author | gVisor bot <gvisor-bot@google.com> | 2020-12-28 22:05:49 +0000 |
committer | gVisor bot <gvisor-bot@google.com> | 2020-12-28 22:05:49 +0000 |
commit | 5c21c7c3bd1552f4d5f87ef588fc213e2a2278ef (patch) | |
tree | b62b3f2c71f46e145c15d7740262f7d59c91c87f /pkg/tcpip/network | |
parent | b0f23fb7e0cf908622bc6b8c90e2819de6de6ccb (diff) | |
parent | 3ff7324dfa7c096a50b628189d5c3f2d4d5ec2f6 (diff) |
Merge release-20201208.0-89-g3ff7324df (automated)
Diffstat (limited to 'pkg/tcpip/network')
-rw-r--r-- | pkg/tcpip/network/ip/generic_multicast_protocol.go | 49 | ||||
-rw-r--r-- | pkg/tcpip/network/ipv4/igmp.go | 17 | ||||
-rw-r--r-- | pkg/tcpip/network/ipv6/ipv6.go | 135 | ||||
-rw-r--r-- | pkg/tcpip/network/ipv6/mld.go | 12 |
4 files changed, 176 insertions, 37 deletions
diff --git a/pkg/tcpip/network/ip/generic_multicast_protocol.go b/pkg/tcpip/network/ip/generic_multicast_protocol.go index f85c5ff9d..f2f0e069c 100644 --- a/pkg/tcpip/network/ip/generic_multicast_protocol.go +++ b/pkg/tcpip/network/ip/generic_multicast_protocol.go @@ -131,17 +131,6 @@ type multicastGroupState struct { // GenericMulticastProtocolOptions holds options for the generic multicast // protocol. type GenericMulticastProtocolOptions struct { - // Enabled indicates whether the generic multicast protocol will be - // performed. - // - // When enabled, the protocol may transmit report and leave messages when - // joining and leaving multicast groups respectively, and handle incoming - // packets. - // - // When disabled, the protocol will still keep track of locally joined groups, - // it just won't transmit and handle packets, or update groups' state. - Enabled bool - // Rand is the source of random numbers. Rand *rand.Rand @@ -170,6 +159,17 @@ type GenericMulticastProtocolOptions struct { // MulticastGroupProtocol is a multicast group protocol whose core state machine // can be represented by GenericMulticastProtocolState. type MulticastGroupProtocol interface { + // Enabled indicates whether the generic multicast protocol will be + // performed. + // + // When enabled, the protocol may transmit report and leave messages when + // joining and leaving multicast groups respectively, and handle incoming + // packets. + // + // When disabled, the protocol will still keep track of locally joined groups, + // it just won't transmit and handle packets, or update groups' state. + Enabled() bool + // SendReport sends a multicast report for the specified group address. // // Returns false if the caller should queue the report to be sent later. Note, 
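Review bot: The `Enabled() bool` method added to MulticastGroupProtocol carries no locking contract, yet the state-machine methods whose stated precondition is that g.protocolMU is held (MakeAllNonMemberLocked, InitializeGroupsLocked, JoinGroupLocked, HandleQueryLocked, HandleReportLocked) now call it on every invocation, and the igmp/mld implementations in this commit read endpoint state to answer it. Add to its doc comment something like `// Enabled may be called with the protocol mutex passed to Init held; implementations must not block on or re-acquire that mutex.` so a future implementation does not deadlock. Since the value is now re-evaluated per call rather than captured once in Init, the comment should also say that it is expected to change only while that mutex is write-held; the rest of the interface is outside the hunk.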
@@ -196,6 +196,9 @@ type MulticastGroupProtocol interface { // // GenericMulticastProtocolState.Init MUST be called before calling any of // the methods on GenericMulticastProtocolState. +// +// GenericMulticastProtocolState.MakeAllNonMemberLocked MUST be called when the +// multicast group protocol is disabled so that leave messages may be sent. type GenericMulticastProtocolState struct { // Do not allow overwriting this state. _ sync.NoCopy @@ -235,9 +238,11 @@ func (g *GenericMulticastProtocolState) Init(protocolMU *sync.RWMutex, opts Gene // // The groups will still be considered joined locally. // +// MUST be called when the multicast group protocol is disabled. +// // Precondition: g.protocolMU must be locked. func (g *GenericMulticastProtocolState) MakeAllNonMemberLocked() { - if !g.opts.Enabled { + if !g.opts.Protocol.Enabled() { return } @@ -255,7 +260,7 @@ func (g *GenericMulticastProtocolState) MakeAllNonMemberLocked() { // // Precondition: g.protocolMU must be locked. func (g *GenericMulticastProtocolState) InitializeGroupsLocked() { - if !g.opts.Enabled { + if !g.opts.Protocol.Enabled() { return } @@ -290,12 +295,8 @@ func (g *GenericMulticastProtocolState) SendQueuedReportsLocked() { // JoinGroupLocked handles joining a new group. // -// If dontInitialize is true, the group will be not be initialized and will be -// left in the non-member state - no packets will be sent for it until it is -// initialized via InitializeGroups. -// // Precondition: g.protocolMU must be locked. -func (g *GenericMulticastProtocolState) JoinGroupLocked(groupAddress tcpip.Address, dontInitialize bool) { +func (g *GenericMulticastProtocolState) JoinGroupLocked(groupAddress tcpip.Address) { if info, ok := g.memberships[groupAddress]; ok { // The group has already been joined. info.joins++ 
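Review bot: The `MUST be called when the multicast group protocol is disabled` wording added to MakeAllNonMemberLocked (and to the type comment in the hunk just above) is at odds with the first statement of the function, which returns immediately when `g.opts.Protocol.Enabled()` is false. With Enabled() now derived from live endpoint state (the igmp/mld implementations in this commit fold in `ep.Enabled()`), a caller that marks the endpoint disabled first and only then calls this function gets a silent no-op: no leave messages are sent and any pending delayed-report state is left as is. Reword both comments to pin the ordering, e.g. `// MUST be called as part of disabling the protocol, while Protocol.Enabled() still returns true; once Enabled() returns false this function does nothing.` The remainder of MakeAllNonMemberLocked's body is outside the hunk.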
@@ -310,6 +311,10 @@ func (g *GenericMulticastProtocolState) JoinGroupLocked(groupAddress tcpip.Addre state: nonMember, lastToSendReport: false, delayedReportJob: tcpip.NewJob(g.opts.Clock, g.protocolMU, func() { + if !g.opts.Protocol.Enabled() { + panic(fmt.Sprintf("delayed report job fired for group %s while the multicast group protocol is disabled", groupAddress)) + } + info, ok := g.memberships[groupAddress] if !ok { panic(fmt.Sprintf("expected to find group state for group = %s", groupAddress)) @@ -320,7 +325,7 @@ func (g *GenericMulticastProtocolState) JoinGroupLocked(groupAddress tcpip.Addre }), } - if !dontInitialize && g.opts.Enabled { + if g.opts.Protocol.Enabled() { g.initializeNewMemberLocked(groupAddress, &info) } @@ -372,7 +377,7 @@ func (g *GenericMulticastProtocolState) LeaveGroupLocked(groupAddress tcpip.Addr // // Precondition: g.protocolMU must be locked. func (g *GenericMulticastProtocolState) HandleQueryLocked(groupAddress tcpip.Address, maxResponseTime time.Duration) { - if !g.opts.Enabled { + if !g.opts.Protocol.Enabled() { return } @@ -406,7 +411,7 @@ func (g *GenericMulticastProtocolState) HandleQueryLocked(groupAddress tcpip.Add // // Precondition: g.protocolMU must be locked. func (g *GenericMulticastProtocolState) HandleReportLocked(groupAddress tcpip.Address) { - if !g.opts.Enabled { + if !g.opts.Protocol.Enabled() { return } @@ -518,7 +523,7 @@ func (g *GenericMulticastProtocolState) maybeSendDelayedReportLocked(groupAddres // maybeSendLeave attempts to send a leave message. func (g *GenericMulticastProtocolState) maybeSendLeave(groupAddress tcpip.Address, lastToSendReport bool) { - if !g.opts.Enabled || !lastToSendReport { + if !g.opts.Protocol.Enabled() || !lastToSendReport { return } diff --git a/pkg/tcpip/network/ipv4/igmp.go b/pkg/tcpip/network/ipv4/igmp.go index fb7a9e68e..da88d65d1 100644 --- a/pkg/tcpip/network/ipv4/igmp.go +++ b/pkg/tcpip/network/ipv4/igmp.go 
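Review bot: The new panic at the top of the delayedReportJob callback turns a sequencing mistake into a crash of the whole network stack, and a remote peer presumably arms these jobs by sending a membership query (HandleQueryLocked is gated only by Enabled()). The callback runs with g.protocolMU held (the job is created with that mutex), so the check itself is consistent with the lock; but MakeAllNonMemberLocked is a no-op once Enabled() is false, and whether it cancels pending delayedReportJobs is outside this hunk, so if the endpoint can be disabled before those jobs are cancelled a query received just before disabling would fire the panic. Either cancel the job at every point where Enabled() can flip to false, or replace the panic with a `return` plus a comment noting that a stale job is expected and harmless, e.g. `// The protocol was disabled after this job was scheduled; the group is already non-member or will be made so by MakeAllNonMemberLocked.` JoinGroupLocked's body continues outside the hunk.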
@@ -72,8 +72,6 @@ type igmpState struct { // The IPv4 endpoint this igmpState is for. ep *endpoint - enabled bool - genericMulticastProtocol ip.GenericMulticastProtocolState // igmpV1Present is for maintaining compatibility with IGMPv1 Routers, from @@ -95,6 +93,13 @@ type igmpState struct { igmpV1Job *tcpip.Job } +// Enabled implements ip.MulticastGroupProtocol. +func (igmp *igmpState) Enabled() bool { + // No need to perform IGMP on loopback interfaces since they don't have + // neighbouring nodes. + return igmp.ep.protocol.options.IGMP.Enabled && !igmp.ep.nic.IsLoopback() && igmp.ep.Enabled() +} + // SendReport implements ip.MulticastGroupProtocol. // // Precondition: igmp.ep.mu must be read locked. @@ -127,11 +132,7 @@ func (igmp *igmpState) SendLeave(groupAddress tcpip.Address) *tcpip.Error { // Must only be called once for the lifetime of igmp. func (igmp *igmpState) init(ep *endpoint) { igmp.ep = ep - // No need to perform IGMP on loopback interfaces since they don't have - // neighbouring nodes. - igmp.enabled = ep.protocol.options.IGMP.Enabled && !igmp.ep.nic.IsLoopback() igmp.genericMulticastProtocol.Init(&ep.mu.RWMutex, ip.GenericMulticastProtocolOptions{ - Enabled: igmp.enabled, Rand: ep.protocol.stack.Rand(), Clock: ep.protocol.stack.Clock(), Protocol: igmp, @@ -223,7 +224,7 @@ func (igmp *igmpState) handleMembershipQuery(groupAddress tcpip.Address, maxResp // As per RFC 2236 Section 6, Page 10: If the maximum response time is zero // then change the state to note that an IGMPv1 router is present and // schedule the query received Job. - if igmp.enabled && maxRespTime == 0 { + if maxRespTime == 0 && igmp.Enabled() { igmp.igmpV1Job.Cancel() igmp.igmpV1Job.Schedule(v1RouterPresentTimeout) igmp.setV1Present(true) 
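Review bot: igmpState.Enabled reads `igmp.ep.protocol.options.IGMP.Enabled`, `igmp.ep.nic.IsLoopback()` and `igmp.ep.Enabled()` on every call but, unlike SendReport directly below it, states no locking precondition, even though it is now invoked from handleMembershipQuery and from inside the generic state machine under the endpoint's mutex. If ep.Enabled() reads a field guarded by ep.mu rather than an atomic (not visible here), document `// Precondition: igmp.ep.mu must be read locked.`; if it is lock-free, say that instead so readers know the options and loopback checks are immutable after init and only ep.Enabled() can vary. It is also worth a sentence that, unlike the removed `igmp.enabled` field, the result can change over the endpoint's lifetime, which is what the rest of this commit depends on.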
@@ -296,7 +297,7 @@ func (igmp *igmpState) writePacket(destAddress tcpip.Address, groupAddress tcpip // // Precondition: igmp.ep.mu must be locked. func (igmp *igmpState) joinGroup(groupAddress tcpip.Address) { - igmp.genericMulticastProtocol.JoinGroupLocked(groupAddress, !igmp.ep.Enabled() /* dontInitialize */) + igmp.genericMulticastProtocol.JoinGroupLocked(groupAddress) } // isInGroup returns true if the specified group has been joined locally. diff --git a/pkg/tcpip/network/ipv6/ipv6.go b/pkg/tcpip/network/ipv6/ipv6.go index a49b5ac77..f2018d073 100644 --- a/pkg/tcpip/network/ipv6/ipv6.go +++ b/pkg/tcpip/network/ipv6/ipv6.go 
@@ -61,6 +61,108 @@ const ( buckets = 2048 ) +// policyTable is the default policy table defined in RFC 6724 section 2.1. +// +// A more human-readable version: +// +// Prefix Precedence Label +// ::1/128 50 0 +// ::/0 40 1 +// ::ffff:0:0/96 35 4 +// 2002::/16 30 2 +// 2001::/32 5 5 +// fc00::/7 3 13 +// ::/96 1 3 +// fec0::/10 1 11 +// 3ffe::/16 1 12 +// +// The table is sorted by prefix length so longest-prefix match can be easily +// achieved. +// +// We willingly left out ::/96, fec0::/10 and 3ffe::/16 since those prefix +// assignments are deprecated. +// +// As per RFC 4291 section 2.5.5.1 (for ::/96), +// +// The "IPv4-Compatible IPv6 address" is now deprecated because the +// current IPv6 transition mechanisms no longer use these addresses. +// New or updated implementations are not required to support this +// address type. +// +// As per RFC 3879 section 4 (for fec0::/10), +// +// This document formally deprecates the IPv6 site-local unicast prefix +// defined in [RFC3513], i.e., 1111111011 binary or FEC0::/10. +// +// As per RFC 3701 section 1 (for 3ffe::/16), +// +// As clearly stated in [TEST-NEW], the addresses for the 6bone are +// temporary and will be reclaimed in the future. It further states +// that all users of these addresses (within the 3FFE::/16 prefix) will +// be required to renumber at some time in the future. +// +// and section 2, +// +// Thus after the pTLA allocation cutoff date January 1, 2004, it is +// REQUIRED that no new 6bone 3FFE pTLAs be allocated. +// +// MUST NOT BE MODIFIED. +var policyTable = [...]struct { + subnet tcpip.Subnet + + label uint8 +}{ + // ::1/128 + { + subnet: header.IPv6Loopback.WithPrefix().Subnet(), + label: 0, + }, + // ::ffff:0:0/96 + { + subnet: header.IPv4MappedIPv6Subnet, + label: 4, + }, + // 2001::/32 (Teredo prefix as per RFC 4380 section 2.6). 
+ { + subnet: tcpip.AddressWithPrefix{ + Address: "\x20\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", + PrefixLen: 32, + }.Subnet(), + label: 5, + }, + // 2002::/16 (6to4 prefix as per RFC 3056 section 2). + { + subnet: tcpip.AddressWithPrefix{ + Address: "\x20\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", + PrefixLen: 16, + }.Subnet(), + label: 2, + }, + // fc00::/7 (Unique local addresses as per RFC 4193 section 3.1). + { + subnet: tcpip.AddressWithPrefix{ + Address: "\xfc\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", + PrefixLen: 7, + }.Subnet(), + label: 13, + }, + // ::/0 + { + subnet: header.IPv6EmptySubnet, + label: 1, + }, +} + +func getLabel(addr tcpip.Address) uint8 { + for _, p := range policyTable { + if p.subnet.Contains(addr) { + return p.label + } + } + + panic(fmt.Sprintf("should have a label for address = %s", addr)) +} + var _ stack.GroupAddressableEndpoint = (*endpoint)(nil) var _ stack.AddressableEndpoint = (*endpoint)(nil) var _ stack.NetworkEndpoint = (*endpoint)(nil) @@ -1373,7 +1475,11 @@ func (e *endpoint) acquireOutgoingPrimaryAddressRLocked(remoteAddr tcpip.Address // RFC 6724 section 5. type addrCandidate struct { addressEndpoint stack.AddressEndpoint + addr tcpip.Address scope header.IPv6AddressScope + + label uint8 + matchingPrefix uint8 } if len(remoteAddr) == 0 { @@ -1400,7 +1506,10 @@ func (e *endpoint) acquireOutgoingPrimaryAddressRLocked(remoteAddr tcpip.Address cs = append(cs, addrCandidate{ addressEndpoint: addressEndpoint, + addr: addr, scope: scope, + label: getLabel(addr), + matchingPrefix: remoteAddr.MatchingPrefix(addr), }) return true 
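Review bot: getLabel documents nothing about its input, and its only failure mode is a panic that takes down the stack; because the final policyTable entry is ::/0 the panic is unreachable for any 16-byte address and can only fire for a malformed one (assuming Subnet.Contains rejects a length mismatch, which is not visible here). Add `// Precondition: addr is a 16-byte IPv6 address. The trailing ::/0 entry guarantees a match, so the panic below is an invariant check.` so callers read the panic as an assertion rather than a possible outcome. The `MUST NOT BE MODIFIED` note is the only thing protecting the descending-prefix-length order the loop relies on (a package-level array `var` is mutable in Go), so stating that the lookup depends on that order would make the warning actionable.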
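Review bot: `matchingPrefix: remoteAddr.MatchingPrefix(addr)` feeds rule 8, but RFC 6724 section 2.2 defines CommonPrefixLen(S, D) as the common prefix length "up to the length of S's prefix (i.e., the portion of the address not including the interface ID)"; without that cap, two candidates on the same /64 are ordered by how many interface-identifier bits happen to coincide with the destination, which the RFC deliberately excludes. The source prefix length is available from `addressEndpoint.AddressWithPrefix().PrefixLen`, so clamp before storing it (adjust the conversion if MatchingPrefix's return type is not uint8). The enclosing closure and acquireOutgoingPrimaryAddressRLocked continue outside the hunk.
```go
		cpl := remoteAddr.MatchingPrefix(addr)
		// RFC 6724 section 2.2 bounds CommonPrefixLen by the source address's
		// own prefix length so that interface identifier bits never count.
		if pl := addressEndpoint.AddressWithPrefix().PrefixLen; pl < int(cpl) {
			cpl = uint8(pl)
		}
		cs = append(cs, addrCandidate{
			// … unchanged: addressEndpoint, addr, scope, label …
			matchingPrefix: cpl,
		})
```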
@@ -1412,18 +1521,20 @@ func (e *endpoint) acquireOutgoingPrimaryAddressRLocked(remoteAddr tcpip.Address panic(fmt.Sprintf("header.ScopeForIPv6Address(%s): %s", remoteAddr, err)) } + remoteLabel := getLabel(remoteAddr) + // Sort the addresses as per RFC 6724 section 5 rules 1-3. // - // TODO(b/146021396): Implement rules 4-8 of RFC 6724 section 5. + // TODO(b/146021396): Implement rules 4, 5 of RFC 6724 section 5. sort.Slice(cs, func(i, j int) bool { sa := cs[i] sb := cs[j] // Prefer same address as per RFC 6724 section 5 rule 1. - if sa.addressEndpoint.AddressWithPrefix().Address == remoteAddr { + if sa.addr == remoteAddr { return true } - if sb.addressEndpoint.AddressWithPrefix().Address == remoteAddr { + if sb.addr == remoteAddr { return false } @@ -1440,11 +1551,29 @@ func (e *endpoint) acquireOutgoingPrimaryAddressRLocked(remoteAddr tcpip.Address return sbDep } + // Prefer matching label as per RFC 6724 section 5 rule 6. + if sa, sb := sa.label == remoteLabel, sb.label == remoteLabel; sa != sb { + if sa { + return true + } + if sb { + return false + } + } + // Prefer temporary addresses as per RFC 6724 section 5 rule 7. if saTemp, sbTemp := sa.addressEndpoint.ConfigType() == stack.AddressConfigSlaacTemp, sb.addressEndpoint.ConfigType() == stack.AddressConfigSlaacTemp; saTemp != sbTemp { return saTemp } + // Use longest matching prefix as per RFC 6724 section 5 rule 8. + if sa.matchingPrefix > sb.matchingPrefix { + return true + } + if sb.matchingPrefix > sa.matchingPrefix { + return false + } + // sa and sb are equal, return the endpoint that is closest to the front of // the primary endpoint list. return i < j diff --git a/pkg/tcpip/network/ipv6/mld.go b/pkg/tcpip/network/ipv6/mld.go index 6f64b8462..e8d1e7a79 100644 --- a/pkg/tcpip/network/ipv6/mld.go +++ b/pkg/tcpip/network/ipv6/mld.go 
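Review bot: The tie-break `return i < j` at the end of the comparator (context here, but now the fall-through for the new rule 6 and rule 8 branches) does not deliver what its comment promises under sort.Slice: the indices handed to less are positions in the slice as it is being permuted, so "closest to the front of the primary endpoint list" is not honoured and the less function is not a consistent ordering. Switch to `sort.SliceStable(cs, func(i, j int) bool {` and finish with `return false` so equal candidates keep their original order. As a minor point of style, in the rule 6 branch `return sa` is equivalent to the two nested ifs once `sa != sb` is known. acquireOutgoingPrimaryAddressRLocked continues outside the hunk.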
@@ -58,6 +58,13 @@ type mldState struct { genericMulticastProtocol ip.GenericMulticastProtocolState } +// Enabled implements ip.MulticastGroupProtocol. +func (mld *mldState) Enabled() bool { + // No need to perform MLD on loopback interfaces since they don't have + // neighbouring nodes. + return mld.ep.protocol.options.MLD.Enabled && !mld.ep.nic.IsLoopback() && mld.ep.Enabled() +} + // SendReport implements ip.MulticastGroupProtocol. // // Precondition: mld.ep.mu must be read locked. @@ -80,9 +87,6 @@ func (mld *mldState) SendLeave(groupAddress tcpip.Address) *tcpip.Error { func (mld *mldState) init(ep *endpoint) { mld.ep = ep mld.genericMulticastProtocol.Init(&ep.mu.RWMutex, ip.GenericMulticastProtocolOptions{ - // No need to perform MLD on loopback interfaces since they don't have - // neighbouring nodes. - Enabled: ep.protocol.options.MLD.Enabled && !mld.ep.nic.IsLoopback(), Rand: ep.protocol.stack.Rand(), Clock: ep.protocol.stack.Clock(), Protocol: mld, @@ -112,7 +116,7 @@ func (mld *mldState) handleMulticastListenerReport(mldHdr header.MLD) { // // Precondition: mld.ep.mu must be locked. func (mld *mldState) joinGroup(groupAddress tcpip.Address) { - mld.genericMulticastProtocol.JoinGroupLocked(groupAddress, !mld.ep.Enabled() /* dontInitialize */) + mld.genericMulticastProtocol.JoinGroupLocked(groupAddress) } // isInGroup returns true if the specified group has been joined locally. |
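Review bot: mldState.Enabled has no stated locking precondition although the adjacent SendReport declares `Precondition: mld.ep.mu must be read locked` and Enabled is now evaluated from the same contexts (the generic state machine under the protocol mutex, and the MLD handlers). Check what endpoint.Enabled relies on (outside this hunk) and state it plainly, e.g. `// Precondition: mld.ep.mu must be read locked.` if ep.Enabled() reads a field guarded by that mutex, mirroring whatever contract igmpState.Enabled in ipv4/igmp.go ends up with so both implementations agree. The MLD option and loopback checks were previously computed once in init and are immutable, so a short note that only `mld.ep.Enabled()` can change the result over the endpoint's lifetime would make the new dynamic semantics explicit.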