Gitiles
Code Review Sign In
code.illumos.org / illumos-gate / bbb9d5d65bf8372aae4b8821c80e218b8b832846 / . / usr / src / uts / common / io / mac / mac_protect.c
blob: da83dc643e2f97b72e4901f8fe2f45435a0eb005 [file] [log] [blame]
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, Joyent, Inc. All rights reserved.
*/
/*
* Copyright 2014 Nexenta Systems, Inc. All rights reserved.
*/
#include <sys/cmn_err.h>
#include <sys/strsun.h>
#include <sys/sdt.h>
#include <sys/mac.h>
#include <sys/mac_impl.h>
#include <sys/mac_client_impl.h>
#include <sys/mac_client_priv.h>
#include <sys/ethernet.h>
#include <sys/vlan.h>
#include <sys/dlpi.h>
#include <sys/avl.h>
#include <inet/ip.h>
#include <inet/ip6.h>
#include <inet/arp.h>
#include <netinet/arp.h>
#include <netinet/udp.h>
#include <netinet/dhcp.h>
#include <netinet/dhcp6.h>
/*
* Implementation overview for DHCP address detection
*
* The purpose of DHCP address detection is to relieve the user of having to
* manually configure static IP addresses when ip-nospoof protection is turned
* on. To achieve this, the mac layer needs to intercept DHCP packets to
* determine the assigned IP addresses.
*
* A DHCP handshake between client and server typically requires at least
* 4 messages:
*
* 1. DISCOVER - client attempts to locate DHCP servers via a
* broadcast message to its subnet.
* 2. OFFER - server responds to client with an IP address and
* other parameters.
* 3. REQUEST - client requests the offered address.
* 4. ACK - server verifies that the requested address matches
* the one it offered.
*
* DHCPv6 behaves pretty much the same way aside from different message names.
*
* Address information is embedded in either the OFFER or REQUEST message.
* We chose to intercept REQUEST because this is at the last part of the
* handshake and it indicates that the client intends to keep the address.
* Intercepting OFFERs is unreliable because the client may receive multiple
* offers from different servers, and we can't tell which address the client
* will keep.
*
* Each DHCP message has a transaction ID. We use this transaction ID to match
* REQUESTs with ACKs received from servers.
*
* For IPv4, the process to acquire a DHCP-assigned address is as follows:
*
* 1. Client sends REQUEST. a new dhcpv4_txn_t object is created and inserted
* in the the mci_v4_pending_txn table (keyed by xid). This object represents
* a new transaction. It contains the xid, the client ID and requested IP
* address.
*
* 2. Server responds with an ACK. The xid from this ACK is used to lookup the
* pending transaction from the mci_v4_pending_txn table. Once the object is
* found, it is removed from the pending table and inserted into the
* completed table (mci_v4_completed_txn, keyed by client ID) and the dynamic
* IP table (mci_v4_dyn_ip, keyed by IP address).
*
* 3. An outgoing packet that goes through the ip-nospoof path will be checked
* against the dynamic IP table. Packets that have the assigned DHCP address
* as the source IP address will pass the check and be admitted onto the
* network.
*
* IPv4 notes:
*
* If the server never responds with an ACK, there is a timer that is set after
* the insertion of the transaction into the pending table. When the timer
* fires, it will check whether the transaction is old (by comparing current
* time and the txn's timestamp), if so the transaction will be freed. along
* with this, any transaction in the completed/dyn-ip tables matching the client
* ID of this stale transaction will also be freed. If the client fails to
* extend a lease, we want to stop the client from using any IP addresses that
* were granted previously.
*
* A RELEASE message from the client will not cause a transaction to be created.
* The client ID in the RELEASE message will be used for finding and removing
* transactions in the completed and dyn-ip tables.
*
*
* For IPv6, the process to acquire a DHCPv6-assigned address is as follows:
*
* 1. Client sends REQUEST. The DUID is extracted and stored into a dhcpv6_cid_t
* structure. A new transaction structure (dhcpv6_txn_t) is also created and
* it will point to the dhcpv6_cid_t. If an existing transaction with a
* matching xid is not found, this dhcpv6_txn_t will be inserted into the
* mci_v6_pending_txn table (keyed by xid).
*
* 2. Server responds with a REPLY. If a pending transaction is found, the
* addresses in the reply will be placed into the dhcpv6_cid_t pointed to by
* the transaction. The dhcpv6_cid_t will then be moved to the mci_v6_cid
* table (keyed by cid). The associated addresses will be added to the
* mci_v6_dyn_ip table (while still being pointed to by the dhcpv6_cid_t).
*
* 3. IPv6 ip-nospoof will now check mci_v6_dyn_ip for matching packets.
* Packets with a source address matching one of the DHCPv6-assigned
* addresses will be allowed through.
*
* IPv6 notes:
*
* The v6 code shares the same timer as v4 for scrubbing stale transactions.
* Just like v4, as part of removing an expired transaction, a RELEASE will be
* be triggered on the cid associated with the expired transaction.
*
* The data structures used for v6 are slightly different because a v6 client
* may have multiple addresses associated with it.
*/
/*
* These are just arbitrary limits meant for preventing abuse (e.g. a user
* flooding the network with bogus transactions). They are not meant to be
* user-modifiable so they are not exposed as linkprops.
*/
static ulong_t dhcp_max_pending_txn = 512;
static ulong_t dhcp_max_completed_txn = 512;
static ulong_t slaac_max_allowed = 512;
static hrtime_t txn_cleanup_interval = 60 * NANOSEC;
/*
* DHCPv4 transaction. It may be added to three different tables
* (keyed by different fields).
*/
typedef struct dhcpv4_txn {
uint32_t dt_xid;
hrtime_t dt_timestamp;
uint8_t dt_cid[DHCP_MAX_OPT_SIZE];
uint8_t dt_cid_len;
ipaddr_t dt_ipaddr;
avl_node_t dt_node;
avl_node_t dt_ipnode;
struct dhcpv4_txn *dt_next;
} dhcpv4_txn_t;
/*
* DHCPv6 address. May be added to mci_v6_dyn_ip.
* It is always pointed to by its parent dhcpv6_cid_t structure.
*/
typedef struct dhcpv6_addr {
in6_addr_t da_addr;
avl_node_t da_node;
struct dhcpv6_addr *da_next;
} dhcpv6_addr_t;
/*
* DHCPv6 client ID. May be added to mci_v6_cid.
* No dhcpv6_txn_t should be pointing to it after it is added to mci_v6_cid.
*/
typedef struct dhcpv6_cid {
uchar_t *dc_cid;
uint_t dc_cid_len;
dhcpv6_addr_t *dc_addr;
uint_t dc_addrcnt;
avl_node_t dc_node;
} dhcpv6_cid_t;
/*
* DHCPv6 transaction. Unlike its v4 counterpart, this object gets freed up
* as soon as the transaction completes or expires.
*/
typedef struct dhcpv6_txn {
uint32_t dt_xid;
hrtime_t dt_timestamp;
dhcpv6_cid_t *dt_cid;
avl_node_t dt_node;
struct dhcpv6_txn *dt_next;
} dhcpv6_txn_t;
/*
* Stateless address autoconfiguration (SLAAC) address. May be added to
* mci_v6_slaac_ip.
*/
typedef struct slaac_addr {
in6_addr_t sla_prefix;
in6_addr_t sla_addr;
avl_node_t sla_node;
} slaac_addr_t;
static void start_txn_cleanup_timer(mac_client_impl_t *);
static boolean_t allowed_ips_set(mac_resource_props_t *, uint32_t);
#define BUMP_STAT(m, s) (m)->mci_misc_stat.mms_##s++
/*
* Comparison functions for the 3 AVL trees used:
* mci_v4_pending_txn, mci_v4_completed_txn, mci_v4_dyn_ip
*/
static int
compare_dhcpv4_xid(const void *arg1, const void *arg2)
{
const dhcpv4_txn_t *txn1 = arg1, *txn2 = arg2;
if (txn1->dt_xid < txn2->dt_xid)
return (-1);
else if (txn1->dt_xid > txn2->dt_xid)
return (1);
else
return (0);
}
static int
compare_dhcpv4_cid(const void *arg1, const void *arg2)
{
const dhcpv4_txn_t *txn1 = arg1, *txn2 = arg2;
int ret;
if (txn1->dt_cid_len < txn2->dt_cid_len)
return (-1);
else if (txn1->dt_cid_len > txn2->dt_cid_len)
return (1);
if (txn1->dt_cid_len == 0)
return (0);
ret = memcmp(txn1->dt_cid, txn2->dt_cid, txn1->dt_cid_len);
if (ret < 0)
return (-1);
else if (ret > 0)
return (1);
else
return (0);
}
static int
compare_dhcpv4_ip(const void *arg1, const void *arg2)
{
const dhcpv4_txn_t *txn1 = arg1, *txn2 = arg2;
if (txn1->dt_ipaddr < txn2->dt_ipaddr)
return (-1);
else if (txn1->dt_ipaddr > txn2->dt_ipaddr)
return (1);
else
return (0);
}
/*
* Find the specified DHCPv4 option.
*/
static int
get_dhcpv4_option(struct dhcp *dh4, uchar_t *end, uint8_t type,
uchar_t **opt, uint8_t *opt_len)
{
uchar_t *start = (uchar_t *)dh4->options;
uint8_t otype, olen;
while (start < end) {
if (*start == CD_PAD) {
start++;
continue;
}
if (*start == CD_END)
break;
otype = *start++;
olen = *start++;
if (otype == type && olen > 0) {
*opt = start;
*opt_len = olen;
return (0);
}
start += olen;
}
return (ENOENT);
}
/*
* Locate the start of a DHCPv4 header.
* The possible return values and associated meanings are:
* 0 - packet is DHCP and has a DHCP header.
* EINVAL - packet is not DHCP. the recommended action is to let it pass.
* ENOSPC - packet is a initial fragment that is DHCP or is unidentifiable.
* the recommended action is to drop it.
*/
static int
get_dhcpv4_info(ipha_t *ipha, uchar_t *end, struct dhcp **dh4)
{
uint16_t offset_and_flags, client, server;
boolean_t first_frag = B_FALSE;
struct udphdr *udph;
uchar_t *dh;
if (ipha->ipha_protocol != IPPROTO_UDP)
return (EINVAL);
offset_and_flags = ntohs(ipha->ipha_fragment_offset_and_flags);
if ((offset_and_flags & (IPH_MF | IPH_OFFSET)) != 0) {
/*
* All non-initial fragments may pass because we cannot
* identify their type. It's safe to let them through
* because reassembly will fail if we decide to drop the
* initial fragment.
*/
if (((offset_and_flags << 3) & 0xffff) != 0)
return (EINVAL);
first_frag = B_TRUE;
}
/* drop packets without a udp header */
udph = (struct udphdr *)((uchar_t *)ipha + IPH_HDR_LENGTH(ipha));
if ((uchar_t *)&udph[1] > end)
return (ENOSPC);
client = htons(IPPORT_BOOTPC);
server = htons(IPPORT_BOOTPS);
if (udph->uh_sport != client && udph->uh_sport != server &&
udph->uh_dport != client && udph->uh_dport != server)
return (EINVAL);
/* drop dhcp fragments */
if (first_frag)
return (ENOSPC);
dh = (uchar_t *)&udph[1];
if (dh + BASE_PKT_SIZE > end)
return (EINVAL);
*dh4 = (struct dhcp *)dh;
return (0);
}
/*
* Wrappers for accesses to avl trees to improve readability.
* Their purposes are fairly self-explanatory.
*/
static dhcpv4_txn_t *
find_dhcpv4_pending_txn(mac_client_impl_t *mcip, uint32_t xid)
{
dhcpv4_txn_t tmp_txn;
ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
tmp_txn.dt_xid = xid;
return (avl_find(&mcip->mci_v4_pending_txn, &tmp_txn, NULL));
}
static int
insert_dhcpv4_pending_txn(mac_client_impl_t *mcip, dhcpv4_txn_t *txn)
{
avl_index_t where;
ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
if (avl_find(&mcip->mci_v4_pending_txn, txn, &where) != NULL)
return (EEXIST);
if (avl_numnodes(&mcip->mci_v4_pending_txn) >= dhcp_max_pending_txn) {
BUMP_STAT(mcip, dhcpdropped);
return (EAGAIN);
}
avl_insert(&mcip->mci_v4_pending_txn, txn, where);
return (0);
}
static void
remove_dhcpv4_pending_txn(mac_client_impl_t *mcip, dhcpv4_txn_t *txn)
{
ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
avl_remove(&mcip->mci_v4_pending_txn, txn);
}
static dhcpv4_txn_t *
find_dhcpv4_completed_txn(mac_client_impl_t *mcip, uint8_t *cid,
uint8_t cid_len)
{
dhcpv4_txn_t tmp_txn;
ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
if (cid_len > 0)
bcopy(cid, tmp_txn.dt_cid, cid_len);
tmp_txn.dt_cid_len = cid_len;
return (avl_find(&mcip->mci_v4_completed_txn, &tmp_txn, NULL));
}
/*
* After a pending txn is removed from the pending table, it is inserted
* into both the completed and dyn-ip tables. These two insertions are
* done together because a client ID must have 1:1 correspondence with
* an IP address and IP addresses must be unique in the dyn-ip table.
*/
static int
insert_dhcpv4_completed_txn(mac_client_impl_t *mcip, dhcpv4_txn_t *txn)
{
avl_index_t where;
ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
if (avl_find(&mcip->mci_v4_completed_txn, txn, &where) != NULL)
return (EEXIST);
if (avl_numnodes(&mcip->mci_v4_completed_txn) >=
dhcp_max_completed_txn) {
BUMP_STAT(mcip, dhcpdropped);
return (EAGAIN);
}
avl_insert(&mcip->mci_v4_completed_txn, txn, where);
if (avl_find(&mcip->mci_v4_dyn_ip, txn, &where) != NULL) {
avl_remove(&mcip->mci_v4_completed_txn, txn);
return (EEXIST);
}
avl_insert(&mcip->mci_v4_dyn_ip, txn, where);
return (0);
}
static void
remove_dhcpv4_completed_txn(mac_client_impl_t *mcip, dhcpv4_txn_t *txn)
{
dhcpv4_txn_t *ctxn;
ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
if ((ctxn = avl_find(&mcip->mci_v4_dyn_ip, txn, NULL)) != NULL &&
ctxn == txn)
avl_remove(&mcip->mci_v4_dyn_ip, txn);
avl_remove(&mcip->mci_v4_completed_txn, txn);
}
/*
* Check whether an IP address is in the dyn-ip table.
*/
static boolean_t
check_dhcpv4_dyn_ip(mac_client_impl_t *mcip, ipaddr_t ipaddr)
{
dhcpv4_txn_t tmp_txn, *txn;
mutex_enter(&mcip->mci_protect_lock);
tmp_txn.dt_ipaddr = ipaddr;
txn = avl_find(&mcip->mci_v4_dyn_ip, &tmp_txn, NULL);
mutex_exit(&mcip->mci_protect_lock);
return (txn != NULL);
}
/*
* Create/destroy a DHCPv4 transaction.
*/
static dhcpv4_txn_t *
create_dhcpv4_txn(uint32_t xid, uint8_t *cid, uint8_t cid_len, ipaddr_t ipaddr)
{
dhcpv4_txn_t *txn;
if ((txn = kmem_zalloc(sizeof (*txn), KM_NOSLEEP)) == NULL)
return (NULL);
txn->dt_xid = xid;
txn->dt_timestamp = gethrtime();
if (cid_len > 0)
bcopy(cid, &txn->dt_cid, cid_len);
txn->dt_cid_len = cid_len;
txn->dt_ipaddr = ipaddr;
return (txn);
}
static void
free_dhcpv4_txn(dhcpv4_txn_t *txn)
{
kmem_free(txn, sizeof (*txn));
}
/*
* Clean up all v4 tables.
*/
static void
flush_dhcpv4(mac_client_impl_t *mcip)
{
void *cookie = NULL;
dhcpv4_txn_t *txn;
ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
while ((txn = avl_destroy_nodes(&mcip->mci_v4_dyn_ip,
&cookie)) != NULL) {
/*
* No freeing needed here because the same txn exists
* in the mci_v4_completed_txn table as well.
*/
}
cookie = NULL;
while ((txn = avl_destroy_nodes(&mcip->mci_v4_completed_txn,
&cookie)) != NULL) {
free_dhcpv4_txn(txn);
}
cookie = NULL;
while ((txn = avl_destroy_nodes(&mcip->mci_v4_pending_txn,
&cookie)) != NULL) {
free_dhcpv4_txn(txn);
}
}
/*
* Cleanup stale DHCPv4 transactions.
*/
static void
txn_cleanup_v4(mac_client_impl_t *mcip)
{
dhcpv4_txn_t *txn, *ctxn, *next, *txn_list = NULL;
/*
* Find stale pending transactions and place them on a list
* to be removed.
*/
for (txn = avl_first(&mcip->mci_v4_pending_txn); txn != NULL;
txn = avl_walk(&mcip->mci_v4_pending_txn, txn, AVL_AFTER)) {
if (gethrtime() - txn->dt_timestamp > txn_cleanup_interval) {
DTRACE_PROBE2(found__expired__txn,
mac_client_impl_t *, mcip,
dhcpv4_txn_t *, txn);
txn->dt_next = txn_list;
txn_list = txn;
}
}
/*
* Remove and free stale pending transactions and completed
* transactions with the same client IDs as the stale transactions.
*/
for (txn = txn_list; txn != NULL; txn = next) {
avl_remove(&mcip->mci_v4_pending_txn, txn);
ctxn = find_dhcpv4_completed_txn(mcip, txn->dt_cid,
txn->dt_cid_len);
if (ctxn != NULL) {
DTRACE_PROBE2(removing__completed__txn,
mac_client_impl_t *, mcip,
dhcpv4_txn_t *, ctxn);
remove_dhcpv4_completed_txn(mcip, ctxn);
free_dhcpv4_txn(ctxn);
}
next = txn->dt_next;
txn->dt_next = NULL;
DTRACE_PROBE2(freeing__txn, mac_client_impl_t *, mcip,
dhcpv4_txn_t *, txn);
free_dhcpv4_txn(txn);
}
}
/*
* Core logic for intercepting outbound DHCPv4 packets.
*/
static boolean_t
intercept_dhcpv4_outbound(mac_client_impl_t *mcip, ipha_t *ipha, uchar_t *end)
{
struct dhcp *dh4;
uchar_t *opt;
dhcpv4_txn_t *txn, *ctxn;
ipaddr_t ipaddr;
uint8_t opt_len, mtype, cid[DHCP_MAX_OPT_SIZE], cid_len;
mac_resource_props_t *mrp = MCIP_RESOURCE_PROPS(mcip);
if (get_dhcpv4_info(ipha, end, &dh4) != 0)
return (B_TRUE);
/* ip_nospoof/allowed-ips and DHCP are mutually exclusive by default */
if (allowed_ips_set(mrp, IPV4_VERSION))
return (B_FALSE);
if (get_dhcpv4_option(dh4, end, CD_DHCP_TYPE, &opt, &opt_len) != 0 ||
opt_len != 1) {
DTRACE_PROBE2(mtype__not__found, mac_client_impl_t *, mcip,
struct dhcp *, dh4);
return (B_TRUE);
}
mtype = *opt;
if (mtype != REQUEST && mtype != RELEASE) {
DTRACE_PROBE3(ignored__mtype, mac_client_impl_t *, mcip,
struct dhcp *, dh4, uint8_t, mtype);
return (B_TRUE);
}
/* client ID is optional for IPv4 */
if (get_dhcpv4_option(dh4, end, CD_CLIENT_ID, &opt, &opt_len) == 0 &&
opt_len >= 2) {
bcopy(opt, cid, opt_len);
cid_len = opt_len;
} else {
bzero(cid, DHCP_MAX_OPT_SIZE);
cid_len = 0;
}
mutex_enter(&mcip->mci_protect_lock);
if (mtype == RELEASE) {
DTRACE_PROBE2(release, mac_client_impl_t *, mcip,
struct dhcp *, dh4);
/* flush any completed txn with this cid */
ctxn = find_dhcpv4_completed_txn(mcip, cid, cid_len);
if (ctxn != NULL) {
DTRACE_PROBE2(release__successful, mac_client_impl_t *,
mcip, struct dhcp *, dh4);
remove_dhcpv4_completed_txn(mcip, ctxn);
free_dhcpv4_txn(ctxn);
}
goto done;
}
/*
* If a pending txn already exists, we'll update its timestamp so
* it won't get flushed by the timer. We don't need to create new
* txns for retransmissions.
*/
if ((txn = find_dhcpv4_pending_txn(mcip, dh4->xid)) != NULL) {
DTRACE_PROBE2(update, mac_client_impl_t *, mcip,
dhcpv4_txn_t *, txn);
txn->dt_timestamp = gethrtime();
goto done;
}
if (get_dhcpv4_option(dh4, end, CD_REQUESTED_IP_ADDR,
&opt, &opt_len) != 0 || opt_len != sizeof (ipaddr)) {
DTRACE_PROBE2(ipaddr__not__found, mac_client_impl_t *, mcip,
struct dhcp *, dh4);
goto done;
}
bcopy(opt, &ipaddr, sizeof (ipaddr));
if ((txn = create_dhcpv4_txn(dh4->xid, cid, cid_len, ipaddr)) == NULL)
goto done;
if (insert_dhcpv4_pending_txn(mcip, txn) != 0) {
DTRACE_PROBE2(insert__failed, mac_client_impl_t *, mcip,
dhcpv4_txn_t *, txn);
free_dhcpv4_txn(txn);
goto done;
}
start_txn_cleanup_timer(mcip);
DTRACE_PROBE2(txn__pending, mac_client_impl_t *, mcip,
dhcpv4_txn_t *, txn);
done:
mutex_exit(&mcip->mci_protect_lock);
return (B_TRUE);
}
/*
* Core logic for intercepting inbound DHCPv4 packets.
*/
static void
intercept_dhcpv4_inbound(mac_client_impl_t *mcip, uchar_t *end,
struct dhcp *dh4)
{
uchar_t *opt;
dhcpv4_txn_t *txn, *ctxn;
uint8_t opt_len, mtype;
if (get_dhcpv4_option(dh4, end, CD_DHCP_TYPE, &opt, &opt_len) != 0 ||
opt_len != 1) {
DTRACE_PROBE2(mtype__not__found, mac_client_impl_t *, mcip,
struct dhcp *, dh4);
return;
}
mtype = *opt;
if (mtype != ACK && mtype != NAK) {
DTRACE_PROBE3(ignored__mtype, mac_client_impl_t *, mcip,
struct dhcp *, dh4, uint8_t, mtype);
return;
}
mutex_enter(&mcip->mci_protect_lock);
if ((txn = find_dhcpv4_pending_txn(mcip, dh4->xid)) == NULL) {
DTRACE_PROBE2(txn__not__found, mac_client_impl_t *, mcip,
struct dhcp *, dh4);
goto done;
}
remove_dhcpv4_pending_txn(mcip, txn);
/*
* We're about to move a txn from the pending table to the completed/
* dyn-ip tables. If there is an existing completed txn with the
* same cid as our txn, we need to remove and free it.
*/
ctxn = find_dhcpv4_completed_txn(mcip, txn->dt_cid, txn->dt_cid_len);
if (ctxn != NULL) {
DTRACE_PROBE2(replacing__old__txn, mac_client_impl_t *, mcip,
dhcpv4_txn_t *, ctxn);
remove_dhcpv4_completed_txn(mcip, ctxn);
free_dhcpv4_txn(ctxn);
}
if (mtype == NAK) {
DTRACE_PROBE2(nak__received, mac_client_impl_t *, mcip,
dhcpv4_txn_t *, txn);
free_dhcpv4_txn(txn);
goto done;
}
if (insert_dhcpv4_completed_txn(mcip, txn) != 0) {
DTRACE_PROBE2(insert__failed, mac_client_impl_t *, mcip,
dhcpv4_txn_t *, txn);
free_dhcpv4_txn(txn);
goto done;
}
DTRACE_PROBE2(txn__completed, mac_client_impl_t *, mcip,
dhcpv4_txn_t *, txn);
done:
mutex_exit(&mcip->mci_protect_lock);
}
/*
* Comparison functions for the DHCPv6 AVL trees.
*/
static int
compare_dhcpv6_xid(const void *arg1, const void *arg2)
{
const dhcpv6_txn_t *txn1 = arg1, *txn2 = arg2;
if (txn1->dt_xid < txn2->dt_xid)
return (-1);
else if (txn1->dt_xid > txn2->dt_xid)
return (1);
else
return (0);
}
static int
compare_dhcpv6_ip(const void *arg1, const void *arg2)
{
const dhcpv6_addr_t *ip1 = arg1, *ip2 = arg2;
int ret;
ret = memcmp(&ip1->da_addr, &ip2->da_addr, sizeof (in6_addr_t));
if (ret < 0)
return (-1);
else if (ret > 0)
return (1);
else
return (0);
}
static int
compare_dhcpv6_cid(const void *arg1, const void *arg2)
{
const dhcpv6_cid_t *cid1 = arg1, *cid2 = arg2;
int ret;
if (cid1->dc_cid_len < cid2->dc_cid_len)
return (-1);
else if (cid1->dc_cid_len > cid2->dc_cid_len)
return (1);
if (cid1->dc_cid_len == 0)
return (0);
ret = memcmp(cid1->dc_cid, cid2->dc_cid, cid1->dc_cid_len);
if (ret < 0)
return (-1);
else if (ret > 0)
return (1);
else
return (0);
}
static int
compare_slaac_ip(const void *arg1, const void *arg2)
{
const slaac_addr_t *ip1 = arg1, *ip2 = arg2;
int ret;
ret = memcmp(&ip1->sla_addr, &ip2->sla_addr, sizeof (in6_addr_t));
if (ret < 0)
return (-1);
else if (ret > 0)
return (1);
else
return (0);
}
/*
* Locate the start of a DHCPv6 header.
* The possible return values and associated meanings are:
* 0 - packet is DHCP and has a DHCP header.
* EINVAL - packet is not DHCP. the recommended action is to let it pass.
* ENOSPC - packet is a initial fragment that is DHCP or is unidentifiable.
* the recommended action is to drop it.
*/
static int
get_dhcpv6_info(ip6_t *ip6h, uchar_t *end, dhcpv6_message_t **dh6)
{
uint16_t hdrlen, client, server;
boolean_t first_frag = B_FALSE;
ip6_frag_t *frag = NULL;
uint8_t proto;
struct udphdr *udph;
uchar_t *dh;
if (!mac_ip_hdr_length_v6(ip6h, end, &hdrlen, &proto, &frag))
return (ENOSPC);
if (proto != IPPROTO_UDP)
return (EINVAL);
if (frag != NULL) {
/*
* All non-initial fragments may pass because we cannot
* identify their type. It's safe to let them through
* because reassembly will fail if we decide to drop the
* initial fragment.
*/
if ((ntohs(frag->ip6f_offlg) & ~7) != 0)
return (EINVAL);
first_frag = B_TRUE;
}
/* drop packets without a udp header */
udph = (struct udphdr *)((uchar_t *)ip6h + hdrlen);
if ((uchar_t *)&udph[1] > end)
return (ENOSPC);
client = htons(IPPORT_DHCPV6C);
server = htons(IPPORT_DHCPV6S);
if (udph->uh_sport != client && udph->uh_sport != server &&
udph->uh_dport != client && udph->uh_dport != server)
return (EINVAL);
/* drop dhcp fragments */
if (first_frag)
return (ENOSPC);
dh = (uchar_t *)&udph[1];
if (dh + sizeof (dhcpv6_message_t) > end)
return (EINVAL);
*dh6 = (dhcpv6_message_t *)dh;
return (0);
}
static int
get_ra_info(ip6_t *ip6h, uchar_t *end, nd_router_advert_t **ra)
{
uint16_t hdrlen;
ip6_frag_t *frag = NULL;
uint8_t proto;
uchar_t *hdrp;
struct icmp6_hdr *icmp;
if (!mac_ip_hdr_length_v6(ip6h, end, &hdrlen, &proto, &frag))
return (ENOSPC);
if (proto != IPPROTO_ICMPV6)
return (EINVAL);
if (frag != NULL) {
/*
* All non-initial fragments may pass because we cannot
* identify their type. It's safe to let them through
* because reassembly will fail if we decide to drop the
* initial fragment.
*/
if ((ntohs(frag->ip6f_offlg) & ~7) != 0)
return (EINVAL);
return (ENOSPC);
}
/*
* Ensure that the ICMP header falls w/in packet boundaries, in case
* we've received a malicious packet that reports incorrect lengths.
*/
hdrp = (uchar_t *)ip6h + hdrlen;
if ((hdrp + sizeof (struct icmp6_hdr)) > end) {
return (EINVAL);
}
icmp = (struct icmp6_hdr *)hdrp;
if (icmp->icmp6_type != ND_ROUTER_ADVERT ||
icmp->icmp6_code != 0)
return (EINVAL);
*ra = (nd_router_advert_t *)icmp;
return (0);
}
/*
* Find the specified DHCPv6 option.
*/
static dhcpv6_option_t *
get_dhcpv6_option(void *buf, size_t buflen, dhcpv6_option_t *oldopt,
uint16_t codenum, uint_t *retlenp)
{
uchar_t *bp;
dhcpv6_option_t d6o;
uint_t olen;
codenum = htons(codenum);
bp = buf;
while (buflen >= sizeof (dhcpv6_option_t)) {
bcopy(bp, &d6o, sizeof (d6o));
olen = ntohs(d6o.d6o_len) + sizeof (d6o);
if (olen > buflen)
break;
if (d6o.d6o_code != codenum || d6o.d6o_len == 0 ||
(oldopt != NULL && bp <= (uchar_t *)oldopt)) {
bp += olen;
buflen -= olen;
continue;
}
if (retlenp != NULL)
*retlenp = olen;
/* LINTED : alignment */
return ((dhcpv6_option_t *)bp);
}
return (NULL);
}
/*
* Get the status code from a reply message.
*/
static int
get_dhcpv6_status(dhcpv6_message_t *dh6, uchar_t *end, uint16_t *status)
{
dhcpv6_option_t *d6o;
uint_t olen;
uint16_t s;
d6o = get_dhcpv6_option(&dh6[1], end - (uchar_t *)&dh6[1], NULL,
DHCPV6_OPT_STATUS_CODE, &olen);
/* Success is implied if status code is missing */
if (d6o == NULL) {
*status = DHCPV6_STAT_SUCCESS;
return (0);
}
if ((uchar_t *)d6o + olen > end)
return (EINVAL);
olen -= sizeof (*d6o);
if (olen < sizeof (s))
return (EINVAL);
bcopy(&d6o[1], &s, sizeof (s));
*status = ntohs(s);
return (0);
}
/*
* Get the addresses from a reply message.
*/
static int
get_dhcpv6_addrs(dhcpv6_message_t *dh6, uchar_t *end, dhcpv6_cid_t *cid)
{
dhcpv6_option_t *d6o;
dhcpv6_addr_t *next;
uint_t olen;
d6o = NULL;
while ((d6o = get_dhcpv6_option(&dh6[1], end - (uchar_t *)&dh6[1],
d6o, DHCPV6_OPT_IA_NA, &olen)) != NULL) {
dhcpv6_option_t *d6so;
dhcpv6_iaaddr_t d6ia;
dhcpv6_addr_t **addrp;
uchar_t *obase;
uint_t solen;
if (olen < sizeof (dhcpv6_ia_na_t) ||
(uchar_t *)d6o + olen > end)
goto fail;
obase = (uchar_t *)d6o + sizeof (dhcpv6_ia_na_t);
olen -= sizeof (dhcpv6_ia_na_t);
d6so = NULL;
while ((d6so = get_dhcpv6_option(obase, olen, d6so,
DHCPV6_OPT_IAADDR, &solen)) != NULL) {
if (solen < sizeof (dhcpv6_iaaddr_t) ||
(uchar_t *)d6so + solen > end)
goto fail;
bcopy(d6so, &d6ia, sizeof (d6ia));
for (addrp = &cid->dc_addr; *addrp != NULL;
addrp = &(*addrp)->da_next) {
if (bcmp(&(*addrp)->da_addr, &d6ia.d6ia_addr,
sizeof (in6_addr_t)) == 0)
goto fail;
}
if ((*addrp = kmem_zalloc(sizeof (dhcpv6_addr_t),
KM_NOSLEEP)) == NULL)
goto fail;
bcopy(&d6ia.d6ia_addr, &(*addrp)->da_addr,
sizeof (in6_addr_t));
cid->dc_addrcnt++;
}
}
if (cid->dc_addrcnt == 0)
return (ENOENT);
return (0);
fail:
for (; cid->dc_addr != NULL; cid->dc_addr = next) {
next = cid->dc_addr->da_next;
kmem_free(cid->dc_addr, sizeof (dhcpv6_addr_t));
cid->dc_addrcnt--;
}
ASSERT(cid->dc_addrcnt == 0);
return (EINVAL);
}
/*
* Free a cid.
* Before this gets called the caller must ensure that all the
* addresses are removed from the mci_v6_dyn_ip table.
*/
static void
free_dhcpv6_cid(dhcpv6_cid_t *cid)
{
dhcpv6_addr_t *addr, *next;
uint_t cnt = 0;
kmem_free(cid->dc_cid, cid->dc_cid_len);
for (addr = cid->dc_addr; addr != NULL; addr = next) {
next = addr->da_next;
kmem_free(addr, sizeof (*addr));
cnt++;
}
ASSERT(cnt == cid->dc_addrcnt);
kmem_free(cid, sizeof (*cid));
}
/*
* Extract the DUID from a message. The associated addresses will be
* extracted later from the reply message.
*/
static dhcpv6_cid_t *
create_dhcpv6_cid(dhcpv6_message_t *dh6, uchar_t *end)
{
dhcpv6_option_t *d6o;
dhcpv6_cid_t *cid;
uchar_t *rawcid;
uint_t olen, rawcidlen;
d6o = get_dhcpv6_option(&dh6[1], end - (uchar_t *)&dh6[1], NULL,
DHCPV6_OPT_CLIENTID, &olen);
if (d6o == NULL || (uchar_t *)d6o + olen > end)
return (NULL);
rawcidlen = olen - sizeof (*d6o);
if ((rawcid = kmem_zalloc(rawcidlen, KM_NOSLEEP)) == NULL)
return (NULL);
bcopy(d6o + 1, rawcid, rawcidlen);
if ((cid = kmem_zalloc(sizeof (*cid), KM_NOSLEEP)) == NULL) {
kmem_free(rawcid, rawcidlen);
return (NULL);
}
cid->dc_cid = rawcid;
cid->dc_cid_len = rawcidlen;
return (cid);
}
/*
* Remove a cid from mci_v6_cid. The addresses owned by the cid
* are also removed from mci_v6_dyn_ip.
*/
static void
remove_dhcpv6_cid(mac_client_impl_t *mcip, dhcpv6_cid_t *cid)
{
dhcpv6_addr_t *addr, *tmp_addr;
ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
avl_remove(&mcip->mci_v6_cid, cid);
for (addr = cid->dc_addr; addr != NULL; addr = addr->da_next) {
tmp_addr = avl_find(&mcip->mci_v6_dyn_ip, addr, NULL);
if (tmp_addr == addr)
avl_remove(&mcip->mci_v6_dyn_ip, addr);
}
}
/*
* Find and remove a matching cid and associated addresses from
* their respective tables.
*/
static void
release_dhcpv6_cid(mac_client_impl_t *mcip, dhcpv6_cid_t *cid)
{
dhcpv6_cid_t *oldcid;
ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
if ((oldcid = avl_find(&mcip->mci_v6_cid, cid, NULL)) == NULL)
return;
/*
* Since cid belongs to a pending txn, it can't possibly be in
* mci_v6_cid. Anything that's found must be an existing cid.
*/
ASSERT(oldcid != cid);
remove_dhcpv6_cid(mcip, oldcid);
free_dhcpv6_cid(oldcid);
}
/*
* Insert cid into mci_v6_cid.
*/
static int
insert_dhcpv6_cid(mac_client_impl_t *mcip, dhcpv6_cid_t *cid)
{
avl_index_t where;
dhcpv6_addr_t *addr;
ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
if (avl_find(&mcip->mci_v6_cid, cid, &where) != NULL)
return (EEXIST);
if (avl_numnodes(&mcip->mci_v6_cid) >= dhcp_max_completed_txn) {
BUMP_STAT(mcip, dhcpdropped);
return (EAGAIN);
}
avl_insert(&mcip->mci_v6_cid, cid, where);
for (addr = cid->dc_addr; addr != NULL; addr = addr->da_next) {
if (avl_find(&mcip->mci_v6_dyn_ip, addr, &where) != NULL)
goto fail;
avl_insert(&mcip->mci_v6_dyn_ip, addr, where);
}
return (0);
fail:
remove_dhcpv6_cid(mcip, cid);
return (EEXIST);
}
/*
* Check whether an IP address is in the dyn-ip table.
*/
static boolean_t
check_dhcpv6_dyn_ip(mac_client_impl_t *mcip, in6_addr_t *addr)
{
dhcpv6_addr_t tmp_addr, *a;
mutex_enter(&mcip->mci_protect_lock);
bcopy(addr, &tmp_addr.da_addr, sizeof (in6_addr_t));
a = avl_find(&mcip->mci_v6_dyn_ip, &tmp_addr, NULL);
mutex_exit(&mcip->mci_protect_lock);
return (a != NULL);
}
static dhcpv6_txn_t *
find_dhcpv6_pending_txn(mac_client_impl_t *mcip, uint32_t xid)
{
dhcpv6_txn_t tmp_txn;
ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
tmp_txn.dt_xid = xid;
return (avl_find(&mcip->mci_v6_pending_txn, &tmp_txn, NULL));
}
static void
remove_dhcpv6_pending_txn(mac_client_impl_t *mcip, dhcpv6_txn_t *txn)
{
ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
avl_remove(&mcip->mci_v6_pending_txn, txn);
}
static dhcpv6_txn_t *
create_dhcpv6_txn(uint32_t xid, dhcpv6_cid_t *cid)
{
dhcpv6_txn_t *txn;
if ((txn = kmem_zalloc(sizeof (dhcpv6_txn_t), KM_NOSLEEP)) == NULL)
return (NULL);
txn->dt_xid = xid;
txn->dt_cid = cid;
txn->dt_timestamp = gethrtime();
return (txn);
}
static void
free_dhcpv6_txn(dhcpv6_txn_t *txn)
{
if (txn->dt_cid != NULL)
free_dhcpv6_cid(txn->dt_cid);
kmem_free(txn, sizeof (dhcpv6_txn_t));
}
static int
insert_dhcpv6_pending_txn(mac_client_impl_t *mcip, dhcpv6_txn_t *txn)
{
avl_index_t where;
ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
if (avl_find(&mcip->mci_v6_pending_txn, txn, &where) != NULL)
return (EEXIST);
if (avl_numnodes(&mcip->mci_v6_pending_txn) >= dhcp_max_pending_txn) {
BUMP_STAT(mcip, dhcpdropped);
return (EAGAIN);
}
avl_insert(&mcip->mci_v6_pending_txn, txn, where);
return (0);
}
/*
* Clean up all v6 tables.
*/
static void
flush_dhcpv6(mac_client_impl_t *mcip)
{
void *cookie = NULL;
dhcpv6_cid_t *cid;
dhcpv6_txn_t *txn;
ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
while (avl_destroy_nodes(&mcip->mci_v6_dyn_ip, &cookie) != NULL) {
}
cookie = NULL;
while ((cid = avl_destroy_nodes(&mcip->mci_v6_cid, &cookie)) != NULL) {
free_dhcpv6_cid(cid);
}
cookie = NULL;
while ((txn = avl_destroy_nodes(&mcip->mci_v6_pending_txn,
&cookie)) != NULL) {
free_dhcpv6_txn(txn);
}
}
void
flush_slaac(mac_client_impl_t *mcip)
{
void *cookie = NULL;
slaac_addr_t *addr = NULL;
while ((addr = avl_destroy_nodes(&mcip->mci_v6_slaac_ip, &cookie)) !=
NULL) {
kmem_free(addr, sizeof (slaac_addr_t));
}
}
/*
* Cleanup stale DHCPv6 transactions.
*/
static void
txn_cleanup_v6(mac_client_impl_t *mcip)
{
dhcpv6_txn_t *txn, *next, *txn_list = NULL;
/*
* Find stale pending transactions and place them on a list
* to be removed.
*/
for (txn = avl_first(&mcip->mci_v6_pending_txn); txn != NULL;
txn = avl_walk(&mcip->mci_v6_pending_txn, txn, AVL_AFTER)) {
if (gethrtime() - txn->dt_timestamp > txn_cleanup_interval) {
DTRACE_PROBE2(found__expired__txn,
mac_client_impl_t *, mcip,
dhcpv6_txn_t *, txn);
txn->dt_next = txn_list;
txn_list = txn;
}
}
/*
* Remove and free stale pending transactions.
* Release any existing cids matching the stale transactions.
*/
for (txn = txn_list; txn != NULL; txn = next) {
avl_remove(&mcip->mci_v6_pending_txn, txn);
release_dhcpv6_cid(mcip, txn->dt_cid);
next = txn->dt_next;
txn->dt_next = NULL;
DTRACE_PROBE2(freeing__txn, mac_client_impl_t *, mcip,
dhcpv6_txn_t *, txn);
free_dhcpv6_txn(txn);
}
}
/*
* Core logic for intercepting outbound DHCPv6 packets.
*/
static boolean_t
intercept_dhcpv6_outbound(mac_client_impl_t *mcip, ip6_t *ip6h, uchar_t *end)
{
dhcpv6_message_t *dh6;
dhcpv6_txn_t *txn;
dhcpv6_cid_t *cid = NULL;
uint32_t xid;
uint8_t mtype;
mac_resource_props_t *mrp = MCIP_RESOURCE_PROPS(mcip);
if (get_dhcpv6_info(ip6h, end, &dh6) != 0)
return (B_TRUE);
/* ip_nospoof/allowed-ips and DHCP are mutually exclusive by default */
if (allowed_ips_set(mrp, IPV6_VERSION))
return (B_FALSE);
/*
* We want to act on packets that result in DHCPv6 Reply messages, or
* on packets that give up an IPv6 address. For example, a Request or
* Solicit (w/ the Rapid Commit option) will cause the server to send a
* Reply, ending the transaction.
*/
mtype = dh6->d6m_msg_type;
if (mtype != DHCPV6_MSG_SOLICIT && mtype != DHCPV6_MSG_REQUEST &&
mtype != DHCPV6_MSG_RENEW && mtype != DHCPV6_MSG_REBIND &&
mtype != DHCPV6_MSG_RELEASE)
return (B_TRUE);
if ((cid = create_dhcpv6_cid(dh6, end)) == NULL)
return (B_TRUE);
mutex_enter(&mcip->mci_protect_lock);
if (mtype == DHCPV6_MSG_RELEASE) {
release_dhcpv6_cid(mcip, cid);
goto done;
}
xid = DHCPV6_GET_TRANSID(dh6);
if ((txn = find_dhcpv6_pending_txn(mcip, xid)) != NULL) {
DTRACE_PROBE2(update, mac_client_impl_t *, mcip,
dhcpv6_txn_t *, txn);
txn->dt_timestamp = gethrtime();
goto done;
}
if ((txn = create_dhcpv6_txn(xid, cid)) == NULL)
goto done;
cid = NULL;
if (insert_dhcpv6_pending_txn(mcip, txn) != 0) {
DTRACE_PROBE2(insert__failed, mac_client_impl_t *, mcip,
dhcpv6_txn_t *, txn);
free_dhcpv6_txn(txn);
goto done;
}
start_txn_cleanup_timer(mcip);
DTRACE_PROBE2(txn__pending, mac_client_impl_t *, mcip,
dhcpv6_txn_t *, txn);
done:
if (cid != NULL)
free_dhcpv6_cid(cid);
mutex_exit(&mcip->mci_protect_lock);
return (B_TRUE);
}
/*
* Core logic for intercepting inbound DHCPv6 packets.
*/
static void
intercept_dhcpv6_inbound(mac_client_impl_t *mcip, uchar_t *end,
dhcpv6_message_t *dh6)
{
dhcpv6_txn_t *txn;
uint32_t xid;
uint8_t mtype;
uint16_t status;
mtype = dh6->d6m_msg_type;
if (mtype != DHCPV6_MSG_REPLY)
return;
mutex_enter(&mcip->mci_protect_lock);
xid = DHCPV6_GET_TRANSID(dh6);
if ((txn = find_dhcpv6_pending_txn(mcip, xid)) == NULL) {
DTRACE_PROBE2(txn__not__found, mac_client_impl_t *, mcip,
dhcpv6_message_t *, dh6);
goto done;
}
remove_dhcpv6_pending_txn(mcip, txn);
release_dhcpv6_cid(mcip, txn->dt_cid);
if (get_dhcpv6_status(dh6, end, &status) != 0 ||
status != DHCPV6_STAT_SUCCESS) {
DTRACE_PROBE2(error__status, mac_client_impl_t *, mcip,
dhcpv6_txn_t *, txn);
goto done;
}
if (get_dhcpv6_addrs(dh6, end, txn->dt_cid) != 0) {
DTRACE_PROBE2(no__addrs, mac_client_impl_t *, mcip,
dhcpv6_txn_t *, txn);
goto done;
}
if (insert_dhcpv6_cid(mcip, txn->dt_cid) != 0) {
DTRACE_PROBE2(insert__failed, mac_client_impl_t *, mcip,
dhcpv6_txn_t *, txn);
goto done;
}
DTRACE_PROBE2(txn__completed, mac_client_impl_t *, mcip,
dhcpv6_txn_t *, txn);
txn->dt_cid = NULL;
done:
if (txn != NULL)
free_dhcpv6_txn(txn);
mutex_exit(&mcip->mci_protect_lock);
}
/*
* Check whether an IP address is in the SLAAC table.
*/
static boolean_t
check_slaac_ip(mac_client_impl_t *mcip, in6_addr_t *addr)
{
slaac_addr_t tmp_addr, *a;
mutex_enter(&mcip->mci_protect_lock);
bcopy(addr, &tmp_addr.sla_addr, sizeof (in6_addr_t));
a = avl_find(&mcip->mci_v6_slaac_ip, &tmp_addr, NULL);
mutex_exit(&mcip->mci_protect_lock);
return (a != NULL);
}
static boolean_t
insert_slaac_ip(avl_tree_t *tree, in6_addr_t *token, slaac_addr_t *addr)
{
uint_t i;
avl_index_t where;
in6_addr_t *prefix = &addr->sla_prefix;
in6_addr_t *in6p = &addr->sla_addr;
bcopy(prefix, in6p, sizeof (struct in6_addr));
for (i = 0; i < 4; i++) {
in6p->s6_addr32[i] = token->s6_addr32[i] |
in6p->s6_addr32[i];
}
DTRACE_PROBE1(generated__addr, in6_addr_t *, in6p);
if (avl_find(tree, addr, &where) != NULL)
return (B_FALSE);
avl_insert(tree, addr, where);
return (B_TRUE);
}
static void
insert_slaac_prefix(mac_client_impl_t *mcip, nd_opt_prefix_info_t *po)
{
slaac_addr_t *addr = NULL;
in6_addr_t *token = &mcip->mci_v6_mac_token;
ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
if (avl_numnodes(&mcip->mci_v6_slaac_ip) >= slaac_max_allowed) {
DTRACE_PROBE(limit__reached);
return;
}
if ((addr = kmem_zalloc(sizeof (slaac_addr_t),
KM_NOSLEEP | KM_NORMALPRI)) == NULL)
return;
bcopy(&po->nd_opt_pi_prefix, &addr->sla_prefix,
sizeof (struct in6_addr));
if (!insert_slaac_ip(&mcip->mci_v6_slaac_ip, token, addr)) {
kmem_free(addr, sizeof (slaac_addr_t));
}
}
static void
intercept_prefix_info(mac_client_impl_t *mcip, nd_opt_prefix_info_t *po)
{
if (8 * po->nd_opt_pi_len != sizeof (nd_opt_prefix_info_t)) {
DTRACE_PROBE(invalid__length);
return;
}
if (po->nd_opt_pi_prefix_len > 128) {
DTRACE_PROBE(invalid__plen);
return;
}
if (IN6_IS_ADDR_LINKLOCAL(&po->nd_opt_pi_prefix)) {
DTRACE_PROBE(link__local);
return;
}
if ((po->nd_opt_pi_flags_reserved & ND_OPT_PI_FLAG_AUTO) == 0)
return;
mutex_enter(&mcip->mci_protect_lock);
insert_slaac_prefix(mcip, po);
mutex_exit(&mcip->mci_protect_lock);
}
/*
* If we receive a Router Advertisement carrying prefix information and
* indicating that SLAAC should be performed, then track the prefix.
*/
static void
intercept_ra_inbound(mac_client_impl_t *mcip, ip6_t *ip6h, uchar_t *end,
nd_router_advert_t *ra)
{
struct nd_opt_hdr *opt;
int len, optlen;
if (ip6h->ip6_hlim != 255) {
DTRACE_PROBE1(invalid__hoplimit, uint8_t, ip6h->ip6_hlim);
return;
}
len = ip6h->ip6_plen - sizeof (nd_router_advert_t);
opt = (struct nd_opt_hdr *)&ra[1];
while (len >= sizeof (struct nd_opt_hdr) &&
((uchar_t *)opt + sizeof (struct nd_opt_hdr)) <= end) {
optlen = opt->nd_opt_len * 8;
if (optlen < sizeof (struct nd_opt_hdr) ||
((uchar_t *)opt + optlen) > end) {
DTRACE_PROBE(invalid__length);
return;
}
if (opt->nd_opt_type == ND_OPT_PREFIX_INFORMATION) {
intercept_prefix_info(mcip,
(nd_opt_prefix_info_t *)opt);
}
opt = (struct nd_opt_hdr *)((char *)opt + optlen);
len -= optlen;
}
}
/*
* Timer for cleaning up stale transactions.
*/
static void
txn_cleanup_timer(void *arg)
{
mac_client_impl_t *mcip = arg;
mutex_enter(&mcip->mci_protect_lock);
if (mcip->mci_txn_cleanup_tid == 0) {
/* do nothing if timer got cancelled */
mutex_exit(&mcip->mci_protect_lock);
return;
}
mcip->mci_txn_cleanup_tid = 0;
txn_cleanup_v4(mcip);
txn_cleanup_v6(mcip);
/*
* Restart timer if pending transactions still exist.
*/
if (!avl_is_empty(&mcip->mci_v4_pending_txn) ||
!avl_is_empty(&mcip->mci_v6_pending_txn)) {
DTRACE_PROBE1(restarting__timer, mac_client_impl_t *, mcip);
mcip->mci_txn_cleanup_tid = timeout(txn_cleanup_timer, mcip,
drv_usectohz(txn_cleanup_interval / (NANOSEC / MICROSEC)));
}
mutex_exit(&mcip->mci_protect_lock);
}
static void
start_txn_cleanup_timer(mac_client_impl_t *mcip)
{
ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
if (mcip->mci_txn_cleanup_tid == 0) {
mcip->mci_txn_cleanup_tid = timeout(txn_cleanup_timer, mcip,
drv_usectohz(txn_cleanup_interval / (NANOSEC / MICROSEC)));
}
}
static void
cancel_txn_cleanup_timer(mac_client_impl_t *mcip)
{
timeout_id_t tid;
ASSERT(MUTEX_HELD(&mcip->mci_protect_lock));
/*
* This needs to be a while loop because the timer could get
* rearmed during untimeout().
*/
while ((tid = mcip->mci_txn_cleanup_tid) != 0) {
mcip->mci_txn_cleanup_tid = 0;
mutex_exit(&mcip->mci_protect_lock);
(void) untimeout(tid);
mutex_enter(&mcip->mci_protect_lock);
}
}
/*
* Get the start/end pointers of an L3 packet and also do pullup if needed.
* pulled-up packet needs to be freed by the caller.
*/
static int
get_l3_info(mblk_t *mp, size_t hdrsize, uchar_t **start, uchar_t **end,
mblk_t **nmp)
{
uchar_t *s, *e;
mblk_t *newmp = NULL;
/*
* Pullup if necessary but reject packets that do not have
* a proper mac header.
*/
s = mp->b_rptr + hdrsize;
e = mp->b_wptr;
if (s > mp->b_wptr)
return (EINVAL);
if (!OK_32PTR(s) || mp->b_cont != NULL) {
/*
* Temporarily adjust mp->b_rptr to ensure proper
* alignment of IP header in newmp.
*/
DTRACE_PROBE1(pullup__needed, mblk_t *, mp);
mp->b_rptr += hdrsize;
newmp = msgpullup(mp, -1);
mp->b_rptr -= hdrsize;
if (newmp == NULL)
return (ENOMEM);
s = newmp->b_rptr;
e = newmp->b_wptr;
}
*start = s;
*end = e;
*nmp = newmp;
return (0);
}
void
mac_protect_intercept_dynamic_one(mac_client_impl_t *mcip, mblk_t *mp)
{
mac_impl_t *mip = mcip->mci_mip;
uchar_t *start, *end;
mblk_t *nmp = NULL;
mac_header_info_t mhi;
int err;
err = mac_vlan_header_info((mac_handle_t)mip, mp, &mhi);
if (err != 0) {
DTRACE_PROBE2(invalid__header, mac_client_impl_t *, mcip,
mblk_t *, mp);
return;
}
err = get_l3_info(mp, mhi.mhi_hdrsize, &start, &end, &nmp);
if (err != 0) {
DTRACE_PROBE2(invalid__l3, mac_client_impl_t *, mcip,
mblk_t *, mp);
return;
}
switch (mhi.mhi_bindsap) {
case ETHERTYPE_IP: {
struct dhcp *dh4;
ipha_t *ipha = (ipha_t *)start;
if (start + sizeof (ipha_t) > end)
return;
if (get_dhcpv4_info(ipha, end, &dh4) == 0) {
intercept_dhcpv4_inbound(mcip, end, dh4);
}
break;
}
case ETHERTYPE_IPV6: {
dhcpv6_message_t *dh6;
nd_router_advert_t *ra;
ip6_t *ip6h = (ip6_t *)start;
if (start + sizeof (ip6_t) > end)
return;
if (get_dhcpv6_info(ip6h, end, &dh6) == 0) {
intercept_dhcpv6_inbound(mcip, end, dh6);
} else if (get_ra_info(ip6h, end, &ra) == 0) {
intercept_ra_inbound(mcip, ip6h, end, ra);
}
break;
}
}
freemsg(nmp);
}
void
mac_protect_intercept_dynamic(mac_client_impl_t *mcip, mblk_t *mp)
{
/*
* Skip checks if we are part of an aggr.
*/
if ((mcip->mci_state_flags & MCIS_IS_AGGR_PORT) != 0)
return;
for (; mp != NULL; mp = mp->b_next)
mac_protect_intercept_dynamic_one(mcip, mp);
}
void
mac_protect_flush_dynamic(mac_client_impl_t *mcip)
{
mutex_enter(&mcip->mci_protect_lock);
flush_dhcpv4(mcip);
flush_dhcpv6(mcip);
flush_slaac(mcip);
mutex_exit(&mcip->mci_protect_lock);
}
void
mac_protect_cancel_timer(mac_client_impl_t *mcip)
{
mutex_enter(&mcip->mci_protect_lock);
cancel_txn_cleanup_timer(mcip);
mutex_exit(&mcip->mci_protect_lock);
}
/*
* Check if addr is in the 'allowed-ips' list.
*/
/* ARGSUSED */
static boolean_t
ipnospoof_check_v4(mac_client_impl_t *mcip, mac_protect_t *protect,
ipaddr_t *addr)
{
uint_t i;
/*
* The unspecified address is allowed.
*/
if (*addr == INADDR_ANY)
return (B_TRUE);
for (i = 0; i < protect->mp_ipaddrcnt; i++) {
mac_ipaddr_t *v4addr = &protect->mp_ipaddrs[i];
if (v4addr->ip_version == IPV4_VERSION) {
uint32_t mask;
/* LINTED E_SUSPICIOUS_COMPARISON */
ASSERT(v4addr->ip_netmask >= 0 &&
v4addr->ip_netmask <= 32);
mask = 0xFFFFFFFFu << (32 - v4addr->ip_netmask);
/*
* Since we have a netmask we know this entry
* signifies the entire subnet. Check if the
* given address is on the subnet.
*/
if (htonl(V4_PART_OF_V6(v4addr->ip_addr)) ==
(htonl(*addr) & mask))
return (B_TRUE);
}
}
return (protect->mp_ipaddrcnt == 0 ?
check_dhcpv4_dyn_ip(mcip, *addr) : B_FALSE);
}
static boolean_t
ipnospoof_check_v6(mac_client_impl_t *mcip, mac_protect_t *protect,
in6_addr_t *addr)
{
uint_t i;
/*
* The unspecified address and the v6 link local address are allowed.
*/
if (IN6_IS_ADDR_UNSPECIFIED(addr) ||
((mcip->mci_protect_flags & MPT_FLAG_V6_LOCAL_ADDR_SET) != 0 &&
IN6_ARE_ADDR_EQUAL(&mcip->mci_v6_local_addr, addr)))
return (B_TRUE);
for (i = 0; i < protect->mp_ipaddrcnt; i++) {
mac_ipaddr_t *v6addr = &protect->mp_ipaddrs[i];
if (v6addr->ip_version == IPV6_VERSION &&
/* LINTED E_SUSPICIOUS_COMPARISON */
IN6_ARE_PREFIXEDADDR_EQUAL(&v6addr->ip_addr, addr,
v6addr->ip_netmask))
return (B_TRUE);
}
if (protect->mp_ipaddrcnt == 0) {
return (check_slaac_ip(mcip, addr) ||
check_dhcpv6_dyn_ip(mcip, addr));
} else {
return (B_FALSE);
}
}
/*
* Checks various fields within an IPv6 NDP packet.
*/
static boolean_t
ipnospoof_check_ndp(mac_client_impl_t *mcip, mac_protect_t *protect,
ip6_t *ip6h, uchar_t *end)
{
icmp6_t *icmp_nd = (icmp6_t *)&ip6h[1];
int hdrlen, optlen, opttype, len;
uint_t addrlen, maclen;
uint8_t type;
nd_opt_hdr_t *opt;
struct nd_opt_lla *lla = NULL;
/*
* NDP packets do not have extension headers so the ICMPv6 header
* must immediately follow the IPv6 header.
*/
if (ip6h->ip6_nxt != IPPROTO_ICMPV6)
return (B_TRUE);
/* ICMPv6 header missing */
if ((uchar_t *)&icmp_nd[1] > end)
return (B_FALSE);
len = end - (uchar_t *)icmp_nd;
type = icmp_nd->icmp6_type;
switch (type) {
case ND_ROUTER_SOLICIT:
hdrlen = sizeof (nd_router_solicit_t);
break;
case ND_ROUTER_ADVERT:
hdrlen = sizeof (nd_router_advert_t);
break;
case ND_NEIGHBOR_SOLICIT:
hdrlen = sizeof (nd_neighbor_solicit_t);
break;
case ND_NEIGHBOR_ADVERT:
hdrlen = sizeof (nd_neighbor_advert_t);
break;
case ND_REDIRECT:
hdrlen = sizeof (nd_redirect_t);
break;
default:
return (B_TRUE);
}
if (len < hdrlen)
return (B_FALSE);
/* SLLA option checking is needed for RS/RA/NS */
opttype = ND_OPT_SOURCE_LINKADDR;
switch (type) {
case ND_NEIGHBOR_ADVERT: {
nd_neighbor_advert_t *na = (nd_neighbor_advert_t *)icmp_nd;
if (!ipnospoof_check_v6(mcip, protect, &na->nd_na_target)) {
DTRACE_PROBE2(ndp__na__fail,
mac_client_impl_t *, mcip, ip6_t *, ip6h);
return (B_FALSE);
}
/* TLLA option for NA */
opttype = ND_OPT_TARGET_LINKADDR;
break;
}
case ND_REDIRECT: {
/* option checking not needed for RD */
return (B_TRUE);
}
default:
break;
}
if (len == hdrlen) {
/* no options, we're done */
return (B_TRUE);
}
opt = (nd_opt_hdr_t *)((uchar_t *)icmp_nd + hdrlen);
optlen = len - hdrlen;
/* find the option header we need */
while (optlen > sizeof (nd_opt_hdr_t)) {
if (opt->nd_opt_type == opttype) {
lla = (struct nd_opt_lla *)opt;
break;
}
optlen -= 8 * opt->nd_opt_len;
opt = (nd_opt_hdr_t *)
((uchar_t *)opt + 8 * opt->nd_opt_len);
}
if (lla == NULL)
return (B_TRUE);
addrlen = lla->nd_opt_lla_len * 8 - sizeof (nd_opt_hdr_t);
maclen = mcip->mci_mip->mi_info.mi_addr_length;
if (addrlen != maclen ||
bcmp(mcip->mci_unicast->ma_addr,
lla->nd_opt_lla_hdw_addr, maclen) != 0) {
DTRACE_PROBE2(ndp__lla__fail,
mac_client_impl_t *, mcip, ip6_t *, ip6h);
return (B_FALSE);
}
DTRACE_PROBE2(ndp__lla__ok, mac_client_impl_t *, mcip, ip6_t *, ip6h);
return (B_TRUE);
}
/*
* Enforce ip-nospoof protection.
*/
static int
ipnospoof_check(mac_client_impl_t *mcip, mac_protect_t *protect,
mblk_t *mp, mac_header_info_t *mhip)
{
size_t hdrsize = mhip->mhi_hdrsize;
uint32_t sap = mhip->mhi_bindsap;
uchar_t *start, *end;
mblk_t *nmp = NULL;
int err;
err = get_l3_info(mp, hdrsize, &start, &end, &nmp);
if (err != 0) {
DTRACE_PROBE2(invalid__l3, mac_client_impl_t *, mcip,
mblk_t *, mp);
return (err);
}
err = EINVAL;
switch (sap) {
case ETHERTYPE_IP: {
ipha_t *ipha = (ipha_t *)start;
if (start + sizeof (ipha_t) > end)
goto fail;
if (!ipnospoof_check_v4(mcip, protect, &ipha->ipha_src))
goto fail;
if (!intercept_dhcpv4_outbound(mcip, ipha, end))
goto fail;
break;
}
case ETHERTYPE_ARP: {
arh_t *arh = (arh_t *)start;
uint32_t maclen, hlen, plen, arplen;
ipaddr_t spaddr;
uchar_t *shaddr;
if (start + sizeof (arh_t) > end)
goto fail;
maclen = mcip->mci_mip->mi_info.mi_addr_length;
hlen = arh->arh_hlen;
plen = arh->arh_plen;
if ((hlen != 0 && hlen != maclen) ||
plen != sizeof (ipaddr_t))
goto fail;
arplen = sizeof (arh_t) + 2 * hlen + 2 * plen;
if (start + arplen > end)
goto fail;
shaddr = start + sizeof (arh_t);
if (hlen != 0 &&
bcmp(mcip->mci_unicast->ma_addr, shaddr, maclen) != 0)
goto fail;
bcopy(shaddr + hlen, &spaddr, sizeof (spaddr));
if (!ipnospoof_check_v4(mcip, protect, &spaddr))
goto fail;
break;
}
case ETHERTYPE_IPV6: {
ip6_t *ip6h = (ip6_t *)start;
if (start + sizeof (ip6_t) > end)
goto fail;
if (!ipnospoof_check_v6(mcip, protect, &ip6h->ip6_src))
goto fail;
if (!ipnospoof_check_ndp(mcip, protect, ip6h, end))
goto fail;
if (!intercept_dhcpv6_outbound(mcip, ip6h, end))
goto fail;
break;
}
}
freemsg(nmp);
return (0);
fail:
freemsg(nmp);
return (err);
}
static boolean_t
dhcpnospoof_check_cid(mac_protect_t *p, uchar_t *cid, uint_t cidlen)
{
int i;
for (i = 0; i < p->mp_cidcnt; i++) {
mac_dhcpcid_t *dcid = &p->mp_cids[i];
if (dcid->dc_len == cidlen &&
bcmp(dcid->dc_id, cid, cidlen) == 0)
return (B_TRUE);
}
return (B_FALSE);
}
static boolean_t
dhcpnospoof_check_v4(mac_client_impl_t *mcip, mac_protect_t *p,
ipha_t *ipha, uchar_t *end)
{
struct dhcp *dh4;
uchar_t *cid;
uint_t maclen, cidlen = 0;
uint8_t optlen;
int err;
if ((err = get_dhcpv4_info(ipha, end, &dh4)) != 0)
return (err == EINVAL);
maclen = mcip->mci_mip->mi_info.mi_addr_length;
if (dh4->hlen == maclen &&
bcmp(mcip->mci_unicast->ma_addr, dh4->chaddr, maclen) != 0) {
return (B_FALSE);
}
if (get_dhcpv4_option(dh4, end, CD_CLIENT_ID, &cid, &optlen) == 0)
cidlen = optlen;
if (cidlen == 0)
return (B_TRUE);
if (*cid == ARPHRD_ETHER && cidlen - 1 == maclen &&
bcmp(mcip->mci_unicast->ma_addr, cid + 1, maclen) == 0)
return (B_TRUE);
return (dhcpnospoof_check_cid(p, cid, cidlen));
}
static boolean_t
dhcpnospoof_check_v6(mac_client_impl_t *mcip, mac_protect_t *p,
ip6_t *ip6h, uchar_t *end)
{
dhcpv6_message_t *dh6;
dhcpv6_option_t *d6o;
uint8_t mtype;
uchar_t *cid, *lladdr = NULL;
uint_t cidlen, maclen, addrlen = 0;
uint16_t cidtype;
int err;
if ((err = get_dhcpv6_info(ip6h, end, &dh6)) != 0)
return (err == EINVAL);
/*
* We only check client-generated messages.
*/
mtype = dh6->d6m_msg_type;
if (mtype == DHCPV6_MSG_ADVERTISE || mtype == DHCPV6_MSG_REPLY ||
mtype == DHCPV6_MSG_RECONFIGURE)
return (B_TRUE);
d6o = get_dhcpv6_option(&dh6[1], end - (uchar_t *)&dh6[1], NULL,
DHCPV6_OPT_CLIENTID, &cidlen);
if (d6o == NULL || (uchar_t *)d6o + cidlen > end)
return (B_TRUE);
cid = (uchar_t *)&d6o[1];
cidlen -= sizeof (*d6o);
if (cidlen < sizeof (cidtype))
return (B_TRUE);
bcopy(cid, &cidtype, sizeof (cidtype));
cidtype = ntohs(cidtype);
if (cidtype == DHCPV6_DUID_LLT && cidlen >= sizeof (duid_llt_t)) {
lladdr = cid + sizeof (duid_llt_t);
addrlen = cidlen - sizeof (duid_llt_t);
}
if (cidtype == DHCPV6_DUID_LL && cidlen >= sizeof (duid_ll_t)) {
lladdr = cid + sizeof (duid_ll_t);
addrlen = cidlen - sizeof (duid_ll_t);
}
maclen = mcip->mci_mip->mi_info.mi_addr_length;
if (lladdr != NULL && addrlen == maclen &&
bcmp(mcip->mci_unicast->ma_addr, lladdr, maclen) == 0) {
return (B_TRUE);
}
return (dhcpnospoof_check_cid(p, cid, cidlen));
}
/*
* Enforce dhcp-nospoof protection.
*/
static int
dhcpnospoof_check(mac_client_impl_t *mcip, mac_protect_t *protect,
mblk_t *mp, mac_header_info_t *mhip)
{
size_t hdrsize = mhip->mhi_hdrsize;
uint32_t sap = mhip->mhi_bindsap;
uchar_t *start, *end;
mblk_t *nmp = NULL;
int err;
err = get_l3_info(mp, hdrsize, &start, &end, &nmp);
if (err != 0) {
DTRACE_PROBE2(invalid__l3, mac_client_impl_t *, mcip,
mblk_t *, mp);
return (err);
}
err = EINVAL;
switch (sap) {
case ETHERTYPE_IP: {
ipha_t *ipha = (ipha_t *)start;
if (start + sizeof (ipha_t) > end)
goto fail;
if (!dhcpnospoof_check_v4(mcip, protect, ipha, end))
goto fail;
break;
}
case ETHERTYPE_IPV6: {
ip6_t *ip6h = (ip6_t *)start;
if (start + sizeof (ip6_t) > end)
goto fail;
if (!dhcpnospoof_check_v6(mcip, protect, ip6h, end))
goto fail;
break;
}
}
freemsg(nmp);
return (0);
fail:
/* increment dhcpnospoof stat here */
freemsg(nmp);
return (err);
}
/*
* This is called whenever the mac client's mac address changes, to make sure
* we allow use of the new link-local address.
*/
static void
mac_protect_update_v6_local_addr(mac_client_impl_t *mcip)
{
uint_t i;
in6_addr_t *token = &mcip->mci_v6_mac_token;
in6_addr_t *v6addr = &mcip->mci_v6_local_addr;
in6_addr_t ll_template = {(uint32_t)V6_LINKLOCAL, 0x0, 0x0, 0x0};
for (i = 0; i < 4; i++) {
v6addr->s6_addr32[i] = token->s6_addr32[i] |
ll_template.s6_addr32[i];
}
mcip->mci_protect_flags |= MPT_FLAG_V6_LOCAL_ADDR_SET;
}
/*
* This is called whenever the mac client's mac address changes, to make sure
* that any existing addresses gained via SLAAC are appropriately updated.
*/
static void
mac_protect_update_v6_slaac_addr(mac_client_impl_t *mcip)
{
void *cookie = NULL;
avl_tree_t temp_tree;
avl_tree_t *ttp = &temp_tree, *sip = &mcip->mci_v6_slaac_ip;
in6_addr_t *token = &mcip->mci_v6_mac_token;
slaac_addr_t *addr = NULL;
avl_create(ttp, compare_slaac_ip, sizeof (slaac_addr_t),
offsetof(slaac_addr_t, sla_node));
/* Copy everything over to the temporary tree, and fix the IP address */
while ((addr = avl_destroy_nodes(sip, &cookie)) != NULL) {
VERIFY(insert_slaac_ip(ttp, token, addr) == B_TRUE);
}
/*
* Now that the tempory tree has all of the modified addresses, we can
* swap them over to the original tree once it's reset.
*/
avl_destroy(sip);
avl_create(sip, compare_slaac_ip, sizeof (slaac_addr_t),
offsetof(slaac_addr_t, sla_node));
avl_swap(ttp, sip);
}
/*
* After the unicast MAC address changes, we need to update the derived token,
* and update the IPv6 addresses that use the token.
*/
void
mac_protect_update_mac_token(mac_client_impl_t *mcip)
{
uint_t media = mcip->mci_mip->mi_info.mi_media;
uint8_t *p, *macaddr = mcip->mci_unicast->ma_addr;
in6_addr_t *token = &mcip->mci_v6_mac_token;
bzero(token, sizeof (in6_addr_t));
p = (uint8_t *)&token->s6_addr32[2];
switch (media) {
case DL_ETHER:
bcopy(macaddr, p, 3);
p[0] ^= 0x2;
p[3] = 0xff;
p[4] = 0xfe;
bcopy(macaddr + 3, p + 5, 3);
break;
case DL_IB:
ASSERT(mcip->mci_mip->mi_info.mi_addr_length == 20);
bcopy(macaddr + 12, p, 8);
p[0] |= 2;
break;
default:
/*
* We do not need to generate the local address for link types
* that do not support link protection. Wifi pretends to be
* Ethernet so it is covered by the DL_ETHER case (note the
* use of mi_media instead of mi_nativemedia).
*/
return;
}
mac_protect_update_v6_local_addr(mcip);
mac_protect_update_v6_slaac_addr(mcip);
}
/*
* Enforce link protection on one packet.
*/
static int
mac_protect_check_one(mac_client_impl_t *mcip, mblk_t *mp)
{
mac_impl_t *mip = mcip->mci_mip;
mac_resource_props_t *mrp = MCIP_RESOURCE_PROPS(mcip);
mac_protect_t *protect;
mac_header_info_t mhi;
uint32_t types;
int err;
ASSERT(mp->b_next == NULL);
ASSERT(mrp != NULL);
err = mac_vlan_header_info((mac_handle_t)mip, mp, &mhi);
if (err != 0) {
DTRACE_PROBE2(invalid__header, mac_client_impl_t *, mcip,
mblk_t *, mp);
return (err);
}
protect = &mrp->mrp_protect;
types = protect->mp_types;
if ((types & MPT_MACNOSPOOF) != 0) {
if (mhi.mhi_saddr != NULL &&
bcmp(mcip->mci_unicast->ma_addr, mhi.mhi_saddr,
mip->mi_info.mi_addr_length) != 0) {
BUMP_STAT(mcip, macspoofed);
DTRACE_PROBE2(mac__nospoof__fail,
mac_client_impl_t *, mcip, mblk_t *, mp);
return (EINVAL);
}
}
if ((types & MPT_RESTRICTED) != 0) {
uint32_t vid = VLAN_ID(mhi.mhi_tci);
uint32_t sap = mhi.mhi_bindsap;
/*
* ETHERTYPE_VLAN packets are allowed through, provided that
* the vid is not spoofed.
*/
if (vid != 0 && !mac_client_check_flow_vid(mcip, vid)) {
BUMP_STAT(mcip, restricted);
DTRACE_PROBE2(restricted__vid__invalid,
mac_client_impl_t *, mcip, mblk_t *, mp);
return (EINVAL);
}
if (sap != ETHERTYPE_IP && sap != ETHERTYPE_IPV6 &&
sap != ETHERTYPE_ARP) {
BUMP_STAT(mcip, restricted);
DTRACE_PROBE2(restricted__fail,
mac_client_impl_t *, mcip, mblk_t *, mp);
return (EINVAL);
}
}
if ((types & MPT_IPNOSPOOF) != 0) {
if ((err = ipnospoof_check(mcip, protect, mp, &mhi)) != 0) {
BUMP_STAT(mcip, ipspoofed);
DTRACE_PROBE2(ip__nospoof__fail,
mac_client_impl_t *, mcip, mblk_t *, mp);
return (err);
}
}
if ((types & MPT_DHCPNOSPOOF) != 0) {
if ((err = dhcpnospoof_check(mcip, protect, mp, &mhi)) != 0) {
BUMP_STAT(mcip, dhcpspoofed);
DTRACE_PROBE2(dhcp__nospoof__fail,
mac_client_impl_t *, mcip, mblk_t *, mp);
return (err);
}
}
return (0);
}
/*
* Enforce link protection on a packet chain.
* Packets that pass the checks are returned back to the caller.
*/
mblk_t *
mac_protect_check(mac_client_handle_t mch, mblk_t *mp)
{
mac_client_impl_t *mcip = (mac_client_impl_t *)mch;
mblk_t *ret_mp = NULL, **tailp = &ret_mp, *next;
/*
* Skip checks if we are part of an aggr.
*/
if ((mcip->mci_state_flags & MCIS_IS_AGGR_PORT) != 0)
return (mp);
for (; mp != NULL; mp = next) {
next = mp->b_next;
mp->b_next = NULL;
if (mac_protect_check_one(mcip, mp) == 0) {
*tailp = mp;
tailp = &mp->b_next;
} else {
freemsg(mp);
}
}
return (ret_mp);
}
/*
* Check if a particular protection type is enabled.
*/
boolean_t
mac_protect_enabled(mac_client_handle_t mch, uint32_t type)
{
return (MAC_PROTECT_ENABLED((mac_client_impl_t *)mch, type));
}
static int
validate_ips(mac_protect_t *p)
{
uint_t i, j;
if (p->mp_ipaddrcnt == MPT_RESET)
return (0);
if (p->mp_ipaddrcnt > MPT_MAXIPADDR)
return (EINVAL);
for (i = 0; i < p->mp_ipaddrcnt; i++) {
mac_ipaddr_t *addr = &p->mp_ipaddrs[i];
/*
* The unspecified address is implicitly allowed so there's no
* need to add it to the list. Also, validate that the netmask,
* if any, is sane for the specific version of IP. A mask of
* some kind is always required.
*/
if (addr->ip_netmask == 0)
return (EINVAL);
if (addr->ip_version == IPV4_VERSION) {
if (V4_PART_OF_V6(addr->ip_addr) == INADDR_ANY)
return (EINVAL);
if (addr->ip_netmask > 32)
return (EINVAL);
} else if (addr->ip_version == IPV6_VERSION) {
if (IN6_IS_ADDR_UNSPECIFIED(&addr->ip_addr))
return (EINVAL);
if (IN6_IS_ADDR_V4MAPPED_ANY(&addr->ip_addr))
return (EINVAL);
if (addr->ip_netmask > 128)
return (EINVAL);
} else {
/* invalid ip version */
return (EINVAL);
}
for (j = 0; j < p->mp_ipaddrcnt; j++) {
mac_ipaddr_t *addr1 = &p->mp_ipaddrs[j];
if (i == j || addr->ip_version != addr1->ip_version)
continue;
/* found a duplicate */
if ((addr->ip_version == IPV4_VERSION &&
V4_PART_OF_V6(addr->ip_addr) ==
V4_PART_OF_V6(addr1->ip_addr)) ||
IN6_ARE_ADDR_EQUAL(&addr->ip_addr,
&addr1->ip_addr))
return (EINVAL);
}
}
return (0);
}
/* ARGSUSED */
static int
validate_cids(mac_protect_t *p)
{
uint_t i, j;
if (p->mp_cidcnt == MPT_RESET)
return (0);
if (p->mp_cidcnt > MPT_MAXCID)
return (EINVAL);
for (i = 0; i < p->mp_cidcnt; i++) {
mac_dhcpcid_t *cid = &p->mp_cids[i];
if (cid->dc_len > MPT_MAXCIDLEN ||
(cid->dc_form != CIDFORM_TYPED &&
cid->dc_form != CIDFORM_HEX &&
cid->dc_form != CIDFORM_STR))
return (EINVAL);
for (j = 0; j < p->mp_cidcnt; j++) {
mac_dhcpcid_t *cid1 = &p->mp_cids[j];
if (i == j || cid->dc_len != cid1->dc_len)
continue;
/* found a duplicate */
if (bcmp(cid->dc_id, cid1->dc_id, cid->dc_len) == 0)
return (EINVAL);
}
}
return (0);
}
/*
* Sanity-checks parameters given by userland.
*/
int
mac_protect_validate(mac_resource_props_t *mrp)
{
mac_protect_t *p = &mrp->mrp_protect;
int err;
/* check for invalid types */
if (p->mp_types != MPT_RESET && (p->mp_types & ~MPT_ALL) != 0)
return (EINVAL);
if ((err = validate_ips(p)) != 0)
return (err);
if ((err = validate_cids(p)) != 0)
return (err);
return (0);
}
/*
* Enable/disable link protection.
*/
int
mac_protect_set(mac_client_handle_t mch, mac_resource_props_t *mrp)
{
mac_client_impl_t *mcip = (mac_client_impl_t *)mch;
mac_impl_t *mip = mcip->mci_mip;
uint_t media = mip->mi_info.mi_nativemedia;
int err;
ASSERT(MAC_PERIM_HELD((mac_handle_t)mip));
/* tunnels are not supported */
if (media == DL_IPV4 || media == DL_IPV6 || media == DL_6TO4)
return (ENOTSUP);
if ((err = mac_protect_validate(mrp)) != 0)
return (err);
if (err != 0)
return (err);
mac_update_resources(mrp, MCIP_RESOURCE_PROPS(mcip), B_FALSE);
i_mac_notify(((mcip->mci_state_flags & MCIS_IS_VNIC) != 0 ?
mcip->mci_upper_mip : mip), MAC_NOTE_ALLOWED_IPS);
return (0);
}
void
mac_protect_update(mac_resource_props_t *new, mac_resource_props_t *curr)
{
mac_protect_t *np = &new->mrp_protect;
mac_protect_t *cp = &curr->mrp_protect;
uint32_t types = np->mp_types;
if (types == MPT_RESET) {
cp->mp_types = 0;
curr->mrp_mask &= ~MRP_PROTECT;
} else {
if (types != 0) {
cp->mp_types = types;
curr->mrp_mask |= MRP_PROTECT;
}
}
if (np->mp_ipaddrcnt != 0) {
if (np->mp_ipaddrcnt <= MPT_MAXIPADDR) {
bcopy(np->mp_ipaddrs, cp->mp_ipaddrs,
sizeof (cp->mp_ipaddrs));
cp->mp_ipaddrcnt = np->mp_ipaddrcnt;
} else if (np->mp_ipaddrcnt == MPT_RESET) {
bzero(cp->mp_ipaddrs, sizeof (cp->mp_ipaddrs));
cp->mp_ipaddrcnt = 0;
}
}
if (np->mp_cidcnt != 0) {
if (np->mp_cidcnt <= MPT_MAXCID) {
bcopy(np->mp_cids, cp->mp_cids, sizeof (cp->mp_cids));
cp->mp_cidcnt = np->mp_cidcnt;
} else if (np->mp_cidcnt == MPT_RESET) {
bzero(cp->mp_cids, sizeof (cp->mp_cids));
cp->mp_cidcnt = 0;
}
}
}
void
mac_protect_init(mac_client_impl_t *mcip)
{
mutex_init(&mcip->mci_protect_lock, NULL, MUTEX_DRIVER, NULL);
mcip->mci_protect_flags = 0;
mcip->mci_txn_cleanup_tid = 0;
avl_create(&mcip->mci_v4_pending_txn, compare_dhcpv4_xid,
sizeof (dhcpv4_txn_t), offsetof(dhcpv4_txn_t, dt_node));
avl_create(&mcip->mci_v4_completed_txn, compare_dhcpv4_cid,
sizeof (dhcpv4_txn_t), offsetof(dhcpv4_txn_t, dt_node));
avl_create(&mcip->mci_v4_dyn_ip, compare_dhcpv4_ip,
sizeof (dhcpv4_txn_t), offsetof(dhcpv4_txn_t, dt_ipnode));
avl_create(&mcip->mci_v6_pending_txn, compare_dhcpv6_xid,
sizeof (dhcpv6_txn_t), offsetof(dhcpv6_txn_t, dt_node));
avl_create(&mcip->mci_v6_cid, compare_dhcpv6_cid,
sizeof (dhcpv6_cid_t), offsetof(dhcpv6_cid_t, dc_node));
avl_create(&mcip->mci_v6_dyn_ip, compare_dhcpv6_ip,
sizeof (dhcpv6_addr_t), offsetof(dhcpv6_addr_t, da_node));
avl_create(&mcip->mci_v6_slaac_ip, compare_slaac_ip,
sizeof (slaac_addr_t), offsetof(slaac_addr_t, sla_node));
if (mcip->mci_state_flags & MCIS_IS_VNIC)
mcip->mci_protect_flags |= MPT_FLAG_PROMISC_FILTERED;
}
void
mac_protect_fini(mac_client_impl_t *mcip)
{
avl_destroy(&mcip->mci_v6_dyn_ip);
avl_destroy(&mcip->mci_v6_cid);
avl_destroy(&mcip->mci_v6_pending_txn);
avl_destroy(&mcip->mci_v4_dyn_ip);
avl_destroy(&mcip->mci_v4_completed_txn);
avl_destroy(&mcip->mci_v4_pending_txn);
avl_destroy(&mcip->mci_v6_slaac_ip);
mcip->mci_txn_cleanup_tid = 0;
mcip->mci_protect_flags = 0;
mutex_destroy(&mcip->mci_protect_lock);
}
static boolean_t
allowed_ips_set(mac_resource_props_t *mrp, uint32_t af)
{
int i;
for (i = 0; i < mrp->mrp_protect.mp_ipaddrcnt; i++) {
if (mrp->mrp_protect.mp_ipaddrs[i].ip_version == af)
return (B_TRUE);
}
return (B_FALSE);
}
mac_protect_t *
mac_protect_get(mac_handle_t mh)
{
mac_impl_t *mip = (mac_impl_t *)mh;
return (&mip->mi_resource_props.mrp_protect);
}