Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. =================================================================== RCS file: /ftp/cvs/cvsroot/src/sys/netinet/ip_input.c,v retrieving revision 1.114 retrieving revision 1.114.4.5 diff -u -p -r1.114 -r1.114.4.5 --- src/sys/netinet/ip_input.c 2000/05/10 03:31:30 1.114 +++ src/sys/netinet/ip_input.c 2001/04/06 00:24:47 1.114.4.5 @@ -1,4 +1,4 @@ -/* $NetBSD: ip_input.c,v 1.114 2000/05/10 03:31:30 itojun Exp $ */ +/* $NetBSD: ip_input.c,v 1.114.4.5 2001/04/06 00:24:47 he Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -459,6 +459,14 @@ ip_input(struct mbuf *m) #endif #ifdef PFIL_HOOKS +#ifdef IPSEC + /* + * let ipfilter look at packet on the wire, + * not the decapsulated packet. + */ + if (ipsec_gethist(m, NULL)) + goto nofilt; +#endif /* * Run through list of hooks for input packets. If there are any * filters which require that additional packets in the flow are @@ -479,6 +487,9 @@ ip_input(struct mbuf *m) return; ip = mtod(m, struct ip *); } +#ifdef IPSEC +nofilt:; +#endif #endif /* PFIL_HOOKS */ /* @@ -687,6 +698,19 @@ found: IPQ_UNLOCK(); } +#ifdef IPSEC + /* + * enforce IPsec policy checking if we are seeing last header. + * note that we do not visit this with protocols with pcb layer + * code - like udp/tcp/raw ip. + */ + if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0 && + ipsec4_in_reject(m, NULL)) { + ipsecstat.in_polvio++; + goto bad; + } +#endif + /* * Switch out to protocol's input routine. */ @@ -1398,8 +1422,11 @@ ip_forward(m, srcrt) /* * Save at most 68 bytes of the packet in case * we need to generate an ICMP message to the src. + * Pullup to avoid sharing mbuf cluster between m and mcopy. */ - mcopy = m_copy(m, 0, imin((int)ip->ip_len, 68)); + mcopy = m_copym(m, 0, imin((int)ip->ip_len, 68), M_DONTWAIT); + if (mcopy) + mcopy = m_pullup(mcopy, ip->ip_hl << 2); /* * If forwarding packet using same interface that it came in on, @@ -1436,7 +1463,7 @@ ip_forward(m, srcrt) #ifdef IPSEC /* Don't lookup socket in forwading case */ - ipsec_setsocket(m, NULL); + (void)ipsec_setsocket(m, NULL); #endif error = ip_output(m, (struct mbuf *)0, &ipforward_rt, (IP_FORWARDING | (ip_directedbcast ? IP_ALLOWBROADCAST : 0)), 0); @@ -1665,7 +1692,8 @@ ip_sysctl(name, namelen, oldp, oldlenp, case IPCTL_ANONPORTMIN: old = anonportmin; error = sysctl_int(oldp, oldlenp, newp, newlen, &anonportmin); - if (anonportmin >= anonportmax || anonportmin > 65535 + if (anonportmin >= anonportmax || anonportmin < 0 + || anonportmin > 65535 #ifndef IPNOPRIVPORTS || anonportmin < IPPORT_RESERVED #endif @@ -1677,7 +1705,8 @@ ip_sysctl(name, namelen, oldp, oldlenp, case IPCTL_ANONPORTMAX: old = anonportmax; error = sysctl_int(oldp, oldlenp, newp, newlen, &anonportmax); - if (anonportmin >= anonportmax || anonportmax > 65535 + if (anonportmin >= anonportmax || anonportmax < 0 + || anonportmax > 65535 #ifndef IPNOPRIVPORTS || anonportmax < IPPORT_RESERVED #endif @@ -1715,6 +1744,31 @@ ip_sysctl(name, namelen, oldp, oldlenp, &ip_gif_ttl)); #endif +#ifndef IPNOPRIVPORTS + case IPCTL_LOWPORTMIN: + old = lowportmin; + error = sysctl_int(oldp, oldlenp, newp, newlen, &lowportmin); + if (lowportmin >= lowportmax + || lowportmin > IPPORT_RESERVEDMAX + || lowportmin < IPPORT_RESERVEDMIN + ) { + lowportmin = old; + return (EINVAL); + } + return (error); + case IPCTL_LOWPORTMAX: + old = lowportmax; + error = sysctl_int(oldp, oldlenp, newp, newlen, &lowportmax); + if (lowportmin >= lowportmax + || lowportmax > IPPORT_RESERVEDMAX + || lowportmax < IPPORT_RESERVEDMIN + ) { + lowportmax = old; + return (EINVAL); + } + return (error); +#endif + default: return (EOPNOTSUPP); }