svn commit: r187986 - user/piso/sys/netinet

Paolo Pisati piso at FreeBSD.org
Sun Feb 1 10:10:07 PST 2009 

Author: piso
Date: Sun Feb  1 18:10:06 2009
New Revision: 187986
URL: http://svn.freebsd.org/changeset/base/187986

Log:
  Make fragments reassemblig before nat sysctl controllable and enable it per default.

Modified:
  user/piso/sys/netinet/ip_fw.h
  user/piso/sys/netinet/ip_fw_nat.c

Modified: user/piso/sys/netinet/ip_fw.h
==============================================================================
--- user/piso/sys/netinet/ip_fw.h	Sun Feb  1 18:03:55 2009	(r187985)
+++ user/piso/sys/netinet/ip_fw.h	Sun Feb  1 18:10:06 2009	(r187986)
@@ -714,6 +714,7 @@ struct vnet_ipfw {
 	u_int64_t _norule_counter;
 	struct callout _ipfw_timeout;
 	eventhandler_tag _ifaddr_event_tag;
+	int _nat_reass;
 };
 
 #ifndef VIMAGE
@@ -758,6 +759,7 @@ extern struct vnet_ipfw vnet_ipfw_0;
 #define	V_norule_counter	VNET_IPFW(norule_counter)
 #define	V_ipfw_timeout		VNET_IPFW(ipfw_timeout)
 #define	V_ifaddr_event_tag	VNET_IPFW(ifaddr_event_tag)
+#define V_nat_reass             VNET_IPFW(nat_reass)
 
 #endif /* _KERNEL */
 #endif /* _IPFW2_H */

Modified: user/piso/sys/netinet/ip_fw_nat.c
==============================================================================
--- user/piso/sys/netinet/ip_fw_nat.c	Sun Feb  1 18:03:55 2009	(r187985)
+++ user/piso/sys/netinet/ip_fw_nat.c	Sun Feb  1 18:10:06 2009	(r187986)
@@ -72,6 +72,7 @@ MALLOC_DECLARE(M_IPFW);
 #ifdef VIMAGE_GLOBALS
 extern struct ip_fw_chain layer3_chain;
 static eventhandler_tag ifaddr_event_tag;
+static int nat_reass;
 #endif
 
 extern ipfw_nat_t *ipfw_nat_ptr;
@@ -80,6 +81,10 @@ extern ipfw_nat_cfg_t *ipfw_nat_del_ptr;
 extern ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr;
 extern ipfw_nat_cfg_t *ipfw_nat_get_log_ptr;
 
+SYSCTL_DECL(_net_inet_ip_fw);
+SYSCTL_V_INT(V_NET, vnet_ipfw, _net_inet_ip_fw, OID_AUTO, nat_reass, CTLFLAG_RW,
+    nat_reass, 0, "Reassemble ip fragments before ipfw nat");
+
 static void 
 ifaddr_change(void *arg __unused, struct ifnet *ifp)
 {
@@ -261,55 +266,63 @@ ipfw_nat(struct ip_fw_args *args, struct
 	    NULL)
 		goto badnat;
 	ip = mtod(mcl, struct ip *);
-	/* 
-	 * In case of fragments, reassemble the packet 
-	 * before passing it to libalias.
-	 */
-	off = (args->eh == NULL) ? ip->ip_off : ntohs(ip->ip_off);
-	if (off & (IP_MF | IP_OFFMASK)) {
-		struct mbuf *reass;
 
+	/* Shall we reassemble ip fragments? */
+	if (!V_nat_reass) {
+		if (args->eh == NULL) {
+			ip->ip_len = htons(ip->ip_len);
+			ip->ip_off = htons(ip->ip_off);
+		}
+	} else {
+		off = (args->eh == NULL) ? ip->ip_off : ntohs(ip->ip_off);
 		/* 
-		 * Ip_reass() expects len & off in host byte order:
-		 * fix them in case we come from layer2.
+		 * In case of fragments, reassemble the packet 
+		 * before passing it to libalias.
 		 */
-		if (args->eh != NULL) {
-			ip->ip_len = ntohs(ip->ip_len);
-			ip->ip_off = ntohs(ip->ip_off);
-		}
+		if (off & (IP_MF | IP_OFFMASK)) {
+			struct mbuf *reass;
 
-		/* Reassemble packet. */
-		reass = ip_reass(mcl);
+			/* 
+			 * Ip_reass() expects len & off in host byte order:
+			 * fix them in case we come from layer2.
+			 */
+			if (args->eh != NULL) {
+				ip->ip_len = ntohs(ip->ip_len);
+				ip->ip_off = ntohs(ip->ip_off);
+			}
 
-		/*
-		 * IP header checksum fixup after reassembly and leave header
-		 * in network byte order.
-		 */
-		if (reass != NULL) {
-			int hlen;
+			/* Reassemble packet. */
+			reass = ip_reass(mcl);
+
+			/*
+			 * IP header checksum fixup after reassembly and leave header
+			 * in network byte order.
+			 */
+			if (reass != NULL) {
+				int hlen;
 			
-			ip = mtod(reass, struct ip *);
-			hlen = ip->ip_hl << 2;
+				ip = mtod(reass, struct ip *);
+				hlen = ip->ip_hl << 2;
+				ip->ip_len = htons(ip->ip_len);
+				ip->ip_off = htons(ip->ip_off);
+				ip->ip_sum = 0;
+				if (hlen == sizeof(struct ip))
+					ip->ip_sum = in_cksum_hdr(ip);
+				else
+					ip->ip_sum = in_cksum(reass, hlen);
+				if ((mcl = m_megapullup(reass, reass->m_pkthdr.len)) ==
+				    NULL)
+					goto badnat;
+				ip = mtod(mcl, struct ip *);
+			} else {
+				mcl = NULL;
+				goto badnat;
+			}
+		} else if (args->eh == NULL) {
 			ip->ip_len = htons(ip->ip_len);
 			ip->ip_off = htons(ip->ip_off);
-			ip->ip_sum = 0;
-			if (hlen == sizeof(struct ip))
-				ip->ip_sum = in_cksum_hdr(ip);
-			else
-				ip->ip_sum = in_cksum(reass, hlen);
-			if ((mcl = m_megapullup(reass, reass->m_pkthdr.len)) ==
-			    NULL)
-				goto badnat;
-			ip = mtod(mcl, struct ip *);
-		} else {
-			mcl = NULL;
-			goto badnat;
 		}
-	} else if (args->eh == NULL) {
-		ip->ip_len = htons(ip->ip_len);
-		ip->ip_off = htons(ip->ip_off);
 	}
-
 	/* 
 	 * XXX - Libalias checksum offload 'duct tape':
 	 * 
@@ -651,6 +664,7 @@ ipfw_nat_init(void)
 	IPFW_WUNLOCK(&V_layer3_chain);
 	V_ifaddr_event_tag = EVENTHANDLER_REGISTER(ifaddr_event, ifaddr_change, 
 	    NULL, EVENTHANDLER_PRI_ANY);
+	V_nat_reass = 1;
 }
 
 static void

More information about the svn-src-user mailing list