1 /*- 2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the project nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 * $KAME: ip6_input.c,v 1.259 2002/01/21 04:58:09 jinmei Exp $ 30 */ 31 32 /*- 33 * Copyright (c) 1982, 1986, 1988, 1993 34 * The Regents of the University of California. All rights reserved. 35 * 36 * Redistribution and use in source and binary forms, with or without 37 * modification, are permitted provided that the following conditions 38 * are met: 39 * 1. Redistributions of source code must retain the above copyright 40 * notice, this list of conditions and the following disclaimer. 41 * 2. Redistributions in binary form must reproduce the above copyright 42 * notice, this list of conditions and the following disclaimer in the 43 * documentation and/or other materials provided with the distribution. 44 * 4. Neither the name of the University nor the names of its contributors 45 * may be used to endorse or promote products derived from this software 46 * without specific prior written permission. 47 * 48 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 49 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 50 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 51 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 52 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 53 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 54 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 55 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 56 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 57 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 58 * SUCH DAMAGE. 59 * 60 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 61 */ 62 63 #include <sys/cdefs.h> 64 __FBSDID("$FreeBSD$"); 65 66 #include "opt_inet.h" 67 #include "opt_inet6.h" 68 #include "opt_ipfw.h" 69 #include "opt_ipsec.h" 70 #include "opt_route.h" 71 72 #include <sys/param.h> 73 #include <sys/systm.h> 74 #include <sys/malloc.h> 75 #include <sys/mbuf.h> 76 #include <sys/proc.h> 77 #include <sys/domain.h> 78 #include <sys/protosw.h> 79 #include <sys/sdt.h> 80 #include <sys/socket.h> 81 #include <sys/socketvar.h> 82 #include <sys/errno.h> 83 #include <sys/time.h> 84 #include <sys/kernel.h> 85 #include <sys/lock.h> 86 #include <sys/rmlock.h> 87 #include <sys/syslog.h> 88 89 #include <net/if.h> 90 #include <net/if_var.h> 91 #include <net/if_types.h> 92 #include <net/if_dl.h> 93 #include <net/route.h> 94 #include <net/netisr.h> 95 #include <net/pfil.h> 96 #include <net/vnet.h> 97 98 #include <netinet/in.h> 99 #include <netinet/in_kdtrace.h> 100 #include <netinet/ip_var.h> 101 #include <netinet/in_systm.h> 102 #include <net/if_llatbl.h> 103 #ifdef INET 104 #include <netinet/ip.h> 105 #include <netinet/ip_icmp.h> 106 #endif /* INET */ 107 #include <netinet/ip6.h> 108 #include <netinet6/in6_var.h> 109 #include <netinet6/ip6_var.h> 110 #include <netinet/in_pcb.h> 111 #include <netinet/icmp6.h> 112 #include <netinet6/scope6_var.h> 113 #include <netinet6/in6_ifattach.h> 114 #include <netinet6/nd6.h> 115 116 #ifdef IPSEC 117 #include <netipsec/ipsec.h> 118 #include <netinet6/ip6_ipsec.h> 119 #include <netipsec/ipsec6.h> 120 #endif /* IPSEC */ 121 122 #include <netinet6/ip6protosw.h> 123 124 extern struct domain inet6domain; 125 126 u_char ip6_protox[IPPROTO_MAX]; 127 VNET_DEFINE(struct in6_ifaddrhead, in6_ifaddrhead); 128 VNET_DEFINE(struct in6_ifaddrlisthead *, in6_ifaddrhashtbl); 129 VNET_DEFINE(u_long, in6_ifaddrhmask); 130 131 static struct netisr_handler ip6_nh = { 132 .nh_name = "ip6", 133 .nh_handler = ip6_input, 134 .nh_proto = NETISR_IPV6, 135 .nh_policy = NETISR_POLICY_FLOW, 136 }; 137 138 VNET_DECLARE(struct callout, in6_tmpaddrtimer_ch); 139 #define V_in6_tmpaddrtimer_ch VNET(in6_tmpaddrtimer_ch) 140 141 VNET_DEFINE(struct pfil_head, inet6_pfil_hook); 142 143 VNET_PCPUSTAT_DEFINE(struct ip6stat, ip6stat); 144 VNET_PCPUSTAT_SYSINIT(ip6stat); 145 #ifdef VIMAGE 146 VNET_PCPUSTAT_SYSUNINIT(ip6stat); 147 #endif /* VIMAGE */ 148 149 struct rmlock in6_ifaddr_lock; 150 RM_SYSINIT(in6_ifaddr_lock, &in6_ifaddr_lock, "in6_ifaddr_lock"); 151 152 static void ip6_init2(void *); 153 static int ip6_hopopts_input(u_int32_t *, u_int32_t *, struct mbuf **, int *); 154 #ifdef PULLDOWN_TEST 155 static struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int); 156 #endif 157 158 /* 159 * IP6 initialization: fill in IP6 protocol switch table. 160 * All protocols not implemented in kernel go to raw IP6 protocol handler. 161 */ 162 void 163 ip6_init(void) 164 { 165 struct protosw *pr; 166 int i; 167 168 TUNABLE_INT_FETCH("net.inet6.ip6.auto_linklocal", 169 &V_ip6_auto_linklocal); 170 TUNABLE_INT_FETCH("net.inet6.ip6.accept_rtadv", &V_ip6_accept_rtadv); 171 TUNABLE_INT_FETCH("net.inet6.ip6.no_radr", &V_ip6_no_radr); 172 173 TAILQ_INIT(&V_in6_ifaddrhead); 174 V_in6_ifaddrhashtbl = hashinit(IN6ADDR_NHASH, M_IFADDR, 175 &V_in6_ifaddrhmask); 176 177 /* Initialize packet filter hooks. */ 178 V_inet6_pfil_hook.ph_type = PFIL_TYPE_AF; 179 V_inet6_pfil_hook.ph_af = AF_INET6; 180 if ((i = pfil_head_register(&V_inet6_pfil_hook)) != 0) 181 printf("%s: WARNING: unable to register pfil hook, " 182 "error %d\n", __func__, i); 183 184 scope6_init(); 185 addrsel_policy_init(); 186 nd6_init(); 187 frag6_init(); 188 189 V_ip6_desync_factor = arc4random() % MAX_TEMP_DESYNC_FACTOR; 190 191 /* Skip global initialization stuff for non-default instances. */ 192 if (!IS_DEFAULT_VNET(curvnet)) 193 return; 194 195 pr = pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW); 196 if (pr == NULL) 197 panic("ip6_init"); 198 199 /* Initialize the entire ip6_protox[] array to IPPROTO_RAW. */ 200 for (i = 0; i < IPPROTO_MAX; i++) 201 ip6_protox[i] = pr - inet6sw; 202 /* 203 * Cycle through IP protocols and put them into the appropriate place 204 * in ip6_protox[]. 205 */ 206 for (pr = inet6domain.dom_protosw; 207 pr < inet6domain.dom_protoswNPROTOSW; pr++) 208 if (pr->pr_domain->dom_family == PF_INET6 && 209 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) { 210 /* Be careful to only index valid IP protocols. */ 211 if (pr->pr_protocol < IPPROTO_MAX) 212 ip6_protox[pr->pr_protocol] = pr - inet6sw; 213 } 214 215 netisr_register(&ip6_nh); 216 } 217 218 /* 219 * The protocol to be inserted into ip6_protox[] must be already registered 220 * in inet6sw[], either statically or through pf_proto_register(). 221 */ 222 int 223 ip6proto_register(short ip6proto) 224 { 225 struct protosw *pr; 226 227 /* Sanity checks. */ 228 if (ip6proto <= 0 || ip6proto >= IPPROTO_MAX) 229 return (EPROTONOSUPPORT); 230 231 /* 232 * The protocol slot must not be occupied by another protocol 233 * already. An index pointing to IPPROTO_RAW is unused. 234 */ 235 pr = pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW); 236 if (pr == NULL) 237 return (EPFNOSUPPORT); 238 if (ip6_protox[ip6proto] != pr - inet6sw) /* IPPROTO_RAW */ 239 return (EEXIST); 240 241 /* 242 * Find the protocol position in inet6sw[] and set the index. 243 */ 244 for (pr = inet6domain.dom_protosw; 245 pr < inet6domain.dom_protoswNPROTOSW; pr++) { 246 if (pr->pr_domain->dom_family == PF_INET6 && 247 pr->pr_protocol && pr->pr_protocol == ip6proto) { 248 ip6_protox[pr->pr_protocol] = pr - inet6sw; 249 return (0); 250 } 251 } 252 return (EPROTONOSUPPORT); 253 } 254 255 int 256 ip6proto_unregister(short ip6proto) 257 { 258 struct protosw *pr; 259 260 /* Sanity checks. */ 261 if (ip6proto <= 0 || ip6proto >= IPPROTO_MAX) 262 return (EPROTONOSUPPORT); 263 264 /* Check if the protocol was indeed registered. */ 265 pr = pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW); 266 if (pr == NULL) 267 return (EPFNOSUPPORT); 268 if (ip6_protox[ip6proto] == pr - inet6sw) /* IPPROTO_RAW */ 269 return (ENOENT); 270 271 /* Reset the protocol slot to IPPROTO_RAW. */ 272 ip6_protox[ip6proto] = pr - inet6sw; 273 return (0); 274 } 275 276 #ifdef VIMAGE 277 void 278 ip6_destroy() 279 { 280 int i; 281 282 if ((i = pfil_head_unregister(&V_inet6_pfil_hook)) != 0) 283 printf("%s: WARNING: unable to unregister pfil hook, " 284 "error %d\n", __func__, i); 285 hashdestroy(V_in6_ifaddrhashtbl, M_IFADDR, V_in6_ifaddrhmask); 286 nd6_destroy(); 287 callout_drain(&V_in6_tmpaddrtimer_ch); 288 } 289 #endif 290 291 static int 292 ip6_init2_vnet(const void *unused __unused) 293 { 294 295 /* nd6_timer_init */ 296 callout_init(&V_nd6_timer_ch, 0); 297 callout_reset(&V_nd6_timer_ch, hz, nd6_timer, curvnet); 298 299 /* timer for regeneranation of temporary addresses randomize ID */ 300 callout_init(&V_in6_tmpaddrtimer_ch, 0); 301 callout_reset(&V_in6_tmpaddrtimer_ch, 302 (V_ip6_temp_preferred_lifetime - V_ip6_desync_factor - 303 V_ip6_temp_regen_advance) * hz, 304 in6_tmpaddrtimer, curvnet); 305 306 return (0); 307 } 308 309 static void 310 ip6_init2(void *dummy) 311 { 312 313 ip6_init2_vnet(NULL); 314 } 315 316 /* cheat */ 317 /* This must be after route_init(), which is now SI_ORDER_THIRD */ 318 SYSINIT(netinet6init2, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ip6_init2, NULL); 319 320 static int 321 ip6_input_hbh(struct mbuf *m, uint32_t *plen, uint32_t *rtalert, int *off, 322 int *nxt, int *ours) 323 { 324 struct ip6_hdr *ip6; 325 struct ip6_hbh *hbh; 326 327 if (ip6_hopopts_input(plen, rtalert, &m, off)) { 328 #if 0 /*touches NULL pointer*/ 329 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 330 #endif 331 goto out; /* m have already been freed */ 332 } 333 334 /* adjust pointer */ 335 ip6 = mtod(m, struct ip6_hdr *); 336 337 /* 338 * if the payload length field is 0 and the next header field 339 * indicates Hop-by-Hop Options header, then a Jumbo Payload 340 * option MUST be included. 341 */ 342 if (ip6->ip6_plen == 0 && *plen == 0) { 343 /* 344 * Note that if a valid jumbo payload option is 345 * contained, ip6_hopopts_input() must set a valid 346 * (non-zero) payload length to the variable plen. 347 */ 348 IP6STAT_INC(ip6s_badoptions); 349 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 350 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 351 icmp6_error(m, ICMP6_PARAM_PROB, 352 ICMP6_PARAMPROB_HEADER, 353 (caddr_t)&ip6->ip6_plen - (caddr_t)ip6); 354 goto out; 355 } 356 #ifndef PULLDOWN_TEST 357 /* ip6_hopopts_input() ensures that mbuf is contiguous */ 358 hbh = (struct ip6_hbh *)(ip6 + 1); 359 #else 360 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 361 sizeof(struct ip6_hbh)); 362 if (hbh == NULL) { 363 IP6STAT_INC(ip6s_tooshort); 364 goto out; 365 } 366 #endif 367 *nxt = hbh->ip6h_nxt; 368 369 /* 370 * If we are acting as a router and the packet contains a 371 * router alert option, see if we know the option value. 372 * Currently, we only support the option value for MLD, in which 373 * case we should pass the packet to the multicast routing 374 * daemon. 375 */ 376 if (*rtalert != ~0) { 377 switch (*rtalert) { 378 case IP6OPT_RTALERT_MLD: 379 if (V_ip6_forwarding) 380 *ours = 1; 381 break; 382 default: 383 /* 384 * RFC2711 requires unrecognized values must be 385 * silently ignored. 386 */ 387 break; 388 } 389 } 390 391 return (0); 392 393 out: 394 return (1); 395 } 396 397 void 398 ip6_input(struct mbuf *m) 399 { 400 struct in6_addr odst; 401 struct ip6_hdr *ip6; 402 struct in6_ifaddr *ia; 403 u_int32_t plen; 404 u_int32_t rtalert = ~0; 405 int off = sizeof(struct ip6_hdr), nest; 406 int nxt, ours = 0; 407 int srcrt = 0; 408 409 #ifdef IPSEC 410 /* 411 * should the inner packet be considered authentic? 412 * see comment in ah4_input(). 413 * NB: m cannot be NULL when passed to the input routine 414 */ 415 416 m->m_flags &= ~M_AUTHIPHDR; 417 m->m_flags &= ~M_AUTHIPDGM; 418 419 #endif /* IPSEC */ 420 421 if (m->m_flags & M_FASTFWD_OURS) { 422 /* 423 * Firewall changed destination to local. 424 */ 425 m->m_flags &= ~M_FASTFWD_OURS; 426 ours = 1; 427 ip6 = mtod(m, struct ip6_hdr *); 428 goto hbhcheck; 429 } 430 431 /* 432 * mbuf statistics 433 */ 434 if (m->m_flags & M_EXT) { 435 if (m->m_next) 436 IP6STAT_INC(ip6s_mext2m); 437 else 438 IP6STAT_INC(ip6s_mext1); 439 } else { 440 if (m->m_next) { 441 if (m->m_flags & M_LOOP) { 442 IP6STAT_INC(ip6s_m2m[V_loif->if_index]); 443 } else if (m->m_pkthdr.rcvif->if_index < IP6S_M2MMAX) 444 IP6STAT_INC( 445 ip6s_m2m[m->m_pkthdr.rcvif->if_index]); 446 else 447 IP6STAT_INC(ip6s_m2m[0]); 448 } else 449 IP6STAT_INC(ip6s_m1); 450 } 451 452 /* drop the packet if IPv6 operation is disabled on the IF */ 453 if ((ND_IFINFO(m->m_pkthdr.rcvif)->flags & ND6_IFF_IFDISABLED)) 454 goto bad; 455 456 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_receive); 457 IP6STAT_INC(ip6s_total); 458 459 #ifndef PULLDOWN_TEST 460 /* 461 * L2 bridge code and some other code can return mbuf chain 462 * that does not conform to KAME requirement. too bad. 463 * XXX: fails to join if interface MTU > MCLBYTES. jumbogram? 464 */ 465 if (m && m->m_next != NULL && m->m_pkthdr.len < MCLBYTES) { 466 struct mbuf *n; 467 468 if (m->m_pkthdr.len > MHLEN) 469 n = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR); 470 else 471 n = m_gethdr(M_NOWAIT, MT_DATA); 472 if (n == NULL) { 473 m_freem(m); 474 return; /* ENOBUFS */ 475 } 476 477 m_move_pkthdr(n, m); 478 m_copydata(m, 0, n->m_pkthdr.len, mtod(n, caddr_t)); 479 n->m_len = n->m_pkthdr.len; 480 m_freem(m); 481 m = n; 482 } 483 IP6_EXTHDR_CHECK(m, 0, sizeof(struct ip6_hdr), /* nothing */); 484 #endif 485 486 if (m->m_len < sizeof(struct ip6_hdr)) { 487 struct ifnet *inifp; 488 inifp = m->m_pkthdr.rcvif; 489 if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 490 IP6STAT_INC(ip6s_toosmall); 491 in6_ifstat_inc(inifp, ifs6_in_hdrerr); 492 return; 493 } 494 } 495 496 ip6 = mtod(m, struct ip6_hdr *); 497 498 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 499 IP6STAT_INC(ip6s_badvers); 500 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 501 goto bad; 502 } 503 504 IP6STAT_INC(ip6s_nxthist[ip6->ip6_nxt]); 505 506 IP_PROBE(receive, NULL, NULL, ip6, m->m_pkthdr.rcvif, NULL, ip6); 507 508 /* 509 * Check against address spoofing/corruption. 510 */ 511 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) || 512 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) { 513 /* 514 * XXX: "badscope" is not very suitable for a multicast source. 515 */ 516 IP6STAT_INC(ip6s_badscope); 517 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 518 goto bad; 519 } 520 if (IN6_IS_ADDR_MC_INTFACELOCAL(&ip6->ip6_dst) && 521 !(m->m_flags & M_LOOP)) { 522 /* 523 * In this case, the packet should come from the loopback 524 * interface. However, we cannot just check the if_flags, 525 * because ip6_mloopback() passes the "actual" interface 526 * as the outgoing/incoming interface. 527 */ 528 IP6STAT_INC(ip6s_badscope); 529 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 530 goto bad; 531 } 532 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) && 533 IPV6_ADDR_MC_SCOPE(&ip6->ip6_dst) == 0) { 534 /* 535 * RFC4291 2.7: 536 * Nodes must not originate a packet to a multicast address 537 * whose scop field contains the reserved value 0; if such 538 * a packet is received, it must be silently dropped. 539 */ 540 IP6STAT_INC(ip6s_badscope); 541 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 542 goto bad; 543 } 544 #ifdef ALTQ 545 if (altq_input != NULL && (*altq_input)(m, AF_INET6) == 0) { 546 /* packet is dropped by traffic conditioner */ 547 return; 548 } 549 #endif 550 /* 551 * The following check is not documented in specs. A malicious 552 * party may be able to use IPv4 mapped addr to confuse tcp/udp stack 553 * and bypass security checks (act as if it was from 127.0.0.1 by using 554 * IPv6 src ::ffff:127.0.0.1). Be cautious. 555 * 556 * This check chokes if we are in an SIIT cloud. As none of BSDs 557 * support IPv4-less kernel compilation, we cannot support SIIT 558 * environment at all. So, it makes more sense for us to reject any 559 * malicious packets for non-SIIT environment, than try to do a 560 * partial support for SIIT environment. 561 */ 562 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 563 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 564 IP6STAT_INC(ip6s_badscope); 565 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 566 goto bad; 567 } 568 #if 0 569 /* 570 * Reject packets with IPv4 compatible addresses (auto tunnel). 571 * 572 * The code forbids auto tunnel relay case in RFC1933 (the check is 573 * stronger than RFC1933). We may want to re-enable it if mech-xx 574 * is revised to forbid relaying case. 575 */ 576 if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) || 577 IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { 578 IP6STAT_INC(ip6s_badscope); 579 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 580 goto bad; 581 } 582 #endif 583 #ifdef IPSEC 584 /* 585 * Bypass packet filtering for packets previously handled by IPsec. 586 */ 587 if (ip6_ipsec_filtertunnel(m)) 588 goto passin; 589 #endif /* IPSEC */ 590 591 /* 592 * Run through list of hooks for input packets. 593 * 594 * NB: Beware of the destination address changing 595 * (e.g. by NAT rewriting). When this happens, 596 * tell ip6_forward to do the right thing. 597 */ 598 odst = ip6->ip6_dst; 599 600 /* Jump over all PFIL processing if hooks are not active. */ 601 if (!PFIL_HOOKED(&V_inet6_pfil_hook)) 602 goto passin; 603 604 if (pfil_run_hooks(&V_inet6_pfil_hook, &m, 605 m->m_pkthdr.rcvif, PFIL_IN, NULL)) 606 return; 607 if (m == NULL) /* consumed by filter */ 608 return; 609 ip6 = mtod(m, struct ip6_hdr *); 610 srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); 611 612 if (m->m_flags & M_FASTFWD_OURS) { 613 m->m_flags &= ~M_FASTFWD_OURS; 614 ours = 1; 615 goto hbhcheck; 616 } 617 if ((m->m_flags & M_IP6_NEXTHOP) && 618 m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) { 619 /* 620 * Directly ship the packet on. This allows forwarding 621 * packets originally destined to us to some other directly 622 * connected host. 623 */ 624 ip6_forward(m, 1); 625 return; 626 } 627 628 passin: 629 /* 630 * Disambiguate address scope zones (if there is ambiguity). 631 * We first make sure that the original source or destination address 632 * is not in our internal form for scoped addresses. Such addresses 633 * are not necessarily invalid spec-wise, but we cannot accept them due 634 * to the usage conflict. 635 * in6_setscope() then also checks and rejects the cases where src or 636 * dst are the loopback address and the receiving interface 637 * is not loopback. 638 */ 639 if (in6_clearscope(&ip6->ip6_src) || in6_clearscope(&ip6->ip6_dst)) { 640 IP6STAT_INC(ip6s_badscope); /* XXX */ 641 goto bad; 642 } 643 if (in6_setscope(&ip6->ip6_src, m->m_pkthdr.rcvif, NULL) || 644 in6_setscope(&ip6->ip6_dst, m->m_pkthdr.rcvif, NULL)) { 645 IP6STAT_INC(ip6s_badscope); 646 goto bad; 647 } 648 /* 649 * Multicast check. Assume packet is for us to avoid 650 * prematurely taking locks. 651 */ 652 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 653 ours = 1; 654 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_mcast); 655 goto hbhcheck; 656 } 657 /* 658 * Unicast check 659 * XXX: For now we keep link-local IPv6 addresses with embedded 660 * scope zone id, therefore we use zero zoneid here. 661 */ 662 ia = in6ifa_ifwithaddr(&ip6->ip6_dst, 0 /* XXX */); 663 if (ia != NULL) { 664 if (ia->ia6_flags & IN6_IFF_NOTREADY) { 665 char ip6bufs[INET6_ADDRSTRLEN]; 666 char ip6bufd[INET6_ADDRSTRLEN]; 667 /* address is not ready, so discard the packet. */ 668 nd6log((LOG_INFO, 669 "ip6_input: packet to an unready address %s->%s\n", 670 ip6_sprintf(ip6bufs, &ip6->ip6_src), 671 ip6_sprintf(ip6bufd, &ip6->ip6_dst))); 672 ifa_free(&ia->ia_ifa); 673 goto bad; 674 } 675 /* Count the packet in the ip address stats */ 676 counter_u64_add(ia->ia_ifa.ifa_ipackets, 1); 677 counter_u64_add(ia->ia_ifa.ifa_ibytes, m->m_pkthdr.len); 678 ifa_free(&ia->ia_ifa); 679 ours = 1; 680 goto hbhcheck; 681 } 682 683 /* 684 * Now there is no reason to process the packet if it's not our own 685 * and we're not a router. 686 */ 687 if (!V_ip6_forwarding) { 688 IP6STAT_INC(ip6s_cantforward); 689 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 690 goto bad; 691 } 692 693 hbhcheck: 694 /* 695 * Process Hop-by-Hop options header if it's contained. 696 * m may be modified in ip6_hopopts_input(). 697 * If a JumboPayload option is included, plen will also be modified. 698 */ 699 plen = (u_int32_t)ntohs(ip6->ip6_plen); 700 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 701 if (ip6_input_hbh(m, &plen, &rtalert, &off, &nxt, &ours) != 0) 702 return; 703 } else 704 nxt = ip6->ip6_nxt; 705 706 /* 707 * Check that the amount of data in the buffers 708 * is as at least much as the IPv6 header would have us expect. 709 * Trim mbufs if longer than we expect. 710 * Drop packet if shorter than we expect. 711 */ 712 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) { 713 IP6STAT_INC(ip6s_tooshort); 714 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 715 goto bad; 716 } 717 if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) { 718 if (m->m_len == m->m_pkthdr.len) { 719 m->m_len = sizeof(struct ip6_hdr) + plen; 720 m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen; 721 } else 722 m_adj(m, sizeof(struct ip6_hdr) + plen - m->m_pkthdr.len); 723 } 724 725 /* 726 * Forward if desirable. 727 */ 728 if (V_ip6_mrouter && 729 IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 730 /* 731 * If we are acting as a multicast router, all 732 * incoming multicast packets are passed to the 733 * kernel-level multicast forwarding function. 734 * The packet is returned (relatively) intact; if 735 * ip6_mforward() returns a non-zero value, the packet 736 * must be discarded, else it may be accepted below. 737 * 738 * XXX TODO: Check hlim and multicast scope here to avoid 739 * unnecessarily calling into ip6_mforward(). 740 */ 741 if (ip6_mforward && 742 ip6_mforward(ip6, m->m_pkthdr.rcvif, m)) { 743 IP6STAT_INC(ip6s_cantforward); 744 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 745 goto bad; 746 } 747 } else if (!ours) { 748 ip6_forward(m, srcrt); 749 return; 750 } 751 752 ip6 = mtod(m, struct ip6_hdr *); 753 754 /* 755 * Malicious party may be able to use IPv4 mapped addr to confuse 756 * tcp/udp stack and bypass security checks (act as if it was from 757 * 127.0.0.1 by using IPv6 src ::ffff:127.0.0.1). Be cautious. 758 * 759 * For SIIT end node behavior, you may want to disable the check. 760 * However, you will become vulnerable to attacks using IPv4 mapped 761 * source. 762 */ 763 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 764 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 765 IP6STAT_INC(ip6s_badscope); 766 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 767 goto bad; 768 } 769 770 /* 771 * Tell launch routine the next header 772 */ 773 IP6STAT_INC(ip6s_delivered); 774 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_deliver); 775 nest = 0; 776 777 while (nxt != IPPROTO_DONE) { 778 if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) { 779 IP6STAT_INC(ip6s_toomanyhdr); 780 goto bad; 781 } 782 783 /* 784 * protection against faulty packet - there should be 785 * more sanity checks in header chain processing. 786 */ 787 if (m->m_pkthdr.len < off) { 788 IP6STAT_INC(ip6s_tooshort); 789 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 790 goto bad; 791 } 792 793 #ifdef IPSEC 794 /* 795 * enforce IPsec policy checking if we are seeing last header. 796 * note that we do not visit this with protocols with pcb layer 797 * code - like udp/tcp/raw ip. 798 */ 799 if (ip6_ipsec_input(m, nxt)) 800 goto bad; 801 #endif /* IPSEC */ 802 803 /* 804 * Use mbuf flags to propagate Router Alert option to 805 * ICMPv6 layer, as hop-by-hop options have been stripped. 806 */ 807 if (nxt == IPPROTO_ICMPV6 && rtalert != ~0) 808 m->m_flags |= M_RTALERT_MLD; 809 810 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt); 811 } 812 return; 813 bad: 814 m_freem(m); 815 } 816 817 /* 818 * Hop-by-Hop options header processing. If a valid jumbo payload option is 819 * included, the real payload length will be stored in plenp. 820 * 821 * rtalertp - XXX: should be stored more smart way 822 */ 823 static int 824 ip6_hopopts_input(u_int32_t *plenp, u_int32_t *rtalertp, 825 struct mbuf **mp, int *offp) 826 { 827 struct mbuf *m = *mp; 828 int off = *offp, hbhlen; 829 struct ip6_hbh *hbh; 830 831 /* validation of the length of the header */ 832 #ifndef PULLDOWN_TEST 833 IP6_EXTHDR_CHECK(m, off, sizeof(*hbh), -1); 834 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off); 835 hbhlen = (hbh->ip6h_len + 1) << 3; 836 837 IP6_EXTHDR_CHECK(m, off, hbhlen, -1); 838 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off); 839 #else 840 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, 841 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh)); 842 if (hbh == NULL) { 843 IP6STAT_INC(ip6s_tooshort); 844 return -1; 845 } 846 hbhlen = (hbh->ip6h_len + 1) << 3; 847 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 848 hbhlen); 849 if (hbh == NULL) { 850 IP6STAT_INC(ip6s_tooshort); 851 return -1; 852 } 853 #endif 854 off += hbhlen; 855 hbhlen -= sizeof(struct ip6_hbh); 856 if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh), 857 hbhlen, rtalertp, plenp) < 0) 858 return (-1); 859 860 *offp = off; 861 *mp = m; 862 return (0); 863 } 864 865 /* 866 * Search header for all Hop-by-hop options and process each option. 867 * This function is separate from ip6_hopopts_input() in order to 868 * handle a case where the sending node itself process its hop-by-hop 869 * options header. In such a case, the function is called from ip6_output(). 870 * 871 * The function assumes that hbh header is located right after the IPv6 header 872 * (RFC2460 p7), opthead is pointer into data content in m, and opthead to 873 * opthead + hbhlen is located in contiguous memory region. 874 */ 875 int 876 ip6_process_hopopts(struct mbuf *m, u_int8_t *opthead, int hbhlen, 877 u_int32_t *rtalertp, u_int32_t *plenp) 878 { 879 struct ip6_hdr *ip6; 880 int optlen = 0; 881 u_int8_t *opt = opthead; 882 u_int16_t rtalert_val; 883 u_int32_t jumboplen; 884 const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh); 885 886 for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) { 887 switch (*opt) { 888 case IP6OPT_PAD1: 889 optlen = 1; 890 break; 891 case IP6OPT_PADN: 892 if (hbhlen < IP6OPT_MINLEN) { 893 IP6STAT_INC(ip6s_toosmall); 894 goto bad; 895 } 896 optlen = *(opt + 1) + 2; 897 break; 898 case IP6OPT_ROUTER_ALERT: 899 /* XXX may need check for alignment */ 900 if (hbhlen < IP6OPT_RTALERT_LEN) { 901 IP6STAT_INC(ip6s_toosmall); 902 goto bad; 903 } 904 if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) { 905 /* XXX stat */ 906 icmp6_error(m, ICMP6_PARAM_PROB, 907 ICMP6_PARAMPROB_HEADER, 908 erroff + opt + 1 - opthead); 909 return (-1); 910 } 911 optlen = IP6OPT_RTALERT_LEN; 912 bcopy((caddr_t)(opt + 2), (caddr_t)&rtalert_val, 2); 913 *rtalertp = ntohs(rtalert_val); 914 break; 915 case IP6OPT_JUMBO: 916 /* XXX may need check for alignment */ 917 if (hbhlen < IP6OPT_JUMBO_LEN) { 918 IP6STAT_INC(ip6s_toosmall); 919 goto bad; 920 } 921 if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) { 922 /* XXX stat */ 923 icmp6_error(m, ICMP6_PARAM_PROB, 924 ICMP6_PARAMPROB_HEADER, 925 erroff + opt + 1 - opthead); 926 return (-1); 927 } 928 optlen = IP6OPT_JUMBO_LEN; 929 930 /* 931 * IPv6 packets that have non 0 payload length 932 * must not contain a jumbo payload option. 933 */ 934 ip6 = mtod(m, struct ip6_hdr *); 935 if (ip6->ip6_plen) { 936 IP6STAT_INC(ip6s_badoptions); 937 icmp6_error(m, ICMP6_PARAM_PROB, 938 ICMP6_PARAMPROB_HEADER, 939 erroff + opt - opthead); 940 return (-1); 941 } 942 943 /* 944 * We may see jumbolen in unaligned location, so 945 * we'd need to perform bcopy(). 946 */ 947 bcopy(opt + 2, &jumboplen, sizeof(jumboplen)); 948 jumboplen = (u_int32_t)htonl(jumboplen); 949 950 #if 1 951 /* 952 * if there are multiple jumbo payload options, 953 * *plenp will be non-zero and the packet will be 954 * rejected. 955 * the behavior may need some debate in ipngwg - 956 * multiple options does not make sense, however, 957 * there's no explicit mention in specification. 958 */ 959 if (*plenp != 0) { 960 IP6STAT_INC(ip6s_badoptions); 961 icmp6_error(m, ICMP6_PARAM_PROB, 962 ICMP6_PARAMPROB_HEADER, 963 erroff + opt + 2 - opthead); 964 return (-1); 965 } 966 #endif 967 968 /* 969 * jumbo payload length must be larger than 65535. 970 */ 971 if (jumboplen <= IPV6_MAXPACKET) { 972 IP6STAT_INC(ip6s_badoptions); 973 icmp6_error(m, ICMP6_PARAM_PROB, 974 ICMP6_PARAMPROB_HEADER, 975 erroff + opt + 2 - opthead); 976 return (-1); 977 } 978 *plenp = jumboplen; 979 980 break; 981 default: /* unknown option */ 982 if (hbhlen < IP6OPT_MINLEN) { 983 IP6STAT_INC(ip6s_toosmall); 984 goto bad; 985 } 986 optlen = ip6_unknown_opt(opt, m, 987 erroff + opt - opthead); 988 if (optlen == -1) 989 return (-1); 990 optlen += 2; 991 break; 992 } 993 } 994 995 return (0); 996 997 bad: 998 m_freem(m); 999 return (-1); 1000 } 1001 1002 /* 1003 * Unknown option processing. 1004 * The third argument `off' is the offset from the IPv6 header to the option, 1005 * which is necessary if the IPv6 header the and option header and IPv6 header 1006 * is not contiguous in order to return an ICMPv6 error. 1007 */ 1008 int 1009 ip6_unknown_opt(u_int8_t *optp, struct mbuf *m, int off) 1010 { 1011 struct ip6_hdr *ip6; 1012 1013 switch (IP6OPT_TYPE(*optp)) { 1014 case IP6OPT_TYPE_SKIP: /* ignore the option */ 1015 return ((int)*(optp + 1)); 1016 case IP6OPT_TYPE_DISCARD: /* silently discard */ 1017 m_freem(m); 1018 return (-1); 1019 case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */ 1020 IP6STAT_INC(ip6s_badoptions); 1021 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off); 1022 return (-1); 1023 case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */ 1024 IP6STAT_INC(ip6s_badoptions); 1025 ip6 = mtod(m, struct ip6_hdr *); 1026 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) || 1027 (m->m_flags & (M_BCAST|M_MCAST))) 1028 m_freem(m); 1029 else 1030 icmp6_error(m, ICMP6_PARAM_PROB, 1031 ICMP6_PARAMPROB_OPTION, off); 1032 return (-1); 1033 } 1034 1035 m_freem(m); /* XXX: NOTREACHED */ 1036 return (-1); 1037 } 1038 1039 /* 1040 * Create the "control" list for this pcb. 1041 * These functions will not modify mbuf chain at all. 1042 * 1043 * With KAME mbuf chain restriction: 1044 * The routine will be called from upper layer handlers like tcp6_input(). 1045 * Thus the routine assumes that the caller (tcp6_input) have already 1046 * called IP6_EXTHDR_CHECK() and all the extension headers are located in the 1047 * very first mbuf on the mbuf chain. 1048 * 1049 * ip6_savecontrol_v4 will handle those options that are possible to be 1050 * set on a v4-mapped socket. 1051 * ip6_savecontrol will directly call ip6_savecontrol_v4 to handle those 1052 * options and handle the v6-only ones itself. 1053 */ 1054 struct mbuf ** 1055 ip6_savecontrol_v4(struct inpcb *inp, struct mbuf *m, struct mbuf **mp, 1056 int *v4only) 1057 { 1058 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1059 1060 #ifdef SO_TIMESTAMP 1061 if ((inp->inp_socket->so_options & SO_TIMESTAMP) != 0) { 1062 struct timeval tv; 1063 1064 microtime(&tv); 1065 *mp = sbcreatecontrol((caddr_t) &tv, sizeof(tv), 1066 SCM_TIMESTAMP, SOL_SOCKET); 1067 if (*mp) 1068 mp = &(*mp)->m_next; 1069 } 1070 #endif 1071 1072 #define IS2292(inp, x, y) (((inp)->inp_flags & IN6P_RFC2292) ? (x) : (y)) 1073 /* RFC 2292 sec. 5 */ 1074 if ((inp->inp_flags & IN6P_PKTINFO) != 0) { 1075 struct in6_pktinfo pi6; 1076 1077 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 1078 #ifdef INET 1079 struct ip *ip; 1080 1081 ip = mtod(m, struct ip *); 1082 pi6.ipi6_addr.s6_addr32[0] = 0; 1083 pi6.ipi6_addr.s6_addr32[1] = 0; 1084 pi6.ipi6_addr.s6_addr32[2] = IPV6_ADDR_INT32_SMP; 1085 pi6.ipi6_addr.s6_addr32[3] = ip->ip_dst.s_addr; 1086 #else 1087 /* We won't hit this code */ 1088 bzero(&pi6.ipi6_addr, sizeof(struct in6_addr)); 1089 #endif 1090 } else { 1091 bcopy(&ip6->ip6_dst, &pi6.ipi6_addr, sizeof(struct in6_addr)); 1092 in6_clearscope(&pi6.ipi6_addr); /* XXX */ 1093 } 1094 pi6.ipi6_ifindex = 1095 (m && m->m_pkthdr.rcvif) ? m->m_pkthdr.rcvif->if_index : 0; 1096 1097 *mp = sbcreatecontrol((caddr_t) &pi6, 1098 sizeof(struct in6_pktinfo), 1099 IS2292(inp, IPV6_2292PKTINFO, IPV6_PKTINFO), IPPROTO_IPV6); 1100 if (*mp) 1101 mp = &(*mp)->m_next; 1102 } 1103 1104 if ((inp->inp_flags & IN6P_HOPLIMIT) != 0) { 1105 int hlim; 1106 1107 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 1108 #ifdef INET 1109 struct ip *ip; 1110 1111 ip = mtod(m, struct ip *); 1112 hlim = ip->ip_ttl; 1113 #else 1114 /* We won't hit this code */ 1115 hlim = 0; 1116 #endif 1117 } else { 1118 hlim = ip6->ip6_hlim & 0xff; 1119 } 1120 *mp = sbcreatecontrol((caddr_t) &hlim, sizeof(int), 1121 IS2292(inp, IPV6_2292HOPLIMIT, IPV6_HOPLIMIT), 1122 IPPROTO_IPV6); 1123 if (*mp) 1124 mp = &(*mp)->m_next; 1125 } 1126 1127 if ((inp->inp_flags & IN6P_TCLASS) != 0) { 1128 int tclass; 1129 1130 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 1131 #ifdef INET 1132 struct ip *ip; 1133 1134 ip = mtod(m, struct ip *); 1135 tclass = ip->ip_tos; 1136 #else 1137 /* We won't hit this code */ 1138 tclass = 0; 1139 #endif 1140 } else { 1141 u_int32_t flowinfo; 1142 1143 flowinfo = (u_int32_t)ntohl(ip6->ip6_flow & IPV6_FLOWINFO_MASK); 1144 flowinfo >>= 20; 1145 tclass = flowinfo & 0xff; 1146 } 1147 *mp = sbcreatecontrol((caddr_t) &tclass, sizeof(int), 1148 IPV6_TCLASS, IPPROTO_IPV6); 1149 if (*mp) 1150 mp = &(*mp)->m_next; 1151 } 1152 1153 if (v4only != NULL) { 1154 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 1155 *v4only = 1; 1156 } else { 1157 *v4only = 0; 1158 } 1159 } 1160 1161 return (mp); 1162 } 1163 1164 void 1165 ip6_savecontrol(struct inpcb *in6p, struct mbuf *m, struct mbuf **mp) 1166 { 1167 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1168 int v4only = 0; 1169 1170 mp = ip6_savecontrol_v4(in6p, m, mp, &v4only); 1171 if (v4only) 1172 return; 1173 1174 /* 1175 * IPV6_HOPOPTS socket option. Recall that we required super-user 1176 * privilege for the option (see ip6_ctloutput), but it might be too 1177 * strict, since there might be some hop-by-hop options which can be 1178 * returned to normal user. 1179 * See also RFC 2292 section 6 (or RFC 3542 section 8). 1180 */ 1181 if ((in6p->inp_flags & IN6P_HOPOPTS) != 0) { 1182 /* 1183 * Check if a hop-by-hop options header is contatined in the 1184 * received packet, and if so, store the options as ancillary 1185 * data. Note that a hop-by-hop options header must be 1186 * just after the IPv6 header, which is assured through the 1187 * IPv6 input processing. 1188 */ 1189 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 1190 struct ip6_hbh *hbh; 1191 int hbhlen = 0; 1192 #ifdef PULLDOWN_TEST 1193 struct mbuf *ext; 1194 #endif 1195 1196 #ifndef PULLDOWN_TEST 1197 hbh = (struct ip6_hbh *)(ip6 + 1); 1198 hbhlen = (hbh->ip6h_len + 1) << 3; 1199 #else 1200 ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr), 1201 ip6->ip6_nxt); 1202 if (ext == NULL) { 1203 IP6STAT_INC(ip6s_tooshort); 1204 return; 1205 } 1206 hbh = mtod(ext, struct ip6_hbh *); 1207 hbhlen = (hbh->ip6h_len + 1) << 3; 1208 if (hbhlen != ext->m_len) { 1209 m_freem(ext); 1210 IP6STAT_INC(ip6s_tooshort); 1211 return; 1212 } 1213 #endif 1214 1215 /* 1216 * XXX: We copy the whole header even if a 1217 * jumbo payload option is included, the option which 1218 * is to be removed before returning according to 1219 * RFC2292. 1220 * Note: this constraint is removed in RFC3542 1221 */ 1222 *mp = sbcreatecontrol((caddr_t)hbh, hbhlen, 1223 IS2292(in6p, IPV6_2292HOPOPTS, IPV6_HOPOPTS), 1224 IPPROTO_IPV6); 1225 if (*mp) 1226 mp = &(*mp)->m_next; 1227 #ifdef PULLDOWN_TEST 1228 m_freem(ext); 1229 #endif 1230 } 1231 } 1232 1233 if ((in6p->inp_flags & (IN6P_RTHDR | IN6P_DSTOPTS)) != 0) { 1234 int nxt = ip6->ip6_nxt, off = sizeof(struct ip6_hdr); 1235 1236 /* 1237 * Search for destination options headers or routing 1238 * header(s) through the header chain, and stores each 1239 * header as ancillary data. 1240 * Note that the order of the headers remains in 1241 * the chain of ancillary data. 1242 */ 1243 while (1) { /* is explicit loop prevention necessary? */ 1244 struct ip6_ext *ip6e = NULL; 1245 int elen; 1246 #ifdef PULLDOWN_TEST 1247 struct mbuf *ext = NULL; 1248 #endif 1249 1250 /* 1251 * if it is not an extension header, don't try to 1252 * pull it from the chain. 1253 */ 1254 switch (nxt) { 1255 case IPPROTO_DSTOPTS: 1256 case IPPROTO_ROUTING: 1257 case IPPROTO_HOPOPTS: 1258 case IPPROTO_AH: /* is it possible? */ 1259 break; 1260 default: 1261 goto loopend; 1262 } 1263 1264 #ifndef PULLDOWN_TEST 1265 if (off + sizeof(*ip6e) > m->m_len) 1266 goto loopend; 1267 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + off); 1268 if (nxt == IPPROTO_AH) 1269 elen = (ip6e->ip6e_len + 2) << 2; 1270 else 1271 elen = (ip6e->ip6e_len + 1) << 3; 1272 if (off + elen > m->m_len) 1273 goto loopend; 1274 #else 1275 ext = ip6_pullexthdr(m, off, nxt); 1276 if (ext == NULL) { 1277 IP6STAT_INC(ip6s_tooshort); 1278 return; 1279 } 1280 ip6e = mtod(ext, struct ip6_ext *); 1281 if (nxt == IPPROTO_AH) 1282 elen = (ip6e->ip6e_len + 2) << 2; 1283 else 1284 elen = (ip6e->ip6e_len + 1) << 3; 1285 if (elen != ext->m_len) { 1286 m_freem(ext); 1287 IP6STAT_INC(ip6s_tooshort); 1288 return; 1289 } 1290 #endif 1291 1292 switch (nxt) { 1293 case IPPROTO_DSTOPTS: 1294 if (!(in6p->inp_flags & IN6P_DSTOPTS)) 1295 break; 1296 1297 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1298 IS2292(in6p, 1299 IPV6_2292DSTOPTS, IPV6_DSTOPTS), 1300 IPPROTO_IPV6); 1301 if (*mp) 1302 mp = &(*mp)->m_next; 1303 break; 1304 case IPPROTO_ROUTING: 1305 if (!(in6p->inp_flags & IN6P_RTHDR)) 1306 break; 1307 1308 *mp = sbcreatecontrol((caddr_t)ip6e, elen, 1309 IS2292(in6p, IPV6_2292RTHDR, IPV6_RTHDR), 1310 IPPROTO_IPV6); 1311 if (*mp) 1312 mp = &(*mp)->m_next; 1313 break; 1314 case IPPROTO_HOPOPTS: 1315 case IPPROTO_AH: /* is it possible? */ 1316 break; 1317 1318 default: 1319 /* 1320 * other cases have been filtered in the above. 1321 * none will visit this case. here we supply 1322 * the code just in case (nxt overwritten or 1323 * other cases). 1324 */ 1325 #ifdef PULLDOWN_TEST 1326 m_freem(ext); 1327 #endif 1328 goto loopend; 1329 1330 } 1331 1332 /* proceed with the next header. */ 1333 off += elen; 1334 nxt = ip6e->ip6e_nxt; 1335 ip6e = NULL; 1336 #ifdef PULLDOWN_TEST 1337 m_freem(ext); 1338 ext = NULL; 1339 #endif 1340 } 1341 loopend: 1342 ; 1343 } 1344 } 1345 #undef IS2292 1346 1347 void 1348 ip6_notify_pmtu(struct inpcb *inp, struct sockaddr_in6 *dst, u_int32_t mtu) 1349 { 1350 struct socket *so; 1351 struct mbuf *m_mtu; 1352 struct ip6_mtuinfo mtuctl; 1353 1354 KASSERT(inp != NULL, ("%s: inp == NULL", __func__)); 1355 /* 1356 * Notify the error by sending IPV6_PATHMTU ancillary data if 1357 * application wanted to know the MTU value. 1358 * NOTE: we notify disconnected sockets, because some udp 1359 * applications keep sending sockets disconnected. 1360 * NOTE: our implementation doesn't notify connected sockets that has 1361 * foreign address that is different than given destination addresses 1362 * (this is permitted by RFC 3542). 1363 */ 1364 if ((inp->inp_flags & IN6P_MTU) == 0 || ( 1365 !IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_faddr) && 1366 !IN6_ARE_ADDR_EQUAL(&inp->in6p_faddr, &dst->sin6_addr))) 1367 return; 1368 1369 mtuctl.ip6m_mtu = mtu; 1370 mtuctl.ip6m_addr = *dst; 1371 if (sa6_recoverscope(&mtuctl.ip6m_addr)) 1372 return; 1373 1374 if ((m_mtu = sbcreatecontrol((caddr_t)&mtuctl, sizeof(mtuctl), 1375 IPV6_PATHMTU, IPPROTO_IPV6)) == NULL) 1376 return; 1377 1378 so = inp->inp_socket; 1379 if (sbappendaddr(&so->so_rcv, (struct sockaddr *)dst, NULL, m_mtu) 1380 == 0) { 1381 m_freem(m_mtu); 1382 /* XXX: should count statistics */ 1383 } else 1384 sorwakeup(so); 1385 } 1386 1387 #ifdef PULLDOWN_TEST 1388 /* 1389 * pull single extension header from mbuf chain. returns single mbuf that 1390 * contains the result, or NULL on error. 1391 */ 1392 static struct mbuf * 1393 ip6_pullexthdr(struct mbuf *m, size_t off, int nxt) 1394 { 1395 struct ip6_ext ip6e; 1396 size_t elen; 1397 struct mbuf *n; 1398 1399 #ifdef DIAGNOSTIC 1400 switch (nxt) { 1401 case IPPROTO_DSTOPTS: 1402 case IPPROTO_ROUTING: 1403 case IPPROTO_HOPOPTS: 1404 case IPPROTO_AH: /* is it possible? */ 1405 break; 1406 default: 1407 printf("ip6_pullexthdr: invalid nxt=%d\n", nxt); 1408 } 1409 #endif 1410 1411 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1412 if (nxt == IPPROTO_AH) 1413 elen = (ip6e.ip6e_len + 2) << 2; 1414 else 1415 elen = (ip6e.ip6e_len + 1) << 3; 1416 1417 if (elen > MLEN) 1418 n = m_getcl(M_NOWAIT, MT_DATA, 0); 1419 else 1420 n = m_get(M_NOWAIT, MT_DATA); 1421 if (n == NULL) 1422 return NULL; 1423 1424 m_copydata(m, off, elen, mtod(n, caddr_t)); 1425 n->m_len = elen; 1426 return n; 1427 } 1428 #endif 1429 1430 /* 1431 * Get pointer to the previous header followed by the header 1432 * currently processed. 1433 * XXX: This function supposes that 1434 * M includes all headers, 1435 * the next header field and the header length field of each header 1436 * are valid, and 1437 * the sum of each header length equals to OFF. 1438 * Because of these assumptions, this function must be called very 1439 * carefully. Moreover, it will not be used in the near future when 1440 * we develop `neater' mechanism to process extension headers. 1441 */ 1442 char * 1443 ip6_get_prevhdr(struct mbuf *m, int off) 1444 { 1445 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1446 1447 if (off == sizeof(struct ip6_hdr)) 1448 return (&ip6->ip6_nxt); 1449 else { 1450 int len, nxt; 1451 struct ip6_ext *ip6e = NULL; 1452 1453 nxt = ip6->ip6_nxt; 1454 len = sizeof(struct ip6_hdr); 1455 while (len < off) { 1456 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + len); 1457 1458 switch (nxt) { 1459 case IPPROTO_FRAGMENT: 1460 len += sizeof(struct ip6_frag); 1461 break; 1462 case IPPROTO_AH: 1463 len += (ip6e->ip6e_len + 2) << 2; 1464 break; 1465 default: 1466 len += (ip6e->ip6e_len + 1) << 3; 1467 break; 1468 } 1469 nxt = ip6e->ip6e_nxt; 1470 } 1471 if (ip6e) 1472 return (&ip6e->ip6e_nxt); 1473 else 1474 return NULL; 1475 } 1476 } 1477 1478 /* 1479 * get next header offset. m will be retained. 1480 */ 1481 int 1482 ip6_nexthdr(struct mbuf *m, int off, int proto, int *nxtp) 1483 { 1484 struct ip6_hdr ip6; 1485 struct ip6_ext ip6e; 1486 struct ip6_frag fh; 1487 1488 /* just in case */ 1489 if (m == NULL) 1490 panic("ip6_nexthdr: m == NULL"); 1491 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off) 1492 return -1; 1493 1494 switch (proto) { 1495 case IPPROTO_IPV6: 1496 if (m->m_pkthdr.len < off + sizeof(ip6)) 1497 return -1; 1498 m_copydata(m, off, sizeof(ip6), (caddr_t)&ip6); 1499 if (nxtp) 1500 *nxtp = ip6.ip6_nxt; 1501 off += sizeof(ip6); 1502 return off; 1503 1504 case IPPROTO_FRAGMENT: 1505 /* 1506 * terminate parsing if it is not the first fragment, 1507 * it does not make sense to parse through it. 1508 */ 1509 if (m->m_pkthdr.len < off + sizeof(fh)) 1510 return -1; 1511 m_copydata(m, off, sizeof(fh), (caddr_t)&fh); 1512 /* IP6F_OFF_MASK = 0xfff8(BigEndian), 0xf8ff(LittleEndian) */ 1513 if (fh.ip6f_offlg & IP6F_OFF_MASK) 1514 return -1; 1515 if (nxtp) 1516 *nxtp = fh.ip6f_nxt; 1517 off += sizeof(struct ip6_frag); 1518 return off; 1519 1520 case IPPROTO_AH: 1521 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1522 return -1; 1523 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1524 if (nxtp) 1525 *nxtp = ip6e.ip6e_nxt; 1526 off += (ip6e.ip6e_len + 2) << 2; 1527 return off; 1528 1529 case IPPROTO_HOPOPTS: 1530 case IPPROTO_ROUTING: 1531 case IPPROTO_DSTOPTS: 1532 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1533 return -1; 1534 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1535 if (nxtp) 1536 *nxtp = ip6e.ip6e_nxt; 1537 off += (ip6e.ip6e_len + 1) << 3; 1538 return off; 1539 1540 case IPPROTO_NONE: 1541 case IPPROTO_ESP: 1542 case IPPROTO_IPCOMP: 1543 /* give up */ 1544 return -1; 1545 1546 default: 1547 return -1; 1548 } 1549 1550 return -1; 1551 } 1552 1553 /* 1554 * get offset for the last header in the chain. m will be kept untainted. 1555 */ 1556 int 1557 ip6_lasthdr(struct mbuf *m, int off, int proto, int *nxtp) 1558 { 1559 int newoff; 1560 int nxt; 1561 1562 if (!nxtp) { 1563 nxt = -1; 1564 nxtp = &nxt; 1565 } 1566 while (1) { 1567 newoff = ip6_nexthdr(m, off, proto, nxtp); 1568 if (newoff < 0) 1569 return off; 1570 else if (newoff < off) 1571 return -1; /* invalid */ 1572 else if (newoff == off) 1573 return newoff; 1574 1575 off = newoff; 1576 proto = *nxtp; 1577 } 1578 } 1579 1580 /* 1581 * System control for IP6 1582 */ 1583 1584 u_char inet6ctlerrmap[PRC_NCMDS] = { 1585 0, 0, 0, 0, 1586 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH, 1587 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, 1588 EMSGSIZE, EHOSTUNREACH, 0, 0, 1589 0, 0, 0, 0, 1590 ENOPROTOOPT 1591 }; 1592