1 /* $OpenBSD: ip6_input.c,v 1.230 2020/11/16 06:44:39 gnezdo Exp $ */ 2 /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ 3 4 /* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 /* 34 * Copyright (c) 1982, 1986, 1988, 1993 35 * The Regents of the University of California. All rights reserved. 36 * 37 * Redistribution and use in source and binary forms, with or without 38 * modification, are permitted provided that the following conditions 39 * are met: 40 * 1. Redistributions of source code must retain the above copyright 41 * notice, this list of conditions and the following disclaimer. 42 * 2. Redistributions in binary form must reproduce the above copyright 43 * notice, this list of conditions and the following disclaimer in the 44 * documentation and/or other materials provided with the distribution. 45 * 3. Neither the name of the University nor the names of its contributors 46 * may be used to endorse or promote products derived from this software 47 * without specific prior written permission. 48 * 49 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 50 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 51 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 52 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 53 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 54 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 55 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 56 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 57 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 58 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 59 * SUCH DAMAGE. 60 * 61 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 62 */ 63 64 #include "pf.h" 65 #include "carp.h" 66 67 #include <sys/param.h> 68 #include <sys/systm.h> 69 #include <sys/mbuf.h> 70 #include <sys/domain.h> 71 #include <sys/sysctl.h> 72 #include <sys/protosw.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <sys/errno.h> 76 #include <sys/time.h> 77 #include <sys/timeout.h> 78 #include <sys/kernel.h> 79 #include <sys/syslog.h> 80 #include <sys/task.h> 81 82 #include <net/if.h> 83 #include <net/if_var.h> 84 #include <net/if_types.h> 85 #include <net/route.h> 86 #include <net/netisr.h> 87 88 #include <netinet/in.h> 89 90 #include <netinet/ip.h> 91 92 #include <netinet/in_pcb.h> 93 #include <netinet/ip_var.h> 94 #include <netinet6/in6_var.h> 95 #include <netinet6/in6_ifattach.h> 96 #include <netinet/ip6.h> 97 #include <netinet6/ip6_var.h> 98 #include <netinet/icmp6.h> 99 #include <netinet6/nd6.h> 100 101 #include <netinet6/ip6protosw.h> 102 103 #include "gif.h" 104 #include "bpfilter.h" 105 106 #ifdef MROUTING 107 #include <netinet6/ip6_mroute.h> 108 #endif 109 110 #if NPF > 0 111 #include <net/pfvar.h> 112 #endif 113 114 #if NCARP > 0 115 #include <netinet/ip_carp.h> 116 #endif 117 118 struct cpumem *ip6counters; 119 120 uint8_t ip6_soiikey[IP6_SOIIKEY_LEN]; 121 122 int ip6_ours(struct mbuf **, int *, int, int); 123 int ip6_check_rh0hdr(struct mbuf *, int *); 124 int ip6_hbhchcheck(struct mbuf *, int *, int *, int *); 125 int ip6_hopopts_input(u_int32_t *, u_int32_t *, struct mbuf **, int *); 126 struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int); 127 int ip6_sysctl_soiikey(void *, size_t *, void *, size_t); 128 129 static struct mbuf_queue ip6send_mq; 130 131 static void ip6_send_dispatch(void *); 132 static struct task ip6send_task = 133 TASK_INITIALIZER(ip6_send_dispatch, &ip6send_mq); 134 135 /* 136 * IP6 initialization: fill in IP6 protocol switch table. 137 * All protocols not implemented in kernel go to raw IP6 protocol handler. 138 */ 139 void 140 ip6_init(void) 141 { 142 const struct protosw *pr; 143 int i; 144 145 pr = pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW); 146 if (pr == NULL) 147 panic("%s", __func__); 148 for (i = 0; i < IPPROTO_MAX; i++) 149 ip6_protox[i] = pr - inet6sw; 150 for (pr = inet6domain.dom_protosw; 151 pr < inet6domain.dom_protoswNPROTOSW; pr++) 152 if (pr->pr_domain->dom_family == PF_INET6 && 153 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW && 154 pr->pr_protocol < IPPROTO_MAX) 155 ip6_protox[pr->pr_protocol] = pr - inet6sw; 156 ip6_randomid_init(); 157 nd6_init(); 158 frag6_init(); 159 160 mq_init(&ip6send_mq, 64, IPL_SOFTNET); 161 162 ip6counters = counters_alloc(ip6s_ncounters); 163 } 164 165 void 166 ipv6_input(struct ifnet *ifp, struct mbuf *m) 167 { 168 int off, nxt; 169 170 off = 0; 171 nxt = ip6_input_if(&m, &off, IPPROTO_IPV6, AF_UNSPEC, ifp); 172 KASSERT(nxt == IPPROTO_DONE); 173 } 174 175 int 176 ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp) 177 { 178 struct mbuf *m = *mp; 179 struct ip6_hdr *ip6; 180 struct sockaddr_in6 sin6; 181 struct rtentry *rt = NULL; 182 int ours = 0; 183 u_int16_t src_scope, dst_scope; 184 #if NPF > 0 185 struct in6_addr odst; 186 #endif 187 int srcrt = 0; 188 189 KASSERT(*offp == 0); 190 191 ip6stat_inc(ip6s_total); 192 193 if (m->m_len < sizeof(struct ip6_hdr)) { 194 if ((m = *mp = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 195 ip6stat_inc(ip6s_toosmall); 196 goto bad; 197 } 198 } 199 200 ip6 = mtod(m, struct ip6_hdr *); 201 202 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 203 ip6stat_inc(ip6s_badvers); 204 goto bad; 205 } 206 207 #if NCARP > 0 208 if (carp_lsdrop(ifp, m, AF_INET6, ip6->ip6_src.s6_addr32, 209 ip6->ip6_dst.s6_addr32, (ip6->ip6_nxt == IPPROTO_ICMPV6 ? 0 : 1))) 210 goto bad; 211 #endif 212 ip6stat_inc(ip6s_nxthist + ip6->ip6_nxt); 213 214 /* 215 * Check against address spoofing/corruption. 216 */ 217 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) || 218 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) { 219 /* 220 * XXX: "badscope" is not very suitable for a multicast source. 221 */ 222 ip6stat_inc(ip6s_badscope); 223 goto bad; 224 } 225 if ((IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) || 226 IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) && 227 (ifp->if_flags & IFF_LOOPBACK) == 0) { 228 ip6stat_inc(ip6s_badscope); 229 goto bad; 230 } 231 /* Drop packets if interface ID portion is already filled. */ 232 if (((IN6_IS_SCOPE_EMBED(&ip6->ip6_src) && ip6->ip6_src.s6_addr16[1]) || 233 (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst) && ip6->ip6_dst.s6_addr16[1])) && 234 (ifp->if_flags & IFF_LOOPBACK) == 0) { 235 ip6stat_inc(ip6s_badscope); 236 goto bad; 237 } 238 if (IN6_IS_ADDR_MC_INTFACELOCAL(&ip6->ip6_dst) && 239 !(m->m_flags & M_LOOP)) { 240 /* 241 * In this case, the packet should come from the loopback 242 * interface. However, we cannot just check the if_flags, 243 * because ip6_mloopback() passes the "actual" interface 244 * as the outgoing/incoming interface. 245 */ 246 ip6stat_inc(ip6s_badscope); 247 goto bad; 248 } 249 250 /* 251 * The following check is not documented in specs. A malicious 252 * party may be able to use IPv4 mapped addr to confuse tcp/udp stack 253 * and bypass security checks (act as if it was from 127.0.0.1 by using 254 * IPv6 src ::ffff:127.0.0.1). Be cautious. 255 * 256 * This check chokes if we are in an SIIT cloud. As none of BSDs 257 * support IPv4-less kernel compilation, we cannot support SIIT 258 * environment at all. So, it makes more sense for us to reject any 259 * malicious packets for non-SIIT environment, than try to do a 260 * partial support for SIIT environment. 261 */ 262 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 263 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 264 ip6stat_inc(ip6s_badscope); 265 goto bad; 266 } 267 268 /* 269 * Reject packets with IPv4 compatible addresses (auto tunnel). 270 * 271 * The code forbids automatic tunneling as per RFC4213. 272 */ 273 if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) || 274 IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { 275 ip6stat_inc(ip6s_badscope); 276 goto bad; 277 } 278 279 /* 280 * If the packet has been received on a loopback interface it 281 * can be destinated to any local address, not necessarily to 282 * an address configured on `ifp'. 283 */ 284 if (ifp->if_flags & IFF_LOOPBACK) { 285 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) { 286 src_scope = ip6->ip6_src.s6_addr16[1]; 287 ip6->ip6_src.s6_addr16[1] = 0; 288 } 289 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) { 290 dst_scope = ip6->ip6_dst.s6_addr16[1]; 291 ip6->ip6_dst.s6_addr16[1] = 0; 292 } 293 } 294 295 #if NPF > 0 296 /* 297 * Packet filter 298 */ 299 odst = ip6->ip6_dst; 300 if (pf_test(AF_INET6, PF_IN, ifp, mp) != PF_PASS) 301 goto bad; 302 m = *mp; 303 if (m == NULL) 304 goto bad; 305 306 ip6 = mtod(m, struct ip6_hdr *); 307 srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); 308 #endif 309 310 /* 311 * Without embedded scope ID we cannot find link-local 312 * addresses in the routing table. 313 */ 314 if (ifp->if_flags & IFF_LOOPBACK) { 315 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) 316 ip6->ip6_src.s6_addr16[1] = src_scope; 317 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) 318 ip6->ip6_dst.s6_addr16[1] = dst_scope; 319 } else { 320 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_src)) 321 ip6->ip6_src.s6_addr16[1] = htons(ifp->if_index); 322 if (IN6_IS_SCOPE_EMBED(&ip6->ip6_dst)) 323 ip6->ip6_dst.s6_addr16[1] = htons(ifp->if_index); 324 } 325 326 /* 327 * Be more secure than RFC5095 and scan for type 0 routing headers. 328 * If pf has already scanned the header chain, do not do it twice. 329 */ 330 if (!(m->m_pkthdr.pf.flags & PF_TAG_PROCESSED) && 331 ip6_check_rh0hdr(m, offp)) { 332 ip6stat_inc(ip6s_badoptions); 333 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, *offp); 334 m = *mp = NULL; 335 goto bad; 336 } 337 338 #if NPF > 0 339 if (pf_ouraddr(m) == 1) { 340 nxt = ip6_ours(mp, offp, nxt, af); 341 goto out; 342 } 343 #endif 344 345 /* 346 * Multicast check 347 */ 348 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 349 /* 350 * Make sure M_MCAST is set. It should theoretically 351 * already be there, but let's play safe because upper 352 * layers check for this flag. 353 */ 354 m->m_flags |= M_MCAST; 355 356 /* 357 * See if we belong to the destination multicast group on the 358 * arrival interface. 359 */ 360 if (in6_hasmulti(&ip6->ip6_dst, ifp)) 361 ours = 1; 362 363 #ifdef MROUTING 364 if (ip6_mforwarding && ip6_mrouter[ifp->if_rdomain]) { 365 int error; 366 367 if (ip6_hbhchcheck(m, offp, &nxt, &ours)) 368 goto out; 369 370 ip6 = mtod(m, struct ip6_hdr *); 371 372 /* 373 * If we are acting as a multicast router, all 374 * incoming multicast packets are passed to the 375 * kernel-level multicast forwarding function. 376 * The packet is returned (relatively) intact; if 377 * ip6_mforward() returns a non-zero value, the packet 378 * must be discarded, else it may be accepted below. 379 */ 380 KERNEL_LOCK(); 381 error = ip6_mforward(ip6, ifp, m); 382 KERNEL_UNLOCK(); 383 if (error) { 384 ip6stat_inc(ip6s_cantforward); 385 goto bad; 386 } 387 388 if (ours) { 389 if (af == AF_UNSPEC) { 390 KERNEL_LOCK(); 391 nxt = ip_deliver(mp, offp, nxt, 392 AF_INET6); 393 KERNEL_UNLOCK(); 394 } 395 goto out; 396 } 397 goto bad; 398 } 399 #endif 400 if (!ours) { 401 ip6stat_inc(ip6s_notmember); 402 if (!IN6_IS_ADDR_MC_LINKLOCAL(&ip6->ip6_dst)) 403 ip6stat_inc(ip6s_cantforward); 404 goto bad; 405 } 406 nxt = ip6_ours(mp, offp, nxt, af); 407 goto out; 408 } 409 410 411 /* 412 * Unicast check 413 */ 414 memset(&sin6, 0, sizeof(struct sockaddr_in6)); 415 sin6.sin6_len = sizeof(struct sockaddr_in6); 416 sin6.sin6_family = AF_INET6; 417 sin6.sin6_addr = ip6->ip6_dst; 418 rt = rtalloc_mpath(sin6tosa(&sin6), &ip6->ip6_src.s6_addr32[0], 419 m->m_pkthdr.ph_rtableid); 420 421 /* 422 * Accept the packet if the route to the destination is marked 423 * as local. 424 */ 425 if (rtisvalid(rt) && ISSET(rt->rt_flags, RTF_LOCAL)) { 426 struct in6_ifaddr *ia6 = ifatoia6(rt->rt_ifa); 427 428 if (ip6_forwarding == 0 && rt->rt_ifidx != ifp->if_index && 429 !((ifp->if_flags & IFF_LOOPBACK) || 430 (ifp->if_type == IFT_ENC) || 431 (m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST))) { 432 /* received on wrong interface */ 433 #if NCARP > 0 434 struct ifnet *out_if; 435 436 /* 437 * Virtual IPs on carp interfaces need to be checked 438 * also against the parent interface and other carp 439 * interfaces sharing the same parent. 440 */ 441 out_if = if_get(rt->rt_ifidx); 442 if (!(out_if && carp_strict_addr_chk(out_if, ifp))) { 443 ip6stat_inc(ip6s_wrongif); 444 if_put(out_if); 445 goto bad; 446 } 447 if_put(out_if); 448 #else 449 ip6stat_inc(ip6s_wrongif); 450 goto bad; 451 #endif 452 } 453 /* 454 * packets to a tentative, duplicated, or somehow invalid 455 * address must not be accepted. 456 */ 457 if ((ia6->ia6_flags & (IN6_IFF_TENTATIVE|IN6_IFF_DUPLICATED))) { 458 char src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN]; 459 460 inet_ntop(AF_INET6, &ip6->ip6_src, src, sizeof(src)); 461 inet_ntop(AF_INET6, &ip6->ip6_dst, dst, sizeof(dst)); 462 /* address is not ready, so discard the packet. */ 463 nd6log((LOG_INFO, 464 "%s: packet to an unready address %s->%s\n", 465 __func__, src, dst)); 466 467 goto bad; 468 } else { 469 nxt = ip6_ours(mp, offp, nxt, af); 470 goto out; 471 } 472 } 473 474 #if NCARP > 0 475 if (ip6->ip6_nxt == IPPROTO_ICMPV6 && 476 carp_lsdrop(ifp, m, AF_INET6, ip6->ip6_src.s6_addr32, 477 ip6->ip6_dst.s6_addr32, 1)) 478 goto bad; 479 #endif 480 /* 481 * Now there is no reason to process the packet if it's not our own 482 * and we're not a router. 483 */ 484 if (!ip6_forwarding) { 485 ip6stat_inc(ip6s_cantforward); 486 goto bad; 487 } 488 489 if (ip6_hbhchcheck(m, offp, &nxt, &ours)) 490 goto out; 491 492 if (ours) { 493 if (af == AF_UNSPEC) { 494 KERNEL_LOCK(); 495 nxt = ip_deliver(mp, offp, nxt, AF_INET6); 496 KERNEL_UNLOCK(); 497 } 498 goto out; 499 } 500 501 #ifdef IPSEC 502 if (ipsec_in_use) { 503 int rv; 504 505 rv = ipsec_forward_check(m, *offp, AF_INET6); 506 if (rv != 0) { 507 ip6stat_inc(ip6s_cantforward); 508 goto bad; 509 } 510 /* 511 * Fall through, forward packet. Outbound IPsec policy 512 * checking will occur in ip6_forward(). 513 */ 514 } 515 #endif /* IPSEC */ 516 517 ip6_forward(m, rt, srcrt); 518 *mp = NULL; 519 return IPPROTO_DONE; 520 bad: 521 nxt = IPPROTO_DONE; 522 m_freemp(mp); 523 out: 524 rtfree(rt); 525 return nxt; 526 } 527 528 int 529 ip6_ours(struct mbuf **mp, int *offp, int nxt, int af) 530 { 531 if (ip6_hbhchcheck(*mp, offp, &nxt, NULL)) 532 return IPPROTO_DONE; 533 534 /* Check wheter we are already in a IPv4/IPv6 local deliver loop. */ 535 if (af == AF_UNSPEC) 536 nxt = ip_deliver(mp, offp, nxt, AF_INET6); 537 return nxt; 538 } 539 540 int 541 ip6_hbhchcheck(struct mbuf *m, int *offp, int *nxtp, int *oursp) 542 { 543 struct ip6_hdr *ip6; 544 u_int32_t plen, rtalert = ~0; 545 546 ip6 = mtod(m, struct ip6_hdr *); 547 548 /* 549 * Process Hop-by-Hop options header if it's contained. 550 * m may be modified in ip6_hopopts_input(). 551 * If a JumboPayload option is included, plen will also be modified. 552 */ 553 plen = (u_int32_t)ntohs(ip6->ip6_plen); 554 *offp = sizeof(struct ip6_hdr); 555 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 556 struct ip6_hbh *hbh; 557 558 if (ip6_hopopts_input(&plen, &rtalert, &m, offp)) { 559 goto bad; /* m have already been freed */ 560 } 561 562 /* adjust pointer */ 563 ip6 = mtod(m, struct ip6_hdr *); 564 565 /* 566 * if the payload length field is 0 and the next header field 567 * indicates Hop-by-Hop Options header, then a Jumbo Payload 568 * option MUST be included. 569 */ 570 if (ip6->ip6_plen == 0 && plen == 0) { 571 /* 572 * Note that if a valid jumbo payload option is 573 * contained, ip6_hopopts_input() must set a valid 574 * (non-zero) payload length to the variable plen. 575 */ 576 ip6stat_inc(ip6s_badoptions); 577 icmp6_error(m, ICMP6_PARAM_PROB, 578 ICMP6_PARAMPROB_HEADER, 579 (caddr_t)&ip6->ip6_plen - (caddr_t)ip6); 580 goto bad; 581 } 582 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 583 sizeof(struct ip6_hbh)); 584 if (hbh == NULL) { 585 ip6stat_inc(ip6s_tooshort); 586 goto bad; 587 } 588 *nxtp = hbh->ip6h_nxt; 589 590 /* 591 * accept the packet if a router alert option is included 592 * and we act as an IPv6 router. 593 */ 594 if (rtalert != ~0 && ip6_forwarding && oursp != NULL) 595 *oursp = 1; 596 } else 597 *nxtp = ip6->ip6_nxt; 598 599 /* 600 * Check that the amount of data in the buffers 601 * is as at least much as the IPv6 header would have us expect. 602 * Trim mbufs if longer than we expect. 603 * Drop packet if shorter than we expect. 604 */ 605 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) { 606 ip6stat_inc(ip6s_tooshort); 607 m_freem(m); 608 goto bad; 609 } 610 if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) { 611 if (m->m_len == m->m_pkthdr.len) { 612 m->m_len = sizeof(struct ip6_hdr) + plen; 613 m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen; 614 } else { 615 m_adj(m, 616 sizeof(struct ip6_hdr) + plen - m->m_pkthdr.len); 617 } 618 } 619 620 return (0); 621 622 bad: 623 *nxtp = IPPROTO_DONE; 624 return (-1); 625 } 626 627 /* scan packet for RH0 routing header. Mostly stolen from pf.c:pf_test() */ 628 int 629 ip6_check_rh0hdr(struct mbuf *m, int *offp) 630 { 631 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 632 struct ip6_rthdr rthdr; 633 struct ip6_ext opt6; 634 u_int8_t proto = ip6->ip6_nxt; 635 int done = 0, lim, off, rh_cnt = 0; 636 637 off = ((caddr_t)ip6 - m->m_data) + sizeof(struct ip6_hdr); 638 lim = min(m->m_pkthdr.len, ntohs(ip6->ip6_plen) + sizeof(*ip6)); 639 do { 640 switch (proto) { 641 case IPPROTO_ROUTING: 642 *offp = off; 643 if (rh_cnt++) { 644 /* more than one rh header present */ 645 return (1); 646 } 647 648 if (off + sizeof(rthdr) > lim) { 649 /* packet to short to make sense */ 650 return (1); 651 } 652 653 m_copydata(m, off, sizeof(rthdr), (caddr_t)&rthdr); 654 655 if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) { 656 *offp += offsetof(struct ip6_rthdr, ip6r_type); 657 return (1); 658 } 659 660 off += (rthdr.ip6r_len + 1) * 8; 661 proto = rthdr.ip6r_nxt; 662 break; 663 case IPPROTO_AH: 664 case IPPROTO_HOPOPTS: 665 case IPPROTO_DSTOPTS: 666 /* get next header and header length */ 667 if (off + sizeof(opt6) > lim) { 668 /* 669 * Packet to short to make sense, we could 670 * reject the packet but as a router we 671 * should not do that so forward it. 672 */ 673 return (0); 674 } 675 676 m_copydata(m, off, sizeof(opt6), (caddr_t)&opt6); 677 678 if (proto == IPPROTO_AH) 679 off += (opt6.ip6e_len + 2) * 4; 680 else 681 off += (opt6.ip6e_len + 1) * 8; 682 proto = opt6.ip6e_nxt; 683 break; 684 case IPPROTO_FRAGMENT: 685 default: 686 /* end of header stack */ 687 done = 1; 688 break; 689 } 690 } while (!done); 691 692 return (0); 693 } 694 695 /* 696 * Hop-by-Hop options header processing. If a valid jumbo payload option is 697 * included, the real payload length will be stored in plenp. 698 * 699 * rtalertp - XXX: should be stored in a more smart way 700 */ 701 int 702 ip6_hopopts_input(u_int32_t *plenp, u_int32_t *rtalertp, struct mbuf **mp, 703 int *offp) 704 { 705 struct mbuf *m = *mp; 706 int off = *offp, hbhlen; 707 struct ip6_hbh *hbh; 708 709 /* validation of the length of the header */ 710 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, 711 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh)); 712 if (hbh == NULL) { 713 ip6stat_inc(ip6s_tooshort); 714 return -1; 715 } 716 hbhlen = (hbh->ip6h_len + 1) << 3; 717 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 718 hbhlen); 719 if (hbh == NULL) { 720 ip6stat_inc(ip6s_tooshort); 721 return -1; 722 } 723 off += hbhlen; 724 hbhlen -= sizeof(struct ip6_hbh); 725 726 if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh), 727 hbhlen, rtalertp, plenp) < 0) 728 return (-1); 729 730 *offp = off; 731 *mp = m; 732 return (0); 733 } 734 735 /* 736 * Search header for all Hop-by-hop options and process each option. 737 * This function is separate from ip6_hopopts_input() in order to 738 * handle a case where the sending node itself process its hop-by-hop 739 * options header. In such a case, the function is called from ip6_output(). 740 * 741 * The function assumes that hbh header is located right after the IPv6 header 742 * (RFC2460 p7), opthead is pointer into data content in m, and opthead to 743 * opthead + hbhlen is located in continuous memory region. 744 */ 745 int 746 ip6_process_hopopts(struct mbuf *m, u_int8_t *opthead, int hbhlen, 747 u_int32_t *rtalertp, u_int32_t *plenp) 748 { 749 struct ip6_hdr *ip6; 750 int optlen = 0; 751 u_int8_t *opt = opthead; 752 u_int16_t rtalert_val; 753 u_int32_t jumboplen; 754 const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh); 755 756 for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) { 757 switch (*opt) { 758 case IP6OPT_PAD1: 759 optlen = 1; 760 break; 761 case IP6OPT_PADN: 762 if (hbhlen < IP6OPT_MINLEN) { 763 ip6stat_inc(ip6s_toosmall); 764 goto bad; 765 } 766 optlen = *(opt + 1) + 2; 767 break; 768 case IP6OPT_ROUTER_ALERT: 769 /* XXX may need check for alignment */ 770 if (hbhlen < IP6OPT_RTALERT_LEN) { 771 ip6stat_inc(ip6s_toosmall); 772 goto bad; 773 } 774 if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) { 775 /* XXX stat */ 776 icmp6_error(m, ICMP6_PARAM_PROB, 777 ICMP6_PARAMPROB_HEADER, 778 erroff + opt + 1 - opthead); 779 return (-1); 780 } 781 optlen = IP6OPT_RTALERT_LEN; 782 memcpy((caddr_t)&rtalert_val, (caddr_t)(opt + 2), 2); 783 *rtalertp = ntohs(rtalert_val); 784 break; 785 case IP6OPT_JUMBO: 786 /* XXX may need check for alignment */ 787 if (hbhlen < IP6OPT_JUMBO_LEN) { 788 ip6stat_inc(ip6s_toosmall); 789 goto bad; 790 } 791 if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) { 792 /* XXX stat */ 793 icmp6_error(m, ICMP6_PARAM_PROB, 794 ICMP6_PARAMPROB_HEADER, 795 erroff + opt + 1 - opthead); 796 return (-1); 797 } 798 optlen = IP6OPT_JUMBO_LEN; 799 800 /* 801 * IPv6 packets that have non 0 payload length 802 * must not contain a jumbo payload option. 803 */ 804 ip6 = mtod(m, struct ip6_hdr *); 805 if (ip6->ip6_plen) { 806 ip6stat_inc(ip6s_badoptions); 807 icmp6_error(m, ICMP6_PARAM_PROB, 808 ICMP6_PARAMPROB_HEADER, 809 erroff + opt - opthead); 810 return (-1); 811 } 812 813 /* 814 * We may see jumbolen in unaligned location, so 815 * we'd need to perform memcpy(). 816 */ 817 memcpy(&jumboplen, opt + 2, sizeof(jumboplen)); 818 jumboplen = (u_int32_t)htonl(jumboplen); 819 820 #if 1 821 /* 822 * if there are multiple jumbo payload options, 823 * *plenp will be non-zero and the packet will be 824 * rejected. 825 * the behavior may need some debate in ipngwg - 826 * multiple options does not make sense, however, 827 * there's no explicit mention in specification. 828 */ 829 if (*plenp != 0) { 830 ip6stat_inc(ip6s_badoptions); 831 icmp6_error(m, ICMP6_PARAM_PROB, 832 ICMP6_PARAMPROB_HEADER, 833 erroff + opt + 2 - opthead); 834 return (-1); 835 } 836 #endif 837 838 /* 839 * jumbo payload length must be larger than 65535. 840 */ 841 if (jumboplen <= IPV6_MAXPACKET) { 842 ip6stat_inc(ip6s_badoptions); 843 icmp6_error(m, ICMP6_PARAM_PROB, 844 ICMP6_PARAMPROB_HEADER, 845 erroff + opt + 2 - opthead); 846 return (-1); 847 } 848 *plenp = jumboplen; 849 850 break; 851 default: /* unknown option */ 852 if (hbhlen < IP6OPT_MINLEN) { 853 ip6stat_inc(ip6s_toosmall); 854 goto bad; 855 } 856 optlen = ip6_unknown_opt(opt, m, 857 erroff + opt - opthead); 858 if (optlen == -1) 859 return (-1); 860 optlen += 2; 861 break; 862 } 863 } 864 865 return (0); 866 867 bad: 868 m_freem(m); 869 return (-1); 870 } 871 872 /* 873 * Unknown option processing. 874 * The third argument `off' is the offset from the IPv6 header to the option, 875 * which allows returning an ICMPv6 error even if the IPv6 header and the 876 * option header are not continuous. 877 */ 878 int 879 ip6_unknown_opt(u_int8_t *optp, struct mbuf *m, int off) 880 { 881 struct ip6_hdr *ip6; 882 883 switch (IP6OPT_TYPE(*optp)) { 884 case IP6OPT_TYPE_SKIP: /* ignore the option */ 885 return ((int)*(optp + 1)); 886 case IP6OPT_TYPE_DISCARD: /* silently discard */ 887 m_freem(m); 888 return (-1); 889 case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */ 890 ip6stat_inc(ip6s_badoptions); 891 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off); 892 return (-1); 893 case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */ 894 ip6stat_inc(ip6s_badoptions); 895 ip6 = mtod(m, struct ip6_hdr *); 896 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) || 897 (m->m_flags & (M_BCAST|M_MCAST))) 898 m_freem(m); 899 else 900 icmp6_error(m, ICMP6_PARAM_PROB, 901 ICMP6_PARAMPROB_OPTION, off); 902 return (-1); 903 } 904 905 m_freem(m); /* XXX: NOTREACHED */ 906 return (-1); 907 } 908 909 /* 910 * Create the "control" list for this pcb. 911 * 912 * The routine will be called from upper layer handlers like udp_input(). 913 * Thus the routine assumes that the caller (udp_input) have already 914 * called IP6_EXTHDR_CHECK() and all the extension headers are located in the 915 * very first mbuf on the mbuf chain. 916 * We may want to add some infinite loop prevention or sanity checks for safety. 917 * (This applies only when you are using KAME mbuf chain restriction, i.e. 918 * you are using IP6_EXTHDR_CHECK() not m_pulldown()) 919 */ 920 void 921 ip6_savecontrol(struct inpcb *in6p, struct mbuf *m, struct mbuf **mp) 922 { 923 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 924 925 if (in6p->inp_socket->so_options & SO_TIMESTAMP) { 926 struct timeval tv; 927 928 m_microtime(m, &tv); 929 *mp = sbcreatecontrol((caddr_t) &tv, sizeof(tv), 930 SCM_TIMESTAMP, SOL_SOCKET); 931 if (*mp) 932 mp = &(*mp)->m_next; 933 } 934 935 /* RFC 2292 sec. 5 */ 936 if ((in6p->inp_flags & IN6P_PKTINFO) != 0) { 937 struct in6_pktinfo pi6; 938 memcpy(&pi6.ipi6_addr, &ip6->ip6_dst, sizeof(struct in6_addr)); 939 if (IN6_IS_SCOPE_EMBED(&pi6.ipi6_addr)) 940 pi6.ipi6_addr.s6_addr16[1] = 0; 941 pi6.ipi6_ifindex = m ? m->m_pkthdr.ph_ifidx : 0; 942 *mp = sbcreatecontrol((caddr_t) &pi6, 943 sizeof(struct in6_pktinfo), 944 IPV6_PKTINFO, IPPROTO_IPV6); 945 if (*mp) 946 mp = &(*mp)->m_next; 947 } 948 949 if ((in6p->inp_flags & IN6P_HOPLIMIT) != 0) { 950 int hlim = ip6->ip6_hlim & 0xff; 951 *mp = sbcreatecontrol((caddr_t) &hlim, sizeof(int), 952 IPV6_HOPLIMIT, IPPROTO_IPV6); 953 if (*mp) 954 mp = &(*mp)->m_next; 955 } 956 957 if ((in6p->inp_flags & IN6P_TCLASS) != 0) { 958 u_int32_t flowinfo; 959 int tclass; 960 961 flowinfo = (u_int32_t)ntohl(ip6->ip6_flow & IPV6_FLOWINFO_MASK); 962 flowinfo >>= 20; 963 964 tclass = flowinfo & 0xff; 965 *mp = sbcreatecontrol((caddr_t)&tclass, sizeof(tclass), 966 IPV6_TCLASS, IPPROTO_IPV6); 967 if (*mp) 968 mp = &(*mp)->m_next; 969 } 970 971 /* 972 * IPV6_HOPOPTS socket option. Recall that we required super-user 973 * privilege for the option (see ip6_ctloutput), but it might be too 974 * strict, since there might be some hop-by-hop options which can be 975 * returned to normal user. 976 * See also RFC 2292 section 6 (or RFC 3542 section 8). 977 */ 978 if ((in6p->inp_flags & IN6P_HOPOPTS) != 0) { 979 /* 980 * Check if a hop-by-hop options header is contained in the 981 * received packet, and if so, store the options as ancillary 982 * data. Note that a hop-by-hop options header must be 983 * just after the IPv6 header, which is assured through the 984 * IPv6 input processing. 985 */ 986 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 987 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 988 struct ip6_hbh *hbh; 989 int hbhlen = 0; 990 struct mbuf *ext; 991 992 ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr), 993 ip6->ip6_nxt); 994 if (ext == NULL) { 995 ip6stat_inc(ip6s_tooshort); 996 return; 997 } 998 hbh = mtod(ext, struct ip6_hbh *); 999 hbhlen = (hbh->ip6h_len + 1) << 3; 1000 if (hbhlen != ext->m_len) { 1001 m_freem(ext); 1002 ip6stat_inc(ip6s_tooshort); 1003 return; 1004 } 1005 1006 /* 1007 * XXX: We copy the whole header even if a 1008 * jumbo payload option is included, the option which 1009 * is to be removed before returning according to 1010 * RFC2292. 1011 * Note: this constraint is removed in RFC3542. 1012 */ 1013 *mp = sbcreatecontrol((caddr_t)hbh, hbhlen, 1014 IPV6_HOPOPTS, 1015 IPPROTO_IPV6); 1016 if (*mp) 1017 mp = &(*mp)->m_next; 1018 m_freem(ext); 1019 } 1020 } 1021 1022 /* IPV6_DSTOPTS and IPV6_RTHDR socket options */ 1023 if ((in6p->inp_flags & (IN6P_RTHDR | IN6P_DSTOPTS)) != 0) { 1024 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1025 int nxt = ip6->ip6_nxt, off = sizeof(struct ip6_hdr); 1026 1027 /* 1028 * Search for destination options headers or routing 1029 * header(s) through the header chain, and stores each 1030 * header as ancillary data. 1031 * Note that the order of the headers remains in 1032 * the chain of ancillary data. 1033 */ 1034 while (1) { /* is explicit loop prevention necessary? */ 1035 struct ip6_ext *ip6e = NULL; 1036 int elen; 1037 struct mbuf *ext = NULL; 1038 1039 /* 1040 * if it is not an extension header, don't try to 1041 * pull it from the chain. 1042 */ 1043 switch (nxt) { 1044 case IPPROTO_DSTOPTS: 1045 case IPPROTO_ROUTING: 1046 case IPPROTO_HOPOPTS: 1047 case IPPROTO_AH: /* is it possible? */ 1048 break; 1049 default: 1050 goto loopend; 1051 } 1052 1053 ext = ip6_pullexthdr(m, off, nxt); 1054 if (ext == NULL) { 1055 ip6stat_inc(ip6s_tooshort); 1056 return; 1057 } 1058 ip6e = mtod(ext, struct ip6_ext *); 1059 if (nxt == IPPROTO_AH) 1060 elen = (ip6e->ip6e_len + 2) << 2; 1061 else 1062 elen = (ip6e->ip6e_len + 1) << 3; 1063 if (elen != ext->m_len) { 1064 m_freem(ext); 1065 ip6stat_inc(ip6s_tooshort); 1066 return; 1067 } 1068 1069 switch (nxt) { 1070 case IPPROTO_DSTOPTS: 1071 if (!(in6p->inp_flags & IN6P_DSTOPTS)) 1072 break; 1073 1074 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1075 IPV6_DSTOPTS, 1076 IPPROTO_IPV6); 1077 if (*mp) 1078 mp = &(*mp)->m_next; 1079 break; 1080 1081 case IPPROTO_ROUTING: 1082 if (!(in6p->inp_flags & IN6P_RTHDR)) 1083 break; 1084 1085 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1086 IPV6_RTHDR, 1087 IPPROTO_IPV6); 1088 if (*mp) 1089 mp = &(*mp)->m_next; 1090 break; 1091 1092 case IPPROTO_HOPOPTS: 1093 case IPPROTO_AH: /* is it possible? */ 1094 break; 1095 1096 default: 1097 /* 1098 * other cases have been filtered in the above. 1099 * none will visit this case. here we supply 1100 * the code just in case (nxt overwritten or 1101 * other cases). 1102 */ 1103 m_freem(ext); 1104 goto loopend; 1105 1106 } 1107 1108 /* proceed with the next header. */ 1109 off += elen; 1110 nxt = ip6e->ip6e_nxt; 1111 ip6e = NULL; 1112 m_freem(ext); 1113 ext = NULL; 1114 } 1115 loopend: 1116 ; 1117 } 1118 } 1119 1120 /* 1121 * pull single extension header from mbuf chain. returns single mbuf that 1122 * contains the result, or NULL on error. 1123 */ 1124 struct mbuf * 1125 ip6_pullexthdr(struct mbuf *m, size_t off, int nxt) 1126 { 1127 struct ip6_ext ip6e; 1128 size_t elen; 1129 struct mbuf *n; 1130 1131 #ifdef DIAGNOSTIC 1132 switch (nxt) { 1133 case IPPROTO_DSTOPTS: 1134 case IPPROTO_ROUTING: 1135 case IPPROTO_HOPOPTS: 1136 case IPPROTO_AH: /* is it possible? */ 1137 break; 1138 default: 1139 printf("ip6_pullexthdr: invalid nxt=%d\n", nxt); 1140 } 1141 #endif 1142 1143 if (off + sizeof(ip6e) > m->m_pkthdr.len) 1144 return NULL; 1145 1146 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1147 if (nxt == IPPROTO_AH) 1148 elen = (ip6e.ip6e_len + 2) << 2; 1149 else 1150 elen = (ip6e.ip6e_len + 1) << 3; 1151 1152 if (off + elen > m->m_pkthdr.len) 1153 return NULL; 1154 1155 MGET(n, M_DONTWAIT, MT_DATA); 1156 if (n && elen >= MLEN) { 1157 MCLGET(n, M_DONTWAIT); 1158 if ((n->m_flags & M_EXT) == 0) { 1159 m_free(n); 1160 n = NULL; 1161 } 1162 } 1163 if (!n) 1164 return NULL; 1165 1166 n->m_len = 0; 1167 if (elen >= m_trailingspace(n)) { 1168 m_free(n); 1169 return NULL; 1170 } 1171 1172 m_copydata(m, off, elen, mtod(n, caddr_t)); 1173 n->m_len = elen; 1174 return n; 1175 } 1176 1177 /* 1178 * Get offset to the previous header followed by the header 1179 * currently processed. 1180 */ 1181 int 1182 ip6_get_prevhdr(struct mbuf *m, int off) 1183 { 1184 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1185 1186 if (off == sizeof(struct ip6_hdr)) { 1187 return offsetof(struct ip6_hdr, ip6_nxt); 1188 } else if (off < sizeof(struct ip6_hdr)) { 1189 panic("%s: off < sizeof(struct ip6_hdr)", __func__); 1190 } else { 1191 int len, nlen, nxt; 1192 struct ip6_ext ip6e; 1193 1194 nxt = ip6->ip6_nxt; 1195 len = sizeof(struct ip6_hdr); 1196 nlen = 0; 1197 while (len < off) { 1198 m_copydata(m, len, sizeof(ip6e), (caddr_t)&ip6e); 1199 1200 switch (nxt) { 1201 case IPPROTO_FRAGMENT: 1202 nlen = sizeof(struct ip6_frag); 1203 break; 1204 case IPPROTO_AH: 1205 nlen = (ip6e.ip6e_len + 2) << 2; 1206 break; 1207 default: 1208 nlen = (ip6e.ip6e_len + 1) << 3; 1209 break; 1210 } 1211 len += nlen; 1212 nxt = ip6e.ip6e_nxt; 1213 } 1214 1215 return (len - nlen); 1216 } 1217 } 1218 1219 /* 1220 * get next header offset. m will be retained. 1221 */ 1222 int 1223 ip6_nexthdr(struct mbuf *m, int off, int proto, int *nxtp) 1224 { 1225 struct ip6_hdr ip6; 1226 struct ip6_ext ip6e; 1227 struct ip6_frag fh; 1228 1229 /* just in case */ 1230 if (m == NULL) 1231 panic("%s: m == NULL", __func__); 1232 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off) 1233 return -1; 1234 1235 switch (proto) { 1236 case IPPROTO_IPV6: 1237 if (m->m_pkthdr.len < off + sizeof(ip6)) 1238 return -1; 1239 m_copydata(m, off, sizeof(ip6), (caddr_t)&ip6); 1240 if (nxtp) 1241 *nxtp = ip6.ip6_nxt; 1242 off += sizeof(ip6); 1243 return off; 1244 1245 case IPPROTO_FRAGMENT: 1246 /* 1247 * terminate parsing if it is not the first fragment, 1248 * it does not make sense to parse through it. 1249 */ 1250 if (m->m_pkthdr.len < off + sizeof(fh)) 1251 return -1; 1252 m_copydata(m, off, sizeof(fh), (caddr_t)&fh); 1253 if ((fh.ip6f_offlg & IP6F_OFF_MASK) != 0) 1254 return -1; 1255 if (nxtp) 1256 *nxtp = fh.ip6f_nxt; 1257 off += sizeof(struct ip6_frag); 1258 return off; 1259 1260 case IPPROTO_AH: 1261 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1262 return -1; 1263 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1264 if (nxtp) 1265 *nxtp = ip6e.ip6e_nxt; 1266 off += (ip6e.ip6e_len + 2) << 2; 1267 if (m->m_pkthdr.len < off) 1268 return -1; 1269 return off; 1270 1271 case IPPROTO_HOPOPTS: 1272 case IPPROTO_ROUTING: 1273 case IPPROTO_DSTOPTS: 1274 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1275 return -1; 1276 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1277 if (nxtp) 1278 *nxtp = ip6e.ip6e_nxt; 1279 off += (ip6e.ip6e_len + 1) << 3; 1280 if (m->m_pkthdr.len < off) 1281 return -1; 1282 return off; 1283 1284 case IPPROTO_NONE: 1285 case IPPROTO_ESP: 1286 case IPPROTO_IPCOMP: 1287 /* give up */ 1288 return -1; 1289 1290 default: 1291 return -1; 1292 } 1293 1294 return -1; 1295 } 1296 1297 /* 1298 * get offset for the last header in the chain. m will be kept untainted. 1299 */ 1300 int 1301 ip6_lasthdr(struct mbuf *m, int off, int proto, int *nxtp) 1302 { 1303 int newoff; 1304 int nxt; 1305 1306 if (!nxtp) { 1307 nxt = -1; 1308 nxtp = &nxt; 1309 } 1310 while (1) { 1311 newoff = ip6_nexthdr(m, off, proto, nxtp); 1312 if (newoff < 0) 1313 return off; 1314 else if (newoff < off) 1315 return -1; /* invalid */ 1316 else if (newoff == off) 1317 return newoff; 1318 1319 off = newoff; 1320 proto = *nxtp; 1321 } 1322 } 1323 1324 /* 1325 * System control for IP6 1326 */ 1327 1328 const u_char inet6ctlerrmap[PRC_NCMDS] = { 1329 0, 0, 0, 0, 1330 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH, 1331 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, 1332 EMSGSIZE, EHOSTUNREACH, 0, 0, 1333 0, 0, 0, 0, 1334 ENOPROTOOPT 1335 }; 1336 1337 #ifdef MROUTING 1338 extern int ip6_mrtproto; 1339 #endif 1340 1341 const struct sysctl_bounded_args ipv6ctl_vars[] = { 1342 { IPV6CTL_DAD_PENDING, &ip6_dad_pending, 1, 0 }, 1343 #ifdef MROUTING 1344 { IPV6CTL_MRTPROTO, &ip6_mrtproto, 1, 0 }, 1345 #endif 1346 { IPV6CTL_FORWARDING, &ip6_forwarding, 0, 1 }, 1347 { IPV6CTL_SENDREDIRECTS, &ip6_sendredirects, 0, 1 }, 1348 { IPV6CTL_DEFHLIM, &ip6_defhlim, 0, 255 }, 1349 { IPV6CTL_MAXFRAGPACKETS, &ip6_maxfragpackets, 0, 1000 }, 1350 { IPV6CTL_LOG_INTERVAL, &ip6_log_interval, 0, INT_MAX }, 1351 { IPV6CTL_HDRNESTLIMIT, &ip6_hdrnestlimit, 0, 100 }, 1352 { IPV6CTL_DAD_COUNT, &ip6_dad_count, 0, 10 }, 1353 { IPV6CTL_AUTO_FLOWLABEL, &ip6_auto_flowlabel, 0, 1 }, 1354 { IPV6CTL_DEFMCASTHLIM, &ip6_defmcasthlim, 0, 255 }, 1355 { IPV6CTL_USE_DEPRECATED, &ip6_use_deprecated, 0, 1 }, 1356 { IPV6CTL_MAXFRAGS, &ip6_maxfrags, 0, 1000 }, 1357 { IPV6CTL_MFORWARDING, &ip6_mforwarding, 0, 1 }, 1358 { IPV6CTL_MULTIPATH, &ip6_multipath, 0, 1 }, 1359 { IPV6CTL_MCAST_PMTU, &ip6_mcast_pmtu, 0, 1 }, 1360 { IPV6CTL_NEIGHBORGCTHRESH, &ip6_neighborgcthresh, -1, 5 * 2048 }, 1361 { IPV6CTL_MAXDYNROUTES, &ip6_maxdynroutes, -1, 5 * 4096 }, 1362 }; 1363 1364 int 1365 ip6_sysctl_ip6stat(void *oldp, size_t *oldlenp, void *newp) 1366 { 1367 struct ip6stat *ip6stat; 1368 int ret; 1369 1370 CTASSERT(sizeof(*ip6stat) == (ip6s_ncounters * sizeof(uint64_t))); 1371 1372 ip6stat = malloc(sizeof(*ip6stat), M_TEMP, M_WAITOK); 1373 counters_read(ip6counters, (uint64_t *)ip6stat, ip6s_ncounters); 1374 ret = sysctl_rdstruct(oldp, oldlenp, newp, 1375 ip6stat, sizeof(*ip6stat)); 1376 free(ip6stat, M_TEMP, sizeof(*ip6stat)); 1377 1378 return (ret); 1379 } 1380 1381 int 1382 ip6_sysctl_soiikey(void *oldp, size_t *oldlenp, void *newp, size_t newlen) 1383 { 1384 uint8_t oldkey[IP6_SOIIKEY_LEN]; 1385 int error; 1386 1387 error = suser(curproc); 1388 if (error != 0) 1389 return (error); 1390 1391 memcpy(oldkey, ip6_soiikey, sizeof(oldkey)); 1392 1393 error = sysctl_struct(oldp, oldlenp, newp, newlen, ip6_soiikey, 1394 sizeof(ip6_soiikey)); 1395 1396 return (error); 1397 } 1398 1399 int 1400 ip6_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, 1401 void *newp, size_t newlen) 1402 { 1403 #ifdef MROUTING 1404 extern struct mrt6stat mrt6stat; 1405 #endif 1406 int error; 1407 1408 /* Almost all sysctl names at this level are terminal. */ 1409 if (namelen != 1 && name[0] != IPV6CTL_IFQUEUE) 1410 return (ENOTDIR); 1411 1412 switch (name[0]) { 1413 case IPV6CTL_STATS: 1414 return (ip6_sysctl_ip6stat(oldp, oldlenp, newp)); 1415 #ifdef MROUTING 1416 case IPV6CTL_MRTSTATS: 1417 if (newp != NULL) 1418 return (EPERM); 1419 NET_LOCK(); 1420 error = sysctl_struct(oldp, oldlenp, newp, newlen, 1421 &mrt6stat, sizeof(mrt6stat)); 1422 NET_UNLOCK(); 1423 return (error); 1424 case IPV6CTL_MRTMIF: 1425 if (newp) 1426 return (EPERM); 1427 NET_LOCK(); 1428 error = mrt6_sysctl_mif(oldp, oldlenp); 1429 NET_UNLOCK(); 1430 return (error); 1431 case IPV6CTL_MRTMFC: 1432 if (newp) 1433 return (EPERM); 1434 NET_LOCK(); 1435 error = mrt6_sysctl_mfc(oldp, oldlenp); 1436 NET_UNLOCK(); 1437 return (error); 1438 #else 1439 case IPV6CTL_MRTSTATS: 1440 case IPV6CTL_MRTPROTO: 1441 case IPV6CTL_MRTMIF: 1442 case IPV6CTL_MRTMFC: 1443 return (EOPNOTSUPP); 1444 #endif 1445 case IPV6CTL_MTUDISCTIMEOUT: 1446 NET_LOCK(); 1447 error = sysctl_int(oldp, oldlenp, newp, newlen, 1448 &ip6_mtudisc_timeout); 1449 if (icmp6_mtudisc_timeout_q != NULL) 1450 rt_timer_queue_change(icmp6_mtudisc_timeout_q, 1451 ip6_mtudisc_timeout); 1452 NET_UNLOCK(); 1453 return (error); 1454 case IPV6CTL_IFQUEUE: 1455 return (EOPNOTSUPP); 1456 case IPV6CTL_SOIIKEY: 1457 return (ip6_sysctl_soiikey(oldp, oldlenp, newp, newlen)); 1458 default: 1459 NET_LOCK(); 1460 error = sysctl_bounded_arr(ipv6ctl_vars, nitems(ipv6ctl_vars), 1461 name, namelen, oldp, oldlenp, newp, newlen); 1462 NET_UNLOCK(); 1463 return (error); 1464 } 1465 /* NOTREACHED */ 1466 } 1467 1468 void 1469 ip6_send_dispatch(void *xmq) 1470 { 1471 struct mbuf_queue *mq = xmq; 1472 struct mbuf *m; 1473 struct mbuf_list ml; 1474 1475 mq_delist(mq, &ml); 1476 if (ml_empty(&ml)) 1477 return; 1478 1479 NET_LOCK(); 1480 while ((m = ml_dequeue(&ml)) != NULL) { 1481 /* 1482 * To avoid a "too big" situation at an intermediate router and 1483 * the path MTU discovery process, specify the IPV6_MINMTU 1484 * flag. Note that only echo and node information replies are 1485 * affected, since the length of ICMP6 errors is limited to the 1486 * minimum MTU. 1487 */ 1488 ip6_output(m, NULL, NULL, IPV6_MINMTU, NULL, NULL); 1489 } 1490 NET_UNLOCK(); 1491 } 1492 1493 void 1494 ip6_send(struct mbuf *m) 1495 { 1496 mq_enqueue(&ip6send_mq, m); 1497 task_add(net_tq(0), &ip6send_task); 1498 } 1499