ref: d43d79bda454212f92fcec1ad4d049ecdc66e043
parent: 1cff923af4dbcaaab515cc04ea40c559eab7830f
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Sun Sep 26 14:43:29 EDT 2021
devip: implement ipv4 arp timeout with icmp host unreachable notification The IPv4 ARP cache used to indefinitely buffer packets in the Arpent hold list. This is bad in case of a router, because it opens a 1 second (retransmit time) window to leak all the to be forwarded packets. This change makes the ipv4 arp code path similar to the IPv6 neighbour solicitation path, using the retransmit process to time out old entries (after 3 arp retransmits => 3 seconds). A new function arpcontinue() has been added that unifies the point when we schedule the (ipv6 sol retransmit) / (ipv4 arp timeout) and reduce the hold queue to the last packet and unlock the cache. As a bonus, we also now send a icmp host unreachable notification for the dropped packets.
--- a/sys/src/9/ip/arp.c
+++ b/sys/src/9/ip/arp.c
@@ -37,7 +37,7 @@
Fs *f;
Arpent *hash[NHASH];
Arpent cache[NCACHE];
- Arpent *rxmt;
+ Arpent *rxmt[2];
Proc *rxmitp; /* neib sol re-transmit proc */
Rendez rxmtq;
Block *dropf, *dropl;
@@ -47,16 +47,15 @@
#define haship(s) ((s)[IPaddrlen-1]%NHASH)
-int ReTransTimer = RETRANS_TIMER;
+static void rxmitproc(void*);
-static void rxmitproc(void *v);
-
void
arpinit(Fs *f)
{
f->arp = smalloc(sizeof(Arp));
f->arp->f = f;
- f->arp->rxmt = nil;
+ f->arp->rxmt[0] = nil;
+ f->arp->rxmt[1] = nil;
f->arp->dropf = f->arp->dropl = nil;
kproc("rxmitproc", rxmitproc, f->arp);
}
@@ -79,7 +78,7 @@
{
Arpent **l;
- for(l = &arp->rxmt; *l != nil; l = &((*l)->nextrxt)){
+ for(l = &arp->rxmt[isv4(a->ip) != 0]; *l != nil; l = &((*l)->nextrxt)){
if(*l == a){
*l = a->nextrxt;
break;
@@ -104,26 +103,20 @@
}
a->hash = nil;
- /* dump waiting packets */
- bp = a->hold;
- a->hold = nil;
- if(isv4(a->ip))
- freeblistchain(bp);
- else {
- rxmtunchain(arp, a);
+ /* remove from retransmit / timout chain */
+ rxmtunchain(arp, a);
- /* queue icmp unreachable for rxmitproc later on, w/o arp lock */
- if(bp != nil){
- if(arp->dropf == nil)
- arp->dropf = bp;
- else
- arp->dropl->list = bp;
- arp->dropl = a->last;
-
- if(bp == arp->dropf)
- wakeup(&arp->rxmtq);
- }
+ /* queue packets for icmp unreachable for rxmitproc later on, w/o arp lock */
+ if((bp = a->hold) != nil){
+ if(arp->dropf == nil)
+ arp->dropf = bp;
+ else
+ arp->dropl->list = bp;
+ arp->dropl = a->last;
+ if(bp == arp->dropf)
+ wakeup(&arp->rxmtq);
}
+ a->hold = nil;
a->last = nil;
a->ifc = nil;
@@ -152,7 +145,7 @@
e = &arp->cache[NCACHE];
a = arp->cache;
t = a->utime;
- for(f = a; f < e; f++){
+ for(f = a+1; t > 0 && f < e; f++){
if(f->utime < t){
t = f->utime;
a = f;
@@ -182,7 +175,6 @@
Arpent*
arpget(Arp *arp, Block *bp, int version, Ipifc *ifc, uchar *ip, uchar *mac)
{
- int hash;
Arpent *a;
uchar v6ip[IPaddrlen];
@@ -192,8 +184,7 @@
}
qlock(arp);
- hash = haship(ip);
- for(a = arp->hash[hash]; a != nil; a = a->hash){
+ for(a = arp->hash[haship(ip)]; a != nil; a = a->hash){
if(a->ifc == ifc && a->ifcid == ifc->ifcid && ipcmp(ip, a->ip) == 0)
break;
}
@@ -225,6 +216,39 @@
}
/*
+ * continue address resolution for the entry,
+ * schedule it on the retransmit / timeout chains
+ * and unlock the arp cache.
+ */
+void
+arpcontinue(Arp *arp, Arpent *a)
+{
+ Arpent **l;
+ Block *bp;
+
+ /* try to keep it around for a second more */
+ a->ctime = NOW;
+
+ /* remove all but the last message */
+ while((bp = a->hold) != nil){
+ if(bp == a->last)
+ break;
+ a->hold = bp->list;
+ freeblist(bp);
+ }
+
+ /* put on end of re-transmit / timeout chain */
+ for(l = rxmtunchain(arp, a); *l != nil; l = &(*l)->nextrxt)
+ ;
+ *l = a;
+
+ if(l == &arp->rxmt[0] || l == &arp->rxmt[1])
+ wakeup(&arp->rxmtq);
+
+ qunlock(arp);
+}
+
+/*
* called with arp locked
*/
void
@@ -233,6 +257,7 @@
qunlock(arp);
}
+
/*
* Copy out the mac address from the Arpent. Return the
* block waiting to get sent to this mac address.
@@ -245,7 +270,7 @@
Block *bp;
memmove(a->mac, mac, type->maclen);
- if(a->state == AWAIT && !isv4(a->ip)){
+ if(a->state == AWAIT) {
rxmtunchain(arp, a);
a->rxtsrem = 0;
}
@@ -363,7 +388,7 @@
memset(arp->hash, 0, sizeof(arp->hash));
freeblistchain(arp->dropf);
arp->dropf = arp->dropl = nil;
- arp->rxmt = nil;
+ arp->rxmt[0] = arp->rxmt[1] = nil;
qunlock(arp);
} else if(strcmp(f[0], "add") == 0){
switch(n){
@@ -480,32 +505,22 @@
ndpsendsol(Fs *f, Ipifc *ifc, Arpent *a)
{
uchar targ[IPaddrlen], src[IPaddrlen];
- Arpent **l;
- a->ctime = NOW;
if(a->rxtsrem == 0)
a->rxtsrem = MAX_MULTICAST_SOLICIT;
else
a->rxtsrem--;
- /* put on end of re-transmit chain */
- for(l = rxmtunchain(f->arp, a); *l != nil; l = &(*l)->nextrxt)
- ;
- *l = a;
-
- if(l == &f->arp->rxmt)
- wakeup(&f->arp->rxmtq);
-
/* try to use source address of original packet */
ipmove(targ, a->ip);
if(a->last != nil){
ipmove(src, ((Ip6hdr*)a->last->rp)->src);
- arprelease(f->arp, a);
+ arpcontinue(f->arp, a);
if(iplocalonifc(ifc, src) != nil || ipproxyifc(f, ifc, src))
goto send;
} else {
- arprelease(f->arp, a);
+ arpcontinue(f->arp, a);
}
if(!ipv6local(ifc, src, 0, targ))
return;
@@ -516,16 +531,17 @@
}
}
-static void
-rxmitsols(Arp *arp)
+static Block*
+rxmt(Arp *arp)
{
- Block *next, *bp;
Arpent *a;
+ Block *bp;
Ipifc *ifc;
- Route *r;
qlock(arp);
- while((a = arp->rxmt) != nil && NOW - a->ctime > 3*ReTransTimer/4){
+
+ /* retransmit ipv6 solicitations */
+ while((a = arp->rxmt[0]) != nil && NOW - a->ctime > 3*RETRANS_TIMER/4){
if(a->rxtsrem > 0 && (ifc = a->ifc) != nil && canrlock(ifc)){
if(a->ifcid == ifc->ifcid){
ndpsendsol(arp->f, ifc, a); /* unlocks arp */
@@ -537,17 +553,40 @@
}
cleanarpent(arp, a);
}
+
+ /* timeout waiting ipv4 arp entries */
+ while((a = arp->rxmt[1]) != nil && NOW - a->ctime > 3*RETRANS_TIMER)
+ cleanarpent(arp, a);
+
bp = arp->dropf;
arp->dropf = arp->dropl = nil;
+
qunlock(arp);
+ return bp;
+}
+
+static void
+drop(Fs *f, Block *bp)
+{
+ Block *next;
+ Ipifc *ifc;
+ Route *r;
+
for(; bp != nil; bp = next){
next = bp->list;
bp->list = nil;
- r = v6lookup(arp->f, ((Ip6hdr*)bp->rp)->src, ((Ip6hdr*)bp->rp)->dst, nil);
+
+ if((bp->rp[0]&0xF0) == IP_VER4)
+ r = v4lookup(f, ((Ip4hdr*)bp->rp)->src, ((Ip4hdr*)bp->rp)->dst, nil);
+ else
+ r = v6lookup(f, ((Ip6hdr*)bp->rp)->src, ((Ip6hdr*)bp->rp)->dst, nil);
if(r != nil && (ifc = r->ifc) != nil && canrlock(ifc)){
if(!waserror()){
- icmphostunr6(arp->f, ifc, bp, Icmp6_adr_unreach, (r->type & Runi) != 0);
+ if((bp->rp[0]&0xF0) == IP_VER4)
+ icmpnohost(f, ifc, bp);
+ else
+ icmphostunr6(f, ifc, bp, Icmp6_adr_unreach, (r->type & Runi) != 0);
poperror();
}
runlock(ifc);
@@ -561,7 +600,7 @@
{
Arp *arp = (Arp *)v;
- return arp->rxmt != nil || arp->dropf != nil;
+ return arp->rxmt[0] != nil || arp->rxmt[1] != nil || arp->dropf != nil;
}
static void
@@ -576,7 +615,7 @@
}
for(;;){
sleep(&arp->rxmtq, rxready, v);
- rxmitsols(arp);
- tsleep(&arp->rxmtq, return0, nil, ReTransTimer/4);
+ drop(arp->f, rxmt(arp));
+ tsleep(&arp->rxmtq, return0, nil, RETRANS_TIMER/4);
}
}
--- a/sys/src/9/ip/ethermedium.c
+++ b/sys/src/9/ip/ethermedium.c
@@ -17,15 +17,6 @@
uchar t[2];
};
-static uchar ipbroadcast[IPaddrlen] = {
- 0xff,0xff,0xff,0xff,
- 0xff,0xff,0xff,0xff,
- 0xff,0xff,0xff,0xff,
- 0xff,0xff,0xff,0xff,
-};
-
-static uchar etherbroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
-
static void etherread4(void *a);
static void etherread6(void *a);
static void etherbind(Ipifc *ifc, int argc, char **argv);
@@ -35,8 +26,7 @@
static void etherremmulti(Ipifc *ifc, uchar *a, uchar *ia);
static void etherareg(Fs *f, Ipifc *ifc, Iplifc *lifc, uchar *ip);
static Block* multicastarp(Fs *f, Arpent *a, Medium*, uchar *mac);
-static void sendarp(Ipifc *ifc, Arpent *a);
-static void sendndp(Ipifc *ifc, Arpent *a);
+static void sendarpreq(Ipifc *ifc, Arpent *a);
static int multicastea(uchar *ea, uchar *ip);
static void recvarpproc(void*);
static void etherpref2addr(uchar *pref, uchar *ea);
@@ -276,12 +266,17 @@
/* check for broadcast or multicast */
bp = multicastarp(er->f, a, ifc->m, mac);
if(bp == nil){
+ /* don't do anything if it's been less than a second since the last */
+ if(NOW - a->ctime < RETRANS_TIMER){
+ arprelease(er->f->arp, a);
+ return;
+ }
switch(version){
case V4:
- sendarp(ifc, a);
+ sendarpreq(ifc, a); /* unlocks arp */
break;
case V6:
- sendndp(ifc, a);
+ ndpsendsol(er->f, ifc, a); /* unlocks arp */
break;
default:
panic("etherbwrite: version %d", version);
@@ -442,7 +437,7 @@
* (only v4, v6 uses the neighbor discovery, rfc1970)
*/
static void
-sendarp(Ipifc *ifc, Arpent *a)
+sendarpreq(Ipifc *ifc, Arpent *a)
{
int n;
Block *bp;
@@ -450,25 +445,8 @@
Etherrock *er = ifc->arg;
uchar targ[IPv4addrlen], src[IPv4addrlen];
- /* don't do anything if it's been less than a second since the last */
- if(NOW - a->ctime < 1000){
- arprelease(er->f->arp, a);
- return;
- }
-
- /* try to keep it around for a second more */
- a->ctime = NOW;
-
- /* remove all but the last message */
- while((bp = a->hold) != nil){
- if(bp == a->last)
- break;
- a->hold = bp->list;
- freeblist(bp);
- }
-
memmove(targ, a->ip+IPv4off, IPv4addrlen);
- arprelease(er->f->arp, a);
+ arpcontinue(er->f->arp, a);
if(!ipv4local(ifc, src, 0, targ))
return;
@@ -477,8 +455,8 @@
if(n < ifc->m->mintu)
n = ifc->m->mintu;
bp = allocb(n);
- memset(bp->rp, 0, n);
e = (Etherarp*)bp->rp;
+ memset(e, 0, n);
memmove(e->tpa, targ, sizeof(e->tpa));
memmove(e->spa, src, sizeof(e->spa));
memmove(e->sha, ifc->mac, sizeof(e->sha));
@@ -496,29 +474,6 @@
devtab[er->achan->type]->bwrite(er->achan, bp, 0);
}
-static void
-sendndp(Ipifc *ifc, Arpent *a)
-{
- Block *bp;
- Etherrock *er = ifc->arg;
-
- /* don't do anything if it's been less than a second since the last */
- if(NOW - a->ctime < ReTransTimer){
- arprelease(er->f->arp, a);
- return;
- }
-
- /* remove all but the last message */
- while((bp = a->hold) != nil){
- if(bp == a->last)
- break;
- a->hold = bp->list;
- freeblist(bp);
- }
-
- ndpsendsol(er->f, ifc, a); /* unlocks arp */
-}
-
/*
* send a gratuitous arp to refresh arp caches
*/
@@ -534,8 +489,8 @@
if(n < ifc->m->mintu)
n = ifc->m->mintu;
bp = allocb(n);
- memset(bp->rp, 0, n);
e = (Etherarp*)bp->rp;
+ memset(e, 0, n);
memmove(e->tpa, ip+IPv4off, sizeof(e->tpa));
memmove(e->spa, ip+IPv4off, sizeof(e->spa));
memmove(e->sha, ifc->mac, sizeof(e->sha));
--- a/sys/src/9/ip/icmp.c
+++ b/sys/src/9/ip/icmp.c
@@ -242,22 +242,34 @@
}
static void
-icmpunreachable(Fs *f, Block *bp, int code, int seq)
+icmpunreachable(Fs *f, Ipifc *ifc, Block *bp, int code, int seq)
{
Block *nbp;
Icmp *p, *np;
+ uchar ia[IPv4addrlen];
p = (Icmp *)bp->rp;
- if(!ip4me(f, p->dst) || !ip4reply(f, p->src))
+ if(!ip4reply(f, p->src))
return;
- netlog(f, Logicmp, "sending icmpnoconv -> %V\n", p->src);
+ if(ifc == nil){
+ if(!ipforme(f, p->dst))
+ return;
+ memmove(ia, p->dst, sizeof(p->dst));
+ } else {
+ if(!ipv4local(ifc, ia, 0, p->src))
+ return;
+ }
+
+ netlog(f, Logicmp, "sending icmpunreachable %V -> src %V dst %V\n",
+ ia, p->src, p->dst);
+
nbp = allocb(ICMP_IPSIZE + ICMP_HDRSIZE + ICMP_IPSIZE + 8);
nbp->wp += ICMP_IPSIZE + ICMP_HDRSIZE + ICMP_IPSIZE + 8;
np = (Icmp *)nbp->rp;
np->vihl = IP_VER4;
+ memmove(np->src, ia, sizeof(np->src));
memmove(np->dst, p->src, sizeof(np->dst));
- memmove(np->src, p->dst, sizeof(np->src));
memmove(np->data, bp->rp, ICMP_IPSIZE + 8);
np->type = Unreachable;
np->code = code;
@@ -270,15 +282,21 @@
}
void
+icmpnohost(Fs *f, Ipifc *ifc, Block *bp)
+{
+ icmpunreachable(f, ifc, bp, 1, 0);
+}
+
+void
icmpnoconv(Fs *f, Block *bp)
{
- icmpunreachable(f, bp, 3, 0);
+ icmpunreachable(f, nil, bp, 3, 0);
}
void
icmpcantfrag(Fs *f, Block *bp, int mtu)
{
- icmpunreachable(f, bp, 4, mtu);
+ icmpunreachable(f, nil, bp, 4, mtu);
}
static void
--- a/sys/src/9/ip/ip.h
+++ b/sys/src/9/ip/ip.h
@@ -613,6 +613,7 @@
extern int arpwrite(Fs*, char*, int);
extern Arpent* arpget(Arp*, Block *bp, int version, Ipifc *ifc, uchar *ip, uchar *h);
extern void arprelease(Arp*, Arpent *a);
+extern void arpcontinue(Arp*, Arpent *a);
extern Block* arpresolve(Arp*, Arpent *a, Medium *type, uchar *mac);
extern int arpenter(Fs*, int version, uchar *ip, uchar *mac, int n, uchar *ia, Ipifc *ifc, int refresh);
extern void ndpsendsol(Fs*, Ipifc*, Arpent*);
@@ -682,6 +683,7 @@
* ip.c
*/
extern void iprouting(Fs*, int);
+extern void icmpnohost(Fs*, Ipifc*, Block*);
extern void icmpnoconv(Fs*, Block*);
extern void icmpcantfrag(Fs*, Block*, int);
extern void icmpttlexceeded(Fs*, Ipifc*, Block*);
--- a/sys/src/9/ip/ipv6.c
+++ b/sys/src/9/ip/ipv6.c
@@ -32,7 +32,7 @@
v6p->rp.ttl = MAXTTL;
v6p->rp.routerlt = (3 * v6p->rp.maxraint) / 1000;
- v6p->hp.rxmithost = 1000; /* v6 RETRANS_TIMER */
+ v6p->hp.rxmithost = RETRANS_TIMER;
f->v6p = v6p;
}
--- a/sys/src/9/ip/ipv6.h
+++ b/sys/src/9/ip/ipv6.h
@@ -178,8 +178,6 @@
extern int v6aNpreflen;
extern int v6aLpreflen;
-extern int ReTransTimer;
-
void ipv62smcast(uchar *, uchar *);
void icmpns(Fs *f, uchar* src, int suni, uchar* targ, int tuni, uchar* mac);
void icmpna(Fs *f, uchar* src, uchar* dst, uchar* targ, uchar* mac, uchar flags);