The Design and Implementation of the FreeBSD Operating System, Second Edition
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netinet/ip_output.c

Version: -  FREEBSD  -  FREEBSD10  -  FREEBSD9  -  FREEBSD92  -  FREEBSD91  -  FREEBSD90  -  FREEBSD8  -  FREEBSD82  -  FREEBSD81  -  FREEBSD80  -  FREEBSD7  -  FREEBSD74  -  FREEBSD73  -  FREEBSD72  -  FREEBSD71  -  FREEBSD70  -  FREEBSD6  -  FREEBSD64  -  FREEBSD63  -  FREEBSD62  -  FREEBSD61  -  FREEBSD60  -  FREEBSD5  -  FREEBSD55  -  FREEBSD54  -  FREEBSD53  -  FREEBSD52  -  FREEBSD51  -  FREEBSD50  -  FREEBSD4  -  FREEBSD3  -  FREEBSD22  -  cheribsd  -  linux-2.6  -  linux-2.4.22  -  MK83  -  MK84  -  PLAN9  -  DFBSD  -  NETBSD  -  NETBSD5  -  NETBSD4  -  NETBSD3  -  NETBSD20  -  OPENBSD  -  xnu-517  -  xnu-792  -  xnu-792.6.70  -  xnu-1228  -  xnu-1456.1.26  -  xnu-1699.24.8  -  xnu-2050.18.24  -  OPENSOLARIS  -  minix-3-1-1  -  FREEBSD-LIBC  -  FREEBSD8-LIBC  -  FREEBSD7-LIBC  -  FREEBSD6-LIBC  -  GLIBC27 
SearchContext: -  none  -  3  -  10 

    1 /*      $OpenBSD: ip_output.c,v 1.191 2008/05/09 02:56:36 markus Exp $  */
    2 /*      $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $  */
    3 
    4 /*
    5  * Copyright (c) 1982, 1986, 1988, 1990, 1993
    6  *      The Regents of the University of California.  All rights reserved.
    7  *
    8  * Redistribution and use in source and binary forms, with or without
    9  * modification, are permitted provided that the following conditions
   10  * are met:
   11  * 1. Redistributions of source code must retain the above copyright
   12  *    notice, this list of conditions and the following disclaimer.
   13  * 2. Redistributions in binary form must reproduce the above copyright
   14  *    notice, this list of conditions and the following disclaimer in the
   15  *    documentation and/or other materials provided with the distribution.
   16  * 3. Neither the name of the University nor the names of its contributors
   17  *    may be used to endorse or promote products derived from this software
   18  *    without specific prior written permission.
   19  *
   20  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
   21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
   24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   30  * SUCH DAMAGE.
   31  *
   32  *      @(#)ip_output.c 8.3 (Berkeley) 1/21/94
   33  */
   34 
   35 #include "pf.h"
   36 
   37 #include <sys/param.h>
   38 #include <sys/systm.h>
   39 #include <sys/mbuf.h>
   40 #include <sys/protosw.h>
   41 #include <sys/socket.h>
   42 #include <sys/socketvar.h>
   43 #include <sys/proc.h>
   44 #include <sys/kernel.h>
   45 
   46 #include <net/if.h>
   47 #include <net/if_enc.h>
   48 #include <net/route.h>
   49 
   50 #include <netinet/in.h>
   51 #include <netinet/in_systm.h>
   52 #include <netinet/ip.h>
   53 #include <netinet/in_pcb.h>
   54 #include <netinet/in_var.h>
   55 #include <netinet/ip_var.h>
   56 #include <netinet/ip_icmp.h>
   57 #include <netinet/tcp.h>
   58 #include <netinet/udp.h>
   59 #include <netinet/tcp_timer.h>
   60 #include <netinet/tcp_var.h>
   61 #include <netinet/udp_var.h>
   62 
   63 #if NPF > 0
   64 #include <net/pfvar.h>
   65 #endif
   66 
   67 #ifdef IPSEC
   68 #ifdef ENCDEBUG
   69 #define DPRINTF(x)    do { if (encdebug) printf x ; } while (0)
   70 #else
   71 #define DPRINTF(x)
   72 #endif
   73 
   74 extern u_int8_t get_sa_require(struct inpcb *);
   75 
   76 extern int ipsec_auth_default_level;
   77 extern int ipsec_esp_trans_default_level;
   78 extern int ipsec_esp_network_default_level;
   79 extern int ipsec_ipcomp_default_level;
   80 extern int ipforwarding;
   81 #endif /* IPSEC */
   82 
   83 #ifdef MROUTING
   84 extern int ipmforwarding;
   85 #endif
   86 
   87 struct mbuf *ip_insertoptions(struct mbuf *, struct mbuf *, int *);
   88 void ip_mloopback(struct ifnet *, struct mbuf *, struct sockaddr_in *);
   89 
   90 /*
   91  * IP output.  The packet in mbuf chain m contains a skeletal IP
   92  * header (with len, off, ttl, proto, tos, src, dst).
   93  * The mbuf chain containing the packet will be freed.
   94  * The mbuf opt, if present, will not be freed.
   95  */
   96 int
   97 ip_output(struct mbuf *m0, ...)
   98 {
   99         struct ip *ip;
  100         struct ifnet *ifp;
  101         struct mbuf *m = m0;
  102         int hlen = sizeof (struct ip);
  103         int len, error = 0;
  104         struct route iproute;
  105         struct sockaddr_in *dst;
  106         struct in_ifaddr *ia;
  107         struct mbuf *opt;
  108         struct route *ro;
  109         int flags;
  110         struct ip_moptions *imo;
  111         va_list ap;
  112         u_int8_t sproto = 0, donerouting = 0;
  113         u_long mtu;
  114 #ifdef IPSEC
  115         u_int32_t icmp_mtu = 0;
  116         union sockaddr_union sdst;
  117         u_int32_t sspi;
  118         struct m_tag *mtag;
  119         struct tdb_ident *tdbi;
  120 
  121         struct inpcb *inp;
  122         struct tdb *tdb;
  123         int s;
  124 #endif /* IPSEC */
  125 
  126         va_start(ap, m0);
  127         opt = va_arg(ap, struct mbuf *);
  128         ro = va_arg(ap, struct route *);
  129         flags = va_arg(ap, int);
  130         imo = va_arg(ap, struct ip_moptions *);
  131 #ifdef IPSEC
  132         inp = va_arg(ap, struct inpcb *);
  133         if (inp && (inp->inp_flags & INP_IPV6) != 0)
  134                 panic("ip_output: IPv6 pcb is passed");
  135 #endif /* IPSEC */
  136         va_end(ap);
  137 
  138 #ifdef  DIAGNOSTIC
  139         if ((m->m_flags & M_PKTHDR) == 0)
  140                 panic("ip_output no HDR");
  141 #endif
  142         if (opt) {
  143                 m = ip_insertoptions(m, opt, &len);
  144                 hlen = len;
  145         }
  146 
  147         ip = mtod(m, struct ip *);
  148 
  149         /*
  150          * Fill in IP header.
  151          */
  152         if ((flags & (IP_FORWARDING|IP_RAWOUTPUT)) == 0) {
  153                 ip->ip_v = IPVERSION;
  154                 ip->ip_off &= htons(IP_DF);
  155                 ip->ip_id = htons(ip_randomid());
  156                 ip->ip_hl = hlen >> 2;
  157                 ipstat.ips_localout++;
  158         } else {
  159                 hlen = ip->ip_hl << 2;
  160         }
  161 
  162         /*
  163          * If we're missing the IP source address, do a route lookup. We'll
  164          * remember this result, in case we don't need to do any IPsec
  165          * processing on the packet. We need the source address so we can
  166          * do an SPD lookup in IPsec; for most packets, the source address
  167          * is set at a higher level protocol. ICMPs and other packets
  168          * though (e.g., traceroute) have a source address of zeroes.
  169          */
  170         if (ip->ip_src.s_addr == INADDR_ANY) {
  171                 if (flags & IP_ROUTETOETHER) {
  172                         error = EINVAL;
  173                         goto bad;
  174                 }
  175                 donerouting = 1;
  176 
  177                 if (ro == 0) {
  178                         ro = &iproute;
  179                         bzero((caddr_t)ro, sizeof (*ro));
  180                 }
  181 
  182                 dst = satosin(&ro->ro_dst);
  183 
  184                 /*
  185                  * If there is a cached route, check that it is to the same
  186                  * destination and is still up.  If not, free it and try again.
  187                  */
  188                 if (ro->ro_rt && ((ro->ro_rt->rt_flags & RTF_UP) == 0 ||
  189                                   dst->sin_addr.s_addr != ip->ip_dst.s_addr)) {
  190                         RTFREE(ro->ro_rt);
  191                         ro->ro_rt = (struct rtentry *)0;
  192                 }
  193 
  194                 if (ro->ro_rt == 0) {
  195                         dst->sin_family = AF_INET;
  196                         dst->sin_len = sizeof(*dst);
  197                         dst->sin_addr = ip->ip_dst;
  198                 }
  199 
  200                 /*
  201                  * If routing to interface only, short-circuit routing lookup.
  202                  */
  203                 if (flags & IP_ROUTETOIF) {
  204                         if ((ia = ifatoia(ifa_ifwithdstaddr(sintosa(dst)))) == 0 &&
  205                             (ia = ifatoia(ifa_ifwithnet(sintosa(dst)))) == 0) {
  206                             ipstat.ips_noroute++;
  207                             error = ENETUNREACH;
  208                             goto bad;
  209                         }
  210 
  211                         ifp = ia->ia_ifp;
  212                         mtu = ifp->if_mtu;
  213                         ip->ip_ttl = 1;
  214                 } else if ((IN_MULTICAST(ip->ip_dst.s_addr) ||
  215                     (ip->ip_dst.s_addr == INADDR_BROADCAST)) &&
  216                     imo != NULL && imo->imo_multicast_ifp != NULL) {
  217                         ifp = imo->imo_multicast_ifp;
  218                         mtu = ifp->if_mtu;
  219                         IFP_TO_IA(ifp, ia);
  220                 } else {
  221                         if (ro->ro_rt == 0)
  222                                 rtalloc_mpath(ro, NULL, 0);
  223 
  224                         if (ro->ro_rt == 0) {
  225                                 ipstat.ips_noroute++;
  226                                 error = EHOSTUNREACH;
  227                                 goto bad;
  228                         }
  229 
  230                         ia = ifatoia(ro->ro_rt->rt_ifa);
  231                         ifp = ro->ro_rt->rt_ifp;
  232                         if ((mtu = ro->ro_rt->rt_rmx.rmx_mtu) == 0)
  233                                 mtu = ifp->if_mtu;
  234                         ro->ro_rt->rt_use++;
  235 
  236                         if (ro->ro_rt->rt_flags & RTF_GATEWAY)
  237                                 dst = satosin(ro->ro_rt->rt_gateway);
  238                 }
  239 
  240                 /* Set the source IP address */
  241                 if (!IN_MULTICAST(ip->ip_dst.s_addr))
  242                         ip->ip_src = ia->ia_addr.sin_addr;
  243         }
  244 
  245 #ifdef IPSEC
  246         if (!ipsec_in_use && inp == NULL)
  247                 goto done_spd;
  248 
  249         /*
  250          * splnet is chosen over spltdb because we are not allowed to
  251          * lower the level, and udp_output calls us in splnet().
  252          */
  253         s = splnet();
  254 
  255         /* Do we have any pending SAs to apply ? */
  256         mtag = m_tag_find(m, PACKET_TAG_IPSEC_PENDING_TDB, NULL);
  257         if (mtag != NULL) {
  258 #ifdef DIAGNOSTIC
  259                 if (mtag->m_tag_len != sizeof (struct tdb_ident))
  260                         panic("ip_output: tag of length %d (should be %d",
  261                             mtag->m_tag_len, sizeof (struct tdb_ident));
  262 #endif
  263                 tdbi = (struct tdb_ident *)(mtag + 1);
  264                 tdb = gettdb(tdbi->spi, &tdbi->dst, tdbi->proto);
  265                 if (tdb == NULL)
  266                         error = -EINVAL;
  267                 m_tag_delete(m, mtag);
  268         }
  269         else
  270                 tdb = ipsp_spd_lookup(m, AF_INET, hlen, &error,
  271                     IPSP_DIRECTION_OUT, NULL, inp);
  272 
  273         if (tdb == NULL) {
  274                 splx(s);
  275 
  276                 if (error == 0) {
  277                         /*
  278                          * No IPsec processing required, we'll just send the
  279                          * packet out.
  280                          */
  281                         sproto = 0;
  282 
  283                         /* Fall through to routing/multicast handling */
  284                 } else {
  285                         /*
  286                          * -EINVAL is used to indicate that the packet should
  287                          * be silently dropped, typically because we've asked
  288                          * key management for an SA.
  289                          */
  290                         if (error == -EINVAL) /* Should silently drop packet */
  291                           error = 0;
  292 
  293                         m_freem(m);
  294                         goto done;
  295                 }
  296         } else {
  297                 /* Loop detection */
  298                 for (mtag = m_tag_first(m); mtag != NULL;
  299                     mtag = m_tag_next(m, mtag)) {
  300                         if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE &&
  301                             mtag->m_tag_id !=
  302                             PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED)
  303                                 continue;
  304                         tdbi = (struct tdb_ident *)(mtag + 1);
  305                         if (tdbi->spi == tdb->tdb_spi &&
  306                             tdbi->proto == tdb->tdb_sproto &&
  307                             !bcmp(&tdbi->dst, &tdb->tdb_dst,
  308                             sizeof(union sockaddr_union))) {
  309                                 splx(s);
  310                                 sproto = 0; /* mark as no-IPsec-needed */
  311                                 goto done_spd;
  312                         }
  313                 }
  314 
  315                 /* We need to do IPsec */
  316                 bcopy(&tdb->tdb_dst, &sdst, sizeof(sdst));
  317                 sspi = tdb->tdb_spi;
  318                 sproto = tdb->tdb_sproto;
  319                 splx(s);
  320 
  321                 /*
  322                  * If it needs TCP/UDP hardware-checksumming, do the
  323                  * computation now.
  324                  */
  325                 if (m->m_pkthdr.csum_flags & (M_TCPV4_CSUM_OUT | M_UDPV4_CSUM_OUT)) {
  326                         in_delayed_cksum(m);
  327                         m->m_pkthdr.csum_flags &=
  328                             ~(M_UDPV4_CSUM_OUT | M_TCPV4_CSUM_OUT);
  329                 }
  330 
  331                 /* If it's not a multicast packet, try to fast-path */
  332                 if (!IN_MULTICAST(ip->ip_dst.s_addr)) {
  333                         goto sendit;
  334                 }
  335         }
  336 
  337         /* Fall through to the routing/multicast handling code */
  338  done_spd:
  339 #endif /* IPSEC */
  340 
  341         if (flags & IP_ROUTETOETHER) {
  342                 dst = satosin(&ro->ro_dst);
  343                 ifp = ro->ro_rt->rt_ifp;
  344                 mtu = ifp->if_mtu;
  345                 ro->ro_rt = NULL;
  346         } else if (donerouting == 0) {
  347                 if (ro == 0) {
  348                         ro = &iproute;
  349                         bzero((caddr_t)ro, sizeof (*ro));
  350                 }
  351 
  352                 dst = satosin(&ro->ro_dst);
  353 
  354                 /*
  355                  * If there is a cached route, check that it is to the same
  356                  * destination and is still up.  If not, free it and try again.
  357                  */
  358                 if (ro->ro_rt && ((ro->ro_rt->rt_flags & RTF_UP) == 0 ||
  359                                   dst->sin_addr.s_addr != ip->ip_dst.s_addr)) {
  360                         RTFREE(ro->ro_rt);
  361                         ro->ro_rt = (struct rtentry *)0;
  362                 }
  363 
  364                 if (ro->ro_rt == 0) {
  365                         dst->sin_family = AF_INET;
  366                         dst->sin_len = sizeof(*dst);
  367                         dst->sin_addr = ip->ip_dst;
  368                 }
  369 
  370                 /*
  371                  * If routing to interface only, short-circuit routing lookup.
  372                  */
  373                 if (flags & IP_ROUTETOIF) {
  374                         if ((ia = ifatoia(ifa_ifwithdstaddr(sintosa(dst)))) == 0 &&
  375                             (ia = ifatoia(ifa_ifwithnet(sintosa(dst)))) == 0) {
  376                             ipstat.ips_noroute++;
  377                             error = ENETUNREACH;
  378                             goto bad;
  379                         }
  380 
  381                         ifp = ia->ia_ifp;
  382                         mtu = ifp->if_mtu;
  383                         ip->ip_ttl = 1;
  384                 } else if ((IN_MULTICAST(ip->ip_dst.s_addr) ||
  385                     (ip->ip_dst.s_addr == INADDR_BROADCAST)) &&
  386                     imo != NULL && imo->imo_multicast_ifp != NULL) {
  387                         ifp = imo->imo_multicast_ifp;
  388                         mtu = ifp->if_mtu;
  389                         IFP_TO_IA(ifp, ia);
  390                 } else {
  391                         if (ro->ro_rt == 0)
  392                                 rtalloc_mpath(ro, &ip->ip_src.s_addr, 0);
  393 
  394                         if (ro->ro_rt == 0) {
  395                                 ipstat.ips_noroute++;
  396                                 error = EHOSTUNREACH;
  397                                 goto bad;
  398                         }
  399 
  400                         ia = ifatoia(ro->ro_rt->rt_ifa);
  401                         ifp = ro->ro_rt->rt_ifp;
  402                         if ((mtu = ro->ro_rt->rt_rmx.rmx_mtu) == 0)
  403                                 mtu = ifp->if_mtu;
  404                         ro->ro_rt->rt_use++;
  405 
  406                         if (ro->ro_rt->rt_flags & RTF_GATEWAY)
  407                                 dst = satosin(ro->ro_rt->rt_gateway);
  408                 }
  409 
  410                 /* Set the source IP address */
  411                 if (ip->ip_src.s_addr == INADDR_ANY)
  412                         ip->ip_src = ia->ia_addr.sin_addr;
  413         }
  414 
  415         if (IN_MULTICAST(ip->ip_dst.s_addr) ||
  416             (ip->ip_dst.s_addr == INADDR_BROADCAST)) {
  417                 struct in_multi *inm;
  418 
  419                 m->m_flags |= (ip->ip_dst.s_addr == INADDR_BROADCAST) ?
  420                         M_BCAST : M_MCAST;
  421 
  422                 /*
  423                  * IP destination address is multicast.  Make sure "dst"
  424                  * still points to the address in "ro".  (It may have been
  425                  * changed to point to a gateway address, above.)
  426                  */
  427                 dst = satosin(&ro->ro_dst);
  428 
  429                 /*
  430                  * See if the caller provided any multicast options
  431                  */
  432                 if (imo != NULL)
  433                         ip->ip_ttl = imo->imo_multicast_ttl;
  434                 else
  435                         ip->ip_ttl = IP_DEFAULT_MULTICAST_TTL;
  436 
  437                 /*
  438                  * if we don't know the outgoing ifp yet, we can't generate
  439                  * output
  440                  */
  441                 if (!ifp) {
  442                         ipstat.ips_noroute++;
  443                         error = EHOSTUNREACH;
  444                         goto bad;
  445                 }
  446 
  447                 /*
  448                  * Confirm that the outgoing interface supports multicast,
  449                  * but only if the packet actually is going out on that
  450                  * interface (i.e., no IPsec is applied).
  451                  */
  452                 if ((((m->m_flags & M_MCAST) &&
  453                       (ifp->if_flags & IFF_MULTICAST) == 0) ||
  454                      ((m->m_flags & M_BCAST) &&
  455                       (ifp->if_flags & IFF_BROADCAST) == 0)) && (sproto == 0)) {
  456                         ipstat.ips_noroute++;
  457                         error = ENETUNREACH;
  458                         goto bad;
  459                 }
  460 
  461                 /*
  462                  * If source address not specified yet, use address
  463                  * of outgoing interface.
  464                  */
  465                 if (ip->ip_src.s_addr == INADDR_ANY) {
  466                         struct in_ifaddr *ia;
  467 
  468                         TAILQ_FOREACH(ia, &in_ifaddr, ia_list)
  469                                 if (ia->ia_ifp == ifp) {
  470                                         ip->ip_src = ia->ia_addr.sin_addr;
  471                                         break;
  472                                 }
  473                 }
  474 
  475                 IN_LOOKUP_MULTI(ip->ip_dst, ifp, inm);
  476                 if (inm != NULL &&
  477                    (imo == NULL || imo->imo_multicast_loop)) {
  478                         /*
  479                          * If we belong to the destination multicast group
  480                          * on the outgoing interface, and the caller did not
  481                          * forbid loopback, loop back a copy.
  482                          * Can't defer TCP/UDP checksumming, do the
  483                          * computation now.
  484                          */
  485                         if (m->m_pkthdr.csum_flags &
  486                             (M_TCPV4_CSUM_OUT | M_UDPV4_CSUM_OUT)) {
  487                                 in_delayed_cksum(m);
  488                                 m->m_pkthdr.csum_flags &=
  489                                     ~(M_UDPV4_CSUM_OUT | M_TCPV4_CSUM_OUT);
  490                         }
  491                         ip_mloopback(ifp, m, dst);
  492                 }
  493 #ifdef MROUTING
  494                 else {
  495                         /*
  496                          * If we are acting as a multicast router, perform
  497                          * multicast forwarding as if the packet had just
  498                          * arrived on the interface to which we are about
  499                          * to send.  The multicast forwarding function
  500                          * recursively calls this function, using the
  501                          * IP_FORWARDING flag to prevent infinite recursion.
  502                          *
  503                          * Multicasts that are looped back by ip_mloopback(),
  504                          * above, will be forwarded by the ip_input() routine,
  505                          * if necessary.
  506                          */
  507                         extern struct socket *ip_mrouter;
  508 
  509                         if (ipmforwarding && ip_mrouter &&
  510                             (flags & IP_FORWARDING) == 0) {
  511                                 if (ip_mforward(m, ifp) != 0) {
  512                                         m_freem(m);
  513                                         goto done;
  514                                 }
  515                         }
  516                 }
  517 #endif
  518                 /*
  519                  * Multicasts with a time-to-live of zero may be looped-
  520                  * back, above, but must not be transmitted on a network.
  521                  * Also, multicasts addressed to the loopback interface
  522                  * are not sent -- the above call to ip_mloopback() will
  523                  * loop back a copy if this host actually belongs to the
  524                  * destination group on the loopback interface.
  525                  */
  526                 if (ip->ip_ttl == 0 || (ifp->if_flags & IFF_LOOPBACK) != 0) {
  527                         m_freem(m);
  528                         goto done;
  529                 }
  530 
  531                 goto sendit;
  532         }
  533 
  534         /*
  535          * Look for broadcast address and and verify user is allowed to send
  536          * such a packet; if the packet is going in an IPsec tunnel, skip
  537          * this check.
  538          */
  539         if ((sproto == 0) && (in_broadcast(dst->sin_addr, ifp))) {
  540                 if ((ifp->if_flags & IFF_BROADCAST) == 0) {
  541                         error = EADDRNOTAVAIL;
  542                         goto bad;
  543                 }
  544                 if ((flags & IP_ALLOWBROADCAST) == 0) {
  545                         error = EACCES;
  546                         goto bad;
  547                 }
  548 
  549                 /* Don't allow broadcast messages to be fragmented */
  550                 if (ntohs(ip->ip_len) > ifp->if_mtu) {
  551                         error = EMSGSIZE;
  552                         goto bad;
  553                 }
  554                 m->m_flags |= M_BCAST;
  555         } else
  556                 m->m_flags &= ~M_BCAST;
  557 
  558 sendit:
  559         /*
  560          * If we're doing Path MTU discovery, we need to set DF unless
  561          * the route's MTU is locked.
  562          */
  563         if ((flags & IP_MTUDISC) && ro && ro->ro_rt &&
  564             (ro->ro_rt->rt_rmx.rmx_locks & RTV_MTU) == 0)
  565                 ip->ip_off |= htons(IP_DF);
  566 
  567 #ifdef IPSEC
  568         /*
  569          * Check if the packet needs encapsulation.
  570          */
  571         if (sproto != 0) {
  572                 s = splnet();
  573 
  574                 /*
  575                  * Packet filter
  576                  */
  577 #if NPF > 0
  578 
  579                 if (pf_test(PF_OUT, &encif[0].sc_if, &m, NULL) != PF_PASS) {
  580                         error = EHOSTUNREACH;
  581                         splx(s);
  582                         m_freem(m);
  583                         goto done;
  584                 }
  585                 if (m == NULL) {
  586                         splx(s);
  587                         goto done;
  588                 }
  589                 ip = mtod(m, struct ip *);
  590                 hlen = ip->ip_hl << 2;
  591 #endif
  592 
  593                 tdb = gettdb(sspi, &sdst, sproto);
  594                 if (tdb == NULL) {
  595                         DPRINTF(("ip_output: unknown TDB"));
  596                         error = EHOSTUNREACH;
  597                         splx(s);
  598                         m_freem(m);
  599                         goto done;
  600                 }
  601 
  602                 /* Check if we are allowed to fragment */
  603                 if (ip_mtudisc && (ip->ip_off & htons(IP_DF)) && tdb->tdb_mtu &&
  604                     ntohs(ip->ip_len) > tdb->tdb_mtu &&
  605                     tdb->tdb_mtutimeout > time_second) {
  606                         struct rtentry *rt = NULL;
  607                         int rt_mtucloned = 0;
  608                         int transportmode = 0;
  609 
  610                         transportmode = (tdb->tdb_dst.sa.sa_family == AF_INET) &&
  611                             (tdb->tdb_dst.sin.sin_addr.s_addr ==
  612                             ip->ip_dst.s_addr);
  613                         icmp_mtu = tdb->tdb_mtu;
  614                         splx(s);
  615 
  616                         /* Find a host route to store the mtu in */
  617                         if (ro != NULL)
  618                                 rt = ro->ro_rt;
  619                         /* but don't add a PMTU route for transport mode SAs */
  620                         if (transportmode)
  621                                 rt = NULL;
  622                         else if (rt == NULL || (rt->rt_flags & RTF_HOST) == 0) {
  623                                 struct sockaddr_in dst = {
  624                                         sizeof(struct sockaddr_in), AF_INET};
  625                                 dst.sin_addr = ip->ip_dst;
  626                                 rt = icmp_mtudisc_clone((struct sockaddr *)&dst);
  627                                 rt_mtucloned = 1;
  628                         }
  629                         DPRINTF(("ip_output: spi %08x mtu %d rt %p cloned %d\n",
  630                             ntohl(tdb->tdb_spi), icmp_mtu, rt, rt_mtucloned));
  631                         if (rt != NULL) {
  632                                 rt->rt_rmx.rmx_mtu = icmp_mtu;
  633                                 if (ro && ro->ro_rt != NULL) {
  634                                         RTFREE(ro->ro_rt);
  635                                         ro->ro_rt = (struct rtentry *) 0;
  636                                         rtalloc(ro);
  637                                 }
  638                                 if (rt_mtucloned)
  639                                         rtfree(rt);
  640                         }
  641                         error = EMSGSIZE;
  642                         goto bad;
  643                 }
  644 
  645                 /*
  646                  * Clear these -- they'll be set in the recursive invocation
  647                  * as needed.
  648                  */
  649                 m->m_flags &= ~(M_MCAST | M_BCAST);
  650 
  651                 /* Callee frees mbuf */
  652                 error = ipsp_process_packet(m, tdb, AF_INET, 0);
  653                 splx(s);
  654                 return error;  /* Nothing more to be done */
  655         }
  656 
  657         /*
  658          * If deferred crypto processing is needed, check that the
  659          * interface supports it.
  660          */
  661         if (ipsec_in_use && (mtag = m_tag_find(m,
  662             PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL)) != NULL &&
  663             (ifp->if_capabilities & IFCAP_IPSEC) == 0) {
  664                 /* Notify IPsec to do its own crypto. */
  665                 ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1));
  666                 m_freem(m);
  667                 error = EHOSTUNREACH;
  668                 goto done;
  669         }
  670 #endif /* IPSEC */
  671 
  672         /* Catch routing changes wrt. hardware checksumming for TCP or UDP. */
  673         if (m->m_pkthdr.csum_flags & M_TCPV4_CSUM_OUT) {
  674                 if (!(ifp->if_capabilities & IFCAP_CSUM_TCPv4) ||
  675                     ifp->if_bridge != NULL) {
  676                         in_delayed_cksum(m);
  677                         m->m_pkthdr.csum_flags &= ~M_TCPV4_CSUM_OUT; /* Clear */
  678                 }
  679         } else if (m->m_pkthdr.csum_flags & M_UDPV4_CSUM_OUT) {
  680                 if (!(ifp->if_capabilities & IFCAP_CSUM_UDPv4) ||
  681                     ifp->if_bridge != NULL) {
  682                         in_delayed_cksum(m);
  683                         m->m_pkthdr.csum_flags &= ~M_UDPV4_CSUM_OUT; /* Clear */
  684                 }
  685         }
  686 
  687         /*
  688          * Packet filter
  689          */
  690 #if NPF > 0
  691         if (pf_test(PF_OUT, ifp, &m, NULL) != PF_PASS) {
  692                 error = EHOSTUNREACH;
  693                 m_freem(m);
  694                 goto done;
  695         }
  696         if (m == NULL)
  697                 goto done;
  698 
  699         ip = mtod(m, struct ip *);
  700         hlen = ip->ip_hl << 2;
  701 #endif
  702 
  703 #ifdef IPSEC
  704         if (ipsec_in_use && (flags & IP_FORWARDING) && (ipforwarding == 2) &&
  705             (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) == NULL)) {
  706                 error = EHOSTUNREACH;
  707                 m_freem(m);
  708                 goto done;
  709         }
  710 #endif
  711 
  712         /* XXX
  713          * Try to use jumbograms based on socket option, or the route
  714          * or... for other reasons later on. 
  715          */
  716         if ((flags & IP_JUMBO) && ro->ro_rt && (ro->ro_rt->rt_flags & RTF_JUMBO) &&
  717             ro->ro_rt->rt_ifp)
  718                 mtu = ro->ro_rt->rt_ifp->if_hardmtu;
  719 
  720         /*
  721          * If small enough for interface, can just send directly.
  722          */
  723         if (ntohs(ip->ip_len) <= mtu) {
  724                 if ((ifp->if_capabilities & IFCAP_CSUM_IPv4) &&
  725                     ifp->if_bridge == NULL) {
  726                         m->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT;
  727                         ipstat.ips_outhwcsum++;
  728                 } else {
  729                         ip->ip_sum = 0;
  730                         ip->ip_sum = in_cksum(m, hlen);
  731                 }
  732                 /* Update relevant hardware checksum stats for TCP/UDP */
  733                 if (m->m_pkthdr.csum_flags & M_TCPV4_CSUM_OUT)
  734                         tcpstat.tcps_outhwcsum++;
  735                 else if (m->m_pkthdr.csum_flags & M_UDPV4_CSUM_OUT)
  736                         udpstat.udps_outhwcsum++;
  737                 error = (*ifp->if_output)(ifp, m, sintosa(dst), ro->ro_rt);
  738                 goto done;
  739         }
  740 
  741         /*
  742          * Too large for interface; fragment if possible.
  743          * Must be able to put at least 8 bytes per fragment.
  744          */
  745         if (ip->ip_off & htons(IP_DF)) {
  746 #ifdef IPSEC
  747                 icmp_mtu = ifp->if_mtu;
  748 #endif
  749                 error = EMSGSIZE;
  750                 /*
  751                  * This case can happen if the user changed the MTU
  752                  * of an interface after enabling IP on it.  Because
  753                  * most netifs don't keep track of routes pointing to
  754                  * them, there is no way for one to update all its
  755                  * routes when the MTU is changed.
  756                  */
  757                 if ((ro->ro_rt->rt_flags & (RTF_UP | RTF_HOST)) &&
  758                     !(ro->ro_rt->rt_rmx.rmx_locks & RTV_MTU) &&
  759                     (ro->ro_rt->rt_rmx.rmx_mtu > ifp->if_mtu)) {
  760                         ro->ro_rt->rt_rmx.rmx_mtu = ifp->if_mtu;
  761                 }
  762                 ipstat.ips_cantfrag++;
  763                 goto bad;
  764         }
  765 
  766         error = ip_fragment(m, ifp, mtu);
  767         if (error) {
  768                 m = m0 = NULL;
  769                 goto bad;
  770         }
  771 
  772         for (; m; m = m0) {
  773                 m0 = m->m_nextpkt;
  774                 m->m_nextpkt = 0;
  775                 if (error == 0)
  776                         error = (*ifp->if_output)(ifp, m, sintosa(dst),
  777                             ro->ro_rt);
  778                 else
  779                         m_freem(m);
  780         }
  781 
  782         if (error == 0)
  783                 ipstat.ips_fragmented++;
  784 
  785 done:
  786         if (ro == &iproute && (flags & IP_ROUTETOIF) == 0 && ro->ro_rt)
  787                 RTFREE(ro->ro_rt);
  788         return (error);
  789 bad:
  790 #ifdef IPSEC
  791         if (error == EMSGSIZE && ip_mtudisc && icmp_mtu != 0 && m != NULL)
  792                 ipsec_adjust_mtu(m, icmp_mtu);
  793 #endif
  794         m_freem(m0);
  795         goto done;
  796 }
  797 
  798 int
  799 ip_fragment(struct mbuf *m, struct ifnet *ifp, u_long mtu)
  800 {
  801         struct ip *ip, *mhip;
  802         struct mbuf *m0;
  803         int len, hlen, off;
  804         int mhlen, firstlen;
  805         struct mbuf **mnext;
  806         int fragments = 0;
  807         int s;
  808         int error = 0;
  809 
  810         ip = mtod(m, struct ip *);
  811         hlen = ip->ip_hl << 2;
  812 
  813         len = (mtu - hlen) &~ 7;
  814         if (len < 8) {
  815                 m_freem(m);
  816                 return (EMSGSIZE);
  817         }
  818 
  819         /*
  820          * If we are doing fragmentation, we can't defer TCP/UDP
  821          * checksumming; compute the checksum and clear the flag.
  822          */
  823         if (m->m_pkthdr.csum_flags & (M_TCPV4_CSUM_OUT | M_UDPV4_CSUM_OUT)) {
  824                 in_delayed_cksum(m);
  825                 m->m_pkthdr.csum_flags &= ~(M_UDPV4_CSUM_OUT | M_TCPV4_CSUM_OUT);
  826         }
  827 
  828         firstlen = len;
  829         mnext = &m->m_nextpkt;
  830 
  831         /*
  832          * Loop through length of segment after first fragment,
  833          * make new header and copy data of each part and link onto chain.
  834          */
  835         m0 = m;
  836         mhlen = sizeof (struct ip);
  837         for (off = hlen + len; off < ntohs(ip->ip_len); off += len) {
  838                 MGETHDR(m, M_DONTWAIT, MT_HEADER);
  839                 if (m == 0) {
  840                         ipstat.ips_odropped++;
  841                         error = ENOBUFS;
  842                         goto sendorfree;
  843                 }
  844                 *mnext = m;
  845                 mnext = &m->m_nextpkt;
  846                 m->m_data += max_linkhdr;
  847                 mhip = mtod(m, struct ip *);
  848                 *mhip = *ip;
  849                 /* we must inherit MCAST and BCAST flags */
  850                 m->m_flags |= m0->m_flags & (M_MCAST|M_BCAST);
  851                 if (hlen > sizeof (struct ip)) {
  852                         mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip);
  853                         mhip->ip_hl = mhlen >> 2;
  854                 }
  855                 m->m_len = mhlen;
  856                 mhip->ip_off = ((off - hlen) >> 3) +
  857                     (ntohs(ip->ip_off) & ~IP_MF);
  858                 if (ip->ip_off & htons(IP_MF))
  859                         mhip->ip_off |= IP_MF;
  860                 if (off + len >= ntohs(ip->ip_len))
  861                         len = ntohs(ip->ip_len) - off;
  862                 else
  863                         mhip->ip_off |= IP_MF;
  864                 mhip->ip_len = htons((u_int16_t)(len + mhlen));
  865                 m->m_next = m_copy(m0, off, len);
  866                 if (m->m_next == 0) {
  867                         ipstat.ips_odropped++;
  868                         error = ENOBUFS;
  869                         goto sendorfree;
  870                 }
  871                 m->m_pkthdr.len = mhlen + len;
  872                 m->m_pkthdr.rcvif = (struct ifnet *)0;
  873                 mhip->ip_off = htons((u_int16_t)mhip->ip_off);
  874                 if ((ifp != NULL) &&
  875                     (ifp->if_capabilities & IFCAP_CSUM_IPv4) &&
  876                     ifp->if_bridge == NULL) {
  877                         m->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT;
  878                         ipstat.ips_outhwcsum++;
  879                 } else {
  880                         mhip->ip_sum = 0;
  881                         mhip->ip_sum = in_cksum(m, mhlen);
  882                 }
  883                 ipstat.ips_ofragments++;
  884                 fragments++;
  885         }
  886         /*
  887          * Update first fragment by trimming what's been copied out
  888          * and updating header, then send each fragment (in order).
  889          */
  890         m = m0;
  891         m_adj(m, hlen + firstlen - ntohs(ip->ip_len));
  892         m->m_pkthdr.len = hlen + firstlen;
  893         ip->ip_len = htons((u_int16_t)m->m_pkthdr.len);
  894         ip->ip_off |= htons(IP_MF);
  895         if ((ifp != NULL) &&
  896             (ifp->if_capabilities & IFCAP_CSUM_IPv4) &&
  897             ifp->if_bridge == NULL) {
  898                 m->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT;
  899                 ipstat.ips_outhwcsum++;
  900         } else {
  901                 ip->ip_sum = 0;
  902                 ip->ip_sum = in_cksum(m, hlen);
  903         }
  904 sendorfree:
  905         /*
  906          * If there is no room for all the fragments, don't queue
  907          * any of them.
  908          */
  909         if (ifp != NULL) {
  910                 s = splnet();
  911                 if (ifp->if_snd.ifq_maxlen - ifp->if_snd.ifq_len < fragments &&
  912                     error == 0) {
  913                         error = ENOBUFS;
  914                         ipstat.ips_odropped++;
  915                         IFQ_INC_DROPS(&ifp->if_snd);
  916                 }
  917                 splx(s);
  918         }
  919         if (error) {
  920                 for (m = m0; m; m = m0) {
  921                         m0 = m->m_nextpkt;
  922                         m->m_nextpkt = NULL;
  923                         m_freem(m);
  924                 }
  925         }
  926 
  927         return (error);
  928 }
  929 
  930 /*
  931  * Insert IP options into preformed packet.
  932  * Adjust IP destination as required for IP source routing,
  933  * as indicated by a non-zero in_addr at the start of the options.
  934  */
  935 struct mbuf *
  936 ip_insertoptions(m, opt, phlen)
  937         struct mbuf *m;
  938         struct mbuf *opt;
  939         int *phlen;
  940 {
  941         struct ipoption *p = mtod(opt, struct ipoption *);
  942         struct mbuf *n;
  943         struct ip *ip = mtod(m, struct ip *);
  944         unsigned optlen;
  945 
  946         optlen = opt->m_len - sizeof(p->ipopt_dst);
  947         if (optlen + ntohs(ip->ip_len) > IP_MAXPACKET)
  948                 return (m);             /* XXX should fail */
  949         if (p->ipopt_dst.s_addr)
  950                 ip->ip_dst = p->ipopt_dst;
  951         if (m->m_flags & M_EXT || m->m_data - optlen < m->m_pktdat) {
  952                 MGETHDR(n, M_DONTWAIT, MT_HEADER);
  953                 if (n == 0)
  954                         return (m);
  955                 M_MOVE_HDR(n, m);
  956                 n->m_pkthdr.len += optlen;
  957                 m->m_len -= sizeof(struct ip);
  958                 m->m_data += sizeof(struct ip);
  959                 n->m_next = m;
  960                 m = n;
  961                 m->m_len = optlen + sizeof(struct ip);
  962                 m->m_data += max_linkhdr;
  963                 bcopy((caddr_t)ip, mtod(m, caddr_t), sizeof(struct ip));
  964         } else {
  965                 m->m_data -= optlen;
  966                 m->m_len += optlen;
  967                 m->m_pkthdr.len += optlen;
  968                 ovbcopy((caddr_t)ip, mtod(m, caddr_t), sizeof(struct ip));
  969         }
  970         ip = mtod(m, struct ip *);
  971         bcopy((caddr_t)p->ipopt_list, (caddr_t)(ip + 1), (unsigned)optlen);
  972         *phlen = sizeof(struct ip) + optlen;
  973         ip->ip_len = htons(ntohs(ip->ip_len) + optlen);
  974         return (m);
  975 }
  976 
  977 /*
  978  * Copy options from ip to jp,
  979  * omitting those not copied during fragmentation.
  980  */
  981 int
  982 ip_optcopy(ip, jp)
  983         struct ip *ip, *jp;
  984 {
  985         u_char *cp, *dp;
  986         int opt, optlen, cnt;
  987 
  988         cp = (u_char *)(ip + 1);
  989         dp = (u_char *)(jp + 1);
  990         cnt = (ip->ip_hl << 2) - sizeof (struct ip);
  991         for (; cnt > 0; cnt -= optlen, cp += optlen) {
  992                 opt = cp[0];
  993                 if (opt == IPOPT_EOL)
  994                         break;
  995                 if (opt == IPOPT_NOP) {
  996                         /* Preserve for IP mcast tunnel's LSRR alignment. */
  997                         *dp++ = IPOPT_NOP;
  998                         optlen = 1;
  999                         continue;
 1000                 }
 1001 #ifdef DIAGNOSTIC
 1002                 if (cnt < IPOPT_OLEN + sizeof(*cp))
 1003                         panic("malformed IPv4 option passed to ip_optcopy");
 1004 #endif
 1005                 optlen = cp[IPOPT_OLEN];
 1006 #ifdef DIAGNOSTIC
 1007                 if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt)
 1008                         panic("malformed IPv4 option passed to ip_optcopy");
 1009 #endif
 1010                 /* bogus lengths should have been caught by ip_dooptions */
 1011                 if (optlen > cnt)
 1012                         optlen = cnt;
 1013                 if (IPOPT_COPIED(opt)) {
 1014                         bcopy((caddr_t)cp, (caddr_t)dp, (unsigned)optlen);
 1015                         dp += optlen;
 1016                 }
 1017         }
 1018         for (optlen = dp - (u_char *)(jp+1); optlen & 0x3; optlen++)
 1019                 *dp++ = IPOPT_EOL;
 1020         return (optlen);
 1021 }
 1022 
 1023 /*
 1024  * IP socket option processing.
 1025  */
 1026 int
 1027 ip_ctloutput(op, so, level, optname, mp)
 1028         int op;
 1029         struct socket *so;
 1030         int level, optname;
 1031         struct mbuf **mp;
 1032 {
 1033         struct inpcb *inp = sotoinpcb(so);
 1034         struct mbuf *m = *mp;
 1035         int optval = 0;
 1036 #ifdef IPSEC
 1037         struct proc *p = curproc; /* XXX */
 1038         struct ipsec_ref *ipr;
 1039         u_int16_t opt16val;
 1040 #endif
 1041         int error = 0;
 1042 
 1043         if (level != IPPROTO_IP) {
 1044                 error = EINVAL;
 1045                 if (op == PRCO_SETOPT && *mp)
 1046                         (void) m_free(*mp);
 1047         } else switch (op) {
 1048         case PRCO_SETOPT:
 1049                 switch (optname) {
 1050                 case IP_OPTIONS:
 1051 #ifdef notyet
 1052                 case IP_RETOPTS:
 1053                         return (ip_pcbopts(optname, &inp->inp_options, m));
 1054 #else
 1055                         return (ip_pcbopts(&inp->inp_options, m));
 1056 #endif
 1057 
 1058                 case IP_TOS:
 1059                 case IP_TTL:
 1060                 case IP_MINTTL:
 1061                 case IP_RECVOPTS:
 1062                 case IP_RECVRETOPTS:
 1063                 case IP_RECVDSTADDR:
 1064                 case IP_RECVIF:
 1065                 case IP_RECVTTL:
 1066                 case IP_RECVDSTPORT:
 1067                         if (m == NULL || m->m_len != sizeof(int))
 1068                                 error = EINVAL;
 1069                         else {
 1070                                 optval = *mtod(m, int *);
 1071                                 switch (optname) {
 1072 
 1073                                 case IP_TOS:
 1074                                         inp->inp_ip.ip_tos = optval;
 1075                                         break;
 1076 
 1077                                 case IP_TTL:
 1078                                         if (optval > 0 && optval <= MAXTTL)
 1079                                                 inp->inp_ip.ip_ttl = optval;
 1080                                         else
 1081                                                 error = EINVAL;
 1082                                         break;
 1083 
 1084                                 case IP_MINTTL:
 1085                                         if (optval > 0 && optval <= MAXTTL)
 1086                                                 inp->inp_ip_minttl = optval;
 1087                                         else
 1088                                                 error = EINVAL;
 1089                                         break;
 1090 #define OPTSET(bit) \
 1091         if (optval) \
 1092                 inp->inp_flags |= bit; \
 1093         else \
 1094                 inp->inp_flags &= ~bit;
 1095 
 1096                                 case IP_RECVOPTS:
 1097                                         OPTSET(INP_RECVOPTS);
 1098                                         break;
 1099 
 1100                                 case IP_RECVRETOPTS:
 1101                                         OPTSET(INP_RECVRETOPTS);
 1102                                         break;
 1103 
 1104                                 case IP_RECVDSTADDR:
 1105                                         OPTSET(INP_RECVDSTADDR);
 1106                                         break;
 1107                                 case IP_RECVIF:
 1108                                         OPTSET(INP_RECVIF);
 1109                                         break;
 1110                                 case IP_RECVTTL:
 1111                                         OPTSET(INP_RECVTTL);
 1112                                         break;
 1113                                 case IP_RECVDSTPORT:
 1114                                         OPTSET(INP_RECVDSTPORT);
 1115                                         break;
 1116                                 }
 1117                         }
 1118                         break;
 1119 #undef OPTSET
 1120 
 1121                 case IP_MULTICAST_IF:
 1122                 case IP_MULTICAST_TTL:
 1123                 case IP_MULTICAST_LOOP:
 1124                 case IP_ADD_MEMBERSHIP:
 1125                 case IP_DROP_MEMBERSHIP:
 1126                         error = ip_setmoptions(optname, &inp->inp_moptions, m);
 1127                         break;
 1128 
 1129                 case IP_PORTRANGE:
 1130                         if (m == 0 || m->m_len != sizeof(int))
 1131                                 error = EINVAL;
 1132                         else {
 1133                                 optval = *mtod(m, int *);
 1134 
 1135                                 switch (optval) {
 1136 
 1137                                 case IP_PORTRANGE_DEFAULT:
 1138                                         inp->inp_flags &= ~(INP_LOWPORT);
 1139                                         inp->inp_flags &= ~(INP_HIGHPORT);
 1140                                         break;
 1141 
 1142                                 case IP_PORTRANGE_HIGH:
 1143                                         inp->inp_flags &= ~(INP_LOWPORT);
 1144                                         inp->inp_flags |= INP_HIGHPORT;
 1145                                         break;
 1146 
 1147                                 case IP_PORTRANGE_LOW:
 1148                                         inp->inp_flags &= ~(INP_HIGHPORT);
 1149                                         inp->inp_flags |= INP_LOWPORT;
 1150                                         break;
 1151 
 1152                                 default:
 1153 
 1154                                         error = EINVAL;
 1155                                         break;
 1156                                 }
 1157                         }
 1158                         break;
 1159                 case IP_AUTH_LEVEL:
 1160                 case IP_ESP_TRANS_LEVEL:
 1161                 case IP_ESP_NETWORK_LEVEL:
 1162                 case IP_IPCOMP_LEVEL:
 1163 #ifndef IPSEC
 1164                         error = EOPNOTSUPP;
 1165 #else
 1166                         if (m == 0 || m->m_len != sizeof(int)) {
 1167                                 error = EINVAL;
 1168                                 break;
 1169                         }
 1170                         optval = *mtod(m, int *);
 1171 
 1172                         if (optval < IPSEC_LEVEL_BYPASS ||
 1173                             optval > IPSEC_LEVEL_UNIQUE) {
 1174                                 error = EINVAL;
 1175                                 break;
 1176                         }
 1177 
 1178                         /* Unlink cached output TDB to force a re-search */
 1179                         if (inp->inp_tdb_out) {
 1180                                 int s = spltdb();
 1181                                 TAILQ_REMOVE(&inp->inp_tdb_out->tdb_inp_out,
 1182                                     inp, inp_tdb_out_next);
 1183                                 splx(s);
 1184                         }
 1185 
 1186                         if (inp->inp_tdb_in) {
 1187                                 int s = spltdb();
 1188                                 TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in,
 1189                                     inp, inp_tdb_in_next);
 1190                                 splx(s);
 1191                         }
 1192 
 1193                         switch (optname) {
 1194                         case IP_AUTH_LEVEL:
 1195                                 if (optval < ipsec_auth_default_level &&
 1196                                     suser(p, 0)) {
 1197                                         error = EACCES;
 1198                                         break;
 1199                                 }
 1200                                 inp->inp_seclevel[SL_AUTH] = optval;
 1201                                 break;
 1202 
 1203                         case IP_ESP_TRANS_LEVEL:
 1204                                 if (optval < ipsec_esp_trans_default_level &&
 1205                                     suser(p, 0)) {
 1206                                         error = EACCES;
 1207                                         break;
 1208                                 }
 1209                                 inp->inp_seclevel[SL_ESP_TRANS] = optval;
 1210                                 break;
 1211 
 1212                         case IP_ESP_NETWORK_LEVEL:
 1213                                 if (optval < ipsec_esp_network_default_level &&
 1214                                     suser(p, 0)) {
 1215                                         error = EACCES;
 1216                                         break;
 1217                                 }
 1218                                 inp->inp_seclevel[SL_ESP_NETWORK] = optval;
 1219                                 break;
 1220                         case IP_IPCOMP_LEVEL:
 1221                                 if (optval < ipsec_ipcomp_default_level &&
 1222                                     suser(p, 0)) {
 1223                                         error = EACCES;
 1224                                         break;
 1225                                 }
 1226                                 inp->inp_seclevel[SL_IPCOMP] = optval;
 1227                                 break;
 1228                         }
 1229                         if (!error)
 1230                                 inp->inp_secrequire = get_sa_require(inp);
 1231 #endif
 1232                         break;
 1233 
 1234                 case IP_IPSEC_REMOTE_CRED:
 1235                 case IP_IPSEC_REMOTE_AUTH:
 1236                         /* Can't set the remote credential or key */
 1237                         error = EOPNOTSUPP;
 1238                         break;
 1239 
 1240                 case IP_IPSEC_LOCAL_ID:
 1241                 case IP_IPSEC_REMOTE_ID:
 1242                 case IP_IPSEC_LOCAL_CRED:
 1243                 case IP_IPSEC_LOCAL_AUTH:
 1244 #ifndef IPSEC
 1245                         error = EOPNOTSUPP;
 1246 #else
 1247                         if (m->m_len < 2) {
 1248                                 error = EINVAL;
 1249                                 break;
 1250                         }
 1251 
 1252                         m_copydata(m, 0, 2, (caddr_t) &opt16val);
 1253 
 1254                         /* If the type is 0, then we cleanup and return */
 1255                         if (opt16val == 0) {
 1256                                 switch (optname) {
 1257                                 case IP_IPSEC_LOCAL_ID:
 1258                                         if (inp->inp_ipo != NULL &&
 1259                                             inp->inp_ipo->ipo_srcid != NULL) {
 1260                                                 ipsp_reffree(inp->inp_ipo->ipo_srcid);
 1261                                                 inp->inp_ipo->ipo_srcid = NULL;
 1262                                         }
 1263                                         break;
 1264 
 1265                                 case IP_IPSEC_REMOTE_ID:
 1266                                         if (inp->inp_ipo != NULL &&
 1267                                             inp->inp_ipo->ipo_dstid != NULL) {
 1268                                                 ipsp_reffree(inp->inp_ipo->ipo_dstid);
 1269                                                 inp->inp_ipo->ipo_dstid = NULL;
 1270                                         }
 1271                                         break;
 1272 
 1273                                 case IP_IPSEC_LOCAL_CRED:
 1274                                         if (inp->inp_ipo != NULL &&
 1275                                             inp->inp_ipo->ipo_local_cred != NULL) {
 1276                                                 ipsp_reffree(inp->inp_ipo->ipo_local_cred);
 1277                                                 inp->inp_ipo->ipo_local_cred = NULL;
 1278                                         }
 1279                                         break;
 1280 
 1281                                 case IP_IPSEC_LOCAL_AUTH:
 1282                                         if (inp->inp_ipo != NULL &&
 1283                                             inp->inp_ipo->ipo_local_auth != NULL) {
 1284                                                 ipsp_reffree(inp->inp_ipo->ipo_local_auth);
 1285                                                 inp->inp_ipo->ipo_local_auth = NULL;
 1286                                         }
 1287                                         break;
 1288                                 }
 1289 
 1290                                 error = 0;
 1291                                 break;
 1292                         }
 1293 
 1294                         /* Can't have an empty payload */
 1295                         if (m->m_len == 2) {
 1296                                 error = EINVAL;
 1297                                 break;
 1298                         }
 1299 
 1300                         /* Allocate if needed */
 1301                         if (inp->inp_ipo == NULL) {
 1302                                 inp->inp_ipo = ipsec_add_policy(inp,
 1303                                     AF_INET, IPSP_DIRECTION_OUT);
 1304                                 if (inp->inp_ipo == NULL) {
 1305                                         error = ENOBUFS;
 1306                                         break;
 1307                                 }
 1308                         }
 1309 
 1310                         ipr = malloc(sizeof(struct ipsec_ref) + m->m_len - 2,
 1311                                M_CREDENTIALS, M_NOWAIT);
 1312                         if (ipr == NULL) {
 1313                                 error = ENOBUFS;
 1314                                 break;
 1315                         }
 1316 
 1317                         ipr->ref_count = 1;
 1318                         ipr->ref_malloctype = M_CREDENTIALS;
 1319                         ipr->ref_len = m->m_len - 2;
 1320                         ipr->ref_type = opt16val;
 1321                         m_copydata(m, 2, m->m_len - 2, (caddr_t)(ipr + 1));
 1322 
 1323                         switch (optname) {
 1324                         case IP_IPSEC_LOCAL_ID:
 1325                                 /* Check valid types and NUL-termination */
 1326                                 if (ipr->ref_type < IPSP_IDENTITY_PREFIX ||
 1327                                     ipr->ref_type > IPSP_IDENTITY_CONNECTION ||
 1328                                     ((char *)(ipr + 1))[ipr->ref_len - 1]) {
 1329                                         free(ipr, M_CREDENTIALS);
 1330                                         error = EINVAL;
 1331                                 } else {
 1332                                         if (inp->inp_ipo->ipo_srcid != NULL)
 1333                                                 ipsp_reffree(inp->inp_ipo->ipo_srcid);
 1334                                         inp->inp_ipo->ipo_srcid = ipr;
 1335                                 }
 1336                                 break;
 1337                         case IP_IPSEC_REMOTE_ID:
 1338                                 /* Check valid types and NUL-termination */
 1339                                 if (ipr->ref_type < IPSP_IDENTITY_PREFIX ||
 1340                                     ipr->ref_type > IPSP_IDENTITY_CONNECTION ||
 1341                                     ((char *)(ipr + 1))[ipr->ref_len - 1]) {
 1342                                         free(ipr, M_CREDENTIALS);
 1343                                         error = EINVAL;
 1344                                 } else {
 1345                                         if (inp->inp_ipo->ipo_dstid != NULL)
 1346                                                 ipsp_reffree(inp->inp_ipo->ipo_dstid);
 1347                                         inp->inp_ipo->ipo_dstid = ipr;
 1348                                 }
 1349                                 break;
 1350                         case IP_IPSEC_LOCAL_CRED:
 1351                                 if (ipr->ref_type < IPSP_CRED_KEYNOTE ||
 1352                                     ipr->ref_type > IPSP_CRED_X509) {
 1353                                         free(ipr, M_CREDENTIALS);
 1354                                         error = EINVAL;
 1355                                 } else {
 1356                                         if (inp->inp_ipo->ipo_local_cred != NULL)
 1357                                                 ipsp_reffree(inp->inp_ipo->ipo_local_cred);
 1358                                         inp->inp_ipo->ipo_local_cred = ipr;
 1359                                 }
 1360                                 break;
 1361                         case IP_IPSEC_LOCAL_AUTH:
 1362                                 if (ipr->ref_type < IPSP_AUTH_PASSPHRASE ||
 1363                                     ipr->ref_type > IPSP_AUTH_RSA) {
 1364                                         free(ipr, M_CREDENTIALS);
 1365                                         error = EINVAL;
 1366                                 } else {
 1367                                         if (inp->inp_ipo->ipo_local_auth != NULL)
 1368                                                 ipsp_reffree(inp->inp_ipo->ipo_local_auth);
 1369                                         inp->inp_ipo->ipo_local_auth = ipr;
 1370                                 }
 1371                                 break;
 1372                         }
 1373 
 1374                         /* Unlink cached output TDB to force a re-search */
 1375                         if (inp->inp_tdb_out) {
 1376                                 int s = spltdb();
 1377                                 TAILQ_REMOVE(&inp->inp_tdb_out->tdb_inp_out,
 1378                                     inp, inp_tdb_out_next);
 1379                                 splx(s);
 1380                         }
 1381 
 1382                         if (inp->inp_tdb_in) {
 1383                                 int s = spltdb();
 1384                                 TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in,
 1385                                     inp, inp_tdb_in_next);
 1386                                 splx(s);
 1387                         }
 1388 #endif
 1389                         break;
 1390                 default:
 1391                         error = ENOPROTOOPT;
 1392                         break;
 1393                 }
 1394                 if (m)
 1395                         (void)m_free(m);
 1396                 break;
 1397 
 1398         case PRCO_GETOPT:
 1399                 switch (optname) {
 1400                 case IP_OPTIONS:
 1401                 case IP_RETOPTS:
 1402                         *mp = m = m_get(M_WAIT, MT_SOOPTS);
 1403                         if (inp->inp_options) {
 1404                                 m->m_len = inp->inp_options->m_len;
 1405                                 bcopy(mtod(inp->inp_options, caddr_t),
 1406                                     mtod(m, caddr_t), (unsigned)m->m_len);
 1407                         } else
 1408                                 m->m_len = 0;
 1409                         break;
 1410 
 1411                 case IP_TOS:
 1412                 case IP_TTL:
 1413                 case IP_MINTTL:
 1414                 case IP_RECVOPTS:
 1415                 case IP_RECVRETOPTS:
 1416                 case IP_RECVDSTADDR:
 1417                 case IP_RECVIF:
 1418                 case IP_RECVTTL:
 1419                 case IP_RECVDSTPORT:
 1420                         *mp = m = m_get(M_WAIT, MT_SOOPTS);
 1421                         m->m_len = sizeof(int);
 1422                         switch (optname) {
 1423 
 1424                         case IP_TOS:
 1425                                 optval = inp->inp_ip.ip_tos;
 1426                                 break;
 1427 
 1428                         case IP_TTL:
 1429                                 optval = inp->inp_ip.ip_ttl;
 1430                                 break;
 1431 
 1432                         case IP_MINTTL:
 1433                                 optval = inp->inp_ip_minttl;
 1434                                 break;
 1435 
 1436 #define OPTBIT(bit)     (inp->inp_flags & bit ? 1 : 0)
 1437 
 1438                         case IP_RECVOPTS:
 1439                                 optval = OPTBIT(INP_RECVOPTS);
 1440                                 break;
 1441 
 1442                         case IP_RECVRETOPTS:
 1443                                 optval = OPTBIT(INP_RECVRETOPTS);
 1444                                 break;
 1445 
 1446                         case IP_RECVDSTADDR:
 1447                                 optval = OPTBIT(INP_RECVDSTADDR);
 1448                                 break;
 1449                         case IP_RECVIF:
 1450                                 optval = OPTBIT(INP_RECVIF);
 1451                                 break;
 1452                         case IP_RECVTTL:
 1453                                 optval = OPTBIT(INP_RECVTTL);
 1454                                 break;
 1455                         case IP_RECVDSTPORT:
 1456                                 optval = OPTBIT(INP_RECVDSTPORT);
 1457                                 break;
 1458                         }
 1459                         *mtod(m, int *) = optval;
 1460                         break;
 1461 
 1462                 case IP_MULTICAST_IF:
 1463                 case IP_MULTICAST_TTL:
 1464                 case IP_MULTICAST_LOOP:
 1465                 case IP_ADD_MEMBERSHIP:
 1466                 case IP_DROP_MEMBERSHIP:
 1467                         error = ip_getmoptions(optname, inp->inp_moptions, mp);
 1468                         break;
 1469 
 1470                 case IP_PORTRANGE:
 1471                         *mp = m = m_get(M_WAIT, MT_SOOPTS);
 1472                         m->m_len = sizeof(int);
 1473 
 1474                         if (inp->inp_flags & INP_HIGHPORT)
 1475                                 optval = IP_PORTRANGE_HIGH;
 1476                         else if (inp->inp_flags & INP_LOWPORT)
 1477                                 optval = IP_PORTRANGE_LOW;
 1478                         else
 1479                                 optval = 0;
 1480 
 1481                         *mtod(m, int *) = optval;
 1482                         break;
 1483 
 1484                 case IP_AUTH_LEVEL:
 1485                 case IP_ESP_TRANS_LEVEL:
 1486                 case IP_ESP_NETWORK_LEVEL:
 1487                 case IP_IPCOMP_LEVEL:
 1488 #ifndef IPSEC
 1489                         m->m_len = sizeof(int);
 1490                         *mtod(m, int *) = IPSEC_LEVEL_NONE;
 1491 #else
 1492                         m->m_len = sizeof(int);
 1493                         switch (optname) {
 1494                         case IP_AUTH_LEVEL:
 1495                                 optval = inp->inp_seclevel[SL_AUTH];
 1496                                 break;
 1497 
 1498                         case IP_ESP_TRANS_LEVEL:
 1499                                 optval = inp->inp_seclevel[SL_ESP_TRANS];
 1500                                 break;
 1501 
 1502                         case IP_ESP_NETWORK_LEVEL:
 1503                                 optval = inp->inp_seclevel[SL_ESP_NETWORK];
 1504                                 break;
 1505                         case IP_IPCOMP_LEVEL:
 1506                                 optval = inp->inp_seclevel[SL_IPCOMP];
 1507                                 break;
 1508                         }
 1509                         *mtod(m, int *) = optval;
 1510 #endif
 1511                         break;
 1512                 case IP_IPSEC_LOCAL_ID:
 1513                 case IP_IPSEC_REMOTE_ID:
 1514                 case IP_IPSEC_LOCAL_CRED:
 1515                 case IP_IPSEC_REMOTE_CRED:
 1516                 case IP_IPSEC_LOCAL_AUTH:
 1517                 case IP_IPSEC_REMOTE_AUTH:
 1518 #ifndef IPSEC
 1519                         error = EOPNOTSUPP;
 1520 #else
 1521                         *mp = m = m_get(M_WAIT, MT_SOOPTS);
 1522                         m->m_len = sizeof(u_int16_t);
 1523                         ipr = NULL;
 1524                         switch (optname) {
 1525                         case IP_IPSEC_LOCAL_ID:
 1526                                 if (inp->inp_ipo != NULL)
 1527                                         ipr = inp->inp_ipo->ipo_srcid;
 1528                                 opt16val = IPSP_IDENTITY_NONE;
 1529                                 break;
 1530                         case IP_IPSEC_REMOTE_ID:
 1531                                 if (inp->inp_ipo != NULL)
 1532                                         ipr = inp->inp_ipo->ipo_dstid;
 1533                                 opt16val = IPSP_IDENTITY_NONE;
 1534                                 break;
 1535                         case IP_IPSEC_LOCAL_CRED:
 1536                                 if (inp->inp_ipo != NULL)
 1537                                         ipr = inp->inp_ipo->ipo_local_cred;
 1538                                 opt16val = IPSP_CRED_NONE;
 1539                                 break;
 1540                         case IP_IPSEC_REMOTE_CRED:
 1541                                 ipr = inp->inp_ipsec_remotecred;
 1542                                 opt16val = IPSP_CRED_NONE;
 1543                                 break;
 1544                         case IP_IPSEC_LOCAL_AUTH:
 1545                                 if (inp->inp_ipo != NULL)
 1546                                         ipr = inp->inp_ipo->ipo_local_auth;
 1547                                 break;
 1548                         case IP_IPSEC_REMOTE_AUTH:
 1549                                 ipr = inp->inp_ipsec_remoteauth;
 1550                                 break;
 1551                         }
 1552                         if (ipr == NULL)
 1553                                 *mtod(m, u_int16_t *) = opt16val;
 1554                         else {
 1555                                 size_t len;
 1556 
 1557                                 len = m->m_len + ipr->ref_len;
 1558                                 if (len > MCLBYTES) {
 1559                                          m_free(m);
 1560                                          error = EINVAL;
 1561                                          break;
 1562                                 }
 1563                                 /* allocate mbuf cluster for larger option */
 1564                                 if (len > MLEN) {
 1565                                          MCLGET(m, M_WAITOK);
 1566                                          if ((m->m_flags & M_EXT) == 0) {
 1567                                                  m_free(m);
 1568                                                  error = ENOBUFS;
 1569                                                  break;
 1570                                          }
 1571 
 1572                                 }
 1573                                 m->m_len = len;
 1574                                 *mtod(m, u_int16_t *) = ipr->ref_type;
 1575                                 m_copyback(m, sizeof(u_int16_t), ipr->ref_len,
 1576                                     ipr + 1);
 1577                         }
 1578 #endif
 1579                         break;
 1580                 default:
 1581                         error = ENOPROTOOPT;
 1582                         break;
 1583                 }
 1584                 break;
 1585         }
 1586         return (error);
 1587 }
 1588 
 1589 /*
 1590  * Set up IP options in pcb for insertion in output packets.
 1591  * Store in mbuf with pointer in pcbopt, adding pseudo-option
 1592  * with destination address if source routed.
 1593  */
 1594 int
 1595 #ifdef notyet
 1596 ip_pcbopts(optname, pcbopt, m)
 1597         int optname;
 1598 #else
 1599 ip_pcbopts(pcbopt, m)
 1600 #endif
 1601         struct mbuf **pcbopt;
 1602         struct mbuf *m;
 1603 {
 1604         int cnt, optlen;
 1605         u_char *cp;
 1606         u_char opt;
 1607 
 1608         /* turn off any old options */
 1609         if (*pcbopt)
 1610                 (void)m_free(*pcbopt);
 1611         *pcbopt = 0;
 1612         if (m == (struct mbuf *)0 || m->m_len == 0) {
 1613                 /*
 1614                  * Only turning off any previous options.
 1615                  */
 1616                 if (m)
 1617                         (void)m_free(m);
 1618                 return (0);
 1619         }
 1620 
 1621         if (m->m_len % sizeof(int32_t))
 1622                 goto bad;
 1623 
 1624         /*
 1625          * IP first-hop destination address will be stored before
 1626          * actual options; move other options back
 1627          * and clear it when none present.
 1628          */
 1629         if (m->m_data + m->m_len + sizeof(struct in_addr) >= &m->m_dat[MLEN])
 1630                 goto bad;
 1631         cnt = m->m_len;
 1632         m->m_len += sizeof(struct in_addr);
 1633         cp = mtod(m, u_char *) + sizeof(struct in_addr);
 1634         ovbcopy(mtod(m, caddr_t), (caddr_t)cp, (unsigned)cnt);
 1635         bzero(mtod(m, caddr_t), sizeof(struct in_addr));
 1636 
 1637         for (; cnt > 0; cnt -= optlen, cp += optlen) {
 1638                 opt = cp[IPOPT_OPTVAL];
 1639                 if (opt == IPOPT_EOL)
 1640                         break;
 1641                 if (opt == IPOPT_NOP)
 1642                         optlen = 1;
 1643                 else {
 1644                         if (cnt < IPOPT_OLEN + sizeof(*cp))
 1645                                 goto bad;
 1646                         optlen = cp[IPOPT_OLEN];
 1647                         if (optlen < IPOPT_OLEN  + sizeof(*cp) || optlen > cnt)
 1648                                 goto bad;
 1649                 }
 1650                 switch (opt) {
 1651 
 1652                 default:
 1653                         break;
 1654 
 1655                 case IPOPT_LSRR:
 1656                 case IPOPT_SSRR:
 1657                         /*
 1658                          * user process specifies route as:
 1659                          *      ->A->B->C->D
 1660                          * D must be our final destination (but we can't
 1661                          * check that since we may not have connected yet).
 1662                          * A is first hop destination, which doesn't appear in
 1663                          * actual IP option, but is stored before the options.
 1664                          */
 1665                         if (optlen < IPOPT_MINOFF - 1 + sizeof(struct in_addr))
 1666                                 goto bad;
 1667                         m->m_len -= sizeof(struct in_addr);
 1668                         cnt -= sizeof(struct in_addr);
 1669                         optlen -= sizeof(struct in_addr);
 1670                         cp[IPOPT_OLEN] = optlen;
 1671                         /*
 1672                          * Move first hop before start of options.
 1673                          */
 1674                         bcopy((caddr_t)&cp[IPOPT_OFFSET+1], mtod(m, caddr_t),
 1675                             sizeof(struct in_addr));
 1676                         /*
 1677                          * Then copy rest of options back
 1678                          * to close up the deleted entry.
 1679                          */
 1680                         ovbcopy((caddr_t)(&cp[IPOPT_OFFSET+1] +
 1681                             sizeof(struct in_addr)),
 1682                             (caddr_t)&cp[IPOPT_OFFSET+1],
 1683                             (unsigned)cnt - (IPOPT_OFFSET+1));
 1684                         break;
 1685                 }
 1686         }
 1687         if (m->m_len > MAX_IPOPTLEN + sizeof(struct in_addr))
 1688                 goto bad;
 1689         *pcbopt = m;
 1690         return (0);
 1691 
 1692 bad:
 1693         (void)m_free(m);
 1694         return (EINVAL);
 1695 }
 1696 
 1697 /*
 1698  * Set the IP multicast options in response to user setsockopt().
 1699  */
 1700 int
 1701 ip_setmoptions(optname, imop, m)
 1702         int optname;
 1703         struct ip_moptions **imop;
 1704         struct mbuf *m;
 1705 {
 1706         int error = 0;
 1707         u_char loop;
 1708         int i;
 1709         struct in_addr addr;
 1710         struct ip_mreq *mreq;
 1711         struct ifnet *ifp;
 1712         struct ip_moptions *imo = *imop;
 1713         struct in_multi **immp;
 1714         struct route ro;
 1715         struct sockaddr_in *dst;
 1716 
 1717         if (imo == NULL) {
 1718                 /*
 1719                  * No multicast option buffer attached to the pcb;
 1720                  * allocate one and initialize to default values.
 1721                  */
 1722                 imo = (struct ip_moptions *)malloc(sizeof(*imo), M_IPMOPTS,
 1723                     M_WAITOK|M_ZERO);
 1724                 immp = (struct in_multi **)malloc(
 1725                     (sizeof(*immp) * IP_MIN_MEMBERSHIPS), M_IPMOPTS,
 1726                     M_WAITOK|M_ZERO);
 1727                 *imop = imo;
 1728                 imo->imo_multicast_ifp = NULL;
 1729                 imo->imo_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
 1730                 imo->imo_multicast_loop = IP_DEFAULT_MULTICAST_LOOP;
 1731                 imo->imo_num_memberships = 0;
 1732                 imo->imo_max_memberships = IP_MIN_MEMBERSHIPS;
 1733                 imo->imo_membership = immp;
 1734         }
 1735 
 1736         switch (optname) {
 1737 
 1738         case IP_MULTICAST_IF:
 1739                 /*
 1740                  * Select the interface for outgoing multicast packets.
 1741                  */
 1742                 if (m == NULL || m->m_len != sizeof(struct in_addr)) {
 1743                         error = EINVAL;
 1744                         break;
 1745                 }
 1746                 addr = *(mtod(m, struct in_addr *));
 1747                 /*
 1748                  * INADDR_ANY is used to remove a previous selection.
 1749                  * When no interface is selected, a default one is
 1750                  * chosen every time a multicast packet is sent.
 1751                  */
 1752                 if (addr.s_addr == INADDR_ANY) {
 1753                         imo->imo_multicast_ifp = NULL;
 1754                         break;
 1755                 }
 1756                 /*
 1757                  * The selected interface is identified by its local
 1758                  * IP address.  Find the interface and confirm that
 1759                  * it supports multicasting.
 1760                  */
 1761                 INADDR_TO_IFP(addr, ifp);
 1762                 if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0) {
 1763                         error = EADDRNOTAVAIL;
 1764                         break;
 1765                 }
 1766                 imo->imo_multicast_ifp = ifp;
 1767                 break;
 1768 
 1769         case IP_MULTICAST_TTL:
 1770                 /*
 1771                  * Set the IP time-to-live for outgoing multicast packets.
 1772                  */
 1773                 if (m == NULL || m->m_len != 1) {
 1774                         error = EINVAL;
 1775                         break;
 1776                 }
 1777                 imo->imo_multicast_ttl = *(mtod(m, u_char *));
 1778                 break;
 1779 
 1780         case IP_MULTICAST_LOOP:
 1781                 /*
 1782                  * Set the loopback flag for outgoing multicast packets.
 1783                  * Must be zero or one.
 1784                  */
 1785                 if (m == NULL || m->m_len != 1 ||
 1786                    (loop = *(mtod(m, u_char *))) > 1) {
 1787                         error = EINVAL;
 1788                         break;
 1789                 }
 1790                 imo->imo_multicast_loop = loop;
 1791                 break;
 1792 
 1793         case IP_ADD_MEMBERSHIP:
 1794                 /*
 1795                  * Add a multicast group membership.
 1796                  * Group must be a valid IP multicast address.
 1797                  */
 1798                 if (m == NULL || m->m_len != sizeof(struct ip_mreq)) {
 1799                         error = EINVAL;
 1800                         break;
 1801                 }
 1802                 mreq = mtod(m, struct ip_mreq *);
 1803                 if (!IN_MULTICAST(mreq->imr_multiaddr.s_addr)) {
 1804                         error = EINVAL;
 1805                         break;
 1806                 }
 1807                 /*
 1808                  * If no interface address was provided, use the interface of
 1809                  * the route to the given multicast address.
 1810                  */
 1811                 if (mreq->imr_interface.s_addr == INADDR_ANY) {
 1812                         ro.ro_rt = NULL;
 1813                         dst = satosin(&ro.ro_dst);
 1814                         dst->sin_len = sizeof(*dst);
 1815                         dst->sin_family = AF_INET;
 1816                         dst->sin_addr = mreq->imr_multiaddr;
 1817                         rtalloc(&ro);
 1818                         if (ro.ro_rt == NULL) {
 1819                                 error = EADDRNOTAVAIL;
 1820                                 break;
 1821                         }
 1822                         ifp = ro.ro_rt->rt_ifp;
 1823                         rtfree(ro.ro_rt);
 1824                 } else {
 1825                         INADDR_TO_IFP(mreq->imr_interface, ifp);
 1826                 }
 1827                 /*
 1828                  * See if we found an interface, and confirm that it
 1829                  * supports multicast.
 1830                  */
 1831                 if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0) {
 1832                         error = EADDRNOTAVAIL;
 1833                         break;
 1834                 }
 1835                 /*
 1836                  * See if the membership already exists or if all the
 1837                  * membership slots are full.
 1838                  */
 1839                 for (i = 0; i < imo->imo_num_memberships; ++i) {
 1840                         if (imo->imo_membership[i]->inm_ia->ia_ifp == ifp &&
 1841                             imo->imo_membership[i]->inm_addr.s_addr
 1842                                                 == mreq->imr_multiaddr.s_addr)
 1843                                 break;
 1844                 }
 1845                 if (i < imo->imo_num_memberships) {
 1846                         error = EADDRINUSE;
 1847                         break;
 1848                 }
 1849                 if (imo->imo_num_memberships == imo->imo_max_memberships) {
 1850                         struct in_multi **nmships, **omships;
 1851                         size_t newmax;
 1852                         /*
 1853                          * Resize the vector to next power-of-two minus 1. If the
 1854                          * size would exceed the maximum then we know we've really
 1855                          * run out of entries. Otherwise, we reallocate the vector.
 1856                          */
 1857                         nmships = NULL;
 1858                         omships = imo->imo_membership;
 1859                         newmax = ((imo->imo_max_memberships + 1) * 2) - 1;
 1860                         if (newmax <= IP_MAX_MEMBERSHIPS) {
 1861                                 nmships = (struct in_multi **)malloc(
 1862                                     sizeof(*nmships) * newmax, M_IPMOPTS,
 1863                                     M_NOWAIT|M_ZERO);
 1864                                 if (nmships != NULL) {
 1865                                         bcopy(omships, nmships,
 1866                                             sizeof(*omships) *
 1867                                             imo->imo_max_memberships);
 1868                                         free(omships, M_IPMOPTS);
 1869                                         imo->imo_membership = nmships;
 1870                                         imo->imo_max_memberships = newmax;
 1871                                 }
 1872                         }
 1873                         if (nmships == NULL) {
 1874                                 error = ETOOMANYREFS;
 1875                                 break;
 1876                         }
 1877                 }
 1878                 /*
 1879                  * Everything looks good; add a new record to the multicast
 1880                  * address list for the given interface.
 1881                  */
 1882                 if ((imo->imo_membership[i] =
 1883                     in_addmulti(&mreq->imr_multiaddr, ifp)) == NULL) {
 1884                         error = ENOBUFS;
 1885                         break;
 1886                 }
 1887                 ++imo->imo_num_memberships;
 1888                 break;
 1889 
 1890         case IP_DROP_MEMBERSHIP:
 1891                 /*
 1892                  * Drop a multicast group membership.
 1893                  * Group must be a valid IP multicast address.
 1894                  */
 1895                 if (m == NULL || m->m_len != sizeof(struct ip_mreq)) {
 1896                         error = EINVAL;
 1897                         break;
 1898                 }
 1899                 mreq = mtod(m, struct ip_mreq *);
 1900                 if (!IN_MULTICAST(mreq->imr_multiaddr.s_addr)) {
 1901                         error = EINVAL;
 1902                         break;
 1903                 }
 1904                 /*
 1905                  * If an interface address was specified, get a pointer
 1906                  * to its ifnet structure.
 1907                  */
 1908                 if (mreq->imr_interface.s_addr == INADDR_ANY)
 1909                         ifp = NULL;
 1910                 else {
 1911                         INADDR_TO_IFP(mreq->imr_interface, ifp);
 1912                         if (ifp == NULL) {
 1913                                 error = EADDRNOTAVAIL;
 1914                                 break;
 1915                         }
 1916                 }
 1917                 /*
 1918                  * Find the membership in the membership array.
 1919                  */
 1920                 for (i = 0; i < imo->imo_num_memberships; ++i) {
 1921                         if ((ifp == NULL ||
 1922                              imo->imo_membership[i]->inm_ia->ia_ifp == ifp) &&
 1923                              imo->imo_membership[i]->inm_addr.s_addr ==
 1924                              mreq->imr_multiaddr.s_addr)
 1925                                 break;
 1926                 }
 1927                 if (i == imo->imo_num_memberships) {
 1928                         error = EADDRNOTAVAIL;
 1929                         break;
 1930                 }
 1931                 /*
 1932                  * Give up the multicast address record to which the
 1933                  * membership points.
 1934                  */
 1935                 in_delmulti(imo->imo_membership[i]);
 1936                 /*
 1937                  * Remove the gap in the membership array.
 1938                  */
 1939                 for (++i; i < imo->imo_num_memberships; ++i)
 1940                         imo->imo_membership[i-1] = imo->imo_membership[i];
 1941                 --imo->imo_num_memberships;
 1942                 break;
 1943 
 1944         default:
 1945                 error = EOPNOTSUPP;
 1946                 break;
 1947         }
 1948 
 1949         /*
 1950          * If all options have default values, no need to keep the data.
 1951          */
 1952         if (imo->imo_multicast_ifp == NULL &&
 1953             imo->imo_multicast_ttl == IP_DEFAULT_MULTICAST_TTL &&
 1954             imo->imo_multicast_loop == IP_DEFAULT_MULTICAST_LOOP &&
 1955             imo->imo_num_memberships == 0) {
 1956                 free(imo->imo_membership , M_IPMOPTS);
 1957                 free(*imop, M_IPMOPTS);
 1958                 *imop = NULL;
 1959         }
 1960 
 1961         return (error);
 1962 }
 1963 
 1964 /*
 1965  * Return the IP multicast options in response to user getsockopt().
 1966  */
 1967 int
 1968 ip_getmoptions(optname, imo, mp)
 1969         int optname;
 1970         struct ip_moptions *imo;
 1971         struct mbuf **mp;
 1972 {
 1973         u_char *ttl;
 1974         u_char *loop;
 1975         struct in_addr *addr;
 1976         struct in_ifaddr *ia;
 1977 
 1978         *mp = m_get(M_WAIT, MT_SOOPTS);
 1979 
 1980         switch (optname) {
 1981 
 1982         case IP_MULTICAST_IF:
 1983                 addr = mtod(*mp, struct in_addr *);
 1984                 (*mp)->m_len = sizeof(struct in_addr);
 1985                 if (imo == NULL || imo->imo_multicast_ifp == NULL)
 1986                         addr->s_addr = INADDR_ANY;
 1987                 else {
 1988                         IFP_TO_IA(imo->imo_multicast_ifp, ia);
 1989                         addr->s_addr = (ia == NULL) ? INADDR_ANY
 1990                                         : ia->ia_addr.sin_addr.s_addr;
 1991                 }
 1992                 return (0);
 1993 
 1994         case IP_MULTICAST_TTL:
 1995                 ttl = mtod(*mp, u_char *);
 1996                 (*mp)->m_len = 1;
 1997                 *ttl = (imo == NULL) ? IP_DEFAULT_MULTICAST_TTL
 1998                                      : imo->imo_multicast_ttl;
 1999                 return (0);
 2000 
 2001         case IP_MULTICAST_LOOP:
 2002                 loop = mtod(*mp, u_char *);
 2003                 (*mp)->m_len = 1;
 2004                 *loop = (imo == NULL) ? IP_DEFAULT_MULTICAST_LOOP
 2005                                       : imo->imo_multicast_loop;
 2006                 return (0);
 2007 
 2008         default:
 2009                 return (EOPNOTSUPP);
 2010         }
 2011 }
 2012 
 2013 /*
 2014  * Discard the IP multicast options.
 2015  */
 2016 void
 2017 ip_freemoptions(imo)
 2018         struct ip_moptions *imo;
 2019 {
 2020         int i;
 2021 
 2022         if (imo != NULL) {
 2023                 for (i = 0; i < imo->imo_num_memberships; ++i)
 2024                         in_delmulti(imo->imo_membership[i]);
 2025                 free(imo->imo_membership, M_IPMOPTS);
 2026                 free(imo, M_IPMOPTS);
 2027         }
 2028 }
 2029 
 2030 /*
 2031  * Routine called from ip_output() to loop back a copy of an IP multicast
 2032  * packet to the input queue of a specified interface.  Note that this
 2033  * calls the output routine of the loopback "driver", but with an interface
 2034  * pointer that might NOT be &loif -- easier than replicating that code here.
 2035  */
 2036 void
 2037 ip_mloopback(ifp, m, dst)
 2038         struct ifnet *ifp;
 2039         struct mbuf *m;
 2040         struct sockaddr_in *dst;
 2041 {
 2042         struct ip *ip;
 2043         struct mbuf *copym;
 2044 
 2045         copym = m_copym2(m, 0, M_COPYALL, M_DONTWAIT);
 2046         if (copym != NULL) {
 2047                 /*
 2048                  * We don't bother to fragment if the IP length is greater
 2049                  * than the interface's MTU.  Can this possibly matter?
 2050                  */
 2051                 ip = mtod(copym, struct ip *);
 2052                 ip->ip_sum = 0;
 2053                 ip->ip_sum = in_cksum(copym, ip->ip_hl << 2);
 2054                 (void) looutput(ifp, copym, sintosa(dst), NULL);
 2055         }
 2056 }
 2057 
 2058 /*
 2059  * Process a delayed payload checksum calculation.
 2060  */
 2061 void
 2062 in_delayed_cksum(struct mbuf *m)
 2063 {
 2064         struct ip *ip;
 2065         u_int16_t csum, offset;
 2066 
 2067         ip = mtod(m, struct ip *);
 2068         offset = ip->ip_hl << 2;
 2069         csum = in4_cksum(m, 0, offset, m->m_pkthdr.len - offset);
 2070         if (csum == 0 && ip->ip_p == IPPROTO_UDP)
 2071                 csum = 0xffff;
 2072 
 2073         switch (ip->ip_p) {
 2074         case IPPROTO_TCP:
 2075                 offset += offsetof(struct tcphdr, th_sum);
 2076                 break;
 2077 
 2078         case IPPROTO_UDP:
 2079                 offset += offsetof(struct udphdr, uh_sum);
 2080                 break;
 2081 
 2082         default:
 2083                 return;
 2084         }
 2085 
 2086         if ((offset + sizeof(u_int16_t)) > m->m_len)
 2087                 m_copyback(m, offset, sizeof(csum), &csum);
 2088         else
 2089                 *(u_int16_t *)(mtod(m, caddr_t) + offset) = csum;
 2090 }

Cache object: ad4acf3e2d1d152308066bc93ce7e0b0


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.