Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. =================================================================== RCS file: /ftp/cvs/cvsroot/src/sys/netinet/ip_input.c,v rcsdiff: /ftp/cvs/cvsroot/src/sys/netinet/ip_input.c,v: warning: Unknown phrases like `commitid ...;' are present. retrieving revision 1.292 retrieving revision 1.316 diff -u -p -r1.292 -r1.316 --- src/sys/netinet/ip_input.c 2010/12/11 22:37:46 1.292 +++ src/sys/netinet/ip_input.c 2014/05/29 23:02:48 1.316 @@ -1,4 +1,4 @@ -/* $NetBSD: ip_input.c,v 1.292 2010/12/11 22:37:46 matt Exp $ */ +/* $NetBSD: ip_input.c,v 1.316 2014/05/29 23:02:48 rmind Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -91,12 +91,11 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.292 2010/12/11 22:37:46 matt Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.316 2014/05/29 23:02:48 rmind Exp $"); #include "opt_inet.h" #include "opt_compat_netbsd.h" #include "opt_gateway.h" -#include "opt_pfil_hooks.h" #include "opt_ipsec.h" #include "opt_mrouting.h" #include "opt_mbuftrace.h" @@ -139,16 +138,11 @@ __KERNEL_RCSID(0, "$NetBSD: ip_input.c,v #ifdef MROUTING #include #endif +#include #ifdef IPSEC -#include -#include -#include -#endif -#ifdef FAST_IPSEC #include -#include -#endif /* FAST_IPSEC*/ +#endif #ifndef IPFORWARDING #ifdef GATEWAY @@ -218,17 +212,8 @@ int ip_do_randomid = 0; */ int ip_checkinterface = 0; - struct rttimer_queue *ip_mtudisc_timeout_q = NULL; -int ipqmaxlen = IFQ_MAXLEN; -u_long in_ifaddrhash; /* size of hash table - 1 */ -int in_ifaddrentries; /* total number of addrs */ -struct in_ifaddrhead in_ifaddrhead; -struct in_ifaddrhashhead *in_ifaddrhashtbl; -u_long in_multihash; /* size of hash table - 1 */ -int in_multientries; /* total number of addrs */ -struct in_multihashhead *in_multihashtbl; struct ifqueue ipintrq; ipid_state_t * ip_ids; @@ -236,11 +221,7 @@ uint16_t ip_id; percpu_t *ipstat_percpu; -#ifdef PFIL_HOOKS -struct pfil_head inet_pfil_hook; -#endif - -struct pool inmulti_pool; +pfil_head_t *inet_pfil_hook; #ifdef INET_CSUM_COUNTERS #include @@ -271,7 +252,9 @@ EVCNT_ATTACH_STATIC(ip_swcsum); * maintenance when the remote end is on a network that is not known * to us. */ -int ip_nhops = 0; + +static int ip_nhops = 0; + static struct ip_srcrt { struct in_addr dst; /* final destination */ char nop; /* one NOP to align */ @@ -279,6 +262,8 @@ static struct ip_srcrt { struct in_addr route[MAX_IPOPTLEN/sizeof(struct in_addr)]; } ip_srcrt; +static int ip_drainwanted; + static void save_rte(u_char *, struct in_addr); #ifdef MBUFTRACE @@ -286,7 +271,11 @@ struct mowner ip_rx_mowner = MOWNER_INIT struct mowner ip_tx_mowner = MOWNER_INIT("internet", "tx"); #endif -static void sysctl_net_inet_ip_setup(struct sysctllog **); +static void ip_input(struct mbuf *); +static void ip_forward(struct mbuf *, int); +static bool ip_dooptions(struct mbuf *); +static struct in_ifaddr *ip_rtaddr(struct in_addr); +static void sysctl_net_inet_ip_setup(struct sysctllog **); /* * IP initialization: fill in IP protocol switch table. @@ -296,18 +285,16 @@ void ip_init(void) { const struct protosw *pr; - int i; + in_init(); sysctl_net_inet_ip_setup(NULL); - pool_init(&inmulti_pool, sizeof(struct in_multi), 0, 0, 0, "inmltpl", - NULL, IPL_SOFTNET); - pr = pffindproto(PF_INET, IPPROTO_RAW, SOCK_RAW); - if (pr == 0) - panic("ip_init"); - for (i = 0; i < IPPROTO_MAX; i++) + KASSERT(pr != NULL); + + for (u_int i = 0; i < IPPROTO_MAX; i++) { ip_protox[i] = pr - inetsw; + } for (pr = inetdomain.dom_protosw; pr < inetdomain.dom_protoswNPROTOSW; pr++) if (pr->pr_domain->dom_family == PF_INET && @@ -319,27 +306,16 @@ ip_init(void) ip_ids = ip_id_init(); ip_id = time_second & 0xfffff; - ipintrq.ifq_maxlen = ipqmaxlen; + ipintrq.ifq_maxlen = IFQ_MAXLEN; - TAILQ_INIT(&in_ifaddrhead); - in_ifaddrhashtbl = hashinit(IN_IFADDR_HASH_SIZE, HASH_LIST, true, - &in_ifaddrhash); - in_multihashtbl = hashinit(IN_IFADDR_HASH_SIZE, HASH_LIST, true, - &in_multihash); ip_mtudisc_timeout_q = rt_timer_queue_create(ip_mtudisc_timeout); #ifdef GATEWAY - ipflow_init(ip_hashsize); + ipflow_init(); #endif -#ifdef PFIL_HOOKS /* Register our Packet Filter hook. */ - inet_pfil_hook.ph_type = PFIL_TYPE_AF; - inet_pfil_hook.ph_af = AF_INET; - i = pfil_head_register(&inet_pfil_hook); - if (i != 0) - printf("ip_init: WARNING: unable to register pfil hook, " - "error %d\n", i); -#endif /* PFIL_HOOKS */ + inet_pfil_hook = pfil_head_create(PFIL_TYPE_AF, (void *)AF_INET); + KASSERT(inet_pfil_hook != NULL); #ifdef MBUFTRACE MOWNER_ATTACH(&ip_tx_mowner); @@ -353,7 +329,8 @@ struct sockaddr_in ipaddr = { .sin_len = sizeof(ipaddr), .sin_family = AF_INET, }; -struct route ipforward_rt; + +static struct route ipforward_rt; /* * IP software interrupt routine @@ -366,7 +343,6 @@ ipintr(void) struct ifqueue lcl_intrq; memset(&lcl_intrq, 0, sizeof(lcl_intrq)); - ipintrq.ifq_maxlen = ipqmaxlen; mutex_enter(softnet_lock); KERNEL_LOCK(1, NULL); @@ -390,9 +366,7 @@ ipintr(void) IF_DEQUEUE(&lcl_intrq, m); if (m == NULL) break; - KERNEL_UNLOCK_ONE(NULL); ip_input(m); - KERNEL_LOCK(1, NULL); } mutex_exit(softnet_lock); } @@ -401,7 +375,7 @@ ipintr(void) * Ip input routine. Checksum and byte swap header. If fragmented * try to reassemble. Process options. Pass to next level. */ -void +static void ip_input(struct mbuf *m) { struct ip *ip = NULL; @@ -411,15 +385,11 @@ ip_input(struct mbuf *m) int downmatch; int checkif; int srcrt = 0; -#ifdef FAST_IPSEC - struct m_tag *mtag; - struct tdb_ident *tdbi; - struct secpolicy *sp; - int error, s; -#endif /* FAST_IPSEC */ + ifnet_t *ifp; MCLAIM(m, &ip_rx_mowner); KASSERT((m->m_flags & M_PKTHDR) != 0); + ifp = m->m_pkthdr.rcvif; /* * If no IP addresses have been set yet but the interfaces @@ -458,7 +428,7 @@ ip_input(struct mbuf *m) goto bad; } if (hlen > m->m_len) { - if ((m = m_pullup(m, hlen)) == 0) { + if ((m = m_pullup(m, hlen)) == NULL) { IP_STATINC(IP_STAT_BADHLEN); return; } @@ -477,14 +447,14 @@ ip_input(struct mbuf *m) /* 127/8 must not appear on wire - RFC1122 */ if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET || (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) { - if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) { + if ((ifp->if_flags & IFF_LOOPBACK) == 0) { IP_STATINC(IP_STAT_BADADDR); goto bad; } } switch (m->m_pkthdr.csum_flags & - ((m->m_pkthdr.rcvif->if_csum_flags_rx & M_CSUM_IPv4) | + ((ifp->if_csum_flags_rx & M_CSUM_IPv4) | M_CSUM_IPv4_BAD)) { case M_CSUM_IPv4|M_CSUM_IPv4_BAD: INET_CSUM_COUNTER_INCR(&ip_hwcsum_bad); @@ -500,8 +470,8 @@ ip_input(struct mbuf *m) * Must compute it ourselves. Maybe skip checksum on * loopback interfaces. */ - if (__predict_true(!(m->m_pkthdr.rcvif->if_flags & - IFF_LOOPBACK) || ip_do_loopback_cksum)) { + if (__predict_true(!(ifp->if_flags & IFF_LOOPBACK) || + ip_do_loopback_cksum)) { INET_CSUM_COUNTER_INCR(&ip_swcsum); if (in_cksum(m, hlen) != 0) goto badcsum; @@ -538,18 +508,12 @@ ip_input(struct mbuf *m) m_adj(m, len - m->m_pkthdr.len); } -#if defined(IPSEC) - /* ipflow (IP fast forwarding) is not compatible with IPsec. */ - m->m_flags &= ~M_CANFASTFWD; -#else /* * Assume that we can create a fast-forward IP flow entry * based on this packet. */ m->m_flags |= M_CANFASTFWD; -#endif -#ifdef PFIL_HOOKS /* * Run through list of hooks for input packets. If there are any * filters which require that additional packets in the flow are @@ -557,23 +521,15 @@ ip_input(struct mbuf *m) * Note that filters must _never_ set this flag, as another filter * in the list may have previously cleared it. */ - /* - * let ipfilter look at packet on the wire, - * not the decapsulated packet. - */ -#ifdef IPSEC - if (!ipsec_getnhist(m)) -#elif defined(FAST_IPSEC) +#if defined(IPSEC) if (!ipsec_indone(m)) #else if (1) #endif { - struct in_addr odst; + struct in_addr odst = ip->ip_dst; - odst = ip->ip_dst; - if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif, - PFIL_IN) != 0) + if (pfil_run_hooks(inet_pfil_hook, &m, ifp, PFIL_IN) != 0) return; if (m == NULL) return; @@ -595,7 +551,6 @@ ip_input(struct mbuf *m) */ srcrt = (odst.s_addr != ip->ip_dst.s_addr); } -#endif /* PFIL_HOOKS */ #ifdef ALTQ /* XXX Temporary until ALTQ is changed to use a pfil hook */ @@ -632,8 +587,7 @@ ip_input(struct mbuf *m) * we get finer grain control. */ checkif = ip_checkinterface && (ipforwarding == 0) && - (m->m_pkthdr.rcvif != NULL) && - ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0); + (ifp->if_flags & IFF_LOOPBACK) == 0; /* * Check our list of addresses, to see if the packet is for us. @@ -645,7 +599,7 @@ ip_input(struct mbuf *m) downmatch = 0; LIST_FOREACH(ia, &IN_IFADDR_HASH(ip->ip_dst.s_addr), ia_hash) { if (in_hosteq(ia->ia_addr.sin_addr, ip->ip_dst)) { - if (checkif && ia->ia_ifp != m->m_pkthdr.rcvif) + if (checkif && ia->ia_ifp != ifp) continue; if ((ia->ia_ifp->if_flags & IFF_UP) != 0) break; @@ -655,8 +609,8 @@ ip_input(struct mbuf *m) } if (ia != NULL) goto ours; - if (m->m_pkthdr.rcvif && m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) { - IFADDR_FOREACH(ifa, m->m_pkthdr.rcvif) { + if (ifp->if_flags & IFF_BROADCAST) { + IFADDR_FOREACH(ifa, ifp) { if (ifa->ifa_addr->sa_family != AF_INET) continue; ia = ifatoia(ifa); @@ -678,7 +632,6 @@ ip_input(struct mbuf *m) } } if (IN_MULTICAST(ip->ip_dst.s_addr)) { - struct in_multi *inm; #ifdef MROUTING extern struct socket *ip_mrouter; @@ -695,7 +648,7 @@ ip_input(struct mbuf *m) * as expected when ip_mforward() is called from * ip_output().) */ - if (ip_mforward(m, m->m_pkthdr.rcvif) != 0) { + if (ip_mforward(m, ifp) != 0) { IP_STATINC(IP_STAT_CANTFORWARD); m_freem(m); return; @@ -715,8 +668,7 @@ ip_input(struct mbuf *m) * See if we belong to the destination multicast group on the * arrival interface. */ - IN_LOOKUP_MULTI(ip->ip_dst, m->m_pkthdr.rcvif, inm); - if (inm == NULL) { + if (!in_multi_group(ip->ip_dst, ifp, 0)) { IP_STATINC(IP_STAT_CANTFORWARD); m_freem(m); return; @@ -746,60 +698,12 @@ ip_input(struct mbuf *m) return; } #ifdef IPSEC - if (ipsec4_in_reject(m, NULL)) { - IPSEC_STATINC(IPSEC_STAT_IN_POLVIO); + /* Perform IPsec, if any. */ + if (ipsec4_input(m, IP_FORWARDING | (ip_directedbcast ? + IP_ALLOWBROADCAST : 0)) != 0) { goto bad; } #endif -#ifdef FAST_IPSEC - mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); - s = splsoftnet(); - if (mtag != NULL) { - tdbi = (struct tdb_ident *)(mtag + 1); - sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); - } else { - sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, - IP_FORWARDING, &error); - } - if (sp == NULL) { /* NB: can happen if error */ - splx(s); - /*XXX error stat???*/ - DPRINTF(("ip_input: no SP for forwarding\n")); /*XXX*/ - goto bad; - } - - /* - * Check security policy against packet attributes. - */ - error = ipsec_in_reject(sp, m); - KEY_FREESP(&sp); - splx(s); - if (error) { - IP_STATINC(IP_STAT_CANTFORWARD); - goto bad; - } - - /* - * Peek at the outbound SP for this packet to determine if - * it's a Fast Forward candidate. - */ - mtag = m_tag_find(m, PACKET_TAG_IPSEC_PENDING_TDB, NULL); - if (mtag != NULL) - m->m_flags &= ~M_CANFASTFWD; - else { - s = splsoftnet(); - sp = ipsec4_checkpolicy(m, IPSEC_DIR_OUTBOUND, - (IP_FORWARDING | - (ip_directedbcast ? IP_ALLOWBROADCAST : 0)), - &error, NULL); - if (sp != NULL) { - m->m_flags &= ~M_CANFASTFWD; - KEY_FREESP(&sp); - } - splx(s); - } -#endif /* FAST_IPSEC */ - ip_forward(m, srcrt); } return; @@ -828,56 +732,18 @@ ours: hlen = ip->ip_hl << 2; } -#if defined(IPSEC) - /* - * enforce IPsec policy checking if we are seeing last header. - * note that we do not visit this with protocols with pcb layer - * code - like udp/tcp/raw ip. - */ - if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0 && - ipsec4_in_reject(m, NULL)) { - IPSEC_STATINC(IPSEC_STAT_IN_POLVIO); - goto bad; - } -#endif -#ifdef FAST_IPSEC +#ifdef IPSEC /* - * enforce IPsec policy checking if we are seeing last header. - * note that we do not visit this with protocols with pcb layer - * code - like udp/tcp/raw ip. + * Enforce IPsec policy checking if we are seeing last header. + * Note that we do not visit this with protocols with PCB layer + * code - like UDP/TCP/raw IP. */ if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) { - /* - * Check if the packet has already had IPsec processing - * done. If so, then just pass it along. This tag gets - * set during AH, ESP, etc. input handling, before the - * packet is returned to the ip input queue for delivery. - */ - mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); - s = splsoftnet(); - if (mtag != NULL) { - tdbi = (struct tdb_ident *)(mtag + 1); - sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); - } else { - sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, - IP_FORWARDING, &error); - } - if (sp != NULL) { - /* - * Check security policy against packet attributes. - */ - error = ipsec_in_reject(sp, m); - KEY_FREESP(&sp); - } else { - /* XXX error stat??? */ - error = EINVAL; -DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/ - } - splx(s); - if (error) + if (ipsec4_input(m, 0) != 0) { goto bad; + } } -#endif /* FAST_IPSEC */ +#endif /* * Switch out to protocol's input routine. @@ -931,13 +797,13 @@ ip_drain(void) } /* - * Do option processing on a datagram, - * possibly discarding it if bad options are encountered, - * or forwarding it if source-routed. - * Returns 1 if packet has been forwarded/freed, - * 0 if the packet should be processed further. + * ip_dooptions: perform option processing on a datagram, possibly discarding + * it if bad options are encountered, or forwarding it if source-routed. + * + * => Returns true if packet has been forwarded/freed. + * => Returns false if the packet should be processed further. */ -int +static bool ip_dooptions(struct mbuf *m) { struct ip *ip = mtod(m, struct ip *); @@ -1153,20 +1019,20 @@ ip_dooptions(struct mbuf *m) goto bad; } ip_forward(m, 1); - return (1); + return true; } - return (0); + return false; bad: icmp_error(m, type, code, 0, 0); IP_STATINC(IP_STAT_BADOPTIONS); - return (1); + return true; } /* - * Given address of next destination (final or next hop), + * ip_rtaddr: given address of next destination (final or next hop), * return internet address info of interface to be used to get there. */ -struct in_ifaddr * +static struct in_ifaddr * ip_rtaddr(struct in_addr dst) { struct rtentry *rt; @@ -1184,19 +1050,15 @@ ip_rtaddr(struct in_addr dst) } /* - * Save incoming source route for use in replies, - * to be picked up later by ip_srcroute if the receiver is interested. + * save_rte: save incoming source route for use in replies, to be picked + * up later by ip_srcroute if the receiver is interested. */ -void +static void save_rte(u_char *option, struct in_addr dst) { unsigned olen; olen = option[IPOPT_OLEN]; -#ifdef DIAGNOSTIC - if (ipprintfs) - printf("save_rte: olen %d\n", olen); -#endif /* 0 */ if (olen > sizeof(ip_srcrt) - (1 + sizeof(dst))) return; memcpy((void *)ip_srcrt.srcopt, (void *)option, olen); @@ -1227,20 +1089,12 @@ ip_srcroute(void) /* length is (nhops+1)*sizeof(addr) + sizeof(nop + srcrt header) */ m->m_len = ip_nhops * sizeof(struct in_addr) + sizeof(struct in_addr) + OPTSIZ; -#ifdef DIAGNOSTIC - if (ipprintfs) - printf("ip_srcroute: nhops %d mlen %d", ip_nhops, m->m_len); -#endif /* * First save first hop for return route */ p = &ip_srcrt.route[ip_nhops - 1]; *(mtod(m, struct in_addr *)) = *p--; -#ifdef DIAGNOSTIC - if (ipprintfs) - printf(" hops %x", ntohl(mtod(m, struct in_addr *)->s_addr)); -#endif /* * Copy option fields and padding (nop) to mbuf. @@ -1257,20 +1111,12 @@ ip_srcroute(void) * reversing the path (pointers are now aligned). */ while (p >= ip_srcrt.route) { -#ifdef DIAGNOSTIC - if (ipprintfs) - printf(" %x", ntohl(q->s_addr)); -#endif *q++ = *p--; } /* * Last hop goes to final destination. */ *q = ip_srcrt.dst; -#ifdef DIAGNOSTIC - if (ipprintfs) - printf(" %x\n", ntohl(q->s_addr)); -#endif return (m); } @@ -1286,6 +1132,21 @@ const int inetctlerrmap[PRC_NCMDS] = { [PRC_PARAMPROB] = ENOPROTOOPT, }; +void +ip_fasttimo(void) +{ + if (ip_drainwanted) { + ip_drain(); + ip_drainwanted = 0; + } +} + +void +ip_drainstub(void) +{ + ip_drainwanted = 1; +} + /* * Forward a packet. If some error occurs return the sender * an icmp packet. Note we can't always generate a meaningful @@ -1300,7 +1161,7 @@ const int inetctlerrmap[PRC_NCMDS] = { * The srcrt parameter indicates whether the packet is being forwarded * via a source route. */ -void +static void ip_forward(struct mbuf *m, int srcrt) { struct ip *ip = mtod(m, struct ip *); @@ -1324,12 +1185,6 @@ ip_forward(struct mbuf *m, int srcrt) m->m_pkthdr.csum_flags = 0; dest = 0; -#ifdef DIAGNOSTIC - if (ipprintfs) { - printf("forward: src %s ", inet_ntoa(ip->ip_src)); - printf("dst %s ttl %x\n", inet_ntoa(ip->ip_dst), ip->ip_ttl); - } -#endif if (m->m_flags & (M_BCAST|M_MCAST) || in_canforward(ip->ip_dst) == 0) { IP_STATINC(IP_STAT_CANTFORWARD); m_freem(m); @@ -1382,17 +1237,12 @@ ip_forward(struct mbuf *m, int srcrt) */ type = ICMP_REDIRECT; code = ICMP_REDIRECT_HOST; -#ifdef DIAGNOSTIC - if (ipprintfs) - printf("redirect (%d) to %x\n", code, - (u_int32_t)dest); -#endif } } error = ip_output(m, NULL, &ipforward_rt, (IP_FORWARDING | (ip_directedbcast ? IP_ALLOWBROADCAST : 0)), - (struct ip_moptions *)NULL, (struct socket *)NULL); + NULL, NULL); if (error) IP_STATINC(IP_STAT_CANTFORWARD); @@ -1438,76 +1288,22 @@ ip_forward(struct mbuf *m, int srcrt) if ((rt = rtcache_validate(&ipforward_rt)) != NULL) destmtu = rt->rt_ifp->if_mtu; - -#if defined(IPSEC) || defined(FAST_IPSEC) - { - /* - * If the packet is routed over IPsec tunnel, tell the - * originator the tunnel MTU. - * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz - * XXX quickhack!!! - */ - - struct secpolicy *sp; - int ipsecerror; - size_t ipsechdr; - struct route *ro; - - sp = ipsec4_getpolicybyaddr(mcopy, - IPSEC_DIR_OUTBOUND, IP_FORWARDING, - &ipsecerror); - - if (sp != NULL) { - /* count IPsec header size */ - ipsechdr = ipsec4_hdrsiz(mcopy, - IPSEC_DIR_OUTBOUND, NULL); - - /* - * find the correct route for outer IPv4 - * header, compute tunnel MTU. - */ - - if (sp->req != NULL - && sp->req->sav != NULL - && sp->req->sav->sah != NULL) { - ro = &sp->req->sav->sah->sa_route; - rt = rtcache_validate(ro); - if (rt && rt->rt_ifp) { - destmtu = - rt->rt_rmx.rmx_mtu ? - rt->rt_rmx.rmx_mtu : - rt->rt_ifp->if_mtu; - destmtu -= ipsechdr; - } - } - -#ifdef IPSEC - key_freesp(sp); -#else - KEY_FREESP(&sp); +#ifdef IPSEC + (void)ipsec4_forward(mcopy, &destmtu); #endif - } - } -#endif /*defined(IPSEC) || defined(FAST_IPSEC)*/ IP_STATINC(IP_STAT_CANTFRAG); break; case ENOBUFS: -#if 1 /* - * a router should not generate ICMP_SOURCEQUENCH as - * required in RFC1812 Requirements for IP Version 4 Routers. - * source quench could be a big problem under DoS attacks, - * or if the underlying interface is rate-limited. + * Do not generate ICMP_SOURCEQUENCH as required in RFC 1812, + * Requirements for IP Version 4 Routers. Source quench can + * big problem under DoS attacks or if the underlying + * interface is rate-limited. */ if (mcopy) m_freem(mcopy); return; -#else - type = ICMP_SOURCEQUENCH; - code = 0; - break; -#endif } icmp_error(mcopy, type, code, dest, destmtu); } @@ -1516,17 +1312,20 @@ void ip_savecontrol(struct inpcb *inp, struct mbuf **mp, struct ip *ip, struct mbuf *m) { + struct socket *so = inp->inp_socket; + ifnet_t *ifp = m->m_pkthdr.rcvif; + int inpflags = inp->inp_flags; - if (inp->inp_socket->so_options & SO_TIMESTAMP + if (so->so_options & SO_TIMESTAMP #ifdef SO_OTIMESTAMP - || inp->inp_socket->so_options & SO_OTIMESTAMP + || so->so_options & SO_OTIMESTAMP #endif ) { struct timeval tv; microtime(&tv); #ifdef SO_OTIMESTAMP - if (inp->inp_socket->so_options & SO_OTIMESTAMP) { + if (so->so_options & SO_OTIMESTAMP) { struct timeval50 tv50; timeval_to_timeval50(&tv, &tv50); *mp = sbcreatecontrol((void *) &tv50, sizeof(tv50), @@ -1538,47 +1337,40 @@ ip_savecontrol(struct inpcb *inp, struct if (*mp) mp = &(*mp)->m_next; } - if (inp->inp_flags & INP_RECVDSTADDR) { + if (inpflags & INP_RECVDSTADDR) { *mp = sbcreatecontrol((void *) &ip->ip_dst, sizeof(struct in_addr), IP_RECVDSTADDR, IPPROTO_IP); if (*mp) mp = &(*mp)->m_next; } -#ifdef notyet - /* - * XXX - * Moving these out of udp_input() made them even more broken - * than they already were. - * - fenner@parc.xerox.com - */ - /* options were tossed already */ - if (inp->inp_flags & INP_RECVOPTS) { - *mp = sbcreatecontrol((void *) opts_deleted_above, - sizeof(struct in_addr), IP_RECVOPTS, IPPROTO_IP); + if (inpflags & INP_RECVPKTINFO) { + struct in_pktinfo ipi; + ipi.ipi_addr = ip->ip_src; + ipi.ipi_ifindex = ifp->if_index; + *mp = sbcreatecontrol((void *) &ipi, + sizeof(ipi), IP_RECVPKTINFO, IPPROTO_IP); if (*mp) mp = &(*mp)->m_next; } - /* ip_srcroute doesn't do what we want here, need to fix */ - if (inp->inp_flags & INP_RECVRETOPTS) { - *mp = sbcreatecontrol((void *) ip_srcroute(), - sizeof(struct in_addr), IP_RECVRETOPTS, IPPROTO_IP); + if (inpflags & INP_PKTINFO) { + struct in_pktinfo ipi; + ipi.ipi_addr = ip->ip_dst; + ipi.ipi_ifindex = ifp->if_index; + *mp = sbcreatecontrol((void *) &ipi, + sizeof(ipi), IP_PKTINFO, IPPROTO_IP); if (*mp) mp = &(*mp)->m_next; } -#endif - if (inp->inp_flags & INP_RECVIF) { + if (inpflags & INP_RECVIF) { struct sockaddr_dl sdl; - sockaddr_dl_init(&sdl, sizeof(sdl), - (m->m_pkthdr.rcvif != NULL) - ? m->m_pkthdr.rcvif->if_index - : 0, - 0, NULL, 0, NULL, 0); + sockaddr_dl_init(&sdl, sizeof(sdl), ifp ? + ifp->if_index : 0, 0, NULL, 0, NULL, 0); *mp = sbcreatecontrol(&sdl, sdl.sdl_len, IP_RECVIF, IPPROTO_IP); if (*mp) mp = &(*mp)->m_next; } - if (inp->inp_flags & INP_RECVTTL) { + if (inpflags & INP_RECVTTL) { *mp = sbcreatecontrol((void *) &ip->ip_ttl, sizeof(uint8_t), IP_RECVTTL, IPPROTO_IP); if (*mp) @@ -1641,66 +1433,6 @@ sysctl_net_inet_ip_pmtudto(SYSCTLFN_ARGS return (0); } -#ifdef GATEWAY -/* - * sysctl helper routine for net.inet.ip.maxflows. - */ -static int -sysctl_net_inet_ip_maxflows(SYSCTLFN_ARGS) -{ - int error; - - error = sysctl_lookup(SYSCTLFN_CALL(rnode)); - if (error || newp == NULL) - return (error); - - mutex_enter(softnet_lock); - KERNEL_LOCK(1, NULL); - - ipflow_prune(); - - KERNEL_UNLOCK_ONE(NULL); - mutex_exit(softnet_lock); - - return (0); -} - -static int -sysctl_net_inet_ip_hashsize(SYSCTLFN_ARGS) -{ - int error, tmp; - struct sysctlnode node; - - node = *rnode; - tmp = ip_hashsize; - node.sysctl_data = &tmp; - error = sysctl_lookup(SYSCTLFN_CALL(&node)); - if (error || newp == NULL) - return (error); - - if ((tmp & (tmp - 1)) == 0 && tmp != 0) { - /* - * Can only fail due to malloc() - */ - mutex_enter(softnet_lock); - KERNEL_LOCK(1, NULL); - - error = ipflow_invalidate_all(tmp); - - KERNEL_UNLOCK_ONE(NULL); - mutex_exit(softnet_lock); - - } else { - /* - * EINVAL if not a power of 2 - */ - error = EINVAL; - } - - return error; -} -#endif /* GATEWAY */ - static int sysctl_net_inet_ip_stats(SYSCTLFN_ARGS) { @@ -1711,13 +1443,6 @@ sysctl_net_inet_ip_stats(SYSCTLFN_ARGS) static void sysctl_net_inet_ip_setup(struct sysctllog **clog) { - extern int subnetsarelocal, hostzeroisbroadcast; - - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT, - CTLTYPE_NODE, "net", NULL, - NULL, 0, NULL, 0, - CTL_NET, CTL_EOL); sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT, CTLTYPE_NODE, "inet", @@ -1783,14 +1508,7 @@ sysctl_net_inet_ip_setup(struct sysctllo NULL, 0, &ip_allowsrcrt, 0, CTL_NET, PF_INET, IPPROTO_IP, IPCTL_ALLOWSRCRT, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "subnetsarelocal", - SYSCTL_DESCR("Whether logical subnets are considered " - "local"), - NULL, 0, &subnetsarelocal, 0, - CTL_NET, PF_INET, IPPROTO_IP, - IPCTL_SUBNETSARELOCAL, CTL_EOL); + sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "mtudisc", @@ -1816,32 +1534,9 @@ sysctl_net_inet_ip_setup(struct sysctllo CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "mtudisctimeout", SYSCTL_DESCR("Lifetime of a Path MTU Discovered route"), - sysctl_net_inet_ip_pmtudto, 0, &ip_mtudisc_timeout, 0, + sysctl_net_inet_ip_pmtudto, 0, (void *)&ip_mtudisc_timeout, 0, CTL_NET, PF_INET, IPPROTO_IP, IPCTL_MTUDISCTIMEOUT, CTL_EOL); -#ifdef GATEWAY - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "maxflows", - SYSCTL_DESCR("Number of flows for fast forwarding"), - sysctl_net_inet_ip_maxflows, 0, &ip_maxflows, 0, - CTL_NET, PF_INET, IPPROTO_IP, - IPCTL_MAXFLOWS, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "hashsize", - SYSCTL_DESCR("Size of hash table for fast forwarding (IPv4)"), - sysctl_net_inet_ip_hashsize, 0, &ip_hashsize, 0, - CTL_NET, PF_INET, IPPROTO_IP, - CTL_CREATE, CTL_EOL); -#endif /* GATEWAY */ - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "hostzerobroadcast", - SYSCTL_DESCR("All zeroes address is broadcast address"), - NULL, 0, &hostzeroisbroadcast, 0, - CTL_NET, PF_INET, IPPROTO_IP, - IPCTL_HOSTZEROBROADCAST, CTL_EOL); #if NGIF > 0 sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READWRITE, @@ -1907,6 +1602,33 @@ sysctl_net_inet_ip_setup(struct sysctllo sysctl_net_inet_ip_stats, 0, NULL, 0, CTL_NET, PF_INET, IPPROTO_IP, IPCTL_STATS, CTL_EOL); + + /* anonportalgo RFC6056 subtree */ + const struct sysctlnode *portalgo_node; + sysctl_createv(clog, 0, NULL, &portalgo_node, + CTLFLAG_PERMANENT, + CTLTYPE_NODE, "anonportalgo", + SYSCTL_DESCR("Anonymous Port Algorithm Selection (RFC 6056)"), + NULL, 0, NULL, 0, + CTL_NET, PF_INET, IPPROTO_IP, CTL_CREATE, CTL_EOL); + sysctl_createv(clog, 0, &portalgo_node, NULL, + CTLFLAG_PERMANENT, + CTLTYPE_STRING, "available", + SYSCTL_DESCR("available algorithms"), + sysctl_portalgo_available, 0, NULL, PORTALGO_MAXLEN, + CTL_CREATE, CTL_EOL); + sysctl_createv(clog, 0, &portalgo_node, NULL, + CTLFLAG_PERMANENT|CTLFLAG_READWRITE, + CTLTYPE_STRING, "selected", + SYSCTL_DESCR("selected algorithm"), + sysctl_portalgo_selected4, 0, NULL, PORTALGO_MAXLEN, + CTL_CREATE, CTL_EOL); + sysctl_createv(clog, 0, &portalgo_node, NULL, + CTLFLAG_PERMANENT|CTLFLAG_READWRITE, + CTLTYPE_STRUCT, "reserve", + SYSCTL_DESCR("bitmap of reserved ports"), + sysctl_portalgo_reserve4, 0, NULL, 0, + CTL_CREATE, CTL_EOL); } void