1 /* $OpenBSD: ip_output.c,v 1.191 2008/05/09 02:56:36 markus Exp $ */
2 /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
3
4 /*
5 * Copyright (c) 1982, 1986, 1988, 1990, 1993
6 * The Regents of the University of California. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the University nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 *
32 * @(#)ip_output.c 8.3 (Berkeley) 1/21/94
33 */
34
35 #include "pf.h"
36
37 #include <sys/param.h>
38 #include <sys/systm.h>
39 #include <sys/mbuf.h>
40 #include <sys/protosw.h>
41 #include <sys/socket.h>
42 #include <sys/socketvar.h>
43 #include <sys/proc.h>
44 #include <sys/kernel.h>
45
46 #include <net/if.h>
47 #include <net/if_enc.h>
48 #include <net/route.h>
49
50 #include <netinet/in.h>
51 #include <netinet/in_systm.h>
52 #include <netinet/ip.h>
53 #include <netinet/in_pcb.h>
54 #include <netinet/in_var.h>
55 #include <netinet/ip_var.h>
56 #include <netinet/ip_icmp.h>
57 #include <netinet/tcp.h>
58 #include <netinet/udp.h>
59 #include <netinet/tcp_timer.h>
60 #include <netinet/tcp_var.h>
61 #include <netinet/udp_var.h>
62
63 #if NPF > 0
64 #include <net/pfvar.h>
65 #endif
66
67 #ifdef IPSEC
68 #ifdef ENCDEBUG
69 #define DPRINTF(x) do { if (encdebug) printf x ; } while (0)
70 #else
71 #define DPRINTF(x)
72 #endif
73
74 extern u_int8_t get_sa_require(struct inpcb *);
75
76 extern int ipsec_auth_default_level;
77 extern int ipsec_esp_trans_default_level;
78 extern int ipsec_esp_network_default_level;
79 extern int ipsec_ipcomp_default_level;
80 extern int ipforwarding;
81 #endif /* IPSEC */
82
83 #ifdef MROUTING
84 extern int ipmforwarding;
85 #endif
86
87 struct mbuf *ip_insertoptions(struct mbuf *, struct mbuf *, int *);
88 void ip_mloopback(struct ifnet *, struct mbuf *, struct sockaddr_in *);
89
90 /*
91 * IP output. The packet in mbuf chain m contains a skeletal IP
92 * header (with len, off, ttl, proto, tos, src, dst).
93 * The mbuf chain containing the packet will be freed.
94 * The mbuf opt, if present, will not be freed.
95 */
96 int
97 ip_output(struct mbuf *m0, ...)
98 {
99 struct ip *ip;
100 struct ifnet *ifp;
101 struct mbuf *m = m0;
102 int hlen = sizeof (struct ip);
103 int len, error = 0;
104 struct route iproute;
105 struct sockaddr_in *dst;
106 struct in_ifaddr *ia;
107 struct mbuf *opt;
108 struct route *ro;
109 int flags;
110 struct ip_moptions *imo;
111 va_list ap;
112 u_int8_t sproto = 0, donerouting = 0;
113 u_long mtu;
114 #ifdef IPSEC
115 u_int32_t icmp_mtu = 0;
116 union sockaddr_union sdst;
117 u_int32_t sspi;
118 struct m_tag *mtag;
119 struct tdb_ident *tdbi;
120
121 struct inpcb *inp;
122 struct tdb *tdb;
123 int s;
124 #endif /* IPSEC */
125
126 va_start(ap, m0);
127 opt = va_arg(ap, struct mbuf *);
128 ro = va_arg(ap, struct route *);
129 flags = va_arg(ap, int);
130 imo = va_arg(ap, struct ip_moptions *);
131 #ifdef IPSEC
132 inp = va_arg(ap, struct inpcb *);
133 if (inp && (inp->inp_flags & INP_IPV6) != 0)
134 panic("ip_output: IPv6 pcb is passed");
135 #endif /* IPSEC */
136 va_end(ap);
137
138 #ifdef DIAGNOSTIC
139 if ((m->m_flags & M_PKTHDR) == 0)
140 panic("ip_output no HDR");
141 #endif
142 if (opt) {
143 m = ip_insertoptions(m, opt, &len);
144 hlen = len;
145 }
146
147 ip = mtod(m, struct ip *);
148
149 /*
150 * Fill in IP header.
151 */
152 if ((flags & (IP_FORWARDING|IP_RAWOUTPUT)) == 0) {
153 ip->ip_v = IPVERSION;
154 ip->ip_off &= htons(IP_DF);
155 ip->ip_id = htons(ip_randomid());
156 ip->ip_hl = hlen >> 2;
157 ipstat.ips_localout++;
158 } else {
159 hlen = ip->ip_hl << 2;
160 }
161
162 /*
163 * If we're missing the IP source address, do a route lookup. We'll
164 * remember this result, in case we don't need to do any IPsec
165 * processing on the packet. We need the source address so we can
166 * do an SPD lookup in IPsec; for most packets, the source address
167 * is set at a higher level protocol. ICMPs and other packets
168 * though (e.g., traceroute) have a source address of zeroes.
169 */
170 if (ip->ip_src.s_addr == INADDR_ANY) {
171 if (flags & IP_ROUTETOETHER) {
172 error = EINVAL;
173 goto bad;
174 }
175 donerouting = 1;
176
177 if (ro == 0) {
178 ro = &iproute;
179 bzero((caddr_t)ro, sizeof (*ro));
180 }
181
182 dst = satosin(&ro->ro_dst);
183
184 /*
185 * If there is a cached route, check that it is to the same
186 * destination and is still up. If not, free it and try again.
187 */
188 if (ro->ro_rt && ((ro->ro_rt->rt_flags & RTF_UP) == 0 ||
189 dst->sin_addr.s_addr != ip->ip_dst.s_addr)) {
190 RTFREE(ro->ro_rt);
191 ro->ro_rt = (struct rtentry *)0;
192 }
193
194 if (ro->ro_rt == 0) {
195 dst->sin_family = AF_INET;
196 dst->sin_len = sizeof(*dst);
197 dst->sin_addr = ip->ip_dst;
198 }
199
200 /*
201 * If routing to interface only, short-circuit routing lookup.
202 */
203 if (flags & IP_ROUTETOIF) {
204 if ((ia = ifatoia(ifa_ifwithdstaddr(sintosa(dst)))) == 0 &&
205 (ia = ifatoia(ifa_ifwithnet(sintosa(dst)))) == 0) {
206 ipstat.ips_noroute++;
207 error = ENETUNREACH;
208 goto bad;
209 }
210
211 ifp = ia->ia_ifp;
212 mtu = ifp->if_mtu;
213 ip->ip_ttl = 1;
214 } else if ((IN_MULTICAST(ip->ip_dst.s_addr) ||
215 (ip->ip_dst.s_addr == INADDR_BROADCAST)) &&
216 imo != NULL && imo->imo_multicast_ifp != NULL) {
217 ifp = imo->imo_multicast_ifp;
218 mtu = ifp->if_mtu;
219 IFP_TO_IA(ifp, ia);
220 } else {
221 if (ro->ro_rt == 0)
222 rtalloc_mpath(ro, NULL, 0);
223
224 if (ro->ro_rt == 0) {
225 ipstat.ips_noroute++;
226 error = EHOSTUNREACH;
227 goto bad;
228 }
229
230 ia = ifatoia(ro->ro_rt->rt_ifa);
231 ifp = ro->ro_rt->rt_ifp;
232 if ((mtu = ro->ro_rt->rt_rmx.rmx_mtu) == 0)
233 mtu = ifp->if_mtu;
234 ro->ro_rt->rt_use++;
235
236 if (ro->ro_rt->rt_flags & RTF_GATEWAY)
237 dst = satosin(ro->ro_rt->rt_gateway);
238 }
239
240 /* Set the source IP address */
241 if (!IN_MULTICAST(ip->ip_dst.s_addr))
242 ip->ip_src = ia->ia_addr.sin_addr;
243 }
244
245 #ifdef IPSEC
246 if (!ipsec_in_use && inp == NULL)
247 goto done_spd;
248
249 /*
250 * splnet is chosen over spltdb because we are not allowed to
251 * lower the level, and udp_output calls us in splnet().
252 */
253 s = splnet();
254
255 /* Do we have any pending SAs to apply ? */
256 mtag = m_tag_find(m, PACKET_TAG_IPSEC_PENDING_TDB, NULL);
257 if (mtag != NULL) {
258 #ifdef DIAGNOSTIC
259 if (mtag->m_tag_len != sizeof (struct tdb_ident))
260 panic("ip_output: tag of length %d (should be %d",
261 mtag->m_tag_len, sizeof (struct tdb_ident));
262 #endif
263 tdbi = (struct tdb_ident *)(mtag + 1);
264 tdb = gettdb(tdbi->spi, &tdbi->dst, tdbi->proto);
265 if (tdb == NULL)
266 error = -EINVAL;
267 m_tag_delete(m, mtag);
268 }
269 else
270 tdb = ipsp_spd_lookup(m, AF_INET, hlen, &error,
271 IPSP_DIRECTION_OUT, NULL, inp);
272
273 if (tdb == NULL) {
274 splx(s);
275
276 if (error == 0) {
277 /*
278 * No IPsec processing required, we'll just send the
279 * packet out.
280 */
281 sproto = 0;
282
283 /* Fall through to routing/multicast handling */
284 } else {
285 /*
286 * -EINVAL is used to indicate that the packet should
287 * be silently dropped, typically because we've asked
288 * key management for an SA.
289 */
290 if (error == -EINVAL) /* Should silently drop packet */
291 error = 0;
292
293 m_freem(m);
294 goto done;
295 }
296 } else {
297 /* Loop detection */
298 for (mtag = m_tag_first(m); mtag != NULL;
299 mtag = m_tag_next(m, mtag)) {
300 if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE &&
301 mtag->m_tag_id !=
302 PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED)
303 continue;
304 tdbi = (struct tdb_ident *)(mtag + 1);
305 if (tdbi->spi == tdb->tdb_spi &&
306 tdbi->proto == tdb->tdb_sproto &&
307 !bcmp(&tdbi->dst, &tdb->tdb_dst,
308 sizeof(union sockaddr_union))) {
309 splx(s);
310 sproto = 0; /* mark as no-IPsec-needed */
311 goto done_spd;
312 }
313 }
314
315 /* We need to do IPsec */
316 bcopy(&tdb->tdb_dst, &sdst, sizeof(sdst));
317 sspi = tdb->tdb_spi;
318 sproto = tdb->tdb_sproto;
319 splx(s);
320
321 /*
322 * If it needs TCP/UDP hardware-checksumming, do the
323 * computation now.
324 */
325 if (m->m_pkthdr.csum_flags & (M_TCPV4_CSUM_OUT | M_UDPV4_CSUM_OUT)) {
326 in_delayed_cksum(m);
327 m->m_pkthdr.csum_flags &=
328 ~(M_UDPV4_CSUM_OUT | M_TCPV4_CSUM_OUT);
329 }
330
331 /* If it's not a multicast packet, try to fast-path */
332 if (!IN_MULTICAST(ip->ip_dst.s_addr)) {
333 goto sendit;
334 }
335 }
336
337 /* Fall through to the routing/multicast handling code */
338 done_spd:
339 #endif /* IPSEC */
340
341 if (flags & IP_ROUTETOETHER) {
342 dst = satosin(&ro->ro_dst);
343 ifp = ro->ro_rt->rt_ifp;
344 mtu = ifp->if_mtu;
345 ro->ro_rt = NULL;
346 } else if (donerouting == 0) {
347 if (ro == 0) {
348 ro = &iproute;
349 bzero((caddr_t)ro, sizeof (*ro));
350 }
351
352 dst = satosin(&ro->ro_dst);
353
354 /*
355 * If there is a cached route, check that it is to the same
356 * destination and is still up. If not, free it and try again.
357 */
358 if (ro->ro_rt && ((ro->ro_rt->rt_flags & RTF_UP) == 0 ||
359 dst->sin_addr.s_addr != ip->ip_dst.s_addr)) {
360 RTFREE(ro->ro_rt);
361 ro->ro_rt = (struct rtentry *)0;
362 }
363
364 if (ro->ro_rt == 0) {
365 dst->sin_family = AF_INET;
366 dst->sin_len = sizeof(*dst);
367 dst->sin_addr = ip->ip_dst;
368 }
369
370 /*
371 * If routing to interface only, short-circuit routing lookup.
372 */
373 if (flags & IP_ROUTETOIF) {
374 if ((ia = ifatoia(ifa_ifwithdstaddr(sintosa(dst)))) == 0 &&
375 (ia = ifatoia(ifa_ifwithnet(sintosa(dst)))) == 0) {
376 ipstat.ips_noroute++;
377 error = ENETUNREACH;
378 goto bad;
379 }
380
381 ifp = ia->ia_ifp;
382 mtu = ifp->if_mtu;
383 ip->ip_ttl = 1;
384 } else if ((IN_MULTICAST(ip->ip_dst.s_addr) ||
385 (ip->ip_dst.s_addr == INADDR_BROADCAST)) &&
386 imo != NULL && imo->imo_multicast_ifp != NULL) {
387 ifp = imo->imo_multicast_ifp;
388 mtu = ifp->if_mtu;
389 IFP_TO_IA(ifp, ia);
390 } else {
391 if (ro->ro_rt == 0)
392 rtalloc_mpath(ro, &ip->ip_src.s_addr, 0);
393
394 if (ro->ro_rt == 0) {
395 ipstat.ips_noroute++;
396 error = EHOSTUNREACH;
397 goto bad;
398 }
399
400 ia = ifatoia(ro->ro_rt->rt_ifa);
401 ifp = ro->ro_rt->rt_ifp;
402 if ((mtu = ro->ro_rt->rt_rmx.rmx_mtu) == 0)
403 mtu = ifp->if_mtu;
404 ro->ro_rt->rt_use++;
405
406 if (ro->ro_rt->rt_flags & RTF_GATEWAY)
407 dst = satosin(ro->ro_rt->rt_gateway);
408 }
409
410 /* Set the source IP address */
411 if (ip->ip_src.s_addr == INADDR_ANY)
412 ip->ip_src = ia->ia_addr.sin_addr;
413 }
414
415 if (IN_MULTICAST(ip->ip_dst.s_addr) ||
416 (ip->ip_dst.s_addr == INADDR_BROADCAST)) {
417 struct in_multi *inm;
418
419 m->m_flags |= (ip->ip_dst.s_addr == INADDR_BROADCAST) ?
420 M_BCAST : M_MCAST;
421
422 /*
423 * IP destination address is multicast. Make sure "dst"
424 * still points to the address in "ro". (It may have been
425 * changed to point to a gateway address, above.)
426 */
427 dst = satosin(&ro->ro_dst);
428
429 /*
430 * See if the caller provided any multicast options
431 */
432 if (imo != NULL)
433 ip->ip_ttl = imo->imo_multicast_ttl;
434 else
435 ip->ip_ttl = IP_DEFAULT_MULTICAST_TTL;
436
437 /*
438 * if we don't know the outgoing ifp yet, we can't generate
439 * output
440 */
441 if (!ifp) {
442 ipstat.ips_noroute++;
443 error = EHOSTUNREACH;
444 goto bad;
445 }
446
447 /*
448 * Confirm that the outgoing interface supports multicast,
449 * but only if the packet actually is going out on that
450 * interface (i.e., no IPsec is applied).
451 */
452 if ((((m->m_flags & M_MCAST) &&
453 (ifp->if_flags & IFF_MULTICAST) == 0) ||
454 ((m->m_flags & M_BCAST) &&
455 (ifp->if_flags & IFF_BROADCAST) == 0)) && (sproto == 0)) {
456 ipstat.ips_noroute++;
457 error = ENETUNREACH;
458 goto bad;
459 }
460
461 /*
462 * If source address not specified yet, use address
463 * of outgoing interface.
464 */
465 if (ip->ip_src.s_addr == INADDR_ANY) {
466 struct in_ifaddr *ia;
467
468 TAILQ_FOREACH(ia, &in_ifaddr, ia_list)
469 if (ia->ia_ifp == ifp) {
470 ip->ip_src = ia->ia_addr.sin_addr;
471 break;
472 }
473 }
474
475 IN_LOOKUP_MULTI(ip->ip_dst, ifp, inm);
476 if (inm != NULL &&
477 (imo == NULL || imo->imo_multicast_loop)) {
478 /*
479 * If we belong to the destination multicast group
480 * on the outgoing interface, and the caller did not
481 * forbid loopback, loop back a copy.
482 * Can't defer TCP/UDP checksumming, do the
483 * computation now.
484 */
485 if (m->m_pkthdr.csum_flags &
486 (M_TCPV4_CSUM_OUT | M_UDPV4_CSUM_OUT)) {
487 in_delayed_cksum(m);
488 m->m_pkthdr.csum_flags &=
489 ~(M_UDPV4_CSUM_OUT | M_TCPV4_CSUM_OUT);
490 }
491 ip_mloopback(ifp, m, dst);
492 }
493 #ifdef MROUTING
494 else {
495 /*
496 * If we are acting as a multicast router, perform
497 * multicast forwarding as if the packet had just
498 * arrived on the interface to which we are about
499 * to send. The multicast forwarding function
500 * recursively calls this function, using the
501 * IP_FORWARDING flag to prevent infinite recursion.
502 *
503 * Multicasts that are looped back by ip_mloopback(),
504 * above, will be forwarded by the ip_input() routine,
505 * if necessary.
506 */
507 extern struct socket *ip_mrouter;
508
509 if (ipmforwarding && ip_mrouter &&
510 (flags & IP_FORWARDING) == 0) {
511 if (ip_mforward(m, ifp) != 0) {
512 m_freem(m);
513 goto done;
514 }
515 }
516 }
517 #endif
518 /*
519 * Multicasts with a time-to-live of zero may be looped-
520 * back, above, but must not be transmitted on a network.
521 * Also, multicasts addressed to the loopback interface
522 * are not sent -- the above call to ip_mloopback() will
523 * loop back a copy if this host actually belongs to the
524 * destination group on the loopback interface.
525 */
526 if (ip->ip_ttl == 0 || (ifp->if_flags & IFF_LOOPBACK) != 0) {
527 m_freem(m);
528 goto done;
529 }
530
531 goto sendit;
532 }
533
534 /*
535 * Look for broadcast address and and verify user is allowed to send
536 * such a packet; if the packet is going in an IPsec tunnel, skip
537 * this check.
538 */
539 if ((sproto == 0) && (in_broadcast(dst->sin_addr, ifp))) {
540 if ((ifp->if_flags & IFF_BROADCAST) == 0) {
541 error = EADDRNOTAVAIL;
542 goto bad;
543 }
544 if ((flags & IP_ALLOWBROADCAST) == 0) {
545 error = EACCES;
546 goto bad;
547 }
548
549 /* Don't allow broadcast messages to be fragmented */
550 if (ntohs(ip->ip_len) > ifp->if_mtu) {
551 error = EMSGSIZE;
552 goto bad;
553 }
554 m->m_flags |= M_BCAST;
555 } else
556 m->m_flags &= ~M_BCAST;
557
558 sendit:
559 /*
560 * If we're doing Path MTU discovery, we need to set DF unless
561 * the route's MTU is locked.
562 */
563 if ((flags & IP_MTUDISC) && ro && ro->ro_rt &&
564 (ro->ro_rt->rt_rmx.rmx_locks & RTV_MTU) == 0)
565 ip->ip_off |= htons(IP_DF);
566
567 #ifdef IPSEC
568 /*
569 * Check if the packet needs encapsulation.
570 */
571 if (sproto != 0) {
572 s = splnet();
573
574 /*
575 * Packet filter
576 */
577 #if NPF > 0
578
579 if (pf_test(PF_OUT, &encif[0].sc_if, &m, NULL) != PF_PASS) {
580 error = EHOSTUNREACH;
581 splx(s);
582 m_freem(m);
583 goto done;
584 }
585 if (m == NULL) {
586 splx(s);
587 goto done;
588 }
589 ip = mtod(m, struct ip *);
590 hlen = ip->ip_hl << 2;
591 #endif
592
593 tdb = gettdb(sspi, &sdst, sproto);
594 if (tdb == NULL) {
595 DPRINTF(("ip_output: unknown TDB"));
596 error = EHOSTUNREACH;
597 splx(s);
598 m_freem(m);
599 goto done;
600 }
601
602 /* Check if we are allowed to fragment */
603 if (ip_mtudisc && (ip->ip_off & htons(IP_DF)) && tdb->tdb_mtu &&
604 ntohs(ip->ip_len) > tdb->tdb_mtu &&
605 tdb->tdb_mtutimeout > time_second) {
606 struct rtentry *rt = NULL;
607 int rt_mtucloned = 0;
608 int transportmode = 0;
609
610 transportmode = (tdb->tdb_dst.sa.sa_family == AF_INET) &&
611 (tdb->tdb_dst.sin.sin_addr.s_addr ==
612 ip->ip_dst.s_addr);
613 icmp_mtu = tdb->tdb_mtu;
614 splx(s);
615
616 /* Find a host route to store the mtu in */
617 if (ro != NULL)
618 rt = ro->ro_rt;
619 /* but don't add a PMTU route for transport mode SAs */
620 if (transportmode)
621 rt = NULL;
622 else if (rt == NULL || (rt->rt_flags & RTF_HOST) == 0) {
623 struct sockaddr_in dst = {
624 sizeof(struct sockaddr_in), AF_INET};
625 dst.sin_addr = ip->ip_dst;
626 rt = icmp_mtudisc_clone((struct sockaddr *)&dst);
627 rt_mtucloned = 1;
628 }
629 DPRINTF(("ip_output: spi %08x mtu %d rt %p cloned %d\n",
630 ntohl(tdb->tdb_spi), icmp_mtu, rt, rt_mtucloned));
631 if (rt != NULL) {
632 rt->rt_rmx.rmx_mtu = icmp_mtu;
633 if (ro && ro->ro_rt != NULL) {
634 RTFREE(ro->ro_rt);
635 ro->ro_rt = (struct rtentry *) 0;
636 rtalloc(ro);
637 }
638 if (rt_mtucloned)
639 rtfree(rt);
640 }
641 error = EMSGSIZE;
642 goto bad;
643 }
644
645 /*
646 * Clear these -- they'll be set in the recursive invocation
647 * as needed.
648 */
649 m->m_flags &= ~(M_MCAST | M_BCAST);
650
651 /* Callee frees mbuf */
652 error = ipsp_process_packet(m, tdb, AF_INET, 0);
653 splx(s);
654 return error; /* Nothing more to be done */
655 }
656
657 /*
658 * If deferred crypto processing is needed, check that the
659 * interface supports it.
660 */
661 if (ipsec_in_use && (mtag = m_tag_find(m,
662 PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL)) != NULL &&
663 (ifp->if_capabilities & IFCAP_IPSEC) == 0) {
664 /* Notify IPsec to do its own crypto. */
665 ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1));
666 m_freem(m);
667 error = EHOSTUNREACH;
668 goto done;
669 }
670 #endif /* IPSEC */
671
672 /* Catch routing changes wrt. hardware checksumming for TCP or UDP. */
673 if (m->m_pkthdr.csum_flags & M_TCPV4_CSUM_OUT) {
674 if (!(ifp->if_capabilities & IFCAP_CSUM_TCPv4) ||
675 ifp->if_bridge != NULL) {
676 in_delayed_cksum(m);
677 m->m_pkthdr.csum_flags &= ~M_TCPV4_CSUM_OUT; /* Clear */
678 }
679 } else if (m->m_pkthdr.csum_flags & M_UDPV4_CSUM_OUT) {
680 if (!(ifp->if_capabilities & IFCAP_CSUM_UDPv4) ||
681 ifp->if_bridge != NULL) {
682 in_delayed_cksum(m);
683 m->m_pkthdr.csum_flags &= ~M_UDPV4_CSUM_OUT; /* Clear */
684 }
685 }
686
687 /*
688 * Packet filter
689 */
690 #if NPF > 0
691 if (pf_test(PF_OUT, ifp, &m, NULL) != PF_PASS) {
692 error = EHOSTUNREACH;
693 m_freem(m);
694 goto done;
695 }
696 if (m == NULL)
697 goto done;
698
699 ip = mtod(m, struct ip *);
700 hlen = ip->ip_hl << 2;
701 #endif
702
703 #ifdef IPSEC
704 if (ipsec_in_use && (flags & IP_FORWARDING) && (ipforwarding == 2) &&
705 (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) == NULL)) {
706 error = EHOSTUNREACH;
707 m_freem(m);
708 goto done;
709 }
710 #endif
711
712 /* XXX
713 * Try to use jumbograms based on socket option, or the route
714 * or... for other reasons later on.
715 */
716 if ((flags & IP_JUMBO) && ro->ro_rt && (ro->ro_rt->rt_flags & RTF_JUMBO) &&
717 ro->ro_rt->rt_ifp)
718 mtu = ro->ro_rt->rt_ifp->if_hardmtu;
719
720 /*
721 * If small enough for interface, can just send directly.
722 */
723 if (ntohs(ip->ip_len) <= mtu) {
724 if ((ifp->if_capabilities & IFCAP_CSUM_IPv4) &&
725 ifp->if_bridge == NULL) {
726 m->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT;
727 ipstat.ips_outhwcsum++;
728 } else {
729 ip->ip_sum = 0;
730 ip->ip_sum = in_cksum(m, hlen);
731 }
732 /* Update relevant hardware checksum stats for TCP/UDP */
733 if (m->m_pkthdr.csum_flags & M_TCPV4_CSUM_OUT)
734 tcpstat.tcps_outhwcsum++;
735 else if (m->m_pkthdr.csum_flags & M_UDPV4_CSUM_OUT)
736 udpstat.udps_outhwcsum++;
737 error = (*ifp->if_output)(ifp, m, sintosa(dst), ro->ro_rt);
738 goto done;
739 }
740
741 /*
742 * Too large for interface; fragment if possible.
743 * Must be able to put at least 8 bytes per fragment.
744 */
745 if (ip->ip_off & htons(IP_DF)) {
746 #ifdef IPSEC
747 icmp_mtu = ifp->if_mtu;
748 #endif
749 error = EMSGSIZE;
750 /*
751 * This case can happen if the user changed the MTU
752 * of an interface after enabling IP on it. Because
753 * most netifs don't keep track of routes pointing to
754 * them, there is no way for one to update all its
755 * routes when the MTU is changed.
756 */
757 if ((ro->ro_rt->rt_flags & (RTF_UP | RTF_HOST)) &&
758 !(ro->ro_rt->rt_rmx.rmx_locks & RTV_MTU) &&
759 (ro->ro_rt->rt_rmx.rmx_mtu > ifp->if_mtu)) {
760 ro->ro_rt->rt_rmx.rmx_mtu = ifp->if_mtu;
761 }
762 ipstat.ips_cantfrag++;
763 goto bad;
764 }
765
766 error = ip_fragment(m, ifp, mtu);
767 if (error) {
768 m = m0 = NULL;
769 goto bad;
770 }
771
772 for (; m; m = m0) {
773 m0 = m->m_nextpkt;
774 m->m_nextpkt = 0;
775 if (error == 0)
776 error = (*ifp->if_output)(ifp, m, sintosa(dst),
777 ro->ro_rt);
778 else
779 m_freem(m);
780 }
781
782 if (error == 0)
783 ipstat.ips_fragmented++;
784
785 done:
786 if (ro == &iproute && (flags & IP_ROUTETOIF) == 0 && ro->ro_rt)
787 RTFREE(ro->ro_rt);
788 return (error);
789 bad:
790 #ifdef IPSEC
791 if (error == EMSGSIZE && ip_mtudisc && icmp_mtu != 0 && m != NULL)
792 ipsec_adjust_mtu(m, icmp_mtu);
793 #endif
794 m_freem(m0);
795 goto done;
796 }
797
798 int
799 ip_fragment(struct mbuf *m, struct ifnet *ifp, u_long mtu)
800 {
801 struct ip *ip, *mhip;
802 struct mbuf *m0;
803 int len, hlen, off;
804 int mhlen, firstlen;
805 struct mbuf **mnext;
806 int fragments = 0;
807 int s;
808 int error = 0;
809
810 ip = mtod(m, struct ip *);
811 hlen = ip->ip_hl << 2;
812
813 len = (mtu - hlen) &~ 7;
814 if (len < 8) {
815 m_freem(m);
816 return (EMSGSIZE);
817 }
818
819 /*
820 * If we are doing fragmentation, we can't defer TCP/UDP
821 * checksumming; compute the checksum and clear the flag.
822 */
823 if (m->m_pkthdr.csum_flags & (M_TCPV4_CSUM_OUT | M_UDPV4_CSUM_OUT)) {
824 in_delayed_cksum(m);
825 m->m_pkthdr.csum_flags &= ~(M_UDPV4_CSUM_OUT | M_TCPV4_CSUM_OUT);
826 }
827
828 firstlen = len;
829 mnext = &m->m_nextpkt;
830
831 /*
832 * Loop through length of segment after first fragment,
833 * make new header and copy data of each part and link onto chain.
834 */
835 m0 = m;
836 mhlen = sizeof (struct ip);
837 for (off = hlen + len; off < ntohs(ip->ip_len); off += len) {
838 MGETHDR(m, M_DONTWAIT, MT_HEADER);
839 if (m == 0) {
840 ipstat.ips_odropped++;
841 error = ENOBUFS;
842 goto sendorfree;
843 }
844 *mnext = m;
845 mnext = &m->m_nextpkt;
846 m->m_data += max_linkhdr;
847 mhip = mtod(m, struct ip *);
848 *mhip = *ip;
849 /* we must inherit MCAST and BCAST flags */
850 m->m_flags |= m0->m_flags & (M_MCAST|M_BCAST);
851 if (hlen > sizeof (struct ip)) {
852 mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip);
853 mhip->ip_hl = mhlen >> 2;
854 }
855 m->m_len = mhlen;
856 mhip->ip_off = ((off - hlen) >> 3) +
857 (ntohs(ip->ip_off) & ~IP_MF);
858 if (ip->ip_off & htons(IP_MF))
859 mhip->ip_off |= IP_MF;
860 if (off + len >= ntohs(ip->ip_len))
861 len = ntohs(ip->ip_len) - off;
862 else
863 mhip->ip_off |= IP_MF;
864 mhip->ip_len = htons((u_int16_t)(len + mhlen));
865 m->m_next = m_copy(m0, off, len);
866 if (m->m_next == 0) {
867 ipstat.ips_odropped++;
868 error = ENOBUFS;
869 goto sendorfree;
870 }
871 m->m_pkthdr.len = mhlen + len;
872 m->m_pkthdr.rcvif = (struct ifnet *)0;
873 mhip->ip_off = htons((u_int16_t)mhip->ip_off);
874 if ((ifp != NULL) &&
875 (ifp->if_capabilities & IFCAP_CSUM_IPv4) &&
876 ifp->if_bridge == NULL) {
877 m->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT;
878 ipstat.ips_outhwcsum++;
879 } else {
880 mhip->ip_sum = 0;
881 mhip->ip_sum = in_cksum(m, mhlen);
882 }
883 ipstat.ips_ofragments++;
884 fragments++;
885 }
886 /*
887 * Update first fragment by trimming what's been copied out
888 * and updating header, then send each fragment (in order).
889 */
890 m = m0;
891 m_adj(m, hlen + firstlen - ntohs(ip->ip_len));
892 m->m_pkthdr.len = hlen + firstlen;
893 ip->ip_len = htons((u_int16_t)m->m_pkthdr.len);
894 ip->ip_off |= htons(IP_MF);
895 if ((ifp != NULL) &&
896 (ifp->if_capabilities & IFCAP_CSUM_IPv4) &&
897 ifp->if_bridge == NULL) {
898 m->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT;
899 ipstat.ips_outhwcsum++;
900 } else {
901 ip->ip_sum = 0;
902 ip->ip_sum = in_cksum(m, hlen);
903 }
904 sendorfree:
905 /*
906 * If there is no room for all the fragments, don't queue
907 * any of them.
908 */
909 if (ifp != NULL) {
910 s = splnet();
911 if (ifp->if_snd.ifq_maxlen - ifp->if_snd.ifq_len < fragments &&
912 error == 0) {
913 error = ENOBUFS;
914 ipstat.ips_odropped++;
915 IFQ_INC_DROPS(&ifp->if_snd);
916 }
917 splx(s);
918 }
919 if (error) {
920 for (m = m0; m; m = m0) {
921 m0 = m->m_nextpkt;
922 m->m_nextpkt = NULL;
923 m_freem(m);
924 }
925 }
926
927 return (error);
928 }
929
930 /*
931 * Insert IP options into preformed packet.
932 * Adjust IP destination as required for IP source routing,
933 * as indicated by a non-zero in_addr at the start of the options.
934 */
935 struct mbuf *
936 ip_insertoptions(m, opt, phlen)
937 struct mbuf *m;
938 struct mbuf *opt;
939 int *phlen;
940 {
941 struct ipoption *p = mtod(opt, struct ipoption *);
942 struct mbuf *n;
943 struct ip *ip = mtod(m, struct ip *);
944 unsigned optlen;
945
946 optlen = opt->m_len - sizeof(p->ipopt_dst);
947 if (optlen + ntohs(ip->ip_len) > IP_MAXPACKET)
948 return (m); /* XXX should fail */
949 if (p->ipopt_dst.s_addr)
950 ip->ip_dst = p->ipopt_dst;
951 if (m->m_flags & M_EXT || m->m_data - optlen < m->m_pktdat) {
952 MGETHDR(n, M_DONTWAIT, MT_HEADER);
953 if (n == 0)
954 return (m);
955 M_MOVE_HDR(n, m);
956 n->m_pkthdr.len += optlen;
957 m->m_len -= sizeof(struct ip);
958 m->m_data += sizeof(struct ip);
959 n->m_next = m;
960 m = n;
961 m->m_len = optlen + sizeof(struct ip);
962 m->m_data += max_linkhdr;
963 bcopy((caddr_t)ip, mtod(m, caddr_t), sizeof(struct ip));
964 } else {
965 m->m_data -= optlen;
966 m->m_len += optlen;
967 m->m_pkthdr.len += optlen;
968 ovbcopy((caddr_t)ip, mtod(m, caddr_t), sizeof(struct ip));
969 }
970 ip = mtod(m, struct ip *);
971 bcopy((caddr_t)p->ipopt_list, (caddr_t)(ip + 1), (unsigned)optlen);
972 *phlen = sizeof(struct ip) + optlen;
973 ip->ip_len = htons(ntohs(ip->ip_len) + optlen);
974 return (m);
975 }
976
977 /*
978 * Copy options from ip to jp,
979 * omitting those not copied during fragmentation.
980 */
981 int
982 ip_optcopy(ip, jp)
983 struct ip *ip, *jp;
984 {
985 u_char *cp, *dp;
986 int opt, optlen, cnt;
987
988 cp = (u_char *)(ip + 1);
989 dp = (u_char *)(jp + 1);
990 cnt = (ip->ip_hl << 2) - sizeof (struct ip);
991 for (; cnt > 0; cnt -= optlen, cp += optlen) {
992 opt = cp[0];
993 if (opt == IPOPT_EOL)
994 break;
995 if (opt == IPOPT_NOP) {
996 /* Preserve for IP mcast tunnel's LSRR alignment. */
997 *dp++ = IPOPT_NOP;
998 optlen = 1;
999 continue;
1000 }
1001 #ifdef DIAGNOSTIC
1002 if (cnt < IPOPT_OLEN + sizeof(*cp))
1003 panic("malformed IPv4 option passed to ip_optcopy");
1004 #endif
1005 optlen = cp[IPOPT_OLEN];
1006 #ifdef DIAGNOSTIC
1007 if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt)
1008 panic("malformed IPv4 option passed to ip_optcopy");
1009 #endif
1010 /* bogus lengths should have been caught by ip_dooptions */
1011 if (optlen > cnt)
1012 optlen = cnt;
1013 if (IPOPT_COPIED(opt)) {
1014 bcopy((caddr_t)cp, (caddr_t)dp, (unsigned)optlen);
1015 dp += optlen;
1016 }
1017 }
1018 for (optlen = dp - (u_char *)(jp+1); optlen & 0x3; optlen++)
1019 *dp++ = IPOPT_EOL;
1020 return (optlen);
1021 }
1022
1023 /*
1024 * IP socket option processing.
1025 */
1026 int
1027 ip_ctloutput(op, so, level, optname, mp)
1028 int op;
1029 struct socket *so;
1030 int level, optname;
1031 struct mbuf **mp;
1032 {
1033 struct inpcb *inp = sotoinpcb(so);
1034 struct mbuf *m = *mp;
1035 int optval = 0;
1036 #ifdef IPSEC
1037 struct proc *p = curproc; /* XXX */
1038 struct ipsec_ref *ipr;
1039 u_int16_t opt16val;
1040 #endif
1041 int error = 0;
1042
1043 if (level != IPPROTO_IP) {
1044 error = EINVAL;
1045 if (op == PRCO_SETOPT && *mp)
1046 (void) m_free(*mp);
1047 } else switch (op) {
1048 case PRCO_SETOPT:
1049 switch (optname) {
1050 case IP_OPTIONS:
1051 #ifdef notyet
1052 case IP_RETOPTS:
1053 return (ip_pcbopts(optname, &inp->inp_options, m));
1054 #else
1055 return (ip_pcbopts(&inp->inp_options, m));
1056 #endif
1057
1058 case IP_TOS:
1059 case IP_TTL:
1060 case IP_MINTTL:
1061 case IP_RECVOPTS:
1062 case IP_RECVRETOPTS:
1063 case IP_RECVDSTADDR:
1064 case IP_RECVIF:
1065 case IP_RECVTTL:
1066 case IP_RECVDSTPORT:
1067 if (m == NULL || m->m_len != sizeof(int))
1068 error = EINVAL;
1069 else {
1070 optval = *mtod(m, int *);
1071 switch (optname) {
1072
1073 case IP_TOS:
1074 inp->inp_ip.ip_tos = optval;
1075 break;
1076
1077 case IP_TTL:
1078 if (optval > 0 && optval <= MAXTTL)
1079 inp->inp_ip.ip_ttl = optval;
1080 else
1081 error = EINVAL;
1082 break;
1083
1084 case IP_MINTTL:
1085 if (optval > 0 && optval <= MAXTTL)
1086 inp->inp_ip_minttl = optval;
1087 else
1088 error = EINVAL;
1089 break;
1090 #define OPTSET(bit) \
1091 if (optval) \
1092 inp->inp_flags |= bit; \
1093 else \
1094 inp->inp_flags &= ~bit;
1095
1096 case IP_RECVOPTS:
1097 OPTSET(INP_RECVOPTS);
1098 break;
1099
1100 case IP_RECVRETOPTS:
1101 OPTSET(INP_RECVRETOPTS);
1102 break;
1103
1104 case IP_RECVDSTADDR:
1105 OPTSET(INP_RECVDSTADDR);
1106 break;
1107 case IP_RECVIF:
1108 OPTSET(INP_RECVIF);
1109 break;
1110 case IP_RECVTTL:
1111 OPTSET(INP_RECVTTL);
1112 break;
1113 case IP_RECVDSTPORT:
1114 OPTSET(INP_RECVDSTPORT);
1115 break;
1116 }
1117 }
1118 break;
1119 #undef OPTSET
1120
1121 case IP_MULTICAST_IF:
1122 case IP_MULTICAST_TTL:
1123 case IP_MULTICAST_LOOP:
1124 case IP_ADD_MEMBERSHIP:
1125 case IP_DROP_MEMBERSHIP:
1126 error = ip_setmoptions(optname, &inp->inp_moptions, m);
1127 break;
1128
1129 case IP_PORTRANGE:
1130 if (m == 0 || m->m_len != sizeof(int))
1131 error = EINVAL;
1132 else {
1133 optval = *mtod(m, int *);
1134
1135 switch (optval) {
1136
1137 case IP_PORTRANGE_DEFAULT:
1138 inp->inp_flags &= ~(INP_LOWPORT);
1139 inp->inp_flags &= ~(INP_HIGHPORT);
1140 break;
1141
1142 case IP_PORTRANGE_HIGH:
1143 inp->inp_flags &= ~(INP_LOWPORT);
1144 inp->inp_flags |= INP_HIGHPORT;
1145 break;
1146
1147 case IP_PORTRANGE_LOW:
1148 inp->inp_flags &= ~(INP_HIGHPORT);
1149 inp->inp_flags |= INP_LOWPORT;
1150 break;
1151
1152 default:
1153
1154 error = EINVAL;
1155 break;
1156 }
1157 }
1158 break;
1159 case IP_AUTH_LEVEL:
1160 case IP_ESP_TRANS_LEVEL:
1161 case IP_ESP_NETWORK_LEVEL:
1162 case IP_IPCOMP_LEVEL:
1163 #ifndef IPSEC
1164 error = EOPNOTSUPP;
1165 #else
1166 if (m == 0 || m->m_len != sizeof(int)) {
1167 error = EINVAL;
1168 break;
1169 }
1170 optval = *mtod(m, int *);
1171
1172 if (optval < IPSEC_LEVEL_BYPASS ||
1173 optval > IPSEC_LEVEL_UNIQUE) {
1174 error = EINVAL;
1175 break;
1176 }
1177
1178 /* Unlink cached output TDB to force a re-search */
1179 if (inp->inp_tdb_out) {
1180 int s = spltdb();
1181 TAILQ_REMOVE(&inp->inp_tdb_out->tdb_inp_out,
1182 inp, inp_tdb_out_next);
1183 splx(s);
1184 }
1185
1186 if (inp->inp_tdb_in) {
1187 int s = spltdb();
1188 TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in,
1189 inp, inp_tdb_in_next);
1190 splx(s);
1191 }
1192
1193 switch (optname) {
1194 case IP_AUTH_LEVEL:
1195 if (optval < ipsec_auth_default_level &&
1196 suser(p, 0)) {
1197 error = EACCES;
1198 break;
1199 }
1200 inp->inp_seclevel[SL_AUTH] = optval;
1201 break;
1202
1203 case IP_ESP_TRANS_LEVEL:
1204 if (optval < ipsec_esp_trans_default_level &&
1205 suser(p, 0)) {
1206 error = EACCES;
1207 break;
1208 }
1209 inp->inp_seclevel[SL_ESP_TRANS] = optval;
1210 break;
1211
1212 case IP_ESP_NETWORK_LEVEL:
1213 if (optval < ipsec_esp_network_default_level &&
1214 suser(p, 0)) {
1215 error = EACCES;
1216 break;
1217 }
1218 inp->inp_seclevel[SL_ESP_NETWORK] = optval;
1219 break;
1220 case IP_IPCOMP_LEVEL:
1221 if (optval < ipsec_ipcomp_default_level &&
1222 suser(p, 0)) {
1223 error = EACCES;
1224 break;
1225 }
1226 inp->inp_seclevel[SL_IPCOMP] = optval;
1227 break;
1228 }
1229 if (!error)
1230 inp->inp_secrequire = get_sa_require(inp);
1231 #endif
1232 break;
1233
1234 case IP_IPSEC_REMOTE_CRED:
1235 case IP_IPSEC_REMOTE_AUTH:
1236 /* Can't set the remote credential or key */
1237 error = EOPNOTSUPP;
1238 break;
1239
1240 case IP_IPSEC_LOCAL_ID:
1241 case IP_IPSEC_REMOTE_ID:
1242 case IP_IPSEC_LOCAL_CRED:
1243 case IP_IPSEC_LOCAL_AUTH:
1244 #ifndef IPSEC
1245 error = EOPNOTSUPP;
1246 #else
1247 if (m->m_len < 2) {
1248 error = EINVAL;
1249 break;
1250 }
1251
1252 m_copydata(m, 0, 2, (caddr_t) &opt16val);
1253
1254 /* If the type is 0, then we cleanup and return */
1255 if (opt16val == 0) {
1256 switch (optname) {
1257 case IP_IPSEC_LOCAL_ID:
1258 if (inp->inp_ipo != NULL &&
1259 inp->inp_ipo->ipo_srcid != NULL) {
1260 ipsp_reffree(inp->inp_ipo->ipo_srcid);
1261 inp->inp_ipo->ipo_srcid = NULL;
1262 }
1263 break;
1264
1265 case IP_IPSEC_REMOTE_ID:
1266 if (inp->inp_ipo != NULL &&
1267 inp->inp_ipo->ipo_dstid != NULL) {
1268 ipsp_reffree(inp->inp_ipo->ipo_dstid);
1269 inp->inp_ipo->ipo_dstid = NULL;
1270 }
1271 break;
1272
1273 case IP_IPSEC_LOCAL_CRED:
1274 if (inp->inp_ipo != NULL &&
1275 inp->inp_ipo->ipo_local_cred != NULL) {
1276 ipsp_reffree(inp->inp_ipo->ipo_local_cred);
1277 inp->inp_ipo->ipo_local_cred = NULL;
1278 }
1279 break;
1280
1281 case IP_IPSEC_LOCAL_AUTH:
1282 if (inp->inp_ipo != NULL &&
1283 inp->inp_ipo->ipo_local_auth != NULL) {
1284 ipsp_reffree(inp->inp_ipo->ipo_local_auth);
1285 inp->inp_ipo->ipo_local_auth = NULL;
1286 }
1287 break;
1288 }
1289
1290 error = 0;
1291 break;
1292 }
1293
1294 /* Can't have an empty payload */
1295 if (m->m_len == 2) {
1296 error = EINVAL;
1297 break;
1298 }
1299
1300 /* Allocate if needed */
1301 if (inp->inp_ipo == NULL) {
1302 inp->inp_ipo = ipsec_add_policy(inp,
1303 AF_INET, IPSP_DIRECTION_OUT);
1304 if (inp->inp_ipo == NULL) {
1305 error = ENOBUFS;
1306 break;
1307 }
1308 }
1309
1310 ipr = malloc(sizeof(struct ipsec_ref) + m->m_len - 2,
1311 M_CREDENTIALS, M_NOWAIT);
1312 if (ipr == NULL) {
1313 error = ENOBUFS;
1314 break;
1315 }
1316
1317 ipr->ref_count = 1;
1318 ipr->ref_malloctype = M_CREDENTIALS;
1319 ipr->ref_len = m->m_len - 2;
1320 ipr->ref_type = opt16val;
1321 m_copydata(m, 2, m->m_len - 2, (caddr_t)(ipr + 1));
1322
1323 switch (optname) {
1324 case IP_IPSEC_LOCAL_ID:
1325 /* Check valid types and NUL-termination */
1326 if (ipr->ref_type < IPSP_IDENTITY_PREFIX ||
1327 ipr->ref_type > IPSP_IDENTITY_CONNECTION ||
1328 ((char *)(ipr + 1))[ipr->ref_len - 1]) {
1329 free(ipr, M_CREDENTIALS);
1330 error = EINVAL;
1331 } else {
1332 if (inp->inp_ipo->ipo_srcid != NULL)
1333 ipsp_reffree(inp->inp_ipo->ipo_srcid);
1334 inp->inp_ipo->ipo_srcid = ipr;
1335 }
1336 break;
1337 case IP_IPSEC_REMOTE_ID:
1338 /* Check valid types and NUL-termination */
1339 if (ipr->ref_type < IPSP_IDENTITY_PREFIX ||
1340 ipr->ref_type > IPSP_IDENTITY_CONNECTION ||
1341 ((char *)(ipr + 1))[ipr->ref_len - 1]) {
1342 free(ipr, M_CREDENTIALS);
1343 error = EINVAL;
1344 } else {
1345 if (inp->inp_ipo->ipo_dstid != NULL)
1346 ipsp_reffree(inp->inp_ipo->ipo_dstid);
1347 inp->inp_ipo->ipo_dstid = ipr;
1348 }
1349 break;
1350 case IP_IPSEC_LOCAL_CRED:
1351 if (ipr->ref_type < IPSP_CRED_KEYNOTE ||
1352 ipr->ref_type > IPSP_CRED_X509) {
1353 free(ipr, M_CREDENTIALS);
1354 error = EINVAL;
1355 } else {
1356 if (inp->inp_ipo->ipo_local_cred != NULL)
1357 ipsp_reffree(inp->inp_ipo->ipo_local_cred);
1358 inp->inp_ipo->ipo_local_cred = ipr;
1359 }
1360 break;
1361 case IP_IPSEC_LOCAL_AUTH:
1362 if (ipr->ref_type < IPSP_AUTH_PASSPHRASE ||
1363 ipr->ref_type > IPSP_AUTH_RSA) {
1364 free(ipr, M_CREDENTIALS);
1365 error = EINVAL;
1366 } else {
1367 if (inp->inp_ipo->ipo_local_auth != NULL)
1368 ipsp_reffree(inp->inp_ipo->ipo_local_auth);
1369 inp->inp_ipo->ipo_local_auth = ipr;
1370 }
1371 break;
1372 }
1373
1374 /* Unlink cached output TDB to force a re-search */
1375 if (inp->inp_tdb_out) {
1376 int s = spltdb();
1377 TAILQ_REMOVE(&inp->inp_tdb_out->tdb_inp_out,
1378 inp, inp_tdb_out_next);
1379 splx(s);
1380 }
1381
1382 if (inp->inp_tdb_in) {
1383 int s = spltdb();
1384 TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in,
1385 inp, inp_tdb_in_next);
1386 splx(s);
1387 }
1388 #endif
1389 break;
1390 default:
1391 error = ENOPROTOOPT;
1392 break;
1393 }
1394 if (m)
1395 (void)m_free(m);
1396 break;
1397
1398 case PRCO_GETOPT:
1399 switch (optname) {
1400 case IP_OPTIONS:
1401 case IP_RETOPTS:
1402 *mp = m = m_get(M_WAIT, MT_SOOPTS);
1403 if (inp->inp_options) {
1404 m->m_len = inp->inp_options->m_len;
1405 bcopy(mtod(inp->inp_options, caddr_t),
1406 mtod(m, caddr_t), (unsigned)m->m_len);
1407 } else
1408 m->m_len = 0;
1409 break;
1410
1411 case IP_TOS:
1412 case IP_TTL:
1413 case IP_MINTTL:
1414 case IP_RECVOPTS:
1415 case IP_RECVRETOPTS:
1416 case IP_RECVDSTADDR:
1417 case IP_RECVIF:
1418 case IP_RECVTTL:
1419 case IP_RECVDSTPORT:
1420 *mp = m = m_get(M_WAIT, MT_SOOPTS);
1421 m->m_len = sizeof(int);
1422 switch (optname) {
1423
1424 case IP_TOS:
1425 optval = inp->inp_ip.ip_tos;
1426 break;
1427
1428 case IP_TTL:
1429 optval = inp->inp_ip.ip_ttl;
1430 break;
1431
1432 case IP_MINTTL:
1433 optval = inp->inp_ip_minttl;
1434 break;
1435
1436 #define OPTBIT(bit) (inp->inp_flags & bit ? 1 : 0)
1437
1438 case IP_RECVOPTS:
1439 optval = OPTBIT(INP_RECVOPTS);
1440 break;
1441
1442 case IP_RECVRETOPTS:
1443 optval = OPTBIT(INP_RECVRETOPTS);
1444 break;
1445
1446 case IP_RECVDSTADDR:
1447 optval = OPTBIT(INP_RECVDSTADDR);
1448 break;
1449 case IP_RECVIF:
1450 optval = OPTBIT(INP_RECVIF);
1451 break;
1452 case IP_RECVTTL:
1453 optval = OPTBIT(INP_RECVTTL);
1454 break;
1455 case IP_RECVDSTPORT:
1456 optval = OPTBIT(INP_RECVDSTPORT);
1457 break;
1458 }
1459 *mtod(m, int *) = optval;
1460 break;
1461
1462 case IP_MULTICAST_IF:
1463 case IP_MULTICAST_TTL:
1464 case IP_MULTICAST_LOOP:
1465 case IP_ADD_MEMBERSHIP:
1466 case IP_DROP_MEMBERSHIP:
1467 error = ip_getmoptions(optname, inp->inp_moptions, mp);
1468 break;
1469
1470 case IP_PORTRANGE:
1471 *mp = m = m_get(M_WAIT, MT_SOOPTS);
1472 m->m_len = sizeof(int);
1473
1474 if (inp->inp_flags & INP_HIGHPORT)
1475 optval = IP_PORTRANGE_HIGH;
1476 else if (inp->inp_flags & INP_LOWPORT)
1477 optval = IP_PORTRANGE_LOW;
1478 else
1479 optval = 0;
1480
1481 *mtod(m, int *) = optval;
1482 break;
1483
1484 case IP_AUTH_LEVEL:
1485 case IP_ESP_TRANS_LEVEL:
1486 case IP_ESP_NETWORK_LEVEL:
1487 case IP_IPCOMP_LEVEL:
1488 #ifndef IPSEC
1489 m->m_len = sizeof(int);
1490 *mtod(m, int *) = IPSEC_LEVEL_NONE;
1491 #else
1492 m->m_len = sizeof(int);
1493 switch (optname) {
1494 case IP_AUTH_LEVEL:
1495 optval = inp->inp_seclevel[SL_AUTH];
1496 break;
1497
1498 case IP_ESP_TRANS_LEVEL:
1499 optval = inp->inp_seclevel[SL_ESP_TRANS];
1500 break;
1501
1502 case IP_ESP_NETWORK_LEVEL:
1503 optval = inp->inp_seclevel[SL_ESP_NETWORK];
1504 break;
1505 case IP_IPCOMP_LEVEL:
1506 optval = inp->inp_seclevel[SL_IPCOMP];
1507 break;
1508 }
1509 *mtod(m, int *) = optval;
1510 #endif
1511 break;
1512 case IP_IPSEC_LOCAL_ID:
1513 case IP_IPSEC_REMOTE_ID:
1514 case IP_IPSEC_LOCAL_CRED:
1515 case IP_IPSEC_REMOTE_CRED:
1516 case IP_IPSEC_LOCAL_AUTH:
1517 case IP_IPSEC_REMOTE_AUTH:
1518 #ifndef IPSEC
1519 error = EOPNOTSUPP;
1520 #else
1521 *mp = m = m_get(M_WAIT, MT_SOOPTS);
1522 m->m_len = sizeof(u_int16_t);
1523 ipr = NULL;
1524 switch (optname) {
1525 case IP_IPSEC_LOCAL_ID:
1526 if (inp->inp_ipo != NULL)
1527 ipr = inp->inp_ipo->ipo_srcid;
1528 opt16val = IPSP_IDENTITY_NONE;
1529 break;
1530 case IP_IPSEC_REMOTE_ID:
1531 if (inp->inp_ipo != NULL)
1532 ipr = inp->inp_ipo->ipo_dstid;
1533 opt16val = IPSP_IDENTITY_NONE;
1534 break;
1535 case IP_IPSEC_LOCAL_CRED:
1536 if (inp->inp_ipo != NULL)
1537 ipr = inp->inp_ipo->ipo_local_cred;
1538 opt16val = IPSP_CRED_NONE;
1539 break;
1540 case IP_IPSEC_REMOTE_CRED:
1541 ipr = inp->inp_ipsec_remotecred;
1542 opt16val = IPSP_CRED_NONE;
1543 break;
1544 case IP_IPSEC_LOCAL_AUTH:
1545 if (inp->inp_ipo != NULL)
1546 ipr = inp->inp_ipo->ipo_local_auth;
1547 break;
1548 case IP_IPSEC_REMOTE_AUTH:
1549 ipr = inp->inp_ipsec_remoteauth;
1550 break;
1551 }
1552 if (ipr == NULL)
1553 *mtod(m, u_int16_t *) = opt16val;
1554 else {
1555 size_t len;
1556
1557 len = m->m_len + ipr->ref_len;
1558 if (len > MCLBYTES) {
1559 m_free(m);
1560 error = EINVAL;
1561 break;
1562 }
1563 /* allocate mbuf cluster for larger option */
1564 if (len > MLEN) {
1565 MCLGET(m, M_WAITOK);
1566 if ((m->m_flags & M_EXT) == 0) {
1567 m_free(m);
1568 error = ENOBUFS;
1569 break;
1570 }
1571
1572 }
1573 m->m_len = len;
1574 *mtod(m, u_int16_t *) = ipr->ref_type;
1575 m_copyback(m, sizeof(u_int16_t), ipr->ref_len,
1576 ipr + 1);
1577 }
1578 #endif
1579 break;
1580 default:
1581 error = ENOPROTOOPT;
1582 break;
1583 }
1584 break;
1585 }
1586 return (error);
1587 }
1588
1589 /*
1590 * Set up IP options in pcb for insertion in output packets.
1591 * Store in mbuf with pointer in pcbopt, adding pseudo-option
1592 * with destination address if source routed.
1593 */
1594 int
1595 #ifdef notyet
1596 ip_pcbopts(optname, pcbopt, m)
1597 int optname;
1598 #else
1599 ip_pcbopts(pcbopt, m)
1600 #endif
1601 struct mbuf **pcbopt;
1602 struct mbuf *m;
1603 {
1604 int cnt, optlen;
1605 u_char *cp;
1606 u_char opt;
1607
1608 /* turn off any old options */
1609 if (*pcbopt)
1610 (void)m_free(*pcbopt);
1611 *pcbopt = 0;
1612 if (m == (struct mbuf *)0 || m->m_len == 0) {
1613 /*
1614 * Only turning off any previous options.
1615 */
1616 if (m)
1617 (void)m_free(m);
1618 return (0);
1619 }
1620
1621 if (m->m_len % sizeof(int32_t))
1622 goto bad;
1623
1624 /*
1625 * IP first-hop destination address will be stored before
1626 * actual options; move other options back
1627 * and clear it when none present.
1628 */
1629 if (m->m_data + m->m_len + sizeof(struct in_addr) >= &m->m_dat[MLEN])
1630 goto bad;
1631 cnt = m->m_len;
1632 m->m_len += sizeof(struct in_addr);
1633 cp = mtod(m, u_char *) + sizeof(struct in_addr);
1634 ovbcopy(mtod(m, caddr_t), (caddr_t)cp, (unsigned)cnt);
1635 bzero(mtod(m, caddr_t), sizeof(struct in_addr));
1636
1637 for (; cnt > 0; cnt -= optlen, cp += optlen) {
1638 opt = cp[IPOPT_OPTVAL];
1639 if (opt == IPOPT_EOL)
1640 break;
1641 if (opt == IPOPT_NOP)
1642 optlen = 1;
1643 else {
1644 if (cnt < IPOPT_OLEN + sizeof(*cp))
1645 goto bad;
1646 optlen = cp[IPOPT_OLEN];
1647 if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt)
1648 goto bad;
1649 }
1650 switch (opt) {
1651
1652 default:
1653 break;
1654
1655 case IPOPT_LSRR:
1656 case IPOPT_SSRR:
1657 /*
1658 * user process specifies route as:
1659 * ->A->B->C->D
1660 * D must be our final destination (but we can't
1661 * check that since we may not have connected yet).
1662 * A is first hop destination, which doesn't appear in
1663 * actual IP option, but is stored before the options.
1664 */
1665 if (optlen < IPOPT_MINOFF - 1 + sizeof(struct in_addr))
1666 goto bad;
1667 m->m_len -= sizeof(struct in_addr);
1668 cnt -= sizeof(struct in_addr);
1669 optlen -= sizeof(struct in_addr);
1670 cp[IPOPT_OLEN] = optlen;
1671 /*
1672 * Move first hop before start of options.
1673 */
1674 bcopy((caddr_t)&cp[IPOPT_OFFSET+1], mtod(m, caddr_t),
1675 sizeof(struct in_addr));
1676 /*
1677 * Then copy rest of options back
1678 * to close up the deleted entry.
1679 */
1680 ovbcopy((caddr_t)(&cp[IPOPT_OFFSET+1] +
1681 sizeof(struct in_addr)),
1682 (caddr_t)&cp[IPOPT_OFFSET+1],
1683 (unsigned)cnt - (IPOPT_OFFSET+1));
1684 break;
1685 }
1686 }
1687 if (m->m_len > MAX_IPOPTLEN + sizeof(struct in_addr))
1688 goto bad;
1689 *pcbopt = m;
1690 return (0);
1691
1692 bad:
1693 (void)m_free(m);
1694 return (EINVAL);
1695 }
1696
1697 /*
1698 * Set the IP multicast options in response to user setsockopt().
1699 */
1700 int
1701 ip_setmoptions(optname, imop, m)
1702 int optname;
1703 struct ip_moptions **imop;
1704 struct mbuf *m;
1705 {
1706 int error = 0;
1707 u_char loop;
1708 int i;
1709 struct in_addr addr;
1710 struct ip_mreq *mreq;
1711 struct ifnet *ifp;
1712 struct ip_moptions *imo = *imop;
1713 struct in_multi **immp;
1714 struct route ro;
1715 struct sockaddr_in *dst;
1716
1717 if (imo == NULL) {
1718 /*
1719 * No multicast option buffer attached to the pcb;
1720 * allocate one and initialize to default values.
1721 */
1722 imo = (struct ip_moptions *)malloc(sizeof(*imo), M_IPMOPTS,
1723 M_WAITOK|M_ZERO);
1724 immp = (struct in_multi **)malloc(
1725 (sizeof(*immp) * IP_MIN_MEMBERSHIPS), M_IPMOPTS,
1726 M_WAITOK|M_ZERO);
1727 *imop = imo;
1728 imo->imo_multicast_ifp = NULL;
1729 imo->imo_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
1730 imo->imo_multicast_loop = IP_DEFAULT_MULTICAST_LOOP;
1731 imo->imo_num_memberships = 0;
1732 imo->imo_max_memberships = IP_MIN_MEMBERSHIPS;
1733 imo->imo_membership = immp;
1734 }
1735
1736 switch (optname) {
1737
1738 case IP_MULTICAST_IF:
1739 /*
1740 * Select the interface for outgoing multicast packets.
1741 */
1742 if (m == NULL || m->m_len != sizeof(struct in_addr)) {
1743 error = EINVAL;
1744 break;
1745 }
1746 addr = *(mtod(m, struct in_addr *));
1747 /*
1748 * INADDR_ANY is used to remove a previous selection.
1749 * When no interface is selected, a default one is
1750 * chosen every time a multicast packet is sent.
1751 */
1752 if (addr.s_addr == INADDR_ANY) {
1753 imo->imo_multicast_ifp = NULL;
1754 break;
1755 }
1756 /*
1757 * The selected interface is identified by its local
1758 * IP address. Find the interface and confirm that
1759 * it supports multicasting.
1760 */
1761 INADDR_TO_IFP(addr, ifp);
1762 if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0) {
1763 error = EADDRNOTAVAIL;
1764 break;
1765 }
1766 imo->imo_multicast_ifp = ifp;
1767 break;
1768
1769 case IP_MULTICAST_TTL:
1770 /*
1771 * Set the IP time-to-live for outgoing multicast packets.
1772 */
1773 if (m == NULL || m->m_len != 1) {
1774 error = EINVAL;
1775 break;
1776 }
1777 imo->imo_multicast_ttl = *(mtod(m, u_char *));
1778 break;
1779
1780 case IP_MULTICAST_LOOP:
1781 /*
1782 * Set the loopback flag for outgoing multicast packets.
1783 * Must be zero or one.
1784 */
1785 if (m == NULL || m->m_len != 1 ||
1786 (loop = *(mtod(m, u_char *))) > 1) {
1787 error = EINVAL;
1788 break;
1789 }
1790 imo->imo_multicast_loop = loop;
1791 break;
1792
1793 case IP_ADD_MEMBERSHIP:
1794 /*
1795 * Add a multicast group membership.
1796 * Group must be a valid IP multicast address.
1797 */
1798 if (m == NULL || m->m_len != sizeof(struct ip_mreq)) {
1799 error = EINVAL;
1800 break;
1801 }
1802 mreq = mtod(m, struct ip_mreq *);
1803 if (!IN_MULTICAST(mreq->imr_multiaddr.s_addr)) {
1804 error = EINVAL;
1805 break;
1806 }
1807 /*
1808 * If no interface address was provided, use the interface of
1809 * the route to the given multicast address.
1810 */
1811 if (mreq->imr_interface.s_addr == INADDR_ANY) {
1812 ro.ro_rt = NULL;
1813 dst = satosin(&ro.ro_dst);
1814 dst->sin_len = sizeof(*dst);
1815 dst->sin_family = AF_INET;
1816 dst->sin_addr = mreq->imr_multiaddr;
1817 rtalloc(&ro);
1818 if (ro.ro_rt == NULL) {
1819 error = EADDRNOTAVAIL;
1820 break;
1821 }
1822 ifp = ro.ro_rt->rt_ifp;
1823 rtfree(ro.ro_rt);
1824 } else {
1825 INADDR_TO_IFP(mreq->imr_interface, ifp);
1826 }
1827 /*
1828 * See if we found an interface, and confirm that it
1829 * supports multicast.
1830 */
1831 if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0) {
1832 error = EADDRNOTAVAIL;
1833 break;
1834 }
1835 /*
1836 * See if the membership already exists or if all the
1837 * membership slots are full.
1838 */
1839 for (i = 0; i < imo->imo_num_memberships; ++i) {
1840 if (imo->imo_membership[i]->inm_ia->ia_ifp == ifp &&
1841 imo->imo_membership[i]->inm_addr.s_addr
1842 == mreq->imr_multiaddr.s_addr)
1843 break;
1844 }
1845 if (i < imo->imo_num_memberships) {
1846 error = EADDRINUSE;
1847 break;
1848 }
1849 if (imo->imo_num_memberships == imo->imo_max_memberships) {
1850 struct in_multi **nmships, **omships;
1851 size_t newmax;
1852 /*
1853 * Resize the vector to next power-of-two minus 1. If the
1854 * size would exceed the maximum then we know we've really
1855 * run out of entries. Otherwise, we reallocate the vector.
1856 */
1857 nmships = NULL;
1858 omships = imo->imo_membership;
1859 newmax = ((imo->imo_max_memberships + 1) * 2) - 1;
1860 if (newmax <= IP_MAX_MEMBERSHIPS) {
1861 nmships = (struct in_multi **)malloc(
1862 sizeof(*nmships) * newmax, M_IPMOPTS,
1863 M_NOWAIT|M_ZERO);
1864 if (nmships != NULL) {
1865 bcopy(omships, nmships,
1866 sizeof(*omships) *
1867 imo->imo_max_memberships);
1868 free(omships, M_IPMOPTS);
1869 imo->imo_membership = nmships;
1870 imo->imo_max_memberships = newmax;
1871 }
1872 }
1873 if (nmships == NULL) {
1874 error = ETOOMANYREFS;
1875 break;
1876 }
1877 }
1878 /*
1879 * Everything looks good; add a new record to the multicast
1880 * address list for the given interface.
1881 */
1882 if ((imo->imo_membership[i] =
1883 in_addmulti(&mreq->imr_multiaddr, ifp)) == NULL) {
1884 error = ENOBUFS;
1885 break;
1886 }
1887 ++imo->imo_num_memberships;
1888 break;
1889
1890 case IP_DROP_MEMBERSHIP:
1891 /*
1892 * Drop a multicast group membership.
1893 * Group must be a valid IP multicast address.
1894 */
1895 if (m == NULL || m->m_len != sizeof(struct ip_mreq)) {
1896 error = EINVAL;
1897 break;
1898 }
1899 mreq = mtod(m, struct ip_mreq *);
1900 if (!IN_MULTICAST(mreq->imr_multiaddr.s_addr)) {
1901 error = EINVAL;
1902 break;
1903 }
1904 /*
1905 * If an interface address was specified, get a pointer
1906 * to its ifnet structure.
1907 */
1908 if (mreq->imr_interface.s_addr == INADDR_ANY)
1909 ifp = NULL;
1910 else {
1911 INADDR_TO_IFP(mreq->imr_interface, ifp);
1912 if (ifp == NULL) {
1913 error = EADDRNOTAVAIL;
1914 break;
1915 }
1916 }
1917 /*
1918 * Find the membership in the membership array.
1919 */
1920 for (i = 0; i < imo->imo_num_memberships; ++i) {
1921 if ((ifp == NULL ||
1922 imo->imo_membership[i]->inm_ia->ia_ifp == ifp) &&
1923 imo->imo_membership[i]->inm_addr.s_addr ==
1924 mreq->imr_multiaddr.s_addr)
1925 break;
1926 }
1927 if (i == imo->imo_num_memberships) {
1928 error = EADDRNOTAVAIL;
1929 break;
1930 }
1931 /*
1932 * Give up the multicast address record to which the
1933 * membership points.
1934 */
1935 in_delmulti(imo->imo_membership[i]);
1936 /*
1937 * Remove the gap in the membership array.
1938 */
1939 for (++i; i < imo->imo_num_memberships; ++i)
1940 imo->imo_membership[i-1] = imo->imo_membership[i];
1941 --imo->imo_num_memberships;
1942 break;
1943
1944 default:
1945 error = EOPNOTSUPP;
1946 break;
1947 }
1948
1949 /*
1950 * If all options have default values, no need to keep the data.
1951 */
1952 if (imo->imo_multicast_ifp == NULL &&
1953 imo->imo_multicast_ttl == IP_DEFAULT_MULTICAST_TTL &&
1954 imo->imo_multicast_loop == IP_DEFAULT_MULTICAST_LOOP &&
1955 imo->imo_num_memberships == 0) {
1956 free(imo->imo_membership , M_IPMOPTS);
1957 free(*imop, M_IPMOPTS);
1958 *imop = NULL;
1959 }
1960
1961 return (error);
1962 }
1963
1964 /*
1965 * Return the IP multicast options in response to user getsockopt().
1966 */
1967 int
1968 ip_getmoptions(optname, imo, mp)
1969 int optname;
1970 struct ip_moptions *imo;
1971 struct mbuf **mp;
1972 {
1973 u_char *ttl;
1974 u_char *loop;
1975 struct in_addr *addr;
1976 struct in_ifaddr *ia;
1977
1978 *mp = m_get(M_WAIT, MT_SOOPTS);
1979
1980 switch (optname) {
1981
1982 case IP_MULTICAST_IF:
1983 addr = mtod(*mp, struct in_addr *);
1984 (*mp)->m_len = sizeof(struct in_addr);
1985 if (imo == NULL || imo->imo_multicast_ifp == NULL)
1986 addr->s_addr = INADDR_ANY;
1987 else {
1988 IFP_TO_IA(imo->imo_multicast_ifp, ia);
1989 addr->s_addr = (ia == NULL) ? INADDR_ANY
1990 : ia->ia_addr.sin_addr.s_addr;
1991 }
1992 return (0);
1993
1994 case IP_MULTICAST_TTL:
1995 ttl = mtod(*mp, u_char *);
1996 (*mp)->m_len = 1;
1997 *ttl = (imo == NULL) ? IP_DEFAULT_MULTICAST_TTL
1998 : imo->imo_multicast_ttl;
1999 return (0);
2000
2001 case IP_MULTICAST_LOOP:
2002 loop = mtod(*mp, u_char *);
2003 (*mp)->m_len = 1;
2004 *loop = (imo == NULL) ? IP_DEFAULT_MULTICAST_LOOP
2005 : imo->imo_multicast_loop;
2006 return (0);
2007
2008 default:
2009 return (EOPNOTSUPP);
2010 }
2011 }
2012
2013 /*
2014 * Discard the IP multicast options.
2015 */
2016 void
2017 ip_freemoptions(imo)
2018 struct ip_moptions *imo;
2019 {
2020 int i;
2021
2022 if (imo != NULL) {
2023 for (i = 0; i < imo->imo_num_memberships; ++i)
2024 in_delmulti(imo->imo_membership[i]);
2025 free(imo->imo_membership, M_IPMOPTS);
2026 free(imo, M_IPMOPTS);
2027 }
2028 }
2029
2030 /*
2031 * Routine called from ip_output() to loop back a copy of an IP multicast
2032 * packet to the input queue of a specified interface. Note that this
2033 * calls the output routine of the loopback "driver", but with an interface
2034 * pointer that might NOT be &loif -- easier than replicating that code here.
2035 */
2036 void
2037 ip_mloopback(ifp, m, dst)
2038 struct ifnet *ifp;
2039 struct mbuf *m;
2040 struct sockaddr_in *dst;
2041 {
2042 struct ip *ip;
2043 struct mbuf *copym;
2044
2045 copym = m_copym2(m, 0, M_COPYALL, M_DONTWAIT);
2046 if (copym != NULL) {
2047 /*
2048 * We don't bother to fragment if the IP length is greater
2049 * than the interface's MTU. Can this possibly matter?
2050 */
2051 ip = mtod(copym, struct ip *);
2052 ip->ip_sum = 0;
2053 ip->ip_sum = in_cksum(copym, ip->ip_hl << 2);
2054 (void) looutput(ifp, copym, sintosa(dst), NULL);
2055 }
2056 }
2057
2058 /*
2059 * Process a delayed payload checksum calculation.
2060 */
2061 void
2062 in_delayed_cksum(struct mbuf *m)
2063 {
2064 struct ip *ip;
2065 u_int16_t csum, offset;
2066
2067 ip = mtod(m, struct ip *);
2068 offset = ip->ip_hl << 2;
2069 csum = in4_cksum(m, 0, offset, m->m_pkthdr.len - offset);
2070 if (csum == 0 && ip->ip_p == IPPROTO_UDP)
2071 csum = 0xffff;
2072
2073 switch (ip->ip_p) {
2074 case IPPROTO_TCP:
2075 offset += offsetof(struct tcphdr, th_sum);
2076 break;
2077
2078 case IPPROTO_UDP:
2079 offset += offsetof(struct udphdr, uh_sum);
2080 break;
2081
2082 default:
2083 return;
2084 }
2085
2086 if ((offset + sizeof(u_int16_t)) > m->m_len)
2087 m_copyback(m, offset, sizeof(csum), &csum);
2088 else
2089 *(u_int16_t *)(mtod(m, caddr_t) + offset) = csum;
2090 }
Cache object: ad4acf3e2d1d152308066bc93ce7e0b0
|