github.com/SagerNet/gvisor@v0.0.0-20210707092255-7731c139d75c/pkg/tcpip/stack/nic.go (about) 1 // Copyright 2018 The gVisor Authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package stack 16 17 import ( 18 "fmt" 19 "reflect" 20 "sync/atomic" 21 22 "github.com/SagerNet/gvisor/pkg/sync" 23 "github.com/SagerNet/gvisor/pkg/tcpip" 24 "github.com/SagerNet/gvisor/pkg/tcpip/header" 25 ) 26 27 type linkResolver struct { 28 resolver LinkAddressResolver 29 30 neigh neighborCache 31 } 32 33 func (l *linkResolver) getNeighborLinkAddress(addr, localAddr tcpip.Address, onResolve func(LinkResolutionResult)) (tcpip.LinkAddress, <-chan struct{}, tcpip.Error) { 34 entry, ch, err := l.neigh.entry(addr, localAddr, onResolve) 35 return entry.LinkAddr, ch, err 36 } 37 38 func (l *linkResolver) confirmReachable(addr tcpip.Address) { 39 l.neigh.handleUpperLevelConfirmation(addr) 40 } 41 42 var _ NetworkInterface = (*nic)(nil) 43 44 // nic represents a "network interface card" to which the networking stack is 45 // attached. 46 type nic struct { 47 LinkEndpoint 48 49 stack *Stack 50 id tcpip.NICID 51 name string 52 context NICContext 53 54 stats sharedStats 55 56 // The network endpoints themselves may be modified by calling the interface's 57 // methods, but the map reference and entries must be constant. 58 networkEndpoints map[tcpip.NetworkProtocolNumber]NetworkEndpoint 59 linkAddrResolvers map[tcpip.NetworkProtocolNumber]*linkResolver 60 duplicateAddressDetectors map[tcpip.NetworkProtocolNumber]DuplicateAddressDetector 61 62 // enabled is set to 1 when the NIC is enabled and 0 when it is disabled. 63 // 64 // Must be accessed using atomic operations. 65 enabled uint32 66 67 // linkResQueue holds packets that are waiting for link resolution to 68 // complete. 69 linkResQueue packetsPendingLinkResolution 70 71 mu struct { 72 sync.RWMutex 73 spoofing bool 74 promiscuous bool 75 // packetEPs is protected by mu, but the contained packetEndpointList are 76 // not. 77 packetEPs map[tcpip.NetworkProtocolNumber]*packetEndpointList 78 } 79 } 80 81 // makeNICStats initializes the NIC statistics and associates them to the global 82 // NIC statistics. 83 func makeNICStats(global tcpip.NICStats) sharedStats { 84 var stats sharedStats 85 tcpip.InitStatCounters(reflect.ValueOf(&stats.local).Elem()) 86 stats.init(&stats.local, &global) 87 return stats 88 } 89 90 type packetEndpointList struct { 91 mu sync.RWMutex 92 93 // eps is protected by mu, but the contained PacketEndpoint values are not. 94 eps []PacketEndpoint 95 } 96 97 func (p *packetEndpointList) add(ep PacketEndpoint) { 98 p.mu.Lock() 99 defer p.mu.Unlock() 100 p.eps = append(p.eps, ep) 101 } 102 103 func (p *packetEndpointList) remove(ep PacketEndpoint) { 104 p.mu.Lock() 105 defer p.mu.Unlock() 106 for i, epOther := range p.eps { 107 if epOther == ep { 108 p.eps = append(p.eps[:i], p.eps[i+1:]...) 109 break 110 } 111 } 112 } 113 114 // forEach calls fn with each endpoints in p while holding the read lock on p. 115 func (p *packetEndpointList) forEach(fn func(PacketEndpoint)) { 116 p.mu.RLock() 117 defer p.mu.RUnlock() 118 for _, ep := range p.eps { 119 fn(ep) 120 } 121 } 122 123 // newNIC returns a new NIC using the default NDP configurations from stack. 124 func newNIC(stack *Stack, id tcpip.NICID, name string, ep LinkEndpoint, ctx NICContext) *nic { 125 // TODO(b/141011931): Validate a LinkEndpoint (ep) is valid. For 126 // example, make sure that the link address it provides is a valid 127 // unicast ethernet address. 128 129 // TODO(b/143357959): RFC 8200 section 5 requires that IPv6 endpoints 130 // observe an MTU of at least 1280 bytes. Ensure that this requirement 131 // of IPv6 is supported on this endpoint's LinkEndpoint. 132 133 nic := &nic{ 134 LinkEndpoint: ep, 135 136 stack: stack, 137 id: id, 138 name: name, 139 context: ctx, 140 stats: makeNICStats(stack.Stats().NICs), 141 networkEndpoints: make(map[tcpip.NetworkProtocolNumber]NetworkEndpoint), 142 linkAddrResolvers: make(map[tcpip.NetworkProtocolNumber]*linkResolver), 143 duplicateAddressDetectors: make(map[tcpip.NetworkProtocolNumber]DuplicateAddressDetector), 144 } 145 nic.linkResQueue.init(nic) 146 nic.mu.packetEPs = make(map[tcpip.NetworkProtocolNumber]*packetEndpointList) 147 148 resolutionRequired := ep.Capabilities()&CapabilityResolutionRequired != 0 149 150 // Register supported packet and network endpoint protocols. 151 for _, netProto := range header.Ethertypes { 152 nic.mu.packetEPs[netProto] = new(packetEndpointList) 153 } 154 for _, netProto := range stack.networkProtocols { 155 netNum := netProto.Number() 156 nic.mu.packetEPs[netNum] = new(packetEndpointList) 157 158 netEP := netProto.NewEndpoint(nic, nic) 159 nic.networkEndpoints[netNum] = netEP 160 161 if resolutionRequired { 162 if r, ok := netEP.(LinkAddressResolver); ok { 163 l := &linkResolver{resolver: r} 164 l.neigh.init(nic, r) 165 nic.linkAddrResolvers[r.LinkAddressProtocol()] = l 166 } 167 } 168 169 if d, ok := netEP.(DuplicateAddressDetector); ok { 170 nic.duplicateAddressDetectors[d.DuplicateAddressProtocol()] = d 171 } 172 } 173 174 nic.LinkEndpoint.Attach(nic) 175 176 return nic 177 } 178 179 func (n *nic) getNetworkEndpoint(proto tcpip.NetworkProtocolNumber) NetworkEndpoint { 180 return n.networkEndpoints[proto] 181 } 182 183 // Enabled implements NetworkInterface. 184 func (n *nic) Enabled() bool { 185 return atomic.LoadUint32(&n.enabled) == 1 186 } 187 188 // setEnabled sets the enabled status for the NIC. 189 // 190 // Returns true if the enabled status was updated. 191 func (n *nic) setEnabled(v bool) bool { 192 if v { 193 return atomic.SwapUint32(&n.enabled, 1) == 0 194 } 195 return atomic.SwapUint32(&n.enabled, 0) == 1 196 } 197 198 // disable disables n. 199 // 200 // It undoes the work done by enable. 201 func (n *nic) disable() { 202 n.mu.Lock() 203 n.disableLocked() 204 n.mu.Unlock() 205 } 206 207 // disableLocked disables n. 208 // 209 // It undoes the work done by enable. 210 // 211 // n MUST be locked. 212 func (n *nic) disableLocked() { 213 if !n.Enabled() { 214 return 215 } 216 217 // TODO(github.com/SagerNet/issue/1491): Should Routes that are currently bound to n be 218 // invalidated? Currently, Routes will continue to work when a NIC is enabled 219 // again, and applications may not know that the underlying NIC was ever 220 // disabled. 221 222 for _, ep := range n.networkEndpoints { 223 ep.Disable() 224 225 // Clear the neighbour table (including static entries) as we cannot 226 // guarantee that the current neighbour table will be valid when the NIC is 227 // enabled again. 228 // 229 // This matches linux's behaviour at the time of writing: 230 // https://github.com/torvalds/linux/blob/71c061d2443814de15e177489d5cc00a4a253ef3/net/core/neighbour.c#L371 231 netProto := ep.NetworkProtocolNumber() 232 switch err := n.clearNeighbors(netProto); err.(type) { 233 case nil, *tcpip.ErrNotSupported: 234 default: 235 panic(fmt.Sprintf("n.clearNeighbors(%d): %s", netProto, err)) 236 } 237 } 238 239 if !n.setEnabled(false) { 240 panic("should have only done work to disable the NIC if it was enabled") 241 } 242 } 243 244 // enable enables n. 245 // 246 // If the stack has IPv6 enabled, enable will join the IPv6 All-Nodes Multicast 247 // address (ff02::1), start DAD for permanent addresses, and start soliciting 248 // routers if the stack is not operating as a router. If the stack is also 249 // configured to auto-generate a link-local address, one will be generated. 250 func (n *nic) enable() tcpip.Error { 251 n.mu.Lock() 252 defer n.mu.Unlock() 253 254 if !n.setEnabled(true) { 255 return nil 256 } 257 258 for _, ep := range n.networkEndpoints { 259 if err := ep.Enable(); err != nil { 260 return err 261 } 262 } 263 264 return nil 265 } 266 267 // remove detaches NIC from the link endpoint and releases network endpoint 268 // resources. This guarantees no packets between this NIC and the network 269 // stack. 270 func (n *nic) remove() tcpip.Error { 271 n.mu.Lock() 272 defer n.mu.Unlock() 273 274 n.disableLocked() 275 276 for _, ep := range n.networkEndpoints { 277 ep.Close() 278 } 279 280 // Detach from link endpoint, so no packet comes in. 281 n.LinkEndpoint.Attach(nil) 282 return nil 283 } 284 285 // setPromiscuousMode enables or disables promiscuous mode. 286 func (n *nic) setPromiscuousMode(enable bool) { 287 n.mu.Lock() 288 n.mu.promiscuous = enable 289 n.mu.Unlock() 290 } 291 292 // Promiscuous implements NetworkInterface. 293 func (n *nic) Promiscuous() bool { 294 n.mu.RLock() 295 rv := n.mu.promiscuous 296 n.mu.RUnlock() 297 return rv 298 } 299 300 // IsLoopback implements NetworkInterface. 301 func (n *nic) IsLoopback() bool { 302 return n.LinkEndpoint.Capabilities()&CapabilityLoopback != 0 303 } 304 305 // WritePacket implements NetworkLinkEndpoint. 306 func (n *nic) WritePacket(r *Route, protocol tcpip.NetworkProtocolNumber, pkt *PacketBuffer) tcpip.Error { 307 _, err := n.enqueuePacketBuffer(r, protocol, pkt) 308 return err 309 } 310 311 func (n *nic) writePacketBuffer(r RouteInfo, protocol tcpip.NetworkProtocolNumber, pkt pendingPacketBuffer) (int, tcpip.Error) { 312 switch pkt := pkt.(type) { 313 case *PacketBuffer: 314 if err := n.writePacket(r, protocol, pkt); err != nil { 315 return 0, err 316 } 317 return 1, nil 318 case *PacketBufferList: 319 return n.writePackets(r, protocol, *pkt) 320 default: 321 panic(fmt.Sprintf("unrecognized pending packet buffer type = %T", pkt)) 322 } 323 } 324 325 func (n *nic) enqueuePacketBuffer(r *Route, protocol tcpip.NetworkProtocolNumber, pkt pendingPacketBuffer) (int, tcpip.Error) { 326 routeInfo, _, err := r.resolvedFields(nil) 327 switch err.(type) { 328 case nil: 329 return n.writePacketBuffer(routeInfo, protocol, pkt) 330 case *tcpip.ErrWouldBlock: 331 // As per relevant RFCs, we should queue packets while we wait for link 332 // resolution to complete. 333 // 334 // RFC 1122 section 2.3.2.2 (for IPv4): 335 // The link layer SHOULD save (rather than discard) at least 336 // one (the latest) packet of each set of packets destined to 337 // the same unresolved IP address, and transmit the saved 338 // packet when the address has been resolved. 339 // 340 // RFC 4861 section 7.2.2 (for IPv6): 341 // While waiting for address resolution to complete, the sender MUST, for 342 // each neighbor, retain a small queue of packets waiting for address 343 // resolution to complete. The queue MUST hold at least one packet, and 344 // MAY contain more. However, the number of queued packets per neighbor 345 // SHOULD be limited to some small value. When a queue overflows, the new 346 // arrival SHOULD replace the oldest entry. Once address resolution 347 // completes, the node transmits any queued packets. 348 return n.linkResQueue.enqueue(r, protocol, pkt) 349 default: 350 return 0, err 351 } 352 } 353 354 // WritePacketToRemote implements NetworkInterface. 355 func (n *nic) WritePacketToRemote(remoteLinkAddr tcpip.LinkAddress, protocol tcpip.NetworkProtocolNumber, pkt *PacketBuffer) tcpip.Error { 356 var r RouteInfo 357 r.NetProto = protocol 358 r.RemoteLinkAddress = remoteLinkAddr 359 return n.writePacket(r, protocol, pkt) 360 } 361 362 func (n *nic) writePacket(r RouteInfo, protocol tcpip.NetworkProtocolNumber, pkt *PacketBuffer) tcpip.Error { 363 // WritePacket takes ownership of pkt, calculate numBytes first. 364 numBytes := pkt.Size() 365 366 pkt.EgressRoute = r 367 pkt.NetworkProtocolNumber = protocol 368 if err := n.LinkEndpoint.WritePacket(r, protocol, pkt); err != nil { 369 return err 370 } 371 372 n.stats.tx.packets.Increment() 373 n.stats.tx.bytes.IncrementBy(uint64(numBytes)) 374 return nil 375 } 376 377 // WritePackets implements NetworkLinkEndpoint. 378 func (n *nic) WritePackets(r *Route, pkts PacketBufferList, protocol tcpip.NetworkProtocolNumber) (int, tcpip.Error) { 379 return n.enqueuePacketBuffer(r, protocol, &pkts) 380 } 381 382 func (n *nic) writePackets(r RouteInfo, protocol tcpip.NetworkProtocolNumber, pkts PacketBufferList) (int, tcpip.Error) { 383 for pkt := pkts.Front(); pkt != nil; pkt = pkt.Next() { 384 pkt.EgressRoute = r 385 pkt.NetworkProtocolNumber = protocol 386 } 387 388 writtenPackets, err := n.LinkEndpoint.WritePackets(r, pkts, protocol) 389 n.stats.tx.packets.IncrementBy(uint64(writtenPackets)) 390 writtenBytes := 0 391 for i, pb := 0, pkts.Front(); i < writtenPackets && pb != nil; i, pb = i+1, pb.Next() { 392 writtenBytes += pb.Size() 393 } 394 395 n.stats.tx.bytes.IncrementBy(uint64(writtenBytes)) 396 return writtenPackets, err 397 } 398 399 // setSpoofing enables or disables address spoofing. 400 func (n *nic) setSpoofing(enable bool) { 401 n.mu.Lock() 402 n.mu.spoofing = enable 403 n.mu.Unlock() 404 } 405 406 // Spoofing implements NetworkInterface. 407 func (n *nic) Spoofing() bool { 408 n.mu.RLock() 409 defer n.mu.RUnlock() 410 return n.mu.spoofing 411 } 412 413 // primaryAddress returns an address that can be used to communicate with 414 // remoteAddr. 415 func (n *nic) primaryEndpoint(protocol tcpip.NetworkProtocolNumber, remoteAddr tcpip.Address) AssignableAddressEndpoint { 416 ep, ok := n.networkEndpoints[protocol] 417 if !ok { 418 return nil 419 } 420 421 addressableEndpoint, ok := ep.(AddressableEndpoint) 422 if !ok { 423 return nil 424 } 425 426 n.mu.RLock() 427 spoofing := n.mu.spoofing 428 n.mu.RUnlock() 429 430 return addressableEndpoint.AcquireOutgoingPrimaryAddress(remoteAddr, spoofing) 431 } 432 433 type getAddressBehaviour int 434 435 const ( 436 // spoofing indicates that the NIC's spoofing flag should be observed when 437 // getting a NIC's address endpoint. 438 spoofing getAddressBehaviour = iota 439 440 // promiscuous indicates that the NIC's promiscuous flag should be observed 441 // when getting a NIC's address endpoint. 442 promiscuous 443 ) 444 445 func (n *nic) getAddress(protocol tcpip.NetworkProtocolNumber, dst tcpip.Address) AssignableAddressEndpoint { 446 return n.getAddressOrCreateTemp(protocol, dst, CanBePrimaryEndpoint, promiscuous) 447 } 448 449 func (n *nic) hasAddress(protocol tcpip.NetworkProtocolNumber, addr tcpip.Address) bool { 450 ep := n.getAddressOrCreateTempInner(protocol, addr, false, NeverPrimaryEndpoint) 451 if ep != nil { 452 ep.DecRef() 453 return true 454 } 455 456 return false 457 } 458 459 // findEndpoint finds the endpoint, if any, with the given address. 460 func (n *nic) findEndpoint(protocol tcpip.NetworkProtocolNumber, address tcpip.Address, peb PrimaryEndpointBehavior) AssignableAddressEndpoint { 461 return n.getAddressOrCreateTemp(protocol, address, peb, spoofing) 462 } 463 464 // getAddressEpOrCreateTemp returns the address endpoint for the given protocol 465 // and address. 466 // 467 // If none exists a temporary one may be created if we are in promiscuous mode 468 // or spoofing. Promiscuous mode will only be checked if promiscuous is true. 469 // Similarly, spoofing will only be checked if spoofing is true. 470 // 471 // If the address is the IPv4 broadcast address for an endpoint's network, that 472 // endpoint will be returned. 473 func (n *nic) getAddressOrCreateTemp(protocol tcpip.NetworkProtocolNumber, address tcpip.Address, peb PrimaryEndpointBehavior, tempRef getAddressBehaviour) AssignableAddressEndpoint { 474 n.mu.RLock() 475 var spoofingOrPromiscuous bool 476 switch tempRef { 477 case spoofing: 478 spoofingOrPromiscuous = n.mu.spoofing 479 case promiscuous: 480 spoofingOrPromiscuous = n.mu.promiscuous 481 } 482 n.mu.RUnlock() 483 return n.getAddressOrCreateTempInner(protocol, address, spoofingOrPromiscuous, peb) 484 } 485 486 // getAddressOrCreateTempInner is like getAddressEpOrCreateTemp except a boolean 487 // is passed to indicate whether or not we should generate temporary endpoints. 488 func (n *nic) getAddressOrCreateTempInner(protocol tcpip.NetworkProtocolNumber, address tcpip.Address, createTemp bool, peb PrimaryEndpointBehavior) AssignableAddressEndpoint { 489 ep, ok := n.networkEndpoints[protocol] 490 if !ok { 491 return nil 492 } 493 494 addressableEndpoint, ok := ep.(AddressableEndpoint) 495 if !ok { 496 return nil 497 } 498 499 return addressableEndpoint.AcquireAssignedAddress(address, createTemp, peb) 500 } 501 502 // addAddress adds a new address to n, so that it starts accepting packets 503 // targeted at the given address (and network protocol). 504 func (n *nic) addAddress(protocolAddress tcpip.ProtocolAddress, peb PrimaryEndpointBehavior) tcpip.Error { 505 ep, ok := n.networkEndpoints[protocolAddress.Protocol] 506 if !ok { 507 return &tcpip.ErrUnknownProtocol{} 508 } 509 510 addressableEndpoint, ok := ep.(AddressableEndpoint) 511 if !ok { 512 return &tcpip.ErrNotSupported{} 513 } 514 515 addressEndpoint, err := addressableEndpoint.AddAndAcquirePermanentAddress(protocolAddress.AddressWithPrefix, peb, AddressConfigStatic, false /* deprecated */) 516 if err == nil { 517 // We have no need for the address endpoint. 518 addressEndpoint.DecRef() 519 } 520 return err 521 } 522 523 // allPermanentAddresses returns all permanent addresses associated with 524 // this NIC. 525 func (n *nic) allPermanentAddresses() []tcpip.ProtocolAddress { 526 var addrs []tcpip.ProtocolAddress 527 for p, ep := range n.networkEndpoints { 528 addressableEndpoint, ok := ep.(AddressableEndpoint) 529 if !ok { 530 continue 531 } 532 533 for _, a := range addressableEndpoint.PermanentAddresses() { 534 addrs = append(addrs, tcpip.ProtocolAddress{Protocol: p, AddressWithPrefix: a}) 535 } 536 } 537 return addrs 538 } 539 540 // primaryAddresses returns the primary addresses associated with this NIC. 541 func (n *nic) primaryAddresses() []tcpip.ProtocolAddress { 542 var addrs []tcpip.ProtocolAddress 543 for p, ep := range n.networkEndpoints { 544 addressableEndpoint, ok := ep.(AddressableEndpoint) 545 if !ok { 546 continue 547 } 548 549 for _, a := range addressableEndpoint.PrimaryAddresses() { 550 addrs = append(addrs, tcpip.ProtocolAddress{Protocol: p, AddressWithPrefix: a}) 551 } 552 } 553 return addrs 554 } 555 556 // PrimaryAddress implements NetworkInterface. 557 func (n *nic) PrimaryAddress(proto tcpip.NetworkProtocolNumber) (tcpip.AddressWithPrefix, tcpip.Error) { 558 ep, ok := n.networkEndpoints[proto] 559 if !ok { 560 return tcpip.AddressWithPrefix{}, &tcpip.ErrUnknownProtocol{} 561 } 562 563 addressableEndpoint, ok := ep.(AddressableEndpoint) 564 if !ok { 565 return tcpip.AddressWithPrefix{}, &tcpip.ErrNotSupported{} 566 } 567 568 return addressableEndpoint.MainAddress(), nil 569 } 570 571 // removeAddress removes an address from n. 572 func (n *nic) removeAddress(addr tcpip.Address) tcpip.Error { 573 for _, ep := range n.networkEndpoints { 574 addressableEndpoint, ok := ep.(AddressableEndpoint) 575 if !ok { 576 continue 577 } 578 579 switch err := addressableEndpoint.RemovePermanentAddress(addr); err.(type) { 580 case *tcpip.ErrBadLocalAddress: 581 continue 582 default: 583 return err 584 } 585 } 586 587 return &tcpip.ErrBadLocalAddress{} 588 } 589 590 func (n *nic) getLinkAddress(addr, localAddr tcpip.Address, protocol tcpip.NetworkProtocolNumber, onResolve func(LinkResolutionResult)) tcpip.Error { 591 linkRes, ok := n.linkAddrResolvers[protocol] 592 if !ok { 593 return &tcpip.ErrNotSupported{} 594 } 595 596 if linkAddr, ok := linkRes.resolver.ResolveStaticAddress(addr); ok { 597 onResolve(LinkResolutionResult{LinkAddress: linkAddr, Err: nil}) 598 return nil 599 } 600 601 _, _, err := linkRes.getNeighborLinkAddress(addr, localAddr, onResolve) 602 return err 603 } 604 605 func (n *nic) neighbors(protocol tcpip.NetworkProtocolNumber) ([]NeighborEntry, tcpip.Error) { 606 if linkRes, ok := n.linkAddrResolvers[protocol]; ok { 607 return linkRes.neigh.entries(), nil 608 } 609 610 return nil, &tcpip.ErrNotSupported{} 611 } 612 613 func (n *nic) addStaticNeighbor(addr tcpip.Address, protocol tcpip.NetworkProtocolNumber, linkAddress tcpip.LinkAddress) tcpip.Error { 614 if linkRes, ok := n.linkAddrResolvers[protocol]; ok { 615 linkRes.neigh.addStaticEntry(addr, linkAddress) 616 return nil 617 } 618 619 return &tcpip.ErrNotSupported{} 620 } 621 622 func (n *nic) removeNeighbor(protocol tcpip.NetworkProtocolNumber, addr tcpip.Address) tcpip.Error { 623 if linkRes, ok := n.linkAddrResolvers[protocol]; ok { 624 if !linkRes.neigh.removeEntry(addr) { 625 return &tcpip.ErrBadAddress{} 626 } 627 return nil 628 } 629 630 return &tcpip.ErrNotSupported{} 631 } 632 633 func (n *nic) clearNeighbors(protocol tcpip.NetworkProtocolNumber) tcpip.Error { 634 if linkRes, ok := n.linkAddrResolvers[protocol]; ok { 635 linkRes.neigh.clear() 636 return nil 637 } 638 639 return &tcpip.ErrNotSupported{} 640 } 641 642 // joinGroup adds a new endpoint for the given multicast address, if none 643 // exists yet. Otherwise it just increments its count. 644 func (n *nic) joinGroup(protocol tcpip.NetworkProtocolNumber, addr tcpip.Address) tcpip.Error { 645 // TODO(b/143102137): When implementing MLD, make sure MLD packets are 646 // not sent unless a valid link-local address is available for use on n 647 // as an MLD packet's source address must be a link-local address as 648 // outlined in RFC 3810 section 5. 649 650 ep, ok := n.networkEndpoints[protocol] 651 if !ok { 652 return &tcpip.ErrNotSupported{} 653 } 654 655 gep, ok := ep.(GroupAddressableEndpoint) 656 if !ok { 657 return &tcpip.ErrNotSupported{} 658 } 659 660 return gep.JoinGroup(addr) 661 } 662 663 // leaveGroup decrements the count for the given multicast address, and when it 664 // reaches zero removes the endpoint for this address. 665 func (n *nic) leaveGroup(protocol tcpip.NetworkProtocolNumber, addr tcpip.Address) tcpip.Error { 666 ep, ok := n.networkEndpoints[protocol] 667 if !ok { 668 return &tcpip.ErrNotSupported{} 669 } 670 671 gep, ok := ep.(GroupAddressableEndpoint) 672 if !ok { 673 return &tcpip.ErrNotSupported{} 674 } 675 676 return gep.LeaveGroup(addr) 677 } 678 679 // isInGroup returns true if n has joined the multicast group addr. 680 func (n *nic) isInGroup(addr tcpip.Address) bool { 681 for _, ep := range n.networkEndpoints { 682 gep, ok := ep.(GroupAddressableEndpoint) 683 if !ok { 684 continue 685 } 686 687 if gep.IsInGroup(addr) { 688 return true 689 } 690 } 691 692 return false 693 } 694 695 // DeliverNetworkPacket finds the appropriate network protocol endpoint and 696 // hands the packet over for further processing. This function is called when 697 // the NIC receives a packet from the link endpoint. 698 // Note that the ownership of the slice backing vv is retained by the caller. 699 // This rule applies only to the slice itself, not to the items of the slice; 700 // the ownership of the items is not retained by the caller. 701 func (n *nic) DeliverNetworkPacket(remote, local tcpip.LinkAddress, protocol tcpip.NetworkProtocolNumber, pkt *PacketBuffer) { 702 n.mu.RLock() 703 enabled := n.Enabled() 704 // If the NIC is not yet enabled, don't receive any packets. 705 if !enabled { 706 n.mu.RUnlock() 707 708 n.stats.disabledRx.packets.Increment() 709 n.stats.disabledRx.bytes.IncrementBy(uint64(pkt.Data().Size())) 710 return 711 } 712 713 n.stats.rx.packets.Increment() 714 n.stats.rx.bytes.IncrementBy(uint64(pkt.Data().Size())) 715 716 networkEndpoint, ok := n.networkEndpoints[protocol] 717 if !ok { 718 n.mu.RUnlock() 719 n.stats.unknownL3ProtocolRcvdPackets.Increment() 720 return 721 } 722 723 // If no local link layer address is provided, assume it was sent 724 // directly to this NIC. 725 if local == "" { 726 local = n.LinkEndpoint.LinkAddress() 727 } 728 pkt.RXTransportChecksumValidated = n.LinkEndpoint.Capabilities()&CapabilityRXChecksumOffload != 0 729 730 // Are any packet type sockets listening for this network protocol? 731 protoEPs := n.mu.packetEPs[protocol] 732 // Other packet type sockets that are listening for all protocols. 733 anyEPs := n.mu.packetEPs[header.EthernetProtocolAll] 734 n.mu.RUnlock() 735 736 // Deliver to interested packet endpoints without holding NIC lock. 737 deliverPacketEPs := func(ep PacketEndpoint) { 738 p := pkt.Clone() 739 p.PktType = tcpip.PacketHost 740 ep.HandlePacket(n.id, local, protocol, p) 741 } 742 if protoEPs != nil { 743 protoEPs.forEach(deliverPacketEPs) 744 } 745 if anyEPs != nil { 746 anyEPs.forEach(deliverPacketEPs) 747 } 748 749 networkEndpoint.HandlePacket(pkt) 750 } 751 752 // DeliverOutboundPacket implements NetworkDispatcher.DeliverOutboundPacket. 753 func (n *nic) DeliverOutboundPacket(remote, local tcpip.LinkAddress, protocol tcpip.NetworkProtocolNumber, pkt *PacketBuffer) { 754 n.mu.RLock() 755 // We do not deliver to protocol specific packet endpoints as on Linux 756 // only ETH_P_ALL endpoints get outbound packets. 757 // Add any other packet sockets that maybe listening for all protocols. 758 eps := n.mu.packetEPs[header.EthernetProtocolAll] 759 n.mu.RUnlock() 760 761 eps.forEach(func(ep PacketEndpoint) { 762 p := pkt.Clone() 763 p.PktType = tcpip.PacketOutgoing 764 // Add the link layer header as outgoing packets are intercepted 765 // before the link layer header is created. 766 n.LinkEndpoint.AddHeader(local, remote, protocol, p) 767 ep.HandlePacket(n.id, local, protocol, p) 768 }) 769 } 770 771 // DeliverTransportPacket delivers the packets to the appropriate transport 772 // protocol endpoint. 773 func (n *nic) DeliverTransportPacket(protocol tcpip.TransportProtocolNumber, pkt *PacketBuffer) TransportPacketDisposition { 774 state, ok := n.stack.transportProtocols[protocol] 775 if !ok { 776 n.stats.unknownL4ProtocolRcvdPackets.Increment() 777 return TransportPacketProtocolUnreachable 778 } 779 780 transProto := state.proto 781 782 // TransportHeader is empty only when pkt is an ICMP packet or was reassembled 783 // from fragments. 784 if pkt.TransportHeader().View().IsEmpty() { 785 // ICMP packets don't have their TransportHeader fields set yet, parse it 786 // here. See icmp/protocol.go:protocol.Parse for a full explanation. 787 if protocol == header.ICMPv4ProtocolNumber || protocol == header.ICMPv6ProtocolNumber { 788 // ICMP packets may be longer, but until icmp.Parse is implemented, here 789 // we parse it using the minimum size. 790 if _, ok := pkt.TransportHeader().Consume(transProto.MinimumPacketSize()); !ok { 791 n.stats.malformedL4RcvdPackets.Increment() 792 // We consider a malformed transport packet handled because there is 793 // nothing the caller can do. 794 return TransportPacketHandled 795 } 796 } else if !transProto.Parse(pkt) { 797 n.stats.malformedL4RcvdPackets.Increment() 798 return TransportPacketHandled 799 } 800 } 801 802 srcPort, dstPort, err := transProto.ParsePorts(pkt.TransportHeader().View()) 803 if err != nil { 804 n.stats.malformedL4RcvdPackets.Increment() 805 return TransportPacketHandled 806 } 807 808 netProto, ok := n.stack.networkProtocols[pkt.NetworkProtocolNumber] 809 if !ok { 810 panic(fmt.Sprintf("expected network protocol = %d, have = %#v", pkt.NetworkProtocolNumber, n.stack.networkProtocolNumbers())) 811 } 812 813 src, dst := netProto.ParseAddresses(pkt.NetworkHeader().View()) 814 id := TransportEndpointID{ 815 LocalPort: dstPort, 816 LocalAddress: dst, 817 RemotePort: srcPort, 818 RemoteAddress: src, 819 } 820 if n.stack.demux.deliverPacket(protocol, pkt, id) { 821 return TransportPacketHandled 822 } 823 824 // Try to deliver to per-stack default handler. 825 if state.defaultHandler != nil { 826 if state.defaultHandler(id, pkt) { 827 return TransportPacketHandled 828 } 829 } 830 831 // We could not find an appropriate destination for this packet so 832 // give the protocol specific error handler a chance to handle it. 833 // If it doesn't handle it then we should do so. 834 switch res := transProto.HandleUnknownDestinationPacket(id, pkt); res { 835 case UnknownDestinationPacketMalformed: 836 n.stats.malformedL4RcvdPackets.Increment() 837 return TransportPacketHandled 838 case UnknownDestinationPacketUnhandled: 839 return TransportPacketDestinationPortUnreachable 840 case UnknownDestinationPacketHandled: 841 return TransportPacketHandled 842 default: 843 panic(fmt.Sprintf("unrecognized result from HandleUnknownDestinationPacket = %d", res)) 844 } 845 } 846 847 // DeliverTransportError implements TransportDispatcher. 848 func (n *nic) DeliverTransportError(local, remote tcpip.Address, net tcpip.NetworkProtocolNumber, trans tcpip.TransportProtocolNumber, transErr TransportError, pkt *PacketBuffer) { 849 state, ok := n.stack.transportProtocols[trans] 850 if !ok { 851 return 852 } 853 854 transProto := state.proto 855 856 // ICMPv4 only guarantees that 8 bytes of the transport protocol will 857 // be present in the payload. We know that the ports are within the 858 // first 8 bytes for all known transport protocols. 859 transHeader, ok := pkt.Data().PullUp(8) 860 if !ok { 861 return 862 } 863 864 srcPort, dstPort, err := transProto.ParsePorts(transHeader) 865 if err != nil { 866 return 867 } 868 869 id := TransportEndpointID{srcPort, local, dstPort, remote} 870 if n.stack.demux.deliverError(n, net, trans, transErr, pkt, id) { 871 return 872 } 873 } 874 875 // DeliverRawPacket implements TransportDispatcher. 876 func (n *nic) DeliverRawPacket(protocol tcpip.TransportProtocolNumber, pkt *PacketBuffer) { 877 // For ICMPv4 only we validate the header length for compatibility with 878 // raw(7) ICMP_FILTER. The same check is made in Linux here: 879 // https://github.com/torvalds/linux/blob/70585216/net/ipv4/raw.c#L189. 880 if protocol == header.ICMPv4ProtocolNumber && pkt.TransportHeader().View().Size()+pkt.Data().Size() < header.ICMPv4MinimumSize { 881 return 882 } 883 n.stack.demux.deliverRawPacket(protocol, pkt) 884 } 885 886 // ID implements NetworkInterface. 887 func (n *nic) ID() tcpip.NICID { 888 return n.id 889 } 890 891 // Name implements NetworkInterface. 892 func (n *nic) Name() string { 893 return n.name 894 } 895 896 // nudConfigs gets the NUD configurations for n. 897 func (n *nic) nudConfigs(protocol tcpip.NetworkProtocolNumber) (NUDConfigurations, tcpip.Error) { 898 if linkRes, ok := n.linkAddrResolvers[protocol]; ok { 899 return linkRes.neigh.config(), nil 900 } 901 902 return NUDConfigurations{}, &tcpip.ErrNotSupported{} 903 } 904 905 // setNUDConfigs sets the NUD configurations for n. 906 // 907 // Note, if c contains invalid NUD configuration values, it will be fixed to 908 // use default values for the erroneous values. 909 func (n *nic) setNUDConfigs(protocol tcpip.NetworkProtocolNumber, c NUDConfigurations) tcpip.Error { 910 if linkRes, ok := n.linkAddrResolvers[protocol]; ok { 911 c.resetInvalidFields() 912 linkRes.neigh.setConfig(c) 913 return nil 914 } 915 916 return &tcpip.ErrNotSupported{} 917 } 918 919 func (n *nic) registerPacketEndpoint(netProto tcpip.NetworkProtocolNumber, ep PacketEndpoint) tcpip.Error { 920 n.mu.Lock() 921 defer n.mu.Unlock() 922 923 eps, ok := n.mu.packetEPs[netProto] 924 if !ok { 925 return &tcpip.ErrNotSupported{} 926 } 927 eps.add(ep) 928 929 return nil 930 } 931 932 func (n *nic) unregisterPacketEndpoint(netProto tcpip.NetworkProtocolNumber, ep PacketEndpoint) { 933 n.mu.Lock() 934 defer n.mu.Unlock() 935 936 eps, ok := n.mu.packetEPs[netProto] 937 if !ok { 938 return 939 } 940 eps.remove(ep) 941 } 942 943 // isValidForOutgoing returns true if the endpoint can be used to send out a 944 // packet. It requires the endpoint to not be marked expired (i.e., its address 945 // has been removed) unless the NIC is in spoofing mode, or temporary. 946 func (n *nic) isValidForOutgoing(ep AssignableAddressEndpoint) bool { 947 n.mu.RLock() 948 spoofing := n.mu.spoofing 949 n.mu.RUnlock() 950 return n.Enabled() && ep.IsAssigned(spoofing) 951 } 952 953 // HandleNeighborProbe implements NetworkInterface. 954 func (n *nic) HandleNeighborProbe(protocol tcpip.NetworkProtocolNumber, addr tcpip.Address, linkAddr tcpip.LinkAddress) tcpip.Error { 955 if l, ok := n.linkAddrResolvers[protocol]; ok { 956 l.neigh.handleProbe(addr, linkAddr) 957 return nil 958 } 959 960 return &tcpip.ErrNotSupported{} 961 } 962 963 // HandleNeighborConfirmation implements NetworkInterface. 964 func (n *nic) HandleNeighborConfirmation(protocol tcpip.NetworkProtocolNumber, addr tcpip.Address, linkAddr tcpip.LinkAddress, flags ReachabilityConfirmationFlags) tcpip.Error { 965 if l, ok := n.linkAddrResolvers[protocol]; ok { 966 l.neigh.handleConfirmation(addr, linkAddr, flags) 967 return nil 968 } 969 970 return &tcpip.ErrNotSupported{} 971 } 972 973 // CheckLocalAddress implements NetworkInterface. 974 func (n *nic) CheckLocalAddress(protocol tcpip.NetworkProtocolNumber, addr tcpip.Address) bool { 975 if n.Spoofing() { 976 return true 977 } 978 979 if addressEndpoint := n.getAddressOrCreateTempInner(protocol, addr, false /* createTemp */, NeverPrimaryEndpoint); addressEndpoint != nil { 980 addressEndpoint.DecRef() 981 return true 982 } 983 984 return false 985 } 986 987 func (n *nic) checkDuplicateAddress(protocol tcpip.NetworkProtocolNumber, addr tcpip.Address, h DADCompletionHandler) (DADCheckAddressDisposition, tcpip.Error) { 988 d, ok := n.duplicateAddressDetectors[protocol] 989 if !ok { 990 return 0, &tcpip.ErrNotSupported{} 991 } 992 993 return d.CheckDuplicateAddress(addr, h), nil 994 } 995 996 func (n *nic) setForwarding(protocol tcpip.NetworkProtocolNumber, enable bool) tcpip.Error { 997 ep := n.getNetworkEndpoint(protocol) 998 if ep == nil { 999 return &tcpip.ErrUnknownProtocol{} 1000 } 1001 1002 forwardingEP, ok := ep.(ForwardingNetworkEndpoint) 1003 if !ok { 1004 return &tcpip.ErrNotSupported{} 1005 } 1006 1007 forwardingEP.SetForwarding(enable) 1008 return nil 1009 } 1010 1011 func (n *nic) forwarding(protocol tcpip.NetworkProtocolNumber) (bool, tcpip.Error) { 1012 ep := n.getNetworkEndpoint(protocol) 1013 if ep == nil { 1014 return false, &tcpip.ErrUnknownProtocol{} 1015 } 1016 1017 forwardingEP, ok := ep.(ForwardingNetworkEndpoint) 1018 if !ok { 1019 return false, &tcpip.ErrNotSupported{} 1020 } 1021 1022 return forwardingEP.Forwarding(), nil 1023 }