1 /* $OpenBSD: ip_output.c,v 1.193 2009/01/30 20:46:33 claudio Exp $ */ 2 /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ 3 4 /* 5 * Copyright (c) 1982, 1986, 1988, 1990, 1993 6 * The Regents of the University of California. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the University nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 * 32 * @(#)ip_output.c 8.3 (Berkeley) 1/21/94 33 */ 34 35 #include "pf.h" 36 37 #include <sys/param.h> 38 #include <sys/systm.h> 39 #include <sys/mbuf.h> 40 #include <sys/protosw.h> 41 #include <sys/socket.h> 42 #include <sys/socketvar.h> 43 #include <sys/proc.h> 44 #include <sys/kernel.h> 45 46 #include <net/if.h> 47 #include <net/if_enc.h> 48 #include <net/route.h> 49 50 #include <netinet/in.h> 51 #include <netinet/in_systm.h> 52 #include <netinet/ip.h> 53 #include <netinet/in_pcb.h> 54 #include <netinet/in_var.h> 55 #include <netinet/ip_var.h> 56 #include <netinet/ip_icmp.h> 57 #include <netinet/tcp.h> 58 #include <netinet/udp.h> 59 #include <netinet/tcp_timer.h> 60 #include <netinet/tcp_var.h> 61 #include <netinet/udp_var.h> 62 63 #if NPF > 0 64 #include <net/pfvar.h> 65 #endif 66 67 #ifdef IPSEC 68 #ifdef ENCDEBUG 69 #define DPRINTF(x) do { if (encdebug) printf x ; } while (0) 70 #else 71 #define DPRINTF(x) 72 #endif 73 74 extern u_int8_t get_sa_require(struct inpcb *); 75 76 extern int ipsec_auth_default_level; 77 extern int ipsec_esp_trans_default_level; 78 extern int ipsec_esp_network_default_level; 79 extern int ipsec_ipcomp_default_level; 80 extern int ipforwarding; 81 #endif /* IPSEC */ 82 83 #ifdef MROUTING 84 extern int ipmforwarding; 85 #endif 86 87 struct mbuf *ip_insertoptions(struct mbuf *, struct mbuf *, int *); 88 void ip_mloopback(struct ifnet *, struct mbuf *, struct sockaddr_in *); 89 90 /* 91 * IP output. The packet in mbuf chain m contains a skeletal IP 92 * header (with len, off, ttl, proto, tos, src, dst). 93 * The mbuf chain containing the packet will be freed. 94 * The mbuf opt, if present, will not be freed. 95 */ 96 int 97 ip_output(struct mbuf *m0, ...) 98 { 99 struct ip *ip; 100 struct ifnet *ifp; 101 struct mbuf *m = m0; 102 int hlen = sizeof (struct ip); 103 int len, error = 0; 104 struct route iproute; 105 struct sockaddr_in *dst; 106 struct in_ifaddr *ia; 107 struct mbuf *opt; 108 struct route *ro; 109 int flags; 110 struct ip_moptions *imo; 111 va_list ap; 112 u_int8_t sproto = 0, donerouting = 0; 113 u_long mtu; 114 #ifdef IPSEC 115 u_int32_t icmp_mtu = 0; 116 union sockaddr_union sdst; 117 u_int32_t sspi; 118 struct m_tag *mtag; 119 struct tdb_ident *tdbi; 120 121 struct inpcb *inp; 122 struct tdb *tdb; 123 int s; 124 #endif /* IPSEC */ 125 126 va_start(ap, m0); 127 opt = va_arg(ap, struct mbuf *); 128 ro = va_arg(ap, struct route *); 129 flags = va_arg(ap, int); 130 imo = va_arg(ap, struct ip_moptions *); 131 #ifdef IPSEC 132 inp = va_arg(ap, struct inpcb *); 133 if (inp && (inp->inp_flags & INP_IPV6) != 0) 134 panic("ip_output: IPv6 pcb is passed"); 135 #endif /* IPSEC */ 136 va_end(ap); 137 138 #ifdef DIAGNOSTIC 139 if ((m->m_flags & M_PKTHDR) == 0) 140 panic("ip_output no HDR"); 141 #endif 142 if (opt) { 143 m = ip_insertoptions(m, opt, &len); 144 hlen = len; 145 } 146 147 ip = mtod(m, struct ip *); 148 149 /* 150 * Fill in IP header. 151 */ 152 if ((flags & (IP_FORWARDING|IP_RAWOUTPUT)) == 0) { 153 ip->ip_v = IPVERSION; 154 ip->ip_off &= htons(IP_DF); 155 ip->ip_id = htons(ip_randomid()); 156 ip->ip_hl = hlen >> 2; 157 ipstat.ips_localout++; 158 } else { 159 hlen = ip->ip_hl << 2; 160 } 161 162 /* 163 * If we're missing the IP source address, do a route lookup. We'll 164 * remember this result, in case we don't need to do any IPsec 165 * processing on the packet. We need the source address so we can 166 * do an SPD lookup in IPsec; for most packets, the source address 167 * is set at a higher level protocol. ICMPs and other packets 168 * though (e.g., traceroute) have a source address of zeroes. 169 */ 170 if (ip->ip_src.s_addr == INADDR_ANY) { 171 if (flags & IP_ROUTETOETHER) { 172 error = EINVAL; 173 goto bad; 174 } 175 donerouting = 1; 176 177 if (ro == 0) { 178 ro = &iproute; 179 bzero((caddr_t)ro, sizeof (*ro)); 180 } 181 182 dst = satosin(&ro->ro_dst); 183 184 /* 185 * If there is a cached route, check that it is to the same 186 * destination and is still up. If not, free it and try again. 187 */ 188 if (ro->ro_rt && ((ro->ro_rt->rt_flags & RTF_UP) == 0 || 189 dst->sin_addr.s_addr != ip->ip_dst.s_addr)) { 190 RTFREE(ro->ro_rt); 191 ro->ro_rt = (struct rtentry *)0; 192 } 193 194 if (ro->ro_rt == 0) { 195 dst->sin_family = AF_INET; 196 dst->sin_len = sizeof(*dst); 197 dst->sin_addr = ip->ip_dst; 198 } 199 200 /* 201 * If routing to interface only, short-circuit routing lookup. 202 */ 203 if (flags & IP_ROUTETOIF) { 204 if ((ia = ifatoia(ifa_ifwithdstaddr(sintosa(dst)))) == 0 && 205 (ia = ifatoia(ifa_ifwithnet(sintosa(dst)))) == 0) { 206 ipstat.ips_noroute++; 207 error = ENETUNREACH; 208 goto bad; 209 } 210 211 ifp = ia->ia_ifp; 212 mtu = ifp->if_mtu; 213 ip->ip_ttl = 1; 214 } else if ((IN_MULTICAST(ip->ip_dst.s_addr) || 215 (ip->ip_dst.s_addr == INADDR_BROADCAST)) && 216 imo != NULL && imo->imo_multicast_ifp != NULL) { 217 ifp = imo->imo_multicast_ifp; 218 mtu = ifp->if_mtu; 219 IFP_TO_IA(ifp, ia); 220 } else { 221 if (ro->ro_rt == 0) 222 rtalloc_mpath(ro, NULL, 0); 223 224 if (ro->ro_rt == 0) { 225 ipstat.ips_noroute++; 226 error = EHOSTUNREACH; 227 goto bad; 228 } 229 230 ia = ifatoia(ro->ro_rt->rt_ifa); 231 ifp = ro->ro_rt->rt_ifp; 232 if ((mtu = ro->ro_rt->rt_rmx.rmx_mtu) == 0) 233 mtu = ifp->if_mtu; 234 ro->ro_rt->rt_use++; 235 236 if (ro->ro_rt->rt_flags & RTF_GATEWAY) 237 dst = satosin(ro->ro_rt->rt_gateway); 238 } 239 240 /* Set the source IP address */ 241 if (!IN_MULTICAST(ip->ip_dst.s_addr)) 242 ip->ip_src = ia->ia_addr.sin_addr; 243 } 244 245 #ifdef IPSEC 246 if (!ipsec_in_use && inp == NULL) 247 goto done_spd; 248 249 /* 250 * splnet is chosen over spltdb because we are not allowed to 251 * lower the level, and udp_output calls us in splnet(). 252 */ 253 s = splnet(); 254 255 /* Do we have any pending SAs to apply ? */ 256 mtag = m_tag_find(m, PACKET_TAG_IPSEC_PENDING_TDB, NULL); 257 if (mtag != NULL) { 258 #ifdef DIAGNOSTIC 259 if (mtag->m_tag_len != sizeof (struct tdb_ident)) 260 panic("ip_output: tag of length %d (should be %d", 261 mtag->m_tag_len, sizeof (struct tdb_ident)); 262 #endif 263 tdbi = (struct tdb_ident *)(mtag + 1); 264 tdb = gettdb(tdbi->spi, &tdbi->dst, tdbi->proto); 265 if (tdb == NULL) 266 error = -EINVAL; 267 m_tag_delete(m, mtag); 268 } 269 else 270 tdb = ipsp_spd_lookup(m, AF_INET, hlen, &error, 271 IPSP_DIRECTION_OUT, NULL, inp); 272 273 if (tdb == NULL) { 274 splx(s); 275 276 if (error == 0) { 277 /* 278 * No IPsec processing required, we'll just send the 279 * packet out. 280 */ 281 sproto = 0; 282 283 /* Fall through to routing/multicast handling */ 284 } else { 285 /* 286 * -EINVAL is used to indicate that the packet should 287 * be silently dropped, typically because we've asked 288 * key management for an SA. 289 */ 290 if (error == -EINVAL) /* Should silently drop packet */ 291 error = 0; 292 293 m_freem(m); 294 goto done; 295 } 296 } else { 297 /* Loop detection */ 298 for (mtag = m_tag_first(m); mtag != NULL; 299 mtag = m_tag_next(m, mtag)) { 300 if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE && 301 mtag->m_tag_id != 302 PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED) 303 continue; 304 tdbi = (struct tdb_ident *)(mtag + 1); 305 if (tdbi->spi == tdb->tdb_spi && 306 tdbi->proto == tdb->tdb_sproto && 307 !bcmp(&tdbi->dst, &tdb->tdb_dst, 308 sizeof(union sockaddr_union))) { 309 splx(s); 310 sproto = 0; /* mark as no-IPsec-needed */ 311 goto done_spd; 312 } 313 } 314 315 /* We need to do IPsec */ 316 bcopy(&tdb->tdb_dst, &sdst, sizeof(sdst)); 317 sspi = tdb->tdb_spi; 318 sproto = tdb->tdb_sproto; 319 splx(s); 320 321 /* 322 * If it needs TCP/UDP hardware-checksumming, do the 323 * computation now. 324 */ 325 if (m->m_pkthdr.csum_flags & (M_TCPV4_CSUM_OUT | M_UDPV4_CSUM_OUT)) { 326 in_delayed_cksum(m); 327 m->m_pkthdr.csum_flags &= 328 ~(M_UDPV4_CSUM_OUT | M_TCPV4_CSUM_OUT); 329 } 330 331 /* If it's not a multicast packet, try to fast-path */ 332 if (!IN_MULTICAST(ip->ip_dst.s_addr)) { 333 goto sendit; 334 } 335 } 336 337 /* Fall through to the routing/multicast handling code */ 338 done_spd: 339 #endif /* IPSEC */ 340 341 if (flags & IP_ROUTETOETHER) { 342 dst = satosin(&ro->ro_dst); 343 ifp = ro->ro_rt->rt_ifp; 344 mtu = ifp->if_mtu; 345 ro->ro_rt = NULL; 346 } else if (donerouting == 0) { 347 if (ro == 0) { 348 ro = &iproute; 349 bzero((caddr_t)ro, sizeof (*ro)); 350 } 351 352 dst = satosin(&ro->ro_dst); 353 354 /* 355 * If there is a cached route, check that it is to the same 356 * destination and is still up. If not, free it and try again. 357 */ 358 if (ro->ro_rt && ((ro->ro_rt->rt_flags & RTF_UP) == 0 || 359 dst->sin_addr.s_addr != ip->ip_dst.s_addr)) { 360 RTFREE(ro->ro_rt); 361 ro->ro_rt = (struct rtentry *)0; 362 } 363 364 if (ro->ro_rt == 0) { 365 dst->sin_family = AF_INET; 366 dst->sin_len = sizeof(*dst); 367 dst->sin_addr = ip->ip_dst; 368 } 369 370 /* 371 * If routing to interface only, short-circuit routing lookup. 372 */ 373 if (flags & IP_ROUTETOIF) { 374 if ((ia = ifatoia(ifa_ifwithdstaddr(sintosa(dst)))) == 0 && 375 (ia = ifatoia(ifa_ifwithnet(sintosa(dst)))) == 0) { 376 ipstat.ips_noroute++; 377 error = ENETUNREACH; 378 goto bad; 379 } 380 381 ifp = ia->ia_ifp; 382 mtu = ifp->if_mtu; 383 ip->ip_ttl = 1; 384 } else if ((IN_MULTICAST(ip->ip_dst.s_addr) || 385 (ip->ip_dst.s_addr == INADDR_BROADCAST)) && 386 imo != NULL && imo->imo_multicast_ifp != NULL) { 387 ifp = imo->imo_multicast_ifp; 388 mtu = ifp->if_mtu; 389 IFP_TO_IA(ifp, ia); 390 } else { 391 if (ro->ro_rt == 0) 392 rtalloc_mpath(ro, &ip->ip_src.s_addr, 0); 393 394 if (ro->ro_rt == 0) { 395 ipstat.ips_noroute++; 396 error = EHOSTUNREACH; 397 goto bad; 398 } 399 400 ia = ifatoia(ro->ro_rt->rt_ifa); 401 ifp = ro->ro_rt->rt_ifp; 402 if ((mtu = ro->ro_rt->rt_rmx.rmx_mtu) == 0) 403 mtu = ifp->if_mtu; 404 ro->ro_rt->rt_use++; 405 406 if (ro->ro_rt->rt_flags & RTF_GATEWAY) 407 dst = satosin(ro->ro_rt->rt_gateway); 408 } 409 410 /* Set the source IP address */ 411 if (ip->ip_src.s_addr == INADDR_ANY) 412 ip->ip_src = ia->ia_addr.sin_addr; 413 } 414 415 if (IN_MULTICAST(ip->ip_dst.s_addr) || 416 (ip->ip_dst.s_addr == INADDR_BROADCAST)) { 417 struct in_multi *inm; 418 419 m->m_flags |= (ip->ip_dst.s_addr == INADDR_BROADCAST) ? 420 M_BCAST : M_MCAST; 421 422 /* 423 * IP destination address is multicast. Make sure "dst" 424 * still points to the address in "ro". (It may have been 425 * changed to point to a gateway address, above.) 426 */ 427 dst = satosin(&ro->ro_dst); 428 429 /* 430 * See if the caller provided any multicast options 431 */ 432 if (imo != NULL) 433 ip->ip_ttl = imo->imo_multicast_ttl; 434 else 435 ip->ip_ttl = IP_DEFAULT_MULTICAST_TTL; 436 437 /* 438 * if we don't know the outgoing ifp yet, we can't generate 439 * output 440 */ 441 if (!ifp) { 442 ipstat.ips_noroute++; 443 error = EHOSTUNREACH; 444 goto bad; 445 } 446 447 /* 448 * Confirm that the outgoing interface supports multicast, 449 * but only if the packet actually is going out on that 450 * interface (i.e., no IPsec is applied). 451 */ 452 if ((((m->m_flags & M_MCAST) && 453 (ifp->if_flags & IFF_MULTICAST) == 0) || 454 ((m->m_flags & M_BCAST) && 455 (ifp->if_flags & IFF_BROADCAST) == 0)) && (sproto == 0)) { 456 ipstat.ips_noroute++; 457 error = ENETUNREACH; 458 goto bad; 459 } 460 461 /* 462 * If source address not specified yet, use address 463 * of outgoing interface. 464 */ 465 if (ip->ip_src.s_addr == INADDR_ANY) { 466 struct in_ifaddr *ia; 467 468 TAILQ_FOREACH(ia, &in_ifaddr, ia_list) 469 if (ia->ia_ifp == ifp) { 470 ip->ip_src = ia->ia_addr.sin_addr; 471 break; 472 } 473 } 474 475 IN_LOOKUP_MULTI(ip->ip_dst, ifp, inm); 476 if (inm != NULL && 477 (imo == NULL || imo->imo_multicast_loop)) { 478 /* 479 * If we belong to the destination multicast group 480 * on the outgoing interface, and the caller did not 481 * forbid loopback, loop back a copy. 482 * Can't defer TCP/UDP checksumming, do the 483 * computation now. 484 */ 485 if (m->m_pkthdr.csum_flags & 486 (M_TCPV4_CSUM_OUT | M_UDPV4_CSUM_OUT)) { 487 in_delayed_cksum(m); 488 m->m_pkthdr.csum_flags &= 489 ~(M_UDPV4_CSUM_OUT | M_TCPV4_CSUM_OUT); 490 } 491 ip_mloopback(ifp, m, dst); 492 } 493 #ifdef MROUTING 494 else { 495 /* 496 * If we are acting as a multicast router, perform 497 * multicast forwarding as if the packet had just 498 * arrived on the interface to which we are about 499 * to send. The multicast forwarding function 500 * recursively calls this function, using the 501 * IP_FORWARDING flag to prevent infinite recursion. 502 * 503 * Multicasts that are looped back by ip_mloopback(), 504 * above, will be forwarded by the ip_input() routine, 505 * if necessary. 506 */ 507 extern struct socket *ip_mrouter; 508 509 if (ipmforwarding && ip_mrouter && 510 (flags & IP_FORWARDING) == 0) { 511 if (ip_mforward(m, ifp) != 0) { 512 m_freem(m); 513 goto done; 514 } 515 } 516 } 517 #endif 518 /* 519 * Multicasts with a time-to-live of zero may be looped- 520 * back, above, but must not be transmitted on a network. 521 * Also, multicasts addressed to the loopback interface 522 * are not sent -- the above call to ip_mloopback() will 523 * loop back a copy if this host actually belongs to the 524 * destination group on the loopback interface. 525 */ 526 if (ip->ip_ttl == 0 || (ifp->if_flags & IFF_LOOPBACK) != 0) { 527 m_freem(m); 528 goto done; 529 } 530 531 goto sendit; 532 } 533 534 /* 535 * Look for broadcast address and and verify user is allowed to send 536 * such a packet; if the packet is going in an IPsec tunnel, skip 537 * this check. 538 */ 539 if ((sproto == 0) && (in_broadcast(dst->sin_addr, ifp))) { 540 if ((ifp->if_flags & IFF_BROADCAST) == 0) { 541 error = EADDRNOTAVAIL; 542 goto bad; 543 } 544 if ((flags & IP_ALLOWBROADCAST) == 0) { 545 error = EACCES; 546 goto bad; 547 } 548 549 /* Don't allow broadcast messages to be fragmented */ 550 if (ntohs(ip->ip_len) > ifp->if_mtu) { 551 error = EMSGSIZE; 552 goto bad; 553 } 554 m->m_flags |= M_BCAST; 555 } else 556 m->m_flags &= ~M_BCAST; 557 558 sendit: 559 /* 560 * If we're doing Path MTU discovery, we need to set DF unless 561 * the route's MTU is locked. 562 */ 563 if ((flags & IP_MTUDISC) && ro && ro->ro_rt && 564 (ro->ro_rt->rt_rmx.rmx_locks & RTV_MTU) == 0) 565 ip->ip_off |= htons(IP_DF); 566 567 #ifdef IPSEC 568 /* 569 * Check if the packet needs encapsulation. 570 */ 571 if (sproto != 0) { 572 s = splnet(); 573 574 /* 575 * Packet filter 576 */ 577 #if NPF > 0 578 579 if (pf_test(PF_OUT, &encif[0].sc_if, &m, NULL) != PF_PASS) { 580 error = EHOSTUNREACH; 581 splx(s); 582 m_freem(m); 583 goto done; 584 } 585 if (m == NULL) { 586 splx(s); 587 goto done; 588 } 589 ip = mtod(m, struct ip *); 590 hlen = ip->ip_hl << 2; 591 #endif 592 593 tdb = gettdb(sspi, &sdst, sproto); 594 if (tdb == NULL) { 595 DPRINTF(("ip_output: unknown TDB")); 596 error = EHOSTUNREACH; 597 splx(s); 598 m_freem(m); 599 goto done; 600 } 601 602 /* Check if we are allowed to fragment */ 603 if (ip_mtudisc && (ip->ip_off & htons(IP_DF)) && tdb->tdb_mtu && 604 ntohs(ip->ip_len) > tdb->tdb_mtu && 605 tdb->tdb_mtutimeout > time_second) { 606 struct rtentry *rt = NULL; 607 int rt_mtucloned = 0; 608 int transportmode = 0; 609 610 transportmode = (tdb->tdb_dst.sa.sa_family == AF_INET) && 611 (tdb->tdb_dst.sin.sin_addr.s_addr == 612 ip->ip_dst.s_addr); 613 icmp_mtu = tdb->tdb_mtu; 614 splx(s); 615 616 /* Find a host route to store the mtu in */ 617 if (ro != NULL) 618 rt = ro->ro_rt; 619 /* but don't add a PMTU route for transport mode SAs */ 620 if (transportmode) 621 rt = NULL; 622 else if (rt == NULL || (rt->rt_flags & RTF_HOST) == 0) { 623 struct sockaddr_in dst = { 624 sizeof(struct sockaddr_in), AF_INET}; 625 dst.sin_addr = ip->ip_dst; 626 rt = icmp_mtudisc_clone((struct sockaddr *)&dst); 627 rt_mtucloned = 1; 628 } 629 DPRINTF(("ip_output: spi %08x mtu %d rt %p cloned %d\n", 630 ntohl(tdb->tdb_spi), icmp_mtu, rt, rt_mtucloned)); 631 if (rt != NULL) { 632 rt->rt_rmx.rmx_mtu = icmp_mtu; 633 if (ro && ro->ro_rt != NULL) { 634 RTFREE(ro->ro_rt); 635 ro->ro_rt = (struct rtentry *) 0; 636 rtalloc(ro); 637 } 638 if (rt_mtucloned) 639 rtfree(rt); 640 } 641 error = EMSGSIZE; 642 goto bad; 643 } 644 645 /* 646 * Clear these -- they'll be set in the recursive invocation 647 * as needed. 648 */ 649 m->m_flags &= ~(M_MCAST | M_BCAST); 650 651 /* Callee frees mbuf */ 652 error = ipsp_process_packet(m, tdb, AF_INET, 0); 653 splx(s); 654 return error; /* Nothing more to be done */ 655 } 656 657 /* 658 * If deferred crypto processing is needed, check that the 659 * interface supports it. 660 */ 661 if (ipsec_in_use && (mtag = m_tag_find(m, 662 PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL)) != NULL && 663 (ifp->if_capabilities & IFCAP_IPSEC) == 0) { 664 /* Notify IPsec to do its own crypto. */ 665 ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1)); 666 m_freem(m); 667 error = EHOSTUNREACH; 668 goto done; 669 } 670 #endif /* IPSEC */ 671 672 /* Catch routing changes wrt. hardware checksumming for TCP or UDP. */ 673 if (m->m_pkthdr.csum_flags & M_TCPV4_CSUM_OUT) { 674 if (!(ifp->if_capabilities & IFCAP_CSUM_TCPv4) || 675 ifp->if_bridge != NULL) { 676 in_delayed_cksum(m); 677 m->m_pkthdr.csum_flags &= ~M_TCPV4_CSUM_OUT; /* Clear */ 678 } 679 } else if (m->m_pkthdr.csum_flags & M_UDPV4_CSUM_OUT) { 680 if (!(ifp->if_capabilities & IFCAP_CSUM_UDPv4) || 681 ifp->if_bridge != NULL) { 682 in_delayed_cksum(m); 683 m->m_pkthdr.csum_flags &= ~M_UDPV4_CSUM_OUT; /* Clear */ 684 } 685 } 686 687 /* 688 * Packet filter 689 */ 690 #if NPF > 0 691 if (pf_test(PF_OUT, ifp, &m, NULL) != PF_PASS) { 692 error = EHOSTUNREACH; 693 m_freem(m); 694 goto done; 695 } 696 if (m == NULL) 697 goto done; 698 699 ip = mtod(m, struct ip *); 700 hlen = ip->ip_hl << 2; 701 #endif 702 703 #ifdef IPSEC 704 if (ipsec_in_use && (flags & IP_FORWARDING) && (ipforwarding == 2) && 705 (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) == NULL)) { 706 error = EHOSTUNREACH; 707 m_freem(m); 708 goto done; 709 } 710 #endif 711 712 /* XXX 713 * Try to use jumbograms based on socket option, or the route 714 * or... for other reasons later on. 715 */ 716 if ((flags & IP_JUMBO) && ro->ro_rt && (ro->ro_rt->rt_flags & RTF_JUMBO) && 717 ro->ro_rt->rt_ifp) 718 mtu = ro->ro_rt->rt_ifp->if_hardmtu; 719 720 /* 721 * If small enough for interface, can just send directly. 722 */ 723 if (ntohs(ip->ip_len) <= mtu) { 724 ip->ip_sum = 0; 725 if ((ifp->if_capabilities & IFCAP_CSUM_IPv4) && 726 ifp->if_bridge == NULL) { 727 m->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT; 728 ipstat.ips_outhwcsum++; 729 } else 730 ip->ip_sum = in_cksum(m, hlen); 731 /* Update relevant hardware checksum stats for TCP/UDP */ 732 if (m->m_pkthdr.csum_flags & M_TCPV4_CSUM_OUT) 733 tcpstat.tcps_outhwcsum++; 734 else if (m->m_pkthdr.csum_flags & M_UDPV4_CSUM_OUT) 735 udpstat.udps_outhwcsum++; 736 error = (*ifp->if_output)(ifp, m, sintosa(dst), ro->ro_rt); 737 goto done; 738 } 739 740 /* 741 * Too large for interface; fragment if possible. 742 * Must be able to put at least 8 bytes per fragment. 743 */ 744 if (ip->ip_off & htons(IP_DF)) { 745 #ifdef IPSEC 746 icmp_mtu = ifp->if_mtu; 747 #endif 748 error = EMSGSIZE; 749 /* 750 * This case can happen if the user changed the MTU 751 * of an interface after enabling IP on it. Because 752 * most netifs don't keep track of routes pointing to 753 * them, there is no way for one to update all its 754 * routes when the MTU is changed. 755 */ 756 if (ro->ro_rt != NULL && 757 (ro->ro_rt->rt_flags & (RTF_UP | RTF_HOST)) && 758 !(ro->ro_rt->rt_rmx.rmx_locks & RTV_MTU) && 759 (ro->ro_rt->rt_rmx.rmx_mtu > ifp->if_mtu)) { 760 ro->ro_rt->rt_rmx.rmx_mtu = ifp->if_mtu; 761 } 762 ipstat.ips_cantfrag++; 763 goto bad; 764 } 765 766 error = ip_fragment(m, ifp, mtu); 767 if (error) { 768 m = m0 = NULL; 769 goto bad; 770 } 771 772 for (; m; m = m0) { 773 m0 = m->m_nextpkt; 774 m->m_nextpkt = 0; 775 if (error == 0) 776 error = (*ifp->if_output)(ifp, m, sintosa(dst), 777 ro->ro_rt); 778 else 779 m_freem(m); 780 } 781 782 if (error == 0) 783 ipstat.ips_fragmented++; 784 785 done: 786 if (ro == &iproute && (flags & IP_ROUTETOIF) == 0 && ro->ro_rt) 787 RTFREE(ro->ro_rt); 788 return (error); 789 bad: 790 #ifdef IPSEC 791 if (error == EMSGSIZE && ip_mtudisc && icmp_mtu != 0 && m != NULL) 792 ipsec_adjust_mtu(m, icmp_mtu); 793 #endif 794 m_freem(m0); 795 goto done; 796 } 797 798 int 799 ip_fragment(struct mbuf *m, struct ifnet *ifp, u_long mtu) 800 { 801 struct ip *ip, *mhip; 802 struct mbuf *m0; 803 int len, hlen, off; 804 int mhlen, firstlen; 805 struct mbuf **mnext; 806 int fragments = 0; 807 int s; 808 int error = 0; 809 810 ip = mtod(m, struct ip *); 811 hlen = ip->ip_hl << 2; 812 813 len = (mtu - hlen) &~ 7; 814 if (len < 8) { 815 m_freem(m); 816 return (EMSGSIZE); 817 } 818 819 /* 820 * If we are doing fragmentation, we can't defer TCP/UDP 821 * checksumming; compute the checksum and clear the flag. 822 */ 823 if (m->m_pkthdr.csum_flags & (M_TCPV4_CSUM_OUT | M_UDPV4_CSUM_OUT)) { 824 in_delayed_cksum(m); 825 m->m_pkthdr.csum_flags &= ~(M_UDPV4_CSUM_OUT | M_TCPV4_CSUM_OUT); 826 } 827 828 firstlen = len; 829 mnext = &m->m_nextpkt; 830 831 /* 832 * Loop through length of segment after first fragment, 833 * make new header and copy data of each part and link onto chain. 834 */ 835 m0 = m; 836 mhlen = sizeof (struct ip); 837 for (off = hlen + len; off < ntohs(ip->ip_len); off += len) { 838 MGETHDR(m, M_DONTWAIT, MT_HEADER); 839 if (m == 0) { 840 ipstat.ips_odropped++; 841 error = ENOBUFS; 842 goto sendorfree; 843 } 844 *mnext = m; 845 mnext = &m->m_nextpkt; 846 m->m_data += max_linkhdr; 847 mhip = mtod(m, struct ip *); 848 *mhip = *ip; 849 /* we must inherit MCAST and BCAST flags */ 850 m->m_flags |= m0->m_flags & (M_MCAST|M_BCAST); 851 if (hlen > sizeof (struct ip)) { 852 mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip); 853 mhip->ip_hl = mhlen >> 2; 854 } 855 m->m_len = mhlen; 856 mhip->ip_off = ((off - hlen) >> 3) + 857 (ntohs(ip->ip_off) & ~IP_MF); 858 if (ip->ip_off & htons(IP_MF)) 859 mhip->ip_off |= IP_MF; 860 if (off + len >= ntohs(ip->ip_len)) 861 len = ntohs(ip->ip_len) - off; 862 else 863 mhip->ip_off |= IP_MF; 864 mhip->ip_len = htons((u_int16_t)(len + mhlen)); 865 m->m_next = m_copy(m0, off, len); 866 if (m->m_next == 0) { 867 ipstat.ips_odropped++; 868 error = ENOBUFS; 869 goto sendorfree; 870 } 871 m->m_pkthdr.len = mhlen + len; 872 m->m_pkthdr.rcvif = (struct ifnet *)0; 873 mhip->ip_off = htons((u_int16_t)mhip->ip_off); 874 mhip->ip_sum = 0; 875 if ((ifp != NULL) && 876 (ifp->if_capabilities & IFCAP_CSUM_IPv4) && 877 ifp->if_bridge == NULL) { 878 m->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT; 879 ipstat.ips_outhwcsum++; 880 } else 881 mhip->ip_sum = in_cksum(m, mhlen); 882 ipstat.ips_ofragments++; 883 fragments++; 884 } 885 /* 886 * Update first fragment by trimming what's been copied out 887 * and updating header, then send each fragment (in order). 888 */ 889 m = m0; 890 m_adj(m, hlen + firstlen - ntohs(ip->ip_len)); 891 m->m_pkthdr.len = hlen + firstlen; 892 ip->ip_len = htons((u_int16_t)m->m_pkthdr.len); 893 ip->ip_off |= htons(IP_MF); 894 ip->ip_sum = 0; 895 if ((ifp != NULL) && 896 (ifp->if_capabilities & IFCAP_CSUM_IPv4) && 897 ifp->if_bridge == NULL) { 898 m->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT; 899 ipstat.ips_outhwcsum++; 900 } else 901 ip->ip_sum = in_cksum(m, hlen); 902 sendorfree: 903 /* 904 * If there is no room for all the fragments, don't queue 905 * any of them. 906 */ 907 if (ifp != NULL) { 908 s = splnet(); 909 if (ifp->if_snd.ifq_maxlen - ifp->if_snd.ifq_len < fragments && 910 error == 0) { 911 error = ENOBUFS; 912 ipstat.ips_odropped++; 913 IFQ_INC_DROPS(&ifp->if_snd); 914 } 915 splx(s); 916 } 917 if (error) { 918 for (m = m0; m; m = m0) { 919 m0 = m->m_nextpkt; 920 m->m_nextpkt = NULL; 921 m_freem(m); 922 } 923 } 924 925 return (error); 926 } 927 928 /* 929 * Insert IP options into preformed packet. 930 * Adjust IP destination as required for IP source routing, 931 * as indicated by a non-zero in_addr at the start of the options. 932 */ 933 struct mbuf * 934 ip_insertoptions(m, opt, phlen) 935 struct mbuf *m; 936 struct mbuf *opt; 937 int *phlen; 938 { 939 struct ipoption *p = mtod(opt, struct ipoption *); 940 struct mbuf *n; 941 struct ip *ip = mtod(m, struct ip *); 942 unsigned optlen; 943 944 optlen = opt->m_len - sizeof(p->ipopt_dst); 945 if (optlen + ntohs(ip->ip_len) > IP_MAXPACKET) 946 return (m); /* XXX should fail */ 947 if (p->ipopt_dst.s_addr) 948 ip->ip_dst = p->ipopt_dst; 949 if (m->m_flags & M_EXT || m->m_data - optlen < m->m_pktdat) { 950 MGETHDR(n, M_DONTWAIT, MT_HEADER); 951 if (n == 0) 952 return (m); 953 M_MOVE_HDR(n, m); 954 n->m_pkthdr.len += optlen; 955 m->m_len -= sizeof(struct ip); 956 m->m_data += sizeof(struct ip); 957 n->m_next = m; 958 m = n; 959 m->m_len = optlen + sizeof(struct ip); 960 m->m_data += max_linkhdr; 961 bcopy((caddr_t)ip, mtod(m, caddr_t), sizeof(struct ip)); 962 } else { 963 m->m_data -= optlen; 964 m->m_len += optlen; 965 m->m_pkthdr.len += optlen; 966 ovbcopy((caddr_t)ip, mtod(m, caddr_t), sizeof(struct ip)); 967 } 968 ip = mtod(m, struct ip *); 969 bcopy((caddr_t)p->ipopt_list, (caddr_t)(ip + 1), (unsigned)optlen); 970 *phlen = sizeof(struct ip) + optlen; 971 ip->ip_len = htons(ntohs(ip->ip_len) + optlen); 972 return (m); 973 } 974 975 /* 976 * Copy options from ip to jp, 977 * omitting those not copied during fragmentation. 978 */ 979 int 980 ip_optcopy(ip, jp) 981 struct ip *ip, *jp; 982 { 983 u_char *cp, *dp; 984 int opt, optlen, cnt; 985 986 cp = (u_char *)(ip + 1); 987 dp = (u_char *)(jp + 1); 988 cnt = (ip->ip_hl << 2) - sizeof (struct ip); 989 for (; cnt > 0; cnt -= optlen, cp += optlen) { 990 opt = cp[0]; 991 if (opt == IPOPT_EOL) 992 break; 993 if (opt == IPOPT_NOP) { 994 /* Preserve for IP mcast tunnel's LSRR alignment. */ 995 *dp++ = IPOPT_NOP; 996 optlen = 1; 997 continue; 998 } 999 #ifdef DIAGNOSTIC 1000 if (cnt < IPOPT_OLEN + sizeof(*cp)) 1001 panic("malformed IPv4 option passed to ip_optcopy"); 1002 #endif 1003 optlen = cp[IPOPT_OLEN]; 1004 #ifdef DIAGNOSTIC 1005 if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) 1006 panic("malformed IPv4 option passed to ip_optcopy"); 1007 #endif 1008 /* bogus lengths should have been caught by ip_dooptions */ 1009 if (optlen > cnt) 1010 optlen = cnt; 1011 if (IPOPT_COPIED(opt)) { 1012 bcopy((caddr_t)cp, (caddr_t)dp, (unsigned)optlen); 1013 dp += optlen; 1014 } 1015 } 1016 for (optlen = dp - (u_char *)(jp+1); optlen & 0x3; optlen++) 1017 *dp++ = IPOPT_EOL; 1018 return (optlen); 1019 } 1020 1021 /* 1022 * IP socket option processing. 1023 */ 1024 int 1025 ip_ctloutput(op, so, level, optname, mp) 1026 int op; 1027 struct socket *so; 1028 int level, optname; 1029 struct mbuf **mp; 1030 { 1031 struct inpcb *inp = sotoinpcb(so); 1032 struct mbuf *m = *mp; 1033 int optval = 0; 1034 #ifdef IPSEC 1035 struct proc *p = curproc; /* XXX */ 1036 struct ipsec_ref *ipr; 1037 u_int16_t opt16val; 1038 #endif 1039 int error = 0; 1040 1041 if (level != IPPROTO_IP) { 1042 error = EINVAL; 1043 if (op == PRCO_SETOPT && *mp) 1044 (void) m_free(*mp); 1045 } else switch (op) { 1046 case PRCO_SETOPT: 1047 switch (optname) { 1048 case IP_OPTIONS: 1049 #ifdef notyet 1050 case IP_RETOPTS: 1051 return (ip_pcbopts(optname, &inp->inp_options, m)); 1052 #else 1053 return (ip_pcbopts(&inp->inp_options, m)); 1054 #endif 1055 1056 case IP_TOS: 1057 case IP_TTL: 1058 case IP_MINTTL: 1059 case IP_RECVOPTS: 1060 case IP_RECVRETOPTS: 1061 case IP_RECVDSTADDR: 1062 case IP_RECVIF: 1063 case IP_RECVTTL: 1064 case IP_RECVDSTPORT: 1065 if (m == NULL || m->m_len != sizeof(int)) 1066 error = EINVAL; 1067 else { 1068 optval = *mtod(m, int *); 1069 switch (optname) { 1070 1071 case IP_TOS: 1072 inp->inp_ip.ip_tos = optval; 1073 break; 1074 1075 case IP_TTL: 1076 if (optval > 0 && optval <= MAXTTL) 1077 inp->inp_ip.ip_ttl = optval; 1078 else 1079 error = EINVAL; 1080 break; 1081 1082 case IP_MINTTL: 1083 if (optval > 0 && optval <= MAXTTL) 1084 inp->inp_ip_minttl = optval; 1085 else 1086 error = EINVAL; 1087 break; 1088 #define OPTSET(bit) \ 1089 if (optval) \ 1090 inp->inp_flags |= bit; \ 1091 else \ 1092 inp->inp_flags &= ~bit; 1093 1094 case IP_RECVOPTS: 1095 OPTSET(INP_RECVOPTS); 1096 break; 1097 1098 case IP_RECVRETOPTS: 1099 OPTSET(INP_RECVRETOPTS); 1100 break; 1101 1102 case IP_RECVDSTADDR: 1103 OPTSET(INP_RECVDSTADDR); 1104 break; 1105 case IP_RECVIF: 1106 OPTSET(INP_RECVIF); 1107 break; 1108 case IP_RECVTTL: 1109 OPTSET(INP_RECVTTL); 1110 break; 1111 case IP_RECVDSTPORT: 1112 OPTSET(INP_RECVDSTPORT); 1113 break; 1114 } 1115 } 1116 break; 1117 #undef OPTSET 1118 1119 case IP_MULTICAST_IF: 1120 case IP_MULTICAST_TTL: 1121 case IP_MULTICAST_LOOP: 1122 case IP_ADD_MEMBERSHIP: 1123 case IP_DROP_MEMBERSHIP: 1124 error = ip_setmoptions(optname, &inp->inp_moptions, m); 1125 break; 1126 1127 case IP_PORTRANGE: 1128 if (m == 0 || m->m_len != sizeof(int)) 1129 error = EINVAL; 1130 else { 1131 optval = *mtod(m, int *); 1132 1133 switch (optval) { 1134 1135 case IP_PORTRANGE_DEFAULT: 1136 inp->inp_flags &= ~(INP_LOWPORT); 1137 inp->inp_flags &= ~(INP_HIGHPORT); 1138 break; 1139 1140 case IP_PORTRANGE_HIGH: 1141 inp->inp_flags &= ~(INP_LOWPORT); 1142 inp->inp_flags |= INP_HIGHPORT; 1143 break; 1144 1145 case IP_PORTRANGE_LOW: 1146 inp->inp_flags &= ~(INP_HIGHPORT); 1147 inp->inp_flags |= INP_LOWPORT; 1148 break; 1149 1150 default: 1151 1152 error = EINVAL; 1153 break; 1154 } 1155 } 1156 break; 1157 case IP_AUTH_LEVEL: 1158 case IP_ESP_TRANS_LEVEL: 1159 case IP_ESP_NETWORK_LEVEL: 1160 case IP_IPCOMP_LEVEL: 1161 #ifndef IPSEC 1162 error = EOPNOTSUPP; 1163 #else 1164 if (m == 0 || m->m_len != sizeof(int)) { 1165 error = EINVAL; 1166 break; 1167 } 1168 optval = *mtod(m, int *); 1169 1170 if (optval < IPSEC_LEVEL_BYPASS || 1171 optval > IPSEC_LEVEL_UNIQUE) { 1172 error = EINVAL; 1173 break; 1174 } 1175 1176 /* Unlink cached output TDB to force a re-search */ 1177 if (inp->inp_tdb_out) { 1178 int s = spltdb(); 1179 TAILQ_REMOVE(&inp->inp_tdb_out->tdb_inp_out, 1180 inp, inp_tdb_out_next); 1181 splx(s); 1182 } 1183 1184 if (inp->inp_tdb_in) { 1185 int s = spltdb(); 1186 TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, 1187 inp, inp_tdb_in_next); 1188 splx(s); 1189 } 1190 1191 switch (optname) { 1192 case IP_AUTH_LEVEL: 1193 if (optval < ipsec_auth_default_level && 1194 suser(p, 0)) { 1195 error = EACCES; 1196 break; 1197 } 1198 inp->inp_seclevel[SL_AUTH] = optval; 1199 break; 1200 1201 case IP_ESP_TRANS_LEVEL: 1202 if (optval < ipsec_esp_trans_default_level && 1203 suser(p, 0)) { 1204 error = EACCES; 1205 break; 1206 } 1207 inp->inp_seclevel[SL_ESP_TRANS] = optval; 1208 break; 1209 1210 case IP_ESP_NETWORK_LEVEL: 1211 if (optval < ipsec_esp_network_default_level && 1212 suser(p, 0)) { 1213 error = EACCES; 1214 break; 1215 } 1216 inp->inp_seclevel[SL_ESP_NETWORK] = optval; 1217 break; 1218 case IP_IPCOMP_LEVEL: 1219 if (optval < ipsec_ipcomp_default_level && 1220 suser(p, 0)) { 1221 error = EACCES; 1222 break; 1223 } 1224 inp->inp_seclevel[SL_IPCOMP] = optval; 1225 break; 1226 } 1227 if (!error) 1228 inp->inp_secrequire = get_sa_require(inp); 1229 #endif 1230 break; 1231 1232 case IP_IPSEC_REMOTE_CRED: 1233 case IP_IPSEC_REMOTE_AUTH: 1234 /* Can't set the remote credential or key */ 1235 error = EOPNOTSUPP; 1236 break; 1237 1238 case IP_IPSEC_LOCAL_ID: 1239 case IP_IPSEC_REMOTE_ID: 1240 case IP_IPSEC_LOCAL_CRED: 1241 case IP_IPSEC_LOCAL_AUTH: 1242 #ifndef IPSEC 1243 error = EOPNOTSUPP; 1244 #else 1245 if (m->m_len < 2) { 1246 error = EINVAL; 1247 break; 1248 } 1249 1250 m_copydata(m, 0, 2, (caddr_t) &opt16val); 1251 1252 /* If the type is 0, then we cleanup and return */ 1253 if (opt16val == 0) { 1254 switch (optname) { 1255 case IP_IPSEC_LOCAL_ID: 1256 if (inp->inp_ipo != NULL && 1257 inp->inp_ipo->ipo_srcid != NULL) { 1258 ipsp_reffree(inp->inp_ipo->ipo_srcid); 1259 inp->inp_ipo->ipo_srcid = NULL; 1260 } 1261 break; 1262 1263 case IP_IPSEC_REMOTE_ID: 1264 if (inp->inp_ipo != NULL && 1265 inp->inp_ipo->ipo_dstid != NULL) { 1266 ipsp_reffree(inp->inp_ipo->ipo_dstid); 1267 inp->inp_ipo->ipo_dstid = NULL; 1268 } 1269 break; 1270 1271 case IP_IPSEC_LOCAL_CRED: 1272 if (inp->inp_ipo != NULL && 1273 inp->inp_ipo->ipo_local_cred != NULL) { 1274 ipsp_reffree(inp->inp_ipo->ipo_local_cred); 1275 inp->inp_ipo->ipo_local_cred = NULL; 1276 } 1277 break; 1278 1279 case IP_IPSEC_LOCAL_AUTH: 1280 if (inp->inp_ipo != NULL && 1281 inp->inp_ipo->ipo_local_auth != NULL) { 1282 ipsp_reffree(inp->inp_ipo->ipo_local_auth); 1283 inp->inp_ipo->ipo_local_auth = NULL; 1284 } 1285 break; 1286 } 1287 1288 error = 0; 1289 break; 1290 } 1291 1292 /* Can't have an empty payload */ 1293 if (m->m_len == 2) { 1294 error = EINVAL; 1295 break; 1296 } 1297 1298 /* Allocate if needed */ 1299 if (inp->inp_ipo == NULL) { 1300 inp->inp_ipo = ipsec_add_policy(inp, 1301 AF_INET, IPSP_DIRECTION_OUT); 1302 if (inp->inp_ipo == NULL) { 1303 error = ENOBUFS; 1304 break; 1305 } 1306 } 1307 1308 ipr = malloc(sizeof(struct ipsec_ref) + m->m_len - 2, 1309 M_CREDENTIALS, M_NOWAIT); 1310 if (ipr == NULL) { 1311 error = ENOBUFS; 1312 break; 1313 } 1314 1315 ipr->ref_count = 1; 1316 ipr->ref_malloctype = M_CREDENTIALS; 1317 ipr->ref_len = m->m_len - 2; 1318 ipr->ref_type = opt16val; 1319 m_copydata(m, 2, m->m_len - 2, (caddr_t)(ipr + 1)); 1320 1321 switch (optname) { 1322 case IP_IPSEC_LOCAL_ID: 1323 /* Check valid types and NUL-termination */ 1324 if (ipr->ref_type < IPSP_IDENTITY_PREFIX || 1325 ipr->ref_type > IPSP_IDENTITY_CONNECTION || 1326 ((char *)(ipr + 1))[ipr->ref_len - 1]) { 1327 free(ipr, M_CREDENTIALS); 1328 error = EINVAL; 1329 } else { 1330 if (inp->inp_ipo->ipo_srcid != NULL) 1331 ipsp_reffree(inp->inp_ipo->ipo_srcid); 1332 inp->inp_ipo->ipo_srcid = ipr; 1333 } 1334 break; 1335 case IP_IPSEC_REMOTE_ID: 1336 /* Check valid types and NUL-termination */ 1337 if (ipr->ref_type < IPSP_IDENTITY_PREFIX || 1338 ipr->ref_type > IPSP_IDENTITY_CONNECTION || 1339 ((char *)(ipr + 1))[ipr->ref_len - 1]) { 1340 free(ipr, M_CREDENTIALS); 1341 error = EINVAL; 1342 } else { 1343 if (inp->inp_ipo->ipo_dstid != NULL) 1344 ipsp_reffree(inp->inp_ipo->ipo_dstid); 1345 inp->inp_ipo->ipo_dstid = ipr; 1346 } 1347 break; 1348 case IP_IPSEC_LOCAL_CRED: 1349 if (ipr->ref_type < IPSP_CRED_KEYNOTE || 1350 ipr->ref_type > IPSP_CRED_X509) { 1351 free(ipr, M_CREDENTIALS); 1352 error = EINVAL; 1353 } else { 1354 if (inp->inp_ipo->ipo_local_cred != NULL) 1355 ipsp_reffree(inp->inp_ipo->ipo_local_cred); 1356 inp->inp_ipo->ipo_local_cred = ipr; 1357 } 1358 break; 1359 case IP_IPSEC_LOCAL_AUTH: 1360 if (ipr->ref_type < IPSP_AUTH_PASSPHRASE || 1361 ipr->ref_type > IPSP_AUTH_RSA) { 1362 free(ipr, M_CREDENTIALS); 1363 error = EINVAL; 1364 } else { 1365 if (inp->inp_ipo->ipo_local_auth != NULL) 1366 ipsp_reffree(inp->inp_ipo->ipo_local_auth); 1367 inp->inp_ipo->ipo_local_auth = ipr; 1368 } 1369 break; 1370 } 1371 1372 /* Unlink cached output TDB to force a re-search */ 1373 if (inp->inp_tdb_out) { 1374 int s = spltdb(); 1375 TAILQ_REMOVE(&inp->inp_tdb_out->tdb_inp_out, 1376 inp, inp_tdb_out_next); 1377 splx(s); 1378 } 1379 1380 if (inp->inp_tdb_in) { 1381 int s = spltdb(); 1382 TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, 1383 inp, inp_tdb_in_next); 1384 splx(s); 1385 } 1386 #endif 1387 break; 1388 default: 1389 error = ENOPROTOOPT; 1390 break; 1391 } 1392 if (m) 1393 (void)m_free(m); 1394 break; 1395 1396 case PRCO_GETOPT: 1397 switch (optname) { 1398 case IP_OPTIONS: 1399 case IP_RETOPTS: 1400 *mp = m = m_get(M_WAIT, MT_SOOPTS); 1401 if (inp->inp_options) { 1402 m->m_len = inp->inp_options->m_len; 1403 bcopy(mtod(inp->inp_options, caddr_t), 1404 mtod(m, caddr_t), (unsigned)m->m_len); 1405 } else 1406 m->m_len = 0; 1407 break; 1408 1409 case IP_TOS: 1410 case IP_TTL: 1411 case IP_MINTTL: 1412 case IP_RECVOPTS: 1413 case IP_RECVRETOPTS: 1414 case IP_RECVDSTADDR: 1415 case IP_RECVIF: 1416 case IP_RECVTTL: 1417 case IP_RECVDSTPORT: 1418 *mp = m = m_get(M_WAIT, MT_SOOPTS); 1419 m->m_len = sizeof(int); 1420 switch (optname) { 1421 1422 case IP_TOS: 1423 optval = inp->inp_ip.ip_tos; 1424 break; 1425 1426 case IP_TTL: 1427 optval = inp->inp_ip.ip_ttl; 1428 break; 1429 1430 case IP_MINTTL: 1431 optval = inp->inp_ip_minttl; 1432 break; 1433 1434 #define OPTBIT(bit) (inp->inp_flags & bit ? 1 : 0) 1435 1436 case IP_RECVOPTS: 1437 optval = OPTBIT(INP_RECVOPTS); 1438 break; 1439 1440 case IP_RECVRETOPTS: 1441 optval = OPTBIT(INP_RECVRETOPTS); 1442 break; 1443 1444 case IP_RECVDSTADDR: 1445 optval = OPTBIT(INP_RECVDSTADDR); 1446 break; 1447 case IP_RECVIF: 1448 optval = OPTBIT(INP_RECVIF); 1449 break; 1450 case IP_RECVTTL: 1451 optval = OPTBIT(INP_RECVTTL); 1452 break; 1453 case IP_RECVDSTPORT: 1454 optval = OPTBIT(INP_RECVDSTPORT); 1455 break; 1456 } 1457 *mtod(m, int *) = optval; 1458 break; 1459 1460 case IP_MULTICAST_IF: 1461 case IP_MULTICAST_TTL: 1462 case IP_MULTICAST_LOOP: 1463 case IP_ADD_MEMBERSHIP: 1464 case IP_DROP_MEMBERSHIP: 1465 error = ip_getmoptions(optname, inp->inp_moptions, mp); 1466 break; 1467 1468 case IP_PORTRANGE: 1469 *mp = m = m_get(M_WAIT, MT_SOOPTS); 1470 m->m_len = sizeof(int); 1471 1472 if (inp->inp_flags & INP_HIGHPORT) 1473 optval = IP_PORTRANGE_HIGH; 1474 else if (inp->inp_flags & INP_LOWPORT) 1475 optval = IP_PORTRANGE_LOW; 1476 else 1477 optval = 0; 1478 1479 *mtod(m, int *) = optval; 1480 break; 1481 1482 case IP_AUTH_LEVEL: 1483 case IP_ESP_TRANS_LEVEL: 1484 case IP_ESP_NETWORK_LEVEL: 1485 case IP_IPCOMP_LEVEL: 1486 #ifndef IPSEC 1487 m->m_len = sizeof(int); 1488 *mtod(m, int *) = IPSEC_LEVEL_NONE; 1489 #else 1490 m->m_len = sizeof(int); 1491 switch (optname) { 1492 case IP_AUTH_LEVEL: 1493 optval = inp->inp_seclevel[SL_AUTH]; 1494 break; 1495 1496 case IP_ESP_TRANS_LEVEL: 1497 optval = inp->inp_seclevel[SL_ESP_TRANS]; 1498 break; 1499 1500 case IP_ESP_NETWORK_LEVEL: 1501 optval = inp->inp_seclevel[SL_ESP_NETWORK]; 1502 break; 1503 case IP_IPCOMP_LEVEL: 1504 optval = inp->inp_seclevel[SL_IPCOMP]; 1505 break; 1506 } 1507 *mtod(m, int *) = optval; 1508 #endif 1509 break; 1510 case IP_IPSEC_LOCAL_ID: 1511 case IP_IPSEC_REMOTE_ID: 1512 case IP_IPSEC_LOCAL_CRED: 1513 case IP_IPSEC_REMOTE_CRED: 1514 case IP_IPSEC_LOCAL_AUTH: 1515 case IP_IPSEC_REMOTE_AUTH: 1516 #ifndef IPSEC 1517 error = EOPNOTSUPP; 1518 #else 1519 *mp = m = m_get(M_WAIT, MT_SOOPTS); 1520 m->m_len = sizeof(u_int16_t); 1521 ipr = NULL; 1522 switch (optname) { 1523 case IP_IPSEC_LOCAL_ID: 1524 if (inp->inp_ipo != NULL) 1525 ipr = inp->inp_ipo->ipo_srcid; 1526 opt16val = IPSP_IDENTITY_NONE; 1527 break; 1528 case IP_IPSEC_REMOTE_ID: 1529 if (inp->inp_ipo != NULL) 1530 ipr = inp->inp_ipo->ipo_dstid; 1531 opt16val = IPSP_IDENTITY_NONE; 1532 break; 1533 case IP_IPSEC_LOCAL_CRED: 1534 if (inp->inp_ipo != NULL) 1535 ipr = inp->inp_ipo->ipo_local_cred; 1536 opt16val = IPSP_CRED_NONE; 1537 break; 1538 case IP_IPSEC_REMOTE_CRED: 1539 ipr = inp->inp_ipsec_remotecred; 1540 opt16val = IPSP_CRED_NONE; 1541 break; 1542 case IP_IPSEC_LOCAL_AUTH: 1543 if (inp->inp_ipo != NULL) 1544 ipr = inp->inp_ipo->ipo_local_auth; 1545 break; 1546 case IP_IPSEC_REMOTE_AUTH: 1547 ipr = inp->inp_ipsec_remoteauth; 1548 break; 1549 } 1550 if (ipr == NULL) 1551 *mtod(m, u_int16_t *) = opt16val; 1552 else { 1553 size_t len; 1554 1555 len = m->m_len + ipr->ref_len; 1556 if (len > MCLBYTES) { 1557 m_free(m); 1558 error = EINVAL; 1559 break; 1560 } 1561 /* allocate mbuf cluster for larger option */ 1562 if (len > MLEN) { 1563 MCLGET(m, M_WAITOK); 1564 if ((m->m_flags & M_EXT) == 0) { 1565 m_free(m); 1566 error = ENOBUFS; 1567 break; 1568 } 1569 1570 } 1571 m->m_len = len; 1572 *mtod(m, u_int16_t *) = ipr->ref_type; 1573 m_copyback(m, sizeof(u_int16_t), ipr->ref_len, 1574 ipr + 1); 1575 } 1576 #endif 1577 break; 1578 default: 1579 error = ENOPROTOOPT; 1580 break; 1581 } 1582 break; 1583 } 1584 return (error); 1585 } 1586 1587 /* 1588 * Set up IP options in pcb for insertion in output packets. 1589 * Store in mbuf with pointer in pcbopt, adding pseudo-option 1590 * with destination address if source routed. 1591 */ 1592 int 1593 #ifdef notyet 1594 ip_pcbopts(optname, pcbopt, m) 1595 int optname; 1596 #else 1597 ip_pcbopts(pcbopt, m) 1598 #endif 1599 struct mbuf **pcbopt; 1600 struct mbuf *m; 1601 { 1602 int cnt, optlen; 1603 u_char *cp; 1604 u_char opt; 1605 1606 /* turn off any old options */ 1607 if (*pcbopt) 1608 (void)m_free(*pcbopt); 1609 *pcbopt = 0; 1610 if (m == (struct mbuf *)0 || m->m_len == 0) { 1611 /* 1612 * Only turning off any previous options. 1613 */ 1614 if (m) 1615 (void)m_free(m); 1616 return (0); 1617 } 1618 1619 if (m->m_len % sizeof(int32_t)) 1620 goto bad; 1621 1622 /* 1623 * IP first-hop destination address will be stored before 1624 * actual options; move other options back 1625 * and clear it when none present. 1626 */ 1627 if (m->m_data + m->m_len + sizeof(struct in_addr) >= &m->m_dat[MLEN]) 1628 goto bad; 1629 cnt = m->m_len; 1630 m->m_len += sizeof(struct in_addr); 1631 cp = mtod(m, u_char *) + sizeof(struct in_addr); 1632 ovbcopy(mtod(m, caddr_t), (caddr_t)cp, (unsigned)cnt); 1633 bzero(mtod(m, caddr_t), sizeof(struct in_addr)); 1634 1635 for (; cnt > 0; cnt -= optlen, cp += optlen) { 1636 opt = cp[IPOPT_OPTVAL]; 1637 if (opt == IPOPT_EOL) 1638 break; 1639 if (opt == IPOPT_NOP) 1640 optlen = 1; 1641 else { 1642 if (cnt < IPOPT_OLEN + sizeof(*cp)) 1643 goto bad; 1644 optlen = cp[IPOPT_OLEN]; 1645 if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) 1646 goto bad; 1647 } 1648 switch (opt) { 1649 1650 default: 1651 break; 1652 1653 case IPOPT_LSRR: 1654 case IPOPT_SSRR: 1655 /* 1656 * user process specifies route as: 1657 * ->A->B->C->D 1658 * D must be our final destination (but we can't 1659 * check that since we may not have connected yet). 1660 * A is first hop destination, which doesn't appear in 1661 * actual IP option, but is stored before the options. 1662 */ 1663 if (optlen < IPOPT_MINOFF - 1 + sizeof(struct in_addr)) 1664 goto bad; 1665 m->m_len -= sizeof(struct in_addr); 1666 cnt -= sizeof(struct in_addr); 1667 optlen -= sizeof(struct in_addr); 1668 cp[IPOPT_OLEN] = optlen; 1669 /* 1670 * Move first hop before start of options. 1671 */ 1672 bcopy((caddr_t)&cp[IPOPT_OFFSET+1], mtod(m, caddr_t), 1673 sizeof(struct in_addr)); 1674 /* 1675 * Then copy rest of options back 1676 * to close up the deleted entry. 1677 */ 1678 ovbcopy((caddr_t)(&cp[IPOPT_OFFSET+1] + 1679 sizeof(struct in_addr)), 1680 (caddr_t)&cp[IPOPT_OFFSET+1], 1681 (unsigned)cnt - (IPOPT_OFFSET+1)); 1682 break; 1683 } 1684 } 1685 if (m->m_len > MAX_IPOPTLEN + sizeof(struct in_addr)) 1686 goto bad; 1687 *pcbopt = m; 1688 return (0); 1689 1690 bad: 1691 (void)m_free(m); 1692 return (EINVAL); 1693 } 1694 1695 /* 1696 * Set the IP multicast options in response to user setsockopt(). 1697 */ 1698 int 1699 ip_setmoptions(optname, imop, m) 1700 int optname; 1701 struct ip_moptions **imop; 1702 struct mbuf *m; 1703 { 1704 int error = 0; 1705 u_char loop; 1706 int i; 1707 struct in_addr addr; 1708 struct ip_mreq *mreq; 1709 struct ifnet *ifp; 1710 struct ip_moptions *imo = *imop; 1711 struct in_multi **immp; 1712 struct route ro; 1713 struct sockaddr_in *dst; 1714 1715 if (imo == NULL) { 1716 /* 1717 * No multicast option buffer attached to the pcb; 1718 * allocate one and initialize to default values. 1719 */ 1720 imo = (struct ip_moptions *)malloc(sizeof(*imo), M_IPMOPTS, 1721 M_WAITOK|M_ZERO); 1722 immp = (struct in_multi **)malloc( 1723 (sizeof(*immp) * IP_MIN_MEMBERSHIPS), M_IPMOPTS, 1724 M_WAITOK|M_ZERO); 1725 *imop = imo; 1726 imo->imo_multicast_ifp = NULL; 1727 imo->imo_multicast_ttl = IP_DEFAULT_MULTICAST_TTL; 1728 imo->imo_multicast_loop = IP_DEFAULT_MULTICAST_LOOP; 1729 imo->imo_num_memberships = 0; 1730 imo->imo_max_memberships = IP_MIN_MEMBERSHIPS; 1731 imo->imo_membership = immp; 1732 } 1733 1734 switch (optname) { 1735 1736 case IP_MULTICAST_IF: 1737 /* 1738 * Select the interface for outgoing multicast packets. 1739 */ 1740 if (m == NULL || m->m_len != sizeof(struct in_addr)) { 1741 error = EINVAL; 1742 break; 1743 } 1744 addr = *(mtod(m, struct in_addr *)); 1745 /* 1746 * INADDR_ANY is used to remove a previous selection. 1747 * When no interface is selected, a default one is 1748 * chosen every time a multicast packet is sent. 1749 */ 1750 if (addr.s_addr == INADDR_ANY) { 1751 imo->imo_multicast_ifp = NULL; 1752 break; 1753 } 1754 /* 1755 * The selected interface is identified by its local 1756 * IP address. Find the interface and confirm that 1757 * it supports multicasting. 1758 */ 1759 INADDR_TO_IFP(addr, ifp); 1760 if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0) { 1761 error = EADDRNOTAVAIL; 1762 break; 1763 } 1764 imo->imo_multicast_ifp = ifp; 1765 break; 1766 1767 case IP_MULTICAST_TTL: 1768 /* 1769 * Set the IP time-to-live for outgoing multicast packets. 1770 */ 1771 if (m == NULL || m->m_len != 1) { 1772 error = EINVAL; 1773 break; 1774 } 1775 imo->imo_multicast_ttl = *(mtod(m, u_char *)); 1776 break; 1777 1778 case IP_MULTICAST_LOOP: 1779 /* 1780 * Set the loopback flag for outgoing multicast packets. 1781 * Must be zero or one. 1782 */ 1783 if (m == NULL || m->m_len != 1 || 1784 (loop = *(mtod(m, u_char *))) > 1) { 1785 error = EINVAL; 1786 break; 1787 } 1788 imo->imo_multicast_loop = loop; 1789 break; 1790 1791 case IP_ADD_MEMBERSHIP: 1792 /* 1793 * Add a multicast group membership. 1794 * Group must be a valid IP multicast address. 1795 */ 1796 if (m == NULL || m->m_len != sizeof(struct ip_mreq)) { 1797 error = EINVAL; 1798 break; 1799 } 1800 mreq = mtod(m, struct ip_mreq *); 1801 if (!IN_MULTICAST(mreq->imr_multiaddr.s_addr)) { 1802 error = EINVAL; 1803 break; 1804 } 1805 /* 1806 * If no interface address was provided, use the interface of 1807 * the route to the given multicast address. 1808 */ 1809 if (mreq->imr_interface.s_addr == INADDR_ANY) { 1810 ro.ro_rt = NULL; 1811 dst = satosin(&ro.ro_dst); 1812 dst->sin_len = sizeof(*dst); 1813 dst->sin_family = AF_INET; 1814 dst->sin_addr = mreq->imr_multiaddr; 1815 rtalloc(&ro); 1816 if (ro.ro_rt == NULL) { 1817 error = EADDRNOTAVAIL; 1818 break; 1819 } 1820 ifp = ro.ro_rt->rt_ifp; 1821 rtfree(ro.ro_rt); 1822 } else { 1823 INADDR_TO_IFP(mreq->imr_interface, ifp); 1824 } 1825 /* 1826 * See if we found an interface, and confirm that it 1827 * supports multicast. 1828 */ 1829 if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0) { 1830 error = EADDRNOTAVAIL; 1831 break; 1832 } 1833 /* 1834 * See if the membership already exists or if all the 1835 * membership slots are full. 1836 */ 1837 for (i = 0; i < imo->imo_num_memberships; ++i) { 1838 if (imo->imo_membership[i]->inm_ia->ia_ifp == ifp && 1839 imo->imo_membership[i]->inm_addr.s_addr 1840 == mreq->imr_multiaddr.s_addr) 1841 break; 1842 } 1843 if (i < imo->imo_num_memberships) { 1844 error = EADDRINUSE; 1845 break; 1846 } 1847 if (imo->imo_num_memberships == imo->imo_max_memberships) { 1848 struct in_multi **nmships, **omships; 1849 size_t newmax; 1850 /* 1851 * Resize the vector to next power-of-two minus 1. If the 1852 * size would exceed the maximum then we know we've really 1853 * run out of entries. Otherwise, we reallocate the vector. 1854 */ 1855 nmships = NULL; 1856 omships = imo->imo_membership; 1857 newmax = ((imo->imo_max_memberships + 1) * 2) - 1; 1858 if (newmax <= IP_MAX_MEMBERSHIPS) { 1859 nmships = (struct in_multi **)malloc( 1860 sizeof(*nmships) * newmax, M_IPMOPTS, 1861 M_NOWAIT|M_ZERO); 1862 if (nmships != NULL) { 1863 bcopy(omships, nmships, 1864 sizeof(*omships) * 1865 imo->imo_max_memberships); 1866 free(omships, M_IPMOPTS); 1867 imo->imo_membership = nmships; 1868 imo->imo_max_memberships = newmax; 1869 } 1870 } 1871 if (nmships == NULL) { 1872 error = ETOOMANYREFS; 1873 break; 1874 } 1875 } 1876 /* 1877 * Everything looks good; add a new record to the multicast 1878 * address list for the given interface. 1879 */ 1880 if ((imo->imo_membership[i] = 1881 in_addmulti(&mreq->imr_multiaddr, ifp)) == NULL) { 1882 error = ENOBUFS; 1883 break; 1884 } 1885 ++imo->imo_num_memberships; 1886 break; 1887 1888 case IP_DROP_MEMBERSHIP: 1889 /* 1890 * Drop a multicast group membership. 1891 * Group must be a valid IP multicast address. 1892 */ 1893 if (m == NULL || m->m_len != sizeof(struct ip_mreq)) { 1894 error = EINVAL; 1895 break; 1896 } 1897 mreq = mtod(m, struct ip_mreq *); 1898 if (!IN_MULTICAST(mreq->imr_multiaddr.s_addr)) { 1899 error = EINVAL; 1900 break; 1901 } 1902 /* 1903 * If an interface address was specified, get a pointer 1904 * to its ifnet structure. 1905 */ 1906 if (mreq->imr_interface.s_addr == INADDR_ANY) 1907 ifp = NULL; 1908 else { 1909 INADDR_TO_IFP(mreq->imr_interface, ifp); 1910 if (ifp == NULL) { 1911 error = EADDRNOTAVAIL; 1912 break; 1913 } 1914 } 1915 /* 1916 * Find the membership in the membership array. 1917 */ 1918 for (i = 0; i < imo->imo_num_memberships; ++i) { 1919 if ((ifp == NULL || 1920 imo->imo_membership[i]->inm_ia->ia_ifp == ifp) && 1921 imo->imo_membership[i]->inm_addr.s_addr == 1922 mreq->imr_multiaddr.s_addr) 1923 break; 1924 } 1925 if (i == imo->imo_num_memberships) { 1926 error = EADDRNOTAVAIL; 1927 break; 1928 } 1929 /* 1930 * Give up the multicast address record to which the 1931 * membership points. 1932 */ 1933 in_delmulti(imo->imo_membership[i]); 1934 /* 1935 * Remove the gap in the membership array. 1936 */ 1937 for (++i; i < imo->imo_num_memberships; ++i) 1938 imo->imo_membership[i-1] = imo->imo_membership[i]; 1939 --imo->imo_num_memberships; 1940 break; 1941 1942 default: 1943 error = EOPNOTSUPP; 1944 break; 1945 } 1946 1947 /* 1948 * If all options have default values, no need to keep the data. 1949 */ 1950 if (imo->imo_multicast_ifp == NULL && 1951 imo->imo_multicast_ttl == IP_DEFAULT_MULTICAST_TTL && 1952 imo->imo_multicast_loop == IP_DEFAULT_MULTICAST_LOOP && 1953 imo->imo_num_memberships == 0) { 1954 free(imo->imo_membership , M_IPMOPTS); 1955 free(*imop, M_IPMOPTS); 1956 *imop = NULL; 1957 } 1958 1959 return (error); 1960 } 1961 1962 /* 1963 * Return the IP multicast options in response to user getsockopt(). 1964 */ 1965 int 1966 ip_getmoptions(optname, imo, mp) 1967 int optname; 1968 struct ip_moptions *imo; 1969 struct mbuf **mp; 1970 { 1971 u_char *ttl; 1972 u_char *loop; 1973 struct in_addr *addr; 1974 struct in_ifaddr *ia; 1975 1976 *mp = m_get(M_WAIT, MT_SOOPTS); 1977 1978 switch (optname) { 1979 1980 case IP_MULTICAST_IF: 1981 addr = mtod(*mp, struct in_addr *); 1982 (*mp)->m_len = sizeof(struct in_addr); 1983 if (imo == NULL || imo->imo_multicast_ifp == NULL) 1984 addr->s_addr = INADDR_ANY; 1985 else { 1986 IFP_TO_IA(imo->imo_multicast_ifp, ia); 1987 addr->s_addr = (ia == NULL) ? INADDR_ANY 1988 : ia->ia_addr.sin_addr.s_addr; 1989 } 1990 return (0); 1991 1992 case IP_MULTICAST_TTL: 1993 ttl = mtod(*mp, u_char *); 1994 (*mp)->m_len = 1; 1995 *ttl = (imo == NULL) ? IP_DEFAULT_MULTICAST_TTL 1996 : imo->imo_multicast_ttl; 1997 return (0); 1998 1999 case IP_MULTICAST_LOOP: 2000 loop = mtod(*mp, u_char *); 2001 (*mp)->m_len = 1; 2002 *loop = (imo == NULL) ? IP_DEFAULT_MULTICAST_LOOP 2003 : imo->imo_multicast_loop; 2004 return (0); 2005 2006 default: 2007 return (EOPNOTSUPP); 2008 } 2009 } 2010 2011 /* 2012 * Discard the IP multicast options. 2013 */ 2014 void 2015 ip_freemoptions(imo) 2016 struct ip_moptions *imo; 2017 { 2018 int i; 2019 2020 if (imo != NULL) { 2021 for (i = 0; i < imo->imo_num_memberships; ++i) 2022 in_delmulti(imo->imo_membership[i]); 2023 free(imo->imo_membership, M_IPMOPTS); 2024 free(imo, M_IPMOPTS); 2025 } 2026 } 2027 2028 /* 2029 * Routine called from ip_output() to loop back a copy of an IP multicast 2030 * packet to the input queue of a specified interface. Note that this 2031 * calls the output routine of the loopback "driver", but with an interface 2032 * pointer that might NOT be &loif -- easier than replicating that code here. 2033 */ 2034 void 2035 ip_mloopback(ifp, m, dst) 2036 struct ifnet *ifp; 2037 struct mbuf *m; 2038 struct sockaddr_in *dst; 2039 { 2040 struct ip *ip; 2041 struct mbuf *copym; 2042 2043 copym = m_copym2(m, 0, M_COPYALL, M_DONTWAIT); 2044 if (copym != NULL) { 2045 /* 2046 * We don't bother to fragment if the IP length is greater 2047 * than the interface's MTU. Can this possibly matter? 2048 */ 2049 ip = mtod(copym, struct ip *); 2050 ip->ip_sum = 0; 2051 ip->ip_sum = in_cksum(copym, ip->ip_hl << 2); 2052 (void) looutput(ifp, copym, sintosa(dst), NULL); 2053 } 2054 } 2055 2056 /* 2057 * Process a delayed payload checksum calculation. 2058 */ 2059 void 2060 in_delayed_cksum(struct mbuf *m) 2061 { 2062 struct ip *ip; 2063 u_int16_t csum, offset; 2064 2065 ip = mtod(m, struct ip *); 2066 offset = ip->ip_hl << 2; 2067 csum = in4_cksum(m, 0, offset, m->m_pkthdr.len - offset); 2068 if (csum == 0 && ip->ip_p == IPPROTO_UDP) 2069 csum = 0xffff; 2070 2071 switch (ip->ip_p) { 2072 case IPPROTO_TCP: 2073 offset += offsetof(struct tcphdr, th_sum); 2074 break; 2075 2076 case IPPROTO_UDP: 2077 offset += offsetof(struct udphdr, uh_sum); 2078 break; 2079 2080 default: 2081 return; 2082 } 2083 2084 if ((offset + sizeof(u_int16_t)) > m->m_len) 2085 m_copyback(m, offset, sizeof(csum), &csum); 2086 else 2087 *(u_int16_t *)(mtod(m, caddr_t) + offset) = csum; 2088 } 2089