1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 /* 26 * Copyright (c) 1990 Mentat Inc. 27 */ 28 29 #pragma ident "%Z%%M% %I% %E% SMI" 30 31 /* 32 * This file contains the interface control functions for IPv6. 33 */ 34 35 #include <sys/types.h> 36 #include <sys/sysmacros.h> 37 #include <sys/stream.h> 38 #include <sys/dlpi.h> 39 #include <sys/stropts.h> 40 #include <sys/ddi.h> 41 #include <sys/cmn_err.h> 42 #include <sys/kstat.h> 43 #include <sys/debug.h> 44 #include <sys/zone.h> 45 #include <sys/policy.h> 46 47 #include <sys/systm.h> 48 #include <sys/param.h> 49 #include <sys/socket.h> 50 #include <sys/isa_defs.h> 51 #include <net/if.h> 52 #include <net/if_dl.h> 53 #include <net/route.h> 54 #include <netinet/in.h> 55 #include <netinet/igmp_var.h> 56 #include <netinet/ip6.h> 57 #include <netinet/icmp6.h> 58 #include <netinet/in.h> 59 60 #include <inet/common.h> 61 #include <inet/nd.h> 62 #include <inet/mib2.h> 63 #include <inet/ip.h> 64 #include <inet/ip6.h> 65 #include <inet/ip_multi.h> 66 #include <inet/ip_ire.h> 67 #include <inet/ip_rts.h> 68 #include <inet/ip_ndp.h> 69 #include <inet/ip_if.h> 70 #include <inet/ip6_asp.h> 71 #include <inet/tun.h> 72 #include <inet/ipclassifier.h> 73 #include <inet/sctp_ip.h> 74 75 #include <sys/tsol/tndb.h> 76 #include <sys/tsol/tnet.h> 77 78 static in6_addr_t ipv6_ll_template = 79 {(uint32_t)V6_LINKLOCAL, 0x0, 0x0, 0x0}; 80 81 static ipif_t * 82 ipif_lookup_interface_v6(const in6_addr_t *if_addr, const in6_addr_t *dst, 83 queue_t *q, mblk_t *mp, ipsq_func_t func, int *error, ip_stack_t *ipst); 84 85 /* 86 * These two functions, ipif_lookup_group_v6() and ill_lookup_group_v6(), 87 * are called when an application does not specify an interface to be 88 * used for multicast traffic. It calls ire_lookup_multi_v6() to look 89 * for an interface route for the specified multicast group. Doing 90 * this allows the administrator to add prefix routes for multicast to 91 * indicate which interface to be used for multicast traffic in the above 92 * scenario. The route could be for all multicast (ff00::/8), for a single 93 * multicast group (a /128 route) or anything in between. If there is no 94 * such multicast route, we just find any multicast capable interface and 95 * return it. 96 */ 97 ipif_t * 98 ipif_lookup_group_v6(const in6_addr_t *group, zoneid_t zoneid, ip_stack_t *ipst) 99 { 100 ire_t *ire; 101 ipif_t *ipif; 102 103 ire = ire_lookup_multi_v6(group, zoneid, ipst); 104 if (ire != NULL) { 105 ipif = ire->ire_ipif; 106 ipif_refhold(ipif); 107 ire_refrele(ire); 108 return (ipif); 109 } 110 111 return (ipif_lookup_multicast(ipst, zoneid, B_TRUE)); 112 } 113 114 ill_t * 115 ill_lookup_group_v6(const in6_addr_t *group, zoneid_t zoneid, ip_stack_t *ipst) 116 { 117 ire_t *ire; 118 ill_t *ill; 119 ipif_t *ipif; 120 121 ire = ire_lookup_multi_v6(group, zoneid, ipst); 122 if (ire != NULL) { 123 ill = ire->ire_ipif->ipif_ill; 124 ill_refhold(ill); 125 ire_refrele(ire); 126 return (ill); 127 } 128 129 ipif = ipif_lookup_multicast(ipst, zoneid, B_TRUE); 130 if (ipif == NULL) 131 return (NULL); 132 133 ill = ipif->ipif_ill; 134 ill_refhold(ill); 135 ipif_refrele(ipif); 136 return (ill); 137 } 138 139 /* 140 * Look for an ipif with the specified interface address and destination. 141 * The destination address is used only for matching point-to-point interfaces. 142 */ 143 static ipif_t * 144 ipif_lookup_interface_v6(const in6_addr_t *if_addr, const in6_addr_t *dst, 145 queue_t *q, mblk_t *mp, ipsq_func_t func, int *error, ip_stack_t *ipst) 146 { 147 ipif_t *ipif; 148 ill_t *ill; 149 ipsq_t *ipsq; 150 ill_walk_context_t ctx; 151 152 if (error != NULL) 153 *error = 0; 154 155 /* 156 * First match all the point-to-point interfaces 157 * before looking at non-point-to-point interfaces. 158 * This is done to avoid returning non-point-to-point 159 * ipif instead of unnumbered point-to-point ipif. 160 */ 161 rw_enter(&ipst->ips_ill_g_lock, RW_READER); 162 ill = ILL_START_WALK_V6(&ctx, ipst); 163 for (; ill != NULL; ill = ill_next(&ctx, ill)) { 164 GRAB_CONN_LOCK(q); 165 mutex_enter(&ill->ill_lock); 166 for (ipif = ill->ill_ipif; ipif != NULL; 167 ipif = ipif->ipif_next) { 168 /* Allow the ipif to be down */ 169 if ((ipif->ipif_flags & IPIF_POINTOPOINT) && 170 (IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6lcl_addr, 171 if_addr)) && 172 (IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6pp_dst_addr, 173 dst))) { 174 if (IPIF_CAN_LOOKUP(ipif)) { 175 ipif_refhold_locked(ipif); 176 mutex_exit(&ill->ill_lock); 177 RELEASE_CONN_LOCK(q); 178 rw_exit(&ipst->ips_ill_g_lock); 179 return (ipif); 180 } else if (IPIF_CAN_WAIT(ipif, q)) { 181 ipsq = ill->ill_phyint->phyint_ipsq; 182 mutex_enter(&ipsq->ipsq_lock); 183 mutex_exit(&ill->ill_lock); 184 rw_exit(&ipst->ips_ill_g_lock); 185 ipsq_enq(ipsq, q, mp, func, NEW_OP, 186 ill); 187 mutex_exit(&ipsq->ipsq_lock); 188 RELEASE_CONN_LOCK(q); 189 if (error != NULL) 190 *error = EINPROGRESS; 191 return (NULL); 192 } 193 } 194 } 195 mutex_exit(&ill->ill_lock); 196 RELEASE_CONN_LOCK(q); 197 } 198 rw_exit(&ipst->ips_ill_g_lock); 199 /* lookup the ipif based on interface address */ 200 ipif = ipif_lookup_addr_v6(if_addr, NULL, ALL_ZONES, q, mp, func, 201 error, ipst); 202 ASSERT(ipif == NULL || ipif->ipif_isv6); 203 return (ipif); 204 } 205 206 /* 207 * Look for an ipif with the specified address. For point-point links 208 * we look for matches on either the destination address and the local 209 * address, but we ignore the check on the local address if IPIF_UNNUMBERED 210 * is set. 211 * Matches on a specific ill if match_ill is set. 212 */ 213 /* ARGSUSED */ 214 ipif_t * 215 ipif_lookup_addr_v6(const in6_addr_t *addr, ill_t *match_ill, zoneid_t zoneid, 216 queue_t *q, mblk_t *mp, ipsq_func_t func, int *error, ip_stack_t *ipst) 217 { 218 ipif_t *ipif; 219 ill_t *ill; 220 boolean_t ptp = B_FALSE; 221 ipsq_t *ipsq; 222 ill_walk_context_t ctx; 223 224 if (error != NULL) 225 *error = 0; 226 227 rw_enter(&ipst->ips_ill_g_lock, RW_READER); 228 /* 229 * Repeat twice, first based on local addresses and 230 * next time for pointopoint. 231 */ 232 repeat: 233 ill = ILL_START_WALK_V6(&ctx, ipst); 234 for (; ill != NULL; ill = ill_next(&ctx, ill)) { 235 if (match_ill != NULL && ill != match_ill) { 236 continue; 237 } 238 GRAB_CONN_LOCK(q); 239 mutex_enter(&ill->ill_lock); 240 for (ipif = ill->ill_ipif; ipif != NULL; 241 ipif = ipif->ipif_next) { 242 if (zoneid != ALL_ZONES && 243 ipif->ipif_zoneid != zoneid && 244 ipif->ipif_zoneid != ALL_ZONES) 245 continue; 246 /* Allow the ipif to be down */ 247 if ((!ptp && (IN6_ARE_ADDR_EQUAL( 248 &ipif->ipif_v6lcl_addr, addr) && 249 (ipif->ipif_flags & IPIF_UNNUMBERED) == 0)) || 250 (ptp && (ipif->ipif_flags & IPIF_POINTOPOINT) && 251 IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6pp_dst_addr, 252 addr))) { 253 if (IPIF_CAN_LOOKUP(ipif)) { 254 ipif_refhold_locked(ipif); 255 mutex_exit(&ill->ill_lock); 256 RELEASE_CONN_LOCK(q); 257 rw_exit(&ipst->ips_ill_g_lock); 258 return (ipif); 259 } else if (IPIF_CAN_WAIT(ipif, q)) { 260 ipsq = ill->ill_phyint->phyint_ipsq; 261 mutex_enter(&ipsq->ipsq_lock); 262 mutex_exit(&ill->ill_lock); 263 rw_exit(&ipst->ips_ill_g_lock); 264 ipsq_enq(ipsq, q, mp, func, NEW_OP, 265 ill); 266 mutex_exit(&ipsq->ipsq_lock); 267 RELEASE_CONN_LOCK(q); 268 if (error != NULL) 269 *error = EINPROGRESS; 270 return (NULL); 271 } 272 } 273 } 274 mutex_exit(&ill->ill_lock); 275 RELEASE_CONN_LOCK(q); 276 } 277 278 /* If we already did the ptp case, then we are done */ 279 if (ptp) { 280 rw_exit(&ipst->ips_ill_g_lock); 281 if (error != NULL) 282 *error = ENXIO; 283 return (NULL); 284 } 285 ptp = B_TRUE; 286 goto repeat; 287 } 288 289 /* 290 * Look for an ipif with the specified address. For point-point links 291 * we look for matches on either the destination address and the local 292 * address, but we ignore the check on the local address if IPIF_UNNUMBERED 293 * is set. 294 * Matches on a specific ill if match_ill is set. 295 * Return the zoneid for the ipif. ALL_ZONES if none found. 296 */ 297 zoneid_t 298 ipif_lookup_addr_zoneid_v6(const in6_addr_t *addr, ill_t *match_ill, 299 ip_stack_t *ipst) 300 { 301 ipif_t *ipif; 302 ill_t *ill; 303 boolean_t ptp = B_FALSE; 304 ill_walk_context_t ctx; 305 zoneid_t zoneid; 306 307 rw_enter(&ipst->ips_ill_g_lock, RW_READER); 308 /* 309 * Repeat twice, first based on local addresses and 310 * next time for pointopoint. 311 */ 312 repeat: 313 ill = ILL_START_WALK_V6(&ctx, ipst); 314 for (; ill != NULL; ill = ill_next(&ctx, ill)) { 315 if (match_ill != NULL && ill != match_ill) { 316 continue; 317 } 318 mutex_enter(&ill->ill_lock); 319 for (ipif = ill->ill_ipif; ipif != NULL; 320 ipif = ipif->ipif_next) { 321 /* Allow the ipif to be down */ 322 if ((!ptp && (IN6_ARE_ADDR_EQUAL( 323 &ipif->ipif_v6lcl_addr, addr) && 324 (ipif->ipif_flags & IPIF_UNNUMBERED) == 0)) || 325 (ptp && (ipif->ipif_flags & IPIF_POINTOPOINT) && 326 IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6pp_dst_addr, 327 addr)) && 328 !(ipif->ipif_state_flags & IPIF_CONDEMNED)) { 329 zoneid = ipif->ipif_zoneid; 330 mutex_exit(&ill->ill_lock); 331 rw_exit(&ipst->ips_ill_g_lock); 332 /* 333 * If ipif_zoneid was ALL_ZONES then we have 334 * a trusted extensions shared IP address. 335 * In that case GLOBAL_ZONEID works to send. 336 */ 337 if (zoneid == ALL_ZONES) 338 zoneid = GLOBAL_ZONEID; 339 return (zoneid); 340 } 341 } 342 mutex_exit(&ill->ill_lock); 343 } 344 345 /* If we already did the ptp case, then we are done */ 346 if (ptp) { 347 rw_exit(&ipst->ips_ill_g_lock); 348 return (ALL_ZONES); 349 } 350 ptp = B_TRUE; 351 goto repeat; 352 } 353 354 /* 355 * Perform various checks to verify that an address would make sense as a local 356 * interface address. This is currently only called when an attempt is made 357 * to set a local address. 358 * 359 * Does not allow a v4-mapped address, an address that equals the subnet 360 * anycast address, ... a multicast address, ... 361 */ 362 boolean_t 363 ip_local_addr_ok_v6(const in6_addr_t *addr, const in6_addr_t *subnet_mask) 364 { 365 in6_addr_t subnet; 366 367 if (IN6_IS_ADDR_UNSPECIFIED(addr)) 368 return (B_TRUE); /* Allow all zeros */ 369 370 /* 371 * Don't allow all zeroes or host part, but allow 372 * all ones netmask. 373 */ 374 V6_MASK_COPY(*addr, *subnet_mask, subnet); 375 if (IN6_IS_ADDR_V4MAPPED(addr) || 376 (IN6_ARE_ADDR_EQUAL(addr, &subnet) && 377 !IN6_ARE_ADDR_EQUAL(subnet_mask, &ipv6_all_ones)) || 378 (IN6_IS_ADDR_V4COMPAT(addr) && CLASSD(V4_PART_OF_V6((*addr)))) || 379 IN6_IS_ADDR_MULTICAST(addr)) 380 return (B_FALSE); 381 382 return (B_TRUE); 383 } 384 385 /* 386 * Perform various checks to verify that an address would make sense as a 387 * remote/subnet interface address. 388 */ 389 boolean_t 390 ip_remote_addr_ok_v6(const in6_addr_t *addr, const in6_addr_t *subnet_mask) 391 { 392 in6_addr_t subnet; 393 394 if (IN6_IS_ADDR_UNSPECIFIED(addr)) 395 return (B_TRUE); /* Allow all zeros */ 396 397 V6_MASK_COPY(*addr, *subnet_mask, subnet); 398 if (IN6_IS_ADDR_V4MAPPED(addr) || 399 (IN6_ARE_ADDR_EQUAL(addr, &subnet) && 400 !IN6_ARE_ADDR_EQUAL(subnet_mask, &ipv6_all_ones)) || 401 IN6_IS_ADDR_MULTICAST(addr) || 402 (IN6_IS_ADDR_V4COMPAT(addr) && CLASSD(V4_PART_OF_V6((*addr))))) 403 return (B_FALSE); 404 405 return (B_TRUE); 406 } 407 408 /* 409 * ip_rt_add_v6 is called to add an IPv6 route to the forwarding table. 410 * ipif_arg is passed in to associate it with the correct interface 411 * (for link-local destinations and gateways). 412 */ 413 /* ARGSUSED1 */ 414 int 415 ip_rt_add_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask, 416 const in6_addr_t *gw_addr, const in6_addr_t *src_addr, int flags, 417 ipif_t *ipif_arg, ire_t **ire_arg, queue_t *q, mblk_t *mp, ipsq_func_t func, 418 struct rtsa_s *sp, ip_stack_t *ipst) 419 { 420 ire_t *ire; 421 ire_t *gw_ire = NULL; 422 ipif_t *ipif; 423 boolean_t ipif_refheld = B_FALSE; 424 uint_t type; 425 int match_flags = MATCH_IRE_TYPE; 426 int error; 427 tsol_gc_t *gc = NULL; 428 tsol_gcgrp_t *gcgrp = NULL; 429 boolean_t gcgrp_xtraref = B_FALSE; 430 431 if (ire_arg != NULL) 432 *ire_arg = NULL; 433 434 /* 435 * Prevent routes with a zero gateway from being created (since 436 * interfaces can currently be plumbed and brought up with no assigned 437 * address). 438 */ 439 if (IN6_IS_ADDR_UNSPECIFIED(gw_addr)) 440 return (ENETUNREACH); 441 442 /* 443 * If this is the case of RTF_HOST being set, then we set the netmask 444 * to all ones (regardless if one was supplied). 445 */ 446 if (flags & RTF_HOST) 447 mask = &ipv6_all_ones; 448 449 /* 450 * Get the ipif, if any, corresponding to the gw_addr 451 */ 452 ipif = ipif_lookup_interface_v6(gw_addr, dst_addr, q, mp, func, 453 &error, ipst); 454 if (ipif != NULL) 455 ipif_refheld = B_TRUE; 456 else if (error == EINPROGRESS) { 457 ip1dbg(("ip_rt_add_v6: null and EINPROGRESS")); 458 return (error); 459 } 460 461 /* 462 * GateD will attempt to create routes with a loopback interface 463 * address as the gateway and with RTF_GATEWAY set. We allow 464 * these routes to be added, but create them as interface routes 465 * since the gateway is an interface address. 466 */ 467 if ((ipif != NULL) && (ipif->ipif_ire_type == IRE_LOOPBACK)) { 468 flags &= ~RTF_GATEWAY; 469 if (IN6_ARE_ADDR_EQUAL(gw_addr, &ipv6_loopback) && 470 IN6_ARE_ADDR_EQUAL(dst_addr, &ipv6_loopback) && 471 IN6_ARE_ADDR_EQUAL(mask, &ipv6_all_ones)) { 472 ire = ire_ctable_lookup_v6(dst_addr, 0, IRE_LOOPBACK, 473 ipif, ALL_ZONES, NULL, match_flags, ipst); 474 if (ire != NULL) { 475 ire_refrele(ire); 476 if (ipif_refheld) 477 ipif_refrele(ipif); 478 return (EEXIST); 479 } 480 ip1dbg(("ipif_up_done: 0x%p creating IRE 0x%x" 481 "for 0x%x\n", (void *)ipif, 482 ipif->ipif_ire_type, 483 ntohl(ipif->ipif_lcl_addr))); 484 ire = ire_create_v6( 485 dst_addr, 486 mask, 487 &ipif->ipif_v6src_addr, 488 NULL, 489 &ipif->ipif_mtu, 490 NULL, 491 NULL, 492 NULL, 493 ipif->ipif_net_type, 494 ipif, 495 NULL, 496 0, 497 0, 498 flags, 499 &ire_uinfo_null, 500 NULL, 501 NULL, 502 ipst); 503 if (ire == NULL) { 504 if (ipif_refheld) 505 ipif_refrele(ipif); 506 return (ENOMEM); 507 } 508 error = ire_add(&ire, q, mp, func, B_FALSE); 509 if (error == 0) 510 goto save_ire; 511 /* 512 * In the result of failure, ire_add() will have already 513 * deleted the ire in question, so there is no need to 514 * do that here. 515 */ 516 if (ipif_refheld) 517 ipif_refrele(ipif); 518 return (error); 519 } 520 } 521 522 /* 523 * Traditionally, interface routes are ones where RTF_GATEWAY isn't set 524 * and the gateway address provided is one of the system's interface 525 * addresses. By using the routing socket interface and supplying an 526 * RTA_IFP sockaddr with an interface index, an alternate method of 527 * specifying an interface route to be created is available which uses 528 * the interface index that specifies the outgoing interface rather than 529 * the address of an outgoing interface (which may not be able to 530 * uniquely identify an interface). When coupled with the RTF_GATEWAY 531 * flag, routes can be specified which not only specify the next-hop to 532 * be used when routing to a certain prefix, but also which outgoing 533 * interface should be used. 534 * 535 * Previously, interfaces would have unique addresses assigned to them 536 * and so the address assigned to a particular interface could be used 537 * to identify a particular interface. One exception to this was the 538 * case of an unnumbered interface (where IPIF_UNNUMBERED was set). 539 * 540 * With the advent of IPv6 and its link-local addresses, this 541 * restriction was relaxed and interfaces could share addresses between 542 * themselves. In fact, typically all of the link-local interfaces on 543 * an IPv6 node or router will have the same link-local address. In 544 * order to differentiate between these interfaces, the use of an 545 * interface index is necessary and this index can be carried inside a 546 * RTA_IFP sockaddr (which is actually a sockaddr_dl). One restriction 547 * of using the interface index, however, is that all of the ipif's that 548 * are part of an ill have the same index and so the RTA_IFP sockaddr 549 * cannot be used to differentiate between ipif's (or logical 550 * interfaces) that belong to the same ill (physical interface). 551 * 552 * For example, in the following case involving IPv4 interfaces and 553 * logical interfaces 554 * 555 * 192.0.2.32 255.255.255.224 192.0.2.33 U if0 556 * 192.0.2.32 255.255.255.224 192.0.2.34 U if0:1 557 * 192.0.2.32 255.255.255.224 192.0.2.35 U if0:2 558 * 559 * the ipif's corresponding to each of these interface routes can be 560 * uniquely identified by the "gateway" (actually interface address). 561 * 562 * In this case involving multiple IPv6 default routes to a particular 563 * link-local gateway, the use of RTA_IFP is necessary to specify which 564 * default route is of interest: 565 * 566 * default fe80::123:4567:89ab:cdef U if0 567 * default fe80::123:4567:89ab:cdef U if1 568 */ 569 570 /* RTF_GATEWAY not set */ 571 if (!(flags & RTF_GATEWAY)) { 572 queue_t *stq; 573 574 if (sp != NULL) { 575 ip2dbg(("ip_rt_add_v6: gateway security attributes " 576 "cannot be set with interface route\n")); 577 if (ipif_refheld) 578 ipif_refrele(ipif); 579 return (EINVAL); 580 } 581 582 /* 583 * As the interface index specified with the RTA_IFP sockaddr is 584 * the same for all ipif's off of an ill, the matching logic 585 * below uses MATCH_IRE_ILL if such an index was specified. 586 * This means that routes sharing the same prefix when added 587 * using a RTA_IFP sockaddr must have distinct interface 588 * indices (namely, they must be on distinct ill's). 589 * 590 * On the other hand, since the gateway address will usually be 591 * different for each ipif on the system, the matching logic 592 * uses MATCH_IRE_IPIF in the case of a traditional interface 593 * route. This means that interface routes for the same prefix 594 * can be created if they belong to distinct ipif's and if a 595 * RTA_IFP sockaddr is not present. 596 */ 597 if (ipif_arg != NULL) { 598 if (ipif_refheld) { 599 ipif_refrele(ipif); 600 ipif_refheld = B_FALSE; 601 } 602 ipif = ipif_arg; 603 match_flags |= MATCH_IRE_ILL; 604 } else { 605 /* 606 * Check the ipif corresponding to the gw_addr 607 */ 608 if (ipif == NULL) 609 return (ENETUNREACH); 610 match_flags |= MATCH_IRE_IPIF; 611 } 612 613 ASSERT(ipif != NULL); 614 /* 615 * We check for an existing entry at this point. 616 */ 617 match_flags |= MATCH_IRE_MASK; 618 ire = ire_ftable_lookup_v6(dst_addr, mask, 0, IRE_INTERFACE, 619 ipif, NULL, ALL_ZONES, 0, NULL, match_flags, ipst); 620 if (ire != NULL) { 621 ire_refrele(ire); 622 if (ipif_refheld) 623 ipif_refrele(ipif); 624 return (EEXIST); 625 } 626 627 stq = (ipif->ipif_net_type == IRE_IF_RESOLVER) 628 ? ipif->ipif_rq : ipif->ipif_wq; 629 630 /* 631 * Create a copy of the IRE_LOOPBACK, IRE_IF_NORESOLVER or 632 * IRE_IF_RESOLVER with the modified address and netmask. 633 */ 634 ire = ire_create_v6( 635 dst_addr, 636 mask, 637 &ipif->ipif_v6src_addr, 638 NULL, 639 &ipif->ipif_mtu, 640 NULL, 641 NULL, 642 stq, 643 ipif->ipif_net_type, 644 ipif, 645 NULL, 646 0, 647 0, 648 flags, 649 &ire_uinfo_null, 650 NULL, 651 NULL, 652 ipst); 653 if (ire == NULL) { 654 if (ipif_refheld) 655 ipif_refrele(ipif); 656 return (ENOMEM); 657 } 658 659 /* 660 * Some software (for example, GateD and Sun Cluster) attempts 661 * to create (what amount to) IRE_PREFIX routes with the 662 * loopback address as the gateway. This is primarily done to 663 * set up prefixes with the RTF_REJECT flag set (for example, 664 * when generating aggregate routes). We also OR in the 665 * RTF_BLACKHOLE flag as these interface routes, by 666 * definition, can only be that. 667 * 668 * If the IRE type (as defined by ipif->ipif_net_type) is 669 * IRE_LOOPBACK, then we map the request into a 670 * IRE_IF_NORESOLVER. 671 * 672 * Needless to say, the real IRE_LOOPBACK is NOT created by this 673 * routine, but rather using ire_create_v6() directly. 674 */ 675 if (ipif->ipif_net_type == IRE_LOOPBACK) { 676 ire->ire_type = IRE_IF_NORESOLVER; 677 ire->ire_flags |= RTF_BLACKHOLE; 678 } 679 error = ire_add(&ire, q, mp, func, B_FALSE); 680 if (error == 0) 681 goto save_ire; 682 /* 683 * In the result of failure, ire_add() will have already 684 * deleted the ire in question, so there is no need to 685 * do that here. 686 */ 687 if (ipif_refheld) 688 ipif_refrele(ipif); 689 return (error); 690 } 691 if (ipif_refheld) { 692 ipif_refrele(ipif); 693 ipif_refheld = B_FALSE; 694 } 695 696 /* 697 * Get an interface IRE for the specified gateway. 698 * If we don't have an IRE_IF_NORESOLVER or IRE_IF_RESOLVER for the 699 * gateway, it is currently unreachable and we fail the request 700 * accordingly. 701 */ 702 ipif = ipif_arg; 703 if (ipif_arg != NULL) 704 match_flags |= MATCH_IRE_ILL; 705 gw_ire = ire_ftable_lookup_v6(gw_addr, 0, 0, IRE_INTERFACE, ipif_arg, 706 NULL, ALL_ZONES, 0, NULL, match_flags, ipst); 707 if (gw_ire == NULL) 708 return (ENETUNREACH); 709 710 /* 711 * We create one of three types of IREs as a result of this request 712 * based on the netmask. A netmask of all ones (which is automatically 713 * assumed when RTF_HOST is set) results in an IRE_HOST being created. 714 * An all zeroes netmask implies a default route so an IRE_DEFAULT is 715 * created. Otherwise, an IRE_PREFIX route is created for the 716 * destination prefix. 717 */ 718 if (IN6_ARE_ADDR_EQUAL(mask, &ipv6_all_ones)) 719 type = IRE_HOST; 720 else if (IN6_IS_ADDR_UNSPECIFIED(mask)) 721 type = IRE_DEFAULT; 722 else 723 type = IRE_PREFIX; 724 725 /* check for a duplicate entry */ 726 ire = ire_ftable_lookup_v6(dst_addr, mask, gw_addr, type, ipif_arg, 727 NULL, ALL_ZONES, 0, NULL, 728 match_flags | MATCH_IRE_MASK | MATCH_IRE_GW, ipst); 729 if (ire != NULL) { 730 ire_refrele(gw_ire); 731 ire_refrele(ire); 732 return (EEXIST); 733 } 734 735 /* Security attribute exists */ 736 if (sp != NULL) { 737 tsol_gcgrp_addr_t ga; 738 739 /* find or create the gateway credentials group */ 740 ga.ga_af = AF_INET6; 741 ga.ga_addr = *gw_addr; 742 743 /* we hold reference to it upon success */ 744 gcgrp = gcgrp_lookup(&ga, B_TRUE); 745 if (gcgrp == NULL) { 746 ire_refrele(gw_ire); 747 return (ENOMEM); 748 } 749 750 /* 751 * Create and add the security attribute to the group; a 752 * reference to the group is made upon allocating a new 753 * entry successfully. If it finds an already-existing 754 * entry for the security attribute in the group, it simply 755 * returns it and no new reference is made to the group. 756 */ 757 gc = gc_create(sp, gcgrp, &gcgrp_xtraref); 758 if (gc == NULL) { 759 /* release reference held by gcgrp_lookup */ 760 GCGRP_REFRELE(gcgrp); 761 ire_refrele(gw_ire); 762 return (ENOMEM); 763 } 764 } 765 766 /* Create the IRE. */ 767 ire = ire_create_v6( 768 dst_addr, /* dest address */ 769 mask, /* mask */ 770 /* src address assigned by the caller? */ 771 (((flags & RTF_SETSRC) && !IN6_IS_ADDR_UNSPECIFIED(src_addr)) ? 772 src_addr : NULL), 773 gw_addr, /* gateway address */ 774 &gw_ire->ire_max_frag, 775 NULL, /* no src nce */ 776 NULL, /* no recv-from queue */ 777 NULL, /* no send-to queue */ 778 (ushort_t)type, /* IRE type */ 779 ipif_arg, 780 NULL, 781 0, 782 0, 783 flags, 784 &gw_ire->ire_uinfo, /* Inherit ULP info from gw */ 785 gc, /* security attribute */ 786 NULL, 787 ipst); 788 789 /* 790 * The ire holds a reference to the 'gc' and the 'gc' holds a 791 * reference to the 'gcgrp'. We can now release the extra reference 792 * the 'gcgrp' acquired in the gcgrp_lookup, if it was not used. 793 */ 794 if (gcgrp_xtraref) 795 GCGRP_REFRELE(gcgrp); 796 if (ire == NULL) { 797 if (gc != NULL) 798 GC_REFRELE(gc); 799 ire_refrele(gw_ire); 800 return (ENOMEM); 801 } 802 803 /* 804 * POLICY: should we allow an RTF_HOST with address INADDR_ANY? 805 * SUN/OS socket stuff does but do we really want to allow ::0 ? 806 */ 807 808 /* Add the new IRE. */ 809 error = ire_add(&ire, q, mp, func, B_FALSE); 810 /* 811 * In the result of failure, ire_add() will have already 812 * deleted the ire in question, so there is no need to 813 * do that here. 814 */ 815 if (error != 0) { 816 ire_refrele(gw_ire); 817 return (error); 818 } 819 820 if (flags & RTF_MULTIRT) { 821 /* 822 * Invoke the CGTP (multirouting) filtering module 823 * to add the dst address in the filtering database. 824 * Replicated inbound packets coming from that address 825 * will be filtered to discard the duplicates. 826 * It is not necessary to call the CGTP filter hook 827 * when the dst address is a multicast, because an 828 * IP source address cannot be a multicast. 829 */ 830 if (ipst->ips_ip_cgtp_filter_ops != NULL && 831 !IN6_IS_ADDR_MULTICAST(&(ire->ire_addr_v6))) { 832 int res; 833 834 res = ipst->ips_ip_cgtp_filter_ops->cfo_add_dest_v6( 835 ipst->ips_netstack->netstack_stackid, 836 &ire->ire_addr_v6, 837 &ire->ire_gateway_addr_v6, 838 &ire->ire_src_addr_v6, 839 &gw_ire->ire_src_addr_v6); 840 if (res != 0) { 841 ire_refrele(gw_ire); 842 ire_delete(ire); 843 return (res); 844 } 845 } 846 } 847 848 /* 849 * Now that the prefix IRE entry has been created, delete any 850 * existing gateway IRE cache entries as well as any IRE caches 851 * using the gateway, and force them to be created through 852 * ip_newroute_v6. 853 */ 854 if (gc != NULL) { 855 ASSERT(gcgrp != NULL); 856 ire_clookup_delete_cache_gw_v6(gw_addr, ALL_ZONES, ipst); 857 } 858 859 save_ire: 860 if (gw_ire != NULL) { 861 ire_refrele(gw_ire); 862 } 863 if (ipif != NULL) { 864 mblk_t *save_mp; 865 866 /* 867 * Save enough information so that we can recreate the IRE if 868 * the interface goes down and then up. The metrics associated 869 * with the route will be saved as well when rts_setmetrics() is 870 * called after the IRE has been created. In the case where 871 * memory cannot be allocated, none of this information will be 872 * saved. 873 */ 874 save_mp = allocb(sizeof (ifrt_t), BPRI_MED); 875 if (save_mp != NULL) { 876 ifrt_t *ifrt; 877 878 save_mp->b_wptr += sizeof (ifrt_t); 879 ifrt = (ifrt_t *)save_mp->b_rptr; 880 bzero(ifrt, sizeof (ifrt_t)); 881 ifrt->ifrt_type = ire->ire_type; 882 ifrt->ifrt_v6addr = ire->ire_addr_v6; 883 mutex_enter(&ire->ire_lock); 884 ifrt->ifrt_v6gateway_addr = ire->ire_gateway_addr_v6; 885 ifrt->ifrt_v6src_addr = ire->ire_src_addr_v6; 886 mutex_exit(&ire->ire_lock); 887 ifrt->ifrt_v6mask = ire->ire_mask_v6; 888 ifrt->ifrt_flags = ire->ire_flags; 889 ifrt->ifrt_max_frag = ire->ire_max_frag; 890 mutex_enter(&ipif->ipif_saved_ire_lock); 891 save_mp->b_cont = ipif->ipif_saved_ire_mp; 892 ipif->ipif_saved_ire_mp = save_mp; 893 ipif->ipif_saved_ire_cnt++; 894 mutex_exit(&ipif->ipif_saved_ire_lock); 895 } 896 } 897 if (ire_arg != NULL) { 898 /* 899 * Store the ire that was successfully added into where ire_arg 900 * points to so that callers don't have to look it up 901 * themselves (but they are responsible for ire_refrele()ing 902 * the ire when they are finished with it). 903 */ 904 *ire_arg = ire; 905 } else { 906 ire_refrele(ire); /* Held in ire_add */ 907 } 908 if (ipif_refheld) 909 ipif_refrele(ipif); 910 return (0); 911 } 912 913 /* 914 * ip_rt_delete_v6 is called to delete an IPv6 route. 915 * ipif_arg is passed in to associate it with the correct interface 916 * (for link-local destinations and gateways). 917 */ 918 /* ARGSUSED4 */ 919 int 920 ip_rt_delete_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask, 921 const in6_addr_t *gw_addr, uint_t rtm_addrs, int flags, ipif_t *ipif_arg, 922 queue_t *q, mblk_t *mp, ipsq_func_t func, ip_stack_t *ipst) 923 { 924 ire_t *ire = NULL; 925 ipif_t *ipif; 926 uint_t type; 927 uint_t match_flags = MATCH_IRE_TYPE; 928 int err = 0; 929 boolean_t ipif_refheld = B_FALSE; 930 931 /* 932 * If this is the case of RTF_HOST being set, then we set the netmask 933 * to all ones. Otherwise, we use the netmask if one was supplied. 934 */ 935 if (flags & RTF_HOST) { 936 mask = &ipv6_all_ones; 937 match_flags |= MATCH_IRE_MASK; 938 } else if (rtm_addrs & RTA_NETMASK) { 939 match_flags |= MATCH_IRE_MASK; 940 } 941 942 /* 943 * Note that RTF_GATEWAY is never set on a delete, therefore 944 * we check if the gateway address is one of our interfaces first, 945 * and fall back on RTF_GATEWAY routes. 946 * 947 * This makes it possible to delete an original 948 * IRE_IF_NORESOLVER/IRE_IF_RESOLVER - consistent with SunOS 4.1. 949 * 950 * As the interface index specified with the RTA_IFP sockaddr is the 951 * same for all ipif's off of an ill, the matching logic below uses 952 * MATCH_IRE_ILL if such an index was specified. This means a route 953 * sharing the same prefix and interface index as the the route 954 * intended to be deleted might be deleted instead if a RTA_IFP sockaddr 955 * is specified in the request. 956 * 957 * On the other hand, since the gateway address will usually be 958 * different for each ipif on the system, the matching logic 959 * uses MATCH_IRE_IPIF in the case of a traditional interface 960 * route. This means that interface routes for the same prefix can be 961 * uniquely identified if they belong to distinct ipif's and if a 962 * RTA_IFP sockaddr is not present. 963 * 964 * For more detail on specifying routes by gateway address and by 965 * interface index, see the comments in ip_rt_add_v6(). 966 */ 967 ipif = ipif_lookup_interface_v6(gw_addr, dst_addr, q, mp, func, &err, 968 ipst); 969 if (ipif != NULL) { 970 ipif_refheld = B_TRUE; 971 if (ipif_arg != NULL) { 972 ipif_refrele(ipif); 973 ipif_refheld = B_FALSE; 974 ipif = ipif_arg; 975 match_flags |= MATCH_IRE_ILL; 976 } else { 977 match_flags |= MATCH_IRE_IPIF; 978 } 979 980 if (ipif->ipif_ire_type == IRE_LOOPBACK) 981 ire = ire_ctable_lookup_v6(dst_addr, 0, IRE_LOOPBACK, 982 ipif, ALL_ZONES, NULL, match_flags, ipst); 983 if (ire == NULL) 984 ire = ire_ftable_lookup_v6(dst_addr, mask, 0, 985 IRE_INTERFACE, ipif, NULL, ALL_ZONES, 0, NULL, 986 match_flags, ipst); 987 } else if (err == EINPROGRESS) { 988 return (err); 989 } else { 990 err = 0; 991 } 992 if (ire == NULL) { 993 /* 994 * At this point, the gateway address is not one of our own 995 * addresses or a matching interface route was not found. We 996 * set the IRE type to lookup based on whether 997 * this is a host route, a default route or just a prefix. 998 * 999 * If an ipif_arg was passed in, then the lookup is based on an 1000 * interface index so MATCH_IRE_ILL is added to match_flags. 1001 * In any case, MATCH_IRE_IPIF is cleared and MATCH_IRE_GW is 1002 * set as the route being looked up is not a traditional 1003 * interface route. 1004 */ 1005 match_flags &= ~MATCH_IRE_IPIF; 1006 match_flags |= MATCH_IRE_GW; 1007 if (ipif_arg != NULL) 1008 match_flags |= MATCH_IRE_ILL; 1009 if (IN6_ARE_ADDR_EQUAL(mask, &ipv6_all_ones)) 1010 type = IRE_HOST; 1011 else if (IN6_IS_ADDR_UNSPECIFIED(mask)) 1012 type = IRE_DEFAULT; 1013 else 1014 type = IRE_PREFIX; 1015 ire = ire_ftable_lookup_v6(dst_addr, mask, gw_addr, type, 1016 ipif_arg, NULL, ALL_ZONES, 0, NULL, match_flags, ipst); 1017 } 1018 1019 if (ipif_refheld) { 1020 ipif_refrele(ipif); 1021 ipif_refheld = B_FALSE; 1022 } 1023 if (ire == NULL) 1024 return (ESRCH); 1025 1026 if (ire->ire_flags & RTF_MULTIRT) { 1027 /* 1028 * Invoke the CGTP (multirouting) filtering module 1029 * to remove the dst address from the filtering database. 1030 * Packets coming from that address will no longer be 1031 * filtered to remove duplicates. 1032 */ 1033 if (ipst->ips_ip_cgtp_filter_ops != NULL) { 1034 err = ipst->ips_ip_cgtp_filter_ops->cfo_del_dest_v6( 1035 ipst->ips_netstack->netstack_stackid, 1036 &ire->ire_addr_v6, &ire->ire_gateway_addr_v6); 1037 } 1038 } 1039 1040 ipif = ire->ire_ipif; 1041 if (ipif != NULL) { 1042 mblk_t **mpp; 1043 mblk_t *mp; 1044 ifrt_t *ifrt; 1045 in6_addr_t gw_addr_v6; 1046 1047 /* Remove from ipif_saved_ire_mp list if it is there */ 1048 mutex_enter(&ire->ire_lock); 1049 gw_addr_v6 = ire->ire_gateway_addr_v6; 1050 mutex_exit(&ire->ire_lock); 1051 mutex_enter(&ipif->ipif_saved_ire_lock); 1052 for (mpp = &ipif->ipif_saved_ire_mp; *mpp != NULL; 1053 mpp = &(*mpp)->b_cont) { 1054 /* 1055 * On a given ipif, the triple of address, gateway and 1056 * mask is unique for each saved IRE (in the case of 1057 * ordinary interface routes, the gateway address is 1058 * all-zeroes). 1059 */ 1060 mp = *mpp; 1061 ifrt = (ifrt_t *)mp->b_rptr; 1062 if (IN6_ARE_ADDR_EQUAL(&ifrt->ifrt_v6addr, 1063 &ire->ire_addr_v6) && 1064 IN6_ARE_ADDR_EQUAL(&ifrt->ifrt_v6gateway_addr, 1065 &gw_addr_v6) && 1066 IN6_ARE_ADDR_EQUAL(&ifrt->ifrt_v6mask, 1067 &ire->ire_mask_v6)) { 1068 *mpp = mp->b_cont; 1069 ipif->ipif_saved_ire_cnt--; 1070 freeb(mp); 1071 break; 1072 } 1073 } 1074 mutex_exit(&ipif->ipif_saved_ire_lock); 1075 } 1076 ire_delete(ire); 1077 ire_refrele(ire); 1078 return (err); 1079 } 1080 1081 /* 1082 * Derive a token from the link layer address. 1083 */ 1084 boolean_t 1085 ill_setdefaulttoken(ill_t *ill) 1086 { 1087 int i; 1088 in6_addr_t v6addr, v6mask; 1089 1090 if (!MEDIA_V6INTFID(ill->ill_media, ill->ill_phys_addr_length, 1091 ill->ill_phys_addr, &v6addr)) 1092 return (B_FALSE); 1093 1094 (void) ip_plen_to_mask_v6(IPV6_TOKEN_LEN, &v6mask); 1095 1096 for (i = 0; i < 4; i++) 1097 v6mask.s6_addr32[i] = v6mask.s6_addr32[i] ^ 1098 (uint32_t)0xffffffff; 1099 1100 V6_MASK_COPY(v6addr, v6mask, ill->ill_token); 1101 ill->ill_token_length = IPV6_TOKEN_LEN; 1102 return (B_TRUE); 1103 } 1104 1105 /* 1106 * Create a link-local address from a token. 1107 */ 1108 static void 1109 ipif_get_linklocal(in6_addr_t *dest, const in6_addr_t *token) 1110 { 1111 int i;