/*
 * Install a pf rdr rule that redirects src -> dst:d_port to rdr:rdr_port.
 *
 * All three addresses and both ports must be non-zero, and src and rdr must
 * share an address family; otherwise errno is set to EINVAL.  The rule
 * skeleton is built by prepare_rule() in the file-scope pfr/pfp objects.
 * This function then adds the redirection target to the address pool as a
 * single host (all-ones mask) and submits the rule through the pf device.
 *
 * Returns 0 on success and -1 on failure (errno from the failing check,
 * prepare_rule() or ioctl()).
 */
int
add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
    u_int16_t d_port, struct sockaddr *rdr, u_int16_t rdr_port)
{
	/* Reject missing arguments before any pointer is dereferenced. */
	if (!src || !dst || !rdr || !d_port || !rdr_port) {
		errno = EINVAL;
		return (-1);
	}
	if (src->sa_family != rdr->sa_family) {
		errno = EINVAL;
		return (-1);
	}

	if (prepare_rule(id, PF_RULESET_RDR, src, dst, d_port) == -1)
		return (-1);

	/*
	 * Any family other than AF_INET is copied as a 16-byte IPv6 address.
	 * NOTE(review): this relies on prepare_rule() having rejected every
	 * family except AF_INET/AF_INET6 for src (and rdr matches src above);
	 * confirm against the prepare_rule() this file links with.
	 */
	if (rdr->sa_family != AF_INET) {
		memcpy(&pfp.addr.addr.v.a.addr.v6,
		    &satosin6(rdr)->sin6_addr.s6_addr, 16);
		memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16);
	} else {
		memcpy(&pfp.addr.addr.v.a.addr.v4,
		    &satosin(rdr)->sin_addr.s_addr, 4);
		memset(&pfp.addr.addr.v.a.mask.addr8, 255, 4);
	}

	/* The pool address has to be registered before the rule itself. */
	if (ioctl(dev, DIOCADDADDR, &pfp) == -1)
		return (-1);

	pfr.rule.rpool.proxy_port[0] = rdr_port;
	if (ioctl(dev, DIOCADDRULE, &pfr) == -1)
		return (-1);

	return (0);
}
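/*
 * Render a socket address as a host name, or as a numeric string when
 * `flags` is non-zero.
 *
 * getnameinfo() is tried first.  If it fails, AF_INET/AF_INET6 addresses
 * (when compiled in) are formatted with inet_ntop(); any other family
 * yields an empty string.  On success the local domain is trimmed with
 * trimdomain().
 *
 * The result lives in a static buffer: it is overwritten by the next call
 * and the function is not reentrant.  Because the buffer persists between
 * calls, the failure paths clear it explicitly so that a name produced for
 * an earlier address is never returned for this one.
 */
char *
routename(struct sockaddr *sa, int flags)
{
	static char line[NI_MAXHOST];
	int error, f;

	f = (flags) ? NI_NUMERICHOST : 0;
	error = getnameinfo(sa, sa->sa_len, line, sizeof(line), NULL, 0, f);
	if (error) {
		const void *src;

		/* Do not leak the previous call's result on failure. */
		line[0] = '\0';

		switch (sa->sa_family) {
#ifdef INET
		case AF_INET:
			src = &satosin(sa)->sin_addr;
			break;
#endif /* INET */
#ifdef INET6
		case AF_INET6:
			src = &satosin6(sa)->sin6_addr;
			break;
#endif /* INET6 */
		default:
			return (line);
		}
		/* inet_ntop() can fail too; keep the buffer well defined. */
		if (inet_ntop(sa->sa_family, src, line,
		    sizeof(line) - 1) == NULL)
			line[0] = '\0';
		return (line);
	}
	trimdomain(line, strlen(line));

	return (line);
}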
/*
 * Look up the original destination of a redirected connection, dispatching
 * to the IPv4 or IPv6 lookup helper according to src's address family.
 *
 * Only src->sa_family is inspected.  proxy and orig_dst are cast to the
 * same family without a check of their own.
 * NOTE(review): presumably callers guarantee all three sockaddrs share a
 * family and that orig_dst is large enough for it; confirm at call sites.
 *
 * Returns the helper's result, or -1 with errno = EPROTONOSUPPORT for any
 * other family.
 */
int
Mod_fw_lookup_orig_dst(FW_handle_T handle, struct sockaddr *src,
    struct sockaddr *proxy, struct sockaddr *orig_dst)
{
	struct fw_handle *fwh = handle->fwh;

	switch (src->sa_family) {
	case AF_INET:
		return server_lookup4(fwh->pfdev, satosin(src),
		    satosin(proxy), satosin(orig_dst));
	case AF_INET6:
		return server_lookup6(fwh->pfdev, satosin6(src),
		    satosin6(proxy), satosin6(orig_dst));
	default:
		errno = EPROTONOSUPPORT;
		return -1;
	}
}
/*
 * Return the name of the network whose address is given.
 *
 * AF_INET addresses go to netname4(); a NULL mask is replaced by INADDR_ANY.
 * AF_INET6 addresses (when compiled in) go to netname6(), which receives the
 * mask pointer as-is, NULL included.  Any other family yields NULL.
 */
const char *
netname(struct sockaddr *sa, struct sockaddr *mask)
{
	if (sa->sa_family == AF_INET)
		return (netname4(satosin(sa)->sin_addr.s_addr,
		    mask != NULL ? satosin(mask)->sin_addr.s_addr :
		    INADDR_ANY));
#ifdef INET6
	if (sa->sa_family == AF_INET6)
		return (netname6(satosin6(sa), satosin6(mask)));
#endif /* INET6 */
	return (NULL);
}
/*
 * Copy an IPv6 socket address into dst and convert the copy's scope
 * information with sa6_recoverscope().
 *
 * Returns dst on success.  Returns NULL when sockaddr_copy() yields NULL
 * (presumably because socklen is too small for src; confirm against
 * sockaddr_copy()) or when sa6_recoverscope() reports an error.  In the
 * second case dst has already been written, so callers must not use it
 * after a NULL return.
 */
struct sockaddr *
sockaddr_in6_externalize(struct sockaddr *dst, socklen_t socklen,
    const struct sockaddr *src)
{
	struct sockaddr_in6 *copy = satosin6(sockaddr_copy(dst, socklen, src));

	if (copy == NULL)
		return NULL;
	if (sa6_recoverscope(copy) != 0)
		return NULL;
	return dst;
}
/*
 * Store addr in the pf pool entry as a single host: the address is copied
 * and the mask is set to all ones over the address length (4 bytes for
 * AF_INET, 16 bytes otherwise).  The entry type becomes PF_ADDR_ADDRMASK.
 *
 * Always returns 0.
 */
int
add_addr(struct sockaddr *addr, struct pf_pool *pfp)
{
	if (addr->sa_family != AF_INET) {
		/*
		 * NOTE(review): every family other than AF_INET is read as a
		 * sockaddr_in6.  A shorter sockaddr of some other family
		 * would be read past its end here, so callers are presumably
		 * expected to pass only AF_INET/AF_INET6; confirm.
		 */
		memcpy(&pfp->addr.v.a.addr.v6,
		    &satosin6(addr)->sin6_addr.s6_addr, 16);
		memset(&pfp->addr.v.a.mask.addr8, 255, 16);
	} else {
		memcpy(&pfp->addr.v.a.addr.v4,
		    &satosin(addr)->sin_addr.s_addr, 4);
		memset(&pfp->addr.v.a.mask.addr8, 255, 4);
	}

	pfp->addr.type = PF_ADDR_ADDRMASK;
	return (0);
}
/*
 * Route-insertion hook for the IPv6 radix tree.
 *
 * Before handing the entry to rn_addroute() it
 *   - marks routes to multicast destinations with RTF_MULTICAST (cheap to
 *     do, although the address itself is just as easy to inspect),
 *   - marks a host route whose key equals the address of its own ifaddr
 *     with RTF_LOCAL, with the thought that this might one day speed up
 *     ip_input(),
 *   - bounds the route MTU by the link MTU of the outgoing interface.
 *
 * XXX should elaborate the code.
 */
static struct radix_node *
in6_addroute(void *v_arg, void *n_arg, struct radix_head *head,
    struct radix_node *treenodes)
{
	struct rtentry *rt = (struct rtentry *)treenodes;
	struct sockaddr_in6 *key = (struct sockaddr_in6 *)rt_key(rt);

	if (IN6_IS_ADDR_MULTICAST(&key->sin6_addr))
		rt->rt_flags |= RTF_MULTICAST;

	/* rt_ifa and its ifa_addr are dereferenced without a NULL check. */
	if ((rt->rt_flags & RTF_HOST) &&
	    IN6_ARE_ADDR_EQUAL(&satosin6(rt->rt_ifa->ifa_addr)->sin6_addr,
	    &key->sin6_addr))
		rt->rt_flags |= RTF_LOCAL;

	/*
	 * Route MTU: inherit the interface's link MTU when unset, and clamp
	 * it when the stored value exceeds what the link can carry.
	 */
	if (rt->rt_ifp != NULL &&
	    (rt->rt_mtu == 0 || rt->rt_mtu > IN6_LINKMTU(rt->rt_ifp)))
		rt->rt_mtu = IN6_LINKMTU(rt->rt_ifp);

	return (rn_addroute(v_arg, n_arg, head, treenodes));
}
/*
 * RPC dispatch routine for the NFS server: validate the procedure number
 * for the requested NFS version, optionally enforce the reserved-port
 * policy, obtain the caller's credential, run the request through
 * nfs_proc() and send (or drop) the reply.
 *
 * rqst is released with svc_freereq() on every path.  The request mbuf
 * chain is detached from rqst and owned by nd.nd_mrep from then on.
 */
static void
nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt)
{
	struct nfsrv_descript nd;
	struct nfsrvcache *rp = NULL;
	int cacherep, credflavor;

	memset(&nd, 0, sizeof(nd));
	if (rqst->rq_vers == NFS_VER2) {
		/*
		 * rq_proc comes from the client; this bound is what keeps
		 * the newnfs_nfsv3_procid[] lookup below inside the table.
		 */
		if (rqst->rq_proc > NFSV2PROC_STATFS) {
			svcerr_noproc(rqst);
			svc_freereq(rqst);
			goto out;
		}
		nd.nd_procnum = newnfs_nfsv3_procid[rqst->rq_proc];
		nd.nd_flag = ND_NFSV2;
	} else if (rqst->rq_vers == NFS_VER3) {
		if (rqst->rq_proc >= NFS_V3NPROCS) {
			svcerr_noproc(rqst);
			svc_freereq(rqst);
			goto out;
		}
		nd.nd_procnum = rqst->rq_proc;
		nd.nd_flag = ND_NFSV3;
	} else {
		/* Any other version is treated as NFSv4: NULL or COMPOUND only. */
		if (rqst->rq_proc != NFSPROC_NULL &&
		    rqst->rq_proc != NFSV4PROC_COMPOUND) {
			svcerr_noproc(rqst);
			svc_freereq(rqst);
			goto out;
		}
		nd.nd_procnum = rqst->rq_proc;
		nd.nd_flag = ND_NFSV4;
	}

	/*
	 * Note: we want rq_addr, not svc_getrpccaller for nd_nam2 -
	 * NFS_SRVMAXDATA uses a NULL value for nd_nam2 to detect TCP
	 * mounts.
	 */
	nd.nd_mrep = rqst->rq_args;
	rqst->rq_args = NULL;
	newnfs_realign(&nd.nd_mrep, M_WAITOK);
	nd.nd_md = nd.nd_mrep;
	nd.nd_dpos = mtod(nd.nd_md, caddr_t);
	nd.nd_nam = svc_getrpccaller(rqst);
	nd.nd_nam2 = rqst->rq_addr;
	nd.nd_mreq = NULL;
	nd.nd_cred = NULL;

	/*
	 * Reserved-port policy, applied to NFSv2/v3 only (NFSv4 requests
	 * skip it) and never to the NULL procedure.  A low source port only
	 * says something about the sending host's own privilege model; it
	 * does not authenticate the caller.
	 */
	if (nfs_privport && (nd.nd_flag & ND_NFSV4) == 0) {
		/* Check if source port is privileged */
		u_short port;
		struct sockaddr *nam = nd.nd_nam;
		struct sockaddr_in *sin;

		sin = (struct sockaddr_in *)nam;
		/*
		 * INET/INET6 - same code:
		 *    sin_port and sin6_port are at same offset
		 */
		port = ntohs(sin->sin_port);
		if (port >= IPPORT_RESERVED &&
		    nd.nd_procnum != NFSPROC_NULL) {
#ifdef INET6
			char b6[INET6_ADDRSTRLEN];
#if defined(KLD_MODULE)
			/* Do not use ip6_sprintf: the nfs module should work without INET6. */
			/*
			 * Unbounded sprintf() into b6: eight "%x" groups of a
			 * 16-bit value plus seven colons and the NUL come to
			 * at most 40 bytes, which fits INET6_ADDRSTRLEN.
			 * NOTE(review): the groups are printed as stored,
			 * without ntohs(), so on a little-endian host the
			 * logged address presumably has its bytes swapped
			 * within each group; confirm before relying on this
			 * log line for attribution.
			 */
#define	ip6_sprintf(buf, a)						\
			(sprintf((buf), "%x:%x:%x:%x:%x:%x:%x:%x",	\
			    (a)->s6_addr16[0], (a)->s6_addr16[1],	\
			    (a)->s6_addr16[2], (a)->s6_addr16[3],	\
			    (a)->s6_addr16[4], (a)->s6_addr16[5],	\
			    (a)->s6_addr16[6], (a)->s6_addr16[7]),	\
			    (buf))
#endif
#endif
			printf("NFS request from unprivileged port (%s:%d)\n",
#ifdef INET6
			    sin->sin_family == AF_INET6 ?
			    ip6_sprintf(b6, &satosin6(sin)->sin6_addr) :
#if defined(KLD_MODULE)
#undef ip6_sprintf
#endif
#endif
			    inet_ntoa(sin->sin_addr), port);
			svcerr_weakauth(rqst);
			svc_freereq(rqst);
			m_freem(nd.nd_mrep);
			goto out;
		}
	}

	if (nd.nd_procnum != NFSPROC_NULL) {
		if (!svc_getcred(rqst, &nd.nd_cred, &credflavor)) {
			svcerr_weakauth(rqst);
			svc_freereq(rqst);
			m_freem(nd.nd_mrep);
			goto out;
		}

		/* Set the flag based on credflavor */
		if (credflavor == RPCSEC_GSS_KRB5) {
			nd.nd_flag |= ND_GSS;
		} else if (credflavor == RPCSEC_GSS_KRB5I) {
			nd.nd_flag |= (ND_GSS | ND_GSSINTEGRITY);
		} else if (credflavor == RPCSEC_GSS_KRB5P) {
			nd.nd_flag |= (ND_GSS | ND_GSSPRIVACY);
		} else if (credflavor != AUTH_SYS) {
			/*
			 * NOTE(review): nd.nd_cred was filled in by
			 * svc_getcred() above and is not released on this
			 * path; presumably svc_getcred() only succeeds for
			 * the flavors handled here. Confirm.
			 */
			svcerr_weakauth(rqst);
			svc_freereq(rqst);
			m_freem(nd.nd_mrep);
			goto out;
		}

#ifdef MAC
		mac_cred_associate_nfsd(nd.nd_cred);
#endif
		/*
		 * Get a refcnt (shared lock) on nfsd_suspend_lock.
		 * NFSSVC_SUSPENDNFSD will take an exclusive lock on
		 * nfsd_suspend_lock to suspend these threads.
		 * This must be done here, before the check of
		 * nfsv4root exports by nfsvno_v4rootexport().
		 */
		NFSLOCKV4ROOTMUTEX();
		nfsv4_getref(&nfsd_suspend_lock, NULL, NFSV4ROOTLOCKMUTEXPTR,
		    NULL);
		NFSUNLOCKV4ROOTMUTEX();

		if ((nd.nd_flag & ND_NFSV4) != 0) {
			nd.nd_repstat = nfsvno_v4rootexport(&nd);
			if (nd.nd_repstat != 0) {
				/*
				 * NOTE(review): the suspend-lock reference
				 * and the request mbufs are released here,
				 * but nd.nd_cred is not passed to crfree()
				 * as it is on the normal path below. This
				 * looks like a credential reference leak on
				 * a path a client can trigger; verify
				 * against nfsvno_v4rootexport().
				 */
				NFSLOCKV4ROOTMUTEX();
				nfsv4_relref(&nfsd_suspend_lock);
				NFSUNLOCKV4ROOTMUTEX();
				svcerr_weakauth(rqst);
				svc_freereq(rqst);
				m_freem(nd.nd_mrep);
				goto out;
			}
		}

		cacherep = nfs_proc(&nd, rqst->rq_xid, xprt, &rp);
		NFSLOCKV4ROOTMUTEX();
		nfsv4_relref(&nfsd_suspend_lock);
		NFSUNLOCKV4ROOTMUTEX();
	} else {
		/* NULL procedure: reply with an empty mbuf, no credential needed. */
		NFSMGET(nd.nd_mreq);
		nd.nd_mreq->m_len = 0;
		cacherep = RC_REPLY;
	}
	if (nd.nd_mrep != NULL)
		m_freem(nd.nd_mrep);
	if (nd.nd_cred != NULL)
		crfree(nd.nd_cred);

	if (cacherep == RC_DROPIT) {
		if (nd.nd_mreq != NULL)
			m_freem(nd.nd_mreq);
		svc_freereq(rqst);
		goto out;
	}

	if (nd.nd_mreq == NULL) {
		svcerr_decode(rqst);
		svc_freereq(rqst);
		goto out;
	}

	if (nd.nd_repstat & NFSERR_AUTHERR) {
		/* The RPC-level auth error is carried in the low bits of nd_repstat. */
		svcerr_auth(rqst, nd.nd_repstat & ~NFSERR_AUTHERR);
		if (nd.nd_mreq != NULL)
			m_freem(nd.nd_mreq);
	} else if (!svc_sendreply_mbuf(rqst, nd.nd_mreq)) {
		svcerr_systemerr(rqst);
	}
	if (rp != NULL) {
		nfsrvd_sentcache(rp, (rqst->rq_reply_seq != 0 ||
		    SVC_ACK(xprt, NULL)), rqst->rq_reply_seq);
	}
	svc_freereq(rqst);

out:
	NFSEXITCODE(0);
}
/*
 * Produce a printable form of a routing-table socket address.
 *
 * Returns "null" for a NULL sa.  AF_INET/AF_INET6 addresses are rendered
 * by routename() (host routes) or netname(); AF_NETGRAPH and unknown
 * families are formatted into a static 128-byte buffer, AF_LINK goes
 * through routename().  The returned string may therefore be overwritten
 * by the next call to this function or to the helper that produced it.
 */
static const char *
fmt_sockaddr(struct sockaddr *sa, struct sockaddr *mask, int flags)
{
	static char buf[128];
	const char *cp;

	if (sa == NULL)
		return ("null");

	switch (sa->sa_family) {
#ifdef INET6
	case AF_INET6:
		/*
		 * The sa6->sin6_scope_id must be filled here because
		 * this sockaddr is extracted from kmem(4) directly
		 * and has KAME-specific embedded scope id in
		 * sa6->sin6_addr.s6_addr[2].
		 */
		in6_fillscopeid(satosin6(sa));
		/* FALLTHROUGH */
#endif /*INET6*/
	case AF_INET:
		/* A NULL mask is simply handed through to netname(). */
		if (flags & RTF_HOST)
			cp = routename(sa, numeric_addr);
		else
			cp = netname(sa, mask);
		break;
	case AF_NETGRAPH:
		/* strlcpy() truncates and always NUL-terminates within buf. */
		strlcpy(buf, ((struct sockaddr_ng *)sa)->sg_data,
		    sizeof(buf));
		cp = buf;
		break;
	case AF_LINK:
#if 0
		{
			struct sockaddr_dl *sdl = (struct sockaddr_dl *)sa;

			/* Interface route. */
			if (sdl->sdl_nlen)
				cp = sdl->sdl_data;
			else
#endif
				cp = routename(sa, 1);
#if 0
		}
#endif
		break;
	default: {
		/*
		 * Unknown family: "(family)" followed by a hex dump of
		 * sa_data in groups of two bytes.  The input is bounded by
		 * sa_len, the output by out_limit, which keeps room for one
		 * full " ffff" group plus the terminator.
		 */
		u_char *in = (u_char *)sa->sa_data;
		u_char *in_end = sa->sa_len + (u_char *)sa;
		char *out = buf;
		char *out_limit = out + sizeof(buf) - sizeof(" ffff");

		snprintf(out, sizeof(buf), "(%d)", sa->sa_family);
		out += strlen(out);
		while (in < in_end && out < out_limit) {
			snprintf(out, sizeof(" ff"), " %02x", *in++);
			out += strlen(out);
			if (in < in_end) {
				snprintf(out, sizeof("ff"), "%02x", *in++);
				out += strlen(out);
			}
		}
		cp = buf;
	}
	}

	return (cp);
}
/*
 * Do what we need to do when inserting a route.
 *
 * Flags the entry (RTF_MULTICAST, RTF_LOCAL), fills in a missing MTU from
 * the interface and calls rn_addroute().  If the insertion fails, two
 * recoverable collisions are handled: a host route blocked by a link-layer
 * (RTF_LLINFO) entry, which is expunged before retrying, and a cloning net
 * route that duplicates an existing one on the same interface, for which
 * the existing nodes are returned.
 *
 * Returns the radix nodes on success or NULL on failure.
 */
static struct radix_node *
in6_addroute(void *v_arg, void *n_arg, struct radix_node_head *head,
    struct radix_node *treenodes)
{
	struct rtentry *rt = (struct rtentry *)treenodes;
	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)rt_key(rt);
	struct radix_node *ret;

	if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr))
		rt->rt_flags |= RTF_MULTICAST;

	/*
	 * A little bit of help for both IPv6 output and input:
	 *   For local addresses, we make sure that RTF_LOCAL is set,
	 *   with the thought that this might one day be used to speed up
	 *   ip_input().
	 *
	 * We also mark routes to multicast addresses as such, because
	 * it's easy to do and might be useful (but this is much more
	 * dubious since it's so easy to inspect the address).  (This
	 * is done above.)
	 *
	 * XXX
	 * should elaborate the code.
	 */
	if (rt->rt_flags & RTF_HOST) {
		/* rt_ifa and its ifa_addr are dereferenced without a NULL check. */
		if (IN6_ARE_ADDR_EQUAL(&satosin6(rt->rt_ifa->ifa_addr)
					->sin6_addr,
				       &sin6->sin6_addr)) {
			rt->rt_flags |= RTF_LOCAL;
		}
	}

	/* Inherit the link MTU only when the route has none of its own. */
	if (!rt->rt_rmx.rmx_mtu && rt->rt_ifp)
		rt->rt_rmx.rmx_mtu = IN6_LINKMTU(rt->rt_ifp);

	ret = rn_addroute(v_arg, n_arg, head, treenodes);
	if (ret == NULL && rt->rt_flags & RTF_HOST) {
		struct rtentry *rt2;
		/*
		 * We are trying to add a host route, but can't.
		 * Find out if it is because of an
		 * ARP entry and delete it if so.
		 */
		rt2 = rtalloc1((struct sockaddr *)sin6, 0, RTF_CLONING);
		if (rt2) {
			/* Only a link-layer host entry is removed to make room. */
			if (rt2->rt_flags & RTF_LLINFO &&
			    rt2->rt_flags & RTF_HOST &&
			    rt2->rt_gateway &&
			    rt2->rt_gateway->sa_family == AF_LINK) {
				rtexpunge(rt2);
				RTFREE_LOCKED(rt2);
				ret = rn_addroute(v_arg, n_arg, head,
				    treenodes);
			} else
				RTFREE_LOCKED(rt2);
		}
	} else if (ret == NULL && rt->rt_flags & RTF_CLONING) {
		struct rtentry *rt2;
		/*
		 * We are trying to add a net route, but can't.
		 * The following case should be allowed, so we'll make a
		 * special check for this:
		 *	Two IPv6 addresses with the same prefix are assigned
		 *	to a single interface.
		 *	# ifconfig if0 inet6 3ffe:0501::1 prefix 64 alias (*1)
		 *	# ifconfig if0 inet6 3ffe:0501::2 prefix 64 alias (*2)
		 *	In this case, (*1) and (*2) want to add the same
		 *	net route entry, 3ffe:0501:: -> if0.
		 *	This case should not raise an error.
		 */
		rt2 = rtalloc1((struct sockaddr *)sin6, 0, RTF_CLONING);
		if (rt2) {
			if ((rt2->rt_flags & (RTF_CLONING|RTF_HOST|RTF_GATEWAY))
			    == RTF_CLONING &&
			    rt2->rt_gateway &&
			    rt2->rt_gateway->sa_family == AF_LINK &&
			    rt2->rt_ifp == rt->rt_ifp) {
				/*
				 * NOTE(review): ret points into rt2, whose
				 * reference is dropped just below; this
				 * presumably stays valid because the tree
				 * still holds the entry. Confirm.
				 */
				ret = rt2->rt_nodes;
			}
			RTFREE_LOCKED(rt2);
		}
	}
	return ret;
}
/*
 * Fill the file-scope pfp/pfr objects with the parts of a pf rule that are
 * common to filter, nat and rdr rules for one proxied session.
 *
 * src and dst must both be AF_INET or both AF_INET6 (otherwise errno is
 * EPROTONOSUPPORT).  rs_num selects the ruleset and must be one of
 * PF_RULESET_FILTER, PF_RULESET_NAT or PF_RULESET_RDR (otherwise EINVAL).
 * The rule lives in the anchor "<FTP_PROXY_ANCHOR>/<pid>.<id>" and matches
 * exactly src -> dst port d_port (host masks on both addresses).
 *
 * Returns 0 on success, -1 on failure.
 */
int
prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
    struct sockaddr *dst, u_int16_t d_port, u_int8_t proto)
{
	char an[PF_ANCHOR_NAME_SIZE];

	/* Family validation; the address copies below depend on it. */
	if (src->sa_family != AF_INET && src->sa_family != AF_INET6) {
		errno = EPROTONOSUPPORT;
		return (-1);
	}
	if (src->sa_family != dst->sa_family) {
		errno = EPROTONOSUPPORT;
		return (-1);
	}

	memset(&pfp, 0, sizeof pfp);
	memset(&pfr, 0, sizeof pfr);

	/* Per-process, per-session anchor name; truncation is not checked. */
	snprintf(an, sizeof an, "%s/%d.%d", FTP_PROXY_ANCHOR, getpid(), id);
	strlcpy(pfp.anchor, an, PF_ANCHOR_NAME_SIZE);
	strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE);

	/* Pick the transaction ticket that belongs to the ruleset. */
	if (rs_num == PF_RULESET_FILTER) {
		pfr.ticket = pfte[TRANS_FILTER].ticket;
	} else if (rs_num == PF_RULESET_NAT) {
		pfr.ticket = pfte[TRANS_NAT].ticket;
	} else if (rs_num == PF_RULESET_RDR) {
		pfr.ticket = pfte[TRANS_RDR].ticket;
	} else {
		errno = EINVAL;
		return (-1);
	}

	if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1)
		return (-1);
	pfr.pool_ticket = pfp.ticket;

	/* Generic for all rule types. */
	pfr.rule.af = src->sa_family;
	pfr.rule.proto = proto;
	pfr.rule.src.addr.type = PF_ADDR_ADDRMASK;
	pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
	if (src->sa_family != AF_INET) {
		/* AF_INET6, as established by the checks above. */
		memcpy(&pfr.rule.src.addr.v.a.addr.v6,
		    &satosin6(src)->sin6_addr.s6_addr, 16);
		memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 16);
		memcpy(&pfr.rule.dst.addr.v.a.addr.v6,
		    &satosin6(dst)->sin6_addr.s6_addr, 16);
		memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 16);
	} else {
		memcpy(&pfr.rule.src.addr.v.a.addr.v4,
		    &satosin(src)->sin_addr.s_addr, 4);
		memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 4);
		memcpy(&pfr.rule.dst.addr.v.a.addr.v4,
		    &satosin(dst)->sin_addr.s_addr, 4);
		memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 4);
	}
	pfr.rule.dst.port_op = PF_OP_EQ;
	pfr.rule.dst.port[0] = htons(d_port);

	switch (rs_num) {
	case PF_RULESET_FILTER:
		/*
		 * pass quick [log] inet[6] proto tcp \
		 *     from $src to $dst port = $d_port flags S/SAFR keep state
		 *     (max 1) [queue qname]
		 *
		 * max_states = 1 limits the rule to the single expected
		 * connection.
		 */
		pfr.rule.action = PF_PASS;
		pfr.rule.quick = 1;
		pfr.rule.log = rule_log;
		pfr.rule.keep_state = 1;
#ifdef __FreeBSD__
		pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : 0);
		pfr.rule.flagset = (proto == IPPROTO_TCP ?
		    (TH_SYN|TH_ACK|TH_FIN|TH_RST) : 0);
#else
		pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : NULL);
		pfr.rule.flagset = (proto == IPPROTO_TCP ?
		    (TH_SYN|TH_ACK|TH_FIN|TH_RST) : NULL);
#endif
		pfr.rule.max_states = 1;
		if (qname != NULL)
			strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
		break;
	case PF_RULESET_NAT:
		/*
		 * nat inet[6] proto tcp from $src to $dst port $d_port -> $nat
		 */
		pfr.rule.action = PF_NAT;
		break;
	case PF_RULESET_RDR:
		/*
		 * rdr inet[6] proto tcp from $src to $dst port $d_port -> $rdr
		 */
		pfr.rule.action = PF_RDR;
		break;
	default:
		/* Not reachable: rs_num was validated when the ticket was chosen. */
		errno = EINVAL;
		return (-1);
	}

	return (0);
}
/*
 * Do what we need to do when inserting a route.
 *
 * Called with rnh_lock owned and rt locked (both asserted below).  Refuses
 * new dynamic (redirect-created) routes once the configured limit is
 * reached, flags the entry, fills in a missing MTU and calls rn_addroute().
 * On failure, a colliding link-layer host entry is deleted before a retry,
 * and a duplicate cloning net route on the same interface is tolerated.
 *
 * Returns the radix nodes on success or NULL on failure.
 */
static struct radix_node *
in6_addroute(void *v_arg, void *n_arg, struct radix_node_head *head,
    struct radix_node *treenodes)
{
	struct rtentry *rt = (struct rtentry *)treenodes;
	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)rt_key(rt);
	struct radix_node *ret;

	lck_mtx_assert(rnh_lock, LCK_MTX_ASSERT_OWNED);
	RT_LOCK_ASSERT_HELD(rt);

	/*
	 * If this is a dynamic route (which is created via Redirect) and
	 * we already have the maximum acceptable number of such route entries,
	 * reject creating a new one.  We could initiate garbage collection to
	 * make available space right now, but the benefit would probably not
	 * be worth the cleaning overhead; we only have to endure a slightly
	 * suboptimal path even without the redirected route.
	 *
	 * This cap bounds how many routes received redirects can create; a
	 * negative ip6_maxdynroutes disables the limit.
	 */
	if ((rt->rt_flags & RTF_DYNAMIC) != 0 &&
	    ip6_maxdynroutes >= 0 && in6dynroutes >= ip6_maxdynroutes)
		return (NULL);

	/*
	 * For IPv6, all unicast non-host routes are automatically cloning.
	 */
	if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr))
		rt->rt_flags |= RTF_MULTICAST;

	if (!(rt->rt_flags & (RTF_HOST | RTF_CLONING | RTF_MULTICAST))) {
		rt->rt_flags |= RTF_PRCLONING;
	}

	/*
	 * A little bit of help for both IPv6 output and input:
	 *   For local addresses, we make sure that RTF_LOCAL is set,
	 *   with the thought that this might one day be used to speed up
	 *   ip_input().
	 *
	 * We also mark routes to multicast addresses as such, because
	 * it's easy to do and might be useful (but this is much more
	 * dubious since it's so easy to inspect the address).  (This
	 * is done above.)
	 *
	 * XXX
	 * should elaborate the code.
	 */
	if (rt->rt_flags & RTF_HOST) {
		/* rt_ifa and its ifa_addr are dereferenced without a NULL check. */
		if (IN6_ARE_ADDR_EQUAL(&satosin6(rt->rt_ifa->ifa_addr)
					->sin6_addr,
				       &sin6->sin6_addr)) {
			rt->rt_flags |= RTF_LOCAL;
		}
	}

	/* Inherit the interface MTU unless one is set or the MTU is locked. */
	if (!rt->rt_rmx.rmx_mtu && !(rt->rt_rmx.rmx_locks & RTV_MTU) &&
	    rt->rt_ifp)
		rt->rt_rmx.rmx_mtu = rt->rt_ifp->if_mtu;

	ret = rn_addroute(v_arg, n_arg, head, treenodes);
	if (ret == NULL && (rt->rt_flags & RTF_HOST)) {
		struct rtentry *rt2;
		/*
		 * We are trying to add a host route, but can't.
		 * Find out if it is because of an
		 * ARP entry and delete it if so.
		 */
		rt2 = rtalloc1_locked((struct sockaddr *)sin6, 0,
		    RTF_CLONING | RTF_PRCLONING);
		if (rt2) {
			RT_LOCK(rt2);
			if ((rt2->rt_flags & RTF_LLINFO) &&
			    (rt2->rt_flags & RTF_HOST) &&
			    rt2->rt_gateway != NULL &&
			    rt2->rt_gateway->sa_family == AF_LINK) {
				/*
				 * Safe to drop rt_lock and use rt_key,
				 * rt_gateway, since holding rnh_lock here
				 * prevents another thread from calling
				 * rt_setgate() on this route.
				 */
				RT_UNLOCK(rt2);
				(void) rtrequest_locked(RTM_DELETE, rt_key(rt2),
				    rt2->rt_gateway, rt_mask(rt2),
				    rt2->rt_flags, 0);
				ret = rn_addroute(v_arg, n_arg, head,
				    treenodes);
			} else {
				RT_UNLOCK(rt2);
			}
			/* Drop the reference taken by rtalloc1_locked(). */
			rtfree_locked(rt2);
		}
	} else if (ret == NULL && (rt->rt_flags & RTF_CLONING)) {
		struct rtentry *rt2;
		/*
		 * We are trying to add a net route, but can't.
		 * The following case should be allowed, so we'll make a
		 * special check for this:
		 *	Two IPv6 addresses with the same prefix are assigned
		 *	to a single interface.
		 *	# ifconfig if0 inet6 3ffe:0501::1 prefix 64 alias (*1)
		 *	# ifconfig if0 inet6 3ffe:0501::2 prefix 64 alias (*2)
		 *	In this case, (*1) and (*2) want to add the same
		 *	net route entry, 3ffe:0501:: -> if0.
		 *	This case should not raise an error.
		 */
		rt2 = rtalloc1_locked((struct sockaddr *)sin6, 0,
		    RTF_CLONING | RTF_PRCLONING);
		if (rt2) {
			RT_LOCK(rt2);
			if ((rt2->rt_flags & (RTF_CLONING|RTF_HOST|RTF_GATEWAY))
			    == RTF_CLONING &&
			    rt2->rt_gateway &&
			    rt2->rt_gateway->sa_family == AF_LINK &&
			    rt2->rt_ifp == rt->rt_ifp) {
				/*
				 * NOTE(review): ret points into rt2, whose
				 * reference is dropped just below; this
				 * presumably stays valid because the tree
				 * still holds the entry and rnh_lock is
				 * held. Confirm.
				 */
				ret = rt2->rt_nodes;
			}
			RT_UNLOCK(rt2);
			rtfree_locked(rt2);
		}
	}

	/* Account for the new dynamic route only once it is really in the tree. */
	if (ret != NULL && (rt->rt_flags & RTF_DYNAMIC) != 0)
		in6dynroutes++;

	return ret;
}
/*
 * Build, in the file-scope pfr object, the pf rule that lets one proxied
 * TCP session through:
 *
 *   pass [quick] [log] inet[6] proto tcp \
 *       from $src to $dst port = $d_port flags S/SA keep state
 *       (max 1) [queue qname] [tag tagname]
 *
 * src and dst must both be AF_INET or both AF_INET6; otherwise errno is
 * set to EPROTONOSUPPORT and -1 is returned.  The rule is placed in the
 * anchor "<FTP_PROXY_ANCHOR>/<pid>.<id>".  When a tag name is configured
 * the rule becomes a non-quick match rule that only tags the traffic.
 *
 * Returns 0 on success, -1 on failure.
 */
int
prepare_rule(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
    u_int16_t d_port)
{
	char an[PF_ANCHOR_NAME_SIZE];

	/* Family validation; the address copies below depend on it. */
	if (src->sa_family != AF_INET && src->sa_family != AF_INET6) {
		errno = EPROTONOSUPPORT;
		return (-1);
	}
	if (src->sa_family != dst->sa_family) {
		errno = EPROTONOSUPPORT;
		return (-1);
	}

	memset(&pfr, 0, sizeof pfr);

	/* Per-process, per-session anchor name; truncation is not checked. */
	snprintf(an, sizeof an, "%s/%d.%d", FTP_PROXY_ANCHOR, getpid(), id);
	strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE);

	pfr.ticket = pfte.ticket;

	/* Generic for all rule types. */
	pfr.rule.af = src->sa_family;
	pfr.rule.proto = IPPROTO_TCP;
	pfr.rule.src.addr.type = PF_ADDR_ADDRMASK;
	pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
	pfr.rule.nat.addr.type = PF_ADDR_NONE;
	pfr.rule.rdr.addr.type = PF_ADDR_NONE;

	/* Exact host match on both ends: address plus all-ones mask. */
	if (src->sa_family != AF_INET) {
		/* AF_INET6, as established by the checks above. */
		memcpy(&pfr.rule.src.addr.v.a.addr.v6,
		    &satosin6(src)->sin6_addr.s6_addr, 16);
		memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 16);
		memcpy(&pfr.rule.dst.addr.v.a.addr.v6,
		    &satosin6(dst)->sin6_addr.s6_addr, 16);
		memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 16);
	} else {
		memcpy(&pfr.rule.src.addr.v.a.addr.v4,
		    &satosin(src)->sin_addr.s_addr, 4);
		memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 4);
		memcpy(&pfr.rule.dst.addr.v.a.addr.v4,
		    &satosin(dst)->sin_addr.s_addr, 4);
		memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 4);
	}
	pfr.rule.dst.port_op = PF_OP_EQ;
	pfr.rule.dst.port[0] = htons(d_port);

	/* With a tag the rule only matches (non-quick); otherwise it passes quick. */
	pfr.rule.action = (tagname != NULL) ? PF_MATCH : PF_PASS;
	pfr.rule.quick = (tagname == NULL);
	pfr.rule.log = rule_log;
	pfr.rule.keep_state = 1;
	pfr.rule.flags = TH_SYN;
	pfr.rule.flagset = (TH_SYN|TH_ACK);
	/* One state at most: the rule admits a single connection. */
	pfr.rule.max_states = 1;

	if (qname != NULL)
		strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
	if (tagname != NULL)
		strlcpy(pfr.rule.tagname, tagname, sizeof pfr.rule.tagname);

	return (0);
}
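/*
 * NOTE: in6_ifdetach() does not support loopback if at this moment.
 * We don't need this function in bsdi, because interfaces are never removed
 * from the ifnet list in bsdi.
 *
 * Tear down the IPv6 state attached to ifp: multicast routing state, the
 * neighbor-discovery table, all IPv6 addresses, and whatever link-local
 * address state is still left from in6_ifattach().
 */
void
in6_ifdetach(struct ifnet *ifp)
{
	struct in6_ifaddr *ia, *oia;
	struct ifaddr *ifa, *next;
	struct rtentry *rt;
	short rtflags;
	struct in6_multi_mship *imm;

	/* remove ip6_mrouter stuff */
	ip6_mrouter_detach(ifp);

	/* remove neighbor management table */
	nd6_purge(ifp);

	/* XXX this code is duplicated in in6_purgeif() --dyoung */
	/* nuke any of IPv6 addresses we have */
	if_purgeaddrs(ifp, AF_INET6, in6_purgeaddr);

	/* XXX isn't this code is redundant, given the above? --dyoung */
	/* XXX doesn't this code replicate code in in6_purgeaddr() ? --dyoung */
	/* undo everything done by in6_ifattach(), just in case */
	for (ifa = IFADDR_FIRST(ifp); ifa != NULL; ifa = next) {
		/* Fetch the successor first: ifa may be unlinked and freed below. */
		next = IFADDR_NEXT(ifa);

		/*
		 * ifa_addr is already a pointer to the sockaddr, so it is
		 * passed to satosin6() directly.  Taking its address (as
		 * this test used to) makes the link-local check read the
		 * bytes of the ifaddr structure itself instead of the IPv6
		 * address.
		 */
		if (ifa->ifa_addr->sa_family != AF_INET6
		 || !IN6_IS_ADDR_LINKLOCAL(&satosin6(ifa->ifa_addr)->sin6_addr)) {
			continue;
		}

		ia = (struct in6_ifaddr *)ifa;

		/*
		 * leave from multicast groups we have joined for the interface
		 */
		while ((imm = LIST_FIRST(&ia->ia6_memberships)) != NULL) {
			LIST_REMOVE(imm, i6mm_chain);
			in6_leavegroup(imm);
		}

		/* remove from the routing table */
		if ((ia->ia_flags & IFA_ROUTE) &&
		    (rt = rtalloc1((struct sockaddr *)&ia->ia_addr, 0))) {
			/* Keep the flags, then drop the lookup reference. */
			rtflags = rt->rt_flags;
			rtfree(rt);
			rtrequest(RTM_DELETE, (struct sockaddr *)&ia->ia_addr,
			    (struct sockaddr *)&ia->ia_addr,
			    (struct sockaddr *)&ia->ia_prefixmask,
			    rtflags, NULL);
		}

		/* remove from the linked list */
		ifa_remove(ifp, &ia->ia_ifa);

		/* also remove from the IPv6 address chain(itojun&jinmei) */
		oia = ia;
		if (oia == (ia = in6_ifaddr))
			in6_ifaddr = ia->ia_next;
		else {
			while (ia->ia_next && (ia->ia_next != oia))
				ia = ia->ia_next;
			if (ia->ia_next)
				ia->ia_next = oia->ia_next;
			else {
				nd6log((LOG_ERR,
				    "%s: didn't unlink in6ifaddr from list\n",
				    if_name(ifp)));
			}
		}

		ifafree(&oia->ia_ifa);
	}

	/* cleanup multicast address kludge table, if there is any */
	in6_purgemkludge(ifp);

	/*
	 * remove neighbor management table.  we call it twice just to make
	 * sure we nuke everything.  maybe we need just one call.
	 * XXX: since the first call did not release addresses, some prefixes
	 * might remain.  We should call nd6_purge() again to release the
	 * prefixes after removing all addresses above.
	 * (Or can we just delay calling nd6_purge until at this point?)
	 */
	nd6_purge(ifp);
}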
/*
 * Choose the IPv6 source address for a packet going to dstsock.
 *
 * Order of preference:
 *   1. an address given explicitly in opts->ip6po_pktinfo, accepted only
 *      if it is assigned to this node and is neither anycast nor
 *      not-ready (nor on a cellular interface when the pcb forbids it);
 *   2. the address the socket is already bound to;
 *   3. the best candidate from the system-wide address list according to
 *      the numbered rules in the loop below.
 *
 * On success the chosen address is returned: a pointer to src_storage for
 * cases 1 and 3, a pointer into inp for case 2.  If ifpp is non-NULL it
 * receives the outgoing interface for cases 1 and 3 (it stays NULL in
 * case 2).  On failure NULL is returned and *errorp holds the error.
 *
 * REPLACE(), NEXTSRC() and BREAK() are macros defined outside this
 * function; they presumably jump to the replace:/next:/out: labels inside
 * the loop (confirm against their definitions).
 */
struct in6_addr *
in6_selectsrc(struct sockaddr_in6 *dstsock, struct ip6_pktopts *opts,
    struct inpcb *inp, struct route_in6 *ro,
    struct ifnet **ifpp, struct in6_addr *src_storage, unsigned int ifscope,
    int *errorp)
{
	struct in6_addr dst;
	struct ifnet *ifp = NULL;
	struct in6_ifaddr *ia = NULL, *ia_best = NULL;
	struct in6_pktinfo *pi = NULL;
	int dst_scope = -1, best_scope = -1, best_matchlen = -1;
	struct in6_addrpolicy *dst_policy = NULL, *best_policy = NULL;
	u_int32_t odstzone;
	int prefer_tempaddr;
	struct ip6_moptions *mopts;
	struct timeval timenow;
	unsigned int nocell;
	boolean_t islocal = FALSE;

	getmicrotime(&timenow);

	dst = dstsock->sin6_addr; /* make a copy for local operation */
	*errorp = 0;
	if (ifpp != NULL)
		*ifpp = NULL;

	if (inp != NULL) {
		mopts = inp->in6p_moptions;
		nocell = (inp->inp_flags & INP_NO_IFT_CELLULAR) ? 1 : 0;
	} else {
		mopts = NULL;
		nocell = 0;
	}

	/*
	 * If the source address is explicitly specified by the caller,
	 * check if the requested source address is indeed a unicast address
	 * assigned to the node, and can be used as the packet's source
	 * address.  If everything is okay, use the address as source.
	 *
	 * This check is what stops a caller from sending with a source
	 * address that is not configured on the node.
	 */
	if (opts && (pi = opts->ip6po_pktinfo) &&
	    !IN6_IS_ADDR_UNSPECIFIED(&pi->ipi6_addr)) {
		struct sockaddr_in6 srcsock;
		struct in6_ifaddr *ia6;

		/* get the outgoing interface */
		if ((*errorp = in6_selectif(dstsock, opts, mopts, ro, ifscope,
		    nocell, &ifp)) != 0) {
			return (NULL);
		}

		/*
		 * determine the appropriate zone id of the source based on
		 * the zone of the destination and the outgoing interface.
		 * If the specified address is ambiguous wrt the scope zone,
		 * the interface must be specified; otherwise, ifa_ifwithaddr()
		 * will fail matching the address.
		 */
		bzero(&srcsock, sizeof(srcsock));
		srcsock.sin6_family = AF_INET6;
		srcsock.sin6_len = sizeof(srcsock);
		srcsock.sin6_addr = pi->ipi6_addr;
		if (ifp) {
			*errorp = in6_setscope(&srcsock.sin6_addr, ifp, NULL);
			if (*errorp != 0) {
				ifnet_release(ifp);
				return (NULL);
			}
		}
		ia6 = (struct in6_ifaddr *)ifa_ifwithaddr((struct sockaddr *)(&srcsock));
		if (ia6 == NULL) {
			*errorp = EADDRNOTAVAIL;
			if (ifp != NULL)
				ifnet_release(ifp);
			return (NULL);
		}
		IFA_LOCK_SPIN(&ia6->ia_ifa);
		if ((ia6->ia6_flags & (IN6_IFF_ANYCAST | IN6_IFF_NOTREADY)) ||
		    (nocell && (ia6->ia_ifa.ifa_ifp->if_type == IFT_CELLULAR))) {
			IFA_UNLOCK(&ia6->ia_ifa);
			IFA_REMREF(&ia6->ia_ifa);
			*errorp = EADDRNOTAVAIL;
			if (ifp != NULL)
				ifnet_release(ifp);
			return (NULL);
		}

		/* Copy the address out while locked, then drop the ifaddr reference. */
		*src_storage = satosin6(&ia6->ia_addr)->sin6_addr;
		IFA_UNLOCK(&ia6->ia_ifa);
		IFA_REMREF(&ia6->ia_ifa);
		if (ifpp != NULL) {
			/* if ifp is non-NULL, refcnt held in in6_selectif() */
			*ifpp = ifp;
		} else if (ifp != NULL) {
			ifnet_release(ifp);
		}
		return (src_storage);
	}

	/*
	 * Otherwise, if the socket has already bound the source, just use it.
	 * Note that the returned pointer refers to the pcb, not src_storage.
	 */
	if (inp != NULL && !IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr))
		return (&inp->in6p_laddr);

	/*
	 * If the address is not specified, choose the best one based on
	 * the outgoing interface and the destination address.
	 */

	/* get the outgoing interface */
	if ((*errorp = in6_selectif(dstsock, opts, mopts, ro, ifscope, nocell,
	    &ifp)) != 0)
		return (NULL);

#ifdef DIAGNOSTIC
	if (ifp == NULL)	/* this should not happen */
		panic("in6_selectsrc: NULL ifp");
#endif
	*errorp = in6_setscope(&dst, ifp, &odstzone);
	if (*errorp != 0) {
		if (ifp != NULL)
			ifnet_release(ifp);
		return (NULL);
	}
	/* The candidate list is walked under the shared address-list lock. */
	lck_rw_lock_shared(&in6_ifaddr_rwlock);

	for (ia = in6_ifaddrs; ia; ia = ia->ia_next) {
		int new_scope = -1, new_matchlen = -1;
		struct in6_addrpolicy *new_policy = NULL;
		u_int32_t srczone, osrczone, dstzone;
		struct in6_addr src;
		struct ifnet *ifp1 = ia->ia_ifp;

		IFA_LOCK(&ia->ia_ifa);
		/*
		 * We'll never take an address that breaks the scope zone
		 * of the destination.  We also skip an address if its zone
		 * does not contain the outgoing interface.
		 * XXX: we should probably use sin6_scope_id here.
		 */
		if (in6_setscope(&dst, ifp1, &dstzone) ||
		    odstzone != dstzone)
			goto next;

		src = ia->ia_addr.sin6_addr;
		if (in6_setscope(&src, ifp, &osrczone) ||
		    in6_setscope(&src, ifp1, &srczone) ||
		    osrczone != srczone)
			goto next;

		/* avoid unusable addresses */
		if ((ia->ia6_flags &
		    (IN6_IFF_NOTREADY | IN6_IFF_ANYCAST | IN6_IFF_DETACHED)))
			goto next;

		if (!ip6_use_deprecated && IFA6_IS_DEPRECATED(ia))
			goto next;

		/* Rule 1: Prefer same address */
		if (IN6_ARE_ADDR_EQUAL(&dst, &ia->ia_addr.sin6_addr))
			BREAK(1); /* there should be no better candidate */

		/* The first usable candidate always becomes the initial best. */
		if (ia_best == NULL)
			REPLACE(0);

		/* Rule 2: Prefer appropriate scope */
		if (dst_scope < 0)
			dst_scope = in6_addrscope(&dst);
		new_scope = in6_addrscope(&ia->ia_addr.sin6_addr);
		if (IN6_ARE_SCOPE_CMP(best_scope, new_scope) < 0) {
			if (IN6_ARE_SCOPE_CMP(best_scope, dst_scope) < 0)
				REPLACE(2);
			NEXTSRC(2);
		} else if (IN6_ARE_SCOPE_CMP(new_scope, best_scope) < 0) {
			if (IN6_ARE_SCOPE_CMP(new_scope, dst_scope) < 0)
				NEXTSRC(2);
			REPLACE(2);
		}

		/*
		 * Rule 3: Avoid deprecated addresses.  Note that the case of
		 * !ip6_use_deprecated is already rejected above.
		 */
		if (!IFA6_IS_DEPRECATED(ia_best) && IFA6_IS_DEPRECATED(ia))
			NEXTSRC(3);
		if (IFA6_IS_DEPRECATED(ia_best) && !IFA6_IS_DEPRECATED(ia))
			REPLACE(3);

		/* Rule 4: Prefer home addresses */
		/*
		 * XXX: This is a TODO.  We should probably merge the MIP6
		 * case above.
		 */

		/* Rule 5: Prefer outgoing interface */
		if (ia_best->ia_ifp == ifp && ia->ia_ifp != ifp)
			NEXTSRC(5);
		if (ia_best->ia_ifp != ifp && ia->ia_ifp == ifp)
			REPLACE(5);

		/*
		 * Rule 6: Prefer matching label
		 * Note that best_policy should be non-NULL here.
		 */
		if (dst_policy == NULL)
			dst_policy = in6_addrsel_lookup_policy(dstsock);
		if (dst_policy->label != ADDR_LABEL_NOTAPP) {
			new_policy = in6_addrsel_lookup_policy(&ia->ia_addr);
			if (dst_policy->label == best_policy->label &&
			    dst_policy->label != new_policy->label)
				NEXTSRC(6);
			if (dst_policy->label != best_policy->label &&
			    dst_policy->label == new_policy->label)
				REPLACE(6);
		}

		/*
		 * Rule 7: Prefer public addresses.
		 * We allow users to reverse the logic by configuring
		 * a sysctl variable, so that privacy conscious users can
		 * always prefer temporary addresses.
		 * Don't use temporary addresses for local destinations or
		 * for multicast addresses unless we were passed in an option.
		 */
		/*
		 * NOTE(review): islocal is only ever set to TRUE inside the
		 * loop and is never cleared, so once one best candidate
		 * matches the destination's prefix, later iterations also
		 * treat the destination as local. Confirm this is intended.
		 */
		if (IN6_IS_ADDR_MULTICAST(&dst) ||
		    in6_matchlen(&ia_best->ia_addr.sin6_addr, &dst) >=
		    in6_mask2len(&ia_best->ia_prefixmask.sin6_addr, NULL))
			islocal = TRUE;
		if (opts == NULL ||
		    opts->ip6po_prefer_tempaddr == IP6PO_TEMPADDR_SYSTEM) {
			prefer_tempaddr = islocal ? 0 : ip6_prefer_tempaddr;
		} else if (opts->ip6po_prefer_tempaddr ==
		    IP6PO_TEMPADDR_NOTPREFER) {
			prefer_tempaddr = 0;
		} else
			prefer_tempaddr = 1;
		if (!(ia_best->ia6_flags & IN6_IFF_TEMPORARY) &&
		    (ia->ia6_flags & IN6_IFF_TEMPORARY)) {
			if (prefer_tempaddr)
				REPLACE(7);
			else
				NEXTSRC(7);
		}
		if ((ia_best->ia6_flags & IN6_IFF_TEMPORARY) &&
		    !(ia->ia6_flags & IN6_IFF_TEMPORARY)) {
			if (prefer_tempaddr)
				NEXTSRC(7);
			else
				REPLACE(7);
		}

		/*
		 * Rule 8: prefer addresses on alive interfaces.
		 * This is a KAME specific rule.
		 */
		if ((ia_best->ia_ifp->if_flags & IFF_UP) &&
		    !(ia->ia_ifp->if_flags & IFF_UP))
			NEXTSRC(8);
		if (!(ia_best->ia_ifp->if_flags & IFF_UP) &&
		    (ia->ia_ifp->if_flags & IFF_UP))
			REPLACE(8);

		/*
		 * Rule 14: Use longest matching prefix.
		 * Note: in the address selection draft, this rule is
		 * documented as "Rule 8".  However, since it is also
		 * documented that this rule can be overridden, we assign
		 * a large number so that it is easy to assign smaller numbers
		 * to more preferred rules.
		 */
		new_matchlen = in6_matchlen(&ia->ia_addr.sin6_addr, &dst);
		if (best_matchlen < new_matchlen)
			REPLACE(14);
		if (new_matchlen < best_matchlen)
			NEXTSRC(14);

		/* Rule 15 is reserved. */

		/*
		 * Last resort: just keep the current candidate.
		 * Or, do we need more rules?
		 */
		IFA_UNLOCK(&ia->ia_ifa);
		continue;

replace:
		/*
		 * ia becomes the new best candidate: refresh the cached
		 * scope, policy and match length, take a reference on ia
		 * and drop the one held on the previous best.
		 */
		best_scope = (new_scope >= 0 ? new_scope :
		    in6_addrscope(&ia->ia_addr.sin6_addr));
		best_policy = (new_policy ? new_policy :
		    in6_addrsel_lookup_policy(&ia->ia_addr));
		best_matchlen = (new_matchlen >= 0 ? new_matchlen :
		    in6_matchlen(&ia->ia_addr.sin6_addr, &dst));
		IFA_ADDREF_LOCKED(&ia->ia_ifa);	/* for ia_best */
		IFA_UNLOCK(&ia->ia_ifa);
		if (ia_best != NULL)
			IFA_REMREF(&ia_best->ia_ifa);
		ia_best = ia;
		continue;

next:
		/* ia is rejected; the current best is kept. */
		IFA_UNLOCK(&ia->ia_ifa);
		continue;

out:
		/* ia is taken as the final choice and the search stops. */
		IFA_ADDREF_LOCKED(&ia->ia_ifa);	/* for ia_best */
		IFA_UNLOCK(&ia->ia_ifa);
		if (ia_best != NULL)
			IFA_REMREF(&ia_best->ia_ifa);
		ia_best = ia;
		break;
	}

	lck_rw_done(&in6_ifaddr_rwlock);

	/* A cellular result is discarded when the pcb forbids cellular interfaces. */
	if (nocell && ia_best != NULL &&
	    (ia_best->ia_ifa.ifa_ifp->if_type == IFT_CELLULAR)) {
		IFA_REMREF(&ia_best->ia_ifa);
		ia_best = NULL;
	}

	if ( (ia = ia_best) == NULL) {
		*errorp = EADDRNOTAVAIL;
		if (ifp != NULL)
			ifnet_release(ifp);
		return (NULL);
	}

	/* Copy the address out while locked, then drop the reference held for ia_best. */
	IFA_LOCK_SPIN(&ia->ia_ifa);
	*src_storage = satosin6(&ia->ia_addr)->sin6_addr;
	IFA_UNLOCK(&ia->ia_ifa);
	IFA_REMREF(&ia->ia_ifa);
	if (ifpp != NULL) {
		/* if ifp is non-NULL, refcnt held in in6_selectif() */
		*ifpp = ifp;
	} else if (ifp != NULL) {
		ifnet_release(ifp);
	}
	return (src_storage);
}
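/*
 * Given a source IPv6 address (and route, if available), determine the best
 * interface to send the packet from.  Checking for (and updating) the
 * ROF_SRCIF_SELECTED flag in the pcb-supplied route placeholder is done
 * without any locks, based on the assumption that in the event this is
 * called from ip6_output(), the output operation is single-threaded per-pcb,
 * i.e. for any given pcb there can only be one thread performing output at
 * the IPv6 layer.
 *
 * This routine is analogous to in_selectsrcif() for IPv4.
 *
 * Parameters:
 *   srcsock   - source address; may be NULL, in which case no source
 *               interface selection is performed.
 *   dstsock   - destination address; must not be NULL (dereferenced
 *               unconditionally).
 *   opts      - packet options; ip6po_pktinfo and ip6po_nexthop are consulted
 *               when present.  May be NULL.
 *   mopts     - multicast options; im6o_multicast_ifp is used for multicast
 *               destinations.  May be NULL.
 *   ro        - cached route placeholder to validate or refill.  May be NULL.
 *   retifp    - if non-NULL, receives the chosen interface on success; a
 *               reference is taken on it for the caller.
 *   retrt     - if non-NULL, receives the chosen route's ro_rt on success
 *               (which may itself be NULL).
 *   clone     - meaningful only for bsdi and freebsd
 *   norouteok - with an explicit IPV6_PKTINFO interface, skip the route
 *               lookup entirely.
 *   ifscope   - interface scope (IPV6_BOUND_IF); ignored when scoped routing
 *               is disabled, overridden by a non-zero ipi6_ifindex.
 *   nocell    - when non-zero, a result that lands on an IFT_CELLULAR
 *               interface is discarded and treated as unreachable.
 *
 * Returns 0 on success, EHOSTUNREACH when no usable interface/route was
 * found, or EAFNOSUPPORT when the caller-supplied next hop is not AF_INET6.
 */
static int
selectroute(struct sockaddr_in6 *srcsock, struct sockaddr_in6 *dstsock,
    struct ip6_pktopts *opts, struct ip6_moptions *mopts, struct route_in6 *ro,
    struct ifnet **retifp, struct rtentry **retrt, int clone,
    int norouteok, unsigned int ifscope, unsigned int nocell)
{
	int error = 0;
	struct ifnet *ifp = NULL;
	struct route_in6 *route = NULL;
	struct sockaddr_in6 *sin6_next;
	struct in6_pktinfo *pi = NULL;
	struct in6_addr *dst = &dstsock->sin6_addr;
	struct ifaddr *ifa = NULL;
	char s_src[MAX_IPv6_STR_LEN], s_dst[MAX_IPv6_STR_LEN];
	boolean_t select_srcif;

#if 0
	char ip6buf[INET6_ADDRSTRLEN];

	if (dstsock->sin6_addr.s6_addr32[0] == 0 &&
	    dstsock->sin6_addr.s6_addr32[1] == 0 &&
	    !IN6_IS_ADDR_LOOPBACK(&dstsock->sin6_addr)) {
		printf("in6_selectroute: strange destination %s\n",
		    ip6_sprintf(ip6buf, &dstsock->sin6_addr));
	} else {
		printf("in6_selectroute: destination = %s%%%d\n",
		    ip6_sprintf(ip6buf, &dstsock->sin6_addr),
		    dstsock->sin6_scope_id); /* for debug */
	}
#endif

	/*
	 * The debug flag is re-read at every printf site below, while the
	 * buffers are only filled when it is set right here.  Terminate them
	 * up front so that a flag change during the call cannot make "%s"
	 * walk uninitialized stack memory.
	 */
	s_src[0] = '\0';
	s_dst[0] = '\0';

	if (retifp != NULL)
		*retifp = NULL;

	if (retrt != NULL)
		*retrt = NULL;

	if (ip6_select_srcif_debug) {
		struct in6_addr src;

		src = (srcsock != NULL) ? srcsock->sin6_addr : in6addr_any;
		(void) inet_ntop(AF_INET6, &src, s_src, sizeof (s_src));
		(void) inet_ntop(AF_INET6, dst, s_dst, sizeof (s_dst));
	}

	/*
	 * Perform source interface selection only if Scoped Routing
	 * is enabled and a source address that isn't unspecified.
	 *
	 * This is computed before the first "goto done" because the done
	 * path reads select_srcif; bailing out earlier would leave it
	 * uninitialized.
	 */
	select_srcif = (ip6_doscopedroute && srcsock != NULL &&
	    !IN6_IS_ADDR_UNSPECIFIED(&srcsock->sin6_addr));

	/*
	 * If the destination address is UNSPECIFIED addr, bail out.
	 */
	if (IN6_IS_ADDR_UNSPECIFIED(dst)) {
		error = EHOSTUNREACH;
		goto done;
	}

	/*
	 * If Scoped Routing is disabled, ignore the given ifscope.
	 * Otherwise even if source selection won't be performed,
	 * we still obey IPV6_BOUND_IF.
	 */
	if (!ip6_doscopedroute && ifscope != IFSCOPE_NONE)
		ifscope = IFSCOPE_NONE;

	/* If the caller specified the outgoing interface explicitly, use it */
	if (opts != NULL && (pi = opts->ip6po_pktinfo) != NULL &&
	    pi->ipi6_ifindex != 0) {
		/*
		 * IPV6_PKTINFO takes precedence over IPV6_BOUND_IF.
		 */
		ifscope = pi->ipi6_ifindex;
		ifnet_head_lock_shared();
		/*
		 * The index comes from the caller's options, so it is range
		 * checked against if_index before it is used as a subscript.
		 * ifp may be NULL if detached or out of range.
		 * NOTE(review): no reference on ifp is taken here; the only
		 * ifnet_reference() in this function is at "done" -- confirm
		 * what keeps ifp alive once the head lock is dropped.
		 */
		ifp = (ifscope <= if_index) ? ifindex2ifnet[ifscope] : NULL;
		ifnet_head_done();
		if (norouteok || retrt == NULL || IN6_IS_ADDR_MULTICAST(dst)) {
			/*
			 * We do not have to check or get the route for
			 * multicast.  If the caller didn't ask/care for
			 * the route and we have no interface to use,
			 * it's an error.
			 */
			if (ifp == NULL)
				error = EHOSTUNREACH;
			goto done;
		} else {
			goto getsrcif;
		}
	}

	/*
	 * If the destination address is a multicast address and the outgoing
	 * interface for the address is specified by the caller, use it.
	 */
	if (IN6_IS_ADDR_MULTICAST(dst) && mopts != NULL) {
		IM6O_LOCK(mopts);
		if ((ifp = mopts->im6o_multicast_ifp) != NULL) {
			IM6O_UNLOCK(mopts);
			goto done; /* we do not need a route for multicast. */
		}
		IM6O_UNLOCK(mopts);
	}

getsrcif:
	/*
	 * If the outgoing interface was not set via IPV6_BOUND_IF or
	 * IPV6_PKTINFO, use the scope ID in the destination address.
	 */
	if (ip6_doscopedroute && ifscope == IFSCOPE_NONE)
		ifscope = dstsock->sin6_scope_id;

	/*
	 * Perform source interface selection; the source IPv6 address
	 * must belong to one of the addresses of the interface used
	 * by the route.  For performance reasons, do this only if
	 * there is no route, or if the routing table has changed,
	 * or if we haven't done source interface selection on this
	 * route (for this PCB instance) before.
	 */
	if (!select_srcif || (ro != NULL && ro->ro_rt != NULL &&
	    (ro->ro_rt->rt_flags & RTF_UP) &&
	    ro->ro_rt->generation_id == route_generation &&
	    (ro->ro_flags & ROF_SRCIF_SELECTED))) {
		if (ro != NULL && ro->ro_rt != NULL) {
			ifa = ro->ro_rt->rt_ifa;
			IFA_ADDREF(ifa);
		}
		goto getroute;
	}

	/*
	 * Given the source IPv6 address, find a suitable source interface
	 * to use for transmission; if a scope ID has been specified,
	 * optimize the search by looking at the addresses only for that
	 * interface.  This is still suboptimal, however, as we need to
	 * traverse the per-interface list.
	 */
	if (ifscope != IFSCOPE_NONE || (ro != NULL && ro->ro_rt != NULL)) {
		unsigned int scope = ifscope;
		struct ifnet *rt_ifp;

		/*
		 * This block is also entered with ro == NULL when only the
		 * scope is set, so ro must be checked before it is
		 * dereferenced.
		 */
		rt_ifp = (ro != NULL && ro->ro_rt != NULL) ?
		    ro->ro_rt->rt_ifp : NULL;

		/*
		 * If no scope is specified and the route is stale (pointing
		 * to a defunct interface) use the current primary interface;
		 * this happens when switching between interfaces configured
		 * with the same IPv6 address.  Otherwise pick up the scope
		 * information from the route; the ULP may have looked up a
		 * correct route and we just need to verify it here and mark
		 * it with the ROF_SRCIF_SELECTED flag below.
		 */
		if (scope == IFSCOPE_NONE) {
			/*
			 * ifscope is IFSCOPE_NONE here, so the enclosing
			 * condition guarantees a non-NULL ro and ro->ro_rt.
			 */
			scope = rt_ifp->if_index;
			if (scope != get_primary_ifscope(AF_INET6) &&
			    ro->ro_rt->generation_id != route_generation)
				scope = get_primary_ifscope(AF_INET6);
		}

		ifa = (struct ifaddr *)
		    ifa_foraddr6_scoped(&srcsock->sin6_addr, scope);

		if (ip6_select_srcif_debug && ifa != NULL) {
			if (ro != NULL && ro->ro_rt != NULL) {
				printf("%s->%s ifscope %d->%d ifa_if %s "
				    "ro_if %s\n", s_src, s_dst, ifscope,
				    scope, if_name(ifa->ifa_ifp),
				    if_name(rt_ifp));
			} else {
				printf("%s->%s ifscope %d->%d ifa_if %s\n",
				    s_src, s_dst, ifscope, scope,
				    if_name(ifa->ifa_ifp));
			}
		}
	}

	/*
	 * Slow path; search for an interface having the corresponding source
	 * IPv6 address if the scope was not specified by the caller, and:
	 *
	 *   1) There currently isn't any route, or,
	 *   2) The interface used by the route does not own that source
	 *	IPv6 address; in this case, the route will get blown away
	 *	and we'll do a more specific scoped search using the newly
	 *	found interface.
	 */
	if (ifa == NULL && ifscope == IFSCOPE_NONE) {
		ifa = (struct ifaddr *)ifa_foraddr6(&srcsock->sin6_addr);

		if (ip6_select_srcif_debug && ifa != NULL) {
			printf("%s->%s ifscope %d ifa_if %s\n",
			    s_src, s_dst, ifscope, if_name(ifa->ifa_ifp));
		}
	}

getroute:
	if (ifa != NULL)
		ifscope = ifa->ifa_ifp->if_index;

	/*
	 * If the next hop address for the packet is specified by the caller,
	 * use it as the gateway.
	 */
	if (opts != NULL && opts->ip6po_nexthop != NULL) {
		struct route_in6 *ron;

		sin6_next = satosin6(opts->ip6po_nexthop);

		/* at this moment, we only support AF_INET6 next hops */
		if (sin6_next->sin6_family != AF_INET6) {
			error = EAFNOSUPPORT; /* or should we proceed? */
			goto done;
		}

		/*
		 * If the next hop is an IPv6 address, then the node identified
		 * by that address must be a neighbor of the sending host.
		 */
		ron = &opts->ip6po_nextroute;
		if (ron->ro_rt != NULL)
			RT_LOCK(ron->ro_rt);
		if ((ron->ro_rt != NULL &&
		    ((ron->ro_rt->rt_flags & (RTF_UP | RTF_LLINFO)) !=
		    (RTF_UP | RTF_LLINFO) ||
		    ron->ro_rt->generation_id != route_generation ||
		    (select_srcif && (ifa == NULL ||
		    ifa->ifa_ifp != ron->ro_rt->rt_ifp)))) ||
		    !IN6_ARE_ADDR_EQUAL(&satosin6(&ron->ro_dst)->sin6_addr,
		    &sin6_next->sin6_addr)) {
			/* Cached next-hop route is unusable; drop it. */
			if (ron->ro_rt != NULL) {
				RT_UNLOCK(ron->ro_rt);
				rtfree(ron->ro_rt);
				ron->ro_rt = NULL;
			}
			*satosin6(&ron->ro_dst) = *sin6_next;
		}
		if (ron->ro_rt == NULL) {
			rtalloc_scoped((struct route *)ron, ifscope);
			if (ron->ro_rt != NULL)
				RT_LOCK(ron->ro_rt);
			/*
			 * Accept the new route only if it carries link-layer
			 * info and its key is exactly the requested next hop.
			 */
			if (ron->ro_rt == NULL ||
			    !(ron->ro_rt->rt_flags & RTF_LLINFO) ||
			    !IN6_ARE_ADDR_EQUAL(&satosin6(rt_key(ron->ro_rt))->
			    sin6_addr, &sin6_next->sin6_addr)) {
				if (ron->ro_rt != NULL) {
					RT_UNLOCK(ron->ro_rt);
					rtfree(ron->ro_rt);
					ron->ro_rt = NULL;
				}
				error = EHOSTUNREACH;
				goto done;
			}
		}
		route = ron;
		ifp = ron->ro_rt->rt_ifp;

		/*
		 * When cloning is required, try to allocate a route to the
		 * destination so that the caller can store path MTU
		 * information.
		 */
		if (!clone) {
			if (select_srcif) {
				/* Keep the route locked */
				goto validateroute;
			}
			RT_UNLOCK(ron->ro_rt);
			goto done;
		}
		RT_UNLOCK(ron->ro_rt);
	}

	/*
	 * Use a cached route if it exists and is valid, else try to allocate
	 * a new one.  Note that we should check the address family of the
	 * cached destination, in case of sharing the cache with IPv4.
	 */
	if (ro == NULL)
		goto done;
	if (ro->ro_rt != NULL)
		RT_LOCK(ro->ro_rt);

	if (ro->ro_rt != NULL && (!(ro->ro_rt->rt_flags & RTF_UP) ||
	    satosin6(&ro->ro_dst)->sin6_family != AF_INET6 ||
	    ro->ro_rt->generation_id != route_generation ||
	    !IN6_ARE_ADDR_EQUAL(&satosin6(&ro->ro_dst)->sin6_addr, dst) ||
	    (select_srcif && (ifa == NULL ||
	    ifa->ifa_ifp != ro->ro_rt->rt_ifp)))) {
		RT_UNLOCK(ro->ro_rt);
		rtfree(ro->ro_rt);
		ro->ro_rt = NULL;
	}
	if (ro->ro_rt == NULL) {
		struct sockaddr_in6 *sa6;

		/* No route yet, so try to acquire one */
		bzero(&ro->ro_dst, sizeof(struct sockaddr_in6));
		sa6 = (struct sockaddr_in6 *)&ro->ro_dst;
		sa6->sin6_family = AF_INET6;
		sa6->sin6_len = sizeof(struct sockaddr_in6);
		sa6->sin6_addr = *dst;
		if (IN6_IS_ADDR_MULTICAST(dst)) {
			ro->ro_rt = rtalloc1_scoped(
			    &((struct route *)ro)->ro_dst, 0, 0, ifscope);
		} else {
			rtalloc_scoped((struct route *)ro, ifscope);
		}
		if (ro->ro_rt != NULL)
			RT_LOCK(ro->ro_rt);
	}

	/*
	 * Do not care about the result if we have the nexthop
	 * explicitly specified (in case we're asked to clone.)
	 */
	if (opts != NULL && opts->ip6po_nexthop != NULL) {
		if (ro->ro_rt != NULL)
			RT_UNLOCK(ro->ro_rt);
		goto done;
	}

	if (ro->ro_rt != NULL) {
		RT_LOCK_ASSERT_HELD(ro->ro_rt);
		ifp = ro->ro_rt->rt_ifp;
	} else {
		error = EHOSTUNREACH;
	}
	route = ro;

validateroute:
	if (select_srcif) {
		boolean_t has_route = (route != NULL && route->ro_rt != NULL);

		if (has_route)
			RT_LOCK_ASSERT_HELD(route->ro_rt);
		/*
		 * If there is a non-loopback route with the wrong interface,
		 * or if there is no interface configured with such an address,
		 * blow it away.  Except for local/loopback, we look for one
		 * with a matching interface scope/index.
		 */
		if (has_route && (ifa == NULL ||
		    (ifa->ifa_ifp != ifp && ifp != lo_ifp) ||
		    !(route->ro_rt->rt_flags & RTF_UP))) {
			if (ip6_select_srcif_debug) {
				if (ifa != NULL) {
					printf("%s->%s ifscope %d ro_if %s "
					    "!= ifa_if %s (cached route "
					    "cleared)\n", s_src, s_dst,
					    ifscope, if_name(ifp),
					    if_name(ifa->ifa_ifp));
				} else {
					printf("%s->%s ifscope %d ro_if %s "
					    "(no ifa_if found)\n", s_src,
					    s_dst, ifscope, if_name(ifp));
				}
			}
			RT_UNLOCK(route->ro_rt);
			rtfree(route->ro_rt);
			route->ro_rt = NULL;
			route->ro_flags &= ~ROF_SRCIF_SELECTED;
			error = EHOSTUNREACH;
			/* Undo the settings done above */
			route = NULL;
			ifp = NULL;
		} else if (has_route) {
			route->ro_flags |= ROF_SRCIF_SELECTED;
			route->ro_rt->generation_id = route_generation;
			RT_UNLOCK(route->ro_rt);
		}
	} else {
		/*
		 * Only reached by falling through from the cached-route code
		 * above, which has already returned for ro == NULL.
		 */
		if (ro->ro_rt != NULL)
			RT_UNLOCK(ro->ro_rt);
		if (ifp != NULL && opts != NULL &&
		    opts->ip6po_pktinfo != NULL &&
		    opts->ip6po_pktinfo->ipi6_ifindex != 0) {
			/*
			 * Check if the outgoing interface conflicts with the
			 * interface specified by ipi6_ifindex (if specified).
			 * Note that loopback interface is always okay.
			 * (this may happen when we are sending a packet to
			 * one of our own addresses.)
			 */
			if (!(ifp->if_flags & IFF_LOOPBACK) &&
			    ifp->if_index !=
			    opts->ip6po_pktinfo->ipi6_ifindex) {
				error = EHOSTUNREACH;
				goto done;
			}
		}
	}

done:
	/*
	 * Enforce the no-cellular restriction on whatever was selected:
	 * drop the route and report the destination as unreachable.
	 */
	if (nocell && error == 0) {
		if ((ifp != NULL && ifp->if_type == IFT_CELLULAR) ||
		    (route != NULL && route->ro_rt != NULL &&
		    route->ro_rt->rt_ifp->if_type == IFT_CELLULAR)) {
			if (route != NULL && route->ro_rt != NULL) {
				rtfree(route->ro_rt);
				route->ro_rt = NULL;
				route->ro_flags &= ~ROF_SRCIF_SELECTED;
				route = NULL;
			}
			ifp = NULL;
			error = EHOSTUNREACH;
		}
	}

	if (ifp == NULL && (route == NULL || route->ro_rt == NULL)) {
		/*
		 * This can happen if the caller did not pass a cached route
		 * nor any other hints.  We treat this case as an error.
		 */
		error = EHOSTUNREACH;
	}
	if (error == EHOSTUNREACH)
		ip6stat.ip6s_noroute++;

	if (error == 0) {
		if (retifp != NULL) {
			if (ifp != NULL)
				ifnet_reference(ifp);	/* for caller */
			*retifp = ifp;
		}
		if (retrt != NULL && route != NULL)
			*retrt = route->ro_rt;	/* ro_rt may be NULL */
	} else if (select_srcif && ip6_select_srcif_debug) {
		printf("%s->%s ifscope %d ifa_if %s ro_if %s (error=%d)\n",
		    s_src, s_dst, ifscope,
		    (ifa != NULL) ? if_name(ifa->ifa_ifp) : "NONE",
		    (ifp != NULL) ? if_name(ifp) : "NONE", error);
	}

	/* Drop the reference taken on ifa during source selection. */
	if (ifa != NULL)
		IFA_REMREF(ifa);

	return (error);
}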
/*
 * Ask pf(4), via DIOCNATLOOK on /dev/pf, for the translated source of a TCP
 * connection.
 *
 * ss[0] supplies the destination address/port of the query and ss[1] the
 * source address/port.  Only the family of ss[0] is examined; ss[1] is read
 * as the same family (presumably the caller guarantees they match -- verify).
 *
 * On success nat_addr is filled with the address pf reports in rsaddr, with
 * the port set to the ident port (113), and *nat_lport receives rsport
 * exactly as pf returned it (no byte-order conversion is done here).
 * NOTE(review): nat_addr is written as a sockaddr_in or sockaddr_in6, so the
 * caller's buffer must be large enough for the family of ss[0] -- confirm at
 * the call sites.
 * NOTE(review): the device is opened O_RDWR although only a lookup is
 * issued; check whether read-only access is sufficient on the target
 * platform.
 *
 * Returns 1 on success and 0 on any failure (unsupported family, open or
 * ioctl error); failures are reported through maybe_syslog().
 */
int
pf_natlookup(struct sockaddr_storage *ss, struct sockaddr *nat_addr,
    int *nat_lport)
{
	struct pfioc_natlook query;
	const int family = ss[0].ss_family;
	int pf_fd, rc;

	(void)memset(&query, 0, sizeof(query));

	/* Fill in the family-specific half of the natlook request. */
	if (family == AF_INET) {
		struct sockaddr_in *to4 = satosin(&ss[0]);
		struct sockaddr_in *from4 = satosin(&ss[1]);

		(void)memcpy(&query.daddr.v4, &to4->sin_addr,
		    sizeof(struct in_addr));
		(void)memcpy(&query.saddr.v4, &from4->sin_addr,
		    sizeof(struct in_addr));
		query.dport = to4->sin_port;
		query.sport = from4->sin_port;
	} else if (family == AF_INET6) {
		struct sockaddr_in6 *to6 = satosin6(&ss[0]);
		struct sockaddr_in6 *from6 = satosin6(&ss[1]);

		(void)memcpy(&query.daddr.v6, &to6->sin6_addr,
		    sizeof(struct in6_addr));
		(void)memcpy(&query.saddr.v6, &from6->sin6_addr,
		    sizeof(struct in6_addr));
		query.dport = to6->sin6_port;
		query.sport = from6->sin6_port;
	} else {
		maybe_syslog(LOG_ERR, "Unsupported protocol for NAT lookup "
		    "(no. %d)", family);
		return 0;
	}

	/* The remaining fields are the same for both families. */
	query.af = family;
	query.proto = IPPROTO_TCP;
	query.direction = PF_IN;

	/* Open the pf device, run the lookup, and always close it again. */
	pf_fd = open("/dev/pf", O_RDWR);
	if (pf_fd == -1) {
		maybe_syslog(LOG_ERR, "Cannot open /dev/pf: %m");
		return 0;
	}

	rc = ioctl(pf_fd, DIOCNATLOOK, &query);
	if (rc == -1) {
		/* Log before close() so %m still reflects the ioctl error. */
		maybe_syslog(LOG_ERR, "NAT lookup failure: %m");
	}
	(void)close(pf_fd);
	if (rc == -1)
		return 0;

	/*
	 * Hand back the originating address, with the port forced to the
	 * ident port, 113.
	 */
	if (family == AF_INET) {
		struct sockaddr_in *out4 = satosin(nat_addr);

		out4->sin_family = AF_INET;
		out4->sin_len = sizeof(struct sockaddr_in);
		out4->sin_port = htons(113);
		(void)memcpy(&out4->sin_addr, &query.rsaddr.v4,
		    sizeof(struct in_addr));
	} else if (family == AF_INET6) {
		struct sockaddr_in6 *out6 = satosin6(nat_addr);

		out6->sin6_family = AF_INET6;
		out6->sin6_len = sizeof(struct sockaddr_in6);
		out6->sin6_port = htons(113);
		(void)memcpy(&out6->sin6_addr, &query.rsaddr.v6,
		    sizeof(struct in6_addr));
	}

	/* Put the originating port into nat_lport. */
	*nat_lport = query.rsport;

	return 1;
}