1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the project nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 * 31 * $KAME: in6_src.c,v 1.132 2003/08/26 04:42:27 keiichi Exp $ 32 */ 33 34 /*- 35 * Copyright (c) 1982, 1986, 1991, 1993 36 * The Regents of the University of California. All rights reserved. 
37 * 38 * Redistribution and use in source and binary forms, with or without 39 * modification, are permitted provided that the following conditions 40 * are met: 41 * 1. Redistributions of source code must retain the above copyright 42 * notice, this list of conditions and the following disclaimer. 43 * 2. Redistributions in binary form must reproduce the above copyright 44 * notice, this list of conditions and the following disclaimer in the 45 * documentation and/or other materials provided with the distribution. 46 * 3. Neither the name of the University nor the names of its contributors 47 * may be used to endorse or promote products derived from this software 48 * without specific prior written permission. 49 * 50 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 51 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 52 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 53 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 54 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 55 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 56 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 57 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 58 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 59 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 60 * SUCH DAMAGE. 
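*
 *	@(#)in_pcb.c	8.2 (Berkeley) 1/4/94
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#include "opt_inet.h"
#include "opt_inet6.h"
#include "opt_mpath.h"

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/priv.h>
#include <sys/protosw.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sockio.h>
#include <sys/sysctl.h>
#include <sys/errno.h>
#include <sys/time.h>
#include <sys/jail.h>
#include <sys/kernel.h>
#include <sys/rmlock.h>
#include <sys/sx.h>

#include <net/if.h>
#include <net/if_var.h>
#include <net/if_dl.h>
#include <net/route.h>
#include <net/route/nhop.h>
#include <net/if_llatbl.h>

#include <netinet/in.h>
#include <netinet/in_var.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/in_pcb.h>
#include <netinet/ip_var.h>
#include <netinet/udp.h>
#include <netinet/udp_var.h>

#include <netinet6/in6_var.h>
#include <netinet/ip6.h>
#include <netinet6/in6_fib.h>
#include <netinet6/in6_pcb.h>
#include <netinet6/ip6_var.h>
#include <netinet6/scope6_var.h>
#include <netinet6/nd6.h>

/* Mutex taken around policy table lookups (see lookup_addrsel_policy()). */
static struct mtx addrsel_lock;
#define	ADDRSEL_LOCK_INIT()	mtx_init(&addrsel_lock, "addrsel_lock", NULL, MTX_DEF)
#define	ADDRSEL_LOCK()		mtx_lock(&addrsel_lock)
#define	ADDRSEL_UNLOCK()	mtx_unlock(&addrsel_lock)
#define	ADDRSEL_LOCK_ASSERT()	mtx_assert(&addrsel_lock, MA_OWNED)

/* Shared/exclusive lock taken, together with the mutex, by table updates. */
static struct sx addrsel_sxlock;
#define	ADDRSEL_SXLOCK_INIT()	sx_init(&addrsel_sxlock, "addrsel_sxlock")
#define	ADDRSEL_SLOCK()		sx_slock(&addrsel_sxlock)
#define	ADDRSEL_SUNLOCK()	sx_sunlock(&addrsel_sxlock)
#define	ADDRSEL_XLOCK()		sx_xlock(&addrsel_sxlock)
#define	ADDRSEL_XUNLOCK()	sx_xunlock(&addrsel_sxlock)

/* Label of the "last resort" policy; rejected as user input by in6_src_ioctl(). */
#define ADDR_LABEL_NOTAPP (-1)
VNET_DEFINE_STATIC(struct in6_addrpolicy, defaultaddrpolicy);
#define	V_defaultaddrpolicy	VNET(defaultaddrpolicy)

VNET_DEFINE(int, ip6_prefer_tempaddr) = 0;

static int selectroute(struct sockaddr_in6 *, struct ip6_pktopts *,
	struct ip6_moptions *, struct route_in6 *, struct ifnet **,
	struct nhop_object **, int, u_int, uint32_t);
static int in6_selectif(struct sockaddr_in6 *, struct ip6_pktopts *,
	struct ip6_moptions *, struct ifnet **,
	struct ifnet *, u_int);
static int in6_selectsrc(uint32_t, struct sockaddr_in6 *,
	struct ip6_pktopts *, struct inpcb *, struct ucred *,
	struct ifnet **, struct in6_addr *);

static struct in6_addrpolicy *lookup_addrsel_policy(struct sockaddr_in6 *);

static void init_policy_queue(void);
static int add_addrsel_policyent(struct in6_addrpolicy *);
static int delete_addrsel_policyent(struct in6_addrpolicy *);
static int walk_addrsel_policy(int (*)(struct in6_addrpolicy *, void *),
	void *);
static int dump_addrsel_policyent(struct in6_addrpolicy *, void *);
static struct in6_addrpolicy *match_addrsel_policy(struct sockaddr_in6 *);

/*
 * Return an IPv6 address, which is the most appropriate for a given
 * destination and user specified options.
 * If necessary, this function looks up the routing table to determine
 * the outgoing interface.
 *
 * The three macros below are only meaningful inside the candidate loop of
 * in6_selectsrc(): they jump to the 'replace', 'next' and 'out' labels at
 * the bottom of the loop body.  REPLACE() and BREAK() also count the rule
 * number that made the decision; NEXT() does not.
 */
#define REPLACE(r) do {\
	IP6STAT_INC(ip6s_sources_rule[(r)]); \
	/* { \
	char ip6buf[INET6_ADDRSTRLEN], ip6b[INET6_ADDRSTRLEN]; \
	printf("in6_selectsrc: replace %s with %s by %d\n", ia_best ? ip6_sprintf(ip6buf, &ia_best->ia_addr.sin6_addr) : "none", ip6_sprintf(ip6b, &ia->ia_addr.sin6_addr), (r)); \
	} */ \
	goto replace; \
} while(0)
#define NEXT(r) do {\
	/* { \
	char ip6buf[INET6_ADDRSTRLEN], ip6b[INET6_ADDRSTRLEN]; \
	printf("in6_selectsrc: keep %s against %s by %d\n", ia_best ? ip6_sprintf(ip6buf, &ia_best->ia_addr.sin6_addr) : "none", ip6_sprintf(ip6b, &ia->ia_addr.sin6_addr), (r)); \
	} */ \
	goto next;		/* XXX: we can't use 'continue' here */ \
} while(0)
#define BREAK(r) do { \
	IP6STAT_INC(ip6s_sources_rule[(r)]); \
	goto out;		/* XXX: we can't use 'break' here */ \
} while(0)

/*
 * Core source address selection.
 *
 * @fibnum:  FIB used to find the outgoing interface when the source is given
 *           explicitly via IPV6_PKTINFO.  In the automatic selection path
 *           the FIB of @inp is used instead when @inp is not NULL.
 * @dstsock: destination; not modified here (a local copy is scoped).
 * @opts:    per-packet options, may be NULL.
 * @inp:     owning PCB, may be NULL (must be locked when given).
 * @cred:    credentials used for the jail checks; may be NULL, in which
 *           case no jail restriction is applied.
 * @ifpp:    optional in/out: on entry an interface hint (ND only), on
 *           success the selected outgoing interface (left NULL when a
 *           bound local address or the jail's primary address is used).
 * @srcp:    out: the selected source address; must not be NULL.
 *
 * Returns 0 on success, EADDRNOTAVAIL when no usable address exists, or
 * the error returned by in6_selectif(), in6_setscope() or
 * prison_local_ip6().
 */
static int
in6_selectsrc(uint32_t fibnum, struct sockaddr_in6 *dstsock,
    struct ip6_pktopts *opts, struct inpcb *inp, struct ucred *cred,
    struct ifnet **ifpp, struct in6_addr *srcp)
{
	struct rm_priotracker in6_ifa_tracker;
	struct in6_addr dst, tmp;
	struct ifnet *ifp = NULL, *oifp = NULL;
	struct in6_ifaddr *ia = NULL, *ia_best = NULL;
	struct in6_pktinfo *pi = NULL;
	int dst_scope = -1, best_scope = -1, best_matchlen = -1;
	struct in6_addrpolicy *dst_policy = NULL, *best_policy = NULL;
	u_int32_t odstzone;
	int prefer_tempaddr;
	int error;
	struct ip6_moptions *mopts;

	KASSERT(srcp != NULL, ("%s: srcp is NULL", __func__));

	dst = dstsock->sin6_addr; /* make a copy for local operation */
	if (ifpp) {
		/*
		 * Save a possibly passed in ifp for in6_selectsrc. Only
		 * neighbor discovery code should use this feature, where
		 * we may know the interface but not the FIB number holding
		 * the connected subnet in case someone deleted it from the
		 * default FIB and we need to check the interface.
		 */
		if (*ifpp != NULL)
			oifp = *ifpp;
		*ifpp = NULL;
	}

	if (inp != NULL) {
		INP_LOCK_ASSERT(inp);
		mopts = inp->in6p_moptions;
	} else {
		mopts = NULL;
	}

	/*
	 * If the source address is explicitly specified by the caller,
	 * check if the requested source address is indeed a unicast address
	 * assigned to the node, and can be used as the packet's source
	 * address.  If everything is okay, use the address as source.
	 */
	if (opts && (pi = opts->ip6po_pktinfo) &&
	    !IN6_IS_ADDR_UNSPECIFIED(&pi->ipi6_addr)) {
		/* get the outgoing interface */
		if ((error = in6_selectif(dstsock, opts, mopts, &ifp, oifp,
		    fibnum))
		    != 0)
			return (error);

		/*
		 * determine the appropriate zone id of the source based on
		 * the zone of the destination and the outgoing interface.
		 * If the specified address is ambiguous wrt the scope zone,
		 * the interface must be specified; otherwise, ifa_ifwithaddr()
		 * will fail matching the address.
		 */
		tmp = pi->ipi6_addr;
		if (ifp) {
			error = in6_setscope(&tmp, ifp, &odstzone);
			if (error)
				return (error);
		}
		/*
		 * inp may be NULL for this function (see above), so guard
		 * the flag test the same way the jail check at the end of
		 * the function does.
		 */
		if (cred != NULL && (error = prison_local_ip6(cred,
		    &tmp, (inp != NULL &&
		    (inp->inp_flags & IN6P_IPV6_V6ONLY) != 0))) != 0)
			return (error);

		/*
		 * If IPV6_BINDANY socket option is set, we allow to specify
		 * non local addresses as source address in IPV6_PKTINFO
		 * ancillary data.  Without a PCB there is no such option,
		 * so the address must be a usable local one.
		 */
		if (inp == NULL || (inp->inp_flags & INP_BINDANY) == 0) {
			ia = in6ifa_ifwithaddr(&tmp, 0 /* XXX */);
			if (ia == NULL || (ia->ia6_flags & (IN6_IFF_ANYCAST |
			    IN6_IFF_NOTREADY))) {
				if (ia != NULL)
					ifa_free(&ia->ia_ifa);
				return (EADDRNOTAVAIL);
			}
			bcopy(&ia->ia_addr.sin6_addr, srcp, sizeof(*srcp));
			ifa_free(&ia->ia_ifa);
		} else
			bcopy(&tmp, srcp, sizeof(*srcp));
		pi->ipi6_addr = tmp; /* XXX: this overrides pi */
		if (ifpp)
			*ifpp = ifp;
		return (0);
	}

	/*
	 * Otherwise, if the socket has already bound the source, just use it.
	 */
	if (inp != NULL && !IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr)) {
		if (cred != NULL &&
		    (error = prison_local_ip6(cred, &inp->in6p_laddr,
		    ((inp->inp_flags & IN6P_IPV6_V6ONLY) != 0))) != 0)
			return (error);
		bcopy(&inp->in6p_laddr, srcp, sizeof(*srcp));
		return (0);
	}

	/*
	 * Bypass source address selection and use the primary jail IP
	 * if requested.
	 */
	if (cred != NULL && !prison_saddrsel_ip6(cred, srcp))
		return (0);

	/*
	 * If the address is not specified, choose the best one based on
	 * the outgoing interface and the destination address.
	 */
	/* get the outgoing interface */
	if ((error = in6_selectif(dstsock, opts, mopts, &ifp, oifp,
	    (inp != NULL) ? inp->inp_inc.inc_fibnum : fibnum)) != 0)
		return (error);

#ifdef DIAGNOSTIC
	if (ifp == NULL)	/* this should not happen */
		panic("in6_selectsrc: NULL ifp");
#endif
	error = in6_setscope(&dst, ifp, &odstzone);
	if (error)
		return (error);

	IN6_IFADDR_RLOCK(&in6_ifa_tracker);
	CK_STAILQ_FOREACH(ia, &V_in6_ifaddrhead, ia_link) {
		int new_scope = -1, new_matchlen = -1;
		struct in6_addrpolicy *new_policy = NULL;
		u_int32_t srczone, osrczone, dstzone;
		struct in6_addr src;
		struct ifnet *ifp1 = ia->ia_ifp;

		/*
		 * We'll never take an address that breaks the scope zone
		 * of the destination.  We also skip an address if its zone
		 * does not contain the outgoing interface.
		 * XXX: we should probably use sin6_scope_id here.
		 */
		if (in6_setscope(&dst, ifp1, &dstzone) ||
		    odstzone != dstzone) {
			continue;
		}
		src = ia->ia_addr.sin6_addr;
		if (in6_setscope(&src, ifp, &osrczone) ||
		    in6_setscope(&src, ifp1, &srczone) ||
		    osrczone != srczone) {
			continue;
		}

		/* avoid unusable addresses */
		if ((ia->ia6_flags &
		     (IN6_IFF_NOTREADY | IN6_IFF_ANYCAST | IN6_IFF_DETACHED))) {
				continue;
		}
		if (!V_ip6_use_deprecated && IFA6_IS_DEPRECATED(ia))
			continue;

		/* If jailed only take addresses of the jail into account. */
		if (cred != NULL &&
		    prison_check_ip6(cred, &ia->ia_addr.sin6_addr) != 0)
			continue;

		/* Rule 1: Prefer same address */
		if (IN6_ARE_ADDR_EQUAL(&dst, &ia->ia_addr.sin6_addr)) {
			ia_best = ia;
			BREAK(1); /* there should be no better candidate */
		}

		if (ia_best == NULL)
			REPLACE(0);

		/* Rule 2: Prefer appropriate scope */
		if (dst_scope < 0)
			dst_scope = in6_addrscope(&dst);
		new_scope = in6_addrscope(&ia->ia_addr.sin6_addr);
		if (IN6_ARE_SCOPE_CMP(best_scope, new_scope) < 0) {
			if (IN6_ARE_SCOPE_CMP(best_scope, dst_scope) < 0)
				REPLACE(2);
			NEXT(2);
		} else if (IN6_ARE_SCOPE_CMP(new_scope, best_scope) < 0) {
			if (IN6_ARE_SCOPE_CMP(new_scope, dst_scope) < 0)
				NEXT(2);
			REPLACE(2);
		}

		/*
		 * Rule 3: Avoid deprecated addresses.  Note that the case of
		 * !ip6_use_deprecated is already rejected above.
		 */
		if (!IFA6_IS_DEPRECATED(ia_best) && IFA6_IS_DEPRECATED(ia))
			NEXT(3);
		if (IFA6_IS_DEPRECATED(ia_best) && !IFA6_IS_DEPRECATED(ia))
			REPLACE(3);

		/* Rule 4: Prefer home addresses */
		/*
		 * XXX: This is a TODO.  We should probably merge the MIP6
		 * case above.
		 */

		/* Rule 5: Prefer outgoing interface */
		if (!(ND_IFINFO(ifp)->flags & ND6_IFF_NO_PREFER_IFACE)) {
			if (ia_best->ia_ifp == ifp && ia->ia_ifp != ifp)
				NEXT(5);
			if (ia_best->ia_ifp != ifp && ia->ia_ifp == ifp)
				REPLACE(5);
		}

		/*
		 * Rule 6: Prefer matching label
		 * Note that best_policy should be non-NULL here.
		 * NOTE(review): the policy pointers are used here after
		 * lookup_addrsel_policy() has dropped its lock; confirm
		 * entries cannot be freed while this loop runs.
		 */
		if (dst_policy == NULL)
			dst_policy = lookup_addrsel_policy(dstsock);
		if (dst_policy->label != ADDR_LABEL_NOTAPP) {
			new_policy = lookup_addrsel_policy(&ia->ia_addr);
			if (dst_policy->label == best_policy->label &&
			    dst_policy->label != new_policy->label)
				NEXT(6);
			if (dst_policy->label != best_policy->label &&
			    dst_policy->label == new_policy->label)
				REPLACE(6);
		}

		/*
		 * Rule 7: Prefer public addresses.
		 * We allow users to reverse the logic by configuring
		 * a sysctl variable, so that privacy conscious users can
		 * always prefer temporary addresses.
		 */
		if (opts == NULL ||
		    opts->ip6po_prefer_tempaddr == IP6PO_TEMPADDR_SYSTEM) {
			prefer_tempaddr = V_ip6_prefer_tempaddr;
		} else if (opts->ip6po_prefer_tempaddr ==
		    IP6PO_TEMPADDR_NOTPREFER) {
			prefer_tempaddr = 0;
		} else
			prefer_tempaddr = 1;
		if (!(ia_best->ia6_flags & IN6_IFF_TEMPORARY) &&
		    (ia->ia6_flags & IN6_IFF_TEMPORARY)) {
			if (prefer_tempaddr)
				REPLACE(7);
			else
				NEXT(7);
		}
		if ((ia_best->ia6_flags & IN6_IFF_TEMPORARY) &&
		    !(ia->ia6_flags & IN6_IFF_TEMPORARY)) {
			if (prefer_tempaddr)
				NEXT(7);
			else
				REPLACE(7);
		}

		/*
		 * Rule 8: prefer addresses on alive interfaces.
		 * This is a KAME specific rule.
		 */
		if ((ia_best->ia_ifp->if_flags & IFF_UP) &&
		    !(ia->ia_ifp->if_flags & IFF_UP))
			NEXT(8);
		if (!(ia_best->ia_ifp->if_flags & IFF_UP) &&
		    (ia->ia_ifp->if_flags & IFF_UP))
			REPLACE(8);

		/*
		 * Rule 9: prefer address with better virtual status.
		 */
		if (ifa_preferred(&ia_best->ia_ifa, &ia->ia_ifa))
			REPLACE(9);
		if (ifa_preferred(&ia->ia_ifa, &ia_best->ia_ifa))
			NEXT(9);

		/*
		 * Rule 10: prefer address with `prefer_source' flag.
		 */
		if ((ia_best->ia6_flags & IN6_IFF_PREFER_SOURCE) == 0 &&
		    (ia->ia6_flags & IN6_IFF_PREFER_SOURCE) != 0)
			REPLACE(10);
		if ((ia_best->ia6_flags & IN6_IFF_PREFER_SOURCE) != 0 &&
		    (ia->ia6_flags & IN6_IFF_PREFER_SOURCE) == 0)
			NEXT(10);

		/*
		 * Rule 14: Use longest matching prefix.
		 * Note: in the address selection draft, this rule is
		 * documented as "Rule 8".  However, since it is also
		 * documented that this rule can be overridden, we assign
		 * a large number so that it is easy to assign smaller numbers
		 * to more preferred rules.
		 */
		new_matchlen = in6_matchlen(&ia->ia_addr.sin6_addr, &dst);
		if (best_matchlen < new_matchlen)
			REPLACE(14);
		if (new_matchlen < best_matchlen)
			NEXT(14);

		/* Rule 15 is reserved. */

		/*
		 * Last resort: just keep the current candidate.
		 * Or, do we need more rules?
		 */
		continue;

	  replace:
		ia_best = ia;
		best_scope = (new_scope >= 0 ? new_scope :
			      in6_addrscope(&ia_best->ia_addr.sin6_addr));
		best_policy = (new_policy ? new_policy :
			       lookup_addrsel_policy(&ia_best->ia_addr));
		best_matchlen = (new_matchlen >= 0 ? new_matchlen :
				 in6_matchlen(&ia_best->ia_addr.sin6_addr,
					      &dst));

	  next:
		continue;

	  out:
		break;
	}

	if ((ia = ia_best) == NULL) {
		IN6_IFADDR_RUNLOCK(&in6_ifa_tracker);
		IP6STAT_INC(ip6s_sources_none);
		return (EADDRNOTAVAIL);
	}

	/*
	 * At this point at least one of the addresses belonged to the jail
	 * but it could still be, that we want to further restrict it, e.g.
	 * theoretically IN6_IS_ADDR_LOOPBACK.
	 * It must not be IN6_IS_ADDR_UNSPECIFIED anymore.
	 * prison_local_ip6() will fix an IN6_IS_ADDR_LOOPBACK but should
	 * let all others previously selected pass.
	 * Use tmp to not change ::1 on lo0 to the primary jail address.
	 */
	tmp = ia->ia_addr.sin6_addr;
	if (cred != NULL && prison_local_ip6(cred, &tmp, (inp != NULL &&
	    (inp->inp_flags & IN6P_IPV6_V6ONLY) != 0)) != 0) {
		IN6_IFADDR_RUNLOCK(&in6_ifa_tracker);
		IP6STAT_INC(ip6s_sources_none);
		return (EADDRNOTAVAIL);
	}

	if (ifpp)
		*ifpp = ifp;

	bcopy(&tmp, srcp, sizeof(*srcp));

	/*
	 * Rule 1 leaves the loop through BREAK(), which skips the 'replace'
	 * label, so best_scope may still describe an earlier candidate or
	 * be -1; dst_scope is only computed once Rule 2 is reached.  Refresh
	 * both so the per-scope counters below are never indexed with -1 or
	 * a stale value.  For every other exit this recomputes the value
	 * 'replace' already stored.
	 * NOTE(review): in6_addrscope() is assumed to return a valid index
	 * for the per-scope counter arrays -- confirm against their size.
	 */
	best_scope = in6_addrscope(&ia->ia_addr.sin6_addr);
	if (dst_scope < 0)
		dst_scope = in6_addrscope(&dst);

	if (ia->ia_ifp == ifp)
		IP6STAT_INC(ip6s_sources_sameif[best_scope]);
	else
		IP6STAT_INC(ip6s_sources_otherif[best_scope]);
	if (dst_scope == best_scope)
		IP6STAT_INC(ip6s_sources_samescope[best_scope]);
	else
		IP6STAT_INC(ip6s_sources_otherscope[best_scope]);
	if (IFA6_IS_DEPRECATED(ia))
		IP6STAT_INC(ip6s_sources_deprecated[best_scope]);
	IN6_IFADDR_RUNLOCK(&in6_ifa_tracker);
	return (0);
}

/*
 * Select source address based on @inp, @dstsock and @opts.
 * Stores selected address to @srcp. If @scope_ambiguous is set,
 * embed scope from selected outgoing interface. If @hlim pointer
 * is provided, stores calculated hop limit there.
 * Returns 0 on success.
 *
 * @inp is dereferenced unconditionally and must not be NULL.
 */
int
in6_selectsrc_socket(struct sockaddr_in6 *dstsock, struct ip6_pktopts *opts,
    struct inpcb *inp, struct ucred *cred, int scope_ambiguous,
    struct in6_addr *srcp, int *hlim)
{
	struct ifnet *retifp;
	uint32_t fibnum;
	int error;

	fibnum = inp->inp_inc.inc_fibnum;
	retifp = NULL;

	error = in6_selectsrc(fibnum, dstsock, opts, inp, cred, &retifp, srcp);
	if (error != 0)
		return (error);

	if (hlim != NULL)
		*hlim = in6_selecthlim(inp, retifp);

	if (retifp == NULL || scope_ambiguous == 0)
		return (0);

	/*
	 * Application should provide a proper zone ID or the use of
	 * default zone IDs should be enabled.  Unfortunately, some
	 * applications do not behave as they should, so we need a
	 * workaround.  Even if an appropriate ID is not determined
	 * (when it's required), if we can determine the outgoing
	 * interface, determine the zone ID based on the interface.
	 * Note that this writes the zone into the caller's @dstsock.
	 */
	error = in6_setscope(&dstsock->sin6_addr, retifp, NULL);

	return (error);
}

/*
 * Select source address based on @fibnum, @dst and @scopeid.
 * Stores selected address to @srcp.
 * Returns 0 on success.
 *
 * Used by non-socket based consumers (ND code mostly).
 * No options, PCB or credentials are passed down, so no jail restriction
 * is applied here.  @ifp is handed to in6_selectsrc() as the interface
 * hint.  When @hlim is provided it is filled in even if selection fails.
 */
int
in6_selectsrc_addr(uint32_t fibnum, const struct in6_addr *dst,
    uint32_t scopeid, struct ifnet *ifp, struct in6_addr *srcp,
    int *hlim)
{
	struct ifnet *retifp;
	struct sockaddr_in6 dst_sa;
	int error;

	retifp = ifp;
	bzero(&dst_sa, sizeof(dst_sa));
	dst_sa.sin6_family = AF_INET6;
	dst_sa.sin6_len = sizeof(dst_sa);
	dst_sa.sin6_addr = *dst;
	dst_sa.sin6_scope_id = scopeid;
	sa6_embedscope(&dst_sa, 0);

	error = in6_selectsrc(fibnum, &dst_sa, NULL, NULL, NULL, &retifp, srcp);
	if (hlim != NULL)
		*hlim = in6_selecthlim(NULL, retifp);

	return (error);
}

/*
 * Determine the outgoing interface and, optionally, the next hop for
 * @dstsock.
 *
 * Hints are tried in this order: the interface index from IPV6_PKTINFO,
 * the multicast interface from @mopts, the zone embedded in a link- or
 * node-local multicast destination, the caller-specified next hop, and
 * finally a lookup through the cached route @ro.
 *
 * @retifp and @retnh are optional outputs; *retnh may be set to NULL.
 * When @norouteok is non-zero a valid pktinfo interface is accepted
 * without a route lookup.
 * Returns 0 on success or EHOSTUNREACH (counted in ip6s_noroute).
 */
static int
selectroute(struct sockaddr_in6 *dstsock, struct ip6_pktopts *opts,
    struct ip6_moptions *mopts, struct route_in6 *ro,
    struct ifnet **retifp, struct nhop_object **retnh, int norouteok,
    u_int fibnum, uint32_t flowid)
{
	int error = 0;
	struct ifnet *ifp = NULL;
	struct nhop_object *nh = NULL;
	struct sockaddr_in6 *sin6_next;
	struct in6_pktinfo *pi = NULL;
	struct in6_addr *dst = &dstsock->sin6_addr;
	uint32_t zoneid;
#if 0
	char ip6buf[INET6_ADDRSTRLEN];

	if (dstsock->sin6_addr.s6_addr32[0] == 0 &&
	    dstsock->sin6_addr.s6_addr32[1] == 0 &&
	    !IN6_IS_ADDR_LOOPBACK(&dstsock->sin6_addr)) {
		printf("%s: strange destination %s\n", __func__,
		       ip6_sprintf(ip6buf, &dstsock->sin6_addr));
	} else {
		printf("%s: destination = %s%%%d\n", __func__,
		       ip6_sprintf(ip6buf, &dstsock->sin6_addr),
		       dstsock->sin6_scope_id); /* for debug */
	}
#endif

	/* If the caller specifies the outgoing interface explicitly, use it. */
	if (opts && (pi = opts->ip6po_pktinfo) != NULL && pi->ipi6_ifindex) {
		/*
		 * XXX boundary check is assumed to be already done.
		 * A NULL result from the lookup falls through to the
		 * route lookup below.
		 */
		ifp = ifnet_byindex(pi->ipi6_ifindex);
		if (ifp != NULL &&
		    (norouteok || retnh == NULL ||
		    IN6_IS_ADDR_MULTICAST(dst))) {
			/*
			 * we do not have to check or get the route for
			 * multicast.
			 */
			goto done;
		} else
			goto getroute;
	}
	/*
	 * If the destination address is a multicast address and the outgoing
	 * interface for the address is specified by the caller, use it.
	 */
	if (IN6_IS_ADDR_MULTICAST(dst) &&
	    mopts != NULL && (ifp = mopts->im6o_multicast_ifp) != NULL) {
		goto done; /* we do not need a route for multicast. */
	}
	/*
	 * If destination address is LLA or link- or node-local multicast,
	 * use its embedded scope zone id to determine outgoing interface.
	 * NOTE(review): only the two multicast cases are tested below;
	 * a unicast link-local destination goes on to the route lookup --
	 * confirm this matches the intent of the comment above.
	 */
	if (IN6_IS_ADDR_MC_LINKLOCAL(dst) ||
	    IN6_IS_ADDR_MC_NODELOCAL(dst)) {
		zoneid = ntohs(in6_getscope(dst));
		if (zoneid > 0) {
			/* A NULL ifp is turned into EHOSTUNREACH at 'done'. */
			ifp = in6_getlinkifnet(zoneid);
			goto done;
		}
	}

  getroute:
	/*
	 * If the next hop address for the packet is specified by the caller,
	 * use it as the gateway.
	 */
	if (opts && opts->ip6po_nexthop) {
		struct route_in6 *ron;

		sin6_next = satosin6(opts->ip6po_nexthop);
		if (IN6_IS_ADDR_LINKLOCAL(&sin6_next->sin6_addr)) {
			/*
			 * Next hop is LLA, thus it should be neighbor.
			 * Determine outgoing interface by zone index.
			 */
			zoneid = ntohs(in6_getscope(&sin6_next->sin6_addr));
			if (zoneid > 0) {
				ifp = in6_getlinkifnet(zoneid);
				goto done;
			}
		}
		ron = &opts->ip6po_nextroute;
		/* Use a cached route if it exists and is valid. */
		if (ron->ro_nh != NULL && (
		    !NH_IS_VALID(ron->ro_nh) ||
		    ron->ro_dst.sin6_family != AF_INET6 ||
		    !IN6_ARE_ADDR_EQUAL(&ron->ro_dst.sin6_addr,
			&sin6_next->sin6_addr)))
			RO_NHFREE(ron);
		if (ron->ro_nh == NULL) {
			ron->ro_dst = *sin6_next;
			/*
			 * sin6_next is not link-local OR scopeid is 0,
			 * no need to clear scope
			 */
			ron->ro_nh = fib6_lookup(fibnum,
			    &sin6_next->sin6_addr, 0, NHR_REF, flowid);
		}
		/*
		 * The node identified by that address must be a
		 * neighbor of the sending host.
		 */
		if (ron->ro_nh == NULL ||
		    (ron->ro_nh->nh_flags & NHF_GATEWAY) != 0)
			error = EHOSTUNREACH;
		else {
			nh = ron->ro_nh;
			ifp = nh->nh_ifp;
		}
		goto done;
	}

	/*
	 * Use a cached route if it exists and is valid, else try to allocate
	 * a new one.  Note that we should check the address family of the
	 * cached destination, in case of sharing the cache with IPv4.
	 */
	if (ro) {
		if (ro->ro_nh &&
		    (!NH_IS_VALID(ro->ro_nh) ||
		     ((struct sockaddr *)(&ro->ro_dst))->sa_family != AF_INET6 ||
		     !IN6_ARE_ADDR_EQUAL(&satosin6(&ro->ro_dst)->sin6_addr,
		     dst))) {
			RO_NHFREE(ro);
		}
		if (ro->ro_nh == (struct nhop_object *)NULL) {
			struct sockaddr_in6 *sa6;

			/* No route yet, so try to acquire one */
			bzero(&ro->ro_dst, sizeof(struct sockaddr_in6));
			sa6 = (struct sockaddr_in6 *)&ro->ro_dst;
			*sa6 = *dstsock;
			sa6->sin6_scope_id = 0;

			/*
			 * Currently dst has scopeid embedded iff it is LL.
			 * New routing API accepts scopeid as a separate argument.
			 * Convert dst before/after doing lookup
			 */
			uint32_t scopeid = 0;
			if (IN6_IS_SCOPE_LINKLOCAL(&sa6->sin6_addr)) {
				/* Unwrap in6_getscope() and in6_clearscope() */
				scopeid = ntohs(sa6->sin6_addr.s6_addr16[1]);
				sa6->sin6_addr.s6_addr16[1] = 0;

			}

			ro->ro_nh = fib6_lookup(fibnum,
			    &sa6->sin6_addr, scopeid, NHR_REF, flowid);

			if (IN6_IS_SCOPE_LINKLOCAL(&sa6->sin6_addr))
				sa6->sin6_addr.s6_addr16[1] = htons(scopeid);
		}

		/*
		 * do not care about the result if we have the nexthop
		 * explicitly specified.
		 */
		if (opts && opts->ip6po_nexthop)
			goto done;

		if (ro->ro_nh)
			ifp = ro->ro_nh->nh_ifp;
		else
			error = EHOSTUNREACH;
		nh = ro->ro_nh;

		/*
		 * Check if the outgoing interface conflicts with
		 * the interface specified by ipi6_ifindex (if specified).
		 * Note that loopback interface is always okay.
		 * (this may happen when we are sending a packet to one of
		 *  our own addresses.)
		 */
		if (ifp && opts && opts->ip6po_pktinfo &&
		    opts->ip6po_pktinfo->ipi6_ifindex) {
			if (!(ifp->if_flags & IFF_LOOPBACK) &&
			    ifp->if_index !=
			    opts->ip6po_pktinfo->ipi6_ifindex) {
				error = EHOSTUNREACH;
				goto done;
			}
		}
	}

  done:
	if (ifp == NULL && nh == NULL) {
		/*
		 * This can happen if the caller did not pass a cached route
		 * nor any other hints.  We treat this case as an error.
		 */
		error = EHOSTUNREACH;
	}
	if (error == EHOSTUNREACH)
		IP6STAT_INC(ip6s_noroute);

	if (retifp != NULL) {
		if (nh != NULL)
			*retifp = nh->nh_aifp;
		else
			*retifp = ifp;
	}

	if (retnh != NULL)
		*retnh = nh;	/* nh may be NULL */

	return (error);
}

/*
 * Determine the outgoing interface for @dstsock and store it in @retifp
 * (which must not be NULL).  The lookup uses a temporary route that is
 * released before returning.
 *
 * When the lookup fails but the caller supplied @oifp and @fibnum is the
 * default FIB, @oifp is returned and the error is cleared.
 * Returns 0 on success, the error from selectroute(), or
 * EHOSTUNREACH/ENETUNREACH for a reject or blackhole route.
 */
static int
in6_selectif(struct sockaddr_in6 *dstsock, struct ip6_pktopts *opts,
    struct ip6_moptions *mopts, struct ifnet **retifp,
    struct ifnet *oifp, u_int fibnum)
{
	int error;
	struct route_in6 sro;
	struct nhop_object *nh = NULL;
	uint16_t nh_flags;

	KASSERT(retifp != NULL, ("%s: retifp is NULL", __func__));

	bzero(&sro, sizeof(sro));
	nh_flags = 0;

	error = selectroute(dstsock, opts, mopts, &sro, retifp, &nh, 1, fibnum, 0);

	/* Copy the flags first: nh must not be touched after NH_FREE(). */
	if (nh != NULL)
		nh_flags = nh->nh_flags;
	if (nh != NULL && nh == sro.ro_nh)
		NH_FREE(nh);

	if (error != 0) {
		/* Help ND. See oifp comment in in6_selectsrc(). */
		if (oifp != NULL && fibnum == RT_DEFAULT_FIB) {
			*retifp = oifp;
			error = 0;
		}
		return (error);
	}

	/*
	 * do not use a rejected or black hole route.
	 * XXX: this check should be done in the L2 output routine.
	 * However, if we skipped this check here, we'd see the following
	 * scenario:
	 * - install a rejected route for a scoped address prefix
	 *   (like fe80::/10)
	 * - send a packet to a destination that matches the scoped prefix,
	 *   with ambiguity about the scope zone.
	 * - pick the outgoing interface from the route, and disambiguate the
	 *   scope zone with the interface.
	 * - ip6_output() would try to get another route with the "new"
	 *   destination, which may be valid.
	 * - we'd see no error on output.
	 * Although this may not be very harmful, it should still be confusing.
	 * We thus reject the case here.
	 */

	if (nh_flags & (NHF_REJECT | NHF_BLACKHOLE)) {
		error = (nh_flags & NHF_HOST ? EHOSTUNREACH : ENETUNREACH);
		return (error);
	}

	return (0);
}

/*
 * Public wrapper function to selectroute().
 * Calls it with norouteok set to 0.
 */
int
in6_selectroute(struct sockaddr_in6 *dstsock, struct ip6_pktopts *opts,
    struct ip6_moptions *mopts, struct route_in6 *ro,
    struct ifnet **retifp, struct nhop_object **retnh, u_int fibnum, uint32_t flowid)
{

	return (selectroute(dstsock, opts, mopts, ro, retifp,
	    retnh, 0, fibnum, flowid));
}

/*
 * Default hop limit selection.  The precedence is as follows:
 * 1. Hoplimit value specified via ioctl.
 * 2. (If the outgoing interface is detected) the current
 *     hop limit of the interface specified by router advertisement.
 * 3. (If the PCB has a foreign address) the current hop limit of the
 *     interface found by a route lookup for that address.
 * 4. The system default hoplimit.
 *
 * Both @inp and @ifp may be NULL.
 */
int
in6_selecthlim(struct inpcb *inp, struct ifnet *ifp)
{

	if (inp && inp->in6p_hops >= 0)
		return (inp->in6p_hops);
	else if (ifp)
		return (ND_IFINFO(ifp)->chlim);
	else if (inp && !IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_faddr)) {
		struct nhop_object *nh;
		struct in6_addr dst;
		uint32_t fibnum, scopeid;
		int hlim;

		fibnum = inp->inp_inc.inc_fibnum;
		in6_splitscope(&inp->in6p_faddr, &dst, &scopeid);
		nh = fib6_lookup(fibnum, &dst, scopeid, 0, 0);
		if (nh != NULL) {
			hlim = ND_IFINFO(nh->nh_ifp)->chlim;
			return (hlim);
		}
	}
	return (V_ip6_defhlim);
}

/*
 * XXX: this is borrowed from in6_pcbbind(). If possible, we should
 * share this function by all *bsd*...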
*/
/*
 * Pick an anonymous local port for @inp and insert the PCB into the hash.
 *
 * @laddr is first checked (and possibly rewritten) by prison_local_ip6()
 * against the jail of @cred.  The caller must hold the PCB write lock and
 * the PCB hash write lock.
 * Returns 0 on success, the error from prison_local_ip6() or
 * in_pcb_lport(), or EAGAIN when the hash insertion fails.
 */
int
in6_pcbsetport(struct in6_addr *laddr, struct inpcb *inp, struct ucred *cred)
{
	struct socket *sock;
	u_int16_t port;
	int flags, rc;
#ifdef INVARIANTS
	struct inpcbinfo *pcbinfo = inp->inp_pcbinfo;
#endif

	INP_WLOCK_ASSERT(inp);
	INP_HASH_WLOCK_ASSERT(pcbinfo);

	sock = inp->inp_socket;
	port = 0;

	/* Jail restriction on the local address comes first. */
	rc = prison_local_ip6(cred, laddr,
	    (inp->inp_flags & IN6P_IPV6_V6ONLY) != 0);
	if (rc != 0)
		return (rc);

	/* XXX: this is redundant when called from in6_pcbbind */
	flags = 0;
	if ((sock->so_options &
	    (SO_REUSEADDR | SO_REUSEPORT | SO_REUSEPORT_LB)) == 0)
		flags = INPLOOKUP_WILDCARD;

	inp->inp_flags |= INP_ANONPORT;

	rc = in_pcb_lport(inp, NULL, &port, cred, flags);
	if (rc != 0)
		return (rc);

	inp->inp_lport = port;
	if (in_pcbinshash(inp) == 0)
		return (0);

	/* Hash insertion failed: undo the binding. */
	inp->in6p_laddr = in6addr_any;
	inp->inp_lport = 0;
	return (EAGAIN);
}

/*
 * Initialize the address selection policy state for the current vnet.
 * The two global locks are set up only once, from the default vnet.
 */
void
addrsel_policy_init(void)
{

	init_policy_queue();

	/* initialize the "last resort" policy */
	bzero(&V_defaultaddrpolicy, sizeof(V_defaultaddrpolicy));
	V_defaultaddrpolicy.label = ADDR_LABEL_NOTAPP;

	if (IS_DEFAULT_VNET(curvnet)) {
		ADDRSEL_LOCK_INIT();
		ADDRSEL_SXLOCK_INIT();
	}
}

/*
 * Return the policy entry matching @key, or the default policy when
 * nothing matches.  The use counter of a matched entry is incremented.
 *
 * The pointer is returned after the lock has been dropped.
 * NOTE(review): confirm that an entry cannot be freed by a concurrent
 * delete while a caller still holds the returned pointer.
 */
static struct in6_addrpolicy *
lookup_addrsel_policy(struct sockaddr_in6 *key)
{
	struct in6_addrpolicy *found;

	ADDRSEL_LOCK();
	found = match_addrsel_policy(key);
	if (found != NULL)
		found->use++;
	else
		found = &V_defaultaddrpolicy;
	ADDRSEL_UNLOCK();

	return (found);
}

/*
 * Subroutines to manage the address selection policy table via sysctl.
*/
/* Context handed to the table walker: the sysctl request being served. */
struct walkarg {
	struct sysctl_req *w_req;
};

static int in6_src_sysctl(SYSCTL_HANDLER_ARGS);
SYSCTL_DECL(_net_inet6_ip6);
static SYSCTL_NODE(_net_inet6_ip6, IPV6CTL_ADDRCTLPOLICY, addrctlpolicy,
	CTLFLAG_RD | CTLFLAG_MPSAFE, in6_src_sysctl,
	"");

/*
 * Read-only sysctl handler: copy every policy table entry out to the
 * requester.  The node is declared CTLFLAG_RD, and any request carrying
 * new data is additionally refused here with EPERM.
 */
static int
in6_src_sysctl(SYSCTL_HANDLER_ARGS)
{
	struct walkarg w;

	/* Writes are never accepted through this node. */
	if (req->newptr)
		return (EPERM);

	bzero(&w, sizeof(w));
	w.w_req = req;

	return (walk_addrsel_policy(dump_addrsel_policyent, &w));
}

/*
 * Add (SIOCAADDRCTL_POLICY) or delete (SIOCDADDRCTL_POLICY) one address
 * selection policy entry.  Any other command yields EOPNOTSUPP.
 *
 * data is read as a struct in6_addrpolicy.  The copy is rejected with
 * EINVAL when its label is ADDR_LABEL_NOTAPP or when in6_mask2len() does
 * not accept the prefix mask; the prefix address is then masked and the
 * use counter reset before the entry is passed on.
 *
 * NOTE(review): no privilege check is made in this function; presumably
 * the ioctl path that calls it has already done so -- confirm.
 * NOTE(review): only the sin6_addr parts of addr and addrmask are
 * checked or normalized here.  The remaining fields are stored as
 * supplied and are later returned by the sysctl dump.
 */
int
in6_src_ioctl(u_long cmd, caddr_t data)
{
	struct in6_addrpolicy ent;

	if (cmd != SIOCAADDRCTL_POLICY && cmd != SIOCDADDRCTL_POLICY)
		return (EOPNOTSUPP);	/* check for safety */

	/* Work on a private copy so the checks and the use see one value. */
	ent = *(struct in6_addrpolicy *)data;

	if (ent.label == ADDR_LABEL_NOTAPP)
		return (EINVAL);
	/* The prefix mask must be a run of consecutive bits. */
	if (in6_mask2len(&ent.addrmask.sin6_addr, NULL) < 0)
		return (EINVAL);
	/* Clear any bits of the prefix address that lie outside the mask. */
	IN6_MASK_ADDR(&ent.addr.sin6_addr, &ent.addrmask.sin6_addr);
	ent.use = 0;

	/* cmd is one of the two commands accepted at the top. */
	if (cmd == SIOCAADDRCTL_POLICY)
		return (add_addrsel_policyent(&ent));
	return (delete_addrsel_policyent(&ent));
}

/*
 * What follows is the implementation of the policy table as a
 * simple tail queue.
 * XXX such details should be hidden.
 * XXX implementation using binary tree should be more efficient.
*/
/* One policy table entry: queue linkage plus the policy itself. */
struct addrsel_policyent {
	TAILQ_ENTRY(addrsel_policyent) ape_entry;
	struct in6_addrpolicy ape_policy;
};

TAILQ_HEAD(addrsel_policyhead, addrsel_policyent);

VNET_DEFINE_STATIC(struct addrsel_policyhead, addrsel_policytab);
#define	V_addrsel_policytab		VNET(addrsel_policytab)

/* Make the current vnet's policy table an empty queue. */
static void
init_policy_queue(void)
{

	TAILQ_INIT(&V_addrsel_policytab);
}

/*
 * Append a copy of *newpolicy to the policy table.
 *
 * Returns EEXIST (and adds nothing) when an entry with the same prefix
 * address and mask is already present, 0 otherwise.  Writers take
 * ADDRSEL_XLOCK and then ADDRSEL_LOCK, and release them in reverse order.
 */
static int
add_addrsel_policyent(struct in6_addrpolicy *newpolicy)
{
	struct addrsel_policyent *ent, *cur;
	int error = 0;

	/*
	 * Allocate before taking the locks.  The result is not checked for
	 * NULL because the request is made with M_WAITOK.
	 */
	ent = malloc(sizeof(*ent), M_IFADDR,
	    M_WAITOK);
	ADDRSEL_XLOCK();
	ADDRSEL_LOCK();

	/* duplication check */
	TAILQ_FOREACH(cur, &V_addrsel_policytab, ape_entry) {
		if (IN6_ARE_ADDR_EQUAL(&newpolicy->addr.sin6_addr,
		    &cur->ape_policy.addr.sin6_addr) &&
		    IN6_ARE_ADDR_EQUAL(&newpolicy->addrmask.sin6_addr,
		    &cur->ape_policy.addrmask.sin6_addr)) {
			error = EEXIST;	/* or override it? */
			break;
		}
	}

	if (error == 0) {
		/*
		 * Zero the whole entry before filling it in.  Policies are
		 * later copied out to userland as whole structures by
		 * dump_addrsel_policyent(), so no byte of the entry should
		 * be left holding stale heap contents.
		 */
		bzero(ent, sizeof(*ent));

		/* XXX: should validate entry */
		ent->ape_policy = *newpolicy;

		TAILQ_INSERT_TAIL(&V_addrsel_policytab, ent, ape_entry);
	}
	ADDRSEL_UNLOCK();
	ADDRSEL_XUNLOCK();

	/* The unused allocation is released only after the locks are dropped. */
	if (error != 0)
		free(ent, M_IFADDR);

	return (error);
}

/*
 * Remove the entry whose prefix address and mask equal those of *key.
 *
 * Returns ESRCH when there is no such entry, 0 after a removal.  The
 * entry is unlinked under both writer locks and freed after they are
 * released; see lookup_addrsel_policy() for a reader that returns a
 * pointer into entry storage.
 */
static int
delete_addrsel_policyent(struct in6_addrpolicy *key)
{
	struct addrsel_policyent *victim;

	ADDRSEL_XLOCK();
	ADDRSEL_LOCK();

	/* search for the entry in the table; NULL after a full pass */
	TAILQ_FOREACH(victim, &V_addrsel_policytab, ape_entry) {
		if (IN6_ARE_ADDR_EQUAL(&key->addr.sin6_addr,
		    &victim->ape_policy.addr.sin6_addr) &&
		    IN6_ARE_ADDR_EQUAL(&key->addrmask.sin6_addr,
		    &victim->ape_policy.addrmask.sin6_addr)) {
			break;
		}
	}
	if (victim != NULL)
		TAILQ_REMOVE(&V_addrsel_policytab, victim, ape_entry);
	ADDRSEL_UNLOCK();
	ADDRSEL_XUNLOCK();

	if (victim == NULL)
		return (ESRCH);
	free(victim, M_IFADDR);

	return (0);
}

/*
 * Call callback(policy, w) for each table entry, in queue order, while
 * holding the shared ADDRSEL_SLOCK.  The walk stops at the first non-zero
 * return from the callback and that value is returned; otherwise 0.
 */
static int
walk_addrsel_policy(int (*callback)(struct in6_addrpolicy *, void *), void *w)
{
	struct addrsel_policyent *ent;
	int error = 0;

	ADDRSEL_SLOCK();
	TAILQ_FOREACH(ent, &V_addrsel_policytab, ape_entry) {
		error = (*callback)(&ent->ape_policy, w);
		if (error != 0)
			break;
	}
	ADDRSEL_SUNLOCK();

	return (error);
}

/*
 * Walker callback: copy one policy, as a whole structure, to the sysctl
 * request carried in the struct walkarg that arg points to.
 */
static int
dump_addrsel_policyent(struct in6_addrpolicy *pol, void *arg)
{
	struct walkarg *w = arg;

	return (SYSCTL_OUT(w->w_req, pol, sizeof(*pol)));
}

/*
 * Longest-prefix match of key against the policy table.
 *
 * For each entry the mask is walked byte by byte until a zero mask byte or
 * the 16th byte; the masked key byte must equal the stored prefix byte.
 * The match length is the number of mask bits counted on the way, so an
 * all-zero mask matches every key with length 0.  The entry with the
 * greatest length wins and the earliest entry wins a tie.  Returns NULL
 * when no entry matches.
 *
 * No lock is taken here; the caller visible in this file,
 * lookup_addrsel_policy(), holds ADDRSEL_LOCK around the call.
 */
static struct in6_addrpolicy *
match_addrsel_policy(struct sockaddr_in6 *key)
{
	struct addrsel_policyent *ent;
	struct in6_addrpolicy *best = NULL, *cand;
	u_char *maskp, *keyp, *prefp, bits;
	int i, plen, bestlen = -1, mismatch;

	TAILQ_FOREACH(ent, &V_addrsel_policytab, ape_entry) {
		cand = &ent->ape_policy;
		maskp = (u_char *)&cand->addrmask.sin6_addr;
		keyp = (u_char *)&key->sin6_addr;
		prefp = (u_char *)&cand->addr.sin6_addr;

		plen = 0;
		mismatch = 0;
		/* 16 address bytes.  XXX: scope field? */
		for (i = 0; i < 16 && maskp[i] != 0; i++) {
			bits = maskp[i];
			if ((keyp[i] & bits) != prefp[i]) {
				mismatch = 1;	/* not match */
				break;
			}
			if (bits == 0xff) {
				/* short cut for a typical case */
				plen += 8;
			} else {
				/* count the leading one bits of a partial byte */
				for (; bits >= 0x80; bits <<= 1)
					plen++;
			}
		}
		if (mismatch)
			continue;

		/* matched.  check if this is better than the current best. */
		if (best == NULL || plen > bestlen) {
			best = cand;
			bestlen = plen;
		}
	}

	return (best);
}