Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. =================================================================== RCS file: /ftp/cvs/cvsroot/src/sys/netinet/ip_input.c,v rcsdiff: /ftp/cvs/cvsroot/src/sys/netinet/ip_input.c,v: warning: Unknown phrases like `commitid ...;' are present. retrieving revision 1.114.4.8 retrieving revision 1.144 diff -u -p -r1.114.4.8 -r1.144 --- src/sys/netinet/ip_input.c 2002/02/26 21:07:56 1.114.4.8 +++ src/sys/netinet/ip_input.c 2002/02/24 17:22:21 1.144 @@ -1,4 +1,4 @@ -/* $NetBSD: ip_input.c,v 1.114.4.8 2002/02/26 21:07:56 he Exp $ */ +/* $NetBSD: ip_input.c,v 1.144 2002/02/24 17:22:21 martin Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -101,10 +101,14 @@ * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 */ +#include +__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.144 2002/02/24 17:22:21 martin Exp $"); + #include "opt_gateway.h" #include "opt_pfil_hooks.h" #include "opt_ipsec.h" #include "opt_mrouting.h" +#include "opt_inet_csum.h" #include #include @@ -117,10 +121,7 @@ #include #include #include -#include #include - -#include #include #include @@ -148,7 +149,6 @@ #ifdef IPSEC #include #include -#include #endif #ifndef IPFORWARDING @@ -207,6 +207,10 @@ struct ifqueue ipintrq; struct ipstat ipstat; u_int16_t ip_id; +#ifdef PFIL_HOOKS +struct pfil_head inet_pfil_hook; +#endif + struct ipqhead ipq; int ipq_locked; int ip_nfragpackets = 0; @@ -220,7 +224,11 @@ ipq_lock_try() { int s; - s = splimp(); + /* + * Use splvm() -- we're bloking things that would cause + * mbuf allocation. + */ + s = splvm(); if (ipq_locked) { splx(s); return (0); @@ -235,7 +243,7 @@ ipq_unlock() { int s; - s = splimp(); + s = splvm(); ipq_locked = 0; splx(s); } @@ -264,6 +272,24 @@ do { \ struct pool ipqent_pool; +#ifdef INET_CSUM_COUNTERS +#include + +struct evcnt ip_hwcsum_bad = EVCNT_INITIALIZER(EVCNT_TYPE_MISC, + NULL, "inet", "hwcsum bad"); +struct evcnt ip_hwcsum_ok = EVCNT_INITIALIZER(EVCNT_TYPE_MISC, + NULL, "inet", "hwcsum ok"); +struct evcnt ip_swcsum = EVCNT_INITIALIZER(EVCNT_TYPE_MISC, + NULL, "inet", "swcsum"); + +#define INET_CSUM_COUNTER_INCR(ev) (ev)->ev_count++ + +#else + +#define INET_CSUM_COUNTER_INCR(ev) /* nothing */ + +#endif /* INET_CSUM_COUNTERS */ + /* * We need to save the IP options in case a protocol wants to respond * to an incoming packet over the same route if the packet got here @@ -308,14 +334,30 @@ ip_init() ip_id = time.tv_sec & 0xffff; ipintrq.ifq_maxlen = ipqmaxlen; TAILQ_INIT(&in_ifaddr); - in_ifaddrhashtbl = - hashinit(IN_IFADDR_HASH_SIZE, M_IFADDR, M_WAITOK, &in_ifaddrhash); + in_ifaddrhashtbl = hashinit(IN_IFADDR_HASH_SIZE, HASH_LIST, M_IFADDR, + M_WAITOK, &in_ifaddrhash); if (ip_mtudisc != 0) ip_mtudisc_timeout_q = rt_timer_queue_create(ip_mtudisc_timeout); #ifdef GATEWAY ipflow_init(); #endif + +#ifdef PFIL_HOOKS + /* Register our Packet Filter hook. */ + inet_pfil_hook.ph_type = PFIL_TYPE_AF; + inet_pfil_hook.ph_af = AF_INET; + i = pfil_head_register(&inet_pfil_hook); + if (i != 0) + printf("ip_init: WARNING: unable to register pfil hook, " + "error %d\n", i); +#endif /* PFIL_HOOKS */ + +#ifdef INET_CSUM_COUNTERS + evcnt_attach_static(&ip_hwcsum_bad); + evcnt_attach_static(&ip_hwcsum_ok); + evcnt_attach_static(&ip_swcsum); +#endif /* INET_CSUM_COUNTERS */ } struct sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET }; @@ -331,7 +373,7 @@ ipintr() struct mbuf *m; while (1) { - s = splimp(); + s = splnet(); IF_DEQUEUE(&ipintrq, m); splx(s); if (m == 0) @@ -354,11 +396,6 @@ ip_input(struct mbuf *m) struct ipqent *ipqe; int hlen = 0, mff, len; int downmatch; -#ifdef PFIL_HOOKS - struct packet_filter_hook *pfh; - struct mbuf *m0; - int rv; -#endif /* PFIL_HOOKS */ #ifdef DIAGNOSTIC if ((m->m_flags & M_PKTHDR) == 0) @@ -378,7 +415,7 @@ ip_input(struct mbuf *m) * If no IP addresses have been set yet but the interfaces * are receiving, can't do anything with incoming packets yet. */ - if (in_ifaddr.tqh_first == 0) + if (TAILQ_FIRST(&in_ifaddr) == 0) goto bad; ipstat.ips_total++; if (m->m_len < sizeof (struct ip) && @@ -409,21 +446,41 @@ ip_input(struct mbuf *m) * not allowed. */ if (IN_MULTICAST(ip->ip_src.s_addr)) { - /* XXX stat */ + ipstat.ips_badaddr++; goto bad; } - if (in_cksum(m, hlen) != 0) { - ipstat.ips_badsum++; - goto bad; + /* 127/8 must not appear on wire - RFC1122 */ + if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET || + (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) { + if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) { + ipstat.ips_badaddr++; + goto bad; + } } - /* - * Convert fields to host representation. - */ - NTOHS(ip->ip_len); - NTOHS(ip->ip_off); - len = ip->ip_len; + switch (m->m_pkthdr.csum_flags & + ((m->m_pkthdr.rcvif->if_csum_flags_rx & M_CSUM_IPv4) | + M_CSUM_IPv4_BAD)) { + case M_CSUM_IPv4|M_CSUM_IPv4_BAD: + INET_CSUM_COUNTER_INCR(&ip_hwcsum_bad); + goto badcsum; + + case M_CSUM_IPv4: + /* Checksum was okay. */ + INET_CSUM_COUNTER_INCR(&ip_hwcsum_ok); + break; + + default: + /* Must compute it ourselves. */ + INET_CSUM_COUNTER_INCR(&ip_swcsum); + if (in_cksum(m, hlen) != 0) + goto bad; + break; + } + + /* Retrieve the packet length. */ + len = ntohs(ip->ip_len); /* * Check for additional length bogosity @@ -463,14 +520,6 @@ ip_input(struct mbuf *m) #endif #ifdef PFIL_HOOKS -#ifdef IPSEC - /* - * let ipfilter look at packet on the wire, - * not the decapsulated packet. - */ - if (ipsec_gethist(m, NULL)) - goto nofilt; -#endif /* * Run through list of hooks for input packets. If there are any * filters which require that additional packets in the flow are @@ -478,24 +527,40 @@ ip_input(struct mbuf *m) * Note that filters must _never_ set this flag, as another filter * in the list may have previously cleared it. */ - m0 = m; - pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh); - for (; pfh; pfh = pfh->pfil_link.tqe_next) - if (pfh->pfil_func) { - rv = pfh->pfil_func(ip, hlen, - m->m_pkthdr.rcvif, 0, &m0); - if (rv) - return; - m = m0; - if (m == NULL) - return; - ip = mtod(m, struct ip *); - } + /* + * let ipfilter look at packet on the wire, + * not the decapsulated packet. + */ #ifdef IPSEC -nofilt:; + if (!ipsec_getnhist(m)) +#else + if (1) #endif + { + if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif, + PFIL_IN) != 0) + return; + if (m == NULL) + return; + ip = mtod(m, struct ip *); + hlen = ip->ip_hl << 2; + } #endif /* PFIL_HOOKS */ +#ifdef ALTQ + /* XXX Temporary until ALTQ is changed to use a pfil hook */ + if (altq_input != NULL && (*altq_input)(m, AF_INET) == 0) { + /* packet dropped by traffic conditioner */ + return; + } +#endif + + /* + * Convert fields to host representation. + */ + NTOHS(ip->ip_len); + NTOHS(ip->ip_off); + /* * Process options and, if not destined for us, * ship it on. ip_dooptions returns 1 when an @@ -514,9 +579,7 @@ nofilt:; * as not mine. */ downmatch = 0; - for (ia = IN_IFADDR_HASH(ip->ip_dst.s_addr).lh_first; - ia != NULL; - ia = ia->ia_hash.le_next) { + LIST_FOREACH(ia, &IN_IFADDR_HASH(ip->ip_dst.s_addr), ia_hash) { if (in_hosteq(ia->ia_addr.sin_addr, ip->ip_dst)) { if ((ia->ia_ifp->if_flags & IFF_UP) != 0) break; @@ -527,9 +590,9 @@ nofilt:; if (ia != NULL) goto ours; if (m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) { - for (ifa = m->m_pkthdr.rcvif->if_addrlist.tqh_first; - ifa != NULL; ifa = ifa->ifa_list.tqe_next) { - if (ifa->ifa_addr->sa_family != AF_INET) continue; + TAILQ_FOREACH(ifa, &m->m_pkthdr.rcvif->if_addrlist, ifa_list) { + if (ifa->ifa_addr->sa_family != AF_INET) + continue; ia = ifatoia(ifa); if (in_hosteq(ip->ip_dst, ia->ia_broadaddr.sin_addr) || in_hosteq(ip->ip_dst, ia->ia_netbroadcast) || @@ -624,13 +687,6 @@ nofilt:; ipstat.ips_cantforward++; return; } -#ifdef IPSEC - if (ipsec4_in_reject(m, NULL)) { - ipsecstat.in_polvio++; - goto bad; - } -#endif - ip_forward(m, 0); } return; @@ -649,7 +705,7 @@ ours: * of this datagram. */ IPQ_LOCK(); - for (fp = ipq.lh_first; fp != NULL; fp = fp->ipq_q.le_next) + LIST_FOREACH(fp, &ipq, ipq_q) if (ip->ip_id == fp->ipq_id && in_hosteq(ip->ip_src, fp->ipq_src) && in_hosteq(ip->ip_dst, fp->ipq_dst) && @@ -726,7 +782,8 @@ found: * Switch out to protocol's input routine. */ #if IFA_STATS - ia->ia_ifa.ifa_data.ifad_inbytes += ip->ip_len; + if (ia && ip) + ia->ia_ifa.ifa_data.ifad_inbytes += ip->ip_len; #endif ipstat.ips_delivered++; { @@ -737,6 +794,11 @@ found: } bad: m_freem(m); + return; + +badcsum: + ipstat.ips_badsum++; + m_freem(m); } /* @@ -799,8 +861,8 @@ ip_reass(ipqe, fp) /* * Find a segment which begins after this one does. */ - for (p = NULL, q = fp->ipq_fragq.lh_first; q != NULL; - p = q, q = q->ipqe_q.le_next) + for (p = NULL, q = LIST_FIRST(&fp->ipq_fragq); q != NULL; + p = q, q = LIST_NEXT(q, ipqe_q)) if (q->ipqe_ip->ip_off > ipqe->ipqe_ip->ip_off) break; @@ -835,7 +897,7 @@ ip_reass(ipqe, fp) m_adj(q->ipqe_m, i); break; } - nq = q->ipqe_q.le_next; + nq = LIST_NEXT(q, ipqe_q); m_freem(q->ipqe_m); LIST_REMOVE(q, ipqe_q); pool_put(&ipqent_pool, q); @@ -852,8 +914,8 @@ insert: LIST_INSERT_AFTER(p, ipqe, ipqe_q); } next = 0; - for (p = NULL, q = fp->ipq_fragq.lh_first; q != NULL; - p = q, q = q->ipqe_q.le_next) { + for (p = NULL, q = LIST_FIRST(&fp->ipq_fragq); q != NULL; + p = q, q = LIST_NEXT(q, ipqe_q)) { if (q->ipqe_ip->ip_off != next) return (0); next += q->ipqe_ip->ip_len; @@ -865,7 +927,7 @@ insert: * Reassembly is complete. Check for a bogus message size and * concatenate fragments. */ - q = fp->ipq_fragq.lh_first; + q = LIST_FIRST(&fp->ipq_fragq); ip = q->ipqe_ip; if ((next + (ip->ip_hl << 2)) > IP_MAXPACKET) { ipstat.ips_toolong++; @@ -876,11 +938,11 @@ insert: t = m->m_next; m->m_next = 0; m_cat(m, t); - nq = q->ipqe_q.le_next; + nq = LIST_NEXT(q, ipqe_q); pool_put(&ipqent_pool, q); for (q = nq; q != NULL; q = nq) { t = q->ipqe_m; - nq = q->ipqe_q.le_next; + nq = LIST_NEXT(q, ipqe_q); pool_put(&ipqent_pool, q); m_cat(m, t); } @@ -927,8 +989,8 @@ ip_freef(fp) IPQ_LOCK_CHECK(); - for (q = fp->ipq_fragq.lh_first; q != NULL; q = p) { - p = q->ipqe_q.le_next; + for (q = LIST_FIRST(&fp->ipq_fragq); q != NULL; q = p) { + p = LIST_NEXT(q, ipqe_q); m_freem(q->ipqe_m); LIST_REMOVE(q, ipqe_q); pool_put(&ipqent_pool, q); @@ -950,8 +1012,8 @@ ip_slowtimo() int s = splsoftnet(); IPQ_LOCK(); - for (fp = ipq.lh_first; fp != NULL; fp = nfp) { - nfp = fp->ipq_q.le_next; + for (fp = LIST_FIRST(&ipq); fp != NULL; fp = nfp) { + nfp = LIST_NEXT(fp, ipq_q); if (--fp->ipq_ttl == 0) { ipstat.ips_fragtimeout++; ip_freef(fp); @@ -965,8 +1027,8 @@ ip_slowtimo() if (ip_maxfragpackets < 0) ; else { - while (ip_nfragpackets > ip_maxfragpackets && ipq.lh_first) - ip_freef(ipq.lh_first); + while (ip_nfragpackets > ip_maxfragpackets && LIST_FIRST(&ipq)) + ip_freef(LIST_FIRST(&ipq)); } IPQ_UNLOCK(); #ifdef GATEWAY @@ -989,9 +1051,9 @@ ip_drain() if (ipq_lock_try() == 0) return; - while (ipq.lh_first != NULL) { + while (LIST_FIRST(&ipq) != NULL) { ipstat.ips_fragdropped++; - ip_freef(ipq.lh_first); + ip_freef(LIST_FIRST(&ipq)); } IPQ_UNLOCK(); @@ -1378,7 +1440,7 @@ ip_stripoptions(m, mopt) ip->ip_hl = sizeof (struct ip) >> 2; } -int inetctlerrmap[PRC_NCMDS] = { +const int inetctlerrmap[PRC_NCMDS] = { 0, 0, 0, 0, 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH, EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED, @@ -1417,6 +1479,11 @@ ip_forward(m, srcrt) struct ifnet dummyifp; #endif + /* + * Clear any in-bound checksum flags for this packet. + */ + m->m_pkthdr.csum_flags = 0; + dest = 0; #ifdef DIAGNOSTIC if (ipprintfs) @@ -1497,7 +1564,7 @@ ip_forward(m, srcrt) } #ifdef IPSEC - /* Don't lookup socket in forwading case */ + /* Don't lookup socket in forwarding case */ (void)ipsec_setsocket(m, NULL); #endif error = ip_output(m, (struct mbuf *)0, &ipforward_rt, @@ -1600,9 +1667,21 @@ ip_forward(m, srcrt) break; case ENOBUFS: +#if 1 + /* + * a router should not generate ICMP_SOURCEQUENCH as + * required in RFC1812 Requirements for IP Version 4 Routers. + * source quench could be a big problem under DoS attacks, + * or the underlying interface is rate-limited. + */ + if (mcopy) + m_freem(mcopy); + return; +#else type = ICMP_SOURCEQUENCH; code = 0; break; +#endif } icmp_error(mcopy, type, code, dest, destifp); }