diff options
Diffstat (limited to 'sys/netinet')
| -rw-r--r-- | sys/netinet/if_ether.c | 15 | ||||
| -rw-r--r-- | sys/netinet/in.c | 39 | ||||
| -rw-r--r-- | sys/netinet/in.h | 1 | ||||
| -rw-r--r-- | sys/netinet/in_gif.c | 2 | ||||
| -rw-r--r-- | sys/netinet/in_proto.c | 14 | ||||
| -rw-r--r-- | sys/netinet/ip_divert.c | 157 | ||||
| -rw-r--r-- | sys/netinet/ip_fw.h | 8 | ||||
| -rw-r--r-- | sys/netinet/ip_icmp.c | 2 | ||||
| -rw-r--r-- | sys/netinet/ip_var.h | 1 | ||||
| -rw-r--r-- | sys/netinet/ipfw/ip_dn_io.c | 1 | ||||
| -rw-r--r-- | sys/netinet/ipfw/ip_fw2.c | 121 | ||||
| -rw-r--r-- | sys/netinet/ipfw/ip_fw_log.c | 7 | ||||
| -rw-r--r-- | sys/netinet/ipfw/ip_fw_pfil.c | 35 | ||||
| -rw-r--r-- | sys/netinet/ipfw/ip_fw_sockopt.c | 1 | ||||
| -rw-r--r-- | sys/netinet/libalias/alias_db.c | 24 | ||||
| -rw-r--r-- | sys/netinet/libalias/alias_ftp.c | 124 | ||||
| -rw-r--r-- | sys/netinet/libalias/alias_local.h | 7 | ||||
| -rw-r--r-- | sys/netinet/libalias/libalias.3 | 140 | ||||
| -rw-r--r-- | sys/netinet/raw_ip.c | 3 | ||||
| -rw-r--r-- | sys/netinet/sctp.h | 1 | ||||
| -rw-r--r-- | sys/netinet/sctp_pcb.c | 10 | ||||
| -rw-r--r-- | sys/netinet/sctp_uio.h | 11 | ||||
| -rw-r--r-- | sys/netinet/sctp_usrreq.c | 86 | ||||
| -rw-r--r-- | sys/netinet/tcp_lro.c | 8 | ||||
| -rw-r--r-- | sys/netinet/tcp_output.c | 28 | ||||
| -rw-r--r-- | sys/netinet/tcp_subr.c | 9 |
26 files changed, 629 insertions, 226 deletions
diff --git a/sys/netinet/if_ether.c b/sys/netinet/if_ether.c index 3afdc7d..f766fc4 100644 --- a/sys/netinet/if_ether.c +++ b/sys/netinet/if_ether.c @@ -694,11 +694,13 @@ match: bcmp(ar_sha(ah), &la->ll_addr, ifp->if_addrlen)) { if (la->la_flags & LLE_STATIC) { LLE_WUNLOCK(la); - log(LOG_ERR, - "arp: %*D attempts to modify permanent " - "entry for %s on %s\n", - ifp->if_addrlen, (u_char *)ar_sha(ah), ":", - inet_ntoa(isaddr), ifp->if_xname); + if (log_arp_permanent_modify) + log(LOG_ERR, + "arp: %*D attempts to modify " + "permanent entry for %s on %s\n", + ifp->if_addrlen, + (u_char *)ar_sha(ah), ":", + inet_ntoa(isaddr), ifp->if_xname); goto reply; } if (log_arp_movements) { @@ -759,7 +761,7 @@ match: } } else LLE_WUNLOCK(la); - } /* end of FIB loop */ + } reply: if (op != ARPOP_REQUEST) goto drop; @@ -857,6 +859,7 @@ reply: ah->ar_pro = htons(ETHERTYPE_IP); /* let's be sure! */ m->m_len = sizeof(*ah) + (2 * ah->ar_pln) + (2 * ah->ar_hln); m->m_pkthdr.len = m->m_len; + m->m_pkthdr.rcvif = NULL; sa.sa_family = AF_ARP; sa.sa_len = 2; (*ifp->if_output)(ifp, m, &sa, NULL); diff --git a/sys/netinet/in.c b/sys/netinet/in.c index 684d808..c090117 100644 --- a/sys/netinet/in.c +++ b/sys/netinet/in.c @@ -548,7 +548,7 @@ in_control(struct socket *so, u_long cmd, caddr_t data, struct ifnet *ifp, * is the same as before, then the call is * un-necessarily executed here. */ - in_ifscrub(ifp, ia, 0); + in_ifscrub(ifp, ia, LLE_STATIC); ia->ia_sockmask = ifra->ifra_mask; ia->ia_sockmask.sin_family = AF_INET; ia->ia_subnetmask = @@ -557,7 +557,7 @@ in_control(struct socket *so, u_long cmd, caddr_t data, struct ifnet *ifp, } if ((ifp->if_flags & IFF_POINTOPOINT) && (ifra->ifra_dstaddr.sin_family == AF_INET)) { - in_ifscrub(ifp, ia, 0); + in_ifscrub(ifp, ia, LLE_STATIC); ia->ia_dstaddr = ifra->ifra_dstaddr; maskIsNew = 1; /* We lie; but the effect's the same */ } @@ -1179,14 +1179,20 @@ in_scrubprefix(struct in_ifaddr *target, u_int flags) && (ia->ia_ifp->if_type != IFT_CARP)) { ifa_ref(&ia->ia_ifa); IN_IFADDR_RUNLOCK(); - rtinit(&(target->ia_ifa), (int)RTM_DELETE, + error = rtinit(&(target->ia_ifa), (int)RTM_DELETE, rtinitflags(target)); - target->ia_flags &= ~IFA_ROUTE; - + if (error == 0) + target->ia_flags &= ~IFA_ROUTE; + else + log(LOG_INFO, "in_scrubprefix: err=%d, old prefix delete failed\n", + error); error = rtinit(&ia->ia_ifa, (int)RTM_ADD, rtinitflags(ia) | RTF_UP); if (error == 0) ia->ia_flags |= IFA_ROUTE; + else + log(LOG_INFO, "in_scrubprefix: err=%d, new prefix add failed\n", + error); ifa_free(&ia->ia_ifa); return (error); } @@ -1210,9 +1216,12 @@ in_scrubprefix(struct in_ifaddr *target, u_int flags) /* * As no-one seem to have this prefix, we can remove the route. */ - rtinit(&(target->ia_ifa), (int)RTM_DELETE, rtinitflags(target)); - target->ia_flags &= ~IFA_ROUTE; - return (0); + error = rtinit(&(target->ia_ifa), (int)RTM_DELETE, rtinitflags(target)); + if (error == 0) + target->ia_flags &= ~IFA_ROUTE; + else + log(LOG_INFO, "in_scrubprefix: err=%d, prefix delete failed\n", error); + return (error); } #undef rtinitflags @@ -1407,6 +1416,18 @@ in_lltable_rtcheck(struct ifnet *ifp, u_int flags, const struct sockaddr *l3addr /* XXX rtalloc1 should take a const param */ rt = rtalloc1(__DECONST(struct sockaddr *, l3addr), 0, 0); + + /* + * If the gateway for an existing host route matches the target L3 + * address, allow for ARP to proceed. + */ + if (rt != NULL && (rt->rt_flags & (RTF_HOST|RTF_GATEWAY)) && + rt->rt_gateway->sa_family == AF_INET && + memcmp(rt->rt_gateway->sa_data, l3addr->sa_data, 4) == 0) { + RTFREE_LOCKED(rt); + return (0); + } + if (rt == NULL || (!(flags & LLE_PUB) && ((rt->rt_flags & RTF_GATEWAY) || (rt->rt_ifp != ifp)))) { @@ -1590,10 +1611,8 @@ in_domifattach(struct ifnet *ifp) llt = lltable_init(ifp, AF_INET); if (llt != NULL) { - llt->llt_new = in_lltable_new; llt->llt_free = in_lltable_free; llt->llt_prefix_free = in_lltable_prefix_free; - llt->llt_rtcheck = in_lltable_rtcheck; llt->llt_lookup = in_lltable_lookup; llt->llt_dump = in_lltable_dump; } diff --git a/sys/netinet/in.h b/sys/netinet/in.h index 12473ff..d5e4290 100644 --- a/sys/netinet/in.h +++ b/sys/netinet/in.h @@ -253,7 +253,6 @@ __END_DECLS /* Only used internally, so can be outside the range of valid IP protocols. */ #define IPPROTO_DIVERT 258 /* divert pseudo-protocol */ #define IPPROTO_SEND 259 /* SeND pseudo-protocol */ -#define IPPROTO_ND6 260 /* IPv6 NDP */ /* * Defined to avoid confusion. The master value is defined by diff --git a/sys/netinet/in_gif.c b/sys/netinet/in_gif.c index 6c60390..22f35df 100644 --- a/sys/netinet/in_gif.c +++ b/sys/netinet/in_gif.c @@ -256,6 +256,8 @@ in_gif_output(struct ifnet *ifp, int family, struct mbuf *m) #endif } + m_addr_changed(m); + error = ip_output(m, NULL, &sc->gif_ro, 0, NULL, NULL); if (!(GIF2IFP(sc)->if_flags & IFF_LINK0) && diff --git a/sys/netinet/in_proto.c b/sys/netinet/in_proto.c index d2a772f..a9a3890 100644 --- a/sys/netinet/in_proto.c +++ b/sys/netinet/in_proto.c @@ -163,7 +163,7 @@ struct protosw inetsw[] = { }, #ifdef SCTP { - .pr_type = SOCK_DGRAM, + .pr_type = SOCK_SEQPACKET, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_SCTP, .pr_flags = PR_WANTRCVD, @@ -177,18 +177,6 @@ struct protosw inetsw[] = { .pr_drain = sctp_drain, .pr_usrreqs = &sctp_usrreqs }, -{ - .pr_type = SOCK_SEQPACKET, - .pr_domain = &inetdomain, - .pr_protocol = IPPROTO_SCTP, - .pr_flags = PR_WANTRCVD, - .pr_input = sctp_input, - .pr_ctlinput = sctp_ctlinput, - .pr_ctloutput = sctp_ctloutput, - .pr_drain = sctp_drain, - .pr_usrreqs = &sctp_usrreqs -}, - { .pr_type = SOCK_STREAM, .pr_domain = &inetdomain, diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c index 527ce56..29a5d42 100644 --- a/sys/netinet/ip_divert.c +++ b/sys/netinet/ip_divert.c @@ -37,6 +37,7 @@ __FBSDID("$FreeBSD$"); #error "IPDIVERT requires INET." #endif #endif +#include "opt_inet6.h" #include <sys/param.h> #include <sys/kernel.h> @@ -62,6 +63,10 @@ __FBSDID("$FreeBSD$"); #include <netinet/in_var.h> #include <netinet/ip.h> #include <netinet/ip_var.h> +#ifdef INET6 +#include <netinet/ip6.h> +#include <netinet6/ip6_var.h> +#endif #ifdef SCTP #include <netinet/sctp_crc32.h> #endif @@ -312,10 +317,10 @@ static int div_output(struct socket *so, struct mbuf *m, struct sockaddr_in *sin, struct mbuf *control) { + struct ip *const ip = mtod(m, struct ip *); struct m_tag *mtag; struct ipfw_rule_ref *dt; int error = 0; - struct mbuf *options; /* * An mbuf may hasn't come from userland, but we pretend @@ -367,71 +372,103 @@ div_output(struct socket *so, struct mbuf *m, struct sockaddr_in *sin, /* Reinject packet into the system as incoming or outgoing */ if (!sin || sin->sin_addr.s_addr == 0) { - struct ip *const ip = mtod(m, struct ip *); + struct mbuf *options = NULL; struct inpcb *inp; dt->info |= IPFW_IS_DIVERT | IPFW_INFO_OUT; inp = sotoinpcb(so); INP_RLOCK(inp); - /* - * Don't allow both user specified and setsockopt options, - * and don't allow packet length sizes that will crash - */ - if (((ip->ip_hl != (sizeof (*ip) >> 2)) && inp->inp_options) || - ((u_short)ntohs(ip->ip_len) > m->m_pkthdr.len)) { - error = EINVAL; - INP_RUNLOCK(inp); - m_freem(m); - } else { + switch (ip->ip_v) { + case IPVERSION: + /* + * Don't allow both user specified and setsockopt + * options, and don't allow packet length sizes that + * will crash. + */ + if ((((ip->ip_hl << 2) != sizeof(struct ip)) && + inp->inp_options != NULL) || + ((u_short)ntohs(ip->ip_len) > m->m_pkthdr.len)) { + error = EINVAL; + INP_RUNLOCK(inp); + goto cantsend; + } + /* Convert fields to host order for ip_output() */ ip->ip_len = ntohs(ip->ip_len); ip->ip_off = ntohs(ip->ip_off); + break; +#ifdef INET6 + case IPV6_VERSION >> 4: + { + struct ip6_hdr *const ip6 = mtod(m, struct ip6_hdr *); + + /* Don't allow packet length sizes that will crash */ + if (((u_short)ntohs(ip6->ip6_plen) > m->m_pkthdr.len)) { + error = EINVAL; + INP_RUNLOCK(inp); + goto cantsend; + } - /* Send packet to output processing */ - KMOD_IPSTAT_INC(ips_rawout); /* XXX */ + ip6->ip6_plen = ntohs(ip6->ip6_plen); + } +#endif + default: + error = EINVAL; + INP_RUNLOCK(inp); + goto cantsend; + } + + /* Send packet to output processing */ + KMOD_IPSTAT_INC(ips_rawout); /* XXX */ #ifdef MAC - mac_inpcb_create_mbuf(inp, m); + mac_inpcb_create_mbuf(inp, m); #endif - /* - * Get ready to inject the packet into ip_output(). - * Just in case socket options were specified on the - * divert socket, we duplicate them. This is done - * to avoid having to hold the PCB locks over the call - * to ip_output(), as doing this results in a number of - * lock ordering complexities. - * - * Note that we set the multicast options argument for - * ip_output() to NULL since it should be invariant that - * they are not present. - */ - KASSERT(inp->inp_moptions == NULL, - ("multicast options set on a divert socket")); - options = NULL; - /* - * XXXCSJP: It is unclear to me whether or not it makes - * sense for divert sockets to have options. However, - * for now we will duplicate them with the INP locks - * held so we can use them in ip_output() without - * requring a reference to the pcb. - */ - if (inp->inp_options != NULL) { - options = m_dup(inp->inp_options, M_DONTWAIT); - if (options == NULL) - error = ENOBUFS; - } - INP_RUNLOCK(inp); - if (error == ENOBUFS) { - m_freem(m); - return (error); + /* + * Get ready to inject the packet into ip_output(). + * Just in case socket options were specified on the + * divert socket, we duplicate them. This is done + * to avoid having to hold the PCB locks over the call + * to ip_output(), as doing this results in a number of + * lock ordering complexities. + * + * Note that we set the multicast options argument for + * ip_output() to NULL since it should be invariant that + * they are not present. + */ + KASSERT(inp->inp_moptions == NULL, + ("multicast options set on a divert socket")); + /* + * XXXCSJP: It is unclear to me whether or not it makes + * sense for divert sockets to have options. However, + * for now we will duplicate them with the INP locks + * held so we can use them in ip_output() without + * requring a reference to the pcb. + */ + if (inp->inp_options != NULL) { + options = m_dup(inp->inp_options, M_NOWAIT); + if (options == NULL) { + INP_RUNLOCK(inp); + error = ENOBUFS; + goto cantsend; } + } + INP_RUNLOCK(inp); + + switch (ip->ip_v) { + case IPVERSION: error = ip_output(m, options, NULL, - ((so->so_options & SO_DONTROUTE) ? - IP_ROUTETOIF : 0) | IP_ALLOWBROADCAST | - IP_RAWOUTPUT, NULL, NULL); - if (options != NULL) - m_freem(options); + ((so->so_options & SO_DONTROUTE) ? IP_ROUTETOIF : 0) + | IP_ALLOWBROADCAST | IP_RAWOUTPUT, NULL, NULL); + break; +#ifdef INET6 + case IPV6_VERSION >> 4: + error = ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL); + break; +#endif } + if (options != NULL) + m_freem(options); } else { dt->info |= IPFW_IS_DIVERT | IPFW_INFO_IN; if (m->m_pkthdr.rcvif == NULL) { @@ -456,14 +493,26 @@ div_output(struct socket *so, struct mbuf *m, struct sockaddr_in *sin, mac_socket_create_mbuf(so, m); #endif /* Send packet to input processing via netisr */ - netisr_queue_src(NETISR_IP, (uintptr_t)so, m); + switch (ip->ip_v) { + case IPVERSION: + netisr_queue_src(NETISR_IP, (uintptr_t)so, m); + break; +#ifdef INET6 + case IPV6_VERSION >> 4: + netisr_queue_src(NETISR_IPV6, (uintptr_t)so, m); + break; +#endif + default: + error = EINVAL; + goto cantsend; + } } - return error; + return (error); cantsend: m_freem(m); - return error; + return (error); } static int diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h index 06e107c..ff3a67f 100644 --- a/sys/netinet/ip_fw.h +++ b/sys/netinet/ip_fw.h @@ -57,6 +57,12 @@ #define IP_FW_TABLEARG 65535 /* XXX should use 0 */ /* + * Number of entries in the call stack of the call/return commands. + * Call stack currently is an uint16_t array with rule numbers. + */ +#define IPFW_CALLSTACK_SIZE 16 + +/* * The kernel representation of ipfw rules is made of a list of * 'instructions' (for all practical purposes equivalent to BPF * instructions), which specify which fields of the packet @@ -195,6 +201,8 @@ enum ipfw_opcodes { /* arguments (4 byte each) */ O_SOCKARG, /* socket argument */ + O_CALLRETURN, /* arg1=called rule number */ + O_LAST_OPCODE /* not an opcode! */ }; diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c index 3542aa1..ec8a2f0 100644 --- a/sys/netinet/ip_icmp.c +++ b/sys/netinet/ip_icmp.c @@ -675,6 +675,8 @@ icmp_reflect(struct mbuf *m) goto done; /* Ip_output() will check for broadcast */ } + m_addr_changed(m); + t = ip->ip_dst; ip->ip_dst = ip->ip_src; diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h index e993279..cd30093 100644 --- a/sys/netinet/ip_var.h +++ b/sys/netinet/ip_var.h @@ -286,6 +286,7 @@ enum { }; #define MTAG_IPFW 1148380143 /* IPFW-tagged cookie */ #define MTAG_IPFW_RULE 1262273568 /* rule reference */ +#define MTAG_IPFW_CALL 1308397630 /* call stack */ struct ip_fw_args; typedef int (*ip_fw_chk_ptr_t)(struct ip_fw_args *args); diff --git a/sys/netinet/ipfw/ip_dn_io.c b/sys/netinet/ipfw/ip_dn_io.c index bcb12ae..6766416 100644 --- a/sys/netinet/ipfw/ip_dn_io.c +++ b/sys/netinet/ipfw/ip_dn_io.c @@ -668,7 +668,6 @@ dummynet_send(struct mbuf *m) break; case DIR_OUT | PROTO_IPV6: - SET_HOST_IPLEN(mtod(m, struct ip *)); ip6_output(m, NULL, NULL, IPV6_FORWARDING, NULL, NULL, NULL); break; #endif diff --git a/sys/netinet/ipfw/ip_fw2.c b/sys/netinet/ipfw/ip_fw2.c index 9e5c737..4e25f9a 100644 --- a/sys/netinet/ipfw/ip_fw2.c +++ b/sys/netinet/ipfw/ip_fw2.c @@ -1670,10 +1670,6 @@ do { \ break; } at->qid = altq->qid; - if (is_ipv4) - at->af = AF_INET; - else - at->af = AF_LINK; at->hdr = ip; break; } @@ -2099,6 +2095,123 @@ do { \ continue; break; /* not reached */ + case O_CALLRETURN: { + /* + * Implementation of `subroutine' call/return, + * in the stack carried in an mbuf tag. This + * is different from `skipto' in that any call + * address is possible (`skipto' must prevent + * backward jumps to avoid endless loops). + * We have `return' action when F_NOT flag is + * present. The `m_tag_id' field is used as + * stack pointer. + */ + struct m_tag *mtag; + uint16_t jmpto, *stack; + +#define IS_CALL ((cmd->len & F_NOT) == 0) +#define IS_RETURN ((cmd->len & F_NOT) != 0) + /* + * Hand-rolled version of m_tag_locate() with + * wildcard `type'. + * If not already tagged, allocate new tag. + */ + mtag = m_tag_first(m); + while (mtag != NULL) { + if (mtag->m_tag_cookie == + MTAG_IPFW_CALL) + break; + mtag = m_tag_next(m, mtag); + } + if (mtag == NULL && IS_CALL) { + mtag = m_tag_alloc(MTAG_IPFW_CALL, 0, + IPFW_CALLSTACK_SIZE * + sizeof(uint16_t), M_NOWAIT); + if (mtag != NULL) + m_tag_prepend(m, mtag); + } + + /* + * On error both `call' and `return' just + * continue with next rule. + */ + if (IS_RETURN && (mtag == NULL || + mtag->m_tag_id == 0)) { + l = 0; /* exit inner loop */ + break; + } + if (IS_CALL && (mtag == NULL || + mtag->m_tag_id >= IPFW_CALLSTACK_SIZE)) { + printf("ipfw: call stack error, " + "go to next rule\n"); + l = 0; /* exit inner loop */ + break; + } + + f->pcnt++; /* update stats */ + f->bcnt += pktlen; + f->timestamp = time_uptime; + stack = (uint16_t *)(mtag + 1); + + /* + * The `call' action may use cached f_pos + * (in f->next_rule), whose version is written + * in f->next_rule. + * The `return' action, however, doesn't have + * fixed jump address in cmd->arg1 and can't use + * cache. + */ + if (IS_CALL) { + stack[mtag->m_tag_id] = f->rulenum; + mtag->m_tag_id++; + if (cmd->arg1 != IP_FW_TABLEARG && + (uintptr_t)f->x_next == chain->id) { + f_pos = (uintptr_t)f->next_rule; + } else { + jmpto = (cmd->arg1 == + IP_FW_TABLEARG) ? tablearg: + cmd->arg1; + f_pos = ipfw_find_rule(chain, + jmpto, 0); + /* update the cache */ + if (cmd->arg1 != + IP_FW_TABLEARG) { + f->next_rule = + (void *)(uintptr_t) + f_pos; + f->x_next = + (void *)(uintptr_t) + chain->id; + } + } + } else { /* `return' action */ + mtag->m_tag_id--; + jmpto = stack[mtag->m_tag_id] + 1; + f_pos = ipfw_find_rule(chain, jmpto, 0); + } + + /* + * Skip disabled rules, and re-enter + * the inner loop with the correct + * f_pos, f, l and cmd. + * Also clear cmdlen and skip_or + */ + for (; f_pos < chain->n_rules - 1 && + (V_set_disable & + (1 << chain->map[f_pos]->set)); f_pos++) + ; + /* Re-enter the inner loop at the dest rule. */ + f = chain->map[f_pos]; + l = f->cmd_len; + cmd = f->cmd; + cmdlen = 0; + skip_or = 0; + continue; + break; /* NOTREACHED */ + } +#undef IS_CALL +#undef IS_RETURN + case O_REJECT: /* * Drop the packet and send a reject notice diff --git a/sys/netinet/ipfw/ip_fw_log.c b/sys/netinet/ipfw/ip_fw_log.c index 3560e13..2b55a38 100644 --- a/sys/netinet/ipfw/ip_fw_log.c +++ b/sys/netinet/ipfw/ip_fw_log.c @@ -304,6 +304,13 @@ ipfw_log(struct ip_fw *f, u_int hlen, struct ip_fw_args *args, case O_REASS: action = "Reass"; break; + case O_CALLRETURN: + if (cmd->len & F_NOT) + action = "Return"; + else + snprintf(SNPARGS(action2, 0), "Call %d", + cmd->arg1); + break; default: action = "UNKNOWN"; break; diff --git a/sys/netinet/ipfw/ip_fw_pfil.c b/sys/netinet/ipfw/ip_fw_pfil.c index 248e4dd..736615b 100644 --- a/sys/netinet/ipfw/ip_fw_pfil.c +++ b/sys/netinet/ipfw/ip_fw_pfil.c @@ -58,6 +58,10 @@ __FBSDID("$FreeBSD$"); #include <netinet/ip.h> #include <netinet/ip_var.h> #include <netinet/ip_fw.h> +#ifdef INET6 +#include <netinet/ip6.h> +#include <netinet6/ip6_var.h> +#endif #include <netinet/ipfw/ip_fw_private.h> #include <netgraph/ng_ipfw.h> @@ -127,8 +131,9 @@ again: args.rule = *((struct ipfw_rule_ref *)(tag+1)); m_tag_delete(*m0, tag); if (args.rule.info & IPFW_ONEPASS) { - SET_HOST_IPLEN(mtod(*m0, struct ip *)); - return 0; + if (mtod(*m0, struct ip *)->ip_v == 4) + SET_HOST_IPLEN(mtod(*m0, struct ip *)); + return (0); } } @@ -264,7 +269,7 @@ ipfw_divert(struct mbuf **m0, int incoming, struct ipfw_rule_ref *rule, * If not tee, consume packet and send it to divert socket. */ struct mbuf *clone; - struct ip *ip; + struct ip *ip = mtod(*m0, struct ip *); struct m_tag *tag; /* Cloning needed for tee? */ @@ -288,8 +293,9 @@ ipfw_divert(struct mbuf **m0, int incoming, struct ipfw_rule_ref *rule, * Note that we now have the 'reass' ipfw option so if we care * we can do it before a 'tee'. */ - ip = mtod(clone, struct ip *); - if (!tee && ntohs(ip->ip_off) & (IP_MF | IP_OFFMASK)) { + if (!tee) switch (ip->ip_v) { + case IPVERSION: + if (ntohs(ip->ip_off) & (IP_MF | IP_OFFMASK)) { int hlen; struct mbuf *reass; @@ -311,7 +317,26 @@ ipfw_divert(struct mbuf **m0, int incoming, struct ipfw_rule_ref *rule, else ip->ip_sum = in_cksum(reass, hlen); clone = reass; + } + break; +#ifdef INET6 + case IPV6_VERSION >> 4: + { + struct ip6_hdr *const ip6 = mtod(clone, struct ip6_hdr *); + + if (ip6->ip6_nxt == IPPROTO_FRAGMENT) { + int nxt, off; + + off = sizeof(struct ip6_hdr); + nxt = frag6_input(&clone, &off, 0); + if (nxt == IPPROTO_DONE) + return (0); + } + break; + } +#endif } + /* attach a tag to the packet with the reinject info */ tag = m_tag_alloc(MTAG_IPFW_RULE, 0, sizeof(struct ipfw_rule_ref), M_NOWAIT); diff --git a/sys/netinet/ipfw/ip_fw_sockopt.c b/sys/netinet/ipfw/ip_fw_sockopt.c index 2347456..1432858 100644 --- a/sys/netinet/ipfw/ip_fw_sockopt.c +++ b/sys/netinet/ipfw/ip_fw_sockopt.c @@ -752,6 +752,7 @@ check_ipfw_struct(struct ip_fw *rule, int size) #endif case O_SKIPTO: case O_REASS: + case O_CALLRETURN: check_size: if (cmdlen != F_INSN_SIZE(ipfw_insn)) goto bad_size; diff --git a/sys/netinet/libalias/alias_db.c b/sys/netinet/libalias/alias_db.c index 9b30793..4e0837f 100644 --- a/sys/netinet/libalias/alias_db.c +++ b/sys/netinet/libalias/alias_db.c @@ -552,10 +552,6 @@ static void IncrementalCleanup(struct libalias *); static void DeleteLink(struct alias_link *); static struct alias_link * -AddLink(struct libalias *, struct in_addr, struct in_addr, struct in_addr, - u_short, u_short, int, int); - -static struct alias_link * ReLink(struct alias_link *, struct in_addr, struct in_addr, struct in_addr, u_short, u_short, int, int); @@ -572,9 +568,6 @@ static struct alias_link * #define ALIAS_PORT_MASK_EVEN 0x07ffe #define GET_NEW_PORT_MAX_ATTEMPTS 20 -#define GET_ALIAS_PORT -1 -#define GET_ALIAS_ID GET_ALIAS_PORT - #define FIND_EVEN_ALIAS_BASE 1 /* GetNewPort() allocates port numbers. Note that if a port number @@ -937,17 +930,12 @@ DeleteLink(struct alias_link *lnk) } -static struct alias_link * -AddLink(struct libalias *la, struct in_addr src_addr, - struct in_addr dst_addr, - struct in_addr alias_addr, - u_short src_port, - u_short dst_port, - int alias_port_param, /* if less than zero, alias */ - int link_type) -{ /* port will be automatically *//* chosen. - * If greater than */ - u_int start_point; /* zero, equal to alias port */ +struct alias_link * +AddLink(struct libalias *la, struct in_addr src_addr, struct in_addr dst_addr, + struct in_addr alias_addr, u_short src_port, u_short dst_port, + int alias_port_param, int link_type) +{ + u_int start_point; struct alias_link *lnk; LIBALIAS_LOCK_ASSERT(la); diff --git a/sys/netinet/libalias/alias_ftp.c b/sys/netinet/libalias/alias_ftp.c index ef0e52c..8e7d05b 100644 --- a/sys/netinet/libalias/alias_ftp.c +++ b/sys/netinet/libalias/alias_ftp.c @@ -100,38 +100,68 @@ __FBSDID("$FreeBSD$"); #define FTP_CONTROL_PORT_NUMBER 21 static void -AliasHandleFtpOut(struct libalias *, struct ip *, struct alias_link *, - int maxpacketsize); +AliasHandleFtpOut(struct libalias *, struct ip *, struct alias_link *, + int maxpacketsize); +static void +AliasHandleFtpIn(struct libalias *, struct ip *, struct alias_link *); -static int -fingerprint(struct libalias *la, struct alias_data *ah) +static int +fingerprint_out(struct libalias *la, struct alias_data *ah) { - if (ah->dport == NULL || ah->sport == NULL || ah->lnk == NULL || - ah->maxpktsize == 0) + if (ah->dport == NULL || ah->sport == NULL || ah->lnk == NULL || + ah->maxpktsize == 0) return (-1); - if (ntohs(*ah->dport) == FTP_CONTROL_PORT_NUMBER - || ntohs(*ah->sport) == FTP_CONTROL_PORT_NUMBER) + if (ntohs(*ah->dport) == FTP_CONTROL_PORT_NUMBER || + ntohs(*ah->sport) == FTP_CONTROL_PORT_NUMBER) return (0); return (-1); } -static int -protohandler(struct libalias *la, struct ip *pip, struct alias_data *ah) +static int +fingerprint_in(struct libalias *la, struct alias_data *ah) +{ + + if (ah->dport == NULL || ah->sport == NULL || ah->lnk == NULL) + return (-1); + if (ntohs(*ah->dport) == FTP_CONTROL_PORT_NUMBER || + ntohs(*ah->sport) == FTP_CONTROL_PORT_NUMBER) + return (0); + return (-1); +} + +static int +protohandler_out(struct libalias *la, struct ip *pip, struct alias_data *ah) { - + AliasHandleFtpOut(la, pip, ah->lnk, ah->maxpktsize); return (0); } + +static int +protohandler_in(struct libalias *la, struct ip *pip, struct alias_data *ah) +{ + + AliasHandleFtpIn(la, pip, ah->lnk); + return (0); +} + struct proto_handler handlers[] = { - { - .pri = 80, - .dir = OUT, - .proto = TCP, - .fingerprint = &fingerprint, - .protohandler = &protohandler - }, + { + .pri = 80, + .dir = OUT, + .proto = TCP, + .fingerprint = &fingerprint_out, + .protohandler = &protohandler_out + }, + { + .pri = 80, + .dir = IN, + .proto = TCP, + .fingerprint = &fingerprint_in, + .protohandler = &protohandler_in + }, { EOH } }; @@ -256,6 +286,57 @@ AliasHandleFtpOut( } } +static void +AliasHandleFtpIn(struct libalias *la, + struct ip *pip, /* IP packet to examine/patch */ + struct alias_link *lnk) /* The link to go through (aliased port) */ +{ + int hlen, tlen, dlen, pflags; + char *sptr; + struct tcphdr *tc; + + /* Calculate data length of TCP packet */ + tc = (struct tcphdr *)ip_next(pip); + hlen = (pip->ip_hl + tc->th_off) << 2; + tlen = ntohs(pip->ip_len); + dlen = tlen - hlen; + + /* Place string pointer and beginning of data */ + sptr = (char *)pip; + sptr += hlen; + + /* + * Check that data length is not too long and previous message was + * properly terminated with CRLF. + */ + pflags = GetProtocolFlags(lnk); + if (dlen <= MAX_MESSAGE_SIZE && (pflags & WAIT_CRLF) == 0 && + ntohs(tc->th_dport) == FTP_CONTROL_PORT_NUMBER && + (ParseFtpPortCommand(la, sptr, dlen) != 0 || + ParseFtpEprtCommand(la, sptr, dlen) != 0)) { + /* + * Alias active mode client requesting data from server + * behind NAT. We need to alias server->client connection + * to external address client is connecting to. + */ + AddLink(la, GetOriginalAddress(lnk), la->true_addr, + GetAliasAddress(lnk), htons(FTP_CONTROL_PORT_NUMBER - 1), + htons(la->true_port), GET_ALIAS_PORT, IPPROTO_TCP); + } + /* Track the msgs which are CRLF term'd for PORT/PASV FW breach */ + if (dlen) { + sptr = (char *)pip; /* start over at beginning */ + tlen = ntohs(pip->ip_len); /* recalc tlen, pkt may + * have grown. + */ + if (sptr[tlen - 2] == '\r' && sptr[tlen - 1] == '\n') + pflags &= ~WAIT_CRLF; + else + pflags |= WAIT_CRLF; + SetProtocolFlags(lnk, pflags); + } +} + static int ParseFtpPortCommand(struct libalias *la, char *sptr, int dlen) { @@ -576,9 +657,10 @@ NewFtpMessage(struct libalias *la, struct ip *pip, if (la->true_port < IPPORT_RESERVED) return; -/* Establish link to address and port found in FTP control message. */ - ftp_lnk = FindUdpTcpOut(la, la->true_addr, GetDestAddress(lnk), - htons(la->true_port), 0, IPPROTO_TCP, 1); + /* Establish link to address and port found in FTP control message. */ + ftp_lnk = AddLink(la, la->true_addr, GetDestAddress(lnk), + GetAliasAddress(lnk), htons(la->true_port), 0, GET_ALIAS_PORT, + IPPROTO_TCP); if (ftp_lnk != NULL) { int slen, hlen, tlen, dlen; diff --git a/sys/netinet/libalias/alias_local.h b/sys/netinet/libalias/alias_local.h index e201394..c291a37 100644 --- a/sys/netinet/libalias/alias_local.h +++ b/sys/netinet/libalias/alias_local.h @@ -67,6 +67,9 @@ #define LINK_TABLE_OUT_SIZE 4001 #define LINK_TABLE_IN_SIZE 4001 +#define GET_ALIAS_PORT -1 +#define GET_ALIAS_ID GET_ALIAS_PORT + struct proxy_entry; struct libalias { @@ -249,6 +252,10 @@ DifferentialChecksum(u_short * _cksum, void * _new, void * _old, int _n); /* Internal data access */ struct alias_link * +AddLink(struct libalias *la, struct in_addr src_addr, struct in_addr dst_addr, + struct in_addr alias_addr, u_short src_port, u_short dst_port, + int alias_param, int link_type); +struct alias_link * FindIcmpIn(struct libalias *la, struct in_addr _dst_addr, struct in_addr _alias_addr, u_short _id_alias, int _create); struct alias_link * diff --git a/sys/netinet/libalias/libalias.3 b/sys/netinet/libalias/libalias.3 index 31702e8..b82b087 100644 --- a/sys/netinet/libalias/libalias.3 +++ b/sys/netinet/libalias/libalias.3 @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd October 1, 2006 +.Dd July 04, 2011 .Dt LIBALIAS 3 .Os .Sh NAME @@ -52,7 +52,7 @@ machine on the local network. .Pp A certain amount of flexibility is built into the packet aliasing engine. In the simplest mode of operation, a many-to-one address mapping takes -place between local network and the packet aliasing host. +place between the local network and the packet aliasing host. This is known as IP masquerading. In addition, one-to-one mappings between local and public addresses can also be implemented, which is known as static NAT. @@ -61,15 +61,11 @@ linked to different public addresses, comprising several distinct many-to-one mappings. Also, a given public address and port can be statically redirected to a private address/port. -.Pp -The packet aliasing engine was designed to operate in user space outside -of the kernel, without any access to private kernel data structure, but -the source code can also be ported to a kernel environment. .Sh INITIALIZATION AND CONTROL One special function, .Fn LibAliasInit , -must always be called before any packet handling may be performed and -the returned instance pointer passed to all the other functions. +must always be called before any packet handling may be performed, and +the returned instance pointer must be passed to all the other functions. Normally, the .Fn LibAliasSetAddress function is called afterwards, to set the default aliasing address. @@ -118,8 +114,8 @@ prior to any packet handling. This function has no return value and is used to clear any resources attached to internal data structures. .Pp -This functions should be called when a program stops using the aliasing -engine; it does, amongst other things, clear out any firewall holes. +This function should be called when a program stops using the aliasing +engine; amongst other things, it clears out any firewall holes. To provide backwards compatibility and extra security, it is added to the .Xr atexit 3 @@ -135,7 +131,7 @@ local area network are aliased. All outgoing packets are re-mapped to this address unless overridden by a static address mapping established by .Fn LibAliasRedirectAddr . -If this function is not called, and no static rules match, an outgoing +If this function has not been called, and no static rules match, an outgoing packet retains its source address. .Pp If the @@ -150,7 +146,7 @@ address may or may not change on successive dial-up attempts. If the .Dv PKT_ALIAS_RESET_ON_ADDR_CHANGE mode bit is set to zero, this function can also be used to dynamically change -the aliasing address on a packet to packet basis (it is a low overhead call). +the aliasing address on a packet-to-packet basis (it is a low overhead call). .Pp It is mandatory that this function be called prior to any packet handling. .Ed @@ -170,7 +166,7 @@ The following mode bits are defined in .It Dv PKT_ALIAS_LOG Enables logging into .Pa /var/log/alias.log . -Each time an aliasing link is created or deleted, the log file is appended +Each time an aliasing link is created or deleted, the log file is appended to with the current number of ICMP, TCP and UDP links. Mainly useful for debugging when the log file is viewed continuously with .Xr tail 1 . @@ -186,7 +182,7 @@ Response packets to connections or transactions initiated from the packet aliasing host or local network will be unaffected. This mode bit is useful for implementing a one-way firewall. .It Dv PKT_ALIAS_SAME_PORTS -If this mode bit is set, the packet aliasing engine will attempt to leave +If this mode bit is set, the packet-aliasing engine will attempt to leave the alias port numbers unchanged from the actual local port numbers. This can be done as long as the quintuple (proto, alias addr, alias port, remote addr, remote port) is unique. @@ -211,7 +207,7 @@ Standard Class A, B and C unregistered addresses are: 192.168.0.0 -> 192.168.255.255 (Class C subnets) .Ed .Pp -This option is useful in the case that packet aliasing host has both +This option is useful in the case that the packet aliasing host has both registered and unregistered subnets on different interfaces. The registered subnet is fully accessible to the outside world, so traffic from it does not need to be passed through the packet aliasing engine. @@ -229,8 +225,9 @@ of an address change. .It Dv PKT_ALIAS_PUNCH_FW This option makes .Nm -`punch holes' in an -.Xr ipfirewall 4 +.Dq punch holes +in an +.Xr ipfirewall 4 - based firewall for FTP/IRC DCC connections. The holes punched are bound by from/to IP address and port; it will not be possible to use a hole for another connection. @@ -240,9 +237,9 @@ To cater to unexpected death of a program using (e.g.\& kill -9), changing the state of the flag will clear the entire firewall range allocated for holes. -This will also happen on the initial call to -.Fn LibAliasSetFWBase . -This call must happen prior to setting this flag. +This clearing will also happen on the initial call to +.Fn LibAliasSetFWBase , +which must happen prior to setting this flag. .It Dv PKT_ALIAS_REVERSE This option makes .Nm @@ -257,16 +254,28 @@ Normal packet aliasing is not performed. See .Fn LibAliasProxyRule below for details. +.It Dv PKT_ALIAS_SKIP_GLOBAL +This option is used by +.Pa ipfw_nat +only. +Specifying it as a flag to +.Fn LibAliasSetMode +has no effect. +See section +.Sx NETWORK ADDRESS TRANSLATION +in +.Xr ipfw 8 +for more details. .El .Ed .Pp .Ft void .Fn LibAliasSetFWBase "struct libalias *" "unsigned int base" "unsigned int num" .Bd -ragged -offset indent -Set firewall range allocated for punching firewall holes (with the +Set the firewall range allocated for punching firewall holes (with the .Dv PKT_ALIAS_PUNCH_FW flag). -The range will be cleared for all rules on initialization. +The range is cleared for all rules on initialization. .Ed .Pp .Ft void @@ -292,7 +301,7 @@ the two packet handling functions, .Fn LibAliasIn and .Fn LibAliasOut , -comprise minimal set of functions needed for a basic IP masquerading +comprise the minimal set of functions needed for a basic IP masquerading implementation. .Pp .Ft int @@ -313,11 +322,11 @@ Return codes: The packet aliasing process was successful. .It Dv PKT_ALIAS_IGNORED The packet was ignored and not de-aliased. -This can happen if the protocol is unrecognized, possibly an ICMP message -type is not handled or if incoming packets for new connections are being -ignored (if +This can happen if the protocol is unrecognized, as for an ICMP message +type that is not handled, or if incoming packets for new connections are being +ignored (if the .Dv PKT_ALIAS_DENY_INCOMING -mode bit was set by +mode bit was set using .Fn LibAliasSetMode ) . .It Dv PKT_ALIAS_UNRESOLVED_FRAGMENT This is returned when a fragment cannot be resolved because the header @@ -408,7 +417,7 @@ is called to change the address after .Fn LibAliasRedirectPort is called, a zero reference will track this change. .Pp -If the link is further set up to operate for a load sharing, then +If the link is further set up to operate with load sharing, then .Fa local_addr and .Fa local_port @@ -423,7 +432,7 @@ Likewise, if .Fa remote_port is zero, this indicates to redirect packets originating from any remote port number. -Almost always, the remote port specification will be zero, but non-zero +The remote port specification will almost always be zero, but non-zero remote addresses can sometimes be useful for firewalling. If two calls to .Fn LibAliasRedirectPort @@ -475,9 +484,10 @@ is called to change the address after .Fn LibAliasRedirectAddr is called, a zero reference will track this change. .Pp -If the link is further set up to operate for a load sharing, then +If the link is further set up to operate with load sharing, then the .Fa local_addr -is ignored, and is selected dynamically from the server pool, as described in +argument is ignored, and is selected dynamically from the server pool, +as described in .Fn LibAliasAddServer below. .Pp @@ -532,12 +542,12 @@ up for Load Sharing using IP Network Address Translation (RFC 2391, LSNAT). LSNAT operates as follows. A client attempts to access a server by using the server virtual address. The LSNAT router transparently redirects the request to one of the hosts -in server pool, selected using a real-time load sharing algorithm. +in the server pool, using a real-time load sharing algorithm. Multiple sessions may be initiated from the same client, and each session -could be directed to a different host based on load balance across server -pool hosts at the time. -If load share is desired for just a few specific services, the configuration -on LSNAT could be defined to restrict load share for just the services +could be directed to a different host based on the load balance across server +pool hosts when the sessions are initiated. +If load sharing is desired for just a few specific services, the configuration +on LSNAT could be defined to restrict load sharing to just the services desired. .Pp Currently, only the simplest selection algorithm is implemented, where a @@ -596,8 +606,8 @@ The parameter is the pointer returned by either of the redirection functions. If an invalid pointer is passed to .Fn LibAliasRedirectDelete , -then a program crash or unpredictable operation could result, so it is -necessary to be careful using this function. +then a program crash or unpredictable operation could result, so +care is needed when using this function. .Ed .Pp .Ft int @@ -704,7 +714,7 @@ access, or to restrict access to certain external machines. .Bd -ragged -offset indent This function specifies that any IP packet with protocol number of .Fa proto -from a given remote address to an alias address be +from a given remote address to an alias address will be redirected to a specified local address. .Pp If @@ -814,6 +824,19 @@ argument is the pointer to a header fragment used as a template, and is the pointer to the packet to be de-aliased. .Ed .Sh MISCELLANEOUS FUNCTIONS +.Ft struct alias_link * +.Fn AddLink "struct libalias *" "struct in_addr src_addr" "struct in_addr dst_addr" \ +"struct in_addr alias_addr" "u_short src_port" "u_short dst_port" \ +"int alias_param" "int link_type" +.Bd -ragged -offset indent +This function adds new state to the instance hash table. +The dst_address and/or dst_port may be given as zero, which +introduces some dynamic character into the link, since +LibAliasSetAddress can change the address that is used. +However, in the current implementation, such links can only be used +for inbound (ext -> int) traffic. +.Ed +.Pp .Ft void .Fn LibAliasSetTarget "struct libalias *" "struct in_addr addr" .Bd -ragged -offset indent @@ -1098,9 +1121,9 @@ SLIST_HEAD(dll_chain, dll) dll_chain ... .Ed .Pp .Va handler_chain -keep tracks of all the protocol handlers loaded, while +keeps track of all the protocol handlers loaded, while .Va ddl_chain -takes care of userland modules loaded. +tracks which userland modules are loaded. .Pp .Va handler_chain is composed of @@ -1122,12 +1145,12 @@ struct proto_handler { where: .Bl -inset .It Va pri -is the priority assigned to a protocol handler, lower +is the priority assigned to a protocol handler; lower priority is better. .It Va dir is the direction of packets: ingoing or outgoing. .It Va proto -says at which protocol this packet belongs: IP, TCP or UDP. +indicates to which protocol this packet belongs: IP, TCP or UDP. .It Va fingerprint points to the fingerprint function while protohandler points to the protocol handler function. @@ -1135,8 +1158,8 @@ to the protocol handler function. .Pp The .Va fingerprint -function has the double of scope of checking if the -incoming packet is found and if it belongs to any categories that this +function has the dual role of checking if the +incoming packet is found, and if it belongs to any categories that this module can handle. .Pp The @@ -1151,8 +1174,8 @@ When a packet enters if it meets a module hook, .Va handler_chain is searched to see if there is an handler that matches -this type of a packet (it checks protocol and direction of packet), then if -more than one handler is found, it starts with the module with +this type of a packet (it checks protocol and direction of packet). +Then, if more than one handler is found, it starts with the module with the lowest priority number: it calls the .Va fingerprint function and interprets the result. @@ -1190,8 +1213,8 @@ structure, then is called. The .Fn find_handler -function is responsible for walking out the handler -chain, it receives as input parameters: +function is responsible for walking the handler +chain; it receives as input parameters: .Bl -tag -width indent .It Fa IN direction @@ -1215,9 +1238,9 @@ supporting INcoming UDP packets. .Pp As was mentioned earlier, .Nm -in userland is a bit different, cause -care has to be taken of module handling too (avoiding duplicate load of -module, avoiding module with same name, etc.) so +in userland is a bit different, as +care must be taken in module handling as well (avoiding duplicate load of +modules, avoiding modules with same name, etc.) so .Va dll_chain was introduced. .Pp @@ -1231,9 +1254,8 @@ When an application calls .Nm first unloads all the loaded modules, then reloads all the modules listed in .Pa /etc/libalias.conf : -for every module loaded, a new entry to -.Va dll_chain -is added. +for every module loaded, a new entry is added to +.Va dll_chain . .Pp .Va dll_chain is composed of @@ -1270,8 +1292,8 @@ There is a module (called .Pa alias_dummy.[ch] ) in .Nm -that can be used as a skeleton for future work, here we analyse some parts of that -module. +that can be used as a skeleton for future work. +Here we analyse some parts of that module. From .Pa alias_dummy.c : .Bd -literal @@ -1284,7 +1306,7 @@ The variable is the .Dq "most important thing" in a module -cause it describes the handlers present and lets the outside world use +since it describes the handlers present and lets the outside world use it in an opaque way. .Pp It must ALWAYS be present in every module, and it MUST retain @@ -1327,7 +1349,7 @@ mod_handler(module_t mod, int type, void *data) .Ed When running as KLD, .Fn mod_handler -register/deregister the module using +registers/deregisters the module using .Fn attach_handlers and .Fn detach_handlers , diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c index e754b88..1a8e537 100644 --- a/sys/netinet/raw_ip.c +++ b/sys/netinet/raw_ip.c @@ -100,6 +100,9 @@ void (*ip_divert_ptr)(struct mbuf *, int); int (*ng_ipfw_input_p)(struct mbuf **, int, struct ip_fw_args *, int); +/* Hook for telling pf that the destination address changed */ +void (*m_addr_chg_pf_p)(struct mbuf *m); + #ifdef INET /* * Hooks for multicast routing. They all default to NULL, so leave them not diff --git a/sys/netinet/sctp.h b/sys/netinet/sctp.h index f496d26..3c8cf36 100644 --- a/sys/netinet/sctp.h +++ b/sys/netinet/sctp.h @@ -118,6 +118,7 @@ struct sctp_paramhdr { #define SCTP_RECVRCVINFO 0x0000001f #define SCTP_RECVNXTINFO 0x00000020 #define SCTP_DEFAULT_SNDINFO 0x00000021 +#define SCTP_DEFAULT_PRINFO 0x00000022 /* * read-only options diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c index 8dc01cd..7059365 100644 --- a/sys/netinet/sctp_pcb.c +++ b/sys/netinet/sctp_pcb.c @@ -2523,8 +2523,7 @@ sctp_inpcb_alloc(struct socket *so, uint32_t vrf_id) so->so_pcb = (caddr_t)inp; - if ((SCTP_SO_TYPE(so) == SOCK_DGRAM) || - (SCTP_SO_TYPE(so) == SOCK_SEQPACKET)) { + if (SCTP_SO_TYPE(so) == SOCK_SEQPACKET) { /* UDP style socket */ inp->sctp_flags = (SCTP_PCB_FLAGS_UDPTYPE | SCTP_PCB_FLAGS_UNBOUND); @@ -3721,13 +3720,6 @@ sctp_inpcb_free(struct sctp_inpcb *inp, int immediate, int from) (void)sctp_m_free(ip_pcb->inp_options); ip_pcb->inp_options = 0; } -#ifdef INET - if (ip_pcb->inp_moptions) { - inp_freemoptions(ip_pcb->inp_moptions); - ip_pcb->inp_moptions = 0; - } -#endif - #ifdef INET6 if (ip_pcb->inp_vflag & INP_IPV6) { struct in6pcb *in6p; diff --git a/sys/netinet/sctp_uio.h b/sys/netinet/sctp_uio.h index e7f2daf..9b9acbf 100644 --- a/sys/netinet/sctp_uio.h +++ b/sys/netinet/sctp_uio.h @@ -162,6 +162,12 @@ struct sctp_prinfo { uint32_t pr_value; }; +struct sctp_default_prinfo { + uint16_t pr_policy; + uint32_t pr_value; + sctp_assoc_t pr_assoc_id; +}; + struct sctp_authinfo { uint16_t auth_keyid; }; @@ -201,6 +207,7 @@ struct sctp_recvv_rn { #define SCTP_RECVV_NXTINFO 2 #define SCTP_RECVV_RN 3 +#define SCTP_SENDV_NOINFO 0 #define SCTP_SENDV_SNDINFO 1 #define SCTP_SENDV_PRINFO 2 #define SCTP_SENDV_AUTHINFO 3 @@ -244,12 +251,13 @@ struct sctp_snd_all_completes { /* for the endpoint */ /* The lower byte is an enumeration of PR-SCTP policies */ +#define SCTP_PR_SCTP_NONE 0x0000/* Reliable transfer */ #define SCTP_PR_SCTP_TTL 0x0001/* Time based PR-SCTP */ #define SCTP_PR_SCTP_BUF 0x0002/* Buffer based PR-SCTP */ #define SCTP_PR_SCTP_RTX 0x0003/* Number of retransmissions based PR-SCTP */ #define PR_SCTP_POLICY(x) ((x) & 0x0f) -#define PR_SCTP_ENABLED(x) (PR_SCTP_POLICY(x) != 0) +#define PR_SCTP_ENABLED(x) (PR_SCTP_POLICY(x) != SCTP_PR_SCTP_NONE) #define PR_SCTP_TTL_ENABLED(x) (PR_SCTP_POLICY(x) == SCTP_PR_SCTP_TTL) #define PR_SCTP_BUF_ENABLED(x) (PR_SCTP_POLICY(x) == SCTP_PR_SCTP_BUF) #define PR_SCTP_RTX_ENABLED(x) (PR_SCTP_POLICY(x) == SCTP_PR_SCTP_RTX) @@ -583,6 +591,7 @@ struct sctp_authchunk { struct sctp_authkey { sctp_assoc_t sca_assoc_id; uint16_t sca_keynumber; + uint16_t sca_keylength; uint8_t sca_key[]; }; diff --git a/sys/netinet/sctp_usrreq.c b/sys/netinet/sctp_usrreq.c index 2fcf306..ab87772 100644 --- a/sys/netinet/sctp_usrreq.c +++ b/sys/netinet/sctp_usrreq.c @@ -3030,6 +3030,7 @@ flags_out: if (stcb) { info->snd_sid = stcb->asoc.def_send.sinfo_stream; info->snd_flags = stcb->asoc.def_send.sinfo_flags; + info->snd_flags &= 0xfff0; info->snd_ppid = stcb->asoc.def_send.sinfo_ppid; info->snd_context = stcb->asoc.def_send.sinfo_context; SCTP_TCB_UNLOCK(stcb); @@ -3038,6 +3039,7 @@ flags_out: SCTP_INP_RLOCK(inp); info->snd_sid = inp->def_send.sinfo_stream; info->snd_flags = inp->def_send.sinfo_flags; + info->snd_flags &= 0xfff0; info->snd_ppid = inp->def_send.sinfo_ppid; info->snd_context = inp->def_send.sinfo_context; SCTP_INP_RUNLOCK(inp); @@ -3051,6 +3053,33 @@ flags_out: } break; } + case SCTP_DEFAULT_PRINFO: + { + struct sctp_default_prinfo *info; + + SCTP_CHECK_AND_CAST(info, optval, struct sctp_default_prinfo, *optsize); + SCTP_FIND_STCB(inp, stcb, info->pr_assoc_id); + + if (stcb) { + info->pr_policy = PR_SCTP_POLICY(stcb->asoc.def_send.sinfo_flags); + info->pr_value = stcb->asoc.def_send.sinfo_timetolive; + SCTP_TCB_UNLOCK(stcb); + } else { + if (info->pr_assoc_id == SCTP_FUTURE_ASSOC) { + SCTP_INP_RLOCK(inp); + info->pr_policy = PR_SCTP_POLICY(inp->def_send.sinfo_flags); + info->pr_value = inp->def_send.sinfo_timetolive; + SCTP_INP_RUNLOCK(inp); + } else { + SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL); + error = EINVAL; + } + } + if (error == 0) { + *optsize = sizeof(struct sctp_default_prinfo); + } + break; + } default: SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, ENOPROTOOPT); error = ENOPROTOOPT; @@ -3542,8 +3571,18 @@ sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize, size_t size; SCTP_CHECK_AND_CAST(sca, optval, struct sctp_authkey, optsize); + if (sca->sca_keylength == 0) { + size = optsize - sizeof(struct sctp_authkey); + } else { + if (sca->sca_keylength + sizeof(struct sctp_authkey) <= optsize) { + size = sca->sca_keylength; + } else { + SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL); + error = EINVAL; + break; + } + } SCTP_FIND_STCB(inp, stcb, sca->sca_assoc_id); - size = optsize - sizeof(struct sctp_authkey); if (stcb) { shared_keys = &stcb->asoc.shared_keys; @@ -5043,6 +5082,7 @@ sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize, case SCTP_DEFAULT_SNDINFO: { struct sctp_sndinfo *info; + uint16_t policy; SCTP_CHECK_AND_CAST(info, optval, struct sctp_sndinfo, optsize); SCTP_FIND_STCB(inp, stcb, info->snd_assoc_id); @@ -5050,7 +5090,9 @@ sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize, if (stcb) { if (info->snd_sid < stcb->asoc.streamoutcnt) { stcb->asoc.def_send.sinfo_stream = info->snd_sid; + policy = PR_SCTP_POLICY(stcb->asoc.def_send.sinfo_flags); stcb->asoc.def_send.sinfo_flags = info->snd_flags; + stcb->asoc.def_send.sinfo_flags |= policy; stcb->asoc.def_send.sinfo_ppid = info->snd_ppid; stcb->asoc.def_send.sinfo_context = info->snd_context; } else { @@ -5063,7 +5105,9 @@ sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize, (info->snd_assoc_id == SCTP_ALL_ASSOC)) { SCTP_INP_WLOCK(inp); inp->def_send.sinfo_stream = info->snd_sid; + policy = PR_SCTP_POLICY(inp->def_send.sinfo_flags); inp->def_send.sinfo_flags = info->snd_flags; + inp->def_send.sinfo_flags |= policy; inp->def_send.sinfo_ppid = info->snd_ppid; inp->def_send.sinfo_context = info->snd_context; SCTP_INP_WUNLOCK(inp); @@ -5075,7 +5119,9 @@ sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize, SCTP_TCB_LOCK(stcb); if (info->snd_sid < stcb->asoc.streamoutcnt) { stcb->asoc.def_send.sinfo_stream = info->snd_sid; + policy = PR_SCTP_POLICY(stcb->asoc.def_send.sinfo_flags); stcb->asoc.def_send.sinfo_flags = info->snd_flags; + stcb->asoc.def_send.sinfo_flags |= policy; stcb->asoc.def_send.sinfo_ppid = info->snd_ppid; stcb->asoc.def_send.sinfo_context = info->snd_context; } @@ -5086,6 +5132,44 @@ sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize, } break; } + case SCTP_DEFAULT_PRINFO: + { + struct sctp_default_prinfo *info; + + SCTP_CHECK_AND_CAST(info, optval, struct sctp_default_prinfo, optsize); + SCTP_FIND_STCB(inp, stcb, info->pr_assoc_id); + + if (PR_SCTP_INVALID_POLICY(info->pr_policy)) { + SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL); + error = EINVAL; + break; + } + if (stcb) { + stcb->asoc.def_send.sinfo_flags &= 0xfff0; + stcb->asoc.def_send.sinfo_flags |= info->pr_policy; + SCTP_TCB_UNLOCK(stcb); + } else { + if ((info->pr_assoc_id == SCTP_FUTURE_ASSOC) || + (info->pr_assoc_id == SCTP_ALL_ASSOC)) { + SCTP_INP_WLOCK(inp); + inp->def_send.sinfo_flags &= 0xfff0; + inp->def_send.sinfo_flags |= info->pr_policy; + SCTP_INP_WUNLOCK(inp); + } + if ((info->pr_assoc_id == SCTP_CURRENT_ASSOC) || + (info->pr_assoc_id == SCTP_ALL_ASSOC)) { + SCTP_INP_RLOCK(inp); + LIST_FOREACH(stcb, &inp->sctp_asoc_list, sctp_tcblist) { + SCTP_TCB_LOCK(stcb); + stcb->asoc.def_send.sinfo_flags &= 0xfff0; + stcb->asoc.def_send.sinfo_flags |= info->pr_policy; + SCTP_TCB_UNLOCK(stcb); + } + SCTP_INP_RUNLOCK(inp); + } + } + break; + } default: SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, ENOPROTOOPT); error = ENOPROTOOPT; diff --git a/sys/netinet/tcp_lro.c b/sys/netinet/tcp_lro.c index 27384c5..6569eda 100644 --- a/sys/netinet/tcp_lro.c +++ b/sys/netinet/tcp_lro.c @@ -277,6 +277,14 @@ tcp_lro_rx(struct lro_ctrl *cntl, struct mbuf *m_head, uint32_t csum) lro->dest_port == tcp->th_dport && lro->source_ip == ip->ip_src.s_addr && lro->dest_ip == ip->ip_dst.s_addr) { + /* Flush now if appending will result in overflow. */ + if (lro->len > (65535 - tcp_data_len)) { + SLIST_REMOVE(&cntl->lro_active, lro, + lro_entry, next); + tcp_lro_flush(cntl, lro); + break; + } + /* Try to append it */ if (__predict_false(seq != lro->next_seq || diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c index 32cb81e..572a491 100644 --- a/sys/netinet/tcp_output.c +++ b/sys/netinet/tcp_output.c @@ -84,10 +84,6 @@ __FBSDID("$FreeBSD$"); #include <security/mac/mac_framework.h> -#ifdef notyet -extern struct mbuf *m_copypack(); -#endif - VNET_DEFINE(int, path_mtu_discovery) = 1; SYSCTL_VNET_INT(_net_inet_tcp, OID_AUTO, path_mtu_discovery, CTLFLAG_RW, &VNET_NAME(path_mtu_discovery), 1, @@ -820,19 +816,6 @@ send: TCPSTAT_INC(tcps_sndpack); TCPSTAT_ADD(tcps_sndbyte, len); } -#ifdef notyet - if ((m = m_copypack(so->so_snd.sb_mb, off, - (int)len, max_linkhdr + hdrlen)) == 0) { - SOCKBUF_UNLOCK(&so->so_snd); - error = ENOBUFS; - goto out; - } - /* - * m_copypack left space for our hdr; use it. - */ - m->m_len += hdrlen; - m->m_data -= hdrlen; -#else MGETHDR(m, M_DONTWAIT, MT_DATA); if (m == NULL) { SOCKBUF_UNLOCK(&so->so_snd); @@ -872,7 +855,7 @@ send: goto out; } } -#endif /* notyet */ + /* * If we're sending everything we've got, set PUSH. * (This will keep happy those implementations which only @@ -1102,8 +1085,15 @@ send: m->m_pkthdr.tso_segsz = tp->t_maxopd - optlen; } +#ifdef IPSEC + KASSERT(len + hdrlen + ipoptlen - ipsec_optlen == m_length(m, NULL), + ("%s: mbuf chain shorter than expected: %ld + %u + %u - %u != %u", + __func__, len, hdrlen, ipoptlen, ipsec_optlen, m_length(m, NULL))); +#else KASSERT(len + hdrlen + ipoptlen == m_length(m, NULL), - ("%s: mbuf chain shorter than expected", __func__)); + ("%s: mbuf chain shorter than expected: %ld + %u + %u != %u", + __func__, len, hdrlen, ipoptlen, m_length(m, NULL))); +#endif /* * In transmit state, time the transmission and arrange for diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c index 6ed58911..46b4022 100644 --- a/sys/netinet/tcp_subr.c +++ b/sys/netinet/tcp_subr.c @@ -206,11 +206,9 @@ SYSCTL_VNET_INT(_net_inet_tcp, OID_AUTO, isn_reseed_interval, CTLFLAG_RW, &VNET_NAME(tcp_isn_reseed_interval), 0, "Seconds between reseeding of ISN secret"); -#ifdef TCP_SORECEIVE_STREAM static int tcp_soreceive_stream = 0; SYSCTL_INT(_net_inet_tcp, OID_AUTO, soreceive_stream, CTLFLAG_RDTUN, &tcp_soreceive_stream, 0, "Using soreceive_stream for TCP sockets"); -#endif #ifdef TCP_SIGNATURE static int tcp_sig_checksigs = 1; @@ -337,13 +335,15 @@ tcp_init(void) tcp_finwait2_timeout = TCPTV_FINWAIT2_TIMEOUT; tcp_tcbhashsize = hashsize; -#ifdef TCP_SORECEIVE_STREAM TUNABLE_INT_FETCH("net.inet.tcp.soreceive_stream", &tcp_soreceive_stream); if (tcp_soreceive_stream) { +#ifdef INET tcp_usrreqs.pru_soreceive = soreceive_stream; +#endif +#ifdef INET6 tcp6_usrreqs.pru_soreceive = soreceive_stream; +#endif /* INET6 */ } -#endif #ifdef INET6 #define TCP_MINPROTOHDR (sizeof(struct ip6_hdr) + sizeof(struct tcphdr)) @@ -541,6 +541,7 @@ tcp_respond(struct tcpcb *tp, void *ipgen, struct tcphdr *th, struct mbuf *m, m_freem(m->m_next); m->m_next = NULL; m->m_data = (caddr_t)ipgen; + m_addr_changed(m); /* m_len is set later */ tlen = 0; #define xchg(a,b,type) { type t; t=a; a=b; b=t; } |
