diff --git a/sys/conf/NOTES b/sys/conf/NOTES index 430fc76a8ab1..4355ddee6a53 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -539,7 +539,7 @@ device musycc # LMC/SBE LMC1504 quad T1/E1 # The `pflog' device provides the pflog0 interface which logs packets. # The `pfsync' device provides the pfsync0 interface used for # synchronization of firewall state tables (over the net). -# Requires option PFIL_HOOKS and (when used as a module) option RANDOM_IP_ID +# Requires option PFIL_HOOKS # # The PPP_BSDCOMP option enables support for compress(1) style entire # packet compression, the PPP_DEFLATE is for zlib/gzip style compression. @@ -647,13 +647,6 @@ options TCPDEBUG # functions. See mbuf(9) for a list of available test cases. options MBUF_STRESS_TEST -# RANDOM_IP_ID causes the ID field in IP packets to be randomized -# instead of incremented by 1 with each packet generated. This -# option closes a minor information leak which allows remote -# observers to determine the rate of packet generation on the -# machine by watching the counter. -options RANDOM_IP_ID - # Statically Link in accept filters options ACCEPT_FILTER_DATA options ACCEPT_FILTER_HTTP diff --git a/sys/conf/options b/sys/conf/options index 2bf10ac3b5aa..08ce8f9acc4a 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -361,7 +361,6 @@ NETATALK opt_atalk.h PPP_BSDCOMP opt_ppp.h PPP_DEFLATE opt_ppp.h PPP_FILTER opt_ppp.h -RANDOM_IP_ID SLIP_IFF_OPTS opt_slip.h TCPDEBUG TCP_SIGNATURE opt_inet.h diff --git a/sys/contrib/pf/net/if_pfsync.c b/sys/contrib/pf/net/if_pfsync.c index e0bd244b6a94..1e2d7b1d8e14 100644 --- a/sys/contrib/pf/net/if_pfsync.c +++ b/sys/contrib/pf/net/if_pfsync.c @@ -30,7 +30,6 @@ #ifdef __FreeBSD__ #include "opt_inet.h" #include "opt_inet6.h" -#include "opt_random_ip_id.h" #endif #ifndef __FreeBSD__ 
@@ -107,10 +106,6 @@ struct pfsync_softc pfsyncif; int pfsync_sync_ok; struct pfsyncstats pfsyncstats; -#ifndef RANDOM_IP_ID -extern u_int16_t ip_randomid(void); -#endif - #ifdef __FreeBSD__ /* diff --git a/sys/contrib/pf/net/pf_norm.c b/sys/contrib/pf/net/pf_norm.c index 42c834dd9171..fcaeaa4be632 100644 --- a/sys/contrib/pf/net/pf_norm.c +++ b/sys/contrib/pf/net/pf_norm.c @@ -30,7 +30,6 @@ #ifdef __FreeBSD__ #include "opt_inet.h" #include "opt_inet6.h" -#include "opt_random_ip_id.h" /* or ip_var does not export it */ #include "opt_pf.h" #define NPFLOG DEV_PFLOG #else @@ -168,9 +167,6 @@ RB_PROTOTYPE(pf_frag_tree, pf_fragment, fr_entry, pf_frag_compare); RB_GENERATE(pf_frag_tree, pf_fragment, fr_entry, pf_frag_compare); /* Private prototypes */ -#ifndef RANDOM_IP_ID -extern u_int16_t ip_randomid(void); -#endif void pf_ip2key(struct pf_fragment *, struct ip *); void pf_remove_fragment(struct pf_fragment *); void pf_flush_fragments(void); diff --git a/sys/modules/ip_mroute_mod/Makefile b/sys/modules/ip_mroute_mod/Makefile index 41dbceccef5e..be135def4026 100644 --- a/sys/modules/ip_mroute_mod/Makefile +++ b/sys/modules/ip_mroute_mod/Makefile @@ -3,19 +3,11 @@ .PATH: ${.CURDIR}/../../netinet KMOD= ip_mroute -SRCS= ip_mroute.c opt_mac.h opt_mrouting.h opt_random_ip_id.h +SRCS= ip_mroute.c opt_mac.h opt_mrouting.h CFLAGS+= -DMROUTE_KLD -RANDOM_IP_ID?= 0 # 0/1 - should jibe with kernel configuration - opt_mrouting.h: echo "#define MROUTING 1" > ${.TARGET} -opt_random_ip_id.h: - touch ${.TARGET} -.if ${RANDOM_IP_ID} > 0 - echo "#define RANDOM_IP_ID 1" > ${.TARGET} -.endif - .include diff --git a/sys/modules/pf/Makefile b/sys/modules/pf/Makefile index a226f1ce22aa..d4eb9840b291 100644 --- a/sys/modules/pf/Makefile +++ b/sys/modules/pf/Makefile 
@@ -7,8 +7,8 @@ KMOD= pf SRCS = pf.c pf_if.c pf_subr.c pf_osfp.c pf_ioctl.c pf_norm.c pf_table.c \ if_pflog.c \ - in4_cksum.c ip_id.c \ - opt_pf.h opt_inet.h opt_inet6.h opt_bpf.h opt_random_ip_id.h + in4_cksum.c \ + opt_pf.h opt_inet.h opt_inet6.h opt_bpf.h CFLAGS+= -Wall -I${.CURDIR}/../../contrib/pf @@ -29,7 +29,4 @@ opt_inet6.h: opt_bpf.h: echo "#define DEV_BPF 1" > opt_bpf.h -opt_random_ip_id.h: - echo "#define RANDOM_IP_ID 1" > opt_random_ip_id.h - .include diff --git a/sys/netinet/ip_id.c b/sys/netinet/ip_id.c index 700f731d4912..c8455f808225 100644 --- a/sys/netinet/ip_id.c +++ b/sys/netinet/ip_id.c @@ -57,14 +57,12 @@ * This avoids reuse issues caused by reseeding. */ -#include "opt_random_ip_id.h" #include "opt_pf.h" #include #include #include #include -#if defined(RANDOM_IP_ID) || defined(DEV_PF) #define RU_OUT 180 /* Time after wich will be reseeded */ #define RU_MAX 30000 /* Uniq cycle, avoid blackjack prediction */ #define RU_GEN 2 /* Starting generator */ @@ -209,4 +207,3 @@ ip_randomid(void) return (ru_seed ^ pmod(ru_g,ru_seed2 ^ ru_x,RU_N)) | ru_msb; } -#endif /* RANDOM_IP_ID || DEV_PF */ diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 0d64effd2e93..0ae3c1635095 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -39,7 +39,6 @@ #include "opt_ipsec.h" #include "opt_mac.h" #include "opt_pfil_hooks.h" -#include "opt_random_ip_id.h" #include #include @@ -135,6 +134,11 @@ SYSCTL_INT(_net_inet_ip, OID_AUTO, sendsourcequench, CTLFLAG_RW, &ip_sendsourcequench, 0, "Enable the transmission of source quench packets"); +int ip_do_randomid = 0; +SYSCTL_INT(_net_inet_ip, OID_AUTO, random_id, CTLFLAG_RW, + &ip_do_randomid, 0, + "Assign random ip_id values"); + /* * XXX - Setting ip_checkinterface mostly implements the receive side of * the Strong ES model described in RFC 1122, but since the routing table 
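Review bot: `#include "opt_pf.h"` is kept in the `@@ -57,14 +57,12 @@` hunk of sys/netinet/ip_id.c, although the only visible use of it, the `#if defined(RANDOM_IP_ID) || defined(DEV_PF)` guard, is removed by this same hunk. If nothing else in the file tests `DEV_PF`, the include can be dropped too, which removes a needless dependency on the pf option header. The rest of the file is outside the hunk, so this needs checking against the full source.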
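Review bot: `int ip_do_randomid = 0;` in the `@@ -135,6 +134,11 @@` hunk of sys/netinet/ip_input.c makes sequential IPv4 IDs the default, so a kernel that was configured with `options RANDOM_IP_ID` silently loses randomized IDs after this change until an administrator sets `net.inet.ip.random_id=1`. The text this commit deletes from sys/conf/NOTES described the sequential counter as an information leak that lets remote observers measure the packet generation rate, and that rationale no longer appears anywhere in the new code. I would either initialise the variable to 1 or, if 0 is intentional, carry the rationale into a comment above the declaration, e.g. `/* 0: sequential ip_id (exposes packet rate to remote observers); 1: ip_randomid() */`. The sysctl description string could say the same, and the upgrade notes should mention that the option became a run-time knob.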
@@ -281,9 +285,7 @@ ip_init() maxnipq = nmbclusters / 32; maxfragsperpacket = 16; -#ifndef RANDOM_IP_ID ip_id = time_second & 0xffff; -#endif ipintrq.ifq_maxlen = ipqmaxlen; mtx_init(&ipintrq.ifq_mtx, "ip_inq", NULL, MTX_DEF); netisr_register(NETISR_IP, ip_input, &ipintrq, NETISR_MPSAFE); diff --git a/sys/netinet/ip_mroute.c b/sys/netinet/ip_mroute.c index 11490c45c275..57e8db8eae32 100644 --- a/sys/netinet/ip_mroute.c +++ b/sys/netinet/ip_mroute.c @@ -22,7 +22,6 @@ #include "opt_mac.h" #include "opt_mrouting.h" -#include "opt_random_ip_id.h" #ifdef PIM #define _PIM_VT 1 @@ -1884,11 +1883,7 @@ encap_send(struct ip *ip, struct vif *vifp, struct mbuf *m) */ ip_copy = mtod(mb_copy, struct ip *); *ip_copy = multicast_encap_iphdr; -#ifdef RANDOM_IP_ID - ip_copy->ip_id = ip_randomid(); -#else - ip_copy->ip_id = htons(ip_id++); -#endif + ip_copy->ip_id = ip_newid(); ip_copy->ip_len += len; ip_copy->ip_src = vifp->v_lcl_addr; ip_copy->ip_dst = vifp->v_rmt_addr; @@ -3093,11 +3088,7 @@ pim_register_send_rp(struct ip *ip, struct vif *vifp, */ ip_outer = mtod(mb_first, struct ip *); *ip_outer = pim_encap_iphdr; -#ifdef RANDOM_IP_ID - ip_outer->ip_id = ip_randomid(); -#else - ip_outer->ip_id = htons(ip_id++); -#endif + ip_outer->ip_id = ip_newid(); ip_outer->ip_len = len + sizeof(pim_encap_iphdr) + sizeof(pim_encap_pimhdr); ip_outer->ip_src = viftable[vifi].v_lcl_addr; ip_outer->ip_dst = rt->mfc_rp; diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 8f7003ca4a5a..49461536b762 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -37,7 +37,6 @@ #include "opt_ipsec.h" #include "opt_mac.h" #include "opt_pfil_hooks.h" -#include "opt_random_ip_id.h" #include "opt_mbuf_stress_test.h" #include 
@@ -216,11 +215,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, if ((flags & (IP_FORWARDING|IP_RAWOUTPUT)) == 0) { ip->ip_v = IPVERSION; ip->ip_hl = hlen >> 2; -#ifdef RANDOM_IP_ID - ip->ip_id = ip_randomid(); -#else - ip->ip_id = htons(ip_id++); -#endif + ip->ip_id = ip_newid(); ipstat.ips_localout++; } else { hlen = ip->ip_hl << 2; diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h index ff616fbb9e61..66da695b7d1c 100644 --- a/sys/netinet/ip_var.h +++ b/sys/netinet/ip_var.h @@ -142,9 +142,7 @@ struct route; struct sockopt; extern struct ipstat ipstat; -#ifndef RANDOM_IP_ID extern u_short ip_id; /* ip packet ctr, for ids */ -#endif extern int ip_defttl; /* default IP ttl */ extern int ipforwarding; /* ip forwarding */ extern int ip_doopts; /* process or ignore IP options */ @@ -178,10 +176,7 @@ void ip_slowtimo(void); struct mbuf * ip_srcroute(void); void ip_stripoptions(struct mbuf *, struct mbuf *); -#ifdef RANDOM_IP_ID -u_int16_t - ip_randomid(void); -#endif +u_int16_t ip_randomid(void); int rip_ctloutput(struct socket *, struct sockopt *); void rip_ctlinput(int, struct sockaddr *, void *); void rip_init(void); @@ -201,6 +196,18 @@ extern struct pfil_head inet_pfil_hook; void in_delayed_cksum(struct mbuf *m); +static __inline uint16_t ip_newid(void); +extern int ip_do_randomid; + +static __inline uint16_t +ip_newid(void) +{ + if (ip_do_randomid) + return ip_randomid(); + + return htons(ip_id++); +} + #endif /* _KERNEL */ #endif /* !_NETINET_IP_VAR_H_ */ diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c index 6b854c009071..3f3fb02f1c7d 100644 --- a/sys/netinet/raw_ip.c +++ b/sys/netinet/raw_ip.c @@ -33,7 +33,6 @@ #include "opt_inet6.h" #include "opt_ipsec.h" #include "opt_mac.h" -#include "opt_random_ip_id.h" #include #include 
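Review bot: `ip_newid()` in the `@@ -201,6 +196,18 @@` hunk of sys/netinet/ip_var.h has no comment, although it is now the single place that decides whether outgoing IPv4 IDs are predictable. I would add a short block comment above it stating that the return value is stored into `ip_id` as is, that the `ip_do_randomid == 0` path hands out a guessable sequence, and that `ip_id++` is a plain read-modify-write on a global. No locking is visible in this hunk, so whether two concurrent callers can draw the same ID should be confirmed against the call sites in ip_output.c, raw_ip.c, ip_mroute.c, ipsec.c and xform_ipip.c. On style, the separate prototype directly above the definition is redundant, and `uint16_t` here sits a few lines below `u_int16_t ip_randomid(void);`, so one spelling would read better.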
@@ -304,11 +303,7 @@ rip_output(struct mbuf *m, struct socket *so, u_long dst) return EINVAL; } if (ip->ip_id == 0) -#ifdef RANDOM_IP_ID - ip->ip_id = ip_randomid(); -#else - ip->ip_id = htons(ip_id++); -#endif + ip->ip_id = ip_newid(); /* XXX prevent ip_output from overwriting header fields */ flags |= IP_RAWOUTPUT; ipstat.ips_rawout++; diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c index 6ceff8f16f5c..9c918a95e226 100644 --- a/sys/netinet/tcp_syncache.c +++ b/sys/netinet/tcp_syncache.c @@ -38,7 +38,6 @@ #include "opt_inet6.h" #include "opt_ipsec.h" #include "opt_mac.h" -#include "opt_random_ip_id.h" #include "opt_tcpdebug.h" #include "opt_tcp_sack.h" @@ -958,11 +957,7 @@ syncache_add(inc, to, th, sop, m) if (inc->inc_isipv6 && (sc->sc_tp->t_inpcb->in6p_flags & IN6P_AUTOFLOWLABEL)) { sc->sc_flowlabel = -#ifdef RANDOM_IP_ID (htonl(ip6_randomflowlabel()) & IPV6_FLOWLABEL_MASK); -#else - (htonl(ip6_flow_seq++) & IPV6_FLOWLABEL_MASK); -#endif } #endif } diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c index 1e961291e9fc..df6fa74f1fad 100644 --- a/sys/netinet/tcp_usrreq.c +++ b/sys/netinet/tcp_usrreq.c @@ -33,7 +33,6 @@ #include "opt_ipsec.h" #include "opt_inet.h" #include "opt_inet6.h" -#include "opt_random_ip_id.h" #include "opt_tcpdebug.h" #include @@ -946,12 +945,8 @@ tcp6_connect(tp, nam, td) /* update flowinfo - draft-itojun-ipv6-flowlabel-api-00 */ inp->in6p_flowinfo &= ~IPV6_FLOWLABEL_MASK; if (inp->in6p_flags & IN6P_AUTOFLOWLABEL) - inp->in6p_flowinfo |= -#ifdef RANDOM_IP_ID + inp->in6p_flowinfo |= (htonl(ip6_randomflowlabel()) & IPV6_FLOWLABEL_MASK); -#else - (htonl(ip6_flow_seq++) & IPV6_FLOWLABEL_MASK); -#endif in_pcbrehash(inp); /* Compute window scaling to request. */ diff --git a/sys/netinet6/frag6.c b/sys/netinet6/frag6.c index f8a86a1fac0a..8be7d5247806 100644 --- a/sys/netinet6/frag6.c +++ b/sys/netinet6/frag6.c @@ -30,8 +30,6 @@ * SUCH DAMAGE. */ -#include "opt_random_ip_id.h" - #include #include #include 
@@ -98,9 +96,6 @@ frag6_init() IP6Q_LOCK_INIT(); -#ifndef RANDOM_IP_ID - ip6_id = arc4random(); -#endif ip6q.ip6q_next = ip6q.ip6q_prev = &ip6q; } diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c index 48d153f61229..7639919e8a84 100644 --- a/sys/netinet6/in6_pcb.c +++ b/sys/netinet6/in6_pcb.c @@ -65,7 +65,6 @@ #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h" -#include "opt_random_ip_id.h" #include #include @@ -389,11 +388,7 @@ in6_pcbconnect(inp, nam, cred) inp->in6p_flowinfo &= ~IPV6_FLOWLABEL_MASK; if (inp->in6p_flags & IN6P_AUTOFLOWLABEL) inp->in6p_flowinfo |= -#ifdef RANDOM_IP_ID (htonl(ip6_randomflowlabel()) & IPV6_FLOWLABEL_MASK); -#else - (htonl(ip6_flow_seq++) & IPV6_FLOWLABEL_MASK); -#endif in_pcbrehash(inp); #ifdef IPSEC diff --git a/sys/netinet6/in6_proto.c b/sys/netinet6/in6_proto.c index 2d1d8dc79765..d4edbec6bf50 100644 --- a/sys/netinet6/in6_proto.c +++ b/sys/netinet6/in6_proto.c @@ -64,7 +64,6 @@ #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h" -#include "opt_random_ip_id.h" #include #include @@ -290,9 +289,6 @@ int ip6_maxfrags; /* initialized in frag6.c:frag6_init() */ int ip6_log_interval = 5; int ip6_hdrnestlimit = 50; /* appropriate? */ int ip6_dad_count = 1; /* DupAddrDetectionTransmits */ -#ifndef RANDOM_IP_ID -u_int32_t ip6_flow_seq; -#endif int ip6_auto_flowlabel = 1; int ip6_gif_hlim = 0; int ip6_use_deprecated = 1; /* allow deprecated addr (RFC2462 5.5.4) */ @@ -300,9 +296,6 @@ int ip6_rr_prune = 5; /* router renumbering prefix * walk list every 5 sec. */ int ip6_v6only = 1; -#ifndef RANDOM_IP_ID -u_int32_t ip6_id = 0UL; -#endif int ip6_keepfaith = 0; time_t ip6_log_time = (time_t)0L; diff --git a/sys/netinet6/ip6_id.c b/sys/netinet6/ip6_id.c index ca193b899016..cb75277b746d 100644 --- a/sys/netinet6/ip6_id.c +++ b/sys/netinet6/ip6_id.c @@ -86,8 +86,6 @@ * This avoids reuse issues caused by reseeding. */ -#include "opt_random_ip_id.h" - #include #include #include 
@@ -100,8 +98,6 @@ #include #include -#ifdef RANDOM_IP_ID - #ifndef INT32_MAX #define INT32_MAX 0x7fffffffU #endif @@ -267,5 +263,3 @@ ip6_randomflowlabel(void) return randomid(&randomtab_20) & 0xfffff; } - -#endif /* RANDOM_IP_ID */ diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c index a22eb12c2ea4..ac24f972743d 100644 --- a/sys/netinet6/ip6_input.c +++ b/sys/netinet6/ip6_input.c @@ -66,7 +66,6 @@ #include "opt_inet6.h" #include "opt_ipsec.h" #include "opt_pfil_hooks.h" -#include "opt_random_ip_id.h" #include #include @@ -197,9 +196,6 @@ ip6_init() addrsel_policy_init(); nd6_init(); frag6_init(); -#ifndef RANDOM_IP_ID - ip6_flow_seq = arc4random(); -#endif ip6_desync_factor = arc4random() % MAX_TEMP_DESYNC_FACTOR; } diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index b955f40e2805..f5c35594e8ed 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c @@ -66,7 +66,6 @@ #include "opt_inet6.h" #include "opt_ipsec.h" #include "opt_pfil_hooks.h" -#include "opt_random_ip_id.h" #include #include @@ -1036,11 +1035,7 @@ skip_ipsec2:; } else { struct mbuf **mnext, *m_frgpart; struct ip6_frag *ip6f; -#ifdef RANDOM_IP_ID u_int32_t id = htonl(ip6_randomid()); -#else - u_int32_t id = htonl(ip6_id++); -#endif u_char nextproto; struct ip6ctlparam ip6cp; u_int32_t mtu32; diff --git a/sys/netinet6/ip6_var.h b/sys/netinet6/ip6_var.h index 99edc4503fff..36bf36dfcc3a 100644 --- a/sys/netinet6/ip6_var.h +++ b/sys/netinet6/ip6_var.h @@ -283,9 +283,6 @@ struct ip6aux { #define IPV6_MINMTU 0x04 /* use minimum MTU (IPV6_USE_MIN_MTU) */ extern struct ip6stat ip6stat; /* statistics */ -#ifndef RANDOM_IP_ID -extern u_int32_t ip6_id; /* fragment identifier */ -#endif extern int ip6_defhlim; /* default hop limit */ extern int ip6_defmcasthlim; /* default multicast hop limit */ extern int ip6_forwarding; /* act as router? */ 
@@ -309,9 +306,6 @@ extern time_t ip6_log_time; extern int ip6_hdrnestlimit; /* upper limit of # of extension headers */ extern int ip6_dad_count; /* DupAddrDetectionTransmits */ -#ifndef RANDOM_IP_ID -extern u_int32_t ip6_flow_seq; -#endif extern int ip6_auto_flowlabel; extern int ip6_auto_linklocal; @@ -399,10 +393,8 @@ struct in6_addr *in6_selectsrc __P((struct sockaddr_in6 *, int in6_selectroute __P((struct sockaddr_in6 *, struct ip6_pktopts *, struct ip6_moptions *, struct route_in6 *, struct ifnet **, struct rtentry **, int)); -#ifdef RANDOM_IP_ID u_int32_t ip6_randomid __P((void)); u_int32_t ip6_randomflowlabel __P((void)); -#endif #endif /* _KERNEL */ #endif /* !_NETINET6_IP6_VAR_H_ */ diff --git a/sys/netinet6/ipsec.c b/sys/netinet6/ipsec.c index f57a7db8e489..13d2feb667a3 100644 --- a/sys/netinet6/ipsec.c +++ b/sys/netinet6/ipsec.c @@ -37,7 +37,6 @@ #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h" -#include "opt_random_ip_id.h" #include #include @@ -2156,11 +2155,7 @@ ipsec4_encapsulate(m, sav) ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: " "leave ip_len as is (invalid packet)\n")); } -#ifdef RANDOM_IP_ID - ip->ip_id = ip_randomid(); -#else - ip->ip_id = htons(ip_id++); -#endif + ip->ip_id = ip_newid(); bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr, &ip->ip_src, sizeof(ip->ip_src)); bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr, diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c index cbdc02f8053d..4ede1d284dd5 100644 --- a/sys/netipsec/xform_ipip.c +++ b/sys/netipsec/xform_ipip.c @@ -41,7 +41,6 @@ */ #include "opt_inet.h" #include "opt_inet6.h" -#include "opt_random_ip_id.h" #include #include @@ -450,11 +449,7 @@ ipip_output( ipo->ip_src = saidx->src.sin.sin_addr; ipo->ip_dst = saidx->dst.sin.sin_addr; -#ifdef RANDOM_IP_ID - ipo->ip_id = ip_randomid(); -#else - ipo->ip_id = htons(ip_id++); -#endif + ipo->ip_id = ip_newid(); /* If the inner protocol is IP... */ if (tp == IPVERSION) {