![[first]](../icons/first.png){kind=icon}
![[previous]](../icons/n_left.png){kind=icon}
![[next]](../icons/n_right.png){kind=icon}
![[last]](../icons/last.png){kind=icon}
![[top]](../icons/n_top.png){kind=icon}
![[bottom]](../icons/bottom.png){kind=icon}
![[index]](../icons/index.png){kind=icon}
![[help]](../icons/help.png){kind=icon}
*/
1 /*
2 * INET An implementation of the TCP/IP protocol suite for the LINUX
3 * operating system. INET is implemented using the BSD Socket
4 * interface as the means of communication with the user level.
5 *
6 * The IP forwarding functionality.
7 *
8 * Authors: see ip.c
9 *
10 * Fixes:
11 * Many : Split from ip.c , see ip_input.c for history.
12 * Dave Gregorich : NULL ip_rt_put fix for multicast routing.
13 * Jos Vos : Add call_out_firewall before sending,
14 * use output device for accounting.
15 */
16
17 #include <linux/config.h>
18 #include <linux/types.h>
19 #include <linux/mm.h>
20 #include <linux/sched.h>
21 #include <linux/skbuff.h>
22 #include <linux/ip.h>
23 #include <linux/icmp.h>
24 #include <linux/netdevice.h>
25 #include <net/sock.h>
26 #include <net/ip.h>
27 #include <net/icmp.h>
28 #include <linux/tcp.h>
29 #include <linux/udp.h>
30 #include <linux/firewall.h>
31 #include <linux/ip_fw.h>
32 #ifdef CONFIG_IP_MASQUERADE
33 #include <net/ip_masq.h>
34 #endif
35 #include <net/checksum.h>
36 #include <linux/route.h>
37 #include <net/route.h>
38
39 #ifdef CONFIG_IP_FORWARD
40 #ifdef CONFIG_IP_MROUTE
41
42 /*
43 * Encapsulate a packet by attaching a valid IPIP header to it.
44 * This avoids tunnel drivers and other mess and gives us the speed so
45 * important for multicast video.
46 */
47
48 static void ip_encap(struct sk_buff *skb, int len, struct device *out, __u32 daddr)
/* ![[next]](../icons/right.png)
![[first]](../icons/n_first.png)
![[top]](../icons/top.png)
*/
49 {
50 /*
51 * There is space for the IPIP header and MAC left.
52 *
53 * Firstly push down and install the IPIP header.
54 */
55 struct iphdr *iph=(struct iphdr *)skb_push(skb,sizeof(struct iphdr));
56 if(len>65515)
57 len=65515;
58 iph->version = 4;
59 iph->tos = skb->ip_hdr->tos;
60 iph->ttl = skb->ip_hdr->ttl;
61 iph->frag_off = 0;
62 iph->daddr = daddr;
63 iph->saddr = out->pa_addr;
64 iph->protocol = IPPROTO_IPIP;
65 iph->ihl = 5;
66 iph->tot_len = htons(skb->len);
67 iph->id = htons(ip_id_count++);
68 ip_send_check(iph);
69
70 skb->dev = out;
71 skb->arp = 1;
72 skb->raddr=daddr;
73 /*
74 * Now add the physical header (driver will push it down).
75 */
76 if (out->hard_header && out->hard_header(skb, out, ETH_P_IP, NULL, NULL, len)<0)
77 skb->arp=0;
78 /*
79 * Read to queue for transmission.
80 */
81 }
82
83 #endif
84
85 /*
86 * Forward an IP datagram to its next destination.
87 */
88
89 int ip_forward(struct sk_buff *skb, struct device *dev, int is_frag,
/* ![[previous]](../icons/left.png)
![[last]](../icons/n_last.png)
*/
90 __u32 target_addr)
91 {
92 struct device *dev2; /* Output device */
93 struct iphdr *iph; /* Our header */
94 struct sk_buff *skb2; /* Output packet */
95 struct rtable *rt; /* Route we use */
96 unsigned char *ptr; /* Data pointer */
97 unsigned long raddr; /* Router IP address */
98 struct options * opt = (struct options*)skb->proto_priv;
99 struct hh_cache *hh = NULL;
100 int encap = 0; /* Encap length */
101 #ifdef CONFIG_FIREWALL
102 int fw_res = 0; /* Forwarding result */
103 #ifdef CONFIG_IP_MASQUERADE
104 struct sk_buff *skb_in = skb; /* So we can remember if the masquerader did some swaps */
105 #endif /* CONFIG_IP_MASQUERADE */
106 #endif /* CONFIG_FIREWALL */
107
108 /*
109 * See if we are allowed to forward this.
110 * Note: demasqueraded fragments are always 'back'warded.
111 */
112
113 #ifdef CONFIG_FIREWALL
114 if(!(is_frag&IPFWD_MASQUERADED))
115 {
116 fw_res=call_fw_firewall(PF_INET, dev, skb->h.iph);
117 switch (fw_res) {
118 case FW_ACCEPT:
119 case FW_MASQUERADE:
120 break;
121 case FW_REJECT:
122 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, dev);
123 /* fall thru */
124 default:
125 return -1;
126 }
127 }
128 #endif
129
130 /*
131 * According to the RFC, we must first decrease the TTL field. If
132 * that reaches zero, we must reply an ICMP control message telling
133 * that the packet's lifetime expired.
134 *
135 * Exception:
136 * We may not generate an ICMP for an ICMP. icmp_send does the
137 * enforcement of this so we can forget it here. It is however
138 * sometimes VERY important.
139 */
140
141 iph = skb->h.iph;
142 iph->ttl--;
143
144 /*
145 * Re-compute the IP header checksum.
146 * This is inefficient. We know what has happened to the header
147 * and could thus adjust the checksum as Phil Karn does in KA9Q
148 */
149
150 iph->check = ntohs(iph->check) + 0x0100;
151 if ((iph->check & 0xFF00) == 0)
152 iph->check++; /* carry overflow */
153 iph->check = htons(iph->check);
154
155 if (iph->ttl <= 0)
156 {
157 /* Tell the sender its packet died... */
158 icmp_send(skb, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL, 0, dev);
159 return -1;
160 }
161
162 #ifdef CONFIG_IP_MROUTE
163 if(!(is_frag&IPFWD_MULTICASTING))
164 {
165 #endif
166 /*
167 * OK, the packet is still valid. Fetch its destination address,
168 * and give it to the IP sender for further processing.
169 */
170
171 rt = ip_rt_route(target_addr, 0);
172
173 if (rt == NULL)
174 {
175 /*
176 * Tell the sender its packet cannot be delivered. Again
177 * ICMP is screened later.
178 */
179 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_UNREACH, 0, dev);
180 return -1;
181 }
182
183
184 /*
185 * Gosh. Not only is the packet valid; we even know how to
186 * forward it onto its final destination. Can we say this
187 * is being plain lucky?
188 * If the router told us that there is no GW, use the dest.
189 * IP address itself- we seem to be connected directly...
190 */
191
192 raddr = rt->rt_gateway;
193
194 if (opt->is_strictroute && (rt->rt_flags & RTF_GATEWAY)) {
195 /*
196 * Strict routing permits no gatewaying
197 */
198
199 ip_rt_put(rt);
200 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_SR_FAILED, 0, dev);
201 return -1;
202 }
203
204 /*
205 * Having picked a route we can now send the frame out
206 * after asking the firewall permission to do so.
207 */
208
209 dev2 = rt->rt_dev;
210 hh = rt->rt_hh;
211 /*
212 * In IP you never have to forward a frame on the interface that it
213 * arrived upon. We now generate an ICMP HOST REDIRECT giving the route
214 * we calculated.
215 */
216 #ifndef CONFIG_IP_NO_ICMP_REDIRECT
217 if (dev == dev2 &&
218 !((iph->saddr^dev->pa_addr)&dev->pa_mask) &&
219 /* The daddr!=raddr test isn't obvious - what it's doing
220 is avoiding sending a frame the receiver will not
221 believe anyway.. */
222 iph->daddr != raddr/*ANK*/ && !opt->srr)
223 icmp_send(skb, ICMP_REDIRECT, ICMP_REDIR_HOST, raddr, dev);
224 #endif
225 #ifdef CONFIG_IP_MROUTE
226 }
227 else
228 {
229 /*
230 * Multicast route forward. Routing is already done
231 */
232 dev2=skb->dev;
233 raddr=skb->raddr;
234 if(is_frag&IPFWD_MULTITUNNEL) /* VIFF_TUNNEL mode */
235 encap=20;
236 rt=NULL;
237 }
238 #endif
239
240 /*
241 * We now may allocate a new buffer, and copy the datagram into it.
242 * If the indicated interface is up and running, kick it.
243 */
244
245 if (dev2->flags & IFF_UP)
246 {
247 #ifdef CONFIG_IP_MASQUERADE
248 /*
249 * If this fragment needs masquerading, make it so...
250 * (Don't masquerade de-masqueraded fragments)
251 */
252 if (!(is_frag&IPFWD_MASQUERADED) && fw_res==FW_MASQUERADE)
253 ip_fw_masquerade(&skb, dev2);
254 #endif
255 IS_SKB(skb);
256
257 if (skb->len+encap > dev2->mtu && (ntohs(iph->frag_off) & IP_DF))
258 {
259 ip_statistics.IpFragFails++;
260 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(dev2->mtu), dev);
261 if(rt)
262 ip_rt_put(rt);
263 return -1;
264 }
265
266 #ifdef CONFIG_IP_MROUTE
267 if(skb_headroom(skb)-encap<dev2->hard_header_len)
268 {
269 skb2 = alloc_skb(dev2->hard_header_len + skb->len + encap + 15, GFP_ATOMIC);
270 #else
271 if(skb_headroom(skb)<dev2->hard_header_len)
272 {
273 skb2 = alloc_skb(dev2->hard_header_len + skb->len + 15, GFP_ATOMIC);
274 #endif
275 /*
276 * This is rare and since IP is tolerant of network failures
277 * quite harmless.
278 */
279
280 if (skb2 == NULL)
281 {
282 NETDEBUG(printk("\nIP: No memory available for IP forward\n"));
283 if(rt)
284 ip_rt_put(rt);
285 return -1;
286 }
287
288 IS_SKB(skb2);
289 /*
290 * Add the physical headers.
291 */
292 skb2->protocol=htons(ETH_P_IP);
293 #ifdef CONFIG_IP_MROUTE
294 if(is_frag&IPFWD_MULTITUNNEL)
295 {
296 skb_reserve(skb,(encap+dev->hard_header_len+15)&~15); /* 16 byte aligned IP headers are good */
297 ip_encap(skb2,skb->len, dev2, raddr);
298 }
299 else
300 #endif
301 ip_send(rt,skb2,raddr,skb->len,dev2,dev2->pa_addr);
302
303 /*
304 * We have to copy the bytes over as the new header wouldn't fit
305 * the old buffer. This should be very rare.
306 */
307
308 ptr = skb_put(skb2,skb->len);
309 skb2->free = 1;
310 skb2->h.raw = ptr;
311
312 /*
313 * Copy the packet data into the new buffer.
314 */
315 memcpy(ptr, skb->h.raw, skb->len);
316 memcpy(skb2->proto_priv, skb->proto_priv, sizeof(skb->proto_priv));
317 iph = skb2->ip_hdr = skb2->h.iph;
318 }
319 else
320 {
321 /*
322 * Build a new MAC header.
323 */
324
325 skb2 = skb;
326 skb2->dev=dev2;
327 #ifdef CONFIG_IP_MROUTE
328 if(is_frag&IPFWD_MULTITUNNEL)
329 ip_encap(skb,skb->len, dev2, raddr);
330 else
331 {
332 #endif
333 skb->arp=1;
334 skb->raddr=raddr;
335 if (hh)
336 {
337 memcpy(skb_push(skb, dev2->hard_header_len), hh->hh_data, dev2->hard_header_len);
338 if (!hh->hh_uptodate)
339 {
340 #if RT_CACHE_DEBUG >= 2
341 printk("ip_forward: hh miss %08x via %08x\n", target_addr, rt->rt_gateway);
342 #endif
343 skb->arp = 0;
344 }
345 }
346 else if (dev2->hard_header)
347 {
348 if(dev2->hard_header(skb, dev2, ETH_P_IP, NULL, NULL, skb->len)<0)
349 skb->arp=0;
350 }
351 #ifdef CONFIG_IP_MROUTE
352 }
353 #endif
354 }
355 #ifdef CONFIG_FIREWALL
356 if((fw_res = call_out_firewall(PF_INET, skb2->dev, iph)) < FW_ACCEPT)
357 {
358 /* FW_ACCEPT and FW_MASQUERADE are treated equal:
359 masquerading is only supported via forward rules */
360 if (fw_res == FW_REJECT)
361 icmp_send(skb2, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, dev);
362 if (skb != skb2)
363 kfree_skb(skb2,FREE_WRITE);
364 return -1;
365 }
366 #endif
367 ip_statistics.IpForwDatagrams++;
368
369 if (opt->optlen)
370 {
371 unsigned char * optptr;
372 if (opt->rr_needaddr)
373 {
374 optptr = (unsigned char *)iph + opt->rr;
375 memcpy(&optptr[optptr[2]-5], &dev2->pa_addr, 4);
376 opt->is_changed = 1;
377 }
378 if (opt->srr_is_hit)
379 {
380 int srrptr, srrspace;
381
382 optptr = (unsigned char *)iph + opt->srr;
383
384 for ( srrptr=optptr[2], srrspace = optptr[1];
385 srrptr <= srrspace;
386 srrptr += 4
387 )
388 {
389 if (srrptr + 3 > srrspace)
390 break;
391 if (memcmp(&target_addr, &optptr[srrptr-1], 4) == 0)
392 break;
393 }
394 if (srrptr + 3 <= srrspace)
395 {
396 opt->is_changed = 1;
397 memcpy(&optptr[srrptr-1], &dev2->pa_addr, 4);
398 iph->daddr = target_addr;
399 optptr[2] = srrptr+4;
400 }
401 else
402 printk("ip_forward(): Argh! Destination lost!\n");
403 }
404 if (opt->ts_needaddr)
405 {
406 optptr = (unsigned char *)iph + opt->ts;
407 memcpy(&optptr[optptr[2]-9], &dev2->pa_addr, 4);
408 opt->is_changed = 1;
409 }
410 if (opt->is_changed)
411 {
412 opt->is_changed = 0;
413 ip_send_check(iph);
414 }
415 }
416 /*
417 * ANK: this is point of "no return", we cannot send an ICMP,
418 * because we changed SRR option.
419 */
420
421 /*
422 * See if it needs fragmenting. Note in ip_rcv we tagged
423 * the fragment type. This must be right so that
424 * the fragmenter does the right thing.
425 */
426
427 if(skb2->len > dev2->mtu + dev2->hard_header_len)
428 {
429 ip_fragment(NULL,skb2,dev2, is_frag);
430 kfree_skb(skb2,FREE_WRITE);
431 }
432 else
433 {
434 #ifdef CONFIG_IP_ACCT
435 /*
436 * Count mapping we shortcut
437 */
438
439 ip_fw_chk(iph,dev2,ip_acct_chain,IP_FW_F_ACCEPT,1);
440 #endif
441
442 /*
443 * Map service types to priority. We lie about
444 * throughput being low priority, but it's a good
445 * choice to help improve general usage.
446 */
447 if(iph->tos & IPTOS_LOWDELAY)
448 dev_queue_xmit(skb2, dev2, SOPRI_INTERACTIVE);
449 else if(iph->tos & IPTOS_THROUGHPUT)
450 dev_queue_xmit(skb2, dev2, SOPRI_BACKGROUND);
451 else
452 dev_queue_xmit(skb2, dev2, SOPRI_NORMAL);
453 }
454 }
455 else
456 {
457 if(rt)
458 ip_rt_put(rt);
459 return -1;
460 }
461 if(rt)
462 ip_rt_put(rt);
463
464 /*
465 * Tell the caller if their buffer is free.
466 */
467
468 if(skb==skb2)
469 return 0;
470
471 #ifdef CONFIG_IP_MASQUERADE
472 /*
473 * The original is free. Free our copy and
474 * tell the caller not to free.
475 */
476 if(skb!=skb_in)
477 {
478 kfree_skb(skb_in, FREE_WRITE);
479 return 0;
480 }
481 #endif
482 return 1;
483 }
484
485
486 #endif
![[bottom]](../icons/n_bottom.png){kind=icon}
*/