1 /* $FreeBSD$ */ 2 /* $KAME: ip6_forward.c,v 1.69 2001/05/17 03:48:30 itojun Exp $ */ 3 4 /* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 #include "opt_ip6fw.h" 34 #include "opt_inet.h" 35 #include "opt_inet6.h" 36 #include "opt_ipsec.h" 37 #include "opt_pfil_hooks.h" 38 39 #include <sys/param.h> 40 #include <sys/systm.h> 41 #include <sys/malloc.h> 42 #include <sys/mbuf.h> 43 #include <sys/domain.h> 44 #include <sys/protosw.h> 45 #include <sys/socket.h> 46 #include <sys/errno.h> 47 #include <sys/time.h> 48 #include <sys/kernel.h> 49 #include <sys/syslog.h> 50 51 #include <net/if.h> 52 #include <net/route.h> 53 #ifdef PFIL_HOOKS 54 #include <net/pfil.h> 55 #endif 56 57 #include <netinet/in.h> 58 #include <netinet/in_var.h> 59 #include <netinet/in_systm.h> 60 #include <netinet/ip.h> 61 #include <netinet/ip_var.h> 62 #include <netinet6/in6_var.h> 63 #include <netinet/ip6.h> 64 #include <netinet6/ip6_var.h> 65 #include <netinet/icmp6.h> 66 #include <netinet6/nd6.h> 67 68 #include <netinet/in_pcb.h> 69 70 #ifdef IPSEC 71 #include <netinet6/ipsec.h> 72 #ifdef INET6 73 #include <netinet6/ipsec6.h> 74 #endif 75 #include <netkey/key.h> 76 #endif /* IPSEC */ 77 78 #ifdef FAST_IPSEC 79 #include <netipsec/ipsec.h> 80 #include <netipsec/ipsec6.h> 81 #include <netipsec/key.h> 82 #define IPSEC 83 #endif /* FAST_IPSEC */ 84 85 #include <netinet6/ip6_fw.h> 86 87 #include <net/net_osdep.h> 88 89 #include <netinet6/ip6protosw.h> 90 91 struct route_in6 ip6_forward_rt; 92 93 /* 94 * Forward a packet. If some error occurs return the sender 95 * an icmp packet. Note we can't always generate a meaningful 96 * icmp message because icmp doesn't have a large enough repertoire 97 * of codes and types. 98 * 99 * If not forwarding, just drop the packet. This could be confusing 100 * if ipforwarding was zero but some routing protocol was advancing 101 * us as a gateway to somewhere. However, we must let the routing 102 * protocol deal with that. 103 * 104 */ 105 106 void 107 ip6_forward(m, srcrt) 108 struct mbuf *m; 109 int srcrt; 110 { 111 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 112 struct sockaddr_in6 *dst = NULL; 113 struct rtentry *rt = NULL; 114 int error, type = 0, code = 0; 115 struct mbuf *mcopy = NULL; 116 struct ifnet *origifp; /* maybe unnecessary */ 117 u_int32_t srczone, dstzone; 118 #ifdef IPSEC 119 struct secpolicy *sp = NULL; 120 int ipsecrt = 0; 121 #endif 122 123 #ifdef IPSEC 124 /* 125 * Check AH/ESP integrity. 126 */ 127 /* 128 * Don't increment ip6s_cantforward because this is the check 129 * before forwarding packet actually. 130 */ 131 if (ipsec6_in_reject(m, NULL)) { 132 #if !defined(FAST_IPSEC) 133 ipsec6stat.in_polvio++; 134 #endif 135 m_freem(m); 136 return; 137 } 138 #endif /* IPSEC */ 139 140 /* 141 * Do not forward packets to multicast destination (should be handled 142 * by ip6_mforward(). 143 * Do not forward packets with unspecified source. It was discussed 144 * in July 2000, on the ipngwg mailing list. 145 */ 146 if ((m->m_flags & (M_BCAST|M_MCAST)) != 0 || 147 IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) || 148 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) { 149 ip6stat.ip6s_cantforward++; 150 /* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard) */ 151 if (ip6_log_time + ip6_log_interval < time_second) { 152 ip6_log_time = time_second; 153 log(LOG_DEBUG, 154 "cannot forward " 155 "from %s to %s nxt %d received on %s\n", 156 ip6_sprintf(&ip6->ip6_src), 157 ip6_sprintf(&ip6->ip6_dst), 158 ip6->ip6_nxt, 159 if_name(m->m_pkthdr.rcvif)); 160 } 161 m_freem(m); 162 return; 163 } 164 165 if (ip6->ip6_hlim <= IPV6_HLIMDEC) { 166 /* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard) */ 167 icmp6_error(m, ICMP6_TIME_EXCEEDED, 168 ICMP6_TIME_EXCEED_TRANSIT, 0); 169 return; 170 } 171 ip6->ip6_hlim -= IPV6_HLIMDEC; 172 173 /* 174 * Save at most ICMPV6_PLD_MAXLEN (= the min IPv6 MTU - 175 * size of IPv6 + ICMPv6 headers) bytes of the packet in case 176 * we need to generate an ICMP6 message to the src. 177 * Thanks to M_EXT, in most cases copy will not occur. 178 * 179 * It is important to save it before IPsec processing as IPsec 180 * processing may modify the mbuf. 181 */ 182 mcopy = m_copy(m, 0, imin(m->m_pkthdr.len, ICMPV6_PLD_MAXLEN)); 183 184 #ifdef IPSEC 185 /* get a security policy for this packet */ 186 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, 187 IP_FORWARDING, &error); 188 if (sp == NULL) { 189 ipsec6stat.out_inval++; 190 ip6stat.ip6s_cantforward++; 191 if (mcopy) { 192 #if 0 193 /* XXX: what icmp ? */ 194 #else 195 m_freem(mcopy); 196 #endif 197 } 198 m_freem(m); 199 return; 200 } 201 202 error = 0; 203 204 /* check policy */ 205 switch (sp->policy) { 206 case IPSEC_POLICY_DISCARD: 207 /* 208 * This packet is just discarded. 209 */ 210 ipsec6stat.out_polvio++; 211 ip6stat.ip6s_cantforward++; 212 key_freesp(sp); 213 if (mcopy) { 214 #if 0 215 /* XXX: what icmp ? */ 216 #else 217 m_freem(mcopy); 218 #endif 219 } 220 m_freem(m); 221 return; 222 223 case IPSEC_POLICY_BYPASS: 224 case IPSEC_POLICY_NONE: 225 /* no need to do IPsec. */ 226 key_freesp(sp); 227 goto skip_ipsec; 228 229 case IPSEC_POLICY_IPSEC: 230 if (sp->req == NULL) { 231 /* XXX should be panic ? */ 232 printf("ip6_forward: No IPsec request specified.\n"); 233 ip6stat.ip6s_cantforward++; 234 key_freesp(sp); 235 if (mcopy) { 236 #if 0 237 /* XXX: what icmp ? */ 238 #else 239 m_freem(mcopy); 240 #endif 241 } 242 m_freem(m); 243 return; 244 } 245 /* do IPsec */ 246 break; 247 248 case IPSEC_POLICY_ENTRUST: 249 default: 250 /* should be panic ?? */ 251 printf("ip6_forward: Invalid policy found. %d\n", sp->policy); 252 key_freesp(sp); 253 goto skip_ipsec; 254 } 255 256 { 257 struct ipsecrequest *isr = NULL; 258 struct ipsec_output_state state; 259 260 /* 261 * when the kernel forwards a packet, it is not proper to apply 262 * IPsec transport mode to the packet is not proper. this check 263 * avoid from this. 264 * at present, if there is even a transport mode SA request in the 265 * security policy, the kernel does not apply IPsec to the packet. 266 * this check is not enough because the following case is valid. 267 * ipsec esp/tunnel/xxx-xxx/require esp/transport//require; 268 */ 269 for (isr = sp->req; isr; isr = isr->next) { 270 if (isr->saidx.mode == IPSEC_MODE_ANY) 271 goto doipsectunnel; 272 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) 273 goto doipsectunnel; 274 } 275 276 /* 277 * if there's no need for tunnel mode IPsec, skip. 278 */ 279 if (!isr) 280 goto skip_ipsec; 281 282 doipsectunnel: 283 /* 284 * All the extension headers will become inaccessible 285 * (since they can be encrypted). 286 * Don't panic, we need no more updates to extension headers 287 * on inner IPv6 packet (since they are now encapsulated). 288 * 289 * IPv6 [ESP|AH] IPv6 [extension headers] payload 290 */ 291 bzero(&state, sizeof(state)); 292 state.m = m; 293 state.ro = NULL; /* update at ipsec6_output_tunnel() */ 294 state.dst = NULL; /* update at ipsec6_output_tunnel() */ 295 296 error = ipsec6_output_tunnel(&state, sp, 0); 297 298 m = state.m; 299 key_freesp(sp); 300 301 if (error) { 302 /* mbuf is already reclaimed in ipsec6_output_tunnel. */ 303 switch (error) { 304 case EHOSTUNREACH: 305 case ENETUNREACH: 306 case EMSGSIZE: 307 case ENOBUFS: 308 case ENOMEM: 309 break; 310 default: 311 printf("ip6_output (ipsec): error code %d\n", error); 312 /* FALLTHROUGH */ 313 case ENOENT: 314 /* don't show these error codes to the user */ 315 break; 316 } 317 ip6stat.ip6s_cantforward++; 318 if (mcopy) { 319 #if 0 320 /* XXX: what icmp ? */ 321 #else 322 m_freem(mcopy); 323 #endif 324 } 325 m_freem(m); 326 return; 327 } 328 329 if (ip6 != mtod(m, struct ip6_hdr *)) { 330 /* 331 * now tunnel mode headers are added. we are originating 332 * packet instead of forwarding the packet. 333 */ 334 ip6_output(m, NULL, NULL, IPV6_FORWARDING/*XXX*/, NULL, NULL, 335 NULL); 336 goto freecopy; 337 } 338 339 /* adjust pointer */ 340 dst = (struct sockaddr_in6 *)state.dst; 341 rt = state.ro ? state.ro->ro_rt : NULL; 342 if (dst != NULL && rt != NULL) 343 ipsecrt = 1; 344 } 345 skip_ipsec: 346 #endif /* IPSEC */ 347 348 #ifdef IPSEC 349 if (ipsecrt) 350 goto skip_routing; 351 #endif 352 353 dst = (struct sockaddr_in6 *)&ip6_forward_rt.ro_dst; 354 if (!srcrt) { 355 /* ip6_forward_rt.ro_dst.sin6_addr is equal to ip6->ip6_dst */ 356 if (ip6_forward_rt.ro_rt == 0 || 357 (ip6_forward_rt.ro_rt->rt_flags & RTF_UP) == 0) { 358 if (ip6_forward_rt.ro_rt) { 359 RTFREE(ip6_forward_rt.ro_rt); 360 ip6_forward_rt.ro_rt = 0; 361 } 362 363 /* this probably fails but give it a try again */ 364 rtalloc((struct route *)&ip6_forward_rt); 365 } 366 367 if (ip6_forward_rt.ro_rt == 0) { 368 ip6stat.ip6s_noroute++; 369 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_noroute); 370 if (mcopy) { 371 icmp6_error(mcopy, ICMP6_DST_UNREACH, 372 ICMP6_DST_UNREACH_NOROUTE, 0); 373 } 374 m_freem(m); 375 return; 376 } 377 } else if ((rt = ip6_forward_rt.ro_rt) == 0 || 378 !IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &dst->sin6_addr)) { 379 if (ip6_forward_rt.ro_rt) { 380 RTFREE(ip6_forward_rt.ro_rt); 381 ip6_forward_rt.ro_rt = 0; 382 } 383 bzero(dst, sizeof(*dst)); 384 dst->sin6_len = sizeof(struct sockaddr_in6); 385 dst->sin6_family = AF_INET6; 386 dst->sin6_addr = ip6->ip6_dst; 387 388 rtalloc((struct route *)&ip6_forward_rt); 389 if (ip6_forward_rt.ro_rt == 0) { 390 ip6stat.ip6s_noroute++; 391 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_noroute); 392 if (mcopy) { 393 icmp6_error(mcopy, ICMP6_DST_UNREACH, 394 ICMP6_DST_UNREACH_NOROUTE, 0); 395 } 396 m_freem(m); 397 return; 398 } 399 } 400 rt = ip6_forward_rt.ro_rt; 401 #ifdef IPSEC 402 skip_routing:; 403 #endif 404 405 /* 406 * Scope check: if a packet can't be delivered to its destination 407 * for the reason that the destination is beyond the scope of the 408 * source address, discard the packet and return an icmp6 destination 409 * unreachable error with Code 2 (beyond scope of source address). 410 * [draft-ietf-ipngwg-icmp-v3-02.txt, Section 3.1] 411 */ 412 if (in6_addr2zoneid(m->m_pkthdr.rcvif, &ip6->ip6_src, &srczone) || 413 in6_addr2zoneid(rt->rt_ifp, &ip6->ip6_src, &dstzone)) { 414 /* XXX: this should not happen */ 415 ip6stat.ip6s_cantforward++; 416 ip6stat.ip6s_badscope++; 417 m_freem(m); 418 return; 419 } 420 if (srczone != dstzone 421 #ifdef IPSEC 422 && !ipsecrt 423 #endif 424 ) { 425 ip6stat.ip6s_cantforward++; 426 ip6stat.ip6s_badscope++; 427 in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard); 428 429 if (ip6_log_time + ip6_log_interval < time_second) { 430 ip6_log_time = time_second; 431 log(LOG_DEBUG, 432 "cannot forward " 433 "src %s, dst %s, nxt %d, rcvif %s, outif %s\n", 434 ip6_sprintf(&ip6->ip6_src), 435 ip6_sprintf(&ip6->ip6_dst), 436 ip6->ip6_nxt, 437 if_name(m->m_pkthdr.rcvif), if_name(rt->rt_ifp)); 438 } 439 if (mcopy) 440 icmp6_error(mcopy, ICMP6_DST_UNREACH, 441 ICMP6_DST_UNREACH_BEYONDSCOPE, 0); 442 m_freem(m); 443 return; 444 } 445 446 if (m->m_pkthdr.len > IN6_LINKMTU(rt->rt_ifp)) { 447 in6_ifstat_inc(rt->rt_ifp, ifs6_in_toobig); 448 if (mcopy) { 449 u_long mtu; 450 #ifdef IPSEC 451 struct secpolicy *sp; 452 int ipsecerror; 453 size_t ipsechdrsiz; 454 #endif 455 456 mtu = IN6_LINKMTU(rt->rt_ifp); 457 #ifdef IPSEC 458 /* 459 * When we do IPsec tunnel ingress, we need to play 460 * with the link value (decrement IPsec header size 461 * from mtu value). The code is much simpler than v4 462 * case, as we have the outgoing interface for 463 * encapsulated packet as "rt->rt_ifp". 464 */ 465 sp = ipsec6_getpolicybyaddr(mcopy, IPSEC_DIR_OUTBOUND, 466 IP_FORWARDING, &ipsecerror); 467 if (sp) { 468 ipsechdrsiz = ipsec6_hdrsiz(mcopy, 469 IPSEC_DIR_OUTBOUND, NULL); 470 if (ipsechdrsiz < mtu) 471 mtu -= ipsechdrsiz; 472 } 473 474 /* 475 * if mtu becomes less than minimum MTU, 476 * tell minimum MTU (and I'll need to fragment it). 477 */ 478 if (mtu < IPV6_MMTU) 479 mtu = IPV6_MMTU; 480 #endif 481 icmp6_error(mcopy, ICMP6_PACKET_TOO_BIG, 0, mtu); 482 } 483 m_freem(m); 484 return; 485 } 486 487 if (rt->rt_flags & RTF_GATEWAY) 488 dst = (struct sockaddr_in6 *)rt->rt_gateway; 489 490 /* 491 * If we are to forward the packet using the same interface 492 * as one we got the packet from, perhaps we should send a redirect 493 * to sender to shortcut a hop. 494 * Only send redirect if source is sending directly to us, 495 * and if packet was not source routed (or has any options). 496 * Also, don't send redirect if forwarding using a route 497 * modified by a redirect. 498 */ 499 if (rt->rt_ifp == m->m_pkthdr.rcvif && !srcrt && 500 #ifdef IPSEC 501 !ipsecrt && 502 #endif 503 (rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0) { 504 if ((rt->rt_ifp->if_flags & IFF_POINTOPOINT) != 0) { 505 /* 506 * If the incoming interface is equal to the outgoing 507 * one, and the link attached to the interface is 508 * point-to-point, then it will be highly probable 509 * that a routing loop occurs. Thus, we immediately 510 * drop the packet and send an ICMPv6 error message. 511 * 512 * type/code is based on suggestion by Rich Draves. 513 * not sure if it is the best pick. 514 */ 515 icmp6_error(mcopy, ICMP6_DST_UNREACH, 516 ICMP6_DST_UNREACH_ADDR, 0); 517 m_freem(m); 518 return; 519 } 520 type = ND_REDIRECT; 521 } 522 523 /* 524 * Check with the firewall... 525 */ 526 if (ip6_fw_enable && ip6_fw_chk_ptr) { 527 u_short port = 0; 528 /* If ipfw says divert, we have to just drop packet */ 529 if ((*ip6_fw_chk_ptr)(&ip6, rt->rt_ifp, &port, &m)) { 530 m_freem(m); 531 goto freecopy; 532 } 533 if (!m) 534 goto freecopy; 535 } 536 537 /* 538 * Fake scoped addresses. Note that even link-local source or 539 * destinaion can appear, if the originating node just sends the 540 * packet to us (without address resolution for the destination). 541 * Since both icmp6_error and icmp6_redirect_output fill the embedded 542 * link identifiers, we can do this stuff after making a copy for 543 * returning an error. 544 */ 545 if ((rt->rt_ifp->if_flags & IFF_LOOPBACK) != 0) { 546 /* 547 * See corresponding comments in ip6_output. 548 * XXX: but is it possible that ip6_forward() sends a packet 549 * to a loopback interface? I don't think so, and thus 550 * I bark here. (jinmei@kame.net) 551 * XXX: it is common to route invalid packets to loopback. 552 * also, the codepath will be visited on use of ::1 in 553 * rthdr. (itojun) 554 */ 555 #if 1 556 if (0) 557 #else 558 if ((rt->rt_flags & (RTF_BLACKHOLE|RTF_REJECT)) == 0) 559 #endif 560 { 561 printf("ip6_forward: outgoing interface is loopback. " 562 "src %s, dst %s, nxt %d, rcvif %s, outif %s\n", 563 ip6_sprintf(&ip6->ip6_src), 564 ip6_sprintf(&ip6->ip6_dst), 565 ip6->ip6_nxt, if_name(m->m_pkthdr.rcvif), 566 if_name(rt->rt_ifp)); 567 } 568 569 /* we can just use rcvif in forwarding. */ 570 origifp = m->m_pkthdr.rcvif; 571 } 572 else 573 origifp = rt->rt_ifp; 574 /* 575 * clear embedded scope identifiers if necessary. 576 * in6_clearscope will touch the addresses only when necessary. 577 */ 578 in6_clearscope(&ip6->ip6_src); 579 in6_clearscope(&ip6->ip6_dst); 580 581 #ifdef PFIL_HOOKS 582 /* 583 * Run through list of hooks for output packets. 584 */ 585 error = pfil_run_hooks(&inet6_pfil_hook, &m, rt->rt_ifp, PFIL_OUT); 586 if (error != 0) 587 goto senderr; 588 if (m == NULL) 589 goto freecopy; 590 ip6 = mtod(m, struct ip6_hdr *); 591 #endif /* PFIL_HOOKS */ 592 593 error = nd6_output(rt->rt_ifp, origifp, m, dst, rt); 594 if (error) { 595 in6_ifstat_inc(rt->rt_ifp, ifs6_out_discard); 596 ip6stat.ip6s_cantforward++; 597 } else { 598 ip6stat.ip6s_forward++; 599 in6_ifstat_inc(rt->rt_ifp, ifs6_out_forward); 600 if (type) 601 ip6stat.ip6s_redirectsent++; 602 else { 603 if (mcopy) 604 goto freecopy; 605 } 606 } 607 608 #ifdef PFIL_HOOKS 609 senderr: 610 #endif 611 if (mcopy == NULL) 612 return; 613 switch (error) { 614 case 0: 615 if (type == ND_REDIRECT) { 616 icmp6_redirect_output(mcopy, rt); 617 return; 618 } 619 goto freecopy; 620 621 case EMSGSIZE: 622 /* xxx MTU is constant in PPP? */ 623 goto freecopy; 624 625 case ENOBUFS: 626 /* Tell source to slow down like source quench in IP? */ 627 goto freecopy; 628 629 case ENETUNREACH: /* shouldn't happen, checked above */ 630 case EHOSTUNREACH: 631 case ENETDOWN: 632 case EHOSTDOWN: 633 default: 634 type = ICMP6_DST_UNREACH; 635 code = ICMP6_DST_UNREACH_ADDR; 636 break; 637 } 638 icmp6_error(mcopy, type, code, 0); 639 return; 640 641 freecopy: 642 m_freem(mcopy); 643 return; 644 } 645