1 /* $OpenBSD: ip_output.c,v 1.195 2009/10/06 21:21:48 claudio Exp $ */ 2 /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ 3 4 /* 5 * Copyright (c) 1982, 1986, 1988, 1990, 1993 6 * The Regents of the University of California. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the University nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 * 32 * @(#)ip_output.c 8.3 (Berkeley) 1/21/94 33 */ 34 35 #include "pf.h" 36 37 #include <sys/param.h> 38 #include <sys/systm.h> 39 #include <sys/mbuf.h> 40 #include <sys/protosw.h> 41 #include <sys/socket.h> 42 #include <sys/socketvar.h> 43 #include <sys/proc.h> 44 #include <sys/kernel.h> 45 46 #include <net/if.h> 47 #include <net/if_enc.h> 48 #include <net/route.h> 49 50 #include <netinet/in.h> 51 #include <netinet/in_systm.h> 52 #include <netinet/ip.h> 53 #include <netinet/in_pcb.h> 54 #include <netinet/in_var.h> 55 #include <netinet/ip_var.h> 56 #include <netinet/ip_icmp.h> 57 #include <netinet/tcp.h> 58 #include <netinet/udp.h> 59 #include <netinet/tcp_timer.h> 60 #include <netinet/tcp_var.h> 61 #include <netinet/udp_var.h> 62 63 #if NPF > 0 64 #include <net/pfvar.h> 65 #endif 66 67 #ifdef IPSEC 68 #ifdef ENCDEBUG 69 #define DPRINTF(x) do { if (encdebug) printf x ; } while (0) 70 #else 71 #define DPRINTF(x) 72 #endif 73 74 extern u_int8_t get_sa_require(struct inpcb *); 75 76 extern int ipsec_auth_default_level; 77 extern int ipsec_esp_trans_default_level; 78 extern int ipsec_esp_network_default_level; 79 extern int ipsec_ipcomp_default_level; 80 extern int ipforwarding; 81 #endif /* IPSEC */ 82 83 #ifdef MROUTING 84 extern int ipmforwarding; 85 #endif 86 87 struct mbuf *ip_insertoptions(struct mbuf *, struct mbuf *, int *); 88 void ip_mloopback(struct ifnet *, struct mbuf *, struct sockaddr_in *); 89 90 /* 91 * IP output. The packet in mbuf chain m contains a skeletal IP 92 * header (with len, off, ttl, proto, tos, src, dst). 93 * The mbuf chain containing the packet will be freed. 94 * The mbuf opt, if present, will not be freed. 95 */ 96 int 97 ip_output(struct mbuf *m0, ...) 98 { 99 struct ip *ip; 100 struct ifnet *ifp; 101 struct mbuf *m = m0; 102 int hlen = sizeof (struct ip); 103 int len, error = 0; 104 struct route iproute; 105 struct sockaddr_in *dst; 106 struct in_ifaddr *ia; 107 struct mbuf *opt; 108 struct route *ro; 109 int flags; 110 struct ip_moptions *imo; 111 va_list ap; 112 u_int8_t sproto = 0, donerouting = 0; 113 u_long mtu; 114 #ifdef IPSEC 115 u_int32_t icmp_mtu = 0; 116 union sockaddr_union sdst; 117 u_int32_t sspi; 118 struct m_tag *mtag; 119 struct tdb_ident *tdbi; 120 121 struct inpcb *inp; 122 struct tdb *tdb; 123 int s; 124 #endif /* IPSEC */ 125 126 va_start(ap, m0); 127 opt = va_arg(ap, struct mbuf *); 128 ro = va_arg(ap, struct route *); 129 flags = va_arg(ap, int); 130 imo = va_arg(ap, struct ip_moptions *); 131 #ifdef IPSEC 132 inp = va_arg(ap, struct inpcb *); 133 if (inp && (inp->inp_flags & INP_IPV6) != 0) 134 panic("ip_output: IPv6 pcb is passed"); 135 #endif /* IPSEC */ 136 va_end(ap); 137 138 #ifdef DIAGNOSTIC 139 if ((m->m_flags & M_PKTHDR) == 0) 140 panic("ip_output no HDR"); 141 #endif 142 if (opt) { 143 m = ip_insertoptions(m, opt, &len); 144 hlen = len; 145 } 146 147 ip = mtod(m, struct ip *); 148 149 /* 150 * Fill in IP header. 151 */ 152 if ((flags & (IP_FORWARDING|IP_RAWOUTPUT)) == 0) { 153 ip->ip_v = IPVERSION; 154 ip->ip_off &= htons(IP_DF); 155 ip->ip_id = htons(ip_randomid()); 156 ip->ip_hl = hlen >> 2; 157 ipstat.ips_localout++; 158 } else { 159 hlen = ip->ip_hl << 2; 160 } 161 162 /* 163 * If we're missing the IP source address, do a route lookup. We'll 164 * remember this result, in case we don't need to do any IPsec 165 * processing on the packet. We need the source address so we can 166 * do an SPD lookup in IPsec; for most packets, the source address 167 * is set at a higher level protocol. ICMPs and other packets 168 * though (e.g., traceroute) have a source address of zeroes. 169 */ 170 if (ip->ip_src.s_addr == INADDR_ANY) { 171 if (flags & IP_ROUTETOETHER) { 172 error = EINVAL; 173 goto bad; 174 } 175 donerouting = 1; 176 177 if (ro == 0) { 178 ro = &iproute; 179 bzero((caddr_t)ro, sizeof (*ro)); 180 } 181 182 dst = satosin(&ro->ro_dst); 183 184 /* 185 * If there is a cached route, check that it is to the same 186 * destination and is still up. If not, free it and try again. 187 */ 188 if (ro->ro_rt && ((ro->ro_rt->rt_flags & RTF_UP) == 0 || 189 dst->sin_addr.s_addr != ip->ip_dst.s_addr)) { 190 RTFREE(ro->ro_rt); 191 ro->ro_rt = (struct rtentry *)0; 192 } 193 194 if (ro->ro_rt == 0) { 195 dst->sin_family = AF_INET; 196 dst->sin_len = sizeof(*dst); 197 dst->sin_addr = ip->ip_dst; 198 } 199 200 /* 201 * If routing to interface only, short-circuit routing lookup. 202 */ 203 if (flags & IP_ROUTETOIF) { 204 if ((ia = ifatoia(ifa_ifwithdstaddr(sintosa(dst), 205 m->m_pkthdr.rdomain))) == 0 && 206 (ia = ifatoia(ifa_ifwithnet(sintosa(dst), 207 m->m_pkthdr.rdomain))) == 0) { 208 ipstat.ips_noroute++; 209 error = ENETUNREACH; 210 goto bad; 211 } 212 213 ifp = ia->ia_ifp; 214 mtu = ifp->if_mtu; 215 ip->ip_ttl = 1; 216 } else if ((IN_MULTICAST(ip->ip_dst.s_addr) || 217 (ip->ip_dst.s_addr == INADDR_BROADCAST)) && 218 imo != NULL && imo->imo_multicast_ifp != NULL) { 219 ifp = imo->imo_multicast_ifp; 220 mtu = ifp->if_mtu; 221 IFP_TO_IA(ifp, ia); 222 } else { 223 if (ro->ro_rt == 0) 224 rtalloc_mpath(ro, NULL, 225 m->m_pkthdr.rdomain); 226 227 if (ro->ro_rt == 0) { 228 ipstat.ips_noroute++; 229 error = EHOSTUNREACH; 230 goto bad; 231 } 232 233 ia = ifatoia(ro->ro_rt->rt_ifa); 234 ifp = ro->ro_rt->rt_ifp; 235 if ((mtu = ro->ro_rt->rt_rmx.rmx_mtu) == 0) 236 mtu = ifp->if_mtu; 237 ro->ro_rt->rt_use++; 238 239 if (ro->ro_rt->rt_flags & RTF_GATEWAY) 240 dst = satosin(ro->ro_rt->rt_gateway); 241 } 242 243 /* Set the source IP address */ 244 if (!IN_MULTICAST(ip->ip_dst.s_addr)) 245 ip->ip_src = ia->ia_addr.sin_addr; 246 } 247 248 #if NPF > 0 249 reroute: 250 #endif 251 252 #ifdef IPSEC 253 if (!ipsec_in_use && inp == NULL) 254 goto done_spd; 255 256 /* 257 * splnet is chosen over spltdb because we are not allowed to 258 * lower the level, and udp_output calls us in splnet(). 259 */ 260 s = splnet(); 261 262 /* Do we have any pending SAs to apply ? */ 263 mtag = m_tag_find(m, PACKET_TAG_IPSEC_PENDING_TDB, NULL); 264 if (mtag != NULL) { 265 #ifdef DIAGNOSTIC 266 if (mtag->m_tag_len != sizeof (struct tdb_ident)) 267 panic("ip_output: tag of length %d (should be %d", 268 mtag->m_tag_len, sizeof (struct tdb_ident)); 269 #endif 270 tdbi = (struct tdb_ident *)(mtag + 1); 271 tdb = gettdb(tdbi->spi, &tdbi->dst, tdbi->proto); 272 if (tdb == NULL) 273 error = -EINVAL; 274 m_tag_delete(m, mtag); 275 } 276 else 277 tdb = ipsp_spd_lookup(m, AF_INET, hlen, &error, 278 IPSP_DIRECTION_OUT, NULL, inp); 279 280 if (tdb == NULL) { 281 splx(s); 282 283 if (error == 0) { 284 /* 285 * No IPsec processing required, we'll just send the 286 * packet out. 287 */ 288 sproto = 0; 289 290 /* Fall through to routing/multicast handling */ 291 } else { 292 /* 293 * -EINVAL is used to indicate that the packet should 294 * be silently dropped, typically because we've asked 295 * key management for an SA. 296 */ 297 if (error == -EINVAL) /* Should silently drop packet */ 298 error = 0; 299 300 m_freem(m); 301 goto done; 302 } 303 } else { 304 /* Loop detection */ 305 for (mtag = m_tag_first(m); mtag != NULL; 306 mtag = m_tag_next(m, mtag)) { 307 if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE && 308 mtag->m_tag_id != 309 PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED) 310 continue; 311 tdbi = (struct tdb_ident *)(mtag + 1); 312 if (tdbi->spi == tdb->tdb_spi && 313 tdbi->proto == tdb->tdb_sproto && 314 !bcmp(&tdbi->dst, &tdb->tdb_dst, 315 sizeof(union sockaddr_union))) { 316 splx(s); 317 sproto = 0; /* mark as no-IPsec-needed */ 318 goto done_spd; 319 } 320 } 321 322 /* We need to do IPsec */ 323 bcopy(&tdb->tdb_dst, &sdst, sizeof(sdst)); 324 sspi = tdb->tdb_spi; 325 sproto = tdb->tdb_sproto; 326 splx(s); 327 328 /* 329 * If it needs TCP/UDP hardware-checksumming, do the 330 * computation now. 331 */ 332 if (m->m_pkthdr.csum_flags & (M_TCPV4_CSUM_OUT | M_UDPV4_CSUM_OUT)) { 333 in_delayed_cksum(m); 334 m->m_pkthdr.csum_flags &= 335 ~(M_UDPV4_CSUM_OUT | M_TCPV4_CSUM_OUT); 336 } 337 338 /* If it's not a multicast packet, try to fast-path */ 339 if (!IN_MULTICAST(ip->ip_dst.s_addr)) { 340 goto sendit; 341 } 342 } 343 344 /* Fall through to the routing/multicast handling code */ 345 done_spd: 346 #endif /* IPSEC */ 347 348 if (flags & IP_ROUTETOETHER) { 349 dst = satosin(&ro->ro_dst); 350 ifp = ro->ro_rt->rt_ifp; 351 mtu = ifp->if_mtu; 352 ro->ro_rt = NULL; 353 } else if (donerouting == 0) { 354 if (ro == 0) { 355 ro = &iproute; 356 bzero((caddr_t)ro, sizeof (*ro)); 357 } 358 359 dst = satosin(&ro->ro_dst); 360 361 /* 362 * If there is a cached route, check that it is to the same 363 * destination and is still up. If not, free it and try again. 364 */ 365 if (ro->ro_rt && ((ro->ro_rt->rt_flags & RTF_UP) == 0 || 366 dst->sin_addr.s_addr != ip->ip_dst.s_addr)) { 367 RTFREE(ro->ro_rt); 368 ro->ro_rt = (struct rtentry *)0; 369 } 370 371 if (ro->ro_rt == 0) { 372 dst->sin_family = AF_INET; 373 dst->sin_len = sizeof(*dst); 374 dst->sin_addr = ip->ip_dst; 375 } 376 377 /* 378 * If routing to interface only, short-circuit routing lookup. 379 */ 380 if (flags & IP_ROUTETOIF) { 381 if ((ia = ifatoia(ifa_ifwithdstaddr(sintosa(dst), 382 m->m_pkthdr.rdomain))) == 0 && 383 (ia = ifatoia(ifa_ifwithnet(sintosa(dst), 384 m->m_pkthdr.rdomain))) == 0) { 385 ipstat.ips_noroute++; 386 error = ENETUNREACH; 387 goto bad; 388 } 389 390 ifp = ia->ia_ifp; 391 mtu = ifp->if_mtu; 392 ip->ip_ttl = 1; 393 } else if ((IN_MULTICAST(ip->ip_dst.s_addr) || 394 (ip->ip_dst.s_addr == INADDR_BROADCAST)) && 395 imo != NULL && imo->imo_multicast_ifp != NULL) { 396 ifp = imo->imo_multicast_ifp; 397 mtu = ifp->if_mtu; 398 IFP_TO_IA(ifp, ia); 399 } else { 400 if (ro->ro_rt == 0) 401 rtalloc_mpath(ro, &ip->ip_src.s_addr, 402 m->m_pkthdr.rdomain); 403 404 if (ro->ro_rt == 0) { 405 ipstat.ips_noroute++; 406 error = EHOSTUNREACH; 407 goto bad; 408 } 409 410 ia = ifatoia(ro->ro_rt->rt_ifa); 411 ifp = ro->ro_rt->rt_ifp; 412 if ((mtu = ro->ro_rt->rt_rmx.rmx_mtu) == 0) 413 mtu = ifp->if_mtu; 414 ro->ro_rt->rt_use++; 415 416 if (ro->ro_rt->rt_flags & RTF_GATEWAY) 417 dst = satosin(ro->ro_rt->rt_gateway); 418 } 419 420 /* Set the source IP address */ 421 if (ip->ip_src.s_addr == INADDR_ANY) 422 ip->ip_src = ia->ia_addr.sin_addr; 423 } 424 425 if (IN_MULTICAST(ip->ip_dst.s_addr) || 426 (ip->ip_dst.s_addr == INADDR_BROADCAST)) { 427 struct in_multi *inm; 428 429 m->m_flags |= (ip->ip_dst.s_addr == INADDR_BROADCAST) ? 430 M_BCAST : M_MCAST; 431 432 /* 433 * IP destination address is multicast. Make sure "dst" 434 * still points to the address in "ro". (It may have been 435 * changed to point to a gateway address, above.) 436 */ 437 dst = satosin(&ro->ro_dst); 438 439 /* 440 * See if the caller provided any multicast options 441 */ 442 if (imo != NULL) 443 ip->ip_ttl = imo->imo_multicast_ttl; 444 else 445 ip->ip_ttl = IP_DEFAULT_MULTICAST_TTL; 446 447 /* 448 * if we don't know the outgoing ifp yet, we can't generate 449 * output 450 */ 451 if (!ifp) { 452 ipstat.ips_noroute++; 453 error = EHOSTUNREACH; 454 goto bad; 455 } 456 457 /* 458 * Confirm that the outgoing interface supports multicast, 459 * but only if the packet actually is going out on that 460 * interface (i.e., no IPsec is applied). 461 */ 462 if ((((m->m_flags & M_MCAST) && 463 (ifp->if_flags & IFF_MULTICAST) == 0) || 464 ((m->m_flags & M_BCAST) && 465 (ifp->if_flags & IFF_BROADCAST) == 0)) && (sproto == 0)) { 466 ipstat.ips_noroute++; 467 error = ENETUNREACH; 468 goto bad; 469 } 470 471 /* 472 * If source address not specified yet, use address 473 * of outgoing interface. 474 */ 475 if (ip->ip_src.s_addr == INADDR_ANY) { 476 struct in_ifaddr *ia; 477 478 TAILQ_FOREACH(ia, &in_ifaddr, ia_list) 479 if (ia->ia_ifp == ifp) { 480 ip->ip_src = ia->ia_addr.sin_addr; 481 break; 482 } 483 } 484 485 IN_LOOKUP_MULTI(ip->ip_dst, ifp, inm); 486 if (inm != NULL && 487 (imo == NULL || imo->imo_multicast_loop)) { 488 /* 489 * If we belong to the destination multicast group 490 * on the outgoing interface, and the caller did not 491 * forbid loopback, loop back a copy. 492 * Can't defer TCP/UDP checksumming, do the 493 * computation now. 494 */ 495 if (m->m_pkthdr.csum_flags & 496 (M_TCPV4_CSUM_OUT | M_UDPV4_CSUM_OUT)) { 497 in_delayed_cksum(m); 498 m->m_pkthdr.csum_flags &= 499 ~(M_UDPV4_CSUM_OUT | M_TCPV4_CSUM_OUT); 500 } 501 ip_mloopback(ifp, m, dst); 502 } 503 #ifdef MROUTING 504 else { 505 /* 506 * If we are acting as a multicast router, perform 507 * multicast forwarding as if the packet had just 508 * arrived on the interface to which we are about 509 * to send. The multicast forwarding function 510 * recursively calls this function, using the 511 * IP_FORWARDING flag to prevent infinite recursion. 512 * 513 * Multicasts that are looped back by ip_mloopback(), 514 * above, will be forwarded by the ip_input() routine, 515 * if necessary. 516 */ 517 extern struct socket *ip_mrouter; 518 519 if (ipmforwarding && ip_mrouter && 520 (flags & IP_FORWARDING) == 0) { 521 if (ip_mforward(m, ifp) != 0) { 522 m_freem(m); 523 goto done; 524 } 525 } 526 } 527 #endif 528 /* 529 * Multicasts with a time-to-live of zero may be looped- 530 * back, above, but must not be transmitted on a network. 531 * Also, multicasts addressed to the loopback interface 532 * are not sent -- the above call to ip_mloopback() will 533 * loop back a copy if this host actually belongs to the 534 * destination group on the loopback interface. 535 */ 536 if (ip->ip_ttl == 0 || (ifp->if_flags & IFF_LOOPBACK) != 0) { 537 m_freem(m); 538 goto done; 539 } 540 541 goto sendit; 542 } 543 544 /* 545 * Look for broadcast address and and verify user is allowed to send 546 * such a packet; if the packet is going in an IPsec tunnel, skip 547 * this check. 548 */ 549 if ((sproto == 0) && (in_broadcast(dst->sin_addr, ifp))) { 550 if ((ifp->if_flags & IFF_BROADCAST) == 0) { 551 error = EADDRNOTAVAIL; 552 goto bad; 553 } 554 if ((flags & IP_ALLOWBROADCAST) == 0) { 555 error = EACCES; 556 goto bad; 557 } 558 559 /* Don't allow broadcast messages to be fragmented */ 560 if (ntohs(ip->ip_len) > ifp->if_mtu) { 561 error = EMSGSIZE; 562 goto bad; 563 } 564 m->m_flags |= M_BCAST; 565 } else 566 m->m_flags &= ~M_BCAST; 567 568 sendit: 569 /* 570 * If we're doing Path MTU discovery, we need to set DF unless 571 * the route's MTU is locked. 572 */ 573 if ((flags & IP_MTUDISC) && ro && ro->ro_rt && 574 (ro->ro_rt->rt_rmx.rmx_locks & RTV_MTU) == 0) 575 ip->ip_off |= htons(IP_DF); 576 577 #ifdef IPSEC 578 /* 579 * Check if the packet needs encapsulation. 580 */ 581 if (sproto != 0) { 582 s = splnet(); 583 584 /* 585 * Packet filter 586 */ 587 #if NPF > 0 588 589 if (pf_test(PF_OUT, &encif[0].sc_if, &m, NULL) != PF_PASS) { 590 error = EHOSTUNREACH; 591 splx(s); 592 m_freem(m); 593 goto done; 594 } 595 if (m == NULL) { 596 splx(s); 597 goto done; 598 } 599 ip = mtod(m, struct ip *); 600 hlen = ip->ip_hl << 2; 601 /* 602 * PF_TAG_REROUTE handling or not... 603 * Packet is entering IPsec so the routing is 604 * already overruled by the IPsec policy. 605 * Until now the change was not reconsidered. 606 * What's the behaviour? 607 */ 608 #endif 609 610 tdb = gettdb(sspi, &sdst, sproto); 611 if (tdb == NULL) { 612 DPRINTF(("ip_output: unknown TDB")); 613 error = EHOSTUNREACH; 614 splx(s); 615 m_freem(m); 616 goto done; 617 } 618 619 /* Check if we are allowed to fragment */ 620 if (ip_mtudisc && (ip->ip_off & htons(IP_DF)) && tdb->tdb_mtu && 621 ntohs(ip->ip_len) > tdb->tdb_mtu && 622 tdb->tdb_mtutimeout > time_second) { 623 struct rtentry *rt = NULL; 624 int rt_mtucloned = 0; 625 int transportmode = 0; 626 627 transportmode = (tdb->tdb_dst.sa.sa_family == AF_INET) && 628 (tdb->tdb_dst.sin.sin_addr.s_addr == 629 ip->ip_dst.s_addr); 630 icmp_mtu = tdb->tdb_mtu; 631 splx(s); 632 633 /* Find a host route to store the mtu in */ 634 if (ro != NULL) 635 rt = ro->ro_rt; 636 /* but don't add a PMTU route for transport mode SAs */ 637 if (transportmode) 638 rt = NULL; 639 else if (rt == NULL || (rt->rt_flags & RTF_HOST) == 0) { 640 struct sockaddr_in dst = { 641 sizeof(struct sockaddr_in), AF_INET}; 642 dst.sin_addr = ip->ip_dst; 643 rt = icmp_mtudisc_clone((struct sockaddr *)&dst, 644 m->m_pkthdr.rdomain); 645 rt_mtucloned = 1; 646 } 647 DPRINTF(("ip_output: spi %08x mtu %d rt %p cloned %d\n", 648 ntohl(tdb->tdb_spi), icmp_mtu, rt, rt_mtucloned)); 649 if (rt != NULL) { 650 rt->rt_rmx.rmx_mtu = icmp_mtu; 651 if (ro && ro->ro_rt != NULL) { 652 RTFREE(ro->ro_rt); 653 ro->ro_rt = NULL; 654 rtalloc1(&ro->ro_dst, 1, 655 m->m_pkthdr.rdomain); 656 } 657 if (rt_mtucloned) 658 rtfree(rt); 659 } 660 error = EMSGSIZE; 661 goto bad; 662 } 663 664 /* 665 * Clear these -- they'll be set in the recursive invocation 666 * as needed. 667 */ 668 m->m_flags &= ~(M_MCAST | M_BCAST); 669 670 /* Callee frees mbuf */ 671 error = ipsp_process_packet(m, tdb, AF_INET, 0); 672 splx(s); 673 return error; /* Nothing more to be done */ 674 } 675 676 /* 677 * If deferred crypto processing is needed, check that the 678 * interface supports it. 679 */ 680 if (ipsec_in_use && (mtag = m_tag_find(m, 681 PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL)) != NULL && 682 (ifp->if_capabilities & IFCAP_IPSEC) == 0) { 683 /* Notify IPsec to do its own crypto. */ 684 ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1)); 685 m_freem(m); 686 error = EHOSTUNREACH; 687 goto done; 688 } 689 #endif /* IPSEC */ 690 691 /* Catch routing changes wrt. hardware checksumming for TCP or UDP. */ 692 if (m->m_pkthdr.csum_flags & M_TCPV4_CSUM_OUT) { 693 if (!(ifp->if_capabilities & IFCAP_CSUM_TCPv4) || 694 ifp->if_bridge != NULL) { 695 in_delayed_cksum(m); 696 m->m_pkthdr.csum_flags &= ~M_TCPV4_CSUM_OUT; /* Clear */ 697 } 698 } else if (m->m_pkthdr.csum_flags & M_UDPV4_CSUM_OUT) { 699 if (!(ifp->if_capabilities & IFCAP_CSUM_UDPv4) || 700 ifp->if_bridge != NULL) { 701 in_delayed_cksum(m); 702 m->m_pkthdr.csum_flags &= ~M_UDPV4_CSUM_OUT; /* Clear */ 703 } 704 } 705 706 /* 707 * Packet filter 708 */ 709 #if NPF > 0 710 if (pf_test(PF_OUT, ifp, &m, NULL) != PF_PASS) { 711 error = EHOSTUNREACH; 712 m_freem(m); 713 goto done; 714 } 715 if (m == NULL) 716 goto done; 717 ip = mtod(m, struct ip *); 718 hlen = ip->ip_hl << 2; 719 if ((m->m_pkthdr.pf.flags & (PF_TAG_REROUTE | PF_TAG_GENERATED)) == 720 (PF_TAG_REROUTE | PF_TAG_GENERATED)) 721 /* already rerun the route lookup, go on */ 722 m->m_pkthdr.pf.flags &= ~(PF_TAG_GENERATED | PF_TAG_REROUTE); 723 else if (m->m_pkthdr.pf.flags & PF_TAG_REROUTE) { 724 /* tag as generated to skip over pf_test on rerun */ 725 m->m_pkthdr.pf.flags |= PF_TAG_GENERATED; 726 ro = NULL; 727 donerouting = 0; 728 goto reroute; 729 } 730 #endif 731 732 #ifdef IPSEC 733 if (ipsec_in_use && (flags & IP_FORWARDING) && (ipforwarding == 2) && 734 (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) == NULL)) { 735 error = EHOSTUNREACH; 736 m_freem(m); 737 goto done; 738 } 739 #endif 740 741 /* XXX 742 * Try to use jumbograms based on socket option, or the route 743 * or... for other reasons later on. 744 */ 745 if ((flags & IP_JUMBO) && ro->ro_rt && (ro->ro_rt->rt_flags & RTF_JUMBO) && 746 ro->ro_rt->rt_ifp) 747 mtu = ro->ro_rt->rt_ifp->if_hardmtu; 748 749 /* 750 * If small enough for interface, can just send directly. 751 */ 752 if (ntohs(ip->ip_len) <= mtu) { 753 ip->ip_sum = 0; 754 if ((ifp->if_capabilities & IFCAP_CSUM_IPv4) && 755 ifp->if_bridge == NULL) { 756 m->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT; 757 ipstat.ips_outhwcsum++; 758 } else 759 ip->ip_sum = in_cksum(m, hlen); 760 /* Update relevant hardware checksum stats for TCP/UDP */ 761 if (m->m_pkthdr.csum_flags & M_TCPV4_CSUM_OUT) 762 tcpstat.tcps_outhwcsum++; 763 else if (m->m_pkthdr.csum_flags & M_UDPV4_CSUM_OUT) 764 udpstat.udps_outhwcsum++; 765 error = (*ifp->if_output)(ifp, m, sintosa(dst), ro->ro_rt); 766 goto done; 767 } 768 769 /* 770 * Too large for interface; fragment if possible. 771 * Must be able to put at least 8 bytes per fragment. 772 */ 773 if (ip->ip_off & htons(IP_DF)) { 774 #ifdef IPSEC 775 icmp_mtu = ifp->if_mtu; 776 #endif 777 error = EMSGSIZE; 778 /* 779 * This case can happen if the user changed the MTU 780 * of an interface after enabling IP on it. Because 781 * most netifs don't keep track of routes pointing to 782 * them, there is no way for one to update all its 783 * routes when the MTU is changed. 784 */ 785 if (ro->ro_rt != NULL && 786 (ro->ro_rt->rt_flags & (RTF_UP | RTF_HOST)) && 787 !(ro->ro_rt->rt_rmx.rmx_locks & RTV_MTU) && 788 (ro->ro_rt->rt_rmx.rmx_mtu > ifp->if_mtu)) { 789 ro->ro_rt->rt_rmx.rmx_mtu = ifp->if_mtu; 790 } 791 ipstat.ips_cantfrag++; 792 goto bad; 793 } 794 795 error = ip_fragment(m, ifp, mtu); 796 if (error) { 797 m = m0 = NULL; 798 goto bad; 799 } 800 801 for (; m; m = m0) { 802 m0 = m->m_nextpkt; 803 m->m_nextpkt = 0; 804 if (error == 0) 805 error = (*ifp->if_output)(ifp, m, sintosa(dst), 806 ro->ro_rt); 807 else 808 m_freem(m); 809 } 810 811 if (error == 0) 812 ipstat.ips_fragmented++; 813 814 done: 815 if (ro == &iproute && (flags & IP_ROUTETOIF) == 0 && ro->ro_rt) 816 RTFREE(ro->ro_rt); 817 return (error); 818 bad: 819 #ifdef IPSEC 820 if (error == EMSGSIZE && ip_mtudisc && icmp_mtu != 0 && m != NULL) 821 ipsec_adjust_mtu(m, icmp_mtu); 822 #endif 823 m_freem(m0); 824 goto done; 825 } 826 827 int 828 ip_fragment(struct mbuf *m, struct ifnet *ifp, u_long mtu) 829 { 830 struct ip *ip, *mhip; 831 struct mbuf *m0; 832 int len, hlen, off; 833 int mhlen, firstlen; 834 struct mbuf **mnext; 835 int fragments = 0; 836 int s; 837 int error = 0; 838 839 ip = mtod(m, struct ip *); 840 hlen = ip->ip_hl << 2; 841 842 len = (mtu - hlen) &~ 7; 843 if (len < 8) { 844 m_freem(m); 845 return (EMSGSIZE); 846 } 847 848 /* 849 * If we are doing fragmentation, we can't defer TCP/UDP 850 * checksumming; compute the checksum and clear the flag. 851 */ 852 if (m->m_pkthdr.csum_flags & (M_TCPV4_CSUM_OUT | M_UDPV4_CSUM_OUT)) { 853 in_delayed_cksum(m); 854 m->m_pkthdr.csum_flags &= ~(M_UDPV4_CSUM_OUT | M_TCPV4_CSUM_OUT); 855 } 856 857 firstlen = len; 858 mnext = &m->m_nextpkt; 859 860 /* 861 * Loop through length of segment after first fragment, 862 * make new header and copy data of each part and link onto chain. 863 */ 864 m0 = m; 865 mhlen = sizeof (struct ip); 866 for (off = hlen + len; off < ntohs(ip->ip_len); off += len) { 867 MGETHDR(m, M_DONTWAIT, MT_HEADER); 868 if (m == 0) { 869 ipstat.ips_odropped++; 870 error = ENOBUFS; 871 goto sendorfree; 872 } 873 *mnext = m; 874 mnext = &m->m_nextpkt; 875 m->m_data += max_linkhdr; 876 mhip = mtod(m, struct ip *); 877 *mhip = *ip; 878 /* we must inherit MCAST and BCAST flags */ 879 m->m_flags |= m0->m_flags & (M_MCAST|M_BCAST); 880 if (hlen > sizeof (struct ip)) { 881 mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip); 882 mhip->ip_hl = mhlen >> 2; 883 } 884 m->m_len = mhlen; 885 mhip->ip_off = ((off - hlen) >> 3) + 886 (ntohs(ip->ip_off) & ~IP_MF); 887 if (ip->ip_off & htons(IP_MF)) 888 mhip->ip_off |= IP_MF; 889 if (off + len >= ntohs(ip->ip_len)) 890 len = ntohs(ip->ip_len) - off; 891 else 892 mhip->ip_off |= IP_MF; 893 mhip->ip_len = htons((u_int16_t)(len + mhlen)); 894 m->m_next = m_copy(m0, off, len); 895 if (m->m_next == 0) { 896 ipstat.ips_odropped++; 897 error = ENOBUFS; 898 goto sendorfree; 899 } 900 m->m_pkthdr.len = mhlen + len; 901 m->m_pkthdr.rcvif = (struct ifnet *)0; 902 mhip->ip_off = htons((u_int16_t)mhip->ip_off); 903 mhip->ip_sum = 0; 904 if ((ifp != NULL) && 905 (ifp->if_capabilities & IFCAP_CSUM_IPv4) && 906 ifp->if_bridge == NULL) { 907 m->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT; 908 ipstat.ips_outhwcsum++; 909 } else 910 mhip->ip_sum = in_cksum(m, mhlen); 911 ipstat.ips_ofragments++; 912 fragments++; 913 } 914 /* 915 * Update first fragment by trimming what's been copied out 916 * and updating header, then send each fragment (in order). 917 */ 918 m = m0; 919 m_adj(m, hlen + firstlen - ntohs(ip->ip_len)); 920 m->m_pkthdr.len = hlen + firstlen; 921 ip->ip_len = htons((u_int16_t)m->m_pkthdr.len); 922 ip->ip_off |= htons(IP_MF); 923 ip->ip_sum = 0; 924 if ((ifp != NULL) && 925 (ifp->if_capabilities & IFCAP_CSUM_IPv4) && 926 ifp->if_bridge == NULL) { 927 m->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT; 928 ipstat.ips_outhwcsum++; 929 } else 930 ip->ip_sum = in_cksum(m, hlen); 931 sendorfree: 932 /* 933 * If there is no room for all the fragments, don't queue 934 * any of them. 935 */ 936 if (ifp != NULL) { 937 s = splnet(); 938 if (ifp->if_snd.ifq_maxlen - ifp->if_snd.ifq_len < fragments && 939 error == 0) { 940 error = ENOBUFS; 941 ipstat.ips_odropped++; 942 IFQ_INC_DROPS(&ifp->if_snd); 943 } 944 splx(s); 945 } 946 if (error) { 947 for (m = m0; m; m = m0) { 948 m0 = m->m_nextpkt; 949 m->m_nextpkt = NULL; 950 m_freem(m); 951 } 952 } 953 954 return (error); 955 } 956 957 /* 958 * Insert IP options into preformed packet. 959 * Adjust IP destination as required for IP source routing, 960 * as indicated by a non-zero in_addr at the start of the options. 961 */ 962 struct mbuf * 963 ip_insertoptions(m, opt, phlen) 964 struct mbuf *m; 965 struct mbuf *opt; 966 int *phlen; 967 { 968 struct ipoption *p = mtod(opt, struct ipoption *); 969 struct mbuf *n; 970 struct ip *ip = mtod(m, struct ip *); 971 unsigned optlen; 972 973 optlen = opt->m_len - sizeof(p->ipopt_dst); 974 if (optlen + ntohs(ip->ip_len) > IP_MAXPACKET) 975 return (m); /* XXX should fail */ 976 if (p->ipopt_dst.s_addr) 977 ip->ip_dst = p->ipopt_dst; 978 if (m->m_flags & M_EXT || m->m_data - optlen < m->m_pktdat) { 979 MGETHDR(n, M_DONTWAIT, MT_HEADER); 980 if (n == 0) 981 return (m); 982 M_MOVE_HDR(n, m); 983 n->m_pkthdr.len += optlen; 984 m->m_len -= sizeof(struct ip); 985 m->m_data += sizeof(struct ip); 986 n->m_next = m; 987 m = n; 988 m->m_len = optlen + sizeof(struct ip); 989 m->m_data += max_linkhdr; 990 bcopy((caddr_t)ip, mtod(m, caddr_t), sizeof(struct ip)); 991 } else { 992 m->m_data -= optlen; 993 m->m_len += optlen; 994 m->m_pkthdr.len += optlen; 995 ovbcopy((caddr_t)ip, mtod(m, caddr_t), sizeof(struct ip)); 996 } 997 ip = mtod(m, struct ip *); 998 bcopy((caddr_t)p->ipopt_list, (caddr_t)(ip + 1), (unsigned)optlen); 999 *phlen = sizeof(struct ip) + optlen; 1000 ip->ip_len = htons(ntohs(ip->ip_len) + optlen); 1001 return (m); 1002 } 1003 1004 /* 1005 * Copy options from ip to jp, 1006 * omitting those not copied during fragmentation. 1007 */ 1008 int 1009 ip_optcopy(ip, jp) 1010 struct ip *ip, *jp; 1011 { 1012 u_char *cp, *dp; 1013 int opt, optlen, cnt; 1014 1015 cp = (u_char *)(ip + 1); 1016 dp = (u_char *)(jp + 1); 1017 cnt = (ip->ip_hl << 2) - sizeof (struct ip); 1018 for (; cnt > 0; cnt -= optlen, cp += optlen) { 1019 opt = cp[0]; 1020 if (opt == IPOPT_EOL) 1021 break; 1022 if (opt == IPOPT_NOP) { 1023 /* Preserve for IP mcast tunnel's LSRR alignment. */ 1024 *dp++ = IPOPT_NOP; 1025 optlen = 1; 1026 continue; 1027 } 1028 #ifdef DIAGNOSTIC 1029 if (cnt < IPOPT_OLEN + sizeof(*cp)) 1030 panic("malformed IPv4 option passed to ip_optcopy"); 1031 #endif 1032 optlen = cp[IPOPT_OLEN]; 1033 #ifdef DIAGNOSTIC 1034 if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) 1035 panic("malformed IPv4 option passed to ip_optcopy"); 1036 #endif 1037 /* bogus lengths should have been caught by ip_dooptions */ 1038 if (optlen > cnt) 1039 optlen = cnt; 1040 if (IPOPT_COPIED(opt)) { 1041 bcopy((caddr_t)cp, (caddr_t)dp, (unsigned)optlen); 1042 dp += optlen; 1043 } 1044 } 1045 for (optlen = dp - (u_char *)(jp+1); optlen & 0x3; optlen++) 1046 *dp++ = IPOPT_EOL; 1047 return (optlen); 1048 } 1049 1050 /* 1051 * IP socket option processing. 1052 */ 1053 int 1054 ip_ctloutput(op, so, level, optname, mp) 1055 int op; 1056 struct socket *so; 1057 int level, optname; 1058 struct mbuf **mp; 1059 { 1060 struct inpcb *inp = sotoinpcb(so); 1061 struct mbuf *m = *mp; 1062 int optval = 0; 1063 #ifdef IPSEC 1064 struct proc *p = curproc; /* XXX */ 1065 struct ipsec_ref *ipr; 1066 u_int16_t opt16val; 1067 #endif 1068 int error = 0; 1069 u_int rtid = 0; 1070 1071 if (level != IPPROTO_IP) { 1072 error = EINVAL; 1073 if (op == PRCO_SETOPT && *mp) 1074 (void) m_free(*mp); 1075 } else switch (op) { 1076 case PRCO_SETOPT: 1077 switch (optname) { 1078 case IP_OPTIONS: 1079 #ifdef notyet 1080 case IP_RETOPTS: 1081 return (ip_pcbopts(optname, &inp->inp_options, m)); 1082 #else 1083 return (ip_pcbopts(&inp->inp_options, m)); 1084 #endif 1085 1086 case IP_TOS: 1087 case IP_TTL: 1088 case IP_MINTTL: 1089 case IP_RECVOPTS: 1090 case IP_RECVRETOPTS: 1091 case IP_RECVDSTADDR: 1092 case IP_RECVIF: 1093 case IP_RECVTTL: 1094 case IP_RECVDSTPORT: 1095 if (m == NULL || m->m_len != sizeof(int)) 1096 error = EINVAL; 1097 else { 1098 optval = *mtod(m, int *); 1099 switch (optname) { 1100 1101 case IP_TOS: 1102 inp->inp_ip.ip_tos = optval; 1103 break; 1104 1105 case IP_TTL: 1106 if (optval > 0 && optval <= MAXTTL) 1107 inp->inp_ip.ip_ttl = optval; 1108 else 1109 error = EINVAL; 1110 break; 1111 1112 case IP_MINTTL: 1113 if (optval > 0 && optval <= MAXTTL) 1114 inp->inp_ip_minttl = optval; 1115 else 1116 error = EINVAL; 1117 break; 1118 #define OPTSET(bit) \ 1119 if (optval) \ 1120 inp->inp_flags |= bit; \ 1121 else \ 1122 inp->inp_flags &= ~bit; 1123 1124 case IP_RECVOPTS: 1125 OPTSET(INP_RECVOPTS); 1126 break; 1127 1128 case IP_RECVRETOPTS: 1129 OPTSET(INP_RECVRETOPTS); 1130 break; 1131 1132 case IP_RECVDSTADDR: 1133 OPTSET(INP_RECVDSTADDR); 1134 break; 1135 case IP_RECVIF: 1136 OPTSET(INP_RECVIF); 1137 break; 1138 case IP_RECVTTL: 1139 OPTSET(INP_RECVTTL); 1140 break; 1141 case IP_RECVDSTPORT: 1142 OPTSET(INP_RECVDSTPORT); 1143 break; 1144 } 1145 } 1146 break; 1147 #undef OPTSET 1148 1149 case IP_MULTICAST_IF: 1150 case IP_MULTICAST_TTL: 1151 case IP_MULTICAST_LOOP: 1152 case IP_ADD_MEMBERSHIP: 1153 case IP_DROP_MEMBERSHIP: 1154 error = ip_setmoptions(optname, &inp->inp_moptions, m, 1155 inp->inp_rdomain); 1156 break; 1157 1158 case IP_PORTRANGE: 1159 if (m == 0 || m->m_len != sizeof(int)) 1160 error = EINVAL; 1161 else { 1162 optval = *mtod(m, int *); 1163 1164 switch (optval) { 1165 1166 case IP_PORTRANGE_DEFAULT: 1167 inp->inp_flags &= ~(INP_LOWPORT); 1168 inp->inp_flags &= ~(INP_HIGHPORT); 1169 break; 1170 1171 case IP_PORTRANGE_HIGH: 1172 inp->inp_flags &= ~(INP_LOWPORT); 1173 inp->inp_flags |= INP_HIGHPORT; 1174 break; 1175 1176 case IP_PORTRANGE_LOW: 1177 inp->inp_flags &= ~(INP_HIGHPORT); 1178 inp->inp_flags |= INP_LOWPORT; 1179 break; 1180 1181 default: 1182 1183 error = EINVAL; 1184 break; 1185 } 1186 } 1187 break; 1188 case IP_AUTH_LEVEL: 1189 case IP_ESP_TRANS_LEVEL: 1190 case IP_ESP_NETWORK_LEVEL: 1191 case IP_IPCOMP_LEVEL: 1192 #ifndef IPSEC 1193 error = EOPNOTSUPP; 1194 #else 1195 if (m == 0 || m->m_len != sizeof(int)) { 1196 error = EINVAL; 1197 break; 1198 } 1199 optval = *mtod(m, int *); 1200 1201 if (optval < IPSEC_LEVEL_BYPASS || 1202 optval > IPSEC_LEVEL_UNIQUE) { 1203 error = EINVAL; 1204 break; 1205 } 1206 1207 /* Unlink cached output TDB to force a re-search */ 1208 if (inp->inp_tdb_out) { 1209 int s = spltdb(); 1210 TAILQ_REMOVE(&inp->inp_tdb_out->tdb_inp_out, 1211 inp, inp_tdb_out_next); 1212 splx(s); 1213 } 1214 1215 if (inp->inp_tdb_in) { 1216 int s = spltdb(); 1217 TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, 1218 inp, inp_tdb_in_next); 1219 splx(s); 1220 } 1221 1222 switch (optname) { 1223 case IP_AUTH_LEVEL: 1224 if (optval < ipsec_auth_default_level && 1225 suser(p, 0)) { 1226 error = EACCES; 1227 break; 1228 } 1229 inp->inp_seclevel[SL_AUTH] = optval; 1230 break; 1231 1232 case IP_ESP_TRANS_LEVEL: 1233 if (optval < ipsec_esp_trans_default_level && 1234 suser(p, 0)) { 1235 error = EACCES; 1236 break; 1237 } 1238 inp->inp_seclevel[SL_ESP_TRANS] = optval; 1239 break; 1240 1241 case IP_ESP_NETWORK_LEVEL: 1242 if (optval < ipsec_esp_network_default_level && 1243 suser(p, 0)) { 1244 error = EACCES; 1245 break; 1246 } 1247 inp->inp_seclevel[SL_ESP_NETWORK] = optval; 1248 break; 1249 case IP_IPCOMP_LEVEL: 1250 if (optval < ipsec_ipcomp_default_level && 1251 suser(p, 0)) { 1252 error = EACCES; 1253 break; 1254 } 1255 inp->inp_seclevel[SL_IPCOMP] = optval; 1256 break; 1257 } 1258 if (!error) 1259 inp->inp_secrequire = get_sa_require(inp); 1260 #endif 1261 break; 1262 1263 case IP_IPSEC_REMOTE_CRED: 1264 case IP_IPSEC_REMOTE_AUTH: 1265 /* Can't set the remote credential or key */ 1266 error = EOPNOTSUPP; 1267 break; 1268 1269 case IP_IPSEC_LOCAL_ID: 1270 case IP_IPSEC_REMOTE_ID: 1271 case IP_IPSEC_LOCAL_CRED: 1272 case IP_IPSEC_LOCAL_AUTH: 1273 #ifndef IPSEC 1274 error = EOPNOTSUPP; 1275 #else 1276 if (m->m_len < 2) { 1277 error = EINVAL; 1278 break; 1279 } 1280 1281 m_copydata(m, 0, 2, (caddr_t) &opt16val); 1282 1283 /* If the type is 0, then we cleanup and return */ 1284 if (opt16val == 0) { 1285 switch (optname) { 1286 case IP_IPSEC_LOCAL_ID: 1287 if (inp->inp_ipo != NULL && 1288 inp->inp_ipo->ipo_srcid != NULL) { 1289 ipsp_reffree(inp->inp_ipo->ipo_srcid); 1290 inp->inp_ipo->ipo_srcid = NULL; 1291 } 1292 break; 1293 1294 case IP_IPSEC_REMOTE_ID: 1295 if (inp->inp_ipo != NULL && 1296 inp->inp_ipo->ipo_dstid != NULL) { 1297 ipsp_reffree(inp->inp_ipo->ipo_dstid); 1298 inp->inp_ipo->ipo_dstid = NULL; 1299 } 1300 break; 1301 1302 case IP_IPSEC_LOCAL_CRED: 1303 if (inp->inp_ipo != NULL && 1304 inp->inp_ipo->ipo_local_cred != NULL) { 1305 ipsp_reffree(inp->inp_ipo->ipo_local_cred); 1306 inp->inp_ipo->ipo_local_cred = NULL; 1307 } 1308 break; 1309 1310 case IP_IPSEC_LOCAL_AUTH: 1311 if (inp->inp_ipo != NULL && 1312 inp->inp_ipo->ipo_local_auth != NULL) { 1313 ipsp_reffree(inp->inp_ipo->ipo_local_auth); 1314 inp->inp_ipo->ipo_local_auth = NULL; 1315 } 1316 break; 1317 } 1318 1319 error = 0; 1320 break; 1321 } 1322 1323 /* Can't have an empty payload */ 1324 if (m->m_len == 2) { 1325 error = EINVAL; 1326 break; 1327 } 1328 1329 /* Allocate if needed */ 1330 if (inp->inp_ipo == NULL) { 1331 inp->inp_ipo = ipsec_add_policy(inp, 1332 AF_INET, IPSP_DIRECTION_OUT); 1333 if (inp->inp_ipo == NULL) { 1334 error = ENOBUFS; 1335 break; 1336 } 1337 } 1338 1339 ipr = malloc(sizeof(struct ipsec_ref) + m->m_len - 2, 1340 M_CREDENTIALS, M_NOWAIT); 1341 if (ipr == NULL) { 1342 error = ENOBUFS; 1343 break; 1344 } 1345 1346 ipr->ref_count = 1; 1347 ipr->ref_malloctype = M_CREDENTIALS; 1348 ipr->ref_len = m->m_len - 2; 1349 ipr->ref_type = opt16val; 1350 m_copydata(m, 2, m->m_len - 2, (caddr_t)(ipr + 1)); 1351 1352 switch (optname) { 1353 case IP_IPSEC_LOCAL_ID: 1354 /* Check valid types and NUL-termination */ 1355 if (ipr->ref_type < IPSP_IDENTITY_PREFIX || 1356 ipr->ref_type > IPSP_IDENTITY_CONNECTION || 1357 ((char *)(ipr + 1))[ipr->ref_len - 1]) { 1358 free(ipr, M_CREDENTIALS); 1359 error = EINVAL; 1360 } else { 1361 if (inp->inp_ipo->ipo_srcid != NULL) 1362 ipsp_reffree(inp->inp_ipo->ipo_srcid); 1363 inp->inp_ipo->ipo_srcid = ipr; 1364 } 1365 break; 1366 case IP_IPSEC_REMOTE_ID: 1367 /* Check valid types and NUL-termination */ 1368 if (ipr->ref_type < IPSP_IDENTITY_PREFIX || 1369 ipr->ref_type > IPSP_IDENTITY_CONNECTION || 1370 ((char *)(ipr + 1))[ipr->ref_len - 1]) { 1371 free(ipr, M_CREDENTIALS); 1372 error = EINVAL; 1373 } else { 1374 if (inp->inp_ipo->ipo_dstid != NULL) 1375 ipsp_reffree(inp->inp_ipo->ipo_dstid); 1376 inp->inp_ipo->ipo_dstid = ipr; 1377 } 1378 break; 1379 case IP_IPSEC_LOCAL_CRED: 1380 if (ipr->ref_type < IPSP_CRED_KEYNOTE || 1381 ipr->ref_type > IPSP_CRED_X509) { 1382 free(ipr, M_CREDENTIALS); 1383 error = EINVAL; 1384 } else { 1385 if (inp->inp_ipo->ipo_local_cred != NULL) 1386 ipsp_reffree(inp->inp_ipo->ipo_local_cred); 1387 inp->inp_ipo->ipo_local_cred = ipr; 1388 } 1389 break; 1390 case IP_IPSEC_LOCAL_AUTH: 1391 if (ipr->ref_type < IPSP_AUTH_PASSPHRASE || 1392 ipr->ref_type > IPSP_AUTH_RSA) { 1393 free(ipr, M_CREDENTIALS); 1394 error = EINVAL; 1395 } else { 1396 if (inp->inp_ipo->ipo_local_auth != NULL) 1397 ipsp_reffree(inp->inp_ipo->ipo_local_auth); 1398 inp->inp_ipo->ipo_local_auth = ipr; 1399 } 1400 break; 1401 } 1402 1403 /* Unlink cached output TDB to force a re-search */ 1404 if (inp->inp_tdb_out) { 1405 int s = spltdb(); 1406 TAILQ_REMOVE(&inp->inp_tdb_out->tdb_inp_out, 1407 inp, inp_tdb_out_next); 1408 splx(s); 1409 } 1410 1411 if (inp->inp_tdb_in) { 1412 int s = spltdb(); 1413 TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, 1414 inp, inp_tdb_in_next); 1415 splx(s); 1416 } 1417 #endif 1418 break; 1419 case SO_RDOMAIN: 1420 if (m == NULL || m->m_len < sizeof(u_int)) { 1421 error = EINVAL; 1422 break; 1423 } 1424 rtid = *mtod(m, u_int *); 1425 if (!rtable_exists(rtid)) { 1426 error = EINVAL; 1427 break; 1428 } 1429 inp->inp_rdomain = rtid; 1430 break; 1431 default: 1432 error = ENOPROTOOPT; 1433 break; 1434 } 1435 if (m) 1436 (void)m_free(m); 1437 break; 1438 1439 case PRCO_GETOPT: 1440 switch (optname) { 1441 case IP_OPTIONS: 1442 case IP_RETOPTS: 1443 *mp = m = m_get(M_WAIT, MT_SOOPTS); 1444 if (inp->inp_options) { 1445 m->m_len = inp->inp_options->m_len; 1446 bcopy(mtod(inp->inp_options, caddr_t), 1447 mtod(m, caddr_t), (unsigned)m->m_len); 1448 } else 1449 m->m_len = 0; 1450 break; 1451 1452 case IP_TOS: 1453 case IP_TTL: 1454 case IP_MINTTL: 1455 case IP_RECVOPTS: 1456 case IP_RECVRETOPTS: 1457 case IP_RECVDSTADDR: 1458 case IP_RECVIF: 1459 case IP_RECVTTL: 1460 case IP_RECVDSTPORT: 1461 *mp = m = m_get(M_WAIT, MT_SOOPTS); 1462 m->m_len = sizeof(int); 1463 switch (optname) { 1464 1465 case IP_TOS: 1466 optval = inp->inp_ip.ip_tos; 1467 break; 1468 1469 case IP_TTL: 1470 optval = inp->inp_ip.ip_ttl; 1471 break; 1472 1473 case IP_MINTTL: 1474 optval = inp->inp_ip_minttl; 1475 break; 1476 1477 #define OPTBIT(bit) (inp->inp_flags & bit ? 1 : 0) 1478 1479 case IP_RECVOPTS: 1480 optval = OPTBIT(INP_RECVOPTS); 1481 break; 1482 1483 case IP_RECVRETOPTS: 1484 optval = OPTBIT(INP_RECVRETOPTS); 1485 break; 1486 1487 case IP_RECVDSTADDR: 1488 optval = OPTBIT(INP_RECVDSTADDR); 1489 break; 1490 case IP_RECVIF: 1491 optval = OPTBIT(INP_RECVIF); 1492 break; 1493 case IP_RECVTTL: 1494 optval = OPTBIT(INP_RECVTTL); 1495 break; 1496 case IP_RECVDSTPORT: 1497 optval = OPTBIT(INP_RECVDSTPORT); 1498 break; 1499 } 1500 *mtod(m, int *) = optval; 1501 break; 1502 1503 case IP_MULTICAST_IF: 1504 case IP_MULTICAST_TTL: 1505 case IP_MULTICAST_LOOP: 1506 case IP_ADD_MEMBERSHIP: 1507 case IP_DROP_MEMBERSHIP: 1508 error = ip_getmoptions(optname, inp->inp_moptions, mp); 1509 break; 1510 1511 case IP_PORTRANGE: 1512 *mp = m = m_get(M_WAIT, MT_SOOPTS); 1513 m->m_len = sizeof(int); 1514 1515 if (inp->inp_flags & INP_HIGHPORT) 1516 optval = IP_PORTRANGE_HIGH; 1517 else if (inp->inp_flags & INP_LOWPORT) 1518 optval = IP_PORTRANGE_LOW; 1519 else 1520 optval = 0; 1521 1522 *mtod(m, int *) = optval; 1523 break; 1524 1525 case IP_AUTH_LEVEL: 1526 case IP_ESP_TRANS_LEVEL: 1527 case IP_ESP_NETWORK_LEVEL: 1528 case IP_IPCOMP_LEVEL: 1529 #ifndef IPSEC 1530 m->m_len = sizeof(int); 1531 *mtod(m, int *) = IPSEC_LEVEL_NONE; 1532 #else 1533 m->m_len = sizeof(int); 1534 switch (optname) { 1535 case IP_AUTH_LEVEL: 1536 optval = inp->inp_seclevel[SL_AUTH]; 1537 break; 1538 1539 case IP_ESP_TRANS_LEVEL: 1540 optval = inp->inp_seclevel[SL_ESP_TRANS]; 1541 break; 1542 1543 case IP_ESP_NETWORK_LEVEL: 1544 optval = inp->inp_seclevel[SL_ESP_NETWORK]; 1545 break; 1546 case IP_IPCOMP_LEVEL: 1547 optval = inp->inp_seclevel[SL_IPCOMP]; 1548 break; 1549 } 1550 *mtod(m, int *) = optval; 1551 #endif 1552 break; 1553 case IP_IPSEC_LOCAL_ID: 1554 case IP_IPSEC_REMOTE_ID: 1555 case IP_IPSEC_LOCAL_CRED: 1556 case IP_IPSEC_REMOTE_CRED: 1557 case IP_IPSEC_LOCAL_AUTH: 1558 case IP_IPSEC_REMOTE_AUTH: 1559 #ifndef IPSEC 1560 error = EOPNOTSUPP; 1561 #else 1562 *mp = m = m_get(M_WAIT, MT_SOOPTS); 1563 m->m_len = sizeof(u_int16_t); 1564 ipr = NULL; 1565 switch (optname) { 1566 case IP_IPSEC_LOCAL_ID: 1567 if (inp->inp_ipo != NULL) 1568 ipr = inp->inp_ipo->ipo_srcid; 1569 opt16val = IPSP_IDENTITY_NONE; 1570 break; 1571 case IP_IPSEC_REMOTE_ID: 1572 if (inp->inp_ipo != NULL) 1573 ipr = inp->inp_ipo->ipo_dstid; 1574 opt16val = IPSP_IDENTITY_NONE; 1575 break; 1576 case IP_IPSEC_LOCAL_CRED: 1577 if (inp->inp_ipo != NULL) 1578 ipr = inp->inp_ipo->ipo_local_cred; 1579 opt16val = IPSP_CRED_NONE; 1580 break; 1581 case IP_IPSEC_REMOTE_CRED: 1582 ipr = inp->inp_ipsec_remotecred; 1583 opt16val = IPSP_CRED_NONE; 1584 break; 1585 case IP_IPSEC_LOCAL_AUTH: 1586 if (inp->inp_ipo != NULL) 1587 ipr = inp->inp_ipo->ipo_local_auth; 1588 break; 1589 case IP_IPSEC_REMOTE_AUTH: 1590 ipr = inp->inp_ipsec_remoteauth; 1591 break; 1592 } 1593 if (ipr == NULL) 1594 *mtod(m, u_int16_t *) = opt16val; 1595 else { 1596 size_t len; 1597 1598 len = m->m_len + ipr->ref_len; 1599 if (len > MCLBYTES) { 1600 m_free(m); 1601 error = EINVAL; 1602 break; 1603 } 1604 /* allocate mbuf cluster for larger option */ 1605 if (len > MLEN) { 1606 MCLGET(m, M_WAITOK); 1607 if ((m->m_flags & M_EXT) == 0) { 1608 m_free(m); 1609 error = ENOBUFS; 1610 break; 1611 } 1612 1613 } 1614 m->m_len = len; 1615 *mtod(m, u_int16_t *) = ipr->ref_type; 1616 m_copyback(m, sizeof(u_int16_t), ipr->ref_len, 1617 ipr + 1); 1618 } 1619 #endif 1620 break; 1621 case SO_RDOMAIN: 1622 *mp = m = m_get(M_WAIT, MT_SOOPTS); 1623 m->m_len = sizeof(u_int); 1624 *mtod(m, u_int *) = inp->inp_rdomain; 1625 break; 1626 default: 1627 error = ENOPROTOOPT; 1628 break; 1629 } 1630 break; 1631 } 1632 return (error); 1633 } 1634 1635 /* 1636 * Set up IP options in pcb for insertion in output packets. 1637 * Store in mbuf with pointer in pcbopt, adding pseudo-option 1638 * with destination address if source routed. 1639 */ 1640 int 1641 #ifdef notyet 1642 ip_pcbopts(optname, pcbopt, m) 1643 int optname; 1644 #else 1645 ip_pcbopts(pcbopt, m) 1646 #endif 1647 struct mbuf **pcbopt; 1648 struct mbuf *m; 1649 { 1650 int cnt, optlen; 1651 u_char *cp; 1652 u_char opt; 1653 1654 /* turn off any old options */ 1655 if (*pcbopt) 1656 (void)m_free(*pcbopt); 1657 *pcbopt = 0; 1658 if (m == (struct mbuf *)0 || m->m_len == 0) { 1659 /* 1660 * Only turning off any previous options. 1661 */ 1662 if (m) 1663 (void)m_free(m); 1664 return (0); 1665 } 1666 1667 if (m->m_len % sizeof(int32_t)) 1668 goto bad; 1669 1670 /* 1671 * IP first-hop destination address will be stored before 1672 * actual options; move other options back 1673 * and clear it when none present. 1674 */ 1675 if (m->m_data + m->m_len + sizeof(struct in_addr) >= &m->m_dat[MLEN]) 1676 goto bad; 1677 cnt = m->m_len; 1678 m->m_len += sizeof(struct in_addr); 1679 cp = mtod(m, u_char *) + sizeof(struct in_addr); 1680 ovbcopy(mtod(m, caddr_t), (caddr_t)cp, (unsigned)cnt); 1681 bzero(mtod(m, caddr_t), sizeof(struct in_addr)); 1682 1683 for (; cnt > 0; cnt -= optlen, cp += optlen) { 1684 opt = cp[IPOPT_OPTVAL]; 1685 if (opt == IPOPT_EOL) 1686 break; 1687 if (opt == IPOPT_NOP) 1688 optlen = 1; 1689 else { 1690 if (cnt < IPOPT_OLEN + sizeof(*cp)) 1691 goto bad; 1692 optlen = cp[IPOPT_OLEN]; 1693 if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) 1694 goto bad; 1695 } 1696 switch (opt) { 1697 1698 default: 1699 break; 1700 1701 case IPOPT_LSRR: 1702 case IPOPT_SSRR: 1703 /* 1704 * user process specifies route as: 1705 * ->A->B->C->D 1706 * D must be our final destination (but we can't 1707 * check that since we may not have connected yet). 1708 * A is first hop destination, which doesn't appear in 1709 * actual IP option, but is stored before the options. 1710 */ 1711 if (optlen < IPOPT_MINOFF - 1 + sizeof(struct in_addr)) 1712 goto bad; 1713 m->m_len -= sizeof(struct in_addr); 1714 cnt -= sizeof(struct in_addr); 1715 optlen -= sizeof(struct in_addr); 1716 cp[IPOPT_OLEN] = optlen; 1717 /* 1718 * Move first hop before start of options. 1719 */ 1720 bcopy((caddr_t)&cp[IPOPT_OFFSET+1], mtod(m, caddr_t), 1721 sizeof(struct in_addr)); 1722 /* 1723 * Then copy rest of options back 1724 * to close up the deleted entry. 1725 */ 1726 ovbcopy((caddr_t)(&cp[IPOPT_OFFSET+1] + 1727 sizeof(struct in_addr)), 1728 (caddr_t)&cp[IPOPT_OFFSET+1], 1729 (unsigned)cnt - (IPOPT_OFFSET+1)); 1730 break; 1731 } 1732 } 1733 if (m->m_len > MAX_IPOPTLEN + sizeof(struct in_addr)) 1734 goto bad; 1735 *pcbopt = m; 1736 return (0); 1737 1738 bad: 1739 (void)m_free(m); 1740 return (EINVAL); 1741 } 1742 1743 /* 1744 * Set the IP multicast options in response to user setsockopt(). 1745 */ 1746 int 1747 ip_setmoptions(int optname, struct ip_moptions **imop, struct mbuf *m, 1748 u_int rdomain) 1749 { 1750 int error = 0; 1751 u_char loop; 1752 int i; 1753 struct in_addr addr; 1754 struct ip_mreq *mreq; 1755 struct ifnet *ifp; 1756 struct ip_moptions *imo = *imop; 1757 struct in_multi **immp; 1758 struct route ro; 1759 struct sockaddr_in *dst; 1760 1761 if (imo == NULL) { 1762 /* 1763 * No multicast option buffer attached to the pcb; 1764 * allocate one and initialize to default values. 1765 */ 1766 imo = (struct ip_moptions *)malloc(sizeof(*imo), M_IPMOPTS, 1767 M_WAITOK|M_ZERO); 1768 immp = (struct in_multi **)malloc( 1769 (sizeof(*immp) * IP_MIN_MEMBERSHIPS), M_IPMOPTS, 1770 M_WAITOK|M_ZERO); 1771 *imop = imo; 1772 imo->imo_multicast_ifp = NULL; 1773 imo->imo_multicast_ttl = IP_DEFAULT_MULTICAST_TTL; 1774 imo->imo_multicast_loop = IP_DEFAULT_MULTICAST_LOOP; 1775 imo->imo_num_memberships = 0; 1776 imo->imo_max_memberships = IP_MIN_MEMBERSHIPS; 1777 imo->imo_membership = immp; 1778 } 1779 1780 switch (optname) { 1781 1782 case IP_MULTICAST_IF: 1783 /* 1784 * Select the interface for outgoing multicast packets. 1785 */ 1786 if (m == NULL || m->m_len != sizeof(struct in_addr)) { 1787 error = EINVAL; 1788 break; 1789 } 1790 addr = *(mtod(m, struct in_addr *)); 1791 /* 1792 * INADDR_ANY is used to remove a previous selection. 1793 * When no interface is selected, a default one is 1794 * chosen every time a multicast packet is sent. 1795 */ 1796 if (addr.s_addr == INADDR_ANY) { 1797 imo->imo_multicast_ifp = NULL; 1798 break; 1799 } 1800 /* 1801 * The selected interface is identified by its local 1802 * IP address. Find the interface and confirm that 1803 * it supports multicasting. 1804 */ 1805 INADDR_TO_IFP(addr, ifp, rdomain); 1806 if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0) { 1807 error = EADDRNOTAVAIL; 1808 break; 1809 } 1810 imo->imo_multicast_ifp = ifp; 1811 break; 1812 1813 case IP_MULTICAST_TTL: 1814 /* 1815 * Set the IP time-to-live for outgoing multicast packets. 1816 */ 1817 if (m == NULL || m->m_len != 1) { 1818 error = EINVAL; 1819 break; 1820 } 1821 imo->imo_multicast_ttl = *(mtod(m, u_char *)); 1822 break; 1823 1824 case IP_MULTICAST_LOOP: 1825 /* 1826 * Set the loopback flag for outgoing multicast packets. 1827 * Must be zero or one. 1828 */ 1829 if (m == NULL || m->m_len != 1 || 1830 (loop = *(mtod(m, u_char *))) > 1) { 1831 error = EINVAL; 1832 break; 1833 } 1834 imo->imo_multicast_loop = loop; 1835 break; 1836 1837 case IP_ADD_MEMBERSHIP: 1838 /* 1839 * Add a multicast group membership. 1840 * Group must be a valid IP multicast address. 1841 */ 1842 if (m == NULL || m->m_len != sizeof(struct ip_mreq)) { 1843 error = EINVAL; 1844 break; 1845 } 1846 mreq = mtod(m, struct ip_mreq *); 1847 if (!IN_MULTICAST(mreq->imr_multiaddr.s_addr)) { 1848 error = EINVAL; 1849 break; 1850 } 1851 /* 1852 * If no interface address was provided, use the interface of 1853 * the route to the given multicast address. 1854 */ 1855 if (mreq->imr_interface.s_addr == INADDR_ANY) { 1856 ro.ro_rt = NULL; 1857 dst = satosin(&ro.ro_dst); 1858 dst->sin_len = sizeof(*dst); 1859 dst->sin_family = AF_INET; 1860 dst->sin_addr = mreq->imr_multiaddr; 1861 if (!(ro.ro_rt && ro.ro_rt->rt_ifp && 1862 (ro.ro_rt->rt_flags & RTF_UP))) 1863 ro.ro_rt = rtalloc1(&ro.ro_dst, 1, rdomain); 1864 if (ro.ro_rt == NULL) { 1865 error = EADDRNOTAVAIL; 1866 break; 1867 } 1868 ifp = ro.ro_rt->rt_ifp; 1869 rtfree(ro.ro_rt); 1870 } else { 1871 INADDR_TO_IFP(mreq->imr_interface, ifp, rdomain); 1872 } 1873 /* 1874 * See if we found an interface, and confirm that it 1875 * supports multicast. 1876 */ 1877 if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0) { 1878 error = EADDRNOTAVAIL; 1879 break; 1880 } 1881 /* 1882 * See if the membership already exists or if all the 1883 * membership slots are full. 1884 */ 1885 for (i = 0; i < imo->imo_num_memberships; ++i) { 1886 if (imo->imo_membership[i]->inm_ia->ia_ifp == ifp && 1887 imo->imo_membership[i]->inm_addr.s_addr 1888 == mreq->imr_multiaddr.s_addr) 1889 break; 1890 } 1891 if (i < imo->imo_num_memberships) { 1892 error = EADDRINUSE; 1893 break; 1894 } 1895 if (imo->imo_num_memberships == imo->imo_max_memberships) { 1896 struct in_multi **nmships, **omships; 1897 size_t newmax; 1898 /* 1899 * Resize the vector to next power-of-two minus 1. If the 1900 * size would exceed the maximum then we know we've really 1901 * run out of entries. Otherwise, we reallocate the vector. 1902 */ 1903 nmships = NULL; 1904 omships = imo->imo_membership; 1905 newmax = ((imo->imo_max_memberships + 1) * 2) - 1; 1906 if (newmax <= IP_MAX_MEMBERSHIPS) { 1907 nmships = (struct in_multi **)malloc( 1908 sizeof(*nmships) * newmax, M_IPMOPTS, 1909 M_NOWAIT|M_ZERO); 1910 if (nmships != NULL) { 1911 bcopy(omships, nmships, 1912 sizeof(*omships) * 1913 imo->imo_max_memberships); 1914 free(omships, M_IPMOPTS); 1915 imo->imo_membership = nmships; 1916 imo->imo_max_memberships = newmax; 1917 } 1918 } 1919 if (nmships == NULL) { 1920 error = ETOOMANYREFS; 1921 break; 1922 } 1923 } 1924 /* 1925 * Everything looks good; add a new record to the multicast 1926 * address list for the given interface. 1927 */ 1928 if ((imo->imo_membership[i] = 1929 in_addmulti(&mreq->imr_multiaddr, ifp)) == NULL) { 1930 error = ENOBUFS; 1931 break; 1932 } 1933 ++imo->imo_num_memberships; 1934 break; 1935 1936 case IP_DROP_MEMBERSHIP: 1937 /* 1938 * Drop a multicast group membership. 1939 * Group must be a valid IP multicast address. 1940 */ 1941 if (m == NULL || m->m_len != sizeof(struct ip_mreq)) { 1942 error = EINVAL; 1943 break; 1944 } 1945 mreq = mtod(m, struct ip_mreq *); 1946 if (!IN_MULTICAST(mreq->imr_multiaddr.s_addr)) { 1947 error = EINVAL; 1948 break; 1949 } 1950 /* 1951 * If an interface address was specified, get a pointer 1952 * to its ifnet structure. 1953 */ 1954 if (mreq->imr_interface.s_addr == INADDR_ANY) 1955 ifp = NULL; 1956 else { 1957 INADDR_TO_IFP(mreq->imr_interface, ifp, rdomain); 1958 if (ifp == NULL) { 1959 error = EADDRNOTAVAIL; 1960 break; 1961 } 1962 } 1963 /* 1964 * Find the membership in the membership array. 1965 */ 1966 for (i = 0; i < imo->imo_num_memberships; ++i) { 1967 if ((ifp == NULL || 1968 imo->imo_membership[i]->inm_ia->ia_ifp == ifp) && 1969 imo->imo_membership[i]->inm_addr.s_addr == 1970 mreq->imr_multiaddr.s_addr) 1971 break; 1972 } 1973 if (i == imo->imo_num_memberships) { 1974 error = EADDRNOTAVAIL; 1975 break; 1976 } 1977 /* 1978 * Give up the multicast address record to which the 1979 * membership points. 1980 */ 1981 in_delmulti(imo->imo_membership[i]); 1982 /* 1983 * Remove the gap in the membership array. 1984 */ 1985 for (++i; i < imo->imo_num_memberships; ++i) 1986 imo->imo_membership[i-1] = imo->imo_membership[i]; 1987 --imo->imo_num_memberships; 1988 break; 1989 1990 default: 1991 error = EOPNOTSUPP; 1992 break; 1993 } 1994 1995 /* 1996 * If all options have default values, no need to keep the data. 1997 */ 1998 if (imo->imo_multicast_ifp == NULL && 1999 imo->imo_multicast_ttl == IP_DEFAULT_MULTICAST_TTL && 2000 imo->imo_multicast_loop == IP_DEFAULT_MULTICAST_LOOP && 2001 imo->imo_num_memberships == 0) { 2002 free(imo->imo_membership , M_IPMOPTS); 2003 free(*imop, M_IPMOPTS); 2004 *imop = NULL; 2005 } 2006 2007 return (error); 2008 } 2009 2010 /* 2011 * Return the IP multicast options in response to user getsockopt(). 2012 */ 2013 int 2014 ip_getmoptions(optname, imo, mp) 2015 int optname; 2016 struct ip_moptions *imo; 2017 struct mbuf **mp; 2018 { 2019 u_char *ttl; 2020 u_char *loop; 2021 struct in_addr *addr; 2022 struct in_ifaddr *ia; 2023 2024 *mp = m_get(M_WAIT, MT_SOOPTS); 2025 2026 switch (optname) { 2027 2028 case IP_MULTICAST_IF: 2029 addr = mtod(*mp, struct in_addr *); 2030 (*mp)->m_len = sizeof(struct in_addr); 2031 if (imo == NULL || imo->imo_multicast_ifp == NULL) 2032 addr->s_addr = INADDR_ANY; 2033 else { 2034 IFP_TO_IA(imo->imo_multicast_ifp, ia); 2035 addr->s_addr = (ia == NULL) ? INADDR_ANY 2036 : ia->ia_addr.sin_addr.s_addr; 2037 } 2038 return (0); 2039 2040 case IP_MULTICAST_TTL: 2041 ttl = mtod(*mp, u_char *); 2042 (*mp)->m_len = 1; 2043 *ttl = (imo == NULL) ? IP_DEFAULT_MULTICAST_TTL 2044 : imo->imo_multicast_ttl; 2045 return (0); 2046 2047 case IP_MULTICAST_LOOP: 2048 loop = mtod(*mp, u_char *); 2049 (*mp)->m_len = 1; 2050 *loop = (imo == NULL) ? IP_DEFAULT_MULTICAST_LOOP 2051 : imo->imo_multicast_loop; 2052 return (0); 2053 2054 default: 2055 return (EOPNOTSUPP); 2056 } 2057 } 2058 2059 /* 2060 * Discard the IP multicast options. 2061 */ 2062 void 2063 ip_freemoptions(imo) 2064 struct ip_moptions *imo; 2065 { 2066 int i; 2067 2068 if (imo != NULL) { 2069 for (i = 0; i < imo->imo_num_memberships; ++i) 2070 in_delmulti(imo->imo_membership[i]); 2071 free(imo->imo_membership, M_IPMOPTS); 2072 free(imo, M_IPMOPTS); 2073 } 2074 } 2075 2076 /* 2077 * Routine called from ip_output() to loop back a copy of an IP multicast 2078 * packet to the input queue of a specified interface. Note that this 2079 * calls the output routine of the loopback "driver", but with an interface 2080 * pointer that might NOT be &loif -- easier than replicating that code here. 2081 */ 2082 void 2083 ip_mloopback(ifp, m, dst) 2084 struct ifnet *ifp; 2085 struct mbuf *m; 2086 struct sockaddr_in *dst; 2087 { 2088 struct ip *ip; 2089 struct mbuf *copym; 2090 2091 copym = m_copym2(m, 0, M_COPYALL, M_DONTWAIT); 2092 if (copym != NULL) { 2093 /* 2094 * We don't bother to fragment if the IP length is greater 2095 * than the interface's MTU. Can this possibly matter? 2096 */ 2097 ip = mtod(copym, struct ip *); 2098 ip->ip_sum = 0; 2099 ip->ip_sum = in_cksum(copym, ip->ip_hl << 2); 2100 (void) looutput(ifp, copym, sintosa(dst), NULL); 2101 } 2102 } 2103 2104 /* 2105 * Process a delayed payload checksum calculation. 2106 */ 2107 void 2108 in_delayed_cksum(struct mbuf *m) 2109 { 2110 struct ip *ip; 2111 u_int16_t csum, offset; 2112 2113 ip = mtod(m, struct ip *); 2114 offset = ip->ip_hl << 2; 2115 csum = in4_cksum(m, 0, offset, m->m_pkthdr.len - offset); 2116 if (csum == 0 && ip->ip_p == IPPROTO_UDP) 2117 csum = 0xffff; 2118 2119 switch (ip->ip_p) { 2120 case IPPROTO_TCP: 2121 offset += offsetof(struct tcphdr, th_sum); 2122 break; 2123 2124 case IPPROTO_UDP: 2125 offset += offsetof(struct udphdr, uh_sum); 2126 break; 2127 2128 default: 2129 return; 2130 } 2131 2132 if ((offset + sizeof(u_int16_t)) > m->m_len) 2133 m_copyback(m, offset, sizeof(csum), &csum); 2134 else 2135 *(u_int16_t *)(mtod(m, caddr_t) + offset) = csum; 2136 } 2137