Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

===================================================================
RCS file: /ftp/cvs/cvsroot/src/sys/netinet/ip_input.c,v
rcsdiff: /ftp/cvs/cvsroot/src/sys/netinet/ip_input.c,v: warning: Unknown phrases like `commitid ...;' are present.
retrieving revision 1.114.4.7
retrieving revision 1.130.2.1
diff -u -p -r1.114.4.7 -r1.130.2.1
--- src/sys/netinet/ip_input.c	2002/02/26 20:57:03	1.114.4.7
+++ src/sys/netinet/ip_input.c	2001/04/09 01:58:25	1.130.2.1
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.114.4.7 2002/02/26 20:57:03 he Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.130.2.1 2001/04/09 01:58:25 nathanw Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -120,7 +120,8 @@
 #include <sys/proc.h>
 #include <sys/pool.h>
 
-#include <vm/vm.h>
+#include <uvm/uvm_extern.h>
+
 #include <sys/sysctl.h>
 
 #include <net/if.h>
@@ -138,8 +139,6 @@
 /* just for gif_ttl */
 #include <netinet/in_gif.h>
 #include "gif.h"
-#include <net/if_gre.h>
-#include "gre.h"
 
 #ifdef MROUTING
 #include <netinet/ip_mroute.h>
@@ -148,7 +147,6 @@
 #ifdef IPSEC
 #include <netinet6/ipsec.h>
 #include <netkey/key.h>
-#include <netkey/key_debug.h>
 #endif
 
 #ifndef	IPFORWARDING
@@ -207,10 +205,14 @@ struct	ifqueue ipintrq;
 struct	ipstat	ipstat;
 u_int16_t	ip_id;
 
+#ifdef PFIL_HOOKS
+struct pfil_head inet_pfil_hook;
+#endif
+
 struct ipqhead ipq;
 int	ipq_locked;
 int	ip_nfragpackets = 0;
-int	ip_maxfragpackets = 200;
+int	ip_maxfragpackets = -1;
 
 static __inline int ipq_lock_try __P((void));
 static __inline void ipq_unlock __P((void));
@@ -308,14 +310,24 @@ ip_init()
 	ip_id = time.tv_sec & 0xffff;
 	ipintrq.ifq_maxlen = ipqmaxlen;
 	TAILQ_INIT(&in_ifaddr);
-	in_ifaddrhashtbl = 
-	    hashinit(IN_IFADDR_HASH_SIZE, M_IFADDR, M_WAITOK, &in_ifaddrhash);
+	in_ifaddrhashtbl = hashinit(IN_IFADDR_HASH_SIZE, HASH_LIST, M_IFADDR,
+	    M_WAITOK, &in_ifaddrhash);
 	if (ip_mtudisc != 0)
 		ip_mtudisc_timeout_q = 
 		    rt_timer_queue_create(ip_mtudisc_timeout);
 #ifdef GATEWAY
 	ipflow_init();
 #endif
+
+#ifdef PFIL_HOOKS
+	/* Register our Packet Filter hook. */
+	inet_pfil_hook.ph_type = PFIL_TYPE_AF;
+	inet_pfil_hook.ph_af   = AF_INET;
+	i = pfil_head_register(&inet_pfil_hook);
+	if (i != 0)
+		printf("ip_init: WARNING: unable to register pfil hook, "
+		    "error %d\n", i);
+#endif /* PFIL_HOOKS */
 }
 
 struct	sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET };
@@ -354,11 +366,6 @@ ip_input(struct mbuf *m)
 	struct ipqent *ipqe;
 	int hlen = 0, mff, len;
 	int downmatch;
-#ifdef PFIL_HOOKS
-	struct packet_filter_hook *pfh;
-	struct mbuf *m0;
-	int rv;
-#endif /* PFIL_HOOKS */
 
 #ifdef	DIAGNOSTIC
 	if ((m->m_flags & M_PKTHDR) == 0)
@@ -409,21 +416,26 @@ ip_input(struct mbuf *m)
 	 * not allowed.
 	 */
 	if (IN_MULTICAST(ip->ip_src.s_addr)) {
-		/* XXX stat */
+		ipstat.ips_badaddr++;
 		goto bad;
 	}
 
+	/* 127/8 must not appear on wire - RFC1122 */
+	if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
+	    (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
+		if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
+			ipstat.ips_badaddr++;
+			goto bad;
+		}
+	}
+
 	if (in_cksum(m, hlen) != 0) {
 		ipstat.ips_badsum++;
 		goto bad;
 	}
 
-	/*
-	 * Convert fields to host representation.
-	 */
-	NTOHS(ip->ip_len);
-	NTOHS(ip->ip_off);
-	len = ip->ip_len;
+	/* Retrieve the packet length. */
+	len = ntohs(ip->ip_len);
 
 	/*
 	 * Check for additional length bogosity
@@ -463,14 +475,6 @@ ip_input(struct mbuf *m)
 #endif
 
 #ifdef PFIL_HOOKS
-#ifdef IPSEC
-	/*
-	 * let ipfilter look at packet on the wire,
-	 * not the decapsulated packet.
-	 */
-	if (ipsec_gethist(m, NULL))
-		goto nofilt;
-#endif
 	/*
 	 * Run through list of hooks for input packets.  If there are any
 	 * filters which require that additional packets in the flow are
@@ -478,24 +482,39 @@ ip_input(struct mbuf *m)
 	 * Note that filters must _never_ set this flag, as another filter
 	 * in the list may have previously cleared it.
 	 */
-	m0 = m;
-	pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
-	for (; pfh; pfh = pfh->pfil_link.tqe_next)
-		if (pfh->pfil_func) {
-			rv = pfh->pfil_func(ip, hlen,
-					    m->m_pkthdr.rcvif, 0, &m0);
-			if (rv)
-				return;
-			m = m0;
-			if (m == NULL)
-				return;
-			ip = mtod(m, struct ip *);
-		}
+	/*
+	 * let ipfilter look at packet on the wire,
+	 * not the decapsulated packet.
+	 */
 #ifdef IPSEC
-nofilt:;
+	if (!ipsec_gethist(m, NULL))
+#else
+	if (1)
 #endif
+	{
+		if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif,
+				   PFIL_IN) != 0)
+		return;
+		if (m == NULL)
+			return;
+		ip = mtod(m, struct ip *);
+	}
 #endif /* PFIL_HOOKS */
 
+#ifdef ALTQ
+	/* XXX Temporary until ALTQ is changed to use a pfil hook */
+	if (altq_input != NULL && (*altq_input)(m, AF_INET) == 0) {
+		/* packet dropped by traffic conditioner */
+		return;
+	}
+#endif
+
+	/*
+	 * Convert fields to host representation.
+	 */
+	NTOHS(ip->ip_len);
+	NTOHS(ip->ip_off);
+
 	/*
 	 * Process options and, if not destined for us,
 	 * ship it on.  ip_dooptions returns 1 when an
@@ -719,7 +738,8 @@ found:
 	 * Switch out to protocol's input routine.
 	 */
 #if IFA_STATS
-	ia->ia_ifa.ifa_data.ifad_inbytes += ip->ip_len;
+	if (ia && ip)
+		ia->ia_ifa.ifa_data.ifad_inbytes += ip->ip_len;
 #endif
 	ipstat.ips_delivered++;
     {
@@ -1772,12 +1792,6 @@ ip_sysctl(name, namelen, oldp, oldlenp, 
 				  &ip_gif_ttl));
 #endif
 
-#if NGRE > 0
-	case IPCTL_GRE_TTL:
-		return(sysctl_int(oldp, oldlenp, newp, newlen,
-				  &ip_gre_ttl));
-#endif
-
 #ifndef IPNOPRIVPORTS
 	case IPCTL_LOWPORTMIN:
 		old = lowportmin;