ip6_forward.c revision 84994 
1/*	$FreeBSD: head/sys/netinet6/ip6_forward.c 84994 2001-10-15 14:16:18Z darrenr $	*/
2/*	$KAME: ip6_forward.c,v 1.69 2001/05/17 03:48:30 itojun Exp $	*/
3
4/*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 *    notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 *    notice, this list of conditions and the following disclaimer in the
15 *    documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 *    may be used to endorse or promote products derived from this software
18 *    without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33#include "opt_ip6fw.h"
34#include "opt_inet.h"
35#include "opt_inet6.h"
36#include "opt_ipsec.h"
37
38#include <sys/param.h>
39#include <sys/systm.h>
40#include <sys/malloc.h>
41#include <sys/mbuf.h>
42#include <sys/domain.h>
43#include <sys/protosw.h>
44#include <sys/socket.h>
45#include <sys/errno.h>
46#include <sys/time.h>
47#include <sys/kernel.h>
48#include <sys/syslog.h>
49
50#include <net/if.h>
51#include <net/route.h>
52#ifdef PFIL_HOOKS
53#include <net/pfil.h>
54#endif
55
56#include <netinet/in.h>
57#include <netinet/in_var.h>
58#include <netinet/in_systm.h>
59#include <netinet/ip.h>
60#include <netinet/ip_var.h>
61#include <netinet6/in6_var.h>
62#include <netinet/ip6.h>
63#include <netinet6/ip6_var.h>
64#include <netinet/icmp6.h>
65#include <netinet6/nd6.h>
66
67#include <netinet/in_pcb.h>
68
69#ifdef IPSEC
70#include <netinet6/ipsec.h>
71#ifdef INET6
72#include <netinet6/ipsec6.h>
73#endif
74#include <netkey/key.h>
75#endif /* IPSEC */
76
77#include <netinet6/ip6_fw.h>
78
79#include <net/net_osdep.h>
80
81#include <netinet6/ip6protosw.h>
82
83extern struct ip6protosw inet6sw[];
84extern u_char ip6_protox[IPPROTO_MAX];
85
86struct	route_in6 ip6_forward_rt;
87
88/*
89 * Forward a packet.  If some error occurs return the sender
90 * an icmp packet.  Note we can't always generate a meaningful
91 * icmp message because icmp doesn't have a large enough repertoire
92 * of codes and types.
93 *
94 * If not forwarding, just drop the packet.  This could be confusing
95 * if ipforwarding was zero but some routing protocol was advancing
96 * us as a gateway to somewhere.  However, we must let the routing
97 * protocol deal with that.
98 *
99 */
100
101void
102ip6_forward(m, srcrt)
103	struct mbuf *m;
104	int srcrt;
105{
106	struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
107	struct sockaddr_in6 *dst;
108	struct rtentry *rt;
109	int error, type = 0, code = 0;
110	struct mbuf *mcopy = NULL;
111	struct ifnet *origifp;	/* maybe unnecessary */
112#ifdef PFIL_HOOKS
113	struct packet_filter_hook *pfh;
114	struct mbuf *m1;
115	int rv;
116#endif /* PFIL_HOOKS */
117#ifdef IPSEC
118	struct secpolicy *sp = NULL;
119#endif
120
121#ifdef IPSEC
122	/*
123	 * Check AH/ESP integrity.
124	 */
125	/*
126	 * Don't increment ip6s_cantforward because this is the check
127	 * before forwarding packet actually.
128	 */
129	if (ipsec6_in_reject(m, NULL)) {
130		ipsec6stat.in_polvio++;
131		m_freem(m);
132		return;
133	}
134#endif /*IPSEC*/
135
136	/*
137	 * Do not forward packets to multicast destination (should be handled
138	 * by ip6_mforward().
139	 * Do not forward packets with unspecified source.  It was discussed
140	 * in July 2000, on ipngwg mailing list.
141	 */
142	if ((m->m_flags & (M_BCAST|M_MCAST)) != 0 ||
143	    IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
144	    IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) {
145		ip6stat.ip6s_cantforward++;
146		/* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard) */
147		if (ip6_log_time + ip6_log_interval < time_second) {
148			ip6_log_time = time_second;
149			log(LOG_DEBUG,
150			    "cannot forward "
151			    "from %s to %s nxt %d received on %s\n",
152			    ip6_sprintf(&ip6->ip6_src),
153			    ip6_sprintf(&ip6->ip6_dst),
154			    ip6->ip6_nxt,
155			    if_name(m->m_pkthdr.rcvif));
156		}
157		m_freem(m);
158		return;
159	}
160
161	if (ip6->ip6_hlim <= IPV6_HLIMDEC) {
162		/* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard) */
163		icmp6_error(m, ICMP6_TIME_EXCEEDED,
164				ICMP6_TIME_EXCEED_TRANSIT, 0);
165		return;
166	}
167	ip6->ip6_hlim -= IPV6_HLIMDEC;
168
169	/*
170	 * Save at most ICMPV6_PLD_MAXLEN (= the min IPv6 MTU -
171	 * size of IPv6 + ICMPv6 headers) bytes of the packet in case
172	 * we need to generate an ICMP6 message to the src.
173	 * Thanks to M_EXT, in most cases copy will not occur.
174	 *
175	 * It is important to save it before IPsec processing as IPsec
176	 * processing may modify the mbuf.
177	 */
178	mcopy = m_copy(m, 0, imin(m->m_pkthdr.len, ICMPV6_PLD_MAXLEN));
179
180#ifdef IPSEC
181	/* get a security policy for this packet */
182	sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, IP_FORWARDING,
183	    &error);
184	if (sp == NULL) {
185		ipsec6stat.out_inval++;
186		ip6stat.ip6s_cantforward++;
187		if (mcopy) {
188#if 0
189			/* XXX: what icmp ? */
190#else
191			m_freem(mcopy);
192#endif
193		}
194		m_freem(m);
195		return;
196	}
197
198	error = 0;
199
200	/* check policy */
201	switch (sp->policy) {
202	case IPSEC_POLICY_DISCARD:
203		/*
204		 * This packet is just discarded.
205		 */
206		ipsec6stat.out_polvio++;
207		ip6stat.ip6s_cantforward++;
208		key_freesp(sp);
209		if (mcopy) {
210#if 0
211			/* XXX: what icmp ? */
212#else
213			m_freem(mcopy);
214#endif
215		}
216		m_freem(m);
217		return;
218
219	case IPSEC_POLICY_BYPASS:
220	case IPSEC_POLICY_NONE:
221		/* no need to do IPsec. */
222		key_freesp(sp);
223		goto skip_ipsec;
224
225	case IPSEC_POLICY_IPSEC:
226		if (sp->req == NULL) {
227			/* XXX should be panic ? */
228			printf("ip6_forward: No IPsec request specified.\n");
229			ip6stat.ip6s_cantforward++;
230			key_freesp(sp);
231			if (mcopy) {
232#if 0
233				/* XXX: what icmp ? */
234#else
235				m_freem(mcopy);
236#endif
237			}
238			m_freem(m);
239			return;
240		}
241		/* do IPsec */
242		break;
243
244	case IPSEC_POLICY_ENTRUST:
245	default:
246		/* should be panic ?? */
247		printf("ip6_forward: Invalid policy found. %d\n", sp->policy);
248		key_freesp(sp);
249		goto skip_ipsec;
250	}
251
252    {
253	struct ipsec_output_state state;
254
255	/*
256	 * All the extension headers will become inaccessible
257	 * (since they can be encrypted).
258	 * Don't panic, we need no more updates to extension headers
259	 * on inner IPv6 packet (since they are now encapsulated).
260	 *
261	 * IPv6 [ESP|AH] IPv6 [extension headers] payload
262	 */
263	bzero(&state, sizeof(state));
264	state.m = m;
265	state.ro = NULL;	/* update at ipsec6_output_tunnel() */
266	state.dst = NULL;	/* update at ipsec6_output_tunnel() */
267
268	error = ipsec6_output_tunnel(&state, sp, 0);
269
270	m = state.m;
271	key_freesp(sp);
272
273	if (error) {
274		/* mbuf is already reclaimed in ipsec6_output_tunnel. */
275		switch (error) {
276		case EHOSTUNREACH:
277		case ENETUNREACH:
278		case EMSGSIZE:
279		case ENOBUFS:
280		case ENOMEM:
281			break;
282		default:
283			printf("ip6_output (ipsec): error code %d\n", error);
284			/*fall through*/
285		case ENOENT:
286			/* don't show these error codes to the user */
287			break;
288		}
289		ip6stat.ip6s_cantforward++;
290		if (mcopy) {
291#if 0
292			/* XXX: what icmp ? */
293#else
294			m_freem(mcopy);
295#endif
296		}
297		m_freem(m);
298		return;
299	}
300    }
301    skip_ipsec:
302#endif /* IPSEC */
303
304	dst = (struct sockaddr_in6 *)&ip6_forward_rt.ro_dst;
305	if (!srcrt) {
306		/*
307		 * ip6_forward_rt.ro_dst.sin6_addr is equal to ip6->ip6_dst
308		 */
309		if (ip6_forward_rt.ro_rt == 0 ||
310		    (ip6_forward_rt.ro_rt->rt_flags & RTF_UP) == 0) {
311			if (ip6_forward_rt.ro_rt) {
312				RTFREE(ip6_forward_rt.ro_rt);
313				ip6_forward_rt.ro_rt = 0;
314			}
315			/* this probably fails but give it a try again */
316			rtalloc_ign((struct route *)&ip6_forward_rt,
317				    RTF_PRCLONING);
318		}
319
320		if (ip6_forward_rt.ro_rt == 0) {
321			ip6stat.ip6s_noroute++;
322			in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_noroute);
323			if (mcopy) {
324				icmp6_error(mcopy, ICMP6_DST_UNREACH,
325					    ICMP6_DST_UNREACH_NOROUTE, 0);
326			}
327			m_freem(m);
328			return;
329		}
330	} else if ((rt = ip6_forward_rt.ro_rt) == 0 ||
331		 !IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &dst->sin6_addr)) {
332		if (ip6_forward_rt.ro_rt) {
333			RTFREE(ip6_forward_rt.ro_rt);
334			ip6_forward_rt.ro_rt = 0;
335		}
336		bzero(dst, sizeof(*dst));
337		dst->sin6_len = sizeof(struct sockaddr_in6);
338		dst->sin6_family = AF_INET6;
339		dst->sin6_addr = ip6->ip6_dst;
340
341  		rtalloc_ign((struct route *)&ip6_forward_rt, RTF_PRCLONING);
342		if (ip6_forward_rt.ro_rt == 0) {
343			ip6stat.ip6s_noroute++;
344			in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_noroute);
345			if (mcopy) {
346				icmp6_error(mcopy, ICMP6_DST_UNREACH,
347					    ICMP6_DST_UNREACH_NOROUTE, 0);
348			}
349			m_freem(m);
350			return;
351		}
352	}
353	rt = ip6_forward_rt.ro_rt;
354
355	/*
356	 * Scope check: if a packet can't be delivered to its destination
357	 * for the reason that the destination is beyond the scope of the
358	 * source address, discard the packet and return an icmp6 destination
359	 * unreachable error with Code 2 (beyond scope of source address).
360	 * [draft-ietf-ipngwg-icmp-v3-00.txt, Section 3.1]
361	 */
362	if (in6_addr2scopeid(m->m_pkthdr.rcvif, &ip6->ip6_src) !=
363	    in6_addr2scopeid(rt->rt_ifp, &ip6->ip6_src)) {
364		ip6stat.ip6s_cantforward++;
365		ip6stat.ip6s_badscope++;
366		in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard);
367
368		if (ip6_log_time + ip6_log_interval < time_second) {
369			ip6_log_time = time_second;
370			log(LOG_DEBUG,
371			    "cannot forward "
372			    "src %s, dst %s, nxt %d, rcvif %s, outif %s\n",
373			    ip6_sprintf(&ip6->ip6_src),
374			    ip6_sprintf(&ip6->ip6_dst),
375			    ip6->ip6_nxt,
376			    if_name(m->m_pkthdr.rcvif), if_name(rt->rt_ifp));
377		}
378		if (mcopy)
379			icmp6_error(mcopy, ICMP6_DST_UNREACH,
380				    ICMP6_DST_UNREACH_BEYONDSCOPE, 0);
381		m_freem(m);
382		return;
383	}
384
385	if (m->m_pkthdr.len > rt->rt_ifp->if_mtu) {
386		in6_ifstat_inc(rt->rt_ifp, ifs6_in_toobig);
387		if (mcopy) {
388			u_long mtu;
389#ifdef IPSEC
390			struct secpolicy *sp;
391			int ipsecerror;
392			size_t ipsechdrsiz;
393#endif
394
395			mtu = rt->rt_ifp->if_mtu;
396#ifdef IPSEC
397			/*
398			 * When we do IPsec tunnel ingress, we need to play
399			 * with if_mtu value (decrement IPsec header size
400			 * from mtu value).  The code is much simpler than v4
401			 * case, as we have the outgoing interface for
402			 * encapsulated packet as "rt->rt_ifp".
403			 */
404			sp = ipsec6_getpolicybyaddr(mcopy, IPSEC_DIR_OUTBOUND,
405				IP_FORWARDING, &ipsecerror);
406			if (sp) {
407				ipsechdrsiz = ipsec6_hdrsiz(mcopy,
408					IPSEC_DIR_OUTBOUND, NULL);
409				if (ipsechdrsiz < mtu)
410					mtu -= ipsechdrsiz;
411			}
412
413			/*
414			 * if mtu becomes less than minimum MTU,
415			 * tell minimum MTU (and I'll need to fragment it).
416			 */
417			if (mtu < IPV6_MMTU)
418				mtu = IPV6_MMTU;
419#endif
420			icmp6_error(mcopy, ICMP6_PACKET_TOO_BIG, 0, mtu);
421		}
422		m_freem(m);
423		return;
424 	}
425
426	if (rt->rt_flags & RTF_GATEWAY)
427		dst = (struct sockaddr_in6 *)rt->rt_gateway;
428
429	/*
430	 * If we are to forward the packet using the same interface
431	 * as one we got the packet from, perhaps we should send a redirect
432	 * to sender to shortcut a hop.
433	 * Only send redirect if source is sending directly to us,
434	 * and if packet was not source routed (or has any options).
435	 * Also, don't send redirect if forwarding using a route
436	 * modified by a redirect.
437	 */
438	if (rt->rt_ifp == m->m_pkthdr.rcvif && !srcrt &&
439	    (rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0) {
440		if ((rt->rt_ifp->if_flags & IFF_POINTOPOINT) != 0) {
441			/*
442			 * If the incoming interface is equal to the outgoing
443			 * one, and the link attached to the interface is
444			 * point-to-point, then it will be highly probable
445			 * that a routing loop occurs. Thus, we immediately
446			 * drop the packet and send an ICMPv6 error message.
447			 *
448			 * type/code is based on suggestion by Rich Draves.
449			 * not sure if it is the best pick.
450			 */
451			icmp6_error(mcopy, ICMP6_DST_UNREACH,
452				    ICMP6_DST_UNREACH_ADDR, 0);
453			m_freem(m);
454			return;
455		}
456		type = ND_REDIRECT;
457	}
458
459	/*
460	 * Check with the firewall...
461	 */
462	if (ip6_fw_enable && ip6_fw_chk_ptr) {
463		u_short port = 0;
464		/* If ipfw says divert, we have to just drop packet */
465		if ((*ip6_fw_chk_ptr)(&ip6, rt->rt_ifp, &port, &m)) {
466			m_freem(m);
467			goto freecopy;
468		}
469		if (!m)
470			goto freecopy;
471	}
472
473	/*
474	 * Fake scoped addresses. Note that even link-local source or
475	 * destinaion can appear, if the originating node just sends the
476	 * packet to us (without address resolution for the destination).
477	 * Since both icmp6_error and icmp6_redirect_output fill the embedded
478	 * link identifiers, we can do this stuff after making a copy for
479	 * returning an error.
480	 */
481	if ((rt->rt_ifp->if_flags & IFF_LOOPBACK) != 0) {
482		/*
483		 * See corresponding comments in ip6_output.
484		 * XXX: but is it possible that ip6_forward() sends a packet
485		 *      to a loopback interface? I don't think so, and thus
486		 *      I bark here. (jinmei@kame.net)
487		 * XXX: it is common to route invalid packets to loopback.
488		 *	also, the codepath will be visited on use of ::1 in
489		 *	rthdr. (itojun)
490		 */
491#if 1
492		if (0)
493#else
494		if ((rt->rt_flags & (RTF_BLACKHOLE|RTF_REJECT)) == 0)
495#endif
496		{
497			printf("ip6_forward: outgoing interface is loopback. "
498			       "src %s, dst %s, nxt %d, rcvif %s, outif %s\n",
499			       ip6_sprintf(&ip6->ip6_src),
500			       ip6_sprintf(&ip6->ip6_dst),
501			       ip6->ip6_nxt, if_name(m->m_pkthdr.rcvif),
502			       if_name(rt->rt_ifp));
503		}
504
505		/* we can just use rcvif in forwarding. */
506		origifp = m->m_pkthdr.rcvif;
507	}
508	else
509		origifp = rt->rt_ifp;
510#ifndef SCOPEDROUTING
511	/*
512	 * clear embedded scope identifiers if necessary.
513	 * in6_clearscope will touch the addresses only when necessary.
514	 */
515	in6_clearscope(&ip6->ip6_src);
516	in6_clearscope(&ip6->ip6_dst);
517#endif
518
519#ifdef PFIL_HOOKS
520	/*
521	 * Run through list of hooks for output packets.
522	 */
523	m1 = m;
524	pfh = pfil_hook_get(PFIL_OUT, &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
525	for (; pfh; pfh = pfh->pfil_link.tqe_next)
526		if (pfh->pfil_func) {
527			rv = pfh->pfil_func(ip6, sizeof(*ip6),
528					    rt->rt_ifp, 1, &m1);
529			if (rv) {
530				error = EHOSTUNREACH;
531				goto freecopy;
532			}
533			m = m1;
534			if (m == NULL)
535				goto freecopy;
536			ip6 = mtod(m, struct ip6_hdr *);
537		}
538#endif /* PFIL_HOOKS */
539
540	error = nd6_output(rt->rt_ifp, origifp, m, dst, rt);
541	if (error) {
542		in6_ifstat_inc(rt->rt_ifp, ifs6_out_discard);
543		ip6stat.ip6s_cantforward++;
544	} else {
545		ip6stat.ip6s_forward++;
546		in6_ifstat_inc(rt->rt_ifp, ifs6_out_forward);
547		if (type)
548			ip6stat.ip6s_redirectsent++;
549		else {
550			if (mcopy)
551				goto freecopy;
552		}
553	}
554	if (mcopy == NULL)
555		return;
556
557	switch (error) {
558	case 0:
559#if 1
560		if (type == ND_REDIRECT) {
561			icmp6_redirect_output(mcopy, rt);
562			return;
563		}
564#endif
565		goto freecopy;
566
567	case EMSGSIZE:
568		/* xxx MTU is constant in PPP? */
569		goto freecopy;
570
571	case ENOBUFS:
572		/* Tell source to slow down like source quench in IP? */
573		goto freecopy;
574
575	case ENETUNREACH:	/* shouldn't happen, checked above */
576	case EHOSTUNREACH:
577	case ENETDOWN:
578	case EHOSTDOWN:
579	default:
580		type = ICMP6_DST_UNREACH;
581		code = ICMP6_DST_UNREACH_ADDR;
582		break;
583	}
584	icmp6_error(mcopy, type, code, 0);
585	return;
586
587 freecopy:
588	m_freem(mcopy);
589	return;
590}
591