gvisor.dev/gvisor@v0.0.0-20240520182842-f9d4d51c7e0f/pkg/tcpip/stack/nic.go (about) 1 // Copyright 2018 The gVisor Authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package stack 16 17 import ( 18 "fmt" 19 "reflect" 20 21 "gvisor.dev/gvisor/pkg/atomicbitops" 22 "gvisor.dev/gvisor/pkg/tcpip" 23 "gvisor.dev/gvisor/pkg/tcpip/header" 24 ) 25 26 type linkResolver struct { 27 resolver LinkAddressResolver 28 29 neigh neighborCache 30 } 31 32 var _ NetworkInterface = (*nic)(nil) 33 var _ NetworkDispatcher = (*nic)(nil) 34 35 // nic represents a "network interface card" to which the networking stack is 36 // attached. 37 type nic struct { 38 NetworkLinkEndpoint 39 40 stack *Stack 41 id tcpip.NICID 42 name string 43 context NICContext 44 45 stats sharedStats 46 47 // enableDisableMu is used to synchronize attempts to enable/disable the NIC. 48 // Without this mutex, calls to enable/disable the NIC may interleave and 49 // leave the NIC in an inconsistent state. 50 enableDisableMu nicRWMutex 51 52 // The network endpoints themselves may be modified by calling the interface's 53 // methods, but the map reference and entries must be constant. 54 networkEndpoints map[tcpip.NetworkProtocolNumber]NetworkEndpoint 55 linkAddrResolvers map[tcpip.NetworkProtocolNumber]*linkResolver 56 duplicateAddressDetectors map[tcpip.NetworkProtocolNumber]DuplicateAddressDetector 57 58 // enabled indicates whether the NIC is enabled. 59 enabled atomicbitops.Bool 60 61 // spoofing indicates whether the NIC is spoofing. 62 spoofing atomicbitops.Bool 63 64 // promiscuous indicates whether the NIC is promiscuous. 65 promiscuous atomicbitops.Bool 66 67 // linkResQueue holds packets that are waiting for link resolution to 68 // complete. 69 linkResQueue packetsPendingLinkResolution 70 71 // packetEPsMu protects annotated fields below. 72 packetEPsMu packetEPsRWMutex 73 74 // eps is protected by the mutex, but the values contained in it are not. 75 // 76 // +checklocks:packetEPsMu 77 packetEPs map[tcpip.NetworkProtocolNumber]*packetEndpointList 78 79 qDisc QueueingDiscipline 80 81 // deliverLinkPackets specifies whether this NIC delivers packets to 82 // packet sockets. It is immutable. 83 // 84 // deliverLinkPackets is off by default because some users already 85 // deliver link packets by explicitly calling nic.DeliverLinkPackets. 86 deliverLinkPackets bool 87 } 88 89 // makeNICStats initializes the NIC statistics and associates them to the global 90 // NIC statistics. 91 func makeNICStats(global tcpip.NICStats) sharedStats { 92 var stats sharedStats 93 tcpip.InitStatCounters(reflect.ValueOf(&stats.local).Elem()) 94 stats.init(&stats.local, &global) 95 return stats 96 } 97 98 type packetEndpointList struct { 99 mu packetEndpointListRWMutex 100 101 // eps is protected by mu, but the contained PacketEndpoint values are not. 102 // 103 // +checklocks:mu 104 eps []PacketEndpoint 105 } 106 107 func (p *packetEndpointList) add(ep PacketEndpoint) { 108 p.mu.Lock() 109 defer p.mu.Unlock() 110 p.eps = append(p.eps, ep) 111 } 112 113 func (p *packetEndpointList) remove(ep PacketEndpoint) { 114 p.mu.Lock() 115 defer p.mu.Unlock() 116 for i, epOther := range p.eps { 117 if epOther == ep { 118 p.eps = append(p.eps[:i], p.eps[i+1:]...) 119 break 120 } 121 } 122 } 123 124 func (p *packetEndpointList) len() int { 125 p.mu.RLock() 126 defer p.mu.RUnlock() 127 return len(p.eps) 128 } 129 130 // forEach calls fn with each endpoints in p while holding the read lock on p. 131 func (p *packetEndpointList) forEach(fn func(PacketEndpoint)) { 132 p.mu.RLock() 133 defer p.mu.RUnlock() 134 for _, ep := range p.eps { 135 fn(ep) 136 } 137 } 138 139 var _ QueueingDiscipline = (*delegatingQueueingDiscipline)(nil) 140 141 type delegatingQueueingDiscipline struct { 142 LinkWriter 143 } 144 145 func (*delegatingQueueingDiscipline) Close() {} 146 147 // WritePacket passes the packet through to the underlying LinkWriter's WritePackets. 148 func (qDisc *delegatingQueueingDiscipline) WritePacket(pkt *PacketBuffer) tcpip.Error { 149 var pkts PacketBufferList 150 pkts.PushBack(pkt) 151 _, err := qDisc.LinkWriter.WritePackets(pkts) 152 return err 153 } 154 155 // newNIC returns a new NIC using the default NDP configurations from stack. 156 func newNIC(stack *Stack, id tcpip.NICID, ep LinkEndpoint, opts NICOptions) *nic { 157 // TODO(b/141011931): Validate a LinkEndpoint (ep) is valid. For 158 // example, make sure that the link address it provides is a valid 159 // unicast ethernet address. 160 161 // If no queueing discipline was specified provide a stub implementation that 162 // just delegates to the lower link endpoint. 163 qDisc := opts.QDisc 164 if qDisc == nil { 165 qDisc = &delegatingQueueingDiscipline{LinkWriter: ep} 166 } 167 168 // TODO(b/143357959): RFC 8200 section 5 requires that IPv6 endpoints 169 // observe an MTU of at least 1280 bytes. Ensure that this requirement 170 // of IPv6 is supported on this endpoint's LinkEndpoint. 171 nic := &nic{ 172 NetworkLinkEndpoint: ep, 173 stack: stack, 174 id: id, 175 name: opts.Name, 176 context: opts.Context, 177 stats: makeNICStats(stack.Stats().NICs), 178 networkEndpoints: make(map[tcpip.NetworkProtocolNumber]NetworkEndpoint), 179 linkAddrResolvers: make(map[tcpip.NetworkProtocolNumber]*linkResolver), 180 duplicateAddressDetectors: make(map[tcpip.NetworkProtocolNumber]DuplicateAddressDetector), 181 qDisc: qDisc, 182 deliverLinkPackets: opts.DeliverLinkPackets, 183 } 184 nic.linkResQueue.init(nic) 185 186 nic.packetEPsMu.Lock() 187 defer nic.packetEPsMu.Unlock() 188 189 nic.packetEPs = make(map[tcpip.NetworkProtocolNumber]*packetEndpointList) 190 191 resolutionRequired := ep.Capabilities()&CapabilityResolutionRequired != 0 192 193 for _, netProto := range stack.networkProtocols { 194 netNum := netProto.Number() 195 netEP := netProto.NewEndpoint(nic, nic) 196 nic.networkEndpoints[netNum] = netEP 197 198 if resolutionRequired { 199 if r, ok := netEP.(LinkAddressResolver); ok { 200 l := &linkResolver{resolver: r} 201 l.neigh.init(nic, r) 202 nic.linkAddrResolvers[r.LinkAddressProtocol()] = l 203 } 204 } 205 206 if d, ok := netEP.(DuplicateAddressDetector); ok { 207 nic.duplicateAddressDetectors[d.DuplicateAddressProtocol()] = d 208 } 209 } 210 211 nic.NetworkLinkEndpoint.Attach(nic) 212 213 return nic 214 } 215 216 func (n *nic) getNetworkEndpoint(proto tcpip.NetworkProtocolNumber) NetworkEndpoint { 217 return n.networkEndpoints[proto] 218 } 219 220 // Enabled implements NetworkInterface. 221 func (n *nic) Enabled() bool { 222 return n.enabled.Load() 223 } 224 225 // setEnabled sets the enabled status for the NIC. 226 // 227 // Returns true if the enabled status was updated. 228 // 229 // +checklocks:n.enableDisableMu 230 func (n *nic) setEnabled(v bool) bool { 231 return n.enabled.Swap(v) != v 232 } 233 234 // disable disables n. 235 // 236 // It undoes the work done by enable. 237 func (n *nic) disable() { 238 n.enableDisableMu.Lock() 239 defer n.enableDisableMu.Unlock() 240 n.disableLocked() 241 } 242 243 // disableLocked disables n. 244 // 245 // It undoes the work done by enable. 246 // 247 // +checklocks:n.enableDisableMu 248 func (n *nic) disableLocked() { 249 if !n.Enabled() { 250 return 251 } 252 253 // TODO(gvisor.dev/issue/1491): Should Routes that are currently bound to n be 254 // invalidated? Currently, Routes will continue to work when a NIC is enabled 255 // again, and applications may not know that the underlying NIC was ever 256 // disabled. 257 258 for _, ep := range n.networkEndpoints { 259 ep.Disable() 260 261 // Clear the neighbour table (including static entries) as we cannot 262 // guarantee that the current neighbour table will be valid when the NIC is 263 // enabled again. 264 // 265 // This matches linux's behaviour at the time of writing: 266 // https://github.com/torvalds/linux/blob/71c061d2443814de15e177489d5cc00a4a253ef3/net/core/neighbour.c#L371 267 netProto := ep.NetworkProtocolNumber() 268 switch err := n.clearNeighbors(netProto); err.(type) { 269 case nil, *tcpip.ErrNotSupported: 270 default: 271 panic(fmt.Sprintf("n.clearNeighbors(%d): %s", netProto, err)) 272 } 273 } 274 275 if !n.setEnabled(false) { 276 panic("should have only done work to disable the NIC if it was enabled") 277 } 278 } 279 280 // enable enables n. 281 // 282 // If the stack has IPv6 enabled, enable will join the IPv6 All-Nodes Multicast 283 // address (ff02::1), start DAD for permanent addresses, and start soliciting 284 // routers if the stack is not operating as a router. If the stack is also 285 // configured to auto-generate a link-local address, one will be generated. 286 func (n *nic) enable() tcpip.Error { 287 n.enableDisableMu.Lock() 288 defer n.enableDisableMu.Unlock() 289 290 if !n.setEnabled(true) { 291 return nil 292 } 293 294 for _, ep := range n.networkEndpoints { 295 if err := ep.Enable(); err != nil { 296 return err 297 } 298 } 299 300 return nil 301 } 302 303 // remove detaches NIC from the link endpoint and releases network endpoint 304 // resources. This guarantees no packets between this NIC and the network 305 // stack. 306 func (n *nic) remove() tcpip.Error { 307 n.enableDisableMu.Lock() 308 309 n.disableLocked() 310 311 for _, ep := range n.networkEndpoints { 312 ep.Close() 313 } 314 315 n.enableDisableMu.Unlock() 316 317 // Drain and drop any packets pending link resolution. 318 // We must not hold n.enableDisableMu here. 319 n.linkResQueue.cancel() 320 321 // Prevent packets from going down to the link before shutting the link down. 322 n.qDisc.Close() 323 n.NetworkLinkEndpoint.Attach(nil) 324 325 return nil 326 } 327 328 // setPromiscuousMode enables or disables promiscuous mode. 329 func (n *nic) setPromiscuousMode(enable bool) { 330 n.promiscuous.Store(enable) 331 } 332 333 // Promiscuous implements NetworkInterface. 334 func (n *nic) Promiscuous() bool { 335 return n.promiscuous.Load() 336 } 337 338 // IsLoopback implements NetworkInterface. 339 func (n *nic) IsLoopback() bool { 340 return n.NetworkLinkEndpoint.Capabilities()&CapabilityLoopback != 0 341 } 342 343 // WritePacket implements NetworkEndpoint. 344 func (n *nic) WritePacket(r *Route, pkt *PacketBuffer) tcpip.Error { 345 routeInfo, _, err := r.resolvedFields(nil) 346 switch err.(type) { 347 case nil: 348 pkt.EgressRoute = routeInfo 349 return n.writePacket(pkt) 350 case *tcpip.ErrWouldBlock: 351 // As per relevant RFCs, we should queue packets while we wait for link 352 // resolution to complete. 353 // 354 // RFC 1122 section 2.3.2.2 (for IPv4): 355 // The link layer SHOULD save (rather than discard) at least 356 // one (the latest) packet of each set of packets destined to 357 // the same unresolved IP address, and transmit the saved 358 // packet when the address has been resolved. 359 // 360 // RFC 4861 section 7.2.2 (for IPv6): 361 // While waiting for address resolution to complete, the sender MUST, for 362 // each neighbor, retain a small queue of packets waiting for address 363 // resolution to complete. The queue MUST hold at least one packet, and 364 // MAY contain more. However, the number of queued packets per neighbor 365 // SHOULD be limited to some small value. When a queue overflows, the new 366 // arrival SHOULD replace the oldest entry. Once address resolution 367 // completes, the node transmits any queued packets. 368 return n.linkResQueue.enqueue(r, pkt) 369 default: 370 return err 371 } 372 } 373 374 // WritePacketToRemote implements NetworkInterface. 375 func (n *nic) WritePacketToRemote(remoteLinkAddr tcpip.LinkAddress, pkt *PacketBuffer) tcpip.Error { 376 pkt.EgressRoute = RouteInfo{ 377 routeInfo: routeInfo{ 378 NetProto: pkt.NetworkProtocolNumber, 379 LocalLinkAddress: n.LinkAddress(), 380 }, 381 RemoteLinkAddress: remoteLinkAddr, 382 } 383 return n.writePacket(pkt) 384 } 385 386 func (n *nic) writePacket(pkt *PacketBuffer) tcpip.Error { 387 n.NetworkLinkEndpoint.AddHeader(pkt) 388 return n.writeRawPacket(pkt) 389 } 390 391 func (n *nic) writeRawPacketWithLinkHeaderInPayload(pkt *PacketBuffer) tcpip.Error { 392 if !n.NetworkLinkEndpoint.ParseHeader(pkt) { 393 return &tcpip.ErrMalformedHeader{} 394 } 395 return n.writeRawPacket(pkt) 396 } 397 398 func (n *nic) writeRawPacket(pkt *PacketBuffer) tcpip.Error { 399 // Always an outgoing packet. 400 pkt.PktType = tcpip.PacketOutgoing 401 402 if n.deliverLinkPackets { 403 n.DeliverLinkPacket(pkt.NetworkProtocolNumber, pkt) 404 } 405 406 if err := n.qDisc.WritePacket(pkt); err != nil { 407 if _, ok := err.(*tcpip.ErrNoBufferSpace); ok { 408 n.stats.txPacketsDroppedNoBufferSpace.Increment() 409 } 410 return err 411 } 412 413 n.stats.tx.packets.Increment() 414 n.stats.tx.bytes.IncrementBy(uint64(pkt.Size())) 415 return nil 416 } 417 418 // setSpoofing enables or disables address spoofing. 419 func (n *nic) setSpoofing(enable bool) { 420 n.spoofing.Store(enable) 421 } 422 423 // Spoofing implements NetworkInterface. 424 func (n *nic) Spoofing() bool { 425 return n.spoofing.Load() 426 } 427 428 // primaryAddress returns an address that can be used to communicate with 429 // remoteAddr. 430 func (n *nic) primaryEndpoint(protocol tcpip.NetworkProtocolNumber, remoteAddr, srcHint tcpip.Address) AssignableAddressEndpoint { 431 ep := n.getNetworkEndpoint(protocol) 432 if ep == nil { 433 return nil 434 } 435 436 addressableEndpoint, ok := ep.(AddressableEndpoint) 437 if !ok { 438 return nil 439 } 440 441 return addressableEndpoint.AcquireOutgoingPrimaryAddress(remoteAddr, srcHint, n.Spoofing()) 442 } 443 444 type getAddressBehaviour int 445 446 const ( 447 // spoofing indicates that the NIC's spoofing flag should be observed when 448 // getting a NIC's address endpoint. 449 spoofing getAddressBehaviour = iota 450 451 // promiscuous indicates that the NIC's promiscuous flag should be observed 452 // when getting a NIC's address endpoint. 453 promiscuous 454 ) 455 456 func (n *nic) getAddress(protocol tcpip.NetworkProtocolNumber, dst tcpip.Address) AssignableAddressEndpoint { 457 return n.getAddressOrCreateTemp(protocol, dst, CanBePrimaryEndpoint, promiscuous) 458 } 459 460 func (n *nic) hasAddress(protocol tcpip.NetworkProtocolNumber, addr tcpip.Address) bool { 461 ep := n.getAddressOrCreateTempInner(protocol, addr, false, NeverPrimaryEndpoint) 462 if ep != nil { 463 ep.DecRef() 464 return true 465 } 466 467 return false 468 } 469 470 // findEndpoint finds the endpoint, if any, with the given address. 471 func (n *nic) findEndpoint(protocol tcpip.NetworkProtocolNumber, address tcpip.Address, peb PrimaryEndpointBehavior) AssignableAddressEndpoint { 472 return n.getAddressOrCreateTemp(protocol, address, peb, spoofing) 473 } 474 475 // getAddressEpOrCreateTemp returns the address endpoint for the given protocol 476 // and address. 477 // 478 // If none exists a temporary one may be created if we are in promiscuous mode 479 // or spoofing. Promiscuous mode will only be checked if promiscuous is true. 480 // Similarly, spoofing will only be checked if spoofing is true. 481 // 482 // If the address is the IPv4 broadcast address for an endpoint's network, that 483 // endpoint will be returned. 484 func (n *nic) getAddressOrCreateTemp(protocol tcpip.NetworkProtocolNumber, address tcpip.Address, peb PrimaryEndpointBehavior, tempRef getAddressBehaviour) AssignableAddressEndpoint { 485 var spoofingOrPromiscuous bool 486 switch tempRef { 487 case spoofing: 488 spoofingOrPromiscuous = n.Spoofing() 489 case promiscuous: 490 spoofingOrPromiscuous = n.Promiscuous() 491 } 492 return n.getAddressOrCreateTempInner(protocol, address, spoofingOrPromiscuous, peb) 493 } 494 495 // getAddressOrCreateTempInner is like getAddressEpOrCreateTemp except a boolean 496 // is passed to indicate whether or not we should generate temporary endpoints. 497 func (n *nic) getAddressOrCreateTempInner(protocol tcpip.NetworkProtocolNumber, address tcpip.Address, createTemp bool, peb PrimaryEndpointBehavior) AssignableAddressEndpoint { 498 ep := n.getNetworkEndpoint(protocol) 499 if ep == nil { 500 return nil 501 } 502 503 addressableEndpoint, ok := ep.(AddressableEndpoint) 504 if !ok { 505 return nil 506 } 507 508 return addressableEndpoint.AcquireAssignedAddress(address, createTemp, peb, false) 509 } 510 511 // addAddress adds a new address to n, so that it starts accepting packets 512 // targeted at the given address (and network protocol). 513 func (n *nic) addAddress(protocolAddress tcpip.ProtocolAddress, properties AddressProperties) tcpip.Error { 514 ep := n.getNetworkEndpoint(protocolAddress.Protocol) 515 if ep == nil { 516 return &tcpip.ErrUnknownProtocol{} 517 } 518 519 addressableEndpoint, ok := ep.(AddressableEndpoint) 520 if !ok { 521 return &tcpip.ErrNotSupported{} 522 } 523 524 addressEndpoint, err := addressableEndpoint.AddAndAcquirePermanentAddress(protocolAddress.AddressWithPrefix, properties) 525 if err == nil { 526 // We have no need for the address endpoint. 527 addressEndpoint.DecRef() 528 } 529 return err 530 } 531 532 // allPermanentAddresses returns all permanent addresses associated with 533 // this NIC. 534 func (n *nic) allPermanentAddresses() []tcpip.ProtocolAddress { 535 var addrs []tcpip.ProtocolAddress 536 for p, ep := range n.networkEndpoints { 537 addressableEndpoint, ok := ep.(AddressableEndpoint) 538 if !ok { 539 continue 540 } 541 542 for _, a := range addressableEndpoint.PermanentAddresses() { 543 addrs = append(addrs, tcpip.ProtocolAddress{Protocol: p, AddressWithPrefix: a}) 544 } 545 } 546 return addrs 547 } 548 549 // primaryAddresses returns the primary addresses associated with this NIC. 550 func (n *nic) primaryAddresses() []tcpip.ProtocolAddress { 551 var addrs []tcpip.ProtocolAddress 552 for p, ep := range n.networkEndpoints { 553 addressableEndpoint, ok := ep.(AddressableEndpoint) 554 if !ok { 555 continue 556 } 557 558 for _, a := range addressableEndpoint.PrimaryAddresses() { 559 addrs = append(addrs, tcpip.ProtocolAddress{Protocol: p, AddressWithPrefix: a}) 560 } 561 } 562 return addrs 563 } 564 565 // PrimaryAddress implements NetworkInterface. 566 func (n *nic) PrimaryAddress(proto tcpip.NetworkProtocolNumber) (tcpip.AddressWithPrefix, tcpip.Error) { 567 ep := n.getNetworkEndpoint(proto) 568 if ep == nil { 569 return tcpip.AddressWithPrefix{}, &tcpip.ErrUnknownProtocol{} 570 } 571 572 addressableEndpoint, ok := ep.(AddressableEndpoint) 573 if !ok { 574 return tcpip.AddressWithPrefix{}, &tcpip.ErrNotSupported{} 575 } 576 577 return addressableEndpoint.MainAddress(), nil 578 } 579 580 // removeAddress removes an address from n. 581 func (n *nic) removeAddress(addr tcpip.Address) tcpip.Error { 582 for _, ep := range n.networkEndpoints { 583 addressableEndpoint, ok := ep.(AddressableEndpoint) 584 if !ok { 585 continue 586 } 587 588 switch err := addressableEndpoint.RemovePermanentAddress(addr); err.(type) { 589 case *tcpip.ErrBadLocalAddress: 590 continue 591 default: 592 return err 593 } 594 } 595 596 return &tcpip.ErrBadLocalAddress{} 597 } 598 599 func (n *nic) setAddressLifetimes(addr tcpip.Address, lifetimes AddressLifetimes) tcpip.Error { 600 for _, ep := range n.networkEndpoints { 601 ep, ok := ep.(AddressableEndpoint) 602 if !ok { 603 continue 604 } 605 606 switch err := ep.SetLifetimes(addr, lifetimes); err.(type) { 607 case *tcpip.ErrBadLocalAddress: 608 continue 609 default: 610 return err 611 } 612 } 613 614 return &tcpip.ErrBadLocalAddress{} 615 } 616 617 func (n *nic) getLinkAddress(addr, localAddr tcpip.Address, protocol tcpip.NetworkProtocolNumber, onResolve func(LinkResolutionResult)) tcpip.Error { 618 linkRes, ok := n.linkAddrResolvers[protocol] 619 if !ok { 620 return &tcpip.ErrNotSupported{} 621 } 622 623 if linkAddr, ok := linkRes.resolver.ResolveStaticAddress(addr); ok { 624 onResolve(LinkResolutionResult{LinkAddress: linkAddr, Err: nil}) 625 return nil 626 } 627 628 _, _, err := linkRes.neigh.entry(addr, localAddr, onResolve) 629 return err 630 } 631 632 func (n *nic) neighbors(protocol tcpip.NetworkProtocolNumber) ([]NeighborEntry, tcpip.Error) { 633 if linkRes, ok := n.linkAddrResolvers[protocol]; ok { 634 return linkRes.neigh.entries(), nil 635 } 636 637 return nil, &tcpip.ErrNotSupported{} 638 } 639 640 func (n *nic) addStaticNeighbor(addr tcpip.Address, protocol tcpip.NetworkProtocolNumber, linkAddress tcpip.LinkAddress) tcpip.Error { 641 if linkRes, ok := n.linkAddrResolvers[protocol]; ok { 642 linkRes.neigh.addStaticEntry(addr, linkAddress) 643 return nil 644 } 645 646 return &tcpip.ErrNotSupported{} 647 } 648 649 func (n *nic) removeNeighbor(protocol tcpip.NetworkProtocolNumber, addr tcpip.Address) tcpip.Error { 650 if linkRes, ok := n.linkAddrResolvers[protocol]; ok { 651 if !linkRes.neigh.removeEntry(addr) { 652 return &tcpip.ErrBadAddress{} 653 } 654 return nil 655 } 656 657 return &tcpip.ErrNotSupported{} 658 } 659 660 func (n *nic) clearNeighbors(protocol tcpip.NetworkProtocolNumber) tcpip.Error { 661 if linkRes, ok := n.linkAddrResolvers[protocol]; ok { 662 linkRes.neigh.clear() 663 return nil 664 } 665 666 return &tcpip.ErrNotSupported{} 667 } 668 669 // joinGroup adds a new endpoint for the given multicast address, if none 670 // exists yet. Otherwise it just increments its count. 671 func (n *nic) joinGroup(protocol tcpip.NetworkProtocolNumber, addr tcpip.Address) tcpip.Error { 672 // TODO(b/143102137): When implementing MLD, make sure MLD packets are 673 // not sent unless a valid link-local address is available for use on n 674 // as an MLD packet's source address must be a link-local address as 675 // outlined in RFC 3810 section 5. 676 677 ep := n.getNetworkEndpoint(protocol) 678 if ep == nil { 679 return &tcpip.ErrNotSupported{} 680 } 681 682 gep, ok := ep.(GroupAddressableEndpoint) 683 if !ok { 684 return &tcpip.ErrNotSupported{} 685 } 686 687 return gep.JoinGroup(addr) 688 } 689 690 // leaveGroup decrements the count for the given multicast address, and when it 691 // reaches zero removes the endpoint for this address. 692 func (n *nic) leaveGroup(protocol tcpip.NetworkProtocolNumber, addr tcpip.Address) tcpip.Error { 693 ep := n.getNetworkEndpoint(protocol) 694 if ep == nil { 695 return &tcpip.ErrNotSupported{} 696 } 697 698 gep, ok := ep.(GroupAddressableEndpoint) 699 if !ok { 700 return &tcpip.ErrNotSupported{} 701 } 702 703 return gep.LeaveGroup(addr) 704 } 705 706 // isInGroup returns true if n has joined the multicast group addr. 707 func (n *nic) isInGroup(addr tcpip.Address) bool { 708 for _, ep := range n.networkEndpoints { 709 gep, ok := ep.(GroupAddressableEndpoint) 710 if !ok { 711 continue 712 } 713 714 if gep.IsInGroup(addr) { 715 return true 716 } 717 } 718 719 return false 720 } 721 722 // DeliverNetworkPacket finds the appropriate network protocol endpoint and 723 // hands the packet over for further processing. This function is called when 724 // the NIC receives a packet from the link endpoint. 725 func (n *nic) DeliverNetworkPacket(protocol tcpip.NetworkProtocolNumber, pkt *PacketBuffer) { 726 enabled := n.Enabled() 727 // If the NIC is not yet enabled, don't receive any packets. 728 if !enabled { 729 n.stats.disabledRx.packets.Increment() 730 n.stats.disabledRx.bytes.IncrementBy(uint64(pkt.Data().Size())) 731 return 732 } 733 734 n.stats.rx.packets.Increment() 735 n.stats.rx.bytes.IncrementBy(uint64(pkt.Data().Size())) 736 737 networkEndpoint := n.getNetworkEndpoint(protocol) 738 if networkEndpoint == nil { 739 n.stats.unknownL3ProtocolRcvdPacketCounts.Increment(uint64(protocol)) 740 return 741 } 742 743 pkt.RXChecksumValidated = n.NetworkLinkEndpoint.Capabilities()&CapabilityRXChecksumOffload != 0 744 745 if n.deliverLinkPackets { 746 n.DeliverLinkPacket(protocol, pkt) 747 } 748 749 networkEndpoint.HandlePacket(pkt) 750 } 751 752 func (n *nic) DeliverLinkPacket(protocol tcpip.NetworkProtocolNumber, pkt *PacketBuffer) { 753 // Deliver to interested packet endpoints without holding NIC lock. 754 var packetEPPkt *PacketBuffer 755 defer func() { 756 if packetEPPkt != nil { 757 packetEPPkt.DecRef() 758 } 759 }() 760 deliverPacketEPs := func(ep PacketEndpoint) { 761 if packetEPPkt == nil { 762 // Packet endpoints hold the full packet. 763 // 764 // We perform a deep copy because higher-level endpoints may point to 765 // the middle of a view that is held by a packet endpoint. Save/Restore 766 // does not support overlapping slices and will panic in this case. 767 // 768 // TODO(https://gvisor.dev/issue/6517): Avoid this copy once S/R supports 769 // overlapping slices (e.g. by passing a shallow copy of pkt to the packet 770 // endpoint). 771 packetEPPkt = NewPacketBuffer(PacketBufferOptions{ 772 Payload: BufferSince(pkt.LinkHeader()), 773 }) 774 // If a link header was populated in the original packet buffer, then 775 // populate it in the packet buffer we provide to packet endpoints as 776 // packet endpoints inspect link headers. 777 packetEPPkt.LinkHeader().Consume(len(pkt.LinkHeader().Slice())) 778 packetEPPkt.PktType = pkt.PktType 779 // Assume the packet is for us if the packet type is unset. 780 // The packet type is set to PacketOutgoing when sending packets so 781 // this may only be unset for incoming packets where link endpoints 782 // have not set it. 783 if packetEPPkt.PktType == 0 { 784 packetEPPkt.PktType = tcpip.PacketHost 785 } 786 } 787 788 clone := packetEPPkt.Clone() 789 defer clone.DecRef() 790 ep.HandlePacket(n.id, protocol, clone) 791 } 792 793 n.packetEPsMu.Lock() 794 // Are any packet type sockets listening for this network protocol? 795 protoEPs, protoEPsOK := n.packetEPs[protocol] 796 // Other packet type sockets that are listening for all protocols. 797 anyEPs, anyEPsOK := n.packetEPs[header.EthernetProtocolAll] 798 n.packetEPsMu.Unlock() 799 800 // On Linux, only ETH_P_ALL endpoints get outbound packets. 801 if pkt.PktType != tcpip.PacketOutgoing && protoEPsOK { 802 protoEPs.forEach(deliverPacketEPs) 803 } 804 if anyEPsOK { 805 anyEPs.forEach(deliverPacketEPs) 806 } 807 } 808 809 // DeliverTransportPacket delivers the packets to the appropriate transport 810 // protocol endpoint. 811 func (n *nic) DeliverTransportPacket(protocol tcpip.TransportProtocolNumber, pkt *PacketBuffer) TransportPacketDisposition { 812 state, ok := n.stack.transportProtocols[protocol] 813 if !ok { 814 n.stats.unknownL4ProtocolRcvdPacketCounts.Increment(uint64(protocol)) 815 return TransportPacketProtocolUnreachable 816 } 817 818 transProto := state.proto 819 820 if len(pkt.TransportHeader().Slice()) == 0 { 821 n.stats.malformedL4RcvdPackets.Increment() 822 return TransportPacketHandled 823 } 824 825 srcPort, dstPort, err := transProto.ParsePorts(pkt.TransportHeader().Slice()) 826 if err != nil { 827 n.stats.malformedL4RcvdPackets.Increment() 828 return TransportPacketHandled 829 } 830 831 netProto, ok := n.stack.networkProtocols[pkt.NetworkProtocolNumber] 832 if !ok { 833 panic(fmt.Sprintf("expected network protocol = %d, have = %#v", pkt.NetworkProtocolNumber, n.stack.networkProtocolNumbers())) 834 } 835 836 src, dst := netProto.ParseAddresses(pkt.NetworkHeader().Slice()) 837 id := TransportEndpointID{ 838 LocalPort: dstPort, 839 LocalAddress: dst, 840 RemotePort: srcPort, 841 RemoteAddress: src, 842 } 843 if n.stack.demux.deliverPacket(protocol, pkt, id) { 844 return TransportPacketHandled 845 } 846 847 // Try to deliver to per-stack default handler. 848 if state.defaultHandler != nil { 849 if state.defaultHandler(id, pkt) { 850 return TransportPacketHandled 851 } 852 } 853 854 // We could not find an appropriate destination for this packet so 855 // give the protocol specific error handler a chance to handle it. 856 // If it doesn't handle it then we should do so. 857 switch res := transProto.HandleUnknownDestinationPacket(id, pkt); res { 858 case UnknownDestinationPacketMalformed: 859 n.stats.malformedL4RcvdPackets.Increment() 860 return TransportPacketHandled 861 case UnknownDestinationPacketUnhandled: 862 return TransportPacketDestinationPortUnreachable 863 case UnknownDestinationPacketHandled: 864 return TransportPacketHandled 865 default: 866 panic(fmt.Sprintf("unrecognized result from HandleUnknownDestinationPacket = %d", res)) 867 } 868 } 869 870 // DeliverTransportError implements TransportDispatcher. 871 func (n *nic) DeliverTransportError(local, remote tcpip.Address, net tcpip.NetworkProtocolNumber, trans tcpip.TransportProtocolNumber, transErr TransportError, pkt *PacketBuffer) { 872 state, ok := n.stack.transportProtocols[trans] 873 if !ok { 874 return 875 } 876 877 transProto := state.proto 878 879 // ICMPv4 only guarantees that 8 bytes of the transport protocol will 880 // be present in the payload. We know that the ports are within the 881 // first 8 bytes for all known transport protocols. 882 transHeader, ok := pkt.Data().PullUp(8) 883 if !ok { 884 return 885 } 886 887 srcPort, dstPort, err := transProto.ParsePorts(transHeader) 888 if err != nil { 889 return 890 } 891 892 id := TransportEndpointID{srcPort, local, dstPort, remote} 893 if n.stack.demux.deliverError(n, net, trans, transErr, pkt, id) { 894 return 895 } 896 } 897 898 // DeliverRawPacket implements TransportDispatcher. 899 func (n *nic) DeliverRawPacket(protocol tcpip.TransportProtocolNumber, pkt *PacketBuffer) { 900 // For ICMPv4 only we validate the header length for compatibility with 901 // raw(7) ICMP_FILTER. The same check is made in Linux here: 902 // https://github.com/torvalds/linux/blob/70585216/net/ipv4/raw.c#L189. 903 if protocol == header.ICMPv4ProtocolNumber && len(pkt.TransportHeader().Slice())+pkt.Data().Size() < header.ICMPv4MinimumSize { 904 return 905 } 906 n.stack.demux.deliverRawPacket(protocol, pkt) 907 } 908 909 // ID implements NetworkInterface. 910 func (n *nic) ID() tcpip.NICID { 911 return n.id 912 } 913 914 // Name implements NetworkInterface. 915 func (n *nic) Name() string { 916 return n.name 917 } 918 919 // nudConfigs gets the NUD configurations for n. 920 func (n *nic) nudConfigs(protocol tcpip.NetworkProtocolNumber) (NUDConfigurations, tcpip.Error) { 921 if linkRes, ok := n.linkAddrResolvers[protocol]; ok { 922 return linkRes.neigh.config(), nil 923 } 924 925 return NUDConfigurations{}, &tcpip.ErrNotSupported{} 926 } 927 928 // setNUDConfigs sets the NUD configurations for n. 929 // 930 // Note, if c contains invalid NUD configuration values, it will be fixed to 931 // use default values for the erroneous values. 932 func (n *nic) setNUDConfigs(protocol tcpip.NetworkProtocolNumber, c NUDConfigurations) tcpip.Error { 933 if linkRes, ok := n.linkAddrResolvers[protocol]; ok { 934 c.resetInvalidFields() 935 linkRes.neigh.setConfig(c) 936 return nil 937 } 938 939 return &tcpip.ErrNotSupported{} 940 } 941 942 func (n *nic) registerPacketEndpoint(netProto tcpip.NetworkProtocolNumber, ep PacketEndpoint) { 943 n.packetEPsMu.Lock() 944 defer n.packetEPsMu.Unlock() 945 946 eps, ok := n.packetEPs[netProto] 947 if !ok { 948 eps = new(packetEndpointList) 949 n.packetEPs[netProto] = eps 950 } 951 eps.add(ep) 952 } 953 954 func (n *nic) unregisterPacketEndpoint(netProto tcpip.NetworkProtocolNumber, ep PacketEndpoint) { 955 n.packetEPsMu.Lock() 956 defer n.packetEPsMu.Unlock() 957 958 eps, ok := n.packetEPs[netProto] 959 if !ok { 960 return 961 } 962 eps.remove(ep) 963 if eps.len() == 0 { 964 delete(n.packetEPs, netProto) 965 } 966 } 967 968 // isValidForOutgoing returns true if the endpoint can be used to send out a 969 // packet. It requires the endpoint to not be marked expired (i.e., its address 970 // has been removed) unless the NIC is in spoofing mode, or temporary. 971 func (n *nic) isValidForOutgoing(ep AssignableAddressEndpoint) bool { 972 return n.Enabled() && ep.IsAssigned(n.Spoofing()) 973 } 974 975 // HandleNeighborProbe implements NetworkInterface. 976 func (n *nic) HandleNeighborProbe(protocol tcpip.NetworkProtocolNumber, addr tcpip.Address, linkAddr tcpip.LinkAddress) tcpip.Error { 977 if l, ok := n.linkAddrResolvers[protocol]; ok { 978 l.neigh.handleProbe(addr, linkAddr) 979 return nil 980 } 981 982 return &tcpip.ErrNotSupported{} 983 } 984 985 // HandleNeighborConfirmation implements NetworkInterface. 986 func (n *nic) HandleNeighborConfirmation(protocol tcpip.NetworkProtocolNumber, addr tcpip.Address, linkAddr tcpip.LinkAddress, flags ReachabilityConfirmationFlags) tcpip.Error { 987 if l, ok := n.linkAddrResolvers[protocol]; ok { 988 l.neigh.handleConfirmation(addr, linkAddr, flags) 989 return nil 990 } 991 992 return &tcpip.ErrNotSupported{} 993 } 994 995 // CheckLocalAddress implements NetworkInterface. 996 func (n *nic) CheckLocalAddress(protocol tcpip.NetworkProtocolNumber, addr tcpip.Address) bool { 997 if n.Spoofing() { 998 return true 999 } 1000 1001 if addressEndpoint := n.getAddressOrCreateTempInner(protocol, addr, false /* createTemp */, NeverPrimaryEndpoint); addressEndpoint != nil { 1002 addressEndpoint.DecRef() 1003 return true 1004 } 1005 1006 return false 1007 } 1008 1009 func (n *nic) checkDuplicateAddress(protocol tcpip.NetworkProtocolNumber, addr tcpip.Address, h DADCompletionHandler) (DADCheckAddressDisposition, tcpip.Error) { 1010 d, ok := n.duplicateAddressDetectors[protocol] 1011 if !ok { 1012 return 0, &tcpip.ErrNotSupported{} 1013 } 1014 1015 return d.CheckDuplicateAddress(addr, h), nil 1016 } 1017 1018 func (n *nic) setForwarding(protocol tcpip.NetworkProtocolNumber, enable bool) (bool, tcpip.Error) { 1019 ep := n.getNetworkEndpoint(protocol) 1020 if ep == nil { 1021 return false, &tcpip.ErrUnknownProtocol{} 1022 } 1023 1024 forwardingEP, ok := ep.(ForwardingNetworkEndpoint) 1025 if !ok { 1026 return false, &tcpip.ErrNotSupported{} 1027 } 1028 1029 return forwardingEP.SetForwarding(enable), nil 1030 } 1031 1032 func (n *nic) forwarding(protocol tcpip.NetworkProtocolNumber) (bool, tcpip.Error) { 1033 ep := n.getNetworkEndpoint(protocol) 1034 if ep == nil { 1035 return false, &tcpip.ErrUnknownProtocol{} 1036 } 1037 1038 forwardingEP, ok := ep.(ForwardingNetworkEndpoint) 1039 if !ok { 1040 return false, &tcpip.ErrNotSupported{} 1041 } 1042 1043 return forwardingEP.Forwarding(), nil 1044 } 1045 1046 func (n *nic) multicastForwardingEndpoint(protocol tcpip.NetworkProtocolNumber) (MulticastForwardingNetworkEndpoint, tcpip.Error) { 1047 ep := n.getNetworkEndpoint(protocol) 1048 if ep == nil { 1049 return nil, &tcpip.ErrUnknownProtocol{} 1050 } 1051 1052 forwardingEP, ok := ep.(MulticastForwardingNetworkEndpoint) 1053 if !ok { 1054 return nil, &tcpip.ErrNotSupported{} 1055 } 1056 1057 return forwardingEP, nil 1058 } 1059 1060 func (n *nic) setMulticastForwarding(protocol tcpip.NetworkProtocolNumber, enable bool) (bool, tcpip.Error) { 1061 ep, err := n.multicastForwardingEndpoint(protocol) 1062 if err != nil { 1063 return false, err 1064 } 1065 1066 return ep.SetMulticastForwarding(enable), nil 1067 } 1068 1069 func (n *nic) multicastForwarding(protocol tcpip.NetworkProtocolNumber) (bool, tcpip.Error) { 1070 ep, err := n.multicastForwardingEndpoint(protocol) 1071 if err != nil { 1072 return false, err 1073 } 1074 1075 return ep.MulticastForwarding(), nil 1076 }