1/* 2 * Copyright (c) 2003-2012 Apple Inc. All rights reserved. 3 * 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. The rights granted to you under the License 10 * may not be used to create, or enable the creation or redistribution of, 11 * unlawful or unlicensed copies of an Apple operating system, or to 12 * circumvent, violate, or enable the circumvention or violation of, any 13 * terms of an Apple operating system software license agreement. 14 * 15 * Please obtain a copy of the License at 16 * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 * 18 * The Original Code and all software distributed under the License are 19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 * Please see the License for the specific language governing rights and 24 * limitations under the License. 25 * 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 */ 28/* $FreeBSD: src/sys/netinet6/ip6_input.c,v 1.11.2.10 2001/07/24 19:10:18 brooks Exp $ */ 29/* $KAME: ip6_input.c,v 1.194 2001/05/27 13:28:35 itojun Exp $ */ 30 31/* 32 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 33 * All rights reserved. 34 * 35 * Redistribution and use in source and binary forms, with or without 36 * modification, are permitted provided that the following conditions 37 * are met: 38 * 1. Redistributions of source code must retain the above copyright 39 * notice, this list of conditions and the following disclaimer. 40 * 2. Redistributions in binary form must reproduce the above copyright 41 * notice, this list of conditions and the following disclaimer in the 42 * documentation and/or other materials provided with the distribution. 43 * 3. Neither the name of the project nor the names of its contributors 44 * may be used to endorse or promote products derived from this software 45 * without specific prior written permission. 46 * 47 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 48 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 49 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 50 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 51 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 52 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 53 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 54 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 55 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 56 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 57 * SUCH DAMAGE. 58 */ 59 60/* 61 * Copyright (c) 1982, 1986, 1988, 1993 62 * The Regents of the University of California. All rights reserved. 63 * 64 * Redistribution and use in source and binary forms, with or without 65 * modification, are permitted provided that the following conditions 66 * are met: 67 * 1. Redistributions of source code must retain the above copyright 68 * notice, this list of conditions and the following disclaimer. 69 * 2. Redistributions in binary form must reproduce the above copyright 70 * notice, this list of conditions and the following disclaimer in the 71 * documentation and/or other materials provided with the distribution. 72 * 3. All advertising materials mentioning features or use of this software 73 * must display the following acknowledgement: 74 * This product includes software developed by the University of 75 * California, Berkeley and its contributors. 76 * 4. Neither the name of the University nor the names of its contributors 77 * may be used to endorse or promote products derived from this software 78 * without specific prior written permission. 79 * 80 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 81 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 82 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 83 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 84 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 85 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 86 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 87 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 88 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 89 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 90 * SUCH DAMAGE. 91 * 92 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 93 */ 94 95 96#include <sys/param.h> 97#include <sys/systm.h> 98#include <sys/malloc.h> 99#include <sys/mbuf.h> 100#include <sys/domain.h> 101#include <sys/protosw.h> 102#include <sys/socket.h> 103#include <sys/socketvar.h> 104#include <sys/errno.h> 105#include <sys/time.h> 106#include <sys/kernel.h> 107#include <sys/syslog.h> 108#include <sys/sysctl.h> 109#include <sys/proc.h> 110#include <sys/kauth.h> 111#include <sys/mcache.h> 112#include <mach/mach_time.h> 113 114#include <pexpert/pexpert.h> 115 116#include <net/if.h> 117#include <net/if_var.h> 118#include <net/if_types.h> 119#include <net/if_dl.h> 120#include <net/route.h> 121#include <net/kpi_protocol.h> 122#include <net/ntstat.h> 123#include <net/init.h> 124 125#include <netinet/in.h> 126#include <netinet/in_systm.h> 127#if INET 128#include <netinet/ip.h> 129#include <netinet/ip_icmp.h> 130#endif /*INET*/ 131#include <netinet/ip6.h> 132#include <netinet6/in6_var.h> 133#include <netinet6/ip6_var.h> 134#include <netinet/in_pcb.h> 135#include <netinet/icmp6.h> 136#include <netinet6/in6_ifattach.h> 137#include <netinet6/nd6.h> 138#include <netinet6/scope6_var.h> 139#include <mach/sdt.h> 140 141#if IPSEC 142#include <netinet6/ipsec.h> 143#if INET6 144#include <netinet6/ipsec6.h> 145#endif 146extern int ipsec_bypass; 147#endif 148 149#include <netinet6/ip6_fw.h> 150 151#if DUMMYNET 152#include <netinet/ip_fw.h> 153#include <netinet/ip_dummynet.h> 154#endif /* DUMMYNET */ 155 156#include <netinet/kpi_ipfilter_var.h> 157 158#include <netinet6/ip6protosw.h> 159 160/* we need it for NLOOP. */ 161#include "loop.h" 162 163#include <net/net_osdep.h> 164 165#if PF 166#include <net/pfvar.h> 167#endif /* PF */ 168 169extern struct domain inet6domain; 170extern struct ip6protosw inet6sw[]; 171 172struct ip6protosw * ip6_protox[IPPROTO_MAX]; 173static int ip6qmaxlen = IFQ_MAXLEN; 174 175static lck_grp_attr_t *in6_ifaddr_rwlock_grp_attr; 176static lck_grp_t *in6_ifaddr_rwlock_grp; 177static lck_attr_t *in6_ifaddr_rwlock_attr; 178decl_lck_rw_data(, in6_ifaddr_rwlock); 179 180/* Protected by in6_ifaddr_rwlock */ 181struct in6_ifaddr *in6_ifaddrs = NULL; 182 183int ip6_forward_srcrt; /* XXX */ 184int ip6_sourcecheck; /* XXX */ 185int ip6_sourcecheck_interval; /* XXX */ 186const int int6intrq_present = 1; 187 188int ip6_ours_check_algorithm; 189 190#define IN6_IFSTAT_REQUIRE_ALIGNED_64(f) \ 191 _CASSERT(!(offsetof(struct in6_ifstat, f) % sizeof (uint64_t))) 192 193#define ICMP6_IFSTAT_REQUIRE_ALIGNED_64(f) \ 194 _CASSERT(!(offsetof(struct icmp6_ifstat, f) % sizeof (uint64_t))) 195 196#if IPFW2 197/* firewall hooks */ 198ip6_fw_chk_t *ip6_fw_chk_ptr; 199ip6_fw_ctl_t *ip6_fw_ctl_ptr; 200int ip6_fw_enable = 1; 201#endif 202 203struct ip6stat ip6stat; 204 205#ifdef __APPLE__ 206struct ifqueue ip6intrq; 207decl_lck_mtx_data(, ip6_init_mutex); 208decl_lck_mtx_data(, proxy6_lock); 209decl_lck_mtx_data(, dad6_mutex_data); 210decl_lck_mtx_data(, nd6_mutex_data); 211decl_lck_mtx_data(, prefix6_mutex_data); 212decl_lck_mtx_data(, scope6_mutex_data); 213lck_mtx_t *dad6_mutex = &dad6_mutex_data; 214lck_mtx_t *nd6_mutex = &nd6_mutex_data; 215lck_mtx_t *prefix6_mutex = &prefix6_mutex_data; 216lck_mtx_t *scope6_mutex = &scope6_mutex_data; 217#ifdef ENABLE_ADDRSEL 218decl_lck_mtx_data(, addrsel_mutex_data); 219lck_mtx_t *addrsel_mutex = &addrsel_mutex_data; 220#endif 221decl_lck_rw_data(, in6_ifs_rwlock); 222decl_lck_rw_data(, icmp6_ifs_rwlock); 223lck_attr_t *ip6_mutex_attr; 224lck_grp_t *ip6_mutex_grp; 225lck_grp_attr_t *ip6_mutex_grp_attr; 226extern lck_mtx_t *inet6_domain_mutex; 227#endif 228extern int loopattach_done; 229extern void addrsel_policy_init(void); 230 231static void ip6_init_delayed(void); 232static struct ip6aux *ip6_setdstifaddr(struct mbuf *, struct in6_ifaddr *); 233 234static int ip6_hopopts_input(u_int32_t *, u_int32_t *, struct mbuf **, int *); 235#if PULLDOWN_TEST 236static struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int); 237#endif 238 239#ifdef __APPLE__ 240void gifattach(void); 241void stfattach(void); 242#endif 243 244SYSCTL_DECL(_net_inet6_ip6); 245 246int ip6_doscopedroute = 1; 247SYSCTL_INT(_net_inet6_ip6, OID_AUTO, scopedroute, CTLFLAG_RD | CTLFLAG_LOCKED, 248 &ip6_doscopedroute, 0, "Enable IPv6 scoped routing"); 249 250int ip6_restrictrecvif = 1; 251SYSCTL_INT(_net_inet6_ip6, OID_AUTO, restrictrecvif, 252 CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_restrictrecvif, 0, 253 "Enable inbound interface restrictions"); 254 255/* 256 * On platforms which require strict alignment (currently for anything but 257 * i386 or x86_64), check if the IP header pointer is 32-bit aligned; if not, 258 * copy the contents of the mbuf chain into a new chain, and free the original 259 * one. Create some head room in the first mbuf of the new chain, in case 260 * it's needed later on. 261 * 262 * RFC 2460 says that IPv6 headers are 64-bit aligned, but network interfaces 263 * mostly align to 32-bit boundaries. Care should be taken never to use 64-bit 264 * load/store operations on the fields in IPv6 headers. 265 */ 266#if defined(__i386__) || defined(__x86_64__) 267#define IP6_HDR_ALIGNMENT_FIXUP(_m, _ifp, _action) do { } while (0) 268#else /* !__i386__ && !__x86_64__ */ 269#define IP6_HDR_ALIGNMENT_FIXUP(_m, _ifp, _action) do { \ 270 if (!IP6_HDR_ALIGNED_P(mtod(_m, caddr_t))) { \ 271 struct mbuf *_n; \ 272 struct ifnet *__ifp = (_ifp); \ 273 atomic_add_64(&(__ifp)->if_alignerrs, 1); \ 274 if (((_m)->m_flags & M_PKTHDR) && \ 275 (_m)->m_pkthdr.header != NULL) \ 276 (_m)->m_pkthdr.header = NULL; \ 277 _n = m_defrag_offset(_m, max_linkhdr, M_NOWAIT); \ 278 if (_n == NULL) { \ 279 ip6stat.ip6s_toosmall++; \ 280 m_freem(_m); \ 281 (_m) = NULL; \ 282 _action \ 283 } else { \ 284 VERIFY(_n != (_m)); \ 285 (_m) = _n; \ 286 } \ 287 } \ 288} while (0) 289#endif /* !__i386__ && !__x86_64__ */ 290 291static void 292ip6_proto_input( 293 __unused protocol_family_t protocol, 294 mbuf_t packet) 295{ 296 ip6_input(packet); 297} 298 299/* 300 * IP6 initialization: fill in IP6 protocol switch table. 301 * All protocols not implemented in kernel go to raw IP6 protocol handler. 302 */ 303void 304ip6_init() 305{ 306 struct ip6protosw *pr; 307 int i; 308 struct timeval tv; 309 310 _CASSERT((sizeof(struct ip6_hdr) + sizeof(struct icmp6_hdr)) <= 311 _MHLEN); 312 313 PE_parse_boot_argn("net.inet6.ip6.scopedroute", &ip6_doscopedroute, 314 sizeof (ip6_doscopedroute)); 315 316#if DIAGNOSTIC 317 if (sizeof(struct protosw) != sizeof(struct ip6protosw)) 318 panic("sizeof(protosw) != sizeof(ip6protosw)"); 319#endif 320 pr = (struct ip6protosw *)pffindproto_locked(PF_INET6, IPPROTO_RAW, SOCK_RAW); 321 if (pr == 0) 322 panic("ip6_init"); 323 for (i = 0; i < IPPROTO_MAX; i++) 324 ip6_protox[i] = pr; 325 for (pr = (struct ip6protosw*)inet6domain.dom_protosw; pr; pr = pr->pr_next) { 326 if(!(pr->pr_domain)) continue; /* If uninitialized, skip */ 327 if (pr->pr_domain->dom_family == PF_INET6 && 328 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) { 329 ip6_protox[pr->pr_protocol] = pr; 330 } 331 } 332 333 ip6_mutex_grp_attr = lck_grp_attr_alloc_init(); 334 335 ip6_mutex_grp = lck_grp_alloc_init("ip6", ip6_mutex_grp_attr); 336 ip6_mutex_attr = lck_attr_alloc_init(); 337 338 lck_mtx_init(dad6_mutex, ip6_mutex_grp, ip6_mutex_attr); 339 lck_mtx_init(nd6_mutex, ip6_mutex_grp, ip6_mutex_attr); 340 lck_mtx_init(prefix6_mutex, ip6_mutex_grp, ip6_mutex_attr); 341 lck_mtx_init(scope6_mutex, ip6_mutex_grp, ip6_mutex_attr); 342 343#ifdef ENABLE_ADDRSEL 344 lck_mtx_init(addrsel_mutex, ip6_mutex_grp, ip6_mutex_attr); 345#endif 346 347 lck_mtx_init(&proxy6_lock, ip6_mutex_grp, ip6_mutex_attr); 348 lck_mtx_init(&ip6_init_mutex, ip6_mutex_grp, ip6_mutex_attr); 349 350 lck_rw_init(&in6_ifs_rwlock, ip6_mutex_grp, ip6_mutex_attr); 351 lck_rw_init(&icmp6_ifs_rwlock, ip6_mutex_grp, ip6_mutex_attr); 352 353 inet6domain.dom_flags = DOM_REENTRANT; 354 355 ip6intrq.ifq_maxlen = ip6qmaxlen; 356 357 in6_ifaddr_rwlock_grp_attr = lck_grp_attr_alloc_init(); 358 in6_ifaddr_rwlock_grp = lck_grp_alloc_init("in6_ifaddr_rwlock", 359 in6_ifaddr_rwlock_grp_attr); 360 in6_ifaddr_rwlock_attr = lck_attr_alloc_init(); 361 lck_rw_init(&in6_ifaddr_rwlock, in6_ifaddr_rwlock_grp, 362 in6_ifaddr_rwlock_attr); 363 364 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_receive); 365 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_hdrerr); 366 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_toobig); 367 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_noroute); 368 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_addrerr); 369 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_protounknown); 370 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_truncated); 371 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_discard); 372 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_deliver); 373 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_forward); 374 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_request); 375 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_discard); 376 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_fragok); 377 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_fragfail); 378 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_fragcreat); 379 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_reass_reqd); 380 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_reass_ok); 381 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_reass_fail); 382 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_mcast); 383 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_mcast); 384 385 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_msg); 386 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_error); 387 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_dstunreach); 388 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_adminprohib); 389 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_timeexceed); 390 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_paramprob); 391 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_pkttoobig); 392 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_echo); 393 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_echoreply); 394 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_routersolicit); 395 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_routeradvert); 396 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_neighborsolicit); 397 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_neighboradvert); 398 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_redirect); 399 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_mldquery); 400 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_mldreport); 401 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_mlddone); 402 403 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_msg); 404 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_error); 405 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_dstunreach); 406 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_adminprohib); 407 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_timeexceed); 408 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_paramprob); 409 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_pkttoobig); 410 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_echo); 411 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_echoreply); 412 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_routersolicit); 413 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_routeradvert); 414 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_neighborsolicit); 415 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_neighboradvert); 416 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_redirect); 417 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_mldquery); 418 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_mldreport); 419 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_mlddone); 420 421 in6_ifaddr_init(); 422 ip6_moptions_init(); 423 nd6_init(); 424 frag6_init(); 425 icmp6_init(); 426 addrsel_policy_init(); 427 /* 428 * in many cases, random() here does NOT return random number 429 * as initialization during bootstrap time occur in fixed order. 430 */ 431 microtime(&tv); 432 ip6_flow_seq = random() ^ tv.tv_usec; 433 microtime(&tv); 434 ip6_desync_factor = (random() ^ tv.tv_usec) % MAX_TEMP_DESYNC_FACTOR; 435 436 /* 437 * P2P interfaces often route the local address to the loopback 438 * interface. At this point, lo0 hasn't been initialized yet, which 439 * means that we need to delay the IPv6 configuration of lo0. 440 */ 441 net_init_add(ip6_init_delayed); 442 443 domain_proto_mtx_unlock(TRUE); 444 proto_register_input(PF_INET6, ip6_proto_input, NULL, 0); 445 domain_proto_mtx_lock(); 446} 447 448static void 449ip6_init_delayed(void) 450{ 451 (void) in6_ifattach(lo_ifp, NULL, NULL); 452 453#ifdef __APPLE__ 454 /* nd6_timer_init */ 455 timeout(nd6_timer, (caddr_t)0, hz); 456 457 /* timer for regeneranation of temporary addresses randomize ID */ 458 timeout(in6_tmpaddrtimer, (caddr_t)0, 459 (ip6_temp_preferred_lifetime - ip6_desync_factor - 460 ip6_temp_regen_advance) * hz); 461 462#if NGIF 463 gifattach(); 464#endif 465#if NSTF 466 stfattach(); 467#endif 468#endif /* __APPLE__ */ 469} 470 471void 472ip6_input(struct mbuf *m) 473{ 474 struct ip6_hdr *ip6; 475 int off = sizeof(struct ip6_hdr), nest; 476 u_int32_t plen; 477 u_int32_t rtalert = ~0; 478 int nxt = 0, ours = 0; 479 struct ifnet *deliverifp = NULL; 480 ipfilter_t inject_ipfref = 0; 481 int seen; 482 struct in6_ifaddr *ia6 = NULL; 483 struct route_in6 ip6_forward_rt; 484 struct sockaddr_in6 *dst6; 485#if DUMMYNET 486 struct m_tag *tag; 487 struct ip_fw_args args; 488 489 bzero(&args, sizeof(struct ip_fw_args)); 490#endif /* DUMMYNET */ 491 492 bzero(&ip6_forward_rt, sizeof(ip6_forward_rt)); 493 494 /* Check if the packet we received is valid after interface filter 495 * processing 496 */ 497 MBUF_INPUT_CHECK(m, m->m_pkthdr.rcvif); 498 499 /* Perform IP header alignment fixup, if needed */ 500 IP6_HDR_ALIGNMENT_FIXUP(m, m->m_pkthdr.rcvif, return;); 501 502#if DUMMYNET 503 if ((tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, 504 KERNEL_TAG_TYPE_DUMMYNET, NULL)) != NULL) { 505 struct dn_pkt_tag *dn_tag; 506 507 dn_tag = (struct dn_pkt_tag *)(tag+1); 508 509 args.fwa_pf_rule = dn_tag->dn_pf_rule; 510 511 m_tag_delete(m, tag); 512 } 513 514 if (args.fwa_pf_rule) { 515 ip6 = mtod(m, struct ip6_hdr *); /* In case PF got disabled */ 516 517 goto check_with_pf; 518 } 519#endif /* DUMMYNET */ 520 521 /* 522 * No need to proccess packet twice if we've 523 * already seen it 524 */ 525 inject_ipfref = ipf_get_inject_filter(m); 526 if (inject_ipfref != 0) { 527 ip6 = mtod(m, struct ip6_hdr *); 528 nxt = ip6->ip6_nxt; 529 seen = 0; 530 goto injectit; 531 } else 532 seen = 1; 533 534#if IPSEC 535 /* 536 * should the inner packet be considered authentic? 537 * see comment in ah4_input(). 538 */ 539 if (m) { 540 m->m_flags &= ~M_AUTHIPHDR; 541 m->m_flags &= ~M_AUTHIPDGM; 542 } 543#endif 544 545 /* 546 * make sure we don't have onion peering information into m_aux. 547 */ 548 ip6_delaux(m); 549 550 /* 551 * mbuf statistics 552 */ 553 if (m->m_flags & M_EXT) { 554 if (m->m_next) 555 ip6stat.ip6s_mext2m++; 556 else 557 ip6stat.ip6s_mext1++; 558 } else { 559#define M2MMAX (sizeof(ip6stat.ip6s_m2m)/sizeof(ip6stat.ip6s_m2m[0])) 560 if (m->m_next) { 561 if (m->m_flags & M_LOOP) { 562 ip6stat.ip6s_m2m[ifnet_index(lo_ifp)]++; /* XXX */ 563 } else if (m->m_pkthdr.rcvif->if_index < M2MMAX) 564 ip6stat.ip6s_m2m[m->m_pkthdr.rcvif->if_index]++; 565 else 566 ip6stat.ip6s_m2m[0]++; 567 } else 568 ip6stat.ip6s_m1++; 569#undef M2MMAX 570 } 571 572 /* 573 * Drop the packet if IPv6 operation is disabled on the IF; 574 * accessing the flag is done without acquiring nd_ifinfo lock 575 * for performance reasons. 576 */ 577 lck_rw_lock_shared(nd_if_rwlock); 578 if (m->m_pkthdr.rcvif->if_index < nd_ifinfo_indexlim && 579 (nd_ifinfo[m->m_pkthdr.rcvif->if_index].flags & ND6_IFF_IFDISABLED)) { 580 lck_rw_done(nd_if_rwlock); 581 goto bad; 582 } 583 lck_rw_done(nd_if_rwlock); 584 585 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_receive); 586 ip6stat.ip6s_total++; 587 588#ifndef PULLDOWN_TEST 589 /* 590 * L2 bridge code and some other code can return mbuf chain 591 * that does not conform to KAME requirement. too bad. 592 * XXX: fails to join if interface MTU > MCLBYTES. jumbogram? 593 */ 594 if (m && m->m_next != NULL && m->m_pkthdr.len < MCLBYTES) { 595 struct mbuf *n; 596 597 MGETHDR(n, M_DONTWAIT, MT_HEADER); /* MAC-OK */ 598 if (n) 599 M_COPY_PKTHDR(n, m); 600 if (n && m->m_pkthdr.len > MHLEN) { 601 MCLGET(n, M_DONTWAIT); 602 if ((n->m_flags & M_EXT) == 0) { 603 m_freem(n); 604 n = NULL; 605 } 606 } 607 if (n == NULL) 608 goto bad; 609 610 m_copydata(m, 0, m->m_pkthdr.len, mtod(n, caddr_t)); 611 n->m_len = m->m_pkthdr.len; 612 m_freem(m); 613 m = n; 614 } 615 IP6_EXTHDR_CHECK(m, 0, sizeof(struct ip6_hdr), 616 {goto done;}); 617#endif 618 619 if (m->m_len < sizeof(struct ip6_hdr)) { 620 struct ifnet *inifp; 621 inifp = m->m_pkthdr.rcvif; 622 if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == 0) { 623 ip6stat.ip6s_toosmall++; 624 in6_ifstat_inc(inifp, ifs6_in_hdrerr); 625 goto done; 626 } 627 } 628 629 ip6 = mtod(m, struct ip6_hdr *); 630 631 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 632 ip6stat.ip6s_badvers++; 633 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 634 goto bad; 635 } 636 637 ip6stat.ip6s_nxthist[ip6->ip6_nxt]++; 638 639#if IPFW2 640 /* 641 * Check with the firewall... 642 */ 643 if (ip6_fw_enable && ip6_fw_chk_ptr) { 644 u_short port = 0; 645 /* If ipfw says divert, we have to just drop packet */ 646 /* use port as a dummy argument */ 647 if ((*ip6_fw_chk_ptr)(&ip6, NULL, &port, &m)) { 648 m_freem(m); 649 m = NULL; 650 } 651 if (!m) 652 goto done; 653 } 654#endif 655 656 /* 657 * Check against address spoofing/corruption. 658 */ 659 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) || 660 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) { 661 /* 662 * XXX: "badscope" is not very suitable for a multicast source. 663 */ 664 ip6stat.ip6s_badscope++; 665 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 666 goto bad; 667 } 668 if (IN6_IS_ADDR_MC_INTFACELOCAL(&ip6->ip6_dst) && 669 !(m->m_flags & M_LOOP)) { 670 /* 671 * In this case, the packet should come from the loopback 672 * interface. However, we cannot just check the if_flags, 673 * because ip6_mloopback() passes the "actual" interface 674 * as the outgoing/incoming interface. 675 */ 676 ip6stat.ip6s_badscope++; 677 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 678 goto bad; 679 } 680 681 /* 682 * The following check is not documented in specs. A malicious 683 * party may be able to use IPv4 mapped addr to confuse tcp/udp stack 684 * and bypass security checks (act as if it was from 127.0.0.1 by using 685 * IPv6 src ::ffff:127.0.0.1). Be cautious. 686 * 687 * This check chokes if we are in an SIIT cloud. As none of BSDs 688 * support IPv4-less kernel compilation, we cannot support SIIT 689 * environment at all. So, it makes more sense for us to reject any 690 * malicious packets for non-SIIT environment, than try to do a 691 * partial support for SIIT environment. 692 */ 693 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 694 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 695 ip6stat.ip6s_badscope++; 696 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 697 goto bad; 698 } 699#if 0 700 /* 701 * Reject packets with IPv4 compatible addresses (auto tunnel). 702 * 703 * The code forbids auto tunnel relay case in RFC1933 (the check is 704 * stronger than RFC1933). We may want to re-enable it if mech-xx 705 * is revised to forbid relaying case. 706 */ 707 if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) || 708 IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { 709 ip6stat.ip6s_badscope++; 710 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 711 goto bad; 712 } 713#endif 714 715 /* 716 * Naively assume we can attribute inbound data to the route we would 717 * use to send to this destination. Asymetric routing breaks this 718 * assumption, but it still allows us to account for traffic from 719 * a remote node in the routing table. 720 * this has a very significant performance impact so we bypass 721 * if nstat_collect is disabled. We may also bypass if the 722 * protocol is tcp in the future because tcp will have a route that 723 * we can use to attribute the data to. That does mean we would not 724 * account for forwarded tcp traffic. 725 */ 726 if (nstat_collect) { 727 struct rtentry *rte = 728 ifnet_cached_rtlookup_inet6(m->m_pkthdr.rcvif, 729 &ip6->ip6_src); 730 if (rte != NULL) { 731 nstat_route_rx(rte, 1, m->m_pkthdr.len, 0); 732 rtfree(rte); 733 } 734 } 735 736#if DUMMYNET 737check_with_pf: 738#endif 739#if PF 740 /* Invoke inbound packet filter */ 741 if (PF_IS_ENABLED) { 742 int error; 743#if DUMMYNET 744 error = pf_af_hook(m->m_pkthdr.rcvif, NULL, &m, AF_INET6, TRUE, &args); 745#else 746 error = pf_af_hook(m->m_pkthdr.rcvif, NULL, &m, AF_INET6, TRUE, NULL); 747#endif 748 if (error != 0 || m == NULL) { 749 if (m != NULL) { 750 panic("%s: unexpected packet %p\n", __func__, m); 751 /* NOTREACHED */ 752 } 753 /* Already freed by callee */ 754 goto done; 755 } 756 ip6 = mtod(m, struct ip6_hdr *); 757 } 758#endif /* PF */ 759 760 /* drop packets if interface ID portion is already filled */ 761 if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) { 762 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src) && 763 ip6->ip6_src.s6_addr16[1]) { 764 ip6stat.ip6s_badscope++; 765 goto bad; 766 } 767 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst) && 768 ip6->ip6_dst.s6_addr16[1]) { 769 ip6stat.ip6s_badscope++; 770 goto bad; 771 } 772 } 773 774 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) 775 ip6->ip6_src.s6_addr16[1] 776 = htons(m->m_pkthdr.rcvif->if_index); 777 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) 778 ip6->ip6_dst.s6_addr16[1] 779 = htons(m->m_pkthdr.rcvif->if_index); 780 781 /* 782 * Multicast check 783 */ 784 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 785 struct in6_multi *in6m = NULL; 786 struct ifnet *ifp = m->m_pkthdr.rcvif; 787 788 in6_ifstat_inc(ifp, ifs6_in_mcast); 789 /* 790 * See if we belong to the destination multicast group on the 791 * arrival interface. 792 */ 793 in6_multihead_lock_shared(); 794 IN6_LOOKUP_MULTI(&ip6->ip6_dst, ifp, in6m); 795 in6_multihead_lock_done(); 796 if (in6m != NULL) { 797 IN6M_REMREF(in6m); 798 ours = 1; 799 } else if (!nd6_prproxy 800#if MROUTING 801 && !ip6_mrouter 802#endif 803 ) { 804 ip6stat.ip6s_notmember++; 805 ip6stat.ip6s_cantforward++; 806 in6_ifstat_inc(ifp, ifs6_in_discard); 807 goto bad; 808 } 809 deliverifp = ifp; 810 goto hbhcheck; 811 } 812 813 /* 814 * Unicast check 815 */ 816 dst6 = (struct sockaddr_in6 *)&ip6_forward_rt.ro_dst; 817 dst6->sin6_len = sizeof(struct sockaddr_in6); 818 dst6->sin6_family = AF_INET6; 819 dst6->sin6_addr = ip6->ip6_dst; 820 821 rtalloc_scoped_ign((struct route *)&ip6_forward_rt, 822 RTF_PRCLONING, IFSCOPE_NONE); 823 if (ip6_forward_rt.ro_rt != NULL) 824 RT_LOCK(ip6_forward_rt.ro_rt); 825 826#define rt6_key(r) ((struct sockaddr_in6 *)((r)->rt_nodes->rn_key)) 827 828 /* 829 * Accept the packet if the forwarding interface to the destination 830 * according to the routing table is the loopback interface, 831 * unless the associated route has a gateway. 832 * Note that this approach causes to accept a packet if there is a 833 * route to the loopback interface for the destination of the packet. 834 * But we think it's even useful in some situations, e.g. when using 835 * a special daemon which wants to intercept the packet. 836 * 837 * XXX: some OSes automatically make a cloned route for the destination 838 * of an outgoing packet. If the outgoing interface of the packet 839 * is a loopback one, the kernel would consider the packet to be 840 * accepted, even if we have no such address assinged on the interface. 841 * We check the cloned flag of the route entry to reject such cases, 842 * assuming that route entries for our own addresses are not made by 843 * cloning (it should be true because in6_addloop explicitly installs 844 * the host route). However, we might have to do an explicit check 845 * while it would be less efficient. Or, should we rather install a 846 * reject route for such a case? 847 */ 848 if (ip6_forward_rt.ro_rt != NULL && 849 (ip6_forward_rt.ro_rt->rt_flags & 850 (RTF_HOST|RTF_GATEWAY)) == RTF_HOST && 851#if RTF_WASCLONED 852 !(ip6_forward_rt.ro_rt->rt_flags & RTF_WASCLONED) && 853#endif 854#if 0 855 /* 856 * The check below is redundant since the comparison of 857 * the destination and the key of the rtentry has 858 * already done through looking up the routing table. 859 */ 860 IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, 861 &rt6_key(ip6_forward_rt.ro_rt)->sin6_addr) 862#endif 863 ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_LOOP) { 864 ia6 = (struct in6_ifaddr *)ip6_forward_rt.ro_rt->rt_ifa; 865 866 /* 867 * record address information into m_aux. 868 */ 869 (void)ip6_setdstifaddr(m, ia6); 870 871 /* 872 * packets to a tentative, duplicated, or somehow invalid 873 * address must not be accepted. 874 */ 875 RT_CONVERT_LOCK(ip6_forward_rt.ro_rt); /* just in case */ 876 IFA_LOCK_SPIN(&ia6->ia_ifa); 877 if (!(ia6->ia6_flags & IN6_IFF_NOTREADY)) { 878 IFA_UNLOCK(&ia6->ia_ifa); 879 /* this address is ready */ 880 ours = 1; 881 deliverifp = ia6->ia_ifp; /* correct? */ 882 /* Count the packet in the ip address stats */ 883 884 RT_UNLOCK(ip6_forward_rt.ro_rt); 885 ia6 = NULL; 886 goto hbhcheck; 887 } 888 IFA_UNLOCK(&ia6->ia_ifa); 889 RT_UNLOCK(ip6_forward_rt.ro_rt); 890 /* address is not ready, so discard the packet. */ 891 nd6log((LOG_INFO, 892 "ip6_input: packet to an unready address %s->%s\n", 893 ip6_sprintf(&ip6->ip6_src), 894 ip6_sprintf(&ip6->ip6_dst))); 895 ia6 = NULL; 896 goto bad; 897 } 898 899 if (ip6_forward_rt.ro_rt != NULL) 900 RT_UNLOCK(ip6_forward_rt.ro_rt); 901 902 /* 903 * Now there is no reason to process the packet if it's not our own 904 * and we're not a router. 905 */ 906 if (!ip6_forwarding) { 907 ip6stat.ip6s_cantforward++; 908 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 909 goto bad; 910 } 911 912 hbhcheck: 913 /* 914 * record address information into m_aux, if we don't have one yet. 915 * note that we are unable to record it, if the address is not listed 916 * as our interface address (e.g. multicast addresses, etc.) 917 */ 918 if (deliverifp && (ia6 = ip6_getdstifaddr(m)) == NULL) { 919 ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst); 920 if (ia6) { 921 if (!ip6_setdstifaddr(m, ia6)) { 922 /* 923 * XXX maybe we should drop the packet here, 924 * as we could not provide enough information 925 * to the upper layers. 926 */ 927 } 928 IFA_REMREF(&ia6->ia_ifa); 929 ia6 = NULL; 930 } 931 } 932 933 if (ia6 != NULL) { 934 IFA_REMREF(&ia6->ia_ifa); 935 ia6 = NULL; 936 } 937 938 /* 939 * Process Hop-by-Hop options header if it's contained. 940 * m may be modified in ip6_hopopts_input(). 941 * If a JumboPayload option is included, plen will also be modified. 942 */ 943 plen = (u_int32_t)ntohs(ip6->ip6_plen); 944 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 945 struct ip6_hbh *hbh; 946 947 if (ip6_hopopts_input(&plen, &rtalert, &m, &off)) { 948#if 0 /*touches NULL pointer*/ 949 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 950#endif 951 goto done; /* m have already been freed */ 952 } 953 954 /* adjust pointer */ 955 ip6 = mtod(m, struct ip6_hdr *); 956 957 /* 958 * if the payload length field is 0 and the next header field 959 * indicates Hop-by-Hop Options header, then a Jumbo Payload 960 * option MUST be included. 961 */ 962 if (ip6->ip6_plen == 0 && plen == 0) { 963 /* 964 * Note that if a valid jumbo payload option is 965 * contained, ip6_hopopts_input() must set a valid 966 * (non-zero) payload length to the variable plen. 967 */ 968 ip6stat.ip6s_badoptions++; 969 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard); 970 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); 971 icmp6_error(m, ICMP6_PARAM_PROB, 972 ICMP6_PARAMPROB_HEADER, 973 (caddr_t)&ip6->ip6_plen - (caddr_t)ip6); 974 goto done; 975 } 976#ifndef PULLDOWN_TEST 977 /* ip6_hopopts_input() ensures that mbuf is contiguous */ 978 hbh = (struct ip6_hbh *)(ip6 + 1); 979#else 980 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 981 sizeof(struct ip6_hbh)); 982 if (hbh == NULL) { 983 ip6stat.ip6s_tooshort++; 984 goto done; 985 } 986#endif 987 nxt = hbh->ip6h_nxt; 988 989 /* 990 * If we are acting as a router and the packet contains a 991 * router alert option, see if we know the option value. 992 * Currently, we only support the option value for MLD, in which 993 * case we should pass the packet to the multicast routing 994 * daemon. 995 */ 996 if (rtalert != ~0 && ip6_forwarding) { 997 switch (rtalert) { 998 case IP6OPT_RTALERT_MLD: 999 ours = 1; 1000 break; 1001 default: 1002 /* 1003 * RFC2711 requires unrecognized values must be 1004 * silently ignored. 1005 */ 1006 break; 1007 } 1008 } 1009 } else 1010 nxt = ip6->ip6_nxt; 1011 1012 /* 1013 * Check that the amount of data in the buffers 1014 * is as at least much as the IPv6 header would have us expect. 1015 * Trim mbufs if longer than we expect. 1016 * Drop packet if shorter than we expect. 1017 */ 1018 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) { 1019 ip6stat.ip6s_tooshort++; 1020 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 1021 goto bad; 1022 } 1023 if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) { 1024 if (m->m_len == m->m_pkthdr.len) { 1025 m->m_len = sizeof(struct ip6_hdr) + plen; 1026 m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen; 1027 } else 1028 m_adj(m, sizeof(struct ip6_hdr) + plen - m->m_pkthdr.len); 1029 } 1030 1031 /* 1032 * Forward if desirable. 1033 */ 1034 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { 1035 /* 1036 * If we are acting as a multicast router, all 1037 * incoming multicast packets are passed to the 1038 * kernel-level multicast forwarding function. 1039 * The packet is returned (relatively) intact; if 1040 * ip6_mforward() returns a non-zero value, the packet 1041 * must be discarded, else it may be accepted below. 1042 */ 1043#if MROUTING 1044 if (ip6_mrouter && ip6_mforward(ip6, m->m_pkthdr.rcvif, m)) { 1045 ip6stat.ip6s_cantforward++; 1046 goto bad; 1047 } 1048#endif 1049 if (!ours && nd6_prproxy) { 1050 /* 1051 * If this isn't for us, this might be a Neighbor 1052 * Solicitation (dst is solicited-node multicast) 1053 * against an address in one of the proxied prefixes; 1054 * if so, claim the packet and let icmp6_input() 1055 * handle the rest. 1056 */ 1057 ours = nd6_prproxy_isours(m, ip6, NULL, IFSCOPE_NONE); 1058 VERIFY(!ours || 1059 (m->m_pkthdr.aux_flags & MAUXF_PROXY_DST)); 1060 } 1061 if (!ours) 1062 goto bad; 1063 } else if (!ours) { 1064 /* 1065 * The unicast forwarding function might return the packet 1066 * if we are proxying prefix(es), and if the packet is an 1067 * ICMPv6 packet that has failed the zone checks, but is 1068 * targetted towards a proxied address (this is optimized by 1069 * way of RTF_PROXY test.) If so, claim the packet as ours 1070 * and let icmp6_input() handle the rest. The packet's hop 1071 * limit value is kept intact (it's not decremented). This 1072 * is for supporting Neighbor Unreachability Detection between 1073 * proxied nodes on different links (src is link-local, dst 1074 * is target address.) 1075 */ 1076 if ((m = ip6_forward(m, &ip6_forward_rt, 0)) == NULL) 1077 goto done; 1078 VERIFY(ip6_forward_rt.ro_rt != NULL); 1079 VERIFY(m->m_pkthdr.aux_flags & MAUXF_PROXY_DST); 1080 deliverifp = ip6_forward_rt.ro_rt->rt_ifp; 1081 ours = 1; 1082 } 1083 1084 ip6 = mtod(m, struct ip6_hdr *); 1085 1086 /* 1087 * Malicious party may be able to use IPv4 mapped addr to confuse 1088 * tcp/udp stack and bypass security checks (act as if it was from 1089 * 127.0.0.1 by using IPv6 src ::ffff:127.0.0.1). Be cautious. 1090 * 1091 * For SIIT end node behavior, you may want to disable the check. 1092 * However, you will become vulnerable to attacks using IPv4 mapped 1093 * source. 1094 */ 1095 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || 1096 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { 1097 ip6stat.ip6s_badscope++; 1098 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); 1099 goto bad; 1100 } 1101 1102 /* 1103 * Tell launch routine the next header 1104 */ 1105 ip6stat.ip6s_delivered++; 1106 in6_ifstat_inc(deliverifp, ifs6_in_deliver); 1107 1108injectit: 1109 nest = 0; 1110 1111 /* 1112 * Perform IP header alignment fixup again, if needed. Note that 1113 * we do it once for the outermost protocol, and we assume each 1114 * protocol handler wouldn't mess with the alignment afterwards. 1115 */ 1116 IP6_HDR_ALIGNMENT_FIXUP(m, m->m_pkthdr.rcvif, return;); 1117 1118 while (nxt != IPPROTO_DONE) { 1119 struct ipfilter *filter; 1120 int (*pr_input)(struct mbuf **, int *, int); 1121 1122 if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) { 1123 ip6stat.ip6s_toomanyhdr++; 1124 goto bad; 1125 } 1126 1127 /* 1128 * protection against faulty packet - there should be 1129 * more sanity checks in header chain processing. 1130 */ 1131 if (m->m_pkthdr.len < off) { 1132 ip6stat.ip6s_tooshort++; 1133 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 1134 goto bad; 1135 } 1136 1137 1138#if IPSEC 1139 /* 1140 * enforce IPsec policy checking if we are seeing last header. 1141 * note that we do not visit this with protocols with pcb layer 1142 * code - like udp/tcp/raw ip. 1143 */ 1144 if ((ipsec_bypass == 0) && 1145 (ip6_protox[nxt]->pr_flags & PR_LASTHDR) != 0) { 1146 if (ipsec6_in_reject(m, NULL)) { 1147 IPSEC_STAT_INCREMENT(ipsec6stat.in_polvio); 1148 goto bad; 1149 } 1150 } 1151#endif 1152 1153 /* 1154 * Call IP filter 1155 */ 1156 if (!TAILQ_EMPTY(&ipv6_filters)) { 1157 ipf_ref(); 1158 TAILQ_FOREACH(filter, &ipv6_filters, ipf_link) { 1159 if (seen == 0) { 1160 if ((struct ipfilter *)inject_ipfref == 1161 filter) 1162 seen = 1; 1163 } else if (filter->ipf_filter.ipf_input) { 1164 errno_t result; 1165 1166 result = filter->ipf_filter.ipf_input( 1167 filter->ipf_filter.cookie, 1168 (mbuf_t *)&m, off, nxt); 1169 if (result == EJUSTRETURN) { 1170 ipf_unref(); 1171 goto done; 1172 } 1173 if (result != 0) { 1174 ipf_unref(); 1175 goto bad; 1176 } 1177 } 1178 } 1179 ipf_unref(); 1180 } 1181 1182 DTRACE_IP6(receive, struct mbuf *, m, struct inpcb *, NULL, 1183 struct ip6_hdr *, ip6, struct ifnet *, m->m_pkthdr.rcvif, 1184 struct ip *, NULL, struct ip6_hdr *, ip6); 1185 1186 if ((pr_input = ip6_protox[nxt]->pr_input) == NULL) { 1187 m_freem(m); 1188 m = NULL; 1189 nxt = IPPROTO_DONE; 1190 } else if (!(ip6_protox[nxt]->pr_flags & PR_PROTOLOCK)) { 1191 lck_mtx_lock(inet6_domain_mutex); 1192 nxt = pr_input(&m, &off, nxt); 1193 lck_mtx_unlock(inet6_domain_mutex); 1194 } else { 1195 nxt = pr_input(&m, &off, nxt); 1196 } 1197 } 1198done: 1199 if (ip6_forward_rt.ro_rt != NULL) 1200 rtfree(ip6_forward_rt.ro_rt); 1201 return; 1202 bad: 1203 m_freem(m); 1204 goto done; 1205} 1206 1207/* 1208 * set/grab in6_ifaddr correspond to IPv6 destination address. 1209 * XXX backward compatibility wrapper 1210 */ 1211static struct ip6aux * 1212ip6_setdstifaddr(struct mbuf *m, struct in6_ifaddr *ia6) 1213{ 1214 struct ip6aux *n; 1215 1216 n = ip6_addaux(m); 1217 if (n != NULL) { 1218 if (ia6 != NULL) 1219 IFA_ADDREF(&ia6->ia_ifa); 1220 if (n->ip6a_dstia6 != NULL) 1221 IFA_REMREF(&n->ip6a_dstia6->ia_ifa); 1222 n->ip6a_dstia6 = ia6; 1223 } 1224 return (struct ip6aux *)n; /* NULL if failed to set */ 1225} 1226 1227struct in6_ifaddr * 1228ip6_getdstifaddr(m) 1229 struct mbuf *m; 1230{ 1231 struct ip6aux *n; 1232 1233 n = ip6_findaux(m); 1234 if (n != NULL) { 1235 if (n->ip6a_dstia6 != NULL) 1236 IFA_ADDREF(&n->ip6a_dstia6->ia_ifa); 1237 return (n->ip6a_dstia6); 1238 } 1239 return (NULL); 1240} 1241 1242/* 1243 * Hop-by-Hop options header processing. If a valid jumbo payload option is 1244 * included, the real payload length will be stored in plenp. 1245 */ 1246static int 1247ip6_hopopts_input(uint32_t *plenp, uint32_t *rtalertp, struct mbuf **mp, 1248 int *offp) 1249{ 1250 struct mbuf *m = *mp; 1251 int off = *offp, hbhlen; 1252 struct ip6_hbh *hbh; 1253 u_int8_t *opt; 1254 1255 /* validation of the length of the header */ 1256#ifndef PULLDOWN_TEST 1257 IP6_EXTHDR_CHECK(m, off, sizeof(*hbh), return -1); 1258 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off); 1259 hbhlen = (hbh->ip6h_len + 1) << 3; 1260 1261 IP6_EXTHDR_CHECK(m, off, hbhlen, return -1); 1262 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off); 1263#else 1264 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, 1265 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh)); 1266 if (hbh == NULL) { 1267 ip6stat.ip6s_tooshort++; 1268 return -1; 1269 } 1270 hbhlen = (hbh->ip6h_len + 1) << 3; 1271 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), 1272 hbhlen); 1273 if (hbh == NULL) { 1274 ip6stat.ip6s_tooshort++; 1275 return -1; 1276 } 1277#endif 1278 off += hbhlen; 1279 hbhlen -= sizeof(struct ip6_hbh); 1280 opt = (u_int8_t *)hbh + sizeof(struct ip6_hbh); 1281 1282 if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh), 1283 hbhlen, rtalertp, plenp) < 0) 1284 return (-1); 1285 1286 *offp = off; 1287 *mp = m; 1288 return (0); 1289} 1290 1291/* 1292 * Search header for all Hop-by-hop options and process each option. 1293 * This function is separate from ip6_hopopts_input() in order to 1294 * handle a case where the sending node itself process its hop-by-hop 1295 * options header. In such a case, the function is called from ip6_output(). 1296 * 1297 * The function assumes that hbh header is located right after the IPv6 header 1298 * (RFC2460 p7), opthead is pointer into data content in m, and opthead to 1299 * opthead + hbhlen is located in continuous memory region. 1300 */ 1301int 1302ip6_process_hopopts(m, opthead, hbhlen, rtalertp, plenp) 1303 struct mbuf *m; 1304 u_int8_t *opthead; 1305 int hbhlen; 1306 u_int32_t *rtalertp; 1307 u_int32_t *plenp; 1308{ 1309 struct ip6_hdr *ip6; 1310 int optlen = 0; 1311 u_int8_t *opt = opthead; 1312 u_int16_t rtalert_val; 1313 u_int32_t jumboplen; 1314 const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh); 1315 1316 for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) { 1317 switch (*opt) { 1318 case IP6OPT_PAD1: 1319 optlen = 1; 1320 break; 1321 case IP6OPT_PADN: 1322 if (hbhlen < IP6OPT_MINLEN) { 1323 ip6stat.ip6s_toosmall++; 1324 goto bad; 1325 } 1326 optlen = *(opt + 1) + 2; 1327 break; 1328 case IP6OPT_ROUTER_ALERT: 1329 /* XXX may need check for alignment */ 1330 if (hbhlen < IP6OPT_RTALERT_LEN) { 1331 ip6stat.ip6s_toosmall++; 1332 goto bad; 1333 } 1334 if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) { 1335 /* XXX stat */ 1336 icmp6_error(m, ICMP6_PARAM_PROB, 1337 ICMP6_PARAMPROB_HEADER, 1338 erroff + opt + 1 - opthead); 1339 return(-1); 1340 } 1341 optlen = IP6OPT_RTALERT_LEN; 1342 bcopy((caddr_t)(opt + 2), (caddr_t)&rtalert_val, 2); 1343 *rtalertp = ntohs(rtalert_val); 1344 break; 1345 case IP6OPT_JUMBO: 1346 /* XXX may need check for alignment */ 1347 if (hbhlen < IP6OPT_JUMBO_LEN) { 1348 ip6stat.ip6s_toosmall++; 1349 goto bad; 1350 } 1351 if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) { 1352 /* XXX stat */ 1353 icmp6_error(m, ICMP6_PARAM_PROB, 1354 ICMP6_PARAMPROB_HEADER, 1355 erroff + opt + 1 - opthead); 1356 return(-1); 1357 } 1358 optlen = IP6OPT_JUMBO_LEN; 1359 1360 /* 1361 * IPv6 packets that have non 0 payload length 1362 * must not contain a jumbo payload option. 1363 */ 1364 ip6 = mtod(m, struct ip6_hdr *); 1365 if (ip6->ip6_plen) { 1366 ip6stat.ip6s_badoptions++; 1367 icmp6_error(m, ICMP6_PARAM_PROB, 1368 ICMP6_PARAMPROB_HEADER, 1369 erroff + opt - opthead); 1370 return(-1); 1371 } 1372 1373 /* 1374 * We may see jumbolen in unaligned location, so 1375 * we'd need to perform bcopy(). 1376 */ 1377 bcopy(opt + 2, &jumboplen, sizeof(jumboplen)); 1378 jumboplen = (u_int32_t)htonl(jumboplen); 1379 1380#if 1 1381 /* 1382 * if there are multiple jumbo payload options, 1383 * *plenp will be non-zero and the packet will be 1384 * rejected. 1385 * the behavior may need some debate in ipngwg - 1386 * multiple options does not make sense, however, 1387 * there's no explicit mention in specification. 1388 */ 1389 if (*plenp != 0) { 1390 ip6stat.ip6s_badoptions++; 1391 icmp6_error(m, ICMP6_PARAM_PROB, 1392 ICMP6_PARAMPROB_HEADER, 1393 erroff + opt + 2 - opthead); 1394 return(-1); 1395 } 1396#endif 1397 1398 /* 1399 * jumbo payload length must be larger than 65535. 1400 */ 1401 if (jumboplen <= IPV6_MAXPACKET) { 1402 ip6stat.ip6s_badoptions++; 1403 icmp6_error(m, ICMP6_PARAM_PROB, 1404 ICMP6_PARAMPROB_HEADER, 1405 erroff + opt + 2 - opthead); 1406 return(-1); 1407 } 1408 *plenp = jumboplen; 1409 1410 break; 1411 default: /* unknown option */ 1412 if (hbhlen < IP6OPT_MINLEN) { 1413 ip6stat.ip6s_toosmall++; 1414 goto bad; 1415 } 1416 optlen = ip6_unknown_opt(opt, m, 1417 erroff + opt - opthead); 1418 if (optlen == -1) { 1419 return(-1); 1420 } 1421 optlen += 2; 1422 break; 1423 } 1424 } 1425 1426 return(0); 1427 1428 bad: 1429 m_freem(m); 1430 return(-1); 1431} 1432 1433/* 1434 * Unknown option processing. 1435 * The third argument `off' is the offset from the IPv6 header to the option, 1436 * which is necessary if the IPv6 header the and option header and IPv6 header 1437 * is not continuous in order to return an ICMPv6 error. 1438 */ 1439int 1440ip6_unknown_opt(uint8_t *optp, struct mbuf *m, int off) 1441{ 1442 struct ip6_hdr *ip6; 1443 1444 switch (IP6OPT_TYPE(*optp)) { 1445 case IP6OPT_TYPE_SKIP: /* ignore the option */ 1446 return((int)*(optp + 1)); 1447 case IP6OPT_TYPE_DISCARD: /* silently discard */ 1448 m_freem(m); 1449 return(-1); 1450 case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */ 1451 ip6stat.ip6s_badoptions++; 1452 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off); 1453 return(-1); 1454 case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */ 1455 ip6stat.ip6s_badoptions++; 1456 ip6 = mtod(m, struct ip6_hdr *); 1457 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) || 1458 (m->m_flags & (M_BCAST|M_MCAST))) 1459 m_freem(m); 1460 else 1461 icmp6_error(m, ICMP6_PARAM_PROB, 1462 ICMP6_PARAMPROB_OPTION, off); 1463 return(-1); 1464 } 1465 1466 m_freem(m); /* XXX: NOTREACHED */ 1467 return (-1); 1468} 1469 1470/* 1471 * Create the "control" list for this pcb. 1472 * These functions will not modify mbuf chain at all. 1473 * 1474 * With KAME mbuf chain restriction: 1475 * The routine will be called from upper layer handlers like tcp6_input(). 1476 * Thus the routine assumes that the caller (tcp6_input) have already 1477 * called IP6_EXTHDR_CHECK() and all the extension headers are located in the 1478 * very first mbuf on the mbuf chain. 1479 * 1480 * ip6_savecontrol_v4 will handle those options that are possible to be 1481 * set on a v4-mapped socket. 1482 * ip6_savecontrol will directly call ip6_savecontrol_v4 to handle those 1483 * options and handle the v6-only ones itself. 1484 */ 1485struct mbuf ** 1486ip6_savecontrol_v4(struct inpcb *inp, struct mbuf *m, struct mbuf **mp, 1487 int *v4only) 1488{ 1489 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1490 1491 if ((inp->inp_socket->so_options & SO_TIMESTAMP) != 0) { 1492 struct timeval tv; 1493 1494 microtime(&tv); 1495 mp = sbcreatecontrol_mbuf((caddr_t) &tv, sizeof(tv), 1496 SCM_TIMESTAMP, SOL_SOCKET, mp); 1497 if (*mp == NULL) 1498 return NULL; 1499 } 1500 if ((inp->inp_socket->so_options & SO_TIMESTAMP_MONOTONIC) != 0) { 1501 uint64_t time; 1502 1503 time = mach_absolute_time(); 1504 mp = sbcreatecontrol_mbuf((caddr_t) &time, sizeof(time), 1505 SCM_TIMESTAMP_MONOTONIC, SOL_SOCKET, mp); 1506 1507 if (*mp == NULL) 1508 return NULL; 1509 } 1510 if ((inp->inp_socket->so_flags & SOF_RECV_TRAFFIC_CLASS) != 0) { 1511 int tc = m_get_traffic_class(m); 1512 1513 mp = sbcreatecontrol_mbuf((caddr_t) &tc, sizeof(tc), 1514 SO_TRAFFIC_CLASS, SOL_SOCKET, mp); 1515 if (*mp == NULL) 1516 return (NULL); 1517 } 1518 1519 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) { 1520 if (v4only != NULL) 1521 *v4only = 1; 1522 return (mp); 1523 } 1524 1525#define IS2292(inp, x, y) (((inp)->inp_flags & IN6P_RFC2292) ? (x) : (y)) 1526 /* RFC 2292 sec. 5 */ 1527 if ((inp->inp_flags & IN6P_PKTINFO) != 0) { 1528 struct in6_pktinfo pi6; 1529 1530 bcopy(&ip6->ip6_dst, &pi6.ipi6_addr, sizeof(struct in6_addr)); 1531 in6_clearscope(&pi6.ipi6_addr); /* XXX */ 1532 pi6.ipi6_ifindex = 1533 (m && m->m_pkthdr.rcvif) ? m->m_pkthdr.rcvif->if_index : 0; 1534 1535 mp = sbcreatecontrol_mbuf((caddr_t) &pi6, 1536 sizeof(struct in6_pktinfo), 1537 IS2292(inp, IPV6_2292PKTINFO, IPV6_PKTINFO), IPPROTO_IPV6, mp); 1538 if (*mp == NULL) 1539 return NULL; 1540 } 1541 1542 if ((inp->inp_flags & IN6P_HOPLIMIT) != 0) { 1543 int hlim = ip6->ip6_hlim & 0xff; 1544 1545 mp = sbcreatecontrol_mbuf((caddr_t) &hlim, sizeof(int), 1546 IS2292(inp, IPV6_2292HOPLIMIT, IPV6_HOPLIMIT), 1547 IPPROTO_IPV6, mp); 1548 if (*mp == NULL) 1549 return NULL; 1550 } 1551 1552 if (v4only != NULL) 1553 *v4only = 0; 1554 return (mp); 1555} 1556 1557int 1558ip6_savecontrol(struct inpcb *in6p, struct mbuf *m, struct mbuf **mp) 1559{ 1560 struct mbuf **np; 1561 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1562 int v4only = 0; 1563 1564 *mp = NULL; 1565 np = ip6_savecontrol_v4(in6p, m, mp, &v4only); 1566 if (np == NULL) 1567 goto no_mbufs; 1568 1569 mp = np; 1570 if (v4only) 1571 return(0); 1572 1573 if ((in6p->inp_flags & IN6P_TCLASS) != 0) { 1574 u_int32_t flowinfo; 1575 int tclass; 1576 1577 flowinfo = (u_int32_t)ntohl(ip6->ip6_flow & IPV6_FLOWINFO_MASK); 1578 flowinfo >>= 20; 1579 1580 tclass = flowinfo & 0xff; 1581 mp = sbcreatecontrol_mbuf((caddr_t) &tclass, sizeof(tclass), 1582 IPV6_TCLASS, IPPROTO_IPV6, mp); 1583 if (*mp == NULL) 1584 goto no_mbufs; 1585 } 1586 1587 /* 1588 * IPV6_HOPOPTS socket option. Recall that we required super-user 1589 * privilege for the option (see ip6_ctloutput), but it might be too 1590 * strict, since there might be some hop-by-hop options which can be 1591 * returned to normal user. 1592 * See also RFC 2292 section 6 (or RFC 3542 section 8). 1593 */ 1594 if ((in6p->inp_flags & IN6P_HOPOPTS) != 0) { 1595 /* 1596 * Check if a hop-by-hop options header is contatined in the 1597 * received packet, and if so, store the options as ancillary 1598 * data. Note that a hop-by-hop options header must be 1599 * just after the IPv6 header, which is assured through the 1600 * IPv6 input processing. 1601 */ 1602 ip6 = mtod(m, struct ip6_hdr *); 1603 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 1604 struct ip6_hbh *hbh; 1605 int hbhlen = 0; 1606#if PULLDOWN_TEST 1607 struct mbuf *ext; 1608#endif 1609 1610#ifndef PULLDOWN_TEST 1611 hbh = (struct ip6_hbh *)(ip6 + 1); 1612 hbhlen = (hbh->ip6h_len + 1) << 3; 1613#else 1614 ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr), 1615 ip6->ip6_nxt); 1616 if (ext == NULL) { 1617 ip6stat.ip6s_tooshort++; 1618 return(0); 1619 } 1620 hbh = mtod(ext, struct ip6_hbh *); 1621 hbhlen = (hbh->ip6h_len + 1) << 3; 1622 if (hbhlen != ext->m_len) { 1623 m_freem(ext); 1624 ip6stat.ip6s_tooshort++; 1625 return(0); 1626 } 1627#endif 1628 1629 /* 1630 * XXX: We copy the whole header even if a 1631 * jumbo payload option is included, the option which 1632 * is to be removed before returning according to 1633 * RFC2292. 1634 * Note: this constraint is removed in RFC3542 1635 */ 1636 mp = sbcreatecontrol_mbuf((caddr_t)hbh, hbhlen, 1637 IS2292(in6p, IPV6_2292HOPOPTS, IPV6_HOPOPTS), 1638 IPPROTO_IPV6, mp); 1639 1640#if PULLDOWN_TEST 1641 m_freem(ext); 1642#endif 1643 if (*mp == NULL) { 1644 goto no_mbufs; 1645 } 1646 } 1647 } 1648 1649 if ((in6p->inp_flags & (IN6P_RTHDR | IN6P_DSTOPTS)) != 0) { 1650 int nxt = ip6->ip6_nxt, off = sizeof(struct ip6_hdr); 1651 1652 /* 1653 * Search for destination options headers or routing 1654 * header(s) through the header chain, and stores each 1655 * header as ancillary data. 1656 * Note that the order of the headers remains in 1657 * the chain of ancillary data. 1658 */ 1659 while (1) { /* is explicit loop prevention necessary? */ 1660 struct ip6_ext *ip6e = NULL; 1661 int elen; 1662#if PULLDOWN_TEST 1663 struct mbuf *ext = NULL; 1664#endif 1665 1666 /* 1667 * if it is not an extension header, don't try to 1668 * pull it from the chain. 1669 */ 1670 switch (nxt) { 1671 case IPPROTO_DSTOPTS: 1672 case IPPROTO_ROUTING: 1673 case IPPROTO_HOPOPTS: 1674 case IPPROTO_AH: /* is it possible? */ 1675 break; 1676 default: 1677 goto loopend; 1678 } 1679 1680#ifndef PULLDOWN_TEST 1681 if (off + sizeof(*ip6e) > m->m_len) 1682 goto loopend; 1683 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + off); 1684 if (nxt == IPPROTO_AH) 1685 elen = (ip6e->ip6e_len + 2) << 2; 1686 else 1687 elen = (ip6e->ip6e_len + 1) << 3; 1688 if (off + elen > m->m_len) 1689 goto loopend; 1690#else 1691 ext = ip6_pullexthdr(m, off, nxt); 1692 if (ext == NULL) { 1693 ip6stat.ip6s_tooshort++; 1694 return(0); 1695 } 1696 ip6e = mtod(ext, struct ip6_ext *); 1697 if (nxt == IPPROTO_AH) 1698 elen = (ip6e->ip6e_len + 2) << 2; 1699 else 1700 elen = (ip6e->ip6e_len + 1) << 3; 1701 if (elen != ext->m_len) { 1702 m_freem(ext); 1703 ip6stat.ip6s_tooshort++; 1704 return(0); 1705 } 1706#endif 1707 1708 switch (nxt) { 1709 case IPPROTO_DSTOPTS: 1710 if (!(in6p->inp_flags & IN6P_DSTOPTS)) 1711 break; 1712 1713 mp = sbcreatecontrol_mbuf((caddr_t)ip6e, elen, 1714 IS2292(in6p, 1715 IPV6_2292DSTOPTS, IPV6_DSTOPTS), 1716 IPPROTO_IPV6, mp); 1717 if (*mp == NULL) { 1718#if PULLDOWN_TEST 1719 m_freem(ext); 1720#endif 1721 goto no_mbufs; 1722 } 1723 break; 1724 case IPPROTO_ROUTING: 1725 if (!in6p->inp_flags & IN6P_RTHDR) 1726 break; 1727 1728 mp = sbcreatecontrol_mbuf((caddr_t)ip6e, elen, 1729 IS2292(in6p, IPV6_2292RTHDR, IPV6_RTHDR), 1730 IPPROTO_IPV6, mp); 1731 if (*mp == NULL) { 1732#if PULLDOWN_TEST 1733 m_freem(ext); 1734#endif 1735 goto no_mbufs; 1736 } 1737 break; 1738 case IPPROTO_HOPOPTS: 1739 case IPPROTO_AH: /* is it possible? */ 1740 break; 1741 1742 default: 1743 /* 1744 * other cases have been filtered in the above. 1745 * none will visit this case. here we supply 1746 * the code just in case (nxt overwritten or 1747 * other cases). 1748 */ 1749#if PULLDOWN_TEST 1750 m_freem(ext); 1751#endif 1752 goto loopend; 1753 1754 } 1755 1756 /* proceed with the next header. */ 1757 off += elen; 1758 nxt = ip6e->ip6e_nxt; 1759 ip6e = NULL; 1760#if PULLDOWN_TEST 1761 m_freem(ext); 1762 ext = NULL; 1763#endif 1764 } 1765 loopend: 1766 ; 1767 } 1768 return(0); 1769no_mbufs: 1770 ip6stat.ip6s_pktdropcntrl++; 1771 /* XXX increment a stat to show the failure */ 1772 return(ENOBUFS); 1773} 1774#undef IS2292 1775 1776void 1777ip6_notify_pmtu(struct inpcb *in6p, struct sockaddr_in6 *dst, u_int32_t *mtu) 1778{ 1779 struct socket *so; 1780 struct mbuf *m_mtu; 1781 struct ip6_mtuinfo mtuctl; 1782 1783 so = in6p->inp_socket; 1784 1785 if (mtu == NULL) 1786 return; 1787 1788#ifdef DIAGNOSTIC 1789 if (so == NULL) /* I believe this is impossible */ 1790 panic("ip6_notify_pmtu: socket is NULL"); 1791#endif 1792 1793 bzero(&mtuctl, sizeof(mtuctl)); /* zero-clear for safety */ 1794 mtuctl.ip6m_mtu = *mtu; 1795 mtuctl.ip6m_addr = *dst; 1796 if (sa6_recoverscope(&mtuctl.ip6m_addr, TRUE)) 1797 return; 1798 1799 if ((m_mtu = sbcreatecontrol((caddr_t)&mtuctl, sizeof(mtuctl), 1800 IPV6_PATHMTU, IPPROTO_IPV6)) == NULL) 1801 return; 1802 1803 if (sbappendaddr(&so->so_rcv, (struct sockaddr *)dst, NULL, m_mtu, NULL) 1804 == 0) { 1805 m_freem(m_mtu); 1806 /* XXX: should count statistics */ 1807 } else 1808 sorwakeup(so); 1809 1810 return; 1811} 1812 1813#if PULLDOWN_TEST 1814/* 1815 * pull single extension header from mbuf chain. returns single mbuf that 1816 * contains the result, or NULL on error. 1817 */ 1818static struct mbuf * 1819ip6_pullexthdr(m, off, nxt) 1820 struct mbuf *m; 1821 size_t off; 1822 int nxt; 1823{ 1824 struct ip6_ext ip6e; 1825 size_t elen; 1826 struct mbuf *n; 1827 1828#if DIAGNOSTIC 1829 switch (nxt) { 1830 case IPPROTO_DSTOPTS: 1831 case IPPROTO_ROUTING: 1832 case IPPROTO_HOPOPTS: 1833 case IPPROTO_AH: /* is it possible? */ 1834 break; 1835 default: 1836 printf("ip6_pullexthdr: invalid nxt=%d\n", nxt); 1837 } 1838#endif 1839 1840 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1841 if (nxt == IPPROTO_AH) 1842 elen = (ip6e.ip6e_len + 2) << 2; 1843 else 1844 elen = (ip6e.ip6e_len + 1) << 3; 1845 1846 MGET(n, M_DONTWAIT, MT_DATA); 1847 if (n && elen >= MLEN) { 1848 MCLGET(n, M_DONTWAIT); 1849 if ((n->m_flags & M_EXT) == 0) { 1850 m_free(n); 1851 n = NULL; 1852 } 1853 } 1854 if (!n) 1855 return NULL; 1856 1857 n->m_len = 0; 1858 if (elen >= M_TRAILINGSPACE(n)) { 1859 m_free(n); 1860 return NULL; 1861 } 1862 1863 m_copydata(m, off, elen, mtod(n, caddr_t)); 1864 n->m_len = elen; 1865 return n; 1866} 1867#endif 1868 1869/* 1870 * Get pointer to the previous header followed by the header 1871 * currently processed. 1872 * XXX: This function supposes that 1873 * M includes all headers, 1874 * the next header field and the header length field of each header 1875 * are valid, and 1876 * the sum of each header length equals to OFF. 1877 * Because of these assumptions, this function must be called very 1878 * carefully. Moreover, it will not be used in the near future when 1879 * we develop `neater' mechanism to process extension headers. 1880 */ 1881char * 1882ip6_get_prevhdr(m, off) 1883 struct mbuf *m; 1884 int off; 1885{ 1886 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 1887 1888 if (off == sizeof(struct ip6_hdr)) 1889 return((char *) &ip6->ip6_nxt); 1890 else { 1891 int len, nxt; 1892 struct ip6_ext *ip6e = NULL; 1893 1894 nxt = ip6->ip6_nxt; 1895 len = sizeof(struct ip6_hdr); 1896 while (len < off) { 1897 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + len); 1898 1899 switch (nxt) { 1900 case IPPROTO_FRAGMENT: 1901 len += sizeof(struct ip6_frag); 1902 break; 1903 case IPPROTO_AH: 1904 len += (ip6e->ip6e_len + 2) << 2; 1905 break; 1906 default: 1907 len += (ip6e->ip6e_len + 1) << 3; 1908 break; 1909 } 1910 nxt = ip6e->ip6e_nxt; 1911 } 1912 if (ip6e) 1913 return((char *) &ip6e->ip6e_nxt); 1914 else 1915 return NULL; 1916 } 1917} 1918 1919/* 1920 * get next header offset. m will be retained. 1921 */ 1922int 1923ip6_nexthdr(m, off, proto, nxtp) 1924 struct mbuf *m; 1925 int off; 1926 int proto; 1927 int *nxtp; 1928{ 1929 struct ip6_hdr ip6; 1930 struct ip6_ext ip6e; 1931 struct ip6_frag fh; 1932 1933 /* just in case */ 1934 if (m == NULL) 1935 panic("ip6_nexthdr: m == NULL"); 1936 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off) 1937 return -1; 1938 1939 switch (proto) { 1940 case IPPROTO_IPV6: 1941 if (m->m_pkthdr.len < off + sizeof(ip6)) 1942 return -1; 1943 m_copydata(m, off, sizeof(ip6), (caddr_t)&ip6); 1944 if (nxtp) 1945 *nxtp = ip6.ip6_nxt; 1946 off += sizeof(ip6); 1947 return off; 1948 1949 case IPPROTO_FRAGMENT: 1950 /* 1951 * terminate parsing if it is not the first fragment, 1952 * it does not make sense to parse through it. 1953 */ 1954 if (m->m_pkthdr.len < off + sizeof(fh)) 1955 return -1; 1956 m_copydata(m, off, sizeof(fh), (caddr_t)&fh); 1957 /* IP6F_OFF_MASK = 0xfff8(BigEndian), 0xf8ff(LittleEndian) */ 1958 if (fh.ip6f_offlg & IP6F_OFF_MASK) 1959 return -1; 1960 if (nxtp) 1961 *nxtp = fh.ip6f_nxt; 1962 off += sizeof(struct ip6_frag); 1963 return off; 1964 1965 case IPPROTO_AH: 1966 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1967 return -1; 1968 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1969 if (nxtp) 1970 *nxtp = ip6e.ip6e_nxt; 1971 off += (ip6e.ip6e_len + 2) << 2; 1972 return off; 1973 1974 case IPPROTO_HOPOPTS: 1975 case IPPROTO_ROUTING: 1976 case IPPROTO_DSTOPTS: 1977 if (m->m_pkthdr.len < off + sizeof(ip6e)) 1978 return -1; 1979 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); 1980 if (nxtp) 1981 *nxtp = ip6e.ip6e_nxt; 1982 off += (ip6e.ip6e_len + 1) << 3; 1983 return off; 1984 1985 case IPPROTO_NONE: 1986 case IPPROTO_ESP: 1987 case IPPROTO_IPCOMP: 1988 /* give up */ 1989 return -1; 1990 1991 default: 1992 return -1; 1993 } 1994 1995 return -1; 1996} 1997 1998/* 1999 * get offset for the last header in the chain. m will be kept untainted. 2000 */ 2001int 2002ip6_lasthdr(m, off, proto, nxtp) 2003 struct mbuf *m; 2004 int off; 2005 int proto; 2006 int *nxtp; 2007{ 2008 int newoff; 2009 int nxt; 2010 2011 if (!nxtp) { 2012 nxt = -1; 2013 nxtp = &nxt; 2014 } 2015 while (1) { 2016 newoff = ip6_nexthdr(m, off, proto, nxtp); 2017 if (newoff < 0) 2018 return off; 2019 else if (newoff < off) 2020 return -1; /* invalid */ 2021 else if (newoff == off) 2022 return newoff; 2023 2024 off = newoff; 2025 proto = *nxtp; 2026 } 2027} 2028 2029struct ip6aux * 2030ip6_addaux(struct mbuf *m) 2031{ 2032 struct m_tag *tag; 2033 2034 /* Check if one is already allocated */ 2035 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, 2036 KERNEL_TAG_TYPE_INET6, NULL); 2037 if (tag == NULL) { 2038 /* Allocate a tag */ 2039 tag = m_tag_create(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_INET6, 2040 sizeof (struct ip6aux), M_DONTWAIT, m); 2041 2042 /* Attach it to the mbuf */ 2043 if (tag) { 2044 m_tag_prepend(m, tag); 2045 } 2046 } 2047 2048 return (tag ? (struct ip6aux *)(tag + 1) : NULL); 2049} 2050 2051struct ip6aux * 2052ip6_findaux(struct mbuf *m) 2053{ 2054 struct m_tag *tag; 2055 2056 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, 2057 KERNEL_TAG_TYPE_INET6, NULL); 2058 2059 return (tag ? (struct ip6aux *)(tag + 1) : NULL); 2060} 2061 2062void 2063ip6_delaux(struct mbuf *m) 2064{ 2065 struct m_tag *tag; 2066 2067 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, 2068 KERNEL_TAG_TYPE_INET6, NULL); 2069 if (tag) { 2070 m_tag_delete(m, tag); 2071 } 2072} 2073 2074/* 2075 * Called by m_tag_free(). 2076 */ 2077void 2078ip6_destroyaux(struct ip6aux *n) 2079{ 2080 if (n->ip6a_dstia6 != NULL) { 2081 IFA_REMREF(&n->ip6a_dstia6->ia_ifa); 2082 n->ip6a_dstia6 = NULL; 2083 } 2084} 2085 2086/* 2087 * Called by m_tag_copy() 2088 */ 2089void 2090ip6_copyaux(struct ip6aux *src, struct ip6aux *dst) 2091{ 2092 bcopy(src, dst, sizeof (*dst)); 2093 if (dst->ip6a_dstia6 != NULL) 2094 IFA_ADDREF(&dst->ip6a_dstia6->ia_ifa); 2095} 2096 2097/* 2098 * System control for IP6 2099 */ 2100 2101u_char inet6ctlerrmap[PRC_NCMDS] = { 2102 0, 0, 0, 0, 2103 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH, 2104 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, 2105 EMSGSIZE, EHOSTUNREACH, 0, 0, 2106 0, 0, 0, 0, 2107 ENOPROTOOPT 2108}; 2109