ip6_if.c revision a1b6bb22225758893709ddb81f495b831d79b4ec
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2010 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
* Copyright (c) 1990 Mentat Inc.
*/
/*
* This file contains the interface control functions for IPv6.
*/
#include <sys/sysmacros.h>
#include <sys/isa_defs.h>
#include <netinet/igmp_var.h>
#include <inet/ip_multi.h>
#include <inet/ipclassifier.h>
static in6_addr_t ipv6_ll_template =
static ipif_t *
ip_stack_t *ipst);
/*
* This function is called when an application does not specify an interface
* to be used for multicast traffic. It calls ire_lookup_multi_v6() to look
* for an interface route for the specified multicast group. Doing
* this allows the administrator to add prefix routes for multicast to
* indicate which interface to be used for multicast traffic in the above
* scenario. The route could be for all multicast (ff00::/8), for a single
* multicast group (a /128 route) or anything in between. If there is no
* such multicast route, we just find any multicast capable interface and
* return it.
*
* We support MULTIRT and RTF_SETSRC on the multicast routes added to the
* unicast table. This is used by CGTP.
*/
ill_t *
{
return (ill);
}
/*
* Look for an ipif with the specified interface address and destination.
* The destination address is used only for matching point-to-point interfaces.
*/
static ipif_t *
{
/*
* NOTE(review): the function name, parameter list and the enclosing
* loops are missing from this listing; only the tail of the match test
* and the two returns are visible.
*/
/*
* First match all the point-to-point interfaces
* before looking at non-point-to-point interfaces.
* This is done to avoid returning a non-point-to-point
* ipif instead of an unnumbered point-to-point ipif.
*/
/* Allow the ipif to be down */
if_addr)) &&
dst))) {
/*
* A condemned ipif is never handed back, even when
* both the interface address and the destination
* matched.
*/
if (!IPIF_IS_CONDEMNED(ipif)) {
return (ipif);
}
}
}
}
/* lookup the ipif based on interface address */
return (ipif);
}
/*
* Common function for ipif_lookup_addr_v6() and ipif_lookup_addr_exact_v6().
*/
static ipif_t *
{
/*
* NOTE(review): the signature, the `repeat' label and most of the loop
* and filter conditions are missing from this listing.
*/
/*
* Repeat twice, first based on local addresses and
* next time for pointopoint.
*/
continue;
}
continue;
/*
* With no_duplicate set, some candidates are skipped here. The rest of
* the condition is truncated; presumably it is the IPIF_DUPLICATE test
* that the non-duplicate lookup variant documents -- confirm.
*/
if (no_duplicate &&
continue;
}
/* Allow the ipif to be down */
if ((!ptp && (IN6_ARE_ADDR_EQUAL(
addr))) {
/* Condemned ipifs are not returned even on an address match. */
if (!IPIF_IS_CONDEMNED(ipif)) {
return (ipif);
}
}
}
}
/* If we already did the ptp case, then we are done */
if (ptp) {
/* Both passes finished without a match. */
return (NULL);
}
goto repeat;
}
/*
* Lookup an ipif with the specified address. For point-to-point links we
* look for matches on either the destination address or the local address,
* but we skip the local address check if IPIF_UNNUMBERED is set. If the
* `match_ill' argument is non-NULL, the lookup is restricted to that ill
* (or illgrp if `match_ill' is in an IPMP group).
*/
ipif_t *
{
}
/*
* Lookup an ipif with the specified address. Similar to ipif_lookup_addr,
* except that we will only return an address if it is not marked as
* IPIF_DUPLICATE
*/
ipif_t *
{
ipst));
}
/*
* Special abbreviated version of ipif_lookup_addr_v6() that doesn't match
* `match_ill' across the IPMP group. This function is only needed in some
* corner-cases; almost everything should use ipif_lookup_addr_v6().
*/
ipif_t *
{
ipst));
}
/*
* Look for an ipif with the specified address. For point-to-point links
* we look for matches on either the destination address or the local
* address, but we ignore the check on the local address if IPIF_UNNUMBERED
* is set.
* If the `match_ill' argument is non-NULL, the lookup is restricted to that
* ill (or illgrp if `match_ill' is in an IPMP group).
* Return the zoneid for the ipif. ALL_ZONES if none found.
*/
{
/*
* NOTE(review): the signature, the `repeat' label, the loop headers and
* the statement that maps ALL_ZONES to GLOBAL_ZONEID are missing from
* this listing; only the comment describing that mapping survives.
*/
/*
* Repeat twice, first based on local addresses and
* next time for pointopoint.
*/
continue;
}
/* Allow the ipif to be down */
if ((!ptp && (IN6_ARE_ADDR_EQUAL(
addr)) &&
/*
* If ipif_zoneid was ALL_ZONES then we have
* a trusted extensions shared IP address.
* In that case GLOBAL_ZONEID works to send.
*/
return (zoneid);
}
}
}
/* If we already did the ptp case, then we are done */
if (ptp) {
/*
* ALL_ZONES doubles as the "nothing found" result, so a caller
* has to treat it as a failed lookup and not as a zone that
* owns the address.
*/
return (ALL_ZONES);
}
goto repeat;
}
/*
* Perform various checks to verify that an address would make sense as a local
* interface address. This is currently only called when an attempt is made
* to set a local address.
*
* Does not allow a v4-mapped address, an address that equals the subnet
* anycast address, ... a multicast address, ...
*/
{
/*
* NOTE(review): the signature and all but the first term of the
* rejection test are missing from this listing. What is visible is a
* deny-list: the unspecified address is accepted up front, a v4-mapped
* address is one of the rejected cases, and any address that no test
* rejects is accepted by the final return.
*/
if (IN6_IS_ADDR_UNSPECIFIED(addr))
return (B_TRUE); /* Allow all zeros */
/*
* Don't allow all zeroes or host part, but allow
* all ones netmask.
*/
if (IN6_IS_ADDR_V4MAPPED(addr) ||
return (B_FALSE);
/* Default is to accept. */
return (B_TRUE);
}
/*
* Perform various checks to verify that an address would make sense as a
*/
{
/*
* NOTE(review): the header comment above this block is cut off
* mid-sentence and the signature is missing, so the kind of address
* being validated cannot be told from this listing. The visible shape
* is a deny-list: accept the unspecified address, reject a v4-mapped
* address (further rejected cases are truncated), and accept everything
* else.
*/
if (IN6_IS_ADDR_UNSPECIFIED(addr))
return (B_TRUE); /* Allow all zeros */
if (IN6_IS_ADDR_V4MAPPED(addr) ||
return (B_FALSE);
/* Default is to accept. */
return (B_TRUE);
}
/*
* ip_rt_add_v6 is called to add an IPv6 route to the forwarding table.
* ill is passed in to associate it with the correct interface
* (for link-local destinations and gateways).
* If ire_arg is set, then we return the held IRE in that location.
*/
/* ARGSUSED1 */
int
{
int match_flags = MATCH_IRE_TYPE;
/*
* Prevent routes with a zero gateway from being created (since
* interfaces can currently be plumbed and brought up with no assigned
* address).
*/
return (ENETUNREACH);
/*
* If this is the case of RTF_HOST being set, then we set the netmask
* to all ones (regardless if one was supplied).
*/
mask = &ipv6_all_ones;
/*
* Get the ipif, if any, corresponding to the gw_addr
* If -ifp was specified we restrict ourselves to the ill, otherwise
* we match on the gateway and destination to handle unnumbered pt-pt
* interfaces.
*/
else
return (EINVAL);
}
}
/*
* GateD will attempt to create routes with a loopback interface
* address as the gateway and with RTF_GATEWAY set. We allow
* these routes to be added, but create them as interface routes
* since the gateway is an interface address.
*/
flags &= ~RTF_GATEWAY;
NULL);
return (EEXIST);
}
ip1dbg(("ip_rt_add_v6: 0x%p creating IRE 0x%x"
"for 0x%x\n", (void *)ipif,
ire = ire_create_v6(
mask,
NULL,
NULL,
ipst);
return (ENOMEM);
}
/* src address assigned by the caller? */
if ((flags & RTF_SETSRC) &&
/*
* In the event of failure, ire_add() will have
* already deleted the ire in question, so there
* is no need to do that here.
*/
return (ENOMEM);
}
/*
* Check if it was a duplicate entry. This handles
* the case of two racing route adds for the same route
*/
return (EEXIST);
}
goto save_ire;
}
}
/*
* The routes for multicast with CGTP are quite special in that
* the gateway is the local interface address, yet RTF_GATEWAY
* is set. We turn off RTF_GATEWAY to provide compatibility with
* this undocumented and unusual use of multicast routes.
*/
flags &= ~RTF_GATEWAY;
/*
* Traditionally, interface routes are ones where RTF_GATEWAY isn't set
* and the gateway address provided is one of the system's interface
* addresses. By using the routing socket interface and supplying an
* RTA_IFP sockaddr with an interface index, an alternate method of
* specifying an interface route to be created is available which uses
* the interface index that specifies the outgoing interface rather than
* the address of an outgoing interface (which may not be able to
* uniquely identify an interface). When coupled with the RTF_GATEWAY
* flag, routes can be specified which not only specify the next-hop to
* be used when routing to a certain prefix, but also which outgoing
* interface should be used.
*
* Previously, interfaces would have unique addresses assigned to them
* and so the address assigned to a particular interface could be used
* to identify a particular interface. One exception to this was the
* case of an unnumbered interface (where IPIF_UNNUMBERED was set).
*
* With the advent of IPv6 and its link-local addresses, this
* restriction was relaxed and interfaces could share addresses between
* themselves. In fact, typically all of the link-local interfaces on
* an IPv6 node or router will have the same link-local address. In
* order to differentiate between these interfaces, the use of an
* interface index is necessary and this index can be carried inside a
* RTA_IFP sockaddr (which is actually a sockaddr_dl). One restriction
* of using the interface index, however, is that all of the ipif's that
* are part of an ill have the same index and so the RTA_IFP sockaddr
* cannot be used to differentiate between ipif's (or logical
* interfaces) that belong to the same ill (physical interface).
*
* For example, in the following case involving IPv4 interfaces and
* logical interfaces
*
* 192.0.2.32 255.255.255.224 192.0.2.33 U if0
* 192.0.2.32 255.255.255.224 192.0.2.34 U if0
* 192.0.2.32 255.255.255.224 192.0.2.35 U if0
*
* the ipif's corresponding to each of these interface routes can be
* uniquely identified by the "gateway" (actually interface address).
*
* In this case involving multiple IPv6 default routes to a particular
* link-local gateway, the use of RTA_IFP is necessary to specify which
* default route is of interest:
*
* default fe80::123:4567:89ab:cdef U if0
* default fe80::123:4567:89ab:cdef U if1
*/
/* RTF_GATEWAY not set */
if (!(flags & RTF_GATEWAY)) {
ip2dbg(("ip_rt_add_v6: gateway security attributes "
"cannot be set with interface route\n"));
return (EINVAL);
}
/*
* Whether or not ill (RTA_IFP) is set, we require that
* the gateway is one of our local addresses.
*/
return (ENETUNREACH);
/*
* We use MATCH_IRE_ILL here. If the caller specified an
* interface (from the RTA_IFP sockaddr) we use it, otherwise
* we use the ill derived from the gateway address.
* We can always match the gateway address since we record it
* in ire_gateway_addr.
* We don't allow RTA_IFP to specify a different ill than the
* one matching the ipif to make sure we can delete the route.
*/
return (EINVAL);
}
/*
* We check for an existing entry at this point.
*/
NULL);
return (EEXIST);
}
/*
* Create a copy of the IRE_LOOPBACK, IRE_IF_NORESOLVER or
* IRE_IF_RESOLVER with the modified address, netmask, and
* gateway.
*/
ire = ire_create_v6(
mask,
ill,
NULL,
ipst);
return (ENOMEM);
}
/*
* Some software (for example, GateD and Sun Cluster) attempts
* to create (what amount to) IRE_PREFIX routes with the
* loopback address as the gateway. This is primarily done to
* set up prefixes with the RTF_REJECT flag set (for example,
* when generating aggregate routes). We also OR in the
* RTF_BLACKHOLE flag as these interface routes, by
* definition, can only be that.
*
* If the IRE type (as defined by ill->ill_net_type) is
* IRE_LOOPBACK, then we map the request into a
* IRE_IF_NORESOLVER.
*
* Needless to say, the real IRE_LOOPBACK is NOT created by this
* routine, but rather using ire_create_v6() directly.
*/
}
/* src address assigned by the caller? */
/*
* In the event of failure, ire_add() will have
* already deleted the ire in question, so there
* is no need to do that here.
*/
return (ENOMEM);
}
/*
* Check if it was a duplicate entry. This handles
* the case of two racing route adds for the same route
*/
return (EEXIST);
}
goto save_ire;
}
/*
* Get an interface IRE for the specified gateway.
* If we don't have an IRE_IF_NORESOLVER or IRE_IF_RESOLVER for the
* gateway, it is currently unreachable and we fail the request
* accordingly. We reject any RTF_GATEWAY routes where the gateway
* is an IRE_LOCAL or IRE_LOOPBACK.
* If RTA_IFP was specified we look on that particular ill.
*/
/* Check whether the gateway is reachable. */
if (flags & RTF_INDIRECT)
type |= IRE_OFFLINK;
/*
* With IPMP, we allow host routes to influence in.mpathd's
* target selection. However, if the test addresses are on
* their own network, the above lookup will fail since the
* underlying IRE_INTERFACEs are marked hidden. So allow
* hidden test IREs to be found and try again.
*/
if (!(match_flags & MATCH_IRE_TESTHIDDEN)) {
goto again;
}
return (ENETUNREACH);
}
return (ENETUNREACH);
}
/*
* We create one of three types of IREs as a result of this request
* based on the netmask. A netmask of all ones (which is automatically
* assumed when RTF_HOST is set) results in an IRE_HOST being created.
* An all zeroes netmask implies a default route so an IRE_DEFAULT is
* created. Otherwise, an IRE_PREFIX route is created for the
* destination prefix.
*/
else if (IN6_IS_ADDR_UNSPECIFIED(mask))
type = IRE_DEFAULT;
else
type = IRE_PREFIX;
/* check for a duplicate entry */
return (EEXIST);
}
/* Security attribute exists */
/* find or create the gateway credentials group */
/* we hold reference to it upon success */
return (ENOMEM);
}
/*
* Create and add the security attribute to the group; a
* reference to the group is made upon allocating a new
* entry successfully. If it finds an already-existing
* entry for the security attribute in the group, it simply
* returns it and no new reference is made to the group.
*/
/* release reference held by gcgrp_lookup */
return (ENOMEM);
}
}
/* Create the IRE. */
ire = ire_create_v6(
dst_addr, /* dest address */
mask, /* mask */
gw_addr, /* gateway address */
ill,
gc, /* security attribute */
ipst);
/*
* The ire holds a reference to the 'gc' and the 'gc' holds a
* reference to the 'gcgrp'. We can now release the extra reference
* the 'gcgrp' acquired in the gcgrp_lookup, if it was not used.
*/
if (gcgrp_xtraref)
GC_REFRELE(gc);
return (ENOMEM);
}
/* src address assigned by the caller? */
/*
* POLICY: should we allow an RTF_HOST with address INADDR_ANY?
*/
/* Add the new IRE. */
/*
* In the event of failure, ire_add() will have
* already deleted the ire in question, so there
* is no need to do that here.
*/
return (ENOMEM);
}
/*
* Check if it was a duplicate entry. This handles
* the case of two racing route adds for the same route
*/
return (EEXIST);
}
if (flags & RTF_MULTIRT) {
/*
* Invoke the CGTP (multirouting) filtering module
* to add the dst address in the filtering database.
* Replicated inbound packets coming from that address
* will be filtered to discard the duplicates.
* It is not necessary to call the CGTP filter hook
* when the dst address is a multicast, because an
* IP source address cannot be a multicast.
*/
int res;
/* Find the source address corresponding to gw_ire */
&ire->ire_addr_v6,
} else {
res = EADDRNOTAVAIL;
}
if (res != 0) {
return (res);
}
}
}
}
/*
* Save enough information so that we can recreate the IRE if
* the ILL goes down and then up. The metrics associated
* with the route will be saved as well when rts_setmetrics() is
* called after the IRE has been created. In the case where
* memory cannot be allocated, none of this information will be
* saved.
*/
}
/*
* Store the ire that was successfully added into where ire_arg
* points to so that callers don't have to look it up
* themselves (but they are responsible for ire_refrele()ing
* the ire when they are finished with it).
*/
} else {
}
return (0);
}
/*
* ip_rt_delete_v6 is called to delete an IPv6 route.
* ill is passed in to associate it with the correct interface
* (for link-local destinations and gateways).
*/
/* ARGSUSED4 */
int
{
/*
* NOTE(review): the parameter list, the route lookups and the delete
* call itself are missing from this listing. The comments below
* describe the intended flow; only fragments of the code that
* implements it are visible.
*/
int err = 0;
/*
* If this is the case of RTF_HOST being set, then we set the netmask
* to all ones. Otherwise, we use the netmask if one was supplied.
*/
mask = &ipv6_all_ones;
} else if (rtm_addrs & RTA_NETMASK) {
}
/*
* Note that RTF_GATEWAY is never set on a delete, therefore
* we check if the gateway address is one of our interfaces first,
* and fall back on RTF_GATEWAY routes.
*
* This makes it possible to delete an original
* IRE_IF_NORESOLVER/IRE_IF_RESOLVER - consistent with SunOS 4.1.
* However, we have RTF_KERNEL set on the ones created by ipif_up
* and those can not be deleted here.
*
* We use MATCH_IRE_ILL if we know the interface. If the caller
* specified an interface (from the RTA_IFP sockaddr) we use it,
* otherwise we use the ill derived from the gateway address.
* We can always match the gateway address since we record it
* in ire_gateway_addr.
*
* For more detail on specifying routes by gateway address and by
* interface index, see the comments in ip_rt_add_v6().
*/
else
NULL);
}
}
/*
* Avoid deleting routes created by kernel from an ipif.
* This is the guard for the RTF_KERNEL routes mentioned above: a
* delete request must not be able to remove the interface routes
* the kernel installed itself. The test that enforces it is
* missing from this listing.
*/
}
/* Restore in case we didn't find a match */
}
/*
* At this point, the gateway address is not one of our own
* addresses or a matching interface route was not found. We
* set the IRE type to lookup based on whether
* this is a host route, a default route or just a prefix.
*
* If an ill was passed in, then the lookup is based on an
* interface index so MATCH_IRE_ILL is added to match_flags.
*/
else if (IN6_IS_ADDR_UNSPECIFIED(mask))
type = IRE_DEFAULT;
else
type = IRE_PREFIX;
}
}
/* No route matched either lookup. */
return (ESRCH);
/*
* Invoke the CGTP (multirouting) filtering module
* to remove the dst address from the filtering database.
* Packets coming from that address will no longer be
* filtered to remove duplicates.
*/
}
}
return (err);
}
/*
* Derive an interface id from the link layer address.
*/
void
{
/*
* A manually configured token (ill_manual_token set) is left alone;
* the derivation from the link-layer address only runs otherwise.
* NOTE(review): the signature and the derivation call inside this
* branch are missing from this listing.
*/
if (!ill->ill_manual_token) {
}
}
void
{
}
/*
* Create a link-local address from a token.
*/
static void
{
int i;
for (i = 0; i < 4; i++) {
}
}
/*
* Set a default IPv6 address for a 6to4 tunnel interface 2002:<tsrc>::1/16
*/
static void
{
return;
}
/*
* Is it not possible to set the link local address?
* The address can be set if the token is set, and the token
* isn't too long.
* Return B_TRUE if the address can't be set, or B_FALSE if it can.
*/
{
/*
* Inverted sense, as the header comment states: B_TRUE means the
* link-local address can NOT be set.
* NOTE(review): the signature and the token checks that choose between
* the two returns are missing from this listing.
*/
return (B_TRUE);
return (B_FALSE);
}
/*
* Generate a link-local address from the token.
*/
void
{
/*
* NOTE(review): the signature, the 6to4 test and the call that builds
* the address are missing from this listing; the three early exits
* below are what remains visible.
*/
/*
* ill_manual_linklocal is set when the link-local address was
* manually configured.
* In that case the configured address is kept and nothing is generated.
*/
if (ill->ill_manual_linklocal)
return;
/*
* IPv6 interfaces over 6to4 tunnels are special. They do not have
* link-local addresses, but instead have a single automatically
* generated global address.
*/
return;
}
/* Nothing is generated when the token cannot yield a link-local address. */
if (ipif_cant_setlinklocal(ipif))
return;
}
}
/*
* Generate a destination link-local address for a point-to-point IPv6
* interface with a destination interface id (IP tunnels are such interfaces)
* based on the destination token.
*/
void
{
/*
* A manually configured destination link-local address
* (ill_manual_dst_linklocal set) is never overwritten.
* NOTE(review): the signature, the condition guarding the second return
* and the address generation itself are missing from this listing.
*/
if (ill->ill_manual_dst_linklocal)
return;
return;
}
/*
* Get the resolver set up for a new ipif. (Always called as writer.)
*/
int
{
/*
* NOTE(review): the parameter list, the declarations of flags, nce and
* added_ipif, the `retry' label and the call that creates the NCE are
* missing from this listing. The name ipif_ndp_up is taken from the
* debug strings below.
*/
int err = 0;
return (0);
}
flags |= NCE_F_ISROUTER;
flags |= NCE_F_ANYCAST;
/*
* If we're here via ipif_up(), then the ipif won't be
* bound yet -- add it to the group, which will bind
* it if possible. (We would add it in ipif_up(), but
* deleting on failure there is gruesome.) If we're
* here via ipmp_ill_bind_ipif(), then the ipif has
* already been added to the group and we just need to
* use the binding.
*/
/*
* We couldn't bind the ipif to an ill
* yet, so we have nothing to publish.
* Set ipif_addr_ready so that this
* address can be used locally for now.
* The routing socket message will be
* sent from ipif_up_done_v6().
*/
return (0);
}
/* Remember that this call did the group addition (see `fail'). */
added_ipif = B_TRUE;
}
} else {
}
/*
* If this is an initial bring-up (or the ipif was never
* completely brought up), do DAD. Otherwise, we're here
* because IPMP has rebound an address to this ill: send
* unsolicited advertisements to inform others.
*/
/* Causes Duplicate Address Detection to run */
} else {
flags |= NCE_F_UNSOL_ADV;
}
/*
* err presumably holds the result of the NCE creation attempt; the
* call that sets it is not visible here -- confirm.
*/
switch (err) {
case 0:
ip1dbg(("ipif_ndp_up: NCE created for %s\n",
nce->nce_ipif_cnt++;
break;
/*
* DAD still running: handled like a newly created entry (the count
* is bumped) and not routed to the failure path.
*/
case EINPROGRESS:
ip1dbg(("ipif_ndp_up: running DAD now for %s\n",
nce->nce_ipif_cnt++;
break;
case EEXIST:
ip1dbg(("ipif_ndp_up: NCE already exists for %s\n",
/*
* A leftover nce from before this address
* existed
*/
goto retry;
}
ip1dbg(("ipif_ndp_up: NCE already exists "
goto fail;
}
/*
* Duplicate local addresses are permissible for
* IPIF_POINTOPOINT interfaces which will get marked
* IPIF_UNNUMBERED later in
* ip_addr_availability_check().
*
* The nce_ipif_cnt field tracks the number of
* ipifs that have nce_addr as their local address.
*/
nce->nce_ipif_cnt++;
/* The tolerated duplicate is reported as success. */
err = 0;
break;
default:
ip1dbg(("ipif_ndp_up: NCE creation failed for %s\n",
goto fail;
}
} else {
/* No local NCE for this entry */
}
return (0);
fail:
/*
* added_ipif is tested before err is returned, presumably so that a
* group addition made by this call can be undone; the undo statement
* is missing from this listing.
*/
if (added_ipif)
return (err);
}
/* Remove all cache entries for this logical interface */
void
{
}
/*
* Return the scope of the given IPv6 address. If the address is an
* IPv4 mapped IPv6 address, return the scope of the corresponding
* IPv4 address.
*/
{
/*
* NOTE(review): the signature is missing, and the v4-mapped branch has
* lost the conditions that select among its three results.
*/
if (IN6_IS_ADDR_V4MAPPED(addr)) {
return (IP6_SCOPE_LINKLOCAL);
return (IP6_SCOPE_SITELOCAL);
return (IP6_SCOPE_GLOBAL);
}
/* For multicast the scope is read from the address via IN6_ADDR_MC_SCOPE(). */
if (IN6_IS_ADDR_MULTICAST(addr))
return (IN6_ADDR_MC_SCOPE(addr));
/* link-local and loopback addresses are of link-local scope */
if (IN6_IS_ADDR_LINKLOCAL(addr) ||
return (IP6_SCOPE_LINKLOCAL);
if (IN6_IS_ADDR_SITELOCAL(addr))
return (IP6_SCOPE_SITELOCAL);
/* Anything not classified above is treated as global scope. */
return (IP6_SCOPE_GLOBAL);
}
/*
* Returns the length of the common prefix of a1 and a2, as per
* CommonPrefixLen() defined in RFC 3484.
*/
static int
{
/*
* NOTE(review): the signature, the declaration of mask, the word
* comparison and the header of the inner bit loop are missing from
* this listing.
*/
int i;
/* Four passes; the `i *= 32' below suggests one per 32-bit word. */
for (i = 0; i < 4; i++) {
/* i is reused: word index becomes a bit offset. */
i *= 32;
/* Start at the most significant bit and walk downwards. */
mask = 0x80000000u;
mask >>= 1;
i++;
}
return (i);
}
}
/* Reached when the loop completes without an early return. */
return (IPV6_ABITS);
}
#define IPIF_VALID_IPV6_SOURCE(ipif) \
/* source address candidate */
typedef struct candidate {
/*
* NOTE(review): this listing of the struct is incomplete. The rule
* functions in this file also read members such as cand_isdst,
* cand_pref_eq and a *_set flag per property, none of which are shown.
*/
/* The properties of this candidate */
int cand_common_pref; /* guarded by cand_common_pref_set in the rule code */
int cand_pref_len; /* guarded by cand_pref_len_set in the rule code */
} cand_t;
/* information about the destination for source address selection */
typedef struct dstinfo {
/*
* NOTE(review): incomplete in this listing; the rule code also reads
* dst_restrict_ill, which is not among the members shown.
*/
const in6_addr_t *dst_addr;
char *dst_label;
} dstinfo_t;
/*
* The following functions are rules used to select a source address in
* ipif_select_source_v6(). Each rule compares a current candidate (cc)
* against the best candidate (bc). Each rule has three possible outcomes;
* the candidate is preferred over the best candidate (CAND_PREFER), the
* candidate is not preferred over the best candidate (CAND_AVOID), or the
* candidate is of equal value as the best candidate (CAND_TIE).
*
* These rules are part of a greater "Default Address Selection for IPv6"
* scheme, which is standards based work coming out of the IETF ipv6 working
* group. The IETF document defines both IPv6 source address selection and
* destination address ordering. The rules defined here implement the IPv6
* source address selection. Destination address ordering is done by
* libnsl, and uses a similar set of rules to implement the sorting.
*
* Most of the rules are defined by the RFC and are not typically altered. The
* last rule, number 8, has language that allows for local preferences. In the
* scheme below, this means that new Solaris rules should normally go between
* rule_ifprefix and rule_prefix.
*/
ip_stack_t *);
/* Prefer an address if it is equal to the destination address. */
/* ARGSUSED3 */
static rule_res_t
{
/*
* NOTE(review): the signature, the right-hand sides of both
* assignments and the tie condition are missing from this listing.
*/
/* The best candidate's value is computed once and cached via cand_isdst_set. */
if (!bc->cand_isdst_set) {
bc->cand_isdst =
}
cc->cand_isdst =
return (CAND_TIE);
/* Past the (missing) tie test: cc wins when it equals the destination. */
else if (cc->cand_isdst)
return (CAND_PREFER);
else
return (CAND_AVOID);
}
/*
* Prefer addresses that are of closest scope to the destination. Always
* prefer addresses that are of greater scope than the destination over
* those that are of lesser scope than the destination.
*/
/* ARGSUSED3 */
static rule_res_t
{
/*
* NOTE(review): the signature and every scope comparison are missing
* from this listing, so which comparison leads to which result cannot
* be read off the fragment below. The only certain point is that
* CAND_TIE is the final else branch.
*/
/* The best candidate's scope is computed lazily, guarded by cand_scope_set. */
if (!bc->cand_scope_set) {
}
return (CAND_AVOID);
else
return (CAND_PREFER);
return (CAND_PREFER);
else
return (CAND_AVOID);
} else {
return (CAND_TIE);
}
}
/*
* Prefer non-deprecated source addresses.
*/
/* ARGSUSED2 */
static rule_res_t
{
/*
* NOTE(review): the signature, the code that fills in the deprecated
* flags and the tie condition are missing from this listing.
*/
if (!bc->cand_isdeprecated_set) {
}
return (CAND_TIE);
/* Past the (missing) tie test: a deprecated current candidate loses. */
else if (cc->cand_isdeprecated)
return (CAND_AVOID);
else
return (CAND_PREFER);
}
/*
* Prefer source addresses that have the IPIF_PREFERRED flag set. This
* rule must be before rule_interface because the flag could be set on any
* interface, not just the interface being used for outgoing packets (for
* example, the IFF_PREFERRED could be set on an address assigned to the
* loopback interface).
*/
/* ARGSUSED2 */
static rule_res_t
{
/*
* NOTE(review): the signature, the code that fills in the preferred
* flags and the tie condition are missing from this listing.
*/
if (!bc->cand_ispreferred_set) {
}
return (CAND_TIE);
/* Past the (missing) tie test: a preferred current candidate wins. */
else if (cc->cand_ispreferred)
return (CAND_PREFER);
else
return (CAND_AVOID);
}
/*
* Prefer source addresses that are assigned to the outgoing interface.
*/
/* ARGSUSED3 */
static rule_res_t
{
/*
* NOTE(review): the signature, the code that fills in the
* matched-interface flags and the tie condition are missing from this
* listing.
*/
/*
* If dstinfo->dst_restrict_ill is set, this rule is unnecessary
* since we know all candidates will be on the same link.
*/
if (dstinfo->dst_restrict_ill)
return (CAND_TIE);
if (!bc->cand_matchedinterface_set) {
}
return (CAND_TIE);
/* Past the (missing) tie test: cc wins when it is on the outgoing interface. */
else if (cc->cand_matchedinterface)
return (CAND_PREFER);
else
return (CAND_AVOID);
}
/*
* Prefer source addresses whose label matches the destination's label.
*/
static rule_res_t
{
/*
* NOTE(review): the signature, the label lookup that would use `label'
* and the tie condition are missing from this listing.
*/
char *label;
if (!bc->cand_matchedlabel_set) {
}
return (CAND_TIE);
/* Past the (missing) tie test: cc wins when its label matches the destination's. */
else if (cc->cand_matchedlabel)
return (CAND_PREFER);
else
return (CAND_AVOID);
}
/*
* Prefer public addresses over temporary ones. An application can reverse
* the logic of this rule and prefer temporary addresses by using the
* IPV6_SRC_PREFERENCES socket option.
*/
/* ARGSUSED3 */
static rule_res_t
{
/*
* NOTE(review): the signature and every condition after the lazy-init
* guard are missing, so the fragment does not show how the caller's
* source preferences flip the result. Per the header comment the
* default favours public addresses, which means a temporary address
* is chosen as source only when the application asks for it through
* IPV6_SRC_PREFERENCES.
*/
if (!bc->cand_istmp_set) {
}
return (CAND_TIE);
return (CAND_PREFER);
return (CAND_PREFER);
else
return (CAND_AVOID);
}
/*
* Prefer source addresses with longer matching prefix with the destination
* under the interface mask. This gets us on the same subnet before applying
* any Solaris-specific rules.
*/
/* ARGSUSED3 */
static rule_res_t
{
/*
* NOTE(review): the signature, the computation of cand_pref_eq and the
* prefix-length comparison are missing from this listing. The block
* name is inferred from the ordering note in the rules overview
* comment -- confirm.
*/
if (!bc->cand_pref_eq_set) {
}
if (bc->cand_pref_eq) {
if (cc->cand_pref_eq) {
/* Both match: the prefix length decides; bc's is cached. */
if (!bc->cand_pref_len_set) {
bc->cand_pref_len =
}
return (CAND_TIE);
return (CAND_AVOID);
else
return (CAND_PREFER);
} else {
/* Only the best candidate matches. */
return (CAND_AVOID);
}
} else {
/* Best candidate does not match: cc wins if it does, else tie. */
if (cc->cand_pref_eq)
return (CAND_PREFER);
else
return (CAND_TIE);
}
}
/*
* Prefer to use zone-specific addresses when possible instead of all-zones
* addresses.
*/
/* ARGSUSED2 */
static rule_res_t
{
/*
* NOTE(review): the signature and all zone comparisons are missing
* from this listing; only the three possible results remain, so the
* mapping from zone ids to results cannot be confirmed here.
*/
return (CAND_TIE);
return (CAND_AVOID);
else
return (CAND_PREFER);
}
/*
* Prefer to use DHCPv6 (first) and static addresses (second) when possible
* instead of statelessly autoconfigured addresses.
*
* This is done after trying all other preferences (and before the final tie
* breaker) so that, if all else is equal, we select addresses configured by
* DHCPv6 over other addresses. We presume that DHCPv6 addresses, unlike
* stateless autoconfigured addresses, are deliberately configured by an
* administrator, and thus are correctly set up in DNS and network packet
* filters.
*/
/* ARGSUSED2 */
static rule_res_t
{
/*
* NOTE(review): the body of the ATYPE() macro and the comparisons that
* use it are missing from this listing. As shown, the backslash
* continuation would swallow the following line, so the fragment below
* is not to be read as compilable code.
*/
#define ATYPE(x) \
return (CAND_TIE);
return (CAND_PREFER);
else
return (CAND_AVOID);
}
/*
* Prefer source addresses with longer matching prefix with the destination.
* We do the longest matching prefix calculation by doing an xor of both
* addresses with the destination, and pick the address with the longest string
* of leading zeros, as per CommonPrefixLen() defined in RFC 3484.
*/
/* ARGSUSED3 */
static rule_res_t
{
/*
* NOTE(review): the signature, the common-prefix computations and the
* comparisons are missing from this listing. The block name is
* inferred from the ordering note in the rules overview comment --
* confirm.
*/
/* The best candidate's common prefix length is computed once and cached. */
if (!bc->cand_common_pref_set) {
}
return (CAND_TIE);
return (CAND_AVOID);
else
return (CAND_PREFER);
}
/*
* Last rule: we must pick something, so just prefer the current best
* candidate.
*/
/* ARGSUSED */
static rule_res_t
{
/*
* Unconditional CAND_AVOID: the current candidate never displaces the
* best candidate here, so a comparison always ends with a decision and
* not a tie.
* NOTE(review): the signature is missing from this listing; the block
* name is inferred from the rule table further down -- confirm.
*/
return (CAND_AVOID);
}
/*
* Determine the best source address given a destination address and a
* destination ill. If no suitable source address is found, it returns
* NULL. If there is a usable address pointed to by the usesrc
* (i.e., ill_usesrc_ifindex != 0) then return that first since it is more
* fine-grained (i.e., per interface).
*
* This implementation is based on the "Default Address Selection for IPv6"
* specification produced by the IETF IPv6 working group. It has been
* implemented so that the list of addresses is only traversed once (the
* specification's algorithm could traverse the list of addresses once for
* every rule).
*
* The restrict_ill argument restricts the algorithm to choose a source
* address that is assigned to the destination ill. This is used when
* the destination address is a link-local or multicast address, and when
* ipv6_strict_dst_multihoming is turned on.
*
* src_prefs is the caller's set of source address preferences. If source
* address selection is being called to determine the source address of a
* connected socket (from ip_set_destination_v6()), then the preferences are
* taken from conn_ixa->ixa_src_preferences. These preferences can be set on a
* per-socket basis using the IPV6_SRC_PREFERENCES socket option. The only
* preference currently implemented is for rfc3041 temporary addresses.
*/
ipif_t *
{
/*
* NOTE(review): the function name, parameter list, most local
* declarations and many statements are absent from this listing. The
* debug strings below name the function ipif_select_source_v6. The
* comments added here describe only what the visible lines show.
*
* Visible contract: returns an ipif on success and NULL on every
* failure path shown below.
*/
/*
* Buffers sized for a printable IPv6 address; presumably filled for the
* ip1dbg() trace near the end of the function -- confirm.
*/
char dstr[INET6_ADDRSTRLEN];
char sstr[INET6_ADDRSTRLEN];
/*
* The list of ordering rules. They are applied in the order they
* appear in the list.
*
* Solaris doesn't currently support Mobile IPv6, so there's no
* rule_mipv6 corresponding to rule 4 in the specification.
*/
rule_ifprefix, /* local rules after this */
rule_prefix, /* local rules before this */
rule_must_be_last, /* must always be last */
};
/*
* Check if there is a usable src address pointed to by the
* usesrc ifindex. This has higher precedence since it is
* finer grained (i.e per interface) v/s being system wide.
*/
if ((usesrc_ill =
} else {
return (NULL);
}
} else if (IS_UNDER_IPMP(dstill)) {
/*
* Test addresses should never be used for source address
* selection, so if we were passed an underlying ill, switch
* to the IPMP meta-interface.
*/
else
return (NULL);
} else {
}
/*
* If we're dealing with an unlabeled destination on a labeled system,
* make sure that we ignore source addresses that are incompatible with
* the destination's default label. That destination's default label
* must dominate the minimum label on the source address.
*
* (Note that this has to do with Trusted Solaris. It's not related to
* the labels described by ip6_asp_lookup.)
*/
/*
* The only outcome visible inside the labeled-system branch is a NULL
* return, i.e. no source address is selected. The condition guarding
* that return is not in this listing.
*/
if (is_system_labeled()) {
return (NULL);
}
}
/*
* Section three of the I-D states that for multicast and
* link-local destinations, the candidate set must be restricted to
* an interface that is on the same link as the outgoing interface.
* Also, when ipv6_strict_dst_multihoming is turned on, always
* restrict the source address to the destination link as doing
* otherwise will almost certainly cause problems.
*/
} else {
}
/*
* Take a pass through the list of IPv6 interfaces to choose the best
* possible source address. If restrict_ill is set, just use dst_ill.
*/
if (dstinfo.dst_restrict_ill)
else
/*
* Test addresses should never be used for source address
* selection, so ignore underlying ills.
*/
if (IS_UNDER_IPMP(ill))
continue;
continue;
/*
* For source address selection, we treat the ipif list as
* circular and continue until we get back to where we
* started. This allows IPMP to vary source address selection
* (which improves inbound load spreading) by caching its last
* ending point and starting from there. NOTE: we don't have
* to worry about ill_src_ipif changing ills since that can't
* happen on the IPMP ill.
*/
ipif = start_ipif;
do {
/*
* Candidate filters: each "continue" below drops the
* address before any comparison rule is applied. Several
* of the filter conditions are not in this listing.
*/
if (!IPIF_VALID_IPV6_SOURCE(ipif))
continue;
if (!ipif->ipif_addr_ready) {
continue;
}
continue;
/*
* Check compatibility of local address for
* destination's default label if we're on a labeled
* system. Incompatible addresses can't be used at
* all and must be skipped over.
*/
continue;
incompat =
if (incompat)
continue;
}
if (first_candidate) {
/*
* This is first valid address in the list.
* It is automatically the best candidate
* so far.
*/
continue;
}
/*
* Compare this current candidate (curr_c) with the
* best candidate (best_c) by applying the
* comparison rules in order until one breaks the
* tie.
*/
/* Apply a comparison rule. */
if (rule_result == CAND_AVOID) {
/*
* The best candidate is still the
* best candidate. Forget about
* this current candidate and go on
* to the next one.
*/
break;
} else if (rule_result == CAND_PREFER) {
/*
* This candidate is preferred. It
* becomes the best candidate so
* far. Go on to the next address.
*/
break;
}
/* We have a tie, apply the next rule. */
}
/*
* The last rule must be a tie breaker rule and
* must never produce a tie. At this point, the
* candidate should have either been rejected, or
* have been preferred as the best candidate so far.
*/
/*
* For IPMP, update the source ipif rotor to the next ipif,
* provided we can look it up. (We must not use it if it's
* IPIF_CONDEMNED since we may have grabbed ill_g_lock after
* ipif_free() checked ill_src_ipif.)
*/
else
}
/*
* Only one ill to consider if dst_restrict_ill is set.
*/
if (dstinfo.dst_restrict_ill)
break;
}
ip1dbg(("ipif_select_source_v6(%s, %s) -> %s\n",
if (usesrc_ill != NULL)
return (NULL);
}
/*
* A condemned ipif is never handed back: the visible paths return the
* ipif only when IPIF_IS_CONDEMNED() is false, and otherwise log and
* return NULL. Whatever reference is taken on the returned ipif is not
* visible in this listing.
*/
if (!IPIF_IS_CONDEMNED(ipif)) {
return (ipif);
}
ip1dbg(("ipif_select_source_v6 cannot lookup ipif %p"
" returning null \n", (void *)ipif));
return (NULL);
}
/*
* Pick a source address based on the destination ill and an optional setsrc
* address.
* The result is stored in srcp. If generation is set, then put the source
* generation number there before we look for the source address (to avoid
* missing changes in the set of source addresses).
* If flagsp is set, then use it to pass back ipif_flags.
*
* If the caller wants to cache the returned source address and detect when
* that might be stale, the caller should pass in a generation argument,
* which the caller can later compare against ips_src_generation
*
* The precedence order for selecting an IPv6 source address is:
* - RTF_SETSRC on the first ire in the recursive lookup always wins.
* - If usesrc is set, swap the ill to be the usesrc one.
* - If IPMP is used on the ill, select a random address from the most
* preferred ones below:
* That is followed by the long list of IPv6 source address selection rules
* starting with rule_isdst(), rule_scope(), etc.
*
* We have lower preference for ALL_ZONES IP addresses,
* as they pose problems with unlabeled destinations.
*
* Note that when multiple IP addresses match e.g., with rule_scope() we pick
* the first one if IPMP is not in use. With IPMP we randomize.
*/
int
{
/*
* NOTE(review): the function name, parameter list and most statements
* are absent from this listing. The visible returns are 0 on the two
* success paths, ENETDOWN when notready is set and EADDRNOTAVAIL
* otherwise.
*/
/*
* NOTE(review): the header comment treats flagsp as optional ("If
* flagsp is set"), but no NULL check precedes this store in the
* listing -- confirm the guard exists in the full source.
*/
*flagsp = 0;
/*
* Need to grab the generation number before we check to
* avoid a race with a change to the set of local addresses.
* No lock needed since the thread which updates the set of local
* barrier) before doing the atomic increase of ips_src_generation.
*/
/*
* NOTE(review): a line of the comment above appears to be missing from
* this listing; the surviving text refers to a memory barrier that
* precedes the atomic increment of ips_src_generation.
*/
if (generation != NULL) {
}
/* Was RTF_SETSRC set on the first IRE in the recursive lookup? */
return (0);
}
/*
* Failure is reported as ENETDOWN when notready is set and as
* EADDRNOTAVAIL otherwise. Where notready is assigned is not visible
* here.
*/
if (notready)
return (ENETDOWN);
else
return (EADDRNOTAVAIL);
}
return (0);
}
/*
* Perform an attach and bind to get phys addr plus info_req for
* the physical device.
* q and mp represents an ioctl which will be queued waiting for
* completion of the DLPI message exchange.
* MUST be called on an ill queue.
*
* Returns EINPROGRESS when mp has been consumed by queueing it.
* The ioctl will complete in ip_rput.
*/
int
{
/*
* NOTE(review): the function name, parameter list, local declarations
* and the allocation calls themselves are absent from this listing; the
* debug string below names the function ill_dl_phys. What remains
* shows the error-handling shape: every failed step jumps to "bad".
*/
sizeof (t_scalar_t), DL_PHYS_ADDR_REQ);
if (v6token_mp == NULL)
goto bad;
sizeof (t_scalar_t), DL_PHYS_ADDR_REQ);
goto bad;
}
sizeof (t_scalar_t), DL_PHYS_ADDR_REQ);
goto bad;
}
/*
* Allocate a DL_NOTIFY_REQ and set the notifications we want.
*/
goto bad;
sizeof (t_scalar_t), DL_PHYS_ADDR_REQ);
goto bad;
sizeof (dl_info_req_t) + sizeof (dl_info_ack_t),
goto bad;
goto bad;
goto bad;
goto bad;
/* If we need to attach, pre-alloc and initialize the mblk */
if (ill->ill_needs_attach) {
goto bad;
}
/*
* Here we are going to delay the ioctl ack until after
* ACKs from DL_PHYS_ADDR_REQ. So need to save the
* original ioctl message before sending the requests
*/
/* ipsq_pending_mp_add won't fail since we pass in a NULL connp */
/*
* Set ill_phys_addr_pend to zero. It will be set to the addr_type of
* the DL_PHYS_ADDR_REQ in ill_dlpi_send() and ill_dlpi_done(). It will
*/
ill->ill_phys_addr_pend = 0;
ip1dbg(("ill_dl_phys: attach\n"));
}
/*
* Send the capability request to get the VRRP capability information.
*/
if (v6token_mp != NULL)
/*
* This operation will complete in ip_rput_dlpi_writer with either
* a DL_PHYS_ADDR_ACK or DL_ERROR_ACK.
*/
return (EINPROGRESS);
/*
* Common failure exit. ENOMEM is the only error this function returns
* on the visible paths. Whatever releases the messages allocated
* before the failure is not in this listing -- confirm that each
* pre-allocated message is freed here.
*/
bad:
return (ENOMEM);
}
/* Add room for tcp+ip headers */
/*
* DLPI is up.
* Create all the IREs associated with an interface and bring up multicast.
* Set the interface flag and finish other initialization
* that potentially had to be deferred to after DL_BIND_ACK.
*/
int
{
/*
* NOTE(review): the function name, parameter list and many statements
* are absent from this listing; the debug string below names the
* function ipif_up_done_v6. Visible contract: returns 0 on success and
* an errno value held in err on failure.
*/
int err;
ip1dbg(("ipif_up_done_v6(%s:%u)\n",
/* Check if this is a loopback interface */
/*
* lo0:1 and subsequent ipifs were marked IRE_LOCAL in
* ipif_lookup_on_name(), but in the case of zones we can have
* several loopback addresses on lo0. So all the interfaces with
* loopback addresses need to be marked IRE_LOOPBACK.
*/
else
flags |= NCE_F_PUBLISH;
/* A shared-IP zone sees EEXIST for lo0:N */
/*
* On this path the existing loopback nce is shared: its ipif count is
* bumped and the error is cleared. The test that selects this path is
* not in this listing.
*/
loop_nce->nce_ipif_cnt++;
err = 0;
} else {
return (err);
}
}
if (err != 0) {
/*
* See comments about return value from
* ipif_addr_availability_check() in ipif_add_ires_v6().
*/
if (err != EADDRINUSE) {
} else {
/*
* Make IPMP aware of the deleted ipif so that
* the needed ipmp cleanup (e.g., of ipif_bound_ill)
* can be completed. Note that we do not want to
* destroy the nce that was created on the ipmp_ill
* for the active copy of the duplicate address in
* use.
*/
/* Callers see EADDRNOTAVAIL, never the internal EADDRINUSE. */
err = EADDRNOTAVAIL;
}
return (err);
}
/* Recover any additional IREs entries for this ill */
/* The result of the recovery is deliberately discarded via the cast. */
(void) ill_recover_saved_ire(ill);
}
if (ill->ill_need_recover_multicast) {
/*
* Need to recover all multicast memberships in the driver.
* This had to be deferred until we had attached.
*/
}
/*
* Since the interface is now up, it may now be active.
*/
if (IS_UNDER_IPMP(ill))
}
/* Join the allhosts multicast address and the solicited node MC */
/* Perhaps ilgs should use this ill */
if (ipif->ipif_addr_ready)
return (0);
}
/*
* Add the IREs associated with the ipif.
* Those MUST be explicitly removed in ipif_delete_ires_v6.
*/
static int
{
/*
* NOTE(review): the function name, parameter list and many statements
* are absent from this listing; the first debug string below names the
* function ipif_add_ires_v6. Visible contract: returns 0 on success,
* EINVAL when a labeled-system check fails, and otherwise the errno
* value held in err.
*/
int err;
char buf[INET6_ADDRSTRLEN];
in6_addr_t *gw;
/*
* If we're on a labeled system then make sure that zone-
* private addresses have proper remote host database entries.
*/
/*
* Both labeled-system checks refuse the address with EINVAL before any
* IRE is created. The rest of the outer condition is not in this
* listing.
*/
if (is_system_labeled() &&
if (ip6opt_ls == 0) {
return (EINVAL);
}
if (!tsol_check_interface_address(ipif))
return (EINVAL);
}
if (loopback)
else
/* Register the source address for __sin6_src_id */
if (err != 0) {
return (err);
}
/*
* If the interface address is set, create the LOCAL
* or LOOPBACK IRE.
*/
ip1dbg(("ipif_add_ires_v6: creating IRE %d for %s\n",
&ipv6_all_ones, /* mask */
gw, /* gateway */
RTF_PRIVATE : 0) | RTF_KERNEL,
NULL,
ipst);
/*
* NOTE(review): this message and the "ipif_up_done:" one further down
* carry a different function name from the "ipif_add_ires_v6:"
* messages in this block, which can mislead anyone reading debug
* output.
*/
ip1dbg(("ipif_up_done_v6: NULL ire_local\n"));
goto bad;
}
}
/* Set up the IRE_IF_RESOLVER or IRE_IF_NORESOLVER, as appropriate. */
/* ipif_v6subnet is ipif_v6pp_dst_addr for pt-pt */
} else {
}
ip1dbg(("ipif_add_ires_v6: creating if IRE %d for %s\n",
&v6addr, /* dest pref */
&route_mask, /* mask */
RTF_PRIVATE : 0) | RTF_KERNEL,
NULL,
ipst);
ip1dbg(("ipif_up_done: NULL ire_if\n"));
goto bad;
}
}
/*
* Need to atomically check for IP address availability under
* ip_addr_avail_lock. ill_g_lock is held as reader to ensure no new
* ills or new ipifs can be added while we are checking availability.
*/
ill->ill_ipif_up_count++;
if (err != 0) {
/*
* Our address may already be up on the same ill. In this case,
* the external resolver entry for our ipif replaced the one for
* the other ipif. So we don't want to delete it (otherwise the
* other ipif would be unable to send packets).
* ip_addr_availability_check() identifies this case for us and
* returns EADDRINUSE; Caller must turn it into EADDRNOTAVAIL
* which is the expected error code.
*
* Note that ipif_ndp_down() will only delete the nce in the
* case when the nce_ipif_cnt drops to 0.
*/
/*
* The count is restored here, so this path jumps to "bad" and not
* to "bad2", which would decrement it a second time.
*/
ill->ill_ipif_up_count--;
goto bad;
}
/*
* Add in all newly created IREs.
* We add the IRE_INTERFACE before the IRE_LOCAL to ensure
* that lookups find the IRE_LOCAL even if the IRE_INTERFACE is
* a /128 route.
*/
goto bad2;
}
#ifdef DEBUG
#endif
}
goto bad2;
}
#ifdef DEBUG
#endif
}
if (ipif->ipif_addr_ready)
return (0);
/*
* Error exits. bad2 undoes the ill_ipif_up_count increment and falls
* through to bad; the cleanup performed under bad is not in this
* listing.
*/
bad2:
ill->ill_ipif_up_count--;
bad:
}
}
return (err);
}
/* Remove all the IREs created by ipif_add_ires_v6 */
void
{
/*
* NOTE(review): the function name, parameter list and every statement
* of the body are absent from this listing, and the comment below is
* cut off after "due to".
*/
/*
* Move count to ipif so we don't lose the count due to
*/
}
}
}
/*
* Delete an ND entry if it exists.
*/
/* ARGSUSED */
int
{
/*
* NOTE(review): the function name, parameter list and most conditions
* are absent from this listing. Visible returns: EINVAL, EAFNOSUPPORT,
* EPERM, ESRCH and 0 on success.
*
* As far as the visible lines and comments show, these are consistency
* checks (logical unit, address family, IPMP role, local address), not
* a check of the caller's privilege. Where privilege for this ioctl is
* enforced is not visible here -- confirm against the ioctl dispatch.
*/
/* Only allow for logical unit zero i.e. not on "le0:17" */
return (EINVAL);
return (EINVAL);
return (EAFNOSUPPORT);
/*
* Since ND mappings must be consistent across an IPMP group, prohibit
* deleting ND mappings on underlying interfaces.
* Don't allow deletion of mappings for local addresses.
*/
if (IS_UNDER_IPMP(ill))
return (EPERM);
return (ESRCH);
return (EPERM);
}
/*
* delete the nce_common which will also delete the nces on any
* under_ill in the case of ipmp.
*/
return (0);
}
/*
* Return neighbor cache info.
*/
/* ARGSUSED */
int
{
/*
* NOTE(review): the function name, parameter list, the conditions
* guarding each return and the success path are absent from this
* listing. Only the error returns EINVAL and EAFNOSUPPORT are visible.
*/
/* Only allow for logical unit zero i.e. not on "le0:17" */
return (EINVAL);
return (EINVAL);
return (EAFNOSUPPORT);
return (EINVAL);
}
/*
* Perform an update of the nd entry for the specified address.
*/
/* ARGSUSED */
int
{
/* Only allow for logical unit zero i.e. not on "le0:17" */
return (EINVAL);
return (EINVAL);
return (EAFNOSUPPORT);
/*
* Since ND mappings must be consistent across an IPMP group, prohibit
* updating ND mappings on underlying interfaces. Also, since ND
* mappings for IPMP data addresses are owned by IP itself, prohibit
* updating them.
*/
if (IS_UNDER_IPMP(ill))
return (EPERM);
return (EPERM);
}
}
}