DragonFlyBSD

carp	112	CARP	vrrp		# Common Address Redundancy Protocol

SRCS+=	ifcarp.c		# SIOC[GS]VH support

/*	$Id$	*/

/*	from $FreeBSD: src/sbin/ifconfig/ifcarp.c,v 1.2 2005/02/22 14:07:47 glebius Exp $ */

/*	from $OpenBSD: ifconfig.c,v 1.82 2003/10/19 05:43:35 mcbride Exp $ */

/*

 * Copyright (c) 2002 Michael Shalayeff. All rights reserved.

 * Copyright (c) 2003 Ryan McBride. All rights reserved.

 *

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions

 * are met:

 * 1. Redistributions of source code must retain the above copyright

 *    notice, this list of conditions and the following disclaimer.

 * 2. Redistributions in binary form must reproduce the above copyright

 *    notice, this list of conditions and the following disclaimer in the

 *    documentation and/or other materials provided with the distribution.

 *

 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR

 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

 * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,

 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

 * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING

 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF

 * THE POSSIBILITY OF SUCH DAMAGE.

 */

#include <sys/param.h>

#include <sys/ioctl.h>

#include <sys/socket.h>

#include <sys/sockio.h>

#include <stdlib.h>

#include <unistd.h>

#include <net/ethernet.h>

#include <net/if.h>

#include <netinet/ip_carp.h>

#include <net/route.h>

#include <ctype.h>

#include <stdio.h>

#include <string.h>

#include <stdlib.h>

#include <unistd.h>

#include <err.h>

#include <errno.h>

#include "ifconfig.h"

static const char *carp_states[] = { CARP_STATES };

void carp_status(int s);

void setcarp_advbase(const char *,int, int, const struct afswtch *rafp);

void setcarp_advskew(const char *, int, int, const struct afswtch *rafp);

void setcarp_passwd(const char *, int, int, const struct afswtch *rafp);

void setcarp_vhid(const char *, int, int, const struct afswtch *rafp);

void

carp_status(int s)

{

	const char *state;

	struct carpreq carpr;

	memset((char *)&carpr, 0, sizeof(struct carpreq));

	ifr.ifr_data = (caddr_t)&carpr;

	if (ioctl(s, SIOCGVH, (caddr_t)&ifr) == -1)

		return;

	if (carpr.carpr_vhid > 0) {

		if (carpr.carpr_state > CARP_MAXSTATE)

			state = "<UNKNOWN>";

		else

			state = carp_states[carpr.carpr_state];

		printf("\tcarp: %s vhid %d advbase %d advskew %d\n",

		    state, carpr.carpr_vhid, carpr.carpr_advbase,

		    carpr.carpr_advskew);

	}

	return;

}

void

setcarp_passwd(const char *val, int d, int s, const struct afswtch *afp)

{

	struct carpreq carpr;

	memset((char *)&carpr, 0, sizeof(struct carpreq));

	ifr.ifr_data = (caddr_t)&carpr;

	if (ioctl(s, SIOCGVH, (caddr_t)&ifr) == -1)

		err(1, "SIOCGVH");

	/* XXX Should hash the password into the key here, perhaps? */

	strlcpy(carpr.carpr_key, val, CARP_KEY_LEN);

	if (ioctl(s, SIOCSVH, (caddr_t)&ifr) == -1)

		err(1, "SIOCSVH");

	return;

}

void

setcarp_vhid(const char *val, int d, int s, const struct afswtch *afp)

{

	int vhid;

	struct carpreq carpr;

	vhid = atoi(val);

	if (vhid <= 0)

		errx(1, "vhid must be greater than 0");

	memset((char *)&carpr, 0, sizeof(struct carpreq));

	ifr.ifr_data = (caddr_t)&carpr;

	if (ioctl(s, SIOCGVH, (caddr_t)&ifr) == -1)

		err(1, "SIOCGVH");

	carpr.carpr_vhid = vhid;

	if (ioctl(s, SIOCSVH, (caddr_t)&ifr) == -1)

		err(1, "SIOCSVH");

	return;

}

void

setcarp_advskew(const char *val, int d, int s, const struct afswtch *afp)

{

	int advskew;

	struct carpreq carpr;

	advskew = atoi(val);

	memset((char *)&carpr, 0, sizeof(struct carpreq));

	ifr.ifr_data = (caddr_t)&carpr;

	if (ioctl(s, SIOCGVH, (caddr_t)&ifr) == -1)

		err(1, "SIOCGVH");

	carpr.carpr_advskew = advskew;

	if (ioctl(s, SIOCSVH, (caddr_t)&ifr) == -1)

		err(1, "SIOCSVH");

	return;

}

void

setcarp_advbase(const char *val, int d, int s, const struct afswtch *afp)

{

	int advbase;

	struct carpreq carpr;

	advbase = atoi(val);

	memset((char *)&carpr, 0, sizeof(struct carpreq));

	ifr.ifr_data = (caddr_t)&carpr;

	if (ioctl(s, SIOCGVH, (caddr_t)&ifr) == -1)

		err(1, "SIOCGVH");

	carpr.carpr_advbase = advbase;

	if (ioctl(s, SIOCSVH, (caddr_t)&ifr) == -1)

		err(1, "SIOCSVH");

	return;

}

static struct cmd carp_cmds[] = {

	DEF_CMD_ARG("advbase",	setcarp_advbase),

	DEF_CMD_ARG("advskew",	setcarp_advskew),

	DEF_CMD_ARG("pass",	setcarp_passwd),

	DEF_CMD_ARG("vhid",	setcarp_vhid),

};

static struct afswtch af_carp = {

	.af_name	= "af_carp",

	.af_af		= AF_UNSPEC,

	.af_other_status = carp_status,

};

static __constructor void

carp_ctor(void)

{

#define	N(a)	(sizeof(a) / sizeof(a[0]))

	int i;

	for (i = 0; i < N(carp_cmds);  i++)

		cmd_register(&carp_cmds[i]);

	af_register(&af_carp);

#undef N

}

.Dd April 8, 2007

The following parameters are specific to

.Xr carp 4

interfaces:

.Bl -tag -width indent

.It Cm advbase Ar seconds

Specifies the base of the advertisement interval in seconds.

The acceptable values are 1 to 255.

The default value is 1.

.\" The default value is

.\" .Dv CARP_DFLTINTV .

.It Cm advskew Ar interval

Specifies the skew to add to the base advertisement interval to

make one host advertise slower than another host.

It is specified in 1/256 of seconds.

The acceptable values are 1 to 254.

The default value is 0.

.It Cm pass Ar phrase

Set the authentication key to

.Ar phrase .

.It Cm vhid Ar n

Set the virtual host ID.

This is a required setting.

Acceptable values are 1 to 255.

.El

.Pp

.Xr carp 4 ,

		case IFM_CARP:

			if (ifmr.ifm_status & IFM_ACTIVE)

				printf("master");

			else

				printf("backup");

			break;

	carp.4 \

.\"	$OpenBSD: carp.4,v 1.16 2004/12/07 23:41:35 jmc Exp $

.\"     $FreeBSD: src/share/man/man4/carp.4,v 1.10 2006/06/07 10:26:51 glebius Exp $

.\"	$Id$

.\"

.\" Copyright (c) 2003, Ryan McBride.  All rights reserved.

.\"

.\" Redistribution and use in source and binary forms, with or without

.\" modification, are permitted provided that the following conditions

.\" are met:

.\" 1. Redistributions of source code must retain the above copyright

.\"    notice, this list of conditions and the following disclaimer.

.\" 2. Redistributions in binary form must reproduce the above copyright

.\"    notice, this list of conditions and the following disclaimer in the

.\"    documentation and/or other materials provided with the distribution.

.\"

.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND

.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE

.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

.\" SUCH DAMAGE.

.\"

.\"

.Dd April 9, 2007

.Dt CARP 4

.Os

.Sh NAME

.Nm carp

.Nd Common Address Redundancy Protocol

.Sh SYNOPSIS

.Cd "pseudo-device carp"

.Sh DESCRIPTION

The

.Nm

interface is a pseudo-device that implements and controls the

CARP protocol.

CARP allows multiple hosts on the same local network to share a set of IP addresses.

Its primary purpose is to ensure that these

addresses are always available, but in some configurations

.Nm

can also provide load balancing functionality.

.Pp

A

.Nm

interface can be created at runtime using the

.Nm ifconfig Li carp Ns Ar N Cm create

command or by configuring

it via

.Va cloned_interfaces

in the

.Pa /etc/rc.conf

file.

.Pp

To use

.Nm ,

the administrator needs to configure at minimum a common virtual host ID (VHID)

and virtual host IP address on each machine which is to take part in the virtual

group.

Additional parameters can also be set on a per-interface basis:

.Cm advbase

and

.Cm advskew ,

which are used to control how frequently the host sends advertisements when it

is the master for a virtual host, and

.Cm pass

which is used to authenticate

.Nm

advertisements.

The

.Cm advbase

parameter stands for

.Dq "advertisement base" .

It is measured in seconds and specifies the base of the advertisement interval.

The

.Cm advskew

parameter stands for

.Dq "advertisement skew" .

It is measured in 1/256 of seconds.

It is added to the base advertisement interval to make one host advertise

a bit slower that the other does.

Both

.Cm advbase

and

.Cm advskew

are put inside CARP advertisements.

These configurations can be done using

.Xr ifconfig 8 ,

or through the

.Dv SIOCSVH

.Xr ioctl 2 .

.Pp

Additionally, there are a number of global parameters which can be set using

.Xr sysctl 8 :

.Bl -tag -width ".Va net.inet.carp.arpbalance"

.It Va net.inet.carp.allow

Accept incoming

.Nm

packets.

Enabled by default.

.It Va net.inet.carp.preempt

Allow virtual hosts to preempt each other.

It is also used to failover

.Nm

interfaces as a group.

When the option is enabled and one of the

.Nm

enabled physical interfaces

goes down,

.Cm advskew

is changed to 240 on all

.Nm

interfaces.

See also the first example.

Disabled by default.

.It Va net.inet.carp.log

Value of 0 disables any logging.

Value of 1 enables logging of bad

.Nm

packets.

Values above 1 enable logging state changes of

.Nm

interfaces.

Default value is 1.

.It Va net.inet.carp.arpbalance

Balance local traffic using ARP (see below).

Disabled by default.

.It Va net.inet.carp.suppress_preempt

A read only value showing the status of preemption suppression.

Preemption can be suppressed if link on an interface is down

or when

.Xr pfsync 4

interface is not synchronized.

Value of 0 means that preemption is not suppressed, since no

problems are detected.

Every problem increments suppression counter.

.El

.Sh ARP level load balancing

The

.Nm

has limited abilities for load balancing the incoming connections

between hosts in Ethernet network.

For load balancing operation, one needs several CARP interfaces that

are configured to the same IP address, but to a different VHIDs.

Once an ARP request is received, the CARP protocol will use a hashing

function against the source IP address in the ARP request to determine

which VHID should this request belong to.

If the corresponding CARP interface is in master state, the ARP request

will be replied, otherwise it will be ignored.

See the

.Sx EXAMPLES

section for a practical example of load balancing.

.Pp

The ARP load balancing has some limitations.

First, ARP balancing only works on the local network segment.

It cannot balance traffic that crosses a router, because the

router itself will always be balanced to the same virtual host.

Second, ARP load balancing can lead to asymmetric routing

of incoming and outgoing traffic, and thus combining it with

.Xr pfsync 4

is dangerous, because this creates a race condition between

balanced routers and a host they are serving.

Imagine an incoming packet creating state on the first router, being

forwarded to its destination, and destination replying faster

than the state information is packed and synced with the second router.

If the reply would be load balanced to second router, it will be

dropped due to no state.

.Sh EXAMPLES

For firewalls and routers with multiple interfaces, it is desirable to

failover all of the

.Nm

interfaces together, when one of the physical interfaces goes down.

This is achieved by the preempt option.

Enable it on both host A and B:

.Pp

.Dl sysctl net.inet.carp.preempt=1

.Pp

Assume that host A is the preferred master and 192.168.1.x/24 is

configured on one physical interface and 192.168.2.y/24 on another.

This is the setup for host A:

.Bd -literal -offset indent

ifconfig carp0 create

ifconfig carp0 vhid 1 pass mekmitasdigoat 192.168.1.1/24

ifconfig carp1 create

ifconfig carp1 vhid 2 pass mekmitasdigoat 192.168.2.1/24

.Ed

.Pp

The setup for host B is identical, but it has a higher

.Cm advskew :

.Bd -literal -offset indent

ifconfig carp0 create

ifconfig carp0 vhid 1 advskew 100 pass mekmitasdigoat 192.168.1.1/24

ifconfig carp1 create

ifconfig carp1 vhid 2 advskew 100 pass mekmitasdigoat 192.168.2.1/24

.Ed

.Pp

Because of the preempt option, when one of the physical interfaces of

host A fails,

.Cm advskew

is adjusted to 240 on all its

.Nm

interfaces.

This will cause host B to preempt on both interfaces instead of

just the failed one.

.Pp

In order to set up an ARP balanced virtual host, it is necessary to configure

one virtual host for each physical host which would respond to ARP requests

and thus handle the traffic.

In the following example, two virtual hosts are configured on two hosts to

provide balancing and failover for the IP address 192.168.1.10.

.Pp

First the

.Nm

interfaces on host A are configured.

The

.Cm advskew

of 100 on the second virtual host means that its advertisements will be sent

out slightly less frequently.

.Bd -literal -offset indent

ifconfig carp0 create

ifconfig carp0 vhid 1 pass mekmitasdigoat 192.168.1.10/24

ifconfig carp1 create

ifconfig carp1 vhid 2 advskew 100 pass mekmitasdigoat 192.168.1.10/24

.Ed

.Pp

The configuration for host B is identical, except the

.Cm advskew

is on virtual host 1 rather than virtual host 2.

.Bd -literal -offset indent

ifconfig carp0 create

ifconfig carp0 vhid 1 advskew 100 pass mekmitasdigoat 192.168.1.10/24

ifconfig carp1 create

ifconfig carp1 vhid 2 pass mekmitasdigoat 192.168.1.10/24

.Ed

.Pp

Finally, the ARP balancing feature must be enabled on both hosts:

.Pp

.Dl sysctl net.inet.carp.arpbalance=1

.Pp

When the hosts receive an ARP request for 192.168.1.10, the source IP address

of the request is used to compute which virtual host should answer the request.

The host which is master of the selected virtual host will reply to the

request, the other(s) will ignore it.

.Pp

This way, locally connected systems will receive different ARP replies and

subsequent IP traffic will be balanced among the hosts.

If one of the hosts fails, the other will take over the virtual MAC address,

and begin answering ARP requests on its behalf.

.Sh SEE ALSO

.Xr inet 4 ,

.Xr pfsync 4 ,

.Xr rc.conf 5 ,

.Xr ifconfig 8 ,

.Xr sysctl 8

.Sh HISTORY

The

.Nm

device first appeared in

.Ox 3.5 .

.Dd April 9, 2007

.Sh USING PFSYNC WITH CARP

.Nm

and

.Xr carp 4

can be used together to provide automatic failover of a pair of firewalls

configured in parallel.

One firewall handles all traffic \- if it dies or

is shut down, the second firewall takes over automatically.

.Pp

Both firewalls in this example have three

.Xr sis 4

interfaces.

sis0 is the external interface, on the 10.0.0.0/24 subnet; sis1 is the

internal interface, on the 192.168.0.0/24 subnet; and sis2 is the

.Nm

interface, using the 192.168.254.0/24 subnet.

A crossover cable connects the two firewalls via their sis2 interfaces.

On all three interfaces, firewall A uses the .254 address, while firewall B

uses .253.

The interfaces are configured as follows (firewall A unless otherwise

indicated):

.Pp

Interfaces configuration in

.Pa /etc/rc.conf :

.Bd -literal -offset indent

network_interfaces="lo0 sis0 sis1 sis2"

cloned_interfaces="carp0 carp1"

ifconfig_sis0="10.0.0.254/24"

ifconfig_sis1="192.168.0.254/24"

ifconfig_sis2="192.168.254.254/24"

ifconfig_carp0="vhid 1 pass foo 10.0.0.1/24"

ifconfig_carp1="vhid 2 pass bar 192.168.0.1/24"

pfsync_enable="YES"

pfsync_syncdev="sis2"

.Ed

.Pp

.Xr pf 4

must also be configured to allow

.Nm

and

.Xr carp 4

traffic through.

The following should be added to the top of

.Pa /etc/pf.conf :

.Bd -literal -offset indent

pass quick on { sis2 } proto pfsync

pass quick on { sis0 sis1 } proto carp keep state

.Ed

.Pp

If it is preferable that one firewall handle the traffic,

the

.Ar advskew

on the backup firewall's

.Xr carp 4

interfaces should be set to something higher than

the primary's.

For example, if firewall B is the backup, its

carp1 configuration would look like this:

.Bd -literal -offset indent

ifconfig_carp1="vhid 2 pass bar advskew 100 192.168.0.1/24"

.Ed

.Pp

The following must also be added to

.Pa /etc/sysctl.conf :

.Bd -literal -offset indent

net.inet.carp.preempt=1

.Ed

.Xr carp 4 ,

crypto/sha1.c				optional carp

netinet/ip_carp.c		optional carp

CARP			opt_carp.h

#CARP

pseudo-device carp

options CARP

options		CARP

pseudo-device	carp

#include "opt_carp.h"

#ifdef CARP

#include <netinet/ip_carp.h>

#endif

#ifdef CARP

	if (ifp->if_carp && (error = carp_output(ifp, m, dst, NULL)))

		goto bad;

#endif

#ifdef CARP

	/*

         * XXX: Okay, we need to call carp_forus() and - if it is for

         * us jump over code that does the normal check

         * "ac_enaddr == ether_dhost". The check sequence is a bit

         * different from OpenBSD, so we jump over as few code as

         * possible, to catch _all_ sanity checks. This needs

         * evaluation, to see if the carp ether_dhost values break any

         * of these checks!

         */

	if (ifp->if_carp && carp_forus(ifp->if_carp, eh->ether_dhost))

		goto pre_stats;

#endif

#ifdef CARP

pre_stats:

#endif

 * CARP Common Address Redundancy Protocol

 */

#define IFM_CARP        0x000000c0

/*

	{ IFM_CARP,		"Common Address Redundancy Protocol" }, \

#define	IFT_CARP	0xf8		/* Common Address Redundancy Protocol */

struct	carp_if;

	struct	carp_if *if_carp;	/* carp interface structure */

#include "opt_carp.h"

#ifdef CARP

#include <netinet/ip_carp.h>

#endif

void 		arprequest_acces(struct ifnet *ifp, struct in_addr *sip, struct in_addr *tip,  u_char *enaddr);

	u_int8_t *enaddr = NULL;

#ifdef CARP

	/*

	 * If the interface does not match, but the recieving interface

	 * is part of carp, we call carp_iamatch to see if this is a

	 * request for the virtual host ip.

	 * XXX: This is really ugly!

	 */

        	if (ifp->if_carp != NULL &&

		    carp_iamatch(ifp->if_carp, ia, &isaddr, &enaddr) &&

		    itaddr.s_addr == ia->ia_addr.sin_addr.s_addr)

                        goto match;

#endif

	if (!enaddr)

		enaddr = (u_int8_t *)IF_LLADDR(ifp);

	if (!bcmp(ar_sha(ah), enaddr, ifp->if_addrlen)) {

		memcpy(ar_sha(ah), enaddr, ah->ar_hln);

			memcpy(ar_sha(ah), enaddr, ah->ar_hln);

void

arp_ifinit2(struct ifnet *ifp, struct ifaddr *ifa, u_char *enaddr)

{

	if (IA_SIN(ifa)->sin_addr.s_addr != INADDR_ANY)

		arprequest(ifp, &IA_SIN(ifa)->sin_addr, &IA_SIN(ifa)->sin_addr,

			   enaddr);

	ifa->ifa_rtrequest = arp_rtrequest;

	ifa->ifa_flags |= RTF_CLONING;

}

void	arp_ifinit2 (struct ifnet *, struct ifaddr *, u_char *);

#define	IPPROTO_CARP		112		/* CARP */

#define	INADDR_CARP_GROUP       (u_int32_t)0xe0000012   /* 224.0.0.18 */

#include "opt_carp.h"

#ifdef CARP

#include <netinet/ip_carp.h>

#endif

#ifdef CARP

 { SOCK_RAW,     &inetdomain,    IPPROTO_CARP,   PR_ATOMIC|PR_ADDR,

  carp_input,   rip_output,       0,      rip_ctloutput,

  0,

  0,            0,              0,              0,

  &rip_usrreqs

},

#endif

#ifdef CARP

SYSCTL_NODE(_net_inet, IPPROTO_CARP,    carp,    CTLFLAG_RW, 0,  "CARP");

#endif

/*	$Id$	*/

/* 	from $FreeBSD: src/sys/netinet/ip_carp.c,v 1.48 2007/02/02 09:39:09 glebius Exp $ */

/*

 * Copyright (c) 2002 Michael Shalayeff. All rights reserved.

 * Copyright (c) 2003 Ryan McBride. All rights reserved.

 *

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions

 * are met:

 * 1. Redistributions of source code must retain the above copyright

 *    notice, this list of conditions and the following disclaimer.

 * 2. Redistributions in binary form must reproduce the above copyright

 *    notice, this list of conditions and the following disclaimer in the

 *    documentation and/or other materials provided with the distribution.

 *

 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR

 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

 * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,

 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

 * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING

 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF

 * THE POSSIBILITY OF SUCH DAMAGE.

 */

#include "opt_carp.h"

/*#include "opt_bpf.h"*/

#include "opt_inet.h"

#include "opt_inet6.h"

#include <sys/types.h>

#include <sys/param.h>

#include <sys/systm.h>

#include <sys/conf.h>

#include <sys/kernel.h>

#include <machine/limits.h>

#include <sys/malloc.h>

#include <sys/mbuf.h>

#include <sys/module.h>

#include <sys/time.h>

#include <sys/proc.h>

#include <sys/sysctl.h>

#include <sys/syslog.h>

#include <sys/signalvar.h>

#include <sys/filio.h>

#include <sys/sockio.h>

#include <sys/in_cksum.h>

#include <sys/socket.h>

#include <sys/vnode.h>

#include <machine/stdarg.h>

#include <net/bpf.h>

#include <net/ethernet.h>

#include <net/iso88025.h>

#include <net/if.h>

#include <net/if_dl.h>

#include <net/if_types.h>

#include <net/route.h>

#ifdef INET

#include <netinet/in.h>

#include <netinet/in_var.h>

#include <netinet/in_systm.h>

#include <netinet/ip.h>

#include <netinet/ip_var.h>

#include <netinet/if_ether.h>

#include <netinet/if_fddi.h>

#endif

#ifdef INET6

#include <netinet/icmp6.h>

#include <netinet/ip6.h>

#include <netinet6/ip6_var.h>

#include <netinet6/scope6_var.h>

#include <netinet6/nd6.h>

#endif

#include <crypto/sha1.h>

#include <netinet/ip_carp.h>

#include <sys/lock.h>

#define	CARP_IFNAME	"carp"

static MALLOC_DEFINE(M_CARP, "CARP", "CARP interfaces");

static MALLOC_DEFINE(M_IFNET, "IFNET", "IFNET CARP?");

SYSCTL_DECL(_net_inet_carp);

struct carp_softc {

	struct ifnet	 	*sc_ifp;	/* Interface clue */

	struct ifnet		*sc_carpdev;	/* Pointer to parent interface */

	struct in_ifaddr 	*sc_ia;		/* primary iface address */

	struct ip_moptions 	 sc_imo;

#ifdef INET6

	struct in6_ifaddr 	*sc_ia6;	/* primary iface address v6 */

	struct ip6_moptions 	 sc_im6o;

#endif /* INET6 */

	TAILQ_ENTRY(carp_softc)	 sc_list;

	enum { INIT = 0, BACKUP, MASTER }	sc_state;

	int			 sc_flags_backup;

	int			 sc_suppress;

	int			 sc_sendad_errors;

#define	CARP_SENDAD_MAX_ERRORS	3

	int			 sc_sendad_success;

#define	CARP_SENDAD_MIN_SUCCESS 3

	int			 sc_vhid;

	int			 sc_advskew;

	int			 sc_naddrs;

	int			 sc_naddrs6;

	int			 sc_advbase;	/* seconds */

	int			 sc_init_counter;

	u_int64_t		 sc_counter;

	/* authentication */

#define CARP_HMAC_PAD	64

	unsigned char sc_key[CARP_KEY_LEN];

	unsigned char sc_pad[CARP_HMAC_PAD];

	SHA1_CTX sc_sha1;

	struct callout		 sc_ad_tmo;	/* advertisement timeout */

	struct callout		 sc_md_tmo;	/* master down timeout */

	struct callout 		 sc_md6_tmo;	/* master down timeout */

	LIST_ENTRY(carp_softc)	 sc_next;	/* Interface clue */

};

#define	SC2IFP(sc)	((sc)->sc_ifp)

int carp_suppress_preempt = 0;

int carp_opts[CARPCTL_MAXID] = { 0, 1, 0, 1, 0, 0 };	/* XXX for now */

SYSCTL_INT(_net_inet_carp, CARPCTL_ALLOW, allow, CTLFLAG_RW,

    &carp_opts[CARPCTL_ALLOW], 0, "Accept incoming CARP packets");

SYSCTL_INT(_net_inet_carp, CARPCTL_PREEMPT, preempt, CTLFLAG_RW,

    &carp_opts[CARPCTL_PREEMPT], 0, "high-priority backup preemption mode");

SYSCTL_INT(_net_inet_carp, CARPCTL_LOG, log, CTLFLAG_RW,

    &carp_opts[CARPCTL_LOG], 0, "log bad carp packets");

SYSCTL_INT(_net_inet_carp, CARPCTL_ARPBALANCE, arpbalance, CTLFLAG_RW,

    &carp_opts[CARPCTL_ARPBALANCE], 0, "balance arp responses");

SYSCTL_INT(_net_inet_carp, OID_AUTO, suppress_preempt, CTLFLAG_RD,

    &carp_suppress_preempt, 0, "Preemption is suppressed");

struct carpstats carpstats;

SYSCTL_STRUCT(_net_inet_carp, CARPCTL_STATS, stats, CTLFLAG_RW,

    &carpstats, carpstats,

    "CARP statistics (struct carpstats, netinet/ip_carp.h)");

struct carp_if {

	TAILQ_HEAD(, carp_softc) vhif_vrs;

	int vhif_nvrs;

	struct ifnet 	*vhif_ifp;

	struct lock	vhif_lock;

};

/* Get carp_if from softc. Valid after carp_set_addr{,6}. */

#define	SC2CIF(sc)		((struct carp_if *)(sc)->sc_carpdev->if_carp)

#define	CARP_LOCK_INIT(cif)	lockinit(&(cif)->vhif_lock, "carp_if", 0,  LK_NOWAIT);

#define	CARP_LOCK_DESTROY(cif)	;

#define	CARP_LOCK_ASSERT(cif)	;

#define	CARP_LOCK(cif)		lockmgr(&(cif)->vhif_lock, LK_EXCLUSIVE);

#define	CARP_UNLOCK(cif)	lockmgr(&(cif)->vhif_lock, LK_RELEASE);

#define	CARP_SCLOCK(sc)		lockmgr(&SC2CIF(sc)->vhif_lock, LK_EXCLUSIVE);

#define	CARP_SCUNLOCK(sc)	lockmgr(&SC2CIF(sc)->vhif_lock, LK_RELEASE);

#define	CARP_SCLOCK_ASSERT(sc)	;

#define	CARP_LOG(...)	do {				\

	if (carp_opts[CARPCTL_LOG] > 0)			\

		log(LOG_INFO, __VA_ARGS__);		\

} while (0)

#define	CARP_DEBUG(...)	do {				\

	if (carp_opts[CARPCTL_LOG] > 1)			\

		log(LOG_DEBUG, __VA_ARGS__);		\

} while (0)

static void	carp_hmac_prepare(struct carp_softc *);

static void	carp_hmac_generate(struct carp_softc *, u_int32_t *,

		    unsigned char *);

static int	carp_hmac_verify(struct carp_softc *, u_int32_t *,

		    unsigned char *);

static void	carp_setroute(struct carp_softc *, int);

static void	carp_input_c(struct mbuf *, struct carp_header *, sa_family_t);

static int 	carp_clone_create(struct if_clone *, int);

static void 	carp_clone_destroy(struct ifnet *);

static void	carpdetach(struct carp_softc *, int);

static int	carp_prepare_ad(struct mbuf *, struct carp_softc *,

		    struct carp_header *);

static void	carp_send_ad_all(void);

static void	carp_send_ad(void *);

static void	carp_send_ad_locked(struct carp_softc *);

static void	carp_send_arp(struct carp_softc *);

static void	carp_master_down(void *);

static void	carp_master_down_locked(struct carp_softc *);

static int	carp_ioctl(struct ifnet *, u_long, caddr_t, struct ucred *);

static int	carp_looutput(struct ifnet *, struct mbuf *, struct sockaddr *,

		    struct rtentry *);

static void	carp_start(struct ifnet *);

static void	carp_setrun(struct carp_softc *, sa_family_t);

static void	carp_set_state(struct carp_softc *, int);

static int	carp_addrcount(struct carp_if *, struct in_ifaddr *, int);

enum	{ CARP_COUNT_MASTER, CARP_COUNT_RUNNING };

static void	carp_multicast_cleanup(struct carp_softc *);

static int	carp_set_addr(struct carp_softc *, struct sockaddr_in *);

static int	carp_del_addr(struct carp_softc *, struct sockaddr_in *);

static void	carp_carpdev_state_locked(struct carp_if *);

static void	carp_sc_state_locked(struct carp_softc *);

#ifdef INET6

static void	carp_send_na(struct carp_softc *);

static int	carp_set_addr6(struct carp_softc *, struct sockaddr_in6 *);

static int	carp_del_addr6(struct carp_softc *, struct sockaddr_in6 *);

static void	carp_multicast6_cleanup(struct carp_softc *);

#endif

static LIST_HEAD(, carp_softc) carpif_list;

struct if_clone carp_cloner = IF_CLONE_INITIALIZER(CARP_IFNAME, carp_clone_create, carp_clone_destroy, 0, IF_MAXUNIT);

static eventhandler_tag if_detach_event_tag;

static __inline u_int16_t

carp_cksum(struct mbuf *m, int len)

{

	return (in_cksum(m, len));

}

static void

carp_hmac_prepare(struct carp_softc *sc)

{

	u_int8_t version = CARP_VERSION, type = CARP_ADVERTISEMENT;

	u_int8_t vhid = sc->sc_vhid & 0xff;

	struct ifaddr *ifa;

	int i;

#ifdef INET6

	struct in6_addr in6;

#endif

	if (sc->sc_carpdev)

		CARP_SCLOCK(sc);

	/* XXX: possible race here */

	/* compute ipad from key */

	bzero(sc->sc_pad, sizeof(sc->sc_pad));

	bcopy(sc->sc_key, sc->sc_pad, sizeof(sc->sc_key));

	for (i = 0; i < sizeof(sc->sc_pad); i++)

		sc->sc_pad[i] ^= 0x36;

	/* precompute first part of inner hash */

	SHA1Init(&sc->sc_sha1);

	SHA1Update(&sc->sc_sha1, sc->sc_pad, sizeof(sc->sc_pad));

	SHA1Update(&sc->sc_sha1, (void *)&version, sizeof(version));

	SHA1Update(&sc->sc_sha1, (void *)&type, sizeof(type));

	SHA1Update(&sc->sc_sha1, (void *)&vhid, sizeof(vhid));

#ifdef INET

	TAILQ_FOREACH(ifa, &SC2IFP(sc)->if_addrlist, ifa_list) {

		if (ifa->ifa_addr->sa_family == AF_INET)

			SHA1Update(&sc->sc_sha1,

			    (void *)&ifatoia(ifa)->ia_addr.sin_addr.s_addr,

			    sizeof(struct in_addr));

	}

#endif /* INET */

#ifdef INET6

	TAILQ_FOREACH(ifa, &SC2IFP(sc)->if_addrlist, ifa_list) {

		if (ifa->ifa_addr->sa_family == AF_INET6) {

			in6 = ifatoia6(ifa)->ia_addr.sin6_addr;

			in6_clearscope(&in6);

			SHA1Update(&sc->sc_sha1, (void *)&in6, sizeof(in6));

		}

	}

#endif /* INET6 */

	/* convert ipad to opad */

	for (i = 0; i < sizeof(sc->sc_pad); i++)

		sc->sc_pad[i] ^= 0x36 ^ 0x5c;

	if (sc->sc_carpdev)

		CARP_SCUNLOCK(sc);

}

static void

carp_hmac_generate(struct carp_softc *sc, u_int32_t counter[2],

    unsigned char md[20])

{

	SHA1_CTX sha1ctx;

	/* fetch first half of inner hash */

	bcopy(&sc->sc_sha1, &sha1ctx, sizeof(sha1ctx));

	SHA1Update(&sha1ctx, (void *)counter, sizeof(sc->sc_counter));

	SHA1Final(md, &sha1ctx);

	/* outer hash */

	SHA1Init(&sha1ctx);

	SHA1Update(&sha1ctx, sc->sc_pad, sizeof(sc->sc_pad));

	SHA1Update(&sha1ctx, md, 20);

	SHA1Final(md, &sha1ctx);

}

static int

carp_hmac_verify(struct carp_softc *sc, u_int32_t counter[2],

    unsigned char md[20])

{

	unsigned char md2[20];

	CARP_SCLOCK_ASSERT(sc);

	carp_hmac_generate(sc, counter, md2);

	return (bcmp(md, md2, sizeof(md2)));

}

static void

carp_setroute(struct carp_softc *sc, int cmd)

{

	struct ifaddr *ifa;

	if (sc->sc_carpdev)

		CARP_SCLOCK_ASSERT(sc);

	crit_enter();

	TAILQ_FOREACH(ifa, &SC2IFP(sc)->if_addrlist, ifa_list) {

		if (ifa->ifa_addr->sa_family == AF_INET &&

		    sc->sc_carpdev != NULL) {

			int count = carp_addrcount(

			    (struct carp_if *)sc->sc_carpdev->if_carp,

			    ifatoia(ifa), CARP_COUNT_MASTER);

			if ((cmd == RTM_ADD && count == 1) ||

			    (cmd == RTM_DELETE && count == 0))

				rtinit(ifa, cmd, RTF_UP | RTF_HOST);

		}

#ifdef INET6

		if (ifa->ifa_addr->sa_family == AF_INET6) {

			if (cmd == RTM_ADD)

				in6_ifaddloop(ifa);

			else

				in6_ifremloop(ifa);

		}

#endif /* INET6 */

	}

	crit_exit();

}

static int

carp_clone_create(struct if_clone *ifc, int unit)

{

	struct carp_softc *sc;

	struct ifnet *ifp;

        MALLOC(sc, struct carp_softc *, sizeof(*sc), M_CARP, M_WAITOK|M_ZERO); 

	ifp = SC2IFP(sc) = kmalloc(sizeof(struct ifnet), M_IFNET, M_WAITOK|M_ZERO); 

	if (ifp == NULL) {

		FREE(sc, M_CARP);

		return (ENOSPC);

	}

	sc->sc_flags_backup = 0;

	sc->sc_suppress = 0;

	sc->sc_advbase = CARP_DFLTINTV;

	sc->sc_vhid = -1;	/* required setting */

	sc->sc_advskew = 0;

	sc->sc_init_counter = 1;

	sc->sc_naddrs = sc->sc_naddrs6 = 0; /* M_ZERO? */

#ifdef INET6

	sc->sc_im6o.im6o_multicast_hlim = CARP_DFLTTL;

#endif

/*	sc->sc_imo.imo_membership = kmalloc((sizeof(struct in_multi) * IP_MAX_MEMBERSHIPS), M_CARP,M_WAITOK);*/

/*

	sc->sc_imo.imo_max_memberships = IP_MAX_MEMBERSHIPS;

	sc->sc_imo.imo_multicast_vif = -1;

*/

	callout_init(&sc->sc_ad_tmo);

	callout_init(&sc->sc_md_tmo);

	callout_init(&sc->sc_md6_tmo);

	ifp->if_softc = sc;

        if_initname(ifp, CARP_IFNAME, unit);	

	ifp->if_mtu = ETHERMTU;

	ifp->if_flags = IFF_LOOPBACK;

	ifp->if_ioctl = carp_ioctl;

	ifp->if_output = carp_looutput;

	ifp->if_start = carp_start;

	ifp->if_type = IFT_CARP;

	ifp->if_snd.ifq_maxlen = ifqmaxlen;

	ifp->if_hdrlen = 0;

	if_attach(ifp, NULL);

	bpfattach(ifp, DLT_NULL, sizeof(u_int));

	crit_enter();

	LIST_INSERT_HEAD(&carpif_list, sc, sc_next);

	crit_exit();

	return (0);

}

static void

carp_clone_destroy(struct ifnet *ifp)

{

	struct carp_softc *sc = ifp->if_softc;

	if (sc->sc_carpdev)

		CARP_SCLOCK(sc);

	carpdetach(sc, 1);	/* Returns unlocked. */

	crit_enter();

	LIST_REMOVE(sc, sc_next);

	crit_exit();

	bpfdetach(ifp);

	if_detach(ifp);

/*	if_free_type(ifp, IFT_ETHER);*/

/*	kfree(sc->sc_imo.imo_membership, M_CARP); */

	kfree(sc, M_CARP);

}

/*

 * This function can be called on CARP interface destroy path,

 * and in case of the removal of the underlying interface as

 * well. We differentiate these two cases. In the latter case

 * we do not cleanup our multicast memberships, since they

 * are already freed. Also, in the latter case we do not

 * release the lock on return, because the function will be

 * called once more, for another CARP instance on the same

 * interface.

 */