1 /* $NetBSD: ip6_input.c,v 1.65 2003/08/07 16:33:26 agc Exp $ */ 2 /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ 3 4 /* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 /* 34 * Copyright (c) 1982, 1986, 1988, 1993 35 * The Regents of the University of California. All rights reserved. 
36 * 37 * Redistribution and use in source and binary forms, with or without 38 * modification, are permitted provided that the following conditions 39 * are met: 40 * 1. Redistributions of source code must retain the above copyright 41 * notice, this list of conditions and the following disclaimer. 42 * 2. Redistributions in binary form must reproduce the above copyright 43 * notice, this list of conditions and the following disclaimer in the 44 * documentation and/or other materials provided with the distribution. 45 * 3. Neither the name of the University nor the names of its contributors 46 * may be used to endorse or promote products derived from this software 47 * without specific prior written permission. 48 * 49 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 50 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 51 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 52 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 53 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 54 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 55 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 56 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 57 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 58 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 59 * SUCH DAMAGE. 
60 * 61 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 62 */ 63 64 #include <sys/cdefs.h> 65 __KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.65 2003/08/07 16:33:26 agc Exp $"); 66 67 #include "opt_inet.h" 68 #include "opt_ipsec.h" 69 #include "opt_pfil_hooks.h" 70 71 #include <sys/param.h> 72 #include <sys/systm.h> 73 #include <sys/malloc.h> 74 #include <sys/mbuf.h> 75 #include <sys/domain.h> 76 #include <sys/protosw.h> 77 #include <sys/socket.h> 78 #include <sys/socketvar.h> 79 #include <sys/errno.h> 80 #include <sys/time.h> 81 #include <sys/kernel.h> 82 #include <sys/syslog.h> 83 #include <sys/proc.h> 84 #include <sys/sysctl.h> 85 86 #include <net/if.h> 87 #include <net/if_types.h> 88 #include <net/if_dl.h> 89 #include <net/route.h> 90 #include <net/netisr.h> 91 #ifdef PFIL_HOOKS 92 #include <net/pfil.h> 93 #endif 94 95 #include <netinet/in.h> 96 #include <netinet/in_systm.h> 97 #ifdef INET 98 #include <netinet/ip.h> 99 #include <netinet/ip_icmp.h> 100 #endif /* INET */ 101 #include <netinet/ip6.h> 102 #include <netinet6/in6_var.h> 103 #include <netinet6/ip6_var.h> 104 #include <netinet6/in6_pcb.h> 105 #include <netinet/icmp6.h> 106 #include <netinet6/in6_ifattach.h> 107 #include <netinet6/nd6.h> 108 109 #ifdef IPSEC 110 #include <netinet6/ipsec.h> 111 #endif 112 113 #include <netinet6/ip6protosw.h> 114 115 /* we need it for NLOOP. 
*/ 116 #include "loop.h" 117 #include "faith.h" 118 #include "gif.h" 119 #include "bpfilter.h" 120 121 #if NGIF > 0 122 #include <netinet6/in6_gif.h> 123 #endif 124 125 #include <net/net_osdep.h> 126 127 extern struct domain inet6domain; 128 129 u_char ip6_protox[IPPROTO_MAX]; 130 static int ip6qmaxlen = IFQ_MAXLEN; 131 struct in6_ifaddr *in6_ifaddr; 132 struct ifqueue ip6intrq; 133 134 extern struct ifnet loif[NLOOP]; 135 int ip6_forward_srcrt; /* XXX */ 136 int ip6_sourcecheck; /* XXX */ 137 int ip6_sourcecheck_interval; /* XXX */ 138 139 #ifdef PFIL_HOOKS 140 struct pfil_head inet6_pfil_hook; 141 #endif 142 143 struct ip6stat ip6stat; 144 145 static void ip6_init2 __P((void *)); 146 147 static int ip6_hopopts_input __P((u_int32_t *, u_int32_t *, struct mbuf **, int *)); 148 static struct mbuf *ip6_pullexthdr __P((struct mbuf *, size_t, int)); 149 150 /* 151 * IP6 initialization: fill in IP6 protocol switch table. 152 * All protocols not implemented in kernel go to raw IP6 protocol handler. 153 */ 154 void 155 ip6_init() 156 { 157 struct ip6protosw *pr; 158 int i; 159 160 pr = (struct ip6protosw *)pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW); 161 if (pr == 0) 162 panic("ip6_init"); 163 for (i = 0; i < IPPROTO_MAX; i++) 164 ip6_protox[i] = pr - inet6sw; 165 for (pr = (struct ip6protosw *)inet6domain.dom_protosw; 166 pr < (struct ip6protosw *)inet6domain.dom_protoswNPROTOSW; pr++) 167 if (pr->pr_domain->dom_family == PF_INET6 && 168 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) 169 ip6_protox[pr->pr_protocol] = pr - inet6sw; 170 ip6intrq.ifq_maxlen = ip6qmaxlen; 171 nd6_init(); 172 frag6_init(); 173 ip6_flow_seq = arc4random(); 174 175 ip6_init2((void *)0); 176 177 #ifdef PFIL_HOOKS 178 /* Register our Packet Filter hook. 
*/ 179 inet6_pfil_hook.ph_type = PFIL_TYPE_AF; 180 inet6_pfil_hook.ph_af = AF_INET6; 181 i = pfil_head_register(&inet6_pfil_hook); 182 if (i != 0) 183 printf("ip6_init: WARNING: unable to register pfil hook, " 184 "error %d\n", i); 185 #endif /* PFIL_HOOKS */ 186 } 187 188 static void 189 ip6_init2(dummy) 190 void *dummy; 191 { 192 193 /* nd6_timer_init */ 194 callout_init(&nd6_timer_ch); 195 callout_reset(&nd6_timer_ch, hz, nd6_timer, NULL); 196 } 197 198 /* 199 * IP6 input interrupt handling. Just pass the packet to ip6_input. 200 */ 201 void 202 ip6intr() 203 { 204 int s; 205 struct mbuf *m; 206 207 for (;;) { 208 s = splnet(); 209 IF_DEQUEUE(&ip6intrq, m); 210 splx(s); 211 if (m == 0) 212 return; 213 ip6_input(m); 214 } 215 } 216 217 extern struct route_in6 ip6_forward_rt; 218 219 void 220 ip6_input(m) 221 struct mbuf *m; 222 { 223 struct ip6_hdr *ip6; 224 int off = sizeof(struct ip6_hdr), nest; 225 u_int32_t plen; 226 u_int32_t rtalert = ~0; 227 int nxt, ours = 0; 228 struct ifnet *deliverifp = NULL; 229 int srcrt = 0; 230 231 #ifdef IPSEC 232 /* 233 * should the inner packet be considered authentic? 234 * see comment in ah4_input(). 
235 */ 236 m->m_flags &= ~M_AUTHIPHDR; 237 m->m_flags &= ~M_AUTHIPDGM; 238 #endif 239 240 /* 241 * mbuf statistics 242 */ 243 if (m->m_flags & M_EXT) { 244 if (m->m_next) 245 ip6stat.ip6s_mext2m++; 246 else 247 ip6stat.ip6s_mext1++; 248 } else { 249 #define M2MMAX (sizeof(ip6stat.ip6s_m2m)/sizeof(ip6stat.ip6s_m2m[0])) 250 if (m->m_next) { 251 if (m->m_flags & M_LOOP) { 252 ip6stat.ip6s_m2m[loif[0].if_index]++; /* XXX */ 253 } else if (m->m_pkthdr.rcvif->if_index < M2MMAX) 254 ip6stat.ip6s_m2m[m->m_pkthdr.rcvif->if_index]++; 255 else 256 ip6stat.ip6s_m2m[0]++; 257 } else 258 ip6stat.ip6s_m1++; 259 #undef M2MMAX 260 } 261 262 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_receive); 263 ip6stat.ip6s_total++; 264 265 /* 266 * If the IPv6 header is not aligned, slurp it up into a new 267 * mbuf with space for link headers, in the event we forward 268 * it. OTherwise, if it is aligned, make sure the entire base 269 * IPv6 header is in the first mbuf of the chain. 270 */ 271 if (IP6_HDR_ALIGNED_P(mtod(m, caddr_t)) == 0) { 272 struct ifnet *inifp = m->m_pkthdr.rcvif; 273 if ((m = m_copyup(m, sizeof(struct ip6_hdr), 274 (max_linkhdr + 3) & ~3)) == NULL) { 275 /* XXXJRT new stat, please */ 276 ip6stat.ip6s_toosmall++; 277 in6_ifstat_inc(inifp, ifs6_in_hdrerr); 278 return; 279 } 280 } else if (__predict_false(m->m_len < sizeof(struct ip6_hdr))) { 281 struct ifnet *inifp = m->m_pkthdr.rcvif; 282 if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 283 ip6stat.ip6s_toosmall++; 284 in6_ifstat_inc(inifp, ifs6_in_hdrerr); 285 return; 286 } 287 } 288 289 ip6 = mtod(m, struct ip6_hdr *); 290 291 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 292 ip6stat.ip6s_badvers++; 293 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 294 goto bad; 295 } 296 297 #ifdef PFIL_HOOKS 298 /* 299 * Run through list of hooks for input packets. If there are any 300 * filters which require that additional packets in the flow are 301 * not fast-forwarded, they must clear the M_CANFASTFWD flag. 
302 * Note that filters must _never_ set this flag, as another filter 303 * in the list may have previously cleared it. 304 */ 305 /* 306 * let ipfilter look at packet on the wire, 307 * not the decapsulated packet. 308 */ 309 #ifdef IPSEC 310 if (!ipsec_getnhist(m)) 311 #else 312 if (1) 313 #endif 314 { 315 struct in6_addr odst; 316 317 odst = ip6->ip6_dst; 318 if (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, 319 PFIL_IN) != 0) 320 return; 321 if (m == NULL) 322 return; 323 ip6 = mtod(m, struct ip6_hdr *); 324 srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); 325 } 326 #endif /* PFIL_HOOKS */ 327 328 ip6stat.ip6s_nxthist[ip6->ip6_nxt]++; 329 330 #ifdef ALTQ 331 if (altq_input != NULL && (*altq_input)(m, AF_INET6) == 0) { 332 /* packet is dropped by traffic conditioner */ 333 return; 334 } 335 #endif 336 337 /* 338 * Check against address spoofing/corruption. 339 */ 340 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) || 341 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) { 342 /* 343 * XXX: "badscope" is not very suitable for a multicast source. 344 */ 345 ip6stat.ip6s_badscope++; 346 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 347 goto bad; 348 } 349 /* 350 * The following check is not documented in specs. A malicious 351 * party may be able to use IPv4 mapped addr to confuse tcp/udp stack 352 * and bypass security checks (act as if it was from 127.0.0.1 by using 353 * IPv6 src ::ffff:127.0.0.1). Be cautious. 354 * 355 * This check chokes if we are in an SIIT cloud. As none of BSDs 356 * support IPv4-less kernel compilation, we cannot support SIIT 357 * environment at all. So, it makes more sense for us to reject any 358 * malicious packets for non-SIIT environment, than try to do a 359 * partial support for SIIT environment. 
360 */ 361 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 362 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 363 ip6stat.ip6s_badscope++; 364 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 365 goto bad; 366 } 367 #if 0 368 /* 369 * Reject packets with IPv4 compatible addresses (auto tunnel). 370 * 371 * The code forbids auto tunnel relay case in RFC1933 (the check is 372 * stronger than RFC1933). We may want to re-enable it if mech-xx 373 * is revised to forbid relaying case. 374 */ 375 if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) || 376 IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { 377 ip6stat.ip6s_badscope++; 378 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 379 goto bad; 380 } 381 #endif 382 383 if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) || 384 IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) { 385 if (m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) { 386 ours = 1; 387 deliverifp = m->m_pkthdr.rcvif; 388 goto hbhcheck; 389 } else { 390 ip6stat.ip6s_badscope++; 391 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 392 goto bad; 393 } 394 } 395 396 /* drop packets if interface ID portion is already filled */ 397 if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) { 398 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src) && 399 ip6->ip6_src.s6_addr16[1]) { 400 ip6stat.ip6s_badscope++; 401 goto bad; 402 } 403 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst) && 404 ip6->ip6_dst.s6_addr16[1]) { 405 ip6stat.ip6s_badscope++; 406 goto bad; 407 } 408 } 409 410 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) 411 ip6->ip6_src.s6_addr16[1] 412 = htons(m->m_pkthdr.rcvif->if_index); 413 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) 414 ip6->ip6_dst.s6_addr16[1] 415 = htons(m->m_pkthdr.rcvif->if_index); 416 417 /* 418 * We use rt->rt_ifp to determine if the address is ours or not. 419 * If rt_ifp is lo0, the address is ours. 420 * The problem here is, rt->rt_ifp for fe80::%lo0/64 is set to lo0, 421 * so any address under fe80::%lo0/64 will be mistakenly considered 422 * local. 
The special case is supplied to handle the case properly 423 * by actually looking at interface addresses 424 * (using in6ifa_ifpwithaddr). 425 */ 426 if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) != 0 && 427 IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_dst)) { 428 if (!in6ifa_ifpwithaddr(m->m_pkthdr.rcvif, &ip6->ip6_dst)) { 429 icmp6_error(m, ICMP6_DST_UNREACH, 430 ICMP6_DST_UNREACH_ADDR, 0); 431 /* m is already freed */ 432 return; 433 } 434 435 ours = 1; 436 deliverifp = m->m_pkthdr.rcvif; 437 goto hbhcheck; 438 } 439 440 /* 441 * Multicast check 442 */ 443 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 444 struct in6_multi *in6m = 0; 445 446 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_mcast); 447 /* 448 * See if we belong to the destination multicast group on the 449 * arrival interface. 450 */ 451 IN6_LOOKUP_MULTI(ip6->ip6_dst, m->m_pkthdr.rcvif, in6m); 452 if (in6m) 453 ours = 1; 454 else if (!ip6_mrouter) { 455 ip6stat.ip6s_notmember++; 456 ip6stat.ip6s_cantforward++; 457 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 458 goto bad; 459 } 460 deliverifp = m->m_pkthdr.rcvif; 461 goto hbhcheck; 462 } 463 464 /* 465 * Unicast check 466 */ 467 if (ip6_forward_rt.ro_rt != NULL && 468 (ip6_forward_rt.ro_rt->rt_flags & RTF_UP) != 0 && 469 IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, 470 &((struct sockaddr_in6 *)(&ip6_forward_rt.ro_dst))->sin6_addr)) 471 ip6stat.ip6s_forward_cachehit++; 472 else { 473 struct sockaddr_in6 *dst6; 474 475 if (ip6_forward_rt.ro_rt) { 476 /* route is down or destination is different */ 477 ip6stat.ip6s_forward_cachemiss++; 478 RTFREE(ip6_forward_rt.ro_rt); 479 ip6_forward_rt.ro_rt = 0; 480 } 481 482 bzero(&ip6_forward_rt.ro_dst, sizeof(struct sockaddr_in6)); 483 dst6 = (struct sockaddr_in6 *)&ip6_forward_rt.ro_dst; 484 dst6->sin6_len = sizeof(struct sockaddr_in6); 485 dst6->sin6_family = AF_INET6; 486 dst6->sin6_addr = ip6->ip6_dst; 487 488 rtalloc((struct route *)&ip6_forward_rt); 489 } 490 491 #define rt6_key(r) ((struct sockaddr_in6 
*)((r)->rt_nodes->rn_key)) 492 493 /* 494 * Accept the packet if the forwarding interface to the destination 495 * according to the routing table is the loopback interface, 496 * unless the associated route has a gateway. 497 * Note that this approach causes to accept a packet if there is a 498 * route to the loopback interface for the destination of the packet. 499 * But we think it's even useful in some situations, e.g. when using 500 * a special daemon which wants to intercept the packet. 501 */ 502 if (ip6_forward_rt.ro_rt && 503 (ip6_forward_rt.ro_rt->rt_flags & 504 (RTF_HOST|RTF_GATEWAY)) == RTF_HOST && 505 !(ip6_forward_rt.ro_rt->rt_flags & RTF_CLONED) && 506 #if 0 507 /* 508 * The check below is redundant since the comparison of 509 * the destination and the key of the rtentry has 510 * already done through looking up the routing table. 511 */ 512 IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, 513 &rt6_key(ip6_forward_rt.ro_rt)->sin6_addr) && 514 #endif 515 ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_LOOP) { 516 struct in6_ifaddr *ia6 = 517 (struct in6_ifaddr *)ip6_forward_rt.ro_rt->rt_ifa; 518 if (ia6->ia6_flags & IN6_IFF_ANYCAST) 519 m->m_flags |= M_ANYCAST6; 520 /* 521 * packets to a tentative, duplicated, or somehow invalid 522 * address must not be accepted. 523 */ 524 if (!(ia6->ia6_flags & IN6_IFF_NOTREADY)) { 525 /* this address is ready */ 526 ours = 1; 527 deliverifp = ia6->ia_ifp; /* correct? */ 528 goto hbhcheck; 529 } else { 530 /* address is not ready, so discard the packet. */ 531 nd6log((LOG_INFO, 532 "ip6_input: packet to an unready address %s->%s\n", 533 ip6_sprintf(&ip6->ip6_src), 534 ip6_sprintf(&ip6->ip6_dst))); 535 536 goto bad; 537 } 538 } 539 540 /* 541 * FAITH (Firewall Aided Internet Translator) 542 */ 543 #if defined(NFAITH) && 0 < NFAITH 544 if (ip6_keepfaith) { 545 if (ip6_forward_rt.ro_rt && ip6_forward_rt.ro_rt->rt_ifp 546 && ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_FAITH) { 547 /* XXX do we need more sanity checks? 
*/ 548 ours = 1; 549 deliverifp = ip6_forward_rt.ro_rt->rt_ifp; /* faith */ 550 goto hbhcheck; 551 } 552 } 553 #endif 554 555 #if 0 556 { 557 /* 558 * Last resort: check in6_ifaddr for incoming interface. 559 * The code is here until I update the "goto ours hack" code above 560 * working right. 561 */ 562 struct ifaddr *ifa; 563 for (ifa = m->m_pkthdr.rcvif->if_addrlist.tqh_first; 564 ifa; 565 ifa = ifa->ifa_list.tqe_next) { 566 if (ifa->ifa_addr == NULL) 567 continue; /* just for safety */ 568 if (ifa->ifa_addr->sa_family != AF_INET6) 569 continue; 570 if (IN6_ARE_ADDR_EQUAL(IFA_IN6(ifa), &ip6->ip6_dst)) { 571 ours = 1; 572 deliverifp = ifa->ifa_ifp; 573 goto hbhcheck; 574 } 575 } 576 } 577 #endif 578 579 /* 580 * Now there is no reason to process the packet if it's not our own 581 * and we're not a router. 582 */ 583 if (!ip6_forwarding) { 584 ip6stat.ip6s_cantforward++; 585 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 586 goto bad; 587 } 588 589 hbhcheck: 590 /* 591 * Process Hop-by-Hop options header if it's contained. 592 * m may be modified in ip6_hopopts_input(). 593 * If a JumboPayload option is included, plen will also be modified. 594 */ 595 plen = (u_int32_t)ntohs(ip6->ip6_plen); 596 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 597 struct ip6_hbh *hbh; 598 599 if (ip6_hopopts_input(&plen, &rtalert, &m, &off)) { 600 #if 0 /*touches NULL pointer*/ 601 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 602 #endif 603 return; /* m have already been freed */ 604 } 605 606 /* adjust pointer */ 607 ip6 = mtod(m, struct ip6_hdr *); 608 609 /* 610 * if the payload length field is 0 and the next header field 611 * indicates Hop-by-Hop Options header, then a Jumbo Payload 612 * option MUST be included. 613 */ 614 if (ip6->ip6_plen == 0 && plen == 0) { 615 /* 616 * Note that if a valid jumbo payload option is 617 * contained, ip6_hoptops_input() must set a valid 618 * (non-zero) payload length to the variable plen. 
619 */ 620 ip6stat.ip6s_badoptions++; 621 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 622 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 623 icmp6_error(m, ICMP6_PARAM_PROB, 624 ICMP6_PARAMPROB_HEADER, 625 (caddr_t)&ip6->ip6_plen - (caddr_t)ip6); 626 return; 627 } 628 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 629 sizeof(struct ip6_hbh)); 630 if (hbh == NULL) { 631 ip6stat.ip6s_tooshort++; 632 return; 633 } 634 KASSERT(IP6_HDR_ALIGNED_P(hbh)); 635 nxt = hbh->ip6h_nxt; 636 637 /* 638 * accept the packet if a router alert option is included 639 * and we act as an IPv6 router. 640 */ 641 if (rtalert != ~0 && ip6_forwarding) 642 ours = 1; 643 } else 644 nxt = ip6->ip6_nxt; 645 646 /* 647 * Check that the amount of data in the buffers 648 * is as at least much as the IPv6 header would have us expect. 649 * Trim mbufs if longer than we expect. 650 * Drop packet if shorter than we expect. 651 */ 652 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) { 653 ip6stat.ip6s_tooshort++; 654 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 655 goto bad; 656 } 657 if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) { 658 if (m->m_len == m->m_pkthdr.len) { 659 m->m_len = sizeof(struct ip6_hdr) + plen; 660 m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen; 661 } else 662 m_adj(m, sizeof(struct ip6_hdr) + plen - m->m_pkthdr.len); 663 } 664 665 /* 666 * Forward if desirable. 667 */ 668 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 669 /* 670 * If we are acting as a multicast router, all 671 * incoming multicast packets are passed to the 672 * kernel-level multicast forwarding function. 673 * The packet is returned (relatively) intact; if 674 * ip6_mforward() returns a non-zero value, the packet 675 * must be discarded, else it may be accepted below. 
676 */ 677 if (ip6_mrouter && ip6_mforward(ip6, m->m_pkthdr.rcvif, m)) { 678 ip6stat.ip6s_cantforward++; 679 m_freem(m); 680 return; 681 } 682 if (!ours) { 683 m_freem(m); 684 return; 685 } 686 } else if (!ours) { 687 ip6_forward(m, srcrt); 688 return; 689 } 690 691 ip6 = mtod(m, struct ip6_hdr *); 692 693 /* 694 * Malicious party may be able to use IPv4 mapped addr to confuse 695 * tcp/udp stack and bypass security checks (act as if it was from 696 * 127.0.0.1 by using IPv6 src ::ffff:127.0.0.1). Be cautious. 697 * 698 * For SIIT end node behavior, you may want to disable the check. 699 * However, you will become vulnerable to attacks using IPv4 mapped 700 * source. 701 */ 702 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 703 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 704 ip6stat.ip6s_badscope++; 705 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 706 goto bad; 707 } 708 709 /* 710 * Tell launch routine the next header 711 */ 712 #ifdef IFA_STATS 713 if (deliverifp != NULL) { 714 struct in6_ifaddr *ia6; 715 ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst); 716 if (ia6) 717 ia6->ia_ifa.ifa_data.ifad_inbytes += m->m_pkthdr.len; 718 } 719 #endif 720 ip6stat.ip6s_delivered++; 721 in6_ifstat_inc(deliverifp, ifs6_in_deliver); 722 nest = 0; 723 724 while (nxt != IPPROTO_DONE) { 725 if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) { 726 ip6stat.ip6s_toomanyhdr++; 727 goto bad; 728 } 729 730 /* 731 * protection against faulty packet - there should be 732 * more sanity checks in header chain processing. 733 */ 734 if (m->m_pkthdr.len < off) { 735 ip6stat.ip6s_tooshort++; 736 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 737 goto bad; 738 } 739 740 #ifdef IPSEC 741 /* 742 * enforce IPsec policy checking if we are seeing last header. 743 * note that we do not visit this with protocols with pcb layer 744 * code - like udp/tcp/raw ip. 
745 */ 746 if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && 747 ipsec6_in_reject(m, NULL)) { 748 ipsec6stat.in_polvio++; 749 goto bad; 750 } 751 #endif 752 753 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt); 754 } 755 return; 756 bad: 757 m_freem(m); 758 } 759 760 /* 761 * Hop-by-Hop options header processing. If a valid jumbo payload option is 762 * included, the real payload length will be stored in plenp. 763 */ 764 static int 765 ip6_hopopts_input(plenp, rtalertp, mp, offp) 766 u_int32_t *plenp; 767 u_int32_t *rtalertp; /* XXX: should be stored more smart way */ 768 struct mbuf **mp; 769 int *offp; 770 { 771 struct mbuf *m = *mp; 772 int off = *offp, hbhlen; 773 struct ip6_hbh *hbh; 774 u_int8_t *opt; 775 776 /* validation of the length of the header */ 777 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, 778 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh)); 779 if (hbh == NULL) { 780 ip6stat.ip6s_tooshort++; 781 return -1; 782 } 783 hbhlen = (hbh->ip6h_len + 1) << 3; 784 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 785 hbhlen); 786 if (hbh == NULL) { 787 ip6stat.ip6s_tooshort++; 788 return -1; 789 } 790 KASSERT(IP6_HDR_ALIGNED_P(hbh)); 791 off += hbhlen; 792 hbhlen -= sizeof(struct ip6_hbh); 793 opt = (u_int8_t *)hbh + sizeof(struct ip6_hbh); 794 795 if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh), 796 hbhlen, rtalertp, plenp) < 0) 797 return (-1); 798 799 *offp = off; 800 *mp = m; 801 return (0); 802 } 803 804 /* 805 * Search header for all Hop-by-hop options and process each option. 806 * This function is separate from ip6_hopopts_input() in order to 807 * handle a case where the sending node itself process its hop-by-hop 808 * options header. In such a case, the function is called from ip6_output(). 
809 * 810 * The function assumes that hbh header is located right after the IPv6 header 811 * (RFC2460 p7), opthead is pointer into data content in m, and opthead to 812 * opthead + hbhlen is located in continuous memory region. 813 */ 814 int 815 ip6_process_hopopts(m, opthead, hbhlen, rtalertp, plenp) 816 struct mbuf *m; 817 u_int8_t *opthead; 818 int hbhlen; 819 u_int32_t *rtalertp; 820 u_int32_t *plenp; 821 { 822 struct ip6_hdr *ip6; 823 int optlen = 0; 824 u_int8_t *opt = opthead; 825 u_int16_t rtalert_val; 826 u_int32_t jumboplen; 827 const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh); 828 829 for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) { 830 switch (*opt) { 831 case IP6OPT_PAD1: 832 optlen = 1; 833 break; 834 case IP6OPT_PADN: 835 if (hbhlen < IP6OPT_MINLEN) { 836 ip6stat.ip6s_toosmall++; 837 goto bad; 838 } 839 optlen = *(opt + 1) + 2; 840 break; 841 case IP6OPT_RTALERT: 842 /* XXX may need check for alignment */ 843 if (hbhlen < IP6OPT_RTALERT_LEN) { 844 ip6stat.ip6s_toosmall++; 845 goto bad; 846 } 847 if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) { 848 /* XXX stat */ 849 icmp6_error(m, ICMP6_PARAM_PROB, 850 ICMP6_PARAMPROB_HEADER, 851 erroff + opt + 1 - opthead); 852 return (-1); 853 } 854 optlen = IP6OPT_RTALERT_LEN; 855 bcopy((caddr_t)(opt + 2), (caddr_t)&rtalert_val, 2); 856 *rtalertp = ntohs(rtalert_val); 857 break; 858 case IP6OPT_JUMBO: 859 /* XXX may need check for alignment */ 860 if (hbhlen < IP6OPT_JUMBO_LEN) { 861 ip6stat.ip6s_toosmall++; 862 goto bad; 863 } 864 if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) { 865 /* XXX stat */ 866 icmp6_error(m, ICMP6_PARAM_PROB, 867 ICMP6_PARAMPROB_HEADER, 868 erroff + opt + 1 - opthead); 869 return (-1); 870 } 871 optlen = IP6OPT_JUMBO_LEN; 872 873 /* 874 * IPv6 packets that have non 0 payload length 875 * must not contain a jumbo payload option. 
876 */ 877 ip6 = mtod(m, struct ip6_hdr *); 878 if (ip6->ip6_plen) { 879 ip6stat.ip6s_badoptions++; 880 icmp6_error(m, ICMP6_PARAM_PROB, 881 ICMP6_PARAMPROB_HEADER, 882 erroff + opt - opthead); 883 return (-1); 884 } 885 886 /* 887 * We may see jumbolen in unaligned location, so 888 * we'd need to perform bcopy(). 889 */ 890 bcopy(opt + 2, &jumboplen, sizeof(jumboplen)); 891 jumboplen = (u_int32_t)htonl(jumboplen); 892 893 #if 1 894 /* 895 * if there are multiple jumbo payload options, 896 * *plenp will be non-zero and the packet will be 897 * rejected. 898 * the behavior may need some debate in ipngwg - 899 * multiple options does not make sense, however, 900 * there's no explicit mention in specification. 901 */ 902 if (*plenp != 0) { 903 ip6stat.ip6s_badoptions++; 904 icmp6_error(m, ICMP6_PARAM_PROB, 905 ICMP6_PARAMPROB_HEADER, 906 erroff + opt + 2 - opthead); 907 return (-1); 908 } 909 #endif 910 911 /* 912 * jumbo payload length must be larger than 65535. 913 */ 914 if (jumboplen <= IPV6_MAXPACKET) { 915 ip6stat.ip6s_badoptions++; 916 icmp6_error(m, ICMP6_PARAM_PROB, 917 ICMP6_PARAMPROB_HEADER, 918 erroff + opt + 2 - opthead); 919 return (-1); 920 } 921 *plenp = jumboplen; 922 923 break; 924 default: /* unknown option */ 925 if (hbhlen < IP6OPT_MINLEN) { 926 ip6stat.ip6s_toosmall++; 927 goto bad; 928 } 929 optlen = ip6_unknown_opt(opt, m, 930 erroff + opt - opthead); 931 if (optlen == -1) 932 return (-1); 933 optlen += 2; 934 break; 935 } 936 } 937 938 return (0); 939 940 bad: 941 m_freem(m); 942 return (-1); 943 } 944 945 /* 946 * Unknown option processing. 947 * The third argument `off' is the offset from the IPv6 header to the option, 948 * which is necessary if the IPv6 header the and option header and IPv6 header 949 * is not continuous in order to return an ICMPv6 error. 
950 */ 951 int 952 ip6_unknown_opt(optp, m, off) 953 u_int8_t *optp; 954 struct mbuf *m; 955 int off; 956 { 957 struct ip6_hdr *ip6; 958 959 switch (IP6OPT_TYPE(*optp)) { 960 case IP6OPT_TYPE_SKIP: /* ignore the option */ 961 return ((int)*(optp + 1)); 962 case IP6OPT_TYPE_DISCARD: /* silently discard */ 963 m_freem(m); 964 return (-1); 965 case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */ 966 ip6stat.ip6s_badoptions++; 967 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off); 968 return (-1); 969 case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */ 970 ip6stat.ip6s_badoptions++; 971 ip6 = mtod(m, struct ip6_hdr *); 972 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) || 973 (m->m_flags & (M_BCAST|M_MCAST))) 974 m_freem(m); 975 else 976 icmp6_error(m, ICMP6_PARAM_PROB, 977 ICMP6_PARAMPROB_OPTION, off); 978 return (-1); 979 } 980 981 m_freem(m); /* XXX: NOTREACHED */ 982 return (-1); 983 } 984 985 /* 986 * Create the "control" list for this pcb. 987 * 988 * The routine will be called from upper layer handlers like tcp6_input(). 989 * Thus the routine assumes that the caller (tcp6_input) have already 990 * called IP6_EXTHDR_CHECK() and all the extension headers are located in the 991 * very first mbuf on the mbuf chain. 992 * We may want to add some infinite loop prevention or sanity checks for safety. 993 * (This applies only when you are using KAME mbuf chain restriction, i.e. 
994 * you are using IP6_EXTHDR_CHECK() not m_pulldown()) 995 */ 996 void 997 ip6_savecontrol(in6p, mp, ip6, m) 998 struct in6pcb *in6p; 999 struct mbuf **mp; 1000 struct ip6_hdr *ip6; 1001 struct mbuf *m; 1002 { 1003 struct proc *p = curproc; /* XXX */ 1004 int privileged; 1005 1006 privileged = 0; 1007 if (p && !suser(p->p_ucred, &p->p_acflag)) 1008 privileged++; 1009 1010 #ifdef SO_TIMESTAMP 1011 if (in6p->in6p_socket->so_options & SO_TIMESTAMP) { 1012 struct timeval tv; 1013 1014 microtime(&tv); 1015 *mp = sbcreatecontrol((caddr_t) &tv, sizeof(tv), 1016 SCM_TIMESTAMP, SOL_SOCKET); 1017 if (*mp) 1018 mp = &(*mp)->m_next; 1019 } 1020 #endif 1021 if (in6p->in6p_flags & IN6P_RECVDSTADDR) { 1022 *mp = sbcreatecontrol((caddr_t) &ip6->ip6_dst, 1023 sizeof(struct in6_addr), IPV6_RECVDSTADDR, IPPROTO_IPV6); 1024 if (*mp) 1025 mp = &(*mp)->m_next; 1026 } 1027 1028 #ifdef noyet 1029 /* options were tossed above */ 1030 if (in6p->in6p_flags & IN6P_RECVOPTS) 1031 /* broken */ 1032 /* ip6_srcroute doesn't do what we want here, need to fix */ 1033 if (in6p->in6p_flags & IPV6P_RECVRETOPTS) 1034 /* broken */ 1035 #endif 1036 1037 /* RFC 2292 sec. 5 */ 1038 if ((in6p->in6p_flags & IN6P_PKTINFO) != 0) { 1039 struct in6_pktinfo pi6; 1040 bcopy(&ip6->ip6_dst, &pi6.ipi6_addr, sizeof(struct in6_addr)); 1041 if (IN6_IS_SCOPE_LINKLOCAL(&pi6.ipi6_addr)) 1042 pi6.ipi6_addr.s6_addr16[1] = 0; 1043 pi6.ipi6_ifindex = (m && m->m_pkthdr.rcvif) 1044 ? m->m_pkthdr.rcvif->if_index 1045 : 0; 1046 *mp = sbcreatecontrol((caddr_t) &pi6, 1047 sizeof(struct in6_pktinfo), IPV6_PKTINFO, IPPROTO_IPV6); 1048 if (*mp) 1049 mp = &(*mp)->m_next; 1050 } 1051 if (in6p->in6p_flags & IN6P_HOPLIMIT) { 1052 int hlim = ip6->ip6_hlim & 0xff; 1053 *mp = sbcreatecontrol((caddr_t) &hlim, sizeof(int), 1054 IPV6_HOPLIMIT, IPPROTO_IPV6); 1055 if (*mp) 1056 mp = &(*mp)->m_next; 1057 } 1058 /* IN6P_NEXTHOP - for outgoing packet only */ 1059 1060 /* 1061 * IPV6_HOPOPTS socket option. 
We require super-user privilege 1062 * for the option, but it might be too strict, since there might 1063 * be some hop-by-hop options which can be returned to normal user. 1064 * See RFC 2292 section 6. 1065 */ 1066 if ((in6p->in6p_flags & IN6P_HOPOPTS) != 0 && privileged) { 1067 /* 1068 * Check if a hop-by-hop options header is contatined in the 1069 * received packet, and if so, store the options as ancillary 1070 * data. Note that a hop-by-hop options header must be 1071 * just after the IPv6 header, which fact is assured through 1072 * the IPv6 input processing. 1073 */ 1074 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1075 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 1076 struct ip6_hbh *hbh; 1077 int hbhlen; 1078 struct mbuf *ext; 1079 1080 ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr), 1081 ip6->ip6_nxt); 1082 if (ext == NULL) { 1083 ip6stat.ip6s_tooshort++; 1084 return; 1085 } 1086 hbh = mtod(ext, struct ip6_hbh *); 1087 hbhlen = (hbh->ip6h_len + 1) << 3; 1088 if (hbhlen != ext->m_len) { 1089 m_freem(ext); 1090 ip6stat.ip6s_tooshort++; 1091 return; 1092 } 1093 1094 /* 1095 * XXX: We copy whole the header even if a jumbo 1096 * payload option is included, which option is to 1097 * be removed before returning in the RFC 2292. 1098 * But it's too painful operation... 1099 */ 1100 *mp = sbcreatecontrol((caddr_t)hbh, hbhlen, 1101 IPV6_HOPOPTS, IPPROTO_IPV6); 1102 if (*mp) 1103 mp = &(*mp)->m_next; 1104 m_freem(ext); 1105 } 1106 } 1107 1108 /* IPV6_DSTOPTS and IPV6_RTHDR socket options */ 1109 if (in6p->in6p_flags & (IN6P_DSTOPTS | IN6P_RTHDR)) { 1110 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1111 int nxt = ip6->ip6_nxt, off = sizeof(struct ip6_hdr); 1112 1113 /* 1114 * Search for destination options headers or routing 1115 * header(s) through the header chain, and stores each 1116 * header as ancillary data. 1117 * Note that the order of the headers remains in 1118 * the chain of ancillary data. 
1119 */ 1120 while (1) { /* is explicit loop prevention necessary? */ 1121 struct ip6_ext *ip6e = NULL; 1122 int elen; 1123 struct mbuf *ext = NULL; 1124 1125 /* 1126 * if it is not an extension header, don't try to 1127 * pull it from the chain. 1128 */ 1129 switch (nxt) { 1130 case IPPROTO_DSTOPTS: 1131 case IPPROTO_ROUTING: 1132 case IPPROTO_HOPOPTS: 1133 case IPPROTO_AH: /* is it possible? */ 1134 break; 1135 default: 1136 goto loopend; 1137 } 1138 1139 ext = ip6_pullexthdr(m, off, nxt); 1140 if (ext == NULL) { 1141 ip6stat.ip6s_tooshort++; 1142 return; 1143 } 1144 ip6e = mtod(ext, struct ip6_ext *); 1145 if (nxt == IPPROTO_AH) 1146 elen = (ip6e->ip6e_len + 2) << 2; 1147 else 1148 elen = (ip6e->ip6e_len + 1) << 3; 1149 if (elen != ext->m_len) { 1150 m_freem(ext); 1151 ip6stat.ip6s_tooshort++; 1152 return; 1153 } 1154 KASSERT(IP6_HDR_ALIGNED_P(ip6e)); 1155 1156 switch (nxt) { 1157 case IPPROTO_DSTOPTS: 1158 if (!in6p->in6p_flags & IN6P_DSTOPTS) 1159 break; 1160 1161 /* 1162 * We also require super-user privilege for 1163 * the option. 1164 * See the comments on IN6_HOPOPTS. 1165 */ 1166 if (!privileged) 1167 break; 1168 1169 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1170 IPV6_DSTOPTS, IPPROTO_IPV6); 1171 if (*mp) 1172 mp = &(*mp)->m_next; 1173 break; 1174 1175 case IPPROTO_ROUTING: 1176 if (!in6p->in6p_flags & IN6P_RTHDR) 1177 break; 1178 1179 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1180 IPV6_RTHDR, IPPROTO_IPV6); 1181 if (*mp) 1182 mp = &(*mp)->m_next; 1183 break; 1184 1185 case IPPROTO_HOPOPTS: 1186 case IPPROTO_AH: /* is it possible? */ 1187 break; 1188 1189 default: 1190 /* 1191 * other cases have been filtered in the above. 1192 * none will visit this case. here we supply 1193 * the code just in case (nxt overwritten or 1194 * other cases). 1195 */ 1196 m_freem(ext); 1197 goto loopend; 1198 1199 } 1200 1201 /* proceed with the next header. 
*/ 1202 off += elen; 1203 nxt = ip6e->ip6e_nxt; 1204 ip6e = NULL; 1205 m_freem(ext); 1206 ext = NULL; 1207 } 1208 loopend: 1209 ; 1210 } 1211 } 1212 1213 /* 1214 * pull single extension header from mbuf chain. returns single mbuf that 1215 * contains the result, or NULL on error. 1216 */ 1217 static struct mbuf * 1218 ip6_pullexthdr(m, off, nxt) 1219 struct mbuf *m; 1220 size_t off; 1221 int nxt; 1222 { 1223 struct ip6_ext ip6e; 1224 size_t elen; 1225 struct mbuf *n; 1226 1227 #ifdef DIAGNOSTIC 1228 switch (nxt) { 1229 case IPPROTO_DSTOPTS: 1230 case IPPROTO_ROUTING: 1231 case IPPROTO_HOPOPTS: 1232 case IPPROTO_AH: /* is it possible? */ 1233 break; 1234 default: 1235 printf("ip6_pullexthdr: invalid nxt=%d\n", nxt); 1236 } 1237 #endif 1238 1239 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1240 if (nxt == IPPROTO_AH) 1241 elen = (ip6e.ip6e_len + 2) << 2; 1242 else 1243 elen = (ip6e.ip6e_len + 1) << 3; 1244 1245 MGET(n, M_DONTWAIT, MT_DATA); 1246 if (n && elen >= MLEN) { 1247 MCLGET(n, M_DONTWAIT); 1248 if ((n->m_flags & M_EXT) == 0) { 1249 m_free(n); 1250 n = NULL; 1251 } 1252 } 1253 if (!n) 1254 return NULL; 1255 1256 n->m_len = 0; 1257 if (elen >= M_TRAILINGSPACE(n)) { 1258 m_free(n); 1259 return NULL; 1260 } 1261 1262 m_copydata(m, off, elen, mtod(n, caddr_t)); 1263 n->m_len = elen; 1264 return n; 1265 } 1266 1267 /* 1268 * Get pointer to the previous header followed by the header 1269 * currently processed. 1270 * XXX: This function supposes that 1271 * M includes all headers, 1272 * the next header field and the header length field of each header 1273 * are valid, and 1274 * the sum of each header length equals to OFF. 1275 * Because of these assumptions, this function must be called very 1276 * carefully. Moreover, it will not be used in the near future when 1277 * we develop `neater' mechanism to process extension headers. 
1278 */ 1279 u_int8_t * 1280 ip6_get_prevhdr(m, off) 1281 struct mbuf *m; 1282 int off; 1283 { 1284 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1285 1286 if (off == sizeof(struct ip6_hdr)) 1287 return (&ip6->ip6_nxt); 1288 else { 1289 int len, nxt; 1290 struct ip6_ext *ip6e = NULL; 1291 1292 nxt = ip6->ip6_nxt; 1293 len = sizeof(struct ip6_hdr); 1294 while (len < off) { 1295 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + len); 1296 1297 switch (nxt) { 1298 case IPPROTO_FRAGMENT: 1299 len += sizeof(struct ip6_frag); 1300 break; 1301 case IPPROTO_AH: 1302 len += (ip6e->ip6e_len + 2) << 2; 1303 break; 1304 default: 1305 len += (ip6e->ip6e_len + 1) << 3; 1306 break; 1307 } 1308 nxt = ip6e->ip6e_nxt; 1309 } 1310 if (ip6e) 1311 return (&ip6e->ip6e_nxt); 1312 else 1313 return NULL; 1314 } 1315 } 1316 1317 /* 1318 * get next header offset. m will be retained. 1319 */ 1320 int 1321 ip6_nexthdr(m, off, proto, nxtp) 1322 struct mbuf *m; 1323 int off; 1324 int proto; 1325 int *nxtp; 1326 { 1327 struct ip6_hdr ip6; 1328 struct ip6_ext ip6e; 1329 struct ip6_frag fh; 1330 1331 /* just in case */ 1332 if (m == NULL) 1333 panic("ip6_nexthdr: m == NULL"); 1334 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off) 1335 return -1; 1336 1337 switch (proto) { 1338 case IPPROTO_IPV6: 1339 if (m->m_pkthdr.len < off + sizeof(ip6)) 1340 return -1; 1341 m_copydata(m, off, sizeof(ip6), (caddr_t)&ip6); 1342 if (nxtp) 1343 *nxtp = ip6.ip6_nxt; 1344 off += sizeof(ip6); 1345 return off; 1346 1347 case IPPROTO_FRAGMENT: 1348 /* 1349 * terminate parsing if it is not the first fragment, 1350 * it does not make sense to parse through it. 
1351 */ 1352 if (m->m_pkthdr.len < off + sizeof(fh)) 1353 return -1; 1354 m_copydata(m, off, sizeof(fh), (caddr_t)&fh); 1355 if ((ntohs(fh.ip6f_offlg) & IP6F_OFF_MASK) != 0) 1356 return -1; 1357 if (nxtp) 1358 *nxtp = fh.ip6f_nxt; 1359 off += sizeof(struct ip6_frag); 1360 return off; 1361 1362 case IPPROTO_AH: 1363 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1364 return -1; 1365 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1366 if (nxtp) 1367 *nxtp = ip6e.ip6e_nxt; 1368 off += (ip6e.ip6e_len + 2) << 2; 1369 if (m->m_pkthdr.len < off) 1370 return -1; 1371 return off; 1372 1373 case IPPROTO_HOPOPTS: 1374 case IPPROTO_ROUTING: 1375 case IPPROTO_DSTOPTS: 1376 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1377 return -1; 1378 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1379 if (nxtp) 1380 *nxtp = ip6e.ip6e_nxt; 1381 off += (ip6e.ip6e_len + 1) << 3; 1382 if (m->m_pkthdr.len < off) 1383 return -1; 1384 return off; 1385 1386 case IPPROTO_NONE: 1387 case IPPROTO_ESP: 1388 case IPPROTO_IPCOMP: 1389 /* give up */ 1390 return -1; 1391 1392 default: 1393 return -1; 1394 } 1395 } 1396 1397 /* 1398 * get offset for the last header in the chain. m will be kept untainted. 
*/
int
ip6_lasthdr(m, off, proto, nxtp)
	struct mbuf *m;
	int off;
	int proto;
	int *nxtp;
{
	int scratch;	/* stands in for *nxtp when the caller passes NULL */
	int next;

	if (nxtp == NULL) {
		scratch = -1;
		nxtp = &scratch;
	}

	/* keep stepping with ip6_nexthdr() until it cannot advance */
	for (;;) {
		next = ip6_nexthdr(m, off, proto, nxtp);
		if (next < 0)
			return off;	/* header at OFF is the last one */
		if (next < off)
			return -1;	/* invalid */
		if (next == off)
			return next;	/* no progress */

		off = next;
		proto = *nxtp;
	}
}

/*
 * System control for IP6
 */

/*
 * errno value for each of the PRC_NCMDS command codes (presumably indexed
 * by the PRC_* value -- confirm against the users of this table); 0 means
 * that no error is associated with the command.
 */
u_char	inet6ctlerrmap[PRC_NCMDS] = {
	/*  0 -  3 */	0,		0,		0,		0,
	/*  4 -  7 */	0,		EMSGSIZE,	EHOSTDOWN,	EHOSTUNREACH,
	/*  8 - 11 */	EHOSTUNREACH,	EHOSTUNREACH,	ECONNREFUSED,	ECONNREFUSED,
	/* 12 - 15 */	EMSGSIZE,	EHOSTUNREACH,	0,		0,
	/* 16 - 19 */	0,		0,		0,		0,
	/* 20      */	ENOPROTOOPT
};

/*
 * sysctl handler for the IPv6 variables.  NAME[0] selects the variable;
 * every name at this level is terminal, so NAMELEN must be 1 (ENOTDIR
 * otherwise).  Unknown names yield EOPNOTSUPP.
 *
 * Most variables are plain integers passed straight to sysctl_int().
 * The port-range variables are written first and then validated; when
 * the resulting range is unacceptable the previous value is restored
 * and EINVAL is returned.
 */
int
ip6_sysctl(name, namelen, oldp, oldlenp, newp, newlen)
	int *name;
	u_int namelen;
	void *oldp;
	size_t *oldlenp;
	void *newp;
	size_t newlen;
{
	int *knob = NULL;	/* plain integer variable selected by name[0] */
	int saved, rv;

	/* All sysctl names at this level are terminal. */
	if (namelen != 1)
		return ENOTDIR;

	switch (name[0]) {

	/* simple integer variables: handled by the sysctl_int() at the end */
	case IPV6CTL_FORWARDING:
		knob = &ip6_forwarding;
		break;
	case IPV6CTL_SENDREDIRECTS:
		knob = &ip6_sendredirects;
		break;
	case IPV6CTL_DEFHLIM:
		knob = &ip6_defhlim;
		break;
	case IPV6CTL_MAXFRAGPACKETS:
		knob = &ip6_maxfragpackets;
		break;
	case IPV6CTL_ACCEPT_RTADV:
		knob = &ip6_accept_rtadv;
		break;
	case IPV6CTL_KEEPFAITH:
		knob = &ip6_keepfaith;
		break;
	case IPV6CTL_LOG_INTERVAL:
		knob = &ip6_log_interval;
		break;
	case IPV6CTL_HDRNESTLIMIT:
		knob = &ip6_hdrnestlimit;
		break;
	case IPV6CTL_DAD_COUNT:
		knob = &ip6_dad_count;
		break;
	case IPV6CTL_AUTO_FLOWLABEL:
		knob = &ip6_auto_flowlabel;
		break;
	case IPV6CTL_DEFMCASTHLIM:
		knob = &ip6_defmcasthlim;
		break;
#if NGIF > 0
	case IPV6CTL_GIF_HLIM:
		knob = &ip6_gif_hlim;
		break;
#endif
	case IPV6CTL_USE_DEPRECATED:
		knob = &ip6_use_deprecated;
		break;
	case IPV6CTL_RR_PRUNE:
		knob = &ip6_rr_prune;
		break;
	case IPV6CTL_MAXFRAGS:
		knob = &ip6_maxfrags;
		break;

	/* read-only string */
	case IPV6CTL_KAME_VERSION:
		return sysctl_rdstring(oldp, oldlenp, newp, __KAME_VERSION);

	/* read-only when INET6_BINDV6ONLY is defined, writable otherwise */
	case IPV6CTL_V6ONLY:
#ifdef INET6_BINDV6ONLY
		return sysctl_rdint(oldp, oldlenp, newp, ip6_v6only);
#else
		knob = &ip6_v6only;
		break;
#endif

	/*
	 * Port ranges: write the value first, then validate it and roll
	 * back to the saved value if the range is not acceptable.
	 */
	case IPV6CTL_ANONPORTMIN:
		saved = ip6_anonportmin;
		rv = sysctl_int(oldp, oldlenp, newp, newlen,
		    &ip6_anonportmin);
		if (ip6_anonportmin >= ip6_anonportmax ||
		    ip6_anonportmin < 0 || ip6_anonportmin > 65535
#ifndef IPNOPRIVPORTS
		    || ip6_anonportmin < IPV6PORT_RESERVED
#endif
		    ) {
			ip6_anonportmin = saved;
			return (EINVAL);
		}
		return (rv);

	case IPV6CTL_ANONPORTMAX:
		saved = ip6_anonportmax;
		rv = sysctl_int(oldp, oldlenp, newp, newlen,
		    &ip6_anonportmax);
		if (ip6_anonportmin >= ip6_anonportmax ||
		    ip6_anonportmax < 0 || ip6_anonportmax > 65535
#ifndef IPNOPRIVPORTS
		    || ip6_anonportmax < IPV6PORT_RESERVED
#endif
		    ) {
			ip6_anonportmax = saved;
			return (EINVAL);
		}
		return (rv);

#ifndef IPNOPRIVPORTS
	case IPV6CTL_LOWPORTMIN:
		saved = ip6_lowportmin;
		rv = sysctl_int(oldp, oldlenp, newp, newlen,
		    &ip6_lowportmin);
		if (ip6_lowportmin >= ip6_lowportmax ||
		    ip6_lowportmin > IPV6PORT_RESERVEDMAX ||
		    ip6_lowportmin < IPV6PORT_RESERVEDMIN) {
			ip6_lowportmin = saved;
			return (EINVAL);
		}
		return (rv);

	case IPV6CTL_LOWPORTMAX:
		saved = ip6_lowportmax;
		rv = sysctl_int(oldp, oldlenp, newp, newlen,
		    &ip6_lowportmax);
		if (ip6_lowportmin >= ip6_lowportmax ||
		    ip6_lowportmax > IPV6PORT_RESERVEDMAX ||
		    ip6_lowportmax < IPV6PORT_RESERVEDMIN) {
			ip6_lowportmax = saved;
			return (EINVAL);
		}
		return (rv);
#endif

	default:
		return EOPNOTSUPP;
	}

	/* only the simple integer cases break out of the switch */
	return sysctl_int(oldp, oldlenp, newp, newlen, knob);
}