1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
|
/*
* INET An implementation of the TCP/IP protocol suite for the LINUX
* operating system. INET is implemented using the BSD Socket
* interface as the means of communication with the user level.
*
* The IP forwarding functionality.
*
* Version: $Id: ip_forward.c,v 1.3 1998/03/03 01:23:37 ralf Exp $
*
* Authors: see ip.c
*
* Fixes:
* Many : Split from ip.c , see ip_input.c for
* history.
* Dave Gregorich : NULL ip_rt_put fix for multicast
* routing.
* Jos Vos : Add call_out_firewall before sending,
* use output device for accounting.
* Jos Vos : Call forward firewall after routing
* (always use output device).
* Mike McLagan : Routing by source
*/
#include <linux/config.h>
#include <linux/types.h>
#include <linux/mm.h>
#include <linux/sched.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/icmp.h>
#include <linux/netdevice.h>
#include <net/sock.h>
#include <net/ip.h>
#include <net/tcp.h>
#include <net/udp.h>
#include <net/icmp.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/firewall.h>
#include <linux/ip_fw.h>
#ifdef CONFIG_IP_MASQUERADE
#include <net/ip_masq.h>
#endif
#include <net/checksum.h>
#include <linux/route.h>
#include <net/route.h>
#ifdef CONFIG_IP_TRANSPARENT_PROXY
/*
* Check the packet against our socket administration to see
* if it is related to a connection on our system.
* Needed for transparent proxying.
*/
int ip_chksock(struct sk_buff *skb)
{
switch (skb->nh.iph->protocol) {
case IPPROTO_ICMP:
return icmp_chkaddr(skb);
case IPPROTO_TCP:
return tcp_chkaddr(skb);
case IPPROTO_UDP:
return udp_chkaddr(skb);
default:
return 0;
}
}
#endif
int ip_forward(struct sk_buff *skb)
{
struct device *dev2; /* Output device */
struct iphdr *iph; /* Our header */
struct rtable *rt; /* Route we use */
struct ip_options * opt = &(IPCB(skb)->opt);
unsigned short mtu;
#if defined(CONFIG_FIREWALL) || defined(CONFIG_IP_MASQUERADE)
int fw_res = 0;
#endif
if (IPCB(skb)->opt.router_alert) {
if (ip_call_ra_chain(skb))
return 0;
}
if (skb->pkt_type != PACKET_HOST)
goto drop;
/*
* According to the RFC, we must first decrease the TTL field. If
* that reaches zero, we must reply an ICMP control message telling
* that the packet's lifetime expired.
*/
iph = skb->nh.iph;
rt = (struct rtable*)skb->dst;
#ifdef CONFIG_CPU_IS_SLOW
if (net_cpu_congestion > 1 && !(iph->tos&IPTOS_RELIABILITY) &&
IPTOS_PREC(iph->tos) < IPTOS_PREC_INTERNETCONTROL) {
if (((xtime.tv_usec&0xF)<<net_cpu_congestion) > 0x1C)
goto drop;
}
#endif
#ifdef CONFIG_TRANSPARENT_PROXY
if (ip_chk_sock(skb))
goto local_pkt;
#endif
if (ip_decrease_ttl(iph) <= 0)
goto too_many_hops;
if (opt->is_strictroute && rt->rt_dst != rt->rt_gateway)
goto sr_failed;
/*
* Having picked a route we can now send the frame out
* after asking the firewall permission to do so.
*/
skb->priority = rt->u.dst.priority;
dev2 = rt->u.dst.dev;
mtu = dev2->mtu;
#ifdef CONFIG_NET_SECURITY
call_fw_firewall(PF_SECURITY, dev2, NULL, &mtu, NULL);
#endif
/*
* In IP you never have to forward a frame on the interface that it
* arrived upon. We now generate an ICMP HOST REDIRECT giving the route
* we calculated.
*/
if (rt->rt_flags&RTCF_DOREDIRECT && !opt->srr)
ip_rt_send_redirect(skb);
/*
* We now may allocate a new buffer, and copy the datagram into it.
* If the indicated interface is up and running, kick it.
*/
if (skb->len > mtu && (ntohs(iph->frag_off) & IP_DF))
goto frag_needed;
#ifdef CONFIG_IP_ROUTE_NAT
if (rt->rt_flags & RTCF_NAT) {
if (skb_headroom(skb) < dev2->hard_header_len || skb_cloned(skb)) {
struct sk_buff *skb2;
skb2 = skb_realloc_headroom(skb, (dev2->hard_header_len + 15)&~15);
kfree_skb(skb);
if (skb2 == NULL)
return -1;
skb = skb2;
}
if (ip_do_nat(skb)) {
kfree_skb(skb);
return -1;
}
}
#endif
#ifdef CONFIG_IP_MASQUERADE
if(!(IPCB(skb)->flags&IPSKB_MASQUERADED)) {
/*
* Check that any ICMP packets are not for a
* masqueraded connection. If so rewrite them
* and skip the firewall checks
*/
if (iph->protocol == IPPROTO_ICMP) {
__u32 maddr;
#ifdef CONFIG_IP_MASQUERADE_ICMP
struct icmphdr *icmph = (struct icmphdr *)((char*)iph + (iph->ihl << 2));
if ((icmph->type==ICMP_DEST_UNREACH)||
(icmph->type==ICMP_SOURCE_QUENCH)||
(icmph->type==ICMP_TIME_EXCEEDED))
{
#endif
maddr = inet_select_addr(dev2, rt->rt_gateway, RT_SCOPE_UNIVERSE);
fw_res = ip_fw_masq_icmp(&skb, maddr);
if (fw_res < 0) {
kfree_skb(skb);
return -1;
}
if (fw_res)
/* ICMP matched - skip firewall */
goto skip_call_fw_firewall;
#ifdef CONFIG_IP_MASQUERADE_ICMP
}
#endif
}
if (rt->rt_flags&RTCF_MASQ)
goto skip_call_fw_firewall;
#endif /* CONFIG_IP_MASQUERADE */
#ifdef CONFIG_FIREWALL
fw_res=call_fw_firewall(PF_INET, dev2, iph, NULL, &skb);
switch (fw_res) {
case FW_ACCEPT:
case FW_MASQUERADE:
break;
case FW_REJECT:
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
/* fall thru */
default:
kfree_skb(skb);
return -1;
}
#endif
#ifdef CONFIG_IP_MASQUERADE
}
skip_call_fw_firewall:
/*
* If this fragment needs masquerading, make it so...
* (Don't masquerade de-masqueraded fragments)
*/
if (!(IPCB(skb)->flags&IPSKB_MASQUERADED) &&
(fw_res==FW_MASQUERADE || rt->rt_flags&RTCF_MASQ)) {
u32 maddr;
#ifdef CONFIG_IP_ROUTE_NAT
maddr = (rt->rt_flags&RTCF_MASQ) ? rt->rt_src_map : 0;
if (maddr == 0)
#endif
maddr = inet_select_addr(dev2, rt->rt_gateway, RT_SCOPE_UNIVERSE);
if (ip_fw_masquerade(&skb, maddr) < 0) {
kfree_skb(skb);
return -1;
} else {
/*
* Masquerader may have changed skb
*/
iph = skb->nh.iph;
opt = &(IPCB(skb)->opt);
}
}
#endif
if (skb_headroom(skb) < dev2->hard_header_len || skb_cloned(skb)) {
struct sk_buff *skb2;
skb2 = skb_realloc_headroom(skb, (dev2->hard_header_len + 15)&~15);
kfree_skb(skb);
if (skb2 == NULL) {
NETDEBUG(printk(KERN_ERR "\nIP: No memory available for IP forward\n"));
return -1;
}
skb = skb2;
iph = skb2->nh.iph;
}
#ifdef CONFIG_FIREWALL
if ((fw_res = call_out_firewall(PF_INET, dev2, iph, NULL,&skb)) < FW_ACCEPT) {
/* FW_ACCEPT and FW_MASQUERADE are treated equal:
masquerading is only supported via forward rules */
if (fw_res == FW_REJECT)
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
kfree_skb(skb);
return -1;
}
#endif
ip_statistics.IpForwDatagrams++;
if (opt->optlen == 0) {
#ifdef CONFIG_NET_FASTROUTE
if (rt->rt_flags&RTCF_FAST && !netdev_fastroute_obstacles) {
unsigned h = ((*(u8*)&rt->key.dst)^(*(u8*)&rt->key.src))&NETDEV_FASTROUTE_HMASK;
/* Time to switch to functional programming :-) */
dst_release(xchg(&skb->dev->fastpath[h], dst_clone(&rt->u.dst)));
}
#endif
ip_send(skb);
return 0;
}
ip_forward_options(skb);
ip_send(skb);
return 0;
#ifdef CONFIG_TRANSPARENT_PROXY
local_pkt:
return ip_local_deliver(skb);
#endif
frag_needed:
ip_statistics.IpFragFails++;
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu));
goto drop;
sr_failed:
/*
* Strict routing permits no gatewaying
*/
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_SR_FAILED, 0);
goto drop;
too_many_hops:
/* Tell the sender its packet died... */
icmp_send(skb, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL, 0);
drop:
kfree_skb(skb);
return -1;
}
|