Make net.inet.ip.sourceroute, net.inet.ip.accept_sourceroute, and
net.inet.ip.process_options vnet-aware. Revert changes in r271545. Suggested by: bz
This commit is contained in:
hrs
parent
5f22ea600b
commit
0d57c69d7b
@ -326,22 +326,20 @@ options_inet()
|
||||
${SYSCTL} net.inet.ip.forwarding=0 > /dev/null
|
||||
fi
|
||||
|
||||
if ! check_jail vnet; then
|
||||
if checkyesno forward_sourceroute; then
|
||||
ropts_init inet
|
||||
echo -n ' do source routing=YES'
|
||||
${SYSCTL} net.inet.ip.sourceroute=1 > /dev/null
|
||||
else
|
||||
${SYSCTL} net.inet.ip.sourceroute=0 > /dev/null
|
||||
fi
|
||||
if checkyesno forward_sourceroute; then
|
||||
ropts_init inet
|
||||
echo -n ' do source routing=YES'
|
||||
${SYSCTL} net.inet.ip.sourceroute=1 > /dev/null
|
||||
else
|
||||
${SYSCTL} net.inet.ip.sourceroute=0 > /dev/null
|
||||
fi
|
||||
|
||||
if checkyesno accept_sourceroute; then
|
||||
ropts_init inet
|
||||
echo -n ' accept source routing=YES'
|
||||
${SYSCTL} net.inet.ip.accept_sourceroute=1 > /dev/null
|
||||
else
|
||||
${SYSCTL} net.inet.ip.accept_sourceroute=0 > /dev/null
|
||||
fi
|
||||
if checkyesno accept_sourceroute; then
|
||||
ropts_init inet
|
||||
echo -n ' accept source routing=YES'
|
||||
${SYSCTL} net.inet.ip.accept_sourceroute=1 > /dev/null
|
||||
else
|
||||
${SYSCTL} net.inet.ip.accept_sourceroute=0 > /dev/null
|
||||
fi
|
||||
|
||||
if checkyesno arpproxy_all; then
|
||||
|
||||
@ -296,9 +296,9 @@ ip_fastforward(struct mbuf *m)
|
||||
* Only IP packets without options
|
||||
*/
|
||||
if (ip->ip_hl != (sizeof(struct ip) >> 2)) {
|
||||
if (ip_doopts == 1)
|
||||
if (V_ip_doopts == 1)
|
||||
return m;
|
||||
else if (ip_doopts == 2) {
|
||||
else if (V_ip_doopts == 2) {
|
||||
icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_FILTER_PROHIB,
|
||||
0, 0);
|
||||
return NULL; /* mbuf already free'd */
|
||||
|
||||
@ -65,18 +65,21 @@ __FBSDID("$FreeBSD$");
|
||||
|
||||
#include <sys/socketvar.h>
|
||||
|
||||
static int ip_dosourceroute = 0;
|
||||
SYSCTL_INT(_net_inet_ip, IPCTL_SOURCEROUTE, sourceroute, CTLFLAG_RW,
|
||||
&ip_dosourceroute, 0, "Enable forwarding source routed IP packets");
|
||||
static VNET_DEFINE(int, ip_dosourceroute);
|
||||
SYSCTL_VNET_INT(_net_inet_ip, IPCTL_SOURCEROUTE, sourceroute, CTLFLAG_RW,
|
||||
&VNET_NAME(ip_dosourceroute), 0,
|
||||
"Enable forwarding source routed IP packets");
|
||||
#define V_ip_dosourceroute VNET(ip_dosourceroute)
|
||||
|
||||
static int ip_acceptsourceroute = 0;
|
||||
SYSCTL_INT(_net_inet_ip, IPCTL_ACCEPTSOURCEROUTE, accept_sourceroute,
|
||||
CTLFLAG_RW, &ip_acceptsourceroute, 0,
|
||||
static VNET_DEFINE(int, ip_acceptsourceroute);
|
||||
SYSCTL_VNET_INT(_net_inet_ip, IPCTL_ACCEPTSOURCEROUTE, accept_sourceroute,
|
||||
CTLFLAG_RW, &VNET_NAME(ip_acceptsourceroute), 0,
|
||||
"Enable accepting source routed IP packets");
|
||||
#define V_ip_acceptsourceroute VNET(ip_acceptsourceroute)
|
||||
|
||||
int ip_doopts = 1; /* 0 = ignore, 1 = process, 2 = reject */
|
||||
SYSCTL_INT(_net_inet_ip, OID_AUTO, process_options, CTLFLAG_RW,
|
||||
&ip_doopts, 0, "Enable IP options processing ([LS]SRR, RR, TS)");
|
||||
VNET_DEFINE(int, ip_doopts) = 1; /* 0 = ignore, 1 = process, 2 = reject */
|
||||
SYSCTL_VNET_INT(_net_inet_ip, OID_AUTO, process_options, CTLFLAG_RW,
|
||||
&VNET_NAME(ip_doopts), 0, "Enable IP options processing ([LS]SRR, RR, TS)");
|
||||
|
||||
static void save_rte(struct mbuf *m, u_char *, struct in_addr);
|
||||
|
||||
@ -104,9 +107,9 @@ ip_dooptions(struct mbuf *m, int pass)
|
||||
struct sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET };
|
||||
|
||||
/* Ignore or reject packets with IP options. */
|
||||
if (ip_doopts == 0)
|
||||
if (V_ip_doopts == 0)
|
||||
return 0;
|
||||
else if (ip_doopts == 2) {
|
||||
else if (V_ip_doopts == 2) {
|
||||
type = ICMP_UNREACH;
|
||||
code = ICMP_UNREACH_FILTER_PROHIB;
|
||||
goto bad;
|
||||
@ -167,7 +170,7 @@ ip_dooptions(struct mbuf *m, int pass)
|
||||
code = ICMP_UNREACH_SRCFAIL;
|
||||
goto bad;
|
||||
}
|
||||
if (!ip_dosourceroute)
|
||||
if (!V_ip_dosourceroute)
|
||||
goto nosourcerouting;
|
||||
/*
|
||||
* Loose routing, and not at next destination
|
||||
@ -180,7 +183,7 @@ ip_dooptions(struct mbuf *m, int pass)
|
||||
/*
|
||||
* End of source route. Should be for us.
|
||||
*/
|
||||
if (!ip_acceptsourceroute)
|
||||
if (!V_ip_acceptsourceroute)
|
||||
goto nosourcerouting;
|
||||
save_rte(m, cp, ip->ip_src);
|
||||
break;
|
||||
@ -189,7 +192,7 @@ ip_dooptions(struct mbuf *m, int pass)
|
||||
if (V_ipstealth)
|
||||
goto dropit;
|
||||
#endif
|
||||
if (!ip_dosourceroute) {
|
||||
if (!V_ip_dosourceroute) {
|
||||
if (V_ipforwarding) {
|
||||
char buf[16]; /* aaa.bbb.ccc.ddd\0 */
|
||||
/*
|
||||
|
||||
@ -47,7 +47,8 @@ struct ipopt_tag {
|
||||
struct ipoptrt ip_srcrt;
|
||||
};
|
||||
|
||||
extern int ip_doopts; /* process or ignore IP options */
|
||||
VNET_DECLARE(int, ip_doopts); /* process or ignore IP options */
|
||||
#define V_ip_doopts VNET(ip_doopts)
|
||||
|
||||
int ip_checkrouteralert(struct mbuf *);
|
||||
int ip_dooptions(struct mbuf *, int);
|
||||
|
||||
Loading…
Reference in New Issue
Block a user