PERFORCE change 39330 for review
Sam Leffler
sam at FreeBSD.org
Tue Oct 7 13:18:42 PDT 2003
http://perforce.freebsd.org/chv.cgi?CH=39330
Change 39330 by sam at sam_ebb on 2003/10/07 13:18:06
pfil hooks can modify packet contents so check if the destination
address has been changed when PFIL_HOOKS is enabled and, if it has,
arrange for the proper action by ip*_forward.
Submitted by: Pyun YongHyeon <yongari at kt-is.co.kr>
Affected files ...
.. //depot/projects/netperf/sys/netinet/ip_input.c#10 edit
.. //depot/projects/netperf/sys/netinet6/ip6_input.c#7 edit
Differences ...
==== //depot/projects/netperf/sys/netinet/ip_input.c#10 (text+ko) ====
@@ -360,6 +360,10 @@
u_int32_t divert_info = 0; /* packet divert/tee info */
struct ip_fw_args args;
struct route cro; /* copy of cached route */
+ int srcrt = 0; /* forward by ``src routing'' */
+#ifdef PFIL_HOOKS
+ struct in_addr odst; /* original dst address */
+#endif
#ifdef FAST_IPSEC
struct m_tag *mtag;
struct tdb_ident *tdbi;
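Review bot: The comment on the new `srcrt` declaration, `/* forward by ``src routing'' */`, does not match how the flag is set. The only assignment in this change compares the destination address before and after `pfil_run_hooks`, so the flag records a rewrite by a packet filter, not an IP source-route option. Something like `int srcrt = 0; /* dst rewritten by a pfil hook; forwarded as if source routed */` would stop a later reader from assuming option processing set it. The matching `int srcrt = 0;` in ip6_input.c has no comment at all and could take the same wording. The enclosing function starts and ends outside this hunk.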
@@ -516,13 +520,19 @@
#ifdef PFIL_HOOKS
/*
* Run through list of hooks for input packets.
+ *
+ * NB: Beware of the destination address changing (e.g.
+ * by NAT rewriting). When this happens, tell
+ * ip_forward to do the right thing.
*/
+ odst = ip->ip_dst;
if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif,
PFIL_IN) != 0)
return;
if (m == NULL) /* consumed by filter */
return;
ip = mtod(m, struct ip *);
+ srcrt = (odst.s_addr != ip->ip_dst.s_addr);
#endif /* PFIL_HOOKS */
if (fw_enable && IPFW_LOADED) {
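Review bot: The added comment says to "tell ip_forward to do the right thing" without saying what that is, which is the one fact a filter or NAT author needs from it. ip_forward is not part of this diff; presumably a non-zero third argument makes it skip the ICMP redirect, which after a destination rewrite would advertise the translated address to the sender. If that is the intent, state it, e.g. `* by NAT rewriting). When this happens, pass srcrt so ip_forward does not send an ICMP redirect for the rewritten address.` The comparison also sits inside `#ifdef PFIL_HOOKS` and runs before the `fw_enable` block, so only rewrites made by pfil hooks are detected, which is worth a sentence in the comment too. The same applies to the ip6_input.c hunks that save `odst` and set `srcrt` with `IN6_ARE_ADDR_EQUAL`.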
@@ -759,7 +769,7 @@
}
#endif /* FAST_IPSEC */
RTCACHE_GET(&cro);
- ip_forward(m, &cro, 0, args.next_hop);
+ ip_forward(m, &cro, srcrt, args.next_hop);
}
return;
==== //depot/projects/netperf/sys/netinet6/ip6_input.c#7 (text+ko) ====
@@ -247,6 +247,10 @@
u_int32_t rtalert = ~0;
int nxt, ours = 0;
struct ifnet *deliverifp = NULL;
+#ifdef PFIL_HOOKS
+ struct in6_addr odst;
+#endif
+ int srcrt = 0;
mtx_assert(&Giant, MA_NOTOWNED);
mtx_lock(&Giant);
@@ -346,7 +350,12 @@
#ifdef PFIL_HOOKS
/*
* Run through list of hooks for input packets.
+ *
+ * NB: Beware of the destination address changing
+ * (e.g. by NAT rewriting). When this happens,
+ * tell ip6_forward to do the right thing.
*/
+ odst = ip6->ip6_dst;
if (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN)) {
mtx_unlock(&Giant);
return;
@@ -356,6 +365,7 @@
return;
}
ip6 = mtod(m, struct ip6_hdr *);
+ srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst);
#endif /* PFIL_HOOKS */
ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
@@ -764,7 +774,7 @@
return;
}
} else if (!ours) {
- ip6_forward(m, 0);
+ ip6_forward(m, srcrt);
mtx_unlock(&Giant);
return;
}