ip6_forward.c revision 264224 
1139826Simp/*-
253541Sshin * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
353541Sshin * All rights reserved.
453541Sshin *
553541Sshin * Redistribution and use in source and binary forms, with or without
653541Sshin * modification, are permitted provided that the following conditions
753541Sshin * are met:
853541Sshin * 1. Redistributions of source code must retain the above copyright
953541Sshin *    notice, this list of conditions and the following disclaimer.
1053541Sshin * 2. Redistributions in binary form must reproduce the above copyright
1153541Sshin *    notice, this list of conditions and the following disclaimer in the
1253541Sshin *    documentation and/or other materials provided with the distribution.
1353541Sshin * 3. Neither the name of the project nor the names of its contributors
1453541Sshin *    may be used to endorse or promote products derived from this software
1553541Sshin *    without specific prior written permission.
1653541Sshin *
1753541Sshin * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
1853541Sshin * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1953541Sshin * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
2053541Sshin * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
2153541Sshin * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
2253541Sshin * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
2353541Sshin * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
2453541Sshin * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
2553541Sshin * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
2653541Sshin * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
2753541Sshin * SUCH DAMAGE.
28174510Sobrien *
29174510Sobrien *	$KAME: ip6_forward.c,v 1.69 2001/05/17 03:48:30 itojun Exp $
3053541Sshin */
3153541Sshin
32174510Sobrien#include <sys/cdefs.h>
33174510Sobrien__FBSDID("$FreeBSD: stable/10/sys/netinet6/ip6_forward.c 264224 2014-04-07 12:58:54Z ae $");
34174510Sobrien
3562587Sitojun#include "opt_inet.h"
3662587Sitojun#include "opt_inet6.h"
3762587Sitojun#include "opt_ipfw.h"
3853541Sshin#include "opt_ipsec.h"
3953541Sshin#include "opt_ipstealth.h"
4078064Sume
4153541Sshin#include <sys/param.h>
4253541Sshin#include <sys/systm.h>
4353541Sshin#include <sys/malloc.h>
4453541Sshin#include <sys/mbuf.h>
4553541Sshin#include <sys/domain.h>
4653541Sshin#include <sys/protosw.h>
4778064Sume#include <sys/socket.h>
4853541Sshin#include <sys/errno.h>
4953541Sshin#include <sys/time.h>
5053541Sshin#include <sys/kernel.h>
5153541Sshin#include <sys/syslog.h>
5253541Sshin
5353541Sshin#include <net/if.h>
5462587Sitojun#include <net/netisr.h>
5553541Sshin#include <net/route.h>
5662587Sitojun#include <net/pfil.h>
5753541Sshin
5853541Sshin#include <netinet/in.h>
5953541Sshin#include <netinet/in_var.h>
6053541Sshin#include <netinet/in_systm.h>
6153541Sshin#include <netinet/ip.h>
62171259Sdelphij#include <netinet/ip_var.h>
6353541Sshin#include <netinet6/in6_var.h>
6478064Sume#include <netinet/ip6.h>
6553541Sshin#include <netinet6/ip6_var.h>
6653541Sshin#include <netinet6/scope6_var.h>
6753541Sshin#include <netinet/icmp6.h>
6853541Sshin#include <netinet6/nd6.h>
6953541Sshin
7062587Sitojun#include <netinet/in_pcb.h>
7153541Sshin
7253541Sshin#ifdef IPSEC
7362587Sitojun#include <netipsec/ipsec.h>
7462587Sitojun#include <netipsec/ipsec6.h>
7562587Sitojun#include <netipsec/key.h>
7662587Sitojun#endif /* IPSEC */
7762587Sitojun
7853541Sshin#include <netinet6/ip6protosw.h>
7953541Sshin
8062587Sitojun/*
8153541Sshin * Forward a packet.  If some error occurs return the sender
8253541Sshin * an icmp packet.  Note we can't always generate a meaningful
8362587Sitojun * icmp message because icmp doesn't have a large enough repertoire
8462587Sitojun * of codes and types.
8562587Sitojun *
8662587Sitojun * If not forwarding, just drop the packet.  This could be confusing
8762587Sitojun * if ipforwarding was zero but some routing protocol was advancing
8853541Sshin * us as a gateway to somewhere.  However, we must let the routing
8953541Sshin * protocol deal with that.
9053541Sshin *
9153541Sshin */
9253541Sshinvoid
9353541Sshinip6_forward(struct mbuf *m, int srcrt)
9473059Skris{
9573059Skris	struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
96249294Sae	struct sockaddr_in6 *dst = NULL;
9773059Skris	struct rtentry *rt = NULL;
9873059Skris	struct route_in6 rin6;
9973059Skris	int error, type = 0, code = 0;
10073059Skris	struct mbuf *mcopy = NULL;
10173059Skris	struct ifnet *origifp;	/* maybe unnecessary */
10273059Skris	u_int32_t inzone, outzone;
10373059Skris	struct in6_addr src_in6, dst_in6, odst;
10473059Skris#ifdef IPSEC
10573059Skris	struct secpolicy *sp = NULL;
10673059Skris	int ipsecrt = 0;
10778064Sume#endif
10878064Sume#ifdef SCTP
10978064Sume	int sw_csum;
11078064Sume#endif
11178064Sume	struct m_tag *fwd_tag;
11278064Sume	char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN];
11378064Sume
11453541Sshin#ifdef IPSEC
11553541Sshin	/*
11653541Sshin	 * Check AH/ESP integrity.
11753541Sshin	 */
11878064Sume	/*
11953541Sshin	 * Don't increment ip6s_cantforward because this is the check
12053541Sshin	 * before forwarding packet actually.
12153541Sshin	 */
12278064Sume	if (ipsec6_in_reject(m, NULL)) {
12353541Sshin		IPSEC6STAT_INC(ips_in_polvio);
124		m_freem(m);
125		return;
126	}
127#endif /* IPSEC */
128
129	/*
130	 * Do not forward packets to multicast destination (should be handled
131	 * by ip6_mforward().
132	 * Do not forward packets with unspecified source.  It was discussed
133	 * in July 2000, on the ipngwg mailing list.
134	 */
135	if ((m->m_flags & (M_BCAST|M_MCAST)) != 0 ||
136	    IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
137	    IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) {
138		IP6STAT_INC(ip6s_cantforward);
139		/* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard) */
140		if (V_ip6_log_time + V_ip6_log_interval < time_uptime) {
141			V_ip6_log_time = time_uptime;
142			log(LOG_DEBUG,
143			    "cannot forward "
144			    "from %s to %s nxt %d received on %s\n",
145			    ip6_sprintf(ip6bufs, &ip6->ip6_src),
146			    ip6_sprintf(ip6bufd, &ip6->ip6_dst),
147			    ip6->ip6_nxt,
148			    if_name(m->m_pkthdr.rcvif));
149		}
150		m_freem(m);
151		return;
152	}
153
154#ifdef IPSTEALTH
155	if (!V_ip6stealth) {
156#endif
157	if (ip6->ip6_hlim <= IPV6_HLIMDEC) {
158		/* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard) */
159		icmp6_error(m, ICMP6_TIME_EXCEEDED,
160				ICMP6_TIME_EXCEED_TRANSIT, 0);
161		return;
162	}
163	ip6->ip6_hlim -= IPV6_HLIMDEC;
164
165#ifdef IPSTEALTH
166	}
167#endif
168
169	/*
170	 * Save at most ICMPV6_PLD_MAXLEN (= the min IPv6 MTU -
171	 * size of IPv6 + ICMPv6 headers) bytes of the packet in case
172	 * we need to generate an ICMP6 message to the src.
173	 * Thanks to M_EXT, in most cases copy will not occur.
174	 *
175	 * It is important to save it before IPsec processing as IPsec
176	 * processing may modify the mbuf.
177	 */
178	mcopy = m_copy(m, 0, imin(m->m_pkthdr.len, ICMPV6_PLD_MAXLEN));
179
180#ifdef IPSEC
181	/* get a security policy for this packet */
182	sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND,
183	    IP_FORWARDING, &error);
184	if (sp == NULL) {
185		IPSEC6STAT_INC(ips_out_inval);
186		IP6STAT_INC(ip6s_cantforward);
187		if (mcopy) {
188#if 0
189			/* XXX: what icmp ? */
190#else
191			m_freem(mcopy);
192#endif
193		}
194		m_freem(m);
195		return;
196	}
197
198	error = 0;
199
200	/* check policy */
201	switch (sp->policy) {
202	case IPSEC_POLICY_DISCARD:
203		/*
204		 * This packet is just discarded.
205		 */
206		IPSEC6STAT_INC(ips_out_polvio);
207		IP6STAT_INC(ip6s_cantforward);
208		KEY_FREESP(&sp);
209		if (mcopy) {
210#if 0
211			/* XXX: what icmp ? */
212#else
213			m_freem(mcopy);
214#endif
215		}
216		m_freem(m);
217		return;
218
219	case IPSEC_POLICY_BYPASS:
220	case IPSEC_POLICY_NONE:
221		/* no need to do IPsec. */
222		KEY_FREESP(&sp);
223		goto skip_ipsec;
224
225	case IPSEC_POLICY_IPSEC:
226		if (sp->req == NULL) {
227			/* XXX should be panic ? */
228			printf("ip6_forward: No IPsec request specified.\n");
229			IP6STAT_INC(ip6s_cantforward);
230			KEY_FREESP(&sp);
231			if (mcopy) {
232#if 0
233				/* XXX: what icmp ? */
234#else
235				m_freem(mcopy);
236#endif
237			}
238			m_freem(m);
239			return;
240		}
241		/* do IPsec */
242		break;
243
244	case IPSEC_POLICY_ENTRUST:
245	default:
246		/* should be panic ?? */
247		printf("ip6_forward: Invalid policy found. %d\n", sp->policy);
248		KEY_FREESP(&sp);
249		goto skip_ipsec;
250	}
251
252    {
253	struct ipsecrequest *isr = NULL;
254	struct ipsec_output_state state;
255
256	/*
257	 * when the kernel forwards a packet, it is not proper to apply
258	 * IPsec transport mode to the packet is not proper.  this check
259	 * avoid from this.
260	 * at present, if there is even a transport mode SA request in the
261	 * security policy, the kernel does not apply IPsec to the packet.
262	 * this check is not enough because the following case is valid.
263	 *      ipsec esp/tunnel/xxx-xxx/require esp/transport//require;
264	 */
265	for (isr = sp->req; isr; isr = isr->next) {
266		if (isr->saidx.mode == IPSEC_MODE_ANY)
267			goto doipsectunnel;
268		if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
269			goto doipsectunnel;
270	}
271
272	/*
273	 * if there's no need for tunnel mode IPsec, skip.
274	 */
275	if (!isr)
276		goto skip_ipsec;
277
278    doipsectunnel:
279	/*
280	 * All the extension headers will become inaccessible
281	 * (since they can be encrypted).
282	 * Don't panic, we need no more updates to extension headers
283	 * on inner IPv6 packet (since they are now encapsulated).
284	 *
285	 * IPv6 [ESP|AH] IPv6 [extension headers] payload
286	 */
287	bzero(&state, sizeof(state));
288	state.m = m;
289	state.ro = NULL;	/* update at ipsec6_output_tunnel() */
290	state.dst = NULL;	/* update at ipsec6_output_tunnel() */
291
292	error = ipsec6_output_tunnel(&state, sp, 0);
293
294	m = state.m;
295	KEY_FREESP(&sp);
296
297	if (error) {
298		/* mbuf is already reclaimed in ipsec6_output_tunnel. */
299		switch (error) {
300		case EHOSTUNREACH:
301		case ENETUNREACH:
302		case EMSGSIZE:
303		case ENOBUFS:
304		case ENOMEM:
305			break;
306		default:
307			printf("ip6_output (ipsec): error code %d\n", error);
308			/* FALLTHROUGH */
309		case ENOENT:
310			/* don't show these error codes to the user */
311			break;
312		}
313		IP6STAT_INC(ip6s_cantforward);
314		if (mcopy) {
315#if 0
316			/* XXX: what icmp ? */
317#else
318			m_freem(mcopy);
319#endif
320		}
321		m_freem(m);
322		return;
323	} else {
324		/*
325		 * In the FAST IPSec case we have already
326		 * re-injected the packet and it has been freed
327		 * by the ipsec_done() function.  So, just clean
328		 * up after ourselves.
329		 */
330		m = NULL;
331		goto freecopy;
332	}
333
334	if ((m != NULL) && (ip6 != mtod(m, struct ip6_hdr *)) ){
335		/*
336		 * now tunnel mode headers are added.  we are originating
337		 * packet instead of forwarding the packet.
338		 */
339		ip6_output(m, NULL, NULL, IPV6_FORWARDING/*XXX*/, NULL, NULL,
340		    NULL);
341		goto freecopy;
342	}
343
344	/* adjust pointer */
345	dst = (struct sockaddr_in6 *)state.dst;
346	rt = state.ro ? state.ro->ro_rt : NULL;
347	if (dst != NULL && rt != NULL)
348		ipsecrt = 1;
349    }
350	if (ipsecrt)
351		goto skip_routing;
352skip_ipsec:
353#endif
354again:
355	bzero(&rin6, sizeof(struct route_in6));
356	dst = (struct sockaddr_in6 *)&rin6.ro_dst;
357	dst->sin6_len = sizeof(struct sockaddr_in6);
358	dst->sin6_family = AF_INET6;
359	dst->sin6_addr = ip6->ip6_dst;
360again2:
361	rin6.ro_rt = in6_rtalloc1((struct sockaddr *)dst, 0, 0, M_GETFIB(m));
362	if (rin6.ro_rt != NULL)
363		RT_UNLOCK(rin6.ro_rt);
364	else {
365		IP6STAT_INC(ip6s_noroute);
366		in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_noroute);
367		if (mcopy) {
368			icmp6_error(mcopy, ICMP6_DST_UNREACH,
369			ICMP6_DST_UNREACH_NOROUTE, 0);
370		}
371		goto bad;
372	}
373	rt = rin6.ro_rt;
374#ifdef IPSEC
375skip_routing:
376#endif
377
378	/*
379	 * Source scope check: if a packet can't be delivered to its
380	 * destination for the reason that the destination is beyond the scope
381	 * of the source address, discard the packet and return an icmp6
382	 * destination unreachable error with Code 2 (beyond scope of source
383	 * address).  We use a local copy of ip6_src, since in6_setscope()
384	 * will possibly modify its first argument.
385	 * [draft-ietf-ipngwg-icmp-v3-04.txt, Section 3.1]
386	 */
387	src_in6 = ip6->ip6_src;
388	if (in6_setscope(&src_in6, rt->rt_ifp, &outzone)) {
389		/* XXX: this should not happen */
390		IP6STAT_INC(ip6s_cantforward);
391		IP6STAT_INC(ip6s_badscope);
392		goto bad;
393	}
394	if (in6_setscope(&src_in6, m->m_pkthdr.rcvif, &inzone)) {
395		IP6STAT_INC(ip6s_cantforward);
396		IP6STAT_INC(ip6s_badscope);
397		goto bad;
398	}
399	if (inzone != outzone
400#ifdef IPSEC
401	    && !ipsecrt
402#endif
403	    ) {
404		IP6STAT_INC(ip6s_cantforward);
405		IP6STAT_INC(ip6s_badscope);
406		in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard);
407
408		if (V_ip6_log_time + V_ip6_log_interval < time_uptime) {
409			V_ip6_log_time = time_uptime;
410			log(LOG_DEBUG,
411			    "cannot forward "
412			    "src %s, dst %s, nxt %d, rcvif %s, outif %s\n",
413			    ip6_sprintf(ip6bufs, &ip6->ip6_src),
414			    ip6_sprintf(ip6bufd, &ip6->ip6_dst),
415			    ip6->ip6_nxt,
416			    if_name(m->m_pkthdr.rcvif), if_name(rt->rt_ifp));
417		}
418		if (mcopy)
419			icmp6_error(mcopy, ICMP6_DST_UNREACH,
420				    ICMP6_DST_UNREACH_BEYONDSCOPE, 0);
421		goto bad;
422	}
423
424	/*
425	 * Destination scope check: if a packet is going to break the scope
426	 * zone of packet's destination address, discard it.  This case should
427	 * usually be prevented by appropriately-configured routing table, but
428	 * we need an explicit check because we may mistakenly forward the
429	 * packet to a different zone by (e.g.) a default route.
430	 */
431	dst_in6 = ip6->ip6_dst;
432	if (in6_setscope(&dst_in6, m->m_pkthdr.rcvif, &inzone) != 0 ||
433	    in6_setscope(&dst_in6, rt->rt_ifp, &outzone) != 0 ||
434	    inzone != outzone) {
435		IP6STAT_INC(ip6s_cantforward);
436		IP6STAT_INC(ip6s_badscope);
437		goto bad;
438	}
439
440	if (m->m_pkthdr.len > IN6_LINKMTU(rt->rt_ifp)) {
441		in6_ifstat_inc(rt->rt_ifp, ifs6_in_toobig);
442		if (mcopy) {
443			u_long mtu;
444#ifdef IPSEC
445			struct secpolicy *sp;
446			int ipsecerror;
447			size_t ipsechdrsiz;
448#endif /* IPSEC */
449
450			mtu = IN6_LINKMTU(rt->rt_ifp);
451#ifdef IPSEC
452			/*
453			 * When we do IPsec tunnel ingress, we need to play
454			 * with the link value (decrement IPsec header size
455			 * from mtu value).  The code is much simpler than v4
456			 * case, as we have the outgoing interface for
457			 * encapsulated packet as "rt->rt_ifp".
458			 */
459			sp = ipsec_getpolicybyaddr(mcopy, IPSEC_DIR_OUTBOUND,
460				IP_FORWARDING, &ipsecerror);
461			if (sp) {
462				ipsechdrsiz = ipsec_hdrsiz(mcopy,
463					IPSEC_DIR_OUTBOUND, NULL);
464				if (ipsechdrsiz < mtu)
465					mtu -= ipsechdrsiz;
466			}
467
468			/*
469			 * if mtu becomes less than minimum MTU,
470			 * tell minimum MTU (and I'll need to fragment it).
471			 */
472			if (mtu < IPV6_MMTU)
473				mtu = IPV6_MMTU;
474#endif /* IPSEC */
475			icmp6_error(mcopy, ICMP6_PACKET_TOO_BIG, 0, mtu);
476		}
477		goto bad;
478	}
479
480	if (rt->rt_flags & RTF_GATEWAY)
481		dst = (struct sockaddr_in6 *)rt->rt_gateway;
482
483	/*
484	 * If we are to forward the packet using the same interface
485	 * as one we got the packet from, perhaps we should send a redirect
486	 * to sender to shortcut a hop.
487	 * Only send redirect if source is sending directly to us,
488	 * and if packet was not source routed (or has any options).
489	 * Also, don't send redirect if forwarding using a route
490	 * modified by a redirect.
491	 */
492	if (V_ip6_sendredirects && rt->rt_ifp == m->m_pkthdr.rcvif && !srcrt &&
493#ifdef IPSEC
494	    !ipsecrt &&
495#endif /* IPSEC */
496	    (rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0) {
497		if ((rt->rt_ifp->if_flags & IFF_POINTOPOINT) != 0) {
498			/*
499			 * If the incoming interface is equal to the outgoing
500			 * one, and the link attached to the interface is
501			 * point-to-point, then it will be highly probable
502			 * that a routing loop occurs. Thus, we immediately
503			 * drop the packet and send an ICMPv6 error message.
504			 *
505			 * type/code is based on suggestion by Rich Draves.
506			 * not sure if it is the best pick.
507			 */
508			icmp6_error(mcopy, ICMP6_DST_UNREACH,
509				    ICMP6_DST_UNREACH_ADDR, 0);
510			goto bad;
511		}
512		type = ND_REDIRECT;
513	}
514
515	/*
516	 * Fake scoped addresses. Note that even link-local source or
517	 * destinaion can appear, if the originating node just sends the
518	 * packet to us (without address resolution for the destination).
519	 * Since both icmp6_error and icmp6_redirect_output fill the embedded
520	 * link identifiers, we can do this stuff after making a copy for
521	 * returning an error.
522	 */
523	if ((rt->rt_ifp->if_flags & IFF_LOOPBACK) != 0) {
524		/*
525		 * See corresponding comments in ip6_output.
526		 * XXX: but is it possible that ip6_forward() sends a packet
527		 *      to a loopback interface? I don't think so, and thus
528		 *      I bark here. (jinmei@kame.net)
529		 * XXX: it is common to route invalid packets to loopback.
530		 *	also, the codepath will be visited on use of ::1 in
531		 *	rthdr. (itojun)
532		 */
533#if 1
534		if (0)
535#else
536		if ((rt->rt_flags & (RTF_BLACKHOLE|RTF_REJECT)) == 0)
537#endif
538		{
539			printf("ip6_forward: outgoing interface is loopback. "
540			       "src %s, dst %s, nxt %d, rcvif %s, outif %s\n",
541			       ip6_sprintf(ip6bufs, &ip6->ip6_src),
542			       ip6_sprintf(ip6bufd, &ip6->ip6_dst),
543			       ip6->ip6_nxt, if_name(m->m_pkthdr.rcvif),
544			       if_name(rt->rt_ifp));
545		}
546
547		/* we can just use rcvif in forwarding. */
548		origifp = m->m_pkthdr.rcvif;
549	}
550	else
551		origifp = rt->rt_ifp;
552	/*
553	 * clear embedded scope identifiers if necessary.
554	 * in6_clearscope will touch the addresses only when necessary.
555	 */
556	in6_clearscope(&ip6->ip6_src);
557	in6_clearscope(&ip6->ip6_dst);
558
559	/* Jump over all PFIL processing if hooks are not active. */
560	if (!PFIL_HOOKED(&V_inet6_pfil_hook))
561		goto pass;
562
563	odst = ip6->ip6_dst;
564	/* Run through list of hooks for output packets. */
565	error = pfil_run_hooks(&V_inet6_pfil_hook, &m, rt->rt_ifp, PFIL_OUT, NULL);
566	if (error != 0 || m == NULL)
567		goto freecopy;		/* consumed by filter */
568	ip6 = mtod(m, struct ip6_hdr *);
569
570	/* See if destination IP address was changed by packet filter. */
571	if (!IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst)) {
572		m->m_flags |= M_SKIP_FIREWALL;
573		/* If destination is now ourself drop to ip6_input(). */
574		if (in6_localip(&ip6->ip6_dst)) {
575			m->m_flags |= M_FASTFWD_OURS;
576			if (m->m_pkthdr.rcvif == NULL)
577				m->m_pkthdr.rcvif = V_loif;
578			if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) {
579				m->m_pkthdr.csum_flags |=
580				    CSUM_DATA_VALID_IPV6 | CSUM_PSEUDO_HDR;
581				m->m_pkthdr.csum_data = 0xffff;
582			}
583#ifdef SCTP
584			if (m->m_pkthdr.csum_flags & CSUM_SCTP_IPV6)
585				m->m_pkthdr.csum_flags |= CSUM_SCTP_VALID;
586#endif
587			error = netisr_queue(NETISR_IPV6, m);
588			goto out;
589		} else
590			goto again;	/* Redo the routing table lookup. */
591	}
592
593	/* See if local, if yes, send it to netisr. */
594	if (m->m_flags & M_FASTFWD_OURS) {
595		if (m->m_pkthdr.rcvif == NULL)
596			m->m_pkthdr.rcvif = V_loif;
597		if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) {
598			m->m_pkthdr.csum_flags |=
599			    CSUM_DATA_VALID_IPV6 | CSUM_PSEUDO_HDR;
600			m->m_pkthdr.csum_data = 0xffff;
601		}
602#ifdef SCTP
603		if (m->m_pkthdr.csum_flags & CSUM_SCTP_IPV6)
604			m->m_pkthdr.csum_flags |= CSUM_SCTP_VALID;
605#endif
606		error = netisr_queue(NETISR_IPV6, m);
607		goto out;
608	}
609	/* Or forward to some other address? */
610	if ((m->m_flags & M_IP6_NEXTHOP) &&
611	    (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
612		dst = (struct sockaddr_in6 *)&rin6.ro_dst;
613		bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in6));
614		m->m_flags |= M_SKIP_FIREWALL;
615		m->m_flags &= ~M_IP6_NEXTHOP;
616		m_tag_delete(m, fwd_tag);
617		goto again2;
618	}
619
620pass:
621	error = nd6_output(rt->rt_ifp, origifp, m, dst, rt);
622	if (error) {
623		in6_ifstat_inc(rt->rt_ifp, ifs6_out_discard);
624		IP6STAT_INC(ip6s_cantforward);
625	} else {
626		IP6STAT_INC(ip6s_forward);
627		in6_ifstat_inc(rt->rt_ifp, ifs6_out_forward);
628		if (type)
629			IP6STAT_INC(ip6s_redirectsent);
630		else {
631			if (mcopy)
632				goto freecopy;
633		}
634	}
635
636	if (mcopy == NULL)
637		goto out;
638	switch (error) {
639	case 0:
640		if (type == ND_REDIRECT) {
641			icmp6_redirect_output(mcopy, rt);
642			goto out;
643		}
644		goto freecopy;
645
646	case EMSGSIZE:
647		/* xxx MTU is constant in PPP? */
648		goto freecopy;
649
650	case ENOBUFS:
651		/* Tell source to slow down like source quench in IP? */
652		goto freecopy;
653
654	case ENETUNREACH:	/* shouldn't happen, checked above */
655	case EHOSTUNREACH:
656	case ENETDOWN:
657	case EHOSTDOWN:
658	default:
659		type = ICMP6_DST_UNREACH;
660		code = ICMP6_DST_UNREACH_ADDR;
661		break;
662	}
663	icmp6_error(mcopy, type, code, 0);
664	goto out;
665
666 freecopy:
667	m_freem(mcopy);
668	goto out;
669bad:
670	m_freem(m);
671out:
672	if (rt != NULL
673#ifdef IPSEC
674	    && !ipsecrt
675#endif
676	    )
677		RTFREE(rt);
678}
679