1 /* 2 * Copyright (c) 1982, 1986, 1988, 1990, 1993 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. All advertising materials mentioning features or use of this software 14 * must display the following acknowledgement: 15 * This product includes software developed by the University of 16 * California, Berkeley and its contributors. 17 * 4. Neither the name of the University nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 * 33 * @(#)ip_output.c 8.3 (Berkeley) 1/21/94 34 * $FreeBSD$ 35 */ 36 37 #define _IP_VHL 38 39 #include "opt_ipfw.h" 40 #include "opt_ipdn.h" 41 #include "opt_ipdivert.h" 42 #include "opt_ipfilter.h" 43 #include "opt_ipsec.h" 44 #include "opt_pfil_hooks.h" 45 #include "opt_random_ip_id.h" 46 47 #include <sys/param.h> 48 #include <sys/systm.h> 49 #include <sys/kernel.h> 50 #include <sys/malloc.h> 51 #include <sys/mbuf.h> 52 #include <sys/protosw.h> 53 #include <sys/socket.h> 54 #include <sys/socketvar.h> 55 56 #include <net/if.h> 57 #include <net/route.h> 58 59 #include <netinet/in.h> 60 #include <netinet/in_systm.h> 61 #include <netinet/ip.h> 62 #include <netinet/in_pcb.h> 63 #include <netinet/in_var.h> 64 #include <netinet/ip_var.h> 65 66 #include <machine/in_cksum.h> 67 68 static MALLOC_DEFINE(M_IPMOPTS, "ip_moptions", "internet multicast options"); 69 70 #ifdef IPSEC 71 #include <netinet6/ipsec.h> 72 #include <netkey/key.h> 73 #ifdef IPSEC_DEBUG 74 #include <netkey/key_debug.h> 75 #else 76 #define KEYDEBUG(lev,arg) 77 #endif 78 #endif /*IPSEC*/ 79 80 #include <netinet/ip_fw.h> 81 #include <netinet/ip_dummynet.h> 82 83 #ifdef IPFIREWALL_FORWARD_DEBUG 84 #define print_ip(a) printf("%ld.%ld.%ld.%ld",(ntohl(a.s_addr)>>24)&0xFF,\ 85 (ntohl(a.s_addr)>>16)&0xFF,\ 86 (ntohl(a.s_addr)>>8)&0xFF,\ 87 (ntohl(a.s_addr))&0xFF); 88 #endif 89 90 u_short ip_id; 91 92 static struct mbuf *ip_insertoptions __P((struct mbuf *, struct mbuf *, int *)); 93 static struct ifnet *ip_multicast_if __P((struct in_addr *, int *)); 94 static void ip_mloopback 95 __P((struct ifnet *, struct mbuf *, struct sockaddr_in *, int)); 96 static int ip_getmoptions 97 __P((struct sockopt *, struct ip_moptions *)); 98 static int ip_pcbopts __P((int, struct mbuf **, struct mbuf *)); 99 static int ip_setmoptions 100 __P((struct sockopt *, struct ip_moptions **)); 101 102 int ip_optcopy __P((struct ip *, struct ip *)); 103 104 105 extern struct protosw inetsw[]; 106 107 /* 108 * IP output. The packet in mbuf chain m contains a skeletal IP 109 * header (with len, off, ttl, proto, tos, src, dst). 110 * The mbuf chain containing the packet will be freed. 111 * The mbuf opt, if present, will not be freed. 112 */ 113 int 114 ip_output(m0, opt, ro, flags, imo) 115 struct mbuf *m0; 116 struct mbuf *opt; 117 struct route *ro; 118 int flags; 119 struct ip_moptions *imo; 120 { 121 struct ip *ip, *mhip; 122 struct ifnet *ifp; 123 struct mbuf *m = m0; 124 int hlen = sizeof (struct ip); 125 int len, off, error = 0; 126 struct sockaddr_in *dst; 127 struct in_ifaddr *ia; 128 int isbroadcast, sw_csum; 129 #ifdef IPSEC 130 struct route iproute; 131 struct socket *so = NULL; 132 struct secpolicy *sp = NULL; 133 #endif 134 u_int16_t divert_cookie; /* firewall cookie */ 135 #ifdef PFIL_HOOKS 136 struct packet_filter_hook *pfh; 137 struct mbuf *m1; 138 int rv; 139 #endif /* PFIL_HOOKS */ 140 #ifdef IPFIREWALL_FORWARD 141 int fwd_rewrite_src = 0; 142 #endif 143 struct ip_fw *rule = NULL; 144 145 #ifdef IPDIVERT 146 /* Get and reset firewall cookie */ 147 divert_cookie = ip_divert_cookie; 148 ip_divert_cookie = 0; 149 #else 150 divert_cookie = 0; 151 #endif 152 153 /* 154 * dummynet packet are prepended a vestigial mbuf with 155 * m_type = MT_DUMMYNET and m_data pointing to the matching 156 * rule. 157 */ 158 if (m->m_type == MT_DUMMYNET) { 159 /* 160 * the packet was already tagged, so part of the 161 * processing was already done, and we need to go down. 162 * Get parameters from the header. 163 */ 164 rule = (struct ip_fw *)(m->m_data) ; 165 opt = NULL ; 166 ro = & ( ((struct dn_pkt *)m)->ro ) ; 167 imo = NULL ; 168 dst = ((struct dn_pkt *)m)->dn_dst ; 169 ifp = ((struct dn_pkt *)m)->ifp ; 170 flags = ((struct dn_pkt *)m)->flags ; 171 172 m0 = m = m->m_next ; 173 #ifdef IPSEC 174 so = ipsec_getsocket(m); 175 (void)ipsec_setsocket(m, NULL); 176 #endif 177 ip = mtod(m, struct ip *); 178 hlen = IP_VHL_HL(ip->ip_vhl) << 2 ; 179 ia = ifatoia(ro->ro_rt->rt_ifa); 180 goto sendit; 181 } else 182 rule = NULL ; 183 #ifdef IPSEC 184 so = ipsec_getsocket(m); 185 (void)ipsec_setsocket(m, NULL); 186 #endif 187 188 #ifdef DIAGNOSTIC 189 if ((m->m_flags & M_PKTHDR) == 0) 190 panic("ip_output no HDR"); 191 if (!ro) 192 panic("ip_output no route, proto = %d", 193 mtod(m, struct ip *)->ip_p); 194 #endif 195 if (opt) { 196 m = ip_insertoptions(m, opt, &len); 197 hlen = len; 198 } 199 ip = mtod(m, struct ip *); 200 /* 201 * Fill in IP header. 202 */ 203 if ((flags & (IP_FORWARDING|IP_RAWOUTPUT)) == 0) { 204 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, hlen >> 2); 205 ip->ip_off &= IP_DF; 206 #ifdef RANDOM_IP_ID 207 ip->ip_id = ip_randomid(); 208 #else 209 ip->ip_id = htons(ip_id++); 210 #endif 211 ipstat.ips_localout++; 212 } else { 213 hlen = IP_VHL_HL(ip->ip_vhl) << 2; 214 } 215 216 dst = (struct sockaddr_in *)&ro->ro_dst; 217 /* 218 * If there is a cached route, 219 * check that it is to the same destination 220 * and is still up. If not, free it and try again. 221 */ 222 if (ro->ro_rt && ((ro->ro_rt->rt_flags & RTF_UP) == 0 || 223 dst->sin_addr.s_addr != ip->ip_dst.s_addr)) { 224 RTFREE(ro->ro_rt); 225 ro->ro_rt = (struct rtentry *)0; 226 } 227 if (ro->ro_rt == 0) { 228 dst->sin_family = AF_INET; 229 dst->sin_len = sizeof(*dst); 230 dst->sin_addr = ip->ip_dst; 231 } 232 /* 233 * If routing to interface only, 234 * short circuit routing lookup. 235 */ 236 if (flags & IP_ROUTETOIF) { 237 if ((ia = ifatoia(ifa_ifwithdstaddr(sintosa(dst)))) == 0 && 238 (ia = ifatoia(ifa_ifwithnet(sintosa(dst)))) == 0) { 239 ipstat.ips_noroute++; 240 error = ENETUNREACH; 241 goto bad; 242 } 243 ifp = ia->ia_ifp; 244 ip->ip_ttl = 1; 245 isbroadcast = in_broadcast(dst->sin_addr, ifp); 246 } else if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) && 247 imo != NULL && imo->imo_multicast_ifp != NULL) { 248 /* 249 * Bypass the normal routing lookup for multicast 250 * packets if the interface is specified. 251 */ 252 ifp = imo->imo_multicast_ifp; 253 IFP_TO_IA(ifp, ia); 254 isbroadcast = 0; /* fool gcc */ 255 } else { 256 /* 257 * If this is the case, we probably don't want to allocate 258 * a protocol-cloned route since we didn't get one from the 259 * ULP. This lets TCP do its thing, while not burdening 260 * forwarding or ICMP with the overhead of cloning a route. 261 * Of course, we still want to do any cloning requested by 262 * the link layer, as this is probably required in all cases 263 * for correct operation (as it is for ARP). 264 */ 265 if (ro->ro_rt == 0) 266 rtalloc_ign(ro, RTF_PRCLONING); 267 if (ro->ro_rt == 0) { 268 ipstat.ips_noroute++; 269 error = EHOSTUNREACH; 270 goto bad; 271 } 272 ia = ifatoia(ro->ro_rt->rt_ifa); 273 ifp = ro->ro_rt->rt_ifp; 274 ro->ro_rt->rt_use++; 275 if (ro->ro_rt->rt_flags & RTF_GATEWAY) 276 dst = (struct sockaddr_in *)ro->ro_rt->rt_gateway; 277 if (ro->ro_rt->rt_flags & RTF_HOST) 278 isbroadcast = (ro->ro_rt->rt_flags & RTF_BROADCAST); 279 else 280 isbroadcast = in_broadcast(dst->sin_addr, ifp); 281 } 282 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { 283 struct in_multi *inm; 284 285 m->m_flags |= M_MCAST; 286 /* 287 * IP destination address is multicast. Make sure "dst" 288 * still points to the address in "ro". (It may have been 289 * changed to point to a gateway address, above.) 290 */ 291 dst = (struct sockaddr_in *)&ro->ro_dst; 292 /* 293 * See if the caller provided any multicast options 294 */ 295 if (imo != NULL) { 296 ip->ip_ttl = imo->imo_multicast_ttl; 297 if (imo->imo_multicast_vif != -1) 298 ip->ip_src.s_addr = 299 ip_mcast_src(imo->imo_multicast_vif); 300 } else 301 ip->ip_ttl = IP_DEFAULT_MULTICAST_TTL; 302 /* 303 * Confirm that the outgoing interface supports multicast. 304 */ 305 if ((imo == NULL) || (imo->imo_multicast_vif == -1)) { 306 if ((ifp->if_flags & IFF_MULTICAST) == 0) { 307 ipstat.ips_noroute++; 308 error = ENETUNREACH; 309 goto bad; 310 } 311 } 312 /* 313 * If source address not specified yet, use address 314 * of outgoing interface. 315 */ 316 if (ip->ip_src.s_addr == INADDR_ANY) { 317 /* Interface may have no addresses. */ 318 if (ia != NULL) 319 ip->ip_src = IA_SIN(ia)->sin_addr; 320 } 321 322 IN_LOOKUP_MULTI(ip->ip_dst, ifp, inm); 323 if (inm != NULL && 324 (imo == NULL || imo->imo_multicast_loop)) { 325 /* 326 * If we belong to the destination multicast group 327 * on the outgoing interface, and the caller did not 328 * forbid loopback, loop back a copy. 329 */ 330 ip_mloopback(ifp, m, dst, hlen); 331 } 332 else { 333 /* 334 * If we are acting as a multicast router, perform 335 * multicast forwarding as if the packet had just 336 * arrived on the interface to which we are about 337 * to send. The multicast forwarding function 338 * recursively calls this function, using the 339 * IP_FORWARDING flag to prevent infinite recursion. 340 * 341 * Multicasts that are looped back by ip_mloopback(), 342 * above, will be forwarded by the ip_input() routine, 343 * if necessary. 344 */ 345 if (ip_mrouter && (flags & IP_FORWARDING) == 0) { 346 /* 347 * Check if rsvp daemon is running. If not, don't 348 * set ip_moptions. This ensures that the packet 349 * is multicast and not just sent down one link 350 * as prescribed by rsvpd. 351 */ 352 if (!rsvp_on) 353 imo = NULL; 354 if (ip_mforward(ip, ifp, m, imo) != 0) { 355 m_freem(m); 356 goto done; 357 } 358 } 359 } 360 361 /* 362 * Multicasts with a time-to-live of zero may be looped- 363 * back, above, but must not be transmitted on a network. 364 * Also, multicasts addressed to the loopback interface 365 * are not sent -- the above call to ip_mloopback() will 366 * loop back a copy if this host actually belongs to the 367 * destination group on the loopback interface. 368 */ 369 if (ip->ip_ttl == 0 || ifp->if_flags & IFF_LOOPBACK) { 370 m_freem(m); 371 goto done; 372 } 373 374 goto sendit; 375 } 376 #ifndef notdef 377 /* 378 * If source address not specified yet, use address 379 * of outgoing interface. 380 */ 381 if (ip->ip_src.s_addr == INADDR_ANY) { 382 /* Interface may have no addresses. */ 383 if (ia != NULL) { 384 ip->ip_src = IA_SIN(ia)->sin_addr; 385 #ifdef IPFIREWALL_FORWARD 386 /* Keep note that we did this - if the firewall changes 387 * the next-hop, our interface may change, changing the 388 * default source IP. It's a shame so much effort happens 389 * twice. Oh well. 390 */ 391 fwd_rewrite_src++; 392 #endif /* IPFIREWALL_FORWARD */ 393 } 394 } 395 #endif /* notdef */ 396 /* 397 * Verify that we have any chance at all of being able to queue 398 * the packet or packet fragments 399 */ 400 if ((ifp->if_snd.ifq_len + ip->ip_len / ifp->if_mtu + 1) >= 401 ifp->if_snd.ifq_maxlen) { 402 error = ENOBUFS; 403 ipstat.ips_odropped++; 404 goto bad; 405 } 406 407 /* 408 * Look for broadcast address and 409 * and verify user is allowed to send 410 * such a packet. 411 */ 412 if (isbroadcast) { 413 if ((ifp->if_flags & IFF_BROADCAST) == 0) { 414 error = EADDRNOTAVAIL; 415 goto bad; 416 } 417 if ((flags & IP_ALLOWBROADCAST) == 0) { 418 error = EACCES; 419 goto bad; 420 } 421 /* don't allow broadcast messages to be fragmented */ 422 if ((u_short)ip->ip_len > ifp->if_mtu) { 423 error = EMSGSIZE; 424 goto bad; 425 } 426 m->m_flags |= M_BCAST; 427 } else { 428 m->m_flags &= ~M_BCAST; 429 } 430 431 sendit: 432 #ifdef IPSEC 433 /* get SP for this packet */ 434 if (so == NULL) 435 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, flags, &error); 436 else 437 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_OUTBOUND, so, &error); 438 439 if (sp == NULL) { 440 ipsecstat.out_inval++; 441 goto bad; 442 } 443 444 error = 0; 445 446 /* check policy */ 447 switch (sp->policy) { 448 case IPSEC_POLICY_DISCARD: 449 /* 450 * This packet is just discarded. 451 */ 452 ipsecstat.out_polvio++; 453 goto bad; 454 455 case IPSEC_POLICY_BYPASS: 456 case IPSEC_POLICY_NONE: 457 /* no need to do IPsec. */ 458 goto skip_ipsec; 459 460 case IPSEC_POLICY_IPSEC: 461 if (sp->req == NULL) { 462 /* acquire a policy */ 463 error = key_spdacquire(sp); 464 goto bad; 465 } 466 break; 467 468 case IPSEC_POLICY_ENTRUST: 469 default: 470 printf("ip_output: Invalid policy found. %d\n", sp->policy); 471 } 472 { 473 struct ipsec_output_state state; 474 bzero(&state, sizeof(state)); 475 state.m = m; 476 if (flags & IP_ROUTETOIF) { 477 state.ro = &iproute; 478 bzero(&iproute, sizeof(iproute)); 479 } else 480 state.ro = ro; 481 state.dst = (struct sockaddr *)dst; 482 483 ip->ip_sum = 0; 484 485 /* 486 * XXX 487 * delayed checksums are not currently compatible with IPsec 488 */ 489 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { 490 in_delayed_cksum(m); 491 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; 492 } 493 494 HTONS(ip->ip_len); 495 HTONS(ip->ip_off); 496 497 error = ipsec4_output(&state, sp, flags); 498 499 m = state.m; 500 if (flags & IP_ROUTETOIF) { 501 /* 502 * if we have tunnel mode SA, we may need to ignore 503 * IP_ROUTETOIF. 504 */ 505 if (state.ro != &iproute || state.ro->ro_rt != NULL) { 506 flags &= ~IP_ROUTETOIF; 507 ro = state.ro; 508 } 509 } else 510 ro = state.ro; 511 dst = (struct sockaddr_in *)state.dst; 512 if (error) { 513 /* mbuf is already reclaimed in ipsec4_output. */ 514 m0 = NULL; 515 switch (error) { 516 case EHOSTUNREACH: 517 case ENETUNREACH: 518 case EMSGSIZE: 519 case ENOBUFS: 520 case ENOMEM: 521 break; 522 default: 523 printf("ip4_output (ipsec): error code %d\n", error); 524 /*fall through*/ 525 case ENOENT: 526 /* don't show these error codes to the user */ 527 error = 0; 528 break; 529 } 530 goto bad; 531 } 532 } 533 534 /* be sure to update variables that are affected by ipsec4_output() */ 535 ip = mtod(m, struct ip *); 536 #ifdef _IP_VHL 537 hlen = IP_VHL_HL(ip->ip_vhl) << 2; 538 #else 539 hlen = ip->ip_hl << 2; 540 #endif 541 if (ro->ro_rt == NULL) { 542 if ((flags & IP_ROUTETOIF) == 0) { 543 printf("ip_output: " 544 "can't update route after IPsec processing\n"); 545 error = EHOSTUNREACH; /*XXX*/ 546 goto bad; 547 } 548 } else { 549 ia = ifatoia(ro->ro_rt->rt_ifa); 550 ifp = ro->ro_rt->rt_ifp; 551 } 552 553 /* make it flipped, again. */ 554 NTOHS(ip->ip_len); 555 NTOHS(ip->ip_off); 556 skip_ipsec: 557 #endif /*IPSEC*/ 558 559 /* 560 * IpHack's section. 561 * - Xlate: translate packet's addr/port (NAT). 562 * - Firewall: deny/allow/etc. 563 * - Wrap: fake packet's addr/port <unimpl.> 564 * - Encapsulate: put it in another IP and send out. <unimp.> 565 */ 566 #ifdef PFIL_HOOKS 567 /* 568 * Run through list of hooks for output packets. 569 */ 570 m1 = m; 571 pfh = pfil_hook_get(PFIL_OUT, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh); 572 for (; pfh; pfh = TAILQ_NEXT(pfh, pfil_link)) 573 if (pfh->pfil_func) { 574 rv = pfh->pfil_func(ip, hlen, ifp, 1, &m1); 575 if (rv) { 576 error = EHOSTUNREACH; 577 goto done; 578 } 579 m = m1; 580 if (m == NULL) 581 goto done; 582 ip = mtod(m, struct ip *); 583 } 584 #endif /* PFIL_HOOKS */ 585 586 /* 587 * Check with the firewall... 588 */ 589 if (fw_enable && IPFW_LOADED) { 590 struct sockaddr_in *old = dst; 591 592 off = ip_fw_chk_ptr(&ip, 593 hlen, ifp, &divert_cookie, &m, &rule, &dst); 594 /* 595 * On return we must do the following: 596 * m == NULL -> drop the pkt (old interface, deprecated) 597 * (off & 0x40000) -> drop the pkt (new interface) 598 * 1<=off<= 0xffff -> DIVERT 599 * (off & 0x10000) -> send to a DUMMYNET pipe 600 * (off & 0x20000) -> TEE the packet 601 * dst != old -> IPFIREWALL_FORWARD 602 * off==0, dst==old -> accept 603 * If some of the above modules is not compiled in, then 604 * we should't have to check the corresponding condition 605 * (because the ipfw control socket should not accept 606 * unsupported rules), but better play safe and drop 607 * packets in case of doubt. 608 */ 609 if (off & IP_FW_PORT_DENY_FLAG) { /* XXX new interface-denied */ 610 if (m) 611 m_freem(m); 612 error = EACCES ; 613 goto done; 614 } 615 if (!m) { /* firewall said to reject */ 616 static int __debug=10; 617 if (__debug >0) { 618 printf("firewall returns NULL, please update!\n"); 619 __debug-- ; 620 } 621 error = EACCES; 622 goto done; 623 } 624 if (off == 0 && dst == old) /* common case */ 625 goto pass ; 626 if (DUMMYNET_LOADED && (off & IP_FW_PORT_DYNT_FLAG) != 0) { 627 /* 628 * pass the pkt to dummynet. Need to include 629 * pipe number, m, ifp, ro, dst because these are 630 * not recomputed in the next pass. 631 * All other parameters have been already used and 632 * so they are not needed anymore. 633 * XXX note: if the ifp or ro entry are deleted 634 * while a pkt is in dummynet, we are in trouble! 635 */ 636 error = ip_dn_io_ptr(off & 0xffff, DN_TO_IP_OUT, m, 637 ifp,ro,dst,rule, flags); 638 goto done; 639 } 640 #ifdef IPDIVERT 641 if (off != 0 && (off & IP_FW_PORT_DYNT_FLAG) == 0) { 642 struct mbuf *clone = NULL; 643 644 /* Clone packet if we're doing a 'tee' */ 645 if ((off & IP_FW_PORT_TEE_FLAG) != 0) 646 clone = m_dup(m, M_DONTWAIT); 647 648 /* 649 * XXX 650 * delayed checksums are not currently compatible 651 * with divert sockets. 652 */ 653 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { 654 in_delayed_cksum(m); 655 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; 656 } 657 658 /* Restore packet header fields to original values */ 659 HTONS(ip->ip_len); 660 HTONS(ip->ip_off); 661 662 /* Deliver packet to divert input routine */ 663 ip_divert_cookie = divert_cookie; 664 divert_packet(m, 0, off & 0xffff); 665 666 /* If 'tee', continue with original packet */ 667 if (clone != NULL) { 668 m = clone; 669 ip = mtod(m, struct ip *); 670 goto pass; 671 } 672 goto done; 673 } 674 #endif 675 676 #ifdef IPFIREWALL_FORWARD 677 /* Here we check dst to make sure it's directly reachable on the 678 * interface we previously thought it was. 679 * If it isn't (which may be likely in some situations) we have 680 * to re-route it (ie, find a route for the next-hop and the 681 * associated interface) and set them here. This is nested 682 * forwarding which in most cases is undesirable, except where 683 * such control is nigh impossible. So we do it here. 684 * And I'm babbling. 685 */ 686 if (off == 0 && old != dst) { 687 struct in_ifaddr *ia; 688 689 /* It's changed... */ 690 /* There must be a better way to do this next line... */ 691 static struct route sro_fwd, *ro_fwd = &sro_fwd; 692 #ifdef IPFIREWALL_FORWARD_DEBUG 693 printf("IPFIREWALL_FORWARD: New dst ip: "); 694 print_ip(dst->sin_addr); 695 printf("\n"); 696 #endif 697 /* 698 * We need to figure out if we have been forwarded 699 * to a local socket. If so then we should somehow 700 * "loop back" to ip_input, and get directed to the 701 * PCB as if we had received this packet. This is 702 * because it may be dificult to identify the packets 703 * you want to forward until they are being output 704 * and have selected an interface. (e.g. locally 705 * initiated packets) If we used the loopback inteface, 706 * we would not be able to control what happens 707 * as the packet runs through ip_input() as 708 * it is done through a ISR. 709 */ 710 LIST_FOREACH(ia, 711 INADDR_HASH(dst->sin_addr.s_addr), ia_hash) { 712 /* 713 * If the addr to forward to is one 714 * of ours, we pretend to 715 * be the destination for this packet. 716 */ 717 if (IA_SIN(ia)->sin_addr.s_addr == 718 dst->sin_addr.s_addr) 719 break; 720 } 721 if (ia) { 722 /* tell ip_input "dont filter" */ 723 ip_fw_fwd_addr = dst; 724 if (m->m_pkthdr.rcvif == NULL) 725 m->m_pkthdr.rcvif = ifunit("lo0"); 726 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { 727 m->m_pkthdr.csum_flags |= 728 CSUM_DATA_VALID | CSUM_PSEUDO_HDR; 729 m0->m_pkthdr.csum_data = 0xffff; 730 } 731 m->m_pkthdr.csum_flags |= 732 CSUM_IP_CHECKED | CSUM_IP_VALID; 733 HTONS(ip->ip_len); 734 HTONS(ip->ip_off); 735 ip_input(m); 736 goto done; 737 } 738 /* Some of the logic for this was 739 * nicked from above. 740 * 741 * This rewrites the cached route in a local PCB. 742 * Is this what we want to do? 743 */ 744 bcopy(dst, &ro_fwd->ro_dst, sizeof(*dst)); 745 746 ro_fwd->ro_rt = 0; 747 rtalloc_ign(ro_fwd, RTF_PRCLONING); 748 749 if (ro_fwd->ro_rt == 0) { 750 ipstat.ips_noroute++; 751 error = EHOSTUNREACH; 752 goto bad; 753 } 754 755 ia = ifatoia(ro_fwd->ro_rt->rt_ifa); 756 ifp = ro_fwd->ro_rt->rt_ifp; 757 ro_fwd->ro_rt->rt_use++; 758 if (ro_fwd->ro_rt->rt_flags & RTF_GATEWAY) 759 dst = (struct sockaddr_in *)ro_fwd->ro_rt->rt_gateway; 760 if (ro_fwd->ro_rt->rt_flags & RTF_HOST) 761 isbroadcast = 762 (ro_fwd->ro_rt->rt_flags & RTF_BROADCAST); 763 else 764 isbroadcast = in_broadcast(dst->sin_addr, ifp); 765 RTFREE(ro->ro_rt); 766 ro->ro_rt = ro_fwd->ro_rt; 767 dst = (struct sockaddr_in *)&ro_fwd->ro_dst; 768 769 /* 770 * If we added a default src ip earlier, 771 * which would have been gotten from the-then 772 * interface, do it again, from the new one. 773 */ 774 if (fwd_rewrite_src) 775 ip->ip_src = IA_SIN(ia)->sin_addr; 776 goto pass ; 777 } 778 #endif /* IPFIREWALL_FORWARD */ 779 /* 780 * if we get here, none of the above matches, and 781 * we have to drop the pkt 782 */ 783 m_freem(m); 784 error = EACCES; /* not sure this is the right error msg */ 785 goto done; 786 } 787 788 pass: 789 m->m_pkthdr.csum_flags |= CSUM_IP; 790 sw_csum = m->m_pkthdr.csum_flags & ~ifp->if_hwassist; 791 if (sw_csum & CSUM_DELAY_DATA) { 792 in_delayed_cksum(m); 793 sw_csum &= ~CSUM_DELAY_DATA; 794 } 795 m->m_pkthdr.csum_flags &= ifp->if_hwassist; 796 797 /* 798 * If small enough for interface, or the interface will take 799 * care of the fragmentation for us, can just send directly. 800 */ 801 if ((u_short)ip->ip_len <= ifp->if_mtu || 802 ifp->if_hwassist & CSUM_FRAGMENT) { 803 HTONS(ip->ip_len); 804 HTONS(ip->ip_off); 805 ip->ip_sum = 0; 806 if (sw_csum & CSUM_DELAY_IP) { 807 if (ip->ip_vhl == IP_VHL_BORING) { 808 ip->ip_sum = in_cksum_hdr(ip); 809 } else { 810 ip->ip_sum = in_cksum(m, hlen); 811 } 812 } 813 814 /* Record statistics for this interface address. */ 815 if (!(flags & IP_FORWARDING) && ia) { 816 ia->ia_ifa.if_opackets++; 817 ia->ia_ifa.if_obytes += m->m_pkthdr.len; 818 } 819 820 #ifdef IPSEC 821 /* clean ipsec history once it goes out of the node */ 822 ipsec_delaux(m); 823 #endif 824 825 error = (*ifp->if_output)(ifp, m, 826 (struct sockaddr *)dst, ro->ro_rt); 827 goto done; 828 } 829 /* 830 * Too large for interface; fragment if possible. 831 * Must be able to put at least 8 bytes per fragment. 832 */ 833 if (ip->ip_off & IP_DF) { 834 error = EMSGSIZE; 835 /* 836 * This case can happen if the user changed the MTU 837 * of an interface after enabling IP on it. Because 838 * most netifs don't keep track of routes pointing to 839 * them, there is no way for one to update all its 840 * routes when the MTU is changed. 841 */ 842 if ((ro->ro_rt->rt_flags & (RTF_UP | RTF_HOST)) 843 && !(ro->ro_rt->rt_rmx.rmx_locks & RTV_MTU) 844 && (ro->ro_rt->rt_rmx.rmx_mtu > ifp->if_mtu)) { 845 ro->ro_rt->rt_rmx.rmx_mtu = ifp->if_mtu; 846 } 847 ipstat.ips_cantfrag++; 848 goto bad; 849 } 850 len = (ifp->if_mtu - hlen) &~ 7; 851 if (len < 8) { 852 error = EMSGSIZE; 853 goto bad; 854 } 855 856 /* 857 * if the interface will not calculate checksums on 858 * fragmented packets, then do it here. 859 */ 860 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA && 861 (ifp->if_hwassist & CSUM_IP_FRAGS) == 0) { 862 in_delayed_cksum(m); 863 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; 864 } 865 866 { 867 int mhlen, firstlen = len; 868 struct mbuf **mnext = &m->m_nextpkt; 869 int nfrags = 1; 870 871 /* 872 * Loop through length of segment after first fragment, 873 * make new header and copy data of each part and link onto chain. 874 */ 875 m0 = m; 876 mhlen = sizeof (struct ip); 877 for (off = hlen + len; off < (u_short)ip->ip_len; off += len) { 878 MGETHDR(m, M_DONTWAIT, MT_HEADER); 879 if (m == 0) { 880 error = ENOBUFS; 881 ipstat.ips_odropped++; 882 goto sendorfree; 883 } 884 m->m_flags |= (m0->m_flags & M_MCAST) | M_FRAG; 885 m->m_data += max_linkhdr; 886 mhip = mtod(m, struct ip *); 887 *mhip = *ip; 888 if (hlen > sizeof (struct ip)) { 889 mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip); 890 mhip->ip_vhl = IP_MAKE_VHL(IPVERSION, mhlen >> 2); 891 } 892 m->m_len = mhlen; 893 mhip->ip_off = ((off - hlen) >> 3) + ip->ip_off; 894 if (off + len >= (u_short)ip->ip_len) 895 len = (u_short)ip->ip_len - off; 896 else 897 mhip->ip_off |= IP_MF; 898 mhip->ip_len = htons((u_short)(len + mhlen)); 899 m->m_next = m_copy(m0, off, len); 900 if (m->m_next == 0) { 901 (void) m_free(m); 902 error = ENOBUFS; /* ??? */ 903 ipstat.ips_odropped++; 904 goto sendorfree; 905 } 906 m->m_pkthdr.len = mhlen + len; 907 m->m_pkthdr.rcvif = (struct ifnet *)0; 908 m->m_pkthdr.csum_flags = m0->m_pkthdr.csum_flags; 909 HTONS(mhip->ip_off); 910 mhip->ip_sum = 0; 911 if (sw_csum & CSUM_DELAY_IP) { 912 if (mhip->ip_vhl == IP_VHL_BORING) { 913 mhip->ip_sum = in_cksum_hdr(mhip); 914 } else { 915 mhip->ip_sum = in_cksum(m, mhlen); 916 } 917 } 918 *mnext = m; 919 mnext = &m->m_nextpkt; 920 nfrags++; 921 } 922 ipstat.ips_ofragments += nfrags; 923 924 /* set first/last markers for fragment chain */ 925 m->m_flags |= M_LASTFRAG; 926 m0->m_flags |= M_FIRSTFRAG | M_FRAG; 927 m0->m_pkthdr.csum_data = nfrags; 928 929 /* 930 * Update first fragment by trimming what's been copied out 931 * and updating header, then send each fragment (in order). 932 */ 933 m = m0; 934 m_adj(m, hlen + firstlen - (u_short)ip->ip_len); 935 m->m_pkthdr.len = hlen + firstlen; 936 ip->ip_len = htons((u_short)m->m_pkthdr.len); 937 ip->ip_off |= IP_MF; 938 HTONS(ip->ip_off); 939 ip->ip_sum = 0; 940 if (sw_csum & CSUM_DELAY_IP) { 941 if (ip->ip_vhl == IP_VHL_BORING) { 942 ip->ip_sum = in_cksum_hdr(ip); 943 } else { 944 ip->ip_sum = in_cksum(m, hlen); 945 } 946 } 947 sendorfree: 948 for (m = m0; m; m = m0) { 949 m0 = m->m_nextpkt; 950 m->m_nextpkt = 0; 951 #ifdef IPSEC 952 /* clean ipsec history once it goes out of the node */ 953 ipsec_delaux(m); 954 #endif 955 if (error == 0) { 956 /* Record statistics for this interface address. */ 957 if (ia != NULL) { 958 ia->ia_ifa.if_opackets++; 959 ia->ia_ifa.if_obytes += m->m_pkthdr.len; 960 } 961 962 error = (*ifp->if_output)(ifp, m, 963 (struct sockaddr *)dst, ro->ro_rt); 964 } else 965 m_freem(m); 966 } 967 968 if (error == 0) 969 ipstat.ips_fragmented++; 970 } 971 done: 972 #ifdef IPSEC 973 if (ro == &iproute && ro->ro_rt) { 974 RTFREE(ro->ro_rt); 975 ro->ro_rt = NULL; 976 } 977 if (sp != NULL) { 978 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 979 printf("DP ip_output call free SP:%p\n", sp)); 980 key_freesp(sp); 981 } 982 #endif /* IPSEC */ 983 return (error); 984 bad: 985 m_freem(m); 986 goto done; 987 } 988 989 void 990 in_delayed_cksum(struct mbuf *m) 991 { 992 struct ip *ip; 993 u_short csum, offset; 994 995 ip = mtod(m, struct ip *); 996 offset = IP_VHL_HL(ip->ip_vhl) << 2 ; 997 csum = in_cksum_skip(m, ip->ip_len, offset); 998 if (m->m_pkthdr.csum_flags & CSUM_UDP && csum == 0) 999 csum = 0xffff; 1000 offset += m->m_pkthdr.csum_data; /* checksum offset */ 1001 1002 if (offset + sizeof(u_short) > m->m_len) { 1003 printf("delayed m_pullup, m->len: %d off: %d p: %d\n", 1004 m->m_len, offset, ip->ip_p); 1005 /* 1006 * XXX 1007 * this shouldn't happen, but if it does, the 1008 * correct behavior may be to insert the checksum 1009 * in the existing chain instead of rearranging it. 1010 */ 1011 m = m_pullup(m, offset + sizeof(u_short)); 1012 } 1013 *(u_short *)(m->m_data + offset) = csum; 1014 } 1015 1016 /* 1017 * Insert IP options into preformed packet. 1018 * Adjust IP destination as required for IP source routing, 1019 * as indicated by a non-zero in_addr at the start of the options. 1020 * 1021 * XXX This routine assumes that the packet has no options in place. 1022 */ 1023 static struct mbuf * 1024 ip_insertoptions(m, opt, phlen) 1025 register struct mbuf *m; 1026 struct mbuf *opt; 1027 int *phlen; 1028 { 1029 register struct ipoption *p = mtod(opt, struct ipoption *); 1030 struct mbuf *n; 1031 register struct ip *ip = mtod(m, struct ip *); 1032 unsigned optlen; 1033 1034 optlen = opt->m_len - sizeof(p->ipopt_dst); 1035 if (optlen + (u_short)ip->ip_len > IP_MAXPACKET) 1036 return (m); /* XXX should fail */ 1037 if (p->ipopt_dst.s_addr) 1038 ip->ip_dst = p->ipopt_dst; 1039 if (m->m_flags & M_EXT || m->m_data - optlen < m->m_pktdat) { 1040 MGETHDR(n, M_DONTWAIT, MT_HEADER); 1041 if (n == 0) 1042 return (m); 1043 n->m_pkthdr.rcvif = (struct ifnet *)0; 1044 n->m_pkthdr.len = m->m_pkthdr.len + optlen; 1045 m->m_len -= sizeof(struct ip); 1046 m->m_data += sizeof(struct ip); 1047 n->m_next = m; 1048 m = n; 1049 m->m_len = optlen + sizeof(struct ip); 1050 m->m_data += max_linkhdr; 1051 (void)memcpy(mtod(m, void *), ip, sizeof(struct ip)); 1052 } else { 1053 m->m_data -= optlen; 1054 m->m_len += optlen; 1055 m->m_pkthdr.len += optlen; 1056 ovbcopy((caddr_t)ip, mtod(m, caddr_t), sizeof(struct ip)); 1057 } 1058 ip = mtod(m, struct ip *); 1059 bcopy(p->ipopt_list, ip + 1, optlen); 1060 *phlen = sizeof(struct ip) + optlen; 1061 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, *phlen >> 2); 1062 ip->ip_len += optlen; 1063 return (m); 1064 } 1065 1066 /* 1067 * Copy options from ip to jp, 1068 * omitting those not copied during fragmentation. 1069 */ 1070 int 1071 ip_optcopy(ip, jp) 1072 struct ip *ip, *jp; 1073 { 1074 register u_char *cp, *dp; 1075 int opt, optlen, cnt; 1076 1077 cp = (u_char *)(ip + 1); 1078 dp = (u_char *)(jp + 1); 1079 cnt = (IP_VHL_HL(ip->ip_vhl) << 2) - sizeof (struct ip); 1080 for (; cnt > 0; cnt -= optlen, cp += optlen) { 1081 opt = cp[0]; 1082 if (opt == IPOPT_EOL) 1083 break; 1084 if (opt == IPOPT_NOP) { 1085 /* Preserve for IP mcast tunnel's LSRR alignment. */ 1086 *dp++ = IPOPT_NOP; 1087 optlen = 1; 1088 continue; 1089 } 1090 #ifdef DIAGNOSTIC 1091 if (cnt < IPOPT_OLEN + sizeof(*cp)) 1092 panic("malformed IPv4 option passed to ip_optcopy"); 1093 #endif 1094 optlen = cp[IPOPT_OLEN]; 1095 #ifdef DIAGNOSTIC 1096 if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) 1097 panic("malformed IPv4 option passed to ip_optcopy"); 1098 #endif 1099 /* bogus lengths should have been caught by ip_dooptions */ 1100 if (optlen > cnt) 1101 optlen = cnt; 1102 if (IPOPT_COPIED(opt)) { 1103 bcopy(cp, dp, optlen); 1104 dp += optlen; 1105 } 1106 } 1107 for (optlen = dp - (u_char *)(jp+1); optlen & 0x3; optlen++) 1108 *dp++ = IPOPT_EOL; 1109 return (optlen); 1110 } 1111 1112 /* 1113 * IP socket option processing. 1114 */ 1115 int 1116 ip_ctloutput(so, sopt) 1117 struct socket *so; 1118 struct sockopt *sopt; 1119 { 1120 struct inpcb *inp = sotoinpcb(so); 1121 int error, optval; 1122 1123 error = optval = 0; 1124 if (sopt->sopt_level != IPPROTO_IP) { 1125 return (EINVAL); 1126 } 1127 1128 switch (sopt->sopt_dir) { 1129 case SOPT_SET: 1130 switch (sopt->sopt_name) { 1131 case IP_OPTIONS: 1132 #ifdef notyet 1133 case IP_RETOPTS: 1134 #endif 1135 { 1136 struct mbuf *m; 1137 if (sopt->sopt_valsize > MLEN) { 1138 error = EMSGSIZE; 1139 break; 1140 } 1141 MGET(m, sopt->sopt_td ? M_TRYWAIT : M_DONTWAIT, MT_HEADER); 1142 if (m == 0) { 1143 error = ENOBUFS; 1144 break; 1145 } 1146 m->m_len = sopt->sopt_valsize; 1147 error = sooptcopyin(sopt, mtod(m, char *), m->m_len, 1148 m->m_len); 1149 1150 return (ip_pcbopts(sopt->sopt_name, &inp->inp_options, 1151 m)); 1152 } 1153 1154 case IP_TOS: 1155 case IP_TTL: 1156 case IP_RECVOPTS: 1157 case IP_RECVRETOPTS: 1158 case IP_RECVDSTADDR: 1159 case IP_RECVIF: 1160 case IP_FAITH: 1161 error = sooptcopyin(sopt, &optval, sizeof optval, 1162 sizeof optval); 1163 if (error) 1164 break; 1165 1166 switch (sopt->sopt_name) { 1167 case IP_TOS: 1168 inp->inp_ip_tos = optval; 1169 break; 1170 1171 case IP_TTL: 1172 inp->inp_ip_ttl = optval; 1173 break; 1174 #define OPTSET(bit) \ 1175 if (optval) \ 1176 inp->inp_flags |= bit; \ 1177 else \ 1178 inp->inp_flags &= ~bit; 1179 1180 case IP_RECVOPTS: 1181 OPTSET(INP_RECVOPTS); 1182 break; 1183 1184 case IP_RECVRETOPTS: 1185 OPTSET(INP_RECVRETOPTS); 1186 break; 1187 1188 case IP_RECVDSTADDR: 1189 OPTSET(INP_RECVDSTADDR); 1190 break; 1191 1192 case IP_RECVIF: 1193 OPTSET(INP_RECVIF); 1194 break; 1195 1196 case IP_FAITH: 1197 OPTSET(INP_FAITH); 1198 break; 1199 } 1200 break; 1201 #undef OPTSET 1202 1203 case IP_MULTICAST_IF: 1204 case IP_MULTICAST_VIF: 1205 case IP_MULTICAST_TTL: 1206 case IP_MULTICAST_LOOP: 1207 case IP_ADD_MEMBERSHIP: 1208 case IP_DROP_MEMBERSHIP: 1209 error = ip_setmoptions(sopt, &inp->inp_moptions); 1210 break; 1211 1212 case IP_PORTRANGE: 1213 error = sooptcopyin(sopt, &optval, sizeof optval, 1214 sizeof optval); 1215 if (error) 1216 break; 1217 1218 switch (optval) { 1219 case IP_PORTRANGE_DEFAULT: 1220 inp->inp_flags &= ~(INP_LOWPORT); 1221 inp->inp_flags &= ~(INP_HIGHPORT); 1222 break; 1223 1224 case IP_PORTRANGE_HIGH: 1225 inp->inp_flags &= ~(INP_LOWPORT); 1226 inp->inp_flags |= INP_HIGHPORT; 1227 break; 1228 1229 case IP_PORTRANGE_LOW: 1230 inp->inp_flags &= ~(INP_HIGHPORT); 1231 inp->inp_flags |= INP_LOWPORT; 1232 break; 1233 1234 default: 1235 error = EINVAL; 1236 break; 1237 } 1238 break; 1239 1240 #ifdef IPSEC 1241 case IP_IPSEC_POLICY: 1242 { 1243 caddr_t req; 1244 size_t len = 0; 1245 int priv; 1246 struct mbuf *m; 1247 int optname; 1248 1249 if ((error = soopt_getm(sopt, &m)) != 0) /* XXX */ 1250 break; 1251 if ((error = soopt_mcopyin(sopt, m)) != 0) /* XXX */ 1252 break; 1253 priv = (sopt->sopt_td != NULL && 1254 suser_td(sopt->sopt_td) != 0) ? 0 : 1; 1255 req = mtod(m, caddr_t); 1256 len = m->m_len; 1257 optname = sopt->sopt_name; 1258 error = ipsec4_set_policy(inp, optname, req, len, priv); 1259 m_freem(m); 1260 break; 1261 } 1262 #endif /*IPSEC*/ 1263 1264 default: 1265 error = ENOPROTOOPT; 1266 break; 1267 } 1268 break; 1269 1270 case SOPT_GET: 1271 switch (sopt->sopt_name) { 1272 case IP_OPTIONS: 1273 case IP_RETOPTS: 1274 if (inp->inp_options) 1275 error = sooptcopyout(sopt, 1276 mtod(inp->inp_options, 1277 char *), 1278 inp->inp_options->m_len); 1279 else 1280 sopt->sopt_valsize = 0; 1281 break; 1282 1283 case IP_TOS: 1284 case IP_TTL: 1285 case IP_RECVOPTS: 1286 case IP_RECVRETOPTS: 1287 case IP_RECVDSTADDR: 1288 case IP_RECVIF: 1289 case IP_PORTRANGE: 1290 case IP_FAITH: 1291 switch (sopt->sopt_name) { 1292 1293 case IP_TOS: 1294 optval = inp->inp_ip_tos; 1295 break; 1296 1297 case IP_TTL: 1298 optval = inp->inp_ip_ttl; 1299 break; 1300 1301 #define OPTBIT(bit) (inp->inp_flags & bit ? 1 : 0) 1302 1303 case IP_RECVOPTS: 1304 optval = OPTBIT(INP_RECVOPTS); 1305 break; 1306 1307 case IP_RECVRETOPTS: 1308 optval = OPTBIT(INP_RECVRETOPTS); 1309 break; 1310 1311 case IP_RECVDSTADDR: 1312 optval = OPTBIT(INP_RECVDSTADDR); 1313 break; 1314 1315 case IP_RECVIF: 1316 optval = OPTBIT(INP_RECVIF); 1317 break; 1318 1319 case IP_PORTRANGE: 1320 if (inp->inp_flags & INP_HIGHPORT) 1321 optval = IP_PORTRANGE_HIGH; 1322 else if (inp->inp_flags & INP_LOWPORT) 1323 optval = IP_PORTRANGE_LOW; 1324 else 1325 optval = 0; 1326 break; 1327 1328 case IP_FAITH: 1329 optval = OPTBIT(INP_FAITH); 1330 break; 1331 } 1332 error = sooptcopyout(sopt, &optval, sizeof optval); 1333 break; 1334 1335 case IP_MULTICAST_IF: 1336 case IP_MULTICAST_VIF: 1337 case IP_MULTICAST_TTL: 1338 case IP_MULTICAST_LOOP: 1339 case IP_ADD_MEMBERSHIP: 1340 case IP_DROP_MEMBERSHIP: 1341 error = ip_getmoptions(sopt, inp->inp_moptions); 1342 break; 1343 1344 #ifdef IPSEC 1345 case IP_IPSEC_POLICY: 1346 { 1347 struct mbuf *m = NULL; 1348 caddr_t req = NULL; 1349 size_t len = 0; 1350 1351 if (m != 0) { 1352 req = mtod(m, caddr_t); 1353 len = m->m_len; 1354 } 1355 error = ipsec4_get_policy(sotoinpcb(so), req, len, &m); 1356 if (error == 0) 1357 error = soopt_mcopyout(sopt, m); /* XXX */ 1358 if (error == 0) 1359 m_freem(m); 1360 break; 1361 } 1362 #endif /*IPSEC*/ 1363 1364 default: 1365 error = ENOPROTOOPT; 1366 break; 1367 } 1368 break; 1369 } 1370 return (error); 1371 } 1372 1373 /* 1374 * Set up IP options in pcb for insertion in output packets. 1375 * Store in mbuf with pointer in pcbopt, adding pseudo-option 1376 * with destination address if source routed. 1377 */ 1378 static int 1379 ip_pcbopts(optname, pcbopt, m) 1380 int optname; 1381 struct mbuf **pcbopt; 1382 register struct mbuf *m; 1383 { 1384 register int cnt, optlen; 1385 register u_char *cp; 1386 u_char opt; 1387 1388 /* turn off any old options */ 1389 if (*pcbopt) 1390 (void)m_free(*pcbopt); 1391 *pcbopt = 0; 1392 if (m == (struct mbuf *)0 || m->m_len == 0) { 1393 /* 1394 * Only turning off any previous options. 1395 */ 1396 if (m) 1397 (void)m_free(m); 1398 return (0); 1399 } 1400 1401 if (m->m_len % sizeof(int32_t)) 1402 goto bad; 1403 /* 1404 * IP first-hop destination address will be stored before 1405 * actual options; move other options back 1406 * and clear it when none present. 1407 */ 1408 if (m->m_data + m->m_len + sizeof(struct in_addr) >= &m->m_dat[MLEN]) 1409 goto bad; 1410 cnt = m->m_len; 1411 m->m_len += sizeof(struct in_addr); 1412 cp = mtod(m, u_char *) + sizeof(struct in_addr); 1413 ovbcopy(mtod(m, caddr_t), (caddr_t)cp, (unsigned)cnt); 1414 bzero(mtod(m, caddr_t), sizeof(struct in_addr)); 1415 1416 for (; cnt > 0; cnt -= optlen, cp += optlen) { 1417 opt = cp[IPOPT_OPTVAL]; 1418 if (opt == IPOPT_EOL) 1419 break; 1420 if (opt == IPOPT_NOP) 1421 optlen = 1; 1422 else { 1423 if (cnt < IPOPT_OLEN + sizeof(*cp)) 1424 goto bad; 1425 optlen = cp[IPOPT_OLEN]; 1426 if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) 1427 goto bad; 1428 } 1429 switch (opt) { 1430 1431 default: 1432 break; 1433 1434 case IPOPT_LSRR: 1435 case IPOPT_SSRR: 1436 /* 1437 * user process specifies route as: 1438 * ->A->B->C->D 1439 * D must be our final destination (but we can't 1440 * check that since we may not have connected yet). 1441 * A is first hop destination, which doesn't appear in 1442 * actual IP option, but is stored before the options. 1443 */ 1444 if (optlen < IPOPT_MINOFF - 1 + sizeof(struct in_addr)) 1445 goto bad; 1446 m->m_len -= sizeof(struct in_addr); 1447 cnt -= sizeof(struct in_addr); 1448 optlen -= sizeof(struct in_addr); 1449 cp[IPOPT_OLEN] = optlen; 1450 /* 1451 * Move first hop before start of options. 1452 */ 1453 bcopy((caddr_t)&cp[IPOPT_OFFSET+1], mtod(m, caddr_t), 1454 sizeof(struct in_addr)); 1455 /* 1456 * Then copy rest of options back 1457 * to close up the deleted entry. 1458 */ 1459 ovbcopy((caddr_t)(&cp[IPOPT_OFFSET+1] + 1460 sizeof(struct in_addr)), 1461 (caddr_t)&cp[IPOPT_OFFSET+1], 1462 (unsigned)cnt + sizeof(struct in_addr)); 1463 break; 1464 } 1465 } 1466 if (m->m_len > MAX_IPOPTLEN + sizeof(struct in_addr)) 1467 goto bad; 1468 *pcbopt = m; 1469 return (0); 1470 1471 bad: 1472 (void)m_free(m); 1473 return (EINVAL); 1474 } 1475 1476 /* 1477 * XXX 1478 * The whole multicast option thing needs to be re-thought. 1479 * Several of these options are equally applicable to non-multicast 1480 * transmission, and one (IP_MULTICAST_TTL) totally duplicates a 1481 * standard option (IP_TTL). 1482 */ 1483 1484 /* 1485 * following RFC1724 section 3.3, 0.0.0.0/8 is interpreted as interface index. 1486 */ 1487 static struct ifnet * 1488 ip_multicast_if(a, ifindexp) 1489 struct in_addr *a; 1490 int *ifindexp; 1491 { 1492 int ifindex; 1493 struct ifnet *ifp; 1494 1495 if (ifindexp) 1496 *ifindexp = 0; 1497 if (ntohl(a->s_addr) >> 24 == 0) { 1498 ifindex = ntohl(a->s_addr) & 0xffffff; 1499 if (ifindex < 0 || if_index < ifindex) 1500 return NULL; 1501 ifp = ifnet_byindex(ifindex); 1502 if (ifindexp) 1503 *ifindexp = ifindex; 1504 } else { 1505 INADDR_TO_IFP(*a, ifp); 1506 } 1507 return ifp; 1508 } 1509 1510 /* 1511 * Set the IP multicast options in response to user setsockopt(). 1512 */ 1513 static int 1514 ip_setmoptions(sopt, imop) 1515 struct sockopt *sopt; 1516 struct ip_moptions **imop; 1517 { 1518 int error = 0; 1519 int i; 1520 struct in_addr addr; 1521 struct ip_mreq mreq; 1522 struct ifnet *ifp; 1523 struct ip_moptions *imo = *imop; 1524 struct route ro; 1525 struct sockaddr_in *dst; 1526 int ifindex; 1527 int s; 1528 1529 if (imo == NULL) { 1530 /* 1531 * No multicast option buffer attached to the pcb; 1532 * allocate one and initialize to default values. 1533 */ 1534 imo = (struct ip_moptions*)malloc(sizeof(*imo), M_IPMOPTS, 1535 M_WAITOK); 1536 1537 if (imo == NULL) 1538 return (ENOBUFS); 1539 *imop = imo; 1540 imo->imo_multicast_ifp = NULL; 1541 imo->imo_multicast_addr.s_addr = INADDR_ANY; 1542 imo->imo_multicast_vif = -1; 1543 imo->imo_multicast_ttl = IP_DEFAULT_MULTICAST_TTL; 1544 imo->imo_multicast_loop = IP_DEFAULT_MULTICAST_LOOP; 1545 imo->imo_num_memberships = 0; 1546 } 1547 1548 switch (sopt->sopt_name) { 1549 /* store an index number for the vif you wanna use in the send */ 1550 case IP_MULTICAST_VIF: 1551 if (legal_vif_num == 0) { 1552 error = EOPNOTSUPP; 1553 break; 1554 } 1555 error = sooptcopyin(sopt, &i, sizeof i, sizeof i); 1556 if (error) 1557 break; 1558 if (!legal_vif_num(i) && (i != -1)) { 1559 error = EINVAL; 1560 break; 1561 } 1562 imo->imo_multicast_vif = i; 1563 break; 1564 1565 case IP_MULTICAST_IF: 1566 /* 1567 * Select the interface for outgoing multicast packets. 1568 */ 1569 error = sooptcopyin(sopt, &addr, sizeof addr, sizeof addr); 1570 if (error) 1571 break; 1572 /* 1573 * INADDR_ANY is used to remove a previous selection. 1574 * When no interface is selected, a default one is 1575 * chosen every time a multicast packet is sent. 1576 */ 1577 if (addr.s_addr == INADDR_ANY) { 1578 imo->imo_multicast_ifp = NULL; 1579 break; 1580 } 1581 /* 1582 * The selected interface is identified by its local 1583 * IP address. Find the interface and confirm that 1584 * it supports multicasting. 1585 */ 1586 s = splimp(); 1587 ifp = ip_multicast_if(&addr, &ifindex); 1588 if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0) { 1589 splx(s); 1590 error = EADDRNOTAVAIL; 1591 break; 1592 } 1593 imo->imo_multicast_ifp = ifp; 1594 if (ifindex) 1595 imo->imo_multicast_addr = addr; 1596 else 1597 imo->imo_multicast_addr.s_addr = INADDR_ANY; 1598 splx(s); 1599 break; 1600 1601 case IP_MULTICAST_TTL: 1602 /* 1603 * Set the IP time-to-live for outgoing multicast packets. 1604 * The original multicast API required a char argument, 1605 * which is inconsistent with the rest of the socket API. 1606 * We allow either a char or an int. 1607 */ 1608 if (sopt->sopt_valsize == 1) { 1609 u_char ttl; 1610 error = sooptcopyin(sopt, &ttl, 1, 1); 1611 if (error) 1612 break; 1613 imo->imo_multicast_ttl = ttl; 1614 } else { 1615 u_int ttl; 1616 error = sooptcopyin(sopt, &ttl, sizeof ttl, 1617 sizeof ttl); 1618 if (error) 1619 break; 1620 if (ttl > 255) 1621 error = EINVAL; 1622 else 1623 imo->imo_multicast_ttl = ttl; 1624 } 1625 break; 1626 1627 case IP_MULTICAST_LOOP: 1628 /* 1629 * Set the loopback flag for outgoing multicast packets. 1630 * Must be zero or one. The original multicast API required a 1631 * char argument, which is inconsistent with the rest 1632 * of the socket API. We allow either a char or an int. 1633 */ 1634 if (sopt->sopt_valsize == 1) { 1635 u_char loop; 1636 error = sooptcopyin(sopt, &loop, 1, 1); 1637 if (error) 1638 break; 1639 imo->imo_multicast_loop = !!loop; 1640 } else { 1641 u_int loop; 1642 error = sooptcopyin(sopt, &loop, sizeof loop, 1643 sizeof loop); 1644 if (error) 1645 break; 1646 imo->imo_multicast_loop = !!loop; 1647 } 1648 break; 1649 1650 case IP_ADD_MEMBERSHIP: 1651 /* 1652 * Add a multicast group membership. 1653 * Group must be a valid IP multicast address. 1654 */ 1655 error = sooptcopyin(sopt, &mreq, sizeof mreq, sizeof mreq); 1656 if (error) 1657 break; 1658 1659 if (!IN_MULTICAST(ntohl(mreq.imr_multiaddr.s_addr))) { 1660 error = EINVAL; 1661 break; 1662 } 1663 s = splimp(); 1664 /* 1665 * If no interface address was provided, use the interface of 1666 * the route to the given multicast address. 1667 */ 1668 if (mreq.imr_interface.s_addr == INADDR_ANY) { 1669 bzero((caddr_t)&ro, sizeof(ro)); 1670 dst = (struct sockaddr_in *)&ro.ro_dst; 1671 dst->sin_len = sizeof(*dst); 1672 dst->sin_family = AF_INET; 1673 dst->sin_addr = mreq.imr_multiaddr; 1674 rtalloc(&ro); 1675 if (ro.ro_rt == NULL) { 1676 error = EADDRNOTAVAIL; 1677 splx(s); 1678 break; 1679 } 1680 ifp = ro.ro_rt->rt_ifp; 1681 rtfree(ro.ro_rt); 1682 } 1683 else { 1684 ifp = ip_multicast_if(&mreq.imr_interface, NULL); 1685 } 1686 1687 /* 1688 * See if we found an interface, and confirm that it 1689 * supports multicast. 1690 */ 1691 if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0) { 1692 error = EADDRNOTAVAIL; 1693 splx(s); 1694 break; 1695 } 1696 /* 1697 * See if the membership already exists or if all the 1698 * membership slots are full. 1699 */ 1700 for (i = 0; i < imo->imo_num_memberships; ++i) { 1701 if (imo->imo_membership[i]->inm_ifp == ifp && 1702 imo->imo_membership[i]->inm_addr.s_addr 1703 == mreq.imr_multiaddr.s_addr) 1704 break; 1705 } 1706 if (i < imo->imo_num_memberships) { 1707 error = EADDRINUSE; 1708 splx(s); 1709 break; 1710 } 1711 if (i == IP_MAX_MEMBERSHIPS) { 1712 error = ETOOMANYREFS; 1713 splx(s); 1714 break; 1715 } 1716 /* 1717 * Everything looks good; add a new record to the multicast 1718 * address list for the given interface. 1719 */ 1720 if ((imo->imo_membership[i] = 1721 in_addmulti(&mreq.imr_multiaddr, ifp)) == NULL) { 1722 error = ENOBUFS; 1723 splx(s); 1724 break; 1725 } 1726 ++imo->imo_num_memberships; 1727 splx(s); 1728 break; 1729 1730 case IP_DROP_MEMBERSHIP: 1731 /* 1732 * Drop a multicast group membership. 1733 * Group must be a valid IP multicast address. 1734 */ 1735 error = sooptcopyin(sopt, &mreq, sizeof mreq, sizeof mreq); 1736 if (error) 1737 break; 1738 1739 if (!IN_MULTICAST(ntohl(mreq.imr_multiaddr.s_addr))) { 1740 error = EINVAL; 1741 break; 1742 } 1743 1744 s = splimp(); 1745 /* 1746 * If an interface address was specified, get a pointer 1747 * to its ifnet structure. 1748 */ 1749 if (mreq.imr_interface.s_addr == INADDR_ANY) 1750 ifp = NULL; 1751 else { 1752 ifp = ip_multicast_if(&mreq.imr_interface, NULL); 1753 if (ifp == NULL) { 1754 error = EADDRNOTAVAIL; 1755 splx(s); 1756 break; 1757 } 1758 } 1759 /* 1760 * Find the membership in the membership array. 1761 */ 1762 for (i = 0; i < imo->imo_num_memberships; ++i) { 1763 if ((ifp == NULL || 1764 imo->imo_membership[i]->inm_ifp == ifp) && 1765 imo->imo_membership[i]->inm_addr.s_addr == 1766 mreq.imr_multiaddr.s_addr) 1767 break; 1768 } 1769 if (i == imo->imo_num_memberships) { 1770 error = EADDRNOTAVAIL; 1771 splx(s); 1772 break; 1773 } 1774 /* 1775 * Give up the multicast address record to which the 1776 * membership points. 1777 */ 1778 in_delmulti(imo->imo_membership[i]); 1779 /* 1780 * Remove the gap in the membership array. 1781 */ 1782 for (++i; i < imo->imo_num_memberships; ++i) 1783 imo->imo_membership[i-1] = imo->imo_membership[i]; 1784 --imo->imo_num_memberships; 1785 splx(s); 1786 break; 1787 1788 default: 1789 error = EOPNOTSUPP; 1790 break; 1791 } 1792 1793 /* 1794 * If all options have default values, no need to keep the mbuf. 1795 */ 1796 if (imo->imo_multicast_ifp == NULL && 1797 imo->imo_multicast_vif == -1 && 1798 imo->imo_multicast_ttl == IP_DEFAULT_MULTICAST_TTL && 1799 imo->imo_multicast_loop == IP_DEFAULT_MULTICAST_LOOP && 1800 imo->imo_num_memberships == 0) { 1801 free(*imop, M_IPMOPTS); 1802 *imop = NULL; 1803 } 1804 1805 return (error); 1806 } 1807 1808 /* 1809 * Return the IP multicast options in response to user getsockopt(). 1810 */ 1811 static int 1812 ip_getmoptions(sopt, imo) 1813 struct sockopt *sopt; 1814 register struct ip_moptions *imo; 1815 { 1816 struct in_addr addr; 1817 struct in_ifaddr *ia; 1818 int error, optval; 1819 u_char coptval; 1820 1821 error = 0; 1822 switch (sopt->sopt_name) { 1823 case IP_MULTICAST_VIF: 1824 if (imo != NULL) 1825 optval = imo->imo_multicast_vif; 1826 else 1827 optval = -1; 1828 error = sooptcopyout(sopt, &optval, sizeof optval); 1829 break; 1830 1831 case IP_MULTICAST_IF: 1832 if (imo == NULL || imo->imo_multicast_ifp == NULL) 1833 addr.s_addr = INADDR_ANY; 1834 else if (imo->imo_multicast_addr.s_addr) { 1835 /* return the value user has set */ 1836 addr = imo->imo_multicast_addr; 1837 } else { 1838 IFP_TO_IA(imo->imo_multicast_ifp, ia); 1839 addr.s_addr = (ia == NULL) ? INADDR_ANY 1840 : IA_SIN(ia)->sin_addr.s_addr; 1841 } 1842 error = sooptcopyout(sopt, &addr, sizeof addr); 1843 break; 1844 1845 case IP_MULTICAST_TTL: 1846 if (imo == 0) 1847 optval = coptval = IP_DEFAULT_MULTICAST_TTL; 1848 else 1849 optval = coptval = imo->imo_multicast_ttl; 1850 if (sopt->sopt_valsize == 1) 1851 error = sooptcopyout(sopt, &coptval, 1); 1852 else 1853 error = sooptcopyout(sopt, &optval, sizeof optval); 1854 break; 1855 1856 case IP_MULTICAST_LOOP: 1857 if (imo == 0) 1858 optval = coptval = IP_DEFAULT_MULTICAST_LOOP; 1859 else 1860 optval = coptval = imo->imo_multicast_loop; 1861 if (sopt->sopt_valsize == 1) 1862 error = sooptcopyout(sopt, &coptval, 1); 1863 else 1864 error = sooptcopyout(sopt, &optval, sizeof optval); 1865 break; 1866 1867 default: 1868 error = ENOPROTOOPT; 1869 break; 1870 } 1871 return (error); 1872 } 1873 1874 /* 1875 * Discard the IP multicast options. 1876 */ 1877 void 1878 ip_freemoptions(imo) 1879 register struct ip_moptions *imo; 1880 { 1881 register int i; 1882 1883 if (imo != NULL) { 1884 for (i = 0; i < imo->imo_num_memberships; ++i) 1885 in_delmulti(imo->imo_membership[i]); 1886 free(imo, M_IPMOPTS); 1887 } 1888 } 1889 1890 /* 1891 * Routine called from ip_output() to loop back a copy of an IP multicast 1892 * packet to the input queue of a specified interface. Note that this 1893 * calls the output routine of the loopback "driver", but with an interface 1894 * pointer that might NOT be a loopback interface -- evil, but easier than 1895 * replicating that code here. 1896 */ 1897 static void 1898 ip_mloopback(ifp, m, dst, hlen) 1899 struct ifnet *ifp; 1900 register struct mbuf *m; 1901 register struct sockaddr_in *dst; 1902 int hlen; 1903 { 1904 register struct ip *ip; 1905 struct mbuf *copym; 1906 1907 copym = m_copy(m, 0, M_COPYALL); 1908 if (copym != NULL && (copym->m_flags & M_EXT || copym->m_len < hlen)) 1909 copym = m_pullup(copym, hlen); 1910 if (copym != NULL) { 1911 /* 1912 * We don't bother to fragment if the IP length is greater 1913 * than the interface's MTU. Can this possibly matter? 1914 */ 1915 ip = mtod(copym, struct ip *); 1916 HTONS(ip->ip_len); 1917 HTONS(ip->ip_off); 1918 ip->ip_sum = 0; 1919 if (ip->ip_vhl == IP_VHL_BORING) { 1920 ip->ip_sum = in_cksum_hdr(ip); 1921 } else { 1922 ip->ip_sum = in_cksum(copym, hlen); 1923 } 1924 /* 1925 * NB: 1926 * It's not clear whether there are any lingering 1927 * reentrancy problems in other areas which might 1928 * be exposed by using ip_input directly (in 1929 * particular, everything which modifies the packet 1930 * in-place). Yet another option is using the 1931 * protosw directly to deliver the looped back 1932 * packet. For the moment, we'll err on the side 1933 * of safety by using if_simloop(). 1934 */ 1935 #if 1 /* XXX */ 1936 if (dst->sin_family != AF_INET) { 1937 printf("ip_mloopback: bad address family %d\n", 1938 dst->sin_family); 1939 dst->sin_family = AF_INET; 1940 } 1941 #endif 1942 1943 #ifdef notdef 1944 copym->m_pkthdr.rcvif = ifp; 1945 ip_input(copym); 1946 #else 1947 /* if the checksum hasn't been computed, mark it as valid */ 1948 if (copym->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { 1949 copym->m_pkthdr.csum_flags |= 1950 CSUM_DATA_VALID | CSUM_PSEUDO_HDR; 1951 copym->m_pkthdr.csum_data = 0xffff; 1952 } 1953 if_simloop(ifp, copym, dst->sin_family, 0); 1954 #endif 1955 } 1956 } 1957