xref: /freebsd/sys/netinet6/ip6_input.c (revision 3ac125068a211377f0b3817c37cf1db95a87e8fb)
1 /*-
2  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. Neither the name of the project nor the names of its contributors
14  *    may be used to endorse or promote products derived from this software
15  *    without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  *
29  *	$KAME: ip6_input.c,v 1.259 2002/01/21 04:58:09 jinmei Exp $
30  */
31 
32 /*-
33  * Copyright (c) 1982, 1986, 1988, 1993
34  *	The Regents of the University of California.  All rights reserved.
35  *
36  * Redistribution and use in source and binary forms, with or without
37  * modification, are permitted provided that the following conditions
38  * are met:
39  * 1. Redistributions of source code must retain the above copyright
40  *    notice, this list of conditions and the following disclaimer.
41  * 2. Redistributions in binary form must reproduce the above copyright
42  *    notice, this list of conditions and the following disclaimer in the
43  *    documentation and/or other materials provided with the distribution.
44  * 4. Neither the name of the University nor the names of its contributors
45  *    may be used to endorse or promote products derived from this software
46  *    without specific prior written permission.
47  *
48  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
49  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
50  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
51  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
52  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
53  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
54  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
55  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
56  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
57  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
58  * SUCH DAMAGE.
59  *
60  *	@(#)ip_input.c	8.2 (Berkeley) 1/4/94
61  */
62 
63 #include <sys/cdefs.h>
64 __FBSDID("$FreeBSD$");
65 
66 #include "opt_inet.h"
67 #include "opt_inet6.h"
68 #include "opt_ipsec.h"
69 #include "opt_route.h"
70 #include "opt_rss.h"
71 
72 #include <sys/param.h>
73 #include <sys/systm.h>
74 #include <sys/hhook.h>
75 #include <sys/malloc.h>
76 #include <sys/mbuf.h>
77 #include <sys/proc.h>
78 #include <sys/domain.h>
79 #include <sys/protosw.h>
80 #include <sys/sdt.h>
81 #include <sys/socket.h>
82 #include <sys/socketvar.h>
83 #include <sys/errno.h>
84 #include <sys/time.h>
85 #include <sys/kernel.h>
86 #include <sys/lock.h>
87 #include <sys/rmlock.h>
88 #include <sys/syslog.h>
89 #include <sys/sysctl.h>
90 
91 #include <net/if.h>
92 #include <net/if_var.h>
93 #include <net/if_types.h>
94 #include <net/if_dl.h>
95 #include <net/route.h>
96 #include <net/netisr.h>
97 #include <net/rss_config.h>
98 #include <net/pfil.h>
99 #include <net/vnet.h>
100 
101 #include <netinet/in.h>
102 #include <netinet/in_kdtrace.h>
103 #include <netinet/ip_var.h>
104 #include <netinet/in_systm.h>
105 #include <net/if_llatbl.h>
106 #ifdef INET
107 #include <netinet/ip.h>
108 #include <netinet/ip_icmp.h>
109 #endif /* INET */
110 #include <netinet/ip6.h>
111 #include <netinet6/in6_var.h>
112 #include <netinet6/ip6_var.h>
113 #include <netinet/in_pcb.h>
114 #include <netinet/icmp6.h>
115 #include <netinet6/scope6_var.h>
116 #include <netinet6/in6_ifattach.h>
117 #include <netinet6/mld6_var.h>
118 #include <netinet6/nd6.h>
119 #include <netinet6/in6_rss.h>
120 
121 #ifdef IPSEC
122 #include <netipsec/ipsec.h>
123 #include <netinet6/ip6_ipsec.h>
124 #include <netipsec/ipsec6.h>
125 #endif /* IPSEC */
126 
127 #include <netinet6/ip6protosw.h>
128 
129 extern struct domain inet6domain;
130 
131 u_char ip6_protox[IPPROTO_MAX];
132 VNET_DEFINE(struct in6_ifaddrhead, in6_ifaddrhead);
133 VNET_DEFINE(struct in6_ifaddrlisthead *, in6_ifaddrhashtbl);
134 VNET_DEFINE(u_long, in6_ifaddrhmask);
135 
136 static struct netisr_handler ip6_nh = {
137 	.nh_name = "ip6",
138 	.nh_handler = ip6_input,
139 	.nh_proto = NETISR_IPV6,
140 #ifdef RSS
141 	.nh_m2cpuid = rss_soft_m2cpuid_v6,
142 	.nh_policy = NETISR_POLICY_CPU,
143 	.nh_dispatch = NETISR_DISPATCH_HYBRID,
144 #else
145 	.nh_policy = NETISR_POLICY_FLOW,
146 #endif
147 };
148 
149 static int
150 sysctl_netinet6_intr_queue_maxlen(SYSCTL_HANDLER_ARGS)
151 {
152 	int error, qlimit;
153 
154 	netisr_getqlimit(&ip6_nh, &qlimit);
155 	error = sysctl_handle_int(oidp, &qlimit, 0, req);
156 	if (error || !req->newptr)
157 		return (error);
158 	if (qlimit < 1)
159 		return (EINVAL);
160 	return (netisr_setqlimit(&ip6_nh, qlimit));
161 }
162 SYSCTL_DECL(_net_inet6_ip6);
163 SYSCTL_PROC(_net_inet6_ip6, IPV6CTL_INTRQMAXLEN, intr_queue_maxlen,
164     CTLTYPE_INT|CTLFLAG_RW, 0, 0, sysctl_netinet6_intr_queue_maxlen, "I",
165     "Maximum size of the IPv6 input queue");
166 
167 #ifdef RSS
168 static struct netisr_handler ip6_direct_nh = {
169 	.nh_name = "ip6_direct",
170 	.nh_handler = ip6_direct_input,
171 	.nh_proto = NETISR_IPV6_DIRECT,
172 	.nh_m2cpuid = rss_soft_m2cpuid_v6,
173 	.nh_policy = NETISR_POLICY_CPU,
174 	.nh_dispatch = NETISR_DISPATCH_HYBRID,
175 };
176 
177 static int
178 sysctl_netinet6_intr_direct_queue_maxlen(SYSCTL_HANDLER_ARGS)
179 {
180 	int error, qlimit;
181 
182 	netisr_getqlimit(&ip6_direct_nh, &qlimit);
183 	error = sysctl_handle_int(oidp, &qlimit, 0, req);
184 	if (error || !req->newptr)
185 		return (error);
186 	if (qlimit < 1)
187 		return (EINVAL);
188 	return (netisr_setqlimit(&ip6_direct_nh, qlimit));
189 }
190 SYSCTL_PROC(_net_inet6_ip6, IPV6CTL_INTRDQMAXLEN, intr_direct_queue_maxlen,
191     CTLTYPE_INT|CTLFLAG_RW, 0, 0, sysctl_netinet6_intr_direct_queue_maxlen,
192     "I", "Maximum size of the IPv6 direct input queue");
193 
194 #endif
195 
196 VNET_DEFINE(struct pfil_head, inet6_pfil_hook);
197 
198 VNET_PCPUSTAT_DEFINE(struct ip6stat, ip6stat);
199 VNET_PCPUSTAT_SYSINIT(ip6stat);
200 #ifdef VIMAGE
201 VNET_PCPUSTAT_SYSUNINIT(ip6stat);
202 #endif /* VIMAGE */
203 
204 struct rmlock in6_ifaddr_lock;
205 RM_SYSINIT(in6_ifaddr_lock, &in6_ifaddr_lock, "in6_ifaddr_lock");
206 
207 static int ip6_hopopts_input(u_int32_t *, u_int32_t *, struct mbuf **, int *);
208 #ifdef PULLDOWN_TEST
209 static struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int);
210 #endif
211 
212 /*
213  * IP6 initialization: fill in IP6 protocol switch table.
214  * All protocols not implemented in kernel go to raw IP6 protocol handler.
215  */
216 void
217 ip6_init(void)
218 {
219 	struct protosw *pr;
220 	int i;
221 
222 	TUNABLE_INT_FETCH("net.inet6.ip6.auto_linklocal",
223 	    &V_ip6_auto_linklocal);
224 	TUNABLE_INT_FETCH("net.inet6.ip6.accept_rtadv", &V_ip6_accept_rtadv);
225 	TUNABLE_INT_FETCH("net.inet6.ip6.no_radr", &V_ip6_no_radr);
226 
227 	TAILQ_INIT(&V_in6_ifaddrhead);
228 	V_in6_ifaddrhashtbl = hashinit(IN6ADDR_NHASH, M_IFADDR,
229 	    &V_in6_ifaddrhmask);
230 
231 	/* Initialize packet filter hooks. */
232 	V_inet6_pfil_hook.ph_type = PFIL_TYPE_AF;
233 	V_inet6_pfil_hook.ph_af = AF_INET6;
234 	if ((i = pfil_head_register(&V_inet6_pfil_hook)) != 0)
235 		printf("%s: WARNING: unable to register pfil hook, "
236 			"error %d\n", __func__, i);
237 
238 	if (hhook_head_register(HHOOK_TYPE_IPSEC_IN, AF_INET6,
239 	    &V_ipsec_hhh_in[HHOOK_IPSEC_INET6],
240 	    HHOOK_WAITOK | HHOOK_HEADISINVNET) != 0)
241 		printf("%s: WARNING: unable to register input helper hook\n",
242 		    __func__);
243 	if (hhook_head_register(HHOOK_TYPE_IPSEC_OUT, AF_INET6,
244 	    &V_ipsec_hhh_out[HHOOK_IPSEC_INET6],
245 	    HHOOK_WAITOK | HHOOK_HEADISINVNET) != 0)
246 		printf("%s: WARNING: unable to register output helper hook\n",
247 		    __func__);
248 
249 	scope6_init();
250 	addrsel_policy_init();
251 	nd6_init();
252 	frag6_init();
253 
254 	V_ip6_desync_factor = arc4random() % MAX_TEMP_DESYNC_FACTOR;
255 
256 	/* Skip global initialization stuff for non-default instances. */
257 #ifdef VIMAGE
258 	if (!IS_DEFAULT_VNET(curvnet)) {
259 		netisr_register_vnet(&ip6_nh);
260 #ifdef RSS
261 		netisr_register_vnet(&ip6_direct_nh);
262 #endif
263 		return;
264 	}
265 #endif
266 
267 	pr = pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW);
268 	if (pr == NULL)
269 		panic("ip6_init");
270 
271 	/* Initialize the entire ip6_protox[] array to IPPROTO_RAW. */
272 	for (i = 0; i < IPPROTO_MAX; i++)
273 		ip6_protox[i] = pr - inet6sw;
274 	/*
275 	 * Cycle through IP protocols and put them into the appropriate place
276 	 * in ip6_protox[].
277 	 */
278 	for (pr = inet6domain.dom_protosw;
279 	    pr < inet6domain.dom_protoswNPROTOSW; pr++)
280 		if (pr->pr_domain->dom_family == PF_INET6 &&
281 		    pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) {
282 			/* Be careful to only index valid IP protocols. */
283 			if (pr->pr_protocol < IPPROTO_MAX)
284 				ip6_protox[pr->pr_protocol] = pr - inet6sw;
285 		}
286 
287 	netisr_register(&ip6_nh);
288 #ifdef RSS
289 	netisr_register(&ip6_direct_nh);
290 #endif
291 }
292 
293 /*
294  * The protocol to be inserted into ip6_protox[] must be already registered
295  * in inet6sw[], either statically or through pf_proto_register().
296  */
297 int
298 ip6proto_register(short ip6proto)
299 {
300 	struct protosw *pr;
301 
302 	/* Sanity checks. */
303 	if (ip6proto <= 0 || ip6proto >= IPPROTO_MAX)
304 		return (EPROTONOSUPPORT);
305 
306 	/*
307 	 * The protocol slot must not be occupied by another protocol
308 	 * already.  An index pointing to IPPROTO_RAW is unused.
309 	 */
310 	pr = pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW);
311 	if (pr == NULL)
312 		return (EPFNOSUPPORT);
313 	if (ip6_protox[ip6proto] != pr - inet6sw)	/* IPPROTO_RAW */
314 		return (EEXIST);
315 
316 	/*
317 	 * Find the protocol position in inet6sw[] and set the index.
318 	 */
319 	for (pr = inet6domain.dom_protosw;
320 	    pr < inet6domain.dom_protoswNPROTOSW; pr++) {
321 		if (pr->pr_domain->dom_family == PF_INET6 &&
322 		    pr->pr_protocol && pr->pr_protocol == ip6proto) {
323 			ip6_protox[pr->pr_protocol] = pr - inet6sw;
324 			return (0);
325 		}
326 	}
327 	return (EPROTONOSUPPORT);
328 }
329 
330 int
331 ip6proto_unregister(short ip6proto)
332 {
333 	struct protosw *pr;
334 
335 	/* Sanity checks. */
336 	if (ip6proto <= 0 || ip6proto >= IPPROTO_MAX)
337 		return (EPROTONOSUPPORT);
338 
339 	/* Check if the protocol was indeed registered. */
340 	pr = pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW);
341 	if (pr == NULL)
342 		return (EPFNOSUPPORT);
343 	if (ip6_protox[ip6proto] == pr - inet6sw)	/* IPPROTO_RAW */
344 		return (ENOENT);
345 
346 	/* Reset the protocol slot to IPPROTO_RAW. */
347 	ip6_protox[ip6proto] = pr - inet6sw;
348 	return (0);
349 }
350 
351 #ifdef VIMAGE
352 static void
353 ip6_destroy(void *unused __unused)
354 {
355 	struct ifaddr *ifa, *nifa;
356 	struct ifnet *ifp;
357 	int error;
358 
359 #ifdef RSS
360 	netisr_unregister_vnet(&ip6_direct_nh);
361 #endif
362 	netisr_unregister_vnet(&ip6_nh);
363 
364 	if ((error = pfil_head_unregister(&V_inet6_pfil_hook)) != 0)
365 		printf("%s: WARNING: unable to unregister pfil hook, "
366 		    "error %d\n", __func__, error);
367 	error = hhook_head_deregister(V_ipsec_hhh_in[HHOOK_IPSEC_INET6]);
368 	if (error != 0) {
369 		printf("%s: WARNING: unable to deregister input helper hook "
370 		    "type HHOOK_TYPE_IPSEC_IN, id HHOOK_IPSEC_INET6: "
371 		    "error %d returned\n", __func__, error);
372 	}
373 	error = hhook_head_deregister(V_ipsec_hhh_out[HHOOK_IPSEC_INET6]);
374 	if (error != 0) {
375 		printf("%s: WARNING: unable to deregister output helper hook "
376 		    "type HHOOK_TYPE_IPSEC_OUT, id HHOOK_IPSEC_INET6: "
377 		    "error %d returned\n", __func__, error);
378 	}
379 
380 	/* Cleanup addresses. */
381 	IFNET_RLOCK();
382 	TAILQ_FOREACH(ifp, &V_ifnet, if_link) {
383 		/* Cannot lock here - lock recursion. */
384 		/* IF_ADDR_LOCK(ifp); */
385 		TAILQ_FOREACH_SAFE(ifa, &ifp->if_addrhead, ifa_link, nifa) {
386 
387 			if (ifa->ifa_addr->sa_family != AF_INET6)
388 				continue;
389 			in6_purgeaddr(ifa);
390 		}
391 		/* IF_ADDR_UNLOCK(ifp); */
392 		in6_ifdetach_destroy(ifp);
393 		mld_domifdetach(ifp);
394 		/* Make sure any routes are gone as well. */
395 		rt_flushifroutes_af(ifp, AF_INET6);
396 	}
397 	IFNET_RUNLOCK();
398 
399 	nd6_destroy();
400 	in6_ifattach_destroy();
401 
402 	hashdestroy(V_in6_ifaddrhashtbl, M_IFADDR, V_in6_ifaddrhmask);
403 }
404 
405 VNET_SYSUNINIT(inet6, SI_SUB_PROTO_DOMAIN, SI_ORDER_THIRD, ip6_destroy, NULL);
406 #endif
407 
408 static int
409 ip6_input_hbh(struct mbuf *m, uint32_t *plen, uint32_t *rtalert, int *off,
410     int *nxt, int *ours)
411 {
412 	struct ip6_hdr *ip6;
413 	struct ip6_hbh *hbh;
414 
415 	if (ip6_hopopts_input(plen, rtalert, &m, off)) {
416 #if 0	/*touches NULL pointer*/
417 		in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
418 #endif
419 		goto out;	/* m have already been freed */
420 	}
421 
422 	/* adjust pointer */
423 	ip6 = mtod(m, struct ip6_hdr *);
424 
425 	/*
426 	 * if the payload length field is 0 and the next header field
427 	 * indicates Hop-by-Hop Options header, then a Jumbo Payload
428 	 * option MUST be included.
429 	 */
430 	if (ip6->ip6_plen == 0 && *plen == 0) {
431 		/*
432 		 * Note that if a valid jumbo payload option is
433 		 * contained, ip6_hopopts_input() must set a valid
434 		 * (non-zero) payload length to the variable plen.
435 		 */
436 		IP6STAT_INC(ip6s_badoptions);
437 		in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
438 		in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
439 		icmp6_error(m, ICMP6_PARAM_PROB,
440 			    ICMP6_PARAMPROB_HEADER,
441 			    (caddr_t)&ip6->ip6_plen - (caddr_t)ip6);
442 		goto out;
443 	}
444 #ifndef PULLDOWN_TEST
445 	/* ip6_hopopts_input() ensures that mbuf is contiguous */
446 	hbh = (struct ip6_hbh *)(ip6 + 1);
447 #else
448 	IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr),
449 		sizeof(struct ip6_hbh));
450 	if (hbh == NULL) {
451 		IP6STAT_INC(ip6s_tooshort);
452 		goto out;
453 	}
454 #endif
455 	*nxt = hbh->ip6h_nxt;
456 
457 	/*
458 	 * If we are acting as a router and the packet contains a
459 	 * router alert option, see if we know the option value.
460 	 * Currently, we only support the option value for MLD, in which
461 	 * case we should pass the packet to the multicast routing
462 	 * daemon.
463 	 */
464 	if (*rtalert != ~0) {
465 		switch (*rtalert) {
466 		case IP6OPT_RTALERT_MLD:
467 			if (V_ip6_forwarding)
468 				*ours = 1;
469 			break;
470 		default:
471 			/*
472 			 * RFC2711 requires unrecognized values must be
473 			 * silently ignored.
474 			 */
475 			break;
476 		}
477 	}
478 
479 	return (0);
480 
481 out:
482 	return (1);
483 }
484 
485 #ifdef RSS
486 /*
487  * IPv6 direct input routine.
488  *
489  * This is called when reinjecting completed fragments where
490  * all of the previous checking and book-keeping has been done.
491  */
492 void
493 ip6_direct_input(struct mbuf *m)
494 {
495 	int off, nxt;
496 	int nest;
497 	struct m_tag *mtag;
498 	struct ip6_direct_ctx *ip6dc;
499 
500 	mtag = m_tag_locate(m, MTAG_ABI_IPV6, IPV6_TAG_DIRECT, NULL);
501 	KASSERT(mtag != NULL, ("Reinjected packet w/o direct ctx tag!"));
502 
503 	ip6dc = (struct ip6_direct_ctx *)(mtag + 1);
504 	nxt = ip6dc->ip6dc_nxt;
505 	off = ip6dc->ip6dc_off;
506 
507 	nest = 0;
508 
509 	m_tag_delete(m, mtag);
510 
511 	while (nxt != IPPROTO_DONE) {
512 		if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) {
513 			IP6STAT_INC(ip6s_toomanyhdr);
514 			goto bad;
515 		}
516 
517 		/*
518 		 * protection against faulty packet - there should be
519 		 * more sanity checks in header chain processing.
520 		 */
521 		if (m->m_pkthdr.len < off) {
522 			IP6STAT_INC(ip6s_tooshort);
523 			in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
524 			goto bad;
525 		}
526 
527 #ifdef IPSEC
528 		/*
529 		 * enforce IPsec policy checking if we are seeing last header.
530 		 * note that we do not visit this with protocols with pcb layer
531 		 * code - like udp/tcp/raw ip.
532 		 */
533 		if (ip6_ipsec_input(m, nxt))
534 			goto bad;
535 #endif /* IPSEC */
536 
537 		nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
538 	}
539 	return;
540 bad:
541 	m_freem(m);
542 }
543 #endif
544 
545 void
546 ip6_input(struct mbuf *m)
547 {
548 	struct in6_addr odst;
549 	struct ip6_hdr *ip6;
550 	struct in6_ifaddr *ia;
551 	u_int32_t plen;
552 	u_int32_t rtalert = ~0;
553 	int off = sizeof(struct ip6_hdr), nest;
554 	int nxt, ours = 0;
555 	int srcrt = 0;
556 
557 #ifdef IPSEC
558 	/*
559 	 * should the inner packet be considered authentic?
560 	 * see comment in ah4_input().
561 	 * NB: m cannot be NULL when passed to the input routine
562 	 */
563 
564 	m->m_flags &= ~M_AUTHIPHDR;
565 	m->m_flags &= ~M_AUTHIPDGM;
566 
567 #endif /* IPSEC */
568 
569 	if (m->m_flags & M_FASTFWD_OURS) {
570 		/*
571 		 * Firewall changed destination to local.
572 		 */
573 		m->m_flags &= ~M_FASTFWD_OURS;
574 		ours = 1;
575 		ip6 = mtod(m, struct ip6_hdr *);
576 		goto hbhcheck;
577 	}
578 
579 	/*
580 	 * mbuf statistics
581 	 */
582 	if (m->m_flags & M_EXT) {
583 		if (m->m_next)
584 			IP6STAT_INC(ip6s_mext2m);
585 		else
586 			IP6STAT_INC(ip6s_mext1);
587 	} else {
588 		if (m->m_next) {
589 			if (m->m_flags & M_LOOP) {
590 				IP6STAT_INC(ip6s_m2m[V_loif->if_index]);
591 			} else if (m->m_pkthdr.rcvif->if_index < IP6S_M2MMAX)
592 				IP6STAT_INC(
593 				    ip6s_m2m[m->m_pkthdr.rcvif->if_index]);
594 			else
595 				IP6STAT_INC(ip6s_m2m[0]);
596 		} else
597 			IP6STAT_INC(ip6s_m1);
598 	}
599 
600 	/* drop the packet if IPv6 operation is disabled on the IF */
601 	if ((ND_IFINFO(m->m_pkthdr.rcvif)->flags & ND6_IFF_IFDISABLED))
602 		goto bad;
603 
604 	in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_receive);
605 	IP6STAT_INC(ip6s_total);
606 
607 #ifndef PULLDOWN_TEST
608 	/*
609 	 * L2 bridge code and some other code can return mbuf chain
610 	 * that does not conform to KAME requirement.  too bad.
611 	 * XXX: fails to join if interface MTU > MCLBYTES.  jumbogram?
612 	 */
613 	if (m && m->m_next != NULL && m->m_pkthdr.len < MCLBYTES) {
614 		struct mbuf *n;
615 
616 		if (m->m_pkthdr.len > MHLEN)
617 			n = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
618 		else
619 			n = m_gethdr(M_NOWAIT, MT_DATA);
620 		if (n == NULL) {
621 			m_freem(m);
622 			return;	/* ENOBUFS */
623 		}
624 
625 		m_move_pkthdr(n, m);
626 		m_copydata(m, 0, n->m_pkthdr.len, mtod(n, caddr_t));
627 		n->m_len = n->m_pkthdr.len;
628 		m_freem(m);
629 		m = n;
630 	}
631 	IP6_EXTHDR_CHECK(m, 0, sizeof(struct ip6_hdr), /* nothing */);
632 #endif
633 
634 	if (m->m_len < sizeof(struct ip6_hdr)) {
635 		struct ifnet *inifp;
636 		inifp = m->m_pkthdr.rcvif;
637 		if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
638 			IP6STAT_INC(ip6s_toosmall);
639 			in6_ifstat_inc(inifp, ifs6_in_hdrerr);
640 			return;
641 		}
642 	}
643 
644 	ip6 = mtod(m, struct ip6_hdr *);
645 
646 	if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) {
647 		IP6STAT_INC(ip6s_badvers);
648 		in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
649 		goto bad;
650 	}
651 
652 	IP6STAT_INC(ip6s_nxthist[ip6->ip6_nxt]);
653 
654 	IP_PROBE(receive, NULL, NULL, ip6, m->m_pkthdr.rcvif, NULL, ip6);
655 
656 	/*
657 	 * Check against address spoofing/corruption.
658 	 */
659 	if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) ||
660 	    IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) {
661 		/*
662 		 * XXX: "badscope" is not very suitable for a multicast source.
663 		 */
664 		IP6STAT_INC(ip6s_badscope);
665 		in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
666 		goto bad;
667 	}
668 	if (IN6_IS_ADDR_MC_INTFACELOCAL(&ip6->ip6_dst) &&
669 	    !(m->m_flags & M_LOOP)) {
670 		/*
671 		 * In this case, the packet should come from the loopback
672 		 * interface.  However, we cannot just check the if_flags,
673 		 * because ip6_mloopback() passes the "actual" interface
674 		 * as the outgoing/incoming interface.
675 		 */
676 		IP6STAT_INC(ip6s_badscope);
677 		in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
678 		goto bad;
679 	}
680 	if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) &&
681 	    IPV6_ADDR_MC_SCOPE(&ip6->ip6_dst) == 0) {
682 		/*
683 		 * RFC4291 2.7:
684 		 * Nodes must not originate a packet to a multicast address
685 		 * whose scop field contains the reserved value 0; if such
686 		 * a packet is received, it must be silently dropped.
687 		 */
688 		IP6STAT_INC(ip6s_badscope);
689 		in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
690 		goto bad;
691 	}
692 #ifdef ALTQ
693 	if (altq_input != NULL && (*altq_input)(m, AF_INET6) == 0) {
694 		/* packet is dropped by traffic conditioner */
695 		return;
696 	}
697 #endif
698 	/*
699 	 * The following check is not documented in specs.  A malicious
700 	 * party may be able to use IPv4 mapped addr to confuse tcp/udp stack
701 	 * and bypass security checks (act as if it was from 127.0.0.1 by using
702 	 * IPv6 src ::ffff:127.0.0.1).  Be cautious.
703 	 *
704 	 * This check chokes if we are in an SIIT cloud.  As none of BSDs
705 	 * support IPv4-less kernel compilation, we cannot support SIIT
706 	 * environment at all.  So, it makes more sense for us to reject any
707 	 * malicious packets for non-SIIT environment, than try to do a
708 	 * partial support for SIIT environment.
709 	 */
710 	if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
711 	    IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
712 		IP6STAT_INC(ip6s_badscope);
713 		in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
714 		goto bad;
715 	}
716 #if 0
717 	/*
718 	 * Reject packets with IPv4 compatible addresses (auto tunnel).
719 	 *
720 	 * The code forbids auto tunnel relay case in RFC1933 (the check is
721 	 * stronger than RFC1933).  We may want to re-enable it if mech-xx
722 	 * is revised to forbid relaying case.
723 	 */
724 	if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) ||
725 	    IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {
726 		IP6STAT_INC(ip6s_badscope);
727 		in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
728 		goto bad;
729 	}
730 #endif
731 #ifdef IPSEC
732 	/*
733 	 * Bypass packet filtering for packets previously handled by IPsec.
734 	 */
735 	if (ip6_ipsec_filtertunnel(m))
736 		goto passin;
737 #endif /* IPSEC */
738 
739 	/*
740 	 * Run through list of hooks for input packets.
741 	 *
742 	 * NB: Beware of the destination address changing
743 	 *     (e.g. by NAT rewriting).  When this happens,
744 	 *     tell ip6_forward to do the right thing.
745 	 */
746 	odst = ip6->ip6_dst;
747 
748 	/* Jump over all PFIL processing if hooks are not active. */
749 	if (!PFIL_HOOKED(&V_inet6_pfil_hook))
750 		goto passin;
751 
752 	if (pfil_run_hooks(&V_inet6_pfil_hook, &m,
753 	    m->m_pkthdr.rcvif, PFIL_IN, NULL))
754 		return;
755 	if (m == NULL)			/* consumed by filter */
756 		return;
757 	ip6 = mtod(m, struct ip6_hdr *);
758 	srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst);
759 
760 	if (m->m_flags & M_FASTFWD_OURS) {
761 		m->m_flags &= ~M_FASTFWD_OURS;
762 		ours = 1;
763 		goto hbhcheck;
764 	}
765 	if ((m->m_flags & M_IP6_NEXTHOP) &&
766 	    m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) {
767 		/*
768 		 * Directly ship the packet on.  This allows forwarding
769 		 * packets originally destined to us to some other directly
770 		 * connected host.
771 		 */
772 		ip6_forward(m, 1);
773 		return;
774 	}
775 
776 passin:
777 	/*
778 	 * Disambiguate address scope zones (if there is ambiguity).
779 	 * We first make sure that the original source or destination address
780 	 * is not in our internal form for scoped addresses.  Such addresses
781 	 * are not necessarily invalid spec-wise, but we cannot accept them due
782 	 * to the usage conflict.
783 	 * in6_setscope() then also checks and rejects the cases where src or
784 	 * dst are the loopback address and the receiving interface
785 	 * is not loopback.
786 	 */
787 	if (in6_clearscope(&ip6->ip6_src) || in6_clearscope(&ip6->ip6_dst)) {
788 		IP6STAT_INC(ip6s_badscope); /* XXX */
789 		goto bad;
790 	}
791 	if (in6_setscope(&ip6->ip6_src, m->m_pkthdr.rcvif, NULL) ||
792 	    in6_setscope(&ip6->ip6_dst, m->m_pkthdr.rcvif, NULL)) {
793 		IP6STAT_INC(ip6s_badscope);
794 		goto bad;
795 	}
796 	/*
797 	 * Multicast check. Assume packet is for us to avoid
798 	 * prematurely taking locks.
799 	 */
800 	if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
801 		ours = 1;
802 		in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_mcast);
803 		goto hbhcheck;
804 	}
805 	/*
806 	 * Unicast check
807 	 * XXX: For now we keep link-local IPv6 addresses with embedded
808 	 *      scope zone id, therefore we use zero zoneid here.
809 	 */
810 	ia = in6ifa_ifwithaddr(&ip6->ip6_dst, 0 /* XXX */);
811 	if (ia != NULL) {
812 		if (ia->ia6_flags & IN6_IFF_NOTREADY) {
813 			char ip6bufs[INET6_ADDRSTRLEN];
814 			char ip6bufd[INET6_ADDRSTRLEN];
815 			/* address is not ready, so discard the packet. */
816 			nd6log((LOG_INFO,
817 			    "ip6_input: packet to an unready address %s->%s\n",
818 			    ip6_sprintf(ip6bufs, &ip6->ip6_src),
819 			    ip6_sprintf(ip6bufd, &ip6->ip6_dst)));
820 			ifa_free(&ia->ia_ifa);
821 			goto bad;
822 		}
823 		/* Count the packet in the ip address stats */
824 		counter_u64_add(ia->ia_ifa.ifa_ipackets, 1);
825 		counter_u64_add(ia->ia_ifa.ifa_ibytes, m->m_pkthdr.len);
826 		ifa_free(&ia->ia_ifa);
827 		ours = 1;
828 		goto hbhcheck;
829 	}
830 
831 	/*
832 	 * Now there is no reason to process the packet if it's not our own
833 	 * and we're not a router.
834 	 */
835 	if (!V_ip6_forwarding) {
836 		IP6STAT_INC(ip6s_cantforward);
837 		in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
838 		goto bad;
839 	}
840 
841   hbhcheck:
842 	/*
843 	 * Process Hop-by-Hop options header if it's contained.
844 	 * m may be modified in ip6_hopopts_input().
845 	 * If a JumboPayload option is included, plen will also be modified.
846 	 */
847 	plen = (u_int32_t)ntohs(ip6->ip6_plen);
848 	if (ip6->ip6_nxt == IPPROTO_HOPOPTS) {
849 		if (ip6_input_hbh(m, &plen, &rtalert, &off, &nxt, &ours) != 0)
850 			return;
851 	} else
852 		nxt = ip6->ip6_nxt;
853 
854 	/*
855 	 * Use mbuf flags to propagate Router Alert option to
856 	 * ICMPv6 layer, as hop-by-hop options have been stripped.
857 	 */
858 	if (rtalert != ~0)
859 		m->m_flags |= M_RTALERT_MLD;
860 
861 	/*
862 	 * Check that the amount of data in the buffers
863 	 * is as at least much as the IPv6 header would have us expect.
864 	 * Trim mbufs if longer than we expect.
865 	 * Drop packet if shorter than we expect.
866 	 */
867 	if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) {
868 		IP6STAT_INC(ip6s_tooshort);
869 		in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
870 		goto bad;
871 	}
872 	if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) {
873 		if (m->m_len == m->m_pkthdr.len) {
874 			m->m_len = sizeof(struct ip6_hdr) + plen;
875 			m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen;
876 		} else
877 			m_adj(m, sizeof(struct ip6_hdr) + plen - m->m_pkthdr.len);
878 	}
879 
880 	/*
881 	 * Forward if desirable.
882 	 */
883 	if (V_ip6_mrouter &&
884 	    IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
885 		/*
886 		 * If we are acting as a multicast router, all
887 		 * incoming multicast packets are passed to the
888 		 * kernel-level multicast forwarding function.
889 		 * The packet is returned (relatively) intact; if
890 		 * ip6_mforward() returns a non-zero value, the packet
891 		 * must be discarded, else it may be accepted below.
892 		 *
893 		 * XXX TODO: Check hlim and multicast scope here to avoid
894 		 * unnecessarily calling into ip6_mforward().
895 		 */
896 		if (ip6_mforward &&
897 		    ip6_mforward(ip6, m->m_pkthdr.rcvif, m)) {
898 			IP6STAT_INC(ip6s_cantforward);
899 			in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
900 			goto bad;
901 		}
902 	} else if (!ours) {
903 		ip6_forward(m, srcrt);
904 		return;
905 	}
906 
907 	ip6 = mtod(m, struct ip6_hdr *);
908 
909 	/*
910 	 * Malicious party may be able to use IPv4 mapped addr to confuse
911 	 * tcp/udp stack and bypass security checks (act as if it was from
912 	 * 127.0.0.1 by using IPv6 src ::ffff:127.0.0.1).  Be cautious.
913 	 *
914 	 * For SIIT end node behavior, you may want to disable the check.
915 	 * However, you will  become vulnerable to attacks using IPv4 mapped
916 	 * source.
917 	 */
918 	if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
919 	    IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
920 		IP6STAT_INC(ip6s_badscope);
921 		in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
922 		goto bad;
923 	}
924 
925 	/*
926 	 * Tell launch routine the next header
927 	 */
928 	IP6STAT_INC(ip6s_delivered);
929 	in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_deliver);
930 	nest = 0;
931 
932 	while (nxt != IPPROTO_DONE) {
933 		if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) {
934 			IP6STAT_INC(ip6s_toomanyhdr);
935 			goto bad;
936 		}
937 
938 		/*
939 		 * protection against faulty packet - there should be
940 		 * more sanity checks in header chain processing.
941 		 */
942 		if (m->m_pkthdr.len < off) {
943 			IP6STAT_INC(ip6s_tooshort);
944 			in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
945 			goto bad;
946 		}
947 
948 #ifdef IPSEC
949 		/*
950 		 * enforce IPsec policy checking if we are seeing last header.
951 		 * note that we do not visit this with protocols with pcb layer
952 		 * code - like udp/tcp/raw ip.
953 		 */
954 		if (ip6_ipsec_input(m, nxt))
955 			goto bad;
956 #endif /* IPSEC */
957 
958 		nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
959 	}
960 	return;
961 bad:
962 	m_freem(m);
963 }
964 
965 /*
966  * Hop-by-Hop options header processing. If a valid jumbo payload option is
967  * included, the real payload length will be stored in plenp.
968  *
969  * rtalertp - XXX: should be stored more smart way
970  */
971 static int
972 ip6_hopopts_input(u_int32_t *plenp, u_int32_t *rtalertp,
973     struct mbuf **mp, int *offp)
974 {
975 	struct mbuf *m = *mp;
976 	int off = *offp, hbhlen;
977 	struct ip6_hbh *hbh;
978 
979 	/* validation of the length of the header */
980 #ifndef PULLDOWN_TEST
981 	IP6_EXTHDR_CHECK(m, off, sizeof(*hbh), -1);
982 	hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off);
983 	hbhlen = (hbh->ip6h_len + 1) << 3;
984 
985 	IP6_EXTHDR_CHECK(m, off, hbhlen, -1);
986 	hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off);
987 #else
988 	IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m,
989 		sizeof(struct ip6_hdr), sizeof(struct ip6_hbh));
990 	if (hbh == NULL) {
991 		IP6STAT_INC(ip6s_tooshort);
992 		return -1;
993 	}
994 	hbhlen = (hbh->ip6h_len + 1) << 3;
995 	IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr),
996 		hbhlen);
997 	if (hbh == NULL) {
998 		IP6STAT_INC(ip6s_tooshort);
999 		return -1;
1000 	}
1001 #endif
1002 	off += hbhlen;
1003 	hbhlen -= sizeof(struct ip6_hbh);
1004 	if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh),
1005 				hbhlen, rtalertp, plenp) < 0)
1006 		return (-1);
1007 
1008 	*offp = off;
1009 	*mp = m;
1010 	return (0);
1011 }
1012 
1013 /*
1014  * Search header for all Hop-by-hop options and process each option.
1015  * This function is separate from ip6_hopopts_input() in order to
1016  * handle a case where the sending node itself process its hop-by-hop
1017  * options header. In such a case, the function is called from ip6_output().
1018  *
1019  * The function assumes that hbh header is located right after the IPv6 header
1020  * (RFC2460 p7), opthead is pointer into data content in m, and opthead to
1021  * opthead + hbhlen is located in contiguous memory region.
1022  */
1023 int
1024 ip6_process_hopopts(struct mbuf *m, u_int8_t *opthead, int hbhlen,
1025     u_int32_t *rtalertp, u_int32_t *plenp)
1026 {
1027 	struct ip6_hdr *ip6;
1028 	int optlen = 0;
1029 	u_int8_t *opt = opthead;
1030 	u_int16_t rtalert_val;
1031 	u_int32_t jumboplen;
1032 	const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh);
1033 
1034 	for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) {
1035 		switch (*opt) {
1036 		case IP6OPT_PAD1:
1037 			optlen = 1;
1038 			break;
1039 		case IP6OPT_PADN:
1040 			if (hbhlen < IP6OPT_MINLEN) {
1041 				IP6STAT_INC(ip6s_toosmall);
1042 				goto bad;
1043 			}
1044 			optlen = *(opt + 1) + 2;
1045 			break;
1046 		case IP6OPT_ROUTER_ALERT:
1047 			/* XXX may need check for alignment */
1048 			if (hbhlen < IP6OPT_RTALERT_LEN) {
1049 				IP6STAT_INC(ip6s_toosmall);
1050 				goto bad;
1051 			}
1052 			if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) {
1053 				/* XXX stat */
1054 				icmp6_error(m, ICMP6_PARAM_PROB,
1055 				    ICMP6_PARAMPROB_HEADER,
1056 				    erroff + opt + 1 - opthead);
1057 				return (-1);
1058 			}
1059 			optlen = IP6OPT_RTALERT_LEN;
1060 			bcopy((caddr_t)(opt + 2), (caddr_t)&rtalert_val, 2);
1061 			*rtalertp = ntohs(rtalert_val);
1062 			break;
1063 		case IP6OPT_JUMBO:
1064 			/* XXX may need check for alignment */
1065 			if (hbhlen < IP6OPT_JUMBO_LEN) {
1066 				IP6STAT_INC(ip6s_toosmall);
1067 				goto bad;
1068 			}
1069 			if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) {
1070 				/* XXX stat */
1071 				icmp6_error(m, ICMP6_PARAM_PROB,
1072 				    ICMP6_PARAMPROB_HEADER,
1073 				    erroff + opt + 1 - opthead);
1074 				return (-1);
1075 			}
1076 			optlen = IP6OPT_JUMBO_LEN;
1077 
1078 			/*
1079 			 * IPv6 packets that have non 0 payload length
1080 			 * must not contain a jumbo payload option.
1081 			 */
1082 			ip6 = mtod(m, struct ip6_hdr *);
1083 			if (ip6->ip6_plen) {
1084 				IP6STAT_INC(ip6s_badoptions);
1085 				icmp6_error(m, ICMP6_PARAM_PROB,
1086 				    ICMP6_PARAMPROB_HEADER,
1087 				    erroff + opt - opthead);
1088 				return (-1);
1089 			}
1090 
1091 			/*
1092 			 * We may see jumbolen in unaligned location, so
1093 			 * we'd need to perform bcopy().
1094 			 */
1095 			bcopy(opt + 2, &jumboplen, sizeof(jumboplen));
1096 			jumboplen = (u_int32_t)htonl(jumboplen);
1097 
1098 #if 1
1099 			/*
1100 			 * if there are multiple jumbo payload options,
1101 			 * *plenp will be non-zero and the packet will be
1102 			 * rejected.
1103 			 * the behavior may need some debate in ipngwg -
1104 			 * multiple options does not make sense, however,
1105 			 * there's no explicit mention in specification.
1106 			 */
1107 			if (*plenp != 0) {
1108 				IP6STAT_INC(ip6s_badoptions);
1109 				icmp6_error(m, ICMP6_PARAM_PROB,
1110 				    ICMP6_PARAMPROB_HEADER,
1111 				    erroff + opt + 2 - opthead);
1112 				return (-1);
1113 			}
1114 #endif
1115 
1116 			/*
1117 			 * jumbo payload length must be larger than 65535.
1118 			 */
1119 			if (jumboplen <= IPV6_MAXPACKET) {
1120 				IP6STAT_INC(ip6s_badoptions);
1121 				icmp6_error(m, ICMP6_PARAM_PROB,
1122 				    ICMP6_PARAMPROB_HEADER,
1123 				    erroff + opt + 2 - opthead);
1124 				return (-1);
1125 			}
1126 			*plenp = jumboplen;
1127 
1128 			break;
1129 		default:		/* unknown option */
1130 			if (hbhlen < IP6OPT_MINLEN) {
1131 				IP6STAT_INC(ip6s_toosmall);
1132 				goto bad;
1133 			}
1134 			optlen = ip6_unknown_opt(opt, m,
1135 			    erroff + opt - opthead);
1136 			if (optlen == -1)
1137 				return (-1);
1138 			optlen += 2;
1139 			break;
1140 		}
1141 	}
1142 
1143 	return (0);
1144 
1145   bad:
1146 	m_freem(m);
1147 	return (-1);
1148 }
1149 
1150 /*
1151  * Unknown option processing.
1152  * The third argument `off' is the offset from the IPv6 header to the option,
1153  * which is necessary if the IPv6 header the and option header and IPv6 header
1154  * is not contiguous in order to return an ICMPv6 error.
1155  */
1156 int
1157 ip6_unknown_opt(u_int8_t *optp, struct mbuf *m, int off)
1158 {
1159 	struct ip6_hdr *ip6;
1160 
1161 	switch (IP6OPT_TYPE(*optp)) {
1162 	case IP6OPT_TYPE_SKIP: /* ignore the option */
1163 		return ((int)*(optp + 1));
1164 	case IP6OPT_TYPE_DISCARD:	/* silently discard */
1165 		m_freem(m);
1166 		return (-1);
1167 	case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */
1168 		IP6STAT_INC(ip6s_badoptions);
1169 		icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off);
1170 		return (-1);
1171 	case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */
1172 		IP6STAT_INC(ip6s_badoptions);
1173 		ip6 = mtod(m, struct ip6_hdr *);
1174 		if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
1175 		    (m->m_flags & (M_BCAST|M_MCAST)))
1176 			m_freem(m);
1177 		else
1178 			icmp6_error(m, ICMP6_PARAM_PROB,
1179 				    ICMP6_PARAMPROB_OPTION, off);
1180 		return (-1);
1181 	}
1182 
1183 	m_freem(m);		/* XXX: NOTREACHED */
1184 	return (-1);
1185 }
1186 
1187 /*
1188  * Create the "control" list for this pcb.
1189  * These functions will not modify mbuf chain at all.
1190  *
1191  * With KAME mbuf chain restriction:
1192  * The routine will be called from upper layer handlers like tcp6_input().
1193  * Thus the routine assumes that the caller (tcp6_input) have already
1194  * called IP6_EXTHDR_CHECK() and all the extension headers are located in the
1195  * very first mbuf on the mbuf chain.
1196  *
1197  * ip6_savecontrol_v4 will handle those options that are possible to be
1198  * set on a v4-mapped socket.
1199  * ip6_savecontrol will directly call ip6_savecontrol_v4 to handle those
1200  * options and handle the v6-only ones itself.
1201  */
1202 struct mbuf **
1203 ip6_savecontrol_v4(struct inpcb *inp, struct mbuf *m, struct mbuf **mp,
1204     int *v4only)
1205 {
1206 	struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
1207 
1208 #ifdef SO_TIMESTAMP
1209 	if ((inp->inp_socket->so_options & SO_TIMESTAMP) != 0) {
1210 		struct timeval tv;
1211 
1212 		microtime(&tv);
1213 		*mp = sbcreatecontrol((caddr_t) &tv, sizeof(tv),
1214 		    SCM_TIMESTAMP, SOL_SOCKET);
1215 		if (*mp)
1216 			mp = &(*mp)->m_next;
1217 	}
1218 #endif
1219 
1220 #define IS2292(inp, x, y)	(((inp)->inp_flags & IN6P_RFC2292) ? (x) : (y))
1221 	/* RFC 2292 sec. 5 */
1222 	if ((inp->inp_flags & IN6P_PKTINFO) != 0) {
1223 		struct in6_pktinfo pi6;
1224 
1225 		if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) {
1226 #ifdef INET
1227 			struct ip *ip;
1228 
1229 			ip = mtod(m, struct ip *);
1230 			pi6.ipi6_addr.s6_addr32[0] = 0;
1231 			pi6.ipi6_addr.s6_addr32[1] = 0;
1232 			pi6.ipi6_addr.s6_addr32[2] = IPV6_ADDR_INT32_SMP;
1233 			pi6.ipi6_addr.s6_addr32[3] = ip->ip_dst.s_addr;
1234 #else
1235 			/* We won't hit this code */
1236 			bzero(&pi6.ipi6_addr, sizeof(struct in6_addr));
1237 #endif
1238 		} else {
1239 			bcopy(&ip6->ip6_dst, &pi6.ipi6_addr, sizeof(struct in6_addr));
1240 			in6_clearscope(&pi6.ipi6_addr);	/* XXX */
1241 		}
1242 		pi6.ipi6_ifindex =
1243 		    (m && m->m_pkthdr.rcvif) ? m->m_pkthdr.rcvif->if_index : 0;
1244 
1245 		*mp = sbcreatecontrol((caddr_t) &pi6,
1246 		    sizeof(struct in6_pktinfo),
1247 		    IS2292(inp, IPV6_2292PKTINFO, IPV6_PKTINFO), IPPROTO_IPV6);
1248 		if (*mp)
1249 			mp = &(*mp)->m_next;
1250 	}
1251 
1252 	if ((inp->inp_flags & IN6P_HOPLIMIT) != 0) {
1253 		int hlim;
1254 
1255 		if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) {
1256 #ifdef INET
1257 			struct ip *ip;
1258 
1259 			ip = mtod(m, struct ip *);
1260 			hlim = ip->ip_ttl;
1261 #else
1262 			/* We won't hit this code */
1263 			hlim = 0;
1264 #endif
1265 		} else {
1266 			hlim = ip6->ip6_hlim & 0xff;
1267 		}
1268 		*mp = sbcreatecontrol((caddr_t) &hlim, sizeof(int),
1269 		    IS2292(inp, IPV6_2292HOPLIMIT, IPV6_HOPLIMIT),
1270 		    IPPROTO_IPV6);
1271 		if (*mp)
1272 			mp = &(*mp)->m_next;
1273 	}
1274 
1275 	if ((inp->inp_flags & IN6P_TCLASS) != 0) {
1276 		int tclass;
1277 
1278 		if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) {
1279 #ifdef INET
1280 			struct ip *ip;
1281 
1282 			ip = mtod(m, struct ip *);
1283 			tclass = ip->ip_tos;
1284 #else
1285 			/* We won't hit this code */
1286 			tclass = 0;
1287 #endif
1288 		} else {
1289 			u_int32_t flowinfo;
1290 
1291 			flowinfo = (u_int32_t)ntohl(ip6->ip6_flow & IPV6_FLOWINFO_MASK);
1292 			flowinfo >>= 20;
1293 			tclass = flowinfo & 0xff;
1294 		}
1295 		*mp = sbcreatecontrol((caddr_t) &tclass, sizeof(int),
1296 		    IPV6_TCLASS, IPPROTO_IPV6);
1297 		if (*mp)
1298 			mp = &(*mp)->m_next;
1299 	}
1300 
1301 	if (v4only != NULL) {
1302 		if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) {
1303 			*v4only = 1;
1304 		} else {
1305 			*v4only = 0;
1306 		}
1307 	}
1308 
1309 	return (mp);
1310 }
1311 
1312 void
1313 ip6_savecontrol(struct inpcb *in6p, struct mbuf *m, struct mbuf **mp)
1314 {
1315 	struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
1316 	int v4only = 0;
1317 
1318 	mp = ip6_savecontrol_v4(in6p, m, mp, &v4only);
1319 	if (v4only)
1320 		return;
1321 
1322 	/*
1323 	 * IPV6_HOPOPTS socket option.  Recall that we required super-user
1324 	 * privilege for the option (see ip6_ctloutput), but it might be too
1325 	 * strict, since there might be some hop-by-hop options which can be
1326 	 * returned to normal user.
1327 	 * See also RFC 2292 section 6 (or RFC 3542 section 8).
1328 	 */
1329 	if ((in6p->inp_flags & IN6P_HOPOPTS) != 0) {
1330 		/*
1331 		 * Check if a hop-by-hop options header is contatined in the
1332 		 * received packet, and if so, store the options as ancillary
1333 		 * data. Note that a hop-by-hop options header must be
1334 		 * just after the IPv6 header, which is assured through the
1335 		 * IPv6 input processing.
1336 		 */
1337 		if (ip6->ip6_nxt == IPPROTO_HOPOPTS) {
1338 			struct ip6_hbh *hbh;
1339 			int hbhlen = 0;
1340 #ifdef PULLDOWN_TEST
1341 			struct mbuf *ext;
1342 #endif
1343 
1344 #ifndef PULLDOWN_TEST
1345 			hbh = (struct ip6_hbh *)(ip6 + 1);
1346 			hbhlen = (hbh->ip6h_len + 1) << 3;
1347 #else
1348 			ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr),
1349 			    ip6->ip6_nxt);
1350 			if (ext == NULL) {
1351 				IP6STAT_INC(ip6s_tooshort);
1352 				return;
1353 			}
1354 			hbh = mtod(ext, struct ip6_hbh *);
1355 			hbhlen = (hbh->ip6h_len + 1) << 3;
1356 			if (hbhlen != ext->m_len) {
1357 				m_freem(ext);
1358 				IP6STAT_INC(ip6s_tooshort);
1359 				return;
1360 			}
1361 #endif
1362 
1363 			/*
1364 			 * XXX: We copy the whole header even if a
1365 			 * jumbo payload option is included, the option which
1366 			 * is to be removed before returning according to
1367 			 * RFC2292.
1368 			 * Note: this constraint is removed in RFC3542
1369 			 */
1370 			*mp = sbcreatecontrol((caddr_t)hbh, hbhlen,
1371 			    IS2292(in6p, IPV6_2292HOPOPTS, IPV6_HOPOPTS),
1372 			    IPPROTO_IPV6);
1373 			if (*mp)
1374 				mp = &(*mp)->m_next;
1375 #ifdef PULLDOWN_TEST
1376 			m_freem(ext);
1377 #endif
1378 		}
1379 	}
1380 
1381 	if ((in6p->inp_flags & (IN6P_RTHDR | IN6P_DSTOPTS)) != 0) {
1382 		int nxt = ip6->ip6_nxt, off = sizeof(struct ip6_hdr);
1383 
1384 		/*
1385 		 * Search for destination options headers or routing
1386 		 * header(s) through the header chain, and stores each
1387 		 * header as ancillary data.
1388 		 * Note that the order of the headers remains in
1389 		 * the chain of ancillary data.
1390 		 */
1391 		while (1) {	/* is explicit loop prevention necessary? */
1392 			struct ip6_ext *ip6e = NULL;
1393 			int elen;
1394 #ifdef PULLDOWN_TEST
1395 			struct mbuf *ext = NULL;
1396 #endif
1397 
1398 			/*
1399 			 * if it is not an extension header, don't try to
1400 			 * pull it from the chain.
1401 			 */
1402 			switch (nxt) {
1403 			case IPPROTO_DSTOPTS:
1404 			case IPPROTO_ROUTING:
1405 			case IPPROTO_HOPOPTS:
1406 			case IPPROTO_AH: /* is it possible? */
1407 				break;
1408 			default:
1409 				goto loopend;
1410 			}
1411 
1412 #ifndef PULLDOWN_TEST
1413 			if (off + sizeof(*ip6e) > m->m_len)
1414 				goto loopend;
1415 			ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + off);
1416 			if (nxt == IPPROTO_AH)
1417 				elen = (ip6e->ip6e_len + 2) << 2;
1418 			else
1419 				elen = (ip6e->ip6e_len + 1) << 3;
1420 			if (off + elen > m->m_len)
1421 				goto loopend;
1422 #else
1423 			ext = ip6_pullexthdr(m, off, nxt);
1424 			if (ext == NULL) {
1425 				IP6STAT_INC(ip6s_tooshort);
1426 				return;
1427 			}
1428 			ip6e = mtod(ext, struct ip6_ext *);
1429 			if (nxt == IPPROTO_AH)
1430 				elen = (ip6e->ip6e_len + 2) << 2;
1431 			else
1432 				elen = (ip6e->ip6e_len + 1) << 3;
1433 			if (elen != ext->m_len) {
1434 				m_freem(ext);
1435 				IP6STAT_INC(ip6s_tooshort);
1436 				return;
1437 			}
1438 #endif
1439 
1440 			switch (nxt) {
1441 			case IPPROTO_DSTOPTS:
1442 				if (!(in6p->inp_flags & IN6P_DSTOPTS))
1443 					break;
1444 
1445 				*mp = sbcreatecontrol((caddr_t)ip6e, elen,
1446 				    IS2292(in6p,
1447 					IPV6_2292DSTOPTS, IPV6_DSTOPTS),
1448 				    IPPROTO_IPV6);
1449 				if (*mp)
1450 					mp = &(*mp)->m_next;
1451 				break;
1452 			case IPPROTO_ROUTING:
1453 				if (!(in6p->inp_flags & IN6P_RTHDR))
1454 					break;
1455 
1456 				*mp = sbcreatecontrol((caddr_t)ip6e, elen,
1457 				    IS2292(in6p, IPV6_2292RTHDR, IPV6_RTHDR),
1458 				    IPPROTO_IPV6);
1459 				if (*mp)
1460 					mp = &(*mp)->m_next;
1461 				break;
1462 			case IPPROTO_HOPOPTS:
1463 			case IPPROTO_AH: /* is it possible? */
1464 				break;
1465 
1466 			default:
1467 				/*
1468 				 * other cases have been filtered in the above.
1469 				 * none will visit this case.  here we supply
1470 				 * the code just in case (nxt overwritten or
1471 				 * other cases).
1472 				 */
1473 #ifdef PULLDOWN_TEST
1474 				m_freem(ext);
1475 #endif
1476 				goto loopend;
1477 
1478 			}
1479 
1480 			/* proceed with the next header. */
1481 			off += elen;
1482 			nxt = ip6e->ip6e_nxt;
1483 			ip6e = NULL;
1484 #ifdef PULLDOWN_TEST
1485 			m_freem(ext);
1486 			ext = NULL;
1487 #endif
1488 		}
1489 	  loopend:
1490 		;
1491 	}
1492 
1493 	if (in6p->inp_flags2 & INP_RECVFLOWID) {
1494 		uint32_t flowid, flow_type;
1495 
1496 		flowid = m->m_pkthdr.flowid;
1497 		flow_type = M_HASHTYPE_GET(m);
1498 
1499 		/*
1500 		 * XXX should handle the failure of one or the
1501 		 * other - don't populate both?
1502 		 */
1503 		*mp = sbcreatecontrol((caddr_t) &flowid,
1504 		    sizeof(uint32_t), IPV6_FLOWID, IPPROTO_IPV6);
1505 		if (*mp)
1506 			mp = &(*mp)->m_next;
1507 		*mp = sbcreatecontrol((caddr_t) &flow_type,
1508 		    sizeof(uint32_t), IPV6_FLOWTYPE, IPPROTO_IPV6);
1509 		if (*mp)
1510 			mp = &(*mp)->m_next;
1511 	}
1512 
1513 #ifdef	RSS
1514 	if (in6p->inp_flags2 & INP_RECVRSSBUCKETID) {
1515 		uint32_t flowid, flow_type;
1516 		uint32_t rss_bucketid;
1517 
1518 		flowid = m->m_pkthdr.flowid;
1519 		flow_type = M_HASHTYPE_GET(m);
1520 
1521 		if (rss_hash2bucket(flowid, flow_type, &rss_bucketid) == 0) {
1522 			*mp = sbcreatecontrol((caddr_t) &rss_bucketid,
1523 			   sizeof(uint32_t), IPV6_RSSBUCKETID, IPPROTO_IPV6);
1524 			if (*mp)
1525 				mp = &(*mp)->m_next;
1526 		}
1527 	}
1528 #endif
1529 
1530 }
1531 #undef IS2292
1532 
1533 void
1534 ip6_notify_pmtu(struct inpcb *inp, struct sockaddr_in6 *dst, u_int32_t mtu)
1535 {
1536 	struct socket *so;
1537 	struct mbuf *m_mtu;
1538 	struct ip6_mtuinfo mtuctl;
1539 
1540 	KASSERT(inp != NULL, ("%s: inp == NULL", __func__));
1541 	/*
1542 	 * Notify the error by sending IPV6_PATHMTU ancillary data if
1543 	 * application wanted to know the MTU value.
1544 	 * NOTE: we notify disconnected sockets, because some udp
1545 	 * applications keep sending sockets disconnected.
1546 	 * NOTE: our implementation doesn't notify connected sockets that has
1547 	 * foreign address that is different than given destination addresses
1548 	 * (this is permitted by RFC 3542).
1549 	 */
1550 	if ((inp->inp_flags & IN6P_MTU) == 0 || (
1551 	    !IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_faddr) &&
1552 	    !IN6_ARE_ADDR_EQUAL(&inp->in6p_faddr, &dst->sin6_addr)))
1553 		return;
1554 
1555 	mtuctl.ip6m_mtu = mtu;
1556 	mtuctl.ip6m_addr = *dst;
1557 	if (sa6_recoverscope(&mtuctl.ip6m_addr))
1558 		return;
1559 
1560 	if ((m_mtu = sbcreatecontrol((caddr_t)&mtuctl, sizeof(mtuctl),
1561 	    IPV6_PATHMTU, IPPROTO_IPV6)) == NULL)
1562 		return;
1563 
1564 	so =  inp->inp_socket;
1565 	if (sbappendaddr(&so->so_rcv, (struct sockaddr *)dst, NULL, m_mtu)
1566 	    == 0) {
1567 		m_freem(m_mtu);
1568 		/* XXX: should count statistics */
1569 	} else
1570 		sorwakeup(so);
1571 }
1572 
1573 #ifdef PULLDOWN_TEST
1574 /*
1575  * pull single extension header from mbuf chain.  returns single mbuf that
1576  * contains the result, or NULL on error.
1577  */
1578 static struct mbuf *
1579 ip6_pullexthdr(struct mbuf *m, size_t off, int nxt)
1580 {
1581 	struct ip6_ext ip6e;
1582 	size_t elen;
1583 	struct mbuf *n;
1584 
1585 #ifdef DIAGNOSTIC
1586 	switch (nxt) {
1587 	case IPPROTO_DSTOPTS:
1588 	case IPPROTO_ROUTING:
1589 	case IPPROTO_HOPOPTS:
1590 	case IPPROTO_AH: /* is it possible? */
1591 		break;
1592 	default:
1593 		printf("ip6_pullexthdr: invalid nxt=%d\n", nxt);
1594 	}
1595 #endif
1596 
1597 	m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1598 	if (nxt == IPPROTO_AH)
1599 		elen = (ip6e.ip6e_len + 2) << 2;
1600 	else
1601 		elen = (ip6e.ip6e_len + 1) << 3;
1602 
1603 	if (elen > MLEN)
1604 		n = m_getcl(M_NOWAIT, MT_DATA, 0);
1605 	else
1606 		n = m_get(M_NOWAIT, MT_DATA);
1607 	if (n == NULL)
1608 		return NULL;
1609 
1610 	m_copydata(m, off, elen, mtod(n, caddr_t));
1611 	n->m_len = elen;
1612 	return n;
1613 }
1614 #endif
1615 
1616 /*
1617  * Get pointer to the previous header followed by the header
1618  * currently processed.
1619  * XXX: This function supposes that
1620  *	M includes all headers,
1621  *	the next header field and the header length field of each header
1622  *	are valid, and
1623  *	the sum of each header length equals to OFF.
1624  * Because of these assumptions, this function must be called very
1625  * carefully. Moreover, it will not be used in the near future when
1626  * we develop `neater' mechanism to process extension headers.
1627  */
1628 char *
1629 ip6_get_prevhdr(const struct mbuf *m, int off)
1630 {
1631 	struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
1632 
1633 	if (off == sizeof(struct ip6_hdr))
1634 		return (&ip6->ip6_nxt);
1635 	else {
1636 		int len, nxt;
1637 		struct ip6_ext *ip6e = NULL;
1638 
1639 		nxt = ip6->ip6_nxt;
1640 		len = sizeof(struct ip6_hdr);
1641 		while (len < off) {
1642 			ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + len);
1643 
1644 			switch (nxt) {
1645 			case IPPROTO_FRAGMENT:
1646 				len += sizeof(struct ip6_frag);
1647 				break;
1648 			case IPPROTO_AH:
1649 				len += (ip6e->ip6e_len + 2) << 2;
1650 				break;
1651 			default:
1652 				len += (ip6e->ip6e_len + 1) << 3;
1653 				break;
1654 			}
1655 			nxt = ip6e->ip6e_nxt;
1656 		}
1657 		if (ip6e)
1658 			return (&ip6e->ip6e_nxt);
1659 		else
1660 			return NULL;
1661 	}
1662 }
1663 
1664 /*
1665  * get next header offset.  m will be retained.
1666  */
1667 int
1668 ip6_nexthdr(const struct mbuf *m, int off, int proto, int *nxtp)
1669 {
1670 	struct ip6_hdr ip6;
1671 	struct ip6_ext ip6e;
1672 	struct ip6_frag fh;
1673 
1674 	/* just in case */
1675 	if (m == NULL)
1676 		panic("ip6_nexthdr: m == NULL");
1677 	if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off)
1678 		return -1;
1679 
1680 	switch (proto) {
1681 	case IPPROTO_IPV6:
1682 		if (m->m_pkthdr.len < off + sizeof(ip6))
1683 			return -1;
1684 		m_copydata(m, off, sizeof(ip6), (caddr_t)&ip6);
1685 		if (nxtp)
1686 			*nxtp = ip6.ip6_nxt;
1687 		off += sizeof(ip6);
1688 		return off;
1689 
1690 	case IPPROTO_FRAGMENT:
1691 		/*
1692 		 * terminate parsing if it is not the first fragment,
1693 		 * it does not make sense to parse through it.
1694 		 */
1695 		if (m->m_pkthdr.len < off + sizeof(fh))
1696 			return -1;
1697 		m_copydata(m, off, sizeof(fh), (caddr_t)&fh);
1698 		/* IP6F_OFF_MASK = 0xfff8(BigEndian), 0xf8ff(LittleEndian) */
1699 		if (fh.ip6f_offlg & IP6F_OFF_MASK)
1700 			return -1;
1701 		if (nxtp)
1702 			*nxtp = fh.ip6f_nxt;
1703 		off += sizeof(struct ip6_frag);
1704 		return off;
1705 
1706 	case IPPROTO_AH:
1707 		if (m->m_pkthdr.len < off + sizeof(ip6e))
1708 			return -1;
1709 		m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1710 		if (nxtp)
1711 			*nxtp = ip6e.ip6e_nxt;
1712 		off += (ip6e.ip6e_len + 2) << 2;
1713 		return off;
1714 
1715 	case IPPROTO_HOPOPTS:
1716 	case IPPROTO_ROUTING:
1717 	case IPPROTO_DSTOPTS:
1718 		if (m->m_pkthdr.len < off + sizeof(ip6e))
1719 			return -1;
1720 		m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1721 		if (nxtp)
1722 			*nxtp = ip6e.ip6e_nxt;
1723 		off += (ip6e.ip6e_len + 1) << 3;
1724 		return off;
1725 
1726 	case IPPROTO_NONE:
1727 	case IPPROTO_ESP:
1728 	case IPPROTO_IPCOMP:
1729 		/* give up */
1730 		return -1;
1731 
1732 	default:
1733 		return -1;
1734 	}
1735 
1736 	/* NOTREACHED */
1737 }
1738 
1739 /*
1740  * get offset for the last header in the chain.  m will be kept untainted.
1741  */
1742 int
1743 ip6_lasthdr(const struct mbuf *m, int off, int proto, int *nxtp)
1744 {
1745 	int newoff;
1746 	int nxt;
1747 
1748 	if (!nxtp) {
1749 		nxt = -1;
1750 		nxtp = &nxt;
1751 	}
1752 	while (1) {
1753 		newoff = ip6_nexthdr(m, off, proto, nxtp);
1754 		if (newoff < 0)
1755 			return off;
1756 		else if (newoff < off)
1757 			return -1;	/* invalid */
1758 		else if (newoff == off)
1759 			return newoff;
1760 
1761 		off = newoff;
1762 		proto = *nxtp;
1763 	}
1764 }
1765 
1766 /*
1767  * System control for IP6
1768  */
1769 
1770 u_char	inet6ctlerrmap[PRC_NCMDS] = {
1771 	0,		0,		0,		0,
1772 	0,		EMSGSIZE,	EHOSTDOWN,	EHOSTUNREACH,
1773 	EHOSTUNREACH,	EHOSTUNREACH,	ECONNREFUSED,	ECONNREFUSED,
1774 	EMSGSIZE,	EHOSTUNREACH,	0,		0,
1775 	0,		0,		0,		0,
1776 	ENOPROTOOPT
1777 };
1778