1 /* $OpenBSD: ip6_input.c,v 1.267 2024/11/21 20:15:44 bluhm Exp $ */ 2 /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ 3 4 /* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 /* 34 * Copyright (c) 1982, 1986, 1988, 1993 35 * The Regents of the University of California. All rights reserved. 36 * 37 * Redistribution and use in source and binary forms, with or without 38 * modification, are permitted provided that the following conditions 39 * are met: 40 * 1. Redistributions of source code must retain the above copyright 41 * notice, this list of conditions and the following disclaimer. 42 * 2. Redistributions in binary form must reproduce the above copyright 43 * notice, this list of conditions and the following disclaimer in the 44 * documentation and/or other materials provided with the distribution. 45 * 3. Neither the name of the University nor the names of its contributors 46 * may be used to endorse or promote products derived from this software 47 * without specific prior written permission. 48 * 49 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 50 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 51 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 52 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 53 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 54 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 55 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 56 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 57 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 58 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 59 * SUCH DAMAGE. 60 * 61 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 62 */ 63 64 #include "pf.h" 65 #include "carp.h" 66 67 #include <sys/param.h> 68 #include <sys/systm.h> 69 #include <sys/mbuf.h> 70 #include <sys/domain.h> 71 #include <sys/sysctl.h> 72 #include <sys/protosw.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <sys/errno.h> 76 #include <sys/time.h> 77 #include <sys/timeout.h> 78 #include <sys/kernel.h> 79 #include <sys/syslog.h> 80 #include <sys/task.h> 81 82 #include <net/if.h> 83 #include <net/if_var.h> 84 #include <net/if_types.h> 85 #include <net/route.h> 86 #include <net/netisr.h> 87 88 #include <netinet/in.h> 89 90 #include <netinet/ip.h> 91 92 #include <netinet/in_pcb.h> 93 #include <netinet/ip_var.h> 94 #include <netinet6/in6_var.h> 95 #include <netinet6/in6_ifattach.h> 96 #include <netinet/ip6.h> 97 #include <netinet6/ip6_var.h> 98 #include <netinet/icmp6.h> 99 #include <netinet6/nd6.h> 100 101 #include "gif.h" 102 #include "bpfilter.h" 103 104 #ifdef MROUTING 105 #include <netinet6/ip6_mroute.h> 106 #endif 107 108 #if NPF > 0 109 #include <net/pfvar.h> 110 #endif 111 112 #if NCARP > 0 113 #include <netinet/ip_carp.h> 114 #endif 115 116 struct niqueue ip6intrq = NIQUEUE_INITIALIZER(IPQ_MAXLEN, NETISR_IPV6); 117 118 struct cpumem *ip6counters; 119 120 uint8_t ip6_soiikey[IP6_SOIIKEY_LEN]; 121 122 int ip6_ours(struct mbuf **, int *, int, int, int); 123 int ip6_check_rh0hdr(struct mbuf *, int *); 124 int ip6_hbhchcheck(struct mbuf **, int *, int *, int); 125 int ip6_hopopts_input(struct mbuf **, int *, u_int32_t *, u_int32_t *); 126 struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int); 127 int ip6_sysctl_soiikey(void *, size_t *, void *, size_t); 128 129 static struct mbuf_queue ip6send_mq; 130 131 static void ip6_send_dispatch(void *); 132 static struct task ip6send_task = 133 TASK_INITIALIZER(ip6_send_dispatch, &ip6send_mq); 134 135 /* 136 * IP6 initialization: fill in IP6 protocol switch table. 137 * All protocols not implemented in kernel go to raw IP6 protocol handler. 138 */ 139 void 140 ip6_init(void) 141 { 142 const struct protosw *pr; 143 int i; 144 145 pr = pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW); 146 if (pr == NULL) 147 panic("%s", __func__); 148 for (i = 0; i < IPPROTO_MAX; i++) 149 ip6_protox[i] = pr - inet6sw; 150 for (pr = inet6domain.dom_protosw; 151 pr < inet6domain.dom_protoswNPROTOSW; pr++) 152 if (pr->pr_domain->dom_family == PF_INET6 && 153 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW && 154 pr->pr_protocol < IPPROTO_MAX) 155 ip6_protox[pr->pr_protocol] = pr - inet6sw; 156 ip6_randomid_init(); 157 nd6_init(); 158 frag6_init(); 159 160 mq_init(&ip6send_mq, 64, IPL_SOFTNET); 161 162 ip6counters = counters_alloc(ip6s_ncounters); 163 #ifdef MROUTING 164 rt_timer_queue_init(&ip6_mrouterq, MCAST_EXPIRE_TIMEOUT, 165 &mf6c_expire_route); 166 #endif 167 } 168 169 /* 170 * Enqueue packet for local delivery. Queuing is used as a boundary 171 * between the network layer (input/forward path) running with 172 * NET_LOCK_SHARED() and the transport layer needing it exclusively. 173 */ 174 int 175 ip6_ours(struct mbuf **mp, int *offp, int nxt, int af, int flags) 176 { 177 /* ip6_hbhchcheck() may be run before, then off and nxt are set */ 178 if (*offp == 0) { 179 nxt = ip6_hbhchcheck(mp, offp, NULL, flags); 180 if (nxt == IPPROTO_DONE) 181 return IPPROTO_DONE; 182 } 183 184 /* We are already in a IPv4/IPv6 local deliver loop. */ 185 if (af != AF_UNSPEC) 186 return nxt; 187 188 nxt = ip_deliver(mp, offp, nxt, AF_INET6, 1); 189 if (nxt == IPPROTO_DONE) 190 return IPPROTO_DONE; 191 192 return ip6_ours_enqueue(mp, offp, nxt); 193 } 194 195 int 196 ip6_ours_enqueue(struct mbuf **mp, int *offp, int nxt) 197 { 198 /* save values for later, use after dequeue */ 199 if (*offp != sizeof(struct ip6_hdr)) { 200 struct m_tag *mtag; 201 struct ipoffnxt *ion; 202 203 /* mbuf tags are expensive, but only used for header options */ 204 mtag = m_tag_get(PACKET_TAG_IP6_OFFNXT, sizeof(*ion), 205 M_NOWAIT); 206 if (mtag == NULL) { 207 ip6stat_inc(ip6s_idropped); 208 m_freemp(mp); 209 return IPPROTO_DONE; 210 } 211 ion = (struct ipoffnxt *)(mtag + 1); 212 ion->ion_off = *offp; 213 ion->ion_nxt = nxt; 214 215 m_tag_prepend(*mp, mtag); 216 } 217 218 niq_enqueue(&ip6intrq, *mp); 219 *mp = NULL; 220 return IPPROTO_DONE; 221 } 222 223 /* 224 * Dequeue and process locally delivered packets. 225 * This is called with exclusive NET_LOCK(). 226 */ 227 void 228 ip6intr(void) 229 { 230 struct mbuf *m; 231 232 while ((m = niq_dequeue(&ip6intrq)) != NULL) { 233 struct m_tag *mtag; 234 int off, nxt; 235 236 #ifdef DIAGNOSTIC 237 if ((m->m_flags & M_PKTHDR) == 0) 238 panic("ip6intr no HDR"); 239 #endif 240 mtag = m_tag_find(m, PACKET_TAG_IP6_OFFNXT, NULL); 241 if (mtag != NULL) { 242 struct ipoffnxt *ion; 243 244 ion = (struct ipoffnxt *)(mtag + 1); 245 off = ion->ion_off; 246 nxt = ion->ion_nxt; 247 248 m_tag_delete(m, mtag); 249 } else { 250 struct ip6_hdr *ip6; 251 252 ip6 = mtod(m, struct ip6_hdr *); 253 off = sizeof(struct ip6_hdr); 254 nxt = ip6->ip6_nxt; 255 } 256 nxt = ip_deliver(&m, &off, nxt, AF_INET6, 0); 257 KASSERT(nxt == IPPROTO_DONE); 258 } 259 } 260 261 void 262 ipv6_input(struct ifnet *ifp, struct mbuf *m) 263 { 264 int off, nxt; 265 266 off = 0; 267 nxt = ip6_input_if(&m, &off, IPPROTO_IPV6, AF_UNSPEC, ifp); 268 KASSERT(nxt == IPPROTO_DONE); 269 } 270 271 struct mbuf * 272 ipv6_check(struct ifnet *ifp, struct mbuf *m) 273 { 274 struct ip6_hdr *ip6; 275 276 if (m->m_len < sizeof(*ip6)) { 277 m = m_pullup(m, sizeof(*ip6)); 278 if (m == NULL) { 279 ip6stat_inc(ip6s_toosmall); 280 return (NULL); 281 } 282 } 283 284 ip6 = mtod(m, struct ip6_hdr *); 285 286 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 287 ip6stat_inc(ip6s_badvers); 288 goto bad; 289 } 290 291 /* 292 * Check against address spoofing/corruption. 293 */ 294 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) || 295 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) { 296 /* 297 * XXX: "badscope" is not very suitable for a multicast source. 298 */ 299 ip6stat_inc(ip6s_badscope); 300 goto bad; 301 } 302 if ((IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) || 303 IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) && 304 (ifp->if_flags & IFF_LOOPBACK) == 0) { 305 ip6stat_inc(ip6s_badscope); 306 goto bad; 307 } 308 /* Drop packets if interface ID portion is already filled. */ 309 if (((IN6_IS_SCOPE_EMBED(&ip6->ip6_src) && ip6->ip6_src.s6_addr16[1]) || 310 (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst) && ip6->ip6_dst.s6_addr16[1])) && 311 (ifp->if_flags & IFF_LOOPBACK) == 0) { 312 ip6stat_inc(ip6s_badscope); 313 goto bad; 314 } 315 if (IN6_IS_ADDR_MC_INTFACELOCAL(&ip6->ip6_dst) && 316 !(m->m_flags & M_LOOP)) { 317 /* 318 * In this case, the packet should come from the loopback 319 * interface. However, we cannot just check the if_flags, 320 * because ip6_mloopback() passes the "actual" interface 321 * as the outgoing/incoming interface. 322 */ 323 ip6stat_inc(ip6s_badscope); 324 goto bad; 325 } 326 327 /* 328 * The following check is not documented in specs. A malicious 329 * party may be able to use IPv4 mapped addr to confuse tcp/udp stack 330 * and bypass security checks (act as if it was from 127.0.0.1 by using 331 * IPv6 src ::ffff:127.0.0.1). Be cautious. 332 * 333 * This check chokes if we are in an SIIT cloud. As none of BSDs 334 * support IPv4-less kernel compilation, we cannot support SIIT 335 * environment at all. So, it makes more sense for us to reject any 336 * malicious packets for non-SIIT environment, than try to do a 337 * partial support for SIIT environment. 338 */ 339 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 340 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 341 ip6stat_inc(ip6s_badscope); 342 goto bad; 343 } 344 345 /* 346 * Reject packets with IPv4 compatible addresses (auto tunnel). 347 * 348 * The code forbids automatic tunneling as per RFC4213. 349 */ 350 if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) || 351 IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { 352 ip6stat_inc(ip6s_badscope); 353 goto bad; 354 } 355 356 return (m); 357 bad: 358 m_freem(m); 359 return (NULL); 360 } 361 362 int 363 ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp) 364 { 365 struct route ro; 366 struct mbuf *m; 367 struct ip6_hdr *ip6; 368 struct rtentry *rt; 369 int ours = 0; 370 u_int16_t src_scope, dst_scope; 371 #if NPF > 0 372 struct in6_addr odst; 373 #endif 374 int flags = 0; 375 376 KASSERT(*offp == 0); 377 378 ro.ro_rt = NULL; 379 ip6stat_inc(ip6s_total); 380 m = *mp = ipv6_check(ifp, *mp); 381 if (m == NULL) 382 goto bad; 383 384 ip6 = mtod(m, struct ip6_hdr *); 385 386 #if NCARP > 0 387 if (carp_lsdrop(ifp, m, AF_INET6, ip6->ip6_src.s6_addr32, 388 ip6->ip6_dst.s6_addr32, (ip6->ip6_nxt == IPPROTO_ICMPV6 ? 0 : 1))) 389 goto bad; 390 #endif 391 ip6stat_inc(ip6s_nxthist + ip6->ip6_nxt); 392 393 /* 394 * If the packet has been received on a loopback interface it 395 * can be destined to any local address, not necessarily to 396 * an address configured on `ifp'. 397 */ 398 if (ifp->if_flags & IFF_LOOPBACK) { 399 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) { 400 src_scope = ip6->ip6_src.s6_addr16[1]; 401 ip6->ip6_src.s6_addr16[1] = 0; 402 } 403 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) { 404 dst_scope = ip6->ip6_dst.s6_addr16[1]; 405 ip6->ip6_dst.s6_addr16[1] = 0; 406 } 407 } 408 409 #if NPF > 0 410 /* 411 * Packet filter 412 */ 413 odst = ip6->ip6_dst; 414 if (pf_test(AF_INET6, PF_IN, ifp, mp) != PF_PASS) 415 goto bad; 416 m = *mp; 417 if (m == NULL) 418 goto bad; 419 420 ip6 = mtod(m, struct ip6_hdr *); 421 if (!IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst)) 422 SET(flags, IPV6_REDIRECT); 423 #endif 424 425 switch (atomic_load_int(&ip6_forwarding)) { 426 case 2: 427 SET(flags, IPV6_FORWARDING_IPSEC); 428 /* FALLTHROUGH */ 429 case 1: 430 SET(flags, IPV6_FORWARDING); 431 break; 432 } 433 434 /* 435 * Without embedded scope ID we cannot find link-local 436 * addresses in the routing table. 437 */ 438 if (ifp->if_flags & IFF_LOOPBACK) { 439 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) 440 ip6->ip6_src.s6_addr16[1] = src_scope; 441 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) 442 ip6->ip6_dst.s6_addr16[1] = dst_scope; 443 } else { 444 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) 445 ip6->ip6_src.s6_addr16[1] = htons(ifp->if_index); 446 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) 447 ip6->ip6_dst.s6_addr16[1] = htons(ifp->if_index); 448 } 449 450 /* 451 * Be more secure than RFC5095 and scan for type 0 routing headers. 452 * If pf has already scanned the header chain, do not do it twice. 453 */ 454 if (!(m->m_pkthdr.pf.flags & PF_TAG_PROCESSED) && 455 ip6_check_rh0hdr(m, offp)) { 456 ip6stat_inc(ip6s_badoptions); 457 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, *offp); 458 m = *mp = NULL; 459 goto bad; 460 } 461 462 #if NPF > 0 463 if (pf_ouraddr(m) == 1) { 464 nxt = ip6_ours(mp, offp, nxt, af, flags); 465 goto out; 466 } 467 #endif 468 469 /* 470 * Multicast check 471 */ 472 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 473 /* 474 * Make sure M_MCAST is set. It should theoretically 475 * already be there, but let's play safe because upper 476 * layers check for this flag. 477 */ 478 m->m_flags |= M_MCAST; 479 480 /* 481 * See if we belong to the destination multicast group on the 482 * arrival interface. 483 */ 484 if (in6_hasmulti(&ip6->ip6_dst, ifp)) 485 ours = 1; 486 487 #ifdef MROUTING 488 if (ip6_mforwarding && ip6_mrouter[ifp->if_rdomain]) { 489 int error; 490 491 nxt = ip6_hbhchcheck(&m, offp, &ours, flags); 492 if (nxt == IPPROTO_DONE) 493 goto out; 494 495 ip6 = mtod(m, struct ip6_hdr *); 496 497 /* 498 * If we are acting as a multicast router, all 499 * incoming multicast packets are passed to the 500 * kernel-level multicast forwarding function. 501 * The packet is returned (relatively) intact; if 502 * ip6_mforward() returns a non-zero value, the packet 503 * must be discarded, else it may be accepted below. 504 */ 505 KERNEL_LOCK(); 506 error = ip6_mforward(ip6, ifp, m, flags); 507 KERNEL_UNLOCK(); 508 if (error) { 509 ip6stat_inc(ip6s_cantforward); 510 goto bad; 511 } 512 513 if (ours) { 514 if (af == AF_UNSPEC) 515 nxt = ip6_ours(mp, offp, nxt, af, 516 flags); 517 goto out; 518 } 519 goto bad; 520 } 521 #endif 522 if (!ours) { 523 ip6stat_inc(ip6s_notmember); 524 if (!IN6_IS_ADDR_MC_LINKLOCAL(&ip6->ip6_dst)) 525 ip6stat_inc(ip6s_cantforward); 526 goto bad; 527 } 528 nxt = ip6_ours(mp, offp, nxt, af, flags); 529 goto out; 530 } 531 532 533 /* 534 * Unicast check 535 */ 536 rt = route6_mpath(&ro, &ip6->ip6_dst, &ip6->ip6_src, 537 m->m_pkthdr.ph_rtableid); 538 539 /* 540 * Accept the packet if the route to the destination is marked 541 * as local. 542 */ 543 if (rt != NULL && ISSET(rt->rt_flags, RTF_LOCAL)) { 544 struct in6_ifaddr *ia6 = ifatoia6(rt->rt_ifa); 545 546 if (!ISSET(flags, IPV6_FORWARDING) && 547 rt->rt_ifidx != ifp->if_index && 548 !((ifp->if_flags & IFF_LOOPBACK) || 549 (ifp->if_type == IFT_ENC) || 550 (m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST))) { 551 /* received on wrong interface */ 552 #if NCARP > 0 553 struct ifnet *out_if; 554 555 /* 556 * Virtual IPs on carp interfaces need to be checked 557 * also against the parent interface and other carp 558 * interfaces sharing the same parent. 559 */ 560 out_if = if_get(rt->rt_ifidx); 561 if (!(out_if && carp_strict_addr_chk(out_if, ifp))) { 562 ip6stat_inc(ip6s_wrongif); 563 if_put(out_if); 564 goto bad; 565 } 566 if_put(out_if); 567 #else 568 ip6stat_inc(ip6s_wrongif); 569 goto bad; 570 #endif 571 } 572 /* 573 * packets to a tentative, duplicated, or somehow invalid 574 * address must not be accepted. 575 */ 576 if ((ia6->ia6_flags & (IN6_IFF_TENTATIVE|IN6_IFF_DUPLICATED))) { 577 char src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN]; 578 579 inet_ntop(AF_INET6, &ip6->ip6_src, src, sizeof(src)); 580 inet_ntop(AF_INET6, &ip6->ip6_dst, dst, sizeof(dst)); 581 /* address is not ready, so discard the packet. */ 582 nd6log((LOG_INFO, 583 "%s: packet to an unready address %s->%s\n", 584 __func__, src, dst)); 585 586 goto bad; 587 } else { 588 nxt = ip6_ours(mp, offp, nxt, af, flags); 589 goto out; 590 } 591 } 592 593 #if NCARP > 0 594 if (ip6->ip6_nxt == IPPROTO_ICMPV6 && 595 carp_lsdrop(ifp, m, AF_INET6, ip6->ip6_src.s6_addr32, 596 ip6->ip6_dst.s6_addr32, 1)) 597 goto bad; 598 #endif 599 /* 600 * Now there is no reason to process the packet if it's not our own 601 * and we're not a router. 602 */ 603 if (!ISSET(flags, IPV6_FORWARDING)) { 604 ip6stat_inc(ip6s_cantforward); 605 goto bad; 606 } 607 608 nxt = ip6_hbhchcheck(&m, offp, &ours, flags); 609 if (nxt == IPPROTO_DONE) 610 goto out; 611 612 if (ours) { 613 if (af == AF_UNSPEC) 614 nxt = ip6_ours(mp, offp, nxt, af, flags); 615 goto out; 616 } 617 618 #ifdef IPSEC 619 if (ipsec_in_use) { 620 int rv; 621 622 rv = ipsec_forward_check(m, *offp, AF_INET6); 623 if (rv != 0) { 624 ip6stat_inc(ip6s_cantforward); 625 goto bad; 626 } 627 /* 628 * Fall through, forward packet. Outbound IPsec policy 629 * checking will occur in ip6_forward(). 630 */ 631 } 632 #endif /* IPSEC */ 633 634 ip6_forward(m, &ro, flags); 635 *mp = NULL; 636 rtfree(ro.ro_rt); 637 return IPPROTO_DONE; 638 bad: 639 nxt = IPPROTO_DONE; 640 m_freemp(mp); 641 out: 642 rtfree(ro.ro_rt); 643 return nxt; 644 } 645 646 /* On error free mbuf and return IPPROTO_DONE. */ 647 int 648 ip6_hbhchcheck(struct mbuf **mp, int *offp, int *oursp, int flags) 649 { 650 struct ip6_hdr *ip6; 651 u_int32_t plen, rtalert = ~0; 652 int nxt; 653 654 ip6 = mtod(*mp, struct ip6_hdr *); 655 656 /* 657 * Process Hop-by-Hop options header if it's contained. 658 * m may be modified in ip6_hopopts_input(). 659 * If a JumboPayload option is included, plen will also be modified. 660 */ 661 plen = (u_int32_t)ntohs(ip6->ip6_plen); 662 *offp = sizeof(struct ip6_hdr); 663 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 664 struct ip6_hbh *hbh; 665 666 if (ip6_hopopts_input(mp, offp, &plen, &rtalert)) 667 goto bad; /* m have already been freed */ 668 669 /* adjust pointer */ 670 ip6 = mtod(*mp, struct ip6_hdr *); 671 672 /* 673 * if the payload length field is 0 and the next header field 674 * indicates Hop-by-Hop Options header, then a Jumbo Payload 675 * option MUST be included. 676 */ 677 if (ip6->ip6_plen == 0 && plen == 0) { 678 /* 679 * Note that if a valid jumbo payload option is 680 * contained, ip6_hopopts_input() must set a valid 681 * (non-zero) payload length to the variable plen. 682 */ 683 ip6stat_inc(ip6s_badoptions); 684 icmp6_error(*mp, ICMP6_PARAM_PROB, 685 ICMP6_PARAMPROB_HEADER, 686 (caddr_t)&ip6->ip6_plen - (caddr_t)ip6); 687 goto bad; 688 } 689 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, *mp, 690 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh)); 691 if (hbh == NULL) { 692 ip6stat_inc(ip6s_tooshort); 693 goto bad; 694 } 695 nxt = hbh->ip6h_nxt; 696 697 /* 698 * accept the packet if a router alert option is included 699 * and we act as an IPv6 router. 700 */ 701 if (rtalert != ~0 && ISSET(flags, IPV6_FORWARDING) && 702 oursp != NULL) 703 *oursp = 1; 704 } else 705 nxt = ip6->ip6_nxt; 706 707 /* 708 * Check that the amount of data in the buffers 709 * is as at least much as the IPv6 header would have us expect. 710 * Trim mbufs if longer than we expect. 711 * Drop packet if shorter than we expect. 712 */ 713 if ((*mp)->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) { 714 ip6stat_inc(ip6s_tooshort); 715 m_freemp(mp); 716 goto bad; 717 } 718 if ((*mp)->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) { 719 if ((*mp)->m_len == (*mp)->m_pkthdr.len) { 720 (*mp)->m_len = sizeof(struct ip6_hdr) + plen; 721 (*mp)->m_pkthdr.len = sizeof(struct ip6_hdr) + plen; 722 } else { 723 m_adj((*mp), sizeof(struct ip6_hdr) + plen - 724 (*mp)->m_pkthdr.len); 725 } 726 } 727 728 return nxt; 729 bad: 730 return IPPROTO_DONE; 731 } 732 733 /* scan packet for RH0 routing header. Mostly stolen from pf.c:pf_test() */ 734 int 735 ip6_check_rh0hdr(struct mbuf *m, int *offp) 736 { 737 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 738 struct ip6_rthdr rthdr; 739 struct ip6_ext opt6; 740 u_int8_t proto = ip6->ip6_nxt; 741 int done = 0, lim, off, rh_cnt = 0; 742 743 off = ((caddr_t)ip6 - m->m_data) + sizeof(struct ip6_hdr); 744 lim = min(m->m_pkthdr.len, ntohs(ip6->ip6_plen) + sizeof(*ip6)); 745 do { 746 switch (proto) { 747 case IPPROTO_ROUTING: 748 if (rh_cnt++) { 749 /* more than one rh header present */ 750 *offp = off; 751 return (1); 752 } 753 754 if (off + sizeof(rthdr) > lim) { 755 /* packet to short to make sense */ 756 *offp = off; 757 return (1); 758 } 759 760 m_copydata(m, off, sizeof(rthdr), &rthdr); 761 762 if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) { 763 *offp = off + 764 offsetof(struct ip6_rthdr, ip6r_type); 765 return (1); 766 } 767 768 off += (rthdr.ip6r_len + 1) * 8; 769 proto = rthdr.ip6r_nxt; 770 break; 771 case IPPROTO_AH: 772 case IPPROTO_HOPOPTS: 773 case IPPROTO_DSTOPTS: 774 /* get next header and header length */ 775 if (off + sizeof(opt6) > lim) { 776 /* 777 * Packet to short to make sense, we could 778 * reject the packet but as a router we 779 * should not do that so forward it. 780 */ 781 return (0); 782 } 783 784 m_copydata(m, off, sizeof(opt6), &opt6); 785 786 if (proto == IPPROTO_AH) 787 off += (opt6.ip6e_len + 2) * 4; 788 else 789 off += (opt6.ip6e_len + 1) * 8; 790 proto = opt6.ip6e_nxt; 791 break; 792 case IPPROTO_FRAGMENT: 793 default: 794 /* end of header stack */ 795 done = 1; 796 break; 797 } 798 } while (!done); 799 800 return (0); 801 } 802 803 /* 804 * Hop-by-Hop options header processing. If a valid jumbo payload option is 805 * included, the real payload length will be stored in plenp. 806 * On error free mbuf and return -1. 807 * 808 * rtalertp - XXX: should be stored in a more smart way 809 */ 810 int 811 ip6_hopopts_input(struct mbuf **mp, int *offp, u_int32_t *plenp, 812 u_int32_t *rtalertp) 813 { 814 int off = *offp, hbhlen; 815 struct ip6_hbh *hbh; 816 817 /* validation of the length of the header */ 818 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, *mp, 819 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh)); 820 if (hbh == NULL) { 821 ip6stat_inc(ip6s_tooshort); 822 return -1; 823 } 824 hbhlen = (hbh->ip6h_len + 1) << 3; 825 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, *mp, sizeof(struct ip6_hdr), 826 hbhlen); 827 if (hbh == NULL) { 828 ip6stat_inc(ip6s_tooshort); 829 return -1; 830 } 831 off += hbhlen; 832 hbhlen -= sizeof(struct ip6_hbh); 833 834 if (ip6_process_hopopts(mp, (u_int8_t *)hbh + sizeof(struct ip6_hbh), 835 hbhlen, rtalertp, plenp) < 0) 836 return (-1); 837 838 *offp = off; 839 return (0); 840 } 841 842 /* 843 * Search header for all Hop-by-hop options and process each option. 844 * This function is separate from ip6_hopopts_input() in order to 845 * handle a case where the sending node itself process its hop-by-hop 846 * options header. In such a case, the function is called from ip6_output(). 847 * On error free mbuf and return -1. 848 * 849 * The function assumes that hbh header is located right after the IPv6 header 850 * (RFC2460 p7), opthead is pointer into data content in m, and opthead to 851 * opthead + hbhlen is located in continuous memory region. 852 */ 853 int 854 ip6_process_hopopts(struct mbuf **mp, u_int8_t *opthead, int hbhlen, 855 u_int32_t *rtalertp, u_int32_t *plenp) 856 { 857 struct ip6_hdr *ip6; 858 int optlen = 0; 859 u_int8_t *opt = opthead; 860 u_int16_t rtalert_val; 861 u_int32_t jumboplen; 862 const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh); 863 864 for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) { 865 switch (*opt) { 866 case IP6OPT_PAD1: 867 optlen = 1; 868 break; 869 case IP6OPT_PADN: 870 if (hbhlen < IP6OPT_MINLEN) { 871 ip6stat_inc(ip6s_toosmall); 872 goto bad; 873 } 874 optlen = *(opt + 1) + 2; 875 break; 876 case IP6OPT_ROUTER_ALERT: 877 /* XXX may need check for alignment */ 878 if (hbhlen < IP6OPT_RTALERT_LEN) { 879 ip6stat_inc(ip6s_toosmall); 880 goto bad; 881 } 882 if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) { 883 /* XXX stat */ 884 icmp6_error(*mp, ICMP6_PARAM_PROB, 885 ICMP6_PARAMPROB_HEADER, 886 erroff + opt + 1 - opthead); 887 return (-1); 888 } 889 optlen = IP6OPT_RTALERT_LEN; 890 memcpy((caddr_t)&rtalert_val, (caddr_t)(opt + 2), 2); 891 *rtalertp = ntohs(rtalert_val); 892 break; 893 case IP6OPT_JUMBO: 894 /* XXX may need check for alignment */ 895 if (hbhlen < IP6OPT_JUMBO_LEN) { 896 ip6stat_inc(ip6s_toosmall); 897 goto bad; 898 } 899 if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) { 900 /* XXX stat */ 901 icmp6_error(*mp, ICMP6_PARAM_PROB, 902 ICMP6_PARAMPROB_HEADER, 903 erroff + opt + 1 - opthead); 904 return (-1); 905 } 906 optlen = IP6OPT_JUMBO_LEN; 907 908 /* 909 * IPv6 packets that have non 0 payload length 910 * must not contain a jumbo payload option. 911 */ 912 ip6 = mtod(*mp, struct ip6_hdr *); 913 if (ip6->ip6_plen) { 914 ip6stat_inc(ip6s_badoptions); 915 icmp6_error(*mp, ICMP6_PARAM_PROB, 916 ICMP6_PARAMPROB_HEADER, 917 erroff + opt - opthead); 918 return (-1); 919 } 920 921 /* 922 * We may see jumbolen in unaligned location, so 923 * we'd need to perform memcpy(). 924 */ 925 memcpy(&jumboplen, opt + 2, sizeof(jumboplen)); 926 jumboplen = (u_int32_t)htonl(jumboplen); 927 928 #if 1 929 /* 930 * if there are multiple jumbo payload options, 931 * *plenp will be non-zero and the packet will be 932 * rejected. 933 * the behavior may need some debate in ipngwg - 934 * multiple options does not make sense, however, 935 * there's no explicit mention in specification. 936 */ 937 if (*plenp != 0) { 938 ip6stat_inc(ip6s_badoptions); 939 icmp6_error(*mp, ICMP6_PARAM_PROB, 940 ICMP6_PARAMPROB_HEADER, 941 erroff + opt + 2 - opthead); 942 return (-1); 943 } 944 #endif 945 946 /* 947 * jumbo payload length must be larger than 65535. 948 */ 949 if (jumboplen <= IPV6_MAXPACKET) { 950 ip6stat_inc(ip6s_badoptions); 951 icmp6_error(*mp, ICMP6_PARAM_PROB, 952 ICMP6_PARAMPROB_HEADER, 953 erroff + opt + 2 - opthead); 954 return (-1); 955 } 956 *plenp = jumboplen; 957 958 break; 959 default: /* unknown option */ 960 if (hbhlen < IP6OPT_MINLEN) { 961 ip6stat_inc(ip6s_toosmall); 962 goto bad; 963 } 964 optlen = ip6_unknown_opt(mp, opt, 965 erroff + opt - opthead); 966 if (optlen == -1) 967 return (-1); 968 optlen += 2; 969 break; 970 } 971 } 972 973 return (0); 974 975 bad: 976 m_freemp(mp); 977 return (-1); 978 } 979 980 /* 981 * Unknown option processing. 982 * The third argument `off' is the offset from the IPv6 header to the option, 983 * which allows returning an ICMPv6 error even if the IPv6 header and the 984 * option header are not continuous. 985 * On error free mbuf and return -1. 986 */ 987 int 988 ip6_unknown_opt(struct mbuf **mp, u_int8_t *optp, int off) 989 { 990 struct ip6_hdr *ip6; 991 992 switch (IP6OPT_TYPE(*optp)) { 993 case IP6OPT_TYPE_SKIP: /* ignore the option */ 994 return ((int)*(optp + 1)); 995 case IP6OPT_TYPE_DISCARD: /* silently discard */ 996 m_freemp(mp); 997 return (-1); 998 case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */ 999 ip6stat_inc(ip6s_badoptions); 1000 icmp6_error(*mp, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off); 1001 return (-1); 1002 case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */ 1003 ip6stat_inc(ip6s_badoptions); 1004 ip6 = mtod(*mp, struct ip6_hdr *); 1005 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) || 1006 ((*mp)->m_flags & (M_BCAST|M_MCAST))) 1007 m_freemp(mp); 1008 else 1009 icmp6_error(*mp, ICMP6_PARAM_PROB, 1010 ICMP6_PARAMPROB_OPTION, off); 1011 return (-1); 1012 } 1013 1014 m_freemp(mp); /* XXX: NOTREACHED */ 1015 return (-1); 1016 } 1017 1018 /* 1019 * Create the "control" list for this pcb. 1020 * 1021 * The routine will be called from upper layer handlers like udp_input(). 1022 * Thus the routine assumes that the caller (udp_input) have already 1023 * called IP6_EXTHDR_CHECK() and all the extension headers are located in the 1024 * very first mbuf on the mbuf chain. 1025 * We may want to add some infinite loop prevention or sanity checks for safety. 1026 * (This applies only when you are using KAME mbuf chain restriction, i.e. 1027 * you are using IP6_EXTHDR_CHECK() not m_pulldown()) 1028 */ 1029 void 1030 ip6_savecontrol(struct inpcb *inp, struct mbuf *m, struct mbuf **mp) 1031 { 1032 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1033 1034 if (inp->inp_socket->so_options & SO_TIMESTAMP) { 1035 struct timeval tv; 1036 1037 m_microtime(m, &tv); 1038 *mp = sbcreatecontrol((caddr_t) &tv, sizeof(tv), 1039 SCM_TIMESTAMP, SOL_SOCKET); 1040 if (*mp) 1041 mp = &(*mp)->m_next; 1042 } 1043 1044 /* RFC 2292 sec. 5 */ 1045 if ((inp->inp_flags & IN6P_PKTINFO) != 0) { 1046 struct in6_pktinfo pi6; 1047 memcpy(&pi6.ipi6_addr, &ip6->ip6_dst, sizeof(struct in6_addr)); 1048 if (IN6_IS_SCOPE_EMBED(&pi6.ipi6_addr)) 1049 pi6.ipi6_addr.s6_addr16[1] = 0; 1050 pi6.ipi6_ifindex = m ? m->m_pkthdr.ph_ifidx : 0; 1051 *mp = sbcreatecontrol((caddr_t) &pi6, 1052 sizeof(struct in6_pktinfo), 1053 IPV6_PKTINFO, IPPROTO_IPV6); 1054 if (*mp) 1055 mp = &(*mp)->m_next; 1056 } 1057 1058 if ((inp->inp_flags & IN6P_HOPLIMIT) != 0) { 1059 int hlim = ip6->ip6_hlim & 0xff; 1060 *mp = sbcreatecontrol((caddr_t) &hlim, sizeof(int), 1061 IPV6_HOPLIMIT, IPPROTO_IPV6); 1062 if (*mp) 1063 mp = &(*mp)->m_next; 1064 } 1065 1066 if ((inp->inp_flags & IN6P_TCLASS) != 0) { 1067 u_int32_t flowinfo; 1068 int tclass; 1069 1070 flowinfo = (u_int32_t)ntohl(ip6->ip6_flow & IPV6_FLOWINFO_MASK); 1071 flowinfo >>= 20; 1072 1073 tclass = flowinfo & 0xff; 1074 *mp = sbcreatecontrol((caddr_t)&tclass, sizeof(tclass), 1075 IPV6_TCLASS, IPPROTO_IPV6); 1076 if (*mp) 1077 mp = &(*mp)->m_next; 1078 } 1079 1080 /* 1081 * IPV6_HOPOPTS socket option. Recall that we required super-user 1082 * privilege for the option (see ip6_ctloutput), but it might be too 1083 * strict, since there might be some hop-by-hop options which can be 1084 * returned to normal user. 1085 * See also RFC 2292 section 6 (or RFC 3542 section 8). 1086 */ 1087 if ((inp->inp_flags & IN6P_HOPOPTS) != 0) { 1088 /* 1089 * Check if a hop-by-hop options header is contained in the 1090 * received packet, and if so, store the options as ancillary 1091 * data. Note that a hop-by-hop options header must be 1092 * just after the IPv6 header, which is assured through the 1093 * IPv6 input processing. 1094 */ 1095 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1096 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 1097 struct ip6_hbh *hbh; 1098 int hbhlen = 0; 1099 struct mbuf *ext; 1100 1101 ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr), 1102 ip6->ip6_nxt); 1103 if (ext == NULL) { 1104 ip6stat_inc(ip6s_tooshort); 1105 return; 1106 } 1107 hbh = mtod(ext, struct ip6_hbh *); 1108 hbhlen = (hbh->ip6h_len + 1) << 3; 1109 if (hbhlen != ext->m_len) { 1110 m_freem(ext); 1111 ip6stat_inc(ip6s_tooshort); 1112 return; 1113 } 1114 1115 /* 1116 * XXX: We copy the whole header even if a 1117 * jumbo payload option is included, the option which 1118 * is to be removed before returning according to 1119 * RFC2292. 1120 * Note: this constraint is removed in RFC3542. 1121 */ 1122 *mp = sbcreatecontrol((caddr_t)hbh, hbhlen, 1123 IPV6_HOPOPTS, 1124 IPPROTO_IPV6); 1125 if (*mp) 1126 mp = &(*mp)->m_next; 1127 m_freem(ext); 1128 } 1129 } 1130 1131 /* IPV6_DSTOPTS and IPV6_RTHDR socket options */ 1132 if ((inp->inp_flags & (IN6P_RTHDR | IN6P_DSTOPTS)) != 0) { 1133 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1134 int nxt = ip6->ip6_nxt, off = sizeof(struct ip6_hdr); 1135 1136 /* 1137 * Search for destination options headers or routing 1138 * header(s) through the header chain, and stores each 1139 * header as ancillary data. 1140 * Note that the order of the headers remains in 1141 * the chain of ancillary data. 1142 */ 1143 while (1) { /* is explicit loop prevention necessary? */ 1144 struct ip6_ext *ip6e = NULL; 1145 int elen; 1146 struct mbuf *ext = NULL; 1147 1148 /* 1149 * if it is not an extension header, don't try to 1150 * pull it from the chain. 1151 */ 1152 switch (nxt) { 1153 case IPPROTO_DSTOPTS: 1154 case IPPROTO_ROUTING: 1155 case IPPROTO_HOPOPTS: 1156 case IPPROTO_AH: /* is it possible? */ 1157 break; 1158 default: 1159 goto loopend; 1160 } 1161 1162 ext = ip6_pullexthdr(m, off, nxt); 1163 if (ext == NULL) { 1164 ip6stat_inc(ip6s_tooshort); 1165 return; 1166 } 1167 ip6e = mtod(ext, struct ip6_ext *); 1168 if (nxt == IPPROTO_AH) 1169 elen = (ip6e->ip6e_len + 2) << 2; 1170 else 1171 elen = (ip6e->ip6e_len + 1) << 3; 1172 if (elen != ext->m_len) { 1173 m_freem(ext); 1174 ip6stat_inc(ip6s_tooshort); 1175 return; 1176 } 1177 1178 switch (nxt) { 1179 case IPPROTO_DSTOPTS: 1180 if (!(inp->inp_flags & IN6P_DSTOPTS)) 1181 break; 1182 1183 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1184 IPV6_DSTOPTS, 1185 IPPROTO_IPV6); 1186 if (*mp) 1187 mp = &(*mp)->m_next; 1188 break; 1189 1190 case IPPROTO_ROUTING: 1191 if (!(inp->inp_flags & IN6P_RTHDR)) 1192 break; 1193 1194 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1195 IPV6_RTHDR, 1196 IPPROTO_IPV6); 1197 if (*mp) 1198 mp = &(*mp)->m_next; 1199 break; 1200 1201 case IPPROTO_HOPOPTS: 1202 case IPPROTO_AH: /* is it possible? */ 1203 break; 1204 1205 default: 1206 /* 1207 * other cases have been filtered in the above. 1208 * none will visit this case. here we supply 1209 * the code just in case (nxt overwritten or 1210 * other cases). 1211 */ 1212 m_freem(ext); 1213 goto loopend; 1214 1215 } 1216 1217 /* proceed with the next header. */ 1218 off += elen; 1219 nxt = ip6e->ip6e_nxt; 1220 ip6e = NULL; 1221 m_freem(ext); 1222 ext = NULL; 1223 } 1224 loopend: 1225 ; 1226 } 1227 } 1228 1229 /* 1230 * pull single extension header from mbuf chain. returns single mbuf that 1231 * contains the result, or NULL on error. 1232 */ 1233 struct mbuf * 1234 ip6_pullexthdr(struct mbuf *m, size_t off, int nxt) 1235 { 1236 struct ip6_ext ip6e; 1237 size_t elen; 1238 struct mbuf *n; 1239 1240 #ifdef DIAGNOSTIC 1241 switch (nxt) { 1242 case IPPROTO_DSTOPTS: 1243 case IPPROTO_ROUTING: 1244 case IPPROTO_HOPOPTS: 1245 case IPPROTO_AH: /* is it possible? */ 1246 break; 1247 default: 1248 printf("ip6_pullexthdr: invalid nxt=%d\n", nxt); 1249 } 1250 #endif 1251 1252 if (off + sizeof(ip6e) > m->m_pkthdr.len) 1253 return NULL; 1254 1255 m_copydata(m, off, sizeof(ip6e), &ip6e); 1256 if (nxt == IPPROTO_AH) 1257 elen = (ip6e.ip6e_len + 2) << 2; 1258 else 1259 elen = (ip6e.ip6e_len + 1) << 3; 1260 1261 if (off + elen > m->m_pkthdr.len) 1262 return NULL; 1263 1264 MGET(n, M_DONTWAIT, MT_DATA); 1265 if (n && elen >= MLEN) { 1266 MCLGET(n, M_DONTWAIT); 1267 if ((n->m_flags & M_EXT) == 0) { 1268 m_free(n); 1269 n = NULL; 1270 } 1271 } 1272 if (n == NULL) { 1273 ip6stat_inc(ip6s_idropped); 1274 return NULL; 1275 } 1276 1277 n->m_len = 0; 1278 if (elen >= m_trailingspace(n)) { 1279 m_free(n); 1280 return NULL; 1281 } 1282 1283 m_copydata(m, off, elen, mtod(n, caddr_t)); 1284 n->m_len = elen; 1285 return n; 1286 } 1287 1288 /* 1289 * Get offset to the previous header followed by the header 1290 * currently processed. 1291 */ 1292 int 1293 ip6_get_prevhdr(struct mbuf *m, int off) 1294 { 1295 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1296 1297 if (off == sizeof(struct ip6_hdr)) { 1298 return offsetof(struct ip6_hdr, ip6_nxt); 1299 } else if (off < sizeof(struct ip6_hdr)) { 1300 panic("%s: off < sizeof(struct ip6_hdr)", __func__); 1301 } else { 1302 int len, nlen, nxt; 1303 struct ip6_ext ip6e; 1304 1305 nxt = ip6->ip6_nxt; 1306 len = sizeof(struct ip6_hdr); 1307 nlen = 0; 1308 while (len < off) { 1309 m_copydata(m, len, sizeof(ip6e), &ip6e); 1310 1311 switch (nxt) { 1312 case IPPROTO_FRAGMENT: 1313 nlen = sizeof(struct ip6_frag); 1314 break; 1315 case IPPROTO_AH: 1316 nlen = (ip6e.ip6e_len + 2) << 2; 1317 break; 1318 default: 1319 nlen = (ip6e.ip6e_len + 1) << 3; 1320 break; 1321 } 1322 len += nlen; 1323 nxt = ip6e.ip6e_nxt; 1324 } 1325 1326 return (len - nlen); 1327 } 1328 } 1329 1330 /* 1331 * get next header offset. m will be retained. 1332 */ 1333 int 1334 ip6_nexthdr(struct mbuf *m, int off, int proto, int *nxtp) 1335 { 1336 struct ip6_hdr ip6; 1337 struct ip6_ext ip6e; 1338 struct ip6_frag fh; 1339 1340 /* just in case */ 1341 if (m == NULL) 1342 panic("%s: m == NULL", __func__); 1343 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off) 1344 return -1; 1345 1346 switch (proto) { 1347 case IPPROTO_IPV6: 1348 if (m->m_pkthdr.len < off + sizeof(ip6)) 1349 return -1; 1350 m_copydata(m, off, sizeof(ip6), &ip6); 1351 if (nxtp) 1352 *nxtp = ip6.ip6_nxt; 1353 off += sizeof(ip6); 1354 return off; 1355 1356 case IPPROTO_FRAGMENT: 1357 /* 1358 * terminate parsing if it is not the first fragment, 1359 * it does not make sense to parse through it. 1360 */ 1361 if (m->m_pkthdr.len < off + sizeof(fh)) 1362 return -1; 1363 m_copydata(m, off, sizeof(fh), &fh); 1364 if ((fh.ip6f_offlg & IP6F_OFF_MASK) != 0) 1365 return -1; 1366 if (nxtp) 1367 *nxtp = fh.ip6f_nxt; 1368 off += sizeof(struct ip6_frag); 1369 return off; 1370 1371 case IPPROTO_AH: 1372 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1373 return -1; 1374 m_copydata(m, off, sizeof(ip6e), &ip6e); 1375 if (nxtp) 1376 *nxtp = ip6e.ip6e_nxt; 1377 off += (ip6e.ip6e_len + 2) << 2; 1378 if (m->m_pkthdr.len < off) 1379 return -1; 1380 return off; 1381 1382 case IPPROTO_HOPOPTS: 1383 case IPPROTO_ROUTING: 1384 case IPPROTO_DSTOPTS: 1385 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1386 return -1; 1387 m_copydata(m, off, sizeof(ip6e), &ip6e); 1388 if (nxtp) 1389 *nxtp = ip6e.ip6e_nxt; 1390 off += (ip6e.ip6e_len + 1) << 3; 1391 if (m->m_pkthdr.len < off) 1392 return -1; 1393 return off; 1394 1395 case IPPROTO_NONE: 1396 case IPPROTO_ESP: 1397 case IPPROTO_IPCOMP: 1398 /* give up */ 1399 return -1; 1400 1401 default: 1402 return -1; 1403 } 1404 1405 return -1; 1406 } 1407 1408 /* 1409 * get offset for the last header in the chain. m will be kept untainted. 1410 */ 1411 int 1412 ip6_lasthdr(struct mbuf *m, int off, int proto, int *nxtp) 1413 { 1414 int newoff; 1415 int nxt; 1416 1417 if (!nxtp) { 1418 nxt = -1; 1419 nxtp = &nxt; 1420 } 1421 while (1) { 1422 newoff = ip6_nexthdr(m, off, proto, nxtp); 1423 if (newoff < 0) 1424 return off; 1425 else if (newoff < off) 1426 return -1; /* invalid */ 1427 else if (newoff == off) 1428 return newoff; 1429 1430 off = newoff; 1431 proto = *nxtp; 1432 } 1433 } 1434 1435 /* 1436 * System control for IP6 1437 */ 1438 1439 const u_char inet6ctlerrmap[PRC_NCMDS] = { 1440 0, 0, 0, 0, 1441 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH, 1442 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, 1443 EMSGSIZE, EHOSTUNREACH, 0, 0, 1444 0, 0, 0, 0, 1445 ENOPROTOOPT 1446 }; 1447 1448 #ifdef MROUTING 1449 extern int ip6_mrtproto; 1450 #endif 1451 1452 const struct sysctl_bounded_args ipv6ctl_vars_unlocked[] = { 1453 { IPV6CTL_FORWARDING, &ip6_forwarding, 0, 2 }, 1454 { IPV6CTL_SENDREDIRECTS, &ip6_sendredirects, 0, 1 }, 1455 }; 1456 1457 const struct sysctl_bounded_args ipv6ctl_vars[] = { 1458 { IPV6CTL_DAD_PENDING, &ip6_dad_pending, SYSCTL_INT_READONLY }, 1459 #ifdef MROUTING 1460 { IPV6CTL_MRTPROTO, &ip6_mrtproto, SYSCTL_INT_READONLY }, 1461 #endif 1462 { IPV6CTL_DEFHLIM, &ip6_defhlim, 0, 255 }, 1463 { IPV6CTL_MAXFRAGPACKETS, &ip6_maxfragpackets, 0, 1000 }, 1464 { IPV6CTL_LOG_INTERVAL, &ip6_log_interval, 0, INT_MAX }, 1465 { IPV6CTL_HDRNESTLIMIT, &ip6_hdrnestlimit, 0, 100 }, 1466 { IPV6CTL_DAD_COUNT, &ip6_dad_count, 0, 10 }, 1467 { IPV6CTL_AUTO_FLOWLABEL, &ip6_auto_flowlabel, 0, 1 }, 1468 { IPV6CTL_DEFMCASTHLIM, &ip6_defmcasthlim, 0, 255 }, 1469 { IPV6CTL_USE_DEPRECATED, &ip6_use_deprecated, 0, 1 }, 1470 { IPV6CTL_MAXFRAGS, &ip6_maxfrags, 0, 1000 }, 1471 { IPV6CTL_MFORWARDING, &ip6_mforwarding, 0, 1 }, 1472 { IPV6CTL_MCAST_PMTU, &ip6_mcast_pmtu, 0, 1 }, 1473 { IPV6CTL_NEIGHBORGCTHRESH, &ip6_neighborgcthresh, -1, 5 * 2048 }, 1474 { IPV6CTL_MAXDYNROUTES, &ip6_maxdynroutes, -1, 5 * 4096 }, 1475 }; 1476 1477 int 1478 ip6_sysctl_ip6stat(void *oldp, size_t *oldlenp, void *newp) 1479 { 1480 struct ip6stat *ip6stat; 1481 int ret; 1482 1483 CTASSERT(sizeof(*ip6stat) == (ip6s_ncounters * sizeof(uint64_t))); 1484 1485 ip6stat = malloc(sizeof(*ip6stat), M_TEMP, M_WAITOK); 1486 counters_read(ip6counters, (uint64_t *)ip6stat, ip6s_ncounters, NULL); 1487 ret = sysctl_rdstruct(oldp, oldlenp, newp, 1488 ip6stat, sizeof(*ip6stat)); 1489 free(ip6stat, M_TEMP, sizeof(*ip6stat)); 1490 1491 return (ret); 1492 } 1493 1494 int 1495 ip6_sysctl_soiikey(void *oldp, size_t *oldlenp, void *newp, size_t newlen) 1496 { 1497 uint8_t oldkey[IP6_SOIIKEY_LEN]; 1498 int error; 1499 1500 error = suser(curproc); 1501 if (error != 0) 1502 return (error); 1503 1504 memcpy(oldkey, ip6_soiikey, sizeof(oldkey)); 1505 1506 error = sysctl_struct(oldp, oldlenp, newp, newlen, ip6_soiikey, 1507 sizeof(ip6_soiikey)); 1508 1509 return (error); 1510 } 1511 1512 int 1513 ip6_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, 1514 void *newp, size_t newlen) 1515 { 1516 #ifdef MROUTING 1517 extern struct mrt6stat mrt6stat; 1518 #endif 1519 int oldval, error; 1520 1521 /* Almost all sysctl names at this level are terminal. */ 1522 if (namelen != 1 && name[0] != IPV6CTL_IFQUEUE) 1523 return (ENOTDIR); 1524 1525 switch (name[0]) { 1526 case IPV6CTL_STATS: 1527 return (ip6_sysctl_ip6stat(oldp, oldlenp, newp)); 1528 #ifdef MROUTING 1529 case IPV6CTL_MRTSTATS: 1530 if (newp != NULL) 1531 return (EPERM); 1532 NET_LOCK(); 1533 error = sysctl_struct(oldp, oldlenp, newp, newlen, 1534 &mrt6stat, sizeof(mrt6stat)); 1535 NET_UNLOCK(); 1536 return (error); 1537 case IPV6CTL_MRTMIF: 1538 if (newp) 1539 return (EPERM); 1540 NET_LOCK(); 1541 error = mrt6_sysctl_mif(oldp, oldlenp); 1542 NET_UNLOCK(); 1543 return (error); 1544 case IPV6CTL_MRTMFC: 1545 if (newp) 1546 return (EPERM); 1547 NET_LOCK(); 1548 error = mrt6_sysctl_mfc(oldp, oldlenp); 1549 NET_UNLOCK(); 1550 return (error); 1551 #else 1552 case IPV6CTL_MRTSTATS: 1553 case IPV6CTL_MRTPROTO: 1554 case IPV6CTL_MRTMIF: 1555 case IPV6CTL_MRTMFC: 1556 return (EOPNOTSUPP); 1557 #endif 1558 case IPV6CTL_MTUDISCTIMEOUT: 1559 NET_LOCK(); 1560 error = sysctl_int_bounded(oldp, oldlenp, newp, newlen, 1561 &ip6_mtudisc_timeout, 0, INT_MAX); 1562 rt_timer_queue_change(&icmp6_mtudisc_timeout_q, 1563 ip6_mtudisc_timeout); 1564 NET_UNLOCK(); 1565 return (error); 1566 case IPV6CTL_IFQUEUE: 1567 return (sysctl_niq(name + 1, namelen - 1, 1568 oldp, oldlenp, newp, newlen, &ip6intrq)); 1569 case IPV6CTL_SOIIKEY: 1570 return (ip6_sysctl_soiikey(oldp, oldlenp, newp, newlen)); 1571 case IPV6CTL_MULTIPATH: 1572 NET_LOCK(); 1573 oldval = ip6_multipath; 1574 error = sysctl_int_bounded(oldp, oldlenp, newp, newlen, 1575 &ip6_multipath, 0, 1); 1576 if (oldval != ip6_multipath) 1577 atomic_inc_long(&rtgeneration); 1578 NET_UNLOCK(); 1579 return (error); 1580 case IPV6CTL_FORWARDING: 1581 case IPV6CTL_SENDREDIRECTS: 1582 return (sysctl_bounded_arr( 1583 ipv6ctl_vars_unlocked, nitems(ipv6ctl_vars_unlocked), 1584 name, namelen, oldp, oldlenp, newp, newlen)); 1585 default: 1586 NET_LOCK(); 1587 error = sysctl_bounded_arr(ipv6ctl_vars, nitems(ipv6ctl_vars), 1588 name, namelen, oldp, oldlenp, newp, newlen); 1589 NET_UNLOCK(); 1590 return (error); 1591 } 1592 /* NOTREACHED */ 1593 } 1594 1595 void 1596 ip6_send_dispatch(void *xmq) 1597 { 1598 struct mbuf_queue *mq = xmq; 1599 struct mbuf *m; 1600 struct mbuf_list ml; 1601 1602 mq_delist(mq, &ml); 1603 if (ml_empty(&ml)) 1604 return; 1605 1606 NET_LOCK_SHARED(); 1607 while ((m = ml_dequeue(&ml)) != NULL) { 1608 ip6_output(m, NULL, NULL, 0, NULL, NULL); 1609 } 1610 NET_UNLOCK_SHARED(); 1611 } 1612 1613 void 1614 ip6_send(struct mbuf *m) 1615 { 1616 mq_enqueue(&ip6send_mq, m); 1617 task_add(net_tq(0), &ip6send_task); 1618 } 1619