The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ip6_input.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*      $FreeBSD: releng/5.4/sys/netinet6/ip6_input.c 141090 2005-01-31 23:27:04Z imp $ */
    2 /*      $KAME: ip6_input.c,v 1.259 2002/01/21 04:58:09 jinmei Exp $     */
    3 
    4 /*-
    5  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
    6  * All rights reserved.
    7  *
    8  * Redistribution and use in source and binary forms, with or without
    9  * modification, are permitted provided that the following conditions
   10  * are met:
   11  * 1. Redistributions of source code must retain the above copyright
   12  *    notice, this list of conditions and the following disclaimer.
   13  * 2. Redistributions in binary form must reproduce the above copyright
   14  *    notice, this list of conditions and the following disclaimer in the
   15  *    documentation and/or other materials provided with the distribution.
   16  * 3. Neither the name of the project nor the names of its contributors
   17  *    may be used to endorse or promote products derived from this software
   18  *    without specific prior written permission.
   19  *
   20  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
   21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
   24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   30  * SUCH DAMAGE.
   31  */
   32 
   33 /*-
   34  * Copyright (c) 1982, 1986, 1988, 1993
   35  *      The Regents of the University of California.  All rights reserved.
   36  *
   37  * Redistribution and use in source and binary forms, with or without
   38  * modification, are permitted provided that the following conditions
   39  * are met:
   40  * 1. Redistributions of source code must retain the above copyright
   41  *    notice, this list of conditions and the following disclaimer.
   42  * 2. Redistributions in binary form must reproduce the above copyright
   43  *    notice, this list of conditions and the following disclaimer in the
   44  *    documentation and/or other materials provided with the distribution.
   45  * 4. Neither the name of the University nor the names of its contributors
   46  *    may be used to endorse or promote products derived from this software
   47  *    without specific prior written permission.
   48  *
   49  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
   50  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   51  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   52  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
   53  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   54  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   55  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   56  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   57  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   58  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   59  * SUCH DAMAGE.
   60  *
   61  *      @(#)ip_input.c  8.2 (Berkeley) 1/4/94
   62  */
   63 
   64 #include "opt_ip6fw.h"
   65 #include "opt_inet.h"
   66 #include "opt_inet6.h"
   67 #include "opt_ipsec.h"
   68 
   69 #include <sys/param.h>
   70 #include <sys/systm.h>
   71 #include <sys/malloc.h>
   72 #include <sys/mbuf.h>
   73 #include <sys/proc.h>
   74 #include <sys/domain.h>
   75 #include <sys/protosw.h>
   76 #include <sys/socket.h>
   77 #include <sys/socketvar.h>
   78 #include <sys/errno.h>
   79 #include <sys/time.h>
   80 #include <sys/kernel.h>
   81 #include <sys/syslog.h>
   82 
   83 #include <net/if.h>
   84 #include <net/if_types.h>
   85 #include <net/if_dl.h>
   86 #include <net/route.h>
   87 #include <net/netisr.h>
   88 #include <net/pfil.h>
   89 
   90 #include <netinet/in.h>
   91 #include <netinet/in_systm.h>
   92 #ifdef INET
   93 #include <netinet/ip.h>
   94 #include <netinet/ip_icmp.h>
   95 #endif /* INET */
   96 #include <netinet/ip6.h>
   97 #include <netinet6/in6_var.h>
   98 #include <netinet6/ip6_var.h>
   99 #include <netinet/in_pcb.h>
  100 #include <netinet/icmp6.h>
  101 #include <netinet6/scope6_var.h>
  102 #include <netinet6/in6_ifattach.h>
  103 #include <netinet6/nd6.h>
  104 
  105 #ifdef IPSEC
  106 #include <netinet6/ipsec.h>
  107 #ifdef INET6
  108 #include <netinet6/ipsec6.h>
  109 #endif
  110 #endif
  111 
  112 #ifdef FAST_IPSEC
  113 #include <netipsec/ipsec.h>
  114 #include <netipsec/ipsec6.h>
  115 #define IPSEC
  116 #endif /* FAST_IPSEC */
  117 
  118 #include <netinet6/ip6_fw.h>
  119 
  120 #include <netinet6/ip6protosw.h>
  121 
  122 #include <net/net_osdep.h>
  123 
  124 extern struct domain inet6domain;
  125 
  126 u_char ip6_protox[IPPROTO_MAX];
  127 static struct ifqueue ip6intrq;
  128 static int ip6qmaxlen = IFQ_MAXLEN;
  129 struct in6_ifaddr *in6_ifaddr;
  130 
  131 extern struct callout in6_tmpaddrtimer_ch;
  132 
  133 int ip6_forward_srcrt;                  /* XXX */
  134 int ip6_sourcecheck;                    /* XXX */
  135 int ip6_sourcecheck_interval;           /* XXX */
  136 
  137 int ip6_ours_check_algorithm;
  138 
  139 struct pfil_head inet6_pfil_hook;
  140 
  141 /* firewall hooks */
  142 ip6_fw_chk_t *ip6_fw_chk_ptr;
  143 ip6_fw_ctl_t *ip6_fw_ctl_ptr;
  144 int ip6_fw_enable = 1;
  145 
  146 struct ip6stat ip6stat;
  147 
  148 static void ip6_init2 __P((void *));
  149 static struct ip6aux *ip6_setdstifaddr __P((struct mbuf *, struct in6_ifaddr *));
  150 static int ip6_hopopts_input __P((u_int32_t *, u_int32_t *, struct mbuf **, int *));
  151 #ifdef PULLDOWN_TEST
  152 static struct mbuf *ip6_pullexthdr __P((struct mbuf *, size_t, int));
  153 #endif
  154 
  155 /*
  156  * IP6 initialization: fill in IP6 protocol switch table.
  157  * All protocols not implemented in kernel go to raw IP6 protocol handler.
  158  */
  159 void
  160 ip6_init()
  161 {
  162         struct ip6protosw *pr;
  163         int i;
  164 
  165 #ifdef DIAGNOSTIC
  166         if (sizeof(struct protosw) != sizeof(struct ip6protosw))
  167                 panic("sizeof(protosw) != sizeof(ip6protosw)");
  168 #endif
  169         pr = (struct ip6protosw *)pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW);
  170         if (pr == 0)
  171                 panic("ip6_init");
  172         for (i = 0; i < IPPROTO_MAX; i++)
  173                 ip6_protox[i] = pr - inet6sw;
  174         for (pr = (struct ip6protosw *)inet6domain.dom_protosw;
  175             pr < (struct ip6protosw *)inet6domain.dom_protoswNPROTOSW; pr++)
  176                 if (pr->pr_domain->dom_family == PF_INET6 &&
  177                     pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW)
  178                         ip6_protox[pr->pr_protocol] = pr - inet6sw;
  179 
  180         /* Initialize packet filter hooks. */
  181         inet6_pfil_hook.ph_type = PFIL_TYPE_AF;
  182         inet6_pfil_hook.ph_af = AF_INET6;
  183         if ((i = pfil_head_register(&inet6_pfil_hook)) != 0)
  184                 printf("%s: WARNING: unable to register pfil hook, "
  185                         "error %d\n", __func__, i);
  186 
  187         ip6intrq.ifq_maxlen = ip6qmaxlen;
  188         mtx_init(&ip6intrq.ifq_mtx, "ip6_inq", NULL, MTX_DEF);
  189         netisr_register(NETISR_IPV6, ip6_input, &ip6intrq, 0);
  190         scope6_init();
  191         addrsel_policy_init();
  192         nd6_init();
  193         frag6_init();
  194         ip6_desync_factor = arc4random() % MAX_TEMP_DESYNC_FACTOR;
  195 }
  196 
  197 static void
  198 ip6_init2(dummy)
  199         void *dummy;
  200 {
  201 
  202         /* nd6_timer_init */
  203         callout_init(&nd6_timer_ch, 0);
  204         callout_reset(&nd6_timer_ch, hz, nd6_timer, NULL);
  205 
  206         /* timer for regeneranation of temporary addresses randomize ID */
  207         callout_init(&in6_tmpaddrtimer_ch, 0);
  208         callout_reset(&in6_tmpaddrtimer_ch,
  209                       (ip6_temp_preferred_lifetime - ip6_desync_factor -
  210                        ip6_temp_regen_advance) * hz,
  211                       in6_tmpaddrtimer, NULL);
  212 }
  213 
  214 /* cheat */
  215 /* This must be after route_init(), which is now SI_ORDER_THIRD */
  216 SYSINIT(netinet6init2, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ip6_init2, NULL);
  217 
  218 extern struct   route_in6 ip6_forward_rt;
  219 
  220 void
  221 ip6_input(m)
  222         struct mbuf *m;
  223 {
  224         struct ip6_hdr *ip6;
  225         int off = sizeof(struct ip6_hdr), nest;
  226         u_int32_t plen;
  227         u_int32_t rtalert = ~0;
  228         int nxt, ours = 0;
  229         struct ifnet *deliverifp = NULL;
  230         struct sockaddr_in6 sa6;
  231         u_int32_t srczone, dstzone;
  232         struct in6_addr odst;
  233         int srcrt = 0;
  234 
  235         GIANT_REQUIRED;                 /* XXX for now */
  236 #ifdef IPSEC
  237         /*
  238          * should the inner packet be considered authentic?
  239          * see comment in ah4_input().
  240          */
  241         if (m) {
  242                 m->m_flags &= ~M_AUTHIPHDR;
  243                 m->m_flags &= ~M_AUTHIPDGM;
  244         }
  245 #endif
  246 
  247         /*
  248          * make sure we don't have onion peering information into m_tag.
  249          */
  250         ip6_delaux(m);
  251 
  252         /*
  253          * mbuf statistics
  254          */
  255         if (m->m_flags & M_EXT) {
  256                 if (m->m_next)
  257                         ip6stat.ip6s_mext2m++;
  258                 else
  259                         ip6stat.ip6s_mext1++;
  260         } else {
  261 #define M2MMAX  (sizeof(ip6stat.ip6s_m2m)/sizeof(ip6stat.ip6s_m2m[0]))
  262                 if (m->m_next) {
  263                         if (m->m_flags & M_LOOP) {
  264                                 ip6stat.ip6s_m2m[loif[0].if_index]++; /* XXX */
  265                         } else if (m->m_pkthdr.rcvif->if_index < M2MMAX)
  266                                 ip6stat.ip6s_m2m[m->m_pkthdr.rcvif->if_index]++;
  267                         else
  268                                 ip6stat.ip6s_m2m[0]++;
  269                 } else
  270                         ip6stat.ip6s_m1++;
  271 #undef M2MMAX
  272         }
  273 
  274         in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_receive);
  275         ip6stat.ip6s_total++;
  276 
  277 #ifndef PULLDOWN_TEST
  278         /*
  279          * L2 bridge code and some other code can return mbuf chain
  280          * that does not conform to KAME requirement.  too bad.
  281          * XXX: fails to join if interface MTU > MCLBYTES.  jumbogram?
  282          */
  283         if (m && m->m_next != NULL && m->m_pkthdr.len < MCLBYTES) {
  284                 struct mbuf *n;
  285 
  286                 MGETHDR(n, M_DONTWAIT, MT_HEADER);
  287                 if (n)
  288                         M_MOVE_PKTHDR(n, m);
  289                 if (n && n->m_pkthdr.len > MHLEN) {
  290                         MCLGET(n, M_DONTWAIT);
  291                         if ((n->m_flags & M_EXT) == 0) {
  292                                 m_freem(n);
  293                                 n = NULL;
  294                         }
  295                 }
  296                 if (n == NULL) {
  297                         m_freem(m);
  298                         return; /* ENOBUFS */
  299                 }
  300 
  301                 m_copydata(m, 0, n->m_pkthdr.len, mtod(n, caddr_t));
  302                 n->m_len = n->m_pkthdr.len;
  303                 m_freem(m);
  304                 m = n;
  305         }
  306         IP6_EXTHDR_CHECK(m, 0, sizeof(struct ip6_hdr), /* nothing */);
  307 #endif
  308 
  309         if (m->m_len < sizeof(struct ip6_hdr)) {
  310                 struct ifnet *inifp;
  311                 inifp = m->m_pkthdr.rcvif;
  312                 if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
  313                         ip6stat.ip6s_toosmall++;
  314                         in6_ifstat_inc(inifp, ifs6_in_hdrerr);
  315                         return;
  316                 }
  317         }
  318 
  319         ip6 = mtod(m, struct ip6_hdr *);
  320 
  321         if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) {
  322                 ip6stat.ip6s_badvers++;
  323                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
  324                 goto bad;
  325         }
  326 
  327         ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
  328 
  329         /*
  330          * Check against address spoofing/corruption.
  331          */
  332         if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) ||
  333             IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) {
  334                 /*
  335                  * XXX: "badscope" is not very suitable for a multicast source.
  336                  */
  337                 ip6stat.ip6s_badscope++;
  338                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
  339                 goto bad;
  340         }
  341         if (IN6_IS_ADDR_MC_INTFACELOCAL(&ip6->ip6_dst) &&
  342             !(m->m_flags & M_LOOP)) {
  343                 /*
  344                  * In this case, the packet should come from the loopback
  345                  * interface.  However, we cannot just check the if_flags,
  346                  * because ip6_mloopback() passes the "actual" interface
  347                  * as the outgoing/incoming interface.
  348                  */
  349                 ip6stat.ip6s_badscope++;
  350                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
  351                 goto bad;
  352         }
  353 
  354 #ifdef ALTQ
  355         if (altq_input != NULL && (*altq_input)(m, AF_INET6) == 0) {
  356                 /* packet is dropped by traffic conditioner */
  357                 return;
  358         }
  359 #endif
  360         /*
  361          * The following check is not documented in specs.  A malicious
  362          * party may be able to use IPv4 mapped addr to confuse tcp/udp stack
  363          * and bypass security checks (act as if it was from 127.0.0.1 by using
  364          * IPv6 src ::ffff:127.0.0.1).  Be cautious.
  365          *
  366          * This check chokes if we are in an SIIT cloud.  As none of BSDs
  367          * support IPv4-less kernel compilation, we cannot support SIIT
  368          * environment at all.  So, it makes more sense for us to reject any
  369          * malicious packets for non-SIIT environment, than try to do a
  370          * partial support for SIIT environment.
  371          */
  372         if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
  373             IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
  374                 ip6stat.ip6s_badscope++;
  375                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
  376                 goto bad;
  377         }
  378 #if 0
  379         /*
  380          * Reject packets with IPv4 compatible addresses (auto tunnel).
  381          *
  382          * The code forbids auto tunnel relay case in RFC1933 (the check is
  383          * stronger than RFC1933).  We may want to re-enable it if mech-xx
  384          * is revised to forbid relaying case.
  385          */
  386         if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) ||
  387             IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {
  388                 ip6stat.ip6s_badscope++;
  389                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
  390                 goto bad;
  391         }
  392 #endif
  393 
  394         /*
  395          * Drop packets if the link ID portion is already filled.
  396          * XXX: this is technically not a good behavior.  But, we internally
  397          * use the field to disambiguate link-local addresses, so we cannot
  398          * be generous against those a bit strange addresses.
  399          */
  400         if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
  401                 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src) &&
  402                     ip6->ip6_src.s6_addr16[1]) {
  403                         ip6stat.ip6s_badscope++;
  404                         goto bad;
  405                 }
  406                 if ((IN6_IS_ADDR_MC_INTFACELOCAL(&ip6->ip6_dst) ||
  407                      IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) &&
  408                     ip6->ip6_dst.s6_addr16[1]) {
  409                         ip6stat.ip6s_badscope++;
  410                         goto bad;
  411                 }
  412         }
  413 
  414         /*
  415          * Run through list of hooks for input packets.
  416          *
  417          * NB: Beware of the destination address changing
  418          *     (e.g. by NAT rewriting).  When this happens,
  419          *     tell ip6_forward to do the right thing.
  420          */
  421         odst = ip6->ip6_dst;
  422 
  423         /* Jump over all PFIL processing if hooks are not active. */
  424         if (inet6_pfil_hook.ph_busy_count == -1)
  425                 goto passin;
  426 
  427         if (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN, NULL))
  428                 return;
  429         if (m == NULL)                  /* consumed by filter */
  430                 return;
  431         ip6 = mtod(m, struct ip6_hdr *);
  432         srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst);
  433 
  434 passin:
  435         /*
  436          * Check with the firewall...
  437          */
  438         if (ip6_fw_enable && ip6_fw_chk_ptr) {
  439                 u_short port = 0;
  440                 /* If ipfw says divert, we have to just drop packet */
  441                 /* use port as a dummy argument */
  442                 if ((*ip6_fw_chk_ptr)(&ip6, NULL, &port, &m)) {
  443                         m_freem(m);
  444                         m = NULL;
  445                 }
  446                 if (!m)
  447                         return;
  448         }
  449 
  450         /*
  451          * construct source and destination address structures with
  452          * disambiguating their scope zones (if there is ambiguity).
  453          * XXX: sin6_family and sin6_len will NOT be referred to, but we fill
  454          * in these fields just in case.
  455          */
  456         if (in6_addr2zoneid(m->m_pkthdr.rcvif, &ip6->ip6_src, &srczone) ||
  457             in6_addr2zoneid(m->m_pkthdr.rcvif, &ip6->ip6_dst, &dstzone)) {
  458                 /*
  459                  * Note that these generic checks cover cases that src or
  460                  * dst are the loopback address and the receiving interface
  461                  * is not loopback.
  462                  */
  463                 ip6stat.ip6s_badscope++;
  464                 goto bad;
  465         }
  466 
  467         bzero(&sa6, sizeof(sa6));
  468         sa6.sin6_family = AF_INET6;
  469         sa6.sin6_len = sizeof(struct sockaddr_in6);
  470 
  471         sa6.sin6_addr = ip6->ip6_src;
  472         sa6.sin6_scope_id = srczone;
  473         if (in6_embedscope(&ip6->ip6_src, &sa6, NULL, NULL)) {
  474                 /* XXX: should not happen */
  475                 ip6stat.ip6s_badscope++;
  476                 goto bad;
  477         }
  478 
  479         sa6.sin6_addr = ip6->ip6_dst;
  480         sa6.sin6_scope_id = dstzone;
  481         if (in6_embedscope(&ip6->ip6_dst, &sa6, NULL, NULL)) {
  482                 /* XXX: should not happen */
  483                 ip6stat.ip6s_badscope++;
  484                 goto bad;
  485         }
  486 
  487         /* XXX: ff01::%ifN awareness is not merged, yet. */
  488         if (IN6_IS_ADDR_MC_INTFACELOCAL(&ip6->ip6_src))
  489                 ip6->ip6_src.s6_addr16[1] = 0;
  490         if (IN6_IS_ADDR_MC_INTFACELOCAL(&ip6->ip6_dst))
  491                 ip6->ip6_dst.s6_addr16[1] = 0;
  492 
  493         /*
  494          * Multicast check
  495          */
  496         if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
  497                 struct in6_multi *in6m = 0;
  498 
  499                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_mcast);
  500                 /*
  501                  * See if we belong to the destination multicast group on the
  502                  * arrival interface.
  503                  */
  504                 IN6_LOOKUP_MULTI(ip6->ip6_dst, m->m_pkthdr.rcvif, in6m);
  505                 if (in6m)
  506                         ours = 1;
  507                 else if (!ip6_mrouter) {
  508                         ip6stat.ip6s_notmember++;
  509                         ip6stat.ip6s_cantforward++;
  510                         in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
  511                         goto bad;
  512                 }
  513                 deliverifp = m->m_pkthdr.rcvif;
  514                 goto hbhcheck;
  515         }
  516 
  517         /*
  518          *  Unicast check
  519          */
  520         if (ip6_forward_rt.ro_rt != NULL &&
  521             (ip6_forward_rt.ro_rt->rt_flags & RTF_UP) != 0 &&
  522             IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst,
  523             &((struct sockaddr_in6 *)(&ip6_forward_rt.ro_dst))->sin6_addr))
  524                 ip6stat.ip6s_forward_cachehit++;
  525         else {
  526                 struct sockaddr_in6 *dst6;
  527 
  528                 if (ip6_forward_rt.ro_rt) {
  529                         /* route is down or destination is different */
  530                         ip6stat.ip6s_forward_cachemiss++;
  531                         RTFREE(ip6_forward_rt.ro_rt);
  532                         ip6_forward_rt.ro_rt = 0;
  533                 }
  534 
  535                 bzero(&ip6_forward_rt.ro_dst, sizeof(struct sockaddr_in6));
  536                 dst6 = (struct sockaddr_in6 *)&ip6_forward_rt.ro_dst;
  537                 dst6->sin6_len = sizeof(struct sockaddr_in6);
  538                 dst6->sin6_family = AF_INET6;
  539                 dst6->sin6_addr = ip6->ip6_dst;
  540 
  541                 rtalloc((struct route *)&ip6_forward_rt);
  542         }
  543 
  544 #define rt6_key(r) ((struct sockaddr_in6 *)((r)->rt_nodes->rn_key))
  545 
  546         /*
  547          * Accept the packet if the forwarding interface to the destination
  548          * according to the routing table is the loopback interface,
  549          * unless the associated route has a gateway.
  550          * Note that this approach causes to accept a packet if there is a
  551          * route to the loopback interface for the destination of the packet.
  552          * But we think it's even useful in some situations, e.g. when using
  553          * a special daemon which wants to intercept the packet.
  554          *
  555          * XXX: some OSes automatically make a cloned route for the destination
  556          * of an outgoing packet.  If the outgoing interface of the packet
  557          * is a loopback one, the kernel would consider the packet to be
  558          * accepted, even if we have no such address assinged on the interface.
  559          * We check the cloned flag of the route entry to reject such cases,
  560          * assuming that route entries for our own addresses are not made by
  561          * cloning (it should be true because in6_addloop explicitly installs
  562          * the host route).  However, we might have to do an explicit check
  563          * while it would be less efficient.  Or, should we rather install a
  564          * reject route for such a case?
  565          */
  566         if (ip6_forward_rt.ro_rt &&
  567             (ip6_forward_rt.ro_rt->rt_flags &
  568              (RTF_HOST|RTF_GATEWAY)) == RTF_HOST &&
  569 #ifdef RTF_WASCLONED
  570             !(ip6_forward_rt.ro_rt->rt_flags & RTF_WASCLONED) &&
  571 #endif
  572 #ifdef RTF_CLONED
  573             !(ip6_forward_rt.ro_rt->rt_flags & RTF_CLONED) &&
  574 #endif
  575 #if 0
  576             /*
  577              * The check below is redundant since the comparison of
  578              * the destination and the key of the rtentry has
  579              * already done through looking up the routing table.
  580              */
  581             IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst,
  582             &rt6_key(ip6_forward_rt.ro_rt)->sin6_addr)
  583 #endif
  584             ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_LOOP) {
  585                 struct in6_ifaddr *ia6 =
  586                         (struct in6_ifaddr *)ip6_forward_rt.ro_rt->rt_ifa;
  587 
  588                 /*
  589                  * record address information into m_tag.
  590                  */
  591                 (void)ip6_setdstifaddr(m, ia6);
  592 
  593                 /*
  594                  * packets to a tentative, duplicated, or somehow invalid
  595                  * address must not be accepted.
  596                  */
  597                 if (!(ia6->ia6_flags & IN6_IFF_NOTREADY)) {
  598                         /* this address is ready */
  599                         ours = 1;
  600                         deliverifp = ia6->ia_ifp;       /* correct? */
  601                         /* Count the packet in the ip address stats */
  602                         ia6->ia_ifa.if_ipackets++;
  603                         ia6->ia_ifa.if_ibytes += m->m_pkthdr.len;
  604                         goto hbhcheck;
  605                 } else {
  606                         /* address is not ready, so discard the packet. */
  607                         nd6log((LOG_INFO,
  608                             "ip6_input: packet to an unready address %s->%s\n",
  609                             ip6_sprintf(&ip6->ip6_src),
  610                             ip6_sprintf(&ip6->ip6_dst)));
  611 
  612                         goto bad;
  613                 }
  614         }
  615 
  616         /*
  617          * FAITH (Firewall Aided Internet Translator)
  618          */
  619         if (ip6_keepfaith) {
  620                 if (ip6_forward_rt.ro_rt && ip6_forward_rt.ro_rt->rt_ifp
  621                  && ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_FAITH) {
  622                         /* XXX do we need more sanity checks? */
  623                         ours = 1;
  624                         deliverifp = ip6_forward_rt.ro_rt->rt_ifp; /* faith */
  625                         goto hbhcheck;
  626                 }
  627         }
  628 
  629         /*
  630          * Now there is no reason to process the packet if it's not our own
  631          * and we're not a router.
  632          */
  633         if (!ip6_forwarding) {
  634                 ip6stat.ip6s_cantforward++;
  635                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
  636                 goto bad;
  637         }
  638 
  639   hbhcheck:
  640         /*
  641          * record address information into m_tag, if we don't have one yet.
  642          * note that we are unable to record it, if the address is not listed
  643          * as our interface address (e.g. multicast addresses, addresses
  644          * within FAITH prefixes and such).
  645          */
  646         if (deliverifp && !ip6_getdstifaddr(m)) {
  647                 struct in6_ifaddr *ia6;
  648 
  649                 ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst);
  650                 if (ia6) {
  651                         if (!ip6_setdstifaddr(m, ia6)) {
  652                                 /*
  653                                  * XXX maybe we should drop the packet here,
  654                                  * as we could not provide enough information
  655                                  * to the upper layers.
  656                                  */
  657                         }
  658                 }
  659         }
  660 
  661         /*
  662          * Process Hop-by-Hop options header if it's contained.
  663          * m may be modified in ip6_hopopts_input().
  664          * If a JumboPayload option is included, plen will also be modified.
  665          */
  666         plen = (u_int32_t)ntohs(ip6->ip6_plen);
  667         if (ip6->ip6_nxt == IPPROTO_HOPOPTS) {
  668                 struct ip6_hbh *hbh;
  669 
  670                 if (ip6_hopopts_input(&plen, &rtalert, &m, &off)) {
  671 #if 0   /*touches NULL pointer*/
  672                         in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
  673 #endif
  674                         return; /* m have already been freed */
  675                 }
  676 
  677                 /* adjust pointer */
  678                 ip6 = mtod(m, struct ip6_hdr *);
  679 
  680                 /*
  681                  * if the payload length field is 0 and the next header field
  682                  * indicates Hop-by-Hop Options header, then a Jumbo Payload
  683                  * option MUST be included.
  684                  */
  685                 if (ip6->ip6_plen == 0 && plen == 0) {
  686                         /*
  687                          * Note that if a valid jumbo payload option is
  688                          * contained, ip6_hopopts_input() must set a valid
  689                          * (non-zero) payload length to the variable plen.
  690                          */
  691                         ip6stat.ip6s_badoptions++;
  692                         in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
  693                         in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
  694                         icmp6_error(m, ICMP6_PARAM_PROB,
  695                                     ICMP6_PARAMPROB_HEADER,
  696                                     (caddr_t)&ip6->ip6_plen - (caddr_t)ip6);
  697                         return;
  698                 }
  699 #ifndef PULLDOWN_TEST
  700                 /* ip6_hopopts_input() ensures that mbuf is contiguous */
  701                 hbh = (struct ip6_hbh *)(ip6 + 1);
  702 #else
  703                 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr),
  704                         sizeof(struct ip6_hbh));
  705                 if (hbh == NULL) {
  706                         ip6stat.ip6s_tooshort++;
  707                         return;
  708                 }
  709 #endif
  710                 nxt = hbh->ip6h_nxt;
  711 
  712                 /*
  713                  * accept the packet if a router alert option is included
  714                  * and we act as an IPv6 router.
  715                  */
  716                 if (rtalert != ~0 && ip6_forwarding)
  717                         ours = 1;
  718         } else
  719                 nxt = ip6->ip6_nxt;
  720 
  721         /*
  722          * Check that the amount of data in the buffers
  723          * is as at least much as the IPv6 header would have us expect.
  724          * Trim mbufs if longer than we expect.
  725          * Drop packet if shorter than we expect.
  726          */
  727         if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) {
  728                 ip6stat.ip6s_tooshort++;
  729                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
  730                 goto bad;
  731         }
  732         if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) {
  733                 if (m->m_len == m->m_pkthdr.len) {
  734                         m->m_len = sizeof(struct ip6_hdr) + plen;
  735                         m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen;
  736                 } else
  737                         m_adj(m, sizeof(struct ip6_hdr) + plen - m->m_pkthdr.len);
  738         }
  739 
  740         /*
  741          * Forward if desirable.
  742          */
  743         if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
  744                 /*
  745                  * If we are acting as a multicast router, all
  746                  * incoming multicast packets are passed to the
  747                  * kernel-level multicast forwarding function.
  748                  * The packet is returned (relatively) intact; if
  749                  * ip6_mforward() returns a non-zero value, the packet
  750                  * must be discarded, else it may be accepted below.
  751                  */
  752                 if (ip6_mrouter && ip6_mforward(ip6, m->m_pkthdr.rcvif, m)) {
  753                         ip6stat.ip6s_cantforward++;
  754                         m_freem(m);
  755                         return;
  756                 }
  757                 if (!ours) {
  758                         m_freem(m);
  759                         return;
  760                 }
  761         } else if (!ours) {
  762                 ip6_forward(m, srcrt);
  763                 return;
  764         }
  765 
  766         ip6 = mtod(m, struct ip6_hdr *);
  767 
  768         /*
  769          * Malicious party may be able to use IPv4 mapped addr to confuse
  770          * tcp/udp stack and bypass security checks (act as if it was from
  771          * 127.0.0.1 by using IPv6 src ::ffff:127.0.0.1).  Be cautious.
  772          *
  773          * For SIIT end node behavior, you may want to disable the check.
  774          * However, you will  become vulnerable to attacks using IPv4 mapped
  775          * source.
  776          */
  777         if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
  778             IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
  779                 ip6stat.ip6s_badscope++;
  780                 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
  781                 goto bad;
  782         }
  783 
  784         /*
  785          * Tell launch routine the next header
  786          */
  787         ip6stat.ip6s_delivered++;
  788         in6_ifstat_inc(deliverifp, ifs6_in_deliver);
  789         nest = 0;
  790 
  791         while (nxt != IPPROTO_DONE) {
  792                 if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) {
  793                         ip6stat.ip6s_toomanyhdr++;
  794                         goto bad;
  795                 }
  796 
  797                 /*
  798                  * protection against faulty packet - there should be
  799                  * more sanity checks in header chain processing.
  800                  */
  801                 if (m->m_pkthdr.len < off) {
  802                         ip6stat.ip6s_tooshort++;
  803                         in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
  804                         goto bad;
  805                 }
  806 
  807 #ifdef IPSEC
  808                 /*
  809                  * enforce IPsec policy checking if we are seeing last header.
  810                  * note that we do not visit this with protocols with pcb layer
  811                  * code - like udp/tcp/raw ip.
  812                  */
  813                 if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
  814                     ipsec6_in_reject(m, NULL)) {
  815                         ipsec6stat.in_polvio++;
  816                         goto bad;
  817                 }
  818 #endif
  819                 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
  820         }
  821         return;
  822  bad:
  823         m_freem(m);
  824 }
  825 
  826 /*
  827  * set/grab in6_ifaddr correspond to IPv6 destination address.
  828  * XXX backward compatibility wrapper
  829  */
  830 static struct ip6aux *
  831 ip6_setdstifaddr(m, ia6)
  832         struct mbuf *m;
  833         struct in6_ifaddr *ia6;
  834 {
  835         struct ip6aux *ip6a;
  836 
  837         ip6a = ip6_addaux(m);
  838         if (ip6a)
  839                 ip6a->ip6a_dstia6 = ia6;
  840         return ip6a;    /* NULL if failed to set */
  841 }
  842 
  843 struct in6_ifaddr *
  844 ip6_getdstifaddr(m)
  845         struct mbuf *m;
  846 {
  847         struct ip6aux *ip6a;
  848 
  849         ip6a = ip6_findaux(m);
  850         if (ip6a)
  851                 return ip6a->ip6a_dstia6;
  852         else
  853                 return NULL;
  854 }
  855 
  856 /*
  857  * Hop-by-Hop options header processing. If a valid jumbo payload option is
  858  * included, the real payload length will be stored in plenp.
  859  */
  860 static int
  861 ip6_hopopts_input(plenp, rtalertp, mp, offp)
  862         u_int32_t *plenp;
  863         u_int32_t *rtalertp;    /* XXX: should be stored more smart way */
  864         struct mbuf **mp;
  865         int *offp;
  866 {
  867         struct mbuf *m = *mp;
  868         int off = *offp, hbhlen;
  869         struct ip6_hbh *hbh;
  870         u_int8_t *opt;
  871 
  872         /* validation of the length of the header */
  873 #ifndef PULLDOWN_TEST
  874         IP6_EXTHDR_CHECK(m, off, sizeof(*hbh), -1);
  875         hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off);
  876         hbhlen = (hbh->ip6h_len + 1) << 3;
  877 
  878         IP6_EXTHDR_CHECK(m, off, hbhlen, -1);
  879         hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off);
  880 #else
  881         IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m,
  882                 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh));
  883         if (hbh == NULL) {
  884                 ip6stat.ip6s_tooshort++;
  885                 return -1;
  886         }
  887         hbhlen = (hbh->ip6h_len + 1) << 3;
  888         IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr),
  889                 hbhlen);
  890         if (hbh == NULL) {
  891                 ip6stat.ip6s_tooshort++;
  892                 return -1;
  893         }
  894 #endif
  895         off += hbhlen;
  896         hbhlen -= sizeof(struct ip6_hbh);
  897         opt = (u_int8_t *)hbh + sizeof(struct ip6_hbh);
  898 
  899         if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh),
  900                                 hbhlen, rtalertp, plenp) < 0)
  901                 return (-1);
  902 
  903         *offp = off;
  904         *mp = m;
  905         return (0);
  906 }
  907 
  908 /*
  909  * Search header for all Hop-by-hop options and process each option.
  910  * This function is separate from ip6_hopopts_input() in order to
  911  * handle a case where the sending node itself process its hop-by-hop
  912  * options header. In such a case, the function is called from ip6_output().
  913  *
  914  * The function assumes that hbh header is located right after the IPv6 header
  915  * (RFC2460 p7), opthead is pointer into data content in m, and opthead to
  916  * opthead + hbhlen is located in continuous memory region.
  917  */
  918 int
  919 ip6_process_hopopts(m, opthead, hbhlen, rtalertp, plenp)
  920         struct mbuf *m;
  921         u_int8_t *opthead;
  922         int hbhlen;
  923         u_int32_t *rtalertp;
  924         u_int32_t *plenp;
  925 {
  926         struct ip6_hdr *ip6;
  927         int optlen = 0;
  928         u_int8_t *opt = opthead;
  929         u_int16_t rtalert_val;
  930         u_int32_t jumboplen;
  931         const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh);
  932 
  933         for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) {
  934                 switch (*opt) {
  935                 case IP6OPT_PAD1:
  936                         optlen = 1;
  937                         break;
  938                 case IP6OPT_PADN:
  939                         if (hbhlen < IP6OPT_MINLEN) {
  940                                 ip6stat.ip6s_toosmall++;
  941                                 goto bad;
  942                         }
  943                         optlen = *(opt + 1) + 2;
  944                         break;
  945                 case IP6OPT_ROUTER_ALERT:
  946                         /* XXX may need check for alignment */
  947                         if (hbhlen < IP6OPT_RTALERT_LEN) {
  948                                 ip6stat.ip6s_toosmall++;
  949                                 goto bad;
  950                         }
  951                         if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) {
  952                                 /* XXX stat */
  953                                 icmp6_error(m, ICMP6_PARAM_PROB,
  954                                     ICMP6_PARAMPROB_HEADER,
  955                                     erroff + opt + 1 - opthead);
  956                                 return (-1);
  957                         }
  958                         optlen = IP6OPT_RTALERT_LEN;
  959                         bcopy((caddr_t)(opt + 2), (caddr_t)&rtalert_val, 2);
  960                         *rtalertp = ntohs(rtalert_val);
  961                         break;
  962                 case IP6OPT_JUMBO:
  963                         /* XXX may need check for alignment */
  964                         if (hbhlen < IP6OPT_JUMBO_LEN) {
  965                                 ip6stat.ip6s_toosmall++;
  966                                 goto bad;
  967                         }
  968                         if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) {
  969                                 /* XXX stat */
  970                                 icmp6_error(m, ICMP6_PARAM_PROB,
  971                                     ICMP6_PARAMPROB_HEADER,
  972                                     erroff + opt + 1 - opthead);
  973                                 return (-1);
  974                         }
  975                         optlen = IP6OPT_JUMBO_LEN;
  976 
  977                         /*
  978                          * IPv6 packets that have non 0 payload length
  979                          * must not contain a jumbo payload option.
  980                          */
  981                         ip6 = mtod(m, struct ip6_hdr *);
  982                         if (ip6->ip6_plen) {
  983                                 ip6stat.ip6s_badoptions++;
  984                                 icmp6_error(m, ICMP6_PARAM_PROB,
  985                                     ICMP6_PARAMPROB_HEADER,
  986                                     erroff + opt - opthead);
  987                                 return (-1);
  988                         }
  989 
  990                         /*
  991                          * We may see jumbolen in unaligned location, so
  992                          * we'd need to perform bcopy().
  993                          */
  994                         bcopy(opt + 2, &jumboplen, sizeof(jumboplen));
  995                         jumboplen = (u_int32_t)htonl(jumboplen);
  996 
  997 #if 1
  998                         /*
  999                          * if there are multiple jumbo payload options,
 1000                          * *plenp will be non-zero and the packet will be
 1001                          * rejected.
 1002                          * the behavior may need some debate in ipngwg -
 1003                          * multiple options does not make sense, however,
 1004                          * there's no explicit mention in specification.
 1005                          */
 1006                         if (*plenp != 0) {
 1007                                 ip6stat.ip6s_badoptions++;
 1008                                 icmp6_error(m, ICMP6_PARAM_PROB,
 1009                                     ICMP6_PARAMPROB_HEADER,
 1010                                     erroff + opt + 2 - opthead);
 1011                                 return (-1);
 1012                         }
 1013 #endif
 1014 
 1015                         /*
 1016                          * jumbo payload length must be larger than 65535.
 1017                          */
 1018                         if (jumboplen <= IPV6_MAXPACKET) {
 1019                                 ip6stat.ip6s_badoptions++;
 1020                                 icmp6_error(m, ICMP6_PARAM_PROB,
 1021                                     ICMP6_PARAMPROB_HEADER,
 1022                                     erroff + opt + 2 - opthead);
 1023                                 return (-1);
 1024                         }
 1025                         *plenp = jumboplen;
 1026 
 1027                         break;
 1028                 default:                /* unknown option */
 1029                         if (hbhlen < IP6OPT_MINLEN) {
 1030                                 ip6stat.ip6s_toosmall++;
 1031                                 goto bad;
 1032                         }
 1033                         optlen = ip6_unknown_opt(opt, m,
 1034                             erroff + opt - opthead);
 1035                         if (optlen == -1)
 1036                                 return (-1);
 1037                         optlen += 2;
 1038                         break;
 1039                 }
 1040         }
 1041 
 1042         return (0);
 1043 
 1044   bad:
 1045         m_freem(m);
 1046         return (-1);
 1047 }
 1048 
 1049 /*
 1050  * Unknown option processing.
 1051  * The third argument `off' is the offset from the IPv6 header to the option,
 1052  * which is necessary if the IPv6 header the and option header and IPv6 header
 1053  * is not continuous in order to return an ICMPv6 error.
 1054  */
 1055 int
 1056 ip6_unknown_opt(optp, m, off)
 1057         u_int8_t *optp;
 1058         struct mbuf *m;
 1059         int off;
 1060 {
 1061         struct ip6_hdr *ip6;
 1062 
 1063         switch (IP6OPT_TYPE(*optp)) {
 1064         case IP6OPT_TYPE_SKIP: /* ignore the option */
 1065                 return ((int)*(optp + 1));
 1066         case IP6OPT_TYPE_DISCARD:       /* silently discard */
 1067                 m_freem(m);
 1068                 return (-1);
 1069         case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */
 1070                 ip6stat.ip6s_badoptions++;
 1071                 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off);
 1072                 return (-1);
 1073         case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */
 1074                 ip6stat.ip6s_badoptions++;
 1075                 ip6 = mtod(m, struct ip6_hdr *);
 1076                 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
 1077                     (m->m_flags & (M_BCAST|M_MCAST)))
 1078                         m_freem(m);
 1079                 else
 1080                         icmp6_error(m, ICMP6_PARAM_PROB,
 1081                                     ICMP6_PARAMPROB_OPTION, off);
 1082                 return (-1);
 1083         }
 1084 
 1085         m_freem(m);             /* XXX: NOTREACHED */
 1086         return (-1);
 1087 }
 1088 
 1089 /*
 1090  * Create the "control" list for this pcb.
 1091  * The function will not modify mbuf chain at all.
 1092  *
 1093  * with KAME mbuf chain restriction:
 1094  * The routine will be called from upper layer handlers like tcp6_input().
 1095  * Thus the routine assumes that the caller (tcp6_input) have already
 1096  * called IP6_EXTHDR_CHECK() and all the extension headers are located in the
 1097  * very first mbuf on the mbuf chain.
 1098  */
 1099 void
 1100 ip6_savecontrol(in6p, m, mp)
 1101         struct inpcb *in6p;
 1102         struct mbuf *m, **mp;
 1103 {
 1104 #define IS2292(x, y)    ((in6p->in6p_flags & IN6P_RFC2292) ? (x) : (y))
 1105         struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
 1106 
 1107 #ifdef SO_TIMESTAMP
 1108         if ((in6p->in6p_socket->so_options & SO_TIMESTAMP) != 0) {
 1109                 struct timeval tv;
 1110 
 1111                 microtime(&tv);
 1112                 *mp = sbcreatecontrol((caddr_t) &tv, sizeof(tv),
 1113                     SCM_TIMESTAMP, SOL_SOCKET);
 1114                 if (*mp)
 1115                         mp = &(*mp)->m_next;
 1116         }
 1117 #endif
 1118 
 1119         if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION)
 1120                 return;
 1121 
 1122         /* RFC 2292 sec. 5 */
 1123         if ((in6p->in6p_flags & IN6P_PKTINFO) != 0) {
 1124                 struct in6_pktinfo pi6;
 1125 
 1126                 bcopy(&ip6->ip6_dst, &pi6.ipi6_addr, sizeof(struct in6_addr));
 1127                 in6_clearscope(&pi6.ipi6_addr); /* XXX */
 1128                 pi6.ipi6_ifindex =
 1129                     (m && m->m_pkthdr.rcvif) ? m->m_pkthdr.rcvif->if_index : 0;
 1130 
 1131                 *mp = sbcreatecontrol((caddr_t) &pi6,
 1132                     sizeof(struct in6_pktinfo),
 1133                     IS2292(IPV6_2292PKTINFO, IPV6_PKTINFO), IPPROTO_IPV6);
 1134                 if (*mp)
 1135                         mp = &(*mp)->m_next;
 1136         }
 1137 
 1138         if ((in6p->in6p_flags & IN6P_HOPLIMIT) != 0) {
 1139                 int hlim = ip6->ip6_hlim & 0xff;
 1140 
 1141                 *mp = sbcreatecontrol((caddr_t) &hlim, sizeof(int),
 1142                     IS2292(IPV6_2292HOPLIMIT, IPV6_HOPLIMIT), IPPROTO_IPV6);
 1143                 if (*mp)
 1144                         mp = &(*mp)->m_next;
 1145         }
 1146 
 1147         if ((in6p->in6p_flags & IN6P_TCLASS) != 0) {
 1148                 u_int32_t flowinfo;
 1149                 int tclass;
 1150 
 1151                 flowinfo = (u_int32_t)ntohl(ip6->ip6_flow & IPV6_FLOWINFO_MASK);
 1152                 flowinfo >>= 20;
 1153 
 1154                 tclass = flowinfo & 0xff;
 1155                 *mp = sbcreatecontrol((caddr_t) &tclass, sizeof(tclass),
 1156                     IPV6_TCLASS, IPPROTO_IPV6);
 1157                 if (*mp)
 1158                         mp = &(*mp)->m_next;
 1159         }
 1160 
 1161         /*
 1162          * IPV6_HOPOPTS socket option.  Recall that we required super-user
 1163          * privilege for the option (see ip6_ctloutput), but it might be too
 1164          * strict, since there might be some hop-by-hop options which can be
 1165          * returned to normal user.
 1166          * See also RFC 2292 section 6 (or RFC 3542 section 8).
 1167          */
 1168         if ((in6p->in6p_flags & IN6P_HOPOPTS) != 0) {
 1169                 /*
 1170                  * Check if a hop-by-hop options header is contatined in the
 1171                  * received packet, and if so, store the options as ancillary
 1172                  * data. Note that a hop-by-hop options header must be
 1173                  * just after the IPv6 header, which is assured through the
 1174                  * IPv6 input processing.
 1175                  */
 1176                 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) {
 1177                         struct ip6_hbh *hbh;
 1178                         int hbhlen = 0;
 1179 #ifdef PULLDOWN_TEST
 1180                         struct mbuf *ext;
 1181 #endif
 1182 
 1183 #ifndef PULLDOWN_TEST
 1184                         hbh = (struct ip6_hbh *)(ip6 + 1);
 1185                         hbhlen = (hbh->ip6h_len + 1) << 3;
 1186 #else
 1187                         ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr),
 1188                             ip6->ip6_nxt);
 1189                         if (ext == NULL) {
 1190                                 ip6stat.ip6s_tooshort++;
 1191                                 return;
 1192                         }
 1193                         hbh = mtod(ext, struct ip6_hbh *);
 1194                         hbhlen = (hbh->ip6h_len + 1) << 3;
 1195                         if (hbhlen != ext->m_len) {
 1196                                 m_freem(ext);
 1197                                 ip6stat.ip6s_tooshort++;
 1198                                 return;
 1199                         }
 1200 #endif
 1201 
 1202                         /*
 1203                          * XXX: We copy the whole header even if a
 1204                          * jumbo payload option is included, the option which
 1205                          * is to be removed before returning according to
 1206                          * RFC2292.
 1207                          * Note: this constraint is removed in 2292bis.
 1208                          */
 1209                         *mp = sbcreatecontrol((caddr_t)hbh, hbhlen,
 1210                             IS2292(IPV6_2292HOPOPTS, IPV6_HOPOPTS),
 1211                             IPPROTO_IPV6);
 1212                         if (*mp)
 1213                                 mp = &(*mp)->m_next;
 1214 #ifdef PULLDOWN_TEST
 1215                         m_freem(ext);
 1216 #endif
 1217                 }
 1218         }
 1219 
 1220         if ((in6p->in6p_flags & (IN6P_RTHDR | IN6P_DSTOPTS)) != 0) {
 1221                 int nxt = ip6->ip6_nxt, off = sizeof(struct ip6_hdr);
 1222 
 1223                 /*
 1224                  * Search for destination options headers or routing
 1225                  * header(s) through the header chain, and stores each
 1226                  * header as ancillary data.
 1227                  * Note that the order of the headers remains in
 1228                  * the chain of ancillary data.
 1229                  */
 1230                 while (1) {     /* is explicit loop prevention necessary? */
 1231                         struct ip6_ext *ip6e = NULL;
 1232                         int elen;
 1233 #ifdef PULLDOWN_TEST
 1234                         struct mbuf *ext = NULL;
 1235 #endif
 1236 
 1237                         /*
 1238                          * if it is not an extension header, don't try to
 1239                          * pull it from the chain.
 1240                          */
 1241                         switch (nxt) {
 1242                         case IPPROTO_DSTOPTS:
 1243                         case IPPROTO_ROUTING:
 1244                         case IPPROTO_HOPOPTS:
 1245                         case IPPROTO_AH: /* is it possible? */
 1246                                 break;
 1247                         default:
 1248                                 goto loopend;
 1249                         }
 1250 
 1251 #ifndef PULLDOWN_TEST
 1252                         if (off + sizeof(*ip6e) > m->m_len)
 1253                                 goto loopend;
 1254                         ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + off);
 1255                         if (nxt == IPPROTO_AH)
 1256                                 elen = (ip6e->ip6e_len + 2) << 2;
 1257                         else
 1258                                 elen = (ip6e->ip6e_len + 1) << 3;
 1259                         if (off + elen > m->m_len)
 1260                                 goto loopend;
 1261 #else
 1262                         ext = ip6_pullexthdr(m, off, nxt);
 1263                         if (ext == NULL) {
 1264                                 ip6stat.ip6s_tooshort++;
 1265                                 return;
 1266                         }
 1267                         ip6e = mtod(ext, struct ip6_ext *);
 1268                         if (nxt == IPPROTO_AH)
 1269                                 elen = (ip6e->ip6e_len + 2) << 2;
 1270                         else
 1271                                 elen = (ip6e->ip6e_len + 1) << 3;
 1272                         if (elen != ext->m_len) {
 1273                                 m_freem(ext);
 1274                                 ip6stat.ip6s_tooshort++;
 1275                                 return;
 1276                         }
 1277 #endif
 1278 
 1279                         switch (nxt) {
 1280                         case IPPROTO_DSTOPTS:
 1281                                 if (!(in6p->in6p_flags & IN6P_DSTOPTS))
 1282                                         break;
 1283 
 1284                                 *mp = sbcreatecontrol((caddr_t)ip6e, elen,
 1285                                     IS2292(IPV6_2292DSTOPTS, IPV6_DSTOPTS),
 1286                                     IPPROTO_IPV6);
 1287                                 if (*mp)
 1288                                         mp = &(*mp)->m_next;
 1289                                 break;
 1290                         case IPPROTO_ROUTING:
 1291                                 if (!in6p->in6p_flags & IN6P_RTHDR)
 1292                                         break;
 1293 
 1294                                 *mp = sbcreatecontrol((caddr_t)ip6e, elen,
 1295                                     IS2292(IPV6_2292RTHDR, IPV6_RTHDR),
 1296                                     IPPROTO_IPV6);
 1297                                 if (*mp)
 1298                                         mp = &(*mp)->m_next;
 1299                                 break;
 1300                         case IPPROTO_HOPOPTS:
 1301                         case IPPROTO_AH: /* is it possible? */
 1302                                 break;
 1303 
 1304                         default:
 1305                                 /*
 1306                                  * other cases have been filtered in the above.
 1307                                  * none will visit this case.  here we supply
 1308                                  * the code just in case (nxt overwritten or
 1309                                  * other cases).
 1310                                  */
 1311 #ifdef PULLDOWN_TEST
 1312                                 m_freem(ext);
 1313 #endif
 1314                                 goto loopend;
 1315 
 1316                         }
 1317 
 1318                         /* proceed with the next header. */
 1319                         off += elen;
 1320                         nxt = ip6e->ip6e_nxt;
 1321                         ip6e = NULL;
 1322 #ifdef PULLDOWN_TEST
 1323                         m_freem(ext);
 1324                         ext = NULL;
 1325 #endif
 1326                 }
 1327           loopend:
 1328                 ;
 1329         }
 1330 
 1331 #undef IS2292
 1332 }
 1333 
 1334 void
 1335 ip6_notify_pmtu(in6p, dst, mtu)
 1336         struct inpcb *in6p;
 1337         struct sockaddr_in6 *dst;
 1338         u_int32_t *mtu;
 1339 {
 1340         struct socket *so;
 1341         struct mbuf *m_mtu;
 1342         struct ip6_mtuinfo mtuctl;
 1343 
 1344         so =  in6p->inp_socket;
 1345 
 1346         if (mtu == NULL)
 1347                 return;
 1348 
 1349 #ifdef DIAGNOSTIC
 1350         if (so == NULL)         /* I believe this is impossible */
 1351                 panic("ip6_notify_pmtu: socket is NULL");
 1352 #endif
 1353 
 1354         bzero(&mtuctl, sizeof(mtuctl)); /* zero-clear for safety */
 1355         mtuctl.ip6m_mtu = *mtu;
 1356         mtuctl.ip6m_addr = *dst;
 1357         in6_recoverscope(&mtuctl.ip6m_addr, &mtuctl.ip6m_addr.sin6_addr, NULL);
 1358 
 1359         if ((m_mtu = sbcreatecontrol((caddr_t)&mtuctl, sizeof(mtuctl),
 1360             IPV6_PATHMTU, IPPROTO_IPV6)) == NULL)
 1361                 return;
 1362 
 1363         if (sbappendaddr(&so->so_rcv, (struct sockaddr *)dst, NULL, m_mtu)
 1364             == 0) {
 1365                 m_freem(m_mtu);
 1366                 /* XXX: should count statistics */
 1367         } else
 1368                 sorwakeup(so);
 1369 
 1370         return;
 1371 }
 1372 
 1373 #ifdef PULLDOWN_TEST
 1374 /*
 1375  * pull single extension header from mbuf chain.  returns single mbuf that
 1376  * contains the result, or NULL on error.
 1377  */
 1378 static struct mbuf *
 1379 ip6_pullexthdr(m, off, nxt)
 1380         struct mbuf *m;
 1381         size_t off;
 1382         int nxt;
 1383 {
 1384         struct ip6_ext ip6e;
 1385         size_t elen;
 1386         struct mbuf *n;
 1387 
 1388 #ifdef DIAGNOSTIC
 1389         switch (nxt) {
 1390         case IPPROTO_DSTOPTS:
 1391         case IPPROTO_ROUTING:
 1392         case IPPROTO_HOPOPTS:
 1393         case IPPROTO_AH: /* is it possible? */
 1394                 break;
 1395         default:
 1396                 printf("ip6_pullexthdr: invalid nxt=%d\n", nxt);
 1397         }
 1398 #endif
 1399 
 1400         m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
 1401         if (nxt == IPPROTO_AH)
 1402                 elen = (ip6e.ip6e_len + 2) << 2;
 1403         else
 1404                 elen = (ip6e.ip6e_len + 1) << 3;
 1405 
 1406         MGET(n, M_DONTWAIT, MT_DATA);
 1407         if (n && elen >= MLEN) {
 1408                 MCLGET(n, M_DONTWAIT);
 1409                 if ((n->m_flags & M_EXT) == 0) {
 1410                         m_free(n);
 1411                         n = NULL;
 1412                 }
 1413         }
 1414         if (!n)
 1415                 return NULL;
 1416 
 1417         n->m_len = 0;
 1418         if (elen >= M_TRAILINGSPACE(n)) {
 1419                 m_free(n);
 1420                 return NULL;
 1421         }
 1422 
 1423         m_copydata(m, off, elen, mtod(n, caddr_t));
 1424         n->m_len = elen;
 1425         return n;
 1426 }
 1427 #endif
 1428 
 1429 /*
 1430  * Get pointer to the previous header followed by the header
 1431  * currently processed.
 1432  * XXX: This function supposes that
 1433  *      M includes all headers,
 1434  *      the next header field and the header length field of each header
 1435  *      are valid, and
 1436  *      the sum of each header length equals to OFF.
 1437  * Because of these assumptions, this function must be called very
 1438  * carefully. Moreover, it will not be used in the near future when
 1439  * we develop `neater' mechanism to process extension headers.
 1440  */
 1441 char *
 1442 ip6_get_prevhdr(m, off)
 1443         struct mbuf *m;
 1444         int off;
 1445 {
 1446         struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
 1447 
 1448         if (off == sizeof(struct ip6_hdr))
 1449                 return (&ip6->ip6_nxt);
 1450         else {
 1451                 int len, nxt;
 1452                 struct ip6_ext *ip6e = NULL;
 1453 
 1454                 nxt = ip6->ip6_nxt;
 1455                 len = sizeof(struct ip6_hdr);
 1456                 while (len < off) {
 1457                         ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + len);
 1458 
 1459                         switch (nxt) {
 1460                         case IPPROTO_FRAGMENT:
 1461                                 len += sizeof(struct ip6_frag);
 1462                                 break;
 1463                         case IPPROTO_AH:
 1464                                 len += (ip6e->ip6e_len + 2) << 2;
 1465                                 break;
 1466                         default:
 1467                                 len += (ip6e->ip6e_len + 1) << 3;
 1468                                 break;
 1469                         }
 1470                         nxt = ip6e->ip6e_nxt;
 1471                 }
 1472                 if (ip6e)
 1473                         return (&ip6e->ip6e_nxt);
 1474                 else
 1475                         return NULL;
 1476         }
 1477 }
 1478 
 1479 /*
 1480  * get next header offset.  m will be retained.
 1481  */
 1482 int
 1483 ip6_nexthdr(m, off, proto, nxtp)
 1484         struct mbuf *m;
 1485         int off;
 1486         int proto;
 1487         int *nxtp;
 1488 {
 1489         struct ip6_hdr ip6;
 1490         struct ip6_ext ip6e;
 1491         struct ip6_frag fh;
 1492 
 1493         /* just in case */
 1494         if (m == NULL)
 1495                 panic("ip6_nexthdr: m == NULL");
 1496         if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off)
 1497                 return -1;
 1498 
 1499         switch (proto) {
 1500         case IPPROTO_IPV6:
 1501                 if (m->m_pkthdr.len < off + sizeof(ip6))
 1502                         return -1;
 1503                 m_copydata(m, off, sizeof(ip6), (caddr_t)&ip6);
 1504                 if (nxtp)
 1505                         *nxtp = ip6.ip6_nxt;
 1506                 off += sizeof(ip6);
 1507                 return off;
 1508 
 1509         case IPPROTO_FRAGMENT:
 1510                 /*
 1511                  * terminate parsing if it is not the first fragment,
 1512                  * it does not make sense to parse through it.
 1513                  */
 1514                 if (m->m_pkthdr.len < off + sizeof(fh))
 1515                         return -1;
 1516                 m_copydata(m, off, sizeof(fh), (caddr_t)&fh);
 1517                 /* IP6F_OFF_MASK = 0xfff8(BigEndian), 0xf8ff(LittleEndian) */
 1518                 if (fh.ip6f_offlg & IP6F_OFF_MASK)
 1519                         return -1;
 1520                 if (nxtp)
 1521                         *nxtp = fh.ip6f_nxt;
 1522                 off += sizeof(struct ip6_frag);
 1523                 return off;
 1524 
 1525         case IPPROTO_AH:
 1526                 if (m->m_pkthdr.len < off + sizeof(ip6e))
 1527                         return -1;
 1528                 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
 1529                 if (nxtp)
 1530                         *nxtp = ip6e.ip6e_nxt;
 1531                 off += (ip6e.ip6e_len + 2) << 2;
 1532                 return off;
 1533 
 1534         case IPPROTO_HOPOPTS:
 1535         case IPPROTO_ROUTING:
 1536         case IPPROTO_DSTOPTS:
 1537                 if (m->m_pkthdr.len < off + sizeof(ip6e))
 1538                         return -1;
 1539                 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
 1540                 if (nxtp)
 1541                         *nxtp = ip6e.ip6e_nxt;
 1542                 off += (ip6e.ip6e_len + 1) << 3;
 1543                 return off;
 1544 
 1545         case IPPROTO_NONE:
 1546         case IPPROTO_ESP:
 1547         case IPPROTO_IPCOMP:
 1548                 /* give up */
 1549                 return -1;
 1550 
 1551         default:
 1552                 return -1;
 1553         }
 1554 
 1555         return -1;
 1556 }
 1557 
 1558 /*
 1559  * get offset for the last header in the chain.  m will be kept untainted.
 1560  */
 1561 int
 1562 ip6_lasthdr(m, off, proto, nxtp)
 1563         struct mbuf *m;
 1564         int off;
 1565         int proto;
 1566         int *nxtp;
 1567 {
 1568         int newoff;
 1569         int nxt;
 1570 
 1571         if (!nxtp) {
 1572                 nxt = -1;
 1573                 nxtp = &nxt;
 1574         }
 1575         while (1) {
 1576                 newoff = ip6_nexthdr(m, off, proto, nxtp);
 1577                 if (newoff < 0)
 1578                         return off;
 1579                 else if (newoff < off)
 1580                         return -1;      /* invalid */
 1581                 else if (newoff == off)
 1582                         return newoff;
 1583 
 1584                 off = newoff;
 1585                 proto = *nxtp;
 1586         }
 1587 }
 1588 
 1589 struct ip6aux *
 1590 ip6_addaux(m)
 1591         struct mbuf *m;
 1592 {
 1593         struct m_tag *mtag;
 1594 
 1595         mtag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL);
 1596         if (!mtag) {
 1597                 mtag = m_tag_get(PACKET_TAG_IPV6_INPUT, sizeof(struct ip6aux),
 1598                     M_NOWAIT);
 1599                 if (mtag) {
 1600                         m_tag_prepend(m, mtag);
 1601                         bzero(mtag + 1, sizeof(struct ip6aux));
 1602                 }
 1603         }
 1604         return mtag ? (struct ip6aux *)(mtag + 1) : NULL;
 1605 }
 1606 
 1607 struct ip6aux *
 1608 ip6_findaux(m)
 1609         struct mbuf *m;
 1610 {
 1611         struct m_tag *mtag;
 1612 
 1613         mtag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL);
 1614         return mtag ? (struct ip6aux *)(mtag + 1) : NULL;
 1615 }
 1616 
 1617 void
 1618 ip6_delaux(m)
 1619         struct mbuf *m;
 1620 {
 1621         struct m_tag *mtag;
 1622 
 1623         mtag = m_tag_find(m, PACKET_TAG_IPV6_INPUT, NULL);
 1624         if (mtag)
 1625                 m_tag_delete(m, mtag);
 1626 }
 1627 
 1628 /*
 1629  * System control for IP6
 1630  */
 1631 
 1632 u_char  inet6ctlerrmap[PRC_NCMDS] = {
 1633         0,              0,              0,              0,
 1634         0,              EMSGSIZE,       EHOSTDOWN,      EHOSTUNREACH,
 1635         EHOSTUNREACH,   EHOSTUNREACH,   ECONNREFUSED,   ECONNREFUSED,
 1636         EMSGSIZE,       EHOSTUNREACH,   0,              0,
 1637         0,              0,              0,              0,
 1638         ENOPROTOOPT
 1639 };

Cache object: 3177542cb26d1b15f3656f18f36353f6


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.