From nobody Thu Oct 06 17:01:29 2022
Date: Thu, 6 Oct 2022 17:01:29 GMT
Message-Id: <202210061701.296H1Tdg079144@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: "Andrey V. Elsukov"
Subject: git: ccd69bd573f1 - main - Ignore IPv6 NA and drop IPv6 NS when BACKUP CARP address is used
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: ae
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: ccd69bd573f185308e7652190ff64b50f7fba381

The branch main has been updated by ae:

URL:
https://cgit.FreeBSD.org/src/commit/?id=ccd69bd573f185308e7652190ff64b50f7fba381 commit ccd69bd573f185308e7652190ff64b50f7fba381 Author: Andrey V. Elsukov AuthorDate: 2022-10-06 16:50:33 +0000 Commit: Andrey V. Elsukov CommitDate: 2022-10-06 17:01:16 +0000 Ignore IPv6 NA and drop IPv6 NS when BACKUP CARP address is used When system acts as CARP BACKUP ignore received IPv6 Neighbor Advertisements to ensure that neighbor cache will not be changed. Also do not send IPv6 Neighbor Solicitation from CARP BACKUP source address. Such packets can confuse network switch and it detects MAC addresses flapping. Obtained from: Yandex LLC MFC after: 2 weeks Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D36649 --- sys/netinet6/nd6_nbr.c | 56 +++++++++++++++++++++++++++++++++++--------------- 1 file changed, 40 insertions(+), 16 deletions(-) diff --git a/sys/netinet6/nd6_nbr.c b/sys/netinet6/nd6_nbr.c index f96bf8e58dc3..7bca7fa59ac7 100644 --- a/sys/netinet6/nd6_nbr.c +++ b/sys/netinet6/nd6_nbr.c @@ -465,6 +465,7 @@ nd6_ns_output_fib(struct ifnet *ifp, const struct in6_addr *saddr6, goto bad; } if (nonce == NULL) { + char ip6buf[INET6_ADDRSTRLEN]; struct ifaddr *ifa = NULL; /* @@ -480,14 +481,9 @@ nd6_ns_output_fib(struct ifnet *ifp, const struct in6_addr *saddr6, * (saddr6), if saddr6 belongs to the outgoing interface. * Otherwise, we perform the source address selection as usual. */ - if (saddr6 != NULL) ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp, saddr6); - if (ifa != NULL) { - /* ip6_src set already. */ - ip6->ip6_src = *saddr6; - ifa_free(ifa); - } else { + if (ifa == NULL) { int error; struct in6_addr dst6, src6; uint32_t scopeid; @@ -496,7 +492,6 @@ nd6_ns_output_fib(struct ifnet *ifp, const struct in6_addr *saddr6, error = in6_selectsrc_addr(fibnum, &dst6, scopeid, ifp, &src6, NULL); if (error) { - char ip6buf[INET6_ADDRSTRLEN]; nd6log((LOG_DEBUG, "%s: source can't be " "determined: dst=%s, error=%d\n", __func__, ip6_sprintf(ip6buf, &dst6), 
@@ -504,7 +499,31 @@ nd6_ns_output_fib(struct ifnet *ifp, const struct in6_addr *saddr6, goto bad; } ip6->ip6_src = src6; + } else + ip6->ip6_src = *saddr6; + + if (ifp->if_carp != NULL) { + /* + * Check that selected source address belongs to + * CARP addresses. + */ + if (ifa == NULL) + ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp, + &ip6->ip6_src); + /* + * Do not send NS for CARP address if we are not + * the CARP master. + */ + if (ifa != NULL && !(*carp_master_p)(ifa)) { + log(LOG_DEBUG, + "nd6_ns_output: NS from BACKUP CARP address %s\n", + ip6_sprintf(ip6buf, &ip6->ip6_src)); + ifa_free(ifa); + goto bad; + } } + if (ifa != NULL) + ifa_free(ifa); } else { /* * Source address for DAD packet must always be IPv6 @@ -714,15 +733,20 @@ nd6_na_input(struct mbuf *m, int off, int icmp6len) lladdrlen = ndopts.nd_opts_tgt_lladdr->nd_opt_len << 3; } - /* - * This effectively disables the DAD check on a non-master CARP - * address. - */ - if (ifp->if_carp) - ifa = (*carp_iamatch6_p)(ifp, &taddr6); - else - ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp, &taddr6); - + ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp, &taddr6); + if (ifa != NULL && ifa->ifa_carp != NULL) { + /* + * Silently ignore NAs for CARP addresses if we are not + * the CARP master. + */ + if (!(*carp_master_p)(ifa)) { + log(LOG_DEBUG, + "nd6_na_input: NA for BACKUP CARP address %s\n", + ip6_sprintf(ip6bufs, &taddr6)); + ifa_free(ifa); + goto freeit; + } + } /* * Target address matches one of my interface address. *
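
Review bot: In the `@@ -480,14 +481,9 @@` hunk of nd6_ns_output_fib, the `if (saddr6 != NULL)` guard is removed while the `in6ifa_ifpwithaddr(ifp, saddr6)` call it protected stays as context, so the lookup now runs with whatever the caller passed, including a NULL saddr6. Keep the guard in front of the lookup so that a missing source address still falls through to `in6_selectsrc_addr()`. The new `else ip6->ip6_src = *saddr6;` branch is only safe if ifa can be non-NULL solely when saddr6 was supplied, which the guard made explicit.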
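
Review bot: In the `@@ -504,7 +499,31 @@` hunk, `(*carp_master_p)(ifa)` is called for any address found on an interface with `ifp->if_carp != NULL`, without testing that the address itself is a CARP address, although the comment just above says that is what is being checked. The nd6_na_input hunk tests `ifa->ifa_carp != NULL` before making the same call; use the same condition here, for example `if (ifa != NULL && ifa->ifa_carp != NULL && !(*carp_master_p)(ifa))`, so that a non-CARP address on a CARP-enabled interface is never handed to the CARP state check. The message also hard-codes "nd6_ns_output" and goes through `log()`, where the error path a few lines earlier in the same function uses `nd6log((LOG_DEBUG, ...))` with `__func__`.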
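
Review bot: In the nd6_na_input hunk (`@@ -714,15 +733,20 @@`), the new comment says NAs for a BACKUP CARP address are silently ignored, but the code emits a `log(LOG_DEBUG, ...)` line for every such NA before `goto freeit`. Either drop the message or route it through `nd6log((LOG_DEBUG, ...))` as nd6_ns_output_fib does for its error path, and make the comment match the behaviour. The removed comment noted that this path disables the DAD check on a non-master CARP address; since `goto freeit` skips the rest of the function, the new comment should keep a sentence saying so.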