int ip_options_get(struct ip_options **optp, unsigned char *data, int optlen, int user)
{
struct ip_options *opt;
opt = kmalloc(sizeof(struct ip_options)+((optlen+3)&~3), GFP_KERNEL);
if (!opt)
return -ENOMEM;
memset(opt, 0, sizeof(struct ip_options));
if (optlen) {
if (user) {
if (copy_from_user(opt->__data, data, optlen)) {
kfree(opt);
return -EFAULT;
}
} else
memcpy(opt->__data, data, optlen);
}
while (optlen & 3)
opt->__data[optlen++] = IPOPT_END;
opt->optlen = optlen;
opt->is_data = 1;
opt->is_setbyuser = 1;
if (optlen && ip_options_compile(opt, NULL)) {
kfree(opt);
return -EINVAL;
}
*optp = opt;
return 0;
}
static int br_parse_ip_options(struct sk_buff *skb)
{
struct ip_options *opt;
struct iphdr *iph;
struct net_device *dev = skb->dev;
u32 len;
iph = ip_hdr(skb);
opt = &(IPCB(skb)->opt);
/* Basic sanity checks */
if (iph->ihl < 5 || iph->version != 4)
goto inhdr_error;
if (!pskb_may_pull(skb, iph->ihl*4))
goto inhdr_error;
iph = ip_hdr(skb);
if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl)))
goto inhdr_error;
len = ntohs(iph->tot_len);
if (skb->len < len) {
IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INTRUNCATEDPKTS);
goto drop;
} else if (len < (iph->ihl*4))
goto inhdr_error;
if (pskb_trim_rcsum(skb, len)) {
IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INDISCARDS);
goto drop;
}
/* Zero out the CB buffer if no options present */
if (iph->ihl == 5) {
memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
return 0;
}
opt->optlen = iph->ihl*4 - sizeof(struct iphdr);
if (ip_options_compile(dev_net(dev), opt, skb))
goto inhdr_error;
/* Check correct handling of SRR option */
if (unlikely(opt->srr)) {
struct in_device *in_dev = __in_dev_get_rcu(dev);
if (in_dev && !IN_DEV_SOURCE_ROUTE(in_dev))
goto drop;
if (ip_options_rcv_srr(skb))
goto drop;
}
return 0;
inhdr_error:
IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INHDRERRORS);
drop:
return -1;
}
void gen_ip_frag_proc(int it, TPTD_Token * token)
{
//fprintf(stderr, "gen_ip_frag_proc\n");
struct proc_node *i;
u_char *data = token->data;
//fprintf(stderr, "f**k f**k id %d\n", it);
struct ip *iph = (struct ip *) data;
int need_free = 0;
int skblen;
void (*glibc_syslog_h_workaround)(int, int, struct ip *, void*)=
nids_params.syslog;
ip_fast_csum((unsigned char *) iph, iph->ip_hl);
if (token->caplen < (int)sizeof(struct ip) || iph->ip_hl < 5 || iph->ip_v != 4 ||
(u_short)ip_fast_csum((unsigned char *) iph, iph->ip_hl) != 0 ||
token->caplen < ntohs(iph->ip_len) || ntohs(iph->ip_len) < iph->ip_hl << 2) {
glibc_syslog_h_workaround(NIDS_WARN_IP, NIDS_WARN_IP_HDR, iph, 0);
token->token_state = TOKEN_STATE_END;
// fprintf(stderr, "break on ipfragment 1\n");
return;
}
if (iph->ip_hl > 5 && ip_options_compile((unsigned char *)data)) {
glibc_syslog_h_workaround(NIDS_WARN_IP, NIDS_WARN_IP_SRR, iph, 0);
token->token_state = TOKEN_STATE_END;
//fprintf(stderr, "break on ipfragment 2\n");
return;
}
switch (ip_defrag_stub((struct ip *) data, &iph)) {
case IPF_ISF:
//fprintf(stderr, "IPF_ISF\n");
token->token_state = TOKEN_STATE_ALIVE;
//fprintf(stderr, "break on ipfragment 2\n");
return;
case IPF_NOTF:
need_free = 0;
iph = (struct ip *) data;
break;
case IPF_NEW:
need_free = 1;
break;
default:;
}
skblen = ntohs(iph->ip_len) + 16;
if (!need_free)
skblen += nids_params.dev_addon;
skblen = (skblen + 15) & ~15;
skblen += nids_params.sk_buff_size;
if (need_free)
free(iph);
token->token_state = TOKEN_STATE_GOON;
return;
}
static inline int ip_rcv_options(struct sk_buff *skb)
{
struct ip_options *opt;
struct iphdr *iph;
struct net_device *dev = skb->dev;
/* It looks as overkill, because not all
IP options require packet mangling.
But it is the easiest for now, especially taking
into account that combination of IP options
and running sniffer is extremely rare condition.
--ANK (980813)
*/
if (skb_cow(skb, skb_headroom(skb))) {
IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INDISCARDS);
goto drop;
}
iph = ip_hdr(skb);
opt = &(IPCB(skb)->opt);
opt->optlen = iph->ihl*4 - sizeof(struct iphdr);
if (ip_options_compile(dev_net(dev), opt, skb)) {
IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_INHDRERRORS);
goto drop;
}
if (unlikely(opt->srr)) {
struct in_device *in_dev = in_dev_get(dev);
if (in_dev) {
if (!IN_DEV_SOURCE_ROUTE(in_dev)) {
if (IN_DEV_LOG_MARTIANS(in_dev) &&
net_ratelimit())
printk(KERN_INFO "source route option "
NIPQUAD_FMT " -> " NIPQUAD_FMT "\n",
NIPQUAD(iph->saddr),
NIPQUAD(iph->daddr));
in_dev_put(in_dev);
goto drop;
}
in_dev_put(in_dev);
}
if (ip_options_rcv_srr(skb))
goto drop;
}
return 0;
drop:
return -1;
}
static int ip_options_get_finish(struct net *net, struct ip_options **optp,
struct ip_options *opt, int optlen)
{
while (optlen & 3)
opt->__data[optlen++] = IPOPT_END;
opt->optlen = optlen;
if (optlen && ip_options_compile(net, opt, NULL)) {
kfree(opt);
return -EINVAL;
}
kfree(*optp);
*optp = opt;
return 0;
}
static inline struct sk_buff *mapi_ip_rcv_finish(struct sk_buff *skb,struct predef_func *pf)
{
struct iphdr *iph = skb->nh.iph;
struct cook_ip_struct *cis = (struct cook_ip_struct *)pf->data;
if(iph->ihl > 5)
{
/*
* It looks as overkill, because not all
* IP options require packet mangling.
* But it is the easiest for now, especially taking
* into account that combination of IP options
* and running sniffer is extremely rare condition.
* --ANK (980813)
*/
if(skb_cow(skb,skb_headroom(skb)))
{
goto drop;
}
iph = skb->nh.iph;
skb->ip_summed = 0;
if(ip_options_compile(NULL,skb))
{
goto inhdr_error;
}
}
return mapi_ip_local_deliver(skb,pf);
inhdr_error:
spin_lock(&pf->data_lock);
cis->ip_options_errors++;
spin_unlock(&pf->data_lock);
MAPI_DEBUG(if(net_ratelimit())
printk("COOK_IP : IP options error : %u.%u.%u.%u <- %u.%u.%u.%u\n",
NIPQUAD(skb->nh.iph->daddr),
NIPQUAD(skb->nh.iph->saddr)));
drop:
kfree_skb(skb);
return NULL;
}
static void gen_ip_frag_proc(u_char * data, int len)
{
struct proc_node *i;
struct ip *iph = (struct ip *) data;
int need_free = 0;
int skblen;
void (*glibc_syslog_h_workaround)(int, int, struct ip *, void*)=
nids_params.syslog;
if (!nids_params.ip_filter(iph, len))
return;
#if 0
if (len < (int)sizeof(struct ip) || iph->ip_hl < 5 || iph->ip_v != 4 ||
ip_fast_csum((unsigned char *) iph, iph->ip_hl) != 0 ||
len < ntohs(iph->ip_len) || ntohs(iph->ip_len) < iph->ip_hl << 2) {
glibc_syslog_h_workaround(NIDS_WARN_IP, NIDS_WARN_IP_HDR, iph, 0);
return;
}
#endif
if (iph->ip_hl > 5 && ip_options_compile((unsigned char *)data)) {
glibc_syslog_h_workaround(NIDS_WARN_IP, NIDS_WARN_IP_SRR, iph, 0);
return;
}
switch (ip_defrag_stub((struct ip *) data, &iph)) {
case IPF_ISF:
return;
case IPF_NOTF:
need_free = 0;
iph = (struct ip *) data;
break;
case IPF_NEW:
need_free = 1;
break;
default:
;
}
skblen = ntohs(iph->ip_len) + 16;
if (!need_free)
skblen += nids_params.dev_addon;
skblen = (skblen + 15) & ~15;
skblen += nids_params.sk_buff_size;
for (i = ip_procs; i; i = i->next)
(i->item) (iph, skblen);
if (need_free)
free(iph);
}
static int ip_options_get_finish(struct ip_options **optp,
struct ip_options *opt, int optlen)
{
while (optlen & 3)
opt->__data[optlen++] = IPOPT_END;
opt->optlen = optlen;
opt->is_data = 1;
opt->is_setbyuser = 1;
if (optlen && ip_options_compile(opt, NULL)) {
kfree(opt);
return -EINVAL;
}
if (*optp)
kfree(*optp);
*optp = opt;
return 0;
}
static int ip_rcv(struct sk_buff *skb, struct net_device *dev) {
net_device_stats_t *stats = &dev->stats;
const struct net_proto *nproto;
iphdr_t *iph = ip_hdr(skb);
__u16 old_check;
size_t ip_len;
int optlen;
sk_buff_t *complete_skb;
/**
* RFC1122: 3.1.2.2 MUST silently discard any IP frame that fails the checksum.
* Is the datagram acceptable?
* 1. Length at least the size of an ip header
* 2. Version of 4
* 3. Checksums correctly. [Speed optimisation for later, skip loopback checksums]
* 4. Doesn't have a bogus length
*/
if (skb->len < dev->hdr_len + IP_MIN_HEADER_SIZE
|| IP_HEADER_SIZE(iph) < IP_MIN_HEADER_SIZE
|| skb->len < dev->hdr_len + IP_HEADER_SIZE(iph)) {
DBG(printk("ip_rcv: invalid IPv4 header length\n"));
stats->rx_length_errors++;
skb_free(skb);
return 0; /* error: invalid header length */
}
if (iph->version != 4) {
DBG(printk("ip_rcv: invalid IPv4 version\n"));
stats->rx_err++;
skb_free(skb);
return 0; /* error: not ipv4 */
}
old_check = iph->check;
ip_set_check_field(iph);
if (old_check != iph->check) {
DBG(printk("ip_rcv: invalid checksum %hx(%hx)\n",
ntohs(old_check), ntohs(iph->check)));
stats->rx_crc_errors++;
skb_free(skb);
return 0; /* error: invalid crc */
}
ip_len = ntohs(iph->tot_len);
if (ip_len < IP_HEADER_SIZE(iph)
|| skb->len < dev->hdr_len + ip_len) {
DBG(printk("ip_rcv: invalid IPv4 length\n"));
stats->rx_length_errors++;
skb_free(skb);
return 0; /* error: invalid length */
}
/* Setup transport layer (L4) header */
skb->h.raw = skb->nh.raw + IP_HEADER_SIZE(iph);
/* Validating */
if (0 != nf_test_skb(NF_CHAIN_INPUT, NF_TARGET_ACCEPT, skb)) {
DBG(printk("ip_rcv: dropped by input netfilter\n"));
stats->rx_dropped++;
skb_free(skb);
return 0; /* error: dropped */
}
/* Forwarding */
assert(skb->dev);
assert(inetdev_get_by_dev(skb->dev));
if (inetdev_get_by_dev(skb->dev)->ifa_address != 0) {
/**
* FIXME
* This check needed for BOOTP protocol
* disable forwarding if interface is not set yet
*/
/**
* Check the destination address, and if it doesn't match
* any of own addresses, retransmit packet according to the routing table.
*/
if (!ip_is_local(iph->daddr, IP_LOCAL_BROADCAST)) {
if (0 != nf_test_skb(NF_CHAIN_FORWARD, NF_TARGET_ACCEPT, skb)) {
DBG(printk("ip_rcv: dropped by forward netfilter\n"));
stats->rx_dropped++;
skb_free(skb);
return 0; /* error: dropped */
}
return ip_forward(skb);
}
}
memset(skb->cb, 0, sizeof(skb->cb));
optlen = IP_HEADER_SIZE(iph) - IP_MIN_HEADER_SIZE;
if (optlen > 0) {
/* NOTE : maybe it'd be better to copy skb here,
* 'cause options may cause modifications
* but smart people who wrote linux kernel
* say that this is extremely rarely needed
*/
ip_options_t *opts = (ip_options_t*)(skb->cb);
memset(skb->cb, 0, sizeof(skb->cb));
opts->optlen = optlen;
if (ip_options_compile(skb, opts)) {
DBG(printk("ip_rcv: invalid options\n"));
stats->rx_err++;
skb_free(skb);
return 0; /* error: bad ops */
}
if (ip_options_handle_srr(skb)) {
DBG(printk("ip_rcv: can't handle options\n"));
stats->tx_err++;
skb_free(skb);
return 0; /* error: can't handle ops */
}
}
/* It's very useful for us to have complete packet even for forwarding
* (we may apply any filter, we may perform NAT etc),
* but it'll break routing if different parts of a fragmented
* packet will use different routes. So they can't be assembled.
* See RFC 1812 for details
*/
if (ntohs(skb->nh.iph->frag_off) & (IP_MF | IP_OFFSET)) {
if ((complete_skb = ip_defrag(skb)) == NULL) {
if (skb == NULL) {
return 0; /* error: */
}
return 0;
} else {
skb = complete_skb;
iph = ip_hdr(complete_skb);
}
}
/* When a packet is received, it is passed to any raw sockets
* which have been bound to its protocol or to socket with concrete protocol */
raw_rcv(skb);
nproto = net_proto_lookup(ETH_P_IP, iph->proto);
if (nproto != NULL) {
return nproto->handle(skb);
}
DBG(printk("ip_rcv: unknown protocol\n"));
skb_free(skb);
return 0; /* error: nobody wants this packet */
}
int ip_setsockopt(struct sock *sk, int level, int optname, char *optval, int optlen)
{
int val,err;
unsigned char ucval;
#if defined(CONFIG_IP_FIREWALL) || defined(CONFIG_IP_ACCT)
struct ip_fw tmp_fw;
#endif
if (optval == NULL)
{
val=0;
ucval=0;
}
else
{
err=verify_area(VERIFY_READ, optval, sizeof(int));
if(err)
return err;
val = get_user((int *) optval);
ucval=get_user((unsigned char *) optval);
}
if(level!=SOL_IP)
return -EOPNOTSUPP;
#ifdef CONFIG_IP_MROUTE
if(optname>=MRT_BASE && optname <=MRT_BASE+10)
{
return ip_mroute_setsockopt(sk,optname,optval,optlen);
}
#endif
switch(optname)
{
case IP_OPTIONS:
{
struct options * opt = NULL;
struct options * old_opt;
if (optlen > 40 || optlen < 0)
return -EINVAL;
err = verify_area(VERIFY_READ, optval, optlen);
if (err)
return err;
opt = kmalloc(sizeof(struct options)+((optlen+3)&~3), GFP_KERNEL);
if (!opt)
return -ENOMEM;
memset(opt, 0, sizeof(struct options));
if (optlen)
memcpy_fromfs(opt->__data, optval, optlen);
while (optlen & 3)
opt->__data[optlen++] = IPOPT_END;
opt->optlen = optlen;
opt->is_data = 1;
opt->is_setbyuser = 1;
if (optlen && ip_options_compile(opt, NULL))
{
kfree_s(opt, sizeof(struct options) + optlen);
return -EINVAL;
}
/*
* ANK: I'm afraid that receive handler may change
* options from under us.
*/
cli();
old_opt = sk->opt;
sk->opt = opt;
sti();
if (old_opt)
kfree_s(old_opt, sizeof(struct optlen) + old_opt->optlen);
return 0;
}
case IP_TOS: /* This sets both TOS and Precedence */
if (val<0 || val>63) /* Reject setting of unused bits */
return -EINVAL;
if ((val&7) > 4 && !suser()) /* Only root can set Prec>4 */
return -EPERM;
sk->ip_tos=val;
switch (val & 0x38) {
case IPTOS_LOWDELAY:
sk->priority=SOPRI_INTERACTIVE;
break;
case IPTOS_THROUGHPUT:
sk->priority=SOPRI_BACKGROUND;
break;
default:
sk->priority=SOPRI_NORMAL;
break;
}
return 0;
case IP_TTL:
if(val<1||val>255)
return -EINVAL;
sk->ip_ttl=val;
return 0;
case IP_HDRINCL:
if(sk->type!=SOCK_RAW)
return -ENOPROTOOPT;
sk->ip_hdrincl=val?1:0;
return 0;
#ifdef CONFIG_IP_MULTICAST
case IP_MULTICAST_TTL:
{
sk->ip_mc_ttl=(int)ucval;
return 0;
}
case IP_MULTICAST_LOOP:
{
if(ucval!=0 && ucval!=1)
return -EINVAL;
sk->ip_mc_loop=(int)ucval;
return 0;
}
case IP_MULTICAST_IF:
{
struct in_addr addr;
struct device *dev=NULL;
/*
* Check the arguments are allowable
*/
err=verify_area(VERIFY_READ, optval, sizeof(addr));
if(err)
return err;
memcpy_fromfs(&addr,optval,sizeof(addr));
/*
* What address has been requested
*/
if(addr.s_addr==INADDR_ANY) /* Default */
{
sk->ip_mc_name[0]=0;
return 0;
}
/*
* Find the device
*/
dev=ip_mc_find_devfor(addr.s_addr);
/*
* Did we find one
*/
if(dev)
{
strcpy(sk->ip_mc_name,dev->name);
return 0;
}
return -EADDRNOTAVAIL;
}
case IP_ADD_MEMBERSHIP:
{
/*
* FIXME: Add/Del membership should have a semaphore protecting them from re-entry
*/
struct ip_mreq mreq;
__u32 route_src;
struct rtable *rt;
struct device *dev=NULL;
/*
* Check the arguments.
*/
err=verify_area(VERIFY_READ, optval, sizeof(mreq));
if(err)
return err;
memcpy_fromfs(&mreq,optval,sizeof(mreq));
/*
* Get device for use later
*/
if(mreq.imr_interface.s_addr==INADDR_ANY)
{
/*
* Not set so scan.
*/
if((rt=ip_rt_route(mreq.imr_multiaddr.s_addr,0))!=NULL)
{
dev=rt->rt_dev;
route_src = rt->rt_src;
atomic_dec(&rt->rt_use);
ip_rt_put(rt);
}
}
else
{
/*
* Find a suitable device.
*/
dev=ip_mc_find_devfor(mreq.imr_interface.s_addr);
}
/*
* No device, no cookies.
*/
if(!dev)
return -ENODEV;
/*
* Join group.
*/
return ip_mc_join_group(sk,dev,mreq.imr_multiaddr.s_addr);
}
case IP_DROP_MEMBERSHIP:
{
struct ip_mreq mreq;
struct rtable *rt;
__u32 route_src;
struct device *dev=NULL;
/*
* Check the arguments
*/
err=verify_area(VERIFY_READ, optval, sizeof(mreq));
if(err)
return err;
memcpy_fromfs(&mreq,optval,sizeof(mreq));
/*
* Get device for use later
*/
if(mreq.imr_interface.s_addr==INADDR_ANY)
{
if((rt=ip_rt_route(mreq.imr_multiaddr.s_addr,0))!=NULL)
{
dev=rt->rt_dev;
atomic_dec(&rt->rt_use);
route_src = rt->rt_src;
ip_rt_put(rt);
}
}
else
{
dev=ip_mc_find_devfor(mreq.imr_interface.s_addr);
}
/*
* Did we find a suitable device.
*/
if(!dev)
return -ENODEV;
/*
* Leave group
*/
return ip_mc_leave_group(sk,dev,mreq.imr_multiaddr.s_addr);
}
#endif
#ifdef CONFIG_IP_FIREWALL
case IP_FW_INSERT_IN:
case IP_FW_INSERT_OUT:
case IP_FW_INSERT_FWD:
case IP_FW_APPEND_IN:
case IP_FW_APPEND_OUT:
case IP_FW_APPEND_FWD:
case IP_FW_DELETE_IN:
case IP_FW_DELETE_OUT:
case IP_FW_DELETE_FWD:
case IP_FW_CHECK_IN:
case IP_FW_CHECK_OUT:
case IP_FW_CHECK_FWD:
case IP_FW_FLUSH_IN:
case IP_FW_FLUSH_OUT:
case IP_FW_FLUSH_FWD:
case IP_FW_ZERO_IN:
case IP_FW_ZERO_OUT:
case IP_FW_ZERO_FWD:
case IP_FW_POLICY_IN:
case IP_FW_POLICY_OUT:
case IP_FW_POLICY_FWD:
case IP_FW_MASQ_TIMEOUTS:
if(!suser())
return -EPERM;
if(optlen>sizeof(tmp_fw) || optlen<1)
return -EINVAL;
err=verify_area(VERIFY_READ,optval,optlen);
if(err)
return err;
memcpy_fromfs(&tmp_fw,optval,optlen);
err=ip_fw_ctl(optname, &tmp_fw,optlen);
return -err; /* -0 is 0 after all */
#endif
#ifdef CONFIG_IP_ACCT
case IP_ACCT_INSERT:
case IP_ACCT_APPEND:
case IP_ACCT_DELETE:
case IP_ACCT_FLUSH:
case IP_ACCT_ZERO:
if(!suser())
return -EPERM;
if(optlen>sizeof(tmp_fw) || optlen<1)
return -EINVAL;
err=verify_area(VERIFY_READ,optval,optlen);
if(err)
return err;
memcpy_fromfs(&tmp_fw, optval,optlen);
err=ip_acct_ctl(optname, &tmp_fw,optlen);
return -err; /* -0 is 0 after all */
#endif
/* IP_OPTIONS and friends go here eventually */
default:
return(-ENOPROTOOPT);
}
}
static inline int ip_rcv_finish(struct sk_buff *skb)
{
struct net_device *dev = skb->dev;
struct iphdr *iph = skb->nh.iph;
DEENC_CHECK();
/*
* Initialise the virtual path cache for the packet. It describes
* how the packet travels inside Linux networking.
*/
if (skb->dst == NULL) {
DEENC_CHECK();
if (ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev))
goto drop;
}
#ifdef CONFIG_NET_CLS_ROUTE
if (skb->dst->tclassid) {
struct ip_rt_acct *st = ip_rt_acct + 256*smp_processor_id();
u32 idx = skb->dst->tclassid;
st[idx&0xFF].o_packets++;
st[idx&0xFF].o_bytes+=skb->len;
st[(idx>>16)&0xFF].i_packets++;
st[(idx>>16)&0xFF].i_bytes+=skb->len;
}
#endif
if (iph->ihl > 5) {
struct ip_options *opt;
DEENC_CHECK();
/* It looks as overkill, because not all
IP options require packet mangling.
But it is the easiest for now, especially taking
into account that combination of IP options
and running sniffer is extremely rare condition.
--ANK (980813)
*/
if (skb_cow(skb, skb_headroom(skb)))
goto drop;
iph = skb->nh.iph;
if (ip_options_compile(NULL, skb))
goto inhdr_error;
opt = &(IPCB(skb)->opt);
if (opt->srr) {
struct in_device *in_dev = in_dev_get(dev);
if (in_dev) {
if (!IN_DEV_SOURCE_ROUTE(in_dev)) {
if (IN_DEV_LOG_MARTIANS(in_dev) && net_ratelimit())
printk(KERN_INFO "source route option %u.%u.%u.%u -> %u.%u.%u.%u\n",
NIPQUAD(iph->saddr), NIPQUAD(iph->daddr));
in_dev_put(in_dev);
goto drop;
}
in_dev_put(in_dev);
}
if (ip_options_rcv_srr(skb))
goto drop;
}
}
DEENC_CHECK();
return skb->dst->input(skb);
inhdr_error:
IP_INC_STATS_BH(IpInHdrErrors);
drop:
kfree_skb(skb);
return NET_RX_DROP;
}
int ip_rcv(struct sk_buff *skb, struct device *dev, struct packet_type *pt)
{
struct iphdr *iph = skb->h.iph;
struct sock *raw_sk=NULL;
unsigned char hash;
unsigned char flag = 0;
struct inet_protocol *ipprot;
int brd=IS_MYADDR;
struct options * opt = NULL;
int is_frag=0;
__u32 daddr;
#ifdef CONFIG_FIREWALL
int fwres;
__u16 rport;
#endif
#ifdef CONFIG_IP_MROUTE
int mroute_pkt=0;
#endif
#ifdef CONFIG_NET_IPV6
/*
* Intercept IPv6 frames. We dump ST-II and invalid types just below..
*/
if(iph->version == 6)
return ipv6_rcv(skb,dev,pt);
#endif
ip_statistics.IpInReceives++;
/*
* Tag the ip header of this packet so we can find it
*/
skb->ip_hdr = iph;
/*
* RFC1122: 3.1.2.2 MUST silently discard any IP frame that fails the checksum.
* RFC1122: 3.1.2.3 MUST discard a frame with invalid source address [NEEDS FIXING].
*
* Is the datagram acceptable?
*
* 1. Length at least the size of an ip header
* 2. Version of 4
* 3. Checksums correctly. [Speed optimisation for later, skip loopback checksums]
* 4. Doesn't have a bogus length
* (5. We ought to check for IP multicast addresses and undefined types.. does this matter ?)
*/
if (skb->len<sizeof(struct iphdr) || iph->ihl<5 || iph->version != 4 || ip_fast_csum((unsigned char *)iph, iph->ihl) !=0
|| skb->len < ntohs(iph->tot_len))
{
ip_statistics.IpInHdrErrors++;
kfree_skb(skb, FREE_WRITE);
return(0);
}
/*
* Our transport medium may have padded the buffer out. Now we know it
* is IP we can trim to the true length of the frame.
* Note this now means skb->len holds ntohs(iph->tot_len).
*/
skb_trim(skb,ntohs(iph->tot_len));
if(skb->len < (iph->ihl<<2))
{
ip_statistics.IpInHdrErrors++;
kfree_skb(skb, FREE_WRITE);
return 0;
}
/*
* Account for the packet (even if the packet is
* not accepted by the firewall!). We do this after
* the sanity checks and the additional ihl check
* so we dont account garbage as we might do before.
*/
#ifdef CONFIG_IP_ACCT
ip_fw_chk(iph,dev,NULL,ip_acct_chain,0,IP_FW_MODE_ACCT_IN);
#endif
/*
* Try to select closest <src,dst> alias device, if any.
* net_alias_dev_rx32 returns main device if it
* fails to found other.
* If successful, also incr. alias rx count.
*
* Only makes sense for unicasts - Thanks ANK.
*/
#ifdef CONFIG_NET_ALIAS
if (skb->pkt_type == PACKET_HOST && iph->daddr != skb->dev->pa_addr && net_alias_has(skb->dev)) {
skb->dev = dev = net_alias_dev_rx32(skb->dev, AF_INET, iph->saddr, iph->daddr);
}
#endif
if (iph->ihl > 5)
{
skb->ip_summed = 0;
if (ip_options_compile(NULL, skb))
return(0);
opt = (struct options*)skb->proto_priv;
#ifdef CONFIG_IP_NOSR
if (opt->srr)
{
kfree_skb(skb, FREE_READ);
return -EINVAL;
}
#endif
}
#if defined(CONFIG_IP_TRANSPARENT_PROXY) && !defined(CONFIG_IP_ALWAYS_DEFRAG)
#define CONFIG_IP_ALWAYS_DEFRAG 1
#endif
#ifdef CONFIG_IP_ALWAYS_DEFRAG
/*
* Defragment all incoming traffic before even looking at it.
* If you have forwarding enabled, this makes the system a
* defragmenting router. Not a common thing.
* You probably DON'T want to enable this unless you have to.
* You NEED to use this if you want to use transparent proxying,
* otherwise, we can't vouch for your sanity.
*/
/*
* See if the frame is fragmented.
*/
if(iph->frag_off)
{
if (iph->frag_off & htons(IP_MF))
is_frag|=IPFWD_FRAGMENT;
/*
* Last fragment ?
*/
if (iph->frag_off & htons(IP_OFFSET))
is_frag|=IPFWD_LASTFRAG;
/*
* Reassemble IP fragments.
*/
if(is_frag)
{
/* Defragment. Obtain the complete packet if there is one */
skb=ip_defrag(iph,skb,dev);
if(skb==NULL)
return 0;
skb->dev = dev;
iph=skb->h.iph;
is_frag = 0;
/*
* When the reassembled packet gets forwarded, the ip
* header checksum should be correct.
* For better performance, this should actually only
* be done in that particular case, i.e. set a flag
* here and calculate the checksum in ip_forward.
*/
ip_send_check(iph);
}
}
#endif
/*
* See if the firewall wants to dispose of the packet.
*/
#ifdef CONFIG_FIREWALL
if ((fwres=call_in_firewall(PF_INET, skb->dev, iph, &rport))<FW_ACCEPT)
{
if(fwres==FW_REJECT)
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, dev);
kfree_skb(skb, FREE_WRITE);
return 0;
}
#ifdef CONFIG_IP_TRANSPARENT_PROXY
if (fwres==FW_REDIRECT)
skb->redirport = rport;
else
#endif
skb->redirport = 0;
#endif
#ifndef CONFIG_IP_ALWAYS_DEFRAG
/*
* Remember if the frame is fragmented.
*/
if(iph->frag_off)
{
if (iph->frag_off & htons(IP_MF))
is_frag|=IPFWD_FRAGMENT;
/*
* Last fragment ?
*/
if (iph->frag_off & htons(IP_OFFSET))
is_frag|=IPFWD_LASTFRAG;
}
#endif
/*
* Do any IP forwarding required. chk_addr() is expensive -- avoid it someday.
*
* This is inefficient. While finding out if it is for us we could also compute
* the routing table entry. This is where the great unified cache theory comes
* in as and when someone implements it
*
* For most hosts over 99% of packets match the first conditional
* and don't go via ip_chk_addr. Note: brd is set to IS_MYADDR at
* function entry.
*/
daddr = iph->daddr;
#ifdef CONFIG_IP_TRANSPARENT_PROXY
/*
* ip_chksock adds still more overhead for forwarded traffic...
*/
if ( iph->daddr == skb->dev->pa_addr || skb->redirport || (brd = ip_chk_addr(iph->daddr)) != 0 || ip_chksock(skb))
#else
if ( iph->daddr == skb->dev->pa_addr || (brd = ip_chk_addr(iph->daddr)) != 0)
#endif
{
if (opt && opt->srr)
{
int srrspace, srrptr;
__u32 nexthop;
unsigned char * optptr = ((unsigned char *)iph) + opt->srr;
if (brd != IS_MYADDR || skb->pkt_type != PACKET_HOST)
{
kfree_skb(skb, FREE_WRITE);
return 0;
}
for ( srrptr=optptr[2], srrspace = optptr[1];
srrptr <= srrspace;
srrptr += 4
)
{
int brd2;
if (srrptr + 3 > srrspace)
{
icmp_send(skb, ICMP_PARAMETERPROB, 0, opt->srr+2,
skb->dev);
kfree_skb(skb, FREE_WRITE);
return 0;
}
memcpy(&nexthop, &optptr[srrptr-1], 4);
if ((brd2 = ip_chk_addr(nexthop)) == 0)
break;
if (brd2 != IS_MYADDR)
{
/*
* ANK: should we implement weak tunneling of multicasts?
* Are they obsolete? DVMRP specs (RFC-1075) is old enough...
* [They are obsolete]
*/
kfree_skb(skb, FREE_WRITE);
return -EINVAL;
}
memcpy(&daddr, &optptr[srrptr-1], 4);
}
if (srrptr <= srrspace)
{
opt->srr_is_hit = 1;
opt->is_changed = 1;
if (sysctl_ip_forward) {
if (ip_forward(skb, dev, is_frag, nexthop))
kfree_skb(skb, FREE_WRITE);
} else {
ip_statistics.IpInAddrErrors++;
kfree_skb(skb, FREE_WRITE);
}
return 0;
}
}
#ifdef CONFIG_IP_MULTICAST
if(!(dev->flags&IFF_ALLMULTI) && brd==IS_MULTICAST && iph->daddr!=IGMP_ALL_HOSTS && !(dev->flags&IFF_LOOPBACK))
{
/*
* Check it is for one of our groups
*/
struct ip_mc_list *ip_mc=dev->ip_mc_list;
do
{
if(ip_mc==NULL)
{
kfree_skb(skb, FREE_WRITE);
return 0;
}
if(ip_mc->multiaddr==iph->daddr)
break;
ip_mc=ip_mc->next;
}
while(1);
}
#endif
#ifndef CONFIG_IP_ALWAYS_DEFRAG
/*
* Reassemble IP fragments.
*/
if(is_frag)
{
/* Defragment. Obtain the complete packet if there is one */
skb=ip_defrag(iph,skb,dev);
if(skb==NULL)
return 0;
skb->dev = dev;
iph=skb->h.iph;
}
#endif
#ifdef CONFIG_IP_MASQUERADE
/*
* Do we need to de-masquerade this packet?
*/
{
int ret = ip_fw_demasquerade(&skb,dev);
if (ret < 0) {
kfree_skb(skb, FREE_WRITE);
return 0;
}
if (ret)
{
struct iphdr *iph=skb->h.iph;
if (ip_forward(skb, dev, IPFWD_MASQUERADED, iph->daddr))
kfree_skb(skb, FREE_WRITE);
return 0;
}
}
#endif
/*
* Point into the IP datagram, just past the header.
*/
skb->ip_hdr = iph;
skb->h.raw += iph->ihl*4;
#ifdef CONFIG_IP_MROUTE
/*
* Check the state on multicast routing (multicast and not 224.0.0.z)
*/
if(brd==IS_MULTICAST && (iph->daddr&htonl(0xFFFFFF00))!=htonl(0xE0000000))
mroute_pkt=1;
#endif
/*
* Deliver to raw sockets. This is fun as to avoid copies we want to make no surplus copies.
*
* RFC 1122: SHOULD pass TOS value up to the transport layer.
*/
/* Note: See raw.c and net/raw.h, RAWV4_HTABLE_SIZE==MAX_INET_PROTOS */
hash = iph->protocol & (MAX_INET_PROTOS - 1);
/*
* If there maybe a raw socket we must check - if not we don't care less
*/
if((raw_sk = raw_v4_htable[hash]) != NULL) {
struct sock *sknext = NULL;
struct sk_buff *skb1;
raw_sk = raw_v4_lookup(raw_sk, iph->protocol,
iph->saddr, iph->daddr);
if(raw_sk) { /* Any raw sockets */
do {
/* Find the next */
sknext = raw_v4_lookup(raw_sk->next,
iph->protocol,
iph->saddr,
iph->daddr);
if(sknext)
skb1 = skb_clone(skb, GFP_ATOMIC);
else
break; /* One pending raw socket left */
if(skb1)
raw_rcv(raw_sk, skb1, dev, iph->saddr,daddr);
raw_sk = sknext;
} while(raw_sk!=NULL);
/*
* Here either raw_sk is the last raw socket, or NULL if none
*/
/*
* We deliver to the last raw socket AFTER the protocol checks as it avoids a surplus copy
*/
}
}
/*
* skb->h.raw now points at the protocol beyond the IP header.
*/
for (ipprot = (struct inet_protocol *)inet_protos[hash];ipprot != NULL;ipprot=(struct inet_protocol *)ipprot->next)
{
struct sk_buff *skb2;
if (ipprot->protocol != iph->protocol)
continue;
/*
* See if we need to make a copy of it. This will
* only be set if more than one protocol wants it.
* and then not for the last one. If there is a pending
* raw delivery wait for that
*/
#ifdef CONFIG_IP_MROUTE
if (ipprot->copy || raw_sk || mroute_pkt)
#else
if (ipprot->copy || raw_sk)
#endif
{
skb2 = skb_clone(skb, GFP_ATOMIC);
if(skb2==NULL)
continue;
}
else
{
skb2 = skb;
}
flag = 1;
/*
* Pass on the datagram to each protocol that wants it,
* based on the datagram protocol. We should really
* check the protocol handler's return values here...
*/
ipprot->handler(skb2, dev, opt, daddr,
(ntohs(iph->tot_len) - (iph->ihl * 4)),
iph->saddr, 0, ipprot);
}
/*
* All protocols checked.
* If this packet was a broadcast, we may *not* reply to it, since that
* causes (proven, grin) ARP storms and a leakage of memory (i.e. all
* ICMP reply messages get queued up for transmission...)
*/
#ifdef CONFIG_IP_MROUTE
/*
* Forward the last copy to the multicast router. If
* there is a pending raw delivery however make a copy
* and forward that.
*/
if(mroute_pkt)
{
flag=1;
if(raw_sk==NULL)
ipmr_forward(skb, is_frag);
else
{
struct sk_buff *skb2=skb_clone(skb, GFP_ATOMIC);
if(skb2)
{
skb2->free=1;
ipmr_forward(skb2, is_frag);
}
}
}
#endif
if(raw_sk!=NULL) /* Shift to last raw user */
raw_rcv(raw_sk, skb, dev, iph->saddr, daddr);
else if (!flag) /* Free and report errors */
{
if (brd != IS_BROADCAST && brd!=IS_MULTICAST)
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PROT_UNREACH, 0, dev);
kfree_skb(skb, FREE_WRITE);
}
return(0);
}
/*
* Do any unicast IP forwarding required.
*/
/*
* Don't forward multicast or broadcast frames.
*/
if(skb->pkt_type!=PACKET_HOST || brd==IS_BROADCAST)
{
kfree_skb(skb,FREE_WRITE);
return 0;
}
/*
* The packet is for another target. Forward the frame
*/
if (sysctl_ip_forward) {
if (opt && opt->is_strictroute)
{
icmp_send(skb, ICMP_PARAMETERPROB, 0, 16, skb->dev);
kfree_skb(skb, FREE_WRITE);
return -1;
}
if (ip_forward(skb, dev, is_frag, iph->daddr))
kfree_skb(skb, FREE_WRITE);
} else {
/* printk("Machine %lx tried to use us as a forwarder to %lx but we have forwarding disabled!\n",
iph->saddr,iph->daddr);*/
ip_statistics.IpInAddrErrors++;
kfree_skb(skb, FREE_WRITE);
}
return(0);
}
/*
* Main IP Receive routine.
*/
int ip_rcv(struct sk_buff *skb, struct device *dev, struct packet_type *pt)
{
struct iphdr *iph = skb->nh.iph;
/*
* When the interface is in promisc. mode, drop all the crap
* that it receives, do not try to analyse it.
*/
if (skb->pkt_type == PACKET_OTHERHOST)
goto drop;
ip_statistics.IpInReceives++;
/*
* RFC1122: 3.1.2.2 MUST silently discard any IP frame that fails the checksum.
*
* Is the datagram acceptable?
*
* 1. Length at least the size of an ip header
* 2. Version of 4
* 3. Checksums correctly. [Speed optimisation for later, skip loopback checksums]
* 4. Doesn't have a bogus length
*/
if (skb->len < sizeof(struct iphdr))
goto inhdr_error;
if (iph->ihl < 5 || iph->version != 4 || ip_fast_csum((u8 *)iph, iph->ihl) != 0)
goto inhdr_error;
{
__u32 len = ntohs(iph->tot_len);
if (skb->len < len)
goto inhdr_error;
/*
* Our transport medium may have padded the buffer out. Now we know it
* is IP we can trim to the true length of the frame.
* Note this now means skb->len holds ntohs(iph->tot_len).
*/
__skb_trim(skb, len);
}
/*
* Initialise the virtual path cache for the packet. It describes
* how the packet travels inside Linux networking.
*/
if (skb->dst == NULL) {
if (ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev))
goto drop;
#ifdef CONFIG_CPU_IS_SLOW
if (net_cpu_congestion > 10 && !(iph->tos&IPTOS_RELIABILITY) &&
IPTOS_PREC(iph->tos) < IPTOS_PREC_INTERNETCONTROL) {
goto drop;
}
#endif
}
#ifdef CONFIG_IP_ALWAYS_DEFRAG
if (iph->frag_off & htons(IP_MF|IP_OFFSET)) {
skb = ip_defrag(skb);
if (!skb)
return 0;
iph = skb->nh.iph;
ip_send_check(iph);
}
#endif
if (iph->ihl > 5) {
struct ip_options *opt;
/* It looks as overkill, because not all
IP options require packet mangling.
But it is the easiest for now, especially taking
into account that combination of IP options
and running sniffer is extremely rare condition.
--ANK (980813)
*/
skb = skb_cow(skb, skb_headroom(skb));
if (skb == NULL)
return 0;
iph = skb->nh.iph;
skb->ip_summed = 0;
if (ip_options_compile(NULL, skb))
goto inhdr_error;
opt = &(IPCB(skb)->opt);
if (opt->srr) {
struct in_device *in_dev = dev->ip_ptr;
if (in_dev && !IN_DEV_SOURCE_ROUTE(in_dev)) {
if (IN_DEV_LOG_MARTIANS(in_dev) && net_ratelimit())
printk(KERN_INFO "source route option %d.%d.%d.%d -> %d.%d.%d.%d\n",
NIPQUAD(iph->saddr), NIPQUAD(iph->daddr));
goto drop;
}
if (ip_options_rcv_srr(skb))
goto drop;
}
}
/*
* See if the firewall wants to dispose of the packet.
*
* Note: the current standard firewall code expects that the
* destination address was already checked against the interface
* address lists.
*
* If this code is ever moved in front of ip_route_input() you need
* to fix the fw code [moving it might be a good idea anyways,
* so that we can firewall against potentially bugs in the options
* or routing code]
*/
#ifdef CONFIG_FIREWALL
{
int fwres;
u16 rport;
#ifdef CONFIG_IP_ROUTE_TOS
u8 tos = iph->tos;
#endif
if ((fwres=call_in_firewall(PF_INET, skb->dev, iph, &rport, &skb))<FW_ACCEPT) {
if (fwres==FW_REJECT)
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
goto drop;
}
#ifdef CONFIG_IP_TRANSPARENT_PROXY
if (fwres==FW_REDIRECT && (IPCB(skb)->redirport = rport) != 0)
return ip_local_deliver(skb);
#endif
#ifdef CONFIG_IP_ROUTE_TOS
/* It is for 2.2 only. Firewalling should make smart
rerouting itself, ideally, but now it is too late
to teach it. --ANK (980905)
*/
if (iph->tos != tos && ((struct rtable*)skb->dst)->rt_type == RTN_UNICAST) {
dst_release(skb->dst);
skb->dst = NULL;
if (ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev))
goto drop;
}
#endif
}
#endif
return skb->dst->input(skb);
inhdr_error:
ip_statistics.IpInHdrErrors++;
drop:
kfree_skb(skb);
return(0);
}
