ip6_input.c revision 1.153
1 /* $NetBSD: ip6_input.c,v 1.153 2015/12/12 23:34:25 christos Exp $ */ 2 /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ 3 4 /* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 /* 34 * Copyright (c) 1982, 1986, 1988, 1993 35 * The Regents of the University of California. All rights reserved. 36 * 37 * Redistribution and use in source and binary forms, with or without 38 * modification, are permitted provided that the following conditions 39 * are met: 40 * 1. Redistributions of source code must retain the above copyright 41 * notice, this list of conditions and the following disclaimer. 42 * 2. Redistributions in binary form must reproduce the above copyright 43 * notice, this list of conditions and the following disclaimer in the 44 * documentation and/or other materials provided with the distribution. 45 * 3. Neither the name of the University nor the names of its contributors 46 * may be used to endorse or promote products derived from this software 47 * without specific prior written permission. 48 * 49 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 50 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 51 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 52 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 53 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 54 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 55 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 56 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 57 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 58 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 59 * SUCH DAMAGE. 60 * 61 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 62 */ 63 64 #include <sys/cdefs.h> 65 __KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.153 2015/12/12 23:34:25 christos Exp $"); 66 67 #ifdef _KERNEL_OPT 68 #include "opt_gateway.h" 69 #include "opt_inet.h" 70 #include "opt_inet6.h" 71 #include "opt_ipsec.h" 72 #include "opt_compat_netbsd.h" 73 #endif 74 75 #include <sys/param.h> 76 #include <sys/systm.h> 77 #include <sys/malloc.h> 78 #include <sys/mbuf.h> 79 #include <sys/domain.h> 80 #include <sys/protosw.h> 81 #include <sys/socket.h> 82 #include <sys/socketvar.h> 83 #include <sys/errno.h> 84 #include <sys/time.h> 85 #include <sys/kernel.h> 86 #include <sys/syslog.h> 87 #include <sys/proc.h> 88 #include <sys/sysctl.h> 89 #include <sys/cprng.h> 90 91 #include <net/if.h> 92 #include <net/if_types.h> 93 #include <net/if_dl.h> 94 #include <net/route.h> 95 #include <net/pktqueue.h> 96 #include <net/pfil.h> 97 98 #include <netinet/in.h> 99 #include <netinet/in_systm.h> 100 #ifdef INET 101 #include <netinet/ip.h> 102 #include <netinet/ip_var.h> 103 #include <netinet/ip_icmp.h> 104 #endif /* INET */ 105 #include <netinet/ip6.h> 106 #include <netinet/portalgo.h> 107 #include <netinet6/in6_var.h> 108 #include <netinet6/ip6_var.h> 109 #include <netinet6/ip6_private.h> 110 #include <netinet6/in6_pcb.h> 111 #include <netinet/icmp6.h> 112 #include <netinet6/scope6_var.h> 113 #include <netinet6/in6_ifattach.h> 114 #include <netinet6/nd6.h> 115 116 #ifdef IPSEC 117 #include <netipsec/ipsec.h> 118 #include <netipsec/ipsec6.h> 119 #include <netipsec/key.h> 120 #endif /* IPSEC */ 121 122 #ifdef COMPAT_50 123 #include <compat/sys/time.h> 124 #include <compat/sys/socket.h> 125 #endif 126 127 #include <netinet6/ip6protosw.h> 128 129 #include "faith.h" 130 #include "gif.h" 131 132 #if NGIF > 0 133 #include <netinet6/in6_gif.h> 134 #endif 135 136 #include <net/net_osdep.h> 137 138 extern struct domain inet6domain; 139 140 u_char ip6_protox[IPPROTO_MAX]; 141 struct in6_ifaddr *in6_ifaddr; 142 pktqueue_t *ip6_pktq __read_mostly; 143 144 extern callout_t in6_tmpaddrtimer_ch; 145 146 int ip6_forward_srcrt; /* XXX */ 147 int ip6_sourcecheck; /* XXX */ 148 int ip6_sourcecheck_interval; /* XXX */ 149 150 pfil_head_t *inet6_pfil_hook; 151 152 percpu_t *ip6stat_percpu; 153 154 static void ip6_init2(void *); 155 static void ip6intr(void *); 156 static struct m_tag *ip6_setdstifaddr(struct mbuf *, const struct in6_ifaddr *); 157 158 static int ip6_process_hopopts(struct mbuf *, u_int8_t *, int, u_int32_t *, 159 u_int32_t *); 160 static struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int); 161 static void sysctl_net_inet6_ip6_setup(struct sysctllog **); 162 163 /* 164 * IP6 initialization: fill in IP6 protocol switch table. 165 * All protocols not implemented in kernel go to raw IP6 protocol handler. 166 */ 167 void 168 ip6_init(void) 169 { 170 const struct ip6protosw *pr; 171 int i; 172 173 sysctl_net_inet6_ip6_setup(NULL); 174 pr = (const struct ip6protosw *)pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW); 175 if (pr == 0) 176 panic("ip6_init"); 177 for (i = 0; i < IPPROTO_MAX; i++) 178 ip6_protox[i] = pr - inet6sw; 179 for (pr = (const struct ip6protosw *)inet6domain.dom_protosw; 180 pr < (const struct ip6protosw *)inet6domain.dom_protoswNPROTOSW; pr++) 181 if (pr->pr_domain->dom_family == PF_INET6 && 182 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) 183 ip6_protox[pr->pr_protocol] = pr - inet6sw; 184 185 ip6_pktq = pktq_create(IFQ_MAXLEN, ip6intr, NULL); 186 KASSERT(ip6_pktq != NULL); 187 188 scope6_init(); 189 addrsel_policy_init(); 190 nd6_init(); 191 frag6_init(); 192 ip6_desync_factor = cprng_fast32() % MAX_TEMP_DESYNC_FACTOR; 193 194 ip6_init2(NULL); 195 #ifdef GATEWAY 196 ip6flow_init(ip6_hashsize); 197 #endif 198 /* Register our Packet Filter hook. */ 199 inet6_pfil_hook = pfil_head_create(PFIL_TYPE_AF, (void *)AF_INET6); 200 KASSERT(inet6_pfil_hook != NULL); 201 202 ip6stat_percpu = percpu_alloc(sizeof(uint64_t) * IP6_NSTATS); 203 } 204 205 static void 206 ip6_init2(void *dummy) 207 { 208 209 /* nd6_timer_init */ 210 callout_init(&nd6_timer_ch, CALLOUT_MPSAFE); 211 callout_reset(&nd6_timer_ch, hz, nd6_timer, NULL); 212 213 /* timer for regeneranation of temporary addresses randomize ID */ 214 callout_init(&in6_tmpaddrtimer_ch, CALLOUT_MPSAFE); 215 callout_reset(&in6_tmpaddrtimer_ch, 216 (ip6_temp_preferred_lifetime - ip6_desync_factor - 217 ip6_temp_regen_advance) * hz, 218 in6_tmpaddrtimer, NULL); 219 } 220 221 /* 222 * IP6 input interrupt handling. Just pass the packet to ip6_input. 223 */ 224 static void 225 ip6intr(void *arg __unused) 226 { 227 struct mbuf *m; 228 229 mutex_enter(softnet_lock); 230 while ((m = pktq_dequeue(ip6_pktq)) != NULL) { 231 const ifnet_t *ifp = m->m_pkthdr.rcvif; 232 233 /* 234 * Drop the packet if IPv6 is disabled on the interface. 235 */ 236 if ((ND_IFINFO(ifp)->flags & ND6_IFF_IFDISABLED)) { 237 m_freem(m); 238 continue; 239 } 240 ip6_input(m); 241 } 242 mutex_exit(softnet_lock); 243 } 244 245 extern struct route ip6_forward_rt; 246 247 void 248 ip6_input(struct mbuf *m) 249 { 250 struct ip6_hdr *ip6; 251 int hit, off = sizeof(struct ip6_hdr), nest; 252 u_int32_t plen; 253 u_int32_t rtalert = ~0; 254 int nxt, ours = 0, rh_present = 0; 255 struct ifnet *deliverifp = NULL; 256 int srcrt = 0; 257 const struct rtentry *rt; 258 union { 259 struct sockaddr dst; 260 struct sockaddr_in6 dst6; 261 } u; 262 263 /* 264 * make sure we don't have onion peering information into m_tag. 265 */ 266 ip6_delaux(m); 267 268 /* 269 * mbuf statistics 270 */ 271 if (m->m_flags & M_EXT) { 272 if (m->m_next) 273 IP6_STATINC(IP6_STAT_MEXT2M); 274 else 275 IP6_STATINC(IP6_STAT_MEXT1); 276 } else { 277 #define M2MMAX 32 278 if (m->m_next) { 279 if (m->m_flags & M_LOOP) { 280 /*XXX*/ IP6_STATINC(IP6_STAT_M2M + lo0ifp->if_index); 281 } else if (m->m_pkthdr.rcvif->if_index < M2MMAX) { 282 IP6_STATINC(IP6_STAT_M2M + 283 m->m_pkthdr.rcvif->if_index); 284 } else 285 IP6_STATINC(IP6_STAT_M2M); 286 } else 287 IP6_STATINC(IP6_STAT_M1); 288 #undef M2MMAX 289 } 290 291 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_receive); 292 IP6_STATINC(IP6_STAT_TOTAL); 293 294 /* 295 * If the IPv6 header is not aligned, slurp it up into a new 296 * mbuf with space for link headers, in the event we forward 297 * it. Otherwise, if it is aligned, make sure the entire base 298 * IPv6 header is in the first mbuf of the chain. 299 */ 300 if (IP6_HDR_ALIGNED_P(mtod(m, void *)) == 0) { 301 struct ifnet *inifp = m->m_pkthdr.rcvif; 302 if ((m = m_copyup(m, sizeof(struct ip6_hdr), 303 (max_linkhdr + 3) & ~3)) == NULL) { 304 /* XXXJRT new stat, please */ 305 IP6_STATINC(IP6_STAT_TOOSMALL); 306 in6_ifstat_inc(inifp, ifs6_in_hdrerr); 307 return; 308 } 309 } else if (__predict_false(m->m_len < sizeof(struct ip6_hdr))) { 310 struct ifnet *inifp = m->m_pkthdr.rcvif; 311 if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 312 IP6_STATINC(IP6_STAT_TOOSMALL); 313 in6_ifstat_inc(inifp, ifs6_in_hdrerr); 314 return; 315 } 316 } 317 318 ip6 = mtod(m, struct ip6_hdr *); 319 320 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 321 IP6_STATINC(IP6_STAT_BADVERS); 322 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 323 goto bad; 324 } 325 326 /* 327 * Assume that we can create a fast-forward IP flow entry 328 * based on this packet. 329 */ 330 m->m_flags |= M_CANFASTFWD; 331 332 /* 333 * Run through list of hooks for input packets. If there are any 334 * filters which require that additional packets in the flow are 335 * not fast-forwarded, they must clear the M_CANFASTFWD flag. 336 * Note that filters must _never_ set this flag, as another filter 337 * in the list may have previously cleared it. 338 */ 339 /* 340 * let ipfilter look at packet on the wire, 341 * not the decapsulated packet. 342 */ 343 #if defined(IPSEC) 344 if (!ipsec_used || !ipsec_indone(m)) 345 #else 346 if (1) 347 #endif 348 { 349 struct in6_addr odst; 350 351 odst = ip6->ip6_dst; 352 if (pfil_run_hooks(inet6_pfil_hook, &m, m->m_pkthdr.rcvif, 353 PFIL_IN) != 0) 354 return; 355 if (m == NULL) 356 return; 357 ip6 = mtod(m, struct ip6_hdr *); 358 srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); 359 } 360 361 IP6_STATINC(IP6_STAT_NXTHIST + ip6->ip6_nxt); 362 363 #ifdef ALTQ 364 if (altq_input != NULL && (*altq_input)(m, AF_INET6) == 0) { 365 /* packet is dropped by traffic conditioner */ 366 return; 367 } 368 #endif 369 370 /* 371 * Check against address spoofing/corruption. 372 */ 373 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) || 374 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) { 375 /* 376 * XXX: "badscope" is not very suitable for a multicast source. 377 */ 378 IP6_STATINC(IP6_STAT_BADSCOPE); 379 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 380 goto bad; 381 } 382 /* 383 * The following check is not documented in specs. A malicious 384 * party may be able to use IPv4 mapped addr to confuse tcp/udp stack 385 * and bypass security checks (act as if it was from 127.0.0.1 by using 386 * IPv6 src ::ffff:127.0.0.1). Be cautious. 387 * 388 * This check chokes if we are in an SIIT cloud. As none of BSDs 389 * support IPv4-less kernel compilation, we cannot support SIIT 390 * environment at all. So, it makes more sense for us to reject any 391 * malicious packets for non-SIIT environment, than try to do a 392 * partial support for SIIT environment. 393 */ 394 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 395 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 396 IP6_STATINC(IP6_STAT_BADSCOPE); 397 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 398 goto bad; 399 } 400 #if 0 401 /* 402 * Reject packets with IPv4 compatible addresses (auto tunnel). 403 * 404 * The code forbids auto tunnel relay case in RFC1933 (the check is 405 * stronger than RFC1933). We may want to re-enable it if mech-xx 406 * is revised to forbid relaying case. 407 */ 408 if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) || 409 IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { 410 IP6_STATINC(IP6_STAT_BADSCOPE); 411 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 412 goto bad; 413 } 414 #endif 415 416 /* 417 * Disambiguate address scope zones (if there is ambiguity). 418 * We first make sure that the original source or destination address 419 * is not in our internal form for scoped addresses. Such addresses 420 * are not necessarily invalid spec-wise, but we cannot accept them due 421 * to the usage conflict. 422 * in6_setscope() then also checks and rejects the cases where src or 423 * dst are the loopback address and the receiving interface 424 * is not loopback. 425 */ 426 if (__predict_false( 427 m_makewritable(&m, 0, sizeof(struct ip6_hdr), M_DONTWAIT))) 428 goto bad; 429 ip6 = mtod(m, struct ip6_hdr *); 430 if (in6_clearscope(&ip6->ip6_src) || in6_clearscope(&ip6->ip6_dst)) { 431 IP6_STATINC(IP6_STAT_BADSCOPE); /* XXX */ 432 goto bad; 433 } 434 if (in6_setscope(&ip6->ip6_src, m->m_pkthdr.rcvif, NULL) || 435 in6_setscope(&ip6->ip6_dst, m->m_pkthdr.rcvif, NULL)) { 436 IP6_STATINC(IP6_STAT_BADSCOPE); 437 goto bad; 438 } 439 440 /* 441 * Multicast check 442 */ 443 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 444 struct in6_multi *in6m = 0; 445 446 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_mcast); 447 /* 448 * See if we belong to the destination multicast group on the 449 * arrival interface. 450 */ 451 IN6_LOOKUP_MULTI(ip6->ip6_dst, m->m_pkthdr.rcvif, in6m); 452 if (in6m) 453 ours = 1; 454 else if (!ip6_mrouter) { 455 uint64_t *ip6s = IP6_STAT_GETREF(); 456 ip6s[IP6_STAT_NOTMEMBER]++; 457 ip6s[IP6_STAT_CANTFORWARD]++; 458 IP6_STAT_PUTREF(); 459 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 460 goto bad; 461 } 462 deliverifp = m->m_pkthdr.rcvif; 463 goto hbhcheck; 464 } 465 466 sockaddr_in6_init(&u.dst6, &ip6->ip6_dst, 0, 0, 0); 467 468 /* 469 * Unicast check 470 */ 471 rt = rtcache_lookup2(&ip6_forward_rt, &u.dst, 1, &hit); 472 if (hit) 473 IP6_STATINC(IP6_STAT_FORWARD_CACHEHIT); 474 else 475 IP6_STATINC(IP6_STAT_FORWARD_CACHEMISS); 476 477 #define rt6_getkey(__rt) satocsin6(rt_getkey(__rt)) 478 479 /* 480 * Accept the packet if the forwarding interface to the destination 481 * according to the routing table is the loopback interface, 482 * unless the associated route has a gateway. 483 * Note that this approach causes to accept a packet if there is a 484 * route to the loopback interface for the destination of the packet. 485 * But we think it's even useful in some situations, e.g. when using 486 * a special daemon which wants to intercept the packet. 487 */ 488 if (rt != NULL && 489 (rt->rt_flags & (RTF_HOST|RTF_GATEWAY)) == RTF_HOST && 490 !(rt->rt_flags & RTF_CLONED) && 491 #if 0 492 /* 493 * The check below is redundant since the comparison of 494 * the destination and the key of the rtentry has 495 * already done through looking up the routing table. 496 */ 497 IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &rt6_getkey(rt)->sin6_addr) && 498 #endif 499 rt->rt_ifp->if_type == IFT_LOOP) { 500 struct in6_ifaddr *ia6 = (struct in6_ifaddr *)rt->rt_ifa; 501 if (ia6->ia6_flags & IN6_IFF_ANYCAST) 502 m->m_flags |= M_ANYCAST6; 503 /* 504 * packets to a tentative, duplicated, or somehow invalid 505 * address must not be accepted. 506 */ 507 if (!(ia6->ia6_flags & IN6_IFF_NOTREADY)) { 508 /* this address is ready */ 509 ours = 1; 510 deliverifp = ia6->ia_ifp; /* correct? */ 511 goto hbhcheck; 512 } else { 513 /* address is not ready, so discard the packet. */ 514 nd6log((LOG_INFO, 515 "ip6_input: packet to an unready address %s->%s\n", 516 ip6_sprintf(&ip6->ip6_src), 517 ip6_sprintf(&ip6->ip6_dst))); 518 519 goto bad; 520 } 521 } 522 523 /* 524 * FAITH (Firewall Aided Internet Translator) 525 */ 526 #if defined(NFAITH) && 0 < NFAITH 527 if (ip6_keepfaith) { 528 if (rt != NULL && rt->rt_ifp != NULL && 529 rt->rt_ifp->if_type == IFT_FAITH) { 530 /* XXX do we need more sanity checks? */ 531 ours = 1; 532 deliverifp = rt->rt_ifp; /* faith */ 533 goto hbhcheck; 534 } 535 } 536 #endif 537 538 #if 0 539 { 540 /* 541 * Last resort: check in6_ifaddr for incoming interface. 542 * The code is here until I update the "goto ours hack" code above 543 * working right. 544 */ 545 struct ifaddr *ifa; 546 IFADDR_FOREACH(ifa, m->m_pkthdr.rcvif) { 547 if (ifa->ifa_addr == NULL) 548 continue; /* just for safety */ 549 if (ifa->ifa_addr->sa_family != AF_INET6) 550 continue; 551 if (IN6_ARE_ADDR_EQUAL(IFA_IN6(ifa), &ip6->ip6_dst)) { 552 ours = 1; 553 deliverifp = ifa->ifa_ifp; 554 goto hbhcheck; 555 } 556 } 557 } 558 #endif 559 560 /* 561 * Now there is no reason to process the packet if it's not our own 562 * and we're not a router. 563 */ 564 if (!ip6_forwarding) { 565 IP6_STATINC(IP6_STAT_CANTFORWARD); 566 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 567 goto bad; 568 } 569 570 hbhcheck: 571 /* 572 * record address information into m_tag, if we don't have one yet. 573 * note that we are unable to record it, if the address is not listed 574 * as our interface address (e.g. multicast addresses, addresses 575 * within FAITH prefixes and such). 576 */ 577 if (deliverifp && ip6_getdstifaddr(m) == NULL) { 578 struct in6_ifaddr *ia6; 579 580 ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst); 581 if (ia6 != NULL && ip6_setdstifaddr(m, ia6) == NULL) { 582 /* 583 * XXX maybe we should drop the packet here, 584 * as we could not provide enough information 585 * to the upper layers. 586 */ 587 } 588 } 589 590 /* 591 * Process Hop-by-Hop options header if it's contained. 592 * m may be modified in ip6_hopopts_input(). 593 * If a JumboPayload option is included, plen will also be modified. 594 */ 595 plen = (u_int32_t)ntohs(ip6->ip6_plen); 596 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 597 struct ip6_hbh *hbh; 598 599 if (ip6_hopopts_input(&plen, &rtalert, &m, &off)) { 600 #if 0 /*touches NULL pointer*/ 601 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 602 #endif 603 return; /* m have already been freed */ 604 } 605 606 /* adjust pointer */ 607 ip6 = mtod(m, struct ip6_hdr *); 608 609 /* 610 * if the payload length field is 0 and the next header field 611 * indicates Hop-by-Hop Options header, then a Jumbo Payload 612 * option MUST be included. 613 */ 614 if (ip6->ip6_plen == 0 && plen == 0) { 615 /* 616 * Note that if a valid jumbo payload option is 617 * contained, ip6_hopopts_input() must set a valid 618 * (non-zero) payload length to the variable plen. 619 */ 620 IP6_STATINC(IP6_STAT_BADOPTIONS); 621 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 622 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 623 icmp6_error(m, ICMP6_PARAM_PROB, 624 ICMP6_PARAMPROB_HEADER, 625 (char *)&ip6->ip6_plen - (char *)ip6); 626 return; 627 } 628 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 629 sizeof(struct ip6_hbh)); 630 if (hbh == NULL) { 631 IP6_STATINC(IP6_STAT_TOOSHORT); 632 return; 633 } 634 KASSERT(IP6_HDR_ALIGNED_P(hbh)); 635 nxt = hbh->ip6h_nxt; 636 637 /* 638 * accept the packet if a router alert option is included 639 * and we act as an IPv6 router. 640 */ 641 if (rtalert != ~0 && ip6_forwarding) 642 ours = 1; 643 } else 644 nxt = ip6->ip6_nxt; 645 646 /* 647 * Check that the amount of data in the buffers 648 * is as at least much as the IPv6 header would have us expect. 649 * Trim mbufs if longer than we expect. 650 * Drop packet if shorter than we expect. 651 */ 652 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) { 653 IP6_STATINC(IP6_STAT_TOOSHORT); 654 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 655 goto bad; 656 } 657 if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) { 658 if (m->m_len == m->m_pkthdr.len) { 659 m->m_len = sizeof(struct ip6_hdr) + plen; 660 m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen; 661 } else 662 m_adj(m, sizeof(struct ip6_hdr) + plen - m->m_pkthdr.len); 663 } 664 665 /* 666 * Forward if desirable. 667 */ 668 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 669 /* 670 * If we are acting as a multicast router, all 671 * incoming multicast packets are passed to the 672 * kernel-level multicast forwarding function. 673 * The packet is returned (relatively) intact; if 674 * ip6_mforward() returns a non-zero value, the packet 675 * must be discarded, else it may be accepted below. 676 */ 677 if (ip6_mrouter && ip6_mforward(ip6, m->m_pkthdr.rcvif, m)) { 678 IP6_STATINC(IP6_STAT_CANTFORWARD); 679 m_freem(m); 680 return; 681 } 682 if (!ours) { 683 m_freem(m); 684 return; 685 } 686 } else if (!ours) { 687 ip6_forward(m, srcrt); 688 return; 689 } 690 691 ip6 = mtod(m, struct ip6_hdr *); 692 693 /* 694 * Malicious party may be able to use IPv4 mapped addr to confuse 695 * tcp/udp stack and bypass security checks (act as if it was from 696 * 127.0.0.1 by using IPv6 src ::ffff:127.0.0.1). Be cautious. 697 * 698 * For SIIT end node behavior, you may want to disable the check. 699 * However, you will become vulnerable to attacks using IPv4 mapped 700 * source. 701 */ 702 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 703 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 704 IP6_STATINC(IP6_STAT_BADSCOPE); 705 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 706 goto bad; 707 } 708 709 /* 710 * Tell launch routine the next header 711 */ 712 #ifdef IFA_STATS 713 if (deliverifp != NULL) { 714 struct in6_ifaddr *ia6; 715 ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst); 716 if (ia6) 717 ia6->ia_ifa.ifa_data.ifad_inbytes += m->m_pkthdr.len; 718 } 719 #endif 720 IP6_STATINC(IP6_STAT_DELIVERED); 721 in6_ifstat_inc(deliverifp, ifs6_in_deliver); 722 nest = 0; 723 724 rh_present = 0; 725 while (nxt != IPPROTO_DONE) { 726 if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) { 727 IP6_STATINC(IP6_STAT_TOOMANYHDR); 728 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 729 goto bad; 730 } 731 732 /* 733 * protection against faulty packet - there should be 734 * more sanity checks in header chain processing. 735 */ 736 if (m->m_pkthdr.len < off) { 737 IP6_STATINC(IP6_STAT_TOOSHORT); 738 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 739 goto bad; 740 } 741 742 if (nxt == IPPROTO_ROUTING) { 743 if (rh_present++) { 744 in6_ifstat_inc(m->m_pkthdr.rcvif, 745 ifs6_in_hdrerr); 746 IP6_STATINC(IP6_STAT_BADOPTIONS); 747 goto bad; 748 } 749 } 750 751 #ifdef IPSEC 752 if (ipsec_used) { 753 /* 754 * enforce IPsec policy checking if we are seeing last 755 * header. note that we do not visit this with 756 * protocols with pcb layer code - like udp/tcp/raw ip. 757 */ 758 if ((inet6sw[ip_protox[nxt]].pr_flags 759 & PR_LASTHDR) != 0) { 760 int error = ipsec6_input(m); 761 if (error) 762 goto bad; 763 } 764 } 765 #endif /* IPSEC */ 766 767 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt); 768 } 769 return; 770 bad: 771 m_freem(m); 772 } 773 774 /* 775 * set/grab in6_ifaddr correspond to IPv6 destination address. 776 */ 777 static struct m_tag * 778 ip6_setdstifaddr(struct mbuf *m, const struct in6_ifaddr *ia) 779 { 780 struct m_tag *mtag; 781 struct ip6aux *ip6a; 782 783 mtag = ip6_addaux(m); 784 if (mtag == NULL) 785 return NULL; 786 787 ip6a = (struct ip6aux *)(mtag + 1); 788 if (in6_setscope(&ip6a->ip6a_src, ia->ia_ifp, &ip6a->ip6a_scope_id)) { 789 IP6_STATINC(IP6_STAT_BADSCOPE); 790 return NULL; 791 } 792 793 ip6a->ip6a_src = ia->ia_addr.sin6_addr; 794 ip6a->ip6a_flags = ia->ia6_flags; 795 return mtag; 796 } 797 798 const struct ip6aux * 799 ip6_getdstifaddr(struct mbuf *m) 800 { 801 struct m_tag *mtag; 802 803 mtag = ip6_findaux(m); 804 if (mtag != NULL) 805 return (struct ip6aux *)(mtag + 1); 806 else 807 return NULL; 808 } 809 810 /* 811 * Hop-by-Hop options header processing. If a valid jumbo payload option is 812 * included, the real payload length will be stored in plenp. 813 * 814 * rtalertp - XXX: should be stored more smart way 815 */ 816 int 817 ip6_hopopts_input(u_int32_t *plenp, u_int32_t *rtalertp, 818 struct mbuf **mp, int *offp) 819 { 820 struct mbuf *m = *mp; 821 int off = *offp, hbhlen; 822 struct ip6_hbh *hbh; 823 824 /* validation of the length of the header */ 825 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, 826 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh)); 827 if (hbh == NULL) { 828 IP6_STATINC(IP6_STAT_TOOSHORT); 829 return -1; 830 } 831 hbhlen = (hbh->ip6h_len + 1) << 3; 832 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 833 hbhlen); 834 if (hbh == NULL) { 835 IP6_STATINC(IP6_STAT_TOOSHORT); 836 return -1; 837 } 838 KASSERT(IP6_HDR_ALIGNED_P(hbh)); 839 off += hbhlen; 840 hbhlen -= sizeof(struct ip6_hbh); 841 842 if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh), 843 hbhlen, rtalertp, plenp) < 0) 844 return (-1); 845 846 *offp = off; 847 *mp = m; 848 return (0); 849 } 850 851 /* 852 * Search header for all Hop-by-hop options and process each option. 853 * This function is separate from ip6_hopopts_input() in order to 854 * handle a case where the sending node itself process its hop-by-hop 855 * options header. In such a case, the function is called from ip6_output(). 856 * 857 * The function assumes that hbh header is located right after the IPv6 header 858 * (RFC2460 p7), opthead is pointer into data content in m, and opthead to 859 * opthead + hbhlen is located in continuous memory region. 860 */ 861 static int 862 ip6_process_hopopts(struct mbuf *m, u_int8_t *opthead, int hbhlen, 863 u_int32_t *rtalertp, u_int32_t *plenp) 864 { 865 struct ip6_hdr *ip6; 866 int optlen = 0; 867 u_int8_t *opt = opthead; 868 u_int16_t rtalert_val; 869 u_int32_t jumboplen; 870 const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh); 871 872 for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) { 873 switch (*opt) { 874 case IP6OPT_PAD1: 875 optlen = 1; 876 break; 877 case IP6OPT_PADN: 878 if (hbhlen < IP6OPT_MINLEN) { 879 IP6_STATINC(IP6_STAT_TOOSMALL); 880 goto bad; 881 } 882 optlen = *(opt + 1) + 2; 883 break; 884 case IP6OPT_RTALERT: 885 /* XXX may need check for alignment */ 886 if (hbhlen < IP6OPT_RTALERT_LEN) { 887 IP6_STATINC(IP6_STAT_TOOSMALL); 888 goto bad; 889 } 890 if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) { 891 /* XXX stat */ 892 icmp6_error(m, ICMP6_PARAM_PROB, 893 ICMP6_PARAMPROB_HEADER, 894 erroff + opt + 1 - opthead); 895 return (-1); 896 } 897 optlen = IP6OPT_RTALERT_LEN; 898 memcpy((void *)&rtalert_val, (void *)(opt + 2), 2); 899 *rtalertp = ntohs(rtalert_val); 900 break; 901 case IP6OPT_JUMBO: 902 /* XXX may need check for alignment */ 903 if (hbhlen < IP6OPT_JUMBO_LEN) { 904 IP6_STATINC(IP6_STAT_TOOSMALL); 905 goto bad; 906 } 907 if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) { 908 /* XXX stat */ 909 icmp6_error(m, ICMP6_PARAM_PROB, 910 ICMP6_PARAMPROB_HEADER, 911 erroff + opt + 1 - opthead); 912 return (-1); 913 } 914 optlen = IP6OPT_JUMBO_LEN; 915 916 /* 917 * IPv6 packets that have non 0 payload length 918 * must not contain a jumbo payload option. 919 */ 920 ip6 = mtod(m, struct ip6_hdr *); 921 if (ip6->ip6_plen) { 922 IP6_STATINC(IP6_STAT_BADOPTIONS); 923 icmp6_error(m, ICMP6_PARAM_PROB, 924 ICMP6_PARAMPROB_HEADER, 925 erroff + opt - opthead); 926 return (-1); 927 } 928 929 /* 930 * We may see jumbolen in unaligned location, so 931 * we'd need to perform bcopy(). 932 */ 933 memcpy(&jumboplen, opt + 2, sizeof(jumboplen)); 934 jumboplen = (u_int32_t)htonl(jumboplen); 935 936 #if 1 937 /* 938 * if there are multiple jumbo payload options, 939 * *plenp will be non-zero and the packet will be 940 * rejected. 941 * the behavior may need some debate in ipngwg - 942 * multiple options does not make sense, however, 943 * there's no explicit mention in specification. 944 */ 945 if (*plenp != 0) { 946 IP6_STATINC(IP6_STAT_BADOPTIONS); 947 icmp6_error(m, ICMP6_PARAM_PROB, 948 ICMP6_PARAMPROB_HEADER, 949 erroff + opt + 2 - opthead); 950 return (-1); 951 } 952 #endif 953 954 /* 955 * jumbo payload length must be larger than 65535. 956 */ 957 if (jumboplen <= IPV6_MAXPACKET) { 958 IP6_STATINC(IP6_STAT_BADOPTIONS); 959 icmp6_error(m, ICMP6_PARAM_PROB, 960 ICMP6_PARAMPROB_HEADER, 961 erroff + opt + 2 - opthead); 962 return (-1); 963 } 964 *plenp = jumboplen; 965 966 break; 967 default: /* unknown option */ 968 if (hbhlen < IP6OPT_MINLEN) { 969 IP6_STATINC(IP6_STAT_TOOSMALL); 970 goto bad; 971 } 972 optlen = ip6_unknown_opt(opt, m, 973 erroff + opt - opthead); 974 if (optlen == -1) 975 return (-1); 976 optlen += 2; 977 break; 978 } 979 } 980 981 return (0); 982 983 bad: 984 m_freem(m); 985 return (-1); 986 } 987 988 /* 989 * Unknown option processing. 990 * The third argument `off' is the offset from the IPv6 header to the option, 991 * which is necessary if the IPv6 header the and option header and IPv6 header 992 * is not continuous in order to return an ICMPv6 error. 993 */ 994 int 995 ip6_unknown_opt(u_int8_t *optp, struct mbuf *m, int off) 996 { 997 struct ip6_hdr *ip6; 998 999 switch (IP6OPT_TYPE(*optp)) { 1000 case IP6OPT_TYPE_SKIP: /* ignore the option */ 1001 return ((int)*(optp + 1)); 1002 case IP6OPT_TYPE_DISCARD: /* silently discard */ 1003 m_freem(m); 1004 return (-1); 1005 case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */ 1006 IP6_STATINC(IP6_STAT_BADOPTIONS); 1007 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off); 1008 return (-1); 1009 case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */ 1010 IP6_STATINC(IP6_STAT_BADOPTIONS); 1011 ip6 = mtod(m, struct ip6_hdr *); 1012 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) || 1013 (m->m_flags & (M_BCAST|M_MCAST))) 1014 m_freem(m); 1015 else 1016 icmp6_error(m, ICMP6_PARAM_PROB, 1017 ICMP6_PARAMPROB_OPTION, off); 1018 return (-1); 1019 } 1020 1021 m_freem(m); /* XXX: NOTREACHED */ 1022 return (-1); 1023 } 1024 1025 /* 1026 * Create the "control" list for this pcb. 1027 * 1028 * The routine will be called from upper layer handlers like tcp6_input(). 1029 * Thus the routine assumes that the caller (tcp6_input) have already 1030 * called IP6_EXTHDR_CHECK() and all the extension headers are located in the 1031 * very first mbuf on the mbuf chain. 1032 * We may want to add some infinite loop prevention or sanity checks for safety. 1033 * (This applies only when you are using KAME mbuf chain restriction, i.e. 1034 * you are using IP6_EXTHDR_CHECK() not m_pulldown()) 1035 */ 1036 void 1037 ip6_savecontrol(struct in6pcb *in6p, struct mbuf **mp, 1038 struct ip6_hdr *ip6, struct mbuf *m) 1039 { 1040 #ifdef RFC2292 1041 #define IS2292(x, y) ((in6p->in6p_flags & IN6P_RFC2292) ? (x) : (y)) 1042 #else 1043 #define IS2292(x, y) (y) 1044 #endif 1045 1046 if (in6p->in6p_socket->so_options & SO_TIMESTAMP 1047 #ifdef SO_OTIMESTAMP 1048 || in6p->in6p_socket->so_options & SO_OTIMESTAMP 1049 #endif 1050 ) { 1051 struct timeval tv; 1052 1053 microtime(&tv); 1054 #ifdef SO_OTIMESTAMP 1055 if (in6p->in6p_socket->so_options & SO_OTIMESTAMP) { 1056 struct timeval50 tv50; 1057 timeval_to_timeval50(&tv, &tv50); 1058 *mp = sbcreatecontrol((void *) &tv50, sizeof(tv50), 1059 SCM_OTIMESTAMP, SOL_SOCKET); 1060 } else 1061 #endif 1062 *mp = sbcreatecontrol((void *) &tv, sizeof(tv), 1063 SCM_TIMESTAMP, SOL_SOCKET); 1064 if (*mp) 1065 mp = &(*mp)->m_next; 1066 } 1067 1068 /* some OSes call this logic with IPv4 packet, for SO_TIMESTAMP */ 1069 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) 1070 return; 1071 1072 /* RFC 2292 sec. 5 */ 1073 if ((in6p->in6p_flags & IN6P_PKTINFO) != 0) { 1074 struct in6_pktinfo pi6; 1075 1076 memcpy(&pi6.ipi6_addr, &ip6->ip6_dst, sizeof(struct in6_addr)); 1077 in6_clearscope(&pi6.ipi6_addr); /* XXX */ 1078 pi6.ipi6_ifindex = m->m_pkthdr.rcvif ? 1079 m->m_pkthdr.rcvif->if_index : 0; 1080 *mp = sbcreatecontrol((void *) &pi6, 1081 sizeof(struct in6_pktinfo), 1082 IS2292(IPV6_2292PKTINFO, IPV6_PKTINFO), IPPROTO_IPV6); 1083 if (*mp) 1084 mp = &(*mp)->m_next; 1085 } 1086 1087 if (in6p->in6p_flags & IN6P_HOPLIMIT) { 1088 int hlim = ip6->ip6_hlim & 0xff; 1089 1090 *mp = sbcreatecontrol((void *) &hlim, sizeof(int), 1091 IS2292(IPV6_2292HOPLIMIT, IPV6_HOPLIMIT), IPPROTO_IPV6); 1092 if (*mp) 1093 mp = &(*mp)->m_next; 1094 } 1095 1096 if ((in6p->in6p_flags & IN6P_TCLASS) != 0) { 1097 u_int32_t flowinfo; 1098 int tclass; 1099 1100 flowinfo = (u_int32_t)ntohl(ip6->ip6_flow & IPV6_FLOWINFO_MASK); 1101 flowinfo >>= 20; 1102 1103 tclass = flowinfo & 0xff; 1104 *mp = sbcreatecontrol((void *)&tclass, sizeof(tclass), 1105 IPV6_TCLASS, IPPROTO_IPV6); 1106 1107 if (*mp) 1108 mp = &(*mp)->m_next; 1109 } 1110 1111 /* 1112 * IPV6_HOPOPTS socket option. Recall that we required super-user 1113 * privilege for the option (see ip6_ctloutput), but it might be too 1114 * strict, since there might be some hop-by-hop options which can be 1115 * returned to normal user. 1116 * See also RFC3542 section 8 (or RFC2292 section 6). 1117 */ 1118 if ((in6p->in6p_flags & IN6P_HOPOPTS) != 0) { 1119 /* 1120 * Check if a hop-by-hop options header is contatined in the 1121 * received packet, and if so, store the options as ancillary 1122 * data. Note that a hop-by-hop options header must be 1123 * just after the IPv6 header, which fact is assured through 1124 * the IPv6 input processing. 1125 */ 1126 struct ip6_hdr *xip6 = mtod(m, struct ip6_hdr *); 1127 if (xip6->ip6_nxt == IPPROTO_HOPOPTS) { 1128 struct ip6_hbh *hbh; 1129 int hbhlen; 1130 struct mbuf *ext; 1131 1132 ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr), 1133 xip6->ip6_nxt); 1134 if (ext == NULL) { 1135 IP6_STATINC(IP6_STAT_TOOSHORT); 1136 return; 1137 } 1138 hbh = mtod(ext, struct ip6_hbh *); 1139 hbhlen = (hbh->ip6h_len + 1) << 3; 1140 if (hbhlen != ext->m_len) { 1141 m_freem(ext); 1142 IP6_STATINC(IP6_STAT_TOOSHORT); 1143 return; 1144 } 1145 1146 /* 1147 * XXX: We copy whole the header even if a jumbo 1148 * payload option is included, which option is to 1149 * be removed before returning in the RFC 2292. 1150 * Note: this constraint is removed in RFC3542. 1151 */ 1152 *mp = sbcreatecontrol((void *)hbh, hbhlen, 1153 IS2292(IPV6_2292HOPOPTS, IPV6_HOPOPTS), 1154 IPPROTO_IPV6); 1155 if (*mp) 1156 mp = &(*mp)->m_next; 1157 m_freem(ext); 1158 } 1159 } 1160 1161 /* IPV6_DSTOPTS and IPV6_RTHDR socket options */ 1162 if (in6p->in6p_flags & (IN6P_DSTOPTS | IN6P_RTHDR)) { 1163 struct ip6_hdr *xip6 = mtod(m, struct ip6_hdr *); 1164 int nxt = xip6->ip6_nxt, off = sizeof(struct ip6_hdr); 1165 1166 /* 1167 * Search for destination options headers or routing 1168 * header(s) through the header chain, and stores each 1169 * header as ancillary data. 1170 * Note that the order of the headers remains in 1171 * the chain of ancillary data. 1172 */ 1173 for (;;) { /* is explicit loop prevention necessary? */ 1174 struct ip6_ext *ip6e = NULL; 1175 int elen; 1176 struct mbuf *ext = NULL; 1177 1178 /* 1179 * if it is not an extension header, don't try to 1180 * pull it from the chain. 1181 */ 1182 switch (nxt) { 1183 case IPPROTO_DSTOPTS: 1184 case IPPROTO_ROUTING: 1185 case IPPROTO_HOPOPTS: 1186 case IPPROTO_AH: /* is it possible? */ 1187 break; 1188 default: 1189 goto loopend; 1190 } 1191 1192 ext = ip6_pullexthdr(m, off, nxt); 1193 if (ext == NULL) { 1194 IP6_STATINC(IP6_STAT_TOOSHORT); 1195 return; 1196 } 1197 ip6e = mtod(ext, struct ip6_ext *); 1198 if (nxt == IPPROTO_AH) 1199 elen = (ip6e->ip6e_len + 2) << 2; 1200 else 1201 elen = (ip6e->ip6e_len + 1) << 3; 1202 if (elen != ext->m_len) { 1203 m_freem(ext); 1204 IP6_STATINC(IP6_STAT_TOOSHORT); 1205 return; 1206 } 1207 KASSERT(IP6_HDR_ALIGNED_P(ip6e)); 1208 1209 switch (nxt) { 1210 case IPPROTO_DSTOPTS: 1211 if (!(in6p->in6p_flags & IN6P_DSTOPTS)) 1212 break; 1213 1214 *mp = sbcreatecontrol((void *)ip6e, elen, 1215 IS2292(IPV6_2292DSTOPTS, IPV6_DSTOPTS), 1216 IPPROTO_IPV6); 1217 if (*mp) 1218 mp = &(*mp)->m_next; 1219 break; 1220 1221 case IPPROTO_ROUTING: 1222 if (!(in6p->in6p_flags & IN6P_RTHDR)) 1223 break; 1224 1225 *mp = sbcreatecontrol((void *)ip6e, elen, 1226 IS2292(IPV6_2292RTHDR, IPV6_RTHDR), 1227 IPPROTO_IPV6); 1228 if (*mp) 1229 mp = &(*mp)->m_next; 1230 break; 1231 1232 case IPPROTO_HOPOPTS: 1233 case IPPROTO_AH: /* is it possible? */ 1234 break; 1235 1236 default: 1237 /* 1238 * other cases have been filtered in the above. 1239 * none will visit this case. here we supply 1240 * the code just in case (nxt overwritten or 1241 * other cases). 1242 */ 1243 m_freem(ext); 1244 goto loopend; 1245 1246 } 1247 1248 /* proceed with the next header. */ 1249 off += elen; 1250 nxt = ip6e->ip6e_nxt; 1251 ip6e = NULL; 1252 m_freem(ext); 1253 ext = NULL; 1254 } 1255 loopend: 1256 ; 1257 } 1258 } 1259 #undef IS2292 1260 1261 1262 void 1263 ip6_notify_pmtu(struct in6pcb *in6p, const struct sockaddr_in6 *dst, 1264 uint32_t *mtu) 1265 { 1266 struct socket *so; 1267 struct mbuf *m_mtu; 1268 struct ip6_mtuinfo mtuctl; 1269 1270 so = in6p->in6p_socket; 1271 1272 if (mtu == NULL) 1273 return; 1274 1275 #ifdef DIAGNOSTIC 1276 if (so == NULL) /* I believe this is impossible */ 1277 panic("ip6_notify_pmtu: socket is NULL"); 1278 #endif 1279 1280 memset(&mtuctl, 0, sizeof(mtuctl)); /* zero-clear for safety */ 1281 mtuctl.ip6m_mtu = *mtu; 1282 mtuctl.ip6m_addr = *dst; 1283 if (sa6_recoverscope(&mtuctl.ip6m_addr)) 1284 return; 1285 1286 if ((m_mtu = sbcreatecontrol((void *)&mtuctl, sizeof(mtuctl), 1287 IPV6_PATHMTU, IPPROTO_IPV6)) == NULL) 1288 return; 1289 1290 if (sbappendaddr(&so->so_rcv, (const struct sockaddr *)dst, NULL, m_mtu) 1291 == 0) { 1292 m_freem(m_mtu); 1293 /* XXX: should count statistics */ 1294 } else 1295 sorwakeup(so); 1296 1297 return; 1298 } 1299 1300 /* 1301 * pull single extension header from mbuf chain. returns single mbuf that 1302 * contains the result, or NULL on error. 1303 */ 1304 static struct mbuf * 1305 ip6_pullexthdr(struct mbuf *m, size_t off, int nxt) 1306 { 1307 struct ip6_ext ip6e; 1308 size_t elen; 1309 struct mbuf *n; 1310 1311 #ifdef DIAGNOSTIC 1312 switch (nxt) { 1313 case IPPROTO_DSTOPTS: 1314 case IPPROTO_ROUTING: 1315 case IPPROTO_HOPOPTS: 1316 case IPPROTO_AH: /* is it possible? */ 1317 break; 1318 default: 1319 printf("ip6_pullexthdr: invalid nxt=%d\n", nxt); 1320 } 1321 #endif 1322 1323 m_copydata(m, off, sizeof(ip6e), (void *)&ip6e); 1324 if (nxt == IPPROTO_AH) 1325 elen = (ip6e.ip6e_len + 2) << 2; 1326 else 1327 elen = (ip6e.ip6e_len + 1) << 3; 1328 1329 MGET(n, M_DONTWAIT, MT_DATA); 1330 if (n && elen >= MLEN) { 1331 MCLGET(n, M_DONTWAIT); 1332 if ((n->m_flags & M_EXT) == 0) { 1333 m_free(n); 1334 n = NULL; 1335 } 1336 } 1337 if (!n) 1338 return NULL; 1339 1340 n->m_len = 0; 1341 if (elen >= M_TRAILINGSPACE(n)) { 1342 m_free(n); 1343 return NULL; 1344 } 1345 1346 m_copydata(m, off, elen, mtod(n, void *)); 1347 n->m_len = elen; 1348 return n; 1349 } 1350 1351 /* 1352 * Get pointer to the previous header followed by the header 1353 * currently processed. 1354 * XXX: This function supposes that 1355 * M includes all headers, 1356 * the next header field and the header length field of each header 1357 * are valid, and 1358 * the sum of each header length equals to OFF. 1359 * Because of these assumptions, this function must be called very 1360 * carefully. Moreover, it will not be used in the near future when 1361 * we develop `neater' mechanism to process extension headers. 1362 */ 1363 u_int8_t * 1364 ip6_get_prevhdr(struct mbuf *m, int off) 1365 { 1366 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1367 1368 if (off == sizeof(struct ip6_hdr)) 1369 return (&ip6->ip6_nxt); 1370 else { 1371 int len, nxt; 1372 struct ip6_ext *ip6e = NULL; 1373 1374 nxt = ip6->ip6_nxt; 1375 len = sizeof(struct ip6_hdr); 1376 while (len < off) { 1377 ip6e = (struct ip6_ext *)(mtod(m, char *) + len); 1378 1379 switch (nxt) { 1380 case IPPROTO_FRAGMENT: 1381 len += sizeof(struct ip6_frag); 1382 break; 1383 case IPPROTO_AH: 1384 len += (ip6e->ip6e_len + 2) << 2; 1385 break; 1386 default: 1387 len += (ip6e->ip6e_len + 1) << 3; 1388 break; 1389 } 1390 nxt = ip6e->ip6e_nxt; 1391 } 1392 if (ip6e) 1393 return (&ip6e->ip6e_nxt); 1394 else 1395 return NULL; 1396 } 1397 } 1398 1399 /* 1400 * get next header offset. m will be retained. 1401 */ 1402 int 1403 ip6_nexthdr(struct mbuf *m, int off, int proto, int *nxtp) 1404 { 1405 struct ip6_hdr ip6; 1406 struct ip6_ext ip6e; 1407 struct ip6_frag fh; 1408 1409 /* just in case */ 1410 if (m == NULL) 1411 panic("ip6_nexthdr: m == NULL"); 1412 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off) 1413 return -1; 1414 1415 switch (proto) { 1416 case IPPROTO_IPV6: 1417 /* do not chase beyond intermediate IPv6 headers */ 1418 if (off != 0) 1419 return -1; 1420 if (m->m_pkthdr.len < off + sizeof(ip6)) 1421 return -1; 1422 m_copydata(m, off, sizeof(ip6), (void *)&ip6); 1423 if (nxtp) 1424 *nxtp = ip6.ip6_nxt; 1425 off += sizeof(ip6); 1426 return off; 1427 1428 case IPPROTO_FRAGMENT: 1429 /* 1430 * terminate parsing if it is not the first fragment, 1431 * it does not make sense to parse through it. 1432 */ 1433 if (m->m_pkthdr.len < off + sizeof(fh)) 1434 return -1; 1435 m_copydata(m, off, sizeof(fh), (void *)&fh); 1436 if ((fh.ip6f_offlg & IP6F_OFF_MASK) != 0) 1437 return -1; 1438 if (nxtp) 1439 *nxtp = fh.ip6f_nxt; 1440 off += sizeof(struct ip6_frag); 1441 return off; 1442 1443 case IPPROTO_AH: 1444 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1445 return -1; 1446 m_copydata(m, off, sizeof(ip6e), (void *)&ip6e); 1447 if (nxtp) 1448 *nxtp = ip6e.ip6e_nxt; 1449 off += (ip6e.ip6e_len + 2) << 2; 1450 if (m->m_pkthdr.len < off) 1451 return -1; 1452 return off; 1453 1454 case IPPROTO_HOPOPTS: 1455 case IPPROTO_ROUTING: 1456 case IPPROTO_DSTOPTS: 1457 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1458 return -1; 1459 m_copydata(m, off, sizeof(ip6e), (void *)&ip6e); 1460 if (nxtp) 1461 *nxtp = ip6e.ip6e_nxt; 1462 off += (ip6e.ip6e_len + 1) << 3; 1463 if (m->m_pkthdr.len < off) 1464 return -1; 1465 return off; 1466 1467 case IPPROTO_NONE: 1468 case IPPROTO_ESP: 1469 case IPPROTO_IPCOMP: 1470 /* give up */ 1471 return -1; 1472 1473 default: 1474 return -1; 1475 } 1476 } 1477 1478 /* 1479 * get offset for the last header in the chain. m will be kept untainted. 1480 */ 1481 int 1482 ip6_lasthdr(struct mbuf *m, int off, int proto, int *nxtp) 1483 { 1484 int newoff; 1485 int nxt; 1486 1487 if (!nxtp) { 1488 nxt = -1; 1489 nxtp = &nxt; 1490 } 1491 for (;;) { 1492 newoff = ip6_nexthdr(m, off, proto, nxtp); 1493 if (newoff < 0) 1494 return off; 1495 else if (newoff < off) 1496 return -1; /* invalid */ 1497 else if (newoff == off) 1498 return newoff; 1499 1500 off = newoff; 1501 proto = *nxtp; 1502 } 1503 } 1504 1505 struct m_tag * 1506 ip6_addaux(struct mbuf *m) 1507 { 1508 struct m_tag *mtag; 1509 1510 mtag = m_tag_find(m, PACKET_TAG_INET6, NULL); 1511 if (!mtag) { 1512 mtag = m_tag_get(PACKET_TAG_INET6, sizeof(struct ip6aux), 1513 M_NOWAIT); 1514 if (mtag) { 1515 m_tag_prepend(m, mtag); 1516 memset(mtag + 1, 0, sizeof(struct ip6aux)); 1517 } 1518 } 1519 return mtag; 1520 } 1521 1522 struct m_tag * 1523 ip6_findaux(struct mbuf *m) 1524 { 1525 struct m_tag *mtag; 1526 1527 mtag = m_tag_find(m, PACKET_TAG_INET6, NULL); 1528 return mtag; 1529 } 1530 1531 void 1532 ip6_delaux(struct mbuf *m) 1533 { 1534 struct m_tag *mtag; 1535 1536 mtag = m_tag_find(m, PACKET_TAG_INET6, NULL); 1537 if (mtag) 1538 m_tag_delete(m, mtag); 1539 } 1540 1541 #ifdef GATEWAY 1542 /* 1543 * sysctl helper routine for net.inet.ip6.maxflows. Since 1544 * we could reduce this value, call ip6flow_reap(); 1545 */ 1546 static int 1547 sysctl_net_inet6_ip6_maxflows(SYSCTLFN_ARGS) 1548 { 1549 int error; 1550 1551 error = sysctl_lookup(SYSCTLFN_CALL(rnode)); 1552 if (error || newp == NULL) 1553 return (error); 1554 1555 mutex_enter(softnet_lock); 1556 KERNEL_LOCK(1, NULL); 1557 1558 ip6flow_reap(0); 1559 1560 KERNEL_UNLOCK_ONE(NULL); 1561 mutex_exit(softnet_lock); 1562 1563 return (0); 1564 } 1565 1566 static int 1567 sysctl_net_inet6_ip6_hashsize(SYSCTLFN_ARGS) 1568 { 1569 int error, tmp; 1570 struct sysctlnode node; 1571 1572 node = *rnode; 1573 tmp = ip6_hashsize; 1574 node.sysctl_data = &tmp; 1575 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 1576 if (error || newp == NULL) 1577 return (error); 1578 1579 if ((tmp & (tmp - 1)) == 0 && tmp != 0) { 1580 /* 1581 * Can only fail due to malloc() 1582 */ 1583 mutex_enter(softnet_lock); 1584 KERNEL_LOCK(1, NULL); 1585 1586 error = ip6flow_invalidate_all(tmp); 1587 1588 KERNEL_UNLOCK_ONE(NULL); 1589 mutex_exit(softnet_lock); 1590 } else { 1591 /* 1592 * EINVAL if not a power of 2 1593 */ 1594 error = EINVAL; 1595 } 1596 1597 return error; 1598 } 1599 #endif /* GATEWAY */ 1600 1601 /* 1602 * System control for IP6 1603 */ 1604 1605 const u_char inet6ctlerrmap[PRC_NCMDS] = { 1606 0, 0, 0, 0, 1607 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH, 1608 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, 1609 EMSGSIZE, EHOSTUNREACH, 0, 0, 1610 0, 0, 0, 0, 1611 ENOPROTOOPT 1612 }; 1613 1614 extern int sysctl_net_inet6_addrctlpolicy(SYSCTLFN_ARGS); 1615 1616 static int 1617 sysctl_net_inet6_ip6_stats(SYSCTLFN_ARGS) 1618 { 1619 1620 return (NETSTAT_SYSCTL(ip6stat_percpu, IP6_NSTATS)); 1621 } 1622 1623 static void 1624 sysctl_net_inet6_ip6_setup(struct sysctllog **clog) 1625 { 1626 #ifdef RFC2292 1627 #define IS2292(x, y) ((in6p->in6p_flags & IN6P_RFC2292) ? (x) : (y)) 1628 #else 1629 #define IS2292(x, y) (y) 1630 #endif 1631 1632 sysctl_createv(clog, 0, NULL, NULL, 1633 CTLFLAG_PERMANENT, 1634 CTLTYPE_NODE, "inet6", 1635 SYSCTL_DESCR("PF_INET6 related settings"), 1636 NULL, 0, NULL, 0, 1637 CTL_NET, PF_INET6, CTL_EOL); 1638 sysctl_createv(clog, 0, NULL, NULL, 1639 CTLFLAG_PERMANENT, 1640 CTLTYPE_NODE, "ip6", 1641 SYSCTL_DESCR("IPv6 related settings"), 1642 NULL, 0, NULL, 0, 1643 CTL_NET, PF_INET6, IPPROTO_IPV6, CTL_EOL); 1644 1645 sysctl_createv(clog, 0, NULL, NULL, 1646 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1647 CTLTYPE_INT, "forwarding", 1648 SYSCTL_DESCR("Enable forwarding of INET6 datagrams"), 1649 NULL, 0, &ip6_forwarding, 0, 1650 CTL_NET, PF_INET6, IPPROTO_IPV6, 1651 IPV6CTL_FORWARDING, CTL_EOL); 1652 sysctl_createv(clog, 0, NULL, NULL, 1653 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1654 CTLTYPE_INT, "redirect", 1655 SYSCTL_DESCR("Enable sending of ICMPv6 redirect messages"), 1656 NULL, 0, &ip6_sendredirects, 0, 1657 CTL_NET, PF_INET6, IPPROTO_IPV6, 1658 IPV6CTL_SENDREDIRECTS, CTL_EOL); 1659 sysctl_createv(clog, 0, NULL, NULL, 1660 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1661 CTLTYPE_INT, "hlim", 1662 SYSCTL_DESCR("Hop limit for an INET6 datagram"), 1663 NULL, 0, &ip6_defhlim, 0, 1664 CTL_NET, PF_INET6, IPPROTO_IPV6, 1665 IPV6CTL_DEFHLIM, CTL_EOL); 1666 #ifdef notyet 1667 sysctl_createv(clog, 0, NULL, NULL, 1668 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1669 CTLTYPE_INT, "mtu", NULL, 1670 NULL, 0, &, 0, 1671 CTL_NET, PF_INET6, IPPROTO_IPV6, 1672 IPV6CTL_DEFMTU, CTL_EOL); 1673 #endif 1674 #ifdef __no_idea__ 1675 sysctl_createv(clog, 0, NULL, NULL, 1676 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1677 CTLTYPE_INT, "forwsrcrt", NULL, 1678 NULL, 0, &?, 0, 1679 CTL_NET, PF_INET6, IPPROTO_IPV6, 1680 IPV6CTL_FORWSRCRT, CTL_EOL); 1681 sysctl_createv(clog, 0, NULL, NULL, 1682 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1683 CTLTYPE_STRUCT, "mrtstats", NULL, 1684 NULL, 0, &?, sizeof(?), 1685 CTL_NET, PF_INET6, IPPROTO_IPV6, 1686 IPV6CTL_MRTSTATS, CTL_EOL); 1687 sysctl_createv(clog, 0, NULL, NULL, 1688 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1689 CTLTYPE_?, "mrtproto", NULL, 1690 NULL, 0, &?, sizeof(?), 1691 CTL_NET, PF_INET6, IPPROTO_IPV6, 1692 IPV6CTL_MRTPROTO, CTL_EOL); 1693 #endif 1694 sysctl_createv(clog, 0, NULL, NULL, 1695 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1696 CTLTYPE_INT, "maxfragpackets", 1697 SYSCTL_DESCR("Maximum number of fragments to buffer " 1698 "for reassembly"), 1699 NULL, 0, &ip6_maxfragpackets, 0, 1700 CTL_NET, PF_INET6, IPPROTO_IPV6, 1701 IPV6CTL_MAXFRAGPACKETS, CTL_EOL); 1702 #ifdef __no_idea__ 1703 sysctl_createv(clog, 0, NULL, NULL, 1704 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1705 CTLTYPE_INT, "sourcecheck", NULL, 1706 NULL, 0, &?, 0, 1707 CTL_NET, PF_INET6, IPPROTO_IPV6, 1708 IPV6CTL_SOURCECHECK, CTL_EOL); 1709 sysctl_createv(clog, 0, NULL, NULL, 1710 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1711 CTLTYPE_INT, "sourcecheck_logint", NULL, 1712 NULL, 0, &?, 0, 1713 CTL_NET, PF_INET6, IPPROTO_IPV6, 1714 IPV6CTL_SOURCECHECK_LOGINT, CTL_EOL); 1715 #endif 1716 sysctl_createv(clog, 0, NULL, NULL, 1717 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1718 CTLTYPE_INT, "accept_rtadv", 1719 SYSCTL_DESCR("Accept router advertisements"), 1720 NULL, 0, &ip6_accept_rtadv, 0, 1721 CTL_NET, PF_INET6, IPPROTO_IPV6, 1722 IPV6CTL_ACCEPT_RTADV, CTL_EOL); 1723 sysctl_createv(clog, 0, NULL, NULL, 1724 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1725 CTLTYPE_INT, "rtadv_maxroutes", 1726 SYSCTL_DESCR("Maximum number of routes accepted via router advertisements"), 1727 NULL, 0, &ip6_rtadv_maxroutes, 0, 1728 CTL_NET, PF_INET6, IPPROTO_IPV6, 1729 IPV6CTL_RTADV_MAXROUTES, CTL_EOL); 1730 sysctl_createv(clog, 0, NULL, NULL, 1731 CTLFLAG_PERMANENT, 1732 CTLTYPE_INT, "rtadv_numroutes", 1733 SYSCTL_DESCR("Current number of routes accepted via router advertisements"), 1734 NULL, 0, &nd6_numroutes, 0, 1735 CTL_NET, PF_INET6, IPPROTO_IPV6, 1736 IPV6CTL_RTADV_NUMROUTES, CTL_EOL); 1737 sysctl_createv(clog, 0, NULL, NULL, 1738 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1739 CTLTYPE_INT, "keepfaith", 1740 SYSCTL_DESCR("Activate faith interface"), 1741 NULL, 0, &ip6_keepfaith, 0, 1742 CTL_NET, PF_INET6, IPPROTO_IPV6, 1743 IPV6CTL_KEEPFAITH, CTL_EOL); 1744 sysctl_createv(clog, 0, NULL, NULL, 1745 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1746 CTLTYPE_INT, "log_interval", 1747 SYSCTL_DESCR("Minumum interval between logging " 1748 "unroutable packets"), 1749 NULL, 0, &ip6_log_interval, 0, 1750 CTL_NET, PF_INET6, IPPROTO_IPV6, 1751 IPV6CTL_LOG_INTERVAL, CTL_EOL); 1752 sysctl_createv(clog, 0, NULL, NULL, 1753 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1754 CTLTYPE_INT, "hdrnestlimit", 1755 SYSCTL_DESCR("Maximum number of nested IPv6 headers"), 1756 NULL, 0, &ip6_hdrnestlimit, 0, 1757 CTL_NET, PF_INET6, IPPROTO_IPV6, 1758 IPV6CTL_HDRNESTLIMIT, CTL_EOL); 1759 sysctl_createv(clog, 0, NULL, NULL, 1760 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1761 CTLTYPE_INT, "dad_count", 1762 SYSCTL_DESCR("Number of Duplicate Address Detection " 1763 "probes to send"), 1764 NULL, 0, &ip6_dad_count, 0, 1765 CTL_NET, PF_INET6, IPPROTO_IPV6, 1766 IPV6CTL_DAD_COUNT, CTL_EOL); 1767 sysctl_createv(clog, 0, NULL, NULL, 1768 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1769 CTLTYPE_INT, "auto_flowlabel", 1770 SYSCTL_DESCR("Assign random IPv6 flow labels"), 1771 NULL, 0, &ip6_auto_flowlabel, 0, 1772 CTL_NET, PF_INET6, IPPROTO_IPV6, 1773 IPV6CTL_AUTO_FLOWLABEL, CTL_EOL); 1774 sysctl_createv(clog, 0, NULL, NULL, 1775 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1776 CTLTYPE_INT, "defmcasthlim", 1777 SYSCTL_DESCR("Default multicast hop limit"), 1778 NULL, 0, &ip6_defmcasthlim, 0, 1779 CTL_NET, PF_INET6, IPPROTO_IPV6, 1780 IPV6CTL_DEFMCASTHLIM, CTL_EOL); 1781 #if NGIF > 0 1782 sysctl_createv(clog, 0, NULL, NULL, 1783 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1784 CTLTYPE_INT, "gifhlim", 1785 SYSCTL_DESCR("Default hop limit for a gif tunnel datagram"), 1786 NULL, 0, &ip6_gif_hlim, 0, 1787 CTL_NET, PF_INET6, IPPROTO_IPV6, 1788 IPV6CTL_GIF_HLIM, CTL_EOL); 1789 #endif /* NGIF */ 1790 sysctl_createv(clog, 0, NULL, NULL, 1791 CTLFLAG_PERMANENT, 1792 CTLTYPE_STRING, "kame_version", 1793 SYSCTL_DESCR("KAME Version"), 1794 NULL, 0, __UNCONST(__KAME_VERSION), 0, 1795 CTL_NET, PF_INET6, IPPROTO_IPV6, 1796 IPV6CTL_KAME_VERSION, CTL_EOL); 1797 sysctl_createv(clog, 0, NULL, NULL, 1798 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1799 CTLTYPE_INT, "use_deprecated", 1800 SYSCTL_DESCR("Allow use of deprecated addresses as " 1801 "source addresses"), 1802 NULL, 0, &ip6_use_deprecated, 0, 1803 CTL_NET, PF_INET6, IPPROTO_IPV6, 1804 IPV6CTL_USE_DEPRECATED, CTL_EOL); 1805 sysctl_createv(clog, 0, NULL, NULL, 1806 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1807 CTLTYPE_INT, "rr_prune", NULL, 1808 NULL, 0, &ip6_rr_prune, 0, 1809 CTL_NET, PF_INET6, IPPROTO_IPV6, 1810 IPV6CTL_RR_PRUNE, CTL_EOL); 1811 sysctl_createv(clog, 0, NULL, NULL, 1812 CTLFLAG_PERMANENT 1813 #ifndef INET6_BINDV6ONLY 1814 |CTLFLAG_READWRITE, 1815 #endif 1816 CTLTYPE_INT, "v6only", 1817 SYSCTL_DESCR("Disallow PF_INET6 sockets from connecting " 1818 "to PF_INET sockets"), 1819 NULL, 0, &ip6_v6only, 0, 1820 CTL_NET, PF_INET6, IPPROTO_IPV6, 1821 IPV6CTL_V6ONLY, CTL_EOL); 1822 sysctl_createv(clog, 0, NULL, NULL, 1823 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1824 CTLTYPE_INT, "anonportmin", 1825 SYSCTL_DESCR("Lowest ephemeral port number to assign"), 1826 sysctl_net_inet_ip_ports, 0, &ip6_anonportmin, 0, 1827 CTL_NET, PF_INET6, IPPROTO_IPV6, 1828 IPV6CTL_ANONPORTMIN, CTL_EOL); 1829 sysctl_createv(clog, 0, NULL, NULL, 1830 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1831 CTLTYPE_INT, "anonportmax", 1832 SYSCTL_DESCR("Highest ephemeral port number to assign"), 1833 sysctl_net_inet_ip_ports, 0, &ip6_anonportmax, 0, 1834 CTL_NET, PF_INET6, IPPROTO_IPV6, 1835 IPV6CTL_ANONPORTMAX, CTL_EOL); 1836 #ifndef IPNOPRIVPORTS 1837 sysctl_createv(clog, 0, NULL, NULL, 1838 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1839 CTLTYPE_INT, "lowportmin", 1840 SYSCTL_DESCR("Lowest privileged ephemeral port number " 1841 "to assign"), 1842 sysctl_net_inet_ip_ports, 0, &ip6_lowportmin, 0, 1843 CTL_NET, PF_INET6, IPPROTO_IPV6, 1844 IPV6CTL_LOWPORTMIN, CTL_EOL); 1845 sysctl_createv(clog, 0, NULL, NULL, 1846 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1847 CTLTYPE_INT, "lowportmax", 1848 SYSCTL_DESCR("Highest privileged ephemeral port number " 1849 "to assign"), 1850 sysctl_net_inet_ip_ports, 0, &ip6_lowportmax, 0, 1851 CTL_NET, PF_INET6, IPPROTO_IPV6, 1852 IPV6CTL_LOWPORTMAX, CTL_EOL); 1853 #endif /* IPNOPRIVPORTS */ 1854 sysctl_createv(clog, 0, NULL, NULL, 1855 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1856 CTLTYPE_INT, "auto_linklocal", 1857 SYSCTL_DESCR("Default value of per-interface flag for " 1858 "adding an IPv6 link-local address to " 1859 "interfaces when attached"), 1860 NULL, 0, &ip6_auto_linklocal, 0, 1861 CTL_NET, PF_INET6, IPPROTO_IPV6, 1862 IPV6CTL_AUTO_LINKLOCAL, CTL_EOL); 1863 sysctl_createv(clog, 0, NULL, NULL, 1864 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 1865 CTLTYPE_STRUCT, "addctlpolicy", 1866 SYSCTL_DESCR("Return the current address control" 1867 " policy"), 1868 sysctl_net_inet6_addrctlpolicy, 0, NULL, 0, 1869 CTL_NET, PF_INET6, IPPROTO_IPV6, 1870 IPV6CTL_ADDRCTLPOLICY, CTL_EOL); 1871 sysctl_createv(clog, 0, NULL, NULL, 1872 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1873 CTLTYPE_INT, "use_tempaddr", 1874 SYSCTL_DESCR("Use temporary address"), 1875 NULL, 0, &ip6_use_tempaddr, 0, 1876 CTL_NET, PF_INET6, IPPROTO_IPV6, 1877 CTL_CREATE, CTL_EOL); 1878 sysctl_createv(clog, 0, NULL, NULL, 1879 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1880 CTLTYPE_INT, "prefer_tempaddr", 1881 SYSCTL_DESCR("Prefer temporary address as source " 1882 "address"), 1883 NULL, 0, &ip6_prefer_tempaddr, 0, 1884 CTL_NET, PF_INET6, IPPROTO_IPV6, 1885 CTL_CREATE, CTL_EOL); 1886 sysctl_createv(clog, 0, NULL, NULL, 1887 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1888 CTLTYPE_INT, "temppltime", 1889 SYSCTL_DESCR("preferred lifetime of a temporary address"), 1890 NULL, 0, &ip6_temp_preferred_lifetime, 0, 1891 CTL_NET, PF_INET6, IPPROTO_IPV6, 1892 CTL_CREATE, CTL_EOL); 1893 sysctl_createv(clog, 0, NULL, NULL, 1894 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1895 CTLTYPE_INT, "tempvltime", 1896 SYSCTL_DESCR("valid lifetime of a temporary address"), 1897 NULL, 0, &ip6_temp_valid_lifetime, 0, 1898 CTL_NET, PF_INET6, IPPROTO_IPV6, 1899 CTL_CREATE, CTL_EOL); 1900 sysctl_createv(clog, 0, NULL, NULL, 1901 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1902 CTLTYPE_INT, "maxfrags", 1903 SYSCTL_DESCR("Maximum fragments in reassembly queue"), 1904 NULL, 0, &ip6_maxfrags, 0, 1905 CTL_NET, PF_INET6, IPPROTO_IPV6, 1906 IPV6CTL_MAXFRAGS, CTL_EOL); 1907 sysctl_createv(clog, 0, NULL, NULL, 1908 CTLFLAG_PERMANENT, 1909 CTLTYPE_STRUCT, "stats", 1910 SYSCTL_DESCR("IPv6 statistics"), 1911 sysctl_net_inet6_ip6_stats, 0, NULL, 0, 1912 CTL_NET, PF_INET6, IPPROTO_IPV6, 1913 IPV6CTL_STATS, CTL_EOL); 1914 sysctl_createv(clog, 0, NULL, NULL, 1915 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1916 CTLTYPE_INT, "use_defaultzone", 1917 SYSCTL_DESCR("Whether to use the default scope zones"), 1918 NULL, 0, &ip6_use_defzone, 0, 1919 CTL_NET, PF_INET6, IPPROTO_IPV6, 1920 IPV6CTL_USE_DEFAULTZONE, CTL_EOL); 1921 sysctl_createv(clog, 0, NULL, NULL, 1922 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1923 CTLTYPE_INT, "mcast_pmtu", 1924 SYSCTL_DESCR("Enable pMTU discovery for multicast packet"), 1925 NULL, 0, &ip6_mcast_pmtu, 0, 1926 CTL_NET, PF_INET6, IPPROTO_IPV6, 1927 CTL_CREATE, CTL_EOL); 1928 #ifdef GATEWAY 1929 sysctl_createv(clog, 0, NULL, NULL, 1930 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1931 CTLTYPE_INT, "maxflows", 1932 SYSCTL_DESCR("Number of flows for fast forwarding (IPv6)"), 1933 sysctl_net_inet6_ip6_maxflows, 0, &ip6_maxflows, 0, 1934 CTL_NET, PF_INET6, IPPROTO_IPV6, 1935 CTL_CREATE, CTL_EOL); 1936 sysctl_createv(clog, 0, NULL, NULL, 1937 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1938 CTLTYPE_INT, "hashsize", 1939 SYSCTL_DESCR("Size of hash table for fast forwarding (IPv6)"), 1940 sysctl_net_inet6_ip6_hashsize, 0, &ip6_hashsize, 0, 1941 CTL_NET, PF_INET6, IPPROTO_IPV6, 1942 CTL_CREATE, CTL_EOL); 1943 #endif 1944 /* anonportalgo RFC6056 subtree */ 1945 const struct sysctlnode *portalgo_node; 1946 sysctl_createv(clog, 0, NULL, &portalgo_node, 1947 CTLFLAG_PERMANENT, 1948 CTLTYPE_NODE, "anonportalgo", 1949 SYSCTL_DESCR("Anonymous port algorithm selection (RFC 6056)"), 1950 NULL, 0, NULL, 0, 1951 CTL_NET, PF_INET6, IPPROTO_IPV6, CTL_CREATE, CTL_EOL); 1952 sysctl_createv(clog, 0, &portalgo_node, NULL, 1953 CTLFLAG_PERMANENT, 1954 CTLTYPE_STRING, "available", 1955 SYSCTL_DESCR("available algorithms"), 1956 sysctl_portalgo_available, 0, NULL, PORTALGO_MAXLEN, 1957 CTL_CREATE, CTL_EOL); 1958 sysctl_createv(clog, 0, &portalgo_node, NULL, 1959 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1960 CTLTYPE_STRING, "selected", 1961 SYSCTL_DESCR("selected algorithm"), 1962 sysctl_portalgo_selected6, 0, NULL, PORTALGO_MAXLEN, 1963 CTL_CREATE, CTL_EOL); 1964 sysctl_createv(clog, 0, &portalgo_node, NULL, 1965 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1966 CTLTYPE_STRUCT, "reserve", 1967 SYSCTL_DESCR("bitmap of reserved ports"), 1968 sysctl_portalgo_reserve6, 0, NULL, 0, 1969 CTL_CREATE, CTL_EOL); 1970 sysctl_createv(clog, 0, NULL, NULL, 1971 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1972 CTLTYPE_INT, "neighborgcthresh", 1973 SYSCTL_DESCR("Maximum number of entries in neighbor" 1974 " cache"), 1975 NULL, 1, &ip6_neighborgcthresh, 0, 1976 CTL_NET, PF_INET6, IPPROTO_IPV6, 1977 CTL_CREATE, CTL_EOL); 1978 sysctl_createv(clog, 0, NULL, NULL, 1979 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1980 CTLTYPE_INT, "maxifprefixes", 1981 SYSCTL_DESCR("Maximum number of prefixes created by" 1982 " route advertisement per interface"), 1983 NULL, 1, &ip6_maxifprefixes, 0, 1984 CTL_NET, PF_INET6, IPPROTO_IPV6, 1985 CTL_CREATE, CTL_EOL); 1986 sysctl_createv(clog, 0, NULL, NULL, 1987 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1988 CTLTYPE_INT, "maxifdefrouters", 1989 SYSCTL_DESCR("Maximum number of default routers created" 1990 " by route advertisement per interface"), 1991 NULL, 1, &ip6_maxifdefrouters, 0, 1992 CTL_NET, PF_INET6, IPPROTO_IPV6, 1993 CTL_CREATE, CTL_EOL); 1994 sysctl_createv(clog, 0, NULL, NULL, 1995 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 1996 CTLTYPE_INT, "maxdynroutes", 1997 SYSCTL_DESCR("Maximum number of routes created via" 1998 " redirect"), 1999 NULL, 1, &ip6_maxdynroutes, 0, 2000 CTL_NET, PF_INET6, IPPROTO_IPV6, 2001 CTL_CREATE, CTL_EOL); 2002 } 2003 2004 void 2005 ip6_statinc(u_int stat) 2006 { 2007 2008 KASSERT(stat < IP6_NSTATS); 2009 IP6_STATINC(stat); 2010 } 2011
Indexes created Wed Sep 24 15:09:51 GMT 2025