freebsd-dev/sys/netinet/ip_fastfwd.c
Kristof Provost effaab8861 netpfil: Introduce PFIL_FWD flag
Forwarded packets passed through PFIL_OUT, which made it difficult for
firewalls to figure out if they were forwarding or producing packets. This in
turn is an issue for pf for IPv6 fragment handling: it needs to call
ip6_output() or ip6_forward() to handle the fragments. Figuring out which was
difficult (and until now, incorrect).
Having pfil distinguish the two removes an ugly piece of code from pf.

Introduce a new variant of the netpfil callbacks with a flags variable, which
has PFIL_FWD set for forwarded packets. This allows pf to reliably work out if
a packet is forwarded.

Reviewed by:	ae, kevans
Differential Revision:	https://reviews.freebsd.org/D13715
2018-03-23 16:56:44 +00:00

438 lines
12 KiB
C

/*-
* SPDX-License-Identifier: BSD-3-Clause
*
* Copyright (c) 2003 Andre Oppermann, Internet Business Solutions AG
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote
* products derived from this software without specific prior written
* permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* ip_fastforward gets its speed from processing the forwarded packet to
* completion (if_output on the other side) without any queues or netisr's.
* The receiving interface DMAs the packet into memory, the upper half of
* driver calls ip_fastforward, we do our routing table lookup and directly
* send it off to the outgoing interface, which DMAs the packet to the
* network card. The only part of the packet we touch with the CPU is the
* IP header (unless there are complex firewall rules touching other parts
* of the packet, but that is up to you). We are essentially limited by bus
* bandwidth and how fast the network card/driver can set up receives and
* transmits.
*
* We handle basic errors, IP header errors, checksum errors,
* destination unreachable, fragmentation and fragmentation needed and
* report them via ICMP to the sender.
*
* Else if something is not pure IPv4 unicast forwarding we fall back to
* the normal ip_input processing path. We should only be called from
* interfaces connected to the outside world.
*
* Firewalling is fully supported including divert, ipfw fwd and ipfilter
* ipnat and address rewrite.
*
* IPSEC is not supported if this host is a tunnel broker. IPSEC is
* supported for connections to/from local host.
*
* We try to do the least expensive (in CPU ops) checks and operations
* first to catch junk with as little overhead as possible.
*
* We take full advantage of hardware support for IP checksum and
* fragmentation offloading.
*
* We don't do ICMP redirect in the fast forwarding path. I have had my own
* cases where two core routers with Zebra routing suite would send millions
* ICMP redirects to connected hosts if the destination router was not the
* default gateway. In one case it was filling the routing table of a host
* with approximately 300.000 cloned redirect entries until it ran out of
* kernel memory. However the networking code proved very robust and it didn't
* crash or fail in other ways.
*/
/*
* Many thanks to Matt Thomas of NetBSD for basic structure of ip_flow.c which
* is being followed here.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include "opt_ipstealth.h"
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/kernel.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/protosw.h>
#include <sys/sdt.h>
#include <sys/socket.h>
#include <sys/sysctl.h>
#include <net/pfil.h>
#include <net/if.h>
#include <net/if_types.h>
#include <net/if_var.h>
#include <net/if_dl.h>
#include <net/route.h>
#include <net/vnet.h>
#include <netinet/in.h>
#include <netinet/in_fib.h>
#include <netinet/in_kdtrace.h>
#include <netinet/in_systm.h>
#include <netinet/in_var.h>
#include <netinet/ip.h>
#include <netinet/ip_var.h>
#include <netinet/ip_icmp.h>
#include <netinet/ip_options.h>
#include <machine/in_cksum.h>
static int
ip_findroute(struct nhop4_basic *pnh, struct in_addr dest, struct mbuf *m)
{
bzero(pnh, sizeof(*pnh));
if (fib4_lookup_nh_basic(M_GETFIB(m), dest, 0, 0, pnh) != 0) {
IPSTAT_INC(ips_noroute);
IPSTAT_INC(ips_cantforward);
icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
return (EHOSTUNREACH);
}
/*
* Drop blackholed traffic and directed broadcasts.
*/
if ((pnh->nh_flags & (NHF_BLACKHOLE | NHF_BROADCAST)) != 0) {
IPSTAT_INC(ips_cantforward);
m_freem(m);
return (EHOSTUNREACH);
}
if (pnh->nh_flags & NHF_REJECT) {
IPSTAT_INC(ips_cantforward);
icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
return (EHOSTUNREACH);
}
return (0);
}
/*
* Try to forward a packet based on the destination address.
* This is a fast path optimized for the plain forwarding case.
* If the packet is handled (and consumed) here then we return NULL;
* otherwise mbuf is returned and the packet should be delivered
* to ip_input for full processing.
*/
struct mbuf *
ip_tryforward(struct mbuf *m)
{
struct ip *ip;
struct mbuf *m0 = NULL;
struct nhop4_basic nh;
struct sockaddr_in dst;
struct in_addr odest, dest;
uint16_t ip_len, ip_off;
int error = 0;
struct m_tag *fwd_tag = NULL;
/*
* Are we active and forwarding packets?
*/
M_ASSERTVALID(m);
M_ASSERTPKTHDR(m);
#ifdef ALTQ
/*
* Is packet dropped by traffic conditioner?
*/
if (altq_input != NULL && (*altq_input)(m, AF_INET) == 0)
goto drop;
#endif
/*
* Only IP packets without options
*/
ip = mtod(m, struct ip *);
if (ip->ip_hl != (sizeof(struct ip) >> 2)) {
if (V_ip_doopts == 1)
return m;
else if (V_ip_doopts == 2) {
icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_FILTER_PROHIB,
0, 0);
return NULL; /* mbuf already free'd */
}
/* else ignore IP options and continue */
}
/*
* Only unicast IP, not from loopback, no L2 or IP broadcast,
* no multicast, no INADDR_ANY
*
* XXX: Probably some of these checks could be direct drop
* conditions. However it is not clear whether there are some
* hacks or obscure behaviours which make it necessary to
* let ip_input handle it. We play safe here and let ip_input
* deal with it until it is proven that we can directly drop it.
*/
if ((m->m_flags & (M_BCAST|M_MCAST)) ||
(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) ||
ntohl(ip->ip_src.s_addr) == (u_long)INADDR_BROADCAST ||
ntohl(ip->ip_dst.s_addr) == (u_long)INADDR_BROADCAST ||
IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
IN_LINKLOCAL(ntohl(ip->ip_src.s_addr)) ||
IN_LINKLOCAL(ntohl(ip->ip_dst.s_addr)) ||
ip->ip_src.s_addr == INADDR_ANY ||
ip->ip_dst.s_addr == INADDR_ANY )
return m;
/*
* Is it for a local address on this host?
*/
if (in_localip(ip->ip_dst))
return m;
IPSTAT_INC(ips_total);
/*
* Step 3: incoming packet firewall processing
*/
odest.s_addr = dest.s_addr = ip->ip_dst.s_addr;
/*
* Run through list of ipfilter hooks for input packets
*/
if (!PFIL_HOOKED(&V_inet_pfil_hook))
goto passin;
if (pfil_run_hooks(
&V_inet_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN, 0, NULL) ||
m == NULL)
goto drop;
M_ASSERTVALID(m);
M_ASSERTPKTHDR(m);
ip = mtod(m, struct ip *); /* m may have changed by pfil hook */
dest.s_addr = ip->ip_dst.s_addr;
/*
* Destination address changed?
*/
if (odest.s_addr != dest.s_addr) {
/*
* Is it now for a local address on this host?
*/
if (in_localip(dest))
goto forwardlocal;
/*
* Go on with new destination address
*/
}
if (m->m_flags & M_FASTFWD_OURS) {
/*
* ipfw changed it for a local address on this host.
*/
goto forwardlocal;
}
passin:
/*
* Step 4: decrement TTL and look up route
*/
/*
* Check TTL
*/
#ifdef IPSTEALTH
if (!V_ipstealth) {
#endif
if (ip->ip_ttl <= IPTTLDEC) {
icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, 0, 0);
return NULL; /* mbuf already free'd */
}
/*
* Decrement the TTL and incrementally change the IP header checksum.
* Don't bother doing this with hw checksum offloading, it's faster
* doing it right here.
*/
ip->ip_ttl -= IPTTLDEC;
if (ip->ip_sum >= (u_int16_t) ~htons(IPTTLDEC << 8))
ip->ip_sum -= ~htons(IPTTLDEC << 8);
else
ip->ip_sum += htons(IPTTLDEC << 8);
#ifdef IPSTEALTH
}
#endif
/*
* Find route to destination.
*/
if (ip_findroute(&nh, dest, m) != 0)
return (NULL); /* icmp unreach already sent */
/*
* Step 5: outgoing firewall packet processing
*/
if (!PFIL_HOOKED(&V_inet_pfil_hook))
goto passout;
if (pfil_run_hooks(&V_inet_pfil_hook, &m, nh.nh_ifp, PFIL_OUT, PFIL_FWD,
NULL) || m == NULL) {
goto drop;
}
M_ASSERTVALID(m);
M_ASSERTPKTHDR(m);
ip = mtod(m, struct ip *);
dest.s_addr = ip->ip_dst.s_addr;
/*
* Destination address changed?
*/
if (m->m_flags & M_IP_NEXTHOP)
fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
if (odest.s_addr != dest.s_addr || fwd_tag != NULL) {
/*
* Is it now for a local address on this host?
*/
if (m->m_flags & M_FASTFWD_OURS || in_localip(dest)) {
forwardlocal:
/*
* Return packet for processing by ip_input().
*/
m->m_flags |= M_FASTFWD_OURS;
return (m);
}
/*
* Redo route lookup with new destination address
*/
if (fwd_tag) {
dest.s_addr = ((struct sockaddr_in *)
(fwd_tag + 1))->sin_addr.s_addr;
m_tag_delete(m, fwd_tag);
m->m_flags &= ~M_IP_NEXTHOP;
}
if (ip_findroute(&nh, dest, m) != 0)
return (NULL); /* icmp unreach already sent */
}
passout:
/*
* Step 6: send off the packet
*/
ip_len = ntohs(ip->ip_len);
ip_off = ntohs(ip->ip_off);
bzero(&dst, sizeof(dst));
dst.sin_family = AF_INET;
dst.sin_len = sizeof(dst);
dst.sin_addr = nh.nh_addr;
/*
* Check if packet fits MTU or if hardware will fragment for us
*/
if (ip_len <= nh.nh_mtu) {
/*
* Avoid confusing lower layers.
*/
m_clrprotoflags(m);
/*
* Send off the packet via outgoing interface
*/
IP_PROBE(send, NULL, NULL, ip, nh.nh_ifp, ip, NULL);
error = (*nh.nh_ifp->if_output)(nh.nh_ifp, m,
(struct sockaddr *)&dst, NULL);
} else {
/*
* Handle EMSGSIZE with icmp reply needfrag for TCP MTU discovery
*/
if (ip_off & IP_DF) {
IPSTAT_INC(ips_cantfrag);
icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG,
0, nh.nh_mtu);
goto consumed;
} else {
/*
* We have to fragment the packet
*/
m->m_pkthdr.csum_flags |= CSUM_IP;
if (ip_fragment(ip, &m, nh.nh_mtu,
nh.nh_ifp->if_hwassist) != 0)
goto drop;
KASSERT(m != NULL, ("null mbuf and no error"));
/*
* Send off the fragments via outgoing interface
*/
error = 0;
do {
m0 = m->m_nextpkt;
m->m_nextpkt = NULL;
/*
* Avoid confusing lower layers.
*/
m_clrprotoflags(m);
IP_PROBE(send, NULL, NULL,
mtod(m, struct ip *), nh.nh_ifp,
mtod(m, struct ip *), NULL);
/* XXX: we can use cached route here */
error = (*nh.nh_ifp->if_output)(nh.nh_ifp, m,
(struct sockaddr *)&dst, NULL);
if (error)
break;
} while ((m = m0) != NULL);
if (error) {
/* Reclaim remaining fragments */
for (m = m0; m; m = m0) {
m0 = m->m_nextpkt;
m_freem(m);
}
} else
IPSTAT_INC(ips_fragmented);
}
}
if (error != 0)
IPSTAT_INC(ips_odropped);
else {
IPSTAT_INC(ips_forward);
IPSTAT_INC(ips_fastforward);
}
consumed:
return NULL;
drop:
if (m)
m_freem(m);
return NULL;
}