Do not forward link-local packets

As per RFC 3927 section 7 and RFC 4291 section 2.5.6.

Test: forward_test.TestMulticastForwarding
PiperOrigin-RevId: 367519336

5 files changed, 207 insertions, 13 deletions

diff --git a/pkg/tcpip/tests/integration/BUILD b/pkg/tcpip/tests/integration/BUILD
index 3cc8c36f1..3b51e4be0 100644
--- a/pkg/tcpip/tests/integration/BUILD
+++ b/pkg/tcpip/tests/integration/BUILD
@@ -9,6 +9,8 @@ go_test(
     deps = [
         "//pkg/tcpip",
         "//pkg/tcpip/checker",
+        "//pkg/tcpip/header",
+        "//pkg/tcpip/link/channel",
         "//pkg/tcpip/network/arp",
         "//pkg/tcpip/network/ipv4",
         "//pkg/tcpip/network/ipv6",
diff --git a/pkg/tcpip/tests/integration/forward_test.go b/pkg/tcpip/tests/integration/forward_test.go
index d10ae05c2..0de5079e8 100644
--- a/pkg/tcpip/tests/integration/forward_test.go
+++ b/pkg/tcpip/tests/integration/forward_test.go
@@ -21,6 +21,8 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/checker"
+	"gvisor.dev/gvisor/pkg/tcpip/header"
+	"gvisor.dev/gvisor/pkg/tcpip/link/channel"
 	"gvisor.dev/gvisor/pkg/tcpip/network/arp"
 	"gvisor.dev/gvisor/pkg/tcpip/network/ipv4"
 	"gvisor.dev/gvisor/pkg/tcpip/network/ipv6"
@@ -312,3 +314,193 @@ func TestForwarding(t *testing.T) {
 		})
 	}
 }
+
+func TestMulticastForwarding(t *testing.T) {
+	const (
+		nicID1 = 1
+		nicID2 = 2
+
+		ipv4LinkLocalUnicastAddr   = tcpip.Address("\xa9\xfe\x00\x0a")
+		ipv4LinkLocalMulticastAddr = tcpip.Address("\xe0\x00\x00\x0a")
+		ipv4GlobalMulticastAddr    = tcpip.Address("\xe0\x00\x01\x0a")
+
+		ipv6LinkLocalUnicastAddr   = tcpip.Address("\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a")
+		ipv6LinkLocalMulticastAddr = tcpip.Address("\xff\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a")
+		ipv6GlobalMulticastAddr    = tcpip.Address("\xff\x0e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a")
+
+		ttl = 64
+	)
+
+	rxICMPv4EchoRequest := func(e *channel.Endpoint, src, dst tcpip.Address) {
+		utils.RxICMPv4EchoRequest(e, src, dst, ttl)
+	}
+
+	rxICMPv6EchoRequest := func(e *channel.Endpoint, src, dst tcpip.Address) {
+		utils.RxICMPv6EchoRequest(e, src, dst, ttl)
+	}
+
+	v4Checker := func(t *testing.T, b []byte, src, dst tcpip.Address) {
+		checker.IPv4(t, b,
+			checker.SrcAddr(src),
+			checker.DstAddr(dst),
+			checker.TTL(ttl-1),
+			checker.ICMPv4(
+				checker.ICMPv4Type(header.ICMPv4Echo)))
+	}
+
+	v6Checker := func(t *testing.T, b []byte, src, dst tcpip.Address) {
+		checker.IPv6(t, b,
+			checker.SrcAddr(src),
+			checker.DstAddr(dst),
+			checker.TTL(ttl-1),
+			checker.ICMPv6(
+				checker.ICMPv6Type(header.ICMPv6EchoRequest)))
+	}
+
+	tests := []struct {
+		name             string
+		srcAddr, dstAddr tcpip.Address
+		rx               func(*channel.Endpoint, tcpip.Address, tcpip.Address)
+		expectForward    bool
+		checker          func(*testing.T, []byte)
+	}{
+		{
+			name:          "IPv4 link-local multicast destination",
+			srcAddr:       utils.RemoteIPv4Addr,
+			dstAddr:       ipv4LinkLocalMulticastAddr,
+			rx:            rxICMPv4EchoRequest,
+			expectForward: false,
+		},
+		{
+			name:          "IPv4 link-local source",
+			srcAddr:       ipv4LinkLocalUnicastAddr,
+			dstAddr:       utils.RemoteIPv4Addr,
+			rx:            rxICMPv4EchoRequest,
+			expectForward: false,
+		},
+		{
+			name:          "IPv4 link-local destination",
+			srcAddr:       utils.RemoteIPv4Addr,
+			dstAddr:       ipv4LinkLocalUnicastAddr,
+			rx:            rxICMPv4EchoRequest,
+			expectForward: false,
+		},
+		{
+			name:          "IPv4 non-link-local unicast",
+			srcAddr:       utils.RemoteIPv4Addr,
+			dstAddr:       utils.Ipv4Addr2.AddressWithPrefix.Address,
+			rx:            rxICMPv4EchoRequest,
+			expectForward: true,
+			checker: func(t *testing.T, b []byte) {
+				v4Checker(t, b, utils.RemoteIPv4Addr, utils.Ipv4Addr2.AddressWithPrefix.Address)
+			},
+		},
+		{
+			name:          "IPv4 non-link-local multicast",
+			srcAddr:       utils.RemoteIPv4Addr,
+			dstAddr:       ipv4GlobalMulticastAddr,
+			rx:            rxICMPv4EchoRequest,
+			expectForward: true,
+			checker: func(t *testing.T, b []byte) {
+				v4Checker(t, b, utils.RemoteIPv4Addr, ipv4GlobalMulticastAddr)
+			},
+		},
+
+		{
+			name:          "IPv6 link-local multicast destination",
+			srcAddr:       utils.RemoteIPv6Addr,
+			dstAddr:       ipv6LinkLocalMulticastAddr,
+			rx:            rxICMPv6EchoRequest,
+			expectForward: false,
+		},
+		{
+			name:          "IPv6 link-local source",
+			srcAddr:       ipv6LinkLocalUnicastAddr,
+			dstAddr:       utils.RemoteIPv6Addr,
+			rx:            rxICMPv6EchoRequest,
+			expectForward: false,
+		},
+		{
+			name:          "IPv6 link-local destination",
+			srcAddr:       utils.RemoteIPv6Addr,
+			dstAddr:       ipv6LinkLocalUnicastAddr,
+			rx:            rxICMPv6EchoRequest,
+			expectForward: false,
+		},
+		{
+			name:          "IPv6 non-link-local unicast",
+			srcAddr:       utils.RemoteIPv6Addr,
+			dstAddr:       utils.Ipv6Addr2.AddressWithPrefix.Address,
+			rx:            rxICMPv6EchoRequest,
+			expectForward: true,
+			checker: func(t *testing.T, b []byte) {
+				v6Checker(t, b, utils.RemoteIPv6Addr, utils.Ipv6Addr2.AddressWithPrefix.Address)
+			},
+		},
+		{
+			name:          "IPv6 non-link-local multicast",
+			srcAddr:       utils.RemoteIPv6Addr,
+			dstAddr:       ipv6GlobalMulticastAddr,
+			rx:            rxICMPv6EchoRequest,
+			expectForward: true,
+			checker: func(t *testing.T, b []byte) {
+				v6Checker(t, b, utils.RemoteIPv6Addr, ipv6GlobalMulticastAddr)
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			s := stack.New(stack.Options{
+				NetworkProtocols:   []stack.NetworkProtocolFactory{ipv4.NewProtocol, ipv6.NewProtocol},
+				TransportProtocols: []stack.TransportProtocolFactory{udp.NewProtocol},
+			})
+
+			e1 := channel.New(1, header.IPv6MinimumMTU, "")
+			if err := s.CreateNIC(nicID1, e1); err != nil {
+				t.Fatalf("s.CreateNIC(%d, _): %s", nicID1, err)
+			}
+
+			e2 := channel.New(1, header.IPv6MinimumMTU, "")
+			if err := s.CreateNIC(nicID2, e2); err != nil {
+				t.Fatalf("s.CreateNIC(%d, _): %s", nicID2, err)
+			}
+
+			if err := s.AddAddress(nicID2, ipv4.ProtocolNumber, utils.Ipv4Addr.Address); err != nil {
+				t.Fatalf("s.AddAddress(%d, %d, %s): %s", nicID2, ipv4.ProtocolNumber, utils.Ipv4Addr.Address, err)
+			}
+			if err := s.AddAddress(nicID2, ipv6.ProtocolNumber, utils.Ipv6Addr.Address); err != nil {
+				t.Fatalf("s.AddAddress(%d, %d, %s): %s", nicID2, ipv6.ProtocolNumber, utils.Ipv6Addr.Address, err)
+			}
+
+			if err := s.SetForwarding(ipv4.ProtocolNumber, true); err != nil {
+				t.Fatalf("s.SetForwarding(%d, true): %s", ipv4.ProtocolNumber, err)
+			}
+			if err := s.SetForwarding(ipv6.ProtocolNumber, true); err != nil {
+				t.Fatalf("s.SetForwarding(%d, true): %s", ipv6.ProtocolNumber, err)
+			}
+
+			s.SetRouteTable([]tcpip.Route{
+				{
+					Destination: header.IPv4EmptySubnet,
+					NIC:         nicID2,
+				},
+				{
+					Destination: header.IPv6EmptySubnet,
+					NIC:         nicID2,
+				},
+			})
+
+			test.rx(e1, test.srcAddr, test.dstAddr)
+
+			p, ok := e2.Read()
+			if ok != test.expectForward {
+				t.Fatalf("got e2.Read() = (%#v, %t), want = (_, %t)", p, ok, test.expectForward)
+			}
+
+			if test.expectForward {
+				test.checker(t, stack.PayloadSince(p.Pkt.NetworkHeader()))
+			}
+		})
+	}
+}
diff --git a/pkg/tcpip/tests/integration/loopback_test.go b/pkg/tcpip/tests/integration/loopback_test.go
index 2c538a43e..82c2e11ab 100644
--- a/pkg/tcpip/tests/integration/loopback_test.go
+++ b/pkg/tcpip/tests/integration/loopback_test.go
@@ -513,22 +513,23 @@ func TestExternalLoopbackTraffic(t *testing.T) {
 		ipv4Loopback = tcpip.Address("\x7f\x00\x00\x01")
 
 		numPackets = 1
+		ttl        = 64
 	)
 
 	loopbackSourcedICMPv4 := func(e *channel.Endpoint) {
-		utils.RxICMPv4EchoRequest(e, ipv4Loopback, utils.Ipv4Addr.Address)
+		utils.RxICMPv4EchoRequest(e, ipv4Loopback, utils.Ipv4Addr.Address, ttl)
 	}
 
 	loopbackSourcedICMPv6 := func(e *channel.Endpoint) {
-		utils.RxICMPv6EchoRequest(e, header.IPv6Loopback, utils.Ipv6Addr.Address)
+		utils.RxICMPv6EchoRequest(e, header.IPv6Loopback, utils.Ipv6Addr.Address, ttl)
 	}
 
 	loopbackDestinedICMPv4 := func(e *channel.Endpoint) {
-		utils.RxICMPv4EchoRequest(e, utils.RemoteIPv4Addr, ipv4Loopback)
+		utils.RxICMPv4EchoRequest(e, utils.RemoteIPv4Addr, ipv4Loopback, ttl)
 	}
 
 	loopbackDestinedICMPv6 := func(e *channel.Endpoint) {
-		utils.RxICMPv6EchoRequest(e, utils.RemoteIPv6Addr, header.IPv6Loopback)
+		utils.RxICMPv6EchoRequest(e, utils.RemoteIPv6Addr, header.IPv6Loopback, ttl)
 	}
 
 	invalidSrcAddrStat := func(s tcpip.IPStats) *tcpip.StatCounter {
diff --git a/pkg/tcpip/tests/integration/multicast_broadcast_test.go b/pkg/tcpip/tests/integration/multicast_broadcast_test.go
index c6a9c2393..09ff3b892 100644
--- a/pkg/tcpip/tests/integration/multicast_broadcast_test.go
+++ b/pkg/tcpip/tests/integration/multicast_broadcast_test.go
@@ -43,12 +43,15 @@ const (
 // to a multicast or broadcast address uses a unicast source address for the
 // reply.
 func TestPingMulticastBroadcast(t *testing.T) {
-	const nicID = 1
+	const (
+		nicID = 1
+		ttl   = 64
+	)
 
 	tests := []struct {
 		name        string
 		protoNum    tcpip.NetworkProtocolNumber
-		rxICMP      func(*channel.Endpoint, tcpip.Address, tcpip.Address)
+		rxICMP      func(*channel.Endpoint, tcpip.Address, tcpip.Address, uint8)
 		srcAddr     tcpip.Address
 		dstAddr     tcpip.Address
 		expectedSrc tcpip.Address
@@ -136,7 +139,7 @@ func TestPingMulticastBroadcast(t *testing.T) {
 				},
 			})
 
-			test.rxICMP(e, test.srcAddr, test.dstAddr)
+			test.rxICMP(e, test.srcAddr, test.dstAddr, ttl)
 			pkt, ok := e.Read()
 			if !ok {
 				t.Fatal("expected ICMP response")
diff --git a/pkg/tcpip/tests/utils/utils.go b/pkg/tcpip/tests/utils/utils.go
index d1c9f3a94..8fd9be32b 100644
--- a/pkg/tcpip/tests/utils/utils.go
+++ b/pkg/tcpip/tests/utils/utils.go
@@ -48,10 +48,6 @@ const (
 	LinkAddr4 = tcpip.LinkAddress("\x02\x03\x03\x04\x05\x09")
 )
 
-const (
-	ttl = 255
-)
-
 // Common IP addresses used by tests.
 var (
 	Ipv4Addr = tcpip.AddressWithPrefix{
@@ -322,7 +318,7 @@ func SetupRoutedStacks(t *testing.T, host1Stack, routerStack, host2Stack *stack.
 
 // RxICMPv4EchoRequest constructs and injects an ICMPv4 echo request packet on
 // the provided endpoint.
-func RxICMPv4EchoRequest(e *channel.Endpoint, src, dst tcpip.Address) {
+func RxICMPv4EchoRequest(e *channel.Endpoint, src, dst tcpip.Address, ttl uint8) {
 	totalLen := header.IPv4MinimumSize + header.ICMPv4MinimumSize
 	hdr := buffer.NewPrependable(totalLen)
 	pkt := header.ICMPv4(hdr.Prepend(header.ICMPv4MinimumSize))
@@ -347,7 +343,7 @@ func RxICMPv4EchoRequest(e *channel.Endpoint, src, dst tcpip.Address) {
 
 // RxICMPv6EchoRequest constructs and injects an ICMPv6 echo request packet on
 // the provided endpoint.
-func RxICMPv6EchoRequest(e *channel.Endpoint, src, dst tcpip.Address) {
+func RxICMPv6EchoRequest(e *channel.Endpoint, src, dst tcpip.Address, ttl uint8) {
 	totalLen := header.IPv6MinimumSize + header.ICMPv6MinimumSize
 	hdr := buffer.NewPrependable(totalLen)
 	pkt := header.ICMPv6(hdr.Prepend(header.ICMPv6MinimumSize))