ip6_forward.c (242463) ip6_forward.c (249294)
1/*-
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright

--- 16 unchanged lines hidden (view full) ---

25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 * $KAME: ip6_forward.c,v 1.69 2001/05/17 03:48:30 itojun Exp $
30 */
31
32#include <sys/cdefs.h>
1/*-
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright

--- 16 unchanged lines hidden (view full) ---

25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 * $KAME: ip6_forward.c,v 1.69 2001/05/17 03:48:30 itojun Exp $
30 */
31
32#include <sys/cdefs.h>
33__FBSDID("$FreeBSD: head/sys/netinet6/ip6_forward.c 242463 2012-11-02 01:20:55Z ae $");
33__FBSDID("$FreeBSD: head/sys/netinet6/ip6_forward.c 249294 2013-04-09 07:11:22Z ae $");
34
35#include "opt_inet.h"
36#include "opt_inet6.h"
37#include "opt_ipfw.h"
38#include "opt_ipsec.h"
39#include "opt_ipstealth.h"
40
41#include <sys/param.h>

--- 88 unchanged lines hidden (view full) ---

130 * Do not forward packets to multicast destination (should be handled
131 * by ip6_mforward().
132 * Do not forward packets with unspecified source. It was discussed
133 * in July 2000, on the ipngwg mailing list.
134 */
135 if ((m->m_flags & (M_BCAST|M_MCAST)) != 0 ||
136 IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
137 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) {
34
35#include "opt_inet.h"
36#include "opt_inet6.h"
37#include "opt_ipfw.h"
38#include "opt_ipsec.h"
39#include "opt_ipstealth.h"
40
41#include <sys/param.h>

--- 88 unchanged lines hidden (view full) ---

130 * Do not forward packets to multicast destination (should be handled
131 * by ip6_mforward().
132 * Do not forward packets with unspecified source. It was discussed
133 * in July 2000, on the ipngwg mailing list.
134 */
135 if ((m->m_flags & (M_BCAST|M_MCAST)) != 0 ||
136 IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
137 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) {
138 V_ip6stat.ip6s_cantforward++;
138 IP6STAT_INC(ip6s_cantforward);
139 /* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard) */
140 if (V_ip6_log_time + V_ip6_log_interval < time_second) {
141 V_ip6_log_time = time_second;
142 log(LOG_DEBUG,
143 "cannot forward "
144 "from %s to %s nxt %d received on %s\n",
145 ip6_sprintf(ip6bufs, &ip6->ip6_src),
146 ip6_sprintf(ip6bufd, &ip6->ip6_dst),

--- 31 unchanged lines hidden (view full) ---

178 mcopy = m_copy(m, 0, imin(m->m_pkthdr.len, ICMPV6_PLD_MAXLEN));
179
180#ifdef IPSEC
181 /* get a security policy for this packet */
182 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND,
183 IP_FORWARDING, &error);
184 if (sp == NULL) {
185 V_ipsec6stat.out_inval++;
139 /* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard) */
140 if (V_ip6_log_time + V_ip6_log_interval < time_second) {
141 V_ip6_log_time = time_second;
142 log(LOG_DEBUG,
143 "cannot forward "
144 "from %s to %s nxt %d received on %s\n",
145 ip6_sprintf(ip6bufs, &ip6->ip6_src),
146 ip6_sprintf(ip6bufd, &ip6->ip6_dst),

--- 31 unchanged lines hidden (view full) ---

178 mcopy = m_copy(m, 0, imin(m->m_pkthdr.len, ICMPV6_PLD_MAXLEN));
179
180#ifdef IPSEC
181 /* get a security policy for this packet */
182 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND,
183 IP_FORWARDING, &error);
184 if (sp == NULL) {
185 V_ipsec6stat.out_inval++;
186 V_ip6stat.ip6s_cantforward++;
186 IP6STAT_INC(ip6s_cantforward);
187 if (mcopy) {
188#if 0
189 /* XXX: what icmp ? */
190#else
191 m_freem(mcopy);
192#endif
193 }
194 m_freem(m);

--- 4 unchanged lines hidden (view full) ---

199
200 /* check policy */
201 switch (sp->policy) {
202 case IPSEC_POLICY_DISCARD:
203 /*
204 * This packet is just discarded.
205 */
206 V_ipsec6stat.out_polvio++;
187 if (mcopy) {
188#if 0
189 /* XXX: what icmp ? */
190#else
191 m_freem(mcopy);
192#endif
193 }
194 m_freem(m);

--- 4 unchanged lines hidden (view full) ---

199
200 /* check policy */
201 switch (sp->policy) {
202 case IPSEC_POLICY_DISCARD:
203 /*
204 * This packet is just discarded.
205 */
206 V_ipsec6stat.out_polvio++;
207 V_ip6stat.ip6s_cantforward++;
207 IP6STAT_INC(ip6s_cantforward);
208 KEY_FREESP(&sp);
209 if (mcopy) {
210#if 0
211 /* XXX: what icmp ? */
212#else
213 m_freem(mcopy);
214#endif
215 }

--- 5 unchanged lines hidden (view full) ---

221 /* no need to do IPsec. */
222 KEY_FREESP(&sp);
223 goto skip_ipsec;
224
225 case IPSEC_POLICY_IPSEC:
226 if (sp->req == NULL) {
227 /* XXX should be panic ? */
228 printf("ip6_forward: No IPsec request specified.\n");
208 KEY_FREESP(&sp);
209 if (mcopy) {
210#if 0
211 /* XXX: what icmp ? */
212#else
213 m_freem(mcopy);
214#endif
215 }

--- 5 unchanged lines hidden (view full) ---

221 /* no need to do IPsec. */
222 KEY_FREESP(&sp);
223 goto skip_ipsec;
224
225 case IPSEC_POLICY_IPSEC:
226 if (sp->req == NULL) {
227 /* XXX should be panic ? */
228 printf("ip6_forward: No IPsec request specified.\n");
229 V_ip6stat.ip6s_cantforward++;
229 IP6STAT_INC(ip6s_cantforward);
230 KEY_FREESP(&sp);
231 if (mcopy) {
232#if 0
233 /* XXX: what icmp ? */
234#else
235 m_freem(mcopy);
236#endif
237 }

--- 67 unchanged lines hidden (view full) ---

305 break;
306 default:
307 printf("ip6_output (ipsec): error code %d\n", error);
308 /* FALLTHROUGH */
309 case ENOENT:
310 /* don't show these error codes to the user */
311 break;
312 }
230 KEY_FREESP(&sp);
231 if (mcopy) {
232#if 0
233 /* XXX: what icmp ? */
234#else
235 m_freem(mcopy);
236#endif
237 }

--- 67 unchanged lines hidden (view full) ---

305 break;
306 default:
307 printf("ip6_output (ipsec): error code %d\n", error);
308 /* FALLTHROUGH */
309 case ENOENT:
310 /* don't show these error codes to the user */
311 break;
312 }
313 V_ip6stat.ip6s_cantforward++;
313 IP6STAT_INC(ip6s_cantforward);
314 if (mcopy) {
315#if 0
316 /* XXX: what icmp ? */
317#else
318 m_freem(mcopy);
319#endif
320 }
321 m_freem(m);

--- 35 unchanged lines hidden (view full) ---

357 dst->sin6_len = sizeof(struct sockaddr_in6);
358 dst->sin6_family = AF_INET6;
359 dst->sin6_addr = ip6->ip6_dst;
360again2:
361 rin6.ro_rt = in6_rtalloc1((struct sockaddr *)dst, 0, 0, M_GETFIB(m));
362 if (rin6.ro_rt != NULL)
363 RT_UNLOCK(rin6.ro_rt);
364 else {
314 if (mcopy) {
315#if 0
316 /* XXX: what icmp ? */
317#else
318 m_freem(mcopy);
319#endif
320 }
321 m_freem(m);

--- 35 unchanged lines hidden (view full) ---

357 dst->sin6_len = sizeof(struct sockaddr_in6);
358 dst->sin6_family = AF_INET6;
359 dst->sin6_addr = ip6->ip6_dst;
360again2:
361 rin6.ro_rt = in6_rtalloc1((struct sockaddr *)dst, 0, 0, M_GETFIB(m));
362 if (rin6.ro_rt != NULL)
363 RT_UNLOCK(rin6.ro_rt);
364 else {
365 V_ip6stat.ip6s_noroute++;
365 IP6STAT_INC(ip6s_noroute);
366 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_noroute);
367 if (mcopy) {
368 icmp6_error(mcopy, ICMP6_DST_UNREACH,
369 ICMP6_DST_UNREACH_NOROUTE, 0);
370 }
371 goto bad;
372 }
373 rt = rin6.ro_rt;

--- 8 unchanged lines hidden (view full) ---

382 * destination unreachable error with Code 2 (beyond scope of source
383 * address). We use a local copy of ip6_src, since in6_setscope()
384 * will possibly modify its first argument.
385 * [draft-ietf-ipngwg-icmp-v3-04.txt, Section 3.1]
386 */
387 src_in6 = ip6->ip6_src;
388 if (in6_setscope(&src_in6, rt->rt_ifp, &outzone)) {
389 /* XXX: this should not happen */
366 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_noroute);
367 if (mcopy) {
368 icmp6_error(mcopy, ICMP6_DST_UNREACH,
369 ICMP6_DST_UNREACH_NOROUTE, 0);
370 }
371 goto bad;
372 }
373 rt = rin6.ro_rt;

--- 8 unchanged lines hidden (view full) ---

382 * destination unreachable error with Code 2 (beyond scope of source
383 * address). We use a local copy of ip6_src, since in6_setscope()
384 * will possibly modify its first argument.
385 * [draft-ietf-ipngwg-icmp-v3-04.txt, Section 3.1]
386 */
387 src_in6 = ip6->ip6_src;
388 if (in6_setscope(&src_in6, rt->rt_ifp, &outzone)) {
389 /* XXX: this should not happen */
390 V_ip6stat.ip6s_cantforward++;
391 V_ip6stat.ip6s_badscope++;
390 IP6STAT_INC(ip6s_cantforward);
391 IP6STAT_INC(ip6s_badscope);
392 goto bad;
393 }
394 if (in6_setscope(&src_in6, m->m_pkthdr.rcvif, &inzone)) {
392 goto bad;
393 }
394 if (in6_setscope(&src_in6, m->m_pkthdr.rcvif, &inzone)) {
395 V_ip6stat.ip6s_cantforward++;
396 V_ip6stat.ip6s_badscope++;
395 IP6STAT_INC(ip6s_cantforward);
396 IP6STAT_INC(ip6s_badscope);
397 goto bad;
398 }
399 if (inzone != outzone
400#ifdef IPSEC
401 && !ipsecrt
402#endif
403 ) {
397 goto bad;
398 }
399 if (inzone != outzone
400#ifdef IPSEC
401 && !ipsecrt
402#endif
403 ) {
404 V_ip6stat.ip6s_cantforward++;
405 V_ip6stat.ip6s_badscope++;
404 IP6STAT_INC(ip6s_cantforward);
405 IP6STAT_INC(ip6s_badscope);
406 in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard);
407
408 if (V_ip6_log_time + V_ip6_log_interval < time_second) {
409 V_ip6_log_time = time_second;
410 log(LOG_DEBUG,
411 "cannot forward "
412 "src %s, dst %s, nxt %d, rcvif %s, outif %s\n",
413 ip6_sprintf(ip6bufs, &ip6->ip6_src),

--- 13 unchanged lines hidden (view full) ---

427 * usually be prevented by appropriately-configured routing table, but
428 * we need an explicit check because we may mistakenly forward the
429 * packet to a different zone by (e.g.) a default route.
430 */
431 dst_in6 = ip6->ip6_dst;
432 if (in6_setscope(&dst_in6, m->m_pkthdr.rcvif, &inzone) != 0 ||
433 in6_setscope(&dst_in6, rt->rt_ifp, &outzone) != 0 ||
434 inzone != outzone) {
406 in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard);
407
408 if (V_ip6_log_time + V_ip6_log_interval < time_second) {
409 V_ip6_log_time = time_second;
410 log(LOG_DEBUG,
411 "cannot forward "
412 "src %s, dst %s, nxt %d, rcvif %s, outif %s\n",
413 ip6_sprintf(ip6bufs, &ip6->ip6_src),

--- 13 unchanged lines hidden (view full) ---

427 * usually be prevented by appropriately-configured routing table, but
428 * we need an explicit check because we may mistakenly forward the
429 * packet to a different zone by (e.g.) a default route.
430 */
431 dst_in6 = ip6->ip6_dst;
432 if (in6_setscope(&dst_in6, m->m_pkthdr.rcvif, &inzone) != 0 ||
433 in6_setscope(&dst_in6, rt->rt_ifp, &outzone) != 0 ||
434 inzone != outzone) {
435 V_ip6stat.ip6s_cantforward++;
436 V_ip6stat.ip6s_badscope++;
435 IP6STAT_INC(ip6s_cantforward);
436 IP6STAT_INC(ip6s_badscope);
437 goto bad;
438 }
439
440 if (m->m_pkthdr.len > IN6_LINKMTU(rt->rt_ifp)) {
441 in6_ifstat_inc(rt->rt_ifp, ifs6_in_toobig);
442 if (mcopy) {
443 u_long mtu;
444#ifdef IPSEC

--- 173 unchanged lines hidden (view full) ---

618 m_tag_delete(m, fwd_tag);
619 goto again2;
620 }
621
622pass:
623 error = nd6_output(rt->rt_ifp, origifp, m, dst, rt);
624 if (error) {
625 in6_ifstat_inc(rt->rt_ifp, ifs6_out_discard);
437 goto bad;
438 }
439
440 if (m->m_pkthdr.len > IN6_LINKMTU(rt->rt_ifp)) {
441 in6_ifstat_inc(rt->rt_ifp, ifs6_in_toobig);
442 if (mcopy) {
443 u_long mtu;
444#ifdef IPSEC

--- 173 unchanged lines hidden (view full) ---

618 m_tag_delete(m, fwd_tag);
619 goto again2;
620 }
621
622pass:
623 error = nd6_output(rt->rt_ifp, origifp, m, dst, rt);
624 if (error) {
625 in6_ifstat_inc(rt->rt_ifp, ifs6_out_discard);
626 V_ip6stat.ip6s_cantforward++;
626 IP6STAT_INC(ip6s_cantforward);
627 } else {
627 } else {
628 V_ip6stat.ip6s_forward++;
628 IP6STAT_INC(ip6s_forward);
629 in6_ifstat_inc(rt->rt_ifp, ifs6_out_forward);
630 if (type)
629 in6_ifstat_inc(rt->rt_ifp, ifs6_out_forward);
630 if (type)
631 V_ip6stat.ip6s_redirectsent++;
631 IP6STAT_INC(ip6s_redirectsent);
632 else {
633 if (mcopy)
634 goto freecopy;
635 }
636 }
637
638senderr:
639 if (mcopy == NULL)

--- 42 unchanged lines hidden ---
632 else {
633 if (mcopy)
634 goto freecopy;
635 }
636 }
637
638senderr:
639 if (mcopy == NULL)

--- 42 unchanged lines hidden ---
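Review bot: The IPsec counters beside the converted lines, `V_ipsec6stat.out_inval++` (line 185) and `V_ipsec6stat.out_polvio++` (line 206), are still incremented by direct structure access, while every `V_ip6stat` counter in the same error paths now goes through `IP6STAT_INC()`. These two counters record failed policy lookups and discard-policy hits on forwarded traffic, so they are what an operator reads when auditing IPsec drops, and they should follow the same update discipline as the ip6 counters. The definition of `IP6STAT_INC()` is not visible on this page, so whether it changes how the increment is performed is an assumption to confirm. Either convert the two lines with a matching accessor for `ipsec6stat`, or mark them with a comment such as `/* XXX: ipsec6stat is still updated directly; convert together with the ip6stat accessors */` so the omission reads as deliberate. The body of ip6_forward() starts and ends outside the lines shown here.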