Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. =================================================================== RCS file: /ftp/cvs/cvsroot/src/sys/netinet/ip_input.c,v rcsdiff: /ftp/cvs/cvsroot/src/sys/netinet/ip_input.c,v: warning: Unknown phrases like `commitid ...;' are present. retrieving revision 1.93.2.8 retrieving revision 1.96 diff -u -p -r1.93.2.8 -r1.96 --- src/sys/netinet/ip_input.c 2001/04/21 17:46:48 1.93.2.8 +++ src/sys/netinet/ip_input.c 2000/02/01 00:07:09 1.96 @@ -1,4 +1,4 @@ -/* $NetBSD: ip_input.c,v 1.93.2.8 2001/04/21 17:46:48 bouyer Exp $ */ +/* $NetBSD: ip_input.c,v 1.96 2000/02/01 00:07:09 thorpej Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -120,8 +120,7 @@ #include #include -#include - +#include #include #include @@ -140,13 +139,10 @@ #include #include "gif.h" -#ifdef MROUTING -#include -#endif - #ifdef IPSEC #include #include +#include #endif #ifndef IPFORWARDING @@ -198,21 +194,18 @@ int ipprintfs = 0; struct rttimer_queue *ip_mtudisc_timeout_q = NULL; extern struct domain inetdomain; +extern struct protosw inetsw[]; +u_char ip_protox[IPPROTO_MAX]; int ipqmaxlen = IFQ_MAXLEN; struct in_ifaddrhead in_ifaddr; struct in_ifaddrhashhead *in_ifaddrhashtbl; struct ifqueue ipintrq; struct ipstat ipstat; u_int16_t ip_id; - -#ifdef PFIL_HOOKS -struct pfil_head inet_pfil_hook; -#endif +int ip_defttl; struct ipqhead ipq; int ipq_locked; -int ip_nfragpackets = 0; -int ip_maxfragpackets = 200; static __inline int ipq_lock_try __P((void)); static __inline void ipq_unlock __P((void)); @@ -222,11 +215,7 @@ ipq_lock_try() { int s; - /* - * Use splvm() -- we're bloking things that would cause - * mbuf allocation. - */ - s = splvm(); + s = splimp(); if (ipq_locked) { splx(s); return (0); @@ -241,7 +230,7 @@ ipq_unlock() { int s; - s = splvm(); + s = splimp(); ipq_locked = 0; splx(s); } @@ -294,8 +283,8 @@ static void save_rte __P((u_char *, stru void ip_init() { - struct protosw *pr; - int i; + register struct protosw *pr; + register int i; pool_init(&ipqent_pool, sizeof(struct ipqent), 0, 0, 0, "ipqepl", 0, NULL, NULL, M_IPQ); @@ -314,24 +303,14 @@ ip_init() ip_id = time.tv_sec & 0xffff; ipintrq.ifq_maxlen = ipqmaxlen; TAILQ_INIT(&in_ifaddr); - in_ifaddrhashtbl = hashinit(IN_IFADDR_HASH_SIZE, HASH_LIST, M_IFADDR, - M_WAITOK, &in_ifaddrhash); + in_ifaddrhashtbl = + hashinit(IN_IFADDR_HASH_SIZE, M_IFADDR, M_WAITOK, &in_ifaddrhash); if (ip_mtudisc != 0) ip_mtudisc_timeout_q = rt_timer_queue_create(ip_mtudisc_timeout); #ifdef GATEWAY ipflow_init(); #endif - -#ifdef PFIL_HOOKS - /* Register our Packet Filter hook. */ - inet_pfil_hook.ph_type = PFIL_TYPE_AF; - inet_pfil_hook.ph_af = AF_INET; - i = pfil_head_register(&inet_pfil_hook); - if (i != 0) - printf("ip_init: WARNING: unable to register pfil hook, " - "error %d\n", i); -#endif /* PFIL_HOOKS */ } struct sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET }; @@ -347,7 +326,7 @@ ipintr() struct mbuf *m; while (1) { - s = splnet(); + s = splimp(); IF_DEQUEUE(&ipintrq, m); splx(s); if (m == 0) @@ -363,13 +342,17 @@ ipintr() void ip_input(struct mbuf *m) { - struct ip *ip = NULL; - struct ipq *fp; - struct in_ifaddr *ia; - struct ifaddr *ifa; + register struct ip *ip = NULL; + register struct ipq *fp; + register struct in_ifaddr *ia; + register struct ifaddr *ifa; struct ipqent *ipqe; int hlen = 0, mff, len; - int downmatch; +#ifdef PFIL_HOOKS + struct packet_filter_hook *pfh; + struct mbuf *m0; + int rv; +#endif /* PFIL_HOOKS */ #ifdef DIAGNOSTIC if ((m->m_flags & M_PKTHDR) == 0) @@ -414,32 +397,25 @@ ip_input(struct mbuf *m) } ip = mtod(m, struct ip *); } - /* - * RFC1122: packets with a multicast source address are - * not allowed. + * we drop packets that have a multicast address as source + * as wanted by rfc 1112 */ if (IN_MULTICAST(ip->ip_src.s_addr)) { - ipstat.ips_badaddr++; goto bad; } - /* 127/8 must not appear on wire - RFC1122 */ - if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET || - (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) { - if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) { - ipstat.ips_badaddr++; - goto bad; - } - } - if (in_cksum(m, hlen) != 0) { ipstat.ips_badsum++; goto bad; } - /* Retrieve the packet length. */ - len = ntohs(ip->ip_len); + /* + * Convert fields to host representation. + */ + NTOHS(ip->ip_len); + NTOHS(ip->ip_off); + len = ip->ip_len; /* * Check for additional length bogosity @@ -486,39 +462,19 @@ ip_input(struct mbuf *m) * Note that filters must _never_ set this flag, as another filter * in the list may have previously cleared it. */ - /* - * let ipfilter look at packet on the wire, - * not the decapsulated packet. - */ -#ifdef IPSEC - if (!ipsec_gethist(m, NULL)) -#else - if (1) -#endif - { - if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif, - PFIL_IN) != 0) - return; - if (m == NULL) - return; - ip = mtod(m, struct ip *); - } + m0 = m; + for (pfh = pfil_hook_get(PFIL_IN); pfh; pfh = pfh->pfil_link.tqe_next) + if (pfh->pfil_func) { + rv = pfh->pfil_func(ip, hlen, m->m_pkthdr.rcvif, 0, &m0); + if (rv) + return; + m = m0; + if (m == NULL) + return; + ip = mtod(m, struct ip *); + } #endif /* PFIL_HOOKS */ -#ifdef ALTQ - /* XXX Temporary until ALTQ is changed to use a pfil hook */ - if (altq_input != NULL && (*altq_input)(m, AF_INET) == 0) { - /* packet dropped by traffic conditioner */ - return; - } -#endif - - /* - * Convert fields to host representation. - */ - NTOHS(ip->ip_len); - NTOHS(ip->ip_off); - /* * Process options and, if not destined for us, * ship it on. ip_dooptions returns 1 when an @@ -531,22 +487,8 @@ ip_input(struct mbuf *m) /* * Check our list of addresses, to see if the packet is for us. - * - * Traditional 4.4BSD did not consult IFF_UP at all. - * The behavior here is to treat addresses on !IFF_UP interface - * as not mine. - */ - downmatch = 0; - for (ia = IN_IFADDR_HASH(ip->ip_dst.s_addr).lh_first; - ia != NULL; - ia = ia->ia_hash.le_next) { - if (in_hosteq(ia->ia_addr.sin_addr, ip->ip_dst)) { - if ((ia->ia_ifp->if_flags & IFF_UP) != 0) - break; - else - downmatch++; - } - } + */ + INADDR_TO_IA(ip->ip_dst, ia); if (ia != NULL) goto ours; if (m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) { @@ -635,20 +577,8 @@ ip_input(struct mbuf *m) if (ipforwarding == 0) { ipstat.ips_cantforward++; m_freem(m); - } else { - /* - * If ip_dst matched any of my address on !IFF_UP interface, - * and there's no IFF_UP interface that matches ip_dst, - * send icmp unreach. Forwarding it will result in in-kernel - * forwarding loop till TTL goes to 0. - */ - if (downmatch) { - icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0); - ipstat.ips_cantforward++; - return; - } + } else ip_forward(m, 0); - } return; ours: @@ -725,25 +655,11 @@ found: IPQ_UNLOCK(); } -#ifdef IPSEC - /* - * enforce IPsec policy checking if we are seeing last header. - * note that we do not visit this with protocols with pcb layer - * code - like udp/tcp/raw ip. - */ - if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0 && - ipsec4_in_reject(m, NULL)) { - ipsecstat.in_polvio++; - goto bad; - } -#endif - /* * Switch out to protocol's input routine. */ #if IFA_STATS - if (ia && ip) - ia->ia_ifa.ifa_data.ifad_inbytes += ip->ip_len; + ia->ia_ifa.ifa_data.ifad_inbytes += ip->ip_len; #endif ipstat.ips_delivered++; { @@ -764,11 +680,11 @@ bad: */ struct mbuf * ip_reass(ipqe, fp) - struct ipqent *ipqe; - struct ipq *fp; + register struct ipqent *ipqe; + register struct ipq *fp; { - struct mbuf *m = ipqe->ipqe_m; - struct ipqent *nq, *p, *q; + register struct mbuf *m = ipqe->ipqe_m; + register struct ipqent *nq, *p, *q; struct ip *ip; struct mbuf *t; int hlen = ipqe->ipqe_ip->ip_hl << 2; @@ -787,17 +703,6 @@ ip_reass(ipqe, fp) * If first fragment to arrive, create a reassembly queue. */ if (fp == 0) { - /* - * Enforce upper bound on number of fragmented packets - * for which we attempt reassembly; - * If maxfrag is 0, never accept fragments. - * If maxfrag is -1, accept all fragments without limitation. - */ - if (ip_maxfragpackets < 0) - ; - else if (ip_nfragpackets >= ip_maxfragpackets) - goto dropfrag; - ip_nfragpackets++; MALLOC(fp, struct ipq *, sizeof (struct ipq), M_FTABLE, M_NOWAIT); if (fp == NULL) @@ -909,16 +814,17 @@ insert: * Make header visible. */ ip->ip_len = next; + ip->ip_ttl = 0; /* xxx */ + ip->ip_sum = 0; ip->ip_src = fp->ipq_src; ip->ip_dst = fp->ipq_dst; LIST_REMOVE(fp, ipq_q); FREE(fp, M_FTABLE); - ip_nfragpackets--; m->m_len += (ip->ip_hl << 2); m->m_data -= (ip->ip_hl << 2); /* some debugging cruft by sklower, below, will go away soon */ if (m->m_flags & M_PKTHDR) { /* XXX this should be done elsewhere */ - int plen = 0; + register int plen = 0; for (t = m; t; t = t->m_next) plen += t->m_len; m->m_pkthdr.len = plen; @@ -940,7 +846,7 @@ void ip_freef(fp) struct ipq *fp; { - struct ipqent *q, *p; + register struct ipqent *q, *p; IPQ_LOCK_CHECK(); @@ -952,7 +858,6 @@ ip_freef(fp) } LIST_REMOVE(fp, ipq_q); FREE(fp, M_FTABLE); - ip_nfragpackets--; } /* @@ -963,7 +868,7 @@ ip_freef(fp) void ip_slowtimo() { - struct ipq *fp, *nfp; + register struct ipq *fp, *nfp; int s = splsoftnet(); IPQ_LOCK(); @@ -974,17 +879,6 @@ ip_slowtimo() ip_freef(fp); } } - /* - * If we are over the maximum number of fragments - * (due to the limit being lowered), drain off - * enough to get down to the new limit. - */ - if (ip_maxfragpackets < 0) - ; - else { - while (ip_nfragpackets > ip_maxfragpackets && ipq.lh_first) - ip_freef(ipq.lh_first); - } IPQ_UNLOCK(); #ifdef GATEWAY ipflow_slowtimo(); @@ -1025,12 +919,12 @@ int ip_dooptions(m) struct mbuf *m; { - struct ip *ip = mtod(m, struct ip *); - u_char *cp, *cp0; - struct ip_timestamp *ipt; - struct in_ifaddr *ia; + register struct ip *ip = mtod(m, struct ip *); + register u_char *cp; + register struct ip_timestamp *ipt; + register struct in_ifaddr *ia; int opt, optlen, cnt, off, code, type = ICMP_PARAMPROB, forward = 0; - struct in_addr dst; + struct in_addr *sin, dst; n_time ntime; dst = ip->ip_dst; @@ -1043,12 +937,8 @@ ip_dooptions(m) if (opt == IPOPT_NOP) optlen = 1; else { - if (cnt < IPOPT_OLEN + sizeof(*cp)) { - code = &cp[IPOPT_OLEN] - (u_char *)ip; - goto bad; - } optlen = cp[IPOPT_OLEN]; - if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) { + if (optlen <= 0 || optlen > cnt) { code = &cp[IPOPT_OLEN] - (u_char *)ip; goto bad; } @@ -1074,10 +964,6 @@ ip_dooptions(m) code = ICMP_UNREACH_NET_PROHIB; goto bad; } - if (optlen < IPOPT_OFFSET + sizeof(*cp)) { - code = &cp[IPOPT_OLEN] - (u_char *)ip; - goto bad; - } if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) { code = &cp[IPOPT_OFFSET] - (u_char *)ip; goto bad; @@ -1097,7 +983,7 @@ ip_dooptions(m) break; } off--; /* 0 origin */ - if ((off + sizeof(struct in_addr)) > optlen) { + if (off > optlen - sizeof(struct in_addr)) { /* * End of source route. Should be for us. */ @@ -1129,10 +1015,6 @@ ip_dooptions(m) break; case IPOPT_RR: - if (optlen < IPOPT_OFFSET + sizeof(*cp)) { - code = &cp[IPOPT_OLEN] - (u_char *)ip; - goto bad; - } if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) { code = &cp[IPOPT_OFFSET] - (u_char *)ip; goto bad; @@ -1141,7 +1023,7 @@ ip_dooptions(m) * If no space remains, ignore. */ off--; /* 0 origin */ - if ((off + sizeof(struct in_addr)) > optlen) + if (off > optlen - sizeof(struct in_addr)) break; bcopy((caddr_t)(&ip->ip_dst), (caddr_t)&ipaddr.sin_addr, sizeof(ipaddr.sin_addr)); @@ -1164,23 +1046,14 @@ ip_dooptions(m) case IPOPT_TS: code = cp - (u_char *)ip; ipt = (struct ip_timestamp *)cp; - if (ipt->ipt_len < 4 || ipt->ipt_len > 40) { - code = (u_char *)&ipt->ipt_len - (u_char *)ip; - goto bad; - } - if (ipt->ipt_ptr < 5) { - code = (u_char *)&ipt->ipt_ptr - (u_char *)ip; + if (ipt->ipt_len < 5) goto bad; - } if (ipt->ipt_ptr > ipt->ipt_len - sizeof (int32_t)) { - if (++ipt->ipt_oflw == 0) { - code = (u_char *)&ipt->ipt_ptr - - (u_char *)ip; + if (++ipt->ipt_oflw == 0) goto bad; - } break; } - cp0 = (cp + ipt->ipt_ptr - 1); + sin = (struct in_addr *)(cp + ipt->ipt_ptr - 1); switch (ipt->ipt_flg) { case IPOPT_TS_TSONLY: @@ -1188,29 +1061,23 @@ ip_dooptions(m) case IPOPT_TS_TSANDADDR: if (ipt->ipt_ptr - 1 + sizeof(n_time) + - sizeof(struct in_addr) > ipt->ipt_len) { - code = (u_char *)&ipt->ipt_ptr - - (u_char *)ip; + sizeof(struct in_addr) > ipt->ipt_len) goto bad; - } ipaddr.sin_addr = dst; ia = ifatoia(ifaof_ifpforaddr(sintosa(&ipaddr), m->m_pkthdr.rcvif)); if (ia == 0) continue; - bcopy(&ia->ia_addr.sin_addr, - cp0, sizeof(struct in_addr)); + bcopy((caddr_t)&ia->ia_addr.sin_addr, + (caddr_t)sin, sizeof(struct in_addr)); ipt->ipt_ptr += sizeof(struct in_addr); break; case IPOPT_TS_PRESPEC: if (ipt->ipt_ptr - 1 + sizeof(n_time) + - sizeof(struct in_addr) > ipt->ipt_len) { - code = (u_char *)&ipt->ipt_ptr - - (u_char *)ip; + sizeof(struct in_addr) > ipt->ipt_len) goto bad; - } - bcopy(cp0, &ipaddr.sin_addr, + bcopy((caddr_t)sin, (caddr_t)&ipaddr.sin_addr, sizeof(struct in_addr)); if (ifatoia(ifa_ifwithaddr(sintosa(&ipaddr))) == NULL) @@ -1219,14 +1086,10 @@ ip_dooptions(m) break; default: - /* XXX can't take &ipt->ipt_flg */ - code = (u_char *)&ipt->ipt_ptr - - (u_char *)ip + 1; goto bad; } ntime = iptime(); - cp0 = (u_char *) &ntime; /* XXX grumble, GCC... */ - bcopy(cp0, (caddr_t)cp + ipt->ipt_ptr - 1, + bcopy((caddr_t)&ntime, (caddr_t)cp + ipt->ipt_ptr - 1, sizeof(n_time)); ipt->ipt_ptr += sizeof(n_time); } @@ -1255,7 +1118,7 @@ struct in_ifaddr * ip_rtaddr(dst) struct in_addr dst; { - struct sockaddr_in *sin; + register struct sockaddr_in *sin; sin = satosin(&ipforward_rt.ro_dst); @@ -1306,8 +1169,8 @@ save_rte(option, dst) struct mbuf * ip_srcroute() { - struct in_addr *p, *q; - struct mbuf *m; + register struct in_addr *p, *q; + register struct mbuf *m; if (ip_nhops == 0) return ((struct mbuf *)0); @@ -1376,12 +1239,12 @@ ip_srcroute() */ void ip_stripoptions(m, mopt) - struct mbuf *m; + register struct mbuf *m; struct mbuf *mopt; { - int i; + register int i; struct ip *ip = mtod(m, struct ip *); - caddr_t opts; + register caddr_t opts; int olen; olen = (ip->ip_hl << 2) - sizeof (struct ip); @@ -1423,9 +1286,9 @@ ip_forward(m, srcrt) struct mbuf *m; int srcrt; { - struct ip *ip = mtod(m, struct ip *); - struct sockaddr_in *sin; - struct rtentry *rt; + register struct ip *ip = mtod(m, struct ip *); + register struct sockaddr_in *sin; + register struct rtentry *rt; int error, type = 0, code = 0; struct mbuf *mcopy; n_long dest; @@ -1474,11 +1337,8 @@ ip_forward(m, srcrt) /* * Save at most 68 bytes of the packet in case * we need to generate an ICMP message to the src. - * Pullup to avoid sharing mbuf cluster between m and mcopy. */ - mcopy = m_copym(m, 0, imin((int)ip->ip_len, 68), M_DONTWAIT); - if (mcopy) - mcopy = m_pullup(mcopy, ip->ip_hl << 2); + mcopy = m_copy(m, 0, imin((int)ip->ip_len, 68)); /* * If forwarding packet using same interface that it came in on, @@ -1514,9 +1374,8 @@ ip_forward(m, srcrt) } #ifdef IPSEC - /* Don't lookup socket in forwading case */ - (void)ipsec_setsocket(m, NULL); -#endif + m->m_pkthdr.rcvif = NULL; +#endif /*IPSEC*/ error = ip_output(m, (struct mbuf *)0, &ipforward_rt, (IP_FORWARDING | (ip_directedbcast ? IP_ALLOWBROADCAST : 0)), 0); if (error) @@ -1626,10 +1485,10 @@ ip_forward(m, srcrt) void ip_savecontrol(inp, mp, ip, m) - struct inpcb *inp; - struct mbuf **mp; - struct ip *ip; - struct mbuf *m; + register struct inpcb *inp; + register struct mbuf **mp; + register struct ip *ip; + register struct mbuf *m; { if (inp->inp_socket->so_options & SO_TIMESTAMP) { @@ -1744,8 +1603,7 @@ ip_sysctl(name, namelen, oldp, oldlenp, case IPCTL_ANONPORTMIN: old = anonportmin; error = sysctl_int(oldp, oldlenp, newp, newlen, &anonportmin); - if (anonportmin >= anonportmax || anonportmin < 0 - || anonportmin > 65535 + if (anonportmin >= anonportmax || anonportmin > 65535 #ifndef IPNOPRIVPORTS || anonportmin < IPPORT_RESERVED #endif @@ -1757,8 +1615,7 @@ ip_sysctl(name, namelen, oldp, oldlenp, case IPCTL_ANONPORTMAX: old = anonportmax; error = sysctl_int(oldp, oldlenp, newp, newlen, &anonportmax); - if (anonportmin >= anonportmax || anonportmax < 0 - || anonportmax > 65535 + if (anonportmin >= anonportmax || anonportmax > 65535 #ifndef IPNOPRIVPORTS || anonportmax < IPPORT_RESERVED #endif @@ -1796,35 +1653,6 @@ ip_sysctl(name, namelen, oldp, oldlenp, &ip_gif_ttl)); #endif -#ifndef IPNOPRIVPORTS - case IPCTL_LOWPORTMIN: - old = lowportmin; - error = sysctl_int(oldp, oldlenp, newp, newlen, &lowportmin); - if (lowportmin >= lowportmax - || lowportmin > IPPORT_RESERVEDMAX - || lowportmin < IPPORT_RESERVEDMIN - ) { - lowportmin = old; - return (EINVAL); - } - return (error); - case IPCTL_LOWPORTMAX: - old = lowportmax; - error = sysctl_int(oldp, oldlenp, newp, newlen, &lowportmax); - if (lowportmin >= lowportmax - || lowportmax > IPPORT_RESERVEDMAX - || lowportmax < IPPORT_RESERVEDMIN - ) { - lowportmax = old; - return (EINVAL); - } - return (error); -#endif - - case IPCTL_MAXFRAGPACKETS: - return (sysctl_int(oldp, oldlenp, newp, newlen, - &ip_maxfragpackets)); - default: return (EOPNOTSUPP); }