svn commit: r272868 - in stable/10: etc sys/netinet

Hiroki Sato hrs at FreeBSD.org
Thu Oct 9 23:45:28 UTC 2014


Author: hrs
Date: Thu Oct  9 23:45:26 2014
New Revision: 272868
URL: https://svnweb.freebsd.org/changeset/base/272868

Log:
  MFC r271545, 271610:
    Make net.inet.ip.sourceroute, net.inet.ip.accept_sourceroute, and
    net.inet.ip.process_options vnet-aware.

Modified:
  stable/10/etc/rc.subr
  stable/10/sys/netinet/ip_fastfwd.c
  stable/10/sys/netinet/ip_options.c
  stable/10/sys/netinet/ip_options.h
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/etc/rc.subr
==============================================================================
--- stable/10/etc/rc.subr	Thu Oct  9 23:43:13 2014	(r272867)
+++ stable/10/etc/rc.subr	Thu Oct  9 23:45:26 2014	(r272868)
@@ -1966,6 +1966,22 @@ check_required_after()
 	return 0
 }
 
+# check_jail mib
+#	Return true if security.jail.$mib exists and set to 1.
+
+check_jail()
+{
+	local _mib _v
+
+	_mib=$1
+	if _v=$(${SYSCTL_N} "security.jail.$_mib" 2> /dev/null); then
+		case $_v in
+		1)	return 0;;
+		esac
+	fi
+	return 1
+}
+
 # check_kern_features mib
 #	Return existence of kern.features.* sysctl MIB as true or
 #	false.  The result will be cached in $_rc_cache_kern_features_
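Review bot: check_jail's header comment should say that "MIB absent" and "MIB present but not 1" are indistinguishable to the caller: both paths end in `return 1`, and `2> /dev/null` discards sysctl's error, so a caller cannot tell a kernel without security.jail.$mib from one where it is set to 0. I'd phrase the comment as `#	Return true if security.jail.$mib exists and is set to 1, false if it is absent or has any other value (the two cases are not distinguished).` The function also relies on SYSCTL_N being defined earlier in rc.subr, which is outside this hunk, and no caller of check_jail appears in this diff, so its intended use (presumably gating per-vnet sysctl setup inside jails) cannot be confirmed from here.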

Modified: stable/10/sys/netinet/ip_fastfwd.c
==============================================================================
--- stable/10/sys/netinet/ip_fastfwd.c	Thu Oct  9 23:43:13 2014	(r272867)
+++ stable/10/sys/netinet/ip_fastfwd.c	Thu Oct  9 23:45:26 2014	(r272868)
@@ -297,9 +297,9 @@ ip_fastforward(struct mbuf *m)
 	 * Only IP packets without options
 	 */
 	if (ip->ip_hl != (sizeof(struct ip) >> 2)) {
-		if (ip_doopts == 1)
+		if (V_ip_doopts == 1)
 			return m;
-		else if (ip_doopts == 2) {
+		else if (V_ip_doopts == 2) {
 			icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_FILTER_PROHIB,
 				0, 0);
 			return NULL;	/* mbuf already free'd */

Modified: stable/10/sys/netinet/ip_options.c
==============================================================================
--- stable/10/sys/netinet/ip_options.c	Thu Oct  9 23:43:13 2014	(r272867)
+++ stable/10/sys/netinet/ip_options.c	Thu Oct  9 23:45:26 2014	(r272868)
@@ -65,18 +65,21 @@ __FBSDID("$FreeBSD$");
 
 #include <sys/socketvar.h>
 
-static int	ip_dosourceroute = 0;
-SYSCTL_INT(_net_inet_ip, IPCTL_SOURCEROUTE, sourceroute, CTLFLAG_RW,
-    &ip_dosourceroute, 0, "Enable forwarding source routed IP packets");
-
-static int	ip_acceptsourceroute = 0;
-SYSCTL_INT(_net_inet_ip, IPCTL_ACCEPTSOURCEROUTE, accept_sourceroute, 
-    CTLFLAG_RW, &ip_acceptsourceroute, 0, 
+static VNET_DEFINE(int, ip_dosourceroute);
+SYSCTL_VNET_INT(_net_inet_ip, IPCTL_SOURCEROUTE, sourceroute, CTLFLAG_RW,
+    &VNET_NAME(ip_dosourceroute), 0,
+    "Enable forwarding source routed IP packets");
+#define	V_ip_dosourceroute	VNET(ip_dosourceroute)
+
+static VNET_DEFINE(int,	ip_acceptsourceroute);
+SYSCTL_VNET_INT(_net_inet_ip, IPCTL_ACCEPTSOURCEROUTE, accept_sourceroute, 
+    CTLFLAG_RW, &VNET_NAME(ip_acceptsourceroute), 0, 
     "Enable accepting source routed IP packets");
+#define	V_ip_acceptsourceroute	VNET(ip_acceptsourceroute)
 
-int		ip_doopts = 1;	/* 0 = ignore, 1 = process, 2 = reject */
-SYSCTL_INT(_net_inet_ip, OID_AUTO, process_options, CTLFLAG_RW,
-    &ip_doopts, 0, "Enable IP options processing ([LS]SRR, RR, TS)");
+VNET_DEFINE(int, ip_doopts) = 1; /* 0 = ignore, 1 = process, 2 = reject */
+SYSCTL_VNET_INT(_net_inet_ip, OID_AUTO, process_options, CTLFLAG_RW,
+    &VNET_NAME(ip_doopts), 0, "Enable IP options processing ([LS]SRR, RR, TS)");
 
 static void	save_rte(struct mbuf *m, u_char *, struct in_addr);
 
@@ -104,9 +107,9 @@ ip_dooptions(struct mbuf *m, int pass)
 	struct	sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET };
 
 	/* Ignore or reject packets with IP options. */
-	if (ip_doopts == 0)
+	if (V_ip_doopts == 0)
 		return 0;
-	else if (ip_doopts == 2) {
+	else if (V_ip_doopts == 2) {
 		type = ICMP_UNREACH;
 		code = ICMP_UNREACH_FILTER_PROHIB;
 		goto bad;
@@ -167,7 +170,7 @@ ip_dooptions(struct mbuf *m, int pass)
 					code = ICMP_UNREACH_SRCFAIL;
 					goto bad;
 				}
-				if (!ip_dosourceroute)
+				if (!V_ip_dosourceroute)
 					goto nosourcerouting;
 				/*
 				 * Loose routing, and not at next destination
@@ -180,7 +183,7 @@ ip_dooptions(struct mbuf *m, int pass)
 				/*
 				 * End of source route.  Should be for us.
 				 */
-				if (!ip_acceptsourceroute)
+				if (!V_ip_acceptsourceroute)
 					goto nosourcerouting;
 				save_rte(m, cp, ip->ip_src);
 				break;
@@ -189,7 +192,7 @@ ip_dooptions(struct mbuf *m, int pass)
 			if (V_ipstealth)
 				goto dropit;
 #endif
-			if (!ip_dosourceroute) {
+			if (!V_ip_dosourceroute) {
 				if (V_ipforwarding) {
 					char buf[16]; /* aaa.bbb.ccc.ddd\0 */
 					/*

Modified: stable/10/sys/netinet/ip_options.h
==============================================================================
--- stable/10/sys/netinet/ip_options.h	Thu Oct  9 23:43:13 2014	(r272867)
+++ stable/10/sys/netinet/ip_options.h	Thu Oct  9 23:45:26 2014	(r272868)
@@ -47,7 +47,8 @@ struct ipopt_tag {
 	struct	ipoptrt ip_srcrt;
 };
 
-extern	int	ip_doopts;		/* process or ignore IP options */
+VNET_DECLARE(int, ip_doopts);		/* process or ignore IP options */
+#define	V_ip_doopts	VNET(ip_doopts)
 
 int		 ip_checkrouteralert(struct mbuf *);
 int		 ip_dooptions(struct mbuf *, int);
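Review bot: ip_options.h now expands VNET_DECLARE() and VNET() on the new line, both of which come from <net/vnet.h>; the header's own includes are outside this hunk, so unless it already pulls in net/vnet.h, every consumer of ip_options.h must include net/vnet.h first or fail to compile. I'd add `#include <net/vnet.h>` to ip_options.h so the header stays self-contained, or at least document the ordering requirement in a comment above the declaration. The trailing `/* process or ignore IP options */` comment is also now incomplete: the definition in ip_options.c uses 0 = ignore, 1 = process, 2 = reject, so `/* 0 = ignore, 1 = process, 2 = reject IP options; per-vnet */` would be more useful to readers of the header.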

