]>
Commit | Line | Data |
---|---|---|
1 | /* $KAME: ip6_forward.c,v 1.29 2000/02/26 18:08:38 itojun Exp $ */ | |
2 | ||
3 | /* | |
4 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. | |
5 | * All rights reserved. | |
6 | * | |
7 | * Redistribution and use in source and binary forms, with or without | |
8 | * modification, are permitted provided that the following conditions | |
9 | * are met: | |
10 | * 1. Redistributions of source code must retain the above copyright | |
11 | * notice, this list of conditions and the following disclaimer. | |
12 | * 2. Redistributions in binary form must reproduce the above copyright | |
13 | * notice, this list of conditions and the following disclaimer in the | |
14 | * documentation and/or other materials provided with the distribution. | |
15 | * 3. Neither the name of the project nor the names of its contributors | |
16 | * may be used to endorse or promote products derived from this software | |
17 | * without specific prior written permission. | |
18 | * | |
19 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND | |
20 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
22 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE | |
23 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
25 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
26 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
27 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
28 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
29 | * SUCH DAMAGE. | |
30 | */ | |
31 | ||
32 | #if (defined(__FreeBSD__) && __FreeBSD__ >= 3) | |
33 | #include "opt_ip6fw.h" | |
34 | #include "opt_inet.h" | |
35 | #endif | |
36 | ||
37 | #include <sys/param.h> | |
38 | #include <sys/systm.h> | |
39 | #include <sys/malloc.h> | |
40 | #include <sys/mbuf.h> | |
41 | #include <sys/domain.h> | |
42 | #include <sys/protosw.h> | |
43 | #include <sys/socket.h> | |
44 | #include <sys/errno.h> | |
45 | #include <sys/time.h> | |
46 | #include <sys/kernel.h> | |
47 | #include <sys/syslog.h> | |
48 | ||
49 | #include <net/if.h> | |
50 | #include <net/route.h> | |
51 | ||
52 | #include <netinet/in.h> | |
53 | #include <netinet/in_var.h> | |
54 | #include <netinet/ip_var.h> | |
55 | #include <netinet/ip6.h> | |
56 | #include <netinet6/ip6_var.h> | |
57 | #include <netinet/icmp6.h> | |
58 | #include <netinet6/nd6.h> | |
59 | ||
60 | #if IPSEC_IPV6FWD | |
61 | #include <netinet6/ipsec.h> | |
62 | #include <netkey/key.h> | |
63 | #include <netkey/key_debug.h> | |
64 | #endif /* IPSEC_IPV6FWD */ | |
65 | ||
66 | #if IPV6FIREWALL | |
67 | #include <netinet6/ip6_fw.h> | |
68 | #endif | |
69 | ||
70 | #if MIP6 | |
71 | #include <netinet6/mip6.h> | |
72 | #endif | |
73 | ||
74 | #include <net/net_osdep.h> | |
75 | ||
76 | struct route_in6 ip6_forward_rt; | |
77 | ||
78 | /* | |
79 | * Forward a packet. If some error occurs return the sender | |
80 | * an icmp packet. Note we can't always generate a meaningful | |
81 | * icmp message because icmp doesn't have a large enough repertoire | |
82 | * of codes and types. | |
83 | * | |
84 | * If not forwarding, just drop the packet. This could be confusing | |
85 | * if ipforwarding was zero but some routing protocol was advancing | |
86 | * us as a gateway to somewhere. However, we must let the routing | |
87 | * protocol deal with that. | |
88 | * | |
89 | */ | |
90 | ||
91 | void | |
92 | ip6_forward(m, srcrt) | |
93 | struct mbuf *m; | |
94 | int srcrt; | |
95 | { | |
96 | struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); | |
97 | register struct sockaddr_in6 *dst; | |
98 | register struct rtentry *rt; | |
99 | int error, type = 0, code = 0; | |
100 | struct mbuf *mcopy = NULL; | |
101 | #if IPSEC_IPV6FWD | |
102 | struct secpolicy *sp = NULL; | |
103 | #endif | |
104 | #if !(defined(__FreeBSD__) && __FreeBSD__ >= 3) && !defined(__APPLE__) | |
105 | long time_second = time.tv_sec; | |
106 | #endif | |
107 | ||
108 | #if IPSEC_IPV6FWD | |
109 | /* | |
110 | * Check AH/ESP integrity. | |
111 | */ | |
112 | /* | |
113 | * Don't increment ip6s_cantforward because this is the check | |
114 | * before forwarding packet actually. | |
115 | */ | |
116 | if (ipsec6_in_reject(m, NULL)) { | |
117 | ipsec6stat.in_polvio++; | |
118 | m_freem(m); | |
119 | return; | |
120 | } | |
121 | #endif /*IPSEC_IPV6FWD*/ | |
122 | ||
123 | if ((m->m_flags & (M_BCAST|M_MCAST)) != 0 || | |
124 | IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) { | |
125 | ip6stat.ip6s_cantforward++; | |
126 | /* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard) */ | |
127 | if (ip6_log_time + ip6_log_interval < time_second) { | |
128 | ip6_log_time = time_second; | |
129 | log(LOG_DEBUG, | |
130 | "cannot forward " | |
131 | "from %s to %s nxt %d received on %s\n", | |
132 | ip6_sprintf(&ip6->ip6_src), | |
133 | ip6_sprintf(&ip6->ip6_dst), | |
134 | ip6->ip6_nxt, | |
135 | if_name(m->m_pkthdr.rcvif)); | |
136 | } | |
137 | m_freem(m); | |
138 | return; | |
139 | } | |
140 | ||
141 | if (ip6->ip6_hlim <= IPV6_HLIMDEC) { | |
142 | /* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard) */ | |
143 | icmp6_error(m, ICMP6_TIME_EXCEEDED, | |
144 | ICMP6_TIME_EXCEED_TRANSIT, 0); | |
145 | return; | |
146 | } | |
147 | ip6->ip6_hlim -= IPV6_HLIMDEC; | |
148 | ||
149 | /* | |
150 | * Save at most ICMPV6_PLD_MAXLEN (= the min IPv6 MTU - | |
151 | * size of IPv6 + ICMPv6 headers) bytes of the packet in case | |
152 | * we need to generate an ICMP6 message to the src. | |
153 | * Thanks to M_EXT, in most cases copy will not occur. | |
154 | * | |
155 | * It is important to save it before IPsec processing as IPsec | |
156 | * processing may modify the mbuf. | |
157 | */ | |
158 | mcopy = m_copy(m, 0, imin(m->m_pkthdr.len, ICMPV6_PLD_MAXLEN)); | |
159 | ||
160 | ||
161 | #if IPSEC_IPV6FWD | |
162 | /* get a security policy for this packet */ | |
163 | sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, 0, &error); | |
164 | if (sp == NULL) { | |
165 | ipsec6stat.out_inval++; | |
166 | ip6stat.ip6s_cantforward++; | |
167 | if (mcopy) { | |
168 | #if 0 | |
169 | /* XXX: what icmp ? */ | |
170 | #else | |
171 | m_freem(mcopy); | |
172 | #endif | |
173 | } | |
174 | m_freem(m); | |
175 | return; | |
176 | } | |
177 | ||
178 | error = 0; | |
179 | ||
180 | /* check policy */ | |
181 | switch (sp->policy) { | |
182 | case IPSEC_POLICY_DISCARD: | |
183 | /* | |
184 | * This packet is just discarded. | |
185 | */ | |
186 | ipsec6stat.out_polvio++; | |
187 | ip6stat.ip6s_cantforward++; | |
188 | key_freesp(sp); | |
189 | if (mcopy) { | |
190 | #if 0 | |
191 | /* XXX: what icmp ? */ | |
192 | #else | |
193 | m_freem(mcopy); | |
194 | #endif | |
195 | } | |
196 | m_freem(m); | |
197 | return; | |
198 | ||
199 | case IPSEC_POLICY_BYPASS: | |
200 | case IPSEC_POLICY_NONE: | |
201 | /* no need to do IPsec. */ | |
202 | key_freesp(sp); | |
203 | goto skip_ipsec; | |
204 | ||
205 | case IPSEC_POLICY_IPSEC: | |
206 | if (sp->req == NULL) { | |
207 | /* XXX should be panic ? */ | |
208 | printf("ip6_forward: No IPsec request specified.\n"); | |
209 | ip6stat.ip6s_cantforward++; | |
210 | key_freesp(sp); | |
211 | if (mcopy) { | |
212 | #if 0 | |
213 | /* XXX: what icmp ? */ | |
214 | #else | |
215 | m_freem(mcopy); | |
216 | #endif | |
217 | } | |
218 | m_freem(m); | |
219 | return; | |
220 | } | |
221 | /* do IPsec */ | |
222 | break; | |
223 | ||
224 | case IPSEC_POLICY_ENTRUST: | |
225 | default: | |
226 | /* should be panic ?? */ | |
227 | printf("ip6_forward: Invalid policy found. %d\n", sp->policy); | |
228 | key_freesp(sp); | |
229 | goto skip_ipsec; | |
230 | } | |
231 | ||
232 | { | |
233 | struct ipsec_output_state state; | |
234 | ||
235 | /* | |
236 | * All the extension headers will become inaccessible | |
237 | * (since they can be encrypted). | |
238 | * Don't panic, we need no more updates to extension headers | |
239 | * on inner IPv6 packet (since they are now encapsulated). | |
240 | * | |
241 | * IPv6 [ESP|AH] IPv6 [extension headers] payload | |
242 | */ | |
243 | bzero(&state, sizeof(state)); | |
244 | state.m = m; | |
245 | state.ro = NULL; /* update at ipsec6_output_tunnel() */ | |
246 | state.dst = NULL; /* update at ipsec6_output_tunnel() */ | |
247 | ||
248 | error = ipsec6_output_tunnel(&state, sp, 0); | |
249 | ||
250 | m = state.m; | |
251 | #if 0 /* XXX allocate a route (ro, dst) again later */ | |
252 | ro = (struct route_in6 *)state.ro; | |
253 | dst = (struct sockaddr_in6 *)state.dst; | |
254 | #endif | |
255 | key_freesp(sp); | |
256 | ||
257 | if (error) { | |
258 | /* mbuf is already reclaimed in ipsec6_output_tunnel. */ | |
259 | switch (error) { | |
260 | case EHOSTUNREACH: | |
261 | case ENETUNREACH: | |
262 | case EMSGSIZE: | |
263 | case ENOBUFS: | |
264 | case ENOMEM: | |
265 | break; | |
266 | default: | |
267 | printf("ip6_output (ipsec): error code %d\n", error); | |
268 | /*fall through*/ | |
269 | case ENOENT: | |
270 | /* don't show these error codes to the user */ | |
271 | break; | |
272 | } | |
273 | ip6stat.ip6s_cantforward++; | |
274 | if (mcopy) { | |
275 | #if 0 | |
276 | /* XXX: what icmp ? */ | |
277 | #else | |
278 | m_freem(mcopy); | |
279 | #endif | |
280 | } | |
281 | m_freem(m); | |
282 | return; | |
283 | } | |
284 | } | |
285 | skip_ipsec: | |
286 | #endif /* IPSEC_IPV6FWD */ | |
287 | ||
288 | #if MIP6 | |
289 | { | |
290 | struct mip6_bc *bc; | |
291 | ||
292 | bc = mip6_bc_find(&ip6->ip6_dst); | |
293 | if ((bc != NULL) && (bc->hr_flag)) { | |
294 | if (mip6_tunnel_output(&m, bc) != 0) { | |
295 | ip6stat.ip6s_cantforward++; | |
296 | if (mcopy) | |
297 | m_freem(mcopy); | |
298 | m_freem(m); | |
299 | return; | |
300 | } | |
301 | } | |
302 | ip6 = mtod(m, struct ip6_hdr *); /* m has changed */ | |
303 | } | |
304 | #endif | |
305 | ||
306 | dst = &ip6_forward_rt.ro_dst; | |
307 | if (!srcrt) { | |
308 | /* | |
309 | * ip6_forward_rt.ro_dst.sin6_addr is equal to ip6->ip6_dst | |
310 | */ | |
311 | if (ip6_forward_rt.ro_rt == 0 || | |
312 | (ip6_forward_rt.ro_rt->rt_flags & RTF_UP) == 0) { | |
313 | if (ip6_forward_rt.ro_rt) { | |
314 | RTFREE(ip6_forward_rt.ro_rt); | |
315 | ip6_forward_rt.ro_rt = 0; | |
316 | } | |
317 | /* this probably fails but give it a try again */ | |
318 | #if __FreeBSD__ || defined(__APPLE__) | |
319 | rtalloc_ign((struct route *)&ip6_forward_rt, | |
320 | RTF_PRCLONING); | |
321 | #else | |
322 | rtalloc((struct route *)&ip6_forward_rt); | |
323 | #endif | |
324 | } | |
325 | ||
326 | if (ip6_forward_rt.ro_rt == 0) { | |
327 | ip6stat.ip6s_noroute++; | |
328 | /* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_noroute) */ | |
329 | if (mcopy) { | |
330 | icmp6_error(mcopy, ICMP6_DST_UNREACH, | |
331 | ICMP6_DST_UNREACH_NOROUTE, 0); | |
332 | } | |
333 | m_freem(m); | |
334 | return; | |
335 | } | |
336 | } else if ((rt = ip6_forward_rt.ro_rt) == 0 || | |
337 | !IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &dst->sin6_addr)) { | |
338 | if (ip6_forward_rt.ro_rt) { | |
339 | RTFREE(ip6_forward_rt.ro_rt); | |
340 | ip6_forward_rt.ro_rt = 0; | |
341 | } | |
342 | bzero(dst, sizeof(*dst)); | |
343 | dst->sin6_len = sizeof(struct sockaddr_in6); | |
344 | dst->sin6_family = AF_INET6; | |
345 | dst->sin6_addr = ip6->ip6_dst; | |
346 | ||
347 | #if __FreeBSD__ || defined(__APPLE__) | |
348 | rtalloc_ign((struct route *)&ip6_forward_rt, RTF_PRCLONING); | |
349 | #else | |
350 | rtalloc((struct route *)&ip6_forward_rt); | |
351 | #endif | |
352 | if (ip6_forward_rt.ro_rt == 0) { | |
353 | ip6stat.ip6s_noroute++; | |
354 | /* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_noroute) */ | |
355 | if (mcopy) { | |
356 | icmp6_error(mcopy, ICMP6_DST_UNREACH, | |
357 | ICMP6_DST_UNREACH_NOROUTE, 0); | |
358 | } | |
359 | m_freem(m); | |
360 | return; | |
361 | } | |
362 | } | |
363 | rt = ip6_forward_rt.ro_rt; | |
364 | ||
365 | /* | |
366 | * Scope check: if a packet can't be delivered to its destination | |
367 | * for the reason that the destination is beyond the scope of the | |
368 | * source address, discard the packet and return an icmp6 destination | |
369 | * unreachable error with Code 2 (beyond scope of source address). | |
370 | * [draft-ietf-ipngwg-icmp-v3-00.txt, Section 3.1] | |
371 | */ | |
372 | if (in6_addr2scopeid(m->m_pkthdr.rcvif, &ip6->ip6_src) != | |
373 | in6_addr2scopeid(rt->rt_ifp, &ip6->ip6_src)) { | |
374 | ip6stat.ip6s_cantforward++; | |
375 | ip6stat.ip6s_badscope++; | |
376 | in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard); | |
377 | ||
378 | if (ip6_log_time + ip6_log_interval < time_second) { | |
379 | ip6_log_time = time_second; | |
380 | log(LOG_DEBUG, | |
381 | "cannot forward " | |
382 | "src %s, dst %s, nxt %d, rcvif %s, outif %s\n", | |
383 | ip6_sprintf(&ip6->ip6_src), | |
384 | ip6_sprintf(&ip6->ip6_dst), | |
385 | ip6->ip6_nxt, | |
386 | if_name(m->m_pkthdr.rcvif), if_name(rt->rt_ifp)); | |
387 | } | |
388 | if (mcopy) | |
389 | icmp6_error(mcopy, ICMP6_DST_UNREACH, | |
390 | ICMP6_DST_UNREACH_BEYONDSCOPE, 0); | |
391 | m_freem(m); | |
392 | return; | |
393 | } | |
394 | ||
395 | if (m->m_pkthdr.len > rt->rt_ifp->if_mtu) { | |
396 | in6_ifstat_inc(rt->rt_ifp, ifs6_in_toobig); | |
397 | if (mcopy) { | |
398 | u_long mtu; | |
399 | #if IPSEC_IPV6FWD | |
400 | struct secpolicy *sp; | |
401 | int ipsecerror; | |
402 | size_t ipsechdrsiz; | |
403 | #endif | |
404 | ||
405 | mtu = rt->rt_ifp->if_mtu; | |
406 | #if IPSEC_IPV6FWD | |
407 | /* | |
408 | * When we do IPsec tunnel ingress, we need to play | |
409 | * with if_mtu value (decrement IPsec header size | |
410 | * from mtu value). The code is much simpler than v4 | |
411 | * case, as we have the outgoing interface for | |
412 | * encapsulated packet as "rt->rt_ifp". | |
413 | */ | |
414 | sp = ipsec6_getpolicybyaddr(mcopy, IPSEC_DIR_OUTBOUND, | |
415 | IP_FORWARDING, &ipsecerror); | |
416 | if (sp) { | |
417 | ipsechdrsiz = ipsec6_hdrsiz(mcopy, | |
418 | IPSEC_DIR_OUTBOUND, NULL); | |
419 | if (ipsechdrsiz < mtu) | |
420 | mtu -= ipsechdrsiz; | |
421 | } | |
422 | ||
423 | /* | |
424 | * if mtu becomes less than minimum MTU, | |
425 | * tell minimum MTU (and I'll need to fragment it). | |
426 | */ | |
427 | if (mtu < IPV6_MMTU) | |
428 | mtu = IPV6_MMTU; | |
429 | #endif | |
430 | icmp6_error(mcopy, ICMP6_PACKET_TOO_BIG, 0, mtu); | |
431 | } | |
432 | m_freem(m); | |
433 | return; | |
434 | } | |
435 | ||
436 | if (rt->rt_flags & RTF_GATEWAY) | |
437 | dst = (struct sockaddr_in6 *)rt->rt_gateway; | |
438 | ||
439 | /* | |
440 | * If we are to forward the packet using the same interface | |
441 | * as one we got the packet from, perhaps we should send a redirect | |
442 | * to sender to shortcut a hop. | |
443 | * Only send redirect if source is sending directly to us, | |
444 | * and if packet was not source routed (or has any options). | |
445 | * Also, don't send redirect if forwarding using a route | |
446 | * modified by a redirect. | |
447 | */ | |
448 | if (rt->rt_ifp == m->m_pkthdr.rcvif && !srcrt && | |
449 | (rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0) | |
450 | type = ND_REDIRECT; | |
451 | ||
452 | #if IPV6FIREWALL | |
453 | /* | |
454 | * Check with the firewall... | |
455 | */ | |
456 | if (ip6_fw_chk_ptr) { | |
457 | u_short port = 0; | |
458 | /* If ipfw says divert, we have to just drop packet */ | |
459 | if ((*ip6_fw_chk_ptr)(&ip6, rt->rt_ifp, &port, &m)) { | |
460 | m_freem(m); | |
461 | goto freecopy; | |
462 | } | |
463 | if (!m) | |
464 | goto freecopy; | |
465 | } | |
466 | #endif | |
467 | ||
468 | #if OLDIP6OUTPUT | |
469 | error = (*rt->rt_ifp->if_output)(rt->rt_ifp, m, | |
470 | (struct sockaddr *)dst, | |
471 | ip6_forward_rt.ro_rt); | |
472 | #else | |
473 | error = nd6_output(rt->rt_ifp, m, dst, rt); | |
474 | #endif | |
475 | if (error) { | |
476 | in6_ifstat_inc(rt->rt_ifp, ifs6_out_discard); | |
477 | ip6stat.ip6s_cantforward++; | |
478 | } else { | |
479 | ip6stat.ip6s_forward++; | |
480 | in6_ifstat_inc(rt->rt_ifp, ifs6_out_forward); | |
481 | if (type) | |
482 | ip6stat.ip6s_redirectsent++; | |
483 | else { | |
484 | if (mcopy) | |
485 | goto freecopy; | |
486 | } | |
487 | } | |
488 | if (mcopy == NULL) | |
489 | return; | |
490 | ||
491 | switch (error) { | |
492 | case 0: | |
493 | #if 1 | |
494 | if (type == ND_REDIRECT) { | |
495 | icmp6_redirect_output(mcopy, rt); | |
496 | return; | |
497 | } | |
498 | #endif | |
499 | goto freecopy; | |
500 | ||
501 | case EMSGSIZE: | |
502 | /* xxx MTU is constant in PPP? */ | |
503 | goto freecopy; | |
504 | ||
505 | case ENOBUFS: | |
506 | /* Tell source to slow down like source quench in IP? */ | |
507 | goto freecopy; | |
508 | ||
509 | case ENETUNREACH: /* shouldn't happen, checked above */ | |
510 | case EHOSTUNREACH: | |
511 | case ENETDOWN: | |
512 | case EHOSTDOWN: | |
513 | default: | |
514 | type = ICMP6_DST_UNREACH; | |
515 | code = ICMP6_DST_UNREACH_ADDR; | |
516 | break; | |
517 | } | |
518 | icmp6_error(mcopy, type, code, 0); | |
519 | return; | |
520 | ||
521 | freecopy: | |
522 | m_freem(mcopy); | |
523 | return; | |
524 | } |