1 /* $NetBSD: ip_output.c,v 1.167.2.2 2007/03/28 20:46:13 jdc Exp $ */
2
3 /*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 /*-
33 * Copyright (c) 1998 The NetBSD Foundation, Inc.
34 * All rights reserved.
35 *
36 * This code is derived from software contributed to The NetBSD Foundation
37 * by Public Access Networks Corporation ("Panix"). It was developed under
38 * contract to Panix by Eric Haszlakiewicz and Thor Lancelot Simon.
39 *
40 * Redistribution and use in source and binary forms, with or without
41 * modification, are permitted provided that the following conditions
42 * are met:
43 * 1. Redistributions of source code must retain the above copyright
44 * notice, this list of conditions and the following disclaimer.
45 * 2. Redistributions in binary form must reproduce the above copyright
46 * notice, this list of conditions and the following disclaimer in the
47 * documentation and/or other materials provided with the distribution.
48 * 3. All advertising materials mentioning features or use of this software
49 * must display the following acknowledgement:
50 * This product includes software developed by the NetBSD
51 * Foundation, Inc. and its contributors.
52 * 4. Neither the name of The NetBSD Foundation nor the names of its
53 * contributors may be used to endorse or promote products derived
54 * from this software without specific prior written permission.
55 *
56 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
57 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
58 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
59 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
60 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
61 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
62 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
63 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
64 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
65 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
66 * POSSIBILITY OF SUCH DAMAGE.
67 */
68
69 /*
70 * Copyright (c) 1982, 1986, 1988, 1990, 1993
71 * The Regents of the University of California. All rights reserved.
72 *
73 * Redistribution and use in source and binary forms, with or without
74 * modification, are permitted provided that the following conditions
75 * are met:
76 * 1. Redistributions of source code must retain the above copyright
77 * notice, this list of conditions and the following disclaimer.
78 * 2. Redistributions in binary form must reproduce the above copyright
79 * notice, this list of conditions and the following disclaimer in the
80 * documentation and/or other materials provided with the distribution.
81 * 3. Neither the name of the University nor the names of its contributors
82 * may be used to endorse or promote products derived from this software
83 * without specific prior written permission.
84 *
85 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
86 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
87 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
88 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
89 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
90 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
91 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
92 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
93 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
94 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
95 * SUCH DAMAGE.
96 *
97 * @(#)ip_output.c 8.3 (Berkeley) 1/21/94
98 */
99
100 #include <sys/cdefs.h>
101 __KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.167.2.2 2007/03/28 20:46:13 jdc Exp $");
102
103 #include "opt_pfil_hooks.h"
104 #include "opt_inet.h"
105 #include "opt_ipsec.h"
106 #include "opt_mrouting.h"
107
108 #include <sys/param.h>
109 #include <sys/malloc.h>
110 #include <sys/mbuf.h>
111 #include <sys/errno.h>
112 #include <sys/protosw.h>
113 #include <sys/socket.h>
114 #include <sys/socketvar.h>
115 #include <sys/kauth.h>
116 #ifdef FAST_IPSEC
117 #include <sys/domain.h>
118 #endif
119 #include <sys/systm.h>
120 #include <sys/proc.h>
121
122 #include <net/if.h>
123 #include <net/route.h>
124 #include <net/pfil.h>
125
126 #include <netinet/in.h>
127 #include <netinet/in_systm.h>
128 #include <netinet/ip.h>
129 #include <netinet/in_pcb.h>
130 #include <netinet/in_var.h>
131 #include <netinet/ip_var.h>
132 #include <netinet/in_offload.h>
133
134 #ifdef MROUTING
135 #include <netinet/ip_mroute.h>
136 #endif
137
138 #include <machine/stdarg.h>
139
140 #ifdef IPSEC
141 #include <netinet6/ipsec.h>
142 #include <netkey/key.h>
143 #include <netkey/key_debug.h>
144 #endif /*IPSEC*/
145
146 #ifdef FAST_IPSEC
147 #include <netipsec/ipsec.h>
148 #include <netipsec/key.h>
149 #include <netipsec/xform.h>
150 #endif /* FAST_IPSEC*/
151
152 #ifdef IPSEC_NAT_T
153 #include <netinet/udp.h>
154 #endif
155
156 static struct mbuf *ip_insertoptions(struct mbuf *, struct mbuf *, int *);
157 static struct ifnet *ip_multicast_if(struct in_addr *, int *);
158 static void ip_mloopback(struct ifnet *, struct mbuf *, struct sockaddr_in *);
159 static int ip_getoptval(struct mbuf *, u_int8_t *, u_int);
160
161 #ifdef PFIL_HOOKS
162 extern struct pfil_head inet_pfil_hook; /* XXX */
163 #endif
164
165 int ip_do_loopback_cksum = 0;
166
167 #define IN_NEED_CHECKSUM(ifp, csum_flags) \
168 (__predict_true(((ifp)->if_flags & IFF_LOOPBACK) == 0 || \
169 (((csum_flags) & M_CSUM_UDPv4) != 0 && udp_do_loopback_cksum) || \
170 (((csum_flags) & M_CSUM_TCPv4) != 0 && tcp_do_loopback_cksum) || \
171 (((csum_flags) & M_CSUM_IPv4) != 0 && ip_do_loopback_cksum)))
172
173 /*
174 * IP output. The packet in mbuf chain m contains a skeletal IP
175 * header (with len, off, ttl, proto, tos, src, dst).
176 * The mbuf chain containing the packet will be freed.
177 * The mbuf opt, if present, will not be freed.
178 */
179 int
180 ip_output(struct mbuf *m0, ...)
181 {
182 struct ip *ip;
183 struct ifnet *ifp;
184 struct mbuf *m = m0;
185 int hlen = sizeof (struct ip);
186 int len, error = 0;
187 struct route iproute;
188 struct sockaddr_in *dst;
189 struct in_ifaddr *ia;
190 struct ifaddr *xifa;
191 struct mbuf *opt;
192 struct route *ro;
193 int flags, sw_csum;
194 int *mtu_p;
195 u_long mtu;
196 struct ip_moptions *imo;
197 struct socket *so;
198 va_list ap;
199 #ifdef IPSEC_NAT_T
200 int natt_frag = 0;
201 #endif
202 #ifdef IPSEC
203 struct secpolicy *sp = NULL;
204 #endif /*IPSEC*/
205 #ifdef FAST_IPSEC
206 struct inpcb *inp;
207 struct m_tag *mtag;
208 struct secpolicy *sp = NULL;
209 struct tdb_ident *tdbi;
210 int s;
211 #endif
212 u_int16_t ip_len;
213
214 len = 0;
215 va_start(ap, m0);
216 opt = va_arg(ap, struct mbuf *);
217 ro = va_arg(ap, struct route *);
218 flags = va_arg(ap, int);
219 imo = va_arg(ap, struct ip_moptions *);
220 so = va_arg(ap, struct socket *);
221 if (flags & IP_RETURNMTU)
222 mtu_p = va_arg(ap, int *);
223 else
224 mtu_p = NULL;
225 va_end(ap);
226
227 MCLAIM(m, &ip_tx_mowner);
228 #ifdef FAST_IPSEC
229 if (so != NULL && so->so_proto->pr_domain->dom_family == AF_INET)
230 inp = (struct inpcb *)so->so_pcb;
231 else
232 inp = NULL;
233 #endif /* FAST_IPSEC */
234
235 #ifdef DIAGNOSTIC
236 if ((m->m_flags & M_PKTHDR) == 0)
237 panic("ip_output: no HDR");
238
239 if ((m->m_pkthdr.csum_flags & (M_CSUM_TCPv6|M_CSUM_UDPv6)) != 0) {
240 panic("ip_output: IPv6 checksum offload flags: %d",
241 m->m_pkthdr.csum_flags);
242 }
243
244 if ((m->m_pkthdr.csum_flags & (M_CSUM_TCPv4|M_CSUM_UDPv4)) ==
245 (M_CSUM_TCPv4|M_CSUM_UDPv4)) {
246 panic("ip_output: conflicting checksum offload flags: %d",
247 m->m_pkthdr.csum_flags);
248 }
249 #endif
250 if (opt) {
251 m = ip_insertoptions(m, opt, &len);
252 if (len >= sizeof(struct ip))
253 hlen = len;
254 }
255 ip = mtod(m, struct ip *);
256 /*
257 * Fill in IP header.
258 */
259 if ((flags & (IP_FORWARDING|IP_RAWOUTPUT)) == 0) {
260 ip->ip_v = IPVERSION;
261 ip->ip_off = htons(0);
262 if ((m->m_pkthdr.csum_flags & M_CSUM_TSOv4) == 0) {
263 ip->ip_id = ip_newid();
264 } else {
265
266 /*
267 * TSO capable interfaces (typically?) increment
268 * ip_id for each segment.
269 * "allocate" enough ids here to increase the chance
270 * for them to be unique.
271 *
272 * note that the following calculation is not
273 * needed to be precise. wasting some ip_id is fine.
274 */
275
276 unsigned int segsz = m->m_pkthdr.segsz;
277 unsigned int datasz = ntohs(ip->ip_len) - hlen;
278 unsigned int num = howmany(datasz, segsz);
279
280 ip->ip_id = ip_newid_range(num);
281 }
282 ip->ip_hl = hlen >> 2;
283 ipstat.ips_localout++;
284 } else {
285 hlen = ip->ip_hl << 2;
286 }
287 /*
288 * Route packet.
289 */
290 bzero(&iproute, sizeof(iproute));
291 if (ro == NULL)
292 ro = &iproute;
293 dst = satosin(&ro->ro_dst);
294 /*
295 * If there is a cached route,
296 * check that it is to the same destination
297 * and is still up. If not, free it and try again.
298 * The address family should also be checked in case of sharing the
299 * cache with IPv6.
300 */
301 if (ro->ro_rt && ((ro->ro_rt->rt_flags & RTF_UP) == 0 ||
302 dst->sin_family != AF_INET ||
303 !in_hosteq(dst->sin_addr, ip->ip_dst))) {
304 RTFREE(ro->ro_rt);
305 ro->ro_rt = (struct rtentry *)0;
306 }
307 if (ro->ro_rt == 0) {
308 bzero(dst, sizeof(*dst));
309 dst->sin_family = AF_INET;
310 dst->sin_len = sizeof(*dst);
311 dst->sin_addr = ip->ip_dst;
312 }
313 /*
314 * If routing to interface only,
315 * short circuit routing lookup.
316 */
317 if (flags & IP_ROUTETOIF) {
318 if ((ia = ifatoia(ifa_ifwithladdr(sintosa(dst)))) == 0) {
319 ipstat.ips_noroute++;
320 error = ENETUNREACH;
321 goto bad;
322 }
323 ifp = ia->ia_ifp;
324 mtu = ifp->if_mtu;
325 ip->ip_ttl = 1;
326 } else if ((IN_MULTICAST(ip->ip_dst.s_addr) ||
327 ip->ip_dst.s_addr == INADDR_BROADCAST) &&
328 imo != NULL && imo->imo_multicast_ifp != NULL) {
329 ifp = imo->imo_multicast_ifp;
330 mtu = ifp->if_mtu;
331 IFP_TO_IA(ifp, ia);
332 } else {
333 if (ro->ro_rt == 0)
334 rtalloc(ro);
335 if (ro->ro_rt == 0) {
336 ipstat.ips_noroute++;
337 error = EHOSTUNREACH;
338 goto bad;
339 }
340 ia = ifatoia(ro->ro_rt->rt_ifa);
341 ifp = ro->ro_rt->rt_ifp;
342 if ((mtu = ro->ro_rt->rt_rmx.rmx_mtu) == 0)
343 mtu = ifp->if_mtu;
344 ro->ro_rt->rt_use++;
345 if (ro->ro_rt->rt_flags & RTF_GATEWAY)
346 dst = satosin(ro->ro_rt->rt_gateway);
347 }
348 if (IN_MULTICAST(ip->ip_dst.s_addr) ||
349 (ip->ip_dst.s_addr == INADDR_BROADCAST)) {
350 struct in_multi *inm;
351
352 m->m_flags |= (ip->ip_dst.s_addr == INADDR_BROADCAST) ?
353 M_BCAST : M_MCAST;
354 /*
355 * IP destination address is multicast. Make sure "dst"
356 * still points to the address in "ro". (It may have been
357 * changed to point to a gateway address, above.)
358 */
359 dst = satosin(&ro->ro_dst);
360 /*
361 * See if the caller provided any multicast options
362 */
363 if (imo != NULL)
364 ip->ip_ttl = imo->imo_multicast_ttl;
365 else
366 ip->ip_ttl = IP_DEFAULT_MULTICAST_TTL;
367
368 /*
369 * if we don't know the outgoing ifp yet, we can't generate
370 * output
371 */
372 if (!ifp) {
373 ipstat.ips_noroute++;
374 error = ENETUNREACH;
375 goto bad;
376 }
377
378 /*
379 * If the packet is multicast or broadcast, confirm that
380 * the outgoing interface can transmit it.
381 */
382 if (((m->m_flags & M_MCAST) &&
383 (ifp->if_flags & IFF_MULTICAST) == 0) ||
384 ((m->m_flags & M_BCAST) &&
385 (ifp->if_flags & (IFF_BROADCAST|IFF_POINTOPOINT)) == 0)) {
386 ipstat.ips_noroute++;
387 error = ENETUNREACH;
388 goto bad;
389 }
390 /*
391 * If source address not specified yet, use an address
392 * of outgoing interface.
393 */
394 if (in_nullhost(ip->ip_src)) {
395 struct in_ifaddr *xia;
396
397 IFP_TO_IA(ifp, xia);
398 if (!xia) {
399 error = EADDRNOTAVAIL;
400 goto bad;
401 }
402 xifa = &xia->ia_ifa;
403 if (xifa->ifa_getifa != NULL) {
404 xia = ifatoia((*xifa->ifa_getifa)(xifa,
405 &ro->ro_dst));
406 }
407 ip->ip_src = xia->ia_addr.sin_addr;
408 }
409
410 IN_LOOKUP_MULTI(ip->ip_dst, ifp, inm);
411 if (inm != NULL &&
412 (imo == NULL || imo->imo_multicast_loop)) {
413 /*
414 * If we belong to the destination multicast group
415 * on the outgoing interface, and the caller did not
416 * forbid loopback, loop back a copy.
417 */
418 ip_mloopback(ifp, m, dst);
419 }
420 #ifdef MROUTING
421 else {
422 /*
423 * If we are acting as a multicast router, perform
424 * multicast forwarding as if the packet had just
425 * arrived on the interface to which we are about
426 * to send. The multicast forwarding function
427 * recursively calls this function, using the
428 * IP_FORWARDING flag to prevent infinite recursion.
429 *
430 * Multicasts that are looped back by ip_mloopback(),
431 * above, will be forwarded by the ip_input() routine,
432 * if necessary.
433 */
434 extern struct socket *ip_mrouter;
435
436 if (ip_mrouter && (flags & IP_FORWARDING) == 0) {
437 if (ip_mforward(m, ifp) != 0) {
438 m_freem(m);
439 goto done;
440 }
441 }
442 }
443 #endif
444 /*
445 * Multicasts with a time-to-live of zero may be looped-
446 * back, above, but must not be transmitted on a network.
447 * Also, multicasts addressed to the loopback interface
448 * are not sent -- the above call to ip_mloopback() will
449 * loop back a copy if this host actually belongs to the
450 * destination group on the loopback interface.
451 */
452 if (ip->ip_ttl == 0 || (ifp->if_flags & IFF_LOOPBACK) != 0) {
453 m_freem(m);
454 goto done;
455 }
456
457 goto sendit;
458 }
459 /*
460 * If source address not specified yet, use address
461 * of outgoing interface.
462 */
463 if (in_nullhost(ip->ip_src)) {
464 xifa = &ia->ia_ifa;
465 if (xifa->ifa_getifa != NULL)
466 ia = ifatoia((*xifa->ifa_getifa)(xifa, &ro->ro_dst));
467 ip->ip_src = ia->ia_addr.sin_addr;
468 }
469
470 /*
471 * packets with Class-D address as source are not valid per
472 * RFC 1112
473 */
474 if (IN_MULTICAST(ip->ip_src.s_addr)) {
475 ipstat.ips_odropped++;
476 error = EADDRNOTAVAIL;
477 goto bad;
478 }
479
480 /*
481 * Look for broadcast address and
482 * and verify user is allowed to send
483 * such a packet.
484 */
485 if (in_broadcast(dst->sin_addr, ifp)) {
486 if ((ifp->if_flags & IFF_BROADCAST) == 0) {
487 error = EADDRNOTAVAIL;
488 goto bad;
489 }
490 if ((flags & IP_ALLOWBROADCAST) == 0) {
491 error = EACCES;
492 goto bad;
493 }
494 /* don't allow broadcast messages to be fragmented */
495 if (ntohs(ip->ip_len) > ifp->if_mtu) {
496 error = EMSGSIZE;
497 goto bad;
498 }
499 m->m_flags |= M_BCAST;
500 } else
501 m->m_flags &= ~M_BCAST;
502
503 sendit:
504 /*
505 * If we're doing Path MTU Discovery, we need to set DF unless
506 * the route's MTU is locked.
507 */
508 if ((flags & IP_MTUDISC) != 0 && ro->ro_rt != NULL &&
509 (ro->ro_rt->rt_rmx.rmx_locks & RTV_MTU) == 0)
510 ip->ip_off |= htons(IP_DF);
511
512 /* Remember the current ip_len */
513 ip_len = ntohs(ip->ip_len);
514
515 #ifdef IPSEC
516 /* get SP for this packet */
517 if (so == NULL)
518 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND,
519 flags, &error);
520 else {
521 if (IPSEC_PCB_SKIP_IPSEC(sotoinpcb_hdr(so)->inph_sp,
522 IPSEC_DIR_OUTBOUND))
523 goto skip_ipsec;
524 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_OUTBOUND, so, &error);
525 }
526
527 if (sp == NULL) {
528 ipsecstat.out_inval++;
529 goto bad;
530 }
531
532 error = 0;
533
534 /* check policy */
535 switch (sp->policy) {
536 case IPSEC_POLICY_DISCARD:
537 /*
538 * This packet is just discarded.
539 */
540 ipsecstat.out_polvio++;
541 goto bad;
542
543 case IPSEC_POLICY_BYPASS:
544 case IPSEC_POLICY_NONE:
545 /* no need to do IPsec. */
546 goto skip_ipsec;
547
548 case IPSEC_POLICY_IPSEC:
549 if (sp->req == NULL) {
550 /* XXX should be panic ? */
551 printf("ip_output: No IPsec request specified.\n");
552 error = EINVAL;
553 goto bad;
554 }
555 break;
556
557 case IPSEC_POLICY_ENTRUST:
558 default:
559 printf("ip_output: Invalid policy found. %d\n", sp->policy);
560 }
561
562 #ifdef IPSEC_NAT_T
563 /*
564 * NAT-T ESP fragmentation: don't do IPSec processing now,
565 * we'll do it on each fragmented packet.
566 */
567 if (sp->req->sav &&
568 ((sp->req->sav->natt_type & UDP_ENCAP_ESPINUDP) ||
569 (sp->req->sav->natt_type & UDP_ENCAP_ESPINUDP_NON_IKE))) {
570 if (ntohs(ip->ip_len) > sp->req->sav->esp_frag) {
571 natt_frag = 1;
572 mtu = sp->req->sav->esp_frag;
573 goto skip_ipsec;
574 }
575 }
576 #endif /* IPSEC_NAT_T */
577
578 /*
579 * ipsec4_output() expects ip_len and ip_off in network
580 * order. They have been set to network order above.
581 */
582
583 {
584 struct ipsec_output_state state;
585 bzero(&state, sizeof(state));
586 state.m = m;
587 if (flags & IP_ROUTETOIF) {
588 state.ro = &iproute;
589 bzero(&iproute, sizeof(iproute));
590 } else
591 state.ro = ro;
592 state.dst = (struct sockaddr *)dst;
593
594 /*
595 * We can't defer the checksum of payload data if
596 * we're about to encrypt/authenticate it.
597 *
598 * XXX When we support crypto offloading functions of
599 * XXX network interfaces, we need to reconsider this,
600 * XXX since it's likely that they'll support checksumming,
601 * XXX as well.
602 */
603 if (m->m_pkthdr.csum_flags & (M_CSUM_TCPv4|M_CSUM_UDPv4)) {
604 in_delayed_cksum(m);
605 m->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv4|M_CSUM_UDPv4);
606 }
607
608 error = ipsec4_output(&state, sp, flags);
609
610 m = state.m;
611 if (flags & IP_ROUTETOIF) {
612 /*
613 * if we have tunnel mode SA, we may need to ignore
614 * IP_ROUTETOIF.
615 */
616 if (state.ro != &iproute || state.ro->ro_rt != NULL) {
617 flags &= ~IP_ROUTETOIF;
618 ro = state.ro;
619 }
620 } else
621 ro = state.ro;
622 dst = (struct sockaddr_in *)state.dst;
623 if (error) {
624 /* mbuf is already reclaimed in ipsec4_output. */
625 m0 = NULL;
626 switch (error) {
627 case EHOSTUNREACH:
628 case ENETUNREACH:
629 case EMSGSIZE:
630 case ENOBUFS:
631 case ENOMEM:
632 break;
633 default:
634 printf("ip4_output (ipsec): error code %d\n", error);
635 /*fall through*/
636 case ENOENT:
637 /* don't show these error codes to the user */
638 error = 0;
639 break;
640 }
641 goto bad;
642 }
643
644 /* be sure to update variables that are affected by ipsec4_output() */
645 ip = mtod(m, struct ip *);
646 hlen = ip->ip_hl << 2;
647 ip_len = ntohs(ip->ip_len);
648
649 if (ro->ro_rt == NULL) {
650 if ((flags & IP_ROUTETOIF) == 0) {
651 printf("ip_output: "
652 "can't update route after IPsec processing\n");
653 error = EHOSTUNREACH; /*XXX*/
654 goto bad;
655 }
656 } else {
657 /* nobody uses ia beyond here */
658 if (state.encap) {
659 ifp = ro->ro_rt->rt_ifp;
660 if ((mtu = ro->ro_rt->rt_rmx.rmx_mtu) == 0)
661 mtu = ifp->if_mtu;
662 }
663 }
664 }
665 skip_ipsec:
666 #endif /*IPSEC*/
667 #ifdef FAST_IPSEC
668 /*
669 * Check the security policy (SP) for the packet and, if
670 * required, do IPsec-related processing. There are two
671 * cases here; the first time a packet is sent through
672 * it will be untagged and handled by ipsec4_checkpolicy.
673 * If the packet is resubmitted to ip_output (e.g. after
674 * AH, ESP, etc. processing), there will be a tag to bypass
675 * the lookup and related policy checking.
676 */
677 mtag = m_tag_find(m, PACKET_TAG_IPSEC_PENDING_TDB, NULL);
678 s = splsoftnet();
679 if (mtag != NULL) {
680 tdbi = (struct tdb_ident *)(mtag + 1);
681 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_OUTBOUND);
682 if (sp == NULL)
683 error = -EINVAL; /* force silent drop */
684 m_tag_delete(m, mtag);
685 } else {
686 if (inp != NULL &&
687 IPSEC_PCB_SKIP_IPSEC(inp->inp_sp, IPSEC_DIR_OUTBOUND))
688 goto spd_done;
689 sp = ipsec4_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags,
690 &error, inp);
691 }
692 /*
693 * There are four return cases:
694 * sp != NULL apply IPsec policy
695 * sp == NULL, error == 0 no IPsec handling needed
696 * sp == NULL, error == -EINVAL discard packet w/o error
697 * sp == NULL, error != 0 discard packet, report error
698 */
699 if (sp != NULL) {
700 #ifdef IPSEC_NAT_T
701 /*
702 * NAT-T ESP fragmentation: don't do IPSec processing now,
703 * we'll do it on each fragmented packet.
704 */
705 if (sp->req->sav &&
706 ((sp->req->sav->natt_type & UDP_ENCAP_ESPINUDP) ||
707 (sp->req->sav->natt_type & UDP_ENCAP_ESPINUDP_NON_IKE))) {
708 if (ntohs(ip->ip_len) > sp->req->sav->esp_frag) {
709 natt_frag = 1;
710 mtu = sp->req->sav->esp_frag;
711 goto spd_done;
712 }
713 }
714 #endif /* IPSEC_NAT_T */
715 /* Loop detection, check if ipsec processing already done */
716 IPSEC_ASSERT(sp->req != NULL, ("ip_output: no ipsec request"));
717 for (mtag = m_tag_first(m); mtag != NULL;
718 mtag = m_tag_next(m, mtag)) {
719 #ifdef MTAG_ABI_COMPAT
720 if (mtag->m_tag_cookie != MTAG_ABI_COMPAT)
721 continue;
722 #endif
723 if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE &&
724 mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED)
725 continue;
726 /*
727 * Check if policy has an SA associated with it.
728 * This can happen when an SP has yet to acquire
729 * an SA; e.g. on first reference. If it occurs,
730 * then we let ipsec4_process_packet do its thing.
731 */
732 if (sp->req->sav == NULL)
733 break;
734 tdbi = (struct tdb_ident *)(mtag + 1);
735 if (tdbi->spi == sp->req->sav->spi &&
736 tdbi->proto == sp->req->sav->sah->saidx.proto &&
737 bcmp(&tdbi->dst, &sp->req->sav->sah->saidx.dst,
738 sizeof (union sockaddr_union)) == 0) {
739 /*
740 * No IPsec processing is needed, free
741 * reference to SP.
742 *
743 * NB: null pointer to avoid free at
744 * done: below.
745 */
746 KEY_FREESP(&sp), sp = NULL;
747 splx(s);
748 goto spd_done;
749 }
750 }
751
752 /*
753 * Do delayed checksums now because we send before
754 * this is done in the normal processing path.
755 */
756 if (m->m_pkthdr.csum_flags & (M_CSUM_TCPv4|M_CSUM_UDPv4)) {
757 in_delayed_cksum(m);
758 m->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv4|M_CSUM_UDPv4);
759 }
760
761 #ifdef __FreeBSD__
762 ip->ip_len = htons(ip->ip_len);
763 ip->ip_off = htons(ip->ip_off);
764 #endif
765
766 /* NB: callee frees mbuf */
767 error = ipsec4_process_packet(m, sp->req, flags, 0);
768 /*
769 * Preserve KAME behaviour: ENOENT can be returned
770 * when an SA acquire is in progress. Don't propagate
771 * this to user-level; it confuses applications.
772 *
773 * XXX this will go away when the SADB is redone.
774 */
775 if (error == ENOENT)
776 error = 0;
777 splx(s);
778 goto done;
779 } else {
780 splx(s);
781
782 if (error != 0) {
783 /*
784 * Hack: -EINVAL is used to signal that a packet
785 * should be silently discarded. This is typically
786 * because we asked key management for an SA and
787 * it was delayed (e.g. kicked up to IKE).
788 */
789 if (error == -EINVAL)
790 error = 0;
791 goto bad;
792 } else {
793 /* No IPsec processing for this packet. */
794 }
795 #ifdef notyet
796 /*
797 * If deferred crypto processing is needed, check that
798 * the interface supports it.
799 */
800 mtag = m_tag_find(m, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL);
801 if (mtag != NULL && (ifp->if_capenable & IFCAP_IPSEC) == 0) {
802 /* notify IPsec to do its own crypto */
803 ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1));
804 error = EHOSTUNREACH;
805 goto bad;
806 }
807 #endif
808 }
809 spd_done:
810 #endif /* FAST_IPSEC */
811
812 #ifdef PFIL_HOOKS
813 /*
814 * Run through list of hooks for output packets.
815 */
816 if ((error = pfil_run_hooks(&inet_pfil_hook, &m, ifp, PFIL_OUT)) != 0)
817 goto done;
818 if (m == NULL)
819 goto done;
820
821 ip = mtod(m, struct ip *);
822 hlen = ip->ip_hl << 2;
823 ip_len = ntohs(ip->ip_len);
824 #endif /* PFIL_HOOKS */
825
826 m->m_pkthdr.csum_data |= hlen << 16;
827
828 #if IFA_STATS
829 /*
830 * search for the source address structure to
831 * maintain output statistics.
832 */
833 INADDR_TO_IA(ip->ip_src, ia);
834 #endif
835
836 /* Maybe skip checksums on loopback interfaces. */
837 if (IN_NEED_CHECKSUM(ifp, M_CSUM_IPv4)) {
838 m->m_pkthdr.csum_flags |= M_CSUM_IPv4;
839 }
840 sw_csum = m->m_pkthdr.csum_flags & ~ifp->if_csum_flags_tx;
841 /*
842 * If small enough for mtu of path, or if using TCP segmentation
843 * offload, can just send directly.
844 */
845 if (ip_len <= mtu ||
846 (m->m_pkthdr.csum_flags & M_CSUM_TSOv4) != 0) {
847 #if IFA_STATS
848 if (ia)
849 ia->ia_ifa.ifa_data.ifad_outbytes += ip_len;
850 #endif
851 /*
852 * Always initialize the sum to 0! Some HW assisted
853 * checksumming requires this.
854 */
855 ip->ip_sum = 0;
856
857 if ((m->m_pkthdr.csum_flags & M_CSUM_TSOv4) == 0) {
858 /*
859 * Perform any checksums that the hardware can't do
860 * for us.
861 *
862 * XXX Does any hardware require the {th,uh}_sum
863 * XXX fields to be 0?
864 */
865 if (sw_csum & M_CSUM_IPv4) {
866 KASSERT(IN_NEED_CHECKSUM(ifp, M_CSUM_IPv4));
867 ip->ip_sum = in_cksum(m, hlen);
868 m->m_pkthdr.csum_flags &= ~M_CSUM_IPv4;
869 }
870 if (sw_csum & (M_CSUM_TCPv4|M_CSUM_UDPv4)) {
871 if (IN_NEED_CHECKSUM(ifp,
872 sw_csum & (M_CSUM_TCPv4|M_CSUM_UDPv4))) {
873 in_delayed_cksum(m);
874 }
875 m->m_pkthdr.csum_flags &=
876 ~(M_CSUM_TCPv4|M_CSUM_UDPv4);
877 }
878 }
879
880 #ifdef IPSEC
881 /* clean ipsec history once it goes out of the node */
882 ipsec_delaux(m);
883 #endif
884
885 if (__predict_true(
886 (m->m_pkthdr.csum_flags & M_CSUM_TSOv4) == 0 ||
887 (ifp->if_capenable & IFCAP_TSOv4) != 0)) {
888 error =
889 (*ifp->if_output)(ifp, m, sintosa(dst), ro->ro_rt);
890 } else {
891 error =
892 ip_tso_output(ifp, m, sintosa(dst), ro->ro_rt);
893 }
894 goto done;
895 }
896
897 /*
898 * We can't use HW checksumming if we're about to
899 * to fragment the packet.
900 *
901 * XXX Some hardware can do this.
902 */
903 if (m->m_pkthdr.csum_flags & (M_CSUM_TCPv4|M_CSUM_UDPv4)) {
904 if (IN_NEED_CHECKSUM(ifp,
905 m->m_pkthdr.csum_flags & (M_CSUM_TCPv4|M_CSUM_UDPv4))) {
906 in_delayed_cksum(m);
907 }
908 m->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv4|M_CSUM_UDPv4);
909 }
910
911 /*
912 * Too large for interface; fragment if possible.
913 * Must be able to put at least 8 bytes per fragment.
914 */
915 if (ntohs(ip->ip_off) & IP_DF) {
916 if (flags & IP_RETURNMTU)
917 *mtu_p = mtu;
918 error = EMSGSIZE;
919 ipstat.ips_cantfrag++;
920 goto bad;
921 }
922
923 error = ip_fragment(m, ifp, mtu);
924 if (error) {
925 m = NULL;
926 goto bad;
927 }
928
929 for (; m; m = m0) {
930 m0 = m->m_nextpkt;
931 m->m_nextpkt = 0;
932 if (error == 0) {
933 #if IFA_STATS
934 if (ia)
935 ia->ia_ifa.ifa_data.ifad_outbytes +=
936 ntohs(ip->ip_len);
937 #endif
938 #ifdef IPSEC
939 /* clean ipsec history once it goes out of the node */
940 ipsec_delaux(m);
941 #endif /* IPSEC */
942
943 #ifdef IPSEC_NAT_T
944 /*
945 * If we get there, the packet has not been handeld by
946 * IPSec whereas it should have. Now that it has been
947 * fragmented, re-inject it in ip_output so that IPsec
948 * processing can occur.
949 */
950 if (natt_frag) {
951 error = ip_output(m, opt,
952 ro, flags, imo, so, mtu_p);
953 } else
954 #endif /* IPSEC_NAT_T */
955 {
956 KASSERT((m->m_pkthdr.csum_flags &
957 (M_CSUM_UDPv4 | M_CSUM_TCPv4)) == 0);
958 error = (*ifp->if_output)(ifp, m, sintosa(dst),
959 ro->ro_rt);
960 }
961 } else
962 m_freem(m);
963 }
964
965 if (error == 0)
966 ipstat.ips_fragmented++;
967 done:
968 if (iproute.ro_rt != NULL)
969 RTFREE(iproute.ro_rt);
970
971 #ifdef IPSEC
972 if (sp != NULL) {
973 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
974 printf("DP ip_output call free SP:%p\n", sp));
975 key_freesp(sp);
976 }
977 #endif /* IPSEC */
978 #ifdef FAST_IPSEC
979 if (sp != NULL)
980 KEY_FREESP(&sp);
981 #endif /* FAST_IPSEC */
982
983 return (error);
984 bad:
985 m_freem(m);
986 goto done;
987 }
988
989 int
990 ip_fragment(struct mbuf *m, struct ifnet *ifp, u_long mtu)
991 {
992 struct ip *ip, *mhip;
993 struct mbuf *m0;
994 int len, hlen, off;
995 int mhlen, firstlen;
996 struct mbuf **mnext;
997 int sw_csum = m->m_pkthdr.csum_flags;
998 int fragments = 0;
999 int s;
1000 int error = 0;
1001
1002 ip = mtod(m, struct ip *);
1003 hlen = ip->ip_hl << 2;
1004 if (ifp != NULL)
1005 sw_csum &= ~ifp->if_csum_flags_tx;
1006
1007 len = (mtu - hlen) &~ 7;
1008 if (len < 8) {
1009 m_freem(m);
1010 return (EMSGSIZE);
1011 }
1012
1013 firstlen = len;
1014 mnext = &m->m_nextpkt;
1015
1016 /*
1017 * Loop through length of segment after first fragment,
1018 * make new header and copy data of each part and link onto chain.
1019 */
1020 m0 = m;
1021 mhlen = sizeof (struct ip);
1022 for (off = hlen + len; off < ntohs(ip->ip_len); off += len) {
1023 MGETHDR(m, M_DONTWAIT, MT_HEADER);
1024 if (m == 0) {
1025 error = ENOBUFS;
1026 ipstat.ips_odropped++;
1027 goto sendorfree;
1028 }
1029 MCLAIM(m, m0->m_owner);
1030 *mnext = m;
1031 mnext = &m->m_nextpkt;
1032 m->m_data += max_linkhdr;
1033 mhip = mtod(m, struct ip *);
1034 *mhip = *ip;
1035 /* we must inherit MCAST and BCAST flags */
1036 m->m_flags |= m0->m_flags & (M_MCAST|M_BCAST);
1037 if (hlen > sizeof (struct ip)) {
1038 mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip);
1039 mhip->ip_hl = mhlen >> 2;
1040 }
1041 m->m_len = mhlen;
1042 mhip->ip_off = ((off - hlen) >> 3) +
1043 (ntohs(ip->ip_off) & ~IP_MF);
1044 if (ip->ip_off & htons(IP_MF))
1045 mhip->ip_off |= IP_MF;
1046 if (off + len >= ntohs(ip->ip_len))
1047 len = ntohs(ip->ip_len) - off;
1048 else
1049 mhip->ip_off |= IP_MF;
1050 HTONS(mhip->ip_off);
1051 mhip->ip_len = htons((u_int16_t)(len + mhlen));
1052 m->m_next = m_copy(m0, off, len);
1053 if (m->m_next == 0) {
1054 error = ENOBUFS; /* ??? */
1055 ipstat.ips_odropped++;
1056 goto sendorfree;
1057 }
1058 m->m_pkthdr.len = mhlen + len;
1059 m->m_pkthdr.rcvif = (struct ifnet *)0;
1060 mhip->ip_sum = 0;
1061 if (sw_csum & M_CSUM_IPv4) {
1062 mhip->ip_sum = in_cksum(m, mhlen);
1063 KASSERT((m->m_pkthdr.csum_flags & M_CSUM_IPv4) == 0);
1064 } else {
1065 m->m_pkthdr.csum_flags |= M_CSUM_IPv4;
1066 m->m_pkthdr.csum_data |= mhlen << 16;
1067 }
1068 ipstat.ips_ofragments++;
1069 fragments++;
1070 }
1071 /*
1072 * Update first fragment by trimming what's been copied out
1073 * and updating header, then send each fragment (in order).
1074 */
1075 m = m0;
1076 m_adj(m, hlen + firstlen - ntohs(ip->ip_len));
1077 m->m_pkthdr.len = hlen + firstlen;
1078 ip->ip_len = htons((u_int16_t)m->m_pkthdr.len);
1079 ip->ip_off |= htons(IP_MF);
1080 ip->ip_sum = 0;
1081 if (sw_csum & M_CSUM_IPv4) {
1082 ip->ip_sum = in_cksum(m, hlen);
1083 m->m_pkthdr.csum_flags &= ~M_CSUM_IPv4;
1084 } else {
1085 KASSERT(m->m_pkthdr.csum_flags & M_CSUM_IPv4);
1086 KASSERT(M_CSUM_DATA_IPv4_IPHL(m->m_pkthdr.csum_data) >=
1087 sizeof(struct ip));
1088 }
1089 sendorfree:
1090 /*
1091 * If there is no room for all the fragments, don't queue
1092 * any of them.
1093 */
1094 if (ifp != NULL) {
1095 s = splnet();
1096 if (ifp->if_snd.ifq_maxlen - ifp->if_snd.ifq_len < fragments &&
1097 error == 0) {
1098 error = ENOBUFS;
1099 ipstat.ips_odropped++;
1100 IFQ_INC_DROPS(&ifp->if_snd);
1101 }
1102 splx(s);
1103 }
1104 if (error) {
1105 for (m = m0; m; m = m0) {
1106 m0 = m->m_nextpkt;
1107 m->m_nextpkt = NULL;
1108 m_freem(m);
1109 }
1110 }
1111 return (error);
1112 }
1113
1114 /*
1115 * Process a delayed payload checksum calculation.
1116 */
1117 void
1118 in_delayed_cksum(struct mbuf *m)
1119 {
1120 struct ip *ip;
1121 u_int16_t csum, offset;
1122
1123 ip = mtod(m, struct ip *);
1124 offset = ip->ip_hl << 2;
1125 csum = in4_cksum(m, 0, offset, ntohs(ip->ip_len) - offset);
1126 if (csum == 0 && (m->m_pkthdr.csum_flags & M_CSUM_UDPv4) != 0)
1127 csum = 0xffff;
1128
1129 offset += M_CSUM_DATA_IPv4_OFFSET(m->m_pkthdr.csum_data);
1130
1131 if ((offset + sizeof(u_int16_t)) > m->m_len) {
1132 /* This happen when ip options were inserted
1133 printf("in_delayed_cksum: pullup len %d off %d proto %d\n",
1134 m->m_len, offset, ip->ip_p);
1135 */
1136 m_copyback(m, offset, sizeof(csum), (caddr_t) &csum);
1137 } else
1138 *(u_int16_t *)(mtod(m, caddr_t) + offset) = csum;
1139 }
1140
1141 /*
1142 * Determine the maximum length of the options to be inserted;
1143 * we would far rather allocate too much space rather than too little.
1144 */
1145
1146 u_int
1147 ip_optlen(struct inpcb *inp)
1148 {
1149 struct mbuf *m = inp->inp_options;
1150
1151 if (m && m->m_len > offsetof(struct ipoption, ipopt_dst))
1152 return (m->m_len - offsetof(struct ipoption, ipopt_dst));
1153 else
1154 return 0;
1155 }
1156
1157
1158 /*
1159 * Insert IP options into preformed packet.
1160 * Adjust IP destination as required for IP source routing,
1161 * as indicated by a non-zero in_addr at the start of the options.
1162 */
1163 static struct mbuf *
1164 ip_insertoptions(struct mbuf *m, struct mbuf *opt, int *phlen)
1165 {
1166 struct ipoption *p = mtod(opt, struct ipoption *);
1167 struct mbuf *n;
1168 struct ip *ip = mtod(m, struct ip *);
1169 unsigned optlen;
1170
1171 optlen = opt->m_len - sizeof(p->ipopt_dst);
1172 if (optlen + ntohs(ip->ip_len) > IP_MAXPACKET)
1173 return (m); /* XXX should fail */
1174 if (!in_nullhost(p->ipopt_dst))
1175 ip->ip_dst = p->ipopt_dst;
1176 if (M_READONLY(m) || M_LEADINGSPACE(m) < optlen) {
1177 MGETHDR(n, M_DONTWAIT, MT_HEADER);
1178 if (n == 0)
1179 return (m);
1180 MCLAIM(n, m->m_owner);
1181 M_MOVE_PKTHDR(n, m);
1182 m->m_len -= sizeof(struct ip);
1183 m->m_data += sizeof(struct ip);
1184 n->m_next = m;
1185 m = n;
1186 m->m_len = optlen + sizeof(struct ip);
1187 m->m_data += max_linkhdr;
1188 bcopy((caddr_t)ip, mtod(m, caddr_t), sizeof(struct ip));
1189 } else {
1190 m->m_data -= optlen;
1191 m->m_len += optlen;
1192 memmove(mtod(m, caddr_t), ip, sizeof(struct ip));
1193 }
1194 m->m_pkthdr.len += optlen;
1195 ip = mtod(m, struct ip *);
1196 bcopy((caddr_t)p->ipopt_list, (caddr_t)(ip + 1), (unsigned)optlen);
1197 *phlen = sizeof(struct ip) + optlen;
1198 ip->ip_len = htons(ntohs(ip->ip_len) + optlen);
1199 return (m);
1200 }
1201
1202 /*
1203 * Copy options from ip to jp,
1204 * omitting those not copied during fragmentation.
1205 */
1206 int
1207 ip_optcopy(struct ip *ip, struct ip *jp)
1208 {
1209 u_char *cp, *dp;
1210 int opt, optlen, cnt;
1211
1212 cp = (u_char *)(ip + 1);
1213 dp = (u_char *)(jp + 1);
1214 cnt = (ip->ip_hl << 2) - sizeof (struct ip);
1215 for (; cnt > 0; cnt -= optlen, cp += optlen) {
1216 opt = cp[0];
1217 if (opt == IPOPT_EOL)
1218 break;
1219 if (opt == IPOPT_NOP) {
1220 /* Preserve for IP mcast tunnel's LSRR alignment. */
1221 *dp++ = IPOPT_NOP;
1222 optlen = 1;
1223 continue;
1224 }
1225 #ifdef DIAGNOSTIC
1226 if (cnt < IPOPT_OLEN + sizeof(*cp))
1227 panic("malformed IPv4 option passed to ip_optcopy");
1228 #endif
1229 optlen = cp[IPOPT_OLEN];
1230 #ifdef DIAGNOSTIC
1231 if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt)
1232 panic("malformed IPv4 option passed to ip_optcopy");
1233 #endif
1234 /* bogus lengths should have been caught by ip_dooptions */
1235 if (optlen > cnt)
1236 optlen = cnt;
1237 if (IPOPT_COPIED(opt)) {
1238 bcopy((caddr_t)cp, (caddr_t)dp, (unsigned)optlen);
1239 dp += optlen;
1240 }
1241 }
1242 for (optlen = dp - (u_char *)(jp+1); optlen & 0x3; optlen++)
1243 *dp++ = IPOPT_EOL;
1244 return (optlen);
1245 }
1246
1247 /*
1248 * IP socket option processing.
1249 */
1250 int
1251 ip_ctloutput(int op, struct socket *so, int level, int optname,
1252 struct mbuf **mp)
1253 {
1254 struct inpcb *inp = sotoinpcb(so);
1255 struct mbuf *m = *mp;
1256 int optval = 0;
1257 int error = 0;
1258 #if defined(IPSEC) || defined(FAST_IPSEC)
1259 struct lwp *l = curlwp; /*XXX*/
1260 #endif
1261
1262 if (level != IPPROTO_IP) {
1263 error = EINVAL;
1264 if (op == PRCO_SETOPT && *mp)
1265 (void) m_free(*mp);
1266 } else switch (op) {
1267
1268 case PRCO_SETOPT:
1269 switch (optname) {
1270 case IP_OPTIONS:
1271 #ifdef notyet
1272 case IP_RETOPTS:
1273 return (ip_pcbopts(optname, &inp->inp_options, m));
1274 #else
1275 return (ip_pcbopts(&inp->inp_options, m));
1276 #endif
1277
1278 case IP_TOS:
1279 case IP_TTL:
1280 case IP_RECVOPTS:
1281 case IP_RECVRETOPTS:
1282 case IP_RECVDSTADDR:
1283 case IP_RECVIF:
1284 if (m == NULL || m->m_len != sizeof(int))
1285 error = EINVAL;
1286 else {
1287 optval = *mtod(m, int *);
1288 switch (optname) {
1289
1290 case IP_TOS:
1291 inp->inp_ip.ip_tos = optval;
1292 break;
1293
1294 case IP_TTL:
1295 inp->inp_ip.ip_ttl = optval;
1296 break;
1297 #define OPTSET(bit) \
1298 if (optval) \
1299 inp->inp_flags |= bit; \
1300 else \
1301 inp->inp_flags &= ~bit;
1302
1303 case IP_RECVOPTS:
1304 OPTSET(INP_RECVOPTS);
1305 break;
1306
1307 case IP_RECVRETOPTS:
1308 OPTSET(INP_RECVRETOPTS);
1309 break;
1310
1311 case IP_RECVDSTADDR:
1312 OPTSET(INP_RECVDSTADDR);
1313 break;
1314
1315 case IP_RECVIF:
1316 OPTSET(INP_RECVIF);
1317 break;
1318 }
1319 }
1320 break;
1321 #undef OPTSET
1322
1323 case IP_MULTICAST_IF:
1324 case IP_MULTICAST_TTL:
1325 case IP_MULTICAST_LOOP:
1326 case IP_ADD_MEMBERSHIP:
1327 case IP_DROP_MEMBERSHIP:
1328 error = ip_setmoptions(optname, &inp->inp_moptions, m);
1329 break;
1330
1331 case IP_PORTRANGE:
1332 if (m == 0 || m->m_len != sizeof(int))
1333 error = EINVAL;
1334 else {
1335 optval = *mtod(m, int *);
1336
1337 switch (optval) {
1338
1339 case IP_PORTRANGE_DEFAULT:
1340 case IP_PORTRANGE_HIGH:
1341 inp->inp_flags &= ~(INP_LOWPORT);
1342 break;
1343
1344 case IP_PORTRANGE_LOW:
1345 inp->inp_flags |= INP_LOWPORT;
1346 break;
1347
1348 default:
1349 error = EINVAL;
1350 break;
1351 }
1352 }
1353 break;
1354
1355 #if defined(IPSEC) || defined(FAST_IPSEC)
1356 case IP_IPSEC_POLICY:
1357 {
1358 caddr_t req = NULL;
1359 size_t len = 0;
1360 int priv = 0;
1361
1362 #ifdef __NetBSD__
1363 if (l == 0 || kauth_authorize_generic(l->l_cred,
1364 KAUTH_GENERIC_ISSUSER, &l->l_acflag))
1365 priv = 0;
1366 else
1367 priv = 1;
1368 #else
1369 priv = (in6p->in6p_socket->so_state & SS_PRIV);
1370 #endif
1371 if (m) {
1372 req = mtod(m, caddr_t);
1373 len = m->m_len;
1374 }
1375 error = ipsec4_set_policy(inp, optname, req, len, priv);
1376 break;
1377 }
1378 #endif /*IPSEC*/
1379
1380 default:
1381 error = ENOPROTOOPT;
1382 break;
1383 }
1384 if (m)
1385 (void)m_free(m);
1386 break;
1387
1388 case PRCO_GETOPT:
1389 switch (optname) {
1390 case IP_OPTIONS:
1391 case IP_RETOPTS:
1392 *mp = m = m_get(M_WAIT, MT_SOOPTS);
1393 MCLAIM(m, so->so_mowner);
1394 if (inp->inp_options) {
1395 m->m_len = inp->inp_options->m_len;
1396 bcopy(mtod(inp->inp_options, caddr_t),
1397 mtod(m, caddr_t), (unsigned)m->m_len);
1398 } else
1399 m->m_len = 0;
1400 break;
1401
1402 case IP_TOS:
1403 case IP_TTL:
1404 case IP_RECVOPTS:
1405 case IP_RECVRETOPTS:
1406 case IP_RECVDSTADDR:
1407 case IP_RECVIF:
1408 case IP_ERRORMTU:
1409 *mp = m = m_get(M_WAIT, MT_SOOPTS);
1410 MCLAIM(m, so->so_mowner);
1411 m->m_len = sizeof(int);
1412 switch (optname) {
1413
1414 case IP_TOS:
1415 optval = inp->inp_ip.ip_tos;
1416 break;
1417
1418 case IP_TTL:
1419 optval = inp->inp_ip.ip_ttl;
1420 break;
1421
1422 case IP_ERRORMTU:
1423 optval = inp->inp_errormtu;
1424 break;
1425
1426 #define OPTBIT(bit) (inp->inp_flags & bit ? 1 : 0)
1427
1428 case IP_RECVOPTS:
1429 optval = OPTBIT(INP_RECVOPTS);
1430 break;
1431
1432 case IP_RECVRETOPTS:
1433 optval = OPTBIT(INP_RECVRETOPTS);
1434 break;
1435
1436 case IP_RECVDSTADDR:
1437 optval = OPTBIT(INP_RECVDSTADDR);
1438 break;
1439
1440 case IP_RECVIF:
1441 optval = OPTBIT(INP_RECVIF);
1442 break;
1443 }
1444 *mtod(m, int *) = optval;
1445 break;
1446
1447 #if 0 /* defined(IPSEC) || defined(FAST_IPSEC) */
1448 /* XXX: code broken */
1449 case IP_IPSEC_POLICY:
1450 {
1451 caddr_t req = NULL;
1452 size_t len = 0;
1453
1454 if (m) {
1455 req = mtod(m, caddr_t);
1456 len = m->m_len;
1457 }
1458 error = ipsec4_get_policy(inp, req, len, mp);
1459 break;
1460 }
1461 #endif /*IPSEC*/
1462
1463 case IP_MULTICAST_IF:
1464 case IP_MULTICAST_TTL:
1465 case IP_MULTICAST_LOOP:
1466 case IP_ADD_MEMBERSHIP:
1467 case IP_DROP_MEMBERSHIP:
1468 error = ip_getmoptions(optname, inp->inp_moptions, mp);
1469 if (*mp)
1470 MCLAIM(*mp, so->so_mowner);
1471 break;
1472
1473 case IP_PORTRANGE:
1474 *mp = m = m_get(M_WAIT, MT_SOOPTS);
1475 MCLAIM(m, so->so_mowner);
1476 m->m_len = sizeof(int);
1477
1478 if (inp->inp_flags & INP_LOWPORT)
1479 optval = IP_PORTRANGE_LOW;
1480 else
1481 optval = IP_PORTRANGE_DEFAULT;
1482
1483 *mtod(m, int *) = optval;
1484 break;
1485
1486 default:
1487 error = ENOPROTOOPT;
1488 break;
1489 }
1490 break;
1491 }
1492 return (error);
1493 }
1494
1495 /*
1496 * Set up IP options in pcb for insertion in output packets.
1497 * Store in mbuf with pointer in pcbopt, adding pseudo-option
1498 * with destination address if source routed.
1499 */
1500 int
1501 #ifdef notyet
1502 ip_pcbopts(int optname, struct mbuf **pcbopt, struct mbuf *m)
1503 #else
1504 ip_pcbopts(struct mbuf **pcbopt, struct mbuf *m)
1505 #endif
1506 {
1507 int cnt, optlen;
1508 u_char *cp;
1509 u_char opt;
1510
1511 /* turn off any old options */
1512 if (*pcbopt)
1513 (void)m_free(*pcbopt);
1514 *pcbopt = 0;
1515 if (m == (struct mbuf *)0 || m->m_len == 0) {
1516 /*
1517 * Only turning off any previous options.
1518 */
1519 if (m)
1520 (void)m_free(m);
1521 return (0);
1522 }
1523
1524 #ifndef __vax__
1525 if (m->m_len % sizeof(int32_t))
1526 goto bad;
1527 #endif
1528 /*
1529 * IP first-hop destination address will be stored before
1530 * actual options; move other options back
1531 * and clear it when none present.
1532 */
1533 if (m->m_data + m->m_len + sizeof(struct in_addr) >= &m->m_dat[MLEN])
1534 goto bad;
1535 cnt = m->m_len;
1536 m->m_len += sizeof(struct in_addr);
1537 cp = mtod(m, u_char *) + sizeof(struct in_addr);
1538 memmove(cp, mtod(m, caddr_t), (unsigned)cnt);
1539 bzero(mtod(m, caddr_t), sizeof(struct in_addr));
1540
1541 for (; cnt > 0; cnt -= optlen, cp += optlen) {
1542 opt = cp[IPOPT_OPTVAL];
1543 if (opt == IPOPT_EOL)
1544 break;
1545 if (opt == IPOPT_NOP)
1546 optlen = 1;
1547 else {
1548 if (cnt < IPOPT_OLEN + sizeof(*cp))
1549 goto bad;
1550 optlen = cp[IPOPT_OLEN];
1551 if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt)
1552 goto bad;
1553 }
1554 switch (opt) {
1555
1556 default:
1557 break;
1558
1559 case IPOPT_LSRR:
1560 case IPOPT_SSRR:
1561 /*
1562 * user process specifies route as:
1563 * ->A->B->C->D
1564 * D must be our final destination (but we can't
1565 * check that since we may not have connected yet).
1566 * A is first hop destination, which doesn't appear in
1567 * actual IP option, but is stored before the options.
1568 */
1569 if (optlen < IPOPT_MINOFF - 1 + sizeof(struct in_addr))
1570 goto bad;
1571 m->m_len -= sizeof(struct in_addr);
1572 cnt -= sizeof(struct in_addr);
1573 optlen -= sizeof(struct in_addr);
1574 cp[IPOPT_OLEN] = optlen;
1575 /*
1576 * Move first hop before start of options.
1577 */
1578 bcopy((caddr_t)&cp[IPOPT_OFFSET+1], mtod(m, caddr_t),
1579 sizeof(struct in_addr));
1580 /*
1581 * Then copy rest of options back
1582 * to close up the deleted entry.
1583 */
1584 (void)memmove(&cp[IPOPT_OFFSET+1],
1585 &cp[IPOPT_OFFSET+1] + sizeof(struct in_addr),
1586 (unsigned)cnt - (IPOPT_MINOFF - 1));
1587 break;
1588 }
1589 }
1590 if (m->m_len > MAX_IPOPTLEN + sizeof(struct in_addr))
1591 goto bad;
1592 *pcbopt = m;
1593 return (0);
1594
1595 bad:
1596 (void)m_free(m);
1597 return (EINVAL);
1598 }
1599
1600 /*
1601 * following RFC1724 section 3.3, 0.0.0.0/8 is interpreted as interface index.
1602 */
1603 static struct ifnet *
1604 ip_multicast_if(struct in_addr *a, int *ifindexp)
1605 {
1606 int ifindex;
1607 struct ifnet *ifp = NULL;
1608 struct in_ifaddr *ia;
1609
1610 if (ifindexp)
1611 *ifindexp = 0;
1612 if (ntohl(a->s_addr) >> 24 == 0) {
1613 ifindex = ntohl(a->s_addr) & 0xffffff;
1614 if (ifindex < 0 || if_indexlim <= ifindex)
1615 return NULL;
1616 ifp = ifindex2ifnet[ifindex];
1617 if (!ifp)
1618 return NULL;
1619 if (ifindexp)
1620 *ifindexp = ifindex;
1621 } else {
1622 LIST_FOREACH(ia, &IN_IFADDR_HASH(a->s_addr), ia_hash) {
1623 if (in_hosteq(ia->ia_addr.sin_addr, *a) &&
1624 (ia->ia_ifp->if_flags & IFF_MULTICAST) != 0) {
1625 ifp = ia->ia_ifp;
1626 break;
1627 }
1628 }
1629 }
1630 return ifp;
1631 }
1632
1633 static int
1634 ip_getoptval(struct mbuf *m, u_int8_t *val, u_int maxval)
1635 {
1636 u_int tval;
1637
1638 if (m == NULL)
1639 return EINVAL;
1640
1641 switch (m->m_len) {
1642 case sizeof(u_char):
1643 tval = *(mtod(m, u_char *));
1644 break;
1645 case sizeof(u_int):
1646 tval = *(mtod(m, u_int *));
1647 break;
1648 default:
1649 return EINVAL;
1650 }
1651
1652 if (tval > maxval)
1653 return EINVAL;
1654
1655 *val = tval;
1656 return 0;
1657 }
1658
1659 /*
1660 * Set the IP multicast options in response to user setsockopt().
1661 */
1662 int
1663 ip_setmoptions(int optname, struct ip_moptions **imop, struct mbuf *m)
1664 {
1665 int error = 0;
1666 int i;
1667 struct in_addr addr;
1668 struct ip_mreq *mreq;
1669 struct ifnet *ifp;
1670 struct ip_moptions *imo = *imop;
1671 struct route ro;
1672 struct sockaddr_in *dst;
1673 int ifindex;
1674
1675 if (imo == NULL) {
1676 /*
1677 * No multicast option buffer attached to the pcb;
1678 * allocate one and initialize to default values.
1679 */
1680 imo = (struct ip_moptions *)malloc(sizeof(*imo), M_IPMOPTS,
1681 M_WAITOK);
1682
1683 if (imo == NULL)
1684 return (ENOBUFS);
1685 *imop = imo;
1686 imo->imo_multicast_ifp = NULL;
1687 imo->imo_multicast_addr.s_addr = INADDR_ANY;
1688 imo->imo_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
1689 imo->imo_multicast_loop = IP_DEFAULT_MULTICAST_LOOP;
1690 imo->imo_num_memberships = 0;
1691 }
1692
1693 switch (optname) {
1694
1695 case IP_MULTICAST_IF:
1696 /*
1697 * Select the interface for outgoing multicast packets.
1698 */
1699 if (m == NULL || m->m_len != sizeof(struct in_addr)) {
1700 error = EINVAL;
1701 break;
1702 }
1703 addr = *(mtod(m, struct in_addr *));
1704 /*
1705 * INADDR_ANY is used to remove a previous selection.
1706 * When no interface is selected, a default one is
1707 * chosen every time a multicast packet is sent.
1708 */
1709 if (in_nullhost(addr)) {
1710 imo->imo_multicast_ifp = NULL;
1711 break;
1712 }
1713 /*
1714 * The selected interface is identified by its local
1715 * IP address. Find the interface and confirm that
1716 * it supports multicasting.
1717 */
1718 ifp = ip_multicast_if(&addr, &ifindex);
1719 if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0) {
1720 error = EADDRNOTAVAIL;
1721 break;
1722 }
1723 imo->imo_multicast_ifp = ifp;
1724 if (ifindex)
1725 imo->imo_multicast_addr = addr;
1726 else
1727 imo->imo_multicast_addr.s_addr = INADDR_ANY;
1728 break;
1729
1730 case IP_MULTICAST_TTL:
1731 /*
1732 * Set the IP time-to-live for outgoing multicast packets.
1733 */
1734 error = ip_getoptval(m, &imo->imo_multicast_ttl, MAXTTL);
1735 break;
1736
1737 case IP_MULTICAST_LOOP:
1738 /*
1739 * Set the loopback flag for outgoing multicast packets.
1740 * Must be zero or one.
1741 */
1742 error = ip_getoptval(m, &imo->imo_multicast_loop, 1);
1743 break;
1744
1745 case IP_ADD_MEMBERSHIP:
1746 /*
1747 * Add a multicast group membership.
1748 * Group must be a valid IP multicast address.
1749 */
1750 if (m == NULL || m->m_len != sizeof(struct ip_mreq)) {
1751 error = EINVAL;
1752 break;
1753 }
1754 mreq = mtod(m, struct ip_mreq *);
1755 if (!IN_MULTICAST(mreq->imr_multiaddr.s_addr)) {
1756 error = EINVAL;
1757 break;
1758 }
1759 /*
1760 * If no interface address was provided, use the interface of
1761 * the route to the given multicast address.
1762 */
1763 if (in_nullhost(mreq->imr_interface)) {
1764 bzero((caddr_t)&ro, sizeof(ro));
1765 ro.ro_rt = NULL;
1766 dst = satosin(&ro.ro_dst);
1767 dst->sin_len = sizeof(*dst);
1768 dst->sin_family = AF_INET;
1769 dst->sin_addr = mreq->imr_multiaddr;
1770 rtalloc(&ro);
1771 if (ro.ro_rt == NULL) {
1772 error = EADDRNOTAVAIL;
1773 break;
1774 }
1775 ifp = ro.ro_rt->rt_ifp;
1776 rtfree(ro.ro_rt);
1777 } else {
1778 ifp = ip_multicast_if(&mreq->imr_interface, NULL);
1779 }
1780 /*
1781 * See if we found an interface, and confirm that it
1782 * supports multicast.
1783 */
1784 if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0) {
1785 error = EADDRNOTAVAIL;
1786 break;
1787 }
1788 /*
1789 * See if the membership already exists or if all the
1790 * membership slots are full.
1791 */
1792 for (i = 0; i < imo->imo_num_memberships; ++i) {
1793 if (imo->imo_membership[i]->inm_ifp == ifp &&
1794 in_hosteq(imo->imo_membership[i]->inm_addr,
1795 mreq->imr_multiaddr))
1796 break;
1797 }
1798 if (i < imo->imo_num_memberships) {
1799 error = EADDRINUSE;
1800 break;
1801 }
1802 if (i == IP_MAX_MEMBERSHIPS) {
1803 error = ETOOMANYREFS;
1804 break;
1805 }
1806 /*
1807 * Everything looks good; add a new record to the multicast
1808 * address list for the given interface.
1809 */
1810 if ((imo->imo_membership[i] =
1811 in_addmulti(&mreq->imr_multiaddr, ifp)) == NULL) {
1812 error = ENOBUFS;
1813 break;
1814 }
1815 ++imo->imo_num_memberships;
1816 break;
1817
1818 case IP_DROP_MEMBERSHIP:
1819 /*
1820 * Drop a multicast group membership.
1821 * Group must be a valid IP multicast address.
1822 */
1823 if (m == NULL || m->m_len != sizeof(struct ip_mreq)) {
1824 error = EINVAL;
1825 break;
1826 }
1827 mreq = mtod(m, struct ip_mreq *);
1828 if (!IN_MULTICAST(mreq->imr_multiaddr.s_addr)) {
1829 error = EINVAL;
1830 break;
1831 }
1832 /*
1833 * If an interface address was specified, get a pointer
1834 * to its ifnet structure.
1835 */
1836 if (in_nullhost(mreq->imr_interface))
1837 ifp = NULL;
1838 else {
1839 ifp = ip_multicast_if(&mreq->imr_interface, NULL);
1840 if (ifp == NULL) {
1841 error = EADDRNOTAVAIL;
1842 break;
1843 }
1844 }
1845 /*
1846 * Find the membership in the membership array.
1847 */
1848 for (i = 0; i < imo->imo_num_memberships; ++i) {
1849 if ((ifp == NULL ||
1850 imo->imo_membership[i]->inm_ifp == ifp) &&
1851 in_hosteq(imo->imo_membership[i]->inm_addr,
1852 mreq->imr_multiaddr))
1853 break;
1854 }
1855 if (i == imo->imo_num_memberships) {
1856 error = EADDRNOTAVAIL;
1857 break;
1858 }
1859 /*
1860 * Give up the multicast address record to which the
1861 * membership points.
1862 */
1863 in_delmulti(imo->imo_membership[i]);
1864 /*
1865 * Remove the gap in the membership array.
1866 */
1867 for (++i; i < imo->imo_num_memberships; ++i)
1868 imo->imo_membership[i-1] = imo->imo_membership[i];
1869 --imo->imo_num_memberships;
1870 break;
1871
1872 default:
1873 error = EOPNOTSUPP;
1874 break;
1875 }
1876
1877 /*
1878 * If all options have default values, no need to keep the mbuf.
1879 */
1880 if (imo->imo_multicast_ifp == NULL &&
1881 imo->imo_multicast_ttl == IP_DEFAULT_MULTICAST_TTL &&
1882 imo->imo_multicast_loop == IP_DEFAULT_MULTICAST_LOOP &&
1883 imo->imo_num_memberships == 0) {
1884 free(*imop, M_IPMOPTS);
1885 *imop = NULL;
1886 }
1887
1888 return (error);
1889 }
1890
1891 /*
1892 * Return the IP multicast options in response to user getsockopt().
1893 */
1894 int
1895 ip_getmoptions(int optname, struct ip_moptions *imo, struct mbuf **mp)
1896 {
1897 u_char *ttl;
1898 u_char *loop;
1899 struct in_addr *addr;
1900 struct in_ifaddr *ia;
1901
1902 *mp = m_get(M_WAIT, MT_SOOPTS);
1903
1904 switch (optname) {
1905
1906 case IP_MULTICAST_IF:
1907 addr = mtod(*mp, struct in_addr *);
1908 (*mp)->m_len = sizeof(struct in_addr);
1909 if (imo == NULL || imo->imo_multicast_ifp == NULL)
1910 *addr = zeroin_addr;
1911 else if (imo->imo_multicast_addr.s_addr) {
1912 /* return the value user has set */
1913 *addr = imo->imo_multicast_addr;
1914 } else {
1915 IFP_TO_IA(imo->imo_multicast_ifp, ia);
1916 *addr = ia ? ia->ia_addr.sin_addr : zeroin_addr;
1917 }
1918 return (0);
1919
1920 case IP_MULTICAST_TTL:
1921 ttl = mtod(*mp, u_char *);
1922 (*mp)->m_len = 1;
1923 *ttl = imo ? imo->imo_multicast_ttl
1924 : IP_DEFAULT_MULTICAST_TTL;
1925 return (0);
1926
1927 case IP_MULTICAST_LOOP:
1928 loop = mtod(*mp, u_char *);
1929 (*mp)->m_len = 1;
1930 *loop = imo ? imo->imo_multicast_loop
1931 : IP_DEFAULT_MULTICAST_LOOP;
1932 return (0);
1933
1934 default:
1935 return (EOPNOTSUPP);
1936 }
1937 }
1938
1939 /*
1940 * Discard the IP multicast options.
1941 */
1942 void
1943 ip_freemoptions(struct ip_moptions *imo)
1944 {
1945 int i;
1946
1947 if (imo != NULL) {
1948 for (i = 0; i < imo->imo_num_memberships; ++i)
1949 in_delmulti(imo->imo_membership[i]);
1950 free(imo, M_IPMOPTS);
1951 }
1952 }
1953
1954 /*
1955 * Routine called from ip_output() to loop back a copy of an IP multicast
1956 * packet to the input queue of a specified interface. Note that this
1957 * calls the output routine of the loopback "driver", but with an interface
1958 * pointer that might NOT be lo0ifp -- easier than replicating that code here.
1959 */
1960 static void
1961 ip_mloopback(struct ifnet *ifp, struct mbuf *m, struct sockaddr_in *dst)
1962 {
1963 struct ip *ip;
1964 struct mbuf *copym;
1965
1966 copym = m_copy(m, 0, M_COPYALL);
1967 if (copym != NULL
1968 && (copym->m_flags & M_EXT || copym->m_len < sizeof(struct ip)))
1969 copym = m_pullup(copym, sizeof(struct ip));
1970 if (copym != NULL) {
1971 /*
1972 * We don't bother to fragment if the IP length is greater
1973 * than the interface's MTU. Can this possibly matter?
1974 */
1975 ip = mtod(copym, struct ip *);
1976
1977 if (copym->m_pkthdr.csum_flags & (M_CSUM_TCPv4|M_CSUM_UDPv4)) {
1978 in_delayed_cksum(copym);
1979 copym->m_pkthdr.csum_flags &=
1980 ~(M_CSUM_TCPv4|M_CSUM_UDPv4);
1981 }
1982
1983 ip->ip_sum = 0;
1984 ip->ip_sum = in_cksum(copym, ip->ip_hl << 2);
1985 (void) looutput(ifp, copym, sintosa(dst), NULL);
1986 }
1987 }
Cache object: 296faa85805041344b435412d00a2220
|