FreeBSD kernel IPv4 code
ip_input.c
Go to the documentation of this file.
1/*-
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (c) 1982, 1986, 1988, 1993
5 * The Regents of the University of California. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the University nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 *
31 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94
32 */
33
34#include <sys/cdefs.h>
35__FBSDID("$FreeBSD$");
36
37#include "opt_bootp.h"
38#include "opt_ipstealth.h"
39#include "opt_ipsec.h"
40#include "opt_route.h"
41#include "opt_rss.h"
42
43#include <sys/param.h>
44#include <sys/systm.h>
45#include <sys/hhook.h>
46#include <sys/mbuf.h>
47#include <sys/malloc.h>
48#include <sys/domain.h>
49#include <sys/protosw.h>
50#include <sys/socket.h>
51#include <sys/time.h>
52#include <sys/kernel.h>
53#include <sys/lock.h>
54#include <sys/rmlock.h>
55#include <sys/rwlock.h>
56#include <sys/sdt.h>
57#include <sys/syslog.h>
58#include <sys/sysctl.h>
59
60#include <net/if.h>
61#include <net/if_types.h>
62#include <net/if_var.h>
63#include <net/if_dl.h>
64#include <net/pfil.h>
65#include <net/route.h>
66#include <net/route/nhop.h>
67#include <net/netisr.h>
68#include <net/rss_config.h>
69#include <net/vnet.h>
70
71#include <netinet/in.h>
72#include <netinet/in_kdtrace.h>
73#include <netinet/in_systm.h>
74#include <netinet/in_var.h>
75#include <netinet/ip.h>
76#include <netinet/in_fib.h>
77#include <netinet/in_pcb.h>
78#include <netinet/ip_var.h>
79#include <netinet/ip_fw.h>
80#include <netinet/ip_icmp.h>
81#include <netinet/ip_options.h>
82#include <machine/in_cksum.h>
83#include <netinet/ip_carp.h>
84#include <netinet/in_rss.h>
85
86#include <netipsec/ipsec_support.h>
87
88#include <sys/socketvar.h>
89
90#include <security/mac/mac_framework.h>
91
92#ifdef CTASSERT
93CTASSERT(sizeof(struct ip) == 20);
94#endif
95
96/* IP reassembly functions are defined in ip_reass.c. */
97extern void ipreass_init(void);
98extern void ipreass_drain(void);
99extern void ipreass_slowtimo(void);
100#ifdef VIMAGE
101extern void ipreass_destroy(void);
102#endif
103
104VNET_DEFINE(int, rsvp_on);
105
106VNET_DEFINE(int, ipforwarding);
107SYSCTL_INT(_net_inet_ip, IPCTL_FORWARDING, forwarding, CTLFLAG_VNET | CTLFLAG_RW,
108 &VNET_NAME(ipforwarding), 0,
109 "Enable IP forwarding between interfaces");
110
111/*
112 * Respond with an ICMP host redirect when we forward a packet out of
113 * the same interface on which it was received. See RFC 792.
114 */
115VNET_DEFINE(int, ipsendredirects) = 1;
116SYSCTL_INT(_net_inet_ip, IPCTL_SENDREDIRECTS, redirect, CTLFLAG_VNET | CTLFLAG_RW,
117 &VNET_NAME(ipsendredirects), 0,
118 "Enable sending IP redirects");
119
120VNET_DEFINE_STATIC(bool, ip_strong_es) = false;
121#define V_ip_strong_es VNET(ip_strong_es)
122SYSCTL_BOOL(_net_inet_ip, OID_AUTO, rfc1122_strong_es,
123 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip_strong_es), false,
124 "Packet's IP destination address must match address on arrival interface");
125
126VNET_DEFINE_STATIC(bool, ip_sav) = true;
127#define V_ip_sav VNET(ip_sav)
128SYSCTL_BOOL(_net_inet_ip, OID_AUTO, source_address_validation,
129 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip_sav), true,
130 "Drop incoming packets with source address that is a local address");
131
132VNET_DEFINE(pfil_head_t, inet_pfil_head); /* Packet filter hooks */
133
134static struct netisr_handler ip_nh = {
135 .nh_name = "ip",
136 .nh_handler = ip_input,
137 .nh_proto = NETISR_IP,
138#ifdef RSS
139 .nh_m2cpuid = rss_soft_m2cpuid_v4,
140 .nh_policy = NETISR_POLICY_CPU,
141 .nh_dispatch = NETISR_DISPATCH_HYBRID,
142#else
143 .nh_policy = NETISR_POLICY_FLOW,
144#endif
145};
146
147#ifdef RSS
148/*
149 * Directly dispatched frames are currently assumed
150 * to have a flowid already calculated.
151 *
152 * It should likely have something that assert it
153 * actually has valid flow details.
154 */
155static struct netisr_handler ip_direct_nh = {
156 .nh_name = "ip_direct",
157 .nh_handler = ip_direct_input,
158 .nh_proto = NETISR_IP_DIRECT,
159 .nh_m2cpuid = rss_soft_m2cpuid_v4,
160 .nh_policy = NETISR_POLICY_CPU,
161 .nh_dispatch = NETISR_DISPATCH_HYBRID,
162};
163#endif
164
165extern struct domain inetdomain;
166extern struct protosw inetsw[];
167u_char ip_protox[IPPROTO_MAX];
168VNET_DEFINE(struct in_ifaddrhead, in_ifaddrhead); /* first inet address */
169VNET_DEFINE(struct in_ifaddrhashhead *, in_ifaddrhashtbl); /* inet addr hash table */
170VNET_DEFINE(u_long, in_ifaddrhmask); /* mask for hash table */
171
172/* Make sure it is safe to use hashinit(9) on CK_LIST. */
173CTASSERT(sizeof(struct in_ifaddrhashhead) == sizeof(LIST_HEAD(, in_addr)));
174
175#ifdef IPCTL_DEFMTU
176SYSCTL_INT(_net_inet_ip, IPCTL_DEFMTU, mtu, CTLFLAG_RW,
177 &ip_mtu, 0, "Default MTU");
178#endif
179
180#ifdef IPSTEALTH
181VNET_DEFINE(int, ipstealth);
182SYSCTL_INT(_net_inet_ip, OID_AUTO, stealth, CTLFLAG_VNET | CTLFLAG_RW,
183 &VNET_NAME(ipstealth), 0,
184 "IP stealth mode, no TTL decrementation on forwarding");
185#endif
186
187/*
188 * IP statistics are stored in the "array" of counter(9)s.
189 */
190VNET_PCPUSTAT_DEFINE(struct ipstat, ipstat);
191VNET_PCPUSTAT_SYSINIT(ipstat);
192SYSCTL_VNET_PCPUSTAT(_net_inet_ip, IPCTL_STATS, stats, struct ipstat, ipstat,
193 "IP statistics (struct ipstat, netinet/ip_var.h)");
194
195#ifdef VIMAGE
196VNET_PCPUSTAT_SYSUNINIT(ipstat);
197#endif /* VIMAGE */
198
199/*
200 * Kernel module interface for updating ipstat. The argument is an index
201 * into ipstat treated as an array.
202 */
203void
204kmod_ipstat_inc(int statnum)
205{
206
207 counter_u64_add(VNET(ipstat)[statnum], 1);
208}
209
210void
211kmod_ipstat_dec(int statnum)
212{
213
214 counter_u64_add(VNET(ipstat)[statnum], -1);
215}
216
217static int
218sysctl_netinet_intr_queue_maxlen(SYSCTL_HANDLER_ARGS)
219{
220 int error, qlimit;
221
222 netisr_getqlimit(&ip_nh, &qlimit);
223 error = sysctl_handle_int(oidp, &qlimit, 0, req);
224 if (error || !req->newptr)
225 return (error);
226 if (qlimit < 1)
227 return (EINVAL);
228 return (netisr_setqlimit(&ip_nh, qlimit));
229}
230SYSCTL_PROC(_net_inet_ip, IPCTL_INTRQMAXLEN, intr_queue_maxlen,
231 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, 0, 0,
232 sysctl_netinet_intr_queue_maxlen, "I",
233 "Maximum size of the IP input queue");
234
235static int
236sysctl_netinet_intr_queue_drops(SYSCTL_HANDLER_ARGS)
237{
238 u_int64_t qdrops_long;
239 int error, qdrops;
240
241 netisr_getqdrops(&ip_nh, &qdrops_long);
242 qdrops = qdrops_long;
243 error = sysctl_handle_int(oidp, &qdrops, 0, req);
244 if (error || !req->newptr)
245 return (error);
246 if (qdrops != 0)
247 return (EINVAL);
248 netisr_clearqdrops(&ip_nh);
249 return (0);
250}
251
252SYSCTL_PROC(_net_inet_ip, IPCTL_INTRQDROPS, intr_queue_drops,
253 CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE,
254 0, 0, sysctl_netinet_intr_queue_drops, "I",
255 "Number of packets dropped from the IP input queue");
256
257#ifdef RSS
258static int
259sysctl_netinet_intr_direct_queue_maxlen(SYSCTL_HANDLER_ARGS)
260{
261 int error, qlimit;
262
263 netisr_getqlimit(&ip_direct_nh, &qlimit);
264 error = sysctl_handle_int(oidp, &qlimit, 0, req);
265 if (error || !req->newptr)
266 return (error);
267 if (qlimit < 1)
268 return (EINVAL);
269 return (netisr_setqlimit(&ip_direct_nh, qlimit));
270}
271SYSCTL_PROC(_net_inet_ip, IPCTL_INTRDQMAXLEN, intr_direct_queue_maxlen,
272 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
273 0, 0, sysctl_netinet_intr_direct_queue_maxlen,
274 "I", "Maximum size of the IP direct input queue");
275
276static int
277sysctl_netinet_intr_direct_queue_drops(SYSCTL_HANDLER_ARGS)
278{
279 u_int64_t qdrops_long;
280 int error, qdrops;
281
282 netisr_getqdrops(&ip_direct_nh, &qdrops_long);
283 qdrops = qdrops_long;
284 error = sysctl_handle_int(oidp, &qdrops, 0, req);
285 if (error || !req->newptr)
286 return (error);
287 if (qdrops != 0)
288 return (EINVAL);
289 netisr_clearqdrops(&ip_direct_nh);
290 return (0);
291}
292
293SYSCTL_PROC(_net_inet_ip, IPCTL_INTRDQDROPS, intr_direct_queue_drops,
294 CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, 0, 0,
295 sysctl_netinet_intr_direct_queue_drops, "I",
296 "Number of packets dropped from the IP direct input queue");
297#endif /* RSS */
298
299/*
300 * IP initialization: fill in IP protocol switch table.
301 * All protocols not implemented in kernel go to raw IP protocol handler.
302 */
303static void
304ip_vnet_init(void *arg __unused)
305{
306 struct pfil_head_args args;
307
308 CK_STAILQ_INIT(&V_in_ifaddrhead);
309 V_in_ifaddrhashtbl = hashinit(INADDR_NHASH, M_IFADDR, &V_in_ifaddrhmask);
310
311 /* Initialize IP reassembly queue. */
312 ipreass_init();
313
314 /* Initialize packet filter hooks. */
315 args.pa_version = PFIL_VERSION;
316 args.pa_flags = PFIL_IN | PFIL_OUT;
317 args.pa_type = PFIL_TYPE_IP4;
318 args.pa_headname = PFIL_INET_NAME;
319 V_inet_pfil_head = pfil_head_register(&args);
320
321 if (hhook_head_register(HHOOK_TYPE_IPSEC_IN, AF_INET,
322 &V_ipsec_hhh_in[HHOOK_IPSEC_INET],
323 HHOOK_WAITOK | HHOOK_HEADISINVNET) != 0)
324 printf("%s: WARNING: unable to register input helper hook\n",
325 __func__);
326 if (hhook_head_register(HHOOK_TYPE_IPSEC_OUT, AF_INET,
327 &V_ipsec_hhh_out[HHOOK_IPSEC_INET],
328 HHOOK_WAITOK | HHOOK_HEADISINVNET) != 0)
329 printf("%s: WARNING: unable to register output helper hook\n",
330 __func__);
331
332#ifdef VIMAGE
333 netisr_register_vnet(&ip_nh);
334#ifdef RSS
335 netisr_register_vnet(&ip_direct_nh);
336#endif
337#endif
338}
339VNET_SYSINIT(ip_vnet_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_FOURTH,
340 ip_vnet_init, NULL);
341
342
343static void
344ip_init(const void *unused __unused)
345{
346 struct protosw *pr;
347
348 pr = pffindproto(PF_INET, IPPROTO_RAW, SOCK_RAW);
349 KASSERT(pr, ("%s: PF_INET not found", __func__));
350
351 /* Initialize the entire ip_protox[] array to IPPROTO_RAW. */
352 for (int i = 0; i < IPPROTO_MAX; i++)
353 ip_protox[i] = pr - inetsw;
354 /*
355 * Cycle through IP protocols and put them into the appropriate place
356 * in ip_protox[].
357 */
358 for (pr = inetdomain.dom_protosw;
359 pr < inetdomain.dom_protoswNPROTOSW; pr++)
360 if (pr->pr_domain->dom_family == PF_INET &&
361 pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) {
362 /* Be careful to only index valid IP protocols. */
363 if (pr->pr_protocol < IPPROTO_MAX)
364 ip_protox[pr->pr_protocol] = pr - inetsw;
365 }
366
367 netisr_register(&ip_nh);
368#ifdef RSS
369 netisr_register(&ip_direct_nh);
370#endif
371}
372SYSINIT(ip_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_THIRD, ip_init, NULL);
373
374#ifdef VIMAGE
375static void
376ip_destroy(void *unused __unused)
377{
378 int error;
379
380#ifdef RSS
381 netisr_unregister_vnet(&ip_direct_nh);
382#endif
383 netisr_unregister_vnet(&ip_nh);
384
385 pfil_head_unregister(V_inet_pfil_head);
386 error = hhook_head_deregister(V_ipsec_hhh_in[HHOOK_IPSEC_INET]);
387 if (error != 0) {
388 printf("%s: WARNING: unable to deregister input helper hook "
389 "type HHOOK_TYPE_IPSEC_IN, id HHOOK_IPSEC_INET: "
390 "error %d returned\n", __func__, error);
391 }
392 error = hhook_head_deregister(V_ipsec_hhh_out[HHOOK_IPSEC_INET]);
393 if (error != 0) {
394 printf("%s: WARNING: unable to deregister output helper hook "
395 "type HHOOK_TYPE_IPSEC_OUT, id HHOOK_IPSEC_INET: "
396 "error %d returned\n", __func__, error);
397 }
398
399 /* Remove the IPv4 addresses from all interfaces. */
400 in_ifscrub_all();
401
402 /* Make sure the IPv4 routes are gone as well. */
403 rib_flush_routes_family(AF_INET);
404
405 /* Destroy IP reassembly queue. */
406 ipreass_destroy();
407
408 /* Cleanup in_ifaddr hash table; should be empty. */
409 hashdestroy(V_in_ifaddrhashtbl, M_IFADDR, V_in_ifaddrhmask);
410}
411
412VNET_SYSUNINIT(ip, SI_SUB_PROTO_DOMAIN, SI_ORDER_THIRD, ip_destroy, NULL);
413#endif
414
415#ifdef RSS
416/*
417 * IP direct input routine.
418 *
419 * This is called when reinjecting completed fragments where
420 * all of the previous checking and book-keeping has been done.
421 */
422void
423ip_direct_input(struct mbuf *m)
424{
425 struct ip *ip;
426 int hlen;
427
428 ip = mtod(m, struct ip *);
429 hlen = ip->ip_hl << 2;
430
431#if defined(IPSEC) || defined(IPSEC_SUPPORT)
432 if (IPSEC_ENABLED(ipv4)) {
433 if (IPSEC_INPUT(ipv4, m, hlen, ip->ip_p) != 0)
434 return;
435 }
436#endif /* IPSEC */
437 IPSTAT_INC(ips_delivered);
438 (*inetsw[ip_protox[ip->ip_p]].pr_input)(&m, &hlen, ip->ip_p);
439 return;
440}
441#endif
442
443/*
444 * Ip input routine. Checksum and byte swap header. If fragmented
445 * try to reassemble. Process options. Pass to next level.
446 */
447void
448ip_input(struct mbuf *m)
449{
450 struct ip *ip = NULL;
451 struct in_ifaddr *ia = NULL;
452 struct ifaddr *ifa;
453 struct ifnet *ifp;
454 int hlen = 0;
455 uint16_t sum, ip_len;
456 int dchg = 0; /* dest changed after fw */
457 struct in_addr odst; /* original dst address */
458 bool strong_es;
459
460 M_ASSERTPKTHDR(m);
461 NET_EPOCH_ASSERT();
462
463 if (m->m_flags & M_FASTFWD_OURS) {
464 m->m_flags &= ~M_FASTFWD_OURS;
465 /* Set up some basics that will be used later. */
466 ip = mtod(m, struct ip *);
467 hlen = ip->ip_hl << 2;
468 ip_len = ntohs(ip->ip_len);
469 goto ours;
470 }
471
472 IPSTAT_INC(ips_total);
473
474 if (__predict_false(m->m_pkthdr.len < sizeof(struct ip)))
475 goto tooshort;
476
477 if (m->m_len < sizeof(struct ip)) {
478 m = m_pullup(m, sizeof(struct ip));
479 if (__predict_false(m == NULL)) {
480 IPSTAT_INC(ips_toosmall);
481 return;
482 }
483 }
484 ip = mtod(m, struct ip *);
485
486 if (__predict_false(ip->ip_v != IPVERSION)) {
487 IPSTAT_INC(ips_badvers);
488 goto bad;
489 }
490
491 hlen = ip->ip_hl << 2;
492 if (__predict_false(hlen < sizeof(struct ip))) { /* minimum header length */
493 IPSTAT_INC(ips_badhlen);
494 goto bad;
495 }
496 if (hlen > m->m_len) {
497 m = m_pullup(m, hlen);
498 if (__predict_false(m == NULL)) {
499 IPSTAT_INC(ips_badhlen);
500 return;
501 }
502 ip = mtod(m, struct ip *);
503 }
504
505 IP_PROBE(receive, NULL, NULL, ip, m->m_pkthdr.rcvif, ip, NULL);
506
507 /* IN_LOOPBACK must not appear on the wire - RFC1122 */
508 ifp = m->m_pkthdr.rcvif;
509 if (IN_LOOPBACK(ntohl(ip->ip_dst.s_addr)) ||
510 IN_LOOPBACK(ntohl(ip->ip_src.s_addr))) {
511 if ((ifp->if_flags & IFF_LOOPBACK) == 0) {
512 IPSTAT_INC(ips_badaddr);
513 goto bad;
514 }
515 }
516
517 if (m->m_pkthdr.csum_flags & CSUM_IP_CHECKED) {
518 sum = !(m->m_pkthdr.csum_flags & CSUM_IP_VALID);
519 } else {
520 if (hlen == sizeof(struct ip)) {
521 sum = in_cksum_hdr(ip);
522 } else {
523 sum = in_cksum(m, hlen);
524 }
525 }
526 if (__predict_false(sum)) {
527 IPSTAT_INC(ips_badsum);
528 goto bad;
529 }
530
531#ifdef ALTQ
532 if (altq_input != NULL && (*altq_input)(m, AF_INET) == 0)
533 /* packet is dropped by traffic conditioner */
534 return;
535#endif
536
537 ip_len = ntohs(ip->ip_len);
538 if (__predict_false(ip_len < hlen)) {
539 IPSTAT_INC(ips_badlen);
540 goto bad;
541 }
542
543 /*
544 * Check that the amount of data in the buffers
545 * is as at least much as the IP header would have us expect.
546 * Trim mbufs if longer than we expect.
547 * Drop packet if shorter than we expect.
548 */
549 if (__predict_false(m->m_pkthdr.len < ip_len)) {
550tooshort:
551 IPSTAT_INC(ips_tooshort);
552 goto bad;
553 }
554 if (m->m_pkthdr.len > ip_len) {
555 if (m->m_len == m->m_pkthdr.len) {
556 m->m_len = ip_len;
557 m->m_pkthdr.len = ip_len;
558 } else
559 m_adj(m, ip_len - m->m_pkthdr.len);
560 }
561
562 /*
563 * Try to forward the packet, but if we fail continue.
564 * ip_tryforward() may generate redirects these days.
565 * XXX the logic below falling through to normal processing
566 * if redirects are required should be revisited as well.
567 * ip_tryforward() does inbound and outbound packet firewall
568 * processing. If firewall has decided that destination becomes
569 * our local address, it sets M_FASTFWD_OURS flag. In this
570 * case skip another inbound firewall processing and update
571 * ip pointer.
572 */
573 if (V_ipforwarding != 0
574#if defined(IPSEC) || defined(IPSEC_SUPPORT)
575 && (!IPSEC_ENABLED(ipv4) ||
576 IPSEC_CAPS(ipv4, m, IPSEC_CAP_OPERABLE) == 0)
577#endif
578 ) {
579 /*
580 * ip_dooptions() was run so we can ignore the source route (or
581 * any IP options case) case for redirects in ip_tryforward().
582 */
583 if ((m = ip_tryforward(m)) == NULL)
584 return;
585 if (m->m_flags & M_FASTFWD_OURS) {
586 m->m_flags &= ~M_FASTFWD_OURS;
587 ip = mtod(m, struct ip *);
588 goto ours;
589 }
590 }
591
592#if defined(IPSEC) || defined(IPSEC_SUPPORT)
593 /*
594 * Bypass packet filtering for packets previously handled by IPsec.
595 */
596 if (IPSEC_ENABLED(ipv4) &&
597 IPSEC_CAPS(ipv4, m, IPSEC_CAP_BYPASS_FILTER) != 0)
598 goto passin;
599#endif
600
601 /*
602 * Run through list of hooks for input packets.
603 *
604 * NB: Beware of the destination address changing (e.g.
605 * by NAT rewriting). When this happens, tell
606 * ip_forward to do the right thing.
607 */
608
609 /* Jump over all PFIL processing if hooks are not active. */
610 if (!PFIL_HOOKED_IN(V_inet_pfil_head))
611 goto passin;
612
613 odst = ip->ip_dst;
614 if (pfil_run_hooks(V_inet_pfil_head, &m, ifp, PFIL_IN, NULL) !=
615 PFIL_PASS)
616 return;
617 if (m == NULL) /* consumed by filter */
618 return;
619
620 ip = mtod(m, struct ip *);
621 dchg = (odst.s_addr != ip->ip_dst.s_addr);
622
623 if (m->m_flags & M_FASTFWD_OURS) {
624 m->m_flags &= ~M_FASTFWD_OURS;
625 goto ours;
626 }
627 if (m->m_flags & M_IP_NEXTHOP) {
628 if (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) {
629 /*
630 * Directly ship the packet on. This allows
631 * forwarding packets originally destined to us
632 * to some other directly connected host.
633 */
634 ip_forward(m, 1);
635 return;
636 }
637 }
638passin:
639
640 /*
641 * Process options and, if not destined for us,
642 * ship it on. ip_dooptions returns 1 when an
643 * error was detected (causing an icmp message
644 * to be sent and the original packet to be freed).
645 */
646 if (hlen > sizeof (struct ip) && ip_dooptions(m, 0))
647 return;
648
649 /* greedy RSVP, snatches any PATH packet of the RSVP protocol and no
650 * matter if it is destined to another node, or whether it is
651 * a multicast one, RSVP wants it! and prevents it from being forwarded
652 * anywhere else. Also checks if the rsvp daemon is running before
653 * grabbing the packet.
654 */
655 if (ip->ip_p == IPPROTO_RSVP && V_rsvp_on)
656 goto ours;
657
658 /*
659 * Check our list of addresses, to see if the packet is for us.
660 * If we don't have any addresses, assume any unicast packet
661 * we receive might be for us (and let the upper layers deal
662 * with it).
663 */
664 if (CK_STAILQ_EMPTY(&V_in_ifaddrhead) &&
665 (m->m_flags & (M_MCAST|M_BCAST)) == 0)
666 goto ours;
667
668 /*
669 * Enable a consistency check between the destination address
670 * and the arrival interface for a unicast packet (the RFC 1122
671 * strong ES model) with a list of additional predicates:
672 * - if IP forwarding is disabled
673 * - the packet is not locally generated
674 * - the packet is not subject to 'ipfw fwd'
675 * - Interface is not running CARP. If the packet got here, we already
676 * checked it with carp_iamatch() and carp_forus().
677 */
678 strong_es = V_ip_strong_es && (V_ipforwarding == 0) &&
679 ((ifp->if_flags & IFF_LOOPBACK) == 0) &&
680 ifp->if_carp == NULL && (dchg == 0);
681
682 /*
683 * Check for exact addresses in the hash bucket.
684 */
685 CK_LIST_FOREACH(ia, INADDR_HASH(ip->ip_dst.s_addr), ia_hash) {
686 if (IA_SIN(ia)->sin_addr.s_addr != ip->ip_dst.s_addr)
687 continue;
688
689 /*
690 * net.inet.ip.rfc1122_strong_es: the address matches, verify
691 * that the packet arrived via the correct interface.
692 */
693 if (__predict_false(strong_es && ia->ia_ifp != ifp)) {
694 IPSTAT_INC(ips_badaddr);
695 goto bad;
696 }
697
698 /*
699 * net.inet.ip.source_address_validation: drop incoming
700 * packets that pretend to be ours.
701 */
702 if (V_ip_sav && !(ifp->if_flags & IFF_LOOPBACK) &&
703 __predict_false(in_localip_fib(ip->ip_src, ifp->if_fib))) {
704 IPSTAT_INC(ips_badaddr);
705 goto bad;
706 }
707
708 counter_u64_add(ia->ia_ifa.ifa_ipackets, 1);
709 counter_u64_add(ia->ia_ifa.ifa_ibytes, m->m_pkthdr.len);
710 goto ours;
711 }
712
713 /*
714 * Check for broadcast addresses.
715 *
716 * Only accept broadcast packets that arrive via the matching
717 * interface. Reception of forwarded directed broadcasts would
718 * be handled via ip_forward() and ether_output() with the loopback
719 * into the stack for SIMPLEX interfaces handled by ether_output().
720 */
721 if (ifp->if_flags & IFF_BROADCAST) {
722 CK_STAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
723 if (ifa->ifa_addr->sa_family != AF_INET)
724 continue;
725 ia = ifatoia(ifa);
726 if (satosin(&ia->ia_broadaddr)->sin_addr.s_addr ==
727 ip->ip_dst.s_addr) {
728 counter_u64_add(ia->ia_ifa.ifa_ipackets, 1);
729 counter_u64_add(ia->ia_ifa.ifa_ibytes,
730 m->m_pkthdr.len);
731 goto ours;
732 }
733#ifdef BOOTP_COMPAT
734 if (IA_SIN(ia)->sin_addr.s_addr == INADDR_ANY) {
735 counter_u64_add(ia->ia_ifa.ifa_ipackets, 1);
736 counter_u64_add(ia->ia_ifa.ifa_ibytes,
737 m->m_pkthdr.len);
738 goto ours;
739 }
740#endif
741 }
742 ia = NULL;
743 }
744 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
745 /*
746 * RFC 3927 2.7: Do not forward multicast packets from
747 * IN_LINKLOCAL.
748 */
749 if (V_ip_mrouter && !IN_LINKLOCAL(ntohl(ip->ip_src.s_addr))) {
750 /*
751 * If we are acting as a multicast router, all
752 * incoming multicast packets are passed to the
753 * kernel-level multicast forwarding function.
754 * The packet is returned (relatively) intact; if
755 * ip_mforward() returns a non-zero value, the packet
756 * must be discarded, else it may be accepted below.
757 */
758 if (ip_mforward && ip_mforward(ip, ifp, m, 0) != 0) {
759 IPSTAT_INC(ips_cantforward);
760 m_freem(m);
761 return;
762 }
763
764 /*
765 * The process-level routing daemon needs to receive
766 * all multicast IGMP packets, whether or not this
767 * host belongs to their destination groups.
768 */
769 if (ip->ip_p == IPPROTO_IGMP) {
770 goto ours;
771 }
772 IPSTAT_INC(ips_forward);
773 }
774 /*
775 * Assume the packet is for us, to avoid prematurely taking
776 * a lock on the in_multi hash. Protocols must perform
777 * their own filtering and update statistics accordingly.
778 */
779 goto ours;
780 }
781 if (ip->ip_dst.s_addr == (u_long)INADDR_BROADCAST)
782 goto ours;
783 if (ip->ip_dst.s_addr == INADDR_ANY)
784 goto ours;
785 /* RFC 3927 2.7: Do not forward packets to or from IN_LINKLOCAL. */
786 if (IN_LINKLOCAL(ntohl(ip->ip_dst.s_addr)) ||
787 IN_LINKLOCAL(ntohl(ip->ip_src.s_addr))) {
788 IPSTAT_INC(ips_cantforward);
789 m_freem(m);
790 return;
791 }
792
793 /*
794 * Not for us; forward if possible and desirable.
795 */
796 if (V_ipforwarding == 0) {
797 IPSTAT_INC(ips_cantforward);
798 m_freem(m);
799 } else {
800 ip_forward(m, dchg);
801 }
802 return;
803
804ours:
805#ifdef IPSTEALTH
806 /*
807 * IPSTEALTH: Process non-routing options only
808 * if the packet is destined for us.
809 */
810 if (V_ipstealth && hlen > sizeof (struct ip) && ip_dooptions(m, 1))
811 return;
812#endif /* IPSTEALTH */
813
814 /*
815 * Attempt reassembly; if it succeeds, proceed.
816 * ip_reass() will return a different mbuf.
817 */
818 if (ip->ip_off & htons(IP_MF | IP_OFFMASK)) {
819 /* XXXGL: shouldn't we save & set m_flags? */
820 m = ip_reass(m);
821 if (m == NULL)
822 return;
823 ip = mtod(m, struct ip *);
824 /* Get the header length of the reassembled packet */
825 hlen = ip->ip_hl << 2;
826 }
827
828#if defined(IPSEC) || defined(IPSEC_SUPPORT)
829 if (IPSEC_ENABLED(ipv4)) {
830 if (IPSEC_INPUT(ipv4, m, hlen, ip->ip_p) != 0)
831 return;
832 }
833#endif /* IPSEC */
834
835 /*
836 * Switch out to protocol's input routine.
837 */
838 IPSTAT_INC(ips_delivered);
839
840 (*inetsw[ip_protox[ip->ip_p]].pr_input)(&m, &hlen, ip->ip_p);
841 return;
842bad:
843 m_freem(m);
844}
845
846/*
847 * IP timer processing;
848 * if a timer expires on a reassembly
849 * queue, discard it.
850 */
851void
852ip_slowtimo(void)
853{
854 VNET_ITERATOR_DECL(vnet_iter);
855
856 VNET_LIST_RLOCK_NOSLEEP();
857 VNET_FOREACH(vnet_iter) {
858 CURVNET_SET(vnet_iter);
859 ipreass_slowtimo();
860 CURVNET_RESTORE();
861 }
862 VNET_LIST_RUNLOCK_NOSLEEP();
863}
864
865void
866ip_drain(void)
867{
868 VNET_ITERATOR_DECL(vnet_iter);
869
870 VNET_LIST_RLOCK_NOSLEEP();
871 VNET_FOREACH(vnet_iter) {
872 CURVNET_SET(vnet_iter);
873 ipreass_drain();
874 CURVNET_RESTORE();
875 }
876 VNET_LIST_RUNLOCK_NOSLEEP();
877}
878
879/*
880 * The protocol to be inserted into ip_protox[] must be already registered
881 * in inetsw[], either statically or through pf_proto_register().
882 */
883int
884ipproto_register(short ipproto)
885{
886 struct protosw *pr;
887
888 /* Sanity checks. */
889 if (ipproto <= 0 || ipproto >= IPPROTO_MAX)
890 return (EPROTONOSUPPORT);
891
892 /*
893 * The protocol slot must not be occupied by another protocol
894 * already. An index pointing to IPPROTO_RAW is unused.
895 */
896 pr = pffindproto(PF_INET, IPPROTO_RAW, SOCK_RAW);
897 if (pr == NULL)
898 return (EPFNOSUPPORT);
899 if (ip_protox[ipproto] != pr - inetsw) /* IPPROTO_RAW */
900 return (EEXIST);
901
902 /* Find the protocol position in inetsw[] and set the index. */
903 for (pr = inetdomain.dom_protosw;
904 pr < inetdomain.dom_protoswNPROTOSW; pr++) {
905 if (pr->pr_domain->dom_family == PF_INET &&
906 pr->pr_protocol && pr->pr_protocol == ipproto) {
907 ip_protox[pr->pr_protocol] = pr - inetsw;
908 return (0);
909 }
910 }
911 return (EPROTONOSUPPORT);
912}
913
914int
915ipproto_unregister(short ipproto)
916{
917 struct protosw *pr;
918
919 /* Sanity checks. */
920 if (ipproto <= 0 || ipproto >= IPPROTO_MAX)
921 return (EPROTONOSUPPORT);
922
923 /* Check if the protocol was indeed registered. */
924 pr = pffindproto(PF_INET, IPPROTO_RAW, SOCK_RAW);
925 if (pr == NULL)
926 return (EPFNOSUPPORT);
927 if (ip_protox[ipproto] == pr - inetsw) /* IPPROTO_RAW */
928 return (ENOENT);
929
930 /* Reset the protocol slot to IPPROTO_RAW. */
931 ip_protox[ipproto] = pr - inetsw;
932 return (0);
933}
934
935u_char inetctlerrmap[PRC_NCMDS] = {
936 0, 0, 0, 0,
937 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH,
938 EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED,
939 EMSGSIZE, EHOSTUNREACH, 0, 0,
940 0, 0, EHOSTUNREACH, 0,
941 ENOPROTOOPT, ECONNREFUSED
942};
943
944/*
945 * Forward a packet. If some error occurs return the sender
946 * an icmp packet. Note we can't always generate a meaningful
947 * icmp message because icmp doesn't have a large enough repertoire
948 * of codes and types.
949 *
950 * If not forwarding, just drop the packet. This could be confusing
951 * if ipforwarding was zero but some routing protocol was advancing
952 * us as a gateway to somewhere. However, we must let the routing
953 * protocol deal with that.
954 *
955 * The srcrt parameter indicates whether the packet is being forwarded
956 * via a source route.
957 */
958void
959ip_forward(struct mbuf *m, int srcrt)
960{
961 struct ip *ip = mtod(m, struct ip *);
962 struct in_ifaddr *ia;
963 struct mbuf *mcopy;
964 struct sockaddr_in *sin;
965 struct in_addr dest;
966 struct route ro;
967 uint32_t flowid;
968 int error, type = 0, code = 0, mtu = 0;
969
970 NET_EPOCH_ASSERT();
971
972 if (m->m_flags & (M_BCAST|M_MCAST) || in_canforward(ip->ip_dst) == 0) {
973 IPSTAT_INC(ips_cantforward);
974 m_freem(m);
975 return;
976 }
977 if (
978#ifdef IPSTEALTH
979 V_ipstealth == 0 &&
980#endif
981 ip->ip_ttl <= IPTTLDEC) {
982 icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, 0, 0);
983 return;
984 }
985
986 bzero(&ro, sizeof(ro));
987 sin = (struct sockaddr_in *)&ro.ro_dst;
988 sin->sin_family = AF_INET;
989 sin->sin_len = sizeof(*sin);
990 sin->sin_addr = ip->ip_dst;
991 flowid = m->m_pkthdr.flowid;
992 ro.ro_nh = fib4_lookup(M_GETFIB(m), ip->ip_dst, 0, NHR_REF, flowid);
993 if (ro.ro_nh != NULL) {
994 ia = ifatoia(ro.ro_nh->nh_ifa);
995 } else
996 ia = NULL;
997 /*
998 * Save the IP header and at most 8 bytes of the payload,
999 * in case we need to generate an ICMP message to the src.
1000 *
1001 * XXX this can be optimized a lot by saving the data in a local
1002 * buffer on the stack (72 bytes at most), and only allocating the
1003 * mbuf if really necessary. The vast majority of the packets
1004 * are forwarded without having to send an ICMP back (either
1005 * because unnecessary, or because rate limited), so we are
1006 * really we are wasting a lot of work here.
1007 *
1008 * We don't use m_copym() because it might return a reference
1009 * to a shared cluster. Both this function and ip_output()
1010 * assume exclusive access to the IP header in `m', so any
1011 * data in a cluster may change before we reach icmp_error().
1012 */
1013 mcopy = m_gethdr(M_NOWAIT, m->m_type);
1014 if (mcopy != NULL && !m_dup_pkthdr(mcopy, m, M_NOWAIT)) {
1015 /*
1016 * It's probably ok if the pkthdr dup fails (because
1017 * the deep copy of the tag chain failed), but for now
1018 * be conservative and just discard the copy since
1019 * code below may some day want the tags.
1020 */
1021 m_free(mcopy);
1022 mcopy = NULL;
1023 }
1024 if (mcopy != NULL) {
1025 mcopy->m_len = min(ntohs(ip->ip_len), M_TRAILINGSPACE(mcopy));
1026 mcopy->m_pkthdr.len = mcopy->m_len;
1027 m_copydata(m, 0, mcopy->m_len, mtod(mcopy, caddr_t));
1028 }
1029#ifdef IPSTEALTH
1030 if (V_ipstealth == 0)
1031#endif
1032 ip->ip_ttl -= IPTTLDEC;
1033#if defined(IPSEC) || defined(IPSEC_SUPPORT)
1034 if (IPSEC_ENABLED(ipv4)) {
1035 if ((error = IPSEC_FORWARD(ipv4, m)) != 0) {
1036 /* mbuf consumed by IPsec */
1037 RO_NHFREE(&ro);
1038 m_freem(mcopy);
1039 if (error != EINPROGRESS)
1040 IPSTAT_INC(ips_cantforward);
1041 return;
1042 }
1043 /* No IPsec processing required */
1044 }
1045#endif /* IPSEC */
1046 /*
1047 * If forwarding packet using same interface that it came in on,
1048 * perhaps should send a redirect to sender to shortcut a hop.
1049 * Only send redirect if source is sending directly to us,
1050 * and if packet was not source routed (or has any options).
1051 * Also, don't send redirect if forwarding using a default route
1052 * or a route modified by a redirect.
1053 */
1054 dest.s_addr = 0;
1055 if (!srcrt && V_ipsendredirects &&
1056 ia != NULL && ia->ia_ifp == m->m_pkthdr.rcvif) {
1057 struct nhop_object *nh;
1058
1059 nh = ro.ro_nh;
1060
1061 if (nh != NULL && ((nh->nh_flags & (NHF_REDIRECT|NHF_DEFAULT)) == 0)) {
1062 struct in_ifaddr *nh_ia = (struct in_ifaddr *)(nh->nh_ifa);
1063 u_long src = ntohl(ip->ip_src.s_addr);
1064
1065 if (nh_ia != NULL &&
1066 (src & nh_ia->ia_subnetmask) == nh_ia->ia_subnet) {
1067 /* Router requirements says to only send host redirects */
1068 type = ICMP_REDIRECT;
1069 code = ICMP_REDIRECT_HOST;
1070 if (nh->nh_flags & NHF_GATEWAY) {
1071 if (nh->gw_sa.sa_family == AF_INET)
1072 dest.s_addr = nh->gw4_sa.sin_addr.s_addr;
1073 else /* Do not redirect in case gw is AF_INET6 */
1074 type = 0;
1075 } else
1076 dest.s_addr = ip->ip_dst.s_addr;
1077 }
1078 }
1079 }
1080
1081 error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL, NULL);
1082
1083 if (error == EMSGSIZE && ro.ro_nh)
1084 mtu = ro.ro_nh->nh_mtu;
1085 RO_NHFREE(&ro);
1086
1087 if (error)
1088 IPSTAT_INC(ips_cantforward);
1089 else {
1090 IPSTAT_INC(ips_forward);
1091 if (type)
1092 IPSTAT_INC(ips_redirectsent);
1093 else {
1094 if (mcopy)
1095 m_freem(mcopy);
1096 return;
1097 }
1098 }
1099 if (mcopy == NULL)
1100 return;
1101
1102 switch (error) {
1103 case 0: /* forwarded, but need redirect */
1104 /* type, code set above */
1105 break;
1106
1107 case ENETUNREACH:
1108 case EHOSTUNREACH:
1109 case ENETDOWN:
1110 case EHOSTDOWN:
1111 default:
1112 type = ICMP_UNREACH;
1113 code = ICMP_UNREACH_HOST;
1114 break;
1115
1116 case EMSGSIZE:
1117 type = ICMP_UNREACH;
1118 code = ICMP_UNREACH_NEEDFRAG;
1119 /*
1120 * If the MTU was set before make sure we are below the
1121 * interface MTU.
1122 * If the MTU wasn't set before use the interface mtu or
1123 * fall back to the next smaller mtu step compared to the
1124 * current packet size.
1125 */
1126 if (mtu != 0) {
1127 if (ia != NULL)
1128 mtu = min(mtu, ia->ia_ifp->if_mtu);
1129 } else {
1130 if (ia != NULL)
1131 mtu = ia->ia_ifp->if_mtu;
1132 else
1133 mtu = ip_next_mtu(ntohs(ip->ip_len), 0);
1134 }
1135 IPSTAT_INC(ips_cantfrag);
1136 break;
1137
1138 case ENOBUFS:
1139 case EACCES: /* ipfw denied packet */
1140 m_freem(mcopy);
1141 return;
1142 }
1143 icmp_error(mcopy, type, code, dest.s_addr, mtu);
1144}
1145
1146#define CHECK_SO_CT(sp, ct) \
1147 (((sp->so_options & SO_TIMESTAMP) && (sp->so_ts_clock == ct)) ? 1 : 0)
1148
1149void
1150ip_savecontrol(struct inpcb *inp, struct mbuf **mp, struct ip *ip,
1151 struct mbuf *m)
1152{
1153 bool stamped;
1154
1155 stamped = false;
1156 if ((inp->inp_socket->so_options & SO_BINTIME) ||
1157 CHECK_SO_CT(inp->inp_socket, SO_TS_BINTIME)) {
1158 struct bintime boottimebin, bt;
1159 struct timespec ts1;
1160
1161 if ((m->m_flags & (M_PKTHDR | M_TSTMP)) == (M_PKTHDR |
1162 M_TSTMP)) {
1163 mbuf_tstmp2timespec(m, &ts1);
1164 timespec2bintime(&ts1, &bt);
1165 getboottimebin(&boottimebin);
1166 bintime_add(&bt, &boottimebin);
1167 } else {
1168 bintime(&bt);
1169 }
1170 *mp = sbcreatecontrol((caddr_t)&bt, sizeof(bt),
1171 SCM_BINTIME, SOL_SOCKET);
1172 if (*mp != NULL) {
1173 mp = &(*mp)->m_next;
1174 stamped = true;
1175 }
1176 }
1177 if (CHECK_SO_CT(inp->inp_socket, SO_TS_REALTIME_MICRO)) {
1178 struct bintime boottimebin, bt1;
1179 struct timespec ts1;
1180 struct timeval tv;
1181
1182 if ((m->m_flags & (M_PKTHDR | M_TSTMP)) == (M_PKTHDR |
1183 M_TSTMP)) {
1184 mbuf_tstmp2timespec(m, &ts1);
1185 timespec2bintime(&ts1, &bt1);
1186 getboottimebin(&boottimebin);
1187 bintime_add(&bt1, &boottimebin);
1188 bintime2timeval(&bt1, &tv);
1189 } else {
1190 microtime(&tv);
1191 }
1192 *mp = sbcreatecontrol((caddr_t)&tv, sizeof(tv),
1193 SCM_TIMESTAMP, SOL_SOCKET);
1194 if (*mp != NULL) {
1195 mp = &(*mp)->m_next;
1196 stamped = true;
1197 }
1198 } else if (CHECK_SO_CT(inp->inp_socket, SO_TS_REALTIME)) {
1199 struct bintime boottimebin;
1200 struct timespec ts, ts1;
1201
1202 if ((m->m_flags & (M_PKTHDR | M_TSTMP)) == (M_PKTHDR |
1203 M_TSTMP)) {
1204 mbuf_tstmp2timespec(m, &ts);
1205 getboottimebin(&boottimebin);
1206 bintime2timespec(&boottimebin, &ts1);
1207 timespecadd(&ts, &ts1, &ts);
1208 } else {
1209 nanotime(&ts);
1210 }
1211 *mp = sbcreatecontrol((caddr_t)&ts, sizeof(ts),
1212 SCM_REALTIME, SOL_SOCKET);
1213 if (*mp != NULL) {
1214 mp = &(*mp)->m_next;
1215 stamped = true;
1216 }
1217 } else if (CHECK_SO_CT(inp->inp_socket, SO_TS_MONOTONIC)) {
1218 struct timespec ts;
1219
1220 if ((m->m_flags & (M_PKTHDR | M_TSTMP)) == (M_PKTHDR |
1221 M_TSTMP))
1222 mbuf_tstmp2timespec(m, &ts);
1223 else
1224 nanouptime(&ts);
1225 *mp = sbcreatecontrol((caddr_t)&ts, sizeof(ts),
1226 SCM_MONOTONIC, SOL_SOCKET);
1227 if (*mp != NULL) {
1228 mp = &(*mp)->m_next;
1229 stamped = true;
1230 }
1231 }
1232 if (stamped && (m->m_flags & (M_PKTHDR | M_TSTMP)) == (M_PKTHDR |
1233 M_TSTMP)) {
1234 struct sock_timestamp_info sti;
1235
1236 bzero(&sti, sizeof(sti));
1237 sti.st_info_flags = ST_INFO_HW;
1238 if ((m->m_flags & M_TSTMP_HPREC) != 0)
1239 sti.st_info_flags |= ST_INFO_HW_HPREC;
1240 *mp = sbcreatecontrol((caddr_t)&sti, sizeof(sti), SCM_TIME_INFO,
1241 SOL_SOCKET);
1242 if (*mp != NULL)
1243 mp = &(*mp)->m_next;
1244 }
1245 if (inp->inp_flags & INP_RECVDSTADDR) {
1246 *mp = sbcreatecontrol((caddr_t)&ip->ip_dst,
1247 sizeof(struct in_addr), IP_RECVDSTADDR, IPPROTO_IP);
1248 if (*mp)
1249 mp = &(*mp)->m_next;
1250 }
1251 if (inp->inp_flags & INP_RECVTTL) {
1252 *mp = sbcreatecontrol((caddr_t)&ip->ip_ttl,
1253 sizeof(u_char), IP_RECVTTL, IPPROTO_IP);
1254 if (*mp)
1255 mp = &(*mp)->m_next;
1256 }
1257#ifdef notyet
1258 /* XXX
1259 * Moving these out of udp_input() made them even more broken
1260 * than they already were.
1261 */
1262 /* options were tossed already */
1263 if (inp->inp_flags & INP_RECVOPTS) {
1264 *mp = sbcreatecontrol((caddr_t)opts_deleted_above,
1265 sizeof(struct in_addr), IP_RECVOPTS, IPPROTO_IP);
1266 if (*mp)
1267 mp = &(*mp)->m_next;
1268 }
1269 /* ip_srcroute doesn't do what we want here, need to fix */
1270 if (inp->inp_flags & INP_RECVRETOPTS) {
1271 *mp = sbcreatecontrol((caddr_t)ip_srcroute(m),
1272 sizeof(struct in_addr), IP_RECVRETOPTS, IPPROTO_IP);
1273 if (*mp)
1274 mp = &(*mp)->m_next;
1275 }
1276#endif
1277 if (inp->inp_flags & INP_RECVIF) {
1278 struct ifnet *ifp;
1279 struct sdlbuf {
1280 struct sockaddr_dl sdl;
1281 u_char pad[32];
1282 } sdlbuf;
1283 struct sockaddr_dl *sdp;
1284 struct sockaddr_dl *sdl2 = &sdlbuf.sdl;
1285
1286 if ((ifp = m->m_pkthdr.rcvif)) {
1287 sdp = (struct sockaddr_dl *)ifp->if_addr->ifa_addr;
1288 /*
1289 * Change our mind and don't try copy.
1290 */
1291 if (sdp->sdl_family != AF_LINK ||
1292 sdp->sdl_len > sizeof(sdlbuf)) {
1293 goto makedummy;
1294 }
1295 bcopy(sdp, sdl2, sdp->sdl_len);
1296 } else {
1297makedummy:
1298 sdl2->sdl_len =
1299 offsetof(struct sockaddr_dl, sdl_data[0]);
1300 sdl2->sdl_family = AF_LINK;
1301 sdl2->sdl_index = 0;
1302 sdl2->sdl_nlen = sdl2->sdl_alen = sdl2->sdl_slen = 0;
1303 }
1304 *mp = sbcreatecontrol((caddr_t)sdl2, sdl2->sdl_len,
1305 IP_RECVIF, IPPROTO_IP);
1306 if (*mp)
1307 mp = &(*mp)->m_next;
1308 }
1309 if (inp->inp_flags & INP_RECVTOS) {
1310 *mp = sbcreatecontrol((caddr_t)&ip->ip_tos,
1311 sizeof(u_char), IP_RECVTOS, IPPROTO_IP);
1312 if (*mp)
1313 mp = &(*mp)->m_next;
1314 }
1315
1316 if (inp->inp_flags2 & INP_RECVFLOWID) {
1317 uint32_t flowid, flow_type;
1318
1319 flowid = m->m_pkthdr.flowid;
1320 flow_type = M_HASHTYPE_GET(m);
1321
1322 /*
1323 * XXX should handle the failure of one or the
1324 * other - don't populate both?
1325 */
1326 *mp = sbcreatecontrol((caddr_t) &flowid,
1327 sizeof(uint32_t), IP_FLOWID, IPPROTO_IP);
1328 if (*mp)
1329 mp = &(*mp)->m_next;
1330 *mp = sbcreatecontrol((caddr_t) &flow_type,
1331 sizeof(uint32_t), IP_FLOWTYPE, IPPROTO_IP);
1332 if (*mp)
1333 mp = &(*mp)->m_next;
1334 }
1335
1336#ifdef RSS
1337 if (inp->inp_flags2 & INP_RECVRSSBUCKETID) {
1338 uint32_t flowid, flow_type;
1339 uint32_t rss_bucketid;
1340
1341 flowid = m->m_pkthdr.flowid;
1342 flow_type = M_HASHTYPE_GET(m);
1343
1344 if (rss_hash2bucket(flowid, flow_type, &rss_bucketid) == 0) {
1345 *mp = sbcreatecontrol((caddr_t) &rss_bucketid,
1346 sizeof(uint32_t), IP_RSSBUCKETID, IPPROTO_IP);
1347 if (*mp)
1348 mp = &(*mp)->m_next;
1349 }
1350 }
1351#endif
1352}
1353
1354/*
1355 * XXXRW: Multicast routing code in ip_mroute.c is generally MPSAFE, but the
1356 * ip_rsvp and ip_rsvp_on variables need to be interlocked with rsvp_on
1357 * locking. This code remains in ip_input.c as ip_mroute.c is optionally
1358 * compiled.
1359 */
1360VNET_DEFINE_STATIC(int, ip_rsvp_on);
1361VNET_DEFINE(struct socket *, ip_rsvpd);
1362
1363#define V_ip_rsvp_on VNET(ip_rsvp_on)
1364
1365int
1366ip_rsvp_init(struct socket *so)
1367{
1368
1369 if (so->so_type != SOCK_RAW ||
1370 so->so_proto->pr_protocol != IPPROTO_RSVP)
1371 return EOPNOTSUPP;
1372
1373 if (V_ip_rsvpd != NULL)
1374 return EADDRINUSE;
1375
1376 V_ip_rsvpd = so;
1377 /*
1378 * This may seem silly, but we need to be sure we don't over-increment
1379 * the RSVP counter, in case something slips up.
1380 */
1381 if (!V_ip_rsvp_on) {
1382 V_ip_rsvp_on = 1;
1383 V_rsvp_on++;
1384 }
1385
1386 return 0;
1387}
1388
1389int
1390ip_rsvp_done(void)
1391{
1392
1393 V_ip_rsvpd = NULL;
1394 /*
1395 * This may seem silly, but we need to be sure we don't over-decrement
1396 * the RSVP counter, in case something slips up.
1397 */
1398 if (V_ip_rsvp_on) {
1399 V_ip_rsvp_on = 0;
1400 V_rsvp_on--;
1401 }
1402 return 0;
1403}
1404
1405int
1406rsvp_input(struct mbuf **mp, int *offp, int proto)
1407{
1408 struct mbuf *m;
1409
1410 m = *mp;
1411 *mp = NULL;
1412
1413 if (rsvp_input_p) { /* call the real one if loaded */
1414 *mp = m;
1415 rsvp_input_p(mp, offp, proto);
1416 return (IPPROTO_DONE);
1417 }
1418
1419 /* Can still get packets with rsvp_on = 0 if there is a local member
1420 * of the group to which the RSVP packet is addressed. But in this
1421 * case we want to throw the packet away.
1422 */
1423
1424 if (!V_rsvp_on) {
1425 m_freem(m);
1426 return (IPPROTO_DONE);
1427 }
1428
1429 if (V_ip_rsvpd != NULL) {
1430 *mp = m;
1431 rip_input(mp, offp, proto);
1432 return (IPPROTO_DONE);
1433 }
1434 /* Drop the packet */
1435 m_freem(m);
1436 return (IPPROTO_DONE);
1437}
VNET_PCPUSTAT_SYSUNINIT
VNET_PCPUSTAT_SYSUNINIT(igmpstat)
in_ifscrub_all
void in_ifscrub_all(void)
Definition: in.c:1158
in_canforward
int in_canforward(struct in_addr in)
Definition: in.c:250
in_localip_fib
bool in_localip_fib(struct in_addr in, uint16_t fib)
Definition: in.c:148
uint32_t
__uint32_t uint32_t
Definition: in.h:62
uint16_t
__uint16_t uint16_t
Definition: in.h:57
INADDR_BROADCAST
#define INADDR_BROADCAST
Definition: in.h:49
INADDR_ANY
#define INADDR_ANY
Definition: in.h:48
ifatoia
#define ifatoia(ifa)
Definition: in.h:680
IPPROTO_IP
#define IPPROTO_IP
Definition: in.h:43
satosin
#define satosin(sa)
Definition: in.h:678
in_cksum_hdr
u_int in_cksum_hdr(const struct ip *ip)
Definition: in_cksum.c:249
in_fib.h
fib4_lookup
struct nhop_object * fib4_lookup(uint32_t fibnum, struct in_addr dst, uint32_t scopeid, uint32_t flags, uint32_t flowid)
in_kdtrace.h
IP_PROBE
#define IP_PROBE(probe, arg0, arg1, arg2, arg3, arg4, arg5)
Definition: in_kdtrace.h:33
in_pcb.h
INP_RECVRETOPTS
#define INP_RECVRETOPTS
Definition: in_pcb.h:621
INP_RECVTTL
#define INP_RECVTTL
Definition: in_pcb.h:630
INP_RECVTOS
#define INP_RECVTOS
Definition: in_pcb.h:634
INP_RECVFLOWID
#define INP_RECVFLOWID
Definition: in_pcb.h:671
INP_RECVDSTADDR
#define INP_RECVDSTADDR
Definition: in_pcb.h:622
INP_RECVRSSBUCKETID
#define INP_RECVRSSBUCKETID
Definition: in_pcb.h:672
INP_RECVOPTS
#define INP_RECVOPTS
Definition: in_pcb.h:620
INP_RECVIF
#define INP_RECVIF
Definition: in_pcb.h:627
rss_soft_m2cpuid_v4
struct mbuf * rss_soft_m2cpuid_v4(struct mbuf *m, uintptr_t source, u_int *cpuid)
Definition: in_rss.c:372
in_rss.h
in_systm.h
in_var.h
IA_SIN
#define IA_SIN(ia)
Definition: in_var.h:96
INADDR_HASH
#define INADDR_HASH(x)
Definition: in_var.h:124
ip_direct_input
void ip_direct_input(struct mbuf *)
V_in_ifaddrhead
#define V_in_ifaddrhead
Definition: in_var.h:118
V_in_ifaddrhashtbl
#define V_in_ifaddrhashtbl
Definition: in_var.h:117
V_in_ifaddrhmask
#define V_in_ifaddrhmask
Definition: in_var.h:119
INADDR_NHASH
#define INADDR_NHASH
Definition: in_var.h:122
ip_tryforward
struct mbuf * ip_tryforward(struct mbuf *)
Definition: ip_fastfwd.c:233
IPTTLDEC
#define IPTTLDEC
Definition: ip.h:214
ip_len
u_short ip_len
Definition: ip.h:9
IPVERSION
#define IPVERSION
Definition: ip.h:46
IP_OFFMASK
#define IP_OFFMASK
Definition: ip.h:15
IP_MF
#define IP_MF
Definition: ip.h:14
LIST_HEAD
static LIST_HEAD(carp_softc)
Definition: ip_carp.c:333
ip_carp.h
VNET_SYSUNINIT
VNET_SYSUNINIT(divert, SI_SUB_PROTO_DOMAIN, SI_ORDER_THIRD, div_destroy, NULL)
V_ipsendredirects
#define V_ipsendredirects
Definition: ip_fastfwd.c:106
ip_fw.h
ip_icmp.h
ICMP_UNREACH_HOST
#define ICMP_UNREACH_HOST
Definition: ip_icmp.h:156
ICMP_UNREACH_NEEDFRAG
#define ICMP_UNREACH_NEEDFRAG
Definition: ip_icmp.h:159
ip_next_mtu
int ip_next_mtu(int, int)
ICMP_REDIRECT
#define ICMP_REDIRECT
Definition: ip_icmp.h:172
ICMP_REDIRECT_HOST
#define ICMP_REDIRECT_HOST
Definition: ip_icmp.h:174
ICMP_TIMXCEED_INTRANS
#define ICMP_TIMXCEED_INTRANS
Definition: ip_icmp.h:184
ICMP_TIMXCEED
#define ICMP_TIMXCEED
Definition: ip_icmp.h:183
icmp_error
void icmp_error(struct mbuf *, int, int, uint32_t, int)
ICMP_UNREACH
#define ICMP_UNREACH
Definition: ip_icmp.h:154
inetsw
struct protosw inetsw[]
VNET_DEFINE
VNET_DEFINE(int, rsvp_on)
kmod_ipstat_dec
void kmod_ipstat_dec(int statnum)
Definition: ip_input.c:211
ipproto_register
int ipproto_register(short ipproto)
Definition: ip_input.c:884
inetdomain
struct domain inetdomain
sysctl_netinet_intr_queue_maxlen
static int sysctl_netinet_intr_queue_maxlen(SYSCTL_HANDLER_ARGS)
Definition: ip_input.c:218
ipproto_unregister
int ipproto_unregister(short ipproto)
Definition: ip_input.c:915
ip_vnet_init
static void ip_vnet_init(void *arg __unused)
Definition: ip_input.c:304
ip_protox
u_char ip_protox[IPPROTO_MAX]
Definition: ip_input.c:167
VNET_SYSINIT
VNET_SYSINIT(ip_vnet_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_FOURTH, ip_vnet_init, NULL)
CTASSERT
CTASSERT(sizeof(struct in_ifaddrhashhead)==sizeof(LIST_HEAD(, in_addr)))
V_ip_strong_es
#define V_ip_strong_es
Definition: ip_input.c:121
kmod_ipstat_inc
void kmod_ipstat_inc(int statnum)
Definition: ip_input.c:204
SYSINIT
SYSINIT(ip_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_THIRD, ip_init, NULL)
ip_drain
void ip_drain(void)
Definition: ip_input.c:866
inetctlerrmap
u_char inetctlerrmap[PRC_NCMDS]
Definition: ip_input.c:935
ip_savecontrol
void ip_savecontrol(struct inpcb *inp, struct mbuf **mp, struct ip *ip, struct mbuf *m)
Definition: ip_input.c:1150
VNET_DEFINE_STATIC
VNET_DEFINE_STATIC(bool, ip_strong_es)
VNET_PCPUSTAT_SYSINIT
VNET_PCPUSTAT_SYSINIT(ipstat)
SYSCTL_VNET_PCPUSTAT
SYSCTL_VNET_PCPUSTAT(_net_inet_ip, IPCTL_STATS, stats, struct ipstat, ipstat, "IP statistics (struct ipstat, netinet/ip_var.h)")
ip_slowtimo
void ip_slowtimo(void)
Definition: ip_input.c:852
ip_rsvp_init
int ip_rsvp_init(struct socket *so)
Definition: ip_input.c:1366
ip_forward
void ip_forward(struct mbuf *m, int srcrt)
Definition: ip_input.c:959
ip_rsvp_done
int ip_rsvp_done(void)
Definition: ip_input.c:1390
SYSCTL_BOOL
SYSCTL_BOOL(_net_inet_ip, OID_AUTO, rfc1122_strong_es, CTLFLAG_VNET|CTLFLAG_RW, &VNET_NAME(ip_strong_es), false, "Packet's IP destination address must match address on arrival interface")
ip_input
void ip_input(struct mbuf *m)
Definition: ip_input.c:448
__FBSDID
__FBSDID("$FreeBSD$")
V_ip_sav
#define V_ip_sav
Definition: ip_input.c:127
sysctl_netinet_intr_queue_drops
static int sysctl_netinet_intr_queue_drops(SYSCTL_HANDLER_ARGS)
Definition: ip_input.c:236
ip_init
static void ip_init(const void *unused __unused)
Definition: ip_input.c:344
ip_nh
static struct netisr_handler ip_nh
Definition: ip_input.c:134
VNET_PCPUSTAT_DEFINE
VNET_PCPUSTAT_DEFINE(struct ipstat, ipstat)
rsvp_input
int rsvp_input(struct mbuf **mp, int *offp, int proto)
Definition: ip_input.c:1406
CHECK_SO_CT
#define CHECK_SO_CT(sp, ct)
Definition: ip_input.c:1146
V_ip_rsvp_on
#define V_ip_rsvp_on
Definition: ip_input.c:1363
SYSCTL_INT
SYSCTL_INT(_net_inet_ip, IPCTL_FORWARDING, forwarding, CTLFLAG_VNET|CTLFLAG_RW, &VNET_NAME(ipforwarding), 0, "Enable IP forwarding between interfaces")
SYSCTL_PROC
SYSCTL_PROC(_net_inet_ip, IPCTL_INTRQMAXLEN, intr_queue_maxlen, CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_MPSAFE, 0, 0, sysctl_netinet_intr_queue_maxlen, "I", "Maximum size of the IP input queue")
ipreass_slowtimo
void ipreass_slowtimo(void)
Definition: ip_reass.c:592
ipreass_init
void ipreass_init(void)
Definition: ip_reass.c:563
ipreass_drain
void ipreass_drain(void)
Definition: ip_reass.c:614
ip_srcroute
struct mbuf * ip_srcroute(struct mbuf *m0)
Definition: ip_options.c:426
ip_dooptions
int ip_dooptions(struct mbuf *m, int pass)
Definition: ip_options.c:103
ip_options.h
ip_output
int ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags, struct ip_moptions *imo, struct inpcb *inp)
Definition: ip_output.c:320
ip_reass
struct mbuf * ip_reass(struct mbuf *m)
Definition: ip_reass.c:183
ip_var.h
V_ipforwarding
#define V_ipforwarding
Definition: ip_var.h:203
V_ip_rsvpd
#define V_ip_rsvpd
Definition: ip_var.h:208
rsvp_input_p
int(* rsvp_input_p)(struct mbuf **, int *, int)
IPSTAT_INC
#define IPSTAT_INC(name)
Definition: ip_var.h:151
IP_FORWARDING
#define IP_FORWARDING
Definition: ip_var.h:165
V_rsvp_on
#define V_rsvp_on
Definition: ip_var.h:210
V_ip_mrouter
#define V_ip_mrouter
Definition: ip_var.h:209
PFIL_INET_NAME
#define PFIL_INET_NAME
Definition: ip_var.h:250
ip_mforward
int(* ip_mforward)(struct ip *, struct ifnet *, struct mbuf *, struct ip_moptions *)
rip_input
int rip_input(struct mbuf **, int *, int)
V_inet_pfil_head
#define V_inet_pfil_head
Definition: ip_var.h:249
in_addr
Definition: in.h:83
in_addr::s_addr
in_addr_t s_addr
Definition: in.h:84
in_ifaddr
Definition: in_var.h:75
in_ifaddr::ia_ifa
struct ifaddr ia_ifa
Definition: in_var.h:76
in_ifaddr::ia_subnet
u_long ia_subnet
Definition: in_var.h:80
in_ifaddr::ia_subnetmask
u_long ia_subnetmask
Definition: in_var.h:81
inpcb
Definition: in_pcb.h:217
inpcb::inp_socket
struct socket * inp_socket
Definition: in_pcb.h:254
inpcb::inp_flags
int inp_flags
Definition: in_pcb.h:246
inpcb::inp_flags2
int inp_flags2
Definition: in_pcb.h:247
ip
Definition: ip.h:51
ip::ip_p
u_char ip_p
Definition: ip.h:69
ip::ip_dst
struct in_addr ip_src ip_dst
Definition: ip.h:71
ip::ip_tos
u_char ip_tos
Definition: ip.h:60
ip::ip_hl
u_char ip_hl
Definition: ip.h:53
ip::ip_len
u_short ip_len
Definition: ip.h:61
ip::ip_v
u_char ip_v
Definition: ip.h:54
ip::ip_ttl
u_char ip_ttl
Definition: ip.h:68
ip::ip_off
u_short ip_off
Definition: ip.h:63
ipstat
Definition: ip_var.h:106
sockaddr_in
Definition: in.h:97
sockaddr_in::sin_addr
struct in_addr sin_addr
Definition: in.h:101
sockaddr_in::sin_len
uint8_t sin_len
Definition: in.h:98
sockaddr_in::sin_family
sa_family_t sin_family
Definition: in.h:99