]> git.saurik.com Git - apple/xnu.git/blob - bsd/netinet6/nd6_nbr.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-6153.121.1.tar.gz
[apple/xnu.git] / bsd / netinet6 / nd6_nbr.c
1 /*
2 * Copyright (c) 2000-2019 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 /*
30 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
31 * All rights reserved.
32 *
33 * Redistribution and use in source and binary forms, with or without
34 * modification, are permitted provided that the following conditions
35 * are met:
36 * 1. Redistributions of source code must retain the above copyright
37 * notice, this list of conditions and the following disclaimer.
38 * 2. Redistributions in binary form must reproduce the above copyright
39 * notice, this list of conditions and the following disclaimer in the
40 * documentation and/or other materials provided with the distribution.
41 * 3. Neither the name of the project nor the names of its contributors
42 * may be used to endorse or promote products derived from this software
43 * without specific prior written permission.
44 *
45 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
46 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
47 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
48 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
49 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
50 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
51 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
53 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
54 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
55 * SUCH DAMAGE.
56 */
57
58 #include <sys/param.h>
59 #include <sys/systm.h>
60 #include <sys/malloc.h>
61 #include <sys/mbuf.h>
62 #include <sys/socket.h>
63 #include <sys/sockio.h>
64 #include <sys/time.h>
65 #include <sys/kernel.h>
66 #include <sys/errno.h>
67 #include <sys/syslog.h>
68 #include <sys/sysctl.h>
69 #include <sys/mcache.h>
70 #include <sys/protosw.h>
71 #include <kern/queue.h>
72 #include <dev/random/randomdev.h>
73
74 #include <kern/locks.h>
75 #include <kern/zalloc.h>
76
77 #include <net/if.h>
78 #include <net/if_var.h>
79 #include <net/if_types.h>
80 #include <net/if_dl.h>
81 #include <net/if_llreach.h>
82 #include <net/route.h>
83 #include <net/dlil.h>
84 #include <net/nwk_wq.h>
85
86 #include <netinet/in.h>
87 #include <netinet/in_var.h>
88 #include <netinet6/in6_var.h>
89 #include <netinet6/in6_ifattach.h>
90 #include <netinet/ip6.h>
91 #include <netinet6/ip6_var.h>
92 #include <netinet6/nd6.h>
93 #include <netinet6/scope6_var.h>
94 #include <netinet/icmp6.h>
95
96 #if IPSEC
97 #include <netinet6/ipsec.h>
98 #if INET6
99 #include <netinet6/ipsec6.h>
100 #endif
101 #endif
102
103 struct dadq;
104 static struct dadq *nd6_dad_find(struct ifaddr *, struct nd_opt_nonce *);
105 void nd6_dad_stoptimer(struct ifaddr *);
106 static void nd6_dad_timer(struct ifaddr *);
107 static void nd6_dad_ns_output(struct dadq *, struct ifaddr *);
108 static void nd6_dad_ns_input(struct ifaddr *, char *, int, struct nd_opt_nonce *);
109 static struct mbuf *nd6_dad_na_input(struct mbuf *, struct ifnet *,
110 struct in6_addr *, caddr_t, int);
111 static void dad_addref(struct dadq *, int);
112 static void dad_remref(struct dadq *);
113 static struct dadq *nd6_dad_attach(struct dadq *, struct ifaddr *);
114 static void nd6_dad_detach(struct dadq *, struct ifaddr *);
115
116 static int dad_maxtry = 15; /* max # of *tries* to transmit DAD packet */
117
118 static unsigned int dad_size; /* size of zone element */
119 static struct zone *dad_zone; /* zone for dadq */
120
121 #define DAD_ZONE_MAX 64 /* maximum elements in zone */
122 #define DAD_ZONE_NAME "nd6_dad" /* zone name */
123
124 #define DAD_LOCK_ASSERT_HELD(_dp) \
125 LCK_MTX_ASSERT(&(_dp)->dad_lock, LCK_MTX_ASSERT_OWNED)
126
127 #define DAD_LOCK_ASSERT_NOTHELD(_dp) \
128 LCK_MTX_ASSERT(&(_dp)->dad_lock, LCK_MTX_ASSERT_NOTOWNED)
129
130 #define DAD_LOCK(_dp) \
131 lck_mtx_lock(&(_dp)->dad_lock)
132
133 #define DAD_LOCK_SPIN(_dp) \
134 lck_mtx_lock_spin(&(_dp)->dad_lock)
135
136 #define DAD_CONVERT_LOCK(_dp) do { \
137 DAD_LOCK_ASSERT_HELD(_dp); \
138 lck_mtx_convert_spin(&(_dp)->dad_lock); \
139 } while (0)
140
141 #define DAD_UNLOCK(_dp) \
142 lck_mtx_unlock(&(_dp)->dad_lock)
143
144 #define DAD_ADDREF(_dp) \
145 dad_addref(_dp, 0)
146
147 #define DAD_ADDREF_LOCKED(_dp) \
148 dad_addref(_dp, 1)
149
150 #define DAD_REMREF(_dp) \
151 dad_remref(_dp)
152
153 extern lck_mtx_t *dad6_mutex;
154 extern lck_mtx_t *nd6_mutex;
155
156 static int nd6_llreach_base = 30; /* seconds */
157
158 static struct sockaddr_in6 hostrtmask;
159
160 SYSCTL_DECL(_net_inet6_icmp6);
161 SYSCTL_INT(_net_inet6_icmp6, OID_AUTO, nd6_llreach_base,
162 CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_llreach_base, 0,
163 "default ND6 link-layer reachability max lifetime (in seconds)");
164
165 int dad_enhanced = 1;
166 SYSCTL_DECL(_net_inet6_ip6);
167 SYSCTL_INT(_net_inet6_ip6, OID_AUTO, dad_enhanced, CTLFLAG_RW | CTLFLAG_LOCKED,
168 &dad_enhanced, 0,
169 "Enable Enhanced DAD, which adds a random nonce to NS messages for DAD.");
170
171 /*
172 * Obtain a link-layer source cache entry for the sender.
173 *
174 * NOTE: This is currently only for ND6/Ethernet.
175 */
176 void
177 nd6_llreach_alloc(struct rtentry *rt, struct ifnet *ifp, void *addr,
178 unsigned int alen, boolean_t solicited)
179 {
180 struct llinfo_nd6 *ln = rt->rt_llinfo;
181
182 if (nd6_llreach_base != 0 &&
183 (ln->ln_expire != 0 || (ifp->if_eflags & IFEF_IPV6_ND6ALT) != 0) &&
184 !(rt->rt_ifp->if_flags & IFF_LOOPBACK) &&
185 ifp->if_addrlen == IF_LLREACH_MAXLEN && /* Ethernet */
186 alen == ifp->if_addrlen) {
187 struct if_llreach *lr;
188 const char *why = NULL, *type = "";
189
190 /* Become a regular mutex, just in case */
191 RT_CONVERT_LOCK(rt);
192
193 if ((lr = ln->ln_llreach) != NULL) {
194 type = (solicited ? "ND6 advertisement" :
195 "ND6 unsolicited announcement");
196 /*
197 * If target has changed, create a new record;
198 * otherwise keep existing record.
199 */
200 IFLR_LOCK(lr);
201 if (bcmp(addr, lr->lr_key.addr, alen) != 0) {
202 IFLR_UNLOCK(lr);
203 /* Purge any link-layer info caching */
204 VERIFY(rt->rt_llinfo_purge != NULL);
205 rt->rt_llinfo_purge(rt);
206 lr = NULL;
207 why = " for different target HW address; "
208 "using new llreach record";
209 } else {
210 lr->lr_probes = 0; /* reset probe count */
211 IFLR_UNLOCK(lr);
212 if (solicited) {
213 why = " for same target HW address; "
214 "keeping existing llreach record";
215 }
216 }
217 }
218
219 if (lr == NULL) {
220 lr = ln->ln_llreach = ifnet_llreach_alloc(ifp,
221 ETHERTYPE_IPV6, addr, alen, nd6_llreach_base);
222 if (lr != NULL) {
223 lr->lr_probes = 0; /* reset probe count */
224 if (why == NULL) {
225 why = "creating new llreach record";
226 }
227 }
228 }
229
230 if (nd6_debug && lr != NULL && why != NULL) {
231 char tmp[MAX_IPv6_STR_LEN];
232
233 nd6log(debug, "%s: %s%s for %s\n", if_name(ifp),
234 type, why, inet_ntop(AF_INET6,
235 &SIN6(rt_key(rt))->sin6_addr, tmp, sizeof(tmp)));
236 }
237 }
238 }
239
240 void
241 nd6_llreach_use(struct llinfo_nd6 *ln)
242 {
243 if (ln->ln_llreach != NULL) {
244 ln->ln_lastused = net_uptime();
245 }
246 }
247
248 /*
249 * Input a Neighbor Solicitation Message.
250 *
251 * Based on RFC 4861
252 * Based on RFC 4862 (duplicate address detection)
253 */
254 void
255 nd6_ns_input(
256 struct mbuf *m,
257 int off,
258 int icmp6len)
259 {
260 struct ifnet *ifp = m->m_pkthdr.rcvif;
261 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
262 struct nd_neighbor_solicit *nd_ns;
263 struct in6_addr saddr6 = ip6->ip6_src;
264 struct in6_addr daddr6 = ip6->ip6_dst;
265 struct in6_addr taddr6;
266 struct in6_addr myaddr6;
267 char *lladdr = NULL;
268 struct ifaddr *ifa = NULL;
269 int lladdrlen = 0;
270 int anycast = 0, proxy = 0, dadprogress = 0;
271 int tlladdr;
272 union nd_opts ndopts;
273 struct sockaddr_dl proxydl;
274 boolean_t advrouter;
275 boolean_t is_dad_probe;
276 int oflgclr = 0;
277
278 /* Expect 32-bit aligned data pointer on strict-align platforms */
279 MBUF_STRICT_DATA_ALIGNMENT_CHECK_32(m);
280
281 IP6_EXTHDR_CHECK(m, off, icmp6len, return );
282 nd_ns = (struct nd_neighbor_solicit *)((caddr_t)ip6 + off);
283 m->m_pkthdr.pkt_flags |= PKTF_INET6_RESOLVE;
284
285 ip6 = mtod(m, struct ip6_hdr *); /* adjust pointer for safety */
286 taddr6 = nd_ns->nd_ns_target;
287 if (in6_setscope(&taddr6, ifp, NULL) != 0) {
288 goto bad;
289 }
290
291 if (ip6->ip6_hlim != IPV6_MAXHLIM) {
292 nd6log(error,
293 "nd6_ns_input: invalid hlim (%d) from %s to %s on %s\n",
294 ip6->ip6_hlim, ip6_sprintf(&ip6->ip6_src),
295 ip6_sprintf(&ip6->ip6_dst), if_name(ifp));
296 goto bad;
297 }
298
299 is_dad_probe = IN6_IS_ADDR_UNSPECIFIED(&saddr6);
300 if (is_dad_probe) {
301 /* dst has to be a solicited node multicast address. */
302 if (daddr6.s6_addr16[0] == IPV6_ADDR_INT16_MLL &&
303 /* don't check ifindex portion */
304 daddr6.s6_addr32[1] == 0 &&
305 daddr6.s6_addr32[2] == IPV6_ADDR_INT32_ONE &&
306 daddr6.s6_addr8[12] == 0xff) {
307 ; /* good */
308 } else {
309 nd6log(info, "nd6_ns_input: bad DAD packet "
310 "(wrong ip6 dst)\n");
311 goto bad;
312 }
313 } else if (!nd6_onlink_ns_rfc4861) {
314 struct sockaddr_in6 src_sa6;
315
316 /*
317 * According to recent IETF discussions, it is not a good idea
318 * to accept a NS from an address which would not be deemed
319 * to be a neighbor otherwise. This point is expected to be
320 * clarified in future revisions of the specification.
321 */
322 bzero(&src_sa6, sizeof(src_sa6));
323 src_sa6.sin6_family = AF_INET6;
324 src_sa6.sin6_len = sizeof(src_sa6);
325 src_sa6.sin6_addr = saddr6;
326 if (!nd6_is_addr_neighbor(&src_sa6, ifp, 0)) {
327 nd6log(info, "nd6_ns_input: "
328 "NS packet from non-neighbor\n");
329 goto bad;
330 }
331 }
332
333 if (IN6_IS_ADDR_MULTICAST(&taddr6)) {
334 nd6log(info, "nd6_ns_input: bad NS target (multicast)\n");
335 goto bad;
336 }
337
338 icmp6len -= sizeof(*nd_ns);
339 nd6_option_init(nd_ns + 1, icmp6len, &ndopts);
340 if (nd6_options(&ndopts) < 0) {
341 nd6log(info,
342 "nd6_ns_input: invalid ND option, ignored\n");
343 /* nd6_options have incremented stats */
344 goto freeit;
345 }
346
347 if (ndopts.nd_opts_src_lladdr) {
348 lladdr = (char *)(ndopts.nd_opts_src_lladdr + 1);
349 lladdrlen = ndopts.nd_opts_src_lladdr->nd_opt_len << 3;
350 }
351
352 if (is_dad_probe && lladdr) {
353 nd6log(info, "nd6_ns_input: bad DAD packet "
354 "(link-layer address option)\n");
355 goto bad;
356 }
357
358 /*
359 * Attaching target link-layer address to the NA?
360 * (RFC 2461 7.2.4)
361 *
362 * NS IP dst is unicast/anycast MUST NOT add
363 * NS IP dst is solicited-node multicast MUST add
364 *
365 * In implementation, we add target link-layer address by default.
366 * We do not add one in MUST NOT cases.
367 */
368 if (!IN6_IS_ADDR_MULTICAST(&daddr6)) {
369 tlladdr = 0;
370 } else {
371 tlladdr = 1;
372 }
373
374 /*
375 * Target address (taddr6) must be either:
376 * (1) Valid unicast/anycast address for my receiving interface,
377 * (2) Unicast address for which I'm offering proxy service, or
378 * (3) "tentative" or "optimistic" address [DAD is in progress].
379 */
380 /* (1) and (3) check. */
381 ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp, &taddr6);
382
383 /* (2) check. */
384 if (ifa == NULL) {
385 struct rtentry *rt;
386 struct sockaddr_in6 tsin6;
387
388 bzero(&tsin6, sizeof tsin6);
389 tsin6.sin6_len = sizeof(struct sockaddr_in6);
390 tsin6.sin6_family = AF_INET6;
391 tsin6.sin6_addr = taddr6;
392
393 rt = rtalloc1_scoped((struct sockaddr *)&tsin6, 0, 0,
394 ifp->if_index);
395
396 if (rt != NULL) {
397 RT_LOCK(rt);
398 if ((rt->rt_flags & RTF_ANNOUNCE) != 0 &&
399 rt->rt_gateway->sa_family == AF_LINK) {
400 /*
401 * proxy NDP for single entry
402 */
403 ifa = (struct ifaddr *)in6ifa_ifpforlinklocal(
404 ifp, IN6_IFF_NOTREADY | IN6_IFF_ANYCAST);
405 if (ifa) {
406 proxy = 1;
407 proxydl = *SDL(rt->rt_gateway);
408 }
409 }
410 RT_UNLOCK(rt);
411 rtfree(rt);
412 }
413 }
414 if (ifa == NULL && ip6_forwarding && nd6_prproxy) {
415 /*
416 * Is the target address part of the prefix that is being
417 * proxied and installed on another interface?
418 */
419 ifa = (struct ifaddr *)in6ifa_prproxyaddr(&taddr6);
420 }
421 if (ifa == NULL) {
422 /*
423 * We've got an NS packet, and we don't have that address
424 * assigned for us. We MUST silently ignore it on this
425 * interface, c.f. RFC 4861 7.2.3.
426 *
427 * Forwarding associated with NDPRF_PRPROXY may apply.
428 */
429 if (ip6_forwarding && nd6_prproxy) {
430 nd6_prproxy_ns_input(ifp, &saddr6, lladdr,
431 lladdrlen, &daddr6, &taddr6,
432 (ndopts.nd_opts_nonce == NULL) ? NULL :
433 ndopts.nd_opts_nonce->nd_opt_nonce);
434 }
435 goto freeit;
436 }
437 IFA_LOCK(ifa);
438 myaddr6 = *IFA_IN6(ifa);
439 anycast = ((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_ANYCAST;
440 dadprogress =
441 ((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_DADPROGRESS;
442 if (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_DUPLICATED) {
443 IFA_UNLOCK(ifa);
444 goto freeit;
445 }
446 IFA_UNLOCK(ifa);
447
448 if (lladdr && ((ifp->if_addrlen + 2 + 7) & ~7) != lladdrlen) {
449 nd6log(info,
450 "nd6_ns_input: lladdrlen mismatch for %s "
451 "(if %d, NS packet %d)\n",
452 ip6_sprintf(&taddr6), ifp->if_addrlen, lladdrlen - 2);
453 goto bad;
454 }
455
456 if (IN6_ARE_ADDR_EQUAL(&myaddr6, &saddr6)) {
457 nd6log(info,
458 "nd6_ns_input: duplicate IP6 address %s\n",
459 ip6_sprintf(&saddr6));
460 goto freeit;
461 }
462
463 /*
464 * We have neighbor solicitation packet, with target address equals to
465 * one of my DAD in-progress addresses.
466 *
467 * src addr how to process?
468 * --- ---
469 * multicast of course, invalid (rejected in ip6_input)
470 * unicast somebody is doing address resolution
471 * unspec dup address detection
472 *
473 * The processing is defined in the "draft standard" RFC 4862 (and by
474 * RFC 4429, which is a "proposed standard" update to its obsolete
475 * predecessor, RFC 2462) The reason optimistic DAD is not included
476 * in RFC 4862 is entirely due to IETF procedural considerations.
477 */
478 if (dadprogress) {
479 /*
480 * If source address is unspecified address, it is for
481 * duplicate address detection.
482 *
483 * If not, the packet is for addess resolution;
484 * silently ignore it when not optimistic
485 *
486 * Per RFC 4429 the reply for an optimistic address must
487 * have the Override flag cleared
488 */
489 if (!is_dad_probe && (dadprogress & IN6_IFF_OPTIMISTIC) != 0) {
490 oflgclr = 1;
491 } else {
492 if (is_dad_probe) {
493 nd6_dad_ns_input(ifa, lladdr, lladdrlen, ndopts.nd_opts_nonce);
494 }
495
496 goto freeit;
497 }
498 }
499
500 /* Are we an advertising router on this interface? */
501 advrouter = (ifp->if_eflags & IFEF_IPV6_ROUTER);
502
503 /*
504 * If the source address is unspecified address, entries must not
505 * be created or updated.
506 * It looks that sender is performing DAD. If I'm using the address,
507 * and it's a "preferred" address, i.e. not optimistic, then output NA
508 * toward all-node multicast address, to tell the sender that I'm using
509 * the address.
510 * S bit ("solicited") must be zero.
511 */
512 if (is_dad_probe) {
513 saddr6 = in6addr_linklocal_allnodes;
514 if (in6_setscope(&saddr6, ifp, NULL) != 0) {
515 goto bad;
516 }
517 if ((dadprogress & IN6_IFF_OPTIMISTIC) == 0) {
518 nd6_na_output(ifp, &saddr6, &taddr6,
519 ((anycast || proxy || !tlladdr) ? 0 :
520 ND_NA_FLAG_OVERRIDE) | (advrouter ?
521 ND_NA_FLAG_ROUTER : 0), tlladdr, proxy ?
522 (struct sockaddr *)&proxydl : NULL);
523 }
524 goto freeit;
525 }
526
527 nd6_cache_lladdr(ifp, &saddr6, lladdr, lladdrlen,
528 ND_NEIGHBOR_SOLICIT, 0);
529
530 nd6_na_output(ifp, &saddr6, &taddr6,
531 ((anycast || proxy || !tlladdr || oflgclr) ? 0 : ND_NA_FLAG_OVERRIDE) |
532 (advrouter ? ND_NA_FLAG_ROUTER : 0) | ND_NA_FLAG_SOLICITED,
533 tlladdr, proxy ? (struct sockaddr *)&proxydl : NULL);
534 freeit:
535 m_freem(m);
536 if (ifa != NULL) {
537 IFA_REMREF(ifa);
538 }
539 return;
540
541 bad:
542 nd6log(error, "nd6_ns_input: src=%s\n", ip6_sprintf(&saddr6));
543 nd6log(error, "nd6_ns_input: dst=%s\n", ip6_sprintf(&daddr6));
544 nd6log(error, "nd6_ns_input: tgt=%s\n", ip6_sprintf(&taddr6));
545 icmp6stat.icp6s_badns++;
546 m_freem(m);
547 if (ifa != NULL) {
548 IFA_REMREF(ifa);
549 }
550 }
551
552 /*
553 * Output a Neighbor Solicitation Message. Caller specifies:
554 * - ICMP6 header source IP6 address
555 * - ND6 header target IP6 address
556 * - ND6 header source datalink address
557 *
558 * Based on RFC 4861
559 * Based on RFC 4862 (duplicate address detection)
560 * Based on RFC 4429 (optimistic duplicate address detection)
561 *
562 * Caller must bump up ln->ln_rt refcnt to make sure 'ln' doesn't go
563 * away if there is a llinfo_nd6 passed in.
564 */
565 void
566 nd6_ns_output(
567 struct ifnet *ifp,
568 const struct in6_addr *daddr6,
569 const struct in6_addr *taddr6,
570 struct llinfo_nd6 *ln, /* for source address determination */
571 uint8_t *nonce) /* duplicated address detection */
572 {
573 struct mbuf *m;
574 struct ip6_hdr *ip6;
575 struct nd_neighbor_solicit *nd_ns;
576 struct in6_ifaddr *ia = NULL;
577 struct in6_addr *src, src_in, src_storage;
578 struct ip6_moptions *im6o = NULL;
579 struct ifnet *outif = NULL;
580 int icmp6len;
581 int maxlen;
582 int flags;
583 caddr_t mac;
584 struct route_in6 ro;
585 struct ip6_out_args ip6oa;
586 u_int32_t rtflags = 0;
587
588 if ((ifp->if_eflags & IFEF_IPV6_ND6ALT) || IN6_IS_ADDR_MULTICAST(taddr6)) {
589 return;
590 }
591
592 bzero(&ro, sizeof(ro));
593 bzero(&ip6oa, sizeof(ip6oa));
594 ip6oa.ip6oa_boundif = ifp->if_index;
595 ip6oa.ip6oa_flags = IP6OAF_SELECT_SRCIF | IP6OAF_BOUND_SRCADDR |
596 IP6OAF_AWDL_UNRESTRICTED | IP6OAF_INTCOPROC_ALLOWED;
597 ip6oa.ip6oa_sotc = SO_TC_UNSPEC;
598 ip6oa.ip6oa_netsvctype = _NET_SERVICE_TYPE_UNSPEC;
599
600 ip6oa.ip6oa_flags |= IP6OAF_BOUND_IF;
601
602 /* estimate the size of message */
603 maxlen = sizeof(*ip6) + sizeof(*nd_ns);
604 maxlen += (sizeof(struct nd_opt_hdr) + ifp->if_addrlen + 7) & ~7;
605 if (max_linkhdr + maxlen >= MCLBYTES) {
606 #if DIAGNOSTIC
607 printf("nd6_ns_output: max_linkhdr + maxlen >= MCLBYTES "
608 "(%d + %d > %d)\n", max_linkhdr, maxlen, MCLBYTES);
609 #endif
610 return;
611 }
612
613 MGETHDR(m, M_DONTWAIT, MT_DATA); /* XXXMAC: mac_create_mbuf_linklayer() probably */
614 if (m && max_linkhdr + maxlen >= MHLEN) {
615 MCLGET(m, M_DONTWAIT);
616 if ((m->m_flags & M_EXT) == 0) {
617 m_free(m);
618 m = NULL;
619 }
620 }
621 if (m == NULL) {
622 return;
623 }
624 m->m_pkthdr.rcvif = NULL;
625
626 if (daddr6 == NULL || IN6_IS_ADDR_MULTICAST(daddr6)) {
627 m->m_flags |= M_MCAST;
628
629 im6o = ip6_allocmoptions(M_DONTWAIT);
630 if (im6o == NULL) {
631 m_freem(m);
632 return;
633 }
634
635 im6o->im6o_multicast_ifp = ifp;
636 im6o->im6o_multicast_hlim = IPV6_MAXHLIM;
637 im6o->im6o_multicast_loop = 0;
638 }
639
640 icmp6len = sizeof(*nd_ns);
641 m->m_pkthdr.len = m->m_len = sizeof(*ip6) + icmp6len;
642 m->m_data += max_linkhdr; /* or MH_ALIGN() equivalent? */
643
644 /* fill neighbor solicitation packet */
645 ip6 = mtod(m, struct ip6_hdr *);
646 ip6->ip6_flow = 0;
647 ip6->ip6_vfc &= ~IPV6_VERSION_MASK;
648 ip6->ip6_vfc |= IPV6_VERSION;
649 /* ip6->ip6_plen will be set later */
650 ip6->ip6_nxt = IPPROTO_ICMPV6;
651 ip6->ip6_hlim = IPV6_MAXHLIM;
652 if (daddr6) {
653 ip6->ip6_dst = *daddr6;
654 } else {
655 ip6->ip6_dst.s6_addr16[0] = IPV6_ADDR_INT16_MLL;
656 ip6->ip6_dst.s6_addr16[1] = 0;
657 ip6->ip6_dst.s6_addr32[1] = 0;
658 ip6->ip6_dst.s6_addr32[2] = IPV6_ADDR_INT32_ONE;
659 ip6->ip6_dst.s6_addr32[3] = taddr6->s6_addr32[3];
660 ip6->ip6_dst.s6_addr8[12] = 0xff;
661 if (in6_setscope(&ip6->ip6_dst, ifp, NULL) != 0) {
662 goto bad;
663 }
664 }
665 if (nonce == NULL) {
666 /*
667 * RFC2461 7.2.2:
668 * "If the source address of the packet prompting the
669 * solicitation is the same as one of the addresses assigned
670 * to the outgoing interface, that address SHOULD be placed
671 * in the IP Source Address of the outgoing solicitation.
672 * Otherwise, any one of the addresses assigned to the
673 * interface should be used."
674 *
675 * We use the source address for the prompting packet
676 * (saddr6), if:
677 * - saddr6 is given from the caller (by giving "ln"), and
678 * - saddr6 belongs to the outgoing interface.
679 * Otherwise, we perform the source address selection as usual.
680 */
681 struct ip6_hdr *hip6; /* hold ip6 */
682 struct in6_addr *hsrc = NULL;
683
684 /* Caller holds ref on this route */
685 if (ln != NULL) {
686 RT_LOCK(ln->ln_rt);
687 /*
688 * assuming every packet in ln_hold has the same IP
689 * header
690 */
691 if (ln->ln_hold != NULL) {
692 hip6 = mtod(ln->ln_hold, struct ip6_hdr *);
693 /* XXX pullup? */
694 if (sizeof(*hip6) < ln->ln_hold->m_len) {
695 hsrc = &hip6->ip6_src;
696 } else {
697 hsrc = NULL;
698 }
699 }
700 /* Update probe count, if applicable */
701 if (ln->ln_llreach != NULL) {
702 IFLR_LOCK_SPIN(ln->ln_llreach);
703 ln->ln_llreach->lr_probes++;
704 IFLR_UNLOCK(ln->ln_llreach);
705 }
706 rtflags = ln->ln_rt->rt_flags;
707 RT_UNLOCK(ln->ln_rt);
708 }
709 if (hsrc != NULL && (ia = in6ifa_ifpwithaddr(ifp, hsrc)) &&
710 (ia->ia6_flags & IN6_IFF_OPTIMISTIC) == 0) {
711 src = hsrc;
712 } else {
713 int error;
714 struct sockaddr_in6 dst_sa;
715
716 bzero(&dst_sa, sizeof(dst_sa));
717 dst_sa.sin6_family = AF_INET6;
718 dst_sa.sin6_len = sizeof(dst_sa);
719 dst_sa.sin6_addr = ip6->ip6_dst;
720
721 src = in6_selectsrc(&dst_sa, NULL,
722 NULL, &ro, NULL, &src_storage, ip6oa.ip6oa_boundif,
723 &error);
724 if (src == NULL) {
725 nd6log(debug,
726 "nd6_ns_output: source can't be "
727 "determined: dst=%s, error=%d\n",
728 ip6_sprintf(&dst_sa.sin6_addr),
729 error);
730 goto bad;
731 }
732
733 if (ia != NULL) {
734 IFA_REMREF(&ia->ia_ifa);
735 ia = NULL;
736 }
737 /*
738 * RFC 4429 section 3.2:
739 * When a node has a unicast packet to send
740 * from an Optimistic Address to a neighbor,
741 * but does not know the neighbor's link-layer
742 * address, it MUST NOT perform Address
743 * Resolution.
744 */
745 ia = in6ifa_ifpwithaddr(ifp, src);
746 if (!ia || (ia->ia6_flags & IN6_IFF_OPTIMISTIC)) {
747 nd6log(debug,
748 "nd6_ns_output: no preferred source "
749 "available: dst=%s\n",
750 ip6_sprintf(&dst_sa.sin6_addr));
751 goto bad;
752 }
753 }
754 } else {
755 /*
756 * Source address for DAD packet must always be IPv6
757 * unspecified address. (0::0)
758 * We actually don't have to 0-clear the address (we did it
759 * above), but we do so here explicitly to make the intention
760 * clearer.
761 */
762 bzero(&src_in, sizeof(src_in));
763 src = &src_in;
764 ip6oa.ip6oa_flags &= ~IP6OAF_BOUND_SRCADDR;
765 }
766 ip6->ip6_src = *src;
767 nd_ns = (struct nd_neighbor_solicit *)(ip6 + 1);
768 nd_ns->nd_ns_type = ND_NEIGHBOR_SOLICIT;
769 nd_ns->nd_ns_code = 0;
770 nd_ns->nd_ns_reserved = 0;
771 nd_ns->nd_ns_target = *taddr6;
772 in6_clearscope(&nd_ns->nd_ns_target); /* XXX */
773
774 /*
775 * Add source link-layer address option.
776 *
777 * spec implementation
778 * --- ---
779 * DAD packet MUST NOT do not add the option
780 * there's no link layer address:
781 * impossible do not add the option
782 * there's link layer address:
783 * Multicast NS MUST add one add the option
784 * Unicast NS SHOULD add one add the option
785 */
786 if (nonce == NULL && (mac = nd6_ifptomac(ifp))) {
787 int optlen = sizeof(struct nd_opt_hdr) + ifp->if_addrlen;
788 struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_ns + 1);
789 /* 8 byte alignments... */
790 optlen = (optlen + 7) & ~7;
791
792 m->m_pkthdr.len += optlen;
793 m->m_len += optlen;
794 icmp6len += optlen;
795 bzero((caddr_t)nd_opt, optlen);
796 nd_opt->nd_opt_type = ND_OPT_SOURCE_LINKADDR;
797 nd_opt->nd_opt_len = optlen >> 3;
798 bcopy(mac, (caddr_t)(nd_opt + 1), ifp->if_addrlen);
799 }
800 /*
801 * Add a Nonce option (RFC 3971) to detect looped back NS messages.
802 * This behavior is documented as Enhanced Duplicate Address
803 * Detection in draft-ietf-6man-enhanced-dad-13.
804 * net.inet6.ip6.dad_enhanced=0 disables this.
805 */
806 if (dad_enhanced != 0 && nonce != NULL && !(ifp->if_flags & IFF_POINTOPOINT)) {
807 int optlen = sizeof(struct nd_opt_hdr) + ND_OPT_NONCE_LEN;
808 struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_ns + 1);
809 /* 8-byte alignment is required. */
810 optlen = (optlen + 7) & ~7;
811
812 m->m_pkthdr.len += optlen;
813 m->m_len += optlen;
814 icmp6len += optlen;
815 bzero((caddr_t)nd_opt, optlen);
816 nd_opt->nd_opt_type = ND_OPT_NONCE;
817 nd_opt->nd_opt_len = optlen >> 3;
818 bcopy(nonce, (caddr_t)(nd_opt + 1), ND_OPT_NONCE_LEN);
819 }
820 ip6->ip6_plen = htons((u_short)icmp6len);
821 nd_ns->nd_ns_cksum = 0;
822 nd_ns->nd_ns_cksum
823 = in6_cksum(m, IPPROTO_ICMPV6, sizeof(*ip6), icmp6len);
824
825 flags = nonce ? IPV6_UNSPECSRC : 0;
826 flags |= IPV6_OUTARGS;
827
828 /*
829 * PKTF_{INET,INET6}_RESOLVE_RTR are mutually exclusive, so make
830 * sure only one of them is set (just in case.)
831 */
832 m->m_pkthdr.pkt_flags &= ~(PKTF_INET_RESOLVE | PKTF_RESOLVE_RTR);
833 m->m_pkthdr.pkt_flags |= PKTF_INET6_RESOLVE;
834 /*
835 * If this is a NS for resolving the (default) router, mark
836 * the packet accordingly so that the driver can find out,
837 * in case it needs to perform driver-specific action(s).
838 */
839 if (rtflags & RTF_ROUTER) {
840 m->m_pkthdr.pkt_flags |= PKTF_RESOLVE_RTR;
841 }
842
843 if (ifp->if_eflags & IFEF_TXSTART) {
844 /*
845 * Use control service class if the interface
846 * supports transmit-start model
847 */
848 (void) m_set_service_class(m, MBUF_SC_CTL);
849 }
850
851 ip6oa.ip6oa_flags |= IP6OAF_SKIP_PF;
852 ip6_output(m, NULL, NULL, flags, im6o, &outif, &ip6oa);
853 if (outif) {
854 icmp6_ifstat_inc(outif, ifs6_out_msg);
855 icmp6_ifstat_inc(outif, ifs6_out_neighborsolicit);
856 ifnet_release(outif);
857 }
858 icmp6stat.icp6s_outhist[ND_NEIGHBOR_SOLICIT]++;
859
860 exit:
861 if (im6o != NULL) {
862 IM6O_REMREF(im6o);
863 }
864
865 ROUTE_RELEASE(&ro); /* we don't cache this route. */
866
867 if (ia != NULL) {
868 IFA_REMREF(&ia->ia_ifa);
869 }
870 return;
871
872 bad:
873 m_freem(m);
874 goto exit;
875 }
876
877 /*
878 * Neighbor advertisement input handling.
879 *
880 * Based on RFC 4861
881 * Based on RFC 4862 (duplicate address detection)
882 *
883 * the following items are not implemented yet:
884 * - anycast advertisement delay rule (RFC 4861 7.2.7, SHOULD)
885 * - proxy advertisement delay rule (RFC 4861 7.2.8, last paragraph, "should")
886 */
887 void
888 nd6_na_input(struct mbuf *m, int off, int icmp6len)
889 {
890 struct ifnet *ifp = m->m_pkthdr.rcvif;
891 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
892 struct nd_neighbor_advert *nd_na;
893 struct in6_addr saddr6 = ip6->ip6_src;
894 struct in6_addr daddr6 = ip6->ip6_dst;
895 struct in6_addr taddr6;
896 int flags;
897 int is_router;
898 int is_solicited;
899 int is_override;
900 char *lladdr = NULL;
901 int lladdrlen = 0;
902 struct llinfo_nd6 *ln;
903 struct rtentry *rt;
904 struct sockaddr_dl *sdl;
905 union nd_opts ndopts;
906 uint64_t timenow;
907 bool send_nc_alive_kev = false;
908
909 if ((ifp->if_eflags & IFEF_IPV6_ND6ALT) != 0) {
910 nd6log(info, "nd6_na_input: on ND6ALT interface!\n");
911 goto freeit;
912 }
913
914 /* Expect 32-bit aligned data pointer on strict-align platforms */
915 MBUF_STRICT_DATA_ALIGNMENT_CHECK_32(m);
916
917 if (ip6->ip6_hlim != IPV6_MAXHLIM) {
918 nd6log(error,
919 "nd6_na_input: invalid hlim (%d) from %s to %s on %s\n",
920 ip6->ip6_hlim, ip6_sprintf(&ip6->ip6_src),
921 ip6_sprintf(&ip6->ip6_dst), if_name(ifp));
922 goto bad;
923 }
924
925 IP6_EXTHDR_CHECK(m, off, icmp6len, return );
926 nd_na = (struct nd_neighbor_advert *)((caddr_t)ip6 + off);
927 m->m_pkthdr.pkt_flags |= PKTF_INET6_RESOLVE;
928
929 flags = nd_na->nd_na_flags_reserved;
930 is_router = ((flags & ND_NA_FLAG_ROUTER) != 0);
931 is_solicited = ((flags & ND_NA_FLAG_SOLICITED) != 0);
932 is_override = ((flags & ND_NA_FLAG_OVERRIDE) != 0);
933
934 taddr6 = nd_na->nd_na_target;
935 if (in6_setscope(&taddr6, ifp, NULL)) {
936 goto bad; /* XXX: impossible */
937 }
938 if (IN6_IS_ADDR_MULTICAST(&taddr6)) {
939 nd6log(error,
940 "nd6_na_input: invalid target address %s\n",
941 ip6_sprintf(&taddr6));
942 goto bad;
943 }
944 if (IN6_IS_ADDR_MULTICAST(&daddr6)) {
945 if (is_solicited) {
946 nd6log(error,
947 "nd6_na_input: a solicited adv is multicasted\n");
948 goto bad;
949 }
950 }
951
952 icmp6len -= sizeof(*nd_na);
953 nd6_option_init(nd_na + 1, icmp6len, &ndopts);
954 if (nd6_options(&ndopts) < 0) {
955 nd6log(info,
956 "nd6_na_input: invalid ND option, ignored\n");
957 /* nd6_options have incremented stats */
958 goto freeit;
959 }
960
961 if (ndopts.nd_opts_tgt_lladdr) {
962 lladdr = (char *)(ndopts.nd_opts_tgt_lladdr + 1);
963 lladdrlen = ndopts.nd_opts_tgt_lladdr->nd_opt_len << 3;
964
965 if (((ifp->if_addrlen + 2 + 7) & ~7) != lladdrlen) {
966 nd6log(info,
967 "nd6_na_input: lladdrlen mismatch for %s "
968 "(if %d, NA packet %d)\n",
969 ip6_sprintf(&taddr6), ifp->if_addrlen,
970 lladdrlen - 2);
971 goto bad;
972 }
973 }
974
975 m = nd6_dad_na_input(m, ifp, &taddr6, lladdr, lladdrlen);
976 if (m == NULL) {
977 return;
978 }
979
980 /* Forwarding associated with NDPRF_PRPROXY may apply. */
981 if (ip6_forwarding && nd6_prproxy) {
982 nd6_prproxy_na_input(ifp, &saddr6, &daddr6, &taddr6, flags);
983 }
984
985 /*
986 * If no neighbor cache entry is found, NA SHOULD silently be
987 * discarded. If we are forwarding (and Scoped Routing is in
988 * effect), try to see if there is a neighbor cache entry on
989 * another interface (in case we are doing prefix proxying.)
990 */
991 if ((rt = nd6_lookup(&taddr6, 0, ifp, 0)) == NULL) {
992 if (!ip6_forwarding || !nd6_prproxy) {
993 goto freeit;
994 }
995
996 if ((rt = nd6_lookup(&taddr6, 0, NULL, 0)) == NULL) {
997 goto freeit;
998 }
999
1000 RT_LOCK_ASSERT_HELD(rt);
1001 if (rt->rt_ifp != ifp) {
1002 /*
1003 * Purge any link-layer info caching.
1004 */
1005 if (rt->rt_llinfo_purge != NULL) {
1006 rt->rt_llinfo_purge(rt);
1007 }
1008
1009 /* Adjust route ref count for the interfaces */
1010 if (rt->rt_if_ref_fn != NULL) {
1011 rt->rt_if_ref_fn(ifp, 1);
1012 rt->rt_if_ref_fn(rt->rt_ifp, -1);
1013 }
1014
1015 /* Change the interface when the existing route is on */
1016 rt->rt_ifp = ifp;
1017
1018 /*
1019 * If rmx_mtu is not locked, update it
1020 * to the MTU used by the new interface.
1021 */
1022 if (!(rt->rt_rmx.rmx_locks & RTV_MTU)) {
1023 rt->rt_rmx.rmx_mtu = rt->rt_ifp->if_mtu;
1024 }
1025 }
1026 }
1027
1028 RT_LOCK_ASSERT_HELD(rt);
1029 if ((ln = rt->rt_llinfo) == NULL ||
1030 (sdl = SDL(rt->rt_gateway)) == NULL) {
1031 RT_REMREF_LOCKED(rt);
1032 RT_UNLOCK(rt);
1033 goto freeit;
1034 }
1035
1036 timenow = net_uptime();
1037
1038 if (ln->ln_state == ND6_LLINFO_INCOMPLETE) {
1039 /*
1040 * If the link-layer has address, and no lladdr option came,
1041 * discard the packet.
1042 */
1043 if (ifp->if_addrlen && !lladdr) {
1044 RT_REMREF_LOCKED(rt);
1045 RT_UNLOCK(rt);
1046 goto freeit;
1047 }
1048
1049 /*
1050 * Record link-layer address, and update the state.
1051 */
1052 sdl->sdl_alen = ifp->if_addrlen;
1053 bcopy(lladdr, LLADDR(sdl), ifp->if_addrlen);
1054 if (is_solicited) {
1055 send_nc_alive_kev = (rt->rt_flags & RTF_ROUTER) ? true : false;
1056 ND6_CACHE_STATE_TRANSITION(ln, ND6_LLINFO_REACHABLE);
1057 if (ln->ln_expire != 0) {
1058 struct nd_ifinfo *ndi = NULL;
1059
1060 ndi = ND_IFINFO(rt->rt_ifp);
1061 VERIFY(ndi != NULL && ndi->initialized);
1062 lck_mtx_lock(&ndi->lock);
1063 ln_setexpire(ln, timenow + ndi->reachable);
1064 lck_mtx_unlock(&ndi->lock);
1065 RT_UNLOCK(rt);
1066 lck_mtx_lock(rnh_lock);
1067 nd6_sched_timeout(NULL, NULL);
1068 lck_mtx_unlock(rnh_lock);
1069 RT_LOCK(rt);
1070 }
1071 } else {
1072 ND6_CACHE_STATE_TRANSITION(ln, ND6_LLINFO_STALE);
1073 ln_setexpire(ln, timenow + nd6_gctimer);
1074 }
1075
1076
1077 /*
1078 * Enqueue work item to invoke callback for this
1079 * route entry
1080 */
1081 route_event_enqueue_nwk_wq_entry(rt, NULL,
1082 ROUTE_LLENTRY_RESOLVED, NULL, TRUE);
1083
1084 if ((ln->ln_router = is_router) != 0) {
1085 struct radix_node_head *rnh = NULL;
1086 struct route_event rt_ev;
1087 route_event_init(&rt_ev, rt, NULL, ROUTE_LLENTRY_RESOLVED);
1088 /*
1089 * This means a router's state has changed from
1090 * non-reachable to probably reachable, and might
1091 * affect the status of associated prefixes..
1092 * We already have a reference on rt. Don't need to
1093 * take one for the unlock/lock.
1094 */
1095 RT_UNLOCK(rt);
1096 lck_mtx_lock(rnh_lock);
1097 rnh = rt_tables[AF_INET6];
1098
1099 if (rnh != NULL) {
1100 (void) rnh->rnh_walktree(rnh, route_event_walktree,
1101 (void *)&rt_ev);
1102 }
1103 lck_mtx_unlock(rnh_lock);
1104 lck_mtx_lock(nd6_mutex);
1105 pfxlist_onlink_check();
1106 lck_mtx_unlock(nd6_mutex);
1107 RT_LOCK(rt);
1108 }
1109 } else {
1110 int llchange = 0;
1111
1112 /*
1113 * Check if the link-layer address has changed or not.
1114 */
1115 if (lladdr == NULL) {
1116 llchange = 0;
1117 } else {
1118 if (sdl->sdl_alen) {
1119 if (bcmp(lladdr, LLADDR(sdl), ifp->if_addrlen)) {
1120 llchange = 1;
1121 } else {
1122 llchange = 0;
1123 }
1124 } else {
1125 llchange = 1;
1126 }
1127 }
1128
1129 /*
1130 * This is VERY complex. Look at it with care.
1131 *
1132 * override solicit lladdr llchange action
1133 * (L: record lladdr)
1134 *
1135 * 0 0 n -- (2c)
1136 * 0 0 y n (2b) L
1137 * 0 0 y y (1) REACHABLE->STALE
1138 * 0 1 n -- (2c) *->REACHABLE
1139 * 0 1 y n (2b) L *->REACHABLE
1140 * 0 1 y y (1) REACHABLE->STALE
1141 * 1 0 n -- (2a)
1142 * 1 0 y n (2a) L
1143 * 1 0 y y (2a) L *->STALE
1144 * 1 1 n -- (2a) *->REACHABLE
1145 * 1 1 y n (2a) L *->REACHABLE
1146 * 1 1 y y (2a) L *->REACHABLE
1147 */
1148 if (!is_override && (lladdr != NULL && llchange)) { /* (1) */
1149 /*
1150 * If state is REACHABLE, make it STALE.
1151 * no other updates should be done.
1152 */
1153 if (ln->ln_state == ND6_LLINFO_REACHABLE) {
1154 ND6_CACHE_STATE_TRANSITION(ln, ND6_LLINFO_STALE);
1155 ln_setexpire(ln, timenow + nd6_gctimer);
1156 }
1157 RT_REMREF_LOCKED(rt);
1158 RT_UNLOCK(rt);
1159 goto freeit;
1160 } else if (is_override /* (2a) */
1161 || (!is_override && (lladdr && !llchange)) /* (2b) */
1162 || !lladdr) { /* (2c) */
1163 /*
1164 * Update link-local address, if any.
1165 */
1166 if (lladdr) {
1167 sdl->sdl_alen = ifp->if_addrlen;
1168 bcopy(lladdr, LLADDR(sdl), ifp->if_addrlen);
1169 }
1170
1171 /*
1172 * If solicited, make the state REACHABLE.
1173 * If not solicited and the link-layer address was
1174 * changed, make it STALE.
1175 */
1176 if (is_solicited) {
1177 ND6_CACHE_STATE_TRANSITION(ln, ND6_LLINFO_REACHABLE);
1178 if (ln->ln_expire != 0) {
1179 struct nd_ifinfo *ndi = NULL;
1180
1181 ndi = ND_IFINFO(ifp);
1182 VERIFY(ndi != NULL && ndi->initialized);
1183 lck_mtx_lock(&ndi->lock);
1184 ln_setexpire(ln,
1185 timenow + ndi->reachable);
1186 lck_mtx_unlock(&ndi->lock);
1187 RT_UNLOCK(rt);
1188 lck_mtx_lock(rnh_lock);
1189 nd6_sched_timeout(NULL, NULL);
1190 lck_mtx_unlock(rnh_lock);
1191 RT_LOCK(rt);
1192 }
1193 } else {
1194 if (lladdr && llchange) {
1195 ND6_CACHE_STATE_TRANSITION(ln, ND6_LLINFO_STALE);
1196 ln_setexpire(ln, timenow + nd6_gctimer);
1197 }
1198 }
1199
1200 /*
1201 * XXX
1202 * The above is somewhat convoluted, for now just
1203 * issue a callback for LLENTRY changed.
1204 */
1205 /* Enqueue work item to invoke callback for this route entry */
1206 if (llchange) {
1207 route_event_enqueue_nwk_wq_entry(rt, NULL,
1208 ROUTE_LLENTRY_CHANGED, NULL, TRUE);
1209 }
1210
1211 /*
1212 * If the router's link-layer address has changed,
1213 * notify routes using this as gateway so they can
1214 * update any cached information.
1215 */
1216 if (ln->ln_router && is_router && llchange) {
1217 struct radix_node_head *rnh = NULL;
1218 struct route_event rt_ev;
1219 route_event_init(&rt_ev, rt, NULL, ROUTE_LLENTRY_CHANGED);
1220 /*
1221 * This means a router's state has changed from
1222 * non-reachable to probably reachable, and might
1223 * affect the status of associated prefixes..
1224 *
1225 * We already have a valid rt reference here.
1226 * We don't need to take another one for unlock/lock.
1227 */
1228 RT_UNLOCK(rt);
1229 lck_mtx_lock(rnh_lock);
1230 rnh = rt_tables[AF_INET6];
1231
1232 if (rnh != NULL) {
1233 (void) rnh->rnh_walktree(rnh, route_event_walktree,
1234 (void *)&rt_ev);
1235 }
1236 lck_mtx_unlock(rnh_lock);
1237 RT_LOCK(rt);
1238 }
1239 }
1240
1241 if (ln->ln_router && !is_router) {
1242 /*
1243 * The peer dropped the router flag.
1244 * Remove the sender from the Default Router List and
1245 * update the Destination Cache entries.
1246 */
1247 struct nd_defrouter *dr;
1248 struct in6_addr *in6;
1249 struct ifnet *rt_ifp = rt->rt_ifp;
1250
1251 in6 = &((struct sockaddr_in6 *)
1252 (void *)rt_key(rt))->sin6_addr;
1253
1254 RT_UNLOCK(rt);
1255 lck_mtx_lock(nd6_mutex);
1256 dr = defrouter_lookup(in6, rt_ifp);
1257 if (dr) {
1258 TAILQ_REMOVE(&nd_defrouter, dr, dr_entry);
1259 defrtrlist_del(dr);
1260 NDDR_REMREF(dr); /* remove list reference */
1261 NDDR_REMREF(dr);
1262 lck_mtx_unlock(nd6_mutex);
1263 } else {
1264 lck_mtx_unlock(nd6_mutex);
1265 /*
1266 * Even if the neighbor is not in the
1267 * default router list, the neighbor
1268 * may be used as a next hop for some
1269 * destinations (e.g. redirect case).
1270 * So we must call rt6_flush explicitly.
1271 */
1272 rt6_flush(&ip6->ip6_src, rt_ifp);
1273 }
1274 RT_LOCK(rt);
1275 }
1276 ln->ln_router = is_router;
1277 }
1278
1279 if (send_nc_alive_kev && (ifp->if_addrlen == IF_LLREACH_MAXLEN)) {
1280 struct kev_msg ev_msg;
1281 struct kev_nd6_ndalive nd6_ndalive;
1282 bzero(&ev_msg, sizeof(ev_msg));
1283 bzero(&nd6_ndalive, sizeof(nd6_ndalive));
1284 ev_msg.vendor_code = KEV_VENDOR_APPLE;
1285 ev_msg.kev_class = KEV_NETWORK_CLASS;
1286 ev_msg.kev_subclass = KEV_ND6_SUBCLASS;
1287 ev_msg.event_code = KEV_ND6_NDALIVE;
1288
1289 nd6_ndalive.link_data.if_family = ifp->if_family;
1290 nd6_ndalive.link_data.if_unit = ifp->if_unit;
1291 strlcpy(nd6_ndalive.link_data.if_name,
1292 ifp->if_name,
1293 sizeof(nd6_ndalive.link_data.if_name));
1294 ev_msg.dv[0].data_ptr = &nd6_ndalive;
1295 ev_msg.dv[0].data_length =
1296 sizeof(nd6_ndalive);
1297 dlil_post_complete_msg(NULL, &ev_msg);
1298 }
1299
1300 RT_LOCK_ASSERT_HELD(rt);
1301 rt->rt_flags &= ~RTF_REJECT;
1302
1303 /* cache the gateway (sender HW) address */
1304 nd6_llreach_alloc(rt, ifp, LLADDR(sdl), sdl->sdl_alen, TRUE);
1305
1306 /* update the llinfo, send a queued packet if there is one */
1307 ln->ln_asked = 0;
1308 if (ln->ln_hold != NULL) {
1309 struct mbuf *m_hold, *m_hold_next;
1310 struct sockaddr_in6 sin6;
1311
1312 rtkey_to_sa6(rt, &sin6);
1313 /*
1314 * reset the ln_hold in advance, to explicitly
1315 * prevent a ln_hold lookup in nd6_output()
1316 * (wouldn't happen, though...)
1317 */
1318 m_hold = ln->ln_hold;
1319 ln->ln_hold = NULL;
1320 for (; m_hold; m_hold = m_hold_next) {
1321 m_hold_next = m_hold->m_nextpkt;
1322 m_hold->m_nextpkt = NULL;
1323 /*
1324 * we assume ifp is not a loopback here, so just set
1325 * the 2nd argument as the 1st one.
1326 */
1327 RT_UNLOCK(rt);
1328 nd6_output(ifp, ifp, m_hold, &sin6, rt, NULL);
1329 RT_LOCK_SPIN(rt);
1330 }
1331 }
1332 RT_REMREF_LOCKED(rt);
1333 RT_UNLOCK(rt);
1334 m_freem(m);
1335 return;
1336
1337 bad:
1338 icmp6stat.icp6s_badna++;
1339 /* fall through */
1340 freeit:
1341 m_freem(m);
1342 return;
1343 }
1344
1345 /*
1346 * Neighbor advertisement output handling.
1347 *
1348 * Based on RFC 2461
1349 *
1350 * the following items are not implemented yet:
1351 * - proxy advertisement delay rule (RFC2461 7.2.8, last paragraph, SHOULD)
1352 * - anycast advertisement delay rule (RFC2461 7.2.7, SHOULD)
1353 *
1354 * tlladdr - 1 if include target link-layer address
1355 * sdl0 - sockaddr_dl (= proxy NA) or NULL
1356 */
1357 void
1358 nd6_na_output(
1359 struct ifnet *ifp,
1360 const struct in6_addr *daddr6_0,
1361 const struct in6_addr *taddr6,
1362 uint32_t flags,
1363 int tlladdr, /* 1 if include target link-layer address */
1364 struct sockaddr *sdl0) /* sockaddr_dl (= proxy NA) or NULL */
1365 {
1366 struct mbuf *m;
1367 struct ip6_hdr *ip6;
1368 struct nd_neighbor_advert *nd_na;
1369 struct ip6_moptions *im6o = NULL;
1370 caddr_t mac = NULL;
1371 struct route_in6 ro;
1372 struct in6_addr *src, src_storage, daddr6;
1373 struct in6_ifaddr *ia;
1374 struct sockaddr_in6 dst_sa;
1375 int icmp6len, maxlen, error;
1376 struct ifnet *outif = NULL;
1377
1378 struct ip6_out_args ip6oa;
1379 bzero(&ro, sizeof(ro));
1380
1381 daddr6 = *daddr6_0; /* make a local copy for modification */
1382
1383 bzero(&ip6oa, sizeof(ip6oa));
1384 ip6oa.ip6oa_boundif = ifp->if_index;
1385 ip6oa.ip6oa_flags = IP6OAF_SELECT_SRCIF | IP6OAF_BOUND_SRCADDR |
1386 IP6OAF_AWDL_UNRESTRICTED | IP6OAF_INTCOPROC_ALLOWED;
1387 ip6oa.ip6oa_sotc = SO_TC_UNSPEC;
1388 ip6oa.ip6oa_netsvctype = _NET_SERVICE_TYPE_UNSPEC;
1389
1390 ip6oa.ip6oa_flags |= IP6OAF_BOUND_IF;
1391
1392 /* estimate the size of message */
1393 maxlen = sizeof(*ip6) + sizeof(*nd_na);
1394 maxlen += (sizeof(struct nd_opt_hdr) + ifp->if_addrlen + 7) & ~7;
1395 if (max_linkhdr + maxlen >= MCLBYTES) {
1396 #if DIAGNOSTIC
1397 printf("nd6_na_output: max_linkhdr + maxlen >= MCLBYTES "
1398 "(%d + %d > %d)\n", max_linkhdr, maxlen, MCLBYTES);
1399 #endif
1400 return;
1401 }
1402
1403 MGETHDR(m, M_DONTWAIT, MT_DATA); /* XXXMAC: mac_create_mbuf_linklayer() probably */
1404 if (m && max_linkhdr + maxlen >= MHLEN) {
1405 MCLGET(m, M_DONTWAIT);
1406 if ((m->m_flags & M_EXT) == 0) {
1407 m_free(m);
1408 m = NULL;
1409 }
1410 }
1411 if (m == NULL) {
1412 return;
1413 }
1414 m->m_pkthdr.rcvif = NULL;
1415
1416 if (IN6_IS_ADDR_MULTICAST(&daddr6)) {
1417 m->m_flags |= M_MCAST;
1418
1419 im6o = ip6_allocmoptions(M_DONTWAIT);
1420 if (im6o == NULL) {
1421 m_freem(m);
1422 return;
1423 }
1424
1425 im6o->im6o_multicast_ifp = ifp;
1426 im6o->im6o_multicast_hlim = IPV6_MAXHLIM;
1427 im6o->im6o_multicast_loop = 0;
1428 }
1429
1430 icmp6len = sizeof(*nd_na);
1431 m->m_pkthdr.len = m->m_len = sizeof(struct ip6_hdr) + icmp6len;
1432 m->m_data += max_linkhdr; /* or MH_ALIGN() equivalent? */
1433
1434 /* fill neighbor advertisement packet */
1435 ip6 = mtod(m, struct ip6_hdr *);
1436 ip6->ip6_flow = 0;
1437 ip6->ip6_vfc &= ~IPV6_VERSION_MASK;
1438 ip6->ip6_vfc |= IPV6_VERSION;
1439 ip6->ip6_nxt = IPPROTO_ICMPV6;
1440 ip6->ip6_hlim = IPV6_MAXHLIM;
1441 if (IN6_IS_ADDR_UNSPECIFIED(&daddr6)) {
1442 /* reply to DAD */
1443 daddr6.s6_addr16[0] = IPV6_ADDR_INT16_MLL;
1444 daddr6.s6_addr16[1] = 0;
1445 daddr6.s6_addr32[1] = 0;
1446 daddr6.s6_addr32[2] = 0;
1447 daddr6.s6_addr32[3] = IPV6_ADDR_INT32_ONE;
1448 if (in6_setscope(&daddr6, ifp, NULL)) {
1449 goto bad;
1450 }
1451
1452 flags &= ~ND_NA_FLAG_SOLICITED;
1453 } else {
1454 ip6->ip6_dst = daddr6;
1455 }
1456
1457 bzero(&dst_sa, sizeof(struct sockaddr_in6));
1458 dst_sa.sin6_family = AF_INET6;
1459 dst_sa.sin6_len = sizeof(struct sockaddr_in6);
1460 dst_sa.sin6_addr = daddr6;
1461
1462 /*
1463 * Select a source whose scope is the same as that of the dest.
1464 */
1465 bcopy(&dst_sa, &ro.ro_dst, sizeof(dst_sa));
1466 src = in6_selectsrc(&dst_sa, NULL, NULL, &ro, NULL, &src_storage,
1467 ip6oa.ip6oa_boundif, &error);
1468 if (src == NULL) {
1469 nd6log(debug, "nd6_na_output: source can't be "
1470 "determined: dst=%s, error=%d\n",
1471 ip6_sprintf(&dst_sa.sin6_addr), error);
1472 goto bad;
1473 }
1474 ip6->ip6_src = *src;
1475
1476 /*
1477 * RFC 4429 requires not setting "override" flag on NA packets sent
1478 * from optimistic addresses.
1479 */
1480 ia = in6ifa_ifpwithaddr(ifp, src);
1481 if (ia != NULL) {
1482 if (ia->ia6_flags & IN6_IFF_OPTIMISTIC) {
1483 flags &= ~ND_NA_FLAG_OVERRIDE;
1484 }
1485 IFA_REMREF(&ia->ia_ifa);
1486 }
1487
1488 nd_na = (struct nd_neighbor_advert *)(ip6 + 1);
1489 nd_na->nd_na_type = ND_NEIGHBOR_ADVERT;
1490 nd_na->nd_na_code = 0;
1491 nd_na->nd_na_target = *taddr6;
1492 in6_clearscope(&nd_na->nd_na_target); /* XXX */
1493
1494 /*
1495 * "tlladdr" indicates NS's condition for adding tlladdr or not.
1496 * see nd6_ns_input() for details.
1497 * Basically, if NS packet is sent to unicast/anycast addr,
1498 * target lladdr option SHOULD NOT be included.
1499 */
1500 if (tlladdr) {
1501 /*
1502 * sdl0 != NULL indicates proxy NA. If we do proxy, use
1503 * lladdr in sdl0. If we are not proxying (sending NA for
1504 * my address) use lladdr configured for the interface.
1505 */
1506 if (sdl0 == NULL) {
1507 mac = nd6_ifptomac(ifp);
1508 } else if (sdl0->sa_family == AF_LINK) {
1509 struct sockaddr_dl *sdl;
1510 sdl = (struct sockaddr_dl *)(void *)sdl0;
1511 if (sdl->sdl_alen == ifp->if_addrlen) {
1512 mac = LLADDR(sdl);
1513 }
1514 }
1515 }
1516 if (tlladdr && mac) {
1517 int optlen = sizeof(struct nd_opt_hdr) + ifp->if_addrlen;
1518 struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_na + 1);
1519
1520 /* roundup to 8 bytes alignment! */
1521 optlen = (optlen + 7) & ~7;
1522
1523 m->m_pkthdr.len += optlen;
1524 m->m_len += optlen;
1525 icmp6len += optlen;
1526 bzero((caddr_t)nd_opt, optlen);
1527 nd_opt->nd_opt_type = ND_OPT_TARGET_LINKADDR;
1528 nd_opt->nd_opt_len = optlen >> 3;
1529 bcopy(mac, (caddr_t)(nd_opt + 1), ifp->if_addrlen);
1530 } else {
1531 flags &= ~ND_NA_FLAG_OVERRIDE;
1532 }
1533
1534 ip6->ip6_plen = htons((u_short)icmp6len);
1535 nd_na->nd_na_flags_reserved = flags;
1536 nd_na->nd_na_cksum = 0;
1537 nd_na->nd_na_cksum =
1538 in6_cksum(m, IPPROTO_ICMPV6, sizeof(struct ip6_hdr), icmp6len);
1539
1540 m->m_pkthdr.pkt_flags |= PKTF_INET6_RESOLVE;
1541
1542 if (ifp->if_eflags & IFEF_TXSTART) {
1543 /* Use control service class if the interface supports
1544 * transmit-start model.
1545 */
1546 (void) m_set_service_class(m, MBUF_SC_CTL);
1547 }
1548
1549 ip6oa.ip6oa_flags |= IP6OAF_SKIP_PF;
1550 ip6_output(m, NULL, NULL, IPV6_OUTARGS, im6o, &outif, &ip6oa);
1551 if (outif) {
1552 icmp6_ifstat_inc(outif, ifs6_out_msg);
1553 icmp6_ifstat_inc(outif, ifs6_out_neighboradvert);
1554 ifnet_release(outif);
1555 }
1556 icmp6stat.icp6s_outhist[ND_NEIGHBOR_ADVERT]++;
1557
1558 exit:
1559 if (im6o != NULL) {
1560 IM6O_REMREF(im6o);
1561 }
1562
1563 ROUTE_RELEASE(&ro);
1564 return;
1565
1566 bad:
1567 m_freem(m);
1568 goto exit;
1569 }
1570
1571 caddr_t
1572 nd6_ifptomac(
1573 struct ifnet *ifp)
1574 {
1575 switch (ifp->if_type) {
1576 case IFT_ARCNET:
1577 case IFT_ETHER:
1578 case IFT_IEEE8023ADLAG:
1579 case IFT_FDDI:
1580 case IFT_IEEE1394:
1581 #ifdef IFT_L2VLAN
1582 case IFT_L2VLAN:
1583 #endif
1584 #ifdef IFT_IEEE80211
1585 case IFT_IEEE80211:
1586 #endif
1587 #ifdef IFT_CARP
1588 case IFT_CARP:
1589 #endif
1590 case IFT_BRIDGE:
1591 case IFT_ISO88025:
1592 case IFT_6LOWPAN:
1593 return (caddr_t)IF_LLADDR(ifp);
1594 default:
1595 return NULL;
1596 }
1597 }
1598
1599 TAILQ_HEAD(dadq_head, dadq);
1600 struct dadq {
1601 decl_lck_mtx_data(, dad_lock);
1602 u_int32_t dad_refcount; /* reference count */
1603 int dad_attached;
1604 TAILQ_ENTRY(dadq) dad_list;
1605 struct ifaddr *dad_ifa;
1606 int dad_count; /* max NS to send */
1607 int dad_ns_tcount; /* # of trials to send NS */
1608 int dad_ns_ocount; /* NS sent so far */
1609 int dad_ns_icount;
1610 int dad_na_icount;
1611 int dad_ns_lcount; /* looped back NS */
1612 int dad_loopbackprobe; /* probing state for loopback detection */
1613 uint8_t dad_lladdr[ETHER_ADDR_LEN];
1614 uint8_t dad_lladdrlen;
1615 #define ND_OPT_NONCE_LEN32 \
1616 ((ND_OPT_NONCE_LEN + sizeof(uint32_t) - 1)/sizeof(uint32_t))
1617 uint32_t dad_nonce[ND_OPT_NONCE_LEN32];
1618 };
1619
1620 static struct dadq_head dadq;
1621
1622 void
1623 nd6_nbr_init(void)
1624 {
1625 int i;
1626
1627 TAILQ_INIT(&dadq);
1628
1629 dad_size = sizeof(struct dadq);
1630 dad_zone = zinit(dad_size, DAD_ZONE_MAX * dad_size, 0, DAD_ZONE_NAME);
1631 if (dad_zone == NULL) {
1632 panic("%s: failed allocating %s", __func__, DAD_ZONE_NAME);
1633 /* NOTREACHED */
1634 }
1635 zone_change(dad_zone, Z_EXPAND, TRUE);
1636 zone_change(dad_zone, Z_CALLERACCT, FALSE);
1637
1638 bzero(&hostrtmask, sizeof hostrtmask);
1639 hostrtmask.sin6_family = AF_INET6;
1640 hostrtmask.sin6_len = sizeof hostrtmask;
1641 for (i = 0; i < sizeof hostrtmask.sin6_addr; ++i) {
1642 hostrtmask.sin6_addr.s6_addr[i] = 0xff;
1643 }
1644 }
1645
1646 static struct dadq *
1647 nd6_dad_find(struct ifaddr *ifa, struct nd_opt_nonce *nonce)
1648 {
1649 struct dadq *dp;
1650
1651 lck_mtx_lock(dad6_mutex);
1652 for (dp = dadq.tqh_first; dp; dp = dp->dad_list.tqe_next) {
1653 DAD_LOCK_SPIN(dp);
1654 if (dp->dad_ifa != ifa) {
1655 DAD_UNLOCK(dp);
1656 continue;
1657 }
1658
1659 /*
1660 * Skip if the nonce matches the received one.
1661 * +2 in the length is required because of type and
1662 * length fields are included in a header.
1663 */
1664 if (nonce != NULL &&
1665 nonce->nd_opt_nonce_len == (ND_OPT_NONCE_LEN + 2) / 8 &&
1666 memcmp(&nonce->nd_opt_nonce[0], &dp->dad_nonce[0],
1667 ND_OPT_NONCE_LEN) == 0) {
1668 nd6log(error, "%s: a looped back NS message is "
1669 "detected during DAD for %s. Ignoring.\n",
1670 if_name(ifa->ifa_ifp),
1671 ip6_sprintf(IFA_IN6(ifa)));
1672 dp->dad_ns_lcount++;
1673 ++ip6stat.ip6s_dad_loopcount;
1674 DAD_UNLOCK(dp);
1675 continue;
1676 }
1677
1678 DAD_ADDREF_LOCKED(dp);
1679 DAD_UNLOCK(dp);
1680 break;
1681 }
1682 lck_mtx_unlock(dad6_mutex);
1683 return dp;
1684 }
1685
1686 void
1687 nd6_dad_stoptimer(
1688 struct ifaddr *ifa)
1689 {
1690 untimeout((void (*)(void *))nd6_dad_timer, (void *)ifa);
1691 }
1692
1693 /*
1694 * Start Duplicate Address Detection (DAD) for specified interface address.
1695 */
1696 void
1697 nd6_dad_start(
1698 struct ifaddr *ifa,
1699 int *tick_delay) /* minimum delay ticks for IFF_UP event */
1700 {
1701 struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
1702 struct dadq *dp;
1703
1704 nd6log2(debug, "%s - %s ifp %s ia6_flags 0x%x\n",
1705 __func__,
1706 ip6_sprintf(&ia->ia_addr.sin6_addr),
1707 if_name(ia->ia_ifp),
1708 ia->ia6_flags);
1709
1710 /*
1711 * If we don't need DAD, don't do it.
1712 * There are several cases:
1713 * - DAD is disabled (ip6_dad_count == 0)
1714 * - the interface address is anycast
1715 */
1716 IFA_LOCK(&ia->ia_ifa);
1717 if (!(ia->ia6_flags & IN6_IFF_DADPROGRESS)) {
1718 nd6log0(debug,
1719 "nd6_dad_start: not a tentative or optimistic address "
1720 "%s(%s)\n",
1721 ip6_sprintf(&ia->ia_addr.sin6_addr),
1722 ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???");
1723 IFA_UNLOCK(&ia->ia_ifa);
1724 return;
1725 }
1726 if (!ip6_dad_count || (ia->ia6_flags & IN6_IFF_ANYCAST) != 0) {
1727 ia->ia6_flags &= ~IN6_IFF_DADPROGRESS;
1728 IFA_UNLOCK(&ia->ia_ifa);
1729 return;
1730 }
1731 IFA_UNLOCK(&ia->ia_ifa);
1732 if (ifa->ifa_ifp == NULL) {
1733 panic("nd6_dad_start: ifa->ifa_ifp == NULL");
1734 }
1735 if (!(ifa->ifa_ifp->if_flags & IFF_UP) ||
1736 (ifa->ifa_ifp->if_eflags & IFEF_IPV6_ND6ALT)) {
1737 return;
1738 }
1739 if ((dp = nd6_dad_find(ifa, NULL)) != NULL) {
1740 DAD_REMREF(dp);
1741 /* DAD already in progress */
1742 return;
1743 }
1744
1745 dp = zalloc(dad_zone);
1746 if (dp == NULL) {
1747 nd6log0(error, "nd6_dad_start: memory allocation failed for %s(%s)\n",
1748 ip6_sprintf(&ia->ia_addr.sin6_addr),
1749 ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???");
1750 return;
1751 }
1752 bzero(dp, dad_size);
1753 lck_mtx_init(&dp->dad_lock, ifa_mtx_grp, ifa_mtx_attr);
1754
1755 /* Callee adds one reference for us */
1756 dp = nd6_dad_attach(dp, ifa);
1757
1758 nd6log0(debug, "%s: starting %sDAD %sfor %s\n",
1759 if_name(ifa->ifa_ifp),
1760 (ia->ia6_flags & IN6_IFF_OPTIMISTIC) ? "optimistic " : "",
1761 (tick_delay == NULL) ? "immediately " : "",
1762 ip6_sprintf(&ia->ia_addr.sin6_addr));
1763
1764 /*
1765 * Send NS packet for DAD, ip6_dad_count times.
1766 * Note that we must delay the first transmission, if this is the
1767 * first packet to be sent from the interface after interface
1768 * (re)initialization.
1769 */
1770 if (tick_delay == NULL) {
1771 u_int32_t retrans;
1772 struct nd_ifinfo *ndi = NULL;
1773
1774 nd6_dad_ns_output(dp, ifa);
1775 ndi = ND_IFINFO(ifa->ifa_ifp);
1776 VERIFY(ndi != NULL && ndi->initialized);
1777 lck_mtx_lock(&ndi->lock);
1778 retrans = ndi->retrans * hz / 1000;
1779 lck_mtx_unlock(&ndi->lock);
1780 timeout((void (*)(void *))nd6_dad_timer, (void *)ifa, retrans);
1781 } else {
1782 int ntick;
1783
1784 if (*tick_delay == 0) {
1785 ntick = random() % (MAX_RTR_SOLICITATION_DELAY * hz);
1786 } else {
1787 ntick = *tick_delay + random() % (hz / 2);
1788 }
1789 *tick_delay = ntick;
1790 timeout((void (*)(void *))nd6_dad_timer, (void *)ifa,
1791 ntick);
1792 }
1793
1794 DAD_REMREF(dp); /* drop our reference */
1795 }
1796
1797 static struct dadq *
1798 nd6_dad_attach(struct dadq *dp, struct ifaddr *ifa)
1799 {
1800 lck_mtx_lock(dad6_mutex);
1801 DAD_LOCK(dp);
1802 dp->dad_ifa = ifa;
1803 IFA_ADDREF(ifa); /* for dad_ifa */
1804 dp->dad_count = ip6_dad_count;
1805 dp->dad_ns_icount = dp->dad_na_icount = 0;
1806 dp->dad_ns_ocount = dp->dad_ns_tcount = 0;
1807 dp->dad_ns_lcount = dp->dad_loopbackprobe = 0;
1808 VERIFY(!dp->dad_attached);
1809 dp->dad_attached = 1;
1810 dp->dad_lladdrlen = 0;
1811 DAD_ADDREF_LOCKED(dp); /* for caller */
1812 DAD_ADDREF_LOCKED(dp); /* for dadq_head list */
1813 TAILQ_INSERT_TAIL(&dadq, (struct dadq *)dp, dad_list);
1814 DAD_UNLOCK(dp);
1815 lck_mtx_unlock(dad6_mutex);
1816
1817 return dp;
1818 }
1819
1820 static void
1821 nd6_dad_detach(struct dadq *dp, struct ifaddr *ifa)
1822 {
1823 int detached;
1824
1825 lck_mtx_lock(dad6_mutex);
1826 DAD_LOCK(dp);
1827 if ((detached = dp->dad_attached)) {
1828 VERIFY(dp->dad_ifa == ifa);
1829 TAILQ_REMOVE(&dadq, (struct dadq *)dp, dad_list);
1830 dp->dad_list.tqe_next = NULL;
1831 dp->dad_list.tqe_prev = NULL;
1832 dp->dad_attached = 0;
1833 }
1834 DAD_UNLOCK(dp);
1835 lck_mtx_unlock(dad6_mutex);
1836 if (detached) {
1837 DAD_REMREF(dp); /* drop dadq_head reference */
1838 }
1839 }
1840
1841 /*
1842 * terminate DAD unconditionally. used for address removals.
1843 */
1844 void
1845 nd6_dad_stop(struct ifaddr *ifa)
1846 {
1847 struct dadq *dp;
1848
1849 dp = nd6_dad_find(ifa, NULL);
1850 if (!dp) {
1851 /* DAD wasn't started yet */
1852 return;
1853 }
1854
1855 untimeout((void (*)(void *))nd6_dad_timer, (void *)ifa);
1856
1857 nd6_dad_detach(dp, ifa);
1858 DAD_REMREF(dp); /* drop our reference */
1859 }
1860
1861 static void
1862 nd6_unsol_na_output(struct ifaddr *ifa)
1863 {
1864 struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
1865 struct ifnet *ifp = ifa->ifa_ifp;
1866 struct in6_addr saddr6, taddr6;
1867
1868 if ((ifp->if_flags & IFF_UP) == 0 ||
1869 (ifp->if_flags & IFF_RUNNING) == 0 ||
1870 (ifp->if_eflags & IFEF_IPV6_ND6ALT) != 0) {
1871 return;
1872 }
1873
1874 IFA_LOCK_SPIN(&ia->ia_ifa);
1875 taddr6 = ia->ia_addr.sin6_addr;
1876 IFA_UNLOCK(&ia->ia_ifa);
1877 if (in6_setscope(&taddr6, ifp, NULL) != 0) {
1878 return;
1879 }
1880 saddr6 = in6addr_linklocal_allnodes;
1881 if (in6_setscope(&saddr6, ifp, NULL) != 0) {
1882 return;
1883 }
1884
1885 nd6log(info, "%s: sending unsolicited NA\n",
1886 if_name(ifa->ifa_ifp));
1887
1888 nd6_na_output(ifp, &saddr6, &taddr6, ND_NA_FLAG_OVERRIDE, 1, NULL);
1889 }
1890
1891 static void
1892 nd6_dad_timer(struct ifaddr *ifa)
1893 {
1894 struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
1895 struct dadq *dp = NULL;
1896 struct nd_ifinfo *ndi = NULL;
1897 u_int32_t retrans;
1898
1899 /* Sanity check */
1900 if (ia == NULL) {
1901 nd6log0(error, "nd6_dad_timer: called with null parameter\n");
1902 goto done;
1903 }
1904
1905 nd6log2(debug, "%s - %s ifp %s ia6_flags 0x%x\n",
1906 __func__,
1907 ip6_sprintf(&ia->ia_addr.sin6_addr),
1908 if_name(ia->ia_ifp),
1909 ia->ia6_flags);
1910
1911 dp = nd6_dad_find(ifa, NULL);
1912 if (dp == NULL) {
1913 nd6log0(error, "nd6_dad_timer: DAD structure not found\n");
1914 goto done;
1915 }
1916 IFA_LOCK(&ia->ia_ifa);
1917 if (ia->ia6_flags & IN6_IFF_DUPLICATED) {
1918 nd6log0(error, "nd6_dad_timer: called with duplicated address "
1919 "%s(%s)\n",
1920 ip6_sprintf(&ia->ia_addr.sin6_addr),
1921 ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???");
1922 IFA_UNLOCK(&ia->ia_ifa);
1923 goto done;
1924 }
1925 if ((ia->ia6_flags & IN6_IFF_DADPROGRESS) == 0) {
1926 nd6log0(error, "nd6_dad_timer: not a tentative or optimistic "
1927 "address %s(%s)\n",
1928 ip6_sprintf(&ia->ia_addr.sin6_addr),
1929 ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???");
1930 IFA_UNLOCK(&ia->ia_ifa);
1931 goto done;
1932 }
1933 IFA_UNLOCK(&ia->ia_ifa);
1934
1935 /* timeouted with IFF_{RUNNING,UP} check */
1936 DAD_LOCK(dp);
1937 if (dp->dad_ns_tcount > dad_maxtry) {
1938 DAD_UNLOCK(dp);
1939 nd6log0(info, "%s: could not run DAD, driver problem?\n",
1940 if_name(ifa->ifa_ifp));
1941
1942 nd6_dad_detach(dp, ifa);
1943 goto done;
1944 }
1945
1946 /* Need more checks? */
1947 if (dp->dad_ns_ocount < dp->dad_count) {
1948 DAD_UNLOCK(dp);
1949 /*
1950 * We have more NS to go. Send NS packet for DAD.
1951 */
1952 nd6_dad_ns_output(dp, ifa);
1953 ndi = ND_IFINFO(ifa->ifa_ifp);
1954 VERIFY(ndi != NULL && ndi->initialized);
1955 lck_mtx_lock(&ndi->lock);
1956 retrans = ndi->retrans * hz / 1000;
1957 lck_mtx_unlock(&ndi->lock);
1958 timeout((void (*)(void *))nd6_dad_timer, (void *)ifa, retrans);
1959 } else {
1960 /*
1961 * We have transmitted sufficient number of DAD packets.
1962 * See what we've got.
1963 */
1964 if (dp->dad_na_icount > 0 || dp->dad_ns_icount) {
1965 /* We've seen NS or NA, means DAD has failed. */
1966 DAD_UNLOCK(dp);
1967 nd6log0(info,
1968 "%s: duplicate IPv6 address %s if:%s [timer]\n",
1969 __func__, ip6_sprintf(&ia->ia_addr.sin6_addr),
1970 if_name(ia->ia_ifp));
1971 nd6_dad_duplicated(ifa);
1972 /* (*dp) will be freed in nd6_dad_duplicated() */
1973 } else if (dad_enhanced != 0 &&
1974 dp->dad_ns_lcount > 0 &&
1975 dp->dad_ns_lcount > dp->dad_loopbackprobe) {
1976 dp->dad_loopbackprobe = dp->dad_ns_lcount;
1977 dp->dad_count =
1978 dp->dad_ns_ocount + dad_maxtry - 1;
1979 DAD_UNLOCK(dp);
1980 ndi = ND_IFINFO(ifa->ifa_ifp);
1981 VERIFY(ndi != NULL && ndi->initialized);
1982 lck_mtx_lock(&ndi->lock);
1983 retrans = ndi->retrans * hz / 1000;
1984 lck_mtx_unlock(&ndi->lock);
1985
1986 /*
1987 * Sec. 4.1 in RFC 7527 requires transmission of
1988 * additional probes until the loopback condition
1989 * becomes clear when a looped back probe is detected.
1990 */
1991 nd6log0(info,
1992 "%s: a looped back NS message is detected during DAD for %s. Another DAD probe is being sent on interface %s.\n",
1993 __func__, ip6_sprintf(&ia->ia_addr.sin6_addr),
1994 if_name(ia->ia_ifp));
1995 /*
1996 * Send an NS immediately and increase dad_count by
1997 * nd6_mmaxtries - 1.
1998 */
1999 nd6_dad_ns_output(dp, ifa);
2000 timeout((void (*)(void *))nd6_dad_timer, (void *)ifa, retrans);
2001 goto done;
2002 } else {
2003 boolean_t txunsolna;
2004 DAD_UNLOCK(dp);
2005 /*
2006 * We are done with DAD. No NA came, no NS came.
2007 * No duplicate address found.
2008 */
2009 IFA_LOCK_SPIN(&ia->ia_ifa);
2010 ia->ia6_flags &= ~IN6_IFF_DADPROGRESS;
2011 IFA_UNLOCK(&ia->ia_ifa);
2012
2013 ndi = ND_IFINFO(ifa->ifa_ifp);
2014 VERIFY(ndi != NULL && ndi->initialized);
2015 lck_mtx_lock(&ndi->lock);
2016 txunsolna = (ndi->flags & ND6_IFF_REPLICATED) != 0;
2017 lck_mtx_unlock(&ndi->lock);
2018
2019 if (txunsolna) {
2020 nd6_unsol_na_output(ifa);
2021 }
2022
2023 nd6log0(debug,
2024 "%s: DAD complete for %s - no duplicates found %s\n",
2025 if_name(ifa->ifa_ifp),
2026 ip6_sprintf(&ia->ia_addr.sin6_addr),
2027 txunsolna ? ", tx unsolicited NA with O=1" : ".");
2028
2029 if (dp->dad_ns_lcount > 0) {
2030 nd6log0(debug,
2031 "%s: DAD completed while "
2032 "a looped back NS message is detected "
2033 "during DAD for %s om interface %s\n",
2034 __func__,
2035 ip6_sprintf(&ia->ia_addr.sin6_addr),
2036 if_name(ia->ia_ifp));
2037 }
2038
2039 in6_post_msg(ia->ia_ifp, KEV_INET6_NEW_USER_ADDR, ia,
2040 dp->dad_lladdr);
2041 nd6_dad_detach(dp, ifa);
2042 }
2043 }
2044
2045 done:
2046 if (dp != NULL) {
2047 DAD_REMREF(dp); /* drop our reference */
2048 }
2049 }
2050
2051 void
2052 nd6_dad_duplicated(struct ifaddr *ifa)
2053 {
2054 struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
2055 struct dadq *dp;
2056 struct ifnet *ifp = ifa->ifa_ifp;
2057 boolean_t candisable;
2058
2059 dp = nd6_dad_find(ifa, NULL);
2060 if (dp == NULL) {
2061 log(LOG_ERR, "%s: DAD structure not found.\n", __func__);
2062 return;
2063 }
2064 IFA_LOCK(&ia->ia_ifa);
2065 DAD_LOCK(dp);
2066 nd6log(error, "%s: NS in/out/loopback=%d/%d/%d, NA in=%d\n",
2067 __func__, dp->dad_ns_icount, dp->dad_ns_ocount, dp->dad_ns_lcount,
2068 dp->dad_na_icount);
2069 candisable = FALSE;
2070
2071 if (IN6_IS_ADDR_LINKLOCAL(&ia->ia_addr.sin6_addr) &&
2072 !(ia->ia6_flags & IN6_IFF_SECURED)) {
2073 struct in6_addr in6;
2074 struct ifaddr *llifa = NULL;
2075 struct sockaddr_dl *sdl = NULL;
2076 uint8_t *lladdr = dp->dad_lladdr;
2077 uint8_t lladdrlen = dp->dad_lladdrlen;
2078
2079 /*
2080 * To avoid over-reaction, we only apply this logic when we are
2081 * very sure that hardware addresses are supposed to be unique.
2082 */
2083 switch (ifp->if_type) {
2084 case IFT_BRIDGE:
2085 case IFT_ETHER:
2086 case IFT_FDDI:
2087 case IFT_ATM:
2088 case IFT_IEEE1394:
2089 #ifdef IFT_IEEE80211
2090 case IFT_IEEE80211:
2091 #endif
2092 /*
2093 * Check if our hardware address matches the
2094 * link layer information received in the
2095 * NS/NA
2096 */
2097 llifa = ifp->if_lladdr;
2098 IFA_LOCK(llifa);
2099 sdl = (struct sockaddr_dl *)(void *)
2100 llifa->ifa_addr;
2101 if (lladdrlen == sdl->sdl_alen &&
2102 bcmp(lladdr, LLADDR(sdl), lladdrlen) == 0) {
2103 candisable = TRUE;
2104 }
2105 IFA_UNLOCK(llifa);
2106
2107 in6 = ia->ia_addr.sin6_addr;
2108 if (in6_iid_from_hw(ifp, &in6) != 0) {
2109 break;
2110 }
2111
2112 /* Refine decision about whether IPv6 can be disabled */
2113 if (candisable &&
2114 !IN6_ARE_ADDR_EQUAL(&ia->ia_addr.sin6_addr, &in6)) {
2115 /*
2116 * Apply this logic only to the embedded MAC
2117 * address form of link-local IPv6 address.
2118 */
2119 candisable = FALSE;
2120 } else if (lladdr == NULL &&
2121 IN6_ARE_ADDR_EQUAL(&ia->ia_addr.sin6_addr, &in6)) {
2122 /*
2123 * We received a NA with no target link-layer
2124 * address option. This means that someone else
2125 * has our address. Mark it as a hardware
2126 * duplicate so we disable IPv6 later on.
2127 */
2128 candisable = TRUE;
2129 }
2130 break;
2131 default:
2132 break;
2133 }
2134 }
2135 DAD_UNLOCK(dp);
2136
2137 ia->ia6_flags &= ~IN6_IFF_DADPROGRESS;
2138 ia->ia6_flags |= IN6_IFF_DUPLICATED;
2139 in6_event_enqueue_nwk_wq_entry(IN6_ADDR_MARKED_DUPLICATED,
2140 ia->ia_ifa.ifa_ifp, &ia->ia_addr.sin6_addr,
2141 0);
2142 IFA_UNLOCK(&ia->ia_ifa);
2143
2144 /* increment DAD collision counter */
2145 ++ip6stat.ip6s_dad_collide;
2146
2147 /* We are done with DAD, with duplicated address found. (failure) */
2148 untimeout((void (*)(void *))nd6_dad_timer, (void *)ifa);
2149
2150 IFA_LOCK(&ia->ia_ifa);
2151 log(LOG_ERR, "%s: DAD complete for %s - duplicate found.\n",
2152 if_name(ifp), ip6_sprintf(&ia->ia_addr.sin6_addr));
2153 IFA_UNLOCK(&ia->ia_ifa);
2154
2155 if (candisable) {
2156 struct nd_ifinfo *ndi = ND_IFINFO(ifp);
2157 log(LOG_ERR, "%s: possible hardware address duplication "
2158 "detected, disabling IPv6 for interface.\n", if_name(ifp));
2159
2160 VERIFY((NULL != ndi) && (TRUE == ndi->initialized));
2161 ndi->flags |= ND6_IFF_IFDISABLED;
2162 /* Make sure to set IFEF_IPV6_DISABLED too */
2163 nd6_if_disable(ifp, TRUE);
2164 }
2165
2166 log(LOG_ERR, "%s: manual intervention required!\n", if_name(ifp));
2167
2168 /* Send an event to the configuration agent so that the
2169 * duplicate address will be notified to the user and will
2170 * be removed.
2171 */
2172 in6_post_msg(ifp, KEV_INET6_NEW_USER_ADDR, ia, dp->dad_lladdr);
2173 nd6_dad_detach(dp, ifa);
2174 DAD_REMREF(dp); /* drop our reference */
2175 }
2176
2177 static void
2178 nd6_dad_ns_output(struct dadq *dp, struct ifaddr *ifa)
2179 {
2180 struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
2181 struct ifnet *ifp = ifa->ifa_ifp;
2182 int i = 0;
2183 struct in6_addr taddr6;
2184
2185 DAD_LOCK(dp);
2186 dp->dad_ns_tcount++;
2187 if ((ifp->if_flags & IFF_UP) == 0) {
2188 DAD_UNLOCK(dp);
2189 return;
2190 }
2191 if ((ifp->if_flags & IFF_RUNNING) == 0) {
2192 DAD_UNLOCK(dp);
2193 return;
2194 }
2195
2196 dp->dad_ns_ocount++;
2197 DAD_UNLOCK(dp);
2198 IFA_LOCK_SPIN(&ia->ia_ifa);
2199 taddr6 = ia->ia_addr.sin6_addr;
2200 IFA_UNLOCK(&ia->ia_ifa);
2201 if (dad_enhanced != 0 && !(ifp->if_flags & IFF_POINTOPOINT)) {
2202 for (i = 0; i < ND_OPT_NONCE_LEN32; i++) {
2203 dp->dad_nonce[i] = RandomULong();
2204 }
2205 /*
2206 * XXXHRS: Note that in the case that
2207 * DupAddrDetectTransmits > 1, multiple NS messages with
2208 * different nonces can be looped back in an unexpected
2209 * order. The current implementation recognizes only
2210 * the latest nonce on the sender side. Practically it
2211 * should work well in almost all cases.
2212 */
2213 }
2214 nd6_ns_output(ifp, NULL, &taddr6, NULL,
2215 (uint8_t *)&dp->dad_nonce[0]);
2216 }
2217
2218 /*
2219 * @brief Called to process DAD NS
2220 *
2221 * @param ifa is the pointer to the interface's address
2222 * @param lladdr is source link layer information
2223 * @param lladdrlen is source's linklayer length
2224 *
2225 * @return void
2226 */
2227 static void
2228 nd6_dad_ns_input(struct ifaddr *ifa, char *lladdr,
2229 int lladdrlen, struct nd_opt_nonce *ndopt_nonce)
2230 {
2231 struct dadq *dp;
2232 VERIFY(ifa != NULL);
2233
2234 /* Ignore Nonce option when Enhanced DAD is disabled. */
2235 if (dad_enhanced == 0) {
2236 ndopt_nonce = NULL;
2237 }
2238
2239 dp = nd6_dad_find(ifa, ndopt_nonce);
2240 if (dp == NULL) {
2241 return;
2242 }
2243
2244 DAD_LOCK(dp);
2245 ++dp->dad_ns_icount;
2246 if (lladdr && lladdrlen >= ETHER_ADDR_LEN) {
2247 memcpy(dp->dad_lladdr, lladdr, ETHER_ADDR_LEN);
2248 dp->dad_lladdrlen = lladdrlen;
2249 }
2250 DAD_UNLOCK(dp);
2251 DAD_REMREF(dp);
2252 }
2253
2254 /*
2255 * @brief Called to process received NA for DAD
2256 *
2257 * @param m is the pointer to the packet's mbuf
2258 * @param ifp is the pointer to the interface on which packet
2259 * was receicved.
2260 * @param taddr is pointer to target's IPv6 address
2261 * @param lladdr is target's link layer information
2262 * @param lladdrlen is target's linklayer length
2263 *
2264 * @return NULL if the packet is consumed by DAD processing, else
2265 * pointer to the mbuf.
2266 */
2267 static struct mbuf *
2268 nd6_dad_na_input(struct mbuf *m, struct ifnet *ifp, struct in6_addr *taddr,
2269 caddr_t lladdr, int lladdrlen)
2270 {
2271 struct ifaddr *ifa = NULL;
2272 struct in6_ifaddr *ia = NULL;
2273 struct dadq *dp = NULL;
2274 struct nd_ifinfo *ndi = NULL;
2275 boolean_t replicated;
2276
2277 ifa = (struct ifaddr *) in6ifa_ifpwithaddr(ifp, taddr);
2278 if (ifa == NULL) {
2279 return m;
2280 }
2281
2282 replicated = FALSE;
2283
2284 /* Get the ND6_IFF_REPLICATED flag. */
2285 ndi = ND_IFINFO(ifp);
2286 if (ndi != NULL && ndi->initialized) {
2287 lck_mtx_lock(&ndi->lock);
2288 replicated = !!(ndi->flags & ND6_IFF_REPLICATED);
2289 lck_mtx_unlock(&ndi->lock);
2290 }
2291
2292 if (replicated) {
2293 nd6log(info, "%s: ignoring duplicate NA on "
2294 "replicated interface %s\n", __func__, if_name(ifp));
2295 goto done;
2296 }
2297
2298 /* Lock the interface address until done (see label below). */
2299 IFA_LOCK(ifa);
2300 ia = (struct in6_ifaddr *) ifa;
2301
2302 if (!(ia->ia6_flags & IN6_IFF_DADPROGRESS)) {
2303 IFA_UNLOCK(ifa);
2304 nd6log(info, "%s: ignoring duplicate NA on "
2305 "%s [DAD not in progress]\n", __func__,
2306 if_name(ifp));
2307 goto done;
2308 }
2309
2310 /* Some sleep proxies improperly send the client's Ethernet address in
2311 * the target link-layer address option, so detect this by comparing
2312 * the L2-header source address, if we have seen it, with the target
2313 * address, and ignoring the NA if they don't match.
2314 */
2315 if (lladdr != NULL && lladdrlen >= ETHER_ADDR_LEN) {
2316 struct ip6aux *ip6a = ip6_findaux(m);
2317 if (ip6a && (ip6a->ip6a_flags & IP6A_HASEEN) != 0 &&
2318 bcmp(ip6a->ip6a_ehsrc, lladdr, ETHER_ADDR_LEN) != 0) {
2319 IFA_UNLOCK(ifa);
2320 nd6log(error, "%s: ignoring duplicate NA on %s "
2321 "[eh_src != tgtlladdr]\n", __func__, if_name(ifp));
2322 goto done;
2323 }
2324 }
2325
2326 IFA_UNLOCK(ifa);
2327
2328 dp = nd6_dad_find(ifa, NULL);
2329 if (dp == NULL) {
2330 nd6log(info, "%s: no DAD structure for %s on %s.\n",
2331 __func__, ip6_sprintf(taddr), if_name(ifp));
2332 goto done;
2333 }
2334
2335 DAD_LOCK_SPIN(dp);
2336 if (lladdr != NULL && lladdrlen >= ETHER_ADDR_LEN) {
2337 memcpy(dp->dad_lladdr, lladdr, ETHER_ADDR_LEN);
2338 dp->dad_lladdrlen = lladdrlen;
2339 }
2340 dp->dad_na_icount++;
2341 DAD_UNLOCK(dp);
2342 DAD_REMREF(dp);
2343
2344 /* remove the address. */
2345 nd6log(info,
2346 "%s: duplicate IPv6 address %s [processing NA on %s]\n", __func__,
2347 ip6_sprintf(taddr), if_name(ifp));
2348 done:
2349 IFA_LOCK_ASSERT_NOTHELD(ifa);
2350 IFA_REMREF(ifa);
2351 m_freem(m);
2352 return NULL;
2353 }
2354
2355 static void
2356 dad_addref(struct dadq *dp, int locked)
2357 {
2358 if (!locked) {
2359 DAD_LOCK_SPIN(dp);
2360 } else {
2361 DAD_LOCK_ASSERT_HELD(dp);
2362 }
2363
2364 if (++dp->dad_refcount == 0) {
2365 panic("%s: dad %p wraparound refcnt\n", __func__, dp);
2366 /* NOTREACHED */
2367 }
2368 if (!locked) {
2369 DAD_UNLOCK(dp);
2370 }
2371 }
2372
2373 static void
2374 dad_remref(struct dadq *dp)
2375 {
2376 struct ifaddr *ifa;
2377
2378 DAD_LOCK_SPIN(dp);
2379 if (dp->dad_refcount == 0) {
2380 panic("%s: dad %p negative refcnt\n", __func__, dp);
2381 }
2382 --dp->dad_refcount;
2383 if (dp->dad_refcount > 0) {
2384 DAD_UNLOCK(dp);
2385 return;
2386 }
2387 DAD_UNLOCK(dp);
2388
2389 if (dp->dad_attached ||
2390 dp->dad_list.tqe_next != NULL || dp->dad_list.tqe_prev != NULL) {
2391 panic("%s: attached dad=%p is being freed", __func__, dp);
2392 /* NOTREACHED */
2393 }
2394
2395 if ((ifa = dp->dad_ifa) != NULL) {
2396 IFA_REMREF(ifa); /* drop dad_ifa reference */
2397 dp->dad_ifa = NULL;
2398 }
2399
2400 lck_mtx_destroy(&dp->dad_lock, ifa_mtx_grp);
2401 zfree(dad_zone, dp);
2402 }
2403
2404 void
2405 nd6_llreach_set_reachable(struct ifnet *ifp, void *addr, unsigned int alen)
2406 {
2407 /* Nothing more to do if it's disabled */
2408 if (nd6_llreach_base == 0) {
2409 return;
2410 }
2411
2412 ifnet_llreach_set_reachable(ifp, ETHERTYPE_IPV6, addr, alen);
2413 }
2414
2415 void
2416 nd6_alt_node_addr_decompose(struct ifnet *ifp, struct sockaddr *sa,
2417 struct sockaddr_dl* sdl, struct sockaddr_in6 *sin6)
2418 {
2419 static const size_t EUI64_LENGTH = 8;
2420
2421 VERIFY(nd6_need_cache(ifp));
2422 VERIFY(sa);
2423 VERIFY(sdl && (void *)sa != (void *)sdl);
2424 VERIFY(sin6 && (void *)sa != (void *)sin6);
2425
2426 bzero(sin6, sizeof(*sin6));
2427 sin6->sin6_len = sizeof *sin6;
2428 sin6->sin6_family = AF_INET6;
2429
2430 bzero(sdl, sizeof(*sdl));
2431 sdl->sdl_len = sizeof *sdl;
2432 sdl->sdl_family = AF_LINK;
2433 sdl->sdl_type = ifp->if_type;
2434 sdl->sdl_index = ifp->if_index;
2435
2436 switch (sa->sa_family) {
2437 case AF_INET6: {
2438 struct sockaddr_in6 *sin6a = (struct sockaddr_in6 *)(void *)sa;
2439 struct in6_addr *in6 = &sin6a->sin6_addr;
2440
2441 VERIFY(sa->sa_len == sizeof *sin6);
2442
2443 sdl->sdl_nlen = strlen(ifp->if_name);
2444 bcopy(ifp->if_name, sdl->sdl_data, sdl->sdl_nlen);
2445 if (in6->s6_addr[11] == 0xff && in6->s6_addr[12] == 0xfe) {
2446 sdl->sdl_alen = ETHER_ADDR_LEN;
2447 LLADDR(sdl)[0] = (in6->s6_addr[8] ^ ND6_EUI64_UBIT);
2448 LLADDR(sdl)[1] = in6->s6_addr[9];
2449 LLADDR(sdl)[2] = in6->s6_addr[10];
2450 LLADDR(sdl)[3] = in6->s6_addr[13];
2451 LLADDR(sdl)[4] = in6->s6_addr[14];
2452 LLADDR(sdl)[5] = in6->s6_addr[15];
2453 } else {
2454 sdl->sdl_alen = EUI64_LENGTH;
2455 bcopy(&in6->s6_addr[8], LLADDR(sdl), EUI64_LENGTH);
2456 }
2457
2458 sdl->sdl_slen = 0;
2459 break;
2460 }
2461 case AF_LINK: {
2462 struct sockaddr_dl *sdla = (struct sockaddr_dl *)(void *)sa;
2463 struct in6_addr *in6 = &sin6->sin6_addr;
2464 caddr_t lla = LLADDR(sdla);
2465
2466 VERIFY(sa->sa_len <= sizeof(*sdl));
2467 bcopy(sa, sdl, sa->sa_len);
2468
2469 sin6->sin6_scope_id = sdla->sdl_index;
2470 if (sin6->sin6_scope_id == 0) {
2471 sin6->sin6_scope_id = ifp->if_index;
2472 }
2473 in6->s6_addr[0] = 0xfe;
2474 in6->s6_addr[1] = 0x80;
2475 if (sdla->sdl_alen == EUI64_LENGTH) {
2476 bcopy(lla, &in6->s6_addr[8], EUI64_LENGTH);
2477 } else {
2478 VERIFY(sdla->sdl_alen == ETHER_ADDR_LEN);
2479
2480 in6->s6_addr[8] = ((uint8_t) lla[0] ^ ND6_EUI64_UBIT);
2481 in6->s6_addr[9] = (uint8_t) lla[1];
2482 in6->s6_addr[10] = (uint8_t) lla[2];
2483 in6->s6_addr[11] = 0xff;
2484 in6->s6_addr[12] = 0xfe;
2485 in6->s6_addr[13] = (uint8_t) lla[3];
2486 in6->s6_addr[14] = (uint8_t) lla[4];
2487 in6->s6_addr[15] = (uint8_t) lla[5];
2488 }
2489
2490 break;
2491 }
2492 default:
2493 VERIFY(false);
2494 break;
2495 }
2496 }
2497
2498 int
2499 nd6_alt_node_present(struct ifnet *ifp, struct sockaddr_in6 *sin6,
2500 struct sockaddr_dl *sdl, int32_t rssi, int lqm, int npm)
2501 {
2502 struct rtentry *rt;
2503 struct llinfo_nd6 *ln;
2504 struct if_llreach *lr = NULL;
2505 const uint16_t temp_embedded_id = sin6->sin6_addr.s6_addr16[1];
2506
2507 if (IN6_IS_SCOPE_LINKLOCAL(&sin6->sin6_addr) &&
2508 (temp_embedded_id == 0)) {
2509 sin6->sin6_addr.s6_addr16[1] = htons(ifp->if_index);
2510 }
2511
2512 nd6_cache_lladdr(ifp, &sin6->sin6_addr, LLADDR(sdl), sdl->sdl_alen,
2513 ND_NEIGHBOR_ADVERT, 0);
2514
2515 LCK_MTX_ASSERT(rnh_lock, LCK_MTX_ASSERT_NOTOWNED);
2516 lck_mtx_lock(rnh_lock);
2517
2518 rt = rtalloc1_scoped_locked((struct sockaddr *)sin6, 1, 0,
2519 ifp->if_index);
2520
2521 /* Restore the address that was passed to us */
2522 if (temp_embedded_id == 0) {
2523 sin6->sin6_addr.s6_addr16[1] = 0;
2524 }
2525
2526 if (rt != NULL) {
2527 RT_LOCK(rt);
2528 VERIFY(rt->rt_flags & RTF_LLINFO);
2529 VERIFY(rt->rt_llinfo);
2530
2531 ln = rt->rt_llinfo;
2532 ND6_CACHE_STATE_TRANSITION(ln, ND6_LLINFO_REACHABLE);
2533 ln_setexpire(ln, 0);
2534
2535 lr = ln->ln_llreach;
2536 if (lr) {
2537 IFLR_LOCK(lr);
2538 lr->lr_rssi = rssi;
2539 lr->lr_lqm = (int32_t) lqm;
2540 lr->lr_npm = (int32_t) npm;
2541 IFLR_UNLOCK(lr);
2542 }
2543
2544 RT_UNLOCK(rt);
2545 RT_REMREF(rt);
2546 }
2547
2548 lck_mtx_unlock(rnh_lock);
2549
2550 if (rt == NULL) {
2551 log(LOG_ERR, "%s: failed to add/update host route to %s.\n",
2552 __func__, ip6_sprintf(&sin6->sin6_addr));
2553 return EHOSTUNREACH;
2554 } else {
2555 nd6log(debug, "%s: host route to %s [lr=0x%llx]\n",
2556 __func__, ip6_sprintf(&sin6->sin6_addr),
2557 (uint64_t)VM_KERNEL_ADDRPERM(lr));
2558 return 0;
2559 }
2560 }
2561
2562 void
2563 nd6_alt_node_absent(struct ifnet *ifp, struct sockaddr_in6 *sin6, struct sockaddr_dl *sdl)
2564 {
2565 struct rtentry *rt;
2566 const uint16_t temp_embedded_id = sin6->sin6_addr.s6_addr16[1];
2567
2568 nd6log(debug, "%s: host route to %s\n", __func__,
2569 ip6_sprintf(&sin6->sin6_addr));
2570
2571 if (IN6_IS_SCOPE_LINKLOCAL(&sin6->sin6_addr) &&
2572 (temp_embedded_id == 0)) {
2573 sin6->sin6_addr.s6_addr16[1] = htons(ifp->if_index);
2574 }
2575
2576 LCK_MTX_ASSERT(rnh_lock, LCK_MTX_ASSERT_NOTOWNED);
2577 lck_mtx_lock(rnh_lock);
2578
2579 rt = rtalloc1_scoped_locked((struct sockaddr *)sin6, 0, 0,
2580 ifp->if_index);
2581
2582 /* Restore the address that was passed to us */
2583 if (temp_embedded_id == 0) {
2584 sin6->sin6_addr.s6_addr16[1] = 0;
2585 }
2586
2587 if (rt != NULL) {
2588 RT_LOCK(rt);
2589
2590 if (!(rt->rt_flags & (RTF_CLONING | RTF_PRCLONING)) &&
2591 (rt->rt_flags & (RTF_HOST | RTF_LLINFO | RTF_WASCLONED)) ==
2592 (RTF_HOST | RTF_LLINFO | RTF_WASCLONED)) {
2593 /*
2594 * Copy the link layer information in SDL when present
2595 * as it later gets used to issue the kernel event for
2596 * node absence.
2597 */
2598 if (sdl != NULL && rt->rt_gateway != NULL &&
2599 rt->rt_gateway->sa_family == AF_LINK &&
2600 SDL(rt->rt_gateway)->sdl_len <= sizeof(*sdl)) {
2601 bcopy(rt->rt_gateway, sdl, SDL(rt->rt_gateway)->sdl_len);
2602 }
2603
2604 rt->rt_flags |= RTF_CONDEMNED;
2605 RT_UNLOCK(rt);
2606
2607 (void) rtrequest_locked(RTM_DELETE, rt_key(rt),
2608 (struct sockaddr *)NULL, rt_mask(rt), 0,
2609 (struct rtentry **)NULL);
2610
2611 rtfree_locked(rt);
2612 } else {
2613 RT_REMREF_LOCKED(rt);
2614 RT_UNLOCK(rt);
2615 }
2616 }
2617
2618 lck_mtx_unlock(rnh_lock);
2619 }
mirror of XNU