2 * Copyright (c) 1982, 1986, 1988, 1990, 1993
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * @(#)ip_output.c 8.3 (Berkeley) 1/21/94
34 * $FreeBSD: src/sys/netinet/ip_output.c,v 1.99.2.37 2003/04/15 06:44:45 silby Exp $
35 * $DragonFly: src/sys/netinet/ip_output.c,v 1.8 2003/08/24 23:07:07 hsu Exp $
42 #include "opt_ipdivert.h"
43 #include "opt_ipfilter.h"
44 #include "opt_ipsec.h"
45 #include "opt_random_ip_id.h"
46 #include "opt_mbuf_stress_test.h"
48 #include <sys/param.h>
49 #include <sys/systm.h>
50 #include <sys/kernel.h>
51 #include <sys/malloc.h>
53 #include <sys/protosw.h>
54 #include <sys/socket.h>
55 #include <sys/socketvar.h>
57 #include <sys/sysctl.h>
60 #include <net/route.h>
62 #include <netinet/in.h>
63 #include <netinet/in_systm.h>
64 #include <netinet/ip.h>
65 #include <netinet/in_pcb.h>
66 #include <netinet/in_var.h>
67 #include <netinet/ip_var.h>
69 #include <machine/in_cksum.h>
71 static MALLOC_DEFINE(M_IPMOPTS, "ip_moptions", "internet multicast options");
74 #include <netinet6/ipsec.h>
75 #include <netproto/key/key.h>
77 #include <netproto/key/key_debug.h>
79 #define KEYDEBUG(lev,arg)
84 #include <netipsec/ipsec.h>
85 #include <netipsec/xform.h>
86 #include <netipsec/key.h>
89 #include <net/ipfw/ip_fw.h>
90 #include <net/dummynet/ip_dummynet.h>
92 #define print_ip(x, a, y) printf("%s %d.%d.%d.%d%s",\
93 x, (ntohl(a.s_addr)>>24)&0xFF,\
94 (ntohl(a.s_addr)>>16)&0xFF,\
95 (ntohl(a.s_addr)>>8)&0xFF,\
96 (ntohl(a.s_addr))&0xFF, y);
100 #ifdef MBUF_STRESS_TEST
101 int mbuf_frag_size = 0;
102 SYSCTL_INT(_net_inet_ip, OID_AUTO, mbuf_frag_size, CTLFLAG_RW,
103 &mbuf_frag_size, 0, "Fragment outgoing mbufs to this size");
106 static struct mbuf *ip_insertoptions(struct mbuf *, struct mbuf *, int *);
107 static struct ifnet *ip_multicast_if(struct in_addr *, int *);
108 static void ip_mloopback
109 (struct ifnet *, struct mbuf *, struct sockaddr_in *, int);
110 static int ip_getmoptions
111 (struct sockopt *, struct ip_moptions *);
112 static int ip_pcbopts(int, struct mbuf **, struct mbuf *);
113 static int ip_setmoptions
114 (struct sockopt *, struct ip_moptions **);
116 int ip_optcopy(struct ip *, struct ip *);
117 extern int (*fr_checkp) (struct ip *, int, struct ifnet *, int, struct mbuf **);
120 extern struct protosw inetsw[];
123 * IP output. The packet in mbuf chain m contains a skeletal IP
124 * header (with len, off, ttl, proto, tos, src, dst).
125 * The mbuf chain containing the packet will be freed.
126 * The mbuf opt, if present, will not be freed.
129 ip_output(struct mbuf *m0, struct mbuf *opt, struct route *ro,
130 int flags, struct ip_moptions *imo, struct inpcb *inp)
133 struct ifnet *ifp = NULL; /* keep compiler happy */
135 int hlen = sizeof (struct ip);
136 int len, off, error = 0;
137 struct sockaddr_in *dst = NULL; /* keep compiler happy */
138 struct in_ifaddr *ia = NULL;
139 int isbroadcast, sw_csum;
140 struct in_addr pkt_dst;
142 struct route iproute;
143 struct secpolicy *sp = NULL;
144 struct socket *so = inp ? inp->inp_socket : NULL;
147 struct route iproute;
149 struct secpolicy *sp = NULL;
150 struct tdb_ident *tdbi;
152 #endif /* FAST_IPSEC */
153 struct ip_fw_args args;
154 int src_was_INADDR_ANY = 0; /* as the name says... */
158 args.next_hop = NULL;
159 args.divert_rule = 0; /* divert cookie */
161 /* Grab info from MT_TAG mbufs prepended to the chain. */
162 for (; m0 && m0->m_type == MT_TAG; m0 = m0->m_next) {
163 switch(m0->_m_tag_id) {
165 printf("ip_output: unrecognised MT_TAG tag %d\n",
169 case PACKET_TAG_DUMMYNET:
171 * the packet was already tagged, so part of the
172 * processing was already done, and we need to go down.
173 * Get parameters from the header.
175 args.rule = ((struct dn_pkt *)m0)->rule;
177 ro = & ( ((struct dn_pkt *)m0)->ro ) ;
179 dst = ((struct dn_pkt *)m0)->dn_dst ;
180 ifp = ((struct dn_pkt *)m0)->ifp ;
181 flags = ((struct dn_pkt *)m0)->flags ;
184 case PACKET_TAG_DIVERT:
185 args.divert_rule = (int)m0->m_data & 0xffff;
188 case PACKET_TAG_IPFORWARD:
189 args.next_hop = (struct sockaddr_in *)m0->m_data;
195 KASSERT(!m || (m->m_flags & M_PKTHDR) != 0, ("ip_output: no HDR"));
197 KASSERT(ro != NULL, ("ip_output: no route, proto %d",
198 mtod(m, struct ip *)->ip_p));
201 if (args.rule != NULL) { /* dummynet already saw us */
202 ip = mtod(m, struct ip *);
203 hlen = IP_VHL_HL(ip->ip_vhl) << 2 ;
205 ia = ifatoia(ro->ro_rt->rt_ifa);
211 m = ip_insertoptions(m, opt, &len);
215 ip = mtod(m, struct ip *);
216 pkt_dst = args.next_hop ? args.next_hop->sin_addr : ip->ip_dst;
221 if ((flags & (IP_FORWARDING|IP_RAWOUTPUT)) == 0) {
222 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, hlen >> 2);
225 ip->ip_id = ip_randomid();
227 ip->ip_id = htons(ip_id++);
229 ipstat.ips_localout++;
231 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
237 bzero(ro, sizeof (*ro));
239 #endif /* FAST_IPSEC */
240 dst = (struct sockaddr_in *)&ro->ro_dst;
242 * If there is a cached route,
243 * check that it is to the same destination
244 * and is still up. If not, free it and try again.
245 * The address family should also be checked in case of sharing the
248 if (ro->ro_rt && ((ro->ro_rt->rt_flags & RTF_UP) == 0 ||
249 dst->sin_family != AF_INET ||
250 dst->sin_addr.s_addr != pkt_dst.s_addr)) {
252 ro->ro_rt = (struct rtentry *)0;
254 if (ro->ro_rt == 0) {
255 bzero(dst, sizeof(*dst));
256 dst->sin_family = AF_INET;
257 dst->sin_len = sizeof(*dst);
258 dst->sin_addr = pkt_dst;
261 * If routing to interface only,
262 * short circuit routing lookup.
264 if (flags & IP_ROUTETOIF) {
265 if ((ia = ifatoia(ifa_ifwithdstaddr(sintosa(dst)))) == 0 &&
266 (ia = ifatoia(ifa_ifwithnet(sintosa(dst)))) == 0) {
267 ipstat.ips_noroute++;
273 isbroadcast = in_broadcast(dst->sin_addr, ifp);
274 } else if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) &&
275 imo != NULL && imo->imo_multicast_ifp != NULL) {
277 * Bypass the normal routing lookup for multicast
278 * packets if the interface is specified.
280 ifp = imo->imo_multicast_ifp;
282 isbroadcast = 0; /* fool gcc */
285 * If this is the case, we probably don't want to allocate
286 * a protocol-cloned route since we didn't get one from the
287 * ULP. This lets TCP do its thing, while not burdening
288 * forwarding or ICMP with the overhead of cloning a route.
289 * Of course, we still want to do any cloning requested by
290 * the link layer, as this is probably required in all cases
291 * for correct operation (as it is for ARP).
294 rtalloc_ign(ro, RTF_PRCLONING);
295 if (ro->ro_rt == 0) {
296 ipstat.ips_noroute++;
297 error = EHOSTUNREACH;
300 ia = ifatoia(ro->ro_rt->rt_ifa);
301 ifp = ro->ro_rt->rt_ifp;
303 if (ro->ro_rt->rt_flags & RTF_GATEWAY)
304 dst = (struct sockaddr_in *)ro->ro_rt->rt_gateway;
305 if (ro->ro_rt->rt_flags & RTF_HOST)
306 isbroadcast = (ro->ro_rt->rt_flags & RTF_BROADCAST);
308 isbroadcast = in_broadcast(dst->sin_addr, ifp);
310 if (IN_MULTICAST(ntohl(pkt_dst.s_addr))) {
311 struct in_multi *inm;
313 m->m_flags |= M_MCAST;
315 * IP destination address is multicast. Make sure "dst"
316 * still points to the address in "ro". (It may have been
317 * changed to point to a gateway address, above.)
319 dst = (struct sockaddr_in *)&ro->ro_dst;
321 * See if the caller provided any multicast options
324 ip->ip_ttl = imo->imo_multicast_ttl;
325 if (imo->imo_multicast_vif != -1)
328 ip_mcast_src(imo->imo_multicast_vif) :
331 ip->ip_ttl = IP_DEFAULT_MULTICAST_TTL;
333 * Confirm that the outgoing interface supports multicast.
335 if ((imo == NULL) || (imo->imo_multicast_vif == -1)) {
336 if ((ifp->if_flags & IFF_MULTICAST) == 0) {
337 ipstat.ips_noroute++;
343 * If source address not specified yet, use address
344 * of outgoing interface.
346 if (ip->ip_src.s_addr == INADDR_ANY) {
347 /* Interface may have no addresses. */
349 ip->ip_src = IA_SIN(ia)->sin_addr;
352 if (ip_mrouter && (flags & IP_FORWARDING) == 0) {
355 * delayed checksums are not currently
356 * compatible with IP multicast routing
358 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
360 m->m_pkthdr.csum_flags &=
364 IN_LOOKUP_MULTI(pkt_dst, ifp, inm);
366 (imo == NULL || imo->imo_multicast_loop)) {
368 * If we belong to the destination multicast group
369 * on the outgoing interface, and the caller did not
370 * forbid loopback, loop back a copy.
372 ip_mloopback(ifp, m, dst, hlen);
376 * If we are acting as a multicast router, perform
377 * multicast forwarding as if the packet had just
378 * arrived on the interface to which we are about
379 * to send. The multicast forwarding function
380 * recursively calls this function, using the
381 * IP_FORWARDING flag to prevent infinite recursion.
383 * Multicasts that are looped back by ip_mloopback(),
384 * above, will be forwarded by the ip_input() routine,
387 if (ip_mrouter && (flags & IP_FORWARDING) == 0) {
389 * If rsvp daemon is not running, do not
390 * set ip_moptions. This ensures that the packet
391 * is multicast and not just sent down one link
392 * as prescribed by rsvpd.
397 ip_mforward(ip, ifp, m, imo) != 0) {
405 * Multicasts with a time-to-live of zero may be looped-
406 * back, above, but must not be transmitted on a network.
407 * Also, multicasts addressed to the loopback interface
408 * are not sent -- the above call to ip_mloopback() will
409 * loop back a copy if this host actually belongs to the
410 * destination group on the loopback interface.
412 if (ip->ip_ttl == 0 || ifp->if_flags & IFF_LOOPBACK) {
421 * If the source address is not specified yet, use the address
422 * of the outoing interface. In case, keep note we did that, so
423 * if the the firewall changes the next-hop causing the output
424 * interface to change, we can fix that.
426 if (ip->ip_src.s_addr == INADDR_ANY) {
427 /* Interface may have no addresses. */
429 ip->ip_src = IA_SIN(ia)->sin_addr;
430 src_was_INADDR_ANY = 1;
435 * Verify that we have any chance at all of being able to queue
436 * the packet or packet fragments
438 if ((ifp->if_snd.ifq_len + ip->ip_len / ifp->if_mtu + 1) >=
439 ifp->if_snd.ifq_maxlen) {
441 ipstat.ips_odropped++;
446 * Look for broadcast address and
447 * verify user is allowed to send
451 if ((ifp->if_flags & IFF_BROADCAST) == 0) {
452 error = EADDRNOTAVAIL;
455 if ((flags & IP_ALLOWBROADCAST) == 0) {
459 /* don't allow broadcast messages to be fragmented */
460 if (ip->ip_len > ifp->if_mtu) {
464 m->m_flags |= M_BCAST;
466 m->m_flags &= ~M_BCAST;
471 /* get SP for this packet */
473 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, flags, &error);
475 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_OUTBOUND, so, &error);
478 ipsecstat.out_inval++;
485 switch (sp->policy) {
486 case IPSEC_POLICY_DISCARD:
488 * This packet is just discarded.
490 ipsecstat.out_polvio++;
493 case IPSEC_POLICY_BYPASS:
494 case IPSEC_POLICY_NONE:
495 /* no need to do IPsec. */
498 case IPSEC_POLICY_IPSEC:
499 if (sp->req == NULL) {
500 /* acquire a policy */
501 error = key_spdacquire(sp);
506 case IPSEC_POLICY_ENTRUST:
508 printf("ip_output: Invalid policy found. %d\n", sp->policy);
511 struct ipsec_output_state state;
512 bzero(&state, sizeof(state));
514 if (flags & IP_ROUTETOIF) {
516 bzero(&iproute, sizeof(iproute));
519 state.dst = (struct sockaddr *)dst;
525 * delayed checksums are not currently compatible with IPsec
527 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
529 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
532 ip->ip_len = htons(ip->ip_len);
533 ip->ip_off = htons(ip->ip_off);
535 error = ipsec4_output(&state, sp, flags);
538 if (flags & IP_ROUTETOIF) {
540 * if we have tunnel mode SA, we may need to ignore
543 if (state.ro != &iproute || state.ro->ro_rt != NULL) {
544 flags &= ~IP_ROUTETOIF;
549 dst = (struct sockaddr_in *)state.dst;
551 /* mbuf is already reclaimed in ipsec4_output. */
561 printf("ip4_output (ipsec): error code %d\n", error);
564 /* don't show these error codes to the user */
572 /* be sure to update variables that are affected by ipsec4_output() */
573 ip = mtod(m, struct ip *);
575 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
577 hlen = ip->ip_hl << 2;
579 if (ro->ro_rt == NULL) {
580 if ((flags & IP_ROUTETOIF) == 0) {
582 "can't update route after IPsec processing\n");
583 error = EHOSTUNREACH; /*XXX*/
587 ia = ifatoia(ro->ro_rt->rt_ifa);
588 ifp = ro->ro_rt->rt_ifp;
591 /* make it flipped, again. */
592 ip->ip_len = ntohs(ip->ip_len);
593 ip->ip_off = ntohs(ip->ip_off);
598 * Check the security policy (SP) for the packet and, if
599 * required, do IPsec-related processing. There are two
600 * cases here; the first time a packet is sent through
601 * it will be untagged and handled by ipsec4_checkpolicy.
602 * If the packet is resubmitted to ip_output (e.g. after
603 * AH, ESP, etc. processing), there will be a tag to bypass
604 * the lookup and related policy checking.
606 mtag = m_tag_find(m, PACKET_TAG_IPSEC_PENDING_TDB, NULL);
609 tdbi = (struct tdb_ident *)(mtag + 1);
610 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_OUTBOUND);
612 error = -EINVAL; /* force silent drop */
613 m_tag_delete(m, mtag);
615 sp = ipsec4_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags,
619 * There are four return cases:
620 * sp != NULL apply IPsec policy
621 * sp == NULL, error == 0 no IPsec handling needed
622 * sp == NULL, error == -EINVAL discard packet w/o error
623 * sp == NULL, error != 0 discard packet, report error
626 /* Loop detection, check if ipsec processing already done */
627 KASSERT(sp->req != NULL, ("ip_output: no ipsec request"));
628 for (mtag = m_tag_first(m); mtag != NULL;
629 mtag = m_tag_next(m, mtag)) {
630 if (mtag->m_tag_cookie != MTAG_ABI_COMPAT)
632 if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE &&
633 mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED)
636 * Check if policy has an SA associated with it.
637 * This can happen when an SP has yet to acquire
638 * an SA; e.g. on first reference. If it occurs,
639 * then we let ipsec4_process_packet do its thing.
641 if (sp->req->sav == NULL)
643 tdbi = (struct tdb_ident *)(mtag + 1);
644 if (tdbi->spi == sp->req->sav->spi &&
645 tdbi->proto == sp->req->sav->sah->saidx.proto &&
646 bcmp(&tdbi->dst, &sp->req->sav->sah->saidx.dst,
647 sizeof (union sockaddr_union)) == 0) {
649 * No IPsec processing is needed, free
652 * NB: null pointer to avoid free at
655 KEY_FREESP(&sp), sp = NULL;
662 * Do delayed checksums now because we send before
663 * this is done in the normal processing path.
665 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
667 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
670 ip->ip_len = htons(ip->ip_len);
671 ip->ip_off = htons(ip->ip_off);
673 /* NB: callee frees mbuf */
674 error = ipsec4_process_packet(m, sp->req, flags, 0);
676 * Preserve KAME behaviour: ENOENT can be returned
677 * when an SA acquire is in progress. Don't propagate
678 * this to user-level; it confuses applications.
680 * XXX this will go away when the SADB is redone.
691 * Hack: -EINVAL is used to signal that a packet
692 * should be silently discarded. This is typically
693 * because we asked key management for an SA and
694 * it was delayed (e.g. kicked up to IKE).
696 if (error == -EINVAL)
700 /* No IPsec processing for this packet. */
704 * If deferred crypto processing is needed, check that
705 * the interface supports it.
707 mtag = m_tag_find(m, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL);
708 if (mtag != NULL && (ifp->if_capenable & IFCAP_IPSEC) == 0) {
709 /* notify IPsec to do its own crypto */
710 ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1));
711 error = EHOSTUNREACH;
717 #endif /* FAST_IPSEC */
720 * - Xlate: translate packet's addr/port (NAT).
721 * - Firewall: deny/allow/etc.
722 * - Wrap: fake packet's addr/port <unimpl.>
723 * - Encapsulate: put it in another IP and send out. <unimp.>
728 if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
730 ip = mtod(m = m1, struct ip *);
734 * Check with the firewall...
735 * but not if we are already being fwd'd from a firewall.
737 if (fw_enable && IPFW_LOADED && !args.next_hop) {
738 struct sockaddr_in *old = dst;
743 off = ip_fw_chk_ptr(&args);
748 * On return we must do the following:
749 * m == NULL -> drop the pkt (old interface, deprecated)
750 * (off & IP_FW_PORT_DENY_FLAG) -> drop the pkt (new interface)
751 * 1<=off<= 0xffff -> DIVERT
752 * (off & IP_FW_PORT_DYNT_FLAG) -> send to a DUMMYNET pipe
753 * (off & IP_FW_PORT_TEE_FLAG) -> TEE the packet
754 * dst != old -> IPFIREWALL_FORWARD
755 * off==0, dst==old -> accept
756 * If some of the above modules are not compiled in, then
757 * we should't have to check the corresponding condition
758 * (because the ipfw control socket should not accept
759 * unsupported rules), but better play safe and drop
760 * packets in case of doubt.
762 if ( (off & IP_FW_PORT_DENY_FLAG) || m == NULL) {
768 ip = mtod(m, struct ip *);
769 if (off == 0 && dst == old) /* common case */
771 if (DUMMYNET_LOADED && (off & IP_FW_PORT_DYNT_FLAG) != 0) {
773 * pass the pkt to dummynet. Need to include
774 * pipe number, m, ifp, ro, dst because these are
775 * not recomputed in the next pass.
776 * All other parameters have been already used and
777 * so they are not needed anymore.
778 * XXX note: if the ifp or ro entry are deleted
779 * while a pkt is in dummynet, we are in trouble!
785 error = ip_dn_io_ptr(m, off & 0xffff, DN_TO_IP_OUT,
790 if (off != 0 && (off & IP_FW_PORT_DYNT_FLAG) == 0) {
791 struct mbuf *clone = NULL;
793 /* Clone packet if we're doing a 'tee' */
794 if ((off & IP_FW_PORT_TEE_FLAG) != 0)
795 clone = m_dup(m, M_DONTWAIT);
799 * delayed checksums are not currently compatible
800 * with divert sockets.
802 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
804 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
807 /* Restore packet header fields to original values */
808 ip->ip_len = htons(ip->ip_len);
809 ip->ip_off = htons(ip->ip_off);
811 /* Deliver packet to divert input routine */
812 divert_packet(m, 0, off & 0xffff, args.divert_rule);
814 /* If 'tee', continue with original packet */
817 ip = mtod(m, struct ip *);
824 /* IPFIREWALL_FORWARD */
826 * Check dst to make sure it is directly reachable on the
827 * interface we previously thought it was.
828 * If it isn't (which may be likely in some situations) we have
829 * to re-route it (ie, find a route for the next-hop and the
830 * associated interface) and set them here. This is nested
831 * forwarding which in most cases is undesirable, except where
832 * such control is nigh impossible. So we do it here.
835 if (off == 0 && old != dst) { /* FORWARD, dst has changed */
838 * XXX To improve readability, this block should be
839 * changed into a function call as below:
841 error = ip_ipforward(&m, &dst, &ifp);
844 if (m == NULL) /* ip_input consumed the mbuf */
847 struct in_ifaddr *ia;
850 * XXX sro_fwd below is static, and a pointer
851 * to it gets passed to routines downstream.
852 * This could have surprisingly bad results in
853 * practice, because its content is overwritten
854 * by subsequent packets.
856 /* There must be a better way to do this next line... */
857 static struct route sro_fwd;
858 struct route *ro_fwd = &sro_fwd;
861 print_ip("IPFIREWALL_FORWARD: New dst ip: ",
862 dst->sin_addr, "\n");
866 * We need to figure out if we have been forwarded
867 * to a local socket. If so, then we should somehow
868 * "loop back" to ip_input, and get directed to the
869 * PCB as if we had received this packet. This is
870 * because it may be dificult to identify the packets
871 * you want to forward until they are being output
872 * and have selected an interface. (e.g. locally
873 * initiated packets) If we used the loopback inteface,
874 * we would not be able to control what happens
875 * as the packet runs through ip_input() as
876 * it is done through a ISR.
879 INADDR_HASH(dst->sin_addr.s_addr), ia_hash) {
881 * If the addr to forward to is one
882 * of ours, we pretend to
883 * be the destination for this packet.
885 if (IA_SIN(ia)->sin_addr.s_addr ==
886 dst->sin_addr.s_addr)
889 if (ia) { /* tell ip_input "dont filter" */
892 tag.mh_type = MT_TAG;
893 tag.mh_flags = PACKET_TAG_IPFORWARD;
894 tag.mh_data = (caddr_t)args.next_hop;
897 if (m->m_pkthdr.rcvif == NULL)
898 m->m_pkthdr.rcvif = ifunit("lo0");
899 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
900 m->m_pkthdr.csum_flags |=
901 CSUM_DATA_VALID | CSUM_PSEUDO_HDR;
902 m0->m_pkthdr.csum_data = 0xffff;
904 m->m_pkthdr.csum_flags |=
905 CSUM_IP_CHECKED | CSUM_IP_VALID;
906 ip->ip_len = htons(ip->ip_len);
907 ip->ip_off = htons(ip->ip_off);
908 ip_input((struct mbuf *)&tag);
911 /* Some of the logic for this was
914 * This rewrites the cached route in a local PCB.
915 * Is this what we want to do?
917 bcopy(dst, &ro_fwd->ro_dst, sizeof(*dst));
920 rtalloc_ign(ro_fwd, RTF_PRCLONING);
922 if (ro_fwd->ro_rt == 0) {
923 ipstat.ips_noroute++;
924 error = EHOSTUNREACH;
928 ia = ifatoia(ro_fwd->ro_rt->rt_ifa);
929 ifp = ro_fwd->ro_rt->rt_ifp;
930 ro_fwd->ro_rt->rt_use++;
931 if (ro_fwd->ro_rt->rt_flags & RTF_GATEWAY)
932 dst = (struct sockaddr_in *)
933 ro_fwd->ro_rt->rt_gateway;
934 if (ro_fwd->ro_rt->rt_flags & RTF_HOST)
936 (ro_fwd->ro_rt->rt_flags & RTF_BROADCAST);
938 isbroadcast = in_broadcast(dst->sin_addr, ifp);
941 ro->ro_rt = ro_fwd->ro_rt;
942 dst = (struct sockaddr_in *)&ro_fwd->ro_dst;
944 #endif /* ... block to be put into a function */
946 * If we added a default src ip earlier,
947 * which would have been gotten from the-then
948 * interface, do it again, from the new one.
950 if (src_was_INADDR_ANY)
951 ip->ip_src = IA_SIN(ia)->sin_addr;
956 * if we get here, none of the above matches, and
957 * we have to drop the pkt
960 error = EACCES; /* not sure this is the right error msg */
965 /* 127/8 must not appear on wire - RFC1122. */
966 if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
967 (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
968 if ((ifp->if_flags & IFF_LOOPBACK) == 0) {
969 ipstat.ips_badaddr++;
970 error = EADDRNOTAVAIL;
975 m->m_pkthdr.csum_flags |= CSUM_IP;
976 sw_csum = m->m_pkthdr.csum_flags & ~ifp->if_hwassist;
977 if (sw_csum & CSUM_DELAY_DATA) {
979 sw_csum &= ~CSUM_DELAY_DATA;
981 m->m_pkthdr.csum_flags &= ifp->if_hwassist;
984 * If small enough for interface, or the interface will take
985 * care of the fragmentation for us, can just send directly.
987 if (ip->ip_len <= ifp->if_mtu || ifp->if_hwassist & CSUM_FRAGMENT) {
988 ip->ip_len = htons(ip->ip_len);
989 ip->ip_off = htons(ip->ip_off);
991 if (sw_csum & CSUM_DELAY_IP) {
992 if (ip->ip_vhl == IP_VHL_BORING) {
993 ip->ip_sum = in_cksum_hdr(ip);
995 ip->ip_sum = in_cksum(m, hlen);
999 /* Record statistics for this interface address. */
1000 if (!(flags & IP_FORWARDING) && ia) {
1001 ia->ia_ifa.if_opackets++;
1002 ia->ia_ifa.if_obytes += m->m_pkthdr.len;
1006 /* clean ipsec history once it goes out of the node */
1010 #ifdef MBUF_STRESS_TEST
1011 if (mbuf_frag_size && m->m_pkthdr.len > mbuf_frag_size) {
1012 struct mbuf *m1, *m2;
1015 tmp = length = m->m_pkthdr.len;
1017 while ((length -= mbuf_frag_size) >= 1) {
1018 m1 = m_split(m, length, M_DONTWAIT);
1021 m1->m_flags &= ~M_PKTHDR;
1023 while (m2->m_next != NULL)
1027 m->m_pkthdr.len = tmp;
1030 error = (*ifp->if_output)(ifp, m,
1031 (struct sockaddr *)dst, ro->ro_rt);
1035 if (ip->ip_off & IP_DF) {
1038 * This case can happen if the user changed the MTU
1039 * of an interface after enabling IP on it. Because
1040 * most netifs don't keep track of routes pointing to
1041 * them, there is no way for one to update all its
1042 * routes when the MTU is changed.
1044 if ((ro->ro_rt->rt_flags & (RTF_UP | RTF_HOST)) &&
1045 !(ro->ro_rt->rt_rmx.rmx_locks & RTV_MTU) &&
1046 (ro->ro_rt->rt_rmx.rmx_mtu > ifp->if_mtu)) {
1047 ro->ro_rt->rt_rmx.rmx_mtu = ifp->if_mtu;
1049 ipstat.ips_cantfrag++;
1054 * Too large for interface; fragment if possible. If successful,
1055 * on return, m will point to a list of packets to be sent.
1057 error = ip_fragment(ip, &m, ifp->if_mtu, ifp->if_hwassist, sw_csum);
1064 /* clean ipsec history once it goes out of the node */
1068 /* Record statistics for this interface address. */
1070 ia->ia_ifa.if_opackets++;
1071 ia->ia_ifa.if_obytes += m->m_pkthdr.len;
1074 error = (*ifp->if_output)(ifp, m,
1075 (struct sockaddr *)dst, ro->ro_rt);
1081 ipstat.ips_fragmented++;
1085 if (ro == &iproute && ro->ro_rt) {
1090 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1091 printf("DP ip_output call free SP:%p\n", sp));
1096 if (ro == &iproute && ro->ro_rt) {
1110 * Create a chain of fragments which fit the given mtu. m_frag points to the
1111 * mbuf to be fragmented; on return it points to the chain with the fragments.
1112 * Return 0 if no error. If error, m_frag may contain a partially built
1113 * chain of fragments that should be freed by the caller.
1115 * if_hwassist_flags is the hw offload capabilities (see if_data.ifi_hwassist)
1116 * sw_csum contains the delayed checksums flags (e.g., CSUM_DELAY_IP).
1119 ip_fragment(struct ip *ip, struct mbuf **m_frag, int mtu,
1120 u_long if_hwassist_flags, int sw_csum)
1123 int hlen = IP_VHL_HL(ip->ip_vhl) << 2;
1124 int len = (mtu - hlen) & ~7; /* size of payload in each fragment */
1126 struct mbuf *m0 = *m_frag; /* the original packet */
1128 struct mbuf **mnext;
1131 if (ip->ip_off & IP_DF) { /* Fragmentation not allowed */
1132 ipstat.ips_cantfrag++;
1137 * Must be able to put at least 8 bytes per fragment.
1143 * If the interface will not calculate checksums on
1144 * fragmented packets, then do it here.
1146 if (m0->m_pkthdr.csum_flags & CSUM_DELAY_DATA &&
1147 (if_hwassist_flags & CSUM_IP_FRAGS) == 0) {
1148 in_delayed_cksum(m0);
1149 m0->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
1152 if (len > PAGE_SIZE) {
1154 * Fragment large datagrams such that each segment
1155 * contains a multiple of PAGE_SIZE amount of data,
1156 * plus headers. This enables a receiver to perform
1157 * page-flipping zero-copy optimizations.
1159 * XXX When does this help given that sender and receiver
1160 * could have different page sizes, and also mtu could
1161 * be less than the receiver's page size ?
1166 for (m = m0, off = 0; m && (off+m->m_len) <= mtu; m = m->m_next)
1170 * firstlen (off - hlen) must be aligned on an
1174 goto smart_frag_failure;
1175 off = ((off - hlen) & ~7) + hlen;
1176 newlen = (~PAGE_MASK) & mtu;
1177 if ((newlen + sizeof (struct ip)) > mtu) {
1178 /* we failed, go back the default */
1189 firstlen = off - hlen;
1190 mnext = &m0->m_nextpkt; /* pointer to next packet */
1193 * Loop through length of segment after first fragment,
1194 * make new header and copy data of each part and link onto chain.
1195 * Here, m0 is the original packet, m is the fragment being created.
1196 * The fragments are linked off the m_nextpkt of the original
1197 * packet, which after processing serves as the first fragment.
1199 for (nfrags = 1; off < ip->ip_len; off += len, nfrags++) {
1200 struct ip *mhip; /* ip header on the fragment */
1202 int mhlen = sizeof (struct ip);
1204 MGETHDR(m, M_DONTWAIT, MT_HEADER);
1207 ipstat.ips_odropped++;
1210 m->m_flags |= (m0->m_flags & M_MCAST) | M_FRAG;
1212 * In the first mbuf, leave room for the link header, then
1213 * copy the original IP header including options. The payload
1214 * goes into an additional mbuf chain returned by m_copy().
1216 m->m_data += max_linkhdr;
1217 mhip = mtod(m, struct ip *);
1219 if (hlen > sizeof (struct ip)) {
1220 mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip);
1221 mhip->ip_vhl = IP_MAKE_VHL(IPVERSION, mhlen >> 2);
1224 /* XXX do we need to add ip->ip_off below ? */
1225 mhip->ip_off = ((off - hlen) >> 3) + ip->ip_off;
1226 if (off + len >= ip->ip_len) { /* last fragment */
1227 len = ip->ip_len - off;
1228 m->m_flags |= M_LASTFRAG;
1230 mhip->ip_off |= IP_MF;
1231 mhip->ip_len = htons((u_short)(len + mhlen));
1232 m->m_next = m_copy(m0, off, len);
1233 if (m->m_next == 0) { /* copy failed */
1235 error = ENOBUFS; /* ??? */
1236 ipstat.ips_odropped++;
1239 m->m_pkthdr.len = mhlen + len;
1240 m->m_pkthdr.rcvif = (struct ifnet *)0;
1241 m->m_pkthdr.csum_flags = m0->m_pkthdr.csum_flags;
1242 mhip->ip_off = htons(mhip->ip_off);
1244 if (sw_csum & CSUM_DELAY_IP)
1245 mhip->ip_sum = in_cksum(m, mhlen);
1247 mnext = &m->m_nextpkt;
1249 ipstat.ips_ofragments += nfrags;
1251 /* set first marker for fragment chain */
1252 m0->m_flags |= M_FIRSTFRAG | M_FRAG;
1253 m0->m_pkthdr.csum_data = nfrags;
1256 * Update first fragment by trimming what's been copied out
1257 * and updating header.
1259 m_adj(m0, hlen + firstlen - ip->ip_len);
1260 m0->m_pkthdr.len = hlen + firstlen;
1261 ip->ip_len = htons((u_short)m0->m_pkthdr.len);
1262 ip->ip_off |= IP_MF;
1263 ip->ip_off = htons(ip->ip_off);
1265 if (sw_csum & CSUM_DELAY_IP)
1266 ip->ip_sum = in_cksum(m0, hlen);
1274 in_delayed_cksum(struct mbuf *m)
1277 u_short csum, offset;
1279 ip = mtod(m, struct ip *);
1280 offset = IP_VHL_HL(ip->ip_vhl) << 2 ;
1281 csum = in_cksum_skip(m, ip->ip_len, offset);
1282 if (m->m_pkthdr.csum_flags & CSUM_UDP && csum == 0)
1284 offset += m->m_pkthdr.csum_data; /* checksum offset */
1286 if (offset + sizeof(u_short) > m->m_len) {
1287 printf("delayed m_pullup, m->len: %d off: %d p: %d\n",
1288 m->m_len, offset, ip->ip_p);
1291 * this shouldn't happen, but if it does, the
1292 * correct behavior may be to insert the checksum
1293 * in the existing chain instead of rearranging it.
1295 m = m_pullup(m, offset + sizeof(u_short));
1297 *(u_short *)(m->m_data + offset) = csum;
1301 * Insert IP options into preformed packet.
1302 * Adjust IP destination as required for IP source routing,
1303 * as indicated by a non-zero in_addr at the start of the options.
1305 * XXX This routine assumes that the packet has no options in place.
1307 static struct mbuf *
1308 ip_insertoptions(m, opt, phlen)
1313 struct ipoption *p = mtod(opt, struct ipoption *);
1315 struct ip *ip = mtod(m, struct ip *);
1318 optlen = opt->m_len - sizeof(p->ipopt_dst);
1319 if (optlen + (u_short)ip->ip_len > IP_MAXPACKET) {
1321 return (m); /* XXX should fail */
1323 if (p->ipopt_dst.s_addr)
1324 ip->ip_dst = p->ipopt_dst;
1325 if (m->m_flags & M_EXT || m->m_data - optlen < m->m_pktdat) {
1326 MGETHDR(n, M_DONTWAIT, MT_HEADER);
1331 n->m_pkthdr.rcvif = (struct ifnet *)0;
1332 n->m_pkthdr.len = m->m_pkthdr.len + optlen;
1333 m->m_len -= sizeof(struct ip);
1334 m->m_data += sizeof(struct ip);
1337 m->m_len = optlen + sizeof(struct ip);
1338 m->m_data += max_linkhdr;
1339 (void)memcpy(mtod(m, void *), ip, sizeof(struct ip));
1341 m->m_data -= optlen;
1343 m->m_pkthdr.len += optlen;
1344 ovbcopy((caddr_t)ip, mtod(m, caddr_t), sizeof(struct ip));
1346 ip = mtod(m, struct ip *);
1347 bcopy(p->ipopt_list, ip + 1, optlen);
1348 *phlen = sizeof(struct ip) + optlen;
1349 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, *phlen >> 2);
1350 ip->ip_len += optlen;
1355 * Copy options from ip to jp,
1356 * omitting those not copied during fragmentation.
1363 int opt, optlen, cnt;
1365 cp = (u_char *)(ip + 1);
1366 dp = (u_char *)(jp + 1);
1367 cnt = (IP_VHL_HL(ip->ip_vhl) << 2) - sizeof (struct ip);
1368 for (; cnt > 0; cnt -= optlen, cp += optlen) {
1370 if (opt == IPOPT_EOL)
1372 if (opt == IPOPT_NOP) {
1373 /* Preserve for IP mcast tunnel's LSRR alignment. */
1379 KASSERT(cnt >= IPOPT_OLEN + sizeof(*cp),
1380 ("ip_optcopy: malformed ipv4 option"));
1381 optlen = cp[IPOPT_OLEN];
1382 KASSERT(optlen >= IPOPT_OLEN + sizeof(*cp) && optlen <= cnt,
1383 ("ip_optcopy: malformed ipv4 option"));
1385 /* bogus lengths should have been caught by ip_dooptions */
1388 if (IPOPT_COPIED(opt)) {
1389 bcopy(cp, dp, optlen);
1393 for (optlen = dp - (u_char *)(jp+1); optlen & 0x3; optlen++)
1399 * IP socket option processing.
1402 ip_ctloutput(so, sopt)
1404 struct sockopt *sopt;
1406 struct inpcb *inp = sotoinpcb(so);
1410 if (sopt->sopt_level != IPPROTO_IP) {
1414 switch (sopt->sopt_dir) {
1416 switch (sopt->sopt_name) {
1423 if (sopt->sopt_valsize > MLEN) {
1427 MGET(m, sopt->sopt_td ? M_WAIT : M_DONTWAIT, MT_HEADER);
1432 m->m_len = sopt->sopt_valsize;
1433 error = sooptcopyin(sopt, mtod(m, char *), m->m_len,
1436 return (ip_pcbopts(sopt->sopt_name, &inp->inp_options,
1443 case IP_RECVRETOPTS:
1444 case IP_RECVDSTADDR:
1447 error = sooptcopyin(sopt, &optval, sizeof optval,
1452 switch (sopt->sopt_name) {
1454 inp->inp_ip_tos = optval;
1458 inp->inp_ip_ttl = optval;
1460 #define OPTSET(bit) \
1462 inp->inp_flags |= bit; \
1464 inp->inp_flags &= ~bit;
1467 OPTSET(INP_RECVOPTS);
1470 case IP_RECVRETOPTS:
1471 OPTSET(INP_RECVRETOPTS);
1474 case IP_RECVDSTADDR:
1475 OPTSET(INP_RECVDSTADDR);
1489 case IP_MULTICAST_IF:
1490 case IP_MULTICAST_VIF:
1491 case IP_MULTICAST_TTL:
1492 case IP_MULTICAST_LOOP:
1493 case IP_ADD_MEMBERSHIP:
1494 case IP_DROP_MEMBERSHIP:
1495 error = ip_setmoptions(sopt, &inp->inp_moptions);
1499 error = sooptcopyin(sopt, &optval, sizeof optval,
1505 case IP_PORTRANGE_DEFAULT:
1506 inp->inp_flags &= ~(INP_LOWPORT);
1507 inp->inp_flags &= ~(INP_HIGHPORT);
1510 case IP_PORTRANGE_HIGH:
1511 inp->inp_flags &= ~(INP_LOWPORT);
1512 inp->inp_flags |= INP_HIGHPORT;
1515 case IP_PORTRANGE_LOW:
1516 inp->inp_flags &= ~(INP_HIGHPORT);
1517 inp->inp_flags |= INP_LOWPORT;
1526 #if defined(IPSEC) || defined(FAST_IPSEC)
1527 case IP_IPSEC_POLICY:
1535 if ((error = soopt_getm(sopt, &m)) != 0) /* XXX */
1537 if ((error = soopt_mcopyin(sopt, m)) != 0) /* XXX */
1539 priv = (sopt->sopt_td != NULL &&
1540 suser(sopt->sopt_td) != 0) ? 0 : 1;
1541 req = mtod(m, caddr_t);
1543 optname = sopt->sopt_name;
1544 error = ipsec4_set_policy(inp, optname, req, len, priv);
1551 error = ENOPROTOOPT;
1557 switch (sopt->sopt_name) {
1560 if (inp->inp_options)
1561 error = sooptcopyout(sopt,
1562 mtod(inp->inp_options,
1564 inp->inp_options->m_len);
1566 sopt->sopt_valsize = 0;
1572 case IP_RECVRETOPTS:
1573 case IP_RECVDSTADDR:
1577 switch (sopt->sopt_name) {
1580 optval = inp->inp_ip_tos;
1584 optval = inp->inp_ip_ttl;
1587 #define OPTBIT(bit) (inp->inp_flags & bit ? 1 : 0)
1590 optval = OPTBIT(INP_RECVOPTS);
1593 case IP_RECVRETOPTS:
1594 optval = OPTBIT(INP_RECVRETOPTS);
1597 case IP_RECVDSTADDR:
1598 optval = OPTBIT(INP_RECVDSTADDR);
1602 optval = OPTBIT(INP_RECVIF);
1606 if (inp->inp_flags & INP_HIGHPORT)
1607 optval = IP_PORTRANGE_HIGH;
1608 else if (inp->inp_flags & INP_LOWPORT)
1609 optval = IP_PORTRANGE_LOW;
1615 optval = OPTBIT(INP_FAITH);
1618 error = sooptcopyout(sopt, &optval, sizeof optval);
1621 case IP_MULTICAST_IF:
1622 case IP_MULTICAST_VIF:
1623 case IP_MULTICAST_TTL:
1624 case IP_MULTICAST_LOOP:
1625 case IP_ADD_MEMBERSHIP:
1626 case IP_DROP_MEMBERSHIP:
1627 error = ip_getmoptions(sopt, inp->inp_moptions);
1630 #if defined(IPSEC) || defined(FAST_IPSEC)
1631 case IP_IPSEC_POLICY:
1633 struct mbuf *m = NULL;
1638 req = mtod(m, caddr_t);
1641 error = ipsec4_get_policy(sotoinpcb(so), req, len, &m);
1643 error = soopt_mcopyout(sopt, m); /* XXX */
1651 error = ENOPROTOOPT;
1660 * Set up IP options in pcb for insertion in output packets.
1661 * Store in mbuf with pointer in pcbopt, adding pseudo-option
1662 * with destination address if source routed.
1665 ip_pcbopts(optname, pcbopt, m)
1667 struct mbuf **pcbopt;
1674 /* turn off any old options */
1676 (void)m_free(*pcbopt);
1678 if (m == (struct mbuf *)0 || m->m_len == 0) {
1680 * Only turning off any previous options.
1687 if (m->m_len % sizeof(int32_t))
1690 * IP first-hop destination address will be stored before
1691 * actual options; move other options back
1692 * and clear it when none present.
1694 if (m->m_data + m->m_len + sizeof(struct in_addr) >= &m->m_dat[MLEN])
1697 m->m_len += sizeof(struct in_addr);
1698 cp = mtod(m, u_char *) + sizeof(struct in_addr);
1699 ovbcopy(mtod(m, caddr_t), (caddr_t)cp, (unsigned)cnt);
1700 bzero(mtod(m, caddr_t), sizeof(struct in_addr));
1702 for (; cnt > 0; cnt -= optlen, cp += optlen) {
1703 opt = cp[IPOPT_OPTVAL];
1704 if (opt == IPOPT_EOL)
1706 if (opt == IPOPT_NOP)
1709 if (cnt < IPOPT_OLEN + sizeof(*cp))
1711 optlen = cp[IPOPT_OLEN];
1712 if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt)
1723 * user process specifies route as:
1725 * D must be our final destination (but we can't
1726 * check that since we may not have connected yet).
1727 * A is first hop destination, which doesn't appear in
1728 * actual IP option, but is stored before the options.
1730 if (optlen < IPOPT_MINOFF - 1 + sizeof(struct in_addr))
1732 m->m_len -= sizeof(struct in_addr);
1733 cnt -= sizeof(struct in_addr);
1734 optlen -= sizeof(struct in_addr);
1735 cp[IPOPT_OLEN] = optlen;
1737 * Move first hop before start of options.
1739 bcopy((caddr_t)&cp[IPOPT_OFFSET+1], mtod(m, caddr_t),
1740 sizeof(struct in_addr));
1742 * Then copy rest of options back
1743 * to close up the deleted entry.
1745 ovbcopy((caddr_t)(&cp[IPOPT_OFFSET+1] +
1746 sizeof(struct in_addr)),
1747 (caddr_t)&cp[IPOPT_OFFSET+1],
1748 (unsigned)cnt + sizeof(struct in_addr));
1752 if (m->m_len > MAX_IPOPTLEN + sizeof(struct in_addr))
1764 * The whole multicast option thing needs to be re-thought.
1765 * Several of these options are equally applicable to non-multicast
1766 * transmission, and one (IP_MULTICAST_TTL) totally duplicates a
1767 * standard option (IP_TTL).
1771 * following RFC1724 section 3.3, 0.0.0.0/8 is interpreted as interface index.
1773 static struct ifnet *
1774 ip_multicast_if(a, ifindexp)
1783 if (ntohl(a->s_addr) >> 24 == 0) {
1784 ifindex = ntohl(a->s_addr) & 0xffffff;
1785 if (ifindex < 0 || if_index < ifindex)
1787 ifp = ifindex2ifnet[ifindex];
1789 *ifindexp = ifindex;
1791 INADDR_TO_IFP(*a, ifp);
1797 * Set the IP multicast options in response to user setsockopt().
1800 ip_setmoptions(sopt, imop)
1801 struct sockopt *sopt;
1802 struct ip_moptions **imop;
1806 struct in_addr addr;
1807 struct ip_mreq mreq;
1809 struct ip_moptions *imo = *imop;
1811 struct sockaddr_in *dst;
1817 * No multicast option buffer attached to the pcb;
1818 * allocate one and initialize to default values.
1820 imo = (struct ip_moptions*)malloc(sizeof(*imo), M_IPMOPTS,
1826 imo->imo_multicast_ifp = NULL;
1827 imo->imo_multicast_addr.s_addr = INADDR_ANY;
1828 imo->imo_multicast_vif = -1;
1829 imo->imo_multicast_ttl = IP_DEFAULT_MULTICAST_TTL;
1830 imo->imo_multicast_loop = IP_DEFAULT_MULTICAST_LOOP;
1831 imo->imo_num_memberships = 0;
1834 switch (sopt->sopt_name) {
1835 /* store an index number for the vif you wanna use in the send */
1836 case IP_MULTICAST_VIF:
1837 if (legal_vif_num == 0) {
1841 error = sooptcopyin(sopt, &i, sizeof i, sizeof i);
1844 if (!legal_vif_num(i) && (i != -1)) {
1848 imo->imo_multicast_vif = i;
1851 case IP_MULTICAST_IF:
1853 * Select the interface for outgoing multicast packets.
1855 error = sooptcopyin(sopt, &addr, sizeof addr, sizeof addr);
1859 * INADDR_ANY is used to remove a previous selection.
1860 * When no interface is selected, a default one is
1861 * chosen every time a multicast packet is sent.
1863 if (addr.s_addr == INADDR_ANY) {
1864 imo->imo_multicast_ifp = NULL;
1868 * The selected interface is identified by its local
1869 * IP address. Find the interface and confirm that
1870 * it supports multicasting.
1873 ifp = ip_multicast_if(&addr, &ifindex);
1874 if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0) {
1876 error = EADDRNOTAVAIL;
1879 imo->imo_multicast_ifp = ifp;
1881 imo->imo_multicast_addr = addr;
1883 imo->imo_multicast_addr.s_addr = INADDR_ANY;
1887 case IP_MULTICAST_TTL:
1889 * Set the IP time-to-live for outgoing multicast packets.
1890 * The original multicast API required a char argument,
1891 * which is inconsistent with the rest of the socket API.
1892 * We allow either a char or an int.
1894 if (sopt->sopt_valsize == 1) {
1896 error = sooptcopyin(sopt, &ttl, 1, 1);
1899 imo->imo_multicast_ttl = ttl;
1902 error = sooptcopyin(sopt, &ttl, sizeof ttl,
1909 imo->imo_multicast_ttl = ttl;
1913 case IP_MULTICAST_LOOP:
1915 * Set the loopback flag for outgoing multicast packets.
1916 * Must be zero or one. The original multicast API required a
1917 * char argument, which is inconsistent with the rest
1918 * of the socket API. We allow either a char or an int.
1920 if (sopt->sopt_valsize == 1) {
1922 error = sooptcopyin(sopt, &loop, 1, 1);
1925 imo->imo_multicast_loop = !!loop;
1928 error = sooptcopyin(sopt, &loop, sizeof loop,
1932 imo->imo_multicast_loop = !!loop;
1936 case IP_ADD_MEMBERSHIP:
1938 * Add a multicast group membership.
1939 * Group must be a valid IP multicast address.
1941 error = sooptcopyin(sopt, &mreq, sizeof mreq, sizeof mreq);
1945 if (!IN_MULTICAST(ntohl(mreq.imr_multiaddr.s_addr))) {
1951 * If no interface address was provided, use the interface of
1952 * the route to the given multicast address.
1954 if (mreq.imr_interface.s_addr == INADDR_ANY) {
1955 bzero((caddr_t)&ro, sizeof(ro));
1956 dst = (struct sockaddr_in *)&ro.ro_dst;
1957 dst->sin_len = sizeof(*dst);
1958 dst->sin_family = AF_INET;
1959 dst->sin_addr = mreq.imr_multiaddr;
1961 if (ro.ro_rt == NULL) {
1962 error = EADDRNOTAVAIL;
1966 ifp = ro.ro_rt->rt_ifp;
1970 ifp = ip_multicast_if(&mreq.imr_interface, NULL);
1974 * See if we found an interface, and confirm that it
1975 * supports multicast.
1977 if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0) {
1978 error = EADDRNOTAVAIL;
1983 * See if the membership already exists or if all the
1984 * membership slots are full.
1986 for (i = 0; i < imo->imo_num_memberships; ++i) {
1987 if (imo->imo_membership[i]->inm_ifp == ifp &&
1988 imo->imo_membership[i]->inm_addr.s_addr
1989 == mreq.imr_multiaddr.s_addr)
1992 if (i < imo->imo_num_memberships) {
1997 if (i == IP_MAX_MEMBERSHIPS) {
1998 error = ETOOMANYREFS;
2003 * Everything looks good; add a new record to the multicast
2004 * address list for the given interface.
2006 if ((imo->imo_membership[i] =
2007 in_addmulti(&mreq.imr_multiaddr, ifp)) == NULL) {
2012 ++imo->imo_num_memberships;
2016 case IP_DROP_MEMBERSHIP:
2018 * Drop a multicast group membership.
2019 * Group must be a valid IP multicast address.
2021 error = sooptcopyin(sopt, &mreq, sizeof mreq, sizeof mreq);
2025 if (!IN_MULTICAST(ntohl(mreq.imr_multiaddr.s_addr))) {
2032 * If an interface address was specified, get a pointer
2033 * to its ifnet structure.
2035 if (mreq.imr_interface.s_addr == INADDR_ANY)
2038 ifp = ip_multicast_if(&mreq.imr_interface, NULL);
2040 error = EADDRNOTAVAIL;
2046 * Find the membership in the membership array.
2048 for (i = 0; i < imo->imo_num_memberships; ++i) {
2050 imo->imo_membership[i]->inm_ifp == ifp) &&
2051 imo->imo_membership[i]->inm_addr.s_addr ==
2052 mreq.imr_multiaddr.s_addr)
2055 if (i == imo->imo_num_memberships) {
2056 error = EADDRNOTAVAIL;
2061 * Give up the multicast address record to which the
2062 * membership points.
2064 in_delmulti(imo->imo_membership[i]);
2066 * Remove the gap in the membership array.
2068 for (++i; i < imo->imo_num_memberships; ++i)
2069 imo->imo_membership[i-1] = imo->imo_membership[i];
2070 --imo->imo_num_memberships;
2080 * If all options have default values, no need to keep the mbuf.
2082 if (imo->imo_multicast_ifp == NULL &&
2083 imo->imo_multicast_vif == -1 &&
2084 imo->imo_multicast_ttl == IP_DEFAULT_MULTICAST_TTL &&
2085 imo->imo_multicast_loop == IP_DEFAULT_MULTICAST_LOOP &&
2086 imo->imo_num_memberships == 0) {
2087 free(*imop, M_IPMOPTS);
2095 * Return the IP multicast options in response to user getsockopt().
2098 ip_getmoptions(sopt, imo)
2099 struct sockopt *sopt;
2100 struct ip_moptions *imo;
2102 struct in_addr addr;
2103 struct in_ifaddr *ia;
2108 switch (sopt->sopt_name) {
2109 case IP_MULTICAST_VIF:
2111 optval = imo->imo_multicast_vif;
2114 error = sooptcopyout(sopt, &optval, sizeof optval);
2117 case IP_MULTICAST_IF:
2118 if (imo == NULL || imo->imo_multicast_ifp == NULL)
2119 addr.s_addr = INADDR_ANY;
2120 else if (imo->imo_multicast_addr.s_addr) {
2121 /* return the value user has set */
2122 addr = imo->imo_multicast_addr;
2124 IFP_TO_IA(imo->imo_multicast_ifp, ia);
2125 addr.s_addr = (ia == NULL) ? INADDR_ANY
2126 : IA_SIN(ia)->sin_addr.s_addr;
2128 error = sooptcopyout(sopt, &addr, sizeof addr);
2131 case IP_MULTICAST_TTL:
2133 optval = coptval = IP_DEFAULT_MULTICAST_TTL;
2135 optval = coptval = imo->imo_multicast_ttl;
2136 if (sopt->sopt_valsize == 1)
2137 error = sooptcopyout(sopt, &coptval, 1);
2139 error = sooptcopyout(sopt, &optval, sizeof optval);
2142 case IP_MULTICAST_LOOP:
2144 optval = coptval = IP_DEFAULT_MULTICAST_LOOP;
2146 optval = coptval = imo->imo_multicast_loop;
2147 if (sopt->sopt_valsize == 1)
2148 error = sooptcopyout(sopt, &coptval, 1);
2150 error = sooptcopyout(sopt, &optval, sizeof optval);
2154 error = ENOPROTOOPT;
2161 * Discard the IP multicast options.
2164 ip_freemoptions(imo)
2165 struct ip_moptions *imo;
2170 for (i = 0; i < imo->imo_num_memberships; ++i)
2171 in_delmulti(imo->imo_membership[i]);
2172 free(imo, M_IPMOPTS);
2177 * Routine called from ip_output() to loop back a copy of an IP multicast
2178 * packet to the input queue of a specified interface. Note that this
2179 * calls the output routine of the loopback "driver", but with an interface
2180 * pointer that might NOT be a loopback interface -- evil, but easier than
2181 * replicating that code here.
2184 ip_mloopback(ifp, m, dst, hlen)
2187 struct sockaddr_in *dst;
2193 copym = m_copy(m, 0, M_COPYALL);
2194 if (copym != NULL && (copym->m_flags & M_EXT || copym->m_len < hlen))
2195 copym = m_pullup(copym, hlen);
2196 if (copym != NULL) {
2198 * We don't bother to fragment if the IP length is greater
2199 * than the interface's MTU. Can this possibly matter?
2201 ip = mtod(copym, struct ip *);
2202 ip->ip_len = htons(ip->ip_len);
2203 ip->ip_off = htons(ip->ip_off);
2205 if (ip->ip_vhl == IP_VHL_BORING) {
2206 ip->ip_sum = in_cksum_hdr(ip);
2208 ip->ip_sum = in_cksum(copym, hlen);
2212 * It's not clear whether there are any lingering
2213 * reentrancy problems in other areas which might
2214 * be exposed by using ip_input directly (in
2215 * particular, everything which modifies the packet
2216 * in-place). Yet another option is using the
2217 * protosw directly to deliver the looped back
2218 * packet. For the moment, we'll err on the side
2219 * of safety by using if_simloop().
2222 if (dst->sin_family != AF_INET) {
2223 printf("ip_mloopback: bad address family %d\n",
2225 dst->sin_family = AF_INET;
2230 copym->m_pkthdr.rcvif = ifp;
2233 /* if the checksum hasn't been computed, mark it as valid */
2234 if (copym->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
2235 copym->m_pkthdr.csum_flags |=
2236 CSUM_DATA_VALID | CSUM_PSEUDO_HDR;
2237 copym->m_pkthdr.csum_data = 0xffff;
2239 if_simloop(ifp, copym, dst->sin_family, 0);