ip_fastfwd.c revision 128872
1139823Simp/* 21541Srgrimes * Copyright (c) 2003 Andre Oppermann, Internet Business Solutions AG 31541Srgrimes * All rights reserved. 41541Srgrimes * 51541Srgrimes * Redistribution and use in source and binary forms, with or without 61541Srgrimes * modification, are permitted provided that the following conditions 71541Srgrimes * are met: 81541Srgrimes * 1. Redistributions of source code must retain the above copyright 91541Srgrimes * notice, this list of conditions and the following disclaimer. 101541Srgrimes * 2. Redistributions in binary form must reproduce the above copyright 111541Srgrimes * notice, this list of conditions and the following disclaimer in the 121541Srgrimes * documentation and/or other materials provided with the distribution. 131541Srgrimes * 3. The name of the author may not be used to endorse or promote 141541Srgrimes * products derived from this software without specific prior written 151541Srgrimes * permission. 161541Srgrimes * 171541Srgrimes * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 181541Srgrimes * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 191541Srgrimes * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 201541Srgrimes * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 211541Srgrimes * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 221541Srgrimes * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 231541Srgrimes * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 241541Srgrimes * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 251541Srgrimes * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 261541Srgrimes * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 271541Srgrimes * SUCH DAMAGE. 281541Srgrimes * 2985051Sru * $FreeBSD: head/sys/netinet/ip_fastfwd.c 128872 2004-05-03 13:52:47Z andre $ 3050477Speter */ 311541Srgrimes 321541Srgrimes/* 331541Srgrimes * ip_fastforward gets its speed from processing the forwarded packet to 341541Srgrimes * completion (if_output on the other side) without any queues or netisr's. 351541Srgrimes * The receiving interface DMAs the packet into memory, the upper half of 361541Srgrimes * driver calls ip_fastforward, we do our routing table lookup and directly 3732356Seivind * send it off to the outgoing interface which DMAs the packet to the 3832350Seivind * network card. The only part of the packet we touch with the CPU is the 3954263Sshin * IP header (unless there are complex firewall rules touching other parts 4031742Seivind * of the packet, but that is up to you). We are essentially limited by bus 4131742Seivind * bandwidth and how fast the network card/driver can set up receives and 421541Srgrimes * transmits. 431541Srgrimes * 441541Srgrimes * We handle basic errors, ip header errors, checksum errors, 451541Srgrimes * destination unreachable, fragmentation and fragmentation needed and 4671862Speter * report them via icmp to the sender. 4791648Sbrooks * 4891648Sbrooks * Else if something is not pure IPv4 unicast forwarding we fall back to 491541Srgrimes * the normal ip_input processing path. We should only be called from 5024204Sbde * interfaces connected to the outside world. 5171791Speter * 52181803Sbz * Firewalling is fully supported including divert, ipfw fwd and ipfilter 531541Srgrimes * ipnat and address rewrite. 541541Srgrimes * 55130933Sbrooks * IPSEC is not supported if this host is a tunnel broker. IPSEC is 561541Srgrimes * supported for connections to/from local host. 571541Srgrimes * 581541Srgrimes * We try to do the least expensive (in CPU ops) checks and operations 591541Srgrimes * first to catch junk with as little overhead as possible. 60185571Sbz * 611541Srgrimes * We take full advantage of hardware support for ip checksum and 621541Srgrimes * fragmentation offloading. 631541Srgrimes * 641541Srgrimes * We don't do ICMP redirect in the fast forwarding path. I have had my own 651541Srgrimes * cases where two core routers with Zebra routing suite would send millions 661541Srgrimes * ICMP redirects to connected hosts if the router to dest was not the default 6711819Sjulian * gateway. In one case it was filling the routing table of a host with close 6811819Sjulian * 300'000 cloned redirect entries until it ran out of kernel memory. However 6911819Sjulian * the networking code proved very robust and it didn't crash or went ill 7011819Sjulian * otherwise. 7111819Sjulian */ 7253541Sshin 7353541Sshin/* 7453541Sshin * Many thanks to Matt Thomas of NetBSD for basic structure of ip_flow.c which 7553541Sshin * is being followed here. 7653541Sshin */ 7762587Sitojun 7853541Sshin#include "opt_ipfw.h" 7953541Sshin#include "opt_ipdn.h" 8015885Sjulian#include "opt_ipdivert.h" 8115885Sjulian#include "opt_ipfilter.h" 8215885Sjulian#include "opt_ipstealth.h" 8383268Speter#include "opt_mac.h" 8415885Sjulian#include "opt_pfil_hooks.h" 85187039Srwatson 86187039Srwatson#include <sys/param.h> 871622Sdg#include <sys/systm.h> 881541Srgrimes#include <sys/kernel.h> 8953541Sshin#include <sys/mac.h> 9053541Sshin#include <sys/malloc.h> 911622Sdg#include <sys/mbuf.h> 926876Sdg#include <sys/protosw.h> 931622Sdg#include <sys/socket.h> 941541Srgrimes#include <sys/sysctl.h> 95189873Srwatson 96189873Srwatson#include <net/pfil.h> 97189873Srwatson#include <net/if.h> 98189873Srwatson#include <net/if_types.h> 99189873Srwatson#include <net/if_var.h> 10091648Sbrooks#include <net/if_dl.h> 10191648Sbrooks#include <net/route.h> 10291648Sbrooks 103191148Skmacy#include <netinet/in.h> 104160195Ssam#include <netinet/in_systm.h> 105128209Sbrooks#include <netinet/in_var.h> 106190787Szec#include <netinet/ip.h> 107193731Szec#include <netinet/ip_var.h> 108193731Szec#include <netinet/ip_icmp.h> 109193731Szec 11091648Sbrooks#include <machine/in_cksum.h> 111195699Srwatson 11291648Sbrooks#include <netinet/ip_fw.h> 113192669Szec#include <netinet/ip_divert.h> 114195699Srwatson#include <netinet/ip_dummynet.h> 115195699Srwatson 116195727Srwatsonstatic int ipfastforward_active = 0; 117195727SrwatsonSYSCTL_INT(_net_inet_ip, OID_AUTO, fastforwarding, CTLFLAG_RW, 118195699Srwatson &ipfastforward_active, 0, "Enable fast IP forwarding"); 119192669Szec 120192669Szecstatic struct sockaddr_in * 121192669Szecip_findroute(struct route *ro, in_addr_t dest, struct mbuf *m) 122195699Srwatson{ 123190909Szec struct sockaddr_in *dst; 124190909Szec struct rtentry *rt; 125192669Szec 126190909Szec /* 127193731Szec * Find route to destination. 128193731Szec */ 129195699Srwatson bzero(ro, sizeof(*ro)); 130193731Szec dst = (struct sockaddr_in *)&ro->ro_dst; 131190909Szec dst->sin_family = AF_INET; 132130933Sbrooks dst->sin_len = sizeof(*dst); 13391648Sbrooks dst->sin_addr.s_addr = dest; 134128209Sbrooks rtalloc_ign(ro, RTF_CLONING); 135177965Srwatson 13691648Sbrooks /* 13791648Sbrooks * Route there and interface still up? 138193731Szec */ 13997289Sbrooks rt = ro->ro_rt; 140181803Sbz if (rt && (rt->rt_flags & RTF_UP) && 141193731Szec (rt->rt_ifp->if_flags & IFF_UP) && 14291648Sbrooks (rt->rt_ifp->if_flags & IFF_RUNNING)) { 14391648Sbrooks if (rt->rt_flags & RTF_GATEWAY) 14491648Sbrooks dst = (struct sockaddr_in *)rt->rt_gateway; 145147256Sbrooks } else { 14691648Sbrooks ipstat.ips_noroute++; 14791648Sbrooks ipstat.ips_cantforward++; 148128209Sbrooks if (rt) 149177965Srwatson RTFREE(rt); 15071791Speter icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, NULL); 151147256Sbrooks return NULL; 15271791Speter } 153180094Sed return dst; 154180094Sed} 155147256Sbrooks 15671791Speter/* 157147256Sbrooks * Try to forward a packet based on the destination address. 158147256Sbrooks * This is a fast path optimized for the plain forwarding case. 159147256Sbrooks * If the packet is handled (and consumed) here then we return 1; 160147256Sbrooks * otherwise 0 is returned and the packet should be delivered 161147256Sbrooks * to ip_input for full processing. 162147256Sbrooks */ 163189871Srwatsonint 164189873Srwatsonip_fastforward(struct mbuf *m) 165147256Sbrooks{ 166147611Sdwmalone struct ip *ip; 167181803Sbz struct mbuf *m0 = NULL; 168181803Sbz#ifdef IPDIVERT 16992081Smux struct ip *tip; 17092081Smux struct mbuf *clone = NULL; 17171791Speter#endif 17271791Speter struct route ro; 173193731Szec struct sockaddr_in *dst = NULL; 174193731Szec struct in_ifaddr *ia = NULL; 175190787Szec struct ifaddr *ifa = NULL; 176190787Szec struct ifnet *ifp; 177192669Szec struct ip_fw_args args; 178192669Szec in_addr_t odest, dest; 179192669Szec u_short sum, ip_len; 180193731Szec int error = 0; 181193731Szec int hlen, ipfw, mtu; 182192669Szec 183193731Szec /* 184193731Szec * Are we active and forwarding packets? 185192669Szec */ 186192669Szec if (!ipfastforward_active || !ipforwarding) 187190787Szec return 0; 188192669Szec 189190787Szec M_ASSERTVALID(m); 190190787Szec M_ASSERTPKTHDR(m); 191190787Szec 192193731Szec ro.ro_rt = NULL; 19371791Speter 194193731Szec /* 195193731Szec * Step 1: check for packet drop conditions (and sanity checks) 196193731Szec */ 197193731Szec 198193731Szec /* 199193731Szec * Is entire packet big enough? 200193731Szec */ 201193731Szec if (m->m_pkthdr.len < sizeof(struct ip)) { 202193731Szec ipstat.ips_tooshort++; 203193731Szec goto drop; 204193731Szec } 205193731Szec 206193731Szec /* 207178883Srwatson * Is first mbuf large enough for ip header and is header present? 208178883Srwatson */ 209177965Srwatson if (m->m_len < sizeof (struct ip) && 210178883Srwatson (m = m_pullup(m, sizeof (struct ip))) == 0) { 211178883Srwatson ipstat.ips_toosmall++; 212195699Srwatson goto drop; 213190909Szec } 214190909Szec 215190787Szec ip = mtod(m, struct ip *); 216190909Szec 217178883Srwatson /* 218177965Srwatson * Is it IPv4? 219178883Srwatson */ 220178883Srwatson if (ip->ip_v != IPVERSION) { 221177965Srwatson ipstat.ips_badvers++; 222177965Srwatson goto drop; 223132199Sphk } 224177965Srwatson 225178883Srwatson /* 226177965Srwatson * Is IP header length correct and is it in first mbuf? 227178883Srwatson */ 2281541Srgrimes hlen = ip->ip_hl << 2; 229178883Srwatson if (hlen < sizeof(struct ip)) { /* minimum header length */ 230178883Srwatson ipstat.ips_badlen++; 231178883Srwatson goto drop; 23271862Speter } 233178883Srwatson if (hlen > m->m_len) { 23471862Speter if ((m = m_pullup(m, hlen)) == 0) { 235121596Skan ipstat.ips_badhlen++; 23671862Speter goto drop; 23754263Sshin } 238177965Srwatson ip = mtod(m, struct ip *); 239191148Skmacy } 2401541Srgrimes 241147611Sdwmalone /* 242191148Skmacy * Checksum correct? 243187039Srwatson */ 244187039Srwatson if (m->m_pkthdr.csum_flags & CSUM_IP_CHECKED) 245187039Srwatson sum = !(m->m_pkthdr.csum_flags & CSUM_IP_VALID); 246147611Sdwmalone else { 247113255Sdes if (hlen == sizeof(struct ip)) 248113255Sdes sum = in_cksum_hdr(ip); 249191148Skmacy else 250191148Skmacy sum = in_cksum(m, hlen); 251187039Srwatson } 252187039Srwatson if (sum) { 253187039Srwatson ipstat.ips_badsum++; 254187039Srwatson goto drop; 255187039Srwatson } 256187039Srwatson m->m_pkthdr.csum_flags |= (CSUM_IP_CHECKED | CSUM_IP_VALID); 257187039Srwatson 258187039Srwatson ip_len = ntohs(ip->ip_len); 25936908Sjulian 26036908Sjulian /* 26136908Sjulian * Is IP length longer than packet we have got? 26236908Sjulian */ 26336908Sjulian if (m->m_pkthdr.len < ip_len) { 26453541Sshin ipstat.ips_tooshort++; 26536908Sjulian goto drop; 26636908Sjulian } 267147611Sdwmalone 268147611Sdwmalone /* 269147611Sdwmalone * Is packet longer than IP header tells us? If yes, truncate packet. 270147611Sdwmalone */ 271147611Sdwmalone if (m->m_pkthdr.len > ip_len) { 272147611Sdwmalone if (m->m_len == m->m_pkthdr.len) { 273147611Sdwmalone m->m_len = ip_len; 27436992Sjulian m->m_pkthdr.len = ip_len; 27536992Sjulian } else 27636992Sjulian m_adj(m, ip_len - m->m_pkthdr.len); 277189863Srwatson } 278189863Srwatson 279189873Srwatson /* 280189863Srwatson * Is packet from or to 127/8? 281189873Srwatson */ 28253541Sshin if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET || 28336992Sjulian (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) { 28436992Sjulian ipstat.ips_badaddr++; 28536994Sjulian goto drop; 28636992Sjulian } 28765454Srwatson 28836992Sjulian /* 28936992Sjulian * Step 2: fallback conditions to normal ip_input path processing 29036992Sjulian */ 29136992Sjulian 292177965Srwatson /* 29336908Sjulian * Only IP packets without options 29436908Sjulian */ 29536908Sjulian if (ip->ip_hl != (sizeof(struct ip) >> 2)) { 29636908Sjulian if (ip_doopts == 1) 29736908Sjulian return 0; 29836908Sjulian else if (ip_doopts == 2) { 29936908Sjulian icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_FILTER_PROHIB, 30036908Sjulian 0, NULL); 30136908Sjulian return 1; 30236908Sjulian } 30336908Sjulian /* else ignore IP options and continue */ 30436908Sjulian } 30536908Sjulian 306177965Srwatson /* 30736908Sjulian * Only unicast IP, not from loopback, no L2 or IP broadcast, 30869152Sjlemon * no multicast, no INADDR_ANY 3091541Srgrimes * 310113255Sdes * XXX: Probably some of these checks could be direct drop 311121645Ssam * conditions. However it is not clear whether there are some 31236908Sjulian * hacks or obscure behaviours which make it neccessary to 31360889Sarchie * let ip_input handle it. We play safe here and let ip_input 314187039Srwatson * deal with it until it is proven that we can directly drop it. 315187039Srwatson */ 316187039Srwatson if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) || 317187039Srwatson ntohl(ip->ip_src.s_addr) == (u_long)INADDR_BROADCAST || 318162539Ssuz ntohl(ip->ip_dst.s_addr) == (u_long)INADDR_BROADCAST || 319162539Ssuz IN_MULTICAST(ntohl(ip->ip_src.s_addr)) || 320178883Srwatson IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) || 321162539Ssuz ip->ip_dst.s_addr == INADDR_ANY ) 322162539Ssuz return 0; 323162539Ssuz 324162539Ssuz /* 325162539Ssuz * Is it for a local address on this host? 326162539Ssuz */ 327162539Ssuz LIST_FOREACH(ia, INADDR_HASH(ip->ip_dst.s_addr), ia_hash) { 328162539Ssuz if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr) 329162539Ssuz return 0; 330123922Ssam } 331162539Ssuz 332162539Ssuz /* 333181803Sbz * Or is it for a local IP broadcast address on this host? 334181803Sbz */ 335162539Ssuz if (m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) { 336181118Srwatson TAILQ_FOREACH(ifa, &m->m_pkthdr.rcvif->if_addrhead, ifa_link) { 337162539Ssuz if (ifa->ifa_addr->sa_family != AF_INET) 338162539Ssuz continue; 339162539Ssuz ia = ifatoia(ifa); 340162539Ssuz if (ia->ia_netbroadcast.s_addr == ip->ip_dst.s_addr) 341181803Sbz return 0; 342162539Ssuz if (satosin(&ia->ia_broadaddr)->sin_addr.s_addr == 343162539Ssuz ip->ip_dst.s_addr) 3441541Srgrimes return 0; 3451541Srgrimes } 34636908Sjulian } 34737600Sdfr ipstat.ips_total++; 34860952Sgallatin 349166577Scognet /* 350158471Sjhb * Step 3: incoming packet firewall processing 351158471Sjhb */ 352158471Sjhb 353158471Sjhb /* 35460952Sgallatin * Convert to host representation 35561181Smjacob */ 356178883Srwatson ip->ip_len = ntohs(ip->ip_len); 357178883Srwatson ip->ip_off = ntohs(ip->ip_off); 35860952Sgallatin 35960952Sgallatin odest = dest = ip->ip_dst.s_addr; 360132780Skan#ifdef PFIL_HOOKS 36160952Sgallatin /* 36237600Sdfr * Run through list of ipfilter hooks for input packets 36337600Sdfr */ 36436908Sjulian if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN) || 36560889Sarchie m == NULL) 36660889Sarchie return 1; 3671541Srgrimes 3681541Srgrimes M_ASSERTVALID(m); 3691541Srgrimes M_ASSERTPKTHDR(m); 3701541Srgrimes 3711541Srgrimes ip = mtod(m, struct ip *); /* m may have changed by pfil hook */ 37253541Sshin dest = ip->ip_dst.s_addr; 37353541Sshin#endif 37453541Sshin 37553541Sshin /* 37653541Sshin * Run through ipfw for input packets 37753541Sshin */ 37811819Sjulian if (fw_enable && IPFW_LOADED) { 37911819Sjulian bzero(&args, sizeof(args)); 38011819Sjulian args.m = m; 38111819Sjulian 38211819Sjulian ipfw = ip_fw_chk_ptr(&args); 38315885Sjulian m = args.m; 38415885Sjulian 385111888Sjlemon M_ASSERTVALID(m); 38615885Sjulian M_ASSERTPKTHDR(m); 38783268Speter 3881541Srgrimes /* 38960889Sarchie * Packet denied, drop it 3901541Srgrimes */ 3911541Srgrimes if ((ipfw & IP_FW_PORT_DENY_FLAG) || m == NULL) 3921541Srgrimes goto drop; 3931541Srgrimes /* 3941541Srgrimes * Send packet to the appropriate pipe 395134391Sandre */ 3961541Srgrimes if (DUMMYNET_LOADED && (ipfw & IP_FW_PORT_DYNT_FLAG) != 0) { 3971541Srgrimes ip_dn_io_ptr(m, ipfw & 0xffff, DN_TO_IP_IN, &args); 3981541Srgrimes return 1; 3991541Srgrimes } 40012706Sphk#ifdef IPDIVERT 401177965Srwatson /* 4021541Srgrimes * Divert packet 403177965Srwatson */ 404120727Ssam if (ipfw != 0 && (ipfw & IP_FW_PORT_DYNT_FLAG) == 0) { 405142352Ssam /* 4061541Srgrimes * See if this is a fragment 4071541Srgrimes */ 4081541Srgrimes if (ip->ip_off & (IP_MF | IP_OFFMASK)) 4091541Srgrimes goto droptoours; 4101541Srgrimes /* 4111541Srgrimes * Tee packet 41254263Sshin */ 413177965Srwatson if ((ipfw & IP_FW_PORT_TEE_FLAG) != 0) 4141541Srgrimes clone = divert_clone(m); 415177965Srwatson else 416177965Srwatson clone = m; 417189863Srwatson if (clone == NULL) 4181541Srgrimes goto passin; 4191541Srgrimes 4201541Srgrimes /* 421148887Srwatson * Delayed checksums are not compatible 422148887Srwatson */ 4231541Srgrimes if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { 42413928Swollman in_delayed_cksum(m); 4251541Srgrimes m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; 4261541Srgrimes } 4271541Srgrimes /* 4281541Srgrimes * Restore packet header fields to original values 4291541Srgrimes */ 4301541Srgrimes tip = mtod(m, struct ip *); 4311541Srgrimes tip->ip_len = htons(tip->ip_len); 4321541Srgrimes tip->ip_off = htons(tip->ip_off); 4331541Srgrimes /* 4341541Srgrimes * Deliver packet to divert input routine 4351541Srgrimes */ 4361541Srgrimes divert_packet(m, 0); 4371541Srgrimes /* 4381541Srgrimes * If this was not tee, we are done 4391541Srgrimes */ 4401541Srgrimes m = clone; 4411541Srgrimes if ((ipfw & IP_FW_PORT_TEE_FLAG) == 0) 44253541Sshin return 1; 44353541Sshin /* Continue if it was tee */ 44453541Sshin goto passin; 44553541Sshin } 4461541Srgrimes#endif 4471541Srgrimes if (ipfw == 0 && args.next_hop != NULL) { 4481541Srgrimes dest = args.next_hop->sin_addr.s_addr; 4491541Srgrimes goto passin; 4501541Srgrimes } 4511541Srgrimes /* 4521541Srgrimes * Let through or not? 4531944Sdg */ 45449468Sbrian if (ipfw != 0) 4551944Sdg goto drop; 4561944Sdg } 45735563Sphkpassin: 45835563Sphk ip = mtod(m, struct ip *); /* if m changed during fw processing */ 45935563Sphk 460189863Srwatson /* 461189863Srwatson * Destination address changed? 462189863Srwatson */ 463189863Srwatson if (odest != dest) { 464189863Srwatson /* 465189863Srwatson * Is it now for a local address on this host? 466189863Srwatson */ 467189873Srwatson LIST_FOREACH(ia, INADDR_HASH(ip->ip_dst.s_addr), ia_hash) { 468189863Srwatson if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr) 469189863Srwatson goto forwardlocal; 470189863Srwatson } 471189863Srwatson /* 4721541Srgrimes * Go on with new destination address 4731541Srgrimes */ 4741541Srgrimes } 4751541Srgrimes 4761541Srgrimes /* 477 * Step 4: decrement TTL and look up route 478 */ 479 480 /* 481 * Check TTL 482 */ 483#ifdef IPSTEALTH 484 if (!ipstealth) { 485#endif 486 if (ip->ip_ttl <= IPTTLDEC) { 487 icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, 0, NULL); 488 return 1; 489 } 490 491 /* 492 * Decrement the TTL and incrementally change the checksum. 493 * Don't bother doing this with hw checksum offloading. 494 */ 495 ip->ip_ttl -= IPTTLDEC; 496 if (ip->ip_sum >= (u_int16_t) ~htons(IPTTLDEC << 8)) 497 ip->ip_sum -= ~htons(IPTTLDEC << 8); 498 else 499 ip->ip_sum += htons(IPTTLDEC << 8); 500#ifdef IPSTEALTH 501 } 502#endif 503 504 /* 505 * Find route to destination. 506 */ 507 if ((dst = ip_findroute(&ro, dest, m)) == NULL) 508 return 1; /* icmp unreach already sent */ 509 ifp = ro.ro_rt->rt_ifp; 510 511 /* 512 * Step 5: outgoing firewall packet processing 513 */ 514 515#ifdef PFIL_HOOKS 516 /* 517 * Run through list of hooks for output packets. 518 */ 519 if (pfil_run_hooks(&inet_pfil_hook, &m, ifp, PFIL_OUT) || m == NULL) { 520 goto consumed; 521 } 522 523 M_ASSERTVALID(m); 524 M_ASSERTPKTHDR(m); 525 526 ip = mtod(m, struct ip *); 527 dest = ip->ip_dst.s_addr; 528#endif 529 if (fw_enable && IPFW_LOADED && !args.next_hop) { 530 bzero(&args, sizeof(args)); 531 args.m = m; 532 args.oif = ifp; 533 534 ipfw = ip_fw_chk_ptr(&args); 535 m = args.m; 536 537 M_ASSERTVALID(m); 538 M_ASSERTPKTHDR(m); 539 540 if ((ipfw & IP_FW_PORT_DENY_FLAG) || m == NULL) 541 goto drop; 542 543 if (DUMMYNET_LOADED && (ipfw & IP_FW_PORT_DYNT_FLAG) != 0) { 544 /* 545 * XXX note: if the ifp or rt entry are deleted 546 * while a pkt is in dummynet, we are in trouble! 547 */ 548 args.ro = &ro; /* dummynet does not save it */ 549 args.dst = dst; 550 551 ip_dn_io_ptr(m, ipfw & 0xffff, DN_TO_IP_OUT, &args); 552 goto consumed; 553 } 554#ifdef IPDIVERT 555 if (ipfw != 0 && (ipfw & IP_FW_PORT_DYNT_FLAG) == 0) { 556 /* 557 * See if this is a fragment 558 */ 559 if (ip->ip_off & (IP_MF | IP_OFFMASK)) 560 goto droptoours; 561 /* 562 * Tee packet 563 */ 564 if ((ipfw & IP_FW_PORT_TEE_FLAG) != 0) 565 clone = divert_clone(m); 566 else 567 clone = m; 568 if (clone == NULL) 569 goto passout; 570 571 /* 572 * Delayed checksums are not compatible with divert 573 */ 574 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { 575 in_delayed_cksum(m); 576 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; 577 } 578 /* 579 * Restore packet header fields to original values 580 */ 581 tip = mtod(m, struct ip *); 582 tip->ip_len = htons(tip->ip_len); 583 tip->ip_off = htons(tip->ip_off); 584 /* 585 * Deliver packet to divert input routine 586 */ 587 divert_packet(m, 0); 588 /* 589 * If this was not tee, we are done 590 */ 591 m = clone; 592 if ((ipfw & IP_FW_PORT_TEE_FLAG) == 0) { 593 goto consumed; 594 } 595 /* Continue if it was tee */ 596 goto passout; 597 } 598#endif 599 if (ipfw == 0 && args.next_hop != NULL) { 600 dest = args.next_hop->sin_addr.s_addr; 601 goto passout; 602 } 603 /* 604 * Let through or not? 605 */ 606 if (ipfw != 0) 607 goto drop; 608 } 609passout: 610 ip = mtod(m, struct ip *); 611 612 /* 613 * Destination address changed? 614 */ 615 if (odest != dest) { 616 /* 617 * Is it now for a local address on this host? 618 */ 619 LIST_FOREACH(ia, INADDR_HASH(ip->ip_dst.s_addr), ia_hash) { 620 if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr) { 621forwardlocal: 622 if (args.next_hop) { 623 struct m_tag *mtag = m_tag_get( 624 PACKET_TAG_IPFORWARD, 625 sizeof(struct sockaddr_in *), 626 M_NOWAIT); 627 if (mtag == NULL) { 628 goto drop; 629 } 630 *(struct sockaddr_in **)(mtag+1) = 631 args.next_hop; 632 m_tag_prepend(m, mtag); 633 } 634#ifdef IPDIVERT 635droptoours: /* Used for DIVERT */ 636#endif 637 /* for ip_input */ 638 m->m_flags |= M_FASTFWD_OURS; 639 640 /* ip still points to the real packet */ 641 ip->ip_len = htons(ip->ip_len); 642 ip->ip_off = htons(ip->ip_off); 643 644 /* 645 * Return packet for processing by ip_input 646 */ 647 if (ro.ro_rt) 648 RTFREE(ro.ro_rt); 649 return 0; 650 } 651 } 652 /* 653 * Redo route lookup with new destination address 654 */ 655 RTFREE(ro.ro_rt); 656 if ((dst = ip_findroute(&ro, dest, m)) == NULL) 657 return 1; /* icmp unreach already sent */ 658 ifp = ro.ro_rt->rt_ifp; 659 } 660 661 /* 662 * Step 6: send off the packet 663 */ 664 665 /* 666 * Check if route is dampned (when ARP is unable to resolve) 667 */ 668 if ((ro.ro_rt->rt_flags & RTF_REJECT) && 669 ro.ro_rt->rt_rmx.rmx_expire >= time_second) { 670 icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, NULL); 671 goto consumed; 672 } 673 674 /* 675 * Check if there is enough space in the interface queue 676 */ 677 if ((ifp->if_snd.ifq_len + ip->ip_len / ifp->if_mtu + 1) >= 678 ifp->if_snd.ifq_maxlen) { 679 ipstat.ips_odropped++; 680 /* would send source quench here but that is depreciated */ 681 goto drop; 682 } 683 684 /* 685 * Check if media link state of interface is not down 686 */ 687 if (ifp->if_link_state == LINK_STATE_DOWN) { 688 icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, NULL); 689 goto consumed; 690 } 691 692 /* 693 * Check if packet fits MTU or if hardware will fragement for us 694 */ 695 if (ro.ro_rt->rt_rmx.rmx_mtu) 696 mtu = min(ro.ro_rt->rt_rmx.rmx_mtu, ifp->if_mtu); 697 else 698 mtu = ifp->if_mtu; 699 700 if (ip->ip_len <= mtu || 701 (ifp->if_hwassist & CSUM_FRAGMENT && (ip->ip_off & IP_DF) == 0)) { 702 /* 703 * Restore packet header fields to original values 704 */ 705 ip->ip_len = htons(ip->ip_len); 706 ip->ip_off = htons(ip->ip_off); 707 /* 708 * Send off the packet via outgoing interface 709 */ 710 error = (*ifp->if_output)(ifp, m, 711 (struct sockaddr *)dst, ro.ro_rt); 712 } else { 713 /* 714 * Handle EMSGSIZE with icmp reply needfrag for TCP MTU discovery 715 */ 716 if (ip->ip_off & IP_DF) { 717 ipstat.ips_cantfrag++; 718 icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 719 0, ifp); 720 goto consumed; 721 } else { 722 /* 723 * We have to fragement the packet 724 */ 725 m->m_pkthdr.csum_flags |= CSUM_IP; 726 /* 727 * ip_fragment expects ip_len and ip_off in host byte 728 * order but returns all packets in network byte order 729 */ 730 if (ip_fragment(ip, &m, mtu, ifp->if_hwassist, 731 (~ifp->if_hwassist & CSUM_DELAY_IP))) { 732 goto drop; 733 } 734 KASSERT(m != NULL, ("null mbuf and no error")); 735 /* 736 * Send off the fragments via outgoing interface 737 */ 738 error = 0; 739 do { 740 m0 = m->m_nextpkt; 741 m->m_nextpkt = NULL; 742 743 error = (*ifp->if_output)(ifp, m, 744 (struct sockaddr *)dst, ro.ro_rt); 745 if (error) 746 break; 747 } while ((m = m0) != NULL); 748 if (error) { 749 /* Reclaim remaining fragments */ 750 for (; m; m = m0) { 751 m0 = m->m_nextpkt; 752 m->m_nextpkt = NULL; 753 m_freem(m); 754 } 755 } else 756 ipstat.ips_fragmented++; 757 } 758 } 759 760 if (error != 0) 761 ipstat.ips_odropped++; 762 else { 763 ro.ro_rt->rt_rmx.rmx_pksent++; 764 ipstat.ips_forward++; 765 ipstat.ips_fastforward++; 766 } 767consumed: 768 RTFREE(ro.ro_rt); 769 return 1; 770drop: 771 if (m) 772 m_freem(m); 773 if (ro.ro_rt) 774 RTFREE(ro.ro_rt); 775 return 1; 776} 777