xref: /freebsd/sys/netinet/raw_ip.c (revision 5dae51da3da0cc94d17bd67b308fad304ebec7e0)
1 /*-
2  * Copyright (c) 1982, 1986, 1988, 1993
3  *	The Regents of the University of California.
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  * 4. Neither the name of the University nor the names of its contributors
15  *    may be used to endorse or promote products derived from this software
16  *    without specific prior written permission.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
19  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
22  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28  * SUCH DAMAGE.
29  *
30  *	@(#)raw_ip.c	8.7 (Berkeley) 5/15/95
31  */
32 
33 #include <sys/cdefs.h>
34 __FBSDID("$FreeBSD$");
35 
36 #include "opt_inet.h"
37 #include "opt_inet6.h"
38 #include "opt_ipsec.h"
39 
40 #include <sys/param.h>
41 #include <sys/jail.h>
42 #include <sys/kernel.h>
43 #include <sys/eventhandler.h>
44 #include <sys/lock.h>
45 #include <sys/malloc.h>
46 #include <sys/mbuf.h>
47 #include <sys/priv.h>
48 #include <sys/proc.h>
49 #include <sys/protosw.h>
50 #include <sys/rmlock.h>
51 #include <sys/rwlock.h>
52 #include <sys/signalvar.h>
53 #include <sys/socket.h>
54 #include <sys/socketvar.h>
55 #include <sys/sx.h>
56 #include <sys/sysctl.h>
57 #include <sys/systm.h>
58 
59 #include <vm/uma.h>
60 
61 #include <net/if.h>
62 #include <net/if_var.h>
63 #include <net/route.h>
64 #include <net/vnet.h>
65 
66 #include <netinet/in.h>
67 #include <netinet/in_systm.h>
68 #include <netinet/in_pcb.h>
69 #include <netinet/in_var.h>
70 #include <netinet/if_ether.h>
71 #include <netinet/ip.h>
72 #include <netinet/ip_var.h>
73 #include <netinet/ip_mroute.h>
74 #include <netinet/ip_icmp.h>
75 
76 #ifdef IPSEC
77 #include <netipsec/ipsec.h>
78 #endif /*IPSEC*/
79 
80 #include <machine/stdarg.h>
81 #include <security/mac/mac_framework.h>
82 
83 VNET_DEFINE(int, ip_defttl) = IPDEFTTL;
84 SYSCTL_INT(_net_inet_ip, IPCTL_DEFTTL, ttl, CTLFLAG_VNET | CTLFLAG_RW,
85     &VNET_NAME(ip_defttl), 0,
86     "Maximum TTL on IP packets");
87 
88 VNET_DEFINE(struct inpcbhead, ripcb);
89 VNET_DEFINE(struct inpcbinfo, ripcbinfo);
90 
91 #define	V_ripcb			VNET(ripcb)
92 #define	V_ripcbinfo		VNET(ripcbinfo)
93 
94 /*
95  * Control and data hooks for ipfw, dummynet, divert and so on.
96  * The data hooks are not used here but it is convenient
97  * to keep them all in one place.
98  */
99 VNET_DEFINE(ip_fw_chk_ptr_t, ip_fw_chk_ptr) = NULL;
100 VNET_DEFINE(ip_fw_ctl_ptr_t, ip_fw_ctl_ptr) = NULL;
101 
102 int	(*ip_dn_ctl_ptr)(struct sockopt *);
103 int	(*ip_dn_io_ptr)(struct mbuf **, int, struct ip_fw_args *);
104 void	(*ip_divert_ptr)(struct mbuf *, int);
105 int	(*ng_ipfw_input_p)(struct mbuf **, int,
106 			struct ip_fw_args *, int);
107 
108 #ifdef INET
109 /*
110  * Hooks for multicast routing. They all default to NULL, so leave them not
111  * initialized and rely on BSS being set to 0.
112  */
113 
114 /*
115  * The socket used to communicate with the multicast routing daemon.
116  */
117 VNET_DEFINE(struct socket *, ip_mrouter);
118 
119 /*
120  * The various mrouter and rsvp functions.
121  */
122 int (*ip_mrouter_set)(struct socket *, struct sockopt *);
123 int (*ip_mrouter_get)(struct socket *, struct sockopt *);
124 int (*ip_mrouter_done)(void);
125 int (*ip_mforward)(struct ip *, struct ifnet *, struct mbuf *,
126 		   struct ip_moptions *);
127 int (*mrt_ioctl)(u_long, caddr_t, int);
128 int (*legal_vif_num)(int);
129 u_long (*ip_mcast_src)(int);
130 
131 int (*rsvp_input_p)(struct mbuf **, int *, int);
132 int (*ip_rsvp_vif)(struct socket *, struct sockopt *);
133 void (*ip_rsvp_force_done)(struct socket *);
134 #endif /* INET */
135 
136 extern	struct protosw inetsw[];
137 
138 u_long	rip_sendspace = 9216;
139 SYSCTL_ULONG(_net_inet_raw, OID_AUTO, maxdgram, CTLFLAG_RW,
140     &rip_sendspace, 0, "Maximum outgoing raw IP datagram size");
141 
142 u_long	rip_recvspace = 9216;
143 SYSCTL_ULONG(_net_inet_raw, OID_AUTO, recvspace, CTLFLAG_RW,
144     &rip_recvspace, 0, "Maximum space for incoming raw IP datagrams");
145 
146 /*
147  * Hash functions
148  */
149 
150 #define INP_PCBHASH_RAW_SIZE	256
151 #define INP_PCBHASH_RAW(proto, laddr, faddr, mask) \
152         (((proto) + (laddr) + (faddr)) % (mask) + 1)
153 
154 #ifdef INET
155 static void
156 rip_inshash(struct inpcb *inp)
157 {
158 	struct inpcbinfo *pcbinfo = inp->inp_pcbinfo;
159 	struct inpcbhead *pcbhash;
160 	int hash;
161 
162 	INP_INFO_WLOCK_ASSERT(pcbinfo);
163 	INP_WLOCK_ASSERT(inp);
164 
165 	if (inp->inp_ip_p != 0 &&
166 	    inp->inp_laddr.s_addr != INADDR_ANY &&
167 	    inp->inp_faddr.s_addr != INADDR_ANY) {
168 		hash = INP_PCBHASH_RAW(inp->inp_ip_p, inp->inp_laddr.s_addr,
169 		    inp->inp_faddr.s_addr, pcbinfo->ipi_hashmask);
170 	} else
171 		hash = 0;
172 	pcbhash = &pcbinfo->ipi_hashbase[hash];
173 	LIST_INSERT_HEAD(pcbhash, inp, inp_hash);
174 }
175 
176 static void
177 rip_delhash(struct inpcb *inp)
178 {
179 
180 	INP_INFO_WLOCK_ASSERT(inp->inp_pcbinfo);
181 	INP_WLOCK_ASSERT(inp);
182 
183 	LIST_REMOVE(inp, inp_hash);
184 }
185 #endif /* INET */
186 
187 /*
188  * Raw interface to IP protocol.
189  */
190 
191 /*
192  * Initialize raw connection block q.
193  */
194 static void
195 rip_zone_change(void *tag)
196 {
197 
198 	uma_zone_set_max(V_ripcbinfo.ipi_zone, maxsockets);
199 }
200 
201 static int
202 rip_inpcb_init(void *mem, int size, int flags)
203 {
204 	struct inpcb *inp = mem;
205 
206 	INP_LOCK_INIT(inp, "inp", "rawinp");
207 	return (0);
208 }
209 
210 void
211 rip_init(void)
212 {
213 
214 	in_pcbinfo_init(&V_ripcbinfo, "rip", &V_ripcb, INP_PCBHASH_RAW_SIZE,
215 	    1, "ripcb", rip_inpcb_init, NULL, 0, IPI_HASHFIELDS_NONE);
216 	EVENTHANDLER_REGISTER(maxsockets_change, rip_zone_change, NULL,
217 	    EVENTHANDLER_PRI_ANY);
218 }
219 
220 #ifdef VIMAGE
221 static void
222 rip_destroy(void *unused __unused)
223 {
224 
225 	in_pcbinfo_destroy(&V_ripcbinfo);
226 }
227 VNET_SYSUNINIT(raw_ip, SI_SUB_PROTO_DOMAIN, SI_ORDER_FOURTH, rip_destroy, NULL);
228 #endif
229 
230 #ifdef INET
231 static int
232 rip_append(struct inpcb *last, struct ip *ip, struct mbuf *n,
233     struct sockaddr_in *ripsrc)
234 {
235 	int policyfail = 0;
236 
237 	INP_LOCK_ASSERT(last);
238 
239 #ifdef IPSEC
240 	/* check AH/ESP integrity. */
241 	if (ipsec4_in_reject(n, last)) {
242 		policyfail = 1;
243 	}
244 #endif /* IPSEC */
245 #ifdef MAC
246 	if (!policyfail && mac_inpcb_check_deliver(last, n) != 0)
247 		policyfail = 1;
248 #endif
249 	/* Check the minimum TTL for socket. */
250 	if (last->inp_ip_minttl && last->inp_ip_minttl > ip->ip_ttl)
251 		policyfail = 1;
252 	if (!policyfail) {
253 		struct mbuf *opts = NULL;
254 		struct socket *so;
255 
256 		so = last->inp_socket;
257 		if ((last->inp_flags & INP_CONTROLOPTS) ||
258 		    (so->so_options & (SO_TIMESTAMP | SO_BINTIME)))
259 			ip_savecontrol(last, &opts, ip, n);
260 		SOCKBUF_LOCK(&so->so_rcv);
261 		if (sbappendaddr_locked(&so->so_rcv,
262 		    (struct sockaddr *)ripsrc, n, opts) == 0) {
263 			/* should notify about lost packet */
264 			m_freem(n);
265 			if (opts)
266 				m_freem(opts);
267 			SOCKBUF_UNLOCK(&so->so_rcv);
268 		} else
269 			sorwakeup_locked(so);
270 	} else
271 		m_freem(n);
272 	return (policyfail);
273 }
274 
275 /*
276  * Setup generic address and protocol structures for raw_input routine, then
277  * pass them along with mbuf chain.
278  */
279 int
280 rip_input(struct mbuf **mp, int *offp, int proto)
281 {
282 	struct ifnet *ifp;
283 	struct mbuf *m = *mp;
284 	struct ip *ip = mtod(m, struct ip *);
285 	struct inpcb *inp, *last;
286 	struct sockaddr_in ripsrc;
287 	int hash;
288 
289 	*mp = NULL;
290 
291 	bzero(&ripsrc, sizeof(ripsrc));
292 	ripsrc.sin_len = sizeof(ripsrc);
293 	ripsrc.sin_family = AF_INET;
294 	ripsrc.sin_addr = ip->ip_src;
295 	last = NULL;
296 
297 	ifp = m->m_pkthdr.rcvif;
298 
299 	hash = INP_PCBHASH_RAW(proto, ip->ip_src.s_addr,
300 	    ip->ip_dst.s_addr, V_ripcbinfo.ipi_hashmask);
301 	INP_INFO_RLOCK(&V_ripcbinfo);
302 	LIST_FOREACH(inp, &V_ripcbinfo.ipi_hashbase[hash], inp_hash) {
303 		if (inp->inp_ip_p != proto)
304 			continue;
305 #ifdef INET6
306 		/* XXX inp locking */
307 		if ((inp->inp_vflag & INP_IPV4) == 0)
308 			continue;
309 #endif
310 		if (inp->inp_laddr.s_addr != ip->ip_dst.s_addr)
311 			continue;
312 		if (inp->inp_faddr.s_addr != ip->ip_src.s_addr)
313 			continue;
314 		if (jailed_without_vnet(inp->inp_cred)) {
315 			/*
316 			 * XXX: If faddr was bound to multicast group,
317 			 * jailed raw socket will drop datagram.
318 			 */
319 			if (prison_check_ip4(inp->inp_cred, &ip->ip_dst) != 0)
320 				continue;
321 		}
322 		if (last != NULL) {
323 			struct mbuf *n;
324 
325 			n = m_copym(m, 0, M_COPYALL, M_NOWAIT);
326 			if (n != NULL)
327 		    	    (void) rip_append(last, ip, n, &ripsrc);
328 			/* XXX count dropped packet */
329 			INP_RUNLOCK(last);
330 		}
331 		INP_RLOCK(inp);
332 		last = inp;
333 	}
334 	LIST_FOREACH(inp, &V_ripcbinfo.ipi_hashbase[0], inp_hash) {
335 		if (inp->inp_ip_p && inp->inp_ip_p != proto)
336 			continue;
337 #ifdef INET6
338 		/* XXX inp locking */
339 		if ((inp->inp_vflag & INP_IPV4) == 0)
340 			continue;
341 #endif
342 		if (!in_nullhost(inp->inp_laddr) &&
343 		    !in_hosteq(inp->inp_laddr, ip->ip_dst))
344 			continue;
345 		if (!in_nullhost(inp->inp_faddr) &&
346 		    !in_hosteq(inp->inp_faddr, ip->ip_src))
347 			continue;
348 		if (jailed_without_vnet(inp->inp_cred)) {
349 			/*
350 			 * Allow raw socket in jail to receive multicast;
351 			 * assume process had PRIV_NETINET_RAW at attach,
352 			 * and fall through into normal filter path if so.
353 			 */
354 			if (!IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) &&
355 			    prison_check_ip4(inp->inp_cred, &ip->ip_dst) != 0)
356 				continue;
357 		}
358 		/*
359 		 * If this raw socket has multicast state, and we
360 		 * have received a multicast, check if this socket
361 		 * should receive it, as multicast filtering is now
362 		 * the responsibility of the transport layer.
363 		 */
364 		if (inp->inp_moptions != NULL &&
365 		    IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
366 			/*
367 			 * If the incoming datagram is for IGMP, allow it
368 			 * through unconditionally to the raw socket.
369 			 *
370 			 * In the case of IGMPv2, we may not have explicitly
371 			 * joined the group, and may have set IFF_ALLMULTI
372 			 * on the interface. imo_multi_filter() may discard
373 			 * control traffic we actually need to see.
374 			 *
375 			 * Userland multicast routing daemons should continue
376 			 * filter the control traffic appropriately.
377 			 */
378 			int blocked;
379 
380 			blocked = MCAST_PASS;
381 			if (proto != IPPROTO_IGMP) {
382 				struct sockaddr_in group;
383 
384 				bzero(&group, sizeof(struct sockaddr_in));
385 				group.sin_len = sizeof(struct sockaddr_in);
386 				group.sin_family = AF_INET;
387 				group.sin_addr = ip->ip_dst;
388 
389 				blocked = imo_multi_filter(inp->inp_moptions,
390 				    ifp,
391 				    (struct sockaddr *)&group,
392 				    (struct sockaddr *)&ripsrc);
393 			}
394 
395 			if (blocked != MCAST_PASS) {
396 				IPSTAT_INC(ips_notmember);
397 				continue;
398 			}
399 		}
400 		if (last != NULL) {
401 			struct mbuf *n;
402 
403 			n = m_copym(m, 0, M_COPYALL, M_NOWAIT);
404 			if (n != NULL)
405 				(void) rip_append(last, ip, n, &ripsrc);
406 			/* XXX count dropped packet */
407 			INP_RUNLOCK(last);
408 		}
409 		INP_RLOCK(inp);
410 		last = inp;
411 	}
412 	INP_INFO_RUNLOCK(&V_ripcbinfo);
413 	if (last != NULL) {
414 		if (rip_append(last, ip, m, &ripsrc) != 0)
415 			IPSTAT_INC(ips_delivered);
416 		INP_RUNLOCK(last);
417 	} else {
418 		if (inetsw[ip_protox[ip->ip_p]].pr_input == rip_input) {
419 			IPSTAT_INC(ips_noproto);
420 			IPSTAT_DEC(ips_delivered);
421 			icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_PROTOCOL, 0, 0);
422 		} else {
423 			m_freem(m);
424 		}
425 	}
426 	return (IPPROTO_DONE);
427 }
428 
429 /*
430  * Generate IP header and pass packet to ip_output.  Tack on options user may
431  * have setup with control call.
432  */
433 int
434 rip_output(struct mbuf *m, struct socket *so, ...)
435 {
436 	struct ip *ip;
437 	int error;
438 	struct inpcb *inp = sotoinpcb(so);
439 	va_list ap;
440 	u_long dst;
441 	int flags = ((so->so_options & SO_DONTROUTE) ? IP_ROUTETOIF : 0) |
442 	    IP_ALLOWBROADCAST;
443 
444 	va_start(ap, so);
445 	dst = va_arg(ap, u_long);
446 	va_end(ap);
447 
448 	/*
449 	 * If the user handed us a complete IP packet, use it.  Otherwise,
450 	 * allocate an mbuf for a header and fill it in.
451 	 */
452 	if ((inp->inp_flags & INP_HDRINCL) == 0) {
453 		if (m->m_pkthdr.len + sizeof(struct ip) > IP_MAXPACKET) {
454 			m_freem(m);
455 			return(EMSGSIZE);
456 		}
457 		M_PREPEND(m, sizeof(struct ip), M_NOWAIT);
458 		if (m == NULL)
459 			return(ENOBUFS);
460 
461 		INP_RLOCK(inp);
462 		ip = mtod(m, struct ip *);
463 		ip->ip_tos = inp->inp_ip_tos;
464 		if (inp->inp_flags & INP_DONTFRAG)
465 			ip->ip_off = htons(IP_DF);
466 		else
467 			ip->ip_off = htons(0);
468 		ip->ip_p = inp->inp_ip_p;
469 		ip->ip_len = htons(m->m_pkthdr.len);
470 		ip->ip_src = inp->inp_laddr;
471 		ip->ip_dst.s_addr = dst;
472 		if (jailed(inp->inp_cred)) {
473 			/*
474 			 * prison_local_ip4() would be good enough but would
475 			 * let a source of INADDR_ANY pass, which we do not
476 			 * want to see from jails.
477 			 */
478 			if (ip->ip_src.s_addr == INADDR_ANY) {
479 				error = in_pcbladdr(inp, &ip->ip_dst, &ip->ip_src,
480 				    inp->inp_cred);
481 			} else {
482 				error = prison_local_ip4(inp->inp_cred,
483 				    &ip->ip_src);
484 			}
485 			if (error != 0) {
486 				INP_RUNLOCK(inp);
487 				m_freem(m);
488 				return (error);
489 			}
490 		}
491 		ip->ip_ttl = inp->inp_ip_ttl;
492 	} else {
493 		if (m->m_pkthdr.len > IP_MAXPACKET) {
494 			m_freem(m);
495 			return(EMSGSIZE);
496 		}
497 		INP_RLOCK(inp);
498 		ip = mtod(m, struct ip *);
499 		error = prison_check_ip4(inp->inp_cred, &ip->ip_src);
500 		if (error != 0) {
501 			INP_RUNLOCK(inp);
502 			m_freem(m);
503 			return (error);
504 		}
505 
506 		/*
507 		 * Don't allow both user specified and setsockopt options,
508 		 * and don't allow packet length sizes that will crash.
509 		 */
510 		if (((ip->ip_hl != (sizeof (*ip) >> 2)) && inp->inp_options)
511 		    || (ntohs(ip->ip_len) > m->m_pkthdr.len)
512 		    || (ntohs(ip->ip_len) < (ip->ip_hl << 2))) {
513 			INP_RUNLOCK(inp);
514 			m_freem(m);
515 			return (EINVAL);
516 		}
517 		/*
518 		 * This doesn't allow application to specify ID of zero,
519 		 * but we got this limitation from the beginning of history.
520 		 */
521 		if (ip->ip_id == 0)
522 			ip_fillid(ip);
523 
524 		/*
525 		 * XXX prevent ip_output from overwriting header fields.
526 		 */
527 		flags |= IP_RAWOUTPUT;
528 		IPSTAT_INC(ips_rawout);
529 	}
530 
531 	if (inp->inp_flags & INP_ONESBCAST)
532 		flags |= IP_SENDONES;
533 
534 #ifdef MAC
535 	mac_inpcb_create_mbuf(inp, m);
536 #endif
537 
538 	error = ip_output(m, inp->inp_options, NULL, flags,
539 	    inp->inp_moptions, inp);
540 	INP_RUNLOCK(inp);
541 	return (error);
542 }
543 
544 /*
545  * Raw IP socket option processing.
546  *
547  * IMPORTANT NOTE regarding access control: Traditionally, raw sockets could
548  * only be created by a privileged process, and as such, socket option
549  * operations to manage system properties on any raw socket were allowed to
550  * take place without explicit additional access control checks.  However,
551  * raw sockets can now also be created in jail(), and therefore explicit
552  * checks are now required.  Likewise, raw sockets can be used by a process
553  * after it gives up privilege, so some caution is required.  For options
554  * passed down to the IP layer via ip_ctloutput(), checks are assumed to be
555  * performed in ip_ctloutput() and therefore no check occurs here.
556  * Unilaterally checking priv_check() here breaks normal IP socket option
557  * operations on raw sockets.
558  *
559  * When adding new socket options here, make sure to add access control
560  * checks here as necessary.
561  *
562  * XXX-BZ inp locking?
563  */
564 int
565 rip_ctloutput(struct socket *so, struct sockopt *sopt)
566 {
567 	struct	inpcb *inp = sotoinpcb(so);
568 	int	error, optval;
569 
570 	if (sopt->sopt_level != IPPROTO_IP) {
571 		if ((sopt->sopt_level == SOL_SOCKET) &&
572 		    (sopt->sopt_name == SO_SETFIB)) {
573 			inp->inp_inc.inc_fibnum = so->so_fibnum;
574 			return (0);
575 		}
576 		return (EINVAL);
577 	}
578 
579 	error = 0;
580 	switch (sopt->sopt_dir) {
581 	case SOPT_GET:
582 		switch (sopt->sopt_name) {
583 		case IP_HDRINCL:
584 			optval = inp->inp_flags & INP_HDRINCL;
585 			error = sooptcopyout(sopt, &optval, sizeof optval);
586 			break;
587 
588 		case IP_FW3:	/* generic ipfw v.3 functions */
589 		case IP_FW_ADD:	/* ADD actually returns the body... */
590 		case IP_FW_GET:
591 		case IP_FW_TABLE_GETSIZE:
592 		case IP_FW_TABLE_LIST:
593 		case IP_FW_NAT_GET_CONFIG:
594 		case IP_FW_NAT_GET_LOG:
595 			if (V_ip_fw_ctl_ptr != NULL)
596 				error = V_ip_fw_ctl_ptr(sopt);
597 			else
598 				error = ENOPROTOOPT;
599 			break;
600 
601 		case IP_DUMMYNET3:	/* generic dummynet v.3 functions */
602 		case IP_DUMMYNET_GET:
603 			if (ip_dn_ctl_ptr != NULL)
604 				error = ip_dn_ctl_ptr(sopt);
605 			else
606 				error = ENOPROTOOPT;
607 			break ;
608 
609 		case MRT_INIT:
610 		case MRT_DONE:
611 		case MRT_ADD_VIF:
612 		case MRT_DEL_VIF:
613 		case MRT_ADD_MFC:
614 		case MRT_DEL_MFC:
615 		case MRT_VERSION:
616 		case MRT_ASSERT:
617 		case MRT_API_SUPPORT:
618 		case MRT_API_CONFIG:
619 		case MRT_ADD_BW_UPCALL:
620 		case MRT_DEL_BW_UPCALL:
621 			error = priv_check(curthread, PRIV_NETINET_MROUTE);
622 			if (error != 0)
623 				return (error);
624 			error = ip_mrouter_get ? ip_mrouter_get(so, sopt) :
625 				EOPNOTSUPP;
626 			break;
627 
628 		default:
629 			error = ip_ctloutput(so, sopt);
630 			break;
631 		}
632 		break;
633 
634 	case SOPT_SET:
635 		switch (sopt->sopt_name) {
636 		case IP_HDRINCL:
637 			error = sooptcopyin(sopt, &optval, sizeof optval,
638 					    sizeof optval);
639 			if (error)
640 				break;
641 			if (optval)
642 				inp->inp_flags |= INP_HDRINCL;
643 			else
644 				inp->inp_flags &= ~INP_HDRINCL;
645 			break;
646 
647 		case IP_FW3:	/* generic ipfw v.3 functions */
648 		case IP_FW_ADD:
649 		case IP_FW_DEL:
650 		case IP_FW_FLUSH:
651 		case IP_FW_ZERO:
652 		case IP_FW_RESETLOG:
653 		case IP_FW_TABLE_ADD:
654 		case IP_FW_TABLE_DEL:
655 		case IP_FW_TABLE_FLUSH:
656 		case IP_FW_NAT_CFG:
657 		case IP_FW_NAT_DEL:
658 			if (V_ip_fw_ctl_ptr != NULL)
659 				error = V_ip_fw_ctl_ptr(sopt);
660 			else
661 				error = ENOPROTOOPT;
662 			break;
663 
664 		case IP_DUMMYNET3:	/* generic dummynet v.3 functions */
665 		case IP_DUMMYNET_CONFIGURE:
666 		case IP_DUMMYNET_DEL:
667 		case IP_DUMMYNET_FLUSH:
668 			if (ip_dn_ctl_ptr != NULL)
669 				error = ip_dn_ctl_ptr(sopt);
670 			else
671 				error = ENOPROTOOPT ;
672 			break ;
673 
674 		case IP_RSVP_ON:
675 			error = priv_check(curthread, PRIV_NETINET_MROUTE);
676 			if (error != 0)
677 				return (error);
678 			error = ip_rsvp_init(so);
679 			break;
680 
681 		case IP_RSVP_OFF:
682 			error = priv_check(curthread, PRIV_NETINET_MROUTE);
683 			if (error != 0)
684 				return (error);
685 			error = ip_rsvp_done();
686 			break;
687 
688 		case IP_RSVP_VIF_ON:
689 		case IP_RSVP_VIF_OFF:
690 			error = priv_check(curthread, PRIV_NETINET_MROUTE);
691 			if (error != 0)
692 				return (error);
693 			error = ip_rsvp_vif ?
694 				ip_rsvp_vif(so, sopt) : EINVAL;
695 			break;
696 
697 		case MRT_INIT:
698 		case MRT_DONE:
699 		case MRT_ADD_VIF:
700 		case MRT_DEL_VIF:
701 		case MRT_ADD_MFC:
702 		case MRT_DEL_MFC:
703 		case MRT_VERSION:
704 		case MRT_ASSERT:
705 		case MRT_API_SUPPORT:
706 		case MRT_API_CONFIG:
707 		case MRT_ADD_BW_UPCALL:
708 		case MRT_DEL_BW_UPCALL:
709 			error = priv_check(curthread, PRIV_NETINET_MROUTE);
710 			if (error != 0)
711 				return (error);
712 			error = ip_mrouter_set ? ip_mrouter_set(so, sopt) :
713 					EOPNOTSUPP;
714 			break;
715 
716 		default:
717 			error = ip_ctloutput(so, sopt);
718 			break;
719 		}
720 		break;
721 	}
722 
723 	return (error);
724 }
725 
726 /*
727  * This function exists solely to receive the PRC_IFDOWN messages which are
728  * sent by if_down().  It looks for an ifaddr whose ifa_addr is sa, and calls
729  * in_ifadown() to remove all routes corresponding to that address.  It also
730  * receives the PRC_IFUP messages from if_up() and reinstalls the interface
731  * routes.
732  */
733 void
734 rip_ctlinput(int cmd, struct sockaddr *sa, void *vip)
735 {
736 	struct rm_priotracker in_ifa_tracker;
737 	struct in_ifaddr *ia;
738 	struct ifnet *ifp;
739 	int err;
740 	int flags;
741 
742 	switch (cmd) {
743 	case PRC_IFDOWN:
744 		IN_IFADDR_RLOCK(&in_ifa_tracker);
745 		TAILQ_FOREACH(ia, &V_in_ifaddrhead, ia_link) {
746 			if (ia->ia_ifa.ifa_addr == sa
747 			    && (ia->ia_flags & IFA_ROUTE)) {
748 				ifa_ref(&ia->ia_ifa);
749 				IN_IFADDR_RUNLOCK(&in_ifa_tracker);
750 				/*
751 				 * in_scrubprefix() kills the interface route.
752 				 */
753 				in_scrubprefix(ia, 0);
754 				/*
755 				 * in_ifadown gets rid of all the rest of the
756 				 * routes.  This is not quite the right thing
757 				 * to do, but at least if we are running a
758 				 * routing process they will come back.
759 				 */
760 				in_ifadown(&ia->ia_ifa, 0);
761 				ifa_free(&ia->ia_ifa);
762 				break;
763 			}
764 		}
765 		if (ia == NULL)		/* If ia matched, already unlocked. */
766 			IN_IFADDR_RUNLOCK(&in_ifa_tracker);
767 		break;
768 
769 	case PRC_IFUP:
770 		IN_IFADDR_RLOCK(&in_ifa_tracker);
771 		TAILQ_FOREACH(ia, &V_in_ifaddrhead, ia_link) {
772 			if (ia->ia_ifa.ifa_addr == sa)
773 				break;
774 		}
775 		if (ia == NULL || (ia->ia_flags & IFA_ROUTE)) {
776 			IN_IFADDR_RUNLOCK(&in_ifa_tracker);
777 			return;
778 		}
779 		ifa_ref(&ia->ia_ifa);
780 		IN_IFADDR_RUNLOCK(&in_ifa_tracker);
781 		flags = RTF_UP;
782 		ifp = ia->ia_ifa.ifa_ifp;
783 
784 		if ((ifp->if_flags & IFF_LOOPBACK)
785 		    || (ifp->if_flags & IFF_POINTOPOINT))
786 			flags |= RTF_HOST;
787 
788 		err = ifa_del_loopback_route((struct ifaddr *)ia, sa);
789 
790 		err = rtinit(&ia->ia_ifa, RTM_ADD, flags);
791 		if (err == 0)
792 			ia->ia_flags |= IFA_ROUTE;
793 
794 		err = ifa_add_loopback_route((struct ifaddr *)ia, sa);
795 
796 		ifa_free(&ia->ia_ifa);
797 		break;
798 	}
799 }
800 
801 static int
802 rip_attach(struct socket *so, int proto, struct thread *td)
803 {
804 	struct inpcb *inp;
805 	int error;
806 
807 	inp = sotoinpcb(so);
808 	KASSERT(inp == NULL, ("rip_attach: inp != NULL"));
809 
810 	error = priv_check(td, PRIV_NETINET_RAW);
811 	if (error)
812 		return (error);
813 	if (proto >= IPPROTO_MAX || proto < 0)
814 		return EPROTONOSUPPORT;
815 	error = soreserve(so, rip_sendspace, rip_recvspace);
816 	if (error)
817 		return (error);
818 	INP_INFO_WLOCK(&V_ripcbinfo);
819 	error = in_pcballoc(so, &V_ripcbinfo);
820 	if (error) {
821 		INP_INFO_WUNLOCK(&V_ripcbinfo);
822 		return (error);
823 	}
824 	inp = (struct inpcb *)so->so_pcb;
825 	inp->inp_vflag |= INP_IPV4;
826 	inp->inp_ip_p = proto;
827 	inp->inp_ip_ttl = V_ip_defttl;
828 	rip_inshash(inp);
829 	INP_INFO_WUNLOCK(&V_ripcbinfo);
830 	INP_WUNLOCK(inp);
831 	return (0);
832 }
833 
834 static void
835 rip_detach(struct socket *so)
836 {
837 	struct inpcb *inp;
838 
839 	inp = sotoinpcb(so);
840 	KASSERT(inp != NULL, ("rip_detach: inp == NULL"));
841 	KASSERT(inp->inp_faddr.s_addr == INADDR_ANY,
842 	    ("rip_detach: not closed"));
843 
844 	INP_INFO_WLOCK(&V_ripcbinfo);
845 	INP_WLOCK(inp);
846 	rip_delhash(inp);
847 	if (so == V_ip_mrouter && ip_mrouter_done)
848 		ip_mrouter_done();
849 	if (ip_rsvp_force_done)
850 		ip_rsvp_force_done(so);
851 	if (so == V_ip_rsvpd)
852 		ip_rsvp_done();
853 	in_pcbdetach(inp);
854 	in_pcbfree(inp);
855 	INP_INFO_WUNLOCK(&V_ripcbinfo);
856 }
857 
858 static void
859 rip_dodisconnect(struct socket *so, struct inpcb *inp)
860 {
861 	struct inpcbinfo *pcbinfo;
862 
863 	pcbinfo = inp->inp_pcbinfo;
864 	INP_INFO_WLOCK(pcbinfo);
865 	INP_WLOCK(inp);
866 	rip_delhash(inp);
867 	inp->inp_faddr.s_addr = INADDR_ANY;
868 	rip_inshash(inp);
869 	SOCK_LOCK(so);
870 	so->so_state &= ~SS_ISCONNECTED;
871 	SOCK_UNLOCK(so);
872 	INP_WUNLOCK(inp);
873 	INP_INFO_WUNLOCK(pcbinfo);
874 }
875 
876 static void
877 rip_abort(struct socket *so)
878 {
879 	struct inpcb *inp;
880 
881 	inp = sotoinpcb(so);
882 	KASSERT(inp != NULL, ("rip_abort: inp == NULL"));
883 
884 	rip_dodisconnect(so, inp);
885 }
886 
887 static void
888 rip_close(struct socket *so)
889 {
890 	struct inpcb *inp;
891 
892 	inp = sotoinpcb(so);
893 	KASSERT(inp != NULL, ("rip_close: inp == NULL"));
894 
895 	rip_dodisconnect(so, inp);
896 }
897 
898 static int
899 rip_disconnect(struct socket *so)
900 {
901 	struct inpcb *inp;
902 
903 	if ((so->so_state & SS_ISCONNECTED) == 0)
904 		return (ENOTCONN);
905 
906 	inp = sotoinpcb(so);
907 	KASSERT(inp != NULL, ("rip_disconnect: inp == NULL"));
908 
909 	rip_dodisconnect(so, inp);
910 	return (0);
911 }
912 
913 static int
914 rip_bind(struct socket *so, struct sockaddr *nam, struct thread *td)
915 {
916 	struct sockaddr_in *addr = (struct sockaddr_in *)nam;
917 	struct inpcb *inp;
918 	int error;
919 
920 	if (nam->sa_len != sizeof(*addr))
921 		return (EINVAL);
922 
923 	error = prison_check_ip4(td->td_ucred, &addr->sin_addr);
924 	if (error != 0)
925 		return (error);
926 
927 	inp = sotoinpcb(so);
928 	KASSERT(inp != NULL, ("rip_bind: inp == NULL"));
929 
930 	if (TAILQ_EMPTY(&V_ifnet) ||
931 	    (addr->sin_family != AF_INET && addr->sin_family != AF_IMPLINK) ||
932 	    (addr->sin_addr.s_addr &&
933 	     (inp->inp_flags & INP_BINDANY) == 0 &&
934 	     ifa_ifwithaddr_check((struct sockaddr *)addr) == 0))
935 		return (EADDRNOTAVAIL);
936 
937 	INP_INFO_WLOCK(&V_ripcbinfo);
938 	INP_WLOCK(inp);
939 	rip_delhash(inp);
940 	inp->inp_laddr = addr->sin_addr;
941 	rip_inshash(inp);
942 	INP_WUNLOCK(inp);
943 	INP_INFO_WUNLOCK(&V_ripcbinfo);
944 	return (0);
945 }
946 
947 static int
948 rip_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
949 {
950 	struct sockaddr_in *addr = (struct sockaddr_in *)nam;
951 	struct inpcb *inp;
952 
953 	if (nam->sa_len != sizeof(*addr))
954 		return (EINVAL);
955 	if (TAILQ_EMPTY(&V_ifnet))
956 		return (EADDRNOTAVAIL);
957 	if (addr->sin_family != AF_INET && addr->sin_family != AF_IMPLINK)
958 		return (EAFNOSUPPORT);
959 
960 	inp = sotoinpcb(so);
961 	KASSERT(inp != NULL, ("rip_connect: inp == NULL"));
962 
963 	INP_INFO_WLOCK(&V_ripcbinfo);
964 	INP_WLOCK(inp);
965 	rip_delhash(inp);
966 	inp->inp_faddr = addr->sin_addr;
967 	rip_inshash(inp);
968 	soisconnected(so);
969 	INP_WUNLOCK(inp);
970 	INP_INFO_WUNLOCK(&V_ripcbinfo);
971 	return (0);
972 }
973 
974 static int
975 rip_shutdown(struct socket *so)
976 {
977 	struct inpcb *inp;
978 
979 	inp = sotoinpcb(so);
980 	KASSERT(inp != NULL, ("rip_shutdown: inp == NULL"));
981 
982 	INP_WLOCK(inp);
983 	socantsendmore(so);
984 	INP_WUNLOCK(inp);
985 	return (0);
986 }
987 
988 static int
989 rip_send(struct socket *so, int flags, struct mbuf *m, struct sockaddr *nam,
990     struct mbuf *control, struct thread *td)
991 {
992 	struct inpcb *inp;
993 	u_long dst;
994 
995 	inp = sotoinpcb(so);
996 	KASSERT(inp != NULL, ("rip_send: inp == NULL"));
997 
998 	/*
999 	 * Note: 'dst' reads below are unlocked.
1000 	 */
1001 	if (so->so_state & SS_ISCONNECTED) {
1002 		if (nam) {
1003 			m_freem(m);
1004 			return (EISCONN);
1005 		}
1006 		dst = inp->inp_faddr.s_addr;	/* Unlocked read. */
1007 	} else {
1008 		if (nam == NULL) {
1009 			m_freem(m);
1010 			return (ENOTCONN);
1011 		}
1012 		dst = ((struct sockaddr_in *)nam)->sin_addr.s_addr;
1013 	}
1014 	return (rip_output(m, so, dst));
1015 }
1016 #endif /* INET */
1017 
1018 static int
1019 rip_pcblist(SYSCTL_HANDLER_ARGS)
1020 {
1021 	int error, i, n;
1022 	struct inpcb *inp, **inp_list;
1023 	inp_gen_t gencnt;
1024 	struct xinpgen xig;
1025 
1026 	/*
1027 	 * The process of preparing the TCB list is too time-consuming and
1028 	 * resource-intensive to repeat twice on every request.
1029 	 */
1030 	if (req->oldptr == 0) {
1031 		n = V_ripcbinfo.ipi_count;
1032 		n += imax(n / 8, 10);
1033 		req->oldidx = 2 * (sizeof xig) + n * sizeof(struct xinpcb);
1034 		return (0);
1035 	}
1036 
1037 	if (req->newptr != 0)
1038 		return (EPERM);
1039 
1040 	/*
1041 	 * OK, now we're committed to doing something.
1042 	 */
1043 	INP_INFO_RLOCK(&V_ripcbinfo);
1044 	gencnt = V_ripcbinfo.ipi_gencnt;
1045 	n = V_ripcbinfo.ipi_count;
1046 	INP_INFO_RUNLOCK(&V_ripcbinfo);
1047 
1048 	xig.xig_len = sizeof xig;
1049 	xig.xig_count = n;
1050 	xig.xig_gen = gencnt;
1051 	xig.xig_sogen = so_gencnt;
1052 	error = SYSCTL_OUT(req, &xig, sizeof xig);
1053 	if (error)
1054 		return (error);
1055 
1056 	inp_list = malloc(n * sizeof *inp_list, M_TEMP, M_WAITOK);
1057 	if (inp_list == NULL)
1058 		return (ENOMEM);
1059 
1060 	INP_INFO_RLOCK(&V_ripcbinfo);
1061 	for (inp = LIST_FIRST(V_ripcbinfo.ipi_listhead), i = 0; inp && i < n;
1062 	     inp = LIST_NEXT(inp, inp_list)) {
1063 		INP_WLOCK(inp);
1064 		if (inp->inp_gencnt <= gencnt &&
1065 		    cr_canseeinpcb(req->td->td_ucred, inp) == 0) {
1066 			in_pcbref(inp);
1067 			inp_list[i++] = inp;
1068 		}
1069 		INP_WUNLOCK(inp);
1070 	}
1071 	INP_INFO_RUNLOCK(&V_ripcbinfo);
1072 	n = i;
1073 
1074 	error = 0;
1075 	for (i = 0; i < n; i++) {
1076 		inp = inp_list[i];
1077 		INP_RLOCK(inp);
1078 		if (inp->inp_gencnt <= gencnt) {
1079 			struct xinpcb xi;
1080 
1081 			bzero(&xi, sizeof(xi));
1082 			xi.xi_len = sizeof xi;
1083 			/* XXX should avoid extra copy */
1084 			bcopy(inp, &xi.xi_inp, sizeof *inp);
1085 			if (inp->inp_socket)
1086 				sotoxsocket(inp->inp_socket, &xi.xi_socket);
1087 			INP_RUNLOCK(inp);
1088 			error = SYSCTL_OUT(req, &xi, sizeof xi);
1089 		} else
1090 			INP_RUNLOCK(inp);
1091 	}
1092 	INP_INFO_WLOCK(&V_ripcbinfo);
1093 	for (i = 0; i < n; i++) {
1094 		inp = inp_list[i];
1095 		INP_RLOCK(inp);
1096 		if (!in_pcbrele_rlocked(inp))
1097 			INP_RUNLOCK(inp);
1098 	}
1099 	INP_INFO_WUNLOCK(&V_ripcbinfo);
1100 
1101 	if (!error) {
1102 		/*
1103 		 * Give the user an updated idea of our state.  If the
1104 		 * generation differs from what we told her before, she knows
1105 		 * that something happened while we were processing this
1106 		 * request, and it might be necessary to retry.
1107 		 */
1108 		INP_INFO_RLOCK(&V_ripcbinfo);
1109 		xig.xig_gen = V_ripcbinfo.ipi_gencnt;
1110 		xig.xig_sogen = so_gencnt;
1111 		xig.xig_count = V_ripcbinfo.ipi_count;
1112 		INP_INFO_RUNLOCK(&V_ripcbinfo);
1113 		error = SYSCTL_OUT(req, &xig, sizeof xig);
1114 	}
1115 	free(inp_list, M_TEMP);
1116 	return (error);
1117 }
1118 
1119 SYSCTL_PROC(_net_inet_raw, OID_AUTO/*XXX*/, pcblist,
1120     CTLTYPE_OPAQUE | CTLFLAG_RD, NULL, 0,
1121     rip_pcblist, "S,xinpcb", "List of active raw IP sockets");
1122 
1123 #ifdef INET
1124 struct pr_usrreqs rip_usrreqs = {
1125 	.pru_abort =		rip_abort,
1126 	.pru_attach =		rip_attach,
1127 	.pru_bind =		rip_bind,
1128 	.pru_connect =		rip_connect,
1129 	.pru_control =		in_control,
1130 	.pru_detach =		rip_detach,
1131 	.pru_disconnect =	rip_disconnect,
1132 	.pru_peeraddr =		in_getpeeraddr,
1133 	.pru_send =		rip_send,
1134 	.pru_shutdown =		rip_shutdown,
1135 	.pru_sockaddr =		in_getsockaddr,
1136 	.pru_sosetlabel =	in_pcbsosetlabel,
1137 	.pru_close =		rip_close,
1138 };
1139 #endif /* INET */
1140