if_ether.c revision 189592
1/*- 2 * Copyright (c) 1982, 1986, 1988, 1993 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 4. Neither the name of the University nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 * @(#)if_ether.c 8.1 (Berkeley) 6/10/93 30 */ 31 32/* 33 * Ethernet address resolution protocol. 34 * TODO: 35 * add "inuse/lock" bit (or ref. count) along with valid bit 36 */ 37 38#include <sys/cdefs.h> 39__FBSDID("$FreeBSD: head/sys/netinet/if_ether.c 189592 2009-03-09 17:53:05Z bms $"); 40 41#include "opt_inet.h" 42#include "opt_route.h" 43#include "opt_mac.h" 44#include "opt_carp.h" 45 46#include <sys/param.h> 47#include <sys/kernel.h> 48#include <sys/queue.h> 49#include <sys/sysctl.h> 50#include <sys/systm.h> 51#include <sys/mbuf.h> 52#include <sys/malloc.h> 53#include <sys/proc.h> 54#include <sys/socket.h> 55#include <sys/syslog.h> 56#include <sys/vimage.h> 57 58#include <net/if.h> 59#include <net/if_dl.h> 60#include <net/if_types.h> 61#include <net/route.h> 62#include <net/netisr.h> 63#include <net/if_llc.h> 64#include <net/ethernet.h> 65#include <net/vnet.h> 66 67#include <netinet/in.h> 68#include <netinet/in_var.h> 69#include <net/if_llatbl.h> 70#include <netinet/if_ether.h> 71#include <netinet/vinet.h> 72 73#include <net/if_arc.h> 74#include <net/iso88025.h> 75 76#ifdef DEV_CARP 77#include <netinet/ip_carp.h> 78#endif 79 80#include <security/mac/mac_framework.h> 81 82#define SIN(s) ((struct sockaddr_in *)s) 83#define SDL(s) ((struct sockaddr_dl *)s) 84#define LLTABLE(ifp) \ 85 ((struct in_ifinfo *)(ifp)->if_afdata[AF_INET])->ii_llt 86 87SYSCTL_DECL(_net_link_ether); 88SYSCTL_NODE(_net_link_ether, PF_INET, inet, CTLFLAG_RW, 0, ""); 89 90/* timer values */ 91#ifdef VIMAGE_GLOBALS 92static int arpt_keep; /* once resolved, good for 20 more minutes */ 93static int arp_maxtries; 94int useloopback; /* use loopback interface for local traffic */ 95static int arp_proxyall; 96#endif 97 98SYSCTL_V_INT(V_NET, vnet_inet, _net_link_ether_inet, OID_AUTO, max_age, 99 CTLFLAG_RW, arpt_keep, 0, "ARP entry lifetime in seconds"); 100 101static struct ifqueue arpintrq; 102 103SYSCTL_V_INT(V_NET, vnet_inet, _net_link_ether_inet, OID_AUTO, maxtries, 104 CTLFLAG_RW, arp_maxtries, 0, 105 "ARP resolution attempts before returning error"); 106SYSCTL_V_INT(V_NET, vnet_inet, _net_link_ether_inet, OID_AUTO, useloopback, 107 CTLFLAG_RW, useloopback, 0, 108 "Use the loopback interface for local traffic"); 109SYSCTL_V_INT(V_NET, vnet_inet, _net_link_ether_inet, OID_AUTO, proxyall, 110 CTLFLAG_RW, arp_proxyall, 0, 111 "Enable proxy ARP for all suitable requests"); 112 113static void arp_init(void); 114void arprequest(struct ifnet *, 115 struct in_addr *, struct in_addr *, u_char *); 116static void arpintr(struct mbuf *); 117static void arptimer(void *); 118#ifdef INET 119static void in_arpinput(struct mbuf *); 120#endif 121 122#ifdef AF_INET 123void arp_ifscrub(struct ifnet *ifp, uint32_t addr); 124 125/* 126 * called by in_ifscrub to remove entry from the table when 127 * the interface goes away 128 */ 129void 130arp_ifscrub(struct ifnet *ifp, uint32_t addr) 131{ 132 struct sockaddr_in addr4; 133 134 bzero((void *)&addr4, sizeof(addr4)); 135 addr4.sin_len = sizeof(addr4); 136 addr4.sin_family = AF_INET; 137 addr4.sin_addr.s_addr = addr; 138 IF_AFDATA_LOCK(ifp); 139 lla_lookup(LLTABLE(ifp), (LLE_DELETE | LLE_IFADDR), 140 (struct sockaddr *)&addr4); 141 IF_AFDATA_UNLOCK(ifp); 142} 143#endif 144 145/* 146 * Timeout routine. Age arp_tab entries periodically. 147 */ 148static void 149arptimer(void *arg) 150{ 151 struct ifnet *ifp; 152 struct llentry *lle = (struct llentry *)arg; 153 154 if (lle == NULL) { 155 panic("%s: NULL entry!\n", __func__); 156 return; 157 } 158 ifp = lle->lle_tbl->llt_ifp; 159 IF_AFDATA_LOCK(ifp); 160 LLE_WLOCK(lle); 161 if (((lle->la_flags & LLE_DELETED) 162 || (time_second >= lle->la_expire)) 163 && (!callout_pending(&lle->la_timer) && 164 callout_active(&lle->la_timer))) 165 (void) llentry_free(lle); 166 else { 167 /* 168 * Still valid, just drop our reference 169 */ 170 LLE_FREE_LOCKED(lle); 171 } 172 IF_AFDATA_UNLOCK(ifp); 173} 174 175/* 176 * Broadcast an ARP request. Caller specifies: 177 * - arp header source ip address 178 * - arp header target ip address 179 * - arp header source ethernet address 180 */ 181void 182arprequest(struct ifnet *ifp, struct in_addr *sip, struct in_addr *tip, 183 u_char *enaddr) 184{ 185 struct mbuf *m; 186 struct arphdr *ah; 187 struct sockaddr sa; 188 189 if (sip == NULL) { 190 /* XXX don't believe this can happen (or explain why) */ 191 /* 192 * The caller did not supply a source address, try to find 193 * a compatible one among those assigned to this interface. 194 */ 195 struct ifaddr *ifa; 196 197 TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) { 198 if (!ifa->ifa_addr || 199 ifa->ifa_addr->sa_family != AF_INET) 200 continue; 201 sip = &SIN(ifa->ifa_addr)->sin_addr; 202 if (0 == ((sip->s_addr ^ tip->s_addr) & 203 SIN(ifa->ifa_netmask)->sin_addr.s_addr) ) 204 break; /* found it. */ 205 } 206 if (sip == NULL) { 207 printf("%s: cannot find matching address\n", __func__); 208 return; 209 } 210 } 211 212 if ((m = m_gethdr(M_DONTWAIT, MT_DATA)) == NULL) 213 return; 214 m->m_len = sizeof(*ah) + 2*sizeof(struct in_addr) + 215 2*ifp->if_data.ifi_addrlen; 216 m->m_pkthdr.len = m->m_len; 217 MH_ALIGN(m, m->m_len); 218 ah = mtod(m, struct arphdr *); 219 bzero((caddr_t)ah, m->m_len); 220#ifdef MAC 221 mac_netinet_arp_send(ifp, m); 222#endif 223 ah->ar_pro = htons(ETHERTYPE_IP); 224 ah->ar_hln = ifp->if_addrlen; /* hardware address length */ 225 ah->ar_pln = sizeof(struct in_addr); /* protocol address length */ 226 ah->ar_op = htons(ARPOP_REQUEST); 227 bcopy((caddr_t)enaddr, (caddr_t)ar_sha(ah), ah->ar_hln); 228 bcopy((caddr_t)sip, (caddr_t)ar_spa(ah), ah->ar_pln); 229 bcopy((caddr_t)tip, (caddr_t)ar_tpa(ah), ah->ar_pln); 230 sa.sa_family = AF_ARP; 231 sa.sa_len = 2; 232 m->m_flags |= M_BCAST; 233 (*ifp->if_output)(ifp, m, &sa, (struct rtentry *)0); 234} 235 236/* 237 * Resolve an IP address into an ethernet address. 238 * On input: 239 * ifp is the interface we use 240 * rt0 is the route to the final destination (possibly useless) 241 * m is the mbuf. May be NULL if we don't have a packet. 242 * dst is the next hop, 243 * desten is where we want the address. 244 * 245 * On success, desten is filled in and the function returns 0; 246 * If the packet must be held pending resolution, we return EWOULDBLOCK 247 * On other errors, we return the corresponding error code. 248 * Note that m_freem() handles NULL. 249 */ 250int 251arpresolve(struct ifnet *ifp, struct rtentry *rt0, struct mbuf *m, 252 struct sockaddr *dst, u_char *desten, struct llentry **lle) 253{ 254 INIT_VNET_INET(ifp->if_vnet); 255 struct llentry *la = 0; 256 u_int flags = 0; 257 int error, renew; 258 259 *lle = NULL; 260 if (m != NULL) { 261 if (m->m_flags & M_BCAST) { 262 /* broadcast */ 263 (void)memcpy(desten, 264 ifp->if_broadcastaddr, ifp->if_addrlen); 265 return (0); 266 } 267 if (m->m_flags & M_MCAST && ifp->if_type != IFT_ARCNET) { 268 /* multicast */ 269 ETHER_MAP_IP_MULTICAST(&SIN(dst)->sin_addr, desten); 270 return (0); 271 } 272 } 273 /* XXXXX 274 */ 275retry: 276 IF_AFDATA_RLOCK(ifp); 277 la = lla_lookup(LLTABLE(ifp), flags, dst); 278 IF_AFDATA_RUNLOCK(ifp); 279 if ((la == NULL) && ((flags & LLE_EXCLUSIVE) == 0) 280 && ((ifp->if_flags & (IFF_NOARP | IFF_STATICARP)) == 0)) { 281 flags |= (LLE_CREATE | LLE_EXCLUSIVE); 282 IF_AFDATA_WLOCK(ifp); 283 la = lla_lookup(LLTABLE(ifp), flags, dst); 284 IF_AFDATA_WUNLOCK(ifp); 285 } 286 if (la == NULL) { 287 if (flags & LLE_CREATE) 288 log(LOG_DEBUG, 289 "arpresolve: can't allocate llinfo for %s\n", 290 inet_ntoa(SIN(dst)->sin_addr)); 291 m_freem(m); 292 return (EINVAL); 293 } 294 295 if ((la->la_flags & LLE_VALID) && 296 ((la->la_flags & LLE_STATIC) || la->la_expire > time_uptime)) { 297 bcopy(&la->ll_addr, desten, ifp->if_addrlen); 298 /* 299 * If entry has an expiry time and it is approaching, 300 * see if we need to send an ARP request within this 301 * arpt_down interval. 302 */ 303 if (!(la->la_flags & LLE_STATIC) && 304 time_uptime + la->la_preempt > la->la_expire) { 305 arprequest(ifp, NULL, 306 &SIN(dst)->sin_addr, IF_LLADDR(ifp)); 307 308 la->la_preempt--; 309 } 310 311 *lle = la; 312 error = 0; 313 goto done; 314 } 315 316 if (la->la_flags & LLE_STATIC) { /* should not happen! */ 317 log(LOG_DEBUG, "arpresolve: ouch, empty static llinfo for %s\n", 318 inet_ntoa(SIN(dst)->sin_addr)); 319 m_freem(m); 320 error = EINVAL; 321 goto done; 322 } 323 324 renew = (la->la_asked == 0 || la->la_expire != time_uptime); 325 if ((renew || m != NULL) && (flags & LLE_EXCLUSIVE) == 0) { 326 flags |= LLE_EXCLUSIVE; 327 LLE_RUNLOCK(la); 328 goto retry; 329 } 330 /* 331 * There is an arptab entry, but no ethernet address 332 * response yet. Replace the held mbuf with this 333 * latest one. 334 */ 335 if (m != NULL) { 336 if (la->la_hold != NULL) 337 m_freem(la->la_hold); 338 la->la_hold = m; 339 if (renew == 0 && (flags & LLE_EXCLUSIVE)) { 340 flags &= ~LLE_EXCLUSIVE; 341 LLE_DOWNGRADE(la); 342 } 343 344 } 345 /* 346 * Return EWOULDBLOCK if we have tried less than arp_maxtries. It 347 * will be masked by ether_output(). Return EHOSTDOWN/EHOSTUNREACH 348 * if we have already sent arp_maxtries ARP requests. Retransmit the 349 * ARP request, but not faster than one request per second. 350 */ 351 if (la->la_asked < V_arp_maxtries) 352 error = EWOULDBLOCK; /* First request. */ 353 else 354 error = 355 (rt0->rt_flags & RTF_GATEWAY) ? EHOSTDOWN : EHOSTUNREACH; 356 357 if (renew) { 358 LLE_ADDREF(la); 359 la->la_expire = time_uptime; 360 callout_reset(&la->la_timer, hz, arptimer, la); 361 la->la_asked++; 362 LLE_WUNLOCK(la); 363 arprequest(ifp, NULL, &SIN(dst)->sin_addr, 364 IF_LLADDR(ifp)); 365 return (error); 366 } 367done: 368 if (flags & LLE_EXCLUSIVE) 369 LLE_WUNLOCK(la); 370 else 371 LLE_RUNLOCK(la); 372 return (error); 373} 374 375/* 376 * Common length and type checks are done here, 377 * then the protocol-specific routine is called. 378 */ 379static void 380arpintr(struct mbuf *m) 381{ 382 struct arphdr *ar; 383 384 if (m->m_len < sizeof(struct arphdr) && 385 ((m = m_pullup(m, sizeof(struct arphdr))) == NULL)) { 386 log(LOG_ERR, "arp: runt packet -- m_pullup failed\n"); 387 return; 388 } 389 ar = mtod(m, struct arphdr *); 390 391 if (ntohs(ar->ar_hrd) != ARPHRD_ETHER && 392 ntohs(ar->ar_hrd) != ARPHRD_IEEE802 && 393 ntohs(ar->ar_hrd) != ARPHRD_ARCNET && 394 ntohs(ar->ar_hrd) != ARPHRD_IEEE1394) { 395 log(LOG_ERR, "arp: unknown hardware address format (0x%2D)\n", 396 (unsigned char *)&ar->ar_hrd, ""); 397 m_freem(m); 398 return; 399 } 400 401 if (m->m_len < arphdr_len(ar)) { 402 if ((m = m_pullup(m, arphdr_len(ar))) == NULL) { 403 log(LOG_ERR, "arp: runt packet\n"); 404 m_freem(m); 405 return; 406 } 407 ar = mtod(m, struct arphdr *); 408 } 409 410 switch (ntohs(ar->ar_pro)) { 411#ifdef INET 412 case ETHERTYPE_IP: 413 in_arpinput(m); 414 return; 415#endif 416 } 417 m_freem(m); 418} 419 420#ifdef INET 421/* 422 * ARP for Internet protocols on 10 Mb/s Ethernet. 423 * Algorithm is that given in RFC 826. 424 * In addition, a sanity check is performed on the sender 425 * protocol address, to catch impersonators. 426 * We no longer handle negotiations for use of trailer protocol: 427 * Formerly, ARP replied for protocol type ETHERTYPE_TRAIL sent 428 * along with IP replies if we wanted trailers sent to us, 429 * and also sent them in response to IP replies. 430 * This allowed either end to announce the desire to receive 431 * trailer packets. 432 * We no longer reply to requests for ETHERTYPE_TRAIL protocol either, 433 * but formerly didn't normally send requests. 434 */ 435static int log_arp_wrong_iface = 1; 436static int log_arp_movements = 1; 437static int log_arp_permanent_modify = 1; 438 439SYSCTL_INT(_net_link_ether_inet, OID_AUTO, log_arp_wrong_iface, CTLFLAG_RW, 440 &log_arp_wrong_iface, 0, 441 "log arp packets arriving on the wrong interface"); 442SYSCTL_INT(_net_link_ether_inet, OID_AUTO, log_arp_movements, CTLFLAG_RW, 443 &log_arp_movements, 0, 444 "log arp replies from MACs different than the one in the cache"); 445SYSCTL_INT(_net_link_ether_inet, OID_AUTO, log_arp_permanent_modify, CTLFLAG_RW, 446 &log_arp_permanent_modify, 0, 447 "log arp replies from MACs different than the one in the permanent arp entry"); 448 449 450static void 451in_arpinput(struct mbuf *m) 452{ 453 struct arphdr *ah; 454 struct ifnet *ifp = m->m_pkthdr.rcvif; 455 struct llentry *la = NULL; 456 struct rtentry *rt; 457 struct ifaddr *ifa; 458 struct in_ifaddr *ia; 459 struct sockaddr sa; 460 struct in_addr isaddr, itaddr, myaddr; 461 u_int8_t *enaddr = NULL; 462 int op, flags; 463 struct mbuf *m0; 464 int req_len; 465 int bridged = 0, is_bridge = 0; 466#ifdef DEV_CARP 467 int carp_match = 0; 468#endif 469 struct sockaddr_in sin; 470 sin.sin_len = sizeof(struct sockaddr_in); 471 sin.sin_family = AF_INET; 472 sin.sin_addr.s_addr = 0; 473 INIT_VNET_INET(ifp->if_vnet); 474 475 if (ifp->if_bridge) 476 bridged = 1; 477 if (ifp->if_type == IFT_BRIDGE) 478 is_bridge = 1; 479 480 req_len = arphdr_len2(ifp->if_addrlen, sizeof(struct in_addr)); 481 if (m->m_len < req_len && (m = m_pullup(m, req_len)) == NULL) { 482 log(LOG_ERR, "in_arp: runt packet -- m_pullup failed\n"); 483 return; 484 } 485 486 ah = mtod(m, struct arphdr *); 487 op = ntohs(ah->ar_op); 488 (void)memcpy(&isaddr, ar_spa(ah), sizeof (isaddr)); 489 (void)memcpy(&itaddr, ar_tpa(ah), sizeof (itaddr)); 490 491 /* 492 * For a bridge, we want to check the address irrespective 493 * of the receive interface. (This will change slightly 494 * when we have clusters of interfaces). 495 * If the interface does not match, but the recieving interface 496 * is part of carp, we call carp_iamatch to see if this is a 497 * request for the virtual host ip. 498 * XXX: This is really ugly! 499 */ 500 LIST_FOREACH(ia, INADDR_HASH(itaddr.s_addr), ia_hash) { 501 if (((bridged && ia->ia_ifp->if_bridge != NULL) || 502 ia->ia_ifp == ifp) && 503 itaddr.s_addr == ia->ia_addr.sin_addr.s_addr) 504 goto match; 505#ifdef DEV_CARP 506 if (ifp->if_carp != NULL && 507 carp_iamatch(ifp->if_carp, ia, &isaddr, &enaddr) && 508 itaddr.s_addr == ia->ia_addr.sin_addr.s_addr) { 509 carp_match = 1; 510 goto match; 511 } 512#endif 513 } 514 LIST_FOREACH(ia, INADDR_HASH(isaddr.s_addr), ia_hash) 515 if (((bridged && ia->ia_ifp->if_bridge != NULL) || 516 ia->ia_ifp == ifp) && 517 isaddr.s_addr == ia->ia_addr.sin_addr.s_addr) 518 goto match; 519 520#define BDG_MEMBER_MATCHES_ARP(addr, ifp, ia) \ 521 (ia->ia_ifp->if_bridge == ifp->if_softc && \ 522 !bcmp(IF_LLADDR(ia->ia_ifp), IF_LLADDR(ifp), ifp->if_addrlen) && \ 523 addr == ia->ia_addr.sin_addr.s_addr) 524 /* 525 * Check the case when bridge shares its MAC address with 526 * some of its children, so packets are claimed by bridge 527 * itself (bridge_input() does it first), but they are really 528 * meant to be destined to the bridge member. 529 */ 530 if (is_bridge) { 531 LIST_FOREACH(ia, INADDR_HASH(itaddr.s_addr), ia_hash) { 532 if (BDG_MEMBER_MATCHES_ARP(itaddr.s_addr, ifp, ia)) { 533 ifp = ia->ia_ifp; 534 goto match; 535 } 536 } 537 } 538#undef BDG_MEMBER_MATCHES_ARP 539 540 /* 541 * No match, use the first inet address on the receive interface 542 * as a dummy address for the rest of the function. 543 */ 544 TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) 545 if (ifa->ifa_addr->sa_family == AF_INET) { 546 ia = ifatoia(ifa); 547 goto match; 548 } 549 /* 550 * If bridging, fall back to using any inet address. 551 */ 552 if (!bridged || (ia = TAILQ_FIRST(&V_in_ifaddrhead)) == NULL) 553 goto drop; 554match: 555 if (!enaddr) 556 enaddr = (u_int8_t *)IF_LLADDR(ifp); 557 myaddr = ia->ia_addr.sin_addr; 558 if (!bcmp(ar_sha(ah), enaddr, ifp->if_addrlen)) 559 goto drop; /* it's from me, ignore it. */ 560 if (!bcmp(ar_sha(ah), ifp->if_broadcastaddr, ifp->if_addrlen)) { 561 log(LOG_ERR, 562 "arp: link address is broadcast for IP address %s!\n", 563 inet_ntoa(isaddr)); 564 goto drop; 565 } 566 /* 567 * Warn if another host is using the same IP address, but only if the 568 * IP address isn't 0.0.0.0, which is used for DHCP only, in which 569 * case we suppress the warning to avoid false positive complaints of 570 * potential misconfiguration. 571 */ 572 if (!bridged && isaddr.s_addr == myaddr.s_addr && myaddr.s_addr != 0) { 573 log(LOG_ERR, 574 "arp: %*D is using my IP address %s on %s!\n", 575 ifp->if_addrlen, (u_char *)ar_sha(ah), ":", 576 inet_ntoa(isaddr), ifp->if_xname); 577 itaddr = myaddr; 578 goto reply; 579 } 580 if (ifp->if_flags & IFF_STATICARP) 581 goto reply; 582 583 bzero(&sin, sizeof(sin)); 584 sin.sin_len = sizeof(struct sockaddr_in); 585 sin.sin_family = AF_INET; 586 sin.sin_addr = isaddr; 587 flags = (itaddr.s_addr == myaddr.s_addr) ? LLE_CREATE : 0; 588 flags |= LLE_EXCLUSIVE; 589 IF_AFDATA_LOCK(ifp); 590 la = lla_lookup(LLTABLE(ifp), flags, (struct sockaddr *)&sin); 591 IF_AFDATA_UNLOCK(ifp); 592 if (la != NULL) { 593 /* the following is not an error when doing bridging */ 594 if (!bridged && la->lle_tbl->llt_ifp != ifp 595#ifdef DEV_CARP 596 && (ifp->if_type != IFT_CARP || !carp_match) 597#endif 598 ) { 599 if (log_arp_wrong_iface) 600 log(LOG_ERR, "arp: %s is on %s " 601 "but got reply from %*D on %s\n", 602 inet_ntoa(isaddr), 603 la->lle_tbl->llt_ifp->if_xname, 604 ifp->if_addrlen, (u_char *)ar_sha(ah), ":", 605 ifp->if_xname); 606 goto reply; 607 } 608 if ((la->la_flags & LLE_VALID) && 609 bcmp(ar_sha(ah), &la->ll_addr, ifp->if_addrlen)) { 610 if (la->la_flags & LLE_STATIC) { 611 log(LOG_ERR, 612 "arp: %*D attempts to modify permanent " 613 "entry for %s on %s\n", 614 ifp->if_addrlen, (u_char *)ar_sha(ah), ":", 615 inet_ntoa(isaddr), ifp->if_xname); 616 goto reply; 617 } 618 if (log_arp_movements) { 619 log(LOG_INFO, "arp: %s moved from %*D " 620 "to %*D on %s\n", 621 inet_ntoa(isaddr), 622 ifp->if_addrlen, 623 (u_char *)&la->ll_addr, ":", 624 ifp->if_addrlen, (u_char *)ar_sha(ah), ":", 625 ifp->if_xname); 626 } 627 } 628 629 if (ifp->if_addrlen != ah->ar_hln) { 630 log(LOG_WARNING, 631 "arp from %*D: addr len: new %d, i/f %d (ignored)", 632 ifp->if_addrlen, (u_char *) ar_sha(ah), ":", 633 ah->ar_hln, ifp->if_addrlen); 634 goto reply; 635 } 636 (void)memcpy(&la->ll_addr, ar_sha(ah), ifp->if_addrlen); 637 la->la_flags |= LLE_VALID; 638 639 if (!(la->la_flags & LLE_STATIC)) { 640 la->la_expire = time_uptime + V_arpt_keep; 641 callout_reset(&la->la_timer, hz * V_arpt_keep, 642 arptimer, la); 643 } 644 la->la_asked = 0; 645 la->la_preempt = V_arp_maxtries; 646 if (la->la_hold != NULL) { 647 m0 = la->la_hold; 648 la->la_hold = 0; 649 memcpy(&sa, L3_ADDR(la), sizeof(sa)); 650 LLE_WUNLOCK(la); 651 652 (*ifp->if_output)(ifp, m0, &sa, NULL); 653 return; 654 } 655 } 656reply: 657 if (op != ARPOP_REQUEST) 658 goto drop; 659 660 if (itaddr.s_addr == myaddr.s_addr) { 661 /* Shortcut.. the receiving interface is the target. */ 662 (void)memcpy(ar_tha(ah), ar_sha(ah), ah->ar_hln); 663 (void)memcpy(ar_sha(ah), enaddr, ah->ar_hln); 664 } else { 665 struct llentry *lle = NULL; 666 667 if (!V_arp_proxyall) 668 goto drop; 669 670 sin.sin_addr = itaddr; 671 /* XXX MRT use table 0 for arp reply */ 672 rt = in_rtalloc1((struct sockaddr *)&sin, 0, 0UL, 0); 673 if (!rt) 674 goto drop; 675 676 /* 677 * Don't send proxies for nodes on the same interface 678 * as this one came out of, or we'll get into a fight 679 * over who claims what Ether address. 680 */ 681 if (!rt->rt_ifp || rt->rt_ifp == ifp) { 682 RTFREE_LOCKED(rt); 683 goto drop; 684 } 685 IF_AFDATA_LOCK(rt->rt_ifp); 686 lle = lla_lookup(LLTABLE(rt->rt_ifp), 0, (struct sockaddr *)&sin); 687 IF_AFDATA_UNLOCK(rt->rt_ifp); 688 RTFREE_LOCKED(rt); 689 690 if (lle != NULL) { 691 (void)memcpy(ar_tha(ah), ar_sha(ah), ah->ar_hln); 692 (void)memcpy(ar_sha(ah), &lle->ll_addr, ah->ar_hln); 693 LLE_RUNLOCK(lle); 694 } else 695 goto drop; 696 697 /* 698 * Also check that the node which sent the ARP packet 699 * is on the the interface we expect it to be on. This 700 * avoids ARP chaos if an interface is connected to the 701 * wrong network. 702 */ 703 sin.sin_addr = isaddr; 704 705 /* XXX MRT use table 0 for arp checks */ 706 rt = in_rtalloc1((struct sockaddr *)&sin, 0, 0UL, 0); 707 if (!rt) 708 goto drop; 709 if (rt->rt_ifp != ifp) { 710 log(LOG_INFO, "arp_proxy: ignoring request" 711 " from %s via %s, expecting %s\n", 712 inet_ntoa(isaddr), ifp->if_xname, 713 rt->rt_ifp->if_xname); 714 RTFREE_LOCKED(rt); 715 goto drop; 716 } 717 RTFREE_LOCKED(rt); 718 719#ifdef DEBUG_PROXY 720 printf("arp: proxying for %s\n", 721 inet_ntoa(itaddr)); 722#endif 723 } 724 725 if (la != NULL) 726 LLE_WUNLOCK(la); 727 if (itaddr.s_addr == myaddr.s_addr && 728 IN_LINKLOCAL(ntohl(itaddr.s_addr))) { 729 /* RFC 3927 link-local IPv4; always reply by broadcast. */ 730#ifdef DEBUG_LINKLOCAL 731 printf("arp: sending reply for link-local addr %s\n", 732 inet_ntoa(itaddr)); 733#endif 734 m->m_flags |= M_BCAST; 735 m->m_flags &= ~M_MCAST; 736 } else { 737 /* default behaviour; never reply by broadcast. */ 738 m->m_flags &= ~(M_BCAST|M_MCAST); 739 } 740 (void)memcpy(ar_tpa(ah), ar_spa(ah), ah->ar_pln); 741 (void)memcpy(ar_spa(ah), &itaddr, ah->ar_pln); 742 ah->ar_op = htons(ARPOP_REPLY); 743 ah->ar_pro = htons(ETHERTYPE_IP); /* let's be sure! */ 744 m->m_len = sizeof(*ah) + (2 * ah->ar_pln) + (2 * ah->ar_hln); 745 m->m_pkthdr.len = m->m_len; 746 sa.sa_family = AF_ARP; 747 sa.sa_len = 2; 748 (*ifp->if_output)(ifp, m, &sa, (struct rtentry *)0); 749 return; 750 751drop: 752 if (la != NULL) 753 LLE_WUNLOCK(la); 754 m_freem(m); 755} 756#endif 757 758void 759arp_ifinit(struct ifnet *ifp, struct ifaddr *ifa) 760{ 761 struct llentry *lle; 762 763 if (ntohl(IA_SIN(ifa)->sin_addr.s_addr) != INADDR_ANY) { 764 arprequest(ifp, &IA_SIN(ifa)->sin_addr, 765 &IA_SIN(ifa)->sin_addr, IF_LLADDR(ifp)); 766 /* 767 * interface address is considered static entry 768 * because the output of the arp utility shows 769 * that L2 entry as permanent 770 */ 771 IF_AFDATA_LOCK(ifp); 772 lle = lla_lookup(LLTABLE(ifp), (LLE_CREATE | LLE_IFADDR | LLE_STATIC), 773 (struct sockaddr *)IA_SIN(ifa)); 774 IF_AFDATA_UNLOCK(ifp); 775 if (lle == NULL) 776 log(LOG_INFO, "arp_ifinit: cannot create arp " 777 "entry for interface address\n"); 778 else 779 LLE_RUNLOCK(lle); 780 } 781 ifa->ifa_rtrequest = NULL; 782} 783 784void 785arp_ifinit2(struct ifnet *ifp, struct ifaddr *ifa, u_char *enaddr) 786{ 787 if (ntohl(IA_SIN(ifa)->sin_addr.s_addr) != INADDR_ANY) 788 arprequest(ifp, &IA_SIN(ifa)->sin_addr, 789 &IA_SIN(ifa)->sin_addr, enaddr); 790 ifa->ifa_rtrequest = NULL; 791} 792 793static void 794arp_init(void) 795{ 796 INIT_VNET_INET(curvnet); 797 798 V_arpt_keep = (20*60); /* once resolved, good for 20 more minutes */ 799 V_arp_maxtries = 5; 800 V_useloopback = 1; /* use loopback interface for local traffic */ 801 V_arp_proxyall = 0; 802 803 arpintrq.ifq_maxlen = 50; 804 mtx_init(&arpintrq.ifq_mtx, "arp_inq", NULL, MTX_DEF); 805 netisr_register(NETISR_ARP, arpintr, &arpintrq, 0); 806} 807SYSINIT(arp, SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY, arp_init, 0); 808