1 /* $OpenBSD: ip6_input.c,v 1.237 2021/06/03 04:47:54 dlg Exp $ */ 2 /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ 3 4 /* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 /* 34 * Copyright (c) 1982, 1986, 1988, 1993 35 * The Regents of the University of California. All rights reserved. 36 * 37 * Redistribution and use in source and binary forms, with or without 38 * modification, are permitted provided that the following conditions 39 * are met: 40 * 1. Redistributions of source code must retain the above copyright 41 * notice, this list of conditions and the following disclaimer. 42 * 2. Redistributions in binary form must reproduce the above copyright 43 * notice, this list of conditions and the following disclaimer in the 44 * documentation and/or other materials provided with the distribution. 45 * 3. Neither the name of the University nor the names of its contributors 46 * may be used to endorse or promote products derived from this software 47 * without specific prior written permission. 48 * 49 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 50 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 51 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 52 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 53 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 54 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 55 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 56 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 57 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 58 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 59 * SUCH DAMAGE. 60 * 61 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 62 */ 63 64 #include "pf.h" 65 #include "carp.h" 66 67 #include <sys/param.h> 68 #include <sys/systm.h> 69 #include <sys/mbuf.h> 70 #include <sys/domain.h> 71 #include <sys/sysctl.h> 72 #include <sys/protosw.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <sys/errno.h> 76 #include <sys/time.h> 77 #include <sys/timeout.h> 78 #include <sys/kernel.h> 79 #include <sys/syslog.h> 80 #include <sys/task.h> 81 82 #include <net/if.h> 83 #include <net/if_var.h> 84 #include <net/if_types.h> 85 #include <net/route.h> 86 #include <net/netisr.h> 87 88 #include <netinet/in.h> 89 90 #include <netinet/ip.h> 91 92 #include <netinet/in_pcb.h> 93 #include <netinet/ip_var.h> 94 #include <netinet6/in6_var.h> 95 #include <netinet6/in6_ifattach.h> 96 #include <netinet/ip6.h> 97 #include <netinet6/ip6_var.h> 98 #include <netinet/icmp6.h> 99 #include <netinet6/nd6.h> 100 101 #include <netinet6/ip6protosw.h> 102 103 #include "gif.h" 104 #include "bpfilter.h" 105 106 #ifdef MROUTING 107 #include <netinet6/ip6_mroute.h> 108 #endif 109 110 #if NPF > 0 111 #include <net/pfvar.h> 112 #endif 113 114 #if NCARP > 0 115 #include <netinet/ip_carp.h> 116 #endif 117 118 struct cpumem *ip6counters; 119 120 uint8_t ip6_soiikey[IP6_SOIIKEY_LEN]; 121 122 int ip6_ours(struct mbuf **, int *, int, int); 123 int ip6_check_rh0hdr(struct mbuf *, int *); 124 int ip6_hbhchcheck(struct mbuf *, int *, int *, int *); 125 int ip6_hopopts_input(u_int32_t *, u_int32_t *, struct mbuf **, int *); 126 struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int); 127 int ip6_sysctl_soiikey(void *, size_t *, void *, size_t); 128 129 static struct mbuf_queue ip6send_mq; 130 131 static void ip6_send_dispatch(void *); 132 static struct task ip6send_task = 133 TASK_INITIALIZER(ip6_send_dispatch, &ip6send_mq); 134 135 /* 136 * IP6 initialization: fill in IP6 protocol switch table. 137 * All protocols not implemented in kernel go to raw IP6 protocol handler. 138 */ 139 void 140 ip6_init(void) 141 { 142 const struct protosw *pr; 143 int i; 144 145 pr = pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW); 146 if (pr == NULL) 147 panic("%s", __func__); 148 for (i = 0; i < IPPROTO_MAX; i++) 149 ip6_protox[i] = pr - inet6sw; 150 for (pr = inet6domain.dom_protosw; 151 pr < inet6domain.dom_protoswNPROTOSW; pr++) 152 if (pr->pr_domain->dom_family == PF_INET6 && 153 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW && 154 pr->pr_protocol < IPPROTO_MAX) 155 ip6_protox[pr->pr_protocol] = pr - inet6sw; 156 ip6_randomid_init(); 157 nd6_init(); 158 frag6_init(); 159 160 mq_init(&ip6send_mq, 64, IPL_SOFTNET); 161 162 ip6counters = counters_alloc(ip6s_ncounters); 163 } 164 165 void 166 ipv6_input(struct ifnet *ifp, struct mbuf *m) 167 { 168 int off, nxt; 169 170 off = 0; 171 nxt = ip6_input_if(&m, &off, IPPROTO_IPV6, AF_UNSPEC, ifp); 172 KASSERT(nxt == IPPROTO_DONE); 173 } 174 175 struct mbuf * 176 ipv6_check(struct ifnet *ifp, struct mbuf *m) 177 { 178 struct ip6_hdr *ip6; 179 180 if (m->m_len < sizeof(*ip6)) { 181 m = m_pullup(m, sizeof(*ip6)); 182 if (m == NULL) { 183 ip6stat_inc(ip6s_toosmall); 184 return (NULL); 185 } 186 } 187 188 ip6 = mtod(m, struct ip6_hdr *); 189 190 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 191 ip6stat_inc(ip6s_badvers); 192 goto bad; 193 } 194 195 /* 196 * Check against address spoofing/corruption. 197 */ 198 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) || 199 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) { 200 /* 201 * XXX: "badscope" is not very suitable for a multicast source. 202 */ 203 ip6stat_inc(ip6s_badscope); 204 goto bad; 205 } 206 if ((IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) || 207 IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) && 208 (ifp->if_flags & IFF_LOOPBACK) == 0) { 209 ip6stat_inc(ip6s_badscope); 210 goto bad; 211 } 212 /* Drop packets if interface ID portion is already filled. */ 213 if (((IN6_IS_SCOPE_EMBED(&ip6->ip6_src) && ip6->ip6_src.s6_addr16[1]) || 214 (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst) && ip6->ip6_dst.s6_addr16[1])) && 215 (ifp->if_flags & IFF_LOOPBACK) == 0) { 216 ip6stat_inc(ip6s_badscope); 217 goto bad; 218 } 219 if (IN6_IS_ADDR_MC_INTFACELOCAL(&ip6->ip6_dst) && 220 !(m->m_flags & M_LOOP)) { 221 /* 222 * In this case, the packet should come from the loopback 223 * interface. However, we cannot just check the if_flags, 224 * because ip6_mloopback() passes the "actual" interface 225 * as the outgoing/incoming interface. 226 */ 227 ip6stat_inc(ip6s_badscope); 228 goto bad; 229 } 230 231 /* 232 * The following check is not documented in specs. A malicious 233 * party may be able to use IPv4 mapped addr to confuse tcp/udp stack 234 * and bypass security checks (act as if it was from 127.0.0.1 by using 235 * IPv6 src ::ffff:127.0.0.1). Be cautious. 236 * 237 * This check chokes if we are in an SIIT cloud. As none of BSDs 238 * support IPv4-less kernel compilation, we cannot support SIIT 239 * environment at all. So, it makes more sense for us to reject any 240 * malicious packets for non-SIIT environment, than try to do a 241 * partial support for SIIT environment. 242 */ 243 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 244 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 245 ip6stat_inc(ip6s_badscope); 246 goto bad; 247 } 248 249 /* 250 * Reject packets with IPv4 compatible addresses (auto tunnel). 251 * 252 * The code forbids automatic tunneling as per RFC4213. 253 */ 254 if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) || 255 IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { 256 ip6stat_inc(ip6s_badscope); 257 goto bad; 258 } 259 260 return (m); 261 bad: 262 m_freem(m); 263 return (NULL); 264 } 265 266 int 267 ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp) 268 { 269 struct mbuf *m; 270 struct ip6_hdr *ip6; 271 struct sockaddr_in6 sin6; 272 struct rtentry *rt = NULL; 273 int ours = 0; 274 u_int16_t src_scope, dst_scope; 275 #if NPF > 0 276 struct in6_addr odst; 277 #endif 278 int srcrt = 0; 279 280 KASSERT(*offp == 0); 281 282 ip6stat_inc(ip6s_total); 283 284 m = *mp = ipv6_check(ifp, *mp); 285 if (m == NULL) 286 goto bad; 287 288 ip6 = mtod(m, struct ip6_hdr *); 289 290 #if NCARP > 0 291 if (carp_lsdrop(ifp, m, AF_INET6, ip6->ip6_src.s6_addr32, 292 ip6->ip6_dst.s6_addr32, (ip6->ip6_nxt == IPPROTO_ICMPV6 ? 0 : 1))) 293 goto bad; 294 #endif 295 ip6stat_inc(ip6s_nxthist + ip6->ip6_nxt); 296 297 /* 298 * If the packet has been received on a loopback interface it 299 * can be destinated to any local address, not necessarily to 300 * an address configured on `ifp'. 301 */ 302 if (ifp->if_flags & IFF_LOOPBACK) { 303 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) { 304 src_scope = ip6->ip6_src.s6_addr16[1]; 305 ip6->ip6_src.s6_addr16[1] = 0; 306 } 307 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) { 308 dst_scope = ip6->ip6_dst.s6_addr16[1]; 309 ip6->ip6_dst.s6_addr16[1] = 0; 310 } 311 } 312 313 #if NPF > 0 314 /* 315 * Packet filter 316 */ 317 odst = ip6->ip6_dst; 318 if (pf_test(AF_INET6, PF_IN, ifp, mp) != PF_PASS) 319 goto bad; 320 m = *mp; 321 if (m == NULL) 322 goto bad; 323 324 ip6 = mtod(m, struct ip6_hdr *); 325 srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); 326 #endif 327 328 /* 329 * Without embedded scope ID we cannot find link-local 330 * addresses in the routing table. 331 */ 332 if (ifp->if_flags & IFF_LOOPBACK) { 333 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) 334 ip6->ip6_src.s6_addr16[1] = src_scope; 335 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) 336 ip6->ip6_dst.s6_addr16[1] = dst_scope; 337 } else { 338 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) 339 ip6->ip6_src.s6_addr16[1] = htons(ifp->if_index); 340 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) 341 ip6->ip6_dst.s6_addr16[1] = htons(ifp->if_index); 342 } 343 344 /* 345 * Be more secure than RFC5095 and scan for type 0 routing headers. 346 * If pf has already scanned the header chain, do not do it twice. 347 */ 348 if (!(m->m_pkthdr.pf.flags & PF_TAG_PROCESSED) && 349 ip6_check_rh0hdr(m, offp)) { 350 ip6stat_inc(ip6s_badoptions); 351 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, *offp); 352 m = *mp = NULL; 353 goto bad; 354 } 355 356 #if NPF > 0 357 if (pf_ouraddr(m) == 1) { 358 nxt = ip6_ours(mp, offp, nxt, af); 359 goto out; 360 } 361 #endif 362 363 /* 364 * Multicast check 365 */ 366 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 367 /* 368 * Make sure M_MCAST is set. It should theoretically 369 * already be there, but let's play safe because upper 370 * layers check for this flag. 371 */ 372 m->m_flags |= M_MCAST; 373 374 /* 375 * See if we belong to the destination multicast group on the 376 * arrival interface. 377 */ 378 if (in6_hasmulti(&ip6->ip6_dst, ifp)) 379 ours = 1; 380 381 #ifdef MROUTING 382 if (ip6_mforwarding && ip6_mrouter[ifp->if_rdomain]) { 383 int error; 384 385 if (ip6_hbhchcheck(m, offp, &nxt, &ours)) 386 goto out; 387 388 ip6 = mtod(m, struct ip6_hdr *); 389 390 /* 391 * If we are acting as a multicast router, all 392 * incoming multicast packets are passed to the 393 * kernel-level multicast forwarding function. 394 * The packet is returned (relatively) intact; if 395 * ip6_mforward() returns a non-zero value, the packet 396 * must be discarded, else it may be accepted below. 397 */ 398 KERNEL_LOCK(); 399 error = ip6_mforward(ip6, ifp, m); 400 KERNEL_UNLOCK(); 401 if (error) { 402 ip6stat_inc(ip6s_cantforward); 403 goto bad; 404 } 405 406 if (ours) { 407 if (af == AF_UNSPEC) { 408 KERNEL_LOCK(); 409 nxt = ip_deliver(mp, offp, nxt, 410 AF_INET6); 411 KERNEL_UNLOCK(); 412 } 413 goto out; 414 } 415 goto bad; 416 } 417 #endif 418 if (!ours) { 419 ip6stat_inc(ip6s_notmember); 420 if (!IN6_IS_ADDR_MC_LINKLOCAL(&ip6->ip6_dst)) 421 ip6stat_inc(ip6s_cantforward); 422 goto bad; 423 } 424 nxt = ip6_ours(mp, offp, nxt, af); 425 goto out; 426 } 427 428 429 /* 430 * Unicast check 431 */ 432 memset(&sin6, 0, sizeof(struct sockaddr_in6)); 433 sin6.sin6_len = sizeof(struct sockaddr_in6); 434 sin6.sin6_family = AF_INET6; 435 sin6.sin6_addr = ip6->ip6_dst; 436 rt = rtalloc_mpath(sin6tosa(&sin6), &ip6->ip6_src.s6_addr32[0], 437 m->m_pkthdr.ph_rtableid); 438 439 /* 440 * Accept the packet if the route to the destination is marked 441 * as local. 442 */ 443 if (rtisvalid(rt) && ISSET(rt->rt_flags, RTF_LOCAL)) { 444 struct in6_ifaddr *ia6 = ifatoia6(rt->rt_ifa); 445 446 if (ip6_forwarding == 0 && rt->rt_ifidx != ifp->if_index && 447 !((ifp->if_flags & IFF_LOOPBACK) || 448 (ifp->if_type == IFT_ENC) || 449 (m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST))) { 450 /* received on wrong interface */ 451 #if NCARP > 0 452 struct ifnet *out_if; 453 454 /* 455 * Virtual IPs on carp interfaces need to be checked 456 * also against the parent interface and other carp 457 * interfaces sharing the same parent. 458 */ 459 out_if = if_get(rt->rt_ifidx); 460 if (!(out_if && carp_strict_addr_chk(out_if, ifp))) { 461 ip6stat_inc(ip6s_wrongif); 462 if_put(out_if); 463 goto bad; 464 } 465 if_put(out_if); 466 #else 467 ip6stat_inc(ip6s_wrongif); 468 goto bad; 469 #endif 470 } 471 /* 472 * packets to a tentative, duplicated, or somehow invalid 473 * address must not be accepted. 474 */ 475 if ((ia6->ia6_flags & (IN6_IFF_TENTATIVE|IN6_IFF_DUPLICATED))) { 476 char src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN]; 477 478 inet_ntop(AF_INET6, &ip6->ip6_src, src, sizeof(src)); 479 inet_ntop(AF_INET6, &ip6->ip6_dst, dst, sizeof(dst)); 480 /* address is not ready, so discard the packet. */ 481 nd6log((LOG_INFO, 482 "%s: packet to an unready address %s->%s\n", 483 __func__, src, dst)); 484 485 goto bad; 486 } else { 487 nxt = ip6_ours(mp, offp, nxt, af); 488 goto out; 489 } 490 } 491 492 #if NCARP > 0 493 if (ip6->ip6_nxt == IPPROTO_ICMPV6 && 494 carp_lsdrop(ifp, m, AF_INET6, ip6->ip6_src.s6_addr32, 495 ip6->ip6_dst.s6_addr32, 1)) 496 goto bad; 497 #endif 498 /* 499 * Now there is no reason to process the packet if it's not our own 500 * and we're not a router. 501 */ 502 if (!ip6_forwarding) { 503 ip6stat_inc(ip6s_cantforward); 504 goto bad; 505 } 506 507 if (ip6_hbhchcheck(m, offp, &nxt, &ours)) 508 goto out; 509 510 if (ours) { 511 if (af == AF_UNSPEC) { 512 KERNEL_LOCK(); 513 nxt = ip_deliver(mp, offp, nxt, AF_INET6); 514 KERNEL_UNLOCK(); 515 } 516 goto out; 517 } 518 519 #ifdef IPSEC 520 if (ipsec_in_use) { 521 int rv; 522 523 rv = ipsec_forward_check(m, *offp, AF_INET6); 524 if (rv != 0) { 525 ip6stat_inc(ip6s_cantforward); 526 goto bad; 527 } 528 /* 529 * Fall through, forward packet. Outbound IPsec policy 530 * checking will occur in ip6_forward(). 531 */ 532 } 533 #endif /* IPSEC */ 534 535 ip6_forward(m, rt, srcrt); 536 *mp = NULL; 537 return IPPROTO_DONE; 538 bad: 539 nxt = IPPROTO_DONE; 540 m_freemp(mp); 541 out: 542 rtfree(rt); 543 return nxt; 544 } 545 546 int 547 ip6_ours(struct mbuf **mp, int *offp, int nxt, int af) 548 { 549 if (ip6_hbhchcheck(*mp, offp, &nxt, NULL)) 550 return IPPROTO_DONE; 551 552 /* Check whether we are already in a IPv4/IPv6 local deliver loop. */ 553 if (af == AF_UNSPEC) 554 nxt = ip_deliver(mp, offp, nxt, AF_INET6); 555 return nxt; 556 } 557 558 int 559 ip6_hbhchcheck(struct mbuf *m, int *offp, int *nxtp, int *oursp) 560 { 561 struct ip6_hdr *ip6; 562 u_int32_t plen, rtalert = ~0; 563 564 ip6 = mtod(m, struct ip6_hdr *); 565 566 /* 567 * Process Hop-by-Hop options header if it's contained. 568 * m may be modified in ip6_hopopts_input(). 569 * If a JumboPayload option is included, plen will also be modified. 570 */ 571 plen = (u_int32_t)ntohs(ip6->ip6_plen); 572 *offp = sizeof(struct ip6_hdr); 573 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 574 struct ip6_hbh *hbh; 575 576 if (ip6_hopopts_input(&plen, &rtalert, &m, offp)) { 577 goto bad; /* m have already been freed */ 578 } 579 580 /* adjust pointer */ 581 ip6 = mtod(m, struct ip6_hdr *); 582 583 /* 584 * if the payload length field is 0 and the next header field 585 * indicates Hop-by-Hop Options header, then a Jumbo Payload 586 * option MUST be included. 587 */ 588 if (ip6->ip6_plen == 0 && plen == 0) { 589 /* 590 * Note that if a valid jumbo payload option is 591 * contained, ip6_hopopts_input() must set a valid 592 * (non-zero) payload length to the variable plen. 593 */ 594 ip6stat_inc(ip6s_badoptions); 595 icmp6_error(m, ICMP6_PARAM_PROB, 596 ICMP6_PARAMPROB_HEADER, 597 (caddr_t)&ip6->ip6_plen - (caddr_t)ip6); 598 goto bad; 599 } 600 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 601 sizeof(struct ip6_hbh)); 602 if (hbh == NULL) { 603 ip6stat_inc(ip6s_tooshort); 604 goto bad; 605 } 606 *nxtp = hbh->ip6h_nxt; 607 608 /* 609 * accept the packet if a router alert option is included 610 * and we act as an IPv6 router. 611 */ 612 if (rtalert != ~0 && ip6_forwarding && oursp != NULL) 613 *oursp = 1; 614 } else 615 *nxtp = ip6->ip6_nxt; 616 617 /* 618 * Check that the amount of data in the buffers 619 * is as at least much as the IPv6 header would have us expect. 620 * Trim mbufs if longer than we expect. 621 * Drop packet if shorter than we expect. 622 */ 623 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) { 624 ip6stat_inc(ip6s_tooshort); 625 m_freem(m); 626 goto bad; 627 } 628 if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) { 629 if (m->m_len == m->m_pkthdr.len) { 630 m->m_len = sizeof(struct ip6_hdr) + plen; 631 m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen; 632 } else { 633 m_adj(m, 634 sizeof(struct ip6_hdr) + plen - m->m_pkthdr.len); 635 } 636 } 637 638 return (0); 639 640 bad: 641 *nxtp = IPPROTO_DONE; 642 return (-1); 643 } 644 645 /* scan packet for RH0 routing header. Mostly stolen from pf.c:pf_test() */ 646 int 647 ip6_check_rh0hdr(struct mbuf *m, int *offp) 648 { 649 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 650 struct ip6_rthdr rthdr; 651 struct ip6_ext opt6; 652 u_int8_t proto = ip6->ip6_nxt; 653 int done = 0, lim, off, rh_cnt = 0; 654 655 off = ((caddr_t)ip6 - m->m_data) + sizeof(struct ip6_hdr); 656 lim = min(m->m_pkthdr.len, ntohs(ip6->ip6_plen) + sizeof(*ip6)); 657 do { 658 switch (proto) { 659 case IPPROTO_ROUTING: 660 *offp = off; 661 if (rh_cnt++) { 662 /* more than one rh header present */ 663 return (1); 664 } 665 666 if (off + sizeof(rthdr) > lim) { 667 /* packet to short to make sense */ 668 return (1); 669 } 670 671 m_copydata(m, off, sizeof(rthdr), &rthdr); 672 673 if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) { 674 *offp += offsetof(struct ip6_rthdr, ip6r_type); 675 return (1); 676 } 677 678 off += (rthdr.ip6r_len + 1) * 8; 679 proto = rthdr.ip6r_nxt; 680 break; 681 case IPPROTO_AH: 682 case IPPROTO_HOPOPTS: 683 case IPPROTO_DSTOPTS: 684 /* get next header and header length */ 685 if (off + sizeof(opt6) > lim) { 686 /* 687 * Packet to short to make sense, we could 688 * reject the packet but as a router we 689 * should not do that so forward it. 690 */ 691 return (0); 692 } 693 694 m_copydata(m, off, sizeof(opt6), &opt6); 695 696 if (proto == IPPROTO_AH) 697 off += (opt6.ip6e_len + 2) * 4; 698 else 699 off += (opt6.ip6e_len + 1) * 8; 700 proto = opt6.ip6e_nxt; 701 break; 702 case IPPROTO_FRAGMENT: 703 default: 704 /* end of header stack */ 705 done = 1; 706 break; 707 } 708 } while (!done); 709 710 return (0); 711 } 712 713 /* 714 * Hop-by-Hop options header processing. If a valid jumbo payload option is 715 * included, the real payload length will be stored in plenp. 716 * 717 * rtalertp - XXX: should be stored in a more smart way 718 */ 719 int 720 ip6_hopopts_input(u_int32_t *plenp, u_int32_t *rtalertp, struct mbuf **mp, 721 int *offp) 722 { 723 struct mbuf *m = *mp; 724 int off = *offp, hbhlen; 725 struct ip6_hbh *hbh; 726 727 /* validation of the length of the header */ 728 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, 729 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh)); 730 if (hbh == NULL) { 731 ip6stat_inc(ip6s_tooshort); 732 return -1; 733 } 734 hbhlen = (hbh->ip6h_len + 1) << 3; 735 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 736 hbhlen); 737 if (hbh == NULL) { 738 ip6stat_inc(ip6s_tooshort); 739 return -1; 740 } 741 off += hbhlen; 742 hbhlen -= sizeof(struct ip6_hbh); 743 744 if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh), 745 hbhlen, rtalertp, plenp) < 0) 746 return (-1); 747 748 *offp = off; 749 *mp = m; 750 return (0); 751 } 752 753 /* 754 * Search header for all Hop-by-hop options and process each option. 755 * This function is separate from ip6_hopopts_input() in order to 756 * handle a case where the sending node itself process its hop-by-hop 757 * options header. In such a case, the function is called from ip6_output(). 758 * 759 * The function assumes that hbh header is located right after the IPv6 header 760 * (RFC2460 p7), opthead is pointer into data content in m, and opthead to 761 * opthead + hbhlen is located in continuous memory region. 762 */ 763 int 764 ip6_process_hopopts(struct mbuf *m, u_int8_t *opthead, int hbhlen, 765 u_int32_t *rtalertp, u_int32_t *plenp) 766 { 767 struct ip6_hdr *ip6; 768 int optlen = 0; 769 u_int8_t *opt = opthead; 770 u_int16_t rtalert_val; 771 u_int32_t jumboplen; 772 const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh); 773 774 for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) { 775 switch (*opt) { 776 case IP6OPT_PAD1: 777 optlen = 1; 778 break; 779 case IP6OPT_PADN: 780 if (hbhlen < IP6OPT_MINLEN) { 781 ip6stat_inc(ip6s_toosmall); 782 goto bad; 783 } 784 optlen = *(opt + 1) + 2; 785 break; 786 case IP6OPT_ROUTER_ALERT: 787 /* XXX may need check for alignment */ 788 if (hbhlen < IP6OPT_RTALERT_LEN) { 789 ip6stat_inc(ip6s_toosmall); 790 goto bad; 791 } 792 if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) { 793 /* XXX stat */ 794 icmp6_error(m, ICMP6_PARAM_PROB, 795 ICMP6_PARAMPROB_HEADER, 796 erroff + opt + 1 - opthead); 797 return (-1); 798 } 799 optlen = IP6OPT_RTALERT_LEN; 800 memcpy((caddr_t)&rtalert_val, (caddr_t)(opt + 2), 2); 801 *rtalertp = ntohs(rtalert_val); 802 break; 803 case IP6OPT_JUMBO: 804 /* XXX may need check for alignment */ 805 if (hbhlen < IP6OPT_JUMBO_LEN) { 806 ip6stat_inc(ip6s_toosmall); 807 goto bad; 808 } 809 if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) { 810 /* XXX stat */ 811 icmp6_error(m, ICMP6_PARAM_PROB, 812 ICMP6_PARAMPROB_HEADER, 813 erroff + opt + 1 - opthead); 814 return (-1); 815 } 816 optlen = IP6OPT_JUMBO_LEN; 817 818 /* 819 * IPv6 packets that have non 0 payload length 820 * must not contain a jumbo payload option. 821 */ 822 ip6 = mtod(m, struct ip6_hdr *); 823 if (ip6->ip6_plen) { 824 ip6stat_inc(ip6s_badoptions); 825 icmp6_error(m, ICMP6_PARAM_PROB, 826 ICMP6_PARAMPROB_HEADER, 827 erroff + opt - opthead); 828 return (-1); 829 } 830 831 /* 832 * We may see jumbolen in unaligned location, so 833 * we'd need to perform memcpy(). 834 */ 835 memcpy(&jumboplen, opt + 2, sizeof(jumboplen)); 836 jumboplen = (u_int32_t)htonl(jumboplen); 837 838 #if 1 839 /* 840 * if there are multiple jumbo payload options, 841 * *plenp will be non-zero and the packet will be 842 * rejected. 843 * the behavior may need some debate in ipngwg - 844 * multiple options does not make sense, however, 845 * there's no explicit mention in specification. 846 */ 847 if (*plenp != 0) { 848 ip6stat_inc(ip6s_badoptions); 849 icmp6_error(m, ICMP6_PARAM_PROB, 850 ICMP6_PARAMPROB_HEADER, 851 erroff + opt + 2 - opthead); 852 return (-1); 853 } 854 #endif 855 856 /* 857 * jumbo payload length must be larger than 65535. 858 */ 859 if (jumboplen <= IPV6_MAXPACKET) { 860 ip6stat_inc(ip6s_badoptions); 861 icmp6_error(m, ICMP6_PARAM_PROB, 862 ICMP6_PARAMPROB_HEADER, 863 erroff + opt + 2 - opthead); 864 return (-1); 865 } 866 *plenp = jumboplen; 867 868 break; 869 default: /* unknown option */ 870 if (hbhlen < IP6OPT_MINLEN) { 871 ip6stat_inc(ip6s_toosmall); 872 goto bad; 873 } 874 optlen = ip6_unknown_opt(opt, m, 875 erroff + opt - opthead); 876 if (optlen == -1) 877 return (-1); 878 optlen += 2; 879 break; 880 } 881 } 882 883 return (0); 884 885 bad: 886 m_freem(m); 887 return (-1); 888 } 889 890 /* 891 * Unknown option processing. 892 * The third argument `off' is the offset from the IPv6 header to the option, 893 * which allows returning an ICMPv6 error even if the IPv6 header and the 894 * option header are not continuous. 895 */ 896 int 897 ip6_unknown_opt(u_int8_t *optp, struct mbuf *m, int off) 898 { 899 struct ip6_hdr *ip6; 900 901 switch (IP6OPT_TYPE(*optp)) { 902 case IP6OPT_TYPE_SKIP: /* ignore the option */ 903 return ((int)*(optp + 1)); 904 case IP6OPT_TYPE_DISCARD: /* silently discard */ 905 m_freem(m); 906 return (-1); 907 case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */ 908 ip6stat_inc(ip6s_badoptions); 909 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off); 910 return (-1); 911 case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */ 912 ip6stat_inc(ip6s_badoptions); 913 ip6 = mtod(m, struct ip6_hdr *); 914 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) || 915 (m->m_flags & (M_BCAST|M_MCAST))) 916 m_freem(m); 917 else 918 icmp6_error(m, ICMP6_PARAM_PROB, 919 ICMP6_PARAMPROB_OPTION, off); 920 return (-1); 921 } 922 923 m_freem(m); /* XXX: NOTREACHED */ 924 return (-1); 925 } 926 927 /* 928 * Create the "control" list for this pcb. 929 * 930 * The routine will be called from upper layer handlers like udp_input(). 931 * Thus the routine assumes that the caller (udp_input) have already 932 * called IP6_EXTHDR_CHECK() and all the extension headers are located in the 933 * very first mbuf on the mbuf chain. 934 * We may want to add some infinite loop prevention or sanity checks for safety. 935 * (This applies only when you are using KAME mbuf chain restriction, i.e. 936 * you are using IP6_EXTHDR_CHECK() not m_pulldown()) 937 */ 938 void 939 ip6_savecontrol(struct inpcb *in6p, struct mbuf *m, struct mbuf **mp) 940 { 941 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 942 943 if (in6p->inp_socket->so_options & SO_TIMESTAMP) { 944 struct timeval tv; 945 946 m_microtime(m, &tv); 947 *mp = sbcreatecontrol((caddr_t) &tv, sizeof(tv), 948 SCM_TIMESTAMP, SOL_SOCKET); 949 if (*mp) 950 mp = &(*mp)->m_next; 951 } 952 953 /* RFC 2292 sec. 5 */ 954 if ((in6p->inp_flags & IN6P_PKTINFO) != 0) { 955 struct in6_pktinfo pi6; 956 memcpy(&pi6.ipi6_addr, &ip6->ip6_dst, sizeof(struct in6_addr)); 957 if (IN6_IS_SCOPE_EMBED(&pi6.ipi6_addr)) 958 pi6.ipi6_addr.s6_addr16[1] = 0; 959 pi6.ipi6_ifindex = m ? m->m_pkthdr.ph_ifidx : 0; 960 *mp = sbcreatecontrol((caddr_t) &pi6, 961 sizeof(struct in6_pktinfo), 962 IPV6_PKTINFO, IPPROTO_IPV6); 963 if (*mp) 964 mp = &(*mp)->m_next; 965 } 966 967 if ((in6p->inp_flags & IN6P_HOPLIMIT) != 0) { 968 int hlim = ip6->ip6_hlim & 0xff; 969 *mp = sbcreatecontrol((caddr_t) &hlim, sizeof(int), 970 IPV6_HOPLIMIT, IPPROTO_IPV6); 971 if (*mp) 972 mp = &(*mp)->m_next; 973 } 974 975 if ((in6p->inp_flags & IN6P_TCLASS) != 0) { 976 u_int32_t flowinfo; 977 int tclass; 978 979 flowinfo = (u_int32_t)ntohl(ip6->ip6_flow & IPV6_FLOWINFO_MASK); 980 flowinfo >>= 20; 981 982 tclass = flowinfo & 0xff; 983 *mp = sbcreatecontrol((caddr_t)&tclass, sizeof(tclass), 984 IPV6_TCLASS, IPPROTO_IPV6); 985 if (*mp) 986 mp = &(*mp)->m_next; 987 } 988 989 /* 990 * IPV6_HOPOPTS socket option. Recall that we required super-user 991 * privilege for the option (see ip6_ctloutput), but it might be too 992 * strict, since there might be some hop-by-hop options which can be 993 * returned to normal user. 994 * See also RFC 2292 section 6 (or RFC 3542 section 8). 995 */ 996 if ((in6p->inp_flags & IN6P_HOPOPTS) != 0) { 997 /* 998 * Check if a hop-by-hop options header is contained in the 999 * received packet, and if so, store the options as ancillary 1000 * data. Note that a hop-by-hop options header must be 1001 * just after the IPv6 header, which is assured through the 1002 * IPv6 input processing. 1003 */ 1004 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1005 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 1006 struct ip6_hbh *hbh; 1007 int hbhlen = 0; 1008 struct mbuf *ext; 1009 1010 ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr), 1011 ip6->ip6_nxt); 1012 if (ext == NULL) { 1013 ip6stat_inc(ip6s_tooshort); 1014 return; 1015 } 1016 hbh = mtod(ext, struct ip6_hbh *); 1017 hbhlen = (hbh->ip6h_len + 1) << 3; 1018 if (hbhlen != ext->m_len) { 1019 m_freem(ext); 1020 ip6stat_inc(ip6s_tooshort); 1021 return; 1022 } 1023 1024 /* 1025 * XXX: We copy the whole header even if a 1026 * jumbo payload option is included, the option which 1027 * is to be removed before returning according to 1028 * RFC2292. 1029 * Note: this constraint is removed in RFC3542. 1030 */ 1031 *mp = sbcreatecontrol((caddr_t)hbh, hbhlen, 1032 IPV6_HOPOPTS, 1033 IPPROTO_IPV6); 1034 if (*mp) 1035 mp = &(*mp)->m_next; 1036 m_freem(ext); 1037 } 1038 } 1039 1040 /* IPV6_DSTOPTS and IPV6_RTHDR socket options */ 1041 if ((in6p->inp_flags & (IN6P_RTHDR | IN6P_DSTOPTS)) != 0) { 1042 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1043 int nxt = ip6->ip6_nxt, off = sizeof(struct ip6_hdr); 1044 1045 /* 1046 * Search for destination options headers or routing 1047 * header(s) through the header chain, and stores each 1048 * header as ancillary data. 1049 * Note that the order of the headers remains in 1050 * the chain of ancillary data. 1051 */ 1052 while (1) { /* is explicit loop prevention necessary? */ 1053 struct ip6_ext *ip6e = NULL; 1054 int elen; 1055 struct mbuf *ext = NULL; 1056 1057 /* 1058 * if it is not an extension header, don't try to 1059 * pull it from the chain. 1060 */ 1061 switch (nxt) { 1062 case IPPROTO_DSTOPTS: 1063 case IPPROTO_ROUTING: 1064 case IPPROTO_HOPOPTS: 1065 case IPPROTO_AH: /* is it possible? */ 1066 break; 1067 default: 1068 goto loopend; 1069 } 1070 1071 ext = ip6_pullexthdr(m, off, nxt); 1072 if (ext == NULL) { 1073 ip6stat_inc(ip6s_tooshort); 1074 return; 1075 } 1076 ip6e = mtod(ext, struct ip6_ext *); 1077 if (nxt == IPPROTO_AH) 1078 elen = (ip6e->ip6e_len + 2) << 2; 1079 else 1080 elen = (ip6e->ip6e_len + 1) << 3; 1081 if (elen != ext->m_len) { 1082 m_freem(ext); 1083 ip6stat_inc(ip6s_tooshort); 1084 return; 1085 } 1086 1087 switch (nxt) { 1088 case IPPROTO_DSTOPTS: 1089 if (!(in6p->inp_flags & IN6P_DSTOPTS)) 1090 break; 1091 1092 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1093 IPV6_DSTOPTS, 1094 IPPROTO_IPV6); 1095 if (*mp) 1096 mp = &(*mp)->m_next; 1097 break; 1098 1099 case IPPROTO_ROUTING: 1100 if (!(in6p->inp_flags & IN6P_RTHDR)) 1101 break; 1102 1103 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1104 IPV6_RTHDR, 1105 IPPROTO_IPV6); 1106 if (*mp) 1107 mp = &(*mp)->m_next; 1108 break; 1109 1110 case IPPROTO_HOPOPTS: 1111 case IPPROTO_AH: /* is it possible? */ 1112 break; 1113 1114 default: 1115 /* 1116 * other cases have been filtered in the above. 1117 * none will visit this case. here we supply 1118 * the code just in case (nxt overwritten or 1119 * other cases). 1120 */ 1121 m_freem(ext); 1122 goto loopend; 1123 1124 } 1125 1126 /* proceed with the next header. */ 1127 off += elen; 1128 nxt = ip6e->ip6e_nxt; 1129 ip6e = NULL; 1130 m_freem(ext); 1131 ext = NULL; 1132 } 1133 loopend: 1134 ; 1135 } 1136 } 1137 1138 /* 1139 * pull single extension header from mbuf chain. returns single mbuf that 1140 * contains the result, or NULL on error. 1141 */ 1142 struct mbuf * 1143 ip6_pullexthdr(struct mbuf *m, size_t off, int nxt) 1144 { 1145 struct ip6_ext ip6e; 1146 size_t elen; 1147 struct mbuf *n; 1148 1149 #ifdef DIAGNOSTIC 1150 switch (nxt) { 1151 case IPPROTO_DSTOPTS: 1152 case IPPROTO_ROUTING: 1153 case IPPROTO_HOPOPTS: 1154 case IPPROTO_AH: /* is it possible? */ 1155 break; 1156 default: 1157 printf("ip6_pullexthdr: invalid nxt=%d\n", nxt); 1158 } 1159 #endif 1160 1161 if (off + sizeof(ip6e) > m->m_pkthdr.len) 1162 return NULL; 1163 1164 m_copydata(m, off, sizeof(ip6e), &ip6e); 1165 if (nxt == IPPROTO_AH) 1166 elen = (ip6e.ip6e_len + 2) << 2; 1167 else 1168 elen = (ip6e.ip6e_len + 1) << 3; 1169 1170 if (off + elen > m->m_pkthdr.len) 1171 return NULL; 1172 1173 MGET(n, M_DONTWAIT, MT_DATA); 1174 if (n && elen >= MLEN) { 1175 MCLGET(n, M_DONTWAIT); 1176 if ((n->m_flags & M_EXT) == 0) { 1177 m_free(n); 1178 n = NULL; 1179 } 1180 } 1181 if (!n) 1182 return NULL; 1183 1184 n->m_len = 0; 1185 if (elen >= m_trailingspace(n)) { 1186 m_free(n); 1187 return NULL; 1188 } 1189 1190 m_copydata(m, off, elen, mtod(n, caddr_t)); 1191 n->m_len = elen; 1192 return n; 1193 } 1194 1195 /* 1196 * Get offset to the previous header followed by the header 1197 * currently processed. 1198 */ 1199 int 1200 ip6_get_prevhdr(struct mbuf *m, int off) 1201 { 1202 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1203 1204 if (off == sizeof(struct ip6_hdr)) { 1205 return offsetof(struct ip6_hdr, ip6_nxt); 1206 } else if (off < sizeof(struct ip6_hdr)) { 1207 panic("%s: off < sizeof(struct ip6_hdr)", __func__); 1208 } else { 1209 int len, nlen, nxt; 1210 struct ip6_ext ip6e; 1211 1212 nxt = ip6->ip6_nxt; 1213 len = sizeof(struct ip6_hdr); 1214 nlen = 0; 1215 while (len < off) { 1216 m_copydata(m, len, sizeof(ip6e), &ip6e); 1217 1218 switch (nxt) { 1219 case IPPROTO_FRAGMENT: 1220 nlen = sizeof(struct ip6_frag); 1221 break; 1222 case IPPROTO_AH: 1223 nlen = (ip6e.ip6e_len + 2) << 2; 1224 break; 1225 default: 1226 nlen = (ip6e.ip6e_len + 1) << 3; 1227 break; 1228 } 1229 len += nlen; 1230 nxt = ip6e.ip6e_nxt; 1231 } 1232 1233 return (len - nlen); 1234 } 1235 } 1236 1237 /* 1238 * get next header offset. m will be retained. 1239 */ 1240 int 1241 ip6_nexthdr(struct mbuf *m, int off, int proto, int *nxtp) 1242 { 1243 struct ip6_hdr ip6; 1244 struct ip6_ext ip6e; 1245 struct ip6_frag fh; 1246 1247 /* just in case */ 1248 if (m == NULL) 1249 panic("%s: m == NULL", __func__); 1250 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off) 1251 return -1; 1252 1253 switch (proto) { 1254 case IPPROTO_IPV6: 1255 if (m->m_pkthdr.len < off + sizeof(ip6)) 1256 return -1; 1257 m_copydata(m, off, sizeof(ip6), &ip6); 1258 if (nxtp) 1259 *nxtp = ip6.ip6_nxt; 1260 off += sizeof(ip6); 1261 return off; 1262 1263 case IPPROTO_FRAGMENT: 1264 /* 1265 * terminate parsing if it is not the first fragment, 1266 * it does not make sense to parse through it. 1267 */ 1268 if (m->m_pkthdr.len < off + sizeof(fh)) 1269 return -1; 1270 m_copydata(m, off, sizeof(fh), &fh); 1271 if ((fh.ip6f_offlg & IP6F_OFF_MASK) != 0) 1272 return -1; 1273 if (nxtp) 1274 *nxtp = fh.ip6f_nxt; 1275 off += sizeof(struct ip6_frag); 1276 return off; 1277 1278 case IPPROTO_AH: 1279 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1280 return -1; 1281 m_copydata(m, off, sizeof(ip6e), &ip6e); 1282 if (nxtp) 1283 *nxtp = ip6e.ip6e_nxt; 1284 off += (ip6e.ip6e_len + 2) << 2; 1285 if (m->m_pkthdr.len < off) 1286 return -1; 1287 return off; 1288 1289 case IPPROTO_HOPOPTS: 1290 case IPPROTO_ROUTING: 1291 case IPPROTO_DSTOPTS: 1292 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1293 return -1; 1294 m_copydata(m, off, sizeof(ip6e), &ip6e); 1295 if (nxtp) 1296 *nxtp = ip6e.ip6e_nxt; 1297 off += (ip6e.ip6e_len + 1) << 3; 1298 if (m->m_pkthdr.len < off) 1299 return -1; 1300 return off; 1301 1302 case IPPROTO_NONE: 1303 case IPPROTO_ESP: 1304 case IPPROTO_IPCOMP: 1305 /* give up */ 1306 return -1; 1307 1308 default: 1309 return -1; 1310 } 1311 1312 return -1; 1313 } 1314 1315 /* 1316 * get offset for the last header in the chain. m will be kept untainted. 1317 */ 1318 int 1319 ip6_lasthdr(struct mbuf *m, int off, int proto, int *nxtp) 1320 { 1321 int newoff; 1322 int nxt; 1323 1324 if (!nxtp) { 1325 nxt = -1; 1326 nxtp = &nxt; 1327 } 1328 while (1) { 1329 newoff = ip6_nexthdr(m, off, proto, nxtp); 1330 if (newoff < 0) 1331 return off; 1332 else if (newoff < off) 1333 return -1; /* invalid */ 1334 else if (newoff == off) 1335 return newoff; 1336 1337 off = newoff; 1338 proto = *nxtp; 1339 } 1340 } 1341 1342 /* 1343 * System control for IP6 1344 */ 1345 1346 const u_char inet6ctlerrmap[PRC_NCMDS] = { 1347 0, 0, 0, 0, 1348 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH, 1349 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, 1350 EMSGSIZE, EHOSTUNREACH, 0, 0, 1351 0, 0, 0, 0, 1352 ENOPROTOOPT 1353 }; 1354 1355 #ifdef MROUTING 1356 extern int ip6_mrtproto; 1357 #endif 1358 1359 const struct sysctl_bounded_args ipv6ctl_vars[] = { 1360 { IPV6CTL_DAD_PENDING, &ip6_dad_pending, SYSCTL_INT_READONLY }, 1361 #ifdef MROUTING 1362 { IPV6CTL_MRTPROTO, &ip6_mrtproto, SYSCTL_INT_READONLY }, 1363 #endif 1364 { IPV6CTL_FORWARDING, &ip6_forwarding, 0, 1 }, 1365 { IPV6CTL_SENDREDIRECTS, &ip6_sendredirects, 0, 1 }, 1366 { IPV6CTL_DEFHLIM, &ip6_defhlim, 0, 255 }, 1367 { IPV6CTL_MAXFRAGPACKETS, &ip6_maxfragpackets, 0, 1000 }, 1368 { IPV6CTL_LOG_INTERVAL, &ip6_log_interval, 0, INT_MAX }, 1369 { IPV6CTL_HDRNESTLIMIT, &ip6_hdrnestlimit, 0, 100 }, 1370 { IPV6CTL_DAD_COUNT, &ip6_dad_count, 0, 10 }, 1371 { IPV6CTL_AUTO_FLOWLABEL, &ip6_auto_flowlabel, 0, 1 }, 1372 { IPV6CTL_DEFMCASTHLIM, &ip6_defmcasthlim, 0, 255 }, 1373 { IPV6CTL_USE_DEPRECATED, &ip6_use_deprecated, 0, 1 }, 1374 { IPV6CTL_MAXFRAGS, &ip6_maxfrags, 0, 1000 }, 1375 { IPV6CTL_MFORWARDING, &ip6_mforwarding, 0, 1 }, 1376 { IPV6CTL_MULTIPATH, &ip6_multipath, 0, 1 }, 1377 { IPV6CTL_MCAST_PMTU, &ip6_mcast_pmtu, 0, 1 }, 1378 { IPV6CTL_NEIGHBORGCTHRESH, &ip6_neighborgcthresh, -1, 5 * 2048 }, 1379 { IPV6CTL_MAXDYNROUTES, &ip6_maxdynroutes, -1, 5 * 4096 }, 1380 }; 1381 1382 int 1383 ip6_sysctl_ip6stat(void *oldp, size_t *oldlenp, void *newp) 1384 { 1385 struct ip6stat *ip6stat; 1386 int ret; 1387 1388 CTASSERT(sizeof(*ip6stat) == (ip6s_ncounters * sizeof(uint64_t))); 1389 1390 ip6stat = malloc(sizeof(*ip6stat), M_TEMP, M_WAITOK); 1391 counters_read(ip6counters, (uint64_t *)ip6stat, ip6s_ncounters); 1392 ret = sysctl_rdstruct(oldp, oldlenp, newp, 1393 ip6stat, sizeof(*ip6stat)); 1394 free(ip6stat, M_TEMP, sizeof(*ip6stat)); 1395 1396 return (ret); 1397 } 1398 1399 int 1400 ip6_sysctl_soiikey(void *oldp, size_t *oldlenp, void *newp, size_t newlen) 1401 { 1402 uint8_t oldkey[IP6_SOIIKEY_LEN]; 1403 int error; 1404 1405 error = suser(curproc); 1406 if (error != 0) 1407 return (error); 1408 1409 memcpy(oldkey, ip6_soiikey, sizeof(oldkey)); 1410 1411 error = sysctl_struct(oldp, oldlenp, newp, newlen, ip6_soiikey, 1412 sizeof(ip6_soiikey)); 1413 1414 return (error); 1415 } 1416 1417 int 1418 ip6_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, 1419 void *newp, size_t newlen) 1420 { 1421 #ifdef MROUTING 1422 extern struct mrt6stat mrt6stat; 1423 #endif 1424 int error; 1425 1426 /* Almost all sysctl names at this level are terminal. */ 1427 if (namelen != 1 && name[0] != IPV6CTL_IFQUEUE) 1428 return (ENOTDIR); 1429 1430 switch (name[0]) { 1431 case IPV6CTL_STATS: 1432 return (ip6_sysctl_ip6stat(oldp, oldlenp, newp)); 1433 #ifdef MROUTING 1434 case IPV6CTL_MRTSTATS: 1435 if (newp != NULL) 1436 return (EPERM); 1437 NET_LOCK(); 1438 error = sysctl_struct(oldp, oldlenp, newp, newlen, 1439 &mrt6stat, sizeof(mrt6stat)); 1440 NET_UNLOCK(); 1441 return (error); 1442 case IPV6CTL_MRTMIF: 1443 if (newp) 1444 return (EPERM); 1445 NET_LOCK(); 1446 error = mrt6_sysctl_mif(oldp, oldlenp); 1447 NET_UNLOCK(); 1448 return (error); 1449 case IPV6CTL_MRTMFC: 1450 if (newp) 1451 return (EPERM); 1452 NET_LOCK(); 1453 error = mrt6_sysctl_mfc(oldp, oldlenp); 1454 NET_UNLOCK(); 1455 return (error); 1456 #else 1457 case IPV6CTL_MRTSTATS: 1458 case IPV6CTL_MRTPROTO: 1459 case IPV6CTL_MRTMIF: 1460 case IPV6CTL_MRTMFC: 1461 return (EOPNOTSUPP); 1462 #endif 1463 case IPV6CTL_MTUDISCTIMEOUT: 1464 NET_LOCK(); 1465 error = sysctl_int(oldp, oldlenp, newp, newlen, 1466 &ip6_mtudisc_timeout); 1467 if (icmp6_mtudisc_timeout_q != NULL) 1468 rt_timer_queue_change(icmp6_mtudisc_timeout_q, 1469 ip6_mtudisc_timeout); 1470 NET_UNLOCK(); 1471 return (error); 1472 case IPV6CTL_IFQUEUE: 1473 return (EOPNOTSUPP); 1474 case IPV6CTL_SOIIKEY: 1475 return (ip6_sysctl_soiikey(oldp, oldlenp, newp, newlen)); 1476 default: 1477 NET_LOCK(); 1478 error = sysctl_bounded_arr(ipv6ctl_vars, nitems(ipv6ctl_vars), 1479 name, namelen, oldp, oldlenp, newp, newlen); 1480 NET_UNLOCK(); 1481 return (error); 1482 } 1483 /* NOTREACHED */ 1484 } 1485 1486 void 1487 ip6_send_dispatch(void *xmq) 1488 { 1489 struct mbuf_queue *mq = xmq; 1490 struct mbuf *m; 1491 struct mbuf_list ml; 1492 1493 mq_delist(mq, &ml); 1494 if (ml_empty(&ml)) 1495 return; 1496 1497 NET_LOCK(); 1498 while ((m = ml_dequeue(&ml)) != NULL) { 1499 ip6_output(m, NULL, NULL, 0, NULL, NULL); 1500 } 1501 NET_UNLOCK(); 1502 } 1503 1504 void 1505 ip6_send(struct mbuf *m) 1506 { 1507 mq_enqueue(&ip6send_mq, m); 1508 task_add(net_tq(0), &ip6send_task); 1509 } 1510