Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. =================================================================== RCS file: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v rcsdiff: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v: warning: Unknown phrases like `commitid ...;' are present. retrieving revision 1.132.2.4 retrieving revision 1.134 diff -u -p -r1.132.2.4 -r1.134 --- src/sys/netinet6/ip6_input.c 2014/05/22 11:41:10 1.132.2.4 +++ src/sys/netinet6/ip6_input.c 2011/12/19 11:59:58 1.134 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_input.c,v 1.132.2.4 2014/05/22 11:41:10 yamt Exp $ */ +/* $NetBSD: ip6_input.c,v 1.134 2011/12/19 11:59:58 drochner Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -62,12 +62,13 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.132.2.4 2014/05/22 11:41:10 yamt Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.134 2011/12/19 11:59:58 drochner Exp $"); #include "opt_gateway.h" #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h" +#include "opt_pfil_hooks.h" #include "opt_compat_netbsd.h" #include @@ -91,7 +92,9 @@ __KERNEL_RCSID(0, "$NetBSD: ip6_input.c, #include #include #include +#ifdef PFIL_HOOKS #include +#endif #include #include @@ -100,7 +103,6 @@ __KERNEL_RCSID(0, "$NetBSD: ip6_input.c, #include #endif /* INET */ #include -#include #include #include #include @@ -110,11 +112,16 @@ __KERNEL_RCSID(0, "$NetBSD: ip6_input.c, #include #include -#ifdef IPSEC +#ifdef KAME_IPSEC +#include +#include +#endif + +#ifdef FAST_IPSEC #include #include #include -#endif /* IPSEC */ +#endif /* FAST_IPSEC */ #ifdef COMPAT_50 #include @@ -145,15 +152,16 @@ int ip6_forward_srcrt; /* XXX */ int ip6_sourcecheck; /* XXX */ int ip6_sourcecheck_interval; /* XXX */ -pfil_head_t *inet6_pfil_hook; +#ifdef PFIL_HOOKS +struct pfil_head inet6_pfil_hook; +#endif percpu_t *ip6stat_percpu; static void ip6_init2(void *); static struct m_tag *ip6_setdstifaddr(struct mbuf *, const struct in6_ifaddr *); -static int ip6_process_hopopts(struct mbuf *, u_int8_t *, int, u_int32_t *, - u_int32_t *); +static int ip6_hopopts_input(u_int32_t *, u_int32_t *, struct mbuf **, int *); static struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int); static void sysctl_net_inet6_ip6_setup(struct sysctllog **); @@ -185,13 +193,20 @@ ip6_init(void) frag6_init(); ip6_desync_factor = cprng_fast32() % MAX_TEMP_DESYNC_FACTOR; - ip6_init2(NULL); + ip6_init2((void *)0); #ifdef GATEWAY ip6flow_init(ip6_hashsize); #endif + +#ifdef PFIL_HOOKS /* Register our Packet Filter hook. */ - inet6_pfil_hook = pfil_head_create(PFIL_TYPE_AF, (void *)AF_INET6); - KASSERT(inet6_pfil_hook != NULL); + inet6_pfil_hook.ph_type = PFIL_TYPE_AF; + inet6_pfil_hook.ph_af = AF_INET6; + i = pfil_head_register(&inet6_pfil_hook); + if (i != 0) + printf("ip6_init: WARNING: unable to register pfil hook, " + "error %d\n", i); +#endif /* PFIL_HOOKS */ ip6stat_percpu = percpu_alloc(sizeof(uint64_t) * IP6_NSTATS); } @@ -257,13 +272,22 @@ ip6_input(struct mbuf *m) struct sockaddr dst; struct sockaddr_in6 dst6; } u; -#ifdef IPSEC +#ifdef FAST_IPSEC struct m_tag *mtag; struct tdb_ident *tdbi; struct secpolicy *sp; int s, error; #endif +#ifdef KAME_IPSEC + /* + * should the inner packet be considered authentic? + * see comment in ah4_input(). + */ + m->m_flags &= ~M_AUTHIPHDR; + m->m_flags &= ~M_AUTHIPDGM; +#endif + /* * make sure we don't have onion peering information into m_tag. */ @@ -327,12 +351,18 @@ ip6_input(struct mbuf *m) goto bad; } +#if defined(KAME_IPSEC) + /* IPv6 fast forwarding is not compatible with IPsec. */ + m->m_flags &= ~M_CANFASTFWD; +#else /* * Assume that we can create a fast-forward IP flow entry * based on this packet. */ m->m_flags |= M_CANFASTFWD; +#endif +#ifdef PFIL_HOOKS /* * Run through list of hooks for input packets. If there are any * filters which require that additional packets in the flow are @@ -344,7 +374,9 @@ ip6_input(struct mbuf *m) * let ipfilter look at packet on the wire, * not the decapsulated packet. */ -#if defined(IPSEC) +#ifdef KAME_IPSEC + if (!ipsec_getnhist(m)) +#elif defined(FAST_IPSEC) if (!ipsec_indone(m)) #else if (1) @@ -353,7 +385,7 @@ ip6_input(struct mbuf *m) struct in6_addr odst; odst = ip6->ip6_dst; - if (pfil_run_hooks(inet6_pfil_hook, &m, m->m_pkthdr.rcvif, + if (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN) != 0) return; if (m == NULL) @@ -361,6 +393,7 @@ ip6_input(struct mbuf *m) ip6 = mtod(m, struct ip6_hdr *); srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); } +#endif /* PFIL_HOOKS */ IP6_STATINC(IP6_STAT_NXTHIST + ip6->ip6_nxt); @@ -752,7 +785,19 @@ ip6_input(struct mbuf *m) } } -#ifdef IPSEC +#ifdef KAME_IPSEC + /* + * enforce IPsec policy checking if we are seeing last header. + * note that we do not visit this with protocols with pcb layer + * code - like udp/tcp/raw ip. + */ + if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && + ipsec6_in_reject(m, NULL)) { + IPSEC6_STATINC(IPSEC_STAT_IN_POLVIO); + goto bad; + } +#endif +#ifdef FAST_IPSEC /* * enforce IPsec policy checking if we are seeing last header. * note that we do not visit this with protocols with pcb layer @@ -789,7 +834,7 @@ ip6_input(struct mbuf *m) if (error) goto bad; } -#endif /* IPSEC */ +#endif /* FAST_IPSEC */ nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt); @@ -806,21 +851,17 @@ static struct m_tag * ip6_setdstifaddr(struct mbuf *m, const struct in6_ifaddr *ia) { struct m_tag *mtag; - struct ip6aux *ip6a; mtag = ip6_addaux(m); - if (mtag == NULL) - return NULL; + if (mtag != NULL) { + struct ip6aux *ip6a; - ip6a = (struct ip6aux *)(mtag + 1); - if (in6_setscope(&ip6a->ip6a_src, ia->ia_ifp, &ip6a->ip6a_scope_id)) { - IP6_STATINC(IP6_STAT_BADSCOPE); - return NULL; + ip6a = (struct ip6aux *)(mtag + 1); + in6_setscope(&ip6a->ip6a_src, ia->ia_ifp, &ip6a->ip6a_scope_id); + ip6a->ip6a_src = ia->ia_addr.sin6_addr; + ip6a->ip6a_flags = ia->ia6_flags; } - - ip6a->ip6a_src = ia->ia_addr.sin6_addr; - ip6a->ip6a_flags = ia->ia6_flags; - return mtag; + return mtag; /* NULL if failed to set */ } const struct ip6aux * @@ -841,7 +882,7 @@ ip6_getdstifaddr(struct mbuf *m) * * rtalertp - XXX: should be stored more smart way */ -int +static int ip6_hopopts_input(u_int32_t *plenp, u_int32_t *rtalertp, struct mbuf **mp, int *offp) { @@ -886,7 +927,7 @@ ip6_hopopts_input(u_int32_t *plenp, u_in * (RFC2460 p7), opthead is pointer into data content in m, and opthead to * opthead + hbhlen is located in continuous memory region. */ -static int +int ip6_process_hopopts(struct mbuf *m, u_int8_t *opthead, int hbhlen, u_int32_t *rtalertp, u_int32_t *plenp) { @@ -1657,6 +1698,11 @@ sysctl_net_inet6_ip6_setup(struct sysctl sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT, + CTLTYPE_NODE, "net", NULL, + NULL, 0, NULL, 0, + CTL_NET, CTL_EOL); + sysctl_createv(clog, 0, NULL, NULL, + CTLFLAG_PERMANENT, CTLTYPE_NODE, "inet6", SYSCTL_DESCR("PF_INET6 related settings"), NULL, 0, NULL, 0, @@ -1942,64 +1988,6 @@ sysctl_net_inet6_ip6_setup(struct sysctl CTL_NET, PF_INET6, IPPROTO_IPV6, CTL_CREATE, CTL_EOL); #endif - /* anonportalgo RFC6056 subtree */ - const struct sysctlnode *portalgo_node; - sysctl_createv(clog, 0, NULL, &portalgo_node, - CTLFLAG_PERMANENT, - CTLTYPE_NODE, "anonportalgo", - SYSCTL_DESCR("Anonymous port algorithm selection (RFC 6056)"), - NULL, 0, NULL, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, CTL_CREATE, CTL_EOL); - sysctl_createv(clog, 0, &portalgo_node, NULL, - CTLFLAG_PERMANENT, - CTLTYPE_STRING, "available", - SYSCTL_DESCR("available algorithms"), - sysctl_portalgo_available, 0, NULL, PORTALGO_MAXLEN, - CTL_CREATE, CTL_EOL); - sysctl_createv(clog, 0, &portalgo_node, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_STRING, "selected", - SYSCTL_DESCR("selected algorithm"), - sysctl_portalgo_selected6, 0, NULL, PORTALGO_MAXLEN, - CTL_CREATE, CTL_EOL); - sysctl_createv(clog, 0, &portalgo_node, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_STRUCT, "reserve", - SYSCTL_DESCR("bitmap of reserved ports"), - sysctl_portalgo_reserve6, 0, NULL, 0, - CTL_CREATE, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "neighborgcthresh", - SYSCTL_DESCR("Maximum number of entries in neighbor" - " cache"), - NULL, 1, &ip6_neighborgcthresh, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - CTL_CREATE, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "maxifprefixes", - SYSCTL_DESCR("Maximum number of prefixes created by" - " route advertisement per interface"), - NULL, 1, &ip6_maxifprefixes, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - CTL_CREATE, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "maxifdefrouters", - SYSCTL_DESCR("Maximum number of default routers created" - " by route advertisement per interface"), - NULL, 1, &ip6_maxifdefrouters, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - CTL_CREATE, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "maxdynroutes", - SYSCTL_DESCR("Maximum number of routes created via" - " redirect"), - NULL, 1, &ip6_maxdynroutes, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - CTL_CREATE, CTL_EOL); } void