Mercurial > illumos > git > illumos-omnios

changeset 11430:7b1870d99874

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
6913366 Missing zones check for IP_BOUND_IF and IPV6_MULTICAST_IF 6913365 Should refuse adding routes that can't be used
author Erik Nordmark <Erik.Nordmark@Sun.COM>
date Mon, 04 Jan 2010 23:29:24 -0800
parents 3398895a8df2
children 753a00801df0
files usr/src/uts/common/inet/ip/conn_opt.c usr/src/uts/common/inet/ip/ip6_if.c usr/src/uts/common/inet/ip/ip_if.c usr/src/uts/common/inet/ip_if.h
diffstat 4 files changed, 49 insertions(+), 19 deletions(-) [+]
line wrap: on
line diff
--- a/usr/src/uts/common/inet/ip/conn_opt.c	Mon Jan 04 23:03:14 2010 -0800
+++ b/usr/src/uts/common/inet/ip/conn_opt.c	Mon Jan 04 23:29:24 2010 -0800
@@ -20,7 +20,7 @@
  */
 
 /*
- * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 /* Copyright (c) 1990 Mentat Inc. */
@@ -1265,7 +1265,8 @@
 				return (EADDRNOTAVAIL);
 			}
 		}
-		if (!ip_ifindex_valid(pktinfo->ipi_ifindex, B_FALSE, ipst))
+		if (!ip_xmit_ifindex_valid(pktinfo->ipi_ifindex, zoneid,
+		    B_FALSE, ipst))
 			return (ENXIO);
 		break;
 	}
@@ -1273,7 +1274,7 @@
 		ifindex = *(uint_t *)i1;
 
 		/* Just check it is ok. */
-		if (!ip_ifindex_valid(ifindex, B_FALSE, ipst))
+		if (!ip_xmit_ifindex_valid(ifindex, zoneid, B_FALSE, ipst))
 			return (ENXIO);
 		break;
 	}
@@ -1523,8 +1524,8 @@
 		 */
 		ifindex = *(uint_t *)i1;
 
-		if (!ip_ifindex_valid(ifindex, B_TRUE, ipst) &&
-		    !ip_ifindex_valid(ifindex, B_FALSE, ipst))
+		if (!ip_xmit_ifindex_valid(ifindex, zoneid, B_TRUE, ipst) &&
+		    !ip_xmit_ifindex_valid(ifindex, zoneid, B_FALSE, ipst))
 			return (EINVAL);
 		break;
 	case IPV6_UNICAST_HOPS:
@@ -1544,7 +1545,7 @@
 	case IPV6_BOUND_IF:
 		ifindex = *(uint_t *)i1;
 
-		if (!ip_ifindex_valid(ifindex, B_TRUE, ipst))
+		if (!ip_xmit_ifindex_valid(ifindex, zoneid, B_TRUE, ipst))
 			return (ENXIO);
 		break;
 	case IPV6_PKTINFO: {
@@ -1600,7 +1601,8 @@
 			ixa->ixa_flags &= ~IXAF_VERIFY_SOURCE;
 		}
 		isv6 = !(IN6_IS_ADDR_V4MAPPED(&pkti->ipi6_addr));
-		if (!ip_ifindex_valid(pkti->ipi6_ifindex, isv6, ipst))
+		if (!ip_xmit_ifindex_valid(pkti->ipi6_ifindex, zoneid, isv6,
+		    ipst))
 			return (ENXIO);
 		break;
 	}
--- a/usr/src/uts/common/inet/ip/ip6_if.c	Mon Jan 04 23:03:14 2010 -0800
+++ b/usr/src/uts/common/inet/ip/ip6_if.c	Mon Jan 04 23:29:24 2010 -0800
@@ -19,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 /*
@@ -687,20 +687,39 @@
 	 * Get an interface IRE for the specified gateway.
 	 * If we don't have an IRE_IF_NORESOLVER or IRE_IF_RESOLVER for the
 	 * gateway, it is currently unreachable and we fail the request
-	 * accordingly.
+	 * accordingly. We reject any RTF_GATEWAY routes where the gateway
+	 * is an IRE_LOCAL or IRE_LOOPBACK.
 	 * If RTA_IFP was specified we look on that particular ill.
 	 */
 	if (ill != NULL)
 		match_flags |= MATCH_IRE_ILL;
 
 	/* Check whether the gateway is reachable. */
-	type = IRE_INTERFACE;
+again:
+	type = IRE_INTERFACE | IRE_LOCAL | IRE_LOOPBACK;
 	if (flags & RTF_INDIRECT)
 		type |= IRE_OFFLINK;
 
 	gw_ire = ire_ftable_lookup_v6(gw_addr, 0, 0, type, ill,
 	    ALL_ZONES, NULL, match_flags, 0, ipst, NULL);
 	if (gw_ire == NULL) {
+		/*
+		 * With IPMP, we allow host routes to influence in.mpathd's
+		 * target selection.  However, if the test addresses are on
+		 * their own network, the above lookup will fail since the
+		 * underlying IRE_INTERFACEs are marked hidden.  So allow
+		 * hidden test IREs to be found and try again.
+		 */
+		if (!(match_flags & MATCH_IRE_TESTHIDDEN))  {
+			match_flags |= MATCH_IRE_TESTHIDDEN;
+			goto again;
+		}
+		if (ipif != NULL)
+			ipif_refrele(ipif);
+		return (ENETUNREACH);
+	}
+	if (gw_ire->ire_type & (IRE_LOCAL|IRE_LOOPBACK)) {
+		ire_refrele(gw_ire);
 		if (ipif != NULL)
 			ipif_refrele(ipif);
 		return (ENETUNREACH);
--- a/usr/src/uts/common/inet/ip/ip_if.c	Mon Jan 04 23:03:14 2010 -0800
+++ b/usr/src/uts/common/inet/ip/ip_if.c	Mon Jan 04 23:29:24 2010 -0800
@@ -19,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 /* Copyright (c) 1990 Mentat Inc. */
@@ -3916,19 +3916,21 @@
 }
 
 /*
- * Verify whether or not an interface index is valid.
+ * Verify whether or not an interface index is valid for the specified zoneid
+ * to transmit packets.
  * It can be zero (meaning "reset") or an interface index assigned
  * to a non-VNI interface. (We don't use VNI interface to send packets.)
  */
 boolean_t
-ip_ifindex_valid(uint_t ifindex, boolean_t isv6, ip_stack_t *ipst)
+ip_xmit_ifindex_valid(uint_t ifindex, zoneid_t zoneid, boolean_t isv6,
+    ip_stack_t *ipst)
 {
 	ill_t		*ill;
 
 	if (ifindex == 0)
 		return (B_TRUE);
 
-	ill = ill_lookup_on_ifindex(ifindex, isv6, ipst);
+	ill = ill_lookup_on_ifindex_zoneid(ifindex, zoneid, isv6, ipst);
 	if (ill == NULL)
 		return (B_FALSE);
 	if (IS_VNI(ill)) {
@@ -5690,7 +5692,8 @@
 	 * Get an interface IRE for the specified gateway.
 	 * If we don't have an IRE_IF_NORESOLVER or IRE_IF_RESOLVER for the
 	 * gateway, it is currently unreachable and we fail the request
-	 * accordingly.
+	 * accordingly. We reject any RTF_GATEWAY routes where the gateway
+	 * is an IRE_LOCAL or IRE_LOOPBACK.
 	 * If RTA_IFP was specified we look on that particular ill.
 	 */
 	if (ill != NULL)
@@ -5698,7 +5701,7 @@
 
 	/* Check whether the gateway is reachable. */
 again:
-	type = IRE_INTERFACE;
+	type = IRE_INTERFACE | IRE_LOCAL | IRE_LOOPBACK;
 	if (flags & RTF_INDIRECT)
 		type |= IRE_OFFLINK;
 
@@ -5716,7 +5719,12 @@
 			match_flags |= MATCH_IRE_TESTHIDDEN;
 			goto again;
 		}
-
+		if (ipif != NULL)
+			ipif_refrele(ipif);
+		return (ENETUNREACH);
+	}
+	if (gw_ire->ire_type & (IRE_LOCAL|IRE_LOOPBACK)) {
+		ire_refrele(gw_ire);
 		if (ipif != NULL)
 			ipif_refrele(ipif);
 		return (ENETUNREACH);
--- a/usr/src/uts/common/inet/ip_if.h	Mon Jan 04 23:03:14 2010 -0800
+++ b/usr/src/uts/common/inet/ip_if.h	Mon Jan 04 23:29:24 2010 -0800
@@ -19,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 /* Copyright (c) 1990 Mentat Inc. */
@@ -172,7 +172,8 @@
     ip_stack_t *);
 extern	ill_t	*ill_lookup_on_name(char *, boolean_t,
     boolean_t, boolean_t *, ip_stack_t *);
-extern boolean_t ip_ifindex_valid(uint_t, boolean_t, ip_stack_t *);
+extern boolean_t ip_xmit_ifindex_valid(uint_t, zoneid_t, boolean_t,
+    ip_stack_t *);
 extern uint_t	ill_get_next_ifindex(uint_t, boolean_t, ip_stack_t *);
 extern uint_t	ill_get_ifindex_by_name(char *, ip_stack_t *);
 extern uint_t	ill_get_upper_ifindex(const ill_t *);