Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
===================================================================
RCS file: /ftp/cvs/cvsroot/src/sys/netinet/ip_input.c,v
retrieving revision 1.130.2.6
retrieving revision 1.130.2.7
diff -u -p -r1.130.2.6 -r1.130.2.7
--- src/sys/netinet/ip_input.c	2002/01/08 00:34:06	1.130.2.6
+++ src/sys/netinet/ip_input.c	2002/02/28 04:15:08	1.130.2.7
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.130.2.6 2002/01/08 00:34:06 nathanw Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.130.2.7 2002/02/28 04:15:08 nathanw Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -102,7 +102,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.130.2.6 2002/01/08 00:34:06 nathanw Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.130.2.7 2002/02/28 04:15:08 nathanw Exp $");
 
 #include "opt_gateway.h"
 #include "opt_pfil_hooks.h"
@@ -139,6 +139,8 @@ __KERNEL_RCSID(0, "$NetBSD: ip_input.c,v
 /* just for gif_ttl */
 #include 
 #include "gif.h"
+#include 
+#include "gre.h"
 
 #ifdef MROUTING
 #include 
@@ -685,6 +687,13 @@ ip_input(struct mbuf *m)
 				ipstat.ips_cantforward++;
 				return;
 			}
+#ifdef IPSEC
+			if (ipsec4_in_reject(m, NULL)) {
+				ipsecstat.in_polvio++;
+				goto bad;
+			}
+#endif
+
 			ip_forward(m, 0);
 		}
 		return;
@@ -1665,9 +1674,21 @@ ip_forward(m, srcrt)
 		break;
 
 	case ENOBUFS:
+#if 1
+		/*
+		 * a router should not generate ICMP_SOURCEQUENCH as
+		 * required in RFC1812 Requirements for IP Version 4 Routers.
+		 * source quench could be a big problem under DoS attacks,
+		 * or the underlying interface is rate-limited.
+		 */
+		if (mcopy)
+			m_freem(mcopy);
+		return;
+#else
 		type = ICMP_SOURCEQUENCH;
 		code = 0;
 		break;
+#endif
 	}
 	icmp_error(mcopy, type, code, dest, destifp);
 }
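Review bot: The new `#ifdef IPSEC` block in the ip_input hunk (the one at `@@ -685,6 +687,13 @@`) adds an inbound policy check on the forwarding path with no comment saying why it sits here rather than with the local-delivery check, and the `NULL` second argument to `ipsec4_in_reject` is unexplained. A one-line comment above the `if` would help the next reader, e.g. `/* forwarded packets must still pass the inbound SPD; no socket context, hence NULL */`. The `bad:` label this jumps to is outside the hunk, so I am assuming it frees `m` as the other drop paths in ip_input do; that assumption is worth confirming since `ipsec4_in_reject()` returning non-zero is now a new path into it. ip_input itself begins and ends outside this hunk.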
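Review bot: The `#if 1` / `#else` / `#endif` wrapping in the ip_forward hunk (`@@ -1665,9 +1674,21 @@`) keeps the old `ICMP_SOURCEQUENCH` assignment as dead code under a constant-false branch, which is the kind of disabled-code block a reader has to re-evaluate on every visit. Since the comment already records the RFC 1812 rationale, the `#else` branch can be deleted outright so the `case ENOBUFS:` body is just the comment, `if (mcopy) m_freem(mcopy);` and `return;`. The new early `return` also means this case no longer reaches `icmp_error()` below, which is intended, but silently dropping here leaves no counter bumped; if the file already has an ipstat field for output drops, incrementing it before the `return` would keep the drop visible to operators (I cannot see from the hunk which counters ip_forward uses elsewhere). The enclosing switch and ip_forward begin outside this hunk.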
@@ -1844,6 +1865,12 @@ ip_sysctl(name, namelen, oldp, oldlenp,
 				&ip_gif_ttl));
 #endif
 
+#if NGRE > 0
+	case IPCTL_GRE_TTL:
+		return(sysctl_int(oldp, oldlenp, newp, newlen,
+				&ip_gre_ttl));
+#endif
+
 #ifndef IPNOPRIVPORTS
 	case IPCTL_LOWPORTMIN:
 		old = lowportmin;
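Review bot: The new `IPCTL_GRE_TTL` case passes `&ip_gre_ttl` straight to `sysctl_int()` with no range check, so a privileged writer can store any `int` into a value that presumably ends up in an 8-bit IP TTL field (inferred from the name; the consumer is not in this hunk). The `IPCTL_LOWPORTMIN` case directly below already uses the save-old / validate / restore pattern (`old = lowportmin;` is visible in context), so the GRE case could follow it; this mirrors the existing gif case's lack of validation, but that is not a reason to repeat it. `old` is in scope per the context lines; I am assuming an `error` local exists as the low-port case uses one. The surrounding switch and ip_sysctl begin and end outside the hunk.

```c
#if NGRE > 0
	case IPCTL_GRE_TTL:
		old = ip_gre_ttl;
		error = sysctl_int(oldp, oldlenp, newp, newlen, &ip_gre_ttl);
		/* reject values that do not fit an IP TTL; restore on failure */
		if (error == 0 && (ip_gre_ttl < 1 || ip_gre_ttl > MAXTTL)) {
			ip_gre_ttl = old;
			error = EINVAL;
		}
		return (error);
#endif
```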