ip_reass.c (133720) ip_reass.c (133920)
1/*
2 * Copyright (c) 1982, 1986, 1988, 1993
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright

--- 13 unchanged lines hidden (view full) ---

22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94
1/*
2 * Copyright (c) 1982, 1986, 1988, 1993
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright

--- 13 unchanged lines hidden (view full) ---

22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94
30 * $FreeBSD: head/sys/netinet/ip_input.c 133720 2004-08-14 15:32:40Z dwmalone $
30 * $FreeBSD: head/sys/netinet/ip_input.c 133920 2004-08-17 22:05:54Z andre $
31 */
32
33#include "opt_bootp.h"
34#include "opt_ipfw.h"
31 */
32
33#include "opt_bootp.h"
34#include "opt_ipfw.h"
35#include "opt_ipdn.h"
36#include "opt_ipdivert.h"
37#include "opt_ipfilter.h"
38#include "opt_ipstealth.h"
39#include "opt_ipsec.h"
40#include "opt_mac.h"
41#include "opt_pfil_hooks.h"
42
43#include <sys/param.h>
44#include <sys/systm.h>
45#include <sys/mac.h>

--- 21 unchanged lines hidden (view full) ---

67#include <netinet/ip.h>
68#include <netinet/in_pcb.h>
69#include <netinet/ip_var.h>
70#include <netinet/ip_icmp.h>
71#include <machine/in_cksum.h>
72
73#include <sys/socketvar.h>
74
35#include "opt_ipstealth.h"
36#include "opt_ipsec.h"
37#include "opt_mac.h"
38#include "opt_pfil_hooks.h"
39
40#include <sys/param.h>
41#include <sys/systm.h>
42#include <sys/mac.h>

--- 21 unchanged lines hidden (view full) ---

64#include <netinet/ip.h>
65#include <netinet/in_pcb.h>
66#include <netinet/ip_var.h>
67#include <netinet/ip_icmp.h>
68#include <machine/in_cksum.h>
69
70#include <sys/socketvar.h>
71
72/* XXX: Temporary until ipfw_ether and ipfw_bridge are converted. */
75#include <netinet/ip_fw.h>
73#include <netinet/ip_fw.h>
76#include <netinet/ip_divert.h>
77#include <netinet/ip_dummynet.h>
78
79#ifdef IPSEC
80#include <netinet6/ipsec.h>
81#include <netkey/key.h>
82#endif
83
84#ifdef FAST_IPSEC

--- 118 unchanged lines hidden (view full) ---

203#endif
204
205#ifdef IPSTEALTH
206int ipstealth = 0;
207SYSCTL_INT(_net_inet_ip, OID_AUTO, stealth, CTLFLAG_RW,
208 &ipstealth, 0, "");
209#endif
210
74#include <netinet/ip_dummynet.h>
75
76#ifdef IPSEC
77#include <netinet6/ipsec.h>
78#include <netkey/key.h>
79#endif
80
81#ifdef FAST_IPSEC

--- 118 unchanged lines hidden (view full) ---

200#endif
201
202#ifdef IPSTEALTH
203int ipstealth = 0;
204SYSCTL_INT(_net_inet_ip, OID_AUTO, stealth, CTLFLAG_RW,
205 &ipstealth, 0, "");
206#endif
207
211
212/* Firewall hooks */
213ip_fw_chk_t *ip_fw_chk_ptr;
214int fw_enable = 1 ;
208/*
209 * ipfw_ether and ipfw_bridge hooks.
210 * XXX: Temporary until those are converted to pfil_hooks as well.
211 */
212ip_fw_chk_t *ip_fw_chk_ptr = NULL;
213ip_dn_io_t *ip_dn_io_ptr = NULL;
215int fw_one_pass = 1;
216
214int fw_one_pass = 1;
215
217/* Dummynet hooks */
218ip_dn_io_t *ip_dn_io_ptr;
219
220/*
221 * XXX this is ugly -- the following two global variables are
222 * used to store packet state while it travels through the stack.
223 * Note that the code even makes assumptions on the size and
224 * alignment of fields inside struct ip_srcrt so e.g. adding some
225 * fields will break the code. This needs to be fixed.
226 *
227 * We need to save the IP options in case a protocol wants to respond

--- 7 unchanged lines hidden (view full) ---

235static struct ip_srcrt {
236 struct in_addr dst; /* final destination */
237 char nop; /* one NOP to align */
238 char srcopt[IPOPT_OFFSET + 1]; /* OPTVAL, OLEN and OFFSET */
239 struct in_addr route[MAX_IPOPTLEN/sizeof(struct in_addr)];
240} ip_srcrt;
241
242static void save_rte(u_char *, struct in_addr);
216/*
217 * XXX this is ugly -- the following two global variables are
218 * used to store packet state while it travels through the stack.
219 * Note that the code even makes assumptions on the size and
220 * alignment of fields inside struct ip_srcrt so e.g. adding some
221 * fields will break the code. This needs to be fixed.
222 *
223 * We need to save the IP options in case a protocol wants to respond

--- 7 unchanged lines hidden (view full) ---

231static struct ip_srcrt {
232 struct in_addr dst; /* final destination */
233 char nop; /* one NOP to align */
234 char srcopt[IPOPT_OFFSET + 1]; /* OPTVAL, OLEN and OFFSET */
235 struct in_addr route[MAX_IPOPTLEN/sizeof(struct in_addr)];
236} ip_srcrt;
237
238static void save_rte(u_char *, struct in_addr);
243static int ip_dooptions(struct mbuf *m, int,
244 struct sockaddr_in *next_hop);
245static void ip_forward(struct mbuf *m, int srcrt,
246 struct sockaddr_in *next_hop);
239static int ip_dooptions(struct mbuf *m, int);
240static void ip_forward(struct mbuf *m, int srcrt);
247static void ip_freef(struct ipqhead *, struct ipq *);
241static void ip_freef(struct ipqhead *, struct ipq *);
248static struct mbuf *ip_reass(struct mbuf *);
249
250/*
251 * IP initialization: fill in IP protocol switch table.
252 * All protocols not implemented in kernel go to raw IP protocol handler.
253 */
254void
255ip_init()
256{

--- 39 unchanged lines hidden (view full) ---

296 * try to reassemble. Process options. Pass to next level.
297 */
298void
299ip_input(struct mbuf *m)
300{
301 struct ip *ip = NULL;
302 struct in_ifaddr *ia = NULL;
303 struct ifaddr *ifa;
242
243/*
244 * IP initialization: fill in IP protocol switch table.
245 * All protocols not implemented in kernel go to raw IP protocol handler.
246 */
247void
248ip_init()
249{

--- 39 unchanged lines hidden (view full) ---

289 * try to reassemble. Process options. Pass to next level.
290 */
291void
292ip_input(struct mbuf *m)
293{
294 struct ip *ip = NULL;
295 struct in_ifaddr *ia = NULL;
296 struct ifaddr *ifa;
304 int i, checkif, hlen = 0;
297 int checkif, hlen = 0;
305 u_short sum;
298 u_short sum;
306 struct in_addr pkt_dst;
307#ifdef IPDIVERT
308 u_int32_t divert_info; /* packet divert/tee info */
309#endif
310 struct ip_fw_args args;
311 int dchg = 0; /* dest changed after fw */
312#ifdef PFIL_HOOKS
313 struct in_addr odst; /* original dst address */
314#endif
315#ifdef FAST_IPSEC
316 struct m_tag *mtag;
317 struct tdb_ident *tdbi;
318 struct secpolicy *sp;
319 int s, error;
320#endif /* FAST_IPSEC */
321
299 int dchg = 0; /* dest changed after fw */
300#ifdef PFIL_HOOKS
301 struct in_addr odst; /* original dst address */
302#endif
303#ifdef FAST_IPSEC
304 struct m_tag *mtag;
305 struct tdb_ident *tdbi;
306 struct secpolicy *sp;
307 int s, error;
308#endif /* FAST_IPSEC */
309
322 args.eh = NULL;
323 args.oif = NULL;
324
325 M_ASSERTPKTHDR(m);
326
310 M_ASSERTPKTHDR(m);
311
327 args.next_hop = m_claim_next(m, PACKET_TAG_IPFORWARD);
328 args.rule = ip_dn_claim_rule(m);
329
330 if (m->m_flags & M_FASTFWD_OURS) {
312 if (m->m_flags & M_FASTFWD_OURS) {
331 /* ip_fastforward firewall changed dest to local */
313 /*
314 * ip_fastforward firewall changed dest to local.
315 * We expect ip_len and ip_off in host byte order.
316 */
332 m->m_flags &= ~M_FASTFWD_OURS; /* for reflected mbufs */
317 m->m_flags &= ~M_FASTFWD_OURS; /* for reflected mbufs */
318 /* Set up some basic stuff */
319 ip = mtod(m, struct ip *);
320 hlen = ip->ip_hl << 2;
333 goto ours;
334 }
335
321 goto ours;
322 }
323
336 if (args.rule) { /* dummynet already filtered us */
337 ip = mtod(m, struct ip *);
338 hlen = ip->ip_hl << 2;
339 goto iphack ;
340 }
341
342 ipstat.ips_total++;
343
344 if (m->m_pkthdr.len < sizeof(struct ip))
345 goto tooshort;
346
347 if (m->m_len < sizeof (struct ip) &&
348 (m = m_pullup(m, sizeof (struct ip))) == NULL) {
349 ipstat.ips_toosmall++;

--- 86 unchanged lines hidden (view full) ---

436#if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF)
437 /*
438 * Bypass packet filtering for packets from a tunnel (gif).
439 */
440 if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
441 goto pass;
442#endif
443
324 ipstat.ips_total++;
325
326 if (m->m_pkthdr.len < sizeof(struct ip))
327 goto tooshort;
328
329 if (m->m_len < sizeof (struct ip) &&
330 (m = m_pullup(m, sizeof (struct ip))) == NULL) {
331 ipstat.ips_toosmall++;

--- 86 unchanged lines hidden (view full) ---

418#if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF)
419 /*
420 * Bypass packet filtering for packets from a tunnel (gif).
421 */
422 if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
423 goto pass;
424#endif
425
444 /*
445 * IpHack's section.
446 * Right now when no processing on packet has done
447 * and it is still fresh out of network we do our black
448 * deals with it.
449 * - Firewall: deny/allow/divert
450 * - Xlate: translate packet's addr/port (NAT).
451 * - Pipe: pass pkt through dummynet.
452 * - Wrap: fake packet's addr/port <unimpl.>
453 * - Encapsulate: put it in another IP and send out. <unimp.>
454 */
455
456iphack:
457
458#ifdef PFIL_HOOKS
459 /*
460 * Run through list of hooks for input packets.
461 *
462 * NB: Beware of the destination address changing (e.g.
463 * by NAT rewriting). When this happens, tell
464 * ip_forward to do the right thing.
465 */
466 odst = ip->ip_dst;
467 if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif,
468 PFIL_IN) != 0)
469 return;
470 if (m == NULL) /* consumed by filter */
471 return;
426#ifdef PFIL_HOOKS
427 /*
428 * Run through list of hooks for input packets.
429 *
430 * NB: Beware of the destination address changing (e.g.
431 * by NAT rewriting). When this happens, tell
432 * ip_forward to do the right thing.
433 */
434 odst = ip->ip_dst;
435 if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif,
436 PFIL_IN) != 0)
437 return;
438 if (m == NULL) /* consumed by filter */
439 return;
440
472 ip = mtod(m, struct ip *);
473 dchg = (odst.s_addr != ip->ip_dst.s_addr);
441 ip = mtod(m, struct ip *);
442 dchg = (odst.s_addr != ip->ip_dst.s_addr);
474#endif /* PFIL_HOOKS */
475
443
476 if (fw_enable && IPFW_LOADED) {
477 /*
478 * If we've been forwarded from the output side, then
479 * skip the firewall a second time
480 */
481 if (args.next_hop)
482 goto ours;
444#ifdef IPFIREWALL_FORWARD
445 if (m->m_flags & M_FASTFWD_OURS) {
446 m->m_flags &= ~M_FASTFWD_OURS;
447 goto ours;
448 }
449 dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL);
450#endif /* IPFIREWALL_FORWARD */
483
451
484 args.m = m;
485 i = ip_fw_chk_ptr(&args);
486 m = args.m;
452#endif /* PFIL_HOOKS */
487
453
488 if ( (i & IP_FW_PORT_DENY_FLAG) || m == NULL) { /* drop */
489 if (m)
490 m_freem(m);
491 return;
492 }
493 ip = mtod(m, struct ip *); /* just in case m changed */
494 if (i == 0 && args.next_hop == NULL) /* common case */
495 goto pass;
496 if (DUMMYNET_LOADED && (i & IP_FW_PORT_DYNT_FLAG) != 0) {
497 /* Send packet to the appropriate pipe */
498 ip_dn_io_ptr(m, i&0xffff, DN_TO_IP_IN, &args);
499 return;
500 }
501#ifdef IPDIVERT
502 if (i != 0 && (i & IP_FW_PORT_DYNT_FLAG) == 0) {
503 /* Divert or tee packet */
504 goto ours;
505 }
506#endif
507 if (i == 0 && args.next_hop != NULL)
508 goto pass;
509 /*
510 * if we get here, the packet must be dropped
511 */
512 m_freem(m);
513 return;
514 }
454#if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF)
515pass:
455pass:
456#endif
516
517 /*
518 * Process options and, if not destined for us,
519 * ship it on. ip_dooptions returns 1 when an
520 * error was detected (causing an icmp message
521 * to be sent and the original packet to be freed).
522 */
457
458 /*
459 * Process options and, if not destined for us,
460 * ship it on. ip_dooptions returns 1 when an
461 * error was detected (causing an icmp message
462 * to be sent and the original packet to be freed).
463 */
523 ip_nhops = 0; /* for source routed packets */
524 if (hlen > sizeof (struct ip) && ip_dooptions(m, 0, args.next_hop))
464 if (hlen > sizeof (struct ip) && ip_dooptions(m, 0))
525 return;
526
527 /* greedy RSVP, snatches any PATH packet of the RSVP protocol and no
528 * matter if it is destined to another node, or whether it is
529 * a multicast one, RSVP wants it! and prevents it from being forwarded
530 * anywhere else. Also checks if the rsvp daemon is running before
531 * grabbing the packet.
532 */

--- 6 unchanged lines hidden (view full) ---

539 * we receive might be for us (and let the upper layers deal
540 * with it).
541 */
542 if (TAILQ_EMPTY(&in_ifaddrhead) &&
543 (m->m_flags & (M_MCAST|M_BCAST)) == 0)
544 goto ours;
545
546 /*
465 return;
466
467 /* greedy RSVP, snatches any PATH packet of the RSVP protocol and no
468 * matter if it is destined to another node, or whether it is
469 * a multicast one, RSVP wants it! and prevents it from being forwarded
470 * anywhere else. Also checks if the rsvp daemon is running before
471 * grabbing the packet.
472 */

--- 6 unchanged lines hidden (view full) ---

479 * we receive might be for us (and let the upper layers deal
480 * with it).
481 */
482 if (TAILQ_EMPTY(&in_ifaddrhead) &&
483 (m->m_flags & (M_MCAST|M_BCAST)) == 0)
484 goto ours;
485
486 /*
547 * Cache the destination address of the packet; this may be
548 * changed by use of 'ipfw fwd'.
549 */
550 pkt_dst = args.next_hop ? args.next_hop->sin_addr : ip->ip_dst;
551
552 /*
553 * Enable a consistency check between the destination address
554 * and the arrival interface for a unicast packet (the RFC 1122
555 * strong ES model) if IP forwarding is disabled and the packet
556 * is not locally generated and the packet is not subject to
557 * 'ipfw fwd'.
558 *
559 * XXX - Checking also should be disabled if the destination
560 * address is ipnat'ed to a different interface.
561 *
562 * XXX - Checking is incompatible with IP aliases added
563 * to the loopback interface instead of the interface where
564 * the packets are received.
565 */
566 checkif = ip_checkinterface && (ipforwarding == 0) &&
567 m->m_pkthdr.rcvif != NULL &&
568 ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) &&
487 * Enable a consistency check between the destination address
488 * and the arrival interface for a unicast packet (the RFC 1122
489 * strong ES model) if IP forwarding is disabled and the packet
490 * is not locally generated and the packet is not subject to
491 * 'ipfw fwd'.
492 *
493 * XXX - Checking also should be disabled if the destination
494 * address is ipnat'ed to a different interface.
495 *
496 * XXX - Checking is incompatible with IP aliases added
497 * to the loopback interface instead of the interface where
498 * the packets are received.
499 */
500 checkif = ip_checkinterface && (ipforwarding == 0) &&
501 m->m_pkthdr.rcvif != NULL &&
502 ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) &&
569 (args.next_hop == NULL) && (dchg == 0);
503 (dchg == 0);
570
571 /*
572 * Check for exact addresses in the hash bucket.
573 */
504
505 /*
506 * Check for exact addresses in the hash bucket.
507 */
574 LIST_FOREACH(ia, INADDR_HASH(pkt_dst.s_addr), ia_hash) {
508 LIST_FOREACH(ia, INADDR_HASH(ip->ip_dst.s_addr), ia_hash) {
575 /*
576 * If the address matches, verify that the packet
577 * arrived via the correct interface if checking is
578 * enabled.
579 */
509 /*
510 * If the address matches, verify that the packet
511 * arrived via the correct interface if checking is
512 * enabled.
513 */
580 if (IA_SIN(ia)->sin_addr.s_addr == pkt_dst.s_addr &&
514 if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr &&
581 (!checkif || ia->ia_ifp == m->m_pkthdr.rcvif))
582 goto ours;
583 }
584 /*
585 * Check for broadcast addresses.
586 *
587 * Only accept broadcast packets that arrive via the matching
588 * interface. Reception of forwarded directed broadcasts would
589 * be handled via ip_forward() and ether_output() with the loopback
590 * into the stack for SIMPLEX interfaces handled by ether_output().
591 */
592 if (m->m_pkthdr.rcvif != NULL &&
593 m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) {
594 TAILQ_FOREACH(ifa, &m->m_pkthdr.rcvif->if_addrhead, ifa_link) {
595 if (ifa->ifa_addr->sa_family != AF_INET)
596 continue;
597 ia = ifatoia(ifa);
598 if (satosin(&ia->ia_broadaddr)->sin_addr.s_addr ==
515 (!checkif || ia->ia_ifp == m->m_pkthdr.rcvif))
516 goto ours;
517 }
518 /*
519 * Check for broadcast addresses.
520 *
521 * Only accept broadcast packets that arrive via the matching
522 * interface. Reception of forwarded directed broadcasts would
523 * be handled via ip_forward() and ether_output() with the loopback
524 * into the stack for SIMPLEX interfaces handled by ether_output().
525 */
526 if (m->m_pkthdr.rcvif != NULL &&
527 m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) {
528 TAILQ_FOREACH(ifa, &m->m_pkthdr.rcvif->if_addrhead, ifa_link) {
529 if (ifa->ifa_addr->sa_family != AF_INET)
530 continue;
531 ia = ifatoia(ifa);
532 if (satosin(&ia->ia_broadaddr)->sin_addr.s_addr ==
599 pkt_dst.s_addr)
533 ip->ip_dst.s_addr)
600 goto ours;
534 goto ours;
601 if (ia->ia_netbroadcast.s_addr == pkt_dst.s_addr)
535 if (ia->ia_netbroadcast.s_addr == ip->ip_dst.s_addr)
602 goto ours;
603#ifdef BOOTP_COMPAT
604 if (IA_SIN(ia)->sin_addr.s_addr == INADDR_ANY)
605 goto ours;
606#endif
607 }
608 }
609 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {

--- 91 unchanged lines hidden (view full) ---

701 error = ipsec_in_reject(sp, m);
702 KEY_FREESP(&sp);
703 splx(s);
704 if (error) {
705 ipstat.ips_cantforward++;
706 goto bad;
707 }
708#endif /* FAST_IPSEC */
536 goto ours;
537#ifdef BOOTP_COMPAT
538 if (IA_SIN(ia)->sin_addr.s_addr == INADDR_ANY)
539 goto ours;
540#endif
541 }
542 }
543 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {

--- 91 unchanged lines hidden (view full) ---

635 error = ipsec_in_reject(sp, m);
636 KEY_FREESP(&sp);
637 splx(s);
638 if (error) {
639 ipstat.ips_cantforward++;
640 goto bad;
641 }
642#endif /* FAST_IPSEC */
709 ip_forward(m, dchg, args.next_hop);
643 ip_forward(m, dchg);
710 }
711 return;
712
713ours:
714#ifdef IPSTEALTH
715 /*
716 * IPSTEALTH: Process non-routing options only
717 * if the packet is destined for us.
718 */
719 if (ipstealth && hlen > sizeof (struct ip) &&
644 }
645 return;
646
647ours:
648#ifdef IPSTEALTH
649 /*
650 * IPSTEALTH: Process non-routing options only
651 * if the packet is destined for us.
652 */
653 if (ipstealth && hlen > sizeof (struct ip) &&
720 ip_dooptions(m, 1, args.next_hop))
654 ip_dooptions(m, 1))
721 return;
722#endif /* IPSTEALTH */
723
724 /* Count the packet in the ip address stats */
725 if (ia != NULL) {
726 ia->ia_ifa.if_ipackets++;
727 ia->ia_ifa.if_ibytes += m->m_pkthdr.len;
728 }

--- 4 unchanged lines hidden (view full) ---

733 */
734 if (ip->ip_off & (IP_MF | IP_OFFMASK)) {
735 m = ip_reass(m);
736 if (m == NULL)
737 return;
738 ip = mtod(m, struct ip *);
739 /* Get the header length of the reassembled packet */
740 hlen = ip->ip_hl << 2;
655 return;
656#endif /* IPSTEALTH */
657
658 /* Count the packet in the ip address stats */
659 if (ia != NULL) {
660 ia->ia_ifa.if_ipackets++;
661 ia->ia_ifa.if_ibytes += m->m_pkthdr.len;
662 }

--- 4 unchanged lines hidden (view full) ---

667 */
668 if (ip->ip_off & (IP_MF | IP_OFFMASK)) {
669 m = ip_reass(m);
670 if (m == NULL)
671 return;
672 ip = mtod(m, struct ip *);
673 /* Get the header length of the reassembled packet */
674 hlen = ip->ip_hl << 2;
741#ifdef IPDIVERT
742 /* Restore original checksum before diverting packet */
743 if (divert_find_info(m) != 0) {
744 ip->ip_len = htons(ip->ip_len);
745 ip->ip_off = htons(ip->ip_off);
746 ip->ip_sum = 0;
747 if (hlen == sizeof(struct ip))
748 ip->ip_sum = in_cksum_hdr(ip);
749 else
750 ip->ip_sum = in_cksum(m, hlen);
751 ip->ip_off = ntohs(ip->ip_off);
752 ip->ip_len = ntohs(ip->ip_len);
753 }
754#endif
755 }
756
757 /*
758 * Further protocols expect the packet length to be w/o the
759 * IP header.
760 */
761 ip->ip_len -= hlen;
762
675 }
676
677 /*
678 * Further protocols expect the packet length to be w/o the
679 * IP header.
680 */
681 ip->ip_len -= hlen;
682
763#ifdef IPDIVERT
764 /*
765 * Divert or tee packet to the divert protocol if required.
766 */
767 divert_info = divert_find_info(m);
768 if (divert_info != 0) {
769 struct mbuf *clone;
770
771 /* Clone packet if we're doing a 'tee' */
772 if ((divert_info & IP_FW_PORT_TEE_FLAG) != 0)
773 clone = divert_clone(m);
774 else
775 clone = NULL;
776
777 /* Restore packet header fields to original values */
778 ip->ip_len += hlen;
779 ip->ip_len = htons(ip->ip_len);
780 ip->ip_off = htons(ip->ip_off);
781
782 /* Deliver packet to divert input routine */
783 divert_packet(m, 1);
784 ipstat.ips_delivered++;
785
786 /* If 'tee', continue with original packet */
787 if (clone == NULL)
788 return;
789 m = clone;
790 ip = mtod(m, struct ip *);
791 ip->ip_len += hlen;
792 /*
793 * Jump backwards to complete processing of the
794 * packet. We do not need to clear args.next_hop
795 * as that will not be used again and the cloned packet
796 * doesn't contain a divert packet tag so we won't
797 * re-entry this block.
798 */
799 goto pass;
800 }
801#endif
802
803#ifdef IPSEC
804 /*
805 * enforce IPsec policy checking if we are seeing last header.
806 * note that we do not visit this with protocols with pcb layer
807 * code - like udp/tcp/raw ip.
808 */
809 if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0 &&
810 ipsec4_in_reject(m, NULL)) {

--- 40 unchanged lines hidden (view full) ---

851 goto bad;
852 }
853#endif /* FAST_IPSEC */
854
855 /*
856 * Switch out to protocol's input routine.
857 */
858 ipstat.ips_delivered++;
683#ifdef IPSEC
684 /*
685 * enforce IPsec policy checking if we are seeing last header.
686 * note that we do not visit this with protocols with pcb layer
687 * code - like udp/tcp/raw ip.
688 */
689 if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0 &&
690 ipsec4_in_reject(m, NULL)) {

--- 40 unchanged lines hidden (view full) ---

731 goto bad;
732 }
733#endif /* FAST_IPSEC */
734
735 /*
736 * Switch out to protocol's input routine.
737 */
738 ipstat.ips_delivered++;
859 if (args.next_hop && ip->ip_p == IPPROTO_TCP) {
860 /* attach next hop info for TCP */
861 struct m_tag *mtag = m_tag_get(PACKET_TAG_IPFORWARD,
862 sizeof(struct sockaddr_in *), M_NOWAIT);
863 if (mtag == NULL)
864 goto bad;
865 *(struct sockaddr_in **)(mtag+1) = args.next_hop;
866 m_tag_prepend(m, mtag);
867 }
739
868 (*inetsw[ip_protox[ip->ip_p]].pr_input)(m, hlen);
869 return;
870bad:
871 m_freem(m);
872}
873
874/*
875 * Take incoming datagram fragment and try to reassemble it into

--- 211 unchanged lines hidden (view full) ---

1087 m->m_nextpkt = nq;
1088 ipstat.ips_fragdropped++;
1089 fp->ipq_nfrags--;
1090 m_freem(q);
1091 }
1092
1093inserted:
1094
740 (*inetsw[ip_protox[ip->ip_p]].pr_input)(m, hlen);
741 return;
742bad:
743 m_freem(m);
744}
745
746/*
747 * Take incoming datagram fragment and try to reassemble it into

--- 211 unchanged lines hidden (view full) ---

959 m->m_nextpkt = nq;
960 ipstat.ips_fragdropped++;
961 fp->ipq_nfrags--;
962 m_freem(q);
963 }
964
965inserted:
966
1095#ifdef IPDIVERT
1096 if (ip->ip_off != 0) {
1097 /*
1098 * Strip any divert information; only the info
1099 * on the first fragment is used/kept.
1100 */
1101 struct m_tag *mtag = m_tag_find(m, PACKET_TAG_DIVERT, NULL);
1102 if (mtag)
1103 m_tag_delete(m, mtag);
1104 }
1105#endif
1106
1107 /*
1108 * Check for complete reassembly and perform frag per packet
1109 * limiting.
1110 *
1111 * Frag limiting is performed here so that the nth frag has
1112 * a chance to complete the packet before we drop the packet.
1113 * As a result, n+1 frags are actually allowed per packet, but
1114 * only n will ever be stored. (n = maxfragsperpacket.)

--- 178 unchanged lines hidden (view full) ---

1293 * mode to tell what options to process:
1294 * [LS]SRR (pass 0) or the others (pass 1).
1295 * The reason for as many as two passes is that when doing IPSTEALTH,
1296 * non-routing options should be processed only if the packet is for us.
1297 * Returns 1 if packet has been forwarded/freed,
1298 * 0 if the packet should be processed further.
1299 */
1300static int
967 /*
968 * Check for complete reassembly and perform frag per packet
969 * limiting.
970 *
971 * Frag limiting is performed here so that the nth frag has
972 * a chance to complete the packet before we drop the packet.
973 * As a result, n+1 frags are actually allowed per packet, but
974 * only n will ever be stored. (n = maxfragsperpacket.)

--- 178 unchanged lines hidden (view full) ---

1153 * mode to tell what options to process:
1154 * [LS]SRR (pass 0) or the others (pass 1).
1155 * The reason for as many as two passes is that when doing IPSTEALTH,
1156 * non-routing options should be processed only if the packet is for us.
1157 * Returns 1 if packet has been forwarded/freed,
1158 * 0 if the packet should be processed further.
1159 */
1160static int
1301ip_dooptions(struct mbuf *m, int pass, struct sockaddr_in *next_hop)
1161ip_dooptions(struct mbuf *m, int pass)
1302{
1303 struct ip *ip = mtod(m, struct ip *);
1304 u_char *cp;
1305 struct in_ifaddr *ia;
1306 int opt, optlen, cnt, off, code, type = ICMP_PARAMPROB, forward = 0;
1307 struct in_addr *sin, dst;
1308 n_time ntime;
1309 struct sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET };

--- 242 unchanged lines hidden (view full) ---

1552 goto bad;
1553 }
1554 ntime = iptime();
1555 (void)memcpy(cp + off, &ntime, sizeof(n_time));
1556 cp[IPOPT_OFFSET] += sizeof(n_time);
1557 }
1558 }
1559 if (forward && ipforwarding) {
1162{
1163 struct ip *ip = mtod(m, struct ip *);
1164 u_char *cp;
1165 struct in_ifaddr *ia;
1166 int opt, optlen, cnt, off, code, type = ICMP_PARAMPROB, forward = 0;
1167 struct in_addr *sin, dst;
1168 n_time ntime;
1169 struct sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET };

--- 242 unchanged lines hidden (view full) ---

1412 goto bad;
1413 }
1414 ntime = iptime();
1415 (void)memcpy(cp + off, &ntime, sizeof(n_time));
1416 cp[IPOPT_OFFSET] += sizeof(n_time);
1417 }
1418 }
1419 if (forward && ipforwarding) {
1560 ip_forward(m, 1, next_hop);
1420 ip_forward(m, 1);
1561 return (1);
1562 }
1563 return (0);
1564bad:
1565 icmp_error(m, type, code, 0, 0);
1566 ipstat.ips_badoptions++;
1567 return (1);
1568}

--- 163 unchanged lines hidden (view full) ---

1732 * If not forwarding, just drop the packet. This could be confusing
1733 * if ipforwarding was zero but some routing protocol was advancing
1734 * us as a gateway to somewhere. However, we must let the routing
1735 * protocol deal with that.
1736 *
1737 * The srcrt parameter indicates whether the packet is being forwarded
1738 * via a source route.
1739 */
1421 return (1);
1422 }
1423 return (0);
1424bad:
1425 icmp_error(m, type, code, 0, 0);
1426 ipstat.ips_badoptions++;
1427 return (1);
1428}

--- 163 unchanged lines hidden (view full) ---

1592 * If not forwarding, just drop the packet. This could be confusing
1593 * if ipforwarding was zero but some routing protocol was advancing
1594 * us as a gateway to somewhere. However, we must let the routing
1595 * protocol deal with that.
1596 *
1597 * The srcrt parameter indicates whether the packet is being forwarded
1598 * via a source route.
1599 */
1740static void
1741ip_forward(struct mbuf *m, int srcrt, struct sockaddr_in *next_hop)
1600void
1601ip_forward(struct mbuf *m, int srcrt)
1742{
1743 struct ip *ip = mtod(m, struct ip *);
1602{
1603 struct ip *ip = mtod(m, struct ip *);
1744 struct in_ifaddr *ia;
1604 struct in_ifaddr *ia = NULL;
1745 int error, type = 0, code = 0;
1746 struct mbuf *mcopy;
1605 int error, type = 0, code = 0;
1606 struct mbuf *mcopy;
1747 n_long dest;
1748 struct in_addr pkt_dst;
1749 struct ifnet *destifp;
1750#if defined(IPSEC) || defined(FAST_IPSEC)
1751 struct ifnet dummyifp;
1752#endif
1607 struct in_addr dest;
1608 struct ifnet *destifp, dummyifp;
1753
1609
1754 /*
1755 * Cache the destination address of the packet; this may be
1756 * changed by use of 'ipfw fwd'.
1757 */
1758 pkt_dst = next_hop ? next_hop->sin_addr : ip->ip_dst;
1759
1760#ifdef DIAGNOSTIC
1761 if (ipprintfs)
1762 printf("forward: src %lx dst %lx ttl %x\n",
1610#ifdef DIAGNOSTIC
1611 if (ipprintfs)
1612 printf("forward: src %lx dst %lx ttl %x\n",
1763 (u_long)ip->ip_src.s_addr, (u_long)pkt_dst.s_addr,
1613 (u_long)ip->ip_src.s_addr, (u_long)ip->ip_dst.s_addr,
1764 ip->ip_ttl);
1765#endif
1766
1767
1614 ip->ip_ttl);
1615#endif
1616
1617
1768 if (m->m_flags & (M_BCAST|M_MCAST) || in_canforward(pkt_dst) == 0) {
1618 if (m->m_flags & (M_BCAST|M_MCAST) || in_canforward(ip->ip_dst) == 0) {
1769 ipstat.ips_cantforward++;
1770 m_freem(m);
1771 return;
1772 }
1773#ifdef IPSTEALTH
1774 if (!ipstealth) {
1775#endif
1776 if (ip->ip_ttl <= IPTTLDEC) {
1777 icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS,
1778 0, 0);
1779 return;
1780 }
1781#ifdef IPSTEALTH
1782 }
1783#endif
1784
1619 ipstat.ips_cantforward++;
1620 m_freem(m);
1621 return;
1622 }
1623#ifdef IPSTEALTH
1624 if (!ipstealth) {
1625#endif
1626 if (ip->ip_ttl <= IPTTLDEC) {
1627 icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS,
1628 0, 0);
1629 return;
1630 }
1631#ifdef IPSTEALTH
1632 }
1633#endif
1634
1785 if ((ia = ip_rtaddr(pkt_dst)) == NULL) {
1635 if (!srcrt && (ia = ip_rtaddr(ip->ip_dst)) == NULL) {
1786 icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
1787 return;
1788 }
1789
1790 /*
1791 * Save the IP header and at most 8 bytes of the payload,
1792 * in case we need to generate an ICMP message to the src.
1793 *

--- 38 unchanged lines hidden (view full) ---

1832 /*
1833 * If forwarding packet using same interface that it came in on,
1834 * perhaps should send a redirect to sender to shortcut a hop.
1835 * Only send redirect if source is sending directly to us,
1836 * and if packet was not source routed (or has any options).
1837 * Also, don't send redirect if forwarding using a default route
1838 * or a route modified by a redirect.
1839 */
1636 icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
1637 return;
1638 }
1639
1640 /*
1641 * Save the IP header and at most 8 bytes of the payload,
1642 * in case we need to generate an ICMP message to the src.
1643 *

--- 38 unchanged lines hidden (view full) ---

1682 /*
1683 * If forwarding packet using same interface that it came in on,
1684 * perhaps should send a redirect to sender to shortcut a hop.
1685 * Only send redirect if source is sending directly to us,
1686 * and if packet was not source routed (or has any options).
1687 * Also, don't send redirect if forwarding using a default route
1688 * or a route modified by a redirect.
1689 */
1840 dest = 0;
1841 if (ipsendredirects && ia->ia_ifp == m->m_pkthdr.rcvif) {
1690 dest.s_addr = 0;
1691 if (!srcrt && ipsendredirects && ia->ia_ifp == m->m_pkthdr.rcvif) {
1842 struct sockaddr_in *sin;
1843 struct route ro;
1844 struct rtentry *rt;
1845
1846 bzero(&ro, sizeof(ro));
1847 sin = (struct sockaddr_in *)&ro.ro_dst;
1848 sin->sin_family = AF_INET;
1849 sin->sin_len = sizeof(*sin);
1692 struct sockaddr_in *sin;
1693 struct route ro;
1694 struct rtentry *rt;
1695
1696 bzero(&ro, sizeof(ro));
1697 sin = (struct sockaddr_in *)&ro.ro_dst;
1698 sin->sin_family = AF_INET;
1699 sin->sin_len = sizeof(*sin);
1850 sin->sin_addr = pkt_dst;
1700 sin->sin_addr = ip->ip_dst;
1851 rtalloc_ign(&ro, RTF_CLONING);
1852
1853 rt = ro.ro_rt;
1854
1855 if (rt && (rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0 &&
1701 rtalloc_ign(&ro, RTF_CLONING);
1702
1703 rt = ro.ro_rt;
1704
1705 if (rt && (rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0 &&
1856 satosin(rt_key(rt))->sin_addr.s_addr != 0 &&
1857 ipsendredirects && !srcrt && !next_hop) {
1706 satosin(rt_key(rt))->sin_addr.s_addr != 0) {
1858#define RTA(rt) ((struct in_ifaddr *)(rt->rt_ifa))
1859 u_long src = ntohl(ip->ip_src.s_addr);
1860
1861 if (RTA(rt) &&
1862 (src & RTA(rt)->ia_subnetmask) == RTA(rt)->ia_subnet) {
1863 if (rt->rt_flags & RTF_GATEWAY)
1707#define RTA(rt) ((struct in_ifaddr *)(rt->rt_ifa))
1708 u_long src = ntohl(ip->ip_src.s_addr);
1709
1710 if (RTA(rt) &&
1711 (src & RTA(rt)->ia_subnetmask) == RTA(rt)->ia_subnet) {
1712 if (rt->rt_flags & RTF_GATEWAY)
1864 dest = satosin(rt->rt_gateway)->sin_addr.s_addr;
1713 dest.s_addr = satosin(rt->rt_gateway)->sin_addr.s_addr;
1865 else
1714 else
1866 dest = pkt_dst.s_addr;
1715 dest.s_addr = ip->ip_dst.s_addr;
1867 /* Router requirements says to only send host redirects */
1868 type = ICMP_REDIRECT;
1869 code = ICMP_REDIRECT_HOST;
1870#ifdef DIAGNOSTIC
1871 if (ipprintfs)
1716 /* Router requirements says to only send host redirects */
1717 type = ICMP_REDIRECT;
1718 code = ICMP_REDIRECT_HOST;
1719#ifdef DIAGNOSTIC
1720 if (ipprintfs)
1872 printf("redirect (%d) to %lx\n", code, (u_long)dest);
1721 printf("redirect (%d) to %lx\n", code, (u_long)dest.s_addr);
1873#endif
1874 }
1875 }
1876 if (rt)
1877 RTFREE(rt);
1878 }
1879
1722#endif
1723 }
1724 }
1725 if (rt)
1726 RTFREE(rt);
1727 }
1728
1880 if (next_hop) {
1881 struct m_tag *mtag = m_tag_get(PACKET_TAG_IPFORWARD,
1882 sizeof(struct sockaddr_in *), M_NOWAIT);
1883 if (mtag == NULL) {
1884 m_freem(m);
1885 return;
1886 }
1887 *(struct sockaddr_in **)(mtag+1) = next_hop;
1888 m_tag_prepend(m, mtag);
1889 }
1890 error = ip_output(m, (struct mbuf *)0, NULL, IP_FORWARDING, 0, NULL);
1891 if (error)
1892 ipstat.ips_cantforward++;
1893 else {
1894 ipstat.ips_forward++;
1895 if (type)
1896 ipstat.ips_redirectsent++;
1897 else {


1980 key_freesp(sp);
1981#else /* FAST_IPSEC */
1982 KEY_FREESP(&sp);
1983#endif
1984 ipstat.ips_cantfrag++;
1985 break;
1986 } else
1987#endif /*IPSEC || FAST_IPSEC*/
1729 error = ip_output(m, (struct mbuf *)0, NULL, IP_FORWARDING, 0, NULL);
1730 if (error)
1731 ipstat.ips_cantforward++;
1732 else {
1733 ipstat.ips_forward++;
1734 if (type)
1735 ipstat.ips_redirectsent++;
1736 else {


1819 key_freesp(sp);
1820#else /* FAST_IPSEC */
1821 KEY_FREESP(&sp);
1822#endif
1823 ipstat.ips_cantfrag++;
1824 break;
1825 } else
1826#endif /*IPSEC || FAST_IPSEC*/
1988 destifp = ia->ia_ifp;
1827 /*
1828 * When doing source routing 'ia' can be NULL. Fall back
1829 * to the minimum guaranteed routeable packet size and use
1830 * the same hack as IPSEC to setup a dummyifp for icmp.
1831 */
1832 if (ia == NULL) {
1833 dummyifp.if_mtu = IP_MSS;
1834 destifp = &dummyifp;
1835 } else
1836 destifp = ia->ia_ifp;
1989#if defined(IPSEC) || defined(FAST_IPSEC)
1990 }
1991#endif /*IPSEC || FAST_IPSEC*/
1992 ipstat.ips_cantfrag++;
1993 break;
1994
1995 case ENOBUFS:
1996 /*


2009 code = 0;
2010 }
2011 break;
2012
2013 case EACCES: /* ipfw denied packet */
2014 m_freem(mcopy);
2015 return;
2016 }
1837#if defined(IPSEC) || defined(FAST_IPSEC)
1838 }
1839#endif /*IPSEC || FAST_IPSEC*/
1840 ipstat.ips_cantfrag++;
1841 break;
1842
1843 case ENOBUFS:
1844 /*


1857 code = 0;
1858 }
1859 break;
1860
1861 case EACCES: /* ipfw denied packet */
1862 m_freem(mcopy);
1863 return;
1864 }
2017 icmp_error(mcopy, type, code, dest, destifp);
1865 icmp_error(mcopy, type, code, dest.s_addr, destifp);
2018}
2019
2020void
2021ip_savecontrol(inp, mp, ip, m)
2022 register struct inpcb *inp;
2023 register struct mbuf **mp;
2024 register struct ip *ip;
2025 register struct mbuf *m;

1866}
1867
1868void
1869ip_savecontrol(inp, mp, ip, m)
1870 register struct inpcb *inp;
1871 register struct mbuf **mp;
1872 register struct ip *ip;
1873 register struct mbuf *m;
