diff options
-rw-r--r-- | src/config.c | 25 | ||||
-rw-r--r-- | src/ndp.c | 368 | ||||
-rw-r--r-- | src/odhcpd.h | 4 |
3 files changed, 242 insertions, 155 deletions
diff --git a/src/config.c b/src/config.c index 35d8af7..068d1a7 100644 --- a/src/config.c +++ b/src/config.c @@ -42,6 +42,7 @@ enum { IFACE_ATTR_PD_CER, IFACE_ATTR_NDPROXY_ROUTING, IFACE_ATTR_NDPROXY_SLAVE, + IFACE_ATTR_NDPROXY_STATIC, IFACE_ATTR_MAX }; @@ -72,12 +73,14 @@ static const struct blobmsg_policy iface_attrs[IFACE_ATTR_MAX] = { [IFACE_ATTR_RA_PREFERENCE] = { .name = "ra_preference", .type = BLOBMSG_TYPE_STRING }, [IFACE_ATTR_NDPROXY_ROUTING] = { .name = "ndproxy_routing", .type = BLOBMSG_TYPE_BOOL }, [IFACE_ATTR_NDPROXY_SLAVE] = { .name = "ndproxy_slave", .type = BLOBMSG_TYPE_BOOL }, + [IFACE_ATTR_NDPROXY_STATIC] = { .name = "ndproxy_static", .type = BLOBMSG_TYPE_ARRAY }, }; static const struct uci_blob_param_info iface_attr_info[IFACE_ATTR_MAX] = { [IFACE_ATTR_UPSTREAM] = { .type = BLOBMSG_TYPE_STRING }, [IFACE_ATTR_DNS] = { .type = BLOBMSG_TYPE_STRING }, [IFACE_ATTR_DOMAIN] = { .type = BLOBMSG_TYPE_STRING }, + [IFACE_ATTR_NDPROXY_STATIC] = { .type = BLOBMSG_TYPE_STRING }, }; const struct uci_blob_param_list interface_attr_list = { @@ -148,6 +151,7 @@ static void clean_interface(struct interface *iface) free(iface->dns); free(iface->search); free(iface->upstream); + free(iface->static_ndp); free(iface->dhcpv4_dns); free(iface->dhcpv6_raw); free(iface->filter_class); @@ -515,6 +519,27 @@ int config_parse_interface(void *data, size_t len, const char *name, bool overwr if ((c = tb[IFACE_ATTR_NDPROXY_SLAVE])) iface->external = blobmsg_get_bool(c); + if ((c = tb[IFACE_ATTR_NDPROXY_STATIC])) { + struct blob_attr *cur; + unsigned rem; + + blobmsg_for_each_attr(cur, c, rem) { + if (blobmsg_type(cur) != BLOBMSG_TYPE_STRING || !blobmsg_check_attr(cur, NULL)) + continue; + + int len = blobmsg_data_len(cur); + iface->static_ndp = realloc(iface->static_ndp, iface->static_ndp_len + len); + if (!iface->static_ndp) + goto err; + + if (iface->static_ndp_len) + iface->static_ndp[iface->static_ndp_len - 1] = ' '; + + memcpy(&iface->static_ndp[iface->static_ndp_len], blobmsg_get_string(cur), len); + iface->static_ndp_len += len; + } + } + return 0; err: @@ -17,7 +17,6 @@ #include <signal.h> #include <errno.h> -#include <fcntl.h> #include <unistd.h> #include <arpa/inet.h> #include <sys/socket.h> @@ -37,11 +36,18 @@ static void handle_solicit(void *addr, void *data, size_t len, struct interface *iface, void *dest); static void handle_rtnetlink(void *addr, void *data, size_t len, struct interface *iface, void *dest); +static struct ndp_neighbor* find_neighbor(struct in6_addr *addr, bool strict); +static void modify_neighbor(struct in6_addr *addr, struct interface *iface, + bool add); static ssize_t ping6(struct in6_addr *addr, const struct interface *iface); +static struct list_head neighbors = LIST_HEAD_INIT(neighbors); +static size_t neighbor_count = 0; static uint32_t rtnl_seqid = 0; + static int ping_socket = -1; +static struct odhcpd_event ndp_event = {{.fd = -1}, handle_solicit}; static struct odhcpd_event rtnl_event = {{.fd = -1}, handle_rtnetlink}; @@ -110,89 +116,105 @@ int init_ndp(void) group = RTNLGRP_NEIGH; setsockopt(rtnl_event.uloop.fd, SOL_NETLINK, NETLINK_ADD_MEMBERSHIP, &group, sizeof(group)); - return 0; -} - - -static void dump_neigh_table(bool proxy) -{ + // Synthesize initial neighbor events struct { struct nlmsghdr nh; struct ndmsg ndm; } req = { {sizeof(req), RTM_GETNEIGH, NLM_F_REQUEST | NLM_F_DUMP, ++rtnl_seqid, 0}, - {.ndm_family = AF_INET6, .ndm_flags = (proxy) ? NTF_PROXY : 0} + {.ndm_family = AF_INET6} }; send(rtnl_event.uloop.fd, &req, sizeof(req), MSG_DONTWAIT); + + return 0; } int setup_ndp_interface(struct interface *iface, bool enable) { - char procbuf[64]; - snprintf(procbuf, sizeof(procbuf), "/proc/sys/net/ipv6/conf/%s/proxy_ndp", iface->ifname); - int procfd = open(procbuf, O_WRONLY); - bool dump_neigh = false; - - if (iface->ndp_event.uloop.fd >= 0) { - uloop_fd_delete(&iface->ndp_event.uloop); - close(iface->ndp_event.uloop.fd); - iface->ndp_event.uloop.fd = -1; - - write(procfd, "0\n", 2); - dump_neigh = true; - } + struct packet_mreq mreq = {iface->ifindex, PACKET_MR_ALLMULTI, ETH_ALEN, {0}}; + setsockopt(ndp_event.uloop.fd, SOL_PACKET, PACKET_DROP_MEMBERSHIP, &mreq, sizeof(mreq)); + + struct ndp_neighbor *c, *n; + list_for_each_entry_safe(c, n, &neighbors, head) + if (c->iface == iface && (c->timeout == 0 || iface->ndp != RELAYD_RELAY || !enable)) + modify_neighbor(&c->addr, c->iface, false); if (enable && iface->ndp == RELAYD_RELAY) { - write(procfd, "1\n", 2); + setsockopt(ndp_event.uloop.fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mreq, sizeof(mreq)); + + if (iface->static_ndp_len) { + char *entry = alloca(iface->static_ndp_len), *saveptr; + if (!entry) { + syslog(LOG_ERR, "Alloca failed for static NDP list"); + return -1; + } + memcpy(entry, iface->static_ndp, iface->static_ndp_len); + + for (entry = strtok_r(entry, " ", &saveptr); entry; entry = strtok_r(NULL, " ", &saveptr)) { + char *sep; + struct ndp_neighbor *n = malloc(sizeof(*n)); + if (!n) { + syslog(LOG_ERR, "Malloc failed for static NDP-prefix %s", entry); + return -1; + } + + n->iface = iface; + n->timeout = 0; - int sock = socket(AF_PACKET, SOCK_DGRAM | SOCK_CLOEXEC, htons(ETH_P_IPV6)); + sep = strchr(entry, '/'); + if (!sep) { + free(n); + syslog(LOG_ERR, "Invalid static NDP-prefix %s", entry); + return -1; + } + + *sep = 0; + n->len = atoi(sep + 1); + if (inet_pton(AF_INET6, entry, &n->addr) != 1 || n->len > 128) { + free(n); + syslog(LOG_ERR, "Invalid static NDP-prefix %s/%s", entry, sep + 1); + return -1; + } + + list_add(&n->head, &neighbors); + } + } + } + + bool enable_packet = false; + struct interface *i; + list_for_each_entry(i, &interfaces, head) { + if (i == iface && !enable) + continue; + + if (i->ndp == RELAYD_RELAY) + enable_packet = true; + } + + if (enable_packet && ndp_event.uloop.fd < 0) { + // Create socket for intercepting NDP + int sock = socket(AF_PACKET, SOCK_DGRAM | SOCK_CLOEXEC | SOCK_NONBLOCK, + htons(ETH_P_ALL)); // ETH_P_ALL for ingress + egress if (sock < 0) { syslog(LOG_ERR, "Unable to open packet socket: %s", strerror(errno)); return -1; } -#ifdef PACKET_RECV_TYPE - int pktt = 1 << PACKET_MULTICAST; - setsockopt(sock, SOL_PACKET, PACKET_RECV_TYPE, &pktt, sizeof(pktt)); -#endif - if (setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &bpf_prog, sizeof(bpf_prog))) { syslog(LOG_ERR, "Failed to set BPF: %s", strerror(errno)); return -1; } - struct sockaddr_ll ll = { - .sll_family = AF_PACKET, - .sll_ifindex = iface->ifindex, - .sll_protocol = htons(ETH_P_IPV6), - .sll_hatype = 0, - .sll_pkttype = 0, - .sll_halen = 0, - .sll_addr = {0}, - }; - bind(sock, (struct sockaddr*)&ll, sizeof(ll)); - - struct packet_mreq mreq = {iface->ifindex, PACKET_MR_ALLMULTI, ETH_ALEN, {0}}; - setsockopt(sock, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mreq, sizeof(mreq)); - - iface->ndp_event.uloop.fd = sock; - iface->ndp_event.handle_dgram = handle_solicit; - odhcpd_register(&iface->ndp_event); - - // If we already were enabled dump is unnecessary, if not do dump - if (!dump_neigh) - dump_neigh_table(false); - else - dump_neigh = false; + ndp_event.uloop.fd = sock; + odhcpd_register(&ndp_event); + } else if (!enable_packet && ndp_event.uloop.fd >= 0) { + close(ndp_event.uloop.fd); + ndp_event.uloop.fd = -1; } - close(procfd); - - if (dump_neigh) - dump_neigh_table(true); return 0; } @@ -244,14 +266,61 @@ static void handle_solicit(void *addr, void *data, size_t len, uint8_t mac[6]; odhcpd_get_mac(iface, mac); - if (!memcmp(ll->sll_addr, mac, sizeof(mac))) + if (!memcmp(ll->sll_addr, mac, sizeof(mac)) && + ll->sll_pkttype != PACKET_OUTGOING) return; // Looped back - struct interface *c; - list_for_each_entry(c, &interfaces, head) - if (iface->ndp == RELAYD_RELAY && iface != c && - (!ns_is_dad || !c->external == false)) - ping6(&req->nd_ns_target, c); + time_t now = time(NULL); + + struct ndp_neighbor *n = find_neighbor(&req->nd_ns_target, false); + if (n && (n->iface || abs(n->timeout - now) < 5)) { + syslog(LOG_DEBUG, "%s is on %s", ipbuf, + (n->iface) ? n->iface->ifname : "<pending>"); + if (!n->iface || n->iface == iface) + return; + + // Found on other interface, answer with advertisement + struct { + struct nd_neighbor_advert body; + struct nd_opt_hdr opt_ll_hdr; + uint8_t mac[6]; + } advert = { + .body = { + .nd_na_hdr = {ND_NEIGHBOR_ADVERT, + 0, 0, {{0}}}, + .nd_na_target = req->nd_ns_target, + }, + .opt_ll_hdr = {ND_OPT_TARGET_LINKADDR, 1}, + }; + + memcpy(advert.mac, mac, sizeof(advert.mac)); + advert.body.nd_na_flags_reserved = ND_NA_FLAG_ROUTER | + ND_NA_FLAG_SOLICITED; + + struct sockaddr_in6 dest = {AF_INET6, 0, 0, ALL_IPV6_NODES, 0}; + if (!ns_is_dad) // If not DAD, then unicast to source + dest.sin6_addr = ip6->ip6_src; + + // Linux seems to not honor IPV6_PKTINFO on raw-sockets, so work around + setsockopt(ping_socket, SOL_SOCKET, SO_BINDTODEVICE, + iface->ifname, sizeof(iface->ifname)); + struct iovec iov = {&advert, sizeof(advert)}; + odhcpd_send(ping_socket, &dest, &iov, 1, iface); + } else { + // Send echo to all other interfaces to see where target is on + // This will trigger neighbor discovery which is what we want. + // We will observe the neighbor cache to see results. + + ssize_t sent = 0; + struct interface *c; + list_for_each_entry(c, &interfaces, head) + if (iface->ndp == RELAYD_RELAY && iface != c && + (!ns_is_dad || !c->external == false)) + sent += ping6(&req->nd_ns_target, c); + + if (sent > 0) // Sent a ping, add pending neighbor entry + modify_neighbor(&req->nd_ns_target, NULL, true); + } } @@ -315,15 +384,74 @@ static void setup_route(struct in6_addr *addr, struct interface *iface, odhcpd_setup_route(addr, 128, iface, NULL, add); } +static void free_neighbor(struct ndp_neighbor *n) +{ + setup_route(&n->addr, n->iface, false); + list_del(&n->head); + free(n); + --neighbor_count; +} + +static struct ndp_neighbor* find_neighbor(struct in6_addr *addr, bool strict) +{ + time_t now = time(NULL); + struct ndp_neighbor *n, *e; + list_for_each_entry_safe(n, e, &neighbors, head) { + if ((!strict && !odhcpd_bmemcmp(&n->addr, addr, n->len)) || + (n->len == 128 && IN6_ARE_ADDR_EQUAL(&n->addr, addr))) + return n; + + if (!n->iface && abs(n->timeout - now) >= 5) + free_neighbor(n); + } + return NULL; +} + + +// Modified our own neighbor-entries +static void modify_neighbor(struct in6_addr *addr, + struct interface *iface, bool add) +{ + if (!addr || (void*)addr == (void*)iface) + return; + + struct ndp_neighbor *n = find_neighbor(addr, true); + if (!add) { // Delete action + if (n && (!n->iface || n->iface == iface)) + free_neighbor(n); + } else if (!n) { // No entry yet, add one if possible + if (neighbor_count >= NDP_MAX_NEIGHBORS || + !(n = malloc(sizeof(*n)))) + return; + + n->len = 128; + n->addr = *addr; + n->iface = iface; + if (!n->iface) + time(&n->timeout); + list_add(&n->head, &neighbors); + ++neighbor_count; + setup_route(addr, n->iface, add); + } else if (n->iface == iface) { + if (!n->iface) + time(&n->timeout); + } else if (iface && (!n->iface || + (!iface->external && n->iface->external))) { + setup_route(addr, n->iface, false); + n->iface = iface; + setup_route(addr, n->iface, add); + } + // TODO: In case a host switches interfaces we might want + // to set its old neighbor entry to NUD_STALE and ping it + // on the old interface to confirm if the MACs match. +} + // Handler for neighbor cache entries from the kernel. This is our source // to learn and unlearn hosts on interfaces. static void handle_rtnetlink(_unused void *addr, void *data, size_t len, _unused struct interface *iface, _unused void *dest) { - bool dump_neigh = false; - struct in6_addr last_solicited = IN6ADDR_ANY_INIT; - for (struct nlmsghdr *nh = data; NLMSG_OK(nh, len); nh = NLMSG_NEXT(nh, len)) { struct rtmsg *rtm = NLMSG_DATA(nh); @@ -378,103 +506,35 @@ static void handle_rtnetlink(_unused void *addr, void *data, size_t len, (NUD_REACHABLE | NUD_STALE | NUD_DELAY | NUD_PROBE | NUD_PERMANENT | NUD_NOARP))); - if (iface->ndp == RELAYD_RELAY) { - // Replay change to all neighbor cache - struct { - struct nlmsghdr nh; - struct ndmsg ndm; - struct nlattr nla_dst; - struct in6_addr dst; - } req = { - {sizeof(req), RTM_DELNEIGH, NLM_F_REQUEST, - ++rtnl_seqid, 0}, - {.ndm_family = AF_INET6, .ndm_flags = NTF_PROXY}, - {sizeof(struct nlattr) + sizeof(struct in6_addr), NDA_DST}, - *addr - }; - - if (ndm->ndm_flags & NTF_PROXY) { - // Dump & flush proxy entries - if (nh->nlmsg_type == RTM_NEWNEIGH) { - req.ndm.ndm_ifindex = iface->ifindex; - send(rtnl_event.uloop.fd, &req, sizeof(req), MSG_DONTWAIT); - dump_neigh = true; - } - } else if (add) { - struct interface *c; - list_for_each_entry(c, &interfaces, head) { - if (iface == c) - continue; - - if (c->ndp == RELAYD_RELAY) { - req.nh.nlmsg_type = RTM_NEWNEIGH; - req.nh.nlmsg_flags |= NLM_F_CREATE | NLM_F_REPLACE; - - req.ndm.ndm_ifindex = c->ifindex; - send(rtnl_event.uloop.fd, &req, sizeof(req), MSG_DONTWAIT); - } else { // Delete NDP cache from interfaces without relay - req.nh.nlmsg_type = RTM_DELNEIGH; - req.nh.nlmsg_flags &= ~(NLM_F_CREATE | NLM_F_REPLACE); - - req.ndm.ndm_ifindex = c->ifindex; - send(rtnl_event.uloop.fd, &req, sizeof(req), MSG_DONTWAIT); - } - } + if (iface->ndp == RELAYD_RELAY) + modify_neighbor(addr, iface, add); - setup_route(addr, iface, true); - } else { - if (nh->nlmsg_type == RTM_NEWNEIGH) { - // might be locally originating - if (!IN6_ARE_ADDR_EQUAL(&last_solicited, addr)) { - last_solicited = *addr; - - struct interface *c; - list_for_each_entry(c, &interfaces, head) - if (iface->ndp == RELAYD_RELAY && iface != c && - !c->external == false) - ping6(addr, c); - } - } else { - struct interface *c; - list_for_each_entry(c, &interfaces, head) { - if (c->ndp == RELAYD_RELAY && iface != c) { - req.ndm.ndm_ifindex = c->ifindex; - send(rtnl_event.uloop.fd, &req, sizeof(req), MSG_DONTWAIT); - } - } - setup_route(addr, iface, false); - - // also: dump to add proxies back in case it moved elsewhere - dump_neigh = true; - } - } - } + if (is_addr && iface->ra == RELAYD_SERVER) + raise(SIGUSR1); // Inform about a change in addresses - if (is_addr) { - if (iface->ra == RELAYD_SERVER) - raise(SIGUSR1); // Inform about a change in addresses + if (is_addr && iface->dhcpv6 == RELAYD_SERVER) + iface->ia_reconf = true; - if (iface->dhcpv6 == RELAYD_SERVER) - iface->ia_reconf = true; + if (iface->ndp == RELAYD_RELAY && is_addr && iface->master) { + // Replay address changes on all slave interfaces + nh->nlmsg_flags = NLM_F_REQUEST; - if (iface->ndp == RELAYD_RELAY && iface->master) { - // Replay address changes on all slave interfaces - nh->nlmsg_flags = NLM_F_REQUEST; + if (nh->nlmsg_type == RTM_NEWADDR) + nh->nlmsg_flags |= NLM_F_CREATE | NLM_F_REPLACE; - if (nh->nlmsg_type == RTM_NEWADDR) - nh->nlmsg_flags |= NLM_F_CREATE | NLM_F_REPLACE; - - struct interface *c; - list_for_each_entry(c, &interfaces, head) { - if (c->ndp == RELAYD_RELAY && !c->master) { - ifa->ifa_index = c->ifindex; - send(rtnl_event.uloop.fd, nh, nh->nlmsg_len, MSG_DONTWAIT); - } + struct interface *c; + list_for_each_entry(c, &interfaces, head) { + if (c->ndp == RELAYD_RELAY && !c->master) { + ifa->ifa_index = c->ifindex; + send(rtnl_event.uloop.fd, nh, nh->nlmsg_len, MSG_DONTWAIT); } } } - } - if (dump_neigh) - dump_neigh_table(false); + /* TODO: See if this is required for optimal operation + // Keep neighbor entries alive so we don't loose routes + */ + if (add && (ndm->ndm_state & NUD_STALE)) + ping6(addr, iface); + } } diff --git a/src/odhcpd.h b/src/odhcpd.h index 1fe775e..b2b38dc 100644 --- a/src/odhcpd.h +++ b/src/odhcpd.h @@ -118,7 +118,6 @@ struct interface { // DHCPv4 struct odhcpd_event dhcpv6_event; struct odhcpd_event dhcpv4_event; - struct odhcpd_event ndp_event; struct list_head dhcpv4_assignments; // Managed PD @@ -161,6 +160,9 @@ struct interface { void *dhcpv6_raw; size_t dhcpv6_raw_len; + char* static_ndp; + size_t static_ndp_len; + char *upstream; size_t upstream_len; |