/*
* Route a frame to an appropriate AX.25 connection.
*/
int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
{
struct rose_neigh *rose_neigh, *new_neigh;
struct rose_route *rose_route;
struct rose_facilities_struct facilities;
rose_address *src_addr, *dest_addr;
struct sock *sk;
unsigned short frametype;
unsigned int lci, new_lci;
unsigned char cause, diagnostic;
struct net_device *dev;
int len, res = 0;
#if 0
if (call_in_firewall(PF_ROSE, skb->dev, skb->data, NULL, &skb) != FW_ACCEPT)
return res;
#endif
frametype = skb->data[2];
lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
src_addr = (rose_address *)(skb->data + 9);
dest_addr = (rose_address *)(skb->data + 4);
spin_lock_bh(&rose_node_list_lock);
spin_lock_bh(&rose_neigh_list_lock);
spin_lock_bh(&rose_route_list_lock);
rose_neigh = rose_neigh_list;
while (rose_neigh != NULL) {
if (ax25cmp(&ax25->dest_addr, &rose_neigh->callsign) == 0 &&
ax25->ax25_dev->dev == rose_neigh->dev)
break;
rose_neigh = rose_neigh->next;
}
if (rose_neigh == NULL) {
printk("rose_route : unknown neighbour or device %s\n",
ax2asc(&ax25->dest_addr));
goto out;
}
/*
* Obviously the link is working, halt the ftimer.
*/
rose_stop_ftimer(rose_neigh);
/*
* LCI of zero is always for us, and its always a restart
* frame.
*/
if (lci == 0) {
rose_link_rx_restart(skb, rose_neigh, frametype);
goto out;
}
/*
* Find an existing socket.
*/
if ((sk = rose_find_socket(lci, rose_neigh)) != NULL) {
if (frametype == ROSE_CALL_REQUEST) {
struct rose_sock *rose = rose_sk(sk);
/* Remove an existing unused socket */
rose_clear_queues(sk);
rose->cause = ROSE_NETWORK_CONGESTION;
rose->diagnostic = 0;
rose->neighbour->use--;
rose->neighbour = NULL;
rose->lci = 0;
rose->state = ROSE_STATE_0;
sk->sk_state = TCP_CLOSE;
sk->sk_err = 0;
sk->sk_shutdown |= SEND_SHUTDOWN;
if (!sock_flag(sk, SOCK_DEAD)) {
sk->sk_state_change(sk);
sock_set_flag(sk, SOCK_DEAD);
}
}
else {
skb->h.raw = skb->data;
res = rose_process_rx_frame(sk, skb);
goto out;
}
}
/*
* Is is a Call Request and is it for us ?
*/
if (frametype == ROSE_CALL_REQUEST)
if ((dev = rose_dev_get(dest_addr)) != NULL) {
res = rose_rx_call_request(skb, dev, rose_neigh, lci);
dev_put(dev);
goto out;
}
if (!sysctl_rose_routing_control) {
rose_transmit_clear_request(rose_neigh, lci, ROSE_NOT_OBTAINABLE, 0);
goto out;
}
/*
* Route it to the next in line if we have an entry for it.
*/
rose_route = rose_route_list;
while (rose_route != NULL) {
if (rose_route->lci1 == lci &&
rose_route->neigh1 == rose_neigh) {
if (frametype == ROSE_CALL_REQUEST) {
/* F6FBB - Remove an existing unused route */
rose_remove_route(rose_route);
break;
} else if (rose_route->neigh2 != NULL) {
skb->data[0] &= 0xF0;
skb->data[0] |= (rose_route->lci2 >> 8) & 0x0F;
skb->data[1] = (rose_route->lci2 >> 0) & 0xFF;
rose_transmit_link(skb, rose_route->neigh2);
if (frametype == ROSE_CLEAR_CONFIRMATION)
rose_remove_route(rose_route);
res = 1;
goto out;
} else {
if (frametype == ROSE_CLEAR_CONFIRMATION)
rose_remove_route(rose_route);
goto out;
}
}
int ip_rcv(struct sk_buff *skb, struct device *dev, struct packet_type *pt)
{
struct iphdr *iph = skb->h.iph;
struct sock *raw_sk=NULL;
unsigned char hash;
unsigned char flag = 0;
struct inet_protocol *ipprot;
int brd=IS_MYADDR;
struct options * opt = NULL;
int is_frag=0;
__u32 daddr;
#ifdef CONFIG_FIREWALL
int fwres;
__u16 rport;
#endif
#ifdef CONFIG_IP_MROUTE
int mroute_pkt=0;
#endif
#ifdef CONFIG_NET_IPV6
/*
* Intercept IPv6 frames. We dump ST-II and invalid types just below..
*/
if(iph->version == 6)
return ipv6_rcv(skb,dev,pt);
#endif
ip_statistics.IpInReceives++;
/*
* Tag the ip header of this packet so we can find it
*/
skb->ip_hdr = iph;
/*
* RFC1122: 3.1.2.2 MUST silently discard any IP frame that fails the checksum.
* RFC1122: 3.1.2.3 MUST discard a frame with invalid source address [NEEDS FIXING].
*
* Is the datagram acceptable?
*
* 1. Length at least the size of an ip header
* 2. Version of 4
* 3. Checksums correctly. [Speed optimisation for later, skip loopback checksums]
* 4. Doesn't have a bogus length
* (5. We ought to check for IP multicast addresses and undefined types.. does this matter ?)
*/
if (skb->len<sizeof(struct iphdr) || iph->ihl<5 || iph->version != 4 || ip_fast_csum((unsigned char *)iph, iph->ihl) !=0
|| skb->len < ntohs(iph->tot_len))
{
ip_statistics.IpInHdrErrors++;
kfree_skb(skb, FREE_WRITE);
return(0);
}
/*
* Our transport medium may have padded the buffer out. Now we know it
* is IP we can trim to the true length of the frame.
* Note this now means skb->len holds ntohs(iph->tot_len).
*/
skb_trim(skb,ntohs(iph->tot_len));
if(skb->len < (iph->ihl<<2))
{
ip_statistics.IpInHdrErrors++;
kfree_skb(skb, FREE_WRITE);
return 0;
}
/*
* Account for the packet (even if the packet is
* not accepted by the firewall!). We do this after
* the sanity checks and the additional ihl check
* so we dont account garbage as we might do before.
*/
#ifdef CONFIG_IP_ACCT
ip_fw_chk(iph,dev,NULL,ip_acct_chain,0,IP_FW_MODE_ACCT_IN);
#endif
/*
* Try to select closest <src,dst> alias device, if any.
* net_alias_dev_rx32 returns main device if it
* fails to found other.
* If successful, also incr. alias rx count.
*
* Only makes sense for unicasts - Thanks ANK.
*/
#ifdef CONFIG_NET_ALIAS
if (skb->pkt_type == PACKET_HOST && iph->daddr != skb->dev->pa_addr && net_alias_has(skb->dev)) {
skb->dev = dev = net_alias_dev_rx32(skb->dev, AF_INET, iph->saddr, iph->daddr);
}
#endif
if (iph->ihl > 5)
{
skb->ip_summed = 0;
if (ip_options_compile(NULL, skb))
return(0);
opt = (struct options*)skb->proto_priv;
#ifdef CONFIG_IP_NOSR
if (opt->srr)
{
kfree_skb(skb, FREE_READ);
return -EINVAL;
}
#endif
}
#if defined(CONFIG_IP_TRANSPARENT_PROXY) && !defined(CONFIG_IP_ALWAYS_DEFRAG)
#define CONFIG_IP_ALWAYS_DEFRAG 1
#endif
#ifdef CONFIG_IP_ALWAYS_DEFRAG
/*
* Defragment all incoming traffic before even looking at it.
* If you have forwarding enabled, this makes the system a
* defragmenting router. Not a common thing.
* You probably DON'T want to enable this unless you have to.
* You NEED to use this if you want to use transparent proxying,
* otherwise, we can't vouch for your sanity.
*/
/*
* See if the frame is fragmented.
*/
if(iph->frag_off)
{
if (iph->frag_off & htons(IP_MF))
is_frag|=IPFWD_FRAGMENT;
/*
* Last fragment ?
*/
if (iph->frag_off & htons(IP_OFFSET))
is_frag|=IPFWD_LASTFRAG;
/*
* Reassemble IP fragments.
*/
if(is_frag)
{
/* Defragment. Obtain the complete packet if there is one */
skb=ip_defrag(iph,skb,dev);
if(skb==NULL)
return 0;
skb->dev = dev;
iph=skb->h.iph;
is_frag = 0;
/*
* When the reassembled packet gets forwarded, the ip
* header checksum should be correct.
* For better performance, this should actually only
* be done in that particular case, i.e. set a flag
* here and calculate the checksum in ip_forward.
*/
ip_send_check(iph);
}
}
#endif
/*
* See if the firewall wants to dispose of the packet.
*/
#ifdef CONFIG_FIREWALL
if ((fwres=call_in_firewall(PF_INET, skb->dev, iph, &rport))<FW_ACCEPT)
{
if(fwres==FW_REJECT)
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, dev);
kfree_skb(skb, FREE_WRITE);
return 0;
}
#ifdef CONFIG_IP_TRANSPARENT_PROXY
if (fwres==FW_REDIRECT)
skb->redirport = rport;
else
#endif
skb->redirport = 0;
#endif
#ifndef CONFIG_IP_ALWAYS_DEFRAG
/*
* Remember if the frame is fragmented.
*/
if(iph->frag_off)
{
if (iph->frag_off & htons(IP_MF))
is_frag|=IPFWD_FRAGMENT;
/*
* Last fragment ?
*/
if (iph->frag_off & htons(IP_OFFSET))
is_frag|=IPFWD_LASTFRAG;
}
#endif
/*
* Do any IP forwarding required. chk_addr() is expensive -- avoid it someday.
*
* This is inefficient. While finding out if it is for us we could also compute
* the routing table entry. This is where the great unified cache theory comes
* in as and when someone implements it
*
* For most hosts over 99% of packets match the first conditional
* and don't go via ip_chk_addr. Note: brd is set to IS_MYADDR at
* function entry.
*/
daddr = iph->daddr;
#ifdef CONFIG_IP_TRANSPARENT_PROXY
/*
* ip_chksock adds still more overhead for forwarded traffic...
*/
if ( iph->daddr == skb->dev->pa_addr || skb->redirport || (brd = ip_chk_addr(iph->daddr)) != 0 || ip_chksock(skb))
#else
if ( iph->daddr == skb->dev->pa_addr || (brd = ip_chk_addr(iph->daddr)) != 0)
#endif
{
if (opt && opt->srr)
{
int srrspace, srrptr;
__u32 nexthop;
unsigned char * optptr = ((unsigned char *)iph) + opt->srr;
if (brd != IS_MYADDR || skb->pkt_type != PACKET_HOST)
{
kfree_skb(skb, FREE_WRITE);
return 0;
}
for ( srrptr=optptr[2], srrspace = optptr[1];
srrptr <= srrspace;
srrptr += 4
)
{
int brd2;
if (srrptr + 3 > srrspace)
{
icmp_send(skb, ICMP_PARAMETERPROB, 0, opt->srr+2,
skb->dev);
kfree_skb(skb, FREE_WRITE);
return 0;
}
memcpy(&nexthop, &optptr[srrptr-1], 4);
if ((brd2 = ip_chk_addr(nexthop)) == 0)
break;
if (brd2 != IS_MYADDR)
{
/*
* ANK: should we implement weak tunneling of multicasts?
* Are they obsolete? DVMRP specs (RFC-1075) is old enough...
* [They are obsolete]
*/
kfree_skb(skb, FREE_WRITE);
return -EINVAL;
}
memcpy(&daddr, &optptr[srrptr-1], 4);
}
if (srrptr <= srrspace)
{
opt->srr_is_hit = 1;
opt->is_changed = 1;
if (sysctl_ip_forward) {
if (ip_forward(skb, dev, is_frag, nexthop))
kfree_skb(skb, FREE_WRITE);
} else {
ip_statistics.IpInAddrErrors++;
kfree_skb(skb, FREE_WRITE);
}
return 0;
}
}
#ifdef CONFIG_IP_MULTICAST
if(!(dev->flags&IFF_ALLMULTI) && brd==IS_MULTICAST && iph->daddr!=IGMP_ALL_HOSTS && !(dev->flags&IFF_LOOPBACK))
{
/*
* Check it is for one of our groups
*/
struct ip_mc_list *ip_mc=dev->ip_mc_list;
do
{
if(ip_mc==NULL)
{
kfree_skb(skb, FREE_WRITE);
return 0;
}
if(ip_mc->multiaddr==iph->daddr)
break;
ip_mc=ip_mc->next;
}
while(1);
}
#endif
#ifndef CONFIG_IP_ALWAYS_DEFRAG
/*
* Reassemble IP fragments.
*/
if(is_frag)
{
/* Defragment. Obtain the complete packet if there is one */
skb=ip_defrag(iph,skb,dev);
if(skb==NULL)
return 0;
skb->dev = dev;
iph=skb->h.iph;
}
#endif
#ifdef CONFIG_IP_MASQUERADE
/*
* Do we need to de-masquerade this packet?
*/
{
int ret = ip_fw_demasquerade(&skb,dev);
if (ret < 0) {
kfree_skb(skb, FREE_WRITE);
return 0;
}
if (ret)
{
struct iphdr *iph=skb->h.iph;
if (ip_forward(skb, dev, IPFWD_MASQUERADED, iph->daddr))
kfree_skb(skb, FREE_WRITE);
return 0;
}
}
#endif
/*
* Point into the IP datagram, just past the header.
*/
skb->ip_hdr = iph;
skb->h.raw += iph->ihl*4;
#ifdef CONFIG_IP_MROUTE
/*
* Check the state on multicast routing (multicast and not 224.0.0.z)
*/
if(brd==IS_MULTICAST && (iph->daddr&htonl(0xFFFFFF00))!=htonl(0xE0000000))
mroute_pkt=1;
#endif
/*
* Deliver to raw sockets. This is fun as to avoid copies we want to make no surplus copies.
*
* RFC 1122: SHOULD pass TOS value up to the transport layer.
*/
/* Note: See raw.c and net/raw.h, RAWV4_HTABLE_SIZE==MAX_INET_PROTOS */
hash = iph->protocol & (MAX_INET_PROTOS - 1);
/*
* If there maybe a raw socket we must check - if not we don't care less
*/
if((raw_sk = raw_v4_htable[hash]) != NULL) {
struct sock *sknext = NULL;
struct sk_buff *skb1;
raw_sk = raw_v4_lookup(raw_sk, iph->protocol,
iph->saddr, iph->daddr);
if(raw_sk) { /* Any raw sockets */
do {
/* Find the next */
sknext = raw_v4_lookup(raw_sk->next,
iph->protocol,
iph->saddr,
iph->daddr);
if(sknext)
skb1 = skb_clone(skb, GFP_ATOMIC);
else
break; /* One pending raw socket left */
if(skb1)
raw_rcv(raw_sk, skb1, dev, iph->saddr,daddr);
raw_sk = sknext;
} while(raw_sk!=NULL);
/*
* Here either raw_sk is the last raw socket, or NULL if none
*/
/*
* We deliver to the last raw socket AFTER the protocol checks as it avoids a surplus copy
*/
}
}
/*
* skb->h.raw now points at the protocol beyond the IP header.
*/
for (ipprot = (struct inet_protocol *)inet_protos[hash];ipprot != NULL;ipprot=(struct inet_protocol *)ipprot->next)
{
struct sk_buff *skb2;
if (ipprot->protocol != iph->protocol)
continue;
/*
* See if we need to make a copy of it. This will
* only be set if more than one protocol wants it.
* and then not for the last one. If there is a pending
* raw delivery wait for that
*/
#ifdef CONFIG_IP_MROUTE
if (ipprot->copy || raw_sk || mroute_pkt)
#else
if (ipprot->copy || raw_sk)
#endif
{
skb2 = skb_clone(skb, GFP_ATOMIC);
if(skb2==NULL)
continue;
}
else
{
skb2 = skb;
}
flag = 1;
/*
* Pass on the datagram to each protocol that wants it,
* based on the datagram protocol. We should really
* check the protocol handler's return values here...
*/
ipprot->handler(skb2, dev, opt, daddr,
(ntohs(iph->tot_len) - (iph->ihl * 4)),
iph->saddr, 0, ipprot);
}
/*
* All protocols checked.
* If this packet was a broadcast, we may *not* reply to it, since that
* causes (proven, grin) ARP storms and a leakage of memory (i.e. all
* ICMP reply messages get queued up for transmission...)
*/
#ifdef CONFIG_IP_MROUTE
/*
* Forward the last copy to the multicast router. If
* there is a pending raw delivery however make a copy
* and forward that.
*/
if(mroute_pkt)
{
flag=1;
if(raw_sk==NULL)
ipmr_forward(skb, is_frag);
else
{
struct sk_buff *skb2=skb_clone(skb, GFP_ATOMIC);
if(skb2)
{
skb2->free=1;
ipmr_forward(skb2, is_frag);
}
}
}
#endif
if(raw_sk!=NULL) /* Shift to last raw user */
raw_rcv(raw_sk, skb, dev, iph->saddr, daddr);
else if (!flag) /* Free and report errors */
{
if (brd != IS_BROADCAST && brd!=IS_MULTICAST)
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PROT_UNREACH, 0, dev);
kfree_skb(skb, FREE_WRITE);
}
return(0);
}
/*
* Do any unicast IP forwarding required.
*/
/*
* Don't forward multicast or broadcast frames.
*/
if(skb->pkt_type!=PACKET_HOST || brd==IS_BROADCAST)
{
kfree_skb(skb,FREE_WRITE);
return 0;
}
/*
* The packet is for another target. Forward the frame
*/
if (sysctl_ip_forward) {
if (opt && opt->is_strictroute)
{
icmp_send(skb, ICMP_PARAMETERPROB, 0, 16, skb->dev);
kfree_skb(skb, FREE_WRITE);
return -1;
}
if (ip_forward(skb, dev, is_frag, iph->daddr))
kfree_skb(skb, FREE_WRITE);
} else {
/* printk("Machine %lx tried to use us as a forwarder to %lx but we have forwarding disabled!\n",
iph->saddr,iph->daddr);*/
ip_statistics.IpInAddrErrors++;
kfree_skb(skb, FREE_WRITE);
}
return(0);
}
/*
* Route a frame to an appropriate AX.25 connection.
*/
int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
{
struct rose_neigh *rose_neigh, *new_neigh;
struct rose_route *rose_route;
struct rose_facilities_struct facilities;
rose_address *src_addr, *dest_addr;
struct sock *sk;
unsigned short frametype;
unsigned int lci, new_lci;
unsigned char cause, diagnostic;
struct device *dev;
unsigned long flags;
int len;
struct sk_buff *skbn;
#ifdef CONFIG_FIREWALL
if (call_in_firewall(PF_ROSE, skb->dev, skb->data, NULL) != FW_ACCEPT)
return 0;
#endif
frametype = skb->data[2];
lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
src_addr = (rose_address *)(skb->data + 9);
dest_addr = (rose_address *)(skb->data + 4);
for (rose_neigh = rose_neigh_list; rose_neigh != NULL; rose_neigh = rose_neigh->next)
if (ax25cmp(&ax25->dest_addr, &rose_neigh->callsign) == 0 && ax25->device == rose_neigh->dev)
break;
if (rose_neigh == NULL) {
printk("rose_route : unknown neighbour or device %s\n", ax2asc(&ax25->dest_addr));
return 0;
}
/*
* Obviously the link is working, halt the ftimer.
*/
rose_neigh->ftimer = 0;
/*
* LCI of zero is always for us, and its always a restart
* frame.
*/
if (lci == 0) {
rose_link_rx_restart(skb, rose_neigh, frametype);
return 0;
}
/*
* Find an existing socket.
*/
if ((sk = rose_find_socket(lci, rose_neigh)) != NULL) {
if (frametype == ROSE_CALL_REQUEST)
{
/* F6FBB - Remove an existing unused socket */
rose_clear_queues(sk);
sk->protinfo.rose->cause = ROSE_NETWORK_CONGESTION;
sk->protinfo.rose->diagnostic = 0;
sk->protinfo.rose->neighbour->use--;
sk->protinfo.rose->neighbour = NULL;
sk->protinfo.rose->state = ROSE_STATE_0;
sk->state = TCP_CLOSE;
sk->err = 0;
sk->shutdown |= SEND_SHUTDOWN;
if (!sk->dead)
sk->state_change(sk);
sk->dead = 1;
}
else
{
skb->h.raw = skb->data;
return rose_process_rx_frame(sk, skb);
}
}
/*
* Is it a Call Request and is it for us ?
*/
if (frametype == ROSE_CALL_REQUEST)
if ((dev = rose_dev_get(dest_addr)) != NULL) {
return rose_rx_call_request(skb, dev, rose_neigh, lci);
}
if (!sysctl_rose_routing_control) {
rose_transmit_clear_request(rose_neigh, lci, ROSE_NOT_OBTAINABLE, 0);
return 0;
}
/*
* Route it to the next in line if we have an entry for it.
*/
for (rose_route = rose_route_list; rose_route != NULL; rose_route = rose_route->next) {
if (rose_route->tr1.lci == lci && rose_route->tr1.neigh == rose_neigh) {
if (frametype == ROSE_CALL_REQUEST) {
/* F6FBB - Remove an existing unused route */
rose_remove_route(rose_route);
break;
} else if (rose_route->tr2.neigh != NULL) {
if ((skbn = skb_copy(skb, GFP_ATOMIC)) != NULL) {
kfree_skb(skb, FREE_READ);
skb = skbn;
}
skb->data[0] &= 0xF0;
skb->data[0] |= (rose_route->tr2.lci >> 8) & 0x0F;
skb->data[1] = (rose_route->tr2.lci >> 0) & 0xFF;
rose_transmit_link(skb, rose_route->tr2.neigh);
if (frametype == ROSE_CLEAR_CONFIRMATION)
rose_remove_route(rose_route);
return 1;
} else {
if (frametype == ROSE_CLEAR_CONFIRMATION)
rose_remove_route(rose_route);
return 0;
}
}
if (rose_route->tr2.lci == lci && rose_route->tr2.neigh == rose_neigh) {
if (frametype == ROSE_CALL_REQUEST) {
/* F6FBB - Remove an existing unused route */
rose_remove_route(rose_route);
break;
} else if (rose_route->tr1.neigh != NULL) {
if ((skbn = skb_copy(skb, GFP_ATOMIC)) != NULL) {
kfree_skb(skb, FREE_READ);
skb = skbn;
}
skb->data[0] &= 0xF0;
skb->data[0] |= (rose_route->tr1.lci >> 8) & 0x0F;
skb->data[1] = (rose_route->tr1.lci >> 0) & 0xFF;
rose_transmit_link(skb, rose_route->tr1.neigh);
if (frametype == ROSE_CLEAR_CONFIRMATION)
rose_remove_route(rose_route);
return 1;
} else {
if (frametype == ROSE_CLEAR_CONFIRMATION)
rose_remove_route(rose_route);
return 0;
}
}
/*
* Main IP Receive routine.
*/
int ip_rcv(struct sk_buff *skb, struct device *dev, struct packet_type *pt)
{
struct iphdr *iph = skb->nh.iph;
/*
* When the interface is in promisc. mode, drop all the crap
* that it receives, do not try to analyse it.
*/
if (skb->pkt_type == PACKET_OTHERHOST)
goto drop;
ip_statistics.IpInReceives++;
/*
* RFC1122: 3.1.2.2 MUST silently discard any IP frame that fails the checksum.
*
* Is the datagram acceptable?
*
* 1. Length at least the size of an ip header
* 2. Version of 4
* 3. Checksums correctly. [Speed optimisation for later, skip loopback checksums]
* 4. Doesn't have a bogus length
*/
if (skb->len < sizeof(struct iphdr))
goto inhdr_error;
if (iph->ihl < 5 || iph->version != 4 || ip_fast_csum((u8 *)iph, iph->ihl) != 0)
goto inhdr_error;
{
__u32 len = ntohs(iph->tot_len);
if (skb->len < len)
goto inhdr_error;
/*
* Our transport medium may have padded the buffer out. Now we know it
* is IP we can trim to the true length of the frame.
* Note this now means skb->len holds ntohs(iph->tot_len).
*/
__skb_trim(skb, len);
}
/*
* Initialise the virtual path cache for the packet. It describes
* how the packet travels inside Linux networking.
*/
if (skb->dst == NULL) {
if (ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev))
goto drop;
#ifdef CONFIG_CPU_IS_SLOW
if (net_cpu_congestion > 10 && !(iph->tos&IPTOS_RELIABILITY) &&
IPTOS_PREC(iph->tos) < IPTOS_PREC_INTERNETCONTROL) {
goto drop;
}
#endif
}
#ifdef CONFIG_IP_ALWAYS_DEFRAG
if (iph->frag_off & htons(IP_MF|IP_OFFSET)) {
skb = ip_defrag(skb);
if (!skb)
return 0;
iph = skb->nh.iph;
ip_send_check(iph);
}
#endif
if (iph->ihl > 5) {
struct ip_options *opt;
/* It looks as overkill, because not all
IP options require packet mangling.
But it is the easiest for now, especially taking
into account that combination of IP options
and running sniffer is extremely rare condition.
--ANK (980813)
*/
skb = skb_cow(skb, skb_headroom(skb));
if (skb == NULL)
return 0;
iph = skb->nh.iph;
skb->ip_summed = 0;
if (ip_options_compile(NULL, skb))
goto inhdr_error;
opt = &(IPCB(skb)->opt);
if (opt->srr) {
struct in_device *in_dev = dev->ip_ptr;
if (in_dev && !IN_DEV_SOURCE_ROUTE(in_dev)) {
if (IN_DEV_LOG_MARTIANS(in_dev) && net_ratelimit())
printk(KERN_INFO "source route option %d.%d.%d.%d -> %d.%d.%d.%d\n",
NIPQUAD(iph->saddr), NIPQUAD(iph->daddr));
goto drop;
}
if (ip_options_rcv_srr(skb))
goto drop;
}
}
/*
* See if the firewall wants to dispose of the packet.
*
* Note: the current standard firewall code expects that the
* destination address was already checked against the interface
* address lists.
*
* If this code is ever moved in front of ip_route_input() you need
* to fix the fw code [moving it might be a good idea anyways,
* so that we can firewall against potentially bugs in the options
* or routing code]
*/
#ifdef CONFIG_FIREWALL
{
int fwres;
u16 rport;
#ifdef CONFIG_IP_ROUTE_TOS
u8 tos = iph->tos;
#endif
if ((fwres=call_in_firewall(PF_INET, skb->dev, iph, &rport, &skb))<FW_ACCEPT) {
if (fwres==FW_REJECT)
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
goto drop;
}
#ifdef CONFIG_IP_TRANSPARENT_PROXY
if (fwres==FW_REDIRECT && (IPCB(skb)->redirport = rport) != 0)
return ip_local_deliver(skb);
#endif
#ifdef CONFIG_IP_ROUTE_TOS
/* It is for 2.2 only. Firewalling should make smart
rerouting itself, ideally, but now it is too late
to teach it. --ANK (980905)
*/
if (iph->tos != tos && ((struct rtable*)skb->dst)->rt_type == RTN_UNICAST) {
dst_release(skb->dst);
skb->dst = NULL;
if (ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev))
goto drop;
}
#endif
}
#endif
return skb->dst->input(skb);
inhdr_error:
ip_statistics.IpInHdrErrors++;
drop:
kfree_skb(skb);
return(0);
}
