Accept reject and blackhole routes for IPsec PMTU discovery.

Since revision 1.87 of ip_icmp.c icmp_mtudisc_clone() ignored reject
routes. Otherwise TCP would clone these routes for PMTU discovery.
They will not work, even after dynamic routing has found a better
route than the reject route.

With IPsec the use case is different. First you need a route, but
then the flow handles the packet without routing. Usually this
route should be a reject route to avoid sending unencrypted traffic
if the flow is missing. But IPsec needs this route for PMTU
discovery, so use it for that.

OK claudio@ tobhe@

In icmp_input_if() m_pullup up the maximum size of required data at the start.
The maximum is ICMP_MINLEN (8) + max IPv4 header size (60) + IPv6 header (40)
for the IPv6 over IPv4 transition case. By having up to this amount of data
consequtive in an mbuf makes the rest of the code simpler and no more extra
m_pullup calls are needed. Only length checks are now required.The maximum
size is also big enough for all other ICMP types that don't embed the IP
heaader. This ensures that all data has been m_pullup-ed before calling the
ctlinput function which can look that deep into the header.
OK bluhm@ markus@

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@

http -> https for IETF/IANA URLs in comments

Stop using old n_time, n_long and n_short types in netinet headers.

ok deraadt@, naddy@

Change MTU discovery functions to not abuse the global icmpsrc variable
to pass the destination address of the route to clone.

ok markus@, mikeb@

Change icmp_reflect() so that it does not call icmp_send directly. This
allows other users (like MPLS) use this function instead of rolling a own
version. Implement icmp_do_exthdr() to attach an RFC 4884 extension header
to an ICMP error produced by icmp_do_error().
"best to get it in." deraadt@

Add definitions for ICMP extended headers available for some ICMP messages
like time exceeded messages. This will allow to add additional information
to those messges like the incomming MPLS label.
OK deraadt@, dhill@

Initial support for routing domains. This allows to bind interfaces to
alternate routing table and separate them from other interfaces in distinct
routing tables. The same network can now be used in any doamin at the same
time without causing conflicts.
This diff is mostly mechanical and adds the necessary rdomain checks accross
net and netinet. L2 and IPv4 are mostly covered still missing pf and IPv6.
input and tested by jsg@, phessler@ and reyk@. "put it in" deraadt@

Change the API for icmp_do_error so that it takes the mtu directly, rather
than a pointer to struct ifnet containing it.

Saves a 448 byte stack allocation in ip_forward which previously faked up
a struct ifnet just for this purpose.

idea ok deraadt millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

"enought to" -> "enough to" comment typo

whitespace

Break up icmp_error() so we can have the icmp error mbuf returned
instead of it being sent to ip_output().

First round of __P removal in sys

add rediraccept and redirtimeout sysctl's.
rediraccept allows one to ignore ICMP_REDIRECT
redirtimeout sets a timeout on the routing entries pretaining to
ICMP_REDIRECT, this timeout is defaulted to 10 minutes. (same as ipv6)
From NetBSD.
millert@ ok

branches: 1.14.4;
Update with codes, URL, RFCs, from jason@Ackley.NET, closes PR 1919

Inclusion protection.

a few more icmp types/codes; itojun@ ok (awhile ago ;)

turn off path mtu when icmp needfrag messages get blocked, okay itojun@

verify payload of the icmp need fragment message at the tcp layer. okay itojun@

branches: 1.9.6;
add ipv6 transition related ICMP errors

indent

changed comment to reflect RFC-1812

Changed ICMP "unreachable" code #defines to match the ones in
tcpdump/print-icmp.c since they were in BSD first.

Added ICMP Destination Unreachable codes from RFC-1812:

14 = Host Precedence Violation. Sent by the first hop router to a
host to indicate that a requested precedence is not permitted
for the particular combination of source/destination host or

15 = Precedence cutoff in effect. The network operators have imposed
a minimum level of precedence required for operation, the
datagram was sent with a precedence below this level;

added #define for Communication Administratively Prohibited
as in RFC-1812 Section 5.2.7.1 Destination Unreachable

ICMP Router Discovery definitions; from FreeBSD

From NetBSD: 960217 merge

branches: 1.1.1;
Initial revision

In icmp_input_if() m_pullup up the maximum size of required data at the start.
The maximum is ICMP_MINLEN (8) + max IPv4 header size (60) + IPv6 header (40)
for the IPv6 over IPv4 transition case. By having up to this amount of data
consequtive in an mbuf makes the rest of the code simpler and no more extra
m_pullup calls are needed. Only length checks are now required.The maximum
size is also big enough for all other ICMP types that don't embed the IP
heaader. This ensures that all data has been m_pullup-ed before calling the
ctlinput function which can look that deep into the header.
OK bluhm@ markus@

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@

http -> https for IETF/IANA URLs in comments

Stop using old n_time, n_long and n_short types in netinet headers.

ok deraadt@, naddy@

Change MTU discovery functions to not abuse the global icmpsrc variable
to pass the destination address of the route to clone.

ok markus@, mikeb@

Change icmp_reflect() so that it does not call icmp_send directly. This
allows other users (like MPLS) use this function instead of rolling a own
version. Implement icmp_do_exthdr() to attach an RFC 4884 extension header
to an ICMP error produced by icmp_do_error().
"best to get it in." deraadt@

Add definitions for ICMP extended headers available for some ICMP messages
like time exceeded messages. This will allow to add additional information
to those messges like the incomming MPLS label.
OK deraadt@, dhill@

Initial support for routing domains. This allows to bind interfaces to
alternate routing table and separate them from other interfaces in distinct
routing tables. The same network can now be used in any doamin at the same
time without causing conflicts.
This diff is mostly mechanical and adds the necessary rdomain checks accross
net and netinet. L2 and IPv4 are mostly covered still missing pf and IPv6.
input and tested by jsg@, phessler@ and reyk@. "put it in" deraadt@

Change the API for icmp_do_error so that it takes the mtu directly, rather
than a pointer to struct ifnet containing it.

Saves a 448 byte stack allocation in ip_forward which previously faked up
a struct ifnet just for this purpose.

idea ok deraadt millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

"enought to" -> "enough to" comment typo

whitespace

Break up icmp_error() so we can have the icmp error mbuf returned
instead of it being sent to ip_output().

First round of __P removal in sys

add rediraccept and redirtimeout sysctl's.
rediraccept allows one to ignore ICMP_REDIRECT
redirtimeout sets a timeout on the routing entries pretaining to
ICMP_REDIRECT, this timeout is defaulted to 10 minutes. (same as ipv6)
From NetBSD.
millert@ ok

branches: 1.14.4;
Update with codes, URL, RFCs, from jason@Ackley.NET, closes PR 1919

Inclusion protection.

a few more icmp types/codes; itojun@ ok (awhile ago ;)

turn off path mtu when icmp needfrag messages get blocked, okay itojun@

verify payload of the icmp need fragment message at the tcp layer. okay itojun@

branches: 1.9.6;
add ipv6 transition related ICMP errors

indent

changed comment to reflect RFC-1812

Changed ICMP "unreachable" code #defines to match the ones in
tcpdump/print-icmp.c since they were in BSD first.

Added ICMP Destination Unreachable codes from RFC-1812:

14 = Host Precedence Violation. Sent by the first hop router to a
host to indicate that a requested precedence is not permitted
for the particular combination of source/destination host or

15 = Precedence cutoff in effect. The network operators have imposed
a minimum level of precedence required for operation, the
datagram was sent with a precedence below this level;

added #define for Communication Administratively Prohibited
as in RFC-1812 Section 5.2.7.1 Destination Unreachable

ICMP Router Discovery definitions; from FreeBSD

From NetBSD: 960217 merge

branches: 1.1.1;
Initial revision

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@

http -> https for IETF/IANA URLs in comments

Stop using old n_time, n_long and n_short types in netinet headers.

ok deraadt@, naddy@

Change MTU discovery functions to not abuse the global icmpsrc variable
to pass the destination address of the route to clone.

ok markus@, mikeb@

Change icmp_reflect() so that it does not call icmp_send directly. This
allows other users (like MPLS) use this function instead of rolling a own
version. Implement icmp_do_exthdr() to attach an RFC 4884 extension header
to an ICMP error produced by icmp_do_error().
"best to get it in." deraadt@

Add definitions for ICMP extended headers available for some ICMP messages
like time exceeded messages. This will allow to add additional information
to those messges like the incomming MPLS label.
OK deraadt@, dhill@

Initial support for routing domains. This allows to bind interfaces to
alternate routing table and separate them from other interfaces in distinct
routing tables. The same network can now be used in any doamin at the same
time without causing conflicts.
This diff is mostly mechanical and adds the necessary rdomain checks accross
net and netinet. L2 and IPv4 are mostly covered still missing pf and IPv6.
input and tested by jsg@, phessler@ and reyk@. "put it in" deraadt@

Change the API for icmp_do_error so that it takes the mtu directly, rather
than a pointer to struct ifnet containing it.

Saves a 448 byte stack allocation in ip_forward which previously faked up
a struct ifnet just for this purpose.

idea ok deraadt millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

"enought to" -> "enough to" comment typo

whitespace

Break up icmp_error() so we can have the icmp error mbuf returned
instead of it being sent to ip_output().

First round of __P removal in sys

add rediraccept and redirtimeout sysctl's.
rediraccept allows one to ignore ICMP_REDIRECT
redirtimeout sets a timeout on the routing entries pretaining to
ICMP_REDIRECT, this timeout is defaulted to 10 minutes. (same as ipv6)
From NetBSD.
millert@ ok

branches: 1.14.4;
Update with codes, URL, RFCs, from jason@Ackley.NET, closes PR 1919

Inclusion protection.

a few more icmp types/codes; itojun@ ok (awhile ago ;)

turn off path mtu when icmp needfrag messages get blocked, okay itojun@

verify payload of the icmp need fragment message at the tcp layer. okay itojun@

branches: 1.9.6;
add ipv6 transition related ICMP errors

indent

changed comment to reflect RFC-1812

Changed ICMP "unreachable" code #defines to match the ones in
tcpdump/print-icmp.c since they were in BSD first.

Added ICMP Destination Unreachable codes from RFC-1812:

14 = Host Precedence Violation. Sent by the first hop router to a
host to indicate that a requested precedence is not permitted
for the particular combination of source/destination host or

15 = Precedence cutoff in effect. The network operators have imposed
a minimum level of precedence required for operation, the
datagram was sent with a precedence below this level;

added #define for Communication Administratively Prohibited
as in RFC-1812 Section 5.2.7.1 Destination Unreachable

ICMP Router Discovery definitions; from FreeBSD

From NetBSD: 960217 merge

branches: 1.1.1;
Initial revision