Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

===================================================================
RCS file: /ftp/cvs/cvsroot/src/sys/netinet/ip_input.c,v
rcsdiff: /ftp/cvs/cvsroot/src/sys/netinet/ip_input.c,v: warning: Unknown phrases like `commitid ...;' are present.
retrieving revision 1.53.2.2
retrieving revision 1.67
diff -u -p -r1.53.2.2 -r1.67
--- src/sys/netinet/ip_input.c	1998/07/22 23:50:10	1.53.2.2
+++ src/sys/netinet/ip_input.c	1998/06/01 00:39:37	1.67
@@ -1,4 +1,41 @@
-/*	$NetBSD: ip_input.c,v 1.53.2.2 1998/07/22 23:50:10 mellon Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.67 1998/06/01 00:39:37 thorpej Exp $	*/
+
+/*-
+ * Copyright (c) 1998 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Public Access Networks Corporation ("Panix").  It was developed under
+ * contract to Panix by Eric Haszlakiewicz and Thor Lancelot Simon.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the NetBSD
+ *	Foundation, Inc. and its contributors.
+ * 4. Neither the name of The NetBSD Foundation nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 
 /*
  * Copyright (c) 1982, 1986, 1988, 1993
@@ -35,6 +72,9 @@
  *	@(#)ip_input.c	8.2 (Berkeley) 1/4/94
  */
 
+#include "opt_gateway.h"
+#include "opt_mrouting.h"
+
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/malloc.h>
@@ -64,9 +104,6 @@
 #include <netinet/ip_var.h>
 #include <netinet/ip_icmp.h>
 
-/* XXX should really put this in libkern.h */
-#define	offsetof(type, member)	((size_t)(&((type *)0)->member))
-
 #ifndef	IPFORWARDING
 #ifdef GATEWAY
 #define	IPFORWARDING	1	/* forward IP packets not for us */
@@ -90,7 +127,6 @@
 #define IPMTUDISCTIMEOUT (10 * 60)	/* as per RFC 1191 */
 #endif
 
-
 /*
  * Note: DIRECTED_BROADCAST is handled this way so that previous
  * configuration using this option will Just Work.
@@ -121,7 +157,12 @@ extern	struct protosw inetsw[];
 u_char	ip_protox[IPPROTO_MAX];
 int	ipqmaxlen = IFQ_MAXLEN;
 struct	in_ifaddrhead in_ifaddr;
+struct	in_ifaddrhashhead *in_ifaddrhashtbl;
 struct	ifqueue ipintrq;
+struct	ipstat	ipstat;
+u_int16_t	ip_id;
+int	ip_defttl;
+struct ipqhead ipq;
 
 /*
  * We need to save the IP options in case a protocol wants to respond
@@ -164,7 +205,8 @@ ip_init()
 	ip_id = time.tv_sec & 0xffff;
 	ipintrq.ifq_maxlen = ipqmaxlen;
 	TAILQ_INIT(&in_ifaddr);
-
+	in_ifaddrhashtbl = 
+	    hashinit(IN_IFADDR_HASH_SIZE, M_IFADDR, M_WAITOK, &in_ifaddrhash);
 	if (ip_mtudisc != 0)
 		ip_mtudisc_timeout_q = 
 		    rt_timer_queue_create(ip_mtudisc_timeout);
@@ -184,6 +226,7 @@ ipintr()
 	register struct mbuf *m;
 	register struct ipq *fp;
 	register struct in_ifaddr *ia;
+	register struct ifaddr *ifa;
 	struct ipqent *ipqe;
 	int hlen = 0, mff, len, s;
 #ifdef PFIL_HOOKS
@@ -266,9 +309,19 @@ next:
 			m_adj(m, len - m->m_pkthdr.len);
 	}
 
+	/*
+	 * Assume that we can create a fast-forward IP flow entry
+	 * based on this packet.
+	 */
+	m->m_flags |= M_CANFASTFWD;
+
 #ifdef PFIL_HOOKS
 	/*
-	 * Run through list of hooks for input packets.
+	 * Run through list of hooks for input packets.  If there are any
+	 * filters which require that additional packets in the flow are
+	 * not fast-forwarded, they must clear the M_CANFASTFWD flag.
+	 * Note that filters must _never_ set this flag, as another filter
+	 * in the list may have previously cleared it.
 	 */
 	m0 = m;
 	for (pfh = pfil_hook_get(PFIL_IN); pfh; pfh = pfh->pfil_link.tqe_next)
@@ -276,10 +329,7 @@ next:
 			rv = pfh->pfil_func(ip, hlen, m->m_pkthdr.rcvif, 0, &m0);
 			if (rv)
 				goto next;
-			m = m0;
-			if (m == NULL)
-				goto next;
-			ip = mtod(m, struct ip *);
+			ip = mtod(m = m0, struct ip *);
 		}
 #endif /* PFIL_HOOKS */
 
@@ -296,12 +346,13 @@ next:
 	/*
 	 * Check our list of addresses, to see if the packet is for us.
 	 */
-	for (ia = in_ifaddr.tqh_first; ia; ia = ia->ia_list.tqe_next) {
-		if (in_hosteq(ip->ip_dst, ia->ia_addr.sin_addr))
-			goto ours;
-		if (((ip_directedbcast == 0) || (ip_directedbcast &&
-		    ia->ia_ifp == m->m_pkthdr.rcvif)) &&
-		    (ia->ia_ifp->if_flags & IFF_BROADCAST)) {
+	INADDR_TO_IA(ip->ip_dst, ia);
+	if (ia != NULL) goto ours;
+	if (m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) {
+		for (ifa = m->m_pkthdr.rcvif->if_addrlist.tqh_first;
+		    ifa != NULL; ifa = ifa->ifa_list.tqe_next) {
+			if (ifa->ifa_addr->sa_family != AF_INET) continue;
+			ia = ifatoia(ifa);
 			if (in_hosteq(ip->ip_dst, ia->ia_broadaddr.sin_addr) ||
 			    in_hosteq(ip->ip_dst, ia->ia_netbroadcast) ||
 			    /*
@@ -311,14 +362,13 @@ next:
 			    ip->ip_dst.s_addr == ia->ia_subnet ||
 			    ip->ip_dst.s_addr == ia->ia_net)
 				goto ours;
+			/*
+			 * An interface with IP address zero accepts
+			 * all packets that arrive on that interface.
+			 */
+			if (in_nullhost(ia->ia_addr.sin_addr))
+				goto ours;
 		}
-		/*
-		 * An interface with IP address zero accepts
-		 * all packets that arrive on that interface.
-		 */
-		if ((ia->ia_ifp == m->m_pkthdr.rcvif) &&
-		    in_nullhost(ia->ia_addr.sin_addr))
-			goto ours;
 	}
 	if (IN_MULTICAST(ip->ip_dst.s_addr)) {
 		struct in_multi *inm;
@@ -669,6 +719,9 @@ ip_slowtimo()
 			ip_freef(fp);
 		}
 	}
+#ifdef GATEWAY
+	ipflow_slowtimo();
+#endif
 	splx(s);
 }
 
@@ -838,7 +891,7 @@ ip_dooptions(m)
 				break;
 
 			case IPOPT_TS_TSANDADDR:
-				if (ipt->ipt_ptr + sizeof(n_time) +
+				if (ipt->ipt_ptr - 1 + sizeof(n_time) +
 				    sizeof(struct in_addr) > ipt->ipt_len)
 					goto bad;
 				ipaddr.sin_addr = dst;
@@ -852,7 +905,7 @@ ip_dooptions(m)
 				break;
 
 			case IPOPT_TS_PRESPEC:
-				if (ipt->ipt_ptr + sizeof(n_time) +
+				if (ipt->ipt_ptr - 1 + sizeof(n_time) +
 				    sizeof(struct in_addr) > ipt->ipt_len)
 					goto bad;
 				bcopy((caddr_t)sin, (caddr_t)&ipaddr.sin_addr,
@@ -1152,8 +1205,13 @@ ip_forward(m, srcrt)
 		if (type)
 			ipstat.ips_redirectsent++;
 		else {
-			if (mcopy)
+			if (mcopy) {
+#ifdef GATEWAY
+				if (mcopy->m_flags & M_CANFASTFWD)
+					ipflow_create(&ipforward_rt, mcopy);
+#endif
 				m_freem(mcopy);
+			}
 			return;
 		}
 	}
@@ -1262,7 +1320,8 @@ ip_sysctl(name, namelen, oldp, oldlenp, 
 	size_t newlen;
 {
 	extern int subnetsarelocal;
-	int error;
+
+	int error, old;
 
 	/* All sysctl names at this level are terminal. */
 	if (namelen != 1)
@@ -1308,13 +1367,50 @@ ip_sysctl(name, namelen, oldp, oldlenp, 
 			ip_mtudisc_timeout_q = NULL;
 		}
 		return error;
+	case IPCTL_ANONPORTMIN:
+		old = anonportmin;
+		error = sysctl_int(oldp, oldlenp, newp, newlen, &anonportmin);
+		if (anonportmin >= anonportmax || anonportmin > 65535
+#ifndef IPNOPRIVPORTS
+		    || anonportmin < IPPORT_RESERVED
+#endif
+		    ) {
+			anonportmin = old;
+			return (EINVAL);
+		}
+		return (error);
+	case IPCTL_ANONPORTMAX:
+		old = anonportmax;
+		error = sysctl_int(oldp, oldlenp, newp, newlen, &anonportmax);
+		if (anonportmin >= anonportmax || anonportmax > 65535
+#ifndef IPNOPRIVPORTS
+		    || anonportmax < IPPORT_RESERVED
+#endif
+		    ) {
+			anonportmax = old;
+			return (EINVAL);
+		}
+		return (error);
 	case IPCTL_MTUDISCTIMEOUT:
 		error = sysctl_int(oldp, oldlenp, newp, newlen,
 		   &ip_mtudisc_timeout);
 		if (ip_mtudisc_timeout_q != NULL)
 			rt_timer_queue_change(ip_mtudisc_timeout_q, 
 					      ip_mtudisc_timeout);
-  		return (error);
+		return (error);
+#ifdef GATEWAY
+	case IPCTL_MAXFLOWS:
+	    {
+		int s;
+
+		error = sysctl_int(oldp, oldlenp, newp, newlen,
+		   &ip_maxflows);
+		s = splsoftnet();
+		ipflow_reap(0);
+		splx(s);
+		return (error);
+	    }
+#endif
 	default:
 		return (EOPNOTSUPP);
 	}