1 /* $FreeBSD: src/sys/netinet6/ip6_input.c,v 1.11.2.15 2003/01/24 05:11:35 sam Exp $ */ 2 /* $DragonFly: src/sys/netinet6/ip6_input.c,v 1.38 2008/09/24 14:26:39 sephe Exp $ */ 3 /* $KAME: ip6_input.c,v 1.259 2002/01/21 04:58:09 jinmei Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 /* 35 * Copyright (c) 1982, 1986, 1988, 1993 36 * The Regents of the University of California. All rights reserved. 37 * 38 * Redistribution and use in source and binary forms, with or without 39 * modification, are permitted provided that the following conditions 40 * are met: 41 * 1. Redistributions of source code must retain the above copyright 42 * notice, this list of conditions and the following disclaimer. 43 * 2. Redistributions in binary form must reproduce the above copyright 44 * notice, this list of conditions and the following disclaimer in the 45 * documentation and/or other materials provided with the distribution. 46 * 3. All advertising materials mentioning features or use of this software 47 * must display the following acknowledgement: 48 * This product includes software developed by the University of 49 * California, Berkeley and its contributors. 50 * 4. Neither the name of the University nor the names of its contributors 51 * may be used to endorse or promote products derived from this software 52 * without specific prior written permission. 53 * 54 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 55 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 56 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 57 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 58 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 59 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 60 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 61 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 62 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 63 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 64 * SUCH DAMAGE. 65 * 66 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 67 */ 68 69 #include "opt_ip6fw.h" 70 #include "opt_inet.h" 71 #include "opt_inet6.h" 72 #include "opt_ipsec.h" 73 74 #include <sys/param.h> 75 #include <sys/systm.h> 76 #include <sys/malloc.h> 77 #include <sys/mbuf.h> 78 #include <sys/domain.h> 79 #include <sys/protosw.h> 80 #include <sys/socket.h> 81 #include <sys/socketvar.h> 82 #include <sys/errno.h> 83 #include <sys/time.h> 84 #include <sys/kernel.h> 85 #include <sys/syslog.h> 86 #include <sys/proc.h> 87 88 #include <sys/thread2.h> 89 #include <sys/msgport2.h> 90 91 #include <net/if.h> 92 #include <net/if_types.h> 93 #include <net/if_dl.h> 94 #include <net/route.h> 95 #include <net/netisr.h> 96 #include <net/pfil.h> 97 98 #include <netinet/in.h> 99 #include <netinet/in_systm.h> 100 #ifdef INET 101 #include <netinet/ip.h> 102 #include <netinet/ip_icmp.h> 103 #endif /* INET */ 104 #include <netinet/ip6.h> 105 #include <netinet6/in6_var.h> 106 #include <netinet6/ip6_var.h> 107 #include <netinet/in_pcb.h> 108 #include <netinet/icmp6.h> 109 #include <netinet6/scope6_var.h> 110 #include <netinet6/in6_ifattach.h> 111 #include <netinet6/nd6.h> 112 #include <netinet6/in6_prefix.h> 113 114 #ifdef IPSEC 115 #include <netinet6/ipsec.h> 116 #ifdef INET6 117 #include <netinet6/ipsec6.h> 118 #endif 119 #endif 120 121 #ifdef FAST_IPSEC 122 #include <netproto/ipsec/ipsec.h> 123 #include <netproto/ipsec/ipsec6.h> 124 #define IPSEC 125 #endif /* FAST_IPSEC */ 126 127 #include <net/ip6fw/ip6_fw.h> 128 129 #include <netinet6/ip6protosw.h> 130 131 /* we need it for NLOOP. */ 132 #include "use_loop.h" 133 134 #include <net/net_osdep.h> 135 136 extern struct domain inet6domain; 137 extern struct ip6protosw inet6sw[]; 138 139 u_char ip6_protox[IPPROTO_MAX]; 140 struct in6_ifaddr *in6_ifaddr; 141 142 extern struct callout in6_tmpaddrtimer_ch; 143 144 int ip6_forward_srcrt; /* XXX */ 145 int ip6_sourcecheck; /* XXX */ 146 int ip6_sourcecheck_interval; /* XXX */ 147 148 int ip6_ours_check_algorithm; 149 150 struct pfil_head inet6_pfil_hook; 151 152 /* firewall hooks */ 153 ip6_fw_chk_t *ip6_fw_chk_ptr; 154 ip6_fw_ctl_t *ip6_fw_ctl_ptr; 155 int ip6_fw_enable = 1; 156 157 struct ip6stat ip6stat; 158 159 static void ip6_init2 (void *); 160 static struct ip6aux *ip6_setdstifaddr (struct mbuf *, struct in6_ifaddr *); 161 static int ip6_hopopts_input (u_int32_t *, u_int32_t *, struct mbuf **, int *); 162 static void ip6_input(struct netmsg *msg); 163 #ifdef PULLDOWN_TEST 164 static struct mbuf *ip6_pullexthdr (struct mbuf *, size_t, int); 165 #endif 166 167 /* 168 * IP6 initialization: fill in IP6 protocol switch table. 169 * All protocols not implemented in kernel go to raw IP6 protocol handler. 170 */ 171 void 172 ip6_init(void) 173 { 174 struct ip6protosw *pr; 175 int i; 176 struct timeval tv; 177 178 #ifdef DIAGNOSTIC 179 if (sizeof(struct protosw) != sizeof(struct ip6protosw)) 180 panic("sizeof(protosw) != sizeof(ip6protosw)"); 181 #endif 182 pr = (struct ip6protosw *)pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW); 183 if (pr == 0) 184 panic("ip6_init"); 185 for (i = 0; i < IPPROTO_MAX; i++) 186 ip6_protox[i] = pr - inet6sw; 187 for (pr = (struct ip6protosw *)inet6domain.dom_protosw; 188 pr < (struct ip6protosw *)inet6domain.dom_protoswNPROTOSW; pr++) 189 if (pr->pr_domain->dom_family == PF_INET6 && 190 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) 191 ip6_protox[pr->pr_protocol] = pr - inet6sw; 192 193 inet6_pfil_hook.ph_type = PFIL_TYPE_AF; 194 inet6_pfil_hook.ph_af = AF_INET6; 195 if ((i = pfil_head_register(&inet6_pfil_hook)) != 0) { 196 kprintf("%s: WARNING: unable to register pfil hook, " 197 "error %d\n", __func__, i); 198 } 199 200 netisr_register(NETISR_IPV6, cpu0_portfn, ip6_input, 201 NETISR_FLAG_NOTMPSAFE); 202 scope6_init(); 203 nd6_init(); 204 frag6_init(); 205 /* 206 * in many cases, random() here does NOT return random number 207 * as initialization during bootstrap time occur in fixed order. 208 */ 209 microtime(&tv); 210 ip6_flow_seq = krandom() ^ tv.tv_usec; 211 microtime(&tv); 212 ip6_desync_factor = (krandom() ^ tv.tv_usec) % MAX_TEMP_DESYNC_FACTOR; 213 } 214 215 static void 216 ip6_init2(void *dummy) 217 { 218 /* nd6_timer_init */ 219 callout_init(&nd6_timer_ch); 220 callout_reset(&nd6_timer_ch, hz, nd6_timer, NULL); 221 222 /* router renumbering prefix list maintenance */ 223 callout_init(&in6_rr_timer_ch); 224 callout_reset(&in6_rr_timer_ch, hz, in6_rr_timer, NULL); 225 226 /* timer for regeneranation of temporary addresses randomize ID */ 227 callout_init(&in6_tmpaddrtimer_ch); 228 callout_reset(&in6_tmpaddrtimer_ch, 229 (ip6_temp_preferred_lifetime - ip6_desync_factor - 230 ip6_temp_regen_advance) * hz, 231 in6_tmpaddrtimer, NULL); 232 } 233 234 /* cheat */ 235 /* This must be after route_init(), which is now SI_ORDER_THIRD */ 236 SYSINIT(netinet6init2, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ip6_init2, NULL); 237 238 extern struct route_in6 ip6_forward_rt; 239 240 static 241 void 242 ip6_input(struct netmsg *msg) 243 { 244 struct mbuf *m = ((struct netmsg_packet *)msg)->nm_packet; 245 struct ip6_hdr *ip6; 246 int off = sizeof(struct ip6_hdr), nest; 247 u_int32_t plen; 248 u_int32_t rtalert = ~0; 249 int nxt, ours = 0, rh_present = 0; 250 struct ifnet *deliverifp = NULL; 251 struct in6_addr odst; 252 int srcrt = 0; 253 254 #ifdef IPSEC 255 /* 256 * should the inner packet be considered authentic? 257 * see comment in ah4_input(). 258 */ 259 if (m) { 260 m->m_flags &= ~M_AUTHIPHDR; 261 m->m_flags &= ~M_AUTHIPDGM; 262 } 263 #endif 264 265 /* 266 * make sure we don't have onion peering information into m_aux. 267 */ 268 ip6_delaux(m); 269 270 /* 271 * mbuf statistics 272 */ 273 if (m->m_flags & M_EXT) { 274 if (m->m_next) 275 ip6stat.ip6s_mext2m++; 276 else 277 ip6stat.ip6s_mext1++; 278 } else { 279 #define M2MMAX (sizeof(ip6stat.ip6s_m2m)/sizeof(ip6stat.ip6s_m2m[0])) 280 if (m->m_next) { 281 if (m->m_flags & M_LOOP) { 282 ip6stat.ip6s_m2m[loif[0].if_index]++; /* XXX */ 283 } else if (m->m_pkthdr.rcvif->if_index < M2MMAX) 284 ip6stat.ip6s_m2m[m->m_pkthdr.rcvif->if_index]++; 285 else 286 ip6stat.ip6s_m2m[0]++; 287 } else 288 ip6stat.ip6s_m1++; 289 #undef M2MMAX 290 } 291 292 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_receive); 293 ip6stat.ip6s_total++; 294 295 #ifndef PULLDOWN_TEST 296 /* 297 * L2 bridge code and some other code can return mbuf chain 298 * that does not conform to KAME requirement. too bad. 299 * XXX: fails to join if interface MTU > MCLBYTES. jumbogram? 300 */ 301 if (m && m->m_next != NULL && m->m_pkthdr.len < MCLBYTES) { 302 struct mbuf *n; 303 304 n = m_getb(m->m_pkthdr.len, MB_DONTWAIT, MT_HEADER, M_PKTHDR); 305 if (n == NULL) 306 goto bad; 307 M_MOVE_PKTHDR(n, m); 308 309 m_copydata(m, 0, n->m_pkthdr.len, mtod(n, caddr_t)); 310 n->m_len = n->m_pkthdr.len; 311 m_freem(m); 312 m = n; 313 } 314 IP6_EXTHDR_CHECK_VOIDRET(m, 0, sizeof(struct ip6_hdr)); 315 #endif 316 317 if (m->m_len < sizeof(struct ip6_hdr)) { 318 struct ifnet *inifp; 319 inifp = m->m_pkthdr.rcvif; 320 if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == 0) { 321 ip6stat.ip6s_toosmall++; 322 in6_ifstat_inc(inifp, ifs6_in_hdrerr); 323 goto bad2; 324 } 325 } 326 327 ip6 = mtod(m, struct ip6_hdr *); 328 329 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 330 ip6stat.ip6s_badvers++; 331 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 332 goto bad; 333 } 334 335 /* 336 * Run through list of hooks for input packets. 337 * 338 * NB: Beware of the destination address changing 339 * (e.g. by NAT rewriting). When this happens, 340 * tell ip6_forward to do the right thing. 341 */ 342 if (pfil_has_hooks(&inet6_pfil_hook)) { 343 odst = ip6->ip6_dst; 344 if (pfil_run_hooks(&inet6_pfil_hook, &m, 345 m->m_pkthdr.rcvif, PFIL_IN)) { 346 goto bad2; 347 } 348 if (m == NULL) /* consumed by filter */ 349 goto bad2; 350 ip6 = mtod(m, struct ip6_hdr *); 351 srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); 352 } 353 354 ip6stat.ip6s_nxthist[ip6->ip6_nxt]++; 355 356 #ifdef ALTQ 357 if (altq_input != NULL && (*altq_input)(m, AF_INET6) == 0) { 358 /* packet is dropped by traffic conditioner */ 359 return; 360 } 361 #endif 362 363 /* 364 * Check with the firewall... 365 */ 366 if (ip6_fw_enable && ip6_fw_chk_ptr) { 367 u_short port = 0; 368 /* If ipfw says divert, we have to just drop packet */ 369 /* use port as a dummy argument */ 370 if ((*ip6_fw_chk_ptr)(&ip6, NULL, &port, &m)) { 371 m_freem(m); 372 m = NULL; 373 } 374 if (!m) 375 goto bad2; 376 } 377 378 /* 379 * Check against address spoofing/corruption. 380 */ 381 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) || 382 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) { 383 /* 384 * XXX: "badscope" is not very suitable for a multicast source. 385 */ 386 ip6stat.ip6s_badscope++; 387 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 388 goto bad; 389 } 390 if ((IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) || 391 IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) && 392 (m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) { 393 ip6stat.ip6s_badscope++; 394 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 395 goto bad; 396 } 397 398 /* 399 * The following check is not documented in specs. A malicious 400 * party may be able to use IPv4 mapped addr to confuse tcp/udp stack 401 * and bypass security checks (act as if it was from 127.0.0.1 by using 402 * IPv6 src ::ffff:127.0.0.1). Be cautious. 403 * 404 * This check chokes if we are in an SIIT cloud. As none of BSDs 405 * support IPv4-less kernel compilation, we cannot support SIIT 406 * environment at all. So, it makes more sense for us to reject any 407 * malicious packets for non-SIIT environment, than try to do a 408 * partical support for SIIT environment. 409 */ 410 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 411 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 412 ip6stat.ip6s_badscope++; 413 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 414 goto bad; 415 } 416 #if 0 417 /* 418 * Reject packets with IPv4 compatible addresses (auto tunnel). 419 * 420 * The code forbids auto tunnel relay case in RFC1933 (the check is 421 * stronger than RFC1933). We may want to re-enable it if mech-xx 422 * is revised to forbid relaying case. 423 */ 424 if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) || 425 IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { 426 ip6stat.ip6s_badscope++; 427 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 428 goto bad; 429 } 430 #endif 431 432 /* drop packets if interface ID portion is already filled */ 433 if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) { 434 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src) && 435 ip6->ip6_src.s6_addr16[1]) { 436 ip6stat.ip6s_badscope++; 437 goto bad; 438 } 439 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst) && 440 ip6->ip6_dst.s6_addr16[1]) { 441 ip6stat.ip6s_badscope++; 442 goto bad; 443 } 444 } 445 446 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) 447 ip6->ip6_src.s6_addr16[1] 448 = htons(m->m_pkthdr.rcvif->if_index); 449 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) 450 ip6->ip6_dst.s6_addr16[1] 451 = htons(m->m_pkthdr.rcvif->if_index); 452 453 #if 0 /* this case seems to be unnecessary. (jinmei, 20010401) */ 454 /* 455 * We use rt->rt_ifp to determine if the address is ours or not. 456 * If rt_ifp is lo0, the address is ours. 457 * The problem here is, rt->rt_ifp for fe80::%lo0/64 is set to lo0, 458 * so any address under fe80::%lo0/64 will be mistakenly considered 459 * local. The special case is supplied to handle the case properly 460 * by actually looking at interface addresses 461 * (using in6ifa_ifpwithaddr). 462 */ 463 if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) && 464 IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_dst)) { 465 if (!in6ifa_ifpwithaddr(m->m_pkthdr.rcvif, &ip6->ip6_dst)) { 466 icmp6_error(m, ICMP6_DST_UNREACH, 467 ICMP6_DST_UNREACH_ADDR, 0); 468 /* m is already freed */ 469 goto bad2; 470 } 471 472 ours = 1; 473 deliverifp = m->m_pkthdr.rcvif; 474 goto hbhcheck; 475 } 476 #endif 477 478 /* 479 * Multicast check 480 */ 481 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 482 struct in6_multi *in6m = 0; 483 484 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_mcast); 485 /* 486 * See if we belong to the destination multicast group on the 487 * arrival interface. 488 */ 489 IN6_LOOKUP_MULTI(ip6->ip6_dst, m->m_pkthdr.rcvif, in6m); 490 if (in6m) 491 ours = 1; 492 else if (!ip6_mrouter) { 493 ip6stat.ip6s_notmember++; 494 ip6stat.ip6s_cantforward++; 495 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 496 goto bad; 497 } 498 deliverifp = m->m_pkthdr.rcvif; 499 goto hbhcheck; 500 } 501 502 /* 503 * Unicast check 504 */ 505 switch (ip6_ours_check_algorithm) { 506 default: 507 /* 508 * XXX: I intentionally broke our indentation rule here, 509 * since this switch-case is just for measurement and 510 * therefore should soon be removed. 511 */ 512 if (ip6_forward_rt.ro_rt != NULL && 513 (ip6_forward_rt.ro_rt->rt_flags & RTF_UP) && 514 IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, 515 &((struct sockaddr_in6 *)(&ip6_forward_rt.ro_dst))->sin6_addr)) 516 ip6stat.ip6s_forward_cachehit++; 517 else { 518 struct sockaddr_in6 *dst6; 519 520 if (ip6_forward_rt.ro_rt) { 521 /* route is down or destination is different */ 522 ip6stat.ip6s_forward_cachemiss++; 523 RTFREE(ip6_forward_rt.ro_rt); 524 ip6_forward_rt.ro_rt = 0; 525 } 526 527 bzero(&ip6_forward_rt.ro_dst, sizeof(struct sockaddr_in6)); 528 dst6 = &ip6_forward_rt.ro_dst; 529 dst6->sin6_len = sizeof(struct sockaddr_in6); 530 dst6->sin6_family = AF_INET6; 531 dst6->sin6_addr = ip6->ip6_dst; 532 533 rtalloc_ign((struct route *)&ip6_forward_rt, RTF_PRCLONING); 534 } 535 536 #define rt6_key(r) ((struct sockaddr_in6 *)((r)->rt_nodes->rn_key)) 537 538 /* 539 * Accept the packet if the forwarding interface to the destination 540 * according to the routing table is the loopback interface, 541 * unless the associated route has a gateway. 542 * Note that this approach causes to accept a packet if there is a 543 * route to the loopback interface for the destination of the packet. 544 * But we think it's even useful in some situations, e.g. when using 545 * a special daemon which wants to intercept the packet. 546 * 547 * XXX: some OSes automatically make a cloned route for the destination 548 * of an outgoing packet. If the outgoing interface of the packet 549 * is a loopback one, the kernel would consider the packet to be 550 * accepted, even if we have no such address assinged on the interface. 551 * We check the cloned flag of the route entry to reject such cases, 552 * assuming that route entries for our own addresses are not made by 553 * cloning (it should be true because in6_addloop explicitly installs 554 * the host route). However, we might have to do an explicit check 555 * while it would be less efficient. Or, should we rather install a 556 * reject route for such a case? 557 */ 558 if (ip6_forward_rt.ro_rt && 559 (ip6_forward_rt.ro_rt->rt_flags & 560 (RTF_HOST|RTF_GATEWAY)) == RTF_HOST && 561 #ifdef RTF_WASCLONED 562 !(ip6_forward_rt.ro_rt->rt_flags & RTF_WASCLONED) && 563 #endif 564 #ifdef RTF_CLONED 565 !(ip6_forward_rt.ro_rt->rt_flags & RTF_CLONED) && 566 #endif 567 #if 0 568 /* 569 * The check below is redundant since the comparison of 570 * the destination and the key of the rtentry has 571 * already done through looking up the routing table. 572 */ 573 IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, 574 &rt6_key(ip6_forward_rt.ro_rt)->sin6_addr) 575 #endif 576 ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_LOOP) { 577 struct in6_ifaddr *ia6 = 578 (struct in6_ifaddr *)ip6_forward_rt.ro_rt->rt_ifa; 579 580 /* 581 * record address information into m_aux. 582 */ 583 ip6_setdstifaddr(m, ia6); 584 585 /* 586 * packets to a tentative, duplicated, or somehow invalid 587 * address must not be accepted. 588 */ 589 if (!(ia6->ia6_flags & IN6_IFF_NOTREADY)) { 590 /* this address is ready */ 591 ours = 1; 592 deliverifp = ia6->ia_ifp; /* correct? */ 593 /* Count the packet in the ip address stats */ 594 ia6->ia_ifa.if_ipackets++; 595 ia6->ia_ifa.if_ibytes += m->m_pkthdr.len; 596 goto hbhcheck; 597 } else { 598 /* address is not ready, so discard the packet. */ 599 nd6log((LOG_INFO, 600 "ip6_input: packet to an unready address %s->%s\n", 601 ip6_sprintf(&ip6->ip6_src), 602 ip6_sprintf(&ip6->ip6_dst))); 603 604 goto bad; 605 } 606 } 607 } /* XXX indentation (see above) */ 608 609 /* 610 * FAITH(Firewall Aided Internet Translator) 611 */ 612 if (ip6_keepfaith) { 613 if (ip6_forward_rt.ro_rt && ip6_forward_rt.ro_rt->rt_ifp 614 && ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_FAITH) { 615 /* XXX do we need more sanity checks? */ 616 ours = 1; 617 deliverifp = ip6_forward_rt.ro_rt->rt_ifp; /* faith */ 618 goto hbhcheck; 619 } 620 } 621 622 /* 623 * Now there is no reason to process the packet if it's not our own 624 * and we're not a router. 625 */ 626 if (!ip6_forwarding) { 627 ip6stat.ip6s_cantforward++; 628 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 629 goto bad; 630 } 631 632 hbhcheck: 633 /* 634 * record address information into m_aux, if we don't have one yet. 635 * note that we are unable to record it, if the address is not listed 636 * as our interface address (e.g. multicast addresses, addresses 637 * within FAITH prefixes and such). 638 */ 639 if (deliverifp && !ip6_getdstifaddr(m)) { 640 struct in6_ifaddr *ia6; 641 642 ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst); 643 if (ia6) { 644 if (!ip6_setdstifaddr(m, ia6)) { 645 /* 646 * XXX maybe we should drop the packet here, 647 * as we could not provide enough information 648 * to the upper layers. 649 */ 650 } 651 } 652 } 653 654 /* 655 * Process Hop-by-Hop options header if it's contained. 656 * m may be modified in ip6_hopopts_input(). 657 * If a JumboPayload option is included, plen will also be modified. 658 */ 659 plen = (u_int32_t)ntohs(ip6->ip6_plen); 660 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 661 struct ip6_hbh *hbh; 662 663 if (ip6_hopopts_input(&plen, &rtalert, &m, &off)) { 664 #if 0 /*touches NULL pointer*/ 665 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 666 #endif 667 goto bad2; /* m have already been freed */ 668 } 669 670 /* adjust pointer */ 671 ip6 = mtod(m, struct ip6_hdr *); 672 673 /* 674 * if the payload length field is 0 and the next header field 675 * indicates Hop-by-Hop Options header, then a Jumbo Payload 676 * option MUST be included. 677 */ 678 if (ip6->ip6_plen == 0 && plen == 0) { 679 /* 680 * Note that if a valid jumbo payload option is 681 * contained, ip6_hoptops_input() must set a valid 682 * (non-zero) payload length to the variable plen. 683 */ 684 ip6stat.ip6s_badoptions++; 685 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 686 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 687 icmp6_error(m, ICMP6_PARAM_PROB, 688 ICMP6_PARAMPROB_HEADER, 689 (caddr_t)&ip6->ip6_plen - (caddr_t)ip6); 690 goto bad2; 691 } 692 #ifndef PULLDOWN_TEST 693 /* ip6_hopopts_input() ensures that mbuf is contiguous */ 694 hbh = (struct ip6_hbh *)(ip6 + 1); 695 #else 696 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 697 sizeof(struct ip6_hbh)); 698 if (hbh == NULL) { 699 ip6stat.ip6s_tooshort++; 700 goto bad2; 701 } 702 #endif 703 nxt = hbh->ip6h_nxt; 704 705 /* 706 * If we are acting as a router and the packet contains a 707 * router alert option, see if we know the option value. 708 * Currently, we only support the option value for MLD, in which 709 * case we should pass the packet to the multicast routing 710 * daemon. 711 */ 712 if (rtalert != ~0 && ip6_forwarding) { 713 switch (rtalert) { 714 case IP6OPT_RTALERT_MLD: 715 ours = 1; 716 break; 717 default: 718 /* 719 * RFC2711 requires unrecognized values must be 720 * silently ignored. 721 */ 722 break; 723 } 724 } 725 } else 726 nxt = ip6->ip6_nxt; 727 728 /* 729 * Check that the amount of data in the buffers 730 * is as at least much as the IPv6 header would have us expect. 731 * Trim mbufs if longer than we expect. 732 * Drop packet if shorter than we expect. 733 */ 734 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) { 735 ip6stat.ip6s_tooshort++; 736 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 737 goto bad; 738 } 739 if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) { 740 if (m->m_len == m->m_pkthdr.len) { 741 m->m_len = sizeof(struct ip6_hdr) + plen; 742 m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen; 743 } else 744 m_adj(m, sizeof(struct ip6_hdr) + plen - m->m_pkthdr.len); 745 } 746 747 /* 748 * Forward if desirable. 749 */ 750 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 751 /* 752 * If we are acting as a multicast router, all 753 * incoming multicast packets are passed to the 754 * kernel-level multicast forwarding function. 755 * The packet is returned (relatively) intact; if 756 * ip6_mforward() returns a non-zero value, the packet 757 * must be discarded, else it may be accepted below. 758 */ 759 if (ip6_mrouter && ip6_mforward(ip6, m->m_pkthdr.rcvif, m)) { 760 ip6stat.ip6s_cantforward++; 761 goto bad; 762 } 763 if (!ours) 764 goto bad; 765 } else if (!ours) { 766 ip6_forward(m, srcrt); 767 goto bad2; 768 } 769 770 ip6 = mtod(m, struct ip6_hdr *); 771 772 /* 773 * Malicious party may be able to use IPv4 mapped addr to confuse 774 * tcp/udp stack and bypass security checks (act as if it was from 775 * 127.0.0.1 by using IPv6 src ::ffff:127.0.0.1). Be cautious. 776 * 777 * For SIIT end node behavior, you may want to disable the check. 778 * However, you will become vulnerable to attacks using IPv4 mapped 779 * source. 780 */ 781 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 782 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 783 ip6stat.ip6s_badscope++; 784 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 785 goto bad; 786 } 787 788 /* 789 * Tell launch routine the next header 790 */ 791 ip6stat.ip6s_delivered++; 792 in6_ifstat_inc(deliverifp, ifs6_in_deliver); 793 nest = 0; 794 795 rh_present = 0; 796 while (nxt != IPPROTO_DONE) { 797 if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) { 798 ip6stat.ip6s_toomanyhdr++; 799 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 800 goto bad; 801 } 802 803 /* 804 * protection against faulty packet - there should be 805 * more sanity checks in header chain processing. 806 */ 807 if (m->m_pkthdr.len < off) { 808 ip6stat.ip6s_tooshort++; 809 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 810 goto bad; 811 } 812 813 #if 0 814 /* 815 * do we need to do it for every header? yeah, other 816 * functions can play with it (like re-allocate and copy). 817 */ 818 mhist = ip6_addaux(m); 819 if (mhist && M_TRAILINGSPACE(mhist) >= sizeof(nxt)) { 820 hist = mtod(mhist, caddr_t) + mhist->m_len; 821 bcopy(&nxt, hist, sizeof(nxt)); 822 mhist->m_len += sizeof(nxt); 823 } else { 824 ip6stat.ip6s_toomanyhdr++; 825 goto bad; 826 } 827 #endif 828 829 if (nxt == IPPROTO_ROUTING) { 830 if (rh_present++) { 831 in6_ifstat_inc(m->m_pkthdr.rcvif, 832 ifs6_in_hdrerr); 833 ip6stat.ip6s_badoptions++; 834 goto bad; 835 } 836 } 837 838 #ifdef IPSEC 839 /* 840 * enforce IPsec policy checking if we are seeing last header. 841 * note that we do not visit this with protocols with pcb layer 842 * code - like udp/tcp/raw ip. 843 */ 844 if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) && 845 ipsec6_in_reject(m, NULL)) { 846 ipsec6stat.in_polvio++; 847 goto bad; 848 } 849 #endif 850 851 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt); 852 } 853 goto bad2; 854 bad: 855 m_freem(m); 856 bad2: 857 ; 858 /* msg was embedded in the mbuf, do not reply! */ 859 } 860 861 /* 862 * set/grab in6_ifaddr correspond to IPv6 destination address. 863 * XXX backward compatibility wrapper 864 */ 865 static struct ip6aux * 866 ip6_setdstifaddr(struct mbuf *m, struct in6_ifaddr *ia6) 867 { 868 struct ip6aux *n; 869 870 n = ip6_addaux(m); 871 if (n) 872 n->ip6a_dstia6 = ia6; 873 return n; /* NULL if failed to set */ 874 } 875 876 struct in6_ifaddr * 877 ip6_getdstifaddr(struct mbuf *m) 878 { 879 struct ip6aux *n; 880 881 n = ip6_findaux(m); 882 if (n) 883 return n->ip6a_dstia6; 884 else 885 return NULL; 886 } 887 888 /* 889 * Hop-by-Hop options header processing. If a valid jumbo payload option is 890 * included, the real payload length will be stored in plenp. 891 */ 892 static int 893 ip6_hopopts_input(u_int32_t *plenp, 894 u_int32_t *rtalertp,/* XXX: should be stored more smart way */ 895 struct mbuf **mp, 896 int *offp) 897 { 898 struct mbuf *m = *mp; 899 int off = *offp, hbhlen; 900 struct ip6_hbh *hbh; 901 u_int8_t *opt; 902 903 /* validation of the length of the header */ 904 #ifndef PULLDOWN_TEST 905 IP6_EXTHDR_CHECK(m, off, sizeof(*hbh), -1); 906 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off); 907 hbhlen = (hbh->ip6h_len + 1) << 3; 908 909 IP6_EXTHDR_CHECK(m, off, hbhlen, -1); 910 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off); 911 #else 912 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, 913 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh)); 914 if (hbh == NULL) { 915 ip6stat.ip6s_tooshort++; 916 return -1; 917 } 918 hbhlen = (hbh->ip6h_len + 1) << 3; 919 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 920 hbhlen); 921 if (hbh == NULL) { 922 ip6stat.ip6s_tooshort++; 923 return -1; 924 } 925 #endif 926 off += hbhlen; 927 hbhlen -= sizeof(struct ip6_hbh); 928 opt = (u_int8_t *)hbh + sizeof(struct ip6_hbh); 929 930 if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh), 931 hbhlen, rtalertp, plenp) < 0) 932 return (-1); 933 934 *offp = off; 935 *mp = m; 936 return (0); 937 } 938 939 /* 940 * Search header for all Hop-by-hop options and process each option. 941 * This function is separate from ip6_hopopts_input() in order to 942 * handle a case where the sending node itself process its hop-by-hop 943 * options header. In such a case, the function is called from ip6_output(). 944 * 945 * The function assumes that hbh header is located right after the IPv6 header 946 * (RFC2460 p7), opthead is pointer into data content in m, and opthead to 947 * opthead + hbhlen is located in continuous memory region. 948 */ 949 int 950 ip6_process_hopopts(struct mbuf *m, u_int8_t *opthead, int hbhlen, 951 u_int32_t *rtalertp, u_int32_t *plenp) 952 { 953 struct ip6_hdr *ip6; 954 int optlen = 0; 955 u_int8_t *opt = opthead; 956 u_int16_t rtalert_val; 957 u_int32_t jumboplen; 958 const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh); 959 960 for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) { 961 switch (*opt) { 962 case IP6OPT_PAD1: 963 optlen = 1; 964 break; 965 case IP6OPT_PADN: 966 if (hbhlen < IP6OPT_MINLEN) { 967 ip6stat.ip6s_toosmall++; 968 goto bad; 969 } 970 optlen = *(opt + 1) + 2; 971 break; 972 case IP6OPT_RTALERT: 973 /* XXX may need check for alignment */ 974 if (hbhlen < IP6OPT_RTALERT_LEN) { 975 ip6stat.ip6s_toosmall++; 976 goto bad; 977 } 978 if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) { 979 /* XXX stat */ 980 icmp6_error(m, ICMP6_PARAM_PROB, 981 ICMP6_PARAMPROB_HEADER, 982 erroff + opt + 1 - opthead); 983 return (-1); 984 } 985 optlen = IP6OPT_RTALERT_LEN; 986 bcopy((caddr_t)(opt + 2), (caddr_t)&rtalert_val, 2); 987 *rtalertp = ntohs(rtalert_val); 988 break; 989 case IP6OPT_JUMBO: 990 /* XXX may need check for alignment */ 991 if (hbhlen < IP6OPT_JUMBO_LEN) { 992 ip6stat.ip6s_toosmall++; 993 goto bad; 994 } 995 if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) { 996 /* XXX stat */ 997 icmp6_error(m, ICMP6_PARAM_PROB, 998 ICMP6_PARAMPROB_HEADER, 999 erroff + opt + 1 - opthead); 1000 return (-1); 1001 } 1002 optlen = IP6OPT_JUMBO_LEN; 1003 1004 /* 1005 * IPv6 packets that have non 0 payload length 1006 * must not contain a jumbo payload option. 1007 */ 1008 ip6 = mtod(m, struct ip6_hdr *); 1009 if (ip6->ip6_plen) { 1010 ip6stat.ip6s_badoptions++; 1011 icmp6_error(m, ICMP6_PARAM_PROB, 1012 ICMP6_PARAMPROB_HEADER, 1013 erroff + opt - opthead); 1014 return (-1); 1015 } 1016 1017 /* 1018 * We may see jumbolen in unaligned location, so 1019 * we'd need to perform bcopy(). 1020 */ 1021 bcopy(opt + 2, &jumboplen, sizeof(jumboplen)); 1022 jumboplen = (u_int32_t)htonl(jumboplen); 1023 1024 #if 1 1025 /* 1026 * if there are multiple jumbo payload options, 1027 * *plenp will be non-zero and the packet will be 1028 * rejected. 1029 * the behavior may need some debate in ipngwg - 1030 * multiple options does not make sense, however, 1031 * there's no explicit mention in specification. 1032 */ 1033 if (*plenp != 0) { 1034 ip6stat.ip6s_badoptions++; 1035 icmp6_error(m, ICMP6_PARAM_PROB, 1036 ICMP6_PARAMPROB_HEADER, 1037 erroff + opt + 2 - opthead); 1038 return (-1); 1039 } 1040 #endif 1041 1042 /* 1043 * jumbo payload length must be larger than 65535. 1044 */ 1045 if (jumboplen <= IPV6_MAXPACKET) { 1046 ip6stat.ip6s_badoptions++; 1047 icmp6_error(m, ICMP6_PARAM_PROB, 1048 ICMP6_PARAMPROB_HEADER, 1049 erroff + opt + 2 - opthead); 1050 return (-1); 1051 } 1052 *plenp = jumboplen; 1053 1054 break; 1055 default: /* unknown option */ 1056 if (hbhlen < IP6OPT_MINLEN) { 1057 ip6stat.ip6s_toosmall++; 1058 goto bad; 1059 } 1060 optlen = ip6_unknown_opt(opt, m, 1061 erroff + opt - opthead); 1062 if (optlen == -1) 1063 return (-1); 1064 optlen += 2; 1065 break; 1066 } 1067 } 1068 1069 return (0); 1070 1071 bad: 1072 m_freem(m); 1073 return (-1); 1074 } 1075 1076 /* 1077 * Unknown option processing. 1078 * The third argument `off' is the offset from the IPv6 header to the option, 1079 * which is necessary if the IPv6 header the and option header and IPv6 header 1080 * is not continuous in order to return an ICMPv6 error. 1081 */ 1082 int 1083 ip6_unknown_opt(u_int8_t *optp, struct mbuf *m, int off) 1084 { 1085 struct ip6_hdr *ip6; 1086 1087 switch (IP6OPT_TYPE(*optp)) { 1088 case IP6OPT_TYPE_SKIP: /* ignore the option */ 1089 return ((int)*(optp + 1)); 1090 case IP6OPT_TYPE_DISCARD: /* silently discard */ 1091 m_freem(m); 1092 return (-1); 1093 case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */ 1094 ip6stat.ip6s_badoptions++; 1095 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off); 1096 return (-1); 1097 case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */ 1098 ip6stat.ip6s_badoptions++; 1099 ip6 = mtod(m, struct ip6_hdr *); 1100 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) || 1101 (m->m_flags & (M_BCAST|M_MCAST))) 1102 m_freem(m); 1103 else 1104 icmp6_error(m, ICMP6_PARAM_PROB, 1105 ICMP6_PARAMPROB_OPTION, off); 1106 return (-1); 1107 } 1108 1109 m_freem(m); /* XXX: NOTREACHED */ 1110 return (-1); 1111 } 1112 1113 /* 1114 * Create the "control" list for this pcb. 1115 * The function will not modify mbuf chain at all. 1116 * 1117 * with KAME mbuf chain restriction: 1118 * The routine will be called from upper layer handlers like tcp6_input(). 1119 * Thus the routine assumes that the caller (tcp6_input) have already 1120 * called IP6_EXTHDR_CHECK() and all the extension headers are located in the 1121 * very first mbuf on the mbuf chain. 1122 */ 1123 void 1124 ip6_savecontrol(struct inpcb *in6p, struct mbuf **mp, struct ip6_hdr *ip6, 1125 struct mbuf *m) 1126 { 1127 #define IS2292(x, y) ((in6p->in6p_flags & IN6P_RFC2292) ? (x) : (y)) 1128 struct thread *td = curthread; /* XXX */ 1129 int privileged = 0; 1130 int rthdr_exist = 0; 1131 1132 1133 if (suser(td) == 0) 1134 privileged++; 1135 1136 #ifdef SO_TIMESTAMP 1137 if (in6p->in6p_socket->so_options & SO_TIMESTAMP) { 1138 struct timeval tv; 1139 1140 microtime(&tv); 1141 *mp = sbcreatecontrol((caddr_t) &tv, sizeof(tv), 1142 SCM_TIMESTAMP, SOL_SOCKET); 1143 if (*mp) { 1144 mp = &(*mp)->m_next; 1145 } 1146 } 1147 #endif 1148 1149 /* RFC 2292 sec. 5 */ 1150 if (in6p->in6p_flags & IN6P_PKTINFO) { 1151 struct in6_pktinfo pi6; 1152 bcopy(&ip6->ip6_dst, &pi6.ipi6_addr, sizeof(struct in6_addr)); 1153 if (IN6_IS_SCOPE_LINKLOCAL(&pi6.ipi6_addr)) 1154 pi6.ipi6_addr.s6_addr16[1] = 0; 1155 pi6.ipi6_ifindex = (m && m->m_pkthdr.rcvif) 1156 ? m->m_pkthdr.rcvif->if_index 1157 : 0; 1158 *mp = sbcreatecontrol((caddr_t) &pi6, 1159 sizeof(struct in6_pktinfo), IS2292(IPV6_2292PKTINFO, IPV6_PKTINFO), 1160 IPPROTO_IPV6); 1161 if (*mp) 1162 mp = &(*mp)->m_next; 1163 } 1164 1165 if (in6p->in6p_flags & IN6P_HOPLIMIT) { 1166 int hlim = ip6->ip6_hlim & 0xff; 1167 *mp = sbcreatecontrol((caddr_t) &hlim, 1168 sizeof(int), IS2292(IPV6_2292HOPLIMIT, IPV6_HOPLIMIT), IPPROTO_IPV6); 1169 if (*mp) 1170 mp = &(*mp)->m_next; 1171 } 1172 1173 if ((in6p->in6p_flags & IN6P_TCLASS) != 0) { 1174 u_int32_t flowinfo; 1175 int tclass; 1176 1177 flowinfo = (u_int32_t)ntohl(ip6->ip6_flow & IPV6_FLOWINFO_MASK); 1178 flowinfo >>= 20; 1179 1180 tclass = flowinfo & 0xff; 1181 *mp = sbcreatecontrol((caddr_t) &tclass, sizeof(tclass), 1182 IPV6_TCLASS, IPPROTO_IPV6); 1183 if (*mp) 1184 mp = &(*mp)->m_next; 1185 } 1186 1187 /* 1188 * IPV6_HOPOPTS socket option. We require super-user privilege 1189 * for the option, but it might be too strict, since there might 1190 * be some hop-by-hop options which can be returned to normal user. 1191 * See RFC 2292 section 6. 1192 */ 1193 if ((in6p->in6p_flags & IN6P_HOPOPTS) && privileged) { 1194 /* 1195 * Check if a hop-by-hop options header is contatined in the 1196 * received packet, and if so, store the options as ancillary 1197 * data. Note that a hop-by-hop options header must be 1198 * just after the IPv6 header, which fact is assured through 1199 * the IPv6 input processing. 1200 */ 1201 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1202 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 1203 struct ip6_hbh *hbh; 1204 int hbhlen = 0; 1205 #ifdef PULLDOWN_TEST 1206 struct mbuf *ext; 1207 #endif 1208 1209 #ifndef PULLDOWN_TEST 1210 hbh = (struct ip6_hbh *)(ip6 + 1); 1211 hbhlen = (hbh->ip6h_len + 1) << 3; 1212 #else 1213 ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr), 1214 ip6->ip6_nxt); 1215 if (ext == NULL) { 1216 ip6stat.ip6s_tooshort++; 1217 return; 1218 } 1219 hbh = mtod(ext, struct ip6_hbh *); 1220 hbhlen = (hbh->ip6h_len + 1) << 3; 1221 if (hbhlen != ext->m_len) { 1222 m_freem(ext); 1223 ip6stat.ip6s_tooshort++; 1224 return; 1225 } 1226 #endif 1227 1228 /* 1229 * XXX: We copy whole the header even if a jumbo 1230 * payload option is included, which option is to 1231 * be removed before returning in the RFC 2292. 1232 * Note: this constraint is removed in 2292bis. 1233 */ 1234 *mp = sbcreatecontrol((caddr_t)hbh, hbhlen, 1235 IS2292(IPV6_2292HOPOPTS, IPV6_HOPOPTS), IPPROTO_IPV6); 1236 if (*mp) 1237 mp = &(*mp)->m_next; 1238 #ifdef PULLDOWN_TEST 1239 m_freem(ext); 1240 #endif 1241 } 1242 } 1243 1244 /* IPV6_DSTOPTS and IPV6_RTHDR socket options */ 1245 if ((in6p->in6p_flags & (IN6P_DSTOPTS | IN6P_RTHDRDSTOPTS)) != 0) { 1246 int proto, off, nxt; 1247 1248 /* 1249 * go through the header chain to see if a routing header is 1250 * contained in the packet. We need this information to store 1251 * destination options headers (if any) properly. 1252 * XXX: performance issue. We should record this info when 1253 * processing extension headers in incoming routine. 1254 * (todo) use m_aux? 1255 */ 1256 proto = IPPROTO_IPV6; 1257 off = 0; 1258 nxt = -1; 1259 while (1) { 1260 int newoff; 1261 1262 newoff = ip6_nexthdr(m, off, proto, &nxt); 1263 if (newoff < 0) 1264 break; 1265 if (newoff < off) /* invalid, check for safety */ 1266 break; 1267 if ((proto = nxt) == IPPROTO_ROUTING) { 1268 rthdr_exist = 1; 1269 break; 1270 } 1271 off = newoff; 1272 } 1273 } 1274 1275 if ((in6p->in6p_flags & 1276 (IN6P_RTHDR | IN6P_DSTOPTS | IN6P_RTHDRDSTOPTS)) != 0) { 1277 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1278 int nxt = ip6->ip6_nxt, off = sizeof(struct ip6_hdr); 1279 1280 /* 1281 * Search for destination options headers or routing 1282 * header(s) through the header chain, and stores each 1283 * header as ancillary data. 1284 * Note that the order of the headers remains in 1285 * the chain of ancillary data. 1286 */ 1287 while (1) { /* is explicit loop prevention necessary? */ 1288 struct ip6_ext *ip6e = NULL; 1289 int elen; 1290 #ifdef PULLDOWN_TEST 1291 struct mbuf *ext = NULL; 1292 #endif 1293 1294 /* 1295 * if it is not an extension header, don't try to 1296 * pull it from the chain. 1297 */ 1298 switch (nxt) { 1299 case IPPROTO_DSTOPTS: 1300 case IPPROTO_ROUTING: 1301 case IPPROTO_HOPOPTS: 1302 case IPPROTO_AH: /* is it possible? */ 1303 break; 1304 default: 1305 goto loopend; 1306 } 1307 1308 #ifndef PULLDOWN_TEST 1309 if (off + sizeof(*ip6e) > m->m_len) 1310 goto loopend; 1311 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + off); 1312 if (nxt == IPPROTO_AH) 1313 elen = (ip6e->ip6e_len + 2) << 2; 1314 else 1315 elen = (ip6e->ip6e_len + 1) << 3; 1316 if (off + elen > m->m_len) 1317 goto loopend; 1318 #else 1319 ext = ip6_pullexthdr(m, off, nxt); 1320 if (ext == NULL) { 1321 ip6stat.ip6s_tooshort++; 1322 return; 1323 } 1324 ip6e = mtod(ext, struct ip6_ext *); 1325 if (nxt == IPPROTO_AH) 1326 elen = (ip6e->ip6e_len + 2) << 2; 1327 else 1328 elen = (ip6e->ip6e_len + 1) << 3; 1329 if (elen != ext->m_len) { 1330 m_freem(ext); 1331 ip6stat.ip6s_tooshort++; 1332 return; 1333 } 1334 #endif 1335 1336 switch (nxt) { 1337 case IPPROTO_DSTOPTS: 1338 if ((in6p->in6p_flags & IN6P_DSTOPTS) == 0) 1339 break; 1340 1341 /* 1342 * We also require super-user privilege for 1343 * the option. 1344 * See the comments on IN6_HOPOPTS. 1345 */ 1346 if (!privileged) 1347 break; 1348 1349 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1350 IS2292(IPV6_2292DSTOPTS, IPV6_DSTOPTS), 1351 IPPROTO_IPV6); 1352 if (*mp) 1353 mp = &(*mp)->m_next; 1354 break; 1355 case IPPROTO_ROUTING: 1356 if (!in6p->in6p_flags & IN6P_RTHDR) 1357 break; 1358 1359 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1360 IS2292(IPV6_2292RTHDR, IPV6_RTHDR), 1361 IPPROTO_IPV6); 1362 if (*mp) 1363 mp = &(*mp)->m_next; 1364 break; 1365 case IPPROTO_HOPOPTS: 1366 case IPPROTO_AH: /* is it possible? */ 1367 break; 1368 1369 default: 1370 /* 1371 * other cases have been filtered in the above. 1372 * none will visit this case. here we supply 1373 * the code just in case (nxt overwritten or 1374 * other cases). 1375 */ 1376 #ifdef PULLDOWN_TEST 1377 m_freem(ext); 1378 #endif 1379 goto loopend; 1380 1381 } 1382 1383 /* proceed with the next header. */ 1384 off += elen; 1385 nxt = ip6e->ip6e_nxt; 1386 ip6e = NULL; 1387 #ifdef PULLDOWN_TEST 1388 m_freem(ext); 1389 ext = NULL; 1390 #endif 1391 } 1392 loopend: 1393 ; 1394 } 1395 #undef IS2292 1396 } 1397 1398 void 1399 ip6_notify_pmtu(struct inpcb *in6p, struct sockaddr_in6 *dst, u_int32_t *mtu) 1400 { 1401 struct socket *so; 1402 struct mbuf *m_mtu; 1403 struct ip6_mtuinfo mtuctl; 1404 1405 so = in6p->inp_socket; 1406 1407 if (mtu == NULL) 1408 return; 1409 1410 #ifdef DIAGNOSTIC 1411 if (so == NULL) /* I believe this is impossible */ 1412 panic("ip6_notify_pmtu: socket is NULL"); 1413 #endif 1414 1415 bzero(&mtuctl, sizeof(mtuctl)); /* zero-clear for safety */ 1416 mtuctl.ip6m_mtu = *mtu; 1417 mtuctl.ip6m_addr = *dst; 1418 1419 if ((m_mtu = sbcreatecontrol((caddr_t)&mtuctl, sizeof(mtuctl), 1420 IPV6_PATHMTU, IPPROTO_IPV6)) == NULL) 1421 return; 1422 1423 if (sbappendaddr(&so->so_rcv, (struct sockaddr *)dst, NULL, m_mtu) 1424 == 0) { 1425 m_freem(m_mtu); 1426 /* XXX: should count statistics */ 1427 } else 1428 sorwakeup(so); 1429 1430 return; 1431 } 1432 1433 #ifdef PULLDOWN_TEST 1434 /* 1435 * pull single extension header from mbuf chain. returns single mbuf that 1436 * contains the result, or NULL on error. 1437 */ 1438 static struct mbuf * 1439 ip6_pullexthdr(struct mbuf *m, size_t off, int nxt) 1440 { 1441 struct ip6_ext ip6e; 1442 size_t elen; 1443 struct mbuf *n; 1444 1445 #ifdef DIAGNOSTIC 1446 switch (nxt) { 1447 case IPPROTO_DSTOPTS: 1448 case IPPROTO_ROUTING: 1449 case IPPROTO_HOPOPTS: 1450 case IPPROTO_AH: /* is it possible? */ 1451 break; 1452 default: 1453 kprintf("ip6_pullexthdr: invalid nxt=%d\n", nxt); 1454 } 1455 #endif 1456 1457 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1458 if (nxt == IPPROTO_AH) 1459 elen = (ip6e.ip6e_len + 2) << 2; 1460 else 1461 elen = (ip6e.ip6e_len + 1) << 3; 1462 1463 n = m_getb(elen, MB_DONTWAIT, MT_DATA, 0); 1464 if (n == NULL) 1465 return NULL; 1466 n->m_len = 0; 1467 1468 if (elen >= M_TRAILINGSPACE(n)) { 1469 m_free(n); 1470 return NULL; 1471 } 1472 1473 m_copydata(m, off, elen, mtod(n, caddr_t)); 1474 n->m_len = elen; 1475 return n; 1476 } 1477 #endif 1478 1479 /* 1480 * Get pointer to the previous header followed by the header 1481 * currently processed. 1482 * XXX: This function supposes that 1483 * M includes all headers, 1484 * the next header field and the header length field of each header 1485 * are valid, and 1486 * the sum of each header length equals to OFF. 1487 * Because of these assumptions, this function must be called very 1488 * carefully. Moreover, it will not be used in the near future when 1489 * we develop `neater' mechanism to process extension headers. 1490 */ 1491 char * 1492 ip6_get_prevhdr(struct mbuf *m, int off) 1493 { 1494 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1495 1496 if (off == sizeof(struct ip6_hdr)) 1497 return (&ip6->ip6_nxt); 1498 else { 1499 int len, nxt; 1500 struct ip6_ext *ip6e = NULL; 1501 1502 nxt = ip6->ip6_nxt; 1503 len = sizeof(struct ip6_hdr); 1504 while (len < off) { 1505 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + len); 1506 1507 switch (nxt) { 1508 case IPPROTO_FRAGMENT: 1509 len += sizeof(struct ip6_frag); 1510 break; 1511 case IPPROTO_AH: 1512 len += (ip6e->ip6e_len + 2) << 2; 1513 break; 1514 default: 1515 len += (ip6e->ip6e_len + 1) << 3; 1516 break; 1517 } 1518 nxt = ip6e->ip6e_nxt; 1519 } 1520 if (ip6e) 1521 return (&ip6e->ip6e_nxt); 1522 else 1523 return NULL; 1524 } 1525 } 1526 1527 /* 1528 * get next header offset. m will be retained. 1529 */ 1530 int 1531 ip6_nexthdr(struct mbuf *m, int off, int proto, int *nxtp) 1532 { 1533 struct ip6_hdr ip6; 1534 struct ip6_ext ip6e; 1535 struct ip6_frag fh; 1536 1537 /* just in case */ 1538 if (m == NULL) 1539 panic("ip6_nexthdr: m == NULL"); 1540 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off) 1541 return -1; 1542 1543 switch (proto) { 1544 case IPPROTO_IPV6: 1545 if (m->m_pkthdr.len < off + sizeof(ip6)) 1546 return -1; 1547 m_copydata(m, off, sizeof(ip6), (caddr_t)&ip6); 1548 if (nxtp) 1549 *nxtp = ip6.ip6_nxt; 1550 off += sizeof(ip6); 1551 return off; 1552 1553 case IPPROTO_FRAGMENT: 1554 /* 1555 * terminate parsing if it is not the first fragment, 1556 * it does not make sense to parse through it. 1557 */ 1558 if (m->m_pkthdr.len < off + sizeof(fh)) 1559 return -1; 1560 m_copydata(m, off, sizeof(fh), (caddr_t)&fh); 1561 /* IP6F_OFF_MASK = 0xfff8(BigEndian), 0xf8ff(LittleEndian) */ 1562 if (fh.ip6f_offlg & IP6F_OFF_MASK) 1563 return -1; 1564 if (nxtp) 1565 *nxtp = fh.ip6f_nxt; 1566 off += sizeof(struct ip6_frag); 1567 return off; 1568 1569 case IPPROTO_AH: 1570 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1571 return -1; 1572 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1573 if (nxtp) 1574 *nxtp = ip6e.ip6e_nxt; 1575 off += (ip6e.ip6e_len + 2) << 2; 1576 return off; 1577 1578 case IPPROTO_HOPOPTS: 1579 case IPPROTO_ROUTING: 1580 case IPPROTO_DSTOPTS: 1581 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1582 return -1; 1583 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1584 if (nxtp) 1585 *nxtp = ip6e.ip6e_nxt; 1586 off += (ip6e.ip6e_len + 1) << 3; 1587 return off; 1588 1589 case IPPROTO_NONE: 1590 case IPPROTO_ESP: 1591 case IPPROTO_IPCOMP: 1592 /* give up */ 1593 return -1; 1594 1595 default: 1596 return -1; 1597 } 1598 1599 return -1; 1600 } 1601 1602 /* 1603 * get offset for the last header in the chain. m will be kept untainted. 1604 */ 1605 int 1606 ip6_lasthdr(struct mbuf *m, int off, int proto, int *nxtp) 1607 { 1608 int newoff; 1609 int nxt; 1610 1611 if (!nxtp) { 1612 nxt = -1; 1613 nxtp = &nxt; 1614 } 1615 while (1) { 1616 newoff = ip6_nexthdr(m, off, proto, nxtp); 1617 if (newoff < 0) 1618 return off; 1619 else if (newoff < off) 1620 return -1; /* invalid */ 1621 else if (newoff == off) 1622 return newoff; 1623 1624 off = newoff; 1625 proto = *nxtp; 1626 } 1627 } 1628 1629 struct ip6aux * 1630 ip6_addaux(struct mbuf *m) 1631 { 1632 struct m_tag *tag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL); 1633 if (!tag) { 1634 tag = m_tag_get(PACKET_TAG_IPV6_INPUT, 1635 sizeof (struct ip6aux), 1636 MB_DONTWAIT); 1637 if (tag) 1638 m_tag_prepend(m, tag); 1639 } 1640 if (tag) 1641 bzero(m_tag_data(tag), sizeof (struct ip6aux)); 1642 return tag ? (struct ip6aux *)m_tag_data(tag) : NULL; 1643 } 1644 1645 struct ip6aux * 1646 ip6_findaux(struct mbuf *m) 1647 { 1648 struct m_tag *tag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL); 1649 return tag ? (struct ip6aux*)(tag+1) : NULL; 1650 } 1651 1652 void 1653 ip6_delaux(struct mbuf *m) 1654 { 1655 struct m_tag *tag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL); 1656 if (tag) 1657 m_tag_delete(m, tag); 1658 } 1659 1660 /* 1661 * System control for IP6 1662 */ 1663 1664 u_char inet6ctlerrmap[PRC_NCMDS] = { 1665 0, 0, 0, 0, 1666 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH, 1667 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, 1668 EMSGSIZE, EHOSTUNREACH, 0, 0, 1669 0, 0, 0, 0, 1670 ENOPROTOOPT 1671 }; 1672