1
/*-
2
 * SPDX-License-Identifier: BSD-3-Clause
3
 *
4
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5
 * All rights reserved.
6
 *
7
 * Redistribution and use in source and binary forms, with or without
8
 * modification, are permitted provided that the following conditions
9
 * are met:
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 * 2. Redistributions in binary form must reproduce the above copyright
13
 *    notice, this list of conditions and the following disclaimer in the
14
 *    documentation and/or other materials provided with the distribution.
15
 * 3. Neither the name of the project nor the names of its contributors
16
 *    may be used to endorse or promote products derived from this software
17
 *    without specific prior written permission.
18
 *
19
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29
 * SUCH DAMAGE.
30
 *
31
 *	$KAME: ip6_forward.c,v 1.69 2001/05/17 03:48:30 itojun Exp $
32
 */
33

34
#include <sys/cdefs.h>
35
#include "opt_inet.h"
36
#include "opt_inet6.h"
37
#include "opt_ipsec.h"
38
#include "opt_ipstealth.h"
39
#include "opt_sctp.h"
40

41
#include <sys/param.h>
42
#include <sys/systm.h>
43
#include <sys/malloc.h>
44
#include <sys/mbuf.h>
45
#include <sys/domain.h>
46
#include <sys/protosw.h>
47
#include <sys/socket.h>
48
#include <sys/errno.h>
49
#include <sys/time.h>
50
#include <sys/kernel.h>
51
#include <sys/syslog.h>
52

53
#include <net/if.h>
54
#include <net/if_var.h>
55
#include <net/if_private.h>
56
#include <net/netisr.h>
57
#include <net/route.h>
58
#include <net/route/nhop.h>
59
#include <net/pfil.h>
60

61
#include <netinet/in.h>
62
#include <netinet/in_var.h>
63
#include <netinet/in_systm.h>
64
#include <netinet/ip.h>
65
#include <netinet/ip_var.h>
66
#include <netinet6/in6_var.h>
67
#include <netinet/ip6.h>
68
#include <netinet6/in6_fib.h>
69
#include <netinet6/ip6_var.h>
70
#include <netinet6/scope6_var.h>
71
#include <netinet/icmp6.h>
72
#include <netinet6/nd6.h>
73

74
#include <netinet/in_pcb.h>
75

76
#include <netipsec/ipsec_support.h>
77

78
#if defined(SCTP) || defined(SCTP_SUPPORT)
79
#include <netinet/sctp_crc32.h>
80
#endif
81

82
/*
83
 * Forward a packet.  If some error occurs return the sender
84
 * an icmp packet.  Note we can't always generate a meaningful
85
 * icmp message because icmp doesn't have a large enough repertoire
86
 * of codes and types.
87
 *
88
 * If not forwarding, just drop the packet.  This could be confusing
89
 * if ipforwarding was zero but some routing protocol was advancing
90
 * us as a gateway to somewhere.  However, we must let the routing
91
 * protocol deal with that.
92
 *
93
 */
94
void
95
ip6_forward(struct mbuf *m, int srcrt)
96
{
97
	struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
98
	struct sockaddr_in6 dst;
99
	struct nhop_object *nh = NULL;
100
	int error, type = 0, code = 0;
101
	struct mbuf *mcopy = NULL;
102
	struct ifnet *origifp;	/* maybe unnecessary */
103
	u_int32_t inzone, outzone;
104
	struct in6_addr odst;
105
	struct m_tag *fwd_tag;
106
	char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN];
107

108
	/*
109
	 * Do not forward packets to multicast destination (should be handled
110
	 * by ip6_mforward().
111
	 * Do not forward packets with unspecified source.  It was discussed
112
	 * in July 2000, on the ipngwg mailing list.
113
	 */
114
	if ((m->m_flags & (M_BCAST|M_MCAST)) != 0 ||
115
	    IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
116
	    IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src) ||
117
	    IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst)) {
118
		IP6STAT_INC(ip6s_cantforward);
119
		/* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard) */
120
		if (V_ip6_log_cannot_forward && ip6_log_ratelimit()) {
121
			log(LOG_DEBUG,
122
			    "cannot forward "
123
			    "from %s to %s nxt %d received on %s\n",
124
			    ip6_sprintf(ip6bufs, &ip6->ip6_src),
125
			    ip6_sprintf(ip6bufd, &ip6->ip6_dst),
126
			    ip6->ip6_nxt,
127
			    if_name(m->m_pkthdr.rcvif));
128
		}
129
		m_freem(m);
130
		return;
131
	}
132

133
	if (
134
#ifdef IPSTEALTH
135
	    V_ip6stealth == 0 &&
136
#endif
137
	    ip6->ip6_hlim <= IPV6_HLIMDEC) {
138
		/* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard) */
139
		icmp6_error(m, ICMP6_TIME_EXCEEDED,
140
		    ICMP6_TIME_EXCEED_TRANSIT, 0);
141
		return;
142
	}
143

144
	/*
145
	 * Save at most ICMPV6_PLD_MAXLEN (= the min IPv6 MTU -
146
	 * size of IPv6 + ICMPv6 headers) bytes of the packet in case
147
	 * we need to generate an ICMP6 message to the src.
148
	 * Thanks to M_EXT, in most cases copy will not occur.
149
	 *
150
	 * It is important to save it before IPsec processing as IPsec
151
	 * processing may modify the mbuf.
152
	 */
153
	mcopy = m_copym(m, 0, imin(m->m_pkthdr.len, ICMPV6_PLD_MAXLEN),
154
	    M_NOWAIT);
155
#ifdef IPSTEALTH
156
	if (V_ip6stealth == 0)
157
#endif
158
		ip6->ip6_hlim -= IPV6_HLIMDEC;
159

160
#if defined(IPSEC) || defined(IPSEC_SUPPORT)
161
	if (IPSEC_ENABLED(ipv6)) {
162
		if ((error = IPSEC_FORWARD(ipv6, m)) != 0) {
163
			/* mbuf consumed by IPsec */
164
			m_freem(mcopy);
165
			if (error != EINPROGRESS)
166
				IP6STAT_INC(ip6s_cantforward);
167
			return;
168
		}
169
		/* No IPsec processing required */
170
	}
171
#endif
172
	/*
173
	 * ip6_forward() operates with IPv6 addresses with deembedded scope.
174
	 *
175
	 * There are 3 sources of IPv6 destination address:
176
	 *
177
	 * 1) ip6_input(), where ip6_dst contains deembedded address.
178
	 *   In order to deal with forwarding of link-local packets,
179
	 *   calculate the scope based on input interface (RFC 4007, clause 9).
180
	 * 2) packet filters changing ip6_dst directly. It would embed scope
181
	 *   for LL addresses, so in6_localip() performs properly.
182
	 * 3) packet filters attaching PACKET_TAG_IPFORWARD would embed
183
	 *   scope for the nexthop.
184
	 */
185
	bzero(&dst, sizeof(struct sockaddr_in6));
186
	dst.sin6_family = AF_INET6;
187
	dst.sin6_addr = ip6->ip6_dst;
188
	dst.sin6_scope_id = in6_get_unicast_scopeid(&ip6->ip6_dst, m->m_pkthdr.rcvif);
189
again:
190
	nh = fib6_lookup(M_GETFIB(m), &dst.sin6_addr, dst.sin6_scope_id,
191
	    NHR_REF, m->m_pkthdr.flowid);
192
	if (nh == NULL) {
193
		IP6STAT_INC(ip6s_noroute);
194
		in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_noroute);
195
		if (mcopy) {
196
			icmp6_error(mcopy, ICMP6_DST_UNREACH,
197
			ICMP6_DST_UNREACH_NOROUTE, 0);
198
		}
199
		goto bad;
200
	}
201

202
	if (nh->nh_flags & (NHF_BLACKHOLE | NHF_REJECT)) {
203
		IP6STAT_INC(ip6s_cantforward);
204
		if (mcopy != NULL) {
205
			if (nh->nh_flags & NHF_REJECT) {
206
				icmp6_error(mcopy, ICMP6_DST_UNREACH,
207
				    ICMP6_DST_UNREACH_REJECT, 0);
208
			} else
209
				m_freem(mcopy);
210
		}
211
		goto bad;
212
	}
213

214
	/*
215
	 * Source scope check: if a packet can't be delivered to its
216
	 * destination for the reason that the destination is beyond the scope
217
	 * of the source address, discard the packet and return an icmp6
218
	 * destination unreachable error with Code 2 (beyond scope of source
219
	 * address).
220
	 * [draft-ietf-ipngwg-icmp-v3-04.txt, Section 3.1]
221
	 */
222
	outzone = in6_get_unicast_scopeid(&ip6->ip6_src, nh->nh_ifp);
223
	inzone = in6_get_unicast_scopeid(&ip6->ip6_src, m->m_pkthdr.rcvif);
224
	if (inzone != outzone) {
225
		IP6STAT_INC(ip6s_cantforward);
226
		IP6STAT_INC(ip6s_badscope);
227
		in6_ifstat_inc(nh->nh_ifp, ifs6_in_discard);
228

229
		if (V_ip6_log_cannot_forward && ip6_log_ratelimit()) {
230
			log(LOG_DEBUG,
231
			    "cannot forward "
232
			    "src %s, dst %s, nxt %d, rcvif %s, outif %s\n",
233
			    ip6_sprintf(ip6bufs, &ip6->ip6_src),
234
			    ip6_sprintf(ip6bufd, &ip6->ip6_dst),
235
			    ip6->ip6_nxt,
236
			    if_name(m->m_pkthdr.rcvif), if_name(nh->nh_ifp));
237
		}
238
		if (mcopy)
239
			icmp6_error(mcopy, ICMP6_DST_UNREACH,
240
				    ICMP6_DST_UNREACH_BEYONDSCOPE, 0);
241
		goto bad;
242
	}
243

244
	/*
245
	 * Destination scope check: if a packet is going to break the scope
246
	 * zone of packet's destination address, discard it.  This case should
247
	 * usually be prevented by appropriately-configured routing table, but
248
	 * we need an explicit check because we may mistakenly forward the
249
	 * packet to a different zone by (e.g.) a default route.
250
	 */
251
	inzone = in6_get_unicast_scopeid(&ip6->ip6_dst, m->m_pkthdr.rcvif);
252
	outzone = in6_get_unicast_scopeid(&ip6->ip6_dst, nh->nh_ifp);
253

254
	if (inzone != outzone) {
255
		IP6STAT_INC(ip6s_cantforward);
256
		IP6STAT_INC(ip6s_badscope);
257
		goto bad;
258
	}
259

260
	if (nh->nh_flags & NHF_GATEWAY) {
261
		/* Store gateway address in deembedded form */
262
		dst.sin6_addr = nh->gw6_sa.sin6_addr;
263
		dst.sin6_scope_id = ntohs(in6_getscope(&dst.sin6_addr));
264
		in6_clearscope(&dst.sin6_addr);
265
	}
266

267
	/*
268
	 * If we are to forward the packet using the same interface
269
	 * as one we got the packet from, perhaps we should send a redirect
270
	 * to sender to shortcut a hop.
271
	 * Only send redirect if source is sending directly to us,
272
	 * and if packet was not source routed (or has any options).
273
	 * Also, don't send redirect if forwarding using a route
274
	 * modified by a redirect.
275
	 */
276
	if (V_ip6_sendredirects && nh->nh_ifp == m->m_pkthdr.rcvif && !srcrt &&
277
	    (nh->nh_flags & NHF_REDIRECT) == 0)
278
		type = ND_REDIRECT;
279

280
	/*
281
	 * Fake scoped addresses. Note that even link-local source or
282
	 * destinaion can appear, if the originating node just sends the
283
	 * packet to us (without address resolution for the destination).
284
	 * Since both icmp6_error and icmp6_redirect_output fill the embedded
285
	 * link identifiers, we can do this stuff after making a copy for
286
	 * returning an error.
287
	 */
288
	if ((nh->nh_ifp->if_flags & IFF_LOOPBACK) != 0) {
289
		/*
290
		 * See corresponding comments in ip6_output.
291
		 * XXX: but is it possible that ip6_forward() sends a packet
292
		 *      to a loopback interface? I don't think so, and thus
293
		 *      I bark here. ([email protected])
294
		 * XXX: it is common to route invalid packets to loopback.
295
		 *	also, the codepath will be visited on use of ::1 in
296
		 *	rthdr. (itojun)
297
		 */
298
#if 1
299
		if (0)
300
#else
301
		if ((rt->rt_flags & (RTF_BLACKHOLE|RTF_REJECT)) == 0)
302
#endif
303
		{
304
			printf("ip6_forward: outgoing interface is loopback. "
305
			       "src %s, dst %s, nxt %d, rcvif %s, outif %s\n",
306
			       ip6_sprintf(ip6bufs, &ip6->ip6_src),
307
			       ip6_sprintf(ip6bufd, &ip6->ip6_dst),
308
			       ip6->ip6_nxt, if_name(m->m_pkthdr.rcvif),
309
			       if_name(nh->nh_ifp));
310
		}
311

312
		/* we can just use rcvif in forwarding. */
313
		origifp = m->m_pkthdr.rcvif;
314
	}
315
	else
316
		origifp = nh->nh_ifp;
317
	/*
318
	 * clear embedded scope identifiers if necessary.
319
	 * in6_clearscope will touch the addresses only when necessary.
320
	 */
321
	in6_clearscope(&ip6->ip6_src);
322
	in6_clearscope(&ip6->ip6_dst);
323

324
	/* Jump over all PFIL processing if hooks are not active. */
325
	if (!PFIL_HOOKED_OUT(V_inet6_pfil_head))
326
		goto pass;
327

328
	odst = ip6->ip6_dst;
329
	/* Run through list of hooks for forwarded packets. */
330
	if (pfil_mbuf_fwd(V_inet6_pfil_head, &m, nh->nh_ifp,
331
	    NULL) != PFIL_PASS)
332
		goto freecopy;
333
	ip6 = mtod(m, struct ip6_hdr *);
334

335
	/* See if destination IP address was changed by packet filter. */
336
	if (!IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst)) {
337
		m->m_flags |= M_SKIP_FIREWALL;
338
		/* If destination is now ourself drop to ip6_input(). */
339
		if (in6_localip(&ip6->ip6_dst))
340
			m->m_flags |= M_FASTFWD_OURS;
341
		else {
342
			NH_FREE(nh);
343

344
			/* Update address and scopeid. Assume scope is embedded */
345
			dst.sin6_scope_id = ntohs(in6_getscope(&ip6->ip6_dst));
346
			dst.sin6_addr = ip6->ip6_dst;
347
			in6_clearscope(&dst.sin6_addr);
348
			goto again;	/* Redo the routing table lookup. */
349
		}
350
	}
351

352
	/* See if local, if yes, send it to netisr. */
353
	if (m->m_flags & M_FASTFWD_OURS) {
354
		if (m->m_pkthdr.rcvif == NULL)
355
			m->m_pkthdr.rcvif = V_loif;
356
		if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) {
357
			m->m_pkthdr.csum_flags |=
358
			    CSUM_DATA_VALID_IPV6 | CSUM_PSEUDO_HDR;
359
			m->m_pkthdr.csum_data = 0xffff;
360
		}
361
#if defined(SCTP) || defined(SCTP_SUPPORT)
362
		if (m->m_pkthdr.csum_flags & CSUM_SCTP_IPV6)
363
			m->m_pkthdr.csum_flags |= CSUM_SCTP_VALID;
364
#endif
365
		error = netisr_queue(NETISR_IPV6, m);
366
		goto out;
367
	}
368
	/* Or forward to some other address? */
369
	if ((m->m_flags & M_IP6_NEXTHOP) &&
370
	    (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
371
		struct sockaddr_in6 *gw6 = (struct sockaddr_in6 *)(fwd_tag + 1);
372

373
		/* Update address and scopeid. Assume scope is embedded */
374
		dst.sin6_scope_id = ntohs(in6_getscope(&gw6->sin6_addr));
375
		dst.sin6_addr = gw6->sin6_addr;
376
		in6_clearscope(&dst.sin6_addr);
377

378
		m->m_flags |= M_SKIP_FIREWALL;
379
		m->m_flags &= ~M_IP6_NEXTHOP;
380
		m_tag_delete(m, fwd_tag);
381
		NH_FREE(nh);
382
		goto again;
383
	}
384

385
pass:
386
	/* See if the size was changed by the packet filter. */
387
	/* TODO: change to nh->nh_mtu */
388
	if (m->m_pkthdr.len > IN6_LINKMTU(nh->nh_ifp)) {
389
		in6_ifstat_inc(nh->nh_ifp, ifs6_in_toobig);
390
		if (mcopy)
391
			icmp6_error(mcopy, ICMP6_PACKET_TOO_BIG, 0,
392
			    IN6_LINKMTU(nh->nh_ifp));
393
		goto bad;
394
	}
395

396
	/*
397
	 * If TCP/UDP header still needs a valid checksum and interface will not
398
	 * calculate it for us, do it here.
399
	 */
400
	if (__predict_false(m->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6 &
401
	    ~nh->nh_ifp->if_hwassist)) {
402
		int offset = ip6_lasthdr(m, 0, IPPROTO_IPV6, NULL);
403

404
		if (offset < sizeof(struct ip6_hdr) || offset > m->m_pkthdr.len)
405
			goto bad;
406
		in6_delayed_cksum(m, m->m_pkthdr.len - offset, offset);
407
		m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
408
	}
409
#if defined(SCTP) || defined(SCTP_SUPPORT)
410
	if (__predict_false(m->m_pkthdr.csum_flags & CSUM_IP6_SCTP &
411
	    ~nh->nh_ifp->if_hwassist)) {
412
		int offset = ip6_lasthdr(m, 0, IPPROTO_IPV6, NULL);
413

414
		sctp_delayed_cksum(m, offset);
415
		m->m_pkthdr.csum_flags &= ~CSUM_IP6_SCTP;
416
	}
417
#endif
418

419
	/* Currently LLE layer stores embedded IPv6 addresses */
420
	if (IN6_IS_SCOPE_LINKLOCAL(&dst.sin6_addr)) {
421
		in6_set_unicast_scopeid(&dst.sin6_addr, dst.sin6_scope_id);
422
		dst.sin6_scope_id = 0;
423
	}
424
	error = nd6_output_ifp(nh->nh_ifp, origifp, m, &dst, NULL);
425
	if (error) {
426
		in6_ifstat_inc(nh->nh_ifp, ifs6_out_discard);
427
		IP6STAT_INC(ip6s_cantforward);
428
	} else {
429
		IP6STAT_INC(ip6s_forward);
430
		in6_ifstat_inc(nh->nh_ifp, ifs6_out_forward);
431
		if (type)
432
			IP6STAT_INC(ip6s_redirectsent);
433
		else {
434
			if (mcopy)
435
				goto freecopy;
436
		}
437
	}
438

439
	if (mcopy == NULL)
440
		goto out;
441
	switch (error) {
442
	case 0:
443
		if (type == ND_REDIRECT) {
444
			icmp6_redirect_output(mcopy, nh);
445
			goto out;
446
		}
447
		goto freecopy;
448

449
	case EMSGSIZE:
450
		/* xxx MTU is constant in PPP? */
451
		goto freecopy;
452

453
	case ENOBUFS:
454
		/* Tell source to slow down like source quench in IP? */
455
		goto freecopy;
456

457
	case ENETUNREACH:	/* shouldn't happen, checked above */
458
	case EHOSTUNREACH:
459
	case ENETDOWN:
460
	case EHOSTDOWN:
461
	default:
462
		type = ICMP6_DST_UNREACH;
463
		code = ICMP6_DST_UNREACH_ADDR;
464
		break;
465
	}
466
	icmp6_error(mcopy, type, code, 0);
467
	goto out;
468

469
 freecopy:
470
	m_freem(mcopy);
471
	goto out;
472
bad:
473
	m_freem(m);
474
out:
475
	if (nh != NULL)
476
		NH_FREE(nh);
477
}
478

479