1
/*-
2
 * SPDX-License-Identifier: BSD-3-Clause
3
 *
4
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5
 * All rights reserved.
6
 *
7
 * Redistribution and use in source and binary forms, with or without
8
 * modification, are permitted provided that the following conditions
9
 * are met:
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 * 2. Redistributions in binary form must reproduce the above copyright
13
 *    notice, this list of conditions and the following disclaimer in the
14
 *    documentation and/or other materials provided with the distribution.
15
 * 3. Neither the name of the project nor the names of its contributors
16
 *    may be used to endorse or promote products derived from this software
17
 *    without specific prior written permission.
18
 *
19
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29
 * SUCH DAMAGE.
30
 *
31
 *	$KAME: ip6_output.c,v 1.279 2002/01/26 06:12:30 jinmei Exp $
32
 */
33

34
/*-
35
 * Copyright (c) 1982, 1986, 1988, 1990, 1993
36
 *	The Regents of the University of California.  All rights reserved.
37
 *
38
 * Redistribution and use in source and binary forms, with or without
39
 * modification, are permitted provided that the following conditions
40
 * are met:
41
 * 1. Redistributions of source code must retain the above copyright
42
 *    notice, this list of conditions and the following disclaimer.
43
 * 2. Redistributions in binary form must reproduce the above copyright
44
 *    notice, this list of conditions and the following disclaimer in the
45
 *    documentation and/or other materials provided with the distribution.
46
 * 3. Neither the name of the University nor the names of its contributors
47
 *    may be used to endorse or promote products derived from this software
48
 *    without specific prior written permission.
49
 *
50
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
51
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
52
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
53
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
54
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
55
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
56
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
57
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
58
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
59
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
60
 * SUCH DAMAGE.
61
 */
62

63
#include <sys/cdefs.h>
64
#include "opt_inet.h"
65
#include "opt_inet6.h"
66
#include "opt_ipsec.h"
67
#include "opt_kern_tls.h"
68
#include "opt_ratelimit.h"
69
#include "opt_route.h"
70
#include "opt_rss.h"
71
#include "opt_sctp.h"
72

73
#include <sys/param.h>
74
#include <sys/kernel.h>
75
#include <sys/ktls.h>
76
#include <sys/malloc.h>
77
#include <sys/mbuf.h>
78
#include <sys/errno.h>
79
#include <sys/priv.h>
80
#include <sys/proc.h>
81
#include <sys/protosw.h>
82
#include <sys/socket.h>
83
#include <sys/socketvar.h>
84
#include <sys/syslog.h>
85
#include <sys/ucred.h>
86

87
#include <machine/in_cksum.h>
88

89
#include <net/if.h>
90
#include <net/if_var.h>
91
#include <net/if_private.h>
92
#include <net/if_vlan_var.h>
93
#include <net/if_llatbl.h>
94
#include <net/ethernet.h>
95
#include <net/netisr.h>
96
#include <net/route.h>
97
#include <net/route/nhop.h>
98
#include <net/pfil.h>
99
#include <net/rss_config.h>
100
#include <net/vnet.h>
101

102
#include <netinet/in.h>
103
#include <netinet/in_var.h>
104
#include <netinet/ip_var.h>
105
#include <netinet6/in6_fib.h>
106
#include <netinet6/in6_var.h>
107
#include <netinet/ip6.h>
108
#include <netinet/icmp6.h>
109
#include <netinet6/ip6_var.h>
110
#include <netinet/in_pcb.h>
111
#include <netinet/tcp_var.h>
112
#include <netinet6/nd6.h>
113
#include <netinet6/in6_rss.h>
114

115
#include <netipsec/ipsec_support.h>
116
#if defined(SCTP) || defined(SCTP_SUPPORT)
117
#include <netinet/sctp.h>
118
#include <netinet/sctp_crc32.h>
119
#endif
120

121
#include <netinet6/scope6_var.h>
122

123
extern int in6_mcast_loop;
124

125
struct ip6_exthdrs {
126
	struct mbuf *ip6e_ip6;
127
	struct mbuf *ip6e_hbh;
128
	struct mbuf *ip6e_dest1;
129
	struct mbuf *ip6e_rthdr;
130
	struct mbuf *ip6e_dest2;
131
};
132

133
static MALLOC_DEFINE(M_IP6OPT, "ip6opt", "IPv6 options");
134

135
static int ip6_pcbopt(int, u_char *, int, struct ip6_pktopts **,
136
			   struct ucred *, int);
137
static int ip6_pcbopts(struct ip6_pktopts **, struct mbuf *,
138
	struct socket *, struct sockopt *);
139
static int ip6_getpcbopt(struct inpcb *, int, struct sockopt *);
140
static int ip6_setpktopt(int, u_char *, int, struct ip6_pktopts *,
141
	struct ucred *, int, int, int);
142

143
static int ip6_copyexthdr(struct mbuf **, caddr_t, int);
144
static int ip6_insertfraghdr(struct mbuf *, struct mbuf *, int,
145
	struct ip6_frag **);
146
static int ip6_insert_jumboopt(struct ip6_exthdrs *, u_int32_t);
147
static int ip6_splithdr(struct mbuf *, struct ip6_exthdrs *);
148
static void ip6_getpmtu(struct route_in6 *, int,
149
	struct ifnet *, const struct in6_addr *, u_long *, u_int, u_int);
150
static void ip6_calcmtu(struct ifnet *, const struct in6_addr *, u_long,
151
	u_long *, u_int);
152
static int ip6_getpmtu_ctl(u_int, const struct in6_addr *, u_long *);
153
static int copypktopts(struct ip6_pktopts *, struct ip6_pktopts *, int);
154

155
/*
156
 * Make an extension header from option data.  hp is the source,
157
 * mp is the destination, and _ol is the optlen.
158
 */
159
#define	MAKE_EXTHDR(hp, mp, _ol)					\
160
    do {								\
161
	struct ip6_ext *eh = (struct ip6_ext *)(hp);		\
162
	error = ip6_copyexthdr((mp), (caddr_t)(hp),		\
163
	    ((eh)->ip6e_len + 1) << 3);				\
164
	if (error)						\
165
		goto freehdrs;					\
166
	(_ol) += (*(mp))->m_len;				\
167
    } while (/*CONSTCOND*/ 0)
168

169
/*
170
 * Form a chain of extension headers.
171
 * m is the extension header mbuf
172
 * mp is the previous mbuf in the chain
173
 * p is the next header
174
 * i is the type of option.
175
 */
176
#define MAKE_CHAIN(m, mp, p, i)\
177
    do {\
178
	if (m) {\
179
		if (!hdrsplit) \
180
			panic("%s:%d: assumption failed: "\
181
			    "hdr not split: hdrsplit %d exthdrs %p",\
182
			    __func__, __LINE__, hdrsplit, &exthdrs);\
183
		*mtod((m), u_char *) = *(p);\
184
		*(p) = (i);\
185
		p = mtod((m), u_char *);\
186
		(m)->m_next = (mp)->m_next;\
187
		(mp)->m_next = (m);\
188
		(mp) = (m);\
189
	}\
190
    } while (/*CONSTCOND*/ 0)
191

192
void
193
in6_delayed_cksum(struct mbuf *m, uint32_t plen, u_short offset)
194
{
195
	u_short csum;
196

197
	csum = in_cksum_skip(m, offset + plen, offset);
198
	if (m->m_pkthdr.csum_flags & CSUM_UDP_IPV6 && csum == 0)
199
		csum = 0xffff;
200
	offset += m->m_pkthdr.csum_data;	/* checksum offset */
201

202
	if (offset + sizeof(csum) > m->m_len)
203
		m_copyback(m, offset, sizeof(csum), (caddr_t)&csum);
204
	else
205
		*(u_short *)mtodo(m, offset) = csum;
206
}
207

208
static void
209
ip6_output_delayed_csum(struct mbuf *m, struct ifnet *ifp, int csum_flags,
210
    int plen, int optlen)
211
{
212

213
	KASSERT((plen >= optlen), ("%s:%d: plen %d < optlen %d, m %p, ifp %p "
214
	    "csum_flags %#x",
215
	    __func__, __LINE__, plen, optlen, m, ifp, csum_flags));
216

217
	if (csum_flags & CSUM_DELAY_DATA_IPV6) {
218
		in6_delayed_cksum(m, plen - optlen,
219
		    sizeof(struct ip6_hdr) + optlen);
220
		m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
221
	}
222
#if defined(SCTP) || defined(SCTP_SUPPORT)
223
	if (csum_flags & CSUM_SCTP_IPV6) {
224
		sctp_delayed_cksum(m, sizeof(struct ip6_hdr) + optlen);
225
		m->m_pkthdr.csum_flags &= ~CSUM_SCTP_IPV6;
226
	}
227
#endif
228
}
229

230
int
231
ip6_fragment(struct ifnet *ifp, struct mbuf *m0, int hlen, u_char nextproto,
232
    int fraglen , uint32_t id)
233
{
234
	struct mbuf *m, **mnext, *m_frgpart;
235
	struct ip6_hdr *ip6, *mhip6;
236
	struct ip6_frag *ip6f;
237
	int off;
238
	int error;
239
	int tlen = m0->m_pkthdr.len;
240

241
	KASSERT((fraglen % 8 == 0), ("Fragment length must be a multiple of 8"));
242

243
	m = m0;
244
	ip6 = mtod(m, struct ip6_hdr *);
245
	mnext = &m->m_nextpkt;
246

247
	for (off = hlen; off < tlen; off += fraglen) {
248
		m = m_gethdr(M_NOWAIT, MT_DATA);
249
		if (!m) {
250
			IP6STAT_INC(ip6s_odropped);
251
			return (ENOBUFS);
252
		}
253

254
		/*
255
		 * Make sure the complete packet header gets copied
256
		 * from the originating mbuf to the newly created
257
		 * mbuf. This also ensures that existing firewall
258
		 * classification(s), VLAN tags and so on get copied
259
		 * to the resulting fragmented packet(s):
260
		 */
261
		if (m_dup_pkthdr(m, m0, M_NOWAIT) == 0) {
262
			m_free(m);
263
			IP6STAT_INC(ip6s_odropped);
264
			return (ENOBUFS);
265
		}
266

267
		*mnext = m;
268
		mnext = &m->m_nextpkt;
269
		m->m_data += max_linkhdr;
270
		mhip6 = mtod(m, struct ip6_hdr *);
271
		*mhip6 = *ip6;
272
		m->m_len = sizeof(*mhip6);
273
		error = ip6_insertfraghdr(m0, m, hlen, &ip6f);
274
		if (error) {
275
			IP6STAT_INC(ip6s_odropped);
276
			return (error);
277
		}
278
		ip6f->ip6f_offlg = htons((u_short)((off - hlen) & ~7));
279
		if (off + fraglen >= tlen)
280
			fraglen = tlen - off;
281
		else
282
			ip6f->ip6f_offlg |= IP6F_MORE_FRAG;
283
		mhip6->ip6_plen = htons((u_short)(fraglen + hlen +
284
		    sizeof(*ip6f) - sizeof(struct ip6_hdr)));
285
		if ((m_frgpart = m_copym(m0, off, fraglen, M_NOWAIT)) == NULL) {
286
			IP6STAT_INC(ip6s_odropped);
287
			return (ENOBUFS);
288
		}
289
		m_cat(m, m_frgpart);
290
		m->m_pkthdr.len = fraglen + hlen + sizeof(*ip6f);
291
		ip6f->ip6f_reserved = 0;
292
		ip6f->ip6f_ident = id;
293
		ip6f->ip6f_nxt = nextproto;
294
		IP6STAT_INC(ip6s_ofragments);
295
		in6_ifstat_inc(ifp, ifs6_out_fragcreat);
296
	}
297

298
	return (0);
299
}
300

301
static int
302
ip6_output_send(struct inpcb *inp, struct ifnet *ifp, struct ifnet *origifp,
303
    struct mbuf *m, struct sockaddr_in6 *dst, struct route_in6 *ro,
304
    bool stamp_tag)
305
{
306
#ifdef KERN_TLS
307
	struct ktls_session *tls = NULL;
308
#endif
309
	struct m_snd_tag *mst;
310
	int error;
311

312
	MPASS((m->m_pkthdr.csum_flags & CSUM_SND_TAG) == 0);
313
	mst = NULL;
314

315
#ifdef KERN_TLS
316
	/*
317
	 * If this is an unencrypted TLS record, save a reference to
318
	 * the record.  This local reference is used to call
319
	 * ktls_output_eagain after the mbuf has been freed (thus
320
	 * dropping the mbuf's reference) in if_output.
321
	 */
322
	if (m->m_next != NULL && mbuf_has_tls_session(m->m_next)) {
323
		tls = ktls_hold(m->m_next->m_epg_tls);
324
		mst = tls->snd_tag;
325

326
		/*
327
		 * If a TLS session doesn't have a valid tag, it must
328
		 * have had an earlier ifp mismatch, so drop this
329
		 * packet.
330
		 */
331
		if (mst == NULL) {
332
			m_freem(m);
333
			error = EAGAIN;
334
			goto done;
335
		}
336
		/*
337
		 * Always stamp tags that include NIC ktls.
338
		 */
339
		stamp_tag = true;
340
	}
341
#endif
342
#ifdef RATELIMIT
343
	if (inp != NULL && mst == NULL) {
344
		if ((inp->inp_flags2 & INP_RATE_LIMIT_CHANGED) != 0 ||
345
		    (inp->inp_snd_tag != NULL &&
346
		    inp->inp_snd_tag->ifp != ifp))
347
			in_pcboutput_txrtlmt(inp, ifp, m);
348

349
		if (inp->inp_snd_tag != NULL)
350
			mst = inp->inp_snd_tag;
351
	}
352
#endif
353
	if (stamp_tag && mst != NULL) {
354
		KASSERT(m->m_pkthdr.rcvif == NULL,
355
		    ("trying to add a send tag to a forwarded packet"));
356
		if (mst->ifp != ifp) {
357
			m_freem(m);
358
			error = EAGAIN;
359
			goto done;
360
		}
361

362
		/* stamp send tag on mbuf */
363
		m->m_pkthdr.snd_tag = m_snd_tag_ref(mst);
364
		m->m_pkthdr.csum_flags |= CSUM_SND_TAG;
365
	}
366

367
	error = nd6_output_ifp(ifp, origifp, m, dst, (struct route *)ro);
368

369
done:
370
	/* Check for route change invalidating send tags. */
371
#ifdef KERN_TLS
372
	if (tls != NULL) {
373
		if (error == EAGAIN)
374
			error = ktls_output_eagain(inp, tls);
375
		ktls_free(tls);
376
	}
377
#endif
378
#ifdef RATELIMIT
379
	if (error == EAGAIN)
380
		in_pcboutput_eagain(inp);
381
#endif
382
	return (error);
383
}
384

385
/*
386
 * IP6 output.
387
 * The packet in mbuf chain m contains a skeletal IP6 header (with pri, len,
388
 * nxt, hlim, src, dst).
389
 * This function may modify ver and hlim only.
390
 * The mbuf chain containing the packet will be freed.
391
 * The mbuf opt, if present, will not be freed.
392
 * If route_in6 ro is present and has ro_nh initialized, route lookup would be
393
 * skipped and ro->ro_nh would be used. If ro is present but ro->ro_nh is NULL,
394
 * then result of route lookup is stored in ro->ro_nh.
395
 *
396
 * Type of "mtu": rt_mtu is u_long, ifnet.ifr_mtu is int, and nd_ifinfo.linkmtu
397
 * is uint32_t.  So we use u_long to hold largest one, which is rt_mtu.
398
 *
399
 * ifpp - XXX: just for statistics
400
 */
401
int
402
ip6_output(struct mbuf *m0, struct ip6_pktopts *opt,
403
    struct route_in6 *ro, int flags, struct ip6_moptions *im6o,
404
    struct ifnet **ifpp, struct inpcb *inp)
405
{
406
	struct ip6_hdr *ip6;
407
	struct ifnet *ifp, *origifp;
408
	struct mbuf *m = m0;
409
	struct mbuf *mprev;
410
	struct route_in6 *ro_pmtu;
411
	struct nhop_object *nh;
412
	struct sockaddr_in6 *dst, sin6, src_sa, dst_sa;
413
	struct in6_addr odst;
414
	u_char *nexthdrp;
415
	int tlen, len;
416
	int error = 0;
417
	int vlan_pcp = -1;
418
	struct in6_ifaddr *ia = NULL;
419
	u_long mtu;
420
	int dontfrag;
421
	u_int32_t optlen, plen = 0, unfragpartlen;
422
	struct ip6_exthdrs exthdrs;
423
	struct in6_addr src0, dst0;
424
	u_int32_t zone;
425
	bool hdrsplit;
426
	int sw_csum, tso;
427
	int needfiblookup;
428
	uint32_t fibnum;
429
	struct m_tag *fwd_tag = NULL;
430
	uint32_t id;
431
	uint32_t optvalid;
432

433
	NET_EPOCH_ASSERT();
434

435
	if (inp != NULL) {
436
		INP_LOCK_ASSERT(inp);
437
		M_SETFIB(m, inp->inp_inc.inc_fibnum);
438
		if ((flags & IP_NODEFAULTFLOWID) == 0) {
439
			/* Unconditionally set flowid. */
440
			m->m_pkthdr.flowid = inp->inp_flowid;
441
			M_HASHTYPE_SET(m, inp->inp_flowtype);
442
		}
443
		if ((inp->inp_flags2 & INP_2PCP_SET) != 0)
444
			vlan_pcp = (inp->inp_flags2 & INP_2PCP_MASK) >>
445
			    INP_2PCP_SHIFT;
446
#ifdef NUMA
447
		m->m_pkthdr.numa_domain = inp->inp_numa_domain;
448
#endif
449
	}
450

451
	/* Source address validation. */
452
	ip6 = mtod(m, struct ip6_hdr *);
453
	if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src) &&
454
	    (flags & IPV6_UNSPECSRC) == 0) {
455
		error = EOPNOTSUPP;
456
		IP6STAT_INC(ip6s_badscope);
457
		goto bad;
458
	}
459
	if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src)) {
460
		error = EOPNOTSUPP;
461
		IP6STAT_INC(ip6s_badscope);
462
		goto bad;
463
	}
464

465
	/*
466
	 * If we are given packet options to add extension headers prepare them.
467
	 * Calculate the total length of the extension header chain.
468
	 * Keep the length of the unfragmentable part for fragmentation.
469
	 */
470
	bzero(&exthdrs, sizeof(exthdrs));
471
	optlen = optvalid = 0;
472
	unfragpartlen = sizeof(struct ip6_hdr);
473
	if (opt) {
474
		optvalid = opt->ip6po_valid;
475

476
		/* Hop-by-Hop options header. */
477
		if ((optvalid & IP6PO_VALID_HBH) != 0)
478
			MAKE_EXTHDR(opt->ip6po_hbh, &exthdrs.ip6e_hbh, optlen);
479

480
		/* Destination options header (1st part). */
481
		if ((optvalid & IP6PO_VALID_RHINFO) != 0) {
482
#ifndef RTHDR_SUPPORT_IMPLEMENTED
483
			/*
484
			 * If there is a routing header, discard the packet
485
			 * right away here. RH0/1 are obsolete and we do not
486
			 * currently support RH2/3/4.
487
			 * People trying to use RH253/254 may want to disable
488
			 * this check.
489
			 * The moment we do support any routing header (again)
490
			 * this block should check the routing type more
491
			 * selectively.
492
			 */
493
			error = EINVAL;
494
			goto bad;
495
#endif
496

497
			/*
498
			 * Destination options header (1st part).
499
			 * This only makes sense with a routing header.
500
			 * See Section 9.2 of RFC 3542.
501
			 * Disabling this part just for MIP6 convenience is
502
			 * a bad idea.  We need to think carefully about a
503
			 * way to make the advanced API coexist with MIP6
504
			 * options, which might automatically be inserted in
505
			 * the kernel.
506
			 */
507
			if ((optvalid & IP6PO_VALID_DEST1) != 0)
508
				MAKE_EXTHDR(opt->ip6po_dest1, &exthdrs.ip6e_dest1,
509
				    optlen);
510
		}
511
		/* Routing header. */
512
		if ((optvalid & IP6PO_VALID_RHINFO) != 0)
513
			MAKE_EXTHDR(opt->ip6po_rthdr, &exthdrs.ip6e_rthdr, optlen);
514

515
		unfragpartlen += optlen;
516

517
		/*
518
		 * NOTE: we don't add AH/ESP length here (done in
519
		 * ip6_ipsec_output()).
520
		 */
521

522
		/* Destination options header (2nd part). */
523
		if ((optvalid & IP6PO_VALID_DEST2) != 0)
524
			MAKE_EXTHDR(opt->ip6po_dest2, &exthdrs.ip6e_dest2, optlen);
525
	}
526

527
	/*
528
	 * If there is at least one extension header,
529
	 * separate IP6 header from the payload.
530
	 */
531
	hdrsplit = false;
532
	if (optlen) {
533
		if ((error = ip6_splithdr(m, &exthdrs)) != 0) {
534
			m = NULL;
535
			goto freehdrs;
536
		}
537
		m = exthdrs.ip6e_ip6;
538
		ip6 = mtod(m, struct ip6_hdr *);
539
		hdrsplit = true;
540
	}
541

542
	/* Adjust mbuf packet header length. */
543
	m->m_pkthdr.len += optlen;
544
	plen = m->m_pkthdr.len - sizeof(*ip6);
545

546
	/* If this is a jumbo payload, insert a jumbo payload option. */
547
	if (plen > IPV6_MAXPACKET) {
548
		if (!hdrsplit) {
549
			if ((error = ip6_splithdr(m, &exthdrs)) != 0) {
550
				m = NULL;
551
				goto freehdrs;
552
			}
553
			m = exthdrs.ip6e_ip6;
554
			ip6 = mtod(m, struct ip6_hdr *);
555
			hdrsplit = true;
556
		}
557
		if ((error = ip6_insert_jumboopt(&exthdrs, plen)) != 0)
558
			goto freehdrs;
559
		ip6->ip6_plen = 0;
560
	} else
561
		ip6->ip6_plen = htons(plen);
562
	nexthdrp = &ip6->ip6_nxt;
563

564
	if (optlen) {
565
		/*
566
		 * Concatenate headers and fill in next header fields.
567
		 * Here we have, on "m"
568
		 *	IPv6 payload
569
		 * and we insert headers accordingly.
570
		 * Finally, we should be getting:
571
		 *	IPv6 hbh dest1 rthdr ah* [esp* dest2 payload].
572
		 *
573
		 * During the header composing process "m" points to IPv6
574
		 * header.  "mprev" points to an extension header prior to esp.
575
		 */
576
		mprev = m;
577

578
		/*
579
		 * We treat dest2 specially.  This makes IPsec processing
580
		 * much easier.  The goal here is to make mprev point the
581
		 * mbuf prior to dest2.
582
		 *
583
		 * Result: IPv6 dest2 payload.
584
		 * m and mprev will point to IPv6 header.
585
		 */
586
		if (exthdrs.ip6e_dest2) {
587
			if (!hdrsplit)
588
				panic("%s:%d: assumption failed: "
589
				    "hdr not split: hdrsplit %d exthdrs %p",
590
				    __func__, __LINE__, hdrsplit, &exthdrs);
591
			exthdrs.ip6e_dest2->m_next = m->m_next;
592
			m->m_next = exthdrs.ip6e_dest2;
593
			*mtod(exthdrs.ip6e_dest2, u_char *) = ip6->ip6_nxt;
594
			ip6->ip6_nxt = IPPROTO_DSTOPTS;
595
		}
596

597
		/*
598
		 * Result: IPv6 hbh dest1 rthdr dest2 payload.
599
		 * m will point to IPv6 header.  mprev will point to the
600
		 * extension header prior to dest2 (rthdr in the above case).
601
		 */
602
		MAKE_CHAIN(exthdrs.ip6e_hbh, mprev, nexthdrp, IPPROTO_HOPOPTS);
603
		MAKE_CHAIN(exthdrs.ip6e_dest1, mprev, nexthdrp,
604
			   IPPROTO_DSTOPTS);
605
		MAKE_CHAIN(exthdrs.ip6e_rthdr, mprev, nexthdrp,
606
			   IPPROTO_ROUTING);
607
	}
608

609
	IP6STAT_INC(ip6s_localout);
610

611
	/* Route packet. */
612
	ro_pmtu = ro;
613
	if ((optvalid & IP6PO_VALID_RHINFO) != 0)
614
		ro = &opt->ip6po_route;
615
	if (ro != NULL)
616
		dst = (struct sockaddr_in6 *)&ro->ro_dst;
617
	else
618
		dst = &sin6;
619
	fibnum = (inp != NULL) ? inp->inp_inc.inc_fibnum : M_GETFIB(m);
620

621
again:
622
	/*
623
	 * If specified, try to fill in the traffic class field.
624
	 * Do not override if a non-zero value is already set.
625
	 * We check the diffserv field and the ECN field separately.
626
	 */
627
	if ((optvalid & IP6PO_VALID_TC) != 0){
628
		int mask = 0;
629

630
		if (IPV6_DSCP(ip6) == 0)
631
			mask |= 0xfc;
632
		if (IPV6_ECN(ip6) == 0)
633
			mask |= 0x03;
634
		if (mask != 0)
635
			ip6->ip6_flow |= htonl((opt->ip6po_tclass & mask) << 20);
636
	}
637

638
	/* Fill in or override the hop limit field, if necessary. */
639
	if ((optvalid & IP6PO_VALID_HLIM) != 0)
640
		ip6->ip6_hlim = opt->ip6po_hlim & 0xff;
641
	else if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
642
		if (im6o != NULL)
643
			ip6->ip6_hlim = im6o->im6o_multicast_hlim;
644
		else
645
			ip6->ip6_hlim = V_ip6_defmcasthlim;
646
	}
647

648
	if (ro == NULL || ro->ro_nh == NULL) {
649
		bzero(dst, sizeof(*dst));
650
		dst->sin6_family = AF_INET6;
651
		dst->sin6_len = sizeof(*dst);
652
		dst->sin6_addr = ip6->ip6_dst;
653
	} 
654
	/*
655
	 * Validate route against routing table changes.
656
	 * Make sure that the address family is set in route.
657
	 */
658
	nh = NULL;
659
	ifp = NULL;
660
	mtu = 0;
661
	if (ro != NULL) {
662
		if (ro->ro_nh != NULL && inp != NULL) {
663
			ro->ro_dst.sin6_family = AF_INET6; /* XXX KASSERT? */
664
			NH_VALIDATE((struct route *)ro, &inp->inp_rt_cookie,
665
			    fibnum);
666
		}
667
		if (ro->ro_nh != NULL && fwd_tag == NULL &&
668
		    (!NH_IS_VALID(ro->ro_nh) ||
669
		    ro->ro_dst.sin6_family != AF_INET6 ||
670
		    !IN6_ARE_ADDR_EQUAL(&ro->ro_dst.sin6_addr, &ip6->ip6_dst)))
671
			RO_INVALIDATE_CACHE(ro);
672

673
		if (ro->ro_nh != NULL && fwd_tag == NULL &&
674
		    ro->ro_dst.sin6_family == AF_INET6 &&
675
		    IN6_ARE_ADDR_EQUAL(&ro->ro_dst.sin6_addr, &ip6->ip6_dst)) {
676
			/* Nexthop is valid and contains valid ifp */
677
			nh = ro->ro_nh;
678
		} else {
679
			if (ro->ro_lle)
680
				LLE_FREE(ro->ro_lle);	/* zeros ro_lle */
681
			ro->ro_lle = NULL;
682
			if (fwd_tag == NULL) {
683
				bzero(&dst_sa, sizeof(dst_sa));
684
				dst_sa.sin6_family = AF_INET6;
685
				dst_sa.sin6_len = sizeof(dst_sa);
686
				dst_sa.sin6_addr = ip6->ip6_dst;
687
			}
688
			error = in6_selectroute(&dst_sa, opt, im6o, ro, &ifp,
689
			    &nh, fibnum, m->m_pkthdr.flowid);
690
			if (error != 0) {
691
				IP6STAT_INC(ip6s_noroute);
692
				if (ifp != NULL)
693
					in6_ifstat_inc(ifp, ifs6_out_discard);
694
				goto bad;
695
			}
696
			/*
697
			 * At this point at least @ifp is not NULL
698
			 * Can be the case when dst is multicast, link-local or
699
			 * interface is explicitly specificed by the caller.
700
			 */
701
		}
702
		if (nh == NULL) {
703
			/*
704
			 * If in6_selectroute() does not return a nexthop
705
			 * dst may not have been updated.
706
			 */
707
			*dst = dst_sa;	/* XXX */
708
			origifp = ifp;
709
			mtu = ifp->if_mtu;
710
		} else {
711
			ifp = nh->nh_ifp;
712
			origifp = nh->nh_aifp;
713
			ia = (struct in6_ifaddr *)(nh->nh_ifa);
714
			counter_u64_add(nh->nh_pksent, 1);
715
		}
716
	} else {
717
		struct nhop_object *nh;
718
		struct in6_addr kdst;
719
		uint32_t scopeid;
720

721
		if (fwd_tag == NULL) {
722
			bzero(&dst_sa, sizeof(dst_sa));
723
			dst_sa.sin6_family = AF_INET6;
724
			dst_sa.sin6_len = sizeof(dst_sa);
725
			dst_sa.sin6_addr = ip6->ip6_dst;
726
		}
727

728
		if (IN6_IS_ADDR_MULTICAST(&dst_sa.sin6_addr) &&
729
		    im6o != NULL &&
730
		    (ifp = im6o->im6o_multicast_ifp) != NULL) {
731
			/* We do not need a route lookup. */
732
			*dst = dst_sa;	/* XXX */
733
			origifp = ifp;
734
			goto nonh6lookup;
735
		}
736

737
		in6_splitscope(&dst_sa.sin6_addr, &kdst, &scopeid);
738

739
		if (IN6_IS_ADDR_MC_LINKLOCAL(&dst_sa.sin6_addr) ||
740
		    IN6_IS_ADDR_MC_NODELOCAL(&dst_sa.sin6_addr)) {
741
			if (scopeid > 0) {
742
				ifp = in6_getlinkifnet(scopeid);
743
				if (ifp == NULL) {
744
					error = EHOSTUNREACH;
745
					goto bad;
746
				}
747
				*dst = dst_sa;	/* XXX */
748
				origifp = ifp;
749
				goto nonh6lookup;
750
			}
751
		}
752

753
		nh = fib6_lookup(fibnum, &kdst, scopeid, NHR_NONE,
754
		    m->m_pkthdr.flowid);
755
		if (nh == NULL) {
756
			IP6STAT_INC(ip6s_noroute);
757
			/* No ifp in6_ifstat_inc(ifp, ifs6_out_discard); */
758
			error = EHOSTUNREACH;
759
			goto bad;
760
		}
761

762
		ifp = nh->nh_ifp;
763
		origifp = nh->nh_aifp;
764
		ia = ifatoia6(nh->nh_ifa);
765
		if (nh->nh_flags & NHF_GATEWAY)
766
			dst->sin6_addr = nh->gw6_sa.sin6_addr;
767
		else if (fwd_tag != NULL)
768
			dst->sin6_addr = dst_sa.sin6_addr;
769
nonh6lookup:
770
		;
771
	}
772
	/*
773
	 * At this point ifp MUST be pointing to the valid transmit ifp.
774
	 * origifp MUST be valid and pointing to either the same ifp or,
775
	 * in case of loopback output, to the interface which ip6_src
776
	 * belongs to.
777
	 * Examples:
778
	 *  fe80::1%em0 -> fe80::2%em0 -> ifp=em0, origifp=em0
779
	 *  fe80::1%em0 -> fe80::1%em0 -> ifp=lo0, origifp=em0
780
	 *  ::1 -> ::1 -> ifp=lo0, origifp=lo0
781
	 *
782
	 * mtu can be 0 and will be refined later.
783
	 */
784
	KASSERT((ifp != NULL), ("output interface must not be NULL"));
785
	KASSERT((origifp != NULL), ("output address interface must not be NULL"));
786

787
#if defined(IPSEC) || defined(IPSEC_SUPPORT)
788
	/*
789
	 * IPSec checking which handles several cases.
790
	 * FAST IPSEC: We re-injected the packet.
791
	 * XXX: need scope argument.
792
	 */
793
	if (IPSEC_ENABLED(ipv6)) {
794
		if ((error = IPSEC_OUTPUT(ipv6, ifp, m, inp, mtu == 0 ?
795
		    ifp->if_mtu : mtu)) != 0) {
796
			if (error == EINPROGRESS)
797
				error = 0;
798
			goto done;
799
		}
800
	}
801
#endif /* IPSEC */
802

803
	if ((flags & IPV6_FORWARDING) == 0) {
804
		/* XXX: the FORWARDING flag can be set for mrouting. */
805
		in6_ifstat_inc(ifp, ifs6_out_request);
806
	}
807

808
	/* Setup data structures for scope ID checks. */
809
	src0 = ip6->ip6_src;
810
	bzero(&src_sa, sizeof(src_sa));
811
	src_sa.sin6_family = AF_INET6;
812
	src_sa.sin6_len = sizeof(src_sa);
813
	src_sa.sin6_addr = ip6->ip6_src;
814

815
	dst0 = ip6->ip6_dst;
816
	/* Re-initialize to be sure. */
817
	bzero(&dst_sa, sizeof(dst_sa));
818
	dst_sa.sin6_family = AF_INET6;
819
	dst_sa.sin6_len = sizeof(dst_sa);
820
	dst_sa.sin6_addr = ip6->ip6_dst;
821

822
	/* Check for valid scope ID. */
823
	if (in6_setscope(&src0, origifp, &zone) == 0 &&
824
	    sa6_recoverscope(&src_sa) == 0 && zone == src_sa.sin6_scope_id &&
825
	    in6_setscope(&dst0, origifp, &zone) == 0 &&
826
	    sa6_recoverscope(&dst_sa) == 0 && zone == dst_sa.sin6_scope_id) {
827
		/*
828
		 * The outgoing interface is in the zone of the source
829
		 * and destination addresses.
830
		 *
831
		 */
832
	} else if ((origifp->if_flags & IFF_LOOPBACK) == 0 ||
833
	    sa6_recoverscope(&src_sa) != 0 ||
834
	    sa6_recoverscope(&dst_sa) != 0 ||
835
	    dst_sa.sin6_scope_id == 0 ||
836
	    (src_sa.sin6_scope_id != 0 &&
837
	    src_sa.sin6_scope_id != dst_sa.sin6_scope_id) ||
838
	    ifnet_byindex(dst_sa.sin6_scope_id) == NULL) {
839
		/*
840
		 * If the destination network interface is not a
841
		 * loopback interface, or the destination network
842
		 * address has no scope ID, or the source address has
843
		 * a scope ID set which is different from the
844
		 * destination address one, or there is no network
845
		 * interface representing this scope ID, the address
846
		 * pair is considered invalid.
847
		 */
848
		IP6STAT_INC(ip6s_badscope);
849
		in6_ifstat_inc(origifp, ifs6_out_discard);
850
		if (error == 0)
851
			error = EHOSTUNREACH; /* XXX */
852
		goto bad;
853
	}
854
	/* All scope ID checks are successful. */
855

856
	if (nh && !IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
857
		if ((optvalid & IP6PO_VALID_NHINFO) != 0) {
858
			/*
859
			 * The nexthop is explicitly specified by the
860
			 * application.  We assume the next hop is an IPv6
861
			 * address.
862
			 */
863
			dst = (struct sockaddr_in6 *)opt->ip6po_nexthop;
864
		}
865
		else if ((nh->nh_flags & NHF_GATEWAY))
866
			dst = &nh->gw6_sa;
867
	}
868

869
	if (!IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
870
		m->m_flags &= ~(M_BCAST | M_MCAST); /* Just in case. */
871
	} else {
872
		m->m_flags = (m->m_flags & ~M_BCAST) | M_MCAST;
873
		in6_ifstat_inc(ifp, ifs6_out_mcast);
874

875
		/* Confirm that the outgoing interface supports multicast. */
876
		if (!(ifp->if_flags & IFF_MULTICAST)) {
877
			IP6STAT_INC(ip6s_noroute);
878
			in6_ifstat_inc(ifp, ifs6_out_discard);
879
			error = ENETUNREACH;
880
			goto bad;
881
		}
882
		if ((im6o == NULL && in6_mcast_loop) ||
883
		    (im6o && im6o->im6o_multicast_loop)) {
884
			/*
885
			 * Loop back multicast datagram if not expressly
886
			 * forbidden to do so, even if we have not joined
887
			 * the address; protocols will filter it later,
888
			 * thus deferring a hash lookup and lock acquisition
889
			 * at the expense of an m_copym().
890
			 */
891
			ip6_mloopback(ifp, m);
892
		} else {
893
			/*
894
			 * If we are acting as a multicast router, perform
895
			 * multicast forwarding as if the packet had just
896
			 * arrived on the interface to which we are about
897
			 * to send.  The multicast forwarding function
898
			 * recursively calls this function, using the
899
			 * IPV6_FORWARDING flag to prevent infinite recursion.
900
			 *
901
			 * Multicasts that are looped back by ip6_mloopback(),
902
			 * above, will be forwarded by the ip6_input() routine,
903
			 * if necessary.
904
			 */
905
			if (V_ip6_mrouter && (flags & IPV6_FORWARDING) == 0) {
906
				/*
907
				 * XXX: ip6_mforward expects that rcvif is NULL
908
				 * when it is called from the originating path.
909
				 * However, it may not always be the case.
910
				 */
911
				m->m_pkthdr.rcvif = NULL;
912
				if (ip6_mforward(ip6, ifp, m) != 0) {
913
					m_freem(m);
914
					goto done;
915
				}
916
			}
917
		}
918
		/*
919
		 * Multicasts with a hoplimit of zero may be looped back,
920
		 * above, but must not be transmitted on a network.
921
		 * Also, multicasts addressed to the loopback interface
922
		 * are not sent -- the above call to ip6_mloopback() will
923
		 * loop back a copy if this host actually belongs to the
924
		 * destination group on the loopback interface.
925
		 */
926
		if (ip6->ip6_hlim == 0 || (ifp->if_flags & IFF_LOOPBACK) ||
927
		    IN6_IS_ADDR_MC_INTFACELOCAL(&ip6->ip6_dst)) {
928
			m_freem(m);
929
			goto done;
930
		}
931
	}
932

933
	/*
934
	 * Fill the outgoing inteface to tell the upper layer
935
	 * to increment per-interface statistics.
936
	 */
937
	if (ifpp)
938
		*ifpp = ifp;
939

940
	/* Determine path MTU. */
941
	ip6_getpmtu(ro_pmtu, ro != ro_pmtu, ifp, &ip6->ip6_dst, &mtu, fibnum,
942
	    *nexthdrp);
943
	KASSERT(mtu > 0, ("%s:%d: mtu %ld, ro_pmtu %p ro %p ifp %p fibnum %u",
944
	    __func__, __LINE__, mtu, ro_pmtu, ro, ifp, fibnum));
945

946
	/*
947
	 * The caller of this function may specify to use the minimum MTU
948
	 * in some cases.
949
	 * An advanced API option (IPV6_USE_MIN_MTU) can also override MTU
950
	 * setting.  The logic is a bit complicated; by default, unicast
951
	 * packets will follow path MTU while multicast packets will be sent at
952
	 * the minimum MTU.  If IP6PO_MINMTU_ALL is specified, all packets
953
	 * including unicast ones will be sent at the minimum MTU.  Multicast
954
	 * packets will always be sent at the minimum MTU unless
955
	 * IP6PO_MINMTU_DISABLE is explicitly specified.
956
	 * See RFC 3542 for more details.
957
	 */
958
	if (mtu > IPV6_MMTU) {
959
		if ((flags & IPV6_MINMTU))
960
			mtu = IPV6_MMTU;
961
		else if (opt && opt->ip6po_minmtu == IP6PO_MINMTU_ALL)
962
			mtu = IPV6_MMTU;
963
		else if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) &&
964
			 (opt == NULL ||
965
			  opt->ip6po_minmtu != IP6PO_MINMTU_DISABLE)) {
966
			mtu = IPV6_MMTU;
967
		}
968
	}
969

970
	/*
971
	 * Clear embedded scope identifiers if necessary.
972
	 * in6_clearscope() will touch the addresses only when necessary.
973
	 */
974
	in6_clearscope(&ip6->ip6_src);
975
	in6_clearscope(&ip6->ip6_dst);
976

977
	/*
978
	 * If the outgoing packet contains a hop-by-hop options header,
979
	 * it must be examined and processed even by the source node.
980
	 * (RFC 2460, section 4.)
981
	 */
982
	if (exthdrs.ip6e_hbh) {
983
		struct ip6_hbh *hbh = mtod(exthdrs.ip6e_hbh, struct ip6_hbh *);
984
		u_int32_t dummy; /* XXX unused */
985
		u_int32_t plen = 0; /* XXX: ip6_process will check the value */
986

987
#ifdef DIAGNOSTIC
988
		if ((hbh->ip6h_len + 1) << 3 > exthdrs.ip6e_hbh->m_len)
989
			panic("ip6e_hbh is not contiguous");
990
#endif
991
		/*
992
		 *  XXX: if we have to send an ICMPv6 error to the sender,
993
		 *       we need the M_LOOP flag since icmp6_error() expects
994
		 *       the IPv6 and the hop-by-hop options header are
995
		 *       contiguous unless the flag is set.
996
		 */
997
		m->m_flags |= M_LOOP;
998
		m->m_pkthdr.rcvif = ifp;
999
		if (ip6_process_hopopts(m, (u_int8_t *)(hbh + 1),
1000
		    ((hbh->ip6h_len + 1) << 3) - sizeof(struct ip6_hbh),
1001
		    &dummy, &plen) < 0) {
1002
			/* m was already freed at this point. */
1003
			error = EINVAL;/* better error? */
1004
			goto done;
1005
		}
1006
		m->m_flags &= ~M_LOOP; /* XXX */
1007
		m->m_pkthdr.rcvif = NULL;
1008
	}
1009

1010
	/* Jump over all PFIL processing if hooks are not active. */
1011
	if (!PFIL_HOOKED_OUT(V_inet6_pfil_head))
1012
		goto passout;
1013

1014
	odst = ip6->ip6_dst;
1015
	/* Run through list of hooks for output packets. */
1016
	switch (pfil_mbuf_out(V_inet6_pfil_head, &m, ifp, inp)) {
1017
	case PFIL_PASS:
1018
		ip6 = mtod(m, struct ip6_hdr *);
1019
		break;
1020
	case PFIL_DROPPED:
1021
		error = EACCES;
1022
		/* FALLTHROUGH */
1023
	case PFIL_CONSUMED:
1024
		goto done;
1025
	}
1026

1027
	needfiblookup = 0;
1028
	/* See if destination IP address was changed by packet filter. */
1029
	if (!IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst)) {
1030
		m->m_flags |= M_SKIP_FIREWALL;
1031
		/* If destination is now ourself drop to ip6_input(). */
1032
		if (in6_localip(&ip6->ip6_dst)) {
1033
			m->m_flags |= M_FASTFWD_OURS;
1034
			if (m->m_pkthdr.rcvif == NULL)
1035
				m->m_pkthdr.rcvif = V_loif;
1036
			if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) {
1037
				m->m_pkthdr.csum_flags |=
1038
				    CSUM_DATA_VALID_IPV6 | CSUM_PSEUDO_HDR;
1039
				m->m_pkthdr.csum_data = 0xffff;
1040
			}
1041
#if defined(SCTP) || defined(SCTP_SUPPORT)
1042
			if (m->m_pkthdr.csum_flags & CSUM_SCTP_IPV6)
1043
				m->m_pkthdr.csum_flags |= CSUM_SCTP_VALID;
1044
#endif
1045
			error = netisr_queue(NETISR_IPV6, m);
1046
			goto done;
1047
		} else {
1048
			if (ro != NULL)
1049
				RO_INVALIDATE_CACHE(ro);
1050
			needfiblookup = 1; /* Redo the routing table lookup. */
1051
		}
1052
	}
1053
	/* See if fib was changed by packet filter. */
1054
	if (fibnum != M_GETFIB(m)) {
1055
		m->m_flags |= M_SKIP_FIREWALL;
1056
		fibnum = M_GETFIB(m);
1057
		if (ro != NULL)
1058
			RO_INVALIDATE_CACHE(ro);
1059
		needfiblookup = 1;
1060
	}
1061
	if (needfiblookup)
1062
		goto again;
1063

1064
	/* See if local, if yes, send it to netisr. */
1065
	if (m->m_flags & M_FASTFWD_OURS) {
1066
		if (m->m_pkthdr.rcvif == NULL)
1067
			m->m_pkthdr.rcvif = V_loif;
1068
		if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) {
1069
			m->m_pkthdr.csum_flags |=
1070
			    CSUM_DATA_VALID_IPV6 | CSUM_PSEUDO_HDR;
1071
			m->m_pkthdr.csum_data = 0xffff;
1072
		}
1073
#if defined(SCTP) || defined(SCTP_SUPPORT)
1074
		if (m->m_pkthdr.csum_flags & CSUM_SCTP_IPV6)
1075
			m->m_pkthdr.csum_flags |= CSUM_SCTP_VALID;
1076
#endif
1077
		error = netisr_queue(NETISR_IPV6, m);
1078
		goto done;
1079
	}
1080
	/* Or forward to some other address? */
1081
	if ((m->m_flags & M_IP6_NEXTHOP) &&
1082
	    (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
1083
		if (ro != NULL)
1084
			dst = (struct sockaddr_in6 *)&ro->ro_dst;
1085
		else
1086
			dst = &sin6;
1087
		bcopy((fwd_tag+1), &dst_sa, sizeof(struct sockaddr_in6));
1088
		m->m_flags |= M_SKIP_FIREWALL;
1089
		m->m_flags &= ~M_IP6_NEXTHOP;
1090
		m_tag_delete(m, fwd_tag);
1091
		goto again;
1092
	}
1093

1094
passout:
1095
	if (vlan_pcp > -1)
1096
		EVL_APPLY_PRI(m, vlan_pcp);
1097

1098
	/* Ensure the packet data is mapped if the interface requires it. */
1099
	if ((ifp->if_capenable & IFCAP_MEXTPG) == 0) {
1100
		struct mbuf *m1;
1101

1102
		error = mb_unmapped_to_ext(m, &m1);
1103
		if (error != 0) {
1104
			if (error == EINVAL) {
1105
				if_printf(ifp, "TLS packet\n");
1106
				/* XXXKIB */
1107
			} else if (error == ENOMEM) {
1108
				error = ENOBUFS;
1109
			}
1110
			IP6STAT_INC(ip6s_odropped);
1111
			return (error);
1112
		} else {
1113
			m = m1;
1114
		}
1115
	}
1116

1117
	/*
1118
	 * Send the packet to the outgoing interface.
1119
	 * If necessary, do IPv6 fragmentation before sending.
1120
	 *
1121
	 * 1: normal case (dontfrag == 0)
1122
	 * 1-a:	send as is if tlen <= path mtu
1123
	 * 1-b:	fragment if tlen > path mtu
1124
	 *
1125
	 * 2: if user asks us not to fragment (dontfrag == 1)
1126
	 * 2-a:	send as is if tlen <= interface mtu
1127
	 * 2-b:	error if tlen > interface mtu
1128
	 */
1129
	sw_csum = m->m_pkthdr.csum_flags;
1130
	if (!hdrsplit) {
1131
		tso = ((sw_csum & ifp->if_hwassist &
1132
		    (CSUM_TSO | CSUM_INNER_TSO)) != 0) ? 1 : 0;
1133
		sw_csum &= ~ifp->if_hwassist;
1134
	} else
1135
		tso = 0;
1136
	/*
1137
	 * If we added extension headers, we will not do TSO and calculate the
1138
	 * checksums ourselves for now.
1139
	 * XXX-BZ  Need a framework to know when the NIC can handle it, even
1140
	 * with ext. hdrs.
1141
	 */
1142
	ip6_output_delayed_csum(m, ifp, sw_csum, plen, optlen);
1143
	/* XXX-BZ m->m_pkthdr.csum_flags &= ~ifp->if_hwassist; */
1144
	tlen = m->m_pkthdr.len;
1145

1146
	if ((opt && (opt->ip6po_flags & IP6PO_DONTFRAG)) || tso)
1147
		dontfrag = 1;
1148
	else
1149
		dontfrag = 0;
1150
	if (dontfrag && tlen > IN6_LINKMTU(ifp) && !tso) {	/* Case 2-b. */
1151
		/*
1152
		 * If the DONTFRAG option is specified, we cannot send the
1153
		 * packet when the data length is larger than the MTU of the
1154
		 * outgoing interface.
1155
		 * Notify the error by sending IPV6_PATHMTU ancillary data if
1156
		 * application wanted to know the MTU value. Also return an
1157
		 * error code (this is not described in the API spec).
1158
		 */
1159
		if (inp != NULL)
1160
			ip6_notify_pmtu(inp, &dst_sa, (u_int32_t)mtu);
1161
		error = EMSGSIZE;
1162
		goto bad;
1163
	}
1164

1165
	/* Transmit packet without fragmentation. */
1166
	if (dontfrag || tlen <= mtu) {	/* Cases 1-a and 2-a. */
1167
		struct in6_ifaddr *ia6;
1168

1169
		ip6 = mtod(m, struct ip6_hdr *);
1170
		ia6 = in6_ifawithifp(ifp, &ip6->ip6_src);
1171
		if (ia6) {
1172
			/* Record statistics for this interface address. */
1173
			counter_u64_add(ia6->ia_ifa.ifa_opackets, 1);
1174
			counter_u64_add(ia6->ia_ifa.ifa_obytes,
1175
			    m->m_pkthdr.len);
1176
		}
1177
		error = ip6_output_send(inp, ifp, origifp, m, dst, ro,
1178
		    (flags & IP_NO_SND_TAG_RL) ? false : true);
1179
		goto done;
1180
	}
1181

1182
	/* Try to fragment the packet.  Case 1-b. */
1183
	if (mtu < IPV6_MMTU) {
1184
		/* Path MTU cannot be less than IPV6_MMTU. */
1185
		error = EMSGSIZE;
1186
		in6_ifstat_inc(ifp, ifs6_out_fragfail);
1187
		goto bad;
1188
	} else if (ip6->ip6_plen == 0) {
1189
		/* Jumbo payload cannot be fragmented. */
1190
		error = EMSGSIZE;
1191
		in6_ifstat_inc(ifp, ifs6_out_fragfail);
1192
		goto bad;
1193
	} else {
1194
		u_char nextproto;
1195

1196
		/*
1197
		 * Too large for the destination or interface;
1198
		 * fragment if possible.
1199
		 * Must be able to put at least 8 bytes per fragment.
1200
		 */
1201
		if (mtu > IPV6_MAXPACKET)
1202
			mtu = IPV6_MAXPACKET;
1203

1204
		len = (mtu - unfragpartlen - sizeof(struct ip6_frag)) & ~7;
1205
		if (len < 8) {
1206
			error = EMSGSIZE;
1207
			in6_ifstat_inc(ifp, ifs6_out_fragfail);
1208
			goto bad;
1209
		}
1210

1211
		/*
1212
		 * If the interface will not calculate checksums on
1213
		 * fragmented packets, then do it here.
1214
		 * XXX-BZ handle the hw offloading case.  Need flags.
1215
		 */
1216
		ip6_output_delayed_csum(m, ifp, m->m_pkthdr.csum_flags, plen,
1217
		    optlen);
1218

1219
		/*
1220
		 * Change the next header field of the last header in the
1221
		 * unfragmentable part.
1222
		 */
1223
		if (exthdrs.ip6e_rthdr) {
1224
			nextproto = *mtod(exthdrs.ip6e_rthdr, u_char *);
1225
			*mtod(exthdrs.ip6e_rthdr, u_char *) = IPPROTO_FRAGMENT;
1226
		} else if (exthdrs.ip6e_dest1) {
1227
			nextproto = *mtod(exthdrs.ip6e_dest1, u_char *);
1228
			*mtod(exthdrs.ip6e_dest1, u_char *) = IPPROTO_FRAGMENT;
1229
		} else if (exthdrs.ip6e_hbh) {
1230
			nextproto = *mtod(exthdrs.ip6e_hbh, u_char *);
1231
			*mtod(exthdrs.ip6e_hbh, u_char *) = IPPROTO_FRAGMENT;
1232
		} else {
1233
			ip6 = mtod(m, struct ip6_hdr *);
1234
			nextproto = ip6->ip6_nxt;
1235
			ip6->ip6_nxt = IPPROTO_FRAGMENT;
1236
		}
1237

1238
		/*
1239
		 * Loop through length of segment after first fragment,
1240
		 * make new header and copy data of each part and link onto
1241
		 * chain.
1242
		 */
1243
		m0 = m;
1244
		id = htonl(ip6_randomid());
1245
		error = ip6_fragment(ifp, m, unfragpartlen, nextproto,len, id);
1246
		if (error != 0)
1247
			goto sendorfree;
1248

1249
		in6_ifstat_inc(ifp, ifs6_out_fragok);
1250
	}
1251

1252
	/* Remove leading garbage. */
1253
sendorfree:
1254
	m = m0->m_nextpkt;
1255
	m0->m_nextpkt = 0;
1256
	m_freem(m0);
1257
	for (; m; m = m0) {
1258
		m0 = m->m_nextpkt;
1259
		m->m_nextpkt = 0;
1260
		if (error == 0) {
1261
			/* Record statistics for this interface address. */
1262
			if (ia) {
1263
				counter_u64_add(ia->ia_ifa.ifa_opackets, 1);
1264
				counter_u64_add(ia->ia_ifa.ifa_obytes,
1265
				    m->m_pkthdr.len);
1266
			}
1267
			if (vlan_pcp > -1)
1268
				EVL_APPLY_PRI(m, vlan_pcp);
1269
			error = ip6_output_send(inp, ifp, origifp, m, dst, ro,
1270
			    true);
1271
		} else
1272
			m_freem(m);
1273
	}
1274

1275
	if (error == 0)
1276
		IP6STAT_INC(ip6s_fragmented);
1277

1278
done:
1279
	return (error);
1280

1281
freehdrs:
1282
	m_freem(exthdrs.ip6e_hbh);	/* m_freem() checks if mbuf is NULL. */
1283
	m_freem(exthdrs.ip6e_dest1);
1284
	m_freem(exthdrs.ip6e_rthdr);
1285
	m_freem(exthdrs.ip6e_dest2);
1286
	/* FALLTHROUGH */
1287
bad:
1288
	if (m)
1289
		m_freem(m);
1290
	goto done;
1291
}
1292

1293
static int
1294
ip6_copyexthdr(struct mbuf **mp, caddr_t hdr, int hlen)
1295
{
1296
	struct mbuf *m;
1297

1298
	if (hlen > MCLBYTES)
1299
		return (ENOBUFS); /* XXX */
1300

1301
	if (hlen > MLEN)
1302
		m = m_getcl(M_NOWAIT, MT_DATA, 0);
1303
	else
1304
		m = m_get(M_NOWAIT, MT_DATA);
1305
	if (m == NULL)
1306
		return (ENOBUFS);
1307
	m->m_len = hlen;
1308
	if (hdr)
1309
		bcopy(hdr, mtod(m, caddr_t), hlen);
1310

1311
	*mp = m;
1312
	return (0);
1313
}
1314

1315
/*
1316
 * Insert jumbo payload option.
1317
 */
1318
static int
1319
ip6_insert_jumboopt(struct ip6_exthdrs *exthdrs, u_int32_t plen)
1320
{
1321
	struct mbuf *mopt;
1322
	u_char *optbuf;
1323
	u_int32_t v;
1324

1325
#define JUMBOOPTLEN	8	/* length of jumbo payload option and padding */
1326

1327
	/*
1328
	 * If there is no hop-by-hop options header, allocate new one.
1329
	 * If there is one but it doesn't have enough space to store the
1330
	 * jumbo payload option, allocate a cluster to store the whole options.
1331
	 * Otherwise, use it to store the options.
1332
	 */
1333
	if (exthdrs->ip6e_hbh == NULL) {
1334
		mopt = m_get(M_NOWAIT, MT_DATA);
1335
		if (mopt == NULL)
1336
			return (ENOBUFS);
1337
		mopt->m_len = JUMBOOPTLEN;
1338
		optbuf = mtod(mopt, u_char *);
1339
		optbuf[1] = 0;	/* = ((JUMBOOPTLEN) >> 3) - 1 */
1340
		exthdrs->ip6e_hbh = mopt;
1341
	} else {
1342
		struct ip6_hbh *hbh;
1343

1344
		mopt = exthdrs->ip6e_hbh;
1345
		if (M_TRAILINGSPACE(mopt) < JUMBOOPTLEN) {
1346
			/*
1347
			 * XXX assumption:
1348
			 * - exthdrs->ip6e_hbh is not referenced from places
1349
			 *   other than exthdrs.
1350
			 * - exthdrs->ip6e_hbh is not an mbuf chain.
1351
			 */
1352
			int oldoptlen = mopt->m_len;
1353
			struct mbuf *n;
1354

1355
			/*
1356
			 * XXX: give up if the whole (new) hbh header does
1357
			 * not fit even in an mbuf cluster.
1358
			 */
1359
			if (oldoptlen + JUMBOOPTLEN > MCLBYTES)
1360
				return (ENOBUFS);
1361

1362
			/*
1363
			 * As a consequence, we must always prepare a cluster
1364
			 * at this point.
1365
			 */
1366
			n = m_getcl(M_NOWAIT, MT_DATA, 0);
1367
			if (n == NULL)
1368
				return (ENOBUFS);
1369
			n->m_len = oldoptlen + JUMBOOPTLEN;
1370
			bcopy(mtod(mopt, caddr_t), mtod(n, caddr_t),
1371
			    oldoptlen);
1372
			optbuf = mtod(n, caddr_t) + oldoptlen;
1373
			m_freem(mopt);
1374
			mopt = exthdrs->ip6e_hbh = n;
1375
		} else {
1376
			optbuf = mtod(mopt, u_char *) + mopt->m_len;
1377
			mopt->m_len += JUMBOOPTLEN;
1378
		}
1379
		optbuf[0] = IP6OPT_PADN;
1380
		optbuf[1] = 1;
1381

1382
		/*
1383
		 * Adjust the header length according to the pad and
1384
		 * the jumbo payload option.
1385
		 */
1386
		hbh = mtod(mopt, struct ip6_hbh *);
1387
		hbh->ip6h_len += (JUMBOOPTLEN >> 3);
1388
	}
1389

1390
	/* fill in the option. */
1391
	optbuf[2] = IP6OPT_JUMBO;
1392
	optbuf[3] = 4;
1393
	v = (u_int32_t)htonl(plen + JUMBOOPTLEN);
1394
	bcopy(&v, &optbuf[4], sizeof(u_int32_t));
1395

1396
	/* finally, adjust the packet header length */
1397
	exthdrs->ip6e_ip6->m_pkthdr.len += JUMBOOPTLEN;
1398

1399
	return (0);
1400
#undef JUMBOOPTLEN
1401
}
1402

1403
/*
1404
 * Insert fragment header and copy unfragmentable header portions.
1405
 */
1406
static int
1407
ip6_insertfraghdr(struct mbuf *m0, struct mbuf *m, int hlen,
1408
    struct ip6_frag **frghdrp)
1409
{
1410
	struct mbuf *n, *mlast;
1411

1412
	if (hlen > sizeof(struct ip6_hdr)) {
1413
		n = m_copym(m0, sizeof(struct ip6_hdr),
1414
		    hlen - sizeof(struct ip6_hdr), M_NOWAIT);
1415
		if (n == NULL)
1416
			return (ENOBUFS);
1417
		m->m_next = n;
1418
	} else
1419
		n = m;
1420

1421
	/* Search for the last mbuf of unfragmentable part. */
1422
	for (mlast = n; mlast->m_next; mlast = mlast->m_next)
1423
		;
1424

1425
	if (M_WRITABLE(mlast) &&
1426
	    M_TRAILINGSPACE(mlast) >= sizeof(struct ip6_frag)) {
1427
		/* use the trailing space of the last mbuf for the fragment hdr */
1428
		*frghdrp = (struct ip6_frag *)(mtod(mlast, caddr_t) +
1429
		    mlast->m_len);
1430
		mlast->m_len += sizeof(struct ip6_frag);
1431
		m->m_pkthdr.len += sizeof(struct ip6_frag);
1432
	} else {
1433
		/* allocate a new mbuf for the fragment header */
1434
		struct mbuf *mfrg;
1435

1436
		mfrg = m_get(M_NOWAIT, MT_DATA);
1437
		if (mfrg == NULL)
1438
			return (ENOBUFS);
1439
		mfrg->m_len = sizeof(struct ip6_frag);
1440
		*frghdrp = mtod(mfrg, struct ip6_frag *);
1441
		mlast->m_next = mfrg;
1442
	}
1443

1444
	return (0);
1445
}
1446

1447
/*
1448
 * Calculates IPv6 path mtu for destination @dst.
1449
 * Resulting MTU is stored in @mtup.
1450
 *
1451
 * Returns 0 on success.
1452
 */
1453
static int
1454
ip6_getpmtu_ctl(u_int fibnum, const struct in6_addr *dst, u_long *mtup)
1455
{
1456
	struct epoch_tracker et;
1457
	struct nhop_object *nh;
1458
	struct in6_addr kdst;
1459
	uint32_t scopeid;
1460
	int error;
1461

1462
	in6_splitscope(dst, &kdst, &scopeid);
1463

1464
	NET_EPOCH_ENTER(et);
1465
	nh = fib6_lookup(fibnum, &kdst, scopeid, NHR_NONE, 0);
1466
	if (nh != NULL) {
1467
		ip6_calcmtu(nh->nh_ifp, dst, nh->nh_mtu, mtup, 0);
1468
		error = 0;
1469
	} else
1470
		error = EHOSTUNREACH;
1471
	NET_EPOCH_EXIT(et);
1472

1473
	return (error);
1474
}
1475

1476
/*
1477
 * Calculates IPv6 path MTU for @dst based on transmit @ifp,
1478
 * and cached data in @ro_pmtu.
1479
 * MTU from (successful) route lookup is saved (along with dst)
1480
 * inside @ro_pmtu to avoid subsequent route lookups after packet
1481
 * filter processing.
1482
 *
1483
 * Stores mtu into @mtup.
1484
 */
1485
static void
1486
ip6_getpmtu(struct route_in6 *ro_pmtu, int do_lookup,
1487
    struct ifnet *ifp, const struct in6_addr *dst, u_long *mtup,
1488
    u_int fibnum, u_int proto)
1489
{
1490
	struct nhop_object *nh;
1491
	struct in6_addr kdst;
1492
	uint32_t scopeid;
1493
	struct sockaddr_in6 *sa6_dst, sin6;
1494
	u_long mtu;
1495

1496
	NET_EPOCH_ASSERT();
1497

1498
	mtu = 0;
1499
	if (ro_pmtu == NULL || do_lookup) {
1500
		/*
1501
		 * Here ro_pmtu has final destination address, while
1502
		 * ro might represent immediate destination.
1503
		 * Use ro_pmtu destination since mtu might differ.
1504
		 */
1505
		if (ro_pmtu != NULL) {
1506
			sa6_dst = (struct sockaddr_in6 *)&ro_pmtu->ro_dst;
1507
			if (!IN6_ARE_ADDR_EQUAL(&sa6_dst->sin6_addr, dst))
1508
				ro_pmtu->ro_mtu = 0;
1509
		} else
1510
			sa6_dst = &sin6;
1511

1512
		if (ro_pmtu == NULL || ro_pmtu->ro_mtu == 0) {
1513
			bzero(sa6_dst, sizeof(*sa6_dst));
1514
			sa6_dst->sin6_family = AF_INET6;
1515
			sa6_dst->sin6_len = sizeof(struct sockaddr_in6);
1516
			sa6_dst->sin6_addr = *dst;
1517

1518
			in6_splitscope(dst, &kdst, &scopeid);
1519
			nh = fib6_lookup(fibnum, &kdst, scopeid, NHR_NONE, 0);
1520
			if (nh != NULL) {
1521
				mtu = nh->nh_mtu;
1522
				if (ro_pmtu != NULL)
1523
					ro_pmtu->ro_mtu = mtu;
1524
			}
1525
		} else
1526
			mtu = ro_pmtu->ro_mtu;
1527
	}
1528

1529
	if (ro_pmtu != NULL && ro_pmtu->ro_nh != NULL)
1530
		mtu = ro_pmtu->ro_nh->nh_mtu;
1531

1532
	ip6_calcmtu(ifp, dst, mtu, mtup, proto);
1533
}
1534

1535
/*
1536
 * Calculate MTU based on transmit @ifp, route mtu @rt_mtu and
1537
 * hostcache data for @dst.
1538
 * Stores mtu into @mtup.
1539
 */
1540
static void
1541
ip6_calcmtu(struct ifnet *ifp, const struct in6_addr *dst, u_long rt_mtu,
1542
    u_long *mtup, u_int proto)
1543
{
1544
	u_long mtu = 0;
1545

1546
	if (rt_mtu > 0) {
1547
		/* Skip the hostcache if the protocol handles PMTU changes. */
1548
		if (proto != IPPROTO_TCP && proto != IPPROTO_SCTP) {
1549
			struct in_conninfo inc = {
1550
			    .inc_flags = INC_ISIPV6,
1551
			    .inc6_faddr = *dst,
1552
			};
1553

1554
			mtu = tcp_hc_getmtu(&inc);
1555
		}
1556

1557
		if (mtu)
1558
			mtu = min(mtu, rt_mtu);
1559
		else
1560
			mtu = rt_mtu;
1561
	}
1562

1563
	if (mtu == 0)
1564
		mtu = IN6_LINKMTU(ifp);
1565

1566
	*mtup = mtu;
1567
}
1568

1569
/*
1570
 * IP6 socket option processing.
1571
 */
1572
int
1573
ip6_ctloutput(struct socket *so, struct sockopt *sopt)
1574
{
1575
	int optdatalen, uproto;
1576
	void *optdata;
1577
	struct inpcb *inp = sotoinpcb(so);
1578
	int error, optval;
1579
	int level, op, optname;
1580
	int optlen;
1581
	struct thread *td;
1582
#ifdef	RSS
1583
	uint32_t rss_bucket;
1584
	int retval;
1585
#endif
1586

1587
/*
1588
 * Don't use more than a quarter of mbuf clusters.  N.B.:
1589
 * nmbclusters is an int, but nmbclusters * MCLBYTES may overflow
1590
 * on LP64 architectures, so cast to u_long to avoid undefined
1591
 * behavior.  ILP32 architectures cannot have nmbclusters
1592
 * large enough to overflow for other reasons.
1593
 */
1594
#define IPV6_PKTOPTIONS_MBUF_LIMIT	((u_long)nmbclusters * MCLBYTES / 4)
1595

1596
	level = sopt->sopt_level;
1597
	op = sopt->sopt_dir;
1598
	optname = sopt->sopt_name;
1599
	optlen = sopt->sopt_valsize;
1600
	td = sopt->sopt_td;
1601
	error = 0;
1602
	optval = 0;
1603
	uproto = (int)so->so_proto->pr_protocol;
1604

1605
	if (level != IPPROTO_IPV6) {
1606
		error = EINVAL;
1607

1608
		if (sopt->sopt_level == SOL_SOCKET &&
1609
		    sopt->sopt_dir == SOPT_SET) {
1610
			switch (sopt->sopt_name) {
1611
			case SO_SETFIB:
1612
				error = sooptcopyin(sopt, &optval,
1613
				    sizeof(optval), sizeof(optval));
1614
				if (error != 0)
1615
					break;
1616

1617
				INP_WLOCK(inp);
1618
				if ((inp->inp_flags & INP_BOUNDFIB) != 0 &&
1619
				    optval != so->so_fibnum) {
1620
					INP_WUNLOCK(inp);
1621
					error = EISCONN;
1622
					break;
1623
				}
1624
				error = sosetfib(inp->inp_socket, optval);
1625
				if (error == 0)
1626
					inp->inp_inc.inc_fibnum = optval;
1627
				INP_WUNLOCK(inp);
1628
				break;
1629
			case SO_MAX_PACING_RATE:
1630
#ifdef RATELIMIT
1631
				INP_WLOCK(inp);
1632
				inp->inp_flags2 |= INP_RATE_LIMIT_CHANGED;
1633
				INP_WUNLOCK(inp);
1634
				error = 0;
1635
#else
1636
				error = EOPNOTSUPP;
1637
#endif
1638
				break;
1639
			default:
1640
				break;
1641
			}
1642
		}
1643
	} else {		/* level == IPPROTO_IPV6 */
1644
		switch (op) {
1645
		case SOPT_SET:
1646
			switch (optname) {
1647
			case IPV6_2292PKTOPTIONS:
1648
#ifdef IPV6_PKTOPTIONS
1649
			case IPV6_PKTOPTIONS:
1650
#endif
1651
			{
1652
				struct mbuf *m;
1653

1654
				if (optlen > IPV6_PKTOPTIONS_MBUF_LIMIT) {
1655
					printf("ip6_ctloutput: mbuf limit hit\n");
1656
					error = ENOBUFS;
1657
					break;
1658
				}
1659

1660
				error = soopt_getm(sopt, &m); /* XXX */
1661
				if (error != 0)
1662
					break;
1663
				error = soopt_mcopyin(sopt, m); /* XXX */
1664
				if (error != 0)
1665
					break;
1666
				INP_WLOCK(inp);
1667
				error = ip6_pcbopts(&inp->in6p_outputopts, m,
1668
				    so, sopt);
1669
				INP_WUNLOCK(inp);
1670
				m_freem(m); /* XXX */
1671
				break;
1672
			}
1673

1674
			/*
1675
			 * Use of some Hop-by-Hop options or some
1676
			 * Destination options, might require special
1677
			 * privilege.  That is, normal applications
1678
			 * (without special privilege) might be forbidden
1679
			 * from setting certain options in outgoing packets,
1680
			 * and might never see certain options in received
1681
			 * packets. [RFC 2292 Section 6]
1682
			 * KAME specific note:
1683
			 *  KAME prevents non-privileged users from sending or
1684
			 *  receiving ANY hbh/dst options in order to avoid
1685
			 *  overhead of parsing options in the kernel.
1686
			 */
1687
			case IPV6_RECVHOPOPTS:
1688
			case IPV6_RECVDSTOPTS:
1689
			case IPV6_RECVRTHDRDSTOPTS:
1690
				if (td != NULL) {
1691
					error = priv_check(td,
1692
					    PRIV_NETINET_SETHDROPTS);
1693
					if (error)
1694
						break;
1695
				}
1696
				/* FALLTHROUGH */
1697
			case IPV6_UNICAST_HOPS:
1698
			case IPV6_HOPLIMIT:
1699

1700
			case IPV6_RECVPKTINFO:
1701
			case IPV6_RECVHOPLIMIT:
1702
			case IPV6_RECVRTHDR:
1703
			case IPV6_RECVPATHMTU:
1704
			case IPV6_RECVTCLASS:
1705
			case IPV6_RECVFLOWID:
1706
#ifdef	RSS
1707
			case IPV6_RECVRSSBUCKETID:
1708
#endif
1709
			case IPV6_V6ONLY:
1710
			case IPV6_AUTOFLOWLABEL:
1711
			case IPV6_ORIGDSTADDR:
1712
			case IPV6_BINDANY:
1713
			case IPV6_VLAN_PCP:
1714
				if (optname == IPV6_BINDANY && td != NULL) {
1715
					error = priv_check(td,
1716
					    PRIV_NETINET_BINDANY);
1717
					if (error)
1718
						break;
1719
				}
1720

1721
				if (optlen != sizeof(int)) {
1722
					error = EINVAL;
1723
					break;
1724
				}
1725
				error = sooptcopyin(sopt, &optval,
1726
					sizeof optval, sizeof optval);
1727
				if (error)
1728
					break;
1729
				switch (optname) {
1730
				case IPV6_UNICAST_HOPS:
1731
					if (optval < -1 || optval >= 256)
1732
						error = EINVAL;
1733
					else {
1734
						/* -1 = kernel default */
1735
						inp->in6p_hops = optval;
1736
						if ((inp->inp_vflag &
1737
						     INP_IPV4) != 0)
1738
							inp->inp_ip_ttl = optval;
1739
					}
1740
					break;
1741
#define OPTSET(bit) \
1742
do { \
1743
	INP_WLOCK(inp); \
1744
	if (optval) \
1745
		inp->inp_flags |= (bit); \
1746
	else \
1747
		inp->inp_flags &= ~(bit); \
1748
	INP_WUNLOCK(inp); \
1749
} while (/*CONSTCOND*/ 0)
1750
#define OPTSET2292(bit) \
1751
do { \
1752
	INP_WLOCK(inp); \
1753
	inp->inp_flags |= IN6P_RFC2292; \
1754
	if (optval) \
1755
		inp->inp_flags |= (bit); \
1756
	else \
1757
		inp->inp_flags &= ~(bit); \
1758
	INP_WUNLOCK(inp); \
1759
} while (/*CONSTCOND*/ 0)
1760
#define OPTBIT(bit) (inp->inp_flags & (bit) ? 1 : 0)
1761

1762
#define OPTSET2_N(bit, val) do {					\
1763
	if (val)							\
1764
		inp->inp_flags2 |= bit;					\
1765
	else								\
1766
		inp->inp_flags2 &= ~bit;				\
1767
} while (0)
1768
#define OPTSET2(bit, val) do {						\
1769
	INP_WLOCK(inp);							\
1770
	OPTSET2_N(bit, val);						\
1771
	INP_WUNLOCK(inp);						\
1772
} while (0)
1773
#define OPTBIT2(bit) (inp->inp_flags2 & (bit) ? 1 : 0)
1774
#define OPTSET2292_EXCLUSIVE(bit)					\
1775
do {									\
1776
	INP_WLOCK(inp);							\
1777
	if (OPTBIT(IN6P_RFC2292)) {					\
1778
		error = EINVAL;						\
1779
	} else {							\
1780
		if (optval)						\
1781
			inp->inp_flags |= (bit);			\
1782
		else							\
1783
			inp->inp_flags &= ~(bit);			\
1784
	}								\
1785
	INP_WUNLOCK(inp);						\
1786
} while (/*CONSTCOND*/ 0)
1787

1788
				case IPV6_RECVPKTINFO:
1789
					OPTSET2292_EXCLUSIVE(IN6P_PKTINFO);
1790
					break;
1791

1792
				case IPV6_HOPLIMIT:
1793
				{
1794
					struct ip6_pktopts **optp;
1795

1796
					/* cannot mix with RFC2292 */
1797
					if (OPTBIT(IN6P_RFC2292)) {
1798
						error = EINVAL;
1799
						break;
1800
					}
1801
					INP_WLOCK(inp);
1802
					if (inp->inp_flags & INP_DROPPED) {
1803
						INP_WUNLOCK(inp);
1804
						return (ECONNRESET);
1805
					}
1806
					optp = &inp->in6p_outputopts;
1807
					error = ip6_pcbopt(IPV6_HOPLIMIT,
1808
					    (u_char *)&optval, sizeof(optval),
1809
					    optp, (td != NULL) ? td->td_ucred :
1810
					    NULL, uproto);
1811
					INP_WUNLOCK(inp);
1812
					break;
1813
				}
1814

1815
				case IPV6_RECVHOPLIMIT:
1816
					OPTSET2292_EXCLUSIVE(IN6P_HOPLIMIT);
1817
					break;
1818

1819
				case IPV6_RECVHOPOPTS:
1820
					OPTSET2292_EXCLUSIVE(IN6P_HOPOPTS);
1821
					break;
1822

1823
				case IPV6_RECVDSTOPTS:
1824
					OPTSET2292_EXCLUSIVE(IN6P_DSTOPTS);
1825
					break;
1826

1827
				case IPV6_RECVRTHDRDSTOPTS:
1828
					OPTSET2292_EXCLUSIVE(IN6P_RTHDRDSTOPTS);
1829
					break;
1830

1831
				case IPV6_RECVRTHDR:
1832
					OPTSET2292_EXCLUSIVE(IN6P_RTHDR);
1833
					break;
1834

1835
				case IPV6_RECVPATHMTU:
1836
					/*
1837
					 * We ignore this option for TCP
1838
					 * sockets.
1839
					 * (RFC3542 leaves this case
1840
					 * unspecified.)
1841
					 */
1842
					if (uproto != IPPROTO_TCP)
1843
						OPTSET(IN6P_MTU);
1844
					break;
1845

1846
				case IPV6_RECVFLOWID:
1847
					OPTSET2(INP_RECVFLOWID, optval);
1848
					break;
1849

1850
#ifdef	RSS
1851
				case IPV6_RECVRSSBUCKETID:
1852
					OPTSET2(INP_RECVRSSBUCKETID, optval);
1853
					break;
1854
#endif
1855

1856
				case IPV6_V6ONLY:
1857
					INP_WLOCK(inp);
1858
					if (inp->inp_lport ||
1859
					    !IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr)) {
1860
						/*
1861
						 * The socket is already bound.
1862
						 */
1863
						INP_WUNLOCK(inp);
1864
						error = EINVAL;
1865
						break;
1866
					}
1867
					if (optval) {
1868
						inp->inp_flags |= IN6P_IPV6_V6ONLY;
1869
						inp->inp_vflag &= ~INP_IPV4;
1870
					} else {
1871
						inp->inp_flags &= ~IN6P_IPV6_V6ONLY;
1872
						inp->inp_vflag |= INP_IPV4;
1873
					}
1874
					INP_WUNLOCK(inp);
1875
					break;
1876
				case IPV6_RECVTCLASS:
1877
					/* cannot mix with RFC2292 XXX */
1878
					OPTSET2292_EXCLUSIVE(IN6P_TCLASS);
1879
					break;
1880
				case IPV6_AUTOFLOWLABEL:
1881
					OPTSET(IN6P_AUTOFLOWLABEL);
1882
					break;
1883

1884
				case IPV6_ORIGDSTADDR:
1885
					OPTSET2(INP_ORIGDSTADDR, optval);
1886
					break;
1887
				case IPV6_BINDANY:
1888
					OPTSET(INP_BINDANY);
1889
					break;
1890
				case IPV6_VLAN_PCP:
1891
					if ((optval >= -1) && (optval <=
1892
					    (INP_2PCP_MASK >> INP_2PCP_SHIFT))) {
1893
						if (optval == -1) {
1894
							INP_WLOCK(inp);
1895
							inp->inp_flags2 &=
1896
							    ~(INP_2PCP_SET |
1897
							    INP_2PCP_MASK);
1898
							INP_WUNLOCK(inp);
1899
						} else {
1900
							INP_WLOCK(inp);
1901
							inp->inp_flags2 |=
1902
							    INP_2PCP_SET;
1903
							inp->inp_flags2 &=
1904
							    ~INP_2PCP_MASK;
1905
							inp->inp_flags2 |=
1906
							    optval <<
1907
							    INP_2PCP_SHIFT;
1908
							INP_WUNLOCK(inp);
1909
						}
1910
					} else
1911
						error = EINVAL;
1912
					break;
1913
				}
1914
				break;
1915

1916
			case IPV6_TCLASS:
1917
			case IPV6_DONTFRAG:
1918
			case IPV6_USE_MIN_MTU:
1919
			case IPV6_PREFER_TEMPADDR:
1920
				if (optlen != sizeof(optval)) {
1921
					error = EINVAL;
1922
					break;
1923
				}
1924
				error = sooptcopyin(sopt, &optval,
1925
					sizeof optval, sizeof optval);
1926
				if (error)
1927
					break;
1928
				{
1929
					struct ip6_pktopts **optp;
1930
					INP_WLOCK(inp);
1931
					if (inp->inp_flags & INP_DROPPED) {
1932
						INP_WUNLOCK(inp);
1933
						return (ECONNRESET);
1934
					}
1935
					optp = &inp->in6p_outputopts;
1936
					error = ip6_pcbopt(optname,
1937
					    (u_char *)&optval, sizeof(optval),
1938
					    optp, (td != NULL) ? td->td_ucred :
1939
					    NULL, uproto);
1940
					INP_WUNLOCK(inp);
1941
					break;
1942
				}
1943

1944
			case IPV6_2292PKTINFO:
1945
			case IPV6_2292HOPLIMIT:
1946
			case IPV6_2292HOPOPTS:
1947
			case IPV6_2292DSTOPTS:
1948
			case IPV6_2292RTHDR:
1949
				/* RFC 2292 */
1950
				if (optlen != sizeof(int)) {
1951
					error = EINVAL;
1952
					break;
1953
				}
1954
				error = sooptcopyin(sopt, &optval,
1955
					sizeof optval, sizeof optval);
1956
				if (error)
1957
					break;
1958
				switch (optname) {
1959
				case IPV6_2292PKTINFO:
1960
					OPTSET2292(IN6P_PKTINFO);
1961
					break;
1962
				case IPV6_2292HOPLIMIT:
1963
					OPTSET2292(IN6P_HOPLIMIT);
1964
					break;
1965
				case IPV6_2292HOPOPTS:
1966
					/*
1967
					 * Check super-user privilege.
1968
					 * See comments for IPV6_RECVHOPOPTS.
1969
					 */
1970
					if (td != NULL) {
1971
						error = priv_check(td,
1972
						    PRIV_NETINET_SETHDROPTS);
1973
						if (error)
1974
							return (error);
1975
					}
1976
					OPTSET2292(IN6P_HOPOPTS);
1977
					break;
1978
				case IPV6_2292DSTOPTS:
1979
					if (td != NULL) {
1980
						error = priv_check(td,
1981
						    PRIV_NETINET_SETHDROPTS);
1982
						if (error)
1983
							return (error);
1984
					}
1985
					OPTSET2292(IN6P_DSTOPTS|IN6P_RTHDRDSTOPTS); /* XXX */
1986
					break;
1987
				case IPV6_2292RTHDR:
1988
					OPTSET2292(IN6P_RTHDR);
1989
					break;
1990
				}
1991
				break;
1992
			case IPV6_PKTINFO:
1993
			case IPV6_HOPOPTS:
1994
			case IPV6_RTHDR:
1995
			case IPV6_DSTOPTS:
1996
			case IPV6_RTHDRDSTOPTS:
1997
			case IPV6_NEXTHOP:
1998
			{
1999
				/* new advanced API (RFC3542) */
2000
				u_char *optbuf;
2001
				u_char optbuf_storage[MCLBYTES];
2002
				int optlen;
2003
				struct ip6_pktopts **optp;
2004

2005
				/* cannot mix with RFC2292 */
2006
				if (OPTBIT(IN6P_RFC2292)) {
2007
					error = EINVAL;
2008
					break;
2009
				}
2010

2011
				/*
2012
				 * We only ensure valsize is not too large
2013
				 * here.  Further validation will be done
2014
				 * later.
2015
				 */
2016
				error = sooptcopyin(sopt, optbuf_storage,
2017
				    sizeof(optbuf_storage), 0);
2018
				if (error)
2019
					break;
2020
				optlen = sopt->sopt_valsize;
2021
				optbuf = optbuf_storage;
2022
				INP_WLOCK(inp);
2023
				if (inp->inp_flags & INP_DROPPED) {
2024
					INP_WUNLOCK(inp);
2025
					return (ECONNRESET);
2026
				}
2027
				optp = &inp->in6p_outputopts;
2028
				error = ip6_pcbopt(optname, optbuf, optlen,
2029
				    optp, (td != NULL) ? td->td_ucred : NULL,
2030
				    uproto);
2031
				INP_WUNLOCK(inp);
2032
				break;
2033
			}
2034
#undef OPTSET
2035

2036
			case IPV6_MULTICAST_IF:
2037
			case IPV6_MULTICAST_HOPS:
2038
			case IPV6_MULTICAST_LOOP:
2039
			case IPV6_JOIN_GROUP:
2040
			case IPV6_LEAVE_GROUP:
2041
			case IPV6_MSFILTER:
2042
			case MCAST_BLOCK_SOURCE:
2043
			case MCAST_UNBLOCK_SOURCE:
2044
			case MCAST_JOIN_GROUP:
2045
			case MCAST_LEAVE_GROUP:
2046
			case MCAST_JOIN_SOURCE_GROUP:
2047
			case MCAST_LEAVE_SOURCE_GROUP:
2048
				error = ip6_setmoptions(inp, sopt);
2049
				break;
2050

2051
			case IPV6_PORTRANGE:
2052
				error = sooptcopyin(sopt, &optval,
2053
				    sizeof optval, sizeof optval);
2054
				if (error)
2055
					break;
2056

2057
				INP_WLOCK(inp);
2058
				switch (optval) {
2059
				case IPV6_PORTRANGE_DEFAULT:
2060
					inp->inp_flags &= ~(INP_LOWPORT);
2061
					inp->inp_flags &= ~(INP_HIGHPORT);
2062
					break;
2063

2064
				case IPV6_PORTRANGE_HIGH:
2065
					inp->inp_flags &= ~(INP_LOWPORT);
2066
					inp->inp_flags |= INP_HIGHPORT;
2067
					break;
2068

2069
				case IPV6_PORTRANGE_LOW:
2070
					inp->inp_flags &= ~(INP_HIGHPORT);
2071
					inp->inp_flags |= INP_LOWPORT;
2072
					break;
2073

2074
				default:
2075
					error = EINVAL;
2076
					break;
2077
				}
2078
				INP_WUNLOCK(inp);
2079
				break;
2080

2081
#if defined(IPSEC) || defined(IPSEC_SUPPORT)
2082
			case IPV6_IPSEC_POLICY:
2083
				if (IPSEC_ENABLED(ipv6)) {
2084
					error = IPSEC_PCBCTL(ipv6, inp, sopt);
2085
					break;
2086
				}
2087
				/* FALLTHROUGH */
2088
#endif /* IPSEC */
2089

2090
			default:
2091
				error = ENOPROTOOPT;
2092
				break;
2093
			}
2094
			break;
2095

2096
		case SOPT_GET:
2097
			switch (optname) {
2098
			case IPV6_2292PKTOPTIONS:
2099
#ifdef IPV6_PKTOPTIONS
2100
			case IPV6_PKTOPTIONS:
2101
#endif
2102
				/*
2103
				 * RFC3542 (effectively) deprecated the
2104
				 * semantics of the 2292-style pktoptions.
2105
				 * Since it was not reliable in nature (i.e.,
2106
				 * applications had to expect the lack of some
2107
				 * information after all), it would make sense
2108
				 * to simplify this part by always returning
2109
				 * empty data.
2110
				 */
2111
				sopt->sopt_valsize = 0;
2112
				break;
2113

2114
			case IPV6_RECVHOPOPTS:
2115
			case IPV6_RECVDSTOPTS:
2116
			case IPV6_RECVRTHDRDSTOPTS:
2117
			case IPV6_UNICAST_HOPS:
2118
			case IPV6_RECVPKTINFO:
2119
			case IPV6_RECVHOPLIMIT:
2120
			case IPV6_RECVRTHDR:
2121
			case IPV6_RECVPATHMTU:
2122

2123
			case IPV6_V6ONLY:
2124
			case IPV6_PORTRANGE:
2125
			case IPV6_RECVTCLASS:
2126
			case IPV6_AUTOFLOWLABEL:
2127
			case IPV6_BINDANY:
2128
			case IPV6_FLOWID:
2129
			case IPV6_FLOWTYPE:
2130
			case IPV6_RECVFLOWID:
2131
#ifdef	RSS
2132
			case IPV6_RSSBUCKETID:
2133
			case IPV6_RECVRSSBUCKETID:
2134
#endif
2135
			case IPV6_VLAN_PCP:
2136
				switch (optname) {
2137
				case IPV6_RECVHOPOPTS:
2138
					optval = OPTBIT(IN6P_HOPOPTS);
2139
					break;
2140

2141
				case IPV6_RECVDSTOPTS:
2142
					optval = OPTBIT(IN6P_DSTOPTS);
2143
					break;
2144

2145
				case IPV6_RECVRTHDRDSTOPTS:
2146
					optval = OPTBIT(IN6P_RTHDRDSTOPTS);
2147
					break;
2148

2149
				case IPV6_UNICAST_HOPS:
2150
					optval = inp->in6p_hops;
2151
					break;
2152

2153
				case IPV6_RECVPKTINFO:
2154
					optval = OPTBIT(IN6P_PKTINFO);
2155
					break;
2156

2157
				case IPV6_RECVHOPLIMIT:
2158
					optval = OPTBIT(IN6P_HOPLIMIT);
2159
					break;
2160

2161
				case IPV6_RECVRTHDR:
2162
					optval = OPTBIT(IN6P_RTHDR);
2163
					break;
2164

2165
				case IPV6_RECVPATHMTU:
2166
					optval = OPTBIT(IN6P_MTU);
2167
					break;
2168

2169
				case IPV6_V6ONLY:
2170
					optval = OPTBIT(IN6P_IPV6_V6ONLY);
2171
					break;
2172

2173
				case IPV6_PORTRANGE:
2174
				    {
2175
					int flags;
2176
					flags = inp->inp_flags;
2177
					if (flags & INP_HIGHPORT)
2178
						optval = IPV6_PORTRANGE_HIGH;
2179
					else if (flags & INP_LOWPORT)
2180
						optval = IPV6_PORTRANGE_LOW;
2181
					else
2182
						optval = 0;
2183
					break;
2184
				    }
2185
				case IPV6_RECVTCLASS:
2186
					optval = OPTBIT(IN6P_TCLASS);
2187
					break;
2188

2189
				case IPV6_AUTOFLOWLABEL:
2190
					optval = OPTBIT(IN6P_AUTOFLOWLABEL);
2191
					break;
2192

2193
				case IPV6_ORIGDSTADDR:
2194
					optval = OPTBIT2(INP_ORIGDSTADDR);
2195
					break;
2196

2197
				case IPV6_BINDANY:
2198
					optval = OPTBIT(INP_BINDANY);
2199
					break;
2200

2201
				case IPV6_FLOWID:
2202
					optval = inp->inp_flowid;
2203
					break;
2204

2205
				case IPV6_FLOWTYPE:
2206
					optval = inp->inp_flowtype;
2207
					break;
2208

2209
				case IPV6_RECVFLOWID:
2210
					optval = OPTBIT2(INP_RECVFLOWID);
2211
					break;
2212
#ifdef	RSS
2213
				case IPV6_RSSBUCKETID:
2214
					retval =
2215
					    rss_hash2bucket(inp->inp_flowid,
2216
					    inp->inp_flowtype,
2217
					    &rss_bucket);
2218
					if (retval == 0)
2219
						optval = rss_bucket;
2220
					else
2221
						error = EINVAL;
2222
					break;
2223

2224
				case IPV6_RECVRSSBUCKETID:
2225
					optval = OPTBIT2(INP_RECVRSSBUCKETID);
2226
					break;
2227
#endif
2228

2229

2230
				case IPV6_VLAN_PCP:
2231
					if (OPTBIT2(INP_2PCP_SET)) {
2232
						optval = (inp->inp_flags2 &
2233
							    INP_2PCP_MASK) >>
2234
							    INP_2PCP_SHIFT;
2235
					} else {
2236
						optval = -1;
2237
					}
2238
					break;
2239
				}
2240

2241
				if (error)
2242
					break;
2243
				error = sooptcopyout(sopt, &optval,
2244
					sizeof optval);
2245
				break;
2246

2247
			case IPV6_PATHMTU:
2248
			{
2249
				u_long pmtu = 0;
2250
				struct ip6_mtuinfo mtuinfo;
2251
				struct in6_addr addr;
2252

2253
				if (!(so->so_state & SS_ISCONNECTED))
2254
					return (ENOTCONN);
2255
				/*
2256
				 * XXX: we dot not consider the case of source
2257
				 * routing, or optional information to specify
2258
				 * the outgoing interface.
2259
				 * Copy faddr out of inp to avoid holding lock
2260
				 * on inp during route lookup.
2261
				 */
2262
				INP_RLOCK(inp);
2263
				bcopy(&inp->in6p_faddr, &addr, sizeof(addr));
2264
				INP_RUNLOCK(inp);
2265
				error = ip6_getpmtu_ctl(so->so_fibnum,
2266
				    &addr, &pmtu);
2267
				if (error)
2268
					break;
2269
				if (pmtu > IPV6_MAXPACKET)
2270
					pmtu = IPV6_MAXPACKET;
2271

2272
				bzero(&mtuinfo, sizeof(mtuinfo));
2273
				mtuinfo.ip6m_mtu = (u_int32_t)pmtu;
2274
				optdata = (void *)&mtuinfo;
2275
				optdatalen = sizeof(mtuinfo);
2276
				error = sooptcopyout(sopt, optdata,
2277
				    optdatalen);
2278
				break;
2279
			}
2280

2281
			case IPV6_2292PKTINFO:
2282
			case IPV6_2292HOPLIMIT:
2283
			case IPV6_2292HOPOPTS:
2284
			case IPV6_2292RTHDR:
2285
			case IPV6_2292DSTOPTS:
2286
				switch (optname) {
2287
				case IPV6_2292PKTINFO:
2288
					optval = OPTBIT(IN6P_PKTINFO);
2289
					break;
2290
				case IPV6_2292HOPLIMIT:
2291
					optval = OPTBIT(IN6P_HOPLIMIT);
2292
					break;
2293
				case IPV6_2292HOPOPTS:
2294
					optval = OPTBIT(IN6P_HOPOPTS);
2295
					break;
2296
				case IPV6_2292RTHDR:
2297
					optval = OPTBIT(IN6P_RTHDR);
2298
					break;
2299
				case IPV6_2292DSTOPTS:
2300
					optval = OPTBIT(IN6P_DSTOPTS|IN6P_RTHDRDSTOPTS);
2301
					break;
2302
				}
2303
				error = sooptcopyout(sopt, &optval,
2304
				    sizeof optval);
2305
				break;
2306
			case IPV6_PKTINFO:
2307
			case IPV6_HOPOPTS:
2308
			case IPV6_RTHDR:
2309
			case IPV6_DSTOPTS:
2310
			case IPV6_RTHDRDSTOPTS:
2311
			case IPV6_NEXTHOP:
2312
			case IPV6_TCLASS:
2313
			case IPV6_DONTFRAG:
2314
			case IPV6_USE_MIN_MTU:
2315
			case IPV6_PREFER_TEMPADDR:
2316
				error = ip6_getpcbopt(inp, optname, sopt);
2317
				break;
2318

2319
			case IPV6_MULTICAST_IF:
2320
			case IPV6_MULTICAST_HOPS:
2321
			case IPV6_MULTICAST_LOOP:
2322
			case IPV6_MSFILTER:
2323
				error = ip6_getmoptions(inp, sopt);
2324
				break;
2325

2326
#if defined(IPSEC) || defined(IPSEC_SUPPORT)
2327
			case IPV6_IPSEC_POLICY:
2328
				if (IPSEC_ENABLED(ipv6)) {
2329
					error = IPSEC_PCBCTL(ipv6, inp, sopt);
2330
					break;
2331
				}
2332
				/* FALLTHROUGH */
2333
#endif /* IPSEC */
2334
			default:
2335
				error = ENOPROTOOPT;
2336
				break;
2337
			}
2338
			break;
2339
		}
2340
	}
2341
	return (error);
2342
}
2343

2344
int
2345
ip6_raw_ctloutput(struct socket *so, struct sockopt *sopt)
2346
{
2347
	int error = 0, optval, optlen;
2348
	const int icmp6off = offsetof(struct icmp6_hdr, icmp6_cksum);
2349
	struct inpcb *inp = sotoinpcb(so);
2350
	int level, op, optname;
2351

2352
	level = sopt->sopt_level;
2353
	op = sopt->sopt_dir;
2354
	optname = sopt->sopt_name;
2355
	optlen = sopt->sopt_valsize;
2356

2357
	if (level != IPPROTO_IPV6) {
2358
		return (EINVAL);
2359
	}
2360

2361
	switch (optname) {
2362
	case IPV6_CHECKSUM:
2363
		/*
2364
		 * For ICMPv6 sockets, no modification allowed for checksum
2365
		 * offset, permit "no change" values to help existing apps.
2366
		 *
2367
		 * RFC3542 says: "An attempt to set IPV6_CHECKSUM
2368
		 * for an ICMPv6 socket will fail."
2369
		 * The current behavior does not meet RFC3542.
2370
		 */
2371
		switch (op) {
2372
		case SOPT_SET:
2373
			if (optlen != sizeof(int)) {
2374
				error = EINVAL;
2375
				break;
2376
			}
2377
			error = sooptcopyin(sopt, &optval, sizeof(optval),
2378
					    sizeof(optval));
2379
			if (error)
2380
				break;
2381
			if (optval < -1 || (optval % 2) != 0) {
2382
				/*
2383
				 * The API assumes non-negative even offset
2384
				 * values or -1 as a special value.
2385
				 */
2386
				error = EINVAL;
2387
			} else if (inp->inp_ip_p == IPPROTO_ICMPV6) {
2388
				if (optval != icmp6off)
2389
					error = EINVAL;
2390
			} else
2391
				inp->in6p_cksum = optval;
2392
			break;
2393

2394
		case SOPT_GET:
2395
			if (inp->inp_ip_p == IPPROTO_ICMPV6)
2396
				optval = icmp6off;
2397
			else
2398
				optval = inp->in6p_cksum;
2399

2400
			error = sooptcopyout(sopt, &optval, sizeof(optval));
2401
			break;
2402

2403
		default:
2404
			error = EINVAL;
2405
			break;
2406
		}
2407
		break;
2408

2409
	default:
2410
		error = ENOPROTOOPT;
2411
		break;
2412
	}
2413

2414
	return (error);
2415
}
2416

2417
/*
2418
 * Set up IP6 options in pcb for insertion in output packets or
2419
 * specifying behavior of outgoing packets.
2420
 */
2421
static int
2422
ip6_pcbopts(struct ip6_pktopts **pktopt, struct mbuf *m,
2423
    struct socket *so, struct sockopt *sopt)
2424
{
2425
	struct ip6_pktopts *opt = *pktopt;
2426
	int error = 0;
2427
	struct thread *td = sopt->sopt_td;
2428
	struct epoch_tracker et;
2429

2430
	/* turn off any old options. */
2431
	if (opt) {
2432
#ifdef DIAGNOSTIC
2433
		if (opt->ip6po_pktinfo || opt->ip6po_nexthop ||
2434
		    opt->ip6po_hbh || opt->ip6po_dest1 || opt->ip6po_dest2 ||
2435
		    opt->ip6po_rhinfo.ip6po_rhi_rthdr)
2436
			printf("ip6_pcbopts: all specified options are cleared.\n");
2437
#endif
2438
		ip6_clearpktopts(opt, -1);
2439
	} else {
2440
		opt = malloc(sizeof(*opt), M_IP6OPT, M_NOWAIT);
2441
		if (opt == NULL)
2442
			return (ENOMEM);
2443
	}
2444
	*pktopt = NULL;
2445

2446
	if (!m || m->m_len == 0) {
2447
		/*
2448
		 * Only turning off any previous options, regardless of
2449
		 * whether the opt is just created or given.
2450
		 */
2451
		free(opt, M_IP6OPT);
2452
		return (0);
2453
	}
2454

2455
	/*  set options specified by user. */
2456
	NET_EPOCH_ENTER(et);
2457
	if ((error = ip6_setpktopts(m, opt, NULL, (td != NULL) ?
2458
	    td->td_ucred : NULL, so->so_proto->pr_protocol)) != 0) {
2459
		ip6_clearpktopts(opt, -1); /* XXX: discard all options */
2460
		free(opt, M_IP6OPT);
2461
		NET_EPOCH_EXIT(et);
2462
		return (error);
2463
	}
2464
	NET_EPOCH_EXIT(et);
2465
	*pktopt = opt;
2466
	return (0);
2467
}
2468

2469
/*
2470
 * initialize ip6_pktopts.  beware that there are non-zero default values in
2471
 * the struct.
2472
 */
2473
void
2474
ip6_initpktopts(struct ip6_pktopts *opt)
2475
{
2476

2477
	bzero(opt, sizeof(*opt));
2478
	opt->ip6po_hlim = -1;	/* -1 means default hop limit */
2479
	opt->ip6po_tclass = -1;	/* -1 means default traffic class */
2480
	opt->ip6po_minmtu = IP6PO_MINMTU_MCASTONLY;
2481
	opt->ip6po_prefer_tempaddr = IP6PO_TEMPADDR_SYSTEM;
2482
}
2483

2484
static int
2485
ip6_pcbopt(int optname, u_char *buf, int len, struct ip6_pktopts **pktopt,
2486
    struct ucred *cred, int uproto)
2487
{
2488
	struct epoch_tracker et;
2489
	struct ip6_pktopts *opt;
2490
	int ret;
2491

2492
	if (*pktopt == NULL) {
2493
		*pktopt = malloc(sizeof(struct ip6_pktopts), M_IP6OPT,
2494
		    M_NOWAIT);
2495
		if (*pktopt == NULL)
2496
			return (ENOBUFS);
2497
		ip6_initpktopts(*pktopt);
2498
	}
2499
	opt = *pktopt;
2500

2501
	NET_EPOCH_ENTER(et);
2502
	ret = ip6_setpktopt(optname, buf, len, opt, cred, 1, 0, uproto);
2503
	NET_EPOCH_EXIT(et);
2504

2505
	return (ret);
2506
}
2507

2508
#define GET_PKTOPT_VAR(field, lenexpr) do {				\
2509
	if (pktopt && pktopt->field) {					\
2510
		INP_RUNLOCK(inp);					\
2511
		optdata = malloc(sopt->sopt_valsize, M_TEMP, M_WAITOK);	\
2512
		malloc_optdata = true;					\
2513
		INP_RLOCK(inp);						\
2514
		if (inp->inp_flags & INP_DROPPED) {			\
2515
			INP_RUNLOCK(inp);				\
2516
			free(optdata, M_TEMP);				\
2517
			return (ECONNRESET);				\
2518
		}							\
2519
		pktopt = inp->in6p_outputopts;				\
2520
		if (pktopt && pktopt->field) {				\
2521
			optdatalen = min(lenexpr, sopt->sopt_valsize);	\
2522
			bcopy(pktopt->field, optdata, optdatalen);	\
2523
		} else {						\
2524
			free(optdata, M_TEMP);				\
2525
			optdata = NULL;					\
2526
			malloc_optdata = false;				\
2527
		}							\
2528
	}								\
2529
} while(0)
2530

2531
#define GET_PKTOPT_EXT_HDR(field) GET_PKTOPT_VAR(field,			\
2532
	(((struct ip6_ext *)pktopt->field)->ip6e_len + 1) << 3)
2533

2534
#define GET_PKTOPT_SOCKADDR(field) GET_PKTOPT_VAR(field,		\
2535
	pktopt->field->sa_len)
2536

2537
static int
2538
ip6_getpcbopt(struct inpcb *inp, int optname, struct sockopt *sopt)
2539
{
2540
	void *optdata = NULL;
2541
	bool malloc_optdata = false;
2542
	int optdatalen = 0;
2543
	int error = 0;
2544
	struct in6_pktinfo null_pktinfo;
2545
	int deftclass = 0, on;
2546
	int defminmtu = IP6PO_MINMTU_MCASTONLY;
2547
	int defpreftemp = IP6PO_TEMPADDR_SYSTEM;
2548
	struct ip6_pktopts *pktopt;
2549

2550
	INP_RLOCK(inp);
2551
	pktopt = inp->in6p_outputopts;
2552

2553
	switch (optname) {
2554
	case IPV6_PKTINFO:
2555
		optdata = (void *)&null_pktinfo;
2556
		if (pktopt && pktopt->ip6po_pktinfo) {
2557
			bcopy(pktopt->ip6po_pktinfo, &null_pktinfo,
2558
			    sizeof(null_pktinfo));
2559
			in6_clearscope(&null_pktinfo.ipi6_addr);
2560
		} else {
2561
			/* XXX: we don't have to do this every time... */
2562
			bzero(&null_pktinfo, sizeof(null_pktinfo));
2563
		}
2564
		optdatalen = sizeof(struct in6_pktinfo);
2565
		break;
2566
	case IPV6_TCLASS:
2567
		if (pktopt && pktopt->ip6po_tclass >= 0)
2568
			deftclass = pktopt->ip6po_tclass;
2569
		optdata = (void *)&deftclass;
2570
		optdatalen = sizeof(int);
2571
		break;
2572
	case IPV6_HOPOPTS:
2573
		GET_PKTOPT_EXT_HDR(ip6po_hbh);
2574
		break;
2575
	case IPV6_RTHDR:
2576
		GET_PKTOPT_EXT_HDR(ip6po_rthdr);
2577
		break;
2578
	case IPV6_RTHDRDSTOPTS:
2579
		GET_PKTOPT_EXT_HDR(ip6po_dest1);
2580
		break;
2581
	case IPV6_DSTOPTS:
2582
		GET_PKTOPT_EXT_HDR(ip6po_dest2);
2583
		break;
2584
	case IPV6_NEXTHOP:
2585
		GET_PKTOPT_SOCKADDR(ip6po_nexthop);
2586
		break;
2587
	case IPV6_USE_MIN_MTU:
2588
		if (pktopt)
2589
			defminmtu = pktopt->ip6po_minmtu;
2590
		optdata = (void *)&defminmtu;
2591
		optdatalen = sizeof(int);
2592
		break;
2593
	case IPV6_DONTFRAG:
2594
		if (pktopt && ((pktopt->ip6po_flags) & IP6PO_DONTFRAG))
2595
			on = 1;
2596
		else
2597
			on = 0;
2598
		optdata = (void *)&on;
2599
		optdatalen = sizeof(on);
2600
		break;
2601
	case IPV6_PREFER_TEMPADDR:
2602
		if (pktopt)
2603
			defpreftemp = pktopt->ip6po_prefer_tempaddr;
2604
		optdata = (void *)&defpreftemp;
2605
		optdatalen = sizeof(int);
2606
		break;
2607
	default:		/* should not happen */
2608
#ifdef DIAGNOSTIC
2609
		panic("ip6_getpcbopt: unexpected option\n");
2610
#endif
2611
		INP_RUNLOCK(inp);
2612
		return (ENOPROTOOPT);
2613
	}
2614
	INP_RUNLOCK(inp);
2615

2616
	error = sooptcopyout(sopt, optdata, optdatalen);
2617
	if (malloc_optdata)
2618
		free(optdata, M_TEMP);
2619

2620
	return (error);
2621
}
2622

2623
void
2624
ip6_clearpktopts(struct ip6_pktopts *pktopt, int optname)
2625
{
2626
	if (pktopt == NULL)
2627
		return;
2628

2629
	if (optname == -1 || optname == IPV6_PKTINFO) {
2630
		if (pktopt->ip6po_pktinfo)
2631
			free(pktopt->ip6po_pktinfo, M_IP6OPT);
2632
		pktopt->ip6po_pktinfo = NULL;
2633
	}
2634
	if (optname == -1 || optname == IPV6_HOPLIMIT) {
2635
		pktopt->ip6po_hlim = -1;
2636
		pktopt->ip6po_valid &= ~IP6PO_VALID_HLIM;
2637
	}
2638
	if (optname == -1 || optname == IPV6_TCLASS) {
2639
		pktopt->ip6po_tclass = -1;
2640
		pktopt->ip6po_valid &= ~IP6PO_VALID_TC;
2641
	}
2642
	if (optname == -1 || optname == IPV6_NEXTHOP) {
2643
		if (pktopt->ip6po_nextroute.ro_nh) {
2644
			NH_FREE(pktopt->ip6po_nextroute.ro_nh);
2645
			pktopt->ip6po_nextroute.ro_nh = NULL;
2646
		}
2647
		if (pktopt->ip6po_nexthop)
2648
			free(pktopt->ip6po_nexthop, M_IP6OPT);
2649
		pktopt->ip6po_nexthop = NULL;
2650
		pktopt->ip6po_valid &= ~IP6PO_VALID_NHINFO;
2651
	}
2652
	if (optname == -1 || optname == IPV6_HOPOPTS) {
2653
		if (pktopt->ip6po_hbh)
2654
			free(pktopt->ip6po_hbh, M_IP6OPT);
2655
		pktopt->ip6po_hbh = NULL;
2656
		pktopt->ip6po_valid &= ~IP6PO_VALID_HBH;
2657
	}
2658
	if (optname == -1 || optname == IPV6_RTHDRDSTOPTS) {
2659
		if (pktopt->ip6po_dest1)
2660
			free(pktopt->ip6po_dest1, M_IP6OPT);
2661
		pktopt->ip6po_dest1 = NULL;
2662
		pktopt->ip6po_valid &= ~IP6PO_VALID_DEST1;
2663
	}
2664
	if (optname == -1 || optname == IPV6_RTHDR) {
2665
		if (pktopt->ip6po_rhinfo.ip6po_rhi_rthdr)
2666
			free(pktopt->ip6po_rhinfo.ip6po_rhi_rthdr, M_IP6OPT);
2667
		pktopt->ip6po_rhinfo.ip6po_rhi_rthdr = NULL;
2668
		if (pktopt->ip6po_route.ro_nh) {
2669
			NH_FREE(pktopt->ip6po_route.ro_nh);
2670
			pktopt->ip6po_route.ro_nh = NULL;
2671
		}
2672
		pktopt->ip6po_valid &= ~IP6PO_VALID_RHINFO;
2673
	}
2674
	if (optname == -1 || optname == IPV6_DSTOPTS) {
2675
		if (pktopt->ip6po_dest2)
2676
			free(pktopt->ip6po_dest2, M_IP6OPT);
2677
		pktopt->ip6po_dest2 = NULL;
2678
		pktopt->ip6po_valid &= ~IP6PO_VALID_DEST2;
2679
	}
2680
}
2681

2682
#define PKTOPT_EXTHDRCPY(type) \
2683
do {\
2684
	if (src->type) {\
2685
		int hlen = (((struct ip6_ext *)src->type)->ip6e_len + 1) << 3;\
2686
		dst->type = malloc(hlen, M_IP6OPT, canwait);\
2687
		if (dst->type == NULL)\
2688
			goto bad;\
2689
		bcopy(src->type, dst->type, hlen);\
2690
	}\
2691
} while (/*CONSTCOND*/ 0)
2692

2693
static int
2694
copypktopts(struct ip6_pktopts *dst, struct ip6_pktopts *src, int canwait)
2695
{
2696
	if (dst == NULL || src == NULL)  {
2697
		printf("ip6_clearpktopts: invalid argument\n");
2698
		return (EINVAL);
2699
	}
2700

2701
	dst->ip6po_hlim = src->ip6po_hlim;
2702
	dst->ip6po_tclass = src->ip6po_tclass;
2703
	dst->ip6po_flags = src->ip6po_flags;
2704
	dst->ip6po_minmtu = src->ip6po_minmtu;
2705
	dst->ip6po_prefer_tempaddr = src->ip6po_prefer_tempaddr;
2706
	if (src->ip6po_pktinfo) {
2707
		dst->ip6po_pktinfo = malloc(sizeof(*dst->ip6po_pktinfo),
2708
		    M_IP6OPT, canwait);
2709
		if (dst->ip6po_pktinfo == NULL)
2710
			goto bad;
2711
		*dst->ip6po_pktinfo = *src->ip6po_pktinfo;
2712
	}
2713
	if (src->ip6po_nexthop) {
2714
		dst->ip6po_nexthop = malloc(src->ip6po_nexthop->sa_len,
2715
		    M_IP6OPT, canwait);
2716
		if (dst->ip6po_nexthop == NULL)
2717
			goto bad;
2718
		bcopy(src->ip6po_nexthop, dst->ip6po_nexthop,
2719
		    src->ip6po_nexthop->sa_len);
2720
	}
2721
	PKTOPT_EXTHDRCPY(ip6po_hbh);
2722
	PKTOPT_EXTHDRCPY(ip6po_dest1);
2723
	PKTOPT_EXTHDRCPY(ip6po_dest2);
2724
	PKTOPT_EXTHDRCPY(ip6po_rthdr); /* not copy the cached route */
2725
	dst->ip6po_valid = src->ip6po_valid;
2726
	return (0);
2727

2728
  bad:
2729
	ip6_clearpktopts(dst, -1);
2730
	return (ENOBUFS);
2731
}
2732
#undef PKTOPT_EXTHDRCPY
2733

2734
struct ip6_pktopts *
2735
ip6_copypktopts(struct ip6_pktopts *src, int canwait)
2736
{
2737
	int error;
2738
	struct ip6_pktopts *dst;
2739

2740
	dst = malloc(sizeof(*dst), M_IP6OPT, canwait);
2741
	if (dst == NULL)
2742
		return (NULL);
2743
	ip6_initpktopts(dst);
2744

2745
	if ((error = copypktopts(dst, src, canwait)) != 0) {
2746
		free(dst, M_IP6OPT);
2747
		return (NULL);
2748
	}
2749

2750
	return (dst);
2751
}
2752

2753
void
2754
ip6_freepcbopts(struct ip6_pktopts *pktopt)
2755
{
2756
	if (pktopt == NULL)
2757
		return;
2758

2759
	ip6_clearpktopts(pktopt, -1);
2760

2761
	free(pktopt, M_IP6OPT);
2762
}
2763

2764
/*
2765
 * Set IPv6 outgoing packet options based on advanced API.
2766
 */
2767
int
2768
ip6_setpktopts(struct mbuf *control, struct ip6_pktopts *opt,
2769
    struct ip6_pktopts *stickyopt, struct ucred *cred, int uproto)
2770
{
2771
	struct cmsghdr *cm = NULL;
2772

2773
	if (control == NULL || opt == NULL)
2774
		return (EINVAL);
2775

2776
	/*
2777
	 * ip6_setpktopt can call ifnet_byindex(), so it's imperative that we
2778
	 * are in the network epoch here.
2779
	 */
2780
	NET_EPOCH_ASSERT();
2781

2782
	ip6_initpktopts(opt);
2783
	if (stickyopt) {
2784
		int error;
2785

2786
		/*
2787
		 * If stickyopt is provided, make a local copy of the options
2788
		 * for this particular packet, then override them by ancillary
2789
		 * objects.
2790
		 * XXX: copypktopts() does not copy the cached route to a next
2791
		 * hop (if any).  This is not very good in terms of efficiency,
2792
		 * but we can allow this since this option should be rarely
2793
		 * used.
2794
		 */
2795
		if ((error = copypktopts(opt, stickyopt, M_NOWAIT)) != 0)
2796
			return (error);
2797
	}
2798

2799
	/*
2800
	 * XXX: Currently, we assume all the optional information is stored
2801
	 * in a single mbuf.
2802
	 */
2803
	if (control->m_next)
2804
		return (EINVAL);
2805

2806
	for (; control->m_len > 0; control->m_data += CMSG_ALIGN(cm->cmsg_len),
2807
	    control->m_len -= CMSG_ALIGN(cm->cmsg_len)) {
2808
		int error;
2809

2810
		if (control->m_len < CMSG_LEN(0))
2811
			return (EINVAL);
2812

2813
		cm = mtod(control, struct cmsghdr *);
2814
		if (cm->cmsg_len == 0 || cm->cmsg_len > control->m_len)
2815
			return (EINVAL);
2816
		if (cm->cmsg_level != IPPROTO_IPV6)
2817
			continue;
2818

2819
		error = ip6_setpktopt(cm->cmsg_type, CMSG_DATA(cm),
2820
		    cm->cmsg_len - CMSG_LEN(0), opt, cred, 0, 1, uproto);
2821
		if (error)
2822
			return (error);
2823
	}
2824

2825
	return (0);
2826
}
2827

2828
/*
2829
 * Set a particular packet option, as a sticky option or an ancillary data
2830
 * item.  "len" can be 0 only when it's a sticky option.
2831
 * We have 4 cases of combination of "sticky" and "cmsg":
2832
 * "sticky=0, cmsg=0": impossible
2833
 * "sticky=0, cmsg=1": RFC2292 or RFC3542 ancillary data
2834
 * "sticky=1, cmsg=0": RFC3542 socket option
2835
 * "sticky=1, cmsg=1": RFC2292 socket option
2836
 */
2837
static int
2838
ip6_setpktopt(int optname, u_char *buf, int len, struct ip6_pktopts *opt,
2839
    struct ucred *cred, int sticky, int cmsg, int uproto)
2840
{
2841
	int minmtupolicy, preftemp;
2842
	int error;
2843

2844
	NET_EPOCH_ASSERT();
2845

2846
	if (!sticky && !cmsg) {
2847
#ifdef DIAGNOSTIC
2848
		printf("ip6_setpktopt: impossible case\n");
2849
#endif
2850
		return (EINVAL);
2851
	}
2852

2853
	/*
2854
	 * IPV6_2292xxx is for backward compatibility to RFC2292, and should
2855
	 * not be specified in the context of RFC3542.  Conversely,
2856
	 * RFC3542 types should not be specified in the context of RFC2292.
2857
	 */
2858
	if (!cmsg) {
2859
		switch (optname) {
2860
		case IPV6_2292PKTINFO:
2861
		case IPV6_2292HOPLIMIT:
2862
		case IPV6_2292NEXTHOP:
2863
		case IPV6_2292HOPOPTS:
2864
		case IPV6_2292DSTOPTS:
2865
		case IPV6_2292RTHDR:
2866
		case IPV6_2292PKTOPTIONS:
2867
			return (ENOPROTOOPT);
2868
		}
2869
	}
2870
	if (sticky && cmsg) {
2871
		switch (optname) {
2872
		case IPV6_PKTINFO:
2873
		case IPV6_HOPLIMIT:
2874
		case IPV6_NEXTHOP:
2875
		case IPV6_HOPOPTS:
2876
		case IPV6_DSTOPTS:
2877
		case IPV6_RTHDRDSTOPTS:
2878
		case IPV6_RTHDR:
2879
		case IPV6_USE_MIN_MTU:
2880
		case IPV6_DONTFRAG:
2881
		case IPV6_TCLASS:
2882
		case IPV6_PREFER_TEMPADDR: /* XXX: not an RFC3542 option */
2883
			return (ENOPROTOOPT);
2884
		}
2885
	}
2886

2887
	switch (optname) {
2888
	case IPV6_2292PKTINFO:
2889
	case IPV6_PKTINFO:
2890
	{
2891
		struct ifnet *ifp = NULL;
2892
		struct in6_pktinfo *pktinfo;
2893

2894
		if (len != sizeof(struct in6_pktinfo))
2895
			return (EINVAL);
2896

2897
		pktinfo = (struct in6_pktinfo *)buf;
2898

2899
		/*
2900
		 * An application can clear any sticky IPV6_PKTINFO option by
2901
		 * doing a "regular" setsockopt with ipi6_addr being
2902
		 * in6addr_any and ipi6_ifindex being zero.
2903
		 * [RFC 3542, Section 6]
2904
		 */
2905
		if (optname == IPV6_PKTINFO && opt->ip6po_pktinfo &&
2906
		    pktinfo->ipi6_ifindex == 0 &&
2907
		    IN6_IS_ADDR_UNSPECIFIED(&pktinfo->ipi6_addr)) {
2908
			ip6_clearpktopts(opt, optname);
2909
			break;
2910
		}
2911

2912
		if (uproto == IPPROTO_TCP && optname == IPV6_PKTINFO &&
2913
		    sticky && !IN6_IS_ADDR_UNSPECIFIED(&pktinfo->ipi6_addr)) {
2914
			return (EINVAL);
2915
		}
2916
		if (IN6_IS_ADDR_MULTICAST(&pktinfo->ipi6_addr))
2917
			return (EINVAL);
2918
		/* validate the interface index if specified. */
2919
		if (pktinfo->ipi6_ifindex) {
2920
			ifp = ifnet_byindex(pktinfo->ipi6_ifindex);
2921
			if (ifp == NULL)
2922
				return (ENXIO);
2923
		}
2924
		if (ifp != NULL && (ifp->if_afdata[AF_INET6] == NULL ||
2925
		    (ND_IFINFO(ifp)->flags & ND6_IFF_IFDISABLED) != 0))
2926
			return (ENETDOWN);
2927

2928
		if (ifp != NULL &&
2929
		    !IN6_IS_ADDR_UNSPECIFIED(&pktinfo->ipi6_addr)) {
2930
			struct in6_ifaddr *ia;
2931

2932
			in6_setscope(&pktinfo->ipi6_addr, ifp, NULL);
2933
			ia = in6ifa_ifpwithaddr(ifp, &pktinfo->ipi6_addr);
2934
			if (ia == NULL)
2935
				return (EADDRNOTAVAIL);
2936
			ifa_free(&ia->ia_ifa);
2937
		}
2938
		/*
2939
		 * We store the address anyway, and let in6_selectsrc()
2940
		 * validate the specified address.  This is because ipi6_addr
2941
		 * may not have enough information about its scope zone, and
2942
		 * we may need additional information (such as outgoing
2943
		 * interface or the scope zone of a destination address) to
2944
		 * disambiguate the scope.
2945
		 * XXX: the delay of the validation may confuse the
2946
		 * application when it is used as a sticky option.
2947
		 */
2948
		if (opt->ip6po_pktinfo == NULL) {
2949
			opt->ip6po_pktinfo = malloc(sizeof(*pktinfo),
2950
			    M_IP6OPT, M_NOWAIT);
2951
			if (opt->ip6po_pktinfo == NULL)
2952
				return (ENOBUFS);
2953
		}
2954
		bcopy(pktinfo, opt->ip6po_pktinfo, sizeof(*pktinfo));
2955
		opt->ip6po_valid |= IP6PO_VALID_PKTINFO;
2956
		break;
2957
	}
2958

2959
	case IPV6_2292HOPLIMIT:
2960
	case IPV6_HOPLIMIT:
2961
	{
2962
		int *hlimp;
2963

2964
		/*
2965
		 * RFC 3542 deprecated the usage of sticky IPV6_HOPLIMIT
2966
		 * to simplify the ordering among hoplimit options.
2967
		 */
2968
		if (optname == IPV6_HOPLIMIT && sticky)
2969
			return (ENOPROTOOPT);
2970

2971
		if (len != sizeof(int))
2972
			return (EINVAL);
2973
		hlimp = (int *)buf;
2974
		if (*hlimp < -1 || *hlimp > 255)
2975
			return (EINVAL);
2976

2977
		opt->ip6po_hlim = *hlimp;
2978
		opt->ip6po_valid |= IP6PO_VALID_HLIM;
2979
		break;
2980
	}
2981

2982
	case IPV6_TCLASS:
2983
	{
2984
		int tclass;
2985

2986
		if (len != sizeof(int))
2987
			return (EINVAL);
2988
		tclass = *(int *)buf;
2989
		if (tclass < -1 || tclass > 255)
2990
			return (EINVAL);
2991

2992
		opt->ip6po_tclass = tclass;
2993
		opt->ip6po_valid |= IP6PO_VALID_TC;
2994
		break;
2995
	}
2996

2997
	case IPV6_2292NEXTHOP:
2998
	case IPV6_NEXTHOP:
2999
		if (cred != NULL) {
3000
			error = priv_check_cred(cred, PRIV_NETINET_SETHDROPTS);
3001
			if (error)
3002
				return (error);
3003
		}
3004

3005
		if (len == 0) {	/* just remove the option */
3006
			ip6_clearpktopts(opt, IPV6_NEXTHOP);
3007
			break;
3008
		}
3009

3010
		/* check if cmsg_len is large enough for sa_len */
3011
		if (len < sizeof(struct sockaddr) || len < *buf)
3012
			return (EINVAL);
3013

3014
		switch (((struct sockaddr *)buf)->sa_family) {
3015
		case AF_INET6:
3016
		{
3017
			struct sockaddr_in6 *sa6 = (struct sockaddr_in6 *)buf;
3018
			int error;
3019

3020
			if (sa6->sin6_len != sizeof(struct sockaddr_in6))
3021
				return (EINVAL);
3022

3023
			if (IN6_IS_ADDR_UNSPECIFIED(&sa6->sin6_addr) ||
3024
			    IN6_IS_ADDR_MULTICAST(&sa6->sin6_addr)) {
3025
				return (EINVAL);
3026
			}
3027
			if ((error = sa6_embedscope(sa6, V_ip6_use_defzone))
3028
			    != 0) {
3029
				return (error);
3030
			}
3031
			break;
3032
		}
3033
		case AF_LINK:	/* should eventually be supported */
3034
		default:
3035
			return (EAFNOSUPPORT);
3036
		}
3037

3038
		/* turn off the previous option, then set the new option. */
3039
		ip6_clearpktopts(opt, IPV6_NEXTHOP);
3040
		opt->ip6po_nexthop = malloc(*buf, M_IP6OPT, M_NOWAIT);
3041
		if (opt->ip6po_nexthop == NULL)
3042
			return (ENOBUFS);
3043
		bcopy(buf, opt->ip6po_nexthop, *buf);
3044
		opt->ip6po_valid |= IP6PO_VALID_NHINFO;
3045
		break;
3046

3047
	case IPV6_2292HOPOPTS:
3048
	case IPV6_HOPOPTS:
3049
	{
3050
		struct ip6_hbh *hbh;
3051
		int hbhlen;
3052

3053
		/*
3054
		 * XXX: We don't allow a non-privileged user to set ANY HbH
3055
		 * options, since per-option restriction has too much
3056
		 * overhead.
3057
		 */
3058
		if (cred != NULL) {
3059
			error = priv_check_cred(cred, PRIV_NETINET_SETHDROPTS);
3060
			if (error)
3061
				return (error);
3062
		}
3063

3064
		if (len == 0) {
3065
			ip6_clearpktopts(opt, IPV6_HOPOPTS);
3066
			break;	/* just remove the option */
3067
		}
3068

3069
		/* message length validation */
3070
		if (len < sizeof(struct ip6_hbh))
3071
			return (EINVAL);
3072
		hbh = (struct ip6_hbh *)buf;
3073
		hbhlen = (hbh->ip6h_len + 1) << 3;
3074
		if (len != hbhlen)
3075
			return (EINVAL);
3076

3077
		/* turn off the previous option, then set the new option. */
3078
		ip6_clearpktopts(opt, IPV6_HOPOPTS);
3079
		opt->ip6po_hbh = malloc(hbhlen, M_IP6OPT, M_NOWAIT);
3080
		if (opt->ip6po_hbh == NULL)
3081
			return (ENOBUFS);
3082
		bcopy(hbh, opt->ip6po_hbh, hbhlen);
3083
		opt->ip6po_valid |= IP6PO_VALID_HBH;
3084

3085
		break;
3086
	}
3087

3088
	case IPV6_2292DSTOPTS:
3089
	case IPV6_DSTOPTS:
3090
	case IPV6_RTHDRDSTOPTS:
3091
	{
3092
		struct ip6_dest *dest, **newdest = NULL;
3093
		int destlen;
3094

3095
		if (cred != NULL) { /* XXX: see the comment for IPV6_HOPOPTS */
3096
			error = priv_check_cred(cred, PRIV_NETINET_SETHDROPTS);
3097
			if (error)
3098
				return (error);
3099
		}
3100

3101
		if (len == 0) {
3102
			ip6_clearpktopts(opt, optname);
3103
			break;	/* just remove the option */
3104
		}
3105

3106
		/* message length validation */
3107
		if (len < sizeof(struct ip6_dest))
3108
			return (EINVAL);
3109
		dest = (struct ip6_dest *)buf;
3110
		destlen = (dest->ip6d_len + 1) << 3;
3111
		if (len != destlen)
3112
			return (EINVAL);
3113

3114
		/*
3115
		 * Determine the position that the destination options header
3116
		 * should be inserted; before or after the routing header.
3117
		 */
3118
		switch (optname) {
3119
		case IPV6_2292DSTOPTS:
3120
			/*
3121
			 * The old advacned API is ambiguous on this point.
3122
			 * Our approach is to determine the position based
3123
			 * according to the existence of a routing header.
3124
			 * Note, however, that this depends on the order of the
3125
			 * extension headers in the ancillary data; the 1st
3126
			 * part of the destination options header must appear
3127
			 * before the routing header in the ancillary data,
3128
			 * too.
3129
			 * RFC3542 solved the ambiguity by introducing
3130
			 * separate ancillary data or option types.
3131
			 */
3132
			if (opt->ip6po_rthdr == NULL)
3133
				newdest = &opt->ip6po_dest1;
3134
			else
3135
				newdest = &opt->ip6po_dest2;
3136
			break;
3137
		case IPV6_RTHDRDSTOPTS:
3138
			newdest = &opt->ip6po_dest1;
3139
			break;
3140
		case IPV6_DSTOPTS:
3141
			newdest = &opt->ip6po_dest2;
3142
			break;
3143
		}
3144

3145
		/* turn off the previous option, then set the new option. */
3146
		ip6_clearpktopts(opt, optname);
3147
		*newdest = malloc(destlen, M_IP6OPT, M_NOWAIT);
3148
		if (*newdest == NULL)
3149
			return (ENOBUFS);
3150
		bcopy(dest, *newdest, destlen);
3151
		if (newdest == &opt->ip6po_dest1)
3152
			opt->ip6po_valid |= IP6PO_VALID_DEST1;
3153
		else
3154
			opt->ip6po_valid |= IP6PO_VALID_DEST2;
3155

3156
		break;
3157
	}
3158

3159
	case IPV6_2292RTHDR:
3160
	case IPV6_RTHDR:
3161
	{
3162
		struct ip6_rthdr *rth;
3163
		int rthlen;
3164

3165
		if (len == 0) {
3166
			ip6_clearpktopts(opt, IPV6_RTHDR);
3167
			break;	/* just remove the option */
3168
		}
3169

3170
		/* message length validation */
3171
		if (len < sizeof(struct ip6_rthdr))
3172
			return (EINVAL);
3173
		rth = (struct ip6_rthdr *)buf;
3174
		rthlen = (rth->ip6r_len + 1) << 3;
3175
		if (len != rthlen)
3176
			return (EINVAL);
3177

3178
		switch (rth->ip6r_type) {
3179
		case IPV6_RTHDR_TYPE_0:
3180
			if (rth->ip6r_len == 0)	/* must contain one addr */
3181
				return (EINVAL);
3182
			if (rth->ip6r_len % 2) /* length must be even */
3183
				return (EINVAL);
3184
			if (rth->ip6r_len / 2 != rth->ip6r_segleft)
3185
				return (EINVAL);
3186
			break;
3187
		default:
3188
			return (EINVAL);	/* not supported */
3189
		}
3190

3191
		/* turn off the previous option */
3192
		ip6_clearpktopts(opt, IPV6_RTHDR);
3193
		opt->ip6po_rthdr = malloc(rthlen, M_IP6OPT, M_NOWAIT);
3194
		if (opt->ip6po_rthdr == NULL)
3195
			return (ENOBUFS);
3196
		bcopy(rth, opt->ip6po_rthdr, rthlen);
3197
		opt->ip6po_valid |= IP6PO_VALID_RHINFO;
3198

3199
		break;
3200
	}
3201

3202
	case IPV6_USE_MIN_MTU:
3203
		if (len != sizeof(int))
3204
			return (EINVAL);
3205
		minmtupolicy = *(int *)buf;
3206
		if (minmtupolicy != IP6PO_MINMTU_MCASTONLY &&
3207
		    minmtupolicy != IP6PO_MINMTU_DISABLE &&
3208
		    minmtupolicy != IP6PO_MINMTU_ALL) {
3209
			return (EINVAL);
3210
		}
3211
		opt->ip6po_minmtu = minmtupolicy;
3212
		break;
3213

3214
	case IPV6_DONTFRAG:
3215
		if (len != sizeof(int))
3216
			return (EINVAL);
3217

3218
		if (uproto == IPPROTO_TCP || *(int *)buf == 0) {
3219
			/*
3220
			 * we ignore this option for TCP sockets.
3221
			 * (RFC3542 leaves this case unspecified.)
3222
			 */
3223
			opt->ip6po_flags &= ~IP6PO_DONTFRAG;
3224
		} else
3225
			opt->ip6po_flags |= IP6PO_DONTFRAG;
3226
		break;
3227

3228
	case IPV6_PREFER_TEMPADDR:
3229
		if (len != sizeof(int))
3230
			return (EINVAL);
3231
		preftemp = *(int *)buf;
3232
		if (preftemp != IP6PO_TEMPADDR_SYSTEM &&
3233
		    preftemp != IP6PO_TEMPADDR_NOTPREFER &&
3234
		    preftemp != IP6PO_TEMPADDR_PREFER) {
3235
			return (EINVAL);
3236
		}
3237
		opt->ip6po_prefer_tempaddr = preftemp;
3238
		break;
3239

3240
	default:
3241
		return (ENOPROTOOPT);
3242
	} /* end of switch */
3243

3244
	return (0);
3245
}
3246

3247
/*
3248
 * Routine called from ip6_output() to loop back a copy of an IP6 multicast
3249
 * packet to the input queue of a specified interface.  Note that this
3250
 * calls the output routine of the loopback "driver", but with an interface
3251
 * pointer that might NOT be &loif -- easier than replicating that code here.
3252
 */
3253
void
3254
ip6_mloopback(struct ifnet *ifp, struct mbuf *m)
3255
{
3256
	struct mbuf *copym;
3257
	struct ip6_hdr *ip6;
3258

3259
	copym = m_copym(m, 0, M_COPYALL, M_NOWAIT);
3260
	if (copym == NULL)
3261
		return;
3262

3263
	/*
3264
	 * Make sure to deep-copy IPv6 header portion in case the data
3265
	 * is in an mbuf cluster, so that we can safely override the IPv6
3266
	 * header portion later.
3267
	 */
3268
	if (!M_WRITABLE(copym) ||
3269
	    copym->m_len < sizeof(struct ip6_hdr)) {
3270
		copym = m_pullup(copym, sizeof(struct ip6_hdr));
3271
		if (copym == NULL)
3272
			return;
3273
	}
3274
	ip6 = mtod(copym, struct ip6_hdr *);
3275
	/*
3276
	 * clear embedded scope identifiers if necessary.
3277
	 * in6_clearscope will touch the addresses only when necessary.
3278
	 */
3279
	in6_clearscope(&ip6->ip6_src);
3280
	in6_clearscope(&ip6->ip6_dst);
3281
	if (copym->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) {
3282
		copym->m_pkthdr.csum_flags |= CSUM_DATA_VALID_IPV6 |
3283
		    CSUM_PSEUDO_HDR;
3284
		copym->m_pkthdr.csum_data = 0xffff;
3285
	}
3286
	if_simloop(ifp, copym, AF_INET6, 0);
3287
}
3288

3289
/*
3290
 * Chop IPv6 header off from the payload.
3291
 */
3292
static int
3293
ip6_splithdr(struct mbuf *m, struct ip6_exthdrs *exthdrs)
3294
{
3295
	struct mbuf *mh;
3296
	struct ip6_hdr *ip6;
3297

3298
	ip6 = mtod(m, struct ip6_hdr *);
3299
	if (m->m_len > sizeof(*ip6)) {
3300
		mh = m_gethdr(M_NOWAIT, MT_DATA);
3301
		if (mh == NULL) {
3302
			m_freem(m);
3303
			return ENOBUFS;
3304
		}
3305
		m_move_pkthdr(mh, m);
3306
		M_ALIGN(mh, sizeof(*ip6));
3307
		m->m_len -= sizeof(*ip6);
3308
		m->m_data += sizeof(*ip6);
3309
		mh->m_next = m;
3310
		m = mh;
3311
		m->m_len = sizeof(*ip6);
3312
		bcopy((caddr_t)ip6, mtod(m, caddr_t), sizeof(*ip6));
3313
	}
3314
	exthdrs->ip6e_ip6 = m;
3315
	return 0;
3316
}
3317

3318
/*
3319
 * Compute IPv6 extension header length.
3320
 */
3321
int
3322
ip6_optlen(struct inpcb *inp)
3323
{
3324
	int len;
3325

3326
	if (!inp->in6p_outputopts)
3327
		return 0;
3328

3329
	len = 0;
3330
#define elen(x) \
3331
    (((struct ip6_ext *)(x)) ? (((struct ip6_ext *)(x))->ip6e_len + 1) << 3 : 0)
3332

3333
	len += elen(inp->in6p_outputopts->ip6po_hbh);
3334
	if (inp->in6p_outputopts->ip6po_rthdr)
3335
		/* dest1 is valid with rthdr only */
3336
		len += elen(inp->in6p_outputopts->ip6po_dest1);
3337
	len += elen(inp->in6p_outputopts->ip6po_rthdr);
3338
	len += elen(inp->in6p_outputopts->ip6po_dest2);
3339
	return len;
3340
#undef elen
3341
}
3342

3343