| version 1.90.2.3, 2007/09/16 15:34:59 |
version 1.91, 2006/12/02 18:59:17 |
| Line 112 __KERNEL_RCSID(0, "$NetBSD$"); |
|
| Line 112 __KERNEL_RCSID(0, "$NetBSD$"); |
|
| #include <netinet6/ipsec.h> |
#include <netinet6/ipsec.h> |
| #endif |
#endif |
| |
|
| #ifdef FAST_IPSEC |
|
| #include <netipsec/ipsec.h> |
|
| #include <netipsec/ipsec6.h> |
|
| #include <netipsec/key.h> |
|
| #endif /* FAST_IPSEC */ |
|
| |
|
| #include <netinet6/ip6protosw.h> |
#include <netinet6/ip6protosw.h> |
| |
|
| #include "faith.h" |
#include "faith.h" |
|
|
| int nxt, ours = 0; |
int nxt, ours = 0; |
| struct ifnet *deliverifp = NULL; |
struct ifnet *deliverifp = NULL; |
| int srcrt = 0; |
int srcrt = 0; |
| #ifdef FAST_IPSEC |
|
| struct m_tag *mtag; |
|
| struct tdb_ident *tdbi; |
|
| struct secpolicy *sp; |
|
| int s, error; |
|
| #endif |
|
| |
|
| #ifdef IPSEC |
#ifdef IPSEC |
| /* |
/* |
|
|
| */ |
*/ |
| #ifdef IPSEC |
#ifdef IPSEC |
| if (!ipsec_getnhist(m)) |
if (!ipsec_getnhist(m)) |
| #elif defined(FAST_IPSEC) |
|
| if (!ipsec_indone(m)) |
|
| #else |
#else |
| if (1) |
if (1) |
| #endif |
#endif |
|
|
| else { |
else { |
| struct sockaddr_in6 *dst6; |
struct sockaddr_in6 *dst6; |
| |
|
| if (ip6_forward_rt.ro_rt) { |
if (ip6_forward_rt.ro_rt != NULL) { |
| /* route is down or destination is different */ |
/* route is down or destination is different */ |
| ip6stat.ip6s_forward_cachemiss++; |
ip6stat.ip6s_forward_cachemiss++; |
| RTFREE(ip6_forward_rt.ro_rt); |
RTFREE(ip6_forward_rt.ro_rt); |
|
|
| * But we think it's even useful in some situations, e.g. when using |
* But we think it's even useful in some situations, e.g. when using |
| * a special daemon which wants to intercept the packet. |
* a special daemon which wants to intercept the packet. |
| */ |
*/ |
| if (ip6_forward_rt.ro_rt && |
if (ip6_forward_rt.ro_rt != NULL && |
| (ip6_forward_rt.ro_rt->rt_flags & |
(ip6_forward_rt.ro_rt->rt_flags & |
| (RTF_HOST|RTF_GATEWAY)) == RTF_HOST && |
(RTF_HOST|RTF_GATEWAY)) == RTF_HOST && |
| !(ip6_forward_rt.ro_rt->rt_flags & RTF_CLONED) && |
!(ip6_forward_rt.ro_rt->rt_flags & RTF_CLONED) && |
|
|
| */ |
*/ |
| #if defined(NFAITH) && 0 < NFAITH |
#if defined(NFAITH) && 0 < NFAITH |
| if (ip6_keepfaith) { |
if (ip6_keepfaith) { |
| if (ip6_forward_rt.ro_rt && ip6_forward_rt.ro_rt->rt_ifp && |
if (ip6_forward_rt.ro_rt != NULL && |
| |
ip6_forward_rt.ro_rt->rt_ifp != NULL && |
| ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_FAITH) { |
ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_FAITH) { |
| /* XXX do we need more sanity checks? */ |
/* XXX do we need more sanity checks? */ |
| ours = 1; |
ours = 1; |
|
|
| * working right. |
* working right. |
| */ |
*/ |
| struct ifaddr *ifa; |
struct ifaddr *ifa; |
| for (ifa = m->m_pkthdr.rcvif->if_addrlist.tqh_first; |
TAILQ_FOREACH(ifa, &m->m_pkthdr.rcvif->if_addrlist, ifa_list) { |
| ifa; |
|
| ifa = ifa->ifa_list.tqe_next) { |
|
| if (ifa->ifa_addr == NULL) |
if (ifa->ifa_addr == NULL) |
| continue; /* just for safety */ |
continue; /* just for safety */ |
| if (ifa->ifa_addr->sa_family != AF_INET6) |
if (ifa->ifa_addr->sa_family != AF_INET6) |
|
|
| goto bad; |
goto bad; |
| } |
} |
| #endif |
#endif |
| #ifdef FAST_IPSEC |
|
| /* |
|
| * enforce IPsec policy checking if we are seeing last header. |
|
| * note that we do not visit this with protocols with pcb layer |
|
| * code - like udp/tcp/raw ip. |
|
| */ |
|
| if ((inet6sw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0) { |
|
| /* |
|
| * Check if the packet has already had IPsec processing |
|
| * done. If so, then just pass it along. This tag gets |
|
| * set during AH, ESP, etc. input handling, before the |
|
| * packet is returned to the ip input queue for delivery. |
|
| */ |
|
| mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); |
|
| s = splsoftnet(); |
|
| if (mtag != NULL) { |
|
| tdbi = (struct tdb_ident *)(mtag + 1); |
|
| sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); |
|
| } else { |
|
| sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, |
|
| IP_FORWARDING, &error); |
|
| } |
|
| if (sp != NULL) { |
|
| /* |
|
| * Check security policy against packet attributes. |
|
| */ |
|
| error = ipsec_in_reject(sp, m); |
|
| KEY_FREESP(&sp); |
|
| } else { |
|
| /* XXX error stat??? */ |
|
| error = EINVAL; |
|
| DPRINTF(("ip6_input: no SP, packet discarded\n"));/*XXX*/ |
|
| } |
|
| splx(s); |
|
| if (error) |
|
| goto bad; |
|
| } |
|
| #endif /* FAST_IPSEC */ |
|
| |
|
| |
|
| nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt); |
nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt); |
| } |
} |
|
|
| m_tag_delete(m, mtag); |
m_tag_delete(m, mtag); |
| } |
} |
| |
|
| static int |
|
| sysctl_net_inet6_ip6_rht0(SYSCTLFN_ARGS) |
|
| { |
|
| int error, tmp; |
|
| struct sysctlnode node; |
|
| |
|
| node = *rnode; |
|
| tmp = ip6_rht0; |
|
| node.sysctl_data = &tmp; |
|
| error = sysctl_lookup(SYSCTLFN_CALL(&node)); |
|
| if (error || newp == NULL) |
|
| return error; |
|
| |
|
| switch (tmp) { |
|
| case -1: /* disable processing */ |
|
| case 0: /* disable for host, enable for router */ |
|
| case 1: /* enable for all */ |
|
| break; |
|
| default: |
|
| return EINVAL; |
|
| } |
|
| ip6_rht0 = tmp; |
|
| return 0; |
|
| } |
|
| |
|
| /* |
/* |
| * System control for IP6 |
* System control for IP6 |
| */ |
*/ |
| Line 1901 SYSCTL_SETUP(sysctl_net_inet6_ip6_setup, |
|
| Line 1822 SYSCTL_SETUP(sysctl_net_inet6_ip6_setup, |
|
| NULL, 0, &ip6_mcast_pmtu, 0, |
NULL, 0, &ip6_mcast_pmtu, 0, |
| CTL_NET, PF_INET6, IPPROTO_IPV6, |
CTL_NET, PF_INET6, IPPROTO_IPV6, |
| CTL_CREATE, CTL_EOL); |
CTL_CREATE, CTL_EOL); |
| sysctl_createv(clog, 0, NULL, NULL, |
|
| CTLFLAG_PERMANENT|CTLFLAG_READWRITE, |
|
| CTLTYPE_INT, "rht0", |
|
| SYSCTL_DESCR("Processing of routing header type 0 (IPv6)"), |
|
| sysctl_net_inet6_ip6_rht0, 0, &ip6_rht0, 0, |
|
| CTL_NET, PF_INET6, IPPROTO_IPV6, |
|
| CTL_CREATE, CTL_EOL); |
|
| } |
} |
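Review bot: The FAST_IPSEC policy check in the left column indexes the protocol switch as `inet6sw[ip_protox[nxt]].pr_flags`, while the dispatch a few lines later uses `inet6sw[ip6_protox[nxt]].pr_input`; if that is not a rendering artifact, the PR_LASTHDR test looks up the IPv6 switch through the IPv4 `ip_protox` table and can evaluate the wrong entry for this next-header value, so it should read `if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0) {`. Which column is the newer revision is not recoverable from this side-by-side rendering, so this applies only if that block is on the side under review. On the same path the no-policy case sets `error = EINVAL` and drops the packet with only a `DPRINTF`, discarding the reason `ipsec_getpolicybyaddr()` reported and bumping no counter, which the code's own `/* XXX error stat??? */` already flags; I would replace that marker with `/* no inbound SP: packet dropped; no ip6stat counter is incremented here */` and, where this tree has a suitable counter, increment it before `goto bad`. The enclosing ip6_input() starts and ends outside the visible hunks.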