Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. =================================================================== RCS file: /ftp/cvs/cvsroot/src/sys/netinet/ip_input.c,v rcsdiff: /ftp/cvs/cvsroot/src/sys/netinet/ip_input.c,v: warning: Unknown phrases like `commitid ...;' are present. retrieving revision 1.208.2.1 retrieving revision 1.236.2.2 diff -u -p -r1.208.2.1 -r1.236.2.2 --- src/sys/netinet/ip_input.c 2005/04/29 11:29:33 1.208.2.1 +++ src/sys/netinet/ip_input.c 2008/03/30 15:27:49 1.236.2.2 @@ -1,4 +1,4 @@ -/* $NetBSD: ip_input.c,v 1.208.2.1 2005/04/29 11:29:33 kent Exp $ */ +/* $NetBSD: ip_input.c,v 1.236.2.2 2008/03/30 15:27:49 jdc Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -98,7 +98,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.208.2.1 2005/04/29 11:29:33 kent Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.236.2.2 2008/03/30 15:27:49 jdc Exp $"); #include "opt_inet.h" #include "opt_gateway.h" @@ -121,6 +121,7 @@ __KERNEL_RCSID(0, "$NetBSD: ip_input.c,v #include #include #include +#include #include #include @@ -279,10 +280,10 @@ static u_int ip_reass_ttl_decr(u_int tic static void ip_reass_drophalf(void); -static __inline int ipq_lock_try(void); -static __inline void ipq_unlock(void); +static inline int ipq_lock_try(void); +static inline void ipq_unlock(void); -static __inline int +static inline int ipq_lock_try(void) { int s; @@ -301,7 +302,7 @@ ipq_lock_try(void) return (1); } -static __inline void +static inline void ipq_unlock(void) { int s; @@ -376,8 +377,8 @@ static struct ip_srcrt { static void save_rte(u_char *, struct in_addr); #ifdef MBUFTRACE -struct mowner ip_rx_mowner = { "internet", "rx" }; -struct mowner ip_tx_mowner = { "internet", "tx" }; +struct mowner ip_rx_mowner = MOWNER_INIT("internet", "rx"); +struct mowner ip_tx_mowner = MOWNER_INIT("internet", "tx"); #endif /* @@ -414,7 +415,7 @@ ip_init(void) for (i = 0; i < IPREASS_NHASH; i++) LIST_INIT(&ipq[i]); - ip_id = time.tv_sec & 0xfffff; + ip_id = time_second & 0xfffff; ipintrq.ifq_maxlen = ipqmaxlen; ip_nmbclusters_changed(); @@ -445,7 +446,10 @@ ip_init(void) #endif /* MBUFTRACE */ } -struct sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET }; +struct sockaddr_in ipaddr = { + .sin_len = sizeof(ipaddr), + .sin_family = AF_INET, +}; struct route ipforward_rt; /* @@ -484,12 +488,13 @@ ip_input(struct mbuf *m) int downmatch; int checkif; int srcrt = 0; + int s; u_int hash; #ifdef FAST_IPSEC struct m_tag *mtag; struct tdb_ident *tdbi; struct secpolicy *sp; - int s, error; + int error; #endif /* FAST_IPSEC */ MCLAIM(m, &ip_rx_mowner); @@ -732,7 +737,7 @@ ip_input(struct mbuf *m) } if (ia != NULL) goto ours; - if (m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) { + if (m->m_pkthdr.rcvif && m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) { IFADDR_FOREACH(ifa, m->m_pkthdr.rcvif) { if (ifa->ifa_addr->sa_family != AF_INET) continue; @@ -938,7 +943,9 @@ found: */ if (mff || ip->ip_off != htons(0)) { ipstat.ips_fragments++; + s = splvm(); ipqe = pool_get(&ipqent_pool, PR_NOWAIT); + splx(s); if (ipqe == NULL) { ipstat.ips_rcvmemdrop++; IPQ_UNLOCK(); @@ -974,7 +981,7 @@ found: goto bad; } #endif -#if FAST_IPSEC +#ifdef FAST_IPSEC /* * enforce IPsec policy checking if we are seeing last header. * note that we do not visit this with protocols with pcb layer @@ -1006,7 +1013,6 @@ found: /* XXX error stat??? */ error = EINVAL; DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/ - goto bad; } splx(s); if (error) @@ -1051,7 +1057,7 @@ ip_reass(struct ipqent *ipqe, struct ipq struct ip *ip; struct mbuf *t; int hlen = ipqe->ipqe_ip->ip_hl << 2; - int i, next; + int i, next, s; IPQ_LOCK_CHECK(); @@ -1156,7 +1162,9 @@ ip_reass(struct ipqent *ipqe, struct ipq nq = TAILQ_NEXT(q, ipqe_q); m_freem(q->ipqe_m); TAILQ_REMOVE(&fp->ipq_fragq, q, ipqe_q); + s = splvm(); pool_put(&ipqent_pool, q); + splx(s); fp->ipq_nfrags--; ip_nfrags--; } @@ -1197,11 +1205,15 @@ insert: m->m_next = 0; m_cat(m, t); nq = TAILQ_NEXT(q, ipqe_q); + s = splvm(); pool_put(&ipqent_pool, q); + splx(s); for (q = nq; q != NULL; q = nq) { t = q->ipqe_m; nq = TAILQ_NEXT(q, ipqe_q); + s = splvm(); pool_put(&ipqent_pool, q); + splx(s); m_cat(m, t); } ip_nfrags -= fp->ipq_nfrags; @@ -1236,7 +1248,9 @@ dropfrag: ip_nfrags--; ipstat.ips_fragdropped++; m_freem(m); + s = splvm(); pool_put(&ipqent_pool, ipqe); + splx(s); return (0); } @@ -1249,6 +1263,7 @@ ip_freef(struct ipq *fp) { struct ipqent *q, *p; u_int nfrags = 0; + int s; IPQ_LOCK_CHECK(); @@ -1257,7 +1272,9 @@ ip_freef(struct ipq *fp) m_freem(q->ipqe_m); nfrags++; TAILQ_REMOVE(&fp->ipq_fragq, q, ipqe_q); + s = splvm(); pool_put(&ipqent_pool, q); + splx(s); } if (nfrags != fp->ipq_nfrags) @@ -1823,13 +1840,9 @@ ip_forward(struct mbuf *m, int srcrt) struct ip *ip = mtod(m, struct ip *); struct sockaddr_in *sin; struct rtentry *rt; - int error, type = 0, code = 0; + int error, type = 0, code = 0, destmtu = 0; struct mbuf *mcopy; n_long dest; - struct ifnet *destifp; -#if defined(IPSEC) || defined(FAST_IPSEC) - struct ifnet dummyifp; -#endif /* * We are now in the output path. @@ -1843,10 +1856,10 @@ ip_forward(struct mbuf *m, int srcrt) dest = 0; #ifdef DIAGNOSTIC - if (ipprintfs) - printf("forward: src %2.2x dst %2.2x ttl %x\n", - ntohl(ip->ip_src.s_addr), - ntohl(ip->ip_dst.s_addr), ip->ip_ttl); + if (ipprintfs) { + printf("forward: src %s ", inet_ntoa(ip->ip_src)); + printf("dst %s ttl %x\n", inet_ntoa(ip->ip_dst), ip->ip_ttl); + } #endif if (m->m_flags & (M_BCAST|M_MCAST) || in_canforward(ip->ip_dst) == 0) { ipstat.ips_cantforward++; @@ -1857,7 +1870,6 @@ ip_forward(struct mbuf *m, int srcrt) icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, dest, 0); return; } - ip->ip_ttl -= IPTTLDEC; sin = satosin(&ipforward_rt.ro_dst); if ((rt = ipforward_rt.ro_rt) == 0 || @@ -1872,7 +1884,7 @@ ip_forward(struct mbuf *m, int srcrt) rtalloc(&ipforward_rt); if (ipforward_rt.ro_rt == 0) { - icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, dest, 0); + icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_NET, dest, 0); return; } rt = ipforward_rt.ro_rt; @@ -1887,6 +1899,8 @@ ip_forward(struct mbuf *m, int srcrt) if (mcopy) mcopy = m_pullup(mcopy, ip->ip_hl << 2); + ip->ip_ttl -= IPTTLDEC; + /* * If forwarding packet using same interface that it came in on, * perhaps should send a redirect to sender to shortcut a hop. @@ -1943,7 +1957,6 @@ ip_forward(struct mbuf *m, int srcrt) } if (mcopy == NULL) return; - destifp = NULL; switch (error) { @@ -1963,17 +1976,17 @@ ip_forward(struct mbuf *m, int srcrt) case EMSGSIZE: type = ICMP_UNREACH; code = ICMP_UNREACH_NEEDFRAG; -#if !defined(IPSEC) && !defined(FAST_IPSEC) - if (ipforward_rt.ro_rt) - destifp = ipforward_rt.ro_rt->rt_ifp; -#else - /* - * If the packet is routed over IPsec tunnel, tell the - * originator the tunnel MTU. - * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz - * XXX quickhack!!! - */ + if (ipforward_rt.ro_rt) { + +#if defined(IPSEC) || defined(FAST_IPSEC) + /* + * If the packet is routed over IPsec tunnel, tell the + * originator the tunnel MTU. + * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz + * XXX quickhack!!! + */ + struct secpolicy *sp; int ipsecerror; size_t ipsechdr; @@ -1982,10 +1995,11 @@ ip_forward(struct mbuf *m, int srcrt) sp = ipsec4_getpolicybyaddr(mcopy, IPSEC_DIR_OUTBOUND, IP_FORWARDING, &ipsecerror); +#endif - if (sp == NULL) - destifp = ipforward_rt.ro_rt->rt_ifp; - else { + destmtu = ipforward_rt.ro_rt->rt_ifp->if_mtu; +#if defined(IPSEC) || defined(FAST_IPSEC) + if (sp != NULL) { /* count IPsec header size */ ipsechdr = ipsec4_hdrsiz(mcopy, IPSEC_DIR_OUTBOUND, NULL); @@ -1993,24 +2007,18 @@ ip_forward(struct mbuf *m, int srcrt) /* * find the correct route for outer IPv4 * header, compute tunnel MTU. - * - * XXX BUG ALERT - * The "dummyifp" code relies upon the fact - * that icmp_error() touches only ifp->if_mtu. */ - /*XXX*/ - destifp = NULL; + if (sp->req != NULL && sp->req->sav != NULL && sp->req->sav->sah != NULL) { ro = &sp->req->sav->sah->sa_route; if (ro->ro_rt && ro->ro_rt->rt_ifp) { - dummyifp.if_mtu = + destmtu = ro->ro_rt->rt_rmx.rmx_mtu ? ro->ro_rt->rt_rmx.rmx_mtu : ro->ro_rt->rt_ifp->if_mtu; - dummyifp.if_mtu -= ipsechdr; - destifp = &dummyifp; + destmtu -= ipsechdr; } } @@ -2020,8 +2028,8 @@ ip_forward(struct mbuf *m, int srcrt) KEY_FREESP(&sp); #endif } +#endif /*defined(IPSEC) || defined(FAST_IPSEC)*/ } -#endif /*IPSEC*/ ipstat.ips_cantfrag++; break; @@ -2042,7 +2050,7 @@ ip_forward(struct mbuf *m, int srcrt) break; #endif } - icmp_error(mcopy, type, code, dest, destifp); + icmp_error(mcopy, type, code, dest, destmtu); } void @@ -2103,6 +2111,31 @@ ip_savecontrol(struct inpcb *inp, struct } /* + * sysctl helper routine for net.inet.ip.forwsrcrt. + */ +static int +sysctl_net_inet_ip_forwsrcrt(SYSCTLFN_ARGS) +{ + int error, tmp; + struct sysctlnode node; + + node = *rnode; + tmp = ip_forwsrcrt; + node.sysctl_data = &tmp; + error = sysctl_lookup(SYSCTLFN_CALL(&node)); + if (error || newp == NULL) + return (error); + + if (kauth_authorize_network(l->l_cred, KAUTH_NETWORK_FORWSRCRT, + 0, NULL, NULL, NULL)) + return (EPERM); + + ip_forwsrcrt = tmp; + + return (0); +} + +/* * sysctl helper routine for net.inet.ip.mtudisctimeout. checks the * range of the new value and tweaks timers if it changes. */ @@ -2203,11 +2236,11 @@ SYSCTL_SETUP(sysctl_net_inet_ip_setup, " IPCTL_DEFMTU, CTL_EOL); #endif /* IPCTL_DEFMTU */ sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READONLY1, + CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "forwsrcrt", SYSCTL_DESCR("Enable forwarding of source-routed " "datagrams"), - NULL, 0, &ip_forwsrcrt, 0, + sysctl_net_inet_ip_forwsrcrt, 0, &ip_forwsrcrt, 0, CTL_NET, PF_INET, IPPROTO_IP, IPCTL_FORWSRCRT, CTL_EOL); sysctl_createv(clog, 0, NULL, NULL, @@ -2342,4 +2375,11 @@ SYSCTL_SETUP(sysctl_net_inet_ip_setup, " NULL, 0, &ip_do_loopback_cksum, 0, CTL_NET, PF_INET, IPPROTO_IP, IPCTL_LOOPBACKCKSUM, CTL_EOL); + sysctl_createv(clog, 0, NULL, NULL, + CTLFLAG_PERMANENT, + CTLTYPE_STRUCT, "stats", + SYSCTL_DESCR("IP statistics"), + NULL, 0, &ipstat, sizeof(ipstat), + CTL_NET, PF_INET, IPPROTO_IP, IPCTL_STATS, + CTL_EOL); }