xref: /openbmc/linux/net/ipv6/ndisc.c (revision e23feb16)
1 /*
2  *	Neighbour Discovery for IPv6
3  *	Linux INET6 implementation
4  *
5  *	Authors:
6  *	Pedro Roque		<roque@di.fc.ul.pt>
7  *	Mike Shaver		<shaver@ingenia.com>
8  *
9  *	This program is free software; you can redistribute it and/or
10  *      modify it under the terms of the GNU General Public License
11  *      as published by the Free Software Foundation; either version
12  *      2 of the License, or (at your option) any later version.
13  */
14 
15 /*
16  *	Changes:
17  *
18  *	Alexey I. Froloff		:	RFC6106 (DNSSL) support
19  *	Pierre Ynard			:	export userland ND options
20  *						through netlink (RDNSS support)
21  *	Lars Fenneberg			:	fixed MTU setting on receipt
22  *						of an RA.
23  *	Janos Farkas			:	kmalloc failure checks
24  *	Alexey Kuznetsov		:	state machine reworked
25  *						and moved to net/core.
26  *	Pekka Savola			:	RFC2461 validation
27  *	YOSHIFUJI Hideaki @USAGI	:	Verify ND options properly
28  */
29 
30 #define pr_fmt(fmt) "ICMPv6: " fmt
31 
32 #include <linux/module.h>
33 #include <linux/errno.h>
34 #include <linux/types.h>
35 #include <linux/socket.h>
36 #include <linux/sockios.h>
37 #include <linux/sched.h>
38 #include <linux/net.h>
39 #include <linux/in6.h>
40 #include <linux/route.h>
41 #include <linux/init.h>
42 #include <linux/rcupdate.h>
43 #include <linux/slab.h>
44 #ifdef CONFIG_SYSCTL
45 #include <linux/sysctl.h>
46 #endif
47 
48 #include <linux/if_addr.h>
49 #include <linux/if_arp.h>
50 #include <linux/ipv6.h>
51 #include <linux/icmpv6.h>
52 #include <linux/jhash.h>
53 
54 #include <net/sock.h>
55 #include <net/snmp.h>
56 
57 #include <net/ipv6.h>
58 #include <net/protocol.h>
59 #include <net/ndisc.h>
60 #include <net/ip6_route.h>
61 #include <net/addrconf.h>
62 #include <net/icmp.h>
63 
64 #include <net/netlink.h>
65 #include <linux/rtnetlink.h>
66 
67 #include <net/flow.h>
68 #include <net/ip6_checksum.h>
69 #include <net/inet_common.h>
70 #include <linux/proc_fs.h>
71 
72 #include <linux/netfilter.h>
73 #include <linux/netfilter_ipv6.h>
74 
75 /* Set to 3 to get tracing... */
76 #define ND_DEBUG 1
77 
78 #define ND_PRINTK(val, level, fmt, ...)				\
79 do {								\
80 	if (val <= ND_DEBUG)					\
81 		net_##level##_ratelimited(fmt, ##__VA_ARGS__);	\
82 } while (0)
83 
84 static u32 ndisc_hash(const void *pkey,
85 		      const struct net_device *dev,
86 		      __u32 *hash_rnd);
87 static int ndisc_constructor(struct neighbour *neigh);
88 static void ndisc_solicit(struct neighbour *neigh, struct sk_buff *skb);
89 static void ndisc_error_report(struct neighbour *neigh, struct sk_buff *skb);
90 static int pndisc_constructor(struct pneigh_entry *n);
91 static void pndisc_destructor(struct pneigh_entry *n);
92 static void pndisc_redo(struct sk_buff *skb);
93 
94 static const struct neigh_ops ndisc_generic_ops = {
95 	.family =		AF_INET6,
96 	.solicit =		ndisc_solicit,
97 	.error_report =		ndisc_error_report,
98 	.output =		neigh_resolve_output,
99 	.connected_output =	neigh_connected_output,
100 };
101 
102 static const struct neigh_ops ndisc_hh_ops = {
103 	.family =		AF_INET6,
104 	.solicit =		ndisc_solicit,
105 	.error_report =		ndisc_error_report,
106 	.output =		neigh_resolve_output,
107 	.connected_output =	neigh_resolve_output,
108 };
109 
110 
111 static const struct neigh_ops ndisc_direct_ops = {
112 	.family =		AF_INET6,
113 	.output =		neigh_direct_output,
114 	.connected_output =	neigh_direct_output,
115 };
116 
117 struct neigh_table nd_tbl = {
118 	.family =	AF_INET6,
119 	.key_len =	sizeof(struct in6_addr),
120 	.hash =		ndisc_hash,
121 	.constructor =	ndisc_constructor,
122 	.pconstructor =	pndisc_constructor,
123 	.pdestructor =	pndisc_destructor,
124 	.proxy_redo =	pndisc_redo,
125 	.id =		"ndisc_cache",
126 	.parms = {
127 		.tbl			= &nd_tbl,
128 		.base_reachable_time	= ND_REACHABLE_TIME,
129 		.retrans_time		= ND_RETRANS_TIMER,
130 		.gc_staletime		= 60 * HZ,
131 		.reachable_time		= ND_REACHABLE_TIME,
132 		.delay_probe_time	= 5 * HZ,
133 		.queue_len_bytes	= 64*1024,
134 		.ucast_probes		= 3,
135 		.mcast_probes		= 3,
136 		.anycast_delay		= 1 * HZ,
137 		.proxy_delay		= (8 * HZ) / 10,
138 		.proxy_qlen		= 64,
139 	},
140 	.gc_interval =	  30 * HZ,
141 	.gc_thresh1 =	 128,
142 	.gc_thresh2 =	 512,
143 	.gc_thresh3 =	1024,
144 };
145 
146 static void ndisc_fill_addr_option(struct sk_buff *skb, int type, void *data)
147 {
148 	int pad   = ndisc_addr_option_pad(skb->dev->type);
149 	int data_len = skb->dev->addr_len;
150 	int space = ndisc_opt_addr_space(skb->dev);
151 	u8 *opt = skb_put(skb, space);
152 
153 	opt[0] = type;
154 	opt[1] = space>>3;
155 
156 	memset(opt + 2, 0, pad);
157 	opt   += pad;
158 	space -= pad;
159 
160 	memcpy(opt+2, data, data_len);
161 	data_len += 2;
162 	opt += data_len;
163 	if ((space -= data_len) > 0)
164 		memset(opt, 0, space);
165 }
166 
167 static struct nd_opt_hdr *ndisc_next_option(struct nd_opt_hdr *cur,
168 					    struct nd_opt_hdr *end)
169 {
170 	int type;
171 	if (!cur || !end || cur >= end)
172 		return NULL;
173 	type = cur->nd_opt_type;
174 	do {
175 		cur = ((void *)cur) + (cur->nd_opt_len << 3);
176 	} while(cur < end && cur->nd_opt_type != type);
177 	return cur <= end && cur->nd_opt_type == type ? cur : NULL;
178 }
179 
180 static inline int ndisc_is_useropt(struct nd_opt_hdr *opt)
181 {
182 	return opt->nd_opt_type == ND_OPT_RDNSS ||
183 		opt->nd_opt_type == ND_OPT_DNSSL;
184 }
185 
186 static struct nd_opt_hdr *ndisc_next_useropt(struct nd_opt_hdr *cur,
187 					     struct nd_opt_hdr *end)
188 {
189 	if (!cur || !end || cur >= end)
190 		return NULL;
191 	do {
192 		cur = ((void *)cur) + (cur->nd_opt_len << 3);
193 	} while(cur < end && !ndisc_is_useropt(cur));
194 	return cur <= end && ndisc_is_useropt(cur) ? cur : NULL;
195 }
196 
197 struct ndisc_options *ndisc_parse_options(u8 *opt, int opt_len,
198 					  struct ndisc_options *ndopts)
199 {
200 	struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)opt;
201 
202 	if (!nd_opt || opt_len < 0 || !ndopts)
203 		return NULL;
204 	memset(ndopts, 0, sizeof(*ndopts));
205 	while (opt_len) {
206 		int l;
207 		if (opt_len < sizeof(struct nd_opt_hdr))
208 			return NULL;
209 		l = nd_opt->nd_opt_len << 3;
210 		if (opt_len < l || l == 0)
211 			return NULL;
212 		switch (nd_opt->nd_opt_type) {
213 		case ND_OPT_SOURCE_LL_ADDR:
214 		case ND_OPT_TARGET_LL_ADDR:
215 		case ND_OPT_MTU:
216 		case ND_OPT_REDIRECT_HDR:
217 			if (ndopts->nd_opt_array[nd_opt->nd_opt_type]) {
218 				ND_PRINTK(2, warn,
219 					  "%s: duplicated ND6 option found: type=%d\n",
220 					  __func__, nd_opt->nd_opt_type);
221 			} else {
222 				ndopts->nd_opt_array[nd_opt->nd_opt_type] = nd_opt;
223 			}
224 			break;
225 		case ND_OPT_PREFIX_INFO:
226 			ndopts->nd_opts_pi_end = nd_opt;
227 			if (!ndopts->nd_opt_array[nd_opt->nd_opt_type])
228 				ndopts->nd_opt_array[nd_opt->nd_opt_type] = nd_opt;
229 			break;
230 #ifdef CONFIG_IPV6_ROUTE_INFO
231 		case ND_OPT_ROUTE_INFO:
232 			ndopts->nd_opts_ri_end = nd_opt;
233 			if (!ndopts->nd_opts_ri)
234 				ndopts->nd_opts_ri = nd_opt;
235 			break;
236 #endif
237 		default:
238 			if (ndisc_is_useropt(nd_opt)) {
239 				ndopts->nd_useropts_end = nd_opt;
240 				if (!ndopts->nd_useropts)
241 					ndopts->nd_useropts = nd_opt;
242 			} else {
243 				/*
244 				 * Unknown options must be silently ignored,
245 				 * to accommodate future extension to the
246 				 * protocol.
247 				 */
248 				ND_PRINTK(2, notice,
249 					  "%s: ignored unsupported option; type=%d, len=%d\n",
250 					  __func__,
251 					  nd_opt->nd_opt_type,
252 					  nd_opt->nd_opt_len);
253 			}
254 		}
255 		opt_len -= l;
256 		nd_opt = ((void *)nd_opt) + l;
257 	}
258 	return ndopts;
259 }
260 
261 int ndisc_mc_map(const struct in6_addr *addr, char *buf, struct net_device *dev, int dir)
262 {
263 	switch (dev->type) {
264 	case ARPHRD_ETHER:
265 	case ARPHRD_IEEE802:	/* Not sure. Check it later. --ANK */
266 	case ARPHRD_FDDI:
267 		ipv6_eth_mc_map(addr, buf);
268 		return 0;
269 	case ARPHRD_ARCNET:
270 		ipv6_arcnet_mc_map(addr, buf);
271 		return 0;
272 	case ARPHRD_INFINIBAND:
273 		ipv6_ib_mc_map(addr, dev->broadcast, buf);
274 		return 0;
275 	case ARPHRD_IPGRE:
276 		return ipv6_ipgre_mc_map(addr, dev->broadcast, buf);
277 	default:
278 		if (dir) {
279 			memcpy(buf, dev->broadcast, dev->addr_len);
280 			return 0;
281 		}
282 	}
283 	return -EINVAL;
284 }
285 
286 EXPORT_SYMBOL(ndisc_mc_map);
287 
288 static u32 ndisc_hash(const void *pkey,
289 		      const struct net_device *dev,
290 		      __u32 *hash_rnd)
291 {
292 	return ndisc_hashfn(pkey, dev, hash_rnd);
293 }
294 
295 static int ndisc_constructor(struct neighbour *neigh)
296 {
297 	struct in6_addr *addr = (struct in6_addr*)&neigh->primary_key;
298 	struct net_device *dev = neigh->dev;
299 	struct inet6_dev *in6_dev;
300 	struct neigh_parms *parms;
301 	bool is_multicast = ipv6_addr_is_multicast(addr);
302 
303 	in6_dev = in6_dev_get(dev);
304 	if (in6_dev == NULL) {
305 		return -EINVAL;
306 	}
307 
308 	parms = in6_dev->nd_parms;
309 	__neigh_parms_put(neigh->parms);
310 	neigh->parms = neigh_parms_clone(parms);
311 
312 	neigh->type = is_multicast ? RTN_MULTICAST : RTN_UNICAST;
313 	if (!dev->header_ops) {
314 		neigh->nud_state = NUD_NOARP;
315 		neigh->ops = &ndisc_direct_ops;
316 		neigh->output = neigh_direct_output;
317 	} else {
318 		if (is_multicast) {
319 			neigh->nud_state = NUD_NOARP;
320 			ndisc_mc_map(addr, neigh->ha, dev, 1);
321 		} else if (dev->flags&(IFF_NOARP|IFF_LOOPBACK)) {
322 			neigh->nud_state = NUD_NOARP;
323 			memcpy(neigh->ha, dev->dev_addr, dev->addr_len);
324 			if (dev->flags&IFF_LOOPBACK)
325 				neigh->type = RTN_LOCAL;
326 		} else if (dev->flags&IFF_POINTOPOINT) {
327 			neigh->nud_state = NUD_NOARP;
328 			memcpy(neigh->ha, dev->broadcast, dev->addr_len);
329 		}
330 		if (dev->header_ops->cache)
331 			neigh->ops = &ndisc_hh_ops;
332 		else
333 			neigh->ops = &ndisc_generic_ops;
334 		if (neigh->nud_state&NUD_VALID)
335 			neigh->output = neigh->ops->connected_output;
336 		else
337 			neigh->output = neigh->ops->output;
338 	}
339 	in6_dev_put(in6_dev);
340 	return 0;
341 }
342 
343 static int pndisc_constructor(struct pneigh_entry *n)
344 {
345 	struct in6_addr *addr = (struct in6_addr*)&n->key;
346 	struct in6_addr maddr;
347 	struct net_device *dev = n->dev;
348 
349 	if (dev == NULL || __in6_dev_get(dev) == NULL)
350 		return -EINVAL;
351 	addrconf_addr_solict_mult(addr, &maddr);
352 	ipv6_dev_mc_inc(dev, &maddr);
353 	return 0;
354 }
355 
356 static void pndisc_destructor(struct pneigh_entry *n)
357 {
358 	struct in6_addr *addr = (struct in6_addr*)&n->key;
359 	struct in6_addr maddr;
360 	struct net_device *dev = n->dev;
361 
362 	if (dev == NULL || __in6_dev_get(dev) == NULL)
363 		return;
364 	addrconf_addr_solict_mult(addr, &maddr);
365 	ipv6_dev_mc_dec(dev, &maddr);
366 }
367 
368 static struct sk_buff *ndisc_alloc_skb(struct net_device *dev,
369 				       int len)
370 {
371 	int hlen = LL_RESERVED_SPACE(dev);
372 	int tlen = dev->needed_tailroom;
373 	struct sock *sk = dev_net(dev)->ipv6.ndisc_sk;
374 	struct sk_buff *skb;
375 
376 	skb = alloc_skb(hlen + sizeof(struct ipv6hdr) + len + tlen, GFP_ATOMIC);
377 	if (!skb) {
378 		ND_PRINTK(0, err, "ndisc: %s failed to allocate an skb\n",
379 			  __func__);
380 		return NULL;
381 	}
382 
383 	skb->protocol = htons(ETH_P_IPV6);
384 	skb->dev = dev;
385 
386 	skb_reserve(skb, hlen + sizeof(struct ipv6hdr));
387 	skb_reset_transport_header(skb);
388 
389 	/* Manually assign socket ownership as we avoid calling
390 	 * sock_alloc_send_pskb() to bypass wmem buffer limits
391 	 */
392 	skb_set_owner_w(skb, sk);
393 
394 	return skb;
395 }
396 
397 static void ip6_nd_hdr(struct sk_buff *skb,
398 		       const struct in6_addr *saddr,
399 		       const struct in6_addr *daddr,
400 		       int hop_limit, int len)
401 {
402 	struct ipv6hdr *hdr;
403 
404 	skb_push(skb, sizeof(*hdr));
405 	skb_reset_network_header(skb);
406 	hdr = ipv6_hdr(skb);
407 
408 	ip6_flow_hdr(hdr, 0, 0);
409 
410 	hdr->payload_len = htons(len);
411 	hdr->nexthdr = IPPROTO_ICMPV6;
412 	hdr->hop_limit = hop_limit;
413 
414 	hdr->saddr = *saddr;
415 	hdr->daddr = *daddr;
416 }
417 
418 static void ndisc_send_skb(struct sk_buff *skb,
419 			   const struct in6_addr *daddr,
420 			   const struct in6_addr *saddr)
421 {
422 	struct dst_entry *dst = skb_dst(skb);
423 	struct net *net = dev_net(skb->dev);
424 	struct sock *sk = net->ipv6.ndisc_sk;
425 	struct inet6_dev *idev;
426 	int err;
427 	struct icmp6hdr *icmp6h = icmp6_hdr(skb);
428 	u8 type;
429 
430 	type = icmp6h->icmp6_type;
431 
432 	if (!dst) {
433 		struct flowi6 fl6;
434 
435 		icmpv6_flow_init(sk, &fl6, type, saddr, daddr, skb->dev->ifindex);
436 		dst = icmp6_dst_alloc(skb->dev, &fl6);
437 		if (IS_ERR(dst)) {
438 			kfree_skb(skb);
439 			return;
440 		}
441 
442 		skb_dst_set(skb, dst);
443 	}
444 
445 	icmp6h->icmp6_cksum = csum_ipv6_magic(saddr, daddr, skb->len,
446 					      IPPROTO_ICMPV6,
447 					      csum_partial(icmp6h,
448 							   skb->len, 0));
449 
450 	ip6_nd_hdr(skb, saddr, daddr, inet6_sk(sk)->hop_limit, skb->len);
451 
452 	rcu_read_lock();
453 	idev = __in6_dev_get(dst->dev);
454 	IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len);
455 
456 	err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL, dst->dev,
457 		      dst_output);
458 	if (!err) {
459 		ICMP6MSGOUT_INC_STATS(net, idev, type);
460 		ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS);
461 	}
462 
463 	rcu_read_unlock();
464 }
465 
466 void ndisc_send_na(struct net_device *dev, struct neighbour *neigh,
467 		   const struct in6_addr *daddr,
468 		   const struct in6_addr *solicited_addr,
469 		   bool router, bool solicited, bool override, bool inc_opt)
470 {
471 	struct sk_buff *skb;
472 	struct in6_addr tmpaddr;
473 	struct inet6_ifaddr *ifp;
474 	const struct in6_addr *src_addr;
475 	struct nd_msg *msg;
476 	int optlen = 0;
477 
478 	/* for anycast or proxy, solicited_addr != src_addr */
479 	ifp = ipv6_get_ifaddr(dev_net(dev), solicited_addr, dev, 1);
480 	if (ifp) {
481 		src_addr = solicited_addr;
482 		if (ifp->flags & IFA_F_OPTIMISTIC)
483 			override = false;
484 		inc_opt |= ifp->idev->cnf.force_tllao;
485 		in6_ifa_put(ifp);
486 	} else {
487 		if (ipv6_dev_get_saddr(dev_net(dev), dev, daddr,
488 				       inet6_sk(dev_net(dev)->ipv6.ndisc_sk)->srcprefs,
489 				       &tmpaddr))
490 			return;
491 		src_addr = &tmpaddr;
492 	}
493 
494 	if (!dev->addr_len)
495 		inc_opt = 0;
496 	if (inc_opt)
497 		optlen += ndisc_opt_addr_space(dev);
498 
499 	skb = ndisc_alloc_skb(dev, sizeof(*msg) + optlen);
500 	if (!skb)
501 		return;
502 
503 	msg = (struct nd_msg *)skb_put(skb, sizeof(*msg));
504 	*msg = (struct nd_msg) {
505 		.icmph = {
506 			.icmp6_type = NDISC_NEIGHBOUR_ADVERTISEMENT,
507 			.icmp6_router = router,
508 			.icmp6_solicited = solicited,
509 			.icmp6_override = override,
510 		},
511 		.target = *solicited_addr,
512 	};
513 
514 	if (inc_opt)
515 		ndisc_fill_addr_option(skb, ND_OPT_TARGET_LL_ADDR,
516 				       dev->dev_addr);
517 
518 
519 	ndisc_send_skb(skb, daddr, src_addr);
520 }
521 
522 static void ndisc_send_unsol_na(struct net_device *dev)
523 {
524 	struct inet6_dev *idev;
525 	struct inet6_ifaddr *ifa;
526 
527 	idev = in6_dev_get(dev);
528 	if (!idev)
529 		return;
530 
531 	read_lock_bh(&idev->lock);
532 	list_for_each_entry(ifa, &idev->addr_list, if_list) {
533 		ndisc_send_na(dev, NULL, &in6addr_linklocal_allnodes, &ifa->addr,
534 			      /*router=*/ !!idev->cnf.forwarding,
535 			      /*solicited=*/ false, /*override=*/ true,
536 			      /*inc_opt=*/ true);
537 	}
538 	read_unlock_bh(&idev->lock);
539 
540 	in6_dev_put(idev);
541 }
542 
543 void ndisc_send_ns(struct net_device *dev, struct neighbour *neigh,
544 		   const struct in6_addr *solicit,
545 		   const struct in6_addr *daddr, const struct in6_addr *saddr)
546 {
547 	struct sk_buff *skb;
548 	struct in6_addr addr_buf;
549 	int inc_opt = dev->addr_len;
550 	int optlen = 0;
551 	struct nd_msg *msg;
552 
553 	if (saddr == NULL) {
554 		if (ipv6_get_lladdr(dev, &addr_buf,
555 				   (IFA_F_TENTATIVE|IFA_F_OPTIMISTIC)))
556 			return;
557 		saddr = &addr_buf;
558 	}
559 
560 	if (ipv6_addr_any(saddr))
561 		inc_opt = false;
562 	if (inc_opt)
563 		optlen += ndisc_opt_addr_space(dev);
564 
565 	skb = ndisc_alloc_skb(dev, sizeof(*msg) + optlen);
566 	if (!skb)
567 		return;
568 
569 	msg = (struct nd_msg *)skb_put(skb, sizeof(*msg));
570 	*msg = (struct nd_msg) {
571 		.icmph = {
572 			.icmp6_type = NDISC_NEIGHBOUR_SOLICITATION,
573 		},
574 		.target = *solicit,
575 	};
576 
577 	if (inc_opt)
578 		ndisc_fill_addr_option(skb, ND_OPT_SOURCE_LL_ADDR,
579 				       dev->dev_addr);
580 
581 	ndisc_send_skb(skb, daddr, saddr);
582 }
583 
584 void ndisc_send_rs(struct net_device *dev, const struct in6_addr *saddr,
585 		   const struct in6_addr *daddr)
586 {
587 	struct sk_buff *skb;
588 	struct rs_msg *msg;
589 	int send_sllao = dev->addr_len;
590 	int optlen = 0;
591 
592 #ifdef CONFIG_IPV6_OPTIMISTIC_DAD
593 	/*
594 	 * According to section 2.2 of RFC 4429, we must not
595 	 * send router solicitations with a sllao from
596 	 * optimistic addresses, but we may send the solicitation
597 	 * if we don't include the sllao.  So here we check
598 	 * if our address is optimistic, and if so, we
599 	 * suppress the inclusion of the sllao.
600 	 */
601 	if (send_sllao) {
602 		struct inet6_ifaddr *ifp = ipv6_get_ifaddr(dev_net(dev), saddr,
603 							   dev, 1);
604 		if (ifp) {
605 			if (ifp->flags & IFA_F_OPTIMISTIC)  {
606 				send_sllao = 0;
607 			}
608 			in6_ifa_put(ifp);
609 		} else {
610 			send_sllao = 0;
611 		}
612 	}
613 #endif
614 	if (send_sllao)
615 		optlen += ndisc_opt_addr_space(dev);
616 
617 	skb = ndisc_alloc_skb(dev, sizeof(*msg) + optlen);
618 	if (!skb)
619 		return;
620 
621 	msg = (struct rs_msg *)skb_put(skb, sizeof(*msg));
622 	*msg = (struct rs_msg) {
623 		.icmph = {
624 			.icmp6_type = NDISC_ROUTER_SOLICITATION,
625 		},
626 	};
627 
628 	if (send_sllao)
629 		ndisc_fill_addr_option(skb, ND_OPT_SOURCE_LL_ADDR,
630 				       dev->dev_addr);
631 
632 	ndisc_send_skb(skb, daddr, saddr);
633 }
634 
635 
636 static void ndisc_error_report(struct neighbour *neigh, struct sk_buff *skb)
637 {
638 	/*
639 	 *	"The sender MUST return an ICMP
640 	 *	 destination unreachable"
641 	 */
642 	dst_link_failure(skb);
643 	kfree_skb(skb);
644 }
645 
646 /* Called with locked neigh: either read or both */
647 
648 static void ndisc_solicit(struct neighbour *neigh, struct sk_buff *skb)
649 {
650 	struct in6_addr *saddr = NULL;
651 	struct in6_addr mcaddr;
652 	struct net_device *dev = neigh->dev;
653 	struct in6_addr *target = (struct in6_addr *)&neigh->primary_key;
654 	int probes = atomic_read(&neigh->probes);
655 
656 	if (skb && ipv6_chk_addr(dev_net(dev), &ipv6_hdr(skb)->saddr, dev, 1))
657 		saddr = &ipv6_hdr(skb)->saddr;
658 
659 	if ((probes -= neigh->parms->ucast_probes) < 0) {
660 		if (!(neigh->nud_state & NUD_VALID)) {
661 			ND_PRINTK(1, dbg,
662 				  "%s: trying to ucast probe in NUD_INVALID: %pI6\n",
663 				  __func__, target);
664 		}
665 		ndisc_send_ns(dev, neigh, target, target, saddr);
666 	} else if ((probes -= neigh->parms->app_probes) < 0) {
667 		neigh_app_ns(neigh);
668 	} else {
669 		addrconf_addr_solict_mult(target, &mcaddr);
670 		ndisc_send_ns(dev, NULL, target, &mcaddr, saddr);
671 	}
672 }
673 
674 static int pndisc_is_router(const void *pkey,
675 			    struct net_device *dev)
676 {
677 	struct pneigh_entry *n;
678 	int ret = -1;
679 
680 	read_lock_bh(&nd_tbl.lock);
681 	n = __pneigh_lookup(&nd_tbl, dev_net(dev), pkey, dev);
682 	if (n)
683 		ret = !!(n->flags & NTF_ROUTER);
684 	read_unlock_bh(&nd_tbl.lock);
685 
686 	return ret;
687 }
688 
689 static void ndisc_recv_ns(struct sk_buff *skb)
690 {
691 	struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
692 	const struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
693 	const struct in6_addr *daddr = &ipv6_hdr(skb)->daddr;
694 	u8 *lladdr = NULL;
695 	u32 ndoptlen = skb_tail_pointer(skb) - (skb_transport_header(skb) +
696 				    offsetof(struct nd_msg, opt));
697 	struct ndisc_options ndopts;
698 	struct net_device *dev = skb->dev;
699 	struct inet6_ifaddr *ifp;
700 	struct inet6_dev *idev = NULL;
701 	struct neighbour *neigh;
702 	int dad = ipv6_addr_any(saddr);
703 	bool inc;
704 	int is_router = -1;
705 
706 	if (skb->len < sizeof(struct nd_msg)) {
707 		ND_PRINTK(2, warn, "NS: packet too short\n");
708 		return;
709 	}
710 
711 	if (ipv6_addr_is_multicast(&msg->target)) {
712 		ND_PRINTK(2, warn, "NS: multicast target address\n");
713 		return;
714 	}
715 
716 	/*
717 	 * RFC2461 7.1.1:
718 	 * DAD has to be destined for solicited node multicast address.
719 	 */
720 	if (dad && !ipv6_addr_is_solict_mult(daddr)) {
721 		ND_PRINTK(2, warn, "NS: bad DAD packet (wrong destination)\n");
722 		return;
723 	}
724 
725 	if (!ndisc_parse_options(msg->opt, ndoptlen, &ndopts)) {
726 		ND_PRINTK(2, warn, "NS: invalid ND options\n");
727 		return;
728 	}
729 
730 	if (ndopts.nd_opts_src_lladdr) {
731 		lladdr = ndisc_opt_addr_data(ndopts.nd_opts_src_lladdr, dev);
732 		if (!lladdr) {
733 			ND_PRINTK(2, warn,
734 				  "NS: invalid link-layer address length\n");
735 			return;
736 		}
737 
738 		/* RFC2461 7.1.1:
739 		 *	If the IP source address is the unspecified address,
740 		 *	there MUST NOT be source link-layer address option
741 		 *	in the message.
742 		 */
743 		if (dad) {
744 			ND_PRINTK(2, warn,
745 				  "NS: bad DAD packet (link-layer address option)\n");
746 			return;
747 		}
748 	}
749 
750 	inc = ipv6_addr_is_multicast(daddr);
751 
752 	ifp = ipv6_get_ifaddr(dev_net(dev), &msg->target, dev, 1);
753 	if (ifp) {
754 
755 		if (ifp->flags & (IFA_F_TENTATIVE|IFA_F_OPTIMISTIC)) {
756 			if (dad) {
757 				/*
758 				 * We are colliding with another node
759 				 * who is doing DAD
760 				 * so fail our DAD process
761 				 */
762 				addrconf_dad_failure(ifp);
763 				return;
764 			} else {
765 				/*
766 				 * This is not a dad solicitation.
767 				 * If we are an optimistic node,
768 				 * we should respond.
769 				 * Otherwise, we should ignore it.
770 				 */
771 				if (!(ifp->flags & IFA_F_OPTIMISTIC))
772 					goto out;
773 			}
774 		}
775 
776 		idev = ifp->idev;
777 	} else {
778 		struct net *net = dev_net(dev);
779 
780 		idev = in6_dev_get(dev);
781 		if (!idev) {
782 			/* XXX: count this drop? */
783 			return;
784 		}
785 
786 		if (ipv6_chk_acast_addr(net, dev, &msg->target) ||
787 		    (idev->cnf.forwarding &&
788 		     (net->ipv6.devconf_all->proxy_ndp || idev->cnf.proxy_ndp) &&
789 		     (is_router = pndisc_is_router(&msg->target, dev)) >= 0)) {
790 			if (!(NEIGH_CB(skb)->flags & LOCALLY_ENQUEUED) &&
791 			    skb->pkt_type != PACKET_HOST &&
792 			    inc &&
793 			    idev->nd_parms->proxy_delay != 0) {
794 				/*
795 				 * for anycast or proxy,
796 				 * sender should delay its response
797 				 * by a random time between 0 and
798 				 * MAX_ANYCAST_DELAY_TIME seconds.
799 				 * (RFC2461) -- yoshfuji
800 				 */
801 				struct sk_buff *n = skb_clone(skb, GFP_ATOMIC);
802 				if (n)
803 					pneigh_enqueue(&nd_tbl, idev->nd_parms, n);
804 				goto out;
805 			}
806 		} else
807 			goto out;
808 	}
809 
810 	if (is_router < 0)
811 		is_router = idev->cnf.forwarding;
812 
813 	if (dad) {
814 		ndisc_send_na(dev, NULL, &in6addr_linklocal_allnodes, &msg->target,
815 			      !!is_router, false, (ifp != NULL), true);
816 		goto out;
817 	}
818 
819 	if (inc)
820 		NEIGH_CACHE_STAT_INC(&nd_tbl, rcv_probes_mcast);
821 	else
822 		NEIGH_CACHE_STAT_INC(&nd_tbl, rcv_probes_ucast);
823 
824 	/*
825 	 *	update / create cache entry
826 	 *	for the source address
827 	 */
828 	neigh = __neigh_lookup(&nd_tbl, saddr, dev,
829 			       !inc || lladdr || !dev->addr_len);
830 	if (neigh)
831 		neigh_update(neigh, lladdr, NUD_STALE,
832 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
833 			     NEIGH_UPDATE_F_OVERRIDE);
834 	if (neigh || !dev->header_ops) {
835 		ndisc_send_na(dev, neigh, saddr, &msg->target,
836 			      !!is_router,
837 			      true, (ifp != NULL && inc), inc);
838 		if (neigh)
839 			neigh_release(neigh);
840 	}
841 
842 out:
843 	if (ifp)
844 		in6_ifa_put(ifp);
845 	else
846 		in6_dev_put(idev);
847 }
848 
849 static void ndisc_recv_na(struct sk_buff *skb)
850 {
851 	struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
852 	const struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
853 	const struct in6_addr *daddr = &ipv6_hdr(skb)->daddr;
854 	u8 *lladdr = NULL;
855 	u32 ndoptlen = skb_tail_pointer(skb) - (skb_transport_header(skb) +
856 				    offsetof(struct nd_msg, opt));
857 	struct ndisc_options ndopts;
858 	struct net_device *dev = skb->dev;
859 	struct inet6_ifaddr *ifp;
860 	struct neighbour *neigh;
861 
862 	if (skb->len < sizeof(struct nd_msg)) {
863 		ND_PRINTK(2, warn, "NA: packet too short\n");
864 		return;
865 	}
866 
867 	if (ipv6_addr_is_multicast(&msg->target)) {
868 		ND_PRINTK(2, warn, "NA: target address is multicast\n");
869 		return;
870 	}
871 
872 	if (ipv6_addr_is_multicast(daddr) &&
873 	    msg->icmph.icmp6_solicited) {
874 		ND_PRINTK(2, warn, "NA: solicited NA is multicasted\n");
875 		return;
876 	}
877 
878 	if (!ndisc_parse_options(msg->opt, ndoptlen, &ndopts)) {
879 		ND_PRINTK(2, warn, "NS: invalid ND option\n");
880 		return;
881 	}
882 	if (ndopts.nd_opts_tgt_lladdr) {
883 		lladdr = ndisc_opt_addr_data(ndopts.nd_opts_tgt_lladdr, dev);
884 		if (!lladdr) {
885 			ND_PRINTK(2, warn,
886 				  "NA: invalid link-layer address length\n");
887 			return;
888 		}
889 	}
890 	ifp = ipv6_get_ifaddr(dev_net(dev), &msg->target, dev, 1);
891 	if (ifp) {
892 		if (skb->pkt_type != PACKET_LOOPBACK
893 		    && (ifp->flags & IFA_F_TENTATIVE)) {
894 				addrconf_dad_failure(ifp);
895 				return;
896 		}
897 		/* What should we make now? The advertisement
898 		   is invalid, but ndisc specs say nothing
899 		   about it. It could be misconfiguration, or
900 		   an smart proxy agent tries to help us :-)
901 
902 		   We should not print the error if NA has been
903 		   received from loopback - it is just our own
904 		   unsolicited advertisement.
905 		 */
906 		if (skb->pkt_type != PACKET_LOOPBACK)
907 			ND_PRINTK(1, warn,
908 				  "NA: someone advertises our address %pI6 on %s!\n",
909 				  &ifp->addr, ifp->idev->dev->name);
910 		in6_ifa_put(ifp);
911 		return;
912 	}
913 	neigh = neigh_lookup(&nd_tbl, &msg->target, dev);
914 
915 	if (neigh) {
916 		u8 old_flags = neigh->flags;
917 		struct net *net = dev_net(dev);
918 
919 		if (neigh->nud_state & NUD_FAILED)
920 			goto out;
921 
922 		/*
923 		 * Don't update the neighbor cache entry on a proxy NA from
924 		 * ourselves because either the proxied node is off link or it
925 		 * has already sent a NA to us.
926 		 */
927 		if (lladdr && !memcmp(lladdr, dev->dev_addr, dev->addr_len) &&
928 		    net->ipv6.devconf_all->forwarding && net->ipv6.devconf_all->proxy_ndp &&
929 		    pneigh_lookup(&nd_tbl, net, &msg->target, dev, 0)) {
930 			/* XXX: idev->cnf.proxy_ndp */
931 			goto out;
932 		}
933 
934 		neigh_update(neigh, lladdr,
935 			     msg->icmph.icmp6_solicited ? NUD_REACHABLE : NUD_STALE,
936 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
937 			     (msg->icmph.icmp6_override ? NEIGH_UPDATE_F_OVERRIDE : 0)|
938 			     NEIGH_UPDATE_F_OVERRIDE_ISROUTER|
939 			     (msg->icmph.icmp6_router ? NEIGH_UPDATE_F_ISROUTER : 0));
940 
941 		if ((old_flags & ~neigh->flags) & NTF_ROUTER) {
942 			/*
943 			 * Change: router to host
944 			 */
945 			struct rt6_info *rt;
946 			rt = rt6_get_dflt_router(saddr, dev);
947 			if (rt)
948 				ip6_del_rt(rt);
949 		}
950 
951 out:
952 		neigh_release(neigh);
953 	}
954 }
955 
956 static void ndisc_recv_rs(struct sk_buff *skb)
957 {
958 	struct rs_msg *rs_msg = (struct rs_msg *)skb_transport_header(skb);
959 	unsigned long ndoptlen = skb->len - sizeof(*rs_msg);
960 	struct neighbour *neigh;
961 	struct inet6_dev *idev;
962 	const struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
963 	struct ndisc_options ndopts;
964 	u8 *lladdr = NULL;
965 
966 	if (skb->len < sizeof(*rs_msg))
967 		return;
968 
969 	idev = __in6_dev_get(skb->dev);
970 	if (!idev) {
971 		ND_PRINTK(1, err, "RS: can't find in6 device\n");
972 		return;
973 	}
974 
975 	/* Don't accept RS if we're not in router mode */
976 	if (!idev->cnf.forwarding)
977 		goto out;
978 
979 	/*
980 	 * Don't update NCE if src = ::;
981 	 * this implies that the source node has no ip address assigned yet.
982 	 */
983 	if (ipv6_addr_any(saddr))
984 		goto out;
985 
986 	/* Parse ND options */
987 	if (!ndisc_parse_options(rs_msg->opt, ndoptlen, &ndopts)) {
988 		ND_PRINTK(2, notice, "NS: invalid ND option, ignored\n");
989 		goto out;
990 	}
991 
992 	if (ndopts.nd_opts_src_lladdr) {
993 		lladdr = ndisc_opt_addr_data(ndopts.nd_opts_src_lladdr,
994 					     skb->dev);
995 		if (!lladdr)
996 			goto out;
997 	}
998 
999 	neigh = __neigh_lookup(&nd_tbl, saddr, skb->dev, 1);
1000 	if (neigh) {
1001 		neigh_update(neigh, lladdr, NUD_STALE,
1002 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
1003 			     NEIGH_UPDATE_F_OVERRIDE|
1004 			     NEIGH_UPDATE_F_OVERRIDE_ISROUTER);
1005 		neigh_release(neigh);
1006 	}
1007 out:
1008 	return;
1009 }
1010 
1011 static void ndisc_ra_useropt(struct sk_buff *ra, struct nd_opt_hdr *opt)
1012 {
1013 	struct icmp6hdr *icmp6h = (struct icmp6hdr *)skb_transport_header(ra);
1014 	struct sk_buff *skb;
1015 	struct nlmsghdr *nlh;
1016 	struct nduseroptmsg *ndmsg;
1017 	struct net *net = dev_net(ra->dev);
1018 	int err;
1019 	int base_size = NLMSG_ALIGN(sizeof(struct nduseroptmsg)
1020 				    + (opt->nd_opt_len << 3));
1021 	size_t msg_size = base_size + nla_total_size(sizeof(struct in6_addr));
1022 
1023 	skb = nlmsg_new(msg_size, GFP_ATOMIC);
1024 	if (skb == NULL) {
1025 		err = -ENOBUFS;
1026 		goto errout;
1027 	}
1028 
1029 	nlh = nlmsg_put(skb, 0, 0, RTM_NEWNDUSEROPT, base_size, 0);
1030 	if (nlh == NULL) {
1031 		goto nla_put_failure;
1032 	}
1033 
1034 	ndmsg = nlmsg_data(nlh);
1035 	ndmsg->nduseropt_family = AF_INET6;
1036 	ndmsg->nduseropt_ifindex = ra->dev->ifindex;
1037 	ndmsg->nduseropt_icmp_type = icmp6h->icmp6_type;
1038 	ndmsg->nduseropt_icmp_code = icmp6h->icmp6_code;
1039 	ndmsg->nduseropt_opts_len = opt->nd_opt_len << 3;
1040 
1041 	memcpy(ndmsg + 1, opt, opt->nd_opt_len << 3);
1042 
1043 	if (nla_put(skb, NDUSEROPT_SRCADDR, sizeof(struct in6_addr),
1044 		    &ipv6_hdr(ra)->saddr))
1045 		goto nla_put_failure;
1046 	nlmsg_end(skb, nlh);
1047 
1048 	rtnl_notify(skb, net, 0, RTNLGRP_ND_USEROPT, NULL, GFP_ATOMIC);
1049 	return;
1050 
1051 nla_put_failure:
1052 	nlmsg_free(skb);
1053 	err = -EMSGSIZE;
1054 errout:
1055 	rtnl_set_sk_err(net, RTNLGRP_ND_USEROPT, err);
1056 }
1057 
1058 static void ndisc_router_discovery(struct sk_buff *skb)
1059 {
1060 	struct ra_msg *ra_msg = (struct ra_msg *)skb_transport_header(skb);
1061 	struct neighbour *neigh = NULL;
1062 	struct inet6_dev *in6_dev;
1063 	struct rt6_info *rt = NULL;
1064 	int lifetime;
1065 	struct ndisc_options ndopts;
1066 	int optlen;
1067 	unsigned int pref = 0;
1068 
1069 	__u8 * opt = (__u8 *)(ra_msg + 1);
1070 
1071 	optlen = (skb_tail_pointer(skb) - skb_transport_header(skb)) -
1072 		sizeof(struct ra_msg);
1073 
1074 	if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL)) {
1075 		ND_PRINTK(2, warn, "RA: source address is not link-local\n");
1076 		return;
1077 	}
1078 	if (optlen < 0) {
1079 		ND_PRINTK(2, warn, "RA: packet too short\n");
1080 		return;
1081 	}
1082 
1083 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1084 	if (skb->ndisc_nodetype == NDISC_NODETYPE_HOST) {
1085 		ND_PRINTK(2, warn, "RA: from host or unauthorized router\n");
1086 		return;
1087 	}
1088 #endif
1089 
1090 	/*
1091 	 *	set the RA_RECV flag in the interface
1092 	 */
1093 
1094 	in6_dev = __in6_dev_get(skb->dev);
1095 	if (in6_dev == NULL) {
1096 		ND_PRINTK(0, err, "RA: can't find inet6 device for %s\n",
1097 			  skb->dev->name);
1098 		return;
1099 	}
1100 
1101 	if (!ndisc_parse_options(opt, optlen, &ndopts)) {
1102 		ND_PRINTK(2, warn, "RA: invalid ND options\n");
1103 		return;
1104 	}
1105 
1106 	if (!ipv6_accept_ra(in6_dev))
1107 		goto skip_linkparms;
1108 
1109 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1110 	/* skip link-specific parameters from interior routers */
1111 	if (skb->ndisc_nodetype == NDISC_NODETYPE_NODEFAULT)
1112 		goto skip_linkparms;
1113 #endif
1114 
1115 	if (in6_dev->if_flags & IF_RS_SENT) {
1116 		/*
1117 		 *	flag that an RA was received after an RS was sent
1118 		 *	out on this interface.
1119 		 */
1120 		in6_dev->if_flags |= IF_RA_RCVD;
1121 	}
1122 
1123 	/*
1124 	 * Remember the managed/otherconf flags from most recently
1125 	 * received RA message (RFC 2462) -- yoshfuji
1126 	 */
1127 	in6_dev->if_flags = (in6_dev->if_flags & ~(IF_RA_MANAGED |
1128 				IF_RA_OTHERCONF)) |
1129 				(ra_msg->icmph.icmp6_addrconf_managed ?
1130 					IF_RA_MANAGED : 0) |
1131 				(ra_msg->icmph.icmp6_addrconf_other ?
1132 					IF_RA_OTHERCONF : 0);
1133 
1134 	if (!in6_dev->cnf.accept_ra_defrtr)
1135 		goto skip_defrtr;
1136 
1137 	if (ipv6_chk_addr(dev_net(in6_dev->dev), &ipv6_hdr(skb)->saddr, NULL, 0))
1138 		goto skip_defrtr;
1139 
1140 	lifetime = ntohs(ra_msg->icmph.icmp6_rt_lifetime);
1141 
1142 #ifdef CONFIG_IPV6_ROUTER_PREF
1143 	pref = ra_msg->icmph.icmp6_router_pref;
1144 	/* 10b is handled as if it were 00b (medium) */
1145 	if (pref == ICMPV6_ROUTER_PREF_INVALID ||
1146 	    !in6_dev->cnf.accept_ra_rtr_pref)
1147 		pref = ICMPV6_ROUTER_PREF_MEDIUM;
1148 #endif
1149 
1150 	rt = rt6_get_dflt_router(&ipv6_hdr(skb)->saddr, skb->dev);
1151 
1152 	if (rt) {
1153 		neigh = dst_neigh_lookup(&rt->dst, &ipv6_hdr(skb)->saddr);
1154 		if (!neigh) {
1155 			ND_PRINTK(0, err,
1156 				  "RA: %s got default router without neighbour\n",
1157 				  __func__);
1158 			ip6_rt_put(rt);
1159 			return;
1160 		}
1161 	}
1162 	if (rt && lifetime == 0) {
1163 		ip6_del_rt(rt);
1164 		rt = NULL;
1165 	}
1166 
1167 	if (rt == NULL && lifetime) {
1168 		ND_PRINTK(3, dbg, "RA: adding default router\n");
1169 
1170 		rt = rt6_add_dflt_router(&ipv6_hdr(skb)->saddr, skb->dev, pref);
1171 		if (rt == NULL) {
1172 			ND_PRINTK(0, err,
1173 				  "RA: %s failed to add default route\n",
1174 				  __func__);
1175 			return;
1176 		}
1177 
1178 		neigh = dst_neigh_lookup(&rt->dst, &ipv6_hdr(skb)->saddr);
1179 		if (neigh == NULL) {
1180 			ND_PRINTK(0, err,
1181 				  "RA: %s got default router without neighbour\n",
1182 				  __func__);
1183 			ip6_rt_put(rt);
1184 			return;
1185 		}
1186 		neigh->flags |= NTF_ROUTER;
1187 	} else if (rt) {
1188 		rt->rt6i_flags = (rt->rt6i_flags & ~RTF_PREF_MASK) | RTF_PREF(pref);
1189 	}
1190 
1191 	if (rt)
1192 		rt6_set_expires(rt, jiffies + (HZ * lifetime));
1193 	if (ra_msg->icmph.icmp6_hop_limit) {
1194 		in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
1195 		if (rt)
1196 			dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
1197 				       ra_msg->icmph.icmp6_hop_limit);
1198 	}
1199 
1200 skip_defrtr:
1201 
1202 	/*
1203 	 *	Update Reachable Time and Retrans Timer
1204 	 */
1205 
1206 	if (in6_dev->nd_parms) {
1207 		unsigned long rtime = ntohl(ra_msg->retrans_timer);
1208 
1209 		if (rtime && rtime/1000 < MAX_SCHEDULE_TIMEOUT/HZ) {
1210 			rtime = (rtime*HZ)/1000;
1211 			if (rtime < HZ/10)
1212 				rtime = HZ/10;
1213 			in6_dev->nd_parms->retrans_time = rtime;
1214 			in6_dev->tstamp = jiffies;
1215 			inet6_ifinfo_notify(RTM_NEWLINK, in6_dev);
1216 		}
1217 
1218 		rtime = ntohl(ra_msg->reachable_time);
1219 		if (rtime && rtime/1000 < MAX_SCHEDULE_TIMEOUT/(3*HZ)) {
1220 			rtime = (rtime*HZ)/1000;
1221 
1222 			if (rtime < HZ/10)
1223 				rtime = HZ/10;
1224 
1225 			if (rtime != in6_dev->nd_parms->base_reachable_time) {
1226 				in6_dev->nd_parms->base_reachable_time = rtime;
1227 				in6_dev->nd_parms->gc_staletime = 3 * rtime;
1228 				in6_dev->nd_parms->reachable_time = neigh_rand_reach_time(rtime);
1229 				in6_dev->tstamp = jiffies;
1230 				inet6_ifinfo_notify(RTM_NEWLINK, in6_dev);
1231 			}
1232 		}
1233 	}
1234 
1235 skip_linkparms:
1236 
1237 	/*
1238 	 *	Process options.
1239 	 */
1240 
1241 	if (!neigh)
1242 		neigh = __neigh_lookup(&nd_tbl, &ipv6_hdr(skb)->saddr,
1243 				       skb->dev, 1);
1244 	if (neigh) {
1245 		u8 *lladdr = NULL;
1246 		if (ndopts.nd_opts_src_lladdr) {
1247 			lladdr = ndisc_opt_addr_data(ndopts.nd_opts_src_lladdr,
1248 						     skb->dev);
1249 			if (!lladdr) {
1250 				ND_PRINTK(2, warn,
1251 					  "RA: invalid link-layer address length\n");
1252 				goto out;
1253 			}
1254 		}
1255 		neigh_update(neigh, lladdr, NUD_STALE,
1256 			     NEIGH_UPDATE_F_WEAK_OVERRIDE|
1257 			     NEIGH_UPDATE_F_OVERRIDE|
1258 			     NEIGH_UPDATE_F_OVERRIDE_ISROUTER|
1259 			     NEIGH_UPDATE_F_ISROUTER);
1260 	}
1261 
1262 	if (!ipv6_accept_ra(in6_dev))
1263 		goto out;
1264 
1265 #ifdef CONFIG_IPV6_ROUTE_INFO
1266 	if (ipv6_chk_addr(dev_net(in6_dev->dev), &ipv6_hdr(skb)->saddr, NULL, 0))
1267 		goto skip_routeinfo;
1268 
1269 	if (in6_dev->cnf.accept_ra_rtr_pref && ndopts.nd_opts_ri) {
1270 		struct nd_opt_hdr *p;
1271 		for (p = ndopts.nd_opts_ri;
1272 		     p;
1273 		     p = ndisc_next_option(p, ndopts.nd_opts_ri_end)) {
1274 			struct route_info *ri = (struct route_info *)p;
1275 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1276 			if (skb->ndisc_nodetype == NDISC_NODETYPE_NODEFAULT &&
1277 			    ri->prefix_len == 0)
1278 				continue;
1279 #endif
1280 			if (ri->prefix_len > in6_dev->cnf.accept_ra_rt_info_max_plen)
1281 				continue;
1282 			rt6_route_rcv(skb->dev, (u8*)p, (p->nd_opt_len) << 3,
1283 				      &ipv6_hdr(skb)->saddr);
1284 		}
1285 	}
1286 
1287 skip_routeinfo:
1288 #endif
1289 
1290 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1291 	/* skip link-specific ndopts from interior routers */
1292 	if (skb->ndisc_nodetype == NDISC_NODETYPE_NODEFAULT)
1293 		goto out;
1294 #endif
1295 
1296 	if (in6_dev->cnf.accept_ra_pinfo && ndopts.nd_opts_pi) {
1297 		struct nd_opt_hdr *p;
1298 		for (p = ndopts.nd_opts_pi;
1299 		     p;
1300 		     p = ndisc_next_option(p, ndopts.nd_opts_pi_end)) {
1301 			addrconf_prefix_rcv(skb->dev, (u8 *)p,
1302 					    (p->nd_opt_len) << 3,
1303 					    ndopts.nd_opts_src_lladdr != NULL);
1304 		}
1305 	}
1306 
1307 	if (ndopts.nd_opts_mtu) {
1308 		__be32 n;
1309 		u32 mtu;
1310 
1311 		memcpy(&n, ((u8*)(ndopts.nd_opts_mtu+1))+2, sizeof(mtu));
1312 		mtu = ntohl(n);
1313 
1314 		if (mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) {
1315 			ND_PRINTK(2, warn, "RA: invalid mtu: %d\n", mtu);
1316 		} else if (in6_dev->cnf.mtu6 != mtu) {
1317 			in6_dev->cnf.mtu6 = mtu;
1318 
1319 			if (rt)
1320 				dst_metric_set(&rt->dst, RTAX_MTU, mtu);
1321 
1322 			rt6_mtu_change(skb->dev, mtu);
1323 		}
1324 	}
1325 
1326 	if (ndopts.nd_useropts) {
1327 		struct nd_opt_hdr *p;
1328 		for (p = ndopts.nd_useropts;
1329 		     p;
1330 		     p = ndisc_next_useropt(p, ndopts.nd_useropts_end)) {
1331 			ndisc_ra_useropt(skb, p);
1332 		}
1333 	}
1334 
1335 	if (ndopts.nd_opts_tgt_lladdr || ndopts.nd_opts_rh) {
1336 		ND_PRINTK(2, warn, "RA: invalid RA options\n");
1337 	}
1338 out:
1339 	ip6_rt_put(rt);
1340 	if (neigh)
1341 		neigh_release(neigh);
1342 }
1343 
1344 static void ndisc_redirect_rcv(struct sk_buff *skb)
1345 {
1346 	u8 *hdr;
1347 	struct ndisc_options ndopts;
1348 	struct rd_msg *msg = (struct rd_msg *)skb_transport_header(skb);
1349 	u32 ndoptlen = skb_tail_pointer(skb) - (skb_transport_header(skb) +
1350 				    offsetof(struct rd_msg, opt));
1351 
1352 #ifdef CONFIG_IPV6_NDISC_NODETYPE
1353 	switch (skb->ndisc_nodetype) {
1354 	case NDISC_NODETYPE_HOST:
1355 	case NDISC_NODETYPE_NODEFAULT:
1356 		ND_PRINTK(2, warn,
1357 			  "Redirect: from host or unauthorized router\n");
1358 		return;
1359 	}
1360 #endif
1361 
1362 	if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL)) {
1363 		ND_PRINTK(2, warn,
1364 			  "Redirect: source address is not link-local\n");
1365 		return;
1366 	}
1367 
1368 	if (!ndisc_parse_options(msg->opt, ndoptlen, &ndopts))
1369 		return;
1370 
1371 	if (!ndopts.nd_opts_rh) {
1372 		ip6_redirect_no_header(skb, dev_net(skb->dev),
1373 					skb->dev->ifindex, 0);
1374 		return;
1375 	}
1376 
1377 	hdr = (u8 *)ndopts.nd_opts_rh;
1378 	hdr += 8;
1379 	if (!pskb_pull(skb, hdr - skb_transport_header(skb)))
1380 		return;
1381 
1382 	icmpv6_notify(skb, NDISC_REDIRECT, 0, 0);
1383 }
1384 
1385 static void ndisc_fill_redirect_hdr_option(struct sk_buff *skb,
1386 					   struct sk_buff *orig_skb,
1387 					   int rd_len)
1388 {
1389 	u8 *opt = skb_put(skb, rd_len);
1390 
1391 	memset(opt, 0, 8);
1392 	*(opt++) = ND_OPT_REDIRECT_HDR;
1393 	*(opt++) = (rd_len >> 3);
1394 	opt += 6;
1395 
1396 	memcpy(opt, ipv6_hdr(orig_skb), rd_len - 8);
1397 }
1398 
1399 void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target)
1400 {
1401 	struct net_device *dev = skb->dev;
1402 	struct net *net = dev_net(dev);
1403 	struct sock *sk = net->ipv6.ndisc_sk;
1404 	int optlen = 0;
1405 	struct inet_peer *peer;
1406 	struct sk_buff *buff;
1407 	struct rd_msg *msg;
1408 	struct in6_addr saddr_buf;
1409 	struct rt6_info *rt;
1410 	struct dst_entry *dst;
1411 	struct flowi6 fl6;
1412 	int rd_len;
1413 	u8 ha_buf[MAX_ADDR_LEN], *ha = NULL;
1414 	bool ret;
1415 
1416 	if (ipv6_get_lladdr(dev, &saddr_buf, IFA_F_TENTATIVE)) {
1417 		ND_PRINTK(2, warn, "Redirect: no link-local address on %s\n",
1418 			  dev->name);
1419 		return;
1420 	}
1421 
1422 	if (!ipv6_addr_equal(&ipv6_hdr(skb)->daddr, target) &&
1423 	    ipv6_addr_type(target) != (IPV6_ADDR_UNICAST|IPV6_ADDR_LINKLOCAL)) {
1424 		ND_PRINTK(2, warn,
1425 			  "Redirect: target address is not link-local unicast\n");
1426 		return;
1427 	}
1428 
1429 	icmpv6_flow_init(sk, &fl6, NDISC_REDIRECT,
1430 			 &saddr_buf, &ipv6_hdr(skb)->saddr, dev->ifindex);
1431 
1432 	dst = ip6_route_output(net, NULL, &fl6);
1433 	if (dst->error) {
1434 		dst_release(dst);
1435 		return;
1436 	}
1437 	dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), NULL, 0);
1438 	if (IS_ERR(dst))
1439 		return;
1440 
1441 	rt = (struct rt6_info *) dst;
1442 
1443 	if (rt->rt6i_flags & RTF_GATEWAY) {
1444 		ND_PRINTK(2, warn,
1445 			  "Redirect: destination is not a neighbour\n");
1446 		goto release;
1447 	}
1448 	peer = inet_getpeer_v6(net->ipv6.peers, &rt->rt6i_dst.addr, 1);
1449 	ret = inet_peer_xrlim_allow(peer, 1*HZ);
1450 	if (peer)
1451 		inet_putpeer(peer);
1452 	if (!ret)
1453 		goto release;
1454 
1455 	if (dev->addr_len) {
1456 		struct neighbour *neigh = dst_neigh_lookup(skb_dst(skb), target);
1457 		if (!neigh) {
1458 			ND_PRINTK(2, warn,
1459 				  "Redirect: no neigh for target address\n");
1460 			goto release;
1461 		}
1462 
1463 		read_lock_bh(&neigh->lock);
1464 		if (neigh->nud_state & NUD_VALID) {
1465 			memcpy(ha_buf, neigh->ha, dev->addr_len);
1466 			read_unlock_bh(&neigh->lock);
1467 			ha = ha_buf;
1468 			optlen += ndisc_opt_addr_space(dev);
1469 		} else
1470 			read_unlock_bh(&neigh->lock);
1471 
1472 		neigh_release(neigh);
1473 	}
1474 
1475 	rd_len = min_t(unsigned int,
1476 		       IPV6_MIN_MTU - sizeof(struct ipv6hdr) - sizeof(*msg) - optlen,
1477 		       skb->len + 8);
1478 	rd_len &= ~0x7;
1479 	optlen += rd_len;
1480 
1481 	buff = ndisc_alloc_skb(dev, sizeof(*msg) + optlen);
1482 	if (!buff)
1483 		goto release;
1484 
1485 	msg = (struct rd_msg *)skb_put(buff, sizeof(*msg));
1486 	*msg = (struct rd_msg) {
1487 		.icmph = {
1488 			.icmp6_type = NDISC_REDIRECT,
1489 		},
1490 		.target = *target,
1491 		.dest = ipv6_hdr(skb)->daddr,
1492 	};
1493 
1494 	/*
1495 	 *	include target_address option
1496 	 */
1497 
1498 	if (ha)
1499 		ndisc_fill_addr_option(buff, ND_OPT_TARGET_LL_ADDR, ha);
1500 
1501 	/*
1502 	 *	build redirect option and copy skb over to the new packet.
1503 	 */
1504 
1505 	if (rd_len)
1506 		ndisc_fill_redirect_hdr_option(buff, skb, rd_len);
1507 
1508 	skb_dst_set(buff, dst);
1509 	ndisc_send_skb(buff, &ipv6_hdr(skb)->saddr, &saddr_buf);
1510 	return;
1511 
1512 release:
1513 	dst_release(dst);
1514 }
1515 
1516 static void pndisc_redo(struct sk_buff *skb)
1517 {
1518 	ndisc_recv_ns(skb);
1519 	kfree_skb(skb);
1520 }
1521 
1522 static bool ndisc_suppress_frag_ndisc(struct sk_buff *skb)
1523 {
1524 	struct inet6_dev *idev = __in6_dev_get(skb->dev);
1525 
1526 	if (!idev)
1527 		return true;
1528 	if (IP6CB(skb)->flags & IP6SKB_FRAGMENTED &&
1529 	    idev->cnf.suppress_frag_ndisc) {
1530 		net_warn_ratelimited("Received fragmented ndisc packet. Carefully consider disabling suppress_frag_ndisc.\n");
1531 		return true;
1532 	}
1533 	return false;
1534 }
1535 
1536 int ndisc_rcv(struct sk_buff *skb)
1537 {
1538 	struct nd_msg *msg;
1539 
1540 	if (ndisc_suppress_frag_ndisc(skb))
1541 		return 0;
1542 
1543 	if (skb_linearize(skb))
1544 		return 0;
1545 
1546 	msg = (struct nd_msg *)skb_transport_header(skb);
1547 
1548 	__skb_push(skb, skb->data - skb_transport_header(skb));
1549 
1550 	if (ipv6_hdr(skb)->hop_limit != 255) {
1551 		ND_PRINTK(2, warn, "NDISC: invalid hop-limit: %d\n",
1552 			  ipv6_hdr(skb)->hop_limit);
1553 		return 0;
1554 	}
1555 
1556 	if (msg->icmph.icmp6_code != 0) {
1557 		ND_PRINTK(2, warn, "NDISC: invalid ICMPv6 code: %d\n",
1558 			  msg->icmph.icmp6_code);
1559 		return 0;
1560 	}
1561 
1562 	memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb));
1563 
1564 	switch (msg->icmph.icmp6_type) {
1565 	case NDISC_NEIGHBOUR_SOLICITATION:
1566 		ndisc_recv_ns(skb);
1567 		break;
1568 
1569 	case NDISC_NEIGHBOUR_ADVERTISEMENT:
1570 		ndisc_recv_na(skb);
1571 		break;
1572 
1573 	case NDISC_ROUTER_SOLICITATION:
1574 		ndisc_recv_rs(skb);
1575 		break;
1576 
1577 	case NDISC_ROUTER_ADVERTISEMENT:
1578 		ndisc_router_discovery(skb);
1579 		break;
1580 
1581 	case NDISC_REDIRECT:
1582 		ndisc_redirect_rcv(skb);
1583 		break;
1584 	}
1585 
1586 	return 0;
1587 }
1588 
1589 static int ndisc_netdev_event(struct notifier_block *this, unsigned long event, void *ptr)
1590 {
1591 	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
1592 	struct net *net = dev_net(dev);
1593 	struct inet6_dev *idev;
1594 
1595 	switch (event) {
1596 	case NETDEV_CHANGEADDR:
1597 		neigh_changeaddr(&nd_tbl, dev);
1598 		fib6_run_gc(0, net, false);
1599 		idev = in6_dev_get(dev);
1600 		if (!idev)
1601 			break;
1602 		if (idev->cnf.ndisc_notify)
1603 			ndisc_send_unsol_na(dev);
1604 		in6_dev_put(idev);
1605 		break;
1606 	case NETDEV_DOWN:
1607 		neigh_ifdown(&nd_tbl, dev);
1608 		fib6_run_gc(0, net, false);
1609 		break;
1610 	case NETDEV_NOTIFY_PEERS:
1611 		ndisc_send_unsol_na(dev);
1612 		break;
1613 	default:
1614 		break;
1615 	}
1616 
1617 	return NOTIFY_DONE;
1618 }
1619 
1620 static struct notifier_block ndisc_netdev_notifier = {
1621 	.notifier_call = ndisc_netdev_event,
1622 };
1623 
1624 #ifdef CONFIG_SYSCTL
1625 static void ndisc_warn_deprecated_sysctl(struct ctl_table *ctl,
1626 					 const char *func, const char *dev_name)
1627 {
1628 	static char warncomm[TASK_COMM_LEN];
1629 	static int warned;
1630 	if (strcmp(warncomm, current->comm) && warned < 5) {
1631 		strcpy(warncomm, current->comm);
1632 		pr_warn("process `%s' is using deprecated sysctl (%s) net.ipv6.neigh.%s.%s - use net.ipv6.neigh.%s.%s_ms instead\n",
1633 			warncomm, func,
1634 			dev_name, ctl->procname,
1635 			dev_name, ctl->procname);
1636 		warned++;
1637 	}
1638 }
1639 
1640 int ndisc_ifinfo_sysctl_change(struct ctl_table *ctl, int write, void __user *buffer, size_t *lenp, loff_t *ppos)
1641 {
1642 	struct net_device *dev = ctl->extra1;
1643 	struct inet6_dev *idev;
1644 	int ret;
1645 
1646 	if ((strcmp(ctl->procname, "retrans_time") == 0) ||
1647 	    (strcmp(ctl->procname, "base_reachable_time") == 0))
1648 		ndisc_warn_deprecated_sysctl(ctl, "syscall", dev ? dev->name : "default");
1649 
1650 	if (strcmp(ctl->procname, "retrans_time") == 0)
1651 		ret = proc_dointvec(ctl, write, buffer, lenp, ppos);
1652 
1653 	else if (strcmp(ctl->procname, "base_reachable_time") == 0)
1654 		ret = proc_dointvec_jiffies(ctl, write,
1655 					    buffer, lenp, ppos);
1656 
1657 	else if ((strcmp(ctl->procname, "retrans_time_ms") == 0) ||
1658 		 (strcmp(ctl->procname, "base_reachable_time_ms") == 0))
1659 		ret = proc_dointvec_ms_jiffies(ctl, write,
1660 					       buffer, lenp, ppos);
1661 	else
1662 		ret = -1;
1663 
1664 	if (write && ret == 0 && dev && (idev = in6_dev_get(dev)) != NULL) {
1665 		if (ctl->data == &idev->nd_parms->base_reachable_time)
1666 			idev->nd_parms->reachable_time = neigh_rand_reach_time(idev->nd_parms->base_reachable_time);
1667 		idev->tstamp = jiffies;
1668 		inet6_ifinfo_notify(RTM_NEWLINK, idev);
1669 		in6_dev_put(idev);
1670 	}
1671 	return ret;
1672 }
1673 
1674 
1675 #endif
1676 
1677 static int __net_init ndisc_net_init(struct net *net)
1678 {
1679 	struct ipv6_pinfo *np;
1680 	struct sock *sk;
1681 	int err;
1682 
1683 	err = inet_ctl_sock_create(&sk, PF_INET6,
1684 				   SOCK_RAW, IPPROTO_ICMPV6, net);
1685 	if (err < 0) {
1686 		ND_PRINTK(0, err,
1687 			  "NDISC: Failed to initialize the control socket (err %d)\n",
1688 			  err);
1689 		return err;
1690 	}
1691 
1692 	net->ipv6.ndisc_sk = sk;
1693 
1694 	np = inet6_sk(sk);
1695 	np->hop_limit = 255;
1696 	/* Do not loopback ndisc messages */
1697 	np->mc_loop = 0;
1698 
1699 	return 0;
1700 }
1701 
1702 static void __net_exit ndisc_net_exit(struct net *net)
1703 {
1704 	inet_ctl_sock_destroy(net->ipv6.ndisc_sk);
1705 }
1706 
1707 static struct pernet_operations ndisc_net_ops = {
1708 	.init = ndisc_net_init,
1709 	.exit = ndisc_net_exit,
1710 };
1711 
1712 int __init ndisc_init(void)
1713 {
1714 	int err;
1715 
1716 	err = register_pernet_subsys(&ndisc_net_ops);
1717 	if (err)
1718 		return err;
1719 	/*
1720 	 * Initialize the neighbour table
1721 	 */
1722 	neigh_table_init(&nd_tbl);
1723 
1724 #ifdef CONFIG_SYSCTL
1725 	err = neigh_sysctl_register(NULL, &nd_tbl.parms, "ipv6",
1726 				    &ndisc_ifinfo_sysctl_change);
1727 	if (err)
1728 		goto out_unregister_pernet;
1729 #endif
1730 out:
1731 	return err;
1732 
1733 #ifdef CONFIG_SYSCTL
1734 out_unregister_pernet:
1735 	unregister_pernet_subsys(&ndisc_net_ops);
1736 	goto out;
1737 #endif
1738 }
1739 
1740 int __init ndisc_late_init(void)
1741 {
1742 	return register_netdevice_notifier(&ndisc_netdev_notifier);
1743 }
1744 
1745 void ndisc_late_cleanup(void)
1746 {
1747 	unregister_netdevice_notifier(&ndisc_netdev_notifier);
1748 }
1749 
1750 void ndisc_cleanup(void)
1751 {
1752 #ifdef CONFIG_SYSCTL
1753 	neigh_sysctl_unregister(&nd_tbl.parms);
1754 #endif
1755 	neigh_table_clear(&nd_tbl);
1756 	unregister_pernet_subsys(&ndisc_net_ops);
1757 }
1758