2 * Copyright (c) 2003 Andre Oppermann, Internet Business Solutions AG
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. The name of the author may not be used to endorse or promote
14 * products derived from this software without specific prior written
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * ip_fastforward gets its speed from processing the forwarded packet to
34 * completion (if_output on the other side) without any queues or netisr's.
35 * The receiving interface DMAs the packet into memory, the upper half of
36 * driver calls ip_fastforward, we do our routing table lookup and directly
37 * send it off to the outgoing interface which DMAs the packet to the
38 * network card. The only part of the packet we touch with the CPU is the
39 * IP header (unless there are complex firewall rules touching other parts
40 * of the packet, but that is up to you). We are essentially limited by bus
41 * bandwidth and how fast the network card/driver can set up receives and
44 * We handle basic errors, ip header errors, checksum errors,
45 * destination unreachable, fragmentation and fragmentation needed and
46 * report them via icmp to the sender.
48 * Else if something is not pure IPv4 unicast forwarding we fall back to
49 * the normal ip_input processing path. We should only be called from
50 * interfaces connected to the outside world.
52 * Firewalling is fully supported including divert, ipfw fwd and ipfilter
53 * ipnat and address rewrite.
55 * IPSEC is not supported if this host is a tunnel broker. IPSEC is
56 * supported for connections to/from local host.
58 * We try to do the least expensive (in CPU ops) checks and operations
59 * first to catch junk with as little overhead as possible.
61 * We take full advantage of hardware support for ip checksum and
62 * fragmentation offloading.
64 * We don't do ICMP redirect in the fast forwarding path. I have had my own
65 * cases where two core routers with Zebra routing suite would send millions
66 * ICMP redirects to connected hosts if the router to dest was not the default
67 * gateway. In one case it was filling the routing table of a host with close
68 * 300'000 cloned redirect entries until it ran out of kernel memory. However
69 * the networking code proved very robust and it didn't crash or went ill
74 * Many thanks to Matt Thomas of NetBSD for basic structure of ip_flow.c which
75 * is being followed here.
80 #include "opt_ipdivert.h"
81 #include "opt_ipfilter.h"
82 #include "opt_ipstealth.h"
84 #include "opt_pfil_hooks.h"
86 #include <sys/param.h>
87 #include <sys/systm.h>
88 #include <sys/kernel.h>
90 #include <sys/malloc.h>
92 #include <sys/protosw.h>
93 #include <sys/socket.h>
94 #include <sys/sysctl.h>
98 #include <net/if_types.h>
99 #include <net/if_var.h>
100 #include <net/if_dl.h>
101 #include <net/route.h>
103 #include <netinet/in.h>
104 #include <netinet/in_systm.h>
105 #include <netinet/in_var.h>
106 #include <netinet/ip.h>
107 #include <netinet/ip_var.h>
108 #include <netinet/ip_icmp.h>
110 #include <machine/in_cksum.h>
112 #include <netinet/ip_fw.h>
113 #include <netinet/ip_divert.h>
114 #include <netinet/ip_dummynet.h>
116 static int ipfastforward_active = 0;
117 SYSCTL_INT(_net_inet_ip, OID_AUTO, fastforwarding, CTLFLAG_RW,
118 &ipfastforward_active, 0, "Enable fast IP forwarding");
121 * Try to forward a packet based on the destination address.
122 * This is a fast path optimized for the plain forwarding case.
123 * If the packet is handled (and consumed) here then we return 1;
124 * otherwise 0 is returned and the packet should be delivered
125 * to ip_input for full processing.
128 ip_fastforward(struct mbuf *m)
131 struct mbuf *m0 = NULL;
134 struct mbuf *clone = NULL;
137 struct sockaddr_in *dst = NULL;
138 struct in_ifaddr *ia = NULL;
139 struct ifaddr *ifa = NULL;
140 struct ifnet *ifp = NULL;
141 struct ip_fw_args args;
142 in_addr_t odest, dest;
148 * Are we active and forwarding packets?
150 if (!ipfastforward_active || !ipforwarding)
157 * Step 1: check for packet drop conditions (and sanity checks)
161 * Is entire packet big enough?
163 if (m->m_pkthdr.len < sizeof(struct ip)) {
164 ipstat.ips_tooshort++;
169 * Is first mbuf large enough for ip header and is header present?
171 if (m->m_len < sizeof (struct ip) &&
172 (m = m_pullup(m, sizeof (struct ip))) == 0) {
173 ipstat.ips_toosmall++;
177 ip = mtod(m, struct ip *);
182 if (ip->ip_v != IPVERSION) {
183 ipstat.ips_badvers++;
188 * Is IP header length correct and is it in first mbuf?
190 hlen = ip->ip_hl << 2;
191 if (hlen < sizeof(struct ip)) { /* minimum header length */
195 if (hlen > m->m_len) {
196 if ((m = m_pullup(m, hlen)) == 0) {
197 ipstat.ips_badhlen++;
200 ip = mtod(m, struct ip *);
206 if (m->m_pkthdr.csum_flags & CSUM_IP_CHECKED)
207 sum = !(m->m_pkthdr.csum_flags & CSUM_IP_VALID);
209 if (hlen == sizeof(struct ip))
210 sum = in_cksum_hdr(ip);
212 sum = in_cksum(m, hlen);
218 m->m_pkthdr.csum_flags |= (CSUM_IP_CHECKED | CSUM_IP_VALID);
221 * Convert to host representation
223 ip->ip_len = ntohs(ip->ip_len);
224 ip->ip_off = ntohs(ip->ip_off);
227 * Is IP length longer than packet we have got?
229 if (m->m_pkthdr.len < ip->ip_len) {
230 ipstat.ips_tooshort++;
235 * Is packet longer than IP header tells us? If yes, truncate packet.
237 if (m->m_pkthdr.len > ip->ip_len) {
238 if (m->m_len == m->m_pkthdr.len) {
239 m->m_len = ip->ip_len;
240 m->m_pkthdr.len = ip->ip_len;
242 m_adj(m, ip->ip_len - m->m_pkthdr.len);
246 * Is packet from or to 127/8?
248 if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
249 (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
250 ipstat.ips_badaddr++;
255 * Step 2: fallback conditions to normal ip_input path processing
259 * Only IP packets without options
261 if (ip->ip_hl != (sizeof(struct ip) >> 2))
265 * Only unicast IP, not from loopback, no L2 or IP broadcast,
266 * no multicast, no INADDR_ANY
268 * XXX: Probably some of these checks could be direct drop
269 * conditions. However it is not clear whether there are some
270 * hacks or obscure behaviours which make it neccessary to
271 * let ip_input handle it. We play safe here and let ip_input
272 * deal with it until it is proven that we can directly drop it.
274 if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) ||
275 ntohl(ip->ip_src.s_addr) == (u_long)INADDR_BROADCAST ||
276 ntohl(ip->ip_dst.s_addr) == (u_long)INADDR_BROADCAST ||
277 IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
278 IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
279 ip->ip_dst.s_addr == INADDR_ANY )
283 * Is it for a local address on this host?
285 LIST_FOREACH(ia, INADDR_HASH(ip->ip_dst.s_addr), ia_hash) {
286 if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr)
291 * Or is it for a local IP broadcast address on this host?
293 if (m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) {
294 TAILQ_FOREACH(ifa, &m->m_pkthdr.rcvif->if_addrhead, ifa_link) {
295 if (ifa->ifa_addr->sa_family != AF_INET)
298 if (ia->ia_netbroadcast.s_addr == ip->ip_dst.s_addr)
300 if (satosin(&ia->ia_broadaddr)->sin_addr.s_addr ==
305 /* return packet back to netisr for slow processing */
306 ip->ip_len = htons(ip->ip_len);
307 ip->ip_off = htons(ip->ip_off);
314 * Step 3: incoming packet firewall processing
317 odest = dest = ip->ip_dst.s_addr;
320 * Run through list of ipfilter hooks for input packets
322 if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN) ||
329 ip = mtod(m, struct ip *); /* m may have changed by pfil hook */
330 dest = ip->ip_dst.s_addr;
334 * Run through ipfw for input packets
336 if (fw_enable && IPFW_LOADED) {
337 bzero(&args, sizeof(args));
340 ipfw = ip_fw_chk_ptr(&args);
347 * Packet denied, drop it
349 if ((ipfw & IP_FW_PORT_DENY_FLAG) || m == NULL)
352 * Send packet to the appropriate pipe
354 if (DUMMYNET_LOADED && (ipfw & IP_FW_PORT_DYNT_FLAG) != 0) {
355 ip_dn_io_ptr(m, ipfw & 0xffff, DN_TO_IP_IN, &args);
362 if (ipfw != 0 && (ipfw & IP_FW_PORT_DYNT_FLAG) == 0) {
364 * See if this is a fragment
366 if (ip->ip_off & (IP_MF | IP_OFFMASK))
371 if ((ipfw & IP_FW_PORT_TEE_FLAG) != 0)
372 clone = divert_clone(m);
379 * Delayed checksums are not compatible
381 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
383 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
386 * Restore packet header fields to original values
388 tip = mtod(m, struct ip *);
389 tip->ip_len = htons(tip->ip_len);
390 tip->ip_off = htons(tip->ip_off);
392 * Deliver packet to divert input routine
396 * If this was not tee, we are done
399 if ((ipfw & IP_FW_PORT_TEE_FLAG) == 0)
401 /* Continue if it was tee */
405 if (ipfw == 0 && args.next_hop != NULL) {
406 dest = args.next_hop->sin_addr.s_addr;
410 * Let through or not?
416 ip = mtod(m, struct ip *); /* if m changed during fw processing */
419 * Destination address changed?
423 * Is it now for a local address on this host?
425 LIST_FOREACH(ia, INADDR_HASH(ip->ip_dst.s_addr), ia_hash) {
426 if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr)
430 * Go on with new destination address
435 * Step 4: decrement TTL and look up route
444 if (ip->ip_ttl <= IPTTLDEC) {
445 icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, 0, NULL);
450 * Decrement the TTL and incrementally change the checksum.
451 * Don't bother doing this with hw checksum offloading.
453 ip->ip_ttl -= IPTTLDEC;
454 if (ip->ip_sum >= (u_int16_t) ~htons(IPTTLDEC << 8))
455 ip->ip_sum -= ~htons(IPTTLDEC << 8);
457 ip->ip_sum += htons(IPTTLDEC << 8);
463 * Find route to destination.
465 bzero(&ro, sizeof(ro));
466 dst = (struct sockaddr_in *)&ro.ro_dst;
467 dst->sin_family = AF_INET;
468 dst->sin_len = sizeof(*dst);
469 dst->sin_addr.s_addr = dest;
470 rtalloc_ign(&ro, RTF_CLONING);
473 * Route there and interface still up?
476 (ro.ro_rt->rt_flags & RTF_UP) &&
477 (ro.ro_rt->rt_ifp->if_flags & IFF_UP)) {
478 ia = ifatoia(ro.ro_rt->rt_ifa);
479 ifp = ro.ro_rt->rt_ifp;
480 if (ro.ro_rt->rt_flags & RTF_GATEWAY)
481 dst = (struct sockaddr_in *)ro.ro_rt->rt_gateway;
483 ipstat.ips_noroute++;
484 ipstat.ips_cantforward++;
485 icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, NULL);
492 * Step 5: outgoing firewall packet processing
497 * Run through list of hooks for output packets.
499 if (pfil_run_hooks(&inet_pfil_hook, &m, ifp, PFIL_OUT) || m == NULL) {
507 ip = mtod(m, struct ip *);
508 dest = ip->ip_dst.s_addr;
510 if (fw_enable && IPFW_LOADED && !args.next_hop) {
511 bzero(&args, sizeof(args));
515 ipfw = ip_fw_chk_ptr(&args);
521 if ((ipfw & IP_FW_PORT_DENY_FLAG) || m == NULL) {
525 if (DUMMYNET_LOADED && (ipfw & IP_FW_PORT_DYNT_FLAG) != 0) {
527 * XXX note: if the ifp or rt entry are deleted
528 * while a pkt is in dummynet, we are in trouble!
530 args.ro = &ro; /* dummynet does not save it */
533 ip_dn_io_ptr(m, ipfw & 0xffff, DN_TO_IP_OUT, &args);
538 if (ipfw != 0 && (ipfw & IP_FW_PORT_DYNT_FLAG) == 0) {
540 * See if this is a fragment
542 if (ip->ip_off & (IP_MF | IP_OFFMASK))
547 if ((ipfw & IP_FW_PORT_TEE_FLAG) != 0)
548 clone = divert_clone(m);
555 * Delayed checksums are not compatible with divert
557 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
559 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
562 * Restore packet header fields to original values
564 tip = mtod(m, struct ip *);
565 tip->ip_len = htons(tip->ip_len);
566 tip->ip_off = htons(tip->ip_off);
568 * Deliver packet to divert input routine
572 * If this was not tee, we are done
575 if ((ipfw & IP_FW_PORT_TEE_FLAG) == 0) {
579 /* Continue if it was tee */
583 if (ipfw == 0 && args.next_hop != NULL) {
584 dest = args.next_hop->sin_addr.s_addr;
588 * Let through or not?
594 ip = mtod(m, struct ip *);
597 * Destination address changed?
601 * Is it now for a local address on this host?
603 LIST_FOREACH(ia, INADDR_HASH(ip->ip_dst.s_addr), ia_hash) {
604 if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr) {
607 struct m_tag *mtag = m_tag_get(
608 PACKET_TAG_IPFORWARD,
609 sizeof(struct sockaddr_in *),
616 *(struct sockaddr_in **)(mtag+1) =
618 m_tag_prepend(m, mtag);
621 droptoours: /* Used for DIVERT */
624 m->m_flags |= M_FASTFWD_OURS;
626 /* ip still points to the real packet */
627 ip->ip_len = htons(ip->ip_len);
628 ip->ip_off = htons(ip->ip_off);
631 * Return packet for processing by ip_input
639 * Redo route lookup with new destination address
642 bzero(&ro, sizeof(ro));
643 dst = (struct sockaddr_in *)&ro.ro_dst;
644 dst->sin_family = AF_INET;
645 dst->sin_len = sizeof(*dst);
646 dst->sin_addr.s_addr = dest;
647 rtalloc_ign(&ro, RTF_CLONING);
650 * Route there and interface still up?
653 (ro.ro_rt->rt_flags & RTF_UP) &&
654 (ro.ro_rt->rt_ifp->if_flags & IFF_UP)) {
655 ia = ifatoia(ro.ro_rt->rt_ifa);
656 ifp = ro.ro_rt->rt_ifp;
657 if (ro.ro_rt->rt_flags & RTF_GATEWAY)
658 dst = (struct sockaddr_in *)ro.ro_rt->rt_gateway;
660 ipstat.ips_noroute++;
661 ipstat.ips_cantforward++;
662 icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, NULL);
670 * Step 6: send off the packet
674 * Check if packet fits MTU or if hardware will fragement for us
676 if (ro.ro_rt->rt_rmx.rmx_mtu)
677 mtu = min(ro.ro_rt->rt_rmx.rmx_mtu, ifp->if_mtu);
681 if (ip->ip_len <= mtu ||
682 (ifp->if_hwassist & CSUM_FRAGMENT && (ip->ip_off & IP_DF) == 0)) {
684 * Restore packet header fields to original values
686 ip->ip_len = htons(ip->ip_len);
687 ip->ip_off = htons(ip->ip_off);
689 * Send off the packet via outgoing interface
691 error = (*ifp->if_output)(ifp, m,
692 (struct sockaddr *)dst, ro.ro_rt);
694 ia->ia_ifa.if_opackets++;
695 ia->ia_ifa.if_obytes += m->m_pkthdr.len;
699 * Handle EMSGSIZE with icmp reply
700 * needfrag for TCP MTU discovery
702 if (ip->ip_off & IP_DF) {
703 icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG,
705 ipstat.ips_cantfrag++;
710 * We have to fragement the packet
712 m->m_pkthdr.csum_flags |= CSUM_IP;
713 if (ip_fragment(ip, &m, mtu, ifp->if_hwassist,
714 (~ifp->if_hwassist & CSUM_DELAY_IP))) {
718 KASSERT(m != NULL, ("null mbuf and no error"));
720 * Send off the fragments via outgoing interface
727 error = (*ifp->if_output)(ifp, m,
728 (struct sockaddr *)dst, ro.ro_rt);
731 } while ((m = m0) != NULL);
733 /* Reclaim remaining fragments */
740 ipstat.ips_fragmented++;
745 ipstat.ips_odropped++;
747 ro.ro_rt->rt_rmx.rmx_pksent++;
748 ipstat.ips_forward++;
749 ipstat.ips_fastforward++;