To address the misaligned access issues reported by UBSAN, introduce raw
variant of certain IPv4 functions used in the critical data path of the
network stack, operating on plain uint8_t buffers instead of IPv4
address struct.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Rework the rest of the IPv6-related code to avoid casting. Use raw
variants of IPv6-related functions whenever possible (especially on the
critical data path). For the routing case, use a copy of the address to
avoid massive rework of the routing module.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
To address the misaligned access issues reported by UBSAN, introduce raw
variant of certain IPv6 functions used in the critical data path of the
network stack, operating on plain uint8_t buffers instead of IPv6
address struct.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
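The raw-variant approach from the three commit messages above, shown for IPv6 as an added example (not code from the Zephyr tree). The struct, the function names and the frame contents are hypothetical and constructed for illustration; the copy helper corresponds to the "use a copy of the address" choice mentioned for the routing case.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical address struct: the 32-bit view forces 4-byte alignment. */
struct ip6_addr {
	union {
		uint8_t s6_addr[16];
		uint32_t s6_addr32[4];
	};
};

/* True if casting p to struct ip6_addr * would give a misaligned pointer. */
static bool cast_would_misalign(const uint8_t *p)
{
	return ((uintptr_t)p % _Alignof(struct ip6_addr)) != 0;
}

/* Raw variant: link-local (fe80::/10) check on plain bytes, any offset. */
static bool ip6_is_ll_addr_raw(const uint8_t *addr)
{
	return addr[0] == 0xfe && (addr[1] & 0xc0) == 0x80;
}

/* Where a struct is unavoidable, copy the bytes instead of casting. */
static struct ip6_addr ip6_addr_copy_raw(const uint8_t *src)
{
	struct ip6_addr out;
	memcpy(out.s6_addr, src, sizeof(out.s6_addr));
	return out;
}

/* Constructed frame: 14-byte Ethernet header + 40-byte IPv6 header, so the
 * source address starts at 14 + 8 = 22, which is only 2-byte aligned. */
static _Alignas(4) uint8_t frame[14 + 40] = {
	[22] = 0xfe, [23] = 0x80, [37] = 0x01, /* source fe80::1 */
};
static const uint8_t *frame_src(void) { return frame + 22; }

int main(void)
{
	struct ip6_addr copy = ip6_addr_copy_raw(frame_src());
	printf("misaligned=%d ll=%d last=%d\n", cast_would_misalign(frame_src()),
	       ip6_is_ll_addr_raw(frame_src()), copy.s6_addr[15]);
	return 0;
}
```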
When adding IPv4 address to the network interface, there is no
need to start ACD procedure for localhost or point-to-point links.
The ACD start function would mark the IP address like 127.0.0.1 as
tentative and never make it preferred which would then cause issues
when selecting the network address for sending.
As the ACD start is also called when the network interface comes up,
add the localhost and point-to-point link check to ACD start function
so that we will avoid ACD checks in this case.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Useful to see what prefix is being selected for a given
IPv6 address if debugging is enabled.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Always prefer preferred IPv6 address over deprecated one
regardless of prefix length. This works now same way as in
Linux.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
This adjusts the IPv6 source address selection so that it is possible
to select deprecated IPv6 address if no better preferred address is found.
From RFC 6724 chapter 5:
Rule 3: Avoid deprecated addresses.
If one of the two source addresses is "preferred" and one of them is
"deprecated" (in the RFC 4862 sense), then prefer the one that is
"preferred".
Rule 8: Use longest matching prefix.
If CommonPrefixLen(SA, D) > CommonPrefixLen(SB, D), then prefer SA.
Similarly, if CommonPrefixLen(SB, D) > CommonPrefixLen(SA, D), then
prefer SB.
So the fix allows deprecated address to be selected if it is a better
match than the preferred one. The reasoning here is that an address with
a longer matching prefix is generally considered topologically closer to
the destination. Using such a source address can lead to more efficient
routing, as it's more likely that the source and destination are within
the same network segment or a closely related one.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Make sure RS process is stopped if network interface goes down
as there is no point doing it any more.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
It might happen that if the network interface is going up/down
fast enough, the RS timer could get inserted to the active RS
timer list twice. This would then cause a forever loop in
rs_timeout() when traversing the active list.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
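The failure mode described in the commit message above, as an added example (not code from the Zephyr tree): appending a node that is already the tail of a tail-pointer list makes it point at itself, so a traversal never ends. All names are hypothetical, and the skip-if-already-queued guard is one possible fix assumed here, not taken from the commit.

```c
#include <stdio.h>
/* Tail-pointer list: hypothetical stand-in for the active RS timer list. */
struct node { struct node *next; };
struct list { struct node *head, *tail; };

static void list_append(struct list *l, struct node *n)
{
	n->next = NULL;
	if (l->tail == NULL)
		l->head = n;
	else
		l->tail->next = n; /* n already the tail => n->next == n */
	l->tail = n;
}

static int list_contains(const struct list *l, const struct node *n)
{
	for (const struct node *it = l->head; it != NULL; it = it->next)
		if (it == n)
			return 1;
	return 0;
}

/* Walk at most `limit` nodes; -1 means the walk did not terminate. */
static int list_len(const struct list *l, int limit)
{
	int count = 0;
	for (const struct node *it = l->head; it != NULL; it = it->next)
		if (++count > limit)
			return -1;
	return count;
}

/* Start one constructed timer twice, with or without the guard. */
static int start_twice(int guarded)
{
	struct list active = { NULL, NULL };
	struct node rs_timer = { NULL };
	list_append(&active, &rs_timer);
	if (!guarded || !list_contains(&active, &rs_timer))
		list_append(&active, &rs_timer); /* guard skips a second insert */
	return list_len(&active, 16);
}

int main(void)
{
	printf("unguarded=%d guarded=%d\n", start_twice(0), start_twice(1));
	return 0;
}
```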
Print a warning if sending a packet on the L2 interface fails. Currently
this is completely silent unless `NET_DBG` is enabled and the `context`
parameter is provided.
Signed-off-by: Jordan Yates <jordan@embeint.com>
As the network packet filter drops packets without any indication
that the packet is dropped, it can be difficult to monitor what
is going on in the system when receiving data. The user can
now monitor the statistics and see if packets are being dropped
because of packet filter activity.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
IPPROTO_RAW is not a valid protocol type for AF_PACKET sockets, which
should only use IEEE 802.3 protocol numbers. Therefore remove support
for this type of sockets.
As an alternative, users can use AF_PACKET/SOCK_DGRAM or
AF_INET(6)/SOCK_RAW, depending on the actual use case.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Introduce changes in the networking stack which allow to create raw IP
sockets, so that applications can send and receive raw IP datagrams.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
This is a hack that is used until we have proper IP routing
in place. The code has now special check that makes sure that
we only route IP packets to VPN interface when the packet is
destined to that subnet. So if destination IP address does
not belong to VPN interface subnet, it is not routed there.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Instead of calling various network interface API functions to get
the network interface and related source IP address, have a single
function that can return both data.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Set NET_ADDR_PREFERRED before network event is generated, so that conn_mgr
properly generates NET_EVENT_L4_CONNECTED and NET_EVENT_L4_IPV6_CONNECTED
events.
Fixes: 1a5e13a79b ("net: if: Release the interface lock early when
starting IPv4 ACD")
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
Set NET_ADDR_PREFERRED before network event is generated, so that conn_mgr
properly generates NET_EVENT_L4_CONNECTED and NET_EVENT_L4_IPV4_CONNECTED
events.
Fixes: 1a5e13a79b ("net: if: Release the interface lock early when
starting IPv4 ACD")
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
Previously the net_linkaddr struct had pointers to the link address.
This is error prone and difficult to handle if cloning the packet as
those pointers can point to wrong place. Mitigate this issue by
allocating the space for link address in net_linkaddr struct. This will
increase the size of the net_pkt by 4 octets for IEEE 802.15.4 where the
link address length is 8, but there is no increase in size if link address
is 6 bytes like in Ethernet/Wi-Fi.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Allows to send with different timeouts to not block caller in some
situations. Stable API is kept and just calls `try`-variant with a timeout
of `K_FOREVER`.
Signed-off-by: Cla Mattia Galliard <cla-mattia.galliard@zuehlke.com>
In order to avoid any mutex deadlocks between iface->lock and
TX lock, release the interface lock before calling a function
that will acquire TX lock. See previous commit for similar issue
in RS timer handling. So here we create a separate list of ACD
addresses that are to be started when network interface comes up
without iface->lock held.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
In order to avoid any mutex deadlocks between iface->lock and
TX lock, release the interface lock before calling a function
that will acquire TX lock. See previous commit for similar issue
in RS timer handling. So here we create a separate list of multicast
addresses that are to be rejoined when network interface comes up
and then rejoin the groups without iface->lock held.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
In order to avoid any mutex deadlocks between iface->lock and
TX lock, release the interface lock before calling a function
that will acquire TX lock. See previous commit for similar issue
in RS timer handling.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
The net_if.c:rs_timeout() is sending a new IPv6 router solicitation
message to network by calling net_if_start_rs(). That function will
then acquire iface->lock and call net_ipv6_start_rs() which will try
to send the RS message and acquire TX send lock.
During this RS send, we might receive TCP data that could try to
send an ack to peer. This will then in turn cause also TX lock
to be acquired. Depending on timing, the lock ordering between
rx thread and system workq might mix which could lead to deadlock.
Fix this issue by releasing the iface->lock before starting the
RS sending process. The net_if_start_rs() does not really need to
keep the interface lock for a long time as it is the only one sending
the RS message.
Fixes #86499
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
In rare occasions when sending DAD NS packet fails, we should still
setup the DAD timer, unless we implement some kind of more advanced
retry mechanism. If we don't do that, the IPv6 address added to the
interface will never be usable in such cases.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
DAD creates an entry in the neighbor cache for the queried (own)
address. In case the address is removed from the interface while DAD is
still incomplete, we need to remove the corresponding cache entry (just
like in case of DAD timeout) to avoid stale entries in the cache.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
If an IP address already exists when it is tried to be added to the
network interface, then just return it but update ref count if it was
not updated. This could happen if the address was added and then removed,
but for example an active connection was still using it and keeping the
ref count > 0. In this case we must update the ref count so that the IP
address is not removed if the connection is closed.
Fixes #85380
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Print interface status information for "net iface" command.
This is useful information when debugging connectivity issues.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Since a separate CONFIG_NET_TC_RX_SKIP_FOR_HIGH_PRIO was introduced for
RX TC queues, CONFIG_NET_TC_SKIP_FOR_HIGH_PRIO became ambiguous,
rename it to CONFIG_NET_TC_TX_SKIP_FOR_HIGH_PRIO and deprecate the old
config.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
To avoid starvation of a traffic class by another, limit the maximum amount
of packets, that can sit in a single traffic-class-fifo to a fraction of
the maximum amount of available packets. In the tx-case also reserve
packets for direct sending, in the case, where
CONFIG_NET_TC_SKIP_FOR_HIGH_PRIO is enabled.
Signed-off-by: Cla Mattia Galliard <cla-mattia.galliard@zuehlke.com>
If network interface goes operative down, then re-join user defined
IPv4 multicast groups that were joined earlier when the interface comes
up again. If user takes the network interface down manually (admin down),
then the user specific groups are not re-joined. This works now the same
way as IPv6 re-joining.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
The asserts were not proper here, replace those by runtime
checks as the functions can be called from applications and
asserts are not meant for error checking.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
When IPv4 address is added, currently the netmask remains empty. This
makes it impossible to use the address now that the netmask is
considered during address selection if the application does not
specify the netmask manually. Therefore specify a default netmask for
IPv4 addresses added to an interface with Kconfig.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Bit-wise comparing of the entire IPv4 addresses doesn't make much sense
as when selecting the source address for communication, what really
matters is the subnet part.
Doing so may actually lead to unexpected results, i.e. two addresses
within the same subnet should be considered equally good for
communication within the subnet, yet comparing the unique part of
the address (beyond the netmask) may lead to different results.
This is a problem for the mechanism of preferring the default interface
for LL communication if two interfaces have LL addresses with the
default subnet mask.
Fix this by filtering out the subnet from the IPv4 address before
passing it to net_if_ipv4_get_best_match() function.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
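The effect described in the commit message above, as an added example (not code from the Zephyr tree): with whole-address matching, a non-default interface wins purely because of its host bits, while subnet-only matching gives a tie that the default interface keeps. The names, the sample addresses and the choice to mask both sides with the candidate's netmask are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Candidate source address and its netmask, host byte order. */
struct cand { uint32_t addr, mask; };
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* Number of leading bits two addresses have in common (0..32). */
static int common_prefix_len(uint32_t a, uint32_t b)
{
	uint32_t diff = a ^ b;
	int len = 0;
	while (len < 32 && !(diff & 0x80000000U)) {
		diff <<= 1;
		len++;
	}
	return len;
}

/* Index of the best candidate. Index 0 is the default interface and wins
 * ties. subnet_only != 0 zeroes the host bits on both sides first. */
static int best_match(const struct cand *c, int n, uint32_t dst, int subnet_only)
{
	int best = -1, best_len = -1;
	for (int i = 0; i < n; i++) {
		uint32_t m = subnet_only ? c[i].mask : 0xffffffffU;
		int len = common_prefix_len(c[i].addr & m, dst & m);
		if (len > best_len) {
			best_len = len;
			best = i;
		}
	}
	return best;
}

/* Constructed data: two link-local addresses, both in 169.254.0.0/16. */
static const struct cand sample_cands[] = {
	{ IP4(169, 254, 1, 1), IP4(255, 255, 0, 0) },   /* default interface */
	{ IP4(169, 254, 200, 7), IP4(255, 255, 0, 0) }, /* second interface */
};
static const uint32_t sample_dst = IP4(169, 254, 200, 9);

int main(void)
{
	printf("full=%d subnet=%d\n", best_match(sample_cands, 2, sample_dst, 0),
	       best_match(sample_cands, 2, sample_dst, 1));
	return 0;
}
```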
Currently we blindly return the LL address found on the default
interface or else on the first interface that has a valid LL address
configured.
This doesn't work well, if different interfaces have LL addresses
configured with a different subnet mask. Therefore, instead of blindly
selecting the address based on the first LL address encountered, use
net_if_ipv4_get_best_match() function for LL addresses to find the best
match for the given interface.
The rework takes into account current behavior, i.e. default interface
still gets the preference if there is no better candidate.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
This helper is only needed in socket multicast interface selection
where we need to get one address from the interface so that it will
tell (when getsockopt() is used), the interface IPv4 address where
multicast packets will be sent. This is private function which is not
needed in public headers so place the prototype to net_private.h file.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Do the selection same way as in IPv6 so that if user supplies
unspecified destination address, the default interface is selected
the same way.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Catch "Destination Unreachable" ICMPv4 messages and update PMTU for
a given destination IPv4 address.
Use that PMTU when sending data to the destination.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
This implements support for RFC 7217 which describes a method
to have stable IPv6 Interface Identifiers to be used with IPv6
Stateless Address Autoconfiguration (SLAAC). The stable IIDs are used
to provide enhanced privacy so that an IPv6 address configured using
this method is stable within each subnet, but the corresponding
Interface Identifier changes when the host moves from one network
to another. This method is meant to be an alternative to generating
Interface Identifiers based on hardware (MAC) addresses,
such that the benefits of stable addresses can be achieved without
sacrificing the security and privacy of users.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
IPv6 based interface lookups don't require native IP stack support,
hence reflect that in the API.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
IPv6 MLD API was so far defined in an internal header. This does not
seem correct though, as application code should be able to join/leave
multicast groups, hence the API should be exposed in a public header,
just as it is done for its IPv4 counterpart - IGMP.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
In case NET_NATIVE is disabled, certain network stack components do not
need to be compiled. Otherwise, they could throw errors if
--no-gc-sections compiler option is enabled.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Make sure we check the checksum offloading capabilities correctly
for VLAN interfaces. Use the real Ethernet interface when doing the
check.
Fixes #78724
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
It shouldn't be needed to enable native networking to be able to
add/delete IP addresses on network interfaces.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Running IPv6 on STM32H743 using eth_stm32_hal I had to extend
the timeout between the attempts to send Router Solicitation packets
from 1 second to 2 seconds. Else it looked like the packet never
got sent (checked using tcpdump).
Signed-off-by: Stefan Petersen <spe@ciellt.se>