From 1025071f85e8ea0ea29fc0905261a7bb4c10df50 Mon Sep 17 00:00:00 2001
From: Garrett Wollman
Date: Thu, 16 Mar 1995 18:22:28 +0000
Subject: [PATCH] Reject source routes unless configured on by administrator.

---
 sys/netinet/in.h | 4 +++-
 sys/netinet/ip_input.c | 38 +++++++++++++++++++++-----------------
 2 files changed, 24 insertions(+), 18 deletions(-)

diff --git a/sys/netinet/in.h b/sys/netinet/in.h
index 5c83a2e2f5d4..b9f8b1d4ed8c 100644
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@@ -229,7 +229,8 @@ struct ip_mreq {
 #define IPCTL_RTEXPIRE 5 /* cloned route expiration time */
 #define IPCTL_RTMINEXPIRE 6 /* min value for expiration time */
 #define IPCTL_RTMAXCACHE 7 /* trigger level for dynamic expire */
-#define IPCTL_MAXID 8
+#define IPCTL_SOURCEROUTE 8 /* may perform source routes */
+#define IPCTL_MAXID 9
 
 #define IPCTL_NAMES { \
 { 0, 0 }, \
@@ -240,6 +241,7 @@ struct ip_mreq {
 { "rtexpire", CTLTYPE_INT }, \
 { "rtminexpire", CTLTYPE_INT }, \
 { "rtmaxcache", CTLTYPE_INT }, \
+ { "sourceroute", CTLTYPE_INT }, \
 }
 
 
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index d65df326e5ed..a1391a695dea 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  * @(#)ip_input.c 8.2 (Berkeley) 1/4/94
- * $Id: ip_input.c,v 1.17 1995/02/14 23:04:52 wollman Exp $
+ * $Id: ip_input.c,v 1.18 1995/03/16 18:14:55 bde Exp $
  */
 
 #include
@@ -44,6 +44,8 @@
 #include
 #include
 #include
+#include
+
 
 #include
 #include
@@ -77,6 +79,7 @@ struct socket *ip_rsvpd;
 int ipforwarding = IPFORWARDING;
 int ipsendredirects = IPSENDREDIRECTS;
 int ip_defttl = IPDEFTTL;
+int ip_dosourceroute = 0;
 #ifdef DIAGNOSTIC
 int ipprintfs = 0;
 #endif
@@ -106,11 +109,6 @@ static struct ip_srcrt {
 struct in_addr route[MAX_IPOPTLEN/sizeof(struct in_addr)];
 } ip_srcrt;
 
-#ifdef GATEWAY
-extern int if_index;
-u_long *ip_ifmatrix;
-#endif
-
 static void save_rte __P((u_char *, struct in_addr));
 /*
  * IP initialization: fill in IP protocol switch table.
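Review bot: `int ip_dosourceroute = 0;` is the new administrator switch but, unlike the IPCTL_SOURCEROUTE entry in in.h, carries no comment saying what a non-zero value permits or how it is set. A trailing comment, e.g. `int ip_dosourceroute = 0;	/* perform LSRR/SSRR hops? off by default; "sourceroute" sysctl */`, would document the control where it is defined. Defaulting to 0 is the right choice, since the check in ip_dooptions() only tests the value for non-zero.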
@@ -135,11 +133,6 @@ ip_init()
 ipq.next = ipq.prev = &ipq;
 ip_id = time.tv_sec & 0xffff;
 ipintrq.ifq_maxlen = ipqmaxlen;
-#ifdef GATEWAY
- i = (if_index + 1) * (if_index + 1) * sizeof (u_long);
- ip_ifmatrix = (u_long *) malloc(i, M_RTABLE, M_WAITOK);
- bzero((char *)ip_ifmatrix, i);
-#endif
 }
 
 struct sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET };
@@ -746,11 +739,25 @@ ip_dooptions(m)
 save_rte(cp, ip->ip_src);
 break;
 }
+
+ if (!ip_dosourceroute) {
+ char buf[4*sizeof "123"];
+ strcpy(buf, inet_ntoa(ip->ip_dst));
+
+ log(LOG_WARNING,
+ "attempted source route from %s to %s\n",
+ inet_ntoa(ip->ip_src), buf);
+ type = ICMP_UNREACH;
+ code = ICMP_UNREACH_SRCFAIL;
+ goto bad;
+ }
+
 /*
  * locate outgoing interface
  */
 bcopy((caddr_t)(cp + off), (caddr_t)&ipaddr.sin_addr,
 sizeof(ipaddr.sin_addr));
+
 if (opt == IPOPT_SSRR) {
 #define INA struct in_ifaddr *
 #define SA struct sockaddr *
@@ -1091,12 +1098,6 @@ ip_forward(m, srcrt)
 */
 mcopy = m_copy(m, 0, imin((int)ip->ip_len, 64));
 
-#ifdef bogus
-#ifdef GATEWAY
- ip_ifmatrix[rt->rt_ifp->if_index +
- if_index * m->m_pkthdr.rcvif->if_index]++;
-#endif
-#endif
 /*
  * If forwarding packet using same interface that it came in on,
  * perhaps should send a redirect to sender to shortcut a hop.
@@ -1202,6 +1203,9 @@ ip_sysctl(name, namelen, oldp, oldlenp, newp, newlen)
 &ipsendredirects));
 case IPCTL_DEFTTL:
 return (sysctl_int(oldp, oldlenp, newp, newlen, &ip_defttl));
+ case IPCTL_SOURCEROUTE:
+ return (sysctl_int(oldp, oldlenp, newp, newlen,
+ &ip_dosourceroute));
 #ifdef notyet
 case IPCTL_DEFMTU:
 return (sysctl_int(oldp, oldlenp, newp, newlen, &ip_mtu));
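Review bot: Each rejected packet in the ip_dooptions() hunk now writes an unthrottled `log(LOG_WARNING, ...)` line, so an unauthenticated sender can drive the kernel log and console at packet rate; a statistics counter plus a throttled log would give the same visibility without that cost. The `char buf[4*sizeof "123"]` copy is correctly sized (16 bytes holds the longest dotted quad plus NUL) but its reason is not stated, and a comment such as `/* inet_ntoa() reuses one static buffer, so copy dst before formatting src */` would keep the next maintainer from folding it into a single log() call. The new test sits after the end-of-route `save_rte(cp, ip->ip_src); break;` path shown above it and below the not-at-next-hop handling that lies outside the hunk, so it appears to govern only hops this host must itself perform while an exhausted route is still delivered with its reverse route recorded; if that is intended, the `/* may perform source routes */` comment in in.h could say so. ip_dooptions() begins and ends outside the hunk.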