int
add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
u_int16_t d_port, struct sockaddr *rdr, u_int16_t rdr_port)
{
if (!src || !dst || !d_port || !rdr || !rdr_port ||
(src->sa_family != rdr->sa_family)) {
errno = EINVAL;
return (-1);
}
if (prepare_rule(id, PF_RULESET_RDR, src, dst, d_port) == -1)
return (-1);
if (rdr->sa_family == AF_INET) {
memcpy(&pfp.addr.addr.v.a.addr.v4,
&satosin(rdr)->sin_addr.s_addr, 4);
memset(&pfp.addr.addr.v.a.mask.addr8, 255, 4);
} else {
memcpy(&pfp.addr.addr.v.a.addr.v6,
&satosin6(rdr)->sin6_addr.s6_addr, 16);
memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16);
}
if (ioctl(dev, DIOCADDADDR, &pfp) == -1)
return (-1);
pfr.rule.rpool.proxy_port[0] = rdr_port;
if (ioctl(dev, DIOCADDRULE, &pfr) == -1)
return (-1);
return (0);
}
char *
routename(struct sockaddr *sa, int flags)
{
static char line[NI_MAXHOST];
int error, f;
f = (flags) ? NI_NUMERICHOST : 0;
error = getnameinfo(sa, sa->sa_len, line, sizeof(line),
NULL, 0, f);
if (error) {
const void *src;
switch (sa->sa_family) {
#ifdef INET
case AF_INET:
src = &satosin(sa)->sin_addr;
break;
#endif /* INET */
#ifdef INET6
case AF_INET6:
src = &satosin6(sa)->sin6_addr;
break;
#endif /* INET6 */
default:
return(line);
}
inet_ntop(sa->sa_family, src, line, sizeof(line) - 1);
return (line);
}
trimdomain(line, strlen(line));
return (line);
}
int
Mod_fw_lookup_orig_dst(FW_handle_T handle, struct sockaddr *src,
struct sockaddr *proxy, struct sockaddr *orig_dst)
{
struct fw_handle *fwh = handle->fwh;
if(src->sa_family == AF_INET) {
return server_lookup4(fwh->pfdev, satosin(src), satosin(proxy),
satosin(orig_dst));
}
if(src->sa_family == AF_INET6) {
return server_lookup6(fwh->pfdev, satosin6(src), satosin6(proxy),
satosin6(orig_dst));
}
errno = EPROTONOSUPPORT;
return -1;
}
/*
* Return the name of the network whose address is given.
*/
const char *
netname(struct sockaddr *sa, struct sockaddr *mask)
{
switch (sa->sa_family) {
case AF_INET:
if (mask != NULL)
return (netname4(satosin(sa)->sin_addr.s_addr,
satosin(mask)->sin_addr.s_addr));
else
return (netname4(satosin(sa)->sin_addr.s_addr,
INADDR_ANY));
break;
#ifdef INET6
case AF_INET6:
return (netname6(satosin6(sa), satosin6(mask)));
#endif /* INET6 */
default:
return (NULL);
}
}
struct sockaddr *
sockaddr_in6_externalize(struct sockaddr *dst, socklen_t socklen,
const struct sockaddr *src)
{
struct sockaddr_in6 *sin6;
sin6 = satosin6(sockaddr_copy(dst, socklen, src));
if (sin6 == NULL || sa6_recoverscope(sin6) != 0)
return NULL;
return dst;
}
int
add_addr(struct sockaddr *addr, struct pf_pool *pfp)
{
if (addr->sa_family == AF_INET) {
memcpy(&pfp->addr.v.a.addr.v4,
&satosin(addr)->sin_addr.s_addr, 4);
memset(&pfp->addr.v.a.mask.addr8, 255, 4);
} else {
memcpy(&pfp->addr.v.a.addr.v6,
&satosin6(addr)->sin6_addr.s6_addr, 16);
memset(&pfp->addr.v.a.mask.addr8, 255, 16);
}
pfp->addr.type = PF_ADDR_ADDRMASK;
return (0);
}
/*
* Do what we need to do when inserting a route.
*/
static struct radix_node *
in6_addroute(void *v_arg, void *n_arg, struct radix_head *head,
struct radix_node *treenodes)
{
struct rtentry *rt = (struct rtentry *)treenodes;
struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)rt_key(rt);
if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr))
rt->rt_flags |= RTF_MULTICAST;
/*
* A little bit of help for both IPv6 output and input:
* For local addresses, we make sure that RTF_LOCAL is set,
* with the thought that this might one day be used to speed up
* ip_input().
*
* We also mark routes to multicast addresses as such, because
* it's easy to do and might be useful (but this is much more
* dubious since it's so easy to inspect the address). (This
* is done above.)
*
* XXX
* should elaborate the code.
*/
if (rt->rt_flags & RTF_HOST) {
if (IN6_ARE_ADDR_EQUAL(&satosin6(rt->rt_ifa->ifa_addr)
->sin6_addr,
&sin6->sin6_addr)) {
rt->rt_flags |= RTF_LOCAL;
}
}
if (rt->rt_ifp != NULL) {
/*
* Check route MTU:
* inherit interface MTU if not set or
* check if MTU is too large.
*/
if (rt->rt_mtu == 0) {
rt->rt_mtu = IN6_LINKMTU(rt->rt_ifp);
} else if (rt->rt_mtu > IN6_LINKMTU(rt->rt_ifp))
rt->rt_mtu = IN6_LINKMTU(rt->rt_ifp);
}
return (rn_addroute(v_arg, n_arg, head, treenodes));
}
static void
nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt)
{
struct nfsrv_descript nd;
struct nfsrvcache *rp = NULL;
int cacherep, credflavor;
memset(&nd, 0, sizeof(nd));
if (rqst->rq_vers == NFS_VER2) {
if (rqst->rq_proc > NFSV2PROC_STATFS) {
svcerr_noproc(rqst);
svc_freereq(rqst);
goto out;
}
nd.nd_procnum = newnfs_nfsv3_procid[rqst->rq_proc];
nd.nd_flag = ND_NFSV2;
} else if (rqst->rq_vers == NFS_VER3) {
if (rqst->rq_proc >= NFS_V3NPROCS) {
svcerr_noproc(rqst);
svc_freereq(rqst);
goto out;
}
nd.nd_procnum = rqst->rq_proc;
nd.nd_flag = ND_NFSV3;
} else {
if (rqst->rq_proc != NFSPROC_NULL &&
rqst->rq_proc != NFSV4PROC_COMPOUND) {
svcerr_noproc(rqst);
svc_freereq(rqst);
goto out;
}
nd.nd_procnum = rqst->rq_proc;
nd.nd_flag = ND_NFSV4;
}
/*
* Note: we want rq_addr, not svc_getrpccaller for nd_nam2 -
* NFS_SRVMAXDATA uses a NULL value for nd_nam2 to detect TCP
* mounts.
*/
nd.nd_mrep = rqst->rq_args;
rqst->rq_args = NULL;
newnfs_realign(&nd.nd_mrep, M_WAITOK);
nd.nd_md = nd.nd_mrep;
nd.nd_dpos = mtod(nd.nd_md, caddr_t);
nd.nd_nam = svc_getrpccaller(rqst);
nd.nd_nam2 = rqst->rq_addr;
nd.nd_mreq = NULL;
nd.nd_cred = NULL;
if (nfs_privport && (nd.nd_flag & ND_NFSV4) == 0) {
/* Check if source port is privileged */
u_short port;
struct sockaddr *nam = nd.nd_nam;
struct sockaddr_in *sin;
sin = (struct sockaddr_in *)nam;
/*
* INET/INET6 - same code:
* sin_port and sin6_port are at same offset
*/
port = ntohs(sin->sin_port);
if (port >= IPPORT_RESERVED &&
nd.nd_procnum != NFSPROC_NULL) {
#ifdef INET6
char b6[INET6_ADDRSTRLEN];
#if defined(KLD_MODULE)
/* Do not use ip6_sprintf: the nfs module should work without INET6. */
#define ip6_sprintf(buf, a) \
(sprintf((buf), "%x:%x:%x:%x:%x:%x:%x:%x", \
(a)->s6_addr16[0], (a)->s6_addr16[1], \
(a)->s6_addr16[2], (a)->s6_addr16[3], \
(a)->s6_addr16[4], (a)->s6_addr16[5], \
(a)->s6_addr16[6], (a)->s6_addr16[7]), \
(buf))
#endif
#endif
printf("NFS request from unprivileged port (%s:%d)\n",
#ifdef INET6
sin->sin_family == AF_INET6 ?
ip6_sprintf(b6, &satosin6(sin)->sin6_addr) :
#if defined(KLD_MODULE)
#undef ip6_sprintf
#endif
#endif
inet_ntoa(sin->sin_addr), port);
svcerr_weakauth(rqst);
svc_freereq(rqst);
m_freem(nd.nd_mrep);
goto out;
}
}
if (nd.nd_procnum != NFSPROC_NULL) {
if (!svc_getcred(rqst, &nd.nd_cred, &credflavor)) {
svcerr_weakauth(rqst);
svc_freereq(rqst);
m_freem(nd.nd_mrep);
goto out;
}
/* Set the flag based on credflavor */
if (credflavor == RPCSEC_GSS_KRB5) {
nd.nd_flag |= ND_GSS;
} else if (credflavor == RPCSEC_GSS_KRB5I) {
nd.nd_flag |= (ND_GSS | ND_GSSINTEGRITY);
} else if (credflavor == RPCSEC_GSS_KRB5P) {
nd.nd_flag |= (ND_GSS | ND_GSSPRIVACY);
} else if (credflavor != AUTH_SYS) {
svcerr_weakauth(rqst);
svc_freereq(rqst);
m_freem(nd.nd_mrep);
goto out;
}
#ifdef MAC
mac_cred_associate_nfsd(nd.nd_cred);
#endif
/*
* Get a refcnt (shared lock) on nfsd_suspend_lock.
* NFSSVC_SUSPENDNFSD will take an exclusive lock on
* nfsd_suspend_lock to suspend these threads.
* This must be done here, before the check of
* nfsv4root exports by nfsvno_v4rootexport().
*/
NFSLOCKV4ROOTMUTEX();
nfsv4_getref(&nfsd_suspend_lock, NULL, NFSV4ROOTLOCKMUTEXPTR,
NULL);
NFSUNLOCKV4ROOTMUTEX();
if ((nd.nd_flag & ND_NFSV4) != 0) {
nd.nd_repstat = nfsvno_v4rootexport(&nd);
if (nd.nd_repstat != 0) {
NFSLOCKV4ROOTMUTEX();
nfsv4_relref(&nfsd_suspend_lock);
NFSUNLOCKV4ROOTMUTEX();
svcerr_weakauth(rqst);
svc_freereq(rqst);
m_freem(nd.nd_mrep);
goto out;
}
}
cacherep = nfs_proc(&nd, rqst->rq_xid, xprt, &rp);
NFSLOCKV4ROOTMUTEX();
nfsv4_relref(&nfsd_suspend_lock);
NFSUNLOCKV4ROOTMUTEX();
} else {
NFSMGET(nd.nd_mreq);
nd.nd_mreq->m_len = 0;
cacherep = RC_REPLY;
}
if (nd.nd_mrep != NULL)
m_freem(nd.nd_mrep);
if (nd.nd_cred != NULL)
crfree(nd.nd_cred);
if (cacherep == RC_DROPIT) {
if (nd.nd_mreq != NULL)
m_freem(nd.nd_mreq);
svc_freereq(rqst);
goto out;
}
if (nd.nd_mreq == NULL) {
svcerr_decode(rqst);
svc_freereq(rqst);
goto out;
}
if (nd.nd_repstat & NFSERR_AUTHERR) {
svcerr_auth(rqst, nd.nd_repstat & ~NFSERR_AUTHERR);
if (nd.nd_mreq != NULL)
m_freem(nd.nd_mreq);
} else if (!svc_sendreply_mbuf(rqst, nd.nd_mreq)) {
svcerr_systemerr(rqst);
}
if (rp != NULL) {
nfsrvd_sentcache(rp, (rqst->rq_reply_seq != 0 ||
SVC_ACK(xprt, NULL)), rqst->rq_reply_seq);
}
svc_freereq(rqst);
out:
NFSEXITCODE(0);
}
static const char *
fmt_sockaddr(struct sockaddr *sa, struct sockaddr *mask, int flags)
{
static char buf[128];
const char *cp;
if (sa == NULL)
return ("null");
switch(sa->sa_family) {
#ifdef INET6
case AF_INET6:
/*
* The sa6->sin6_scope_id must be filled here because
* this sockaddr is extracted from kmem(4) directly
* and has KAME-specific embedded scope id in
* sa6->sin6_addr.s6_addr[2].
*/
in6_fillscopeid(satosin6(sa));
/* FALLTHROUGH */
#endif /*INET6*/
case AF_INET:
if (flags & RTF_HOST)
cp = routename(sa, numeric_addr);
else if (mask)
cp = netname(sa, mask);
else
cp = netname(sa, NULL);
break;
case AF_NETGRAPH:
{
strlcpy(buf, ((struct sockaddr_ng *)sa)->sg_data,
sizeof(buf));
cp = buf;
break;
}
case AF_LINK:
{
#if 0
struct sockaddr_dl *sdl = (struct sockaddr_dl *)sa;
/* Interface route. */
if (sdl->sdl_nlen)
cp = sdl->sdl_data;
else
#endif
cp = routename(sa, 1);
break;
}
default:
{
u_char *s = (u_char *)sa->sa_data, *slim;
char *cq, *cqlim;
cq = buf;
slim = sa->sa_len + (u_char *) sa;
cqlim = cq + sizeof(buf) - sizeof(" ffff");
snprintf(cq, sizeof(buf), "(%d)", sa->sa_family);
cq += strlen(cq);
while (s < slim && cq < cqlim) {
snprintf(cq, sizeof(" ff"), " %02x", *s++);
cq += strlen(cq);
if (s < slim) {
snprintf(cq, sizeof("ff"), "%02x", *s++);
cq += strlen(cq);
}
}
cp = buf;
}
}
return (cp);
}
/*
* Do what we need to do when inserting a route.
*/
static struct radix_node *
in6_addroute(void *v_arg, void *n_arg, struct radix_node_head *head,
struct radix_node *treenodes)
{
struct rtentry *rt = (struct rtentry *)treenodes;
struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)rt_key(rt);
struct radix_node *ret;
if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr))
rt->rt_flags |= RTF_MULTICAST;
/*
* A little bit of help for both IPv6 output and input:
* For local addresses, we make sure that RTF_LOCAL is set,
* with the thought that this might one day be used to speed up
* ip_input().
*
* We also mark routes to multicast addresses as such, because
* it's easy to do and might be useful (but this is much more
* dubious since it's so easy to inspect the address). (This
* is done above.)
*
* XXX
* should elaborate the code.
*/
if (rt->rt_flags & RTF_HOST) {
if (IN6_ARE_ADDR_EQUAL(&satosin6(rt->rt_ifa->ifa_addr)
->sin6_addr,
&sin6->sin6_addr)) {
rt->rt_flags |= RTF_LOCAL;
}
}
if (!rt->rt_rmx.rmx_mtu && rt->rt_ifp)
rt->rt_rmx.rmx_mtu = IN6_LINKMTU(rt->rt_ifp);
ret = rn_addroute(v_arg, n_arg, head, treenodes);
if (ret == NULL && rt->rt_flags & RTF_HOST) {
struct rtentry *rt2;
/*
* We are trying to add a host route, but can't.
* Find out if it is because of an
* ARP entry and delete it if so.
*/
rt2 = rtalloc1((struct sockaddr *)sin6, 0, RTF_CLONING);
if (rt2) {
if (rt2->rt_flags & RTF_LLINFO &&
rt2->rt_flags & RTF_HOST &&
rt2->rt_gateway &&
rt2->rt_gateway->sa_family == AF_LINK) {
rtexpunge(rt2);
RTFREE_LOCKED(rt2);
ret = rn_addroute(v_arg, n_arg, head,
treenodes);
} else
RTFREE_LOCKED(rt2);
}
} else if (ret == NULL && rt->rt_flags & RTF_CLONING) {
struct rtentry *rt2;
/*
* We are trying to add a net route, but can't.
* The following case should be allowed, so we'll make a
* special check for this:
* Two IPv6 addresses with the same prefix is assigned
* to a single interrface.
* # ifconfig if0 inet6 3ffe:0501::1 prefix 64 alias (*1)
* # ifconfig if0 inet6 3ffe:0501::2 prefix 64 alias (*2)
* In this case, (*1) and (*2) want to add the same
* net route entry, 3ffe:0501:: -> if0.
* This case should not raise an error.
*/
rt2 = rtalloc1((struct sockaddr *)sin6, 0, RTF_CLONING);
if (rt2) {
if ((rt2->rt_flags & (RTF_CLONING|RTF_HOST|RTF_GATEWAY))
== RTF_CLONING
&& rt2->rt_gateway
&& rt2->rt_gateway->sa_family == AF_LINK
&& rt2->rt_ifp == rt->rt_ifp) {
ret = rt2->rt_nodes;
}
RTFREE_LOCKED(rt2);
}
}
return ret;
}
int
prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
struct sockaddr *dst, u_int16_t d_port, u_int8_t proto)
{
char an[PF_ANCHOR_NAME_SIZE];
if ((src->sa_family != AF_INET && src->sa_family != AF_INET6) ||
(src->sa_family != dst->sa_family)) {
errno = EPROTONOSUPPORT;
return (-1);
}
memset(&pfp, 0, sizeof pfp);
memset(&pfr, 0, sizeof pfr);
snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR,
getpid(), id);
strlcpy(pfp.anchor, an, PF_ANCHOR_NAME_SIZE);
strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE);
switch (rs_num) {
case PF_RULESET_FILTER:
pfr.ticket = pfte[TRANS_FILTER].ticket;
break;
case PF_RULESET_NAT:
pfr.ticket = pfte[TRANS_NAT].ticket;
break;
case PF_RULESET_RDR:
pfr.ticket = pfte[TRANS_RDR].ticket;
break;
default:
errno = EINVAL;
return (-1);
}
if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1)
return (-1);
pfr.pool_ticket = pfp.ticket;
/* Generic for all rule types. */
pfr.rule.af = src->sa_family;
pfr.rule.proto = proto;
pfr.rule.src.addr.type = PF_ADDR_ADDRMASK;
pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
if (src->sa_family == AF_INET) {
memcpy(&pfr.rule.src.addr.v.a.addr.v4,
&satosin(src)->sin_addr.s_addr, 4);
memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 4);
memcpy(&pfr.rule.dst.addr.v.a.addr.v4,
&satosin(dst)->sin_addr.s_addr, 4);
memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 4);
} else {
memcpy(&pfr.rule.src.addr.v.a.addr.v6,
&satosin6(src)->sin6_addr.s6_addr, 16);
memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 16);
memcpy(&pfr.rule.dst.addr.v.a.addr.v6,
&satosin6(dst)->sin6_addr.s6_addr, 16);
memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 16);
}
pfr.rule.dst.port_op = PF_OP_EQ;
pfr.rule.dst.port[0] = htons(d_port);
switch (rs_num) {
case PF_RULESET_FILTER:
/*
* pass quick [log] inet[6] proto tcp \
* from $src to $dst port = $d_port flags S/SAFR keep state
* (max 1) [queue qname]
*/
pfr.rule.action = PF_PASS;
pfr.rule.quick = 1;
pfr.rule.log = rule_log;
pfr.rule.keep_state = 1;
#ifdef __FreeBSD__
pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : 0);
pfr.rule.flagset = (proto == IPPROTO_TCP ?
(TH_SYN|TH_ACK|TH_FIN|TH_RST) : 0);
#else
pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : NULL);
pfr.rule.flagset = (proto == IPPROTO_TCP ?
(TH_SYN|TH_ACK|TH_FIN|TH_RST) : NULL);
#endif
pfr.rule.max_states = 1;
if (qname != NULL)
strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
break;
case PF_RULESET_NAT:
/*
* nat inet[6] proto tcp from $src to $dst port $d_port -> $nat
*/
pfr.rule.action = PF_NAT;
break;
case PF_RULESET_RDR:
/*
* rdr inet[6] proto tcp from $src to $dst port $d_port -> $rdr
*/
pfr.rule.action = PF_RDR;
break;
default:
errno = EINVAL;
return (-1);
}
return (0);
}
/*
* Do what we need to do when inserting a route.
*/
static struct radix_node *
in6_addroute(void *v_arg, void *n_arg, struct radix_node_head *head,
struct radix_node *treenodes)
{
struct rtentry *rt = (struct rtentry *)treenodes;
struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)rt_key(rt);
struct radix_node *ret;
lck_mtx_assert(rnh_lock, LCK_MTX_ASSERT_OWNED);
RT_LOCK_ASSERT_HELD(rt);
/*
* If this is a dynamic route (which is created via Redirect) and
* we already have the maximum acceptable number of such route entries,
* reject creating a new one. We could initiate garbage collection to
* make available space right now, but the benefit would probably not
* be worth the cleaning overhead; we only have to endure a slightly
* suboptimal path even without the redirecbted route.
*/
if ((rt->rt_flags & RTF_DYNAMIC) != 0 &&
ip6_maxdynroutes >= 0 && in6dynroutes >= ip6_maxdynroutes)
return (NULL);
/*
* For IPv6, all unicast non-host routes are automatically cloning.
*/
if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr))
rt->rt_flags |= RTF_MULTICAST;
if (!(rt->rt_flags & (RTF_HOST | RTF_CLONING | RTF_MULTICAST))) {
rt->rt_flags |= RTF_PRCLONING;
}
/*
* A little bit of help for both IPv6 output and input:
* For local addresses, we make sure that RTF_LOCAL is set,
* with the thought that this might one day be used to speed up
* ip_input().
*
* We also mark routes to multicast addresses as such, because
* it's easy to do and might be useful (but this is much more
* dubious since it's so easy to inspect the address). (This
* is done above.)
*
* XXX
* should elaborate the code.
*/
if (rt->rt_flags & RTF_HOST) {
if (IN6_ARE_ADDR_EQUAL(&satosin6(rt->rt_ifa->ifa_addr)
->sin6_addr,
&sin6->sin6_addr)) {
rt->rt_flags |= RTF_LOCAL;
}
}
if (!rt->rt_rmx.rmx_mtu && !(rt->rt_rmx.rmx_locks & RTV_MTU)
&& rt->rt_ifp)
rt->rt_rmx.rmx_mtu = rt->rt_ifp->if_mtu;
ret = rn_addroute(v_arg, n_arg, head, treenodes);
if (ret == NULL && (rt->rt_flags & RTF_HOST)) {
struct rtentry *rt2;
/*
* We are trying to add a host route, but can't.
* Find out if it is because of an
* ARP entry and delete it if so.
*/
rt2 = rtalloc1_locked((struct sockaddr *)sin6, 0,
RTF_CLONING | RTF_PRCLONING);
if (rt2) {
RT_LOCK(rt2);
if ((rt2->rt_flags & RTF_LLINFO) &&
(rt2->rt_flags & RTF_HOST) &&
rt2->rt_gateway != NULL &&
rt2->rt_gateway->sa_family == AF_LINK) {
/*
* Safe to drop rt_lock and use rt_key,
* rt_gateway, since holding rnh_lock here
* prevents another thread from calling
* rt_setgate() on this route.
*/
RT_UNLOCK(rt2);
(void) rtrequest_locked(RTM_DELETE, rt_key(rt2),
rt2->rt_gateway, rt_mask(rt2),
rt2->rt_flags, 0);
ret = rn_addroute(v_arg, n_arg, head,
treenodes);
} else {
RT_UNLOCK(rt2);
}
rtfree_locked(rt2);
}
} else if (ret == NULL && (rt->rt_flags & RTF_CLONING)) {
struct rtentry *rt2;
/*
* We are trying to add a net route, but can't.
* The following case should be allowed, so we'll make a
* special check for this:
* Two IPv6 addresses with the same prefix is assigned
* to a single interrface.
* # ifconfig if0 inet6 3ffe:0501::1 prefix 64 alias (*1)
* # ifconfig if0 inet6 3ffe:0501::2 prefix 64 alias (*2)
* In this case, (*1) and (*2) want to add the same
* net route entry, 3ffe:0501:: -> if0.
* This case should not raise an error.
*/
rt2 = rtalloc1_locked((struct sockaddr *)sin6, 0,
RTF_CLONING | RTF_PRCLONING);
if (rt2) {
RT_LOCK(rt2);
if ((rt2->rt_flags & (RTF_CLONING|RTF_HOST|RTF_GATEWAY))
== RTF_CLONING
&& rt2->rt_gateway
&& rt2->rt_gateway->sa_family == AF_LINK
&& rt2->rt_ifp == rt->rt_ifp) {
ret = rt2->rt_nodes;
}
RT_UNLOCK(rt2);
rtfree_locked(rt2);
}
}
if (ret != NULL && (rt->rt_flags & RTF_DYNAMIC) != 0)
in6dynroutes++;
return ret;
}
int
prepare_rule(u_int32_t id, struct sockaddr *src,
struct sockaddr *dst, u_int16_t d_port)
{
char an[PF_ANCHOR_NAME_SIZE];
if ((src->sa_family != AF_INET && src->sa_family != AF_INET6) ||
(src->sa_family != dst->sa_family)) {
errno = EPROTONOSUPPORT;
return (-1);
}
memset(&pfr, 0, sizeof pfr);
snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR,
getpid(), id);
strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE);
pfr.ticket = pfte.ticket;
/* Generic for all rule types. */
pfr.rule.af = src->sa_family;
pfr.rule.proto = IPPROTO_TCP;
pfr.rule.src.addr.type = PF_ADDR_ADDRMASK;
pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
pfr.rule.nat.addr.type = PF_ADDR_NONE;
pfr.rule.rdr.addr.type = PF_ADDR_NONE;
if (src->sa_family == AF_INET) {
memcpy(&pfr.rule.src.addr.v.a.addr.v4,
&satosin(src)->sin_addr.s_addr, 4);
memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 4);
memcpy(&pfr.rule.dst.addr.v.a.addr.v4,
&satosin(dst)->sin_addr.s_addr, 4);
memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 4);
} else {
memcpy(&pfr.rule.src.addr.v.a.addr.v6,
&satosin6(src)->sin6_addr.s6_addr, 16);
memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 16);
memcpy(&pfr.rule.dst.addr.v.a.addr.v6,
&satosin6(dst)->sin6_addr.s6_addr, 16);
memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 16);
}
pfr.rule.dst.port_op = PF_OP_EQ;
pfr.rule.dst.port[0] = htons(d_port);
/*
* pass [quick] [log] inet[6] proto tcp \
* from $src to $dst port = $d_port flags S/SA keep state
* (max 1) [queue qname] [tag tagname]
*/
if (tagname != NULL)
pfr.rule.action = PF_MATCH;
else
pfr.rule.action = PF_PASS;
pfr.rule.quick = 1;
pfr.rule.log = rule_log;
pfr.rule.keep_state = 1;
pfr.rule.flags = TH_SYN;
pfr.rule.flagset = (TH_SYN|TH_ACK);
pfr.rule.max_states = 1;
if (qname != NULL)
strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
if (tagname != NULL) {
pfr.rule.quick = 0;
strlcpy(pfr.rule.tagname, tagname,
sizeof pfr.rule.tagname);
}
return (0);
}
/*
* NOTE: in6_ifdetach() does not support loopback if at this moment.
* We don't need this function in bsdi, because interfaces are never removed
* from the ifnet list in bsdi.
*/
void
in6_ifdetach(struct ifnet *ifp)
{
struct in6_ifaddr *ia, *oia;
struct ifaddr *ifa, *next;
struct rtentry *rt;
short rtflags;
struct in6_multi_mship *imm;
/* remove ip6_mrouter stuff */
ip6_mrouter_detach(ifp);
/* remove neighbor management table */
nd6_purge(ifp);
/* XXX this code is duplicated in in6_purgeif() --dyoung */
/* nuke any of IPv6 addresses we have */
if_purgeaddrs(ifp, AF_INET6, in6_purgeaddr);
/* XXX isn't this code is redundant, given the above? --dyoung */
/* XXX doesn't this code replicate code in in6_purgeaddr() ? --dyoung */
/* undo everything done by in6_ifattach(), just in case */
for (ifa = IFADDR_FIRST(ifp); ifa != NULL; ifa = next) {
next = IFADDR_NEXT(ifa);
if (ifa->ifa_addr->sa_family != AF_INET6
|| !IN6_IS_ADDR_LINKLOCAL(&satosin6(&ifa->ifa_addr)->sin6_addr)) {
continue;
}
ia = (struct in6_ifaddr *)ifa;
/*
* leave from multicast groups we have joined for the interface
*/
while ((imm = LIST_FIRST(&ia->ia6_memberships)) != NULL) {
LIST_REMOVE(imm, i6mm_chain);
in6_leavegroup(imm);
}
/* remove from the routing table */
if ((ia->ia_flags & IFA_ROUTE) &&
(rt = rtalloc1((struct sockaddr *)&ia->ia_addr, 0))) {
rtflags = rt->rt_flags;
rtfree(rt);
rtrequest(RTM_DELETE, (struct sockaddr *)&ia->ia_addr,
(struct sockaddr *)&ia->ia_addr,
(struct sockaddr *)&ia->ia_prefixmask,
rtflags, NULL);
}
/* remove from the linked list */
ifa_remove(ifp, &ia->ia_ifa);
/* also remove from the IPv6 address chain(itojun&jinmei) */
oia = ia;
if (oia == (ia = in6_ifaddr))
in6_ifaddr = ia->ia_next;
else {
while (ia->ia_next && (ia->ia_next != oia))
ia = ia->ia_next;
if (ia->ia_next)
ia->ia_next = oia->ia_next;
else {
nd6log((LOG_ERR,
"%s: didn't unlink in6ifaddr from list\n",
if_name(ifp)));
}
}
ifafree(&oia->ia_ifa);
}
/* cleanup multicast address kludge table, if there is any */
in6_purgemkludge(ifp);
/*
* remove neighbor management table. we call it twice just to make
* sure we nuke everything. maybe we need just one call.
* XXX: since the first call did not release addresses, some prefixes
* might remain. We should call nd6_purge() again to release the
* prefixes after removing all addresses above.
* (Or can we just delay calling nd6_purge until at this point?)
*/
nd6_purge(ifp);
}
struct in6_addr *
in6_selectsrc(struct sockaddr_in6 *dstsock, struct ip6_pktopts *opts,
struct inpcb *inp, struct route_in6 *ro,
struct ifnet **ifpp, struct in6_addr *src_storage, unsigned int ifscope,
int *errorp)
{
struct in6_addr dst;
struct ifnet *ifp = NULL;
struct in6_ifaddr *ia = NULL, *ia_best = NULL;
struct in6_pktinfo *pi = NULL;
int dst_scope = -1, best_scope = -1, best_matchlen = -1;
struct in6_addrpolicy *dst_policy = NULL, *best_policy = NULL;
u_int32_t odstzone;
int prefer_tempaddr;
struct ip6_moptions *mopts;
struct timeval timenow;
unsigned int nocell;
boolean_t islocal = FALSE;
getmicrotime(&timenow);
dst = dstsock->sin6_addr; /* make a copy for local operation */
*errorp = 0;
if (ifpp != NULL)
*ifpp = NULL;
if (inp != NULL) {
mopts = inp->in6p_moptions;
nocell = (inp->inp_flags & INP_NO_IFT_CELLULAR) ? 1 : 0;
} else {
mopts = NULL;
nocell = 0;
}
/*
* If the source address is explicitly specified by the caller,
* check if the requested source address is indeed a unicast address
* assigned to the node, and can be used as the packet's source
* address. If everything is okay, use the address as source.
*/
if (opts && (pi = opts->ip6po_pktinfo) &&
!IN6_IS_ADDR_UNSPECIFIED(&pi->ipi6_addr)) {
struct sockaddr_in6 srcsock;
struct in6_ifaddr *ia6;
/* get the outgoing interface */
if ((*errorp = in6_selectif(dstsock, opts, mopts, ro, ifscope,
nocell, &ifp)) != 0) {
return (NULL);
}
/*
* determine the appropriate zone id of the source based on
* the zone of the destination and the outgoing interface.
* If the specified address is ambiguous wrt the scope zone,
* the interface must be specified; otherwise, ifa_ifwithaddr()
* will fail matching the address.
*/
bzero(&srcsock, sizeof(srcsock));
srcsock.sin6_family = AF_INET6;
srcsock.sin6_len = sizeof(srcsock);
srcsock.sin6_addr = pi->ipi6_addr;
if (ifp) {
*errorp = in6_setscope(&srcsock.sin6_addr, ifp, NULL);
if (*errorp != 0) {
ifnet_release(ifp);
return (NULL);
}
}
ia6 = (struct in6_ifaddr *)ifa_ifwithaddr((struct sockaddr *)(&srcsock));
if (ia6 == NULL) {
*errorp = EADDRNOTAVAIL;
if (ifp != NULL)
ifnet_release(ifp);
return (NULL);
}
IFA_LOCK_SPIN(&ia6->ia_ifa);
if ((ia6->ia6_flags & (IN6_IFF_ANYCAST | IN6_IFF_NOTREADY)) ||
(nocell && (ia6->ia_ifa.ifa_ifp->if_type == IFT_CELLULAR))) {
IFA_UNLOCK(&ia6->ia_ifa);
IFA_REMREF(&ia6->ia_ifa);
*errorp = EADDRNOTAVAIL;
if (ifp != NULL)
ifnet_release(ifp);
return (NULL);
}
*src_storage = satosin6(&ia6->ia_addr)->sin6_addr;
IFA_UNLOCK(&ia6->ia_ifa);
IFA_REMREF(&ia6->ia_ifa);
if (ifpp != NULL) {
/* if ifp is non-NULL, refcnt held in in6_selectif() */
*ifpp = ifp;
} else if (ifp != NULL) {
ifnet_release(ifp);
}
return (src_storage);
}
/*
* Otherwise, if the socket has already bound the source, just use it.
*/
if (inp != NULL && !IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr))
return (&inp->in6p_laddr);
/*
* If the address is not specified, choose the best one based on
* the outgoing interface and the destination address.
*/
/* get the outgoing interface */
if ((*errorp = in6_selectif(dstsock, opts, mopts, ro, ifscope, nocell,
&ifp)) != 0)
return (NULL);
#ifdef DIAGNOSTIC
if (ifp == NULL) /* this should not happen */
panic("in6_selectsrc: NULL ifp");
#endif
*errorp = in6_setscope(&dst, ifp, &odstzone);
if (*errorp != 0) {
if (ifp != NULL)
ifnet_release(ifp);
return (NULL);
}
lck_rw_lock_shared(&in6_ifaddr_rwlock);
for (ia = in6_ifaddrs; ia; ia = ia->ia_next) {
int new_scope = -1, new_matchlen = -1;
struct in6_addrpolicy *new_policy = NULL;
u_int32_t srczone, osrczone, dstzone;
struct in6_addr src;
struct ifnet *ifp1 = ia->ia_ifp;
IFA_LOCK(&ia->ia_ifa);
/*
* We'll never take an address that breaks the scope zone
* of the destination. We also skip an address if its zone
* does not contain the outgoing interface.
* XXX: we should probably use sin6_scope_id here.
*/
if (in6_setscope(&dst, ifp1, &dstzone) ||
odstzone != dstzone)
goto next;
src = ia->ia_addr.sin6_addr;
if (in6_setscope(&src, ifp, &osrczone) ||
in6_setscope(&src, ifp1, &srczone) ||
osrczone != srczone)
goto next;
/* avoid unusable addresses */
if ((ia->ia6_flags &
(IN6_IFF_NOTREADY | IN6_IFF_ANYCAST | IN6_IFF_DETACHED)))
goto next;
if (!ip6_use_deprecated && IFA6_IS_DEPRECATED(ia))
goto next;
/* Rule 1: Prefer same address */
if (IN6_ARE_ADDR_EQUAL(&dst, &ia->ia_addr.sin6_addr))
BREAK(1); /* there should be no better candidate */
if (ia_best == NULL)
REPLACE(0);
/* Rule 2: Prefer appropriate scope */
if (dst_scope < 0)
dst_scope = in6_addrscope(&dst);
new_scope = in6_addrscope(&ia->ia_addr.sin6_addr);
if (IN6_ARE_SCOPE_CMP(best_scope, new_scope) < 0) {
if (IN6_ARE_SCOPE_CMP(best_scope, dst_scope) < 0)
REPLACE(2);
NEXTSRC(2);
} else if (IN6_ARE_SCOPE_CMP(new_scope, best_scope) < 0) {
if (IN6_ARE_SCOPE_CMP(new_scope, dst_scope) < 0)
NEXTSRC(2);
REPLACE(2);
}
/*
* Rule 3: Avoid deprecated addresses. Note that the case of
* !ip6_use_deprecated is already rejected above.
*/
if (!IFA6_IS_DEPRECATED(ia_best) && IFA6_IS_DEPRECATED(ia))
NEXTSRC(3);
if (IFA6_IS_DEPRECATED(ia_best) && !IFA6_IS_DEPRECATED(ia))
REPLACE(3);
/* Rule 4: Prefer home addresses */
/*
* XXX: This is a TODO. We should probably merge the MIP6
* case above.
*/
/* Rule 5: Prefer outgoing interface */
if (ia_best->ia_ifp == ifp && ia->ia_ifp != ifp)
NEXTSRC(5);
if (ia_best->ia_ifp != ifp && ia->ia_ifp == ifp)
REPLACE(5);
/*
* Rule 6: Prefer matching label
* Note that best_policy should be non-NULL here.
*/
if (dst_policy == NULL)
dst_policy = in6_addrsel_lookup_policy(dstsock);
if (dst_policy->label != ADDR_LABEL_NOTAPP) {
new_policy = in6_addrsel_lookup_policy(&ia->ia_addr);
if (dst_policy->label == best_policy->label &&
dst_policy->label != new_policy->label)
NEXTSRC(6);
if (dst_policy->label != best_policy->label &&
dst_policy->label == new_policy->label)
REPLACE(6);
}
/*
* Rule 7: Prefer public addresses.
* We allow users to reverse the logic by configuring
* a sysctl variable, so that privacy conscious users can
* always prefer temporary addresses.
* Don't use temporary addresses for local destinations or
* for multicast addresses unless we were passed in an option.
*/
if (IN6_IS_ADDR_MULTICAST(&dst) ||
in6_matchlen(&ia_best->ia_addr.sin6_addr, &dst) >=
in6_mask2len(&ia_best->ia_prefixmask.sin6_addr, NULL))
islocal = TRUE;
if (opts == NULL ||
opts->ip6po_prefer_tempaddr == IP6PO_TEMPADDR_SYSTEM) {
prefer_tempaddr = islocal ? 0 : ip6_prefer_tempaddr;
} else if (opts->ip6po_prefer_tempaddr ==
IP6PO_TEMPADDR_NOTPREFER) {
prefer_tempaddr = 0;
} else
prefer_tempaddr = 1;
if (!(ia_best->ia6_flags & IN6_IFF_TEMPORARY) &&
(ia->ia6_flags & IN6_IFF_TEMPORARY)) {
if (prefer_tempaddr)
REPLACE(7);
else
NEXTSRC(7);
}
if ((ia_best->ia6_flags & IN6_IFF_TEMPORARY) &&
!(ia->ia6_flags & IN6_IFF_TEMPORARY)) {
if (prefer_tempaddr)
NEXTSRC(7);
else
REPLACE(7);
}
/*
* Rule 8: prefer addresses on alive interfaces.
* This is a KAME specific rule.
*/
if ((ia_best->ia_ifp->if_flags & IFF_UP) &&
!(ia->ia_ifp->if_flags & IFF_UP))
NEXTSRC(8);
if (!(ia_best->ia_ifp->if_flags & IFF_UP) &&
(ia->ia_ifp->if_flags & IFF_UP))
REPLACE(8);
/*
* Rule 14: Use longest matching prefix.
* Note: in the address selection draft, this rule is
* documented as "Rule 8". However, since it is also
* documented that this rule can be overridden, we assign
* a large number so that it is easy to assign smaller numbers
* to more preferred rules.
*/
new_matchlen = in6_matchlen(&ia->ia_addr.sin6_addr, &dst);
if (best_matchlen < new_matchlen)
REPLACE(14);
if (new_matchlen < best_matchlen)
NEXTSRC(14);
/* Rule 15 is reserved. */
/*
* Last resort: just keep the current candidate.
* Or, do we need more rules?
*/
IFA_UNLOCK(&ia->ia_ifa);
continue;
replace:
best_scope = (new_scope >= 0 ? new_scope :
in6_addrscope(&ia->ia_addr.sin6_addr));
best_policy = (new_policy ? new_policy :
in6_addrsel_lookup_policy(&ia->ia_addr));
best_matchlen = (new_matchlen >= 0 ? new_matchlen :
in6_matchlen(&ia->ia_addr.sin6_addr, &dst));
IFA_ADDREF_LOCKED(&ia->ia_ifa); /* for ia_best */
IFA_UNLOCK(&ia->ia_ifa);
if (ia_best != NULL)
IFA_REMREF(&ia_best->ia_ifa);
ia_best = ia;
continue;
next:
IFA_UNLOCK(&ia->ia_ifa);
continue;
out:
IFA_ADDREF_LOCKED(&ia->ia_ifa); /* for ia_best */
IFA_UNLOCK(&ia->ia_ifa);
if (ia_best != NULL)
IFA_REMREF(&ia_best->ia_ifa);
ia_best = ia;
break;
}
lck_rw_done(&in6_ifaddr_rwlock);
if (nocell && ia_best != NULL &&
(ia_best->ia_ifa.ifa_ifp->if_type == IFT_CELLULAR)) {
IFA_REMREF(&ia_best->ia_ifa);
ia_best = NULL;
}
if ( (ia = ia_best) == NULL) {
*errorp = EADDRNOTAVAIL;
if (ifp != NULL)
ifnet_release(ifp);
return (NULL);
}
IFA_LOCK_SPIN(&ia->ia_ifa);
*src_storage = satosin6(&ia->ia_addr)->sin6_addr;
IFA_UNLOCK(&ia->ia_ifa);
IFA_REMREF(&ia->ia_ifa);
if (ifpp != NULL) {
/* if ifp is non-NULL, refcnt held in in6_selectif() */
*ifpp = ifp;
} else if (ifp != NULL) {
ifnet_release(ifp);
}
return (src_storage);
}
/*
* Given a source IPv6 address (and route, if available), determine the best
* interface to send the packet from. Checking for (and updating) the
* ROF_SRCIF_SELECTED flag in the pcb-supplied route placeholder is done
* without any locks, based on the assumption that in the event this is
* called from ip6_output(), the output operation is single-threaded per-pcb,
* i.e. for any given pcb there can only be one thread performing output at
* the IPv6 layer.
*
* This routine is analogous to in_selectsrcif() for IPv4.
*
* clone - meaningful only for bsdi and freebsd
*/
static int
selectroute(struct sockaddr_in6 *srcsock, struct sockaddr_in6 *dstsock,
struct ip6_pktopts *opts, struct ip6_moptions *mopts, struct route_in6 *ro,
struct ifnet **retifp, struct rtentry **retrt, int clone,
int norouteok, unsigned int ifscope, unsigned int nocell)
{
int error = 0;
struct ifnet *ifp = NULL;
struct route_in6 *route = NULL;
struct sockaddr_in6 *sin6_next;
struct in6_pktinfo *pi = NULL;
struct in6_addr *dst = &dstsock->sin6_addr;
struct ifaddr *ifa = NULL;
char s_src[MAX_IPv6_STR_LEN], s_dst[MAX_IPv6_STR_LEN];
boolean_t select_srcif;
#if 0
char ip6buf[INET6_ADDRSTRLEN];
if (dstsock->sin6_addr.s6_addr32[0] == 0 &&
dstsock->sin6_addr.s6_addr32[1] == 0 &&
!IN6_IS_ADDR_LOOPBACK(&dstsock->sin6_addr)) {
printf("in6_selectroute: strange destination %s\n",
ip6_sprintf(ip6buf, &dstsock->sin6_addr));
} else {
printf("in6_selectroute: destination = %s%%%d\n",
ip6_sprintf(ip6buf, &dstsock->sin6_addr),
dstsock->sin6_scope_id); /* for debug */
}
#endif
if (retifp != NULL)
*retifp = NULL;
if (retrt != NULL)
*retrt = NULL;
if (ip6_select_srcif_debug) {
struct in6_addr src;
src = (srcsock != NULL) ? srcsock->sin6_addr : in6addr_any;
(void) inet_ntop(AF_INET6, &src, s_src, sizeof (s_src));
(void) inet_ntop(AF_INET6, dst, s_dst, sizeof (s_dst));
}
/*
* If the destination address is UNSPECIFIED addr, bail out.
*/
if (IN6_IS_ADDR_UNSPECIFIED(dst)) {
error = EHOSTUNREACH;
goto done;
}
/*
* Perform source interface selection only if Scoped Routing
* is enabled and a source address that isn't unspecified.
*/
select_srcif = (ip6_doscopedroute && srcsock != NULL &&
!IN6_IS_ADDR_UNSPECIFIED(&srcsock->sin6_addr));
/*
* If Scoped Routing is disabled, ignore the given ifscope.
* Otherwise even if source selection won't be performed,
* we still obey IPV6_BOUND_IF.
*/
if (!ip6_doscopedroute && ifscope != IFSCOPE_NONE)
ifscope = IFSCOPE_NONE;
/* If the caller specified the outgoing interface explicitly, use it */
if (opts != NULL && (pi = opts->ip6po_pktinfo) != NULL &&
pi->ipi6_ifindex != 0) {
/*
* If IPV6_PKTINFO takes precedence over IPV6_BOUND_IF.
*/
ifscope = pi->ipi6_ifindex;
ifnet_head_lock_shared();
/* ifp may be NULL if detached or out of range */
ifp = (ifscope <= if_index) ? ifindex2ifnet[ifscope] : NULL;
ifnet_head_done();
if (norouteok || retrt == NULL || IN6_IS_ADDR_MULTICAST(dst)) {
/*
* We do not have to check or get the route for
* multicast. If the caller didn't ask/care for
* the route and we have no interface to use,
* it's an error.
*/
if (ifp == NULL)
error = EHOSTUNREACH;
goto done;
} else {
goto getsrcif;
}
}
/*
* If the destination address is a multicast address and the outgoing
* interface for the address is specified by the caller, use it.
*/
if (IN6_IS_ADDR_MULTICAST(dst) && mopts != NULL) {
IM6O_LOCK(mopts);
if ((ifp = mopts->im6o_multicast_ifp) != NULL) {
IM6O_UNLOCK(mopts);
goto done; /* we do not need a route for multicast. */
}
IM6O_UNLOCK(mopts);
}
getsrcif:
/*
* If the outgoing interface was not set via IPV6_BOUND_IF or
* IPV6_PKTINFO, use the scope ID in the destination address.
*/
if (ip6_doscopedroute && ifscope == IFSCOPE_NONE)
ifscope = dstsock->sin6_scope_id;
/*
* Perform source interface selection; the source IPv6 address
* must belong to one of the addresses of the interface used
* by the route. For performance reasons, do this only if
* there is no route, or if the routing table has changed,
* or if we haven't done source interface selection on this
* route (for this PCB instance) before.
*/
if (!select_srcif || (ro != NULL && ro->ro_rt != NULL &&
(ro->ro_rt->rt_flags & RTF_UP) &&
ro->ro_rt->generation_id == route_generation &&
(ro->ro_flags & ROF_SRCIF_SELECTED))) {
if (ro != NULL && ro->ro_rt != NULL) {
ifa = ro->ro_rt->rt_ifa;
IFA_ADDREF(ifa);
}
goto getroute;
}
/*
* Given the source IPv6 address, find a suitable source interface
* to use for transmission; if a scope ID has been specified,
* optimize the search by looking at the addresses only for that
* interface. This is still suboptimal, however, as we need to
* traverse the per-interface list.
*/
if (ifscope != IFSCOPE_NONE || (ro != NULL && ro->ro_rt != NULL)) {
unsigned int scope = ifscope;
struct ifnet *rt_ifp;
rt_ifp = (ro->ro_rt != NULL) ? ro->ro_rt->rt_ifp : NULL;
/*
* If no scope is specified and the route is stale (pointing
* to a defunct interface) use the current primary interface;
* this happens when switching between interfaces configured
* with the same IPv6 address. Otherwise pick up the scope
* information from the route; the ULP may have looked up a
* correct route and we just need to verify it here and mark
* it with the ROF_SRCIF_SELECTED flag below.
*/
if (scope == IFSCOPE_NONE) {
scope = rt_ifp->if_index;
if (scope != get_primary_ifscope(AF_INET6) &&
ro->ro_rt->generation_id != route_generation)
scope = get_primary_ifscope(AF_INET6);
}
ifa = (struct ifaddr *)
ifa_foraddr6_scoped(&srcsock->sin6_addr, scope);
if (ip6_select_srcif_debug && ifa != NULL) {
if (ro->ro_rt != NULL) {
printf("%s->%s ifscope %d->%d ifa_if %s "
"ro_if %s\n", s_src, s_dst, ifscope,
scope, if_name(ifa->ifa_ifp),
if_name(rt_ifp));
} else {
printf("%s->%s ifscope %d->%d ifa_if %s\n",
s_src, s_dst, ifscope, scope,
if_name(ifa->ifa_ifp));
}
}
}
/*
* Slow path; search for an interface having the corresponding source
* IPv6 address if the scope was not specified by the caller, and:
*
* 1) There currently isn't any route, or,
* 2) The interface used by the route does not own that source
* IPv6 address; in this case, the route will get blown away
* and we'll do a more specific scoped search using the newly
* found interface.
*/
if (ifa == NULL && ifscope == IFSCOPE_NONE) {
ifa = (struct ifaddr *)ifa_foraddr6(&srcsock->sin6_addr);
if (ip6_select_srcif_debug && ifa != NULL) {
printf("%s->%s ifscope %d ifa_if %s\n",
s_src, s_dst, ifscope, if_name(ifa->ifa_ifp));
}
}
getroute:
if (ifa != NULL)
ifscope = ifa->ifa_ifp->if_index;
/*
* If the next hop address for the packet is specified by the caller,
* use it as the gateway.
*/
if (opts != NULL && opts->ip6po_nexthop != NULL) {
struct route_in6 *ron;
sin6_next = satosin6(opts->ip6po_nexthop);
/* at this moment, we only support AF_INET6 next hops */
if (sin6_next->sin6_family != AF_INET6) {
error = EAFNOSUPPORT; /* or should we proceed? */
goto done;
}
/*
* If the next hop is an IPv6 address, then the node identified
* by that address must be a neighbor of the sending host.
*/
ron = &opts->ip6po_nextroute;
if (ron->ro_rt != NULL)
RT_LOCK(ron->ro_rt);
if ((ron->ro_rt != NULL &&
((ron->ro_rt->rt_flags & (RTF_UP | RTF_LLINFO)) !=
(RTF_UP | RTF_LLINFO) ||
ron->ro_rt->generation_id != route_generation ||
(select_srcif && (ifa == NULL ||
ifa->ifa_ifp != ron->ro_rt->rt_ifp)))) ||
!IN6_ARE_ADDR_EQUAL(&satosin6(&ron->ro_dst)->sin6_addr,
&sin6_next->sin6_addr)) {
if (ron->ro_rt != NULL) {
RT_UNLOCK(ron->ro_rt);
rtfree(ron->ro_rt);
ron->ro_rt = NULL;
}
*satosin6(&ron->ro_dst) = *sin6_next;
}
if (ron->ro_rt == NULL) {
rtalloc_scoped((struct route *)ron, ifscope);
if (ron->ro_rt != NULL)
RT_LOCK(ron->ro_rt);
if (ron->ro_rt == NULL ||
!(ron->ro_rt->rt_flags & RTF_LLINFO) ||
!IN6_ARE_ADDR_EQUAL(&satosin6(rt_key(ron->ro_rt))->
sin6_addr, &sin6_next->sin6_addr)) {
if (ron->ro_rt != NULL) {
RT_UNLOCK(ron->ro_rt);
rtfree(ron->ro_rt);
ron->ro_rt = NULL;
}
error = EHOSTUNREACH;
goto done;
}
}
route = ron;
ifp = ron->ro_rt->rt_ifp;
/*
* When cloning is required, try to allocate a route to the
* destination so that the caller can store path MTU
* information.
*/
if (!clone) {
if (select_srcif) {
/* Keep the route locked */
goto validateroute;
}
RT_UNLOCK(ron->ro_rt);
goto done;
}
RT_UNLOCK(ron->ro_rt);
}
/*
* Use a cached route if it exists and is valid, else try to allocate
* a new one. Note that we should check the address family of the
* cached destination, in case of sharing the cache with IPv4.
*/
if (ro == NULL)
goto done;
if (ro->ro_rt != NULL)
RT_LOCK(ro->ro_rt);
if (ro->ro_rt != NULL && (!(ro->ro_rt->rt_flags & RTF_UP) ||
satosin6(&ro->ro_dst)->sin6_family != AF_INET6 ||
ro->ro_rt->generation_id != route_generation ||
!IN6_ARE_ADDR_EQUAL(&satosin6(&ro->ro_dst)->sin6_addr, dst) ||
(select_srcif && (ifa == NULL ||
ifa->ifa_ifp != ro->ro_rt->rt_ifp)))) {
RT_UNLOCK(ro->ro_rt);
rtfree(ro->ro_rt);
ro->ro_rt = NULL;
}
if (ro->ro_rt == NULL) {
struct sockaddr_in6 *sa6;
if (ro->ro_rt != NULL)
RT_UNLOCK(ro->ro_rt);
/* No route yet, so try to acquire one */
bzero(&ro->ro_dst, sizeof(struct sockaddr_in6));
sa6 = (struct sockaddr_in6 *)&ro->ro_dst;
sa6->sin6_family = AF_INET6;
sa6->sin6_len = sizeof(struct sockaddr_in6);
sa6->sin6_addr = *dst;
if (IN6_IS_ADDR_MULTICAST(dst)) {
ro->ro_rt = rtalloc1_scoped(
&((struct route *)ro)->ro_dst, 0, 0, ifscope);
} else {
rtalloc_scoped((struct route *)ro, ifscope);
}
if (ro->ro_rt != NULL)
RT_LOCK(ro->ro_rt);
}
/*
* Do not care about the result if we have the nexthop
* explicitly specified (in case we're asked to clone.)
*/
if (opts != NULL && opts->ip6po_nexthop != NULL) {
if (ro->ro_rt != NULL)
RT_UNLOCK(ro->ro_rt);
goto done;
}
if (ro->ro_rt != NULL) {
RT_LOCK_ASSERT_HELD(ro->ro_rt);
ifp = ro->ro_rt->rt_ifp;
} else {
error = EHOSTUNREACH;
}
route = ro;
validateroute:
if (select_srcif) {
boolean_t has_route = (route != NULL && route->ro_rt != NULL);
if (has_route)
RT_LOCK_ASSERT_HELD(route->ro_rt);
/*
* If there is a non-loopback route with the wrong interface,
* or if there is no interface configured with such an address,
* blow it away. Except for local/loopback, we look for one
* with a matching interface scope/index.
*/
if (has_route && (ifa == NULL ||
(ifa->ifa_ifp != ifp && ifp != lo_ifp) ||
!(route->ro_rt->rt_flags & RTF_UP))) {
if (ip6_select_srcif_debug) {
if (ifa != NULL) {
printf("%s->%s ifscope %d ro_if %s "
"!= ifa_if %s (cached route "
"cleared)\n", s_src, s_dst,
ifscope, if_name(ifp),
if_name(ifa->ifa_ifp));
} else {
printf("%s->%s ifscope %d ro_if %s "
"(no ifa_if found)\n", s_src,
s_dst, ifscope, if_name(ifp));
}
}
RT_UNLOCK(route->ro_rt);
rtfree(route->ro_rt);
route->ro_rt = NULL;
route->ro_flags &= ~ROF_SRCIF_SELECTED;
error = EHOSTUNREACH;
/* Undo the settings done above */
route = NULL;
ifp = NULL;
} else if (has_route) {
route->ro_flags |= ROF_SRCIF_SELECTED;
route->ro_rt->generation_id = route_generation;
RT_UNLOCK(route->ro_rt);
}
} else {
if (ro->ro_rt != NULL)
RT_UNLOCK(ro->ro_rt);
if (ifp != NULL && opts != NULL &&
opts->ip6po_pktinfo != NULL &&
opts->ip6po_pktinfo->ipi6_ifindex != 0) {
/*
* Check if the outgoing interface conflicts with the
* interface specified by ipi6_ifindex (if specified).
* Note that loopback interface is always okay.
* (this may happen when we are sending a packet to
* one of our own addresses.)
*/
if (!(ifp->if_flags & IFF_LOOPBACK) && ifp->if_index !=
opts->ip6po_pktinfo->ipi6_ifindex) {
error = EHOSTUNREACH;
goto done;
}
}
}
done:
if (nocell && error == 0) {
if ((ifp != NULL && ifp->if_type == IFT_CELLULAR) ||
(route != NULL && route->ro_rt != NULL &&
route->ro_rt->rt_ifp->if_type == IFT_CELLULAR)) {
if (route != NULL && route->ro_rt != NULL) {
rtfree(route->ro_rt);
route->ro_rt = NULL;
route->ro_flags &= ~ROF_SRCIF_SELECTED;
route = NULL;
}
ifp = NULL;
error = EHOSTUNREACH;
}
}
if (ifp == NULL && (route == NULL || route->ro_rt == NULL)) {
/*
* This can happen if the caller did not pass a cached route
* nor any other hints. We treat this case an error.
*/
error = EHOSTUNREACH;
}
if (error == EHOSTUNREACH)
ip6stat.ip6s_noroute++;
if (error == 0) {
if (retifp != NULL) {
if (ifp != NULL)
ifnet_reference(ifp); /* for caller */
*retifp = ifp;
}
if (retrt != NULL && route != NULL)
*retrt = route->ro_rt; /* ro_rt may be NULL */
} else if (select_srcif && ip6_select_srcif_debug) {
printf("%s->%s ifscope %d ifa_if %s ro_if %s (error=%d)\n",
s_src, s_dst, ifscope,
(ifa != NULL) ? if_name(ifa->ifa_ifp) : "NONE",
(ifp != NULL) ? if_name(ifp) : "NONE", error);
}
if (ifa != NULL)
IFA_REMREF(ifa);
return (error);
}
int
pf_natlookup(struct sockaddr_storage *ss, struct sockaddr *nat_addr,
int *nat_lport)
{
struct pfioc_natlook nl;
int dev;
(void)memset(&nl, 0, sizeof(nl));
/* Build the pf natlook structure. */
switch (ss[0].ss_family) {
case AF_INET:
(void)memcpy(&nl.daddr.v4, &satosin(&ss[0])->sin_addr,
sizeof(struct in_addr));
(void)memcpy(&nl.saddr.v4, &satosin(&ss[1])->sin_addr,
sizeof(struct in_addr));
nl.dport = satosin(&ss[0])->sin_port;
nl.sport = satosin(&ss[1])->sin_port;
nl.af = AF_INET;
nl.proto = IPPROTO_TCP;
nl.direction = PF_IN;
break;
case AF_INET6:
(void)memcpy(&nl.daddr.v6, &satosin6(&ss[0])->sin6_addr,
sizeof(struct in6_addr));
(void)memcpy(&nl.saddr.v6, &satosin6(&ss[1])->sin6_addr,
sizeof(struct in6_addr));
nl.dport = satosin6(&ss[0])->sin6_port;
nl.sport = satosin6(&ss[1])->sin6_port;
nl.af = AF_INET6;
nl.proto = IPPROTO_TCP;
nl.direction = PF_IN;
break;
default:
maybe_syslog(LOG_ERR, "Unsupported protocol for NAT lookup "
"(no. %d)", ss[0].ss_family);
return 0;
}
/* Open the /dev/pf device and do the lookup. */
if ((dev = open("/dev/pf", O_RDWR)) == -1) {
maybe_syslog(LOG_ERR, "Cannot open /dev/pf: %m");
return 0;
}
if (ioctl(dev, DIOCNATLOOK, &nl) == -1) {
maybe_syslog(LOG_ERR, "NAT lookup failure: %m");
(void)close(dev);
return 0;
}
(void)close(dev);
/*
* Put the originating address into nat_addr and fill
* the port with the ident port, 113.
*/
switch (ss[0].ss_family) {
case AF_INET:
(void)memcpy(&satosin(nat_addr)->sin_addr, &nl.rsaddr.v4,
sizeof(struct in_addr));
satosin(nat_addr)->sin_port = htons(113);
satosin(nat_addr)->sin_len = sizeof(struct sockaddr_in);
satosin(nat_addr)->sin_family = AF_INET;
break;
case AF_INET6:
(void)memcpy(&satosin6(nat_addr)->sin6_addr, &nl.rsaddr.v6,
sizeof(struct in6_addr));
satosin6(nat_addr)->sin6_port = htons(113);
satosin6(nat_addr)->sin6_len = sizeof(struct sockaddr_in6);
satosin6(nat_addr)->sin6_family = AF_INET6;
break;
}
/* Put the originating port into nat_lport. */
*nat_lport = nl.rsport;
return 1;
}
