8b07e49a00
This particular implementation is designed to be fully backwards compatible
and to be MFC-able to 7.x (and 6.x)
Currently the only protocol that can make use of the multiple tables is IPv4
Similar functionality exists in OpenBSD and Linux.
From my notes:
-----
One thing where FreeBSD has been falling behind, and which by chance I
have some time to work on is "policy based routing", which allows
different
packet streams to be routed by more than just the destination address.
Constraints:
------------
I want to make some form of this available in the 6.x tree
(and by extension 7.x) , but FreeBSD in general needs it so I might as
well do it in -current and back port the portions I need.
One of the ways that this can be done is to have the ability to
instantiate multiple kernel routing tables (which I will now
refer to as "Forwarding Information Bases" or "FIBs" for political
correctness reasons). Which FIB a particular packet uses to make
the next hop decision can be decided by a number of mechanisms.
The policies these mechanisms implement are the "Policies" referred
to in "Policy based routing".
One of the constraints I have if I try to back port this work to
6.x is that it must be implemented as a EXTENSION to the existing
ABIs in 6.x so that third party applications do not need to be
recompiled in timespan of the branch.
This first version will not have some of the bells and whistles that
will come with later versions. It will, for example, be limited to 16
tables in the first commit.
Implementation method, Compatible version. (part 1)
-------------------------------
For this reason I have implemented a "sufficient subset" of a
multiple routing table solution in Perforce, and back-ported it
to 6.x. (also in Perforce though not always caught up with what I
have done in -current/P4). The subset allows a number of FIBs
to be defined at compile time (8 is sufficient for my purposes in 6.x)
and implements the changes needed to allow IPV4 to use them. I have not
done the changes for ipv6 simply because I do not need it, and I do not
have enough knowledge of ipv6 (e.g. neighbor discovery) needed to do it.
Other protocol families are left untouched and should there be
users with proprietary protocol families, they should continue to work
and be oblivious to the existence of the extra FIBs.
To understand how this is done, one must know that the current FIB
code starts everything off with a single dimensional array of
pointers to FIB head structures (One per protocol family), each of
which in turn points to the trie of routes available to that family.
The basic change in the ABI compatible version of the change is to
extent that array to be a 2 dimensional array, so that
instead of protocol family X looking at rt_tables[X] for the
table it needs, it looks at rt_tables[Y][X] when for all
protocol families except ipv4 Y is always 0.
Code that is unaware of the change always just sees the first row
of the table, which of course looks just like the one dimensional
array that existed before.
The entry points rtrequest(), rtalloc(), rtalloc1(), rtalloc_ign()
are all maintained, but refer only to the first row of the array,
so that existing callers in proprietary protocols can continue to
do the "right thing".
Some new entry points are added, for the exclusive use of ipv4 code
called in_rtrequest(), in_rtalloc(), in_rtalloc1() and in_rtalloc_ign(),
which have an extra argument which refers the code to the correct row.
In addition, there are some new entry points (currently called
rtalloc_fib() and friends) that check the Address family being
looked up and call either rtalloc() (and friends) if the protocol
is not IPv4 forcing the action to row 0 or to the appropriate row
if it IS IPv4 (and that info is available). These are for calling
from code that is not specific to any particular protocol. The way
these are implemented would change in the non ABI preserving code
to be added later.
One feature of the first version of the code is that for ipv4,
the interface routes show up automatically on all the FIBs, so
that no matter what FIB you select you always have the basic
direct attached hosts available to you. (rtinit() does this
automatically).
You CAN delete an interface route from one FIB should you want
to but by default it's there. ARP information is also available
in each FIB. It's assumed that the same machine would have the
same MAC address, regardless of which FIB you are using to get
to it.
This brings us as to how the correct FIB is selected for an outgoing
IPV4 packet.
Firstly, all packets have a FIB associated with them. if nothing
has been done to change it, it will be FIB 0. The FIB is changed
in the following ways.
Packets fall into one of a number of classes.
1/ locally generated packets, coming from a socket/PCB.
Such packets select a FIB from a number associated with the
socket/PCB. This in turn is inherited from the process,
but can be changed by a socket option. The process in turn
inherits it on fork. I have written a utility call setfib
that acts a bit like nice..
setfib -3 ping target.example.com # will use fib 3 for ping.
It is an obvious extension to make it a property of a jail
but I have not done so. It can be achieved by combining the setfib and
jail commands.
2/ packets received on an interface for forwarding.
By default these packets would use table 0,
(or possibly a number settable in a sysctl(not yet)).
but prior to routing the firewall can inspect them (see below).
(possibly in the future you may be able to associate a FIB
with packets received on an interface.. An ifconfig arg, but not yet.)
3/ packets inspected by a packet classifier, which can arbitrarily
associate a fib with it on a packet by packet basis.
A fib assigned to a packet by a packet classifier
(such as ipfw) would over-ride a fib associated by
a more default source. (such as cases 1 or 2).
4/ a tcp listen socket associated with a fib will generate
accept sockets that are associated with that same fib.
5/ Packets generated in response to some other packet (e.g. reset
or icmp packets). These should use the FIB associated with the
packet being reponded to.
6/ Packets generated during encapsulation.
gif, tun and other tunnel interfaces will encapsulate using the FIB
that was in effect withthe proces that set up the tunnel.
thus setfib 1 ifconfig gif0 [tunnel instructions]
will set the fib for the tunnel to use to be fib 1.
Routing messages would be associated with their
process, and thus select one FIB or another.
messages from the kernel would be associated with the fib they
refer to and would only be received by a routing socket associated
with that fib. (not yet implemented)
In addition Netstat has been edited to be able to cope with the
fact that the array is now 2 dimensional. (It looks in system
memory using libkvm (!)). Old versions of netstat see only the first FIB.
In addition two sysctls are added to give:
a) the number of FIBs compiled in (active)
b) the default FIB of the calling process.
Early testing experience:
-------------------------
Basically our (IronPort's) appliance does this functionality already
using ipfw fwd but that method has some drawbacks.
For example,
It can't fully simulate a routing table because it can't influence the
socket's choice of local address when a connect() is done.
Testing during the generating of these changes has been
remarkably smooth so far. Multiple tables have co-existed
with no notable side effects, and packets have been routes
accordingly.
ipfw has grown 2 new keywords:
setfib N ip from anay to any
count ip from any to any fib N
In pf there seems to be a requirement to be able to give symbolic names to the
fibs but I do not have that capacity. I am not sure if it is required.
SCTP has interestingly enough built in support for this, called VRFs
in Cisco parlance. it will be interesting to see how that handles it
when it suddenly actually does something.
Where to next:
--------------------
After committing the ABI compatible version and MFCing it, I'd
like to proceed in a forward direction in -current. this will
result in some roto-tilling in the routing code.
Firstly: the current code's idea of having a separate tree per
protocol family, all of the same format, and pointed to by the
1 dimensional array is a bit silly. Especially when one considers that
there is code that makes assumptions about every protocol having the
same internal structures there. Some protocols don't WANT that
sort of structure. (for example the whole idea of a netmask is foreign
to appletalk). This needs to be made opaque to the external code.
My suggested first change is to add routing method pointers to the
'domain' structure, along with information pointing the data.
instead of having an array of pointers to uniform structures,
there would be an array pointing to the 'domain' structures
for each protocol address domain (protocol family),
and the methods this reached would be called. The methods would have
an argument that gives FIB number, but the protocol would be free
to ignore it.
When the ABI can be changed it raises the possibilty of the
addition of a fib entry into the "struct route". Currently,
the structure contains the sockaddr of the desination, and the resulting
fib entry. To make this work fully, one could add a fib number
so that given an address and a fib, one can find the third element, the
fib entry.
Interaction with the ARP layer/ LL layer would need to be
revisited as well. Qing Li has been working on this already.
This work was sponsored by Ironport Systems/Cisco
Reviewed by: several including rwatson, bz and mlair (parts each)
Obtained from: Ironport systems/Cisco
614 lines
16 KiB
C
614 lines
16 KiB
C
/*-
|
|
* Copyright (c) 2003 Andre Oppermann, Internet Business Solutions AG
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 3. The name of the author may not be used to endorse or promote
|
|
* products derived from this software without specific prior written
|
|
* permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*/
|
|
|
|
/*
|
|
* ip_fastforward gets its speed from processing the forwarded packet to
|
|
* completion (if_output on the other side) without any queues or netisr's.
|
|
* The receiving interface DMAs the packet into memory, the upper half of
|
|
* driver calls ip_fastforward, we do our routing table lookup and directly
|
|
* send it off to the outgoing interface, which DMAs the packet to the
|
|
* network card. The only part of the packet we touch with the CPU is the
|
|
* IP header (unless there are complex firewall rules touching other parts
|
|
* of the packet, but that is up to you). We are essentially limited by bus
|
|
* bandwidth and how fast the network card/driver can set up receives and
|
|
* transmits.
|
|
*
|
|
* We handle basic errors, IP header errors, checksum errors,
|
|
* destination unreachable, fragmentation and fragmentation needed and
|
|
* report them via ICMP to the sender.
|
|
*
|
|
* Else if something is not pure IPv4 unicast forwarding we fall back to
|
|
* the normal ip_input processing path. We should only be called from
|
|
* interfaces connected to the outside world.
|
|
*
|
|
* Firewalling is fully supported including divert, ipfw fwd and ipfilter
|
|
* ipnat and address rewrite.
|
|
*
|
|
* IPSEC is not supported if this host is a tunnel broker. IPSEC is
|
|
* supported for connections to/from local host.
|
|
*
|
|
* We try to do the least expensive (in CPU ops) checks and operations
|
|
* first to catch junk with as little overhead as possible.
|
|
*
|
|
* We take full advantage of hardware support for IP checksum and
|
|
* fragmentation offloading.
|
|
*
|
|
* We don't do ICMP redirect in the fast forwarding path. I have had my own
|
|
* cases where two core routers with Zebra routing suite would send millions
|
|
* ICMP redirects to connected hosts if the destination router was not the
|
|
* default gateway. In one case it was filling the routing table of a host
|
|
* with approximately 300.000 cloned redirect entries until it ran out of
|
|
* kernel memory. However the networking code proved very robust and it didn't
|
|
* crash or fail in other ways.
|
|
*/
|
|
|
|
/*
|
|
* Many thanks to Matt Thomas of NetBSD for basic structure of ip_flow.c which
|
|
* is being followed here.
|
|
*/
|
|
|
|
#include <sys/cdefs.h>
|
|
__FBSDID("$FreeBSD$");
|
|
|
|
#include "opt_ipfw.h"
|
|
#include "opt_ipstealth.h"
|
|
|
|
#include <sys/param.h>
|
|
#include <sys/systm.h>
|
|
#include <sys/kernel.h>
|
|
#include <sys/malloc.h>
|
|
#include <sys/mbuf.h>
|
|
#include <sys/protosw.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/sysctl.h>
|
|
|
|
#include <net/pfil.h>
|
|
#include <net/if.h>
|
|
#include <net/if_types.h>
|
|
#include <net/if_var.h>
|
|
#include <net/if_dl.h>
|
|
#include <net/route.h>
|
|
|
|
#include <netinet/in.h>
|
|
#include <netinet/in_systm.h>
|
|
#include <netinet/in_var.h>
|
|
#include <netinet/ip.h>
|
|
#include <netinet/ip_var.h>
|
|
#include <netinet/ip_icmp.h>
|
|
#include <netinet/ip_options.h>
|
|
|
|
#include <machine/in_cksum.h>
|
|
|
|
static int ipfastforward_active = 0;
|
|
SYSCTL_INT(_net_inet_ip, OID_AUTO, fastforwarding, CTLFLAG_RW,
|
|
&ipfastforward_active, 0, "Enable fast IP forwarding");
|
|
|
|
static struct sockaddr_in *
|
|
ip_findroute(struct route *ro, struct in_addr dest, struct mbuf *m)
|
|
{
|
|
struct sockaddr_in *dst;
|
|
struct rtentry *rt;
|
|
|
|
/*
|
|
* Find route to destination.
|
|
*/
|
|
bzero(ro, sizeof(*ro));
|
|
dst = (struct sockaddr_in *)&ro->ro_dst;
|
|
dst->sin_family = AF_INET;
|
|
dst->sin_len = sizeof(*dst);
|
|
dst->sin_addr.s_addr = dest.s_addr;
|
|
in_rtalloc_ign(ro, RTF_CLONING, M_GETFIB(m));
|
|
|
|
/*
|
|
* Route there and interface still up?
|
|
*/
|
|
rt = ro->ro_rt;
|
|
if (rt && (rt->rt_flags & RTF_UP) &&
|
|
(rt->rt_ifp->if_flags & IFF_UP) &&
|
|
(rt->rt_ifp->if_drv_flags & IFF_DRV_RUNNING)) {
|
|
if (rt->rt_flags & RTF_GATEWAY)
|
|
dst = (struct sockaddr_in *)rt->rt_gateway;
|
|
} else {
|
|
ipstat.ips_noroute++;
|
|
ipstat.ips_cantforward++;
|
|
if (rt)
|
|
RTFREE(rt);
|
|
icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
|
|
return NULL;
|
|
}
|
|
return dst;
|
|
}
|
|
|
|
/*
|
|
* Try to forward a packet based on the destination address.
|
|
* This is a fast path optimized for the plain forwarding case.
|
|
* If the packet is handled (and consumed) here then we return 1;
|
|
* otherwise 0 is returned and the packet should be delivered
|
|
* to ip_input for full processing.
|
|
*/
|
|
struct mbuf *
|
|
ip_fastforward(struct mbuf *m)
|
|
{
|
|
struct ip *ip;
|
|
struct mbuf *m0 = NULL;
|
|
struct route ro;
|
|
struct sockaddr_in *dst = NULL;
|
|
struct ifnet *ifp;
|
|
struct in_addr odest, dest;
|
|
u_short sum, ip_len;
|
|
int error = 0;
|
|
int hlen, mtu;
|
|
#ifdef IPFIREWALL_FORWARD
|
|
struct m_tag *fwd_tag;
|
|
#endif
|
|
|
|
/*
|
|
* Are we active and forwarding packets?
|
|
*/
|
|
if (!ipfastforward_active || !ipforwarding)
|
|
return m;
|
|
|
|
M_ASSERTVALID(m);
|
|
M_ASSERTPKTHDR(m);
|
|
|
|
ro.ro_rt = NULL;
|
|
|
|
/*
|
|
* Step 1: check for packet drop conditions (and sanity checks)
|
|
*/
|
|
|
|
/*
|
|
* Is entire packet big enough?
|
|
*/
|
|
if (m->m_pkthdr.len < sizeof(struct ip)) {
|
|
ipstat.ips_tooshort++;
|
|
goto drop;
|
|
}
|
|
|
|
/*
|
|
* Is first mbuf large enough for ip header and is header present?
|
|
*/
|
|
if (m->m_len < sizeof (struct ip) &&
|
|
(m = m_pullup(m, sizeof (struct ip))) == NULL) {
|
|
ipstat.ips_toosmall++;
|
|
return NULL; /* mbuf already free'd */
|
|
}
|
|
|
|
ip = mtod(m, struct ip *);
|
|
|
|
/*
|
|
* Is it IPv4?
|
|
*/
|
|
if (ip->ip_v != IPVERSION) {
|
|
ipstat.ips_badvers++;
|
|
goto drop;
|
|
}
|
|
|
|
/*
|
|
* Is IP header length correct and is it in first mbuf?
|
|
*/
|
|
hlen = ip->ip_hl << 2;
|
|
if (hlen < sizeof(struct ip)) { /* minimum header length */
|
|
ipstat.ips_badlen++;
|
|
goto drop;
|
|
}
|
|
if (hlen > m->m_len) {
|
|
if ((m = m_pullup(m, hlen)) == NULL) {
|
|
ipstat.ips_badhlen++;
|
|
return NULL; /* mbuf already free'd */
|
|
}
|
|
ip = mtod(m, struct ip *);
|
|
}
|
|
|
|
/*
|
|
* Checksum correct?
|
|
*/
|
|
if (m->m_pkthdr.csum_flags & CSUM_IP_CHECKED)
|
|
sum = !(m->m_pkthdr.csum_flags & CSUM_IP_VALID);
|
|
else {
|
|
if (hlen == sizeof(struct ip))
|
|
sum = in_cksum_hdr(ip);
|
|
else
|
|
sum = in_cksum(m, hlen);
|
|
}
|
|
if (sum) {
|
|
ipstat.ips_badsum++;
|
|
goto drop;
|
|
}
|
|
|
|
/*
|
|
* Remember that we have checked the IP header and found it valid.
|
|
*/
|
|
m->m_pkthdr.csum_flags |= (CSUM_IP_CHECKED | CSUM_IP_VALID);
|
|
|
|
ip_len = ntohs(ip->ip_len);
|
|
|
|
/*
|
|
* Is IP length longer than packet we have got?
|
|
*/
|
|
if (m->m_pkthdr.len < ip_len) {
|
|
ipstat.ips_tooshort++;
|
|
goto drop;
|
|
}
|
|
|
|
/*
|
|
* Is packet longer than IP header tells us? If yes, truncate packet.
|
|
*/
|
|
if (m->m_pkthdr.len > ip_len) {
|
|
if (m->m_len == m->m_pkthdr.len) {
|
|
m->m_len = ip_len;
|
|
m->m_pkthdr.len = ip_len;
|
|
} else
|
|
m_adj(m, ip_len - m->m_pkthdr.len);
|
|
}
|
|
|
|
/*
|
|
* Is packet from or to 127/8?
|
|
*/
|
|
if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
|
|
(ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
|
|
ipstat.ips_badaddr++;
|
|
goto drop;
|
|
}
|
|
|
|
#ifdef ALTQ
|
|
/*
|
|
* Is packet dropped by traffic conditioner?
|
|
*/
|
|
if (altq_input != NULL && (*altq_input)(m, AF_INET) == 0)
|
|
goto drop;
|
|
#endif
|
|
|
|
/*
|
|
* Step 2: fallback conditions to normal ip_input path processing
|
|
*/
|
|
|
|
/*
|
|
* Only IP packets without options
|
|
*/
|
|
if (ip->ip_hl != (sizeof(struct ip) >> 2)) {
|
|
if (ip_doopts == 1)
|
|
return m;
|
|
else if (ip_doopts == 2) {
|
|
icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_FILTER_PROHIB,
|
|
0, 0);
|
|
return NULL; /* mbuf already free'd */
|
|
}
|
|
/* else ignore IP options and continue */
|
|
}
|
|
|
|
/*
|
|
* Only unicast IP, not from loopback, no L2 or IP broadcast,
|
|
* no multicast, no INADDR_ANY
|
|
*
|
|
* XXX: Probably some of these checks could be direct drop
|
|
* conditions. However it is not clear whether there are some
|
|
* hacks or obscure behaviours which make it neccessary to
|
|
* let ip_input handle it. We play safe here and let ip_input
|
|
* deal with it until it is proven that we can directly drop it.
|
|
*/
|
|
if ((m->m_flags & (M_BCAST|M_MCAST)) ||
|
|
(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) ||
|
|
ntohl(ip->ip_src.s_addr) == (u_long)INADDR_BROADCAST ||
|
|
ntohl(ip->ip_dst.s_addr) == (u_long)INADDR_BROADCAST ||
|
|
IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
|
|
IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
|
|
IN_LINKLOCAL(ntohl(ip->ip_src.s_addr)) ||
|
|
IN_LINKLOCAL(ntohl(ip->ip_dst.s_addr)) ||
|
|
ip->ip_src.s_addr == INADDR_ANY ||
|
|
ip->ip_dst.s_addr == INADDR_ANY )
|
|
return m;
|
|
|
|
/*
|
|
* Is it for a local address on this host?
|
|
*/
|
|
if (in_localip(ip->ip_dst))
|
|
return m;
|
|
|
|
ipstat.ips_total++;
|
|
|
|
/*
|
|
* Step 3: incoming packet firewall processing
|
|
*/
|
|
|
|
/*
|
|
* Convert to host representation
|
|
*/
|
|
ip->ip_len = ntohs(ip->ip_len);
|
|
ip->ip_off = ntohs(ip->ip_off);
|
|
|
|
odest.s_addr = dest.s_addr = ip->ip_dst.s_addr;
|
|
|
|
/*
|
|
* Run through list of ipfilter hooks for input packets
|
|
*/
|
|
if (!PFIL_HOOKED(&inet_pfil_hook))
|
|
goto passin;
|
|
|
|
if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN, NULL) ||
|
|
m == NULL)
|
|
goto drop;
|
|
|
|
M_ASSERTVALID(m);
|
|
M_ASSERTPKTHDR(m);
|
|
|
|
ip = mtod(m, struct ip *); /* m may have changed by pfil hook */
|
|
dest.s_addr = ip->ip_dst.s_addr;
|
|
|
|
/*
|
|
* Destination address changed?
|
|
*/
|
|
if (odest.s_addr != dest.s_addr) {
|
|
/*
|
|
* Is it now for a local address on this host?
|
|
*/
|
|
if (in_localip(dest))
|
|
goto forwardlocal;
|
|
/*
|
|
* Go on with new destination address
|
|
*/
|
|
}
|
|
#ifdef IPFIREWALL_FORWARD
|
|
if (m->m_flags & M_FASTFWD_OURS) {
|
|
/*
|
|
* ipfw changed it for a local address on this host.
|
|
*/
|
|
goto forwardlocal;
|
|
}
|
|
#endif /* IPFIREWALL_FORWARD */
|
|
|
|
passin:
|
|
/*
|
|
* Step 4: decrement TTL and look up route
|
|
*/
|
|
|
|
/*
|
|
* Check TTL
|
|
*/
|
|
#ifdef IPSTEALTH
|
|
if (!ipstealth) {
|
|
#endif
|
|
if (ip->ip_ttl <= IPTTLDEC) {
|
|
icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, 0, 0);
|
|
return NULL; /* mbuf already free'd */
|
|
}
|
|
|
|
/*
|
|
* Decrement the TTL and incrementally change the IP header checksum.
|
|
* Don't bother doing this with hw checksum offloading, it's faster
|
|
* doing it right here.
|
|
*/
|
|
ip->ip_ttl -= IPTTLDEC;
|
|
if (ip->ip_sum >= (u_int16_t) ~htons(IPTTLDEC << 8))
|
|
ip->ip_sum -= ~htons(IPTTLDEC << 8);
|
|
else
|
|
ip->ip_sum += htons(IPTTLDEC << 8);
|
|
#ifdef IPSTEALTH
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* Find route to destination.
|
|
*/
|
|
if ((dst = ip_findroute(&ro, dest, m)) == NULL)
|
|
return NULL; /* icmp unreach already sent */
|
|
ifp = ro.ro_rt->rt_ifp;
|
|
|
|
/*
|
|
* Immediately drop blackholed traffic, and directed broadcasts
|
|
* for either the all-ones or all-zero subnet addresses on
|
|
* locally attached networks.
|
|
*/
|
|
if ((ro.ro_rt->rt_flags & (RTF_BLACKHOLE|RTF_BROADCAST)) != 0)
|
|
goto drop;
|
|
|
|
/*
|
|
* Step 5: outgoing firewall packet processing
|
|
*/
|
|
|
|
/*
|
|
* Run through list of hooks for output packets.
|
|
*/
|
|
if (!PFIL_HOOKED(&inet_pfil_hook))
|
|
goto passout;
|
|
|
|
if (pfil_run_hooks(&inet_pfil_hook, &m, ifp, PFIL_OUT, NULL) || m == NULL) {
|
|
goto drop;
|
|
}
|
|
|
|
M_ASSERTVALID(m);
|
|
M_ASSERTPKTHDR(m);
|
|
|
|
ip = mtod(m, struct ip *);
|
|
dest.s_addr = ip->ip_dst.s_addr;
|
|
|
|
/*
|
|
* Destination address changed?
|
|
*/
|
|
#ifndef IPFIREWALL_FORWARD
|
|
if (odest.s_addr != dest.s_addr) {
|
|
#else
|
|
fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
|
|
if (odest.s_addr != dest.s_addr || fwd_tag != NULL) {
|
|
#endif /* IPFIREWALL_FORWARD */
|
|
/*
|
|
* Is it now for a local address on this host?
|
|
*/
|
|
#ifndef IPFIREWALL_FORWARD
|
|
if (in_localip(dest)) {
|
|
#else
|
|
if (m->m_flags & M_FASTFWD_OURS || in_localip(dest)) {
|
|
#endif /* IPFIREWALL_FORWARD */
|
|
forwardlocal:
|
|
/*
|
|
* Return packet for processing by ip_input().
|
|
* Keep host byte order as expected at ip_input's
|
|
* "ours"-label.
|
|
*/
|
|
m->m_flags |= M_FASTFWD_OURS;
|
|
if (ro.ro_rt)
|
|
RTFREE(ro.ro_rt);
|
|
return m;
|
|
}
|
|
/*
|
|
* Redo route lookup with new destination address
|
|
*/
|
|
#ifdef IPFIREWALL_FORWARD
|
|
if (fwd_tag) {
|
|
dest.s_addr = ((struct sockaddr_in *)
|
|
(fwd_tag + 1))->sin_addr.s_addr;
|
|
m_tag_delete(m, fwd_tag);
|
|
}
|
|
#endif /* IPFIREWALL_FORWARD */
|
|
RTFREE(ro.ro_rt);
|
|
if ((dst = ip_findroute(&ro, dest, m)) == NULL)
|
|
return NULL; /* icmp unreach already sent */
|
|
ifp = ro.ro_rt->rt_ifp;
|
|
}
|
|
|
|
passout:
|
|
/*
|
|
* Step 6: send off the packet
|
|
*/
|
|
|
|
/*
|
|
* Check if route is dampned (when ARP is unable to resolve)
|
|
*/
|
|
if ((ro.ro_rt->rt_flags & RTF_REJECT) &&
|
|
(ro.ro_rt->rt_rmx.rmx_expire == 0 ||
|
|
time_uptime < ro.ro_rt->rt_rmx.rmx_expire)) {
|
|
icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
|
|
goto consumed;
|
|
}
|
|
|
|
#ifndef ALTQ
|
|
/*
|
|
* Check if there is enough space in the interface queue
|
|
*/
|
|
if ((ifp->if_snd.ifq_len + ip->ip_len / ifp->if_mtu + 1) >=
|
|
ifp->if_snd.ifq_maxlen) {
|
|
ipstat.ips_odropped++;
|
|
/* would send source quench here but that is depreciated */
|
|
goto drop;
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* Check if media link state of interface is not down
|
|
*/
|
|
if (ifp->if_link_state == LINK_STATE_DOWN) {
|
|
icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
|
|
goto consumed;
|
|
}
|
|
|
|
/*
|
|
* Check if packet fits MTU or if hardware will fragment for us
|
|
*/
|
|
if (ro.ro_rt->rt_rmx.rmx_mtu)
|
|
mtu = min(ro.ro_rt->rt_rmx.rmx_mtu, ifp->if_mtu);
|
|
else
|
|
mtu = ifp->if_mtu;
|
|
|
|
if (ip->ip_len <= mtu ||
|
|
(ifp->if_hwassist & CSUM_FRAGMENT && (ip->ip_off & IP_DF) == 0)) {
|
|
/*
|
|
* Restore packet header fields to original values
|
|
*/
|
|
ip->ip_len = htons(ip->ip_len);
|
|
ip->ip_off = htons(ip->ip_off);
|
|
/*
|
|
* Send off the packet via outgoing interface
|
|
*/
|
|
error = (*ifp->if_output)(ifp, m,
|
|
(struct sockaddr *)dst, ro.ro_rt);
|
|
} else {
|
|
/*
|
|
* Handle EMSGSIZE with icmp reply needfrag for TCP MTU discovery
|
|
*/
|
|
if (ip->ip_off & IP_DF) {
|
|
ipstat.ips_cantfrag++;
|
|
icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG,
|
|
0, mtu);
|
|
goto consumed;
|
|
} else {
|
|
/*
|
|
* We have to fragment the packet
|
|
*/
|
|
m->m_pkthdr.csum_flags |= CSUM_IP;
|
|
/*
|
|
* ip_fragment expects ip_len and ip_off in host byte
|
|
* order but returns all packets in network byte order
|
|
*/
|
|
if (ip_fragment(ip, &m, mtu, ifp->if_hwassist,
|
|
(~ifp->if_hwassist & CSUM_DELAY_IP))) {
|
|
goto drop;
|
|
}
|
|
KASSERT(m != NULL, ("null mbuf and no error"));
|
|
/*
|
|
* Send off the fragments via outgoing interface
|
|
*/
|
|
error = 0;
|
|
do {
|
|
m0 = m->m_nextpkt;
|
|
m->m_nextpkt = NULL;
|
|
|
|
error = (*ifp->if_output)(ifp, m,
|
|
(struct sockaddr *)dst, ro.ro_rt);
|
|
if (error)
|
|
break;
|
|
} while ((m = m0) != NULL);
|
|
if (error) {
|
|
/* Reclaim remaining fragments */
|
|
for (m = m0; m; m = m0) {
|
|
m0 = m->m_nextpkt;
|
|
m_freem(m);
|
|
}
|
|
} else
|
|
ipstat.ips_fragmented++;
|
|
}
|
|
}
|
|
|
|
if (error != 0)
|
|
ipstat.ips_odropped++;
|
|
else {
|
|
ro.ro_rt->rt_rmx.rmx_pksent++;
|
|
ipstat.ips_forward++;
|
|
ipstat.ips_fastforward++;
|
|
}
|
|
consumed:
|
|
RTFREE(ro.ro_rt);
|
|
return NULL;
|
|
drop:
|
|
if (m)
|
|
m_freem(m);
|
|
if (ro.ro_rt)
|
|
RTFREE(ro.ro_rt);
|
|
return NULL;
|
|
}
|