1 /* $OpenBSD: ip_output.c,v 1.223 2011/07/04 06:54:49 claudio Exp $ */ 2 /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ 3 4 /* 5 * Copyright (c) 1982, 1986, 1988, 1990, 1993 6 * The Regents of the University of California. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the University nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 * 32 * @(#)ip_output.c 8.3 (Berkeley) 1/21/94 33 */ 34 35 #include "pf.h" 36 37 #include <sys/param.h> 38 #include <sys/systm.h> 39 #include <sys/mbuf.h> 40 #include <sys/protosw.h> 41 #include <sys/socket.h> 42 #include <sys/socketvar.h> 43 #include <sys/proc.h> 44 #include <sys/kernel.h> 45 46 #include <net/if.h> 47 #include <net/if_enc.h> 48 #include <net/route.h> 49 50 #include <netinet/in.h> 51 #include <netinet/in_systm.h> 52 #include <netinet/ip.h> 53 #include <netinet/in_pcb.h> 54 #include <netinet/in_var.h> 55 #include <netinet/ip_var.h> 56 #include <netinet/ip_icmp.h> 57 #include <netinet/tcp.h> 58 #include <netinet/udp.h> 59 #include <netinet/tcp_timer.h> 60 #include <netinet/tcp_var.h> 61 #include <netinet/udp_var.h> 62 63 #if NPF > 0 64 #include <net/pfvar.h> 65 #endif 66 67 #ifdef IPSEC 68 #ifdef ENCDEBUG 69 #define DPRINTF(x) do { if (encdebug) printf x ; } while (0) 70 #else 71 #define DPRINTF(x) 72 #endif 73 74 extern u_int8_t get_sa_require(struct inpcb *); 75 76 extern int ipsec_auth_default_level; 77 extern int ipsec_esp_trans_default_level; 78 extern int ipsec_esp_network_default_level; 79 extern int ipsec_ipcomp_default_level; 80 extern int ipforwarding; 81 #endif /* IPSEC */ 82 83 #ifdef MROUTING 84 extern int ipmforwarding; 85 #endif 86 87 struct mbuf *ip_insertoptions(struct mbuf *, struct mbuf *, int *); 88 void ip_mloopback(struct ifnet *, struct mbuf *, struct sockaddr_in *); 89 90 /* 91 * IP output. The packet in mbuf chain m contains a skeletal IP 92 * header (with len, off, ttl, proto, tos, src, dst). 93 * The mbuf chain containing the packet will be freed. 94 * The mbuf opt, if present, will not be freed. 95 */ 96 int 97 ip_output(struct mbuf *m0, ...) 98 { 99 struct ip *ip; 100 struct ifnet *ifp; 101 struct mbuf *m = m0; 102 int hlen = sizeof (struct ip); 103 int len, error = 0; 104 struct route iproute; 105 struct sockaddr_in *dst; 106 struct in_ifaddr *ia; 107 struct mbuf *opt; 108 struct route *ro; 109 int flags; 110 struct ip_moptions *imo; 111 va_list ap; 112 u_int8_t sproto = 0, donerouting = 0; 113 u_long mtu; 114 #ifdef IPSEC 115 u_int32_t icmp_mtu = 0; 116 union sockaddr_union sdst; 117 u_int32_t sspi; 118 struct m_tag *mtag; 119 struct tdb_ident *tdbi; 120 121 struct inpcb *inp; 122 struct tdb *tdb; 123 int s; 124 #if NPF > 0 125 struct ifnet *encif; 126 #endif 127 #endif /* IPSEC */ 128 129 va_start(ap, m0); 130 opt = va_arg(ap, struct mbuf *); 131 ro = va_arg(ap, struct route *); 132 flags = va_arg(ap, int); 133 imo = va_arg(ap, struct ip_moptions *); 134 #ifdef IPSEC 135 inp = va_arg(ap, struct inpcb *); 136 if (inp && (inp->inp_flags & INP_IPV6) != 0) 137 panic("ip_output: IPv6 pcb is passed"); 138 #endif /* IPSEC */ 139 va_end(ap); 140 141 #ifdef DIAGNOSTIC 142 if ((m->m_flags & M_PKTHDR) == 0) 143 panic("ip_output no HDR"); 144 #endif 145 if (opt) { 146 m = ip_insertoptions(m, opt, &len); 147 hlen = len; 148 } 149 150 ip = mtod(m, struct ip *); 151 152 /* 153 * Fill in IP header. 154 */ 155 if ((flags & (IP_FORWARDING|IP_RAWOUTPUT)) == 0) { 156 ip->ip_v = IPVERSION; 157 ip->ip_off &= htons(IP_DF); 158 ip->ip_id = htons(ip_randomid()); 159 ip->ip_hl = hlen >> 2; 160 ipstat.ips_localout++; 161 } else { 162 hlen = ip->ip_hl << 2; 163 } 164 165 /* 166 * We should not send traffic to 0/8 say both Stevens and RFCs 167 * 5735 section 3 and 1122 sections 3.2.1.3 and 3.3.6. 168 */ 169 if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == 0) { 170 error = ENETUNREACH; 171 goto bad; 172 } 173 174 /* 175 * If we're missing the IP source address, do a route lookup. We'll 176 * remember this result, in case we don't need to do any IPsec 177 * processing on the packet. We need the source address so we can 178 * do an SPD lookup in IPsec; for most packets, the source address 179 * is set at a higher level protocol. ICMPs and other packets 180 * though (e.g., traceroute) have a source address of zeroes. 181 */ 182 if (ip->ip_src.s_addr == INADDR_ANY) { 183 if (flags & IP_ROUTETOETHER) { 184 error = EINVAL; 185 goto bad; 186 } 187 donerouting = 1; 188 189 if (ro == 0) { 190 ro = &iproute; 191 bzero((caddr_t)ro, sizeof (*ro)); 192 } 193 194 dst = satosin(&ro->ro_dst); 195 196 /* 197 * If there is a cached route, check that it is to the same 198 * destination and is still up. If not, free it and try again. 199 */ 200 if (ro->ro_rt && ((ro->ro_rt->rt_flags & RTF_UP) == 0 || 201 dst->sin_addr.s_addr != ip->ip_dst.s_addr || 202 ro->ro_tableid != m->m_pkthdr.rdomain)) { 203 RTFREE(ro->ro_rt); 204 ro->ro_rt = (struct rtentry *)0; 205 } 206 207 if (ro->ro_rt == 0) { 208 dst->sin_family = AF_INET; 209 dst->sin_len = sizeof(*dst); 210 dst->sin_addr = ip->ip_dst; 211 ro->ro_tableid = m->m_pkthdr.rdomain; 212 } 213 214 /* 215 * If routing to interface only, short-circuit routing lookup. 216 */ 217 if (flags & IP_ROUTETOIF) { 218 if ((ia = ifatoia(ifa_ifwithdstaddr(sintosa(dst), 219 m->m_pkthdr.rdomain))) == 0 && 220 (ia = ifatoia(ifa_ifwithnet(sintosa(dst), 221 m->m_pkthdr.rdomain))) == 0) { 222 ipstat.ips_noroute++; 223 error = ENETUNREACH; 224 goto bad; 225 } 226 227 ifp = ia->ia_ifp; 228 mtu = ifp->if_mtu; 229 ip->ip_ttl = 1; 230 } else if ((IN_MULTICAST(ip->ip_dst.s_addr) || 231 (ip->ip_dst.s_addr == INADDR_BROADCAST)) && 232 imo != NULL && imo->imo_multicast_ifp != NULL) { 233 ifp = imo->imo_multicast_ifp; 234 mtu = ifp->if_mtu; 235 IFP_TO_IA(ifp, ia); 236 } else { 237 if (ro->ro_rt == 0) 238 rtalloc_mpath(ro, NULL); 239 240 if (ro->ro_rt == 0) { 241 ipstat.ips_noroute++; 242 error = EHOSTUNREACH; 243 goto bad; 244 } 245 246 ia = ifatoia(ro->ro_rt->rt_ifa); 247 ifp = ro->ro_rt->rt_ifp; 248 if ((mtu = ro->ro_rt->rt_rmx.rmx_mtu) == 0) 249 mtu = ifp->if_mtu; 250 ro->ro_rt->rt_use++; 251 252 if (ro->ro_rt->rt_flags & RTF_GATEWAY) 253 dst = satosin(ro->ro_rt->rt_gateway); 254 } 255 256 /* Set the source IP address */ 257 if (!IN_MULTICAST(ip->ip_dst.s_addr)) 258 ip->ip_src = ia->ia_addr.sin_addr; 259 } 260 261 #if NPF > 0 262 reroute: 263 #endif 264 265 #ifdef IPSEC 266 if (!ipsec_in_use && inp == NULL) 267 goto done_spd; 268 269 /* 270 * splnet is chosen over spltdb because we are not allowed to 271 * lower the level, and udp_output calls us in splnet(). 272 */ 273 s = splnet(); 274 275 /* Do we have any pending SAs to apply ? */ 276 mtag = m_tag_find(m, PACKET_TAG_IPSEC_PENDING_TDB, NULL); 277 if (mtag != NULL) { 278 #ifdef DIAGNOSTIC 279 if (mtag->m_tag_len != sizeof (struct tdb_ident)) 280 panic("ip_output: tag of length %d (should be %d", 281 mtag->m_tag_len, sizeof (struct tdb_ident)); 282 #endif 283 tdbi = (struct tdb_ident *)(mtag + 1); 284 tdb = gettdb(tdbi->rdomain, 285 tdbi->spi, &tdbi->dst, tdbi->proto); 286 if (tdb == NULL) 287 error = -EINVAL; 288 m_tag_delete(m, mtag); 289 } 290 else 291 tdb = ipsp_spd_lookup(m, AF_INET, hlen, &error, 292 IPSP_DIRECTION_OUT, NULL, inp); 293 294 if (tdb == NULL) { 295 splx(s); 296 297 if (error == 0) { 298 /* 299 * No IPsec processing required, we'll just send the 300 * packet out. 301 */ 302 sproto = 0; 303 304 /* Fall through to routing/multicast handling */ 305 } else { 306 /* 307 * -EINVAL is used to indicate that the packet should 308 * be silently dropped, typically because we've asked 309 * key management for an SA. 310 */ 311 if (error == -EINVAL) /* Should silently drop packet */ 312 error = 0; 313 314 m_freem(m); 315 goto done; 316 } 317 } else { 318 /* Loop detection */ 319 for (mtag = m_tag_first(m); mtag != NULL; 320 mtag = m_tag_next(m, mtag)) { 321 if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE && 322 mtag->m_tag_id != 323 PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED) 324 continue; 325 tdbi = (struct tdb_ident *)(mtag + 1); 326 if (tdbi->spi == tdb->tdb_spi && 327 tdbi->proto == tdb->tdb_sproto && 328 tdbi->rdomain == tdb->tdb_rdomain && 329 !bcmp(&tdbi->dst, &tdb->tdb_dst, 330 sizeof(union sockaddr_union))) { 331 splx(s); 332 sproto = 0; /* mark as no-IPsec-needed */ 333 goto done_spd; 334 } 335 } 336 337 /* We need to do IPsec */ 338 bcopy(&tdb->tdb_dst, &sdst, sizeof(sdst)); 339 sspi = tdb->tdb_spi; 340 sproto = tdb->tdb_sproto; 341 splx(s); 342 343 /* 344 * If it needs TCP/UDP hardware-checksumming, do the 345 * computation now. 346 */ 347 in_proto_cksum_out(m, NULL); 348 349 /* If it's not a multicast packet, try to fast-path */ 350 if (!IN_MULTICAST(ip->ip_dst.s_addr)) { 351 goto sendit; 352 } 353 } 354 355 /* Fall through to the routing/multicast handling code */ 356 done_spd: 357 #endif /* IPSEC */ 358 359 if (flags & IP_ROUTETOETHER) { 360 dst = satosin(&ro->ro_dst); 361 ifp = ro->ro_rt->rt_ifp; 362 mtu = ifp->if_mtu; 363 ro->ro_rt = NULL; 364 } else if (donerouting == 0) { 365 if (ro == 0) { 366 ro = &iproute; 367 bzero((caddr_t)ro, sizeof (*ro)); 368 } 369 370 dst = satosin(&ro->ro_dst); 371 372 /* 373 * If there is a cached route, check that it is to the same 374 * destination and is still up. If not, free it and try again. 375 */ 376 if (ro->ro_rt && ((ro->ro_rt->rt_flags & RTF_UP) == 0 || 377 dst->sin_addr.s_addr != ip->ip_dst.s_addr || 378 ro->ro_tableid != m->m_pkthdr.rdomain)) { 379 RTFREE(ro->ro_rt); 380 ro->ro_rt = (struct rtentry *)0; 381 } 382 383 if (ro->ro_rt == 0) { 384 dst->sin_family = AF_INET; 385 dst->sin_len = sizeof(*dst); 386 dst->sin_addr = ip->ip_dst; 387 ro->ro_tableid = m->m_pkthdr.rdomain; 388 } 389 390 /* 391 * If routing to interface only, short-circuit routing lookup. 392 */ 393 if (flags & IP_ROUTETOIF) { 394 if ((ia = ifatoia(ifa_ifwithdstaddr(sintosa(dst), 395 m->m_pkthdr.rdomain))) == 0 && 396 (ia = ifatoia(ifa_ifwithnet(sintosa(dst), 397 m->m_pkthdr.rdomain))) == 0) { 398 ipstat.ips_noroute++; 399 error = ENETUNREACH; 400 goto bad; 401 } 402 403 ifp = ia->ia_ifp; 404 mtu = ifp->if_mtu; 405 ip->ip_ttl = 1; 406 } else if ((IN_MULTICAST(ip->ip_dst.s_addr) || 407 (ip->ip_dst.s_addr == INADDR_BROADCAST)) && 408 imo != NULL && imo->imo_multicast_ifp != NULL) { 409 ifp = imo->imo_multicast_ifp; 410 mtu = ifp->if_mtu; 411 IFP_TO_IA(ifp, ia); 412 } else { 413 if (ro->ro_rt == 0) 414 rtalloc_mpath(ro, &ip->ip_src.s_addr); 415 416 if (ro->ro_rt == 0) { 417 ipstat.ips_noroute++; 418 error = EHOSTUNREACH; 419 goto bad; 420 } 421 422 ia = ifatoia(ro->ro_rt->rt_ifa); 423 ifp = ro->ro_rt->rt_ifp; 424 if ((mtu = ro->ro_rt->rt_rmx.rmx_mtu) == 0) 425 mtu = ifp->if_mtu; 426 ro->ro_rt->rt_use++; 427 428 if (ro->ro_rt->rt_flags & RTF_GATEWAY) 429 dst = satosin(ro->ro_rt->rt_gateway); 430 } 431 432 /* Set the source IP address */ 433 if (ip->ip_src.s_addr == INADDR_ANY) 434 ip->ip_src = ia->ia_addr.sin_addr; 435 } 436 437 if (IN_MULTICAST(ip->ip_dst.s_addr) || 438 (ip->ip_dst.s_addr == INADDR_BROADCAST)) { 439 struct in_multi *inm; 440 441 m->m_flags |= (ip->ip_dst.s_addr == INADDR_BROADCAST) ? 442 M_BCAST : M_MCAST; 443 444 /* 445 * IP destination address is multicast. Make sure "dst" 446 * still points to the address in "ro". (It may have been 447 * changed to point to a gateway address, above.) 448 */ 449 dst = satosin(&ro->ro_dst); 450 451 /* 452 * See if the caller provided any multicast options 453 */ 454 if (imo != NULL) 455 ip->ip_ttl = imo->imo_multicast_ttl; 456 else 457 ip->ip_ttl = IP_DEFAULT_MULTICAST_TTL; 458 459 /* 460 * if we don't know the outgoing ifp yet, we can't generate 461 * output 462 */ 463 if (!ifp) { 464 ipstat.ips_noroute++; 465 error = EHOSTUNREACH; 466 goto bad; 467 } 468 469 /* 470 * Confirm that the outgoing interface supports multicast, 471 * but only if the packet actually is going out on that 472 * interface (i.e., no IPsec is applied). 473 */ 474 if ((((m->m_flags & M_MCAST) && 475 (ifp->if_flags & IFF_MULTICAST) == 0) || 476 ((m->m_flags & M_BCAST) && 477 (ifp->if_flags & IFF_BROADCAST) == 0)) && (sproto == 0)) { 478 ipstat.ips_noroute++; 479 error = ENETUNREACH; 480 goto bad; 481 } 482 483 /* 484 * If source address not specified yet, use address 485 * of outgoing interface. 486 */ 487 if (ip->ip_src.s_addr == INADDR_ANY) { 488 struct in_ifaddr *ia; 489 490 TAILQ_FOREACH(ia, &in_ifaddr, ia_list) 491 if (ia->ia_ifp == ifp) { 492 ip->ip_src = ia->ia_addr.sin_addr; 493 break; 494 } 495 } 496 497 IN_LOOKUP_MULTI(ip->ip_dst, ifp, inm); 498 if (inm != NULL && 499 (imo == NULL || imo->imo_multicast_loop)) { 500 /* 501 * If we belong to the destination multicast group 502 * on the outgoing interface, and the caller did not 503 * forbid loopback, loop back a copy. 504 * Can't defer TCP/UDP checksumming, do the 505 * computation now. 506 */ 507 in_proto_cksum_out(m, NULL); 508 ip_mloopback(ifp, m, dst); 509 } 510 #ifdef MROUTING 511 else { 512 /* 513 * If we are acting as a multicast router, perform 514 * multicast forwarding as if the packet had just 515 * arrived on the interface to which we are about 516 * to send. The multicast forwarding function 517 * recursively calls this function, using the 518 * IP_FORWARDING flag to prevent infinite recursion. 519 * 520 * Multicasts that are looped back by ip_mloopback(), 521 * above, will be forwarded by the ip_input() routine, 522 * if necessary. 523 */ 524 extern struct socket *ip_mrouter; 525 526 if (ipmforwarding && ip_mrouter && 527 (flags & IP_FORWARDING) == 0) { 528 if (ip_mforward(m, ifp) != 0) { 529 m_freem(m); 530 goto done; 531 } 532 } 533 } 534 #endif 535 /* 536 * Multicasts with a time-to-live of zero may be looped- 537 * back, above, but must not be transmitted on a network. 538 * Also, multicasts addressed to the loopback interface 539 * are not sent -- the above call to ip_mloopback() will 540 * loop back a copy if this host actually belongs to the 541 * destination group on the loopback interface. 542 */ 543 if (ip->ip_ttl == 0 || (ifp->if_flags & IFF_LOOPBACK) != 0) { 544 m_freem(m); 545 goto done; 546 } 547 548 goto sendit; 549 } 550 551 /* 552 * Look for broadcast address and verify user is allowed to send 553 * such a packet; if the packet is going in an IPsec tunnel, skip 554 * this check. 555 */ 556 if ((sproto == 0) && (in_broadcast(dst->sin_addr, ifp, 557 m->m_pkthdr.rdomain))) { 558 if ((ifp->if_flags & IFF_BROADCAST) == 0) { 559 error = EADDRNOTAVAIL; 560 goto bad; 561 } 562 if ((flags & IP_ALLOWBROADCAST) == 0) { 563 error = EACCES; 564 goto bad; 565 } 566 567 /* Don't allow broadcast messages to be fragmented */ 568 if (ntohs(ip->ip_len) > ifp->if_mtu) { 569 error = EMSGSIZE; 570 goto bad; 571 } 572 m->m_flags |= M_BCAST; 573 } else 574 m->m_flags &= ~M_BCAST; 575 576 sendit: 577 /* 578 * If we're doing Path MTU discovery, we need to set DF unless 579 * the route's MTU is locked. 580 */ 581 if ((flags & IP_MTUDISC) && ro && ro->ro_rt && 582 (ro->ro_rt->rt_rmx.rmx_locks & RTV_MTU) == 0) 583 ip->ip_off |= htons(IP_DF); 584 585 #ifdef IPSEC 586 /* 587 * Check if the packet needs encapsulation. 588 */ 589 if (sproto != 0) { 590 s = splnet(); 591 592 tdb = gettdb(rtable_l2(m->m_pkthdr.rdomain), 593 sspi, &sdst, sproto); 594 if (tdb == NULL) { 595 DPRINTF(("ip_output: unknown TDB")); 596 error = EHOSTUNREACH; 597 splx(s); 598 m_freem(m); 599 goto done; 600 } 601 602 /* 603 * Packet filter 604 */ 605 #if NPF > 0 606 if ((encif = enc_getif(tdb->tdb_rdomain, 607 tdb->tdb_tap)) == NULL || 608 pf_test(AF_INET, PF_OUT, encif, &m, NULL) != PF_PASS) { 609 error = EACCES; 610 splx(s); 611 m_freem(m); 612 goto done; 613 } 614 if (m == NULL) { 615 splx(s); 616 goto done; 617 } 618 ip = mtod(m, struct ip *); 619 hlen = ip->ip_hl << 2; 620 /* 621 * PF_TAG_REROUTE handling or not... 622 * Packet is entering IPsec so the routing is 623 * already overruled by the IPsec policy. 624 * Until now the change was not reconsidered. 625 * What's the behaviour? 626 */ 627 #endif 628 629 /* Check if we are allowed to fragment */ 630 if (ip_mtudisc && (ip->ip_off & htons(IP_DF)) && tdb->tdb_mtu && 631 ntohs(ip->ip_len) > tdb->tdb_mtu && 632 tdb->tdb_mtutimeout > time_second) { 633 struct rtentry *rt = NULL; 634 int rt_mtucloned = 0; 635 int transportmode = 0; 636 637 transportmode = (tdb->tdb_dst.sa.sa_family == AF_INET) && 638 (tdb->tdb_dst.sin.sin_addr.s_addr == 639 ip->ip_dst.s_addr); 640 icmp_mtu = tdb->tdb_mtu; 641 splx(s); 642 643 /* Find a host route to store the mtu in */ 644 if (ro != NULL) 645 rt = ro->ro_rt; 646 /* but don't add a PMTU route for transport mode SAs */ 647 if (transportmode) 648 rt = NULL; 649 else if (rt == NULL || (rt->rt_flags & RTF_HOST) == 0) { 650 struct sockaddr_in dst = { 651 sizeof(struct sockaddr_in), AF_INET}; 652 dst.sin_addr = ip->ip_dst; 653 rt = icmp_mtudisc_clone((struct sockaddr *)&dst, 654 m->m_pkthdr.rdomain); 655 rt_mtucloned = 1; 656 } 657 DPRINTF(("ip_output: spi %08x mtu %d rt %p cloned %d\n", 658 ntohl(tdb->tdb_spi), icmp_mtu, rt, rt_mtucloned)); 659 if (rt != NULL) { 660 rt->rt_rmx.rmx_mtu = icmp_mtu; 661 if (ro && ro->ro_rt != NULL) { 662 RTFREE(ro->ro_rt); 663 ro->ro_rt = NULL; 664 rtalloc1(&ro->ro_dst, RT_REPORT, 665 m->m_pkthdr.rdomain); 666 } 667 if (rt_mtucloned) 668 rtfree(rt); 669 } 670 error = EMSGSIZE; 671 goto bad; 672 } 673 674 /* 675 * Clear these -- they'll be set in the recursive invocation 676 * as needed. 677 */ 678 m->m_flags &= ~(M_MCAST | M_BCAST); 679 680 /* Callee frees mbuf */ 681 error = ipsp_process_packet(m, tdb, AF_INET, 0); 682 splx(s); 683 return error; /* Nothing more to be done */ 684 } 685 686 /* 687 * If deferred crypto processing is needed, check that the 688 * interface supports it. 689 */ 690 if (ipsec_in_use && (mtag = m_tag_find(m, 691 PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL)) != NULL && 692 (ifp->if_capabilities & IFCAP_IPSEC) == 0) { 693 /* Notify IPsec to do its own crypto. */ 694 ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1)); 695 m_freem(m); 696 error = EHOSTUNREACH; 697 goto done; 698 } 699 #endif /* IPSEC */ 700 701 in_proto_cksum_out(m, ifp); 702 703 /* 704 * Packet filter 705 */ 706 #if NPF > 0 707 if (pf_test(AF_INET, PF_OUT, ifp, &m, NULL) != PF_PASS) { 708 error = EHOSTUNREACH; 709 m_freem(m); 710 goto done; 711 } 712 if (m == NULL) 713 goto done; 714 ip = mtod(m, struct ip *); 715 hlen = ip->ip_hl << 2; 716 if ((m->m_pkthdr.pf.flags & (PF_TAG_REROUTE | PF_TAG_GENERATED)) == 717 (PF_TAG_REROUTE | PF_TAG_GENERATED)) 718 /* already rerun the route lookup, go on */ 719 m->m_pkthdr.pf.flags &= ~(PF_TAG_GENERATED | PF_TAG_REROUTE); 720 else if (m->m_pkthdr.pf.flags & PF_TAG_REROUTE) { 721 /* tag as generated to skip over pf_test on rerun */ 722 m->m_pkthdr.pf.flags |= PF_TAG_GENERATED; 723 ro = NULL; 724 donerouting = 0; 725 goto reroute; 726 } 727 #endif 728 729 #ifdef IPSEC 730 if (ipsec_in_use && (flags & IP_FORWARDING) && (ipforwarding == 2) && 731 (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) == NULL)) { 732 error = EHOSTUNREACH; 733 m_freem(m); 734 goto done; 735 } 736 #endif 737 738 /* XXX 739 * Try to use jumbograms based on socket option, or the route 740 * or... for other reasons later on. 741 */ 742 if ((flags & IP_JUMBO) && ro->ro_rt && (ro->ro_rt->rt_flags & RTF_JUMBO) && 743 ro->ro_rt->rt_ifp) 744 mtu = ro->ro_rt->rt_ifp->if_hardmtu; 745 746 /* 747 * If small enough for interface, can just send directly. 748 */ 749 if (ntohs(ip->ip_len) <= mtu) { 750 ip->ip_sum = 0; 751 if ((ifp->if_capabilities & IFCAP_CSUM_IPv4)) { 752 m->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT; 753 ipstat.ips_outhwcsum++; 754 } else 755 ip->ip_sum = in_cksum(m, hlen); 756 /* Update relevant hardware checksum stats for TCP/UDP */ 757 if (m->m_pkthdr.csum_flags & M_TCP_CSUM_OUT) 758 tcpstat.tcps_outhwcsum++; 759 else if (m->m_pkthdr.csum_flags & M_UDP_CSUM_OUT) 760 udpstat.udps_outhwcsum++; 761 error = (*ifp->if_output)(ifp, m, sintosa(dst), ro->ro_rt); 762 goto done; 763 } 764 765 /* 766 * Too large for interface; fragment if possible. 767 * Must be able to put at least 8 bytes per fragment. 768 */ 769 if (ip->ip_off & htons(IP_DF)) { 770 #ifdef IPSEC 771 icmp_mtu = ifp->if_mtu; 772 #endif 773 error = EMSGSIZE; 774 /* 775 * This case can happen if the user changed the MTU 776 * of an interface after enabling IP on it. Because 777 * most netifs don't keep track of routes pointing to 778 * them, there is no way for one to update all its 779 * routes when the MTU is changed. 780 */ 781 if (ro->ro_rt != NULL && 782 (ro->ro_rt->rt_flags & (RTF_UP | RTF_HOST)) && 783 !(ro->ro_rt->rt_rmx.rmx_locks & RTV_MTU) && 784 (ro->ro_rt->rt_rmx.rmx_mtu > ifp->if_mtu)) { 785 ro->ro_rt->rt_rmx.rmx_mtu = ifp->if_mtu; 786 } 787 ipstat.ips_cantfrag++; 788 goto bad; 789 } 790 791 error = ip_fragment(m, ifp, mtu); 792 if (error) { 793 m = m0 = NULL; 794 goto bad; 795 } 796 797 for (; m; m = m0) { 798 m0 = m->m_nextpkt; 799 m->m_nextpkt = 0; 800 if (error == 0) 801 error = (*ifp->if_output)(ifp, m, sintosa(dst), 802 ro->ro_rt); 803 else 804 m_freem(m); 805 } 806 807 if (error == 0) 808 ipstat.ips_fragmented++; 809 810 done: 811 if (ro == &iproute && (flags & IP_ROUTETOIF) == 0 && ro->ro_rt) 812 RTFREE(ro->ro_rt); 813 return (error); 814 bad: 815 #ifdef IPSEC 816 if (error == EMSGSIZE && ip_mtudisc && icmp_mtu != 0 && m != NULL) 817 ipsec_adjust_mtu(m, icmp_mtu); 818 #endif 819 m_freem(m0); 820 goto done; 821 } 822 823 int 824 ip_fragment(struct mbuf *m, struct ifnet *ifp, u_long mtu) 825 { 826 struct ip *ip, *mhip; 827 struct mbuf *m0; 828 int len, hlen, off; 829 int mhlen, firstlen; 830 struct mbuf **mnext; 831 int fragments = 0; 832 int error = 0; 833 834 ip = mtod(m, struct ip *); 835 hlen = ip->ip_hl << 2; 836 837 len = (mtu - hlen) &~ 7; 838 if (len < 8) { 839 m_freem(m); 840 return (EMSGSIZE); 841 } 842 843 /* 844 * If we are doing fragmentation, we can't defer TCP/UDP 845 * checksumming; compute the checksum and clear the flag. 846 */ 847 in_proto_cksum_out(m, NULL); 848 firstlen = len; 849 mnext = &m->m_nextpkt; 850 851 /* 852 * Loop through length of segment after first fragment, 853 * make new header and copy data of each part and link onto chain. 854 */ 855 m0 = m; 856 mhlen = sizeof (struct ip); 857 for (off = hlen + len; off < ntohs(ip->ip_len); off += len) { 858 MGETHDR(m, M_DONTWAIT, MT_HEADER); 859 if (m == 0) { 860 ipstat.ips_odropped++; 861 error = ENOBUFS; 862 goto sendorfree; 863 } 864 *mnext = m; 865 mnext = &m->m_nextpkt; 866 m->m_data += max_linkhdr; 867 mhip = mtod(m, struct ip *); 868 *mhip = *ip; 869 /* we must inherit MCAST and BCAST flags and rdomain */ 870 m->m_flags |= m0->m_flags & (M_MCAST|M_BCAST); 871 m->m_pkthdr.rdomain = m0->m_pkthdr.rdomain; 872 if (hlen > sizeof (struct ip)) { 873 mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip); 874 mhip->ip_hl = mhlen >> 2; 875 } 876 m->m_len = mhlen; 877 mhip->ip_off = ((off - hlen) >> 3) + 878 (ntohs(ip->ip_off) & ~IP_MF); 879 if (ip->ip_off & htons(IP_MF)) 880 mhip->ip_off |= IP_MF; 881 if (off + len >= ntohs(ip->ip_len)) 882 len = ntohs(ip->ip_len) - off; 883 else 884 mhip->ip_off |= IP_MF; 885 mhip->ip_len = htons((u_int16_t)(len + mhlen)); 886 m->m_next = m_copy(m0, off, len); 887 if (m->m_next == 0) { 888 ipstat.ips_odropped++; 889 error = ENOBUFS; 890 goto sendorfree; 891 } 892 m->m_pkthdr.len = mhlen + len; 893 m->m_pkthdr.rcvif = (struct ifnet *)0; 894 mhip->ip_off = htons((u_int16_t)mhip->ip_off); 895 mhip->ip_sum = 0; 896 if ((ifp != NULL) && 897 (ifp->if_capabilities & IFCAP_CSUM_IPv4)) { 898 m->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT; 899 ipstat.ips_outhwcsum++; 900 } else 901 mhip->ip_sum = in_cksum(m, mhlen); 902 ipstat.ips_ofragments++; 903 fragments++; 904 } 905 /* 906 * Update first fragment by trimming what's been copied out 907 * and updating header, then send each fragment (in order). 908 */ 909 m = m0; 910 m_adj(m, hlen + firstlen - ntohs(ip->ip_len)); 911 m->m_pkthdr.len = hlen + firstlen; 912 ip->ip_len = htons((u_int16_t)m->m_pkthdr.len); 913 ip->ip_off |= htons(IP_MF); 914 ip->ip_sum = 0; 915 if ((ifp != NULL) && 916 (ifp->if_capabilities & IFCAP_CSUM_IPv4)) { 917 m->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT; 918 ipstat.ips_outhwcsum++; 919 } else 920 ip->ip_sum = in_cksum(m, hlen); 921 sendorfree: 922 if (error) { 923 for (m = m0; m; m = m0) { 924 m0 = m->m_nextpkt; 925 m->m_nextpkt = NULL; 926 m_freem(m); 927 } 928 } 929 930 return (error); 931 } 932 933 /* 934 * Insert IP options into preformed packet. 935 * Adjust IP destination as required for IP source routing, 936 * as indicated by a non-zero in_addr at the start of the options. 937 */ 938 struct mbuf * 939 ip_insertoptions(m, opt, phlen) 940 struct mbuf *m; 941 struct mbuf *opt; 942 int *phlen; 943 { 944 struct ipoption *p = mtod(opt, struct ipoption *); 945 struct mbuf *n; 946 struct ip *ip = mtod(m, struct ip *); 947 unsigned optlen; 948 949 optlen = opt->m_len - sizeof(p->ipopt_dst); 950 if (optlen + ntohs(ip->ip_len) > IP_MAXPACKET) 951 return (m); /* XXX should fail */ 952 if (p->ipopt_dst.s_addr) 953 ip->ip_dst = p->ipopt_dst; 954 if (m->m_flags & M_EXT || m->m_data - optlen < m->m_pktdat) { 955 MGETHDR(n, M_DONTWAIT, MT_HEADER); 956 if (n == 0) 957 return (m); 958 M_MOVE_HDR(n, m); 959 n->m_pkthdr.len += optlen; 960 m->m_len -= sizeof(struct ip); 961 m->m_data += sizeof(struct ip); 962 n->m_next = m; 963 m = n; 964 m->m_len = optlen + sizeof(struct ip); 965 m->m_data += max_linkhdr; 966 bcopy((caddr_t)ip, mtod(m, caddr_t), sizeof(struct ip)); 967 } else { 968 m->m_data -= optlen; 969 m->m_len += optlen; 970 m->m_pkthdr.len += optlen; 971 ovbcopy((caddr_t)ip, mtod(m, caddr_t), sizeof(struct ip)); 972 } 973 ip = mtod(m, struct ip *); 974 bcopy((caddr_t)p->ipopt_list, (caddr_t)(ip + 1), (unsigned)optlen); 975 *phlen = sizeof(struct ip) + optlen; 976 ip->ip_len = htons(ntohs(ip->ip_len) + optlen); 977 return (m); 978 } 979 980 /* 981 * Copy options from ip to jp, 982 * omitting those not copied during fragmentation. 983 */ 984 int 985 ip_optcopy(ip, jp) 986 struct ip *ip, *jp; 987 { 988 u_char *cp, *dp; 989 int opt, optlen, cnt; 990 991 cp = (u_char *)(ip + 1); 992 dp = (u_char *)(jp + 1); 993 cnt = (ip->ip_hl << 2) - sizeof (struct ip); 994 for (; cnt > 0; cnt -= optlen, cp += optlen) { 995 opt = cp[0]; 996 if (opt == IPOPT_EOL) 997 break; 998 if (opt == IPOPT_NOP) { 999 /* Preserve for IP mcast tunnel's LSRR alignment. */ 1000 *dp++ = IPOPT_NOP; 1001 optlen = 1; 1002 continue; 1003 } 1004 #ifdef DIAGNOSTIC 1005 if (cnt < IPOPT_OLEN + sizeof(*cp)) 1006 panic("malformed IPv4 option passed to ip_optcopy"); 1007 #endif 1008 optlen = cp[IPOPT_OLEN]; 1009 #ifdef DIAGNOSTIC 1010 if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) 1011 panic("malformed IPv4 option passed to ip_optcopy"); 1012 #endif 1013 /* bogus lengths should have been caught by ip_dooptions */ 1014 if (optlen > cnt) 1015 optlen = cnt; 1016 if (IPOPT_COPIED(opt)) { 1017 bcopy((caddr_t)cp, (caddr_t)dp, (unsigned)optlen); 1018 dp += optlen; 1019 } 1020 } 1021 for (optlen = dp - (u_char *)(jp+1); optlen & 0x3; optlen++) 1022 *dp++ = IPOPT_EOL; 1023 return (optlen); 1024 } 1025 1026 /* 1027 * IP socket option processing. 1028 */ 1029 int 1030 ip_ctloutput(op, so, level, optname, mp) 1031 int op; 1032 struct socket *so; 1033 int level, optname; 1034 struct mbuf **mp; 1035 { 1036 struct inpcb *inp = sotoinpcb(so); 1037 struct mbuf *m = *mp; 1038 int optval = 0; 1039 struct proc *p = curproc; /* XXX */ 1040 #ifdef IPSEC 1041 struct ipsec_ref *ipr; 1042 u_int16_t opt16val; 1043 #endif 1044 int error = 0; 1045 u_int rtid = 0; 1046 1047 if (level != IPPROTO_IP) { 1048 error = EINVAL; 1049 if (op == PRCO_SETOPT && *mp) 1050 (void) m_free(*mp); 1051 } else switch (op) { 1052 case PRCO_SETOPT: 1053 switch (optname) { 1054 case IP_OPTIONS: 1055 #ifdef notyet 1056 case IP_RETOPTS: 1057 return (ip_pcbopts(optname, &inp->inp_options, m)); 1058 #else 1059 return (ip_pcbopts(&inp->inp_options, m)); 1060 #endif 1061 1062 case IP_TOS: 1063 case IP_TTL: 1064 case IP_MINTTL: 1065 case IP_RECVOPTS: 1066 case IP_RECVRETOPTS: 1067 case IP_RECVDSTADDR: 1068 case IP_RECVIF: 1069 case IP_RECVTTL: 1070 case IP_RECVDSTPORT: 1071 case IP_RECVRTABLE: 1072 if (m == NULL || m->m_len != sizeof(int)) 1073 error = EINVAL; 1074 else { 1075 optval = *mtod(m, int *); 1076 switch (optname) { 1077 1078 case IP_TOS: 1079 inp->inp_ip.ip_tos = optval; 1080 break; 1081 1082 case IP_TTL: 1083 if (optval > 0 && optval <= MAXTTL) 1084 inp->inp_ip.ip_ttl = optval; 1085 else 1086 error = EINVAL; 1087 break; 1088 1089 case IP_MINTTL: 1090 if (optval > 0 && optval <= MAXTTL) 1091 inp->inp_ip_minttl = optval; 1092 else 1093 error = EINVAL; 1094 break; 1095 #define OPTSET(bit) \ 1096 if (optval) \ 1097 inp->inp_flags |= bit; \ 1098 else \ 1099 inp->inp_flags &= ~bit; 1100 1101 case IP_RECVOPTS: 1102 OPTSET(INP_RECVOPTS); 1103 break; 1104 1105 case IP_RECVRETOPTS: 1106 OPTSET(INP_RECVRETOPTS); 1107 break; 1108 1109 case IP_RECVDSTADDR: 1110 OPTSET(INP_RECVDSTADDR); 1111 break; 1112 case IP_RECVIF: 1113 OPTSET(INP_RECVIF); 1114 break; 1115 case IP_RECVTTL: 1116 OPTSET(INP_RECVTTL); 1117 break; 1118 case IP_RECVDSTPORT: 1119 OPTSET(INP_RECVDSTPORT); 1120 break; 1121 case IP_RECVRTABLE: 1122 OPTSET(INP_RECVRTABLE); 1123 break; 1124 } 1125 } 1126 break; 1127 #undef OPTSET 1128 1129 case IP_MULTICAST_IF: 1130 case IP_MULTICAST_TTL: 1131 case IP_MULTICAST_LOOP: 1132 case IP_ADD_MEMBERSHIP: 1133 case IP_DROP_MEMBERSHIP: 1134 error = ip_setmoptions(optname, &inp->inp_moptions, m, 1135 inp->inp_rtableid); 1136 break; 1137 1138 case IP_PORTRANGE: 1139 if (m == 0 || m->m_len != sizeof(int)) 1140 error = EINVAL; 1141 else { 1142 optval = *mtod(m, int *); 1143 1144 switch (optval) { 1145 1146 case IP_PORTRANGE_DEFAULT: 1147 inp->inp_flags &= ~(INP_LOWPORT); 1148 inp->inp_flags &= ~(INP_HIGHPORT); 1149 break; 1150 1151 case IP_PORTRANGE_HIGH: 1152 inp->inp_flags &= ~(INP_LOWPORT); 1153 inp->inp_flags |= INP_HIGHPORT; 1154 break; 1155 1156 case IP_PORTRANGE_LOW: 1157 inp->inp_flags &= ~(INP_HIGHPORT); 1158 inp->inp_flags |= INP_LOWPORT; 1159 break; 1160 1161 default: 1162 1163 error = EINVAL; 1164 break; 1165 } 1166 } 1167 break; 1168 case IP_AUTH_LEVEL: 1169 case IP_ESP_TRANS_LEVEL: 1170 case IP_ESP_NETWORK_LEVEL: 1171 case IP_IPCOMP_LEVEL: 1172 #ifndef IPSEC 1173 error = EOPNOTSUPP; 1174 #else 1175 if (m == 0 || m->m_len != sizeof(int)) { 1176 error = EINVAL; 1177 break; 1178 } 1179 optval = *mtod(m, int *); 1180 1181 if (optval < IPSEC_LEVEL_BYPASS || 1182 optval > IPSEC_LEVEL_UNIQUE) { 1183 error = EINVAL; 1184 break; 1185 } 1186 1187 /* Unlink cached output TDB to force a re-search */ 1188 if (inp->inp_tdb_out) { 1189 int s = spltdb(); 1190 TAILQ_REMOVE(&inp->inp_tdb_out->tdb_inp_out, 1191 inp, inp_tdb_out_next); 1192 splx(s); 1193 } 1194 1195 if (inp->inp_tdb_in) { 1196 int s = spltdb(); 1197 TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, 1198 inp, inp_tdb_in_next); 1199 splx(s); 1200 } 1201 1202 switch (optname) { 1203 case IP_AUTH_LEVEL: 1204 if (optval < ipsec_auth_default_level && 1205 suser(p, 0)) { 1206 error = EACCES; 1207 break; 1208 } 1209 inp->inp_seclevel[SL_AUTH] = optval; 1210 break; 1211 1212 case IP_ESP_TRANS_LEVEL: 1213 if (optval < ipsec_esp_trans_default_level && 1214 suser(p, 0)) { 1215 error = EACCES; 1216 break; 1217 } 1218 inp->inp_seclevel[SL_ESP_TRANS] = optval; 1219 break; 1220 1221 case IP_ESP_NETWORK_LEVEL: 1222 if (optval < ipsec_esp_network_default_level && 1223 suser(p, 0)) { 1224 error = EACCES; 1225 break; 1226 } 1227 inp->inp_seclevel[SL_ESP_NETWORK] = optval; 1228 break; 1229 case IP_IPCOMP_LEVEL: 1230 if (optval < ipsec_ipcomp_default_level && 1231 suser(p, 0)) { 1232 error = EACCES; 1233 break; 1234 } 1235 inp->inp_seclevel[SL_IPCOMP] = optval; 1236 break; 1237 } 1238 if (!error) 1239 inp->inp_secrequire = get_sa_require(inp); 1240 #endif 1241 break; 1242 1243 case IP_IPSEC_REMOTE_CRED: 1244 case IP_IPSEC_REMOTE_AUTH: 1245 /* Can't set the remote credential or key */ 1246 error = EOPNOTSUPP; 1247 break; 1248 1249 case IP_IPSEC_LOCAL_ID: 1250 case IP_IPSEC_REMOTE_ID: 1251 case IP_IPSEC_LOCAL_CRED: 1252 case IP_IPSEC_LOCAL_AUTH: 1253 #ifndef IPSEC 1254 error = EOPNOTSUPP; 1255 #else 1256 if (m == NULL || m->m_len < 2) { 1257 error = EINVAL; 1258 break; 1259 } 1260 1261 m_copydata(m, 0, 2, (caddr_t) &opt16val); 1262 1263 /* If the type is 0, then we cleanup and return */ 1264 if (opt16val == 0) { 1265 switch (optname) { 1266 case IP_IPSEC_LOCAL_ID: 1267 if (inp->inp_ipo != NULL && 1268 inp->inp_ipo->ipo_srcid != NULL) { 1269 ipsp_reffree(inp->inp_ipo->ipo_srcid); 1270 inp->inp_ipo->ipo_srcid = NULL; 1271 } 1272 break; 1273 1274 case IP_IPSEC_REMOTE_ID: 1275 if (inp->inp_ipo != NULL && 1276 inp->inp_ipo->ipo_dstid != NULL) { 1277 ipsp_reffree(inp->inp_ipo->ipo_dstid); 1278 inp->inp_ipo->ipo_dstid = NULL; 1279 } 1280 break; 1281 1282 case IP_IPSEC_LOCAL_CRED: 1283 if (inp->inp_ipo != NULL && 1284 inp->inp_ipo->ipo_local_cred != NULL) { 1285 ipsp_reffree(inp->inp_ipo->ipo_local_cred); 1286 inp->inp_ipo->ipo_local_cred = NULL; 1287 } 1288 break; 1289 1290 case IP_IPSEC_LOCAL_AUTH: 1291 if (inp->inp_ipo != NULL && 1292 inp->inp_ipo->ipo_local_auth != NULL) { 1293 ipsp_reffree(inp->inp_ipo->ipo_local_auth); 1294 inp->inp_ipo->ipo_local_auth = NULL; 1295 } 1296 break; 1297 } 1298 1299 error = 0; 1300 break; 1301 } 1302 1303 /* Can't have an empty payload */ 1304 if (m->m_len == 2) { 1305 error = EINVAL; 1306 break; 1307 } 1308 1309 /* Allocate if needed */ 1310 if (inp->inp_ipo == NULL) { 1311 inp->inp_ipo = ipsec_add_policy(inp, 1312 AF_INET, IPSP_DIRECTION_OUT); 1313 if (inp->inp_ipo == NULL) { 1314 error = ENOBUFS; 1315 break; 1316 } 1317 } 1318 1319 ipr = malloc(sizeof(struct ipsec_ref) + m->m_len - 2, 1320 M_CREDENTIALS, M_NOWAIT); 1321 if (ipr == NULL) { 1322 error = ENOBUFS; 1323 break; 1324 } 1325 1326 ipr->ref_count = 1; 1327 ipr->ref_malloctype = M_CREDENTIALS; 1328 ipr->ref_len = m->m_len - 2; 1329 ipr->ref_type = opt16val; 1330 m_copydata(m, 2, m->m_len - 2, (caddr_t)(ipr + 1)); 1331 1332 switch (optname) { 1333 case IP_IPSEC_LOCAL_ID: 1334 /* Check valid types and NUL-termination */ 1335 if (ipr->ref_type < IPSP_IDENTITY_PREFIX || 1336 ipr->ref_type > IPSP_IDENTITY_CONNECTION || 1337 ((char *)(ipr + 1))[ipr->ref_len - 1]) { 1338 free(ipr, M_CREDENTIALS); 1339 error = EINVAL; 1340 } else { 1341 if (inp->inp_ipo->ipo_srcid != NULL) 1342 ipsp_reffree(inp->inp_ipo->ipo_srcid); 1343 inp->inp_ipo->ipo_srcid = ipr; 1344 } 1345 break; 1346 case IP_IPSEC_REMOTE_ID: 1347 /* Check valid types and NUL-termination */ 1348 if (ipr->ref_type < IPSP_IDENTITY_PREFIX || 1349 ipr->ref_type > IPSP_IDENTITY_CONNECTION || 1350 ((char *)(ipr + 1))[ipr->ref_len - 1]) { 1351 free(ipr, M_CREDENTIALS); 1352 error = EINVAL; 1353 } else { 1354 if (inp->inp_ipo->ipo_dstid != NULL) 1355 ipsp_reffree(inp->inp_ipo->ipo_dstid); 1356 inp->inp_ipo->ipo_dstid = ipr; 1357 } 1358 break; 1359 case IP_IPSEC_LOCAL_CRED: 1360 if (ipr->ref_type < IPSP_CRED_KEYNOTE || 1361 ipr->ref_type > IPSP_CRED_X509) { 1362 free(ipr, M_CREDENTIALS); 1363 error = EINVAL; 1364 } else { 1365 if (inp->inp_ipo->ipo_local_cred != NULL) 1366 ipsp_reffree(inp->inp_ipo->ipo_local_cred); 1367 inp->inp_ipo->ipo_local_cred = ipr; 1368 } 1369 break; 1370 case IP_IPSEC_LOCAL_AUTH: 1371 if (ipr->ref_type < IPSP_AUTH_PASSPHRASE || 1372 ipr->ref_type > IPSP_AUTH_RSA) { 1373 free(ipr, M_CREDENTIALS); 1374 error = EINVAL; 1375 } else { 1376 if (inp->inp_ipo->ipo_local_auth != NULL) 1377 ipsp_reffree(inp->inp_ipo->ipo_local_auth); 1378 inp->inp_ipo->ipo_local_auth = ipr; 1379 } 1380 break; 1381 } 1382 1383 /* Unlink cached output TDB to force a re-search */ 1384 if (inp->inp_tdb_out) { 1385 int s = spltdb(); 1386 TAILQ_REMOVE(&inp->inp_tdb_out->tdb_inp_out, 1387 inp, inp_tdb_out_next); 1388 splx(s); 1389 } 1390 1391 if (inp->inp_tdb_in) { 1392 int s = spltdb(); 1393 TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, 1394 inp, inp_tdb_in_next); 1395 splx(s); 1396 } 1397 #endif 1398 break; 1399 case IP_RTABLE: 1400 if (m == NULL || m->m_len < sizeof(u_int)) { 1401 error = EINVAL; 1402 break; 1403 } 1404 rtid = *mtod(m, u_int *); 1405 /* table must exist */ 1406 if (!rtable_exists(rtid)) { 1407 error = EINVAL; 1408 break; 1409 } 1410 /* needs priviledges to switch when already set */ 1411 if (p->p_p->ps_rtableid != rtid && 1412 p->p_p->ps_rtableid != 0 && suser(p, 0) != 0) { 1413 error = EACCES; 1414 break; 1415 } 1416 inp->inp_rtableid = rtid; 1417 break; 1418 case IP_PIPEX: 1419 if (m != NULL && m->m_len == sizeof(int)) 1420 inp->inp_pipex = *mtod(m, int *); 1421 else 1422 error = EINVAL; 1423 break; 1424 1425 default: 1426 error = ENOPROTOOPT; 1427 break; 1428 } 1429 if (m) 1430 (void)m_free(m); 1431 break; 1432 1433 case PRCO_GETOPT: 1434 switch (optname) { 1435 case IP_OPTIONS: 1436 case IP_RETOPTS: 1437 *mp = m = m_get(M_WAIT, MT_SOOPTS); 1438 if (inp->inp_options) { 1439 m->m_len = inp->inp_options->m_len; 1440 bcopy(mtod(inp->inp_options, caddr_t), 1441 mtod(m, caddr_t), (unsigned)m->m_len); 1442 } else 1443 m->m_len = 0; 1444 break; 1445 1446 case IP_TOS: 1447 case IP_TTL: 1448 case IP_MINTTL: 1449 case IP_RECVOPTS: 1450 case IP_RECVRETOPTS: 1451 case IP_RECVDSTADDR: 1452 case IP_RECVIF: 1453 case IP_RECVTTL: 1454 case IP_RECVDSTPORT: 1455 case IP_RECVRTABLE: 1456 *mp = m = m_get(M_WAIT, MT_SOOPTS); 1457 m->m_len = sizeof(int); 1458 switch (optname) { 1459 1460 case IP_TOS: 1461 optval = inp->inp_ip.ip_tos; 1462 break; 1463 1464 case IP_TTL: 1465 optval = inp->inp_ip.ip_ttl; 1466 break; 1467 1468 case IP_MINTTL: 1469 optval = inp->inp_ip_minttl; 1470 break; 1471 1472 #define OPTBIT(bit) (inp->inp_flags & bit ? 1 : 0) 1473 1474 case IP_RECVOPTS: 1475 optval = OPTBIT(INP_RECVOPTS); 1476 break; 1477 1478 case IP_RECVRETOPTS: 1479 optval = OPTBIT(INP_RECVRETOPTS); 1480 break; 1481 1482 case IP_RECVDSTADDR: 1483 optval = OPTBIT(INP_RECVDSTADDR); 1484 break; 1485 case IP_RECVIF: 1486 optval = OPTBIT(INP_RECVIF); 1487 break; 1488 case IP_RECVTTL: 1489 optval = OPTBIT(INP_RECVTTL); 1490 break; 1491 case IP_RECVDSTPORT: 1492 optval = OPTBIT(INP_RECVDSTPORT); 1493 break; 1494 case IP_RECVRTABLE: 1495 optval = OPTBIT(INP_RECVRTABLE); 1496 break; 1497 } 1498 *mtod(m, int *) = optval; 1499 break; 1500 1501 case IP_MULTICAST_IF: 1502 case IP_MULTICAST_TTL: 1503 case IP_MULTICAST_LOOP: 1504 case IP_ADD_MEMBERSHIP: 1505 case IP_DROP_MEMBERSHIP: 1506 error = ip_getmoptions(optname, inp->inp_moptions, mp); 1507 break; 1508 1509 case IP_PORTRANGE: 1510 *mp = m = m_get(M_WAIT, MT_SOOPTS); 1511 m->m_len = sizeof(int); 1512 1513 if (inp->inp_flags & INP_HIGHPORT) 1514 optval = IP_PORTRANGE_HIGH; 1515 else if (inp->inp_flags & INP_LOWPORT) 1516 optval = IP_PORTRANGE_LOW; 1517 else 1518 optval = 0; 1519 1520 *mtod(m, int *) = optval; 1521 break; 1522 1523 case IP_AUTH_LEVEL: 1524 case IP_ESP_TRANS_LEVEL: 1525 case IP_ESP_NETWORK_LEVEL: 1526 case IP_IPCOMP_LEVEL: 1527 *mp = m = m_get(M_WAIT, MT_SOOPTS); 1528 #ifndef IPSEC 1529 m->m_len = sizeof(int); 1530 *mtod(m, int *) = IPSEC_LEVEL_NONE; 1531 #else 1532 m->m_len = sizeof(int); 1533 switch (optname) { 1534 case IP_AUTH_LEVEL: 1535 optval = inp->inp_seclevel[SL_AUTH]; 1536 break; 1537 1538 case IP_ESP_TRANS_LEVEL: 1539 optval = inp->inp_seclevel[SL_ESP_TRANS]; 1540 break; 1541 1542 case IP_ESP_NETWORK_LEVEL: 1543 optval = inp->inp_seclevel[SL_ESP_NETWORK]; 1544 break; 1545 case IP_IPCOMP_LEVEL: 1546 optval = inp->inp_seclevel[SL_IPCOMP]; 1547 break; 1548 } 1549 *mtod(m, int *) = optval; 1550 #endif 1551 break; 1552 case IP_IPSEC_LOCAL_ID: 1553 case IP_IPSEC_REMOTE_ID: 1554 case IP_IPSEC_LOCAL_CRED: 1555 case IP_IPSEC_REMOTE_CRED: 1556 case IP_IPSEC_LOCAL_AUTH: 1557 case IP_IPSEC_REMOTE_AUTH: 1558 #ifndef IPSEC 1559 error = EOPNOTSUPP; 1560 #else 1561 *mp = m = m_get(M_WAIT, MT_SOOPTS); 1562 m->m_len = sizeof(u_int16_t); 1563 ipr = NULL; 1564 switch (optname) { 1565 case IP_IPSEC_LOCAL_ID: 1566 if (inp->inp_ipo != NULL) 1567 ipr = inp->inp_ipo->ipo_srcid; 1568 opt16val = IPSP_IDENTITY_NONE; 1569 break; 1570 case IP_IPSEC_REMOTE_ID: 1571 if (inp->inp_ipo != NULL) 1572 ipr = inp->inp_ipo->ipo_dstid; 1573 opt16val = IPSP_IDENTITY_NONE; 1574 break; 1575 case IP_IPSEC_LOCAL_CRED: 1576 if (inp->inp_ipo != NULL) 1577 ipr = inp->inp_ipo->ipo_local_cred; 1578 opt16val = IPSP_CRED_NONE; 1579 break; 1580 case IP_IPSEC_REMOTE_CRED: 1581 ipr = inp->inp_ipsec_remotecred; 1582 opt16val = IPSP_CRED_NONE; 1583 break; 1584 case IP_IPSEC_LOCAL_AUTH: 1585 if (inp->inp_ipo != NULL) 1586 ipr = inp->inp_ipo->ipo_local_auth; 1587 opt16val = IPSP_AUTH_NONE; 1588 break; 1589 case IP_IPSEC_REMOTE_AUTH: 1590 ipr = inp->inp_ipsec_remoteauth; 1591 opt16val = IPSP_AUTH_NONE; 1592 break; 1593 } 1594 if (ipr == NULL) 1595 *mtod(m, u_int16_t *) = opt16val; 1596 else { 1597 size_t len; 1598 1599 len = m->m_len + ipr->ref_len; 1600 if (len > MCLBYTES) { 1601 m_free(m); 1602 error = EINVAL; 1603 break; 1604 } 1605 /* allocate mbuf cluster for larger option */ 1606 if (len > MLEN) { 1607 MCLGET(m, M_WAITOK); 1608 if ((m->m_flags & M_EXT) == 0) { 1609 m_free(m); 1610 error = ENOBUFS; 1611 break; 1612 } 1613 1614 } 1615 m->m_len = len; 1616 *mtod(m, u_int16_t *) = ipr->ref_type; 1617 m_copyback(m, sizeof(u_int16_t), ipr->ref_len, 1618 ipr + 1, M_NOWAIT); 1619 } 1620 #endif 1621 break; 1622 case SO_RTABLE: 1623 *mp = m = m_get(M_WAIT, MT_SOOPTS); 1624 m->m_len = sizeof(u_int); 1625 *mtod(m, u_int *) = inp->inp_rtableid; 1626 break; 1627 case IP_PIPEX: 1628 *mp = m = m_get(M_WAIT, MT_SOOPTS); 1629 m->m_len = sizeof(int); 1630 *mtod(m, int *) = inp->inp_pipex; 1631 break; 1632 default: 1633 error = ENOPROTOOPT; 1634 break; 1635 } 1636 break; 1637 } 1638 return (error); 1639 } 1640 1641 /* 1642 * Set up IP options in pcb for insertion in output packets. 1643 * Store in mbuf with pointer in pcbopt, adding pseudo-option 1644 * with destination address if source routed. 1645 */ 1646 int 1647 #ifdef notyet 1648 ip_pcbopts(optname, pcbopt, m) 1649 int optname; 1650 #else 1651 ip_pcbopts(pcbopt, m) 1652 #endif 1653 struct mbuf **pcbopt; 1654 struct mbuf *m; 1655 { 1656 int cnt, optlen; 1657 u_char *cp; 1658 u_char opt; 1659 1660 /* turn off any old options */ 1661 if (*pcbopt) 1662 (void)m_free(*pcbopt); 1663 *pcbopt = 0; 1664 if (m == (struct mbuf *)0 || m->m_len == 0) { 1665 /* 1666 * Only turning off any previous options. 1667 */ 1668 if (m) 1669 (void)m_free(m); 1670 return (0); 1671 } 1672 1673 if (m->m_len % sizeof(int32_t)) 1674 goto bad; 1675 1676 /* 1677 * IP first-hop destination address will be stored before 1678 * actual options; move other options back 1679 * and clear it when none present. 1680 */ 1681 if (m->m_data + m->m_len + sizeof(struct in_addr) >= &m->m_dat[MLEN]) 1682 goto bad; 1683 cnt = m->m_len; 1684 m->m_len += sizeof(struct in_addr); 1685 cp = mtod(m, u_char *) + sizeof(struct in_addr); 1686 ovbcopy(mtod(m, caddr_t), (caddr_t)cp, (unsigned)cnt); 1687 bzero(mtod(m, caddr_t), sizeof(struct in_addr)); 1688 1689 for (; cnt > 0; cnt -= optlen, cp += optlen) { 1690 opt = cp[IPOPT_OPTVAL]; 1691 if (opt == IPOPT_EOL) 1692 break; 1693 if (opt == IPOPT_NOP) 1694 optlen = 1; 1695 else { 1696 if (cnt < IPOPT_OLEN + sizeof(*cp)) 1697 goto bad; 1698 optlen = cp[IPOPT_OLEN]; 1699 if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) 1700 goto bad; 1701 } 1702 switch (opt) { 1703 1704 default: 1705 break; 1706 1707 case IPOPT_LSRR: 1708 case IPOPT_SSRR: 1709 /* 1710 * user process specifies route as: 1711 * ->A->B->C->D 1712 * D must be our final destination (but we can't 1713 * check that since we may not have connected yet). 1714 * A is first hop destination, which doesn't appear in 1715 * actual IP option, but is stored before the options. 1716 */ 1717 if (optlen < IPOPT_MINOFF - 1 + sizeof(struct in_addr)) 1718 goto bad; 1719 m->m_len -= sizeof(struct in_addr); 1720 cnt -= sizeof(struct in_addr); 1721 optlen -= sizeof(struct in_addr); 1722 cp[IPOPT_OLEN] = optlen; 1723 /* 1724 * Move first hop before start of options. 1725 */ 1726 bcopy((caddr_t)&cp[IPOPT_OFFSET+1], mtod(m, caddr_t), 1727 sizeof(struct in_addr)); 1728 /* 1729 * Then copy rest of options back 1730 * to close up the deleted entry. 1731 */ 1732 ovbcopy((caddr_t)(&cp[IPOPT_OFFSET+1] + 1733 sizeof(struct in_addr)), 1734 (caddr_t)&cp[IPOPT_OFFSET+1], 1735 (unsigned)cnt - (IPOPT_OFFSET+1)); 1736 break; 1737 } 1738 } 1739 if (m->m_len > MAX_IPOPTLEN + sizeof(struct in_addr)) 1740 goto bad; 1741 *pcbopt = m; 1742 return (0); 1743 1744 bad: 1745 (void)m_free(m); 1746 return (EINVAL); 1747 } 1748 1749 /* 1750 * Set the IP multicast options in response to user setsockopt(). 1751 */ 1752 int 1753 ip_setmoptions(int optname, struct ip_moptions **imop, struct mbuf *m, 1754 u_int rtableid) 1755 { 1756 int error = 0; 1757 u_char loop; 1758 int i; 1759 struct in_addr addr; 1760 struct ip_mreq *mreq; 1761 struct ifnet *ifp; 1762 struct ip_moptions *imo = *imop; 1763 struct in_multi **immp; 1764 struct route ro; 1765 struct sockaddr_in *dst; 1766 1767 if (imo == NULL) { 1768 /* 1769 * No multicast option buffer attached to the pcb; 1770 * allocate one and initialize to default values. 1771 */ 1772 imo = (struct ip_moptions *)malloc(sizeof(*imo), M_IPMOPTS, 1773 M_WAITOK|M_ZERO); 1774 immp = (struct in_multi **)malloc( 1775 (sizeof(*immp) * IP_MIN_MEMBERSHIPS), M_IPMOPTS, 1776 M_WAITOK|M_ZERO); 1777 *imop = imo; 1778 imo->imo_multicast_ifp = NULL; 1779 imo->imo_multicast_ttl = IP_DEFAULT_MULTICAST_TTL; 1780 imo->imo_multicast_loop = IP_DEFAULT_MULTICAST_LOOP; 1781 imo->imo_num_memberships = 0; 1782 imo->imo_max_memberships = IP_MIN_MEMBERSHIPS; 1783 imo->imo_membership = immp; 1784 } 1785 1786 switch (optname) { 1787 1788 case IP_MULTICAST_IF: 1789 /* 1790 * Select the interface for outgoing multicast packets. 1791 */ 1792 if (m == NULL || m->m_len != sizeof(struct in_addr)) { 1793 error = EINVAL; 1794 break; 1795 } 1796 addr = *(mtod(m, struct in_addr *)); 1797 /* 1798 * INADDR_ANY is used to remove a previous selection. 1799 * When no interface is selected, a default one is 1800 * chosen every time a multicast packet is sent. 1801 */ 1802 if (addr.s_addr == INADDR_ANY) { 1803 imo->imo_multicast_ifp = NULL; 1804 break; 1805 } 1806 /* 1807 * The selected interface is identified by its local 1808 * IP address. Find the interface and confirm that 1809 * it supports multicasting. 1810 */ 1811 INADDR_TO_IFP(addr, ifp, rtableid); 1812 if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0) { 1813 error = EADDRNOTAVAIL; 1814 break; 1815 } 1816 imo->imo_multicast_ifp = ifp; 1817 break; 1818 1819 case IP_MULTICAST_TTL: 1820 /* 1821 * Set the IP time-to-live for outgoing multicast packets. 1822 */ 1823 if (m == NULL || m->m_len != 1) { 1824 error = EINVAL; 1825 break; 1826 } 1827 imo->imo_multicast_ttl = *(mtod(m, u_char *)); 1828 break; 1829 1830 case IP_MULTICAST_LOOP: 1831 /* 1832 * Set the loopback flag for outgoing multicast packets. 1833 * Must be zero or one. 1834 */ 1835 if (m == NULL || m->m_len != 1 || 1836 (loop = *(mtod(m, u_char *))) > 1) { 1837 error = EINVAL; 1838 break; 1839 } 1840 imo->imo_multicast_loop = loop; 1841 break; 1842 1843 case IP_ADD_MEMBERSHIP: 1844 /* 1845 * Add a multicast group membership. 1846 * Group must be a valid IP multicast address. 1847 */ 1848 if (m == NULL || m->m_len != sizeof(struct ip_mreq)) { 1849 error = EINVAL; 1850 break; 1851 } 1852 mreq = mtod(m, struct ip_mreq *); 1853 if (!IN_MULTICAST(mreq->imr_multiaddr.s_addr)) { 1854 error = EINVAL; 1855 break; 1856 } 1857 /* 1858 * If no interface address was provided, use the interface of 1859 * the route to the given multicast address. 1860 */ 1861 if (mreq->imr_interface.s_addr == INADDR_ANY) { 1862 ro.ro_rt = NULL; 1863 dst = satosin(&ro.ro_dst); 1864 dst->sin_len = sizeof(*dst); 1865 dst->sin_family = AF_INET; 1866 dst->sin_addr = mreq->imr_multiaddr; 1867 if (!(ro.ro_rt && ro.ro_rt->rt_ifp && 1868 (ro.ro_rt->rt_flags & RTF_UP))) 1869 ro.ro_rt = rtalloc1(&ro.ro_dst, RT_REPORT, 1870 rtableid); 1871 if (ro.ro_rt == NULL) { 1872 error = EADDRNOTAVAIL; 1873 break; 1874 } 1875 ifp = ro.ro_rt->rt_ifp; 1876 rtfree(ro.ro_rt); 1877 } else { 1878 INADDR_TO_IFP(mreq->imr_interface, ifp, rtableid); 1879 } 1880 /* 1881 * See if we found an interface, and confirm that it 1882 * supports multicast. 1883 */ 1884 if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0) { 1885 error = EADDRNOTAVAIL; 1886 break; 1887 } 1888 /* 1889 * See if the membership already exists or if all the 1890 * membership slots are full. 1891 */ 1892 for (i = 0; i < imo->imo_num_memberships; ++i) { 1893 if (imo->imo_membership[i]->inm_ia->ia_ifp == ifp && 1894 imo->imo_membership[i]->inm_addr.s_addr 1895 == mreq->imr_multiaddr.s_addr) 1896 break; 1897 } 1898 if (i < imo->imo_num_memberships) { 1899 error = EADDRINUSE; 1900 break; 1901 } 1902 if (imo->imo_num_memberships == imo->imo_max_memberships) { 1903 struct in_multi **nmships, **omships; 1904 size_t newmax; 1905 /* 1906 * Resize the vector to next power-of-two minus 1. If the 1907 * size would exceed the maximum then we know we've really 1908 * run out of entries. Otherwise, we reallocate the vector. 1909 */ 1910 nmships = NULL; 1911 omships = imo->imo_membership; 1912 newmax = ((imo->imo_max_memberships + 1) * 2) - 1; 1913 if (newmax <= IP_MAX_MEMBERSHIPS) { 1914 nmships = (struct in_multi **)malloc( 1915 sizeof(*nmships) * newmax, M_IPMOPTS, 1916 M_NOWAIT|M_ZERO); 1917 if (nmships != NULL) { 1918 bcopy(omships, nmships, 1919 sizeof(*omships) * 1920 imo->imo_max_memberships); 1921 free(omships, M_IPMOPTS); 1922 imo->imo_membership = nmships; 1923 imo->imo_max_memberships = newmax; 1924 } 1925 } 1926 if (nmships == NULL) { 1927 error = ETOOMANYREFS; 1928 break; 1929 } 1930 } 1931 /* 1932 * Everything looks good; add a new record to the multicast 1933 * address list for the given interface. 1934 */ 1935 if ((imo->imo_membership[i] = 1936 in_addmulti(&mreq->imr_multiaddr, ifp)) == NULL) { 1937 error = ENOBUFS; 1938 break; 1939 } 1940 ++imo->imo_num_memberships; 1941 break; 1942 1943 case IP_DROP_MEMBERSHIP: 1944 /* 1945 * Drop a multicast group membership. 1946 * Group must be a valid IP multicast address. 1947 */ 1948 if (m == NULL || m->m_len != sizeof(struct ip_mreq)) { 1949 error = EINVAL; 1950 break; 1951 } 1952 mreq = mtod(m, struct ip_mreq *); 1953 if (!IN_MULTICAST(mreq->imr_multiaddr.s_addr)) { 1954 error = EINVAL; 1955 break; 1956 } 1957 /* 1958 * If an interface address was specified, get a pointer 1959 * to its ifnet structure. 1960 */ 1961 if (mreq->imr_interface.s_addr == INADDR_ANY) 1962 ifp = NULL; 1963 else { 1964 INADDR_TO_IFP(mreq->imr_interface, ifp, rtableid); 1965 if (ifp == NULL) { 1966 error = EADDRNOTAVAIL; 1967 break; 1968 } 1969 } 1970 /* 1971 * Find the membership in the membership array. 1972 */ 1973 for (i = 0; i < imo->imo_num_memberships; ++i) { 1974 if ((ifp == NULL || 1975 imo->imo_membership[i]->inm_ia->ia_ifp == ifp) && 1976 imo->imo_membership[i]->inm_addr.s_addr == 1977 mreq->imr_multiaddr.s_addr) 1978 break; 1979 } 1980 if (i == imo->imo_num_memberships) { 1981 error = EADDRNOTAVAIL; 1982 break; 1983 } 1984 /* 1985 * Give up the multicast address record to which the 1986 * membership points. 1987 */ 1988 in_delmulti(imo->imo_membership[i]); 1989 /* 1990 * Remove the gap in the membership array. 1991 */ 1992 for (++i; i < imo->imo_num_memberships; ++i) 1993 imo->imo_membership[i-1] = imo->imo_membership[i]; 1994 --imo->imo_num_memberships; 1995 break; 1996 1997 default: 1998 error = EOPNOTSUPP; 1999 break; 2000 } 2001 2002 /* 2003 * If all options have default values, no need to keep the data. 2004 */ 2005 if (imo->imo_multicast_ifp == NULL && 2006 imo->imo_multicast_ttl == IP_DEFAULT_MULTICAST_TTL && 2007 imo->imo_multicast_loop == IP_DEFAULT_MULTICAST_LOOP && 2008 imo->imo_num_memberships == 0) { 2009 free(imo->imo_membership , M_IPMOPTS); 2010 free(*imop, M_IPMOPTS); 2011 *imop = NULL; 2012 } 2013 2014 return (error); 2015 } 2016 2017 /* 2018 * Return the IP multicast options in response to user getsockopt(). 2019 */ 2020 int 2021 ip_getmoptions(optname, imo, mp) 2022 int optname; 2023 struct ip_moptions *imo; 2024 struct mbuf **mp; 2025 { 2026 u_char *ttl; 2027 u_char *loop; 2028 struct in_addr *addr; 2029 struct in_ifaddr *ia; 2030 2031 *mp = m_get(M_WAIT, MT_SOOPTS); 2032 2033 switch (optname) { 2034 2035 case IP_MULTICAST_IF: 2036 addr = mtod(*mp, struct in_addr *); 2037 (*mp)->m_len = sizeof(struct in_addr); 2038 if (imo == NULL || imo->imo_multicast_ifp == NULL) 2039 addr->s_addr = INADDR_ANY; 2040 else { 2041 IFP_TO_IA(imo->imo_multicast_ifp, ia); 2042 addr->s_addr = (ia == NULL) ? INADDR_ANY 2043 : ia->ia_addr.sin_addr.s_addr; 2044 } 2045 return (0); 2046 2047 case IP_MULTICAST_TTL: 2048 ttl = mtod(*mp, u_char *); 2049 (*mp)->m_len = 1; 2050 *ttl = (imo == NULL) ? IP_DEFAULT_MULTICAST_TTL 2051 : imo->imo_multicast_ttl; 2052 return (0); 2053 2054 case IP_MULTICAST_LOOP: 2055 loop = mtod(*mp, u_char *); 2056 (*mp)->m_len = 1; 2057 *loop = (imo == NULL) ? IP_DEFAULT_MULTICAST_LOOP 2058 : imo->imo_multicast_loop; 2059 return (0); 2060 2061 default: 2062 return (EOPNOTSUPP); 2063 } 2064 } 2065 2066 /* 2067 * Discard the IP multicast options. 2068 */ 2069 void 2070 ip_freemoptions(imo) 2071 struct ip_moptions *imo; 2072 { 2073 int i; 2074 2075 if (imo != NULL) { 2076 for (i = 0; i < imo->imo_num_memberships; ++i) 2077 in_delmulti(imo->imo_membership[i]); 2078 free(imo->imo_membership, M_IPMOPTS); 2079 free(imo, M_IPMOPTS); 2080 } 2081 } 2082 2083 /* 2084 * Routine called from ip_output() to loop back a copy of an IP multicast 2085 * packet to the input queue of a specified interface. Note that this 2086 * calls the output routine of the loopback "driver", but with an interface 2087 * pointer that might NOT be &loif -- easier than replicating that code here. 2088 */ 2089 void 2090 ip_mloopback(ifp, m, dst) 2091 struct ifnet *ifp; 2092 struct mbuf *m; 2093 struct sockaddr_in *dst; 2094 { 2095 struct ip *ip; 2096 struct mbuf *copym; 2097 2098 copym = m_copym2(m, 0, M_COPYALL, M_DONTWAIT); 2099 if (copym != NULL) { 2100 /* 2101 * We don't bother to fragment if the IP length is greater 2102 * than the interface's MTU. Can this possibly matter? 2103 */ 2104 ip = mtod(copym, struct ip *); 2105 ip->ip_sum = 0; 2106 ip->ip_sum = in_cksum(copym, ip->ip_hl << 2); 2107 (void) looutput(ifp, copym, sintosa(dst), NULL); 2108 } 2109 } 2110 2111 /* 2112 * Process a delayed payload checksum calculation. 2113 */ 2114 void 2115 in_delayed_cksum(struct mbuf *m) 2116 { 2117 struct ip *ip; 2118 u_int16_t csum, offset; 2119 2120 ip = mtod(m, struct ip *); 2121 offset = ip->ip_hl << 2; 2122 csum = in4_cksum(m, 0, offset, m->m_pkthdr.len - offset); 2123 if (csum == 0 && ip->ip_p == IPPROTO_UDP) 2124 csum = 0xffff; 2125 2126 switch (ip->ip_p) { 2127 case IPPROTO_TCP: 2128 offset += offsetof(struct tcphdr, th_sum); 2129 break; 2130 2131 case IPPROTO_UDP: 2132 offset += offsetof(struct udphdr, uh_sum); 2133 break; 2134 2135 default: 2136 return; 2137 } 2138 2139 if ((offset + sizeof(u_int16_t)) > m->m_len) 2140 m_copyback(m, offset, sizeof(csum), &csum, M_NOWAIT); 2141 else 2142 *(u_int16_t *)(mtod(m, caddr_t) + offset) = csum; 2143 } 2144 2145 void 2146 in_proto_cksum_out(struct mbuf *m, struct ifnet *ifp) 2147 { 2148 if (m->m_pkthdr.csum_flags & M_TCP_CSUM_OUT) { 2149 if (!ifp || !(ifp->if_capabilities & IFCAP_CSUM_TCPv4) || 2150 ifp->if_bridge != NULL) { 2151 in_delayed_cksum(m); 2152 m->m_pkthdr.csum_flags &= ~M_TCP_CSUM_OUT; /* Clear */ 2153 } 2154 } else if (m->m_pkthdr.csum_flags & M_UDP_CSUM_OUT) { 2155 if (!ifp || !(ifp->if_capabilities & IFCAP_CSUM_UDPv4) || 2156 ifp->if_bridge != NULL) { 2157 in_delayed_cksum(m); 2158 m->m_pkthdr.csum_flags &= ~M_UDP_CSUM_OUT; /* Clear */ 2159 } 2160 } else if (m->m_pkthdr.csum_flags & M_ICMP_CSUM_OUT) { 2161 struct ip *ip = mtod(m, struct ip *); 2162 int hlen; 2163 struct icmp *icp; 2164 2165 hlen = ip->ip_hl << 2; 2166 m->m_data += hlen; 2167 m->m_len -= hlen; 2168 icp = mtod(m, struct icmp *); 2169 icp->icmp_cksum = 0; 2170 icp->icmp_cksum = in_cksum(m, ntohs(ip->ip_len) - hlen); 2171 m->m_data -= hlen; 2172 m->m_len += hlen; 2173 m->m_pkthdr.csum_flags &= ~M_ICMP_CSUM_OUT; /* Clear */ 2174 } 2175 } 2176