#define _IP_VHL
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/mbuf.h>
#include <sys/malloc.h>
#include <sys/domain.h>
#include <sys/protosw.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/kernel.h>
#include <sys/syslog.h>
#include <sys/sysctl.h>
#include <kern/queue.h>
#include <kern/locks.h>
#include <net/if.h>
#include <net/if_var.h>
#include <net/if_dl.h>
#include <net/route.h>
#include <net/kpi_protocol.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/in_var.h>
#include <netinet/ip.h>
#include <netinet/in_pcb.h>
#include <netinet/ip_var.h>
#include <netinet/ip_icmp.h>
#include <sys/socketvar.h>
#include <netinet/ip_fw.h>
#include <netinet/ip_divert.h>
#include <netinet/kpi_ipfilter_var.h>
#include <netinet/udp.h>
#include <netinet/udp_var.h>
#include <netinet/bootp.h>
#include <sys/kdebug.h>
#define DBG_LAYER_BEG NETDBG_CODE(DBG_NETIP, 0)
#define DBG_LAYER_END NETDBG_CODE(DBG_NETIP, 2)
#define DBG_FNC_IP_INPUT NETDBG_CODE(DBG_NETIP, (2 << 8))
#if IPSEC
#include <netinet6/ipsec.h>
#include <netkey/key.h>
#endif
#include "faith.h"
#if defined(NFAITH) && NFAITH > 0
#include <net/if_types.h>
#endif
#if DUMMYNET
#include <netinet/ip_dummynet.h>
#endif
#if IPSEC
extern int ipsec_bypass;
extern lck_mtx_t *sadb_mutex;
#endif
int rsvp_on = 0;
static int ip_rsvp_on;
struct socket *ip_rsvpd;
int ipforwarding = 0;
SYSCTL_INT(_net_inet_ip, IPCTL_FORWARDING, forwarding, CTLFLAG_RW,
&ipforwarding, 0, "Enable IP forwarding between interfaces");
static int ipsendredirects = 1;
SYSCTL_INT(_net_inet_ip, IPCTL_SENDREDIRECTS, redirect, CTLFLAG_RW,
&ipsendredirects, 0, "Enable sending IP redirects");
int ip_defttl = IPDEFTTL;
SYSCTL_INT(_net_inet_ip, IPCTL_DEFTTL, ttl, CTLFLAG_RW,
&ip_defttl, 0, "Maximum TTL on IP packets");
static int ip_dosourceroute = 0;
SYSCTL_INT(_net_inet_ip, IPCTL_SOURCEROUTE, sourceroute, CTLFLAG_RW,
&ip_dosourceroute, 0, "Enable forwarding source routed IP packets");
static int ip_acceptsourceroute = 0;
SYSCTL_INT(_net_inet_ip, IPCTL_ACCEPTSOURCEROUTE, accept_sourceroute,
CTLFLAG_RW, &ip_acceptsourceroute, 0,
"Enable accepting source routed IP packets");
static int ip_keepfaith = 0;
SYSCTL_INT(_net_inet_ip, IPCTL_KEEPFAITH, keepfaith, CTLFLAG_RW,
&ip_keepfaith, 0,
"Enable packet capture for FAITH IPv4->IPv6 translater daemon");
static int nipq = 0;
static int maxnipq;
SYSCTL_INT(_net_inet_ip, OID_AUTO, maxfragpackets, CTLFLAG_RW,
&maxnipq, 0,
"Maximum number of IPv4 fragment reassembly queue entries");
static int maxfragsperpacket;
SYSCTL_INT(_net_inet_ip, OID_AUTO, maxfragsperpacket, CTLFLAG_RW,
&maxfragsperpacket, 0,
"Maximum number of IPv4 fragments allowed per packet");
static int maxfrags;
SYSCTL_INT(_net_inet_ip, OID_AUTO, maxfrags, CTLFLAG_RW,
&maxfrags, 0, "Maximum number of IPv4 fragments allowed");
static int currentfrags = 0;
static int ip_checkinterface = 0;
SYSCTL_INT(_net_inet_ip, OID_AUTO, check_interface, CTLFLAG_RW,
&ip_checkinterface, 0, "Verify packet arrives on correct interface");
#if DIAGNOSTIC
static int ipprintfs = 0;
#endif
extern struct domain inetdomain;
extern struct protosw inetsw[];
struct protosw *ip_protox[IPPROTO_MAX];
static int ipqmaxlen = IFQ_MAXLEN;
struct in_ifaddrhead in_ifaddrhead;
struct ifqueue ipintrq;
SYSCTL_INT(_net_inet_ip, IPCTL_INTRQMAXLEN, intr_queue_maxlen, CTLFLAG_RW,
&ipintrq.ifq_maxlen, 0, "Maximum size of the IP input queue");
SYSCTL_INT(_net_inet_ip, IPCTL_INTRQDROPS, intr_queue_drops, CTLFLAG_RD,
&ipintrq.ifq_drops, 0, "Number of packets dropped from the IP input queue");
struct ipstat ipstat;
SYSCTL_STRUCT(_net_inet_ip, IPCTL_STATS, stats, CTLFLAG_RD,
&ipstat, ipstat, "IP statistics (struct ipstat, netinet/ip_var.h)");
#define IPREASS_NHASH_LOG2 6
#define IPREASS_NHASH (1 << IPREASS_NHASH_LOG2)
#define IPREASS_HMASK (IPREASS_NHASH - 1)
#define IPREASS_HASH(x,y) \
(((((x) & 0xF) | ((((x) >> 8) & 0xF) << 4)) ^ (y)) & IPREASS_HMASK)
static struct ipq ipq[IPREASS_NHASH];
static TAILQ_HEAD(ipq_list, ipq) ipq_list =
TAILQ_HEAD_INITIALIZER(ipq_list);
const int ipintrq_present = 1;
lck_mtx_t *ip_mutex;
lck_attr_t *ip_mutex_attr;
lck_grp_t *ip_mutex_grp;
lck_grp_attr_t *ip_mutex_grp_attr;
lck_mtx_t *inet_domain_mutex;
extern lck_mtx_t *domain_proto_mtx;
#if IPCTL_DEFMTU
SYSCTL_INT(_net_inet_ip, IPCTL_DEFMTU, mtu, CTLFLAG_RW,
&ip_mtu, 0, "Default MTU");
#endif
#if IPSTEALTH
static int ipstealth = 0;
SYSCTL_INT(_net_inet_ip, OID_AUTO, stealth, CTLFLAG_RW,
&ipstealth, 0, "");
#endif
ip_fw_chk_t *ip_fw_chk_ptr;
int fw_enable = 1 ;
int fw_one_pass = 1;
#if DUMMYNET
ip_dn_io_t *ip_dn_io_ptr;
#endif
int (*fr_checkp)(struct ip *, int, struct ifnet *, int, struct mbuf **) = NULL;
SYSCTL_NODE(_net_inet_ip, OID_AUTO, linklocal, CTLFLAG_RW, 0, "link local");
struct ip_linklocal_stat ip_linklocal_stat;
SYSCTL_STRUCT(_net_inet_ip_linklocal, OID_AUTO, stat, CTLFLAG_RD,
&ip_linklocal_stat, ip_linklocal_stat,
"Number of link local packets with TTL less than 255");
SYSCTL_NODE(_net_inet_ip_linklocal, OID_AUTO, in, CTLFLAG_RW, 0, "link local input");
int ip_linklocal_in_allowbadttl = 1;
SYSCTL_INT(_net_inet_ip_linklocal_in, OID_AUTO, allowbadttl, CTLFLAG_RW,
&ip_linklocal_in_allowbadttl, 0,
"Allow incoming link local packets with TTL less than 255");
static int ip_nhops = 0;
static struct ip_srcrt {
struct in_addr dst;
char nop;
char srcopt[IPOPT_OFFSET + 1];
struct in_addr route[MAX_IPOPTLEN/sizeof(struct in_addr)];
} ip_srcrt;
#ifdef __APPLE__
extern struct mbuf* m_dup(register struct mbuf *m, int how);
#endif
static void save_rte(u_char *, struct in_addr);
static int ip_dooptions(struct mbuf *, int, struct sockaddr_in *, struct route *ipforward_rt);
static void ip_forward(struct mbuf *, int, struct sockaddr_in *, struct route *ipforward_rt);
static void ip_freef(struct ipq *);
#if IPDIVERT
#ifdef IPDIVERT_44
static struct mbuf *ip_reass(struct mbuf *,
struct ipq *, struct ipq *, u_int32_t *, u_int16_t *);
#else
static struct mbuf *ip_reass(struct mbuf *,
struct ipq *, struct ipq *, u_int16_t *, u_int16_t *);
#endif
#else
static struct mbuf *ip_reass(struct mbuf *, struct ipq *, struct ipq *);
#endif
void ipintr(void);
#if RANDOM_IP_ID
extern u_short ip_id;
#endif
extern u_long route_generation;
extern int apple_hwcksum_rx;
void
ip_init()
{
register struct protosw *pr;
register int i;
static ip_initialized = 0;
struct timeval timenow;
if (!ip_initialized)
{
TAILQ_INIT(&in_ifaddrhead);
pr = pffindproto_locked(PF_INET, IPPROTO_RAW, SOCK_RAW);
if (pr == 0)
panic("ip_init");
for (i = 0; i < IPPROTO_MAX; i++)
ip_protox[i] = pr;
for (pr = inetdomain.dom_protosw; pr; pr = pr->pr_next)
{ if(!((unsigned int)pr->pr_domain)) continue;
if (pr->pr_domain->dom_family == PF_INET &&
pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW)
ip_protox[pr->pr_protocol] = pr;
}
for (i = 0; i < IPREASS_NHASH; i++)
ipq[i].next = ipq[i].prev = &ipq[i];
maxnipq = nmbclusters / 32;
maxfrags = maxnipq * 2;
maxfragsperpacket = 128;
#if RANDOM_IP_ID
getmicrouptime(&timenow);
ip_id = timenow.tv_sec & 0xffff;
#endif
ipintrq.ifq_maxlen = ipqmaxlen;
ipf_init();
ip_mutex_grp_attr = lck_grp_attr_alloc_init();
lck_grp_attr_setdefault(ip_mutex_grp_attr);
ip_mutex_grp = lck_grp_alloc_init("ip", ip_mutex_grp_attr);
ip_mutex_attr = lck_attr_alloc_init();
lck_attr_setdefault(ip_mutex_attr);
if ((ip_mutex = lck_mtx_alloc_init(ip_mutex_grp, ip_mutex_attr)) == NULL) {
printf("ip_init: can't alloc ip_mutex\n");
return;
}
ip_initialized = 1;
}
}
static void
ip_proto_input(
protocol_family_t protocol,
mbuf_t packet)
{
ip_input(packet);
}
void
in_dinit()
{ register int i;
register struct protosw *pr;
register struct domain *dp;
static inetdomain_initted = 0;
extern int in_proto_count;
if (!inetdomain_initted)
{
kprintf("Initing %d protosw entries\n", in_proto_count);
dp = &inetdomain;
dp->dom_flags = DOM_REENTRANT;
for (i=0, pr = &inetsw[0]; i<in_proto_count; i++, pr++)
net_add_proto(pr, dp);
inet_domain_mutex = dp->dom_mtx;
inetdomain_initted = 1;
lck_mtx_unlock(domain_proto_mtx);
proto_register_input(PF_INET, ip_proto_input, NULL);
lck_mtx_lock(domain_proto_mtx);
}
}
__private_extern__ void
ip_proto_dispatch_in(
struct mbuf *m,
int hlen,
u_int8_t proto,
ipfilter_t inject_ipfref)
{
struct ipfilter *filter;
int seen = (inject_ipfref == 0);
int changed_header = 0;
struct ip *ip;
if (!TAILQ_EMPTY(&ipv4_filters)) {
ipf_ref();
TAILQ_FOREACH(filter, &ipv4_filters, ipf_link) {
if (seen == 0) {
if ((struct ipfilter *)inject_ipfref == filter)
seen = 1;
} else if (filter->ipf_filter.ipf_input) {
errno_t result;
if (changed_header == 0) {
changed_header = 1;
ip = mtod(m, struct ip *);
ip->ip_len = htons(ip->ip_len + hlen);
ip->ip_off = htons(ip->ip_off);
ip->ip_sum = 0;
ip->ip_sum = in_cksum(m, hlen);
}
result = filter->ipf_filter.ipf_input(
filter->ipf_filter.cookie, (mbuf_t*)&m, hlen, proto);
if (result == EJUSTRETURN) {
ipf_unref();
return;
}
if (result != 0) {
ipf_unref();
m_freem(m);
return;
}
}
}
ipf_unref();
}
ip = mtod(m, struct ip *);
if (changed_header) {
ip->ip_len = ntohs(ip->ip_len) - hlen;
ip->ip_off = ntohs(ip->ip_off);
}
if (!(ip_protox[ip->ip_p]->pr_flags & PR_PROTOLOCK)) {
lck_mtx_lock(inet_domain_mutex);
(*ip_protox[ip->ip_p]->pr_input)(m, hlen);
lck_mtx_unlock(inet_domain_mutex);
}
else
(*ip_protox[ip->ip_p]->pr_input)(m, hlen);
}
static struct sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET };
void
ip_input(struct mbuf *m)
{
struct ip *ip;
struct ipq *fp;
struct in_ifaddr *ia = NULL;
int i, hlen, mff, checkif;
u_short sum;
struct in_addr pkt_dst;
u_int32_t div_info = 0;
struct ip_fw_args args;
ipfilter_t inject_filter_ref = 0;
struct m_tag *tag;
struct route ipforward_rt = { 0 };
lck_mtx_lock(ip_mutex);
args.eh = NULL;
args.oif = NULL;
args.rule = NULL;
args.divert_rule = 0;
args.next_hop = NULL;
#if DUMMYNET
if ((tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_DUMMYNET, NULL)) != NULL) {
struct dn_pkt_tag *dn_tag;
dn_tag = (struct dn_pkt_tag *)(tag+1);
args.rule = dn_tag->rule;
m_tag_delete(m, tag);
}
#endif
if ((tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_DIVERT, NULL)) != NULL) {
struct divert_tag *div_tag;
div_tag = (struct divert_tag *)(tag+1);
args.divert_rule = div_tag->cookie;
m_tag_delete(m, tag);
}
if ((tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFORWARD, NULL)) != NULL) {
struct ip_fwd_tag *ipfwd_tag;
ipfwd_tag = (struct ip_fwd_tag *)(tag+1);
args.next_hop = ipfwd_tag->next_hop;
m_tag_delete(m, tag);
}
#if DIAGNOSTIC
if (m == NULL || (m->m_flags & M_PKTHDR) == 0)
panic("ip_input no HDR");
#endif
if (args.rule) {
ip = mtod(m, struct ip *);
hlen = IP_VHL_HL(ip->ip_vhl) << 2;
inject_filter_ref = ipf_get_inject_filter(m);
goto iphack ;
}
inject_filter_ref = ipf_get_inject_filter(m);
if (inject_filter_ref != 0) {
lck_mtx_unlock(ip_mutex);
ip = mtod(m, struct ip *);
hlen = IP_VHL_HL(ip->ip_vhl) << 2;
ip->ip_len = ntohs(ip->ip_len) - hlen;
ip->ip_off = ntohs(ip->ip_off);
ip_proto_dispatch_in(m, hlen, ip->ip_p, inject_filter_ref);
return;
}
ipstat.ips_total++;
if (m->m_pkthdr.len < sizeof(struct ip))
goto tooshort;
if (m->m_len < sizeof (struct ip) &&
(m = m_pullup(m, sizeof (struct ip))) == 0) {
ipstat.ips_toosmall++;
lck_mtx_unlock(ip_mutex);
return;
}
ip = mtod(m, struct ip *);
KERNEL_DEBUG(DBG_LAYER_BEG, ip->ip_dst.s_addr,
ip->ip_src.s_addr, ip->ip_p, ip->ip_off, ip->ip_len);
if (IP_VHL_V(ip->ip_vhl) != IPVERSION) {
ipstat.ips_badvers++;
goto bad;
}
hlen = IP_VHL_HL(ip->ip_vhl) << 2;
if (hlen < sizeof(struct ip)) {
ipstat.ips_badhlen++;
goto bad;
}
if (hlen > m->m_len) {
if ((m = m_pullup(m, hlen)) == 0) {
ipstat.ips_badhlen++;
lck_mtx_unlock(ip_mutex);
return;
}
ip = mtod(m, struct ip *);
}
if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
(ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
ipstat.ips_badaddr++;
goto bad;
}
}
if ((IN_LINKLOCAL(ntohl(ip->ip_dst.s_addr)) ||
IN_LINKLOCAL(ntohl(ip->ip_src.s_addr)))) {
ip_linklocal_stat.iplls_in_total++;
if (ip->ip_ttl != MAXTTL) {
ip_linklocal_stat.iplls_in_badttl++;
if (!ip_linklocal_in_allowbadttl)
goto bad;
}
}
if ((IF_HWASSIST_CSUM_FLAGS(m->m_pkthdr.rcvif->if_hwassist) == 0)
|| (apple_hwcksum_rx == 0) ||
((m->m_pkthdr.csum_flags & CSUM_TCP_SUM16) && ip->ip_p != IPPROTO_TCP)) {
m->m_pkthdr.csum_flags = 0;
}
if (m->m_pkthdr.csum_flags & CSUM_IP_CHECKED) {
sum = !(m->m_pkthdr.csum_flags & CSUM_IP_VALID);
} else {
sum = in_cksum(m, hlen);
}
if (sum) {
ipstat.ips_badsum++;
goto bad;
}
NTOHS(ip->ip_len);
if (ip->ip_len < hlen) {
ipstat.ips_badlen++;
goto bad;
}
NTOHS(ip->ip_off);
if (m->m_pkthdr.len < ip->ip_len) {
tooshort:
ipstat.ips_tooshort++;
goto bad;
}
if (m->m_pkthdr.len > ip->ip_len) {
m->m_pkthdr.csum_flags = 0;
m->m_pkthdr.csum_data = 0;
if (m->m_len == m->m_pkthdr.len) {
m->m_len = ip->ip_len;
m->m_pkthdr.len = ip->ip_len;
} else
m_adj(m, ip->ip_len - m->m_pkthdr.len);
}
#if IPSEC
if (ipsec_bypass == 0 && ipsec_gethist(m, NULL))
goto pass;
#endif
#if defined(IPFIREWALL) && defined(DUMMYNET)
iphack:
#endif
if (fr_checkp) {
struct mbuf *m1 = m;
if (fr_checkp(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
return;
ip = mtod(m = m1, struct ip *);
}
if (fw_enable && IPFW_LOADED) {
#if IPFIREWALL_FORWARD
if (args.next_hop)
goto ours;
#endif
args.m = m;
i = ip_fw_chk_ptr(&args);
m = args.m;
if ( (i & IP_FW_PORT_DENY_FLAG) || m == NULL) {
if (m)
m_freem(m);
lck_mtx_unlock(ip_mutex);
return;
}
ip = mtod(m, struct ip *);
if (i == 0 && args.next_hop == NULL)
goto pass;
#if DUMMYNET
if (DUMMYNET_LOADED && (i & IP_FW_PORT_DYNT_FLAG) != 0) {
lck_mtx_unlock(ip_mutex);
ip_dn_io_ptr(m, i&0xffff, DN_TO_IP_IN, &args);
return;
}
#endif
#if IPDIVERT
if (i != 0 && (i & IP_FW_PORT_DYNT_FLAG) == 0) {
div_info = i;
goto ours;
}
#endif
#if IPFIREWALL_FORWARD
if (i == 0 && args.next_hop != NULL)
goto pass;
#endif
m_freem(m);
lck_mtx_unlock(ip_mutex);
return;
}
pass:
ip_nhops = 0;
if (hlen > sizeof (struct ip) && ip_dooptions(m, 0, args.next_hop, &ipforward_rt)) {
lck_mtx_unlock(ip_mutex);
return;
}
if (rsvp_on && ip->ip_p==IPPROTO_RSVP)
goto ours;
if (TAILQ_EMPTY(&in_ifaddrhead) &&
(m->m_flags & (M_MCAST|M_BCAST)) == 0)
goto ours;
pkt_dst = args.next_hop == NULL ?
ip->ip_dst : args.next_hop->sin_addr;
checkif = ip_checkinterface && (ipforwarding == 0) &&
((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) &&
(args.next_hop == NULL);
lck_mtx_lock(rt_mtx);
TAILQ_FOREACH(ia, &in_ifaddrhead, ia_link) {
#define satosin(sa) ((struct sockaddr_in *)(sa))
if (IA_SIN(ia)->sin_addr.s_addr == INADDR_ANY) {
lck_mtx_unlock(rt_mtx);
goto ours;
}
if (IA_SIN(ia)->sin_addr.s_addr == pkt_dst.s_addr &&
(!checkif || ia->ia_ifp == m->m_pkthdr.rcvif)) {
lck_mtx_unlock(rt_mtx);
goto ours;
}
if ((!checkif || ia->ia_ifp == m->m_pkthdr.rcvif) &&
ia->ia_ifp && ia->ia_ifp->if_flags & IFF_BROADCAST) {
if (satosin(&ia->ia_broadaddr)->sin_addr.s_addr ==
pkt_dst.s_addr) {
lck_mtx_unlock(rt_mtx);
goto ours;
}
if (ia->ia_netbroadcast.s_addr == pkt_dst.s_addr) {
lck_mtx_unlock(rt_mtx);
goto ours;
}
}
}
lck_mtx_unlock(rt_mtx);
if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
struct in_multi *inm;
if (ip_mrouter) {
if (ip_mforward &&
ip_mforward(ip, m->m_pkthdr.rcvif, m, 0) != 0) {
ipstat.ips_cantforward++;
m_freem(m);
lck_mtx_unlock(ip_mutex);
return;
}
if (ip->ip_p == IPPROTO_IGMP)
goto ours;
ipstat.ips_forward++;
}
IN_LOOKUP_MULTI(ip->ip_dst, m->m_pkthdr.rcvif, inm);
if (inm == NULL) {
ipstat.ips_notmember++;
m_freem(m);
lck_mtx_unlock(ip_mutex);
return;
}
goto ours;
}
if (ip->ip_dst.s_addr == (u_long)INADDR_BROADCAST)
goto ours;
if (ip->ip_dst.s_addr == INADDR_ANY)
goto ours;
if (m->m_pkthdr.rcvif != NULL
&& (m->m_pkthdr.rcvif->if_eflags & IFEF_AUTOCONFIGURING)
&& hlen == sizeof(struct ip)
&& ip->ip_p == IPPROTO_UDP) {
struct udpiphdr *ui;
if (m->m_len < sizeof(struct udpiphdr)
&& (m = m_pullup(m, sizeof(struct udpiphdr))) == 0) {
udpstat.udps_hdrops++;
lck_mtx_unlock(ip_mutex);
return;
}
ui = mtod(m, struct udpiphdr *);
if (ntohs(ui->ui_dport) == IPPORT_BOOTPC) {
goto ours;
}
ip = mtod(m, struct ip *);
}
#if defined(NFAITH) && 0 < NFAITH
if (m->m_pkthdr.rcvif && m->m_pkthdr.rcvif->if_type == IFT_FAITH) {
if (ip_keepfaith) {
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_ICMP)
goto ours;
}
m_freem(m);
lck_mtx_unlock(ip_mutex);
return;
}
#endif
lck_mtx_unlock(ip_mutex);
if (ipforwarding == 0) {
ipstat.ips_cantforward++;
m_freem(m);
} else {
ip_forward(m, 0, args.next_hop, &ipforward_rt);
}
return;
ours:
#ifndef __APPLE__
if (ia != NULL) {
ia->ia_ifa.if_ipackets++;
ia->ia_ifa.if_ibytes += m->m_pkthdr.len;
}
#endif
if (ip->ip_off & (IP_MF | IP_OFFMASK | IP_RF)) {
if (maxnipq == 0) {
ipstat.ips_fragments++;
ipstat.ips_fragdropped++;
goto bad;
}
if (currentfrags >= maxfrags) {
fp = TAILQ_LAST(&ipq_list, ipq_list);
ipstat.ips_fragtimeout += fp->ipq_nfrags;
if (ip->ip_id == fp->ipq_id &&
ip->ip_src.s_addr == fp->ipq_src.s_addr &&
ip->ip_dst.s_addr == fp->ipq_dst.s_addr &&
ip->ip_p == fp->ipq_p) {
ipstat.ips_fragdropped++;
ip_freef(fp);
goto bad;
}
ip_freef(fp);
}
sum = IPREASS_HASH(ip->ip_src.s_addr, ip->ip_id);
for (fp = ipq[sum].next; fp != &ipq[sum]; fp = fp->next)
if (ip->ip_id == fp->ipq_id &&
ip->ip_src.s_addr == fp->ipq_src.s_addr &&
ip->ip_dst.s_addr == fp->ipq_dst.s_addr &&
ip->ip_p == fp->ipq_p)
goto found;
if ((nipq > maxnipq) && (maxnipq > 0)) {
fp = TAILQ_LAST(&ipq_list, ipq_list);
ipstat.ips_fragtimeout += fp->ipq_nfrags;
ip_freef(fp);
}
fp = NULL;
found:
ip->ip_len -= hlen;
if (ip->ip_off & IP_MF) {
if (ip->ip_len == 0 || (ip->ip_len & 0x7) != 0) {
ipstat.ips_toosmall++;
goto bad;
}
m->m_flags |= M_FRAG;
} else {
m->m_flags &= ~M_FRAG;
}
ip->ip_off <<= 3;
ipstat.ips_fragments++;
m->m_pkthdr.header = ip;
#if IPDIVERT
m = ip_reass(m,
fp, &ipq[sum], &div_info, &args.divert_rule);
#else
m = ip_reass(m, fp, &ipq[sum]);
#endif
if (m == 0) {
lck_mtx_unlock(ip_mutex);
return;
}
ipstat.ips_reassembled++;
ip = mtod(m, struct ip *);
hlen = IP_VHL_HL(ip->ip_vhl) << 2;
#if IPDIVERT
if (div_info != 0) {
ip->ip_len += hlen;
HTONS(ip->ip_len);
HTONS(ip->ip_off);
ip->ip_sum = 0;
ip->ip_sum = in_cksum(m, hlen);
NTOHS(ip->ip_off);
NTOHS(ip->ip_len);
ip->ip_len -= hlen;
}
#endif
} else
ip->ip_len -= hlen;
#if IPDIVERT
if (div_info != 0) {
struct mbuf *clone = NULL;
if ((div_info & IP_FW_PORT_TEE_FLAG) != 0)
clone = m_dup(m, M_DONTWAIT);
ip->ip_len += hlen;
HTONS(ip->ip_len);
HTONS(ip->ip_off);
ipstat.ips_delivered++;
lck_mtx_unlock(ip_mutex);
divert_packet(m, 1, div_info & 0xffff, args.divert_rule);
if (clone == NULL) {
return;
}
lck_mtx_lock(ip_mutex);
m = clone;
ip = mtod(m, struct ip *);
}
#endif
#if IPSEC
if (ipsec_bypass == 0 && (ip_protox[ip->ip_p]->pr_flags & PR_LASTHDR) != 0) {
lck_mtx_lock(sadb_mutex);
if (ipsec4_in_reject(m, NULL)) {
ipsecstat.in_polvio++;
lck_mtx_unlock(sadb_mutex);
goto bad;
}
lck_mtx_unlock(sadb_mutex);
}
#endif
ipstat.ips_delivered++;
{
if (args.next_hop && ip->ip_p == IPPROTO_TCP) {
struct m_tag *fwd_tag;
struct ip_fwd_tag *ipfwd_tag;
fwd_tag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFORWARD,
sizeof(struct sockaddr_in), M_NOWAIT);
if (fwd_tag == NULL) {
goto bad;
}
ipfwd_tag = (struct ip_fwd_tag *)(fwd_tag+1);
ipfwd_tag->next_hop = args.next_hop;
m_tag_prepend(m, fwd_tag);
KERNEL_DEBUG(DBG_LAYER_END, ip->ip_dst.s_addr,
ip->ip_src.s_addr, ip->ip_p, ip->ip_off, ip->ip_len);
lck_mtx_unlock(ip_mutex);
ip_proto_dispatch_in(m, hlen, ip->ip_p, 0);
} else {
KERNEL_DEBUG(DBG_LAYER_END, ip->ip_dst.s_addr,
ip->ip_src.s_addr, ip->ip_p, ip->ip_off, ip->ip_len);
lck_mtx_unlock(ip_mutex);
ip_proto_dispatch_in(m, hlen, ip->ip_p, 0);
}
return;
}
bad:
KERNEL_DEBUG(DBG_LAYER_END, 0,0,0,0,0);
lck_mtx_unlock(ip_mutex);
m_freem(m);
}
static struct mbuf *
#if IPDIVERT
ip_reass(m, fp, where, divinfo, divcookie)
#else
ip_reass(m, fp, where)
#endif
register struct mbuf *m;
register struct ipq *fp;
struct ipq *where;
#if IPDIVERT
#ifdef IPDIVERT_44
u_int32_t *divinfo;
#else
u_int16_t *divinfo;
#endif
u_int16_t *divcookie;
#endif
{
struct ip *ip = mtod(m, struct ip *);
register struct mbuf *p = 0, *q, *nq;
struct mbuf *t;
int hlen = IP_VHL_HL(ip->ip_vhl) << 2;
int i, next;
m->m_data += hlen;
m->m_len -= hlen;
if (m->m_pkthdr.csum_flags & CSUM_TCP_SUM16)
m->m_pkthdr.csum_flags = 0;
if (fp == 0) {
if ((t = m_get(M_DONTWAIT, MT_FTABLE)) == NULL)
goto dropfrag;
fp = mtod(t, struct ipq *);
insque((void*)fp, (void*)where);
nipq++;
fp->ipq_nfrags = 1;
fp->ipq_ttl = IPFRAGTTL;
fp->ipq_p = ip->ip_p;
fp->ipq_id = ip->ip_id;
fp->ipq_src = ip->ip_src;
fp->ipq_dst = ip->ip_dst;
fp->ipq_frags = m;
m->m_nextpkt = NULL;
#if IPDIVERT
#ifdef IPDIVERT_44
fp->ipq_div_info = 0;
#else
fp->ipq_divert = 0;
#endif
fp->ipq_div_cookie = 0;
#endif
TAILQ_INSERT_HEAD(&ipq_list, fp, ipq_list);
goto inserted;
} else {
fp->ipq_nfrags++;
}
#define GETIP(m) ((struct ip*)((m)->m_pkthdr.header))
for (p = NULL, q = fp->ipq_frags; q; p = q, q = q->m_nextpkt)
if (GETIP(q)->ip_off > ip->ip_off)
break;
if (p) {
i = GETIP(p)->ip_off + GETIP(p)->ip_len - ip->ip_off;
if (i > 0) {
if (i >= ip->ip_len)
goto dropfrag;
m_adj(m, i);
m->m_pkthdr.csum_flags = 0;
ip->ip_off += i;
ip->ip_len -= i;
}
m->m_nextpkt = p->m_nextpkt;
p->m_nextpkt = m;
} else {
m->m_nextpkt = fp->ipq_frags;
fp->ipq_frags = m;
}
for (; q != NULL && ip->ip_off + ip->ip_len > GETIP(q)->ip_off;
q = nq) {
i = (ip->ip_off + ip->ip_len) -
GETIP(q)->ip_off;
if (i < GETIP(q)->ip_len) {
GETIP(q)->ip_len -= i;
GETIP(q)->ip_off += i;
m_adj(q, i);
q->m_pkthdr.csum_flags = 0;
break;
}
nq = q->m_nextpkt;
m->m_nextpkt = nq;
ipstat.ips_fragdropped++;
fp->ipq_nfrags--;
m_freem(q);
}
inserted:
currentfrags++;
#if IPDIVERT
if (ip->ip_off == 0) {
#ifdef IPDIVERT_44
fp->ipq_div_info = *divinfo;
#else
fp->ipq_divert = *divinfo;
#endif
fp->ipq_div_cookie = *divcookie;
}
*divinfo = 0;
*divcookie = 0;
#endif
next = 0;
for (p = NULL, q = fp->ipq_frags; q; p = q, q = q->m_nextpkt) {
if (GETIP(q)->ip_off != next) {
if (fp->ipq_nfrags > maxfragsperpacket) {
ipstat.ips_fragdropped += fp->ipq_nfrags;
ip_freef(fp);
}
return (0);
}
next += GETIP(q)->ip_len;
}
if (p->m_flags & M_FRAG) {
if (fp->ipq_nfrags > maxfragsperpacket) {
ipstat.ips_fragdropped += fp->ipq_nfrags;
ip_freef(fp);
}
return (0);
}
q = fp->ipq_frags;
ip = GETIP(q);
if (next + (IP_VHL_HL(ip->ip_vhl) << 2) > IP_MAXPACKET) {
ipstat.ips_toolong++;
ipstat.ips_fragdropped += fp->ipq_nfrags;
ip_freef(fp);
return (0);
}
m = q;
t = m->m_next;
m->m_next = 0;
m_cat(m, t);
nq = q->m_nextpkt;
q->m_nextpkt = 0;
for (q = nq; q != NULL; q = nq) {
nq = q->m_nextpkt;
q->m_nextpkt = NULL;
if (q->m_pkthdr.csum_flags & CSUM_TCP_SUM16)
m->m_pkthdr.csum_flags = 0;
else {
m->m_pkthdr.csum_flags &= q->m_pkthdr.csum_flags;
m->m_pkthdr.csum_data += q->m_pkthdr.csum_data;
}
m_cat(m, q);
}
#if IPDIVERT
#ifdef IPDIVERT_44
*divinfo = fp->ipq_div_info;
#else
*divinfo = fp->ipq_divert;
#endif
*divcookie = fp->ipq_div_cookie;
#endif
ip->ip_len = next;
ip->ip_src = fp->ipq_src;
ip->ip_dst = fp->ipq_dst;
remque((void*)fp);
TAILQ_REMOVE(&ipq_list, fp, ipq_list);
currentfrags -= fp->ipq_nfrags;
nipq--;
(void) m_free(dtom(fp));
m->m_len += (IP_VHL_HL(ip->ip_vhl) << 2);
m->m_data -= (IP_VHL_HL(ip->ip_vhl) << 2);
if (m->m_flags & M_PKTHDR) {
register int plen = 0;
for (t = m; t; t = t->m_next)
plen += t->m_len;
m->m_pkthdr.len = plen;
}
return (m);
dropfrag:
#if IPDIVERT
*divinfo = 0;
*divcookie = 0;
#endif
ipstat.ips_fragdropped++;
if (fp != 0)
fp->ipq_nfrags--;
m_freem(m);
return (0);
#undef GETIP
}
static void
ip_freef(fp)
struct ipq *fp;
{
currentfrags -= fp->ipq_nfrags;
m_freem_list(fp->ipq_frags);
remque((void*)fp);
TAILQ_REMOVE(&ipq_list, fp, ipq_list);
(void) m_free(dtom(fp));
nipq--;
}
void
ip_slowtimo()
{
register struct ipq *fp;
int i;
lck_mtx_lock(ip_mutex);
for (i = 0; i < IPREASS_NHASH; i++) {
fp = ipq[i].next;
if (fp == 0)
continue;
while (fp != &ipq[i]) {
--fp->ipq_ttl;
fp = fp->next;
if (fp->prev->ipq_ttl == 0) {
ipstat.ips_fragtimeout += fp->prev->ipq_nfrags;
ip_freef(fp->prev);
}
}
}
if (maxnipq >= 0 && nipq > maxnipq) {
for (i = 0; i < IPREASS_NHASH; i++) {
while (nipq > maxnipq &&
(ipq[i].next != &ipq[i])) {
ipstat.ips_fragdropped +=
ipq[i].next->ipq_nfrags;
ip_freef(ipq[i].next);
}
}
}
ipflow_slowtimo();
lck_mtx_unlock(ip_mutex);
}
void
ip_drain()
{
int i;
lck_mtx_lock(ip_mutex);
for (i = 0; i < IPREASS_NHASH; i++) {
while (ipq[i].next != &ipq[i]) {
ipstat.ips_fragdropped += ipq[i].next->ipq_nfrags;
ip_freef(ipq[i].next);
}
}
lck_mtx_unlock(ip_mutex);
in_rtqdrain();
}
static int
ip_dooptions(struct mbuf *m, int pass, struct sockaddr_in *next_hop, struct route *ipforward_rt)
{
register struct ip *ip = mtod(m, struct ip *);
register u_char *cp;
register struct ip_timestamp *ipt;
register struct in_ifaddr *ia;
int opt, optlen, cnt, off, code, type = ICMP_PARAMPROB, forward = 0;
struct in_addr *sin, dst;
n_time ntime;
dst = ip->ip_dst;
cp = (u_char *)(ip + 1);
cnt = (IP_VHL_HL(ip->ip_vhl) << 2) - sizeof (struct ip);
for (; cnt > 0; cnt -= optlen, cp += optlen) {
opt = cp[IPOPT_OPTVAL];
if (opt == IPOPT_EOL)
break;
if (opt == IPOPT_NOP)
optlen = 1;
else {
if (cnt < IPOPT_OLEN + sizeof(*cp)) {
code = &cp[IPOPT_OLEN] - (u_char *)ip;
goto bad;
}
optlen = cp[IPOPT_OLEN];
if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) {
code = &cp[IPOPT_OLEN] - (u_char *)ip;
goto bad;
}
}
switch (opt) {
default:
break;
case IPOPT_LSRR:
case IPOPT_SSRR:
if (optlen < IPOPT_OFFSET + sizeof(*cp)) {
code = &cp[IPOPT_OLEN] - (u_char *)ip;
goto bad;
}
if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
code = &cp[IPOPT_OFFSET] - (u_char *)ip;
goto bad;
}
ipaddr.sin_addr = ip->ip_dst;
ia = (struct in_ifaddr *)
ifa_ifwithaddr((struct sockaddr *)&ipaddr);
if (ia == 0) {
if (opt == IPOPT_SSRR) {
type = ICMP_UNREACH;
code = ICMP_UNREACH_SRCFAIL;
goto bad;
}
if (!ip_dosourceroute)
goto nosourcerouting;
break;
}
else {
ifafree(&ia->ia_ifa);
ia = NULL;
}
off--;
if (off > optlen - (int)sizeof(struct in_addr)) {
if (!ip_acceptsourceroute)
goto nosourcerouting;
save_rte(cp, ip->ip_src);
break;
}
if (!ip_dosourceroute) {
if (ipforwarding) {
char buf[MAX_IPv4_STR_LEN];
char buf2[MAX_IPv4_STR_LEN];
nosourcerouting:
log(LOG_WARNING,
"attempted source route from %s to %s\n",
inet_ntop(AF_INET, &ip->ip_src, buf, sizeof(buf)),
inet_ntop(AF_INET, &ip->ip_dst, buf2, sizeof(buf2)));
type = ICMP_UNREACH;
code = ICMP_UNREACH_SRCFAIL;
goto bad;
} else {
ipstat.ips_cantforward++;
m_freem(m);
return (1);
}
}
(void)memcpy(&ipaddr.sin_addr, cp + off,
sizeof(ipaddr.sin_addr));
if (opt == IPOPT_SSRR) {
#define INA struct in_ifaddr *
#define SA struct sockaddr *
if ((ia = (INA)ifa_ifwithdstaddr((SA)&ipaddr)) == 0) {
ia = (INA)ifa_ifwithnet((SA)&ipaddr);
}
} else {
ia = ip_rtaddr(ipaddr.sin_addr, ipforward_rt);
}
if (ia == 0) {
type = ICMP_UNREACH;
code = ICMP_UNREACH_SRCFAIL;
goto bad;
}
ip->ip_dst = ipaddr.sin_addr;
(void)memcpy(cp + off, &(IA_SIN(ia)->sin_addr),
sizeof(struct in_addr));
ifafree(&ia->ia_ifa);
ia = NULL;
cp[IPOPT_OFFSET] += sizeof(struct in_addr);
forward = !IN_MULTICAST(ntohl(ip->ip_dst.s_addr));
break;
case IPOPT_RR:
if (optlen < IPOPT_OFFSET + sizeof(*cp)) {
code = &cp[IPOPT_OFFSET] - (u_char *)ip;
goto bad;
}
if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
code = &cp[IPOPT_OFFSET] - (u_char *)ip;
goto bad;
}
off--;
if (off > optlen - (int)sizeof(struct in_addr))
break;
(void)memcpy(&ipaddr.sin_addr, &ip->ip_dst,
sizeof(ipaddr.sin_addr));
if ((ia = (INA)ifa_ifwithaddr((SA)&ipaddr)) == 0) {
if ((ia = ip_rtaddr(ipaddr.sin_addr, ipforward_rt)) == 0) {
type = ICMP_UNREACH;
code = ICMP_UNREACH_HOST;
goto bad;
}
}
(void)memcpy(cp + off, &(IA_SIN(ia)->sin_addr),
sizeof(struct in_addr));
ifafree(&ia->ia_ifa);
ia = NULL;
cp[IPOPT_OFFSET] += sizeof(struct in_addr);
break;
case IPOPT_TS:
code = cp - (u_char *)ip;
ipt = (struct ip_timestamp *)cp;
if (ipt->ipt_len < 4 || ipt->ipt_len > 40) {
code = (u_char *)&ipt->ipt_len - (u_char *)ip;
goto bad;
}
if (ipt->ipt_ptr < 5) {
code = (u_char *)&ipt->ipt_ptr - (u_char *)ip;
goto bad;
}
if (ipt->ipt_ptr >
ipt->ipt_len - (int)sizeof(int32_t)) {
if (++ipt->ipt_oflw == 0) {
code = (u_char *)&ipt->ipt_ptr -
(u_char *)ip;
goto bad;
}
break;
}
sin = (struct in_addr *)(cp + ipt->ipt_ptr - 1);
switch (ipt->ipt_flg) {
case IPOPT_TS_TSONLY:
break;
case IPOPT_TS_TSANDADDR:
if (ipt->ipt_ptr - 1 + sizeof(n_time) +
sizeof(struct in_addr) > ipt->ipt_len) {
code = (u_char *)&ipt->ipt_ptr -
(u_char *)ip;
goto bad;
}
ipaddr.sin_addr = dst;
ia = (INA)ifaof_ifpforaddr((SA)&ipaddr,
m->m_pkthdr.rcvif);
if (ia == 0)
continue;
(void)memcpy(sin, &IA_SIN(ia)->sin_addr,
sizeof(struct in_addr));
ipt->ipt_ptr += sizeof(struct in_addr);
ifafree(&ia->ia_ifa);
ia = NULL;
break;
case IPOPT_TS_PRESPEC:
if (ipt->ipt_ptr - 1 + sizeof(n_time) +
sizeof(struct in_addr) > ipt->ipt_len) {
code = (u_char *)&ipt->ipt_ptr -
(u_char *)ip;
goto bad;
}
(void)memcpy(&ipaddr.sin_addr, sin,
sizeof(struct in_addr));
if ((ia = (struct in_ifaddr*)ifa_ifwithaddr((SA)&ipaddr)) == 0)
continue;
ifafree(&ia->ia_ifa);
ia = NULL;
ipt->ipt_ptr += sizeof(struct in_addr);
break;
default:
code = (u_char *)&ipt->ipt_ptr -
(u_char *)ip + 1;
goto bad;
}
ntime = iptime();
(void)memcpy(cp + ipt->ipt_ptr - 1, &ntime,
sizeof(n_time));
ipt->ipt_ptr += sizeof(n_time);
}
}
if (forward && ipforwarding) {
ip_forward(m, 1, next_hop, ipforward_rt);
return (1);
}
return (0);
bad:
ip->ip_len -= IP_VHL_HL(ip->ip_vhl) << 2;
lck_mtx_unlock(ip_mutex);
icmp_error(m, type, code, 0, 0);
lck_mtx_lock(ip_mutex);
ipstat.ips_badoptions++;
return (1);
}
struct in_ifaddr *
ip_rtaddr(dst, rt)
struct in_addr dst;
struct route *rt;
{
register struct sockaddr_in *sin;
sin = (struct sockaddr_in *)&rt->ro_dst;
lck_mtx_lock(rt_mtx);
if (rt->ro_rt == 0 || dst.s_addr != sin->sin_addr.s_addr ||
rt->ro_rt->generation_id != route_generation) {
if (rt->ro_rt) {
rtfree_locked(rt->ro_rt);
rt->ro_rt = 0;
}
sin->sin_family = AF_INET;
sin->sin_len = sizeof(*sin);
sin->sin_addr = dst;
rtalloc_ign_locked(rt, RTF_PRCLONING);
}
if (rt->ro_rt == 0) {
lck_mtx_unlock(rt_mtx);
return ((struct in_ifaddr *)0);
}
if (rt->ro_rt->rt_ifa)
ifaref(rt->ro_rt->rt_ifa);
lck_mtx_unlock(rt_mtx);
return ((struct in_ifaddr *) rt->ro_rt->rt_ifa);
}
void
save_rte(option, dst)
u_char *option;
struct in_addr dst;
{
unsigned olen;
olen = option[IPOPT_OLEN];
#if DIAGNOSTIC
if (ipprintfs)
printf("save_rte: olen %d\n", olen);
#endif
if (olen > sizeof(ip_srcrt) - (1 + sizeof(dst)))
return;
bcopy(option, ip_srcrt.srcopt, olen);
ip_nhops = (olen - IPOPT_OFFSET - 1) / sizeof(struct in_addr);
ip_srcrt.dst = dst;
}
struct mbuf *
ip_srcroute()
{
register struct in_addr *p, *q;
register struct mbuf *m;
if (ip_nhops == 0)
return ((struct mbuf *)0);
m = m_get(M_DONTWAIT, MT_HEADER);
if (m == 0)
return ((struct mbuf *)0);
#define OPTSIZ (sizeof(ip_srcrt.nop) + sizeof(ip_srcrt.srcopt))
m->m_len = ip_nhops * sizeof(struct in_addr) + sizeof(struct in_addr) +
OPTSIZ;
#if DIAGNOSTIC
if (ipprintfs)
printf("ip_srcroute: nhops %d mlen %d", ip_nhops, m->m_len);
#endif
p = &ip_srcrt.route[ip_nhops - 1];
*(mtod(m, struct in_addr *)) = *p--;
#if DIAGNOSTIC
if (ipprintfs)
printf(" hops %lx", (u_long)ntohl(mtod(m, struct in_addr *)->s_addr));
#endif
ip_srcrt.nop = IPOPT_NOP;
ip_srcrt.srcopt[IPOPT_OFFSET] = IPOPT_MINOFF;
(void)memcpy(mtod(m, caddr_t) + sizeof(struct in_addr),
&ip_srcrt.nop, OPTSIZ);
q = (struct in_addr *)(mtod(m, caddr_t) +
sizeof(struct in_addr) + OPTSIZ);
#undef OPTSIZ
while (p >= ip_srcrt.route) {
#if DIAGNOSTIC
if (ipprintfs)
printf(" %lx", (u_long)ntohl(q->s_addr));
#endif
*q++ = *p--;
}
*q = ip_srcrt.dst;
#if DIAGNOSTIC
if (ipprintfs)
printf(" %lx\n", (u_long)ntohl(q->s_addr));
#endif
return (m);
}
void
ip_stripoptions(m, mopt)
register struct mbuf *m;
struct mbuf *mopt;
{
register int i;
struct ip *ip = mtod(m, struct ip *);
register caddr_t opts;
int olen;
olen = (IP_VHL_HL(ip->ip_vhl) << 2) - sizeof (struct ip);
opts = (caddr_t)(ip + 1);
i = m->m_len - (sizeof (struct ip) + olen);
bcopy(opts + olen, opts, (unsigned)i);
m->m_len -= olen;
if (m->m_flags & M_PKTHDR)
m->m_pkthdr.len -= olen;
ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2);
}
u_char inetctlerrmap[PRC_NCMDS] = {
0, 0, 0, 0,
0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH,
EHOSTUNREACH, EHOSTUNREACH, ECONNREFUSED, ECONNREFUSED,
EMSGSIZE, EHOSTUNREACH, 0, 0,
0, 0, 0, 0,
ENOPROTOOPT, ECONNREFUSED
};
static void
ip_forward(struct mbuf *m, int srcrt, struct sockaddr_in *next_hop, struct route *ipforward_rt)
{
register struct ip *ip = mtod(m, struct ip *);
register struct sockaddr_in *sin;
register struct rtentry *rt;
int error, type = 0, code = 0;
struct mbuf *mcopy;
n_long dest;
struct in_addr pkt_dst;
struct ifnet *destifp;
#if IPSEC
struct ifnet dummyifp;
#endif
dest = 0;
pkt_dst = next_hop ? next_hop->sin_addr : ip->ip_dst;
#if DIAGNOSTIC
if (ipprintfs)
printf("forward: src %lx dst %lx ttl %x\n",
(u_long)ip->ip_src.s_addr, (u_long)pkt_dst.s_addr,
ip->ip_ttl);
#endif
if (m->m_flags & (M_BCAST|M_MCAST) || in_canforward(pkt_dst) == 0) {
ipstat.ips_cantforward++;
m_freem(m);
return;
}
#if IPSTEALTH
if (!ipstealth) {
#endif
if (ip->ip_ttl <= IPTTLDEC) {
icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS,
dest, 0);
return;
}
#if IPSTEALTH
}
#endif
sin = (struct sockaddr_in *)&ipforward_rt->ro_dst;
if ((rt = ipforward_rt->ro_rt) == 0 ||
pkt_dst.s_addr != sin->sin_addr.s_addr ||
ipforward_rt->ro_rt->generation_id != route_generation) {
if (ipforward_rt->ro_rt) {
rtfree(ipforward_rt->ro_rt);
ipforward_rt->ro_rt = 0;
}
sin->sin_family = AF_INET;
sin->sin_len = sizeof(*sin);
sin->sin_addr = pkt_dst;
rtalloc_ign(ipforward_rt, RTF_PRCLONING);
if (ipforward_rt->ro_rt == 0) {
icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, dest, 0);
return;
}
rt = ipforward_rt->ro_rt;
}
MGET(mcopy, M_DONTWAIT, m->m_type);
if (mcopy != NULL) {
M_COPY_PKTHDR(mcopy, m);
mcopy->m_len = imin((IP_VHL_HL(ip->ip_vhl) << 2) + 8,
(int)ip->ip_len);
m_copydata(m, 0, mcopy->m_len, mtod(mcopy, caddr_t));
}
#if IPSTEALTH
if (!ipstealth) {
#endif
ip->ip_ttl -= IPTTLDEC;
#if IPSTEALTH
}
#endif
#define satosin(sa) ((struct sockaddr_in *)(sa))
if (rt->rt_ifp == m->m_pkthdr.rcvif &&
(rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0 &&
satosin(rt_key(rt))->sin_addr.s_addr != 0 &&
ipsendredirects && !srcrt) {
#define RTA(rt) ((struct in_ifaddr *)(rt->rt_ifa))
u_long src = ntohl(ip->ip_src.s_addr);
if (RTA(rt) &&
(src & RTA(rt)->ia_subnetmask) == RTA(rt)->ia_subnet) {
if (rt->rt_flags & RTF_GATEWAY)
dest = satosin(rt->rt_gateway)->sin_addr.s_addr;
else
dest = pkt_dst.s_addr;
type = ICMP_REDIRECT;
code = ICMP_REDIRECT_HOST;
#if DIAGNOSTIC
if (ipprintfs)
printf("redirect (%d) to %lx\n", code, (u_long)dest);
#endif
}
}
{
if (next_hop) {
struct m_tag *tag;
struct ip_fwd_tag *ipfwd_tag;
tag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPFORWARD,
sizeof(struct sockaddr_in), M_NOWAIT);
if (tag == NULL) {
error = ENOBUFS;
m_freem(m);
return;
}
ipfwd_tag = (struct ip_fwd_tag *)(tag+1);
ipfwd_tag->next_hop = next_hop;
m_tag_prepend(m, tag);
}
error = ip_output_list(m, 0, (struct mbuf *)0, ipforward_rt,
IP_FORWARDING, 0);
}
if (error)
ipstat.ips_cantforward++;
else {
ipstat.ips_forward++;
if (type)
ipstat.ips_redirectsent++;
else {
if (mcopy) {
ipflow_create(ipforward_rt, mcopy);
m_freem(mcopy);
}
return;
}
}
if (mcopy == NULL)
return;
destifp = NULL;
switch (error) {
case 0:
break;
case ENETUNREACH:
case EHOSTUNREACH:
case ENETDOWN:
case EHOSTDOWN:
default:
type = ICMP_UNREACH;
code = ICMP_UNREACH_HOST;
break;
case EMSGSIZE:
type = ICMP_UNREACH;
code = ICMP_UNREACH_NEEDFRAG;
#ifndef IPSEC
if (ipforward_rt->ro_rt)
destifp = ipforward_rt->ro_rt->rt_ifp;
#else
if (ipforward_rt->ro_rt) {
struct secpolicy *sp = NULL;
int ipsecerror;
int ipsechdr;
struct route *ro;
if (ipsec_bypass) {
destifp = ipforward_rt->ro_rt->rt_ifp;
ipstat.ips_cantfrag++;
break;
}
lck_mtx_lock(sadb_mutex);
sp = ipsec4_getpolicybyaddr(mcopy,
IPSEC_DIR_OUTBOUND,
IP_FORWARDING,
&ipsecerror);
if (sp == NULL)
destifp = ipforward_rt->ro_rt->rt_ifp;
else {
ipsechdr = ipsec4_hdrsiz(mcopy,
IPSEC_DIR_OUTBOUND,
NULL);
destifp = NULL;
if (sp->req != NULL
&& sp->req->sav != NULL
&& sp->req->sav->sah != NULL) {
ro = &sp->req->sav->sah->sa_route;
if (ro->ro_rt && ro->ro_rt->rt_ifp) {
dummyifp.if_mtu =
ro->ro_rt->rt_ifp->if_mtu;
dummyifp.if_mtu -= ipsechdr;
destifp = &dummyifp;
}
}
key_freesp(sp);
}
lck_mtx_unlock(sadb_mutex);
}
#endif
ipstat.ips_cantfrag++;
break;
case ENOBUFS:
type = ICMP_SOURCEQUENCH;
code = 0;
break;
case EACCES:
m_freem(mcopy);
return;
}
icmp_error(mcopy, type, code, dest, destifp);
}
void
ip_savecontrol(
register struct inpcb *inp,
register struct mbuf **mp,
register struct ip *ip,
register struct mbuf *m)
{
if (inp->inp_socket->so_options & SO_TIMESTAMP) {
struct timeval tv;
microtime(&tv);
*mp = sbcreatecontrol((caddr_t) &tv, sizeof(tv),
SCM_TIMESTAMP, SOL_SOCKET);
if (*mp)
mp = &(*mp)->m_next;
}
if (inp->inp_flags & INP_RECVDSTADDR) {
*mp = sbcreatecontrol((caddr_t) &ip->ip_dst,
sizeof(struct in_addr), IP_RECVDSTADDR, IPPROTO_IP);
if (*mp)
mp = &(*mp)->m_next;
}
#ifdef notyet
if (inp->inp_flags & INP_RECVOPTS) {
*mp = sbcreatecontrol((caddr_t) opts_deleted_above,
sizeof(struct in_addr), IP_RECVOPTS, IPPROTO_IP);
if (*mp)
mp = &(*mp)->m_next;
}
if (inp->inp_flags & INP_RECVRETOPTS) {
*mp = sbcreatecontrol((caddr_t) ip_srcroute(),
sizeof(struct in_addr), IP_RECVRETOPTS, IPPROTO_IP);
if (*mp)
mp = &(*mp)->m_next;
}
#endif
if (inp->inp_flags & INP_RECVIF) {
struct ifnet *ifp;
struct sdlbuf {
struct sockaddr_dl sdl;
u_char pad[32];
} sdlbuf;
struct sockaddr_dl *sdp;
struct sockaddr_dl *sdl2 = &sdlbuf.sdl;
ifnet_head_lock_shared();
if (((ifp = m->m_pkthdr.rcvif))
&& ( ifp->if_index && (ifp->if_index <= if_index))) {
sdp = (struct sockaddr_dl *)(ifnet_addrs
[ifp->if_index - 1]->ifa_addr);
if ((sdp->sdl_family != AF_LINK)
|| (sdp->sdl_len > sizeof(sdlbuf))) {
goto makedummy;
}
bcopy(sdp, sdl2, sdp->sdl_len);
} else {
makedummy:
sdl2->sdl_len
= offsetof(struct sockaddr_dl, sdl_data[0]);
sdl2->sdl_family = AF_LINK;
sdl2->sdl_index = 0;
sdl2->sdl_nlen = sdl2->sdl_alen = sdl2->sdl_slen = 0;
}
ifnet_head_done();
*mp = sbcreatecontrol((caddr_t) sdl2, sdl2->sdl_len,
IP_RECVIF, IPPROTO_IP);
if (*mp)
mp = &(*mp)->m_next;
}
if (inp->inp_flags & INP_RECVTTL) {
*mp = sbcreatecontrol((caddr_t)&ip->ip_ttl, sizeof(ip->ip_ttl), IP_RECVTTL, IPPROTO_IP);
if (*mp) mp = &(*mp)->m_next;
}
}
int
ip_rsvp_init(struct socket *so)
{
if (so->so_type != SOCK_RAW ||
so->so_proto->pr_protocol != IPPROTO_RSVP)
return EOPNOTSUPP;
if (ip_rsvpd != NULL)
return EADDRINUSE;
ip_rsvpd = so;
if (!ip_rsvp_on) {
ip_rsvp_on = 1;
rsvp_on++;
}
return 0;
}
int
ip_rsvp_done(void)
{
ip_rsvpd = NULL;
if (ip_rsvp_on) {
ip_rsvp_on = 0;
rsvp_on--;
}
return 0;
}