xnu-792.18.15.tar.gz

[apple/xnu.git] / bsd / netinet6 / raw_ip6.c

diff --git a/bsd/netinet6/raw_ip6.c b/bsd/netinet6/raw_ip6.c
index f49d75e9266192335deb69717ba7c6d95e087be3..7e3094d304be77a3ca5ff4daa568abdc9d10f7dd 100644 (file)
--- a/bsd/netinet6/raw_ip6.c
+++ b/bsd/netinet6/raw_ip6.c
@@ -92,11 +92,13 @@
 #include <netinet6/scope6_var.h>
 #endif
 #include <netinet6/raw_ip6.h>
+#include <netinet6/ip6_fw.h>
 
 #if IPSEC
 #include <netinet6/ipsec.h>
 #include <netinet6/ipsec6.h>
 extern int ipsec_bypass;
+extern lck_mtx_t *sadb_mutex;
 #endif /*IPSEC*/
 
 
@@ -116,6 +118,7 @@ extern struct       inpcbhead ripcb;
 extern struct  inpcbinfo ripcbinfo;
 extern u_long  rip_sendspace;
 extern u_long  rip_recvspace;
+extern u_long  route_generation;
 
 struct rip6stat rip6stat;
 
@@ -125,9 +128,9 @@ struct rip6stat rip6stat;
  * mbuf chain.
  */
 int
-rip6_input(mp, offp)
-       struct  mbuf **mp;
-       int     *offp;
+rip6_input(
+       struct  mbuf **mp,
+       int     *offp)
 {
        struct mbuf *m = *mp;
        register struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
@@ -149,6 +152,7 @@ rip6_input(mp, offp)
 
        init_sin6(&rip6src, m); /* general init */
 
+       lck_rw_lock_shared(ripcbinfo.mtx);
        LIST_FOREACH(in6p, &ripcb, inp_list) {
                if ((in6p->in6p_vflag & INP_IPV6) == 0)
                        continue;
@@ -176,10 +180,14 @@ rip6_input(mp, offp)
                        /*
                         * Check AH/ESP integrity.
                         */
-                       if (ipsec_bypass == 0 && n && ipsec6_in_reject_so(n, last->inp_socket)) {
-                               m_freem(n);
-                               ipsec6stat.in_polvio++;
-                               /* do not inject data into pcb */
+                       if (ipsec_bypass == 0 && n) {
+                               lck_mtx_lock(sadb_mutex);
+                               if (ipsec6_in_reject_so(n, last->inp_socket)) {
+                                       m_freem(n);
+                                       ipsec6stat.in_polvio++;
+                                       /* do not inject data into pcb */
+                               }
+                               lck_mtx_unlock(sadb_mutex);
                        } else
 #endif /*IPSEC*/
                        if (n) {
@@ -190,10 +198,7 @@ rip6_input(mp, offp)
                                m_adj(n, *offp);
                                if (sbappendaddr(&last->in6p_socket->so_rcv,
                                                (struct sockaddr *)&rip6src,
-                                                n, opts) == 0) {
-                                       m_freem(n);
-                                       if (opts)
-                                               m_freem(opts);
+                                                n, opts, NULL) == 0) {
                                        rip6stat.rip6s_fullsock++;
                                } else
                                        sorwakeup(last->in6p_socket);
@@ -202,15 +207,20 @@ rip6_input(mp, offp)
                }
                last = in6p;
        }
+       lck_rw_done(ripcbinfo.mtx);
 #if IPSEC
        /*
         * Check AH/ESP integrity.
         */
-       if (ipsec_bypass == 0 && last && ipsec6_in_reject_so(m, last->inp_socket)) {
-               m_freem(m);
-               ipsec6stat.in_polvio++;
-               ip6stat.ip6s_delivered--;
-               /* do not inject data into pcb */
+       if (ipsec_bypass == 0 && last) {
+               lck_mtx_lock(sadb_mutex);
+               if  (ipsec6_in_reject_so(m, last->inp_socket)) {
+                       m_freem(m);
+                       ipsec6stat.in_polvio++;
+                       ip6stat.ip6s_delivered--;
+                       /* do not inject data into pcb */
+               }
+               lck_mtx_unlock(sadb_mutex);
        } else
 #endif /*IPSEC*/
        if (last) {
@@ -220,10 +230,7 @@ rip6_input(mp, offp)
                /* strip intermediate headers */
                m_adj(m, *offp);
                if (sbappendaddr(&last->in6p_socket->so_rcv,
-                               (struct sockaddr *)&rip6src, m, opts) == 0) {
-                       m_freem(m);
-                       if (opts)
-                               m_freem(opts);
+                               (struct sockaddr *)&rip6src, m, opts, NULL) == 0) {
                        rip6stat.rip6s_fullsock++;
                } else
                        sorwakeup(last->in6p_socket);
@@ -245,17 +252,17 @@ rip6_input(mp, offp)
 }
 
 void
-rip6_ctlinput(cmd, sa, d)
-       int cmd;
-       struct sockaddr *sa;
-       void *d;
+rip6_ctlinput(
+       int cmd,
+       struct sockaddr *sa,
+       void *d)
 {
        struct ip6_hdr *ip6;
        struct mbuf *m;
        int off = 0;
        struct ip6ctlparam *ip6cp = NULL;
        const struct sockaddr_in6 *sa6_src = NULL;
-       void (*notify) __P((struct inpcb *, int)) = in6_rtchange;
+       void (*notify)(struct inpcb *, int) = in6_rtchange;
 
        if (sa->sa_family != AF_INET6 ||
            sa->sa_len != sizeof(struct sockaddr_in6))
@@ -283,7 +290,7 @@ rip6_ctlinput(cmd, sa, d)
                sa6_src = &sa6_any;
        }
 
-       (void) in6_pcbnotify(&ripcb, sa, 0, (struct sockaddr *)sa6_src,
+       (void) in6_pcbnotify(&ripcbinfo, sa, 0, (struct sockaddr *)sa6_src,
                             0, cmd, notify);
 }
 
@@ -292,11 +299,11 @@ rip6_ctlinput(cmd, sa, d)
  * Tack on options user may have setup with control call.
  */
 int
-rip6_output(m, so, dstsock, control)
-       register struct mbuf *m;
-       struct socket *so;
-       struct sockaddr_in6 *dstsock;
-       struct mbuf *control;
+rip6_output(
+       register struct mbuf *m,
+       struct socket *so,
+       struct sockaddr_in6 *dstsock,
+       struct mbuf *control)
 {
        struct in6_addr *dst;
        struct ip6_hdr *ip6;
@@ -383,12 +390,13 @@ rip6_output(m, so, dstsock, control)
         */
        {
                struct in6_addr *in6a;
+               struct in6_addr storage;
 
                if ((in6a = in6_selectsrc(dstsock, optp,
                                          in6p->in6p_moptions,
                                          &in6p->in6p_route,
                                          &in6p->in6p_laddr,
-                                         &error)) == 0) {
+                                         &storage, &error)) == 0) {
                        if (error == 0)
                                error = EADDRNOTAVAIL;
                        goto bad;
@@ -441,8 +449,13 @@ rip6_output(m, so, dstsock, control)
        }
 #endif /*IPSEC*/
 
+       if (in6p->in6p_route.ro_rt && in6p->in6p_route.ro_rt->generation_id != route_generation) {
+               rtfree(in6p->in6p_route.ro_rt);
+               in6p->in6p_route.ro_rt = (struct rtentry *)0;
+       }
+
        error = ip6_output(m, optp, &in6p->in6p_route, 0,
-                          in6p->in6p_moptions, &oifp);
+                          in6p->in6p_moptions, &oifp, 0);
        if (so->so_proto->pr_protocol == IPPROTO_ICMPV6) {
                if (oifp)
                        icmp6_ifoutstat_inc(oifp, type, code);
@@ -467,13 +480,19 @@ rip6_output(m, so, dstsock, control)
        return(error);
 }
 
+static void
+load_ip6fw()
+{
+       ip6_fw_init();
+}
+
 /*
  * Raw IPv6 socket option processing.
  */
 int
-rip6_ctloutput(so, sopt)
-       struct socket *so;
-       struct sockopt *sopt;
+rip6_ctloutput(
+       struct socket *so,
+       struct sockopt *sopt)
 {
        int error;
 
@@ -491,6 +510,16 @@ rip6_ctloutput(so, sopt)
        switch (sopt->sopt_dir) {
        case SOPT_GET:
                switch (sopt->sopt_name) {
+               case IPV6_FW_ADD:
+               case IPV6_FW_GET:
+                       if (ip6_fw_ctl_ptr == 0)
+                               load_ip6fw();
+                       if (ip6_fw_ctl_ptr)
+                               error = ip6_fw_ctl_ptr(sopt);
+                       else
+                               error = ENOPROTOOPT;
+                       break;
+
                case MRT6_INIT:
                case MRT6_DONE:
                case MRT6_ADD_MIF:
@@ -508,6 +537,18 @@ rip6_ctloutput(so, sopt)
 
        case SOPT_SET:
                switch (sopt->sopt_name) {
+               case IPV6_FW_ADD:
+               case IPV6_FW_DEL:
+               case IPV6_FW_FLUSH:
+               case IPV6_FW_ZERO:
+                       if (ip6_fw_ctl_ptr == 0)
+                               load_ip6fw();
+                       if (ip6_fw_ctl_ptr)
+                               error = ip6_fw_ctl_ptr(sopt);
+                       else
+                               error = ENOPROTOOPT;
+                       break;
+
                case MRT6_INIT:
                case MRT6_DONE:
                case MRT6_ADD_MIF:
@@ -536,7 +577,7 @@ rip6_attach(struct socket *so, int proto, struct proc *p)
        inp = sotoinpcb(so);
        if (inp)
                panic("rip6_attach");
-       if (p && (error = suser(p->p_ucred, &p->p_acflag)) != 0)
+       if (p && (error = proc_suser(p)) != 0)
                return error;
 
        error = soreserve(so, rip_sendspace, rip_recvspace);
@@ -553,7 +594,9 @@ rip6_attach(struct socket *so, int proto, struct proc *p)
        inp->in6p_hops = -1;    /* use kernel default */
        inp->in6p_cksum = -1;
        MALLOC(inp->in6p_icmp6filt, struct icmp6_filter *,
-              sizeof(struct icmp6_filter), M_PCB, M_NOWAIT);
+              sizeof(struct icmp6_filter), M_PCB, M_WAITOK);
+       if (inp->in6p_icmp6filt == NULL)
+               return (ENOMEM);
        ICMP6_FILTER_SETPASSALL(inp->in6p_icmp6filt);
        return 0;
 }
@@ -605,7 +648,7 @@ rip6_bind(struct socket *so, struct sockaddr *nam, struct proc *p)
        if (nam->sa_len != sizeof(*addr))
                return EINVAL;
 
-       if (TAILQ_EMPTY(&ifnet) || addr->sin6_family != AF_INET6)
+       if (TAILQ_EMPTY(&ifnet_head) || addr->sin6_family != AF_INET6)
                return EADDRNOTAVAIL;
 #if ENABLE_DEFAULT_SCOPE
        if (addr->sin6_scope_id == 0) { /* not change if specified  */
@@ -619,8 +662,10 @@ rip6_bind(struct socket *so, struct sockaddr *nam, struct proc *p)
            ((struct in6_ifaddr *)ia)->ia6_flags &
            (IN6_IFF_ANYCAST|IN6_IFF_NOTREADY|
             IN6_IFF_DETACHED|IN6_IFF_DEPRECATED)) {
+           if (ia) ifafree(ia);
                return(EADDRNOTAVAIL);
        }
+       ifafree(ia);
        inp->in6p_laddr = addr->sin6_addr;
        return 0;
 }
@@ -631,6 +676,7 @@ rip6_connect(struct socket *so, struct sockaddr *nam, struct proc *p)
        struct inpcb *inp = sotoinpcb(so);
        struct sockaddr_in6 *addr = (struct sockaddr_in6 *)nam;
        struct in6_addr *in6a = NULL;
+       struct in6_addr storage;
        int error = 0;
 #if ENABLE_DEFAULT_SCOPE
        struct sockaddr_in6 tmp;
@@ -638,7 +684,7 @@ rip6_connect(struct socket *so, struct sockaddr *nam, struct proc *p)
 
        if (nam->sa_len != sizeof(*addr))
                return EINVAL;
-       if (TAILQ_EMPTY(&ifnet))
+       if (TAILQ_EMPTY(&ifnet_head))
                return EADDRNOTAVAIL;
        if (addr->sin6_family != AF_INET6)
                return EAFNOSUPPORT;
@@ -653,7 +699,7 @@ rip6_connect(struct socket *so, struct sockaddr *nam, struct proc *p)
        /* Source address selection. XXX: need pcblookup? */
        in6a = in6_selectsrc(addr, inp->in6p_outputopts,
                             inp->in6p_moptions, &inp->in6p_route,
-                            &inp->in6p_laddr, &error);
+                            &inp->in6p_laddr, &storage, &error);
        if (in6a == NULL)
                return (error ? error : EADDRNOTAVAIL);
        inp->in6p_laddr = *in6a;
@@ -711,5 +757,5 @@ struct pr_usrreqs rip6_usrreqs = {
        pru_connect2_notsupp, in6_control, rip6_detach, rip6_disconnect,
        pru_listen_notsupp, in6_setpeeraddr, pru_rcvd_notsupp,
        pru_rcvoob_notsupp, rip6_send, pru_sense_null, rip6_shutdown,
-       in6_setsockaddr, sosend, soreceive, sopoll
+       in6_setsockaddr, sosend, soreceive, pru_sopoll_notsupp
 };