2 * Copyright (C) 2012-2013 Steven Barth <steven@midlink.org>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License v2 as published by
6 * the Free Software Foundation.
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
22 #include <arpa/inet.h>
23 #include <sys/socket.h>
24 #include <net/ethernet.h>
25 #include <netinet/ip6.h>
26 #include <netinet/icmp6.h>
27 #include <netpacket/packet.h>
29 #include <linux/filter.h>
30 #include <linux/neighbour.h>
36 static void ndp_netevent_cb(unsigned long event, struct netevent_handler_info *info);
37 static void setup_route(struct in6_addr *addr, struct interface *iface, bool add);
38 static void setup_addr_for_relaying(struct in6_addr *addr, struct interface *iface, bool add);
39 static void handle_solicit(void *addr, void *data, size_t len,
40 struct interface *iface, void *dest);
42 /* Filter ICMPv6 messages of type neighbor soliciation */
43 static struct sock_filter bpf[] = {
44 BPF_STMT(BPF_LD | BPF_B | BPF_ABS, offsetof(struct ip6_hdr, ip6_nxt)),
45 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, IPPROTO_ICMPV6, 0, 3),
46 BPF_STMT(BPF_LD | BPF_B | BPF_ABS, sizeof(struct ip6_hdr) +
47 offsetof(struct icmp6_hdr, icmp6_type)),
48 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ND_NEIGHBOR_SOLICIT, 0, 1),
49 BPF_STMT(BPF_RET | BPF_K, 0xffffffff),
50 BPF_STMT(BPF_RET | BPF_K, 0),
52 static const struct sock_fprog bpf_prog = {sizeof(bpf) / sizeof(*bpf), bpf};
53 static struct netevent_handler ndp_netevent_handler = { .cb = ndp_netevent_cb, };
55 /* Initialize NDP-proxy */
60 if (netlink_add_netevent_handler(&ndp_netevent_handler) < 0) {
61 syslog(LOG_ERR, "Failed to add ndp netevent handler");
68 int ndp_setup_interface(struct interface *iface, bool enable)
71 bool dump_neigh = false;
74 snprintf(procbuf, sizeof(procbuf), "/proc/sys/net/ipv6/conf/%s/proxy_ndp", iface->ifname);
75 procfd = open(procbuf, O_WRONLY);
82 if (iface->ndp_ping_fd >= 0) {
83 close(iface->ndp_ping_fd);
84 iface->ndp_ping_fd = -1;
87 if (iface->ndp_event.uloop.fd >= 0) {
88 uloop_fd_delete(&iface->ndp_event.uloop);
89 close(iface->ndp_event.uloop.fd);
90 iface->ndp_event.uloop.fd = -1;
92 if (!enable || iface->ndp != MODE_RELAY)
93 if (write(procfd, "0\n", 2) < 0) {}
98 if (enable && iface->ndp == MODE_RELAY) {
99 struct sockaddr_ll ll;
100 struct packet_mreq mreq;
101 struct icmp6_filter filt;
104 if (write(procfd, "1\n", 2) < 0) {}
106 /* Open ICMPv6 socket */
107 iface->ndp_ping_fd = socket(AF_INET6, SOCK_RAW | SOCK_CLOEXEC, IPPROTO_ICMPV6);
108 if (iface->ndp_ping_fd < 0) {
109 syslog(LOG_ERR, "socket(AF_INET6): %m");
114 if (setsockopt(iface->ndp_ping_fd, SOL_SOCKET, SO_BINDTODEVICE,
115 iface->ifname, strlen(iface->ifname)) < 0) {
116 syslog(LOG_ERR, "setsockopt(SO_BINDTODEVICE): %m");
121 if (setsockopt(iface->ndp_ping_fd, IPPROTO_RAW, IPV6_CHECKSUM,
122 &val, sizeof(val)) < 0) {
123 syslog(LOG_ERR, "setsockopt(IPV6_CHECKSUM): %m");
128 /* This is required by RFC 4861 */
130 if (setsockopt(iface->ndp_ping_fd, IPPROTO_IPV6, IPV6_MULTICAST_HOPS,
131 &val, sizeof(val)) < 0) {
132 syslog(LOG_ERR, "setsockopt(IPV6_MULTICAST_HOPS): %m");
137 if (setsockopt(iface->ndp_ping_fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
138 &val, sizeof(val)) < 0) {
139 syslog(LOG_ERR, "setsockopt(IPV6_UNICAST_HOPS): %m");
144 /* Filter all packages, we only want to send */
145 ICMP6_FILTER_SETBLOCKALL(&filt);
146 if (setsockopt(iface->ndp_ping_fd, IPPROTO_ICMPV6, ICMP6_FILTER,
147 &filt, sizeof(filt)) < 0) {
148 syslog(LOG_ERR, "setsockopt(ICMP6_FILTER): %m");
154 iface->ndp_event.uloop.fd = socket(AF_PACKET, SOCK_DGRAM | SOCK_CLOEXEC, htons(ETH_P_IPV6));
155 if (iface->ndp_event.uloop.fd < 0) {
156 syslog(LOG_ERR, "socket(AF_PACKET): %m");
161 #ifdef PACKET_RECV_TYPE
162 int pktt = 1 << PACKET_MULTICAST;
163 if (setsockopt(iface->ndp_event.uloop.fd, SOL_PACKET, PACKET_RECV_TYPE,
164 &pktt, sizeof(pktt)) < 0) {
165 syslog(LOG_ERR, "setsockopt(PACKET_RECV_TYPE): %m");
171 if (setsockopt(iface->ndp_event.uloop.fd, SOL_SOCKET, SO_ATTACH_FILTER,
172 &bpf_prog, sizeof(bpf_prog))) {
173 syslog(LOG_ERR, "setsockopt(SO_ATTACH_FILTER): %m");
178 memset(&ll, 0, sizeof(ll));
179 ll.sll_family = AF_PACKET;
180 ll.sll_ifindex = iface->ifindex;
181 ll.sll_protocol = htons(ETH_P_IPV6);
183 if (bind(iface->ndp_event.uloop.fd, (struct sockaddr*)&ll, sizeof(ll)) < 0) {
184 syslog(LOG_ERR, "bind(): %m");
189 memset(&mreq, 0, sizeof(mreq));
190 mreq.mr_ifindex = iface->ifindex;
191 mreq.mr_type = PACKET_MR_ALLMULTI;
192 mreq.mr_alen = ETH_ALEN;
194 if (setsockopt(iface->ndp_event.uloop.fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP,
195 &mreq, sizeof(mreq)) < 0) {
196 syslog(LOG_ERR, "setsockopt(PACKET_ADD_MEMBERSHIP): %m");
201 iface->ndp_event.handle_dgram = handle_solicit;
202 odhcpd_register(&iface->ndp_event);
204 /* If we already were enabled dump is unnecessary, if not do dump */
206 netlink_dump_neigh_table(false);
212 netlink_dump_neigh_table(true);
216 if (iface->ndp_event.uloop.fd >= 0) {
217 close(iface->ndp_event.uloop.fd);
218 iface->ndp_event.uloop.fd = -1;
221 if (iface->ndp_ping_fd >= 0) {
222 close(iface->ndp_ping_fd);
223 iface->ndp_ping_fd = -1;
233 static void ndp_netevent_cb(unsigned long event, struct netevent_handler_info *info)
235 struct interface *iface = info->iface;
238 if (!iface || iface->ndp == MODE_DISABLED)
242 case NETEV_ADDR6_DEL:
244 netlink_dump_neigh_table(false);
246 case NETEV_ADDR6_ADD:
247 setup_addr_for_relaying(&info->addr.in6, iface, add);
249 case NETEV_NEIGH6_DEL:
252 case NETEV_NEIGH6_ADD:
253 if (info->neigh.flags & NTF_PROXY) {
255 netlink_setup_proxy_neigh(&info->neigh.dst.in6, iface->ifindex, false);
256 setup_route(&info->neigh.dst.in6, iface, false);
257 netlink_dump_neigh_table(false);
263 !(info->neigh.state &
264 (NUD_REACHABLE|NUD_STALE|NUD_DELAY|NUD_PROBE|NUD_PERMANENT|NUD_NOARP)))
267 setup_addr_for_relaying(&info->neigh.dst.in6, iface, add);
268 setup_route(&info->neigh.dst.in6, iface, add);
271 netlink_dump_neigh_table(false);
278 /* Send an ICMP-ECHO. This is less for actually pinging but for the
279 * neighbor cache to be kept up-to-date. */
280 static void ping6(struct in6_addr *addr,
281 const struct interface *iface)
283 struct sockaddr_in6 dest = { .sin6_family = AF_INET6, .sin6_addr = *addr , };
284 struct icmp6_hdr echo = { .icmp6_type = ICMP6_ECHO_REQUEST };
285 struct iovec iov = { .iov_base = &echo, .iov_len = sizeof(echo) };
286 char ipbuf[INET6_ADDRSTRLEN];
288 inet_ntop(AF_INET6, addr, ipbuf, sizeof(ipbuf));
289 syslog(LOG_NOTICE, "Pinging for %s on %s", ipbuf, iface->name);
291 netlink_setup_route(addr, 128, iface->ifindex, NULL, 128, true);
292 odhcpd_send(iface->ndp_ping_fd, &dest, &iov, 1, iface);
293 netlink_setup_route(addr, 128, iface->ifindex, NULL, 128, false);
296 /* Handle solicitations */
297 static void handle_solicit(void *addr, void *data, size_t len,
298 struct interface *iface, _unused void *dest)
300 struct ip6_hdr *ip6 = data;
301 struct nd_neighbor_solicit *req = (struct nd_neighbor_solicit*)&ip6[1];
302 struct sockaddr_ll *ll = addr;
304 char ipbuf[INET6_ADDRSTRLEN];
307 /* Solicitation is for duplicate address detection */
308 bool ns_is_dad = IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src);
310 /* Don't process solicit messages on non relay interfaces
311 * Don't forward any non-DAD solicitation for external ifaces
312 * TODO: check if we should even forward DADs for them */
313 if (iface->ndp != MODE_RELAY || (iface->external && !ns_is_dad))
316 if (len < sizeof(*ip6) + sizeof(*req))
317 return; // Invalid reqicitation
319 if (IN6_IS_ADDR_LINKLOCAL(&req->nd_ns_target) ||
320 IN6_IS_ADDR_LOOPBACK(&req->nd_ns_target) ||
321 IN6_IS_ADDR_MULTICAST(&req->nd_ns_target))
322 return; /* Invalid target */
324 inet_ntop(AF_INET6, &req->nd_ns_target, ipbuf, sizeof(ipbuf));
325 syslog(LOG_DEBUG, "Got a NS for %s on %s", ipbuf, iface->name);
327 odhcpd_get_mac(iface, mac);
328 if (!memcmp(ll->sll_addr, mac, sizeof(mac)))
329 return; /* Looped back */
331 avl_for_each_element(&interfaces, c, avl) {
332 if (iface != c && c->ndp == MODE_RELAY &&
333 (ns_is_dad || !c->external))
334 ping6(&req->nd_ns_target, c);
338 /* Use rtnetlink to modify kernel routes */
339 static void setup_route(struct in6_addr *addr, struct interface *iface, bool add)
341 char ipbuf[INET6_ADDRSTRLEN];
343 inet_ntop(AF_INET6, addr, ipbuf, sizeof(ipbuf));
344 syslog(LOG_NOTICE, "%s about %s%s on %s",
345 (add) ? "Learning" : "Forgetting",
346 iface->learn_routes ? "proxy routing for " : "",
349 if (iface->learn_routes)
350 netlink_setup_route(addr, 128, iface->ifindex, NULL, 1024, add);
353 static void setup_addr_for_relaying(struct in6_addr *addr, struct interface *iface, bool add)
356 char ipbuf[INET6_ADDRSTRLEN];
358 inet_ntop(AF_INET6, addr, ipbuf, sizeof(ipbuf));
360 avl_for_each_element(&interfaces, c, avl) {
361 if (iface == c || c->ndp != MODE_RELAY)
364 if (netlink_setup_proxy_neigh(addr, c->ifindex, add))
365 syslog(LOG_DEBUG, "Failed to %s proxy neighbour entry %s on %s",
366 add ? "add" : "delete", ipbuf, c->name);
368 syslog(LOG_DEBUG, "%s proxy neighbour entry %s on %s",
369 add ? "Added" : "Deleted", ipbuf, c->name);