1/*
2 * Copyright (c) 2008-2023 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29/*
30 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
31 * All rights reserved.
32 *
33 * Redistribution and use in source and binary forms, with or without
34 * modification, are permitted provided that the following conditions
35 * are met:
36 * 1. Redistributions of source code must retain the above copyright
37 * notice, this list of conditions and the following disclaimer.
38 * 2. Redistributions in binary form must reproduce the above copyright
39 * notice, this list of conditions and the following disclaimer in the
40 * documentation and/or other materials provided with the distribution.
41 * 3. Neither the name of the project nor the names of its contributors
42 * may be used to endorse or promote products derived from this software
43 * without specific prior written permission.
44 *
45 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
46 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
47 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
48 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
49 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
50 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
51 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
53 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
54 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
55 * SUCH DAMAGE.
56 */
57
58/*
59 * Copyright (c) 1982, 1986, 1993
60 * The Regents of the University of California. All rights reserved.
61 *
62 * Redistribution and use in source and binary forms, with or without
63 * modification, are permitted provided that the following conditions
64 * are met:
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in the
69 * documentation and/or other materials provided with the distribution.
70 * 3. All advertising materials mentioning features or use of this software
71 * must display the following acknowledgement:
72 * This product includes software developed by the University of
73 * California, Berkeley and its contributors.
74 * 4. Neither the name of the University nor the names of its contributors
75 * may be used to endorse or promote products derived from this software
76 * without specific prior written permission.
77 *
78 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
79 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
80 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
81 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
82 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
83 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
84 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
85 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
86 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
87 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
88 * SUCH DAMAGE.
89 *
90 * @(#)in_proto.c 8.1 (Berkeley) 6/10/93
91 */
92
93
94#include <sys/param.h>
95#include <sys/socket.h>
96#include <sys/socketvar.h>
97#include <sys/protosw.h>
98#include <sys/kernel.h>
99#include <sys/domain.h>
100#include <sys/mbuf.h>
101#include <sys/systm.h>
102#include <sys/sysctl.h>
103
104#include <net/if.h>
105#include <net/radix.h>
106#include <net/route.h>
107#include <net/nat464_utils.h>
108
109#include <netinet/in.h>
110#include <netinet/in_systm.h>
111#include <netinet/in_var.h>
112#include <netinet/ip_encap.h>
113#include <netinet/ip.h>
114#include <netinet/ip_var.h>
115#include <netinet/ip6.h>
116#include <netinet6/ip6_var.h>
117#include <netinet6/in6_var.h>
118#include <netinet/icmp6.h>
119
120#include <netinet/tcp.h>
121#include <netinet/tcp_timer.h>
122#include <netinet/tcp_var.h>
123#include <netinet/udp.h>
124#include <netinet/udp_var.h>
125#include <netinet6/tcp6_var.h>
126#include <netinet6/raw_ip6.h>
127#include <netinet6/udp6_var.h>
128#include <netinet6/nd6.h>
129#include <netinet6/mld6_var.h>
130
131#if IPSEC
132#include <netinet6/ipsec.h>
133#include <netinet6/ipsec6.h>
134#include <netinet6/ah.h>
135#include <netinet6/ah6.h>
136#if IPSEC_ESP
137#include <netinet6/esp.h>
138#include <netinet6/esp6.h>
139#endif
140#endif /*IPSEC*/
141
142#include <netinet6/ip6protosw.h>
143
144#include <net/net_osdep.h>
145#include <os/log.h>
146
147/*
148 * TCP/IP protocol family: IP6, ICMP6, UDP, TCP.
149 */
150
151extern struct domain inet6domain_s;
152struct domain *inet6domain = NULL;
153
154static struct pr_usrreqs nousrreqs;
155lck_mtx_t *inet6_domain_mutex;
156
157static void in6_dinit(struct domain *);
158static int rip6_pr_output(struct mbuf *, struct socket *,
159 struct sockaddr_in6 *, struct mbuf *);
160
161struct ip6protosw inet6sw[] = {
162 {
163 .pr_type = 0,
164 .pr_protocol = IPPROTO_IPV6,
165 .pr_init = ip6_init,
166 .pr_drain = ip6_drain,
167 .pr_usrreqs = &nousrreqs,
168 },
169 {
170 .pr_type = SOCK_DGRAM,
171 .pr_protocol = IPPROTO_UDP,
172 .pr_flags = PR_ATOMIC | PR_ADDR | PR_PROTOLOCK | PR_PCBLOCK |
173 PR_EVCONNINFO | PR_PRECONN_WRITE,
174 .pr_input = udp6_input,
175 .pr_ctlinput = udp6_ctlinput,
176 .pr_ctloutput = udp_ctloutput,
177#if !INET /* don't call initialization twice */
178 .pr_init = udp_init,
179#endif /* !INET */
180 .pr_usrreqs = &udp6_usrreqs,
181 .pr_lock = udp_lock,
182 .pr_unlock = udp_unlock,
183 .pr_getlock = udp_getlock,
184 .pr_update_last_owner = inp_update_last_owner,
185 .pr_copy_last_owner = inp_copy_last_owner,
186 },
187 {
188 .pr_type = SOCK_STREAM,
189 .pr_protocol = IPPROTO_TCP,
190 .pr_flags = PR_CONNREQUIRED | PR_WANTRCVD | PR_PCBLOCK |
191 PR_PROTOLOCK | PR_DISPOSE | PR_EVCONNINFO |
192 PR_PRECONN_WRITE | PR_DATA_IDEMPOTENT,
193 .pr_input = tcp6_input,
194 .pr_ctlinput = tcp6_ctlinput,
195 .pr_ctloutput = tcp_ctloutput,
196#if !INET /* don't call initialization and timeout routines twice */
197 .pr_init = tcp_init,
198#endif /* !INET */
199 .pr_drain = tcp_drain,
200 .pr_usrreqs = &tcp6_usrreqs,
201 .pr_lock = tcp_lock,
202 .pr_unlock = tcp_unlock,
203 .pr_getlock = tcp_getlock,
204 .pr_update_last_owner = inp_update_last_owner,
205 .pr_copy_last_owner = inp_copy_last_owner,
206 },
207 {
208 .pr_type = SOCK_RAW,
209 .pr_protocol = IPPROTO_RAW,
210 .pr_flags = PR_ATOMIC | PR_ADDR,
211 .pr_input = rip6_input,
212 .pr_output = rip6_pr_output,
213 .pr_ctlinput = rip6_ctlinput,
214 .pr_ctloutput = rip6_ctloutput,
215#if !INET /* don't call initialization and timeout routines twice */
216 .pr_init = rip_init,
217#endif /* !INET */
218 .pr_usrreqs = &rip6_usrreqs,
219 .pr_unlock = rip_unlock,
220 .pr_update_last_owner = inp_update_last_owner,
221 .pr_copy_last_owner = inp_copy_last_owner,
222 },
223 {
224 .pr_type = SOCK_RAW,
225 .pr_protocol = IPPROTO_ICMPV6,
226 .pr_flags = PR_ATOMIC | PR_ADDR | PR_LASTHDR,
227 .pr_input = icmp6_input,
228 .pr_output = rip6_pr_output,
229 .pr_ctlinput = rip6_ctlinput,
230 .pr_ctloutput = rip6_ctloutput,
231 .pr_init = icmp6_init,
232 .pr_usrreqs = &rip6_usrreqs,
233 .pr_unlock = rip_unlock,
234 .pr_update_last_owner = inp_update_last_owner,
235 .pr_copy_last_owner = inp_copy_last_owner,
236 },
237 {
238 .pr_type = SOCK_DGRAM,
239 .pr_protocol = IPPROTO_ICMPV6,
240 .pr_flags = PR_ATOMIC | PR_ADDR | PR_LASTHDR,
241 .pr_input = icmp6_input,
242 .pr_output = rip6_pr_output,
243 .pr_ctlinput = rip6_ctlinput,
244 .pr_ctloutput = icmp6_dgram_ctloutput,
245 .pr_init = icmp6_init,
246 .pr_usrreqs = &icmp6_dgram_usrreqs,
247 .pr_unlock = rip_unlock,
248 .pr_update_last_owner = inp_update_last_owner,
249 .pr_copy_last_owner = inp_copy_last_owner,
250 },
251 {
252 .pr_type = SOCK_RAW,
253 .pr_protocol = IPPROTO_DSTOPTS,
254 .pr_flags = PR_ATOMIC | PR_ADDR,
255 .pr_input = dest6_input,
256 .pr_usrreqs = &nousrreqs,
257 },
258 {
259 .pr_type = SOCK_RAW,
260 .pr_protocol = IPPROTO_ROUTING,
261 .pr_flags = PR_ATOMIC | PR_ADDR,
262 .pr_input = route6_input,
263 .pr_usrreqs = &nousrreqs,
264 },
265 {
266 .pr_type = SOCK_RAW,
267 .pr_protocol = IPPROTO_FRAGMENT,
268 .pr_flags = PR_ATOMIC | PR_ADDR | PR_PROTOLOCK,
269 .pr_input = frag6_input,
270 .pr_usrreqs = &nousrreqs,
271 },
272#if IPSEC
273 {
274 .pr_type = SOCK_RAW,
275 .pr_protocol = IPPROTO_AH,
276 .pr_flags = PR_ATOMIC | PR_ADDR | PR_PROTOLOCK,
277 .pr_input = ah6_input,
278 .pr_usrreqs = &nousrreqs,
279 },
280#if IPSEC_ESP
281 {
282 .pr_type = SOCK_RAW,
283 .pr_protocol = IPPROTO_ESP,
284 .pr_flags = PR_ATOMIC | PR_ADDR | PR_PROTOLOCK,
285 .pr_input = esp6_input,
286 .pr_ctlinput = esp6_ctlinput,
287 .pr_usrreqs = &nousrreqs,
288 },
289#endif /* IPSEC_ESP */
290#endif /* IPSEC */
291#if INET
292 {
293 .pr_type = SOCK_RAW,
294 .pr_protocol = IPPROTO_IPV4,
295 .pr_flags = PR_ATOMIC | PR_ADDR | PR_LASTHDR,
296 .pr_input = encap6_input,
297 .pr_output = rip6_pr_output,
298 .pr_ctloutput = rip6_ctloutput,
299 .pr_usrreqs = &rip6_usrreqs,
300 .pr_unlock = rip_unlock,
301 .pr_update_last_owner = inp_update_last_owner,
302 .pr_copy_last_owner = inp_copy_last_owner,
303 },
304#endif /*INET*/
305 {
306 .pr_type = SOCK_RAW,
307 .pr_protocol = IPPROTO_IPV6,
308 .pr_flags = PR_ATOMIC | PR_ADDR | PR_LASTHDR,
309 .pr_input = encap6_input,
310 .pr_output = rip6_pr_output,
311 .pr_ctloutput = rip6_ctloutput,
312 .pr_usrreqs = &rip6_usrreqs,
313 .pr_unlock = rip_unlock,
314 .pr_update_last_owner = inp_update_last_owner,
315 .pr_copy_last_owner = inp_copy_last_owner,
316 },
317/* raw wildcard */
318 {
319 .pr_type = SOCK_RAW,
320 .pr_protocol = 0,
321 .pr_flags = PR_ATOMIC | PR_ADDR | PR_LASTHDR,
322 .pr_input = rip6_input,
323 .pr_output = rip6_pr_output,
324 .pr_ctloutput = rip6_ctloutput,
325 .pr_usrreqs = &rip6_usrreqs,
326 .pr_unlock = rip_unlock,
327 .pr_update_last_owner = inp_update_last_owner,
328 .pr_copy_last_owner = inp_copy_last_owner,
329 },
330};
331
332int in6_proto_count = (sizeof(inet6sw) / sizeof(struct ip6protosw));
333
334struct domain inet6domain_s = {
335 .dom_family = PF_INET6,
336 .dom_flags = DOM_REENTRANT,
337 .dom_name = "internet6",
338 .dom_init = in6_dinit,
339 .dom_rtattach = in6_inithead,
340 .dom_rtoffset = offsetof(struct sockaddr_in6, sin6_addr) << 3,
341 .dom_maxrtkey = sizeof(struct sockaddr_in6),
342 .dom_protohdrlen = sizeof(struct sockaddr_in6),
343};
344
345/* Initialize the PF_INET6 domain, and add in the pre-defined protos */
346void
347in6_dinit(struct domain *dp)
348{
349 struct ip6protosw *pr;
350 int i;
351
352 VERIFY(!(dp->dom_flags & DOM_INITIALIZED));
353 VERIFY(inet6domain == NULL);
354
355 inet6domain = dp;
356
357 _CASSERT(sizeof(struct protosw) == sizeof(struct ip6protosw));
358 _CASSERT(offsetof(struct ip6protosw, pr_entry) ==
359 offsetof(struct protosw, pr_entry));
360 _CASSERT(offsetof(struct ip6protosw, pr_domain) ==
361 offsetof(struct protosw, pr_domain));
362 _CASSERT(offsetof(struct ip6protosw, pr_protosw) ==
363 offsetof(struct protosw, pr_protosw));
364 _CASSERT(offsetof(struct ip6protosw, pr_type) ==
365 offsetof(struct protosw, pr_type));
366 _CASSERT(offsetof(struct ip6protosw, pr_protocol) ==
367 offsetof(struct protosw, pr_protocol));
368 _CASSERT(offsetof(struct ip6protosw, pr_flags) ==
369 offsetof(struct protosw, pr_flags));
370 _CASSERT(offsetof(struct ip6protosw, pr_input) ==
371 offsetof(struct protosw, pr_input));
372 _CASSERT(offsetof(struct ip6protosw, pr_output) ==
373 offsetof(struct protosw, pr_output));
374 _CASSERT(offsetof(struct ip6protosw, pr_ctlinput) ==
375 offsetof(struct protosw, pr_ctlinput));
376 _CASSERT(offsetof(struct ip6protosw, pr_ctloutput) ==
377 offsetof(struct protosw, pr_ctloutput));
378 _CASSERT(offsetof(struct ip6protosw, pr_usrreqs) ==
379 offsetof(struct protosw, pr_usrreqs));
380 _CASSERT(offsetof(struct ip6protosw, pr_init) ==
381 offsetof(struct protosw, pr_init));
382 _CASSERT(offsetof(struct ip6protosw, pr_drain) ==
383 offsetof(struct protosw, pr_drain));
384 _CASSERT(offsetof(struct ip6protosw, pr_sysctl) ==
385 offsetof(struct protosw, pr_sysctl));
386 _CASSERT(offsetof(struct ip6protosw, pr_lock) ==
387 offsetof(struct protosw, pr_lock));
388 _CASSERT(offsetof(struct ip6protosw, pr_unlock) ==
389 offsetof(struct protosw, pr_unlock));
390 _CASSERT(offsetof(struct ip6protosw, pr_getlock) ==
391 offsetof(struct protosw, pr_getlock));
392 _CASSERT(offsetof(struct ip6protosw, pr_filter_head) ==
393 offsetof(struct protosw, pr_filter_head));
394 _CASSERT(offsetof(struct ip6protosw, pr_old) ==
395 offsetof(struct protosw, pr_old));
396 _CASSERT(offsetof(struct ip6protosw, pr_update_last_owner) ==
397 offsetof(struct protosw, pr_update_last_owner));
398 _CASSERT(offsetof(struct ip6protosw, pr_copy_last_owner) ==
399 offsetof(struct protosw, pr_copy_last_owner));
400
401 /*
402 * Attach first, then initialize. ip6_init() needs raw IP6 handler.
403 */
404 for (i = 0, pr = &inet6sw[0]; i < in6_proto_count; i++, pr++) {
405 net_add_proto((struct protosw *)pr, dp, 0);
406 }
407 for (i = 0, pr = &inet6sw[0]; i < in6_proto_count; i++, pr++) {
408 net_init_proto((struct protosw *)pr, dp);
409 }
410
411 inet6_domain_mutex = dp->dom_mtx;
412}
413
414static int
415rip6_pr_output(struct mbuf *m, struct socket *so, struct sockaddr_in6 *sin6,
416 struct mbuf *m1)
417{
418#pragma unused(m, so, sin6, m1)
419 panic("%s", __func__);
420 /* NOTREACHED */
421 return 0;
422}
423
424/*
425 * Internet configuration info
426 */
427#ifndef IPV6FORWARDING
428#if GATEWAY6
429#define IPV6FORWARDING 1 /* forward IP6 packets not for us */
430#else
431#define IPV6FORWARDING 0 /* don't forward IP6 packets not for us */
432#endif /* GATEWAY6 */
433#endif /* !IPV6FORWARDING */
434
435#ifndef IPV6_SENDREDIRECTS
436#define IPV6_SENDREDIRECTS 1
437#endif
438
439int ip6_forwarding = IPV6FORWARDING; /* act as router? */
440int ip6_sendredirects = IPV6_SENDREDIRECTS;
441int ip6_defhlim = IPV6_DEFHLIM;
442int ip6_defmcasthlim = IPV6_DEFAULT_MULTICAST_HOPS;
443int ip6_accept_rtadv = 1; /* deprecated */
444int ip6_log_interval = 5;
445int ip6_hdrnestlimit = 15; /* How many header options will we process? */
446int ip6_dad_count = 1; /* DupAddrDetectionTransmits */
447int ip6_auto_flowlabel = 1;
448int ip6_gif_hlim = 0;
449int ip6_use_deprecated = 1; /* allow deprecated addr [RFC 4862, 5.5.4] */
450int ip6_rr_prune = 5; /* router renumbering prefix
451 * walk list every 5 sec. */
452int ip6_mcast_pmtu = 0; /* enable pMTU discovery for multicast? */
453int ip6_v6only = 0; /* Mapped addresses off by default - Radar 3347718 -- REVISITING FOR 10.7 -- TESTING WITH MAPPED@ OFF */
454
455int ip6_neighborgcthresh = 1024; /* Threshold # of NDP entries for GC */
456int ip6_maxifprefixes = 16; /* Max acceptable prefixes via RA per IF */
457int ip6_maxifdefrouters = 64; /* Max acceptable default or RTI routers via RA */
458int ip6_maxdynroutes = 1024; /* Max # of routes created via redirect */
459int ip6_only_allow_rfc4193_prefix = 0; /* Only allow RFC4193 style Unique Local IPv6 Unicast prefixes */
460
461static int ip6_keepfaith = 0;
462uint64_t ip6_log_time = 0;
463int nd6_onlink_ns_rfc4861 = 0; /* allow 'on-link' nd6 NS (as in RFC 4861) */
464
465/* icmp6 */
466/*
467 * BSDI4 defines these variables in in_proto.c...
468 * XXX: what if we don't define INET? Should we define pmtu6_expire
469 * or so? (jinmei@kame.net 19990310)
470 */
471int pmtu_expire = 60 * 10;
472int pmtu_probe = 60 * 2;
473
474/* raw IP6 parameters */
475/*
476 * Nominal space allocated to a raw ip socket.
477 */
478#define RIPV6SNDQ 8192
479#define RIPV6RCVQ 8192
480
481u_int32_t rip6_sendspace = RIPV6SNDQ;
482u_int32_t rip6_recvspace = RIPV6RCVQ;
483
484/* ICMPV6 parameters */
485int icmp6_rediraccept = 1; /* accept and process redirects */
486int icmp6_redirtimeout = 10 * 60; /* 10 minutes */
487uint32_t icmp6errppslim = 500; /* 500 packets per second */
488uint32_t icmp6errppslim_random_incr = 500; /* We further randomize icmp6errppslim
489 * with this during icmpv6 initialization*/
490int icmp6rappslim = 10; /* 10 packets per second */
491int icmp6_nodeinfo = 0; /* enable/disable NI response */
492
493/* UDP on IP6 parameters */
494int udp6_sendspace = 9216; /* really max datagram size */
495int udp6_recvspace = 40 * (1024 + sizeof(struct sockaddr_in6));
496/* 40 1K datagrams */
497
498/*
499 * sysctl related items.
500 */
501SYSCTL_NODE(_net, PF_INET6, inet6,
502 CTLFLAG_RW | CTLFLAG_LOCKED, 0, "Internet6 Family");
503
504/* net.inet6 */
505SYSCTL_NODE(_net_inet6, IPPROTO_IPV6, ip6,
506 CTLFLAG_RW | CTLFLAG_LOCKED, 0, "IP6");
507SYSCTL_NODE(_net_inet6, IPPROTO_ICMPV6, icmp6,
508 CTLFLAG_RW | CTLFLAG_LOCKED, 0, "ICMP6");
509SYSCTL_NODE(_net_inet6, IPPROTO_UDP, udp6,
510 CTLFLAG_RW | CTLFLAG_LOCKED, 0, "UDP6");
511SYSCTL_NODE(_net_inet6, IPPROTO_TCP, tcp6,
512 CTLFLAG_RW | CTLFLAG_LOCKED, 0, "TCP6");
513#if IPSEC
514SYSCTL_NODE(_net_inet6, IPPROTO_ESP, ipsec6,
515 CTLFLAG_RW | CTLFLAG_LOCKED, 0, "IPSEC6");
516#endif /* IPSEC */
517
518/* net.inet6.ip6 */
519static int
520sysctl_ip6_temppltime SYSCTL_HANDLER_ARGS
521{
522#pragma unused(oidp, arg2)
523 int error = 0;
524 int value = 0;
525
526 error = SYSCTL_OUT(req, arg1, sizeof(int));
527 if (error || !req->newptr) {
528 return error;
529 }
530
531 error = SYSCTL_IN(req, &value, sizeof(value));
532 if (error) {
533 return error;
534 }
535
536 if (value > ND6_MAX_LIFETIME ||
537 value < ip6_desync_factor + ip6_temp_regen_advance) {
538 return EINVAL;
539 }
540
541 ip6_temp_preferred_lifetime = value;
542 return error;
543}
544
545static int
546sysctl_ip6_tempvltime SYSCTL_HANDLER_ARGS
547{
548#pragma unused(oidp, arg2)
549 int error = 0;
550 uint32_t value = 0;
551
552 error = SYSCTL_OUT(req, arg1, sizeof(uint32_t));
553 if (error || !req->newptr) {
554 return error;
555 }
556
557 error = SYSCTL_IN(req, &value, sizeof(value));
558 if (error) {
559 return error;
560 }
561
562 if (value > ND6_MAX_LIFETIME ||
563 value < ip6_temp_preferred_lifetime) {
564 return EINVAL;
565 }
566
567 ip6_temp_valid_lifetime = value;
568 return error;
569}
570
571static int
572sysctl_ip6_cga_conflict_retries SYSCTL_HANDLER_ARGS
573{
574#pragma unused(oidp, arg2)
575 int error = 0;
576 int value = 0;
577
578 error = SYSCTL_OUT(req, arg1, sizeof(int));
579 if (error || !req->newptr) {
580 return error;
581 }
582
583 error = SYSCTL_IN(req, &value, sizeof(value));
584 if (error) {
585 return error;
586 }
587 if (value > IPV6_CGA_CONFLICT_RETRIES_MAX || value < 0) {
588 return EINVAL;
589 }
590
591 ip6_cga_conflict_retries = value;
592 return 0;
593}
594
595static int
596ip6_getstat SYSCTL_HANDLER_ARGS
597{
598#pragma unused(oidp, arg1, arg2)
599 if (req->oldptr == USER_ADDR_NULL) {
600 req->oldlen = (size_t)sizeof(struct ip6stat);
601 }
602
603 return SYSCTL_OUT(req, &ip6stat, MIN(sizeof(ip6stat), req->oldlen));
604}
605
606SYSCTL_INT(_net_inet6_ip6, IPV6CTL_SENDREDIRECTS,
607 redirect, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_sendredirects, 0, "");
608SYSCTL_INT(_net_inet6_ip6, IPV6CTL_DEFHLIM,
609 hlim, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_defhlim, 0, "");
610SYSCTL_PROC(_net_inet6_ip6, IPV6CTL_STATS, stats,
611 CTLTYPE_STRUCT | CTLFLAG_RD | CTLFLAG_LOCKED,
612 0, 0, ip6_getstat, "S,ip6stat", "");
613
614#if (DEVELOPMENT || DEBUG)
615SYSCTL_INT(_net_inet6_ip6, IPV6CTL_ACCEPT_RTADV,
616 accept_rtadv, CTLFLAG_RW | CTLFLAG_LOCKED,
617 &ip6_accept_rtadv, 0, "");
618#else
619SYSCTL_INT(_net_inet6_ip6, IPV6CTL_ACCEPT_RTADV,
620 accept_rtadv, CTLFLAG_RD | CTLFLAG_LOCKED,
621 &ip6_accept_rtadv, 0, "");
622#endif /* (DEVELOPMENT || DEBUG) */
623SYSCTL_INT(_net_inet6_ip6, IPV6CTL_KEEPFAITH,
624 keepfaith, CTLFLAG_RD | CTLFLAG_LOCKED, &ip6_keepfaith, 0, "");
625SYSCTL_INT(_net_inet6_ip6, IPV6CTL_LOG_INTERVAL,
626 log_interval, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_log_interval, 0, "");
627SYSCTL_INT(_net_inet6_ip6, IPV6CTL_HDRNESTLIMIT,
628 hdrnestlimit, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_hdrnestlimit, 0, "");
629SYSCTL_INT(_net_inet6_ip6, IPV6CTL_DAD_COUNT,
630 dad_count, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_dad_count, 0, "");
631SYSCTL_INT(_net_inet6_ip6, IPV6CTL_AUTO_FLOWLABEL,
632 auto_flowlabel, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_auto_flowlabel, 0, "");
633SYSCTL_INT(_net_inet6_ip6, IPV6CTL_DEFMCASTHLIM,
634 defmcasthlim, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_defmcasthlim, 0, "");
635SYSCTL_INT(_net_inet6_ip6, IPV6CTL_GIF_HLIM,
636 gifhlim, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_gif_hlim, 0, "");
637SYSCTL_STRING(_net_inet6_ip6, IPV6CTL_KAME_VERSION,
638 kame_version, CTLFLAG_RD | CTLFLAG_LOCKED, (void *)((uintptr_t)(__KAME_VERSION)), 0, "");
639SYSCTL_INT(_net_inet6_ip6, IPV6CTL_USE_DEPRECATED,
640 use_deprecated, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_use_deprecated, 0, "");
641SYSCTL_INT(_net_inet6_ip6, IPV6CTL_RR_PRUNE,
642 rr_prune, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_rr_prune, 0, "");
643SYSCTL_INT(_net_inet6_ip6, IPV6CTL_USETEMPADDR,
644 use_tempaddr, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_use_tempaddr, 0, "");
645SYSCTL_INT(_net_inet6_ip6, IPV6CTL_ULA_USETEMPADDR,
646 ula_use_tempaddr, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_ula_use_tempaddr, 0, "");
647SYSCTL_OID(_net_inet6_ip6, IPV6CTL_TEMPPLTIME, temppltime,
648 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_temp_preferred_lifetime, 0,
649 sysctl_ip6_temppltime, "I", "");
650SYSCTL_OID(_net_inet6_ip6, IPV6CTL_TEMPVLTIME, tempvltime,
651 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_temp_valid_lifetime, 0,
652 sysctl_ip6_tempvltime, "I", "");
653SYSCTL_INT(_net_inet6_ip6, IPV6CTL_V6ONLY,
654 v6only, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_v6only, 0, "");
655SYSCTL_INT(_net_inet6_ip6, IPV6CTL_AUTO_LINKLOCAL,
656 auto_linklocal, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_auto_linklocal, 0, "");
657SYSCTL_STRUCT(_net_inet6_ip6, IPV6CTL_RIP6STATS, rip6stats, CTLFLAG_RD | CTLFLAG_LOCKED,
658 &rip6stat, rip6stat, "");
659SYSCTL_INT(_net_inet6_ip6, IPV6CTL_PREFER_TEMPADDR,
660 prefer_tempaddr, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_prefer_tempaddr, 0, "");
661SYSCTL_INT(_net_inet6_ip6, IPV6CTL_USE_DEFAULTZONE,
662 use_defaultzone, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_use_defzone, 0, "");
663SYSCTL_INT(_net_inet6_ip6, IPV6CTL_MCAST_PMTU,
664 mcast_pmtu, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_mcast_pmtu, 0, "");
665SYSCTL_INT(_net_inet6_ip6, IPV6CTL_NEIGHBORGCTHRESH,
666 neighborgcthresh, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_neighborgcthresh, 0, "");
667SYSCTL_INT(_net_inet6_ip6, IPV6CTL_MAXIFPREFIXES,
668 maxifprefixes, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_maxifprefixes, 0, "");
669SYSCTL_INT(_net_inet6_ip6, IPV6CTL_MAXIFDEFROUTERS,
670 maxifdefrouters, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_maxifdefrouters, 0, "");
671SYSCTL_INT(_net_inet6_ip6, IPV6CTL_MAXDYNROUTES,
672 maxdynroutes, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_maxdynroutes, 0, "");
673SYSCTL_INT(_net_inet6_ip6, OID_AUTO,
674 only_allow_rfc4193_prefixes, CTLFLAG_RW | CTLFLAG_LOCKED,
675 &ip6_only_allow_rfc4193_prefix, 0, "");
676SYSCTL_INT(_net_inet6_ip6, OID_AUTO,
677 clat_debug, CTLFLAG_RW | CTLFLAG_LOCKED, &clat_debug, 0, "");
678
679SYSCTL_PROC(_net_inet6_ip6, OID_AUTO,
680 cga_conflict_retries, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_LOCKED,
681 &ip6_cga_conflict_retries, 0, sysctl_ip6_cga_conflict_retries, "IU", "");
682
683
684static int sysctl_ip6_forwarding SYSCTL_HANDLER_ARGS;
685
686SYSCTL_PROC(_net_inet6_ip6, IPV6CTL_FORWARDING, forwarding,
687 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_forwarding, 0,
688 sysctl_ip6_forwarding, "I", "");
689
690static int
691sysctl_ip6_forwarding SYSCTL_HANDLER_ARGS
692{
693#pragma unused(arg1, arg2)
694 int error, i;
695 char proc_name_string[MAXCOMLEN + 1];
696 proc_name(pid: proc_pid(current_proc()), buf: proc_name_string, size: sizeof(proc_name_string));
697
698 i = ip6_forwarding;
699 os_log(OS_LOG_DEFAULT, "%s:%s entry: ip6_forwarding is %d",
700 proc_name_string, __func__, ip6_forwarding);
701
702 error = sysctl_handle_int(oidp, arg1: &i, arg2: 0, req);
703 if (error || req->newptr == USER_ADDR_NULL) {
704 goto done;
705 }
706 /* impose bounds */
707 if (i < 0) {
708 error = EINVAL;
709 goto done;
710 }
711
712 if (i > 0) {
713 i = 1;
714 }
715
716 ip6_forwarding = i;
717done:
718 os_log(OS_LOG_DEFAULT, "%s:%s return: ip6_forwarding is %d "
719 "and error is %d", proc_name_string, __func__, ip6_forwarding, error);
720 return error;
721}
722
723/*
724 * One single sysctl to set v6 stack profile for IPv6 compliance testing.
725 * A lot of compliance test suites are not aware of other enhancements in IPv6
726 * protocol and expect some arguably obsolete behavior.
727 */
728static int v6_compliance_profile;
729static int
730sysctl_set_v6_compliance_profile SYSCTL_HANDLER_ARGS
731{
732#pragma unused(oidp, arg2)
733 int changed, error;
734 int value = *(int *) arg1;
735
736 error = sysctl_io_number(req, bigValue: value, valueSize: sizeof(value), pValue: &value, changed: &changed);
737 if (error || !changed) {
738 return error;
739 }
740
741 if (value != 0 && value != 1) {
742 return ERANGE;
743 }
744
745 if (value == 1) {
746 ip6_use_tempaddr = 0;
747 dad_enhanced = 0;
748 icmp6_rediraccept = 1;
749 nd6_optimistic_dad = 0;
750 nd6_process_rti = ND6_PROCESS_RTI_ENABLE;
751 } else {
752 ip6_use_tempaddr = IP6_USE_TMPADDR_DEFAULT;
753 dad_enhanced = ND6_DAD_ENHANCED_DEFAULT;
754 icmp6_rediraccept = ICMP6_REDIRACCEPT_DEFAULT;
755 nd6_optimistic_dad = ND6_OPTIMISTIC_DAD_DEFAULT;
756 nd6_process_rti = ND6_PROCESS_RTI_DEFAULT;
757 }
758
759 v6_compliance_profile = value;
760 return 0;
761}
762
763SYSCTL_PROC(_net_inet6_ip6, OID_AUTO, compliance_profile,
764 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_LOCKED,
765 &v6_compliance_profile, 0, sysctl_set_v6_compliance_profile,
766 "I", "set IPv6 compliance profile");
767
768/* net.inet6.icmp6 */
769SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_REDIRACCEPT,
770 rediraccept, CTLFLAG_RW | CTLFLAG_LOCKED, &icmp6_rediraccept, 0, "");
771SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_REDIRTIMEOUT,
772 redirtimeout, CTLFLAG_RW | CTLFLAG_LOCKED, &icmp6_redirtimeout, 0, "");
773SYSCTL_STRUCT(_net_inet6_icmp6, ICMPV6CTL_STATS, stats, CTLFLAG_RD | CTLFLAG_LOCKED,
774 &icmp6stat, icmp6stat, "");
775SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_PRUNE,
776 nd6_prune, CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_prune, 0, "");
777SYSCTL_INT(_net_inet6_icmp6, OID_AUTO,
778 nd6_prune_lazy, CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_prune_lazy, 0, "");
779SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_DELAY,
780 nd6_delay, CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_delay, 0, "");
781SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_UMAXTRIES,
782 nd6_umaxtries, CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_umaxtries, 0, "");
783SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_MMAXTRIES,
784 nd6_mmaxtries, CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_mmaxtries, 0, "");
785SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_USELOOPBACK,
786 nd6_useloopback, CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_useloopback, 0, "");
787SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_ACCEPT_6TO4,
788 nd6_accept_6to4, CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_accept_6to4, 0, "");
789SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_NODEINFO,
790 nodeinfo, CTLFLAG_RW | CTLFLAG_LOCKED, &icmp6_nodeinfo, 0, "");
791SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ERRPPSLIMIT,
792 errppslimit, CTLFLAG_RW | CTLFLAG_LOCKED, &icmp6errppslim, 0, "");
793SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ERRPPSLIMIT_RANDOM_INCR,
794 errppslimit_random_incr, CTLFLAG_RW | CTLFLAG_LOCKED, &icmp6errppslim_random_incr, 0, "");
795SYSCTL_INT(_net_inet6_icmp6, OID_AUTO,
796 rappslimit, CTLFLAG_RW | CTLFLAG_LOCKED, &icmp6rappslim, 0, "");
797SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_DEBUG,
798 nd6_debug, CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_debug, 0, "");
799SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_ONLINKNSRFC4861,
800 nd6_onlink_ns_rfc4861, CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_onlink_ns_rfc4861, 0,
801 "Accept 'on-link' nd6 NS in compliance with RFC 4861.");
802SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_OPTIMISTIC_DAD,
803 nd6_optimistic_dad, CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_optimistic_dad, 0, "");
804