Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. =================================================================== RCS file: /ftp/cvs/cvsroot/src/sys/netinet/raw_ip.c,v rcsdiff: /ftp/cvs/cvsroot/src/sys/netinet/raw_ip.c,v: warning: Unknown phrases like `commitid ...;' are present. retrieving revision 1.51 retrieving revision 1.74 diff -u -p -r1.51 -r1.74 --- src/sys/netinet/raw_ip.c 2000/02/17 10:59:36 1.51 +++ src/sys/netinet/raw_ip.c 2003/08/22 22:00:37 1.74 @@ -1,9 +1,9 @@ -/* $NetBSD: raw_ip.c,v 1.51 2000/02/17 10:59:36 darrenr Exp $ */ +/* $NetBSD: raw_ip.c,v 1.74 2003/08/22 22:00:37 itojun Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -15,7 +15,7 @@ * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -41,11 +41,7 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors + * 3. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * @@ -64,6 +60,9 @@ * @(#)raw_ip.c 8.7 (Berkeley) 5/15/95 */ +#include +__KERNEL_RCSID(0, "$NetBSD: raw_ip.c,v 1.74 2003/08/22 22:00:37 itojun Exp $"); + #include "opt_ipsec.h" #include "opt_mrouting.h" @@ -95,8 +94,14 @@ #include #endif /*IPSEC*/ +#ifdef FAST_IPSEC +#include +#endif /* FAST_IPSEC*/ + struct inpcbtable rawcbtable; +int rip_pcbnotify __P((struct inpcbtable *, struct in_addr, + struct in_addr, int, int, void (*) __P((struct inpcb *, int)))); int rip_bind __P((struct inpcb *, struct mbuf *)); int rip_connect __P((struct inpcb *, struct mbuf *)); void rip_disconnect __P((struct inpcb *)); @@ -121,8 +126,6 @@ rip_init() in_pcbinit(&rawcbtable, 1, 1); } -static struct sockaddr_in ripsrc = { sizeof(ripsrc), AF_INET }; - /* * Setup generic address and protocol structures * for raw_input routine, then pass them along with @@ -137,16 +140,16 @@ rip_input(m, va_alist) va_dcl #endif { - int off, proto; - register struct ip *ip = mtod(m, struct ip *); - register struct inpcb *inp; + int proto; + struct ip *ip = mtod(m, struct ip *); + struct inpcb *inp; struct inpcb *last = 0; struct mbuf *opts = 0; struct sockaddr_in ripsrc; va_list ap; va_start(ap, m); - off = va_arg(ap, int); + (void)va_arg(ap, int); /* ignore value, advance ap */ proto = va_arg(ap, int); va_end(ap); @@ -158,13 +161,13 @@ rip_input(m, va_alist) /* * XXX Compatibility: programs using raw IP expect ip_len - * XXX to have the header length subtracted. + * XXX to have the header length subtracted, and in host order. + * XXX ip_off is also expected to be host order. */ - ip->ip_len -= ip->ip_hl << 2; + ip->ip_len = ntohs(ip->ip_len) - (ip->ip_hl << 2); + NTOHS(ip->ip_off); - for (inp = rawcbtable.inpt_queue.cqh_first; - inp != (struct inpcb *)&rawcbtable.inpt_queue; - inp = inp->inp_queue.cqe_next) { + CIRCLEQ_FOREACH(inp, &rawcbtable.inpt_queue, inp_queue) { if (inp->inp_ip.ip_p && inp->inp_ip.ip_p != proto) continue; if (!in_nullhost(inp->inp_laddr) && @@ -175,6 +178,14 @@ rip_input(m, va_alist) continue; if (last) { struct mbuf *n; + +#if defined(IPSEC) || defined(FAST_IPSEC) + /* check AH/ESP integrity. */ + if (ipsec4_in_reject_so(m, last->inp_socket)) { + ipsecstat.in_polvio++; + /* do not inject data to pcb */ + } else +#endif /*IPSEC*/ if ((n = m_copy(m, 0, (int)M_COPYALL)) != NULL) { if (last->inp_flags & INP_CONTROLOPTS || last->inp_socket->so_options & SO_TIMESTAMP) @@ -192,6 +203,15 @@ rip_input(m, va_alist) } last = inp; } +#if defined(IPSEC) || defined(FAST_IPSEC) + /* check AH/ESP integrity. */ + if (last && ipsec4_in_reject_so(m, last->inp_socket)) { + m_freem(m); + ipsecstat.in_polvio++; + ipstat.ips_delivered--; + /* do not inject data to pcb */ + } else +#endif /*IPSEC*/ if (last) { if (last->inp_flags & INP_CONTROLOPTS || last->inp_socket->so_options & SO_TIMESTAMP) @@ -215,6 +235,67 @@ rip_input(m, va_alist) return; } +int +rip_pcbnotify(table, faddr, laddr, proto, errno, notify) + struct inpcbtable *table; + struct in_addr faddr, laddr; + int proto; + int errno; + void (*notify) __P((struct inpcb *, int)); +{ + struct inpcb *inp, *ninp; + int nmatch; + + nmatch = 0; + for (inp = CIRCLEQ_FIRST(&table->inpt_queue); + inp != (struct inpcb *)&table->inpt_queue; + inp = ninp) { + ninp = inp->inp_queue.cqe_next; + if (inp->inp_ip.ip_p && inp->inp_ip.ip_p != proto) + continue; + if (in_hosteq(inp->inp_faddr, faddr) && + in_hosteq(inp->inp_laddr, laddr)) { + (*notify)(inp, errno); + nmatch++; + } + } + + return nmatch; +} + +void * +rip_ctlinput(cmd, sa, v) + int cmd; + struct sockaddr *sa; + void *v; +{ + struct ip *ip = v; + void (*notify) __P((struct inpcb *, int)) = in_rtchange; + int errno; + + if (sa->sa_family != AF_INET || + sa->sa_len != sizeof(struct sockaddr_in)) + return NULL; + if ((unsigned)cmd >= PRC_NCMDS) + return NULL; + errno = inetctlerrmap[cmd]; + if (PRC_IS_REDIRECT(cmd)) + notify = in_rtchange, ip = 0; + else if (cmd == PRC_HOSTDEAD) + ip = 0; + else if (errno == 0) + return NULL; + if (ip) { + rip_pcbnotify(&rawcbtable, satosin(sa)->sin_addr, + ip->ip_src, ip->ip_p, errno, notify); + + /* XXX mapped address case */ + } else + in_pcbnotifyall(&rawcbtable, satosin(sa)->sin_addr, errno, + notify); + return NULL; +} + /* * Generate IP header and pass packet to ip_output. * Tack on options user may have setup with control call. @@ -228,8 +309,8 @@ rip_output(m, va_alist) va_dcl #endif { - register struct inpcb *inp; - register struct ip *ip; + struct inpcb *inp; + struct ip *ip; struct mbuf *opts; int flags; va_list ap; @@ -251,12 +332,14 @@ rip_output(m, va_alist) m_freem(m); return (EMSGSIZE); } - M_PREPEND(m, sizeof(struct ip), M_WAIT); + M_PREPEND(m, sizeof(struct ip), M_DONTWAIT); + if (!m) + return (ENOBUFS); ip = mtod(m, struct ip *); ip->ip_tos = 0; - ip->ip_off = 0; + ip->ip_off = htons(0); ip->ip_p = inp->inp_ip.ip_p; - ip->ip_len = m->m_pkthdr.len; + ip->ip_len = htons(m->m_pkthdr.len); ip->ip_src = inp->inp_laddr; ip->ip_dst = inp->inp_faddr; ip->ip_ttl = MAXTTL; @@ -267,10 +350,28 @@ rip_output(m, va_alist) return (EMSGSIZE); } ip = mtod(m, struct ip *); + + /* + * If the mbuf is read-only, we need to allocate + * a new mbuf for the header, since we need to + * modify the header. + */ + if (M_READONLY(m)) { + int hlen = ip->ip_hl << 2; + + m = m_copyup(m, hlen, (max_linkhdr + 3) & ~3); + if (m == NULL) + return (ENOMEM); /* XXX */ + ip = mtod(m, struct ip *); + } + + /* XXX userland passes ip_len and ip_off in host order */ if (m->m_pkthdr.len != ip->ip_len) { m_freem(m); return (EINVAL); } + HTONS(ip->ip_len); + HTONS(ip->ip_off); if (ip->ip_id == 0) ip->ip_id = htons(ip_id++); opts = NULL; @@ -278,10 +379,8 @@ rip_output(m, va_alist) flags |= IP_RAWOUTPUT; ipstat.ips_rawout++; } -#ifdef IPSEC - m->m_pkthdr.rcvif = (struct ifnet *)inp->inp_socket; /*XXX*/ -#endif /*IPSEC*/ - return (ip_output(m, opts, &inp->inp_route, flags, inp->inp_moptions, &inp->inp_errormtu)); + return (ip_output(m, opts, &inp->inp_route, flags, inp->inp_moptions, + inp->inp_socket, &inp->inp_errormtu)); } /* @@ -294,7 +393,7 @@ rip_ctloutput(op, so, level, optname, m) int level, optname; struct mbuf **m; { - register struct inpcb *inp = sotoinpcb(so); + struct inpcb *inp = sotoinpcb(so); int error = 0; if (level != IPPROTO_IP) { @@ -339,7 +438,8 @@ rip_ctloutput(op, so, level, optname, m) case PRCO_GETOPT: switch (optname) { case IP_HDRINCL: - *m = m_get(M_WAIT, M_SOOPTS); + *m = m_get(M_WAIT, MT_SOOPTS); + MCLAIM((*m), so->so_mowner); (*m)->m_len = sizeof (int); *mtod(*m, int *) = inp->inp_flags & INP_HDRINCL ? 1 : 0; break; @@ -369,7 +469,7 @@ rip_bind(inp, nam) if (nam->m_len != sizeof(*addr)) return (EINVAL); - if (ifnet.tqh_first == 0) + if (TAILQ_FIRST(&ifnet) == 0) return (EADDRNOTAVAIL); if (addr->sin_family != AF_INET && addr->sin_family != AF_IMPLINK) @@ -390,7 +490,7 @@ rip_connect(inp, nam) if (nam->m_len != sizeof(*addr)) return (EINVAL); - if (ifnet.tqh_first == 0) + if (TAILQ_FIRST(&ifnet) == 0) return (EADDRNOTAVAIL); if (addr->sin_family != AF_INET && addr->sin_family != AF_IMPLINK) @@ -413,14 +513,14 @@ u_long rip_recvspace = RIPRCVQ; /*ARGSUSED*/ int rip_usrreq(so, req, m, nam, control, p) - register struct socket *so; + struct socket *so; int req; struct mbuf *m, *nam, *control; struct proc *p; { - register struct inpcb *inp; + struct inpcb *inp; int s; - register int error = 0; + int error = 0; #ifdef MROUTING extern struct socket *ip_mrouter; #endif @@ -430,6 +530,7 @@ rip_usrreq(so, req, m, nam, control, p) (struct ifnet *)control, p)); if (req == PRU_PURGEIF) { + in_pcbpurgeif0(&rawcbtable, (struct ifnet *)control); in_purgeif((struct ifnet *)control); in_pcbpurgeif(&rawcbtable, (struct ifnet *)control); return (0); @@ -467,13 +568,6 @@ rip_usrreq(so, req, m, nam, control, p) break; inp = sotoinpcb(so); inp->inp_ip.ip_p = (long)nam; -#ifdef IPSEC - error = ipsec_init_policy(so, &inp->inp_sp); - if (error != 0) { - in_pcbdetach(inp); - break; - } -#endif /*IPSEC*/ break; case PRU_DETACH: