src/sys/netinet6/ip6_input.c - diff

Return to ip6_input.c CVS log

Up to [cvs.NetBSD.org] / src / sys / netinet6

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.

Diff for /src/sys/netinet6/ip6_input.c between version 1.37 and 1.52.2.1

version 1.37, 2001/03/01 16:31:41

version 1.52.2.1, 2002/05/30 13:52:32

Line 1

/* $NetBSD$ */

/* $KAME: ip6_input.c,v 1.183 2001/03/01 15:15:23 itojun Exp $ */

/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */

Line 65

* @(#)ip_input.c 8.2 (Berkeley) 1/4/94

#include <sys/cdefs.h>

__KERNEL_RCSID(0, "$NetBSD$");

#include "opt_inet.h"

#include "opt_ipsec.h"

#include "opt_pfil_hooks.h"

Line 82

Line 85

#include <sys/kernel.h>

#include <sys/syslog.h>

#include <sys/proc.h>

#include <sys/sysctl.h>

#include <net/if.h>

#include <net/if_types.h>

Line 97

Line 101

#ifdef INET

#include <netinet/ip.h>

#include <netinet/ip_icmp.h>

#endif /*INET*/

#endif /* INET */

#include <netinet/ip6.h>

#include <netinet6/in6_var.h>

#include <netinet6/ip6_var.h>

Line 116

Line 120

/* we need it for NLOOP. */

#include "loop.h"

#include "faith.h"

#include "gif.h"

#include "bpfilter.h"

#if NGIF > 0

#include <netinet6/in6_gif.h>

#endif

#include <net/net_osdep.h>

extern struct domain inet6domain;

Line 153 ip6_init()

Line 160 ip6_init()

{

struct ip6protosw *pr;

int i;

struct timeval tv;

pr = (struct ip6protosw *)pffindproto(PF_INET6, IPPROTO_RAW, SOCK_RAW);

if (pr == 0)

Line 168 ip6_init()

Line 174 ip6_init()

ip6intrq.ifq_maxlen = ip6qmaxlen;

nd6_init();

frag6_init();

ip6_flow_seq = arc4random();

* in many cases, random() here does NOT return random number

* as initialization during bootstrap time occur in fixed order.

microtime(&tv);

ip6_flow_seq = random() ^ tv.tv_usec;

ip6_init2((void *)0);

Line 216 ip6intr()

Line 217 ip6intr()

struct mbuf *m;

for (;;) {

s = splimp();

s = splnet();

IF_DEQUEUE(&ip6intrq, m);

splx(s);

if (m == 0)

Line 243 ip6_input(m)

Line 244 ip6_input(m)

* should the inner packet be considered authentic?

* see comment in ah4_input().

if (m) {

m->m_flags &= ~M_AUTHIPHDR;

m->m_flags &= ~M_AUTHIPDGM;

}

#endif

* mbuf statistics by kazu

* mbuf statistics

if (m->m_flags & M_EXT) {

if (m->m_next)

Line 258 ip6_input(m)

Line 257 ip6_input(m)

else

ip6stat.ip6s_mext1++;

} else {

#define M2MMAX (sizeof(ip6stat.ip6s_m2m)/sizeof(ip6stat.ip6s_m2m[0]))

if (m->m_next) {

if (m->m_flags & M_LOOP) {

ip6stat.ip6s_m2m[loif[0].if_index]++; /*XXX*/

ip6stat.ip6s_m2m[loif[0].if_index]++; /* XXX */

} else if (m->m_pkthdr.rcvif->if_index <= 31)

} else if (m->m_pkthdr.rcvif->if_index < M2MMAX)

ip6stat.ip6s_m2m[m->m_pkthdr.rcvif->if_index]++;

else

ip6stat.ip6s_m2m[0]++;

} else

ip6stat.ip6s_m1++;

#undef M2MMAX

}

in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_receive);

Line 303 ip6_input(m)

Line 304 ip6_input(m)

* Note that filters must _never_ set this flag, as another filter

* in the list may have previously cleared it.

if (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif,

PFIL_IN) != 0)

* let ipfilter look at packet on the wire,

return;

* not the decapsulated packet.

if (m == NULL)

return;

#ifdef IPSEC

ip6 = mtod(m, struct ip6_hdr *);

if (!ipsec_getnhist(m))

#else

if (1)

#endif

{

if (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif,

PFIL_IN) != 0)

return;

if (m == NULL)

return;

ip6 = mtod(m, struct ip6_hdr *);

}

#endif /* PFIL_HOOKS */

ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;

#ifdef ALTQ

/* XXX Temporary until ALTQ is changed to use a pfil hook */

if (altq_input != NULL && (*altq_input)(m, AF_INET6) == 0) {

/* packet is dropped by traffic conditioner */

return;

Line 323 ip6_input(m)

Line 333 ip6_input(m)

#endif

* Scope check

* Check against address spoofing/corruption.

if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) ||

IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) {

Line 332 ip6_input(m)

Line 342 ip6_input(m)

goto bad;

}

* The following check is not documented in the spec. Malicious party

* The following check is not documented in specs. A malicious

* may be able to use IPv4 mapped addr to confuse tcp/udp stack and

* party may be able to use IPv4 mapped addr to confuse tcp/udp stack

* bypass security checks (act as if it was from 127.0.0.1 by using

* and bypass security checks (act as if it was from 127.0.0.1 by using

* IPv6 src ::ffff:127.0.0.1). Be cautious.

* This check chokes if we are in SIIT cloud. As none of BSDs support

* This check chokes if we are in an SIIT cloud. As none of BSDs

* IPv4-less kernel compilation, we cannot support SIIT environment

* support IPv4-less kernel compilation, we cannot support SIIT

* at all. So, it makes more sense for us to reject any malicious

* environment at all. So, it makes more sense for us to reject any

* packets for non-SIIT environment, than try to do a partical support

* malicious packets for non-SIIT environment, than try to do a

* for SIIT environment.

* partial support for SIIT environment.

if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||

IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst)) {

Line 378 ip6_input(m)

Line 388 ip6_input(m)

}

#ifndef FAKE_LOOPBACK_IF

/* drop packets if interface ID portion is already filled */

if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0)

if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {

#else

if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src) &&

if (1)

ip6->ip6_src.s6_addr16[1]) {

#endif

ip6stat.ip6s_badscope++;

{

goto bad;

if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src))

}

ip6->ip6_src.s6_addr16[1]

if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst) &&

= htons(m->m_pkthdr.rcvif->if_index);

ip6->ip6_dst.s6_addr16[1]) {

if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))

ip6stat.ip6s_badscope++;

ip6->ip6_dst.s6_addr16[1]

goto bad;

= htons(m->m_pkthdr.rcvif->if_index);

}

if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src))

* XXX we need this since we do not have "goto ours" hack route

ip6->ip6_src.s6_addr16[1]

* for some of our ifaddrs on loopback interface.

= htons(m->m_pkthdr.rcvif->if_index);

* we should correct it by changing in6_ifattach to install

if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))

* "goto ours" hack route.

ip6->ip6_dst.s6_addr16[1]

= htons(m->m_pkthdr.rcvif->if_index);

if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) != 0) {

if (IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_dst)) {

ours = 1;

* We use rt->rt_ifp to determine if the address is ours or not.

deliverifp = m->m_pkthdr.rcvif;

* If rt_ifp is lo0, the address is ours.

goto hbhcheck;

* The problem here is, rt->rt_ifp for fe80::%lo0/64 is set to lo0,

* so any address under fe80::%lo0/64 will be mistakenly considered

* local. The special case is supplied to handle the case properly

* by actually looking at interface addresses

* (using in6ifa_ifpwithaddr).

if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) != 0 &&

IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_dst)) {

if (!in6ifa_ifpwithaddr(m->m_pkthdr.rcvif, &ip6->ip6_dst)) {

icmp6_error(m, ICMP6_DST_UNREACH,

ICMP6_DST_UNREACH_ADDR, 0);

/* m is already freed */

return;

}

ours = 1;

deliverifp = m->m_pkthdr.rcvif;

goto hbhcheck;

}

Line 514 ip6_input(m)

Line 540 ip6_input(m)

&& ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_FAITH) {

/* XXX do we need more sanity checks? */

ours = 1;

deliverifp = ip6_forward_rt.ro_rt->rt_ifp; /*faith*/

deliverifp = ip6_forward_rt.ro_rt->rt_ifp; /* faith */

goto hbhcheck;

}

Line 575 ip6_input(m)

Line 601 ip6_input(m)

ip6 = mtod(m, struct ip6_hdr *);

* if the payload length field is 0 and the next header field

* indicates Hop-by-Hop Options header, then a Jumbo Payload

* option MUST be included.

Line 692 ip6_input(m)

Line 718 ip6_input(m)

ip6stat.ip6s_delivered++;

in6_ifstat_inc(deliverifp, ifs6_in_deliver);

nest = 0;

while (nxt != IPPROTO_DONE) {

if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) {

ip6stat.ip6s_toomanyhdr++;

Line 1293 ip6_nexthdr(m, off, proto, nxtp)

Line 1320 ip6_nexthdr(m, off, proto, nxtp)

if (nxtp)

*nxtp = ip6e.ip6e_nxt;

off += (ip6e.ip6e_len + 2) << 2;

if (m->m_pkthdr.len < off)

return -1;

return off;

case IPPROTO_HOPOPTS:

Line 1304 ip6_nexthdr(m, off, proto, nxtp)

Line 1333 ip6_nexthdr(m, off, proto, nxtp)

if (nxtp)

*nxtp = ip6e.ip6e_nxt;

off += (ip6e.ip6e_len + 1) << 3;

if (m->m_pkthdr.len < off)

return -1;

return off;

case IPPROTO_NONE:

Line 1363 u_char inet6ctlerrmap[PRC_NCMDS] = {

Line 1394 u_char inet6ctlerrmap[PRC_NCMDS] = {

ENOPROTOOPT

};

#include <uvm/uvm_extern.h>

#include <sys/sysctl.h>

int

ip6_sysctl(name, namelen, oldp, oldlenp, newp, newlen)

int *name;

Line 1413 ip6_sysctl(name, namelen, oldp, oldlenp,

Line 1441 ip6_sysctl(name, namelen, oldp, oldlenp,

case IPV6CTL_DEFMCASTHLIM:

return sysctl_int(oldp, oldlenp, newp, newlen,

&ip6_defmcasthlim);

#if NGIF > 0

case IPV6CTL_GIF_HLIM:

return sysctl_int(oldp, oldlenp, newp, newlen,

&ip6_gif_hlim);

#endif

case IPV6CTL_KAME_VERSION:

return sysctl_rdstring(oldp, oldlenp, newp, __KAME_VERSION);

case IPV6CTL_USE_DEPRECATED:

Line 1423 ip6_sysctl(name, namelen, oldp, oldlenp,

Line 1453 ip6_sysctl(name, namelen, oldp, oldlenp,

&ip6_use_deprecated);

case IPV6CTL_RR_PRUNE:

return sysctl_int(oldp, oldlenp, newp, newlen, &ip6_rr_prune);

#ifndef INET6_BINDV6ONLY

case IPV6CTL_V6ONLY:

case IPV6CTL_BINDV6ONLY:

#ifdef INET6_BINDV6ONLY

return sysctl_int(oldp, oldlenp, newp, newlen,

return sysctl_rdint(oldp, oldlenp, newp, ip6_v6only);

&ip6_bindv6only);

#else

return sysctl_int(oldp, oldlenp, newp, newlen, &ip6_v6only);

#endif

case IPV6CTL_ANONPORTMIN:

old = ip6_anonportmin;

Line 1480 ip6_sysctl(name, namelen, oldp, oldlenp,

Line 1511 ip6_sysctl(name, namelen, oldp, oldlenp,

}

return (error);

#endif

case IPV6CTL_MAXFRAGS:

return sysctl_int(oldp, oldlenp, newp, newlen, &ip6_maxfrags);

default:

return EOPNOTSUPP;

}

CVSweb <webmaster@jp.NetBSD.org>