addr_solict_mult(addr, &maddr);
375 	ipv6_dev_mc_dec(dev, &maddr);
376 }
377 
378 static struct sk_buff *ndisc_alloc_skb(struct net_device *dev,
379 				       int len)
380 {
381 	int hlen = LL_RESERVED_SPACE(dev);
382 	int tlen = dev->needed_tailroom;
383 	struct sock *sk = dev_net(dev)->ipv6.ndisc_sk;
384 	struct sk_buff *skb;
385 
386 	skb = alloc_skb(hlen + sizeof(struct ipv6hdr) + len + tlen, GFP_ATOMIC);
387 	if (!skb) {
388 		ND_PRINTK(0, err, "ndisc: %s failed to allocate an skb\n",
389 			  __func__);
390 		return NULL;
391 	}
392 
393 	skb->protocol = htons(ETH_P_IPV6);
394 	skb->dev = dev;
395 
396 	skb_reserve(skb, hlen + sizeof(struct ipv6hdr));
397 	skb_reset_transport_header(skb);
398 
399 	/* Manually assign socket ownership as we avoid calling
400 	 * sock_alloc_send_pskb() to bypass wmem buffer limits
401 	 */
402 	skb_set_owner_w(skb, sk);
403 
404 	return skb;
405 }
406 
407 static void ip6_nd_hdr(struct sk_buff *skb,
408 		       const struct in6_addr *saddr,
409 		       const struct in6_addr *daddr,
410 		       int hop_limit, int len)
411 {
412 	struct ipv6hdr *hdr;
413 
414 	skb_push(skb, sizeof(*hdr));
415 	skb_reset_network_header(skb);
416 	hdr = ipv6_hdr(skb);
417 
418 	ip6_flow_hdr(hdr, 0, 0);
419 
420 	hdr->payload_len = htons(len);
421 	hdr->nexthdr = IPPROTO_ICMPV6;
422 	hdr->hop_limit = hop_limit;
423 
424 	hdr->saddr = *saddr;
425 	hdr->daddr = *daddr;
426 }
427 
428 static void ndisc_send_skb(struct sk_buff *skb,
429 			   const struct in6_addr *daddr,
430 			   const struct in6_addr *saddr)
431 {
432 	struct dst_entry *dst = skb_dst(skb);
433 	struct net *net = dev_net(skb->dev);
434 	struct sock *sk = net->ipv6.ndisc_sk;
435 	struct inet6_dev *idev;
436 	int err;
437 	struct icmp6hdr *icmp6h = icmp6_hdr(skb);
438 	u8 type;
439 
440 	type = icmp6h->icmp6_type;
441 
442 	if (!dst) {
443 		struct flowi6 fl6;
444 
445 		icmpv6_flow_init(sk, &fl6, type, saddr, daddr, skb->dev->ifindex);
446 		dst = icmp6_dst_alloc(skb->dev, &fl6);
447 		if (IS_ERR(dst)) {
448 			kfree_skb(skb);
449 			return;
450 		}
451 
452 		skb_dst_set(skb, dst);
453 	}
454 
455 	icmp6h->icmp6_cksum = csum_ipv6_magic(saddr, daddr, skb->len,
456 					      IPPROTO_ICMPV6,
457 					      csum_partial(icmp6h,
458 							   skb->len, 0));
459 
460 	ip6_nd_hdr(skb, saddr, daddr, inet6_sk(sk)->hop_limit, skb->len);
461 
462 	rcu_read_lock();
463 	idev = __in6_dev_get(dst->dev);
464 	IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len);
465 
466 	err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, sk, skb,
467 		      NULL, dst->dev,
468 		      dst_output_sk);
469 	if (!err) {
470 		ICMP6MSGOUT_INC_STATS(net, idev, type);
471 		ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS);
472 	}
473 
474 	rcu_read_unlock();
475 }
476 
477 void ndisc_send_na(struct net_device *dev, struct neighbour *neigh,
478 		   const struct in6_addr *daddr,
479 		   const struct in6_addr *solicited_addr,
480 		   bool router, bool solicited, bool override, bool inc_opt)
481 {
482 	struct sk_buff *skb;
483 	struct in6_addr tmpaddr;
484 	struct inet6_ifaddr *ifp;
485 	const struct in6_addr *src_addr;
486 	struct nd_msg *msg;
487 	int optlen = 0;
488 
489 	/* for anycast or proxy, solicited_addr != src_addr */
490 	ifp = ipv6_get_ifaddr(dev_net(dev), solicited_addr, dev, 1);
491 	if (ifp) {
492 		src_addr = solicited_addr;
493 		if (ifp->flags & IFA_F_OPTIMISTIC)
494 			override = false;
495 		inc_opt |= ifp->idev->cnf.force_tllao;
496 		in6_ifa_put(ifp);
497 	} else {
498 		if (ipv6_dev_get_saddr(dev_net(dev), dev, daddr,
499 				       inet6_sk(dev_net(dev)->ipv6.ndisc_sk)->srcprefs,
500 				       &tmpaddr))
501 			return;
502 		src_addr = &tmpaddr;
503 	}
504 
505 	if (!dev->addr_len)
506 		inc_opt = 0;
507 	if (inc_opt)
508 		optlen += ndisc_opt_addr_space(dev);
509 
510 	skb = ndisc_alloc_skb(dev, sizeof(*msg) + optlen);
511 	if (!skb)
512 		return;
513 
514 	msg = (struct nd_msg *)skb_put(skb, sizeof(*msg));
515 	*msg = (struct nd_msg) {
516 		.icmph = {
517 			.icmp6_type = NDISC_NEIGHBOUR_ADVERTISEMENT,
518 			.icmp6_router = router,
519 			.icmp6_solicited = solicited,
520 			.icmp6_override = override,
521 		},
522 		.target = *solicited_addr,
523 	};
524 
525 	if (inc_opt)
526 		ndisc_fill_addr_option(skb, ND_OPT_TARGET_LL_ADDR,
527 				       dev->dev_addr);
528 
529 
530 	ndisc_send_skb(skb, daddr, src_addr);
531 }
532 
533 static void ndisc_send_unsol_na(struct net_device *dev)
534 {
535 	struct inet6_dev *idev;
536 	struct inet6_ifaddr *ifa;
537 
538 	idev = in6_dev_get(dev);
539 	if (!idev)
540 		return;
541 
542 	read_lock_bh(&idev->lock);
543 	list_for_each_entry(ifa, &idev->addr_list, if_list) {
544 		ndisc_send_na(dev, NULL, &in6addr_linklocal_allnodes, &ifa->addr,
545 			      /*router=*/ !!idev->cnf.forwarding,
546 			      /*solicited=*/ false, /*override=*/ true,
547 			      /*inc_opt=*/ true);
548 	}
549 	read_unlock_bh(&idev->lock);
550 
551 	in6_dev_put(idev);
552 }
553 
554 void ndisc_send_ns(struct net_device *dev, struct neighbour *neigh,
555 		   const struct in6_addr *solicit,
556 		   const struct in6_addr *daddr, const struct in6_addr *saddr)
557 {
558 	struct sk_buff *skb;
559 	struct in6_addr addr_buf;
560 	int inc_opt = dev->addr_len;
561 	int optlen = 0;
562 	struct nd_msg *msg;
563 
564 	if (!saddr) {
565 		if (ipv6_get_lladdr(dev, &addr_buf,
566 				   (IFA_F_TENTATIVE|IFA_F_OPTIMISTIC)))
567 			return;
568 		saddr = &addr_buf;
569 	}
570 
571 	if (ipv6_addr_any(saddr))
572 		inc_opt = false;
573 	if (inc_opt)
574 		optlen += ndisc_opt_addr_space(dev);
575 
576 	skb = ndisc_alloc_skb(dev, sizeof(*msg) + optlen);
577 	if (!skb)
578 		return;
579 
580 	msg = (struct nd_msg *)skb_put(skb, sizeof(*msg));
581 	*msg = (struct nd_msg) {
582 		.icmph = {
583 			.icmp6_type = NDISC_NEIGHBOUR_SOLICITATION,
584 		},
585 		.target = *solicit,
586 	};
587 
588 	if (inc_opt)
589 		ndisc_fill_addr_option(skb, ND_OPT_SOURCE_LL_ADDR,
590 				       dev->dev_addr);
591 
592 	ndisc_send_skb(skb, daddr, saddr);
593 }
594 
595 void ndisc_send_rs(struct net_device *dev, const struct in6_addr *saddr,
596 		   const struct in6_addr *daddr)
597 {
598 	struct sk_buff *skb;
599 	struct rs_msg *msg;
600 	int send_sllao = dev->addr_len;
601 	int optlen = 0;
602 
603 #ifdef CONFIG_IPV6_OPTIMISTIC_DAD
604 	/*
605 	 * According to section 2.2 of RFC 4429, we must not
606 	 * send router solicitations with a sllao from
607 	 * optimistic addresses, but we may send the solicitation
608 	 * if we don't include the sllao.  So here we check
609 	 * if our address is optimistic, and if so, we
610 	 * suppress the inclusion of the sllao.
611 	 */
612 	if (send_sllao) {
613 		struct inet6_ifaddr *ifp = ipv6_get_ifaddr(dev_net(dev), saddr,
614 							   dev, 1);
615 		if (ifp) {
616 			if (ifp->flags & IFA_F_OPTIMISTIC)  {
617 				send_sllao = 0;
618 			}
619 			in6_ifa_put(ifp);
620 		} else {
621 			send_sllao = 0;
622 		}
623 	}
624 #endif
625 	if (send_sllao)
626 		optlen += ndisc_opt_addr_space(dev);
627 
628 	skb = ndisc_alloc_skb(dev, sizeof(*msg) + optlen);
629 	if (!skb)
630 		return;
631 
632 	msg = (struct rs_msg *)skb_put(skb, sizeof(*msg));
633 	*msg = (struct rs_msg) {
634 		.icmph = {
635 			.icmp6_type = NDISC_ROUTER_SOLICITATION,
636 		},
637 	};
638 
639 	if (send_sllao)
640 		ndisc_fill_addr_option(skb, ND_OPT_SOURCE_LL_ADDR,
641 				       dev->dev_addr);
642 
643 	ndisc_send_skb(skb, daddr, saddr);
644 }
645 
646 
647 static void ndisc_error_report(struct neighbour *neigh, struct sk_buff *skb)
648 {
649 	/*
650 	 *	"The sender MUST return an ICMP
651 	 *	 destination unreachable"
652 	 */
653 	dst_link_failure(skb);
654 	kfree_skb(skb);
655 }
656 
657 /* Called with locked neigh: either read or both */
658 
659 static void ndisc_solicit(struct neighbour *neigh, struct sk_buff *skb)
660 {
661 	struct in6_addr *saddr = NULL;
662 	struct in6_addr mcaddr;
663 	struct net_device *dev = neigh->dev;
664 	struct in6_addr *target = (struct in6_addr *)&neigh->primary_key;
665 	int probes = atomic_read(&neigh->probes);
666 
667 	if (skb && ipv6_chk_addr_and_flags(dev_net(dev), &ipv6_hdr(skb)->saddr,
668 					   dev, 1,
669 					   IFA_F_TENTATIVE|IFA_F_OPTIMISTIC))
670 		saddr = &ipv6_hdr(skb)->saddr;
671 	probes -= NEIGH_VAR(neigh->parms, UCAST_PROBES);
672 	if (probes < 0) {
673 		if (!(neigh->nud_state & NUD_VALID)) {
674 			ND_PRINTK(1, dbg,
675 				  "%s: trying to ucast probe in NUD_INVALID: %pI6\n",
676 				  __func__, target);
677 		}
678 		ndisc_send_ns(dev, neigh, target, target, saddr);
679 	} else if ((probes -= NEIGH_VAR(neigh->parms, APP_PROBES)) < 0) {
680 		neigh_app_ns(neigh);
681 	} else {
682 		addrconf_addr_solict_mult(target, &mcaddr);
683 		ndisc_send_ns(dev, NULL, target, &mcaddr, saddr);
684 	}
685 }
686 
687 static int pndisc_is_router(const void *pkey,
688 			    struct net_device *dev)
689 {
690 	struct pneigh_entry *n;
691 	int ret = -1;
692 
693 	read_lock_bh(&nd_tbl.lock);
694 	n = __pneigh_lookup(&nd_tbl, dev_net(dev), pkey, dev);
695 	if (n)
696 		ret = !!(n->flags & NTF_ROUTER);
697 	read_unlock_bh(&nd_tbl.lock);
698 
699 	return ret;
700 }
701 
702 static void ndisc_recv_ns(struct sk_buff *skb)
703 {
704 	struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
705 	const struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
706 	const struct in6_addr *daddr = &ipv6_hdr(skb)->daddr;
707 	u8 *lladdr = NULL;
708 	u32 ndoptlen = skb_tail_pointer(skb) - (skb_transport_header(skb) +
709 				    offsetof(struct nd_msg, opt));
710 	struct ndisc_options ndopts;
711 	struct net_device *dev = skb->dev;
712 	struct inet6_ifaddr *ifp;
713 	struct inet6_dev *idev = NULL;
714 	struct neighbour *neigh;
715 	int dad = ipv6_addr_any(saddr);
716 	bool inc;
717 	int is_router = -1;
718 
719 	if (skb->len < sizeof(struct nd_msg)) {
720 		ND_PRINTK(2, warn, "NS: packet too short\n");
721 		return;
722 	}
723 
724 	if (ipv6_addr_is_multicast(&msg->target)) {
725 		ND_PRINTK(2, warn, "NS: multicast target address\n");
726 		return;
727 	}
728 
729 	/*
730 	 * RFC2461 7.1.1:
731 	 * DAD has to be destined for solicited node multicast address.
732 	 */
733 	if (dad && !ipv6_addr_is_solict_mult(daddr)) {
734 		ND_PRINTK(2, warn, "NS: bad DAD packet (wrong destination)\n");
735 		return;
736 	}
737 
738 	if (!ndisc_parse_options(msg->opt, ndoptlen, &ndopts)) {
739 		ND_PRINTK(2, warn, "NS: invalid ND options\n");
740 		return;
741 	}
742 
743 	if (ndopts.nd_opts_src_lladdr) {
744 		lladdr = ndisc_opt_addr_data(ndopts.nd_opts_src_lladdr, dev);
745 		if (!lladdr) {
746 			ND_PRINTK(2, warn,
747 				  "NS: invalid link-layer address length\n");
748 			return;
749 		}
750 
751 		/* RFC2461 7.1.1:
752 		 *	If the IP source address is the unspecified address,
753 		 *	there MUST NOT be source link-layer address option
754 		 *	in the message.
755 		 */
756 		if (dad) {
757 			ND_PRINTK(2, warn,
758 				  "NS: bad DAD packet (link-layer address option)\n");
759 			return;
760 		}
761 	}
762 
763 	inc = ipv6_addr_is_multicast(daddr);
764 
765 	ifp = ipv6_get_ifaddr(dev_net(dev), &msg->target, dev, 1);
766 	if (ifp) {
767 
768 		if (ifp->flags & (IFA_F_TENTATIVE|IFA_F_OPTIMISTIC)) {
769 			if (dad) {
770 				/*
771 				 * We are colliding with another node
772 				 * who is doing DAD
773 				 * so fail our DAD process
774 				 */
775 				addrconf_dad_failure(ifp);
776 				return;
777 			} else {
778 				/*
779 				 * This is not a dad solicitation.
780 				 * If we are an optimistic node,
781 				 * we should respond.
782 				 * Otherwise, we should ignore it.
783 				 */
784 				if (!(ifp->flags & IFA_F_OPTIMISTIC))
785 					goto out;
786 			}
787 		}
788 
789 		idev = ifp->idev;
790 	} else {
791 		struct net *net = dev_net(dev);
792 
793 		idev = in6_dev_get(dev);
794 		if (!idev) {
795 			/* XXX: count this drop? */
796 			return;
797 		}
798 
799 		if (ipv6_chk_acast_addr(net, dev, &msg->target) ||
800 		    (idev->cnf.forwarding &&
801 		     (net->ipv6.devconf_all->proxy_ndp || idev->cnf.proxy_ndp) &&
802 		     (is_router = pndisc_is_router(&msg->target, dev)) >= 0)) {
803 			if (!(NEIGH_CB(skb)->flags & LOCALLY_ENQUEUED) &&
804 			    skb->pkt_type != PACKET_HOST &&
805 			    inc &&
806 			    NEIGH_VAR(idev->nd_parms, PROXY_DELAY) != 0) {
807 				/*
808 				 * for anycast or proxy,
809 				 * sender should delay its response
810 				 * by a random time between 0 and
811 				 * MAX_ANYCAST_DELAY_TIME seconds.
812 				 * (RFC2461) -- yoshfuji
813 				 */
814 				struct sk_buff *n = skb_clone(skb, GFP_ATOMIC);
815 				if (n)
816 					pneigh_enqueue(&nd_tbl, idev->nd_parms, n);
817 				goto out;
818 			}
819 		} else
820 			goto out;
821 	}
822 
823 	if (is_router < 0)
824 		is_router = idev->cnf.forwarding;
825 
826 	if (dad) {
827 		ndisc_send_na(dev, NULL, &in6addr_linklocal_allnodes, &msg->target,
828 			      !!is_router, false, (ifp != NULL), true);
829 		goto out;
830 	}
831 
832 	if (inc)
833 		NEIGH_CACHE_STAT_INC(&nd_tbl, rcv_probes_mcast);
834 	else
835 		NEIGH_CACHE_STAT_INC(&nd_tbl, rcv_probes_ucast);
836 
837 	/*
838 	 *	update / create cache entry
839 	 *	for the source address
840 	 */
841 	neigh = __neigh_lookup(&nd_tbl, saddr, dev,
842 			       !inc || lladdr || !dev->addr_len);
843 	if (neigh)
844 		neigh_update(neigh, lladdr, NUD_STALE,
845 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
846 			     NEIGH_UPDATE_F_OVERRIDE);
847 	if (neigh || !dev->header_ops) {
848 		ndisc_send_na(dev, neigh, saddr, &msg->target,
849 			      !!is_router,
850 			      true, (ifp != NULL && inc), inc);
851 		if (neigh)
852 			neigh_release(neigh);
853 	}
854 
855 out:
856 	if (ifp)
857 		in6_ifa_put(ifp);
858 	else
859 		in6_dev_put(idev);
860 }
861 
862 static void ndisc_recv_na(struct sk_buff *skb)
863 {
864 	struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
865 	struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
866 	const struct in6_addr *daddr = &ipv6_hdr(skb)->daddr;
867 	u8 *lladdr = NULL;
868 	u32 ndoptlen = skb_tail_pointer(skb) - (skb_transport_header(skb) +
869 				    offsetof(struct nd_msg, opt));
870 	struct ndisc_options ndopts;
871 	struct net_device *dev = skb->dev;
872 	struct inet6_ifaddr *ifp;
873 	struct neighbour *neigh;
874 
875 	if (skb->len < sizeof(struct nd_msg)) {
876 		ND_PRINTK(2, warn, "NA: packet too short\n");
877 		return;
878 	}
879 
880 	if (ipv6_addr_is_multicast(&msg->target)) {
881 		ND_PRINTK(2, warn, "NA: target address is multicast\n");
882 		return;
883 	}
884 
885 	if (ipv6_addr_is_multicast(daddr) &&
886 	    msg->icmph.icmp6_solicited) {
887 		ND_PRINTK(2, warn, "NA: solicited NA is multicasted\n");
888 		return;
889 	}
890 
891 	if (!ndisc_parse_options(msg->opt, ndoptlen, &ndopts)) {
892 		ND_PRINTK(2, warn, "NS: invalid ND option\n");
893 		return;
894 	}
895 	if (ndopts.nd_opts_tgt_lladdr) {
896 		lladdr = ndisc_opt_addr_data(ndopts.nd_opts_tgt_lladdr, dev);
897 		if (!lladdr) {
898 			ND_PRINTK(2, warn,
899 				  "NA: invalid link-layer address length\n");
900 			return;
901 		}
902 	}
903 	ifp = ipv6_get_ifaddr(dev_net(dev), &msg->target, dev, 1);
904 	if (ifp) {
905 		if (skb->pkt_type != PACKET_LOOPBACK
906 		    && (ifp->flags & IFA_F_TENTATIVE)) {
907 				addrconf_dad_failure(ifp);
908 				return;
909 		}
910 		/* What should we make now? The advertisement
911 		   is invalid, but ndisc specs say nothing
912 		   about it. It could be misconfiguration, or
913 		   an smart proxy agent tries to help us :-)
914 
915 		   We should not print the error if NA has been
916 		   received from loopback - it is just our own
917 		   unsolicited advertisement.
918 		 */
919 		if (skb->pkt_type != PACKET_LOOPBACK)
920 			ND_PRINTK(1, warn,
921 				  "NA: someone advertises our address %pI6 on %s!\n",
922 				  &ifp->addr, ifp->idev->dev->name);
923 		in6_ifa_put(ifp);
924 		return;
925 	}
926 	neigh = neigh_lookup(&nd_tbl, &msg->target, dev);
927 
928 	if (neigh) {
929 		u8 old_flags = neigh->flags;
930 		struct net *net = dev_net(dev);
931 
932 		if (neigh->nud_state & NUD_FAILED)
933 			goto out;
934 
935 		/*
936 		 * Don't update the neighbor cache entry on a proxy NA from
937 		 * ourselves because either the proxied node is off link or it
938 		 * has already sent a NA to us.
939 		 */
940 		if (lladdr && !memcmp(lladdr, dev->dev_addr, dev->addr_len) &&
941 		    net->ipv6.devconf_all->forwarding && net->ipv6.devconf_all->proxy_ndp &&
942 		    pneigh_lookup(&nd_tbl, net, &msg->target, dev, 0)) {
943 			/* XXX: idev->cnf.proxy_ndp */
944 			goto out;
945 		}
946 
947 		neigh_update(neigh, lladdr,
948 			     msg->icmph.icmp6_solicited ? NUD_REACHABLE : NUD_STALE,
949 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
950 			     (msg->icmph.icmp6_override ? NEIGH_UPDATE_F_OVERRIDE : 0)|
951 			     NEIGH_UPDATE_F_OVERRIDE_ISROUTER|
952 			     (msg->icmph.icmp6_router ? NEIGH_UPDATE_F_ISROUTER : 0));
953 
954 		if ((old_flags & ~neigh->flags) & NTF_ROUTER) {
955 			/*
956 			 * Change: router to host
957 			 */
958 			rt6_clean_tohost(dev_net(dev),  saddr);
959 		}
960 
961 out:
962 		neigh_release(neigh);
963 	}
964 }
965 
966 static void ndisc_recv_rs(struct sk_buff *skb)
967 {
968 	struct rs_msg *rs_msg = (struct rs_msg *)skb_transport_header(skb);
969 	unsigned long ndoptlen = skb->len - sizeof(*rs_msg);
970 	struct neighbour *neigh;
971 	struct inet6_dev *idev;
972 	const struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
973 	struct ndisc_options ndopts;
974 	u8 *lladdr = NULL;
975 
976 	if (skb->len < sizeof(*rs_msg))
977 		return;
978 
979 	idev = __in6_dev_get(skb->dev);
980 	if (!idev) {
981 		ND_PRINTK(1, err, "RS: can't find in6 device\n");
982 		return;
983 	}
984 
985 	/* Don't accept RS if we're not in router mode */
986 	if (!idev->cnf.forwarding)
987 		goto out;
988 
989 	/*
990 	 * Don't update NCE if src = ::;
991 	 * this implies that the source node has no ip address assigned yet.
992 	 */
993 	if (ipv6_addr_any(saddr))
994 		goto out;
995 
996 	/* Parse ND options */
997 	if (!ndisc_parse_options(rs_msg->opt, ndoptlen, &ndopts)) {
998 		ND_PRINTK(2, notice, "NS: invalid ND option, ignored\n");
999 		goto out;
1000 	}
1001 
1002 	if (ndopts.nd_opts_src_lladdr) {
1003 		lladdr = ndisc_opt_addr_data(ndopts.nd_opts_src_lladdr,
1004 					     skb->dev);
1005 		if (!lladdr)
1006 			goto out;
1007 	}
1008 
1009 	neigh = __neigh_lookup(&nd_tbl, saddr, skb->dev, 1);
1010 	if (neigh) {
1011 		neigh_update(neigh, lladdr, NUD_STALE,
1012 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
1013 			     NEIGH_UPDATE_F_OVERRIDE|
1014 			     NEIGH_UPDATE_F_OVERRIDE_ISROUTER);
1015 		neigh_release(neigh);
1016 	}
1017 out:
1018 	return;
1019 }
1020 
1021 static void ndisc_ra_useropt(struct sk_buff *ra, struct nd_opt_hdr *opt)
1022 {
1023 	struct icmp6hdr *icmp6h = (struct icmp6hdr *)skb_transport_header(ra);
1024 	struct sk_buff *skb;
1025 	struct nlmsghdr *nlh;
1026 	struct nduseroptmsg *ndmsg;
1027 	struct net *net = dev_net(ra->dev);
1028 	int err;
1029 	int base_size = NLMSG_ALIGN(sizeof(struct nduseroptmsg)
1030 				    + (opt->nd_opt_len << 3));
1031 	size_t msg_size = base_size + nla_total_size(sizeof(struct in6_addr));
1032 
1033 	skb = nlmsg_new(msg_size, GFP_ATOMIC);
1034 	if (!skb) {
1035 		err = -ENOBUFS;
1036 		goto errout;
1037 	}
1038 
1039 	nlh = nlmsg_put(skb, 0, 0, RTM_NEWNDUSEROPT, base_size, 0);
1040 	if (!nlh) {
1041 		goto nla_put_failure;
1042 	}
1043 
1044 	ndmsg = nlmsg_data(nlh);
1045 	ndmsg->nduseropt_family = AF_INET6;
1046 	ndmsg->nduseropt_ifindex = ra->dev->ifindex;
1047 	ndmsg->nduseropt_icmp_type = icmp6h->icmp6_type;
1048 	ndmsg->nduseropt_icmp_code = icmp6h->icmp6_code;
1049 	ndmsg->nduseropt_opts_len = opt->nd_opt_len << 3;
1050 
1051 	memcpy(ndmsg + 1, opt, opt->nd_opt_len << 3);
1052 
1053 	if (nla_put_in6_addr(skb, NDUSEROPT_SRCADDR, &ipv6_hdr(ra)->saddr))
1054 		goto nla_put_failure;
1055 	nlmsg_end(skb, nlh);
1056 
1057 	rtnl_notify(skb, net, 0, RTNLGRP_ND_USEROPT, NULL, GFP_ATOMIC);
1058 	return;
1059 
1060 nla_put_failure:
1061 	nlmsg_free(skb);
1062 	err = -EMSGSIZE;
1063 errout:
1064 	rtnl_set_sk_err(net, RTNLGRP_ND_USEROPT, err);
1065 }
1066 
1067 static void ndisc_router_discovery(struct sk_buff *skb)
1068 {
1069 	struct ra_msg *ra_msg = (struct ra_msg *)skb_transport_header(skb);
1070 	struct neighbour *neigh = NULL;
1071 	struct inet6_dev *in6_dev;
1072 	struct rt6_info *rt = NULL;
1073 	int lifetime;
1074 	struct ndisc_options ndopts;
1075 	int optlen;
1076 	unsigned int pref = 0;
1077 
1078 	__u8 *opt = (__u8 *)(ra_msg + 1);
1079 
1080 	optlen = (skb_tail_pointer(skb) - skb_transport_header(skb)) -
1081 		sizeof(struct ra_msg);
1082 
1083 	ND_PRINTK(2, info,
1084 		  "RA: %s, dev: %s\n",
1085 		  __func__, skb->dev->name);
1086 	if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL)) {
1087 		ND_PRINTK(2, warn, "RA: source address is not link-local\n");
1088 		return;
1089 	}
1090 	if (optlen < 0) {
1091 		ND_PRINTK(2, warn, "RA: packet too short\n");
1092 		return;
1093 	}
1094 
1095 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1096 	if (skb->ndisc_nodetype == NDISC_NODETYPE_HOST) {
1097 		ND_PRINTK(2, warn, "RA: from host or unauthorized router\n");
1098 		return;
1099 	}
1100 #endif
1101 
1102 	/*
1103 	 *	set the RA_RECV flag in the interface
1104 	 */
1105 
1106 	in6_dev = __in6_dev_get(skb->dev);
1107 	if (!in6_dev) {
1108 		ND_PRINTK(0, err, "RA: can't find inet6 device for %s\n",
1109 			  skb->dev->name);
1110 		return;
1111 	}
1112 
1113 	if (!ndisc_parse_options(opt, optlen, &ndopts)) {
1114 		ND_PRINTK(2, warn, "RA: invalid ND options\n");
1115 		return;
1116 	}
1117 
1118 	if (!ipv6_accept_ra(in6_dev)) {
1119 		ND_PRINTK(2, info,
1120 			  "RA: %s, did not accept ra for dev: %s\n",
1121 			  __func__, skb->dev->name);
1122 		goto skip_linkparms;
1123 	}
1124 
1125 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1126 	/* skip link-specific parameters from interior routers */
1127 	if (skb->ndisc_nodetype == NDISC_NODETYPE_NODEFAULT) {
1128 		ND_PRINTK(2, info,
1129 			  "RA: %s, nodetype is NODEFAULT, dev: %s\n",
1130 			  __func__, skb->dev->name);
1131 		goto skip_linkparms;
1132 	}
1133 #endif
1134 
1135 	if (in6_dev->if_flags & IF_RS_SENT) {
1136 		/*
1137 		 *	flag that an RA was received after an RS was sent
1138 		 *	out on this interface.
1139 		 */
1140 		in6_dev->if_flags |= IF_RA_RCVD;
1141 	}
1142 
1143 	/*
1144 	 * Remember the managed/otherconf flags from most recently
1145 	 * received RA message (RFC 2462) -- yoshfuji
1146 	 */
1147 	in6_dev->if_flags = (in6_dev->if_flags & ~(IF_RA_MANAGED |
1148 				IF_RA_OTHERCONF)) |
1149 				(ra_msg->icmph.icmp6_addrconf_managed ?
1150 					IF_RA_MANAGED : 0) |
1151 				(ra_msg->icmph.icmp6_addrconf_other ?
1152 					IF_RA_OTHERCONF : 0);
1153 
1154 	if (!in6_dev->cnf.accept_ra_defrtr) {
1155 		ND_PRINTK(2, info,
1156 			  "RA: %s, defrtr is false for dev: %s\n",
1157 			  __func__, skb->dev->name);
1158 		goto skip_defrtr;
1159 	}
1160 
1161 	/* Do not accept RA with source-addr found on local machine unless
1162 	 * accept_ra_from_local is set to true.
1163 	 */
1164 	if (!in6_dev->cnf.accept_ra_from_local &&
1165 	    ipv6_chk_addr(dev_net(in6_dev->dev), &ipv6_hdr(skb)->saddr,
1166 			  NULL, 0)) {
1167 		ND_PRINTK(2, info,
1168 			  "RA from local address detected on dev: %s: default router ignored\n",
1169 			  skb->dev->name);
1170 		goto skip_defrtr;
1171 	}
1172 
1173 	lifetime = ntohs(ra_msg->icmph.icmp6_rt_lifetime);
1174 
1175 #ifdef CONFIG_IPV6_ROUTER_PREF
1176 	pref = ra_msg->icmph.icmp6_router_pref;
1177 	/* 10b is handled as if it were 00b (medium) */
1178 	if (pref == ICMPV6_ROUTER_PREF_INVALID ||
1179 	    !in6_dev->cnf.accept_ra_rtr_pref)
1180 		pref = ICMPV6_ROUTER_PREF_MEDIUM;
1181 #endif
1182 
1183 	rt = rt6_get_dflt_router(&ipv6_hdr(skb)->saddr, skb->dev);
1184 
1185 	if (rt) {
1186 		neigh = dst_neigh_lookup(&rt->dst, &ipv6_hdr(skb)->saddr);
1187 		if (!neigh) {
1188 			ND_PRINTK(0, err,
1189 				  "RA: %s got default router without neighbour\n",
1190 				  __func__);
1191 			ip6_rt_put(rt);
1192 			return;
1193 		}
1194 	}
1195 	if (rt && lifetime == 0) {
1196 		ip6_del_rt(rt);
1197 		rt = NULL;
1198 	}
1199 
1200 	ND_PRINTK(3, info, "RA: rt: %p  lifetime: %d, for dev: %s\n",
1201 		  rt, lifetime, skb->dev->name);
1202 	if (!rt && lifetime) {
1203 		ND_PRINTK(3, info, "RA: adding default router\n");
1204 
1205 		rt = rt6_add_dflt_router(&ipv6_hdr(skb)->saddr, skb->dev, pref);
1206 		if (!rt) {
1207 			ND_PRINTK(0, err,
1208 				  "RA: %s failed to add default route\n",
1209 				  __func__);
1210 			return;
1211 		}
1212 
1213 		neigh = dst_neigh_lookup(&rt->dst, &ipv6_hdr(skb)->saddr);
1214 		if (!neigh) {
1215 			ND_PRINTK(0, err,
1216 				  "RA: %s got default router without neighbour\n",
1217 				  __func__);
1218 			ip6_rt_put(rt);
1219 			return;
1220 		}
1221 		neigh->flags |= NTF_ROUTER;
1222 	} else if (rt) {
1223 		rt->rt6i_flags = (rt->rt6i_flags & ~RTF_PREF_MASK) | RTF_PREF(pref);
1224 	}
1225 
1226 	if (rt)
1227 		rt6_set_expires(rt, jiffies + (HZ * lifetime));
1228 	if (ra_msg->icmph.icmp6_hop_limit) {
1229 		/* Only set hop_limit on the interface if it is higher than
1230 		 * the current hop_limit.
1231 		 */
1232 		if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {
1233 			in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
1234 		} else {
1235 			ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n");
1236 		}
1237 		if (rt)
1238 			dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
1239 				       ra_msg->icmph.icmp6_hop_limit);
1240 	}
1241 
1242 skip_defrtr:
1243 
1244 	/*
1245 	 *	Update Reachable Time and Retrans Timer
1246 	 */
1247 
1248 	if (in6_dev->nd_parms) {
1249 		unsigned long rtime = ntohl(ra_msg->retrans_timer);
1250 
1251 		if (rtime && rtime/1000 < MAX_SCHEDULE_TIMEOUT/HZ) {
1252 			rtime = (rtime*HZ)/1000;
1253 			if (rtime < HZ/10)
1254 				rtime = HZ/10;
1255 			NEIGH_VAR_SET(in6_dev->nd_parms, RETRANS_TIME, rtime);
1256 			in6_dev->tstamp = jiffies;
1257 			inet6_ifinfo_notify(RTM_NEWLINK, in6_dev);
1258 		}
1259 
1260 		rtime = ntohl(ra_msg->reachable_time);
1261 		if (rtime && rtime/1000 < MAX_SCHEDULE_TIMEOUT/(3*HZ)) {
1262 			rtime = (rtime*HZ)/1000;
1263 
1264 			if (rtime < HZ/10)
1265 				rtime = HZ/10;
1266 
1267 			if (rtime != NEIGH_VAR(in6_dev->nd_parms, BASE_REACHABLE_TIME)) {
1268 				NEIGH_VAR_SET(in6_dev->nd_parms,
1269 					      BASE_REACHABLE_TIME, rtime);
1270 				NEIGH_VAR_SET(in6_dev->nd_parms,
1271 					      GC_STALETIME, 3 * rtime);
1272 				in6_dev->nd_parms->reachable_time = neigh_rand_reach_time(rtime);
1273 				in6_dev->tstamp = jiffies;
1274 				inet6_ifinfo_notify(RTM_NEWLINK, in6_dev);
1275 			}
1276 		}
1277 	}
1278 
1279 skip_linkparms:
1280 
1281 	/*
1282 	 *	Process options.
1283 	 */
1284 
1285 	if (!neigh)
1286 		neigh = __neigh_lookup(&nd_tbl, &ipv6_hdr(skb)->saddr,
1287 				       skb->dev, 1);
1288 	if (neigh) {
1289 		u8 *lladdr = NULL;
1290 		if (ndopts.nd_opts_src_lladdr) {
1291 			lladdr = ndisc_opt_addr_data(ndopts.nd_opts_src_lladdr,
1292 						     skb->dev);
1293 			if (!lladdr) {
1294 				ND_PRINTK(2, warn,
1295 					  "RA: invalid link-layer address length\n");
1296 				goto out;
1297 			}
1298 		}
1299 		neigh_update(neigh, lladdr, NUD_STALE,
1300 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
1301 			     NEIGH_UPDATE_F_OVERRIDE|
1302 			     NEIGH_UPDATE_F_OVERRIDE_ISROUTER|
1303 			     NEIGH_UPDATE_F_ISROUTER);
1304 	}
1305 
1306 	if (!ipv6_accept_ra(in6_dev)) {
1307 		ND_PRINTK(2, info,
1308 			  "RA: %s, accept_ra is false for dev: %s\n",
1309 			  __func__, skb->dev->name);
1310 		goto out;
1311 	}
1312 
1313 #ifdef CONFIG_IPV6_ROUTE_INFO
1314 	if (!in6_dev->cnf.accept_ra_from_local &&
1315 	    ipv6_chk_addr(dev_net(in6_dev->dev), &ipv6_hdr(skb)->saddr,
1316 			  NULL, 0)) {
1317 		ND_PRINTK(2, info,
1318 			  "RA from local address detected on dev: %s: router info ignored.\n",
1319 			  skb->dev->name);
1320 		goto skip_routeinfo;
1321 	}
1322 
1323 	if (in6_dev->cnf.accept_ra_rtr_pref && ndopts.nd_opts_ri) {
1324 		struct nd_opt_hdr *p;
1325 		for (p = ndopts.nd_opts_ri;
1326 		     p;
1327 		     p = ndisc_next_option(p, ndopts.nd_opts_ri_end)) {
1328 			struct route_info *ri = (struct route_info *)p;
1329 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1330 			if (skb->ndisc_nodetype == NDISC_NODETYPE_NODEFAULT &&
1331 			    ri->prefix_len == 0)
1332 				continue;
1333 #endif
1334 			if (ri->prefix_len == 0 &&
1335 			    !in6_dev->cnf.accept_ra_defrtr)
1336 				continue;
1337 			if (ri->prefix_len > in6_dev->cnf.accept_ra_rt_info_max_plen)
1338 				continue;
1339 			rt6_route_rcv(skb->dev, (u8 *)p, (p->nd_opt_len) << 3,
1340 				      &ipv6_hdr(skb)->saddr);
1341 		}
1342 	}
1343 
1344 skip_routeinfo:
1345 #endif
1346 
1347 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1348 	/* skip link-specific ndopts from interior routers */
1349 	if (skb->ndisc_nodetype == NDISC_NODETYPE_NODEFAULT) {
1350 		ND_PRINTK(2, info,
1351 			  "RA: %s, nodetype is NODEFAULT (interior routes), dev: %s\n",
1352 			  __func__, skb->dev->name);
1353 		goto out;
1354 	}
1355 #endif
1356 
1357 	if (in6_dev->cnf.accept_ra_pinfo && ndopts.nd_opts_pi) {
1358 		struct nd_opt_hdr *p;
1359 		for (p = ndopts.nd_opts_pi;
1360 		     p;
1361 		     p = ndisc_next_option(p, ndopts.nd_opts_pi_end)) {
1362 			addrconf_prefix_rcv(skb->dev, (u8 *)p,
1363 					    (p->nd_opt_len) << 3,
1364 					    ndopts.nd_opts_src_lladdr != NULL);
1365 		}
1366 	}
1367 
1368 	if (ndopts.nd_opts_mtu && in6_dev->cnf.accept_ra_mtu) {
1369 		__be32 n;
1370 		u32 mtu;
1371 
1372 		memcpy(&n, ((u8 *)(ndopts.nd_opts_mtu+1))+2, sizeof(mtu));
1373 		mtu = ntohl(n);
1374 
1375 		if (mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) {
1376 			ND_PRINTK(2, warn, "RA: invalid mtu: %d\n", mtu);
1377 		} else if (in6_dev->cnf.mtu6 != mtu) {
1378 			in6_dev->cnf.mtu6 = mtu;
1379 
1380 			if (rt)
1381 				dst_metric_set(&rt->dst, RTAX_MTU, mtu);
1382 
1383 			rt6_mtu_change(skb->dev, mtu);
1384 		}
1385 	}
1386 
1387 	if (ndopts.nd_useropts) {
1388 		struct nd_opt_hdr *p;
1389 		for (p = ndopts.nd_useropts;
1390 		     p;
1391 		     p = ndisc_next_useropt(p, ndopts.nd_useropts_end)) {
1392 			ndisc_ra_useropt(skb, p);
1393 		}
1394 	}
1395 
1396 	if (ndopts.nd_opts_tgt_lladdr || ndopts.nd_opts_rh) {
1397 		ND_PRINTK(2, warn, "RA: invalid RA options\n");
1398 	}
1399 out:
1400 	ip6_rt_put(rt);
1401 	if (neigh)
1402 		neigh_release(neigh);
1403 }
1404 
1405 static void ndisc_redirect_rcv(struct sk_buff *skb)
1406 {
1407 	u8 *hdr;
1408 	struct ndisc_options ndopts;
1409 	struct rd_msg *msg = (struct rd_msg *)skb_transport_header(skb);
1410 	u32 ndoptlen = skb_tail_pointer(skb) - (skb_transport_header(skb) +
1411 				    offsetof(struct rd_msg, opt));
1412 
1413 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1414 	switch (skb->ndisc_nodetype) {
1415 	case NDISC_NODETYPE_HOST:
1416 	case NDISC_NODETYPE_NODEFAULT:
1417 		ND_PRINTK(2, warn,
1418 			  "Redirect: from host or unauthorized router\n");
1419 		return;
1420 	}
1421 #endif
1422 
1423 	if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL)) {
1424 		ND_PRINTK(2, warn,
1425 			  "Redirect: source address is not link-local\n");
1426 		return;
1427 	}
1428 
1429 	if (!ndisc_parse_options(msg->opt, ndoptlen, &ndopts))
1430 		return;
1431 
1432 	if (!ndopts.nd_opts_rh) {
1433 		ip6_redirect_no_header(skb, dev_net(skb->dev),
1434 					skb->dev->ifindex, 0);
1435 		return;
1436 	}
1437 
1438 	hdr = (u8 *)ndopts.nd_opts_rh;
1439 	hdr += 8;
1440 	if (!pskb_pull(skb, hdr - skb_transport_header(skb)))
1441 		return;
1442 
1443 	icmpv6_notify(skb, NDISC_REDIRECT, 0, 0);
1444 }
1445 
1446 static void ndisc_fill_redirect_hdr_option(struct sk_buff *skb,
1447 					   struct sk_buff *orig_skb,
1448 					   int rd_len)
1449 {
1450 	u8 *opt = skb_put(skb, rd_len);
1451 
1452 	memset(opt, 0, 8);
1453 	*(opt++) = ND_OPT_REDIRECT_HDR;
1454 	*(opt++) = (rd_len >> 3);
1455 	opt += 6;
1456 
1457 	memcpy(opt, ipv6_hdr(orig_skb), rd_len - 8);
1458 }
1459 
1460 void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target)
1461 {
1462 	struct net_device *dev = skb->dev;
1463 	struct net *net = dev_net(dev);
1464 	struct sock *sk = net->ipv6.ndisc_sk;
1465 	int optlen = 0;
1466 	struct inet_peer *peer;
1467 	struct sk_buff *buff;
1468 	struct rd_msg *msg;
1469 	struct in6_addr saddr_buf;
1470 	struct rt6_info *rt;
1471 	struct dst_entry *dst;
1472 	struct flowi6 fl6;
1473 	int rd_len;
1474 	u8 ha_buf[MAX_ADDR_LEN], *ha = NULL;
1475 	bool ret;
1476 
1477 	if (ipv6_get_lladdr(dev, &saddr_buf, IFA_F_TENTATIVE)) {
1478 		ND_PRINTK(2, warn, "Redirect: no link-local address on %s\n",
1479 			  dev->name);
1480 		return;
1481 	}
1482 
1483 	if (!ipv6_addr_equal(&ipv6_hdr(skb)->daddr, target) &&
1484 	    ipv6_addr_type(target) != (IPV6_ADDR_UNICAST|IPV6_ADDR_LINKLOCAL)) {
1485 		ND_PRINTK(2, warn,
1486 			  "Redirect: target address is not link-local unicast\n");
1487 		return;
1488 	}
1489 
1490 	icmpv6_flow_init(sk, &fl6, NDISC_REDIRECT,
1491 			 &saddr_buf, &ipv6_hdr(skb)->saddr, dev->ifindex);
1492 
1493 	dst = ip6_route_output(net, NULL, &fl6);
1494 	if (dst->error) {
1495 		dst_release(dst);
1496 		return;
1497 	}
1498 	dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), NULL, 0);
1499 	if (IS_ERR(dst))
1500 		return;
1501 
1502 	rt = (struct rt6_info *) dst;
1503 
1504 	if (rt->rt6i_flags & RTF_GATEWAY) {
1505 		ND_PRINTK(2, warn,
1506 			  "Redirect: destination is not a neighbour\n");
1507 		goto release;
1508 	}
1509 	peer = inet_getpeer_v6(net->ipv6.peers, &ipv6_hdr(skb)->saddr, 1);
1510 	ret = inet_peer_xrlim_allow(peer, 1*HZ);
1511 	if (peer)
1512 		inet_putpeer(peer);
1513 	if (!ret)
1514 		goto release;
1515 
1516 	if (dev->addr_len) {
1517 		struct neighbour *neigh = dst_neigh_lookup(skb_dst(skb), target);
1518 		if (!neigh) {
1519 			ND_PRINTK(2, warn,
1520 				  "Redirect: no neigh for target address\n");
1521 			goto release;
1522 		}
1523 
1524 		read_lock_bh(&neigh->lock);
1525 		if (neigh->nud_state & NUD_VALID) {
1526 			memcpy(ha_buf, neigh->ha, dev->addr_len);
1527 			read_unlock_bh(&neigh->lock);
1528 			ha = ha_buf;
1529 			optlen += ndisc_opt_addr_space(dev);
1530 		} else
1531 			read_unlock_bh(&neigh->lock);
1532 
1533 		neigh_release(neigh);
1534 	}
1535 
1536 	rd_len = min_t(unsigned int,
1537 		       IPV6_MIN_MTU - sizeof(struct ipv6hdr) - sizeof(*msg) - optlen,
1538 		       skb->len + 8);
1539 	rd_len &= ~0x7;
1540 	optlen += rd_len;
1541 
1542 	buff = ndisc_alloc_skb(dev, sizeof(*msg) + optlen);
1543 	if (!buff)
1544 		goto release;
1545 
1546 	msg = (struct rd_msg *)skb_put(buff, sizeof(*msg));
1547 	*msg = (struct rd_msg) {
1548 		.icmph = {
1549 			.icmp6_type = NDISC_REDIRECT,
1550 		},
1551 		.target = *target,
1552 		.dest = ipv6_hdr(skb)->daddr,
1553 	};
1554 
1555 	/*
1556 	 *	include target_address option
1557 	 */
1558 
1559 	if (ha)
1560 		ndisc_fill_addr_option(buff, ND_OPT_TARGET_LL_ADDR, ha);
1561 
1562 	/*
1563 	 *	build redirect option and copy skb over to the new packet.
1564 	 */
1565 
1566 	if (rd_len)
1567 		ndisc_fill_redirect_hdr_option(buff, skb, rd_len);
1568 
1569 	skb_dst_set(buff, dst);
1570 	ndisc_send_skb(buff, &ipv6_hdr(skb)->saddr, &saddr_buf);
1571 	return;
1572 
1573 release:
1574 	dst_release(dst);
1575 }
1576 
1577 static void pndisc_redo(struct sk_buff *skb)
1578 {
1579 	ndisc_recv_ns(skb);
1580 	kfree_skb(skb);
1581 }
1582 
1583 static bool ndisc_suppress_frag_ndisc(struct sk_buff *skb)
1584 {
1585 	struct inet6_dev *idev = __in6_dev_get(skb->dev);
1586 
1587 	if (!idev)
1588 		return true;
1589 	if (IP6CB(skb)->flags & IP6SKB_FRAGMENTED &&
1590 	    idev->cnf.suppress_frag_ndisc) {
1591 		net_warn_ratelimited("Received fragmented ndisc packet. Carefully consider disabling suppress_frag_ndisc.\n");
1592 		return true;
1593 	}
1594 	return false;
1595 }
1596 
1597 int ndisc_rcv(struct sk_buff *skb)
1598 {
1599 	struct nd_msg *msg;
1600 
1601 	if (ndisc_suppress_frag_ndisc(skb))
1602 		return 0;
1603 
1604 	if (skb_linearize(skb))
1605 		return 0;
1606 
1607 	msg = (struct nd_msg *)skb_transport_header(skb);
1608 
1609 	__skb_push(skb, skb->data - skb_transport_header(skb));
1610 
1611 	if (ipv6_hdr(skb)->hop_limit != 255) {
1612 		ND_PRINTK(2, warn, "NDISC: invalid hop-limit: %d\n",
1613 			  ipv6_hdr(skb)->hop_limit);
1614 		return 0;
1615 	}
1616 
1617 	if (msg->icmph.icmp6_code != 0) {
1618 		ND_PRINTK(2, warn, "NDISC: invalid ICMPv6 code: %d\n",
1619 			  msg->icmph.icmp6_code);
1620 		return 0;
1621 	}
1622 
1623 	memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb));
1624 
1625 	switch (msg->icmph.icmp6_type) {
1626 	case NDISC_NEIGHBOUR_SOLICITATION:
1627 		ndisc_recv_ns(skb);
1628 		break;
1629 
1630 	case NDISC_NEIGHBOUR_ADVERTISEMENT:
1631 		ndisc_recv_na(skb);
1632 		break;
1633 
1634 	case NDISC_ROUTER_SOLICITATION:
1635 		ndisc_recv_rs(skb);
1636 		break;
1637 
1638 	case NDISC_ROUTER_ADVERTISEMENT:
1639 		ndisc_router_discovery(skb);
1640 		break;
1641 
1642 	case NDISC_REDIRECT:
1643 		ndisc_redirect_rcv(skb);
1644 		break;
1645 	}
1646 
1647 	return 0;
1648 }
1649 
1650 static int ndisc_netdev_event(struct notifier_block *this, unsigned long event, void *ptr)
1651 {
1652 	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
1653 	struct net *net = dev_net(dev);
1654 	struct inet6_dev *idev;
1655 
1656 	switch (event) {
1657 	case NETDEV_CHANGEADDR:
1658 		neigh_changeaddr(&nd_tbl, dev);
1659 		fib6_run_gc(0, net, false);
1660 		idev = in6_dev_get(dev);
1661 		if (!idev)
1662 			break;
1663 		if (idev->cnf.ndisc_notify)
1664 			ndisc_send_unsol_na(dev);
1665 		in6_dev_put(idev);
1666 		break;
1667 	case NETDEV_DOWN:
1668 		neigh_ifdown(&nd_tbl, dev);
1669 		fib6_run_gc(0, net, false);
1670 		break;
1671 	case NETDEV_NOTIFY_PEERS:
1672 		ndisc_send_unsol_na(dev);
1673 		break;
1674 	default:
1675 		break;
1676 	}
1677 
1678 	return NOTIFY_DONE;
1679 }
1680 
1681 static struct notifier_block ndisc_netdev_notifier = {
1682 	.notifier_call = ndisc_netdev_event,
1683 };
1684 
1685 #ifdef CONFIG_SYSCTL
1686 static void ndisc_warn_deprecated_sysctl(struct ctl_table *ctl,
1687 					 const char *func, const char *dev_name)
1688 {
1689 	static char warncomm[TASK_COMM_LEN];
1690 	static int warned;
1691 	if (strcmp(warncomm, current->comm) && warned < 5) {
1692 		strcpy(warncomm, current->comm);
1693 		pr_warn("process `%s' is using deprecated sysctl (%s) net.ipv6.neigh.%s.%s - use net.ipv6.neigh.%s.%s_ms instead\n",
1694 			warncomm, func,
1695 			dev_name, ctl->procname,
1696 			dev_name, ctl->procname);
1697 		warned++;
1698 	}
1699 }
1700 
1701 int ndisc_ifinfo_sysctl_change(struct ctl_table *ctl, int write, void __user *buffer, size_t *lenp, loff_t *ppos)
1702 {
1703 	struct net_device *dev = ctl->extra1;
1704 	struct inet6_dev *idev;
1705 	int ret;
1706 
1707 	if ((strcmp(ctl->procname, "retrans_time") == 0) ||
1708 	    (strcmp(ctl->procname, "base_reachable_time") == 0))
1709 		ndisc_warn_deprecated_sysctl(ctl, "syscall", dev ? dev->name : "default");
1710 
1711 	if (strcmp(ctl->procname, "retrans_time") == 0)
1712 		ret = neigh_proc_dointvec(ctl, write, buffer, lenp, ppos);
1713 
1714 	else if (strcmp(ctl->procname, "base_reachable_time") == 0)
1715 		ret = neigh_proc_dointvec_jiffies(ctl, write,
1716 						  buffer, lenp, ppos);
1717 
1718 	else if ((strcmp(ctl->procname, "retrans_time_ms") == 0) ||
1719 		 (strcmp(ctl->procname, "base_reachable_time_ms") == 0))
1720 		ret = neigh_proc_dointvec_ms_jiffies(ctl, write,
1721 						     buffer, lenp, ppos);
1722 	else
1723 		ret = -1;
1724 
1725 	if (write && ret == 0 && dev && (idev = in6_dev_get(dev)) != NULL) {
1726 		if (ctl->data == &NEIGH_VAR(idev->nd_parms, BASE_REACHABLE_TIME))
1727 			idev->nd_parms->reachable_time =
1728 					neigh_rand_reach_time(NEIGH_VAR(idev->nd_parms, BASE_REACHABLE_TIME));
1729 		idev->tstamp = jiffies;
1730 		inet6_ifinfo_notify(RTM_NEWLINK, idev);
1731 		in6_dev_put(idev);
1732 	}
1733 	return ret;
1734 }
1735 
1736 
1737 #endif
1738 
1739 static int __net_init ndisc_net_init(struct net *net)
1740 {
1741 	struct ipv6_pinfo *np;
1742 	struct sock *sk;
1743 	int err;
1744 
1745 	err = inet_ctl_sock_create(&sk, PF_INET6,
1746 				   SOCK_RAW, IPPROTO_ICMPV6, net);
1747 	if (err < 0) {
1748 		ND_PRINTK(0, err,
1749 			  "NDISC: Failed to initialize the control socket (err %d)\n",
1750 			  err);
1751 		return err;
1752 	}
1753 
1754 	net->ipv6.ndisc_sk = sk;
1755 
1756 	np = inet6_sk(sk);
1757 	np->hop_limit = 255;
1758 	/* Do not loopback ndisc messages */
1759 	np->mc_loop = 0;
1760 
1761 	return 0;
1762 }
1763 
1764 static void __net_exit ndisc_net_exit(struct net *net)
1765 {
1766 	inet_ctl_sock_destroy(net->ipv6.ndisc_sk);
1767 }
1768 
1769 static struct pernet_operations ndisc_net_ops = {
1770 	.init = ndisc_net_init,
1771 	.exit = ndisc_net_exit,
1772 };
1773 
1774 int __init ndisc_init(void)
1775 {
1776 	int err;
1777 
1778 	err = register_pernet_subsys(&ndisc_net_ops);
1779 	if (err)
1780 		return err;
1781 	/*
1782 	 * Initialize the neighbour table
1783 	 */
1784 	neigh_table_init(NEIGH_ND_TABLE, &nd_tbl);
1785 
1786 #ifdef CONFIG_SYSCTL
1787 	err = neigh_sysctl_register(NULL, &nd_tbl.parms,
1788 				    ndisc_ifinfo_sysctl_change);
1789 	if (err)
1790 		goto out_unregister_pernet;
1791 out:
1792 #endif
1793 	return err;
1794 
1795 #ifdef CONFIG_SYSCTL
1796 out_unregister_pernet:
1797 	unregister_pernet_subsys(&ndisc_net_ops);
1798 	goto out;
1799 #endif
1800 }
1801 
1802 int __init ndisc_late_init(void)
1803 {
1804 	return register_netdevice_notifier(&ndisc_netdev_notifier);
1805 }
1806 
1807 void ndisc_late_cleanup(void)
1808 {
1809 	unregister_netdevice_notifier(&ndisc_netdev_notifier);
1810 }
1811 
1812 void ndisc_cleanup(void)
1813 {
1814 #ifdef CONFIG_SYSCTL
1815 	neigh_sysctl_unregister(&nd_tbl.parms);
1816 #endif
1817 	neigh_table_clear(NEIGH_ND_TABLE, &nd_tbl);
1818 	unregister_pernet_subsys(&ndisc_net_ops);
1819 }
1820