mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-20 11:11:24 +00:00
53369ac9bb
resource exhaustion attacks. For network link optimization TCP can adjust its MSS and thus packet size according to the observed path MTU. This is done dynamically based on feedback from the remote host and network components along the packet path. This information can be abused to pretend an extremely low path MTU. The resource exhaustion works in two ways: o during tcp connection setup the advertized local MSS is exchanged between the endpoints. The remote endpoint can set this arbitrarily low (except for a minimum MTU of 64 octets enforced in the BSD code). When the local host is sending data it is forced to send many small IP packets instead of a large one. For example instead of the normal TCP payload size of 1448 it forces TCP payload size of 12 (MTU 64) and thus we have a 120 times increase in workload and packets. On fast links this quickly saturates the local CPU and may also hit pps processing limites of network components along the path. This type of attack is particularly effective for servers where the attacker can download large files (WWW and FTP). We mitigate it by enforcing a minimum MTU settable by sysctl net.inet.tcp.minmss defaulting to 256 octets. o the local host is reveiving data on a TCP connection from the remote host. The local host has no control over the packet size the remote host is sending. The remote host may chose to do what is described in the first attack and send the data in packets with an TCP payload of at least one byte. For each packet the tcp_input() function will be entered, the packet is processed and a sowakeup() is signalled to the connected process. For example an attack with 2 Mbit/s gives 4716 packets per second and the same amount of sowakeup()s to the process (and context switches). This type of attack is particularly effective for servers where the attacker can upload large amounts of data. Normally this is the case with WWW server where large POSTs can be made. We mitigate this by calculating the average MSS payload per second. If it goes below 'net.inet.tcp.minmss' and the pps rate is above 'net.inet.tcp.minmssoverload' defaulting to 1000 this particular TCP connection is resetted and dropped. MITRE CVE: CAN-2004-0002 Reviewed by: sam (mentor) MFC after: 1 day
890 lines
23 KiB
C
890 lines
23 KiB
C
/*
|
|
* Copyright (c) 1982, 1986, 1988, 1993
|
|
* The Regents of the University of California. All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 3. All advertising materials mentioning features or use of this software
|
|
* must display the following acknowledgement:
|
|
* This product includes software developed by the University of
|
|
* California, Berkeley and its contributors.
|
|
* 4. Neither the name of the University nor the names of its contributors
|
|
* may be used to endorse or promote products derived from this software
|
|
* without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*
|
|
* @(#)ip_icmp.c 8.2 (Berkeley) 1/4/94
|
|
* $FreeBSD$
|
|
*/
|
|
|
|
#include "opt_ipsec.h"
|
|
#include "opt_mac.h"
|
|
|
|
#include <sys/param.h>
|
|
#include <sys/systm.h>
|
|
#include <sys/mac.h>
|
|
#include <sys/mbuf.h>
|
|
#include <sys/protosw.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/time.h>
|
|
#include <sys/kernel.h>
|
|
#include <sys/sysctl.h>
|
|
|
|
#include <net/if.h>
|
|
#include <net/if_types.h>
|
|
#include <net/route.h>
|
|
|
|
#include <netinet/in.h>
|
|
#include <netinet/in_pcb.h>
|
|
#include <netinet/in_systm.h>
|
|
#include <netinet/in_var.h>
|
|
#include <netinet/ip.h>
|
|
#include <netinet/ip_icmp.h>
|
|
#include <netinet/ip_var.h>
|
|
#include <netinet/tcp.h>
|
|
#include <netinet/tcp_var.h>
|
|
#include <netinet/tcpip.h>
|
|
#include <netinet/icmp_var.h>
|
|
|
|
#ifdef IPSEC
|
|
#include <netinet6/ipsec.h>
|
|
#include <netkey/key.h>
|
|
#endif
|
|
|
|
#ifdef FAST_IPSEC
|
|
#include <netipsec/ipsec.h>
|
|
#include <netipsec/key.h>
|
|
#define IPSEC
|
|
#endif
|
|
|
|
#include <machine/in_cksum.h>
|
|
|
|
/*
|
|
* ICMP routines: error generation, receive packet processing, and
|
|
* routines to turnaround packets back to the originator, and
|
|
* host table maintenance routines.
|
|
*/
|
|
|
|
static struct icmpstat icmpstat;
|
|
SYSCTL_STRUCT(_net_inet_icmp, ICMPCTL_STATS, stats, CTLFLAG_RW,
|
|
&icmpstat, icmpstat, "");
|
|
|
|
static int icmpmaskrepl = 0;
|
|
SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW,
|
|
&icmpmaskrepl, 0, "Reply to ICMP Address Mask Request packets.");
|
|
|
|
static u_int icmpmaskfake = 0;
|
|
SYSCTL_UINT(_net_inet_icmp, OID_AUTO, maskfake, CTLFLAG_RW,
|
|
&icmpmaskfake, 0, "Fake reply to ICMP Address Mask Request packets.");
|
|
|
|
static int drop_redirect = 0;
|
|
SYSCTL_INT(_net_inet_icmp, OID_AUTO, drop_redirect, CTLFLAG_RW,
|
|
&drop_redirect, 0, "");
|
|
|
|
static int log_redirect = 0;
|
|
SYSCTL_INT(_net_inet_icmp, OID_AUTO, log_redirect, CTLFLAG_RW,
|
|
&log_redirect, 0, "");
|
|
|
|
static int icmplim = 200;
|
|
SYSCTL_INT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RW,
|
|
&icmplim, 0, "");
|
|
|
|
static int icmplim_output = 1;
|
|
SYSCTL_INT(_net_inet_icmp, OID_AUTO, icmplim_output, CTLFLAG_RW,
|
|
&icmplim_output, 0, "");
|
|
|
|
/*
|
|
* ICMP broadcast echo sysctl
|
|
*/
|
|
|
|
static int icmpbmcastecho = 0;
|
|
SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW,
|
|
&icmpbmcastecho, 0, "");
|
|
|
|
|
|
#ifdef ICMPPRINTFS
|
|
int icmpprintfs = 0;
|
|
#endif
|
|
|
|
static void icmp_reflect(struct mbuf *);
|
|
static void icmp_send(struct mbuf *, struct mbuf *);
|
|
static int ip_next_mtu(int, int);
|
|
|
|
extern struct protosw inetsw[];
|
|
|
|
/*
|
|
* Generate an error packet of type error
|
|
* in response to bad packet ip.
|
|
*/
|
|
void
|
|
icmp_error(n, type, code, dest, destifp)
|
|
struct mbuf *n;
|
|
int type, code;
|
|
n_long dest;
|
|
struct ifnet *destifp;
|
|
{
|
|
register struct ip *oip = mtod(n, struct ip *), *nip;
|
|
register unsigned oiplen = oip->ip_hl << 2;
|
|
register struct icmp *icp;
|
|
register struct mbuf *m;
|
|
unsigned icmplen;
|
|
|
|
#ifdef ICMPPRINTFS
|
|
if (icmpprintfs)
|
|
printf("icmp_error(%p, %x, %d)\n", oip, type, code);
|
|
#endif
|
|
if (type != ICMP_REDIRECT)
|
|
icmpstat.icps_error++;
|
|
/*
|
|
* Don't send error if not the first fragment of message.
|
|
* Don't error if the old packet protocol was ICMP
|
|
* error message, only known informational types.
|
|
*/
|
|
if (oip->ip_off &~ (IP_MF|IP_DF))
|
|
goto freeit;
|
|
if (oip->ip_p == IPPROTO_ICMP && type != ICMP_REDIRECT &&
|
|
n->m_len >= oiplen + ICMP_MINLEN &&
|
|
!ICMP_INFOTYPE(((struct icmp *)((caddr_t)oip + oiplen))->icmp_type)) {
|
|
icmpstat.icps_oldicmp++;
|
|
goto freeit;
|
|
}
|
|
/* Don't send error in response to a multicast or broadcast packet */
|
|
if (n->m_flags & (M_BCAST|M_MCAST))
|
|
goto freeit;
|
|
/*
|
|
* First, formulate icmp message
|
|
*/
|
|
m = m_gethdr(M_DONTWAIT, MT_HEADER);
|
|
if (m == NULL)
|
|
goto freeit;
|
|
#ifdef MAC
|
|
mac_create_mbuf_netlayer(n, m);
|
|
#endif
|
|
icmplen = min(oiplen + 8, oip->ip_len);
|
|
if (icmplen < sizeof(struct ip))
|
|
panic("icmp_error: bad length");
|
|
m->m_len = icmplen + ICMP_MINLEN;
|
|
MH_ALIGN(m, m->m_len);
|
|
icp = mtod(m, struct icmp *);
|
|
if ((u_int)type > ICMP_MAXTYPE)
|
|
panic("icmp_error");
|
|
icmpstat.icps_outhist[type]++;
|
|
icp->icmp_type = type;
|
|
if (type == ICMP_REDIRECT)
|
|
icp->icmp_gwaddr.s_addr = dest;
|
|
else {
|
|
icp->icmp_void = 0;
|
|
/*
|
|
* The following assignments assume an overlay with the
|
|
* zeroed icmp_void field.
|
|
*/
|
|
if (type == ICMP_PARAMPROB) {
|
|
icp->icmp_pptr = code;
|
|
code = 0;
|
|
} else if (type == ICMP_UNREACH &&
|
|
code == ICMP_UNREACH_NEEDFRAG && destifp) {
|
|
icp->icmp_nextmtu = htons(destifp->if_mtu);
|
|
}
|
|
}
|
|
|
|
icp->icmp_code = code;
|
|
m_copydata(n, 0, icmplen, (caddr_t)&icp->icmp_ip);
|
|
nip = &icp->icmp_ip;
|
|
|
|
/*
|
|
* Convert fields to network representation.
|
|
*/
|
|
nip->ip_len = htons(nip->ip_len);
|
|
nip->ip_off = htons(nip->ip_off);
|
|
|
|
/*
|
|
* Now, copy old ip header (without options)
|
|
* in front of icmp message.
|
|
*/
|
|
if (m->m_data - sizeof(struct ip) < m->m_pktdat)
|
|
panic("icmp len");
|
|
m->m_data -= sizeof(struct ip);
|
|
m->m_len += sizeof(struct ip);
|
|
m->m_pkthdr.len = m->m_len;
|
|
m->m_pkthdr.rcvif = n->m_pkthdr.rcvif;
|
|
nip = mtod(m, struct ip *);
|
|
bcopy((caddr_t)oip, (caddr_t)nip, sizeof(struct ip));
|
|
nip->ip_len = m->m_len;
|
|
nip->ip_v = IPVERSION;
|
|
nip->ip_hl = 5;
|
|
nip->ip_p = IPPROTO_ICMP;
|
|
nip->ip_tos = 0;
|
|
icmp_reflect(m);
|
|
|
|
freeit:
|
|
m_freem(n);
|
|
}
|
|
|
|
/*
|
|
* Process a received ICMP message.
|
|
*/
|
|
void
|
|
icmp_input(m, off)
|
|
struct mbuf *m;
|
|
int off;
|
|
{
|
|
struct icmp *icp;
|
|
struct in_ifaddr *ia;
|
|
struct ip *ip = mtod(m, struct ip *);
|
|
struct sockaddr_in icmpsrc, icmpdst, icmpgw;
|
|
int hlen = off;
|
|
int icmplen = ip->ip_len;
|
|
int i, code;
|
|
void (*ctlfunc)(int, struct sockaddr *, void *);
|
|
|
|
/*
|
|
* Locate icmp structure in mbuf, and check
|
|
* that not corrupted and of at least minimum length.
|
|
*/
|
|
#ifdef ICMPPRINTFS
|
|
if (icmpprintfs) {
|
|
char buf[4 * sizeof "123"];
|
|
strcpy(buf, inet_ntoa(ip->ip_src));
|
|
printf("icmp_input from %s to %s, len %d\n",
|
|
buf, inet_ntoa(ip->ip_dst), icmplen);
|
|
}
|
|
#endif
|
|
if (icmplen < ICMP_MINLEN) {
|
|
icmpstat.icps_tooshort++;
|
|
goto freeit;
|
|
}
|
|
i = hlen + min(icmplen, ICMP_ADVLENMIN);
|
|
if (m->m_len < i && (m = m_pullup(m, i)) == 0) {
|
|
icmpstat.icps_tooshort++;
|
|
return;
|
|
}
|
|
ip = mtod(m, struct ip *);
|
|
m->m_len -= hlen;
|
|
m->m_data += hlen;
|
|
icp = mtod(m, struct icmp *);
|
|
if (in_cksum(m, icmplen)) {
|
|
icmpstat.icps_checksum++;
|
|
goto freeit;
|
|
}
|
|
m->m_len += hlen;
|
|
m->m_data -= hlen;
|
|
|
|
if (m->m_pkthdr.rcvif && m->m_pkthdr.rcvif->if_type == IFT_FAITH) {
|
|
/*
|
|
* Deliver very specific ICMP type only.
|
|
*/
|
|
switch (icp->icmp_type) {
|
|
case ICMP_UNREACH:
|
|
case ICMP_TIMXCEED:
|
|
break;
|
|
default:
|
|
goto freeit;
|
|
}
|
|
}
|
|
|
|
#ifdef ICMPPRINTFS
|
|
if (icmpprintfs)
|
|
printf("icmp_input, type %d code %d\n", icp->icmp_type,
|
|
icp->icmp_code);
|
|
#endif
|
|
|
|
/*
|
|
* Message type specific processing.
|
|
*/
|
|
if (icp->icmp_type > ICMP_MAXTYPE)
|
|
goto raw;
|
|
|
|
/* Initialize */
|
|
bzero(&icmpsrc, sizeof(icmpsrc));
|
|
icmpsrc.sin_len = sizeof(struct sockaddr_in);
|
|
icmpsrc.sin_family = AF_INET;
|
|
bzero(&icmpdst, sizeof(icmpdst));
|
|
icmpdst.sin_len = sizeof(struct sockaddr_in);
|
|
icmpdst.sin_family = AF_INET;
|
|
bzero(&icmpgw, sizeof(icmpgw));
|
|
icmpgw.sin_len = sizeof(struct sockaddr_in);
|
|
icmpgw.sin_family = AF_INET;
|
|
|
|
icmpstat.icps_inhist[icp->icmp_type]++;
|
|
code = icp->icmp_code;
|
|
switch (icp->icmp_type) {
|
|
|
|
case ICMP_UNREACH:
|
|
switch (code) {
|
|
case ICMP_UNREACH_NET:
|
|
case ICMP_UNREACH_HOST:
|
|
case ICMP_UNREACH_SRCFAIL:
|
|
case ICMP_UNREACH_NET_UNKNOWN:
|
|
case ICMP_UNREACH_HOST_UNKNOWN:
|
|
case ICMP_UNREACH_ISOLATED:
|
|
case ICMP_UNREACH_TOSNET:
|
|
case ICMP_UNREACH_TOSHOST:
|
|
case ICMP_UNREACH_HOST_PRECEDENCE:
|
|
case ICMP_UNREACH_PRECEDENCE_CUTOFF:
|
|
code = PRC_UNREACH_NET;
|
|
break;
|
|
|
|
case ICMP_UNREACH_NEEDFRAG:
|
|
code = PRC_MSGSIZE;
|
|
break;
|
|
|
|
/*
|
|
* RFC 1122, Sections 3.2.2.1 and 4.2.3.9.
|
|
* Treat subcodes 2,3 as immediate RST
|
|
*/
|
|
case ICMP_UNREACH_PROTOCOL:
|
|
case ICMP_UNREACH_PORT:
|
|
code = PRC_UNREACH_PORT;
|
|
break;
|
|
|
|
case ICMP_UNREACH_NET_PROHIB:
|
|
case ICMP_UNREACH_HOST_PROHIB:
|
|
case ICMP_UNREACH_FILTER_PROHIB:
|
|
code = PRC_UNREACH_ADMIN_PROHIB;
|
|
break;
|
|
|
|
default:
|
|
goto badcode;
|
|
}
|
|
goto deliver;
|
|
|
|
case ICMP_TIMXCEED:
|
|
if (code > 1)
|
|
goto badcode;
|
|
code += PRC_TIMXCEED_INTRANS;
|
|
goto deliver;
|
|
|
|
case ICMP_PARAMPROB:
|
|
if (code > 1)
|
|
goto badcode;
|
|
code = PRC_PARAMPROB;
|
|
goto deliver;
|
|
|
|
case ICMP_SOURCEQUENCH:
|
|
if (code)
|
|
goto badcode;
|
|
code = PRC_QUENCH;
|
|
deliver:
|
|
/*
|
|
* Problem with datagram; advise higher level routines.
|
|
*/
|
|
if (icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp) ||
|
|
icp->icmp_ip.ip_hl < (sizeof(struct ip) >> 2)) {
|
|
icmpstat.icps_badlen++;
|
|
goto freeit;
|
|
}
|
|
icp->icmp_ip.ip_len = ntohs(icp->icmp_ip.ip_len);
|
|
/* Discard ICMP's in response to multicast packets */
|
|
if (IN_MULTICAST(ntohl(icp->icmp_ip.ip_dst.s_addr)))
|
|
goto badcode;
|
|
#ifdef ICMPPRINTFS
|
|
if (icmpprintfs)
|
|
printf("deliver to protocol %d\n", icp->icmp_ip.ip_p);
|
|
#endif
|
|
icmpsrc.sin_addr = icp->icmp_ip.ip_dst;
|
|
|
|
/*
|
|
* MTU discovery:
|
|
* If we got a needfrag and there is a host route to the
|
|
* original destination, and the MTU is not locked, then
|
|
* set the MTU in the route to the suggested new value
|
|
* (if given) and then notify as usual. The ULPs will
|
|
* notice that the MTU has changed and adapt accordingly.
|
|
* If no new MTU was suggested, then we guess a new one
|
|
* less than the current value. If the new MTU is
|
|
* unreasonably small (defined by sysctl tcp_minmss), then
|
|
* we don't update the MTU value.
|
|
*
|
|
* XXX: All this should be done in tcp_mtudisc() because
|
|
* the way we do it now, everyone can send us bogus ICMP
|
|
* MSGSIZE packets for any destination. By doing this far
|
|
* higher in the chain we have a matching tcp connection.
|
|
* Thus spoofing is much harder. However there is no easy
|
|
* non-hackish way to pass the new MTU up to tcp_mtudisc().
|
|
* Also see next XXX regarding IPv4 AH TCP.
|
|
*/
|
|
if (code == PRC_MSGSIZE) {
|
|
int mtu;
|
|
struct in_conninfo inc;
|
|
|
|
bzero(&inc, sizeof(inc));
|
|
inc.inc_flags = 0; /* IPv4 */
|
|
inc.inc_faddr = icmpsrc.sin_addr;
|
|
|
|
mtu = ntohs(icp->icmp_nextmtu);
|
|
if (!mtu)
|
|
mtu = ip_next_mtu(mtu, 1);
|
|
|
|
if (mtu >= max(296, (tcp_minmss +
|
|
sizeof(struct tcpiphdr))))
|
|
tcp_hc_updatemtu(&inc, mtu);
|
|
|
|
#ifdef DEBUG_MTUDISC
|
|
printf("MTU for %s reduced to %d\n",
|
|
inet_ntoa(icmpsrc.sin_addr), mtu);
|
|
#endif
|
|
}
|
|
|
|
/*
|
|
* XXX if the packet contains [IPv4 AH TCP], we can't make a
|
|
* notification to TCP layer.
|
|
*/
|
|
ctlfunc = inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput;
|
|
if (ctlfunc)
|
|
(*ctlfunc)(code, (struct sockaddr *)&icmpsrc,
|
|
(void *)&icp->icmp_ip);
|
|
break;
|
|
|
|
badcode:
|
|
icmpstat.icps_badcode++;
|
|
break;
|
|
|
|
case ICMP_ECHO:
|
|
if (!icmpbmcastecho
|
|
&& (m->m_flags & (M_MCAST | M_BCAST)) != 0) {
|
|
icmpstat.icps_bmcastecho++;
|
|
break;
|
|
}
|
|
icp->icmp_type = ICMP_ECHOREPLY;
|
|
if (badport_bandlim(BANDLIM_ICMP_ECHO) < 0)
|
|
goto freeit;
|
|
else
|
|
goto reflect;
|
|
|
|
case ICMP_TSTAMP:
|
|
if (!icmpbmcastecho
|
|
&& (m->m_flags & (M_MCAST | M_BCAST)) != 0) {
|
|
icmpstat.icps_bmcasttstamp++;
|
|
break;
|
|
}
|
|
if (icmplen < ICMP_TSLEN) {
|
|
icmpstat.icps_badlen++;
|
|
break;
|
|
}
|
|
icp->icmp_type = ICMP_TSTAMPREPLY;
|
|
icp->icmp_rtime = iptime();
|
|
icp->icmp_ttime = icp->icmp_rtime; /* bogus, do later! */
|
|
if (badport_bandlim(BANDLIM_ICMP_TSTAMP) < 0)
|
|
goto freeit;
|
|
else
|
|
goto reflect;
|
|
|
|
case ICMP_MASKREQ:
|
|
if (icmpmaskrepl == 0)
|
|
break;
|
|
/*
|
|
* We are not able to respond with all ones broadcast
|
|
* unless we receive it over a point-to-point interface.
|
|
*/
|
|
if (icmplen < ICMP_MASKLEN)
|
|
break;
|
|
switch (ip->ip_dst.s_addr) {
|
|
|
|
case INADDR_BROADCAST:
|
|
case INADDR_ANY:
|
|
icmpdst.sin_addr = ip->ip_src;
|
|
break;
|
|
|
|
default:
|
|
icmpdst.sin_addr = ip->ip_dst;
|
|
}
|
|
ia = (struct in_ifaddr *)ifaof_ifpforaddr(
|
|
(struct sockaddr *)&icmpdst, m->m_pkthdr.rcvif);
|
|
if (ia == 0)
|
|
break;
|
|
if (ia->ia_ifp == 0)
|
|
break;
|
|
icp->icmp_type = ICMP_MASKREPLY;
|
|
if (icmpmaskfake == 0)
|
|
icp->icmp_mask = ia->ia_sockmask.sin_addr.s_addr;
|
|
else
|
|
icp->icmp_mask = icmpmaskfake;
|
|
if (ip->ip_src.s_addr == 0) {
|
|
if (ia->ia_ifp->if_flags & IFF_BROADCAST)
|
|
ip->ip_src = satosin(&ia->ia_broadaddr)->sin_addr;
|
|
else if (ia->ia_ifp->if_flags & IFF_POINTOPOINT)
|
|
ip->ip_src = satosin(&ia->ia_dstaddr)->sin_addr;
|
|
}
|
|
reflect:
|
|
ip->ip_len += hlen; /* since ip_input deducts this */
|
|
icmpstat.icps_reflect++;
|
|
icmpstat.icps_outhist[icp->icmp_type]++;
|
|
icmp_reflect(m);
|
|
return;
|
|
|
|
case ICMP_REDIRECT:
|
|
if (log_redirect) {
|
|
u_long src, dst, gw;
|
|
|
|
src = ntohl(ip->ip_src.s_addr);
|
|
dst = ntohl(icp->icmp_ip.ip_dst.s_addr);
|
|
gw = ntohl(icp->icmp_gwaddr.s_addr);
|
|
printf("icmp redirect from %d.%d.%d.%d: "
|
|
"%d.%d.%d.%d => %d.%d.%d.%d\n",
|
|
(int)(src >> 24), (int)((src >> 16) & 0xff),
|
|
(int)((src >> 8) & 0xff), (int)(src & 0xff),
|
|
(int)(dst >> 24), (int)((dst >> 16) & 0xff),
|
|
(int)((dst >> 8) & 0xff), (int)(dst & 0xff),
|
|
(int)(gw >> 24), (int)((gw >> 16) & 0xff),
|
|
(int)((gw >> 8) & 0xff), (int)(gw & 0xff));
|
|
}
|
|
/*
|
|
* RFC1812 says we must ignore ICMP redirects if we
|
|
* are acting as router.
|
|
*/
|
|
if (drop_redirect || ipforwarding)
|
|
break;
|
|
if (code > 3)
|
|
goto badcode;
|
|
if (icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp) ||
|
|
icp->icmp_ip.ip_hl < (sizeof(struct ip) >> 2)) {
|
|
icmpstat.icps_badlen++;
|
|
break;
|
|
}
|
|
/*
|
|
* Short circuit routing redirects to force
|
|
* immediate change in the kernel's routing
|
|
* tables. The message is also handed to anyone
|
|
* listening on a raw socket (e.g. the routing
|
|
* daemon for use in updating its tables).
|
|
*/
|
|
icmpgw.sin_addr = ip->ip_src;
|
|
icmpdst.sin_addr = icp->icmp_gwaddr;
|
|
#ifdef ICMPPRINTFS
|
|
if (icmpprintfs) {
|
|
char buf[4 * sizeof "123"];
|
|
strcpy(buf, inet_ntoa(icp->icmp_ip.ip_dst));
|
|
|
|
printf("redirect dst %s to %s\n",
|
|
buf, inet_ntoa(icp->icmp_gwaddr));
|
|
}
|
|
#endif
|
|
icmpsrc.sin_addr = icp->icmp_ip.ip_dst;
|
|
rtredirect((struct sockaddr *)&icmpsrc,
|
|
(struct sockaddr *)&icmpdst,
|
|
(struct sockaddr *)0, RTF_GATEWAY | RTF_HOST,
|
|
(struct sockaddr *)&icmpgw);
|
|
pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&icmpsrc);
|
|
#ifdef IPSEC
|
|
key_sa_routechange((struct sockaddr *)&icmpsrc);
|
|
#endif
|
|
break;
|
|
|
|
/*
|
|
* No kernel processing for the following;
|
|
* just fall through to send to raw listener.
|
|
*/
|
|
case ICMP_ECHOREPLY:
|
|
case ICMP_ROUTERADVERT:
|
|
case ICMP_ROUTERSOLICIT:
|
|
case ICMP_TSTAMPREPLY:
|
|
case ICMP_IREQREPLY:
|
|
case ICMP_MASKREPLY:
|
|
default:
|
|
break;
|
|
}
|
|
|
|
raw:
|
|
rip_input(m, off);
|
|
return;
|
|
|
|
freeit:
|
|
m_freem(m);
|
|
}
|
|
|
|
/*
|
|
* Reflect the ip packet back to the source
|
|
*/
|
|
static void
|
|
icmp_reflect(m)
|
|
struct mbuf *m;
|
|
{
|
|
struct ip *ip = mtod(m, struct ip *);
|
|
struct ifaddr *ifa;
|
|
struct in_ifaddr *ia;
|
|
struct in_addr t;
|
|
struct mbuf *opts = 0;
|
|
int optlen = (ip->ip_hl << 2) - sizeof(struct ip);
|
|
|
|
if (!in_canforward(ip->ip_src) &&
|
|
((ntohl(ip->ip_src.s_addr) & IN_CLASSA_NET) !=
|
|
(IN_LOOPBACKNET << IN_CLASSA_NSHIFT))) {
|
|
m_freem(m); /* Bad return address */
|
|
icmpstat.icps_badaddr++;
|
|
goto done; /* Ip_output() will check for broadcast */
|
|
}
|
|
t = ip->ip_dst;
|
|
ip->ip_dst = ip->ip_src;
|
|
/*
|
|
* If the incoming packet was addressed directly to us,
|
|
* use dst as the src for the reply. Otherwise (broadcast
|
|
* or anonymous), use the address which corresponds
|
|
* to the incoming interface.
|
|
*/
|
|
LIST_FOREACH(ia, INADDR_HASH(t.s_addr), ia_hash)
|
|
if (t.s_addr == IA_SIN(ia)->sin_addr.s_addr)
|
|
goto match;
|
|
if (m->m_pkthdr.rcvif != NULL &&
|
|
m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) {
|
|
TAILQ_FOREACH(ifa, &m->m_pkthdr.rcvif->if_addrhead, ifa_link) {
|
|
if (ifa->ifa_addr->sa_family != AF_INET)
|
|
continue;
|
|
ia = ifatoia(ifa);
|
|
if (satosin(&ia->ia_broadaddr)->sin_addr.s_addr ==
|
|
t.s_addr)
|
|
goto match;
|
|
}
|
|
}
|
|
ia = ip_rtaddr(ip->ip_dst);
|
|
/* We need a route to do anything useful. */
|
|
if (ia == NULL) {
|
|
m_freem(m);
|
|
icmpstat.icps_noroute++;
|
|
goto done;
|
|
}
|
|
match:
|
|
#ifdef MAC
|
|
mac_reflect_mbuf_icmp(m);
|
|
#endif
|
|
t = IA_SIN(ia)->sin_addr;
|
|
ip->ip_src = t;
|
|
ip->ip_ttl = ip_defttl;
|
|
|
|
if (optlen > 0) {
|
|
register u_char *cp;
|
|
int opt, cnt;
|
|
u_int len;
|
|
|
|
/*
|
|
* Retrieve any source routing from the incoming packet;
|
|
* add on any record-route or timestamp options.
|
|
*/
|
|
cp = (u_char *) (ip + 1);
|
|
if ((opts = ip_srcroute()) == 0 &&
|
|
(opts = m_gethdr(M_DONTWAIT, MT_HEADER))) {
|
|
opts->m_len = sizeof(struct in_addr);
|
|
mtod(opts, struct in_addr *)->s_addr = 0;
|
|
}
|
|
if (opts) {
|
|
#ifdef ICMPPRINTFS
|
|
if (icmpprintfs)
|
|
printf("icmp_reflect optlen %d rt %d => ",
|
|
optlen, opts->m_len);
|
|
#endif
|
|
for (cnt = optlen; cnt > 0; cnt -= len, cp += len) {
|
|
opt = cp[IPOPT_OPTVAL];
|
|
if (opt == IPOPT_EOL)
|
|
break;
|
|
if (opt == IPOPT_NOP)
|
|
len = 1;
|
|
else {
|
|
if (cnt < IPOPT_OLEN + sizeof(*cp))
|
|
break;
|
|
len = cp[IPOPT_OLEN];
|
|
if (len < IPOPT_OLEN + sizeof(*cp) ||
|
|
len > cnt)
|
|
break;
|
|
}
|
|
/*
|
|
* Should check for overflow, but it "can't happen"
|
|
*/
|
|
if (opt == IPOPT_RR || opt == IPOPT_TS ||
|
|
opt == IPOPT_SECURITY) {
|
|
bcopy((caddr_t)cp,
|
|
mtod(opts, caddr_t) + opts->m_len, len);
|
|
opts->m_len += len;
|
|
}
|
|
}
|
|
/* Terminate & pad, if necessary */
|
|
cnt = opts->m_len % 4;
|
|
if (cnt) {
|
|
for (; cnt < 4; cnt++) {
|
|
*(mtod(opts, caddr_t) + opts->m_len) =
|
|
IPOPT_EOL;
|
|
opts->m_len++;
|
|
}
|
|
}
|
|
#ifdef ICMPPRINTFS
|
|
if (icmpprintfs)
|
|
printf("%d\n", opts->m_len);
|
|
#endif
|
|
}
|
|
/*
|
|
* Now strip out original options by copying rest of first
|
|
* mbuf's data back, and adjust the IP length.
|
|
*/
|
|
ip->ip_len -= optlen;
|
|
ip->ip_v = IPVERSION;
|
|
ip->ip_hl = 5;
|
|
m->m_len -= optlen;
|
|
if (m->m_flags & M_PKTHDR)
|
|
m->m_pkthdr.len -= optlen;
|
|
optlen += sizeof(struct ip);
|
|
bcopy((caddr_t)ip + optlen, (caddr_t)(ip + 1),
|
|
(unsigned)(m->m_len - sizeof(struct ip)));
|
|
}
|
|
m_tag_delete_nonpersistent(m);
|
|
m->m_flags &= ~(M_BCAST|M_MCAST);
|
|
icmp_send(m, opts);
|
|
done:
|
|
if (opts)
|
|
(void)m_free(opts);
|
|
}
|
|
|
|
/*
|
|
* Send an icmp packet back to the ip level,
|
|
* after supplying a checksum.
|
|
*/
|
|
static void
|
|
icmp_send(m, opts)
|
|
register struct mbuf *m;
|
|
struct mbuf *opts;
|
|
{
|
|
register struct ip *ip = mtod(m, struct ip *);
|
|
register int hlen;
|
|
register struct icmp *icp;
|
|
|
|
hlen = ip->ip_hl << 2;
|
|
m->m_data += hlen;
|
|
m->m_len -= hlen;
|
|
icp = mtod(m, struct icmp *);
|
|
icp->icmp_cksum = 0;
|
|
icp->icmp_cksum = in_cksum(m, ip->ip_len - hlen);
|
|
m->m_data -= hlen;
|
|
m->m_len += hlen;
|
|
m->m_pkthdr.rcvif = (struct ifnet *)0;
|
|
#ifdef ICMPPRINTFS
|
|
if (icmpprintfs) {
|
|
char buf[4 * sizeof "123"];
|
|
strcpy(buf, inet_ntoa(ip->ip_dst));
|
|
printf("icmp_send dst %s src %s\n",
|
|
buf, inet_ntoa(ip->ip_src));
|
|
}
|
|
#endif
|
|
(void) ip_output(m, opts, NULL, 0, NULL, NULL);
|
|
}
|
|
|
|
n_time
|
|
iptime()
|
|
{
|
|
struct timeval atv;
|
|
u_long t;
|
|
|
|
getmicrotime(&atv);
|
|
t = (atv.tv_sec % (24*60*60)) * 1000 + atv.tv_usec / 1000;
|
|
return (htonl(t));
|
|
}
|
|
|
|
/*
|
|
* Return the next larger or smaller MTU plateau (table from RFC 1191)
|
|
* given current value MTU. If DIR is less than zero, a larger plateau
|
|
* is returned; otherwise, a smaller value is returned.
|
|
*/
|
|
static int
|
|
ip_next_mtu(mtu, dir)
|
|
int mtu;
|
|
int dir;
|
|
{
|
|
static int mtutab[] = {
|
|
65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296,
|
|
68, 0
|
|
};
|
|
int i;
|
|
|
|
for (i = 0; i < (sizeof mtutab) / (sizeof mtutab[0]); i++) {
|
|
if (mtu >= mtutab[i])
|
|
break;
|
|
}
|
|
|
|
if (dir < 0) {
|
|
if (i == 0) {
|
|
return 0;
|
|
} else {
|
|
return mtutab[i - 1];
|
|
}
|
|
} else {
|
|
if (mtutab[i] == 0) {
|
|
return 0;
|
|
} else if(mtu > mtutab[i]) {
|
|
return mtutab[i];
|
|
} else {
|
|
return mtutab[i + 1];
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
/*
|
|
* badport_bandlim() - check for ICMP bandwidth limit
|
|
*
|
|
* Return 0 if it is ok to send an ICMP error response, -1 if we have
|
|
* hit our bandwidth limit and it is not ok.
|
|
*
|
|
* If icmplim is <= 0, the feature is disabled and 0 is returned.
|
|
*
|
|
* For now we separate the TCP and UDP subsystems w/ different 'which'
|
|
* values. We may eventually remove this separation (and simplify the
|
|
* code further).
|
|
*
|
|
* Note that the printing of the error message is delayed so we can
|
|
* properly print the icmp error rate that the system was trying to do
|
|
* (i.e. 22000/100 pps, etc...). This can cause long delays in printing
|
|
* the 'final' error, but it doesn't make sense to solve the printing
|
|
* delay with more complex code.
|
|
*/
|
|
|
|
int
|
|
badport_bandlim(int which)
|
|
{
|
|
#define N(a) (sizeof (a) / sizeof (a[0]))
|
|
static struct rate {
|
|
const char *type;
|
|
struct timeval lasttime;
|
|
int curpps;;
|
|
} rates[BANDLIM_MAX+1] = {
|
|
{ "icmp unreach response" },
|
|
{ "icmp ping response" },
|
|
{ "icmp tstamp response" },
|
|
{ "closed port RST response" },
|
|
{ "open port RST response" }
|
|
};
|
|
|
|
/*
|
|
* Return ok status if feature disabled or argument out of range.
|
|
*/
|
|
if (icmplim > 0 && (u_int) which < N(rates)) {
|
|
struct rate *r = &rates[which];
|
|
int opps = r->curpps;
|
|
|
|
if (!ppsratecheck(&r->lasttime, &r->curpps, icmplim))
|
|
return -1; /* discard packet */
|
|
/*
|
|
* If we've dropped below the threshold after having
|
|
* rate-limited traffic print the message. This preserves
|
|
* the previous behaviour at the expense of added complexity.
|
|
*/
|
|
if (icmplim_output && opps > icmplim)
|
|
printf("Limiting %s from %d to %d packets/sec\n",
|
|
r->type, opps, icmplim);
|
|
}
|
|
return 0; /* okay to send packet */
|
|
#undef N
|
|
}
|