1 /* $OpenBSD: ip6_input.c,v 1.202 2017/08/22 15:02:34 mpi Exp $ */ 2 /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ 3 4 /* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 /* 34 * Copyright (c) 1982, 1986, 1988, 1993 35 * The Regents of the University of California. All rights reserved. 36 * 37 * Redistribution and use in source and binary forms, with or without 38 * modification, are permitted provided that the following conditions 39 * are met: 40 * 1. Redistributions of source code must retain the above copyright 41 * notice, this list of conditions and the following disclaimer. 42 * 2. Redistributions in binary form must reproduce the above copyright 43 * notice, this list of conditions and the following disclaimer in the 44 * documentation and/or other materials provided with the distribution. 45 * 3. Neither the name of the University nor the names of its contributors 46 * may be used to endorse or promote products derived from this software 47 * without specific prior written permission. 48 * 49 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 50 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 51 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 52 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 53 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 54 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 55 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 56 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 57 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 58 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 59 * SUCH DAMAGE. 60 * 61 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 62 */ 63 64 #include "pf.h" 65 #include "carp.h" 66 67 #include <sys/param.h> 68 #include <sys/systm.h> 69 #include <sys/mbuf.h> 70 #include <sys/domain.h> 71 #include <sys/sysctl.h> 72 #include <sys/protosw.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <sys/errno.h> 76 #include <sys/time.h> 77 #include <sys/timeout.h> 78 #include <sys/kernel.h> 79 #include <sys/syslog.h> 80 #include <sys/task.h> 81 82 #include <net/if.h> 83 #include <net/if_var.h> 84 #include <net/if_types.h> 85 #include <net/route.h> 86 #include <net/netisr.h> 87 88 #include <netinet/in.h> 89 90 #include <netinet/ip.h> 91 92 #include <netinet/in_pcb.h> 93 #include <netinet/ip_var.h> 94 #include <netinet6/in6_var.h> 95 #include <netinet/ip6.h> 96 #include <netinet6/ip6_var.h> 97 #include <netinet/icmp6.h> 98 #include <netinet6/nd6.h> 99 100 #include <netinet6/ip6protosw.h> 101 102 #include "gif.h" 103 #include "bpfilter.h" 104 105 #ifdef MROUTING 106 #include <netinet6/ip6_mroute.h> 107 #endif 108 109 #if NPF > 0 110 #include <net/pfvar.h> 111 #endif 112 113 #if NCARP > 0 114 #include <netinet/ip_carp.h> 115 #endif 116 117 struct niqueue ip6intrq = NIQUEUE_INITIALIZER(IPQ_MAXLEN, NETISR_IPV6); 118 119 struct cpumem *ip6counters; 120 121 int ip6_ours(struct mbuf **, int *, int, int); 122 int ip6_local(struct mbuf **, int *, int, int); 123 int ip6_check_rh0hdr(struct mbuf *, int *); 124 int ip6_hbhchcheck(struct mbuf *, int *, int *, int *); 125 int ip6_hopopts_input(u_int32_t *, u_int32_t *, struct mbuf **, int *); 126 struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int); 127 128 static struct mbuf_queue ip6send_mq; 129 130 static void ip6_send_dispatch(void *); 131 static struct task ip6send_task = 132 TASK_INITIALIZER(ip6_send_dispatch, &ip6send_mq); 133 134 /* 135 * IP6 initialization: fill in IP6 protocol switch table. 136 * All protocols not implemented in kernel go to raw IP6 protocol handler. 137 */ 138 void 139 ip6_init(void) 140 { 141 struct protosw *pr; 142 int i; 143 144 pr = pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW); 145 if (pr == NULL) 146 panic("ip6_init"); 147 for (i = 0; i < IPPROTO_MAX; i++) 148 ip6_protox[i] = pr - inet6sw; 149 for (pr = inet6domain.dom_protosw; 150 pr < inet6domain.dom_protoswNPROTOSW; pr++) 151 if (pr->pr_domain->dom_family == PF_INET6 && 152 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW && 153 pr->pr_protocol < IPPROTO_MAX) 154 ip6_protox[pr->pr_protocol] = pr - inet6sw; 155 ip6_randomid_init(); 156 nd6_init(); 157 frag6_init(); 158 159 mq_init(&ip6send_mq, 64, IPL_SOFTNET); 160 161 ip6counters = counters_alloc(ip6s_ncounters); 162 } 163 164 /* 165 * Enqueue packet for local delivery. Queuing is used as a boundary 166 * between the network layer (input/forward path) running without 167 * KERNEL_LOCK() and the transport layer still needing it. 168 */ 169 int 170 ip6_ours(struct mbuf **mp, int *offp, int nxt, int af) 171 { 172 /* We are already in a IPv4/IPv6 local deliver loop. */ 173 if (af != AF_UNSPEC) 174 return ip6_local(mp, offp, nxt, af); 175 176 niq_enqueue(&ip6intrq, *mp); 177 *mp = NULL; 178 return IPPROTO_DONE; 179 } 180 181 /* 182 * Dequeue and process locally delivered packets. 183 */ 184 void 185 ip6intr(void) 186 { 187 struct mbuf *m; 188 int off, nxt; 189 190 while ((m = niq_dequeue(&ip6intrq)) != NULL) { 191 #ifdef DIAGNOSTIC 192 if ((m->m_flags & M_PKTHDR) == 0) 193 panic("ip6intr no HDR"); 194 #endif 195 off = 0; 196 nxt = ip6_local(&m, &off, IPPROTO_IPV6, AF_UNSPEC); 197 KASSERT(nxt == IPPROTO_DONE); 198 } 199 } 200 201 void 202 ipv6_input(struct ifnet *ifp, struct mbuf *m) 203 { 204 int off, nxt; 205 206 off = 0; 207 nxt = ip6_input_if(&m, &off, IPPROTO_IPV6, AF_UNSPEC, ifp); 208 KASSERT(nxt == IPPROTO_DONE); 209 } 210 211 int 212 ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp) 213 { 214 struct mbuf *m = *mp; 215 struct ip6_hdr *ip6; 216 struct sockaddr_in6 sin6; 217 struct rtentry *rt = NULL; 218 int ours = 0; 219 u_int16_t src_scope, dst_scope; 220 #if NPF > 0 221 struct in6_addr odst; 222 #endif 223 int srcrt = 0; 224 225 KASSERT(*offp == 0); 226 227 ip6stat_inc(ip6s_total); 228 229 if (m->m_len < sizeof(struct ip6_hdr)) { 230 if ((m = *mp = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 231 ip6stat_inc(ip6s_toosmall); 232 goto bad; 233 } 234 } 235 236 ip6 = mtod(m, struct ip6_hdr *); 237 238 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 239 ip6stat_inc(ip6s_badvers); 240 goto bad; 241 } 242 243 #if NCARP > 0 244 if (ifp->if_type == IFT_CARP && 245 carp_lsdrop(m, AF_INET6, ip6->ip6_src.s6_addr32, 246 ip6->ip6_dst.s6_addr32, (ip6->ip6_nxt == IPPROTO_ICMPV6 ? 0 : 1))) 247 goto bad; 248 #endif 249 ip6stat_inc(ip6s_nxthist + ip6->ip6_nxt); 250 251 /* 252 * Check against address spoofing/corruption. 253 */ 254 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) || 255 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) { 256 /* 257 * XXX: "badscope" is not very suitable for a multicast source. 258 */ 259 ip6stat_inc(ip6s_badscope); 260 goto bad; 261 } 262 if ((IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) || 263 IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) && 264 (ifp->if_flags & IFF_LOOPBACK) == 0) { 265 ip6stat_inc(ip6s_badscope); 266 goto bad; 267 } 268 /* Drop packets if interface ID portion is already filled. */ 269 if (((IN6_IS_SCOPE_EMBED(&ip6->ip6_src) && ip6->ip6_src.s6_addr16[1]) || 270 (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst) && ip6->ip6_dst.s6_addr16[1])) && 271 (ifp->if_flags & IFF_LOOPBACK) == 0) { 272 ip6stat_inc(ip6s_badscope); 273 goto bad; 274 } 275 if (IN6_IS_ADDR_MC_INTFACELOCAL(&ip6->ip6_dst) && 276 !(m->m_flags & M_LOOP)) { 277 /* 278 * In this case, the packet should come from the loopback 279 * interface. However, we cannot just check the if_flags, 280 * because ip6_mloopback() passes the "actual" interface 281 * as the outgoing/incoming interface. 282 */ 283 ip6stat_inc(ip6s_badscope); 284 goto bad; 285 } 286 287 /* 288 * The following check is not documented in specs. A malicious 289 * party may be able to use IPv4 mapped addr to confuse tcp/udp stack 290 * and bypass security checks (act as if it was from 127.0.0.1 by using 291 * IPv6 src ::ffff:127.0.0.1). Be cautious. 292 * 293 * This check chokes if we are in an SIIT cloud. As none of BSDs 294 * support IPv4-less kernel compilation, we cannot support SIIT 295 * environment at all. So, it makes more sense for us to reject any 296 * malicious packets for non-SIIT environment, than try to do a 297 * partial support for SIIT environment. 298 */ 299 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 300 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 301 ip6stat_inc(ip6s_badscope); 302 goto bad; 303 } 304 305 /* 306 * Reject packets with IPv4 compatible addresses (auto tunnel). 307 * 308 * The code forbids automatic tunneling as per RFC4213. 309 */ 310 if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) || 311 IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { 312 ip6stat_inc(ip6s_badscope); 313 goto bad; 314 } 315 316 /* 317 * If the packet has been received on a loopback interface it 318 * can be destinated to any local address, not necessarily to 319 * an address configured on `ifp'. 320 */ 321 if (ifp->if_flags & IFF_LOOPBACK) { 322 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) { 323 src_scope = ip6->ip6_src.s6_addr16[1]; 324 ip6->ip6_src.s6_addr16[1] = 0; 325 } 326 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) { 327 dst_scope = ip6->ip6_dst.s6_addr16[1]; 328 ip6->ip6_dst.s6_addr16[1] = 0; 329 } 330 } 331 332 #if NPF > 0 333 /* 334 * Packet filter 335 */ 336 odst = ip6->ip6_dst; 337 if (pf_test(AF_INET6, PF_IN, ifp, mp) != PF_PASS) 338 goto bad; 339 m = *mp; 340 if (m == NULL) 341 goto bad; 342 343 ip6 = mtod(m, struct ip6_hdr *); 344 srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); 345 #endif 346 347 /* 348 * Without embedded scope ID we cannot find link-local 349 * addresses in the routing table. 350 */ 351 if (ifp->if_flags & IFF_LOOPBACK) { 352 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) 353 ip6->ip6_src.s6_addr16[1] = src_scope; 354 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) 355 ip6->ip6_dst.s6_addr16[1] = dst_scope; 356 } else { 357 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) 358 ip6->ip6_src.s6_addr16[1] = htons(ifp->if_index); 359 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) 360 ip6->ip6_dst.s6_addr16[1] = htons(ifp->if_index); 361 } 362 363 /* 364 * Be more secure than RFC5095 and scan for type 0 routing headers. 365 * If pf has already scanned the header chain, do not do it twice. 366 */ 367 if (!(m->m_pkthdr.pf.flags & PF_TAG_PROCESSED) && 368 ip6_check_rh0hdr(m, offp)) { 369 ip6stat_inc(ip6s_badoptions); 370 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, *offp); 371 m = *mp = NULL; 372 goto bad; 373 } 374 375 if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) || 376 IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) { 377 nxt = ip6_ours(mp, offp, nxt, af); 378 goto out; 379 } 380 381 #if NPF > 0 382 if (pf_ouraddr(m) == 1) { 383 nxt = ip6_ours(mp, offp, nxt, af); 384 goto out; 385 } 386 #endif 387 388 /* 389 * Multicast check 390 */ 391 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 392 /* 393 * Make sure M_MCAST is set. It should theoretically 394 * already be there, but let's play safe because upper 395 * layers check for this flag. 396 */ 397 m->m_flags |= M_MCAST; 398 399 /* 400 * See if we belong to the destination multicast group on the 401 * arrival interface. 402 */ 403 if (in6_hasmulti(&ip6->ip6_dst, ifp)) 404 ours = 1; 405 406 #ifdef MROUTING 407 if (ip6_mforwarding && ip6_mrouter[ifp->if_rdomain]) { 408 int error; 409 410 if (ip6_hbhchcheck(m, offp, &nxt, &ours)) 411 goto out; 412 413 ip6 = mtod(m, struct ip6_hdr *); 414 415 /* 416 * If we are acting as a multicast router, all 417 * incoming multicast packets are passed to the 418 * kernel-level multicast forwarding function. 419 * The packet is returned (relatively) intact; if 420 * ip6_mforward() returns a non-zero value, the packet 421 * must be discarded, else it may be accepted below. 422 */ 423 KERNEL_LOCK(); 424 error = ip6_mforward(ip6, ifp, m); 425 KERNEL_UNLOCK(); 426 if (error) { 427 ip6stat_inc(ip6s_cantforward); 428 goto bad; 429 } 430 431 if (ours) { 432 if (af == AF_UNSPEC) { 433 KERNEL_LOCK(); 434 nxt = ip_deliver(mp, offp, nxt, 435 AF_INET6); 436 KERNEL_UNLOCK(); 437 } 438 goto out; 439 } 440 goto bad; 441 } 442 #endif 443 if (!ours) { 444 ip6stat_inc(ip6s_notmember); 445 if (!IN6_IS_ADDR_MC_LINKLOCAL(&ip6->ip6_dst)) 446 ip6stat_inc(ip6s_cantforward); 447 goto bad; 448 } 449 nxt = ip6_ours(mp, offp, nxt, af); 450 goto out; 451 } 452 453 454 /* 455 * Unicast check 456 */ 457 memset(&sin6, 0, sizeof(struct sockaddr_in6)); 458 sin6.sin6_len = sizeof(struct sockaddr_in6); 459 sin6.sin6_family = AF_INET6; 460 sin6.sin6_addr = ip6->ip6_dst; 461 rt = rtalloc_mpath(sin6tosa(&sin6), &ip6->ip6_src.s6_addr32[0], 462 m->m_pkthdr.ph_rtableid); 463 464 /* 465 * Accept the packet if the route to the destination is marked 466 * as local. 467 */ 468 if (rtisvalid(rt) && ISSET(rt->rt_flags, RTF_LOCAL)) { 469 struct in6_ifaddr *ia6 = ifatoia6(rt->rt_ifa); 470 if (ia6->ia6_flags & IN6_IFF_ANYCAST) 471 m->m_flags |= M_ACAST; 472 /* 473 * packets to a tentative, duplicated, or somehow invalid 474 * address must not be accepted. 475 */ 476 if ((ia6->ia6_flags & (IN6_IFF_TENTATIVE|IN6_IFF_DUPLICATED))) { 477 char src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN]; 478 479 inet_ntop(AF_INET6, &ip6->ip6_src, src, sizeof(src)); 480 inet_ntop(AF_INET6, &ip6->ip6_dst, dst, sizeof(dst)); 481 /* address is not ready, so discard the packet. */ 482 nd6log((LOG_INFO, 483 "%s: packet to an unready address %s->%s\n", 484 __func__, src, dst)); 485 486 goto bad; 487 } else { 488 nxt = ip6_ours(mp, offp, nxt, af); 489 goto out; 490 } 491 } 492 493 #if NCARP > 0 494 if (ifp->if_type == IFT_CARP && ip6->ip6_nxt == IPPROTO_ICMPV6 && 495 carp_lsdrop(m, AF_INET6, ip6->ip6_src.s6_addr32, 496 ip6->ip6_dst.s6_addr32, 1)) 497 goto bad; 498 #endif 499 /* 500 * Now there is no reason to process the packet if it's not our own 501 * and we're not a router. 502 */ 503 if (!ip6_forwarding) { 504 ip6stat_inc(ip6s_cantforward); 505 goto bad; 506 } 507 508 if (ip6_hbhchcheck(m, offp, &nxt, &ours)) 509 goto out; 510 511 if (ours) { 512 if (af == AF_UNSPEC) { 513 KERNEL_LOCK(); 514 nxt = ip_deliver(mp, offp, nxt, AF_INET6); 515 KERNEL_UNLOCK(); 516 } 517 goto out; 518 } 519 520 #ifdef IPSEC 521 if (ipsec_in_use) { 522 int rv; 523 524 KERNEL_ASSERT_LOCKED(); 525 rv = ipsec_forward_check(m, *offp, AF_INET6); 526 if (rv != 0) { 527 ip6stat_inc(ip6s_cantforward); 528 goto bad; 529 } 530 /* 531 * Fall through, forward packet. Outbound IPsec policy 532 * checking will occur in ip6_forward(). 533 */ 534 } 535 #endif /* IPSEC */ 536 537 ip6_forward(m, rt, srcrt); 538 *mp = NULL; 539 return IPPROTO_DONE; 540 bad: 541 nxt = IPPROTO_DONE; 542 m_freemp(mp); 543 out: 544 rtfree(rt); 545 return nxt; 546 } 547 548 int 549 ip6_local(struct mbuf **mp, int *offp, int nxt, int af) 550 { 551 if (ip6_hbhchcheck(*mp, offp, &nxt, NULL)) 552 return IPPROTO_DONE; 553 554 /* Check wheter we are already in a IPv4/IPv6 local deliver loop. */ 555 if (af == AF_UNSPEC) 556 nxt = ip_deliver(mp, offp, nxt, AF_INET6); 557 return nxt; 558 } 559 560 int 561 ip6_hbhchcheck(struct mbuf *m, int *offp, int *nxtp, int *oursp) 562 { 563 struct ip6_hdr *ip6; 564 u_int32_t plen, rtalert = ~0; 565 566 ip6 = mtod(m, struct ip6_hdr *); 567 568 /* 569 * Process Hop-by-Hop options header if it's contained. 570 * m may be modified in ip6_hopopts_input(). 571 * If a JumboPayload option is included, plen will also be modified. 572 */ 573 plen = (u_int32_t)ntohs(ip6->ip6_plen); 574 *offp = sizeof(struct ip6_hdr); 575 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 576 struct ip6_hbh *hbh; 577 578 if (ip6_hopopts_input(&plen, &rtalert, &m, offp)) { 579 goto bad; /* m have already been freed */ 580 } 581 582 /* adjust pointer */ 583 ip6 = mtod(m, struct ip6_hdr *); 584 585 /* 586 * if the payload length field is 0 and the next header field 587 * indicates Hop-by-Hop Options header, then a Jumbo Payload 588 * option MUST be included. 589 */ 590 if (ip6->ip6_plen == 0 && plen == 0) { 591 /* 592 * Note that if a valid jumbo payload option is 593 * contained, ip6_hopopts_input() must set a valid 594 * (non-zero) payload length to the variable plen. 595 */ 596 ip6stat_inc(ip6s_badoptions); 597 icmp6_error(m, ICMP6_PARAM_PROB, 598 ICMP6_PARAMPROB_HEADER, 599 (caddr_t)&ip6->ip6_plen - (caddr_t)ip6); 600 goto bad; 601 } 602 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 603 sizeof(struct ip6_hbh)); 604 if (hbh == NULL) { 605 ip6stat_inc(ip6s_tooshort); 606 goto bad; 607 } 608 *nxtp = hbh->ip6h_nxt; 609 610 /* 611 * accept the packet if a router alert option is included 612 * and we act as an IPv6 router. 613 */ 614 if (rtalert != ~0 && ip6_forwarding && oursp != NULL) 615 *oursp = 1; 616 } else 617 *nxtp = ip6->ip6_nxt; 618 619 /* 620 * Check that the amount of data in the buffers 621 * is as at least much as the IPv6 header would have us expect. 622 * Trim mbufs if longer than we expect. 623 * Drop packet if shorter than we expect. 624 */ 625 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) { 626 ip6stat_inc(ip6s_tooshort); 627 m_freem(m); 628 goto bad; 629 } 630 if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) { 631 if (m->m_len == m->m_pkthdr.len) { 632 m->m_len = sizeof(struct ip6_hdr) + plen; 633 m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen; 634 } else { 635 m_adj(m, 636 sizeof(struct ip6_hdr) + plen - m->m_pkthdr.len); 637 } 638 } 639 640 return (0); 641 642 bad: 643 *nxtp = IPPROTO_DONE; 644 return (-1); 645 } 646 647 /* scan packet for RH0 routing header. Mostly stolen from pf.c:pf_test() */ 648 int 649 ip6_check_rh0hdr(struct mbuf *m, int *offp) 650 { 651 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 652 struct ip6_rthdr rthdr; 653 struct ip6_ext opt6; 654 u_int8_t proto = ip6->ip6_nxt; 655 int done = 0, lim, off, rh_cnt = 0; 656 657 off = ((caddr_t)ip6 - m->m_data) + sizeof(struct ip6_hdr); 658 lim = min(m->m_pkthdr.len, ntohs(ip6->ip6_plen) + sizeof(*ip6)); 659 do { 660 switch (proto) { 661 case IPPROTO_ROUTING: 662 *offp = off; 663 if (rh_cnt++) { 664 /* more than one rh header present */ 665 return (1); 666 } 667 668 if (off + sizeof(rthdr) > lim) { 669 /* packet to short to make sense */ 670 return (1); 671 } 672 673 m_copydata(m, off, sizeof(rthdr), (caddr_t)&rthdr); 674 675 if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) { 676 *offp += offsetof(struct ip6_rthdr, ip6r_type); 677 return (1); 678 } 679 680 off += (rthdr.ip6r_len + 1) * 8; 681 proto = rthdr.ip6r_nxt; 682 break; 683 case IPPROTO_AH: 684 case IPPROTO_HOPOPTS: 685 case IPPROTO_DSTOPTS: 686 /* get next header and header length */ 687 if (off + sizeof(opt6) > lim) { 688 /* 689 * Packet to short to make sense, we could 690 * reject the packet but as a router we 691 * should not do that so forward it. 692 */ 693 return (0); 694 } 695 696 m_copydata(m, off, sizeof(opt6), (caddr_t)&opt6); 697 698 if (proto == IPPROTO_AH) 699 off += (opt6.ip6e_len + 2) * 4; 700 else 701 off += (opt6.ip6e_len + 1) * 8; 702 proto = opt6.ip6e_nxt; 703 break; 704 case IPPROTO_FRAGMENT: 705 default: 706 /* end of header stack */ 707 done = 1; 708 break; 709 } 710 } while (!done); 711 712 return (0); 713 } 714 715 /* 716 * Hop-by-Hop options header processing. If a valid jumbo payload option is 717 * included, the real payload length will be stored in plenp. 718 * 719 * rtalertp - XXX: should be stored in a more smart way 720 */ 721 int 722 ip6_hopopts_input(u_int32_t *plenp, u_int32_t *rtalertp, struct mbuf **mp, 723 int *offp) 724 { 725 struct mbuf *m = *mp; 726 int off = *offp, hbhlen; 727 struct ip6_hbh *hbh; 728 729 /* validation of the length of the header */ 730 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, 731 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh)); 732 if (hbh == NULL) { 733 ip6stat_inc(ip6s_tooshort); 734 return -1; 735 } 736 hbhlen = (hbh->ip6h_len + 1) << 3; 737 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 738 hbhlen); 739 if (hbh == NULL) { 740 ip6stat_inc(ip6s_tooshort); 741 return -1; 742 } 743 off += hbhlen; 744 hbhlen -= sizeof(struct ip6_hbh); 745 746 if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh), 747 hbhlen, rtalertp, plenp) < 0) 748 return (-1); 749 750 *offp = off; 751 *mp = m; 752 return (0); 753 } 754 755 /* 756 * Search header for all Hop-by-hop options and process each option. 757 * This function is separate from ip6_hopopts_input() in order to 758 * handle a case where the sending node itself process its hop-by-hop 759 * options header. In such a case, the function is called from ip6_output(). 760 * 761 * The function assumes that hbh header is located right after the IPv6 header 762 * (RFC2460 p7), opthead is pointer into data content in m, and opthead to 763 * opthead + hbhlen is located in continuous memory region. 764 */ 765 int 766 ip6_process_hopopts(struct mbuf *m, u_int8_t *opthead, int hbhlen, 767 u_int32_t *rtalertp, u_int32_t *plenp) 768 { 769 struct ip6_hdr *ip6; 770 int optlen = 0; 771 u_int8_t *opt = opthead; 772 u_int16_t rtalert_val; 773 u_int32_t jumboplen; 774 const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh); 775 776 for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) { 777 switch (*opt) { 778 case IP6OPT_PAD1: 779 optlen = 1; 780 break; 781 case IP6OPT_PADN: 782 if (hbhlen < IP6OPT_MINLEN) { 783 ip6stat_inc(ip6s_toosmall); 784 goto bad; 785 } 786 optlen = *(opt + 1) + 2; 787 break; 788 case IP6OPT_ROUTER_ALERT: 789 /* XXX may need check for alignment */ 790 if (hbhlen < IP6OPT_RTALERT_LEN) { 791 ip6stat_inc(ip6s_toosmall); 792 goto bad; 793 } 794 if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) { 795 /* XXX stat */ 796 icmp6_error(m, ICMP6_PARAM_PROB, 797 ICMP6_PARAMPROB_HEADER, 798 erroff + opt + 1 - opthead); 799 return (-1); 800 } 801 optlen = IP6OPT_RTALERT_LEN; 802 memcpy((caddr_t)&rtalert_val, (caddr_t)(opt + 2), 2); 803 *rtalertp = ntohs(rtalert_val); 804 break; 805 case IP6OPT_JUMBO: 806 /* XXX may need check for alignment */ 807 if (hbhlen < IP6OPT_JUMBO_LEN) { 808 ip6stat_inc(ip6s_toosmall); 809 goto bad; 810 } 811 if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) { 812 /* XXX stat */ 813 icmp6_error(m, ICMP6_PARAM_PROB, 814 ICMP6_PARAMPROB_HEADER, 815 erroff + opt + 1 - opthead); 816 return (-1); 817 } 818 optlen = IP6OPT_JUMBO_LEN; 819 820 /* 821 * IPv6 packets that have non 0 payload length 822 * must not contain a jumbo payload option. 823 */ 824 ip6 = mtod(m, struct ip6_hdr *); 825 if (ip6->ip6_plen) { 826 ip6stat_inc(ip6s_badoptions); 827 icmp6_error(m, ICMP6_PARAM_PROB, 828 ICMP6_PARAMPROB_HEADER, 829 erroff + opt - opthead); 830 return (-1); 831 } 832 833 /* 834 * We may see jumbolen in unaligned location, so 835 * we'd need to perform memcpy(). 836 */ 837 memcpy(&jumboplen, opt + 2, sizeof(jumboplen)); 838 jumboplen = (u_int32_t)htonl(jumboplen); 839 840 #if 1 841 /* 842 * if there are multiple jumbo payload options, 843 * *plenp will be non-zero and the packet will be 844 * rejected. 845 * the behavior may need some debate in ipngwg - 846 * multiple options does not make sense, however, 847 * there's no explicit mention in specification. 848 */ 849 if (*plenp != 0) { 850 ip6stat_inc(ip6s_badoptions); 851 icmp6_error(m, ICMP6_PARAM_PROB, 852 ICMP6_PARAMPROB_HEADER, 853 erroff + opt + 2 - opthead); 854 return (-1); 855 } 856 #endif 857 858 /* 859 * jumbo payload length must be larger than 65535. 860 */ 861 if (jumboplen <= IPV6_MAXPACKET) { 862 ip6stat_inc(ip6s_badoptions); 863 icmp6_error(m, ICMP6_PARAM_PROB, 864 ICMP6_PARAMPROB_HEADER, 865 erroff + opt + 2 - opthead); 866 return (-1); 867 } 868 *plenp = jumboplen; 869 870 break; 871 default: /* unknown option */ 872 if (hbhlen < IP6OPT_MINLEN) { 873 ip6stat_inc(ip6s_toosmall); 874 goto bad; 875 } 876 optlen = ip6_unknown_opt(opt, m, 877 erroff + opt - opthead); 878 if (optlen == -1) 879 return (-1); 880 optlen += 2; 881 break; 882 } 883 } 884 885 return (0); 886 887 bad: 888 m_freem(m); 889 return (-1); 890 } 891 892 /* 893 * Unknown option processing. 894 * The third argument `off' is the offset from the IPv6 header to the option, 895 * which allows returning an ICMPv6 error even if the IPv6 header and the 896 * option header are not continuous. 897 */ 898 int 899 ip6_unknown_opt(u_int8_t *optp, struct mbuf *m, int off) 900 { 901 struct ip6_hdr *ip6; 902 903 switch (IP6OPT_TYPE(*optp)) { 904 case IP6OPT_TYPE_SKIP: /* ignore the option */ 905 return ((int)*(optp + 1)); 906 case IP6OPT_TYPE_DISCARD: /* silently discard */ 907 m_freem(m); 908 return (-1); 909 case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */ 910 ip6stat_inc(ip6s_badoptions); 911 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off); 912 return (-1); 913 case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */ 914 ip6stat_inc(ip6s_badoptions); 915 ip6 = mtod(m, struct ip6_hdr *); 916 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) || 917 (m->m_flags & (M_BCAST|M_MCAST))) 918 m_freem(m); 919 else 920 icmp6_error(m, ICMP6_PARAM_PROB, 921 ICMP6_PARAMPROB_OPTION, off); 922 return (-1); 923 } 924 925 m_freem(m); /* XXX: NOTREACHED */ 926 return (-1); 927 } 928 929 /* 930 * Create the "control" list for this pcb. 931 * 932 * The routine will be called from upper layer handlers like udp_input(). 933 * Thus the routine assumes that the caller (udp_input) have already 934 * called IP6_EXTHDR_CHECK() and all the extension headers are located in the 935 * very first mbuf on the mbuf chain. 936 * We may want to add some infinite loop prevention or sanity checks for safety. 937 * (This applies only when you are using KAME mbuf chain restriction, i.e. 938 * you are using IP6_EXTHDR_CHECK() not m_pulldown()) 939 */ 940 void 941 ip6_savecontrol(struct inpcb *in6p, struct mbuf *m, struct mbuf **mp) 942 { 943 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 944 945 if (in6p->inp_socket->so_options & SO_TIMESTAMP) { 946 struct timeval tv; 947 948 microtime(&tv); 949 *mp = sbcreatecontrol((caddr_t) &tv, sizeof(tv), 950 SCM_TIMESTAMP, SOL_SOCKET); 951 if (*mp) 952 mp = &(*mp)->m_next; 953 } 954 955 /* RFC 2292 sec. 5 */ 956 if ((in6p->inp_flags & IN6P_PKTINFO) != 0) { 957 struct in6_pktinfo pi6; 958 memcpy(&pi6.ipi6_addr, &ip6->ip6_dst, sizeof(struct in6_addr)); 959 if (IN6_IS_SCOPE_EMBED(&pi6.ipi6_addr)) 960 pi6.ipi6_addr.s6_addr16[1] = 0; 961 pi6.ipi6_ifindex = m ? m->m_pkthdr.ph_ifidx : 0; 962 *mp = sbcreatecontrol((caddr_t) &pi6, 963 sizeof(struct in6_pktinfo), 964 IPV6_PKTINFO, IPPROTO_IPV6); 965 if (*mp) 966 mp = &(*mp)->m_next; 967 } 968 969 if ((in6p->inp_flags & IN6P_HOPLIMIT) != 0) { 970 int hlim = ip6->ip6_hlim & 0xff; 971 *mp = sbcreatecontrol((caddr_t) &hlim, sizeof(int), 972 IPV6_HOPLIMIT, IPPROTO_IPV6); 973 if (*mp) 974 mp = &(*mp)->m_next; 975 } 976 977 if ((in6p->inp_flags & IN6P_TCLASS) != 0) { 978 u_int32_t flowinfo; 979 int tclass; 980 981 flowinfo = (u_int32_t)ntohl(ip6->ip6_flow & IPV6_FLOWINFO_MASK); 982 flowinfo >>= 20; 983 984 tclass = flowinfo & 0xff; 985 *mp = sbcreatecontrol((caddr_t)&tclass, sizeof(tclass), 986 IPV6_TCLASS, IPPROTO_IPV6); 987 if (*mp) 988 mp = &(*mp)->m_next; 989 } 990 991 /* 992 * IPV6_HOPOPTS socket option. Recall that we required super-user 993 * privilege for the option (see ip6_ctloutput), but it might be too 994 * strict, since there might be some hop-by-hop options which can be 995 * returned to normal user. 996 * See also RFC 2292 section 6 (or RFC 3542 section 8). 997 */ 998 if ((in6p->inp_flags & IN6P_HOPOPTS) != 0) { 999 /* 1000 * Check if a hop-by-hop options header is contained in the 1001 * received packet, and if so, store the options as ancillary 1002 * data. Note that a hop-by-hop options header must be 1003 * just after the IPv6 header, which is assured through the 1004 * IPv6 input processing. 1005 */ 1006 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1007 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 1008 struct ip6_hbh *hbh; 1009 int hbhlen = 0; 1010 struct mbuf *ext; 1011 1012 ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr), 1013 ip6->ip6_nxt); 1014 if (ext == NULL) { 1015 ip6stat_inc(ip6s_tooshort); 1016 return; 1017 } 1018 hbh = mtod(ext, struct ip6_hbh *); 1019 hbhlen = (hbh->ip6h_len + 1) << 3; 1020 if (hbhlen != ext->m_len) { 1021 m_freem(ext); 1022 ip6stat_inc(ip6s_tooshort); 1023 return; 1024 } 1025 1026 /* 1027 * XXX: We copy the whole header even if a 1028 * jumbo payload option is included, the option which 1029 * is to be removed before returning according to 1030 * RFC2292. 1031 * Note: this constraint is removed in RFC3542. 1032 */ 1033 *mp = sbcreatecontrol((caddr_t)hbh, hbhlen, 1034 IPV6_HOPOPTS, 1035 IPPROTO_IPV6); 1036 if (*mp) 1037 mp = &(*mp)->m_next; 1038 m_freem(ext); 1039 } 1040 } 1041 1042 /* IPV6_DSTOPTS and IPV6_RTHDR socket options */ 1043 if ((in6p->inp_flags & (IN6P_RTHDR | IN6P_DSTOPTS)) != 0) { 1044 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1045 int nxt = ip6->ip6_nxt, off = sizeof(struct ip6_hdr); 1046 1047 /* 1048 * Search for destination options headers or routing 1049 * header(s) through the header chain, and stores each 1050 * header as ancillary data. 1051 * Note that the order of the headers remains in 1052 * the chain of ancillary data. 1053 */ 1054 while (1) { /* is explicit loop prevention necessary? */ 1055 struct ip6_ext *ip6e = NULL; 1056 int elen; 1057 struct mbuf *ext = NULL; 1058 1059 /* 1060 * if it is not an extension header, don't try to 1061 * pull it from the chain. 1062 */ 1063 switch (nxt) { 1064 case IPPROTO_DSTOPTS: 1065 case IPPROTO_ROUTING: 1066 case IPPROTO_HOPOPTS: 1067 case IPPROTO_AH: /* is it possible? */ 1068 break; 1069 default: 1070 goto loopend; 1071 } 1072 1073 ext = ip6_pullexthdr(m, off, nxt); 1074 if (ext == NULL) { 1075 ip6stat_inc(ip6s_tooshort); 1076 return; 1077 } 1078 ip6e = mtod(ext, struct ip6_ext *); 1079 if (nxt == IPPROTO_AH) 1080 elen = (ip6e->ip6e_len + 2) << 2; 1081 else 1082 elen = (ip6e->ip6e_len + 1) << 3; 1083 if (elen != ext->m_len) { 1084 m_freem(ext); 1085 ip6stat_inc(ip6s_tooshort); 1086 return; 1087 } 1088 1089 switch (nxt) { 1090 case IPPROTO_DSTOPTS: 1091 if (!(in6p->inp_flags & IN6P_DSTOPTS)) 1092 break; 1093 1094 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1095 IPV6_DSTOPTS, 1096 IPPROTO_IPV6); 1097 if (*mp) 1098 mp = &(*mp)->m_next; 1099 break; 1100 1101 case IPPROTO_ROUTING: 1102 if (!(in6p->inp_flags & IN6P_RTHDR)) 1103 break; 1104 1105 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1106 IPV6_RTHDR, 1107 IPPROTO_IPV6); 1108 if (*mp) 1109 mp = &(*mp)->m_next; 1110 break; 1111 1112 case IPPROTO_HOPOPTS: 1113 case IPPROTO_AH: /* is it possible? */ 1114 break; 1115 1116 default: 1117 /* 1118 * other cases have been filtered in the above. 1119 * none will visit this case. here we supply 1120 * the code just in case (nxt overwritten or 1121 * other cases). 1122 */ 1123 m_freem(ext); 1124 goto loopend; 1125 1126 } 1127 1128 /* proceed with the next header. */ 1129 off += elen; 1130 nxt = ip6e->ip6e_nxt; 1131 ip6e = NULL; 1132 m_freem(ext); 1133 ext = NULL; 1134 } 1135 loopend: 1136 ; 1137 } 1138 } 1139 1140 /* 1141 * pull single extension header from mbuf chain. returns single mbuf that 1142 * contains the result, or NULL on error. 1143 */ 1144 struct mbuf * 1145 ip6_pullexthdr(struct mbuf *m, size_t off, int nxt) 1146 { 1147 struct ip6_ext ip6e; 1148 size_t elen; 1149 struct mbuf *n; 1150 1151 #ifdef DIAGNOSTIC 1152 switch (nxt) { 1153 case IPPROTO_DSTOPTS: 1154 case IPPROTO_ROUTING: 1155 case IPPROTO_HOPOPTS: 1156 case IPPROTO_AH: /* is it possible? */ 1157 break; 1158 default: 1159 printf("ip6_pullexthdr: invalid nxt=%d\n", nxt); 1160 } 1161 #endif 1162 1163 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1164 if (nxt == IPPROTO_AH) 1165 elen = (ip6e.ip6e_len + 2) << 2; 1166 else 1167 elen = (ip6e.ip6e_len + 1) << 3; 1168 1169 MGET(n, M_DONTWAIT, MT_DATA); 1170 if (n && elen >= MLEN) { 1171 MCLGET(n, M_DONTWAIT); 1172 if ((n->m_flags & M_EXT) == 0) { 1173 m_free(n); 1174 n = NULL; 1175 } 1176 } 1177 if (!n) 1178 return NULL; 1179 1180 n->m_len = 0; 1181 if (elen >= M_TRAILINGSPACE(n)) { 1182 m_free(n); 1183 return NULL; 1184 } 1185 1186 m_copydata(m, off, elen, mtod(n, caddr_t)); 1187 n->m_len = elen; 1188 return n; 1189 } 1190 1191 /* 1192 * Get pointer to the previous header followed by the header 1193 * currently processed. 1194 * XXX: This function supposes that 1195 * M includes all headers, 1196 * the next header field and the header length field of each header 1197 * are valid, and 1198 * the sum of each header length equals to OFF. 1199 * Because of these assumptions, this function must be called very 1200 * carefully. Moreover, it will not be used in the near future when 1201 * we develop `neater' mechanism to process extension headers. 1202 */ 1203 u_int8_t * 1204 ip6_get_prevhdr(struct mbuf *m, int off) 1205 { 1206 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1207 1208 if (off == sizeof(struct ip6_hdr)) 1209 return (&ip6->ip6_nxt); 1210 else { 1211 int len, nxt; 1212 struct ip6_ext *ip6e = NULL; 1213 1214 nxt = ip6->ip6_nxt; 1215 len = sizeof(struct ip6_hdr); 1216 while (len < off) { 1217 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + len); 1218 1219 switch (nxt) { 1220 case IPPROTO_FRAGMENT: 1221 len += sizeof(struct ip6_frag); 1222 break; 1223 case IPPROTO_AH: 1224 len += (ip6e->ip6e_len + 2) << 2; 1225 break; 1226 default: 1227 len += (ip6e->ip6e_len + 1) << 3; 1228 break; 1229 } 1230 nxt = ip6e->ip6e_nxt; 1231 } 1232 if (ip6e) 1233 return (&ip6e->ip6e_nxt); 1234 else 1235 return NULL; 1236 } 1237 } 1238 1239 /* 1240 * get next header offset. m will be retained. 1241 */ 1242 int 1243 ip6_nexthdr(struct mbuf *m, int off, int proto, int *nxtp) 1244 { 1245 struct ip6_hdr ip6; 1246 struct ip6_ext ip6e; 1247 struct ip6_frag fh; 1248 1249 /* just in case */ 1250 if (m == NULL) 1251 panic("ip6_nexthdr: m == NULL"); 1252 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off) 1253 return -1; 1254 1255 switch (proto) { 1256 case IPPROTO_IPV6: 1257 if (m->m_pkthdr.len < off + sizeof(ip6)) 1258 return -1; 1259 m_copydata(m, off, sizeof(ip6), (caddr_t)&ip6); 1260 if (nxtp) 1261 *nxtp = ip6.ip6_nxt; 1262 off += sizeof(ip6); 1263 return off; 1264 1265 case IPPROTO_FRAGMENT: 1266 /* 1267 * terminate parsing if it is not the first fragment, 1268 * it does not make sense to parse through it. 1269 */ 1270 if (m->m_pkthdr.len < off + sizeof(fh)) 1271 return -1; 1272 m_copydata(m, off, sizeof(fh), (caddr_t)&fh); 1273 if ((fh.ip6f_offlg & IP6F_OFF_MASK) != 0) 1274 return -1; 1275 if (nxtp) 1276 *nxtp = fh.ip6f_nxt; 1277 off += sizeof(struct ip6_frag); 1278 return off; 1279 1280 case IPPROTO_AH: 1281 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1282 return -1; 1283 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1284 if (nxtp) 1285 *nxtp = ip6e.ip6e_nxt; 1286 off += (ip6e.ip6e_len + 2) << 2; 1287 if (m->m_pkthdr.len < off) 1288 return -1; 1289 return off; 1290 1291 case IPPROTO_HOPOPTS: 1292 case IPPROTO_ROUTING: 1293 case IPPROTO_DSTOPTS: 1294 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1295 return -1; 1296 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1297 if (nxtp) 1298 *nxtp = ip6e.ip6e_nxt; 1299 off += (ip6e.ip6e_len + 1) << 3; 1300 if (m->m_pkthdr.len < off) 1301 return -1; 1302 return off; 1303 1304 case IPPROTO_NONE: 1305 case IPPROTO_ESP: 1306 case IPPROTO_IPCOMP: 1307 /* give up */ 1308 return -1; 1309 1310 default: 1311 return -1; 1312 } 1313 1314 return -1; 1315 } 1316 1317 /* 1318 * get offset for the last header in the chain. m will be kept untainted. 1319 */ 1320 int 1321 ip6_lasthdr(struct mbuf *m, int off, int proto, int *nxtp) 1322 { 1323 int newoff; 1324 int nxt; 1325 1326 if (!nxtp) { 1327 nxt = -1; 1328 nxtp = &nxt; 1329 } 1330 while (1) { 1331 newoff = ip6_nexthdr(m, off, proto, nxtp); 1332 if (newoff < 0) 1333 return off; 1334 else if (newoff < off) 1335 return -1; /* invalid */ 1336 else if (newoff == off) 1337 return newoff; 1338 1339 off = newoff; 1340 proto = *nxtp; 1341 } 1342 } 1343 1344 /* 1345 * System control for IP6 1346 */ 1347 1348 u_char inet6ctlerrmap[PRC_NCMDS] = { 1349 0, 0, 0, 0, 1350 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH, 1351 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, 1352 EMSGSIZE, EHOSTUNREACH, 0, 0, 1353 0, 0, 0, 0, 1354 ENOPROTOOPT 1355 }; 1356 1357 int *ipv6ctl_vars[IPV6CTL_MAXID] = IPV6CTL_VARS; 1358 1359 int 1360 ip6_sysctl_ip6stat(void *oldp, size_t *oldlenp, void *newp) 1361 { 1362 struct ip6stat *ip6stat; 1363 int ret; 1364 1365 CTASSERT(sizeof(*ip6stat) == (ip6s_ncounters * sizeof(uint64_t))); 1366 1367 ip6stat = malloc(sizeof(*ip6stat), M_TEMP, M_WAITOK); 1368 counters_read(ip6counters, (uint64_t *)ip6stat, ip6s_ncounters); 1369 ret = sysctl_rdstruct(oldp, oldlenp, newp, 1370 ip6stat, sizeof(*ip6stat)); 1371 free(ip6stat, M_TEMP, sizeof(*ip6stat)); 1372 1373 return (ret); 1374 } 1375 1376 int 1377 ip6_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, 1378 void *newp, size_t newlen) 1379 { 1380 #ifdef MROUTING 1381 extern int ip6_mrtproto; 1382 extern struct mrt6stat mrt6stat; 1383 #endif 1384 int error; 1385 1386 NET_ASSERT_LOCKED(); 1387 1388 /* Almost all sysctl names at this level are terminal. */ 1389 if (namelen != 1 && name[0] != IPV6CTL_IFQUEUE) 1390 return (ENOTDIR); 1391 1392 switch (name[0]) { 1393 case IPV6CTL_DAD_PENDING: 1394 return sysctl_rdint(oldp, oldlenp, newp, ip6_dad_pending); 1395 case IPV6CTL_STATS: 1396 return (ip6_sysctl_ip6stat(oldp, oldlenp, newp)); 1397 #ifdef MROUTING 1398 case IPV6CTL_MRTSTATS: 1399 if (newp != NULL) 1400 return (EPERM); 1401 return (sysctl_struct(oldp, oldlenp, newp, newlen, 1402 &mrt6stat, sizeof(mrt6stat))); 1403 case IPV6CTL_MRTPROTO: 1404 return sysctl_rdint(oldp, oldlenp, newp, ip6_mrtproto); 1405 case IPV6CTL_MRTMIF: 1406 if (newp) 1407 return (EPERM); 1408 return mrt6_sysctl_mif(oldp, oldlenp); 1409 case IPV6CTL_MRTMFC: 1410 if (newp) 1411 return (EPERM); 1412 return mrt6_sysctl_mfc(oldp, oldlenp); 1413 #else 1414 case IPV6CTL_MRTSTATS: 1415 case IPV6CTL_MRTPROTO: 1416 case IPV6CTL_MRTMIF: 1417 case IPV6CTL_MRTMFC: 1418 return (EOPNOTSUPP); 1419 #endif 1420 case IPV6CTL_MTUDISCTIMEOUT: 1421 error = sysctl_int(oldp, oldlenp, newp, newlen, 1422 &ip6_mtudisc_timeout); 1423 if (icmp6_mtudisc_timeout_q != NULL) 1424 rt_timer_queue_change(icmp6_mtudisc_timeout_q, 1425 ip6_mtudisc_timeout); 1426 return (error); 1427 case IPV6CTL_IFQUEUE: 1428 return (sysctl_niq(name + 1, namelen - 1, 1429 oldp, oldlenp, newp, newlen, &ip6intrq)); 1430 default: 1431 if (name[0] < IPV6CTL_MAXID) 1432 return (sysctl_int_arr(ipv6ctl_vars, name, namelen, 1433 oldp, oldlenp, newp, newlen)); 1434 return (EOPNOTSUPP); 1435 } 1436 /* NOTREACHED */ 1437 } 1438 1439 void 1440 ip6_send_dispatch(void *xmq) 1441 { 1442 struct mbuf_queue *mq = xmq; 1443 struct mbuf *m; 1444 struct mbuf_list ml; 1445 #ifdef IPSEC 1446 int locked = 0; 1447 #endif /* IPSEC */ 1448 1449 mq_delist(mq, &ml); 1450 if (ml_empty(&ml)) 1451 return; 1452 1453 NET_LOCK(); 1454 1455 #ifdef IPSEC 1456 /* 1457 * IPsec is not ready to run without KERNEL_LOCK(). So all 1458 * the traffic on your machine is punished if you have IPsec 1459 * enabled. 1460 */ 1461 extern int ipsec_in_use; 1462 if (ipsec_in_use) { 1463 NET_UNLOCK(); 1464 KERNEL_LOCK(); 1465 NET_LOCK(); 1466 locked = 1; 1467 } 1468 #endif /* IPSEC */ 1469 1470 while ((m = ml_dequeue(&ml)) != NULL) { 1471 ip6_output(m, NULL, NULL, IPV6_MINMTU, NULL, NULL); 1472 } 1473 NET_UNLOCK(); 1474 1475 #ifdef IPSEC 1476 if (locked) 1477 KERNEL_UNLOCK(); 1478 #endif /* IPSEC */ 1479 } 1480 1481 void 1482 ip6_send(struct mbuf *m) 1483 { 1484 mq_enqueue(&ip6send_mq, m); 1485 task_add(softnettq, &ip6send_task); 1486 } 1487