version 1.22.2.5, 2002/02/26 20:14:36 |
version 1.26, 2000/08/26 11:03:46 |
|
|
#include <netinet6/ip6_fw.h> |
#include <netinet6/ip6_fw.h> |
#endif |
#endif |
|
|
#ifdef IPSEC |
|
#include <netinet6/ipsec.h> |
|
#endif |
|
|
|
#include <netinet6/ip6protosw.h> |
#include <netinet6/ip6protosw.h> |
|
|
/* we need it for NLOOP. */ |
/* we need it for NLOOP. */ |
|
|
* in the list may have previously cleared it. |
* in the list may have previously cleared it. |
*/ |
*/ |
m0 = m; |
m0 = m; |
#ifdef IPSEC |
pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh); |
if (ipsec_gethist(m, NULL)) |
|
pfh = NULL; |
|
else |
|
pfh = pfil_hook_get(PFIL_IN, |
|
&inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh); |
|
#else |
|
pfh = pfil_hook_get(PFIL_IN, &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh); |
|
#endif |
|
for (; pfh; pfh = pfh->pfil_link.tqe_next) |
for (; pfh; pfh = pfh->pfil_link.tqe_next) |
if (pfh->pfil_func) { |
if (pfh->pfil_func) { |
rv = pfh->pfil_func(ip6, sizeof(*ip6), |
rv = pfh->pfil_func(ip6, sizeof(*ip6), |
|
|
(ip6_forward_rt.ro_rt->rt_flags & RTF_UP) != 0 && |
(ip6_forward_rt.ro_rt->rt_flags & RTF_UP) != 0 && |
IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, |
IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, |
&ip6_forward_rt.ro_dst.sin6_addr)) |
&ip6_forward_rt.ro_dst.sin6_addr)) |
; /* cache hit */ |
ip6stat.ip6s_forward_cachehit++; |
else { |
else { |
if (ip6_forward_rt.ro_rt) { |
if (ip6_forward_rt.ro_rt) { |
/* route is down or destination is different */ |
/* route is down or destination is different */ |
|
ip6stat.ip6s_forward_cachemiss++; |
RTFREE(ip6_forward_rt.ro_rt); |
RTFREE(ip6_forward_rt.ro_rt); |
ip6_forward_rt.ro_rt = 0; |
ip6_forward_rt.ro_rt = 0; |
} |
} |
|
|
return; |
return; |
} |
} |
|
|
|
ip6 = mtod(m, struct ip6_hdr *); |
|
|
|
/* |
|
* Malicious party may be able to use IPv4 mapped addr to confuse |
|
* tcp/udp stack and bypass security checks (act as if it was from |
|
* 127.0.0.1 by using IPv6 src ::ffff:127.0.0.1). Be cautious. |
|
* |
|
* For SIIT end node behavior, you may want to disable the check. |
|
* However, you will become vulnerable to attacks using IPv4 mapped |
|
* source. |
|
*/ |
|
if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || |
|
IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) { |
|
ip6stat.ip6s_badscope++; |
|
in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); |
|
goto bad; |
|
} |
|
|
/* |
/* |
* Tell launch routine the next header |
* Tell launch routine the next header |
*/ |
*/ |
|
|
goto bad; |
goto bad; |
} |
} |
|
|
#ifdef IPSEC |
|
/* |
|
* enforce IPsec policy checking if we are seeing last header. |
|
* note that we do not visit this with protocols with pcb layer |
|
* code - like udp/tcp/raw ip. |
|
*/ |
|
if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && |
|
ipsec6_in_reject(m, NULL)) { |
|
ipsec6stat.in_polvio++; |
|
goto bad; |
|
} |
|
#endif |
|
|
|
nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt); |
nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt); |
} |
} |
return; |
return; |
Line 1359 u_char inet6ctlerrmap[PRC_NCMDS] = { |
|
Line 1353 u_char inet6ctlerrmap[PRC_NCMDS] = { |
|
ENOPROTOOPT |
ENOPROTOOPT |
}; |
}; |
|
|
#include <vm/vm.h> |
#include <uvm/uvm_extern.h> |
#include <sys/sysctl.h> |
#include <sys/sysctl.h> |
|
|
int |
int |
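Review bot: The revision that carries `pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh);` fetches the inbound filter hooks through the IPv4 protocol switch (`inetsw`/`ip_protox`) from the IPv6 input path, where the other revision uses `inet6sw[ip6_protox[IPPROTO_IPV6]]`; if no IPv6 hooks are registered on that IPv4 entry, IPv6 packets would pass without being filtered. Judging from the column layout (the +/- markers are lost, so this is inferred), that same revision also lacks the `IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) || IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)` rejection and the `ipsec6_in_reject(m, NULL)` check made before the `PR_LASTHDR` dispatch to `pr_input`. Confirm both guards are present in the revision you deploy before relying on loopback-source or IPsec-policy checks in the upper layers. In the revision that has the `ipsec_gethist(m, NULL)` branch, setting `pfh = NULL` makes packets with IPsec history skip every pfil hook; a comment such as `/* packets already processed by IPsec are not passed to the pfil hooks */` above that branch would make the bypass explicit. The enclosing function starts and ends outside the visible hunks.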