1/*
2 * Copyright (c) 1982, 1986, 1988, 1993
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 *
33 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94
| 1/*
2 * Copyright (c) 1982, 1986, 1988, 1993
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 *
33 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94
|
34 * $FreeBSD: head/sys/netinet/ip_input.c 105218 2002-10-16 09:01:48Z guido $
| 34 * $FreeBSD: head/sys/netinet/ip_input.c 105586 2002-10-20 22:52:07Z phk $
|
35 */
36
| 35 */
36
|
37#define _IP_VHL
38
| |
39#include "opt_bootp.h"
40#include "opt_ipfw.h"
41#include "opt_ipdn.h"
42#include "opt_ipdivert.h"
43#include "opt_ipfilter.h"
44#include "opt_ipstealth.h"
45#include "opt_ipsec.h"
46#include "opt_mac.h"
47#include "opt_pfil_hooks.h"
48#include "opt_random_ip_id.h"
49
50#include <sys/param.h>
51#include <sys/systm.h>
52#include <sys/mac.h>
53#include <sys/mbuf.h>
54#include <sys/malloc.h>
55#include <sys/domain.h>
56#include <sys/protosw.h>
57#include <sys/socket.h>
58#include <sys/time.h>
59#include <sys/kernel.h>
60#include <sys/syslog.h>
61#include <sys/sysctl.h>
62
63#include <net/pfil.h>
64#include <net/if.h>
65#include <net/if_types.h>
66#include <net/if_var.h>
67#include <net/if_dl.h>
68#include <net/route.h>
69#include <net/netisr.h>
70#include <net/intrq.h>
71
72#include <netinet/in.h>
73#include <netinet/in_systm.h>
74#include <netinet/in_var.h>
75#include <netinet/ip.h>
76#include <netinet/in_pcb.h>
77#include <netinet/ip_var.h>
78#include <netinet/ip_icmp.h>
79#include <machine/in_cksum.h>
80
81#include <sys/socketvar.h>
82
83#include <netinet/ip_fw.h>
84#include <netinet/ip_dummynet.h>
85
86#ifdef IPSEC
87#include <netinet6/ipsec.h>
88#include <netkey/key.h>
89#endif
90
91#ifdef FAST_IPSEC
92#include <netipsec/ipsec.h>
93#include <netipsec/key.h>
94#endif
95
96int rsvp_on = 0;
97
98int ipforwarding = 0;
99SYSCTL_INT(_net_inet_ip, IPCTL_FORWARDING, forwarding, CTLFLAG_RW,
100 &ipforwarding, 0, "Enable IP forwarding between interfaces");
101
102static int ipsendredirects = 1; /* XXX */
103SYSCTL_INT(_net_inet_ip, IPCTL_SENDREDIRECTS, redirect, CTLFLAG_RW,
104 &ipsendredirects, 0, "Enable sending IP redirects");
105
106int ip_defttl = IPDEFTTL;
107SYSCTL_INT(_net_inet_ip, IPCTL_DEFTTL, ttl, CTLFLAG_RW,
108 &ip_defttl, 0, "Maximum TTL on IP packets");
109
110static int ip_dosourceroute = 0;
111SYSCTL_INT(_net_inet_ip, IPCTL_SOURCEROUTE, sourceroute, CTLFLAG_RW,
112 &ip_dosourceroute, 0, "Enable forwarding source routed IP packets");
113
114static int ip_acceptsourceroute = 0;
115SYSCTL_INT(_net_inet_ip, IPCTL_ACCEPTSOURCEROUTE, accept_sourceroute,
116 CTLFLAG_RW, &ip_acceptsourceroute, 0,
117 "Enable accepting source routed IP packets");
118
119static int ip_keepfaith = 0;
120SYSCTL_INT(_net_inet_ip, IPCTL_KEEPFAITH, keepfaith, CTLFLAG_RW,
121 &ip_keepfaith, 0,
122 "Enable packet capture for FAITH IPv4->IPv6 translater daemon");
123
124static int ip_nfragpackets = 0;
125static int ip_maxfragpackets; /* initialized in ip_init() */
126SYSCTL_INT(_net_inet_ip, OID_AUTO, maxfragpackets, CTLFLAG_RW,
127 &ip_maxfragpackets, 0,
128 "Maximum number of IPv4 fragment reassembly queue entries");
129
130/*
131 * XXX - Setting ip_checkinterface mostly implements the receive side of
132 * the Strong ES model described in RFC 1122, but since the routing table
133 * and transmit implementation do not implement the Strong ES model,
134 * setting this to 1 results in an odd hybrid.
135 *
136 * XXX - ip_checkinterface currently must be disabled if you use ipnat
137 * to translate the destination address to another local interface.
138 *
139 * XXX - ip_checkinterface must be disabled if you add IP aliases
140 * to the loopback interface instead of the interface where the
141 * packets for those addresses are received.
142 */
143static int ip_checkinterface = 1;
144SYSCTL_INT(_net_inet_ip, OID_AUTO, check_interface, CTLFLAG_RW,
145 &ip_checkinterface, 0, "Verify packet arrives on correct interface");
146
147#ifdef DIAGNOSTIC
148static int ipprintfs = 0;
149#endif
150
151static int ipqmaxlen = IFQ_MAXLEN;
152
153extern struct domain inetdomain;
154extern struct protosw inetsw[];
155u_char ip_protox[IPPROTO_MAX];
156struct in_ifaddrhead in_ifaddrhead; /* first inet address */
157struct in_ifaddrhashhead *in_ifaddrhashtbl; /* inet addr hash table */
158u_long in_ifaddrhmask; /* mask for hash table */
159
160SYSCTL_INT(_net_inet_ip, IPCTL_INTRQMAXLEN, intr_queue_maxlen, CTLFLAG_RW,
161 &ipintrq.ifq_maxlen, 0, "Maximum size of the IP input queue");
162SYSCTL_INT(_net_inet_ip, IPCTL_INTRQDROPS, intr_queue_drops, CTLFLAG_RD,
163 &ipintrq.ifq_drops, 0, "Number of packets dropped from the IP input queue");
164
165struct ipstat ipstat;
166SYSCTL_STRUCT(_net_inet_ip, IPCTL_STATS, stats, CTLFLAG_RW,
167 &ipstat, ipstat, "IP statistics (struct ipstat, netinet/ip_var.h)");
168
169/* Packet reassembly stuff */
170#define IPREASS_NHASH_LOG2 6
171#define IPREASS_NHASH (1 << IPREASS_NHASH_LOG2)
172#define IPREASS_HMASK (IPREASS_NHASH - 1)
173#define IPREASS_HASH(x,y) \
174 (((((x) & 0xF) | ((((x) >> 8) & 0xF) << 4)) ^ (y)) & IPREASS_HMASK)
175
176static TAILQ_HEAD(ipqhead, ipq) ipq[IPREASS_NHASH];
177static int nipq = 0; /* total # of reass queues */
178static int maxnipq;
179
180#ifdef IPCTL_DEFMTU
181SYSCTL_INT(_net_inet_ip, IPCTL_DEFMTU, mtu, CTLFLAG_RW,
182 &ip_mtu, 0, "Default MTU");
183#endif
184
185#ifdef IPSTEALTH
186static int ipstealth = 0;
187SYSCTL_INT(_net_inet_ip, OID_AUTO, stealth, CTLFLAG_RW,
188 &ipstealth, 0, "");
189#endif
190
191
192/* Firewall hooks */
193ip_fw_chk_t *ip_fw_chk_ptr;
194int fw_enable = 1 ;
195
196/* Dummynet hooks */
197ip_dn_io_t *ip_dn_io_ptr;
198
199
200/*
201 * XXX this is ugly -- the following two global variables are
202 * used to store packet state while it travels through the stack.
203 * Note that the code even makes assumptions on the size and
204 * alignment of fields inside struct ip_srcrt so e.g. adding some
205 * fields will break the code. This needs to be fixed.
206 *
207 * We need to save the IP options in case a protocol wants to respond
208 * to an incoming packet over the same route if the packet got here
209 * using IP source routing. This allows connection establishment and
210 * maintenance when the remote end is on a network that is not known
211 * to us.
212 */
213static int ip_nhops = 0;
214static struct ip_srcrt {
215 struct in_addr dst; /* final destination */
216 char nop; /* one NOP to align */
217 char srcopt[IPOPT_OFFSET + 1]; /* OPTVAL, OLEN and OFFSET */
218 struct in_addr route[MAX_IPOPTLEN/sizeof(struct in_addr)];
219} ip_srcrt;
220
221static void save_rte(u_char *, struct in_addr);
222static int ip_dooptions(struct mbuf *m, int,
223 struct sockaddr_in *next_hop);
224static void ip_forward(struct mbuf *m, int srcrt,
225 struct sockaddr_in *next_hop);
226static void ip_freef(struct ipqhead *, struct ipq *);
227static struct mbuf *ip_reass(struct mbuf *, struct ipqhead *,
228 struct ipq *, u_int32_t *, u_int16_t *);
229static void ipintr(void);
230
231/*
232 * IP initialization: fill in IP protocol switch table.
233 * All protocols not implemented in kernel go to raw IP protocol handler.
234 */
235void
236ip_init()
237{
238 register struct protosw *pr;
239 register int i;
240
241 TAILQ_INIT(&in_ifaddrhead);
242 in_ifaddrhashtbl = hashinit(INADDR_NHASH, M_IFADDR, &in_ifaddrhmask);
243 pr = pffindproto(PF_INET, IPPROTO_RAW, SOCK_RAW);
244 if (pr == 0)
245 panic("ip_init");
246 for (i = 0; i < IPPROTO_MAX; i++)
247 ip_protox[i] = pr - inetsw;
248 for (pr = inetdomain.dom_protosw;
249 pr < inetdomain.dom_protoswNPROTOSW; pr++)
250 if (pr->pr_domain->dom_family == PF_INET &&
251 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW)
252 ip_protox[pr->pr_protocol] = pr - inetsw;
253
254 for (i = 0; i < IPREASS_NHASH; i++)
255 TAILQ_INIT(&ipq[i]);
256
257 maxnipq = nmbclusters / 4;
258 ip_maxfragpackets = nmbclusters / 4;
259
260#ifndef RANDOM_IP_ID
261 ip_id = time_second & 0xffff;
262#endif
263 ipintrq.ifq_maxlen = ipqmaxlen;
264 mtx_init(&ipintrq.ifq_mtx, "ip_inq", NULL, MTX_DEF);
265 ipintrq_present = 1;
266
267 register_netisr(NETISR_IP, ipintr);
268}
269
270/*
271 * XXX watch out this one. It is perhaps used as a cache for
272 * the most recently used route ? it is cleared in in_addroute()
273 * when a new route is successfully created.
274 */
275struct route ipforward_rt;
276
277/*
278 * Ip input routine. Checksum and byte swap header. If fragmented
279 * try to reassemble. Process options. Pass to next level.
280 */
281void
282ip_input(struct mbuf *m)
283{
284 struct ip *ip;
285 struct ipq *fp;
286 struct in_ifaddr *ia = NULL;
287 struct ifaddr *ifa;
288 int i, hlen, checkif;
289 u_short sum;
290 struct in_addr pkt_dst;
291 u_int32_t divert_info = 0; /* packet divert/tee info */
292 struct ip_fw_args args;
293#ifdef PFIL_HOOKS
294 struct packet_filter_hook *pfh;
295 struct mbuf *m0;
296 int rv;
297#endif /* PFIL_HOOKS */
298#ifdef FAST_IPSEC
299 struct m_tag *mtag;
300 struct tdb_ident *tdbi;
301 struct secpolicy *sp;
302 int s, error;
303#endif /* FAST_IPSEC */
304
305 args.eh = NULL;
306 args.oif = NULL;
307 args.rule = NULL;
308 args.divert_rule = 0; /* divert cookie */
309 args.next_hop = NULL;
310
311 /* Grab info from MT_TAG mbufs prepended to the chain. */
312 for (; m && m->m_type == MT_TAG; m = m->m_next) {
313 switch(m->_m_tag_id) {
314 default:
315 printf("ip_input: unrecognised MT_TAG tag %d\n",
316 m->_m_tag_id);
317 break;
318
319 case PACKET_TAG_DUMMYNET:
320 args.rule = ((struct dn_pkt *)m)->rule;
321 break;
322
323 case PACKET_TAG_DIVERT:
324 args.divert_rule = (intptr_t)m->m_hdr.mh_data & 0xffff;
325 break;
326
327 case PACKET_TAG_IPFORWARD:
328 args.next_hop = (struct sockaddr_in *)m->m_hdr.mh_data;
329 break;
330 }
331 }
332
333 KASSERT(m != NULL && (m->m_flags & M_PKTHDR) != 0,
334 ("ip_input: no HDR"));
335
336 if (args.rule) { /* dummynet already filtered us */
337 ip = mtod(m, struct ip *);
| 37#include "opt_bootp.h"
38#include "opt_ipfw.h"
39#include "opt_ipdn.h"
40#include "opt_ipdivert.h"
41#include "opt_ipfilter.h"
42#include "opt_ipstealth.h"
43#include "opt_ipsec.h"
44#include "opt_mac.h"
45#include "opt_pfil_hooks.h"
46#include "opt_random_ip_id.h"
47
48#include <sys/param.h>
49#include <sys/systm.h>
50#include <sys/mac.h>
51#include <sys/mbuf.h>
52#include <sys/malloc.h>
53#include <sys/domain.h>
54#include <sys/protosw.h>
55#include <sys/socket.h>
56#include <sys/time.h>
57#include <sys/kernel.h>
58#include <sys/syslog.h>
59#include <sys/sysctl.h>
60
61#include <net/pfil.h>
62#include <net/if.h>
63#include <net/if_types.h>
64#include <net/if_var.h>
65#include <net/if_dl.h>
66#include <net/route.h>
67#include <net/netisr.h>
68#include <net/intrq.h>
69
70#include <netinet/in.h>
71#include <netinet/in_systm.h>
72#include <netinet/in_var.h>
73#include <netinet/ip.h>
74#include <netinet/in_pcb.h>
75#include <netinet/ip_var.h>
76#include <netinet/ip_icmp.h>
77#include <machine/in_cksum.h>
78
79#include <sys/socketvar.h>
80
81#include <netinet/ip_fw.h>
82#include <netinet/ip_dummynet.h>
83
84#ifdef IPSEC
85#include <netinet6/ipsec.h>
86#include <netkey/key.h>
87#endif
88
89#ifdef FAST_IPSEC
90#include <netipsec/ipsec.h>
91#include <netipsec/key.h>
92#endif
93
94int rsvp_on = 0;
95
96int ipforwarding = 0;
97SYSCTL_INT(_net_inet_ip, IPCTL_FORWARDING, forwarding, CTLFLAG_RW,
98 &ipforwarding, 0, "Enable IP forwarding between interfaces");
99
100static int ipsendredirects = 1; /* XXX */
101SYSCTL_INT(_net_inet_ip, IPCTL_SENDREDIRECTS, redirect, CTLFLAG_RW,
102 &ipsendredirects, 0, "Enable sending IP redirects");
103
104int ip_defttl = IPDEFTTL;
105SYSCTL_INT(_net_inet_ip, IPCTL_DEFTTL, ttl, CTLFLAG_RW,
106 &ip_defttl, 0, "Maximum TTL on IP packets");
107
108static int ip_dosourceroute = 0;
109SYSCTL_INT(_net_inet_ip, IPCTL_SOURCEROUTE, sourceroute, CTLFLAG_RW,
110 &ip_dosourceroute, 0, "Enable forwarding source routed IP packets");
111
112static int ip_acceptsourceroute = 0;
113SYSCTL_INT(_net_inet_ip, IPCTL_ACCEPTSOURCEROUTE, accept_sourceroute,
114 CTLFLAG_RW, &ip_acceptsourceroute, 0,
115 "Enable accepting source routed IP packets");
116
117static int ip_keepfaith = 0;
118SYSCTL_INT(_net_inet_ip, IPCTL_KEEPFAITH, keepfaith, CTLFLAG_RW,
119 &ip_keepfaith, 0,
120 "Enable packet capture for FAITH IPv4->IPv6 translater daemon");
121
122static int ip_nfragpackets = 0;
123static int ip_maxfragpackets; /* initialized in ip_init() */
124SYSCTL_INT(_net_inet_ip, OID_AUTO, maxfragpackets, CTLFLAG_RW,
125 &ip_maxfragpackets, 0,
126 "Maximum number of IPv4 fragment reassembly queue entries");
127
128/*
129 * XXX - Setting ip_checkinterface mostly implements the receive side of
130 * the Strong ES model described in RFC 1122, but since the routing table
131 * and transmit implementation do not implement the Strong ES model,
132 * setting this to 1 results in an odd hybrid.
133 *
134 * XXX - ip_checkinterface currently must be disabled if you use ipnat
135 * to translate the destination address to another local interface.
136 *
137 * XXX - ip_checkinterface must be disabled if you add IP aliases
138 * to the loopback interface instead of the interface where the
139 * packets for those addresses are received.
140 */
141static int ip_checkinterface = 1;
142SYSCTL_INT(_net_inet_ip, OID_AUTO, check_interface, CTLFLAG_RW,
143 &ip_checkinterface, 0, "Verify packet arrives on correct interface");
144
145#ifdef DIAGNOSTIC
146static int ipprintfs = 0;
147#endif
148
149static int ipqmaxlen = IFQ_MAXLEN;
150
151extern struct domain inetdomain;
152extern struct protosw inetsw[];
153u_char ip_protox[IPPROTO_MAX];
154struct in_ifaddrhead in_ifaddrhead; /* first inet address */
155struct in_ifaddrhashhead *in_ifaddrhashtbl; /* inet addr hash table */
156u_long in_ifaddrhmask; /* mask for hash table */
157
158SYSCTL_INT(_net_inet_ip, IPCTL_INTRQMAXLEN, intr_queue_maxlen, CTLFLAG_RW,
159 &ipintrq.ifq_maxlen, 0, "Maximum size of the IP input queue");
160SYSCTL_INT(_net_inet_ip, IPCTL_INTRQDROPS, intr_queue_drops, CTLFLAG_RD,
161 &ipintrq.ifq_drops, 0, "Number of packets dropped from the IP input queue");
162
163struct ipstat ipstat;
164SYSCTL_STRUCT(_net_inet_ip, IPCTL_STATS, stats, CTLFLAG_RW,
165 &ipstat, ipstat, "IP statistics (struct ipstat, netinet/ip_var.h)");
166
167/* Packet reassembly stuff */
168#define IPREASS_NHASH_LOG2 6
169#define IPREASS_NHASH (1 << IPREASS_NHASH_LOG2)
170#define IPREASS_HMASK (IPREASS_NHASH - 1)
171#define IPREASS_HASH(x,y) \
172 (((((x) & 0xF) | ((((x) >> 8) & 0xF) << 4)) ^ (y)) & IPREASS_HMASK)
173
174static TAILQ_HEAD(ipqhead, ipq) ipq[IPREASS_NHASH];
175static int nipq = 0; /* total # of reass queues */
176static int maxnipq;
177
178#ifdef IPCTL_DEFMTU
179SYSCTL_INT(_net_inet_ip, IPCTL_DEFMTU, mtu, CTLFLAG_RW,
180 &ip_mtu, 0, "Default MTU");
181#endif
182
183#ifdef IPSTEALTH
184static int ipstealth = 0;
185SYSCTL_INT(_net_inet_ip, OID_AUTO, stealth, CTLFLAG_RW,
186 &ipstealth, 0, "");
187#endif
188
189
190/* Firewall hooks */
191ip_fw_chk_t *ip_fw_chk_ptr;
192int fw_enable = 1 ;
193
194/* Dummynet hooks */
195ip_dn_io_t *ip_dn_io_ptr;
196
197
198/*
199 * XXX this is ugly -- the following two global variables are
200 * used to store packet state while it travels through the stack.
201 * Note that the code even makes assumptions on the size and
202 * alignment of fields inside struct ip_srcrt so e.g. adding some
203 * fields will break the code. This needs to be fixed.
204 *
205 * We need to save the IP options in case a protocol wants to respond
206 * to an incoming packet over the same route if the packet got here
207 * using IP source routing. This allows connection establishment and
208 * maintenance when the remote end is on a network that is not known
209 * to us.
210 */
211static int ip_nhops = 0;
212static struct ip_srcrt {
213 struct in_addr dst; /* final destination */
214 char nop; /* one NOP to align */
215 char srcopt[IPOPT_OFFSET + 1]; /* OPTVAL, OLEN and OFFSET */
216 struct in_addr route[MAX_IPOPTLEN/sizeof(struct in_addr)];
217} ip_srcrt;
218
219static void save_rte(u_char *, struct in_addr);
220static int ip_dooptions(struct mbuf *m, int,
221 struct sockaddr_in *next_hop);
222static void ip_forward(struct mbuf *m, int srcrt,
223 struct sockaddr_in *next_hop);
224static void ip_freef(struct ipqhead *, struct ipq *);
225static struct mbuf *ip_reass(struct mbuf *, struct ipqhead *,
226 struct ipq *, u_int32_t *, u_int16_t *);
227static void ipintr(void);
228
229/*
230 * IP initialization: fill in IP protocol switch table.
231 * All protocols not implemented in kernel go to raw IP protocol handler.
232 */
233void
234ip_init()
235{
236 register struct protosw *pr;
237 register int i;
238
239 TAILQ_INIT(&in_ifaddrhead);
240 in_ifaddrhashtbl = hashinit(INADDR_NHASH, M_IFADDR, &in_ifaddrhmask);
241 pr = pffindproto(PF_INET, IPPROTO_RAW, SOCK_RAW);
242 if (pr == 0)
243 panic("ip_init");
244 for (i = 0; i < IPPROTO_MAX; i++)
245 ip_protox[i] = pr - inetsw;
246 for (pr = inetdomain.dom_protosw;
247 pr < inetdomain.dom_protoswNPROTOSW; pr++)
248 if (pr->pr_domain->dom_family == PF_INET &&
249 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW)
250 ip_protox[pr->pr_protocol] = pr - inetsw;
251
252 for (i = 0; i < IPREASS_NHASH; i++)
253 TAILQ_INIT(&ipq[i]);
254
255 maxnipq = nmbclusters / 4;
256 ip_maxfragpackets = nmbclusters / 4;
257
258#ifndef RANDOM_IP_ID
259 ip_id = time_second & 0xffff;
260#endif
261 ipintrq.ifq_maxlen = ipqmaxlen;
262 mtx_init(&ipintrq.ifq_mtx, "ip_inq", NULL, MTX_DEF);
263 ipintrq_present = 1;
264
265 register_netisr(NETISR_IP, ipintr);
266}
267
268/*
269 * XXX watch out this one. It is perhaps used as a cache for
270 * the most recently used route ? it is cleared in in_addroute()
271 * when a new route is successfully created.
272 */
273struct route ipforward_rt;
274
275/*
276 * Ip input routine. Checksum and byte swap header. If fragmented
277 * try to reassemble. Process options. Pass to next level.
278 */
279void
280ip_input(struct mbuf *m)
281{
282 struct ip *ip;
283 struct ipq *fp;
284 struct in_ifaddr *ia = NULL;
285 struct ifaddr *ifa;
286 int i, hlen, checkif;
287 u_short sum;
288 struct in_addr pkt_dst;
289 u_int32_t divert_info = 0; /* packet divert/tee info */
290 struct ip_fw_args args;
291#ifdef PFIL_HOOKS
292 struct packet_filter_hook *pfh;
293 struct mbuf *m0;
294 int rv;
295#endif /* PFIL_HOOKS */
296#ifdef FAST_IPSEC
297 struct m_tag *mtag;
298 struct tdb_ident *tdbi;
299 struct secpolicy *sp;
300 int s, error;
301#endif /* FAST_IPSEC */
302
303 args.eh = NULL;
304 args.oif = NULL;
305 args.rule = NULL;
306 args.divert_rule = 0; /* divert cookie */
307 args.next_hop = NULL;
308
309 /* Grab info from MT_TAG mbufs prepended to the chain. */
310 for (; m && m->m_type == MT_TAG; m = m->m_next) {
311 switch(m->_m_tag_id) {
312 default:
313 printf("ip_input: unrecognised MT_TAG tag %d\n",
314 m->_m_tag_id);
315 break;
316
317 case PACKET_TAG_DUMMYNET:
318 args.rule = ((struct dn_pkt *)m)->rule;
319 break;
320
321 case PACKET_TAG_DIVERT:
322 args.divert_rule = (intptr_t)m->m_hdr.mh_data & 0xffff;
323 break;
324
325 case PACKET_TAG_IPFORWARD:
326 args.next_hop = (struct sockaddr_in *)m->m_hdr.mh_data;
327 break;
328 }
329 }
330
331 KASSERT(m != NULL && (m->m_flags & M_PKTHDR) != 0,
332 ("ip_input: no HDR"));
333
334 if (args.rule) { /* dummynet already filtered us */
335 ip = mtod(m, struct ip *);
|
338 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
| 336 hlen = ip->ip_hl << 2;
|
339 goto iphack ;
340 }
341
342 ipstat.ips_total++;
343
344 if (m->m_pkthdr.len < sizeof(struct ip))
345 goto tooshort;
346
347 if (m->m_len < sizeof (struct ip) &&
348 (m = m_pullup(m, sizeof (struct ip))) == 0) {
349 ipstat.ips_toosmall++;
350 return;
351 }
352 ip = mtod(m, struct ip *);
353
| 337 goto iphack ;
338 }
339
340 ipstat.ips_total++;
341
342 if (m->m_pkthdr.len < sizeof(struct ip))
343 goto tooshort;
344
345 if (m->m_len < sizeof (struct ip) &&
346 (m = m_pullup(m, sizeof (struct ip))) == 0) {
347 ipstat.ips_toosmall++;
348 return;
349 }
350 ip = mtod(m, struct ip *);
351
|
354 if (IP_VHL_V(ip->ip_vhl) != IPVERSION) {
| 352 if (ip->ip_v != IPVERSION) {
|
355 ipstat.ips_badvers++;
356 goto bad;
357 }
358
| 353 ipstat.ips_badvers++;
354 goto bad;
355 }
356
|
359 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
| 357 hlen = ip->ip_hl << 2;
|
360 if (hlen < sizeof(struct ip)) { /* minimum header length */
361 ipstat.ips_badhlen++;
362 goto bad;
363 }
364 if (hlen > m->m_len) {
365 if ((m = m_pullup(m, hlen)) == 0) {
366 ipstat.ips_badhlen++;
367 return;
368 }
369 ip = mtod(m, struct ip *);
370 }
371
372 /* 127/8 must not appear on wire - RFC1122 */
373 if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
374 (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
375 if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
376 ipstat.ips_badaddr++;
377 goto bad;
378 }
379 }
380
381 if (m->m_pkthdr.csum_flags & CSUM_IP_CHECKED) {
382 sum = !(m->m_pkthdr.csum_flags & CSUM_IP_VALID);
383 } else {
384 if (hlen == sizeof(struct ip)) {
385 sum = in_cksum_hdr(ip);
386 } else {
387 sum = in_cksum(m, hlen);
388 }
389 }
390 if (sum) {
391 ipstat.ips_badsum++;
392 goto bad;
393 }
394
395 /*
396 * Convert fields to host representation.
397 */
398 ip->ip_len = ntohs(ip->ip_len);
399 if (ip->ip_len < hlen) {
400 ipstat.ips_badlen++;
401 goto bad;
402 }
403 ip->ip_off = ntohs(ip->ip_off);
404
405 /*
406 * Check that the amount of data in the buffers
407 * is as at least much as the IP header would have us expect.
408 * Trim mbufs if longer than we expect.
409 * Drop packet if shorter than we expect.
410 */
411 if (m->m_pkthdr.len < ip->ip_len) {
412tooshort:
413 ipstat.ips_tooshort++;
414 goto bad;
415 }
416 if (m->m_pkthdr.len > ip->ip_len) {
417 if (m->m_len == m->m_pkthdr.len) {
418 m->m_len = ip->ip_len;
419 m->m_pkthdr.len = ip->ip_len;
420 } else
421 m_adj(m, ip->ip_len - m->m_pkthdr.len);
422 }
423
424 /*
425 * IpHack's section.
426 * Right now when no processing on packet has done
427 * and it is still fresh out of network we do our black
428 * deals with it.
429 * - Firewall: deny/allow/divert
430 * - Xlate: translate packet's addr/port (NAT).
431 * - Pipe: pass pkt through dummynet.
432 * - Wrap: fake packet's addr/port <unimpl.>
433 * - Encapsulate: put it in another IP and send out. <unimp.>
434 */
435
436iphack:
437
438#ifdef PFIL_HOOKS
439 /*
440 * Run through list of hooks for input packets. If there are any
441 * filters which require that additional packets in the flow are
442 * not fast-forwarded, they must clear the M_CANFASTFWD flag.
443 * Note that filters must _never_ set this flag, as another filter
444 * in the list may have previously cleared it.
445 */
446 m0 = m;
447 pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
448 for (; pfh; pfh = TAILQ_NEXT(pfh, pfil_link))
449 if (pfh->pfil_func) {
450 rv = pfh->pfil_func(ip, hlen,
451 m->m_pkthdr.rcvif, 0, &m0);
452 if (rv)
453 return;
454 m = m0;
455 if (m == NULL)
456 return;
457 ip = mtod(m, struct ip *);
458 }
459#endif /* PFIL_HOOKS */
460
461 if (fw_enable && IPFW_LOADED) {
462 /*
463 * If we've been forwarded from the output side, then
464 * skip the firewall a second time
465 */
466 if (args.next_hop)
467 goto ours;
468
469 args.m = m;
470 i = ip_fw_chk_ptr(&args);
471 m = args.m;
472
473 if ( (i & IP_FW_PORT_DENY_FLAG) || m == NULL) { /* drop */
474 if (m)
475 m_freem(m);
476 return;
477 }
478 ip = mtod(m, struct ip *); /* just in case m changed */
479 if (i == 0 && args.next_hop == NULL) /* common case */
480 goto pass;
481 if (DUMMYNET_LOADED && (i & IP_FW_PORT_DYNT_FLAG) != 0) {
482 /* Send packet to the appropriate pipe */
483 ip_dn_io_ptr(m, i&0xffff, DN_TO_IP_IN, &args);
484 return;
485 }
486#ifdef IPDIVERT
487 if (i != 0 && (i & IP_FW_PORT_DYNT_FLAG) == 0) {
488 /* Divert or tee packet */
489 divert_info = i;
490 goto ours;
491 }
492#endif
493 if (i == 0 && args.next_hop != NULL)
494 goto pass;
495 /*
496 * if we get here, the packet must be dropped
497 */
498 m_freem(m);
499 return;
500 }
501pass:
502
503 /*
504 * Process options and, if not destined for us,
505 * ship it on. ip_dooptions returns 1 when an
506 * error was detected (causing an icmp message
507 * to be sent and the original packet to be freed).
508 */
509 ip_nhops = 0; /* for source routed packets */
510 if (hlen > sizeof (struct ip) && ip_dooptions(m, 0, args.next_hop))
511 return;
512
513 /* greedy RSVP, snatches any PATH packet of the RSVP protocol and no
514 * matter if it is destined to another node, or whether it is
515 * a multicast one, RSVP wants it! and prevents it from being forwarded
516 * anywhere else. Also checks if the rsvp daemon is running before
517 * grabbing the packet.
518 */
519 if (rsvp_on && ip->ip_p==IPPROTO_RSVP)
520 goto ours;
521
522 /*
523 * Check our list of addresses, to see if the packet is for us.
524 * If we don't have any addresses, assume any unicast packet
525 * we receive might be for us (and let the upper layers deal
526 * with it).
527 */
528 if (TAILQ_EMPTY(&in_ifaddrhead) &&
529 (m->m_flags & (M_MCAST|M_BCAST)) == 0)
530 goto ours;
531
532 /*
533 * Cache the destination address of the packet; this may be
534 * changed by use of 'ipfw fwd'.
535 */
536 pkt_dst = args.next_hop ? args.next_hop->sin_addr : ip->ip_dst;
537
538 /*
539 * Enable a consistency check between the destination address
540 * and the arrival interface for a unicast packet (the RFC 1122
541 * strong ES model) if IP forwarding is disabled and the packet
542 * is not locally generated and the packet is not subject to
543 * 'ipfw fwd'.
544 *
545 * XXX - Checking also should be disabled if the destination
546 * address is ipnat'ed to a different interface.
547 *
548 * XXX - Checking is incompatible with IP aliases added
549 * to the loopback interface instead of the interface where
550 * the packets are received.
551 */
552 checkif = ip_checkinterface && (ipforwarding == 0) &&
553 m->m_pkthdr.rcvif != NULL &&
554 ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) &&
555 (args.next_hop == NULL);
556
557 /*
558 * Check for exact addresses in the hash bucket.
559 */
560 LIST_FOREACH(ia, INADDR_HASH(pkt_dst.s_addr), ia_hash) {
561 /*
562 * If the address matches, verify that the packet
563 * arrived via the correct interface if checking is
564 * enabled.
565 */
566 if (IA_SIN(ia)->sin_addr.s_addr == pkt_dst.s_addr &&
567 (!checkif || ia->ia_ifp == m->m_pkthdr.rcvif))
568 goto ours;
569 }
570 /*
571 * Check for broadcast addresses.
572 *
573 * Only accept broadcast packets that arrive via the matching
574 * interface. Reception of forwarded directed broadcasts would
575 * be handled via ip_forward() and ether_output() with the loopback
576 * into the stack for SIMPLEX interfaces handled by ether_output().
577 */
578 if (m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) {
579 TAILQ_FOREACH(ifa, &m->m_pkthdr.rcvif->if_addrhead, ifa_link) {
580 if (ifa->ifa_addr->sa_family != AF_INET)
581 continue;
582 ia = ifatoia(ifa);
583 if (satosin(&ia->ia_broadaddr)->sin_addr.s_addr ==
584 pkt_dst.s_addr)
585 goto ours;
586 if (ia->ia_netbroadcast.s_addr == pkt_dst.s_addr)
587 goto ours;
588#ifdef BOOTP_COMPAT
589 if (IA_SIN(ia)->sin_addr.s_addr == INADDR_ANY)
590 goto ours;
591#endif
592 }
593 }
594 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
595 struct in_multi *inm;
596 if (ip_mrouter) {
597 /*
598 * If we are acting as a multicast router, all
599 * incoming multicast packets are passed to the
600 * kernel-level multicast forwarding function.
601 * The packet is returned (relatively) intact; if
602 * ip_mforward() returns a non-zero value, the packet
603 * must be discarded, else it may be accepted below.
604 */
605 if (ip_mforward(ip, m->m_pkthdr.rcvif, m, 0) != 0) {
606 ipstat.ips_cantforward++;
607 m_freem(m);
608 return;
609 }
610
611 /*
612 * The process-level routing daemon needs to receive
613 * all multicast IGMP packets, whether or not this
614 * host belongs to their destination groups.
615 */
616 if (ip->ip_p == IPPROTO_IGMP)
617 goto ours;
618 ipstat.ips_forward++;
619 }
620 /*
621 * See if we belong to the destination multicast group on the
622 * arrival interface.
623 */
624 IN_LOOKUP_MULTI(ip->ip_dst, m->m_pkthdr.rcvif, inm);
625 if (inm == NULL) {
626 ipstat.ips_notmember++;
627 m_freem(m);
628 return;
629 }
630 goto ours;
631 }
632 if (ip->ip_dst.s_addr == (u_long)INADDR_BROADCAST)
633 goto ours;
634 if (ip->ip_dst.s_addr == INADDR_ANY)
635 goto ours;
636
637 /*
638 * FAITH(Firewall Aided Internet Translator)
639 */
640 if (m->m_pkthdr.rcvif && m->m_pkthdr.rcvif->if_type == IFT_FAITH) {
641 if (ip_keepfaith) {
642 if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_ICMP)
643 goto ours;
644 }
645 m_freem(m);
646 return;
647 }
648
649 /*
650 * Not for us; forward if possible and desirable.
651 */
652 if (ipforwarding == 0) {
653 ipstat.ips_cantforward++;
654 m_freem(m);
655 } else {
656#ifdef IPSEC
657 /*
658 * Enforce inbound IPsec SPD.
659 */
660 if (ipsec4_in_reject(m, NULL)) {
661 ipsecstat.in_polvio++;
662 goto bad;
663 }
664#endif /* IPSEC */
665#ifdef FAST_IPSEC
666 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
667 s = splnet();
668 if (mtag != NULL) {
669 tdbi = (struct tdb_ident *)(mtag + 1);
670 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
671 } else {
672 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
673 IP_FORWARDING, &error);
674 }
675 if (sp == NULL) { /* NB: can happen if error */
676 splx(s);
677 /*XXX error stat???*/
678 DPRINTF(("ip_input: no SP for forwarding\n")); /*XXX*/
679 goto bad;
680 }
681
682 /*
683 * Check security policy against packet attributes.
684 */
685 error = ipsec_in_reject(sp, m);
686 KEY_FREESP(&sp);
687 splx(s);
688 if (error) {
689 ipstat.ips_cantforward++;
690 goto bad;
691 }
692#endif /* FAST_IPSEC */
693 ip_forward(m, 0, args.next_hop);
694 }
695 return;
696
697ours:
698#ifdef IPSTEALTH
699 /*
700 * IPSTEALTH: Process non-routing options only
701 * if the packet is destined for us.
702 */
703 if (ipstealth && hlen > sizeof (struct ip) &&
704 ip_dooptions(m, 1, args.next_hop))
705 return;
706#endif /* IPSTEALTH */
707
708 /* Count the packet in the ip address stats */
709 if (ia != NULL) {
710 ia->ia_ifa.if_ipackets++;
711 ia->ia_ifa.if_ibytes += m->m_pkthdr.len;
712 }
713
714 /*
715 * If offset or IP_MF are set, must reassemble.
716 * Otherwise, nothing need be done.
717 * (We could look in the reassembly queue to see
718 * if the packet was previously fragmented,
719 * but it's not worth the time; just let them time out.)
720 */
721 if (ip->ip_off & (IP_MF | IP_OFFMASK)) {
722
723 sum = IPREASS_HASH(ip->ip_src.s_addr, ip->ip_id);
724 /*
725 * Look for queue of fragments
726 * of this datagram.
727 */
728 TAILQ_FOREACH(fp, &ipq[sum], ipq_list)
729 if (ip->ip_id == fp->ipq_id &&
730 ip->ip_src.s_addr == fp->ipq_src.s_addr &&
731 ip->ip_dst.s_addr == fp->ipq_dst.s_addr &&
732#ifdef MAC
733 mac_fragment_match(m, fp) &&
734#endif
735 ip->ip_p == fp->ipq_p)
736 goto found;
737
738 fp = 0;
739
740 /* check if there's a place for the new queue */
741 if (nipq > maxnipq) {
742 /*
743 * drop something from the tail of the current queue
744 * before proceeding further
745 */
746 struct ipq *q = TAILQ_LAST(&ipq[sum], ipqhead);
747 if (q == NULL) { /* gak */
748 for (i = 0; i < IPREASS_NHASH; i++) {
749 struct ipq *r = TAILQ_LAST(&ipq[i], ipqhead);
750 if (r) {
751 ip_freef(&ipq[i], r);
752 break;
753 }
754 }
755 } else
756 ip_freef(&ipq[sum], q);
757 }
758found:
759 /*
760 * Adjust ip_len to not reflect header,
761 * convert offset of this to bytes.
762 */
763 ip->ip_len -= hlen;
764 if (ip->ip_off & IP_MF) {
765 /*
766 * Make sure that fragments have a data length
767 * that's a non-zero multiple of 8 bytes.
768 */
769 if (ip->ip_len == 0 || (ip->ip_len & 0x7) != 0) {
770 ipstat.ips_toosmall++; /* XXX */
771 goto bad;
772 }
773 m->m_flags |= M_FRAG;
774 } else
775 m->m_flags &= ~M_FRAG;
776 ip->ip_off <<= 3;
777
778 /*
779 * Attempt reassembly; if it succeeds, proceed.
780 * ip_reass() will return a different mbuf, and update
781 * the divert info in divert_info and args.divert_rule.
782 */
783 ipstat.ips_fragments++;
784 m->m_pkthdr.header = ip;
785 m = ip_reass(m,
786 &ipq[sum], fp, &divert_info, &args.divert_rule);
787 if (m == 0)
788 return;
789 ipstat.ips_reassembled++;
790 ip = mtod(m, struct ip *);
791 /* Get the header length of the reassembled packet */
| 358 if (hlen < sizeof(struct ip)) { /* minimum header length */
359 ipstat.ips_badhlen++;
360 goto bad;
361 }
362 if (hlen > m->m_len) {
363 if ((m = m_pullup(m, hlen)) == 0) {
364 ipstat.ips_badhlen++;
365 return;
366 }
367 ip = mtod(m, struct ip *);
368 }
369
370 /* 127/8 must not appear on wire - RFC1122 */
371 if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
372 (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
373 if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
374 ipstat.ips_badaddr++;
375 goto bad;
376 }
377 }
378
379 if (m->m_pkthdr.csum_flags & CSUM_IP_CHECKED) {
380 sum = !(m->m_pkthdr.csum_flags & CSUM_IP_VALID);
381 } else {
382 if (hlen == sizeof(struct ip)) {
383 sum = in_cksum_hdr(ip);
384 } else {
385 sum = in_cksum(m, hlen);
386 }
387 }
388 if (sum) {
389 ipstat.ips_badsum++;
390 goto bad;
391 }
392
393 /*
394 * Convert fields to host representation.
395 */
396 ip->ip_len = ntohs(ip->ip_len);
397 if (ip->ip_len < hlen) {
398 ipstat.ips_badlen++;
399 goto bad;
400 }
401 ip->ip_off = ntohs(ip->ip_off);
402
403 /*
404 * Check that the amount of data in the buffers
405 * is as at least much as the IP header would have us expect.
406 * Trim mbufs if longer than we expect.
407 * Drop packet if shorter than we expect.
408 */
409 if (m->m_pkthdr.len < ip->ip_len) {
410tooshort:
411 ipstat.ips_tooshort++;
412 goto bad;
413 }
414 if (m->m_pkthdr.len > ip->ip_len) {
415 if (m->m_len == m->m_pkthdr.len) {
416 m->m_len = ip->ip_len;
417 m->m_pkthdr.len = ip->ip_len;
418 } else
419 m_adj(m, ip->ip_len - m->m_pkthdr.len);
420 }
421
422 /*
423 * IpHack's section.
424 * Right now when no processing on packet has done
425 * and it is still fresh out of network we do our black
426 * deals with it.
427 * - Firewall: deny/allow/divert
428 * - Xlate: translate packet's addr/port (NAT).
429 * - Pipe: pass pkt through dummynet.
430 * - Wrap: fake packet's addr/port <unimpl.>
431 * - Encapsulate: put it in another IP and send out. <unimp.>
432 */
433
434iphack:
435
436#ifdef PFIL_HOOKS
437 /*
438 * Run through list of hooks for input packets. If there are any
439 * filters which require that additional packets in the flow are
440 * not fast-forwarded, they must clear the M_CANFASTFWD flag.
441 * Note that filters must _never_ set this flag, as another filter
442 * in the list may have previously cleared it.
443 */
444 m0 = m;
445 pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
446 for (; pfh; pfh = TAILQ_NEXT(pfh, pfil_link))
447 if (pfh->pfil_func) {
448 rv = pfh->pfil_func(ip, hlen,
449 m->m_pkthdr.rcvif, 0, &m0);
450 if (rv)
451 return;
452 m = m0;
453 if (m == NULL)
454 return;
455 ip = mtod(m, struct ip *);
456 }
457#endif /* PFIL_HOOKS */
458
459 if (fw_enable && IPFW_LOADED) {
460 /*
461 * If we've been forwarded from the output side, then
462 * skip the firewall a second time
463 */
464 if (args.next_hop)
465 goto ours;
466
467 args.m = m;
468 i = ip_fw_chk_ptr(&args);
469 m = args.m;
470
471 if ( (i & IP_FW_PORT_DENY_FLAG) || m == NULL) { /* drop */
472 if (m)
473 m_freem(m);
474 return;
475 }
476 ip = mtod(m, struct ip *); /* just in case m changed */
477 if (i == 0 && args.next_hop == NULL) /* common case */
478 goto pass;
479 if (DUMMYNET_LOADED && (i & IP_FW_PORT_DYNT_FLAG) != 0) {
480 /* Send packet to the appropriate pipe */
481 ip_dn_io_ptr(m, i&0xffff, DN_TO_IP_IN, &args);
482 return;
483 }
484#ifdef IPDIVERT
485 if (i != 0 && (i & IP_FW_PORT_DYNT_FLAG) == 0) {
486 /* Divert or tee packet */
487 divert_info = i;
488 goto ours;
489 }
490#endif
491 if (i == 0 && args.next_hop != NULL)
492 goto pass;
493 /*
494 * if we get here, the packet must be dropped
495 */
496 m_freem(m);
497 return;
498 }
499pass:
500
501 /*
502 * Process options and, if not destined for us,
503 * ship it on. ip_dooptions returns 1 when an
504 * error was detected (causing an icmp message
505 * to be sent and the original packet to be freed).
506 */
507 ip_nhops = 0; /* for source routed packets */
508 if (hlen > sizeof (struct ip) && ip_dooptions(m, 0, args.next_hop))
509 return;
510
511 /* greedy RSVP, snatches any PATH packet of the RSVP protocol and no
512 * matter if it is destined to another node, or whether it is
513 * a multicast one, RSVP wants it! and prevents it from being forwarded
514 * anywhere else. Also checks if the rsvp daemon is running before
515 * grabbing the packet.
516 */
517 if (rsvp_on && ip->ip_p==IPPROTO_RSVP)
518 goto ours;
519
520 /*
521 * Check our list of addresses, to see if the packet is for us.
522 * If we don't have any addresses, assume any unicast packet
523 * we receive might be for us (and let the upper layers deal
524 * with it).
525 */
526 if (TAILQ_EMPTY(&in_ifaddrhead) &&
527 (m->m_flags & (M_MCAST|M_BCAST)) == 0)
528 goto ours;
529
530 /*
531 * Cache the destination address of the packet; this may be
532 * changed by use of 'ipfw fwd'.
533 */
534 pkt_dst = args.next_hop ? args.next_hop->sin_addr : ip->ip_dst;
535
536 /*
537 * Enable a consistency check between the destination address
538 * and the arrival interface for a unicast packet (the RFC 1122
539 * strong ES model) if IP forwarding is disabled and the packet
540 * is not locally generated and the packet is not subject to
541 * 'ipfw fwd'.
542 *
543 * XXX - Checking also should be disabled if the destination
544 * address is ipnat'ed to a different interface.
545 *
546 * XXX - Checking is incompatible with IP aliases added
547 * to the loopback interface instead of the interface where
548 * the packets are received.
549 */
550 checkif = ip_checkinterface && (ipforwarding == 0) &&
551 m->m_pkthdr.rcvif != NULL &&
552 ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) &&
553 (args.next_hop == NULL);
554
555 /*
556 * Check for exact addresses in the hash bucket.
557 */
558 LIST_FOREACH(ia, INADDR_HASH(pkt_dst.s_addr), ia_hash) {
559 /*
560 * If the address matches, verify that the packet
561 * arrived via the correct interface if checking is
562 * enabled.
563 */
564 if (IA_SIN(ia)->sin_addr.s_addr == pkt_dst.s_addr &&
565 (!checkif || ia->ia_ifp == m->m_pkthdr.rcvif))
566 goto ours;
567 }
568 /*
569 * Check for broadcast addresses.
570 *
571 * Only accept broadcast packets that arrive via the matching
572 * interface. Reception of forwarded directed broadcasts would
573 * be handled via ip_forward() and ether_output() with the loopback
574 * into the stack for SIMPLEX interfaces handled by ether_output().
575 */
576 if (m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) {
577 TAILQ_FOREACH(ifa, &m->m_pkthdr.rcvif->if_addrhead, ifa_link) {
578 if (ifa->ifa_addr->sa_family != AF_INET)
579 continue;
580 ia = ifatoia(ifa);
581 if (satosin(&ia->ia_broadaddr)->sin_addr.s_addr ==
582 pkt_dst.s_addr)
583 goto ours;
584 if (ia->ia_netbroadcast.s_addr == pkt_dst.s_addr)
585 goto ours;
586#ifdef BOOTP_COMPAT
587 if (IA_SIN(ia)->sin_addr.s_addr == INADDR_ANY)
588 goto ours;
589#endif
590 }
591 }
592 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
593 struct in_multi *inm;
594 if (ip_mrouter) {
595 /*
596 * If we are acting as a multicast router, all
597 * incoming multicast packets are passed to the
598 * kernel-level multicast forwarding function.
599 * The packet is returned (relatively) intact; if
600 * ip_mforward() returns a non-zero value, the packet
601 * must be discarded, else it may be accepted below.
602 */
603 if (ip_mforward(ip, m->m_pkthdr.rcvif, m, 0) != 0) {
604 ipstat.ips_cantforward++;
605 m_freem(m);
606 return;
607 }
608
609 /*
610 * The process-level routing daemon needs to receive
611 * all multicast IGMP packets, whether or not this
612 * host belongs to their destination groups.
613 */
614 if (ip->ip_p == IPPROTO_IGMP)
615 goto ours;
616 ipstat.ips_forward++;
617 }
618 /*
619 * See if we belong to the destination multicast group on the
620 * arrival interface.
621 */
622 IN_LOOKUP_MULTI(ip->ip_dst, m->m_pkthdr.rcvif, inm);
623 if (inm == NULL) {
624 ipstat.ips_notmember++;
625 m_freem(m);
626 return;
627 }
628 goto ours;
629 }
630 if (ip->ip_dst.s_addr == (u_long)INADDR_BROADCAST)
631 goto ours;
632 if (ip->ip_dst.s_addr == INADDR_ANY)
633 goto ours;
634
635 /*
636 * FAITH(Firewall Aided Internet Translator)
637 */
638 if (m->m_pkthdr.rcvif && m->m_pkthdr.rcvif->if_type == IFT_FAITH) {
639 if (ip_keepfaith) {
640 if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_ICMP)
641 goto ours;
642 }
643 m_freem(m);
644 return;
645 }
646
647 /*
648 * Not for us; forward if possible and desirable.
649 */
650 if (ipforwarding == 0) {
651 ipstat.ips_cantforward++;
652 m_freem(m);
653 } else {
654#ifdef IPSEC
655 /*
656 * Enforce inbound IPsec SPD.
657 */
658 if (ipsec4_in_reject(m, NULL)) {
659 ipsecstat.in_polvio++;
660 goto bad;
661 }
662#endif /* IPSEC */
663#ifdef FAST_IPSEC
664 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
665 s = splnet();
666 if (mtag != NULL) {
667 tdbi = (struct tdb_ident *)(mtag + 1);
668 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
669 } else {
670 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
671 IP_FORWARDING, &error);
672 }
673 if (sp == NULL) { /* NB: can happen if error */
674 splx(s);
675 /*XXX error stat???*/
676 DPRINTF(("ip_input: no SP for forwarding\n")); /*XXX*/
677 goto bad;
678 }
679
680 /*
681 * Check security policy against packet attributes.
682 */
683 error = ipsec_in_reject(sp, m);
684 KEY_FREESP(&sp);
685 splx(s);
686 if (error) {
687 ipstat.ips_cantforward++;
688 goto bad;
689 }
690#endif /* FAST_IPSEC */
691 ip_forward(m, 0, args.next_hop);
692 }
693 return;
694
695ours:
696#ifdef IPSTEALTH
697 /*
698 * IPSTEALTH: Process non-routing options only
699 * if the packet is destined for us.
700 */
701 if (ipstealth && hlen > sizeof (struct ip) &&
702 ip_dooptions(m, 1, args.next_hop))
703 return;
704#endif /* IPSTEALTH */
705
706 /* Count the packet in the ip address stats */
707 if (ia != NULL) {
708 ia->ia_ifa.if_ipackets++;
709 ia->ia_ifa.if_ibytes += m->m_pkthdr.len;
710 }
711
712 /*
713 * If offset or IP_MF are set, must reassemble.
714 * Otherwise, nothing need be done.
715 * (We could look in the reassembly queue to see
716 * if the packet was previously fragmented,
717 * but it's not worth the time; just let them time out.)
718 */
719 if (ip->ip_off & (IP_MF | IP_OFFMASK)) {
720
721 sum = IPREASS_HASH(ip->ip_src.s_addr, ip->ip_id);
722 /*
723 * Look for queue of fragments
724 * of this datagram.
725 */
726 TAILQ_FOREACH(fp, &ipq[sum], ipq_list)
727 if (ip->ip_id == fp->ipq_id &&
728 ip->ip_src.s_addr == fp->ipq_src.s_addr &&
729 ip->ip_dst.s_addr == fp->ipq_dst.s_addr &&
730#ifdef MAC
731 mac_fragment_match(m, fp) &&
732#endif
733 ip->ip_p == fp->ipq_p)
734 goto found;
735
736 fp = 0;
737
738 /* check if there's a place for the new queue */
739 if (nipq > maxnipq) {
740 /*
741 * drop something from the tail of the current queue
742 * before proceeding further
743 */
744 struct ipq *q = TAILQ_LAST(&ipq[sum], ipqhead);
745 if (q == NULL) { /* gak */
746 for (i = 0; i < IPREASS_NHASH; i++) {
747 struct ipq *r = TAILQ_LAST(&ipq[i], ipqhead);
748 if (r) {
749 ip_freef(&ipq[i], r);
750 break;
751 }
752 }
753 } else
754 ip_freef(&ipq[sum], q);
755 }
756found:
757 /*
758 * Adjust ip_len to not reflect header,
759 * convert offset of this to bytes.
760 */
761 ip->ip_len -= hlen;
762 if (ip->ip_off & IP_MF) {
763 /*
764 * Make sure that fragments have a data length
765 * that's a non-zero multiple of 8 bytes.
766 */
767 if (ip->ip_len == 0 || (ip->ip_len & 0x7) != 0) {
768 ipstat.ips_toosmall++; /* XXX */
769 goto bad;
770 }
771 m->m_flags |= M_FRAG;
772 } else
773 m->m_flags &= ~M_FRAG;
774 ip->ip_off <<= 3;
775
776 /*
777 * Attempt reassembly; if it succeeds, proceed.
778 * ip_reass() will return a different mbuf, and update
779 * the divert info in divert_info and args.divert_rule.
780 */
781 ipstat.ips_fragments++;
782 m->m_pkthdr.header = ip;
783 m = ip_reass(m,
784 &ipq[sum], fp, &divert_info, &args.divert_rule);
785 if (m == 0)
786 return;
787 ipstat.ips_reassembled++;
788 ip = mtod(m, struct ip *);
789 /* Get the header length of the reassembled packet */
|
792 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
| 790 hlen = ip->ip_hl << 2;
|
793#ifdef IPDIVERT
794 /* Restore original checksum before diverting packet */
795 if (divert_info != 0) {
796 ip->ip_len += hlen;
797 ip->ip_len = htons(ip->ip_len);
798 ip->ip_off = htons(ip->ip_off);
799 ip->ip_sum = 0;
800 if (hlen == sizeof(struct ip))
801 ip->ip_sum = in_cksum_hdr(ip);
802 else
803 ip->ip_sum = in_cksum(m, hlen);
804 ip->ip_off = ntohs(ip->ip_off);
805 ip->ip_len = ntohs(ip->ip_len);
806 ip->ip_len -= hlen;
807 }
808#endif
809 } else
810 ip->ip_len -= hlen;
811
812#ifdef IPDIVERT
813 /*
814 * Divert or tee packet to the divert protocol if required.
815 */
816 if (divert_info != 0) {
817 struct mbuf *clone = NULL;
818
819 /* Clone packet if we're doing a 'tee' */
820 if ((divert_info & IP_FW_PORT_TEE_FLAG) != 0)
821 clone = m_dup(m, M_DONTWAIT);
822
823 /* Restore packet header fields to original values */
824 ip->ip_len += hlen;
825 ip->ip_len = htons(ip->ip_len);
826 ip->ip_off = htons(ip->ip_off);
827
828 /* Deliver packet to divert input routine */
829 divert_packet(m, 1, divert_info & 0xffff, args.divert_rule);
830 ipstat.ips_delivered++;
831
832 /* If 'tee', continue with original packet */
833 if (clone == NULL)
834 return;
835 m = clone;
836 ip = mtod(m, struct ip *);
837 ip->ip_len += hlen;
838 /*
839 * Jump backwards to complete processing of the
840 * packet. But first clear divert_info to avoid
841 * entering this block again.
842 * We do not need to clear args.divert_rule
843 * or args.next_hop as they will not be used.
844 */
845 divert_info = 0;
846 goto pass;
847 }
848#endif
849
850#ifdef IPSEC
851 /*
852 * enforce IPsec policy checking if we are seeing last header.
853 * note that we do not visit this with protocols with pcb layer
854 * code - like udp/tcp/raw ip.
855 */
856 if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0 &&
857 ipsec4_in_reject(m, NULL)) {
858 ipsecstat.in_polvio++;
859 goto bad;
860 }
861#endif
862#if FAST_IPSEC
863 /*
864 * enforce IPsec policy checking if we are seeing last header.
865 * note that we do not visit this with protocols with pcb layer
866 * code - like udp/tcp/raw ip.
867 */
868 if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) {
869 /*
870 * Check if the packet has already had IPsec processing
871 * done. If so, then just pass it along. This tag gets
872 * set during AH, ESP, etc. input handling, before the
873 * packet is returned to the ip input queue for delivery.
874 */
875 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
876 s = splnet();
877 if (mtag != NULL) {
878 tdbi = (struct tdb_ident *)(mtag + 1);
879 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
880 } else {
881 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
882 IP_FORWARDING, &error);
883 }
884 if (sp != NULL) {
885 /*
886 * Check security policy against packet attributes.
887 */
888 error = ipsec_in_reject(sp, m);
889 KEY_FREESP(&sp);
890 } else {
891 /* XXX error stat??? */
892 error = EINVAL;
893DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/
894 goto bad;
895 }
896 splx(s);
897 if (error)
898 goto bad;
899 }
900#endif /* FAST_IPSEC */
901
902 /*
903 * Switch out to protocol's input routine.
904 */
905 ipstat.ips_delivered++;
906 if (args.next_hop && ip->ip_p == IPPROTO_TCP) {
907 /* TCP needs IPFORWARD info if available */
908 struct m_hdr tag;
909
910 tag.mh_type = MT_TAG;
911 tag.mh_flags = PACKET_TAG_IPFORWARD;
912 tag.mh_data = (caddr_t)args.next_hop;
913 tag.mh_next = m;
914
915 (*inetsw[ip_protox[ip->ip_p]].pr_input)(
916 (struct mbuf *)&tag, hlen);
917 } else
918 (*inetsw[ip_protox[ip->ip_p]].pr_input)(m, hlen);
919 return;
920bad:
921 m_freem(m);
922}
923
924/*
925 * IP software interrupt routine - to go away sometime soon
926 */
927static void
928ipintr(void)
929{
930 struct mbuf *m;
931
932 while (1) {
933 IF_DEQUEUE(&ipintrq, m);
934 if (m == 0)
935 return;
936 ip_input(m);
937 }
938}
939
940/*
941 * Take incoming datagram fragment and try to reassemble it into
942 * whole datagram. If a chain for reassembly of this datagram already
943 * exists, then it is given as fp; otherwise have to make a chain.
944 *
945 * When IPDIVERT enabled, keep additional state with each packet that
946 * tells us if we need to divert or tee the packet we're building.
947 * In particular, *divinfo includes the port and TEE flag,
948 * *divert_rule is the number of the matching rule.
949 */
950
951static struct mbuf *
952ip_reass(struct mbuf *m, struct ipqhead *head, struct ipq *fp,
953 u_int32_t *divinfo, u_int16_t *divert_rule)
954{
955 struct ip *ip = mtod(m, struct ip *);
956 register struct mbuf *p, *q, *nq;
957 struct mbuf *t;
| 791#ifdef IPDIVERT
792 /* Restore original checksum before diverting packet */
793 if (divert_info != 0) {
794 ip->ip_len += hlen;
795 ip->ip_len = htons(ip->ip_len);
796 ip->ip_off = htons(ip->ip_off);
797 ip->ip_sum = 0;
798 if (hlen == sizeof(struct ip))
799 ip->ip_sum = in_cksum_hdr(ip);
800 else
801 ip->ip_sum = in_cksum(m, hlen);
802 ip->ip_off = ntohs(ip->ip_off);
803 ip->ip_len = ntohs(ip->ip_len);
804 ip->ip_len -= hlen;
805 }
806#endif
807 } else
808 ip->ip_len -= hlen;
809
810#ifdef IPDIVERT
811 /*
812 * Divert or tee packet to the divert protocol if required.
813 */
814 if (divert_info != 0) {
815 struct mbuf *clone = NULL;
816
817 /* Clone packet if we're doing a 'tee' */
818 if ((divert_info & IP_FW_PORT_TEE_FLAG) != 0)
819 clone = m_dup(m, M_DONTWAIT);
820
821 /* Restore packet header fields to original values */
822 ip->ip_len += hlen;
823 ip->ip_len = htons(ip->ip_len);
824 ip->ip_off = htons(ip->ip_off);
825
826 /* Deliver packet to divert input routine */
827 divert_packet(m, 1, divert_info & 0xffff, args.divert_rule);
828 ipstat.ips_delivered++;
829
830 /* If 'tee', continue with original packet */
831 if (clone == NULL)
832 return;
833 m = clone;
834 ip = mtod(m, struct ip *);
835 ip->ip_len += hlen;
836 /*
837 * Jump backwards to complete processing of the
838 * packet. But first clear divert_info to avoid
839 * entering this block again.
840 * We do not need to clear args.divert_rule
841 * or args.next_hop as they will not be used.
842 */
843 divert_info = 0;
844 goto pass;
845 }
846#endif
847
848#ifdef IPSEC
849 /*
850 * enforce IPsec policy checking if we are seeing last header.
851 * note that we do not visit this with protocols with pcb layer
852 * code - like udp/tcp/raw ip.
853 */
854 if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0 &&
855 ipsec4_in_reject(m, NULL)) {
856 ipsecstat.in_polvio++;
857 goto bad;
858 }
859#endif
860#if FAST_IPSEC
861 /*
862 * enforce IPsec policy checking if we are seeing last header.
863 * note that we do not visit this with protocols with pcb layer
864 * code - like udp/tcp/raw ip.
865 */
866 if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) {
867 /*
868 * Check if the packet has already had IPsec processing
869 * done. If so, then just pass it along. This tag gets
870 * set during AH, ESP, etc. input handling, before the
871 * packet is returned to the ip input queue for delivery.
872 */
873 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
874 s = splnet();
875 if (mtag != NULL) {
876 tdbi = (struct tdb_ident *)(mtag + 1);
877 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
878 } else {
879 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
880 IP_FORWARDING, &error);
881 }
882 if (sp != NULL) {
883 /*
884 * Check security policy against packet attributes.
885 */
886 error = ipsec_in_reject(sp, m);
887 KEY_FREESP(&sp);
888 } else {
889 /* XXX error stat??? */
890 error = EINVAL;
891DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/
892 goto bad;
893 }
894 splx(s);
895 if (error)
896 goto bad;
897 }
898#endif /* FAST_IPSEC */
899
900 /*
901 * Switch out to protocol's input routine.
902 */
903 ipstat.ips_delivered++;
904 if (args.next_hop && ip->ip_p == IPPROTO_TCP) {
905 /* TCP needs IPFORWARD info if available */
906 struct m_hdr tag;
907
908 tag.mh_type = MT_TAG;
909 tag.mh_flags = PACKET_TAG_IPFORWARD;
910 tag.mh_data = (caddr_t)args.next_hop;
911 tag.mh_next = m;
912
913 (*inetsw[ip_protox[ip->ip_p]].pr_input)(
914 (struct mbuf *)&tag, hlen);
915 } else
916 (*inetsw[ip_protox[ip->ip_p]].pr_input)(m, hlen);
917 return;
918bad:
919 m_freem(m);
920}
921
922/*
923 * IP software interrupt routine - to go away sometime soon
924 */
925static void
926ipintr(void)
927{
928 struct mbuf *m;
929
930 while (1) {
931 IF_DEQUEUE(&ipintrq, m);
932 if (m == 0)
933 return;
934 ip_input(m);
935 }
936}
937
938/*
939 * Take incoming datagram fragment and try to reassemble it into
940 * whole datagram. If a chain for reassembly of this datagram already
941 * exists, then it is given as fp; otherwise have to make a chain.
942 *
943 * When IPDIVERT enabled, keep additional state with each packet that
944 * tells us if we need to divert or tee the packet we're building.
945 * In particular, *divinfo includes the port and TEE flag,
946 * *divert_rule is the number of the matching rule.
947 */
948
949static struct mbuf *
950ip_reass(struct mbuf *m, struct ipqhead *head, struct ipq *fp,
951 u_int32_t *divinfo, u_int16_t *divert_rule)
952{
953 struct ip *ip = mtod(m, struct ip *);
954 register struct mbuf *p, *q, *nq;
955 struct mbuf *t;
|
958 int hlen = IP_VHL_HL(ip->ip_vhl) << 2;
| 956 int hlen = ip->ip_hl << 2;
|
959 int i, next;
960
961 /*
962 * Presence of header sizes in mbufs
963 * would confuse code below.
964 */
965 m->m_data += hlen;
966 m->m_len -= hlen;
967
968 /*
969 * If first fragment to arrive, create a reassembly queue.
970 */
971 if (fp == 0) {
972 /*
973 * Enforce upper bound on number of fragmented packets
974 * for which we attempt reassembly;
975 * If maxfrag is 0, never accept fragments.
976 * If maxfrag is -1, accept all fragments without limitation.
977 */
978 if ((ip_maxfragpackets >= 0) && (ip_nfragpackets >= ip_maxfragpackets))
979 goto dropfrag;
980 ip_nfragpackets++;
981 if ((t = m_get(M_DONTWAIT, MT_FTABLE)) == NULL)
982 goto dropfrag;
983 fp = mtod(t, struct ipq *);
984#ifdef MAC
985 mac_init_ipq(fp);
986 mac_create_ipq(m, fp);
987#endif
988 TAILQ_INSERT_HEAD(head, fp, ipq_list);
989 nipq++;
990 fp->ipq_ttl = IPFRAGTTL;
991 fp->ipq_p = ip->ip_p;
992 fp->ipq_id = ip->ip_id;
993 fp->ipq_src = ip->ip_src;
994 fp->ipq_dst = ip->ip_dst;
995 fp->ipq_frags = m;
996 m->m_nextpkt = NULL;
997#ifdef IPDIVERT
998 fp->ipq_div_info = 0;
999 fp->ipq_div_cookie = 0;
1000#endif
1001 goto inserted;
1002 } else {
1003#ifdef MAC
1004 mac_update_ipq(m, fp);
1005#endif
1006 }
1007
1008#define GETIP(m) ((struct ip*)((m)->m_pkthdr.header))
1009
1010 /*
1011 * Find a segment which begins after this one does.
1012 */
1013 for (p = NULL, q = fp->ipq_frags; q; p = q, q = q->m_nextpkt)
1014 if (GETIP(q)->ip_off > ip->ip_off)
1015 break;
1016
1017 /*
1018 * If there is a preceding segment, it may provide some of
1019 * our data already. If so, drop the data from the incoming
1020 * segment. If it provides all of our data, drop us, otherwise
1021 * stick new segment in the proper place.
1022 *
1023 * If some of the data is dropped from the the preceding
1024 * segment, then it's checksum is invalidated.
1025 */
1026 if (p) {
1027 i = GETIP(p)->ip_off + GETIP(p)->ip_len - ip->ip_off;
1028 if (i > 0) {
1029 if (i >= ip->ip_len)
1030 goto dropfrag;
1031 m_adj(m, i);
1032 m->m_pkthdr.csum_flags = 0;
1033 ip->ip_off += i;
1034 ip->ip_len -= i;
1035 }
1036 m->m_nextpkt = p->m_nextpkt;
1037 p->m_nextpkt = m;
1038 } else {
1039 m->m_nextpkt = fp->ipq_frags;
1040 fp->ipq_frags = m;
1041 }
1042
1043 /*
1044 * While we overlap succeeding segments trim them or,
1045 * if they are completely covered, dequeue them.
1046 */
1047 for (; q != NULL && ip->ip_off + ip->ip_len > GETIP(q)->ip_off;
1048 q = nq) {
1049 i = (ip->ip_off + ip->ip_len) -
1050 GETIP(q)->ip_off;
1051 if (i < GETIP(q)->ip_len) {
1052 GETIP(q)->ip_len -= i;
1053 GETIP(q)->ip_off += i;
1054 m_adj(q, i);
1055 q->m_pkthdr.csum_flags = 0;
1056 break;
1057 }
1058 nq = q->m_nextpkt;
1059 m->m_nextpkt = nq;
1060 m_freem(q);
1061 }
1062
1063inserted:
1064
1065#ifdef IPDIVERT
1066 /*
1067 * Transfer firewall instructions to the fragment structure.
1068 * Only trust info in the fragment at offset 0.
1069 */
1070 if (ip->ip_off == 0) {
1071 fp->ipq_div_info = *divinfo;
1072 fp->ipq_div_cookie = *divert_rule;
1073 }
1074 *divinfo = 0;
1075 *divert_rule = 0;
1076#endif
1077
1078 /*
1079 * Check for complete reassembly.
1080 */
1081 next = 0;
1082 for (p = NULL, q = fp->ipq_frags; q; p = q, q = q->m_nextpkt) {
1083 if (GETIP(q)->ip_off != next)
1084 return (0);
1085 next += GETIP(q)->ip_len;
1086 }
1087 /* Make sure the last packet didn't have the IP_MF flag */
1088 if (p->m_flags & M_FRAG)
1089 return (0);
1090
1091 /*
1092 * Reassembly is complete. Make sure the packet is a sane size.
1093 */
1094 q = fp->ipq_frags;
1095 ip = GETIP(q);
| 957 int i, next;
958
959 /*
960 * Presence of header sizes in mbufs
961 * would confuse code below.
962 */
963 m->m_data += hlen;
964 m->m_len -= hlen;
965
966 /*
967 * If first fragment to arrive, create a reassembly queue.
968 */
969 if (fp == 0) {
970 /*
971 * Enforce upper bound on number of fragmented packets
972 * for which we attempt reassembly;
973 * If maxfrag is 0, never accept fragments.
974 * If maxfrag is -1, accept all fragments without limitation.
975 */
976 if ((ip_maxfragpackets >= 0) && (ip_nfragpackets >= ip_maxfragpackets))
977 goto dropfrag;
978 ip_nfragpackets++;
979 if ((t = m_get(M_DONTWAIT, MT_FTABLE)) == NULL)
980 goto dropfrag;
981 fp = mtod(t, struct ipq *);
982#ifdef MAC
983 mac_init_ipq(fp);
984 mac_create_ipq(m, fp);
985#endif
986 TAILQ_INSERT_HEAD(head, fp, ipq_list);
987 nipq++;
988 fp->ipq_ttl = IPFRAGTTL;
989 fp->ipq_p = ip->ip_p;
990 fp->ipq_id = ip->ip_id;
991 fp->ipq_src = ip->ip_src;
992 fp->ipq_dst = ip->ip_dst;
993 fp->ipq_frags = m;
994 m->m_nextpkt = NULL;
995#ifdef IPDIVERT
996 fp->ipq_div_info = 0;
997 fp->ipq_div_cookie = 0;
998#endif
999 goto inserted;
1000 } else {
1001#ifdef MAC
1002 mac_update_ipq(m, fp);
1003#endif
1004 }
1005
1006#define GETIP(m) ((struct ip*)((m)->m_pkthdr.header))
1007
1008 /*
1009 * Find a segment which begins after this one does.
1010 */
1011 for (p = NULL, q = fp->ipq_frags; q; p = q, q = q->m_nextpkt)
1012 if (GETIP(q)->ip_off > ip->ip_off)
1013 break;
1014
1015 /*
1016 * If there is a preceding segment, it may provide some of
1017 * our data already. If so, drop the data from the incoming
1018 * segment. If it provides all of our data, drop us, otherwise
1019 * stick new segment in the proper place.
1020 *
1021 * If some of the data is dropped from the the preceding
1022 * segment, then it's checksum is invalidated.
1023 */
1024 if (p) {
1025 i = GETIP(p)->ip_off + GETIP(p)->ip_len - ip->ip_off;
1026 if (i > 0) {
1027 if (i >= ip->ip_len)
1028 goto dropfrag;
1029 m_adj(m, i);
1030 m->m_pkthdr.csum_flags = 0;
1031 ip->ip_off += i;
1032 ip->ip_len -= i;
1033 }
1034 m->m_nextpkt = p->m_nextpkt;
1035 p->m_nextpkt = m;
1036 } else {
1037 m->m_nextpkt = fp->ipq_frags;
1038 fp->ipq_frags = m;
1039 }
1040
1041 /*
1042 * While we overlap succeeding segments trim them or,
1043 * if they are completely covered, dequeue them.
1044 */
1045 for (; q != NULL && ip->ip_off + ip->ip_len > GETIP(q)->ip_off;
1046 q = nq) {
1047 i = (ip->ip_off + ip->ip_len) -
1048 GETIP(q)->ip_off;
1049 if (i < GETIP(q)->ip_len) {
1050 GETIP(q)->ip_len -= i;
1051 GETIP(q)->ip_off += i;
1052 m_adj(q, i);
1053 q->m_pkthdr.csum_flags = 0;
1054 break;
1055 }
1056 nq = q->m_nextpkt;
1057 m->m_nextpkt = nq;
1058 m_freem(q);
1059 }
1060
1061inserted:
1062
1063#ifdef IPDIVERT
1064 /*
1065 * Transfer firewall instructions to the fragment structure.
1066 * Only trust info in the fragment at offset 0.
1067 */
1068 if (ip->ip_off == 0) {
1069 fp->ipq_div_info = *divinfo;
1070 fp->ipq_div_cookie = *divert_rule;
1071 }
1072 *divinfo = 0;
1073 *divert_rule = 0;
1074#endif
1075
1076 /*
1077 * Check for complete reassembly.
1078 */
1079 next = 0;
1080 for (p = NULL, q = fp->ipq_frags; q; p = q, q = q->m_nextpkt) {
1081 if (GETIP(q)->ip_off != next)
1082 return (0);
1083 next += GETIP(q)->ip_len;
1084 }
1085 /* Make sure the last packet didn't have the IP_MF flag */
1086 if (p->m_flags & M_FRAG)
1087 return (0);
1088
1089 /*
1090 * Reassembly is complete. Make sure the packet is a sane size.
1091 */
1092 q = fp->ipq_frags;
1093 ip = GETIP(q);
|
1096 if (next + (IP_VHL_HL(ip->ip_vhl) << 2) > IP_MAXPACKET) {
| 1094 if (next + (ip->ip_hl << 2) > IP_MAXPACKET) {
|
1097 ipstat.ips_toolong++;
1098 ip_freef(head, fp);
1099 return (0);
1100 }
1101
1102 /*
1103 * Concatenate fragments.
1104 */
1105 m = q;
1106 t = m->m_next;
1107 m->m_next = 0;
1108 m_cat(m, t);
1109 nq = q->m_nextpkt;
1110 q->m_nextpkt = 0;
1111 for (q = nq; q != NULL; q = nq) {
1112 nq = q->m_nextpkt;
1113 q->m_nextpkt = NULL;
1114 m->m_pkthdr.csum_flags &= q->m_pkthdr.csum_flags;
1115 m->m_pkthdr.csum_data += q->m_pkthdr.csum_data;
1116 m_cat(m, q);
1117 }
1118#ifdef MAC
1119 mac_create_datagram_from_ipq(fp, m);
1120 mac_destroy_ipq(fp);
1121#endif
1122
1123#ifdef IPDIVERT
1124 /*
1125 * Extract firewall instructions from the fragment structure.
1126 */
1127 *divinfo = fp->ipq_div_info;
1128 *divert_rule = fp->ipq_div_cookie;
1129#endif
1130
1131 /*
1132 * Create header for new ip packet by
1133 * modifying header of first packet;
1134 * dequeue and discard fragment reassembly header.
1135 * Make header visible.
1136 */
1137 ip->ip_len = next;
1138 ip->ip_src = fp->ipq_src;
1139 ip->ip_dst = fp->ipq_dst;
1140 TAILQ_REMOVE(head, fp, ipq_list);
1141 nipq--;
1142 (void) m_free(dtom(fp));
1143 ip_nfragpackets--;
| 1095 ipstat.ips_toolong++;
1096 ip_freef(head, fp);
1097 return (0);
1098 }
1099
1100 /*
1101 * Concatenate fragments.
1102 */
1103 m = q;
1104 t = m->m_next;
1105 m->m_next = 0;
1106 m_cat(m, t);
1107 nq = q->m_nextpkt;
1108 q->m_nextpkt = 0;
1109 for (q = nq; q != NULL; q = nq) {
1110 nq = q->m_nextpkt;
1111 q->m_nextpkt = NULL;
1112 m->m_pkthdr.csum_flags &= q->m_pkthdr.csum_flags;
1113 m->m_pkthdr.csum_data += q->m_pkthdr.csum_data;
1114 m_cat(m, q);
1115 }
1116#ifdef MAC
1117 mac_create_datagram_from_ipq(fp, m);
1118 mac_destroy_ipq(fp);
1119#endif
1120
1121#ifdef IPDIVERT
1122 /*
1123 * Extract firewall instructions from the fragment structure.
1124 */
1125 *divinfo = fp->ipq_div_info;
1126 *divert_rule = fp->ipq_div_cookie;
1127#endif
1128
1129 /*
1130 * Create header for new ip packet by
1131 * modifying header of first packet;
1132 * dequeue and discard fragment reassembly header.
1133 * Make header visible.
1134 */
1135 ip->ip_len = next;
1136 ip->ip_src = fp->ipq_src;
1137 ip->ip_dst = fp->ipq_dst;
1138 TAILQ_REMOVE(head, fp, ipq_list);
1139 nipq--;
1140 (void) m_free(dtom(fp));
1141 ip_nfragpackets--;
|
1144 m->m_len += (IP_VHL_HL(ip->ip_vhl) << 2);
1145 m->m_data -= (IP_VHL_HL(ip->ip_vhl) << 2);
| 1142 m->m_len += (ip->ip_hl << 2);
1143 m->m_data -= (ip->ip_hl << 2);
|
1146 /* some debugging cruft by sklower, below, will go away soon */
1147 if (m->m_flags & M_PKTHDR) /* XXX this should be done elsewhere */
1148 m_fixhdr(m);
1149 return (m);
1150
1151dropfrag:
1152#ifdef IPDIVERT
1153 *divinfo = 0;
1154 *divert_rule = 0;
1155#endif
1156 ipstat.ips_fragdropped++;
1157 m_freem(m);
1158 return (0);
1159
1160#undef GETIP
1161}
1162
1163/*
1164 * Free a fragment reassembly header and all
1165 * associated datagrams.
1166 */
1167static void
1168ip_freef(fhp, fp)
1169 struct ipqhead *fhp;
1170 struct ipq *fp;
1171{
1172 register struct mbuf *q;
1173
1174 while (fp->ipq_frags) {
1175 q = fp->ipq_frags;
1176 fp->ipq_frags = q->m_nextpkt;
1177 m_freem(q);
1178 }
1179 TAILQ_REMOVE(fhp, fp, ipq_list);
1180 (void) m_free(dtom(fp));
1181 ip_nfragpackets--;
1182 nipq--;
1183}
1184
1185/*
1186 * IP timer processing;
1187 * if a timer expires on a reassembly
1188 * queue, discard it.
1189 */
1190void
1191ip_slowtimo()
1192{
1193 register struct ipq *fp;
1194 int s = splnet();
1195 int i;
1196
1197 for (i = 0; i < IPREASS_NHASH; i++) {
1198 for(fp = TAILQ_FIRST(&ipq[i]); fp;) {
1199 struct ipq *fpp;
1200
1201 fpp = fp;
1202 fp = TAILQ_NEXT(fp, ipq_list);
1203 if(--fpp->ipq_ttl == 0) {
1204 ipstat.ips_fragtimeout++;
1205 ip_freef(&ipq[i], fpp);
1206 }
1207 }
1208 }
1209 /*
1210 * If we are over the maximum number of fragments
1211 * (due to the limit being lowered), drain off
1212 * enough to get down to the new limit.
1213 */
1214 for (i = 0; i < IPREASS_NHASH; i++) {
1215 if (ip_maxfragpackets >= 0) {
1216 while (ip_nfragpackets > ip_maxfragpackets &&
1217 !TAILQ_EMPTY(&ipq[i])) {
1218 ipstat.ips_fragdropped++;
1219 ip_freef(&ipq[i], TAILQ_FIRST(&ipq[i]));
1220 }
1221 }
1222 }
1223 ipflow_slowtimo();
1224 splx(s);
1225}
1226
1227/*
1228 * Drain off all datagram fragments.
1229 */
1230void
1231ip_drain()
1232{
1233 int i;
1234
1235 for (i = 0; i < IPREASS_NHASH; i++) {
1236 while(!TAILQ_EMPTY(&ipq[i])) {
1237 ipstat.ips_fragdropped++;
1238 ip_freef(&ipq[i], TAILQ_FIRST(&ipq[i]));
1239 }
1240 }
1241 in_rtqdrain();
1242}
1243
1244/*
1245 * Do option processing on a datagram,
1246 * possibly discarding it if bad options are encountered,
1247 * or forwarding it if source-routed.
1248 * The pass argument is used when operating in the IPSTEALTH
1249 * mode to tell what options to process:
1250 * [LS]SRR (pass 0) or the others (pass 1).
1251 * The reason for as many as two passes is that when doing IPSTEALTH,
1252 * non-routing options should be processed only if the packet is for us.
1253 * Returns 1 if packet has been forwarded/freed,
1254 * 0 if the packet should be processed further.
1255 */
1256static int
1257ip_dooptions(struct mbuf *m, int pass, struct sockaddr_in *next_hop)
1258{
1259 struct ip *ip = mtod(m, struct ip *);
1260 u_char *cp;
1261 struct in_ifaddr *ia;
1262 int opt, optlen, cnt, off, code, type = ICMP_PARAMPROB, forward = 0;
1263 struct in_addr *sin, dst;
1264 n_time ntime;
1265 struct sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET };
1266
1267 dst = ip->ip_dst;
1268 cp = (u_char *)(ip + 1);
| 1144 /* some debugging cruft by sklower, below, will go away soon */
1145 if (m->m_flags & M_PKTHDR) /* XXX this should be done elsewhere */
1146 m_fixhdr(m);
1147 return (m);
1148
1149dropfrag:
1150#ifdef IPDIVERT
1151 *divinfo = 0;
1152 *divert_rule = 0;
1153#endif
1154 ipstat.ips_fragdropped++;
1155 m_freem(m);
1156 return (0);
1157
1158#undef GETIP
1159}
1160
1161/*
1162 * Free a fragment reassembly header and all
1163 * associated datagrams.
1164 */
1165static void
1166ip_freef(fhp, fp)
1167 struct ipqhead *fhp;
1168 struct ipq *fp;
1169{
1170 register struct mbuf *q;
1171
1172 while (fp->ipq_frags) {
1173 q = fp->ipq_frags;
1174 fp->ipq_frags = q->m_nextpkt;
1175 m_freem(q);
1176 }
1177 TAILQ_REMOVE(fhp, fp, ipq_list);
1178 (void) m_free(dtom(fp));
1179 ip_nfragpackets--;
1180 nipq--;
1181}
1182
1183/*
1184 * IP timer processing;
1185 * if a timer expires on a reassembly
1186 * queue, discard it.
1187 */
1188void
1189ip_slowtimo()
1190{
1191 register struct ipq *fp;
1192 int s = splnet();
1193 int i;
1194
1195 for (i = 0; i < IPREASS_NHASH; i++) {
1196 for(fp = TAILQ_FIRST(&ipq[i]); fp;) {
1197 struct ipq *fpp;
1198
1199 fpp = fp;
1200 fp = TAILQ_NEXT(fp, ipq_list);
1201 if(--fpp->ipq_ttl == 0) {
1202 ipstat.ips_fragtimeout++;
1203 ip_freef(&ipq[i], fpp);
1204 }
1205 }
1206 }
1207 /*
1208 * If we are over the maximum number of fragments
1209 * (due to the limit being lowered), drain off
1210 * enough to get down to the new limit.
1211 */
1212 for (i = 0; i < IPREASS_NHASH; i++) {
1213 if (ip_maxfragpackets >= 0) {
1214 while (ip_nfragpackets > ip_maxfragpackets &&
1215 !TAILQ_EMPTY(&ipq[i])) {
1216 ipstat.ips_fragdropped++;
1217 ip_freef(&ipq[i], TAILQ_FIRST(&ipq[i]));
1218 }
1219 }
1220 }
1221 ipflow_slowtimo();
1222 splx(s);
1223}
1224
1225/*
1226 * Drain off all datagram fragments.
1227 */
1228void
1229ip_drain()
1230{
1231 int i;
1232
1233 for (i = 0; i < IPREASS_NHASH; i++) {
1234 while(!TAILQ_EMPTY(&ipq[i])) {
1235 ipstat.ips_fragdropped++;
1236 ip_freef(&ipq[i], TAILQ_FIRST(&ipq[i]));
1237 }
1238 }
1239 in_rtqdrain();
1240}
1241
1242/*
1243 * Do option processing on a datagram,
1244 * possibly discarding it if bad options are encountered,
1245 * or forwarding it if source-routed.
1246 * The pass argument is used when operating in the IPSTEALTH
1247 * mode to tell what options to process:
1248 * [LS]SRR (pass 0) or the others (pass 1).
1249 * The reason for as many as two passes is that when doing IPSTEALTH,
1250 * non-routing options should be processed only if the packet is for us.
1251 * Returns 1 if packet has been forwarded/freed,
1252 * 0 if the packet should be processed further.
1253 */
1254static int
1255ip_dooptions(struct mbuf *m, int pass, struct sockaddr_in *next_hop)
1256{
1257 struct ip *ip = mtod(m, struct ip *);
1258 u_char *cp;
1259 struct in_ifaddr *ia;
1260 int opt, optlen, cnt, off, code, type = ICMP_PARAMPROB, forward = 0;
1261 struct in_addr *sin, dst;
1262 n_time ntime;
1263 struct sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET };
1264
1265 dst = ip->ip_dst;
1266 cp = (u_char *)(ip + 1);
|
1269 cnt = (IP_VHL_HL(ip->ip_vhl) << 2) - sizeof (struct ip);
| 1267 cnt = (ip->ip_hl << 2) - sizeof (struct ip);
|
1270 for (; cnt > 0; cnt -= optlen, cp += optlen) {
1271 opt = cp[IPOPT_OPTVAL];
1272 if (opt == IPOPT_EOL)
1273 break;
1274 if (opt == IPOPT_NOP)
1275 optlen = 1;
1276 else {
1277 if (cnt < IPOPT_OLEN + sizeof(*cp)) {
1278 code = &cp[IPOPT_OLEN] - (u_char *)ip;
1279 goto bad;
1280 }
1281 optlen = cp[IPOPT_OLEN];
1282 if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) {
1283 code = &cp[IPOPT_OLEN] - (u_char *)ip;
1284 goto bad;
1285 }
1286 }
1287 switch (opt) {
1288
1289 default:
1290 break;
1291
1292 /*
1293 * Source routing with record.
1294 * Find interface with current destination address.
1295 * If none on this machine then drop if strictly routed,
1296 * or do nothing if loosely routed.
1297 * Record interface address and bring up next address
1298 * component. If strictly routed make sure next
1299 * address is on directly accessible net.
1300 */
1301 case IPOPT_LSRR:
1302 case IPOPT_SSRR:
1303#ifdef IPSTEALTH
1304 if (ipstealth && pass > 0)
1305 break;
1306#endif
1307 if (optlen < IPOPT_OFFSET + sizeof(*cp)) {
1308 code = &cp[IPOPT_OLEN] - (u_char *)ip;
1309 goto bad;
1310 }
1311 if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
1312 code = &cp[IPOPT_OFFSET] - (u_char *)ip;
1313 goto bad;
1314 }
1315 ipaddr.sin_addr = ip->ip_dst;
1316 ia = (struct in_ifaddr *)
1317 ifa_ifwithaddr((struct sockaddr *)&ipaddr);
1318 if (ia == 0) {
1319 if (opt == IPOPT_SSRR) {
1320 type = ICMP_UNREACH;
1321 code = ICMP_UNREACH_SRCFAIL;
1322 goto bad;
1323 }
1324 if (!ip_dosourceroute)
1325 goto nosourcerouting;
1326 /*
1327 * Loose routing, and not at next destination
1328 * yet; nothing to do except forward.
1329 */
1330 break;
1331 }
1332 off--; /* 0 origin */
1333 if (off > optlen - (int)sizeof(struct in_addr)) {
1334 /*
1335 * End of source route. Should be for us.
1336 */
1337 if (!ip_acceptsourceroute)
1338 goto nosourcerouting;
1339 save_rte(cp, ip->ip_src);
1340 break;
1341 }
1342#ifdef IPSTEALTH
1343 if (ipstealth)
1344 goto dropit;
1345#endif
1346 if (!ip_dosourceroute) {
1347 if (ipforwarding) {
1348 char buf[16]; /* aaa.bbb.ccc.ddd\0 */
1349 /*
1350 * Acting as a router, so generate ICMP
1351 */
1352nosourcerouting:
1353 strcpy(buf, inet_ntoa(ip->ip_dst));
1354 log(LOG_WARNING,
1355 "attempted source route from %s to %s\n",
1356 inet_ntoa(ip->ip_src), buf);
1357 type = ICMP_UNREACH;
1358 code = ICMP_UNREACH_SRCFAIL;
1359 goto bad;
1360 } else {
1361 /*
1362 * Not acting as a router, so silently drop.
1363 */
1364#ifdef IPSTEALTH
1365dropit:
1366#endif
1367 ipstat.ips_cantforward++;
1368 m_freem(m);
1369 return (1);
1370 }
1371 }
1372
1373 /*
1374 * locate outgoing interface
1375 */
1376 (void)memcpy(&ipaddr.sin_addr, cp + off,
1377 sizeof(ipaddr.sin_addr));
1378
1379 if (opt == IPOPT_SSRR) {
1380#define INA struct in_ifaddr *
1381#define SA struct sockaddr *
1382 if ((ia = (INA)ifa_ifwithdstaddr((SA)&ipaddr)) == 0)
1383 ia = (INA)ifa_ifwithnet((SA)&ipaddr);
1384 } else
1385 ia = ip_rtaddr(ipaddr.sin_addr, &ipforward_rt);
1386 if (ia == 0) {
1387 type = ICMP_UNREACH;
1388 code = ICMP_UNREACH_SRCFAIL;
1389 goto bad;
1390 }
1391 ip->ip_dst = ipaddr.sin_addr;
1392 (void)memcpy(cp + off, &(IA_SIN(ia)->sin_addr),
1393 sizeof(struct in_addr));
1394 cp[IPOPT_OFFSET] += sizeof(struct in_addr);
1395 /*
1396 * Let ip_intr's mcast routing check handle mcast pkts
1397 */
1398 forward = !IN_MULTICAST(ntohl(ip->ip_dst.s_addr));
1399 break;
1400
1401 case IPOPT_RR:
1402#ifdef IPSTEALTH
1403 if (ipstealth && pass == 0)
1404 break;
1405#endif
1406 if (optlen < IPOPT_OFFSET + sizeof(*cp)) {
1407 code = &cp[IPOPT_OFFSET] - (u_char *)ip;
1408 goto bad;
1409 }
1410 if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
1411 code = &cp[IPOPT_OFFSET] - (u_char *)ip;
1412 goto bad;
1413 }
1414 /*
1415 * If no space remains, ignore.
1416 */
1417 off--; /* 0 origin */
1418 if (off > optlen - (int)sizeof(struct in_addr))
1419 break;
1420 (void)memcpy(&ipaddr.sin_addr, &ip->ip_dst,
1421 sizeof(ipaddr.sin_addr));
1422 /*
1423 * locate outgoing interface; if we're the destination,
1424 * use the incoming interface (should be same).
1425 */
1426 if ((ia = (INA)ifa_ifwithaddr((SA)&ipaddr)) == 0 &&
1427 (ia = ip_rtaddr(ipaddr.sin_addr,
1428 &ipforward_rt)) == 0) {
1429 type = ICMP_UNREACH;
1430 code = ICMP_UNREACH_HOST;
1431 goto bad;
1432 }
1433 (void)memcpy(cp + off, &(IA_SIN(ia)->sin_addr),
1434 sizeof(struct in_addr));
1435 cp[IPOPT_OFFSET] += sizeof(struct in_addr);
1436 break;
1437
1438 case IPOPT_TS:
1439#ifdef IPSTEALTH
1440 if (ipstealth && pass == 0)
1441 break;
1442#endif
1443 code = cp - (u_char *)ip;
1444 if (optlen < 4 || optlen > 40) {
1445 code = &cp[IPOPT_OLEN] - (u_char *)ip;
1446 goto bad;
1447 }
1448 if ((off = cp[IPOPT_OFFSET]) < 5) {
1449 code = &cp[IPOPT_OLEN] - (u_char *)ip;
1450 goto bad;
1451 }
1452 if (off > optlen - (int)sizeof(int32_t)) {
1453 cp[IPOPT_OFFSET + 1] += (1 << 4);
1454 if ((cp[IPOPT_OFFSET + 1] & 0xf0) == 0) {
1455 code = &cp[IPOPT_OFFSET] - (u_char *)ip;
1456 goto bad;
1457 }
1458 break;
1459 }
1460 off--; /* 0 origin */
1461 sin = (struct in_addr *)(cp + off);
1462 switch (cp[IPOPT_OFFSET + 1] & 0x0f) {
1463
1464 case IPOPT_TS_TSONLY:
1465 break;
1466
1467 case IPOPT_TS_TSANDADDR:
1468 if (off + sizeof(n_time) +
1469 sizeof(struct in_addr) > optlen) {
1470 code = &cp[IPOPT_OFFSET] - (u_char *)ip;
1471 goto bad;
1472 }
1473 ipaddr.sin_addr = dst;
1474 ia = (INA)ifaof_ifpforaddr((SA)&ipaddr,
1475 m->m_pkthdr.rcvif);
1476 if (ia == 0)
1477 continue;
1478 (void)memcpy(sin, &IA_SIN(ia)->sin_addr,
1479 sizeof(struct in_addr));
1480 cp[IPOPT_OFFSET] += sizeof(struct in_addr);
1481 off += sizeof(struct in_addr);
1482 break;
1483
1484 case IPOPT_TS_PRESPEC:
1485 if (off + sizeof(n_time) +
1486 sizeof(struct in_addr) > optlen) {
1487 code = &cp[IPOPT_OFFSET] - (u_char *)ip;
1488 goto bad;
1489 }
1490 (void)memcpy(&ipaddr.sin_addr, sin,
1491 sizeof(struct in_addr));
1492 if (ifa_ifwithaddr((SA)&ipaddr) == 0)
1493 continue;
1494 cp[IPOPT_OFFSET] += sizeof(struct in_addr);
1495 off += sizeof(struct in_addr);
1496 break;
1497
1498 default:
1499 code = &cp[IPOPT_OFFSET + 1] - (u_char *)ip;
1500 goto bad;
1501 }
1502 ntime = iptime();
1503 (void)memcpy(cp + off, &ntime, sizeof(n_time));
1504 cp[IPOPT_OFFSET] += sizeof(n_time);
1505 }
1506 }
1507 if (forward && ipforwarding) {
1508 ip_forward(m, 1, next_hop);
1509 return (1);
1510 }
1511 return (0);
1512bad:
1513 icmp_error(m, type, code, 0, 0);
1514 ipstat.ips_badoptions++;
1515 return (1);
1516}
1517
1518/*
1519 * Given address of next destination (final or next hop),
1520 * return internet address info of interface to be used to get there.
1521 */
1522struct in_ifaddr *
1523ip_rtaddr(dst, rt)
1524 struct in_addr dst;
1525 struct route *rt;
1526{
1527 register struct sockaddr_in *sin;
1528
1529 sin = (struct sockaddr_in *)&rt->ro_dst;
1530
1531 if (rt->ro_rt == 0 ||
1532 !(rt->ro_rt->rt_flags & RTF_UP) ||
1533 dst.s_addr != sin->sin_addr.s_addr) {
1534 if (rt->ro_rt) {
1535 RTFREE(rt->ro_rt);
1536 rt->ro_rt = 0;
1537 }
1538 sin->sin_family = AF_INET;
1539 sin->sin_len = sizeof(*sin);
1540 sin->sin_addr = dst;
1541
1542 rtalloc_ign(rt, RTF_PRCLONING);
1543 }
1544 if (rt->ro_rt == 0)
1545 return ((struct in_ifaddr *)0);
1546 return (ifatoia(rt->ro_rt->rt_ifa));
1547}
1548
1549/*
1550 * Save incoming source route for use in replies,
1551 * to be picked up later by ip_srcroute if the receiver is interested.
1552 */
1553static void
1554save_rte(option, dst)
1555 u_char *option;
1556 struct in_addr dst;
1557{
1558 unsigned olen;
1559
1560 olen = option[IPOPT_OLEN];
1561#ifdef DIAGNOSTIC
1562 if (ipprintfs)
1563 printf("save_rte: olen %d\n", olen);
1564#endif
1565 if (olen > sizeof(ip_srcrt) - (1 + sizeof(dst)))
1566 return;
1567 bcopy(option, ip_srcrt.srcopt, olen);
1568 ip_nhops = (olen - IPOPT_OFFSET - 1) / sizeof(struct in_addr);
1569 ip_srcrt.dst = dst;
1570}
1571
1572/*
1573 * Retrieve incoming source route for use in replies,
1574 * in the same form used by setsockopt.
1575 * The first hop is placed before the options, will be removed later.
1576 */
1577struct mbuf *
1578ip_srcroute()
1579{
1580 register struct in_addr *p, *q;
1581 register struct mbuf *m;
1582
1583 if (ip_nhops == 0)
1584 return ((struct mbuf *)0);
1585 m = m_get(M_DONTWAIT, MT_HEADER);
1586 if (m == 0)
1587 return ((struct mbuf *)0);
1588
1589#define OPTSIZ (sizeof(ip_srcrt.nop) + sizeof(ip_srcrt.srcopt))
1590
1591 /* length is (nhops+1)*sizeof(addr) + sizeof(nop + srcrt header) */
1592 m->m_len = ip_nhops * sizeof(struct in_addr) + sizeof(struct in_addr) +
1593 OPTSIZ;
1594#ifdef DIAGNOSTIC
1595 if (ipprintfs)
1596 printf("ip_srcroute: nhops %d mlen %d", ip_nhops, m->m_len);
1597#endif
1598
1599 /*
1600 * First save first hop for return route
1601 */
1602 p = &ip_srcrt.route[ip_nhops - 1];
1603 *(mtod(m, struct in_addr *)) = *p--;
1604#ifdef DIAGNOSTIC
1605 if (ipprintfs)
1606 printf(" hops %lx", (u_long)ntohl(mtod(m, struct in_addr *)->s_addr));
1607#endif
1608
1609 /*
1610 * Copy option fields and padding (nop) to mbuf.
1611 */
1612 ip_srcrt.nop = IPOPT_NOP;
1613 ip_srcrt.srcopt[IPOPT_OFFSET] = IPOPT_MINOFF;
1614 (void)memcpy(mtod(m, caddr_t) + sizeof(struct in_addr),
1615 &ip_srcrt.nop, OPTSIZ);
1616 q = (struct in_addr *)(mtod(m, caddr_t) +
1617 sizeof(struct in_addr) + OPTSIZ);
1618#undef OPTSIZ
1619 /*
1620 * Record return path as an IP source route,
1621 * reversing the path (pointers are now aligned).
1622 */
1623 while (p >= ip_srcrt.route) {
1624#ifdef DIAGNOSTIC
1625 if (ipprintfs)
1626 printf(" %lx", (u_long)ntohl(q->s_addr));
1627#endif
1628 *q++ = *p--;
1629 }
1630 /*
1631 * Last hop goes to final destination.
1632 */
1633 *q = ip_srcrt.dst;
1634#ifdef DIAGNOSTIC
1635 if (ipprintfs)
1636 printf(" %lx\n", (u_long)ntohl(q->s_addr));
1637#endif
1638 return (m);
1639}
1640
1641/*
1642 * Strip out IP options, at higher
1643 * level protocol in the kernel.
1644 * Second argument is buffer to which options
1645 * will be moved, and return value is their length.
1646 * XXX should be deleted; last arg currently ignored.
1647 */
1648void
1649ip_stripoptions(m, mopt)
1650 register struct mbuf *m;
1651 struct mbuf *mopt;
1652{
1653 register int i;
1654 struct ip *ip = mtod(m, struct ip *);
1655 register caddr_t opts;
1656 int olen;
1657
| 1268 for (; cnt > 0; cnt -= optlen, cp += optlen) {
1269 opt = cp[IPOPT_OPTVAL];
1270 if (opt == IPOPT_EOL)
1271 break;
1272 if (opt == IPOPT_NOP)
1273 optlen = 1;
1274 else {
1275 if (cnt < IPOPT_OLEN + sizeof(*cp)) {
1276 code = &cp[IPOPT_OLEN] - (u_char *)ip;
1277 goto bad;
1278 }
1279 optlen = cp[IPOPT_OLEN];
1280 if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) {
1281 code = &cp[IPOPT_OLEN] - (u_char *)ip;
1282 goto bad;
1283 }
1284 }
1285 switch (opt) {
1286
1287 default:
1288 break;
1289
1290 /*
1291 * Source routing with record.
1292 * Find interface with current destination address.
1293 * If none on this machine then drop if strictly routed,
1294 * or do nothing if loosely routed.
1295 * Record interface address and bring up next address
1296 * component. If strictly routed make sure next
1297 * address is on directly accessible net.
1298 */
1299 case IPOPT_LSRR:
1300 case IPOPT_SSRR:
1301#ifdef IPSTEALTH
1302 if (ipstealth && pass > 0)
1303 break;
1304#endif
1305 if (optlen < IPOPT_OFFSET + sizeof(*cp)) {
1306 code = &cp[IPOPT_OLEN] - (u_char *)ip;
1307 goto bad;
1308 }
1309 if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
1310 code = &cp[IPOPT_OFFSET] - (u_char *)ip;
1311 goto bad;
1312 }
1313 ipaddr.sin_addr = ip->ip_dst;
1314 ia = (struct in_ifaddr *)
1315 ifa_ifwithaddr((struct sockaddr *)&ipaddr);
1316 if (ia == 0) {
1317 if (opt == IPOPT_SSRR) {
1318 type = ICMP_UNREACH;
1319 code = ICMP_UNREACH_SRCFAIL;
1320 goto bad;
1321 }
1322 if (!ip_dosourceroute)
1323 goto nosourcerouting;
1324 /*
1325 * Loose routing, and not at next destination
1326 * yet; nothing to do except forward.
1327 */
1328 break;
1329 }
1330 off--; /* 0 origin */
1331 if (off > optlen - (int)sizeof(struct in_addr)) {
1332 /*
1333 * End of source route. Should be for us.
1334 */
1335 if (!ip_acceptsourceroute)
1336 goto nosourcerouting;
1337 save_rte(cp, ip->ip_src);
1338 break;
1339 }
1340#ifdef IPSTEALTH
1341 if (ipstealth)
1342 goto dropit;
1343#endif
1344 if (!ip_dosourceroute) {
1345 if (ipforwarding) {
1346 char buf[16]; /* aaa.bbb.ccc.ddd\0 */
1347 /*
1348 * Acting as a router, so generate ICMP
1349 */
1350nosourcerouting:
1351 strcpy(buf, inet_ntoa(ip->ip_dst));
1352 log(LOG_WARNING,
1353 "attempted source route from %s to %s\n",
1354 inet_ntoa(ip->ip_src), buf);
1355 type = ICMP_UNREACH;
1356 code = ICMP_UNREACH_SRCFAIL;
1357 goto bad;
1358 } else {
1359 /*
1360 * Not acting as a router, so silently drop.
1361 */
1362#ifdef IPSTEALTH
1363dropit:
1364#endif
1365 ipstat.ips_cantforward++;
1366 m_freem(m);
1367 return (1);
1368 }
1369 }
1370
1371 /*
1372 * locate outgoing interface
1373 */
1374 (void)memcpy(&ipaddr.sin_addr, cp + off,
1375 sizeof(ipaddr.sin_addr));
1376
1377 if (opt == IPOPT_SSRR) {
1378#define INA struct in_ifaddr *
1379#define SA struct sockaddr *
1380 if ((ia = (INA)ifa_ifwithdstaddr((SA)&ipaddr)) == 0)
1381 ia = (INA)ifa_ifwithnet((SA)&ipaddr);
1382 } else
1383 ia = ip_rtaddr(ipaddr.sin_addr, &ipforward_rt);
1384 if (ia == 0) {
1385 type = ICMP_UNREACH;
1386 code = ICMP_UNREACH_SRCFAIL;
1387 goto bad;
1388 }
1389 ip->ip_dst = ipaddr.sin_addr;
1390 (void)memcpy(cp + off, &(IA_SIN(ia)->sin_addr),
1391 sizeof(struct in_addr));
1392 cp[IPOPT_OFFSET] += sizeof(struct in_addr);
1393 /*
1394 * Let ip_intr's mcast routing check handle mcast pkts
1395 */
1396 forward = !IN_MULTICAST(ntohl(ip->ip_dst.s_addr));
1397 break;
1398
1399 case IPOPT_RR:
1400#ifdef IPSTEALTH
1401 if (ipstealth && pass == 0)
1402 break;
1403#endif
1404 if (optlen < IPOPT_OFFSET + sizeof(*cp)) {
1405 code = &cp[IPOPT_OFFSET] - (u_char *)ip;
1406 goto bad;
1407 }
1408 if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
1409 code = &cp[IPOPT_OFFSET] - (u_char *)ip;
1410 goto bad;
1411 }
1412 /*
1413 * If no space remains, ignore.
1414 */
1415 off--; /* 0 origin */
1416 if (off > optlen - (int)sizeof(struct in_addr))
1417 break;
1418 (void)memcpy(&ipaddr.sin_addr, &ip->ip_dst,
1419 sizeof(ipaddr.sin_addr));
1420 /*
1421 * locate outgoing interface; if we're the destination,
1422 * use the incoming interface (should be same).
1423 */
1424 if ((ia = (INA)ifa_ifwithaddr((SA)&ipaddr)) == 0 &&
1425 (ia = ip_rtaddr(ipaddr.sin_addr,
1426 &ipforward_rt)) == 0) {
1427 type = ICMP_UNREACH;
1428 code = ICMP_UNREACH_HOST;
1429 goto bad;
1430 }
1431 (void)memcpy(cp + off, &(IA_SIN(ia)->sin_addr),
1432 sizeof(struct in_addr));
1433 cp[IPOPT_OFFSET] += sizeof(struct in_addr);
1434 break;
1435
1436 case IPOPT_TS:
1437#ifdef IPSTEALTH
1438 if (ipstealth && pass == 0)
1439 break;
1440#endif
1441 code = cp - (u_char *)ip;
1442 if (optlen < 4 || optlen > 40) {
1443 code = &cp[IPOPT_OLEN] - (u_char *)ip;
1444 goto bad;
1445 }
1446 if ((off = cp[IPOPT_OFFSET]) < 5) {
1447 code = &cp[IPOPT_OLEN] - (u_char *)ip;
1448 goto bad;
1449 }
1450 if (off > optlen - (int)sizeof(int32_t)) {
1451 cp[IPOPT_OFFSET + 1] += (1 << 4);
1452 if ((cp[IPOPT_OFFSET + 1] & 0xf0) == 0) {
1453 code = &cp[IPOPT_OFFSET] - (u_char *)ip;
1454 goto bad;
1455 }
1456 break;
1457 }
1458 off--; /* 0 origin */
1459 sin = (struct in_addr *)(cp + off);
1460 switch (cp[IPOPT_OFFSET + 1] & 0x0f) {
1461
1462 case IPOPT_TS_TSONLY:
1463 break;
1464
1465 case IPOPT_TS_TSANDADDR:
1466 if (off + sizeof(n_time) +
1467 sizeof(struct in_addr) > optlen) {
1468 code = &cp[IPOPT_OFFSET] - (u_char *)ip;
1469 goto bad;
1470 }
1471 ipaddr.sin_addr = dst;
1472 ia = (INA)ifaof_ifpforaddr((SA)&ipaddr,
1473 m->m_pkthdr.rcvif);
1474 if (ia == 0)
1475 continue;
1476 (void)memcpy(sin, &IA_SIN(ia)->sin_addr,
1477 sizeof(struct in_addr));
1478 cp[IPOPT_OFFSET] += sizeof(struct in_addr);
1479 off += sizeof(struct in_addr);
1480 break;
1481
1482 case IPOPT_TS_PRESPEC:
1483 if (off + sizeof(n_time) +
1484 sizeof(struct in_addr) > optlen) {
1485 code = &cp[IPOPT_OFFSET] - (u_char *)ip;
1486 goto bad;
1487 }
1488 (void)memcpy(&ipaddr.sin_addr, sin,
1489 sizeof(struct in_addr));
1490 if (ifa_ifwithaddr((SA)&ipaddr) == 0)
1491 continue;
1492 cp[IPOPT_OFFSET] += sizeof(struct in_addr);
1493 off += sizeof(struct in_addr);
1494 break;
1495
1496 default:
1497 code = &cp[IPOPT_OFFSET + 1] - (u_char *)ip;
1498 goto bad;
1499 }
1500 ntime = iptime();
1501 (void)memcpy(cp + off, &ntime, sizeof(n_time));
1502 cp[IPOPT_OFFSET] += sizeof(n_time);
1503 }
1504 }
1505 if (forward && ipforwarding) {
1506 ip_forward(m, 1, next_hop);
1507 return (1);
1508 }
1509 return (0);
1510bad:
1511 icmp_error(m, type, code, 0, 0);
1512 ipstat.ips_badoptions++;
1513 return (1);
1514}
1515
1516/*
1517 * Given address of next destination (final or next hop),
1518 * return internet address info of interface to be used to get there.
1519 */
1520struct in_ifaddr *
1521ip_rtaddr(dst, rt)
1522 struct in_addr dst;
1523 struct route *rt;
1524{
1525 register struct sockaddr_in *sin;
1526
1527 sin = (struct sockaddr_in *)&rt->ro_dst;
1528
1529 if (rt->ro_rt == 0 ||
1530 !(rt->ro_rt->rt_flags & RTF_UP) ||
1531 dst.s_addr != sin->sin_addr.s_addr) {
1532 if (rt->ro_rt) {
1533 RTFREE(rt->ro_rt);
1534 rt->ro_rt = 0;
1535 }
1536 sin->sin_family = AF_INET;
1537 sin->sin_len = sizeof(*sin);
1538 sin->sin_addr = dst;
1539
1540 rtalloc_ign(rt, RTF_PRCLONING);
1541 }
1542 if (rt->ro_rt == 0)
1543 return ((struct in_ifaddr *)0);
1544 return (ifatoia(rt->ro_rt->rt_ifa));
1545}
1546
1547/*
1548 * Save incoming source route for use in replies,
1549 * to be picked up later by ip_srcroute if the receiver is interested.
1550 */
1551static void
1552save_rte(option, dst)
1553 u_char *option;
1554 struct in_addr dst;
1555{
1556 unsigned olen;
1557
1558 olen = option[IPOPT_OLEN];
1559#ifdef DIAGNOSTIC
1560 if (ipprintfs)
1561 printf("save_rte: olen %d\n", olen);
1562#endif
1563 if (olen > sizeof(ip_srcrt) - (1 + sizeof(dst)))
1564 return;
1565 bcopy(option, ip_srcrt.srcopt, olen);
1566 ip_nhops = (olen - IPOPT_OFFSET - 1) / sizeof(struct in_addr);
1567 ip_srcrt.dst = dst;
1568}
1569
1570/*
1571 * Retrieve incoming source route for use in replies,
1572 * in the same form used by setsockopt.
1573 * The first hop is placed before the options, will be removed later.
1574 */
1575struct mbuf *
1576ip_srcroute()
1577{
1578 register struct in_addr *p, *q;
1579 register struct mbuf *m;
1580
1581 if (ip_nhops == 0)
1582 return ((struct mbuf *)0);
1583 m = m_get(M_DONTWAIT, MT_HEADER);
1584 if (m == 0)
1585 return ((struct mbuf *)0);
1586
1587#define OPTSIZ (sizeof(ip_srcrt.nop) + sizeof(ip_srcrt.srcopt))
1588
1589 /* length is (nhops+1)*sizeof(addr) + sizeof(nop + srcrt header) */
1590 m->m_len = ip_nhops * sizeof(struct in_addr) + sizeof(struct in_addr) +
1591 OPTSIZ;
1592#ifdef DIAGNOSTIC
1593 if (ipprintfs)
1594 printf("ip_srcroute: nhops %d mlen %d", ip_nhops, m->m_len);
1595#endif
1596
1597 /*
1598 * First save first hop for return route
1599 */
1600 p = &ip_srcrt.route[ip_nhops - 1];
1601 *(mtod(m, struct in_addr *)) = *p--;
1602#ifdef DIAGNOSTIC
1603 if (ipprintfs)
1604 printf(" hops %lx", (u_long)ntohl(mtod(m, struct in_addr *)->s_addr));
1605#endif
1606
1607 /*
1608 * Copy option fields and padding (nop) to mbuf.
1609 */
1610 ip_srcrt.nop = IPOPT_NOP;
1611 ip_srcrt.srcopt[IPOPT_OFFSET] = IPOPT_MINOFF;
1612 (void)memcpy(mtod(m, caddr_t) + sizeof(struct in_addr),
1613 &ip_srcrt.nop, OPTSIZ);
1614 q = (struct in_addr *)(mtod(m, caddr_t) +
1615 sizeof(struct in_addr) + OPTSIZ);
1616#undef OPTSIZ
1617 /*
1618 * Record return path as an IP source route,
1619 * reversing the path (pointers are now aligned).
1620 */
1621 while (p >= ip_srcrt.route) {
1622#ifdef DIAGNOSTIC
1623 if (ipprintfs)
1624 printf(" %lx", (u_long)ntohl(q->s_addr));
1625#endif
1626 *q++ = *p--;
1627 }
1628 /*
1629 * Last hop goes to final destination.
1630 */
1631 *q = ip_srcrt.dst;
1632#ifdef DIAGNOSTIC
1633 if (ipprintfs)
1634 printf(" %lx\n", (u_long)ntohl(q->s_addr));
1635#endif
1636 return (m);
1637}
1638
1639/*
1640 * Strip out IP options, at higher
1641 * level protocol in the kernel.
1642 * Second argument is buffer to which options
1643 * will be moved, and return value is their length.
1644 * XXX should be deleted; last arg currently ignored.
1645 */
1646void
1647ip_stripoptions(m, mopt)
1648 register struct mbuf *m;
1649 struct mbuf *mopt;
1650{
1651 register int i;
1652 struct ip *ip = mtod(m, struct ip *);
1653 register caddr_t opts;
1654 int olen;
1655
|
1658 olen = (IP_VHL_HL(ip->ip_vhl) << 2) - sizeof (struct ip);
| 1656 olen = (ip->ip_hl << 2) - sizeof (struct ip);
|
1659 opts = (caddr_t)(ip + 1);
1660 i = m->m_len - (sizeof (struct ip) + olen);
1661 bcopy(opts + olen, opts, (unsigned)i);
1662 m->m_len -= olen;
1663 if (m->m_flags & M_PKTHDR)
1664 m->m_pkthdr.len -= olen;
| 1657 opts = (caddr_t)(ip + 1);
1658 i = m->m_len - (sizeof (struct ip) + olen);
1659 bcopy(opts + olen, opts, (unsigned)i);
1660 m->m_len -= olen;
1661 if (m->m_flags & M_PKTHDR)
1662 m->m_pkthdr.len -= olen;
|
1665 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2);
| 1663 ip->ip_v = IPVERSION;
1664 ip->ip_hl = sizeof(struct ip) >> 2;
|
1666}
1667
1668u_char inetctlerrmap[PRC_NCMDS] = {
1669 0, 0, 0, 0,
1670 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH,
1671 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED,
1672 EMSGSIZE, EHOSTUNREACH, 0, 0,
1673 0, 0, 0, 0,
1674 ENOPROTOOPT, ECONNREFUSED
1675};
1676
1677/*
1678 * Forward a packet. If some error occurs return the sender
1679 * an icmp packet. Note we can't always generate a meaningful
1680 * icmp message because icmp doesn't have a large enough repertoire
1681 * of codes and types.
1682 *
1683 * If not forwarding, just drop the packet. This could be confusing
1684 * if ipforwarding was zero but some routing protocol was advancing
1685 * us as a gateway to somewhere. However, we must let the routing
1686 * protocol deal with that.
1687 *
1688 * The srcrt parameter indicates whether the packet is being forwarded
1689 * via a source route.
1690 */
1691static void
1692ip_forward(struct mbuf *m, int srcrt, struct sockaddr_in *next_hop)
1693{
1694 struct ip *ip = mtod(m, struct ip *);
1695 struct rtentry *rt;
1696 int error, type = 0, code = 0;
1697 struct mbuf *mcopy;
1698 n_long dest;
1699 struct in_addr pkt_dst;
1700 struct ifnet *destifp;
1701#if defined(IPSEC) || defined(FAST_IPSEC)
1702 struct ifnet dummyifp;
1703#endif
1704
1705 dest = 0;
1706 /*
1707 * Cache the destination address of the packet; this may be
1708 * changed by use of 'ipfw fwd'.
1709 */
1710 pkt_dst = next_hop ? next_hop->sin_addr : ip->ip_dst;
1711
1712#ifdef DIAGNOSTIC
1713 if (ipprintfs)
1714 printf("forward: src %lx dst %lx ttl %x\n",
1715 (u_long)ip->ip_src.s_addr, (u_long)pkt_dst.s_addr,
1716 ip->ip_ttl);
1717#endif
1718
1719
1720 if (m->m_flags & (M_BCAST|M_MCAST) || in_canforward(pkt_dst) == 0) {
1721 ipstat.ips_cantforward++;
1722 m_freem(m);
1723 return;
1724 }
1725#ifdef IPSTEALTH
1726 if (!ipstealth) {
1727#endif
1728 if (ip->ip_ttl <= IPTTLDEC) {
1729 icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS,
1730 dest, 0);
1731 return;
1732 }
1733#ifdef IPSTEALTH
1734 }
1735#endif
1736
1737 if (ip_rtaddr(pkt_dst, &ipforward_rt) == 0) {
1738 icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, dest, 0);
1739 return;
1740 } else
1741 rt = ipforward_rt.ro_rt;
1742
1743 /*
1744 * Save the IP header and at most 8 bytes of the payload,
1745 * in case we need to generate an ICMP message to the src.
1746 *
1747 * XXX this can be optimized a lot by saving the data in a local
1748 * buffer on the stack (72 bytes at most), and only allocating the
1749 * mbuf if really necessary. The vast majority of the packets
1750 * are forwarded without having to send an ICMP back (either
1751 * because unnecessary, or because rate limited), so we are
1752 * really we are wasting a lot of work here.
1753 *
1754 * We don't use m_copy() because it might return a reference
1755 * to a shared cluster. Both this function and ip_output()
1756 * assume exclusive access to the IP header in `m', so any
1757 * data in a cluster may change before we reach icmp_error().
1758 */
1759 MGET(mcopy, M_DONTWAIT, m->m_type);
1760 if (mcopy != NULL) {
1761 M_COPY_PKTHDR(mcopy, m);
| 1665}
1666
1667u_char inetctlerrmap[PRC_NCMDS] = {
1668 0, 0, 0, 0,
1669 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH,
1670 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED,
1671 EMSGSIZE, EHOSTUNREACH, 0, 0,
1672 0, 0, 0, 0,
1673 ENOPROTOOPT, ECONNREFUSED
1674};
1675
1676/*
1677 * Forward a packet. If some error occurs return the sender
1678 * an icmp packet. Note we can't always generate a meaningful
1679 * icmp message because icmp doesn't have a large enough repertoire
1680 * of codes and types.
1681 *
1682 * If not forwarding, just drop the packet. This could be confusing
1683 * if ipforwarding was zero but some routing protocol was advancing
1684 * us as a gateway to somewhere. However, we must let the routing
1685 * protocol deal with that.
1686 *
1687 * The srcrt parameter indicates whether the packet is being forwarded
1688 * via a source route.
1689 */
1690static void
1691ip_forward(struct mbuf *m, int srcrt, struct sockaddr_in *next_hop)
1692{
1693 struct ip *ip = mtod(m, struct ip *);
1694 struct rtentry *rt;
1695 int error, type = 0, code = 0;
1696 struct mbuf *mcopy;
1697 n_long dest;
1698 struct in_addr pkt_dst;
1699 struct ifnet *destifp;
1700#if defined(IPSEC) || defined(FAST_IPSEC)
1701 struct ifnet dummyifp;
1702#endif
1703
1704 dest = 0;
1705 /*
1706 * Cache the destination address of the packet; this may be
1707 * changed by use of 'ipfw fwd'.
1708 */
1709 pkt_dst = next_hop ? next_hop->sin_addr : ip->ip_dst;
1710
1711#ifdef DIAGNOSTIC
1712 if (ipprintfs)
1713 printf("forward: src %lx dst %lx ttl %x\n",
1714 (u_long)ip->ip_src.s_addr, (u_long)pkt_dst.s_addr,
1715 ip->ip_ttl);
1716#endif
1717
1718
1719 if (m->m_flags & (M_BCAST|M_MCAST) || in_canforward(pkt_dst) == 0) {
1720 ipstat.ips_cantforward++;
1721 m_freem(m);
1722 return;
1723 }
1724#ifdef IPSTEALTH
1725 if (!ipstealth) {
1726#endif
1727 if (ip->ip_ttl <= IPTTLDEC) {
1728 icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS,
1729 dest, 0);
1730 return;
1731 }
1732#ifdef IPSTEALTH
1733 }
1734#endif
1735
1736 if (ip_rtaddr(pkt_dst, &ipforward_rt) == 0) {
1737 icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, dest, 0);
1738 return;
1739 } else
1740 rt = ipforward_rt.ro_rt;
1741
1742 /*
1743 * Save the IP header and at most 8 bytes of the payload,
1744 * in case we need to generate an ICMP message to the src.
1745 *
1746 * XXX this can be optimized a lot by saving the data in a local
1747 * buffer on the stack (72 bytes at most), and only allocating the
1748 * mbuf if really necessary. The vast majority of the packets
1749 * are forwarded without having to send an ICMP back (either
1750 * because unnecessary, or because rate limited), so we are
1751 * really we are wasting a lot of work here.
1752 *
1753 * We don't use m_copy() because it might return a reference
1754 * to a shared cluster. Both this function and ip_output()
1755 * assume exclusive access to the IP header in `m', so any
1756 * data in a cluster may change before we reach icmp_error().
1757 */
1758 MGET(mcopy, M_DONTWAIT, m->m_type);
1759 if (mcopy != NULL) {
1760 M_COPY_PKTHDR(mcopy, m);
|
1762 mcopy->m_len = imin((IP_VHL_HL(ip->ip_vhl) << 2) + 8,
| 1761 mcopy->m_len = imin((ip->ip_hl << 2) + 8,
|
1763 (int)ip->ip_len);
1764 m_copydata(m, 0, mcopy->m_len, mtod(mcopy, caddr_t));
1765#ifdef MAC
1766 /*
1767 * XXXMAC: This will eventually become an explicit
1768 * labeling point.
1769 */
1770 mac_create_mbuf_from_mbuf(m, mcopy);
1771#endif
1772 }
1773
1774#ifdef IPSTEALTH
1775 if (!ipstealth) {
1776#endif
1777 ip->ip_ttl -= IPTTLDEC;
1778#ifdef IPSTEALTH
1779 }
1780#endif
1781
1782 /*
1783 * If forwarding packet using same interface that it came in on,
1784 * perhaps should send a redirect to sender to shortcut a hop.
1785 * Only send redirect if source is sending directly to us,
1786 * and if packet was not source routed (or has any options).
1787 * Also, don't send redirect if forwarding using a default route
1788 * or a route modified by a redirect.
1789 */
1790 if (rt->rt_ifp == m->m_pkthdr.rcvif &&
1791 (rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0 &&
1792 satosin(rt_key(rt))->sin_addr.s_addr != 0 &&
1793 ipsendredirects && !srcrt && !next_hop) {
1794#define RTA(rt) ((struct in_ifaddr *)(rt->rt_ifa))
1795 u_long src = ntohl(ip->ip_src.s_addr);
1796
1797 if (RTA(rt) &&
1798 (src & RTA(rt)->ia_subnetmask) == RTA(rt)->ia_subnet) {
1799 if (rt->rt_flags & RTF_GATEWAY)
1800 dest = satosin(rt->rt_gateway)->sin_addr.s_addr;
1801 else
1802 dest = pkt_dst.s_addr;
1803 /* Router requirements says to only send host redirects */
1804 type = ICMP_REDIRECT;
1805 code = ICMP_REDIRECT_HOST;
1806#ifdef DIAGNOSTIC
1807 if (ipprintfs)
1808 printf("redirect (%d) to %lx\n", code, (u_long)dest);
1809#endif
1810 }
1811 }
1812
1813 {
1814 struct m_hdr tag;
1815
1816 if (next_hop) {
1817 /* Pass IPFORWARD info if available */
1818
1819 tag.mh_type = MT_TAG;
1820 tag.mh_flags = PACKET_TAG_IPFORWARD;
1821 tag.mh_data = (caddr_t)next_hop;
1822 tag.mh_next = m;
1823 m = (struct mbuf *)&tag;
1824 }
1825 error = ip_output(m, (struct mbuf *)0, &ipforward_rt,
1826 IP_FORWARDING, 0, NULL);
1827 }
1828 if (error)
1829 ipstat.ips_cantforward++;
1830 else {
1831 ipstat.ips_forward++;
1832 if (type)
1833 ipstat.ips_redirectsent++;
1834 else {
1835 if (mcopy) {
1836 ipflow_create(&ipforward_rt, mcopy);
1837 m_freem(mcopy);
1838 }
1839 return;
1840 }
1841 }
1842 if (mcopy == NULL)
1843 return;
1844 destifp = NULL;
1845
1846 switch (error) {
1847
1848 case 0: /* forwarded, but need redirect */
1849 /* type, code set above */
1850 break;
1851
1852 case ENETUNREACH: /* shouldn't happen, checked above */
1853 case EHOSTUNREACH:
1854 case ENETDOWN:
1855 case EHOSTDOWN:
1856 default:
1857 type = ICMP_UNREACH;
1858 code = ICMP_UNREACH_HOST;
1859 break;
1860
1861 case EMSGSIZE:
1862 type = ICMP_UNREACH;
1863 code = ICMP_UNREACH_NEEDFRAG;
1864#ifdef IPSEC
1865 /*
1866 * If the packet is routed over IPsec tunnel, tell the
1867 * originator the tunnel MTU.
1868 * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
1869 * XXX quickhack!!!
1870 */
1871 if (ipforward_rt.ro_rt) {
1872 struct secpolicy *sp = NULL;
1873 int ipsecerror;
1874 int ipsechdr;
1875 struct route *ro;
1876
1877 sp = ipsec4_getpolicybyaddr(mcopy,
1878 IPSEC_DIR_OUTBOUND,
1879 IP_FORWARDING,
1880 &ipsecerror);
1881
1882 if (sp == NULL)
1883 destifp = ipforward_rt.ro_rt->rt_ifp;
1884 else {
1885 /* count IPsec header size */
1886 ipsechdr = ipsec4_hdrsiz(mcopy,
1887 IPSEC_DIR_OUTBOUND,
1888 NULL);
1889
1890 /*
1891 * find the correct route for outer IPv4
1892 * header, compute tunnel MTU.
1893 *
1894 * XXX BUG ALERT
1895 * The "dummyifp" code relies upon the fact
1896 * that icmp_error() touches only ifp->if_mtu.
1897 */
1898 /*XXX*/
1899 destifp = NULL;
1900 if (sp->req != NULL
1901 && sp->req->sav != NULL
1902 && sp->req->sav->sah != NULL) {
1903 ro = &sp->req->sav->sah->sa_route;
1904 if (ro->ro_rt && ro->ro_rt->rt_ifp) {
1905 dummyifp.if_mtu =
1906 ro->ro_rt->rt_ifp->if_mtu;
1907 dummyifp.if_mtu -= ipsechdr;
1908 destifp = &dummyifp;
1909 }
1910 }
1911
1912 key_freesp(sp);
1913 }
1914 }
1915#elif FAST_IPSEC
1916 /*
1917 * If the packet is routed over IPsec tunnel, tell the
1918 * originator the tunnel MTU.
1919 * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
1920 * XXX quickhack!!!
1921 */
1922 if (ipforward_rt.ro_rt) {
1923 struct secpolicy *sp = NULL;
1924 int ipsecerror;
1925 int ipsechdr;
1926 struct route *ro;
1927
1928 sp = ipsec_getpolicybyaddr(mcopy,
1929 IPSEC_DIR_OUTBOUND,
1930 IP_FORWARDING,
1931 &ipsecerror);
1932
1933 if (sp == NULL)
1934 destifp = ipforward_rt.ro_rt->rt_ifp;
1935 else {
1936 /* count IPsec header size */
1937 ipsechdr = ipsec4_hdrsiz(mcopy,
1938 IPSEC_DIR_OUTBOUND,
1939 NULL);
1940
1941 /*
1942 * find the correct route for outer IPv4
1943 * header, compute tunnel MTU.
1944 *
1945 * XXX BUG ALERT
1946 * The "dummyifp" code relies upon the fact
1947 * that icmp_error() touches only ifp->if_mtu.
1948 */
1949 /*XXX*/
1950 destifp = NULL;
1951 if (sp->req != NULL
1952 && sp->req->sav != NULL
1953 && sp->req->sav->sah != NULL) {
1954 ro = &sp->req->sav->sah->sa_route;
1955 if (ro->ro_rt && ro->ro_rt->rt_ifp) {
1956 dummyifp.if_mtu =
1957 ro->ro_rt->rt_ifp->if_mtu;
1958 dummyifp.if_mtu -= ipsechdr;
1959 destifp = &dummyifp;
1960 }
1961 }
1962
1963 KEY_FREESP(&sp);
1964 }
1965 }
1966#else /* !IPSEC && !FAST_IPSEC */
1967 if (ipforward_rt.ro_rt)
1968 destifp = ipforward_rt.ro_rt->rt_ifp;
1969#endif /*IPSEC*/
1970 ipstat.ips_cantfrag++;
1971 break;
1972
1973 case ENOBUFS:
1974 type = ICMP_SOURCEQUENCH;
1975 code = 0;
1976 break;
1977
1978 case EACCES: /* ipfw denied packet */
1979 m_freem(mcopy);
1980 return;
1981 }
1982 icmp_error(mcopy, type, code, dest, destifp);
1983}
1984
1985void
1986ip_savecontrol(inp, mp, ip, m)
1987 register struct inpcb *inp;
1988 register struct mbuf **mp;
1989 register struct ip *ip;
1990 register struct mbuf *m;
1991{
1992 if (inp->inp_socket->so_options & SO_TIMESTAMP) {
1993 struct timeval tv;
1994
1995 microtime(&tv);
1996 *mp = sbcreatecontrol((caddr_t) &tv, sizeof(tv),
1997 SCM_TIMESTAMP, SOL_SOCKET);
1998 if (*mp)
1999 mp = &(*mp)->m_next;
2000 }
2001 if (inp->inp_flags & INP_RECVDSTADDR) {
2002 *mp = sbcreatecontrol((caddr_t) &ip->ip_dst,
2003 sizeof(struct in_addr), IP_RECVDSTADDR, IPPROTO_IP);
2004 if (*mp)
2005 mp = &(*mp)->m_next;
2006 }
2007#ifdef notyet
2008 /* XXX
2009 * Moving these out of udp_input() made them even more broken
2010 * than they already were.
2011 */
2012 /* options were tossed already */
2013 if (inp->inp_flags & INP_RECVOPTS) {
2014 *mp = sbcreatecontrol((caddr_t) opts_deleted_above,
2015 sizeof(struct in_addr), IP_RECVOPTS, IPPROTO_IP);
2016 if (*mp)
2017 mp = &(*mp)->m_next;
2018 }
2019 /* ip_srcroute doesn't do what we want here, need to fix */
2020 if (inp->inp_flags & INP_RECVRETOPTS) {
2021 *mp = sbcreatecontrol((caddr_t) ip_srcroute(),
2022 sizeof(struct in_addr), IP_RECVRETOPTS, IPPROTO_IP);
2023 if (*mp)
2024 mp = &(*mp)->m_next;
2025 }
2026#endif
2027 if (inp->inp_flags & INP_RECVIF) {
2028 struct ifnet *ifp;
2029 struct sdlbuf {
2030 struct sockaddr_dl sdl;
2031 u_char pad[32];
2032 } sdlbuf;
2033 struct sockaddr_dl *sdp;
2034 struct sockaddr_dl *sdl2 = &sdlbuf.sdl;
2035
2036 if (((ifp = m->m_pkthdr.rcvif))
2037 && ( ifp->if_index && (ifp->if_index <= if_index))) {
2038 sdp = (struct sockaddr_dl *)
2039 (ifaddr_byindex(ifp->if_index)->ifa_addr);
2040 /*
2041 * Change our mind and don't try copy.
2042 */
2043 if ((sdp->sdl_family != AF_LINK)
2044 || (sdp->sdl_len > sizeof(sdlbuf))) {
2045 goto makedummy;
2046 }
2047 bcopy(sdp, sdl2, sdp->sdl_len);
2048 } else {
2049makedummy:
2050 sdl2->sdl_len
2051 = offsetof(struct sockaddr_dl, sdl_data[0]);
2052 sdl2->sdl_family = AF_LINK;
2053 sdl2->sdl_index = 0;
2054 sdl2->sdl_nlen = sdl2->sdl_alen = sdl2->sdl_slen = 0;
2055 }
2056 *mp = sbcreatecontrol((caddr_t) sdl2, sdl2->sdl_len,
2057 IP_RECVIF, IPPROTO_IP);
2058 if (*mp)
2059 mp = &(*mp)->m_next;
2060 }
2061}
2062
2063/*
2064 * XXX these routines are called from the upper part of the kernel.
2065 * They need to be locked when we remove Giant.
2066 *
2067 * They could also be moved to ip_mroute.c, since all the RSVP
2068 * handling is done there already.
2069 */
2070static int ip_rsvp_on;
2071struct socket *ip_rsvpd;
2072int
2073ip_rsvp_init(struct socket *so)
2074{
2075 if (so->so_type != SOCK_RAW ||
2076 so->so_proto->pr_protocol != IPPROTO_RSVP)
2077 return EOPNOTSUPP;
2078
2079 if (ip_rsvpd != NULL)
2080 return EADDRINUSE;
2081
2082 ip_rsvpd = so;
2083 /*
2084 * This may seem silly, but we need to be sure we don't over-increment
2085 * the RSVP counter, in case something slips up.
2086 */
2087 if (!ip_rsvp_on) {
2088 ip_rsvp_on = 1;
2089 rsvp_on++;
2090 }
2091
2092 return 0;
2093}
2094
2095int
2096ip_rsvp_done(void)
2097{
2098 ip_rsvpd = NULL;
2099 /*
2100 * This may seem silly, but we need to be sure we don't over-decrement
2101 * the RSVP counter, in case something slips up.
2102 */
2103 if (ip_rsvp_on) {
2104 ip_rsvp_on = 0;
2105 rsvp_on--;
2106 }
2107 return 0;
2108}
| 1762 (int)ip->ip_len);
1763 m_copydata(m, 0, mcopy->m_len, mtod(mcopy, caddr_t));
1764#ifdef MAC
1765 /*
1766 * XXXMAC: This will eventually become an explicit
1767 * labeling point.
1768 */
1769 mac_create_mbuf_from_mbuf(m, mcopy);
1770#endif
1771 }
1772
1773#ifdef IPSTEALTH
1774 if (!ipstealth) {
1775#endif
1776 ip->ip_ttl -= IPTTLDEC;
1777#ifdef IPSTEALTH
1778 }
1779#endif
1780
1781 /*
1782 * If forwarding packet using same interface that it came in on,
1783 * perhaps should send a redirect to sender to shortcut a hop.
1784 * Only send redirect if source is sending directly to us,
1785 * and if packet was not source routed (or has any options).
1786 * Also, don't send redirect if forwarding using a default route
1787 * or a route modified by a redirect.
1788 */
1789 if (rt->rt_ifp == m->m_pkthdr.rcvif &&
1790 (rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0 &&
1791 satosin(rt_key(rt))->sin_addr.s_addr != 0 &&
1792 ipsendredirects && !srcrt && !next_hop) {
1793#define RTA(rt) ((struct in_ifaddr *)(rt->rt_ifa))
1794 u_long src = ntohl(ip->ip_src.s_addr);
1795
1796 if (RTA(rt) &&
1797 (src & RTA(rt)->ia_subnetmask) == RTA(rt)->ia_subnet) {
1798 if (rt->rt_flags & RTF_GATEWAY)
1799 dest = satosin(rt->rt_gateway)->sin_addr.s_addr;
1800 else
1801 dest = pkt_dst.s_addr;
1802 /* Router requirements says to only send host redirects */
1803 type = ICMP_REDIRECT;
1804 code = ICMP_REDIRECT_HOST;
1805#ifdef DIAGNOSTIC
1806 if (ipprintfs)
1807 printf("redirect (%d) to %lx\n", code, (u_long)dest);
1808#endif
1809 }
1810 }
1811
1812 {
1813 struct m_hdr tag;
1814
1815 if (next_hop) {
1816 /* Pass IPFORWARD info if available */
1817
1818 tag.mh_type = MT_TAG;
1819 tag.mh_flags = PACKET_TAG_IPFORWARD;
1820 tag.mh_data = (caddr_t)next_hop;
1821 tag.mh_next = m;
1822 m = (struct mbuf *)&tag;
1823 }
1824 error = ip_output(m, (struct mbuf *)0, &ipforward_rt,
1825 IP_FORWARDING, 0, NULL);
1826 }
1827 if (error)
1828 ipstat.ips_cantforward++;
1829 else {
1830 ipstat.ips_forward++;
1831 if (type)
1832 ipstat.ips_redirectsent++;
1833 else {
1834 if (mcopy) {
1835 ipflow_create(&ipforward_rt, mcopy);
1836 m_freem(mcopy);
1837 }
1838 return;
1839 }
1840 }
1841 if (mcopy == NULL)
1842 return;
1843 destifp = NULL;
1844
1845 switch (error) {
1846
1847 case 0: /* forwarded, but need redirect */
1848 /* type, code set above */
1849 break;
1850
1851 case ENETUNREACH: /* shouldn't happen, checked above */
1852 case EHOSTUNREACH:
1853 case ENETDOWN:
1854 case EHOSTDOWN:
1855 default:
1856 type = ICMP_UNREACH;
1857 code = ICMP_UNREACH_HOST;
1858 break;
1859
1860 case EMSGSIZE:
1861 type = ICMP_UNREACH;
1862 code = ICMP_UNREACH_NEEDFRAG;
1863#ifdef IPSEC
1864 /*
1865 * If the packet is routed over IPsec tunnel, tell the
1866 * originator the tunnel MTU.
1867 * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
1868 * XXX quickhack!!!
1869 */
1870 if (ipforward_rt.ro_rt) {
1871 struct secpolicy *sp = NULL;
1872 int ipsecerror;
1873 int ipsechdr;
1874 struct route *ro;
1875
1876 sp = ipsec4_getpolicybyaddr(mcopy,
1877 IPSEC_DIR_OUTBOUND,
1878 IP_FORWARDING,
1879 &ipsecerror);
1880
1881 if (sp == NULL)
1882 destifp = ipforward_rt.ro_rt->rt_ifp;
1883 else {
1884 /* count IPsec header size */
1885 ipsechdr = ipsec4_hdrsiz(mcopy,
1886 IPSEC_DIR_OUTBOUND,
1887 NULL);
1888
1889 /*
1890 * find the correct route for outer IPv4
1891 * header, compute tunnel MTU.
1892 *
1893 * XXX BUG ALERT
1894 * The "dummyifp" code relies upon the fact
1895 * that icmp_error() touches only ifp->if_mtu.
1896 */
1897 /*XXX*/
1898 destifp = NULL;
1899 if (sp->req != NULL
1900 && sp->req->sav != NULL
1901 && sp->req->sav->sah != NULL) {
1902 ro = &sp->req->sav->sah->sa_route;
1903 if (ro->ro_rt && ro->ro_rt->rt_ifp) {
1904 dummyifp.if_mtu =
1905 ro->ro_rt->rt_ifp->if_mtu;
1906 dummyifp.if_mtu -= ipsechdr;
1907 destifp = &dummyifp;
1908 }
1909 }
1910
1911 key_freesp(sp);
1912 }
1913 }
1914#elif FAST_IPSEC
1915 /*
1916 * If the packet is routed over IPsec tunnel, tell the
1917 * originator the tunnel MTU.
1918 * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
1919 * XXX quickhack!!!
1920 */
1921 if (ipforward_rt.ro_rt) {
1922 struct secpolicy *sp = NULL;
1923 int ipsecerror;
1924 int ipsechdr;
1925 struct route *ro;
1926
1927 sp = ipsec_getpolicybyaddr(mcopy,
1928 IPSEC_DIR_OUTBOUND,
1929 IP_FORWARDING,
1930 &ipsecerror);
1931
1932 if (sp == NULL)
1933 destifp = ipforward_rt.ro_rt->rt_ifp;
1934 else {
1935 /* count IPsec header size */
1936 ipsechdr = ipsec4_hdrsiz(mcopy,
1937 IPSEC_DIR_OUTBOUND,
1938 NULL);
1939
1940 /*
1941 * find the correct route for outer IPv4
1942 * header, compute tunnel MTU.
1943 *
1944 * XXX BUG ALERT
1945 * The "dummyifp" code relies upon the fact
1946 * that icmp_error() touches only ifp->if_mtu.
1947 */
1948 /*XXX*/
1949 destifp = NULL;
1950 if (sp->req != NULL
1951 && sp->req->sav != NULL
1952 && sp->req->sav->sah != NULL) {
1953 ro = &sp->req->sav->sah->sa_route;
1954 if (ro->ro_rt && ro->ro_rt->rt_ifp) {
1955 dummyifp.if_mtu =
1956 ro->ro_rt->rt_ifp->if_mtu;
1957 dummyifp.if_mtu -= ipsechdr;
1958 destifp = &dummyifp;
1959 }
1960 }
1961
1962 KEY_FREESP(&sp);
1963 }
1964 }
1965#else /* !IPSEC && !FAST_IPSEC */
1966 if (ipforward_rt.ro_rt)
1967 destifp = ipforward_rt.ro_rt->rt_ifp;
1968#endif /*IPSEC*/
1969 ipstat.ips_cantfrag++;
1970 break;
1971
1972 case ENOBUFS:
1973 type = ICMP_SOURCEQUENCH;
1974 code = 0;
1975 break;
1976
1977 case EACCES: /* ipfw denied packet */
1978 m_freem(mcopy);
1979 return;
1980 }
1981 icmp_error(mcopy, type, code, dest, destifp);
1982}
1983
1984void
1985ip_savecontrol(inp, mp, ip, m)
1986 register struct inpcb *inp;
1987 register struct mbuf **mp;
1988 register struct ip *ip;
1989 register struct mbuf *m;
1990{
1991 if (inp->inp_socket->so_options & SO_TIMESTAMP) {
1992 struct timeval tv;
1993
1994 microtime(&tv);
1995 *mp = sbcreatecontrol((caddr_t) &tv, sizeof(tv),
1996 SCM_TIMESTAMP, SOL_SOCKET);
1997 if (*mp)
1998 mp = &(*mp)->m_next;
1999 }
2000 if (inp->inp_flags & INP_RECVDSTADDR) {
2001 *mp = sbcreatecontrol((caddr_t) &ip->ip_dst,
2002 sizeof(struct in_addr), IP_RECVDSTADDR, IPPROTO_IP);
2003 if (*mp)
2004 mp = &(*mp)->m_next;
2005 }
2006#ifdef notyet
2007 /* XXX
2008 * Moving these out of udp_input() made them even more broken
2009 * than they already were.
2010 */
2011 /* options were tossed already */
2012 if (inp->inp_flags & INP_RECVOPTS) {
2013 *mp = sbcreatecontrol((caddr_t) opts_deleted_above,
2014 sizeof(struct in_addr), IP_RECVOPTS, IPPROTO_IP);
2015 if (*mp)
2016 mp = &(*mp)->m_next;
2017 }
2018 /* ip_srcroute doesn't do what we want here, need to fix */
2019 if (inp->inp_flags & INP_RECVRETOPTS) {
2020 *mp = sbcreatecontrol((caddr_t) ip_srcroute(),
2021 sizeof(struct in_addr), IP_RECVRETOPTS, IPPROTO_IP);
2022 if (*mp)
2023 mp = &(*mp)->m_next;
2024 }
2025#endif
2026 if (inp->inp_flags & INP_RECVIF) {
2027 struct ifnet *ifp;
2028 struct sdlbuf {
2029 struct sockaddr_dl sdl;
2030 u_char pad[32];
2031 } sdlbuf;
2032 struct sockaddr_dl *sdp;
2033 struct sockaddr_dl *sdl2 = &sdlbuf.sdl;
2034
2035 if (((ifp = m->m_pkthdr.rcvif))
2036 && ( ifp->if_index && (ifp->if_index <= if_index))) {
2037 sdp = (struct sockaddr_dl *)
2038 (ifaddr_byindex(ifp->if_index)->ifa_addr);
2039 /*
2040 * Change our mind and don't try copy.
2041 */
2042 if ((sdp->sdl_family != AF_LINK)
2043 || (sdp->sdl_len > sizeof(sdlbuf))) {
2044 goto makedummy;
2045 }
2046 bcopy(sdp, sdl2, sdp->sdl_len);
2047 } else {
2048makedummy:
2049 sdl2->sdl_len
2050 = offsetof(struct sockaddr_dl, sdl_data[0]);
2051 sdl2->sdl_family = AF_LINK;
2052 sdl2->sdl_index = 0;
2053 sdl2->sdl_nlen = sdl2->sdl_alen = sdl2->sdl_slen = 0;
2054 }
2055 *mp = sbcreatecontrol((caddr_t) sdl2, sdl2->sdl_len,
2056 IP_RECVIF, IPPROTO_IP);
2057 if (*mp)
2058 mp = &(*mp)->m_next;
2059 }
2060}
2061
2062/*
2063 * XXX these routines are called from the upper part of the kernel.
2064 * They need to be locked when we remove Giant.
2065 *
2066 * They could also be moved to ip_mroute.c, since all the RSVP
2067 * handling is done there already.
2068 */
2069static int ip_rsvp_on;
2070struct socket *ip_rsvpd;
2071int
2072ip_rsvp_init(struct socket *so)
2073{
2074 if (so->so_type != SOCK_RAW ||
2075 so->so_proto->pr_protocol != IPPROTO_RSVP)
2076 return EOPNOTSUPP;
2077
2078 if (ip_rsvpd != NULL)
2079 return EADDRINUSE;
2080
2081 ip_rsvpd = so;
2082 /*
2083 * This may seem silly, but we need to be sure we don't over-increment
2084 * the RSVP counter, in case something slips up.
2085 */
2086 if (!ip_rsvp_on) {
2087 ip_rsvp_on = 1;
2088 rsvp_on++;
2089 }
2090
2091 return 0;
2092}
2093
2094int
2095ip_rsvp_done(void)
2096{
2097 ip_rsvpd = NULL;
2098 /*
2099 * This may seem silly, but we need to be sure we don't over-decrement
2100 * the RSVP counter, in case something slips up.
2101 */
2102 if (ip_rsvp_on) {
2103 ip_rsvp_on = 0;
2104 rsvp_on--;
2105 }
2106 return 0;
2107}
|