[apple/xnu.git] / bsd / netinet6 / route6.c

/*
 * Copyright (c) 2000-2010 Apple Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 * 
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */

/*	$FreeBSD: src/sys/netinet6/route6.c,v 1.1.2.3 2001/07/03 11:01:55 ume Exp $	*/
/*	$KAME: route6.c,v 1.24 2001/03/14 03:07:05 itojun Exp $	*/

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/param.h>
#include <sys/mbuf.h>
#include <sys/socket.h>
#include <sys/queue.h>
#include <string.h>

#include <net/if.h>
#include <net/route.h>

#include <netinet/in.h>
#include <netinet6/in6_var.h>
#include <netinet/ip6.h>
#include <netinet6/ip6_var.h>

#include <netinet/icmp6.h>

#if IP6_RTHDR0_ALLOWED
static int ip6_rthdr0(struct mbuf *, struct ip6_hdr *,
    struct ip6_rthdr0 *);
#endif /* IP6_RTHDR0_ALLOWED */

int
route6_input(struct mbuf **mp, int *offp, int proto)
{
#pragma unused(proto)
	struct ip6_hdr *ip6;
	struct mbuf *m = *mp;
	struct ip6_rthdr *rh;
	int off = *offp, rhlen;
	struct ip6aux *ip6a;

	ip6a = ip6_findaux(m);
	if (ip6a) {
		/* XXX reject home-address option before rthdr */
		if (ip6a->ip6a_flags & IP6A_SWAP) {
			ip6stat.ip6s_badoptions++;
			m_freem(m);
			return IPPROTO_DONE;
		}
	}

#ifndef PULLDOWN_TEST
	IP6_EXTHDR_CHECK(m, off, sizeof(*rh), return IPPROTO_DONE);
	ip6 = mtod(m, struct ip6_hdr *);
	rh = (struct ip6_rthdr *)((caddr_t)ip6 + off);
#else
	ip6 = mtod(m, struct ip6_hdr *);
	IP6_EXTHDR_GET(rh, struct ip6_rthdr *, m, off, sizeof(*rh));
	if (rh == NULL) {
		ip6stat.ip6s_tooshort++;
		return IPPROTO_DONE;
	}
#endif

	switch (rh->ip6r_type) {
#if IP6_RTHDR0_ALLOWED
	case IPV6_RTHDR_TYPE_0:
		rhlen = (rh->ip6r_len + 1) << 3;
#ifndef PULLDOWN_TEST
		/*
		 * note on option length:
		 * due to IP6_EXTHDR_CHECK assumption, we cannot handle
		 * very big routing header (max rhlen == 2048).
		 */
		IP6_EXTHDR_CHECK(m, off, rhlen, return IPPROTO_DONE);
#else
		/*
		 * note on option length:
		 * maximum rhlen: 2048
		 * max mbuf m_pulldown can handle: MCLBYTES == usually 2048
		 * so, here we are assuming that m_pulldown can handle
		 * rhlen == 2048 case.  this may not be a good thing to
		 * assume - we may want to avoid pulling it up altogether.
		 */
		IP6_EXTHDR_GET(rh, struct ip6_rthdr *, m, off, rhlen);
		if (rh == NULL) {
			ip6stat.ip6s_tooshort++;
			return IPPROTO_DONE;
		}
#endif
		if (ip6_rthdr0(m, ip6, (struct ip6_rthdr0 *)rh))
			return(IPPROTO_DONE);
		break;
#endif /* IP6_RTHDR0_ALLOWED */
	default:
		/* unknown routing type */
		if (rh->ip6r_segleft == 0) {
			rhlen = (rh->ip6r_len + 1) << 3;
			break;	/* Final dst. Just ignore the header. */
		}
		ip6stat.ip6s_badoptions++;
		icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER,
			    (caddr_t)&rh->ip6r_type - (caddr_t)ip6);
		return(IPPROTO_DONE);
	}

	*offp += rhlen;
	return(rh->ip6r_nxt);
}

#if IP6_RTHDR0_ALLOWED
/*
 * Type0 routing header processing
 *
 * RFC2292 backward compatibility warning: no support for strict/loose bitmap,
 * as it was dropped between RFC1883 and RFC2460.
 */
static int
ip6_rthdr0(m, ip6, rh0)
	struct mbuf *m;
	struct ip6_hdr *ip6;
	struct ip6_rthdr0 *rh0;
{
	int addrs, index;
	struct in6_addr *nextaddr, tmpaddr, ia6 = NULL;
	struct route_in6 ip6forward_rt;

	if (rh0->ip6r0_segleft == 0)
		return(0);

	if (rh0->ip6r0_len % 2
#if COMPAT_RFC1883
	    || rh0->ip6r0_len > 46
#endif
		) {
		/*
		 * Type 0 routing header can't contain more than 23 addresses.
		 * RFC 2462: this limitation was removed since strict/loose
		 * bitmap field was deleted.
		 */
		ip6stat.ip6s_badoptions++;
		icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER,
			    (caddr_t)&rh0->ip6r0_len - (caddr_t)ip6);
		return (-1);
	}

	if ((addrs = rh0->ip6r0_len / 2) < rh0->ip6r0_segleft) {
		ip6stat.ip6s_badoptions++;
		icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER,
			    (caddr_t)&rh0->ip6r0_segleft - (caddr_t)ip6);
		return (-1);
	}

	index = addrs - rh0->ip6r0_segleft;
	rh0->ip6r0_segleft--;
	/* note that ip6r0_addr does not exist in RFC2292bis */
	nextaddr = rh0->ip6r0_addr + index;

	/*
	 * reject invalid addresses.  be proactive about malicious use of
	 * IPv4 mapped/compat address.
	 * XXX need more checks?
	 */
	if (IN6_IS_ADDR_MULTICAST(nextaddr) ||
	    IN6_IS_ADDR_UNSPECIFIED(nextaddr) ||
	    IN6_IS_ADDR_V4MAPPED(nextaddr) ||
	    IN6_IS_ADDR_V4COMPAT(nextaddr)) {
		ip6stat.ip6s_badoptions++;
		m_freem(m);
		return (-1);
	}
	if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
	    IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst) ||
	    IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst) ||
	    IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {
		ip6stat.ip6s_badoptions++;
		m_freem(m);
		return (-1);
	}

	/*
	 * Determine the scope zone of the next hop, based on the interface
	 * of the current hop. [RFC4007, Section 9]
	 * Then disambiguate the scope zone for the next hop (if necessary).
	 */
	if ((ia6 = ip6_getdstifaddr(m)) == NULL)
		goto bad;
	if (in6_setscope(nextaddr, ia6->ia_ifp, NULL) != 0) {
		ip6stat.ip6s_badscope++;
		IFA_REMREF(&ia6->ia_ifa);
		ia6 = NULL;
		goto bad;
	}
	IFA_REMREF(&ia6->ia_ifa);
	ia6 = NULL;

	/*
	 * Swap the IPv6 destination address and nextaddr. Forward the packet.
	 */
	tmpaddr = *nextaddr;
	*nextaddr = ip6->ip6_dst;
	in6_clearscope(nextaddr); /* XXX */
	ip6->ip6_dst = tmpaddr;
	if (IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_dst))
		ip6->ip6_dst.s6_addr16[1] = htons(m->m_pkthdr.rcvif->if_index);

	/*
	 * Don't use the globally cached route to forward packet having
	 * Type 0 routing header(s); instead, do an explicit lookup using
	 * a local route entry variable, in case the next address in the
	 * packet is bogus (which would otherwise unnecessarily invalidate
	 * the globally cached route).
	 */
	bzero(&ip6forward_rt, sizeof (ip6forward_rt));

#if COMPAT_RFC1883
	if (rh0->ip6r0_slmap[index / 8] & (1 << (7 - (index % 8))))
		ip6_forward(m, &ip6forward_rt, IPV6_SRCRT_NEIGHBOR, 0);
	else
		ip6_forward(m, &ip6forward_rt, IPV6_SRCRT_NOTNEIGHBOR, 0);
#else
	ip6_forward(m, &ip6forward_rt, 1, 0);
#endif

	/* Release reference to the looked up route */
	if (ip6forward_rt.ro_rt != NULL) {
		rtfree(ip6forward_rt.ro_rt);
		ip6forward_rt.ro_rt = NULL;
	}

	return(-1);			/* m would be freed in ip6_forward() */
}
#endif /* IP6_RTHDR0_ALLOWED */
Commit	Line	Data
6d2010ae A	1	/*
	2	* Copyright (c) 2000-2010 Apple Inc. All rights reserved.
	3	*
	4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. The rights granted to you under the License
	10	* may not be used to create, or enable the creation or redistribution of,
	11	* unlawful or unlicensed copies of an Apple operating system, or to
	12	* circumvent, violate, or enable the circumvention or violation of, any
	13	* terms of an Apple operating system software license agreement.
	14	*
	15	* Please obtain a copy of the License at
	16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
	17	*
	18	* The Original Code and all software distributed under the License are
	19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	23	* Please see the License for the specific language governing rights and
	24	* limitations under the License.
	25	*
	26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
	27	*/
	28
9bccf70c A	29	/* $FreeBSD: src/sys/netinet6/route6.c,v 1.1.2.3 2001/07/03 11:01:55 ume Exp $ */
9bccf70c A	30	/* $KAME: route6.c,v 1.24 2001/03/14 03:07:05 itojun Exp $ */
1c79356b A	31
	32	/*
	33	* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
	34	* All rights reserved.
	35	*
	36	* Redistribution and use in source and binary forms, with or without
	37	* modification, are permitted provided that the following conditions
	38	* are met:
	39	* 1. Redistributions of source code must retain the above copyright
	40	* notice, this list of conditions and the following disclaimer.
	41	* 2. Redistributions in binary form must reproduce the above copyright
	42	* notice, this list of conditions and the following disclaimer in the
	43	* documentation and/or other materials provided with the distribution.
	44	* 3. Neither the name of the project nor the names of its contributors
	45	* may be used to endorse or promote products derived from this software
	46	* without specific prior written permission.
	47	*
	48	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
	49	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	50	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	51	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
	52	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	53	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	54	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	55	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	56	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	57	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	58	* SUCH DAMAGE.
	59	*/
	60
	61	#include <sys/param.h>
	62	#include <sys/mbuf.h>
	63	#include <sys/socket.h>
9bccf70c	64	#include <sys/queue.h>
2d21ac55	65	#include <string.h>
1c79356b A	66
1c79356b A	67	#include <net/if.h>
2d21ac55	68	#include <net/route.h>
1c79356b A	69
	70	#include <netinet/in.h>
	71	#include <netinet6/in6_var.h>
	72	#include <netinet/ip6.h>
	73	#include <netinet6/ip6_var.h>
	74
	75	#include <netinet/icmp6.h>
	76
21362eb3	77	#if IP6_RTHDR0_ALLOWED
91447636 A	78	static int ip6_rthdr0(struct mbuf , struct ip6_hdr ,
91447636 A	79	struct ip6_rthdr0 *);
21362eb3	80	#endif /* IP6_RTHDR0_ALLOWED */
1c79356b	81
1c79356b	82	int
6d2010ae	83	route6_input(struct mbuf *mp, int offp, int proto)
1c79356b	84	{
6d2010ae	85	#pragma unused(proto)
9bccf70c A	86	struct ip6_hdr *ip6;
	87	struct mbuf m = mp;
	88	struct ip6_rthdr *rh;
1c79356b	89	int off = *offp, rhlen;
2d21ac55	90	struct ip6aux *ip6a;
9bccf70c	91
2d21ac55 A	92	ip6a = ip6_findaux(m);
2d21ac55 A	93	if (ip6a) {
9bccf70c A	94	/* XXX reject home-address option before rthdr */
	95	if (ip6a->ip6a_flags & IP6A_SWAP) {
	96	ip6stat.ip6s_badoptions++;
	97	m_freem(m);
	98	return IPPROTO_DONE;
	99	}
	100	}
1c79356b A	101
1c79356b A	102	#ifndef PULLDOWN_TEST
91447636	103	IP6_EXTHDR_CHECK(m, off, sizeof(*rh), return IPPROTO_DONE);
1c79356b A	104	ip6 = mtod(m, struct ip6_hdr *);
	105	rh = (struct ip6_rthdr *)((caddr_t)ip6 + off);
	106	#else
	107	ip6 = mtod(m, struct ip6_hdr *);
	108	IP6_EXTHDR_GET(rh, struct ip6_rthdr , m, off, sizeof(rh));
	109	if (rh == NULL) {
	110	ip6stat.ip6s_tooshort++;
	111	return IPPROTO_DONE;
	112	}
	113	#endif
	114
9bccf70c	115	switch (rh->ip6r_type) {
21362eb3	116	#if IP6_RTHDR0_ALLOWED
9bccf70c A	117	case IPV6_RTHDR_TYPE_0:
9bccf70c A	118	rhlen = (rh->ip6r_len + 1) << 3;
1c79356b	119	#ifndef PULLDOWN_TEST
9bccf70c A	120	/*
	121	* note on option length:
	122	* due to IP6_EXTHDR_CHECK assumption, we cannot handle
	123	* very big routing header (max rhlen == 2048).
	124	*/
91447636	125	IP6_EXTHDR_CHECK(m, off, rhlen, return IPPROTO_DONE);
1c79356b	126	#else
9bccf70c A	127	/*
	128	* note on option length:
	129	* maximum rhlen: 2048
	130	* max mbuf m_pulldown can handle: MCLBYTES == usually 2048
	131	* so, here we are assuming that m_pulldown can handle
	132	* rhlen == 2048 case. this may not be a good thing to
	133	* assume - we may want to avoid pulling it up altogether.
	134	*/
	135	IP6_EXTHDR_GET(rh, struct ip6_rthdr *, m, off, rhlen);
	136	if (rh == NULL) {
1c79356b A	137	ip6stat.ip6s_tooshort++;
1c79356b A	138	return IPPROTO_DONE;
9bccf70c	139	}
1c79356b	140	#endif
9bccf70c A	141	if (ip6_rthdr0(m, ip6, (struct ip6_rthdr0 *)rh))
	142	return(IPPROTO_DONE);
	143	break;
21362eb3	144	#endif /* IP6_RTHDR0_ALLOWED */
9bccf70c A	145	default:
	146	/* unknown routing type */
	147	if (rh->ip6r_segleft == 0) {
	148	rhlen = (rh->ip6r_len + 1) << 3;
	149	break; /* Final dst. Just ignore the header. */
	150	}
	151	ip6stat.ip6s_badoptions++;
	152	icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER,
	153	(caddr_t)&rh->ip6r_type - (caddr_t)ip6);
	154	return(IPPROTO_DONE);
	155	}
	156
1c79356b A	157	*offp += rhlen;
	158	return(rh->ip6r_nxt);
	159	}
	160
21362eb3	161	#if IP6_RTHDR0_ALLOWED
1c79356b A	162	/*
1c79356b A	163	* Type0 routing header processing
9bccf70c A	164	*
	165	* RFC2292 backward compatibility warning: no support for strict/loose bitmap,
	166	* as it was dropped between RFC1883 and RFC2460.
1c79356b A	167	*/
	168	static int
	169	ip6_rthdr0(m, ip6, rh0)
	170	struct mbuf *m;
	171	struct ip6_hdr *ip6;
	172	struct ip6_rthdr0 *rh0;
	173	{
	174	int addrs, index;
6d2010ae	175	struct in6_addr *nextaddr, tmpaddr, ia6 = NULL;
2d21ac55	176	struct route_in6 ip6forward_rt;
1c79356b A	177
	178	if (rh0->ip6r0_segleft == 0)
	179	return(0);
	180
	181	if (rh0->ip6r0_len % 2
	182	#if COMPAT_RFC1883
	183	\|\| rh0->ip6r0_len > 46
	184	#endif
	185	) {
	186	/*
	187	* Type 0 routing header can't contain more than 23 addresses.
6d2010ae	188	* RFC 2462: this limitation was removed since strict/loose
1c79356b A	189	* bitmap field was deleted.
	190	*/
	191	ip6stat.ip6s_badoptions++;
	192	icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER,
	193	(caddr_t)&rh0->ip6r0_len - (caddr_t)ip6);
6d2010ae	194	return (-1);
1c79356b A	195	}
	196
	197	if ((addrs = rh0->ip6r0_len / 2) < rh0->ip6r0_segleft) {
	198	ip6stat.ip6s_badoptions++;
	199	icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER,
	200	(caddr_t)&rh0->ip6r0_segleft - (caddr_t)ip6);
6d2010ae	201	return (-1);
1c79356b A	202	}
	203
	204	index = addrs - rh0->ip6r0_segleft;
	205	rh0->ip6r0_segleft--;
9bccf70c A	206	/* note that ip6r0_addr does not exist in RFC2292bis */
9bccf70c A	207	nextaddr = rh0->ip6r0_addr + index;
1c79356b A	208
	209	/*
	210	* reject invalid addresses. be proactive about malicious use of
	211	* IPv4 mapped/compat address.
	212	* XXX need more checks?
	213	*/
	214	if (IN6_IS_ADDR_MULTICAST(nextaddr) \|\|
	215	IN6_IS_ADDR_UNSPECIFIED(nextaddr) \|\|
	216	IN6_IS_ADDR_V4MAPPED(nextaddr) \|\|
	217	IN6_IS_ADDR_V4COMPAT(nextaddr)) {
	218	ip6stat.ip6s_badoptions++;
	219	m_freem(m);
6d2010ae	220	return (-1);
1c79356b A	221	}
	222	if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) \|\|
	223	IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst) \|\|
	224	IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst) \|\|
9bccf70c	225	IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {
1c79356b A	226	ip6stat.ip6s_badoptions++;
1c79356b A	227	m_freem(m);
6d2010ae A	228	return (-1);
	229	}
	230
	231	/*
	232	* Determine the scope zone of the next hop, based on the interface
	233	* of the current hop. [RFC4007, Section 9]
	234	* Then disambiguate the scope zone for the next hop (if necessary).
	235	*/
	236	if ((ia6 = ip6_getdstifaddr(m)) == NULL)
	237	goto bad;
	238	if (in6_setscope(nextaddr, ia6->ia_ifp, NULL) != 0) {
	239	ip6stat.ip6s_badscope++;
	240	IFA_REMREF(&ia6->ia_ifa);
	241	ia6 = NULL;
	242	goto bad;
1c79356b	243	}
6d2010ae A	244	IFA_REMREF(&ia6->ia_ifa);
6d2010ae A	245	ia6 = NULL;
1c79356b A	246
	247	/*
	248	* Swap the IPv6 destination address and nextaddr. Forward the packet.
	249	*/
	250	tmpaddr = *nextaddr;
	251	*nextaddr = ip6->ip6_dst;
6d2010ae	252	in6_clearscope(nextaddr); /* XXX */
1c79356b A	253	ip6->ip6_dst = tmpaddr;
	254	if (IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_dst))
	255	ip6->ip6_dst.s6_addr16[1] = htons(m->m_pkthdr.rcvif->if_index);
	256
2d21ac55 A	257	/*
	258	* Don't use the globally cached route to forward packet having
	259	* Type 0 routing header(s); instead, do an explicit lookup using
	260	* a local route entry variable, in case the next address in the
	261	* packet is bogus (which would otherwise unnecessarily invalidate
	262	* the globally cached route).
	263	*/
	264	bzero(&ip6forward_rt, sizeof (ip6forward_rt));
	265
1c79356b A	266	#if COMPAT_RFC1883
1c79356b A	267	if (rh0->ip6r0_slmap[index / 8] & (1 << (7 - (index % 8))))
2d21ac55	268	ip6_forward(m, &ip6forward_rt, IPV6_SRCRT_NEIGHBOR, 0);
1c79356b	269	else
2d21ac55	270	ip6_forward(m, &ip6forward_rt, IPV6_SRCRT_NOTNEIGHBOR, 0);
1c79356b	271	#else
2d21ac55	272	ip6_forward(m, &ip6forward_rt, 1, 0);
1c79356b A	273	#endif
1c79356b A	274
2d21ac55 A	275	/* Release reference to the looked up route */
	276	if (ip6forward_rt.ro_rt != NULL) {
	277	rtfree(ip6forward_rt.ro_rt);
	278	ip6forward_rt.ro_rt = NULL;
	279	}
	280
1c79356b A	281	return(-1); /* m would be freed in ip6_forward() */
1c79356b A	282	}
21362eb3	283	#endif /* IP6_RTHDR0_ALLOWED */
2d21ac55	284