1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 /* 26 * Copyright (c) 1990 Mentat Inc. 27 */ 28 29 /* 30 * This file contains the interface control functions for IPv6. 31 */ 32 33 #include <sys/types.h> 34 #include <sys/sysmacros.h> 35 #include <sys/stream.h> 36 #include <sys/dlpi.h> 37 #include <sys/stropts.h> 38 #include <sys/ddi.h> 39 #include <sys/cmn_err.h> 40 #include <sys/kstat.h> 41 #include <sys/debug.h> 42 #include <sys/zone.h> 43 #include <sys/policy.h> 44 45 #include <sys/systm.h> 46 #include <sys/param.h> 47 #include <sys/socket.h> 48 #include <sys/isa_defs.h> 49 #include <net/if.h> 50 #include <net/if_dl.h> 51 #include <net/route.h> 52 #include <netinet/in.h> 53 #include <netinet/igmp_var.h> 54 #include <netinet/ip6.h> 55 #include <netinet/icmp6.h> 56 57 #include <inet/common.h> 58 #include <inet/nd.h> 59 #include <inet/mib2.h> 60 #include <inet/ip.h> 61 #include <inet/ip6.h> 62 #include <inet/ip_multi.h> 63 #include <inet/ip_ire.h> 64 #include <inet/ip_rts.h> 65 #include <inet/ip_ndp.h> 66 #include <inet/ip_if.h> 67 #include <inet/ip6_asp.h> 68 #include <inet/ipclassifier.h> 69 #include <inet/sctp_ip.h> 70 71 #include <sys/tsol/tndb.h> 72 #include <sys/tsol/tnet.h> 73 74 static in6_addr_t ipv6_ll_template = 75 {(uint32_t)V6_LINKLOCAL, 0x0, 0x0, 0x0}; 76 77 static ipif_t * 78 ipif_lookup_interface_v6(const in6_addr_t *if_addr, const in6_addr_t *dst, 79 ip_stack_t *ipst); 80 81 static int ipif_add_ires_v6(ipif_t *, boolean_t); 82 83 /* 84 * This function is called when an application does not specify an interface 85 * to be used for multicast traffic. It calls ire_lookup_multi_v6() to look 86 * for an interface route for the specified multicast group. Doing 87 * this allows the administrator to add prefix routes for multicast to 88 * indicate which interface to be used for multicast traffic in the above 89 * scenario. The route could be for all multicast (ff00::/8), for a single 90 * multicast group (a /128 route) or anything in between. If there is no 91 * such multicast route, we just find any multicast capable interface and 92 * return it. 93 * 94 * We support MULTIRT and RTF_SETSRC on the multicast routes added to the 95 * unicast table. This is used by CGTP. 96 */ 97 ill_t * 98 ill_lookup_group_v6(const in6_addr_t *group, zoneid_t zoneid, ip_stack_t *ipst, 99 boolean_t *multirtp, in6_addr_t *setsrcp) 100 { 101 ill_t *ill; 102 103 ill = ire_lookup_multi_ill_v6(group, zoneid, ipst, multirtp, setsrcp); 104 if (ill != NULL) 105 return (ill); 106 107 return (ill_lookup_multicast(ipst, zoneid, B_TRUE)); 108 } 109 110 /* 111 * Look for an ipif with the specified interface address and destination. 112 * The destination address is used only for matching point-to-point interfaces. 113 */ 114 static ipif_t * 115 ipif_lookup_interface_v6(const in6_addr_t *if_addr, const in6_addr_t *dst, 116 ip_stack_t *ipst) 117 { 118 ipif_t *ipif; 119 ill_t *ill; 120 ill_walk_context_t ctx; 121 122 /* 123 * First match all the point-to-point interfaces 124 * before looking at non-point-to-point interfaces. 125 * This is done to avoid returning non-point-to-point 126 * ipif instead of unnumbered point-to-point ipif. 127 */ 128 rw_enter(&ipst->ips_ill_g_lock, RW_READER); 129 ill = ILL_START_WALK_V6(&ctx, ipst); 130 for (; ill != NULL; ill = ill_next(&ctx, ill)) { 131 mutex_enter(&ill->ill_lock); 132 for (ipif = ill->ill_ipif; ipif != NULL; 133 ipif = ipif->ipif_next) { 134 /* Allow the ipif to be down */ 135 if ((ipif->ipif_flags & IPIF_POINTOPOINT) && 136 (IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6lcl_addr, 137 if_addr)) && 138 (IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6pp_dst_addr, 139 dst))) { 140 if (!IPIF_IS_CONDEMNED(ipif)) { 141 ipif_refhold_locked(ipif); 142 mutex_exit(&ill->ill_lock); 143 rw_exit(&ipst->ips_ill_g_lock); 144 return (ipif); 145 } 146 } 147 } 148 mutex_exit(&ill->ill_lock); 149 } 150 rw_exit(&ipst->ips_ill_g_lock); 151 /* lookup the ipif based on interface address */ 152 ipif = ipif_lookup_addr_v6(if_addr, NULL, ALL_ZONES, ipst); 153 ASSERT(ipif == NULL || ipif->ipif_isv6); 154 return (ipif); 155 } 156 157 /* 158 * Common function for ipif_lookup_addr_v6() and ipif_lookup_addr_exact_v6(). 159 */ 160 static ipif_t * 161 ipif_lookup_addr_common_v6(const in6_addr_t *addr, ill_t *match_ill, 162 uint32_t match_flags, zoneid_t zoneid, ip_stack_t *ipst) 163 { 164 ipif_t *ipif; 165 ill_t *ill; 166 boolean_t ptp = B_FALSE; 167 ill_walk_context_t ctx; 168 boolean_t match_illgrp = (match_flags & IPIF_MATCH_ILLGRP); 169 boolean_t no_duplicate = (match_flags & IPIF_MATCH_NONDUP); 170 171 rw_enter(&ipst->ips_ill_g_lock, RW_READER); 172 /* 173 * Repeat twice, first based on local addresses and 174 * next time for pointopoint. 175 */ 176 repeat: 177 ill = ILL_START_WALK_V6(&ctx, ipst); 178 for (; ill != NULL; ill = ill_next(&ctx, ill)) { 179 if (match_ill != NULL && ill != match_ill && 180 (!match_illgrp || !IS_IN_SAME_ILLGRP(ill, match_ill))) { 181 continue; 182 } 183 mutex_enter(&ill->ill_lock); 184 for (ipif = ill->ill_ipif; ipif != NULL; 185 ipif = ipif->ipif_next) { 186 if (zoneid != ALL_ZONES && 187 ipif->ipif_zoneid != zoneid && 188 ipif->ipif_zoneid != ALL_ZONES) 189 continue; 190 191 if (no_duplicate && 192 !(ipif->ipif_flags & IPIF_UP)) { 193 continue; 194 } 195 196 /* Allow the ipif to be down */ 197 if ((!ptp && (IN6_ARE_ADDR_EQUAL( 198 &ipif->ipif_v6lcl_addr, addr) && 199 (ipif->ipif_flags & IPIF_UNNUMBERED) == 0)) || 200 (ptp && (ipif->ipif_flags & IPIF_POINTOPOINT) && 201 IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6pp_dst_addr, 202 addr))) { 203 if (!IPIF_IS_CONDEMNED(ipif)) { 204 ipif_refhold_locked(ipif); 205 mutex_exit(&ill->ill_lock); 206 rw_exit(&ipst->ips_ill_g_lock); 207 return (ipif); 208 } 209 } 210 } 211 mutex_exit(&ill->ill_lock); 212 } 213 214 /* If we already did the ptp case, then we are done */ 215 if (ptp) { 216 rw_exit(&ipst->ips_ill_g_lock); 217 return (NULL); 218 } 219 ptp = B_TRUE; 220 goto repeat; 221 } 222 223 /* 224 * Lookup an ipif with the specified address. For point-to-point links we 225 * look for matches on either the destination address or the local address, 226 * but we skip the local address check if IPIF_UNNUMBERED is set. If the 227 * `match_ill' argument is non-NULL, the lookup is restricted to that ill 228 * (or illgrp if `match_ill' is in an IPMP group). 229 */ 230 ipif_t * 231 ipif_lookup_addr_v6(const in6_addr_t *addr, ill_t *match_ill, zoneid_t zoneid, 232 ip_stack_t *ipst) 233 { 234 return (ipif_lookup_addr_common_v6(addr, match_ill, IPIF_MATCH_ILLGRP, 235 zoneid, ipst)); 236 } 237 238 /* 239 * Lookup an ipif with the specified address. Similar to ipif_lookup_addr, 240 * except that we will only return an address if it is not marked as 241 * IPIF_DUPLICATE 242 */ 243 ipif_t * 244 ipif_lookup_addr_nondup_v6(const in6_addr_t *addr, ill_t *match_ill, 245 zoneid_t zoneid, ip_stack_t *ipst) 246 { 247 return (ipif_lookup_addr_common_v6(addr, match_ill, 248 (IPIF_MATCH_ILLGRP | IPIF_MATCH_NONDUP), zoneid, 249 ipst)); 250 } 251 252 /* 253 * Special abbreviated version of ipif_lookup_addr_v6() that doesn't match 254 * `match_ill' across the IPMP group. This function is only needed in some 255 * corner-cases; almost everything should use ipif_lookup_addr_v6(). 256 */ 257 ipif_t * 258 ipif_lookup_addr_exact_v6(const in6_addr_t *addr, ill_t *match_ill, 259 ip_stack_t *ipst) 260 { 261 ASSERT(match_ill != NULL); 262 return (ipif_lookup_addr_common_v6(addr, match_ill, 0, ALL_ZONES, 263 ipst)); 264 } 265 266 /* 267 * Look for an ipif with the specified address. For point-point links 268 * we look for matches on either the destination address and the local 269 * address, but we ignore the check on the local address if IPIF_UNNUMBERED 270 * is set. 271 * If the `match_ill' argument is non-NULL, the lookup is restricted to that 272 * ill (or illgrp if `match_ill' is in an IPMP group). 273 * Return the zoneid for the ipif. ALL_ZONES if none found. 274 */ 275 zoneid_t 276 ipif_lookup_addr_zoneid_v6(const in6_addr_t *addr, ill_t *match_ill, 277 ip_stack_t *ipst) 278 { 279 ipif_t *ipif; 280 ill_t *ill; 281 boolean_t ptp = B_FALSE; 282 ill_walk_context_t ctx; 283 zoneid_t zoneid; 284 285 rw_enter(&ipst->ips_ill_g_lock, RW_READER); 286 /* 287 * Repeat twice, first based on local addresses and 288 * next time for pointopoint. 289 */ 290 repeat: 291 ill = ILL_START_WALK_V6(&ctx, ipst); 292 for (; ill != NULL; ill = ill_next(&ctx, ill)) { 293 if (match_ill != NULL && ill != match_ill && 294 !IS_IN_SAME_ILLGRP(ill, match_ill)) { 295 continue; 296 } 297 mutex_enter(&ill->ill_lock); 298 for (ipif = ill->ill_ipif; ipif != NULL; 299 ipif = ipif->ipif_next) { 300 /* Allow the ipif to be down */ 301 if ((!ptp && (IN6_ARE_ADDR_EQUAL( 302 &ipif->ipif_v6lcl_addr, addr) && 303 (ipif->ipif_flags & IPIF_UNNUMBERED) == 0)) || 304 (ptp && (ipif->ipif_flags & IPIF_POINTOPOINT) && 305 IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6pp_dst_addr, 306 addr)) && 307 !(ipif->ipif_state_flags & IPIF_CONDEMNED)) { 308 zoneid = ipif->ipif_zoneid; 309 mutex_exit(&ill->ill_lock); 310 rw_exit(&ipst->ips_ill_g_lock); 311 /* 312 * If ipif_zoneid was ALL_ZONES then we have 313 * a trusted extensions shared IP address. 314 * In that case GLOBAL_ZONEID works to send. 315 */ 316 if (zoneid == ALL_ZONES) 317 zoneid = GLOBAL_ZONEID; 318 return (zoneid); 319 } 320 } 321 mutex_exit(&ill->ill_lock); 322 } 323 324 /* If we already did the ptp case, then we are done */ 325 if (ptp) { 326 rw_exit(&ipst->ips_ill_g_lock); 327 return (ALL_ZONES); 328 } 329 ptp = B_TRUE; 330 goto repeat; 331 } 332 333 /* 334 * Perform various checks to verify that an address would make sense as a local 335 * interface address. This is currently only called when an attempt is made 336 * to set a local address. 337 * 338 * Does not allow a v4-mapped address, an address that equals the subnet 339 * anycast address, ... a multicast address, ... 340 */ 341 boolean_t 342 ip_local_addr_ok_v6(const in6_addr_t *addr, const in6_addr_t *subnet_mask) 343 { 344 in6_addr_t subnet; 345 346 if (IN6_IS_ADDR_UNSPECIFIED(addr)) 347 return (B_TRUE); /* Allow all zeros */ 348 349 /* 350 * Don't allow all zeroes or host part, but allow 351 * all ones netmask. 352 */ 353 V6_MASK_COPY(*addr, *subnet_mask, subnet); 354 if (IN6_IS_ADDR_V4MAPPED(addr) || 355 (IN6_ARE_ADDR_EQUAL(addr, &subnet) && 356 !IN6_ARE_ADDR_EQUAL(subnet_mask, &ipv6_all_ones)) || 357 (IN6_IS_ADDR_V4COMPAT(addr) && CLASSD(V4_PART_OF_V6((*addr)))) || 358 IN6_IS_ADDR_MULTICAST(addr)) 359 return (B_FALSE); 360 361 return (B_TRUE); 362 } 363 364 /* 365 * Perform various checks to verify that an address would make sense as a 366 * remote/subnet interface address. 367 */ 368 boolean_t 369 ip_remote_addr_ok_v6(const in6_addr_t *addr, const in6_addr_t *subnet_mask) 370 { 371 in6_addr_t subnet; 372 373 if (IN6_IS_ADDR_UNSPECIFIED(addr)) 374 return (B_TRUE); /* Allow all zeros */ 375 376 V6_MASK_COPY(*addr, *subnet_mask, subnet); 377 if (IN6_IS_ADDR_V4MAPPED(addr) || 378 (IN6_ARE_ADDR_EQUAL(addr, &subnet) && 379 !IN6_ARE_ADDR_EQUAL(subnet_mask, &ipv6_all_ones)) || 380 IN6_IS_ADDR_MULTICAST(addr) || 381 (IN6_IS_ADDR_V4COMPAT(addr) && CLASSD(V4_PART_OF_V6((*addr))))) 382 return (B_FALSE); 383 384 return (B_TRUE); 385 } 386 387 /* 388 * ip_rt_add_v6 is called to add an IPv6 route to the forwarding table. 389 * ill is passed in to associate it with the correct interface 390 * (for link-local destinations and gateways). 391 * If ire_arg is set, then we return the held IRE in that location. 392 */ 393 /* ARGSUSED1 */ 394 int 395 ip_rt_add_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask, 396 const in6_addr_t *gw_addr, const in6_addr_t *src_addr, int flags, 397 ill_t *ill, ire_t **ire_arg, struct rtsa_s *sp, ip_stack_t *ipst, 398 zoneid_t zoneid) 399 { 400 ire_t *ire, *nire; 401 ire_t *gw_ire = NULL; 402 ipif_t *ipif; 403 uint_t type; 404 int match_flags = MATCH_IRE_TYPE; 405 tsol_gc_t *gc = NULL; 406 tsol_gcgrp_t *gcgrp = NULL; 407 boolean_t gcgrp_xtraref = B_FALSE; 408 409 if (ire_arg != NULL) 410 *ire_arg = NULL; 411 412 /* 413 * Prevent routes with a zero gateway from being created (since 414 * interfaces can currently be plumbed and brought up with no assigned 415 * address). 416 */ 417 if (IN6_IS_ADDR_UNSPECIFIED(gw_addr)) 418 return (ENETUNREACH); 419 420 /* 421 * If this is the case of RTF_HOST being set, then we set the netmask 422 * to all ones (regardless if one was supplied). 423 */ 424 if (flags & RTF_HOST) 425 mask = &ipv6_all_ones; 426 427 /* 428 * Get the ipif, if any, corresponding to the gw_addr 429 * If -ifp was specified we restrict ourselves to the ill, otherwise 430 * we match on the gatway and destination to handle unnumbered pt-pt 431 * interfaces. 432 */ 433 if (ill != NULL) 434 ipif = ipif_lookup_addr_v6(gw_addr, ill, ALL_ZONES, ipst); 435 else 436 ipif = ipif_lookup_interface_v6(gw_addr, dst_addr, ipst); 437 if (ipif != NULL) { 438 if (IS_VNI(ipif->ipif_ill)) { 439 ipif_refrele(ipif); 440 return (EINVAL); 441 } 442 } 443 444 /* 445 * GateD will attempt to create routes with a loopback interface 446 * address as the gateway and with RTF_GATEWAY set. We allow 447 * these routes to be added, but create them as interface routes 448 * since the gateway is an interface address. 449 */ 450 if ((ipif != NULL) && (ipif->ipif_ire_type == IRE_LOOPBACK)) { 451 flags &= ~RTF_GATEWAY; 452 if (IN6_ARE_ADDR_EQUAL(gw_addr, &ipv6_loopback) && 453 IN6_ARE_ADDR_EQUAL(dst_addr, &ipv6_loopback) && 454 IN6_ARE_ADDR_EQUAL(mask, &ipv6_all_ones)) { 455 ire = ire_ftable_lookup_v6(dst_addr, 0, 0, IRE_LOOPBACK, 456 NULL, ALL_ZONES, NULL, MATCH_IRE_TYPE, 0, ipst, 457 NULL); 458 if (ire != NULL) { 459 ire_refrele(ire); 460 ipif_refrele(ipif); 461 return (EEXIST); 462 } 463 ip1dbg(("ip_rt_add_v6: 0x%p creating IRE 0x%x" 464 "for 0x%x\n", (void *)ipif, 465 ipif->ipif_ire_type, 466 ntohl(ipif->ipif_lcl_addr))); 467 ire = ire_create_v6( 468 dst_addr, 469 mask, 470 NULL, 471 ipif->ipif_ire_type, /* LOOPBACK */ 472 ipif->ipif_ill, 473 zoneid, 474 (ipif->ipif_flags & IPIF_PRIVATE) ? RTF_PRIVATE : 0, 475 NULL, 476 ipst); 477 478 if (ire == NULL) { 479 ipif_refrele(ipif); 480 return (ENOMEM); 481 } 482 /* src address assigned by the caller? */ 483 if ((flags & RTF_SETSRC) && 484 !IN6_IS_ADDR_UNSPECIFIED(src_addr)) 485 ire->ire_setsrc_addr_v6 = *src_addr; 486 487 nire = ire_add(ire); 488 if (nire == NULL) { 489 /* 490 * In the result of failure, ire_add() will have 491 * already deleted the ire in question, so there 492 * is no need to do that here. 493 */ 494 ipif_refrele(ipif); 495 return (ENOMEM); 496 } 497 /* 498 * Check if it was a duplicate entry. This handles 499 * the case of two racing route adds for the same route 500 */ 501 if (nire != ire) { 502 ASSERT(nire->ire_identical_ref > 1); 503 ire_delete(nire); 504 ire_refrele(nire); 505 ipif_refrele(ipif); 506 return (EEXIST); 507 } 508 ire = nire; 509 goto save_ire; 510 } 511 } 512 513 /* 514 * The routes for multicast with CGTP are quite special in that 515 * the gateway is the local interface address, yet RTF_GATEWAY 516 * is set. We turn off RTF_GATEWAY to provide compatibility with 517 * this undocumented and unusual use of multicast routes. 518 */ 519 if ((flags & RTF_MULTIRT) && ipif != NULL) 520 flags &= ~RTF_GATEWAY; 521 522 /* 523 * Traditionally, interface routes are ones where RTF_GATEWAY isn't set 524 * and the gateway address provided is one of the system's interface 525 * addresses. By using the routing socket interface and supplying an 526 * RTA_IFP sockaddr with an interface index, an alternate method of 527 * specifying an interface route to be created is available which uses 528 * the interface index that specifies the outgoing interface rather than 529 * the address of an outgoing interface (which may not be able to 530 * uniquely identify an interface). When coupled with the RTF_GATEWAY 531 * flag, routes can be specified which not only specify the next-hop to 532 * be used when routing to a certain prefix, but also which outgoing 533 * interface should be used. 534 * 535 * Previously, interfaces would have unique addresses assigned to them 536 * and so the address assigned to a particular interface could be used 537 * to identify a particular interface. One exception to this was the 538 * case of an unnumbered interface (where IPIF_UNNUMBERED was set). 539 * 540 * With the advent of IPv6 and its link-local addresses, this 541 * restriction was relaxed and interfaces could share addresses between 542 * themselves. In fact, typically all of the link-local interfaces on 543 * an IPv6 node or router will have the same link-local address. In 544 * order to differentiate between these interfaces, the use of an 545 * interface index is necessary and this index can be carried inside a 546 * RTA_IFP sockaddr (which is actually a sockaddr_dl). One restriction 547 * of using the interface index, however, is that all of the ipif's that 548 * are part of an ill have the same index and so the RTA_IFP sockaddr 549 * cannot be used to differentiate between ipif's (or logical 550 * interfaces) that belong to the same ill (physical interface). 551 * 552 * For example, in the following case involving IPv4 interfaces and 553 * logical interfaces 554 * 555 * 192.0.2.32 255.255.255.224 192.0.2.33 U if0 556 * 192.0.2.32 255.255.255.224 192.0.2.34 U if0 557 * 192.0.2.32 255.255.255.224 192.0.2.35 U if0 558 * 559 * the ipif's corresponding to each of these interface routes can be 560 * uniquely identified by the "gateway" (actually interface address). 561 * 562 * In this case involving multiple IPv6 default routes to a particular 563 * link-local gateway, the use of RTA_IFP is necessary to specify which 564 * default route is of interest: 565 * 566 * default fe80::123:4567:89ab:cdef U if0 567 * default fe80::123:4567:89ab:cdef U if1 568 */ 569 570 /* RTF_GATEWAY not set */ 571 if (!(flags & RTF_GATEWAY)) { 572 if (sp != NULL) { 573 ip2dbg(("ip_rt_add_v6: gateway security attributes " 574 "cannot be set with interface route\n")); 575 if (ipif != NULL) 576 ipif_refrele(ipif); 577 return (EINVAL); 578 } 579 580 /* 581 * Whether or not ill (RTA_IFP) is set, we require that 582 * the gateway is one of our local addresses. 583 */ 584 if (ipif == NULL) 585 return (ENETUNREACH); 586 587 /* 588 * We use MATCH_IRE_ILL here. If the caller specified an 589 * interface (from the RTA_IFP sockaddr) we use it, otherwise 590 * we use the ill derived from the gateway address. 591 * We can always match the gateway address since we record it 592 * in ire_gateway_addr. 593 * We don't allow RTA_IFP to specify a different ill than the 594 * one matching the ipif to make sure we can delete the route. 595 */ 596 match_flags |= MATCH_IRE_GW | MATCH_IRE_ILL; 597 if (ill == NULL) { 598 ill = ipif->ipif_ill; 599 } else if (ill != ipif->ipif_ill) { 600 ipif_refrele(ipif); 601 return (EINVAL); 602 } 603 604 /* 605 * We check for an existing entry at this point. 606 */ 607 match_flags |= MATCH_IRE_MASK; 608 ire = ire_ftable_lookup_v6(dst_addr, mask, gw_addr, 609 IRE_INTERFACE, ill, ALL_ZONES, NULL, match_flags, 0, ipst, 610 NULL); 611 if (ire != NULL) { 612 ire_refrele(ire); 613 ipif_refrele(ipif); 614 return (EEXIST); 615 } 616 617 /* 618 * Create a copy of the IRE_LOOPBACK, IRE_IF_NORESOLVER or 619 * IRE_IF_RESOLVER with the modified address, netmask, and 620 * gateway. 621 */ 622 ire = ire_create_v6( 623 dst_addr, 624 mask, 625 gw_addr, 626 ill->ill_net_type, 627 ill, 628 zoneid, 629 flags, 630 NULL, 631 ipst); 632 if (ire == NULL) { 633 ipif_refrele(ipif); 634 return (ENOMEM); 635 } 636 637 /* 638 * Some software (for example, GateD and Sun Cluster) attempts 639 * to create (what amount to) IRE_PREFIX routes with the 640 * loopback address as the gateway. This is primarily done to 641 * set up prefixes with the RTF_REJECT flag set (for example, 642 * when generating aggregate routes). We also OR in the 643 * RTF_BLACKHOLE flag as these interface routes, by 644 * definition, can only be that. 645 * 646 * If the IRE type (as defined by ill->ill_net_type) is 647 * IRE_LOOPBACK, then we map the request into a 648 * IRE_IF_NORESOLVER. 649 * 650 * Needless to say, the real IRE_LOOPBACK is NOT created by this 651 * routine, but rather using ire_create_v6() directly. 652 */ 653 if (ill->ill_net_type == IRE_LOOPBACK) { 654 ire->ire_type = IRE_IF_NORESOLVER; 655 ire->ire_flags |= RTF_BLACKHOLE; 656 } 657 /* src address assigned by the caller? */ 658 if ((flags & RTF_SETSRC) && !IN6_IS_ADDR_UNSPECIFIED(src_addr)) 659 ire->ire_setsrc_addr_v6 = *src_addr; 660 661 nire = ire_add(ire); 662 if (nire == NULL) { 663 /* 664 * In the result of failure, ire_add() will have 665 * already deleted the ire in question, so there 666 * is no need to do that here. 667 */ 668 ipif_refrele(ipif); 669 return (ENOMEM); 670 } 671 /* 672 * Check if it was a duplicate entry. This handles 673 * the case of two racing route adds for the same route 674 */ 675 if (nire != ire) { 676 ASSERT(nire->ire_identical_ref > 1); 677 ire_delete(nire); 678 ire_refrele(nire); 679 ipif_refrele(ipif); 680 return (EEXIST); 681 } 682 ire = nire; 683 goto save_ire; 684 } 685 686 /* 687 * Get an interface IRE for the specified gateway. 688 * If we don't have an IRE_IF_NORESOLVER or IRE_IF_RESOLVER for the 689 * gateway, it is currently unreachable and we fail the request 690 * accordingly. 691 * If RTA_IFP was specified we look on that particular ill. 692 */ 693 if (ill != NULL) 694 match_flags |= MATCH_IRE_ILL; 695 696 /* Check whether the gateway is reachable. */ 697 type = IRE_INTERFACE; 698 if (flags & RTF_INDIRECT) 699 type |= IRE_OFFLINK; 700 701 gw_ire = ire_ftable_lookup_v6(gw_addr, 0, 0, type, ill, 702 ALL_ZONES, NULL, match_flags, 0, ipst, NULL); 703 if (gw_ire == NULL) { 704 if (ipif != NULL) 705 ipif_refrele(ipif); 706 return (ENETUNREACH); 707 } 708 709 /* 710 * We create one of three types of IREs as a result of this request 711 * based on the netmask. A netmask of all ones (which is automatically 712 * assumed when RTF_HOST is set) results in an IRE_HOST being created. 713 * An all zeroes netmask implies a default route so an IRE_DEFAULT is 714 * created. Otherwise, an IRE_PREFIX route is created for the 715 * destination prefix. 716 */ 717 if (IN6_ARE_ADDR_EQUAL(mask, &ipv6_all_ones)) 718 type = IRE_HOST; 719 else if (IN6_IS_ADDR_UNSPECIFIED(mask)) 720 type = IRE_DEFAULT; 721 else 722 type = IRE_PREFIX; 723 724 /* check for a duplicate entry */ 725 ire = ire_ftable_lookup_v6(dst_addr, mask, gw_addr, type, ill, 726 ALL_ZONES, NULL, 727 match_flags | MATCH_IRE_MASK | MATCH_IRE_GW, 0, ipst, NULL); 728 if (ire != NULL) { 729 if (ipif != NULL) 730 ipif_refrele(ipif); 731 ire_refrele(gw_ire); 732 ire_refrele(ire); 733 return (EEXIST); 734 } 735 736 /* Security attribute exists */ 737 if (sp != NULL) { 738 tsol_gcgrp_addr_t ga; 739 740 /* find or create the gateway credentials group */ 741 ga.ga_af = AF_INET6; 742 ga.ga_addr = *gw_addr; 743 744 /* we hold reference to it upon success */ 745 gcgrp = gcgrp_lookup(&ga, B_TRUE); 746 if (gcgrp == NULL) { 747 if (ipif != NULL) 748 ipif_refrele(ipif); 749 ire_refrele(gw_ire); 750 return (ENOMEM); 751 } 752 753 /* 754 * Create and add the security attribute to the group; a 755 * reference to the group is made upon allocating a new 756 * entry successfully. If it finds an already-existing 757 * entry for the security attribute in the group, it simply 758 * returns it and no new reference is made to the group. 759 */ 760 gc = gc_create(sp, gcgrp, &gcgrp_xtraref); 761 if (gc == NULL) { 762 /* release reference held by gcgrp_lookup */ 763 GCGRP_REFRELE(gcgrp); 764 if (ipif != NULL) 765 ipif_refrele(ipif); 766 ire_refrele(gw_ire); 767 return (ENOMEM); 768 } 769 } 770 771 /* Create the IRE. */ 772 ire = ire_create_v6( 773 dst_addr, /* dest address */ 774 mask, /* mask */ 775 gw_addr, /* gateway address */ 776 (ushort_t)type, /* IRE type */ 777 ill, 778 zoneid, 779 flags, 780 gc, /* security attribute */ 781 ipst); 782 783 /* 784 * The ire holds a reference to the 'gc' and the 'gc' holds a 785 * reference to the 'gcgrp'. We can now release the extra reference 786 * the 'gcgrp' acquired in the gcgrp_lookup, if it was not used. 787 */ 788 if (gcgrp_xtraref) 789 GCGRP_REFRELE(gcgrp); 790 if (ire == NULL) { 791 if (gc != NULL) 792 GC_REFRELE(gc); 793 if (ipif != NULL) 794 ipif_refrele(ipif); 795 ire_refrele(gw_ire); 796 return (ENOMEM); 797 } 798 799 /* src address assigned by the caller? */ 800 if ((flags & RTF_SETSRC) && !IN6_IS_ADDR_UNSPECIFIED(src_addr)) 801 ire->ire_setsrc_addr_v6 = *src_addr; 802 803 /* 804 * POLICY: should we allow an RTF_HOST with address INADDR_ANY? 805 * SUN/OS socket stuff does but do we really want to allow ::0 ? 806 */ 807 808 /* Add the new IRE. */ 809 nire = ire_add(ire); 810 if (nire == NULL) { 811 /* 812 * In the result of failure, ire_add() will have 813 * already deleted the ire in question, so there 814 * is no need to do that here. 815 */ 816 if (ipif != NULL) 817 ipif_refrele(ipif); 818 ire_refrele(gw_ire); 819 return (ENOMEM); 820 } 821 /* 822 * Check if it was a duplicate entry. This handles 823 * the case of two racing route adds for the same route 824 */ 825 if (nire != ire) { 826 ASSERT(nire->ire_identical_ref > 1); 827 ire_delete(nire); 828 ire_refrele(nire); 829 if (ipif != NULL) 830 ipif_refrele(ipif); 831 ire_refrele(gw_ire); 832 return (EEXIST); 833 } 834 ire = nire; 835 836 if (flags & RTF_MULTIRT) { 837 /* 838 * Invoke the CGTP (multirouting) filtering module 839 * to add the dst address in the filtering database. 840 * Replicated inbound packets coming from that address 841 * will be filtered to discard the duplicates. 842 * It is not necessary to call the CGTP filter hook 843 * when the dst address is a multicast, because an 844 * IP source address cannot be a multicast. 845 */ 846 if (ipst->ips_ip_cgtp_filter_ops != NULL && 847 !IN6_IS_ADDR_MULTICAST(&(ire->ire_addr_v6))) { 848 int res; 849 ipif_t *src_ipif; 850 851 /* Find the source address corresponding to gw_ire */ 852 src_ipif = ipif_lookup_addr_v6( 853 &gw_ire->ire_gateway_addr_v6, NULL, zoneid, ipst); 854 if (src_ipif != NULL) { 855 res = ipst->ips_ip_cgtp_filter_ops-> 856 cfo_add_dest_v6( 857 ipst->ips_netstack->netstack_stackid, 858 &ire->ire_addr_v6, 859 &ire->ire_gateway_addr_v6, 860 &ire->ire_setsrc_addr_v6, 861 &src_ipif->ipif_v6lcl_addr); 862 ipif_refrele(src_ipif); 863 } else { 864 res = EADDRNOTAVAIL; 865 } 866 if (res != 0) { 867 if (ipif != NULL) 868 ipif_refrele(ipif); 869 ire_refrele(gw_ire); 870 ire_delete(ire); 871 ire_refrele(ire); /* Held in ire_add */ 872 return (res); 873 } 874 } 875 } 876 877 save_ire: 878 if (gw_ire != NULL) { 879 ire_refrele(gw_ire); 880 gw_ire = NULL; 881 } 882 if (ire->ire_ill != NULL) { 883 /* 884 * Save enough information so that we can recreate the IRE if 885 * the ILL goes down and then up. The metrics associated 886 * with the route will be saved as well when rts_setmetrics() is 887 * called after the IRE has been created. In the case where 888 * memory cannot be allocated, none of this information will be 889 * saved. 890 */ 891 ill_save_ire(ire->ire_ill, ire); 892 } 893 894 if (ire_arg != NULL) { 895 /* 896 * Store the ire that was successfully added into where ire_arg 897 * points to so that callers don't have to look it up 898 * themselves (but they are responsible for ire_refrele()ing 899 * the ire when they are finished with it). 900 */ 901 *ire_arg = ire; 902 } else { 903 ire_refrele(ire); /* Held in ire_add */ 904 } 905 if (ipif != NULL) 906 ipif_refrele(ipif); 907 return (0); 908 } 909 910 /* 911 * ip_rt_delete_v6 is called to delete an IPv6 route. 912 * ill is passed in to associate it with the correct interface. 913 * (for link-local destinations and gateways). 914 */ 915 /* ARGSUSED4 */ 916 int 917 ip_rt_delete_v6(const in6_addr_t *dst_addr, const in6_addr_t *mask, 918 const in6_addr_t *gw_addr, uint_t rtm_addrs, int flags, ill_t *ill, 919 ip_stack_t *ipst, zoneid_t zoneid) 920 { 921 ire_t *ire = NULL; 922 ipif_t *ipif; 923 uint_t type; 924 uint_t match_flags = MATCH_IRE_TYPE; 925 int err = 0; 926 927 /* 928 * If this is the case of RTF_HOST being set, then we set the netmask 929 * to all ones. Otherwise, we use the netmask if one was supplied. 930 */ 931 if (flags & RTF_HOST) { 932 mask = &ipv6_all_ones; 933 match_flags |= MATCH_IRE_MASK; 934 } else if (rtm_addrs & RTA_NETMASK) { 935 match_flags |= MATCH_IRE_MASK; 936 } 937 938 /* 939 * Note that RTF_GATEWAY is never set on a delete, therefore 940 * we check if the gateway address is one of our interfaces first, 941 * and fall back on RTF_GATEWAY routes. 942 * 943 * This makes it possible to delete an original 944 * IRE_IF_NORESOLVER/IRE_IF_RESOLVER - consistent with SunOS 4.1. 945 * However, we have RTF_KERNEL set on the ones created by ipif_up 946 * and those can not be deleted here. 947 * 948 * We use MATCH_IRE_ILL if we know the interface. If the caller 949 * specified an interface (from the RTA_IFP sockaddr) we use it, 950 * otherwise we use the ill derived from the gateway address. 951 * We can always match the gateway address since we record it 952 * in ire_gateway_addr. 953 * 954 * For more detail on specifying routes by gateway address and by 955 * interface index, see the comments in ip_rt_add_v6(). 956 */ 957 ipif = ipif_lookup_interface_v6(gw_addr, dst_addr, ipst); 958 if (ipif != NULL) { 959 ill_t *ill_match; 960 961 if (ill != NULL) 962 ill_match = ill; 963 else 964 ill_match = ipif->ipif_ill; 965 966 match_flags |= MATCH_IRE_ILL; 967 if (ipif->ipif_ire_type == IRE_LOOPBACK) { 968 ire = ire_ftable_lookup_v6(dst_addr, 0, 0, IRE_LOOPBACK, 969 ill_match, ALL_ZONES, NULL, match_flags, 0, ipst, 970 NULL); 971 } 972 if (ire == NULL) { 973 match_flags |= MATCH_IRE_GW; 974 ire = ire_ftable_lookup_v6(dst_addr, mask, gw_addr, 975 IRE_INTERFACE, ill_match, ALL_ZONES, NULL, 976 match_flags, 0, ipst, NULL); 977 } 978 /* Avoid deleting routes created by kernel from an ipif */ 979 if (ire != NULL && (ire->ire_flags & RTF_KERNEL)) { 980 ire_refrele(ire); 981 ire = NULL; 982 } 983 984 /* Restore in case we didn't find a match */ 985 match_flags &= ~(MATCH_IRE_GW|MATCH_IRE_ILL); 986 } 987 988 if (ire == NULL) { 989 /* 990 * At this point, the gateway address is not one of our own 991 * addresses or a matching interface route was not found. We 992 * set the IRE type to lookup based on whether 993 * this is a host route, a default route or just a prefix. 994 * 995 * If an ill was passed in, then the lookup is based on an 996 * interface index so MATCH_IRE_ILL is added to match_flags. 997 */ 998 match_flags |= MATCH_IRE_GW; 999 if (ill != NULL) 1000 match_flags |= MATCH_IRE_ILL; 1001 if (IN6_ARE_ADDR_EQUAL(mask, &ipv6_all_ones)) 1002 type = IRE_HOST; 1003 else if (IN6_IS_ADDR_UNSPECIFIED(mask)) 1004 type = IRE_DEFAULT; 1005 else 1006 type = IRE_PREFIX; 1007 ire = ire_ftable_lookup_v6(dst_addr, mask, gw_addr, type, 1008 ill, ALL_ZONES, NULL, match_flags, 0, ipst, NULL); 1009 } 1010 1011 if (ipif != NULL) { 1012 ipif_refrele(ipif); 1013 ipif = NULL; 1014 } 1015 if (ire == NULL) 1016 return (ESRCH); 1017 1018 if (ire->ire_flags & RTF_MULTIRT) { 1019 /* 1020 * Invoke the CGTP (multirouting) filtering module 1021 * to remove the dst address from the filtering database. 1022 * Packets coming from that address will no longer be 1023 * filtered to remove duplicates. 1024 */ 1025 if (ipst->ips_ip_cgtp_filter_ops != NULL) { 1026 err = ipst->ips_ip_cgtp_filter_ops->cfo_del_dest_v6( 1027 ipst->ips_netstack->netstack_stackid, 1028 &ire->ire_addr_v6, &ire->ire_gateway_addr_v6); 1029 } 1030 } 1031 1032 ill = ire->ire_ill; 1033 if (ill != NULL) 1034 ill_remove_saved_ire(ill, ire); 1035 ire_delete(ire); 1036 ire_refrele(ire); 1037 return (err); 1038 } 1039 1040 /* 1041 * Derive an interface id from the link layer address. 1042 */ 1043 void 1044 ill_setdefaulttoken(ill_t *ill) 1045 { 1046 if (!ill->ill_manual_token) { 1047 bzero(&ill->ill_token, sizeof (ill->ill_token)); 1048 MEDIA_V6INTFID(ill->ill_media, ill, &ill->ill_token); 1049 ill->ill_token_length = IPV6_TOKEN_LEN; 1050 } 1051 } 1052 1053 void 1054 ill_setdesttoken(ill_t *ill) 1055 { 1056 bzero(&ill->ill_dest_token, sizeof (ill->ill_dest_token)); 1057 MEDIA_V6DESTINTFID(ill->ill_media, ill, &ill->ill_dest_token); 1058 } 1059 1060 /* 1061 * Create a link-local address from a token. 1062 */ 1063 static void 1064 ipif_get_linklocal(in6_addr_t *dest, const in6_addr_t *token) 1065 { 1066 int i; 1067 1068 for (i = 0; i < 4; i++) { 1069 dest->s6_addr32[i] = 1070 token->s6_addr32[i] | ipv6_ll_template.s6_addr32[i]; 1071 } 1072 } 1073 1074 /* 1075 * Set a default IPv6 address for a 6to4 tunnel interface 2002:<tsrc>::1/16 1076 */ 1077 static void 1078 ipif_set6to4addr(ipif_t *ipif) 1079 { 1080 ill_t *ill = ipif->ipif_ill; 1081 struct in_addr v4phys; 1082 1083 ASSERT(ill->ill_mactype == DL_6TO4); 1084 ASSERT(ill->ill_phys_addr_length == sizeof (struct in_addr)); 1085 ASSERT(ipif->ipif_isv6); 1086 1087 if (ipif->ipif_flags & IPIF_UP) 1088 return; 1089 1090 (void) ip_plen_to_mask_v6(16, &ipif->ipif_v6net_mask); 1091 bcopy(ill->ill_phys_addr, &v4phys, sizeof (struct in_addr)); 1092 IN6_V4ADDR_TO_6TO4(&v4phys, &ipif->ipif_v6lcl_addr); 1093 V6_MASK_COPY(ipif->ipif_v6lcl_addr, ipif->ipif_v6net_mask, 1094 ipif->ipif_v6subnet); 1095 } 1096 1097 /* 1098 * Is it not possible to set the link local address? 1099 * The address can be set if the token is set, and the token 1100 * isn't too long. 1101 * Return B_TRUE if the address can't be set, or B_FALSE if it can. 1102 */ 1103 boolean_t 1104 ipif_cant_setlinklocal(ipif_t *ipif) 1105 { 1106 ill_t *ill = ipif->ipif_ill; 1107 1108 if (IN6_IS_ADDR_UNSPECIFIED(&ill->ill_token) || 1109 ill->ill_token_length > IPV6_ABITS - IPV6_LL_PREFIXLEN) 1110 return (B_TRUE); 1111 1112 return (B_FALSE); 1113 } 1114 1115 /* 1116 * Generate a link-local address from the token. 1117 */ 1118 void 1119 ipif_setlinklocal(ipif_t *ipif) 1120 { 1121 ill_t *ill = ipif->ipif_ill; 1122 in6_addr_t ov6addr; 1123 1124 ASSERT(IAM_WRITER_ILL(ill)); 1125 1126 /* 1127 * ill_manual_linklocal is set when the link-local address was 1128 * manually configured. 1129 */ 1130 if (ill->ill_manual_linklocal) 1131 return; 1132 1133 /* 1134 * IPv6 interfaces over 6to4 tunnels are special. They do not have 1135 * link-local addresses, but instead have a single automatically 1136 * generated global address. 1137 */ 1138 if (ill->ill_mactype == DL_6TO4) { 1139 ipif_set6to4addr(ipif); 1140 return; 1141 } 1142 1143 if (ipif_cant_setlinklocal(ipif)) 1144 return; 1145 1146 ov6addr = ipif->ipif_v6lcl_addr; 1147 ipif_get_linklocal(&ipif->ipif_v6lcl_addr, &ill->ill_token); 1148 sctp_update_ipif_addr(ipif, ov6addr); 1149 (void) ip_plen_to_mask_v6(IPV6_LL_PREFIXLEN, &ipif->ipif_v6net_mask); 1150 if (IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6pp_dst_addr)) { 1151 V6_MASK_COPY(ipif->ipif_v6lcl_addr, ipif->ipif_v6net_mask, 1152 ipif->ipif_v6subnet); 1153 } 1154 1155 ip_rts_newaddrmsg(RTM_CHGADDR, 0, ipif, RTSQ_DEFAULT); 1156 } 1157 1158 /* 1159 * Set the destination link-local address for a point-to-point IPv6 1160 * interface with a destination interface id (IP tunnels are such 1161 * interfaces). 1162 */ 1163 void 1164 ipif_setdestlinklocal(ipif_t *ipif) 1165 { 1166 ill_t *ill = ipif->ipif_ill; 1167 1168 ASSERT(IAM_WRITER_ILL(ill)); 1169 if (IN6_IS_ADDR_UNSPECIFIED(&ill->ill_dest_token)) 1170 return; 1171 /* Skip if we've already set the pp_dst_addr */ 1172 if (!IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6pp_dst_addr)) 1173 return; 1174 1175 ipif_get_linklocal(&ipif->ipif_v6pp_dst_addr, &ill->ill_dest_token); 1176 ipif->ipif_v6subnet = ipif->ipif_v6pp_dst_addr; 1177 } 1178 1179 /* 1180 * Get the resolver set up for a new ipif. (Always called as writer.) 1181 */ 1182 int 1183 ipif_ndp_up(ipif_t *ipif, boolean_t initial) 1184 { 1185 ill_t *ill = ipif->ipif_ill; 1186 int err = 0; 1187 nce_t *nce = NULL; 1188 boolean_t added_ipif = B_FALSE; 1189 1190 DTRACE_PROBE3(ipif__downup, char *, "ipif_ndp_up", 1191 ill_t *, ill, ipif_t *, ipif); 1192 ip1dbg(("ipif_ndp_up(%s:%u)\n", ill->ill_name, ipif->ipif_id)); 1193 1194 if (IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr) || 1195 (!(ill->ill_net_type & IRE_INTERFACE))) { 1196 ipif->ipif_addr_ready = 1; 1197 return (0); 1198 } 1199 1200 if ((ipif->ipif_flags & (IPIF_UNNUMBERED|IPIF_NOLOCAL)) == 0) { 1201 uint16_t flags; 1202 uint16_t state; 1203 uchar_t *hw_addr; 1204 ill_t *bound_ill; 1205 ipmp_illgrp_t *illg = ill->ill_grp; 1206 uint_t hw_addr_len; 1207 1208 flags = NCE_F_MYADDR | NCE_F_NONUD | NCE_F_PUBLISH | 1209 NCE_F_AUTHORITY; 1210 if (ill->ill_flags & ILLF_ROUTER) 1211 flags |= NCE_F_ISROUTER; 1212 1213 if (ipif->ipif_flags & IPIF_ANYCAST) 1214 flags |= NCE_F_ANYCAST; 1215 1216 if (IS_IPMP(ill)) { 1217 ASSERT(ill->ill_net_type == IRE_IF_RESOLVER); 1218 /* 1219 * If we're here via ipif_up(), then the ipif won't be 1220 * bound yet -- add it to the group, which will bind 1221 * it if possible. (We would add it in ipif_up(), but 1222 * deleting on failure there is gruesome.) If we're 1223 * here via ipmp_ill_bind_ipif(), then the ipif has 1224 * already been added to the group and we just need to 1225 * use the binding. 1226 */ 1227 if ((bound_ill = ipmp_ipif_bound_ill(ipif)) == NULL) { 1228 bound_ill = ipmp_illgrp_add_ipif(illg, ipif); 1229 if (bound_ill == NULL) { 1230 /* 1231 * We couldn't bind the ipif to an ill 1232 * yet, so we have nothing to publish. 1233 * Set ipif_addr_ready so that this 1234 * address can be used locally for now. 1235 * The routing socket message will be 1236 * sent from ipif_up_done_v6(). 1237 */ 1238 ipif->ipif_addr_ready = 1; 1239 return (0); 1240 } 1241 added_ipif = B_TRUE; 1242 } 1243 hw_addr = bound_ill->ill_nd_lla; 1244 hw_addr_len = bound_ill->ill_phys_addr_length; 1245 } else { 1246 bound_ill = ill; 1247 hw_addr = ill->ill_nd_lla; 1248 hw_addr_len = ill->ill_phys_addr_length; 1249 } 1250 1251 /* 1252 * If this is an initial bring-up (or the ipif was never 1253 * completely brought up), do DAD. Otherwise, we're here 1254 * because IPMP has rebound an address to this ill: send 1255 * unsolicited advertisements to inform others. 1256 */ 1257 if (initial || !ipif->ipif_addr_ready) { 1258 /* Causes Duplicate Address Detection to run */ 1259 state = ND_PROBE; 1260 } else { 1261 state = ND_REACHABLE; 1262 flags |= NCE_F_UNSOL_ADV; 1263 } 1264 1265 retry: 1266 err = nce_lookup_then_add_v6(ill, hw_addr, hw_addr_len, 1267 &ipif->ipif_v6lcl_addr, flags, state, &nce); 1268 switch (err) { 1269 case 0: 1270 ip1dbg(("ipif_ndp_up: NCE created for %s\n", 1271 ill->ill_name)); 1272 ipif->ipif_addr_ready = 1; 1273 ipif->ipif_added_nce = 1; 1274 nce->nce_ipif_cnt++; 1275 break; 1276 case EINPROGRESS: 1277 ip1dbg(("ipif_ndp_up: running DAD now for %s\n", 1278 ill->ill_name)); 1279 ipif->ipif_added_nce = 1; 1280 nce->nce_ipif_cnt++; 1281 break; 1282 case EEXIST: 1283 ip1dbg(("ipif_ndp_up: NCE already exists for %s\n", 1284 ill->ill_name)); 1285 if (!NCE_MYADDR(nce->nce_common)) { 1286 /* 1287 * A leftover nce from before this address 1288 * existed 1289 */ 1290 ncec_delete(nce->nce_common); 1291 nce_refrele(nce); 1292 nce = NULL; 1293 goto retry; 1294 } 1295 if ((ipif->ipif_flags & IPIF_POINTOPOINT) == 0) { 1296 nce_refrele(nce); 1297 nce = NULL; 1298 ip1dbg(("ipif_ndp_up: NCE already exists " 1299 "for %s\n", ill->ill_name)); 1300 goto fail; 1301 } 1302 /* 1303 * Duplicate local addresses are permissible for 1304 * IPIF_POINTOPOINT interfaces which will get marked 1305 * IPIF_UNNUMBERED later in 1306 * ip_addr_availability_check(). 1307 * 1308 * The nce_ipif_cnt field tracks the number of 1309 * ipifs that have nce_addr as their local address. 1310 */ 1311 ipif->ipif_addr_ready = 1; 1312 ipif->ipif_added_nce = 1; 1313 nce->nce_ipif_cnt++; 1314 err = 0; 1315 break; 1316 default: 1317 ip1dbg(("ipif_ndp_up: NCE creation failed for %s\n", 1318 ill->ill_name)); 1319 goto fail; 1320 } 1321 } else { 1322 /* No local NCE for this entry */ 1323 ipif->ipif_addr_ready = 1; 1324 } 1325 if (nce != NULL) 1326 nce_refrele(nce); 1327 return (0); 1328 fail: 1329 if (added_ipif) 1330 ipmp_illgrp_del_ipif(ill->ill_grp, ipif); 1331 1332 return (err); 1333 } 1334 1335 /* Remove all cache entries for this logical interface */ 1336 void 1337 ipif_ndp_down(ipif_t *ipif) 1338 { 1339 ipif_nce_down(ipif); 1340 } 1341 1342 /* 1343 * Return the scope of the given IPv6 address. If the address is an 1344 * IPv4 mapped IPv6 address, return the scope of the corresponding 1345 * IPv4 address. 1346 */ 1347 in6addr_scope_t 1348 ip_addr_scope_v6(const in6_addr_t *addr) 1349 { 1350 static in6_addr_t ipv6loopback = IN6ADDR_LOOPBACK_INIT; 1351 1352 if (IN6_IS_ADDR_V4MAPPED(addr)) { 1353 in_addr_t v4addr_h = ntohl(V4_PART_OF_V6((*addr))); 1354 if ((v4addr_h >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET || 1355 (v4addr_h & IN_AUTOCONF_MASK) == IN_AUTOCONF_NET) 1356 return (IP6_SCOPE_LINKLOCAL); 1357 if ((v4addr_h & IN_PRIVATE8_MASK) == IN_PRIVATE8_NET || 1358 (v4addr_h & IN_PRIVATE12_MASK) == IN_PRIVATE12_NET || 1359 (v4addr_h & IN_PRIVATE16_MASK) == IN_PRIVATE16_NET) 1360 return (IP6_SCOPE_SITELOCAL); 1361 return (IP6_SCOPE_GLOBAL); 1362 } 1363 1364 if (IN6_IS_ADDR_MULTICAST(addr)) 1365 return (IN6_ADDR_MC_SCOPE(addr)); 1366 1367 /* link-local and loopback addresses are of link-local scope */ 1368 if (IN6_IS_ADDR_LINKLOCAL(addr) || 1369 IN6_ARE_ADDR_EQUAL(addr, &ipv6loopback)) 1370 return (IP6_SCOPE_LINKLOCAL); 1371 if (IN6_IS_ADDR_SITELOCAL(addr)) 1372 return (IP6_SCOPE_SITELOCAL); 1373 return (IP6_SCOPE_GLOBAL); 1374 } 1375 1376 1377 /* 1378 * Returns the length of the common prefix of a1 and a2, as per 1379 * CommonPrefixLen() defined in RFC 3484. 1380 */ 1381 static int 1382 ip_common_prefix_v6(const in6_addr_t *a1, const in6_addr_t *a2) 1383 { 1384 int i; 1385 uint32_t a1val, a2val, mask; 1386 1387 for (i = 0; i < 4; i++) { 1388 if ((a1val = a1->s6_addr32[i]) != (a2val = a2->s6_addr32[i])) { 1389 a1val ^= a2val; 1390 i *= 32; 1391 mask = 0x80000000u; 1392 while (!(a1val & mask)) { 1393 mask >>= 1; 1394 i++; 1395 } 1396 return (i); 1397 } 1398 } 1399 return (IPV6_ABITS); 1400 } 1401 1402 #define IPIF_VALID_IPV6_SOURCE(ipif) \ 1403 (((ipif)->ipif_flags & IPIF_UP) && \ 1404 !((ipif)->ipif_flags & (IPIF_NOLOCAL|IPIF_ANYCAST)) && \ 1405 !((ipif)->ipif_ill->ill_flags & ILLF_NOACCEPT)) 1406 1407 /* source address candidate */ 1408 typedef struct candidate { 1409 ipif_t *cand_ipif; 1410 /* The properties of this candidate */ 1411 boolean_t cand_isdst; 1412 boolean_t cand_isdst_set; 1413 in6addr_scope_t cand_scope; 1414 boolean_t cand_scope_set; 1415 boolean_t cand_isdeprecated; 1416 boolean_t cand_isdeprecated_set; 1417 boolean_t cand_ispreferred; 1418 boolean_t cand_ispreferred_set; 1419 boolean_t cand_matchedinterface; 1420 boolean_t cand_matchedinterface_set; 1421 boolean_t cand_matchedlabel; 1422 boolean_t cand_matchedlabel_set; 1423 boolean_t cand_istmp; 1424 boolean_t cand_istmp_set; 1425 int cand_common_pref; 1426 boolean_t cand_common_pref_set; 1427 boolean_t cand_pref_eq; 1428 boolean_t cand_pref_eq_set; 1429 int cand_pref_len; 1430 boolean_t cand_pref_len_set; 1431 } cand_t; 1432 #define cand_srcaddr cand_ipif->ipif_v6lcl_addr 1433 #define cand_mask cand_ipif->ipif_v6net_mask 1434 #define cand_flags cand_ipif->ipif_flags 1435 #define cand_ill cand_ipif->ipif_ill 1436 #define cand_zoneid cand_ipif->ipif_zoneid 1437 1438 /* information about the destination for source address selection */ 1439 typedef struct dstinfo { 1440 const in6_addr_t *dst_addr; 1441 ill_t *dst_ill; 1442 uint_t dst_restrict_ill; 1443 boolean_t dst_prefer_src_tmp; 1444 in6addr_scope_t dst_scope; 1445 char *dst_label; 1446 } dstinfo_t; 1447 1448 /* 1449 * The following functions are rules used to select a source address in 1450 * ipif_select_source_v6(). Each rule compares a current candidate (cc) 1451 * against the best candidate (bc). Each rule has three possible outcomes; 1452 * the candidate is preferred over the best candidate (CAND_PREFER), the 1453 * candidate is not preferred over the best candidate (CAND_AVOID), or the 1454 * candidate is of equal value as the best candidate (CAND_TIE). 1455 * 1456 * These rules are part of a greater "Default Address Selection for IPv6" 1457 * sheme, which is standards based work coming out of the IETF ipv6 working 1458 * group. The IETF document defines both IPv6 source address selection and 1459 * destination address ordering. The rules defined here implement the IPv6 1460 * source address selection. Destination address ordering is done by 1461 * libnsl, and uses a similar set of rules to implement the sorting. 1462 * 1463 * Most of the rules are defined by the RFC and are not typically altered. The 1464 * last rule, number 8, has language that allows for local preferences. In the 1465 * scheme below, this means that new Solaris rules should normally go between 1466 * rule_ifprefix and rule_prefix. 1467 */ 1468 typedef enum {CAND_AVOID, CAND_TIE, CAND_PREFER} rule_res_t; 1469 typedef rule_res_t (*rulef_t)(cand_t *, cand_t *, const dstinfo_t *, 1470 ip_stack_t *); 1471 1472 /* Prefer an address if it is equal to the destination address. */ 1473 /* ARGSUSED3 */ 1474 static rule_res_t 1475 rule_isdst(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo, ip_stack_t *ipst) 1476 { 1477 if (!bc->cand_isdst_set) { 1478 bc->cand_isdst = 1479 IN6_ARE_ADDR_EQUAL(&bc->cand_srcaddr, dstinfo->dst_addr); 1480 bc->cand_isdst_set = B_TRUE; 1481 } 1482 1483 cc->cand_isdst = 1484 IN6_ARE_ADDR_EQUAL(&cc->cand_srcaddr, dstinfo->dst_addr); 1485 cc->cand_isdst_set = B_TRUE; 1486 1487 if (cc->cand_isdst == bc->cand_isdst) 1488 return (CAND_TIE); 1489 else if (cc->cand_isdst) 1490 return (CAND_PREFER); 1491 else 1492 return (CAND_AVOID); 1493 } 1494 1495 /* 1496 * Prefer addresses that are of closest scope to the destination. Always 1497 * prefer addresses that are of greater scope than the destination over 1498 * those that are of lesser scope than the destination. 1499 */ 1500 /* ARGSUSED3 */ 1501 static rule_res_t 1502 rule_scope(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo, ip_stack_t *ipst) 1503 { 1504 if (!bc->cand_scope_set) { 1505 bc->cand_scope = ip_addr_scope_v6(&bc->cand_srcaddr); 1506 bc->cand_scope_set = B_TRUE; 1507 } 1508 1509 cc->cand_scope = ip_addr_scope_v6(&cc->cand_srcaddr); 1510 cc->cand_scope_set = B_TRUE; 1511 1512 if (cc->cand_scope < bc->cand_scope) { 1513 if (cc->cand_scope < dstinfo->dst_scope) 1514 return (CAND_AVOID); 1515 else 1516 return (CAND_PREFER); 1517 } else if (bc->cand_scope < cc->cand_scope) { 1518 if (bc->cand_scope < dstinfo->dst_scope) 1519 return (CAND_PREFER); 1520 else 1521 return (CAND_AVOID); 1522 } else { 1523 return (CAND_TIE); 1524 } 1525 } 1526 1527 /* 1528 * Prefer non-deprecated source addresses. 1529 */ 1530 /* ARGSUSED2 */ 1531 static rule_res_t 1532 rule_deprecated(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo, 1533 ip_stack_t *ipst) 1534 { 1535 if (!bc->cand_isdeprecated_set) { 1536 bc->cand_isdeprecated = 1537 ((bc->cand_flags & IPIF_DEPRECATED) != 0); 1538 bc->cand_isdeprecated_set = B_TRUE; 1539 } 1540 1541 cc->cand_isdeprecated = ((cc->cand_flags & IPIF_DEPRECATED) != 0); 1542 cc->cand_isdeprecated_set = B_TRUE; 1543 1544 if (bc->cand_isdeprecated == cc->cand_isdeprecated) 1545 return (CAND_TIE); 1546 else if (cc->cand_isdeprecated) 1547 return (CAND_AVOID); 1548 else 1549 return (CAND_PREFER); 1550 } 1551 1552 /* 1553 * Prefer source addresses that have the IPIF_PREFERRED flag set. This 1554 * rule must be before rule_interface because the flag could be set on any 1555 * interface, not just the interface being used for outgoing packets (for 1556 * example, the IFF_PREFERRED could be set on an address assigned to the 1557 * loopback interface). 1558 */ 1559 /* ARGSUSED2 */ 1560 static rule_res_t 1561 rule_preferred(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo, 1562 ip_stack_t *ipst) 1563 { 1564 if (!bc->cand_ispreferred_set) { 1565 bc->cand_ispreferred = ((bc->cand_flags & IPIF_PREFERRED) != 0); 1566 bc->cand_ispreferred_set = B_TRUE; 1567 } 1568 1569 cc->cand_ispreferred = ((cc->cand_flags & IPIF_PREFERRED) != 0); 1570 cc->cand_ispreferred_set = B_TRUE; 1571 1572 if (bc->cand_ispreferred == cc->cand_ispreferred) 1573 return (CAND_TIE); 1574 else if (cc->cand_ispreferred) 1575 return (CAND_PREFER); 1576 else 1577 return (CAND_AVOID); 1578 } 1579 1580 /* 1581 * Prefer source addresses that are assigned to the outgoing interface. 1582 */ 1583 /* ARGSUSED3 */ 1584 static rule_res_t 1585 rule_interface(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo, 1586 ip_stack_t *ipst) 1587 { 1588 ill_t *dstill = dstinfo->dst_ill; 1589 1590 /* 1591 * If dstinfo->dst_restrict_ill is set, this rule is unnecessary 1592 * since we know all candidates will be on the same link. 1593 */ 1594 if (dstinfo->dst_restrict_ill) 1595 return (CAND_TIE); 1596 1597 if (!bc->cand_matchedinterface_set) { 1598 bc->cand_matchedinterface = bc->cand_ill == dstill; 1599 bc->cand_matchedinterface_set = B_TRUE; 1600 } 1601 1602 cc->cand_matchedinterface = cc->cand_ill == dstill; 1603 cc->cand_matchedinterface_set = B_TRUE; 1604 1605 if (bc->cand_matchedinterface == cc->cand_matchedinterface) 1606 return (CAND_TIE); 1607 else if (cc->cand_matchedinterface) 1608 return (CAND_PREFER); 1609 else 1610 return (CAND_AVOID); 1611 } 1612 1613 /* 1614 * Prefer source addresses whose label matches the destination's label. 1615 */ 1616 static rule_res_t 1617 rule_label(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo, ip_stack_t *ipst) 1618 { 1619 char *label; 1620 1621 if (!bc->cand_matchedlabel_set) { 1622 label = ip6_asp_lookup(&bc->cand_srcaddr, NULL, ipst); 1623 bc->cand_matchedlabel = 1624 ip6_asp_labelcmp(label, dstinfo->dst_label); 1625 bc->cand_matchedlabel_set = B_TRUE; 1626 } 1627 1628 label = ip6_asp_lookup(&cc->cand_srcaddr, NULL, ipst); 1629 cc->cand_matchedlabel = ip6_asp_labelcmp(label, dstinfo->dst_label); 1630 cc->cand_matchedlabel_set = B_TRUE; 1631 1632 if (bc->cand_matchedlabel == cc->cand_matchedlabel) 1633 return (CAND_TIE); 1634 else if (cc->cand_matchedlabel) 1635 return (CAND_PREFER); 1636 else 1637 return (CAND_AVOID); 1638 } 1639 1640 /* 1641 * Prefer public addresses over temporary ones. An application can reverse 1642 * the logic of this rule and prefer temporary addresses by using the 1643 * IPV6_SRC_PREFERENCES socket option. 1644 */ 1645 /* ARGSUSED3 */ 1646 static rule_res_t 1647 rule_temporary(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo, 1648 ip_stack_t *ipst) 1649 { 1650 if (!bc->cand_istmp_set) { 1651 bc->cand_istmp = ((bc->cand_flags & IPIF_TEMPORARY) != 0); 1652 bc->cand_istmp_set = B_TRUE; 1653 } 1654 1655 cc->cand_istmp = ((cc->cand_flags & IPIF_TEMPORARY) != 0); 1656 cc->cand_istmp_set = B_TRUE; 1657 1658 if (bc->cand_istmp == cc->cand_istmp) 1659 return (CAND_TIE); 1660 1661 if (dstinfo->dst_prefer_src_tmp && cc->cand_istmp) 1662 return (CAND_PREFER); 1663 else if (!dstinfo->dst_prefer_src_tmp && !cc->cand_istmp) 1664 return (CAND_PREFER); 1665 else 1666 return (CAND_AVOID); 1667 } 1668 1669 /* 1670 * Prefer source addresses with longer matching prefix with the destination 1671 * under the interface mask. This gets us on the same subnet before applying 1672 * any Solaris-specific rules. 1673 */ 1674 /* ARGSUSED3 */ 1675 static rule_res_t 1676 rule_ifprefix(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo, 1677 ip_stack_t *ipst) 1678 { 1679 if (!bc->cand_pref_eq_set) { 1680 bc->cand_pref_eq = V6_MASK_EQ_2(bc->cand_srcaddr, 1681 bc->cand_mask, *dstinfo->dst_addr); 1682 bc->cand_pref_eq_set = B_TRUE; 1683 } 1684 1685 cc->cand_pref_eq = V6_MASK_EQ_2(cc->cand_srcaddr, cc->cand_mask, 1686 *dstinfo->dst_addr); 1687 cc->cand_pref_eq_set = B_TRUE; 1688 1689 if (bc->cand_pref_eq) { 1690 if (cc->cand_pref_eq) { 1691 if (!bc->cand_pref_len_set) { 1692 bc->cand_pref_len = 1693 ip_mask_to_plen_v6(&bc->cand_mask); 1694 bc->cand_pref_len_set = B_TRUE; 1695 } 1696 cc->cand_pref_len = ip_mask_to_plen_v6(&cc->cand_mask); 1697 cc->cand_pref_len_set = B_TRUE; 1698 if (bc->cand_pref_len == cc->cand_pref_len) 1699 return (CAND_TIE); 1700 else if (bc->cand_pref_len > cc->cand_pref_len) 1701 return (CAND_AVOID); 1702 else 1703 return (CAND_PREFER); 1704 } else { 1705 return (CAND_AVOID); 1706 } 1707 } else { 1708 if (cc->cand_pref_eq) 1709 return (CAND_PREFER); 1710 else 1711 return (CAND_TIE); 1712 } 1713 } 1714 1715 /* 1716 * Prefer to use zone-specific addresses when possible instead of all-zones 1717 * addresses. 1718 */ 1719 /* ARGSUSED2 */ 1720 static rule_res_t 1721 rule_zone_specific(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo, 1722 ip_stack_t *ipst) 1723 { 1724 if ((bc->cand_zoneid == ALL_ZONES) == 1725 (cc->cand_zoneid == ALL_ZONES)) 1726 return (CAND_TIE); 1727 else if (cc->cand_zoneid == ALL_ZONES) 1728 return (CAND_AVOID); 1729 else 1730 return (CAND_PREFER); 1731 } 1732 1733 /* 1734 * Prefer to use DHCPv6 (first) and static addresses (second) when possible 1735 * instead of statelessly autoconfigured addresses. 1736 * 1737 * This is done after trying all other preferences (and before the final tie 1738 * breaker) so that, if all else is equal, we select addresses configured by 1739 * DHCPv6 over other addresses. We presume that DHCPv6 addresses, unlike 1740 * stateless autoconfigured addresses, are deliberately configured by an 1741 * administrator, and thus are correctly set up in DNS and network packet 1742 * filters. 1743 */ 1744 /* ARGSUSED2 */ 1745 static rule_res_t 1746 rule_addr_type(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo, 1747 ip_stack_t *ipst) 1748 { 1749 #define ATYPE(x) \ 1750 ((x) & IPIF_DHCPRUNNING) ? 1 : ((x) & IPIF_ADDRCONF) ? 3 : 2 1751 int bcval = ATYPE(bc->cand_flags); 1752 int ccval = ATYPE(cc->cand_flags); 1753 #undef ATYPE 1754 1755 if (bcval == ccval) 1756 return (CAND_TIE); 1757 else if (ccval < bcval) 1758 return (CAND_PREFER); 1759 else 1760 return (CAND_AVOID); 1761 } 1762 1763 /* 1764 * Prefer source addresses with longer matching prefix with the destination. 1765 * We do the longest matching prefix calculation by doing an xor of both 1766 * addresses with the destination, and pick the address with the longest string 1767 * of leading zeros, as per CommonPrefixLen() defined in RFC 3484. 1768 */ 1769 /* ARGSUSED3 */ 1770 static rule_res_t 1771 rule_prefix(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo, ip_stack_t *ipst) 1772 { 1773 if (!bc->cand_common_pref_set) { 1774 bc->cand_common_pref = ip_common_prefix_v6(&bc->cand_srcaddr, 1775 dstinfo->dst_addr); 1776 bc->cand_common_pref_set = B_TRUE; 1777 } 1778 1779 cc->cand_common_pref = ip_common_prefix_v6(&cc->cand_srcaddr, 1780 dstinfo->dst_addr); 1781 cc->cand_common_pref_set = B_TRUE; 1782 1783 if (bc->cand_common_pref == cc->cand_common_pref) 1784 return (CAND_TIE); 1785 else if (bc->cand_common_pref > cc->cand_common_pref) 1786 return (CAND_AVOID); 1787 else 1788 return (CAND_PREFER); 1789 } 1790 1791 /* 1792 * Last rule: we must pick something, so just prefer the current best 1793 * candidate. 1794 */ 1795 /* ARGSUSED */ 1796 static rule_res_t 1797 rule_must_be_last(cand_t *bc, cand_t *cc, const dstinfo_t *dstinfo, 1798 ip_stack_t *ipst) 1799 { 1800 return (CAND_AVOID); 1801 } 1802 1803 /* 1804 * Determine the best source address given a destination address and a 1805 * destination ill. If no suitable source address is found, it returns 1806 * NULL. If there is a usable address pointed to by the usesrc 1807 * (i.e ill_usesrc_ifindex != 0) then return that first since it is more 1808 * fine grained (i.e per interface) 1809 * 1810 * This implementation is based on the "Default Address Selection for IPv6" 1811 * specification produced by the IETF IPv6 working group. It has been 1812 * implemented so that the list of addresses is only traversed once (the 1813 * specification's algorithm could traverse the list of addresses once for 1814 * every rule). 1815 * 1816 * The restrict_ill argument restricts the algorithm to choose a source 1817 * address that is assigned to the destination ill. This is used when 1818 * the destination address is a link-local or multicast address, and when 1819 * ipv6_strict_dst_multihoming is turned on. 1820 * 1821 * src_prefs is the caller's set of source address preferences. If source 1822 * address selection is being called to determine the source address of a 1823 * connected socket (from ip_set_destination_v6()), then the preferences are 1824 * taken from conn_ixa->ixa_src_preferences. These preferences can be set on a 1825 * per-socket basis using the IPV6_SRC_PREFERENCES socket option. The only 1826 * preference currently implemented is for rfc3041 temporary addresses. 1827 */ 1828 ipif_t * 1829 ipif_select_source_v6(ill_t *dstill, const in6_addr_t *dst, 1830 boolean_t restrict_ill, uint32_t src_prefs, zoneid_t zoneid, 1831 boolean_t allow_usesrc, boolean_t *notreadyp) 1832 { 1833 dstinfo_t dstinfo; 1834 char dstr[INET6_ADDRSTRLEN]; 1835 char sstr[INET6_ADDRSTRLEN]; 1836 ipif_t *ipif, *start_ipif, *next_ipif; 1837 ill_t *ill, *usesrc_ill = NULL, *ipmp_ill = NULL; 1838 ill_walk_context_t ctx; 1839 cand_t best_c; /* The best candidate */ 1840 cand_t curr_c; /* The current candidate */ 1841 uint_t index; 1842 boolean_t first_candidate = B_TRUE; 1843 rule_res_t rule_result; 1844 tsol_tpc_t *src_rhtp, *dst_rhtp; 1845 ip_stack_t *ipst = dstill->ill_ipst; 1846 1847 /* 1848 * The list of ordering rules. They are applied in the order they 1849 * appear in the list. 1850 * 1851 * Solaris doesn't currently support Mobile IPv6, so there's no 1852 * rule_mipv6 corresponding to rule 4 in the specification. 1853 */ 1854 rulef_t rules[] = { 1855 rule_isdst, 1856 rule_scope, 1857 rule_deprecated, 1858 rule_preferred, 1859 rule_interface, 1860 rule_label, 1861 rule_temporary, 1862 rule_ifprefix, /* local rules after this */ 1863 rule_zone_specific, 1864 rule_addr_type, 1865 rule_prefix, /* local rules before this */ 1866 rule_must_be_last, /* must always be last */ 1867 NULL 1868 }; 1869 1870 ASSERT(dstill->ill_isv6); 1871 ASSERT(!IN6_IS_ADDR_V4MAPPED(dst)); 1872 1873 /* 1874 * Check if there is a usable src address pointed to by the 1875 * usesrc ifindex. This has higher precedence since it is 1876 * finer grained (i.e per interface) v/s being system wide. 1877 */ 1878 if (dstill->ill_usesrc_ifindex != 0 && allow_usesrc) { 1879 if ((usesrc_ill = 1880 ill_lookup_on_ifindex(dstill->ill_usesrc_ifindex, B_TRUE, 1881 ipst)) != NULL) { 1882 dstinfo.dst_ill = usesrc_ill; 1883 } else { 1884 return (NULL); 1885 } 1886 } else if (IS_UNDER_IPMP(dstill)) { 1887 /* 1888 * Test addresses should never be used for source address 1889 * selection, so if we were passed an underlying ill, switch 1890 * to the IPMP meta-interface. 1891 */ 1892 if ((ipmp_ill = ipmp_ill_hold_ipmp_ill(dstill)) != NULL) 1893 dstinfo.dst_ill = ipmp_ill; 1894 else 1895 return (NULL); 1896 } else { 1897 dstinfo.dst_ill = dstill; 1898 } 1899 1900 /* 1901 * If we're dealing with an unlabeled destination on a labeled system, 1902 * make sure that we ignore source addresses that are incompatible with 1903 * the destination's default label. That destination's default label 1904 * must dominate the minimum label on the source address. 1905 * 1906 * (Note that this has to do with Trusted Solaris. It's not related to 1907 * the labels described by ip6_asp_lookup.) 1908 */ 1909 dst_rhtp = NULL; 1910 if (is_system_labeled()) { 1911 dst_rhtp = find_tpc(dst, IPV6_VERSION, B_FALSE); 1912 if (dst_rhtp == NULL) 1913 return (NULL); 1914 if (dst_rhtp->tpc_tp.host_type != UNLABELED) { 1915 TPC_RELE(dst_rhtp); 1916 dst_rhtp = NULL; 1917 } 1918 } 1919 1920 dstinfo.dst_addr = dst; 1921 dstinfo.dst_scope = ip_addr_scope_v6(dst); 1922 dstinfo.dst_label = ip6_asp_lookup(dst, NULL, ipst); 1923 dstinfo.dst_prefer_src_tmp = ((src_prefs & IPV6_PREFER_SRC_TMP) != 0); 1924 rw_enter(&ipst->ips_ill_g_lock, RW_READER); 1925 /* 1926 * Section three of the I-D states that for multicast and 1927 * link-local destinations, the candidate set must be restricted to 1928 * an interface that is on the same link as the outgoing interface. 1929 * Also, when ipv6_strict_dst_multihoming is turned on, always 1930 * restrict the source address to the destination link as doing 1931 * otherwise will almost certainly cause problems. 1932 */ 1933 if (IN6_IS_ADDR_LINKLOCAL(dst) || IN6_IS_ADDR_MULTICAST(dst) || 1934 ipst->ips_ipv6_strict_dst_multihoming || usesrc_ill != NULL) { 1935 dstinfo.dst_restrict_ill = B_TRUE; 1936 } else { 1937 dstinfo.dst_restrict_ill = restrict_ill; 1938 } 1939 1940 bzero(&best_c, sizeof (cand_t)); 1941 1942 /* 1943 * Take a pass through the list of IPv6 interfaces to choose the best 1944 * possible source address. If restrict_ill is set, just use dst_ill. 1945 */ 1946 if (dstinfo.dst_restrict_ill) 1947 ill = dstinfo.dst_ill; 1948 else 1949 ill = ILL_START_WALK_V6(&ctx, ipst); 1950 1951 for (; ill != NULL; ill = ill_next(&ctx, ill)) { 1952 ASSERT(ill->ill_isv6); 1953 1954 /* 1955 * Test addresses should never be used for source address 1956 * selection, so ignore underlying ills. 1957 */ 1958 if (IS_UNDER_IPMP(ill)) 1959 continue; 1960 1961 if (ill->ill_ipif == NULL) 1962 continue; 1963 /* 1964 * For source address selection, we treat the ipif list as 1965 * circular and continue until we get back to where we 1966 * started. This allows IPMP to vary source address selection 1967 * (which improves inbound load spreading) by caching its last 1968 * ending point and starting from there. NOTE: we don't have 1969 * to worry about ill_src_ipif changing ills since that can't 1970 * happen on the IPMP ill. 1971 */ 1972 start_ipif = ill->ill_ipif; 1973 if (IS_IPMP(ill) && ill->ill_src_ipif != NULL) 1974 start_ipif = ill->ill_src_ipif; 1975 1976 ipif = start_ipif; 1977 do { 1978 if ((next_ipif = ipif->ipif_next) == NULL) 1979 next_ipif = ill->ill_ipif; 1980 1981 if (!IPIF_VALID_IPV6_SOURCE(ipif)) 1982 continue; 1983 1984 if (!ipif->ipif_addr_ready) { 1985 if (notreadyp != NULL) 1986 *notreadyp = B_TRUE; 1987 continue; 1988 } 1989 1990 if (zoneid != ALL_ZONES && 1991 ipif->ipif_zoneid != zoneid && 1992 ipif->ipif_zoneid != ALL_ZONES) 1993 continue; 1994 1995 /* 1996 * Check compatibility of local address for 1997 * destination's default label if we're on a labeled 1998 * system. Incompatible addresses can't be used at 1999 * all and must be skipped over. 2000 */ 2001 if (dst_rhtp != NULL) { 2002 boolean_t incompat; 2003 2004 src_rhtp = find_tpc(&ipif->ipif_v6lcl_addr, 2005 IPV6_VERSION, B_FALSE); 2006 if (src_rhtp == NULL) 2007 continue; 2008 incompat = 2009 src_rhtp->tpc_tp.host_type != SUN_CIPSO || 2010 src_rhtp->tpc_tp.tp_doi != 2011 dst_rhtp->tpc_tp.tp_doi || 2012 (!_blinrange(&dst_rhtp->tpc_tp.tp_def_label, 2013 &src_rhtp->tpc_tp.tp_sl_range_cipso) && 2014 !blinlset(&dst_rhtp->tpc_tp.tp_def_label, 2015 src_rhtp->tpc_tp.tp_sl_set_cipso)); 2016 TPC_RELE(src_rhtp); 2017 if (incompat) 2018 continue; 2019 } 2020 2021 if (first_candidate) { 2022 /* 2023 * This is first valid address in the list. 2024 * It is automatically the best candidate 2025 * so far. 2026 */ 2027 best_c.cand_ipif = ipif; 2028 first_candidate = B_FALSE; 2029 continue; 2030 } 2031 2032 bzero(&curr_c, sizeof (cand_t)); 2033 curr_c.cand_ipif = ipif; 2034 2035 /* 2036 * Compare this current candidate (curr_c) with the 2037 * best candidate (best_c) by applying the 2038 * comparison rules in order until one breaks the 2039 * tie. 2040 */ 2041 for (index = 0; rules[index] != NULL; index++) { 2042 /* Apply a comparison rule. */ 2043 rule_result = (rules[index])(&best_c, &curr_c, 2044 &dstinfo, ipst); 2045 if (rule_result == CAND_AVOID) { 2046 /* 2047 * The best candidate is still the 2048 * best candidate. Forget about 2049 * this current candidate and go on 2050 * to the next one. 2051 */ 2052 break; 2053 } else if (rule_result == CAND_PREFER) { 2054 /* 2055 * This candidate is prefered. It 2056 * becomes the best candidate so 2057 * far. Go on to the next address. 2058 */ 2059 best_c = curr_c; 2060 break; 2061 } 2062 /* We have a tie, apply the next rule. */ 2063 } 2064 2065 /* 2066 * The last rule must be a tie breaker rule and 2067 * must never produce a tie. At this point, the 2068 * candidate should have either been rejected, or 2069 * have been prefered as the best candidate so far. 2070 */ 2071 ASSERT(rule_result != CAND_TIE); 2072 } while ((ipif = next_ipif) != start_ipif); 2073 2074 /* 2075 * For IPMP, update the source ipif rotor to the next ipif, 2076 * provided we can look it up. (We must not use it if it's 2077 * IPIF_CONDEMNED since we may have grabbed ill_g_lock after 2078 * ipif_free() checked ill_src_ipif.) 2079 */ 2080 if (IS_IPMP(ill) && ipif != NULL) { 2081 mutex_enter(&ipif->ipif_ill->ill_lock); 2082 next_ipif = ipif->ipif_next; 2083 if (next_ipif != NULL && !IPIF_IS_CONDEMNED(next_ipif)) 2084 ill->ill_src_ipif = next_ipif; 2085 else 2086 ill->ill_src_ipif = NULL; 2087 mutex_exit(&ipif->ipif_ill->ill_lock); 2088 } 2089 2090 /* 2091 * Only one ill to consider if dst_restrict_ill is set. 2092 */ 2093 if (dstinfo.dst_restrict_ill) 2094 break; 2095 } 2096 2097 ipif = best_c.cand_ipif; 2098 ip1dbg(("ipif_select_source_v6(%s, %s) -> %s\n", 2099 dstinfo.dst_ill->ill_name, 2100 inet_ntop(AF_INET6, dstinfo.dst_addr, dstr, sizeof (dstr)), 2101 (ipif == NULL ? "NULL" : 2102 inet_ntop(AF_INET6, &ipif->ipif_v6lcl_addr, sstr, sizeof (sstr))))); 2103 2104 if (usesrc_ill != NULL) 2105 ill_refrele(usesrc_ill); 2106 2107 if (ipmp_ill != NULL) 2108 ill_refrele(ipmp_ill); 2109 2110 if (dst_rhtp != NULL) 2111 TPC_RELE(dst_rhtp); 2112 2113 if (ipif == NULL) { 2114 rw_exit(&ipst->ips_ill_g_lock); 2115 return (NULL); 2116 } 2117 2118 mutex_enter(&ipif->ipif_ill->ill_lock); 2119 if (!IPIF_IS_CONDEMNED(ipif)) { 2120 ipif_refhold_locked(ipif); 2121 mutex_exit(&ipif->ipif_ill->ill_lock); 2122 rw_exit(&ipst->ips_ill_g_lock); 2123 return (ipif); 2124 } 2125 mutex_exit(&ipif->ipif_ill->ill_lock); 2126 rw_exit(&ipst->ips_ill_g_lock); 2127 ip1dbg(("ipif_select_source_v6 cannot lookup ipif %p" 2128 " returning null \n", (void *)ipif)); 2129 2130 return (NULL); 2131 } 2132 2133 /* 2134 * Pick a source address based on the destination ill and an optional setsrc 2135 * address. 2136 * The result is stored in srcp. If generation is set, then put the source 2137 * generation number there before we look for the source address (to avoid 2138 * missing changes in the set of source addresses. 2139 * If flagsp is set, then us it to pass back ipif_flags. 2140 * 2141 * If the caller wants to cache the returned source address and detect when 2142 * that might be stale, the caller should pass in a generation argument, 2143 * which the caller can later compare against ips_src_generation 2144 * 2145 * The precedence order for selecting an IPv6 source address is: 2146 * - RTF_SETSRC on the first ire in the recursive lookup always wins. 2147 * - If usrsrc is set, swap the ill to be the usesrc one. 2148 * - If IPMP is used on the ill, select a random address from the most 2149 * preferred ones below: 2150 * That is followed by the long list of IPv6 source address selection rules 2151 * starting with rule_isdst(), rule_scope(), etc. 2152 * 2153 * We have lower preference for ALL_ZONES IP addresses, 2154 * as they pose problems with unlabeled destinations. 2155 * 2156 * Note that when multiple IP addresses match e.g., with rule_scope() we pick 2157 * the first one if IPMP is not in use. With IPMP we randomize. 2158 */ 2159 int 2160 ip_select_source_v6(ill_t *ill, const in6_addr_t *setsrc, const in6_addr_t *dst, 2161 zoneid_t zoneid, ip_stack_t *ipst, uint_t restrict_ill, uint32_t src_prefs, 2162 in6_addr_t *srcp, uint32_t *generation, uint64_t *flagsp) 2163 { 2164 ipif_t *ipif; 2165 boolean_t notready = B_FALSE; /* Set if !ipif_addr_ready found */ 2166 2167 if (flagsp != NULL) 2168 *flagsp = 0; 2169 2170 /* 2171 * Need to grab the generation number before we check to 2172 * avoid a race with a change to the set of local addresses. 2173 * No lock needed since the thread which updates the set of local 2174 * addresses use ipif/ill locks and exit those (hence a store memory 2175 * barrier) before doing the atomic increase of ips_src_generation. 2176 */ 2177 if (generation != NULL) { 2178 *generation = ipst->ips_src_generation; 2179 } 2180 2181 /* Was RTF_SETSRC set on the first IRE in the recursive lookup? */ 2182 if (setsrc != NULL && !IN6_IS_ADDR_UNSPECIFIED(setsrc)) { 2183 *srcp = *setsrc; 2184 return (0); 2185 } 2186 2187 ipif = ipif_select_source_v6(ill, dst, restrict_ill, src_prefs, zoneid, 2188 B_TRUE, ¬ready); 2189 if (ipif == NULL) { 2190 if (notready) 2191 return (ENETDOWN); 2192 else 2193 return (EADDRNOTAVAIL); 2194 } 2195 *srcp = ipif->ipif_v6lcl_addr; 2196 if (flagsp != NULL) 2197 *flagsp = ipif->ipif_flags; 2198 ipif_refrele(ipif); 2199 return (0); 2200 } 2201 2202 /* 2203 * Perform an attach and bind to get phys addr plus info_req for 2204 * the physical device. 2205 * q and mp represents an ioctl which will be queued waiting for 2206 * completion of the DLPI message exchange. 2207 * MUST be called on an ill queue. 2208 * 2209 * Returns EINPROGRESS when mp has been consumed by queueing it. 2210 * The ioctl will complete in ip_rput. 2211 */ 2212 int 2213 ill_dl_phys(ill_t *ill, ipif_t *ipif, mblk_t *mp, queue_t *q) 2214 { 2215 mblk_t *v6token_mp = NULL; 2216 mblk_t *v6lla_mp = NULL; 2217 mblk_t *dest_mp = NULL; 2218 mblk_t *phys_mp = NULL; 2219 mblk_t *info_mp = NULL; 2220 mblk_t *attach_mp = NULL; 2221 mblk_t *bind_mp = NULL; 2222 mblk_t *unbind_mp = NULL; 2223 mblk_t *notify_mp = NULL; 2224 mblk_t *capab_mp = NULL; 2225 2226 ip1dbg(("ill_dl_phys(%s:%u)\n", ill->ill_name, ipif->ipif_id)); 2227 ASSERT(ill->ill_dlpi_style_set); 2228 ASSERT(WR(q)->q_next != NULL); 2229 2230 if (ill->ill_isv6) { 2231 v6token_mp = ip_dlpi_alloc(sizeof (dl_phys_addr_req_t) + 2232 sizeof (t_scalar_t), DL_PHYS_ADDR_REQ); 2233 if (v6token_mp == NULL) 2234 goto bad; 2235 ((dl_phys_addr_req_t *)v6token_mp->b_rptr)->dl_addr_type = 2236 DL_IPV6_TOKEN; 2237 2238 v6lla_mp = ip_dlpi_alloc(sizeof (dl_phys_addr_req_t) + 2239 sizeof (t_scalar_t), DL_PHYS_ADDR_REQ); 2240 if (v6lla_mp == NULL) 2241 goto bad; 2242 ((dl_phys_addr_req_t *)v6lla_mp->b_rptr)->dl_addr_type = 2243 DL_IPV6_LINK_LAYER_ADDR; 2244 } 2245 2246 if (ill->ill_mactype == DL_IPV4 || ill->ill_mactype == DL_IPV6) { 2247 dest_mp = ip_dlpi_alloc(sizeof (dl_phys_addr_req_t) + 2248 sizeof (t_scalar_t), DL_PHYS_ADDR_REQ); 2249 if (dest_mp == NULL) 2250 goto bad; 2251 ((dl_phys_addr_req_t *)dest_mp->b_rptr)->dl_addr_type = 2252 DL_CURR_DEST_ADDR; 2253 } 2254 2255 /* 2256 * Allocate a DL_NOTIFY_REQ and set the notifications we want. 2257 */ 2258 notify_mp = ip_dlpi_alloc(sizeof (dl_notify_req_t) + sizeof (long), 2259 DL_NOTIFY_REQ); 2260 if (notify_mp == NULL) 2261 goto bad; 2262 ((dl_notify_req_t *)notify_mp->b_rptr)->dl_notifications = 2263 (DL_NOTE_PHYS_ADDR | DL_NOTE_SDU_SIZE | DL_NOTE_FASTPATH_FLUSH | 2264 DL_NOTE_LINK_UP | DL_NOTE_LINK_DOWN | DL_NOTE_CAPAB_RENEG | 2265 DL_NOTE_PROMISC_ON_PHYS | DL_NOTE_PROMISC_OFF_PHYS | 2266 DL_NOTE_REPLUMB); 2267 2268 phys_mp = ip_dlpi_alloc(sizeof (dl_phys_addr_req_t) + 2269 sizeof (t_scalar_t), DL_PHYS_ADDR_REQ); 2270 if (phys_mp == NULL) 2271 goto bad; 2272 ((dl_phys_addr_req_t *)phys_mp->b_rptr)->dl_addr_type = 2273 DL_CURR_PHYS_ADDR; 2274 2275 info_mp = ip_dlpi_alloc( 2276 sizeof (dl_info_req_t) + sizeof (dl_info_ack_t), 2277 DL_INFO_REQ); 2278 if (info_mp == NULL) 2279 goto bad; 2280 2281 ASSERT(ill->ill_dlpi_capab_state == IDCS_UNKNOWN); 2282 capab_mp = ip_dlpi_alloc(sizeof (dl_capability_req_t), 2283 DL_CAPABILITY_REQ); 2284 if (capab_mp == NULL) 2285 goto bad; 2286 2287 bind_mp = ip_dlpi_alloc(sizeof (dl_bind_req_t) + sizeof (long), 2288 DL_BIND_REQ); 2289 if (bind_mp == NULL) 2290 goto bad; 2291 ((dl_bind_req_t *)bind_mp->b_rptr)->dl_sap = ill->ill_sap; 2292 ((dl_bind_req_t *)bind_mp->b_rptr)->dl_service_mode = DL_CLDLS; 2293 2294 unbind_mp = ip_dlpi_alloc(sizeof (dl_unbind_req_t), DL_UNBIND_REQ); 2295 if (unbind_mp == NULL) 2296 goto bad; 2297 2298 /* If we need to attach, pre-alloc and initialize the mblk */ 2299 if (ill->ill_needs_attach) { 2300 attach_mp = ip_dlpi_alloc(sizeof (dl_attach_req_t), 2301 DL_ATTACH_REQ); 2302 if (attach_mp == NULL) 2303 goto bad; 2304 ((dl_attach_req_t *)attach_mp->b_rptr)->dl_ppa = ill->ill_ppa; 2305 } 2306 2307 /* 2308 * Here we are going to delay the ioctl ack until after 2309 * ACKs from DL_PHYS_ADDR_REQ. So need to save the 2310 * original ioctl message before sending the requests 2311 */ 2312 mutex_enter(&ill->ill_lock); 2313 /* ipsq_pending_mp_add won't fail since we pass in a NULL connp */ 2314 (void) ipsq_pending_mp_add(NULL, ipif, ill->ill_wq, mp, 0); 2315 /* 2316 * Set ill_phys_addr_pend to zero. It will be set to the addr_type of 2317 * the DL_PHYS_ADDR_REQ in ill_dlpi_send() and ill_dlpi_done(). It will 2318 * be used to track which DL_PHYS_ADDR_REQ is being ACK'd/NAK'd. 2319 */ 2320 ill->ill_phys_addr_pend = 0; 2321 mutex_exit(&ill->ill_lock); 2322 2323 if (attach_mp != NULL) { 2324 ip1dbg(("ill_dl_phys: attach\n")); 2325 ill_dlpi_send(ill, attach_mp); 2326 } 2327 ill_dlpi_send(ill, bind_mp); 2328 ill_dlpi_send(ill, info_mp); 2329 2330 /* 2331 * Send the capability request to get the VRRP capability information. 2332 */ 2333 ill_capability_send(ill, capab_mp); 2334 2335 if (v6token_mp != NULL) 2336 ill_dlpi_send(ill, v6token_mp); 2337 if (v6lla_mp != NULL) 2338 ill_dlpi_send(ill, v6lla_mp); 2339 if (dest_mp != NULL) 2340 ill_dlpi_send(ill, dest_mp); 2341 ill_dlpi_send(ill, phys_mp); 2342 ill_dlpi_send(ill, notify_mp); 2343 ill_dlpi_send(ill, unbind_mp); 2344 2345 /* 2346 * This operation will complete in ip_rput_dlpi_writer with either 2347 * a DL_PHYS_ADDR_ACK or DL_ERROR_ACK. 2348 */ 2349 return (EINPROGRESS); 2350 bad: 2351 freemsg(v6token_mp); 2352 freemsg(v6lla_mp); 2353 freemsg(dest_mp); 2354 freemsg(phys_mp); 2355 freemsg(info_mp); 2356 freemsg(attach_mp); 2357 freemsg(bind_mp); 2358 freemsg(capab_mp); 2359 freemsg(unbind_mp); 2360 freemsg(notify_mp); 2361 return (ENOMEM); 2362 } 2363 2364 /* Add room for tcp+ip headers */ 2365 uint_t ip_loopback_mtu_v6plus = IP_LOOPBACK_MTU + IPV6_HDR_LEN + 20; 2366 2367 /* 2368 * DLPI is up. 2369 * Create all the IREs associated with an interface bring up multicast. 2370 * Set the interface flag and finish other initialization 2371 * that potentially had to be differed to after DL_BIND_ACK. 2372 */ 2373 int 2374 ipif_up_done_v6(ipif_t *ipif) 2375 { 2376 ill_t *ill = ipif->ipif_ill; 2377 int err; 2378 boolean_t loopback = B_FALSE; 2379 2380 ip1dbg(("ipif_up_done_v6(%s:%u)\n", 2381 ipif->ipif_ill->ill_name, ipif->ipif_id)); 2382 DTRACE_PROBE3(ipif__downup, char *, "ipif_up_done_v6", 2383 ill_t *, ill, ipif_t *, ipif); 2384 2385 /* Check if this is a loopback interface */ 2386 if (ipif->ipif_ill->ill_wq == NULL) 2387 loopback = B_TRUE; 2388 2389 ASSERT(ipif->ipif_isv6); 2390 ASSERT(!MUTEX_HELD(&ipif->ipif_ill->ill_lock)); 2391 2392 if (IS_LOOPBACK(ill) || ill->ill_net_type == IRE_IF_NORESOLVER) { 2393 nce_t *loop_nce = NULL; 2394 uint16_t flags = (NCE_F_MYADDR | NCE_F_NONUD | NCE_F_AUTHORITY); 2395 2396 /* 2397 * lo0:1 and subsequent ipifs were marked IRE_LOCAL in 2398 * ipif_lookup_on_name(), but in the case of zones we can have 2399 * several loopback addresses on lo0. So all the interfaces with 2400 * loopback addresses need to be marked IRE_LOOPBACK. 2401 */ 2402 if (IN6_ARE_ADDR_EQUAL(&ipif->ipif_v6lcl_addr, &ipv6_loopback)) 2403 ipif->ipif_ire_type = IRE_LOOPBACK; 2404 else 2405 ipif->ipif_ire_type = IRE_LOCAL; 2406 if (ill->ill_net_type != IRE_LOOPBACK) 2407 flags |= NCE_F_PUBLISH; 2408 err = nce_lookup_then_add_v6(ill, NULL, 2409 ill->ill_phys_addr_length, 2410 &ipif->ipif_v6lcl_addr, flags, ND_REACHABLE, &loop_nce); 2411 2412 /* A shared-IP zone sees EEXIST for lo0:N */ 2413 if (err == 0 || err == EEXIST) { 2414 ipif->ipif_added_nce = 1; 2415 loop_nce->nce_ipif_cnt++; 2416 nce_refrele(loop_nce); 2417 err = 0; 2418 } else { 2419 ASSERT(loop_nce == NULL); 2420 return (err); 2421 } 2422 } 2423 2424 err = ipif_add_ires_v6(ipif, loopback); 2425 if (err != 0) { 2426 /* 2427 * See comments about return value from 2428 * ipif_addr_availability_check() in ipif_add_ires_v6(). 2429 */ 2430 if (err != EADDRINUSE) { 2431 ipif_ndp_down(ipif); 2432 } else { 2433 /* 2434 * Make IPMP aware of the deleted ipif so that 2435 * the needed ipmp cleanup (e.g., of ipif_bound_ill) 2436 * can be completed. Note that we do not want to 2437 * destroy the nce that was created on the ipmp_ill 2438 * for the active copy of the duplicate address in 2439 * use. 2440 */ 2441 if (IS_IPMP(ill)) 2442 ipmp_illgrp_del_ipif(ill->ill_grp, ipif); 2443 err = EADDRNOTAVAIL; 2444 } 2445 return (err); 2446 } 2447 2448 if (ill->ill_ipif_up_count == 1 && !loopback) { 2449 /* Recover any additional IREs entries for this ill */ 2450 (void) ill_recover_saved_ire(ill); 2451 } 2452 2453 if (ill->ill_need_recover_multicast) { 2454 /* 2455 * Need to recover all multicast memberships in the driver. 2456 * This had to be deferred until we had attached. 2457 */ 2458 ill_recover_multicast(ill); 2459 } 2460 2461 if (ill->ill_ipif_up_count == 1) { 2462 /* 2463 * Since the interface is now up, it may now be active. 2464 */ 2465 if (IS_UNDER_IPMP(ill)) 2466 ipmp_ill_refresh_active(ill); 2467 } 2468 2469 /* Join the allhosts multicast address and the solicited node MC */ 2470 ipif_multicast_up(ipif); 2471 2472 /* Perhaps ilgs should use this ill */ 2473 update_conn_ill(NULL, ill->ill_ipst); 2474 2475 if (ipif->ipif_addr_ready) 2476 ipif_up_notify(ipif); 2477 2478 return (0); 2479 } 2480 2481 /* 2482 * Add the IREs associated with the ipif. 2483 * Those MUST be explicitly removed in ipif_delete_ires_v6. 2484 */ 2485 static int 2486 ipif_add_ires_v6(ipif_t *ipif, boolean_t loopback) 2487 { 2488 ill_t *ill = ipif->ipif_ill; 2489 ip_stack_t *ipst = ill->ill_ipst; 2490 in6_addr_t v6addr; 2491 in6_addr_t route_mask; 2492 int err; 2493 char buf[INET6_ADDRSTRLEN]; 2494 ire_t *ire_local = NULL; /* LOCAL or LOOPBACK */ 2495 ire_t *ire_if = NULL; 2496 2497 if (!IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6lcl_addr) && 2498 !(ipif->ipif_flags & IPIF_NOLOCAL)) { 2499 2500 /* 2501 * If we're on a labeled system then make sure that zone- 2502 * private addresses have proper remote host database entries. 2503 */ 2504 if (is_system_labeled() && 2505 ipif->ipif_ire_type != IRE_LOOPBACK) { 2506 if (ip6opt_ls == 0) { 2507 cmn_err(CE_WARN, "IPv6 not enabled " 2508 "via /etc/system"); 2509 return (EINVAL); 2510 } 2511 if (!tsol_check_interface_address(ipif)) 2512 return (EINVAL); 2513 } 2514 2515 /* Register the source address for __sin6_src_id */ 2516 err = ip_srcid_insert(&ipif->ipif_v6lcl_addr, 2517 ipif->ipif_zoneid, ipst); 2518 if (err != 0) { 2519 ip0dbg(("ipif_add_ires_v6: srcid_insert %d\n", err)); 2520 return (err); 2521 } 2522 /* 2523 * If the interface address is set, create the LOCAL 2524 * or LOOPBACK IRE. 2525 */ 2526 ip1dbg(("ipif_add_ires_v6: creating IRE %d for %s\n", 2527 ipif->ipif_ire_type, 2528 inet_ntop(AF_INET6, &ipif->ipif_v6lcl_addr, 2529 buf, sizeof (buf)))); 2530 2531 ire_local = ire_create_v6( 2532 &ipif->ipif_v6lcl_addr, /* dest address */ 2533 &ipv6_all_ones, /* mask */ 2534 NULL, /* no gateway */ 2535 ipif->ipif_ire_type, /* LOCAL or LOOPBACK */ 2536 ipif->ipif_ill, /* interface */ 2537 ipif->ipif_zoneid, 2538 ((ipif->ipif_flags & IPIF_PRIVATE) ? 2539 RTF_PRIVATE : 0) | RTF_KERNEL, 2540 NULL, 2541 ipst); 2542 if (ire_local == NULL) { 2543 ip1dbg(("ipif_up_done_v6: NULL ire_local\n")); 2544 err = ENOMEM; 2545 goto bad; 2546 } 2547 } 2548 2549 /* Set up the IRE_IF_RESOLVER or IRE_IF_NORESOLVER, as appropriate. */ 2550 if (!loopback && !(ipif->ipif_flags & IPIF_NOXMIT) && 2551 !(IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6subnet) && 2552 IN6_IS_ADDR_UNSPECIFIED(&ipif->ipif_v6net_mask))) { 2553 /* ipif_v6subnet is ipif_v6pp_dst_addr for pt-pt */ 2554 v6addr = ipif->ipif_v6subnet; 2555 2556 if (ipif->ipif_flags & IPIF_POINTOPOINT) { 2557 route_mask = ipv6_all_ones; 2558 } else { 2559 route_mask = ipif->ipif_v6net_mask; 2560 } 2561 2562 ip1dbg(("ipif_add_ires_v6: creating if IRE %d for %s\n", 2563 ill->ill_net_type, 2564 inet_ntop(AF_INET6, &v6addr, buf, sizeof (buf)))); 2565 2566 ire_if = ire_create_v6( 2567 &v6addr, /* dest pref */ 2568 &route_mask, /* mask */ 2569 &ipif->ipif_v6lcl_addr, /* gateway */ 2570 ill->ill_net_type, /* IF_[NO]RESOLVER */ 2571 ipif->ipif_ill, 2572 ipif->ipif_zoneid, 2573 ((ipif->ipif_flags & IPIF_PRIVATE) ? 2574 RTF_PRIVATE : 0) | RTF_KERNEL, 2575 NULL, 2576 ipst); 2577 if (ire_if == NULL) { 2578 ip1dbg(("ipif_up_done: NULL ire_if\n")); 2579 err = ENOMEM; 2580 goto bad; 2581 } 2582 } 2583 2584 /* 2585 * Need to atomically check for IP address availability under 2586 * ip_addr_avail_lock. ill_g_lock is held as reader to ensure no new 2587 * ills or new ipifs can be added while we are checking availability. 2588 */ 2589 rw_enter(&ipst->ips_ill_g_lock, RW_READER); 2590 mutex_enter(&ipst->ips_ip_addr_avail_lock); 2591 ill->ill_ipif_up_count++; 2592 ipif->ipif_flags |= IPIF_UP; 2593 err = ip_addr_availability_check(ipif); 2594 mutex_exit(&ipst->ips_ip_addr_avail_lock); 2595 rw_exit(&ipst->ips_ill_g_lock); 2596 2597 if (err != 0) { 2598 /* 2599 * Our address may already be up on the same ill. In this case, 2600 * the external resolver entry for our ipif replaced the one for 2601 * the other ipif. So we don't want to delete it (otherwise the 2602 * other ipif would be unable to send packets). 2603 * ip_addr_availability_check() identifies this case for us and 2604 * returns EADDRINUSE; Caller must turn it into EADDRNOTAVAIL 2605 * which is the expected error code. 2606 * 2607 * Note that ipif_ndp_down() will only delete the nce in the 2608 * case when the nce_ipif_cnt drops to 0. 2609 */ 2610 ill->ill_ipif_up_count--; 2611 ipif->ipif_flags &= ~IPIF_UP; 2612 goto bad; 2613 } 2614 2615 /* 2616 * Add in all newly created IREs. 2617 * We add the IRE_INTERFACE before the IRE_LOCAL to ensure 2618 * that lookups find the IRE_LOCAL even if the IRE_INTERFACE is 2619 * a /128 route. 2620 */ 2621 if (ire_if != NULL) { 2622 ire_if = ire_add(ire_if); 2623 if (ire_if == NULL) { 2624 err = ENOMEM; 2625 goto bad2; 2626 } 2627 #ifdef DEBUG 2628 ire_refhold_notr(ire_if); 2629 ire_refrele(ire_if); 2630 #endif 2631 } 2632 if (ire_local != NULL) { 2633 ire_local = ire_add(ire_local); 2634 if (ire_local == NULL) { 2635 err = ENOMEM; 2636 goto bad2; 2637 } 2638 #ifdef DEBUG 2639 ire_refhold_notr(ire_local); 2640 ire_refrele(ire_local); 2641 #endif 2642 } 2643 rw_enter(&ipst->ips_ill_g_lock, RW_WRITER); 2644 if (ire_local != NULL) 2645 ipif->ipif_ire_local = ire_local; 2646 if (ire_if != NULL) 2647 ipif->ipif_ire_if = ire_if; 2648 rw_exit(&ipst->ips_ill_g_lock); 2649 ire_local = NULL; 2650 ire_if = NULL; 2651 2652 if (ipif->ipif_addr_ready) 2653 ipif_up_notify(ipif); 2654 return (0); 2655 2656 bad2: 2657 ill->ill_ipif_up_count--; 2658 ipif->ipif_flags &= ~IPIF_UP; 2659 2660 bad: 2661 if (ire_local != NULL) 2662 ire_delete(ire_local); 2663 if (ire_if != NULL) 2664 ire_delete(ire_if); 2665 2666 rw_enter(&ipst->ips_ill_g_lock, RW_WRITER); 2667 ire_local = ipif->ipif_ire_local; 2668 ipif->ipif_ire_local = NULL; 2669 ire_if = ipif->ipif_ire_if; 2670 ipif->ipif_ire_if = NULL; 2671 rw_exit(&ipst->ips_ill_g_lock); 2672 if (ire_local != NULL) { 2673 ire_delete(ire_local); 2674 ire_refrele_notr(ire_local); 2675 } 2676 if (ire_if != NULL) { 2677 ire_delete(ire_if); 2678 ire_refrele_notr(ire_if); 2679 } 2680 (void) ip_srcid_remove(&ipif->ipif_v6lcl_addr, ipif->ipif_zoneid, ipst); 2681 2682 return (err); 2683 } 2684 2685 /* Remove all the IREs created by ipif_add_ires_v6 */ 2686 void 2687 ipif_delete_ires_v6(ipif_t *ipif) 2688 { 2689 ill_t *ill = ipif->ipif_ill; 2690 ip_stack_t *ipst = ill->ill_ipst; 2691 ire_t *ire; 2692 2693 rw_enter(&ipst->ips_ill_g_lock, RW_WRITER); 2694 ire = ipif->ipif_ire_local; 2695 ipif->ipif_ire_local = NULL; 2696 rw_exit(&ipst->ips_ill_g_lock); 2697 if (ire != NULL) { 2698 /* 2699 * Move count to ipif so we don't loose the count due to 2700 * a down/up dance. 2701 */ 2702 atomic_add_32(&ipif->ipif_ib_pkt_count, ire->ire_ib_pkt_count); 2703 2704 ire_delete(ire); 2705 ire_refrele_notr(ire); 2706 } 2707 rw_enter(&ipst->ips_ill_g_lock, RW_WRITER); 2708 ire = ipif->ipif_ire_if; 2709 ipif->ipif_ire_if = NULL; 2710 rw_exit(&ipst->ips_ill_g_lock); 2711 if (ire != NULL) { 2712 ire_delete(ire); 2713 ire_refrele_notr(ire); 2714 } 2715 } 2716 2717 /* 2718 * Delete an ND entry if it exists. 2719 */ 2720 /* ARGSUSED */ 2721 int 2722 ip_siocdelndp_v6(ipif_t *ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp, 2723 ip_ioctl_cmd_t *ipip, void *dummy_ifreq) 2724 { 2725 sin6_t *sin6; 2726 struct lifreq *lifr; 2727 lif_nd_req_t *lnr; 2728 ill_t *ill = ipif->ipif_ill; 2729 nce_t *nce; 2730 2731 lifr = (struct lifreq *)mp->b_cont->b_cont->b_rptr; 2732 lnr = &lifr->lifr_nd; 2733 /* Only allow for logical unit zero i.e. not on "le0:17" */ 2734 if (ipif->ipif_id != 0) 2735 return (EINVAL); 2736 2737 if (!ipif->ipif_isv6) 2738 return (EINVAL); 2739 2740 if (lnr->lnr_addr.ss_family != AF_INET6) 2741 return (EAFNOSUPPORT); 2742 2743 sin6 = (sin6_t *)&lnr->lnr_addr; 2744 2745 /* 2746 * Since ND mappings must be consistent across an IPMP group, prohibit 2747 * deleting ND mappings on underlying interfaces. 2748 * Don't allow deletion of mappings for local addresses. 2749 */ 2750 if (IS_UNDER_IPMP(ill)) 2751 return (EPERM); 2752 2753 nce = nce_lookup_v6(ill, &sin6->sin6_addr); 2754 if (nce == NULL) 2755 return (ESRCH); 2756 2757 if (NCE_MYADDR(nce->nce_common)) { 2758 nce_refrele(nce); 2759 return (EPERM); 2760 } 2761 2762 /* 2763 * delete the nce_common which will also delete the nces on any 2764 * under_ill in the case of ipmp. 2765 */ 2766 ncec_delete(nce->nce_common); 2767 nce_refrele(nce); 2768 return (0); 2769 } 2770 2771 /* 2772 * Return nbr cache info. 2773 */ 2774 /* ARGSUSED */ 2775 int 2776 ip_siocqueryndp_v6(ipif_t *ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp, 2777 ip_ioctl_cmd_t *ipip, void *dummy_ifreq) 2778 { 2779 ill_t *ill = ipif->ipif_ill; 2780 struct lifreq *lifr; 2781 lif_nd_req_t *lnr; 2782 2783 lifr = (struct lifreq *)mp->b_cont->b_cont->b_rptr; 2784 lnr = &lifr->lifr_nd; 2785 /* Only allow for logical unit zero i.e. not on "le0:17" */ 2786 if (ipif->ipif_id != 0) 2787 return (EINVAL); 2788 2789 if (!ipif->ipif_isv6) 2790 return (EINVAL); 2791 2792 if (lnr->lnr_addr.ss_family != AF_INET6) 2793 return (EAFNOSUPPORT); 2794 2795 if (ill->ill_phys_addr_length > sizeof (lnr->lnr_hdw_addr)) 2796 return (EINVAL); 2797 2798 return (ndp_query(ill, lnr)); 2799 } 2800 2801 /* 2802 * Perform an update of the nd entry for the specified address. 2803 */ 2804 /* ARGSUSED */ 2805 int 2806 ip_siocsetndp_v6(ipif_t *ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp, 2807 ip_ioctl_cmd_t *ipip, void *dummy_ifreq) 2808 { 2809 sin6_t *sin6; 2810 ill_t *ill = ipif->ipif_ill; 2811 struct lifreq *lifr; 2812 lif_nd_req_t *lnr; 2813 ire_t *ire; 2814 2815 lifr = (struct lifreq *)mp->b_cont->b_cont->b_rptr; 2816 lnr = &lifr->lifr_nd; 2817 /* Only allow for logical unit zero i.e. not on "le0:17" */ 2818 if (ipif->ipif_id != 0) 2819 return (EINVAL); 2820 2821 if (!ipif->ipif_isv6) 2822 return (EINVAL); 2823 2824 if (lnr->lnr_addr.ss_family != AF_INET6) 2825 return (EAFNOSUPPORT); 2826 2827 sin6 = (sin6_t *)&lnr->lnr_addr; 2828 2829 /* 2830 * Since ND mappings must be consistent across an IPMP group, prohibit 2831 * updating ND mappings on underlying interfaces. Also, since ND 2832 * mappings for IPMP data addresses are owned by IP itself, prohibit 2833 * updating them. 2834 */ 2835 if (IS_UNDER_IPMP(ill)) 2836 return (EPERM); 2837 2838 if (IS_IPMP(ill)) { 2839 ire = ire_ftable_lookup_v6(&sin6->sin6_addr, NULL, NULL, 2840 IRE_LOCAL, ill, ALL_ZONES, NULL, 2841 MATCH_IRE_TYPE | MATCH_IRE_ILL, 0, ill->ill_ipst, NULL); 2842 if (ire != NULL) { 2843 ire_refrele(ire); 2844 return (EPERM); 2845 } 2846 } 2847 2848 return (ndp_sioc_update(ill, lnr)); 2849 } 2850
Indexes created Sun Nov 22 11:30:35 UTC 2009
Terms of Use |
Privacy |
Trademarks |
Copyright Policy |
Site Guidelines |
Help
Your use of this web site or any of its content or software indicates your agreement to be bound by these Terms of Use.
Copyright © 1995-2008 Sun Microsystems, Inc.