icmp6.c revision 55009
1/*
2 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in the
12 *    documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the project nor the names of its contributors
14 *    may be used to endorse or promote products derived from this software
15 *    without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 * $FreeBSD: head/sys/netinet6/icmp6.c 55009 1999-12-22 19:13:38Z shin $
30 */
31
32/*
33 * Copyright (c) 1982, 1986, 1988, 1993
34 *	The Regents of the University of California.  All rights reserved.
35 *
36 * Redistribution and use in source and binary forms, with or without
37 * modification, are permitted provided that the following conditions
38 * are met:
39 * 1. Redistributions of source code must retain the above copyright
40 *    notice, this list of conditions and the following disclaimer.
41 * 2. Redistributions in binary form must reproduce the above copyright
42 *    notice, this list of conditions and the following disclaimer in the
43 *    documentation and/or other materials provided with the distribution.
44 * 3. All advertising materials mentioning features or use of this software
45 *    must display the following acknowledgement:
46 *	This product includes software developed by the University of
47 *	California, Berkeley and its contributors.
48 * 4. Neither the name of the University nor the names of its contributors
49 *    may be used to endorse or promote products derived from this software
50 *    without specific prior written permission.
51 *
52 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
53 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
54 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
55 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
56 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
57 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
58 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
59 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
60 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
61 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
62 * SUCH DAMAGE.
63 *
64 *	@(#)ip_icmp.c	8.2 (Berkeley) 1/4/94
65 */
66
67#include "opt_ipsec.h"
68
69#include <sys/param.h>
70#include <sys/systm.h>
71#include <sys/malloc.h>
72#include <sys/mbuf.h>
73#include <sys/protosw.h>
74#include <sys/socket.h>
75#include <sys/socketvar.h>
76#include <sys/time.h>
77#include <sys/kernel.h>
78#include <sys/syslog.h>
79#include <sys/domain.h>
80
81#include <net/if.h>
82#include <net/route.h>
83#include <net/if_dl.h>
84#include <net/if_types.h>
85
86#include <netinet/in.h>
87#include <netinet/in_var.h>
88#include <netinet6/ip6.h>
89#include <netinet6/ip6_var.h>
90#include <netinet6/icmp6.h>
91#include <netinet6/mld6_var.h>
92#include <netinet/in_pcb.h>
93#include <netinet6/nd6.h>
94#include <netinet6/in6_ifattach.h>
95#include <netinet6/ip6protosw.h>
96
97#ifdef IPSEC
98#include <netinet6/ipsec.h>
99#include <netinet6/ah.h>
100#include <netinet6/ipsec6.h>
101#include <netinet6/ah6.h>
102#include <netkey/key.h>
103#ifdef IPSEC_DEBUG
104#include <netkey/key_debug.h>
105#else
106#define KEYDEBUG(lev,arg)
107#endif
108#endif /* IPSEC */
109
110#include "faith.h"
111
112#include <net/net_osdep.h>
113
114extern struct	domain inet6domain;
115extern struct	ip6protosw inet6sw[];
116extern u_char	ip6_protox[];
117
118struct	icmp6stat icmp6stat;
119
120extern struct	inpcbhead ripcb;
121extern u_int	icmp6errratelim;
122
123static int	icmp6_rip6_input __P((struct mbuf **, int));
124static int	icmp6_ratelimit __P((const struct in6_addr *, const int, const int));
125static const char	*icmp6_redirect_diag __P((struct in6_addr *,
126						  struct in6_addr *,
127						  struct in6_addr *));
128static struct	mbuf *ni6_input __P((struct mbuf *, int));
129static int	ni6_addrs __P((struct icmp6_nodeinfo *, struct mbuf *,
130			       struct ifnet **));
131static int	ni6_store_addrs __P((struct icmp6_nodeinfo *,
132				     struct icmp6_nodeinfo *,
133				     struct ifnet *, int));
134
135#ifdef COMPAT_RFC1885
136static struct	route_in6 icmp6_reflect_rt;
137#endif
138static struct	timeval icmp6_nextsend = {0, 0};
139
140void
141icmp6_init()
142{
143	mld6_init();
144}
145
146/*
147 * Generate an error packet of type error in response to bad IP6 packet.
148 */
149void
150icmp6_error(m, type, code, param)
151	struct mbuf *m;
152	int type, code, param;
153{
154	struct ip6_hdr *oip6, *nip6;
155	struct icmp6_hdr *icmp6;
156	u_int prep;
157	int off;
158	u_char nxt;
159
160	icmp6stat.icp6s_error++;
161
162	if (m->m_flags & M_DECRYPTED)
163		goto freeit;
164
165	oip6 = mtod(m, struct ip6_hdr *);
166
167	/*
168	 * Multicast destination check. For unrecognized option errors,
169	 * this check has already done in ip6_unknown_opt(), so we can
170	 * check only for other errors.
171	 */
172	if ((m->m_flags & (M_BCAST|M_MCAST) ||
173	     IN6_IS_ADDR_MULTICAST(&oip6->ip6_dst)) &&
174	    (type != ICMP6_PACKET_TOO_BIG &&
175	     (type != ICMP6_PARAM_PROB ||
176	      code != ICMP6_PARAMPROB_OPTION)))
177		goto freeit;
178
179	/* Source address check. XXX: the case of anycast source? */
180	if (IN6_IS_ADDR_UNSPECIFIED(&oip6->ip6_src) ||
181	    IN6_IS_ADDR_MULTICAST(&oip6->ip6_src))
182		goto freeit;
183
184	/*
185	 * If the erroneous packet is also an ICMP error, discard it.
186	 */
187	IP6_EXTHDR_CHECK(m, 0, sizeof(struct ip6_hdr), );
188	off = sizeof(struct ip6_hdr);
189	nxt = oip6->ip6_nxt;
190	while(1) {		/* XXX: should avoid inf. loop explicitly? */
191		struct ip6_ext *ip6e;
192		struct icmp6_hdr *icp;
193
194		switch(nxt) {
195		case IPPROTO_IPV6:
196		case IPPROTO_IPV4:
197		case IPPROTO_UDP:
198		case IPPROTO_TCP:
199		case IPPROTO_ESP:
200		case IPPROTO_FRAGMENT:
201			/*
202			 * ICMPv6 error must not be fragmented.
203			 * XXX: but can we trust the sender?
204			 */
205		default:
206			/* What if unknown header followed by ICMP error? */
207			goto generate;
208		case IPPROTO_ICMPV6:
209			IP6_EXTHDR_CHECK(m, 0, off + sizeof(struct icmp6_hdr), );
210			icp = (struct icmp6_hdr *)(mtod(m, caddr_t) + off);
211			if (icp->icmp6_type < ICMP6_ECHO_REQUEST
212			 || icp->icmp6_type == ND_REDIRECT) {
213				/*
214				 * ICMPv6 error
215				 * Special case: for redirect (which is
216				 * informational) we must not send icmp6 error.
217				 */
218				icmp6stat.icp6s_canterror++;
219				goto freeit;
220			} else {
221				/* ICMPv6 informational */
222				goto generate;
223			}
224		case IPPROTO_HOPOPTS:
225		case IPPROTO_DSTOPTS:
226		case IPPROTO_ROUTING:
227		case IPPROTO_AH:
228			IP6_EXTHDR_CHECK(m, 0, off + sizeof(struct ip6_ext), );
229			ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + off);
230			if (nxt == IPPROTO_AH)
231				off += (ip6e->ip6e_len + 2) << 2;
232			else
233				off += (ip6e->ip6e_len + 1) << 3;
234			nxt = ip6e->ip6e_nxt;
235			break;
236		}
237	}
238
239  freeit:
240	/*
241	 * If we can't tell wheter or not we can generate ICMP6, free it.
242	 */
243	m_freem(m);
244	return;
245
246  generate:
247	oip6 = mtod(m, struct ip6_hdr *); /* adjust pointer */
248
249	/* Finally, do rate limitation check. */
250	if (icmp6_ratelimit(&oip6->ip6_src, type, code)) {
251		icmp6stat.icp6s_toofreq++;
252		goto freeit;
253	}
254
255	/*
256	 * OK, ICMP6 can be generated.
257	 */
258
259	if (m->m_pkthdr.len >= ICMPV6_PLD_MAXLEN)
260		m_adj(m, ICMPV6_PLD_MAXLEN - m->m_pkthdr.len);
261
262	prep = sizeof(struct ip6_hdr) + sizeof(struct icmp6_hdr);
263	M_PREPEND(m, prep, M_DONTWAIT);
264	if (m && m->m_len < prep)
265		m = m_pullup(m, prep);
266	if (m == NULL) {
267		printf("ENOBUFS in icmp6_error %d\n", __LINE__);
268		return;
269	}
270
271	nip6 = mtod(m, struct ip6_hdr *);
272	nip6->ip6_src  = oip6->ip6_src;
273	nip6->ip6_dst  = oip6->ip6_dst;
274
275	if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_src))
276		oip6->ip6_src.s6_addr16[1] = 0;
277	if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_dst))
278		oip6->ip6_dst.s6_addr16[1] = 0;
279
280	icmp6 = (struct icmp6_hdr *)(nip6 + 1);
281	icmp6->icmp6_type = type;
282	icmp6->icmp6_code = code;
283	icmp6->icmp6_pptr = htonl((u_int32_t)param);
284
285	icmp6stat.icp6s_outhist[type]++;
286	icmp6_reflect(m, sizeof(struct ip6_hdr)); /*header order: IPv6 - ICMPv6*/
287}
288
289/*
290 * Process a received ICMP6 message.
291 */
292int
293icmp6_input(mp, offp, proto)
294	struct mbuf **mp;
295	int *offp, proto;
296{
297	struct mbuf *m = *mp, *n;
298	struct ip6_hdr *ip6, *nip6;
299	struct icmp6_hdr *icmp6, *nicmp6;
300	int off = *offp;
301	int icmp6len = m->m_pkthdr.len - *offp;
302	int code, sum, noff;
303	struct sockaddr_in6 icmp6src;
304
305	IP6_EXTHDR_CHECK(m, off, sizeof(struct icmp6_hdr), IPPROTO_DONE);
306	/* m might change if M_LOOP. So, call mtod after this */
307
308	/*
309	 * Locate icmp6 structure in mbuf, and check
310	 * that not corrupted and of at least minimum length
311	 */
312
313	ip6 = mtod(m, struct ip6_hdr *);
314	if (icmp6len < sizeof(struct icmp6_hdr)) {
315		icmp6stat.icp6s_tooshort++;
316		goto freeit;
317	}
318
319	/*
320	 * calculate the checksum
321	 */
322
323	icmp6 = (struct icmp6_hdr *)((caddr_t)ip6 + off);
324	code = icmp6->icmp6_code;
325
326	if ((sum = in6_cksum(m, IPPROTO_ICMPV6, off, icmp6len)) != 0) {
327		log(LOG_ERR,
328		    "ICMP6 checksum error(%d|%x) %s\n",
329		    icmp6->icmp6_type,
330		    sum,
331		    ip6_sprintf(&ip6->ip6_src));
332		icmp6stat.icp6s_checksum++;
333		goto freeit;
334	}
335
336#if defined(NFAITH) && 0 < NFAITH
337	if (m->m_pkthdr.rcvif && m->m_pkthdr.rcvif->if_type == IFT_FAITH) {
338		/*
339		 * Deliver very specific ICMP6 type only.
340		 * This is important to deilver TOOBIG.  Otherwise PMTUD
341		 * will not work.
342		 */
343		switch (icmp6->icmp6_type) {
344		case ICMP6_DST_UNREACH:
345		case ICMP6_PACKET_TOO_BIG:
346		case ICMP6_TIME_EXCEEDED:
347			break;
348		default:
349			goto freeit;
350		}
351	}
352#endif
353
354#ifdef IPSEC
355	/* drop it if it does not match the default policy */
356	if (ipsec6_in_reject(m, NULL)) {
357		ipsecstat.in_polvio++;
358		goto freeit;
359	}
360#endif
361
362	icmp6stat.icp6s_inhist[icmp6->icmp6_type]++;
363	icmp6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_msg);
364	if (icmp6->icmp6_type < ICMP6_INFOMSG_MASK)
365		icmp6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_error);
366
367	switch (icmp6->icmp6_type) {
368
369	case ICMP6_DST_UNREACH:
370		icmp6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_dstunreach);
371		switch (code) {
372		case ICMP6_DST_UNREACH_NOROUTE:
373			code = PRC_UNREACH_NET;
374			break;
375		case ICMP6_DST_UNREACH_ADMIN:
376			icmp6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_adminprohib);
377		case ICMP6_DST_UNREACH_ADDR:
378			code = PRC_UNREACH_HOST;
379			break;
380		case ICMP6_DST_UNREACH_NOTNEIGHBOR:
381			code = PRC_UNREACH_SRCFAIL;
382			break;
383		case ICMP6_DST_UNREACH_NOPORT:
384			code = PRC_UNREACH_PORT;
385			break;
386		default:
387			goto badcode;
388		}
389		goto deliver;
390		break;
391
392	case ICMP6_PACKET_TOO_BIG:
393		icmp6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_pkttoobig);
394		if (code != 0)
395			goto badcode;
396	    {
397		u_int mtu = ntohl(icmp6->icmp6_mtu);
398		struct rtentry *rt = NULL;
399		struct sockaddr_in6 sin6;
400
401		code = PRC_MSGSIZE;
402		bzero(&sin6, sizeof(sin6));
403		sin6.sin6_family = PF_INET6;
404		sin6.sin6_len = sizeof(struct sockaddr_in6);
405		sin6.sin6_addr = ((struct ip6_hdr *)(icmp6 + 1))->ip6_dst;
406		rt = rtalloc1((struct sockaddr *)&sin6, 0,
407			RTF_CLONING | RTF_PRCLONING);
408		if (rt && (rt->rt_flags & RTF_HOST)
409		    && !(rt->rt_rmx.rmx_locks & RTV_MTU)) {
410			if (mtu < IPV6_MMTU) {
411				/* xxx */
412				rt->rt_rmx.rmx_locks |= RTV_MTU;
413			} else if (mtu < rt->rt_ifp->if_mtu &&
414				   rt->rt_rmx.rmx_mtu > mtu) {
415				rt->rt_rmx.rmx_mtu = mtu;
416			}
417		}
418		if (rt)
419			RTFREE(rt);
420
421		goto deliver;
422	    }
423		break;
424
425	case ICMP6_TIME_EXCEEDED:
426		icmp6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_timeexceed);
427		switch (code) {
428		case ICMP6_TIME_EXCEED_TRANSIT:
429		case ICMP6_TIME_EXCEED_REASSEMBLY:
430			code += PRC_TIMXCEED_INTRANS;
431			break;
432		default:
433			goto badcode;
434		}
435		goto deliver;
436		break;
437
438	case ICMP6_PARAM_PROB:
439		icmp6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_paramprob);
440		switch (code) {
441		case ICMP6_PARAMPROB_NEXTHEADER:
442			code = PRC_UNREACH_PROTOCOL;
443			break;
444		case ICMP6_PARAMPROB_HEADER:
445		case ICMP6_PARAMPROB_OPTION:
446			code = PRC_PARAMPROB;
447			break;
448		default:
449			goto badcode;
450		}
451		goto deliver;
452		break;
453
454	case ICMP6_ECHO_REQUEST:
455		icmp6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_echo);
456		if (code != 0)
457			goto badcode;
458		if ((n = m_copy(m, 0, M_COPYALL)) == NULL) {
459			/* Give up remote */
460			break;
461		}
462		if (n->m_flags & M_EXT) {
463			int gap, move;
464			struct mbuf *n0 = n;
465
466			/*
467			 * Prepare an internal mbuf. m_pullup() doesn't
468			 * always copy the length we specified.
469			 */
470			MGETHDR(n, M_DONTWAIT, n0->m_type);
471			if (n == NULL) {
472				/* Give up remote */
473				m_freem(n0);
474				break;
475			}
476			M_COPY_PKTHDR(n, n0);
477			n0->m_flags &= ~M_PKTHDR;
478			n->m_next = n0;
479			/*
480			 * Copy IPv6 and ICMPv6 only.
481			 */
482			nip6 = mtod(n, struct ip6_hdr *);
483			bcopy(ip6, nip6, sizeof(struct ip6_hdr));
484			nicmp6 = (struct icmp6_hdr *)(nip6 + 1);
485			bcopy(icmp6, nicmp6, sizeof(struct icmp6_hdr));
486			/*
487			 * Adjust mbuf. ip6_plen will be adjusted.
488			 */
489			noff = sizeof(struct ip6_hdr);
490			n->m_len = noff + sizeof(struct icmp6_hdr);
491			move = off + sizeof(struct icmp6_hdr);
492			n0->m_len -= move;
493			n0->m_data += move;
494			gap = off - noff;
495			n->m_pkthdr.len -= gap;
496		} else {
497			nip6 = mtod(n, struct ip6_hdr *);
498			nicmp6 = (struct icmp6_hdr *)((caddr_t)nip6 + off);
499			noff = off;
500		}
501		nicmp6->icmp6_type = ICMP6_ECHO_REPLY;
502		nicmp6->icmp6_code = 0;
503		if (n) {
504			icmp6stat.icp6s_reflect++;
505			icmp6stat.icp6s_outhist[ICMP6_ECHO_REPLY]++;
506			icmp6_reflect(n, noff);
507		}
508		break;
509
510	case ICMP6_ECHO_REPLY:
511		icmp6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_echoreply);
512		if (code != 0)
513			goto badcode;
514		break;
515
516	case MLD6_LISTENER_QUERY:
517	case MLD6_LISTENER_REPORT:
518		if (icmp6len < sizeof(struct mld6_hdr))
519			goto badlen;
520		if (icmp6->icmp6_type == MLD6_LISTENER_QUERY) /* XXX: ugly... */
521			icmp6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_mldquery);
522		else
523			icmp6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_mldreport);
524		IP6_EXTHDR_CHECK(m, off, icmp6len, IPPROTO_DONE);
525		mld6_input(m, off);
526		/* m stays. */
527		break;
528
529	case MLD6_LISTENER_DONE:
530		icmp6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_mlddone);
531		if (icmp6len < sizeof(struct mld6_hdr))	/* necessary? */
532			goto badlen;
533		break;		/* nothing to be done in kernel */
534
535	case MLD6_MTRACE_RESP:
536	case MLD6_MTRACE:
537		/* XXX: these two are experimental. not officially defind. */
538		/* XXX: per-interface statistics? */
539		break;		/* just pass it to the userland daemon */
540
541	case ICMP6_WRUREQUEST:	/* ICMP6_FQDN_QUERY */
542	    {
543		enum { WRU, FQDN } mode;
544
545		if (code != 0)
546			goto badcode;
547		if (icmp6len == sizeof(struct icmp6_hdr) + 4)
548			mode = WRU;
549		else if (icmp6len >= sizeof(struct icmp6_hdr) + 8) /* XXX */
550			mode = FQDN;
551		else
552			goto badlen;
553
554#define hostnamelen	strlen(hostname)
555		if (mode == FQDN) {
556			IP6_EXTHDR_CHECK(m, off, sizeof(struct icmp6_nodeinfo),
557					 IPPROTO_DONE);
558			n = ni6_input(m, off);
559			noff = sizeof(struct ip6_hdr);
560		} else {
561			u_char *p;
562
563			MGETHDR(n, M_DONTWAIT, m->m_type);
564			if (n == NULL) {
565				/* Give up remote */
566				break;
567			}
568			/*
569			 * Copy IPv6 and ICMPv6 only.
570			 */
571			nip6 = mtod(n, struct ip6_hdr *);
572			bcopy(ip6, nip6, sizeof(struct ip6_hdr));
573			nicmp6 = (struct icmp6_hdr *)(nip6 + 1);
574			bcopy(icmp6, nicmp6, sizeof(struct icmp6_hdr));
575			p = (u_char *)(nicmp6 + 1);
576			bzero(p, 4);
577			bcopy(hostname, p + 4, hostnamelen);
578			noff = sizeof(struct ip6_hdr);
579			M_COPY_PKTHDR(n, m); /* just for recvif */
580			n->m_pkthdr.len = n->m_len = sizeof(struct ip6_hdr) +
581				sizeof(struct icmp6_hdr) + 4 + hostnamelen;
582			nicmp6->icmp6_type = ICMP6_WRUREPLY;
583			nicmp6->icmp6_code = 0;
584		}
585#undef hostnamelen
586		if (n) {
587			icmp6stat.icp6s_reflect++;
588			icmp6stat.icp6s_outhist[ICMP6_WRUREPLY]++;
589			icmp6_reflect(n, noff);
590		}
591		break;
592	    }
593
594	case ICMP6_WRUREPLY:
595		if (code != 0)
596			goto badcode;
597		break;
598
599	case ND_ROUTER_SOLICIT:
600		icmp6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_routersolicit);
601		if (code != 0)
602			goto badcode;
603		if (icmp6len < sizeof(struct nd_router_solicit))
604			goto badlen;
605		IP6_EXTHDR_CHECK(m, off, icmp6len, IPPROTO_DONE);
606		nd6_rs_input(m, off, icmp6len);
607		/* m stays. */
608		break;
609
610	case ND_ROUTER_ADVERT:
611		icmp6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_routeradvert);
612		if (code != 0)
613			goto badcode;
614		if (icmp6len < sizeof(struct nd_router_advert))
615			goto badlen;
616		IP6_EXTHDR_CHECK(m, off, icmp6len, IPPROTO_DONE);
617		nd6_ra_input(m, off, icmp6len);
618		/* m stays. */
619		break;
620
621	case ND_NEIGHBOR_SOLICIT:
622		icmp6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_neighborsolicit);
623		if (code != 0)
624			goto badcode;
625		if (icmp6len < sizeof(struct nd_neighbor_solicit))
626			goto badlen;
627		IP6_EXTHDR_CHECK(m, off, icmp6len, IPPROTO_DONE);
628		nd6_ns_input(m, off, icmp6len);
629		/* m stays. */
630		break;
631
632	case ND_NEIGHBOR_ADVERT:
633		icmp6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_neighboradvert);
634		if (code != 0)
635			goto badcode;
636		if (icmp6len < sizeof(struct nd_neighbor_advert))
637			goto badlen;
638		IP6_EXTHDR_CHECK(m, off, icmp6len, IPPROTO_DONE);
639		nd6_na_input(m, off, icmp6len);
640		/* m stays. */
641		break;
642
643	case ND_REDIRECT:
644		icmp6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_redirect);
645		if (code != 0)
646			goto badcode;
647		if (icmp6len < sizeof(struct nd_redirect))
648			goto badlen;
649		icmp6_redirect_input(m, off);
650		/* m stays. */
651		break;
652
653	case ICMP6_ROUTER_RENUMBERING:
654		if (code != ICMP6_ROUTER_RENUMBERING_COMMAND &&
655		    code != ICMP6_ROUTER_RENUMBERING_RESULT)
656			goto badcode;
657		if (icmp6len < sizeof(struct icmp6_router_renum))
658			goto badlen;
659		break;
660
661	default:
662		printf("icmp6_input: unknown type %d(src=%s, dst=%s, ifid=%d)\n",
663		       icmp6->icmp6_type, ip6_sprintf(&ip6->ip6_src),
664		       ip6_sprintf(&ip6->ip6_dst),
665		       m->m_pkthdr.rcvif ? m->m_pkthdr.rcvif->if_index : 0);
666		if (icmp6->icmp6_type < ICMP6_ECHO_REQUEST) {
667			/* ICMPv6 error: MUST deliver it by spec... */
668			code = PRC_NCMDS;
669			/* deliver */
670		} else {
671			/* ICMPv6 informational: MUST not deliver */
672			break;
673		}
674	deliver:
675		if (icmp6len < sizeof(struct icmp6_hdr) + sizeof(struct ip6_hdr)) {
676			icmp6stat.icp6s_tooshort++;
677			goto freeit;
678		}
679		IP6_EXTHDR_CHECK(m, off,
680			sizeof(struct icmp6_hdr) + sizeof(struct ip6_hdr),
681			IPPROTO_DONE);
682		icmp6 = (struct icmp6_hdr *)(mtod(m, caddr_t) + off);
683		bzero(&icmp6src, sizeof(icmp6src));
684		icmp6src.sin6_len = sizeof(struct sockaddr_in6);
685		icmp6src.sin6_family = AF_INET6;
686		icmp6src.sin6_addr = ((struct ip6_hdr *)(icmp6 + 1))->ip6_dst;
687
688		/* Detect the upper level protocol */
689	    {
690		void (*ctlfunc) __P((int, struct sockaddr *, void *));
691		struct ip6_hdr *eip6 = (struct ip6_hdr *)(icmp6 + 1);
692		u_int8_t nxt = eip6->ip6_nxt;
693		int eoff = off + sizeof(struct icmp6_hdr) +
694			sizeof(struct ip6_hdr);
695		struct ip6ctlparam ip6cp;
696
697		while (1) { /* XXX: should avoid inf. loop explicitly? */
698			struct ip6_ext *eh;
699
700			switch(nxt) {
701			case IPPROTO_ESP:
702			case IPPROTO_NONE:
703				goto passit;
704			case IPPROTO_HOPOPTS:
705			case IPPROTO_DSTOPTS:
706			case IPPROTO_ROUTING:
707			case IPPROTO_AH:
708			case IPPROTO_FRAGMENT:
709				IP6_EXTHDR_CHECK(m, 0, eoff +
710						 sizeof(struct ip6_ext),
711						 IPPROTO_DONE);
712				eh = (struct ip6_ext *)(mtod(m, caddr_t)
713							+ eoff);
714				if (nxt == IPPROTO_AH)
715					eoff += (eh->ip6e_len + 2) << 2;
716				else if (nxt == IPPROTO_FRAGMENT)
717					eoff += sizeof(struct ip6_frag);
718				else
719					eoff += (eh->ip6e_len + 1) << 3;
720				nxt = eh->ip6e_nxt;
721				break;
722			default:
723				goto notify;
724			}
725		}
726	    notify:
727		icmp6 = (struct icmp6_hdr *)(mtod(m, caddr_t) + off);
728		ctlfunc = (void (*) __P((int, struct sockaddr *, void *)))
729			(inet6sw[ip6_protox[nxt]].pr_ctlinput);
730		if (ctlfunc) {
731			ip6cp.ip6c_m = m;
732			ip6cp.ip6c_ip6 = (struct ip6_hdr *)(icmp6 + 1);
733			ip6cp.ip6c_off = eoff;
734			(*ctlfunc)(code, (struct sockaddr *)&icmp6src, &ip6cp);
735		}
736	    }
737		break;
738
739	badcode:
740		icmp6stat.icp6s_badcode++;
741		break;
742
743	badlen:
744		icmp6stat.icp6s_badlen++;
745		break;
746	}
747
748 passit:
749	icmp6_rip6_input(&m, *offp);
750	return IPPROTO_DONE;
751
752 freeit:
753	m_freem(m);
754	return IPPROTO_DONE;
755}
756
757/*
758 * Process a Node Information Query
759 */
760#define	hostnamelen	strlen(hostname)
761#ifndef offsetof		/* XXX */
762#define	offsetof(type, member)	((size_t)(&((type *)0)->member))
763#endif
764
765static struct mbuf *
766ni6_input(m, off)
767	struct mbuf *m;
768	int off;
769{
770	struct icmp6_nodeinfo *ni6 =
771		(struct icmp6_nodeinfo *)(mtod(m, caddr_t) + off), *nni6;
772	struct mbuf *n = NULL;
773	u_int16_t qtype = ntohs(ni6->ni_qtype);
774	int replylen = sizeof(struct ip6_hdr) + sizeof(struct icmp6_nodeinfo);
775	struct ni_reply_fqdn *fqdn;
776	int addrs;		/* for NI_QTYPE_NODEADDR */
777	struct ifnet *ifp = NULL; /* for NI_QTYPE_NODEADDR */
778
779	switch(qtype) {
780	 case NI_QTYPE_NOOP:
781		 break;		/* no reply data */
782	 case NI_QTYPE_SUPTYPES:
783		 goto bad;	/* xxx: to be implemented */
784		 break;
785	 case NI_QTYPE_FQDN:
786		 replylen += offsetof(struct ni_reply_fqdn, ni_fqdn_name) +
787			 hostnamelen;
788		 break;
789	 case NI_QTYPE_NODEADDR:
790		 addrs = ni6_addrs(ni6, m, &ifp);
791		 if ((replylen += addrs * sizeof(struct in6_addr)) > MCLBYTES)
792			 replylen = MCLBYTES; /* XXX: we'll truncate later */
793
794		 break;
795	 default:
796		 /*
797		  * XXX: We must return a reply with the ICMP6 code
798		  * `unknown Qtype' in this case. However we regard the case
799		  * as an FQDN query for backward compatibility.
800		  * Older versions set a random value to this field,
801		  * so it rarely varies in the defined qtypes.
802		  * But the mechanism is not reliable...
803		  * maybe we should obsolete older versions.
804		  */
805		 qtype = NI_QTYPE_FQDN;
806		 replylen += offsetof(struct ni_reply_fqdn, ni_fqdn_name) +
807			 hostnamelen;
808		 break;
809	}
810
811	/* allocate a mbuf to reply. */
812	MGETHDR(n, M_DONTWAIT, m->m_type);
813	if (n == NULL)
814		return(NULL);
815	M_COPY_PKTHDR(n, m); /* just for recvif */
816	if (replylen > MHLEN) {
817		if (replylen > MCLBYTES)
818			 /*
819			  * XXX: should we try to allocate more? But MCLBYTES is
820			  * probably much larger than IPV6_MMTU...
821			  */
822			goto bad;
823		MCLGET(n, M_DONTWAIT);
824		if ((n->m_flags & M_EXT) == 0) {
825			goto bad;
826		}
827	}
828	n->m_pkthdr.len = n->m_len = replylen;
829
830	/* copy mbuf header and IPv6 + Node Information base headers */
831	bcopy(mtod(m, caddr_t), mtod(n, caddr_t), sizeof(struct ip6_hdr));
832	nni6 = (struct icmp6_nodeinfo *)(mtod(n, struct ip6_hdr *) + 1);
833	bcopy(mtod(m, caddr_t) + off, (caddr_t)nni6, sizeof(struct icmp6_nodeinfo));
834
835	/* qtype dependent procedure */
836	switch (qtype) {
837	 case NI_QTYPE_NOOP:
838		 nni6->ni_flags = 0;
839		 break;
840	 case NI_QTYPE_SUPTYPES:
841		 goto bad;	/* xxx: to be implemented */
842		 break;
843	 case NI_QTYPE_FQDN:
844		 if (hostnamelen > 255) { /* XXX: rare case, but may happen */
845			 printf("ni6_input: "
846				"hostname length(%d) is too large for reply\n",
847				hostnamelen);
848			 goto bad;
849		 }
850		 fqdn = (struct ni_reply_fqdn *)(mtod(n, caddr_t) +
851						 sizeof(struct ip6_hdr) +
852						 sizeof(struct icmp6_nodeinfo));
853		 nni6->ni_flags = 0; /* XXX: meaningless TTL */
854		 fqdn->ni_fqdn_ttl = 0;	/* ditto. */
855		 fqdn->ni_fqdn_namelen = hostnamelen;
856		 bcopy(hostname, &fqdn->ni_fqdn_name[0], hostnamelen);
857		 break;
858	 case NI_QTYPE_NODEADDR:
859	 {
860		 int lenlim, copied;
861
862		 if (n->m_flags & M_EXT)
863			 lenlim = MCLBYTES - sizeof(struct ip6_hdr) -
864				 sizeof(struct icmp6_nodeinfo);
865		 else
866			 lenlim = MHLEN - sizeof(struct ip6_hdr) -
867				 sizeof(struct icmp6_nodeinfo);
868		 copied = ni6_store_addrs(ni6, nni6, ifp, lenlim);
869		 /* XXX: reset mbuf length */
870		 n->m_pkthdr.len = n->m_len = sizeof(struct ip6_hdr) +
871			 sizeof(struct icmp6_nodeinfo) + copied;
872		 break;
873	 }
874	 default:
875		 break;		/* XXX impossible! */
876	}
877
878	nni6->ni_type = ICMP6_NI_REPLY;
879	nni6->ni_code = ICMP6_NI_SUCESS;
880	return(n);
881
882  bad:
883	if (n)
884		m_freem(n);
885	return(NULL);
886}
887#undef hostnamelen
888
889/*
890 * calculate the number of addresses to be returned in the node info reply.
891 */
892static int
893ni6_addrs(ni6, m, ifpp)
894	struct icmp6_nodeinfo *ni6;
895	struct mbuf *m;
896	struct ifnet **ifpp;
897{
898	register struct ifnet *ifp;
899	register struct in6_ifaddr *ifa6;
900	register struct ifaddr *ifa;
901	struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
902	int addrs = 0, addrsofif, iffound = 0;
903
904	for (ifp = TAILQ_FIRST(&ifnet); ifp; ifp = TAILQ_NEXT(ifp, if_list))
905	{
906		addrsofif = 0;
907		TAILQ_FOREACH(ifa, &ifp->if_addrlist, ifa_list)
908		{
909			if (ifa->ifa_addr->sa_family != AF_INET6)
910				continue;
911			ifa6 = (struct in6_ifaddr *)ifa;
912
913			if (!(ni6->ni_flags & NI_NODEADDR_FLAG_ALL) &&
914			    IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst,
915					       &ifa6->ia_addr.sin6_addr))
916				iffound = 1;
917
918			if (ifa6->ia6_flags & IN6_IFF_ANYCAST)
919				continue; /* we need only unicast addresses */
920
921			if ((ni6->ni_flags & (NI_NODEADDR_FLAG_LINKLOCAL |
922					      NI_NODEADDR_FLAG_SITELOCAL |
923					      NI_NODEADDR_FLAG_GLOBAL)) == 0)
924				continue;
925
926			/* What do we have to do about ::1? */
927			switch(in6_addrscope(&ifa6->ia_addr.sin6_addr)) {
928			 case IPV6_ADDR_SCOPE_LINKLOCAL:
929				if (ni6->ni_flags & NI_NODEADDR_FLAG_LINKLOCAL)
930					addrsofif++;
931				break;
932			 case IPV6_ADDR_SCOPE_SITELOCAL:
933				if (ni6->ni_flags & NI_NODEADDR_FLAG_SITELOCAL)
934					addrsofif++;
935				break;
936			 case IPV6_ADDR_SCOPE_GLOBAL:
937				 if (ni6->ni_flags & NI_NODEADDR_FLAG_GLOBAL)
938					 addrsofif++;
939				 break;
940			 default:
941				 continue;
942			}
943		}
944		if (iffound) {
945			*ifpp = ifp;
946			return(addrsofif);
947		}
948
949		addrs += addrsofif;
950	}
951
952	return(addrs);
953}
954
955static int
956ni6_store_addrs(ni6, nni6, ifp0, resid)
957	struct icmp6_nodeinfo *ni6, *nni6;
958	struct ifnet *ifp0;
959	int resid;
960{
961	register struct ifnet *ifp = ifp0 ? ifp0 : TAILQ_FIRST(&ifnet);
962	register struct in6_ifaddr *ifa6;
963	register struct ifaddr *ifa;
964	int docopy, copied = 0;
965	u_char *cp = (u_char *)(nni6 + 1);
966
967	if (ifp0 == NULL && !(ni6->ni_flags & NI_NODEADDR_FLAG_ALL))
968		return(0);	/* needless to copy */
969
970	for (; ifp; ifp = TAILQ_NEXT(ifp, if_list))
971	{
972		TAILQ_FOREACH(ifa, &ifp->if_addrlist, ifa_list)
973		{
974			docopy = 0;
975
976			if (ifa->ifa_addr->sa_family != AF_INET6)
977				continue;
978			ifa6 = (struct in6_ifaddr *)ifa;
979
980			if (ifa6->ia6_flags & IN6_IFF_ANYCAST) {
981				/* just experimental. not in the spec. */
982				if (ni6->ni_flags & NI_NODEADDR_FLAG_ANYCAST)
983					docopy = 1;
984				else
985					continue;
986			} else {	/* unicast address */
987				if (ni6->ni_flags & NI_NODEADDR_FLAG_ANYCAST)
988					continue;
989				else
990					docopy = 1;
991			}
992
993			/* What do we have to do about ::1? */
994			switch(in6_addrscope(&ifa6->ia_addr.sin6_addr)) {
995			 case IPV6_ADDR_SCOPE_LINKLOCAL:
996				if (ni6->ni_flags & NI_NODEADDR_FLAG_LINKLOCAL)
997					docopy = 1;
998				break;
999			 case IPV6_ADDR_SCOPE_SITELOCAL:
1000				if (ni6->ni_flags & NI_NODEADDR_FLAG_SITELOCAL)
1001					docopy = 1;
1002				break;
1003			 case IPV6_ADDR_SCOPE_GLOBAL:
1004				 if (ni6->ni_flags & NI_NODEADDR_FLAG_GLOBAL)
1005					 docopy = 1;
1006				 break;
1007			 default:
1008				 continue;
1009			}
1010
1011			if (docopy) {
1012				if (resid < sizeof(struct in6_addr)) {
1013					/*
1014					 * We give up much more copy.
1015					 * Set the truncate flag and return.
1016					 */
1017					nni6->ni_flags |=
1018						NI_NODEADDR_FLAG_TRUNCATE;
1019					return(copied);
1020				}
1021				bcopy(&ifa6->ia_addr.sin6_addr, cp,
1022				      sizeof(struct in6_addr));
1023				/* XXX: KAME link-local hack; remove ifindex */
1024				if (IN6_IS_ADDR_LINKLOCAL(&ifa6->ia_addr.sin6_addr))
1025					((struct in6_addr *)cp)->s6_addr16[1] = 0;
1026				cp += sizeof(struct in6_addr);
1027				resid -= sizeof(struct in6_addr);
1028				copied += sizeof(struct in6_addr);
1029			}
1030		}
1031		if (ifp0)	/* we need search only on the specified IF */
1032			break;
1033	}
1034
1035	return(copied);
1036}
1037
1038/*
1039 * XXX almost dup'ed code with rip6_input.
1040 */
1041static int
1042icmp6_rip6_input(mp, off)
1043	struct	mbuf **mp;
1044	int	off;
1045{
1046	struct mbuf *m = *mp;
1047	register struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
1048	register struct in6pcb *in6p;
1049	struct in6pcb *last = NULL;
1050	struct sockaddr_in6 rip6src;
1051	struct icmp6_hdr *icmp6;
1052	struct mbuf *opts = NULL;
1053
1054	/* this is assumed to be safe. */
1055	icmp6 = (struct icmp6_hdr *)((caddr_t)ip6 + off);
1056
1057	bzero(&rip6src, sizeof(rip6src));
1058	rip6src.sin6_len = sizeof(struct sockaddr_in6);
1059	rip6src.sin6_family = AF_INET6;
1060	rip6src.sin6_addr = ip6->ip6_src;
1061	if (IN6_IS_SCOPE_LINKLOCAL(&rip6src.sin6_addr))
1062		rip6src.sin6_addr.s6_addr16[1] = 0;
1063	if (m->m_pkthdr.rcvif) {
1064		if (IN6_IS_SCOPE_LINKLOCAL(&rip6src.sin6_addr))
1065			rip6src.sin6_scope_id = m->m_pkthdr.rcvif->if_index;
1066		else
1067			rip6src.sin6_scope_id = 0;
1068	} else
1069		rip6src.sin6_scope_id = 0;
1070
1071	LIST_FOREACH(in6p, &ripcb, inp_list)
1072	{
1073		if ((in6p->inp_vflag & INP_IPV6) == 0)
1074			continue;
1075		if (in6p->in6p_ip6_nxt != IPPROTO_ICMPV6)
1076			continue;
1077		if (!IN6_IS_ADDR_UNSPECIFIED(&in6p->in6p_laddr) &&
1078		   !IN6_ARE_ADDR_EQUAL(&in6p->in6p_laddr, &ip6->ip6_dst))
1079			continue;
1080		if (!IN6_IS_ADDR_UNSPECIFIED(&in6p->in6p_faddr) &&
1081		   !IN6_ARE_ADDR_EQUAL(&in6p->in6p_faddr, &ip6->ip6_src))
1082			continue;
1083		if (in6p->in6p_icmp6filt
1084		    && ICMP6_FILTER_WILLBLOCK(icmp6->icmp6_type,
1085				 in6p->in6p_icmp6filt))
1086			continue;
1087		if (last) {
1088			struct	mbuf *n;
1089			if ((n = m_copy(m, 0, (int)M_COPYALL)) != NULL) {
1090				if (last->in6p_flags & IN6P_CONTROLOPTS)
1091					ip6_savecontrol(last, &opts, ip6, n);
1092				/* strip intermediate headers */
1093				m_adj(n, off);
1094				if (sbappendaddr(&last->in6p_socket->so_rcv,
1095						 (struct sockaddr *)&rip6src,
1096						 n, opts) == 0) {
1097					/* should notify about lost packet */
1098					m_freem(n);
1099					if (opts)
1100						m_freem(opts);
1101				} else
1102					sorwakeup(last->in6p_socket);
1103				opts = NULL;
1104			}
1105		}
1106		last = in6p;
1107	}
1108	if (last) {
1109		if (last->in6p_flags & IN6P_CONTROLOPTS)
1110			ip6_savecontrol(last, &opts, ip6, m);
1111		/* strip intermediate headers */
1112		m_adj(m, off);
1113		if (sbappendaddr(&last->in6p_socket->so_rcv,
1114				(struct sockaddr *)&rip6src, m, opts) == 0) {
1115			m_freem(m);
1116			if (opts)
1117				m_freem(opts);
1118		} else
1119			sorwakeup(last->in6p_socket);
1120	} else {
1121		m_freem(m);
1122		ip6stat.ip6s_delivered--;
1123	}
1124	return IPPROTO_DONE;
1125}
1126
1127/*
1128 * Reflect the ip6 packet back to the source.
1129 * The caller MUST check if the destination is multicast or not.
1130 * This function is usually called with a unicast destination which
1131 * can be safely the source of the reply packet. But some exceptions
1132 * exist(e.g. ECHOREPLY, PATCKET_TOOBIG, "10" in OPTION type).
1133 * ``off'' points to the icmp6 header, counted from the top of the mbuf.
1134 */
1135void
1136icmp6_reflect(m, off)
1137	struct	mbuf *m;
1138	size_t off;
1139{
1140	struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
1141	struct icmp6_hdr *icmp6;
1142	struct in6_ifaddr *ia;
1143	struct in6_addr t, *src = 0;
1144	int plen = m->m_pkthdr.len - sizeof(struct ip6_hdr);
1145	int type, code;
1146	struct ifnet *outif = NULL;
1147#ifdef COMPAT_RFC1885
1148	int mtu = IPV6_MMTU;
1149	struct sockaddr_in6 *sin6 = &icmp6_reflect_rt.ro_dst;
1150#endif
1151
1152	/*
1153	 * If there are extra headers between IPv6 and ICMPv6, strip
1154	 * off that header first.
1155	 */
1156	if (off != sizeof(struct ip6_hdr)) {
1157		size_t siz;
1158
1159		/* sanity checks */
1160		if (off < sizeof(struct ip6_hdr)) {
1161			printf("sanity fail: off=%x, sizeof(ip6)=%x in %s:%d\n",
1162			       (unsigned int)off,
1163			       (unsigned int)sizeof(struct ip6_hdr),
1164			       __FILE__, __LINE__);
1165			goto bad;
1166		}
1167		siz = off - sizeof(struct ip6_hdr);
1168		if (plen < siz) {
1169			printf("sanity fail: siz=%x, payloadlen=%x in %s:%d\n",
1170			       (unsigned int)siz, plen, __FILE__, __LINE__);
1171			goto bad;
1172		}
1173		IP6_EXTHDR_CHECK(m, 0, off, /*nothing*/);
1174		IP6_EXTHDR_CHECK(m, off, sizeof(struct icmp6_hdr), /*nothing*/);
1175
1176		ovbcopy((caddr_t)ip6,
1177			(caddr_t)(mtod(m, u_char *) + siz),
1178			sizeof(struct ip6_hdr));
1179		m->m_data += siz;
1180		m->m_len -= siz;
1181		m->m_pkthdr.len -= siz;
1182		ip6 = mtod(m, struct ip6_hdr *);
1183		ip6->ip6_nxt = IPPROTO_ICMPV6;
1184		plen -= siz;
1185	}
1186
1187	icmp6 = (struct icmp6_hdr *)(ip6 + 1);
1188	type = icmp6->icmp6_type; /* keep type for statistics */
1189	code = icmp6->icmp6_code; /* ditto. */
1190
1191	t = ip6->ip6_dst;
1192	/*
1193	 * ip6_input() drops a packet if its src is multicast.
1194	 * So, the src is never multicast.
1195	 */
1196	ip6->ip6_dst = ip6->ip6_src;
1197
1198	/* XXX hack for link-local addresses */
1199	if (IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_dst))
1200		ip6->ip6_dst.s6_addr16[1] =
1201			htons(m->m_pkthdr.rcvif->if_index);
1202	if (IN6_IS_ADDR_LINKLOCAL(&t))
1203		t.s6_addr16[1] = htons(m->m_pkthdr.rcvif->if_index);
1204
1205#ifdef COMPAT_RFC1885
1206	/*
1207	 * xxx guess MTU
1208	 * RFC 1885 requires that echo reply should be truncated if it
1209	 * does not fit in with (return) path MTU, but the description was
1210	 * removed in the new spec.
1211	 */
1212	if (icmp6_reflect_rt.ro_rt == 0 ||
1213	    ! (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_dst))) {
1214		if (icmp6_reflect_rt.ro_rt) {
1215			RTFREE(icmp6_reflect_rt.ro_rt);
1216			icmp6_reflect_rt.ro_rt = 0;
1217		}
1218		bzero(sin6, sizeof(*sin6));
1219		sin6->sin6_family = PF_INET6;
1220		sin6->sin6_len = sizeof(struct sockaddr_in6);
1221		sin6->sin6_addr = ip6->ip6_dst;
1222
1223		rtalloc_ign((struct route *)&icmp6_reflect_rt.ro_rt,
1224			    RTF_PRCLONING);
1225	}
1226
1227	if (icmp6_reflect_rt.ro_rt == 0)
1228		goto bad;
1229
1230	if ((icmp6_reflect_rt.ro_rt->rt_flags & RTF_HOST)
1231	    && mtu < icmp6_reflect_rt.ro_rt->rt_ifp->if_mtu)
1232		mtu = icmp6_reflect_rt.ro_rt->rt_rmx.rmx_mtu;
1233
1234	if (mtu < m->m_pkthdr.len) {
1235		plen -= (m->m_pkthdr.len - mtu);
1236		m_adj(m, mtu - m->m_pkthdr.len);
1237	}
1238#endif
1239	/*
1240	 * If the incoming packet was addressed directly to us(i.e. unicast),
1241	 * use dst as the src for the reply.
1242	 */
1243	for (ia = in6_ifaddr; ia; ia = ia->ia_next)
1244		if (IN6_ARE_ADDR_EQUAL(&t, &ia->ia_addr.sin6_addr) &&
1245		    (ia->ia6_flags & IN6_IFF_ANYCAST) == 0) {
1246			src = &t;
1247			break;
1248		}
1249	if (ia == NULL && IN6_IS_ADDR_LINKLOCAL(&t) && (m->m_flags & M_LOOP)) {
1250		/*
1251		 * This is the case if the dst is our link-local address
1252		 * and the sender is also ourseleves.
1253		 */
1254		src = &t;
1255	}
1256
1257	if (src == 0)
1258		/*
1259		 * We have not multicast routing yet. So this case matches
1260		 * to our multicast, our anycast or not to our unicast.
1261		 * Select a source address which has the same scope.
1262		 */
1263		if ((ia = in6_ifawithscope(m->m_pkthdr.rcvif, &t)) != 0)
1264			src = &IA6_SIN6(ia)->sin6_addr;
1265
1266	if (src == 0)
1267		goto bad;
1268
1269	ip6->ip6_src = *src;
1270
1271	ip6->ip6_flow = 0;
1272	ip6->ip6_vfc = IPV6_VERSION;
1273	ip6->ip6_nxt = IPPROTO_ICMPV6;
1274	if (m->m_pkthdr.rcvif) {
1275		/* XXX: This may not be the outgoing interface */
1276		ip6->ip6_hlim = nd_ifinfo[m->m_pkthdr.rcvif->if_index].chlim;
1277	}
1278
1279	icmp6->icmp6_cksum = 0;
1280	icmp6->icmp6_cksum = in6_cksum(m, IPPROTO_ICMPV6,
1281					sizeof(struct ip6_hdr), plen);
1282
1283	/*
1284	 * xxx option handling
1285	 */
1286
1287	m->m_flags &= ~(M_BCAST|M_MCAST);
1288
1289#ifdef COMPAT_RFC1885
1290	ip6_output(m, NULL, &icmp6_reflect_rt, 0, NULL, &outif);
1291#else
1292	ip6_output(m, NULL, NULL, 0, NULL, &outif);
1293#endif
1294	if (outif)
1295		icmp6_ifoutstat_inc(outif, type, code);
1296
1297	return;
1298
1299 bad:
1300	m_freem(m);
1301	return;
1302}
1303
1304void
1305icmp6_fasttimo()
1306{
1307	mld6_fasttimeo();
1308}
1309
1310static const char *
1311icmp6_redirect_diag(src6, dst6, tgt6)
1312	struct in6_addr *src6;
1313	struct in6_addr *dst6;
1314	struct in6_addr *tgt6;
1315{
1316	static char buf[1024];
1317	snprintf(buf, sizeof(buf), "(src=%s dst=%s tgt=%s)",
1318		ip6_sprintf(src6), ip6_sprintf(dst6), ip6_sprintf(tgt6));
1319	return buf;
1320}
1321
1322void
1323icmp6_redirect_input(m, off)
1324	register struct mbuf *m;
1325	int off;
1326{
1327	struct ifnet *ifp = m->m_pkthdr.rcvif;
1328	struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
1329	struct nd_redirect *nd_rd = (struct nd_redirect *)((caddr_t)ip6 + off);
1330	int icmp6len = ntohs(ip6->ip6_plen);
1331	char *lladdr = NULL;
1332	int lladdrlen = 0;
1333	u_char *redirhdr = NULL;
1334	int redirhdrlen = 0;
1335	struct rtentry *rt = NULL;
1336	int is_router;
1337	int is_onlink;
1338	struct in6_addr src6 = ip6->ip6_src;
1339	struct in6_addr redtgt6 = nd_rd->nd_rd_target;
1340	struct in6_addr reddst6 = nd_rd->nd_rd_dst;
1341	union nd_opts ndopts;
1342
1343	if (!m || !ifp)
1344		return;
1345
1346	/* XXX if we are router, we don't update route by icmp6 redirect */
1347	if (ip6_forwarding)
1348		return;
1349	if (!icmp6_rediraccept)
1350		return;
1351
1352	if (IN6_IS_ADDR_LINKLOCAL(&redtgt6))
1353		redtgt6.s6_addr16[1] = htons(ifp->if_index);
1354	if (IN6_IS_ADDR_LINKLOCAL(&reddst6))
1355		reddst6.s6_addr16[1] = htons(ifp->if_index);
1356
1357	/* validation */
1358	if (!IN6_IS_ADDR_LINKLOCAL(&src6)) {
1359		log(LOG_ERR,
1360			"ICMP6 redirect sent from %s rejected; "
1361			"must be from linklocal\n", ip6_sprintf(&src6));
1362		return;
1363	}
1364	if (ip6->ip6_hlim != 255) {
1365		log(LOG_ERR,
1366			"ICMP6 redirect sent from %s rejected; "
1367			"hlim=%d (must be 255)\n",
1368			ip6_sprintf(&src6), ip6->ip6_hlim);
1369		return;
1370	}
1371    {
1372	/* ip6->ip6_src must be equal to gw for icmp6->icmp6_reddst */
1373	struct sockaddr_in6 sin6;
1374	struct in6_addr *gw6;
1375
1376	bzero(&sin6, sizeof(sin6));
1377	sin6.sin6_family = AF_INET6;
1378	sin6.sin6_len = sizeof(struct sockaddr_in6);
1379	bcopy(&reddst6, &sin6.sin6_addr, sizeof(reddst6));
1380	rt = rtalloc1((struct sockaddr *)&sin6, 0, 0UL);
1381	if (rt) {
1382		gw6 = &(((struct sockaddr_in6 *)rt->rt_gateway)->sin6_addr);
1383		if (bcmp(&src6, gw6, sizeof(struct in6_addr)) != 0) {
1384			log(LOG_ERR,
1385				"ICMP6 redirect rejected; "
1386				"not equal to gw-for-src=%s (must be same): "
1387				"%s\n",
1388				ip6_sprintf(gw6),
1389				icmp6_redirect_diag(&src6, &reddst6, &redtgt6));
1390			RTFREE(rt);
1391			return;
1392		}
1393	} else {
1394		log(LOG_ERR,
1395			"ICMP6 redirect rejected; "
1396			"no route found for redirect dst: %s\n",
1397			icmp6_redirect_diag(&src6, &reddst6, &redtgt6));
1398		return;
1399	}
1400	RTFREE(rt);
1401	rt = NULL;
1402    }
1403	if (IN6_IS_ADDR_MULTICAST(&reddst6)) {
1404		log(LOG_ERR,
1405			"ICMP6 redirect rejected; "
1406			"redirect dst must be unicast: %s\n",
1407			icmp6_redirect_diag(&src6, &reddst6, &redtgt6));
1408		return;
1409	}
1410
1411	is_router = is_onlink = 0;
1412	if (IN6_IS_ADDR_LINKLOCAL(&redtgt6))
1413		is_router = 1;	/* router case */
1414	if (bcmp(&redtgt6, &reddst6, sizeof(redtgt6)) == 0)
1415		is_onlink = 1;	/* on-link destination case */
1416	if (!is_router && !is_onlink) {
1417		log(LOG_ERR,
1418			"ICMP6 redirect rejected; "
1419			"neither router case nor onlink case: %s\n",
1420			icmp6_redirect_diag(&src6, &reddst6, &redtgt6));
1421		return;
1422	}
1423	/* validation passed */
1424
1425	icmp6len -= sizeof(*nd_rd);
1426	nd6_option_init(nd_rd + 1, icmp6len, &ndopts);
1427	if (nd6_options(&ndopts) < 0) {
1428		log(LOG_INFO, "icmp6_redirect_input: "
1429			"invalid ND option, rejected: %s\n",
1430			icmp6_redirect_diag(&src6, &reddst6, &redtgt6));
1431		return;
1432	}
1433
1434	if (ndopts.nd_opts_tgt_lladdr) {
1435		lladdr = (char *)(ndopts.nd_opts_tgt_lladdr + 1);
1436		lladdrlen = ndopts.nd_opts_tgt_lladdr->nd_opt_len << 3;
1437	}
1438
1439	if (ndopts.nd_opts_rh) {
1440		redirhdrlen = ndopts.nd_opts_rh->nd_opt_rh_len;
1441		redirhdr = (u_char *)(ndopts.nd_opts_rh + 1); /* xxx */
1442	}
1443
1444	if (lladdr && ((ifp->if_addrlen + 2 + 7) & ~7) != lladdrlen) {
1445		log(LOG_INFO,
1446			"icmp6_redirect_input: lladdrlen mismatch for %s "
1447			"(if %d, icmp6 packet %d): %s\n",
1448			ip6_sprintf(&redtgt6), ifp->if_addrlen, lladdrlen - 2,
1449			icmp6_redirect_diag(&src6, &reddst6, &redtgt6));
1450	}
1451
1452	/* RFC 2461 8.3 */
1453	nd6_cache_lladdr(ifp, &redtgt6, lladdr, lladdrlen, ND_REDIRECT,
1454			 is_onlink ? ND_REDIRECT_ONLINK : ND_REDIRECT_ROUTER);
1455
1456	if (!is_onlink) {	/* better router case. perform rtredirect. */
1457		/* perform rtredirect */
1458		struct sockaddr_in6 sdst;
1459		struct sockaddr_in6 sgw;
1460		struct sockaddr_in6 ssrc;
1461
1462		bzero(&sdst, sizeof(sdst));
1463		bzero(&sgw, sizeof(sgw));
1464		bzero(&ssrc, sizeof(ssrc));
1465		sdst.sin6_family = sgw.sin6_family = ssrc.sin6_family = AF_INET6;
1466		sdst.sin6_len = sgw.sin6_len = ssrc.sin6_len =
1467			sizeof(struct sockaddr_in6);
1468		bcopy(&redtgt6, &sgw.sin6_addr, sizeof(struct in6_addr));
1469		bcopy(&reddst6, &sdst.sin6_addr, sizeof(struct in6_addr));
1470		bcopy(&src6, &ssrc.sin6_addr, sizeof(struct in6_addr));
1471		rtredirect((struct sockaddr *)&sdst, (struct sockaddr *)&sgw,
1472			   (struct sockaddr *)NULL, RTF_GATEWAY | RTF_HOST,
1473			   (struct sockaddr *)&ssrc,
1474			   (struct rtentry **)NULL);
1475	}
1476	/* finally update cached route in each socket via pfctlinput */
1477    {
1478	struct sockaddr_in6 sdst;
1479
1480	bzero(&sdst, sizeof(sdst));
1481	sdst.sin6_family = AF_INET6;
1482	sdst.sin6_len = sizeof(struct sockaddr_in6);
1483	bcopy(&reddst6, &sdst.sin6_addr, sizeof(struct in6_addr));
1484	pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&sdst);
1485#ifdef IPSEC
1486	key_sa_routechange((struct sockaddr *)&sdst);
1487#endif
1488    }
1489}
1490
1491void
1492icmp6_redirect_output(m0, rt)
1493	struct mbuf *m0;
1494	struct rtentry *rt;
1495{
1496	struct ifnet *ifp;	/* my outgoing interface */
1497	struct in6_addr *ifp_ll6;
1498	struct in6_addr *router_ll6;
1499	struct ip6_hdr *sip6;	/* m0 as struct ip6_hdr */
1500	struct mbuf *m = NULL;	/* newly allocated one */
1501	struct ip6_hdr *ip6;	/* m as struct ip6_hdr */
1502	struct nd_redirect *nd_rd;
1503	size_t maxlen;
1504	u_char *p;
1505	struct ifnet *outif = NULL;
1506
1507	/* if we are not router, we don't send icmp6 redirect */
1508	if (!ip6_forwarding || ip6_accept_rtadv)
1509		goto fail;
1510
1511	/* sanity check */
1512	if (!m0 || !rt || !(rt->rt_flags & RTF_UP) || !(ifp = rt->rt_ifp))
1513		goto fail;
1514
1515	/*
1516	 * Address check:
1517	 *  the source address must identify a neighbor, and
1518	 *  the destination address must not be a multicast address
1519	 *  [RFC 2461, sec 8.2]
1520	 */
1521	sip6 = mtod(m0, struct ip6_hdr *);
1522	if (nd6_is_addr_neighbor(&sip6->ip6_src, ifp) == 0)
1523		goto fail;
1524	if (IN6_IS_ADDR_MULTICAST(&sip6->ip6_dst))
1525		goto fail;	/* what should we do here? */
1526
1527	/* rate limit */
1528	if (icmp6_ratelimit(&sip6->ip6_src, ND_REDIRECT, 0))
1529		goto fail;
1530
1531	/*
1532	 * Since we are going to append up to 1280 bytes (= IPV6_MMTU),
1533	 * we almost always ask for an mbuf cluster for simplicity.
1534	 * (MHLEN < IPV6_MMTU is almost always true)
1535	 */
1536	MGETHDR(m, M_DONTWAIT, MT_HEADER);
1537	if (!m)
1538		goto fail;
1539	if (MHLEN < IPV6_MMTU)
1540		MCLGET(m, M_DONTWAIT);
1541	maxlen = (m->m_flags & M_EXT) ? MCLBYTES : MHLEN;
1542	maxlen = min(IPV6_MMTU, maxlen);
1543	/* just for safety */
1544	if (maxlen < sizeof(struct ip6_hdr) + sizeof(struct icmp6_hdr))
1545		goto fail;
1546
1547	{
1548		/* get ip6 linklocal address for ifp(my outgoing interface). */
1549		struct in6_ifaddr *ia = in6ifa_ifpforlinklocal(ifp);
1550		if (ia == NULL)
1551			goto fail;
1552		ifp_ll6 = &ia->ia_addr.sin6_addr;
1553	}
1554
1555	/* get ip6 linklocal address for the router. */
1556	if (rt->rt_gateway && (rt->rt_flags & RTF_GATEWAY)) {
1557		struct sockaddr_in6 *sin6;
1558		sin6 = (struct sockaddr_in6 *)rt->rt_gateway;
1559		router_ll6 = &sin6->sin6_addr;
1560		if (!IN6_IS_ADDR_LINKLOCAL(router_ll6))
1561			router_ll6 = (struct in6_addr *)NULL;
1562	} else
1563		router_ll6 = (struct in6_addr *)NULL;
1564
1565	/* ip6 */
1566	ip6 = mtod(m, struct ip6_hdr *);
1567	ip6->ip6_flow = 0;
1568	ip6->ip6_vfc = IPV6_VERSION;
1569	/* ip6->ip6_plen will be set later */
1570	ip6->ip6_nxt = IPPROTO_ICMPV6;
1571	ip6->ip6_hlim = 255;
1572	/* ip6->ip6_src must be linklocal addr for my outgoing if. */
1573	bcopy(ifp_ll6, &ip6->ip6_src, sizeof(struct in6_addr));
1574	bcopy(&sip6->ip6_src, &ip6->ip6_dst, sizeof(struct in6_addr));
1575
1576	/* ND Redirect */
1577	nd_rd = (struct nd_redirect *)(ip6 + 1);
1578	nd_rd->nd_rd_type = ND_REDIRECT;
1579	nd_rd->nd_rd_code = 0;
1580	nd_rd->nd_rd_reserved = 0;
1581	if (rt->rt_flags & RTF_GATEWAY) {
1582		/*
1583		 * nd_rd->nd_rd_target must be a link-local address in
1584		 * better router cases.
1585		 */
1586		if (!router_ll6)
1587			goto fail;
1588		bcopy(router_ll6, &nd_rd->nd_rd_target,
1589		      sizeof(nd_rd->nd_rd_target));
1590		bcopy(&sip6->ip6_dst, &nd_rd->nd_rd_dst,
1591		      sizeof(nd_rd->nd_rd_dst));
1592	} else {
1593		/* make sure redtgt == reddst */
1594		bcopy(&sip6->ip6_dst, &nd_rd->nd_rd_target,
1595		      sizeof(nd_rd->nd_rd_target));
1596		bcopy(&sip6->ip6_dst, &nd_rd->nd_rd_dst,
1597		      sizeof(nd_rd->nd_rd_dst));
1598	}
1599
1600	p = (u_char *)(nd_rd + 1);
1601
1602	if (!router_ll6)
1603		goto nolladdropt;
1604
1605    {
1606	/* target lladdr option */
1607	struct rtentry *rt_router = NULL;
1608	int len;
1609	struct sockaddr_dl *sdl;
1610	struct nd_opt_hdr *nd_opt;
1611	char *lladdr;
1612
1613	rt_router = nd6_lookup(router_ll6, 0, ifp);
1614	if (!rt_router)
1615		goto nolladdropt;
1616	if (!(rt_router->rt_flags & RTF_GATEWAY)
1617	 && (rt_router->rt_flags & RTF_LLINFO)
1618	 && (rt_router->rt_gateway->sa_family == AF_LINK)
1619	 && (sdl = (struct sockaddr_dl *)rt_router->rt_gateway)) {
1620		nd_opt = (struct nd_opt_hdr *)p;
1621		nd_opt->nd_opt_type = ND_OPT_TARGET_LINKADDR;
1622		len = 2 + ifp->if_addrlen;
1623		len = (len + 7) & ~7;	/*round by 8*/
1624		nd_opt->nd_opt_len = len >> 3;
1625		p += len;
1626		lladdr = (char *)(nd_opt + 1);
1627		bcopy(LLADDR(sdl), lladdr, ifp->if_addrlen);
1628	}
1629    }
1630nolladdropt:;
1631
1632	m->m_pkthdr.len = m->m_len = p - (u_char *)ip6;
1633
1634	/* just to be safe */
1635	if (m0->m_flags & M_DECRYPTED)
1636		goto noredhdropt;
1637
1638    {
1639	/* redirected header option */
1640	int len;
1641	struct nd_opt_rd_hdr *nd_opt_rh;
1642
1643	/*
1644	 * compute the maximum size for icmp6 redirect header option.
1645	 * XXX room for auth header?
1646	 */
1647	len = maxlen - (p - (u_char *)ip6);
1648	len &= ~7;
1649
1650	/* This is just for simplicity. */
1651	if (m0->m_pkthdr.len != m0->m_len) {
1652		if (m0->m_next) {
1653			m_freem(m0->m_next);
1654			m0->m_next = NULL;
1655		}
1656		m0->m_pkthdr.len = m0->m_len;
1657	}
1658
1659	/*
1660	 * Redirected header option spec (RFC2461 4.6.3) talks nothing
1661	 * about padding/truncate rule for the original IP packet.
1662	 * From the discussion on IPv6imp in Feb 1999, the consensus was:
1663	 * - "attach as much as possible" is the goal
1664	 * - pad if not aligned (original size can be guessed by original
1665	 *   ip6 header)
1666	 * Following code adds the padding if it is simple enough,
1667	 * and truncates if not.
1668	 */
1669	if (m0->m_next || m0->m_pkthdr.len != m0->m_len)
1670		panic("assumption failed in %s:%d\n", __FILE__, __LINE__);
1671
1672	if (len - sizeof(*nd_opt_rh) < m0->m_pkthdr.len) {
1673		/* not enough room, truncate */
1674		m0->m_pkthdr.len = m0->m_len = len - sizeof(*nd_opt_rh);
1675	} else {
1676		/* enough room, pad or truncate */
1677		size_t extra;
1678
1679		extra = m0->m_pkthdr.len % 8;
1680		if (extra) {
1681			/* pad if easy enough, truncate if not */
1682			if (8 - extra <= M_TRAILINGSPACE(m0)) {
1683				/* pad */
1684				m0->m_len += (8 - extra);
1685				m0->m_pkthdr.len += (8 - extra);
1686			} else {
1687				/* truncate */
1688				m0->m_pkthdr.len -= extra;
1689				m0->m_len -= extra;
1690			}
1691		}
1692		len = m0->m_pkthdr.len + sizeof(*nd_opt_rh);
1693		m0->m_pkthdr.len = m0->m_len = len - sizeof(*nd_opt_rh);
1694	}
1695
1696	nd_opt_rh = (struct nd_opt_rd_hdr *)p;
1697	bzero(nd_opt_rh, sizeof(*nd_opt_rh));
1698	nd_opt_rh->nd_opt_rh_type = ND_OPT_REDIRECTED_HEADER;
1699	nd_opt_rh->nd_opt_rh_len = len >> 3;
1700	p += sizeof(*nd_opt_rh);
1701	m->m_pkthdr.len = m->m_len = p - (u_char *)ip6;
1702
1703	/* connect m0 to m */
1704	m->m_next = m0;
1705	m->m_pkthdr.len = m->m_len + m0->m_len;
1706    }
1707noredhdropt:;
1708
1709	if (IN6_IS_ADDR_LINKLOCAL(&sip6->ip6_src))
1710		sip6->ip6_src.s6_addr16[1] = 0;
1711	if (IN6_IS_ADDR_LINKLOCAL(&sip6->ip6_dst))
1712		sip6->ip6_dst.s6_addr16[1] = 0;
1713	if (IN6_IS_ADDR_LINKLOCAL(&nd_rd->nd_rd_target))
1714		nd_rd->nd_rd_target.s6_addr16[1] = 0;
1715	if (IN6_IS_ADDR_LINKLOCAL(&nd_rd->nd_rd_dst))
1716		nd_rd->nd_rd_dst.s6_addr16[1] = 0;
1717
1718	ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
1719
1720	nd_rd->nd_rd_cksum = 0;
1721	nd_rd->nd_rd_cksum
1722		= in6_cksum(m, IPPROTO_ICMPV6, sizeof(*ip6), ntohs(ip6->ip6_plen));
1723
1724	/* send the packet to outside... */
1725	ip6_output(m, NULL, NULL, 0, NULL, &outif);
1726	if (outif) {
1727		icmp6_ifstat_inc(outif, ifs6_out_msg);
1728		icmp6_ifstat_inc(outif, ifs6_out_redirect);
1729	}
1730	icmp6stat.icp6s_outhist[ND_REDIRECT]++;
1731
1732	return;
1733
1734fail:
1735	if (m)
1736		m_freem(m);
1737	if (m0)
1738		m_freem(m0);
1739}
1740
1741/*
1742 * ICMPv6 socket option processing.
1743 */
1744int
1745icmp6_ctloutput(so, sopt)
1746	struct socket *so;
1747	struct sockopt *sopt;
1748{
1749	int error = 0;
1750	int optlen;
1751	register struct inpcb *inp = sotoinpcb(so);
1752	int level, op, optname;
1753
1754	if (sopt) {
1755		level = sopt->sopt_level;
1756		op = sopt->sopt_dir;
1757		optname = sopt->sopt_name;
1758		optlen = sopt->sopt_valsize;
1759	} else
1760		level = op = optname = optlen = 0;
1761	if (level != IPPROTO_ICMPV6) {
1762		return EINVAL;
1763	}
1764
1765	switch(op) {
1766	case PRCO_SETOPT:
1767		switch (optname) {
1768		case ICMP6_FILTER:
1769		    {
1770			struct icmp6_filter *p;
1771
1772			if (optlen != sizeof(*p)) {
1773				error = EMSGSIZE;
1774				break;
1775			}
1776			if (inp->in6p_icmp6filt == NULL) {
1777				error = EINVAL;
1778				break;
1779			}
1780			error = sooptcopyin(sopt, inp->in6p_icmp6filt, optlen,
1781				optlen);
1782			break;
1783		    }
1784
1785		default:
1786			error = ENOPROTOOPT;
1787			break;
1788		}
1789		break;
1790
1791	case PRCO_GETOPT:
1792		switch (optname) {
1793		case ICMP6_FILTER:
1794		    {
1795			if (inp->in6p_icmp6filt == NULL) {
1796				error = EINVAL;
1797				break;
1798			}
1799			error = sooptcopyout(sopt, inp->in6p_icmp6filt,
1800				sizeof(struct icmp6_filter));
1801			break;
1802		    }
1803
1804		default:
1805			error = ENOPROTOOPT;
1806			break;
1807		}
1808		break;
1809	}
1810
1811	return(error);
1812}
1813
1814/*
1815 * Perform rate limit check.
1816 * Returns 0 if it is okay to send the icmp6 packet.
1817 * Returns 1 if the router SHOULD NOT send this icmp6 packet due to rate
1818 * limitation.
1819 *
1820 * XXX per-destination/type check necessary?
1821 */
1822static int
1823icmp6_ratelimit(dst, type, code)
1824	const struct in6_addr *dst;	/* not used at this moment */
1825	const int type;			/* not used at this moment */
1826	const int code;			/* not used at this moment */
1827{
1828	struct timeval tp;
1829	long sec_diff, usec_diff;
1830
1831	/* If we are not doing rate limitation, it is always okay to send */
1832	if (!icmp6errratelim)
1833		return 0;
1834
1835	microtime(&tp);
1836	tp.tv_sec = time_second;
1837	if (tp.tv_sec < icmp6_nextsend.tv_sec
1838	 || (tp.tv_sec == icmp6_nextsend.tv_sec
1839	  && tp.tv_usec < icmp6_nextsend.tv_usec)) {
1840		/* The packet is subject to rate limit */
1841		return 1;
1842	}
1843	sec_diff = icmp6errratelim / 1000000;
1844	usec_diff = icmp6errratelim % 1000000;
1845	icmp6_nextsend.tv_sec = tp.tv_sec + sec_diff;
1846	if ((tp.tv_usec = tp.tv_usec + usec_diff) >= 1000000) {
1847		icmp6_nextsend.tv_sec++;
1848		icmp6_nextsend.tv_usec -= 1000000;
1849	}
1850
1851	/* it is okay to send this */
1852	return 0;
1853}
1854