1 /* $OpenBSD: ip_output.c,v 1.198 2009/11/13 14:14:56 claudio Exp $ */ 2 /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ 3 4 /* 5 * Copyright (c) 1982, 1986, 1988, 1990, 1993 6 * The Regents of the University of California. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the University nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 * 32 * @(#)ip_output.c 8.3 (Berkeley) 1/21/94 33 */ 34 35 #include "pf.h" 36 37 #include <sys/param.h> 38 #include <sys/systm.h> 39 #include <sys/mbuf.h> 40 #include <sys/protosw.h> 41 #include <sys/socket.h> 42 #include <sys/socketvar.h> 43 #include <sys/proc.h> 44 #include <sys/kernel.h> 45 46 #include <net/if.h> 47 #include <net/if_enc.h> 48 #include <net/route.h> 49 50 #include <netinet/in.h> 51 #include <netinet/in_systm.h> 52 #include <netinet/ip.h> 53 #include <netinet/in_pcb.h> 54 #include <netinet/in_var.h> 55 #include <netinet/ip_var.h> 56 #include <netinet/ip_icmp.h> 57 #include <netinet/tcp.h> 58 #include <netinet/udp.h> 59 #include <netinet/tcp_timer.h> 60 #include <netinet/tcp_var.h> 61 #include <netinet/udp_var.h> 62 63 #if NPF > 0 64 #include <net/pfvar.h> 65 #endif 66 67 #ifdef IPSEC 68 #ifdef ENCDEBUG 69 #define DPRINTF(x) do { if (encdebug) printf x ; } while (0) 70 #else 71 #define DPRINTF(x) 72 #endif 73 74 extern u_int8_t get_sa_require(struct inpcb *); 75 76 extern int ipsec_auth_default_level; 77 extern int ipsec_esp_trans_default_level; 78 extern int ipsec_esp_network_default_level; 79 extern int ipsec_ipcomp_default_level; 80 extern int ipforwarding; 81 #endif /* IPSEC */ 82 83 #ifdef MROUTING 84 extern int ipmforwarding; 85 #endif 86 87 struct mbuf *ip_insertoptions(struct mbuf *, struct mbuf *, int *); 88 void ip_mloopback(struct ifnet *, struct mbuf *, struct sockaddr_in *); 89 90 /* 91 * IP output. The packet in mbuf chain m contains a skeletal IP 92 * header (with len, off, ttl, proto, tos, src, dst). 93 * The mbuf chain containing the packet will be freed. 94 * The mbuf opt, if present, will not be freed. 95 */ 96 int 97 ip_output(struct mbuf *m0, ...) 98 { 99 struct ip *ip; 100 struct ifnet *ifp; 101 struct mbuf *m = m0; 102 int hlen = sizeof (struct ip); 103 int len, error = 0; 104 struct route iproute; 105 struct sockaddr_in *dst; 106 struct in_ifaddr *ia; 107 struct mbuf *opt; 108 struct route *ro; 109 int flags; 110 struct ip_moptions *imo; 111 va_list ap; 112 u_int8_t sproto = 0, donerouting = 0; 113 u_long mtu; 114 #ifdef IPSEC 115 u_int32_t icmp_mtu = 0; 116 union sockaddr_union sdst; 117 u_int32_t sspi; 118 struct m_tag *mtag; 119 struct tdb_ident *tdbi; 120 121 struct inpcb *inp; 122 struct tdb *tdb; 123 int s; 124 #endif /* IPSEC */ 125 126 va_start(ap, m0); 127 opt = va_arg(ap, struct mbuf *); 128 ro = va_arg(ap, struct route *); 129 flags = va_arg(ap, int); 130 imo = va_arg(ap, struct ip_moptions *); 131 #ifdef IPSEC 132 inp = va_arg(ap, struct inpcb *); 133 if (inp && (inp->inp_flags & INP_IPV6) != 0) 134 panic("ip_output: IPv6 pcb is passed"); 135 #endif /* IPSEC */ 136 va_end(ap); 137 138 #ifdef DIAGNOSTIC 139 if ((m->m_flags & M_PKTHDR) == 0) 140 panic("ip_output no HDR"); 141 #endif 142 if (opt) { 143 m = ip_insertoptions(m, opt, &len); 144 hlen = len; 145 } 146 147 ip = mtod(m, struct ip *); 148 149 /* 150 * Fill in IP header. 151 */ 152 if ((flags & (IP_FORWARDING|IP_RAWOUTPUT)) == 0) { 153 ip->ip_v = IPVERSION; 154 ip->ip_off &= htons(IP_DF); 155 ip->ip_id = htons(ip_randomid()); 156 ip->ip_hl = hlen >> 2; 157 ipstat.ips_localout++; 158 } else { 159 hlen = ip->ip_hl << 2; 160 } 161 162 /* 163 * If we're missing the IP source address, do a route lookup. We'll 164 * remember this result, in case we don't need to do any IPsec 165 * processing on the packet. We need the source address so we can 166 * do an SPD lookup in IPsec; for most packets, the source address 167 * is set at a higher level protocol. ICMPs and other packets 168 * though (e.g., traceroute) have a source address of zeroes. 169 */ 170 if (ip->ip_src.s_addr == INADDR_ANY) { 171 if (flags & IP_ROUTETOETHER) { 172 error = EINVAL; 173 goto bad; 174 } 175 donerouting = 1; 176 177 if (ro == 0) { 178 ro = &iproute; 179 bzero((caddr_t)ro, sizeof (*ro)); 180 } 181 182 dst = satosin(&ro->ro_dst); 183 184 /* 185 * If there is a cached route, check that it is to the same 186 * destination and is still up. If not, free it and try again. 187 */ 188 if (ro->ro_rt && ((ro->ro_rt->rt_flags & RTF_UP) == 0 || 189 dst->sin_addr.s_addr != ip->ip_dst.s_addr)) { 190 RTFREE(ro->ro_rt); 191 ro->ro_rt = (struct rtentry *)0; 192 } 193 194 if (ro->ro_rt == 0) { 195 dst->sin_family = AF_INET; 196 dst->sin_len = sizeof(*dst); 197 dst->sin_addr = ip->ip_dst; 198 } 199 200 /* 201 * If routing to interface only, short-circuit routing lookup. 202 */ 203 if (flags & IP_ROUTETOIF) { 204 if ((ia = ifatoia(ifa_ifwithdstaddr(sintosa(dst), 205 m->m_pkthdr.rdomain))) == 0 && 206 (ia = ifatoia(ifa_ifwithnet(sintosa(dst), 207 m->m_pkthdr.rdomain))) == 0) { 208 ipstat.ips_noroute++; 209 error = ENETUNREACH; 210 goto bad; 211 } 212 213 ifp = ia->ia_ifp; 214 mtu = ifp->if_mtu; 215 ip->ip_ttl = 1; 216 } else if ((IN_MULTICAST(ip->ip_dst.s_addr) || 217 (ip->ip_dst.s_addr == INADDR_BROADCAST)) && 218 imo != NULL && imo->imo_multicast_ifp != NULL) { 219 ifp = imo->imo_multicast_ifp; 220 mtu = ifp->if_mtu; 221 IFP_TO_IA(ifp, ia); 222 } else { 223 if (ro->ro_rt == 0) 224 rtalloc_mpath(ro, NULL, 225 m->m_pkthdr.rdomain); 226 227 if (ro->ro_rt == 0) { 228 ipstat.ips_noroute++; 229 error = EHOSTUNREACH; 230 goto bad; 231 } 232 233 ia = ifatoia(ro->ro_rt->rt_ifa); 234 ifp = ro->ro_rt->rt_ifp; 235 if ((mtu = ro->ro_rt->rt_rmx.rmx_mtu) == 0) 236 mtu = ifp->if_mtu; 237 ro->ro_rt->rt_use++; 238 239 if (ro->ro_rt->rt_flags & RTF_GATEWAY) 240 dst = satosin(ro->ro_rt->rt_gateway); 241 } 242 243 /* Set the source IP address */ 244 if (!IN_MULTICAST(ip->ip_dst.s_addr)) 245 ip->ip_src = ia->ia_addr.sin_addr; 246 } 247 248 #if NPF > 0 249 reroute: 250 #endif 251 252 #ifdef IPSEC 253 if (!ipsec_in_use && inp == NULL) 254 goto done_spd; 255 256 /* 257 * splnet is chosen over spltdb because we are not allowed to 258 * lower the level, and udp_output calls us in splnet(). 259 */ 260 s = splnet(); 261 262 /* Do we have any pending SAs to apply ? */ 263 mtag = m_tag_find(m, PACKET_TAG_IPSEC_PENDING_TDB, NULL); 264 if (mtag != NULL) { 265 #ifdef DIAGNOSTIC 266 if (mtag->m_tag_len != sizeof (struct tdb_ident)) 267 panic("ip_output: tag of length %d (should be %d", 268 mtag->m_tag_len, sizeof (struct tdb_ident)); 269 #endif 270 tdbi = (struct tdb_ident *)(mtag + 1); 271 tdb = gettdb(tdbi->spi, &tdbi->dst, tdbi->proto); 272 if (tdb == NULL) 273 error = -EINVAL; 274 m_tag_delete(m, mtag); 275 } 276 else 277 tdb = ipsp_spd_lookup(m, AF_INET, hlen, &error, 278 IPSP_DIRECTION_OUT, NULL, inp); 279 280 if (tdb == NULL) { 281 splx(s); 282 283 if (error == 0) { 284 /* 285 * No IPsec processing required, we'll just send the 286 * packet out. 287 */ 288 sproto = 0; 289 290 /* Fall through to routing/multicast handling */ 291 } else { 292 /* 293 * -EINVAL is used to indicate that the packet should 294 * be silently dropped, typically because we've asked 295 * key management for an SA. 296 */ 297 if (error == -EINVAL) /* Should silently drop packet */ 298 error = 0; 299 300 m_freem(m); 301 goto done; 302 } 303 } else { 304 /* Loop detection */ 305 for (mtag = m_tag_first(m); mtag != NULL; 306 mtag = m_tag_next(m, mtag)) { 307 if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE && 308 mtag->m_tag_id != 309 PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED) 310 continue; 311 tdbi = (struct tdb_ident *)(mtag + 1); 312 if (tdbi->spi == tdb->tdb_spi && 313 tdbi->proto == tdb->tdb_sproto && 314 !bcmp(&tdbi->dst, &tdb->tdb_dst, 315 sizeof(union sockaddr_union))) { 316 splx(s); 317 sproto = 0; /* mark as no-IPsec-needed */ 318 goto done_spd; 319 } 320 } 321 322 /* We need to do IPsec */ 323 bcopy(&tdb->tdb_dst, &sdst, sizeof(sdst)); 324 sspi = tdb->tdb_spi; 325 sproto = tdb->tdb_sproto; 326 splx(s); 327 328 /* 329 * If it needs TCP/UDP hardware-checksumming, do the 330 * computation now. 331 */ 332 if (m->m_pkthdr.csum_flags & (M_TCPV4_CSUM_OUT | M_UDPV4_CSUM_OUT)) { 333 in_delayed_cksum(m); 334 m->m_pkthdr.csum_flags &= 335 ~(M_UDPV4_CSUM_OUT | M_TCPV4_CSUM_OUT); 336 } 337 338 /* If it's not a multicast packet, try to fast-path */ 339 if (!IN_MULTICAST(ip->ip_dst.s_addr)) { 340 goto sendit; 341 } 342 } 343 344 /* Fall through to the routing/multicast handling code */ 345 done_spd: 346 #endif /* IPSEC */ 347 348 if (flags & IP_ROUTETOETHER) { 349 dst = satosin(&ro->ro_dst); 350 ifp = ro->ro_rt->rt_ifp; 351 mtu = ifp->if_mtu; 352 ro->ro_rt = NULL; 353 } else if (donerouting == 0) { 354 if (ro == 0) { 355 ro = &iproute; 356 bzero((caddr_t)ro, sizeof (*ro)); 357 } 358 359 dst = satosin(&ro->ro_dst); 360 361 /* 362 * If there is a cached route, check that it is to the same 363 * destination and is still up. If not, free it and try again. 364 */ 365 if (ro->ro_rt && ((ro->ro_rt->rt_flags & RTF_UP) == 0 || 366 dst->sin_addr.s_addr != ip->ip_dst.s_addr)) { 367 RTFREE(ro->ro_rt); 368 ro->ro_rt = (struct rtentry *)0; 369 } 370 371 if (ro->ro_rt == 0) { 372 dst->sin_family = AF_INET; 373 dst->sin_len = sizeof(*dst); 374 dst->sin_addr = ip->ip_dst; 375 } 376 377 /* 378 * If routing to interface only, short-circuit routing lookup. 379 */ 380 if (flags & IP_ROUTETOIF) { 381 if ((ia = ifatoia(ifa_ifwithdstaddr(sintosa(dst), 382 m->m_pkthdr.rdomain))) == 0 && 383 (ia = ifatoia(ifa_ifwithnet(sintosa(dst), 384 m->m_pkthdr.rdomain))) == 0) { 385 ipstat.ips_noroute++; 386 error = ENETUNREACH; 387 goto bad; 388 } 389 390 ifp = ia->ia_ifp; 391 mtu = ifp->if_mtu; 392 ip->ip_ttl = 1; 393 } else if ((IN_MULTICAST(ip->ip_dst.s_addr) || 394 (ip->ip_dst.s_addr == INADDR_BROADCAST)) && 395 imo != NULL && imo->imo_multicast_ifp != NULL) { 396 ifp = imo->imo_multicast_ifp; 397 mtu = ifp->if_mtu; 398 IFP_TO_IA(ifp, ia); 399 } else { 400 if (ro->ro_rt == 0) 401 rtalloc_mpath(ro, &ip->ip_src.s_addr, 402 m->m_pkthdr.rdomain); 403 404 if (ro->ro_rt == 0) { 405 ipstat.ips_noroute++; 406 error = EHOSTUNREACH; 407 goto bad; 408 } 409 410 ia = ifatoia(ro->ro_rt->rt_ifa); 411 ifp = ro->ro_rt->rt_ifp; 412 if ((mtu = ro->ro_rt->rt_rmx.rmx_mtu) == 0) 413 mtu = ifp->if_mtu; 414 ro->ro_rt->rt_use++; 415 416 if (ro->ro_rt->rt_flags & RTF_GATEWAY) 417 dst = satosin(ro->ro_rt->rt_gateway); 418 } 419 420 /* Set the source IP address */ 421 if (ip->ip_src.s_addr == INADDR_ANY) 422 ip->ip_src = ia->ia_addr.sin_addr; 423 } 424 425 if (IN_MULTICAST(ip->ip_dst.s_addr) || 426 (ip->ip_dst.s_addr == INADDR_BROADCAST)) { 427 struct in_multi *inm; 428 429 m->m_flags |= (ip->ip_dst.s_addr == INADDR_BROADCAST) ? 430 M_BCAST : M_MCAST; 431 432 /* 433 * IP destination address is multicast. Make sure "dst" 434 * still points to the address in "ro". (It may have been 435 * changed to point to a gateway address, above.) 436 */ 437 dst = satosin(&ro->ro_dst); 438 439 /* 440 * See if the caller provided any multicast options 441 */ 442 if (imo != NULL) 443 ip->ip_ttl = imo->imo_multicast_ttl; 444 else 445 ip->ip_ttl = IP_DEFAULT_MULTICAST_TTL; 446 447 /* 448 * if we don't know the outgoing ifp yet, we can't generate 449 * output 450 */ 451 if (!ifp) { 452 ipstat.ips_noroute++; 453 error = EHOSTUNREACH; 454 goto bad; 455 } 456 457 /* 458 * Confirm that the outgoing interface supports multicast, 459 * but only if the packet actually is going out on that 460 * interface (i.e., no IPsec is applied). 461 */ 462 if ((((m->m_flags & M_MCAST) && 463 (ifp->if_flags & IFF_MULTICAST) == 0) || 464 ((m->m_flags & M_BCAST) && 465 (ifp->if_flags & IFF_BROADCAST) == 0)) && (sproto == 0)) { 466 ipstat.ips_noroute++; 467 error = ENETUNREACH; 468 goto bad; 469 } 470 471 /* 472 * If source address not specified yet, use address 473 * of outgoing interface. 474 */ 475 if (ip->ip_src.s_addr == INADDR_ANY) { 476 struct in_ifaddr *ia; 477 478 TAILQ_FOREACH(ia, &in_ifaddr, ia_list) 479 if (ia->ia_ifp == ifp) { 480 ip->ip_src = ia->ia_addr.sin_addr; 481 break; 482 } 483 } 484 485 IN_LOOKUP_MULTI(ip->ip_dst, ifp, inm); 486 if (inm != NULL && 487 (imo == NULL || imo->imo_multicast_loop)) { 488 /* 489 * If we belong to the destination multicast group 490 * on the outgoing interface, and the caller did not 491 * forbid loopback, loop back a copy. 492 * Can't defer TCP/UDP checksumming, do the 493 * computation now. 494 */ 495 if (m->m_pkthdr.csum_flags & 496 (M_TCPV4_CSUM_OUT | M_UDPV4_CSUM_OUT)) { 497 in_delayed_cksum(m); 498 m->m_pkthdr.csum_flags &= 499 ~(M_UDPV4_CSUM_OUT | M_TCPV4_CSUM_OUT); 500 } 501 ip_mloopback(ifp, m, dst); 502 } 503 #ifdef MROUTING 504 else { 505 /* 506 * If we are acting as a multicast router, perform 507 * multicast forwarding as if the packet had just 508 * arrived on the interface to which we are about 509 * to send. The multicast forwarding function 510 * recursively calls this function, using the 511 * IP_FORWARDING flag to prevent infinite recursion. 512 * 513 * Multicasts that are looped back by ip_mloopback(), 514 * above, will be forwarded by the ip_input() routine, 515 * if necessary. 516 */ 517 extern struct socket *ip_mrouter; 518 519 if (ipmforwarding && ip_mrouter && 520 (flags & IP_FORWARDING) == 0) { 521 if (ip_mforward(m, ifp) != 0) { 522 m_freem(m); 523 goto done; 524 } 525 } 526 } 527 #endif 528 /* 529 * Multicasts with a time-to-live of zero may be looped- 530 * back, above, but must not be transmitted on a network. 531 * Also, multicasts addressed to the loopback interface 532 * are not sent -- the above call to ip_mloopback() will 533 * loop back a copy if this host actually belongs to the 534 * destination group on the loopback interface. 535 */ 536 if (ip->ip_ttl == 0 || (ifp->if_flags & IFF_LOOPBACK) != 0) { 537 m_freem(m); 538 goto done; 539 } 540 541 goto sendit; 542 } 543 544 /* 545 * Look for broadcast address and and verify user is allowed to send 546 * such a packet; if the packet is going in an IPsec tunnel, skip 547 * this check. 548 */ 549 if ((sproto == 0) && (in_broadcast(dst->sin_addr, ifp))) { 550 if ((ifp->if_flags & IFF_BROADCAST) == 0) { 551 error = EADDRNOTAVAIL; 552 goto bad; 553 } 554 if ((flags & IP_ALLOWBROADCAST) == 0) { 555 error = EACCES; 556 goto bad; 557 } 558 559 /* Don't allow broadcast messages to be fragmented */ 560 if (ntohs(ip->ip_len) > ifp->if_mtu) { 561 error = EMSGSIZE; 562 goto bad; 563 } 564 m->m_flags |= M_BCAST; 565 } else 566 m->m_flags &= ~M_BCAST; 567 568 sendit: 569 /* 570 * If we're doing Path MTU discovery, we need to set DF unless 571 * the route's MTU is locked. 572 */ 573 if ((flags & IP_MTUDISC) && ro && ro->ro_rt && 574 (ro->ro_rt->rt_rmx.rmx_locks & RTV_MTU) == 0) 575 ip->ip_off |= htons(IP_DF); 576 577 #ifdef IPSEC 578 /* 579 * Check if the packet needs encapsulation. 580 */ 581 if (sproto != 0) { 582 s = splnet(); 583 584 /* 585 * Packet filter 586 */ 587 #if NPF > 0 588 589 if (pf_test(PF_OUT, &encif[0].sc_if, &m, NULL) != PF_PASS) { 590 error = EHOSTUNREACH; 591 splx(s); 592 m_freem(m); 593 goto done; 594 } 595 if (m == NULL) { 596 splx(s); 597 goto done; 598 } 599 ip = mtod(m, struct ip *); 600 hlen = ip->ip_hl << 2; 601 /* 602 * PF_TAG_REROUTE handling or not... 603 * Packet is entering IPsec so the routing is 604 * already overruled by the IPsec policy. 605 * Until now the change was not reconsidered. 606 * What's the behaviour? 607 */ 608 #endif 609 610 tdb = gettdb(sspi, &sdst, sproto); 611 if (tdb == NULL) { 612 DPRINTF(("ip_output: unknown TDB")); 613 error = EHOSTUNREACH; 614 splx(s); 615 m_freem(m); 616 goto done; 617 } 618 619 /* Check if we are allowed to fragment */ 620 if (ip_mtudisc && (ip->ip_off & htons(IP_DF)) && tdb->tdb_mtu && 621 ntohs(ip->ip_len) > tdb->tdb_mtu && 622 tdb->tdb_mtutimeout > time_second) { 623 struct rtentry *rt = NULL; 624 int rt_mtucloned = 0; 625 int transportmode = 0; 626 627 transportmode = (tdb->tdb_dst.sa.sa_family == AF_INET) && 628 (tdb->tdb_dst.sin.sin_addr.s_addr == 629 ip->ip_dst.s_addr); 630 icmp_mtu = tdb->tdb_mtu; 631 splx(s); 632 633 /* Find a host route to store the mtu in */ 634 if (ro != NULL) 635 rt = ro->ro_rt; 636 /* but don't add a PMTU route for transport mode SAs */ 637 if (transportmode) 638 rt = NULL; 639 else if (rt == NULL || (rt->rt_flags & RTF_HOST) == 0) { 640 struct sockaddr_in dst = { 641 sizeof(struct sockaddr_in), AF_INET}; 642 dst.sin_addr = ip->ip_dst; 643 rt = icmp_mtudisc_clone((struct sockaddr *)&dst, 644 m->m_pkthdr.rdomain); 645 rt_mtucloned = 1; 646 } 647 DPRINTF(("ip_output: spi %08x mtu %d rt %p cloned %d\n", 648 ntohl(tdb->tdb_spi), icmp_mtu, rt, rt_mtucloned)); 649 if (rt != NULL) { 650 rt->rt_rmx.rmx_mtu = icmp_mtu; 651 if (ro && ro->ro_rt != NULL) { 652 RTFREE(ro->ro_rt); 653 ro->ro_rt = NULL; 654 rtalloc1(&ro->ro_dst, 1, 655 m->m_pkthdr.rdomain); 656 } 657 if (rt_mtucloned) 658 rtfree(rt); 659 } 660 error = EMSGSIZE; 661 goto bad; 662 } 663 664 /* 665 * Clear these -- they'll be set in the recursive invocation 666 * as needed. 667 */ 668 m->m_flags &= ~(M_MCAST | M_BCAST); 669 670 /* Callee frees mbuf */ 671 error = ipsp_process_packet(m, tdb, AF_INET, 0); 672 splx(s); 673 return error; /* Nothing more to be done */ 674 } 675 676 /* 677 * If deferred crypto processing is needed, check that the 678 * interface supports it. 679 */ 680 if (ipsec_in_use && (mtag = m_tag_find(m, 681 PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL)) != NULL && 682 (ifp->if_capabilities & IFCAP_IPSEC) == 0) { 683 /* Notify IPsec to do its own crypto. */ 684 ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1)); 685 m_freem(m); 686 error = EHOSTUNREACH; 687 goto done; 688 } 689 #endif /* IPSEC */ 690 691 /* Catch routing changes wrt. hardware checksumming for TCP or UDP. */ 692 if (m->m_pkthdr.csum_flags & M_TCPV4_CSUM_OUT) { 693 if (!(ifp->if_capabilities & IFCAP_CSUM_TCPv4) || 694 ifp->if_bridge != NULL) { 695 in_delayed_cksum(m); 696 m->m_pkthdr.csum_flags &= ~M_TCPV4_CSUM_OUT; /* Clear */ 697 } 698 } else if (m->m_pkthdr.csum_flags & M_UDPV4_CSUM_OUT) { 699 if (!(ifp->if_capabilities & IFCAP_CSUM_UDPv4) || 700 ifp->if_bridge != NULL) { 701 in_delayed_cksum(m); 702 m->m_pkthdr.csum_flags &= ~M_UDPV4_CSUM_OUT; /* Clear */ 703 } 704 } 705 706 /* 707 * Packet filter 708 */ 709 #if NPF > 0 710 if (pf_test(PF_OUT, ifp, &m, NULL) != PF_PASS) { 711 error = EHOSTUNREACH; 712 m_freem(m); 713 goto done; 714 } 715 if (m == NULL) 716 goto done; 717 ip = mtod(m, struct ip *); 718 hlen = ip->ip_hl << 2; 719 if ((m->m_pkthdr.pf.flags & (PF_TAG_REROUTE | PF_TAG_GENERATED)) == 720 (PF_TAG_REROUTE | PF_TAG_GENERATED)) 721 /* already rerun the route lookup, go on */ 722 m->m_pkthdr.pf.flags &= ~(PF_TAG_GENERATED | PF_TAG_REROUTE); 723 else if (m->m_pkthdr.pf.flags & PF_TAG_REROUTE) { 724 /* tag as generated to skip over pf_test on rerun */ 725 m->m_pkthdr.pf.flags |= PF_TAG_GENERATED; 726 ro = NULL; 727 donerouting = 0; 728 goto reroute; 729 } 730 #endif 731 732 #ifdef IPSEC 733 if (ipsec_in_use && (flags & IP_FORWARDING) && (ipforwarding == 2) && 734 (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) == NULL)) { 735 error = EHOSTUNREACH; 736 m_freem(m); 737 goto done; 738 } 739 #endif 740 741 /* XXX 742 * Try to use jumbograms based on socket option, or the route 743 * or... for other reasons later on. 744 */ 745 if ((flags & IP_JUMBO) && ro->ro_rt && (ro->ro_rt->rt_flags & RTF_JUMBO) && 746 ro->ro_rt->rt_ifp) 747 mtu = ro->ro_rt->rt_ifp->if_hardmtu; 748 749 /* 750 * If small enough for interface, can just send directly. 751 */ 752 if (ntohs(ip->ip_len) <= mtu) { 753 ip->ip_sum = 0; 754 if ((ifp->if_capabilities & IFCAP_CSUM_IPv4) && 755 ifp->if_bridge == NULL) { 756 m->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT; 757 ipstat.ips_outhwcsum++; 758 } else 759 ip->ip_sum = in_cksum(m, hlen); 760 /* Update relevant hardware checksum stats for TCP/UDP */ 761 if (m->m_pkthdr.csum_flags & M_TCPV4_CSUM_OUT) 762 tcpstat.tcps_outhwcsum++; 763 else if (m->m_pkthdr.csum_flags & M_UDPV4_CSUM_OUT) 764 udpstat.udps_outhwcsum++; 765 error = (*ifp->if_output)(ifp, m, sintosa(dst), ro->ro_rt); 766 goto done; 767 } 768 769 /* 770 * Too large for interface; fragment if possible. 771 * Must be able to put at least 8 bytes per fragment. 772 */ 773 if (ip->ip_off & htons(IP_DF)) { 774 #ifdef IPSEC 775 icmp_mtu = ifp->if_mtu; 776 #endif 777 error = EMSGSIZE; 778 /* 779 * This case can happen if the user changed the MTU 780 * of an interface after enabling IP on it. Because 781 * most netifs don't keep track of routes pointing to 782 * them, there is no way for one to update all its 783 * routes when the MTU is changed. 784 */ 785 if (ro->ro_rt != NULL && 786 (ro->ro_rt->rt_flags & (RTF_UP | RTF_HOST)) && 787 !(ro->ro_rt->rt_rmx.rmx_locks & RTV_MTU) && 788 (ro->ro_rt->rt_rmx.rmx_mtu > ifp->if_mtu)) { 789 ro->ro_rt->rt_rmx.rmx_mtu = ifp->if_mtu; 790 } 791 ipstat.ips_cantfrag++; 792 goto bad; 793 } 794 795 error = ip_fragment(m, ifp, mtu); 796 if (error) { 797 m = m0 = NULL; 798 goto bad; 799 } 800 801 for (; m; m = m0) { 802 m0 = m->m_nextpkt; 803 m->m_nextpkt = 0; 804 if (error == 0) 805 error = (*ifp->if_output)(ifp, m, sintosa(dst), 806 ro->ro_rt); 807 else 808 m_freem(m); 809 } 810 811 if (error == 0) 812 ipstat.ips_fragmented++; 813 814 done: 815 if (ro == &iproute && (flags & IP_ROUTETOIF) == 0 && ro->ro_rt) 816 RTFREE(ro->ro_rt); 817 return (error); 818 bad: 819 #ifdef IPSEC 820 if (error == EMSGSIZE && ip_mtudisc && icmp_mtu != 0 && m != NULL) 821 ipsec_adjust_mtu(m, icmp_mtu); 822 #endif 823 m_freem(m0); 824 goto done; 825 } 826 827 int 828 ip_fragment(struct mbuf *m, struct ifnet *ifp, u_long mtu) 829 { 830 struct ip *ip, *mhip; 831 struct mbuf *m0; 832 int len, hlen, off; 833 int mhlen, firstlen; 834 struct mbuf **mnext; 835 int fragments = 0; 836 int s; 837 int error = 0; 838 839 ip = mtod(m, struct ip *); 840 hlen = ip->ip_hl << 2; 841 842 len = (mtu - hlen) &~ 7; 843 if (len < 8) { 844 m_freem(m); 845 return (EMSGSIZE); 846 } 847 848 /* 849 * If we are doing fragmentation, we can't defer TCP/UDP 850 * checksumming; compute the checksum and clear the flag. 851 */ 852 if (m->m_pkthdr.csum_flags & (M_TCPV4_CSUM_OUT | M_UDPV4_CSUM_OUT)) { 853 in_delayed_cksum(m); 854 m->m_pkthdr.csum_flags &= ~(M_UDPV4_CSUM_OUT | M_TCPV4_CSUM_OUT); 855 } 856 857 firstlen = len; 858 mnext = &m->m_nextpkt; 859 860 /* 861 * Loop through length of segment after first fragment, 862 * make new header and copy data of each part and link onto chain. 863 */ 864 m0 = m; 865 mhlen = sizeof (struct ip); 866 for (off = hlen + len; off < ntohs(ip->ip_len); off += len) { 867 MGETHDR(m, M_DONTWAIT, MT_HEADER); 868 if (m == 0) { 869 ipstat.ips_odropped++; 870 error = ENOBUFS; 871 goto sendorfree; 872 } 873 *mnext = m; 874 mnext = &m->m_nextpkt; 875 m->m_data += max_linkhdr; 876 mhip = mtod(m, struct ip *); 877 *mhip = *ip; 878 /* we must inherit MCAST and BCAST flags and rdomain */ 879 m->m_flags |= m0->m_flags & (M_MCAST|M_BCAST); 880 m->m_pkthdr.rdomain = m0->m_pkthdr.rdomain; 881 if (hlen > sizeof (struct ip)) { 882 mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip); 883 mhip->ip_hl = mhlen >> 2; 884 } 885 m->m_len = mhlen; 886 mhip->ip_off = ((off - hlen) >> 3) + 887 (ntohs(ip->ip_off) & ~IP_MF); 888 if (ip->ip_off & htons(IP_MF)) 889 mhip->ip_off |= IP_MF; 890 if (off + len >= ntohs(ip->ip_len)) 891 len = ntohs(ip->ip_len) - off; 892 else 893 mhip->ip_off |= IP_MF; 894 mhip->ip_len = htons((u_int16_t)(len + mhlen)); 895 m->m_next = m_copy(m0, off, len); 896 if (m->m_next == 0) { 897 ipstat.ips_odropped++; 898 error = ENOBUFS; 899 goto sendorfree; 900 } 901 m->m_pkthdr.len = mhlen + len; 902 m->m_pkthdr.rcvif = (struct ifnet *)0; 903 mhip->ip_off = htons((u_int16_t)mhip->ip_off); 904 mhip->ip_sum = 0; 905 if ((ifp != NULL) && 906 (ifp->if_capabilities & IFCAP_CSUM_IPv4) && 907 ifp->if_bridge == NULL) { 908 m->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT; 909 ipstat.ips_outhwcsum++; 910 } else 911 mhip->ip_sum = in_cksum(m, mhlen); 912 ipstat.ips_ofragments++; 913 fragments++; 914 } 915 /* 916 * Update first fragment by trimming what's been copied out 917 * and updating header, then send each fragment (in order). 918 */ 919 m = m0; 920 m_adj(m, hlen + firstlen - ntohs(ip->ip_len)); 921 m->m_pkthdr.len = hlen + firstlen; 922 ip->ip_len = htons((u_int16_t)m->m_pkthdr.len); 923 ip->ip_off |= htons(IP_MF); 924 ip->ip_sum = 0; 925 if ((ifp != NULL) && 926 (ifp->if_capabilities & IFCAP_CSUM_IPv4) && 927 ifp->if_bridge == NULL) { 928 m->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT; 929 ipstat.ips_outhwcsum++; 930 } else 931 ip->ip_sum = in_cksum(m, hlen); 932 sendorfree: 933 /* 934 * If there is no room for all the fragments, don't queue 935 * any of them. 936 */ 937 if (ifp != NULL) { 938 s = splnet(); 939 if (ifp->if_snd.ifq_maxlen - ifp->if_snd.ifq_len < fragments && 940 error == 0) { 941 error = ENOBUFS; 942 ipstat.ips_odropped++; 943 IFQ_INC_DROPS(&ifp->if_snd); 944 } 945 splx(s); 946 } 947 if (error) { 948 for (m = m0; m; m = m0) { 949 m0 = m->m_nextpkt; 950 m->m_nextpkt = NULL; 951 m_freem(m); 952 } 953 } 954 955 return (error); 956 } 957 958 /* 959 * Insert IP options into preformed packet. 960 * Adjust IP destination as required for IP source routing, 961 * as indicated by a non-zero in_addr at the start of the options. 962 */ 963 struct mbuf * 964 ip_insertoptions(m, opt, phlen) 965 struct mbuf *m; 966 struct mbuf *opt; 967 int *phlen; 968 { 969 struct ipoption *p = mtod(opt, struct ipoption *); 970 struct mbuf *n; 971 struct ip *ip = mtod(m, struct ip *); 972 unsigned optlen; 973 974 optlen = opt->m_len - sizeof(p->ipopt_dst); 975 if (optlen + ntohs(ip->ip_len) > IP_MAXPACKET) 976 return (m); /* XXX should fail */ 977 if (p->ipopt_dst.s_addr) 978 ip->ip_dst = p->ipopt_dst; 979 if (m->m_flags & M_EXT || m->m_data - optlen < m->m_pktdat) { 980 MGETHDR(n, M_DONTWAIT, MT_HEADER); 981 if (n == 0) 982 return (m); 983 M_MOVE_HDR(n, m); 984 n->m_pkthdr.len += optlen; 985 m->m_len -= sizeof(struct ip); 986 m->m_data += sizeof(struct ip); 987 n->m_next = m; 988 m = n; 989 m->m_len = optlen + sizeof(struct ip); 990 m->m_data += max_linkhdr; 991 bcopy((caddr_t)ip, mtod(m, caddr_t), sizeof(struct ip)); 992 } else { 993 m->m_data -= optlen; 994 m->m_len += optlen; 995 m->m_pkthdr.len += optlen; 996 ovbcopy((caddr_t)ip, mtod(m, caddr_t), sizeof(struct ip)); 997 } 998 ip = mtod(m, struct ip *); 999 bcopy((caddr_t)p->ipopt_list, (caddr_t)(ip + 1), (unsigned)optlen); 1000 *phlen = sizeof(struct ip) + optlen; 1001 ip->ip_len = htons(ntohs(ip->ip_len) + optlen); 1002 return (m); 1003 } 1004 1005 /* 1006 * Copy options from ip to jp, 1007 * omitting those not copied during fragmentation. 1008 */ 1009 int 1010 ip_optcopy(ip, jp) 1011 struct ip *ip, *jp; 1012 { 1013 u_char *cp, *dp; 1014 int opt, optlen, cnt; 1015 1016 cp = (u_char *)(ip + 1); 1017 dp = (u_char *)(jp + 1); 1018 cnt = (ip->ip_hl << 2) - sizeof (struct ip); 1019 for (; cnt > 0; cnt -= optlen, cp += optlen) { 1020 opt = cp[0]; 1021 if (opt == IPOPT_EOL) 1022 break; 1023 if (opt == IPOPT_NOP) { 1024 /* Preserve for IP mcast tunnel's LSRR alignment. */ 1025 *dp++ = IPOPT_NOP; 1026 optlen = 1; 1027 continue; 1028 } 1029 #ifdef DIAGNOSTIC 1030 if (cnt < IPOPT_OLEN + sizeof(*cp)) 1031 panic("malformed IPv4 option passed to ip_optcopy"); 1032 #endif 1033 optlen = cp[IPOPT_OLEN]; 1034 #ifdef DIAGNOSTIC 1035 if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) 1036 panic("malformed IPv4 option passed to ip_optcopy"); 1037 #endif 1038 /* bogus lengths should have been caught by ip_dooptions */ 1039 if (optlen > cnt) 1040 optlen = cnt; 1041 if (IPOPT_COPIED(opt)) { 1042 bcopy((caddr_t)cp, (caddr_t)dp, (unsigned)optlen); 1043 dp += optlen; 1044 } 1045 } 1046 for (optlen = dp - (u_char *)(jp+1); optlen & 0x3; optlen++) 1047 *dp++ = IPOPT_EOL; 1048 return (optlen); 1049 } 1050 1051 /* 1052 * IP socket option processing. 1053 */ 1054 int 1055 ip_ctloutput(op, so, level, optname, mp) 1056 int op; 1057 struct socket *so; 1058 int level, optname; 1059 struct mbuf **mp; 1060 { 1061 struct inpcb *inp = sotoinpcb(so); 1062 struct mbuf *m = *mp; 1063 int optval = 0; 1064 #ifdef IPSEC 1065 struct proc *p = curproc; /* XXX */ 1066 struct ipsec_ref *ipr; 1067 u_int16_t opt16val; 1068 #endif 1069 int error = 0; 1070 u_int rtid = 0; 1071 1072 if (level != IPPROTO_IP) { 1073 error = EINVAL; 1074 if (op == PRCO_SETOPT && *mp) 1075 (void) m_free(*mp); 1076 } else switch (op) { 1077 case PRCO_SETOPT: 1078 switch (optname) { 1079 case IP_OPTIONS: 1080 #ifdef notyet 1081 case IP_RETOPTS: 1082 return (ip_pcbopts(optname, &inp->inp_options, m)); 1083 #else 1084 return (ip_pcbopts(&inp->inp_options, m)); 1085 #endif 1086 1087 case IP_TOS: 1088 case IP_TTL: 1089 case IP_MINTTL: 1090 case IP_RECVOPTS: 1091 case IP_RECVRETOPTS: 1092 case IP_RECVDSTADDR: 1093 case IP_RECVIF: 1094 case IP_RECVTTL: 1095 case IP_RECVDSTPORT: 1096 if (m == NULL || m->m_len != sizeof(int)) 1097 error = EINVAL; 1098 else { 1099 optval = *mtod(m, int *); 1100 switch (optname) { 1101 1102 case IP_TOS: 1103 inp->inp_ip.ip_tos = optval; 1104 break; 1105 1106 case IP_TTL: 1107 if (optval > 0 && optval <= MAXTTL) 1108 inp->inp_ip.ip_ttl = optval; 1109 else 1110 error = EINVAL; 1111 break; 1112 1113 case IP_MINTTL: 1114 if (optval > 0 && optval <= MAXTTL) 1115 inp->inp_ip_minttl = optval; 1116 else 1117 error = EINVAL; 1118 break; 1119 #define OPTSET(bit) \ 1120 if (optval) \ 1121 inp->inp_flags |= bit; \ 1122 else \ 1123 inp->inp_flags &= ~bit; 1124 1125 case IP_RECVOPTS: 1126 OPTSET(INP_RECVOPTS); 1127 break; 1128 1129 case IP_RECVRETOPTS: 1130 OPTSET(INP_RECVRETOPTS); 1131 break; 1132 1133 case IP_RECVDSTADDR: 1134 OPTSET(INP_RECVDSTADDR); 1135 break; 1136 case IP_RECVIF: 1137 OPTSET(INP_RECVIF); 1138 break; 1139 case IP_RECVTTL: 1140 OPTSET(INP_RECVTTL); 1141 break; 1142 case IP_RECVDSTPORT: 1143 OPTSET(INP_RECVDSTPORT); 1144 break; 1145 } 1146 } 1147 break; 1148 #undef OPTSET 1149 1150 case IP_MULTICAST_IF: 1151 case IP_MULTICAST_TTL: 1152 case IP_MULTICAST_LOOP: 1153 case IP_ADD_MEMBERSHIP: 1154 case IP_DROP_MEMBERSHIP: 1155 error = ip_setmoptions(optname, &inp->inp_moptions, m, 1156 inp->inp_rdomain); 1157 break; 1158 1159 case IP_PORTRANGE: 1160 if (m == 0 || m->m_len != sizeof(int)) 1161 error = EINVAL; 1162 else { 1163 optval = *mtod(m, int *); 1164 1165 switch (optval) { 1166 1167 case IP_PORTRANGE_DEFAULT: 1168 inp->inp_flags &= ~(INP_LOWPORT); 1169 inp->inp_flags &= ~(INP_HIGHPORT); 1170 break; 1171 1172 case IP_PORTRANGE_HIGH: 1173 inp->inp_flags &= ~(INP_LOWPORT); 1174 inp->inp_flags |= INP_HIGHPORT; 1175 break; 1176 1177 case IP_PORTRANGE_LOW: 1178 inp->inp_flags &= ~(INP_HIGHPORT); 1179 inp->inp_flags |= INP_LOWPORT; 1180 break; 1181 1182 default: 1183 1184 error = EINVAL; 1185 break; 1186 } 1187 } 1188 break; 1189 case IP_AUTH_LEVEL: 1190 case IP_ESP_TRANS_LEVEL: 1191 case IP_ESP_NETWORK_LEVEL: 1192 case IP_IPCOMP_LEVEL: 1193 #ifndef IPSEC 1194 error = EOPNOTSUPP; 1195 #else 1196 if (m == 0 || m->m_len != sizeof(int)) { 1197 error = EINVAL; 1198 break; 1199 } 1200 optval = *mtod(m, int *); 1201 1202 if (optval < IPSEC_LEVEL_BYPASS || 1203 optval > IPSEC_LEVEL_UNIQUE) { 1204 error = EINVAL; 1205 break; 1206 } 1207 1208 /* Unlink cached output TDB to force a re-search */ 1209 if (inp->inp_tdb_out) { 1210 int s = spltdb(); 1211 TAILQ_REMOVE(&inp->inp_tdb_out->tdb_inp_out, 1212 inp, inp_tdb_out_next); 1213 splx(s); 1214 } 1215 1216 if (inp->inp_tdb_in) { 1217 int s = spltdb(); 1218 TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, 1219 inp, inp_tdb_in_next); 1220 splx(s); 1221 } 1222 1223 switch (optname) { 1224 case IP_AUTH_LEVEL: 1225 if (optval < ipsec_auth_default_level && 1226 suser(p, 0)) { 1227 error = EACCES; 1228 break; 1229 } 1230 inp->inp_seclevel[SL_AUTH] = optval; 1231 break; 1232 1233 case IP_ESP_TRANS_LEVEL: 1234 if (optval < ipsec_esp_trans_default_level && 1235 suser(p, 0)) { 1236 error = EACCES; 1237 break; 1238 } 1239 inp->inp_seclevel[SL_ESP_TRANS] = optval; 1240 break; 1241 1242 case IP_ESP_NETWORK_LEVEL: 1243 if (optval < ipsec_esp_network_default_level && 1244 suser(p, 0)) { 1245 error = EACCES; 1246 break; 1247 } 1248 inp->inp_seclevel[SL_ESP_NETWORK] = optval; 1249 break; 1250 case IP_IPCOMP_LEVEL: 1251 if (optval < ipsec_ipcomp_default_level && 1252 suser(p, 0)) { 1253 error = EACCES; 1254 break; 1255 } 1256 inp->inp_seclevel[SL_IPCOMP] = optval; 1257 break; 1258 } 1259 if (!error) 1260 inp->inp_secrequire = get_sa_require(inp); 1261 #endif 1262 break; 1263 1264 case IP_IPSEC_REMOTE_CRED: 1265 case IP_IPSEC_REMOTE_AUTH: 1266 /* Can't set the remote credential or key */ 1267 error = EOPNOTSUPP; 1268 break; 1269 1270 case IP_IPSEC_LOCAL_ID: 1271 case IP_IPSEC_REMOTE_ID: 1272 case IP_IPSEC_LOCAL_CRED: 1273 case IP_IPSEC_LOCAL_AUTH: 1274 #ifndef IPSEC 1275 error = EOPNOTSUPP; 1276 #else 1277 if (m->m_len < 2) { 1278 error = EINVAL; 1279 break; 1280 } 1281 1282 m_copydata(m, 0, 2, (caddr_t) &opt16val); 1283 1284 /* If the type is 0, then we cleanup and return */ 1285 if (opt16val == 0) { 1286 switch (optname) { 1287 case IP_IPSEC_LOCAL_ID: 1288 if (inp->inp_ipo != NULL && 1289 inp->inp_ipo->ipo_srcid != NULL) { 1290 ipsp_reffree(inp->inp_ipo->ipo_srcid); 1291 inp->inp_ipo->ipo_srcid = NULL; 1292 } 1293 break; 1294 1295 case IP_IPSEC_REMOTE_ID: 1296 if (inp->inp_ipo != NULL && 1297 inp->inp_ipo->ipo_dstid != NULL) { 1298 ipsp_reffree(inp->inp_ipo->ipo_dstid); 1299 inp->inp_ipo->ipo_dstid = NULL; 1300 } 1301 break; 1302 1303 case IP_IPSEC_LOCAL_CRED: 1304 if (inp->inp_ipo != NULL && 1305 inp->inp_ipo->ipo_local_cred != NULL) { 1306 ipsp_reffree(inp->inp_ipo->ipo_local_cred); 1307 inp->inp_ipo->ipo_local_cred = NULL; 1308 } 1309 break; 1310 1311 case IP_IPSEC_LOCAL_AUTH: 1312 if (inp->inp_ipo != NULL && 1313 inp->inp_ipo->ipo_local_auth != NULL) { 1314 ipsp_reffree(inp->inp_ipo->ipo_local_auth); 1315 inp->inp_ipo->ipo_local_auth = NULL; 1316 } 1317 break; 1318 } 1319 1320 error = 0; 1321 break; 1322 } 1323 1324 /* Can't have an empty payload */ 1325 if (m->m_len == 2) { 1326 error = EINVAL; 1327 break; 1328 } 1329 1330 /* Allocate if needed */ 1331 if (inp->inp_ipo == NULL) { 1332 inp->inp_ipo = ipsec_add_policy(inp, 1333 AF_INET, IPSP_DIRECTION_OUT); 1334 if (inp->inp_ipo == NULL) { 1335 error = ENOBUFS; 1336 break; 1337 } 1338 } 1339 1340 ipr = malloc(sizeof(struct ipsec_ref) + m->m_len - 2, 1341 M_CREDENTIALS, M_NOWAIT); 1342 if (ipr == NULL) { 1343 error = ENOBUFS; 1344 break; 1345 } 1346 1347 ipr->ref_count = 1; 1348 ipr->ref_malloctype = M_CREDENTIALS; 1349 ipr->ref_len = m->m_len - 2; 1350 ipr->ref_type = opt16val; 1351 m_copydata(m, 2, m->m_len - 2, (caddr_t)(ipr + 1)); 1352 1353 switch (optname) { 1354 case IP_IPSEC_LOCAL_ID: 1355 /* Check valid types and NUL-termination */ 1356 if (ipr->ref_type < IPSP_IDENTITY_PREFIX || 1357 ipr->ref_type > IPSP_IDENTITY_CONNECTION || 1358 ((char *)(ipr + 1))[ipr->ref_len - 1]) { 1359 free(ipr, M_CREDENTIALS); 1360 error = EINVAL; 1361 } else { 1362 if (inp->inp_ipo->ipo_srcid != NULL) 1363 ipsp_reffree(inp->inp_ipo->ipo_srcid); 1364 inp->inp_ipo->ipo_srcid = ipr; 1365 } 1366 break; 1367 case IP_IPSEC_REMOTE_ID: 1368 /* Check valid types and NUL-termination */ 1369 if (ipr->ref_type < IPSP_IDENTITY_PREFIX || 1370 ipr->ref_type > IPSP_IDENTITY_CONNECTION || 1371 ((char *)(ipr + 1))[ipr->ref_len - 1]) { 1372 free(ipr, M_CREDENTIALS); 1373 error = EINVAL; 1374 } else { 1375 if (inp->inp_ipo->ipo_dstid != NULL) 1376 ipsp_reffree(inp->inp_ipo->ipo_dstid); 1377 inp->inp_ipo->ipo_dstid = ipr; 1378 } 1379 break; 1380 case IP_IPSEC_LOCAL_CRED: 1381 if (ipr->ref_type < IPSP_CRED_KEYNOTE || 1382 ipr->ref_type > IPSP_CRED_X509) { 1383 free(ipr, M_CREDENTIALS); 1384 error = EINVAL; 1385 } else { 1386 if (inp->inp_ipo->ipo_local_cred != NULL) 1387 ipsp_reffree(inp->inp_ipo->ipo_local_cred); 1388 inp->inp_ipo->ipo_local_cred = ipr; 1389 } 1390 break; 1391 case IP_IPSEC_LOCAL_AUTH: 1392 if (ipr->ref_type < IPSP_AUTH_PASSPHRASE || 1393 ipr->ref_type > IPSP_AUTH_RSA) { 1394 free(ipr, M_CREDENTIALS); 1395 error = EINVAL; 1396 } else { 1397 if (inp->inp_ipo->ipo_local_auth != NULL) 1398 ipsp_reffree(inp->inp_ipo->ipo_local_auth); 1399 inp->inp_ipo->ipo_local_auth = ipr; 1400 } 1401 break; 1402 } 1403 1404 /* Unlink cached output TDB to force a re-search */ 1405 if (inp->inp_tdb_out) { 1406 int s = spltdb(); 1407 TAILQ_REMOVE(&inp->inp_tdb_out->tdb_inp_out, 1408 inp, inp_tdb_out_next); 1409 splx(s); 1410 } 1411 1412 if (inp->inp_tdb_in) { 1413 int s = spltdb(); 1414 TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, 1415 inp, inp_tdb_in_next); 1416 splx(s); 1417 } 1418 #endif 1419 break; 1420 case SO_RDOMAIN: 1421 if (m == NULL || m->m_len < sizeof(u_int)) { 1422 error = EINVAL; 1423 break; 1424 } 1425 rtid = *mtod(m, u_int *); 1426 /* table must exist and be a domain */ 1427 if (!rtable_exists(rtid) || rtid != rtable_l2(rtid)) { 1428 error = EINVAL; 1429 break; 1430 } 1431 inp->inp_rdomain = rtid; 1432 break; 1433 default: 1434 error = ENOPROTOOPT; 1435 break; 1436 } 1437 if (m) 1438 (void)m_free(m); 1439 break; 1440 1441 case PRCO_GETOPT: 1442 switch (optname) { 1443 case IP_OPTIONS: 1444 case IP_RETOPTS: 1445 *mp = m = m_get(M_WAIT, MT_SOOPTS); 1446 if (inp->inp_options) { 1447 m->m_len = inp->inp_options->m_len; 1448 bcopy(mtod(inp->inp_options, caddr_t), 1449 mtod(m, caddr_t), (unsigned)m->m_len); 1450 } else 1451 m->m_len = 0; 1452 break; 1453 1454 case IP_TOS: 1455 case IP_TTL: 1456 case IP_MINTTL: 1457 case IP_RECVOPTS: 1458 case IP_RECVRETOPTS: 1459 case IP_RECVDSTADDR: 1460 case IP_RECVIF: 1461 case IP_RECVTTL: 1462 case IP_RECVDSTPORT: 1463 *mp = m = m_get(M_WAIT, MT_SOOPTS); 1464 m->m_len = sizeof(int); 1465 switch (optname) { 1466 1467 case IP_TOS: 1468 optval = inp->inp_ip.ip_tos; 1469 break; 1470 1471 case IP_TTL: 1472 optval = inp->inp_ip.ip_ttl; 1473 break; 1474 1475 case IP_MINTTL: 1476 optval = inp->inp_ip_minttl; 1477 break; 1478 1479 #define OPTBIT(bit) (inp->inp_flags & bit ? 1 : 0) 1480 1481 case IP_RECVOPTS: 1482 optval = OPTBIT(INP_RECVOPTS); 1483 break; 1484 1485 case IP_RECVRETOPTS: 1486 optval = OPTBIT(INP_RECVRETOPTS); 1487 break; 1488 1489 case IP_RECVDSTADDR: 1490 optval = OPTBIT(INP_RECVDSTADDR); 1491 break; 1492 case IP_RECVIF: 1493 optval = OPTBIT(INP_RECVIF); 1494 break; 1495 case IP_RECVTTL: 1496 optval = OPTBIT(INP_RECVTTL); 1497 break; 1498 case IP_RECVDSTPORT: 1499 optval = OPTBIT(INP_RECVDSTPORT); 1500 break; 1501 } 1502 *mtod(m, int *) = optval; 1503 break; 1504 1505 case IP_MULTICAST_IF: 1506 case IP_MULTICAST_TTL: 1507 case IP_MULTICAST_LOOP: 1508 case IP_ADD_MEMBERSHIP: 1509 case IP_DROP_MEMBERSHIP: 1510 error = ip_getmoptions(optname, inp->inp_moptions, mp); 1511 break; 1512 1513 case IP_PORTRANGE: 1514 *mp = m = m_get(M_WAIT, MT_SOOPTS); 1515 m->m_len = sizeof(int); 1516 1517 if (inp->inp_flags & INP_HIGHPORT) 1518 optval = IP_PORTRANGE_HIGH; 1519 else if (inp->inp_flags & INP_LOWPORT) 1520 optval = IP_PORTRANGE_LOW; 1521 else 1522 optval = 0; 1523 1524 *mtod(m, int *) = optval; 1525 break; 1526 1527 case IP_AUTH_LEVEL: 1528 case IP_ESP_TRANS_LEVEL: 1529 case IP_ESP_NETWORK_LEVEL: 1530 case IP_IPCOMP_LEVEL: 1531 *mp = m = m_get(M_WAIT, MT_SOOPTS); 1532 #ifndef IPSEC 1533 m->m_len = sizeof(int); 1534 *mtod(m, int *) = IPSEC_LEVEL_NONE; 1535 #else 1536 m->m_len = sizeof(int); 1537 switch (optname) { 1538 case IP_AUTH_LEVEL: 1539 optval = inp->inp_seclevel[SL_AUTH]; 1540 break; 1541 1542 case IP_ESP_TRANS_LEVEL: 1543 optval = inp->inp_seclevel[SL_ESP_TRANS]; 1544 break; 1545 1546 case IP_ESP_NETWORK_LEVEL: 1547 optval = inp->inp_seclevel[SL_ESP_NETWORK]; 1548 break; 1549 case IP_IPCOMP_LEVEL: 1550 optval = inp->inp_seclevel[SL_IPCOMP]; 1551 break; 1552 } 1553 *mtod(m, int *) = optval; 1554 #endif 1555 break; 1556 case IP_IPSEC_LOCAL_ID: 1557 case IP_IPSEC_REMOTE_ID: 1558 case IP_IPSEC_LOCAL_CRED: 1559 case IP_IPSEC_REMOTE_CRED: 1560 case IP_IPSEC_LOCAL_AUTH: 1561 case IP_IPSEC_REMOTE_AUTH: 1562 #ifndef IPSEC 1563 error = EOPNOTSUPP; 1564 #else 1565 *mp = m = m_get(M_WAIT, MT_SOOPTS); 1566 m->m_len = sizeof(u_int16_t); 1567 ipr = NULL; 1568 switch (optname) { 1569 case IP_IPSEC_LOCAL_ID: 1570 if (inp->inp_ipo != NULL) 1571 ipr = inp->inp_ipo->ipo_srcid; 1572 opt16val = IPSP_IDENTITY_NONE; 1573 break; 1574 case IP_IPSEC_REMOTE_ID: 1575 if (inp->inp_ipo != NULL) 1576 ipr = inp->inp_ipo->ipo_dstid; 1577 opt16val = IPSP_IDENTITY_NONE; 1578 break; 1579 case IP_IPSEC_LOCAL_CRED: 1580 if (inp->inp_ipo != NULL) 1581 ipr = inp->inp_ipo->ipo_local_cred; 1582 opt16val = IPSP_CRED_NONE; 1583 break; 1584 case IP_IPSEC_REMOTE_CRED: 1585 ipr = inp->inp_ipsec_remotecred; 1586 opt16val = IPSP_CRED_NONE; 1587 break; 1588 case IP_IPSEC_LOCAL_AUTH: 1589 if (inp->inp_ipo != NULL) 1590 ipr = inp->inp_ipo->ipo_local_auth; 1591 break; 1592 case IP_IPSEC_REMOTE_AUTH: 1593 ipr = inp->inp_ipsec_remoteauth; 1594 break; 1595 } 1596 if (ipr == NULL) 1597 *mtod(m, u_int16_t *) = opt16val; 1598 else { 1599 size_t len; 1600 1601 len = m->m_len + ipr->ref_len; 1602 if (len > MCLBYTES) { 1603 m_free(m); 1604 error = EINVAL; 1605 break; 1606 } 1607 /* allocate mbuf cluster for larger option */ 1608 if (len > MLEN) { 1609 MCLGET(m, M_WAITOK); 1610 if ((m->m_flags & M_EXT) == 0) { 1611 m_free(m); 1612 error = ENOBUFS; 1613 break; 1614 } 1615 1616 } 1617 m->m_len = len; 1618 *mtod(m, u_int16_t *) = ipr->ref_type; 1619 m_copyback(m, sizeof(u_int16_t), ipr->ref_len, 1620 ipr + 1); 1621 } 1622 #endif 1623 break; 1624 case SO_RDOMAIN: 1625 *mp = m = m_get(M_WAIT, MT_SOOPTS); 1626 m->m_len = sizeof(u_int); 1627 *mtod(m, u_int *) = inp->inp_rdomain; 1628 break; 1629 default: 1630 error = ENOPROTOOPT; 1631 break; 1632 } 1633 break; 1634 } 1635 return (error); 1636 } 1637 1638 /* 1639 * Set up IP options in pcb for insertion in output packets. 1640 * Store in mbuf with pointer in pcbopt, adding pseudo-option 1641 * with destination address if source routed. 1642 */ 1643 int 1644 #ifdef notyet 1645 ip_pcbopts(optname, pcbopt, m) 1646 int optname; 1647 #else 1648 ip_pcbopts(pcbopt, m) 1649 #endif 1650 struct mbuf **pcbopt; 1651 struct mbuf *m; 1652 { 1653 int cnt, optlen; 1654 u_char *cp; 1655 u_char opt; 1656 1657 /* turn off any old options */ 1658 if (*pcbopt) 1659 (void)m_free(*pcbopt); 1660 *pcbopt = 0; 1661 if (m == (struct mbuf *)0 || m->m_len == 0) { 1662 /* 1663 * Only turning off any previous options. 1664 */ 1665 if (m) 1666 (void)m_free(m); 1667 return (0); 1668 } 1669 1670 if (m->m_len % sizeof(int32_t)) 1671 goto bad; 1672 1673 /* 1674 * IP first-hop destination address will be stored before 1675 * actual options; move other options back 1676 * and clear it when none present. 1677 */ 1678 if (m->m_data + m->m_len + sizeof(struct in_addr) >= &m->m_dat[MLEN]) 1679 goto bad; 1680 cnt = m->m_len; 1681 m->m_len += sizeof(struct in_addr); 1682 cp = mtod(m, u_char *) + sizeof(struct in_addr); 1683 ovbcopy(mtod(m, caddr_t), (caddr_t)cp, (unsigned)cnt); 1684 bzero(mtod(m, caddr_t), sizeof(struct in_addr)); 1685 1686 for (; cnt > 0; cnt -= optlen, cp += optlen) { 1687 opt = cp[IPOPT_OPTVAL]; 1688 if (opt == IPOPT_EOL) 1689 break; 1690 if (opt == IPOPT_NOP) 1691 optlen = 1; 1692 else { 1693 if (cnt < IPOPT_OLEN + sizeof(*cp)) 1694 goto bad; 1695 optlen = cp[IPOPT_OLEN]; 1696 if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) 1697 goto bad; 1698 } 1699 switch (opt) { 1700 1701 default: 1702 break; 1703 1704 case IPOPT_LSRR: 1705 case IPOPT_SSRR: 1706 /* 1707 * user process specifies route as: 1708 * ->A->B->C->D 1709 * D must be our final destination (but we can't 1710 * check that since we may not have connected yet). 1711 * A is first hop destination, which doesn't appear in 1712 * actual IP option, but is stored before the options. 1713 */ 1714 if (optlen < IPOPT_MINOFF - 1 + sizeof(struct in_addr)) 1715 goto bad; 1716 m->m_len -= sizeof(struct in_addr); 1717 cnt -= sizeof(struct in_addr); 1718 optlen -= sizeof(struct in_addr); 1719 cp[IPOPT_OLEN] = optlen; 1720 /* 1721 * Move first hop before start of options. 1722 */ 1723 bcopy((caddr_t)&cp[IPOPT_OFFSET+1], mtod(m, caddr_t), 1724 sizeof(struct in_addr)); 1725 /* 1726 * Then copy rest of options back 1727 * to close up the deleted entry. 1728 */ 1729 ovbcopy((caddr_t)(&cp[IPOPT_OFFSET+1] + 1730 sizeof(struct in_addr)), 1731 (caddr_t)&cp[IPOPT_OFFSET+1], 1732 (unsigned)cnt - (IPOPT_OFFSET+1)); 1733 break; 1734 } 1735 } 1736 if (m->m_len > MAX_IPOPTLEN + sizeof(struct in_addr)) 1737 goto bad; 1738 *pcbopt = m; 1739 return (0); 1740 1741 bad: 1742 (void)m_free(m); 1743 return (EINVAL); 1744 } 1745 1746 /* 1747 * Set the IP multicast options in response to user setsockopt(). 1748 */ 1749 int 1750 ip_setmoptions(int optname, struct ip_moptions **imop, struct mbuf *m, 1751 u_int rdomain) 1752 { 1753 int error = 0; 1754 u_char loop; 1755 int i; 1756 struct in_addr addr; 1757 struct ip_mreq *mreq; 1758 struct ifnet *ifp; 1759 struct ip_moptions *imo = *imop; 1760 struct in_multi **immp; 1761 struct route ro; 1762 struct sockaddr_in *dst; 1763 1764 if (imo == NULL) { 1765 /* 1766 * No multicast option buffer attached to the pcb; 1767 * allocate one and initialize to default values. 1768 */ 1769 imo = (struct ip_moptions *)malloc(sizeof(*imo), M_IPMOPTS, 1770 M_WAITOK|M_ZERO); 1771 immp = (struct in_multi **)malloc( 1772 (sizeof(*immp) * IP_MIN_MEMBERSHIPS), M_IPMOPTS, 1773 M_WAITOK|M_ZERO); 1774 *imop = imo; 1775 imo->imo_multicast_ifp = NULL; 1776 imo->imo_multicast_ttl = IP_DEFAULT_MULTICAST_TTL; 1777 imo->imo_multicast_loop = IP_DEFAULT_MULTICAST_LOOP; 1778 imo->imo_num_memberships = 0; 1779 imo->imo_max_memberships = IP_MIN_MEMBERSHIPS; 1780 imo->imo_membership = immp; 1781 } 1782 1783 switch (optname) { 1784 1785 case IP_MULTICAST_IF: 1786 /* 1787 * Select the interface for outgoing multicast packets. 1788 */ 1789 if (m == NULL || m->m_len != sizeof(struct in_addr)) { 1790 error = EINVAL; 1791 break; 1792 } 1793 addr = *(mtod(m, struct in_addr *)); 1794 /* 1795 * INADDR_ANY is used to remove a previous selection. 1796 * When no interface is selected, a default one is 1797 * chosen every time a multicast packet is sent. 1798 */ 1799 if (addr.s_addr == INADDR_ANY) { 1800 imo->imo_multicast_ifp = NULL; 1801 break; 1802 } 1803 /* 1804 * The selected interface is identified by its local 1805 * IP address. Find the interface and confirm that 1806 * it supports multicasting. 1807 */ 1808 INADDR_TO_IFP(addr, ifp, rdomain); 1809 if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0) { 1810 error = EADDRNOTAVAIL; 1811 break; 1812 } 1813 imo->imo_multicast_ifp = ifp; 1814 break; 1815 1816 case IP_MULTICAST_TTL: 1817 /* 1818 * Set the IP time-to-live for outgoing multicast packets. 1819 */ 1820 if (m == NULL || m->m_len != 1) { 1821 error = EINVAL; 1822 break; 1823 } 1824 imo->imo_multicast_ttl = *(mtod(m, u_char *)); 1825 break; 1826 1827 case IP_MULTICAST_LOOP: 1828 /* 1829 * Set the loopback flag for outgoing multicast packets. 1830 * Must be zero or one. 1831 */ 1832 if (m == NULL || m->m_len != 1 || 1833 (loop = *(mtod(m, u_char *))) > 1) { 1834 error = EINVAL; 1835 break; 1836 } 1837 imo->imo_multicast_loop = loop; 1838 break; 1839 1840 case IP_ADD_MEMBERSHIP: 1841 /* 1842 * Add a multicast group membership. 1843 * Group must be a valid IP multicast address. 1844 */ 1845 if (m == NULL || m->m_len != sizeof(struct ip_mreq)) { 1846 error = EINVAL; 1847 break; 1848 } 1849 mreq = mtod(m, struct ip_mreq *); 1850 if (!IN_MULTICAST(mreq->imr_multiaddr.s_addr)) { 1851 error = EINVAL; 1852 break; 1853 } 1854 /* 1855 * If no interface address was provided, use the interface of 1856 * the route to the given multicast address. 1857 */ 1858 if (mreq->imr_interface.s_addr == INADDR_ANY) { 1859 ro.ro_rt = NULL; 1860 dst = satosin(&ro.ro_dst); 1861 dst->sin_len = sizeof(*dst); 1862 dst->sin_family = AF_INET; 1863 dst->sin_addr = mreq->imr_multiaddr; 1864 if (!(ro.ro_rt && ro.ro_rt->rt_ifp && 1865 (ro.ro_rt->rt_flags & RTF_UP))) 1866 ro.ro_rt = rtalloc1(&ro.ro_dst, 1, rdomain); 1867 if (ro.ro_rt == NULL) { 1868 error = EADDRNOTAVAIL; 1869 break; 1870 } 1871 ifp = ro.ro_rt->rt_ifp; 1872 rtfree(ro.ro_rt); 1873 } else { 1874 INADDR_TO_IFP(mreq->imr_interface, ifp, rdomain); 1875 } 1876 /* 1877 * See if we found an interface, and confirm that it 1878 * supports multicast. 1879 */ 1880 if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0) { 1881 error = EADDRNOTAVAIL; 1882 break; 1883 } 1884 /* 1885 * See if the membership already exists or if all the 1886 * membership slots are full. 1887 */ 1888 for (i = 0; i < imo->imo_num_memberships; ++i) { 1889 if (imo->imo_membership[i]->inm_ia->ia_ifp == ifp && 1890 imo->imo_membership[i]->inm_addr.s_addr 1891 == mreq->imr_multiaddr.s_addr) 1892 break; 1893 } 1894 if (i < imo->imo_num_memberships) { 1895 error = EADDRINUSE; 1896 break; 1897 } 1898 if (imo->imo_num_memberships == imo->imo_max_memberships) { 1899 struct in_multi **nmships, **omships; 1900 size_t newmax; 1901 /* 1902 * Resize the vector to next power-of-two minus 1. If the 1903 * size would exceed the maximum then we know we've really 1904 * run out of entries. Otherwise, we reallocate the vector. 1905 */ 1906 nmships = NULL; 1907 omships = imo->imo_membership; 1908 newmax = ((imo->imo_max_memberships + 1) * 2) - 1; 1909 if (newmax <= IP_MAX_MEMBERSHIPS) { 1910 nmships = (struct in_multi **)malloc( 1911 sizeof(*nmships) * newmax, M_IPMOPTS, 1912 M_NOWAIT|M_ZERO); 1913 if (nmships != NULL) { 1914 bcopy(omships, nmships, 1915 sizeof(*omships) * 1916 imo->imo_max_memberships); 1917 free(omships, M_IPMOPTS); 1918 imo->imo_membership = nmships; 1919 imo->imo_max_memberships = newmax; 1920 } 1921 } 1922 if (nmships == NULL) { 1923 error = ETOOMANYREFS; 1924 break; 1925 } 1926 } 1927 /* 1928 * Everything looks good; add a new record to the multicast 1929 * address list for the given interface. 1930 */ 1931 if ((imo->imo_membership[i] = 1932 in_addmulti(&mreq->imr_multiaddr, ifp)) == NULL) { 1933 error = ENOBUFS; 1934 break; 1935 } 1936 ++imo->imo_num_memberships; 1937 break; 1938 1939 case IP_DROP_MEMBERSHIP: 1940 /* 1941 * Drop a multicast group membership. 1942 * Group must be a valid IP multicast address. 1943 */ 1944 if (m == NULL || m->m_len != sizeof(struct ip_mreq)) { 1945 error = EINVAL; 1946 break; 1947 } 1948 mreq = mtod(m, struct ip_mreq *); 1949 if (!IN_MULTICAST(mreq->imr_multiaddr.s_addr)) { 1950 error = EINVAL; 1951 break; 1952 } 1953 /* 1954 * If an interface address was specified, get a pointer 1955 * to its ifnet structure. 1956 */ 1957 if (mreq->imr_interface.s_addr == INADDR_ANY) 1958 ifp = NULL; 1959 else { 1960 INADDR_TO_IFP(mreq->imr_interface, ifp, rdomain); 1961 if (ifp == NULL) { 1962 error = EADDRNOTAVAIL; 1963 break; 1964 } 1965 } 1966 /* 1967 * Find the membership in the membership array. 1968 */ 1969 for (i = 0; i < imo->imo_num_memberships; ++i) { 1970 if ((ifp == NULL || 1971 imo->imo_membership[i]->inm_ia->ia_ifp == ifp) && 1972 imo->imo_membership[i]->inm_addr.s_addr == 1973 mreq->imr_multiaddr.s_addr) 1974 break; 1975 } 1976 if (i == imo->imo_num_memberships) { 1977 error = EADDRNOTAVAIL; 1978 break; 1979 } 1980 /* 1981 * Give up the multicast address record to which the 1982 * membership points. 1983 */ 1984 in_delmulti(imo->imo_membership[i]); 1985 /* 1986 * Remove the gap in the membership array. 1987 */ 1988 for (++i; i < imo->imo_num_memberships; ++i) 1989 imo->imo_membership[i-1] = imo->imo_membership[i]; 1990 --imo->imo_num_memberships; 1991 break; 1992 1993 default: 1994 error = EOPNOTSUPP; 1995 break; 1996 } 1997 1998 /* 1999 * If all options have default values, no need to keep the data. 2000 */ 2001 if (imo->imo_multicast_ifp == NULL && 2002 imo->imo_multicast_ttl == IP_DEFAULT_MULTICAST_TTL && 2003 imo->imo_multicast_loop == IP_DEFAULT_MULTICAST_LOOP && 2004 imo->imo_num_memberships == 0) { 2005 free(imo->imo_membership , M_IPMOPTS); 2006 free(*imop, M_IPMOPTS); 2007 *imop = NULL; 2008 } 2009 2010 return (error); 2011 } 2012 2013 /* 2014 * Return the IP multicast options in response to user getsockopt(). 2015 */ 2016 int 2017 ip_getmoptions(optname, imo, mp) 2018 int optname; 2019 struct ip_moptions *imo; 2020 struct mbuf **mp; 2021 { 2022 u_char *ttl; 2023 u_char *loop; 2024 struct in_addr *addr; 2025 struct in_ifaddr *ia; 2026 2027 *mp = m_get(M_WAIT, MT_SOOPTS); 2028 2029 switch (optname) { 2030 2031 case IP_MULTICAST_IF: 2032 addr = mtod(*mp, struct in_addr *); 2033 (*mp)->m_len = sizeof(struct in_addr); 2034 if (imo == NULL || imo->imo_multicast_ifp == NULL) 2035 addr->s_addr = INADDR_ANY; 2036 else { 2037 IFP_TO_IA(imo->imo_multicast_ifp, ia); 2038 addr->s_addr = (ia == NULL) ? INADDR_ANY 2039 : ia->ia_addr.sin_addr.s_addr; 2040 } 2041 return (0); 2042 2043 case IP_MULTICAST_TTL: 2044 ttl = mtod(*mp, u_char *); 2045 (*mp)->m_len = 1; 2046 *ttl = (imo == NULL) ? IP_DEFAULT_MULTICAST_TTL 2047 : imo->imo_multicast_ttl; 2048 return (0); 2049 2050 case IP_MULTICAST_LOOP: 2051 loop = mtod(*mp, u_char *); 2052 (*mp)->m_len = 1; 2053 *loop = (imo == NULL) ? IP_DEFAULT_MULTICAST_LOOP 2054 : imo->imo_multicast_loop; 2055 return (0); 2056 2057 default: 2058 return (EOPNOTSUPP); 2059 } 2060 } 2061 2062 /* 2063 * Discard the IP multicast options. 2064 */ 2065 void 2066 ip_freemoptions(imo) 2067 struct ip_moptions *imo; 2068 { 2069 int i; 2070 2071 if (imo != NULL) { 2072 for (i = 0; i < imo->imo_num_memberships; ++i) 2073 in_delmulti(imo->imo_membership[i]); 2074 free(imo->imo_membership, M_IPMOPTS); 2075 free(imo, M_IPMOPTS); 2076 } 2077 } 2078 2079 /* 2080 * Routine called from ip_output() to loop back a copy of an IP multicast 2081 * packet to the input queue of a specified interface. Note that this 2082 * calls the output routine of the loopback "driver", but with an interface 2083 * pointer that might NOT be &loif -- easier than replicating that code here. 2084 */ 2085 void 2086 ip_mloopback(ifp, m, dst) 2087 struct ifnet *ifp; 2088 struct mbuf *m; 2089 struct sockaddr_in *dst; 2090 { 2091 struct ip *ip; 2092 struct mbuf *copym; 2093 2094 copym = m_copym2(m, 0, M_COPYALL, M_DONTWAIT); 2095 if (copym != NULL) { 2096 /* 2097 * We don't bother to fragment if the IP length is greater 2098 * than the interface's MTU. Can this possibly matter? 2099 */ 2100 ip = mtod(copym, struct ip *); 2101 ip->ip_sum = 0; 2102 ip->ip_sum = in_cksum(copym, ip->ip_hl << 2); 2103 (void) looutput(ifp, copym, sintosa(dst), NULL); 2104 } 2105 } 2106 2107 /* 2108 * Process a delayed payload checksum calculation. 2109 */ 2110 void 2111 in_delayed_cksum(struct mbuf *m) 2112 { 2113 struct ip *ip; 2114 u_int16_t csum, offset; 2115 2116 ip = mtod(m, struct ip *); 2117 offset = ip->ip_hl << 2; 2118 csum = in4_cksum(m, 0, offset, m->m_pkthdr.len - offset); 2119 if (csum == 0 && ip->ip_p == IPPROTO_UDP) 2120 csum = 0xffff; 2121 2122 switch (ip->ip_p) { 2123 case IPPROTO_TCP: 2124 offset += offsetof(struct tcphdr, th_sum); 2125 break; 2126 2127 case IPPROTO_UDP: 2128 offset += offsetof(struct udphdr, uh_sum); 2129 break; 2130 2131 default: 2132 return; 2133 } 2134 2135 if ((offset + sizeof(u_int16_t)) > m->m_len) 2136 m_copyback(m, offset, sizeof(csum), &csum); 2137 else 2138 *(u_int16_t *)(mtod(m, caddr_t) + offset) = csum; 2139 } 2140