]> git.saurik.com Git - apple/xnu.git/blob - bsd/netinet6/ip6_input.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-2050.48.11.tar.gz
[apple/xnu.git] / bsd / netinet6 / ip6_input.c
1 /*
2 * Copyright (c) 2003-2012 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28 /* $FreeBSD: src/sys/netinet6/ip6_input.c,v 1.11.2.10 2001/07/24 19:10:18 brooks Exp $ */
29 /* $KAME: ip6_input.c,v 1.194 2001/05/27 13:28:35 itojun Exp $ */
30
31 /*
32 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
33 * All rights reserved.
34 *
35 * Redistribution and use in source and binary forms, with or without
36 * modification, are permitted provided that the following conditions
37 * are met:
38 * 1. Redistributions of source code must retain the above copyright
39 * notice, this list of conditions and the following disclaimer.
40 * 2. Redistributions in binary form must reproduce the above copyright
41 * notice, this list of conditions and the following disclaimer in the
42 * documentation and/or other materials provided with the distribution.
43 * 3. Neither the name of the project nor the names of its contributors
44 * may be used to endorse or promote products derived from this software
45 * without specific prior written permission.
46 *
47 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
48 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
49 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
50 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
51 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
52 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
53 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
54 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
55 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
56 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
57 * SUCH DAMAGE.
58 */
59
60 /*
61 * Copyright (c) 1982, 1986, 1988, 1993
62 * The Regents of the University of California. All rights reserved.
63 *
64 * Redistribution and use in source and binary forms, with or without
65 * modification, are permitted provided that the following conditions
66 * are met:
67 * 1. Redistributions of source code must retain the above copyright
68 * notice, this list of conditions and the following disclaimer.
69 * 2. Redistributions in binary form must reproduce the above copyright
70 * notice, this list of conditions and the following disclaimer in the
71 * documentation and/or other materials provided with the distribution.
72 * 3. All advertising materials mentioning features or use of this software
73 * must display the following acknowledgement:
74 * This product includes software developed by the University of
75 * California, Berkeley and its contributors.
76 * 4. Neither the name of the University nor the names of its contributors
77 * may be used to endorse or promote products derived from this software
78 * without specific prior written permission.
79 *
80 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
81 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
82 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
83 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
84 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
85 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
86 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
87 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
88 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
89 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
90 * SUCH DAMAGE.
91 *
92 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94
93 */
94
95
96 #include <sys/param.h>
97 #include <sys/systm.h>
98 #include <sys/malloc.h>
99 #include <sys/mbuf.h>
100 #include <sys/domain.h>
101 #include <sys/protosw.h>
102 #include <sys/socket.h>
103 #include <sys/socketvar.h>
104 #include <sys/errno.h>
105 #include <sys/time.h>
106 #include <sys/kernel.h>
107 #include <sys/syslog.h>
108 #include <sys/sysctl.h>
109 #include <sys/proc.h>
110 #include <sys/kauth.h>
111 #include <sys/mcache.h>
112 #include <mach/mach_time.h>
113
114 #include <pexpert/pexpert.h>
115
116 #include <net/if.h>
117 #include <net/if_var.h>
118 #include <net/if_types.h>
119 #include <net/if_dl.h>
120 #include <net/route.h>
121 #include <net/kpi_protocol.h>
122 #include <net/ntstat.h>
123 #include <net/init.h>
124
125 #include <netinet/in.h>
126 #include <netinet/in_systm.h>
127 #if INET
128 #include <netinet/ip.h>
129 #include <netinet/ip_icmp.h>
130 #endif /*INET*/
131 #include <netinet/ip6.h>
132 #include <netinet6/in6_var.h>
133 #include <netinet6/ip6_var.h>
134 #include <netinet/in_pcb.h>
135 #include <netinet/icmp6.h>
136 #include <netinet6/in6_ifattach.h>
137 #include <netinet6/nd6.h>
138 #include <netinet6/scope6_var.h>
139 #include <mach/sdt.h>
140
141 #if IPSEC
142 #include <netinet6/ipsec.h>
143 #if INET6
144 #include <netinet6/ipsec6.h>
145 #endif
146 extern int ipsec_bypass;
147 #endif
148
149 #include <netinet6/ip6_fw.h>
150
151 #if DUMMYNET
152 #include <netinet/ip_fw.h>
153 #include <netinet/ip_dummynet.h>
154 #endif /* DUMMYNET */
155
156 #include <netinet/kpi_ipfilter_var.h>
157
158 #include <netinet6/ip6protosw.h>
159
160 /* we need it for NLOOP. */
161 #include "loop.h"
162
163 #include <net/net_osdep.h>
164
165 #if PF
166 #include <net/pfvar.h>
167 #endif /* PF */
168
169 extern struct domain inet6domain;
170 extern struct ip6protosw inet6sw[];
171
172 struct ip6protosw * ip6_protox[IPPROTO_MAX];
173 static int ip6qmaxlen = IFQ_MAXLEN;
174
175 static lck_grp_attr_t *in6_ifaddr_rwlock_grp_attr;
176 static lck_grp_t *in6_ifaddr_rwlock_grp;
177 static lck_attr_t *in6_ifaddr_rwlock_attr;
178 decl_lck_rw_data(, in6_ifaddr_rwlock);
179
180 /* Protected by in6_ifaddr_rwlock */
181 struct in6_ifaddr *in6_ifaddrs = NULL;
182
183 int ip6_forward_srcrt; /* XXX */
184 int ip6_sourcecheck; /* XXX */
185 int ip6_sourcecheck_interval; /* XXX */
186 const int int6intrq_present = 1;
187
188 int ip6_ours_check_algorithm;
189
190 #define IN6_IFSTAT_REQUIRE_ALIGNED_64(f) \
191 _CASSERT(!(offsetof(struct in6_ifstat, f) % sizeof (uint64_t)))
192
193 #define ICMP6_IFSTAT_REQUIRE_ALIGNED_64(f) \
194 _CASSERT(!(offsetof(struct icmp6_ifstat, f) % sizeof (uint64_t)))
195
196 #if IPFW2
197 /* firewall hooks */
198 ip6_fw_chk_t *ip6_fw_chk_ptr;
199 ip6_fw_ctl_t *ip6_fw_ctl_ptr;
200 int ip6_fw_enable = 1;
201 #endif
202
203 struct ip6stat ip6stat;
204
205 #ifdef __APPLE__
206 struct ifqueue ip6intrq;
207 decl_lck_mtx_data(, ip6_init_mutex);
208 decl_lck_mtx_data(, proxy6_lock);
209 decl_lck_mtx_data(, dad6_mutex_data);
210 decl_lck_mtx_data(, nd6_mutex_data);
211 decl_lck_mtx_data(, prefix6_mutex_data);
212 decl_lck_mtx_data(, scope6_mutex_data);
213 lck_mtx_t *dad6_mutex = &dad6_mutex_data;
214 lck_mtx_t *nd6_mutex = &nd6_mutex_data;
215 lck_mtx_t *prefix6_mutex = &prefix6_mutex_data;
216 lck_mtx_t *scope6_mutex = &scope6_mutex_data;
217 #ifdef ENABLE_ADDRSEL
218 decl_lck_mtx_data(, addrsel_mutex_data);
219 lck_mtx_t *addrsel_mutex = &addrsel_mutex_data;
220 #endif
221 decl_lck_rw_data(, in6_ifs_rwlock);
222 decl_lck_rw_data(, icmp6_ifs_rwlock);
223 lck_attr_t *ip6_mutex_attr;
224 lck_grp_t *ip6_mutex_grp;
225 lck_grp_attr_t *ip6_mutex_grp_attr;
226 extern lck_mtx_t *inet6_domain_mutex;
227 #endif
228 extern int loopattach_done;
229 extern void addrsel_policy_init(void);
230
231 static void ip6_init_delayed(void);
232 static struct ip6aux *ip6_setdstifaddr(struct mbuf *, struct in6_ifaddr *);
233
234 static int ip6_hopopts_input(u_int32_t *, u_int32_t *, struct mbuf **, int *);
235 #if PULLDOWN_TEST
236 static struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int);
237 #endif
238
239 #ifdef __APPLE__
240 void gifattach(void);
241 void stfattach(void);
242 #endif
243
244 SYSCTL_DECL(_net_inet6_ip6);
245
246 int ip6_doscopedroute = 1;
247 SYSCTL_INT(_net_inet6_ip6, OID_AUTO, scopedroute, CTLFLAG_RD | CTLFLAG_LOCKED,
248 &ip6_doscopedroute, 0, "Enable IPv6 scoped routing");
249
250 int ip6_restrictrecvif = 1;
251 SYSCTL_INT(_net_inet6_ip6, OID_AUTO, restrictrecvif,
252 CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_restrictrecvif, 0,
253 "Enable inbound interface restrictions");
254
255 /*
256 * On platforms which require strict alignment (currently for anything but
257 * i386 or x86_64), check if the IP header pointer is 32-bit aligned; if not,
258 * copy the contents of the mbuf chain into a new chain, and free the original
259 * one. Create some head room in the first mbuf of the new chain, in case
260 * it's needed later on.
261 *
262 * RFC 2460 says that IPv6 headers are 64-bit aligned, but network interfaces
263 * mostly align to 32-bit boundaries. Care should be taken never to use 64-bit
264 * load/store operations on the fields in IPv6 headers.
265 */
266 #if defined(__i386__) || defined(__x86_64__)
267 #define IP6_HDR_ALIGNMENT_FIXUP(_m, _ifp, _action) do { } while (0)
268 #else /* !__i386__ && !__x86_64__ */
269 #define IP6_HDR_ALIGNMENT_FIXUP(_m, _ifp, _action) do { \
270 if (!IP6_HDR_ALIGNED_P(mtod(_m, caddr_t))) { \
271 struct mbuf *_n; \
272 struct ifnet *__ifp = (_ifp); \
273 atomic_add_64(&(__ifp)->if_alignerrs, 1); \
274 if (((_m)->m_flags & M_PKTHDR) && \
275 (_m)->m_pkthdr.header != NULL) \
276 (_m)->m_pkthdr.header = NULL; \
277 _n = m_defrag_offset(_m, max_linkhdr, M_NOWAIT); \
278 if (_n == NULL) { \
279 ip6stat.ip6s_toosmall++; \
280 m_freem(_m); \
281 (_m) = NULL; \
282 _action \
283 } else { \
284 VERIFY(_n != (_m)); \
285 (_m) = _n; \
286 } \
287 } \
288 } while (0)
289 #endif /* !__i386__ && !__x86_64__ */
290
291 static void
292 ip6_proto_input(
293 __unused protocol_family_t protocol,
294 mbuf_t packet)
295 {
296 ip6_input(packet);
297 }
298
299 /*
300 * IP6 initialization: fill in IP6 protocol switch table.
301 * All protocols not implemented in kernel go to raw IP6 protocol handler.
302 */
303 void
304 ip6_init()
305 {
306 struct ip6protosw *pr;
307 int i;
308 struct timeval tv;
309
310 _CASSERT((sizeof(struct ip6_hdr) + sizeof(struct icmp6_hdr)) <=
311 _MHLEN);
312
313 PE_parse_boot_argn("net.inet6.ip6.scopedroute", &ip6_doscopedroute,
314 sizeof (ip6_doscopedroute));
315
316 #if DIAGNOSTIC
317 if (sizeof(struct protosw) != sizeof(struct ip6protosw))
318 panic("sizeof(protosw) != sizeof(ip6protosw)");
319 #endif
320 pr = (struct ip6protosw *)pffindproto_locked(PF_INET6, IPPROTO_RAW, SOCK_RAW);
321 if (pr == 0)
322 panic("ip6_init");
323 for (i = 0; i < IPPROTO_MAX; i++)
324 ip6_protox[i] = pr;
325 for (pr = (struct ip6protosw*)inet6domain.dom_protosw; pr; pr = pr->pr_next) {
326 if(!(pr->pr_domain)) continue; /* If uninitialized, skip */
327 if (pr->pr_domain->dom_family == PF_INET6 &&
328 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) {
329 ip6_protox[pr->pr_protocol] = pr;
330 }
331 }
332
333 ip6_mutex_grp_attr = lck_grp_attr_alloc_init();
334
335 ip6_mutex_grp = lck_grp_alloc_init("ip6", ip6_mutex_grp_attr);
336 ip6_mutex_attr = lck_attr_alloc_init();
337
338 lck_mtx_init(dad6_mutex, ip6_mutex_grp, ip6_mutex_attr);
339 lck_mtx_init(nd6_mutex, ip6_mutex_grp, ip6_mutex_attr);
340 lck_mtx_init(prefix6_mutex, ip6_mutex_grp, ip6_mutex_attr);
341 lck_mtx_init(scope6_mutex, ip6_mutex_grp, ip6_mutex_attr);
342
343 #ifdef ENABLE_ADDRSEL
344 lck_mtx_init(addrsel_mutex, ip6_mutex_grp, ip6_mutex_attr);
345 #endif
346
347 lck_mtx_init(&proxy6_lock, ip6_mutex_grp, ip6_mutex_attr);
348 lck_mtx_init(&ip6_init_mutex, ip6_mutex_grp, ip6_mutex_attr);
349
350 lck_rw_init(&in6_ifs_rwlock, ip6_mutex_grp, ip6_mutex_attr);
351 lck_rw_init(&icmp6_ifs_rwlock, ip6_mutex_grp, ip6_mutex_attr);
352
353 inet6domain.dom_flags = DOM_REENTRANT;
354
355 ip6intrq.ifq_maxlen = ip6qmaxlen;
356
357 in6_ifaddr_rwlock_grp_attr = lck_grp_attr_alloc_init();
358 in6_ifaddr_rwlock_grp = lck_grp_alloc_init("in6_ifaddr_rwlock",
359 in6_ifaddr_rwlock_grp_attr);
360 in6_ifaddr_rwlock_attr = lck_attr_alloc_init();
361 lck_rw_init(&in6_ifaddr_rwlock, in6_ifaddr_rwlock_grp,
362 in6_ifaddr_rwlock_attr);
363
364 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_receive);
365 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_hdrerr);
366 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_toobig);
367 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_noroute);
368 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_addrerr);
369 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_protounknown);
370 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_truncated);
371 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_discard);
372 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_deliver);
373 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_forward);
374 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_request);
375 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_discard);
376 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_fragok);
377 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_fragfail);
378 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_fragcreat);
379 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_reass_reqd);
380 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_reass_ok);
381 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_reass_fail);
382 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_mcast);
383 IN6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_mcast);
384
385 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_msg);
386 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_error);
387 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_dstunreach);
388 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_adminprohib);
389 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_timeexceed);
390 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_paramprob);
391 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_pkttoobig);
392 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_echo);
393 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_echoreply);
394 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_routersolicit);
395 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_routeradvert);
396 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_neighborsolicit);
397 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_neighboradvert);
398 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_redirect);
399 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_mldquery);
400 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_mldreport);
401 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_in_mlddone);
402
403 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_msg);
404 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_error);
405 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_dstunreach);
406 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_adminprohib);
407 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_timeexceed);
408 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_paramprob);
409 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_pkttoobig);
410 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_echo);
411 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_echoreply);
412 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_routersolicit);
413 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_routeradvert);
414 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_neighborsolicit);
415 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_neighboradvert);
416 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_redirect);
417 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_mldquery);
418 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_mldreport);
419 ICMP6_IFSTAT_REQUIRE_ALIGNED_64(ifs6_out_mlddone);
420
421 in6_ifaddr_init();
422 ip6_moptions_init();
423 nd6_init();
424 frag6_init();
425 icmp6_init();
426 addrsel_policy_init();
427 /*
428 * in many cases, random() here does NOT return random number
429 * as initialization during bootstrap time occur in fixed order.
430 */
431 microtime(&tv);
432 ip6_flow_seq = random() ^ tv.tv_usec;
433 microtime(&tv);
434 ip6_desync_factor = (random() ^ tv.tv_usec) % MAX_TEMP_DESYNC_FACTOR;
435
436 /*
437 * P2P interfaces often route the local address to the loopback
438 * interface. At this point, lo0 hasn't been initialized yet, which
439 * means that we need to delay the IPv6 configuration of lo0.
440 */
441 net_init_add(ip6_init_delayed);
442
443 domain_proto_mtx_unlock(TRUE);
444 proto_register_input(PF_INET6, ip6_proto_input, NULL, 0);
445 domain_proto_mtx_lock();
446 }
447
448 static void
449 ip6_init_delayed(void)
450 {
451 (void) in6_ifattach(lo_ifp, NULL, NULL);
452
453 #ifdef __APPLE__
454 /* nd6_timer_init */
455 timeout(nd6_timer, (caddr_t)0, hz);
456
457 /* timer for regeneranation of temporary addresses randomize ID */
458 timeout(in6_tmpaddrtimer, (caddr_t)0,
459 (ip6_temp_preferred_lifetime - ip6_desync_factor -
460 ip6_temp_regen_advance) * hz);
461
462 #if NGIF
463 gifattach();
464 #endif
465 #if NSTF
466 stfattach();
467 #endif
468 #endif /* __APPLE__ */
469 }
470
471 void
472 ip6_input(struct mbuf *m)
473 {
474 struct ip6_hdr *ip6;
475 int off = sizeof(struct ip6_hdr), nest;
476 u_int32_t plen;
477 u_int32_t rtalert = ~0;
478 int nxt = 0, ours = 0;
479 struct ifnet *deliverifp = NULL;
480 ipfilter_t inject_ipfref = 0;
481 int seen;
482 struct in6_ifaddr *ia6 = NULL;
483 struct route_in6 ip6_forward_rt;
484 struct sockaddr_in6 *dst6;
485 #if DUMMYNET
486 struct m_tag *tag;
487 struct ip_fw_args args;
488
489 bzero(&args, sizeof(struct ip_fw_args));
490 #endif /* DUMMYNET */
491
492 bzero(&ip6_forward_rt, sizeof(ip6_forward_rt));
493
494 /* Check if the packet we received is valid after interface filter
495 * processing
496 */
497 MBUF_INPUT_CHECK(m, m->m_pkthdr.rcvif);
498
499 /* Perform IP header alignment fixup, if needed */
500 IP6_HDR_ALIGNMENT_FIXUP(m, m->m_pkthdr.rcvif, return;);
501
502 #if DUMMYNET
503 if ((tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID,
504 KERNEL_TAG_TYPE_DUMMYNET, NULL)) != NULL) {
505 struct dn_pkt_tag *dn_tag;
506
507 dn_tag = (struct dn_pkt_tag *)(tag+1);
508
509 args.fwa_pf_rule = dn_tag->dn_pf_rule;
510
511 m_tag_delete(m, tag);
512 }
513
514 if (args.fwa_pf_rule) {
515 ip6 = mtod(m, struct ip6_hdr *); /* In case PF got disabled */
516
517 goto check_with_pf;
518 }
519 #endif /* DUMMYNET */
520
521 /*
522 * No need to proccess packet twice if we've
523 * already seen it
524 */
525 inject_ipfref = ipf_get_inject_filter(m);
526 if (inject_ipfref != 0) {
527 ip6 = mtod(m, struct ip6_hdr *);
528 nxt = ip6->ip6_nxt;
529 seen = 0;
530 goto injectit;
531 } else
532 seen = 1;
533
534 #if IPSEC
535 /*
536 * should the inner packet be considered authentic?
537 * see comment in ah4_input().
538 */
539 if (m) {
540 m->m_flags &= ~M_AUTHIPHDR;
541 m->m_flags &= ~M_AUTHIPDGM;
542 }
543 #endif
544
545 /*
546 * make sure we don't have onion peering information into m_aux.
547 */
548 ip6_delaux(m);
549
550 /*
551 * mbuf statistics
552 */
553 if (m->m_flags & M_EXT) {
554 if (m->m_next)
555 ip6stat.ip6s_mext2m++;
556 else
557 ip6stat.ip6s_mext1++;
558 } else {
559 #define M2MMAX (sizeof(ip6stat.ip6s_m2m)/sizeof(ip6stat.ip6s_m2m[0]))
560 if (m->m_next) {
561 if (m->m_flags & M_LOOP) {
562 ip6stat.ip6s_m2m[ifnet_index(lo_ifp)]++; /* XXX */
563 } else if (m->m_pkthdr.rcvif->if_index < M2MMAX)
564 ip6stat.ip6s_m2m[m->m_pkthdr.rcvif->if_index]++;
565 else
566 ip6stat.ip6s_m2m[0]++;
567 } else
568 ip6stat.ip6s_m1++;
569 #undef M2MMAX
570 }
571
572 /*
573 * Drop the packet if IPv6 operation is disabled on the IF;
574 * accessing the flag is done without acquiring nd_ifinfo lock
575 * for performance reasons.
576 */
577 lck_rw_lock_shared(nd_if_rwlock);
578 if (m->m_pkthdr.rcvif->if_index < nd_ifinfo_indexlim &&
579 (nd_ifinfo[m->m_pkthdr.rcvif->if_index].flags & ND6_IFF_IFDISABLED)) {
580 lck_rw_done(nd_if_rwlock);
581 goto bad;
582 }
583 lck_rw_done(nd_if_rwlock);
584
585 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_receive);
586 ip6stat.ip6s_total++;
587
588 #ifndef PULLDOWN_TEST
589 /*
590 * L2 bridge code and some other code can return mbuf chain
591 * that does not conform to KAME requirement. too bad.
592 * XXX: fails to join if interface MTU > MCLBYTES. jumbogram?
593 */
594 if (m && m->m_next != NULL && m->m_pkthdr.len < MCLBYTES) {
595 struct mbuf *n;
596
597 MGETHDR(n, M_DONTWAIT, MT_HEADER); /* MAC-OK */
598 if (n)
599 M_COPY_PKTHDR(n, m);
600 if (n && m->m_pkthdr.len > MHLEN) {
601 MCLGET(n, M_DONTWAIT);
602 if ((n->m_flags & M_EXT) == 0) {
603 m_freem(n);
604 n = NULL;
605 }
606 }
607 if (n == NULL)
608 goto bad;
609
610 m_copydata(m, 0, m->m_pkthdr.len, mtod(n, caddr_t));
611 n->m_len = m->m_pkthdr.len;
612 m_freem(m);
613 m = n;
614 }
615 IP6_EXTHDR_CHECK(m, 0, sizeof(struct ip6_hdr),
616 {goto done;});
617 #endif
618
619 if (m->m_len < sizeof(struct ip6_hdr)) {
620 struct ifnet *inifp;
621 inifp = m->m_pkthdr.rcvif;
622 if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == 0) {
623 ip6stat.ip6s_toosmall++;
624 in6_ifstat_inc(inifp, ifs6_in_hdrerr);
625 goto done;
626 }
627 }
628
629 ip6 = mtod(m, struct ip6_hdr *);
630
631 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) {
632 ip6stat.ip6s_badvers++;
633 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
634 goto bad;
635 }
636
637 ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
638
639 #if IPFW2
640 /*
641 * Check with the firewall...
642 */
643 if (ip6_fw_enable && ip6_fw_chk_ptr) {
644 u_short port = 0;
645 /* If ipfw says divert, we have to just drop packet */
646 /* use port as a dummy argument */
647 if ((*ip6_fw_chk_ptr)(&ip6, NULL, &port, &m)) {
648 m_freem(m);
649 m = NULL;
650 }
651 if (!m)
652 goto done;
653 }
654 #endif
655
656 /*
657 * Check against address spoofing/corruption.
658 */
659 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) ||
660 IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) {
661 /*
662 * XXX: "badscope" is not very suitable for a multicast source.
663 */
664 ip6stat.ip6s_badscope++;
665 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
666 goto bad;
667 }
668 if (IN6_IS_ADDR_MC_INTFACELOCAL(&ip6->ip6_dst) &&
669 !(m->m_flags & M_LOOP)) {
670 /*
671 * In this case, the packet should come from the loopback
672 * interface. However, we cannot just check the if_flags,
673 * because ip6_mloopback() passes the "actual" interface
674 * as the outgoing/incoming interface.
675 */
676 ip6stat.ip6s_badscope++;
677 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
678 goto bad;
679 }
680
681 /*
682 * The following check is not documented in specs. A malicious
683 * party may be able to use IPv4 mapped addr to confuse tcp/udp stack
684 * and bypass security checks (act as if it was from 127.0.0.1 by using
685 * IPv6 src ::ffff:127.0.0.1). Be cautious.
686 *
687 * This check chokes if we are in an SIIT cloud. As none of BSDs
688 * support IPv4-less kernel compilation, we cannot support SIIT
689 * environment at all. So, it makes more sense for us to reject any
690 * malicious packets for non-SIIT environment, than try to do a
691 * partial support for SIIT environment.
692 */
693 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
694 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
695 ip6stat.ip6s_badscope++;
696 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
697 goto bad;
698 }
699 #if 0
700 /*
701 * Reject packets with IPv4 compatible addresses (auto tunnel).
702 *
703 * The code forbids auto tunnel relay case in RFC1933 (the check is
704 * stronger than RFC1933). We may want to re-enable it if mech-xx
705 * is revised to forbid relaying case.
706 */
707 if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) ||
708 IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {
709 ip6stat.ip6s_badscope++;
710 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
711 goto bad;
712 }
713 #endif
714
715 /*
716 * Naively assume we can attribute inbound data to the route we would
717 * use to send to this destination. Asymetric routing breaks this
718 * assumption, but it still allows us to account for traffic from
719 * a remote node in the routing table.
720 * this has a very significant performance impact so we bypass
721 * if nstat_collect is disabled. We may also bypass if the
722 * protocol is tcp in the future because tcp will have a route that
723 * we can use to attribute the data to. That does mean we would not
724 * account for forwarded tcp traffic.
725 */
726 if (nstat_collect) {
727 struct rtentry *rte =
728 ifnet_cached_rtlookup_inet6(m->m_pkthdr.rcvif,
729 &ip6->ip6_src);
730 if (rte != NULL) {
731 nstat_route_rx(rte, 1, m->m_pkthdr.len, 0);
732 rtfree(rte);
733 }
734 }
735
736 #if DUMMYNET
737 check_with_pf:
738 #endif
739 #if PF
740 /* Invoke inbound packet filter */
741 if (PF_IS_ENABLED) {
742 int error;
743 #if DUMMYNET
744 error = pf_af_hook(m->m_pkthdr.rcvif, NULL, &m, AF_INET6, TRUE, &args);
745 #else
746 error = pf_af_hook(m->m_pkthdr.rcvif, NULL, &m, AF_INET6, TRUE, NULL);
747 #endif
748 if (error != 0 || m == NULL) {
749 if (m != NULL) {
750 panic("%s: unexpected packet %p\n", __func__, m);
751 /* NOTREACHED */
752 }
753 /* Already freed by callee */
754 goto done;
755 }
756 ip6 = mtod(m, struct ip6_hdr *);
757 }
758 #endif /* PF */
759
760 /* drop packets if interface ID portion is already filled */
761 if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
762 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src) &&
763 ip6->ip6_src.s6_addr16[1]) {
764 ip6stat.ip6s_badscope++;
765 goto bad;
766 }
767 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst) &&
768 ip6->ip6_dst.s6_addr16[1]) {
769 ip6stat.ip6s_badscope++;
770 goto bad;
771 }
772 }
773
774 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src))
775 ip6->ip6_src.s6_addr16[1]
776 = htons(m->m_pkthdr.rcvif->if_index);
777 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
778 ip6->ip6_dst.s6_addr16[1]
779 = htons(m->m_pkthdr.rcvif->if_index);
780
781 /*
782 * Multicast check
783 */
784 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
785 struct in6_multi *in6m = NULL;
786 struct ifnet *ifp = m->m_pkthdr.rcvif;
787
788 in6_ifstat_inc(ifp, ifs6_in_mcast);
789 /*
790 * See if we belong to the destination multicast group on the
791 * arrival interface.
792 */
793 in6_multihead_lock_shared();
794 IN6_LOOKUP_MULTI(&ip6->ip6_dst, ifp, in6m);
795 in6_multihead_lock_done();
796 if (in6m != NULL) {
797 IN6M_REMREF(in6m);
798 ours = 1;
799 } else if (!nd6_prproxy
800 #if MROUTING
801 && !ip6_mrouter
802 #endif
803 ) {
804 ip6stat.ip6s_notmember++;
805 ip6stat.ip6s_cantforward++;
806 in6_ifstat_inc(ifp, ifs6_in_discard);
807 goto bad;
808 }
809 deliverifp = ifp;
810 goto hbhcheck;
811 }
812
813 /*
814 * Unicast check
815 */
816 dst6 = (struct sockaddr_in6 *)&ip6_forward_rt.ro_dst;
817 dst6->sin6_len = sizeof(struct sockaddr_in6);
818 dst6->sin6_family = AF_INET6;
819 dst6->sin6_addr = ip6->ip6_dst;
820
821 rtalloc_scoped_ign((struct route *)&ip6_forward_rt,
822 RTF_PRCLONING, IFSCOPE_NONE);
823 if (ip6_forward_rt.ro_rt != NULL)
824 RT_LOCK(ip6_forward_rt.ro_rt);
825
826 #define rt6_key(r) ((struct sockaddr_in6 *)((r)->rt_nodes->rn_key))
827
828 /*
829 * Accept the packet if the forwarding interface to the destination
830 * according to the routing table is the loopback interface,
831 * unless the associated route has a gateway.
832 * Note that this approach causes to accept a packet if there is a
833 * route to the loopback interface for the destination of the packet.
834 * But we think it's even useful in some situations, e.g. when using
835 * a special daemon which wants to intercept the packet.
836 *
837 * XXX: some OSes automatically make a cloned route for the destination
838 * of an outgoing packet. If the outgoing interface of the packet
839 * is a loopback one, the kernel would consider the packet to be
840 * accepted, even if we have no such address assinged on the interface.
841 * We check the cloned flag of the route entry to reject such cases,
842 * assuming that route entries for our own addresses are not made by
843 * cloning (it should be true because in6_addloop explicitly installs
844 * the host route). However, we might have to do an explicit check
845 * while it would be less efficient. Or, should we rather install a
846 * reject route for such a case?
847 */
848 if (ip6_forward_rt.ro_rt != NULL &&
849 (ip6_forward_rt.ro_rt->rt_flags &
850 (RTF_HOST|RTF_GATEWAY)) == RTF_HOST &&
851 #if RTF_WASCLONED
852 !(ip6_forward_rt.ro_rt->rt_flags & RTF_WASCLONED) &&
853 #endif
854 #if 0
855 /*
856 * The check below is redundant since the comparison of
857 * the destination and the key of the rtentry has
858 * already done through looking up the routing table.
859 */
860 IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst,
861 &rt6_key(ip6_forward_rt.ro_rt)->sin6_addr)
862 #endif
863 ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_LOOP) {
864 ia6 = (struct in6_ifaddr *)ip6_forward_rt.ro_rt->rt_ifa;
865
866 /*
867 * record address information into m_aux.
868 */
869 (void)ip6_setdstifaddr(m, ia6);
870
871 /*
872 * packets to a tentative, duplicated, or somehow invalid
873 * address must not be accepted.
874 */
875 RT_CONVERT_LOCK(ip6_forward_rt.ro_rt); /* just in case */
876 IFA_LOCK_SPIN(&ia6->ia_ifa);
877 if (!(ia6->ia6_flags & IN6_IFF_NOTREADY)) {
878 IFA_UNLOCK(&ia6->ia_ifa);
879 /* this address is ready */
880 ours = 1;
881 deliverifp = ia6->ia_ifp; /* correct? */
882 /* Count the packet in the ip address stats */
883
884 RT_UNLOCK(ip6_forward_rt.ro_rt);
885 ia6 = NULL;
886 goto hbhcheck;
887 }
888 IFA_UNLOCK(&ia6->ia_ifa);
889 RT_UNLOCK(ip6_forward_rt.ro_rt);
890 /* address is not ready, so discard the packet. */
891 nd6log((LOG_INFO,
892 "ip6_input: packet to an unready address %s->%s\n",
893 ip6_sprintf(&ip6->ip6_src),
894 ip6_sprintf(&ip6->ip6_dst)));
895 ia6 = NULL;
896 goto bad;
897 }
898
899 if (ip6_forward_rt.ro_rt != NULL)
900 RT_UNLOCK(ip6_forward_rt.ro_rt);
901
902 /*
903 * Now there is no reason to process the packet if it's not our own
904 * and we're not a router.
905 */
906 if (!ip6_forwarding) {
907 ip6stat.ip6s_cantforward++;
908 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
909 goto bad;
910 }
911
912 hbhcheck:
913 /*
914 * record address information into m_aux, if we don't have one yet.
915 * note that we are unable to record it, if the address is not listed
916 * as our interface address (e.g. multicast addresses, etc.)
917 */
918 if (deliverifp && (ia6 = ip6_getdstifaddr(m)) == NULL) {
919 ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst);
920 if (ia6) {
921 if (!ip6_setdstifaddr(m, ia6)) {
922 /*
923 * XXX maybe we should drop the packet here,
924 * as we could not provide enough information
925 * to the upper layers.
926 */
927 }
928 IFA_REMREF(&ia6->ia_ifa);
929 ia6 = NULL;
930 }
931 }
932
933 if (ia6 != NULL) {
934 IFA_REMREF(&ia6->ia_ifa);
935 ia6 = NULL;
936 }
937
938 /*
939 * Process Hop-by-Hop options header if it's contained.
940 * m may be modified in ip6_hopopts_input().
941 * If a JumboPayload option is included, plen will also be modified.
942 */
943 plen = (u_int32_t)ntohs(ip6->ip6_plen);
944 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) {
945 struct ip6_hbh *hbh;
946
947 if (ip6_hopopts_input(&plen, &rtalert, &m, &off)) {
948 #if 0 /*touches NULL pointer*/
949 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
950 #endif
951 goto done; /* m have already been freed */
952 }
953
954 /* adjust pointer */
955 ip6 = mtod(m, struct ip6_hdr *);
956
957 /*
958 * if the payload length field is 0 and the next header field
959 * indicates Hop-by-Hop Options header, then a Jumbo Payload
960 * option MUST be included.
961 */
962 if (ip6->ip6_plen == 0 && plen == 0) {
963 /*
964 * Note that if a valid jumbo payload option is
965 * contained, ip6_hopopts_input() must set a valid
966 * (non-zero) payload length to the variable plen.
967 */
968 ip6stat.ip6s_badoptions++;
969 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
970 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
971 icmp6_error(m, ICMP6_PARAM_PROB,
972 ICMP6_PARAMPROB_HEADER,
973 (caddr_t)&ip6->ip6_plen - (caddr_t)ip6);
974 goto done;
975 }
976 #ifndef PULLDOWN_TEST
977 /* ip6_hopopts_input() ensures that mbuf is contiguous */
978 hbh = (struct ip6_hbh *)(ip6 + 1);
979 #else
980 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr),
981 sizeof(struct ip6_hbh));
982 if (hbh == NULL) {
983 ip6stat.ip6s_tooshort++;
984 goto done;
985 }
986 #endif
987 nxt = hbh->ip6h_nxt;
988
989 /*
990 * If we are acting as a router and the packet contains a
991 * router alert option, see if we know the option value.
992 * Currently, we only support the option value for MLD, in which
993 * case we should pass the packet to the multicast routing
994 * daemon.
995 */
996 if (rtalert != ~0 && ip6_forwarding) {
997 switch (rtalert) {
998 case IP6OPT_RTALERT_MLD:
999 ours = 1;
1000 break;
1001 default:
1002 /*
1003 * RFC2711 requires unrecognized values must be
1004 * silently ignored.
1005 */
1006 break;
1007 }
1008 }
1009 } else
1010 nxt = ip6->ip6_nxt;
1011
1012 /*
1013 * Check that the amount of data in the buffers
1014 * is as at least much as the IPv6 header would have us expect.
1015 * Trim mbufs if longer than we expect.
1016 * Drop packet if shorter than we expect.
1017 */
1018 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) < plen) {
1019 ip6stat.ip6s_tooshort++;
1020 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
1021 goto bad;
1022 }
1023 if (m->m_pkthdr.len > sizeof(struct ip6_hdr) + plen) {
1024 if (m->m_len == m->m_pkthdr.len) {
1025 m->m_len = sizeof(struct ip6_hdr) + plen;
1026 m->m_pkthdr.len = sizeof(struct ip6_hdr) + plen;
1027 } else
1028 m_adj(m, sizeof(struct ip6_hdr) + plen - m->m_pkthdr.len);
1029 }
1030
1031 /*
1032 * Forward if desirable.
1033 */
1034 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
1035 /*
1036 * If we are acting as a multicast router, all
1037 * incoming multicast packets are passed to the
1038 * kernel-level multicast forwarding function.
1039 * The packet is returned (relatively) intact; if
1040 * ip6_mforward() returns a non-zero value, the packet
1041 * must be discarded, else it may be accepted below.
1042 */
1043 #if MROUTING
1044 if (ip6_mrouter && ip6_mforward(ip6, m->m_pkthdr.rcvif, m)) {
1045 ip6stat.ip6s_cantforward++;
1046 goto bad;
1047 }
1048 #endif
1049 if (!ours && nd6_prproxy) {
1050 /*
1051 * If this isn't for us, this might be a Neighbor
1052 * Solicitation (dst is solicited-node multicast)
1053 * against an address in one of the proxied prefixes;
1054 * if so, claim the packet and let icmp6_input()
1055 * handle the rest.
1056 */
1057 ours = nd6_prproxy_isours(m, ip6, NULL, IFSCOPE_NONE);
1058 VERIFY(!ours ||
1059 (m->m_pkthdr.aux_flags & MAUXF_PROXY_DST));
1060 }
1061 if (!ours)
1062 goto bad;
1063 } else if (!ours) {
1064 /*
1065 * The unicast forwarding function might return the packet
1066 * if we are proxying prefix(es), and if the packet is an
1067 * ICMPv6 packet that has failed the zone checks, but is
1068 * targetted towards a proxied address (this is optimized by
1069 * way of RTF_PROXY test.) If so, claim the packet as ours
1070 * and let icmp6_input() handle the rest. The packet's hop
1071 * limit value is kept intact (it's not decremented). This
1072 * is for supporting Neighbor Unreachability Detection between
1073 * proxied nodes on different links (src is link-local, dst
1074 * is target address.)
1075 */
1076 if ((m = ip6_forward(m, &ip6_forward_rt, 0)) == NULL)
1077 goto done;
1078 VERIFY(ip6_forward_rt.ro_rt != NULL);
1079 VERIFY(m->m_pkthdr.aux_flags & MAUXF_PROXY_DST);
1080 deliverifp = ip6_forward_rt.ro_rt->rt_ifp;
1081 ours = 1;
1082 }
1083
1084 ip6 = mtod(m, struct ip6_hdr *);
1085
1086 /*
1087 * Malicious party may be able to use IPv4 mapped addr to confuse
1088 * tcp/udp stack and bypass security checks (act as if it was from
1089 * 127.0.0.1 by using IPv6 src ::ffff:127.0.0.1). Be cautious.
1090 *
1091 * For SIIT end node behavior, you may want to disable the check.
1092 * However, you will become vulnerable to attacks using IPv4 mapped
1093 * source.
1094 */
1095 if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
1096 IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {
1097 ip6stat.ip6s_badscope++;
1098 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
1099 goto bad;
1100 }
1101
1102 /*
1103 * Tell launch routine the next header
1104 */
1105 ip6stat.ip6s_delivered++;
1106 in6_ifstat_inc(deliverifp, ifs6_in_deliver);
1107
1108 injectit:
1109 nest = 0;
1110
1111 /*
1112 * Perform IP header alignment fixup again, if needed. Note that
1113 * we do it once for the outermost protocol, and we assume each
1114 * protocol handler wouldn't mess with the alignment afterwards.
1115 */
1116 IP6_HDR_ALIGNMENT_FIXUP(m, m->m_pkthdr.rcvif, return;);
1117
1118 while (nxt != IPPROTO_DONE) {
1119 struct ipfilter *filter;
1120 int (*pr_input)(struct mbuf **, int *, int);
1121
1122 if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) {
1123 ip6stat.ip6s_toomanyhdr++;
1124 goto bad;
1125 }
1126
1127 /*
1128 * protection against faulty packet - there should be
1129 * more sanity checks in header chain processing.
1130 */
1131 if (m->m_pkthdr.len < off) {
1132 ip6stat.ip6s_tooshort++;
1133 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
1134 goto bad;
1135 }
1136
1137
1138 #if IPSEC
1139 /*
1140 * enforce IPsec policy checking if we are seeing last header.
1141 * note that we do not visit this with protocols with pcb layer
1142 * code - like udp/tcp/raw ip.
1143 */
1144 if ((ipsec_bypass == 0) &&
1145 (ip6_protox[nxt]->pr_flags & PR_LASTHDR) != 0) {
1146 if (ipsec6_in_reject(m, NULL)) {
1147 IPSEC_STAT_INCREMENT(ipsec6stat.in_polvio);
1148 goto bad;
1149 }
1150 }
1151 #endif
1152
1153 /*
1154 * Call IP filter
1155 */
1156 if (!TAILQ_EMPTY(&ipv6_filters)) {
1157 ipf_ref();
1158 TAILQ_FOREACH(filter, &ipv6_filters, ipf_link) {
1159 if (seen == 0) {
1160 if ((struct ipfilter *)inject_ipfref ==
1161 filter)
1162 seen = 1;
1163 } else if (filter->ipf_filter.ipf_input) {
1164 errno_t result;
1165
1166 result = filter->ipf_filter.ipf_input(
1167 filter->ipf_filter.cookie,
1168 (mbuf_t *)&m, off, nxt);
1169 if (result == EJUSTRETURN) {
1170 ipf_unref();
1171 goto done;
1172 }
1173 if (result != 0) {
1174 ipf_unref();
1175 goto bad;
1176 }
1177 }
1178 }
1179 ipf_unref();
1180 }
1181
1182 DTRACE_IP6(receive, struct mbuf *, m, struct inpcb *, NULL,
1183 struct ip6_hdr *, ip6, struct ifnet *, m->m_pkthdr.rcvif,
1184 struct ip *, NULL, struct ip6_hdr *, ip6);
1185
1186 if ((pr_input = ip6_protox[nxt]->pr_input) == NULL) {
1187 m_freem(m);
1188 m = NULL;
1189 nxt = IPPROTO_DONE;
1190 } else if (!(ip6_protox[nxt]->pr_flags & PR_PROTOLOCK)) {
1191 lck_mtx_lock(inet6_domain_mutex);
1192 nxt = pr_input(&m, &off, nxt);
1193 lck_mtx_unlock(inet6_domain_mutex);
1194 } else {
1195 nxt = pr_input(&m, &off, nxt);
1196 }
1197 }
1198 done:
1199 if (ip6_forward_rt.ro_rt != NULL)
1200 rtfree(ip6_forward_rt.ro_rt);
1201 return;
1202 bad:
1203 m_freem(m);
1204 goto done;
1205 }
1206
1207 /*
1208 * set/grab in6_ifaddr correspond to IPv6 destination address.
1209 * XXX backward compatibility wrapper
1210 */
1211 static struct ip6aux *
1212 ip6_setdstifaddr(struct mbuf *m, struct in6_ifaddr *ia6)
1213 {
1214 struct ip6aux *n;
1215
1216 n = ip6_addaux(m);
1217 if (n != NULL) {
1218 if (ia6 != NULL)
1219 IFA_ADDREF(&ia6->ia_ifa);
1220 if (n->ip6a_dstia6 != NULL)
1221 IFA_REMREF(&n->ip6a_dstia6->ia_ifa);
1222 n->ip6a_dstia6 = ia6;
1223 }
1224 return (struct ip6aux *)n; /* NULL if failed to set */
1225 }
1226
1227 struct in6_ifaddr *
1228 ip6_getdstifaddr(m)
1229 struct mbuf *m;
1230 {
1231 struct ip6aux *n;
1232
1233 n = ip6_findaux(m);
1234 if (n != NULL) {
1235 if (n->ip6a_dstia6 != NULL)
1236 IFA_ADDREF(&n->ip6a_dstia6->ia_ifa);
1237 return (n->ip6a_dstia6);
1238 }
1239 return (NULL);
1240 }
1241
1242 /*
1243 * Hop-by-Hop options header processing. If a valid jumbo payload option is
1244 * included, the real payload length will be stored in plenp.
1245 */
1246 static int
1247 ip6_hopopts_input(uint32_t *plenp, uint32_t *rtalertp, struct mbuf **mp,
1248 int *offp)
1249 {
1250 struct mbuf *m = *mp;
1251 int off = *offp, hbhlen;
1252 struct ip6_hbh *hbh;
1253 u_int8_t *opt;
1254
1255 /* validation of the length of the header */
1256 #ifndef PULLDOWN_TEST
1257 IP6_EXTHDR_CHECK(m, off, sizeof(*hbh), return -1);
1258 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off);
1259 hbhlen = (hbh->ip6h_len + 1) << 3;
1260
1261 IP6_EXTHDR_CHECK(m, off, hbhlen, return -1);
1262 hbh = (struct ip6_hbh *)(mtod(m, caddr_t) + off);
1263 #else
1264 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m,
1265 sizeof(struct ip6_hdr), sizeof(struct ip6_hbh));
1266 if (hbh == NULL) {
1267 ip6stat.ip6s_tooshort++;
1268 return -1;
1269 }
1270 hbhlen = (hbh->ip6h_len + 1) << 3;
1271 IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr),
1272 hbhlen);
1273 if (hbh == NULL) {
1274 ip6stat.ip6s_tooshort++;
1275 return -1;
1276 }
1277 #endif
1278 off += hbhlen;
1279 hbhlen -= sizeof(struct ip6_hbh);
1280 opt = (u_int8_t *)hbh + sizeof(struct ip6_hbh);
1281
1282 if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh),
1283 hbhlen, rtalertp, plenp) < 0)
1284 return (-1);
1285
1286 *offp = off;
1287 *mp = m;
1288 return (0);
1289 }
1290
1291 /*
1292 * Search header for all Hop-by-hop options and process each option.
1293 * This function is separate from ip6_hopopts_input() in order to
1294 * handle a case where the sending node itself process its hop-by-hop
1295 * options header. In such a case, the function is called from ip6_output().
1296 *
1297 * The function assumes that hbh header is located right after the IPv6 header
1298 * (RFC2460 p7), opthead is pointer into data content in m, and opthead to
1299 * opthead + hbhlen is located in continuous memory region.
1300 */
1301 int
1302 ip6_process_hopopts(m, opthead, hbhlen, rtalertp, plenp)
1303 struct mbuf *m;
1304 u_int8_t *opthead;
1305 int hbhlen;
1306 u_int32_t *rtalertp;
1307 u_int32_t *plenp;
1308 {
1309 struct ip6_hdr *ip6;
1310 int optlen = 0;
1311 u_int8_t *opt = opthead;
1312 u_int16_t rtalert_val;
1313 u_int32_t jumboplen;
1314 const int erroff = sizeof(struct ip6_hdr) + sizeof(struct ip6_hbh);
1315
1316 for (; hbhlen > 0; hbhlen -= optlen, opt += optlen) {
1317 switch (*opt) {
1318 case IP6OPT_PAD1:
1319 optlen = 1;
1320 break;
1321 case IP6OPT_PADN:
1322 if (hbhlen < IP6OPT_MINLEN) {
1323 ip6stat.ip6s_toosmall++;
1324 goto bad;
1325 }
1326 optlen = *(opt + 1) + 2;
1327 break;
1328 case IP6OPT_ROUTER_ALERT:
1329 /* XXX may need check for alignment */
1330 if (hbhlen < IP6OPT_RTALERT_LEN) {
1331 ip6stat.ip6s_toosmall++;
1332 goto bad;
1333 }
1334 if (*(opt + 1) != IP6OPT_RTALERT_LEN - 2) {
1335 /* XXX stat */
1336 icmp6_error(m, ICMP6_PARAM_PROB,
1337 ICMP6_PARAMPROB_HEADER,
1338 erroff + opt + 1 - opthead);
1339 return(-1);
1340 }
1341 optlen = IP6OPT_RTALERT_LEN;
1342 bcopy((caddr_t)(opt + 2), (caddr_t)&rtalert_val, 2);
1343 *rtalertp = ntohs(rtalert_val);
1344 break;
1345 case IP6OPT_JUMBO:
1346 /* XXX may need check for alignment */
1347 if (hbhlen < IP6OPT_JUMBO_LEN) {
1348 ip6stat.ip6s_toosmall++;
1349 goto bad;
1350 }
1351 if (*(opt + 1) != IP6OPT_JUMBO_LEN - 2) {
1352 /* XXX stat */
1353 icmp6_error(m, ICMP6_PARAM_PROB,
1354 ICMP6_PARAMPROB_HEADER,
1355 erroff + opt + 1 - opthead);
1356 return(-1);
1357 }
1358 optlen = IP6OPT_JUMBO_LEN;
1359
1360 /*
1361 * IPv6 packets that have non 0 payload length
1362 * must not contain a jumbo payload option.
1363 */
1364 ip6 = mtod(m, struct ip6_hdr *);
1365 if (ip6->ip6_plen) {
1366 ip6stat.ip6s_badoptions++;
1367 icmp6_error(m, ICMP6_PARAM_PROB,
1368 ICMP6_PARAMPROB_HEADER,
1369 erroff + opt - opthead);
1370 return(-1);
1371 }
1372
1373 /*
1374 * We may see jumbolen in unaligned location, so
1375 * we'd need to perform bcopy().
1376 */
1377 bcopy(opt + 2, &jumboplen, sizeof(jumboplen));
1378 jumboplen = (u_int32_t)htonl(jumboplen);
1379
1380 #if 1
1381 /*
1382 * if there are multiple jumbo payload options,
1383 * *plenp will be non-zero and the packet will be
1384 * rejected.
1385 * the behavior may need some debate in ipngwg -
1386 * multiple options does not make sense, however,
1387 * there's no explicit mention in specification.
1388 */
1389 if (*plenp != 0) {
1390 ip6stat.ip6s_badoptions++;
1391 icmp6_error(m, ICMP6_PARAM_PROB,
1392 ICMP6_PARAMPROB_HEADER,
1393 erroff + opt + 2 - opthead);
1394 return(-1);
1395 }
1396 #endif
1397
1398 /*
1399 * jumbo payload length must be larger than 65535.
1400 */
1401 if (jumboplen <= IPV6_MAXPACKET) {
1402 ip6stat.ip6s_badoptions++;
1403 icmp6_error(m, ICMP6_PARAM_PROB,
1404 ICMP6_PARAMPROB_HEADER,
1405 erroff + opt + 2 - opthead);
1406 return(-1);
1407 }
1408 *plenp = jumboplen;
1409
1410 break;
1411 default: /* unknown option */
1412 if (hbhlen < IP6OPT_MINLEN) {
1413 ip6stat.ip6s_toosmall++;
1414 goto bad;
1415 }
1416 optlen = ip6_unknown_opt(opt, m,
1417 erroff + opt - opthead);
1418 if (optlen == -1) {
1419 return(-1);
1420 }
1421 optlen += 2;
1422 break;
1423 }
1424 }
1425
1426 return(0);
1427
1428 bad:
1429 m_freem(m);
1430 return(-1);
1431 }
1432
1433 /*
1434 * Unknown option processing.
1435 * The third argument `off' is the offset from the IPv6 header to the option,
1436 * which is necessary if the IPv6 header the and option header and IPv6 header
1437 * is not continuous in order to return an ICMPv6 error.
1438 */
1439 int
1440 ip6_unknown_opt(uint8_t *optp, struct mbuf *m, int off)
1441 {
1442 struct ip6_hdr *ip6;
1443
1444 switch (IP6OPT_TYPE(*optp)) {
1445 case IP6OPT_TYPE_SKIP: /* ignore the option */
1446 return((int)*(optp + 1));
1447 case IP6OPT_TYPE_DISCARD: /* silently discard */
1448 m_freem(m);
1449 return(-1);
1450 case IP6OPT_TYPE_FORCEICMP: /* send ICMP even if multicasted */
1451 ip6stat.ip6s_badoptions++;
1452 icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_OPTION, off);
1453 return(-1);
1454 case IP6OPT_TYPE_ICMP: /* send ICMP if not multicasted */
1455 ip6stat.ip6s_badoptions++;
1456 ip6 = mtod(m, struct ip6_hdr *);
1457 if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
1458 (m->m_flags & (M_BCAST|M_MCAST)))
1459 m_freem(m);
1460 else
1461 icmp6_error(m, ICMP6_PARAM_PROB,
1462 ICMP6_PARAMPROB_OPTION, off);
1463 return(-1);
1464 }
1465
1466 m_freem(m); /* XXX: NOTREACHED */
1467 return (-1);
1468 }
1469
1470 /*
1471 * Create the "control" list for this pcb.
1472 * These functions will not modify mbuf chain at all.
1473 *
1474 * With KAME mbuf chain restriction:
1475 * The routine will be called from upper layer handlers like tcp6_input().
1476 * Thus the routine assumes that the caller (tcp6_input) have already
1477 * called IP6_EXTHDR_CHECK() and all the extension headers are located in the
1478 * very first mbuf on the mbuf chain.
1479 *
1480 * ip6_savecontrol_v4 will handle those options that are possible to be
1481 * set on a v4-mapped socket.
1482 * ip6_savecontrol will directly call ip6_savecontrol_v4 to handle those
1483 * options and handle the v6-only ones itself.
1484 */
1485 struct mbuf **
1486 ip6_savecontrol_v4(struct inpcb *inp, struct mbuf *m, struct mbuf **mp,
1487 int *v4only)
1488 {
1489 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
1490
1491 if ((inp->inp_socket->so_options & SO_TIMESTAMP) != 0) {
1492 struct timeval tv;
1493
1494 microtime(&tv);
1495 mp = sbcreatecontrol_mbuf((caddr_t) &tv, sizeof(tv),
1496 SCM_TIMESTAMP, SOL_SOCKET, mp);
1497 if (*mp == NULL)
1498 return NULL;
1499 }
1500 if ((inp->inp_socket->so_options & SO_TIMESTAMP_MONOTONIC) != 0) {
1501 uint64_t time;
1502
1503 time = mach_absolute_time();
1504 mp = sbcreatecontrol_mbuf((caddr_t) &time, sizeof(time),
1505 SCM_TIMESTAMP_MONOTONIC, SOL_SOCKET, mp);
1506
1507 if (*mp == NULL)
1508 return NULL;
1509 }
1510 if ((inp->inp_socket->so_flags & SOF_RECV_TRAFFIC_CLASS) != 0) {
1511 int tc = m_get_traffic_class(m);
1512
1513 mp = sbcreatecontrol_mbuf((caddr_t) &tc, sizeof(tc),
1514 SO_TRAFFIC_CLASS, SOL_SOCKET, mp);
1515 if (*mp == NULL)
1516 return (NULL);
1517 }
1518
1519 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) {
1520 if (v4only != NULL)
1521 *v4only = 1;
1522 return (mp);
1523 }
1524
1525 #define IS2292(inp, x, y) (((inp)->inp_flags & IN6P_RFC2292) ? (x) : (y))
1526 /* RFC 2292 sec. 5 */
1527 if ((inp->inp_flags & IN6P_PKTINFO) != 0) {
1528 struct in6_pktinfo pi6;
1529
1530 bcopy(&ip6->ip6_dst, &pi6.ipi6_addr, sizeof(struct in6_addr));
1531 in6_clearscope(&pi6.ipi6_addr); /* XXX */
1532 pi6.ipi6_ifindex =
1533 (m && m->m_pkthdr.rcvif) ? m->m_pkthdr.rcvif->if_index : 0;
1534
1535 mp = sbcreatecontrol_mbuf((caddr_t) &pi6,
1536 sizeof(struct in6_pktinfo),
1537 IS2292(inp, IPV6_2292PKTINFO, IPV6_PKTINFO), IPPROTO_IPV6, mp);
1538 if (*mp == NULL)
1539 return NULL;
1540 }
1541
1542 if ((inp->inp_flags & IN6P_HOPLIMIT) != 0) {
1543 int hlim = ip6->ip6_hlim & 0xff;
1544
1545 mp = sbcreatecontrol_mbuf((caddr_t) &hlim, sizeof(int),
1546 IS2292(inp, IPV6_2292HOPLIMIT, IPV6_HOPLIMIT),
1547 IPPROTO_IPV6, mp);
1548 if (*mp == NULL)
1549 return NULL;
1550 }
1551
1552 if (v4only != NULL)
1553 *v4only = 0;
1554 return (mp);
1555 }
1556
1557 int
1558 ip6_savecontrol(struct inpcb *in6p, struct mbuf *m, struct mbuf **mp)
1559 {
1560 struct mbuf **np;
1561 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
1562 int v4only = 0;
1563
1564 *mp = NULL;
1565 np = ip6_savecontrol_v4(in6p, m, mp, &v4only);
1566 if (np == NULL)
1567 goto no_mbufs;
1568
1569 mp = np;
1570 if (v4only)
1571 return(0);
1572
1573 if ((in6p->inp_flags & IN6P_TCLASS) != 0) {
1574 u_int32_t flowinfo;
1575 int tclass;
1576
1577 flowinfo = (u_int32_t)ntohl(ip6->ip6_flow & IPV6_FLOWINFO_MASK);
1578 flowinfo >>= 20;
1579
1580 tclass = flowinfo & 0xff;
1581 mp = sbcreatecontrol_mbuf((caddr_t) &tclass, sizeof(tclass),
1582 IPV6_TCLASS, IPPROTO_IPV6, mp);
1583 if (*mp == NULL)
1584 goto no_mbufs;
1585 }
1586
1587 /*
1588 * IPV6_HOPOPTS socket option. Recall that we required super-user
1589 * privilege for the option (see ip6_ctloutput), but it might be too
1590 * strict, since there might be some hop-by-hop options which can be
1591 * returned to normal user.
1592 * See also RFC 2292 section 6 (or RFC 3542 section 8).
1593 */
1594 if ((in6p->inp_flags & IN6P_HOPOPTS) != 0) {
1595 /*
1596 * Check if a hop-by-hop options header is contatined in the
1597 * received packet, and if so, store the options as ancillary
1598 * data. Note that a hop-by-hop options header must be
1599 * just after the IPv6 header, which is assured through the
1600 * IPv6 input processing.
1601 */
1602 ip6 = mtod(m, struct ip6_hdr *);
1603 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) {
1604 struct ip6_hbh *hbh;
1605 int hbhlen = 0;
1606 #if PULLDOWN_TEST
1607 struct mbuf *ext;
1608 #endif
1609
1610 #ifndef PULLDOWN_TEST
1611 hbh = (struct ip6_hbh *)(ip6 + 1);
1612 hbhlen = (hbh->ip6h_len + 1) << 3;
1613 #else
1614 ext = ip6_pullexthdr(m, sizeof(struct ip6_hdr),
1615 ip6->ip6_nxt);
1616 if (ext == NULL) {
1617 ip6stat.ip6s_tooshort++;
1618 return(0);
1619 }
1620 hbh = mtod(ext, struct ip6_hbh *);
1621 hbhlen = (hbh->ip6h_len + 1) << 3;
1622 if (hbhlen != ext->m_len) {
1623 m_freem(ext);
1624 ip6stat.ip6s_tooshort++;
1625 return(0);
1626 }
1627 #endif
1628
1629 /*
1630 * XXX: We copy the whole header even if a
1631 * jumbo payload option is included, the option which
1632 * is to be removed before returning according to
1633 * RFC2292.
1634 * Note: this constraint is removed in RFC3542
1635 */
1636 mp = sbcreatecontrol_mbuf((caddr_t)hbh, hbhlen,
1637 IS2292(in6p, IPV6_2292HOPOPTS, IPV6_HOPOPTS),
1638 IPPROTO_IPV6, mp);
1639
1640 #if PULLDOWN_TEST
1641 m_freem(ext);
1642 #endif
1643 if (*mp == NULL) {
1644 goto no_mbufs;
1645 }
1646 }
1647 }
1648
1649 if ((in6p->inp_flags & (IN6P_RTHDR | IN6P_DSTOPTS)) != 0) {
1650 int nxt = ip6->ip6_nxt, off = sizeof(struct ip6_hdr);
1651
1652 /*
1653 * Search for destination options headers or routing
1654 * header(s) through the header chain, and stores each
1655 * header as ancillary data.
1656 * Note that the order of the headers remains in
1657 * the chain of ancillary data.
1658 */
1659 while (1) { /* is explicit loop prevention necessary? */
1660 struct ip6_ext *ip6e = NULL;
1661 int elen;
1662 #if PULLDOWN_TEST
1663 struct mbuf *ext = NULL;
1664 #endif
1665
1666 /*
1667 * if it is not an extension header, don't try to
1668 * pull it from the chain.
1669 */
1670 switch (nxt) {
1671 case IPPROTO_DSTOPTS:
1672 case IPPROTO_ROUTING:
1673 case IPPROTO_HOPOPTS:
1674 case IPPROTO_AH: /* is it possible? */
1675 break;
1676 default:
1677 goto loopend;
1678 }
1679
1680 #ifndef PULLDOWN_TEST
1681 if (off + sizeof(*ip6e) > m->m_len)
1682 goto loopend;
1683 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + off);
1684 if (nxt == IPPROTO_AH)
1685 elen = (ip6e->ip6e_len + 2) << 2;
1686 else
1687 elen = (ip6e->ip6e_len + 1) << 3;
1688 if (off + elen > m->m_len)
1689 goto loopend;
1690 #else
1691 ext = ip6_pullexthdr(m, off, nxt);
1692 if (ext == NULL) {
1693 ip6stat.ip6s_tooshort++;
1694 return(0);
1695 }
1696 ip6e = mtod(ext, struct ip6_ext *);
1697 if (nxt == IPPROTO_AH)
1698 elen = (ip6e->ip6e_len + 2) << 2;
1699 else
1700 elen = (ip6e->ip6e_len + 1) << 3;
1701 if (elen != ext->m_len) {
1702 m_freem(ext);
1703 ip6stat.ip6s_tooshort++;
1704 return(0);
1705 }
1706 #endif
1707
1708 switch (nxt) {
1709 case IPPROTO_DSTOPTS:
1710 if (!(in6p->inp_flags & IN6P_DSTOPTS))
1711 break;
1712
1713 mp = sbcreatecontrol_mbuf((caddr_t)ip6e, elen,
1714 IS2292(in6p,
1715 IPV6_2292DSTOPTS, IPV6_DSTOPTS),
1716 IPPROTO_IPV6, mp);
1717 if (*mp == NULL) {
1718 #if PULLDOWN_TEST
1719 m_freem(ext);
1720 #endif
1721 goto no_mbufs;
1722 }
1723 break;
1724 case IPPROTO_ROUTING:
1725 if (!in6p->inp_flags & IN6P_RTHDR)
1726 break;
1727
1728 mp = sbcreatecontrol_mbuf((caddr_t)ip6e, elen,
1729 IS2292(in6p, IPV6_2292RTHDR, IPV6_RTHDR),
1730 IPPROTO_IPV6, mp);
1731 if (*mp == NULL) {
1732 #if PULLDOWN_TEST
1733 m_freem(ext);
1734 #endif
1735 goto no_mbufs;
1736 }
1737 break;
1738 case IPPROTO_HOPOPTS:
1739 case IPPROTO_AH: /* is it possible? */
1740 break;
1741
1742 default:
1743 /*
1744 * other cases have been filtered in the above.
1745 * none will visit this case. here we supply
1746 * the code just in case (nxt overwritten or
1747 * other cases).
1748 */
1749 #if PULLDOWN_TEST
1750 m_freem(ext);
1751 #endif
1752 goto loopend;
1753
1754 }
1755
1756 /* proceed with the next header. */
1757 off += elen;
1758 nxt = ip6e->ip6e_nxt;
1759 ip6e = NULL;
1760 #if PULLDOWN_TEST
1761 m_freem(ext);
1762 ext = NULL;
1763 #endif
1764 }
1765 loopend:
1766 ;
1767 }
1768 return(0);
1769 no_mbufs:
1770 ip6stat.ip6s_pktdropcntrl++;
1771 /* XXX increment a stat to show the failure */
1772 return(ENOBUFS);
1773 }
1774 #undef IS2292
1775
1776 void
1777 ip6_notify_pmtu(struct inpcb *in6p, struct sockaddr_in6 *dst, u_int32_t *mtu)
1778 {
1779 struct socket *so;
1780 struct mbuf *m_mtu;
1781 struct ip6_mtuinfo mtuctl;
1782
1783 so = in6p->inp_socket;
1784
1785 if (mtu == NULL)
1786 return;
1787
1788 #ifdef DIAGNOSTIC
1789 if (so == NULL) /* I believe this is impossible */
1790 panic("ip6_notify_pmtu: socket is NULL");
1791 #endif
1792
1793 bzero(&mtuctl, sizeof(mtuctl)); /* zero-clear for safety */
1794 mtuctl.ip6m_mtu = *mtu;
1795 mtuctl.ip6m_addr = *dst;
1796 if (sa6_recoverscope(&mtuctl.ip6m_addr, TRUE))
1797 return;
1798
1799 if ((m_mtu = sbcreatecontrol((caddr_t)&mtuctl, sizeof(mtuctl),
1800 IPV6_PATHMTU, IPPROTO_IPV6)) == NULL)
1801 return;
1802
1803 if (sbappendaddr(&so->so_rcv, (struct sockaddr *)dst, NULL, m_mtu, NULL)
1804 == 0) {
1805 m_freem(m_mtu);
1806 /* XXX: should count statistics */
1807 } else
1808 sorwakeup(so);
1809
1810 return;
1811 }
1812
1813 #if PULLDOWN_TEST
1814 /*
1815 * pull single extension header from mbuf chain. returns single mbuf that
1816 * contains the result, or NULL on error.
1817 */
1818 static struct mbuf *
1819 ip6_pullexthdr(m, off, nxt)
1820 struct mbuf *m;
1821 size_t off;
1822 int nxt;
1823 {
1824 struct ip6_ext ip6e;
1825 size_t elen;
1826 struct mbuf *n;
1827
1828 #if DIAGNOSTIC
1829 switch (nxt) {
1830 case IPPROTO_DSTOPTS:
1831 case IPPROTO_ROUTING:
1832 case IPPROTO_HOPOPTS:
1833 case IPPROTO_AH: /* is it possible? */
1834 break;
1835 default:
1836 printf("ip6_pullexthdr: invalid nxt=%d\n", nxt);
1837 }
1838 #endif
1839
1840 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1841 if (nxt == IPPROTO_AH)
1842 elen = (ip6e.ip6e_len + 2) << 2;
1843 else
1844 elen = (ip6e.ip6e_len + 1) << 3;
1845
1846 MGET(n, M_DONTWAIT, MT_DATA);
1847 if (n && elen >= MLEN) {
1848 MCLGET(n, M_DONTWAIT);
1849 if ((n->m_flags & M_EXT) == 0) {
1850 m_free(n);
1851 n = NULL;
1852 }
1853 }
1854 if (!n)
1855 return NULL;
1856
1857 n->m_len = 0;
1858 if (elen >= M_TRAILINGSPACE(n)) {
1859 m_free(n);
1860 return NULL;
1861 }
1862
1863 m_copydata(m, off, elen, mtod(n, caddr_t));
1864 n->m_len = elen;
1865 return n;
1866 }
1867 #endif
1868
1869 /*
1870 * Get pointer to the previous header followed by the header
1871 * currently processed.
1872 * XXX: This function supposes that
1873 * M includes all headers,
1874 * the next header field and the header length field of each header
1875 * are valid, and
1876 * the sum of each header length equals to OFF.
1877 * Because of these assumptions, this function must be called very
1878 * carefully. Moreover, it will not be used in the near future when
1879 * we develop `neater' mechanism to process extension headers.
1880 */
1881 char *
1882 ip6_get_prevhdr(m, off)
1883 struct mbuf *m;
1884 int off;
1885 {
1886 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
1887
1888 if (off == sizeof(struct ip6_hdr))
1889 return((char *) &ip6->ip6_nxt);
1890 else {
1891 int len, nxt;
1892 struct ip6_ext *ip6e = NULL;
1893
1894 nxt = ip6->ip6_nxt;
1895 len = sizeof(struct ip6_hdr);
1896 while (len < off) {
1897 ip6e = (struct ip6_ext *)(mtod(m, caddr_t) + len);
1898
1899 switch (nxt) {
1900 case IPPROTO_FRAGMENT:
1901 len += sizeof(struct ip6_frag);
1902 break;
1903 case IPPROTO_AH:
1904 len += (ip6e->ip6e_len + 2) << 2;
1905 break;
1906 default:
1907 len += (ip6e->ip6e_len + 1) << 3;
1908 break;
1909 }
1910 nxt = ip6e->ip6e_nxt;
1911 }
1912 if (ip6e)
1913 return((char *) &ip6e->ip6e_nxt);
1914 else
1915 return NULL;
1916 }
1917 }
1918
1919 /*
1920 * get next header offset. m will be retained.
1921 */
1922 int
1923 ip6_nexthdr(m, off, proto, nxtp)
1924 struct mbuf *m;
1925 int off;
1926 int proto;
1927 int *nxtp;
1928 {
1929 struct ip6_hdr ip6;
1930 struct ip6_ext ip6e;
1931 struct ip6_frag fh;
1932
1933 /* just in case */
1934 if (m == NULL)
1935 panic("ip6_nexthdr: m == NULL");
1936 if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off)
1937 return -1;
1938
1939 switch (proto) {
1940 case IPPROTO_IPV6:
1941 if (m->m_pkthdr.len < off + sizeof(ip6))
1942 return -1;
1943 m_copydata(m, off, sizeof(ip6), (caddr_t)&ip6);
1944 if (nxtp)
1945 *nxtp = ip6.ip6_nxt;
1946 off += sizeof(ip6);
1947 return off;
1948
1949 case IPPROTO_FRAGMENT:
1950 /*
1951 * terminate parsing if it is not the first fragment,
1952 * it does not make sense to parse through it.
1953 */
1954 if (m->m_pkthdr.len < off + sizeof(fh))
1955 return -1;
1956 m_copydata(m, off, sizeof(fh), (caddr_t)&fh);
1957 /* IP6F_OFF_MASK = 0xfff8(BigEndian), 0xf8ff(LittleEndian) */
1958 if (fh.ip6f_offlg & IP6F_OFF_MASK)
1959 return -1;
1960 if (nxtp)
1961 *nxtp = fh.ip6f_nxt;
1962 off += sizeof(struct ip6_frag);
1963 return off;
1964
1965 case IPPROTO_AH:
1966 if (m->m_pkthdr.len < off + sizeof(ip6e))
1967 return -1;
1968 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1969 if (nxtp)
1970 *nxtp = ip6e.ip6e_nxt;
1971 off += (ip6e.ip6e_len + 2) << 2;
1972 return off;
1973
1974 case IPPROTO_HOPOPTS:
1975 case IPPROTO_ROUTING:
1976 case IPPROTO_DSTOPTS:
1977 if (m->m_pkthdr.len < off + sizeof(ip6e))
1978 return -1;
1979 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1980 if (nxtp)
1981 *nxtp = ip6e.ip6e_nxt;
1982 off += (ip6e.ip6e_len + 1) << 3;
1983 return off;
1984
1985 case IPPROTO_NONE:
1986 case IPPROTO_ESP:
1987 case IPPROTO_IPCOMP:
1988 /* give up */
1989 return -1;
1990
1991 default:
1992 return -1;
1993 }
1994
1995 return -1;
1996 }
1997
1998 /*
1999 * get offset for the last header in the chain. m will be kept untainted.
2000 */
2001 int
2002 ip6_lasthdr(m, off, proto, nxtp)
2003 struct mbuf *m;
2004 int off;
2005 int proto;
2006 int *nxtp;
2007 {
2008 int newoff;
2009 int nxt;
2010
2011 if (!nxtp) {
2012 nxt = -1;
2013 nxtp = &nxt;
2014 }
2015 while (1) {
2016 newoff = ip6_nexthdr(m, off, proto, nxtp);
2017 if (newoff < 0)
2018 return off;
2019 else if (newoff < off)
2020 return -1; /* invalid */
2021 else if (newoff == off)
2022 return newoff;
2023
2024 off = newoff;
2025 proto = *nxtp;
2026 }
2027 }
2028
2029 struct ip6aux *
2030 ip6_addaux(struct mbuf *m)
2031 {
2032 struct m_tag *tag;
2033
2034 /* Check if one is already allocated */
2035 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID,
2036 KERNEL_TAG_TYPE_INET6, NULL);
2037 if (tag == NULL) {
2038 /* Allocate a tag */
2039 tag = m_tag_create(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_INET6,
2040 sizeof (struct ip6aux), M_DONTWAIT, m);
2041
2042 /* Attach it to the mbuf */
2043 if (tag) {
2044 m_tag_prepend(m, tag);
2045 }
2046 }
2047
2048 return (tag ? (struct ip6aux *)(tag + 1) : NULL);
2049 }
2050
2051 struct ip6aux *
2052 ip6_findaux(struct mbuf *m)
2053 {
2054 struct m_tag *tag;
2055
2056 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID,
2057 KERNEL_TAG_TYPE_INET6, NULL);
2058
2059 return (tag ? (struct ip6aux *)(tag + 1) : NULL);
2060 }
2061
2062 void
2063 ip6_delaux(struct mbuf *m)
2064 {
2065 struct m_tag *tag;
2066
2067 tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID,
2068 KERNEL_TAG_TYPE_INET6, NULL);
2069 if (tag) {
2070 m_tag_delete(m, tag);
2071 }
2072 }
2073
2074 /*
2075 * Called by m_tag_free().
2076 */
2077 void
2078 ip6_destroyaux(struct ip6aux *n)
2079 {
2080 if (n->ip6a_dstia6 != NULL) {
2081 IFA_REMREF(&n->ip6a_dstia6->ia_ifa);
2082 n->ip6a_dstia6 = NULL;
2083 }
2084 }
2085
2086 /*
2087 * Called by m_tag_copy()
2088 */
2089 void
2090 ip6_copyaux(struct ip6aux *src, struct ip6aux *dst)
2091 {
2092 bcopy(src, dst, sizeof (*dst));
2093 if (dst->ip6a_dstia6 != NULL)
2094 IFA_ADDREF(&dst->ip6a_dstia6->ia_ifa);
2095 }
2096
2097 /*
2098 * System control for IP6
2099 */
2100
2101 u_char inet6ctlerrmap[PRC_NCMDS] = {
2102 0, 0, 0, 0,
2103 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH,
2104 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED,
2105 EMSGSIZE, EHOSTUNREACH, 0, 0,
2106 0, 0, 0, 0,
2107 ENOPROTOOPT
2108 };
mirror of XNU