static void handle_solicit(void *addr, void *data, size_t len,
struct interface *iface, void *dest);
-static int ping_socket = -1;
-
-// Filter ICMPv6 messages of type neighbor soliciation
+/* Filter ICMPv6 messages of type neighbor soliciation */
static struct sock_filter bpf[] = {
BPF_STMT(BPF_LD | BPF_B | BPF_ABS, offsetof(struct ip6_hdr, ip6_nxt)),
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, IPPROTO_ICMPV6, 0, 3),
static const struct sock_fprog bpf_prog = {sizeof(bpf) / sizeof(*bpf), bpf};
static struct netevent_handler ndp_netevent_handler = { .cb = ndp_netevent_cb, };
-// Initialize NDP-proxy
+/* Initialize NDP-proxy */
int ndp_init(void)
{
- struct icmp6_filter filt;
- int val = 2, ret = 0;
-
- // Open ICMPv6 socket
- ping_socket = socket(AF_INET6, SOCK_RAW | SOCK_CLOEXEC, IPPROTO_ICMPV6);
- if (ping_socket < 0) {
- syslog(LOG_ERR, "socket(AF_INET6): %m");
- ret = -1;
- goto out;
- }
+ int ret = 0;
- if (setsockopt(ping_socket, IPPROTO_RAW, IPV6_CHECKSUM,
- &val, sizeof(val)) < 0) {
- syslog(LOG_ERR, "setsockopt(IPV6_CHECKSUM): %m");
+ if (netlink_add_netevent_handler(&ndp_netevent_handler) < 0) {
+ syslog(LOG_ERR, "Failed to add ndp netevent handler");
ret = -1;
- goto out;
- }
-
- // This is required by RFC 4861
- val = 255;
- if (setsockopt(ping_socket, IPPROTO_IPV6, IPV6_MULTICAST_HOPS,
- &val, sizeof(val)) < 0) {
- syslog(LOG_ERR, "setsockopt(IPV6_MULTICAST_HOPS): %m");
- ret = -1;
- goto out;
- }
-
- if (setsockopt(ping_socket, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
- &val, sizeof(val)) < 0) {
- syslog(LOG_ERR, "setsockopt(IPV6_UNICAST_HOPS): %m");
- ret = -1;
- goto out;
- }
-
- // Filter all packages, we only want to send
- ICMP6_FILTER_SETBLOCKALL(&filt);
- if (setsockopt(ping_socket, IPPROTO_ICMPV6, ICMP6_FILTER,
- &filt, sizeof(filt)) < 0) {
- syslog(LOG_ERR, "setsockopt(ICMP6_FILTER): %m");
- ret = -1;
- goto out;
- }
-
- netlink_add_netevent_handler(&ndp_netevent_handler);
-
-out:
- if (ret < 0 && ping_socket > 0) {
- close(ping_socket);
- ping_socket = -1;
}
return ret;
bool dump_neigh = false;
char procbuf[64];
+ enable = enable && (iface->ndp == MODE_RELAY);
+
snprintf(procbuf, sizeof(procbuf), "/proc/sys/net/ipv6/conf/%s/proxy_ndp", iface->ifname);
procfd = open(procbuf, O_WRONLY);
goto out;
}
- if (iface->ndp_event.uloop.fd > 0) {
+ if (iface->ndp_ping_fd >= 0) {
+ close(iface->ndp_ping_fd);
+ iface->ndp_ping_fd = -1;
+ }
+
+ if (iface->ndp_event.uloop.fd >= 0) {
uloop_fd_delete(&iface->ndp_event.uloop);
close(iface->ndp_event.uloop.fd);
iface->ndp_event.uloop.fd = -1;
- if (!enable || iface->ndp != MODE_RELAY)
+ if (!enable)
if (write(procfd, "0\n", 2) < 0) {}
dump_neigh = true;
}
- if (enable && iface->ndp == MODE_RELAY) {
+ if (enable) {
struct sockaddr_ll ll;
struct packet_mreq mreq;
+ struct icmp6_filter filt;
+ int val = 2;
if (write(procfd, "1\n", 2) < 0) {}
+ /* Open ICMPv6 socket */
+ iface->ndp_ping_fd = socket(AF_INET6, SOCK_RAW | SOCK_CLOEXEC, IPPROTO_ICMPV6);
+ if (iface->ndp_ping_fd < 0) {
+ syslog(LOG_ERR, "socket(AF_INET6): %m");
+ ret = -1;
+ goto out;
+ }
+
+ if (setsockopt(iface->ndp_ping_fd, SOL_SOCKET, SO_BINDTODEVICE,
+ iface->ifname, strlen(iface->ifname)) < 0) {
+ syslog(LOG_ERR, "setsockopt(SO_BINDTODEVICE): %m");
+ ret = -1;
+ goto out;
+ }
+
+ if (setsockopt(iface->ndp_ping_fd, IPPROTO_RAW, IPV6_CHECKSUM,
+ &val, sizeof(val)) < 0) {
+ syslog(LOG_ERR, "setsockopt(IPV6_CHECKSUM): %m");
+ ret = -1;
+ goto out;
+ }
+
+ /* This is required by RFC 4861 */
+ val = 255;
+ if (setsockopt(iface->ndp_ping_fd, IPPROTO_IPV6, IPV6_MULTICAST_HOPS,
+ &val, sizeof(val)) < 0) {
+ syslog(LOG_ERR, "setsockopt(IPV6_MULTICAST_HOPS): %m");
+ ret = -1;
+ goto out;
+ }
+
+ if (setsockopt(iface->ndp_ping_fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
+ &val, sizeof(val)) < 0) {
+ syslog(LOG_ERR, "setsockopt(IPV6_UNICAST_HOPS): %m");
+ ret = -1;
+ goto out;
+ }
+
+ /* Filter all packages, we only want to send */
+ ICMP6_FILTER_SETBLOCKALL(&filt);
+ if (setsockopt(iface->ndp_ping_fd, IPPROTO_ICMPV6, ICMP6_FILTER,
+ &filt, sizeof(filt)) < 0) {
+ syslog(LOG_ERR, "setsockopt(ICMP6_FILTER): %m");
+ ret = -1;
+ goto out;
+ }
+
+
iface->ndp_event.uloop.fd = socket(AF_PACKET, SOCK_DGRAM | SOCK_CLOEXEC, htons(ETH_P_IPV6));
if (iface->ndp_event.uloop.fd < 0) {
syslog(LOG_ERR, "socket(AF_PACKET): %m");
iface->ndp_event.handle_dgram = handle_solicit;
odhcpd_register(&iface->ndp_event);
- // If we already were enabled dump is unnecessary, if not do dump
+ /* If we already were enabled dump is unnecessary, if not do dump */
if (!dump_neigh)
netlink_dump_neigh_table(false);
else
netlink_dump_neigh_table(true);
out:
- if (ret < 0 && iface->ndp_event.uloop.fd > 0) {
- close(iface->ndp_event.uloop.fd);
- iface->ndp_event.uloop.fd = -1;
+ if (ret < 0) {
+ if (iface->ndp_event.uloop.fd >= 0) {
+ close(iface->ndp_event.uloop.fd);
+ iface->ndp_event.uloop.fd = -1;
+ }
+
+ if (iface->ndp_ping_fd >= 0) {
+ close(iface->ndp_ping_fd);
+ iface->ndp_ping_fd = -1;
+ }
}
if (procfd >= 0)
}
}
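Review bot: The `>= 0` tests on `iface->ndp_ping_fd` (the close at the top of the enable path and again in the `out:` cleanup) are only safe if the field is initialised to -1 when the interface struct is created, which this diff does not show; with a zero-filled struct the first call would close fd 0. Presumably the interface allocation sets it to -1 next to `ndp_event.uloop.fd` — worth confirming, since the old code used `> 0` for exactly this reason. A one-line comment at the first check, `/* ndp_ping_fd is -1 until this function opens it */`, would document the invariant. The enclosing function starts outside this hunk.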
-// Send an ICMP-ECHO. This is less for actually pinging but for the
-// neighbor cache to be kept up-to-date.
+/* Send an ICMP-ECHO. This is less for actually pinging but for the
+ * neighbor cache to be kept up-to-date. */
static void ping6(struct in6_addr *addr,
const struct interface *iface)
{
- struct sockaddr_in6 dest = { .sin6_family = AF_INET6, .sin6_addr = *addr, .sin6_scope_id = iface->ifindex, };
+ struct sockaddr_in6 dest = { .sin6_family = AF_INET6, .sin6_addr = *addr , };
struct icmp6_hdr echo = { .icmp6_type = ICMP6_ECHO_REQUEST };
struct iovec iov = { .iov_base = &echo, .iov_len = sizeof(echo) };
char ipbuf[INET6_ADDRSTRLEN];
inet_ntop(AF_INET6, addr, ipbuf, sizeof(ipbuf));
- syslog(LOG_NOTICE, "Pinging for %s%%%s", ipbuf, iface->ifname);
+ syslog(LOG_DEBUG, "Pinging for %s on %s", ipbuf, iface->name);
netlink_setup_route(addr, 128, iface->ifindex, NULL, 128, true);
- odhcpd_send(ping_socket, &dest, &iov, 1, iface);
+ odhcpd_send(iface->ndp_ping_fd, &dest, &iov, 1, iface);
netlink_setup_route(addr, 128, iface->ifindex, NULL, 128, false);
}
-// Handle solicitations
+/* Send a Neighbor Advertisement. */
+static void send_na(struct in6_addr *to_addr,
+ const struct interface *iface, struct in6_addr *for_addr,
+ const uint8_t *mac)
+{
+ struct sockaddr_in6 dest = { .sin6_family = AF_INET6, .sin6_addr = *to_addr };
+ char pbuf[sizeof(struct nd_neighbor_advert) + sizeof(struct nd_opt_hdr) + 6];
+ struct nd_neighbor_advert *adv = (struct nd_neighbor_advert*)pbuf;
+ struct nd_opt_hdr *opt = (struct nd_opt_hdr*) &pbuf[sizeof(struct nd_neighbor_advert)];
+ struct iovec iov = { .iov_base = &pbuf, .iov_len = sizeof(pbuf) };
+ char ipbuf[INET6_ADDRSTRLEN];
+
+ memset(pbuf, 0, sizeof(pbuf));
+ adv->nd_na_hdr = (struct icmp6_hdr) {
+ .icmp6_type = ND_NEIGHBOR_ADVERT,
+ .icmp6_dataun.icmp6_un_data32 = { ND_NA_FLAG_SOLICITED }
+ };
+ adv->nd_na_target = *for_addr;
+ *opt = (struct nd_opt_hdr) { .nd_opt_type = ND_OPT_TARGET_LINKADDR, .nd_opt_len = 1 };
+ memcpy(&pbuf[sizeof(struct nd_neighbor_advert) + sizeof(struct nd_opt_hdr)], mac, 6);
+
+ inet_ntop(AF_INET6, to_addr, ipbuf, sizeof(ipbuf));
+ syslog(LOG_DEBUG, "Answering NS to %s on %s", ipbuf, iface->ifname);
+
+ odhcpd_send(iface->ndp_ping_fd, &dest, &iov, 1, iface);
+}
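Review bot: `dest` for the advertisement carries no `sin6_scope_id`, and `to_addr` is the link-local source of the solicitation, so delivery relies entirely on the SO_BINDTODEVICE set on `ndp_ping_fd`; adding `.sin6_scope_id = iface->ifindex` to the initializer makes the outgoing interface explicit and matches what `ping6` did before this commit removed it. The log line uses `iface->ifname` while the other messages this commit rewrites (`ping6`, `handle_solicit`, `setup_route`) switched to `iface->name` — pick one. `.iov_base = &pbuf` works but `pbuf` reads more clearly since the array already decays to the buffer address. A comment such as `/* Override flag deliberately clear: proxied target, RFC 4861 7.2.4 */` on the flags word would explain why only SOLICITED is set.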
+
+/* Handle solicitations */
static void handle_solicit(void *addr, void *data, size_t len,
struct interface *iface, _unused void *dest)
{
struct ip6_hdr *ip6 = data;
struct nd_neighbor_solicit *req = (struct nd_neighbor_solicit*)&ip6[1];
struct sockaddr_ll *ll = addr;
+ struct interface *c;
char ipbuf[INET6_ADDRSTRLEN];
uint8_t mac[6];
- // Solicitation is for duplicate address detection
+ /* Solicitation is for duplicate address detection */
bool ns_is_dad = IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src);
- // Don't process solicit messages on non relay interfaces
- // Don't forward any non-DAD solicitation for external ifaces
- // TODO: check if we should even forward DADs for them
+ /* Don't process solicit messages on non relay interfaces
+ * Don't forward any non-DAD solicitation for external ifaces
+ * TODO: check if we should even forward DADs for them */
if (iface->ndp != MODE_RELAY || (iface->external && !ns_is_dad))
return;
if (IN6_IS_ADDR_LINKLOCAL(&req->nd_ns_target) ||
IN6_IS_ADDR_LOOPBACK(&req->nd_ns_target) ||
IN6_IS_ADDR_MULTICAST(&req->nd_ns_target))
- return; // Invalid target
+ return; /* Invalid target */
inet_ntop(AF_INET6, &req->nd_ns_target, ipbuf, sizeof(ipbuf));
- syslog(LOG_DEBUG, "Got a NS for %s%%%s", ipbuf, iface->ifname);
+ syslog(LOG_DEBUG, "Got a NS for %s on %s", ipbuf, iface->name);
odhcpd_get_mac(iface, mac);
if (!memcmp(ll->sll_addr, mac, sizeof(mac)))
- return; // Looped back
+ return; /* Looped back */
- struct interface *c;
- list_for_each_entry(c, &interfaces, head)
+ avl_for_each_element(&interfaces, c, avl) {
if (iface != c && c->ndp == MODE_RELAY &&
(ns_is_dad || !c->external))
ping6(&req->nd_ns_target, c);
+ }
+
+ /* Catch global-addressed NS and answer them manually.
+ * The kernel won't answer these and cannot route them either. */
+ if (!IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) &&
+ IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_src)) {
+ bool is_proxy_neigh = netlink_get_interface_proxy_neigh(iface->ifindex,
+ &req->nd_ns_target) == 1;
+
+ if (is_proxy_neigh)
+ send_na(&ip6->ip6_src, iface, &req->nd_ns_target, mac);
+ }
}
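Review bot: `len` is never checked, and the new proxy-neigh branch adds reads of `ip6->ip6_dst` and `ip6->ip6_src` on top of the existing `req->nd_ns_target` access; the BPF filter at the top of the diff appears to inspect only individual header bytes, so a truncated frame would be read past its end. A guard before the first dereference, `if (len < sizeof(*ip6) + sizeof(*req)) return;`, keeps the whole function on validated input. The `== 1` gate on `netlink_get_interface_proxy_neigh()` is the right choice since it restricts answered targets to entries the daemon installed itself; a short comment saying so would help the next reader.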
-// Use rtnetlink to modify kernel routes
+/* Use rtnetlink to modify kernel routes */
static void setup_route(struct in6_addr *addr, struct interface *iface, bool add)
{
char ipbuf[INET6_ADDRSTRLEN];
inet_ntop(AF_INET6, addr, ipbuf, sizeof(ipbuf));
- syslog(LOG_NOTICE, "%s about %s%s%%%s",
+ syslog(LOG_DEBUG, "%s about %s%s on %s",
(add) ? "Learning" : "Forgetting",
iface->learn_routes ? "proxy routing for " : "",
- ipbuf, iface->ifname);
+ ipbuf, iface->name);
if (iface->learn_routes)
netlink_setup_route(addr, 128, iface->ifindex, NULL, 1024, add);
inet_ntop(AF_INET6, addr, ipbuf, sizeof(ipbuf));
- list_for_each_entry(c, &interfaces, head) {
- if (iface == c || (c->ndp != MODE_RELAY && !add))
+ avl_for_each_element(&interfaces, c, avl) {
+ if (iface == c || c->ndp != MODE_RELAY)
continue;
- bool neigh_add = (c->ndp == MODE_RELAY ? add : false);
-
- if (netlink_setup_proxy_neigh(addr, c->ifindex, neigh_add))
- syslog(LOG_DEBUG, "Failed to %s proxy neighbour entry %s%%%s",
- neigh_add ? "add" : "delete", ipbuf, c->ifname);
- else
- syslog(LOG_DEBUG, "%s proxy neighbour entry %s%%%s",
- neigh_add ? "Added" : "Deleted", ipbuf, c->ifname);
+ if (netlink_setup_proxy_neigh(addr, c->ifindex, add)) {
+ if (add)
+ syslog(LOG_ERR, "Failed to add proxy neighbour entry %s on %s",
+ ipbuf, c->name);
+ } else
+ syslog(LOG_DEBUG, "%s proxy neighbour entry %s on %s",
+ add ? "Added" : "Deleted", ipbuf, c->name);
}
}