From 0943b3b7a413dc8b05cc41627754c77257f1f8ac Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 17 Sep 2021 20:54:47 +0900 Subject: [PATCH 01/23] network: radv: reorder functions In other files, we usually (but not always) place functions in the following order: - network_adjust_xxx(), which applies default or updates settings specified in .network files, - link_xxx_enabled(), which checks if the functionality is enabled, - xxx_new() and xxx_free(), allocator and deallocator for sections, - functions which apply/update/remove configs - validators of section, - conf parsers. This does not change each function, but just changes the order. --- src/network/networkd-radv.c | 740 ++++++++++++++++++------------------ 1 file changed, 370 insertions(+), 370 deletions(-) diff --git a/src/network/networkd-radv.c b/src/network/networkd-radv.c index c734c4c3b48..6a873d76691 100644 --- a/src/network/networkd-radv.c +++ b/src/network/networkd-radv.c @@ -19,6 +19,44 @@ #include "string-table.h" #include "strv.h" +void network_adjust_radv(Network *network) { + assert(network); + + /* After this function is called, network->router_prefix_delegation can be treated as a boolean. */ + + if (network->dhcp6_pd < 0) + /* For backward compatibility. */ + network->dhcp6_pd = FLAGS_SET(network->router_prefix_delegation, RADV_PREFIX_DELEGATION_DHCP6); + + if (!FLAGS_SET(network->link_local, ADDRESS_FAMILY_IPV6)) { + if (network->router_prefix_delegation != RADV_PREFIX_DELEGATION_NONE) + log_warning("%s: IPv6PrefixDelegation= is enabled but IPv6 link local addressing is disabled. " + "Disabling IPv6PrefixDelegation=.", network->filename); + + network->router_prefix_delegation = RADV_PREFIX_DELEGATION_NONE; + } + + if (network->router_prefix_delegation == RADV_PREFIX_DELEGATION_NONE) { + network->n_router_dns = 0; + network->router_dns = mfree(network->router_dns); + network->router_search_domains = ordered_set_free(network->router_search_domains); + } + + if (!FLAGS_SET(network->router_prefix_delegation, RADV_PREFIX_DELEGATION_STATIC)) { + network->prefixes_by_section = hashmap_free_with_destructor(network->prefixes_by_section, prefix_free); + network->route_prefixes_by_section = hashmap_free_with_destructor(network->route_prefixes_by_section, route_prefix_free); + } +} + +static bool link_radv_enabled(Link *link) { + assert(link); + + if (!link_ipv6ll_enabled(link)) + return false; + + return link->network->router_prefix_delegation; +} + Prefix *prefix_free(Prefix *prefix) { if (!prefix) return NULL; @@ -155,64 +193,6 @@ static int route_prefix_new_static(Network *network, const char *filename, unsig return 0; } -void network_drop_invalid_prefixes(Network *network) { - Prefix *prefix; - - assert(network); - - HASHMAP_FOREACH(prefix, network->prefixes_by_section) - if (section_is_invalid(prefix->section)) - prefix_free(prefix); -} - -void network_drop_invalid_route_prefixes(Network *network) { - RoutePrefix *prefix; - - assert(network); - - HASHMAP_FOREACH(prefix, network->route_prefixes_by_section) - if (section_is_invalid(prefix->section)) - route_prefix_free(prefix); -} - -void network_adjust_radv(Network *network) { - assert(network); - - /* After this function is called, network->router_prefix_delegation can be treated as a boolean. */ - - if (network->dhcp6_pd < 0) - /* For backward compatibility. */ - network->dhcp6_pd = FLAGS_SET(network->router_prefix_delegation, RADV_PREFIX_DELEGATION_DHCP6); - - if (!FLAGS_SET(network->link_local, ADDRESS_FAMILY_IPV6)) { - if (network->router_prefix_delegation != RADV_PREFIX_DELEGATION_NONE) - log_warning("%s: IPv6PrefixDelegation= is enabled but IPv6 link local addressing is disabled. " - "Disabling IPv6PrefixDelegation=.", network->filename); - - network->router_prefix_delegation = RADV_PREFIX_DELEGATION_NONE; - } - - if (network->router_prefix_delegation == RADV_PREFIX_DELEGATION_NONE) { - network->n_router_dns = 0; - network->router_dns = mfree(network->router_dns); - network->router_search_domains = ordered_set_free(network->router_search_domains); - } - - if (!FLAGS_SET(network->router_prefix_delegation, RADV_PREFIX_DELEGATION_STATIC)) { - network->prefixes_by_section = hashmap_free_with_destructor(network->prefixes_by_section, prefix_free); - network->route_prefixes_by_section = hashmap_free_with_destructor(network->route_prefixes_by_section, route_prefix_free); - } -} - -static bool link_radv_enabled(Link *link) { - assert(link); - - if (!link_ipv6ll_enabled(link)) - return false; - - return link->network->router_prefix_delegation; -} - int link_request_radv_addresses(Link *link) { Prefix *p; int r; @@ -252,318 +232,6 @@ int link_request_radv_addresses(Link *link) { return 0; } -int config_parse_prefix( - const char *unit, - const char *filename, - unsigned line, - const char *section, - unsigned section_line, - const char *lvalue, - int ltype, - const char *rvalue, - void *data, - void *userdata) { - - Network *network = userdata; - _cleanup_(prefix_free_or_set_invalidp) Prefix *p = NULL; - uint8_t prefixlen = 64; - union in_addr_union in6addr; - int r; - - assert(filename); - assert(section); - assert(lvalue); - assert(rvalue); - assert(data); - - r = prefix_new_static(network, filename, section_line, &p); - if (r < 0) - return log_oom(); - - r = in_addr_prefix_from_string(rvalue, AF_INET6, &in6addr, &prefixlen); - if (r < 0) { - log_syntax(unit, LOG_WARNING, filename, line, r, "Prefix is invalid, ignoring assignment: %s", rvalue); - return 0; - } - - r = sd_radv_prefix_set_prefix(p->radv_prefix, &in6addr.in6, prefixlen); - if (r < 0) { - log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to set radv prefix, ignoring assignment: %s", rvalue); - return 0; - } - - p = NULL; - - return 0; -} - -int config_parse_prefix_flags( - const char *unit, - const char *filename, - unsigned line, - const char *section, - unsigned section_line, - const char *lvalue, - int ltype, - const char *rvalue, - void *data, - void *userdata) { - - Network *network = userdata; - _cleanup_(prefix_free_or_set_invalidp) Prefix *p = NULL; - int r; - - assert(filename); - assert(section); - assert(lvalue); - assert(rvalue); - assert(data); - - r = prefix_new_static(network, filename, section_line, &p); - if (r < 0) - return log_oom(); - - r = parse_boolean(rvalue); - if (r < 0) { - log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse %s=, ignoring assignment: %s", lvalue, rvalue); - return 0; - } - - if (streq(lvalue, "OnLink")) - r = sd_radv_prefix_set_onlink(p->radv_prefix, r); - else if (streq(lvalue, "AddressAutoconfiguration")) - r = sd_radv_prefix_set_address_autoconfiguration(p->radv_prefix, r); - if (r < 0) { - log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to set %s=, ignoring assignment: %m", lvalue); - return 0; - } - - p = NULL; - - return 0; -} - -int config_parse_prefix_lifetime( - const char *unit, - const char *filename, - unsigned line, - const char *section, - unsigned section_line, - const char *lvalue, - int ltype, - const char *rvalue, - void *data, - void *userdata) { - - Network *network = userdata; - _cleanup_(prefix_free_or_set_invalidp) Prefix *p = NULL; - usec_t usec; - int r; - - assert(filename); - assert(section); - assert(lvalue); - assert(rvalue); - assert(data); - - r = prefix_new_static(network, filename, section_line, &p); - if (r < 0) - return log_oom(); - - r = parse_sec(rvalue, &usec); - if (r < 0) { - log_syntax(unit, LOG_WARNING, filename, line, r, "Lifetime is invalid, ignoring assignment: %s", rvalue); - return 0; - } - - /* a value of 0xffffffff represents infinity */ - if (streq(lvalue, "PreferredLifetimeSec")) - r = sd_radv_prefix_set_preferred_lifetime(p->radv_prefix, - DIV_ROUND_UP(usec, USEC_PER_SEC)); - else if (streq(lvalue, "ValidLifetimeSec")) - r = sd_radv_prefix_set_valid_lifetime(p->radv_prefix, - DIV_ROUND_UP(usec, USEC_PER_SEC)); - if (r < 0) { - log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to set %s=, ignoring assignment: %m", lvalue); - return 0; - } - - p = NULL; - - return 0; -} - -int config_parse_prefix_assign( - const char *unit, - const char *filename, - unsigned line, - const char *section, - unsigned section_line, - const char *lvalue, - int ltype, - const char *rvalue, - void *data, - void *userdata) { - - Network *network = userdata; - _cleanup_(prefix_free_or_set_invalidp) Prefix *p = NULL; - int r; - - assert(filename); - assert(section); - assert(lvalue); - assert(rvalue); - assert(data); - - r = prefix_new_static(network, filename, section_line, &p); - if (r < 0) - return log_oom(); - - r = parse_boolean(rvalue); - if (r < 0) { - log_syntax(unit, LOG_WARNING, filename, line, r, - "Failed to parse %s=, ignoring assignment: %s", - lvalue, rvalue); - return 0; - } - - p->assign = r; - p = NULL; - - return 0; -} - -int config_parse_prefix_metric( - const char *unit, - const char *filename, - unsigned line, - const char *section, - unsigned section_line, - const char *lvalue, - int ltype, - const char *rvalue, - void *data, - void *userdata) { - - Network *network = userdata; - _cleanup_(prefix_free_or_set_invalidp) Prefix *p = NULL; - int r; - - assert(filename); - assert(section); - assert(lvalue); - assert(rvalue); - assert(data); - - r = prefix_new_static(network, filename, section_line, &p); - if (r < 0) - return log_oom(); - - r = safe_atou32(rvalue, &p->route_metric); - if (r < 0) { - log_syntax(unit, LOG_WARNING, filename, line, r, - "Failed to parse %s=, ignoring assignment: %s", - lvalue, rvalue); - return 0; - } - - TAKE_PTR(p); - - return 0; -} - -int config_parse_route_prefix( - const char *unit, - const char *filename, - unsigned line, - const char *section, - unsigned section_line, - const char *lvalue, - int ltype, - const char *rvalue, - void *data, - void *userdata) { - - Network *network = userdata; - _cleanup_(route_prefix_free_or_set_invalidp) RoutePrefix *p = NULL; - uint8_t prefixlen = 64; - union in_addr_union in6addr; - int r; - - assert(filename); - assert(section); - assert(lvalue); - assert(rvalue); - assert(data); - - r = route_prefix_new_static(network, filename, section_line, &p); - if (r < 0) - return log_oom(); - - r = in_addr_prefix_from_string(rvalue, AF_INET6, &in6addr, &prefixlen); - if (r < 0) { - log_syntax(unit, LOG_WARNING, filename, line, r, "Route prefix is invalid, ignoring assignment: %s", rvalue); - return 0; - } - - r = sd_radv_prefix_set_route_prefix(p->radv_route_prefix, &in6addr.in6, prefixlen); - if (r < 0) { - log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to set route prefix, ignoring assignment: %m"); - return 0; - } - - p = NULL; - - return 0; -} - -int config_parse_route_prefix_lifetime( - const char *unit, - const char *filename, - unsigned line, - const char *section, - unsigned section_line, - const char *lvalue, - int ltype, - const char *rvalue, - void *data, - void *userdata) { - - Network *network = userdata; - _cleanup_(route_prefix_free_or_set_invalidp) RoutePrefix *p = NULL; - usec_t usec; - int r; - - assert(filename); - assert(section); - assert(lvalue); - assert(rvalue); - assert(data); - - r = route_prefix_new_static(network, filename, section_line, &p); - if (r < 0) - return log_oom(); - - r = parse_sec(rvalue, &usec); - if (r < 0) { - log_syntax(unit, LOG_WARNING, filename, line, r, - "Route lifetime is invalid, ignoring assignment: %s", rvalue); - return 0; - } - - /* a value of 0xffffffff represents infinity */ - r = sd_radv_route_prefix_set_lifetime(p->radv_route_prefix, DIV_ROUND_UP(usec, USEC_PER_SEC)); - if (r < 0) { - log_syntax(unit, LOG_WARNING, filename, line, r, - "Failed to set route lifetime, ignoring assignment: %m"); - return 0; - } - - p = NULL; - - return 0; -} - static int network_get_ipv6_dns(Network *network, struct in6_addr **ret_addresses, size_t *ret_size) { _cleanup_free_ struct in6_addr *addresses = NULL; size_t n_addresses = 0; @@ -954,6 +622,338 @@ int radv_add_prefix( return 0; } +void network_drop_invalid_prefixes(Network *network) { + Prefix *prefix; + + assert(network); + + HASHMAP_FOREACH(prefix, network->prefixes_by_section) + if (section_is_invalid(prefix->section)) + prefix_free(prefix); +} + +void network_drop_invalid_route_prefixes(Network *network) { + RoutePrefix *prefix; + + assert(network); + + HASHMAP_FOREACH(prefix, network->route_prefixes_by_section) + if (section_is_invalid(prefix->section)) + route_prefix_free(prefix); +} + +int config_parse_prefix( + const char *unit, + const char *filename, + unsigned line, + const char *section, + unsigned section_line, + const char *lvalue, + int ltype, + const char *rvalue, + void *data, + void *userdata) { + + Network *network = userdata; + _cleanup_(prefix_free_or_set_invalidp) Prefix *p = NULL; + uint8_t prefixlen = 64; + union in_addr_union in6addr; + int r; + + assert(filename); + assert(section); + assert(lvalue); + assert(rvalue); + assert(data); + + r = prefix_new_static(network, filename, section_line, &p); + if (r < 0) + return log_oom(); + + r = in_addr_prefix_from_string(rvalue, AF_INET6, &in6addr, &prefixlen); + if (r < 0) { + log_syntax(unit, LOG_WARNING, filename, line, r, "Prefix is invalid, ignoring assignment: %s", rvalue); + return 0; + } + + r = sd_radv_prefix_set_prefix(p->radv_prefix, &in6addr.in6, prefixlen); + if (r < 0) { + log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to set radv prefix, ignoring assignment: %s", rvalue); + return 0; + } + + p = NULL; + + return 0; +} + +int config_parse_prefix_flags( + const char *unit, + const char *filename, + unsigned line, + const char *section, + unsigned section_line, + const char *lvalue, + int ltype, + const char *rvalue, + void *data, + void *userdata) { + + Network *network = userdata; + _cleanup_(prefix_free_or_set_invalidp) Prefix *p = NULL; + int r; + + assert(filename); + assert(section); + assert(lvalue); + assert(rvalue); + assert(data); + + r = prefix_new_static(network, filename, section_line, &p); + if (r < 0) + return log_oom(); + + r = parse_boolean(rvalue); + if (r < 0) { + log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse %s=, ignoring assignment: %s", lvalue, rvalue); + return 0; + } + + if (streq(lvalue, "OnLink")) + r = sd_radv_prefix_set_onlink(p->radv_prefix, r); + else if (streq(lvalue, "AddressAutoconfiguration")) + r = sd_radv_prefix_set_address_autoconfiguration(p->radv_prefix, r); + if (r < 0) { + log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to set %s=, ignoring assignment: %m", lvalue); + return 0; + } + + p = NULL; + + return 0; +} + +int config_parse_prefix_lifetime( + const char *unit, + const char *filename, + unsigned line, + const char *section, + unsigned section_line, + const char *lvalue, + int ltype, + const char *rvalue, + void *data, + void *userdata) { + + Network *network = userdata; + _cleanup_(prefix_free_or_set_invalidp) Prefix *p = NULL; + usec_t usec; + int r; + + assert(filename); + assert(section); + assert(lvalue); + assert(rvalue); + assert(data); + + r = prefix_new_static(network, filename, section_line, &p); + if (r < 0) + return log_oom(); + + r = parse_sec(rvalue, &usec); + if (r < 0) { + log_syntax(unit, LOG_WARNING, filename, line, r, "Lifetime is invalid, ignoring assignment: %s", rvalue); + return 0; + } + + /* a value of 0xffffffff represents infinity */ + if (streq(lvalue, "PreferredLifetimeSec")) + r = sd_radv_prefix_set_preferred_lifetime(p->radv_prefix, + DIV_ROUND_UP(usec, USEC_PER_SEC)); + else if (streq(lvalue, "ValidLifetimeSec")) + r = sd_radv_prefix_set_valid_lifetime(p->radv_prefix, + DIV_ROUND_UP(usec, USEC_PER_SEC)); + if (r < 0) { + log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to set %s=, ignoring assignment: %m", lvalue); + return 0; + } + + p = NULL; + + return 0; +} + +int config_parse_prefix_assign( + const char *unit, + const char *filename, + unsigned line, + const char *section, + unsigned section_line, + const char *lvalue, + int ltype, + const char *rvalue, + void *data, + void *userdata) { + + Network *network = userdata; + _cleanup_(prefix_free_or_set_invalidp) Prefix *p = NULL; + int r; + + assert(filename); + assert(section); + assert(lvalue); + assert(rvalue); + assert(data); + + r = prefix_new_static(network, filename, section_line, &p); + if (r < 0) + return log_oom(); + + r = parse_boolean(rvalue); + if (r < 0) { + log_syntax(unit, LOG_WARNING, filename, line, r, + "Failed to parse %s=, ignoring assignment: %s", + lvalue, rvalue); + return 0; + } + + p->assign = r; + p = NULL; + + return 0; +} + +int config_parse_prefix_metric( + const char *unit, + const char *filename, + unsigned line, + const char *section, + unsigned section_line, + const char *lvalue, + int ltype, + const char *rvalue, + void *data, + void *userdata) { + + Network *network = userdata; + _cleanup_(prefix_free_or_set_invalidp) Prefix *p = NULL; + int r; + + assert(filename); + assert(section); + assert(lvalue); + assert(rvalue); + assert(data); + + r = prefix_new_static(network, filename, section_line, &p); + if (r < 0) + return log_oom(); + + r = safe_atou32(rvalue, &p->route_metric); + if (r < 0) { + log_syntax(unit, LOG_WARNING, filename, line, r, + "Failed to parse %s=, ignoring assignment: %s", + lvalue, rvalue); + return 0; + } + + TAKE_PTR(p); + + return 0; +} + +int config_parse_route_prefix( + const char *unit, + const char *filename, + unsigned line, + const char *section, + unsigned section_line, + const char *lvalue, + int ltype, + const char *rvalue, + void *data, + void *userdata) { + + Network *network = userdata; + _cleanup_(route_prefix_free_or_set_invalidp) RoutePrefix *p = NULL; + uint8_t prefixlen = 64; + union in_addr_union in6addr; + int r; + + assert(filename); + assert(section); + assert(lvalue); + assert(rvalue); + assert(data); + + r = route_prefix_new_static(network, filename, section_line, &p); + if (r < 0) + return log_oom(); + + r = in_addr_prefix_from_string(rvalue, AF_INET6, &in6addr, &prefixlen); + if (r < 0) { + log_syntax(unit, LOG_WARNING, filename, line, r, "Route prefix is invalid, ignoring assignment: %s", rvalue); + return 0; + } + + r = sd_radv_prefix_set_route_prefix(p->radv_route_prefix, &in6addr.in6, prefixlen); + if (r < 0) { + log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to set route prefix, ignoring assignment: %m"); + return 0; + } + + p = NULL; + + return 0; +} + +int config_parse_route_prefix_lifetime( + const char *unit, + const char *filename, + unsigned line, + const char *section, + unsigned section_line, + const char *lvalue, + int ltype, + const char *rvalue, + void *data, + void *userdata) { + + Network *network = userdata; + _cleanup_(route_prefix_free_or_set_invalidp) RoutePrefix *p = NULL; + usec_t usec; + int r; + + assert(filename); + assert(section); + assert(lvalue); + assert(rvalue); + assert(data); + + r = route_prefix_new_static(network, filename, section_line, &p); + if (r < 0) + return log_oom(); + + r = parse_sec(rvalue, &usec); + if (r < 0) { + log_syntax(unit, LOG_WARNING, filename, line, r, + "Route lifetime is invalid, ignoring assignment: %s", rvalue); + return 0; + } + + /* a value of 0xffffffff represents infinity */ + r = sd_radv_route_prefix_set_lifetime(p->radv_route_prefix, DIV_ROUND_UP(usec, USEC_PER_SEC)); + if (r < 0) { + log_syntax(unit, LOG_WARNING, filename, line, r, + "Failed to set route lifetime, ignoring assignment: %m"); + return 0; + } + + p = NULL; + + return 0; +} + int config_parse_radv_dns( const char *unit, const char *filename, From f1cb8933c381652b5c6424c8330d55e0fcf4afba Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 17 Sep 2021 21:11:50 +0900 Subject: [PATCH 02/23] in-addr-util: introduce in6_addr_hash_ops_free --- src/basic/in-addr-util.c | 6 ++++++ src/basic/in-addr-util.h | 1 + 2 files changed, 7 insertions(+) diff --git a/src/basic/in-addr-util.c b/src/basic/in-addr-util.c index 3d392afc082..c262dfe1560 100644 --- a/src/basic/in-addr-util.c +++ b/src/basic/in-addr-util.c @@ -846,3 +846,9 @@ int in6_addr_compare_func(const struct in6_addr *a, const struct in6_addr *b) { } DEFINE_HASH_OPS(in6_addr_hash_ops, struct in6_addr, in6_addr_hash_func, in6_addr_compare_func); +DEFINE_HASH_OPS_WITH_KEY_DESTRUCTOR( + in6_addr_hash_ops_free, + struct in6_addr, + in6_addr_hash_func, + in6_addr_compare_func, + free); diff --git a/src/basic/in-addr-util.h b/src/basic/in-addr-util.h index c74b0d512b4..1d610c10c83 100644 --- a/src/basic/in-addr-util.h +++ b/src/basic/in-addr-util.h @@ -119,6 +119,7 @@ int in6_addr_compare_func(const struct in6_addr *a, const struct in6_addr *b); extern const struct hash_ops in_addr_data_hash_ops; extern const struct hash_ops in6_addr_hash_ops; +extern const struct hash_ops in6_addr_hash_ops_free; #define IPV4_ADDRESS_FMT_STR "%u.%u.%u.%u" #define IPV4_ADDRESS_FMT_VAL(address) \ From 333f7d8920f0c199818eb8f59ff7fccccd063be1 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 17 Sep 2021 21:38:00 +0900 Subject: [PATCH 03/23] in-addr-util: introduce in{4,6}_addr_mask() --- src/basic/in-addr-util.c | 69 +++++++++++++++++++++++----------------- src/basic/in-addr-util.h | 2 ++ 2 files changed, 41 insertions(+), 30 deletions(-) diff --git a/src/basic/in-addr-util.c b/src/basic/in-addr-util.c index c262dfe1560..af3724d9d1f 100644 --- a/src/basic/in-addr-util.c +++ b/src/basic/in-addr-util.c @@ -621,40 +621,49 @@ int in4_addr_default_subnet_mask(const struct in_addr *addr, struct in_addr *mas return 0; } +int in4_addr_mask(struct in_addr *addr, unsigned char prefixlen) { + struct in_addr mask; + + assert(addr); + + if (!in4_addr_prefixlen_to_netmask(&mask, prefixlen)) + return -EINVAL; + + addr->s_addr &= mask.s_addr; + return 0; +} + +int in6_addr_mask(struct in6_addr *addr, unsigned char prefixlen) { + unsigned i; + + for (i = 0; i < 16; i++) { + uint8_t mask; + + if (prefixlen >= 8) { + mask = 0xFF; + prefixlen -= 8; + } else { + mask = 0xFF << (8 - prefixlen); + prefixlen = 0; + } + + addr->s6_addr[i] &= mask; + } + + return 0; +} + int in_addr_mask(int family, union in_addr_union *addr, unsigned char prefixlen) { assert(addr); - if (family == AF_INET) { - struct in_addr mask; - - if (!in4_addr_prefixlen_to_netmask(&mask, prefixlen)) - return -EINVAL; - - addr->in.s_addr &= mask.s_addr; - return 0; + switch (family) { + case AF_INET: + return in4_addr_mask(&addr->in, prefixlen); + case AF_INET6: + return in6_addr_mask(&addr->in6, prefixlen); + default: + return -EAFNOSUPPORT; } - - if (family == AF_INET6) { - unsigned i; - - for (i = 0; i < 16; i++) { - uint8_t mask; - - if (prefixlen >= 8) { - mask = 0xFF; - prefixlen -= 8; - } else { - mask = 0xFF << (8 - prefixlen); - prefixlen = 0; - } - - addr->in6.s6_addr[i] &= mask; - } - - return 0; - } - - return -EAFNOSUPPORT; } int in_addr_prefix_covers(int family, diff --git a/src/basic/in-addr-util.h b/src/basic/in-addr-util.h index 1d610c10c83..50d51297e0b 100644 --- a/src/basic/in-addr-util.h +++ b/src/basic/in-addr-util.h @@ -89,6 +89,8 @@ unsigned char in4_addr_netmask_to_prefixlen(const struct in_addr *addr); struct in_addr* in4_addr_prefixlen_to_netmask(struct in_addr *addr, unsigned char prefixlen); int in4_addr_default_prefixlen(const struct in_addr *addr, unsigned char *prefixlen); int in4_addr_default_subnet_mask(const struct in_addr *addr, struct in_addr *mask); +int in4_addr_mask(struct in_addr *addr, unsigned char prefixlen); +int in6_addr_mask(struct in6_addr *addr, unsigned char prefixlen); int in_addr_mask(int family, union in_addr_union *addr, unsigned char prefixlen); int in_addr_prefix_covers(int family, const union in_addr_union *prefix, unsigned char prefixlen, const union in_addr_union *address); int in_addr_parse_prefixlen(int family, const char *p, unsigned char *ret); From 6df860f3a0e9e1265ee98f06bf276513876d5fc8 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 1 Oct 2021 17:35:04 +0900 Subject: [PATCH 04/23] in-addr-util: do not shift 8 or more for uint8_t MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit See ISO/IEC 9899:TC3 ยง 6.5.7.3. --- src/basic/in-addr-util.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/basic/in-addr-util.c b/src/basic/in-addr-util.c index af3724d9d1f..613a5681319 100644 --- a/src/basic/in-addr-util.c +++ b/src/basic/in-addr-util.c @@ -642,9 +642,12 @@ int in6_addr_mask(struct in6_addr *addr, unsigned char prefixlen) { if (prefixlen >= 8) { mask = 0xFF; prefixlen -= 8; - } else { + } else if (prefixlen > 0) { mask = 0xFF << (8 - prefixlen); prefixlen = 0; + } else { + assert(prefixlen == 0); + mask = 0; } addr->s6_addr[i] &= mask; From e174b43fe4ed1a8f097bea7ca92752c669387e15 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 1 Oct 2021 17:42:31 +0900 Subject: [PATCH 05/23] in-addr-util: introduce in{4,6}_addr_prefix_covers() --- src/basic/in-addr-util.c | 59 ++++++++++++++++++++++++++++++++++------ src/basic/in-addr-util.h | 2 ++ 2 files changed, 53 insertions(+), 8 deletions(-) diff --git a/src/basic/in-addr-util.c b/src/basic/in-addr-util.c index 613a5681319..a43a8319912 100644 --- a/src/basic/in-addr-util.c +++ b/src/basic/in-addr-util.c @@ -669,28 +669,71 @@ int in_addr_mask(int family, union in_addr_union *addr, unsigned char prefixlen) } } -int in_addr_prefix_covers(int family, - const union in_addr_union *prefix, - unsigned char prefixlen, - const union in_addr_union *address) { +int in4_addr_prefix_covers( + const struct in_addr *prefix, + unsigned char prefixlen, + const struct in_addr *address) { - union in_addr_union masked_prefix, masked_address; + struct in_addr masked_prefix, masked_address; int r; assert(prefix); assert(address); masked_prefix = *prefix; - r = in_addr_mask(family, &masked_prefix, prefixlen); + r = in4_addr_mask(&masked_prefix, prefixlen); if (r < 0) return r; masked_address = *address; - r = in_addr_mask(family, &masked_address, prefixlen); + r = in4_addr_mask(&masked_address, prefixlen); if (r < 0) return r; - return in_addr_equal(family, &masked_prefix, &masked_address); + return in4_addr_equal(&masked_prefix, &masked_address); +} + +int in6_addr_prefix_covers( + const struct in6_addr *prefix, + unsigned char prefixlen, + const struct in6_addr *address) { + + struct in6_addr masked_prefix, masked_address; + int r; + + assert(prefix); + assert(address); + + masked_prefix = *prefix; + r = in6_addr_mask(&masked_prefix, prefixlen); + if (r < 0) + return r; + + masked_address = *address; + r = in6_addr_mask(&masked_address, prefixlen); + if (r < 0) + return r; + + return in6_addr_equal(&masked_prefix, &masked_address); +} + +int in_addr_prefix_covers( + int family, + const union in_addr_union *prefix, + unsigned char prefixlen, + const union in_addr_union *address) { + + assert(prefix); + assert(address); + + switch (family) { + case AF_INET: + return in4_addr_prefix_covers(&prefix->in, prefixlen, &address->in); + case AF_INET6: + return in6_addr_prefix_covers(&prefix->in6, prefixlen, &address->in6); + default: + return -EAFNOSUPPORT; + } } int in_addr_parse_prefixlen(int family, const char *p, unsigned char *ret) { diff --git a/src/basic/in-addr-util.h b/src/basic/in-addr-util.h index 50d51297e0b..97715a230cd 100644 --- a/src/basic/in-addr-util.h +++ b/src/basic/in-addr-util.h @@ -92,6 +92,8 @@ int in4_addr_default_subnet_mask(const struct in_addr *addr, struct in_addr *mas int in4_addr_mask(struct in_addr *addr, unsigned char prefixlen); int in6_addr_mask(struct in6_addr *addr, unsigned char prefixlen); int in_addr_mask(int family, union in_addr_union *addr, unsigned char prefixlen); +int in4_addr_prefix_covers(const struct in_addr *prefix, unsigned char prefixlen, const struct in_addr *address); +int in6_addr_prefix_covers(const struct in6_addr *prefix, unsigned char prefixlen, const struct in6_addr *address); int in_addr_prefix_covers(int family, const union in_addr_union *prefix, unsigned char prefixlen, const union in_addr_union *address); int in_addr_parse_prefixlen(int family, const char *p, unsigned char *ret); int in_addr_prefix_from_string(const char *p, int family, union in_addr_union *ret_prefix, unsigned char *ret_prefixlen); From f09a47476077f901b4c787dfaa77a99f3db8d6d7 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 1 Oct 2021 16:44:25 +0900 Subject: [PATCH 06/23] network: move address generation methods to network-address-generation.[ch] --- src/network/meson.build | 2 + src/network/networkd-address-generation.c | 323 ++++++++++++++++++++++ src/network/networkd-address-generation.h | 14 + src/network/networkd-address.c | 26 -- src/network/networkd-address.h | 2 - src/network/networkd-dhcp6.c | 1 + src/network/networkd-ndisc.c | 288 +------------------ src/network/networkd-ndisc.h | 1 - src/network/networkd-network-gperf.gperf | 1 + src/network/networkd-radv.c | 1 + 10 files changed, 343 insertions(+), 316 deletions(-) create mode 100644 src/network/networkd-address-generation.c create mode 100644 src/network/networkd-address-generation.h diff --git a/src/network/meson.build b/src/network/meson.build index 2ea12c8d030..dedfc90f4df 100644 --- a/src/network/meson.build +++ b/src/network/meson.build @@ -51,6 +51,8 @@ sources = files(''' netdev/macsec.h netdev/xfrm.c netdev/xfrm.h + networkd-address-generation.c + networkd-address-generation.h networkd-address-label.c networkd-address-label.h networkd-address-pool.c diff --git a/src/network/networkd-address-generation.c b/src/network/networkd-address-generation.c new file mode 100644 index 00000000000..cb582b21e42 --- /dev/null +++ b/src/network/networkd-address-generation.c @@ -0,0 +1,323 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ + +#include + +#include "sd-id128.h" + +#include "memory-util.h" +#include "networkd-address-generation.h" +#include "networkd-link.h" +#include "networkd-network.h" +#include "string-util.h" + +#define DAD_CONFLICTS_IDGEN_RETRIES_RFC7217 3 + +/* https://tools.ietf.org/html/rfc5453 */ +/* https://www.iana.org/assignments/ipv6-interface-ids/ipv6-interface-ids.xml */ + +#define SUBNET_ROUTER_ANYCAST_ADDRESS_RFC4291 ((struct in6_addr) { .s6_addr = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } }) +#define SUBNET_ROUTER_ANYCAST_PREFIXLEN 8 +#define RESERVED_IPV6_INTERFACE_IDENTIFIERS_ADDRESS_RFC4291 ((struct in6_addr) { .s6_addr = { 0x02, 0x00, 0x5E, 0xFF, 0xFE } }) +#define RESERVED_IPV6_INTERFACE_IDENTIFIERS_PREFIXLEN 5 +#define RESERVED_SUBNET_ANYCAST_ADDRESSES_RFC4291 ((struct in6_addr) { .s6_addr = { 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF } }) +#define RESERVED_SUBNET_ANYCAST_PREFIXLEN 7 + +#define NDISC_APP_ID SD_ID128_MAKE(13,ac,81,a7,d5,3f,49,78,92,79,5d,0c,29,3a,bc,7e) + +typedef enum IPv6TokenAddressGeneration { + IPV6_TOKEN_ADDRESS_GENERATION_NONE, + IPV6_TOKEN_ADDRESS_GENERATION_STATIC, + IPV6_TOKEN_ADDRESS_GENERATION_PREFIXSTABLE, + _IPV6_TOKEN_ADDRESS_GENERATION_MAX, + _IPV6_TOKEN_ADDRESS_GENERATION_INVALID = -EINVAL, +} IPv6TokenAddressGeneration; + +typedef struct IPv6Token { + IPv6TokenAddressGeneration address_generation_type; + + uint8_t dad_counter; + struct in6_addr prefix; +} IPv6Token; + +int generate_ipv6_eui_64_address(const Link *link, struct in6_addr *ret) { + assert(link); + assert(ret); + + if (link->iftype == ARPHRD_INFINIBAND) { + /* see RFC4391 section 8 */ + memcpy(&ret->s6_addr[8], &link->hw_addr.infiniband[12], 8); + ret->s6_addr[8] ^= 1 << 1; + + return 0; + } + + /* see RFC4291 section 2.5.1 */ + ret->s6_addr[8] = link->hw_addr.ether.ether_addr_octet[0]; + ret->s6_addr[8] ^= 1 << 1; + ret->s6_addr[9] = link->hw_addr.ether.ether_addr_octet[1]; + ret->s6_addr[10] = link->hw_addr.ether.ether_addr_octet[2]; + ret->s6_addr[11] = 0xff; + ret->s6_addr[12] = 0xfe; + ret->s6_addr[13] = link->hw_addr.ether.ether_addr_octet[3]; + ret->s6_addr[14] = link->hw_addr.ether.ether_addr_octet[4]; + ret->s6_addr[15] = link->hw_addr.ether.ether_addr_octet[5]; + + return 0; +} + +static bool stable_private_address_is_valid(const struct in6_addr *addr) { + assert(addr); + + /* According to rfc4291, generated address should not be in the following ranges. */ + + if (memcmp(addr, &SUBNET_ROUTER_ANYCAST_ADDRESS_RFC4291, SUBNET_ROUTER_ANYCAST_PREFIXLEN) == 0) + return false; + + if (memcmp(addr, &RESERVED_IPV6_INTERFACE_IDENTIFIERS_ADDRESS_RFC4291, RESERVED_IPV6_INTERFACE_IDENTIFIERS_PREFIXLEN) == 0) + return false; + + if (memcmp(addr, &RESERVED_SUBNET_ANYCAST_ADDRESSES_RFC4291, RESERVED_SUBNET_ANYCAST_PREFIXLEN) == 0) + return false; + + return true; +} + +static int make_stable_private_address(Link *link, const struct in6_addr *prefix, uint8_t prefix_len, uint8_t dad_counter, struct in6_addr **ret) { + _cleanup_free_ struct in6_addr *addr = NULL; + sd_id128_t secret_key; + struct siphash state; + uint64_t rid; + size_t l; + int r; + + /* According to rfc7217 section 5.1 + * RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key) */ + + r = sd_id128_get_machine_app_specific(NDISC_APP_ID, &secret_key); + if (r < 0) + return log_link_warning_errno(link, r, "Failed to generate key for IPv6 stable private address: %m"); + + siphash24_init(&state, secret_key.bytes); + + l = MAX(DIV_ROUND_UP(prefix_len, 8), 8); + siphash24_compress(prefix, l, &state); + siphash24_compress_string(link->ifname, &state); + /* Only last 8 bytes of IB MAC are stable */ + if (link->iftype == ARPHRD_INFINIBAND) + siphash24_compress(&link->hw_addr.infiniband[12], 8, &state); + else + siphash24_compress(link->hw_addr.bytes, link->hw_addr.length, &state); + siphash24_compress(&dad_counter, sizeof(uint8_t), &state); + + rid = htole64(siphash24_finalize(&state)); + + addr = new(struct in6_addr, 1); + if (!addr) + return log_oom(); + + memcpy(addr->s6_addr, prefix->s6_addr, l); + memcpy(addr->s6_addr + l, &rid, 16 - l); + + if (!stable_private_address_is_valid(addr)) { + *ret = NULL; + return 0; + } + + *ret = TAKE_PTR(addr); + return 1; +} + +int ndisc_router_generate_addresses(Link *link, struct in6_addr *address, uint8_t prefixlen, Set **ret) { + _cleanup_set_free_free_ Set *addresses = NULL; + IPv6Token *j; + int r; + + assert(link); + assert(address); + assert(ret); + + addresses = set_new(&in6_addr_hash_ops); + if (!addresses) + return log_oom(); + + ORDERED_SET_FOREACH(j, link->network->ipv6_tokens) { + _cleanup_free_ struct in6_addr *new_address = NULL; + + if (j->address_generation_type == IPV6_TOKEN_ADDRESS_GENERATION_PREFIXSTABLE + && (in6_addr_is_null(&j->prefix) || in6_addr_equal(&j->prefix, address))) { + /* While this loop uses dad_counter and a retry limit as specified in RFC 7217, the loop + * does not actually attempt Duplicate Address Detection; the counter will be incremented + * only when the address generation algorithm produces an invalid address, and the loop + * may exit with an address which ends up being unusable due to duplication on the link. */ + for (; j->dad_counter < DAD_CONFLICTS_IDGEN_RETRIES_RFC7217; j->dad_counter++) { + r = make_stable_private_address(link, address, prefixlen, j->dad_counter, &new_address); + if (r < 0) + return r; + if (r > 0) + break; + } + } else if (j->address_generation_type == IPV6_TOKEN_ADDRESS_GENERATION_STATIC) { + new_address = new(struct in6_addr, 1); + if (!new_address) + return log_oom(); + + memcpy(new_address->s6_addr, address->s6_addr, 8); + memcpy(new_address->s6_addr + 8, j->prefix.s6_addr + 8, 8); + } + + if (new_address) { + r = set_put(addresses, new_address); + if (r < 0) + return log_link_error_errno(link, r, "Failed to store SLAAC address: %m"); + else if (r == 0) + log_link_debug_errno(link, r, "Generated SLAAC address is duplicated, ignoring."); + else + TAKE_PTR(new_address); + } + } + + /* fall back to EUI-64 if no tokens provided addresses */ + if (set_isempty(addresses)) { + _cleanup_free_ struct in6_addr *new_address = NULL; + + new_address = newdup(struct in6_addr, address, 1); + if (!new_address) + return log_oom(); + + r = generate_ipv6_eui_64_address(link, new_address); + if (r < 0) + return log_link_error_errno(link, r, "Failed to generate EUI64 address: %m"); + + r = set_put(addresses, new_address); + if (r < 0) + return log_link_error_errno(link, r, "Failed to store SLAAC address: %m"); + + TAKE_PTR(new_address); + } + + *ret = TAKE_PTR(addresses); + + return 0; +} + +static int ipv6token_new(IPv6Token **ret) { + IPv6Token *p; + + p = new(IPv6Token, 1); + if (!p) + return -ENOMEM; + + *p = (IPv6Token) { + .address_generation_type = IPV6_TOKEN_ADDRESS_GENERATION_NONE, + }; + + *ret = TAKE_PTR(p); + + return 0; +} + +static void ipv6_token_hash_func(const IPv6Token *p, struct siphash *state) { + siphash24_compress(&p->address_generation_type, sizeof(p->address_generation_type), state); + siphash24_compress(&p->prefix, sizeof(p->prefix), state); +} + +static int ipv6_token_compare_func(const IPv6Token *a, const IPv6Token *b) { + int r; + + r = CMP(a->address_generation_type, b->address_generation_type); + if (r != 0) + return r; + + return memcmp(&a->prefix, &b->prefix, sizeof(struct in6_addr)); +} + +DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR( + ipv6_token_hash_ops, + IPv6Token, + ipv6_token_hash_func, + ipv6_token_compare_func, + free); + +int config_parse_address_generation_type( + const char *unit, + const char *filename, + unsigned line, + const char *section, + unsigned section_line, + const char *lvalue, + int ltype, + const char *rvalue, + void *data, + void *userdata) { + + _cleanup_free_ IPv6Token *token = NULL; + union in_addr_union buffer; + Network *network = data; + const char *p; + int r; + + assert(filename); + assert(lvalue); + assert(rvalue); + assert(data); + + if (isempty(rvalue)) { + network->ipv6_tokens = ordered_set_free(network->ipv6_tokens); + return 0; + } + + r = ipv6token_new(&token); + if (r < 0) + return log_oom(); + + if ((p = startswith(rvalue, "prefixstable"))) { + token->address_generation_type = IPV6_TOKEN_ADDRESS_GENERATION_PREFIXSTABLE; + if (*p == ':') + p++; + else if (*p == '\0') + p = NULL; + else { + log_syntax(unit, LOG_WARNING, filename, line, 0, + "Invalid IPv6 token mode in %s=, ignoring assignment: %s", + lvalue, rvalue); + return 0; + } + } else { + token->address_generation_type = IPV6_TOKEN_ADDRESS_GENERATION_STATIC; + p = startswith(rvalue, "static:"); + if (!p) + p = rvalue; + } + + if (p) { + r = in_addr_from_string(AF_INET6, p, &buffer); + if (r < 0) { + log_syntax(unit, LOG_WARNING, filename, line, r, + "Failed to parse IP address in %s=, ignoring assignment: %s", + lvalue, rvalue); + return 0; + } + if (token->address_generation_type == IPV6_TOKEN_ADDRESS_GENERATION_STATIC && + in_addr_is_null(AF_INET6, &buffer)) { + log_syntax(unit, LOG_WARNING, filename, line, 0, + "IPv6 address in %s= cannot be the ANY address, ignoring assignment: %s", + lvalue, rvalue); + return 0; + } + token->prefix = buffer.in6; + } + + r = ordered_set_ensure_put(&network->ipv6_tokens, &ipv6_token_hash_ops, token); + if (r == -ENOMEM) + return log_oom(); + if (r == -EEXIST) + log_syntax(unit, LOG_DEBUG, filename, line, r, + "IPv6 token '%s' is duplicated, ignoring: %m", rvalue); + else if (r < 0) + log_syntax(unit, LOG_WARNING, filename, line, r, + "Failed to store IPv6 token '%s', ignoring: %m", rvalue); + else + TAKE_PTR(token); + + return 0; +} diff --git a/src/network/networkd-address-generation.h b/src/network/networkd-address-generation.h new file mode 100644 index 00000000000..573fc72dc43 --- /dev/null +++ b/src/network/networkd-address-generation.h @@ -0,0 +1,14 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ +#pragma once + +#include "conf-parser.h" +#include "in-addr-util.h" +#include "set.h" + +typedef struct Link Link; + +int generate_ipv6_eui_64_address(const Link *link, struct in6_addr *ret); + +int ndisc_router_generate_addresses(Link *link, struct in6_addr *address, uint8_t prefixlen, Set **ret); + +CONFIG_PARSER_PROTOTYPE(config_parse_address_generation_type); diff --git a/src/network/networkd-address.c b/src/network/networkd-address.c index 002827eb784..33afdb0335d 100644 --- a/src/network/networkd-address.c +++ b/src/network/networkd-address.c @@ -57,32 +57,6 @@ static int address_flags_to_string_alloc(uint32_t flags, int family, char **ret) return 0; } -int generate_ipv6_eui_64_address(const Link *link, struct in6_addr *ret) { - assert(link); - assert(ret); - - if (link->iftype == ARPHRD_INFINIBAND) { - /* see RFC4391 section 8 */ - memcpy(&ret->s6_addr[8], &link->hw_addr.infiniband[12], 8); - ret->s6_addr[8] ^= 1 << 1; - - return 0; - } - - /* see RFC4291 section 2.5.1 */ - ret->s6_addr[8] = link->hw_addr.ether.ether_addr_octet[0]; - ret->s6_addr[8] ^= 1 << 1; - ret->s6_addr[9] = link->hw_addr.ether.ether_addr_octet[1]; - ret->s6_addr[10] = link->hw_addr.ether.ether_addr_octet[2]; - ret->s6_addr[11] = 0xff; - ret->s6_addr[12] = 0xfe; - ret->s6_addr[13] = link->hw_addr.ether.ether_addr_octet[3]; - ret->s6_addr[14] = link->hw_addr.ether.ether_addr_octet[4]; - ret->s6_addr[15] = link->hw_addr.ether.ether_addr_octet[5]; - - return 0; -} - int address_new(Address **ret) { _cleanup_(address_freep) Address *address = NULL; diff --git a/src/network/networkd-address.h b/src/network/networkd-address.h index 0fd3163fc4e..20e957ccafb 100644 --- a/src/network/networkd-address.h +++ b/src/network/networkd-address.h @@ -67,8 +67,6 @@ int address_dup(const Address *src, Address **ret); bool address_is_ready(const Address *a); void address_set_broadcast(Address *a); -int generate_ipv6_eui_64_address(const Link *link, struct in6_addr *ret); - DEFINE_NETWORK_SECTION_FUNCTIONS(Address, address_free); int link_drop_addresses(Link *link); diff --git a/src/network/networkd-dhcp6.c b/src/network/networkd-dhcp6.c index 23a0f5fb53d..9ea253b2ac5 100644 --- a/src/network/networkd-dhcp6.c +++ b/src/network/networkd-dhcp6.c @@ -14,6 +14,7 @@ #include "hostname-util.h" #include "in-addr-prefix-util.h" #include "missing_network.h" +#include "networkd-address-generation.h" #include "networkd-address.h" #include "networkd-dhcp6.h" #include "networkd-link.h" diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c index 6e6d6560339..4bab4137cd7 100644 --- a/src/network/networkd-ndisc.c +++ b/src/network/networkd-ndisc.c @@ -5,12 +5,12 @@ #include #include -#include #include #include "sd-ndisc.h" #include "missing_network.h" +#include "networkd-address-generation.h" #include "networkd-address.h" #include "networkd-dhcp6.h" #include "networkd-manager.h" @@ -25,35 +25,6 @@ #define NDISC_DNSSL_MAX 64U #define NDISC_RDNSS_MAX 64U -#define DAD_CONFLICTS_IDGEN_RETRIES_RFC7217 3 - -/* https://tools.ietf.org/html/rfc5453 */ -/* https://www.iana.org/assignments/ipv6-interface-ids/ipv6-interface-ids.xml */ - -#define SUBNET_ROUTER_ANYCAST_ADDRESS_RFC4291 ((struct in6_addr) { .s6_addr = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } }) -#define SUBNET_ROUTER_ANYCAST_PREFIXLEN 8 -#define RESERVED_IPV6_INTERFACE_IDENTIFIERS_ADDRESS_RFC4291 ((struct in6_addr) { .s6_addr = { 0x02, 0x00, 0x5E, 0xFF, 0xFE } }) -#define RESERVED_IPV6_INTERFACE_IDENTIFIERS_PREFIXLEN 5 -#define RESERVED_SUBNET_ANYCAST_ADDRESSES_RFC4291 ((struct in6_addr) { .s6_addr = { 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF } }) -#define RESERVED_SUBNET_ANYCAST_PREFIXLEN 7 - -#define NDISC_APP_ID SD_ID128_MAKE(13,ac,81,a7,d5,3f,49,78,92,79,5d,0c,29,3a,bc,7e) - -typedef enum IPv6TokenAddressGeneration { - IPV6_TOKEN_ADDRESS_GENERATION_NONE, - IPV6_TOKEN_ADDRESS_GENERATION_STATIC, - IPV6_TOKEN_ADDRESS_GENERATION_PREFIXSTABLE, - _IPV6_TOKEN_ADDRESS_GENERATION_MAX, - _IPV6_TOKEN_ADDRESS_GENERATION_INVALID = -EINVAL, -} IPv6TokenAddressGeneration; - -typedef struct IPv6Token { - IPv6TokenAddressGeneration address_generation_type; - - uint8_t dad_counter; - struct in6_addr prefix; -} IPv6Token; - bool link_ipv6_accept_ra_enabled(Link *link) { assert(link); @@ -408,141 +379,6 @@ static int ndisc_router_process_default(Link *link, sd_ndisc_router *rt) { return 0; } -static bool stable_private_address_is_valid(const struct in6_addr *addr) { - assert(addr); - - /* According to rfc4291, generated address should not be in the following ranges. */ - - if (memcmp(addr, &SUBNET_ROUTER_ANYCAST_ADDRESS_RFC4291, SUBNET_ROUTER_ANYCAST_PREFIXLEN) == 0) - return false; - - if (memcmp(addr, &RESERVED_IPV6_INTERFACE_IDENTIFIERS_ADDRESS_RFC4291, RESERVED_IPV6_INTERFACE_IDENTIFIERS_PREFIXLEN) == 0) - return false; - - if (memcmp(addr, &RESERVED_SUBNET_ANYCAST_ADDRESSES_RFC4291, RESERVED_SUBNET_ANYCAST_PREFIXLEN) == 0) - return false; - - return true; -} - -static int make_stable_private_address(Link *link, const struct in6_addr *prefix, uint8_t prefix_len, uint8_t dad_counter, struct in6_addr **ret) { - _cleanup_free_ struct in6_addr *addr = NULL; - sd_id128_t secret_key; - struct siphash state; - uint64_t rid; - size_t l; - int r; - - /* According to rfc7217 section 5.1 - * RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key) */ - - r = sd_id128_get_machine_app_specific(NDISC_APP_ID, &secret_key); - if (r < 0) - return log_link_warning_errno(link, r, "Failed to generate key for IPv6 stable private address: %m"); - - siphash24_init(&state, secret_key.bytes); - - l = MAX(DIV_ROUND_UP(prefix_len, 8), 8); - siphash24_compress(prefix, l, &state); - siphash24_compress_string(link->ifname, &state); - /* Only last 8 bytes of IB MAC are stable */ - if (link->iftype == ARPHRD_INFINIBAND) - siphash24_compress(&link->hw_addr.infiniband[12], 8, &state); - else - siphash24_compress(link->hw_addr.bytes, link->hw_addr.length, &state); - siphash24_compress(&dad_counter, sizeof(uint8_t), &state); - - rid = htole64(siphash24_finalize(&state)); - - addr = new(struct in6_addr, 1); - if (!addr) - return log_oom(); - - memcpy(addr->s6_addr, prefix->s6_addr, l); - memcpy(addr->s6_addr + l, &rid, 16 - l); - - if (!stable_private_address_is_valid(addr)) { - *ret = NULL; - return 0; - } - - *ret = TAKE_PTR(addr); - return 1; -} - -static int ndisc_router_generate_addresses(Link *link, struct in6_addr *address, uint8_t prefixlen, Set **ret) { - _cleanup_set_free_free_ Set *addresses = NULL; - IPv6Token *j; - int r; - - assert(link); - assert(address); - assert(ret); - - addresses = set_new(&in6_addr_hash_ops); - if (!addresses) - return log_oom(); - - ORDERED_SET_FOREACH(j, link->network->ipv6_tokens) { - _cleanup_free_ struct in6_addr *new_address = NULL; - - if (j->address_generation_type == IPV6_TOKEN_ADDRESS_GENERATION_PREFIXSTABLE - && (in6_addr_is_null(&j->prefix) || in6_addr_equal(&j->prefix, address))) { - /* While this loop uses dad_counter and a retry limit as specified in RFC 7217, the loop - * does not actually attempt Duplicate Address Detection; the counter will be incremented - * only when the address generation algorithm produces an invalid address, and the loop - * may exit with an address which ends up being unusable due to duplication on the link. */ - for (; j->dad_counter < DAD_CONFLICTS_IDGEN_RETRIES_RFC7217; j->dad_counter++) { - r = make_stable_private_address(link, address, prefixlen, j->dad_counter, &new_address); - if (r < 0) - return r; - if (r > 0) - break; - } - } else if (j->address_generation_type == IPV6_TOKEN_ADDRESS_GENERATION_STATIC) { - new_address = new(struct in6_addr, 1); - if (!new_address) - return log_oom(); - - memcpy(new_address->s6_addr, address->s6_addr, 8); - memcpy(new_address->s6_addr + 8, j->prefix.s6_addr + 8, 8); - } - - if (new_address) { - r = set_put(addresses, new_address); - if (r < 0) - return log_link_error_errno(link, r, "Failed to store SLAAC address: %m"); - else if (r == 0) - log_link_debug_errno(link, r, "Generated SLAAC address is duplicated, ignoring."); - else - TAKE_PTR(new_address); - } - } - - /* fall back to EUI-64 if no tokens provided addresses */ - if (set_isempty(addresses)) { - _cleanup_free_ struct in6_addr *new_address = NULL; - - new_address = newdup(struct in6_addr, address, 1); - if (!new_address) - return log_oom(); - - r = generate_ipv6_eui_64_address(link, new_address); - if (r < 0) - return log_link_error_errno(link, r, "Failed to generate EUI64 address: %m"); - - r = set_put(addresses, new_address); - if (r < 0) - return log_link_error_errno(link, r, "Failed to store SLAAC address: %m"); - - TAKE_PTR(new_address); - } - - *ret = TAKE_PTR(addresses); - - return 0; -} - static int ndisc_router_process_autonomous_prefix(Link *link, sd_ndisc_router *rt) { uint32_t lifetime_valid, lifetime_preferred; _cleanup_set_free_free_ Set *addresses = NULL; @@ -1214,128 +1050,6 @@ void ndisc_flush(Link *link) { link->ndisc_dnssl = set_free(link->ndisc_dnssl); } -static int ipv6token_new(IPv6Token **ret) { - IPv6Token *p; - - p = new(IPv6Token, 1); - if (!p) - return -ENOMEM; - - *p = (IPv6Token) { - .address_generation_type = IPV6_TOKEN_ADDRESS_GENERATION_NONE, - }; - - *ret = TAKE_PTR(p); - - return 0; -} - -static void ipv6_token_hash_func(const IPv6Token *p, struct siphash *state) { - siphash24_compress(&p->address_generation_type, sizeof(p->address_generation_type), state); - siphash24_compress(&p->prefix, sizeof(p->prefix), state); -} - -static int ipv6_token_compare_func(const IPv6Token *a, const IPv6Token *b) { - int r; - - r = CMP(a->address_generation_type, b->address_generation_type); - if (r != 0) - return r; - - return memcmp(&a->prefix, &b->prefix, sizeof(struct in6_addr)); -} - -DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR( - ipv6_token_hash_ops, - IPv6Token, - ipv6_token_hash_func, - ipv6_token_compare_func, - free); - -int config_parse_address_generation_type( - const char *unit, - const char *filename, - unsigned line, - const char *section, - unsigned section_line, - const char *lvalue, - int ltype, - const char *rvalue, - void *data, - void *userdata) { - - _cleanup_free_ IPv6Token *token = NULL; - union in_addr_union buffer; - Network *network = data; - const char *p; - int r; - - assert(filename); - assert(lvalue); - assert(rvalue); - assert(data); - - if (isempty(rvalue)) { - network->ipv6_tokens = ordered_set_free(network->ipv6_tokens); - return 0; - } - - r = ipv6token_new(&token); - if (r < 0) - return log_oom(); - - if ((p = startswith(rvalue, "prefixstable"))) { - token->address_generation_type = IPV6_TOKEN_ADDRESS_GENERATION_PREFIXSTABLE; - if (*p == ':') - p++; - else if (*p == '\0') - p = NULL; - else { - log_syntax(unit, LOG_WARNING, filename, line, 0, - "Invalid IPv6 token mode in %s=, ignoring assignment: %s", - lvalue, rvalue); - return 0; - } - } else { - token->address_generation_type = IPV6_TOKEN_ADDRESS_GENERATION_STATIC; - p = startswith(rvalue, "static:"); - if (!p) - p = rvalue; - } - - if (p) { - r = in_addr_from_string(AF_INET6, p, &buffer); - if (r < 0) { - log_syntax(unit, LOG_WARNING, filename, line, r, - "Failed to parse IP address in %s=, ignoring assignment: %s", - lvalue, rvalue); - return 0; - } - if (token->address_generation_type == IPV6_TOKEN_ADDRESS_GENERATION_STATIC && - in_addr_is_null(AF_INET6, &buffer)) { - log_syntax(unit, LOG_WARNING, filename, line, 0, - "IPv6 address in %s= cannot be the ANY address, ignoring assignment: %s", - lvalue, rvalue); - return 0; - } - token->prefix = buffer.in6; - } - - r = ordered_set_ensure_put(&network->ipv6_tokens, &ipv6_token_hash_ops, token); - if (r == -ENOMEM) - return log_oom(); - if (r == -EEXIST) - log_syntax(unit, LOG_DEBUG, filename, line, r, - "IPv6 token '%s' is duplicated, ignoring: %m", rvalue); - else if (r < 0) - log_syntax(unit, LOG_WARNING, filename, line, r, - "Failed to store IPv6 token '%s', ignoring: %m", rvalue); - else - TAKE_PTR(token); - - return 0; -} - static const char* const ipv6_accept_ra_start_dhcp6_client_table[_IPV6_ACCEPT_RA_START_DHCP6_CLIENT_MAX] = { [IPV6_ACCEPT_RA_START_DHCP6_CLIENT_NO] = "no", [IPV6_ACCEPT_RA_START_DHCP6_CLIENT_ALWAYS] = "always", diff --git a/src/network/networkd-ndisc.h b/src/network/networkd-ndisc.h index 514089c2259..ed50ebbf9a7 100644 --- a/src/network/networkd-ndisc.h +++ b/src/network/networkd-ndisc.h @@ -44,6 +44,5 @@ int ndisc_start(Link *link); void ndisc_vacuum(Link *link); void ndisc_flush(Link *link); -CONFIG_PARSER_PROTOTYPE(config_parse_address_generation_type); CONFIG_PARSER_PROTOTYPE(config_parse_ipv6_accept_ra_start_dhcp6_client); CONFIG_PARSER_PROTOTYPE(config_parse_ipv6_accept_ra_use_domains); diff --git a/src/network/networkd-network-gperf.gperf b/src/network/networkd-network-gperf.gperf index 29bb5b3b739..6794ac40dba 100644 --- a/src/network/networkd-network-gperf.gperf +++ b/src/network/networkd-network-gperf.gperf @@ -8,6 +8,7 @@ _Pragma("GCC diagnostic ignored \"-Wimplicit-fallthrough\"") #include "in-addr-prefix-util.h" #include "netem.h" #include "net-condition.h" +#include "networkd-address-generation.h" #include "networkd-address-label.h" #include "networkd-address.h" #include "networkd-bridge-fdb.h" diff --git a/src/network/networkd-radv.c b/src/network/networkd-radv.c index 6a873d76691..82b8e8bf3bb 100644 --- a/src/network/networkd-radv.c +++ b/src/network/networkd-radv.c @@ -7,6 +7,7 @@ #include #include "dns-domain.h" +#include "networkd-address-generation.h" #include "networkd-address.h" #include "networkd-link.h" #include "networkd-manager.h" From 397c5418f048ce8ba17a75bae9d746825453c1f6 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 1 Oct 2021 17:18:30 +0900 Subject: [PATCH 07/23] network: fix prefixlen for reserved subnet anycast address Then, the prefixlen is not a multiplier of 8, we need to use in6_addr_prefix_covers(). This also constify the reserved addresses, and rename macros. --- src/network/networkd-address-generation.c | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/src/network/networkd-address-generation.c b/src/network/networkd-address-generation.c index cb582b21e42..55ee8931d06 100644 --- a/src/network/networkd-address-generation.c +++ b/src/network/networkd-address-generation.c @@ -12,15 +12,13 @@ #define DAD_CONFLICTS_IDGEN_RETRIES_RFC7217 3 -/* https://tools.ietf.org/html/rfc5453 */ /* https://www.iana.org/assignments/ipv6-interface-ids/ipv6-interface-ids.xml */ - -#define SUBNET_ROUTER_ANYCAST_ADDRESS_RFC4291 ((struct in6_addr) { .s6_addr = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } }) -#define SUBNET_ROUTER_ANYCAST_PREFIXLEN 8 -#define RESERVED_IPV6_INTERFACE_IDENTIFIERS_ADDRESS_RFC4291 ((struct in6_addr) { .s6_addr = { 0x02, 0x00, 0x5E, 0xFF, 0xFE } }) -#define RESERVED_IPV6_INTERFACE_IDENTIFIERS_PREFIXLEN 5 -#define RESERVED_SUBNET_ANYCAST_ADDRESSES_RFC4291 ((struct in6_addr) { .s6_addr = { 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF } }) -#define RESERVED_SUBNET_ANYCAST_PREFIXLEN 7 +#define SUBNET_ROUTER_ANYCAST_ADDRESS ((const struct in6_addr) { .s6_addr = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } }) +#define SUBNET_ROUTER_ANYCAST_PREFIXLEN 64 +#define RESERVED_INTERFACE_IDENTIFIERS_ADDRESS ((const struct in6_addr) { .s6_addr = { 0x02, 0x00, 0x5E, 0xFF, 0xFE } }) +#define RESERVED_INTERFACE_IDENTIFIERS_PREFIXLEN 40 +#define RESERVED_SUBNET_ANYCAST_ADDRESSES ((const struct in6_addr) { .s6_addr = { 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80 } }) +#define RESERVED_SUBNET_ANYCAST_PREFIXLEN 57 #define NDISC_APP_ID SD_ID128_MAKE(13,ac,81,a7,d5,3f,49,78,92,79,5d,0c,29,3a,bc,7e) @@ -70,13 +68,13 @@ static bool stable_private_address_is_valid(const struct in6_addr *addr) { /* According to rfc4291, generated address should not be in the following ranges. */ - if (memcmp(addr, &SUBNET_ROUTER_ANYCAST_ADDRESS_RFC4291, SUBNET_ROUTER_ANYCAST_PREFIXLEN) == 0) + if (in6_addr_prefix_covers(&SUBNET_ROUTER_ANYCAST_ADDRESS, SUBNET_ROUTER_ANYCAST_PREFIXLEN, addr)) return false; - if (memcmp(addr, &RESERVED_IPV6_INTERFACE_IDENTIFIERS_ADDRESS_RFC4291, RESERVED_IPV6_INTERFACE_IDENTIFIERS_PREFIXLEN) == 0) + if (in6_addr_prefix_covers(&RESERVED_INTERFACE_IDENTIFIERS_ADDRESS, RESERVED_INTERFACE_IDENTIFIERS_PREFIXLEN, addr)) return false; - if (memcmp(addr, &RESERVED_SUBNET_ANYCAST_ADDRESSES_RFC4291, RESERVED_SUBNET_ANYCAST_PREFIXLEN) == 0) + if (in6_addr_prefix_covers(&RESERVED_SUBNET_ANYCAST_ADDRESSES, RESERVED_SUBNET_ANYCAST_PREFIXLEN, addr)) return false; return true; From 00f1261d397f3147b65898526318fc3ca16dc9e6 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 1 Oct 2021 17:58:38 +0900 Subject: [PATCH 08/23] network: make generate_ipv6_eui_64_address() take prefix Also, rename the function. --- src/network/networkd-address-generation.c | 47 ++++++++++------------- src/network/networkd-address-generation.h | 2 +- src/network/networkd-dhcp6.c | 12 ++---- src/network/networkd-radv.c | 15 ++++---- 4 files changed, 34 insertions(+), 42 deletions(-) diff --git a/src/network/networkd-address-generation.c b/src/network/networkd-address-generation.c index 55ee8931d06..191a89dfd93 100644 --- a/src/network/networkd-address-generation.c +++ b/src/network/networkd-address-generation.c @@ -37,30 +37,29 @@ typedef struct IPv6Token { struct in6_addr prefix; } IPv6Token; -int generate_ipv6_eui_64_address(const Link *link, struct in6_addr *ret) { +void generate_eui64_address(const Link *link, const struct in6_addr *prefix, struct in6_addr *ret) { assert(link); + assert(prefix); assert(ret); - if (link->iftype == ARPHRD_INFINIBAND) { - /* see RFC4391 section 8 */ - memcpy(&ret->s6_addr[8], &link->hw_addr.infiniband[12], 8); - ret->s6_addr[8] ^= 1 << 1; + memcpy(ret->s6_addr, prefix, 8); - return 0; + if (link->iftype == ARPHRD_INFINIBAND) + /* Use last 8 byte. See RFC4391 section 8 */ + memcpy(&ret->s6_addr[8], &link->hw_addr.infiniband[INFINIBAND_ALEN - 8], 8); + else { + /* see RFC4291 section 2.5.1 */ + ret->s6_addr[8] = link->hw_addr.ether.ether_addr_octet[0]; + ret->s6_addr[9] = link->hw_addr.ether.ether_addr_octet[1]; + ret->s6_addr[10] = link->hw_addr.ether.ether_addr_octet[2]; + ret->s6_addr[11] = 0xff; + ret->s6_addr[12] = 0xfe; + ret->s6_addr[13] = link->hw_addr.ether.ether_addr_octet[3]; + ret->s6_addr[14] = link->hw_addr.ether.ether_addr_octet[4]; + ret->s6_addr[15] = link->hw_addr.ether.ether_addr_octet[5]; } - /* see RFC4291 section 2.5.1 */ - ret->s6_addr[8] = link->hw_addr.ether.ether_addr_octet[0]; ret->s6_addr[8] ^= 1 << 1; - ret->s6_addr[9] = link->hw_addr.ether.ether_addr_octet[1]; - ret->s6_addr[10] = link->hw_addr.ether.ether_addr_octet[2]; - ret->s6_addr[11] = 0xff; - ret->s6_addr[12] = 0xfe; - ret->s6_addr[13] = link->hw_addr.ether.ether_addr_octet[3]; - ret->s6_addr[14] = link->hw_addr.ether.ether_addr_octet[4]; - ret->s6_addr[15] = link->hw_addr.ether.ether_addr_octet[5]; - - return 0; } static bool stable_private_address_is_valid(const struct in6_addr *addr) { @@ -176,21 +175,17 @@ int ndisc_router_generate_addresses(Link *link, struct in6_addr *address, uint8_ /* fall back to EUI-64 if no tokens provided addresses */ if (set_isempty(addresses)) { - _cleanup_free_ struct in6_addr *new_address = NULL; + struct in6_addr *addr; - new_address = newdup(struct in6_addr, address, 1); - if (!new_address) + addr = new(struct in6_addr, 1); + if (!addr) return log_oom(); - r = generate_ipv6_eui_64_address(link, new_address); - if (r < 0) - return log_link_error_errno(link, r, "Failed to generate EUI64 address: %m"); + generate_eui64_address(link, address, addr); - r = set_put(addresses, new_address); + r = set_consume(addresses, addr); if (r < 0) return log_link_error_errno(link, r, "Failed to store SLAAC address: %m"); - - TAKE_PTR(new_address); } *ret = TAKE_PTR(addresses); diff --git a/src/network/networkd-address-generation.h b/src/network/networkd-address-generation.h index 573fc72dc43..5f67019d95a 100644 --- a/src/network/networkd-address-generation.h +++ b/src/network/networkd-address-generation.h @@ -7,7 +7,7 @@ typedef struct Link Link; -int generate_ipv6_eui_64_address(const Link *link, struct in6_addr *ret); +void generate_eui64_address(const Link *link, const struct in6_addr *prefix, struct in6_addr *ret); int ndisc_router_generate_addresses(Link *link, struct in6_addr *address, uint8_t prefixlen, Set **ret); diff --git a/src/network/networkd-dhcp6.c b/src/network/networkd-dhcp6.c index 9ea253b2ac5..c6911e14a05 100644 --- a/src/network/networkd-dhcp6.c +++ b/src/network/networkd-dhcp6.c @@ -377,15 +377,11 @@ static int dhcp6_pd_request_address( if (r < 0) return log_link_error_errno(link, r, "Failed to allocate address for DHCPv6 delegated prefix: %m"); - address->in_addr.in6 = *prefix; - - if (in6_addr_is_set(&link->network->dhcp6_pd_token)) + if (in6_addr_is_set(&link->network->dhcp6_pd_token)) { + memcpy(address->in_addr.in6.s6_addr, prefix->s6_addr, 8); memcpy(address->in_addr.in6.s6_addr + 8, link->network->dhcp6_pd_token.s6_addr + 8, 8); - else { - r = generate_ipv6_eui_64_address(link, &address->in_addr.in6); - if (r < 0) - return log_link_warning_errno(link, r, "Failed to generate EUI64 address for acquired DHCPv6 delegated prefix: %m"); - } + } else + generate_eui64_address(link, prefix, &address->in_addr.in6); address->source = NETWORK_CONFIG_SOURCE_DHCP6PD; address->prefixlen = 64; diff --git a/src/network/networkd-radv.c b/src/network/networkd-radv.c index 82b8e8bf3bb..dabd91c0f9a 100644 --- a/src/network/networkd-radv.c +++ b/src/network/networkd-radv.c @@ -205,24 +205,25 @@ int link_request_radv_addresses(Link *link) { HASHMAP_FOREACH(p, link->network->prefixes_by_section) { _cleanup_(address_freep) Address *address = NULL; + struct in6_addr prefix; + uint8_t prefixlen; if (!p->assign) continue; + r = sd_radv_prefix_get_prefix(p->radv_prefix, &prefix, &prefixlen); + if (r < 0) + return r; + r = address_new(&address); if (r < 0) return log_oom(); - r = sd_radv_prefix_get_prefix(p->radv_prefix, &address->in_addr.in6, &address->prefixlen); - if (r < 0) - return r; - - r = generate_ipv6_eui_64_address(link, &address->in_addr.in6); - if (r < 0) - return r; + generate_eui64_address(link, &prefix, &address->in_addr.in6); address->source = NETWORK_CONFIG_SOURCE_STATIC; address->family = AF_INET6; + address->prefixlen = prefixlen; address->route_metric = p->route_metric; r = link_request_static_address(link, TAKE_PTR(address), true); From fcd7ad52d7ea361ed6b40191328676ee345105f6 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 1 Oct 2021 17:59:56 +0900 Subject: [PATCH 09/23] network: radv: ignore Assign= if prefixlen is larger than 64 --- src/network/networkd-radv.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/network/networkd-radv.c b/src/network/networkd-radv.c index dabd91c0f9a..b9ba0ff9baa 100644 --- a/src/network/networkd-radv.c +++ b/src/network/networkd-radv.c @@ -215,6 +215,17 @@ int link_request_radv_addresses(Link *link) { if (r < 0) return r; + /* generate_eui64_address() below requires the prefix length <= 64. */ + if (prefixlen > 64) { + _cleanup_free_ char *str = NULL; + + (void) in6_addr_prefix_to_string(&prefix, prefixlen, &str); + log_link_debug(link, + "Prefix is longer than 64, refusing to assign an address in %s.", + strna(str)); + continue; + } + r = address_new(&address); if (r < 0) return log_oom(); From 151b8ea3048118b7ee3dc6d815d03d3828c8bd39 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 1 Oct 2021 20:37:56 +0900 Subject: [PATCH 10/23] network: ndisc: ignore autonomous prefix with prefix length larger than 64 --- src/network/networkd-ndisc.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c index 4bab4137cd7..95a8ad1e14a 100644 --- a/src/network/networkd-ndisc.c +++ b/src/network/networkd-ndisc.c @@ -382,7 +382,7 @@ static int ndisc_router_process_default(Link *link, sd_ndisc_router *rt) { static int ndisc_router_process_autonomous_prefix(Link *link, sd_ndisc_router *rt) { uint32_t lifetime_valid, lifetime_preferred; _cleanup_set_free_free_ Set *addresses = NULL; - struct in6_addr addr, *a; + struct in6_addr prefix, *a; unsigned prefixlen; usec_t time_now; int r; @@ -396,10 +396,23 @@ static int ndisc_router_process_autonomous_prefix(Link *link, sd_ndisc_router *r if (r < 0) return log_link_error_errno(link, r, "Failed to get RA timestamp: %m"); + r = sd_ndisc_router_prefix_get_address(rt, &prefix); + if (r < 0) + return log_link_error_errno(link, r, "Failed to get prefix address: %m"); + r = sd_ndisc_router_prefix_get_prefixlen(rt, &prefixlen); if (r < 0) return log_link_error_errno(link, r, "Failed to get prefix length: %m"); + /* ndisc_router_generate_addresses() below requires the prefix length <= 64. */ + if (prefixlen > 64) { + _cleanup_free_ char *buf = NULL; + + (void) in6_addr_prefix_to_string(&prefix, prefixlen, &buf); + log_link_debug(link, "Prefix is longer than 64, ignoring autonomous prefix %s.", strna(buf)); + return 0; + } + r = sd_ndisc_router_prefix_get_valid_lifetime(rt, &lifetime_valid); if (r < 0) return log_link_error_errno(link, r, "Failed to get prefix valid lifetime: %m"); @@ -417,11 +430,7 @@ static int ndisc_router_process_autonomous_prefix(Link *link, sd_ndisc_router *r if (lifetime_preferred > lifetime_valid) return 0; - r = sd_ndisc_router_prefix_get_address(rt, &addr); - if (r < 0) - return log_link_error_errno(link, r, "Failed to get prefix address: %m"); - - r = ndisc_router_generate_addresses(link, &addr, prefixlen, &addresses); + r = ndisc_router_generate_addresses(link, &prefix, prefixlen, &addresses); if (r < 0) return r; From ac77e0b3158795289fb6508d4331248c35f0f085 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 1 Oct 2021 21:03:05 +0900 Subject: [PATCH 11/23] network: address-generation: always use the first 64 bits of the prefix Hopefully, the prefix length is usually 64. Previously, if the prefix length is smaller than 64, the result address was undefined. --- src/network/networkd-address-generation.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/src/network/networkd-address-generation.c b/src/network/networkd-address-generation.c index 191a89dfd93..a4f53436e31 100644 --- a/src/network/networkd-address-generation.c +++ b/src/network/networkd-address-generation.c @@ -79,12 +79,11 @@ static bool stable_private_address_is_valid(const struct in6_addr *addr) { return true; } -static int make_stable_private_address(Link *link, const struct in6_addr *prefix, uint8_t prefix_len, uint8_t dad_counter, struct in6_addr **ret) { +static int make_stable_private_address(Link *link, const struct in6_addr *prefix, uint8_t dad_counter, struct in6_addr **ret) { _cleanup_free_ struct in6_addr *addr = NULL; sd_id128_t secret_key; struct siphash state; uint64_t rid; - size_t l; int r; /* According to rfc7217 section 5.1 @@ -96,8 +95,7 @@ static int make_stable_private_address(Link *link, const struct in6_addr *prefix siphash24_init(&state, secret_key.bytes); - l = MAX(DIV_ROUND_UP(prefix_len, 8), 8); - siphash24_compress(prefix, l, &state); + siphash24_compress(prefix, 8, &state); siphash24_compress_string(link->ifname, &state); /* Only last 8 bytes of IB MAC are stable */ if (link->iftype == ARPHRD_INFINIBAND) @@ -112,8 +110,8 @@ static int make_stable_private_address(Link *link, const struct in6_addr *prefix if (!addr) return log_oom(); - memcpy(addr->s6_addr, prefix->s6_addr, l); - memcpy(addr->s6_addr + l, &rid, 16 - l); + memcpy(addr->s6_addr, prefix->s6_addr, 8); + memcpy(addr->s6_addr + 8, &rid, 8); if (!stable_private_address_is_valid(addr)) { *ret = NULL; @@ -147,7 +145,7 @@ int ndisc_router_generate_addresses(Link *link, struct in6_addr *address, uint8_ * only when the address generation algorithm produces an invalid address, and the loop * may exit with an address which ends up being unusable due to duplication on the link. */ for (; j->dad_counter < DAD_CONFLICTS_IDGEN_RETRIES_RFC7217; j->dad_counter++) { - r = make_stable_private_address(link, address, prefixlen, j->dad_counter, &new_address); + r = make_stable_private_address(link, address, j->dad_counter, &new_address); if (r < 0) return r; if (r > 0) From 98692ff3b8a1f03309c34ed7eaff739ebb174dc3 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 1 Oct 2021 20:57:59 +0900 Subject: [PATCH 12/23] network: address-generation: always start DAD counter from zero The token is stored in Network, and the .network file may be applied to multiple links. --- src/network/networkd-address-generation.c | 97 +++++++++++++++-------- 1 file changed, 62 insertions(+), 35 deletions(-) diff --git a/src/network/networkd-address-generation.c b/src/network/networkd-address-generation.c index a4f53436e31..b0c9a95a01e 100644 --- a/src/network/networkd-address-generation.c +++ b/src/network/networkd-address-generation.c @@ -32,8 +32,6 @@ typedef enum IPv6TokenAddressGeneration { typedef struct IPv6Token { IPv6TokenAddressGeneration address_generation_type; - - uint8_t dad_counter; struct in6_addr prefix; } IPv6Token; @@ -79,47 +77,78 @@ static bool stable_private_address_is_valid(const struct in6_addr *addr) { return true; } -static int make_stable_private_address(Link *link, const struct in6_addr *prefix, uint8_t dad_counter, struct in6_addr **ret) { - _cleanup_free_ struct in6_addr *addr = NULL; - sd_id128_t secret_key; +static void generate_stable_private_address_one( + Link *link, + const sd_id128_t *secret_key, + const struct in6_addr *prefix, + uint8_t dad_counter, + struct in6_addr *ret) { + struct siphash state; uint64_t rid; - int r; - /* According to rfc7217 section 5.1 + assert(link); + assert(secret_key); + assert(prefix); + assert(ret); + + /* According to RFC7217 section 5.1 * RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key) */ - r = sd_id128_get_machine_app_specific(NDISC_APP_ID, &secret_key); - if (r < 0) - return log_link_warning_errno(link, r, "Failed to generate key for IPv6 stable private address: %m"); - - siphash24_init(&state, secret_key.bytes); + siphash24_init(&state, secret_key->bytes); siphash24_compress(prefix, 8, &state); siphash24_compress_string(link->ifname, &state); - /* Only last 8 bytes of IB MAC are stable */ if (link->iftype == ARPHRD_INFINIBAND) - siphash24_compress(&link->hw_addr.infiniband[12], 8, &state); + /* Only last 8 bytes of IB MAC are stable */ + siphash24_compress(&link->hw_addr.infiniband[INFINIBAND_ALEN - 8], 8, &state); else siphash24_compress(link->hw_addr.bytes, link->hw_addr.length, &state); siphash24_compress(&dad_counter, sizeof(uint8_t), &state); rid = htole64(siphash24_finalize(&state)); - addr = new(struct in6_addr, 1); - if (!addr) - return log_oom(); + memcpy(ret->s6_addr, prefix->s6_addr, 8); + memcpy(ret->s6_addr + 8, &rid, 8); +} - memcpy(addr->s6_addr, prefix->s6_addr, 8); - memcpy(addr->s6_addr + 8, &rid, 8); +static int generate_stable_private_address( + Link *link, + const sd_id128_t *app_id, + const struct in6_addr *prefix, + struct in6_addr *ret) { - if (!stable_private_address_is_valid(addr)) { - *ret = NULL; - return 0; + struct in6_addr addr; + sd_id128_t secret_key; + uint8_t i; + int r; + + assert(link); + assert(app_id); + assert(prefix); + assert(ret); + + r = sd_id128_get_machine_app_specific(*app_id, &secret_key); + if (r < 0) + return log_link_debug_errno(link, r, "Failed to generate secret key for IPv6 stable private address: %m"); + + /* While this loop uses dad_counter and a retry limit as specified in RFC 7217, the loop does + * not actually attempt Duplicate Address Detection; the counter will be incremented only when + * the address generation algorithm produces an invalid address, and the loop may exit with an + * address which ends up being unusable due to duplication on the link. */ + for (i = 0; i < DAD_CONFLICTS_IDGEN_RETRIES_RFC7217; i++) { + generate_stable_private_address_one(link, &secret_key, prefix, i, &addr); + + if (stable_private_address_is_valid(&addr)) + break; } + if (i >= DAD_CONFLICTS_IDGEN_RETRIES_RFC7217) + /* propagate recognizable errors. */ + return log_link_debug_errno(link, SYNTHETIC_ERRNO(ENOANO), + "Failed to generate stable private address."); - *ret = TAKE_PTR(addr); - return 1; + *ret = addr; + return 0; } int ndisc_router_generate_addresses(Link *link, struct in6_addr *address, uint8_t prefixlen, Set **ret) { @@ -140,17 +169,15 @@ int ndisc_router_generate_addresses(Link *link, struct in6_addr *address, uint8_ if (j->address_generation_type == IPV6_TOKEN_ADDRESS_GENERATION_PREFIXSTABLE && (in6_addr_is_null(&j->prefix) || in6_addr_equal(&j->prefix, address))) { - /* While this loop uses dad_counter and a retry limit as specified in RFC 7217, the loop - * does not actually attempt Duplicate Address Detection; the counter will be incremented - * only when the address generation algorithm produces an invalid address, and the loop - * may exit with an address which ends up being unusable due to duplication on the link. */ - for (; j->dad_counter < DAD_CONFLICTS_IDGEN_RETRIES_RFC7217; j->dad_counter++) { - r = make_stable_private_address(link, address, j->dad_counter, &new_address); - if (r < 0) - return r; - if (r > 0) - break; - } + struct in6_addr addr; + + if (generate_stable_private_address(link, &NDISC_APP_ID, address, &addr) < 0) + continue; + + new_address = newdup(struct in6_addr, &addr, 1); + if (!new_address) + return log_oom(); + } else if (j->address_generation_type == IPV6_TOKEN_ADDRESS_GENERATION_STATIC) { new_address = new(struct in6_addr, 1); if (!new_address) From ffb834cb87caded518f013d35bca74b21d5d00f5 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 1 Oct 2021 21:19:51 +0900 Subject: [PATCH 13/23] network: address-generation: mask prefix with prefixlen for safety --- src/network/networkd-address-generation.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/src/network/networkd-address-generation.c b/src/network/networkd-address-generation.c index b0c9a95a01e..7a897bf06bc 100644 --- a/src/network/networkd-address-generation.c +++ b/src/network/networkd-address-generation.c @@ -151,15 +151,20 @@ static int generate_stable_private_address( return 0; } -int ndisc_router_generate_addresses(Link *link, struct in6_addr *address, uint8_t prefixlen, Set **ret) { +int ndisc_router_generate_addresses(Link *link, struct in6_addr *prefix, uint8_t prefixlen, Set **ret) { _cleanup_set_free_free_ Set *addresses = NULL; + struct in6_addr masked; IPv6Token *j; int r; assert(link); - assert(address); + assert(prefix); + assert(prefixlen > 0 && prefixlen <= 64); assert(ret); + masked = *prefix; + in6_addr_mask(&masked, prefixlen); + addresses = set_new(&in6_addr_hash_ops); if (!addresses) return log_oom(); @@ -168,10 +173,10 @@ int ndisc_router_generate_addresses(Link *link, struct in6_addr *address, uint8_ _cleanup_free_ struct in6_addr *new_address = NULL; if (j->address_generation_type == IPV6_TOKEN_ADDRESS_GENERATION_PREFIXSTABLE - && (in6_addr_is_null(&j->prefix) || in6_addr_equal(&j->prefix, address))) { + && (in6_addr_is_null(&j->prefix) || in6_addr_equal(&j->prefix, &masked))) { struct in6_addr addr; - if (generate_stable_private_address(link, &NDISC_APP_ID, address, &addr) < 0) + if (generate_stable_private_address(link, &NDISC_APP_ID, &masked, &addr) < 0) continue; new_address = newdup(struct in6_addr, &addr, 1); @@ -183,7 +188,7 @@ int ndisc_router_generate_addresses(Link *link, struct in6_addr *address, uint8_ if (!new_address) return log_oom(); - memcpy(new_address->s6_addr, address->s6_addr, 8); + memcpy(new_address->s6_addr, masked.s6_addr, 8); memcpy(new_address->s6_addr + 8, j->prefix.s6_addr + 8, 8); } @@ -206,7 +211,7 @@ int ndisc_router_generate_addresses(Link *link, struct in6_addr *address, uint8_ if (!addr) return log_oom(); - generate_eui64_address(link, address, addr); + generate_eui64_address(link, &masked, addr); r = set_consume(addresses, addr); if (r < 0) From 3bac5fe6c9b80794d8858066c563bfab5934934f Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 1 Oct 2021 21:23:56 +0900 Subject: [PATCH 14/23] network: address-generation: modernize config_parse_address_generation_type() - drop unused _NONE type, - rename IPv6Token::prefix -> IPv6Token::address, - clear unused part of IPv6Token::address, - use Set, instead of OrderedSet. --- src/network/networkd-address-generation.c | 121 ++++++++++++---------- src/network/networkd-network-gperf.gperf | 2 +- src/network/networkd-network.c | 2 +- src/network/networkd-network.h | 2 +- 4 files changed, 67 insertions(+), 60 deletions(-) diff --git a/src/network/networkd-address-generation.c b/src/network/networkd-address-generation.c index 7a897bf06bc..3b807dbcfa7 100644 --- a/src/network/networkd-address-generation.c +++ b/src/network/networkd-address-generation.c @@ -22,17 +22,16 @@ #define NDISC_APP_ID SD_ID128_MAKE(13,ac,81,a7,d5,3f,49,78,92,79,5d,0c,29,3a,bc,7e) -typedef enum IPv6TokenAddressGeneration { - IPV6_TOKEN_ADDRESS_GENERATION_NONE, - IPV6_TOKEN_ADDRESS_GENERATION_STATIC, - IPV6_TOKEN_ADDRESS_GENERATION_PREFIXSTABLE, - _IPV6_TOKEN_ADDRESS_GENERATION_MAX, - _IPV6_TOKEN_ADDRESS_GENERATION_INVALID = -EINVAL, -} IPv6TokenAddressGeneration; +typedef enum AddressGenerationType { + ADDRESS_GENERATION_STATIC, + ADDRESS_GENERATION_PREFIXSTABLE, + _ADDRESS_GENERATION_TYPE_MAX, + _ADDRESS_GENERATION_TYPE_INVALID = -EINVAL, +} AddressGenerationType; typedef struct IPv6Token { - IPv6TokenAddressGeneration address_generation_type; - struct in6_addr prefix; + AddressGenerationType type; + struct in6_addr address; } IPv6Token; void generate_eui64_address(const Link *link, const struct in6_addr *prefix, struct in6_addr *ret) { @@ -169,11 +168,11 @@ int ndisc_router_generate_addresses(Link *link, struct in6_addr *prefix, uint8_t if (!addresses) return log_oom(); - ORDERED_SET_FOREACH(j, link->network->ipv6_tokens) { + SET_FOREACH(j, link->network->ndisc_tokens) { _cleanup_free_ struct in6_addr *new_address = NULL; - if (j->address_generation_type == IPV6_TOKEN_ADDRESS_GENERATION_PREFIXSTABLE - && (in6_addr_is_null(&j->prefix) || in6_addr_equal(&j->prefix, &masked))) { + if (j->type == ADDRESS_GENERATION_PREFIXSTABLE + && (in6_addr_is_null(&j->address) || in6_addr_equal(&j->address, &masked))) { struct in6_addr addr; if (generate_stable_private_address(link, &NDISC_APP_ID, &masked, &addr) < 0) @@ -183,13 +182,13 @@ int ndisc_router_generate_addresses(Link *link, struct in6_addr *prefix, uint8_t if (!new_address) return log_oom(); - } else if (j->address_generation_type == IPV6_TOKEN_ADDRESS_GENERATION_STATIC) { + } else if (j->type == ADDRESS_GENERATION_STATIC) { new_address = new(struct in6_addr, 1); if (!new_address) return log_oom(); memcpy(new_address->s6_addr, masked.s6_addr, 8); - memcpy(new_address->s6_addr + 8, j->prefix.s6_addr + 8, 8); + memcpy(new_address->s6_addr + 8, j->address.s6_addr + 8, 8); } if (new_address) { @@ -223,35 +222,19 @@ int ndisc_router_generate_addresses(Link *link, struct in6_addr *prefix, uint8_t return 0; } -static int ipv6token_new(IPv6Token **ret) { - IPv6Token *p; - - p = new(IPv6Token, 1); - if (!p) - return -ENOMEM; - - *p = (IPv6Token) { - .address_generation_type = IPV6_TOKEN_ADDRESS_GENERATION_NONE, - }; - - *ret = TAKE_PTR(p); - - return 0; -} - static void ipv6_token_hash_func(const IPv6Token *p, struct siphash *state) { - siphash24_compress(&p->address_generation_type, sizeof(p->address_generation_type), state); - siphash24_compress(&p->prefix, sizeof(p->prefix), state); + siphash24_compress(&p->type, sizeof(p->type), state); + siphash24_compress(&p->address, sizeof(p->address), state); } static int ipv6_token_compare_func(const IPv6Token *a, const IPv6Token *b) { int r; - r = CMP(a->address_generation_type, b->address_generation_type); + r = CMP(a->type, b->type); if (r != 0) return r; - return memcmp(&a->prefix, &b->prefix, sizeof(struct in6_addr)); + return memcmp(&a->address, &b->address, sizeof(struct in6_addr)); } DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR( @@ -261,6 +244,25 @@ DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR( ipv6_token_compare_func, free); +static int ipv6_token_add(Set **tokens, AddressGenerationType type, const struct in6_addr *addr) { + IPv6Token *p; + + assert(tokens); + assert(type >= 0 && type < _ADDRESS_GENERATION_TYPE_MAX); + assert(addr); + + p = new(IPv6Token, 1); + if (!p) + return -ENOMEM; + + *p = (IPv6Token) { + .type = type, + .address = *addr, + }; + + return set_ensure_consume(tokens, &ipv6_token_hash_ops, p); +} + int config_parse_address_generation_type( const char *unit, const char *filename, @@ -273,9 +275,9 @@ int config_parse_address_generation_type( void *data, void *userdata) { - _cleanup_free_ IPv6Token *token = NULL; - union in_addr_union buffer; - Network *network = data; + union in_addr_union buffer = {}; + AddressGenerationType type; + Set **tokens = data; const char *p; int r; @@ -285,16 +287,13 @@ int config_parse_address_generation_type( assert(data); if (isempty(rvalue)) { - network->ipv6_tokens = ordered_set_free(network->ipv6_tokens); + *tokens = set_free(*tokens); return 0; } - r = ipv6token_new(&token); - if (r < 0) - return log_oom(); - if ((p = startswith(rvalue, "prefixstable"))) { - token->address_generation_type = IPV6_TOKEN_ADDRESS_GENERATION_PREFIXSTABLE; + type = ADDRESS_GENERATION_PREFIXSTABLE; + if (*p == ':') p++; else if (*p == '\0') @@ -305,8 +304,10 @@ int config_parse_address_generation_type( lvalue, rvalue); return 0; } + } else { - token->address_generation_type = IPV6_TOKEN_ADDRESS_GENERATION_STATIC; + type = ADDRESS_GENERATION_STATIC; + p = startswith(rvalue, "static:"); if (!p) p = rvalue; @@ -320,27 +321,33 @@ int config_parse_address_generation_type( lvalue, rvalue); return 0; } - if (token->address_generation_type == IPV6_TOKEN_ADDRESS_GENERATION_STATIC && - in_addr_is_null(AF_INET6, &buffer)) { + } + + switch (type) { + case ADDRESS_GENERATION_STATIC: + /* Only last 64 bits are used. */ + memzero(buffer.in6.s6_addr, 8); + + if (in6_addr_is_null(&buffer.in6)) { log_syntax(unit, LOG_WARNING, filename, line, 0, "IPv6 address in %s= cannot be the ANY address, ignoring assignment: %s", lvalue, rvalue); return 0; } - token->prefix = buffer.in6; + break; + + case ADDRESS_GENERATION_PREFIXSTABLE: + /* At most, the initial 64 bits are used. */ + (void) in6_addr_mask(&buffer.in6, 64); + break; + + default: + assert_not_reached(); } - r = ordered_set_ensure_put(&network->ipv6_tokens, &ipv6_token_hash_ops, token); - if (r == -ENOMEM) + r = ipv6_token_add(tokens, type, &buffer.in6); + if (r < 0) return log_oom(); - if (r == -EEXIST) - log_syntax(unit, LOG_DEBUG, filename, line, r, - "IPv6 token '%s' is duplicated, ignoring: %m", rvalue); - else if (r < 0) - log_syntax(unit, LOG_WARNING, filename, line, r, - "Failed to store IPv6 token '%s', ignoring: %m", rvalue); - else - TAKE_PTR(token); return 0; } diff --git a/src/network/networkd-network-gperf.gperf b/src/network/networkd-network-gperf.gperf index 6794ac40dba..9aa253e1d94 100644 --- a/src/network/networkd-network-gperf.gperf +++ b/src/network/networkd-network-gperf.gperf @@ -104,7 +104,7 @@ Network.IPv6LinkLocalAddressGenerationMode, config_parse_ipv6_link_local_addres Network.IPv6StableSecretAddress, config_parse_in_addr_non_null, AF_INET6, offsetof(Network, ipv6ll_stable_secret) Network.IPv4LLRoute, config_parse_bool, 0, offsetof(Network, ipv4ll_route) Network.DefaultRouteOnDevice, config_parse_bool, 0, offsetof(Network, default_route_on_device) -Network.IPv6Token, config_parse_address_generation_type, 0, 0 +Network.IPv6Token, config_parse_address_generation_type, 0, offsetof(Network, ndisc_tokens) Network.LLDP, config_parse_lldp_mode, 0, offsetof(Network, lldp_mode) Network.EmitLLDP, config_parse_lldp_multicast_mode, 0, offsetof(Network, lldp_multicast_mode) Network.Address, config_parse_address, 0, 0 diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c index 7611476ad66..98a9cccc03d 100644 --- a/src/network/networkd-network.c +++ b/src/network/networkd-network.c @@ -706,9 +706,9 @@ static Network *network_free(Network *network) { ordered_hashmap_free(network->dhcp_client_send_vendor_options); ordered_hashmap_free(network->dhcp_server_send_options); ordered_hashmap_free(network->dhcp_server_send_vendor_options); - ordered_set_free(network->ipv6_tokens); ordered_hashmap_free(network->dhcp6_client_send_options); ordered_hashmap_free(network->dhcp6_client_send_vendor_options); + set_free(network->ndisc_tokens); return mfree(network); } diff --git a/src/network/networkd-network.h b/src/network/networkd-network.h index fb896598a85..81b7797e6ed 100644 --- a/src/network/networkd-network.h +++ b/src/network/networkd-network.h @@ -321,7 +321,7 @@ struct Network { Set *ndisc_allow_listed_prefix; Set *ndisc_deny_listed_route_prefix; Set *ndisc_allow_listed_route_prefix; - OrderedSet *ipv6_tokens; + Set *ndisc_tokens; /* LLDP support */ LLDPMode lldp_mode; /* LLDP reception */ From d207581fc580abbe7c335d12125f48cfe64a21ea Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 1 Oct 2021 21:34:59 +0900 Subject: [PATCH 15/23] network: address-generation: use in6_addr_hash_ops_free Also, downgrade error level, and caller logs the error. --- src/network/networkd-address-generation.c | 58 ++++++++++------------- src/network/networkd-ndisc.c | 4 +- 2 files changed, 27 insertions(+), 35 deletions(-) diff --git a/src/network/networkd-address-generation.c b/src/network/networkd-address-generation.c index 3b807dbcfa7..50ae8bcc9df 100644 --- a/src/network/networkd-address-generation.c +++ b/src/network/networkd-address-generation.c @@ -151,7 +151,7 @@ static int generate_stable_private_address( } int ndisc_router_generate_addresses(Link *link, struct in6_addr *prefix, uint8_t prefixlen, Set **ret) { - _cleanup_set_free_free_ Set *addresses = NULL; + _cleanup_set_free_ Set *addresses = NULL; struct in6_addr masked; IPv6Token *j; int r; @@ -164,61 +164,53 @@ int ndisc_router_generate_addresses(Link *link, struct in6_addr *prefix, uint8_t masked = *prefix; in6_addr_mask(&masked, prefixlen); - addresses = set_new(&in6_addr_hash_ops); - if (!addresses) - return log_oom(); - SET_FOREACH(j, link->network->ndisc_tokens) { - _cleanup_free_ struct in6_addr *new_address = NULL; + struct in6_addr addr, *copy; - if (j->type == ADDRESS_GENERATION_PREFIXSTABLE - && (in6_addr_is_null(&j->address) || in6_addr_equal(&j->address, &masked))) { - struct in6_addr addr; + switch (j->type) { + case ADDRESS_GENERATION_STATIC: + memcpy(addr.s6_addr, masked.s6_addr, 8); + memcpy(addr.s6_addr + 8, j->address.s6_addr + 8, 8); + break; + + case ADDRESS_GENERATION_PREFIXSTABLE: + if (in6_addr_is_set(&j->address) && !in6_addr_equal(&j->address, &masked)) + continue; if (generate_stable_private_address(link, &NDISC_APP_ID, &masked, &addr) < 0) continue; - new_address = newdup(struct in6_addr, &addr, 1); - if (!new_address) - return log_oom(); + break; - } else if (j->type == ADDRESS_GENERATION_STATIC) { - new_address = new(struct in6_addr, 1); - if (!new_address) - return log_oom(); - - memcpy(new_address->s6_addr, masked.s6_addr, 8); - memcpy(new_address->s6_addr + 8, j->address.s6_addr + 8, 8); + default: + assert_not_reached(); } - if (new_address) { - r = set_put(addresses, new_address); - if (r < 0) - return log_link_error_errno(link, r, "Failed to store SLAAC address: %m"); - else if (r == 0) - log_link_debug_errno(link, r, "Generated SLAAC address is duplicated, ignoring."); - else - TAKE_PTR(new_address); - } + copy = newdup(struct in6_addr, &addr, 1); + if (!copy) + return -ENOMEM; + + r = set_ensure_consume(&addresses, &in6_addr_hash_ops_free, copy); + if (r < 0) + return r; } - /* fall back to EUI-64 if no tokens provided addresses */ + /* fall back to EUI-64 if no token is provided */ if (set_isempty(addresses)) { struct in6_addr *addr; addr = new(struct in6_addr, 1); if (!addr) - return log_oom(); + return -ENOMEM; generate_eui64_address(link, &masked, addr); - r = set_consume(addresses, addr); + r = set_ensure_consume(&addresses, &in6_addr_hash_ops_free, addr); if (r < 0) - return log_link_error_errno(link, r, "Failed to store SLAAC address: %m"); + return r; } *ret = TAKE_PTR(addresses); - return 0; } diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c index 95a8ad1e14a..cb3117a58b6 100644 --- a/src/network/networkd-ndisc.c +++ b/src/network/networkd-ndisc.c @@ -381,7 +381,7 @@ static int ndisc_router_process_default(Link *link, sd_ndisc_router *rt) { static int ndisc_router_process_autonomous_prefix(Link *link, sd_ndisc_router *rt) { uint32_t lifetime_valid, lifetime_preferred; - _cleanup_set_free_free_ Set *addresses = NULL; + _cleanup_set_free_ Set *addresses = NULL; struct in6_addr prefix, *a; unsigned prefixlen; usec_t time_now; @@ -432,7 +432,7 @@ static int ndisc_router_process_autonomous_prefix(Link *link, sd_ndisc_router *r r = ndisc_router_generate_addresses(link, &prefix, prefixlen, &addresses); if (r < 0) - return r; + return log_link_error_errno(link, r, "Failed to generate SLAAC addresses: %m"); SET_FOREACH(a, addresses) { _cleanup_(address_freep) Address *address = NULL; From 868bd1aa1c35d4f8e5a59c04f698b8e21393363c Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 1 Oct 2021 21:36:32 +0900 Subject: [PATCH 16/23] network: address-genereation: introduce generate_addresses() Preparation for later commits. This does not change functionality. --- src/network/networkd-address-generation.c | 18 +++++++++++++++--- src/network/networkd-address-generation.h | 2 +- src/network/networkd-ndisc.c | 4 ++-- 3 files changed, 18 insertions(+), 6 deletions(-) diff --git a/src/network/networkd-address-generation.c b/src/network/networkd-address-generation.c index 50ae8bcc9df..008575f7f87 100644 --- a/src/network/networkd-address-generation.c +++ b/src/network/networkd-address-generation.c @@ -150,13 +150,21 @@ static int generate_stable_private_address( return 0; } -int ndisc_router_generate_addresses(Link *link, struct in6_addr *prefix, uint8_t prefixlen, Set **ret) { +static int generate_addresses( + Link *link, + Set *tokens, + const sd_id128_t *app_id, + const struct in6_addr *prefix, + uint8_t prefixlen, + Set **ret) { + _cleanup_set_free_ Set *addresses = NULL; struct in6_addr masked; IPv6Token *j; int r; assert(link); + assert(app_id); assert(prefix); assert(prefixlen > 0 && prefixlen <= 64); assert(ret); @@ -164,7 +172,7 @@ int ndisc_router_generate_addresses(Link *link, struct in6_addr *prefix, uint8_t masked = *prefix; in6_addr_mask(&masked, prefixlen); - SET_FOREACH(j, link->network->ndisc_tokens) { + SET_FOREACH(j, tokens) { struct in6_addr addr, *copy; switch (j->type) { @@ -177,7 +185,7 @@ int ndisc_router_generate_addresses(Link *link, struct in6_addr *prefix, uint8_t if (in6_addr_is_set(&j->address) && !in6_addr_equal(&j->address, &masked)) continue; - if (generate_stable_private_address(link, &NDISC_APP_ID, &masked, &addr) < 0) + if (generate_stable_private_address(link, app_id, &masked, &addr) < 0) continue; break; @@ -214,6 +222,10 @@ int ndisc_router_generate_addresses(Link *link, struct in6_addr *prefix, uint8_t return 0; } +int ndisc_generate_addresses(Link *link, const struct in6_addr *prefix, uint8_t prefixlen, Set **ret) { + return generate_addresses(link, link->network->ndisc_tokens, &NDISC_APP_ID, prefix, prefixlen, ret); +} + static void ipv6_token_hash_func(const IPv6Token *p, struct siphash *state) { siphash24_compress(&p->type, sizeof(p->type), state); siphash24_compress(&p->address, sizeof(p->address), state); diff --git a/src/network/networkd-address-generation.h b/src/network/networkd-address-generation.h index 5f67019d95a..fc0eaa2fe8a 100644 --- a/src/network/networkd-address-generation.h +++ b/src/network/networkd-address-generation.h @@ -9,6 +9,6 @@ typedef struct Link Link; void generate_eui64_address(const Link *link, const struct in6_addr *prefix, struct in6_addr *ret); -int ndisc_router_generate_addresses(Link *link, struct in6_addr *address, uint8_t prefixlen, Set **ret); +int ndisc_generate_addresses(Link *link, const struct in6_addr *prefix, uint8_t prefixlen, Set **ret); CONFIG_PARSER_PROTOTYPE(config_parse_address_generation_type); diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c index cb3117a58b6..956cc273801 100644 --- a/src/network/networkd-ndisc.c +++ b/src/network/networkd-ndisc.c @@ -404,7 +404,7 @@ static int ndisc_router_process_autonomous_prefix(Link *link, sd_ndisc_router *r if (r < 0) return log_link_error_errno(link, r, "Failed to get prefix length: %m"); - /* ndisc_router_generate_addresses() below requires the prefix length <= 64. */ + /* ndisc_generate_addresses() below requires the prefix length <= 64. */ if (prefixlen > 64) { _cleanup_free_ char *buf = NULL; @@ -430,7 +430,7 @@ static int ndisc_router_process_autonomous_prefix(Link *link, sd_ndisc_router *r if (lifetime_preferred > lifetime_valid) return 0; - r = ndisc_router_generate_addresses(link, &prefix, prefixlen, &addresses); + r = ndisc_generate_addresses(link, &prefix, prefixlen, &addresses); if (r < 0) return log_link_error_errno(link, r, "Failed to generate SLAAC addresses: %m"); From a73628e647b15b83bfcc49cb554c0ab31a4045ea Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Sat, 25 Sep 2021 04:52:47 +0900 Subject: [PATCH 17/23] network: rename IPv6Token= in [Network] -> Token= in [IPv6AcceptRA] The token is only used by received prefixes through RA. --- man/systemd.network.xml | 94 +++++++++---------- src/network/networkd-network-gperf.gperf | 3 +- .../fuzz-network-parser/directives.network | 1 + 3 files changed, 50 insertions(+), 48 deletions(-) diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 52043789ed9..7860bd10e6e 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -488,53 +488,6 @@ Gateway=0.0.0.0 Table=1234 - - IPv6Token= - - Specifies an optional address generation mode for the Stateless Address - Autoconfiguration (SLAAC). Supported modes are prefixstable and - static. - - When the mode is set to static, an IPv6 address must be - specified after a colon (:), and the lower bits of the supplied - address are combined with the upper bits of a prefix received in a Router Advertisement - (RA) message to form a complete address. Note that if multiple prefixes are received in an - RA message, or in multiple RA messages, addresses will be formed from each of them using - the supplied address. This mode implements SLAAC but uses a static interface identifier - instead of an identifier generated by using the EUI-64 algorithm. Because the interface - identifier is static, if Duplicate Address Detection detects that the computed address is a - duplicate (in use by another node on the link), then this mode will fail to provide an - address for that prefix. If an IPv6 address without mode is specified, then - static mode is assumed. - - When the mode is set to prefixstable the - RFC 7217 algorithm for generating - interface identifiers will be used. This mode can optionally take an IPv6 address separated - with a colon (:). If an IPv6 address is specified, then an interface - identifier is generated only when a prefix received in an RA message matches the supplied - address. - - If no address generation mode is specified (which is the default), or a received - prefix does not match any of the addresses provided in prefixstable - mode, then the EUI-64 algorithm will be used to form an interface identifier for that - prefix. This mode is also SLAAC, but with a potentially stable interface identifier which - does not directly map to the interface's hardware address. - - Note that the prefixstable algorithm uses both the interface - name and MAC address as input to the hash to compute the interface identifier, so if either - of those are changed the resulting interface identifier (and address) will change, even if - the prefix received in the RA message has not changed. - - This setting can be specified multiple times. If an empty string is assigned, then - the all previous assignments are cleared. - - Examples: - IPv6Token=::1a:2b:3c:4d -IPv6Token=static:::1a:2b:3c:4d -IPv6Token=prefixstable -IPv6Token=prefixstable:2002:da8:1:: - - LLMNR= @@ -2236,6 +2189,53 @@ IPv6Token=prefixstable:2002:da8:1:: with the IPv6AcceptRA= setting described above: + + Token= + + Specifies an optional address generation mode for the Stateless Address + Autoconfiguration (SLAAC). Supported modes are static and + prefixstable. + + When the mode is set to static, an IPv6 address must be + specified after a colon (:), and the lower bits of the supplied + address are combined with the upper bits of a prefix received in a Router Advertisement + (RA) message to form a complete address. Note that if multiple prefixes are received in an + RA message, or in multiple RA messages, addresses will be formed from each of them using + the supplied address. This mode implements SLAAC but uses a static interface identifier + instead of an identifier generated by using the EUI-64 algorithm. Because the interface + identifier is static, if Duplicate Address Detection detects that the computed address is a + duplicate (in use by another node on the link), then this mode will fail to provide an + address for that prefix. If an IPv6 address without mode is specified, then + static mode is assumed. + + When the mode is set to prefixstable the + RFC 7217 algorithm for generating + interface identifiers will be used. This mode can optionally take an IPv6 address separated + with a colon (:). If an IPv6 address is specified, then an interface + identifier is generated only when a prefix received in an RA message matches the supplied + address. + + If no address generation mode is specified (which is the default), or a received + prefix does not match any of the addresses provided in prefixstable + mode, then the EUI-64 algorithm will be used to form an interface identifier for that + prefix. + + Note that the prefixstable algorithm uses both the interface + name and MAC address as input to the hash to compute the interface identifier, so if either + of those are changed the resulting interface identifier (and address) will be changed, even + if the prefix received in the RA message has not been changed. + + This setting can be specified multiple times. If an empty string is assigned, then + the all previous assignments are cleared. + + Examples: + Token=::1a:2b:3c:4d +Token=static:::1a:2b:3c:4d +Token=prefixstable +Token=prefixstable:2002:da8:1:: + + + UseDNS= diff --git a/src/network/networkd-network-gperf.gperf b/src/network/networkd-network-gperf.gperf index 9aa253e1d94..ce7e6c089ea 100644 --- a/src/network/networkd-network-gperf.gperf +++ b/src/network/networkd-network-gperf.gperf @@ -104,7 +104,6 @@ Network.IPv6LinkLocalAddressGenerationMode, config_parse_ipv6_link_local_addres Network.IPv6StableSecretAddress, config_parse_in_addr_non_null, AF_INET6, offsetof(Network, ipv6ll_stable_secret) Network.IPv4LLRoute, config_parse_bool, 0, offsetof(Network, ipv4ll_route) Network.DefaultRouteOnDevice, config_parse_bool, 0, offsetof(Network, default_route_on_device) -Network.IPv6Token, config_parse_address_generation_type, 0, offsetof(Network, ndisc_tokens) Network.LLDP, config_parse_lldp_mode, 0, offsetof(Network, lldp_mode) Network.EmitLLDP, config_parse_lldp_multicast_mode, 0, offsetof(Network, lldp_multicast_mode) Network.Address, config_parse_address, 0, 0 @@ -271,6 +270,7 @@ IPv6AcceptRA.PrefixAllowList, config_parse_in_addr_prefixes, IPv6AcceptRA.PrefixDenyList, config_parse_in_addr_prefixes, AF_INET6, offsetof(Network, ndisc_deny_listed_prefix) IPv6AcceptRA.RouteAllowList, config_parse_in_addr_prefixes, AF_INET6, offsetof(Network, ndisc_allow_listed_route_prefix) IPv6AcceptRA.RouteDenyList, config_parse_in_addr_prefixes, AF_INET6, offsetof(Network, ndisc_deny_listed_route_prefix) +IPv6AcceptRA.Token, config_parse_address_generation_type, 0, offsetof(Network, ndisc_tokens) DHCPServer.ServerAddress, config_parse_dhcp_server_address, 0, 0 DHCPServer.UplinkInterface, config_parse_uplink, 0, 0 DHCPServer.RelayTarget, config_parse_in_addr_non_null, AF_INET, offsetof(Network, dhcp_server_relay_target) @@ -493,6 +493,7 @@ TrivialLinkEqualizer.Handle, config_parse_qdisc_handle, TrivialLinkEqualizer.Id, config_parse_trivial_link_equalizer_id, QDISC_KIND_TEQL, 0 /* backwards compatibility: do not add new entries to this section */ Network.IPv4LL, config_parse_ipv4ll, 0, offsetof(Network, link_local) +Network.IPv6Token, config_parse_address_generation_type, 0, offsetof(Network, ndisc_tokens) Network.IPv6PrefixDelegation, config_parse_router_prefix_delegation, 0, offsetof(Network, router_prefix_delegation) IPv6PrefixDelegation.RouterLifetimeSec, config_parse_sec, 0, offsetof(Network, router_lifetime_usec) IPv6PrefixDelegation.Managed, config_parse_bool, 0, offsetof(Network, router_managed) diff --git a/test/fuzz/fuzz-network-parser/directives.network b/test/fuzz/fuzz-network-parser/directives.network index fdd7f73baee..9b5ecccedbb 100644 --- a/test/fuzz/fuzz-network-parser/directives.network +++ b/test/fuzz/fuzz-network-parser/directives.network @@ -359,6 +359,7 @@ RouteAllowList= RouteDenyList= DenyList= BlackList= +Token= [DHCPServer] EmitNTP= PoolSize= From 140bf8dacca4d462fe5c71fa57f98458828f813d Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Sat, 25 Sep 2021 04:04:09 +0900 Subject: [PATCH 18/23] network: introduce Token=eui64 So, now user can explicitly request EUI-64 algorithm to generate addresses. --- man/systemd.network.xml | 10 +++++++--- src/network/networkd-address-generation.c | 12 ++++++++++++ 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 7860bd10e6e..1d811a68678 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -2193,8 +2193,11 @@ Table=1234 Token= Specifies an optional address generation mode for the Stateless Address - Autoconfiguration (SLAAC). Supported modes are static and - prefixstable. + Autoconfiguration (SLAAC). Supported modes are eui64, + static, and prefixstable. + + When the mode is set to eui64, then the EUI-64 algorithm will be + used to generate an address for that prefix. When the mode is set to static, an IPv6 address must be specified after a colon (:), and the lower bits of the supplied @@ -2229,7 +2232,8 @@ Table=1234 the all previous assignments are cleared. Examples: - Token=::1a:2b:3c:4d + Token=eui64 +Token=::1a:2b:3c:4d Token=static:::1a:2b:3c:4d Token=prefixstable Token=prefixstable:2002:da8:1:: diff --git a/src/network/networkd-address-generation.c b/src/network/networkd-address-generation.c index 008575f7f87..800a96d351a 100644 --- a/src/network/networkd-address-generation.c +++ b/src/network/networkd-address-generation.c @@ -23,6 +23,7 @@ #define NDISC_APP_ID SD_ID128_MAKE(13,ac,81,a7,d5,3f,49,78,92,79,5d,0c,29,3a,bc,7e) typedef enum AddressGenerationType { + ADDRESS_GENERATION_EUI64, ADDRESS_GENERATION_STATIC, ADDRESS_GENERATION_PREFIXSTABLE, _ADDRESS_GENERATION_TYPE_MAX, @@ -176,6 +177,10 @@ static int generate_addresses( struct in6_addr addr, *copy; switch (j->type) { + case ADDRESS_GENERATION_EUI64: + generate_eui64_address(link, &masked, &addr); + break; + case ADDRESS_GENERATION_STATIC: memcpy(addr.s6_addr, masked.s6_addr, 8); memcpy(addr.s6_addr + 8, j->address.s6_addr + 8, 8); @@ -309,6 +314,9 @@ int config_parse_address_generation_type( return 0; } + } else if (streq(rvalue, "eui64")) { + type = ADDRESS_GENERATION_EUI64; + p = NULL; } else { type = ADDRESS_GENERATION_STATIC; @@ -328,6 +336,10 @@ int config_parse_address_generation_type( } switch (type) { + case ADDRESS_GENERATION_EUI64: + assert(in6_addr_is_null(&buffer.in6)); + break; + case ADDRESS_GENERATION_STATIC: /* Only last 64 bits are used. */ memzero(buffer.in6.s6_addr, 8); From f5960e0ab5e4ffa985e8f08308ccadfcb4d4f748 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Sat, 25 Sep 2021 04:10:34 +0900 Subject: [PATCH 19/23] network: extend Token= setting in [DHCPv6PrefixDelegation] Now the setting supports the same syntax as the one in the [IPv6AcceptRA] section. --- man/systemd.network.xml | 8 ++-- src/network/networkd-address-generation.c | 5 +++ src/network/networkd-address-generation.h | 1 + src/network/networkd-dhcp6.c | 54 ++++++++++++----------- src/network/networkd-network-gperf.gperf | 2 +- src/network/networkd-network.c | 1 + src/network/networkd-network.h | 2 +- 7 files changed, 41 insertions(+), 32 deletions(-) diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 1d811a68678..1459ba83d9b 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -2158,11 +2158,9 @@ Table=1234 Token= Specifies an optional address generation mode for assigning an address in each - delegated prefix. Takes an IPv6 address. When set, the lower bits of the supplied address is - combined with the upper bits of each delegatad prefix received from the WAN interface by the - DHCPv6 Prefix Delegation to form a complete address. When Assign= is - disabled, this setting is ignored. When unset, the EUI-64 algorithm will be used to form - addresses. Defaults to unset. + delegated prefix. This accepts the same syntax as Token= in the + [IPv6AcceptRA] section. If Assign= is set to false, then this setting will + be ignored. Defaults to unset, which means the EUI-64 algorithm will be used. diff --git a/src/network/networkd-address-generation.c b/src/network/networkd-address-generation.c index 800a96d351a..bea765a3b0d 100644 --- a/src/network/networkd-address-generation.c +++ b/src/network/networkd-address-generation.c @@ -20,6 +20,7 @@ #define RESERVED_SUBNET_ANYCAST_ADDRESSES ((const struct in6_addr) { .s6_addr = { 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80 } }) #define RESERVED_SUBNET_ANYCAST_PREFIXLEN 57 +#define DHCP6PD_APP_ID SD_ID128_MAKE(fb,b9,37,ca,4a,ed,4a,4d,b0,70,7f,aa,71,c0,c9,85) #define NDISC_APP_ID SD_ID128_MAKE(13,ac,81,a7,d5,3f,49,78,92,79,5d,0c,29,3a,bc,7e) typedef enum AddressGenerationType { @@ -227,6 +228,10 @@ static int generate_addresses( return 0; } +int dhcp6_pd_generate_addresses(Link *link, const struct in6_addr *prefix, Set **ret) { + return generate_addresses(link, link->network->dhcp6_pd_tokens, &DHCP6PD_APP_ID, prefix, 64, ret); +} + int ndisc_generate_addresses(Link *link, const struct in6_addr *prefix, uint8_t prefixlen, Set **ret) { return generate_addresses(link, link->network->ndisc_tokens, &NDISC_APP_ID, prefix, prefixlen, ret); } diff --git a/src/network/networkd-address-generation.h b/src/network/networkd-address-generation.h index fc0eaa2fe8a..7e8b01e0a85 100644 --- a/src/network/networkd-address-generation.h +++ b/src/network/networkd-address-generation.h @@ -9,6 +9,7 @@ typedef struct Link Link; void generate_eui64_address(const Link *link, const struct in6_addr *prefix, struct in6_addr *ret); +int dhcp6_pd_generate_addresses(Link *link, const struct in6_addr *prefix, Set **ret); int ndisc_generate_addresses(Link *link, const struct in6_addr *prefix, uint8_t prefixlen, Set **ret); CONFIG_PARSER_PROTOTYPE(config_parse_address_generation_type); diff --git a/src/network/networkd-dhcp6.c b/src/network/networkd-dhcp6.c index c6911e14a05..8827d33c2a6 100644 --- a/src/network/networkd-dhcp6.c +++ b/src/network/networkd-dhcp6.c @@ -362,8 +362,8 @@ static int dhcp6_pd_request_address( uint32_t lifetime_preferred, uint32_t lifetime_valid) { - _cleanup_(address_freep) Address *address = NULL; - Address *existing; + _cleanup_set_free_ Set *addresses = NULL; + struct in6_addr *a; int r; assert(link); @@ -373,35 +373,39 @@ static int dhcp6_pd_request_address( if (!link->network->dhcp6_pd_assign) return 0; - r = address_new(&address); + r = dhcp6_pd_generate_addresses(link, prefix, &addresses); if (r < 0) - return log_link_error_errno(link, r, "Failed to allocate address for DHCPv6 delegated prefix: %m"); + return log_link_warning_errno(link, r, "Failed to generate addresses for acquired DHCPv6 delegated prefix: %m"); - if (in6_addr_is_set(&link->network->dhcp6_pd_token)) { - memcpy(address->in_addr.in6.s6_addr, prefix->s6_addr, 8); - memcpy(address->in_addr.in6.s6_addr + 8, link->network->dhcp6_pd_token.s6_addr + 8, 8); - } else - generate_eui64_address(link, prefix, &address->in_addr.in6); + SET_FOREACH(a, addresses) { + _cleanup_(address_freep) Address *address = NULL; + Address *existing; - address->source = NETWORK_CONFIG_SOURCE_DHCP6PD; - address->prefixlen = 64; - address->family = AF_INET6; - address->cinfo.ifa_prefered = lifetime_preferred; - address->cinfo.ifa_valid = lifetime_valid; - SET_FLAG(address->flags, IFA_F_MANAGETEMPADDR, link->network->dhcp6_pd_manage_temporary_address); - address->route_metric = link->network->dhcp6_pd_route_metric; + r = address_new(&address); + if (r < 0) + return log_link_error_errno(link, r, "Failed to allocate address for DHCPv6 delegated prefix: %m"); - log_dhcp6_pd_address(link, address); + address->source = NETWORK_CONFIG_SOURCE_DHCP6PD; + address->family = AF_INET6; + address->in_addr.in6 = *a; + address->prefixlen = 64; + address->cinfo.ifa_prefered = lifetime_preferred; + address->cinfo.ifa_valid = lifetime_valid; + SET_FLAG(address->flags, IFA_F_MANAGETEMPADDR, link->network->dhcp6_pd_manage_temporary_address); + address->route_metric = link->network->dhcp6_pd_route_metric; - if (address_get(link, address, &existing) < 0) - link->dhcp6_pd_configured = false; - else - address_unmark(existing); + log_dhcp6_pd_address(link, address); - r = link_request_address(link, TAKE_PTR(address), true, &link->dhcp6_pd_messages, - dhcp6_pd_address_handler, NULL); - if (r < 0) - return log_link_error_errno(link, r, "Failed to request DHCPv6 delegated prefix address: %m"); + if (address_get(link, address, &existing) < 0) + link->dhcp6_pd_configured = false; + else + address_unmark(existing); + + r = link_request_address(link, TAKE_PTR(address), true, &link->dhcp6_pd_messages, + dhcp6_pd_address_handler, NULL); + if (r < 0) + return log_link_error_errno(link, r, "Failed to request DHCPv6 delegated prefix address: %m"); + } return 0; } diff --git a/src/network/networkd-network-gperf.gperf b/src/network/networkd-network-gperf.gperf index ce7e6c089ea..c8b1521d903 100644 --- a/src/network/networkd-network-gperf.gperf +++ b/src/network/networkd-network-gperf.gperf @@ -329,7 +329,7 @@ DHCPv6PrefixDelegation.SubnetId, config_parse_dhcp6_pd_subnet_id, DHCPv6PrefixDelegation.Announce, config_parse_bool, 0, offsetof(Network, dhcp6_pd_announce) DHCPv6PrefixDelegation.Assign, config_parse_bool, 0, offsetof(Network, dhcp6_pd_assign) DHCPv6PrefixDelegation.ManageTemporaryAddress, config_parse_bool, 0, offsetof(Network, dhcp6_pd_manage_temporary_address) -DHCPv6PrefixDelegation.Token, config_parse_in_addr_non_null, AF_INET6, offsetof(Network, dhcp6_pd_token) +DHCPv6PrefixDelegation.Token, config_parse_address_generation_type, 0, offsetof(Network, dhcp6_pd_tokens) DHCPv6PrefixDelegation.RouteMetric, config_parse_uint32, 0, offsetof(Network, dhcp6_pd_route_metric) IPv6SendRA.RouterLifetimeSec, config_parse_sec, 0, offsetof(Network, router_lifetime_usec) IPv6SendRA.Managed, config_parse_bool, 0, offsetof(Network, router_managed) diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c index 98a9cccc03d..afbb9d61db4 100644 --- a/src/network/networkd-network.c +++ b/src/network/networkd-network.c @@ -708,6 +708,7 @@ static Network *network_free(Network *network) { ordered_hashmap_free(network->dhcp_server_send_vendor_options); ordered_hashmap_free(network->dhcp6_client_send_options); ordered_hashmap_free(network->dhcp6_client_send_vendor_options); + set_free(network->dhcp6_pd_tokens); set_free(network->ndisc_tokens); return mfree(network); diff --git a/src/network/networkd-network.h b/src/network/networkd-network.h index 81b7797e6ed..ff9d1338fda 100644 --- a/src/network/networkd-network.h +++ b/src/network/networkd-network.h @@ -244,7 +244,7 @@ struct Network { bool dhcp6_pd_manage_temporary_address; int64_t dhcp6_pd_subnet_id; uint32_t dhcp6_pd_route_metric; - struct in6_addr dhcp6_pd_token; + Set *dhcp6_pd_tokens; /* Bridge Support */ int use_bpdu; From e609cd0694ed6fe23f165f6b32312c77432baa4d Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Sat, 25 Sep 2021 04:12:31 +0900 Subject: [PATCH 20/23] network: introduce Token= setting in [IPv6Prefix] Closes #20149. --- man/systemd.network.xml | 10 +++ src/network/networkd-address-generation.c | 5 ++ src/network/networkd-address-generation.h | 1 + src/network/networkd-network-gperf.gperf | 1 + src/network/networkd-radv.c | 73 +++++++++++++++---- src/network/networkd-radv.h | 2 + .../fuzz-network-parser/directives.network | 1 + 7 files changed, 78 insertions(+), 15 deletions(-) diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 1459ba83d9b..77ed77918cf 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -2729,6 +2729,16 @@ Token=prefixstable:2002:da8:1:: + + Token= + + Specifies an optional address generation mode for assigning an address in each + prefix. This accepts the same syntax as Token= in the [IPv6AcceptRA] + section. If Assign= is set to false, then this setting will be ignored. + Defaults to unset, which means the EUI-64 algorithm will be used. + + + RouteMetric= diff --git a/src/network/networkd-address-generation.c b/src/network/networkd-address-generation.c index bea765a3b0d..04b80dee86e 100644 --- a/src/network/networkd-address-generation.c +++ b/src/network/networkd-address-generation.c @@ -22,6 +22,7 @@ #define DHCP6PD_APP_ID SD_ID128_MAKE(fb,b9,37,ca,4a,ed,4a,4d,b0,70,7f,aa,71,c0,c9,85) #define NDISC_APP_ID SD_ID128_MAKE(13,ac,81,a7,d5,3f,49,78,92,79,5d,0c,29,3a,bc,7e) +#define RADV_APP_ID SD_ID128_MAKE(1f,1e,90,c8,5c,78,4f,dc,8e,61,2d,59,0d,53,c1,25) typedef enum AddressGenerationType { ADDRESS_GENERATION_EUI64, @@ -236,6 +237,10 @@ int ndisc_generate_addresses(Link *link, const struct in6_addr *prefix, uint8_t return generate_addresses(link, link->network->ndisc_tokens, &NDISC_APP_ID, prefix, prefixlen, ret); } +int radv_generate_addresses(Link *link, Set *tokens, const struct in6_addr *prefix, uint8_t prefixlen, Set **ret) { + return generate_addresses(link, tokens, &RADV_APP_ID, prefix, prefixlen, ret); +} + static void ipv6_token_hash_func(const IPv6Token *p, struct siphash *state) { siphash24_compress(&p->type, sizeof(p->type), state); siphash24_compress(&p->address, sizeof(p->address), state); diff --git a/src/network/networkd-address-generation.h b/src/network/networkd-address-generation.h index 7e8b01e0a85..8aa5d4d3f58 100644 --- a/src/network/networkd-address-generation.h +++ b/src/network/networkd-address-generation.h @@ -11,5 +11,6 @@ void generate_eui64_address(const Link *link, const struct in6_addr *prefix, str int dhcp6_pd_generate_addresses(Link *link, const struct in6_addr *prefix, Set **ret); int ndisc_generate_addresses(Link *link, const struct in6_addr *prefix, uint8_t prefixlen, Set **ret); +int radv_generate_addresses(Link *link, Set *tokens, const struct in6_addr *prefix, uint8_t prefixlen, Set **ret); CONFIG_PARSER_PROTOTYPE(config_parse_address_generation_type); diff --git a/src/network/networkd-network-gperf.gperf b/src/network/networkd-network-gperf.gperf index c8b1521d903..b670038d2ae 100644 --- a/src/network/networkd-network-gperf.gperf +++ b/src/network/networkd-network-gperf.gperf @@ -348,6 +348,7 @@ IPv6Prefix.ValidLifetimeSec, config_parse_prefix_lifetime, IPv6Prefix.PreferredLifetimeSec, config_parse_prefix_lifetime, 0, 0 IPv6Prefix.Assign, config_parse_prefix_assign, 0, 0 IPv6Prefix.RouteMetric, config_parse_prefix_metric, 0, 0 +IPv6Prefix.Token, config_parse_prefix_token, 0, 0 IPv6RoutePrefix.Route, config_parse_route_prefix, 0, 0 IPv6RoutePrefix.LifetimeSec, config_parse_route_prefix_lifetime, 0, 0 LLDP.MUDURL, config_parse_mud_url, 0, offsetof(Network, lldp_mudurl) diff --git a/src/network/networkd-radv.c b/src/network/networkd-radv.c index b9ba0ff9baa..34e6a41c34a 100644 --- a/src/network/networkd-radv.c +++ b/src/network/networkd-radv.c @@ -69,6 +69,7 @@ Prefix *prefix_free(Prefix *prefix) { network_config_section_free(prefix->section); sd_radv_prefix_unref(prefix->radv_prefix); + set_free(prefix->tokens); return mfree(prefix); } @@ -204,8 +205,8 @@ int link_request_radv_addresses(Link *link) { return 0; HASHMAP_FOREACH(p, link->network->prefixes_by_section) { - _cleanup_(address_freep) Address *address = NULL; - struct in6_addr prefix; + _cleanup_set_free_ Set *addresses = NULL; + struct in6_addr prefix, *a; uint8_t prefixlen; if (!p->assign) @@ -215,7 +216,7 @@ int link_request_radv_addresses(Link *link) { if (r < 0) return r; - /* generate_eui64_address() below requires the prefix length <= 64. */ + /* radv_generate_addresses() below requires the prefix length <= 64. */ if (prefixlen > 64) { _cleanup_free_ char *str = NULL; @@ -226,20 +227,27 @@ int link_request_radv_addresses(Link *link) { continue; } - r = address_new(&address); - if (r < 0) - return log_oom(); - - generate_eui64_address(link, &prefix, &address->in_addr.in6); - - address->source = NETWORK_CONFIG_SOURCE_STATIC; - address->family = AF_INET6; - address->prefixlen = prefixlen; - address->route_metric = p->route_metric; - - r = link_request_static_address(link, TAKE_PTR(address), true); + r = radv_generate_addresses(link, p->tokens, &prefix, prefixlen, &addresses); if (r < 0) return r; + + SET_FOREACH(a, addresses) { + _cleanup_(address_freep) Address *address = NULL; + + r = address_new(&address); + if (r < 0) + return -ENOMEM; + + address->source = NETWORK_CONFIG_SOURCE_STATIC; + address->family = AF_INET6; + address->in_addr.in6 = *a; + address->prefixlen = prefixlen; + address->route_metric = p->route_metric; + + r = link_request_static_address(link, TAKE_PTR(address), true); + if (r < 0) + return r; + } } return 0; @@ -875,6 +883,41 @@ int config_parse_prefix_metric( return 0; } +int config_parse_prefix_token( + const char *unit, + const char *filename, + unsigned line, + const char *section, + unsigned section_line, + const char *lvalue, + int ltype, + const char *rvalue, + void *data, + void *userdata) { + + _cleanup_(prefix_free_or_set_invalidp) Prefix *p = NULL; + Network *network = userdata; + int r; + + assert(filename); + assert(section); + assert(lvalue); + assert(rvalue); + assert(userdata); + + r = prefix_new_static(network, filename, section_line, &p); + if (r < 0) + return log_oom(); + + r = config_parse_address_generation_type(unit, filename, line, section, section_line, + lvalue, ltype, rvalue, &p->tokens, userdata); + if (r < 0) + return r; + + TAKE_PTR(p); + return 0; +} + int config_parse_route_prefix( const char *unit, const char *filename, diff --git a/src/network/networkd-radv.h b/src/network/networkd-radv.h index aec3d3386fb..5c869d8623e 100644 --- a/src/network/networkd-radv.h +++ b/src/network/networkd-radv.h @@ -35,6 +35,7 @@ typedef struct Prefix { bool assign; uint32_t route_metric; + Set *tokens; } Prefix; typedef struct RoutePrefix { @@ -70,6 +71,7 @@ CONFIG_PARSER_PROTOTYPE(config_parse_prefix_flags); CONFIG_PARSER_PROTOTYPE(config_parse_prefix_lifetime); CONFIG_PARSER_PROTOTYPE(config_parse_prefix_assign); CONFIG_PARSER_PROTOTYPE(config_parse_prefix_metric); +CONFIG_PARSER_PROTOTYPE(config_parse_prefix_token); CONFIG_PARSER_PROTOTYPE(config_parse_radv_dns); CONFIG_PARSER_PROTOTYPE(config_parse_radv_search_domains); CONFIG_PARSER_PROTOTYPE(config_parse_route_prefix); diff --git a/test/fuzz/fuzz-network-parser/directives.network b/test/fuzz/fuzz-network-parser/directives.network index 9b5ecccedbb..ea02d4c640f 100644 --- a/test/fuzz/fuzz-network-parser/directives.network +++ b/test/fuzz/fuzz-network-parser/directives.network @@ -247,6 +247,7 @@ PreferredLifetimeSec= AddressAutoconfiguration= ValidLifetimeSec= Assign= +Token= RouteMetric= [IPv6RoutePrefix] Route= From 34a3a0c4809736edf5850ea35270d8d39a5a8db3 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Sat, 25 Sep 2021 04:12:53 +0900 Subject: [PATCH 21/23] network: make generate_eui64_address() static --- src/network/networkd-address-generation.c | 2 +- src/network/networkd-address-generation.h | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/src/network/networkd-address-generation.c b/src/network/networkd-address-generation.c index 04b80dee86e..2d574ee78bc 100644 --- a/src/network/networkd-address-generation.c +++ b/src/network/networkd-address-generation.c @@ -37,7 +37,7 @@ typedef struct IPv6Token { struct in6_addr address; } IPv6Token; -void generate_eui64_address(const Link *link, const struct in6_addr *prefix, struct in6_addr *ret) { +static void generate_eui64_address(const Link *link, const struct in6_addr *prefix, struct in6_addr *ret) { assert(link); assert(prefix); assert(ret); diff --git a/src/network/networkd-address-generation.h b/src/network/networkd-address-generation.h index 8aa5d4d3f58..391a6ccc970 100644 --- a/src/network/networkd-address-generation.h +++ b/src/network/networkd-address-generation.h @@ -7,8 +7,6 @@ typedef struct Link Link; -void generate_eui64_address(const Link *link, const struct in6_addr *prefix, struct in6_addr *ret); - int dhcp6_pd_generate_addresses(Link *link, const struct in6_addr *prefix, Set **ret); int ndisc_generate_addresses(Link *link, const struct in6_addr *prefix, uint8_t prefixlen, Set **ret); int radv_generate_addresses(Link *link, Set *tokens, const struct in6_addr *prefix, uint8_t prefixlen, Set **ret); From b48b6bd3b9afc29bc150ff096d7cae39f4a986b7 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 17 Sep 2021 21:55:00 +0900 Subject: [PATCH 22/23] test-network: replace deprecated settings --- ...x-veth-token-prefixstable-without-address.network | 4 +++- .../conf/ipv6-prefix-veth-token-prefixstable.network | 4 +++- .../conf/ipv6-prefix-veth-token-static.network | 12 +++++++----- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/test/test-network/conf/ipv6-prefix-veth-token-prefixstable-without-address.network b/test/test-network/conf/ipv6-prefix-veth-token-prefixstable-without-address.network index 5fe68a2810d..cdafe0d91fe 100644 --- a/test/test-network/conf/ipv6-prefix-veth-token-prefixstable-without-address.network +++ b/test/test-network/conf/ipv6-prefix-veth-token-prefixstable-without-address.network @@ -3,4 +3,6 @@ Name=veth99 [Network] IPv6AcceptRA=true -IPv6Token=prefixstable + +[IPv6AcceptRA] +Token=prefixstable diff --git a/test/test-network/conf/ipv6-prefix-veth-token-prefixstable.network b/test/test-network/conf/ipv6-prefix-veth-token-prefixstable.network index 4d80e024f9c..e95e139391f 100644 --- a/test/test-network/conf/ipv6-prefix-veth-token-prefixstable.network +++ b/test/test-network/conf/ipv6-prefix-veth-token-prefixstable.network @@ -3,4 +3,6 @@ Name=veth99 [Network] IPv6AcceptRA=true -IPv6Token=prefixstable:2002:da8:1:: + +[IPv6AcceptRA] +Token=prefixstable:2002:da8:1:: diff --git a/test/test-network/conf/ipv6-prefix-veth-token-static.network b/test/test-network/conf/ipv6-prefix-veth-token-static.network index 5c5fdc9d4e9..a239619ec7b 100644 --- a/test/test-network/conf/ipv6-prefix-veth-token-static.network +++ b/test/test-network/conf/ipv6-prefix-veth-token-static.network @@ -3,8 +3,10 @@ Name=veth99 [Network] IPv6AcceptRA=true -IPv6Token=::1a:2b:3c:4d -IPv6Token=static:::fa:de:ca:fe -IPv6Token=::1a:2b:3c:4d -IPv6Token=static:::1a:2b:3c:4d -IPv6Token=::fa:de:ca:fe + +[IPv6AcceptRA] +Token=::1a:2b:3c:4d +Token=static:::fa:de:ca:fe +Token=::1a:2b:3c:4d +Token=static:::1a:2b:3c:4d +Token=::fa:de:ca:fe From fe2a8b3d3fc01570ebe8d43433d6a897cb2efc42 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 17 Sep 2021 21:55:32 +0900 Subject: [PATCH 23/23] test-network: add tests for Token= in [IPv6Prefix] --- test/test-network/conf/ipv6ra-prefix.network | 2 ++ test/test-network/systemd-networkd-tests.py | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/test/test-network/conf/ipv6ra-prefix.network b/test/test-network/conf/ipv6ra-prefix.network index ae74c6e2c6f..d91847bde7d 100644 --- a/test/test-network/conf/ipv6ra-prefix.network +++ b/test/test-network/conf/ipv6ra-prefix.network @@ -14,6 +14,8 @@ Prefix=2001:db8:0:1::/64 [IPv6Prefix] Prefix=2001:db8:0:2::/64 Assign=yes +Token=::1a:2b:3c:4d +Token=static:::fa:de:ca:fe [IPv6Prefix] Prefix=2001:db8:0:3::/64 diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py index 5de2d3ae032..95d526a7f71 100755 --- a/test/test-network/systemd-networkd-tests.py +++ b/test/test-network/systemd-networkd-tests.py @@ -4895,7 +4895,8 @@ class NetworkdIPv6PrefixTests(unittest.TestCase, Utilities): output = check_output('ip address show dev veth99') print(output) self.assertNotIn('inet6 2001:db8:0:1:', output) - self.assertIn('inet6 2001:db8:0:2:', output) + self.assertIn('inet6 2001:db8:0:2:1a:2b:3c:4d', output) + self.assertIn('inet6 2001:db8:0:2:fa:de:ca:fe', output) self.assertNotIn('inet6 2001:db8:0:3:', output) output = check_output(*resolvectl_cmd, 'dns', 'veth-peer', env=env)