]> git.saurik.com Git - apple/xnu.git/blob - bsd/netinet6/ip6_input.c
projects / apple / xnu.git / blob
? search:


ae8fecd689a080106caa62721d80281c2b655e04
[apple/xnu.git] / bsd / netinet6 / ip6_input.c
1 /*
2 * Copyright (c) 2003-2011 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28 /* $FreeBSD: src/sys/netinet6/ip6_input.c,v 1.11.2.10 2001/07/24 19:10:18 brooks Exp $ */
29 /* $KAME: ip6_input.c,v 1.194 2001/05/27 13:28:35 itojun Exp $ */
30
31 /*
32 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
33 * All rights reserved.
34 *
35 * Redistribution and use in source and binary forms, with or without
36 * modification, are permitted provided that the following conditions
37 * are met:
38 * 1. Redistributions of source code must retain the above copyright
39 * notice, this list of conditions and the following disclaimer.
40 * 2. Redistributions in binary form must reproduce the above copyright
41 * notice, this list of conditions and the following disclaimer in the
42 * documentation and/or other materials provided with the distribution.
43 * 3. Neither the name of the project nor the names of its contributors
44 * may be used to endorse or promote products derived from this software
45 * without specific prior written permission.
46 *
47 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
48 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
49 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
50 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
51 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
52 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
53 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
54 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
55 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
56 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
57 * SUCH DAMAGE.
58 */
59
60 /*
61 * Copyright (c) 1982, 1986, 1988, 1993
62 * The Regents of the University of California. All rights reserved.
63 *
64 * Redistribution and use in source and binary forms, with or without
65 * modification, are permitted provided that the following conditions
66 * are met:
67 * 1. Redistributions of source code must retain the above copyright
68 * notice, this list of conditions and the following disclaimer.
69 * 2. Redistributions in binary form must reproduce the above copyright
70 * notice, this list of conditions and the following disclaimer in the
71 * documentation and/or other materials provided with the distribution.
72 * 3. All advertising materials mentioning features or use of this software
73 * must display the following acknowledgement:
74 * This product includes software developed by the University of
75 * California, Berkeley and its contributors.
76 * 4. Neither the name of the University nor the names of its contributors
77 * may be used to endorse or promote products derived from this software
78 * without specific prior written permission.
79 *
80 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
81 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
82 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
83 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
84 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
85 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
86 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
87 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
88 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
89 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
90 * SUCH DAMAGE.
91 *
92 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94
93 */
94
95
96 #include <sys/param.h>
97 #include <sys/systm.h>
98 #include <sys/malloc.h>
99 #include <sys/mbuf.h>
100 #include <sys/domain.h>
101 #include <sys/protosw.h>
102 #include <sys/socket.h>
103 #include <sys/socketvar.h>
104 #include <sys/errno.h>
105 #include <sys/time.h>
106 #include <sys/kernel.h>
107 #include <sys/syslog.h>
108 #include <sys/sysctl.h>
109 #include <sys/proc.h>
110 #include <sys/kauth.h>
111 #include <sys/mcache.h>
112 #include <mach/mach_time.h>
113
114 #include <pexpert/pexpert.h>
115
116 #include <net/if.h>
117 #include <net/if_var.h>
118 #include <net/if_types.h>
119 #include <net/if_dl.h>
120 #include <net/route.h>
121 #include <net/kpi_protocol.h>
122 #include <net/ntstat.h>
123
124 #include <netinet/in.h>
125 #include <netinet/in_systm.h>
126 #if INET
127 #include <netinet/ip.h>
128 #include <netinet/ip_icmp.h>
129 #endif /*INET*/
130 #include <netinet/ip6.h>
131 #include <netinet6/in6_var.h>
132 #include <netinet6/ip6_var.h>
133 #include <netinet/in_pcb.h>
134 #include <netinet/icmp6.h>
135 #include <netinet6/in6_ifattach.h>
136 #include <netinet6/nd6.h>
137 #include <netinet6/scope6_var.h>
138 #include <mach/sdt.h>
139
140 #if IPSEC
141 #include <netinet6/ipsec.h>
142 #if INET6
143 #include <netinet6/ipsec6.h>
144 #endif
145 extern int ipsec_bypass;
146 #endif
147
148 #include <netinet6/ip6_fw.h>
149
150 #include <netinet/kpi_ipfilter_var.h>
151
152 #include <netinet6/ip6protosw.h>
153
154 /* we need it for NLOOP. */
155 #include "loop.h"
156 #include "faith.h"
157
158 #include <net/net_osdep.h>
159
160 #if PF
161 #include <net/pfvar.h>
162 #endif /* PF */
163
164 extern struct domain inet6domain;
165 extern struct ip6protosw inet6sw[];
166
167 struct ip6protosw * ip6_protox[IPPROTO_MAX];
168 static int ip6qmaxlen = IFQ_MAXLEN;
169
170 static lck_grp_attr_t *in6_ifaddr_rwlock_grp_attr;
171 static lck_grp_t *in6_ifaddr_rwlock_grp;
172 static lck_attr_t *in6_ifaddr_rwlock_attr;
173 decl_lck_rw_data(, in6_ifaddr_rwlock);
174
175 /* Protected by in6_ifaddr_rwlock */
176 struct in6_ifaddr *in6_ifaddrs = NULL;
177
178 int ip6_forward_srcrt; /* XXX */
179 int ip6_sourcecheck; /* XXX */
180 int ip6_sourcecheck_interval; /* XXX */
181 const int int6intrq_present = 1;
182
183 int ip6_ours_check_algorithm;
184 int in6_init2done = 0;
185 int in6_init_done = 0;
186
187 #define _CASSERT(x) \
188 switch (0) { case 0: case (x): ; }
189 #define IN6_IFSTAT_REQUIRE_ALIGNED_64(f) \
190 _CASSERT(!(offsetof(struct in6_ifstat, f) % sizeof (uint64_t)))
191 #define ICMP6_IFSTAT_REQUIRE_ALIGNED_64(f) \
192 _CASSERT(!(offsetof(struct icmp6_ifstat, f) % sizeof (uint64_t)))
193
194 #if IPFW2
195 /* firewall hooks */
196 ip6_fw_chk_t *ip6_fw_chk_ptr;
197 ip6_fw_ctl_t *ip6_fw_ctl_ptr;
198 int ip6_fw_enable = 1;
199 #endif
200
201 struct ip6stat ip6stat;
202
203 #ifdef __APPLE__
204 struct ifqueue ip6intrq;
205 decl_lck_mtx_data(, ip6_init_mutex);
206 lck_mtx_t *dad6_mutex;
207 lck_mtx_t *nd6_mutex;
208 lck_mtx_t *prefix6_mutex;
209 lck_mtx_t *scope6_mutex;
210 #ifdef ENABLE_ADDRSEL
211 lck_mtx_t *addrsel_mutex;
212 #endif
213 decl_lck_rw_data(, in6_ifs_rwlock);
214 decl_lck_rw_data(, icmp6_ifs_rwlock);
215 lck_attr_t *ip6_mutex_attr;
216 lck_grp_t *ip6_mutex_grp;
217 lck_grp_attr_t *ip6_mutex_grp_attr;
218 extern lck_mtx_t *inet6_domain_mutex;
219 #endif
220 extern int loopattach_done;
221 extern void addrsel_policy_init(void);
222
223 static void ip6_init2(void *);
224 static struct ip6aux *ip6_setdstifaddr(struct mbuf *, struct in6_ifaddr *);
225
226 static int ip6_hopopts_input(u_int32_t *, u_int32_t *, struct mbuf **, int *);
227 #if PULLDOWN_TEST
228 static struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int);
229 #endif
230
231 #ifdef __APPLE__
232 void gifattach(void);
233 void faithattach(void);
234 void stfattach(void);
235 #endif
236
237 extern lck_mtx_t *domain_proto_mtx;
238
239 SYSCTL_DECL(_net_inet6_ip6);
240
241 int ip6_doscopedroute = 1;
242 SYSCTL_INT(_net_inet6_ip6, OID_AUTO, scopedroute, CTLFLAG_RD | CTLFLAG_LOCKED,
243 &ip6_doscopedroute, 0, "Enable IPv6 scoped routing");
244
245 static void
246 ip6_proto_input(
247 __unused protocol_family_t protocol,
248 mbuf_t packet)
249 {
250 ip6_input(packet);
251 }
252
253 /*
254 * IP6 initialization: fill in IP6 protocol switch table.
255 * All protocols not implemented in kernel go to raw IP6 protocol handler.
256 */
257 void
258 ip6_init()
259 {
260 struct ip6protosw *pr;
261 int i;
262 struct timeval tv;
263
264 PE_parse_boot_argn("net.inet6.ip6.scopedroute", &ip6_doscopedroute,
265 sizeof (ip6_doscopedroute));
266
267 #if DIAGNOSTIC
268 if (sizeof(struct protosw) != sizeof(struct ip6protosw))
269 panic("sizeof(protosw) != sizeof(ip6protosw)");
270 #endif
271 pr = (struct ip6protosw *)pffindproto_locked(PF_INET6, IPPROTO_RAW, SOCK_RAW);
272 if (pr == 0)
273 panic("ip6_init");
274 for (i = 0; i < IPPROTO_MAX; i++)
275 ip6_protox[i] = pr;
276 for (pr = (struct ip6protosw*)inet6domain.dom_protosw; pr; pr = pr->pr_next) {
277 if(!(pr->pr_domain)) continue; /* If uninitialized, skip */
278 if (pr->pr_domain->dom_family == PF_INET6 &&
279 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) {
280 ip6_protox[pr->pr_protocol] = pr;
281 }
282 }
283
284 ip6_mutex_grp_attr = lck_grp_attr_alloc_init();
285
286 ip6_mutex_grp = lck_grp_alloc_init("ip6", ip6_mutex_grp_attr);
287 ip6_mutex_attr = lck_attr_alloc_init();
288
289 if ((dad6_mutex = lck_mtx_alloc_init(ip6_mutex_grp, ip6_mutex_attr)) == NULL) {
290 panic("ip6_init: can't alloc dad6_mutex\n");
291 }
292 if ((nd6_mutex = lck_mtx_alloc_init(ip6_mutex_grp, ip6_mutex_attr)) == NULL) {
293 panic("ip6_init: can't alloc nd6_mutex\n");
294 }
295
296 if ((prefix6_mutex = lck_mtx_alloc_init(ip6_mutex_grp, ip6_mutex_attr)) == NULL) {
297 panic("ip6_init: can't alloc prefix6_mutex\n");
298 }
299
300 if ((scope6_mutex = lck_mtx_alloc_init(ip6_mutex_grp, ip6_mutex_attr)) == NULL) {
301 panic("ip6_init: can't alloc scope6_mutex\n");
302 }
303
304 #ifdef ENABLE_ADDRSEL
305 if ((addrsel_mutex = lck_mtx_alloc_init(ip6_mutex_grp, ip6_mutex_attr)) == NULL) {
306 panic("ip6_init: can't alloc addrsel_mutex\n");
307 }
308 #endif
309
310 lck_rw_init(&in6_ifs_rwlock, ip6_mutex_grp, ip6_mutex_attr);
311 lck_rw_init(&icmp6_ifs_rwlock, ip6_mutex_grp, ip6_mutex_attr);
312 lck_mtx_init(&ip6_init_mutex, ip6_mutex_grp, ip6_mutex_attr);
313
314 inet6domain.dom_flags = DOM_REENTRANT;
315
316 ip6intrq.ifq_maxlen = ip6qmaxlen;
317
318 in6_ifaddr_rwlock_grp_attr = lck_grp_attr_alloc_init();
319 in6_ifaddr_rwlock_grp = lck_grp_alloc_init("in6_ifaddr_rwlock",
320 in6_ifaddr_rwlock_grp_attr);
321 in6_ifaddr_rwlock_attr = lck_attr_alloc_init();
322 lck_rw_init(&in6_ifaddr_rwlock, in6_ifaddr_rwlock_grp,
323 in6_ifaddr_rwlock_attr);
324
325 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_receive);
326 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_hdrerr);
327 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_toobig);
328 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_noroute);
329 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_addrerr);
330 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_protounknown);
331 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_truncated);
332 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_discard);
333 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_deliver);
334 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_forward);
335 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_request);
336 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_discard);
337 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_fragok);
338 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_fragfail);
339 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_fragcreat);
340 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_reass_reqd);
341 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_reass_ok);
342 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_reass_fail);
343 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_mcast);
344 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_mcast);
345
346 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_msg);
347 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_error);
348 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_dstunreach);
349 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_adminprohib);
350 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_timeexceed);
351 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_paramprob);
352 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_pkttoobig);
353 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_echo);
354 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_echoreply);
355 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_routersolicit);
356 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_routeradvert);
357 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_neighborsolicit);
358 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_neighboradvert);
359 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_redirect);
360 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_mldquery);
361 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_mldreport);
362 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_mlddone);
363
364 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_msg);
365 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_error);
366 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_dstunreach);
367 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_adminprohib);
368 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_timeexceed);
369 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_paramprob);
370 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_pkttoobig);
371 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_echo);
372 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_echoreply);
373 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_routersolicit);
374 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_routeradvert);
375 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_neighborsolicit);
376 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_neighboradvert);
377 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_redirect);
378 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_mldquery);
379 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_mldreport);
380 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_mlddone);
381
382 in6_ifaddr_init();
383 ip6_moptions_init();
384 nd6_init();
385 frag6_init();
386 icmp6_init();
387 addrsel_policy_init();
388 /*
389 * in many cases, random() here does NOT return random number
390 * as initialization during bootstrap time occur in fixed order.
391 */
392 microtime(&tv);
393 ip6_flow_seq = random() ^ tv.tv_usec;
394 microtime(&tv);
395 ip6_desync_factor = (random() ^ tv.tv_usec) % MAX_TEMP_DESYNC_FACTOR;
396 timeout(ip6_init2, (caddr_t)0, 1 * hz);
397
398 lck_mtx_unlock(domain_proto_mtx);
399 proto_register_input(PF_INET6, ip6_proto_input, NULL, 0);
400 lck_mtx_lock(domain_proto_mtx);
401 }
402
403 static void
404 ip6_init2(
405 __unused void *dummy)
406 {
407 /*
408 * to route local address of p2p link to loopback,
409 * assign loopback address first.
410 */
411 if (loopattach_done == 0) {
412 timeout(ip6_init2, (caddr_t)0, 1 * hz);
413 return;
414 }
415 (void) in6_ifattach(lo_ifp, NULL, NULL);
416
417 #ifdef __APPLE__
418 /* nd6_timer_init */
419 timeout(nd6_timer, (caddr_t)0, hz);
420
421 /* timer for regeneranation of temporary addresses randomize ID */
422 timeout(in6_tmpaddrtimer, (caddr_t)0,
423 (ip6_temp_preferred_lifetime - ip6_desync_factor -
424 ip6_temp_regen_advance) * hz);
425
426 #if NGIF
427 gifattach();
428 #endif
429 #if NFAITH
430 faithattach();
431 #endif
432 #if NSTF
433 stfattach();
434 #endif
435 #endif
436 in6_init2done = 1;
437
438 lck_mtx_lock(&ip6_init_mutex);
439 in6_init_done = 1;
440 wakeup(&in6_init_done);
441 lck_mtx_unlock(&ip6_init_mutex);
442 }
443
444 void
445 ip6_fin()
446 {
447 lck_mtx_lock(&ip6_init_mutex);
448 while (in6_init_done == 0) {
449 (void) msleep(&in6_init_done, &ip6_init_mutex, 0, "ip6_fin()", NULL);
450 }
451 lck_mtx_unlock(&ip6_init_mutex);
452 }
453
454 void
455 ip6_input(struct mbuf *m)
456 {
457 struct ip6_hdr *ip6;
458 int off = sizeof(struct ip6_hdr), nest;
459 u_int32_t plen;
460 u_int32_t rtalert = ~0;
461 int nxt = 0, ours = 0;
462 struct ifnet *deliverifp = NULL;
463 ipfilter_t inject_ipfref = 0;
464 int seen;
465 struct in6_ifaddr *ia6 = NULL;
466 struct route_in6 ip6_forward_rt;
467 struct sockaddr_in6 *dst6;
468
469 bzero(&ip6_forward_rt, sizeof(ip6_forward_rt));
470
471 /* Check if the packet we received is valid after interface filter
472 * processing
473 */
474 MBUF_INPUT_CHECK(m, m->m_pkthdr.rcvif);
475
476 /*
477 * No need to proccess packet twice if we've
478 * already seen it
479 */
480 inject_ipfref = ipf_get_inject_filter(m);
481 if (inject_ipfref != 0) {
482 ip6 = mtod(m, struct ip6_hdr *);
483 nxt = ip6->ip6_nxt;
484 seen = 0;
485 goto injectit;
486 } else
487 seen = 1;
488
489 #if IPSEC
490 /*
491 * should the inner packet be considered authentic?
492 * see comment in ah4_input().
493 */
494 if (m) {
495 m->m_flags &= ~M_AUTHIPHDR;
496 m->m_flags &= ~M_AUTHIPDGM;
497 }
498 #endif
499
500 /*
501 * make sure we don't have onion peering information into m_aux.
502 */
503 ip6_delaux(m);
504
505 /*
506 * mbuf statistics
507 */
508 if (m->m_flags & M_EXT) {
509 if (m->m_next)
510 ip6stat.ip6s_mext2m++;
511 else
512 ip6stat.ip6s_mext1++;
513 } else {
514 #define M2MMAX (sizeof(ip6stat.ip6s_m2m)/sizeof(ip6stat.ip6s_m2m[0]))
515 if (m->m_next) {
516 if (m->m_flags & M_LOOP) {
517 ip6stat.ip6s_m2m[ifnet_index(lo_ifp)]++; /* XXX */
518 } else if (m->m_pkthdr.rcvif->if_index < M2MMAX)
519 ip6stat.ip6s_m2m[m->m_pkthdr.rcvif->if_index]++;
520 else
521 ip6stat.ip6s_m2m[0]++;
522 } else
523 ip6stat.ip6s_m1++;
524 #undef M2MMAX
525 }
526
527 /* drop the packet if IPv6 operation is disabled on the IF */
528 lck_rw_lock_shared(nd_if_rwlock);
529 if (m->m_pkthdr.rcvif->if_index < nd_ifinfo_indexlim &&
530 (nd_ifinfo[m->m_pkthdr.rcvif->if_index].flags & ND6_IFF_IFDISABLED)) {
531 lck_rw_done(nd_if_rwlock);
532 goto bad;
533 }
534 lck_rw_done(nd_if_rwlock);
535
536 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_receive);
537 ip6stat.ip6s_total++;
538
539 #ifndef PULLDOWN_TEST
540 /*
541 * L2 bridge code and some other code can return mbuf chain
542 * that does not conform to KAME requirement. too bad.
543 * XXX: fails to join if interface MTU > MCLBYTES. jumbogram?
544 */
545 if (m && m->m_next != NULL && m->m_pkthdr.len < MCLBYTES) {
546 struct mbuf *n;
547
548 MGETHDR(n, M_DONTWAIT, MT_HEADER); /* MAC-OK */
549 if (n)
550 M_COPY_PKTHDR(n, m);
551 if (n && m->m_pkthdr.len > MHLEN) {
552 MCLGET(n, M_DONTWAIT);
553 if ((n->m_flags & M_EXT) == 0) {
554 m_freem(n);
555 n = NULL;
556 }
557 }
558 if (n == NULL)
559 goto bad;
560
561 m_copydata(m, 0, m->m_pkthdr.len, mtod(n, caddr_t));
562 n->m_len = m->m_pkthdr.len;
563 m_freem(m);
564 m = n;
565 }
566 IP6_EXTHDR_CHECK(m, 0, sizeof(struct ip6_hdr),
567 {goto done;});
568 #endif
569
570 if (m->m_len < sizeof(struct ip6_hdr)) {
571 struct ifnet *inifp;
572 inifp = m->m_pkthdr.rcvif;
573 if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == 0) {
574 ip6stat.ip6s_toosmall++;
575 in6_ifstat_inc(inifp, ifs6_in_hdrerr);
576 goto done;
577 }
578 }
579
580 ip6 = mtod(m, struct ip6_hdr *);
581
582 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) {
583 ip6stat.ip6s_badvers++;
584 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
585 goto bad;
586 }
587
588 ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
589
590 #if IPFW2
591 /*
592 * Check with the firewall...
593 */
594 if (ip6_fw_enable && ip6_fw_chk_ptr) {
595 u_short port = 0;
596 /* If ipfw says divert, we have to just drop packet */
597 /* use port as a dummy argument */
598 if ((*ip6_fw_chk_ptr)(&ip6, NULL, &port, &m)) {
599 m_freem(m);
600 m = NULL;
601 }
602 if (!m)
603 goto done;
604 }
605 #endif
606
607 /*
608 * Check against address spoofing/corruption.
609 */
610 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) ||
611 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) {
612 /*
613 * XXX: "badscope" is not very suitable for a multicast source.
614 */
615 ip6stat.ip6s_badscope++;
616 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
617 goto bad;
618 }
619 if (IN6_IS_ADDR_MC_INTFACELOCAL(&ip6->ip6_dst) &&
620 !(m->m_flags & M_LOOP)) {
621 /*
622 * In this case, the packet should come from the loopback
623 * interface. However, we cannot just check the if_flags,
624 * because ip6_mloopback() passes the "actual" interface
625 * as the outgoing/incoming interface.
626 */
627 ip6stat.ip6s_badscope++;
628 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
629 goto bad;
630 }
631
632 /*
633 * The following check is not documented in specs. A malicious
634 * party may be able to use IPv4 mapped addr to confuse tcp/udp stack
635 * and bypass security checks (act as if it was from 127.0.0.1 by using
636 * IPv6 src ::ffff:127.0.0.1). Be cautious.
637 *
638 * This check chokes if we are in an SIIT cloud. As none of BSDs
639 * support IPv4-less kernel compilation, we cannot support SIIT
640 * environment at all. So, it makes more sense for us to reject any
641 * malicious packets for non-SIIT environment, than try to do a
642 * partial support for SIIT environment.
643 */
644 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
645 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
646 ip6stat.ip6s_badscope++;
647 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
648 goto bad;
649 }
650 #if 0
651 /*
652 * Reject packets with IPv4 compatible addresses (auto tunnel).
653 *
654 * The code forbids auto tunnel relay case in RFC1933 (the check is
655 * stronger than RFC1933). We may want to re-enable it if mech-xx
656 * is revised to forbid relaying case.
657 */
658 if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) ||
659 IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {
660 ip6stat.ip6s_badscope++;
661 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
662 goto bad;
663 }
664 #endif
665
666 /*
667 * Naively assume we can attribute inbound data to the route we would
668 * use to send to this destination. Asymetric routing breaks this
669 * assumption, but it still allows us to account for traffic from
670 * a remote node in the routing table.
671 * this has a very significant performance impact so we bypass
672 * if nstat_collect is disabled. We may also bypass if the
673 * protocol is tcp in the future because tcp will have a route that
674 * we can use to attribute the data to. That does mean we would not
675 * account for forwarded tcp traffic.
676 */
677 if (nstat_collect) {
678 struct rtentry *rte =
679 ifnet_cached_rtlookup_inet6(m->m_pkthdr.rcvif,
680 &ip6->ip6_src);
681 if (rte != NULL) {
682 nstat_route_rx(rte, 1, m->m_pkthdr.len, 0);
683 rtfree(rte);
684 }
685 }
686
687 #if PF
688 /* Invoke inbound packet filter */
689 if (PF_IS_ENABLED) {
690 int error;
691 error = pf_af_hook(m->m_pkthdr.rcvif, NULL, &m, AF_INET6, TRUE);
692 if (error != 0) {
693 if (m != NULL) {
694 panic("%s: unexpected packet %p\n", __func__, m);
695 /* NOTREACHED */
696 }
697 /* Already freed by callee */
698 goto done;
699 }
700 ip6 = mtod(m, struct ip6_hdr *);
701 }
702 #endif /* PF */
703
704 /* drop packets if interface ID portion is already filled */
705 if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
706 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src) &&
707 ip6->ip6_src.s6_addr16[1]) {
708 ip6stat.ip6s_badscope++;
709 goto bad;
710 }
711 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst) &&
712 ip6->ip6_dst.s6_addr16[1]) {
713 ip6stat.ip6s_badscope++;
714 goto bad;
715 }
716 }
717
718 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src))
719 ip6->ip6_src.s6_addr16[1]
720 = htons(m->m_pkthdr.rcvif->if_index);
721 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
722 ip6->ip6_dst.s6_addr16[1]
723 = htons(m->m_pkthdr.rcvif->if_index);
724
725 /*
726 * Multicast check
727 */
728 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
729 struct in6_multi *in6m = NULL;
730 struct ifnet *ifp = m->m_pkthdr.rcvif;
731
732 in6_ifstat_inc(ifp, ifs6_in_mcast);
733 /*
734 * See if we belong to the destination multicast group on the
735 * arrival interface.
736 */
737 in6_multihead_lock_shared();
738 IN6_LOOKUP_MULTI(&ip6->ip6_dst, ifp, in6m);
739 in6_multihead_lock_done();
740 if (in6m != NULL) {
741 IN6M_REMREF(in6m);
742 ours = 1;
743 }
744 else
745 #if MROUTING
746 if (!ip6_mrouter)
747 #endif
748 {
749 ip6stat.ip6s_notmember++;
750 ip6stat.ip6s_cantforward++;
751 in6_ifstat_inc(ifp, ifs6_in_discard);
752 goto bad;
753 }
754 deliverifp = ifp;
755 goto hbhcheck;
756 }
757
758 /*
759 * Unicast check
760 */
761 dst6 = (struct sockaddr_in6 *)&ip6_forward_rt.ro_dst;
762 dst6->sin6_len = sizeof(struct sockaddr_in6);
763 dst6->sin6_family = AF_INET6;
764 dst6->sin6_addr = ip6->ip6_dst;
765
766 rtalloc_scoped_ign((struct route *)&ip6_forward_rt,
767 RTF_PRCLONING, IFSCOPE_NONE);
768 if (ip6_forward_rt.ro_rt != NULL)
769 RT_LOCK(ip6_forward_rt.ro_rt);
770
771 #define rt6_key(r) ((struct sockaddr_in6 *)((r)->rt_nodes->rn_key))
772
773 /*
774 * Accept the packet if the forwarding interface to the destination
775 * according to the routing table is the loopback interface,
776 * unless the associated route has a gateway.
777 * Note that this approach causes to accept a packet if there is a
778 * route to the loopback interface for the destination of the packet.
779 * But we think it's even useful in some situations, e.g. when using
780 * a special daemon which wants to intercept the packet.
781 *
782 * XXX: some OSes automatically make a cloned route for the destination
783 * of an outgoing packet. If the outgoing interface of the packet
784 * is a loopback one, the kernel would consider the packet to be
785 * accepted, even if we have no such address assinged on the interface.
786 * We check the cloned flag of the route entry to reject such cases,
787 * assuming that route entries for our own addresses are not made by
788 * cloning (it should be true because in6_addloop explicitly installs
789 * the host route). However, we might have to do an explicit check
790 * while it would be less efficient. Or, should we rather install a
791 * reject route for such a case?
792 */
793 if (ip6_forward_rt.ro_rt != NULL &&
794 (ip6_forward_rt.ro_rt->rt_flags &
795 (RTF_HOST|RTF_GATEWAY)) == RTF_HOST &&
796 #if RTF_WASCLONED
797 !(ip6_forward_rt.ro_rt->rt_flags & RTF_WASCLONED) &&
798 #endif
799 #if 0
800 /*
801 * The check below is redundant since the comparison of
802 * the destination and the key of the rtentry has
803 * already done through looking up the routing table.
804 */
805 IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst,
806 &rt6_key(ip6_forward_rt.ro_rt)->sin6_addr)
807 #endif
808 ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_LOOP) {
809 ia6 = (struct in6_ifaddr *)ip6_forward_rt.ro_rt->rt_ifa;
810
811 /*
812 * record address information into m_aux.
813 */
814 (void)ip6_setdstifaddr(m, ia6);
815
816 /*
817 * packets to a tentative, duplicated, or somehow invalid
818 * address must not be accepted.
819 */
820 RT_CONVERT_LOCK(ip6_forward_rt.ro_rt); /* just in case */
821 IFA_LOCK_SPIN(&ia6->ia_ifa);
822 if (!(ia6->ia6_flags & IN6_IFF_NOTREADY)) {
823 IFA_UNLOCK(&ia6->ia_ifa);
824 /* this address is ready */
825 ours = 1;
826 deliverifp = ia6->ia_ifp; /* correct? */
827 /* Count the packet in the ip address stats */
828
829 RT_UNLOCK(ip6_forward_rt.ro_rt);
830 ia6 = NULL;
831 goto hbhcheck;
832 }
833 IFA_UNLOCK(&ia6->ia_ifa);
834 RT_UNLOCK(ip6_forward_rt.ro_rt);
835 /* address is not ready, so discard the packet. */
836 nd6log((LOG_INFO,
837 "ip6_input: packet to an unready address %s->%s\n",
838 ip6_sprintf(&ip6->ip6_src),
839 ip6_sprintf(&ip6->ip6_dst)));
840 ia6 = NULL;
841 goto bad;
842 }
843
844 /*
845 * FAITH (Firewall Aided Internet Translator)
846 */
847 #if defined(NFAITH) && 0 < NFAITH
848 if (ip6_keepfaith) {
849 if (ip6_forward_rt.ro_rt && ip6_forward_rt.ro_rt->rt_ifp
850 && ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_FAITH) {
851 /* XXX do we need more sanity checks? */
852 ours = 1;
853 deliverifp = ip6_forward_rt.ro_rt->rt_ifp; /* faith */
854 RT_UNLOCK(ip6_forward_rt.ro_rt);
855 goto hbhcheck;
856 }
857 }
858 #endif
859 if (ip6_forward_rt.ro_rt != NULL)
860 RT_UNLOCK(ip6_forward_rt.ro_rt);
861
862 /*
863 * Now there is no reason to process the packet if it's not our own
864 * and we're not a router.
865 */
866 if (!ip6_forwarding) {
867 ip6stat.ip6s_cantforward++;
868 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
869 goto bad;
870 }
871
872 hbhcheck:
873 /*
874 * record address information into m_aux, if we don't have one yet.
875 * note that we are unable to record it, if the address is not listed
876 * as our interface address (e.g. multicast addresses, addresses
877 * within FAITH prefixes and such).
878 */
879 if (deliverifp && (ia6 = ip6_getdstifaddr(m)) == NULL) {
880 ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst);
881 if (ia6) {
882 if (!ip6_setdstifaddr(m, ia6)) {
883 /*
884 * XXX maybe we should drop the packet here,
885 * as we could not provide enough information
886 * to the upper layers.
887 */
888 }
889 IFA_REMREF(&ia6->ia_ifa);
890 ia6 = NULL;
891 }
892 }
893
894 if (ia6 != NULL) {
895 IFA_REMREF(&ia6->ia_ifa);
896 ia6 = NULL;
897 }
898
899 /*
900 * Process Hop-by-Hop options header if it's contained.
901 * m may be modified in ip6_hopopts_input().
902 * If a JumboPayload option is included, plen will also be modified.
903 */
904 plen = (u_int32_t)ntohs(ip6->ip6_plen);
905 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) {
906 struct ip6_hbh *hbh;
907
908 if (ip6_hopopts_input(&plen, &rtalert, &m, &off)) {
909 #if 0 /*touches NULL pointer*/
910 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
911 #endif
912 goto done; /* m have already been freed */
913 }
914
915 /* adjust pointer */
916 ip6 = mtod(m, struct ip6_hdr *);
917
918 /*
919 * if the payload length field is 0 and the next header field
920 * indicates Hop-by-Hop Options header, then a Jumbo Payload
921 * option MUST be included.
922 */
923 if (ip6->ip6_plen == 0 && plen == 0) {
924 /*
925 * Note that if a valid jumbo payload option is
926 * contained, ip6_hopopts_input() must set a valid
927 * (non-zero) payload length to the variable plen.
928 */
929 ip6stat.ip6s_badoptions++;
930 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
931 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
932 icmp6_error(m, ICMP6_PARAM_PROB,
933 ICMP6_PARAMPROB_HEADER,
934 (caddr_t)&ip6->ip6_plen - (caddr_t)ip6);
935 goto done;
936 }
937 #ifndef PULLDOWN_TEST
938 /* ip6_hopopts_input() ensures that mbuf is contiguous */
939 hbh = (struct ip6_hbh *)(ip6 + 1);
940 #else
941 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr),
942 sizeof(struct ip6_hbh));
943 if (hbh == NULL) {
944 ip6stat.ip6s_tooshort++;
945 goto done;
946 }
947 #endif
948 nxt = hbh->ip6h_nxt;
949
950 /*
951 * If we are acting as a router and the packet contains a
952 * router alert option, see if we know the option value.
953 * Currently, we only support the option value for MLD, in which
954 * case we should pass the packet to the multicast routing
955 * daemon.
956 */
957 if (rtalert != ~0 && ip6_forwarding) {
958 switch (rtalert) {
959 case IP6OPT_RTALERT_MLD:
960 ours = 1;
961 break;
962 default:
963 /*
964 * RFC2711 requires unrecognized values must be
965 * silently ignored.
966 */
967 break;
968 }
969 }
970 } else
971 nxt = ip6->ip6_nxt;
972
973 /*
974 * Check that the amount of data in the buffers
975 * is as at least much as the IPv6 header would have us expect.
976 * Trim mbufs if longer than we expect.
977 * Drop packet if shorter than we expect.
978 */
979 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) {
980 ip6stat.ip6s_tooshort++;
981 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
982 goto bad;
983 }
984 if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) {
985 if (m->m_len == m->m_pkthdr.len) {
986 m->m_len = sizeof(struct ip6_hdr) + plen;
987 m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen;
988 } else
989 m_adj(m, sizeof(struct ip6_hdr) + plen - m->m_pkthdr.len);
990 }
991
992 /*
993 * Forward if desirable.
994 */
995 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
996 /*
997 * If we are acting as a multicast router, all
998 * incoming multicast packets are passed to the
999 * kernel-level multicast forwarding function.
1000 * The packet is returned (relatively) intact; if
1001 * ip6_mforward() returns a non-zero value, the packet
1002 * must be discarded, else it may be accepted below.
1003 */
1004 #if MROUTING
1005 if (ip6_mrouter && ip6_mforward(ip6, m->m_pkthdr.rcvif, m)) {
1006 ip6stat.ip6s_cantforward++;
1007 goto bad;
1008 }
1009 #endif
1010 if (!ours)
1011 goto bad;
1012 } else if (!ours) {
1013 ip6_forward(m, &ip6_forward_rt, 0);
1014 goto done;
1015 }
1016
1017 ip6 = mtod(m, struct ip6_hdr *);
1018
1019 /*
1020 * Malicious party may be able to use IPv4 mapped addr to confuse
1021 * tcp/udp stack and bypass security checks (act as if it was from
1022 * 127.0.0.1 by using IPv6 src ::ffff:127.0.0.1). Be cautious.
1023 *
1024 * For SIIT end node behavior, you may want to disable the check.
1025 * However, you will become vulnerable to attacks using IPv4 mapped
1026 * source.
1027 */
1028 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
1029 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
1030 ip6stat.ip6s_badscope++;
1031 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
1032 goto bad;
1033 }
1034
1035 /*
1036 * Tell launch routine the next header
1037 */
1038 ip6stat.ip6s_delivered++;
1039 in6_ifstat_inc(deliverifp, ifs6_in_deliver);
1040
1041 injectit:
1042 nest = 0;
1043
1044 while (nxt != IPPROTO_DONE) {
1045 struct ipfilter *filter;
1046 int (*pr_input)(struct mbuf **, int *, int);
1047
1048 if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) {
1049 ip6stat.ip6s_toomanyhdr++;
1050 goto bad;
1051 }
1052
1053 /*
1054 * protection against faulty packet - there should be
1055 * more sanity checks in header chain processing.
1056 */
1057 if (m->m_pkthdr.len < off) {
1058 ip6stat.ip6s_tooshort++;
1059 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
1060 goto bad;
1061 }
1062
1063
1064 #if IPSEC
1065 /*
1066 * enforce IPsec policy checking if we are seeing last header.
1067 * note that we do not visit this with protocols with pcb layer
1068 * code - like udp/tcp/raw ip.
1069 */
1070 if ((ipsec_bypass == 0) && (ip6_protox[nxt]->pr_flags & PR_LASTHDR) != 0) {
1071 if (ipsec6_in_reject(m, NULL)) {
1072 IPSEC_STAT_INCREMENT(ipsec6stat.in_polvio);
1073 goto bad;
1074 }
1075 }
1076 #endif
1077
1078 /*
1079 * Call IP filter
1080 */
1081 if (!TAILQ_EMPTY(&ipv6_filters)) {
1082 ipf_ref();
1083 TAILQ_FOREACH(filter, &ipv6_filters, ipf_link) {
1084 if (seen == 0) {
1085 if ((struct ipfilter *)inject_ipfref == filter)
1086 seen = 1;
1087 } else if (filter->ipf_filter.ipf_input) {
1088 errno_t result;
1089
1090 result = filter->ipf_filter.ipf_input(
1091 filter->ipf_filter.cookie, (mbuf_t*)&m, off, nxt);
1092 if (result == EJUSTRETURN) {
1093 ipf_unref();
1094 goto done;
1095 }
1096 if (result != 0) {
1097 ipf_unref();
1098 goto bad;
1099 }
1100 }
1101 }
1102 ipf_unref();
1103 }
1104
1105 DTRACE_IP6(receive, struct mbuf *, m, struct inpcb *, NULL,
1106 struct ip6_hdr *, ip6, struct ifnet *, m->m_pkthdr.rcvif,
1107 struct ip *, NULL, struct ip6_hdr *, ip6);
1108
1109 if ((pr_input = ip6_protox[nxt]->pr_input) == NULL) {
1110 m_freem(m);
1111 m = NULL;
1112 nxt = IPPROTO_DONE;
1113 } else if (!(ip6_protox[nxt]->pr_flags & PR_PROTOLOCK)) {
1114 lck_mtx_lock(inet6_domain_mutex);
1115 nxt = pr_input(&m, &off, nxt);
1116 lck_mtx_unlock(inet6_domain_mutex);
1117 } else {
1118 nxt = pr_input(&m, &off, nxt);
1119 }
1120 }
1121 done:
1122 if (ip6_forward_rt.ro_rt != NULL)
1123 rtfree(ip6_forward_rt.ro_rt);
1124 return;
1125 bad:
1126 m_freem(m);
1127 goto done;
1128 }
1129
1130 /*
1131 * set/grab in6_ifaddr correspond to IPv6 destination address.
1132 * XXX backward compatibility wrapper
1133 */
1134 static struct ip6aux *
1135 ip6_setdstifaddr(struct mbuf *m, struct in6_ifaddr *ia6)
1136 {
1137 struct ip6aux *n;
1138
1139 n = ip6_addaux(m);
1140 if (n != NULL) {
1141 if (ia6 != NULL)
1142 IFA_ADDREF(&ia6->ia_ifa);
1143 if (n->ip6a_dstia6 != NULL)
1144 IFA_REMREF(&n->ip6a_dstia6->ia_ifa);
1145 n->ip6a_dstia6 = ia6;
1146 }
1147 return (struct ip6aux *)n; /* NULL if failed to set */
1148 }
1149
1150 struct in6_ifaddr *
1151 ip6_getdstifaddr(m)
1152 struct mbuf *m;
1153 {
1154 struct ip6aux *n;
1155
1156 n = ip6_findaux(m);
1157 if (n != NULL) {
1158 if (n->ip6a_dstia6 != NULL)
1159 IFA_ADDREF(&n->ip6a_dstia6->ia_ifa);
1160 return (n->ip6a_dstia6);
1161 }
1162 return (NULL);
1163 }
1164
1165 /*
1166 * Hop-by-Hop options header processing. If a valid jumbo payload option is
1167 * included, the real payload length will be stored in plenp.
1168 */
1169 static int
1170 ip6_hopopts_input(uint32_t *plenp, uint32_t *rtalertp, struct mbuf **mp,
1171 int *offp)
1172 {
1173 struct mbuf *m = *mp;
1174 int off = *offp, hbhlen;
1175 struct ip6_hbh *hbh;
1176 u_int8_t *opt;
1177
1178 /* validation of the length of the header */
1179 #ifndef PULLDOWN_TEST
1180 IP6_EXTHDR_CHECK(m, off, sizeof(*hbh), return -1);
1181 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off);
1182 hbhlen = (hbh->ip6h_len + 1) << 3;
1183
1184 IP6_EXTHDR_CHECK(m, off, hbhlen, return -1);
1185 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off);
1186 #else
1187 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m,
1188 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh));
1189 if (hbh == NULL) {
1190 ip6stat.ip6s_tooshort++;
1191 return -1;
1192 }
1193 hbhlen = (hbh->ip6h_len + 1) << 3;
1194 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr),
1195 hbhlen);
1196 if (hbh == NULL) {
1197 ip6stat.ip6s_tooshort++;
1198 return -1;
1199 }
1200 #endif
1201 off += hbhlen;
1202 hbhlen -= sizeof(struct ip6_hbh);
1203 opt = (u_int8_t *)hbh + sizeof(struct ip6_hbh);
1204
1205 if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh),
1206 hbhlen, rtalertp, plenp) < 0)
1207 return (-1);
1208
1209 *offp = off;
1210 *mp = m;
1211 return (0);
1212 }
1213
1214 /*
1215 * Search header for all Hop-by-hop options and process each option.
1216 * This function is separate from ip6_hopopts_input() in order to
1217 * handle a case where the sending node itself process its hop-by-hop
1218 * options header. In such a case, the function is called from ip6_output().
1219 *
1220 * The function assumes that hbh header is located right after the IPv6 header
1221 * (RFC2460 p7), opthead is pointer into data content in m, and opthead to
1222 * opthead + hbhlen is located in continuous memory region.
1223 */
1224 int
1225 ip6_process_hopopts(m, opthead, hbhlen, rtalertp, plenp)
1226 struct mbuf *m;
1227 u_int8_t *opthead;
1228 int hbhlen;
1229 u_int32_t *rtalertp;
1230 u_int32_t *plenp;
1231 {
1232 struct ip6_hdr *ip6;
1233 int optlen = 0;
1234 u_int8_t *opt = opthead;
1235 u_int16_t rtalert_val;
1236 u_int32_t jumboplen;
1237 const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh);
1238
1239 for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) {
1240 switch (*opt) {
1241 case IP6OPT_PAD1:
1242 optlen = 1;
1243 break;
1244 case IP6OPT_PADN:
1245 if (hbhlen < IP6OPT_MINLEN) {
1246 ip6stat.ip6s_toosmall++;
1247 goto bad;
1248 }
1249 optlen = *(opt + 1) + 2;
1250 break;
1251 case IP6OPT_ROUTER_ALERT:
1252 /* XXX may need check for alignment */
1253 if (hbhlen < IP6OPT_RTALERT_LEN) {
1254 ip6stat.ip6s_toosmall++;
1255 goto bad;
1256 }
1257 if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) {
1258 /* XXX stat */
1259 icmp6_error(m, ICMP6_PARAM_PROB,
1260 ICMP6_PARAMPROB_HEADER,
1261 erroff + opt + 1 - opthead);
1262 return(-1);
1263 }
1264 optlen = IP6OPT_RTALERT_LEN;
1265 bcopy((caddr_t)(opt + 2), (caddr_t)&rtalert_val, 2);
1266 *rtalertp = ntohs(rtalert_val);
1267 break;
1268 case IP6OPT_JUMBO:
1269 /* XXX may need check for alignment */
1270 if (hbhlen < IP6OPT_JUMBO_LEN) {
1271 ip6stat.ip6s_toosmall++;
1272 goto bad;
1273 }
1274 if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) {
1275 /* XXX stat */
1276 icmp6_error(m, ICMP6_PARAM_PROB,
1277 ICMP6_PARAMPROB_HEADER,
1278 erroff + opt + 1 - opthead);
1279 return(-1);
1280 }
1281 optlen = IP6OPT_JUMBO_LEN;
1282
1283 /*
1284 * IPv6 packets that have non 0 payload length
1285 * must not contain a jumbo payload option.
1286 */
1287 ip6 = mtod(m, struct ip6_hdr *);
1288 if (ip6->ip6_plen) {
1289 ip6stat.ip6s_badoptions++;
1290 icmp6_error(m, ICMP6_PARAM_PROB,
1291 ICMP6_PARAMPROB_HEADER,
1292 erroff + opt - opthead);
1293 return(-1);
1294 }
1295
1296 /*
1297 * We may see jumbolen in unaligned location, so
1298 * we'd need to perform bcopy().
1299 */
1300 bcopy(opt + 2, &jumboplen, sizeof(jumboplen));
1301 jumboplen = (u_int32_t)htonl(jumboplen);
1302
1303 #if 1
1304 /*
1305 * if there are multiple jumbo payload options,
1306 * *plenp will be non-zero and the packet will be
1307 * rejected.
1308 * the behavior may need some debate in ipngwg -
1309 * multiple options does not make sense, however,
1310 * there's no explicit mention in specification.
1311 */
1312 if (*plenp != 0) {
1313 ip6stat.ip6s_badoptions++;
1314 icmp6_error(m, ICMP6_PARAM_PROB,
1315 ICMP6_PARAMPROB_HEADER,
1316 erroff + opt + 2 - opthead);
1317 return(-1);
1318 }
1319 #endif
1320
1321 /*
1322 * jumbo payload length must be larger than 65535.
1323 */
1324 if (jumboplen <= IPV6_MAXPACKET) {
1325 ip6stat.ip6s_badoptions++;
1326 icmp6_error(m, ICMP6_PARAM_PROB,
1327 ICMP6_PARAMPROB_HEADER,
1328 erroff + opt + 2 - opthead);
1329 return(-1);
1330 }
1331 *plenp = jumboplen;
1332
1333 break;
1334 default: /* unknown option */
1335 if (hbhlen < IP6OPT_MINLEN) {
1336 ip6stat.ip6s_toosmall++;
1337 goto bad;
1338 }
1339 optlen = ip6_unknown_opt(opt, m,
1340 erroff + opt - opthead);
1341 if (optlen == -1) {
1342 return(-1);
1343 }
1344 optlen += 2;
1345 break;
1346 }
1347 }
1348
1349 return(0);
1350
1351 bad:
1352 m_freem(m);
1353 return(-1);
1354 }
1355
1356 /*
1357 * Unknown option processing.
1358 * The third argument `off' is the offset from the IPv6 header to the option,
1359 * which is necessary if the IPv6 header the and option header and IPv6 header
1360 * is not continuous in order to return an ICMPv6 error.
1361 */
1362 int
1363 ip6_unknown_opt(uint8_t *optp, struct mbuf *m, int off)
1364 {
1365 struct ip6_hdr *ip6;
1366
1367 switch (IP6OPT_TYPE(*optp)) {
1368 case IP6OPT_TYPE_SKIP: /* ignore the option */
1369 return((int)*(optp + 1));
1370 case IP6OPT_TYPE_DISCARD: /* silently discard */
1371 m_freem(m);
1372 return(-1);
1373 case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */
1374 ip6stat.ip6s_badoptions++;
1375 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off);
1376 return(-1);
1377 case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */
1378 ip6stat.ip6s_badoptions++;
1379 ip6 = mtod(m, struct ip6_hdr *);
1380 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
1381 (m->m_flags & (M_BCAST|M_MCAST)))
1382 m_freem(m);
1383 else
1384 icmp6_error(m, ICMP6_PARAM_PROB,
1385 ICMP6_PARAMPROB_OPTION, off);
1386 return(-1);
1387 }
1388
1389 m_freem(m); /* XXX: NOTREACHED */
1390 return (-1);
1391 }
1392
1393 /*
1394 * Create the "control" list for this pcb.
1395 * These functions will not modify mbuf chain at all.
1396 *
1397 * With KAME mbuf chain restriction:
1398 * The routine will be called from upper layer handlers like tcp6_input().
1399 * Thus the routine assumes that the caller (tcp6_input) have already
1400 * called IP6_EXTHDR_CHECK() and all the extension headers are located in the
1401 * very first mbuf on the mbuf chain.
1402 *
1403 * ip6_savecontrol_v4 will handle those options that are possible to be
1404 * set on a v4-mapped socket.
1405 * ip6_savecontrol will directly call ip6_savecontrol_v4 to handle those
1406 * options and handle the v6-only ones itself.
1407 */
1408 struct mbuf **
1409 ip6_savecontrol_v4(struct inpcb *inp, struct mbuf *m, struct mbuf **mp,
1410 int *v4only)
1411 {
1412 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
1413
1414 if ((inp->inp_socket->so_options & SO_TIMESTAMP) != 0) {
1415 struct timeval tv;
1416
1417 microtime(&tv);
1418 mp = sbcreatecontrol_mbuf((caddr_t) &tv, sizeof(tv),
1419 SCM_TIMESTAMP, SOL_SOCKET, mp);
1420 if (*mp == NULL)
1421 return NULL;
1422 }
1423 if ((inp->inp_socket->so_options & SO_TIMESTAMP_MONOTONIC) != 0) {
1424 uint64_t time;
1425
1426 time = mach_absolute_time();
1427 mp = sbcreatecontrol_mbuf((caddr_t) &time, sizeof(time),
1428 SCM_TIMESTAMP_MONOTONIC, SOL_SOCKET, mp);
1429
1430 if (*mp == NULL)
1431 return NULL;
1432 }
1433 if ((inp->inp_socket->so_flags & SOF_RECV_TRAFFIC_CLASS) != 0) {
1434 int tc = m->m_pkthdr.prio;
1435
1436 mp = sbcreatecontrol_mbuf((caddr_t) &tc, sizeof(tc),
1437 SO_TRAFFIC_CLASS, SOL_SOCKET, mp);
1438 if (*mp == NULL)
1439 return NULL;
1440 }
1441
1442 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) {
1443 if (v4only != NULL)
1444 *v4only = 1;
1445 return (mp);
1446 }
1447
1448 #define IS2292(inp, x, y) (((inp)->inp_flags & IN6P_RFC2292) ? (x) : (y))
1449 /* RFC 2292 sec. 5 */
1450 if ((inp->inp_flags & IN6P_PKTINFO) != 0) {
1451 struct in6_pktinfo pi6;
1452
1453 bcopy(&ip6->ip6_dst, &pi6.ipi6_addr, sizeof(struct in6_addr));
1454 in6_clearscope(&pi6.ipi6_addr); /* XXX */
1455 pi6.ipi6_ifindex =
1456 (m && m->m_pkthdr.rcvif) ? m->m_pkthdr.rcvif->if_index : 0;
1457
1458 mp = sbcreatecontrol_mbuf((caddr_t) &pi6,
1459 sizeof(struct in6_pktinfo),
1460 IS2292(inp, IPV6_2292PKTINFO, IPV6_PKTINFO), IPPROTO_IPV6, mp);
1461 if (*mp == NULL)
1462 return NULL;
1463 }
1464
1465 if ((inp->inp_flags & IN6P_HOPLIMIT) != 0) {
1466 int hlim = ip6->ip6_hlim & 0xff;
1467
1468 mp = sbcreatecontrol_mbuf((caddr_t) &hlim, sizeof(int),
1469 IS2292(inp, IPV6_2292HOPLIMIT, IPV6_HOPLIMIT),
1470 IPPROTO_IPV6, mp);
1471 if (*mp == NULL)
1472 return NULL;
1473 }
1474
1475 if (v4only != NULL)
1476 *v4only = 0;
1477 return (mp);
1478 }
1479
1480 int
1481 ip6_savecontrol(struct inpcb *in6p, struct mbuf *m, struct mbuf **mp)
1482 {
1483 struct mbuf **np;
1484 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
1485 int v4only = 0;
1486
1487 *mp = NULL;
1488 np = ip6_savecontrol_v4(in6p, m, mp, &v4only);
1489 if (np == NULL)
1490 goto no_mbufs;
1491
1492 mp = np;
1493 if (v4only)
1494 return(0);
1495
1496 if ((in6p->inp_flags & IN6P_TCLASS) != 0) {
1497 u_int32_t flowinfo;
1498 int tclass;
1499
1500 flowinfo = (u_int32_t)ntohl(ip6->ip6_flow & IPV6_FLOWINFO_MASK);
1501 flowinfo >>= 20;
1502
1503 tclass = flowinfo & 0xff;
1504 mp = sbcreatecontrol_mbuf((caddr_t) &tclass, sizeof(tclass),
1505 IPV6_TCLASS, IPPROTO_IPV6, mp);
1506 if (*mp == NULL)
1507 goto no_mbufs;
1508 }
1509
1510 /*
1511 * IPV6_HOPOPTS socket option. Recall that we required super-user
1512 * privilege for the option (see ip6_ctloutput), but it might be too
1513 * strict, since there might be some hop-by-hop options which can be
1514 * returned to normal user.
1515 * See also RFC 2292 section 6 (or RFC 3542 section 8).
1516 */
1517 if ((in6p->inp_flags & IN6P_HOPOPTS) != 0) {
1518 /*
1519 * Check if a hop-by-hop options header is contatined in the
1520 * received packet, and if so, store the options as ancillary
1521 * data. Note that a hop-by-hop options header must be
1522 * just after the IPv6 header, which is assured through the
1523 * IPv6 input processing.
1524 */
1525 ip6 = mtod(m, struct ip6_hdr *);
1526 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) {
1527 struct ip6_hbh *hbh;
1528 int hbhlen = 0;
1529 #if PULLDOWN_TEST
1530 struct mbuf *ext;
1531 #endif
1532
1533 #ifndef PULLDOWN_TEST
1534 hbh = (struct ip6_hbh *)(ip6 + 1);
1535 hbhlen = (hbh->ip6h_len + 1) << 3;
1536 #else
1537 ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr),
1538 ip6->ip6_nxt);
1539 if (ext == NULL) {
1540 ip6stat.ip6s_tooshort++;
1541 return(0);
1542 }
1543 hbh = mtod(ext, struct ip6_hbh *);
1544 hbhlen = (hbh->ip6h_len + 1) << 3;
1545 if (hbhlen != ext->m_len) {
1546 m_freem(ext);
1547 ip6stat.ip6s_tooshort++;
1548 return(0);
1549 }
1550 #endif
1551
1552 /*
1553 * XXX: We copy the whole header even if a
1554 * jumbo payload option is included, the option which
1555 * is to be removed before returning according to
1556 * RFC2292.
1557 * Note: this constraint is removed in RFC3542
1558 */
1559 mp = sbcreatecontrol_mbuf((caddr_t)hbh, hbhlen,
1560 IS2292(in6p, IPV6_2292HOPOPTS, IPV6_HOPOPTS),
1561 IPPROTO_IPV6, mp);
1562
1563 #if PULLDOWN_TEST
1564 m_freem(ext);
1565 #endif
1566 if (*mp == NULL) {
1567 goto no_mbufs;
1568 }
1569 }
1570 }
1571
1572 if ((in6p->inp_flags & (IN6P_RTHDR | IN6P_DSTOPTS)) != 0) {
1573 int nxt = ip6->ip6_nxt, off = sizeof(struct ip6_hdr);
1574
1575 /*
1576 * Search for destination options headers or routing
1577 * header(s) through the header chain, and stores each
1578 * header as ancillary data.
1579 * Note that the order of the headers remains in
1580 * the chain of ancillary data.
1581 */
1582 while (1) { /* is explicit loop prevention necessary? */
1583 struct ip6_ext *ip6e = NULL;
1584 int elen;
1585 #if PULLDOWN_TEST
1586 struct mbuf *ext = NULL;
1587 #endif
1588
1589 /*
1590 * if it is not an extension header, don't try to
1591 * pull it from the chain.
1592 */
1593 switch (nxt) {
1594 case IPPROTO_DSTOPTS:
1595 case IPPROTO_ROUTING:
1596 case IPPROTO_HOPOPTS:
1597 case IPPROTO_AH: /* is it possible? */
1598 break;
1599 default:
1600 goto loopend;
1601 }
1602
1603 #ifndef PULLDOWN_TEST
1604 if (off + sizeof(*ip6e) > m->m_len)
1605 goto loopend;
1606 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + off);
1607 if (nxt == IPPROTO_AH)
1608 elen = (ip6e->ip6e_len + 2) << 2;
1609 else
1610 elen = (ip6e->ip6e_len + 1) << 3;
1611 if (off + elen > m->m_len)
1612 goto loopend;
1613 #else
1614 ext = ip6_pullexthdr(m, off, nxt);
1615 if (ext == NULL) {
1616 ip6stat.ip6s_tooshort++;
1617 return(0);
1618 }
1619 ip6e = mtod(ext, struct ip6_ext *);
1620 if (nxt == IPPROTO_AH)
1621 elen = (ip6e->ip6e_len + 2) << 2;
1622 else
1623 elen = (ip6e->ip6e_len + 1) << 3;
1624 if (elen != ext->m_len) {
1625 m_freem(ext);
1626 ip6stat.ip6s_tooshort++;
1627 return(0);
1628 }
1629 #endif
1630
1631 switch (nxt) {
1632 case IPPROTO_DSTOPTS:
1633 if (!(in6p->inp_flags & IN6P_DSTOPTS))
1634 break;
1635
1636 mp = sbcreatecontrol_mbuf((caddr_t)ip6e, elen,
1637 IS2292(in6p,
1638 IPV6_2292DSTOPTS, IPV6_DSTOPTS),
1639 IPPROTO_IPV6, mp);
1640 if (*mp == NULL) {
1641 #if PULLDOWN_TEST
1642 m_freem(ext);
1643 #endif
1644 goto no_mbufs;
1645 }
1646 break;
1647 case IPPROTO_ROUTING:
1648 if (!in6p->inp_flags & IN6P_RTHDR)
1649 break;
1650
1651 mp = sbcreatecontrol_mbuf((caddr_t)ip6e, elen,
1652 IS2292(in6p, IPV6_2292RTHDR, IPV6_RTHDR),
1653 IPPROTO_IPV6, mp);
1654 if (*mp == NULL) {
1655 #if PULLDOWN_TEST
1656 m_freem(ext);
1657 #endif
1658 goto no_mbufs;
1659 }
1660 break;
1661 case IPPROTO_HOPOPTS:
1662 case IPPROTO_AH: /* is it possible? */
1663 break;
1664
1665 default:
1666 /*
1667 * other cases have been filtered in the above.
1668 * none will visit this case. here we supply
1669 * the code just in case (nxt overwritten or
1670 * other cases).
1671 */
1672 #if PULLDOWN_TEST
1673 m_freem(ext);
1674 #endif
1675 goto loopend;
1676
1677 }
1678
1679 /* proceed with the next header. */
1680 off += elen;
1681 nxt = ip6e->ip6e_nxt;
1682 ip6e = NULL;
1683 #if PULLDOWN_TEST
1684 m_freem(ext);
1685 ext = NULL;
1686 #endif
1687 }
1688 loopend:
1689 ;
1690 }
1691 return(0);
1692 no_mbufs:
1693 ip6stat.ip6s_pktdropcntrl++;
1694 /* XXX increment a stat to show the failure */
1695 return(ENOBUFS);
1696 }
1697 #undef IS2292
1698
1699 void
1700 ip6_notify_pmtu(struct inpcb *in6p, struct sockaddr_in6 *dst, u_int32_t *mtu)
1701 {
1702 struct socket *so;
1703 struct mbuf *m_mtu;
1704 struct ip6_mtuinfo mtuctl;
1705
1706 so = in6p->inp_socket;
1707
1708 if (mtu == NULL)
1709 return;
1710
1711 #ifdef DIAGNOSTIC
1712 if (so == NULL) /* I believe this is impossible */
1713 panic("ip6_notify_pmtu: socket is NULL");
1714 #endif
1715
1716 bzero(&mtuctl, sizeof(mtuctl)); /* zero-clear for safety */
1717 mtuctl.ip6m_mtu = *mtu;
1718 mtuctl.ip6m_addr = *dst;
1719 if (sa6_recoverscope(&mtuctl.ip6m_addr))
1720 return;
1721
1722 if ((m_mtu = sbcreatecontrol((caddr_t)&mtuctl, sizeof(mtuctl),
1723 IPV6_PATHMTU, IPPROTO_IPV6)) == NULL)
1724 return;
1725
1726 if (sbappendaddr(&so->so_rcv, (struct sockaddr *)dst, NULL, m_mtu, NULL)
1727 == 0) {
1728 m_freem(m_mtu);
1729 /* XXX: should count statistics */
1730 } else
1731 sorwakeup(so);
1732
1733 return;
1734 }
1735
1736 #if PULLDOWN_TEST
1737 /*
1738 * pull single extension header from mbuf chain. returns single mbuf that
1739 * contains the result, or NULL on error.
1740 */
1741 static struct mbuf *
1742 ip6_pullexthdr(m, off, nxt)
1743 struct mbuf *m;
1744 size_t off;
1745 int nxt;
1746 {
1747 struct ip6_ext ip6e;
1748 size_t elen;
1749 struct mbuf *n;
1750
1751 #if DIAGNOSTIC
1752 switch (nxt) {
1753 case IPPROTO_DSTOPTS:
1754 case IPPROTO_ROUTING:
1755 case IPPROTO_HOPOPTS:
1756 case IPPROTO_AH: /* is it possible? */
1757 break;
1758 default:
1759 printf("ip6_pullexthdr: invalid nxt=%d\n", nxt);
1760 }
1761 #endif
1762
1763 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1764 if (nxt == IPPROTO_AH)
1765 elen = (ip6e.ip6e_len + 2) << 2;
1766 else
1767 elen = (ip6e.ip6e_len + 1) << 3;
1768
1769 MGET(n, M_DONTWAIT, MT_DATA);
1770 if (n && elen >= MLEN) {
1771 MCLGET(n, M_DONTWAIT);
1772 if ((n->m_flags & M_EXT) == 0) {
1773 m_free(n);
1774 n = NULL;
1775 }
1776 }
1777 if (!n)
1778 return NULL;
1779
1780 n->m_len = 0;
1781 if (elen >= M_TRAILINGSPACE(n)) {
1782 m_free(n);
1783 return NULL;
1784 }
1785
1786 m_copydata(m, off, elen, mtod(n, caddr_t));
1787 n->m_len = elen;
1788 return n;
1789 }
1790 #endif
1791
1792 /*
1793 * Get pointer to the previous header followed by the header
1794 * currently processed.
1795 * XXX: This function supposes that
1796 * M includes all headers,
1797 * the next header field and the header length field of each header
1798 * are valid, and
1799 * the sum of each header length equals to OFF.
1800 * Because of these assumptions, this function must be called very
1801 * carefully. Moreover, it will not be used in the near future when
1802 * we develop `neater' mechanism to process extension headers.
1803 */
1804 char *
1805 ip6_get_prevhdr(m, off)
1806 struct mbuf *m;
1807 int off;
1808 {
1809 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
1810
1811 if (off == sizeof(struct ip6_hdr))
1812 return((char *) &ip6->ip6_nxt);
1813 else {
1814 int len, nxt;
1815 struct ip6_ext *ip6e = NULL;
1816
1817 nxt = ip6->ip6_nxt;
1818 len = sizeof(struct ip6_hdr);
1819 while (len < off) {
1820 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + len);
1821
1822 switch (nxt) {
1823 case IPPROTO_FRAGMENT:
1824 len += sizeof(struct ip6_frag);
1825 break;
1826 case IPPROTO_AH:
1827 len += (ip6e->ip6e_len + 2) << 2;
1828 break;
1829 default:
1830 len += (ip6e->ip6e_len + 1) << 3;
1831 break;
1832 }
1833 nxt = ip6e->ip6e_nxt;
1834 }
1835 if (ip6e)
1836 return((char *) &ip6e->ip6e_nxt);
1837 else
1838 return NULL;
1839 }
1840 }
1841
1842 /*
1843 * get next header offset. m will be retained.
1844 */
1845 int
1846 ip6_nexthdr(m, off, proto, nxtp)
1847 struct mbuf *m;
1848 int off;
1849 int proto;
1850 int *nxtp;
1851 {
1852 struct ip6_hdr ip6;
1853 struct ip6_ext ip6e;
1854 struct ip6_frag fh;
1855
1856 /* just in case */
1857 if (m == NULL)
1858 panic("ip6_nexthdr: m == NULL");
1859 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off)
1860 return -1;
1861
1862 switch (proto) {
1863 case IPPROTO_IPV6:
1864 if (m->m_pkthdr.len < off + sizeof(ip6))
1865 return -1;
1866 m_copydata(m, off, sizeof(ip6), (caddr_t)&ip6);
1867 if (nxtp)
1868 *nxtp = ip6.ip6_nxt;
1869 off += sizeof(ip6);
1870 return off;
1871
1872 case IPPROTO_FRAGMENT:
1873 /*
1874 * terminate parsing if it is not the first fragment,
1875 * it does not make sense to parse through it.
1876 */
1877 if (m->m_pkthdr.len < off + sizeof(fh))
1878 return -1;
1879 m_copydata(m, off, sizeof(fh), (caddr_t)&fh);
1880 /* IP6F_OFF_MASK = 0xfff8(BigEndian), 0xf8ff(LittleEndian) */
1881 if (fh.ip6f_offlg & IP6F_OFF_MASK)
1882 return -1;
1883 if (nxtp)
1884 *nxtp = fh.ip6f_nxt;
1885 off += sizeof(struct ip6_frag);
1886 return off;
1887
1888 case IPPROTO_AH:
1889 if (m->m_pkthdr.len < off + sizeof(ip6e))
1890 return -1;
1891 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1892 if (nxtp)
1893 *nxtp = ip6e.ip6e_nxt;
1894 off += (ip6e.ip6e_len + 2) << 2;
1895 return off;
1896
1897 case IPPROTO_HOPOPTS:
1898 case IPPROTO_ROUTING:
1899 case IPPROTO_DSTOPTS:
1900 if (m->m_pkthdr.len < off + sizeof(ip6e))
1901 return -1;
1902 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1903 if (nxtp)
1904 *nxtp = ip6e.ip6e_nxt;
1905 off += (ip6e.ip6e_len + 1) << 3;
1906 return off;
1907
1908 case IPPROTO_NONE:
1909 case IPPROTO_ESP:
1910 case IPPROTO_IPCOMP:
1911 /* give up */
1912 return -1;
1913
1914 default:
1915 return -1;
1916 }
1917
1918 return -1;
1919 }
1920
1921 /*
1922 * get offset for the last header in the chain. m will be kept untainted.
1923 */
1924 int
1925 ip6_lasthdr(m, off, proto, nxtp)
1926 struct mbuf *m;
1927 int off;
1928 int proto;
1929 int *nxtp;
1930 {
1931 int newoff;
1932 int nxt;
1933
1934 if (!nxtp) {
1935 nxt = -1;
1936 nxtp = &nxt;
1937 }
1938 while (1) {
1939 newoff = ip6_nexthdr(m, off, proto, nxtp);
1940 if (newoff < 0)
1941 return off;
1942 else if (newoff < off)
1943 return -1; /* invalid */
1944 else if (newoff == off)
1945 return newoff;
1946
1947 off = newoff;
1948 proto = *nxtp;
1949 }
1950 }
1951
1952 struct ip6aux *
1953 ip6_addaux(
1954 struct mbuf *m)
1955 {
1956 struct m_tag *tag;
1957
1958 /* Check if one is already allocated */
1959 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_INET6, NULL);
1960 if (tag == NULL) {
1961 /* Allocate a tag */
1962 tag = m_tag_create(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_INET6,
1963 sizeof (struct ip6aux), M_DONTWAIT, m);
1964
1965 /* Attach it to the mbuf */
1966 if (tag) {
1967 m_tag_prepend(m, tag);
1968 }
1969 }
1970
1971 return tag ? (struct ip6aux*)(tag + 1) : NULL;
1972 }
1973
1974 struct ip6aux *
1975 ip6_findaux(
1976 struct mbuf *m)
1977 {
1978 struct m_tag *tag;
1979
1980 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_INET6, NULL);
1981
1982 return tag ? (struct ip6aux*)(tag + 1) : NULL;
1983 }
1984
1985 void
1986 ip6_delaux(
1987 struct mbuf *m)
1988 {
1989 struct m_tag *tag;
1990
1991 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_INET6, NULL);
1992 if (tag) {
1993 m_tag_delete(m, tag);
1994 }
1995 }
1996
1997 /*
1998 * Called by m_tag_free().
1999 */
2000 void
2001 ip6_destroyaux(struct ip6aux *n)
2002 {
2003 if (n->ip6a_dstia6 != NULL) {
2004 IFA_REMREF(&n->ip6a_dstia6->ia_ifa);
2005 n->ip6a_dstia6 = NULL;
2006 }
2007 }
2008
2009 /*
2010 * Called by m_tag_copy()
2011 */
2012 void
2013 ip6_copyaux(struct ip6aux *src, struct ip6aux *dst)
2014 {
2015 bcopy(src, dst, sizeof (*dst));
2016 if (dst->ip6a_dstia6 != NULL)
2017 IFA_ADDREF(&dst->ip6a_dstia6->ia_ifa);
2018 }
2019
2020 /*
2021 * System control for IP6
2022 */
2023
2024 u_char inet6ctlerrmap[PRC_NCMDS] = {
2025 0, 0, 0, 0,
2026 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH,
2027 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED,
2028 EMSGSIZE, EHOSTUNREACH, 0, 0,
2029 0, 0, 0, 0,
2030 ENOPROTOOPT
2031 };
mirror of XNU