* [developer] [REVIEW] 16370 ipclassifier should pay more attention to sin6_scope_id
@ 2024-10-23 22:26 Bill Sommerfeld via illumos-developer
From: Bill Sommerfeld via illumos-developer @ 2024-10-23 22:26 UTC (permalink / raw)
To: developer
Issue: https://www.illumos.org/issues/16370
CR: https://code.illumos.org/c/illumos-gate/+/3355
Diff:
https://code.illumos.org/~diff/c0a01353c4678bdaf869f86f35095d04bad081a3
I have a couple fixes to the handling of scoped addresses in our IP
stack.
IPv6 adds link-local addresses which need only be unique on a specific
link; to properly distinguish them on a host connected to multiple
links they need to be tagged with an additional scope id. In textual
form, you might see fe80::1%lan0 vs fe80::1%wan0. At the sockets API,
the scope can be found in the sin6_scope_id field of a struct
sockaddr_in6.
A common pattern in UDP-based services (used by named, ntpd, and
others) is to bind one socket to each interface address; this makes it
straightforward for the server to respond with packets from the IP
address the client is expecting. This might mean that on a machine
with multiple interfaces you might have multiple sockets bound to
fe80::1234 with different scopes.
I've fixed a couple of places in our stack where these interface scope
checks are not quite right, typically rendering all but one of these
sockets either unbindable or bound but deaf to inbound packets.
1) In the receive path, the scope match between packet and conn_t is
done too late, after ipcl_classify_v6() commits to a conn_t; if there
are multiple sockets differing only in scope, there is no chance to go
back and try a different one. Instead, this check should be inside
the loop in the classifier so it can continue to look for other
potential matches.
Fixing this allows ntp to work over all interfaces configured with a
duplicate link-local address.
2) In the socket bind path, TCP (but not other protocols) rejects
socket binds that differ only in ifindex. This results in an "address
in use" error during named startup (as it tries to bind() a TCP socket
to each interface address, appropriately scoped).
Inspired in part by the link-local test, I've also included a couple
new tests to exercise sin6_scope_id and IP*_BOUND_IF; scope-test-v6
passes on a build with these changes but fails on a build without
them.
------------------------------------------
illumos: illumos-developer
Permalink: https://illumos.topicbox.com/groups/developer/Tb15df26879b6ea3c-M20ae2b8972dfe12e21609c5b
Delivery options: https://illumos.topicbox.com/groups/developer/subscription
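The two problems in the review request, modelled as an added example (not code from illumos-gate or from the author): a toy classifier that checks scope only after committing to a match, beside one that checks it inside the loop, plus a bind-conflict check that lets binds differing only in scope coexist. `Conn`, `Packet`, `scope_matches` and `bind_conflicts` are hypothetical stand-ins, and treating an unscoped bind as matching any link is an assumption of the model.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address
from typing import Optional

@dataclass(frozen=True)
class Conn:            # hypothetical stand-in for the fields of a conn_t
    laddr: IPv6Address
    lport: int
    ifindex: int       # scope id it was bound with; 0 means unscoped

@dataclass(frozen=True)
class Packet:
    dst: IPv6Address
    dport: int
    ifindex: int       # interface the packet arrived on

def scope_matches(conn: Conn, pkt: Packet) -> bool:
    # A scoped conn only accepts packets from the link it is scoped to;
    # an unscoped conn is treated here as matching any link (assumption).
    return conn.ifindex == 0 or conn.ifindex == pkt.ifindex

def classify_before(conns, pkt) -> Optional[Conn]:
    """Buggy order: commit to the first addr/port match, check scope afterwards."""
    for c in conns:
        if c.laddr == pkt.dst and c.lport == pkt.dport:
            return c if scope_matches(c, pkt) else None   # no second look
    return None

def classify_after(conns, pkt) -> Optional[Conn]:
    """Fixed order: scope is part of the match, so the loop keeps searching."""
    for c in conns:
        if c.laddr == pkt.dst and c.lport == pkt.dport and scope_matches(c, pkt):
            return c
    return None

def bind_conflicts(existing: Conn, new: Conn) -> bool:
    """Bind check that lets binds differing only in scope coexist (item 2)."""
    if existing.laddr != new.laddr or existing.lport != new.lport:
        return False
    return 0 in (existing.ifindex, new.ifindex) or existing.ifindex == new.ifindex

# Constructed sample: one socket per interface (ifindex 2 = lan0, 3 = wan0), same link-local address.
LL = IPv6Address("fe80::1234")
CONNS = [Conn(LL, 123, 2), Conn(LL, 123, 3)]
PKT_WAN = Packet(LL, 123, 3)

if __name__ == "__main__":
    print("before:", classify_before(CONNS, PKT_WAN))   # None: packet is dropped
    print("after: ", classify_after(CONNS, PKT_WAN))    # Conn bound on ifindex 3
    print("conflict:", bind_conflicts(*CONNS))          # False
```

With the buggy order only the first socket in the list ever receives packets; with the fixed order each packet reaches the socket scoped to the link it arrived on.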