| blob | 44a349d1750f6ded0d33219b9431c086c596a83f |
1 /*-
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 *
31 * $KAME: ip6_forward.c,v 1.69 2001/05/17 03:48:30 itojun Exp $
32 */
34 #include <sys/cdefs.h>
41 #include <sys/param.h>
42 #include <sys/systm.h>
43 #include <sys/malloc.h>
44 #include <sys/mbuf.h>
45 #include <sys/domain.h>
46 #include <sys/protosw.h>
47 #include <sys/socket.h>
48 #include <sys/errno.h>
49 #include <sys/time.h>
50 #include <sys/kernel.h>
51 #include <sys/syslog.h>
53 #include <net/if.h>
54 #include <net/if_var.h>
55 #include <net/if_private.h>
56 #include <net/netisr.h>
57 #include <net/route.h>
58 #include <net/route/nhop.h>
59 #include <net/pfil.h>
61 #include <netinet/in.h>
62 #include <netinet/in_var.h>
63 #include <netinet/in_systm.h>
64 #include <netinet/ip.h>
65 #include <netinet/ip_var.h>
66 #include <netinet6/in6_var.h>
67 #include <netinet/ip6.h>
68 #include <netinet6/in6_fib.h>
69 #include <netinet6/ip6_var.h>
70 #include <netinet6/scope6_var.h>
71 #include <netinet/icmp6.h>
72 #include <netinet6/nd6.h>
74 #include <netinet/in_pcb.h>
76 #include <netipsec/ipsec_support.h>
78 /*
79 * Forward a packet. If some error occurs return the sender
80 * an icmp packet. Note we can't always generate a meaningful
81 * icmp message because icmp doesn't have a large enough repertoire
82 * of codes and types.
83 *
84 * If not forwarding, just drop the packet. This could be confusing
85 * if ipforwarding was zero but some routing protocol was advancing
86 * us as a gateway to somewhere. However, we must let the routing
87 * protocol deal with that.
88 *
89 */
90 void
92 {
104 /*
105 * Do not forward packets to multicast destination (should be handled
106 * by ip6_mforward().
107 * Do not forward packets with unspecified source. It was discussed
108 * in July 2000, on the ipngwg mailing list.
109 */
114 /* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard) */
117 "cannot forward "
123 }
126 }
129 #ifdef IPSTEALTH
131 #endif
133 /* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard) */
137 }
139 /*
140 * Save at most ICMPV6_PLD_MAXLEN (= the min IPv6 MTU -
141 * size of IPv6 + ICMPv6 headers) bytes of the packet in case
142 * we need to generate an ICMP6 message to the src.
143 * Thanks to M_EXT, in most cases copy will not occur.
144 *
145 * It is important to save it before IPsec processing as IPsec
146 * processing may modify the mbuf.
147 */
149 M_NOWAIT);
150 #ifdef IPSTEALTH
152 #endif
155 #if defined(IPSEC) || defined(IPSEC_SUPPORT)
158 /* mbuf consumed by IPsec */
163 }
164 /* No IPsec processing required */
165 }
166 #endif
167 /*
168 * ip6_forward() operates with IPv6 addresses with deembedded scope.
169 *
170 * There are 3 sources of IPv6 destination address:
171 *
172 * 1) ip6_input(), where ip6_dst contains deembedded address.
173 * In order to deal with forwarding of link-local packets,
174 * calculate the scope based on input interface (RFC 4007, clause 9).
175 * 2) packet filters changing ip6_dst directly. It would embed scope
176 * for LL addresses, so in6_localip() performs properly.
177 * 3) packet filters attaching PACKET_TAG_IPFORWARD would embed
178 * scope for the nexthop.
179 */
184 again:
193 }
195 }
205 }
207 }
209 /*
210 * Source scope check: if a packet can't be delivered to its
211 * destination for the reason that the destination is beyond the scope
212 * of the source address, discard the packet and return an icmp6
213 * destination unreachable error with Code 2 (beyond scope of source
214 * address).
215 * [draft-ietf-ipngwg-icmp-v3-04.txt, Section 3.1]
216 */
226 "cannot forward "
232 }
237 }
239 /*
240 * Destination scope check: if a packet is going to break the scope
241 * zone of packet's destination address, discard it. This case should
242 * usually be prevented by appropriately-configured routing table, but
243 * we need an explicit check because we may mistakenly forward the
244 * packet to a different zone by (e.g.) a default route.
245 */
253 }
256 /* Store gateway address in deembedded form */
260 }
262 /*
263 * If we are to forward the packet using the same interface
264 * as one we got the packet from, perhaps we should send a redirect
265 * to sender to shortcut a hop.
266 * Only send redirect if source is sending directly to us,
267 * and if packet was not source routed (or has any options).
268 * Also, don't send redirect if forwarding using a route
269 * modified by a redirect.
270 */
275 /*
276 * Fake scoped addresses. Note that even link-local source or
277 * destinaion can appear, if the originating node just sends the
278 * packet to us (without address resolution for the destination).
279 * Since both icmp6_error and icmp6_redirect_output fill the embedded
280 * link identifiers, we can do this stuff after making a copy for
281 * returning an error.
282 */
284 /*
285 * See corresponding comments in ip6_output.
286 * XXX: but is it possible that ip6_forward() sends a packet
287 * to a loopback interface? I don't think so, and thus
288 * I bark here. (jinmei@kame.net)
289 * XXX: it is common to route invalid packets to loopback.
290 * also, the codepath will be visited on use of ::1 in
291 * rthdr. (itojun)
292 */
293 #if 1
295 #else
297 #endif
298 {
305 }
307 /* we can just use rcvif in forwarding. */
309 }
310 else
312 /*
313 * clear embedded scope identifiers if necessary.
314 * in6_clearscope will touch the addresses only when necessary.
315 */
319 /* Jump over all PFIL processing if hooks are not active. */
324 /* Run through list of hooks for forwarded packets. */
330 /* See if destination IP address was changed by packet filter. */
333 /* If destination is now ourself drop to ip6_input(). */
339 /* Update address and scopeid. Assume scope is embedded */
344 }
345 }
347 /* See if local, if yes, send it to netisr. */
355 }
356 #if defined(SCTP) || defined(SCTP_SUPPORT)
359 #endif
362 }
363 /* Or forward to some other address? */
368 /* Update address and scopeid. Assume scope is embedded */
378 }
380 pass:
381 /* See if the size was changed by the packet filter. */
382 /* TODO: change to nh->nh_mtu */
389 }
391 /* Currently LLE layer stores embedded IPv6 addresses */
395 }
408 }
409 }
418 }
422 /* xxx MTU is constant in PPP? */
426 /* Tell source to slow down like source quench in IP? */
437 }
441 freecopy:
444 bad:
446 out:
449 }