![[first]](../icons/first.png){kind=icon}
![[previous]](../icons/n_left.png){kind=icon}
![[next]](../icons/n_right.png){kind=icon}
![[last]](../icons/last.png){kind=icon}
![[top]](../icons/n_top.png){kind=icon}
![[bottom]](../icons/bottom.png){kind=icon}
![[index]](../icons/index.png){kind=icon}
![[help]](../icons/help.png){kind=icon}
*/
1 /*
2 * INET An implementation of the TCP/IP protocol suite for the LINUX
3 * operating system. INET is implemented using the BSD Socket
4 * interface as the means of communication with the user level.
5 *
6 * The IP forwarding functionality.
7 *
8 * Authors: see ip.c
9 *
10 * Fixes:
11 * Many : Split from ip.c , see ip_input.c for history.
12 * Dave Gregorich : NULL ip_rt_put fix for multicast routing.
13 * Jos Vos : Add call_out_firewall before sending,
14 * use output device for accounting.
15 */
16
17 #include <linux/config.h>
18 #include <linux/types.h>
19 #include <linux/mm.h>
20 #include <linux/sched.h>
21 #include <linux/skbuff.h>
22 #include <linux/ip.h>
23 #include <linux/icmp.h>
24 #include <linux/netdevice.h>
25 #include <net/sock.h>
26 #include <net/ip.h>
27 #include <net/icmp.h>
28 #include <linux/tcp.h>
29 #include <linux/udp.h>
30 #include <linux/firewall.h>
31 #include <linux/ip_fw.h>
32 #include <net/checksum.h>
33 #include <linux/route.h>
34 #include <net/route.h>
35
36 #ifdef CONFIG_IP_FORWARD
37 #ifdef CONFIG_IP_MROUTE
38
39 /*
40 * Encapsulate a packet by attaching a valid IPIP header to it.
41 * This avoids tunnel drivers and other mess and gives us the speed so
42 * important for multicast video.
43 */
44
45 static void ip_encap(struct sk_buff *skb, int len, struct device *out, __u32 daddr)
/* ![[next]](../icons/right.png)
![[first]](../icons/n_first.png)
![[top]](../icons/top.png)
*/
46 {
47 /*
48 * There is space for the IPIP header and MAC left.
49 *
50 * Firstly push down and install the IPIP header.
51 */
52 struct iphdr *iph=(struct iphdr *)skb_push(skb,sizeof(struct iphdr));
53 if(len>65515)
54 len=65515;
55 iph->version = 4;
56 iph->tos = skb->ip_hdr->tos;
57 iph->ttl = skb->ip_hdr->ttl;
58 iph->frag_off = 0;
59 iph->daddr = daddr;
60 iph->saddr = out->pa_addr;
61 iph->protocol = IPPROTO_IPIP;
62 iph->ihl = 5;
63 iph->tot_len = htons(skb->len);
64 iph->id = htons(ip_id_count++);
65 ip_send_check(iph);
66
67 skb->dev = out;
68 skb->arp = 1;
69 skb->raddr=daddr;
70 /*
71 * Now add the physical header (driver will push it down).
72 */
73 if (out->hard_header && out->hard_header(skb, out, ETH_P_IP, NULL, NULL, len)<0)
74 skb->arp=0;
75 /*
76 * Read to queue for transmission.
77 */
78 }
79
80 #endif
81
82 /*
83 * Forward an IP datagram to its next destination.
84 */
85
86 int ip_forward(struct sk_buff *skb, struct device *dev, int is_frag,
/* ![[previous]](../icons/left.png)
![[last]](../icons/n_last.png)
*/
87 __u32 target_addr)
88 {
89 struct device *dev2; /* Output device */
90 struct iphdr *iph; /* Our header */
91 struct sk_buff *skb2; /* Output packet */
92 struct rtable *rt; /* Route we use */
93 unsigned char *ptr; /* Data pointer */
94 unsigned long raddr; /* Router IP address */
95 struct options * opt = (struct options*)skb->proto_priv;
96 struct hh_cache *hh = NULL;
97 int encap = 0; /* Encap length */
98 #ifdef CONFIG_FIREWALL
99 int fw_res = 0; /* Forwarding result */
100 #ifdef CONFIG_IP_MASQUERADE
101 struct sk_buff *skb_in = skb; /* So we can remember if the masquerader did some swaps */
102 #endif
103
104 /*
105 * See if we are allowed to forward this.
106 * Note: demasqueraded fragments are always 'back'warded.
107 */
108
109
110 if(!(is_frag&IPFWD_MASQUERADED))
111 {
112 fw_res=call_fw_firewall(PF_INET, skb, skb->h.iph);
113 switch (fw_res) {
114 case FW_ACCEPT:
115 case FW_MASQUERADE:
116 break;
117 case FW_REJECT:
118 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, dev);
119 /* fall thru */
120 default:
121 return -1;
122 }
123 }
124 #endif
125 /*
126 * According to the RFC, we must first decrease the TTL field. If
127 * that reaches zero, we must reply an ICMP control message telling
128 * that the packet's lifetime expired.
129 *
130 * Exception:
131 * We may not generate an ICMP for an ICMP. icmp_send does the
132 * enforcement of this so we can forget it here. It is however
133 * sometimes VERY important.
134 */
135
136 iph = skb->h.iph;
137 iph->ttl--;
138
139 /*
140 * Re-compute the IP header checksum.
141 * This is inefficient. We know what has happened to the header
142 * and could thus adjust the checksum as Phil Karn does in KA9Q
143 */
144
145 iph->check = ntohs(iph->check) + 0x0100;
146 if ((iph->check & 0xFF00) == 0)
147 iph->check++; /* carry overflow */
148 iph->check = htons(iph->check);
149
150 if (iph->ttl <= 0)
151 {
152 /* Tell the sender its packet died... */
153 icmp_send(skb, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL, 0, dev);
154 return -1;
155 }
156
157 #ifdef CONFIG_IP_MROUTE
158 if(!(is_frag&IPFWD_MULTICASTING))
159 {
160 #endif
161 /*
162 * OK, the packet is still valid. Fetch its destination address,
163 * and give it to the IP sender for further processing.
164 */
165
166 rt = ip_rt_route(target_addr, 0);
167
168 if (rt == NULL)
169 {
170 /*
171 * Tell the sender its packet cannot be delivered. Again
172 * ICMP is screened later.
173 */
174 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_UNREACH, 0, dev);
175 return -1;
176 }
177
178
179 /*
180 * Gosh. Not only is the packet valid; we even know how to
181 * forward it onto its final destination. Can we say this
182 * is being plain lucky?
183 * If the router told us that there is no GW, use the dest.
184 * IP address itself- we seem to be connected directly...
185 */
186
187 raddr = rt->rt_gateway;
188
189 if (opt->is_strictroute && (rt->rt_flags & RTF_GATEWAY)) {
190 /*
191 * Strict routing permits no gatewaying
192 */
193
194 ip_rt_put(rt);
195 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_SR_FAILED, 0, dev);
196 return -1;
197 }
198
199 /*
200 * Having picked a route we can now send the frame out.
201 */
202
203 dev2 = rt->rt_dev;
204 hh = rt->rt_hh;
205 /*
206 * In IP you never have to forward a frame on the interface that it
207 * arrived upon. We now generate an ICMP HOST REDIRECT giving the route
208 * we calculated.
209 */
210 #ifndef CONFIG_IP_NO_ICMP_REDIRECT
211 if (dev == dev2 && !((iph->saddr^iph->daddr)&dev->pa_mask) &&
212 (rt->rt_flags&RTF_MODIFIED) && !opt->srr)
213 icmp_send(skb, ICMP_REDIRECT, ICMP_REDIR_HOST, raddr, dev);
214 #endif
215 #ifdef CONFIG_IP_MROUTE
216 }
217 else
218 {
219 /*
220 * Multicast route forward. Routing is already done
221 */
222 dev2=skb->dev;
223 raddr=skb->raddr;
224 if(is_frag&IPFWD_MULTITUNNEL) /* VIFF_TUNNEL mode */
225 encap=20;
226 rt=NULL;
227 }
228 #endif
229
230
231 /*
232 * We now may allocate a new buffer, and copy the datagram into it.
233 * If the indicated interface is up and running, kick it.
234 */
235
236 if (dev2->flags & IFF_UP)
237 {
238 #ifdef CONFIG_IP_MASQUERADE
239 /*
240 * If this fragment needs masquerading, make it so...
241 * (Dont masquerade de-masqueraded fragments)
242 */
243 if (!(is_frag&IPFWD_MASQUERADED) && fw_res==FW_MASQUERADE)
244 ip_fw_masquerade(&skb, dev2);
245 #endif
246 IS_SKB(skb);
247
248 if (skb->len+encap > dev2->mtu && (ntohs(iph->frag_off) & IP_DF))
249 {
250 ip_statistics.IpFragFails++;
251 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(dev2->mtu), dev);
252 if(rt)
253 ip_rt_put(rt);
254 return -1;
255 }
256
257 #ifdef CONFIG_IP_MROUTE
258 if(skb_headroom(skb)-encap<dev2->hard_header_len)
259 {
260 skb2 = alloc_skb(dev2->hard_header_len + skb->len + encap + 15, GFP_ATOMIC);
261 #else
262 if(skb_headroom(skb)<dev2->hard_header_len)
263 {
264 skb2 = alloc_skb(dev2->hard_header_len + skb->len + 15, GFP_ATOMIC);
265 #endif
266 /*
267 * This is rare and since IP is tolerant of network failures
268 * quite harmless.
269 */
270
271 if (skb2 == NULL)
272 {
273 NETDEBUG(printk("\nIP: No memory available for IP forward\n"));
274 if(rt)
275 ip_rt_put(rt);
276 return -1;
277 }
278
279 IS_SKB(skb2);
280 /*
281 * Add the physical headers.
282 */
283 skb2->protocol=htons(ETH_P_IP);
284 #ifdef CONFIG_IP_MROUTE
285 if(is_frag&IPFWD_MULTITUNNEL)
286 {
287 skb_reserve(skb,(encap+dev->hard_header_len+15)&~15); /* 16 byte aligned IP headers are good */
288 ip_encap(skb2,skb->len, dev2, raddr);
289 }
290 else
291 #endif
292 ip_send(rt,skb2,raddr,skb->len,dev2,dev2->pa_addr);
293
294 /*
295 * We have to copy the bytes over as the new header wouldn't fit
296 * the old buffer. This should be very rare.
297 */
298
299 ptr = skb_put(skb2,skb->len);
300 skb2->free = 1;
301 skb2->h.raw = ptr;
302
303 /*
304 * Copy the packet data into the new buffer.
305 */
306 memcpy(ptr, skb->h.raw, skb->len);
307 memcpy(skb2->proto_priv, skb->proto_priv, sizeof(skb->proto_priv));
308 iph = skb2->ip_hdr = skb2->h.iph;
309 }
310 else
311 {
312 /*
313 * Build a new MAC header.
314 */
315
316 skb2 = skb;
317 skb2->dev=dev2;
318 #ifdef CONFIG_IP_MROUTE
319 if(is_frag&IPFWD_MULTITUNNEL)
320 ip_encap(skb,skb->len, dev2, raddr);
321 else
322 {
323 #endif
324 skb->arp=1;
325 skb->raddr=raddr;
326 if (hh)
327 {
328 memcpy(skb_push(skb, dev2->hard_header_len), hh->hh_data, dev2->hard_header_len);
329 if (!hh->hh_uptodate)
330 {
331 #if RT_CACHE_DEBUG >= 2
332 printk("ip_forward: hh miss %08x via %08x\n", target_addr, rt->rt_gateway);
333 #endif
334 skb->arp = 0;
335 }
336 }
337 else if (dev2->hard_header)
338 {
339 if(dev2->hard_header(skb, dev2, ETH_P_IP, NULL, NULL, skb->len)<0)
340 skb->arp=0;
341 }
342 #ifdef CONFIG_IP_MROUTE
343 }
344 #endif
345 }
346 #ifdef CONFIG_FIREWALL
347 if((fw_res = call_out_firewall(PF_INET, skb2, iph)) < FW_ACCEPT)
348 {
349 /* FW_ACCEPT and FW_MASQUERADE are treated equal:
350 masquerading is only supported via forward rules */
351 if (fw_res == FW_REJECT)
352 icmp_send(skb2, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, dev);
353 if (skb != skb2)
354 kfree_skb(skb2,FREE_WRITE);
355 return -1;
356 }
357 #endif
358 ip_statistics.IpForwDatagrams++;
359
360 if (opt->optlen)
361 {
362 unsigned char * optptr;
363 if (opt->rr_needaddr)
364 {
365 optptr = (unsigned char *)iph + opt->rr;
366 memcpy(&optptr[optptr[2]-5], &dev2->pa_addr, 4);
367 opt->is_changed = 1;
368 }
369 if (opt->srr_is_hit)
370 {
371 int srrptr, srrspace;
372
373 optptr = (unsigned char *)iph + opt->srr;
374
375 for ( srrptr=optptr[2], srrspace = optptr[1];
376 srrptr <= srrspace;
377 srrptr += 4
378 )
379 {
380 if (srrptr + 3 > srrspace)
381 break;
382 if (memcmp(&target_addr, &optptr[srrptr-1], 4) == 0)
383 break;
384 }
385 if (srrptr + 3 <= srrspace)
386 {
387 opt->is_changed = 1;
388 memcpy(&optptr[srrptr-1], &dev2->pa_addr, 4);
389 iph->daddr = target_addr;
390 optptr[2] = srrptr+4;
391 }
392 else
393 printk("ip_forward(): Argh! Destination lost!\n");
394 }
395 if (opt->ts_needaddr)
396 {
397 optptr = (unsigned char *)iph + opt->ts;
398 memcpy(&optptr[optptr[2]-9], &dev2->pa_addr, 4);
399 opt->is_changed = 1;
400 }
401 if (opt->is_changed)
402 {
403 opt->is_changed = 0;
404 ip_send_check(iph);
405 }
406 }
407 /*
408 * ANK: this is point of "no return", we cannot send an ICMP,
409 * because we changed SRR option.
410 */
411
412 /*
413 * See if it needs fragmenting. Note in ip_rcv we tagged
414 * the fragment type. This must be right so that
415 * the fragmenter does the right thing.
416 */
417
418 if(skb2->len > dev2->mtu + dev2->hard_header_len)
419 {
420 ip_fragment(NULL,skb2,dev2, is_frag);
421 kfree_skb(skb2,FREE_WRITE);
422 }
423 else
424 {
425 #ifdef CONFIG_IP_ACCT
426 /*
427 * Count mapping we shortcut
428 */
429
430 ip_fw_chk(iph,dev2,ip_acct_chain,IP_FW_F_ACCEPT,1);
431 #endif
432
433 /*
434 * Map service types to priority. We lie about
435 * throughput being low priority, but it's a good
436 * choice to help improve general usage.
437 */
438 if(iph->tos & IPTOS_LOWDELAY)
439 dev_queue_xmit(skb2, dev2, SOPRI_INTERACTIVE);
440 else if(iph->tos & IPTOS_THROUGHPUT)
441 dev_queue_xmit(skb2, dev2, SOPRI_BACKGROUND);
442 else
443 dev_queue_xmit(skb2, dev2, SOPRI_NORMAL);
444 }
445 }
446 else
447 {
448 if(rt)
449 ip_rt_put(rt);
450 return -1;
451 }
452 if(rt)
453 ip_rt_put(rt);
454
455 /*
456 * Tell the caller if their buffer is free.
457 */
458
459 if(skb==skb2)
460 return 0;
461
462 #ifdef CONFIG_IP_MASQUERADE
463 /*
464 * The original is free. Free our copy and
465 * tell the caller not to free.
466 */
467 if(skb!=skb_in)
468 {
469 kfree_skb(skb_in, FREE_WRITE);
470 return 0;
471 }
472 #endif
473 return 1;
474 }
475
476
477 #endif
![[bottom]](../icons/n_bottom.png){kind=icon}
*/