2 * Copyright (c) 2003 Andre Oppermann, Internet Business Solutions AG
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. The name of the author may not be used to endorse or promote
14 * products derived from this software without specific prior written
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * ip_fastforward gets its speed from processing the forwarded packet to
32 * completion (if_output on the other side) without any queues or netisr's.
33 * The receiving interface DMAs the packet into memory, the upper half of
34 * driver calls ip_fastforward, we do our routing table lookup and directly
35 * send it off to the outgoing interface, which DMAs the packet to the
36 * network card. The only part of the packet we touch with the CPU is the
37 * IP header (unless there are complex firewall rules touching other parts
38 * of the packet, but that is up to you). We are essentially limited by bus
39 * bandwidth and how fast the network card/driver can set up receives and
42 * We handle basic errors, IP header errors, checksum errors,
43 * destination unreachable, fragmentation and fragmentation needed and
44 * report them via ICMP to the sender.
46 * Else if something is not pure IPv4 unicast forwarding we fall back to
47 * the normal ip_input processing path. We should only be called from
48 * interfaces connected to the outside world.
50 * Firewalling is fully supported including divert, ipfw fwd and ipfilter
51 * ipnat and address rewrite.
53 * IPSEC is not supported if this host is a tunnel broker. IPSEC is
54 * supported for connections to/from local host.
56 * We try to do the least expensive (in CPU ops) checks and operations
57 * first to catch junk with as little overhead as possible.
59 * We take full advantage of hardware support for IP checksum and
60 * fragmentation offloading.
62 * We don't do ICMP redirect in the fast forwarding path. I have had my own
63 * cases where two core routers with Zebra routing suite would send millions
64 * ICMP redirects to connected hosts if the destination router was not the
65 * default gateway. In one case it was filling the routing table of a host
66 * with approximately 300.000 cloned redirect entries until it ran out of
67 * kernel memory. However the networking code proved very robust and it didn't
68 * crash or fail in other ways.
72 * Many thanks to Matt Thomas of NetBSD for basic structure of ip_flow.c which
73 * is being followed here.
76 #include <sys/cdefs.h>
77 __FBSDID("$FreeBSD$");
80 #include "opt_ipstealth.h"
82 #include <sys/param.h>
83 #include <sys/systm.h>
84 #include <sys/kernel.h>
85 #include <sys/malloc.h>
87 #include <sys/protosw.h>
89 #include <sys/socket.h>
90 #include <sys/sysctl.h>
94 #include <net/if_types.h>
95 #include <net/if_var.h>
96 #include <net/if_dl.h>
97 #include <net/route.h>
100 #include <netinet/in.h>
101 #include <netinet/in_kdtrace.h>
102 #include <netinet/in_systm.h>
103 #include <netinet/in_var.h>
104 #include <netinet/ip.h>
105 #include <netinet/ip_var.h>
106 #include <netinet/ip_icmp.h>
107 #include <netinet/ip_options.h>
109 #include <machine/in_cksum.h>
111 static struct sockaddr_in *
112 ip_findroute(struct route *ro, struct in_addr dest, struct mbuf *m)
114 struct sockaddr_in *dst;
118 * Find route to destination.
120 bzero(ro, sizeof(*ro));
121 dst = (struct sockaddr_in *)&ro->ro_dst;
122 dst->sin_family = AF_INET;
123 dst->sin_len = sizeof(*dst);
124 dst->sin_addr.s_addr = dest.s_addr;
125 in_rtalloc_ign(ro, 0, M_GETFIB(m));
128 * Route there and interface still up?
131 if (rt && (rt->rt_flags & RTF_UP) &&
132 (rt->rt_ifp->if_flags & IFF_UP) &&
133 (rt->rt_ifp->if_drv_flags & IFF_DRV_RUNNING)) {
134 if (rt->rt_flags & RTF_GATEWAY)
135 dst = (struct sockaddr_in *)rt->rt_gateway;
137 IPSTAT_INC(ips_noroute);
138 IPSTAT_INC(ips_cantforward);
141 icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
148 * Try to forward a packet based on the destination address.
149 * This is a fast path optimized for the plain forwarding case.
150 * If the packet is handled (and consumed) here then we return NULL;
151 * otherwise mbuf is returned and the packet should be delivered
152 * to ip_input for full processing.
155 ip_tryforward(struct mbuf *m)
158 struct mbuf *m0 = NULL;
160 struct sockaddr_in *dst = NULL;
162 struct in_addr odest, dest;
163 uint16_t ip_len, ip_off;
166 struct m_tag *fwd_tag = NULL;
169 * Are we active and forwarding packets?
175 bzero(&ro, sizeof(ro));
180 * Is packet dropped by traffic conditioner?
182 if (altq_input != NULL && (*altq_input)(m, AF_INET) == 0)
187 * Only IP packets without options
189 ip = mtod(m, struct ip *);
191 if (ip->ip_hl != (sizeof(struct ip) >> 2)) {
192 if (V_ip_doopts == 1)
194 else if (V_ip_doopts == 2) {
195 icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_FILTER_PROHIB,
197 return NULL; /* mbuf already free'd */
199 /* else ignore IP options and continue */
203 * Only unicast IP, not from loopback, no L2 or IP broadcast,
204 * no multicast, no INADDR_ANY
206 * XXX: Probably some of these checks could be direct drop
207 * conditions. However it is not clear whether there are some
208 * hacks or obscure behaviours which make it neccessary to
209 * let ip_input handle it. We play safe here and let ip_input
210 * deal with it until it is proven that we can directly drop it.
212 if ((m->m_flags & (M_BCAST|M_MCAST)) ||
213 (m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) ||
214 ntohl(ip->ip_src.s_addr) == (u_long)INADDR_BROADCAST ||
215 ntohl(ip->ip_dst.s_addr) == (u_long)INADDR_BROADCAST ||
216 IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
217 IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
218 IN_LINKLOCAL(ntohl(ip->ip_src.s_addr)) ||
219 IN_LINKLOCAL(ntohl(ip->ip_dst.s_addr)) ||
220 ip->ip_src.s_addr == INADDR_ANY ||
221 ip->ip_dst.s_addr == INADDR_ANY )
225 * Is it for a local address on this host?
227 if (in_localip(ip->ip_dst))
230 IPSTAT_INC(ips_total);
233 * Step 3: incoming packet firewall processing
236 odest.s_addr = dest.s_addr = ip->ip_dst.s_addr;
239 * Run through list of ipfilter hooks for input packets
241 if (!PFIL_HOOKED(&V_inet_pfil_hook))
245 &V_inet_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN, NULL) ||
252 ip = mtod(m, struct ip *); /* m may have changed by pfil hook */
253 dest.s_addr = ip->ip_dst.s_addr;
256 * Destination address changed?
258 if (odest.s_addr != dest.s_addr) {
260 * Is it now for a local address on this host?
262 if (in_localip(dest))
265 * Go on with new destination address
269 if (m->m_flags & M_FASTFWD_OURS) {
271 * ipfw changed it for a local address on this host.
278 * Step 4: decrement TTL and look up route
287 if (ip->ip_ttl <= IPTTLDEC) {
288 icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, 0, 0);
289 return NULL; /* mbuf already free'd */
293 * Decrement the TTL and incrementally change the IP header checksum.
294 * Don't bother doing this with hw checksum offloading, it's faster
295 * doing it right here.
297 ip->ip_ttl -= IPTTLDEC;
298 if (ip->ip_sum >= (u_int16_t) ~htons(IPTTLDEC << 8))
299 ip->ip_sum -= ~htons(IPTTLDEC << 8);
301 ip->ip_sum += htons(IPTTLDEC << 8);
307 * Find route to destination.
309 if ((dst = ip_findroute(&ro, dest, m)) == NULL)
310 return NULL; /* icmp unreach already sent */
311 ifp = ro.ro_rt->rt_ifp;
314 * Immediately drop blackholed traffic, and directed broadcasts
315 * for either the all-ones or all-zero subnet addresses on
316 * locally attached networks.
318 if ((ro.ro_rt->rt_flags & (RTF_BLACKHOLE|RTF_BROADCAST)) != 0)
322 * Step 5: outgoing firewall packet processing
326 * Run through list of hooks for output packets.
328 if (!PFIL_HOOKED(&V_inet_pfil_hook))
331 if (pfil_run_hooks(&V_inet_pfil_hook, &m, ifp, PFIL_OUT, NULL) || m == NULL) {
338 ip = mtod(m, struct ip *);
339 dest.s_addr = ip->ip_dst.s_addr;
342 * Destination address changed?
344 if (m->m_flags & M_IP_NEXTHOP)
345 fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
346 if (odest.s_addr != dest.s_addr || fwd_tag != NULL) {
348 * Is it now for a local address on this host?
350 if (m->m_flags & M_FASTFWD_OURS || in_localip(dest)) {
353 * Return packet for processing by ip_input().
355 m->m_flags |= M_FASTFWD_OURS;
361 * Redo route lookup with new destination address
364 dest.s_addr = ((struct sockaddr_in *)
365 (fwd_tag + 1))->sin_addr.s_addr;
366 m_tag_delete(m, fwd_tag);
367 m->m_flags &= ~M_IP_NEXTHOP;
370 if ((dst = ip_findroute(&ro, dest, m)) == NULL)
371 return NULL; /* icmp unreach already sent */
372 ifp = ro.ro_rt->rt_ifp;
377 * Step 6: send off the packet
379 ip_len = ntohs(ip->ip_len);
380 ip_off = ntohs(ip->ip_off);
383 * Check if route is dampned (when ARP is unable to resolve)
385 if ((ro.ro_rt->rt_flags & RTF_REJECT) &&
386 (ro.ro_rt->rt_expire == 0 || time_uptime < ro.ro_rt->rt_expire)) {
387 icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
392 * Check if media link state of interface is not down
394 if (ifp->if_link_state == LINK_STATE_DOWN) {
395 icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
400 * Check if packet fits MTU or if hardware will fragment for us
402 if (ro.ro_rt->rt_mtu)
403 mtu = min(ro.ro_rt->rt_mtu, ifp->if_mtu);
409 * Avoid confusing lower layers.
413 * Send off the packet via outgoing interface
415 IP_PROBE(send, NULL, NULL, ip, ifp, ip, NULL);
416 error = (*ifp->if_output)(ifp, m,
417 (struct sockaddr *)dst, &ro);
420 * Handle EMSGSIZE with icmp reply needfrag for TCP MTU discovery
422 if (ip_off & IP_DF) {
423 IPSTAT_INC(ips_cantfrag);
424 icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG,
429 * We have to fragment the packet
431 m->m_pkthdr.csum_flags |= CSUM_IP;
432 if (ip_fragment(ip, &m, mtu, ifp->if_hwassist))
434 KASSERT(m != NULL, ("null mbuf and no error"));
436 * Send off the fragments via outgoing interface
443 * Avoid confusing lower layers.
447 IP_PROBE(send, NULL, NULL, ip, ifp, ip, NULL);
448 error = (*ifp->if_output)(ifp, m,
449 (struct sockaddr *)dst, &ro);
452 } while ((m = m0) != NULL);
454 /* Reclaim remaining fragments */
455 for (m = m0; m; m = m0) {
460 IPSTAT_INC(ips_fragmented);
465 IPSTAT_INC(ips_odropped);
467 counter_u64_add(ro.ro_rt->rt_pksent, 1);
468 IPSTAT_INC(ips_forward);
469 IPSTAT_INC(ips_fastforward);
projects / FreeBSD / FreeBSD.git / blob