]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/network/networkd-ndisc.c
projects / thirdparty / systemd.git / blob
? search:


0c79061c024d1143484dc63e354a6229c67893b0
[thirdparty/systemd.git] / src / network / networkd-ndisc.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2 /***
3 Copyright © 2014 Intel Corporation. All rights reserved.
4 ***/
5
6 #include <linux/if_arp.h>
7 #include <linux/rtnetlink.h>
8 #include <netinet/icmp6.h>
9
10 #include "sd-ndisc.h"
11
12 #include "conf-parser.h"
13 #include "errno-util.h"
14 #include "event-util.h"
15 #include "missing_network.h"
16 #include "ndisc-router-internal.h"
17 #include "networkd-address.h"
18 #include "networkd-address-generation.h"
19 #include "networkd-dhcp6.h"
20 #include "networkd-link.h"
21 #include "networkd-manager.h"
22 #include "networkd-ndisc.h"
23 #include "networkd-nexthop.h"
24 #include "networkd-queue.h"
25 #include "networkd-route.h"
26 #include "networkd-state-file.h"
27 #include "networkd-sysctl.h"
28 #include "ordered-set.h"
29 #include "set.h"
30 #include "siphash24.h"
31 #include "socket-util.h"
32 #include "string-table.h"
33 #include "string-util.h"
34 #include "strv.h"
35 #include "sysctl-util.h"
36
37 #define NDISC_DNSSL_MAX 64U
38 #define NDISC_RDNSS_MAX 64U
39 #define NDISC_ENCRYPTED_DNS_MAX 64U
40 /* Not defined in the RFC, but let's set an upper limit to make not consume much memory.
41 * This should be safe as typically there should be at most 1 portal per network. */
42 #define NDISC_CAPTIVE_PORTAL_MAX 64U
43 /* Neither defined in the RFC. Just for safety. Otherwise, malformed messages can make clients trigger OOM.
44 * Not sure if the threshold is high enough. Let's adjust later if not. */
45 #define NDISC_PREF64_MAX 64U
46
47 static int ndisc_drop_outdated(Link *link, const struct in6_addr *router, usec_t timestamp_usec);
48
49 char* ndisc_dnssl_domain(const NDiscDNSSL *n) {
50 return ((char*) n) + ALIGN(sizeof(NDiscDNSSL));
51 }
52
53 bool link_ndisc_enabled(Link *link) {
54 assert(link);
55
56 if (!socket_ipv6_is_supported())
57 return false;
58
59 if (link->flags & IFF_LOOPBACK)
60 return false;
61
62 if (link->iftype == ARPHRD_CAN)
63 return false;
64
65 if (!link->network)
66 return false;
67
68 if (!link_may_have_ipv6ll(link, /* check_multicast = */ true))
69 return false;
70
71 /* Honor explicitly specified value. */
72 if (link->network->ndisc >= 0)
73 return link->network->ndisc;
74
75 /* Disable if RADV is enabled. */
76 if (link_radv_enabled(link))
77 return false;
78
79 /* Accept RAs if IPv6 forwarding is disabled, and ignore RAs if IPv6 forwarding is enabled. */
80 int t = link_get_ip_forwarding(link, AF_INET6);
81 if (t >= 0)
82 return !t;
83
84 /* Otherwise, defaults to true. */
85 return true;
86 }
87
88 void network_adjust_ndisc(Network *network) {
89 assert(network);
90
91 if (!FLAGS_SET(network->link_local, ADDRESS_FAMILY_IPV6)) {
92 if (network->ndisc > 0)
93 log_warning("%s: IPv6AcceptRA= is enabled but IPv6 link-local addressing is disabled or not supported. "
94 "Disabling IPv6AcceptRA=.", network->filename);
95 network->ndisc = false;
96 }
97
98 /* When RouterAllowList=, PrefixAllowList= or RouteAllowList= are specified, then
99 * RouterDenyList=, PrefixDenyList= or RouteDenyList= are ignored, respectively. */
100 if (!set_isempty(network->ndisc_allow_listed_router))
101 network->ndisc_deny_listed_router = set_free(network->ndisc_deny_listed_router);
102 if (!set_isempty(network->ndisc_allow_listed_prefix))
103 network->ndisc_deny_listed_prefix = set_free(network->ndisc_deny_listed_prefix);
104 if (!set_isempty(network->ndisc_allow_listed_route_prefix))
105 network->ndisc_deny_listed_route_prefix = set_free(network->ndisc_deny_listed_route_prefix);
106 }
107
108 static int ndisc_check_ready(Link *link);
109
110 static int ndisc_address_ready_callback(Address *address) {
111 Address *a;
112
113 assert(address);
114 assert(address->link);
115
116 SET_FOREACH(a, address->link->addresses)
117 if (a->source == NETWORK_CONFIG_SOURCE_NDISC)
118 a->callback = NULL;
119
120 return ndisc_check_ready(address->link);
121 }
122
123 static int ndisc_check_ready(Link *link) {
124 bool found = false, ready = false;
125 Address *address;
126
127 assert(link);
128
129 if (link->ndisc_messages > 0) {
130 log_link_debug(link, "%s(): SLAAC addresses and routes are not set.", __func__);
131 return 0;
132 }
133
134 SET_FOREACH(address, link->addresses) {
135 if (address->source != NETWORK_CONFIG_SOURCE_NDISC)
136 continue;
137
138 found = true;
139
140 if (address_is_ready(address)) {
141 ready = true;
142 break;
143 }
144 }
145
146 if (found && !ready) {
147 SET_FOREACH(address, link->addresses)
148 if (address->source == NETWORK_CONFIG_SOURCE_NDISC)
149 address->callback = ndisc_address_ready_callback;
150
151 log_link_debug(link, "%s(): no SLAAC address is ready.", __func__);
152 return 0;
153 }
154
155 link->ndisc_configured = true;
156 log_link_debug(link, "SLAAC addresses and routes set.");
157
158 link_check_ready(link);
159 return 0;
160 }
161
162 static int ndisc_remove_unused_nexthop(Link *link, NextHop *nexthop) {
163 int r;
164
165 assert(link);
166 assert(link->manager);
167 assert(link->ifindex > 0);
168 assert(nexthop);
169
170 if (nexthop->source != NETWORK_CONFIG_SOURCE_NDISC)
171 return 0;
172
173 if (nexthop->ifindex != link->ifindex)
174 return 0;
175
176 Route *route;
177 SET_FOREACH(route, nexthop->routes)
178 if (route_exists(route) || route_is_requesting(route))
179 return 0;
180
181 Request *req;
182 ORDERED_SET_FOREACH(req, link->manager->request_queue) {
183 if (req->type != REQUEST_TYPE_ROUTE)
184 continue;
185
186 route = ASSERT_PTR(req->userdata);
187 if (route->nexthop_id == nexthop->id)
188 return 0;
189 }
190
191 r = nexthop_remove_and_cancel(nexthop, link->manager);
192 if (r < 0)
193 return log_link_debug_errno(link, r, "Failed to remove unused nexthop: %m");
194
195 return 0;
196 }
197
198 static int ndisc_remove_unused_nexthop_by_id(Link *link, uint32_t id) {
199 assert(link);
200 assert(link->manager);
201
202 if (id == 0)
203 return 0;
204
205 NextHop *nexthop;
206 if (nexthop_get_by_id(link->manager, id, &nexthop) < 0)
207 return 0;
208
209 return ndisc_remove_unused_nexthop(link, nexthop);
210 }
211
212 static int ndisc_remove_unused_nexthops(Link *link) {
213 int ret = 0;
214
215 assert(link);
216 assert(link->manager);
217
218 NextHop *nexthop;
219 HASHMAP_FOREACH(nexthop, link->manager->nexthops_by_id)
220 RET_GATHER(ret, ndisc_remove_unused_nexthop(link, nexthop));
221
222 return ret;
223 }
224
225 #define NDISC_NEXTHOP_APP_ID SD_ID128_MAKE(76,d2,0f,1f,76,1e,44,d1,97,3a,52,5c,05,68,b5,0d)
226
227 static uint32_t ndisc_generate_nexthop_id(const NextHop *nexthop, Link *link, sd_id128_t app_id, uint64_t trial) {
228 assert(nexthop);
229 assert(link);
230
231 struct siphash state;
232 siphash24_init(&state, app_id.bytes);
233 siphash24_compress_typesafe(nexthop->protocol, &state);
234 siphash24_compress_string(link->ifname, &state);
235 siphash24_compress_typesafe(nexthop->gw.address.in6, &state);
236 siphash24_compress_typesafe(nexthop->provider.in6, &state);
237 uint64_t n = htole64(trial);
238 siphash24_compress_typesafe(n, &state);
239
240 uint64_t result = htole64(siphash24_finalize(&state));
241 return (uint32_t) ((result & 0xffffffff) ^ (result >> 32));
242 }
243
244 static bool ndisc_nexthop_equal(const NextHop *a, const NextHop *b) {
245 assert(a);
246 assert(b);
247
248 if (a->source != b->source)
249 return false;
250 if (a->protocol != b->protocol)
251 return false;
252 if (a->ifindex != b->ifindex)
253 return false;
254 if (!in6_addr_equal(&a->provider.in6, &b->provider.in6))
255 return false;
256 if (!in6_addr_equal(&a->gw.address.in6, &b->gw.address.in6))
257 return false;
258
259 return true;
260 }
261
262 static bool ndisc_take_nexthop_id(NextHop *nexthop, const NextHop *existing, Manager *manager) {
263 assert(nexthop);
264 assert(nexthop->id == 0);
265 assert(existing);
266 assert(existing->id > 0);
267 assert(manager);
268
269 if (!ndisc_nexthop_equal(nexthop, existing))
270 return false;
271
272 log_nexthop_debug(existing, "Found matching", manager);
273 nexthop->id = existing->id;
274 return true;
275 }
276
277 static int ndisc_nexthop_find_id(NextHop *nexthop, Link *link) {
278 NextHop *n;
279 Request *req;
280 int r;
281
282 assert(nexthop);
283 assert(link);
284 assert(link->manager);
285
286 sd_id128_t app_id;
287 r = sd_id128_get_machine_app_specific(NDISC_NEXTHOP_APP_ID, &app_id);
288 if (r < 0)
289 return r;
290
291 uint32_t id = ndisc_generate_nexthop_id(nexthop, link, app_id, 0);
292 if (nexthop_get_by_id(link->manager, id, &n) >= 0 &&
293 ndisc_take_nexthop_id(nexthop, n, link->manager))
294 return true;
295 if (nexthop_get_request_by_id(link->manager, id, &req) >= 0 &&
296 ndisc_take_nexthop_id(nexthop, req->userdata, link->manager))
297 return true;
298
299 HASHMAP_FOREACH(n, link->manager->nexthops_by_id)
300 if (ndisc_take_nexthop_id(nexthop, n, link->manager))
301 return true;
302
303 ORDERED_SET_FOREACH(req, link->manager->request_queue) {
304 if (req->type != REQUEST_TYPE_NEXTHOP)
305 continue;
306
307 if (ndisc_take_nexthop_id(nexthop, req->userdata, link->manager))
308 return true;
309 }
310
311 return false;
312 }
313
314 static int ndisc_nexthop_new(const Route *route, Link *link, NextHop **ret) {
315 _cleanup_(nexthop_unrefp) NextHop *nexthop = NULL;
316 int r;
317
318 assert(route);
319 assert(link);
320 assert(ret);
321
322 r = nexthop_new(&nexthop);
323 if (r < 0)
324 return r;
325
326 nexthop->source = NETWORK_CONFIG_SOURCE_NDISC;
327 nexthop->provider = route->provider;
328 nexthop->protocol = route->protocol == RTPROT_REDIRECT ? RTPROT_REDIRECT : RTPROT_RA;
329 nexthop->family = AF_INET6;
330 nexthop->gw.address = route->nexthop.gw;
331 nexthop->ifindex = link->ifindex;
332
333 r = ndisc_nexthop_find_id(nexthop, link);
334 if (r < 0)
335 return r;
336
337 *ret = TAKE_PTR(nexthop);
338 return 0;
339 }
340
341 static int ndisc_nexthop_acquire_id(NextHop *nexthop, Link *link) {
342 int r;
343
344 assert(nexthop);
345 assert(nexthop->id == 0);
346 assert(link);
347 assert(link->manager);
348
349 sd_id128_t app_id;
350 r = sd_id128_get_machine_app_specific(NDISC_NEXTHOP_APP_ID, &app_id);
351 if (r < 0)
352 return r;
353
354 for (uint64_t trial = 0; trial < 100; trial++) {
355 uint32_t id = ndisc_generate_nexthop_id(nexthop, link, app_id, trial);
356 if (id == 0)
357 continue;
358
359 if (set_contains(link->manager->nexthop_ids, UINT32_TO_PTR(id)))
360 continue; /* The ID is already used in a .network file. */
361
362 if (nexthop_get_by_id(link->manager, id, NULL) >= 0)
363 continue; /* The ID is already used by an existing nexthop. */
364
365 if (nexthop_get_request_by_id(link->manager, id, NULL) >= 0)
366 continue; /* The ID is already used by a nexthop being requested. */
367
368 log_link_debug(link, "Generated new ndisc nexthop ID for %s with trial %"PRIu64": %"PRIu32,
369 IN6_ADDR_TO_STRING(&nexthop->gw.address.in6), trial, id);
370 nexthop->id = id;
371 return 0;
372 }
373
374 return log_link_debug_errno(link, SYNTHETIC_ERRNO(EBUSY), "Cannot find free nexthop ID for %s.",
375 IN6_ADDR_TO_STRING(&nexthop->gw.address.in6));
376 }
377
378 static int ndisc_nexthop_handler(sd_netlink *rtnl, sd_netlink_message *m, Request *req, Link *link, NextHop *nexthop) {
379 int r;
380
381 assert(link);
382 assert(nexthop);
383
384 r = nexthop_configure_handler_internal(m, link, nexthop);
385 if (r <= 0)
386 return r;
387
388 r = ndisc_check_ready(link);
389 if (r < 0)
390 link_enter_failed(link);
391
392 return 1;
393 }
394
395 static int ndisc_request_nexthop(NextHop *nexthop, Link *link) {
396 int r;
397
398 assert(nexthop);
399 assert(link);
400
401 if (nexthop->id > 0)
402 return 0;
403
404 r = ndisc_nexthop_acquire_id(nexthop, link);
405 if (r < 0)
406 return r;
407
408 r = link_request_nexthop(link, nexthop, &link->ndisc_messages, ndisc_nexthop_handler);
409 if (r < 0)
410 return r;
411 if (r > 0)
412 link->ndisc_configured = false;
413
414 return 0;
415 }
416
417 static int ndisc_set_route_nexthop(Route *route, Link *link, bool request) {
418 _cleanup_(nexthop_unrefp) NextHop *nexthop = NULL;
419 int r;
420
421 assert(route);
422 assert(link);
423 assert(link->manager);
424
425 if (!link->manager->manage_foreign_nexthops)
426 goto finalize;
427
428 if (route->nexthop.family != AF_INET6 || in6_addr_is_null(&route->nexthop.gw.in6))
429 goto finalize;
430
431 r = ndisc_nexthop_new(route, link, &nexthop);
432 if (r < 0)
433 return r;
434
435 if (nexthop->id == 0 && !request)
436 goto finalize;
437
438 r = ndisc_request_nexthop(nexthop, link);
439 if (r < 0)
440 return r;
441
442 route->nexthop = (RouteNextHop) {};
443 route->nexthop_id = nexthop->id;
444
445 finalize:
446 return route_adjust_nexthops(route, link);
447 }
448
449 static int ndisc_route_handler(sd_netlink *rtnl, sd_netlink_message *m, Request *req, Link *link, Route *route) {
450 int r;
451
452 assert(req);
453 assert(link);
454 assert(route);
455
456 r = route_configure_handler_internal(m, req, route);
457 if (r <= 0)
458 return r;
459
460 r = ndisc_check_ready(link);
461 if (r < 0)
462 link_enter_failed(link);
463
464 return 1;
465 }
466
467 static void ndisc_set_route_priority(Link *link, Route *route) {
468 assert(link);
469 assert(route);
470
471 if (route->priority_set)
472 return; /* explicitly configured. */
473
474 switch (route->pref) {
475 case SD_NDISC_PREFERENCE_LOW:
476 route->priority = link->network->ndisc_route_metric_low;
477 break;
478 case SD_NDISC_PREFERENCE_MEDIUM:
479 route->priority = link->network->ndisc_route_metric_medium;
480 break;
481 case SD_NDISC_PREFERENCE_HIGH:
482 route->priority = link->network->ndisc_route_metric_high;
483 break;
484 default:
485 assert_not_reached();
486 }
487 }
488
489 static int ndisc_request_route(Route *route, Link *link) {
490 int r;
491
492 assert(route);
493 assert(link);
494 assert(link->manager);
495 assert(link->network);
496
497 r = route_metric_set(&route->metric, RTAX_QUICKACK, link->network->ndisc_quickack);
498 if (r < 0)
499 return r;
500
501 r = ndisc_set_route_nexthop(route, link, /* request = */ true);
502 if (r < 0)
503 return r;
504
505 uint8_t pref, pref_original = route->pref;
506 FOREACH_ARGUMENT(pref, SD_NDISC_PREFERENCE_LOW, SD_NDISC_PREFERENCE_MEDIUM, SD_NDISC_PREFERENCE_HIGH) {
507 Route *existing;
508 Request *req;
509
510 /* If the preference is specified by the user config (that is, for semi-static routes),
511 * rather than RA, then only search conflicting routes that have the same preference. */
512 if (route->pref_set && pref != pref_original)
513 continue;
514
515 route->pref = pref;
516 ndisc_set_route_priority(link, route);
517
518 /* Note, here do not call route_remove_and_cancel() with 'route' directly, otherwise
519 * existing route(s) may be removed needlessly. */
520
521 /* First, check if a conflicting route is already requested. If there is an existing route,
522 * and also an existing pending request, then the source may be updated by the request. So,
523 * we first need to check the source of the requested route. */
524 if (route_get_request(link->manager, route, &req) >= 0) {
525 route->pref = pref_original;
526 ndisc_set_route_priority(link, route);
527
528 existing = ASSERT_PTR(req->userdata);
529 if (!route_can_update(link->manager, existing, route)) {
530 if (existing->source == NETWORK_CONFIG_SOURCE_STATIC) {
531 log_link_debug(link, "Found a pending route request that conflicts with new request based on a received RA, ignoring request.");
532 return 0;
533 }
534
535 log_link_debug(link, "Found a pending route request that conflicts with new request based on a received RA, cancelling.");
536 r = route_remove_and_cancel(existing, link->manager);
537 if (r < 0)
538 return r;
539 }
540 }
541
542 route->pref = pref;
543 ndisc_set_route_priority(link, route);
544
545 /* Then, check if a conflicting route exists. */
546 if (route_get(link->manager, route, &existing) >= 0) {
547 route->pref = pref_original;
548 ndisc_set_route_priority(link, route);
549
550 if (!route_can_update(link->manager, existing, route)) {
551 if (existing->source == NETWORK_CONFIG_SOURCE_STATIC) {
552 log_link_debug(link, "Found an existing route that conflicts with new route based on a received RA, ignoring request.");
553 return 0;
554 }
555
556 log_link_debug(link, "Found an existing route that conflicts with new route based on a received RA, removing.");
557 r = route_remove_and_cancel(existing, link->manager);
558 if (r < 0)
559 return r;
560 }
561 }
562 }
563
564 /* The preference (and priority) may be changed in the above loop. Restore it. */
565 route->pref = pref_original;
566 ndisc_set_route_priority(link, route);
567
568 bool is_new = route_get(link->manager, route, NULL) < 0;
569
570 r = link_request_route(link, route, &link->ndisc_messages, ndisc_route_handler);
571 if (r < 0)
572 return r;
573 if (r > 0 && is_new)
574 link->ndisc_configured = false;
575
576 return 0;
577 }
578
579 static void ndisc_route_prepare(Route *route, Link *link) {
580 assert(route);
581 assert(link);
582
583 route->source = NETWORK_CONFIG_SOURCE_NDISC;
584
585 if (!route->table_set)
586 route->table = link_get_ndisc_route_table(link);
587 }
588
589 static int ndisc_router_route_prepare(Route *route, Link *link, sd_ndisc_router *rt) {
590 assert(route);
591 assert(link);
592 assert(rt);
593
594 ndisc_route_prepare(route, link);
595
596 if (!route->protocol_set)
597 route->protocol = RTPROT_RA;
598
599 return sd_ndisc_router_get_sender_address(rt, &route->provider.in6);
600 }
601
602 static int ndisc_request_router_route(Route *route, Link *link, sd_ndisc_router *rt) {
603 int r;
604
605 assert(route);
606 assert(link);
607 assert(rt);
608
609 r = ndisc_router_route_prepare(route, link, rt);
610 if (r < 0)
611 return r;
612
613 return ndisc_request_route(route, link);
614 }
615
616 static int ndisc_remove_route(Route *route, Link *link) {
617 int r, ret = 0;
618
619 assert(route);
620 assert(link);
621 assert(link->manager);
622
623 r = ndisc_set_route_nexthop(route, link, /* request = */ false);
624 if (r < 0)
625 return r;
626
627 uint8_t pref, pref_original = route->pref;
628 FOREACH_ARGUMENT(pref, SD_NDISC_PREFERENCE_LOW, SD_NDISC_PREFERENCE_MEDIUM, SD_NDISC_PREFERENCE_HIGH) {
629 Route *existing;
630 Request *req;
631
632 /* If the preference is specified by the user config (that is, for semi-static routes),
633 * rather than RA, then only search conflicting routes that have the same preference. */
634 if (route->pref_set && pref != pref_original)
635 continue;
636
637 route->pref = pref;
638 ndisc_set_route_priority(link, route);
639
640 /* Unfortunately, we cannot directly pass 'route' to route_remove_and_cancel() here, as the
641 * same or similar route may be configured or requested statically. */
642
643 /* First, check if the route is already requested. If there is an existing route, and also an
644 * existing pending request, then the source may be updated by the request. So, we first need
645 * to check the source of the requested route. */
646 if (route_get_request(link->manager, route, &req) >= 0) {
647 existing = ASSERT_PTR(req->userdata);
648 if (existing->source == NETWORK_CONFIG_SOURCE_STATIC)
649 continue;
650
651 RET_GATHER(ret, route_remove_and_cancel(existing, link->manager));
652 }
653
654 /* Then, check if the route exists. */
655 if (route_get(link->manager, route, &existing) >= 0) {
656 if (existing->source == NETWORK_CONFIG_SOURCE_STATIC)
657 continue;
658
659 RET_GATHER(ret, route_remove_and_cancel(existing, link->manager));
660 }
661 }
662
663 return RET_GATHER(ret, ndisc_remove_unused_nexthop_by_id(link, route->nexthop_id));
664 }
665
666 static int ndisc_remove_router_route(Route *route, Link *link, sd_ndisc_router *rt) {
667 int r;
668
669 assert(route);
670 assert(link);
671 assert(rt);
672
673 r = ndisc_router_route_prepare(route, link, rt);
674 if (r < 0)
675 return r;
676
677 return ndisc_remove_route(route, link);
678 }
679
680 static int ndisc_address_handler(sd_netlink *rtnl, sd_netlink_message *m, Request *req, Link *link, Address *address) {
681 int r;
682
683 assert(link);
684 assert(address);
685
686 r = address_configure_handler_internal(m, link, address);
687 if (r <= 0)
688 return r;
689
690 r = ndisc_check_ready(link);
691 if (r < 0)
692 link_enter_failed(link);
693
694 return 1;
695 }
696
697 static int ndisc_request_address(Address *address, Link *link) {
698 bool is_new;
699 int r;
700
701 assert(address);
702 assert(link);
703
704 address->source = NETWORK_CONFIG_SOURCE_NDISC;
705
706 r = free_and_strdup_warn(&address->netlabel, link->network->ndisc_netlabel);
707 if (r < 0)
708 return r;
709
710 Address *existing;
711 if (address_get_harder(link, address, &existing) < 0)
712 is_new = true;
713 else if (address_can_update(existing, address))
714 is_new = false;
715 else if (existing->source == NETWORK_CONFIG_SOURCE_DHCP6) {
716 /* SLAAC address is preferred over DHCPv6 address. */
717 log_link_debug(link, "Conflicting DHCPv6 address %s exists, removing.",
718 IN_ADDR_PREFIX_TO_STRING(existing->family, &existing->in_addr, existing->prefixlen));
719 r = address_remove(existing, link);
720 if (r < 0)
721 return r;
722
723 is_new = true;
724 } else {
725 /* Conflicting static address is configured?? */
726 log_link_debug(link, "Conflicting address %s exists, ignoring request.",
727 IN_ADDR_PREFIX_TO_STRING(existing->family, &existing->in_addr, existing->prefixlen));
728 return 0;
729 }
730
731 r = link_request_address(link, address, &link->ndisc_messages,
732 ndisc_address_handler, NULL);
733 if (r < 0)
734 return r;
735 if (r > 0 && is_new)
736 link->ndisc_configured = false;
737
738 return 0;
739 }
740
741 int ndisc_reconfigure_address(Address *address, Link *link) {
742 int r;
743
744 assert(address);
745 assert(address->source == NETWORK_CONFIG_SOURCE_NDISC);
746 assert(link);
747
748 r = regenerate_address(address, link);
749 if (r <= 0)
750 return r;
751
752 r = ndisc_request_address(address, link);
753 if (r < 0)
754 return r;
755
756 if (!link->ndisc_configured)
757 link_set_state(link, LINK_STATE_CONFIGURING);
758
759 link_check_ready(link);
760 return 0;
761 }
762
763 static int ndisc_redirect_route_new(sd_ndisc_redirect *rd, Route **ret) {
764 _cleanup_(route_unrefp) Route *route = NULL;
765 struct in6_addr gateway, destination;
766 int r;
767
768 assert(rd);
769 assert(ret);
770
771 r = sd_ndisc_redirect_get_target_address(rd, &gateway);
772 if (r < 0)
773 return r;
774
775 r = sd_ndisc_redirect_get_destination_address(rd, &destination);
776 if (r < 0)
777 return r;
778
779 r = route_new(&route);
780 if (r < 0)
781 return r;
782
783 route->family = AF_INET6;
784 if (!in6_addr_equal(&gateway, &destination)) {
785 route->nexthop.gw.in6 = gateway;
786 route->nexthop.family = AF_INET6;
787 }
788 route->dst.in6 = destination;
789 route->dst_prefixlen = 128;
790 route->protocol = RTPROT_REDIRECT;
791
792 r = sd_ndisc_redirect_get_sender_address(rd, &route->provider.in6);
793 if (r < 0)
794 return r;
795
796 *ret = TAKE_PTR(route);
797 return 0;
798 }
799
800 static int ndisc_remove_redirect_route(Link *link, sd_ndisc_redirect *rd) {
801 _cleanup_(route_unrefp) Route *route = NULL;
802 int r;
803
804 assert(link);
805 assert(rd);
806
807 r = ndisc_redirect_route_new(rd, &route);
808 if (r < 0)
809 return r;
810
811 ndisc_route_prepare(route, link);
812
813 return ndisc_remove_route(route, link);
814 }
815
816 static void ndisc_redirect_hash_func(const sd_ndisc_redirect *x, struct siphash *state) {
817 struct in6_addr dest = {};
818
819 assert(x);
820 assert(state);
821
822 (void) sd_ndisc_redirect_get_destination_address((sd_ndisc_redirect*) x, &dest);
823
824 siphash24_compress_typesafe(dest, state);
825 }
826
827 static int ndisc_redirect_compare_func(const sd_ndisc_redirect *x, const sd_ndisc_redirect *y) {
828 struct in6_addr dest_x = {}, dest_y = {};
829
830 assert(x);
831 assert(y);
832
833 (void) sd_ndisc_redirect_get_destination_address((sd_ndisc_redirect*) x, &dest_x);
834 (void) sd_ndisc_redirect_get_destination_address((sd_ndisc_redirect*) y, &dest_y);
835
836 return memcmp(&dest_x, &dest_y, sizeof(dest_x));
837 }
838
839 DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR(
840 ndisc_redirect_hash_ops,
841 sd_ndisc_redirect,
842 ndisc_redirect_hash_func,
843 ndisc_redirect_compare_func,
844 sd_ndisc_redirect_unref);
845
846 static int ndisc_redirect_equal(sd_ndisc_redirect *x, sd_ndisc_redirect *y) {
847 struct in6_addr a, b;
848 int r;
849
850 assert(x);
851 assert(y);
852
853 r = sd_ndisc_redirect_get_destination_address(x, &a);
854 if (r < 0)
855 return r;
856
857 r = sd_ndisc_redirect_get_destination_address(y, &b);
858 if (r < 0)
859 return r;
860
861 if (!in6_addr_equal(&a, &b))
862 return false;
863
864 r = sd_ndisc_redirect_get_target_address(x, &a);
865 if (r < 0)
866 return r;
867
868 r = sd_ndisc_redirect_get_target_address(y, &b);
869 if (r < 0)
870 return r;
871
872 return in6_addr_equal(&a, &b);
873 }
874
875 static int ndisc_redirect_drop_conflict(Link *link, sd_ndisc_redirect *rd) {
876 _cleanup_(sd_ndisc_redirect_unrefp) sd_ndisc_redirect *existing = NULL;
877 int r;
878
879 assert(link);
880 assert(rd);
881
882 existing = set_remove(link->ndisc_redirects, rd);
883 if (!existing)
884 return 0;
885
886 r = ndisc_redirect_equal(rd, existing);
887 if (r != 0)
888 return r;
889
890 return ndisc_remove_redirect_route(link, existing);
891 }
892
893 static int ndisc_redirect_verify_sender(Link *link, sd_ndisc_redirect *rd) {
894 int r;
895
896 assert(link);
897 assert(rd);
898
899 /* RFC 4861 section 8.1
900 * The IP source address of the Redirect is the same as the current first-hop router for the specified
901 * ICMP Destination Address. */
902
903 struct in6_addr sender;
904 r = sd_ndisc_redirect_get_sender_address(rd, &sender);
905 if (r < 0)
906 return r;
907
908 /* We will reuse the sender's router lifetime as the lifetime of the redirect route. Hence, if we
909 * have not remembered an RA from the sender, refuse the Redirect message. */
910 sd_ndisc_router *router = hashmap_get(link->ndisc_routers_by_sender, &sender);
911 if (!router)
912 return false;
913
914 sd_ndisc_redirect *existing = set_get(link->ndisc_redirects, rd);
915 if (existing) {
916 struct in6_addr target, dest;
917
918 /* If we have received Redirect message for the host, the sender must be the previous target. */
919
920 r = sd_ndisc_redirect_get_target_address(existing, &target);
921 if (r < 0)
922 return r;
923
924 if (in6_addr_equal(&sender, &target))
925 return true;
926
927 /* If the existing redirect route is on-link, that is, the destination and target address are
928 * equivalent, then also accept Redirect message from the current default router. This is not
929 * mentioned by the RFC, but without this, we cannot update on-link redirect route. */
930 r = sd_ndisc_redirect_get_destination_address(existing, &dest);
931 if (r < 0)
932 return r;
933
934 if (!in6_addr_equal(&dest, &target))
935 return false;
936 }
937
938 /* Check if the sender is one of the known router with highest priority. */
939 uint8_t preference;
940 r = sd_ndisc_router_get_preference(router, &preference);
941 if (r < 0)
942 return r;
943
944 if (preference == SD_NDISC_PREFERENCE_HIGH)
945 return true;
946
947 sd_ndisc_router *rt;
948 HASHMAP_FOREACH(rt, link->ndisc_routers_by_sender) {
949 if (rt == router)
950 continue;
951
952 uint8_t pref;
953 if (sd_ndisc_router_get_preference(rt, &pref) < 0)
954 continue;
955
956 if (pref == SD_NDISC_PREFERENCE_HIGH ||
957 (pref == SD_NDISC_PREFERENCE_MEDIUM && preference == SD_NDISC_PREFERENCE_LOW))
958 return false;
959 }
960
961 return true;
962 }
963
964 static int ndisc_redirect_handler(Link *link, sd_ndisc_redirect *rd) {
965 int r;
966
967 assert(link);
968 assert(link->network);
969 assert(rd);
970
971 if (!link->network->ndisc_use_redirect)
972 return 0;
973
974 usec_t now_usec;
975 r = sd_event_now(link->manager->event, CLOCK_BOOTTIME, &now_usec);
976 if (r < 0)
977 return r;
978
979 r = ndisc_drop_outdated(link, /* router = */ NULL, now_usec);
980 if (r < 0)
981 return r;
982
983 r = ndisc_redirect_verify_sender(link, rd);
984 if (r <= 0)
985 return r;
986
987 /* First, drop conflicting redirect route, if exists. */
988 r = ndisc_redirect_drop_conflict(link, rd);
989 if (r < 0)
990 return r;
991
992 /* Then, remember the received message. */
993 r = set_ensure_put(&link->ndisc_redirects, &ndisc_redirect_hash_ops, rd);
994 if (r < 0)
995 return r;
996
997 sd_ndisc_redirect_ref(rd);
998
999 /* Finally, request the corresponding route. */
1000 _cleanup_(route_unrefp) Route *route = NULL;
1001 r = ndisc_redirect_route_new(rd, &route);
1002 if (r < 0)
1003 return r;
1004
1005 sd_ndisc_router *rt = hashmap_get(link->ndisc_routers_by_sender, &route->provider.in6);
1006 if (!rt)
1007 return -EADDRNOTAVAIL;
1008
1009 r = sd_ndisc_router_get_lifetime_timestamp(rt, CLOCK_BOOTTIME, &route->lifetime_usec);
1010 if (r < 0)
1011 return r;
1012
1013 ndisc_route_prepare(route, link);
1014
1015 return ndisc_request_route(route, link);
1016 }
1017
1018 static int ndisc_drop_redirect(Link *link, const struct in6_addr *router) {
1019 int r, ret = 0;
1020
1021 assert(link);
1022
1023 sd_ndisc_redirect *rd;
1024 SET_FOREACH(rd, link->ndisc_redirects) {
1025 if (router) {
1026 struct in6_addr a;
1027
1028 if (!(sd_ndisc_redirect_get_sender_address(rd, &a) >= 0 && in6_addr_equal(&a, router)) &&
1029 !(sd_ndisc_redirect_get_target_address(rd, &a) >= 0 && in6_addr_equal(&a, router)))
1030 continue;
1031 }
1032
1033 r = ndisc_remove_redirect_route(link, rd);
1034 if (r < 0)
1035 RET_GATHER(ret, log_link_warning_errno(link, r, "Failed to remove redirect route, ignoring: %m"));
1036
1037 sd_ndisc_redirect_unref(set_remove(link->ndisc_redirects, rd));
1038 }
1039
1040 return ret;
1041 }
1042
1043 static int ndisc_update_redirect_sender(Link *link, const struct in6_addr *original_address, const struct in6_addr *current_address) {
1044 int r;
1045
1046 assert(link);
1047 assert(original_address);
1048 assert(current_address);
1049
1050 sd_ndisc_redirect *rd;
1051 SET_FOREACH(rd, link->ndisc_redirects) {
1052 struct in6_addr sender;
1053
1054 r = sd_ndisc_redirect_get_sender_address(rd, &sender);
1055 if (r < 0)
1056 return r;
1057
1058 if (!in6_addr_equal(&sender, original_address))
1059 continue;
1060
1061 r = sd_ndisc_redirect_set_sender_address(rd, current_address);
1062 if (r < 0)
1063 return r;
1064 }
1065
1066 return 0;
1067 }
1068
1069 static int ndisc_router_drop_default(Link *link, sd_ndisc_router *rt) {
1070 _cleanup_(route_unrefp) Route *route = NULL;
1071 struct in6_addr gateway;
1072 int r;
1073
1074 assert(link);
1075 assert(link->network);
1076 assert(rt);
1077
1078 r = sd_ndisc_router_get_sender_address(rt, &gateway);
1079 if (r < 0)
1080 return log_link_warning_errno(link, r, "Failed to get router address from RA: %m");
1081
1082 r = route_new(&route);
1083 if (r < 0)
1084 return log_oom();
1085
1086 route->family = AF_INET6;
1087 route->nexthop.family = AF_INET6;
1088 route->nexthop.gw.in6 = gateway;
1089
1090 r = ndisc_remove_router_route(route, link, rt);
1091 if (r < 0)
1092 return log_link_warning_errno(link, r, "Failed to remove the default gateway configured by RA: %m");
1093
1094 Route *route_gw;
1095 HASHMAP_FOREACH(route_gw, link->network->routes_by_section) {
1096 _cleanup_(route_unrefp) Route *tmp = NULL;
1097
1098 if (route_gw->source != NETWORK_CONFIG_SOURCE_NDISC)
1099 continue;
1100
1101 assert(route_gw->nexthop.family == AF_INET6);
1102
1103 r = route_dup(route_gw, NULL, &tmp);
1104 if (r < 0)
1105 return r;
1106
1107 tmp->nexthop.gw.in6 = gateway;
1108
1109 r = ndisc_remove_router_route(tmp, link, rt);
1110 if (r < 0)
1111 return log_link_warning_errno(link, r, "Could not remove semi-static gateway: %m");
1112 }
1113
1114 return 0;
1115 }
1116
1117 static int ndisc_router_process_default(Link *link, sd_ndisc_router *rt) {
1118 usec_t lifetime_usec;
1119 struct in6_addr gateway;
1120 uint8_t preference;
1121 int r;
1122
1123 assert(link);
1124 assert(link->network);
1125 assert(rt);
1126
1127 /* If the router lifetime is zero, the router should not be used as the default gateway. */
1128 r = sd_ndisc_router_get_lifetime(rt, NULL);
1129 if (r < 0)
1130 return r;
1131 if (r == 0)
1132 return ndisc_router_drop_default(link, rt);
1133
1134 if (!link->network->ndisc_use_gateway &&
1135 hashmap_isempty(link->network->routes_by_section))
1136 return 0;
1137
1138 r = sd_ndisc_router_get_lifetime_timestamp(rt, CLOCK_BOOTTIME, &lifetime_usec);
1139 if (r < 0)
1140 return log_link_warning_errno(link, r, "Failed to get gateway lifetime from RA: %m");
1141
1142 r = sd_ndisc_router_get_sender_address(rt, &gateway);
1143 if (r < 0)
1144 return log_link_warning_errno(link, r, "Failed to get gateway address from RA: %m");
1145
1146 r = sd_ndisc_router_get_preference(rt, &preference);
1147 if (r < 0)
1148 return log_link_warning_errno(link, r, "Failed to get router preference from RA: %m");
1149
1150 if (link->network->ndisc_use_gateway) {
1151 _cleanup_(route_unrefp) Route *route = NULL;
1152
1153 r = route_new(&route);
1154 if (r < 0)
1155 return log_oom();
1156
1157 route->family = AF_INET6;
1158 route->pref = preference;
1159 route->nexthop.family = AF_INET6;
1160 route->nexthop.gw.in6 = gateway;
1161 route->lifetime_usec = lifetime_usec;
1162
1163 r = ndisc_request_router_route(route, link, rt);
1164 if (r < 0)
1165 return log_link_warning_errno(link, r, "Could not request default route: %m");
1166 }
1167
1168 Route *route_gw;
1169 HASHMAP_FOREACH(route_gw, link->network->routes_by_section) {
1170 _cleanup_(route_unrefp) Route *route = NULL;
1171
1172 if (route_gw->source != NETWORK_CONFIG_SOURCE_NDISC)
1173 continue;
1174
1175 assert(route_gw->nexthop.family == AF_INET6);
1176
1177 r = route_dup(route_gw, NULL, &route);
1178 if (r < 0)
1179 return r;
1180
1181 route->nexthop.gw.in6 = gateway;
1182 if (!route->pref_set)
1183 route->pref = preference;
1184 route->lifetime_usec = lifetime_usec;
1185
1186 r = ndisc_request_router_route(route, link, rt);
1187 if (r < 0)
1188 return log_link_warning_errno(link, r, "Could not request gateway: %m");
1189 }
1190
1191 return 0;
1192 }
1193
1194 DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(
1195 ndisc_router_hash_ops,
1196 struct in6_addr,
1197 in6_addr_hash_func,
1198 in6_addr_compare_func,
1199 sd_ndisc_router,
1200 sd_ndisc_router_unref);
1201
1202 static int ndisc_update_router_address(Link *link, const struct in6_addr *original_address, const struct in6_addr *current_address) {
1203 _cleanup_(sd_ndisc_router_unrefp) sd_ndisc_router *rt = NULL;
1204 int r;
1205
1206 assert(link);
1207 assert(original_address);
1208 assert(current_address);
1209
1210 rt = hashmap_remove(link->ndisc_routers_by_sender, original_address);
1211 if (!rt)
1212 return 0;
1213
1214 /* If we already received an RA from the new address, then forget the RA from the old address. */
1215 if (hashmap_contains(link->ndisc_routers_by_sender, current_address))
1216 return 0;
1217
1218 /* Otherwise, update the sender address of the previously received RA. */
1219 r = sd_ndisc_router_set_sender_address(rt, current_address);
1220 if (r < 0)
1221 return r;
1222
1223 r = hashmap_put(link->ndisc_routers_by_sender, &rt->packet->sender_address, rt);
1224 if (r < 0)
1225 return r;
1226
1227 TAKE_PTR(rt);
1228 return 0;
1229 }
1230
1231 static int ndisc_drop_router_one(Link *link, sd_ndisc_router *rt, usec_t timestamp_usec) {
1232 usec_t lifetime_usec;
1233 int r;
1234
1235 assert(link);
1236 assert(rt);
1237 assert(rt->packet);
1238
1239 r = sd_ndisc_router_get_lifetime_timestamp(rt, CLOCK_BOOTTIME, &lifetime_usec);
1240 if (r < 0)
1241 return r;
1242
1243 if (lifetime_usec > timestamp_usec)
1244 return 0;
1245
1246 r = ndisc_drop_redirect(link, &rt->packet->sender_address);
1247
1248 sd_ndisc_router_unref(hashmap_remove(link->ndisc_routers_by_sender, &rt->packet->sender_address));
1249
1250 return r;
1251 }
1252
1253 static int ndisc_drop_routers(Link *link, const struct in6_addr *router, usec_t timestamp_usec) {
1254 sd_ndisc_router *rt;
1255 int ret = 0;
1256
1257 assert(link);
1258
1259 if (router) {
1260 rt = hashmap_get(link->ndisc_routers_by_sender, router);
1261 if (!rt)
1262 return 0;
1263
1264 return ndisc_drop_router_one(link, rt, timestamp_usec);
1265 }
1266
1267 HASHMAP_FOREACH_KEY(rt, router, link->ndisc_routers_by_sender)
1268 RET_GATHER(ret, ndisc_drop_router_one(link, rt, timestamp_usec));
1269
1270 return ret;
1271 }
1272
1273 static int ndisc_remember_router(Link *link, sd_ndisc_router *rt) {
1274 int r;
1275
1276 assert(link);
1277 assert(rt);
1278 assert(rt->packet);
1279
1280 sd_ndisc_router_unref(hashmap_remove(link->ndisc_routers_by_sender, &rt->packet->sender_address));
1281
1282 /* Remember RAs with non-zero lifetime. */
1283 r = sd_ndisc_router_get_lifetime(rt, NULL);
1284 if (r <= 0)
1285 return r;
1286
1287 r = hashmap_ensure_put(&link->ndisc_routers_by_sender, &ndisc_router_hash_ops, &rt->packet->sender_address, rt);
1288 if (r < 0)
1289 return r;
1290
1291 sd_ndisc_router_ref(rt);
1292 return 0;
1293 }
1294
1295 static int ndisc_router_process_reachable_time(Link *link, sd_ndisc_router *rt) {
1296 usec_t reachable_time, msec;
1297 int r;
1298
1299 assert(link);
1300 assert(link->manager);
1301 assert(link->network);
1302 assert(rt);
1303
1304 if (!link->network->ndisc_use_reachable_time)
1305 return 0;
1306
1307 r = sd_ndisc_router_get_reachable_time(rt, &reachable_time);
1308 if (r < 0)
1309 return log_link_warning_errno(link, r, "Failed to get reachable time from RA: %m");
1310
1311 /* 0 is the unspecified value and must not be set (see RFC4861, 6.3.4) */
1312 if (!timestamp_is_set(reachable_time))
1313 return 0;
1314
1315 msec = DIV_ROUND_UP(reachable_time, USEC_PER_MSEC);
1316 if (msec <= 0 || msec > UINT32_MAX) {
1317 log_link_debug(link, "Failed to get reachable time from RA - out of range (%"PRIu64"), ignoring", msec);
1318 return 0;
1319 }
1320
1321 /* Set the reachable time for Neighbor Solicitations. */
1322 r = sysctl_write_ip_neighbor_property_uint32(AF_INET6, link->ifname, "base_reachable_time_ms", (uint32_t) msec, manager_get_sysctl_shadow(link->manager));
1323 if (r < 0)
1324 log_link_warning_errno(link, r, "Failed to apply neighbor reachable time (%"PRIu64"), ignoring: %m", msec);
1325
1326 return 0;
1327 }
1328
1329 static int ndisc_router_process_retransmission_time(Link *link, sd_ndisc_router *rt) {
1330 usec_t retrans_time, msec;
1331 int r;
1332
1333 assert(link);
1334 assert(link->manager);
1335 assert(link->network);
1336 assert(rt);
1337
1338 if (!link->network->ndisc_use_retransmission_time)
1339 return 0;
1340
1341 r = sd_ndisc_router_get_retransmission_time(rt, &retrans_time);
1342 if (r < 0)
1343 return log_link_warning_errno(link, r, "Failed to get retransmission time from RA: %m");
1344
1345 /* 0 is the unspecified value and must not be set (see RFC4861, 6.3.4) */
1346 if (!timestamp_is_set(retrans_time))
1347 return 0;
1348
1349 msec = DIV_ROUND_UP(retrans_time, USEC_PER_MSEC);
1350 if (msec <= 0 || msec > UINT32_MAX) {
1351 log_link_debug(link, "Failed to get retransmission time from RA - out of range (%"PRIu64"), ignoring", msec);
1352 return 0;
1353 }
1354
1355 /* Set the retransmission time for Neighbor Solicitations. */
1356 r = sysctl_write_ip_neighbor_property_uint32(AF_INET6, link->ifname, "retrans_time_ms", (uint32_t) msec, manager_get_sysctl_shadow(link->manager));
1357 if (r < 0)
1358 log_link_warning_errno(link, r, "Failed to apply neighbor retransmission time (%"PRIu64"), ignoring: %m", msec);
1359
1360 return 0;
1361 }
1362
1363 static int ndisc_router_process_hop_limit(Link *link, sd_ndisc_router *rt) {
1364 uint8_t hop_limit;
1365 int r;
1366
1367 assert(link);
1368 assert(link->manager);
1369 assert(link->network);
1370 assert(rt);
1371
1372 if (!link->network->ndisc_use_hop_limit)
1373 return 0;
1374
1375 r = sd_ndisc_router_get_hop_limit(rt, &hop_limit);
1376 if (r < 0)
1377 return log_link_warning_errno(link, r, "Failed to get hop limit from RA: %m");
1378
1379 /* 0 is the unspecified value and must not be set (see RFC4861, 6.3.4):
1380 *
1381 * A Router Advertisement field (e.g., Cur Hop Limit, Reachable Time, and Retrans Timer) may contain
1382 * a value denoting that it is unspecified. In such cases, the parameter should be ignored and the
1383 * host should continue using whatever value it is already using. In particular, a host MUST NOT
1384 * interpret the unspecified value as meaning change back to the default value that was in use before
1385 * the first Router Advertisement was received.
1386 *
1387 * If the received Cur Hop Limit value is non-zero, the host SHOULD set
1388 * its CurHopLimit variable to the received value. */
1389 if (hop_limit <= 0)
1390 return 0;
1391
1392 r = sysctl_write_ip_property_uint32(AF_INET6, link->ifname, "hop_limit", (uint32_t) hop_limit, manager_get_sysctl_shadow(link->manager));
1393 if (r < 0)
1394 log_link_warning_errno(link, r, "Failed to apply hop_limit (%u), ignoring: %m", hop_limit);
1395
1396 return 0;
1397 }
1398
1399 static int ndisc_router_process_mtu(Link *link, sd_ndisc_router *rt) {
1400 uint32_t mtu;
1401 int r;
1402
1403 assert(link);
1404 assert(link->network);
1405 assert(rt);
1406
1407 if (!link->network->ndisc_use_mtu)
1408 return 0;
1409
1410 r = sd_ndisc_router_get_mtu(rt, &mtu);
1411 if (r == -ENODATA)
1412 return 0;
1413 if (r < 0)
1414 return log_link_warning_errno(link, r, "Failed to get MTU from RA: %m");
1415
1416 link->ndisc_mtu = mtu;
1417
1418 (void) link_set_ipv6_mtu(link, LOG_DEBUG);
1419
1420 return 0;
1421 }
1422
1423 static int ndisc_address_set_lifetime(Address *address, Link *link, sd_ndisc_router *rt) {
1424 Address *existing;
1425 usec_t t;
1426 int r;
1427
1428 assert(address);
1429 assert(link);
1430 assert(rt);
1431
1432 /* This is mostly based on RFC 4862 section 5.5.3 (e). However, the definition of 'RemainingLifetime'
1433 * is ambiguous, and there is no clear explanation when the address is not assigned yet. If we assume
1434 * that 'RemainingLifetime' is zero in that case, then IPv6 Core Conformance test [v6LC.3.2.5 Part C]
1435 * fails. So, in such case, we skip the conditions about 'RemainingLifetime'. */
1436
1437 r = sd_ndisc_router_prefix_get_valid_lifetime_timestamp(rt, CLOCK_BOOTTIME, &address->lifetime_valid_usec);
1438 if (r < 0)
1439 return r;
1440
1441 r = sd_ndisc_router_prefix_get_preferred_lifetime_timestamp(rt, CLOCK_BOOTTIME, &address->lifetime_preferred_usec);
1442 if (r < 0)
1443 return r;
1444
1445 /* RFC 4862 section 5.5.3 (e)
1446 * 1. If the received Valid Lifetime is greater than 2 hours or greater than RemainingLifetime,
1447 * set the valid lifetime of the corresponding address to the advertised Valid Lifetime. */
1448 r = sd_ndisc_router_prefix_get_valid_lifetime(rt, &t);
1449 if (r < 0)
1450 return r;
1451
1452 if (t > 2 * USEC_PER_HOUR)
1453 return 0;
1454
1455 if (address_get(link, address, &existing) < 0 || existing->source != NETWORK_CONFIG_SOURCE_NDISC)
1456 return 0;
1457
1458 if (address->lifetime_valid_usec > existing->lifetime_valid_usec)
1459 return 0;
1460
1461 /* 2. If RemainingLifetime is less than or equal to 2 hours, ignore the Prefix Information option
1462 * with regards to the valid lifetime, unless the Router Advertisement from which this option was
1463 * obtained has been authenticated (e.g., via Secure Neighbor Discovery [RFC3971]). If the Router
1464 * Advertisement was authenticated, the valid lifetime of the corresponding address should be set
1465 * to the Valid Lifetime in the received option.
1466 *
1467 * Currently, authentication is not supported. So check the lifetime of the existing address. */
1468 r = sd_ndisc_router_get_timestamp(rt, CLOCK_BOOTTIME, &t);
1469 if (r < 0)
1470 return r;
1471
1472 if (existing->lifetime_valid_usec <= usec_add(t, 2 * USEC_PER_HOUR)) {
1473 address->lifetime_valid_usec = existing->lifetime_valid_usec;
1474 return 0;
1475 }
1476
1477 /* 3. Otherwise, reset the valid lifetime of the corresponding address to 2 hours. */
1478 address->lifetime_valid_usec = usec_add(t, 2 * USEC_PER_HOUR);
1479 return 0;
1480 }
1481
1482 static int ndisc_router_process_autonomous_prefix(Link *link, sd_ndisc_router *rt) {
1483 usec_t lifetime_valid_usec, lifetime_preferred_usec;
1484 struct in6_addr prefix, router;
1485 uint8_t prefixlen;
1486 int r;
1487
1488 assert(link);
1489 assert(link->network);
1490 assert(rt);
1491
1492 if (!link->network->ndisc_use_autonomous_prefix)
1493 return 0;
1494
1495 r = sd_ndisc_router_get_sender_address(rt, &router);
1496 if (r < 0)
1497 return log_link_warning_errno(link, r, "Failed to get router address: %m");
1498
1499 r = sd_ndisc_router_prefix_get_address(rt, &prefix);
1500 if (r < 0)
1501 return log_link_warning_errno(link, r, "Failed to get prefix address: %m");
1502
1503 r = sd_ndisc_router_prefix_get_prefixlen(rt, &prefixlen);
1504 if (r < 0)
1505 return log_link_warning_errno(link, r, "Failed to get prefix length: %m");
1506
1507 /* ndisc_generate_addresses() below requires the prefix length <= 64. */
1508 if (prefixlen > 64) {
1509 log_link_debug(link, "Prefix is longer than 64, ignoring autonomous prefix %s.",
1510 IN6_ADDR_PREFIX_TO_STRING(&prefix, prefixlen));
1511 return 0;
1512 }
1513
1514 r = sd_ndisc_router_prefix_get_valid_lifetime(rt, &lifetime_valid_usec);
1515 if (r < 0)
1516 return log_link_warning_errno(link, r, "Failed to get prefix valid lifetime: %m");
1517
1518 r = sd_ndisc_router_prefix_get_preferred_lifetime(rt, &lifetime_preferred_usec);
1519 if (r < 0)
1520 return log_link_warning_errno(link, r, "Failed to get prefix preferred lifetime: %m");
1521
1522 /* RFC 4862 section 5.5.3 (c)
1523 * If the preferred lifetime is greater than the valid lifetime, silently ignore the Prefix
1524 * Information option. */
1525 if (lifetime_preferred_usec > lifetime_valid_usec)
1526 return 0;
1527
1528 _cleanup_hashmap_free_ Hashmap *tokens_by_address = NULL;
1529 r = ndisc_generate_addresses(link, &prefix, prefixlen, &tokens_by_address);
1530 if (r < 0)
1531 return log_link_warning_errno(link, r, "Failed to generate SLAAC addresses: %m");
1532
1533 IPv6Token *token;
1534 struct in6_addr *a;
1535 HASHMAP_FOREACH_KEY(token, a, tokens_by_address) {
1536 _cleanup_(address_unrefp) Address *address = NULL;
1537
1538 r = address_new(&address);
1539 if (r < 0)
1540 return log_oom();
1541
1542 address->provider.in6 = router;
1543 address->family = AF_INET6;
1544 address->in_addr.in6 = *a;
1545 address->prefixlen = prefixlen;
1546 address->flags = IFA_F_NOPREFIXROUTE|IFA_F_MANAGETEMPADDR;
1547 address->token = ipv6_token_ref(token);
1548
1549 r = ndisc_address_set_lifetime(address, link, rt);
1550 if (r < 0)
1551 return log_link_warning_errno(link, r, "Failed to set lifetime of SLAAC address: %m");
1552
1553 assert(address->lifetime_preferred_usec <= address->lifetime_valid_usec);
1554
1555 r = ndisc_request_address(address, link);
1556 if (r < 0)
1557 return log_link_warning_errno(link, r, "Could not request SLAAC address: %m");
1558 }
1559
1560 return 0;
1561 }
1562
1563 static int ndisc_router_process_onlink_prefix(Link *link, sd_ndisc_router *rt) {
1564 _cleanup_(route_unrefp) Route *route = NULL;
1565 uint8_t prefixlen, preference;
1566 usec_t lifetime_usec;
1567 struct in6_addr prefix;
1568 int r;
1569
1570 assert(link);
1571 assert(link->network);
1572 assert(rt);
1573
1574 if (!link->network->ndisc_use_onlink_prefix)
1575 return 0;
1576
1577 r = sd_ndisc_router_prefix_get_valid_lifetime_timestamp(rt, CLOCK_BOOTTIME, &lifetime_usec);
1578 if (r < 0)
1579 return log_link_warning_errno(link, r, "Failed to get prefix lifetime: %m");
1580
1581 r = sd_ndisc_router_prefix_get_address(rt, &prefix);
1582 if (r < 0)
1583 return log_link_warning_errno(link, r, "Failed to get prefix address: %m");
1584
1585 r = sd_ndisc_router_prefix_get_prefixlen(rt, &prefixlen);
1586 if (r < 0)
1587 return log_link_warning_errno(link, r, "Failed to get prefix length: %m");
1588
1589 /* Prefix Information option does not have preference, hence we use the 'main' preference here */
1590 r = sd_ndisc_router_get_preference(rt, &preference);
1591 if (r < 0)
1592 return log_link_warning_errno(link, r, "Failed to get router preference from RA: %m");
1593
1594 r = route_new(&route);
1595 if (r < 0)
1596 return log_oom();
1597
1598 route->family = AF_INET6;
1599 route->dst.in6 = prefix;
1600 route->dst_prefixlen = prefixlen;
1601 route->pref = preference;
1602 route->lifetime_usec = lifetime_usec;
1603
1604 /* RFC 4861 section 6.3.4:
1605 * - If the prefix is not already present in the Prefix List, and the Prefix Information option's
1606 * Valid Lifetime field is non-zero, create a new entry for the prefix and initialize its
1607 * invalidation timer to the Valid Lifetime value in the Prefix Information option.
1608 *
1609 * - If the prefix is already present in the host's Prefix List as the result of a previously
1610 * received advertisement, reset its invalidation timer to the Valid Lifetime value in the Prefix
1611 * Information option. If the new Lifetime value is zero, timeout the prefix immediately. */
1612 if (lifetime_usec == 0) {
1613 r = ndisc_remove_router_route(route, link, rt);
1614 if (r < 0)
1615 return log_link_warning_errno(link, r, "Failed to remove prefix route: %m");
1616 } else {
1617 r = ndisc_request_router_route(route, link, rt);
1618 if (r < 0)
1619 return log_link_warning_errno(link, r, "Failed to request prefix route: %m");
1620 }
1621
1622 return 0;
1623 }
1624
1625 static int ndisc_router_process_prefix(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
1626 uint8_t flags, prefixlen;
1627 struct in6_addr a;
1628 int r;
1629
1630 assert(link);
1631 assert(link->network);
1632 assert(rt);
1633
1634 usec_t lifetime_usec;
1635 r = sd_ndisc_router_prefix_get_valid_lifetime(rt, &lifetime_usec);
1636 if (r < 0)
1637 return log_link_warning_errno(link, r, "Failed to get prefix lifetime: %m");
1638
1639 if ((lifetime_usec == 0) != zero_lifetime)
1640 return 0;
1641
1642 r = sd_ndisc_router_prefix_get_address(rt, &a);
1643 if (r < 0)
1644 return log_link_warning_errno(link, r, "Failed to get prefix address: %m");
1645
1646 /* RFC 4861 Section 4.6.2:
1647 * A router SHOULD NOT send a prefix option for the link-local prefix and a host SHOULD ignore such
1648 * a prefix option. */
1649 if (in6_addr_is_link_local(&a)) {
1650 log_link_debug(link, "Received link-local prefix, ignoring prefix.");
1651 return 0;
1652 }
1653
1654 r = sd_ndisc_router_prefix_get_prefixlen(rt, &prefixlen);
1655 if (r < 0)
1656 return log_link_warning_errno(link, r, "Failed to get prefix length: %m");
1657
1658 if (in6_prefix_is_filtered(&a, prefixlen, link->network->ndisc_allow_listed_prefix, link->network->ndisc_deny_listed_prefix)) {
1659 if (set_isempty(link->network->ndisc_allow_listed_prefix))
1660 log_link_debug(link, "Prefix '%s' is in deny list, ignoring.",
1661 IN6_ADDR_PREFIX_TO_STRING(&a, prefixlen));
1662 else
1663 log_link_debug(link, "Prefix '%s' is not in allow list, ignoring.",
1664 IN6_ADDR_PREFIX_TO_STRING(&a, prefixlen));
1665 return 0;
1666 }
1667
1668 r = sd_ndisc_router_prefix_get_flags(rt, &flags);
1669 if (r < 0)
1670 return log_link_warning_errno(link, r, "Failed to get RA prefix flags: %m");
1671
1672 if (FLAGS_SET(flags, ND_OPT_PI_FLAG_ONLINK)) {
1673 r = ndisc_router_process_onlink_prefix(link, rt);
1674 if (r < 0)
1675 return r;
1676 }
1677
1678 if (FLAGS_SET(flags, ND_OPT_PI_FLAG_AUTO)) {
1679 r = ndisc_router_process_autonomous_prefix(link, rt);
1680 if (r < 0)
1681 return r;
1682 }
1683
1684 return 0;
1685 }
1686
1687 static int ndisc_router_process_route(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
1688 _cleanup_(route_unrefp) Route *route = NULL;
1689 uint8_t preference, prefixlen;
1690 struct in6_addr gateway, dst;
1691 usec_t lifetime_usec;
1692 int r;
1693
1694 assert(link);
1695
1696 if (!link->network->ndisc_use_route_prefix)
1697 return 0;
1698
1699 r = sd_ndisc_router_route_get_lifetime_timestamp(rt, CLOCK_BOOTTIME, &lifetime_usec);
1700 if (r < 0)
1701 return log_link_warning_errno(link, r, "Failed to get route lifetime from RA: %m");
1702
1703 if ((lifetime_usec == 0) != zero_lifetime)
1704 return 0;
1705
1706 r = sd_ndisc_router_route_get_address(rt, &dst);
1707 if (r < 0)
1708 return log_link_warning_errno(link, r, "Failed to get route destination address: %m");
1709
1710 r = sd_ndisc_router_route_get_prefixlen(rt, &prefixlen);
1711 if (r < 0)
1712 return log_link_warning_errno(link, r, "Failed to get route prefix length: %m");
1713
1714 if (in6_prefix_is_filtered(&dst, prefixlen,
1715 link->network->ndisc_allow_listed_route_prefix,
1716 link->network->ndisc_deny_listed_route_prefix)) {
1717 if (set_isempty(link->network->ndisc_allow_listed_route_prefix))
1718 log_link_debug(link, "Route prefix '%s' is in deny list, ignoring.",
1719 IN6_ADDR_PREFIX_TO_STRING(&dst, prefixlen));
1720 else
1721 log_link_debug(link, "Route prefix '%s' is not in allow list, ignoring.",
1722 IN6_ADDR_PREFIX_TO_STRING(&dst, prefixlen));
1723 return 0;
1724 }
1725
1726 r = sd_ndisc_router_get_sender_address(rt, &gateway);
1727 if (r < 0)
1728 return log_link_warning_errno(link, r, "Failed to get gateway address from RA: %m");
1729
1730 if (link_get_ipv6_address(link, &gateway, NULL) >= 0) {
1731 if (DEBUG_LOGGING)
1732 log_link_debug(link, "Advertised route gateway %s is local to the link, ignoring route",
1733 IN6_ADDR_TO_STRING(&gateway));
1734 return 0;
1735 }
1736
1737 r = sd_ndisc_router_route_get_preference(rt, &preference);
1738 if (r < 0)
1739 return log_link_warning_errno(link, r, "Failed to get router preference from RA: %m");
1740
1741 r = route_new(&route);
1742 if (r < 0)
1743 return log_oom();
1744
1745 route->family = AF_INET6;
1746 route->pref = preference;
1747 route->nexthop.gw.in6 = gateway;
1748 route->nexthop.family = AF_INET6;
1749 route->dst.in6 = dst;
1750 route->dst_prefixlen = prefixlen;
1751 route->lifetime_usec = lifetime_usec;
1752
1753 if (lifetime_usec != 0) {
1754 r = ndisc_request_router_route(route, link, rt);
1755 if (r < 0)
1756 return log_link_warning_errno(link, r, "Could not request additional route: %m");
1757 } else {
1758 r = ndisc_remove_router_route(route, link, rt);
1759 if (r < 0)
1760 return log_link_warning_errno(link, r, "Could not remove additional route with zero lifetime: %m");
1761 }
1762
1763 return 0;
1764 }
1765
1766 static void ndisc_rdnss_hash_func(const NDiscRDNSS *x, struct siphash *state) {
1767 siphash24_compress_typesafe(x->address, state);
1768 }
1769
1770 static int ndisc_rdnss_compare_func(const NDiscRDNSS *a, const NDiscRDNSS *b) {
1771 return memcmp(&a->address, &b->address, sizeof(a->address));
1772 }
1773
1774 DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR(
1775 ndisc_rdnss_hash_ops,
1776 NDiscRDNSS,
1777 ndisc_rdnss_hash_func,
1778 ndisc_rdnss_compare_func,
1779 free);
1780
1781 static int ndisc_router_process_rdnss(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
1782 usec_t lifetime_usec;
1783 const struct in6_addr *a;
1784 struct in6_addr router;
1785 bool updated = false, logged_about_too_many = false;
1786 int n, r;
1787
1788 assert(link);
1789 assert(link->network);
1790 assert(rt);
1791
1792 if (!link_get_use_dns(link, NETWORK_CONFIG_SOURCE_NDISC))
1793 return 0;
1794
1795 r = sd_ndisc_router_get_sender_address(rt, &router);
1796 if (r < 0)
1797 return log_link_warning_errno(link, r, "Failed to get router address from RA: %m");
1798
1799 r = sd_ndisc_router_rdnss_get_lifetime_timestamp(rt, CLOCK_BOOTTIME, &lifetime_usec);
1800 if (r < 0)
1801 return log_link_warning_errno(link, r, "Failed to get RDNSS lifetime: %m");
1802
1803 if ((lifetime_usec == 0) != zero_lifetime)
1804 return 0;
1805
1806 n = sd_ndisc_router_rdnss_get_addresses(rt, &a);
1807 if (n < 0)
1808 return log_link_warning_errno(link, n, "Failed to get RDNSS addresses: %m");
1809
1810 for (int j = 0; j < n; j++) {
1811 _cleanup_free_ NDiscRDNSS *x = NULL;
1812 NDiscRDNSS *rdnss, d = {
1813 .address = a[j],
1814 };
1815
1816 if (lifetime_usec == 0) {
1817 /* The entry is outdated. */
1818 free(set_remove(link->ndisc_rdnss, &d));
1819 updated = true;
1820 continue;
1821 }
1822
1823 rdnss = set_get(link->ndisc_rdnss, &d);
1824 if (rdnss) {
1825 rdnss->router = router;
1826 rdnss->lifetime_usec = lifetime_usec;
1827 continue;
1828 }
1829
1830 if (set_size(link->ndisc_rdnss) >= NDISC_RDNSS_MAX) {
1831 if (!logged_about_too_many)
1832 log_link_warning(link, "Too many RDNSS records per link. Only first %u records will be used.", NDISC_RDNSS_MAX);
1833 logged_about_too_many = true;
1834 continue;
1835 }
1836
1837 x = new(NDiscRDNSS, 1);
1838 if (!x)
1839 return log_oom();
1840
1841 *x = (NDiscRDNSS) {
1842 .address = a[j],
1843 .router = router,
1844 .lifetime_usec = lifetime_usec,
1845 };
1846
1847 r = set_ensure_consume(&link->ndisc_rdnss, &ndisc_rdnss_hash_ops, TAKE_PTR(x));
1848 if (r < 0)
1849 return log_oom();
1850 assert(r > 0);
1851
1852 updated = true;
1853 }
1854
1855 if (updated)
1856 link_dirty(link);
1857
1858 return 0;
1859 }
1860
1861 static void ndisc_dnssl_hash_func(const NDiscDNSSL *x, struct siphash *state) {
1862 siphash24_compress_string(ndisc_dnssl_domain(x), state);
1863 }
1864
1865 static int ndisc_dnssl_compare_func(const NDiscDNSSL *a, const NDiscDNSSL *b) {
1866 return strcmp(ndisc_dnssl_domain(a), ndisc_dnssl_domain(b));
1867 }
1868
1869 DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR(
1870 ndisc_dnssl_hash_ops,
1871 NDiscDNSSL,
1872 ndisc_dnssl_hash_func,
1873 ndisc_dnssl_compare_func,
1874 free);
1875
1876 static int ndisc_router_process_dnssl(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
1877 char **l;
1878 usec_t lifetime_usec;
1879 struct in6_addr router;
1880 bool updated = false, logged_about_too_many = false;
1881 int r;
1882
1883 assert(link);
1884 assert(link->network);
1885 assert(rt);
1886
1887 if (link_get_use_domains(link, NETWORK_CONFIG_SOURCE_NDISC) <= 0)
1888 return 0;
1889
1890 r = sd_ndisc_router_get_sender_address(rt, &router);
1891 if (r < 0)
1892 return log_link_warning_errno(link, r, "Failed to get router address from RA: %m");
1893
1894 r = sd_ndisc_router_dnssl_get_lifetime_timestamp(rt, CLOCK_BOOTTIME, &lifetime_usec);
1895 if (r < 0)
1896 return log_link_warning_errno(link, r, "Failed to get DNSSL lifetime: %m");
1897
1898 if ((lifetime_usec == 0) != zero_lifetime)
1899 return 0;
1900
1901 r = sd_ndisc_router_dnssl_get_domains(rt, &l);
1902 if (r < 0)
1903 return log_link_warning_errno(link, r, "Failed to get DNSSL addresses: %m");
1904
1905 STRV_FOREACH(j, l) {
1906 _cleanup_free_ NDiscDNSSL *s = NULL;
1907 NDiscDNSSL *dnssl;
1908
1909 s = malloc0(ALIGN(sizeof(NDiscDNSSL)) + strlen(*j) + 1);
1910 if (!s)
1911 return log_oom();
1912
1913 strcpy(ndisc_dnssl_domain(s), *j);
1914
1915 if (lifetime_usec == 0) {
1916 /* The entry is outdated. */
1917 free(set_remove(link->ndisc_dnssl, s));
1918 updated = true;
1919 continue;
1920 }
1921
1922 dnssl = set_get(link->ndisc_dnssl, s);
1923 if (dnssl) {
1924 dnssl->router = router;
1925 dnssl->lifetime_usec = lifetime_usec;
1926 continue;
1927 }
1928
1929 if (set_size(link->ndisc_dnssl) >= NDISC_DNSSL_MAX) {
1930 if (!logged_about_too_many)
1931 log_link_warning(link, "Too many DNSSL records per link. Only first %u records will be used.", NDISC_DNSSL_MAX);
1932 logged_about_too_many = true;
1933 continue;
1934 }
1935
1936 s->router = router;
1937 s->lifetime_usec = lifetime_usec;
1938
1939 r = set_ensure_consume(&link->ndisc_dnssl, &ndisc_dnssl_hash_ops, TAKE_PTR(s));
1940 if (r < 0)
1941 return log_oom();
1942 assert(r > 0);
1943
1944 updated = true;
1945 }
1946
1947 if (updated)
1948 link_dirty(link);
1949
1950 return 0;
1951 }
1952
1953 static NDiscCaptivePortal* ndisc_captive_portal_free(NDiscCaptivePortal *x) {
1954 if (!x)
1955 return NULL;
1956
1957 free(x->captive_portal);
1958 return mfree(x);
1959 }
1960
1961 DEFINE_TRIVIAL_CLEANUP_FUNC(NDiscCaptivePortal*, ndisc_captive_portal_free);
1962
1963 static void ndisc_captive_portal_hash_func(const NDiscCaptivePortal *x, struct siphash *state) {
1964 assert(x);
1965 siphash24_compress_string(x->captive_portal, state);
1966 }
1967
1968 static int ndisc_captive_portal_compare_func(const NDiscCaptivePortal *a, const NDiscCaptivePortal *b) {
1969 assert(a);
1970 assert(b);
1971 return strcmp_ptr(a->captive_portal, b->captive_portal);
1972 }
1973
1974 DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR(
1975 ndisc_captive_portal_hash_ops,
1976 NDiscCaptivePortal,
1977 ndisc_captive_portal_hash_func,
1978 ndisc_captive_portal_compare_func,
1979 ndisc_captive_portal_free);
1980
1981 static int ndisc_router_process_captive_portal(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
1982 _cleanup_(ndisc_captive_portal_freep) NDiscCaptivePortal *new_entry = NULL;
1983 _cleanup_free_ char *captive_portal = NULL;
1984 const char *uri;
1985 usec_t lifetime_usec;
1986 NDiscCaptivePortal *exist;
1987 struct in6_addr router;
1988 int r;
1989
1990 assert(link);
1991 assert(link->network);
1992 assert(rt);
1993
1994 if (!link->network->ndisc_use_captive_portal)
1995 return 0;
1996
1997 r = sd_ndisc_router_get_sender_address(rt, &router);
1998 if (r < 0)
1999 return log_link_warning_errno(link, r, "Failed to get router address from RA: %m");
2000
2001 /* RFC 4861 section 4.2. states that the lifetime in the message header should be used only for the
2002 * default gateway, but the captive portal option does not have a lifetime field, hence, we use the
2003 * main lifetime for the portal. */
2004 r = sd_ndisc_router_get_lifetime_timestamp(rt, CLOCK_BOOTTIME, &lifetime_usec);
2005 if (r < 0)
2006 return log_link_warning_errno(link, r, "Failed to get lifetime of RA message: %m");
2007
2008 if ((lifetime_usec == 0) != zero_lifetime)
2009 return 0;
2010
2011 r = sd_ndisc_router_get_captive_portal(rt, &uri);
2012 if (r < 0)
2013 return log_link_warning_errno(link, r, "Failed to get captive portal from RA: %m");
2014
2015 captive_portal = strdup(uri);
2016 if (!captive_portal)
2017 return log_oom();
2018
2019 if (lifetime_usec == 0) {
2020 /* Drop the portal with zero lifetime. */
2021 ndisc_captive_portal_free(set_remove(link->ndisc_captive_portals,
2022 &(const NDiscCaptivePortal) {
2023 .captive_portal = captive_portal,
2024 }));
2025 return 0;
2026 }
2027
2028 exist = set_get(link->ndisc_captive_portals,
2029 &(const NDiscCaptivePortal) {
2030 .captive_portal = captive_portal,
2031 });
2032 if (exist) {
2033 /* update existing entry */
2034 exist->router = router;
2035 exist->lifetime_usec = lifetime_usec;
2036 return 1;
2037 }
2038
2039 if (set_size(link->ndisc_captive_portals) >= NDISC_CAPTIVE_PORTAL_MAX) {
2040 NDiscCaptivePortal *c, *target = NULL;
2041
2042 /* Find the portal who has the minimal lifetime and drop it to store new one. */
2043 SET_FOREACH(c, link->ndisc_captive_portals)
2044 if (!target || c->lifetime_usec < target->lifetime_usec)
2045 target = c;
2046
2047 assert(target);
2048 assert(set_remove(link->ndisc_captive_portals, target) == target);
2049 ndisc_captive_portal_free(target);
2050 }
2051
2052 new_entry = new(NDiscCaptivePortal, 1);
2053 if (!new_entry)
2054 return log_oom();
2055
2056 *new_entry = (NDiscCaptivePortal) {
2057 .router = router,
2058 .lifetime_usec = lifetime_usec,
2059 .captive_portal = TAKE_PTR(captive_portal),
2060 };
2061
2062 r = set_ensure_put(&link->ndisc_captive_portals, &ndisc_captive_portal_hash_ops, new_entry);
2063 if (r < 0)
2064 return log_oom();
2065 assert(r > 0);
2066 TAKE_PTR(new_entry);
2067
2068 link_dirty(link);
2069 return 1;
2070 }
2071
2072 static void ndisc_pref64_hash_func(const NDiscPREF64 *x, struct siphash *state) {
2073 assert(x);
2074
2075 siphash24_compress_typesafe(x->prefix_len, state);
2076 siphash24_compress_typesafe(x->prefix, state);
2077 }
2078
2079 static int ndisc_pref64_compare_func(const NDiscPREF64 *a, const NDiscPREF64 *b) {
2080 int r;
2081
2082 assert(a);
2083 assert(b);
2084
2085 r = CMP(a->prefix_len, b->prefix_len);
2086 if (r != 0)
2087 return r;
2088
2089 return memcmp(&a->prefix, &b->prefix, sizeof(a->prefix));
2090 }
2091
2092 DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR(
2093 ndisc_pref64_hash_ops,
2094 NDiscPREF64,
2095 ndisc_pref64_hash_func,
2096 ndisc_pref64_compare_func,
2097 mfree);
2098
2099 static int ndisc_router_process_pref64(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
2100 _cleanup_free_ NDiscPREF64 *new_entry = NULL;
2101 usec_t lifetime_usec;
2102 struct in6_addr a, router;
2103 uint8_t prefix_len;
2104 NDiscPREF64 *exist;
2105 int r;
2106
2107 assert(link);
2108 assert(link->network);
2109 assert(rt);
2110
2111 if (!link->network->ndisc_use_pref64)
2112 return 0;
2113
2114 r = sd_ndisc_router_get_sender_address(rt, &router);
2115 if (r < 0)
2116 return log_link_warning_errno(link, r, "Failed to get router address from RA: %m");
2117
2118 r = sd_ndisc_router_prefix64_get_prefix(rt, &a);
2119 if (r < 0)
2120 return log_link_warning_errno(link, r, "Failed to get pref64 prefix: %m");
2121
2122 r = sd_ndisc_router_prefix64_get_prefixlen(rt, &prefix_len);
2123 if (r < 0)
2124 return log_link_warning_errno(link, r, "Failed to get pref64 prefix length: %m");
2125
2126 r = sd_ndisc_router_prefix64_get_lifetime_timestamp(rt, CLOCK_BOOTTIME, &lifetime_usec);
2127 if (r < 0)
2128 return log_link_warning_errno(link, r, "Failed to get pref64 prefix lifetime: %m");
2129
2130 if ((lifetime_usec == 0) != zero_lifetime)
2131 return 0;
2132
2133 if (lifetime_usec == 0) {
2134 free(set_remove(link->ndisc_pref64,
2135 &(NDiscPREF64) {
2136 .prefix = a,
2137 .prefix_len = prefix_len
2138 }));
2139 return 0;
2140 }
2141
2142 exist = set_get(link->ndisc_pref64,
2143 &(NDiscPREF64) {
2144 .prefix = a,
2145 .prefix_len = prefix_len
2146 });
2147 if (exist) {
2148 /* update existing entry */
2149 exist->router = router;
2150 exist->lifetime_usec = lifetime_usec;
2151 return 0;
2152 }
2153
2154 if (set_size(link->ndisc_pref64) >= NDISC_PREF64_MAX) {
2155 log_link_debug(link, "Too many PREF64 records received. Only first %u records will be used.", NDISC_PREF64_MAX);
2156 return 0;
2157 }
2158
2159 new_entry = new(NDiscPREF64, 1);
2160 if (!new_entry)
2161 return log_oom();
2162
2163 *new_entry = (NDiscPREF64) {
2164 .router = router,
2165 .lifetime_usec = lifetime_usec,
2166 .prefix = a,
2167 .prefix_len = prefix_len,
2168 };
2169
2170 r = set_ensure_put(&link->ndisc_pref64, &ndisc_pref64_hash_ops, new_entry);
2171 if (r < 0)
2172 return log_oom();
2173
2174 assert(r > 0);
2175 TAKE_PTR(new_entry);
2176
2177 return 0;
2178 }
2179
2180 static NDiscDNR* ndisc_dnr_free(NDiscDNR *x) {
2181 if (!x)
2182 return NULL;
2183
2184 sd_dns_resolver_done(&x->resolver);
2185 return mfree(x);
2186 }
2187
2188 DEFINE_TRIVIAL_CLEANUP_FUNC(NDiscDNR*, ndisc_dnr_free);
2189
2190 static int ndisc_dnr_compare_func(const NDiscDNR *a, const NDiscDNR *b) {
2191 return CMP(a->resolver.priority, b->resolver.priority) ||
2192 strcmp_ptr(a->resolver.auth_name, b->resolver.auth_name) ||
2193 CMP(a->resolver.transports, b->resolver.transports) ||
2194 CMP(a->resolver.port, b->resolver.port) ||
2195 strcmp_ptr(a->resolver.dohpath, b->resolver.dohpath) ||
2196 CMP(a->resolver.family, b->resolver.family) ||
2197 CMP(a->resolver.n_addrs, b->resolver.n_addrs) ||
2198 memcmp(a->resolver.addrs, b->resolver.addrs, sizeof(a->resolver.addrs[0]) * a->resolver.n_addrs);
2199 }
2200
2201 static void ndisc_dnr_hash_func(const NDiscDNR *x, struct siphash *state) {
2202 assert(x);
2203
2204 siphash24_compress_resolver(&x->resolver, state);
2205 }
2206
2207 DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR(
2208 ndisc_dnr_hash_ops,
2209 NDiscDNR,
2210 ndisc_dnr_hash_func,
2211 ndisc_dnr_compare_func,
2212 ndisc_dnr_free);
2213
2214 static int sd_dns_resolver_copy(const sd_dns_resolver *a, sd_dns_resolver *b) {
2215 int r;
2216
2217 assert(a);
2218 assert(b);
2219
2220 _cleanup_(sd_dns_resolver_done) sd_dns_resolver c = {
2221 .priority = a->priority,
2222 .transports = a->transports,
2223 .port = a->port,
2224 /* .auth_name */
2225 .family = a->family,
2226 /* .addrs */
2227 /* .n_addrs */
2228 /* .dohpath */
2229 };
2230
2231 /* auth_name */
2232 r = strdup_to(&c.auth_name, a->auth_name);
2233 if (r < 0)
2234 return r;
2235
2236 /* addrs, n_addrs */
2237 c.addrs = newdup(union in_addr_union, a->addrs, a->n_addrs);
2238 if (!c.addrs)
2239 return r;
2240 c.n_addrs = a->n_addrs;
2241
2242 /* dohpath */
2243 r = strdup_to(&c.dohpath, a->dohpath);
2244 if (r < 0)
2245 return r;
2246
2247 *b = TAKE_STRUCT(c);
2248 return 0;
2249 }
2250
2251 static int ndisc_router_process_encrypted_dns(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
2252 int r;
2253
2254 assert(link);
2255 assert(link->network);
2256 assert(rt);
2257
2258 struct in6_addr router;
2259 usec_t lifetime_usec;
2260 sd_dns_resolver *res;
2261 _cleanup_(ndisc_dnr_freep) NDiscDNR *new_entry = NULL;
2262
2263 if (!link_get_use_dnr(link, NETWORK_CONFIG_SOURCE_NDISC))
2264 return 0;
2265
2266 r = sd_ndisc_router_get_sender_address(rt, &router);
2267 if (r < 0)
2268 return log_link_warning_errno(link, r, "Failed to get gateway address from RA: %m");
2269
2270 r = sd_ndisc_router_encrypted_dns_get_lifetime_timestamp(rt, CLOCK_BOOTTIME, &lifetime_usec);
2271 if (r < 0)
2272 return log_link_warning_errno(link, r, "Failed to get lifetime of RA message: %m");
2273
2274 if ((lifetime_usec == 0) != zero_lifetime)
2275 return 0;
2276
2277 r = sd_ndisc_router_encrypted_dns_get_resolver(rt, &res);
2278 if (r < 0)
2279 return log_link_warning_errno(link, r, "Failed to get encrypted dns resolvers: %m");
2280
2281 NDiscDNR *dnr, d = { .resolver = *res };
2282 if (lifetime_usec == 0) {
2283 dnr = set_remove(link->ndisc_dnr, &d);
2284 if (dnr) {
2285 ndisc_dnr_free(dnr);
2286 link_dirty(link);
2287 }
2288 return 0;
2289 }
2290
2291 dnr = set_get(link->ndisc_dnr, &d);
2292 if (dnr) {
2293 dnr->router = router;
2294 dnr->lifetime_usec = lifetime_usec;
2295 return 0;
2296 }
2297
2298 if (set_size(link->ndisc_dnr) >= NDISC_ENCRYPTED_DNS_MAX) {
2299 log_link_warning(link, "Too many Encrypted DNS records received. Only first %u records will be used.", NDISC_ENCRYPTED_DNS_MAX);
2300 return 0;
2301 }
2302
2303 new_entry = new(NDiscDNR, 1);
2304 if (!new_entry)
2305 return log_oom();
2306
2307 *new_entry = (NDiscDNR) {
2308 .router = router,
2309 /* .resolver, */
2310 .lifetime_usec = lifetime_usec,
2311 };
2312 r = sd_dns_resolver_copy(res, &new_entry->resolver);
2313 if (r < 0)
2314 return log_oom();
2315
2316 /* Not sorted by priority */
2317 r = set_ensure_put(&link->ndisc_dnr, &ndisc_dnr_hash_ops, new_entry);
2318 if (r < 0)
2319 return log_oom();
2320
2321 assert(r > 0);
2322 TAKE_PTR(new_entry);
2323
2324 link_dirty(link);
2325
2326 return 0;
2327 }
2328
2329 static int ndisc_router_process_options(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
2330 size_t n_captive_portal = 0;
2331 int r;
2332
2333 assert(link);
2334 assert(link->network);
2335 assert(rt);
2336
2337 for (r = sd_ndisc_router_option_rewind(rt); ; r = sd_ndisc_router_option_next(rt)) {
2338 uint8_t type;
2339
2340 if (r < 0)
2341 return log_link_warning_errno(link, r, "Failed to iterate through options: %m");
2342 if (r == 0) /* EOF */
2343 return 0;
2344
2345 r = sd_ndisc_router_option_get_type(rt, &type);
2346 if (r < 0)
2347 return log_link_warning_errno(link, r, "Failed to get RA option type: %m");
2348
2349 switch (type) {
2350 case SD_NDISC_OPTION_PREFIX_INFORMATION:
2351 r = ndisc_router_process_prefix(link, rt, zero_lifetime);
2352 break;
2353
2354 case SD_NDISC_OPTION_ROUTE_INFORMATION:
2355 r = ndisc_router_process_route(link, rt, zero_lifetime);
2356 break;
2357
2358 case SD_NDISC_OPTION_RDNSS:
2359 r = ndisc_router_process_rdnss(link, rt, zero_lifetime);
2360 break;
2361
2362 case SD_NDISC_OPTION_DNSSL:
2363 r = ndisc_router_process_dnssl(link, rt, zero_lifetime);
2364 break;
2365 case SD_NDISC_OPTION_CAPTIVE_PORTAL:
2366 if (n_captive_portal > 0) {
2367 if (n_captive_portal == 1)
2368 log_link_notice(link, "Received RA with multiple captive portals, only using the first one.");
2369
2370 n_captive_portal++;
2371 continue;
2372 }
2373 r = ndisc_router_process_captive_portal(link, rt, zero_lifetime);
2374 if (r > 0)
2375 n_captive_portal++;
2376 break;
2377 case SD_NDISC_OPTION_PREF64:
2378 r = ndisc_router_process_pref64(link, rt, zero_lifetime);
2379 break;
2380 case SD_NDISC_OPTION_ENCRYPTED_DNS:
2381 r = ndisc_router_process_encrypted_dns(link, rt, zero_lifetime);
2382 break;
2383 }
2384 if (r < 0 && r != -EBADMSG)
2385 return r;
2386 }
2387 }
2388
2389 static int ndisc_drop_outdated(Link *link, const struct in6_addr *router, usec_t timestamp_usec) {
2390 bool updated = false;
2391 NDiscDNSSL *dnssl;
2392 NDiscRDNSS *rdnss;
2393 NDiscCaptivePortal *cp;
2394 NDiscPREF64 *p64;
2395 NDiscDNR *dnr;
2396 Address *address;
2397 Route *route;
2398 int r, ret = 0;
2399
2400 assert(link);
2401 assert(link->manager);
2402
2403 /* If an address or friends is already assigned, but not valid anymore, then refuse to update it,
2404 * and let's immediately remove it.
2405 * See RFC4862, section 5.5.3.e. But the following logic is deviated from RFC4862 by honoring all
2406 * valid lifetimes to improve the reaction of SLAAC to renumbering events.
2407 * See draft-ietf-6man-slaac-renum-02, section 4.2. */
2408
2409 r = ndisc_drop_routers(link, router, timestamp_usec);
2410 if (r < 0)
2411 RET_GATHER(ret, log_link_warning_errno(link, r, "Failed to drop outdated default router, ignoring: %m"));
2412
2413 SET_FOREACH(route, link->manager->routes) {
2414 if (route->source != NETWORK_CONFIG_SOURCE_NDISC)
2415 continue;
2416
2417 if (!route_is_bound_to_link(route, link))
2418 continue;
2419
2420 if (route->protocol == RTPROT_REDIRECT)
2421 continue; /* redirect route will be dropped by ndisc_drop_redirect(). */
2422
2423 if (route->lifetime_usec > timestamp_usec)
2424 continue; /* the route is still valid */
2425
2426 if (router && !in6_addr_equal(&route->provider.in6, router))
2427 continue;
2428
2429 r = route_remove_and_cancel(route, link->manager);
2430 if (r < 0)
2431 RET_GATHER(ret, log_link_warning_errno(link, r, "Failed to remove outdated SLAAC route, ignoring: %m"));
2432 }
2433
2434 RET_GATHER(ret, ndisc_remove_unused_nexthops(link));
2435
2436 SET_FOREACH(address, link->addresses) {
2437 if (address->source != NETWORK_CONFIG_SOURCE_NDISC)
2438 continue;
2439
2440 if (address->lifetime_valid_usec > timestamp_usec)
2441 continue; /* the address is still valid */
2442
2443 if (router && !in6_addr_equal(&address->provider.in6, router))
2444 continue;
2445
2446 r = address_remove_and_cancel(address, link);
2447 if (r < 0)
2448 RET_GATHER(ret, log_link_warning_errno(link, r, "Failed to remove outdated SLAAC address, ignoring: %m"));
2449 }
2450
2451 SET_FOREACH(rdnss, link->ndisc_rdnss) {
2452 if (rdnss->lifetime_usec > timestamp_usec)
2453 continue; /* the DNS server is still valid */
2454
2455 if (router && !in6_addr_equal(&rdnss->router, router))
2456 continue;
2457
2458 free(set_remove(link->ndisc_rdnss, rdnss));
2459 updated = true;
2460 }
2461
2462 SET_FOREACH(dnssl, link->ndisc_dnssl) {
2463 if (dnssl->lifetime_usec > timestamp_usec)
2464 continue; /* the DNS domain is still valid */
2465
2466 if (router && !in6_addr_equal(&dnssl->router, router))
2467 continue;
2468
2469 free(set_remove(link->ndisc_dnssl, dnssl));
2470 updated = true;
2471 }
2472
2473 SET_FOREACH(cp, link->ndisc_captive_portals) {
2474 if (cp->lifetime_usec > timestamp_usec)
2475 continue; /* the captive portal is still valid */
2476
2477 if (router && !in6_addr_equal(&cp->router, router))
2478 continue;
2479
2480 ndisc_captive_portal_free(set_remove(link->ndisc_captive_portals, cp));
2481 updated = true;
2482 }
2483
2484 SET_FOREACH(p64, link->ndisc_pref64) {
2485 if (p64->lifetime_usec > timestamp_usec)
2486 continue; /* the pref64 prefix is still valid */
2487
2488 if (router && !in6_addr_equal(&p64->router, router))
2489 continue;
2490
2491 free(set_remove(link->ndisc_pref64, p64));
2492 /* The pref64 prefix is not exported through the state file, hence it is not necessary to set
2493 * the 'updated' flag. */
2494 }
2495
2496 SET_FOREACH(dnr, link->ndisc_dnr) {
2497 if (dnr->lifetime_usec > timestamp_usec)
2498 continue; /* The resolver is still valid */
2499
2500 ndisc_dnr_free(set_remove(link->ndisc_dnr, dnr));
2501 updated = true;
2502 }
2503
2504 RET_GATHER(ret, link_request_stacked_netdevs(link, NETDEV_LOCAL_ADDRESS_SLAAC));
2505
2506 if (updated)
2507 link_dirty(link);
2508
2509 return ret;
2510 }
2511
2512 static int ndisc_setup_expire(Link *link);
2513
2514 static int ndisc_expire_handler(sd_event_source *s, uint64_t usec, void *userdata) {
2515 Link *link = ASSERT_PTR(userdata);
2516 usec_t now_usec;
2517
2518 assert(link->manager);
2519
2520 assert_se(sd_event_now(link->manager->event, CLOCK_BOOTTIME, &now_usec) >= 0);
2521
2522 (void) ndisc_drop_outdated(link, /* router = */ NULL, now_usec);
2523 (void) ndisc_setup_expire(link);
2524 return 0;
2525 }
2526
2527 static int ndisc_setup_expire(Link *link) {
2528 usec_t lifetime_usec = USEC_INFINITY;
2529 NDiscCaptivePortal *cp;
2530 NDiscDNSSL *dnssl;
2531 NDiscRDNSS *rdnss;
2532 NDiscPREF64 *p64;
2533 NDiscDNR *dnr;
2534 Address *address;
2535 Route *route;
2536 int r;
2537
2538 assert(link);
2539 assert(link->manager);
2540
2541 sd_ndisc_router *rt;
2542 HASHMAP_FOREACH(rt, link->ndisc_routers_by_sender) {
2543 usec_t t;
2544
2545 if (sd_ndisc_router_get_lifetime_timestamp(rt, CLOCK_BOOTTIME, &t) < 0)
2546 continue;
2547
2548 lifetime_usec = MIN(lifetime_usec, t);
2549 }
2550
2551 SET_FOREACH(route, link->manager->routes) {
2552 if (route->source != NETWORK_CONFIG_SOURCE_NDISC)
2553 continue;
2554
2555 if (!route_is_bound_to_link(route, link))
2556 continue;
2557
2558 if (!route_exists(route))
2559 continue;
2560
2561 lifetime_usec = MIN(lifetime_usec, route->lifetime_usec);
2562 }
2563
2564 SET_FOREACH(address, link->addresses) {
2565 if (address->source != NETWORK_CONFIG_SOURCE_NDISC)
2566 continue;
2567
2568 if (!address_exists(address))
2569 continue;
2570
2571 lifetime_usec = MIN(lifetime_usec, address->lifetime_valid_usec);
2572 }
2573
2574 SET_FOREACH(rdnss, link->ndisc_rdnss)
2575 lifetime_usec = MIN(lifetime_usec, rdnss->lifetime_usec);
2576
2577 SET_FOREACH(dnssl, link->ndisc_dnssl)
2578 lifetime_usec = MIN(lifetime_usec, dnssl->lifetime_usec);
2579
2580 SET_FOREACH(cp, link->ndisc_captive_portals)
2581 lifetime_usec = MIN(lifetime_usec, cp->lifetime_usec);
2582
2583 SET_FOREACH(p64, link->ndisc_pref64)
2584 lifetime_usec = MIN(lifetime_usec, p64->lifetime_usec);
2585
2586 SET_FOREACH(dnr, link->ndisc_dnr)
2587 lifetime_usec = MIN(lifetime_usec, dnr->lifetime_usec);
2588
2589 if (lifetime_usec == USEC_INFINITY)
2590 return 0;
2591
2592 r = event_reset_time(link->manager->event, &link->ndisc_expire, CLOCK_BOOTTIME,
2593 lifetime_usec, 0, ndisc_expire_handler, link, 0, "ndisc-expiration", true);
2594 if (r < 0)
2595 return log_link_warning_errno(link, r, "Failed to update expiration timer for ndisc: %m");
2596
2597 return 0;
2598 }
2599
2600 static int ndisc_start_dhcp6_client(Link *link, sd_ndisc_router *rt) {
2601 int r;
2602
2603 assert(link);
2604 assert(link->network);
2605
2606 switch (link->network->ndisc_start_dhcp6_client) {
2607 case IPV6_ACCEPT_RA_START_DHCP6_CLIENT_NO:
2608 return 0;
2609
2610 case IPV6_ACCEPT_RA_START_DHCP6_CLIENT_YES: {
2611 uint64_t flags;
2612
2613 r = sd_ndisc_router_get_flags(rt, &flags);
2614 if (r < 0)
2615 return log_link_warning_errno(link, r, "Failed to get RA flags: %m");
2616
2617 if ((flags & (ND_RA_FLAG_MANAGED | ND_RA_FLAG_OTHER)) == 0)
2618 return 0;
2619
2620 /* (re)start DHCPv6 client in stateful or stateless mode according to RA flags.
2621 * Note, if both "managed" and "other configuration" bits are set, then ignore
2622 * "other configuration" bit. See RFC 4861. */
2623 r = dhcp6_start_on_ra(link, !(flags & ND_RA_FLAG_MANAGED));
2624 break;
2625 }
2626 case IPV6_ACCEPT_RA_START_DHCP6_CLIENT_ALWAYS:
2627 /* When IPv6AcceptRA.DHCPv6Client=always, start dhcp6 client in solicit mode
2628 * even if the router flags have neither M nor O flags. */
2629 r = dhcp6_start_on_ra(link, /* information_request = */ false);
2630 break;
2631
2632 default:
2633 assert_not_reached();
2634 }
2635
2636 if (r < 0)
2637 return log_link_warning_errno(link, r, "Could not acquire DHCPv6 lease on NDisc request: %m");
2638
2639 log_link_debug(link, "Acquiring DHCPv6 lease on NDisc request");
2640 return 0;
2641 }
2642
2643 static int ndisc_router_handler(Link *link, sd_ndisc_router *rt) {
2644 struct in6_addr router;
2645 usec_t timestamp_usec;
2646 int r;
2647
2648 assert(link);
2649 assert(link->network);
2650 assert(link->manager);
2651 assert(rt);
2652
2653 r = sd_ndisc_router_get_sender_address(rt, &router);
2654 if (r == -ENODATA) {
2655 log_link_debug(link, "Received RA without router address, ignoring.");
2656 return 0;
2657 }
2658 if (r < 0)
2659 return log_link_warning_errno(link, r, "Failed to get router address from RA: %m");
2660
2661 if (in6_prefix_is_filtered(&router, 128, link->network->ndisc_allow_listed_router, link->network->ndisc_deny_listed_router)) {
2662 if (!set_isempty(link->network->ndisc_allow_listed_router))
2663 log_link_debug(link, "Router %s is not in allow list, ignoring.", IN6_ADDR_TO_STRING(&router));
2664 else
2665 log_link_debug(link, "Router %s is in deny list, ignoring.", IN6_ADDR_TO_STRING(&router));
2666 return 0;
2667 }
2668
2669 r = sd_ndisc_router_get_timestamp(rt, CLOCK_BOOTTIME, &timestamp_usec);
2670 if (r == -ENODATA) {
2671 log_link_debug(link, "Received RA without timestamp, ignoring.");
2672 return 0;
2673 }
2674 if (r < 0)
2675 return r;
2676
2677 r = ndisc_drop_outdated(link, /* router = */ NULL, timestamp_usec);
2678 if (r < 0)
2679 return r;
2680
2681 r = ndisc_remember_router(link, rt);
2682 if (r < 0)
2683 return r;
2684
2685 r = ndisc_start_dhcp6_client(link, rt);
2686 if (r < 0)
2687 return r;
2688
2689 r = ndisc_router_process_reachable_time(link, rt);
2690 if (r < 0)
2691 return r;
2692
2693 r = ndisc_router_process_retransmission_time(link, rt);
2694 if (r < 0)
2695 return r;
2696
2697 r = ndisc_router_process_hop_limit(link, rt);
2698 if (r < 0)
2699 return r;
2700
2701 r = ndisc_router_process_mtu(link, rt);
2702 if (r < 0)
2703 return r;
2704
2705 r = ndisc_router_process_options(link, rt, /* zero_lifetime = */ true);
2706 if (r < 0)
2707 return r;
2708
2709 r = ndisc_router_process_default(link, rt);
2710 if (r < 0)
2711 return r;
2712
2713 r = ndisc_router_process_options(link, rt, /* zero_lifetime = */ false);
2714 if (r < 0)
2715 return r;
2716
2717 r = ndisc_setup_expire(link);
2718 if (r < 0)
2719 return r;
2720
2721 if (sd_ndisc_router_get_lifetime(rt, NULL) <= 0)
2722 (void) ndisc_drop_redirect(link, &router);
2723
2724 if (link->ndisc_messages == 0)
2725 link->ndisc_configured = true;
2726 else
2727 log_link_debug(link, "Setting SLAAC addresses and router.");
2728
2729 if (!link->ndisc_configured)
2730 link_set_state(link, LINK_STATE_CONFIGURING);
2731
2732 link_check_ready(link);
2733 return 0;
2734 }
2735
2736 static int ndisc_neighbor_handle_non_router_message(Link *link, sd_ndisc_neighbor *na) {
2737 struct in6_addr address;
2738 int r;
2739
2740 assert(link);
2741 assert(na);
2742
2743 /* Received Neighbor Advertisement message without Router flag. The node might have been a router,
2744 * and now it is not. Let's drop all configurations based on RAs sent from the node. */
2745
2746 r = sd_ndisc_neighbor_get_target_address(na, &address);
2747 if (r == -ENODATA)
2748 return 0;
2749 if (r < 0)
2750 return r;
2751
2752 /* Remove the routes configured by Redirect messages. */
2753 r = ndisc_drop_redirect(link, &address);
2754
2755 /* Also remove the default gateway via the host, but keep the configurations based on the RA options. */
2756 _cleanup_(sd_ndisc_router_unrefp) sd_ndisc_router *rt = hashmap_remove(link->ndisc_routers_by_sender, &address);
2757 if (rt)
2758 RET_GATHER(r, ndisc_router_drop_default(link, rt));
2759
2760 return r;
2761 }
2762
2763 static int ndisc_neighbor_handle_router_message(Link *link, sd_ndisc_neighbor *na) {
2764 struct in6_addr current_address, original_address;
2765 int r;
2766
2767 assert(link);
2768 assert(link->manager);
2769 assert(na);
2770
2771 /* Received Neighbor Advertisement message with Router flag. If the router address is changed, update
2772 * the provider field of configurations. */
2773
2774 r = sd_ndisc_neighbor_get_sender_address(na, &current_address);
2775 if (r == -ENODATA)
2776 return 0;
2777 if (r < 0)
2778 return r;
2779
2780 r = sd_ndisc_neighbor_get_target_address(na, &original_address);
2781 if (r == -ENODATA)
2782 return 0;
2783 if (r < 0)
2784 return r;
2785
2786 if (in6_addr_equal(&current_address, &original_address))
2787 return 0; /* the router address is not changed */
2788
2789 r = ndisc_update_router_address(link, &original_address, &current_address);
2790 if (r < 0)
2791 return r;
2792
2793 r = ndisc_update_redirect_sender(link, &original_address, &current_address);
2794 if (r < 0)
2795 return r;
2796
2797 Route *route;
2798 SET_FOREACH(route, link->manager->routes) {
2799 if (route->source != NETWORK_CONFIG_SOURCE_NDISC)
2800 continue;
2801
2802 if (!route_is_bound_to_link(route, link))
2803 continue;
2804
2805 if (!in6_addr_equal(&route->provider.in6, &original_address))
2806 continue;
2807
2808 route->provider.in6 = current_address;
2809 }
2810
2811 Address *address;
2812 SET_FOREACH(address, link->addresses) {
2813 if (address->source != NETWORK_CONFIG_SOURCE_NDISC)
2814 continue;
2815
2816 if (!in6_addr_equal(&address->provider.in6, &original_address))
2817 continue;
2818
2819 address->provider.in6 = current_address;
2820 }
2821
2822 NDiscRDNSS *rdnss;
2823 SET_FOREACH(rdnss, link->ndisc_rdnss) {
2824 if (!in6_addr_equal(&rdnss->router, &original_address))
2825 continue;
2826
2827 rdnss->router = current_address;
2828 }
2829
2830 NDiscDNSSL *dnssl;
2831 SET_FOREACH(dnssl, link->ndisc_dnssl) {
2832 if (!in6_addr_equal(&dnssl->router, &original_address))
2833 continue;
2834
2835 dnssl->router = current_address;
2836 }
2837
2838 NDiscCaptivePortal *cp;
2839 SET_FOREACH(cp, link->ndisc_captive_portals) {
2840 if (!in6_addr_equal(&cp->router, &original_address))
2841 continue;
2842
2843 cp->router = current_address;
2844 }
2845
2846 NDiscPREF64 *p64;
2847 SET_FOREACH(p64, link->ndisc_pref64) {
2848 if (!in6_addr_equal(&p64->router, &original_address))
2849 continue;
2850
2851 p64->router = current_address;
2852 }
2853
2854 NDiscDNR *dnr;
2855 SET_FOREACH(dnr, link->ndisc_dnr) {
2856 if (!in6_addr_equal(&dnr->router, &original_address))
2857 continue;
2858
2859 dnr->router = current_address;
2860 }
2861
2862 return 0;
2863 }
2864
2865 static int ndisc_neighbor_handler(Link *link, sd_ndisc_neighbor *na) {
2866 int r;
2867
2868 assert(link);
2869 assert(na);
2870
2871 r = sd_ndisc_neighbor_is_router(na);
2872 if (r < 0)
2873 return r;
2874 if (r == 0)
2875 r = ndisc_neighbor_handle_non_router_message(link, na);
2876 else
2877 r = ndisc_neighbor_handle_router_message(link, na);
2878 if (r < 0)
2879 return r;
2880
2881 return 0;
2882 }
2883
2884 static void ndisc_handler(sd_ndisc *nd, sd_ndisc_event_t event, void *message, void *userdata) {
2885 Link *link = ASSERT_PTR(userdata);
2886 int r;
2887
2888 if (IN_SET(link->state, LINK_STATE_FAILED, LINK_STATE_LINGER))
2889 return;
2890
2891 switch (event) {
2892
2893 case SD_NDISC_EVENT_ROUTER:
2894 r = ndisc_router_handler(link, ASSERT_PTR(message));
2895 if (r < 0 && r != -EBADMSG) {
2896 link_enter_failed(link);
2897 return;
2898 }
2899 break;
2900
2901 case SD_NDISC_EVENT_NEIGHBOR:
2902 r = ndisc_neighbor_handler(link, ASSERT_PTR(message));
2903 if (r < 0 && r != -EBADMSG) {
2904 link_enter_failed(link);
2905 return;
2906 }
2907 break;
2908
2909 case SD_NDISC_EVENT_REDIRECT:
2910 r = ndisc_redirect_handler(link, ASSERT_PTR(message));
2911 if (r < 0 && r != -EBADMSG) {
2912 log_link_warning_errno(link, r, "Failed to process Redirect message: %m");
2913 link_enter_failed(link);
2914 return;
2915 }
2916 break;
2917
2918 case SD_NDISC_EVENT_TIMEOUT:
2919 log_link_debug(link, "NDisc handler get timeout event");
2920 if (link->ndisc_messages == 0) {
2921 link->ndisc_configured = true;
2922 link_check_ready(link);
2923 }
2924 break;
2925
2926 default:
2927 log_link_debug(link, "Received unsupported NDisc event, ignoring.");
2928 }
2929 }
2930
2931 static int ndisc_configure(Link *link) {
2932 int r;
2933
2934 assert(link);
2935
2936 if (!link_ndisc_enabled(link))
2937 return 0;
2938
2939 if (link->ndisc)
2940 return -EBUSY; /* Already configured. */
2941
2942 r = sd_ndisc_new(&link->ndisc);
2943 if (r < 0)
2944 return r;
2945
2946 r = sd_ndisc_attach_event(link->ndisc, link->manager->event, 0);
2947 if (r < 0)
2948 return r;
2949
2950 if (link->hw_addr.length == ETH_ALEN) {
2951 r = sd_ndisc_set_mac(link->ndisc, &link->hw_addr.ether);
2952 if (r < 0)
2953 return r;
2954 }
2955
2956 r = sd_ndisc_set_ifindex(link->ndisc, link->ifindex);
2957 if (r < 0)
2958 return r;
2959
2960 r = sd_ndisc_set_callback(link->ndisc, ndisc_handler, link);
2961 if (r < 0)
2962 return r;
2963
2964 return 0;
2965 }
2966
2967 int ndisc_start(Link *link) {
2968 int r;
2969
2970 assert(link);
2971
2972 if (!link->ndisc || !link->dhcp6_client)
2973 return 0;
2974
2975 if (!link_has_carrier(link))
2976 return 0;
2977
2978 if (in6_addr_is_null(&link->ipv6ll_address))
2979 return 0;
2980
2981 r = sd_ndisc_set_link_local_address(link->ndisc, &link->ipv6ll_address);
2982 if (r < 0)
2983 return r;
2984
2985 log_link_debug(link, "Discovering IPv6 routers");
2986
2987 r = sd_ndisc_start(link->ndisc);
2988 if (r < 0)
2989 return r;
2990
2991 return 1;
2992 }
2993
2994 static int ndisc_process_request(Request *req, Link *link, void *userdata) {
2995 int r;
2996
2997 assert(link);
2998
2999 if (!link_is_ready_to_configure(link, /* allow_unmanaged = */ false))
3000 return 0;
3001
3002 r = ndisc_configure(link);
3003 if (r < 0)
3004 return log_link_warning_errno(link, r, "Failed to configure IPv6 Router Discovery: %m");
3005
3006 r = ndisc_start(link);
3007 if (r < 0)
3008 return log_link_warning_errno(link, r, "Failed to start IPv6 Router Discovery: %m");
3009
3010 log_link_debug(link, "IPv6 Router Discovery is configured%s.",
3011 r > 0 ? " and started" : "");
3012 return 1;
3013 }
3014
3015 int link_request_ndisc(Link *link) {
3016 int r;
3017
3018 assert(link);
3019
3020 if (!link_ndisc_enabled(link))
3021 return 0;
3022
3023 if (link->ndisc)
3024 return 0;
3025
3026 r = link_queue_request(link, REQUEST_TYPE_NDISC, ndisc_process_request, NULL);
3027 if (r < 0)
3028 return log_link_warning_errno(link, r, "Failed to request configuring of the IPv6 Router Discovery: %m");
3029
3030 log_link_debug(link, "Requested configuring of the IPv6 Router Discovery.");
3031 return 0;
3032 }
3033
3034 int link_drop_ndisc_config(Link *link, Network *network) {
3035 int r, ret = 0;
3036
3037 assert(link);
3038 assert(link->network);
3039
3040 if (link->network == network)
3041 return 0; /* .network file is unchanged. It is not necessary to reconfigure the client. */
3042
3043 if (!link_ndisc_enabled(link)) {
3044 /* NDisc is disabled. Stop the client if it is running and flush configs. */
3045 ret = ndisc_stop(link);
3046 ndisc_flush(link);
3047 link->ndisc = sd_ndisc_unref(link->ndisc);
3048 return ret;
3049 }
3050
3051 /* Even if the client was previously enabled and also enabled in the new .network file, detailed
3052 * settings for the client may be different. Let's unref() the client. */
3053 link->ndisc = sd_ndisc_unref(link->ndisc);
3054
3055 /* Get if NDisc was enabled or not. */
3056 Network *current = link->network;
3057 link->network = network;
3058 bool enabled = link_ndisc_enabled(link);
3059 link->network = current;
3060
3061 /* If previously explicitly disabled, there should be nothing to drop.
3062 * If we do not know the previous setting of the client, e.g. when networkd is restarted, in that
3063 * case we do not have the previous .network file assigned to the interface, then let's assume no
3064 * detailed configuration is changed. Hopefully, unmatching configurations will be dropped after
3065 * their lifetime. */
3066 if (!enabled)
3067 return 0;
3068
3069 assert(network);
3070
3071 /* Redirect messages will be ignored. Drop configurations based on the previously received redirect
3072 * messages. */
3073 if (!network->ndisc_use_redirect)
3074 (void) ndisc_drop_redirect(link, /* router = */ NULL);
3075
3076 /* If one of the route setting is changed, drop all routes. */
3077 if (link->network->ndisc_use_gateway != network->ndisc_use_gateway ||
3078 link->network->ndisc_use_route_prefix != network->ndisc_use_route_prefix ||
3079 link->network->ndisc_use_onlink_prefix != network->ndisc_use_onlink_prefix ||
3080 link->network->ndisc_quickack != network->ndisc_quickack ||
3081 link->network->ndisc_route_metric_high != network->ndisc_route_metric_high ||
3082 link->network->ndisc_route_metric_medium != network->ndisc_route_metric_medium ||
3083 link->network->ndisc_route_metric_low != network->ndisc_route_metric_low ||
3084 !set_equal(link->network->ndisc_deny_listed_router, network->ndisc_deny_listed_router) ||
3085 !set_equal(link->network->ndisc_allow_listed_router, network->ndisc_allow_listed_router) ||
3086 !set_equal(link->network->ndisc_deny_listed_prefix, network->ndisc_deny_listed_prefix) ||
3087 !set_equal(link->network->ndisc_allow_listed_prefix, network->ndisc_allow_listed_prefix) ||
3088 !set_equal(link->network->ndisc_deny_listed_route_prefix, network->ndisc_deny_listed_route_prefix) ||
3089 !set_equal(link->network->ndisc_allow_listed_route_prefix, network->ndisc_allow_listed_route_prefix)) {
3090 Route *route;
3091 SET_FOREACH(route, link->manager->routes) {
3092 if (route->source != NETWORK_CONFIG_SOURCE_NDISC)
3093 continue;
3094
3095 if (!route_is_bound_to_link(route, link))
3096 continue;
3097
3098 if (route->protocol == RTPROT_REDIRECT)
3099 continue; /* redirect route is handled by ndisc_drop_redirect(). */
3100
3101 r = route_remove_and_cancel(route, link->manager);
3102 if (r < 0)
3103 RET_GATHER(ret, log_link_warning_errno(link, r, "Failed to remove SLAAC route, ignoring: %m"));
3104 }
3105
3106 RET_GATHER(ret, ndisc_remove_unused_nexthops(link));
3107 }
3108
3109 /* If SLAAC address is disabled, drop all addresses. */
3110 if (!network->ndisc_use_autonomous_prefix ||
3111 !set_equal(link->network->ndisc_tokens, network->ndisc_tokens) ||
3112 !set_equal(link->network->ndisc_deny_listed_prefix, network->ndisc_deny_listed_prefix) ||
3113 !set_equal(link->network->ndisc_allow_listed_prefix, network->ndisc_allow_listed_prefix)) {
3114 Address *address;
3115 SET_FOREACH(address, link->addresses) {
3116 if (address->source != NETWORK_CONFIG_SOURCE_NDISC)
3117 continue;
3118
3119 r = address_remove_and_cancel(address, link);
3120 if (r < 0)
3121 RET_GATHER(ret, log_link_warning_errno(link, r, "Failed to remove SLAAC address, ignoring: %m"));
3122 }
3123 }
3124
3125 if (!network->ndisc_use_mtu)
3126 link->ndisc_mtu = 0;
3127
3128 return ret;
3129 }
3130
3131 int ndisc_stop(Link *link) {
3132 assert(link);
3133
3134 link->ndisc_expire = sd_event_source_disable_unref(link->ndisc_expire);
3135
3136 return sd_ndisc_stop(link->ndisc);
3137 }
3138
3139 void ndisc_flush(Link *link) {
3140 assert(link);
3141
3142 /* Remove all addresses, routes, RDNSS, DNSSL, DNR, and Captive Portal entries, without exception. */
3143 (void) ndisc_drop_outdated(link, /* router = */ NULL, /* timestamp_usec = */ USEC_INFINITY);
3144 (void) ndisc_drop_redirect(link, /* router = */ NULL);
3145
3146 link->ndisc_routers_by_sender = hashmap_free(link->ndisc_routers_by_sender);
3147 link->ndisc_rdnss = set_free(link->ndisc_rdnss);
3148 link->ndisc_dnssl = set_free(link->ndisc_dnssl);
3149 link->ndisc_captive_portals = set_free(link->ndisc_captive_portals);
3150 link->ndisc_pref64 = set_free(link->ndisc_pref64);
3151 link->ndisc_redirects = set_free(link->ndisc_redirects);
3152 link->ndisc_dnr = set_free(link->ndisc_dnr);
3153 link->ndisc_mtu = 0;
3154 }
3155
3156 static const char* const ndisc_start_dhcp6_client_table[_IPV6_ACCEPT_RA_START_DHCP6_CLIENT_MAX] = {
3157 [IPV6_ACCEPT_RA_START_DHCP6_CLIENT_NO] = "no",
3158 [IPV6_ACCEPT_RA_START_DHCP6_CLIENT_ALWAYS] = "always",
3159 [IPV6_ACCEPT_RA_START_DHCP6_CLIENT_YES] = "yes",
3160 };
3161
3162 DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING_WITH_BOOLEAN(ndisc_start_dhcp6_client, IPv6AcceptRAStartDHCP6Client, IPV6_ACCEPT_RA_START_DHCP6_CLIENT_YES);
3163
3164 DEFINE_CONFIG_PARSE_ENUM(config_parse_ndisc_start_dhcp6_client, ndisc_start_dhcp6_client, IPv6AcceptRAStartDHCP6Client);
Unnamed repository; edit this file 'description' to name the repository.