Deleted Added
sdiff udiff text old ( 54221 ) new ( 55009 )
full compact
ip_input.c (54221) ip_input.c (55009)
1/*
2 * Copyright (c) 1982, 1986, 1988, 1993
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 *
33 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94
1/*
2 * Copyright (c) 1982, 1986, 1988, 1993
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 *
33 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94
34 * $FreeBSD: head/sys/netinet/ip_input.c 54221 1999-12-06 20:36:50Z guido $
34 * $FreeBSD: head/sys/netinet/ip_input.c 55009 1999-12-22 19:13:38Z shin $
35 */
36
37#define _IP_VHL
38
39#include "opt_bootp.h"
40#include "opt_ipfw.h"
41#include "opt_ipdn.h"
42#include "opt_ipdivert.h"
43#include "opt_ipfilter.h"
44#include "opt_ipstealth.h"
35 */
36
37#define _IP_VHL
38
39#include "opt_bootp.h"
40#include "opt_ipfw.h"
41#include "opt_ipdn.h"
42#include "opt_ipdivert.h"
43#include "opt_ipfilter.h"
44#include "opt_ipstealth.h"
45#include "opt_ipsec.h"
45
46#include <stddef.h>
47
48#include <sys/param.h>
49#include <sys/systm.h>
50#include <sys/mbuf.h>
51#include <sys/malloc.h>
52#include <sys/domain.h>
53#include <sys/protosw.h>
54#include <sys/socket.h>
55#include <sys/time.h>
56#include <sys/kernel.h>
57#include <sys/syslog.h>
58#include <sys/sysctl.h>
59
60#include <net/if.h>
61#include <net/if_var.h>
62#include <net/if_dl.h>
63#include <net/route.h>
64#include <net/netisr.h>
65
66#include <netinet/in.h>
67#include <netinet/in_systm.h>
68#include <netinet/in_var.h>
69#include <netinet/ip.h>
70#include <netinet/in_pcb.h>
71#include <netinet/ip_var.h>
72#include <netinet/ip_icmp.h>
73#include <machine/in_cksum.h>
74
46
47#include <stddef.h>
48
49#include <sys/param.h>
50#include <sys/systm.h>
51#include <sys/mbuf.h>
52#include <sys/malloc.h>
53#include <sys/domain.h>
54#include <sys/protosw.h>
55#include <sys/socket.h>
56#include <sys/time.h>
57#include <sys/kernel.h>
58#include <sys/syslog.h>
59#include <sys/sysctl.h>
60
61#include <net/if.h>
62#include <net/if_var.h>
63#include <net/if_dl.h>
64#include <net/route.h>
65#include <net/netisr.h>
66
67#include <netinet/in.h>
68#include <netinet/in_systm.h>
69#include <netinet/in_var.h>
70#include <netinet/ip.h>
71#include <netinet/in_pcb.h>
72#include <netinet/ip_var.h>
73#include <netinet/ip_icmp.h>
74#include <machine/in_cksum.h>
75
76#include <netinet/ipprotosw.h>
77
75#include <sys/socketvar.h>
76
77#include <netinet/ip_fw.h>
78
78#include <sys/socketvar.h>
79
80#include <netinet/ip_fw.h>
81
82#ifdef IPSEC
83#include <netinet6/ipsec.h>
84#include <netkey/key.h>
85#ifdef IPSEC_DEBUG
86#include <netkey/key_debug.h>
87#else
88#define KEYDEBUG(lev,arg)
89#endif
90#endif
91
92#include "faith.h"
93#if defined(NFAITH) && NFAITH > 0
94#include <net/if_types.h>
95#endif
96
79#ifdef DUMMYNET
80#include <netinet/ip_dummynet.h>
81#endif
82
83int rsvp_on = 0;
84static int ip_rsvp_on;
85struct socket *ip_rsvpd;
86
87int ipforwarding = 0;
88SYSCTL_INT(_net_inet_ip, IPCTL_FORWARDING, forwarding, CTLFLAG_RW,
89 &ipforwarding, 0, "Enable IP forwarding between interfaces");
90
91static int ipsendredirects = 1; /* XXX */
92SYSCTL_INT(_net_inet_ip, IPCTL_SENDREDIRECTS, redirect, CTLFLAG_RW,
93 &ipsendredirects, 0, "Enable sending IP redirects");
94
95int ip_defttl = IPDEFTTL;
96SYSCTL_INT(_net_inet_ip, IPCTL_DEFTTL, ttl, CTLFLAG_RW,
97 &ip_defttl, 0, "Maximum TTL on IP packets");
98
99static int ip_dosourceroute = 0;
100SYSCTL_INT(_net_inet_ip, IPCTL_SOURCEROUTE, sourceroute, CTLFLAG_RW,
101 &ip_dosourceroute, 0, "Enable forwarding source routed IP packets");
102
103static int ip_acceptsourceroute = 0;
104SYSCTL_INT(_net_inet_ip, IPCTL_ACCEPTSOURCEROUTE, accept_sourceroute,
105 CTLFLAG_RW, &ip_acceptsourceroute, 0,
106 "Enable accepting source routed IP packets");
97#ifdef DUMMYNET
98#include <netinet/ip_dummynet.h>
99#endif
100
101int rsvp_on = 0;
102static int ip_rsvp_on;
103struct socket *ip_rsvpd;
104
105int ipforwarding = 0;
106SYSCTL_INT(_net_inet_ip, IPCTL_FORWARDING, forwarding, CTLFLAG_RW,
107 &ipforwarding, 0, "Enable IP forwarding between interfaces");
108
109static int ipsendredirects = 1; /* XXX */
110SYSCTL_INT(_net_inet_ip, IPCTL_SENDREDIRECTS, redirect, CTLFLAG_RW,
111 &ipsendredirects, 0, "Enable sending IP redirects");
112
113int ip_defttl = IPDEFTTL;
114SYSCTL_INT(_net_inet_ip, IPCTL_DEFTTL, ttl, CTLFLAG_RW,
115 &ip_defttl, 0, "Maximum TTL on IP packets");
116
117static int ip_dosourceroute = 0;
118SYSCTL_INT(_net_inet_ip, IPCTL_SOURCEROUTE, sourceroute, CTLFLAG_RW,
119 &ip_dosourceroute, 0, "Enable forwarding source routed IP packets");
120
121static int ip_acceptsourceroute = 0;
122SYSCTL_INT(_net_inet_ip, IPCTL_ACCEPTSOURCEROUTE, accept_sourceroute,
123 CTLFLAG_RW, &ip_acceptsourceroute, 0,
124 "Enable accepting source routed IP packets");
125
126static int ip_keepfaith = 0;
127SYSCTL_INT(_net_inet_ip, IPCTL_KEEPFAITH, keepfaith, CTLFLAG_RW,
128 &ip_keepfaith, 0,
129 "Enable packet capture for FAITH IPv4->IPv6 translater daemon");
130
107#ifdef DIAGNOSTIC
108static int ipprintfs = 0;
109#endif
110
111extern struct domain inetdomain;
131#ifdef DIAGNOSTIC
132static int ipprintfs = 0;
133#endif
134
135extern struct domain inetdomain;
112extern struct protosw inetsw[];
136extern struct ipprotosw inetsw[];
113u_char ip_protox[IPPROTO_MAX];
114static int ipqmaxlen = IFQ_MAXLEN;
115struct in_ifaddrhead in_ifaddrhead; /* first inet address */
116struct ifqueue ipintrq;
117SYSCTL_INT(_net_inet_ip, IPCTL_INTRQMAXLEN, intr_queue_maxlen, CTLFLAG_RW,
118 &ipintrq.ifq_maxlen, 0, "Maximum size of the IP input queue");
119SYSCTL_INT(_net_inet_ip, IPCTL_INTRQDROPS, intr_queue_drops, CTLFLAG_RD,
120 &ipintrq.ifq_drops, 0, "Number of packets dropped from the IP input queue");
121
122struct ipstat ipstat;
123SYSCTL_STRUCT(_net_inet_ip, IPCTL_STATS, stats, CTLFLAG_RD,
124 &ipstat, ipstat, "IP statistics (struct ipstat, netinet/ip_var.h)");
125
126/* Packet reassembly stuff */
127#define IPREASS_NHASH_LOG2 6
128#define IPREASS_NHASH (1 << IPREASS_NHASH_LOG2)
129#define IPREASS_HMASK (IPREASS_NHASH - 1)
130#define IPREASS_HASH(x,y) \
131 (((((x) & 0xF) | ((((x) >> 8) & 0xF) << 4)) ^ (y)) & IPREASS_HMASK)
132
133static struct ipq ipq[IPREASS_NHASH];
134static int nipq = 0; /* total # of reass queues */
135static int maxnipq;
136
137#ifdef IPCTL_DEFMTU
138SYSCTL_INT(_net_inet_ip, IPCTL_DEFMTU, mtu, CTLFLAG_RW,
139 &ip_mtu, 0, "Default MTU");
140#endif
141
142#ifdef IPSTEALTH
143static int ipstealth = 0;
144SYSCTL_INT(_net_inet_ip, OID_AUTO, stealth, CTLFLAG_RW,
145 &ipstealth, 0, "");
146#endif
147
148
149/* Firewall hooks */
150ip_fw_chk_t *ip_fw_chk_ptr;
151ip_fw_ctl_t *ip_fw_ctl_ptr;
152
153#ifdef DUMMYNET
154ip_dn_ctl_t *ip_dn_ctl_ptr;
155#endif
156
157#if defined(IPFILTER_LKM) || defined(IPFILTER)
158int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)) = NULL;
159#endif
160
161
162/*
163 * We need to save the IP options in case a protocol wants to respond
164 * to an incoming packet over the same route if the packet got here
165 * using IP source routing. This allows connection establishment and
166 * maintenance when the remote end is on a network that is not known
167 * to us.
168 */
169static int ip_nhops = 0;
170static struct ip_srcrt {
171 struct in_addr dst; /* final destination */
172 char nop; /* one NOP to align */
173 char srcopt[IPOPT_OFFSET + 1]; /* OPTVAL, OLEN and OFFSET */
174 struct in_addr route[MAX_IPOPTLEN/sizeof(struct in_addr)];
175} ip_srcrt;
176
177struct sockaddr_in *ip_fw_fwd_addr;
178
179static void save_rte __P((u_char *, struct in_addr));
180static int ip_dooptions __P((struct mbuf *));
181static void ip_forward __P((struct mbuf *, int));
182static void ip_freef __P((struct ipq *));
183#ifdef IPDIVERT
137u_char ip_protox[IPPROTO_MAX];
138static int ipqmaxlen = IFQ_MAXLEN;
139struct in_ifaddrhead in_ifaddrhead; /* first inet address */
140struct ifqueue ipintrq;
141SYSCTL_INT(_net_inet_ip, IPCTL_INTRQMAXLEN, intr_queue_maxlen, CTLFLAG_RW,
142 &ipintrq.ifq_maxlen, 0, "Maximum size of the IP input queue");
143SYSCTL_INT(_net_inet_ip, IPCTL_INTRQDROPS, intr_queue_drops, CTLFLAG_RD,
144 &ipintrq.ifq_drops, 0, "Number of packets dropped from the IP input queue");
145
146struct ipstat ipstat;
147SYSCTL_STRUCT(_net_inet_ip, IPCTL_STATS, stats, CTLFLAG_RD,
148 &ipstat, ipstat, "IP statistics (struct ipstat, netinet/ip_var.h)");
149
150/* Packet reassembly stuff */
151#define IPREASS_NHASH_LOG2 6
152#define IPREASS_NHASH (1 << IPREASS_NHASH_LOG2)
153#define IPREASS_HMASK (IPREASS_NHASH - 1)
154#define IPREASS_HASH(x,y) \
155 (((((x) & 0xF) | ((((x) >> 8) & 0xF) << 4)) ^ (y)) & IPREASS_HMASK)
156
157static struct ipq ipq[IPREASS_NHASH];
158static int nipq = 0; /* total # of reass queues */
159static int maxnipq;
160
161#ifdef IPCTL_DEFMTU
162SYSCTL_INT(_net_inet_ip, IPCTL_DEFMTU, mtu, CTLFLAG_RW,
163 &ip_mtu, 0, "Default MTU");
164#endif
165
166#ifdef IPSTEALTH
167static int ipstealth = 0;
168SYSCTL_INT(_net_inet_ip, OID_AUTO, stealth, CTLFLAG_RW,
169 &ipstealth, 0, "");
170#endif
171
172
173/* Firewall hooks */
174ip_fw_chk_t *ip_fw_chk_ptr;
175ip_fw_ctl_t *ip_fw_ctl_ptr;
176
177#ifdef DUMMYNET
178ip_dn_ctl_t *ip_dn_ctl_ptr;
179#endif
180
181#if defined(IPFILTER_LKM) || defined(IPFILTER)
182int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)) = NULL;
183#endif
184
185
186/*
187 * We need to save the IP options in case a protocol wants to respond
188 * to an incoming packet over the same route if the packet got here
189 * using IP source routing. This allows connection establishment and
190 * maintenance when the remote end is on a network that is not known
191 * to us.
192 */
193static int ip_nhops = 0;
194static struct ip_srcrt {
195 struct in_addr dst; /* final destination */
196 char nop; /* one NOP to align */
197 char srcopt[IPOPT_OFFSET + 1]; /* OPTVAL, OLEN and OFFSET */
198 struct in_addr route[MAX_IPOPTLEN/sizeof(struct in_addr)];
199} ip_srcrt;
200
201struct sockaddr_in *ip_fw_fwd_addr;
202
203static void save_rte __P((u_char *, struct in_addr));
204static int ip_dooptions __P((struct mbuf *));
205static void ip_forward __P((struct mbuf *, int));
206static void ip_freef __P((struct ipq *));
207#ifdef IPDIVERT
184static struct ip *ip_reass __P((struct mbuf *,
208static struct mbuf *ip_reass __P((struct mbuf *,
185 struct ipq *, struct ipq *, u_int32_t *, u_int16_t *));
186#else
209 struct ipq *, struct ipq *, u_int32_t *, u_int16_t *));
210#else
187static struct ip *ip_reass __P((struct mbuf *, struct ipq *, struct ipq *));
211static struct mbuf *ip_reass __P((struct mbuf *, struct ipq *, struct ipq *));
188#endif
189static struct in_ifaddr *ip_rtaddr __P((struct in_addr));
190static void ipintr __P((void));
191
192/*
193 * IP initialization: fill in IP protocol switch table.
194 * All protocols not implemented in kernel go to raw IP protocol handler.
195 */
196void
197ip_init()
198{
212#endif
213static struct in_ifaddr *ip_rtaddr __P((struct in_addr));
214static void ipintr __P((void));
215
216/*
217 * IP initialization: fill in IP protocol switch table.
218 * All protocols not implemented in kernel go to raw IP protocol handler.
219 */
220void
221ip_init()
222{
199 register struct protosw *pr;
223 register struct ipprotosw *pr;
200 register int i;
201
202 TAILQ_INIT(&in_ifaddrhead);
224 register int i;
225
226 TAILQ_INIT(&in_ifaddrhead);
203 pr = pffindproto(PF_INET, IPPROTO_RAW, SOCK_RAW);
227 pr = (struct ipprotosw *)pffindproto(PF_INET, IPPROTO_RAW, SOCK_RAW);
204 if (pr == 0)
205 panic("ip_init");
206 for (i = 0; i < IPPROTO_MAX; i++)
207 ip_protox[i] = pr - inetsw;
228 if (pr == 0)
229 panic("ip_init");
230 for (i = 0; i < IPPROTO_MAX; i++)
231 ip_protox[i] = pr - inetsw;
208 for (pr = inetdomain.dom_protosw;
209 pr < inetdomain.dom_protoswNPROTOSW; pr++)
232 for (pr = (struct ipprotosw *)inetdomain.dom_protosw;
233 pr < (struct ipprotosw *)inetdomain.dom_protoswNPROTOSW; pr++)
210 if (pr->pr_domain->dom_family == PF_INET &&
211 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW)
212 ip_protox[pr->pr_protocol] = pr - inetsw;
213
214 for (i = 0; i < IPREASS_NHASH; i++)
215 ipq[i].next = ipq[i].prev = &ipq[i];
216
217 maxnipq = nmbclusters/4;
218
219 ip_id = time_second & 0xffff;
220 ipintrq.ifq_maxlen = ipqmaxlen;
221}
222
223static struct sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET };
224static struct route ipforward_rt;
225
226/*
227 * Ip input routine. Checksum and byte swap header. If fragmented
228 * try to reassemble. Process options. Pass to next level.
229 */
230void
231ip_input(struct mbuf *m)
232{
233 struct ip *ip;
234 struct ipq *fp;
235 struct in_ifaddr *ia;
236 int i, hlen, mff;
237 u_short sum;
238 u_int16_t divert_cookie; /* firewall cookie */
239#ifdef IPDIVERT
240 u_int32_t divert_info = 0; /* packet divert/tee info */
241#endif
242 struct ip_fw_chain *rule = NULL;
243
244#ifdef IPDIVERT
245 /* Get and reset firewall cookie */
246 divert_cookie = ip_divert_cookie;
247 ip_divert_cookie = 0;
248#else
249 divert_cookie = 0;
250#endif
251
252#if defined(IPFIREWALL) && defined(DUMMYNET)
253 /*
254 * dummynet packet are prepended a vestigial mbuf with
255 * m_type = MT_DUMMYNET and m_data pointing to the matching
256 * rule.
257 */
258 if (m->m_type == MT_DUMMYNET) {
259 rule = (struct ip_fw_chain *)(m->m_data) ;
260 m = m->m_next ;
261 ip = mtod(m, struct ip *);
262 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
263 goto iphack ;
264 } else
265 rule = NULL ;
266#endif
267
268#ifdef DIAGNOSTIC
269 if (m == NULL || (m->m_flags & M_PKTHDR) == 0)
270 panic("ip_input no HDR");
271#endif
272 ipstat.ips_total++;
273
274 if (m->m_pkthdr.len < sizeof(struct ip))
275 goto tooshort;
276
277 if (m->m_len < sizeof (struct ip) &&
278 (m = m_pullup(m, sizeof (struct ip))) == 0) {
279 ipstat.ips_toosmall++;
280 return;
281 }
282 ip = mtod(m, struct ip *);
283
284 if (IP_VHL_V(ip->ip_vhl) != IPVERSION) {
285 ipstat.ips_badvers++;
286 goto bad;
287 }
288
289 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
290 if (hlen < sizeof(struct ip)) { /* minimum header length */
291 ipstat.ips_badhlen++;
292 goto bad;
293 }
294 if (hlen > m->m_len) {
295 if ((m = m_pullup(m, hlen)) == 0) {
296 ipstat.ips_badhlen++;
297 return;
298 }
299 ip = mtod(m, struct ip *);
300 }
301 if (hlen == sizeof(struct ip)) {
302 sum = in_cksum_hdr(ip);
303 } else {
304 sum = in_cksum(m, hlen);
305 }
306 if (sum) {
307 ipstat.ips_badsum++;
308 goto bad;
309 }
310
311 /*
312 * Convert fields to host representation.
313 */
314 NTOHS(ip->ip_len);
315 if (ip->ip_len < hlen) {
316 ipstat.ips_badlen++;
317 goto bad;
318 }
319 NTOHS(ip->ip_id);
320 NTOHS(ip->ip_off);
321
322 /*
323 * Check that the amount of data in the buffers
324 * is as at least much as the IP header would have us expect.
325 * Trim mbufs if longer than we expect.
326 * Drop packet if shorter than we expect.
327 */
328 if (m->m_pkthdr.len < ip->ip_len) {
329tooshort:
330 ipstat.ips_tooshort++;
331 goto bad;
332 }
333 if (m->m_pkthdr.len > ip->ip_len) {
334 if (m->m_len == m->m_pkthdr.len) {
335 m->m_len = ip->ip_len;
336 m->m_pkthdr.len = ip->ip_len;
337 } else
338 m_adj(m, ip->ip_len - m->m_pkthdr.len);
339 }
340 /*
341 * IpHack's section.
342 * Right now when no processing on packet has done
343 * and it is still fresh out of network we do our black
344 * deals with it.
345 * - Firewall: deny/allow/divert
346 * - Xlate: translate packet's addr/port (NAT).
347 * - Pipe: pass pkt through dummynet.
348 * - Wrap: fake packet's addr/port <unimpl.>
349 * - Encapsulate: put it in another IP and send out. <unimp.>
350 */
351
352#if defined(IPFIREWALL) && defined(DUMMYNET)
353iphack:
354#endif
355#if defined(IPFILTER) || defined(IPFILTER_LKM)
356 /*
357 * Check if we want to allow this packet to be processed.
358 * Consider it to be bad if not.
359 */
360 if (fr_checkp) {
361 struct mbuf *m1 = m;
362
363 if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
364 return;
365 ip = mtod(m = m1, struct ip *);
366 }
367#endif
368 if (ip_fw_chk_ptr) {
369#ifdef IPFIREWALL_FORWARD
370 /*
371 * If we've been forwarded from the output side, then
372 * skip the firewall a second time
373 */
374 if (ip_fw_fwd_addr)
375 goto ours;
376#endif /* IPFIREWALL_FORWARD */
377 /*
378 * See the comment in ip_output for the return values
379 * produced by the firewall.
380 */
381 i = (*ip_fw_chk_ptr)(&ip,
382 hlen, NULL, &divert_cookie, &m, &rule, &ip_fw_fwd_addr);
383 if (m == NULL) /* Packet discarded by firewall */
384 return;
385 if (i == 0 && ip_fw_fwd_addr == NULL) /* common case */
386 goto pass;
387#ifdef DUMMYNET
388 if ((i & IP_FW_PORT_DYNT_FLAG) != 0) {
389 /* Send packet to the appropriate pipe */
234 if (pr->pr_domain->dom_family == PF_INET &&
235 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW)
236 ip_protox[pr->pr_protocol] = pr - inetsw;
237
238 for (i = 0; i < IPREASS_NHASH; i++)
239 ipq[i].next = ipq[i].prev = &ipq[i];
240
241 maxnipq = nmbclusters/4;
242
243 ip_id = time_second & 0xffff;
244 ipintrq.ifq_maxlen = ipqmaxlen;
245}
246
247static struct sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET };
248static struct route ipforward_rt;
249
250/*
251 * Ip input routine. Checksum and byte swap header. If fragmented
252 * try to reassemble. Process options. Pass to next level.
253 */
254void
255ip_input(struct mbuf *m)
256{
257 struct ip *ip;
258 struct ipq *fp;
259 struct in_ifaddr *ia;
260 int i, hlen, mff;
261 u_short sum;
262 u_int16_t divert_cookie; /* firewall cookie */
263#ifdef IPDIVERT
264 u_int32_t divert_info = 0; /* packet divert/tee info */
265#endif
266 struct ip_fw_chain *rule = NULL;
267
268#ifdef IPDIVERT
269 /* Get and reset firewall cookie */
270 divert_cookie = ip_divert_cookie;
271 ip_divert_cookie = 0;
272#else
273 divert_cookie = 0;
274#endif
275
276#if defined(IPFIREWALL) && defined(DUMMYNET)
277 /*
278 * dummynet packet are prepended a vestigial mbuf with
279 * m_type = MT_DUMMYNET and m_data pointing to the matching
280 * rule.
281 */
282 if (m->m_type == MT_DUMMYNET) {
283 rule = (struct ip_fw_chain *)(m->m_data) ;
284 m = m->m_next ;
285 ip = mtod(m, struct ip *);
286 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
287 goto iphack ;
288 } else
289 rule = NULL ;
290#endif
291
292#ifdef DIAGNOSTIC
293 if (m == NULL || (m->m_flags & M_PKTHDR) == 0)
294 panic("ip_input no HDR");
295#endif
296 ipstat.ips_total++;
297
298 if (m->m_pkthdr.len < sizeof(struct ip))
299 goto tooshort;
300
301 if (m->m_len < sizeof (struct ip) &&
302 (m = m_pullup(m, sizeof (struct ip))) == 0) {
303 ipstat.ips_toosmall++;
304 return;
305 }
306 ip = mtod(m, struct ip *);
307
308 if (IP_VHL_V(ip->ip_vhl) != IPVERSION) {
309 ipstat.ips_badvers++;
310 goto bad;
311 }
312
313 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
314 if (hlen < sizeof(struct ip)) { /* minimum header length */
315 ipstat.ips_badhlen++;
316 goto bad;
317 }
318 if (hlen > m->m_len) {
319 if ((m = m_pullup(m, hlen)) == 0) {
320 ipstat.ips_badhlen++;
321 return;
322 }
323 ip = mtod(m, struct ip *);
324 }
325 if (hlen == sizeof(struct ip)) {
326 sum = in_cksum_hdr(ip);
327 } else {
328 sum = in_cksum(m, hlen);
329 }
330 if (sum) {
331 ipstat.ips_badsum++;
332 goto bad;
333 }
334
335 /*
336 * Convert fields to host representation.
337 */
338 NTOHS(ip->ip_len);
339 if (ip->ip_len < hlen) {
340 ipstat.ips_badlen++;
341 goto bad;
342 }
343 NTOHS(ip->ip_id);
344 NTOHS(ip->ip_off);
345
346 /*
347 * Check that the amount of data in the buffers
348 * is as at least much as the IP header would have us expect.
349 * Trim mbufs if longer than we expect.
350 * Drop packet if shorter than we expect.
351 */
352 if (m->m_pkthdr.len < ip->ip_len) {
353tooshort:
354 ipstat.ips_tooshort++;
355 goto bad;
356 }
357 if (m->m_pkthdr.len > ip->ip_len) {
358 if (m->m_len == m->m_pkthdr.len) {
359 m->m_len = ip->ip_len;
360 m->m_pkthdr.len = ip->ip_len;
361 } else
362 m_adj(m, ip->ip_len - m->m_pkthdr.len);
363 }
364 /*
365 * IpHack's section.
366 * Right now when no processing on packet has done
367 * and it is still fresh out of network we do our black
368 * deals with it.
369 * - Firewall: deny/allow/divert
370 * - Xlate: translate packet's addr/port (NAT).
371 * - Pipe: pass pkt through dummynet.
372 * - Wrap: fake packet's addr/port <unimpl.>
373 * - Encapsulate: put it in another IP and send out. <unimp.>
374 */
375
376#if defined(IPFIREWALL) && defined(DUMMYNET)
377iphack:
378#endif
379#if defined(IPFILTER) || defined(IPFILTER_LKM)
380 /*
381 * Check if we want to allow this packet to be processed.
382 * Consider it to be bad if not.
383 */
384 if (fr_checkp) {
385 struct mbuf *m1 = m;
386
387 if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
388 return;
389 ip = mtod(m = m1, struct ip *);
390 }
391#endif
392 if (ip_fw_chk_ptr) {
393#ifdef IPFIREWALL_FORWARD
394 /*
395 * If we've been forwarded from the output side, then
396 * skip the firewall a second time
397 */
398 if (ip_fw_fwd_addr)
399 goto ours;
400#endif /* IPFIREWALL_FORWARD */
401 /*
402 * See the comment in ip_output for the return values
403 * produced by the firewall.
404 */
405 i = (*ip_fw_chk_ptr)(&ip,
406 hlen, NULL, &divert_cookie, &m, &rule, &ip_fw_fwd_addr);
407 if (m == NULL) /* Packet discarded by firewall */
408 return;
409 if (i == 0 && ip_fw_fwd_addr == NULL) /* common case */
410 goto pass;
411#ifdef DUMMYNET
412 if ((i & IP_FW_PORT_DYNT_FLAG) != 0) {
413 /* Send packet to the appropriate pipe */
390 dummynet_io(i&0xffff,DN_TO_IP_IN,m,NULL,NULL,0, rule);
414 dummynet_io(i&0xffff,DN_TO_IP_IN,m,NULL,NULL,0, rule,
415 0);
391 return;
392 }
393#endif
394#ifdef IPDIVERT
395 if (i != 0 && (i & IP_FW_PORT_DYNT_FLAG) == 0) {
396 /* Divert or tee packet */
397 divert_info = i;
398 goto ours;
399 }
400#endif
401#ifdef IPFIREWALL_FORWARD
402 if (i == 0 && ip_fw_fwd_addr != NULL)
403 goto pass;
404#endif
405 /*
406 * if we get here, the packet must be dropped
407 */
408 m_freem(m);
409 return;
410 }
411pass:
412
413 /*
414 * Process options and, if not destined for us,
415 * ship it on. ip_dooptions returns 1 when an
416 * error was detected (causing an icmp message
417 * to be sent and the original packet to be freed).
418 */
419 ip_nhops = 0; /* for source routed packets */
420 if (hlen > sizeof (struct ip) && ip_dooptions(m)) {
421#ifdef IPFIREWALL_FORWARD
422 ip_fw_fwd_addr = NULL;
423#endif
424 return;
425 }
426
427 /* greedy RSVP, snatches any PATH packet of the RSVP protocol and no
428 * matter if it is destined to another node, or whether it is
429 * a multicast one, RSVP wants it! and prevents it from being forwarded
430 * anywhere else. Also checks if the rsvp daemon is running before
431 * grabbing the packet.
432 */
433 if (rsvp_on && ip->ip_p==IPPROTO_RSVP)
434 goto ours;
435
436 /*
437 * Check our list of addresses, to see if the packet is for us.
438 * If we don't have any addresses, assume any unicast packet
439 * we receive might be for us (and let the upper layers deal
440 * with it).
441 */
442 if (TAILQ_EMPTY(&in_ifaddrhead) &&
443 (m->m_flags & (M_MCAST|M_BCAST)) == 0)
444 goto ours;
445
446 for (ia = TAILQ_FIRST(&in_ifaddrhead); ia;
447 ia = TAILQ_NEXT(ia, ia_link)) {
448#define satosin(sa) ((struct sockaddr_in *)(sa))
449
450#ifdef BOOTP_COMPAT
451 if (IA_SIN(ia)->sin_addr.s_addr == INADDR_ANY)
452 goto ours;
453#endif
454#ifdef IPFIREWALL_FORWARD
455 /*
456 * If the addr to forward to is one of ours, we pretend to
457 * be the destination for this packet.
458 */
459 if (ip_fw_fwd_addr == NULL) {
460 if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr)
461 goto ours;
462 } else if (IA_SIN(ia)->sin_addr.s_addr ==
463 ip_fw_fwd_addr->sin_addr.s_addr)
464 goto ours;
465#else
466 if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr)
467 goto ours;
468#endif
469 if (ia->ia_ifp && ia->ia_ifp->if_flags & IFF_BROADCAST) {
470 if (satosin(&ia->ia_broadaddr)->sin_addr.s_addr ==
471 ip->ip_dst.s_addr)
472 goto ours;
473 if (ip->ip_dst.s_addr == ia->ia_netbroadcast.s_addr)
474 goto ours;
475 }
476 }
477 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
478 struct in_multi *inm;
479 if (ip_mrouter) {
480 /*
481 * If we are acting as a multicast router, all
482 * incoming multicast packets are passed to the
483 * kernel-level multicast forwarding function.
484 * The packet is returned (relatively) intact; if
485 * ip_mforward() returns a non-zero value, the packet
486 * must be discarded, else it may be accepted below.
487 *
488 * (The IP ident field is put in the same byte order
489 * as expected when ip_mforward() is called from
490 * ip_output().)
491 */
492 ip->ip_id = htons(ip->ip_id);
493 if (ip_mforward(ip, m->m_pkthdr.rcvif, m, 0) != 0) {
494 ipstat.ips_cantforward++;
495 m_freem(m);
496 return;
497 }
498 ip->ip_id = ntohs(ip->ip_id);
499
500 /*
501 * The process-level routing demon needs to receive
502 * all multicast IGMP packets, whether or not this
503 * host belongs to their destination groups.
504 */
505 if (ip->ip_p == IPPROTO_IGMP)
506 goto ours;
507 ipstat.ips_forward++;
508 }
509 /*
510 * See if we belong to the destination multicast group on the
511 * arrival interface.
512 */
513 IN_LOOKUP_MULTI(ip->ip_dst, m->m_pkthdr.rcvif, inm);
514 if (inm == NULL) {
515 ipstat.ips_notmember++;
516 m_freem(m);
517 return;
518 }
519 goto ours;
520 }
521 if (ip->ip_dst.s_addr == (u_long)INADDR_BROADCAST)
522 goto ours;
523 if (ip->ip_dst.s_addr == INADDR_ANY)
524 goto ours;
525
416 return;
417 }
418#endif
419#ifdef IPDIVERT
420 if (i != 0 && (i & IP_FW_PORT_DYNT_FLAG) == 0) {
421 /* Divert or tee packet */
422 divert_info = i;
423 goto ours;
424 }
425#endif
426#ifdef IPFIREWALL_FORWARD
427 if (i == 0 && ip_fw_fwd_addr != NULL)
428 goto pass;
429#endif
430 /*
431 * if we get here, the packet must be dropped
432 */
433 m_freem(m);
434 return;
435 }
436pass:
437
438 /*
439 * Process options and, if not destined for us,
440 * ship it on. ip_dooptions returns 1 when an
441 * error was detected (causing an icmp message
442 * to be sent and the original packet to be freed).
443 */
444 ip_nhops = 0; /* for source routed packets */
445 if (hlen > sizeof (struct ip) && ip_dooptions(m)) {
446#ifdef IPFIREWALL_FORWARD
447 ip_fw_fwd_addr = NULL;
448#endif
449 return;
450 }
451
452 /* greedy RSVP, snatches any PATH packet of the RSVP protocol and no
453 * matter if it is destined to another node, or whether it is
454 * a multicast one, RSVP wants it! and prevents it from being forwarded
455 * anywhere else. Also checks if the rsvp daemon is running before
456 * grabbing the packet.
457 */
458 if (rsvp_on && ip->ip_p==IPPROTO_RSVP)
459 goto ours;
460
461 /*
462 * Check our list of addresses, to see if the packet is for us.
463 * If we don't have any addresses, assume any unicast packet
464 * we receive might be for us (and let the upper layers deal
465 * with it).
466 */
467 if (TAILQ_EMPTY(&in_ifaddrhead) &&
468 (m->m_flags & (M_MCAST|M_BCAST)) == 0)
469 goto ours;
470
471 for (ia = TAILQ_FIRST(&in_ifaddrhead); ia;
472 ia = TAILQ_NEXT(ia, ia_link)) {
473#define satosin(sa) ((struct sockaddr_in *)(sa))
474
475#ifdef BOOTP_COMPAT
476 if (IA_SIN(ia)->sin_addr.s_addr == INADDR_ANY)
477 goto ours;
478#endif
479#ifdef IPFIREWALL_FORWARD
480 /*
481 * If the addr to forward to is one of ours, we pretend to
482 * be the destination for this packet.
483 */
484 if (ip_fw_fwd_addr == NULL) {
485 if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr)
486 goto ours;
487 } else if (IA_SIN(ia)->sin_addr.s_addr ==
488 ip_fw_fwd_addr->sin_addr.s_addr)
489 goto ours;
490#else
491 if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr)
492 goto ours;
493#endif
494 if (ia->ia_ifp && ia->ia_ifp->if_flags & IFF_BROADCAST) {
495 if (satosin(&ia->ia_broadaddr)->sin_addr.s_addr ==
496 ip->ip_dst.s_addr)
497 goto ours;
498 if (ip->ip_dst.s_addr == ia->ia_netbroadcast.s_addr)
499 goto ours;
500 }
501 }
502 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
503 struct in_multi *inm;
504 if (ip_mrouter) {
505 /*
506 * If we are acting as a multicast router, all
507 * incoming multicast packets are passed to the
508 * kernel-level multicast forwarding function.
509 * The packet is returned (relatively) intact; if
510 * ip_mforward() returns a non-zero value, the packet
511 * must be discarded, else it may be accepted below.
512 *
513 * (The IP ident field is put in the same byte order
514 * as expected when ip_mforward() is called from
515 * ip_output().)
516 */
517 ip->ip_id = htons(ip->ip_id);
518 if (ip_mforward(ip, m->m_pkthdr.rcvif, m, 0) != 0) {
519 ipstat.ips_cantforward++;
520 m_freem(m);
521 return;
522 }
523 ip->ip_id = ntohs(ip->ip_id);
524
525 /*
526 * The process-level routing demon needs to receive
527 * all multicast IGMP packets, whether or not this
528 * host belongs to their destination groups.
529 */
530 if (ip->ip_p == IPPROTO_IGMP)
531 goto ours;
532 ipstat.ips_forward++;
533 }
534 /*
535 * See if we belong to the destination multicast group on the
536 * arrival interface.
537 */
538 IN_LOOKUP_MULTI(ip->ip_dst, m->m_pkthdr.rcvif, inm);
539 if (inm == NULL) {
540 ipstat.ips_notmember++;
541 m_freem(m);
542 return;
543 }
544 goto ours;
545 }
546 if (ip->ip_dst.s_addr == (u_long)INADDR_BROADCAST)
547 goto ours;
548 if (ip->ip_dst.s_addr == INADDR_ANY)
549 goto ours;
550
551#if defined(NFAITH) && 0 < NFAITH
526 /*
552 /*
553 * FAITH(Firewall Aided Internet Translator)
554 */
555 if (m->m_pkthdr.rcvif && m->m_pkthdr.rcvif->if_type == IFT_FAITH) {
556 if (ip_keepfaith) {
557 if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_ICMP)
558 goto ours;
559 }
560 m_freem(m);
561 return;
562 }
563#endif
564 /*
527 * Not for us; forward if possible and desirable.
528 */
529 if (ipforwarding == 0) {
530 ipstat.ips_cantforward++;
531 m_freem(m);
532 } else
533 ip_forward(m, 0);
534#ifdef IPFIREWALL_FORWARD
535 ip_fw_fwd_addr = NULL;
536#endif
537 return;
538
539ours:
540
541 /*
542 * If offset or IP_MF are set, must reassemble.
543 * Otherwise, nothing need be done.
544 * (We could look in the reassembly queue to see
545 * if the packet was previously fragmented,
546 * but it's not worth the time; just let them time out.)
547 */
548 if (ip->ip_off & (IP_MF | IP_OFFMASK | IP_RF)) {
565 * Not for us; forward if possible and desirable.
566 */
567 if (ipforwarding == 0) {
568 ipstat.ips_cantforward++;
569 m_freem(m);
570 } else
571 ip_forward(m, 0);
572#ifdef IPFIREWALL_FORWARD
573 ip_fw_fwd_addr = NULL;
574#endif
575 return;
576
577ours:
578
579 /*
580 * If offset or IP_MF are set, must reassemble.
581 * Otherwise, nothing need be done.
582 * (We could look in the reassembly queue to see
583 * if the packet was previously fragmented,
584 * but it's not worth the time; just let them time out.)
585 */
586 if (ip->ip_off & (IP_MF | IP_OFFMASK | IP_RF)) {
587
588#if 0 /*
589 * Reassembly should be able to treat a mbuf cluster, for later
590 * operation of contiguous protocol headers on the cluster. (KAME)
591 */
549 if (m->m_flags & M_EXT) { /* XXX */
550 if ((m = m_pullup(m, hlen)) == 0) {
551 ipstat.ips_toosmall++;
552#ifdef IPFIREWALL_FORWARD
553 ip_fw_fwd_addr = NULL;
554#endif
555 return;
556 }
557 ip = mtod(m, struct ip *);
558 }
592 if (m->m_flags & M_EXT) { /* XXX */
593 if ((m = m_pullup(m, hlen)) == 0) {
594 ipstat.ips_toosmall++;
595#ifdef IPFIREWALL_FORWARD
596 ip_fw_fwd_addr = NULL;
597#endif
598 return;
599 }
600 ip = mtod(m, struct ip *);
601 }
602#endif
559 sum = IPREASS_HASH(ip->ip_src.s_addr, ip->ip_id);
560 /*
561 * Look for queue of fragments
562 * of this datagram.
563 */
564 for (fp = ipq[sum].next; fp != &ipq[sum]; fp = fp->next)
565 if (ip->ip_id == fp->ipq_id &&
566 ip->ip_src.s_addr == fp->ipq_src.s_addr &&
567 ip->ip_dst.s_addr == fp->ipq_dst.s_addr &&
568 ip->ip_p == fp->ipq_p)
569 goto found;
570
571 fp = 0;
572
573 /* check if there's a place for the new queue */
574 if (nipq > maxnipq) {
575 /*
576 * drop something from the tail of the current queue
577 * before proceeding further
578 */
579 if (ipq[sum].prev == &ipq[sum]) { /* gak */
580 for (i = 0; i < IPREASS_NHASH; i++) {
581 if (ipq[i].prev != &ipq[i]) {
582 ip_freef(ipq[i].prev);
583 break;
584 }
585 }
586 } else
587 ip_freef(ipq[sum].prev);
588 }
589found:
590 /*
591 * Adjust ip_len to not reflect header,
592 * set ip_mff if more fragments are expected,
593 * convert offset of this to bytes.
594 */
595 ip->ip_len -= hlen;
596 mff = (ip->ip_off & IP_MF) != 0;
597 if (mff) {
598 /*
599 * Make sure that fragments have a data length
600 * that's a non-zero multiple of 8 bytes.
601 */
602 if (ip->ip_len == 0 || (ip->ip_len & 0x7) != 0) {
603 ipstat.ips_toosmall++; /* XXX */
604 goto bad;
605 }
606 m->m_flags |= M_FRAG;
607 }
608 ip->ip_off <<= 3;
609
610 /*
611 * If datagram marked as having more fragments
612 * or if this is not the first fragment,
613 * attempt reassembly; if it succeeds, proceed.
614 */
615 if (mff || ip->ip_off) {
616 ipstat.ips_fragments++;
617 m->m_pkthdr.header = ip;
618#ifdef IPDIVERT
603 sum = IPREASS_HASH(ip->ip_src.s_addr, ip->ip_id);
604 /*
605 * Look for queue of fragments
606 * of this datagram.
607 */
608 for (fp = ipq[sum].next; fp != &ipq[sum]; fp = fp->next)
609 if (ip->ip_id == fp->ipq_id &&
610 ip->ip_src.s_addr == fp->ipq_src.s_addr &&
611 ip->ip_dst.s_addr == fp->ipq_dst.s_addr &&
612 ip->ip_p == fp->ipq_p)
613 goto found;
614
615 fp = 0;
616
617 /* check if there's a place for the new queue */
618 if (nipq > maxnipq) {
619 /*
620 * drop something from the tail of the current queue
621 * before proceeding further
622 */
623 if (ipq[sum].prev == &ipq[sum]) { /* gak */
624 for (i = 0; i < IPREASS_NHASH; i++) {
625 if (ipq[i].prev != &ipq[i]) {
626 ip_freef(ipq[i].prev);
627 break;
628 }
629 }
630 } else
631 ip_freef(ipq[sum].prev);
632 }
633found:
634 /*
635 * Adjust ip_len to not reflect header,
636 * set ip_mff if more fragments are expected,
637 * convert offset of this to bytes.
638 */
639 ip->ip_len -= hlen;
640 mff = (ip->ip_off & IP_MF) != 0;
641 if (mff) {
642 /*
643 * Make sure that fragments have a data length
644 * that's a non-zero multiple of 8 bytes.
645 */
646 if (ip->ip_len == 0 || (ip->ip_len & 0x7) != 0) {
647 ipstat.ips_toosmall++; /* XXX */
648 goto bad;
649 }
650 m->m_flags |= M_FRAG;
651 }
652 ip->ip_off <<= 3;
653
654 /*
655 * If datagram marked as having more fragments
656 * or if this is not the first fragment,
657 * attempt reassembly; if it succeeds, proceed.
658 */
659 if (mff || ip->ip_off) {
660 ipstat.ips_fragments++;
661 m->m_pkthdr.header = ip;
662#ifdef IPDIVERT
619 ip = ip_reass(m,
663 m = ip_reass(m,
620 fp, &ipq[sum], &divert_info, &divert_cookie);
621#else
664 fp, &ipq[sum], &divert_info, &divert_cookie);
665#else
622 ip = ip_reass(m, fp, &ipq[sum]);
666 m = ip_reass(m, fp, &ipq[sum]);
623#endif
667#endif
624 if (ip == 0) {
668 if (m == 0) {
625#ifdef IPFIREWALL_FORWARD
626 ip_fw_fwd_addr = NULL;
627#endif
628 return;
629 }
630 /* Get the length of the reassembled packets header */
631 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
632 ipstat.ips_reassembled++;
669#ifdef IPFIREWALL_FORWARD
670 ip_fw_fwd_addr = NULL;
671#endif
672 return;
673 }
674 /* Get the length of the reassembled packets header */
675 hlen = IP_VHL_HL(ip->ip_vhl) << 2;
676 ipstat.ips_reassembled++;
633 m = dtom(ip);
677 ip = mtod(m, struct ip *);
634#ifdef IPDIVERT
635 /* Restore original checksum before diverting packet */
636 if (divert_info != 0) {
637 ip->ip_len += hlen;
638 HTONS(ip->ip_len);
639 HTONS(ip->ip_off);
640 HTONS(ip->ip_id);
641 ip->ip_sum = 0;
642 ip->ip_sum = in_cksum_hdr(ip);
643 NTOHS(ip->ip_id);
644 NTOHS(ip->ip_off);
645 NTOHS(ip->ip_len);
646 ip->ip_len -= hlen;
647 }
648#endif
649 } else
650 if (fp)
651 ip_freef(fp);
652 } else
653 ip->ip_len -= hlen;
654
655#ifdef IPDIVERT
656 /*
657 * Divert or tee packet to the divert protocol if required.
658 *
659 * If divert_info is zero then cookie should be too, so we shouldn't
660 * need to clear them here. Assume divert_packet() does so also.
661 */
662 if (divert_info != 0) {
663 struct mbuf *clone = NULL;
664
665 /* Clone packet if we're doing a 'tee' */
666 if ((divert_info & IP_FW_PORT_TEE_FLAG) != 0)
667 clone = m_dup(m, M_DONTWAIT);
668
669 /* Restore packet header fields to original values */
670 ip->ip_len += hlen;
671 HTONS(ip->ip_len);
672 HTONS(ip->ip_off);
673 HTONS(ip->ip_id);
674
675 /* Deliver packet to divert input routine */
676 ip_divert_cookie = divert_cookie;
677 divert_packet(m, 1, divert_info & 0xffff);
678 ipstat.ips_delivered++;
679
680 /* If 'tee', continue with original packet */
681 if (clone == NULL)
682 return;
683 m = clone;
684 ip = mtod(m, struct ip *);
685 }
686#endif
687
688 /*
689 * Switch out to protocol's input routine.
690 */
691 ipstat.ips_delivered++;
678#ifdef IPDIVERT
679 /* Restore original checksum before diverting packet */
680 if (divert_info != 0) {
681 ip->ip_len += hlen;
682 HTONS(ip->ip_len);
683 HTONS(ip->ip_off);
684 HTONS(ip->ip_id);
685 ip->ip_sum = 0;
686 ip->ip_sum = in_cksum_hdr(ip);
687 NTOHS(ip->ip_id);
688 NTOHS(ip->ip_off);
689 NTOHS(ip->ip_len);
690 ip->ip_len -= hlen;
691 }
692#endif
693 } else
694 if (fp)
695 ip_freef(fp);
696 } else
697 ip->ip_len -= hlen;
698
699#ifdef IPDIVERT
700 /*
701 * Divert or tee packet to the divert protocol if required.
702 *
703 * If divert_info is zero then cookie should be too, so we shouldn't
704 * need to clear them here. Assume divert_packet() does so also.
705 */
706 if (divert_info != 0) {
707 struct mbuf *clone = NULL;
708
709 /* Clone packet if we're doing a 'tee' */
710 if ((divert_info & IP_FW_PORT_TEE_FLAG) != 0)
711 clone = m_dup(m, M_DONTWAIT);
712
713 /* Restore packet header fields to original values */
714 ip->ip_len += hlen;
715 HTONS(ip->ip_len);
716 HTONS(ip->ip_off);
717 HTONS(ip->ip_id);
718
719 /* Deliver packet to divert input routine */
720 ip_divert_cookie = divert_cookie;
721 divert_packet(m, 1, divert_info & 0xffff);
722 ipstat.ips_delivered++;
723
724 /* If 'tee', continue with original packet */
725 if (clone == NULL)
726 return;
727 m = clone;
728 ip = mtod(m, struct ip *);
729 }
730#endif
731
732 /*
733 * Switch out to protocol's input routine.
734 */
735 ipstat.ips_delivered++;
692 (*inetsw[ip_protox[ip->ip_p]].pr_input)(m, hlen);
736 {
737 int off = hlen, nh = ip->ip_p;
738
739 (*inetsw[ip_protox[ip->ip_p]].pr_input)(m, off, nh);
693#ifdef IPFIREWALL_FORWARD
694 ip_fw_fwd_addr = NULL; /* tcp needed it */
695#endif
696 return;
740#ifdef IPFIREWALL_FORWARD
741 ip_fw_fwd_addr = NULL; /* tcp needed it */
742#endif
743 return;
744 }
697bad:
698#ifdef IPFIREWALL_FORWARD
699 ip_fw_fwd_addr = NULL;
700#endif
701 m_freem(m);
702}
703
704/*
705 * IP software interrupt routine - to go away sometime soon
706 */
707static void
708ipintr(void)
709{
710 int s;
711 struct mbuf *m;
712
713 while(1) {
714 s = splimp();
715 IF_DEQUEUE(&ipintrq, m);
716 splx(s);
717 if (m == 0)
718 return;
719 ip_input(m);
720 }
721}
722
723NETISR_SET(NETISR_IP, ipintr);
724
725/*
726 * Take incoming datagram fragment and try to reassemble it into
727 * whole datagram. If a chain for reassembly of this datagram already
728 * exists, then it is given as fp; otherwise have to make a chain.
729 *
730 * When IPDIVERT enabled, keep additional state with each packet that
731 * tells us if we need to divert or tee the packet we're building.
732 */
733
745bad:
746#ifdef IPFIREWALL_FORWARD
747 ip_fw_fwd_addr = NULL;
748#endif
749 m_freem(m);
750}
751
752/*
753 * IP software interrupt routine - to go away sometime soon
754 */
755static void
756ipintr(void)
757{
758 int s;
759 struct mbuf *m;
760
761 while(1) {
762 s = splimp();
763 IF_DEQUEUE(&ipintrq, m);
764 splx(s);
765 if (m == 0)
766 return;
767 ip_input(m);
768 }
769}
770
771NETISR_SET(NETISR_IP, ipintr);
772
773/*
774 * Take incoming datagram fragment and try to reassemble it into
775 * whole datagram. If a chain for reassembly of this datagram already
776 * exists, then it is given as fp; otherwise have to make a chain.
777 *
778 * When IPDIVERT enabled, keep additional state with each packet that
779 * tells us if we need to divert or tee the packet we're building.
780 */
781
734static struct ip *
782static struct mbuf *
735#ifdef IPDIVERT
736ip_reass(m, fp, where, divinfo, divcookie)
737#else
738ip_reass(m, fp, where)
739#endif
740 register struct mbuf *m;
741 register struct ipq *fp;
742 struct ipq *where;
743#ifdef IPDIVERT
744 u_int32_t *divinfo;
745 u_int16_t *divcookie;
746#endif
747{
748 struct ip *ip = mtod(m, struct ip *);
749 register struct mbuf *p = 0, *q, *nq;
750 struct mbuf *t;
751 int hlen = IP_VHL_HL(ip->ip_vhl) << 2;
752 int i, next;
753
754 /*
755 * Presence of header sizes in mbufs
756 * would confuse code below.
757 */
758 m->m_data += hlen;
759 m->m_len -= hlen;
760
761 /*
762 * If first fragment to arrive, create a reassembly queue.
763 */
764 if (fp == 0) {
765 if ((t = m_get(M_DONTWAIT, MT_FTABLE)) == NULL)
766 goto dropfrag;
767 fp = mtod(t, struct ipq *);
768 insque(fp, where);
769 nipq++;
770 fp->ipq_ttl = IPFRAGTTL;
771 fp->ipq_p = ip->ip_p;
772 fp->ipq_id = ip->ip_id;
773 fp->ipq_src = ip->ip_src;
774 fp->ipq_dst = ip->ip_dst;
775 fp->ipq_frags = m;
776 m->m_nextpkt = NULL;
777#ifdef IPDIVERT
778 fp->ipq_div_info = 0;
779 fp->ipq_div_cookie = 0;
780#endif
781 goto inserted;
782 }
783
784#define GETIP(m) ((struct ip*)((m)->m_pkthdr.header))
785
786 /*
787 * Find a segment which begins after this one does.
788 */
789 for (p = NULL, q = fp->ipq_frags; q; p = q, q = q->m_nextpkt)
790 if (GETIP(q)->ip_off > ip->ip_off)
791 break;
792
793 /*
794 * If there is a preceding segment, it may provide some of
795 * our data already. If so, drop the data from the incoming
796 * segment. If it provides all of our data, drop us, otherwise
797 * stick new segment in the proper place.
798 */
799 if (p) {
800 i = GETIP(p)->ip_off + GETIP(p)->ip_len - ip->ip_off;
801 if (i > 0) {
802 if (i >= ip->ip_len)
803 goto dropfrag;
783#ifdef IPDIVERT
784ip_reass(m, fp, where, divinfo, divcookie)
785#else
786ip_reass(m, fp, where)
787#endif
788 register struct mbuf *m;
789 register struct ipq *fp;
790 struct ipq *where;
791#ifdef IPDIVERT
792 u_int32_t *divinfo;
793 u_int16_t *divcookie;
794#endif
795{
796 struct ip *ip = mtod(m, struct ip *);
797 register struct mbuf *p = 0, *q, *nq;
798 struct mbuf *t;
799 int hlen = IP_VHL_HL(ip->ip_vhl) << 2;
800 int i, next;
801
802 /*
803 * Presence of header sizes in mbufs
804 * would confuse code below.
805 */
806 m->m_data += hlen;
807 m->m_len -= hlen;
808
809 /*
810 * If first fragment to arrive, create a reassembly queue.
811 */
812 if (fp == 0) {
813 if ((t = m_get(M_DONTWAIT, MT_FTABLE)) == NULL)
814 goto dropfrag;
815 fp = mtod(t, struct ipq *);
816 insque(fp, where);
817 nipq++;
818 fp->ipq_ttl = IPFRAGTTL;
819 fp->ipq_p = ip->ip_p;
820 fp->ipq_id = ip->ip_id;
821 fp->ipq_src = ip->ip_src;
822 fp->ipq_dst = ip->ip_dst;
823 fp->ipq_frags = m;
824 m->m_nextpkt = NULL;
825#ifdef IPDIVERT
826 fp->ipq_div_info = 0;
827 fp->ipq_div_cookie = 0;
828#endif
829 goto inserted;
830 }
831
832#define GETIP(m) ((struct ip*)((m)->m_pkthdr.header))
833
834 /*
835 * Find a segment which begins after this one does.
836 */
837 for (p = NULL, q = fp->ipq_frags; q; p = q, q = q->m_nextpkt)
838 if (GETIP(q)->ip_off > ip->ip_off)
839 break;
840
841 /*
842 * If there is a preceding segment, it may provide some of
843 * our data already. If so, drop the data from the incoming
844 * segment. If it provides all of our data, drop us, otherwise
845 * stick new segment in the proper place.
846 */
847 if (p) {
848 i = GETIP(p)->ip_off + GETIP(p)->ip_len - ip->ip_off;
849 if (i > 0) {
850 if (i >= ip->ip_len)
851 goto dropfrag;
804 m_adj(dtom(ip), i);
852 m_adj(m, i);
805 ip->ip_off += i;
806 ip->ip_len -= i;
807 }
808 m->m_nextpkt = p->m_nextpkt;
809 p->m_nextpkt = m;
810 } else {
811 m->m_nextpkt = fp->ipq_frags;
812 fp->ipq_frags = m;
813 }
814
815 /*
816 * While we overlap succeeding segments trim them or,
817 * if they are completely covered, dequeue them.
818 */
819 for (; q != NULL && ip->ip_off + ip->ip_len > GETIP(q)->ip_off;
820 q = nq) {
821 i = (ip->ip_off + ip->ip_len) -
822 GETIP(q)->ip_off;
823 if (i < GETIP(q)->ip_len) {
824 GETIP(q)->ip_len -= i;
825 GETIP(q)->ip_off += i;
826 m_adj(q, i);
827 break;
828 }
829 nq = q->m_nextpkt;
830 m->m_nextpkt = nq;
831 m_freem(q);
832 }
833
834inserted:
835
836#ifdef IPDIVERT
837 /*
838 * Transfer firewall instructions to the fragment structure.
839 * Any fragment diverting causes the whole packet to divert.
840 */
841 fp->ipq_div_info = *divinfo;
842 fp->ipq_div_cookie = *divcookie;
843 *divinfo = 0;
844 *divcookie = 0;
845#endif
846
847 /*
848 * Check for complete reassembly.
849 */
850 next = 0;
851 for (p = NULL, q = fp->ipq_frags; q; p = q, q = q->m_nextpkt) {
852 if (GETIP(q)->ip_off != next)
853 return (0);
854 next += GETIP(q)->ip_len;
855 }
856 /* Make sure the last packet didn't have the IP_MF flag */
857 if (p->m_flags & M_FRAG)
858 return (0);
859
860 /*
861 * Reassembly is complete. Make sure the packet is a sane size.
862 */
863 q = fp->ipq_frags;
864 ip = GETIP(q);
865 if (next + (IP_VHL_HL(ip->ip_vhl) << 2) > IP_MAXPACKET) {
866 ipstat.ips_toolong++;
867 ip_freef(fp);
868 return (0);
869 }
870
871 /*
872 * Concatenate fragments.
873 */
874 m = q;
875 t = m->m_next;
876 m->m_next = 0;
877 m_cat(m, t);
878 nq = q->m_nextpkt;
879 q->m_nextpkt = 0;
880 for (q = nq; q != NULL; q = nq) {
881 nq = q->m_nextpkt;
882 q->m_nextpkt = NULL;
883 m_cat(m, q);
884 }
885
886#ifdef IPDIVERT
887 /*
888 * Extract firewall instructions from the fragment structure.
889 */
890 *divinfo = fp->ipq_div_info;
891 *divcookie = fp->ipq_div_cookie;
892#endif
893
894 /*
895 * Create header for new ip packet by
896 * modifying header of first packet;
897 * dequeue and discard fragment reassembly header.
898 * Make header visible.
899 */
900 ip->ip_len = next;
901 ip->ip_src = fp->ipq_src;
902 ip->ip_dst = fp->ipq_dst;
903 remque(fp);
904 nipq--;
905 (void) m_free(dtom(fp));
906 m->m_len += (IP_VHL_HL(ip->ip_vhl) << 2);
907 m->m_data -= (IP_VHL_HL(ip->ip_vhl) << 2);
908 /* some debugging cruft by sklower, below, will go away soon */
909 if (m->m_flags & M_PKTHDR) { /* XXX this should be done elsewhere */
910 register int plen = 0;
853 ip->ip_off += i;
854 ip->ip_len -= i;
855 }
856 m->m_nextpkt = p->m_nextpkt;
857 p->m_nextpkt = m;
858 } else {
859 m->m_nextpkt = fp->ipq_frags;
860 fp->ipq_frags = m;
861 }
862
863 /*
864 * While we overlap succeeding segments trim them or,
865 * if they are completely covered, dequeue them.
866 */
867 for (; q != NULL && ip->ip_off + ip->ip_len > GETIP(q)->ip_off;
868 q = nq) {
869 i = (ip->ip_off + ip->ip_len) -
870 GETIP(q)->ip_off;
871 if (i < GETIP(q)->ip_len) {
872 GETIP(q)->ip_len -= i;
873 GETIP(q)->ip_off += i;
874 m_adj(q, i);
875 break;
876 }
877 nq = q->m_nextpkt;
878 m->m_nextpkt = nq;
879 m_freem(q);
880 }
881
882inserted:
883
884#ifdef IPDIVERT
885 /*
886 * Transfer firewall instructions to the fragment structure.
887 * Any fragment diverting causes the whole packet to divert.
888 */
889 fp->ipq_div_info = *divinfo;
890 fp->ipq_div_cookie = *divcookie;
891 *divinfo = 0;
892 *divcookie = 0;
893#endif
894
895 /*
896 * Check for complete reassembly.
897 */
898 next = 0;
899 for (p = NULL, q = fp->ipq_frags; q; p = q, q = q->m_nextpkt) {
900 if (GETIP(q)->ip_off != next)
901 return (0);
902 next += GETIP(q)->ip_len;
903 }
904 /* Make sure the last packet didn't have the IP_MF flag */
905 if (p->m_flags & M_FRAG)
906 return (0);
907
908 /*
909 * Reassembly is complete. Make sure the packet is a sane size.
910 */
911 q = fp->ipq_frags;
912 ip = GETIP(q);
913 if (next + (IP_VHL_HL(ip->ip_vhl) << 2) > IP_MAXPACKET) {
914 ipstat.ips_toolong++;
915 ip_freef(fp);
916 return (0);
917 }
918
919 /*
920 * Concatenate fragments.
921 */
922 m = q;
923 t = m->m_next;
924 m->m_next = 0;
925 m_cat(m, t);
926 nq = q->m_nextpkt;
927 q->m_nextpkt = 0;
928 for (q = nq; q != NULL; q = nq) {
929 nq = q->m_nextpkt;
930 q->m_nextpkt = NULL;
931 m_cat(m, q);
932 }
933
934#ifdef IPDIVERT
935 /*
936 * Extract firewall instructions from the fragment structure.
937 */
938 *divinfo = fp->ipq_div_info;
939 *divcookie = fp->ipq_div_cookie;
940#endif
941
942 /*
943 * Create header for new ip packet by
944 * modifying header of first packet;
945 * dequeue and discard fragment reassembly header.
946 * Make header visible.
947 */
948 ip->ip_len = next;
949 ip->ip_src = fp->ipq_src;
950 ip->ip_dst = fp->ipq_dst;
951 remque(fp);
952 nipq--;
953 (void) m_free(dtom(fp));
954 m->m_len += (IP_VHL_HL(ip->ip_vhl) << 2);
955 m->m_data -= (IP_VHL_HL(ip->ip_vhl) << 2);
956 /* some debugging cruft by sklower, below, will go away soon */
957 if (m->m_flags & M_PKTHDR) { /* XXX this should be done elsewhere */
958 register int plen = 0;
911 for (t = m; m; m = m->m_next)
912 plen += m->m_len;
913 t->m_pkthdr.len = plen;
959 for (t = m; t; t = t->m_next)
960 plen += t->m_len;
961 m->m_pkthdr.len = plen;
914 }
962 }
915 return (ip);
963 return (m);
916
917dropfrag:
918#ifdef IPDIVERT
919 *divinfo = 0;
920 *divcookie = 0;
921#endif
922 ipstat.ips_fragdropped++;
923 m_freem(m);
924 return (0);
925
926#undef GETIP
927}
928
929/*
930 * Free a fragment reassembly header and all
931 * associated datagrams.
932 */
933static void
934ip_freef(fp)
935 struct ipq *fp;
936{
937 register struct mbuf *q;
938
939 while (fp->ipq_frags) {
940 q = fp->ipq_frags;
941 fp->ipq_frags = q->m_nextpkt;
942 m_freem(q);
943 }
944 remque(fp);
945 (void) m_free(dtom(fp));
946 nipq--;
947}
948
949/*
950 * IP timer processing;
951 * if a timer expires on a reassembly
952 * queue, discard it.
953 */
954void
955ip_slowtimo()
956{
957 register struct ipq *fp;
958 int s = splnet();
959 int i;
960
961 for (i = 0; i < IPREASS_NHASH; i++) {
962 fp = ipq[i].next;
963 if (fp == 0)
964 continue;
965 while (fp != &ipq[i]) {
966 --fp->ipq_ttl;
967 fp = fp->next;
968 if (fp->prev->ipq_ttl == 0) {
969 ipstat.ips_fragtimeout++;
970 ip_freef(fp->prev);
971 }
972 }
973 }
974 ipflow_slowtimo();
975 splx(s);
976}
977
978/*
979 * Drain off all datagram fragments.
980 */
981void
982ip_drain()
983{
984 int i;
985
986 for (i = 0; i < IPREASS_NHASH; i++) {
987 while (ipq[i].next != &ipq[i]) {
988 ipstat.ips_fragdropped++;
989 ip_freef(ipq[i].next);
990 }
991 }
992 in_rtqdrain();
993}
994
995/*
996 * Do option processing on a datagram,
997 * possibly discarding it if bad options are encountered,
998 * or forwarding it if source-routed.
999 * Returns 1 if packet has been forwarded/freed,
1000 * 0 if the packet should be processed further.
1001 */
1002static int
1003ip_dooptions(m)
1004 struct mbuf *m;
1005{
1006 register struct ip *ip = mtod(m, struct ip *);
1007 register u_char *cp;
1008 register struct ip_timestamp *ipt;
1009 register struct in_ifaddr *ia;
1010 int opt, optlen, cnt, off, code, type = ICMP_PARAMPROB, forward = 0;
1011 struct in_addr *sin, dst;
1012 n_time ntime;
1013
1014 dst = ip->ip_dst;
1015 cp = (u_char *)(ip + 1);
1016 cnt = (IP_VHL_HL(ip->ip_vhl) << 2) - sizeof (struct ip);
1017 for (; cnt > 0; cnt -= optlen, cp += optlen) {
1018 opt = cp[IPOPT_OPTVAL];
1019 if (opt == IPOPT_EOL)
1020 break;
1021 if (opt == IPOPT_NOP)
1022 optlen = 1;
1023 else {
1024 optlen = cp[IPOPT_OLEN];
1025 if (optlen <= 0 || optlen > cnt) {
1026 code = &cp[IPOPT_OLEN] - (u_char *)ip;
1027 goto bad;
1028 }
1029 }
1030 switch (opt) {
1031
1032 default:
1033 break;
1034
1035 /*
1036 * Source routing with record.
1037 * Find interface with current destination address.
1038 * If none on this machine then drop if strictly routed,
1039 * or do nothing if loosely routed.
1040 * Record interface address and bring up next address
1041 * component. If strictly routed make sure next
1042 * address is on directly accessible net.
1043 */
1044 case IPOPT_LSRR:
1045 case IPOPT_SSRR:
1046 if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
1047 code = &cp[IPOPT_OFFSET] - (u_char *)ip;
1048 goto bad;
1049 }
1050 ipaddr.sin_addr = ip->ip_dst;
1051 ia = (struct in_ifaddr *)
1052 ifa_ifwithaddr((struct sockaddr *)&ipaddr);
1053 if (ia == 0) {
1054 if (opt == IPOPT_SSRR) {
1055 type = ICMP_UNREACH;
1056 code = ICMP_UNREACH_SRCFAIL;
1057 goto bad;
1058 }
1059 if (!ip_dosourceroute)
1060 goto nosourcerouting;
1061 /*
1062 * Loose routing, and not at next destination
1063 * yet; nothing to do except forward.
1064 */
1065 break;
1066 }
1067 off--; /* 0 origin */
1068 if (off > optlen - sizeof(struct in_addr)) {
1069 /*
1070 * End of source route. Should be for us.
1071 */
1072 if (!ip_acceptsourceroute)
1073 goto nosourcerouting;
1074 save_rte(cp, ip->ip_src);
1075 break;
1076 }
1077
1078 if (!ip_dosourceroute) {
1079 if (ipforwarding) {
1080 char buf[16]; /* aaa.bbb.ccc.ddd\0 */
1081 /*
1082 * Acting as a router, so generate ICMP
1083 */
1084nosourcerouting:
1085 strcpy(buf, inet_ntoa(ip->ip_dst));
1086 log(LOG_WARNING,
1087 "attempted source route from %s to %s\n",
1088 inet_ntoa(ip->ip_src), buf);
1089 type = ICMP_UNREACH;
1090 code = ICMP_UNREACH_SRCFAIL;
1091 goto bad;
1092 } else {
1093 /*
1094 * Not acting as a router, so silently drop.
1095 */
1096 ipstat.ips_cantforward++;
1097 m_freem(m);
1098 return (1);
1099 }
1100 }
1101
1102 /*
1103 * locate outgoing interface
1104 */
1105 (void)memcpy(&ipaddr.sin_addr, cp + off,
1106 sizeof(ipaddr.sin_addr));
1107
1108 if (opt == IPOPT_SSRR) {
1109#define INA struct in_ifaddr *
1110#define SA struct sockaddr *
1111 if ((ia = (INA)ifa_ifwithdstaddr((SA)&ipaddr)) == 0)
1112 ia = (INA)ifa_ifwithnet((SA)&ipaddr);
1113 } else
1114 ia = ip_rtaddr(ipaddr.sin_addr);
1115 if (ia == 0) {
1116 type = ICMP_UNREACH;
1117 code = ICMP_UNREACH_SRCFAIL;
1118 goto bad;
1119 }
1120 ip->ip_dst = ipaddr.sin_addr;
1121 (void)memcpy(cp + off, &(IA_SIN(ia)->sin_addr),
1122 sizeof(struct in_addr));
1123 cp[IPOPT_OFFSET] += sizeof(struct in_addr);
1124 /*
1125 * Let ip_intr's mcast routing check handle mcast pkts
1126 */
1127 forward = !IN_MULTICAST(ntohl(ip->ip_dst.s_addr));
1128 break;
1129
1130 case IPOPT_RR:
1131 if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
1132 code = &cp[IPOPT_OFFSET] - (u_char *)ip;
1133 goto bad;
1134 }
1135 /*
1136 * If no space remains, ignore.
1137 */
1138 off--; /* 0 origin */
1139 if (off > optlen - sizeof(struct in_addr))
1140 break;
1141 (void)memcpy(&ipaddr.sin_addr, &ip->ip_dst,
1142 sizeof(ipaddr.sin_addr));
1143 /*
1144 * locate outgoing interface; if we're the destination,
1145 * use the incoming interface (should be same).
1146 */
1147 if ((ia = (INA)ifa_ifwithaddr((SA)&ipaddr)) == 0 &&
1148 (ia = ip_rtaddr(ipaddr.sin_addr)) == 0) {
1149 type = ICMP_UNREACH;
1150 code = ICMP_UNREACH_HOST;
1151 goto bad;
1152 }
1153 (void)memcpy(cp + off, &(IA_SIN(ia)->sin_addr),
1154 sizeof(struct in_addr));
1155 cp[IPOPT_OFFSET] += sizeof(struct in_addr);
1156 break;
1157
1158 case IPOPT_TS:
1159 code = cp - (u_char *)ip;
1160 ipt = (struct ip_timestamp *)cp;
1161 if (ipt->ipt_len < 5)
1162 goto bad;
1163 if (ipt->ipt_ptr > ipt->ipt_len - sizeof(int32_t)) {
1164 if (++ipt->ipt_oflw == 0)
1165 goto bad;
1166 break;
1167 }
1168 sin = (struct in_addr *)(cp + ipt->ipt_ptr - 1);
1169 switch (ipt->ipt_flg) {
1170
1171 case IPOPT_TS_TSONLY:
1172 break;
1173
1174 case IPOPT_TS_TSANDADDR:
1175 if (ipt->ipt_ptr - 1 + sizeof(n_time) +
1176 sizeof(struct in_addr) > ipt->ipt_len)
1177 goto bad;
1178 ipaddr.sin_addr = dst;
1179 ia = (INA)ifaof_ifpforaddr((SA)&ipaddr,
1180 m->m_pkthdr.rcvif);
1181 if (ia == 0)
1182 continue;
1183 (void)memcpy(sin, &IA_SIN(ia)->sin_addr,
1184 sizeof(struct in_addr));
1185 ipt->ipt_ptr += sizeof(struct in_addr);
1186 break;
1187
1188 case IPOPT_TS_PRESPEC:
1189 if (ipt->ipt_ptr - 1 + sizeof(n_time) +
1190 sizeof(struct in_addr) > ipt->ipt_len)
1191 goto bad;
1192 (void)memcpy(&ipaddr.sin_addr, sin,
1193 sizeof(struct in_addr));
1194 if (ifa_ifwithaddr((SA)&ipaddr) == 0)
1195 continue;
1196 ipt->ipt_ptr += sizeof(struct in_addr);
1197 break;
1198
1199 default:
1200 goto bad;
1201 }
1202 ntime = iptime();
1203 (void)memcpy(cp + ipt->ipt_ptr - 1, &ntime,
1204 sizeof(n_time));
1205 ipt->ipt_ptr += sizeof(n_time);
1206 }
1207 }
1208 if (forward && ipforwarding) {
1209 ip_forward(m, 1);
1210 return (1);
1211 }
1212 return (0);
1213bad:
1214 ip->ip_len -= IP_VHL_HL(ip->ip_vhl) << 2; /* XXX icmp_error adds in hdr length */
1215 icmp_error(m, type, code, 0, 0);
1216 ipstat.ips_badoptions++;
1217 return (1);
1218}
1219
1220/*
1221 * Given address of next destination (final or next hop),
1222 * return internet address info of interface to be used to get there.
1223 */
1224static struct in_ifaddr *
1225ip_rtaddr(dst)
1226 struct in_addr dst;
1227{
1228 register struct sockaddr_in *sin;
1229
1230 sin = (struct sockaddr_in *) &ipforward_rt.ro_dst;
1231
1232 if (ipforward_rt.ro_rt == 0 || dst.s_addr != sin->sin_addr.s_addr) {
1233 if (ipforward_rt.ro_rt) {
1234 RTFREE(ipforward_rt.ro_rt);
1235 ipforward_rt.ro_rt = 0;
1236 }
1237 sin->sin_family = AF_INET;
1238 sin->sin_len = sizeof(*sin);
1239 sin->sin_addr = dst;
1240
1241 rtalloc_ign(&ipforward_rt, RTF_PRCLONING);
1242 }
1243 if (ipforward_rt.ro_rt == 0)
1244 return ((struct in_ifaddr *)0);
1245 return ((struct in_ifaddr *) ipforward_rt.ro_rt->rt_ifa);
1246}
1247
1248/*
1249 * Save incoming source route for use in replies,
1250 * to be picked up later by ip_srcroute if the receiver is interested.
1251 */
1252void
1253save_rte(option, dst)
1254 u_char *option;
1255 struct in_addr dst;
1256{
1257 unsigned olen;
1258
1259 olen = option[IPOPT_OLEN];
1260#ifdef DIAGNOSTIC
1261 if (ipprintfs)
1262 printf("save_rte: olen %d\n", olen);
1263#endif
1264 if (olen > sizeof(ip_srcrt) - (1 + sizeof(dst)))
1265 return;
1266 bcopy(option, ip_srcrt.srcopt, olen);
1267 ip_nhops = (olen - IPOPT_OFFSET - 1) / sizeof(struct in_addr);
1268 ip_srcrt.dst = dst;
1269}
1270
1271/*
1272 * Retrieve incoming source route for use in replies,
1273 * in the same form used by setsockopt.
1274 * The first hop is placed before the options, will be removed later.
1275 */
1276struct mbuf *
1277ip_srcroute()
1278{
1279 register struct in_addr *p, *q;
1280 register struct mbuf *m;
1281
1282 if (ip_nhops == 0)
1283 return ((struct mbuf *)0);
1284 m = m_get(M_DONTWAIT, MT_HEADER);
1285 if (m == 0)
1286 return ((struct mbuf *)0);
1287
1288#define OPTSIZ (sizeof(ip_srcrt.nop) + sizeof(ip_srcrt.srcopt))
1289
1290 /* length is (nhops+1)*sizeof(addr) + sizeof(nop + srcrt header) */
1291 m->m_len = ip_nhops * sizeof(struct in_addr) + sizeof(struct in_addr) +
1292 OPTSIZ;
1293#ifdef DIAGNOSTIC
1294 if (ipprintfs)
1295 printf("ip_srcroute: nhops %d mlen %d", ip_nhops, m->m_len);
1296#endif
1297
1298 /*
1299 * First save first hop for return route
1300 */
1301 p = &ip_srcrt.route[ip_nhops - 1];
1302 *(mtod(m, struct in_addr *)) = *p--;
1303#ifdef DIAGNOSTIC
1304 if (ipprintfs)
1305 printf(" hops %lx", (u_long)ntohl(mtod(m, struct in_addr *)->s_addr));
1306#endif
1307
1308 /*
1309 * Copy option fields and padding (nop) to mbuf.
1310 */
1311 ip_srcrt.nop = IPOPT_NOP;
1312 ip_srcrt.srcopt[IPOPT_OFFSET] = IPOPT_MINOFF;
1313 (void)memcpy(mtod(m, caddr_t) + sizeof(struct in_addr),
1314 &ip_srcrt.nop, OPTSIZ);
1315 q = (struct in_addr *)(mtod(m, caddr_t) +
1316 sizeof(struct in_addr) + OPTSIZ);
1317#undef OPTSIZ
1318 /*
1319 * Record return path as an IP source route,
1320 * reversing the path (pointers are now aligned).
1321 */
1322 while (p >= ip_srcrt.route) {
1323#ifdef DIAGNOSTIC
1324 if (ipprintfs)
1325 printf(" %lx", (u_long)ntohl(q->s_addr));
1326#endif
1327 *q++ = *p--;
1328 }
1329 /*
1330 * Last hop goes to final destination.
1331 */
1332 *q = ip_srcrt.dst;
1333#ifdef DIAGNOSTIC
1334 if (ipprintfs)
1335 printf(" %lx\n", (u_long)ntohl(q->s_addr));
1336#endif
1337 return (m);
1338}
1339
1340/*
1341 * Strip out IP options, at higher
1342 * level protocol in the kernel.
1343 * Second argument is buffer to which options
1344 * will be moved, and return value is their length.
1345 * XXX should be deleted; last arg currently ignored.
1346 */
1347void
1348ip_stripoptions(m, mopt)
1349 register struct mbuf *m;
1350 struct mbuf *mopt;
1351{
1352 register int i;
1353 struct ip *ip = mtod(m, struct ip *);
1354 register caddr_t opts;
1355 int olen;
1356
1357 olen = (IP_VHL_HL(ip->ip_vhl) << 2) - sizeof (struct ip);
1358 opts = (caddr_t)(ip + 1);
1359 i = m->m_len - (sizeof (struct ip) + olen);
1360 bcopy(opts + olen, opts, (unsigned)i);
1361 m->m_len -= olen;
1362 if (m->m_flags & M_PKTHDR)
1363 m->m_pkthdr.len -= olen;
1364 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2);
1365}
1366
1367u_char inetctlerrmap[PRC_NCMDS] = {
1368 0, 0, 0, 0,
1369 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH,
1370 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED,
1371 EMSGSIZE, EHOSTUNREACH, 0, 0,
1372 0, 0, 0, 0,
1373 ENOPROTOOPT
1374};
1375
1376/*
1377 * Forward a packet. If some error occurs return the sender
1378 * an icmp packet. Note we can't always generate a meaningful
1379 * icmp message because icmp doesn't have a large enough repertoire
1380 * of codes and types.
1381 *
1382 * If not forwarding, just drop the packet. This could be confusing
1383 * if ipforwarding was zero but some routing protocol was advancing
1384 * us as a gateway to somewhere. However, we must let the routing
1385 * protocol deal with that.
1386 *
1387 * The srcrt parameter indicates whether the packet is being forwarded
1388 * via a source route.
1389 */
1390static void
1391ip_forward(m, srcrt)
1392 struct mbuf *m;
1393 int srcrt;
1394{
1395 register struct ip *ip = mtod(m, struct ip *);
1396 register struct sockaddr_in *sin;
1397 register struct rtentry *rt;
1398 int error, type = 0, code = 0;
1399 struct mbuf *mcopy;
1400 n_long dest;
1401 struct ifnet *destifp;
964
965dropfrag:
966#ifdef IPDIVERT
967 *divinfo = 0;
968 *divcookie = 0;
969#endif
970 ipstat.ips_fragdropped++;
971 m_freem(m);
972 return (0);
973
974#undef GETIP
975}
976
977/*
978 * Free a fragment reassembly header and all
979 * associated datagrams.
980 */
981static void
982ip_freef(fp)
983 struct ipq *fp;
984{
985 register struct mbuf *q;
986
987 while (fp->ipq_frags) {
988 q = fp->ipq_frags;
989 fp->ipq_frags = q->m_nextpkt;
990 m_freem(q);
991 }
992 remque(fp);
993 (void) m_free(dtom(fp));
994 nipq--;
995}
996
997/*
998 * IP timer processing;
999 * if a timer expires on a reassembly
1000 * queue, discard it.
1001 */
1002void
1003ip_slowtimo()
1004{
1005 register struct ipq *fp;
1006 int s = splnet();
1007 int i;
1008
1009 for (i = 0; i < IPREASS_NHASH; i++) {
1010 fp = ipq[i].next;
1011 if (fp == 0)
1012 continue;
1013 while (fp != &ipq[i]) {
1014 --fp->ipq_ttl;
1015 fp = fp->next;
1016 if (fp->prev->ipq_ttl == 0) {
1017 ipstat.ips_fragtimeout++;
1018 ip_freef(fp->prev);
1019 }
1020 }
1021 }
1022 ipflow_slowtimo();
1023 splx(s);
1024}
1025
1026/*
1027 * Drain off all datagram fragments.
1028 */
1029void
1030ip_drain()
1031{
1032 int i;
1033
1034 for (i = 0; i < IPREASS_NHASH; i++) {
1035 while (ipq[i].next != &ipq[i]) {
1036 ipstat.ips_fragdropped++;
1037 ip_freef(ipq[i].next);
1038 }
1039 }
1040 in_rtqdrain();
1041}
1042
1043/*
1044 * Do option processing on a datagram,
1045 * possibly discarding it if bad options are encountered,
1046 * or forwarding it if source-routed.
1047 * Returns 1 if packet has been forwarded/freed,
1048 * 0 if the packet should be processed further.
1049 */
1050static int
1051ip_dooptions(m)
1052 struct mbuf *m;
1053{
1054 register struct ip *ip = mtod(m, struct ip *);
1055 register u_char *cp;
1056 register struct ip_timestamp *ipt;
1057 register struct in_ifaddr *ia;
1058 int opt, optlen, cnt, off, code, type = ICMP_PARAMPROB, forward = 0;
1059 struct in_addr *sin, dst;
1060 n_time ntime;
1061
1062 dst = ip->ip_dst;
1063 cp = (u_char *)(ip + 1);
1064 cnt = (IP_VHL_HL(ip->ip_vhl) << 2) - sizeof (struct ip);
1065 for (; cnt > 0; cnt -= optlen, cp += optlen) {
1066 opt = cp[IPOPT_OPTVAL];
1067 if (opt == IPOPT_EOL)
1068 break;
1069 if (opt == IPOPT_NOP)
1070 optlen = 1;
1071 else {
1072 optlen = cp[IPOPT_OLEN];
1073 if (optlen <= 0 || optlen > cnt) {
1074 code = &cp[IPOPT_OLEN] - (u_char *)ip;
1075 goto bad;
1076 }
1077 }
1078 switch (opt) {
1079
1080 default:
1081 break;
1082
1083 /*
1084 * Source routing with record.
1085 * Find interface with current destination address.
1086 * If none on this machine then drop if strictly routed,
1087 * or do nothing if loosely routed.
1088 * Record interface address and bring up next address
1089 * component. If strictly routed make sure next
1090 * address is on directly accessible net.
1091 */
1092 case IPOPT_LSRR:
1093 case IPOPT_SSRR:
1094 if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
1095 code = &cp[IPOPT_OFFSET] - (u_char *)ip;
1096 goto bad;
1097 }
1098 ipaddr.sin_addr = ip->ip_dst;
1099 ia = (struct in_ifaddr *)
1100 ifa_ifwithaddr((struct sockaddr *)&ipaddr);
1101 if (ia == 0) {
1102 if (opt == IPOPT_SSRR) {
1103 type = ICMP_UNREACH;
1104 code = ICMP_UNREACH_SRCFAIL;
1105 goto bad;
1106 }
1107 if (!ip_dosourceroute)
1108 goto nosourcerouting;
1109 /*
1110 * Loose routing, and not at next destination
1111 * yet; nothing to do except forward.
1112 */
1113 break;
1114 }
1115 off--; /* 0 origin */
1116 if (off > optlen - sizeof(struct in_addr)) {
1117 /*
1118 * End of source route. Should be for us.
1119 */
1120 if (!ip_acceptsourceroute)
1121 goto nosourcerouting;
1122 save_rte(cp, ip->ip_src);
1123 break;
1124 }
1125
1126 if (!ip_dosourceroute) {
1127 if (ipforwarding) {
1128 char buf[16]; /* aaa.bbb.ccc.ddd\0 */
1129 /*
1130 * Acting as a router, so generate ICMP
1131 */
1132nosourcerouting:
1133 strcpy(buf, inet_ntoa(ip->ip_dst));
1134 log(LOG_WARNING,
1135 "attempted source route from %s to %s\n",
1136 inet_ntoa(ip->ip_src), buf);
1137 type = ICMP_UNREACH;
1138 code = ICMP_UNREACH_SRCFAIL;
1139 goto bad;
1140 } else {
1141 /*
1142 * Not acting as a router, so silently drop.
1143 */
1144 ipstat.ips_cantforward++;
1145 m_freem(m);
1146 return (1);
1147 }
1148 }
1149
1150 /*
1151 * locate outgoing interface
1152 */
1153 (void)memcpy(&ipaddr.sin_addr, cp + off,
1154 sizeof(ipaddr.sin_addr));
1155
1156 if (opt == IPOPT_SSRR) {
1157#define INA struct in_ifaddr *
1158#define SA struct sockaddr *
1159 if ((ia = (INA)ifa_ifwithdstaddr((SA)&ipaddr)) == 0)
1160 ia = (INA)ifa_ifwithnet((SA)&ipaddr);
1161 } else
1162 ia = ip_rtaddr(ipaddr.sin_addr);
1163 if (ia == 0) {
1164 type = ICMP_UNREACH;
1165 code = ICMP_UNREACH_SRCFAIL;
1166 goto bad;
1167 }
1168 ip->ip_dst = ipaddr.sin_addr;
1169 (void)memcpy(cp + off, &(IA_SIN(ia)->sin_addr),
1170 sizeof(struct in_addr));
1171 cp[IPOPT_OFFSET] += sizeof(struct in_addr);
1172 /*
1173 * Let ip_intr's mcast routing check handle mcast pkts
1174 */
1175 forward = !IN_MULTICAST(ntohl(ip->ip_dst.s_addr));
1176 break;
1177
1178 case IPOPT_RR:
1179 if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
1180 code = &cp[IPOPT_OFFSET] - (u_char *)ip;
1181 goto bad;
1182 }
1183 /*
1184 * If no space remains, ignore.
1185 */
1186 off--; /* 0 origin */
1187 if (off > optlen - sizeof(struct in_addr))
1188 break;
1189 (void)memcpy(&ipaddr.sin_addr, &ip->ip_dst,
1190 sizeof(ipaddr.sin_addr));
1191 /*
1192 * locate outgoing interface; if we're the destination,
1193 * use the incoming interface (should be same).
1194 */
1195 if ((ia = (INA)ifa_ifwithaddr((SA)&ipaddr)) == 0 &&
1196 (ia = ip_rtaddr(ipaddr.sin_addr)) == 0) {
1197 type = ICMP_UNREACH;
1198 code = ICMP_UNREACH_HOST;
1199 goto bad;
1200 }
1201 (void)memcpy(cp + off, &(IA_SIN(ia)->sin_addr),
1202 sizeof(struct in_addr));
1203 cp[IPOPT_OFFSET] += sizeof(struct in_addr);
1204 break;
1205
1206 case IPOPT_TS:
1207 code = cp - (u_char *)ip;
1208 ipt = (struct ip_timestamp *)cp;
1209 if (ipt->ipt_len < 5)
1210 goto bad;
1211 if (ipt->ipt_ptr > ipt->ipt_len - sizeof(int32_t)) {
1212 if (++ipt->ipt_oflw == 0)
1213 goto bad;
1214 break;
1215 }
1216 sin = (struct in_addr *)(cp + ipt->ipt_ptr - 1);
1217 switch (ipt->ipt_flg) {
1218
1219 case IPOPT_TS_TSONLY:
1220 break;
1221
1222 case IPOPT_TS_TSANDADDR:
1223 if (ipt->ipt_ptr - 1 + sizeof(n_time) +
1224 sizeof(struct in_addr) > ipt->ipt_len)
1225 goto bad;
1226 ipaddr.sin_addr = dst;
1227 ia = (INA)ifaof_ifpforaddr((SA)&ipaddr,
1228 m->m_pkthdr.rcvif);
1229 if (ia == 0)
1230 continue;
1231 (void)memcpy(sin, &IA_SIN(ia)->sin_addr,
1232 sizeof(struct in_addr));
1233 ipt->ipt_ptr += sizeof(struct in_addr);
1234 break;
1235
1236 case IPOPT_TS_PRESPEC:
1237 if (ipt->ipt_ptr - 1 + sizeof(n_time) +
1238 sizeof(struct in_addr) > ipt->ipt_len)
1239 goto bad;
1240 (void)memcpy(&ipaddr.sin_addr, sin,
1241 sizeof(struct in_addr));
1242 if (ifa_ifwithaddr((SA)&ipaddr) == 0)
1243 continue;
1244 ipt->ipt_ptr += sizeof(struct in_addr);
1245 break;
1246
1247 default:
1248 goto bad;
1249 }
1250 ntime = iptime();
1251 (void)memcpy(cp + ipt->ipt_ptr - 1, &ntime,
1252 sizeof(n_time));
1253 ipt->ipt_ptr += sizeof(n_time);
1254 }
1255 }
1256 if (forward && ipforwarding) {
1257 ip_forward(m, 1);
1258 return (1);
1259 }
1260 return (0);
1261bad:
1262 ip->ip_len -= IP_VHL_HL(ip->ip_vhl) << 2; /* XXX icmp_error adds in hdr length */
1263 icmp_error(m, type, code, 0, 0);
1264 ipstat.ips_badoptions++;
1265 return (1);
1266}
1267
1268/*
1269 * Given address of next destination (final or next hop),
1270 * return internet address info of interface to be used to get there.
1271 */
1272static struct in_ifaddr *
1273ip_rtaddr(dst)
1274 struct in_addr dst;
1275{
1276 register struct sockaddr_in *sin;
1277
1278 sin = (struct sockaddr_in *) &ipforward_rt.ro_dst;
1279
1280 if (ipforward_rt.ro_rt == 0 || dst.s_addr != sin->sin_addr.s_addr) {
1281 if (ipforward_rt.ro_rt) {
1282 RTFREE(ipforward_rt.ro_rt);
1283 ipforward_rt.ro_rt = 0;
1284 }
1285 sin->sin_family = AF_INET;
1286 sin->sin_len = sizeof(*sin);
1287 sin->sin_addr = dst;
1288
1289 rtalloc_ign(&ipforward_rt, RTF_PRCLONING);
1290 }
1291 if (ipforward_rt.ro_rt == 0)
1292 return ((struct in_ifaddr *)0);
1293 return ((struct in_ifaddr *) ipforward_rt.ro_rt->rt_ifa);
1294}
1295
1296/*
1297 * Save incoming source route for use in replies,
1298 * to be picked up later by ip_srcroute if the receiver is interested.
1299 */
1300void
1301save_rte(option, dst)
1302 u_char *option;
1303 struct in_addr dst;
1304{
1305 unsigned olen;
1306
1307 olen = option[IPOPT_OLEN];
1308#ifdef DIAGNOSTIC
1309 if (ipprintfs)
1310 printf("save_rte: olen %d\n", olen);
1311#endif
1312 if (olen > sizeof(ip_srcrt) - (1 + sizeof(dst)))
1313 return;
1314 bcopy(option, ip_srcrt.srcopt, olen);
1315 ip_nhops = (olen - IPOPT_OFFSET - 1) / sizeof(struct in_addr);
1316 ip_srcrt.dst = dst;
1317}
1318
1319/*
1320 * Retrieve incoming source route for use in replies,
1321 * in the same form used by setsockopt.
1322 * The first hop is placed before the options, will be removed later.
1323 */
1324struct mbuf *
1325ip_srcroute()
1326{
1327 register struct in_addr *p, *q;
1328 register struct mbuf *m;
1329
1330 if (ip_nhops == 0)
1331 return ((struct mbuf *)0);
1332 m = m_get(M_DONTWAIT, MT_HEADER);
1333 if (m == 0)
1334 return ((struct mbuf *)0);
1335
1336#define OPTSIZ (sizeof(ip_srcrt.nop) + sizeof(ip_srcrt.srcopt))
1337
1338 /* length is (nhops+1)*sizeof(addr) + sizeof(nop + srcrt header) */
1339 m->m_len = ip_nhops * sizeof(struct in_addr) + sizeof(struct in_addr) +
1340 OPTSIZ;
1341#ifdef DIAGNOSTIC
1342 if (ipprintfs)
1343 printf("ip_srcroute: nhops %d mlen %d", ip_nhops, m->m_len);
1344#endif
1345
1346 /*
1347 * First save first hop for return route
1348 */
1349 p = &ip_srcrt.route[ip_nhops - 1];
1350 *(mtod(m, struct in_addr *)) = *p--;
1351#ifdef DIAGNOSTIC
1352 if (ipprintfs)
1353 printf(" hops %lx", (u_long)ntohl(mtod(m, struct in_addr *)->s_addr));
1354#endif
1355
1356 /*
1357 * Copy option fields and padding (nop) to mbuf.
1358 */
1359 ip_srcrt.nop = IPOPT_NOP;
1360 ip_srcrt.srcopt[IPOPT_OFFSET] = IPOPT_MINOFF;
1361 (void)memcpy(mtod(m, caddr_t) + sizeof(struct in_addr),
1362 &ip_srcrt.nop, OPTSIZ);
1363 q = (struct in_addr *)(mtod(m, caddr_t) +
1364 sizeof(struct in_addr) + OPTSIZ);
1365#undef OPTSIZ
1366 /*
1367 * Record return path as an IP source route,
1368 * reversing the path (pointers are now aligned).
1369 */
1370 while (p >= ip_srcrt.route) {
1371#ifdef DIAGNOSTIC
1372 if (ipprintfs)
1373 printf(" %lx", (u_long)ntohl(q->s_addr));
1374#endif
1375 *q++ = *p--;
1376 }
1377 /*
1378 * Last hop goes to final destination.
1379 */
1380 *q = ip_srcrt.dst;
1381#ifdef DIAGNOSTIC
1382 if (ipprintfs)
1383 printf(" %lx\n", (u_long)ntohl(q->s_addr));
1384#endif
1385 return (m);
1386}
1387
1388/*
1389 * Strip out IP options, at higher
1390 * level protocol in the kernel.
1391 * Second argument is buffer to which options
1392 * will be moved, and return value is their length.
1393 * XXX should be deleted; last arg currently ignored.
1394 */
1395void
1396ip_stripoptions(m, mopt)
1397 register struct mbuf *m;
1398 struct mbuf *mopt;
1399{
1400 register int i;
1401 struct ip *ip = mtod(m, struct ip *);
1402 register caddr_t opts;
1403 int olen;
1404
1405 olen = (IP_VHL_HL(ip->ip_vhl) << 2) - sizeof (struct ip);
1406 opts = (caddr_t)(ip + 1);
1407 i = m->m_len - (sizeof (struct ip) + olen);
1408 bcopy(opts + olen, opts, (unsigned)i);
1409 m->m_len -= olen;
1410 if (m->m_flags & M_PKTHDR)
1411 m->m_pkthdr.len -= olen;
1412 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2);
1413}
1414
1415u_char inetctlerrmap[PRC_NCMDS] = {
1416 0, 0, 0, 0,
1417 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH,
1418 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED,
1419 EMSGSIZE, EHOSTUNREACH, 0, 0,
1420 0, 0, 0, 0,
1421 ENOPROTOOPT
1422};
1423
1424/*
1425 * Forward a packet. If some error occurs return the sender
1426 * an icmp packet. Note we can't always generate a meaningful
1427 * icmp message because icmp doesn't have a large enough repertoire
1428 * of codes and types.
1429 *
1430 * If not forwarding, just drop the packet. This could be confusing
1431 * if ipforwarding was zero but some routing protocol was advancing
1432 * us as a gateway to somewhere. However, we must let the routing
1433 * protocol deal with that.
1434 *
1435 * The srcrt parameter indicates whether the packet is being forwarded
1436 * via a source route.
1437 */
1438static void
1439ip_forward(m, srcrt)
1440 struct mbuf *m;
1441 int srcrt;
1442{
1443 register struct ip *ip = mtod(m, struct ip *);
1444 register struct sockaddr_in *sin;
1445 register struct rtentry *rt;
1446 int error, type = 0, code = 0;
1447 struct mbuf *mcopy;
1448 n_long dest;
1449 struct ifnet *destifp;
1450#ifdef IPSEC
1451 struct ifnet dummyifp;
1452#endif
1402
1403 dest = 0;
1404#ifdef DIAGNOSTIC
1405 if (ipprintfs)
1406 printf("forward: src %lx dst %lx ttl %x\n",
1407 (u_long)ip->ip_src.s_addr, (u_long)ip->ip_dst.s_addr,
1408 ip->ip_ttl);
1409#endif
1410
1411
1412 if (m->m_flags & (M_BCAST|M_MCAST) || in_canforward(ip->ip_dst) == 0) {
1413 ipstat.ips_cantforward++;
1414 m_freem(m);
1415 return;
1416 }
1417 HTONS(ip->ip_id);
1418#ifdef IPSTEALTH
1419 if (!ipstealth) {
1420#endif
1421 if (ip->ip_ttl <= IPTTLDEC) {
1422 icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS,
1423 dest, 0);
1424 return;
1425 }
1426 ip->ip_ttl -= IPTTLDEC;
1427#ifdef IPSTEALTH
1428 }
1429#endif
1430
1431 sin = (struct sockaddr_in *)&ipforward_rt.ro_dst;
1432 if ((rt = ipforward_rt.ro_rt) == 0 ||
1433 ip->ip_dst.s_addr != sin->sin_addr.s_addr) {
1434 if (ipforward_rt.ro_rt) {
1435 RTFREE(ipforward_rt.ro_rt);
1436 ipforward_rt.ro_rt = 0;
1437 }
1438 sin->sin_family = AF_INET;
1439 sin->sin_len = sizeof(*sin);
1440 sin->sin_addr = ip->ip_dst;
1441
1442 rtalloc_ign(&ipforward_rt, RTF_PRCLONING);
1443 if (ipforward_rt.ro_rt == 0) {
1444 icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, dest, 0);
1445 return;
1446 }
1447 rt = ipforward_rt.ro_rt;
1448 }
1449
1450 /*
1451 * Save at most 64 bytes of the packet in case
1452 * we need to generate an ICMP message to the src.
1453 */
1454 mcopy = m_copy(m, 0, imin((int)ip->ip_len, 64));
1455
1456 /*
1457 * If forwarding packet using same interface that it came in on,
1458 * perhaps should send a redirect to sender to shortcut a hop.
1459 * Only send redirect if source is sending directly to us,
1460 * and if packet was not source routed (or has any options).
1461 * Also, don't send redirect if forwarding using a default route
1462 * or a route modified by a redirect.
1463 */
1464#define satosin(sa) ((struct sockaddr_in *)(sa))
1465 if (rt->rt_ifp == m->m_pkthdr.rcvif &&
1466 (rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0 &&
1467 satosin(rt_key(rt))->sin_addr.s_addr != 0 &&
1468 ipsendredirects && !srcrt) {
1469#define RTA(rt) ((struct in_ifaddr *)(rt->rt_ifa))
1470 u_long src = ntohl(ip->ip_src.s_addr);
1471
1472 if (RTA(rt) &&
1473 (src & RTA(rt)->ia_subnetmask) == RTA(rt)->ia_subnet) {
1474 if (rt->rt_flags & RTF_GATEWAY)
1475 dest = satosin(rt->rt_gateway)->sin_addr.s_addr;
1476 else
1477 dest = ip->ip_dst.s_addr;
1478 /* Router requirements says to only send host redirects */
1479 type = ICMP_REDIRECT;
1480 code = ICMP_REDIRECT_HOST;
1481#ifdef DIAGNOSTIC
1482 if (ipprintfs)
1483 printf("redirect (%d) to %lx\n", code, (u_long)dest);
1484#endif
1485 }
1486 }
1487
1488 error = ip_output(m, (struct mbuf *)0, &ipforward_rt,
1489 IP_FORWARDING, 0);
1490 if (error)
1491 ipstat.ips_cantforward++;
1492 else {
1493 ipstat.ips_forward++;
1494 if (type)
1495 ipstat.ips_redirectsent++;
1496 else {
1497 if (mcopy) {
1498 ipflow_create(&ipforward_rt, mcopy);
1499 m_freem(mcopy);
1500 }
1501 return;
1502 }
1503 }
1504 if (mcopy == NULL)
1505 return;
1506 destifp = NULL;
1507
1508 switch (error) {
1509
1510 case 0: /* forwarded, but need redirect */
1511 /* type, code set above */
1512 break;
1513
1514 case ENETUNREACH: /* shouldn't happen, checked above */
1515 case EHOSTUNREACH:
1516 case ENETDOWN:
1517 case EHOSTDOWN:
1518 default:
1519 type = ICMP_UNREACH;
1520 code = ICMP_UNREACH_HOST;
1521 break;
1522
1523 case EMSGSIZE:
1524 type = ICMP_UNREACH;
1525 code = ICMP_UNREACH_NEEDFRAG;
1453
1454 dest = 0;
1455#ifdef DIAGNOSTIC
1456 if (ipprintfs)
1457 printf("forward: src %lx dst %lx ttl %x\n",
1458 (u_long)ip->ip_src.s_addr, (u_long)ip->ip_dst.s_addr,
1459 ip->ip_ttl);
1460#endif
1461
1462
1463 if (m->m_flags & (M_BCAST|M_MCAST) || in_canforward(ip->ip_dst) == 0) {
1464 ipstat.ips_cantforward++;
1465 m_freem(m);
1466 return;
1467 }
1468 HTONS(ip->ip_id);
1469#ifdef IPSTEALTH
1470 if (!ipstealth) {
1471#endif
1472 if (ip->ip_ttl <= IPTTLDEC) {
1473 icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS,
1474 dest, 0);
1475 return;
1476 }
1477 ip->ip_ttl -= IPTTLDEC;
1478#ifdef IPSTEALTH
1479 }
1480#endif
1481
1482 sin = (struct sockaddr_in *)&ipforward_rt.ro_dst;
1483 if ((rt = ipforward_rt.ro_rt) == 0 ||
1484 ip->ip_dst.s_addr != sin->sin_addr.s_addr) {
1485 if (ipforward_rt.ro_rt) {
1486 RTFREE(ipforward_rt.ro_rt);
1487 ipforward_rt.ro_rt = 0;
1488 }
1489 sin->sin_family = AF_INET;
1490 sin->sin_len = sizeof(*sin);
1491 sin->sin_addr = ip->ip_dst;
1492
1493 rtalloc_ign(&ipforward_rt, RTF_PRCLONING);
1494 if (ipforward_rt.ro_rt == 0) {
1495 icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, dest, 0);
1496 return;
1497 }
1498 rt = ipforward_rt.ro_rt;
1499 }
1500
1501 /*
1502 * Save at most 64 bytes of the packet in case
1503 * we need to generate an ICMP message to the src.
1504 */
1505 mcopy = m_copy(m, 0, imin((int)ip->ip_len, 64));
1506
1507 /*
1508 * If forwarding packet using same interface that it came in on,
1509 * perhaps should send a redirect to sender to shortcut a hop.
1510 * Only send redirect if source is sending directly to us,
1511 * and if packet was not source routed (or has any options).
1512 * Also, don't send redirect if forwarding using a default route
1513 * or a route modified by a redirect.
1514 */
1515#define satosin(sa) ((struct sockaddr_in *)(sa))
1516 if (rt->rt_ifp == m->m_pkthdr.rcvif &&
1517 (rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0 &&
1518 satosin(rt_key(rt))->sin_addr.s_addr != 0 &&
1519 ipsendredirects && !srcrt) {
1520#define RTA(rt) ((struct in_ifaddr *)(rt->rt_ifa))
1521 u_long src = ntohl(ip->ip_src.s_addr);
1522
1523 if (RTA(rt) &&
1524 (src & RTA(rt)->ia_subnetmask) == RTA(rt)->ia_subnet) {
1525 if (rt->rt_flags & RTF_GATEWAY)
1526 dest = satosin(rt->rt_gateway)->sin_addr.s_addr;
1527 else
1528 dest = ip->ip_dst.s_addr;
1529 /* Router requirements says to only send host redirects */
1530 type = ICMP_REDIRECT;
1531 code = ICMP_REDIRECT_HOST;
1532#ifdef DIAGNOSTIC
1533 if (ipprintfs)
1534 printf("redirect (%d) to %lx\n", code, (u_long)dest);
1535#endif
1536 }
1537 }
1538
1539 error = ip_output(m, (struct mbuf *)0, &ipforward_rt,
1540 IP_FORWARDING, 0);
1541 if (error)
1542 ipstat.ips_cantforward++;
1543 else {
1544 ipstat.ips_forward++;
1545 if (type)
1546 ipstat.ips_redirectsent++;
1547 else {
1548 if (mcopy) {
1549 ipflow_create(&ipforward_rt, mcopy);
1550 m_freem(mcopy);
1551 }
1552 return;
1553 }
1554 }
1555 if (mcopy == NULL)
1556 return;
1557 destifp = NULL;
1558
1559 switch (error) {
1560
1561 case 0: /* forwarded, but need redirect */
1562 /* type, code set above */
1563 break;
1564
1565 case ENETUNREACH: /* shouldn't happen, checked above */
1566 case EHOSTUNREACH:
1567 case ENETDOWN:
1568 case EHOSTDOWN:
1569 default:
1570 type = ICMP_UNREACH;
1571 code = ICMP_UNREACH_HOST;
1572 break;
1573
1574 case EMSGSIZE:
1575 type = ICMP_UNREACH;
1576 code = ICMP_UNREACH_NEEDFRAG;
1577#ifndef IPSEC
1526 if (ipforward_rt.ro_rt)
1527 destifp = ipforward_rt.ro_rt->rt_ifp;
1578 if (ipforward_rt.ro_rt)
1579 destifp = ipforward_rt.ro_rt->rt_ifp;
1580#else
1581 /*
1582 * If the packet is routed over IPsec tunnel, tell the
1583 * originator the tunnel MTU.
1584 * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
1585 * XXX quickhack!!!
1586 */
1587 if (ipforward_rt.ro_rt) {
1588 struct secpolicy *sp = NULL;
1589 int ipsecerror;
1590 int ipsechdr;
1591 struct route *ro;
1592
1593 sp = ipsec4_getpolicybyaddr(mcopy,
1594 IPSEC_DIR_OUTBOUND,
1595 IP_FORWARDING,
1596 &ipsecerror);
1597
1598 if (sp == NULL)
1599 destifp = ipforward_rt.ro_rt->rt_ifp;
1600 else {
1601 /* count IPsec header size */
1602 ipsechdr = ipsec4_hdrsiz(mcopy,
1603 IPSEC_DIR_OUTBOUND,
1604 NULL);
1605
1606 /*
1607 * find the correct route for outer IPv4
1608 * header, compute tunnel MTU.
1609 *
1610 * XXX BUG ALERT
1611 * The "dummyifp" code relies upon the fact
1612 * that icmp_error() touches only ifp->if_mtu.
1613 */
1614 /*XXX*/
1615 destifp = NULL;
1616 if (sp->req != NULL
1617 && sp->req->sav != NULL
1618 && sp->req->sav->sah != NULL) {
1619 ro = &sp->req->sav->sah->sa_route;
1620 if (ro->ro_rt && ro->ro_rt->rt_ifp) {
1621 dummyifp.if_mtu =
1622 ro->ro_rt->rt_ifp->if_mtu;
1623 dummyifp.if_mtu -= ipsechdr;
1624 destifp = &dummyifp;
1625 }
1626 }
1627
1628 key_freesp(sp);
1629 }
1630 }
1631#endif /*IPSEC*/
1528 ipstat.ips_cantfrag++;
1529 break;
1530
1531 case ENOBUFS:
1532 type = ICMP_SOURCEQUENCH;
1533 code = 0;
1534 break;
1535 }
1536 icmp_error(mcopy, type, code, dest, destifp);
1537}
1538
1539void
1540ip_savecontrol(inp, mp, ip, m)
1541 register struct inpcb *inp;
1542 register struct mbuf **mp;
1543 register struct ip *ip;
1544 register struct mbuf *m;
1545{
1546 if (inp->inp_socket->so_options & SO_TIMESTAMP) {
1547 struct timeval tv;
1548
1549 microtime(&tv);
1550 *mp = sbcreatecontrol((caddr_t) &tv, sizeof(tv),
1551 SCM_TIMESTAMP, SOL_SOCKET);
1552 if (*mp)
1553 mp = &(*mp)->m_next;
1554 }
1555 if (inp->inp_flags & INP_RECVDSTADDR) {
1556 *mp = sbcreatecontrol((caddr_t) &ip->ip_dst,
1557 sizeof(struct in_addr), IP_RECVDSTADDR, IPPROTO_IP);
1558 if (*mp)
1559 mp = &(*mp)->m_next;
1560 }
1561#ifdef notyet
1562 /* XXX
1563 * Moving these out of udp_input() made them even more broken
1564 * than they already were.
1565 */
1566 /* options were tossed already */
1567 if (inp->inp_flags & INP_RECVOPTS) {
1568 *mp = sbcreatecontrol((caddr_t) opts_deleted_above,
1569 sizeof(struct in_addr), IP_RECVOPTS, IPPROTO_IP);
1570 if (*mp)
1571 mp = &(*mp)->m_next;
1572 }
1573 /* ip_srcroute doesn't do what we want here, need to fix */
1574 if (inp->inp_flags & INP_RECVRETOPTS) {
1575 *mp = sbcreatecontrol((caddr_t) ip_srcroute(),
1576 sizeof(struct in_addr), IP_RECVRETOPTS, IPPROTO_IP);
1577 if (*mp)
1578 mp = &(*mp)->m_next;
1579 }
1580#endif
1581 if (inp->inp_flags & INP_RECVIF) {
1582 struct ifnet *ifp;
1583 struct sdlbuf {
1584 struct sockaddr_dl sdl;
1585 u_char pad[32];
1586 } sdlbuf;
1587 struct sockaddr_dl *sdp;
1588 struct sockaddr_dl *sdl2 = &sdlbuf.sdl;
1589
1590 if (((ifp = m->m_pkthdr.rcvif))
1591 && ( ifp->if_index && (ifp->if_index <= if_index))) {
1592 sdp = (struct sockaddr_dl *)(ifnet_addrs
1593 [ifp->if_index - 1]->ifa_addr);
1594 /*
1595 * Change our mind and don't try copy.
1596 */
1597 if ((sdp->sdl_family != AF_LINK)
1598 || (sdp->sdl_len > sizeof(sdlbuf))) {
1599 goto makedummy;
1600 }
1601 bcopy(sdp, sdl2, sdp->sdl_len);
1602 } else {
1603makedummy:
1604 sdl2->sdl_len
1605 = offsetof(struct sockaddr_dl, sdl_data[0]);
1606 sdl2->sdl_family = AF_LINK;
1607 sdl2->sdl_index = 0;
1608 sdl2->sdl_nlen = sdl2->sdl_alen = sdl2->sdl_slen = 0;
1609 }
1610 *mp = sbcreatecontrol((caddr_t) sdl2, sdl2->sdl_len,
1611 IP_RECVIF, IPPROTO_IP);
1612 if (*mp)
1613 mp = &(*mp)->m_next;
1614 }
1615}
1616
1617int
1618ip_rsvp_init(struct socket *so)
1619{
1620 if (so->so_type != SOCK_RAW ||
1621 so->so_proto->pr_protocol != IPPROTO_RSVP)
1622 return EOPNOTSUPP;
1623
1624 if (ip_rsvpd != NULL)
1625 return EADDRINUSE;
1626
1627 ip_rsvpd = so;
1628 /*
1629 * This may seem silly, but we need to be sure we don't over-increment
1630 * the RSVP counter, in case something slips up.
1631 */
1632 if (!ip_rsvp_on) {
1633 ip_rsvp_on = 1;
1634 rsvp_on++;
1635 }
1636
1637 return 0;
1638}
1639
1640int
1641ip_rsvp_done(void)
1642{
1643 ip_rsvpd = NULL;
1644 /*
1645 * This may seem silly, but we need to be sure we don't over-decrement
1646 * the RSVP counter, in case something slips up.
1647 */
1648 if (ip_rsvp_on) {
1649 ip_rsvp_on = 0;
1650 rsvp_on--;
1651 }
1652 return 0;
1653}
1632 ipstat.ips_cantfrag++;
1633 break;
1634
1635 case ENOBUFS:
1636 type = ICMP_SOURCEQUENCH;
1637 code = 0;
1638 break;
1639 }
1640 icmp_error(mcopy, type, code, dest, destifp);
1641}
1642
1643void
1644ip_savecontrol(inp, mp, ip, m)
1645 register struct inpcb *inp;
1646 register struct mbuf **mp;
1647 register struct ip *ip;
1648 register struct mbuf *m;
1649{
1650 if (inp->inp_socket->so_options & SO_TIMESTAMP) {
1651 struct timeval tv;
1652
1653 microtime(&tv);
1654 *mp = sbcreatecontrol((caddr_t) &tv, sizeof(tv),
1655 SCM_TIMESTAMP, SOL_SOCKET);
1656 if (*mp)
1657 mp = &(*mp)->m_next;
1658 }
1659 if (inp->inp_flags & INP_RECVDSTADDR) {
1660 *mp = sbcreatecontrol((caddr_t) &ip->ip_dst,
1661 sizeof(struct in_addr), IP_RECVDSTADDR, IPPROTO_IP);
1662 if (*mp)
1663 mp = &(*mp)->m_next;
1664 }
1665#ifdef notyet
1666 /* XXX
1667 * Moving these out of udp_input() made them even more broken
1668 * than they already were.
1669 */
1670 /* options were tossed already */
1671 if (inp->inp_flags & INP_RECVOPTS) {
1672 *mp = sbcreatecontrol((caddr_t) opts_deleted_above,
1673 sizeof(struct in_addr), IP_RECVOPTS, IPPROTO_IP);
1674 if (*mp)
1675 mp = &(*mp)->m_next;
1676 }
1677 /* ip_srcroute doesn't do what we want here, need to fix */
1678 if (inp->inp_flags & INP_RECVRETOPTS) {
1679 *mp = sbcreatecontrol((caddr_t) ip_srcroute(),
1680 sizeof(struct in_addr), IP_RECVRETOPTS, IPPROTO_IP);
1681 if (*mp)
1682 mp = &(*mp)->m_next;
1683 }
1684#endif
1685 if (inp->inp_flags & INP_RECVIF) {
1686 struct ifnet *ifp;
1687 struct sdlbuf {
1688 struct sockaddr_dl sdl;
1689 u_char pad[32];
1690 } sdlbuf;
1691 struct sockaddr_dl *sdp;
1692 struct sockaddr_dl *sdl2 = &sdlbuf.sdl;
1693
1694 if (((ifp = m->m_pkthdr.rcvif))
1695 && ( ifp->if_index && (ifp->if_index <= if_index))) {
1696 sdp = (struct sockaddr_dl *)(ifnet_addrs
1697 [ifp->if_index - 1]->ifa_addr);
1698 /*
1699 * Change our mind and don't try copy.
1700 */
1701 if ((sdp->sdl_family != AF_LINK)
1702 || (sdp->sdl_len > sizeof(sdlbuf))) {
1703 goto makedummy;
1704 }
1705 bcopy(sdp, sdl2, sdp->sdl_len);
1706 } else {
1707makedummy:
1708 sdl2->sdl_len
1709 = offsetof(struct sockaddr_dl, sdl_data[0]);
1710 sdl2->sdl_family = AF_LINK;
1711 sdl2->sdl_index = 0;
1712 sdl2->sdl_nlen = sdl2->sdl_alen = sdl2->sdl_slen = 0;
1713 }
1714 *mp = sbcreatecontrol((caddr_t) sdl2, sdl2->sdl_len,
1715 IP_RECVIF, IPPROTO_IP);
1716 if (*mp)
1717 mp = &(*mp)->m_next;
1718 }
1719}
1720
1721int
1722ip_rsvp_init(struct socket *so)
1723{
1724 if (so->so_type != SOCK_RAW ||
1725 so->so_proto->pr_protocol != IPPROTO_RSVP)
1726 return EOPNOTSUPP;
1727
1728 if (ip_rsvpd != NULL)
1729 return EADDRINUSE;
1730
1731 ip_rsvpd = so;
1732 /*
1733 * This may seem silly, but we need to be sure we don't over-increment
1734 * the RSVP counter, in case something slips up.
1735 */
1736 if (!ip_rsvp_on) {
1737 ip_rsvp_on = 1;
1738 rsvp_on++;
1739 }
1740
1741 return 0;
1742}
1743
1744int
1745ip_rsvp_done(void)
1746{
1747 ip_rsvpd = NULL;
1748 /*
1749 * This may seem silly, but we need to be sure we don't over-decrement
1750 * the RSVP counter, in case something slips up.
1751 */
1752 if (ip_rsvp_on) {
1753 ip_rsvp_on = 0;
1754 rsvp_on--;
1755 }
1756 return 0;
1757}