This adjust the IPv6 source address selection so that it is possible
to select deprecated IPv6 address if no better preferred address is found.
From RFC 6724 chapter 5:
Rule 3: Avoid deprecated addresses.
If one of the two source addresses is "preferred" and one of them is
"deprecated" (in the RFC 4862 sense), then prefer the one that is
"preferred".
Rule 8: Use longest matching prefix.
If CommonPrefixLen(SA, D) > CommonPrefixLen(SB, D), then prefer SA.
Similarly, if CommonPrefixLen(SB, D) > CommonPrefixLen(SA, D), then
prefer SB.
So the fix allows deprecated address to be selected if it is a better
match than the preferred one. The reasoning here is that an address with
a longer matching prefix is generally considered topologically closer to
the destination. Using such a source address can lead to more efficient
routing, as it's more likely that the source and destination are within
the same network segment or a closely related one.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Make sure RS process is stopped if network interface goes down
as there is no point doing it any more.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
It might happen that if the network interface is going up/down
fast enough, the RS timer could get inserted to the active RS
timer list twice. This would then cause a forever loop in
rs_timeout() when traversing the active list.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Update `net_arp_prepare` to return a return code instead of a pointer,
so that the various results of the function can be differentiated.
Signed-off-by: Jordan Yates <jordan@embeint.com>
Print a warning if sending a packet on the L2 interface fails. Currently
this is completely silent unless `NET_DBG` is enabled and the `context`
parameter is provided.
Signed-off-by: Jordan Yates <jordan@embeint.com>
The new DSA framework purpose and changes are as below.
- Aligned to Linux DSA framework which has been already mature framework
for many years, For now in zephyr, the DSA components were splited
as: switch, port, master(not need driver file for now), slave, and tag.
Seperated drivers were used for maintaining and developing new
features.
- The unified dts bindings (aligned to linux) were supported. The port
driver would parse DTS to decide the port type (master port, slave
port, or cpu port) to set up the switch. All the ports registered as
standard ethernet devices. (dsa port and dsa switch tree was not
supported.)
- How to add DSA device driver based on the framework? All the device
driver needing to do is providing dsa_spi implementation and private
data, and calling below initialization.
DSA_INIT_INSTANCE(n, _dapi, data)
- For switch tag case, recv/xmit helpers in dsa_api could be used for
taging/untagging. No modified ethernet drivers.
For no-tag type case, ethernet driver of master port should support
packet injection/extraction for slave ports leaving NULL recv/xmit.
The dsa_nxp_imx_netc.c driver will be the first example of the new DSA
framework.
The future work for DSA will be supporting bridge for ports. We may align
Linux to give users two options to use DSA device:
- Standalone mode: the switch ports work as regular ethernet ports.
- Bridge mode: switch mode with virtual bridge device which could be
assigned IP address.
Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
Current DSA TX/RX way was hard-coded in ethernet devices driver
with ETH_DSA_SUPPORT and NET_DSA.
This patch is to make such way obsolete, as we actually will support
a better DSA framework to handle this in NET/DSA core driver.
To make legacy devices not affected, below options are used instead.
- ETH_DSA_SUPPORT_DEPRECATED
- NET_DSA_DEPRECATED
Once the legacy devices are converted to new DSA framework, this code
could be removed.
Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
Part of the socket matching criteria for AF_PACKET family took place
inside conn_raw_socket() function, and some of it was redundant with
what already was checked in net_conn_packet_input(). Moreover, if the
packet cloning for packet socket failed for whatever reason, the packet
was reported as NET_DROP, which was confusing.
Finally, conn_raw_socket() updated network stats, which didn't really
work as net stats are only collected for UDP/TCP protocols and not for
L2 level protocols.
Therefore, cleanup the processing by:
* Moving all socket matching criteria into net_conn_packet_input()
for clarity,
* Drop unneeded net stats functions,
* Clarify NET_DROP strategy for packet socket input.
net_conn_packet_input() should only be responsible for delivering
packets to respective packet sockets, it should not decide whether
to drop the packet or not - it's L2/L3 processing code
responsibility. Therefore, assume this function forwards packet for
further processing by default, and only allow small optimization to
return NET_OK if the packet socket was really the only endpoint in
the system.
* And finally, since now conn_raw_socket() responsibility was to clone
the packet for the respective socket, and was almost identical to a
corresponding function for raw IP sockets, unify the two functions.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
The current implementation of net_conn_input() can accept different
packet types, with completely different processing code, resulting in a
function which is pretty bloated, sliced with conditionally enabled code
and hard to understand and therefore maintain.
This commit splits that function into smaller ones, specialized for
different packet types (and entry levels). The following functions have
been extracted from the original one:
- net_conn_packet_input() for early packet processing (covering
AF_PACKET family sockets)
- net_conn_raw_ip_input() for raw IP packets processing (covering
AF_INET(6)/SOCK_RAW sockets)
- net_conn_can_input() for CAN packets processing (covering AF_CAN
family sockets)
The net_conn_input() function stripped from above cases now only takes
care of packets that have been processed by respective L4 and are
intended for regular TCP/UDP sockets.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
After L2 processing, the LL protocol type is already known and should be
set accordingly on the packet. Therefore it can be passed to the
net_packet_socket_input() function to allow proper socket filtering
based on protocol.
Additionally, as LL protocol type is 16 bit value, fix the proto
parameter type in net_packet_socket_input().
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Make sure that when sendto is being used without the socket being bound
before, a correct interface is used for transmission. As
zpacket_sendto_ctx() calls net_context_recv() to register receive
callback before sending, a default binding was used by the context
layer, which would bind the socket to the default interface. This could
lead to unexpected results, i.e. packet being sent on a default
interface, even though a different one was specified.
Make also sure that there is no ambiguity in the interface selection -
the application should be explicitly clear what interface it wants to
use when it comes to packet sockets. It's better to return an error if
no valid interface was specified.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
According to AF_PACKET man pages protocol number 0 is allowed, however
in such case the socket is only capable of transmitting packets then:
"If protocol is set to zero, no packets are received."
Therefore, allow to create sockets with such protocol, and at the
connection.c level filter out such sockets from data reception.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Add a "net filter" command that will allow user to see the
current network packet filter configuration.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
As the network packet filter drops packets without any indication
that the packet is dropped, it can be difficult to monitor what
is going on in the system when receiving data. The user can
now monitor the statistics and see if packets are being dropped
because of packet filter activity.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Increase the verbosity of the message when there is no source address
in `net_context_create_ipv4_new`. This is likely the first failure point
when attempting to send data on an interface that has not yet been
assigned an IP address. Burying the fault at the DBG level makes it much
more time consuming to determine the root cause of this error.
Signed-off-by: Jordan Yates <jordan@embeint.com>
IPPROTO_RAW is not a valid protocol type for AF_PACKET sockets, which
should only use IEEE 802.3 protocol numbers. Therefore remove support
for this type of sockets.
As an alternative, users can use AF_PACKET/SOCK_DGRAM or
AF_INET(6)/SOCK_RAW, depending on the actual use case.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Introduce changes in the networking stack which allow to create raw IP
sockets, so that applications can send and receive raw IP datagrams.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Register connection type along with family and protocol, so that it's
possible to differentiate between connection listening for raw IP
datagrams and TCP/UDP/other packets.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Add CONFIG_NET_CONN_PACKET_CLONE_TIMEOUT to allow for longer
timeouts. This can be used to prevent dropping packets when
transmitting large amounts of data (with PPP).
Signed-off-by: Markus Lassila <markus.lassila@nordicsemi.no>
This is a hack that is used until we have proper IP routing
in place. The code has now special check that makes sure that
we only route IP packets to VPN interface when the packet is
destined to that subnet. So if destination IP address does
not belong to VPN interface subnet, it is not routed there.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Instead of calling various network interface API functions to get
the network interface and related source IP address, have a single
function that can return both data.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Add support for the IP_MULTICAST_LOOP socket option to control
multicast packet loopback.
Signed-off-by: AbdElRahman Khalifa <abdelrahman.5alifa@gmail.com>
Add support for the IPV6_MULTICAST_LOOP socket option.
This option allows enabling or disabling the consumption of multicast
packets by the sender. By default, the socket option will be enabled.
Co-authored-by: Pieter De Gendt <pieter.degendt@gmail.com>
Signed-off-by: Sayooj K Karun <sayooj@aerlync.com>
We drop the packet if TTL or hop limit is 0, but we should
also unref the packet in this case because we return 0 to
the caller which is not then able to free the packet because
it thinks that the packet was sent properly.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
The check_ip() in net_core.c did not check that the packet
Ethernet type is either IPv4 or IPv6. This meant that we for
example checked TTL also for ARP packets which is pointless as
those are not IPv4 packets.
Fix this by checking the link layer protocol type of the packet
to be either IPv4 or IPv6 before doing L3 checks.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Adding a helper to parse one or more IPv4/6 strings with optional
netmask or prefix length.
Example of the string:
2001:db8::1/64,192.0.2.1,2001:db8::2,192.0.2.2/24
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Set NET_ADDR_PREFERRED before network event is generated, so that conn_mgr
properly generates NET_EVENT_L4_CONNECTED and NET_EVENT_L4_IPV6_CONNECTED
events.
Fixes: 1a5e13a79b ("net: if: Release the interface lock early when
starting IPv4 ACD")
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
Set NET_ADDR_PREFERRED before network event is generated, so that conn_mgr
properly generates NET_EVENT_L4_CONNECTED and NET_EVENT_L4_IPV4_CONNECTED
events.
Fixes: 1a5e13a79b ("net: if: Release the interface lock early when
starting IPv4 ACD")
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
Previously the net_linkaddr struct had pointers to the link address.
This is error prone and difficult to handle if cloning the packet as
those pointers can point to wrong place. Mitigate this issue by
allocating the space for link address in net_linkaddr struct. This will
increase the size of the net_pkt by 4 octets for IEEE 802.15.4 where the
link address length is 8, but there no increase in size if link address
is 6 bytes like in Ethernet/Wi-Fi.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Use the newly added timeout in various send functions from within
net_context_sendto.
Signed-off-by: Cla Mattia Galliard <cla-mattia.galliard@zuehlke.com>
Allows to send with different timeouts to not block caller in some
situations. Stable API is kept and just calls `try`-variant with a timeout
of `K_FOREVER`.
Signed-off-by: Cla Mattia Galliard <cla-mattia.galliard@zuehlke.com>
When a TCP connection is refused during zsock_connect, errno is set
to -ENOTCONN, but errno should be set to -ECONNREFUSED. This change
causes the ECONNREFUSED status to be propagated from tcp_in to
net_tcp_connect, which eventually causes errno to be set
to -ECONNREFUSED.
Signed-off-by: Noah Olson <noah@wavelynx.com>
In order to avoid any mutex deadlocks between iface->lock and
TX lock, release the interface lock before calling a function
that will acquire TX lock. See previous commit for similar issue
in RS timer handling. So here we create a separate list of ACD
addresses that are to be started when network interface comes up
without iface->lock held.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
In order to avoid any mutex deadlocks between iface->lock and
TX lock, release the interface lock before calling a function
that will acquire TX lock. See previous commit for similar issue
in RS timer handling. So here we create a separate list of multicast
addresses that are to be rejoined when network interface comes up
and then rejoin the groups without iface->lock held.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
In order to avoid any mutex deadlocks between iface->lock and
TX lock, release the interface lock before calling a function
that will acquire TX lock. See previous commit for similar issue
in RS timer handling.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
The net_if.c:rs_timeout() is sending a new IPv6 router solicitation
message to network by calling net_if_start_rs(). That function will
then acquire iface->lock and call net_ipv6_start_rs() which will try
to send the RS message and acquire TX send lock.
During this RS send, we might receive TCP data that could try to
send an ack to peer. This will then in turn cause also TX lock
to be acquired. Depending on timing, the lock ordering between
rx thread and system workq might mix which could lead to deadlock.
Fix this issue by releasing the iface->lock before starting the
RS sending process. The net_if_start_rs() does not really need to
keep the interface lock for a long time as it is the only one sending
the RS message.
Fixes#86499
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Queueing packets should be possible from the ISR context, recent changes
prevented that. Therefore add extra checks in
net_tc_submit_to_tx/rx_queue() to make them ISR friendly again.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
When run the Zperf UDP throughput with '-a' (Asynchronous call),
zperf_work_q thread will generate and send the packets to tx_q thread.
When zperf_work_q and tx_q threads have same priority, if zperf_work_q
fails to take the semaphore of fifo_slot, it will not wait and directly
drop the net_pkt. Then it will allocate new net_pkt, repeat, and always
occupy the CPU, which leads to extreme low throughput.
For TX, when take the semaphore of fifo_slot, setting a wait time of
K_FOREVER to let other thread to process and free these packets.
For RX, when failed to take the semaphore of fifo_slot, yield the CPU
to let the thread of data path with same priority to run to reduce
dropping packets.
Signed-off-by: Maochen Wang <maochen.wang@nxp.com>
In rare occasions when sending DAD NS packet fails, we should still
setup the DAD timer, unless we implement some kind of more advanced
retry mechanism. If we don't do that, the IPv6 address added to the
interface will never be usable in such cases.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
DAD creates an entry in the neighbor cache for the queried (own)
address. In case the address is removed from the interface while DAD is
still incomplete, we need to remove the corresponding cache entry (just
like in case of DAD timeout) to avoid stale entries in the cache.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
According to RFC 4861, ch. 7.2.5:
"If the Override flag is set, or the supplied link-layer address
is the same as that in the cache, or no Target Link-Layer Address
option was supplied, the received advertisement MUST update the
Neighbor Cache entry as follows
...
If the Solicited flag is set, the state of the entry MUST be
set to REACHABLE"
This indicates that Target Link-Layer Address option does not need to be
present in the received solicited Neighbor Advertisement to confirm
reachability. Therefore remove `tllao_offset` variable check from the
if condition responsible for updating cache entry. No further changes in
the logic are required because if TLLA option is missing,
`lladdr_changed` will be set to false, so no LL address will be updated.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
According to RFC 4861, ch. 7.3.3:
"Upon entering the PROBE state, a node sends a unicast Neighbor
Solicitation message to the neighbor using the cached link-layer
address."
Zephyr's implementation was not compliant with behavior, as instead of
sending a unicast probe for reachability confirmation, it was sending a
multicast packet instead. This commit fixes it.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
When Router Advertisement with Source Link-Layer Address option is
received, host should register a new neighbor marked as STALE
(RFC 4861, ch. 6.3.4). This behavior was broken however, because
we always added a new neighbor in INCOMPLETE state before processing
SLLA option. In result, the entry was not updated to the STALE state,
and a redundant Neighbor Solicitation was sent.
Fix this by moving the code responsible for adding neighbor in
INCOMPLETE state after options processing, and only as a fallback
behavior if the SLLA option was not present.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
If an IP address already exists when it is tried to be added to the
network interface, then just return it but update ref count if it was
not updated. This could happen if the address was added and then removed,
but for example an active connection was still using it and keeping the
ref count > 0. In this case we must update the ref count so that the IP
address is not removed if the connection is closed.
Fixes#85380
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
