sys/netinet/ip_input.c
Show First 20 Lines • Show All 118 Lines • ▼ Show 20 Lines | SYSCTL_INT(_net_inet_ip, IPCTL_SENDREDIRECTS, redirect, CTLFLAG_VNET | CTLFLAG_RW, | ||||
"Enable sending IP redirects"); | "Enable sending IP redirects"); | ||||
VNET_DEFINE_STATIC(bool, ip_strong_es) = false; | VNET_DEFINE_STATIC(bool, ip_strong_es) = false; | ||||
#define V_ip_strong_es VNET(ip_strong_es) | #define V_ip_strong_es VNET(ip_strong_es) | ||||
SYSCTL_BOOL(_net_inet_ip, OID_AUTO, rfc1122_strong_es, | SYSCTL_BOOL(_net_inet_ip, OID_AUTO, rfc1122_strong_es, | ||||
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip_strong_es), false, | CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip_strong_es), false, | ||||
"Packet's IP destination address must match address on arrival interface"); | "Packet's IP destination address must match address on arrival interface"); | ||||
VNET_DEFINE_STATIC(bool, ip_sav) = true; | |||||
#define V_ip_sav VNET(ip_sav) | |||||
SYSCTL_BOOL(_net_inet_ip, OID_AUTO, source_address_validation, | |||||
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip_sav), true, | |||||
"Drop incoming packets with source address that is a local address"); | |||||
VNET_DEFINE(pfil_head_t, inet_pfil_head); /* Packet filter hooks */ | VNET_DEFINE(pfil_head_t, inet_pfil_head); /* Packet filter hooks */ | ||||
static struct netisr_handler ip_nh = { | static struct netisr_handler ip_nh = { | ||||
.nh_name = "ip", | .nh_name = "ip", | ||||
.nh_handler = ip_input, | .nh_handler = ip_input, | ||||
.nh_proto = NETISR_IP, | .nh_proto = NETISR_IP, | ||||
#ifdef RSS | #ifdef RSS | ||||
.nh_m2cpuid = rss_soft_m2cpuid_v4, | .nh_m2cpuid = rss_soft_m2cpuid_v4, | ||||
▲ Show 20 Lines • Show All 539 Lines • ▼ Show 20 Lines | CK_LIST_FOREACH(ia, INADDR_HASH(ip->ip_dst.s_addr), ia_hash) { | ||||
if (IA_SIN(ia)->sin_addr.s_addr != ip->ip_dst.s_addr) | if (IA_SIN(ia)->sin_addr.s_addr != ip->ip_dst.s_addr) | ||||
continue; | continue; | ||||
/* | /* | ||||
* net.inet.ip.rfc1122_strong_es: the address matches, verify | * net.inet.ip.rfc1122_strong_es: the address matches, verify | ||||
* that the packet arrived via the correct interface. | * that the packet arrived via the correct interface. | ||||
*/ | */ | ||||
if (__predict_false(strong_es && ia->ia_ifp != ifp)) { | if (__predict_false(strong_es && ia->ia_ifp != ifp)) { | ||||
IPSTAT_INC(ips_badaddr); | |||||
goto bad; | |||||
} | |||||
/* | |||||
* net.inet.ip.source_address_validation: drop incoming | |||||
* packets that pretend to be ours. | |||||
*/ | |||||
if (V_ip_sav && !(ifp->if_flags & IFF_LOOPBACK) && | |||||
__predict_false(in_localip_fib(ip->ip_src, ifp->if_fib))) { | |||||
IPSTAT_INC(ips_badaddr); | IPSTAT_INC(ips_badaddr); | ||||
goto bad; | goto bad; | ||||
} | } | ||||
counter_u64_add(ia->ia_ifa.ifa_ipackets, 1); | counter_u64_add(ia->ia_ifa.ifa_ipackets, 1); | ||||
counter_u64_add(ia->ia_ifa.ifa_ibytes, m->m_pkthdr.len); | counter_u64_add(ia->ia_ifa.ifa_ibytes, m->m_pkthdr.len); | ||||
goto ours; | goto ours; | ||||
} | } | ||||
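Review bot: The source-address check sits inside the `CK_LIST_FOREACH` loop and runs only after `ip->ip_dst` has matched a local unicast address. As far as this section shows, a packet that claims a local source but is addressed to a broadcast or multicast address, or is to be forwarded, never reaches it; the rest of ip_input() is outside the visible lines, so this needs confirming there. If that scope is intended, say so in the comment, for example `* Only applied to packets addressed to one of our unicast addresses; broadcast, multicast and forwarded traffic is not checked here.` Both drops also increment `ips_badaddr`, so the statistics cannot distinguish a wrong-interface drop (rfc1122_strong_es) from a spoofed-source drop. A separate counter, or at least a note in the sysctl description, would make these drops easier to attribute when investigating spoofing.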