1 | /* |
2 | * Copyright (c) 2008-2023 Apple Inc. All rights reserved. |
3 | * |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ |
5 | * |
6 | * This file contains Original Code and/or Modifications of Original Code |
7 | * as defined in and that are subject to the Apple Public Source License |
8 | * Version 2.0 (the 'License'). You may not use this file except in |
9 | * compliance with the License. The rights granted to you under the License |
10 | * may not be used to create, or enable the creation or redistribution of, |
11 | * unlawful or unlicensed copies of an Apple operating system, or to |
12 | * circumvent, violate, or enable the circumvention or violation of, any |
13 | * terms of an Apple operating system software license agreement. |
14 | * |
15 | * Please obtain a copy of the License at |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. |
17 | * |
18 | * The Original Code and all software distributed under the License are |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
23 | * Please see the License for the specific language governing rights and |
24 | * limitations under the License. |
25 | * |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ |
27 | */ |
28 | |
29 | /* |
30 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. |
31 | * All rights reserved. |
32 | * |
33 | * Redistribution and use in source and binary forms, with or without |
34 | * modification, are permitted provided that the following conditions |
35 | * are met: |
36 | * 1. Redistributions of source code must retain the above copyright |
37 | * notice, this list of conditions and the following disclaimer. |
38 | * 2. Redistributions in binary form must reproduce the above copyright |
39 | * notice, this list of conditions and the following disclaimer in the |
40 | * documentation and/or other materials provided with the distribution. |
41 | * 3. Neither the name of the project nor the names of its contributors |
42 | * may be used to endorse or promote products derived from this software |
43 | * without specific prior written permission. |
44 | * |
45 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND |
46 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
47 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
48 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE |
49 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
50 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
51 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
52 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
53 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
54 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
55 | * SUCH DAMAGE. |
56 | */ |
57 | |
58 | /* |
59 | * Copyright (c) 1982, 1986, 1993 |
60 | * The Regents of the University of California. All rights reserved. |
61 | * |
62 | * Redistribution and use in source and binary forms, with or without |
63 | * modification, are permitted provided that the following conditions |
64 | * are met: |
65 | * 1. Redistributions of source code must retain the above copyright |
66 | * notice, this list of conditions and the following disclaimer. |
67 | * 2. Redistributions in binary form must reproduce the above copyright |
68 | * notice, this list of conditions and the following disclaimer in the |
69 | * documentation and/or other materials provided with the distribution. |
70 | * 3. All advertising materials mentioning features or use of this software |
71 | * must display the following acknowledgement: |
72 | * This product includes software developed by the University of |
73 | * California, Berkeley and its contributors. |
74 | * 4. Neither the name of the University nor the names of its contributors |
75 | * may be used to endorse or promote products derived from this software |
76 | * without specific prior written permission. |
77 | * |
78 | * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND |
79 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
80 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
81 | * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE |
82 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
83 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
84 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
85 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
86 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
87 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
88 | * SUCH DAMAGE. |
89 | * |
90 | * @(#)in_proto.c 8.1 (Berkeley) 6/10/93 |
91 | */ |
92 | |
93 | |
94 | #include <sys/param.h> |
95 | #include <sys/socket.h> |
96 | #include <sys/socketvar.h> |
97 | #include <sys/protosw.h> |
98 | #include <sys/kernel.h> |
99 | #include <sys/domain.h> |
100 | #include <sys/mbuf.h> |
101 | #include <sys/systm.h> |
102 | #include <sys/sysctl.h> |
103 | |
104 | #include <net/if.h> |
105 | #include <net/radix.h> |
106 | #include <net/route.h> |
107 | #include <net/nat464_utils.h> |
108 | |
109 | #include <netinet/in.h> |
110 | #include <netinet/in_systm.h> |
111 | #include <netinet/in_var.h> |
112 | #include <netinet/ip_encap.h> |
113 | #include <netinet/ip.h> |
114 | #include <netinet/ip_var.h> |
115 | #include <netinet/ip6.h> |
116 | #include <netinet6/ip6_var.h> |
117 | #include <netinet6/in6_var.h> |
118 | #include <netinet/icmp6.h> |
119 | |
120 | #include <netinet/tcp.h> |
121 | #include <netinet/tcp_timer.h> |
122 | #include <netinet/tcp_var.h> |
123 | #include <netinet/udp.h> |
124 | #include <netinet/udp_var.h> |
125 | #include <netinet6/tcp6_var.h> |
126 | #include <netinet6/raw_ip6.h> |
127 | #include <netinet6/udp6_var.h> |
128 | #include <netinet6/nd6.h> |
129 | #include <netinet6/mld6_var.h> |
130 | |
131 | #if IPSEC |
132 | #include <netinet6/ipsec.h> |
133 | #include <netinet6/ipsec6.h> |
134 | #include <netinet6/ah.h> |
135 | #include <netinet6/ah6.h> |
136 | #if IPSEC_ESP |
137 | #include <netinet6/esp.h> |
138 | #include <netinet6/esp6.h> |
139 | #endif |
140 | #endif /*IPSEC*/ |
141 | |
142 | #include <netinet6/ip6protosw.h> |
143 | |
144 | #include <net/net_osdep.h> |
145 | #include <os/log.h> |
146 | |
147 | /* |
148 | * TCP/IP protocol family: IP6, ICMP6, UDP, TCP. |
149 | */ |
150 | |
151 | extern struct domain inet6domain_s; |
152 | struct domain *inet6domain = NULL; |
153 | |
154 | static struct pr_usrreqs nousrreqs; |
155 | lck_mtx_t *inet6_domain_mutex; |
156 | |
157 | static void in6_dinit(struct domain *); |
158 | static int rip6_pr_output(struct mbuf *, struct socket *, |
159 | struct sockaddr_in6 *, struct mbuf *); |
160 | |
161 | struct ip6protosw inet6sw[] = { |
162 | { |
163 | .pr_type = 0, |
164 | .pr_protocol = IPPROTO_IPV6, |
165 | .pr_init = ip6_init, |
166 | .pr_drain = ip6_drain, |
167 | .pr_usrreqs = &nousrreqs, |
168 | }, |
169 | { |
170 | .pr_type = SOCK_DGRAM, |
171 | .pr_protocol = IPPROTO_UDP, |
172 | .pr_flags = PR_ATOMIC | PR_ADDR | PR_PROTOLOCK | PR_PCBLOCK | |
173 | PR_EVCONNINFO | PR_PRECONN_WRITE, |
174 | .pr_input = udp6_input, |
175 | .pr_ctlinput = udp6_ctlinput, |
176 | .pr_ctloutput = udp_ctloutput, |
177 | #if !INET /* don't call initialization twice */ |
178 | .pr_init = udp_init, |
179 | #endif /* !INET */ |
180 | .pr_usrreqs = &udp6_usrreqs, |
181 | .pr_lock = udp_lock, |
182 | .pr_unlock = udp_unlock, |
183 | .pr_getlock = udp_getlock, |
184 | .pr_update_last_owner = inp_update_last_owner, |
185 | .pr_copy_last_owner = inp_copy_last_owner, |
186 | }, |
187 | { |
188 | .pr_type = SOCK_STREAM, |
189 | .pr_protocol = IPPROTO_TCP, |
190 | .pr_flags = PR_CONNREQUIRED | PR_WANTRCVD | PR_PCBLOCK | |
191 | PR_PROTOLOCK | PR_DISPOSE | PR_EVCONNINFO | |
192 | PR_PRECONN_WRITE | PR_DATA_IDEMPOTENT, |
193 | .pr_input = tcp6_input, |
194 | .pr_ctlinput = tcp6_ctlinput, |
195 | .pr_ctloutput = tcp_ctloutput, |
196 | #if !INET /* don't call initialization and timeout routines twice */ |
197 | .pr_init = tcp_init, |
198 | #endif /* !INET */ |
199 | .pr_drain = tcp_drain, |
200 | .pr_usrreqs = &tcp6_usrreqs, |
201 | .pr_lock = tcp_lock, |
202 | .pr_unlock = tcp_unlock, |
203 | .pr_getlock = tcp_getlock, |
204 | .pr_update_last_owner = inp_update_last_owner, |
205 | .pr_copy_last_owner = inp_copy_last_owner, |
206 | }, |
207 | { |
208 | .pr_type = SOCK_RAW, |
209 | .pr_protocol = IPPROTO_RAW, |
210 | .pr_flags = PR_ATOMIC | PR_ADDR, |
211 | .pr_input = rip6_input, |
212 | .pr_output = rip6_pr_output, |
213 | .pr_ctlinput = rip6_ctlinput, |
214 | .pr_ctloutput = rip6_ctloutput, |
215 | #if !INET /* don't call initialization and timeout routines twice */ |
216 | .pr_init = rip_init, |
217 | #endif /* !INET */ |
218 | .pr_usrreqs = &rip6_usrreqs, |
219 | .pr_unlock = rip_unlock, |
220 | .pr_update_last_owner = inp_update_last_owner, |
221 | .pr_copy_last_owner = inp_copy_last_owner, |
222 | }, |
223 | { |
224 | .pr_type = SOCK_RAW, |
225 | .pr_protocol = IPPROTO_ICMPV6, |
226 | .pr_flags = PR_ATOMIC | PR_ADDR | PR_LASTHDR, |
227 | .pr_input = icmp6_input, |
228 | .pr_output = rip6_pr_output, |
229 | .pr_ctlinput = rip6_ctlinput, |
230 | .pr_ctloutput = rip6_ctloutput, |
231 | .pr_init = icmp6_init, |
232 | .pr_usrreqs = &rip6_usrreqs, |
233 | .pr_unlock = rip_unlock, |
234 | .pr_update_last_owner = inp_update_last_owner, |
235 | .pr_copy_last_owner = inp_copy_last_owner, |
236 | }, |
237 | { |
238 | .pr_type = SOCK_DGRAM, |
239 | .pr_protocol = IPPROTO_ICMPV6, |
240 | .pr_flags = PR_ATOMIC | PR_ADDR | PR_LASTHDR, |
241 | .pr_input = icmp6_input, |
242 | .pr_output = rip6_pr_output, |
243 | .pr_ctlinput = rip6_ctlinput, |
244 | .pr_ctloutput = icmp6_dgram_ctloutput, |
245 | .pr_init = icmp6_init, |
246 | .pr_usrreqs = &icmp6_dgram_usrreqs, |
247 | .pr_unlock = rip_unlock, |
248 | .pr_update_last_owner = inp_update_last_owner, |
249 | .pr_copy_last_owner = inp_copy_last_owner, |
250 | }, |
251 | { |
252 | .pr_type = SOCK_RAW, |
253 | .pr_protocol = IPPROTO_DSTOPTS, |
254 | .pr_flags = PR_ATOMIC | PR_ADDR, |
255 | .pr_input = dest6_input, |
256 | .pr_usrreqs = &nousrreqs, |
257 | }, |
258 | { |
259 | .pr_type = SOCK_RAW, |
260 | .pr_protocol = IPPROTO_ROUTING, |
261 | .pr_flags = PR_ATOMIC | PR_ADDR, |
262 | .pr_input = route6_input, |
263 | .pr_usrreqs = &nousrreqs, |
264 | }, |
265 | { |
266 | .pr_type = SOCK_RAW, |
267 | .pr_protocol = IPPROTO_FRAGMENT, |
268 | .pr_flags = PR_ATOMIC | PR_ADDR | PR_PROTOLOCK, |
269 | .pr_input = frag6_input, |
270 | .pr_usrreqs = &nousrreqs, |
271 | }, |
272 | #if IPSEC |
273 | { |
274 | .pr_type = SOCK_RAW, |
275 | .pr_protocol = IPPROTO_AH, |
276 | .pr_flags = PR_ATOMIC | PR_ADDR | PR_PROTOLOCK, |
277 | .pr_input = ah6_input, |
278 | .pr_usrreqs = &nousrreqs, |
279 | }, |
280 | #if IPSEC_ESP |
281 | { |
282 | .pr_type = SOCK_RAW, |
283 | .pr_protocol = IPPROTO_ESP, |
284 | .pr_flags = PR_ATOMIC | PR_ADDR | PR_PROTOLOCK, |
285 | .pr_input = esp6_input, |
286 | .pr_ctlinput = esp6_ctlinput, |
287 | .pr_usrreqs = &nousrreqs, |
288 | }, |
289 | #endif /* IPSEC_ESP */ |
290 | #endif /* IPSEC */ |
291 | #if INET |
292 | { |
293 | .pr_type = SOCK_RAW, |
294 | .pr_protocol = IPPROTO_IPV4, |
295 | .pr_flags = PR_ATOMIC | PR_ADDR | PR_LASTHDR, |
296 | .pr_input = encap6_input, |
297 | .pr_output = rip6_pr_output, |
298 | .pr_ctloutput = rip6_ctloutput, |
299 | .pr_usrreqs = &rip6_usrreqs, |
300 | .pr_unlock = rip_unlock, |
301 | .pr_update_last_owner = inp_update_last_owner, |
302 | .pr_copy_last_owner = inp_copy_last_owner, |
303 | }, |
304 | #endif /*INET*/ |
305 | { |
306 | .pr_type = SOCK_RAW, |
307 | .pr_protocol = IPPROTO_IPV6, |
308 | .pr_flags = PR_ATOMIC | PR_ADDR | PR_LASTHDR, |
309 | .pr_input = encap6_input, |
310 | .pr_output = rip6_pr_output, |
311 | .pr_ctloutput = rip6_ctloutput, |
312 | .pr_usrreqs = &rip6_usrreqs, |
313 | .pr_unlock = rip_unlock, |
314 | .pr_update_last_owner = inp_update_last_owner, |
315 | .pr_copy_last_owner = inp_copy_last_owner, |
316 | }, |
317 | /* raw wildcard */ |
318 | { |
319 | .pr_type = SOCK_RAW, |
320 | .pr_protocol = 0, |
321 | .pr_flags = PR_ATOMIC | PR_ADDR | PR_LASTHDR, |
322 | .pr_input = rip6_input, |
323 | .pr_output = rip6_pr_output, |
324 | .pr_ctloutput = rip6_ctloutput, |
325 | .pr_usrreqs = &rip6_usrreqs, |
326 | .pr_unlock = rip_unlock, |
327 | .pr_update_last_owner = inp_update_last_owner, |
328 | .pr_copy_last_owner = inp_copy_last_owner, |
329 | }, |
330 | }; |
331 | |
332 | int in6_proto_count = (sizeof(inet6sw) / sizeof(struct ip6protosw)); |
333 | |
334 | struct domain inet6domain_s = { |
335 | .dom_family = PF_INET6, |
336 | .dom_flags = DOM_REENTRANT, |
337 | .dom_name = "internet6" , |
338 | .dom_init = in6_dinit, |
339 | .dom_rtattach = in6_inithead, |
340 | .dom_rtoffset = offsetof(struct sockaddr_in6, sin6_addr) << 3, |
341 | .dom_maxrtkey = sizeof(struct sockaddr_in6), |
342 | .dom_protohdrlen = sizeof(struct sockaddr_in6), |
343 | }; |
344 | |
345 | /* Initialize the PF_INET6 domain, and add in the pre-defined protos */ |
346 | void |
347 | in6_dinit(struct domain *dp) |
348 | { |
349 | struct ip6protosw *pr; |
350 | int i; |
351 | |
352 | VERIFY(!(dp->dom_flags & DOM_INITIALIZED)); |
353 | VERIFY(inet6domain == NULL); |
354 | |
355 | inet6domain = dp; |
356 | |
357 | _CASSERT(sizeof(struct protosw) == sizeof(struct ip6protosw)); |
358 | _CASSERT(offsetof(struct ip6protosw, pr_entry) == |
359 | offsetof(struct protosw, pr_entry)); |
360 | _CASSERT(offsetof(struct ip6protosw, pr_domain) == |
361 | offsetof(struct protosw, pr_domain)); |
362 | _CASSERT(offsetof(struct ip6protosw, pr_protosw) == |
363 | offsetof(struct protosw, pr_protosw)); |
364 | _CASSERT(offsetof(struct ip6protosw, pr_type) == |
365 | offsetof(struct protosw, pr_type)); |
366 | _CASSERT(offsetof(struct ip6protosw, pr_protocol) == |
367 | offsetof(struct protosw, pr_protocol)); |
368 | _CASSERT(offsetof(struct ip6protosw, pr_flags) == |
369 | offsetof(struct protosw, pr_flags)); |
370 | _CASSERT(offsetof(struct ip6protosw, pr_input) == |
371 | offsetof(struct protosw, pr_input)); |
372 | _CASSERT(offsetof(struct ip6protosw, pr_output) == |
373 | offsetof(struct protosw, pr_output)); |
374 | _CASSERT(offsetof(struct ip6protosw, pr_ctlinput) == |
375 | offsetof(struct protosw, pr_ctlinput)); |
376 | _CASSERT(offsetof(struct ip6protosw, pr_ctloutput) == |
377 | offsetof(struct protosw, pr_ctloutput)); |
378 | _CASSERT(offsetof(struct ip6protosw, pr_usrreqs) == |
379 | offsetof(struct protosw, pr_usrreqs)); |
380 | _CASSERT(offsetof(struct ip6protosw, pr_init) == |
381 | offsetof(struct protosw, pr_init)); |
382 | _CASSERT(offsetof(struct ip6protosw, pr_drain) == |
383 | offsetof(struct protosw, pr_drain)); |
384 | _CASSERT(offsetof(struct ip6protosw, pr_sysctl) == |
385 | offsetof(struct protosw, pr_sysctl)); |
386 | _CASSERT(offsetof(struct ip6protosw, pr_lock) == |
387 | offsetof(struct protosw, pr_lock)); |
388 | _CASSERT(offsetof(struct ip6protosw, pr_unlock) == |
389 | offsetof(struct protosw, pr_unlock)); |
390 | _CASSERT(offsetof(struct ip6protosw, pr_getlock) == |
391 | offsetof(struct protosw, pr_getlock)); |
392 | _CASSERT(offsetof(struct ip6protosw, pr_filter_head) == |
393 | offsetof(struct protosw, pr_filter_head)); |
394 | _CASSERT(offsetof(struct ip6protosw, pr_old) == |
395 | offsetof(struct protosw, pr_old)); |
396 | _CASSERT(offsetof(struct ip6protosw, pr_update_last_owner) == |
397 | offsetof(struct protosw, pr_update_last_owner)); |
398 | _CASSERT(offsetof(struct ip6protosw, pr_copy_last_owner) == |
399 | offsetof(struct protosw, pr_copy_last_owner)); |
400 | |
401 | /* |
402 | * Attach first, then initialize. ip6_init() needs raw IP6 handler. |
403 | */ |
404 | for (i = 0, pr = &inet6sw[0]; i < in6_proto_count; i++, pr++) { |
405 | net_add_proto((struct protosw *)pr, dp, 0); |
406 | } |
407 | for (i = 0, pr = &inet6sw[0]; i < in6_proto_count; i++, pr++) { |
408 | net_init_proto((struct protosw *)pr, dp); |
409 | } |
410 | |
411 | inet6_domain_mutex = dp->dom_mtx; |
412 | } |
413 | |
414 | static int |
415 | rip6_pr_output(struct mbuf *m, struct socket *so, struct sockaddr_in6 *sin6, |
416 | struct mbuf *m1) |
417 | { |
418 | #pragma unused(m, so, sin6, m1) |
419 | panic("%s" , __func__); |
420 | /* NOTREACHED */ |
421 | return 0; |
422 | } |
423 | |
424 | /* |
425 | * Internet configuration info |
426 | */ |
427 | #ifndef IPV6FORWARDING |
428 | #if GATEWAY6 |
429 | #define IPV6FORWARDING 1 /* forward IP6 packets not for us */ |
430 | #else |
431 | #define IPV6FORWARDING 0 /* don't forward IP6 packets not for us */ |
432 | #endif /* GATEWAY6 */ |
433 | #endif /* !IPV6FORWARDING */ |
434 | |
435 | #ifndef IPV6_SENDREDIRECTS |
436 | #define IPV6_SENDREDIRECTS 1 |
437 | #endif |
438 | |
439 | int ip6_forwarding = IPV6FORWARDING; /* act as router? */ |
440 | int ip6_sendredirects = IPV6_SENDREDIRECTS; |
441 | int ip6_defhlim = IPV6_DEFHLIM; |
442 | int ip6_defmcasthlim = IPV6_DEFAULT_MULTICAST_HOPS; |
443 | int ip6_accept_rtadv = 1; /* deprecated */ |
444 | int ip6_log_interval = 5; |
445 | int ip6_hdrnestlimit = 15; /* How many header options will we process? */ |
446 | int ip6_dad_count = 1; /* DupAddrDetectionTransmits */ |
447 | int ip6_auto_flowlabel = 1; |
448 | int ip6_gif_hlim = 0; |
449 | int ip6_use_deprecated = 1; /* allow deprecated addr [RFC 4862, 5.5.4] */ |
450 | int ip6_rr_prune = 5; /* router renumbering prefix |
451 | * walk list every 5 sec. */ |
452 | int ip6_mcast_pmtu = 0; /* enable pMTU discovery for multicast? */ |
453 | int ip6_v6only = 0; /* Mapped addresses off by default - Radar 3347718 -- REVISITING FOR 10.7 -- TESTING WITH MAPPED@ OFF */ |
454 | |
455 | int ip6_neighborgcthresh = 1024; /* Threshold # of NDP entries for GC */ |
456 | int ip6_maxifprefixes = 16; /* Max acceptable prefixes via RA per IF */ |
457 | int ip6_maxifdefrouters = 64; /* Max acceptable default or RTI routers via RA */ |
458 | int ip6_maxdynroutes = 1024; /* Max # of routes created via redirect */ |
459 | int ip6_only_allow_rfc4193_prefix = 0; /* Only allow RFC4193 style Unique Local IPv6 Unicast prefixes */ |
460 | |
461 | static int ip6_keepfaith = 0; |
462 | uint64_t ip6_log_time = 0; |
463 | int nd6_onlink_ns_rfc4861 = 0; /* allow 'on-link' nd6 NS (as in RFC 4861) */ |
464 | |
465 | /* icmp6 */ |
466 | /* |
467 | * BSDI4 defines these variables in in_proto.c... |
468 | * XXX: what if we don't define INET? Should we define pmtu6_expire |
469 | * or so? (jinmei@kame.net 19990310) |
470 | */ |
471 | int pmtu_expire = 60 * 10; |
472 | int pmtu_probe = 60 * 2; |
473 | |
474 | /* raw IP6 parameters */ |
475 | /* |
476 | * Nominal space allocated to a raw ip socket. |
477 | */ |
478 | #define RIPV6SNDQ 8192 |
479 | #define RIPV6RCVQ 8192 |
480 | |
481 | u_int32_t rip6_sendspace = RIPV6SNDQ; |
482 | u_int32_t rip6_recvspace = RIPV6RCVQ; |
483 | |
484 | /* ICMPV6 parameters */ |
485 | int icmp6_rediraccept = 1; /* accept and process redirects */ |
486 | int icmp6_redirtimeout = 10 * 60; /* 10 minutes */ |
487 | uint32_t icmp6errppslim = 500; /* 500 packets per second */ |
488 | uint32_t icmp6errppslim_random_incr = 500; /* We further randomize icmp6errppslim |
489 | * with this during icmpv6 initialization*/ |
490 | int icmp6rappslim = 10; /* 10 packets per second */ |
491 | int icmp6_nodeinfo = 0; /* enable/disable NI response */ |
492 | |
493 | /* UDP on IP6 parameters */ |
494 | int udp6_sendspace = 9216; /* really max datagram size */ |
495 | int udp6_recvspace = 40 * (1024 + sizeof(struct sockaddr_in6)); |
496 | /* 40 1K datagrams */ |
497 | |
498 | /* |
499 | * sysctl related items. |
500 | */ |
501 | SYSCTL_NODE(_net, PF_INET6, inet6, |
502 | CTLFLAG_RW | CTLFLAG_LOCKED, 0, "Internet6 Family" ); |
503 | |
504 | /* net.inet6 */ |
505 | SYSCTL_NODE(_net_inet6, IPPROTO_IPV6, ip6, |
506 | CTLFLAG_RW | CTLFLAG_LOCKED, 0, "IP6" ); |
507 | SYSCTL_NODE(_net_inet6, IPPROTO_ICMPV6, icmp6, |
508 | CTLFLAG_RW | CTLFLAG_LOCKED, 0, "ICMP6" ); |
509 | SYSCTL_NODE(_net_inet6, IPPROTO_UDP, udp6, |
510 | CTLFLAG_RW | CTLFLAG_LOCKED, 0, "UDP6" ); |
511 | SYSCTL_NODE(_net_inet6, IPPROTO_TCP, tcp6, |
512 | CTLFLAG_RW | CTLFLAG_LOCKED, 0, "TCP6" ); |
513 | #if IPSEC |
514 | SYSCTL_NODE(_net_inet6, IPPROTO_ESP, ipsec6, |
515 | CTLFLAG_RW | CTLFLAG_LOCKED, 0, "IPSEC6" ); |
516 | #endif /* IPSEC */ |
517 | |
518 | /* net.inet6.ip6 */ |
519 | static int |
520 | sysctl_ip6_temppltime SYSCTL_HANDLER_ARGS |
521 | { |
522 | #pragma unused(oidp, arg2) |
523 | int error = 0; |
524 | int value = 0; |
525 | |
526 | error = SYSCTL_OUT(req, arg1, sizeof(int)); |
527 | if (error || !req->newptr) { |
528 | return error; |
529 | } |
530 | |
531 | error = SYSCTL_IN(req, &value, sizeof(value)); |
532 | if (error) { |
533 | return error; |
534 | } |
535 | |
536 | if (value > ND6_MAX_LIFETIME || |
537 | value < ip6_desync_factor + ip6_temp_regen_advance) { |
538 | return EINVAL; |
539 | } |
540 | |
541 | ip6_temp_preferred_lifetime = value; |
542 | return error; |
543 | } |
544 | |
545 | static int |
546 | sysctl_ip6_tempvltime SYSCTL_HANDLER_ARGS |
547 | { |
548 | #pragma unused(oidp, arg2) |
549 | int error = 0; |
550 | uint32_t value = 0; |
551 | |
552 | error = SYSCTL_OUT(req, arg1, sizeof(uint32_t)); |
553 | if (error || !req->newptr) { |
554 | return error; |
555 | } |
556 | |
557 | error = SYSCTL_IN(req, &value, sizeof(value)); |
558 | if (error) { |
559 | return error; |
560 | } |
561 | |
562 | if (value > ND6_MAX_LIFETIME || |
563 | value < ip6_temp_preferred_lifetime) { |
564 | return EINVAL; |
565 | } |
566 | |
567 | ip6_temp_valid_lifetime = value; |
568 | return error; |
569 | } |
570 | |
571 | static int |
572 | sysctl_ip6_cga_conflict_retries SYSCTL_HANDLER_ARGS |
573 | { |
574 | #pragma unused(oidp, arg2) |
575 | int error = 0; |
576 | int value = 0; |
577 | |
578 | error = SYSCTL_OUT(req, arg1, sizeof(int)); |
579 | if (error || !req->newptr) { |
580 | return error; |
581 | } |
582 | |
583 | error = SYSCTL_IN(req, &value, sizeof(value)); |
584 | if (error) { |
585 | return error; |
586 | } |
587 | if (value > IPV6_CGA_CONFLICT_RETRIES_MAX || value < 0) { |
588 | return EINVAL; |
589 | } |
590 | |
591 | ip6_cga_conflict_retries = value; |
592 | return 0; |
593 | } |
594 | |
595 | static int |
596 | ip6_getstat SYSCTL_HANDLER_ARGS |
597 | { |
598 | #pragma unused(oidp, arg1, arg2) |
599 | if (req->oldptr == USER_ADDR_NULL) { |
600 | req->oldlen = (size_t)sizeof(struct ip6stat); |
601 | } |
602 | |
603 | return SYSCTL_OUT(req, &ip6stat, MIN(sizeof(ip6stat), req->oldlen)); |
604 | } |
605 | |
606 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_SENDREDIRECTS, |
607 | redirect, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_sendredirects, 0, "" ); |
608 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_DEFHLIM, |
609 | hlim, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_defhlim, 0, "" ); |
610 | SYSCTL_PROC(_net_inet6_ip6, IPV6CTL_STATS, stats, |
611 | CTLTYPE_STRUCT | CTLFLAG_RD | CTLFLAG_LOCKED, |
612 | 0, 0, ip6_getstat, "S,ip6stat" , "" ); |
613 | |
614 | #if (DEVELOPMENT || DEBUG) |
615 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_ACCEPT_RTADV, |
616 | accept_rtadv, CTLFLAG_RW | CTLFLAG_LOCKED, |
617 | &ip6_accept_rtadv, 0, "" ); |
618 | #else |
619 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_ACCEPT_RTADV, |
620 | accept_rtadv, CTLFLAG_RD | CTLFLAG_LOCKED, |
621 | &ip6_accept_rtadv, 0, "" ); |
622 | #endif /* (DEVELOPMENT || DEBUG) */ |
623 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_KEEPFAITH, |
624 | keepfaith, CTLFLAG_RD | CTLFLAG_LOCKED, &ip6_keepfaith, 0, "" ); |
625 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_LOG_INTERVAL, |
626 | log_interval, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_log_interval, 0, "" ); |
627 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_HDRNESTLIMIT, |
628 | hdrnestlimit, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_hdrnestlimit, 0, "" ); |
629 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_DAD_COUNT, |
630 | dad_count, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_dad_count, 0, "" ); |
631 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_AUTO_FLOWLABEL, |
632 | auto_flowlabel, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_auto_flowlabel, 0, "" ); |
633 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_DEFMCASTHLIM, |
634 | defmcasthlim, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_defmcasthlim, 0, "" ); |
635 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_GIF_HLIM, |
636 | gifhlim, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_gif_hlim, 0, "" ); |
637 | SYSCTL_STRING(_net_inet6_ip6, IPV6CTL_KAME_VERSION, |
638 | kame_version, CTLFLAG_RD | CTLFLAG_LOCKED, (void *)((uintptr_t)(__KAME_VERSION)), 0, "" ); |
639 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_USE_DEPRECATED, |
640 | use_deprecated, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_use_deprecated, 0, "" ); |
641 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_RR_PRUNE, |
642 | rr_prune, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_rr_prune, 0, "" ); |
643 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_USETEMPADDR, |
644 | use_tempaddr, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_use_tempaddr, 0, "" ); |
645 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_ULA_USETEMPADDR, |
646 | ula_use_tempaddr, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_ula_use_tempaddr, 0, "" ); |
647 | SYSCTL_OID(_net_inet6_ip6, IPV6CTL_TEMPPLTIME, temppltime, |
648 | CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_temp_preferred_lifetime, 0, |
649 | sysctl_ip6_temppltime, "I" , "" ); |
650 | SYSCTL_OID(_net_inet6_ip6, IPV6CTL_TEMPVLTIME, tempvltime, |
651 | CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_temp_valid_lifetime, 0, |
652 | sysctl_ip6_tempvltime, "I" , "" ); |
653 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_V6ONLY, |
654 | v6only, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_v6only, 0, "" ); |
655 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_AUTO_LINKLOCAL, |
656 | auto_linklocal, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_auto_linklocal, 0, "" ); |
657 | SYSCTL_STRUCT(_net_inet6_ip6, IPV6CTL_RIP6STATS, rip6stats, CTLFLAG_RD | CTLFLAG_LOCKED, |
658 | &rip6stat, rip6stat, "" ); |
659 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_PREFER_TEMPADDR, |
660 | prefer_tempaddr, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_prefer_tempaddr, 0, "" ); |
661 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_USE_DEFAULTZONE, |
662 | use_defaultzone, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_use_defzone, 0, "" ); |
663 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_MCAST_PMTU, |
664 | mcast_pmtu, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_mcast_pmtu, 0, "" ); |
665 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_NEIGHBORGCTHRESH, |
666 | neighborgcthresh, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_neighborgcthresh, 0, "" ); |
667 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_MAXIFPREFIXES, |
668 | maxifprefixes, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_maxifprefixes, 0, "" ); |
669 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_MAXIFDEFROUTERS, |
670 | maxifdefrouters, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_maxifdefrouters, 0, "" ); |
671 | SYSCTL_INT(_net_inet6_ip6, IPV6CTL_MAXDYNROUTES, |
672 | maxdynroutes, CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_maxdynroutes, 0, "" ); |
673 | SYSCTL_INT(_net_inet6_ip6, OID_AUTO, |
674 | only_allow_rfc4193_prefixes, CTLFLAG_RW | CTLFLAG_LOCKED, |
675 | &ip6_only_allow_rfc4193_prefix, 0, "" ); |
676 | SYSCTL_INT(_net_inet6_ip6, OID_AUTO, |
677 | clat_debug, CTLFLAG_RW | CTLFLAG_LOCKED, &clat_debug, 0, "" ); |
678 | |
679 | SYSCTL_PROC(_net_inet6_ip6, OID_AUTO, |
680 | cga_conflict_retries, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_LOCKED, |
681 | &ip6_cga_conflict_retries, 0, sysctl_ip6_cga_conflict_retries, "IU" , "" ); |
682 | |
683 | |
684 | static int sysctl_ip6_forwarding SYSCTL_HANDLER_ARGS; |
685 | |
686 | SYSCTL_PROC(_net_inet6_ip6, IPV6CTL_FORWARDING, forwarding, |
687 | CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_LOCKED, &ip6_forwarding, 0, |
688 | sysctl_ip6_forwarding, "I" , "" ); |
689 | |
690 | static int |
691 | sysctl_ip6_forwarding SYSCTL_HANDLER_ARGS |
692 | { |
693 | #pragma unused(arg1, arg2) |
694 | int error, i; |
695 | char proc_name_string[MAXCOMLEN + 1]; |
696 | proc_name(pid: proc_pid(current_proc()), buf: proc_name_string, size: sizeof(proc_name_string)); |
697 | |
698 | i = ip6_forwarding; |
699 | os_log(OS_LOG_DEFAULT, "%s:%s entry: ip6_forwarding is %d" , |
700 | proc_name_string, __func__, ip6_forwarding); |
701 | |
702 | error = sysctl_handle_int(oidp, arg1: &i, arg2: 0, req); |
703 | if (error || req->newptr == USER_ADDR_NULL) { |
704 | goto done; |
705 | } |
706 | /* impose bounds */ |
707 | if (i < 0) { |
708 | error = EINVAL; |
709 | goto done; |
710 | } |
711 | |
712 | if (i > 0) { |
713 | i = 1; |
714 | } |
715 | |
716 | ip6_forwarding = i; |
717 | done: |
718 | os_log(OS_LOG_DEFAULT, "%s:%s return: ip6_forwarding is %d " |
719 | "and error is %d" , proc_name_string, __func__, ip6_forwarding, error); |
720 | return error; |
721 | } |
722 | |
723 | /* |
724 | * One single sysctl to set v6 stack profile for IPv6 compliance testing. |
725 | * A lot of compliance test suites are not aware of other enhancements in IPv6 |
726 | * protocol and expect some arguably obsolete behavior. |
727 | */ |
728 | static int v6_compliance_profile; |
729 | static int |
730 | sysctl_set_v6_compliance_profile SYSCTL_HANDLER_ARGS |
731 | { |
732 | #pragma unused(oidp, arg2) |
733 | int changed, error; |
734 | int value = *(int *) arg1; |
735 | |
736 | error = sysctl_io_number(req, bigValue: value, valueSize: sizeof(value), pValue: &value, changed: &changed); |
737 | if (error || !changed) { |
738 | return error; |
739 | } |
740 | |
741 | if (value != 0 && value != 1) { |
742 | return ERANGE; |
743 | } |
744 | |
745 | if (value == 1) { |
746 | ip6_use_tempaddr = 0; |
747 | dad_enhanced = 0; |
748 | icmp6_rediraccept = 1; |
749 | nd6_optimistic_dad = 0; |
750 | nd6_process_rti = ND6_PROCESS_RTI_ENABLE; |
751 | } else { |
752 | ip6_use_tempaddr = IP6_USE_TMPADDR_DEFAULT; |
753 | dad_enhanced = ND6_DAD_ENHANCED_DEFAULT; |
754 | icmp6_rediraccept = ICMP6_REDIRACCEPT_DEFAULT; |
755 | nd6_optimistic_dad = ND6_OPTIMISTIC_DAD_DEFAULT; |
756 | nd6_process_rti = ND6_PROCESS_RTI_DEFAULT; |
757 | } |
758 | |
759 | v6_compliance_profile = value; |
760 | return 0; |
761 | } |
762 | |
763 | SYSCTL_PROC(_net_inet6_ip6, OID_AUTO, compliance_profile, |
764 | CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_LOCKED, |
765 | &v6_compliance_profile, 0, sysctl_set_v6_compliance_profile, |
766 | "I" , "set IPv6 compliance profile" ); |
767 | |
768 | /* net.inet6.icmp6 */ |
769 | SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_REDIRACCEPT, |
770 | rediraccept, CTLFLAG_RW | CTLFLAG_LOCKED, &icmp6_rediraccept, 0, "" ); |
771 | SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_REDIRTIMEOUT, |
772 | redirtimeout, CTLFLAG_RW | CTLFLAG_LOCKED, &icmp6_redirtimeout, 0, "" ); |
773 | SYSCTL_STRUCT(_net_inet6_icmp6, ICMPV6CTL_STATS, stats, CTLFLAG_RD | CTLFLAG_LOCKED, |
774 | &icmp6stat, icmp6stat, "" ); |
775 | SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_PRUNE, |
776 | nd6_prune, CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_prune, 0, "" ); |
777 | SYSCTL_INT(_net_inet6_icmp6, OID_AUTO, |
778 | nd6_prune_lazy, CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_prune_lazy, 0, "" ); |
779 | SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_DELAY, |
780 | nd6_delay, CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_delay, 0, "" ); |
781 | SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_UMAXTRIES, |
782 | nd6_umaxtries, CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_umaxtries, 0, "" ); |
783 | SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_MMAXTRIES, |
784 | nd6_mmaxtries, CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_mmaxtries, 0, "" ); |
785 | SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_USELOOPBACK, |
786 | nd6_useloopback, CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_useloopback, 0, "" ); |
787 | SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_ACCEPT_6TO4, |
788 | nd6_accept_6to4, CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_accept_6to4, 0, "" ); |
789 | SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_NODEINFO, |
790 | nodeinfo, CTLFLAG_RW | CTLFLAG_LOCKED, &icmp6_nodeinfo, 0, "" ); |
791 | SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ERRPPSLIMIT, |
792 | errppslimit, CTLFLAG_RW | CTLFLAG_LOCKED, &icmp6errppslim, 0, "" ); |
793 | SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ERRPPSLIMIT_RANDOM_INCR, |
794 | errppslimit_random_incr, CTLFLAG_RW | CTLFLAG_LOCKED, &icmp6errppslim_random_incr, 0, "" ); |
795 | SYSCTL_INT(_net_inet6_icmp6, OID_AUTO, |
796 | rappslimit, CTLFLAG_RW | CTLFLAG_LOCKED, &icmp6rappslim, 0, "" ); |
797 | SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_DEBUG, |
798 | nd6_debug, CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_debug, 0, "" ); |
799 | SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_ONLINKNSRFC4861, |
800 | nd6_onlink_ns_rfc4861, CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_onlink_ns_rfc4861, 0, |
801 | "Accept 'on-link' nd6 NS in compliance with RFC 4861." ); |
802 | SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_OPTIMISTIC_DAD, |
803 | nd6_optimistic_dad, CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_optimistic_dad, 0, "" ); |
804 | |