Google Git
Sign in
fuchsia / fuchsia / bbc9ce36f629 / . / src / connectivity / network / netstack / netstack.go
blob: 0a1d11459ba53311af251bb07cf5392c4270c2fd [file] [log] [blame]
// Copyright 2017 The Fuchsia Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//go:build !build_with_native_toolchain
// +build !build_with_native_toolchain
package netstack
import (
"context"
"errors"
"fmt"
"net"
"sync"
"syscall/zx"
"go.fuchsia.dev/fuchsia/src/connectivity/network/netstack/dhcp"
"go.fuchsia.dev/fuchsia/src/connectivity/network/netstack/dns"
"go.fuchsia.dev/fuchsia/src/connectivity/network/netstack/link"
"go.fuchsia.dev/fuchsia/src/connectivity/network/netstack/link/bridge"
"go.fuchsia.dev/fuchsia/src/connectivity/network/netstack/link/eth"
"go.fuchsia.dev/fuchsia/src/connectivity/network/netstack/routes"
zxtime "go.fuchsia.dev/fuchsia/src/connectivity/network/netstack/time"
"go.fuchsia.dev/fuchsia/src/connectivity/network/netstack/util"
syslog "go.fuchsia.dev/fuchsia/src/lib/syslog/go"
fidlethernet "fidl/fuchsia/hardware/ethernet"
"fidl/fuchsia/net/interfaces/admin"
"fidl/fuchsia/netstack"
"gvisor.dev/gvisor/pkg/tcpip"
"gvisor.dev/gvisor/pkg/tcpip/header"
"gvisor.dev/gvisor/pkg/tcpip/link/ethernet"
"gvisor.dev/gvisor/pkg/tcpip/link/loopback"
"gvisor.dev/gvisor/pkg/tcpip/link/sniffer"
"gvisor.dev/gvisor/pkg/tcpip/network/ipv4"
"gvisor.dev/gvisor/pkg/tcpip/network/ipv6"
"gvisor.dev/gvisor/pkg/tcpip/stack"
)
const (
defaultInterfaceMetric routes.Metric = 100
metricNotSet routes.Metric = 0
lowPriorityRoute routes.Metric = 99999
ipv4Loopback tcpip.Address = "\x7f\x00\x00\x01"
ipv6Loopback tcpip.Address = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"
dhcpAcquisition = 60 * zxtime.Second
dhcpBackoff = 1 * zxtime.Second
dhcpRetransmission = 4 * zxtime.Second
)
var (
errNoSuchAddress = errors.New("no such address")
)
func ipv6LinkLocalOnLinkRoute(nicID tcpip.NICID) tcpip.Route {
return onLinkV6Route(nicID, header.IPv6LinkLocalPrefix.Subnet())
}
type stats struct {
tcpip.Stats
SocketCount tcpip.StatCounter
SocketsCreated tcpip.StatCounter
SocketsDestroyed tcpip.StatCounter
DHCPv6 struct {
NoConfiguration tcpip.StatCounter
ManagedAddress tcpip.StatCounter
OtherConfiguration tcpip.StatCounter
}
IPv6AddressConfig struct {
NoGlobalSLAACOrDHCPv6ManagedAddress tcpip.StatCounter
GlobalSLAACOnly tcpip.StatCounter
DHCPv6ManagedAddressOnly tcpip.StatCounter
GlobalSLAACAndDHCPv6ManagedAddress tcpip.StatCounter
}
}
// endpointsMap is a map from a monotonically increasing uint64 value to tcpip.Endpoint.
//
// It is a typesafe wrapper around sync.Map.
type endpointsMap struct {
nextKey uint64
inner sync.Map
}
func (m *endpointsMap) Load(key uint64) (tcpip.Endpoint, bool) {
if value, ok := m.inner.Load(key); ok {
return value.(tcpip.Endpoint), true
}
return nil, false
}
func (m *endpointsMap) Store(key uint64, value tcpip.Endpoint) {
m.inner.Store(key, value)
}
func (m *endpointsMap) LoadOrStore(key uint64, value tcpip.Endpoint) (tcpip.Endpoint, bool) {
// Create a scope to allow `value` to be shadowed below.
{
value, ok := m.inner.LoadOrStore(key, value)
return value.(tcpip.Endpoint), ok
}
}
func (m *endpointsMap) LoadAndDelete(key uint64) (tcpip.Endpoint, bool) {
if value, ok := m.inner.LoadAndDelete(key); ok {
return value.(tcpip.Endpoint), ok
}
return nil, false
}
func (m *endpointsMap) Delete(key uint64) {
m.inner.Delete(key)
}
func (m *endpointsMap) Range(f func(key uint64, value tcpip.Endpoint) bool) {
m.inner.Range(func(key, value interface{}) bool {
return f(key.(uint64), value.(tcpip.Endpoint))
})
}
// NICRemovedHandler is an interface implemented by types that are interested
// in NICs that have been removed.
type NICRemovedHandler interface {
// RemovedNIC informs the receiver that the specified NIC has been removed.
RemovedNIC(tcpip.NICID)
}
// A Netstack tracks all of the running state of the network stack.
type Netstack struct {
dnsConfig dns.ServersConfig
interfaceWatchers interfaceWatcherCollection
stack *stack.Stack
routeTable routes.RouteTable
mu struct {
sync.Mutex
transactionRequest *netstack.RouteTableTransactionWithCtxInterfaceRequest
countNIC tcpip.NICID
}
stats stats
endpoints endpointsMap
nicRemovedHandlers []NICRemovedHandler
}
// Each ifState tracks the state of a network interface.
type ifState struct {
ns *Netstack
// Implements administrative control of link status.
//
// Non-nil iff the underlying link status can be toggled.
controller link.Controller
// Implements observation of link status.
//
// Non-nil iff the underlying link status can be observed.
observer link.Observer
nicid tcpip.NICID
mu struct {
sync.Mutex
adminUp, linkOnline bool
// metric is used by default for routes that originate from this NIC.
metric routes.Metric
dhcp struct {
*dhcp.Client
// running must not be nil.
running func() bool
// cancel must not be nil.
cancel context.CancelFunc
// Used to restart the DHCP client when we go from down to up.
enabled bool
}
}
adminControls adminControlCollection
addressStateProviders addressStateProviderCollection
dns struct {
mu struct {
sync.Mutex
servers []tcpip.Address
}
}
// The "outermost" LinkEndpoint implementation (the composition of link
// endpoint functionality happens by wrapping other link endpoints).
endpoint stack.LinkEndpoint
bridgeable *bridge.BridgeableEndpoint
// TODO(https://fxbug.dev/86665): Bridged interfaces are disabled within
// gVisor upon creation and thus the bridge must keep track of them
// in order to re-enable them when the bridge is removed. This is a
// hack, and should be replaced with a proper bridging implementation.
bridgedInterfaces []tcpip.NICID
}
func (ifs *ifState) LinkOnlineLocked() bool {
return ifs.observer == nil || ifs.mu.linkOnline
}
func (ifs *ifState) IsUpLocked() bool {
return ifs.mu.adminUp && ifs.LinkOnlineLocked()
}
// defaultV4Route returns a default IPv4 route through gateway on the specified
// NIC.
func defaultV4Route(nicid tcpip.NICID, gateway tcpip.Address) tcpip.Route {
return tcpip.Route{
Destination: header.IPv4EmptySubnet,
Gateway: gateway,
NIC: nicid,
}
}
// onLinkV6Route returns an on-link route to dest through the specified NIC.
//
// dest must be a subnet that is directly reachable by the specified NIC as
// an on-link route is a route to a subnet that a NIC is directly connected to.
func onLinkV6Route(nicID tcpip.NICID, dest tcpip.Subnet) tcpip.Route {
return tcpip.Route{
Destination: dest,
NIC: nicID,
}
}
func addressWithPrefixRoute(nicid tcpip.NICID, addr tcpip.AddressWithPrefix) tcpip.Route {
mask := net.CIDRMask(addr.PrefixLen, len(addr.Address)*8)
destination, err := tcpip.NewSubnet(tcpip.Address(net.IP(addr.Address).Mask(mask)), tcpip.AddressMask(mask))
if err != nil {
panic(err)
}
return tcpip.Route{
Destination: destination,
NIC: nicid,
}
}
func (ns *Netstack) name(nicid tcpip.NICID) string {
name := ns.stack.FindNICNameFromID(nicid)
if len(name) == 0 {
name = fmt.Sprintf("unknown(NICID=%d)", nicid)
}
return name
}
// AddRoute adds a single route to the route table in a sorted fashion.
func (ns *Netstack) AddRoute(r tcpip.Route, metric routes.Metric, dynamic bool) error {
return ns.AddRoutes([]tcpip.Route{r}, metric, dynamic)
}
func (ns *Netstack) addRouteWithPreference(r tcpip.Route, prf routes.Preference, metric routes.Metric, dynamic bool) error {
return ns.addRoutesWithPreference([]tcpip.Route{r}, prf, metric, dynamic)
}
// AddRoutes adds one or more routes to the route table in a sorted
// fashion.
//
// The routes will be added with the default (medium) medium preference value.
func (ns *Netstack) AddRoutes(rs []tcpip.Route, metric routes.Metric, dynamic bool) error {
return ns.addRoutesWithPreference(rs, routes.MediumPreference, metric, dynamic)
}
func (ns *Netstack) addRoutesWithPreference(rs []tcpip.Route, prf routes.Preference, metric routes.Metric, dynamic bool) error {
metricTracksInterface := false
if metric == metricNotSet {
metricTracksInterface = true
}
_ = syslog.Infof("adding routes [%s] prf=%d metric=%d dynamic=%t", rs, prf, metric, dynamic)
var defaultRouteAdded bool
for _, r := range rs {
// If we don't have an interface set, find it using the gateway address.
if r.NIC == 0 {
nic, err := ns.routeTable.FindNIC(r.Gateway)
if err != nil {
return fmt.Errorf("error finding NIC for gateway %s: %w", r.Gateway, err)
}
r.NIC = nic
}
nicInfo, ok := ns.stack.NICInfo()[r.NIC]
if !ok {
return fmt.Errorf("error getting nicInfo for NIC %d, not in map: %w", r.NIC, routes.ErrNoSuchNIC)
}
ifs := nicInfo.Context.(*ifState)
ifs.mu.Lock()
enabled := ifs.IsUpLocked()
if metricTracksInterface {
metric = ifs.mu.metric
}
ns.routeTable.AddRoute(r, prf, metric, metricTracksInterface, dynamic, enabled)
ifs.mu.Unlock()
if util.IsAny(r.Destination.ID()) && enabled {
defaultRouteAdded = true
}
}
ns.routeTable.UpdateStack(ns.stack)
if defaultRouteAdded {
ns.onDefaultRouteChange()
}
return nil
}
// DelRoute deletes a single route from the route table.
func (ns *Netstack) DelRoute(r tcpip.Route) error {
_ = syslog.Infof("deleting route %s", r)
if err := ns.routeTable.DelRoute(r); err != nil {
return err
}
ns.routeTable.UpdateStack(ns.stack)
if util.IsAny(r.Destination.ID()) {
ns.onDefaultRouteChange()
}
return nil
}
// GetExtendedRouteTable returns a copy of the current extended route table.
func (ns *Netstack) GetExtendedRouteTable() []routes.ExtendedRoute {
return ns.routeTable.GetExtendedRouteTable()
}
// UpdateRoutesByInterface applies update actions to the routes for a
// given interface.
func (ns *Netstack) UpdateRoutesByInterface(nicid tcpip.NICID, action routes.Action) {
ns.routeTable.UpdateRoutesByInterface(nicid, action)
ns.routeTable.UpdateStack(ns.stack)
// TODO(https://fxbug.dev/82590): Avoid spawning the goroutine by not
// computing all interface properties and just sending the default route
// changes.
//
// ifState may be locked here, so run the default route change handler in a
// goroutine to prevent deadlock.
go ns.onDefaultRouteChange()
}
func (ns *Netstack) removeInterfaceAddress(nic tcpip.NICID, addr tcpip.ProtocolAddress, removeRoute bool) zx.Status {
_ = syslog.Infof("removing static IP %s from NIC %d, removeRoute=%t", addr.AddressWithPrefix, nic, removeRoute)
nicInfo, ok := ns.stack.NICInfo()[nic]
if !ok {
return zx.ErrNotFound
}
if _, foundAddr := findAddress(nicInfo.ProtocolAddresses, addr); !foundAddr {
return zx.ErrNotFound
}
if removeRoute {
route := addressWithPrefixRoute(nic, addr.AddressWithPrefix)
_ = syslog.Infof("removing subnet route %s", route)
if err := ns.DelRoute(route); err == routes.ErrNoSuchRoute {
// The route might have been removed by user action. Continue.
} else if err != nil {
panic(fmt.Sprintf("unexpected error deleting route: %s", err))
}
}
switch err := ns.stack.RemoveAddress(nic, addr.AddressWithPrefix.Address); err.(type) {
case nil:
case *tcpip.ErrUnknownNICID:
panic(fmt.Sprintf("stack.RemoveAddress(_): NIC [%d] not found", nic))
case *tcpip.ErrBadLocalAddress:
return zx.ErrNotFound
default:
panic(fmt.Sprintf("stack.RemoveAddress(%d, %s) = %s", nic, addr.AddressWithPrefix.Address, err))
}
ns.onPropertiesChange(nic, nil)
nicInfo.Context.(*ifState).addressStateProviders.onAddressRemove(addr.AddressWithPrefix.Address)
return zx.ErrOk
}
// addInterfaceAddress adds `addr` to `nic`, returning `zx.ErrOk` if successful.
//
// TODO(https://fxbug.dev/21222): Change this function to return
// `admin.AddressRemovalReason` when we no longer need it for
// `fuchsia.net.stack/Stack` or `fuchsia.netstack/Netstack`.
func (ns *Netstack) addInterfaceAddress(nic tcpip.NICID, addr tcpip.ProtocolAddress, addRoute bool) zx.Status {
_ = syslog.Infof("adding static IP %s to NIC %d, addRoute=%t", addr.AddressWithPrefix, nic, addRoute)
if info, ok := ns.stack.NICInfo()[nic]; ok {
if a, addrFound := findAddress(info.ProtocolAddresses, addr); addrFound {
if a.AddressWithPrefix.PrefixLen == addr.AddressWithPrefix.PrefixLen {
return zx.ErrAlreadyExists
}
// Same address but different prefix. Remove the address and re-add it
// with the new prefix (below).
switch err := ns.stack.RemoveAddress(nic, addr.AddressWithPrefix.Address); err.(type) {
case nil:
case *tcpip.ErrUnknownNICID:
return zx.ErrNotFound
case *tcpip.ErrBadLocalAddress:
// We lost a race, the address was already removed.
default:
panic(fmt.Sprintf("NIC %d: failed to remove address %s: %s", nic, addr.AddressWithPrefix, err))
}
}
}
switch err := ns.stack.AddProtocolAddress(nic, addr, stack.AddressProperties{}); err.(type) {
case nil:
case *tcpip.ErrUnknownNICID:
return zx.ErrNotFound
case *tcpip.ErrDuplicateAddress:
return zx.ErrAlreadyExists
default:
panic(fmt.Sprintf("NIC %d: failed to add address %s: %s", nic, addr.AddressWithPrefix, err))
}
if addRoute {
route := addressWithPrefixRoute(nic, addr.AddressWithPrefix)
_ = syslog.Infof("creating subnet route %s with metric=<not-set>, dynamic=false", route)
if err := ns.AddRoute(route, metricNotSet, false); err != nil {
if !errors.Is(err, routes.ErrNoSuchNIC) {
panic(fmt.Sprintf("NIC %d: failed to add subnet route %s: %s", nic, route, err))
}
return zx.ErrNotFound
}
}
switch addr.Protocol {
case header.IPv4ProtocolNumber:
ns.interfaceWatchers.onAddressAdd(nic, addr, zxtime.Monotonic(int64(zx.TimensecInfinite)))
// TODO(https://fxbug.dev/82045): This assumes that DAD is always enabled, and relies on the DAD
// completion callback to unblock hanging gets waiting for interface address changes.
case header.IPv6ProtocolNumber:
default:
}
return zx.ErrOk
}
func (ns *Netstack) onInterfaceAdd(nicid tcpip.NICID) {
ns.interfaceWatchers.mu.Lock()
defer ns.interfaceWatchers.mu.Unlock()
nicInfo, ok := ns.stack.NICInfo()[nicid]
if !ok {
_ = syslog.Warnf("onInterfaceAdd(%d): NIC cannot be found", nicid)
return
}
ns.interfaceWatchers.onInterfaceAddLocked(nicid, nicInfo, ns.GetExtendedRouteTable())
}
func (ns *Netstack) onPropertiesChange(nicid tcpip.NICID, addressPatches []addressPatch) {
ns.interfaceWatchers.mu.Lock()
defer ns.interfaceWatchers.mu.Unlock()
nicInfo, ok := ns.stack.NICInfo()[nicid]
if !ok {
_ = syslog.Warnf("onPropertiesChange(%d, %+v): interface cannot be found", nicid, addressPatches)
return
}
ns.interfaceWatchers.onPropertiesChangeLocked(nicid, nicInfo, addressPatches)
}
func (ns *Netstack) onDefaultRouteChange() {
ns.interfaceWatchers.mu.Lock()
defer ns.interfaceWatchers.mu.Unlock()
ns.interfaceWatchers.onDefaultRouteChangeLocked(ns.GetExtendedRouteTable())
}
// Called when DAD completes with either success or failure.
//
// Note that this function should not be called if DAD was aborted due to
// interface going offline, as the link online change handler will update the
// address assignment state accordingly.
func (ns *Netstack) onDuplicateAddressDetectionComplete(nicid tcpip.NICID, addr tcpip.Address, success bool) {
nicInfo, ok := ns.stack.NICInfo()[nicid]
if !ok {
_ = syslog.Warnf("DAD completed for address %s on interface %d, interface not found", addr, nicid)
return
}
ifs := nicInfo.Context.(*ifState)
ifs.onDuplicateAddressDetectionComplete(addr, success)
}
func (ifs *ifState) onDuplicateAddressDetectionComplete(addr tcpip.Address, success bool) {
// TODO(https://fxbug.dev/82045): DAD completion and interface
// online/offline race against each other since they both set address
// assignment state, which means that we must lock `ifState.mu`
// and then `addressStateProviderCollection.mu` here to prevent
// interface online change concurrently attempting to mutate the
// address assignment state.
online := func() bool {
ifs.mu.Lock()
defer ifs.mu.Unlock()
ifs.addressStateProviders.mu.Lock()
return ifs.IsUpLocked()
}()
defer ifs.addressStateProviders.mu.Unlock()
ifs.addressStateProviders.onDuplicateAddressDetectionCompleteLocked(ifs.nicid, addr, online, success)
}
func (ifs *ifState) updateMetric(metric routes.Metric) {
ifs.mu.Lock()
ifs.mu.metric = metric
ifs.mu.Unlock()
}
func (ifs *ifState) dhcpAcquired(lost, acquired tcpip.AddressWithPrefix, config dhcp.Config) {
name := ifs.ns.name(ifs.nicid)
if lost == acquired {
_ = syslog.Infof("NIC %s: DHCP renewed address %s for %s", name, acquired, config.LeaseLength)
} else {
if lost != (tcpip.AddressWithPrefix{}) {
if err := ifs.ns.stack.RemoveAddress(ifs.nicid, lost.Address); err != nil {
_ = syslog.Errorf("NIC %s: failed to remove DHCP address %s: %s", name, lost, err)
} else {
_ = syslog.Infof("NIC %s: removed DHCP address %s", name, lost)
}
// Remove the dynamic routes for this interface.
ifs.ns.UpdateRoutesByInterface(ifs.nicid, routes.ActionDeleteDynamic)
}
if acquired != (tcpip.AddressWithPrefix{}) {
if err := ifs.ns.stack.AddProtocolAddress(ifs.nicid, tcpip.ProtocolAddress{
Protocol: ipv4.ProtocolNumber,
AddressWithPrefix: acquired,
}, stack.AddressProperties{
PEB: stack.CanBePrimaryEndpoint,
}); err != nil {
_ = syslog.Errorf("NIC %s: failed to add DHCP acquired address %s: %s", name, acquired, err)
} else {
_ = syslog.Infof("NIC %s: DHCP acquired address %s for %s", name, acquired, config.LeaseLength)
// Add a route for the local subnet.
rs := []tcpip.Route{
addressWithPrefixRoute(ifs.nicid, acquired),
}
// Add a default route through each router.
for _, router := range config.Router {
// Reject non-unicast addresses to avoid an explosion of traffic in
// case of misconfiguration.
if ip := net.IP(router); !ip.IsLinkLocalUnicast() && !ip.IsGlobalUnicast() {
_ = syslog.Warnf("NIC %s: DHCP specified non-unicast router %s, skipping", name, ip)
continue
}
rs = append(rs, defaultV4Route(ifs.nicid, router))
}
_ = syslog.Infof("adding routes %s with metric=<not-set> dynamic=true", rs)
if err := ifs.ns.AddRoutes(rs, metricNotSet, true /* dynamic */); err != nil {
_ = syslog.Infof("error adding routes for DHCP: %s", err)
}
}
}
}
// Patch the address data exposed by fuchsia.net.interfaces with a validUntil
// value derived from the DHCP configuration.
patches := []addressPatch{
{
addr: acquired,
validUntil: config.UpdatedAt.Add(config.LeaseLength.Duration()),
},
}
// TODO(https://fxbug.dev/82590): Avoid spawning this goroutine by sending
// the delta of the address property change only instead of computing the
// delta of all properties, which requires acquiring `ifState.mu`.
//
// Dispatch interface change handlers on another goroutine to prevent a
// deadlock while holding ifState.mu since dhcpAcquired is called on
// cancellation.
go ifs.ns.onPropertiesChange(ifs.nicid, patches)
if updated := ifs.setDNSServers(config.DNS); updated {
_ = syslog.Infof("NIC %s: set DNS servers: %s", name, config.DNS)
}
}
// setDNSServers updates the receiver's dnsServers if necessary and returns
// whether they were updated.
func (ifs *ifState) setDNSServers(servers []tcpip.Address) bool {
ifs.dns.mu.Lock()
sameDNS := len(ifs.dns.mu.servers) == len(servers)
if sameDNS {
for i := range ifs.dns.mu.servers {
sameDNS = ifs.dns.mu.servers[i] == servers[i]
if !sameDNS {
break
}
}
}
if !sameDNS {
ifs.dns.mu.servers = servers
ifs.ns.dnsConfig.UpdateDhcpServers(ifs.nicid, &ifs.dns.mu.servers)
}
ifs.dns.mu.Unlock()
return !sameDNS
}
// setDHCPStatus updates the DHCP status on an interface and runs the DHCP
// client if it should be enabled.
//
// Takes the ifState lock.
func (ifs *ifState) setDHCPStatus(name string, enabled bool) {
_ = syslog.VLogf(syslog.DebugVerbosity, "NIC %s: setDHCPStatus = %t", name, enabled)
ifs.mu.Lock()
defer ifs.mu.Unlock()
ifs.mu.dhcp.enabled = enabled
ifs.mu.dhcp.cancel()
if ifs.mu.dhcp.enabled && ifs.IsUpLocked() {
ifs.runDHCPLocked(name)
}
}
// Runs the DHCP client with a fresh context and initializes ifs.mu.dhcp.cancel.
// Call the old cancel function before calling this function.
func (ifs *ifState) runDHCPLocked(name string) {
_ = syslog.Infof("NIC %s: run DHCP", name)
ctx, cancel := context.WithCancel(context.Background())
var wg sync.WaitGroup
ifs.mu.dhcp.cancel = func() {
cancel()
wg.Wait()
}
ifs.mu.dhcp.running = func() bool {
return ctx.Err() == nil
}
if c := ifs.mu.dhcp.Client; c != nil {
wg.Add(1)
go func() {
c.Run(ctx)
wg.Done()
}()
} else {
panic(fmt.Sprintf("nil DHCP client on interface %s", name))
}
}
func (ifs *ifState) dhcpEnabled() bool {
ifs.mu.Lock()
defer ifs.mu.Unlock()
return ifs.mu.dhcp.enabled
}
func (ifs *ifState) onDownLocked(name string, closed bool) {
// Stop DHCP, this triggers the removal of all dynamically obtained configuration (IP, routes,
// DNS servers).
ifs.mu.dhcp.cancel()
// Remove DNS servers through ifs.
ifs.ns.dnsConfig.RemoveAllServersWithNIC(ifs.nicid)
ifs.setDNSServers(nil)
if closed {
// The interface is removed, force all of its routes to be removed.
ifs.ns.UpdateRoutesByInterface(ifs.nicid, routes.ActionDeleteAll)
} else {
// The interface is down, disable static routes (dynamic ones are handled
// by the cancelled DHCP server).
ifs.ns.UpdateRoutesByInterface(ifs.nicid, routes.ActionDisableStatic)
}
if err := ifs.ns.DelRoute(ipv6LinkLocalOnLinkRoute(ifs.nicid)); err != nil && err != routes.ErrNoSuchRoute {
_ = syslog.Errorf("error deleting link-local on-link route for nicID (%d): %s", ifs.nicid, err)
}
if closed {
switch err := ifs.ns.stack.RemoveNIC(ifs.nicid); err.(type) {
case nil, *tcpip.ErrUnknownNICID:
default:
_ = syslog.Errorf("error removing NIC %s in stack.Stack: %s", name, err)
}
for _, h := range ifs.ns.nicRemovedHandlers {
h.RemovedNIC(ifs.nicid)
}
// TODO(https://fxbug.dev/86665): Re-enabling bridged interfaces on removal
// of the bridge is a hack, and needs a proper implementation.
for _, nicid := range ifs.bridgedInterfaces {
nicInfo, ok := ifs.ns.stack.NICInfo()[nicid]
if !ok {
continue
}
bridgedIfs := nicInfo.Context.(*ifState)
bridgedIfs.mu.Lock()
if bridgedIfs.IsUpLocked() {
switch err := ifs.ns.stack.EnableNIC(nicid); err.(type) {
case nil, *tcpip.ErrUnknownNICID:
default:
_ = syslog.Errorf("failed to enable bridged interface %d after removing bridge: %s", nicid, err)
}
}
bridgedIfs.mu.Unlock()
}
} else {
if err := ifs.ns.stack.DisableNIC(ifs.nicid); err != nil {
_ = syslog.Errorf("error disabling NIC %s in stack.Stack: %s", name, err)
}
}
}
func (ifs *ifState) stateChangeLocked(name string, adminUp, linkOnline bool) bool {
before := ifs.IsUpLocked()
after := adminUp && linkOnline
if after != before {
if after {
if ifs.bridgeable.IsBridged() {
_ = syslog.Warnf("not enabling NIC %s in stack.Stack because it is attached to a bridge", name)
} else if err := ifs.ns.stack.EnableNIC(ifs.nicid); err != nil {
_ = syslog.Errorf("error enabling NIC %s in stack.Stack: %s", name, err)
}
// DHCPv4 sends packets to the IPv4 broadcast address so make sure there is
// a valid route to it. This route is only needed for the initial DHCPv4
// transaction. Marking the route as dynamic will result in it being removed
// when configurations are acquired via DHCPv4, which is okay as following
// DHCPv4 requests will be sent directly to the DHCPv4 server instead of
// broadcasting it to the whole link.
ifs.ns.routeTable.AddRoute(
tcpip.Route{Destination: util.PointSubnet(header.IPv4Broadcast), NIC: ifs.nicid},
routes.MediumPreference,
lowPriorityRoute,
false, /* metricTracksInterface */
true, /* dynamic */
true, /* enabled */
)
// Re-enable static routes out this interface.
ifs.ns.UpdateRoutesByInterface(ifs.nicid, routes.ActionEnableStatic)
if ifs.mu.dhcp.enabled {
ifs.mu.dhcp.cancel()
ifs.runDHCPLocked(name)
}
// Add an on-link route for the IPv6 link-local subnet. The route is added
// as a 'static' route because Netstack will remove dynamic routes on DHCPv4
// changes. See staticRouteAvoidingLifeCycleHooks for more details.
ifs.ns.routeTable.AddRoute(
ipv6LinkLocalOnLinkRoute(ifs.nicid),
routes.MediumPreference,
metricNotSet,
true, /* metricTracksInterface */
staticRouteAvoidingLifeCycleHooks,
true, /* enabled */
)
ifs.ns.routeTable.UpdateStack(ifs.ns.stack)
} else {
ifs.onDownLocked(name, false)
}
}
ifs.mu.adminUp = adminUp
ifs.mu.linkOnline = linkOnline
return after != before
}
func (ifs *ifState) onLinkOnlineChanged(linkOnline bool) {
name := ifs.ns.name(ifs.nicid)
if func() bool {
after, changed := func() (bool, bool) {
ifs.mu.Lock()
defer func() {
ifs.addressStateProviders.mu.Lock()
ifs.mu.Unlock()
}()
changed := ifs.stateChangeLocked(name, ifs.mu.adminUp, linkOnline)
_ = syslog.Infof("NIC %s: observed linkOnline=%t when adminUp=%t, interfacesChanged=%t", name, linkOnline, ifs.mu.adminUp, changed)
return ifs.IsUpLocked(), changed
}()
defer ifs.addressStateProviders.mu.Unlock()
ifs.addressStateProviders.onInterfaceOnlineChangeLocked(after)
return changed
}() {
ifs.ns.onPropertiesChange(ifs.nicid, nil)
}
}
func (ifs *ifState) setState(enabled bool) (bool, error) {
name := ifs.ns.name(ifs.nicid)
wasEnabled, changed, err := func() (bool, bool, error) {
wasEnabled, isUpAfter, changed, err := func() (bool, bool, bool, error) {
ifs.mu.Lock()
defer func() {
ifs.addressStateProviders.mu.Lock()
ifs.mu.Unlock()
}()
wasEnabled := ifs.mu.adminUp
if wasEnabled == enabled {
return wasEnabled, ifs.IsUpLocked(), false, nil
}
if controller := ifs.controller; controller != nil {
fn := controller.Down
if enabled {
fn = controller.Up
}
if err := fn(); err != nil {
return wasEnabled, false, false, err
}
}
changed := ifs.stateChangeLocked(name, enabled, ifs.LinkOnlineLocked())
_ = syslog.Infof("NIC %s: set adminUp=%t when linkOnline=%t, interfacesChanged=%t", name, ifs.mu.adminUp, ifs.LinkOnlineLocked(), changed)
return wasEnabled, ifs.IsUpLocked(), changed, nil
}()
defer ifs.addressStateProviders.mu.Unlock()
if err != nil {
return wasEnabled, false, err
}
ifs.addressStateProviders.onInterfaceOnlineChangeLocked(isUpAfter)
return wasEnabled, changed, nil
}()
if err != nil {
_ = syslog.Infof("NIC %s: setting adminUp=%t failed: %s", name, enabled, err)
return wasEnabled, err
}
if changed {
ifs.ns.onPropertiesChange(ifs.nicid, nil)
}
return wasEnabled, nil
}
func (ifs *ifState) Up() error {
_, err := ifs.setState(true)
return err
}
func (ifs *ifState) Down() error {
_, err := ifs.setState(false)
return err
}
func (ifs *ifState) RemoveByUser() {
ifs.remove(admin.InterfaceRemovedReasonUser)
}
func (ifs *ifState) RemoveByLinkClose() {
ifs.remove(admin.InterfaceRemovedReasonPortClosed)
}
func (ifs *ifState) remove(reason admin.InterfaceRemovedReason) {
name := ifs.ns.name(ifs.nicid)
_ = syslog.Infof("NIC %s: removing, reason=%s", name, reason)
// Close all open control channels with the interface before removing it from
// the stack. That prevents any further administrative action from happening.
ifs.adminControls.onInterfaceRemove(reason)
// Detach the endpoint and wait for clean termination before we remove the
// NIC from the stack, that ensures that we can't be racing with other calls
// to onDown that are signalling link status changes.
ifs.endpoint.Attach(nil)
_ = syslog.Infof("NIC %s: waiting for endpoint cleanup...", name)
ifs.endpoint.Wait()
_ = syslog.Infof("NIC %s: endpoint cleanup done", name)
ifs.mu.Lock()
ifs.onDownLocked(name, true /* closed */)
ifs.mu.Unlock()
_ = syslog.Infof("NIC %s: removed", name)
ifs.ns.interfaceWatchers.onInterfaceRemove(ifs.nicid)
ifs.addressStateProviders.onInterfaceRemove()
}
var nameProviderErrorLogged uint32 = 0
// TODO(stijlist): figure out a way to make it impossible to accidentally
// enable DHCP on loopback interfaces.
func (ns *Netstack) addLoopback() error {
ifs, err := ns.addEndpoint(
func(tcpip.NICID) string {
return "lo"
},
// To match linux behaviour, as per
// https://github.com/torvalds/linux/blob/5bfc75d92efd494db37f5c4c173d3639d4772966/drivers/net/loopback.c#L162.
ethernet.New(loopback.New()),
nil, /* controller */
nil, /* observer */
defaultInterfaceMetric,
)
if err != nil {
return err
}
ifs.mu.Lock()
nicid := ifs.nicid
ifs.mu.Unlock()
// Loopback interfaces do not need NDP or DAD.
if err := func() tcpip.Error {
ep, err := ns.stack.GetNetworkEndpoint(nicid, ipv6.ProtocolNumber)
if err != nil {
return err
}
// Must never fail, but the compiler can't tell.
ndpEP := ep.(ipv6.NDPEndpoint)
ndpEP.SetNDPConfigurations(ipv6.NDPConfigurations{})
dadEP := ep.(stack.DuplicateAddressDetector)
dadEP.SetDADConfigurations(stack.DADConfigurations{})
return nil
}(); err != nil {
return fmt.Errorf("error setting NDP configurations to NIC ID %d: %s", nicid, err)
}
ipv4LoopbackPrefix := tcpip.AddressMask(net.IP(ipv4Loopback).DefaultMask()).Prefix()
ipv4LoopbackProtocolAddress := tcpip.ProtocolAddress{
Protocol: ipv4.ProtocolNumber,
AddressWithPrefix: tcpip.AddressWithPrefix{
Address: ipv4Loopback,
PrefixLen: ipv4LoopbackPrefix,
},
}
ipv4LoopbackRoute := addressWithPrefixRoute(nicid, ipv4LoopbackProtocolAddress.AddressWithPrefix)
if err := ns.stack.AddProtocolAddress(nicid, ipv4LoopbackProtocolAddress, stack.AddressProperties{}); err != nil {
return fmt.Errorf("AddProtocolAddress(%d, %#v, {}): %s", nicid, ipv4LoopbackProtocolAddress, err)
}
ipv6LoopbackProtocolAddress := tcpip.ProtocolAddress{
Protocol: ipv6.ProtocolNumber,
AddressWithPrefix: ipv6Loopback.WithPrefix(),
}
if err := ns.stack.AddProtocolAddress(nicid, ipv6LoopbackProtocolAddress, stack.AddressProperties{}); err != nil {
return fmt.Errorf("AddProtocolAddress(%d, %#v, {}): %s", nicid, ipv6LoopbackProtocolAddress, err)
}
if err := ns.AddRoutes(
[]tcpip.Route{
ipv4LoopbackRoute,
{
Destination: util.PointSubnet(ipv6Loopback),
NIC: nicid,
},
},
metricNotSet, /* use interface metric */
false, /* dynamic */
); err != nil {
return fmt.Errorf("loopback: adding routes failed: %w", err)
}
if err := ifs.Up(); err != nil {
return err
}
return nil
}
func (ns *Netstack) Bridge(nics []tcpip.NICID) (*ifState, error) {
links := make([]*bridge.BridgeableEndpoint, 0, len(nics))
ifStates := make([]*ifState, 0, len(nics))
for _, nicid := range nics {
nicInfo, ok := ns.stack.NICInfo()[nicid]
if !ok {
return nil, fmt.Errorf("failed to find NIC %d", nicid)
}
ifs := nicInfo.Context.(*ifState)
ifStates = append(ifStates, ifs)
if controller := ifs.controller; controller != nil {
if err := controller.SetPromiscuousMode(true); err != nil {
return nil, fmt.Errorf("error enabling promiscuous mode for NIC %d in stack.Stack while bridging endpoint: %w", ifs.nicid, err)
}
}
links = append(links, ifs.bridgeable)
}
b, err := bridge.New(links)
if err != nil {
return nil, err
}
ifs, err := ns.addEndpoint(
func(nicid tcpip.NICID) string {
return fmt.Sprintf("br%d", nicid)
},
b,
b,
nil, /* observer */
defaultInterfaceMetric,
)
if err != nil {
return nil, err
}
ifs.bridgedInterfaces = nics
for _, ifs := range ifStates {
func() {
// Disabling the NIC and attaching interfaces to the bridge must be called
// under lock to avoid racing against admin/link status changes which may
// enable the NIC.
ifs.mu.Lock()
defer ifs.mu.Unlock()
// TODO(https://fxbug.dev/86665): Disabling bridged interfaces inside gVisor
// is a hack, and in need of a proper implementation.
switch err := ifs.ns.stack.DisableNIC(ifs.nicid); err.(type) {
case nil:
case *tcpip.ErrUnknownNICID:
// TODO(https://fxbug.dev/86959): Handle bridged interface removal.
_ = syslog.Warnf("NIC %d removed while attaching to bridge", ifs.nicid)
default:
panic(fmt.Sprintf("unexpected error disabling NIC %d while attaching to bridge: %s", ifs.nicid, err))
}
ifs.bridgeable.SetBridge(b)
}()
}
return ifs, err
}
func makeEndpointName(prefix, configName string) func(nicid tcpip.NICID) string {
return func(nicid tcpip.NICID) string {
if len(configName) == 0 {
return fmt.Sprintf("%s%d", prefix, nicid)
}
return configName
}
}
func (ns *Netstack) addEth(topopath string, config netstack.InterfaceConfig, device fidlethernet.DeviceWithCtx) (*ifState, error) {
client, err := eth.NewClient("netstack", topopath, config.Filepath, device)
if err != nil {
return nil, err
}
return ns.addEndpoint(
makeEndpointName("eth", config.Name),
ethernet.New(client),
client,
client,
routes.Metric(config.Metric),
)
}
// addEndpoint creates a new NIC with stack.Stack.
func (ns *Netstack) addEndpoint(
nameFn func(nicid tcpip.NICID) string,
ep stack.LinkEndpoint,
controller link.Controller,
observer link.Observer,
metric routes.Metric,
) (*ifState, error) {
ifs := &ifState{
ns: ns,
controller: controller,
observer: observer,
}
ifs.adminControls.mu.controls = make(map[*adminControlImpl]struct{})
ifs.addressStateProviders.mu.providers = make(map[tcpip.Address]*adminAddressStateProviderImpl)
if observer != nil {
observer.SetOnLinkClosed(ifs.RemoveByLinkClose)
observer.SetOnLinkOnlineChanged(ifs.onLinkOnlineChanged)
}
ifs.mu.metric = metric
ifs.mu.dhcp.running = func() bool { return false }
ifs.mu.dhcp.cancel = func() {}
ns.mu.Lock()
ifs.nicid = ns.mu.countNIC + 1
ns.mu.countNIC++
ns.mu.Unlock()
name := nameFn(ifs.nicid)
// LinkEndpoint chains:
// Put sniffer as close as the NIC.
// A wrapper LinkEndpoint should encapsulate the underlying
// one, and manifest itself to 3rd party netstack.
ifs.bridgeable = bridge.NewEndpoint(sniffer.NewWithPrefix(ep, fmt.Sprintf("[%s(id=%d)] ", name, ifs.nicid)))
ep = ifs.bridgeable
ifs.endpoint = ep
if err := ns.stack.CreateNICWithOptions(ifs.nicid, ep, stack.NICOptions{Name: name, Context: ifs, Disabled: true}); err != nil {
return nil, fmt.Errorf("NIC %s: could not create NIC: %w", name, WrapTcpIpError(err))
}
_ = syslog.Infof("NIC %s added", name)
if linkAddr := ep.LinkAddress(); len(linkAddr) > 0 {
dhcpClient := dhcp.NewClient(ns.stack, ifs.nicid, linkAddr, dhcpAcquisition, dhcpBackoff, dhcpRetransmission, ifs.dhcpAcquired)
ifs.mu.Lock()
ifs.mu.dhcp.Client = dhcpClient
ifs.mu.Unlock()
}
ns.onInterfaceAdd(ifs.nicid)
return ifs, nil
}
func (ns *Netstack) getIfStateInfo(nicInfo map[tcpip.NICID]stack.NICInfo) map[tcpip.NICID]ifStateInfo {
ifStates := make(map[tcpip.NICID]ifStateInfo)
for id, ni := range nicInfo {
ifs := ni.Context.(*ifState)
ifs.dns.mu.Lock()
dnsServers := ifs.dns.mu.servers
ifs.dns.mu.Unlock()
ifs.mu.Lock()
info := ifStateInfo{
NICInfo: ni,
nicid: ifs.nicid,
adminUp: ifs.mu.adminUp,
linkOnline: ifs.LinkOnlineLocked(),
dnsServers: dnsServers,
dhcpEnabled: ifs.mu.dhcp.enabled,
}
if ifs.mu.dhcp.enabled {
info.dhcpInfo = ifs.mu.dhcp.Info()
info.dhcpStats = ifs.mu.dhcp.Stats()
info.dhcpStateRecentHistory = ifs.mu.dhcp.StateRecentHistory()
}
for _, network := range []tcpip.NetworkProtocolNumber{header.IPv4ProtocolNumber, header.IPv6ProtocolNumber} {
{
neighbors, err := ns.stack.Neighbors(id, network)
switch err.(type) {
case nil:
if info.neighbors == nil {
info.neighbors = make(map[string]stack.NeighborEntry)
}
for _, n := range neighbors {
info.neighbors[n.Addr.String()] = n
}
case *tcpip.ErrNotSupported:
// NIC does not have a neighbor table, skip.
case *tcpip.ErrUnknownNICID:
_ = syslog.Warnf("getIfStateInfo: NIC removed before ns.stack.Neighbors(%d) could be called", id)
default:
_ = syslog.Errorf("getIfStateInfo: unexpected error from ns.stack.Neighbors(%d) = %s", id, err)
}
}
}
info.networkEndpointStats = make(map[string]stack.NetworkEndpointStats, len(ni.NetworkStats))
for proto, netEPStats := range ni.NetworkStats {
info.networkEndpointStats[networkProtocolToString(proto)] = netEPStats
}
ifs.mu.Unlock()
info.controller = ifs.controller
ifStates[id] = info
}
return ifStates
}
func findAddress(addrs []tcpip.ProtocolAddress, addr tcpip.ProtocolAddress) (tcpip.ProtocolAddress, bool) {
// Ignore prefix length.
addr.AddressWithPrefix.PrefixLen = 0
for _, candidate := range addrs {
// Copy to avoid mutating the return value.
matcher := candidate
matcher.AddressWithPrefix.PrefixLen = 0
if matcher == addr {
return candidate, true
}
}
return tcpip.ProtocolAddress{}, false
}
func networkProtocolToString(proto tcpip.NetworkProtocolNumber) string {
switch proto {
case header.IPv4ProtocolNumber:
return "IPv4"
case header.IPv6ProtocolNumber:
return "IPv6"
case header.ARPProtocolNumber:
return "ARP"
default:
return fmt.Sprintf("0x%x", proto)
}
}