1 /* $OpenBSD: ip6_input.c,v 1.210 2017/11/23 13:45:46 mpi Exp $ */ 2 /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ 3 4 /* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 /* 34 * Copyright (c) 1982, 1986, 1988, 1993 35 * The Regents of the University of California. All rights reserved. 36 * 37 * Redistribution and use in source and binary forms, with or without 38 * modification, are permitted provided that the following conditions 39 * are met: 40 * 1. Redistributions of source code must retain the above copyright 41 * notice, this list of conditions and the following disclaimer. 42 * 2. Redistributions in binary form must reproduce the above copyright 43 * notice, this list of conditions and the following disclaimer in the 44 * documentation and/or other materials provided with the distribution. 45 * 3. Neither the name of the University nor the names of its contributors 46 * may be used to endorse or promote products derived from this software 47 * without specific prior written permission. 48 * 49 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 50 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 51 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 52 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 53 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 54 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 55 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 56 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 57 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 58 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 59 * SUCH DAMAGE. 60 * 61 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 62 */ 63 64 #include "pf.h" 65 #include "carp.h" 66 67 #include <sys/param.h> 68 #include <sys/systm.h> 69 #include <sys/mbuf.h> 70 #include <sys/domain.h> 71 #include <sys/sysctl.h> 72 #include <sys/protosw.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <sys/errno.h> 76 #include <sys/time.h> 77 #include <sys/timeout.h> 78 #include <sys/kernel.h> 79 #include <sys/syslog.h> 80 #include <sys/task.h> 81 82 #include <net/if.h> 83 #include <net/if_var.h> 84 #include <net/if_types.h> 85 #include <net/route.h> 86 #include <net/netisr.h> 87 88 #include <netinet/in.h> 89 90 #include <netinet/ip.h> 91 92 #include <netinet/in_pcb.h> 93 #include <netinet/ip_var.h> 94 #include <netinet6/in6_var.h> 95 #include <netinet/ip6.h> 96 #include <netinet6/ip6_var.h> 97 #include <netinet/icmp6.h> 98 #include <netinet6/nd6.h> 99 100 #include <netinet6/ip6protosw.h> 101 102 #include "gif.h" 103 #include "bpfilter.h" 104 105 #ifdef MROUTING 106 #include <netinet6/ip6_mroute.h> 107 #endif 108 109 #if NPF > 0 110 #include <net/pfvar.h> 111 #endif 112 113 #if NCARP > 0 114 #include <netinet/ip_carp.h> 115 #endif 116 117 struct niqueue ip6intrq = NIQUEUE_INITIALIZER(IPQ_MAXLEN, NETISR_IPV6); 118 119 struct cpumem *ip6counters; 120 121 int ip6_ours(struct mbuf **, int *, int, int); 122 int ip6_local(struct mbuf **, int *, int, int); 123 int ip6_check_rh0hdr(struct mbuf *, int *); 124 int ip6_hbhchcheck(struct mbuf *, int *, int *, int *); 125 int ip6_hopopts_input(u_int32_t *, u_int32_t *, struct mbuf **, int *); 126 struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int); 127 128 static struct mbuf_queue ip6send_mq; 129 130 static void ip6_send_dispatch(void *); 131 static struct task ip6send_task = 132 TASK_INITIALIZER(ip6_send_dispatch, &ip6send_mq); 133 134 /* 135 * IP6 initialization: fill in IP6 protocol switch table. 136 * All protocols not implemented in kernel go to raw IP6 protocol handler. 137 */ 138 void 139 ip6_init(void) 140 { 141 const struct protosw *pr; 142 int i; 143 144 pr = pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW); 145 if (pr == NULL) 146 panic("ip6_init"); 147 for (i = 0; i < IPPROTO_MAX; i++) 148 ip6_protox[i] = pr - inet6sw; 149 for (pr = inet6domain.dom_protosw; 150 pr < inet6domain.dom_protoswNPROTOSW; pr++) 151 if (pr->pr_domain->dom_family == PF_INET6 && 152 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW && 153 pr->pr_protocol < IPPROTO_MAX) 154 ip6_protox[pr->pr_protocol] = pr - inet6sw; 155 ip6_randomid_init(); 156 nd6_init(); 157 frag6_init(); 158 159 mq_init(&ip6send_mq, 64, IPL_SOFTNET); 160 161 ip6counters = counters_alloc(ip6s_ncounters); 162 } 163 164 /* 165 * Enqueue packet for local delivery. Queuing is used as a boundary 166 * between the network layer (input/forward path) running without 167 * KERNEL_LOCK() and the transport layer still needing it. 168 */ 169 int 170 ip6_ours(struct mbuf **mp, int *offp, int nxt, int af) 171 { 172 /* We are already in a IPv4/IPv6 local deliver loop. */ 173 if (af != AF_UNSPEC) 174 return ip6_local(mp, offp, nxt, af); 175 176 niq_enqueue(&ip6intrq, *mp); 177 *mp = NULL; 178 return IPPROTO_DONE; 179 } 180 181 /* 182 * Dequeue and process locally delivered packets. 183 */ 184 void 185 ip6intr(void) 186 { 187 struct mbuf *m; 188 int off, nxt; 189 190 while ((m = niq_dequeue(&ip6intrq)) != NULL) { 191 #ifdef DIAGNOSTIC 192 if ((m->m_flags & M_PKTHDR) == 0) 193 panic("ip6intr no HDR"); 194 #endif 195 off = 0; 196 nxt = ip6_local(&m, &off, IPPROTO_IPV6, AF_UNSPEC); 197 KASSERT(nxt == IPPROTO_DONE); 198 } 199 } 200 201 void 202 ipv6_input(struct ifnet *ifp, struct mbuf *m) 203 { 204 int off, nxt; 205 206 off = 0; 207 nxt = ip6_input_if(&m, &off, IPPROTO_IPV6, AF_UNSPEC, ifp); 208 KASSERT(nxt == IPPROTO_DONE); 209 } 210 211 int 212 ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp) 213 { 214 struct mbuf *m = *mp; 215 struct ip6_hdr *ip6; 216 struct sockaddr_in6 sin6; 217 struct rtentry *rt = NULL; 218 int ours = 0; 219 u_int16_t src_scope, dst_scope; 220 #if NPF > 0 221 struct in6_addr odst; 222 #endif 223 int srcrt = 0; 224 225 KASSERT(*offp == 0); 226 227 ip6stat_inc(ip6s_total); 228 229 if (m->m_len < sizeof(struct ip6_hdr)) { 230 if ((m = *mp = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 231 ip6stat_inc(ip6s_toosmall); 232 goto bad; 233 } 234 } 235 236 ip6 = mtod(m, struct ip6_hdr *); 237 238 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 239 ip6stat_inc(ip6s_badvers); 240 goto bad; 241 } 242 243 #if NCARP > 0 244 if (ifp->if_type == IFT_CARP && 245 carp_lsdrop(m, AF_INET6, ip6->ip6_src.s6_addr32, 246 ip6->ip6_dst.s6_addr32, (ip6->ip6_nxt == IPPROTO_ICMPV6 ? 0 : 1))) 247 goto bad; 248 #endif 249 ip6stat_inc(ip6s_nxthist + ip6->ip6_nxt); 250 251 /* 252 * Check against address spoofing/corruption. 253 */ 254 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) || 255 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) { 256 /* 257 * XXX: "badscope" is not very suitable for a multicast source. 258 */ 259 ip6stat_inc(ip6s_badscope); 260 goto bad; 261 } 262 if ((IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) || 263 IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) && 264 (ifp->if_flags & IFF_LOOPBACK) == 0) { 265 ip6stat_inc(ip6s_badscope); 266 goto bad; 267 } 268 /* Drop packets if interface ID portion is already filled. */ 269 if (((IN6_IS_SCOPE_EMBED(&ip6->ip6_src) && ip6->ip6_src.s6_addr16[1]) || 270 (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst) && ip6->ip6_dst.s6_addr16[1])) && 271 (ifp->if_flags & IFF_LOOPBACK) == 0) { 272 ip6stat_inc(ip6s_badscope); 273 goto bad; 274 } 275 if (IN6_IS_ADDR_MC_INTFACELOCAL(&ip6->ip6_dst) && 276 !(m->m_flags & M_LOOP)) { 277 /* 278 * In this case, the packet should come from the loopback 279 * interface. However, we cannot just check the if_flags, 280 * because ip6_mloopback() passes the "actual" interface 281 * as the outgoing/incoming interface. 282 */ 283 ip6stat_inc(ip6s_badscope); 284 goto bad; 285 } 286 287 /* 288 * The following check is not documented in specs. A malicious 289 * party may be able to use IPv4 mapped addr to confuse tcp/udp stack 290 * and bypass security checks (act as if it was from 127.0.0.1 by using 291 * IPv6 src ::ffff:127.0.0.1). Be cautious. 292 * 293 * This check chokes if we are in an SIIT cloud. As none of BSDs 294 * support IPv4-less kernel compilation, we cannot support SIIT 295 * environment at all. So, it makes more sense for us to reject any 296 * malicious packets for non-SIIT environment, than try to do a 297 * partial support for SIIT environment. 298 */ 299 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 300 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 301 ip6stat_inc(ip6s_badscope); 302 goto bad; 303 } 304 305 /* 306 * Reject packets with IPv4 compatible addresses (auto tunnel). 307 * 308 * The code forbids automatic tunneling as per RFC4213. 309 */ 310 if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) || 311 IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { 312 ip6stat_inc(ip6s_badscope); 313 goto bad; 314 } 315 316 /* 317 * If the packet has been received on a loopback interface it 318 * can be destinated to any local address, not necessarily to 319 * an address configured on `ifp'. 320 */ 321 if (ifp->if_flags & IFF_LOOPBACK) { 322 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) { 323 src_scope = ip6->ip6_src.s6_addr16[1]; 324 ip6->ip6_src.s6_addr16[1] = 0; 325 } 326 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) { 327 dst_scope = ip6->ip6_dst.s6_addr16[1]; 328 ip6->ip6_dst.s6_addr16[1] = 0; 329 } 330 } 331 332 #if NPF > 0 333 /* 334 * Packet filter 335 */ 336 odst = ip6->ip6_dst; 337 if (pf_test(AF_INET6, PF_IN, ifp, mp) != PF_PASS) 338 goto bad; 339 m = *mp; 340 if (m == NULL) 341 goto bad; 342 343 ip6 = mtod(m, struct ip6_hdr *); 344 srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); 345 #endif 346 347 /* 348 * Without embedded scope ID we cannot find link-local 349 * addresses in the routing table. 350 */ 351 if (ifp->if_flags & IFF_LOOPBACK) { 352 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) 353 ip6->ip6_src.s6_addr16[1] = src_scope; 354 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) 355 ip6->ip6_dst.s6_addr16[1] = dst_scope; 356 } else { 357 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) 358 ip6->ip6_src.s6_addr16[1] = htons(ifp->if_index); 359 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) 360 ip6->ip6_dst.s6_addr16[1] = htons(ifp->if_index); 361 } 362 363 /* 364 * Be more secure than RFC5095 and scan for type 0 routing headers. 365 * If pf has already scanned the header chain, do not do it twice. 366 */ 367 if (!(m->m_pkthdr.pf.flags & PF_TAG_PROCESSED) && 368 ip6_check_rh0hdr(m, offp)) { 369 ip6stat_inc(ip6s_badoptions); 370 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, *offp); 371 m = *mp = NULL; 372 goto bad; 373 } 374 375 if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) || 376 IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) { 377 nxt = ip6_ours(mp, offp, nxt, af); 378 goto out; 379 } 380 381 #if NPF > 0 382 if (pf_ouraddr(m) == 1) { 383 nxt = ip6_ours(mp, offp, nxt, af); 384 goto out; 385 } 386 #endif 387 388 /* 389 * Multicast check 390 */ 391 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 392 /* 393 * Make sure M_MCAST is set. It should theoretically 394 * already be there, but let's play safe because upper 395 * layers check for this flag. 396 */ 397 m->m_flags |= M_MCAST; 398 399 /* 400 * See if we belong to the destination multicast group on the 401 * arrival interface. 402 */ 403 if (in6_hasmulti(&ip6->ip6_dst, ifp)) 404 ours = 1; 405 406 #ifdef MROUTING 407 if (ip6_mforwarding && ip6_mrouter[ifp->if_rdomain]) { 408 int error; 409 410 if (ip6_hbhchcheck(m, offp, &nxt, &ours)) 411 goto out; 412 413 ip6 = mtod(m, struct ip6_hdr *); 414 415 /* 416 * If we are acting as a multicast router, all 417 * incoming multicast packets are passed to the 418 * kernel-level multicast forwarding function. 419 * The packet is returned (relatively) intact; if 420 * ip6_mforward() returns a non-zero value, the packet 421 * must be discarded, else it may be accepted below. 422 */ 423 KERNEL_LOCK(); 424 error = ip6_mforward(ip6, ifp, m); 425 KERNEL_UNLOCK(); 426 if (error) { 427 ip6stat_inc(ip6s_cantforward); 428 goto bad; 429 } 430 431 if (ours) { 432 if (af == AF_UNSPEC) { 433 KERNEL_LOCK(); 434 nxt = ip_deliver(mp, offp, nxt, 435 AF_INET6); 436 KERNEL_UNLOCK(); 437 } 438 goto out; 439 } 440 goto bad; 441 } 442 #endif 443 if (!ours) { 444 ip6stat_inc(ip6s_notmember); 445 if (!IN6_IS_ADDR_MC_LINKLOCAL(&ip6->ip6_dst)) 446 ip6stat_inc(ip6s_cantforward); 447 goto bad; 448 } 449 nxt = ip6_ours(mp, offp, nxt, af); 450 goto out; 451 } 452 453 454 /* 455 * Unicast check 456 */ 457 memset(&sin6, 0, sizeof(struct sockaddr_in6)); 458 sin6.sin6_len = sizeof(struct sockaddr_in6); 459 sin6.sin6_family = AF_INET6; 460 sin6.sin6_addr = ip6->ip6_dst; 461 rt = rtalloc_mpath(sin6tosa(&sin6), &ip6->ip6_src.s6_addr32[0], 462 m->m_pkthdr.ph_rtableid); 463 464 /* 465 * Accept the packet if the route to the destination is marked 466 * as local. 467 */ 468 if (rtisvalid(rt) && ISSET(rt->rt_flags, RTF_LOCAL)) { 469 struct in6_ifaddr *ia6 = ifatoia6(rt->rt_ifa); 470 if (ia6->ia6_flags & IN6_IFF_ANYCAST) 471 m->m_flags |= M_ACAST; 472 /* 473 * packets to a tentative, duplicated, or somehow invalid 474 * address must not be accepted. 475 */ 476 if ((ia6->ia6_flags & (IN6_IFF_TENTATIVE|IN6_IFF_DUPLICATED))) { 477 char src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN]; 478 479 inet_ntop(AF_INET6, &ip6->ip6_src, src, sizeof(src)); 480 inet_ntop(AF_INET6, &ip6->ip6_dst, dst, sizeof(dst)); 481 /* address is not ready, so discard the packet. */ 482 nd6log((LOG_INFO, 483 "%s: packet to an unready address %s->%s\n", 484 __func__, src, dst)); 485 486 goto bad; 487 } else { 488 nxt = ip6_ours(mp, offp, nxt, af); 489 goto out; 490 } 491 } 492 493 #if NCARP > 0 494 if (ifp->if_type == IFT_CARP && ip6->ip6_nxt == IPPROTO_ICMPV6 && 495 carp_lsdrop(m, AF_INET6, ip6->ip6_src.s6_addr32, 496 ip6->ip6_dst.s6_addr32, 1)) 497 goto bad; 498 #endif 499 /* 500 * Now there is no reason to process the packet if it's not our own 501 * and we're not a router. 502 */ 503 if (!ip6_forwarding) { 504 ip6stat_inc(ip6s_cantforward); 505 goto bad; 506 } 507 508 if (ip6_hbhchcheck(m, offp, &nxt, &ours)) 509 goto out; 510 511 if (ours) { 512 if (af == AF_UNSPEC) { 513 KERNEL_LOCK(); 514 nxt = ip_deliver(mp, offp, nxt, AF_INET6); 515 KERNEL_UNLOCK(); 516 } 517 goto out; 518 } 519 520 #ifdef IPSEC 521 if (ipsec_in_use) { 522 int rv; 523 524 rv = ipsec_forward_check(m, *offp, AF_INET6); 525 if (rv != 0) { 526 ip6stat_inc(ip6s_cantforward); 527 goto bad; 528 } 529 /* 530 * Fall through, forward packet. Outbound IPsec policy 531 * checking will occur in ip6_forward(). 532 */ 533 } 534 #endif /* IPSEC */ 535 536 ip6_forward(m, rt, srcrt); 537 *mp = NULL; 538 return IPPROTO_DONE; 539 bad: 540 nxt = IPPROTO_DONE; 541 m_freemp(mp); 542 out: 543 rtfree(rt); 544 return nxt; 545 } 546 547 int 548 ip6_local(struct mbuf **mp, int *offp, int nxt, int af) 549 { 550 if (ip6_hbhchcheck(*mp, offp, &nxt, NULL)) 551 return IPPROTO_DONE; 552 553 /* Check wheter we are already in a IPv4/IPv6 local deliver loop. */ 554 if (af == AF_UNSPEC) 555 nxt = ip_deliver(mp, offp, nxt, AF_INET6); 556 return nxt; 557 } 558 559 int 560 ip6_hbhchcheck(struct mbuf *m, int *offp, int *nxtp, int *oursp) 561 { 562 struct ip6_hdr *ip6; 563 u_int32_t plen, rtalert = ~0; 564 565 ip6 = mtod(m, struct ip6_hdr *); 566 567 /* 568 * Process Hop-by-Hop options header if it's contained. 569 * m may be modified in ip6_hopopts_input(). 570 * If a JumboPayload option is included, plen will also be modified. 571 */ 572 plen = (u_int32_t)ntohs(ip6->ip6_plen); 573 *offp = sizeof(struct ip6_hdr); 574 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 575 struct ip6_hbh *hbh; 576 577 if (ip6_hopopts_input(&plen, &rtalert, &m, offp)) { 578 goto bad; /* m have already been freed */ 579 } 580 581 /* adjust pointer */ 582 ip6 = mtod(m, struct ip6_hdr *); 583 584 /* 585 * if the payload length field is 0 and the next header field 586 * indicates Hop-by-Hop Options header, then a Jumbo Payload 587 * option MUST be included. 588 */ 589 if (ip6->ip6_plen == 0 && plen == 0) { 590 /* 591 * Note that if a valid jumbo payload option is 592 * contained, ip6_hopopts_input() must set a valid 593 * (non-zero) payload length to the variable plen. 594 */ 595 ip6stat_inc(ip6s_badoptions); 596 icmp6_error(m, ICMP6_PARAM_PROB, 597 ICMP6_PARAMPROB_HEADER, 598 (caddr_t)&ip6->ip6_plen - (caddr_t)ip6); 599 goto bad; 600 } 601 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 602 sizeof(struct ip6_hbh)); 603 if (hbh == NULL) { 604 ip6stat_inc(ip6s_tooshort); 605 goto bad; 606 } 607 *nxtp = hbh->ip6h_nxt; 608 609 /* 610 * accept the packet if a router alert option is included 611 * and we act as an IPv6 router. 612 */ 613 if (rtalert != ~0 && ip6_forwarding && oursp != NULL) 614 *oursp = 1; 615 } else 616 *nxtp = ip6->ip6_nxt; 617 618 /* 619 * Check that the amount of data in the buffers 620 * is as at least much as the IPv6 header would have us expect. 621 * Trim mbufs if longer than we expect. 622 * Drop packet if shorter than we expect. 623 */ 624 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) { 625 ip6stat_inc(ip6s_tooshort); 626 m_freem(m); 627 goto bad; 628 } 629 if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) { 630 if (m->m_len == m->m_pkthdr.len) { 631 m->m_len = sizeof(struct ip6_hdr) + plen; 632 m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen; 633 } else { 634 m_adj(m, 635 sizeof(struct ip6_hdr) + plen - m->m_pkthdr.len); 636 } 637 } 638 639 return (0); 640 641 bad: 642 *nxtp = IPPROTO_DONE; 643 return (-1); 644 } 645 646 /* scan packet for RH0 routing header. Mostly stolen from pf.c:pf_test() */ 647 int 648 ip6_check_rh0hdr(struct mbuf *m, int *offp) 649 { 650 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 651 struct ip6_rthdr rthdr; 652 struct ip6_ext opt6; 653 u_int8_t proto = ip6->ip6_nxt; 654 int done = 0, lim, off, rh_cnt = 0; 655 656 off = ((caddr_t)ip6 - m->m_data) + sizeof(struct ip6_hdr); 657 lim = min(m->m_pkthdr.len, ntohs(ip6->ip6_plen) + sizeof(*ip6)); 658 do { 659 switch (proto) { 660 case IPPROTO_ROUTING: 661 *offp = off; 662 if (rh_cnt++) { 663 /* more than one rh header present */ 664 return (1); 665 } 666 667 if (off + sizeof(rthdr) > lim) { 668 /* packet to short to make sense */ 669 return (1); 670 } 671 672 m_copydata(m, off, sizeof(rthdr), (caddr_t)&rthdr); 673 674 if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) { 675 *offp += offsetof(struct ip6_rthdr, ip6r_type); 676 return (1); 677 } 678 679 off += (rthdr.ip6r_len + 1) * 8; 680 proto = rthdr.ip6r_nxt; 681 break; 682 case IPPROTO_AH: 683 case IPPROTO_HOPOPTS: 684 case IPPROTO_DSTOPTS: 685 /* get next header and header length */ 686 if (off + sizeof(opt6) > lim) { 687 /* 688 * Packet to short to make sense, we could 689 * reject the packet but as a router we 690 * should not do that so forward it. 691 */ 692 return (0); 693 } 694 695 m_copydata(m, off, sizeof(opt6), (caddr_t)&opt6); 696 697 if (proto == IPPROTO_AH) 698 off += (opt6.ip6e_len + 2) * 4; 699 else 700 off += (opt6.ip6e_len + 1) * 8; 701 proto = opt6.ip6e_nxt; 702 break; 703 case IPPROTO_FRAGMENT: 704 default: 705 /* end of header stack */ 706 done = 1; 707 break; 708 } 709 } while (!done); 710 711 return (0); 712 } 713 714 /* 715 * Hop-by-Hop options header processing. If a valid jumbo payload option is 716 * included, the real payload length will be stored in plenp. 717 * 718 * rtalertp - XXX: should be stored in a more smart way 719 */ 720 int 721 ip6_hopopts_input(u_int32_t *plenp, u_int32_t *rtalertp, struct mbuf **mp, 722 int *offp) 723 { 724 struct mbuf *m = *mp; 725 int off = *offp, hbhlen; 726 struct ip6_hbh *hbh; 727 728 /* validation of the length of the header */ 729 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, 730 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh)); 731 if (hbh == NULL) { 732 ip6stat_inc(ip6s_tooshort); 733 return -1; 734 } 735 hbhlen = (hbh->ip6h_len + 1) << 3; 736 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 737 hbhlen); 738 if (hbh == NULL) { 739 ip6stat_inc(ip6s_tooshort); 740 return -1; 741 } 742 off += hbhlen; 743 hbhlen -= sizeof(struct ip6_hbh); 744 745 if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh), 746 hbhlen, rtalertp, plenp) < 0) 747 return (-1); 748 749 *offp = off; 750 *mp = m; 751 return (0); 752 } 753 754 /* 755 * Search header for all Hop-by-hop options and process each option. 756 * This function is separate from ip6_hopopts_input() in order to 757 * handle a case where the sending node itself process its hop-by-hop 758 * options header. In such a case, the function is called from ip6_output(). 759 * 760 * The function assumes that hbh header is located right after the IPv6 header 761 * (RFC2460 p7), opthead is pointer into data content in m, and opthead to 762 * opthead + hbhlen is located in continuous memory region. 763 */ 764 int 765 ip6_process_hopopts(struct mbuf *m, u_int8_t *opthead, int hbhlen, 766 u_int32_t *rtalertp, u_int32_t *plenp) 767 { 768 struct ip6_hdr *ip6; 769 int optlen = 0; 770 u_int8_t *opt = opthead; 771 u_int16_t rtalert_val; 772 u_int32_t jumboplen; 773 const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh); 774 775 for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) { 776 switch (*opt) { 777 case IP6OPT_PAD1: 778 optlen = 1; 779 break; 780 case IP6OPT_PADN: 781 if (hbhlen < IP6OPT_MINLEN) { 782 ip6stat_inc(ip6s_toosmall); 783 goto bad; 784 } 785 optlen = *(opt + 1) + 2; 786 break; 787 case IP6OPT_ROUTER_ALERT: 788 /* XXX may need check for alignment */ 789 if (hbhlen < IP6OPT_RTALERT_LEN) { 790 ip6stat_inc(ip6s_toosmall); 791 goto bad; 792 } 793 if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) { 794 /* XXX stat */ 795 icmp6_error(m, ICMP6_PARAM_PROB, 796 ICMP6_PARAMPROB_HEADER, 797 erroff + opt + 1 - opthead); 798 return (-1); 799 } 800 optlen = IP6OPT_RTALERT_LEN; 801 memcpy((caddr_t)&rtalert_val, (caddr_t)(opt + 2), 2); 802 *rtalertp = ntohs(rtalert_val); 803 break; 804 case IP6OPT_JUMBO: 805 /* XXX may need check for alignment */ 806 if (hbhlen < IP6OPT_JUMBO_LEN) { 807 ip6stat_inc(ip6s_toosmall); 808 goto bad; 809 } 810 if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) { 811 /* XXX stat */ 812 icmp6_error(m, ICMP6_PARAM_PROB, 813 ICMP6_PARAMPROB_HEADER, 814 erroff + opt + 1 - opthead); 815 return (-1); 816 } 817 optlen = IP6OPT_JUMBO_LEN; 818 819 /* 820 * IPv6 packets that have non 0 payload length 821 * must not contain a jumbo payload option. 822 */ 823 ip6 = mtod(m, struct ip6_hdr *); 824 if (ip6->ip6_plen) { 825 ip6stat_inc(ip6s_badoptions); 826 icmp6_error(m, ICMP6_PARAM_PROB, 827 ICMP6_PARAMPROB_HEADER, 828 erroff + opt - opthead); 829 return (-1); 830 } 831 832 /* 833 * We may see jumbolen in unaligned location, so 834 * we'd need to perform memcpy(). 835 */ 836 memcpy(&jumboplen, opt + 2, sizeof(jumboplen)); 837 jumboplen = (u_int32_t)htonl(jumboplen); 838 839 #if 1 840 /* 841 * if there are multiple jumbo payload options, 842 * *plenp will be non-zero and the packet will be 843 * rejected. 844 * the behavior may need some debate in ipngwg - 845 * multiple options does not make sense, however, 846 * there's no explicit mention in specification. 847 */ 848 if (*plenp != 0) { 849 ip6stat_inc(ip6s_badoptions); 850 icmp6_error(m, ICMP6_PARAM_PROB, 851 ICMP6_PARAMPROB_HEADER, 852 erroff + opt + 2 - opthead); 853 return (-1); 854 } 855 #endif 856 857 /* 858 * jumbo payload length must be larger than 65535. 859 */ 860 if (jumboplen <= IPV6_MAXPACKET) { 861 ip6stat_inc(ip6s_badoptions); 862 icmp6_error(m, ICMP6_PARAM_PROB, 863 ICMP6_PARAMPROB_HEADER, 864 erroff + opt + 2 - opthead); 865 return (-1); 866 } 867 *plenp = jumboplen; 868 869 break; 870 default: /* unknown option */ 871 if (hbhlen < IP6OPT_MINLEN) { 872 ip6stat_inc(ip6s_toosmall); 873 goto bad; 874 } 875 optlen = ip6_unknown_opt(opt, m, 876 erroff + opt - opthead); 877 if (optlen == -1) 878 return (-1); 879 optlen += 2; 880 break; 881 } 882 } 883 884 return (0); 885 886 bad: 887 m_freem(m); 888 return (-1); 889 } 890 891 /* 892 * Unknown option processing. 893 * The third argument `off' is the offset from the IPv6 header to the option, 894 * which allows returning an ICMPv6 error even if the IPv6 header and the 895 * option header are not continuous. 896 */ 897 int 898 ip6_unknown_opt(u_int8_t *optp, struct mbuf *m, int off) 899 { 900 struct ip6_hdr *ip6; 901 902 switch (IP6OPT_TYPE(*optp)) { 903 case IP6OPT_TYPE_SKIP: /* ignore the option */ 904 return ((int)*(optp + 1)); 905 case IP6OPT_TYPE_DISCARD: /* silently discard */ 906 m_freem(m); 907 return (-1); 908 case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */ 909 ip6stat_inc(ip6s_badoptions); 910 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off); 911 return (-1); 912 case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */ 913 ip6stat_inc(ip6s_badoptions); 914 ip6 = mtod(m, struct ip6_hdr *); 915 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) || 916 (m->m_flags & (M_BCAST|M_MCAST))) 917 m_freem(m); 918 else 919 icmp6_error(m, ICMP6_PARAM_PROB, 920 ICMP6_PARAMPROB_OPTION, off); 921 return (-1); 922 } 923 924 m_freem(m); /* XXX: NOTREACHED */ 925 return (-1); 926 } 927 928 /* 929 * Create the "control" list for this pcb. 930 * 931 * The routine will be called from upper layer handlers like udp_input(). 932 * Thus the routine assumes that the caller (udp_input) have already 933 * called IP6_EXTHDR_CHECK() and all the extension headers are located in the 934 * very first mbuf on the mbuf chain. 935 * We may want to add some infinite loop prevention or sanity checks for safety. 936 * (This applies only when you are using KAME mbuf chain restriction, i.e. 937 * you are using IP6_EXTHDR_CHECK() not m_pulldown()) 938 */ 939 void 940 ip6_savecontrol(struct inpcb *in6p, struct mbuf *m, struct mbuf **mp) 941 { 942 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 943 944 if (in6p->inp_socket->so_options & SO_TIMESTAMP) { 945 struct timeval tv; 946 947 microtime(&tv); 948 *mp = sbcreatecontrol((caddr_t) &tv, sizeof(tv), 949 SCM_TIMESTAMP, SOL_SOCKET); 950 if (*mp) 951 mp = &(*mp)->m_next; 952 } 953 954 /* RFC 2292 sec. 5 */ 955 if ((in6p->inp_flags & IN6P_PKTINFO) != 0) { 956 struct in6_pktinfo pi6; 957 memcpy(&pi6.ipi6_addr, &ip6->ip6_dst, sizeof(struct in6_addr)); 958 if (IN6_IS_SCOPE_EMBED(&pi6.ipi6_addr)) 959 pi6.ipi6_addr.s6_addr16[1] = 0; 960 pi6.ipi6_ifindex = m ? m->m_pkthdr.ph_ifidx : 0; 961 *mp = sbcreatecontrol((caddr_t) &pi6, 962 sizeof(struct in6_pktinfo), 963 IPV6_PKTINFO, IPPROTO_IPV6); 964 if (*mp) 965 mp = &(*mp)->m_next; 966 } 967 968 if ((in6p->inp_flags & IN6P_HOPLIMIT) != 0) { 969 int hlim = ip6->ip6_hlim & 0xff; 970 *mp = sbcreatecontrol((caddr_t) &hlim, sizeof(int), 971 IPV6_HOPLIMIT, IPPROTO_IPV6); 972 if (*mp) 973 mp = &(*mp)->m_next; 974 } 975 976 if ((in6p->inp_flags & IN6P_TCLASS) != 0) { 977 u_int32_t flowinfo; 978 int tclass; 979 980 flowinfo = (u_int32_t)ntohl(ip6->ip6_flow & IPV6_FLOWINFO_MASK); 981 flowinfo >>= 20; 982 983 tclass = flowinfo & 0xff; 984 *mp = sbcreatecontrol((caddr_t)&tclass, sizeof(tclass), 985 IPV6_TCLASS, IPPROTO_IPV6); 986 if (*mp) 987 mp = &(*mp)->m_next; 988 } 989 990 /* 991 * IPV6_HOPOPTS socket option. Recall that we required super-user 992 * privilege for the option (see ip6_ctloutput), but it might be too 993 * strict, since there might be some hop-by-hop options which can be 994 * returned to normal user. 995 * See also RFC 2292 section 6 (or RFC 3542 section 8). 996 */ 997 if ((in6p->inp_flags & IN6P_HOPOPTS) != 0) { 998 /* 999 * Check if a hop-by-hop options header is contained in the 1000 * received packet, and if so, store the options as ancillary 1001 * data. Note that a hop-by-hop options header must be 1002 * just after the IPv6 header, which is assured through the 1003 * IPv6 input processing. 1004 */ 1005 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1006 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 1007 struct ip6_hbh *hbh; 1008 int hbhlen = 0; 1009 struct mbuf *ext; 1010 1011 ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr), 1012 ip6->ip6_nxt); 1013 if (ext == NULL) { 1014 ip6stat_inc(ip6s_tooshort); 1015 return; 1016 } 1017 hbh = mtod(ext, struct ip6_hbh *); 1018 hbhlen = (hbh->ip6h_len + 1) << 3; 1019 if (hbhlen != ext->m_len) { 1020 m_freem(ext); 1021 ip6stat_inc(ip6s_tooshort); 1022 return; 1023 } 1024 1025 /* 1026 * XXX: We copy the whole header even if a 1027 * jumbo payload option is included, the option which 1028 * is to be removed before returning according to 1029 * RFC2292. 1030 * Note: this constraint is removed in RFC3542. 1031 */ 1032 *mp = sbcreatecontrol((caddr_t)hbh, hbhlen, 1033 IPV6_HOPOPTS, 1034 IPPROTO_IPV6); 1035 if (*mp) 1036 mp = &(*mp)->m_next; 1037 m_freem(ext); 1038 } 1039 } 1040 1041 /* IPV6_DSTOPTS and IPV6_RTHDR socket options */ 1042 if ((in6p->inp_flags & (IN6P_RTHDR | IN6P_DSTOPTS)) != 0) { 1043 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1044 int nxt = ip6->ip6_nxt, off = sizeof(struct ip6_hdr); 1045 1046 /* 1047 * Search for destination options headers or routing 1048 * header(s) through the header chain, and stores each 1049 * header as ancillary data. 1050 * Note that the order of the headers remains in 1051 * the chain of ancillary data. 1052 */ 1053 while (1) { /* is explicit loop prevention necessary? */ 1054 struct ip6_ext *ip6e = NULL; 1055 int elen; 1056 struct mbuf *ext = NULL; 1057 1058 /* 1059 * if it is not an extension header, don't try to 1060 * pull it from the chain. 1061 */ 1062 switch (nxt) { 1063 case IPPROTO_DSTOPTS: 1064 case IPPROTO_ROUTING: 1065 case IPPROTO_HOPOPTS: 1066 case IPPROTO_AH: /* is it possible? */ 1067 break; 1068 default: 1069 goto loopend; 1070 } 1071 1072 ext = ip6_pullexthdr(m, off, nxt); 1073 if (ext == NULL) { 1074 ip6stat_inc(ip6s_tooshort); 1075 return; 1076 } 1077 ip6e = mtod(ext, struct ip6_ext *); 1078 if (nxt == IPPROTO_AH) 1079 elen = (ip6e->ip6e_len + 2) << 2; 1080 else 1081 elen = (ip6e->ip6e_len + 1) << 3; 1082 if (elen != ext->m_len) { 1083 m_freem(ext); 1084 ip6stat_inc(ip6s_tooshort); 1085 return; 1086 } 1087 1088 switch (nxt) { 1089 case IPPROTO_DSTOPTS: 1090 if (!(in6p->inp_flags & IN6P_DSTOPTS)) 1091 break; 1092 1093 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1094 IPV6_DSTOPTS, 1095 IPPROTO_IPV6); 1096 if (*mp) 1097 mp = &(*mp)->m_next; 1098 break; 1099 1100 case IPPROTO_ROUTING: 1101 if (!(in6p->inp_flags & IN6P_RTHDR)) 1102 break; 1103 1104 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1105 IPV6_RTHDR, 1106 IPPROTO_IPV6); 1107 if (*mp) 1108 mp = &(*mp)->m_next; 1109 break; 1110 1111 case IPPROTO_HOPOPTS: 1112 case IPPROTO_AH: /* is it possible? */ 1113 break; 1114 1115 default: 1116 /* 1117 * other cases have been filtered in the above. 1118 * none will visit this case. here we supply 1119 * the code just in case (nxt overwritten or 1120 * other cases). 1121 */ 1122 m_freem(ext); 1123 goto loopend; 1124 1125 } 1126 1127 /* proceed with the next header. */ 1128 off += elen; 1129 nxt = ip6e->ip6e_nxt; 1130 ip6e = NULL; 1131 m_freem(ext); 1132 ext = NULL; 1133 } 1134 loopend: 1135 ; 1136 } 1137 } 1138 1139 /* 1140 * pull single extension header from mbuf chain. returns single mbuf that 1141 * contains the result, or NULL on error. 1142 */ 1143 struct mbuf * 1144 ip6_pullexthdr(struct mbuf *m, size_t off, int nxt) 1145 { 1146 struct ip6_ext ip6e; 1147 size_t elen; 1148 struct mbuf *n; 1149 1150 #ifdef DIAGNOSTIC 1151 switch (nxt) { 1152 case IPPROTO_DSTOPTS: 1153 case IPPROTO_ROUTING: 1154 case IPPROTO_HOPOPTS: 1155 case IPPROTO_AH: /* is it possible? */ 1156 break; 1157 default: 1158 printf("ip6_pullexthdr: invalid nxt=%d\n", nxt); 1159 } 1160 #endif 1161 1162 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1163 if (nxt == IPPROTO_AH) 1164 elen = (ip6e.ip6e_len + 2) << 2; 1165 else 1166 elen = (ip6e.ip6e_len + 1) << 3; 1167 1168 MGET(n, M_DONTWAIT, MT_DATA); 1169 if (n && elen >= MLEN) { 1170 MCLGET(n, M_DONTWAIT); 1171 if ((n->m_flags & M_EXT) == 0) { 1172 m_free(n); 1173 n = NULL; 1174 } 1175 } 1176 if (!n) 1177 return NULL; 1178 1179 n->m_len = 0; 1180 if (elen >= M_TRAILINGSPACE(n)) { 1181 m_free(n); 1182 return NULL; 1183 } 1184 1185 m_copydata(m, off, elen, mtod(n, caddr_t)); 1186 n->m_len = elen; 1187 return n; 1188 } 1189 1190 /* 1191 * Get pointer to the previous header followed by the header 1192 * currently processed. 1193 * XXX: This function supposes that 1194 * M includes all headers, 1195 * the next header field and the header length field of each header 1196 * are valid, and 1197 * the sum of each header length equals to OFF. 1198 * Because of these assumptions, this function must be called very 1199 * carefully. Moreover, it will not be used in the near future when 1200 * we develop `neater' mechanism to process extension headers. 1201 */ 1202 u_int8_t * 1203 ip6_get_prevhdr(struct mbuf *m, int off) 1204 { 1205 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1206 1207 if (off == sizeof(struct ip6_hdr)) 1208 return (&ip6->ip6_nxt); 1209 else { 1210 int len, nxt; 1211 struct ip6_ext *ip6e = NULL; 1212 1213 nxt = ip6->ip6_nxt; 1214 len = sizeof(struct ip6_hdr); 1215 while (len < off) { 1216 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + len); 1217 1218 switch (nxt) { 1219 case IPPROTO_FRAGMENT: 1220 len += sizeof(struct ip6_frag); 1221 break; 1222 case IPPROTO_AH: 1223 len += (ip6e->ip6e_len + 2) << 2; 1224 break; 1225 default: 1226 len += (ip6e->ip6e_len + 1) << 3; 1227 break; 1228 } 1229 nxt = ip6e->ip6e_nxt; 1230 } 1231 if (ip6e) 1232 return (&ip6e->ip6e_nxt); 1233 else 1234 return NULL; 1235 } 1236 } 1237 1238 /* 1239 * get next header offset. m will be retained. 1240 */ 1241 int 1242 ip6_nexthdr(struct mbuf *m, int off, int proto, int *nxtp) 1243 { 1244 struct ip6_hdr ip6; 1245 struct ip6_ext ip6e; 1246 struct ip6_frag fh; 1247 1248 /* just in case */ 1249 if (m == NULL) 1250 panic("ip6_nexthdr: m == NULL"); 1251 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off) 1252 return -1; 1253 1254 switch (proto) { 1255 case IPPROTO_IPV6: 1256 if (m->m_pkthdr.len < off + sizeof(ip6)) 1257 return -1; 1258 m_copydata(m, off, sizeof(ip6), (caddr_t)&ip6); 1259 if (nxtp) 1260 *nxtp = ip6.ip6_nxt; 1261 off += sizeof(ip6); 1262 return off; 1263 1264 case IPPROTO_FRAGMENT: 1265 /* 1266 * terminate parsing if it is not the first fragment, 1267 * it does not make sense to parse through it. 1268 */ 1269 if (m->m_pkthdr.len < off + sizeof(fh)) 1270 return -1; 1271 m_copydata(m, off, sizeof(fh), (caddr_t)&fh); 1272 if ((fh.ip6f_offlg & IP6F_OFF_MASK) != 0) 1273 return -1; 1274 if (nxtp) 1275 *nxtp = fh.ip6f_nxt; 1276 off += sizeof(struct ip6_frag); 1277 return off; 1278 1279 case IPPROTO_AH: 1280 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1281 return -1; 1282 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1283 if (nxtp) 1284 *nxtp = ip6e.ip6e_nxt; 1285 off += (ip6e.ip6e_len + 2) << 2; 1286 if (m->m_pkthdr.len < off) 1287 return -1; 1288 return off; 1289 1290 case IPPROTO_HOPOPTS: 1291 case IPPROTO_ROUTING: 1292 case IPPROTO_DSTOPTS: 1293 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1294 return -1; 1295 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1296 if (nxtp) 1297 *nxtp = ip6e.ip6e_nxt; 1298 off += (ip6e.ip6e_len + 1) << 3; 1299 if (m->m_pkthdr.len < off) 1300 return -1; 1301 return off; 1302 1303 case IPPROTO_NONE: 1304 case IPPROTO_ESP: 1305 case IPPROTO_IPCOMP: 1306 /* give up */ 1307 return -1; 1308 1309 default: 1310 return -1; 1311 } 1312 1313 return -1; 1314 } 1315 1316 /* 1317 * get offset for the last header in the chain. m will be kept untainted. 1318 */ 1319 int 1320 ip6_lasthdr(struct mbuf *m, int off, int proto, int *nxtp) 1321 { 1322 int newoff; 1323 int nxt; 1324 1325 if (!nxtp) { 1326 nxt = -1; 1327 nxtp = &nxt; 1328 } 1329 while (1) { 1330 newoff = ip6_nexthdr(m, off, proto, nxtp); 1331 if (newoff < 0) 1332 return off; 1333 else if (newoff < off) 1334 return -1; /* invalid */ 1335 else if (newoff == off) 1336 return newoff; 1337 1338 off = newoff; 1339 proto = *nxtp; 1340 } 1341 } 1342 1343 /* 1344 * System control for IP6 1345 */ 1346 1347 const u_char inet6ctlerrmap[PRC_NCMDS] = { 1348 0, 0, 0, 0, 1349 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH, 1350 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, 1351 EMSGSIZE, EHOSTUNREACH, 0, 0, 1352 0, 0, 0, 0, 1353 ENOPROTOOPT 1354 }; 1355 1356 int *ipv6ctl_vars[IPV6CTL_MAXID] = IPV6CTL_VARS; 1357 1358 int 1359 ip6_sysctl_ip6stat(void *oldp, size_t *oldlenp, void *newp) 1360 { 1361 struct ip6stat *ip6stat; 1362 int ret; 1363 1364 CTASSERT(sizeof(*ip6stat) == (ip6s_ncounters * sizeof(uint64_t))); 1365 1366 ip6stat = malloc(sizeof(*ip6stat), M_TEMP, M_WAITOK); 1367 counters_read(ip6counters, (uint64_t *)ip6stat, ip6s_ncounters); 1368 ret = sysctl_rdstruct(oldp, oldlenp, newp, 1369 ip6stat, sizeof(*ip6stat)); 1370 free(ip6stat, M_TEMP, sizeof(*ip6stat)); 1371 1372 return (ret); 1373 } 1374 1375 int 1376 ip6_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, 1377 void *newp, size_t newlen) 1378 { 1379 #ifdef MROUTING 1380 extern int ip6_mrtproto; 1381 extern struct mrt6stat mrt6stat; 1382 #endif 1383 int error; 1384 1385 /* Almost all sysctl names at this level are terminal. */ 1386 if (namelen != 1 && name[0] != IPV6CTL_IFQUEUE) 1387 return (ENOTDIR); 1388 1389 switch (name[0]) { 1390 case IPV6CTL_DAD_PENDING: 1391 return sysctl_rdint(oldp, oldlenp, newp, ip6_dad_pending); 1392 case IPV6CTL_STATS: 1393 return (ip6_sysctl_ip6stat(oldp, oldlenp, newp)); 1394 #ifdef MROUTING 1395 case IPV6CTL_MRTSTATS: 1396 if (newp != NULL) 1397 return (EPERM); 1398 NET_LOCK(); 1399 error = sysctl_struct(oldp, oldlenp, newp, newlen, 1400 &mrt6stat, sizeof(mrt6stat)); 1401 NET_UNLOCK(); 1402 return (error); 1403 case IPV6CTL_MRTPROTO: 1404 return sysctl_rdint(oldp, oldlenp, newp, ip6_mrtproto); 1405 case IPV6CTL_MRTMIF: 1406 if (newp) 1407 return (EPERM); 1408 NET_LOCK(); 1409 error = mrt6_sysctl_mif(oldp, oldlenp); 1410 NET_UNLOCK(); 1411 return (error); 1412 case IPV6CTL_MRTMFC: 1413 if (newp) 1414 return (EPERM); 1415 NET_LOCK(); 1416 error = mrt6_sysctl_mfc(oldp, oldlenp); 1417 NET_UNLOCK(); 1418 return (error); 1419 #else 1420 case IPV6CTL_MRTSTATS: 1421 case IPV6CTL_MRTPROTO: 1422 case IPV6CTL_MRTMIF: 1423 case IPV6CTL_MRTMFC: 1424 return (EOPNOTSUPP); 1425 #endif 1426 case IPV6CTL_MTUDISCTIMEOUT: 1427 NET_LOCK(); 1428 error = sysctl_int(oldp, oldlenp, newp, newlen, 1429 &ip6_mtudisc_timeout); 1430 if (icmp6_mtudisc_timeout_q != NULL) 1431 rt_timer_queue_change(icmp6_mtudisc_timeout_q, 1432 ip6_mtudisc_timeout); 1433 NET_UNLOCK(); 1434 return (error); 1435 case IPV6CTL_IFQUEUE: 1436 return (sysctl_niq(name + 1, namelen - 1, 1437 oldp, oldlenp, newp, newlen, &ip6intrq)); 1438 default: 1439 if (name[0] < IPV6CTL_MAXID) { 1440 NET_LOCK(); 1441 error = sysctl_int_arr(ipv6ctl_vars, name, namelen, 1442 oldp, oldlenp, newp, newlen); 1443 NET_UNLOCK(); 1444 return (error); 1445 } 1446 return (EOPNOTSUPP); 1447 } 1448 /* NOTREACHED */ 1449 } 1450 1451 void 1452 ip6_send_dispatch(void *xmq) 1453 { 1454 struct mbuf_queue *mq = xmq; 1455 struct mbuf *m; 1456 struct mbuf_list ml; 1457 1458 mq_delist(mq, &ml); 1459 if (ml_empty(&ml)) 1460 return; 1461 1462 NET_RLOCK(); 1463 while ((m = ml_dequeue(&ml)) != NULL) { 1464 /* 1465 * To avoid a "too big" situation at an intermediate router and 1466 * the path MTU discovery process, specify the IPV6_MINMTU 1467 * flag. Note that only echo and node information replies are 1468 * affected, since the length of ICMP6 errors is limited to the 1469 * minimum MTU. 1470 */ 1471 ip6_output(m, NULL, NULL, IPV6_MINMTU, NULL, NULL); 1472 } 1473 NET_RUNLOCK(); 1474 } 1475 1476 void 1477 ip6_send(struct mbuf *m) 1478 { 1479 mq_enqueue(&ip6send_mq, m); 1480 task_add(net_tq(0), &ip6send_task); 1481 } 1482