1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
25
26 #include <sys/types.h>
27 #include <sys/socket.h>
28 #include <sys/ksynch.h>
29 #include <sys/kmem.h>
30 #include <sys/errno.h>
31 #include <sys/systm.h>
32 #include <sys/sysmacros.h>
33 #include <sys/cmn_err.h>
34 #include <sys/strsun.h>
35 #include <sys/zone.h>
36 #include <netinet/in.h>
37 #include <inet/common.h>
38 #include <inet/ip.h>
39 #include <inet/ip6.h>
40 #include <inet/ip6_asp.h>
41 #include <inet/ip_ire.h>
42 #include <inet/ip_if.h>
43 #include <inet/ipclassifier.h>
44
45 #define IN6ADDR_MASK128_INIT \
46 {{{ 0xffffffffU, 0xffffffffU, 0xffffffffU, 0xffffffffU }}}
47 #define IN6ADDR_MASK96_INIT {{{ 0xffffffffU, 0xffffffffU, 0xffffffffU, 0 }}}
48 #ifdef _BIG_ENDIAN
49 #define IN6ADDR_MASK16_INIT {{{ 0xffff0000U, 0, 0, 0 }}}
50 #else
51 #define IN6ADDR_MASK16_INIT {{{ 0x0000ffffU, 0, 0, 0 }}}
52 #endif
53
54
55 /*
56 * This table is ordered such that longest prefix matches are hit first
57 * (longer prefix lengths first). The last entry must be the "default"
58 * entry (::0/0).
59 */
60 static ip6_asp_t default_ip6_asp_table[] = {
61 { IN6ADDR_LOOPBACK_INIT, IN6ADDR_MASK128_INIT,
62 {"Loopback"}, 50 },
63 { IN6ADDR_ANY_INIT, IN6ADDR_MASK96_INIT,
64 {"IPv4_Compatible"}, 20 },
65 #ifdef _BIG_ENDIAN
66 { {{{ 0, 0, 0x0000ffffU, 0 }}}, IN6ADDR_MASK96_INIT,
67 {"IPv4"}, 10 },
68 { {{{ 0x20020000U, 0, 0, 0 }}}, IN6ADDR_MASK16_INIT,
69 {"6to4"}, 30 },
70 #else
71 { {{{ 0, 0, 0xffff0000U, 0 }}}, IN6ADDR_MASK96_INIT,
72 {"IPv4"}, 10 },
73 { {{{ 0x00000220U, 0, 0, 0 }}}, IN6ADDR_MASK16_INIT,
74 {"6to4"}, 30 },
75 #endif
76 { IN6ADDR_ANY_INIT, IN6ADDR_ANY_INIT,
77 {"Default"}, 40 }
78 };
79
80 /*
81 * The IPv6 Default Address Selection policy table.
82 * Until someone up above reconfigures the policy table, use the global
83 * default. The table needs no lock since the only way to alter it is
84 * through the SIOCSIP6ADDRPOLICY which is exclusive in ip.
85 */
86 static void ip6_asp_copy(ip6_asp_t *, ip6_asp_t *, uint_t);
87 static void ip6_asp_check_for_updates(ip_stack_t *);
88
89 void
90 ip6_asp_init(ip_stack_t *ipst)
91 {
92 /* Initialize the table lock */
93 mutex_init(&ipst->ips_ip6_asp_lock, NULL, MUTEX_DEFAULT, NULL);
94
95 ipst->ips_ip6_asp_table = default_ip6_asp_table;
96
97 ipst->ips_ip6_asp_table_count =
98 sizeof (default_ip6_asp_table) / sizeof (ip6_asp_t);
99 }
100
101 void
102 ip6_asp_free(ip_stack_t *ipst)
103 {
104 if (ipst->ips_ip6_asp_table != default_ip6_asp_table) {
105 kmem_free(ipst->ips_ip6_asp_table,
106 ipst->ips_ip6_asp_table_count * sizeof (ip6_asp_t));
107 ipst->ips_ip6_asp_table = NULL;
108 }
109 mutex_destroy(&ipst->ips_ip6_asp_lock);
110 }
111
112 /*
113 * Return false if the table is being updated. Else, increment the ref
114 * count and return true.
115 */
116 boolean_t
117 ip6_asp_can_lookup(ip_stack_t *ipst)
118 {
119 mutex_enter(&ipst->ips_ip6_asp_lock);
120 if (ipst->ips_ip6_asp_uip) {
121 mutex_exit(&ipst->ips_ip6_asp_lock);
122 return (B_FALSE);
123 }
124 IP6_ASP_TABLE_REFHOLD(ipst);
125 mutex_exit(&ipst->ips_ip6_asp_lock);
126 return (B_TRUE);
127
128 }
129
130 void
131 ip6_asp_pending_op(queue_t *q, mblk_t *mp, aspfunc_t func)
132 {
133 conn_t *connp = Q_TO_CONN(q);
134 ip_stack_t *ipst = connp->conn_netstack->netstack_ip;
135
136 ASSERT((mp->b_prev == NULL) && (mp->b_queue == NULL) &&
137 (mp->b_next == NULL));
138 mp->b_queue = (void *)q;
139 mp->b_prev = (void *)func;
140 mp->b_next = NULL;
141
142 mutex_enter(&ipst->ips_ip6_asp_lock);
143 if (ipst->ips_ip6_asp_pending_ops == NULL) {
144 ASSERT(ipst->ips_ip6_asp_pending_ops_tail == NULL);
145 ipst->ips_ip6_asp_pending_ops =
146 ipst->ips_ip6_asp_pending_ops_tail = mp;
147 } else {
148 ipst->ips_ip6_asp_pending_ops_tail->b_next = mp;
149 ipst->ips_ip6_asp_pending_ops_tail = mp;
150 }
151 mutex_exit(&ipst->ips_ip6_asp_lock);
152 }
153
154 static void
155 ip6_asp_complete_op(ip_stack_t *ipst)
156 {
157 mblk_t *mp;
158 queue_t *q;
159 aspfunc_t func;
160
161 mutex_enter(&ipst->ips_ip6_asp_lock);
162 while (ipst->ips_ip6_asp_pending_ops != NULL) {
163 mp = ipst->ips_ip6_asp_pending_ops;
164 ipst->ips_ip6_asp_pending_ops = mp->b_next;
165 mp->b_next = NULL;
166 if (ipst->ips_ip6_asp_pending_ops == NULL)
167 ipst->ips_ip6_asp_pending_ops_tail = NULL;
168 mutex_exit(&ipst->ips_ip6_asp_lock);
169
170 q = (queue_t *)mp->b_queue;
171 func = (aspfunc_t)mp->b_prev;
172
173 mp->b_prev = NULL;
174 mp->b_queue = NULL;
175
176
177 (*func)(NULL, q, mp, NULL);
178 mutex_enter(&ipst->ips_ip6_asp_lock);
179 }
180 mutex_exit(&ipst->ips_ip6_asp_lock);
181 }
182
183 /*
184 * Decrement reference count. When it gets to 0, we check for (pending)
185 * saved update to the table, if any.
186 */
187 void
188 ip6_asp_table_refrele(ip_stack_t *ipst)
189 {
190 IP6_ASP_TABLE_REFRELE(ipst);
191 }
192
193 /*
194 * This function is guaranteed never to return a NULL pointer. It
195 * will always return information from one of the entries in the
196 * asp_table (which will never be empty). If a pointer is passed
197 * in for the precedence, the precedence value will be set; a
198 * pointer to the label will be returned by the function.
199 *
200 * Since the table is only anticipated to have five or six entries
201 * total, the lookup algorithm hasn't been optimized to anything
202 * better than O(n).
203 */
204 char *
205 ip6_asp_lookup(const in6_addr_t *addr, uint32_t *precedence, ip_stack_t *ipst)
206 {
207 ip6_asp_t *aspp;
208 ip6_asp_t *match = NULL;
209 ip6_asp_t *default_policy;
210
211 aspp = ipst->ips_ip6_asp_table;
212 /* The default entry must always be the last one */
213 default_policy = aspp + ipst->ips_ip6_asp_table_count - 1;
214
215 while (match == NULL) {
216 if (aspp == default_policy) {
217 match = aspp;
218 } else {
219 if (V6_MASK_EQ(*addr, aspp->ip6_asp_mask,
220 aspp->ip6_asp_prefix))
221 match = aspp;
222 else
223 aspp++;
224 }
225 }
226
227 if (precedence != NULL)
228 *precedence = match->ip6_asp_precedence;
229 return (match->ip6_asp_label);
230 }
231
232 /*
233 * If we had deferred updating the table because of outstanding references,
234 * do it now. Note, we don't do error checking on the queued IOCTL mblk, since
235 * ip_sioctl_ip6addrpolicy() has already done it for us.
236 */
237 void
238 ip6_asp_check_for_updates(ip_stack_t *ipst)
239 {
240 ip6_asp_t *table;
241 size_t table_size;
242 mblk_t *data_mp, *mp;
243 struct iocblk *iocp;
244
245 mutex_enter(&ipst->ips_ip6_asp_lock);
246 if (ipst->ips_ip6_asp_pending_update == NULL ||
247 ipst->ips_ip6_asp_refcnt > 0) {
248 mutex_exit(&ipst->ips_ip6_asp_lock);
249 return;
250 }
251
252 mp = ipst->ips_ip6_asp_pending_update;
253 ipst->ips_ip6_asp_pending_update = NULL;
254 ASSERT(mp->b_prev != NULL);
255
256 ipst->ips_ip6_asp_uip = B_TRUE;
257
258 iocp = (struct iocblk *)mp->b_rptr;
259 data_mp = mp->b_cont;
260 if (data_mp == NULL) {
261 table = NULL;
262 table_size = iocp->ioc_count;
263 } else {
264 table = (ip6_asp_t *)data_mp->b_rptr;
265 table_size = iocp->ioc_count;
266 }
267
268 ip6_asp_replace(mp, table, table_size, B_TRUE, ipst,
269 iocp->ioc_flag & IOC_MODELS);
270 }
271
272 /*
273 * ip6_asp_replace replaces the contents of the IPv6 address selection
274 * policy table with those specified in new_table. If new_table is NULL,
275 * this indicates that the caller wishes ip to use the default policy
276 * table. The caller is responsible for making sure that there are exactly
277 * new_count policy entries in new_table.
278 */
279 /*ARGSUSED5*/
280 void
281 ip6_asp_replace(mblk_t *mp, ip6_asp_t *new_table, size_t new_size,
282 boolean_t locked, ip_stack_t *ipst, model_t datamodel)
283 {
284 int ret_val = 0;
285 ip6_asp_t *tmp_table;
286 uint_t count;
287 queue_t *q;
288 struct iocblk *iocp;
289 #if defined(_SYSCALL32_IMPL) && _LONG_LONG_ALIGNMENT_32 == 4
290 size_t ip6_asp_size = SIZEOF_STRUCT(ip6_asp, datamodel);
291 #else
292 const size_t ip6_asp_size = sizeof (ip6_asp_t);
293 #endif
294
295 if (new_size % ip6_asp_size != 0) {
296 ip1dbg(("ip6_asp_replace: invalid table size\n"));
297 ret_val = EINVAL;
298 if (locked)
299 goto unlock_end;
300 goto replace_end;
301 } else {
302 count = new_size / ip6_asp_size;
303 }
304
305
306 if (!locked)
307 mutex_enter(&ipst->ips_ip6_asp_lock);
308 /*
309 * Check if we are in the process of creating any IRE using the
310 * current information. If so, wait till that is done.
311 */
312 if (!locked && ipst->ips_ip6_asp_refcnt > 0) {
313 /* Save this request for later processing */
314 if (ipst->ips_ip6_asp_pending_update == NULL) {
315 ipst->ips_ip6_asp_pending_update = mp;
316 } else {
317 /* Let's not queue multiple requests for now */
318 ip1dbg(("ip6_asp_replace: discarding request\n"));
319 mutex_exit(&ipst->ips_ip6_asp_lock);
320 ret_val = EAGAIN;
321 goto replace_end;
322 }
323 mutex_exit(&ipst->ips_ip6_asp_lock);
324 return;
325 }
326
327 /* Prevent lookups till the table have been updated */
328 if (!locked)
329 ipst->ips_ip6_asp_uip = B_TRUE;
330
331 ASSERT(ipst->ips_ip6_asp_refcnt == 0);
332
333 if (new_table == NULL) {
334 /*
335 * This is a special case. The user wants to revert
336 * back to using the default table.
337 */
338 if (ipst->ips_ip6_asp_table == default_ip6_asp_table)
339 goto unlock_end;
340
341 kmem_free(ipst->ips_ip6_asp_table,
342 ipst->ips_ip6_asp_table_count * sizeof (ip6_asp_t));
343 ipst->ips_ip6_asp_table = default_ip6_asp_table;
344 ipst->ips_ip6_asp_table_count =
345 sizeof (default_ip6_asp_table) / sizeof (ip6_asp_t);
346 goto unlock_end;
347 }
348
349 if (count == 0) {
350 ret_val = EINVAL;
351 ip1dbg(("ip6_asp_replace: empty table\n"));
352 goto unlock_end;
353 }
354
355 if ((tmp_table = kmem_alloc(count * sizeof (ip6_asp_t), KM_NOSLEEP)) ==
356 NULL) {
357 ret_val = ENOMEM;
358 goto unlock_end;
359 }
360
361 #if defined(_SYSCALL32_IMPL) && _LONG_LONG_ALIGNMENT_32 == 4
362
363 /*
364 * If 'new_table' -actually- originates from a 32-bit process
365 * then the nicely aligned ip6_asp_label array will be
366 * subtlely misaligned on this kernel, because the structure
367 * is 8 byte aligned in the kernel, but only 4 byte aligned in
368 * userland. Fix it up here.
369 *
370 * XX64 See the notes in ip_sioctl_ip6addrpolicy. Perhaps we could
371 * do the datamodel transformation (below) there instead of here?
372 */
373 if (datamodel == IOC_ILP32) {
374 ip6_asp_t *dst;
375 ip6_asp32_t *src;
376 int i;
377
378 if ((dst = kmem_zalloc(count * sizeof (*dst),
379 KM_NOSLEEP)) == NULL) {
380 kmem_free(tmp_table, count * sizeof (ip6_asp_t));
381 ret_val = ENOMEM;
382 goto unlock_end;
383 }
384
385 /*
386 * Copy each element of the table from ip6_asp32_t
387 * format into ip6_asp_t format. Fortunately, since
388 * we're just dealing with a trailing structure pad,
389 * we can do this straightforwardly with a flurry of
390 * bcopying.
391 */
392 src = (void *)new_table;
393 for (i = 0; i < count; i++)
394 bcopy(src + i, dst + i, sizeof (*src));
395
396 ip6_asp_copy(dst, tmp_table, count);
397 kmem_free(dst, count * sizeof (*dst));
398 } else
399 #endif
400 ip6_asp_copy(new_table, tmp_table, count);
401
402 /* Make sure the last entry is the default entry */
403 if (!IN6_IS_ADDR_UNSPECIFIED(&tmp_table[count - 1].ip6_asp_prefix) ||
404 !IN6_IS_ADDR_UNSPECIFIED(&tmp_table[count - 1].ip6_asp_mask)) {
405 ret_val = EINVAL;
406 kmem_free(tmp_table, count * sizeof (ip6_asp_t));
407 ip1dbg(("ip6_asp_replace: bad table: no default entry\n"));
408 goto unlock_end;
409 }
410 if (ipst->ips_ip6_asp_table != default_ip6_asp_table) {
411 kmem_free(ipst->ips_ip6_asp_table,
412 ipst->ips_ip6_asp_table_count * sizeof (ip6_asp_t));
413 }
414 ipst->ips_ip6_asp_table = tmp_table;
415 ipst->ips_ip6_asp_table_count = count;
416
417 unlock_end:
418 ipst->ips_ip6_asp_uip = B_FALSE;
419 mutex_exit(&ipst->ips_ip6_asp_lock);
420
421 /* Let conn_ixa caching know that source address selection changed */
422 ip_update_source_selection(ipst);
423
424 replace_end:
425 /* Reply to the ioctl */
426 q = (queue_t *)mp->b_prev;
427 mp->b_prev = NULL;
428 if (q == NULL) {
429 freemsg(mp);
430 goto check_binds;
431 }
432 iocp = (struct iocblk *)mp->b_rptr;
433 iocp->ioc_error = ret_val;
434 iocp->ioc_count = 0;
435 DB_TYPE(mp) = (iocp->ioc_error == 0) ? M_IOCACK : M_IOCNAK;
436 qreply(q, mp);
437 check_binds:
438 ip6_asp_complete_op(ipst);
439 }
440
441 /*
442 * Copies the contents of src_table to dst_table, and sorts the
443 * entries in decending order of prefix lengths. It assumes that both
444 * tables are appropriately sized to contain count entries.
445 */
446 static void
447 ip6_asp_copy(ip6_asp_t *src_table, ip6_asp_t *dst_table, uint_t count)
448 {
449 ip6_asp_t *src_ptr, *src_limit, *dst_ptr, *dst_limit, *dp;
450
451 dst_table[0] = src_table[0];
452 if (count == 1)
453 return;
454
455 /*
456 * Sort the entries in descending order of prefix lengths.
457 *
458 * Note: this should be a small table. In 99% of cases, we
459 * expect the table to have 5 entries. In the remaining 1%
460 * of cases, we expect the table to have one or two more
461 * entries. It would be very rare for the table to have
462 * double-digit entries.
463 */
464 src_limit = src_table + count;
465 dst_limit = dst_table + 1;
466 for (src_ptr = src_table + 1; src_ptr != src_limit;
467 src_ptr++, dst_limit++) {
468 for (dst_ptr = dst_table; dst_ptr < dst_limit; dst_ptr++) {
469 if (ip_mask_to_plen_v6(&src_ptr->ip6_asp_mask) >
470 ip_mask_to_plen_v6(&dst_ptr->ip6_asp_mask)) {
471 /*
472 * Make room to insert the source entry
473 * before dst_ptr by shifting entries to
474 * the right.
475 */
476 for (dp = dst_limit - 1; dp >= dst_ptr; dp--)
477 *(dp + 1) = *dp;
478 break;
479 }
480 }
481 *dst_ptr = *src_ptr;
482 }
483 }
484
485 /*
486 * This function copies as many entries from ip6_asp_table as will fit
487 * into dtable. The dtable_size parameter is the size of dtable
488 * in bytes. This function returns the number of entries in
489 * ip6_asp_table, even if it's not able to fit all of the entries into
490 * dtable.
491 */
492 int
493 ip6_asp_get(ip6_asp_t *dtable, size_t dtable_size, ip_stack_t *ipst)
494 {
495 uint_t dtable_count;
496
497 if (dtable != NULL) {
498 if (dtable_size < sizeof (ip6_asp_t))
499 return (-1);
500
501 dtable_count = dtable_size / sizeof (ip6_asp_t);
502 bcopy(ipst->ips_ip6_asp_table, dtable,
503 MIN(ipst->ips_ip6_asp_table_count, dtable_count) *
504 sizeof (ip6_asp_t));
505 }
506
507 return (ipst->ips_ip6_asp_table_count);
508 }
509
510 /*
511 * Compare two labels. Return B_TRUE if they are equal, B_FALSE
512 * otherwise.
513 */
514 boolean_t
515 ip6_asp_labelcmp(const char *label1, const char *label2)
516 {
517 int64_t *llptr1, *llptr2;
518
519 /*
520 * The common case, the two labels are actually the same string
521 * from the policy table.
522 */
523 if (label1 == label2)
524 return (B_TRUE);
525
526 /*
527 * Since we know the labels are at most 16 bytes long, compare
528 * the two strings as two 8-byte long integers. The ip6_asp_t
529 * structure guarantees that the labels are 8 byte alligned.
530 */
531 llptr1 = (int64_t *)label1;
532 llptr2 = (int64_t *)label2;
533 if (llptr1[0] == llptr2[0] && llptr1[1] == llptr2[1])
534 return (B_TRUE);
535 return (B_FALSE);
536 }