author | Stuart Henderson <sthen@cvs.openbsd.org> | 2014-03-28 08:33:52 +0000 |
---|---|---|
committer | Stuart Henderson <sthen@cvs.openbsd.org> | 2014-03-28 08:33:52 +0000 |
commit | 0a90147190d373b5095c738f1ca6b109b7f20e9c (patch) | |
tree | 7340b37510a26dad27eb4511e3a67b14033a1771 | |
parent | e2859ce1d1ec8b4a84b0441c6013497cc514ac6e (diff) |
revert "Retire kernel support for SO_DONTROUTE" diff, which does bad things
for localhost connections. discussed with deraadt@
-rw-r--r-- | lib/libc/sys/getsockopt.2 | 13 | ||||
-rw-r--r-- | lib/libc/sys/send.2 | 8 | ||||
-rw-r--r-- | sys/compat/linux/linux_socket.c | 4 | ||||
-rw-r--r-- | sys/kern/uipc_socket.c | 26 | ||||
-rw-r--r-- | sys/netinet/in_pcb.c | 25 | ||||
-rw-r--r-- | sys/netinet/ip_divert.c | 8 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 40 | ||||
-rw-r--r-- | sys/netinet/ip_var.h | 3 | ||||
-rw-r--r-- | sys/netinet/raw_ip.c | 4 | ||||
-rw-r--r-- | sys/netinet/tcp_output.c | 9 | ||||
-rw-r--r-- | sys/netinet/udp_usrreq.c | 6 | ||||
-rw-r--r-- | sys/netinet6/in6_src.c | 21 | ||||
-rw-r--r-- | sys/netinet6/ip6_divert.c | 5 |
13 files changed, 123 insertions, 49 deletions
diff --git a/lib/libc/sys/getsockopt.2 b/lib/libc/sys/getsockopt.2 index cefce112404..556ae778d73 100644 --- a/lib/libc/sys/getsockopt.2 +++ b/lib/libc/sys/getsockopt.2 @@ -1,4 +1,4 @@ -.\" $OpenBSD: getsockopt.2,v 1.44 2014/03/27 13:27:28 mpi Exp $ +.\" $OpenBSD: getsockopt.2,v 1.45 2014/03/28 08:33:51 sthen Exp $ .\" $NetBSD: getsockopt.2,v 1.7 1995/02/27 12:33:29 cgd Exp $ .\" .\" Copyright (c) 1983, 1991, 1993 @@ -30,7 +30,7 @@ .\" .\" @(#)getsockopt.2 8.3 (Berkeley) 4/19/94 .\" -.Dd $Mdocdate: March 27 2014 $ +.Dd $Mdocdate: March 28 2014 $ .Dt GETSOCKOPT 2 .Os .Sh NAME @@ -142,7 +142,7 @@ enables duplicate address and port bindings .It Dv SO_KEEPALIVE enables keep connections alive .It Dv SO_DONTROUTE -enables routing bypass; not supported +enables routing bypass for outgoing messages .It Dv SO_LINGER linger on close if data present .It Dv SO_BROADCAST @@ -195,6 +195,11 @@ Should the connected party fail to respond to these messages, the connection is considered broken and processes using the socket are notified via a .Dv SIGPIPE signal when attempting to send data. +.Dv SO_DONTROUTE +indicates that outgoing messages should +bypass the standard routing facilities. +Instead, messages are directed to the appropriate network interface +according to the network portion of the destination address. .Pp .Dv SO_LINGER controls the action taken when unsent messages @@ -466,8 +471,6 @@ The argument is a file, not a socket. .It Bq Er ENOPROTOOPT The option is unknown at the level indicated. -.It Bq Er EOPNOTSUPP -The option is unsupported. .It Bq Er EFAULT The address pointed to by .Fa optval diff --git a/lib/libc/sys/send.2 b/lib/libc/sys/send.2 index 2884dd658ed..53c30094a68 100644 --- a/lib/libc/sys/send.2 +++ b/lib/libc/sys/send.2 @@ -1,4 +1,4 @@ -.\" $OpenBSD: send.2,v 1.28 2014/03/27 13:27:28 mpi Exp $ +.\" $OpenBSD: send.2,v 1.29 2014/03/28 08:33:51 sthen Exp $ .\" $NetBSD: send.2,v 1.6 1996/01/15 01:17:18 thorpej Exp $ .\" .\" Copyright (c) 1983, 1991, 1993 
@@ -30,7 +30,7 @@ .\" .\" @(#)send.2 8.2 (Berkeley) 2/21/94 .\" -.Dd $Mdocdate: March 27 2014 $ +.Dd $Mdocdate: March 28 2014 $ .Dt SEND 2 .Os .Sh NAME @@ -99,7 +99,7 @@ parameter may include one or more of the following: .It Dv MSG_OOB process out-of-band data .It Dv MSG_DONTROUTE -bypass routing tables, silently ignored +bypass routing, use direct interface .It Dv MSG_NOSIGNAL don't send .Dv SIGPIPE @@ -116,6 +116,8 @@ data on sockets that support this notion (e.g., the underlying protocol must also support .Dq out-of-band data. +.Dv MSG_DONTROUTE +is usually used only by diagnostic or routing programs. .Dv MSG_NOSIGNAL is used to request not to send the .Dv SIGPIPE diff --git a/sys/compat/linux/linux_socket.c b/sys/compat/linux/linux_socket.c index 8df363627cf..be4a6dd24ef 100644 --- a/sys/compat/linux/linux_socket.c +++ b/sys/compat/linux/linux_socket.c @@ -1,4 +1,4 @@ -/* $OpenBSD: linux_socket.c,v 1.50 2014/03/27 13:27:28 mpi Exp $ */ +/* $OpenBSD: linux_socket.c,v 1.51 2014/03/28 08:33:51 sthen Exp $ */ /* $NetBSD: linux_socket.c,v 1.14 1996/04/05 00:01:50 christos Exp $ */ /* @@ -215,6 +215,8 @@ linux_to_bsd_msg_flags(int lflags) flags |= MSG_OOB; if (lflags & LINUX_MSG_PEEK) flags |= MSG_PEEK; + if (lflags & LINUX_MSG_DONTROUTE) + flags |= MSG_DONTROUTE; if (lflags & LINUX_MSG_DONTWAIT) flags |= MSG_DONTWAIT; if (lflags & LINUX_MSG_WAITALL) diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c index 22b23951459..583c6514ed1 100644 --- a/sys/kern/uipc_socket.c +++ b/sys/kern/uipc_socket.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uipc_socket.c,v 1.124 2014/03/27 13:27:28 mpi Exp $ */ +/* $OpenBSD: uipc_socket.c,v 1.125 2014/03/28 08:33:51 sthen Exp $ */ /* $NetBSD: uipc_socket.c,v 1.21 1996/02/04 02:17:52 christos Exp $ */ /* 
@@ -385,7 +385,7 @@ sosend(struct socket *so, struct mbuf *addr, struct uio *uio, struct mbuf *top, struct mbuf *m; long space, len, mlen, clen = 0; quad_t resid; - int error, s; + int error, s, dontroute; int atomic = sosendallatonce(so) || top; if (uio) @@ -405,6 +405,9 @@ sosend(struct socket *so, struct mbuf *addr, struct uio *uio, struct mbuf *top, error = EINVAL; goto out; } + dontroute = + (flags & MSG_DONTROUTE) && (so->so_options & SO_DONTROUTE) == 0 && + (so->so_proto->pr_flags & PR_ATOMIC); if (uio && uio->uio_procp) uio->uio_procp->p_ru.ru_msgsnd++; if (control) { @@ -519,6 +522,8 @@ nopages: break; } } while (space > 0 && atomic); + if (dontroute) + so->so_options |= SO_DONTROUTE; s = splsoftnet(); /* XXX */ if (resid <= 0) so->so_state &= ~SS_ISSENDING; @@ -526,6 +531,8 @@ nopages: (flags & MSG_OOB) ? PRU_SENDOOB : PRU_SEND, top, addr, control, curproc); splx(s); + if (dontroute) + so->so_options &= ~SO_DONTROUTE; clen = 0; control = 0; top = 0; @@ -1476,6 +1483,7 @@ sosetopt(struct socket *so, int level, int optname, struct mbuf *m0) case SO_BINDANY: case SO_DEBUG: case SO_KEEPALIVE: + case SO_DONTROUTE: case SO_USELOOPBACK: case SO_BROADCAST: case SO_REUSEADDR: @@ -1492,15 +1500,6 @@ sosetopt(struct socket *so, int level, int optname, struct mbuf *m0) so->so_options &= ~optname; break; - case SO_DONTROUTE: - if (m == NULL || m->m_len < sizeof (int)) { - error = EINVAL; - goto bad; - } - if (*mtod(m, int *)) - error = EOPNOTSUPP; - break; - case SO_SNDBUF: case SO_RCVBUF: case SO_SNDLOWAT: @@ -1659,6 +1658,7 @@ sogetopt(struct socket *so, int level, int optname, struct mbuf **mp) case SO_BINDANY: case SO_USELOOPBACK: + case SO_DONTROUTE: case SO_DEBUG: case SO_KEEPALIVE: case SO_REUSEADDR: @@ -1669,10 +1669,6 @@ sogetopt(struct socket *so, int level, int optname, struct mbuf **mp) *mtod(m, int *) = so->so_options & optname; break; - case SO_DONTROUTE: - *mtod(m, int *) = 0; - break; - case SO_TYPE: *mtod(m, int *) = so->so_type; break; 
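Review bot: In sosend() the per-message flag is honoured only when `so->so_proto->pr_flags & PR_ATOMIC` is set, so MSG_DONTROUTE on a stream socket is dropped without an error, while the send.2 text changed in this same commit no longer says the flag may be ignored. A comment above the `dontroute =` assignment would record this, e.g. `/* MSG_DONTROUTE is applied per message only for PR_ATOMIC protocols; otherwise it is ignored here */`. The flag is implemented by setting `SO_DONTROUTE` in `so->so_options` before `splsoftnet()` and clearing it after `splx(s)`, so the shared option word is modified outside the protected section; whether another sender on the same socket can observe the temporary bit depends on locking that is not visible in these hunks. sosend's body continues outside the hunks.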
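Review bot: With `case SO_DONTROUTE:` moved into the generic boolean group in sosetopt() (@@ -1476), the option is accepted from any caller that reaches this switch; no privilege check appears in the hunk. For such sockets the ip_output() hunk in this commit selects the interface by address match instead of a route lookup, so restrictions expressed only as routing-table entries presumably do not apply to their on-link traffic. If that is intended, say so next to the case label, e.g. `/* unprivileged by design: limits delivery to directly attached networks */`, so the decision is visible to anyone auditing the option list.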
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index 28012438f98..db67fbaa95c 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in_pcb.c,v 1.148 2014/03/27 13:27:28 mpi Exp $ */ +/* $OpenBSD: in_pcb.c,v 1.149 2014/03/28 08:33:51 sthen Exp $ */ /* $NetBSD: in_pcb.c,v 1.25 1996/02/13 23:41:53 christos Exp $ */ /* @@ -817,12 +817,14 @@ in_selectsrc(struct sockaddr_in *sin, struct route *ro, int soopts, * If route is known or can be allocated now, * our src addr is taken from the i/f, else punt. */ - if (ro->ro_rt && ((ro->ro_rt->rt_flags & RTF_UP) == 0 || - (satosin(&ro->ro_dst)->sin_addr.s_addr != sin->sin_addr.s_addr))) { + if (ro->ro_rt && (!(ro->ro_rt->rt_flags & RTF_UP) || + (satosin(&ro->ro_dst)->sin_addr.s_addr != sin->sin_addr.s_addr || + soopts & SO_DONTROUTE))) { RTFREE(ro->ro_rt); ro->ro_rt = NULL; } - if ((ro->ro_rt == NULL || ro->ro_rt->rt_ifp == NULL)) { + if ((soopts & SO_DONTROUTE) == 0 && /*XXX*/ + (ro->ro_rt == NULL || ro->ro_rt->rt_ifp == NULL)) { /* No route yet, so try to acquire one */ ro->ro_dst.sa_family = AF_INET; ro->ro_dst.sa_len = sizeof(struct sockaddr_in); @@ -847,8 +849,19 @@ in_selectsrc(struct sockaddr_in *sin, struct route *ro, int soopts, !(ro->ro_rt->rt_ifp->if_flags & IFF_LOOPBACK)) ia = ifatoia(ro->ro_rt->rt_ifa); if (ia == 0) { - *errorp = EADDRNOTAVAIL; - return (NULL); + u_int16_t fport = sin->sin_port; + + sin->sin_port = 0; + ia = ifatoia(ifa_ifwithdstaddr(sintosa(sin), rtableid)); + if (ia == 0) + ia = ifatoia(ifa_ifwithnet(sintosa(sin), rtableid)); + sin->sin_port = fport; + if (ia == 0) + ia = TAILQ_FIRST(&in_ifaddr); + if (ia == 0) { + *errorp = EADDRNOTAVAIL; + return NULL; + } } return (&ia->ia_addr); } diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c index 947f5205b2e..6ac2f0688e2 100644 --- a/sys/netinet/ip_divert.c +++ b/sys/netinet/ip_divert.c 
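Review bot: The last fallback in in_selectsrc() (@@ -847), `ia = TAILQ_FIRST(&in_ifaddr);`, ignores `rtableid`, unlike the two lookups just above it, which pass `rtableid` to `ifa_ifwithdstaddr()` and `ifa_ifwithnet()`. As written, the first address on the global list can be returned as the source where the previous code returned EADDRNOTAVAIL, and the block runs whenever `ia == 0`, not only when `SO_DONTROUTE` is set. Whether `in_ifaddr` holds addresses from more than one routing table is not visible here, so either restrict the fallback to `rtableid` or add a comment stating why any configured address is acceptable. In the @@ -817 hunk, `soopts & SO_DONTROUTE` inside the `||` chain would read better as `(soopts & SO_DONTROUTE)`, and the `/*XXX*/` marker should say what is unresolved. in_selectsrc's body continues outside both hunks.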
@@ -1,4 +1,4 @@ -/* $OpenBSD: ip_divert.c,v 1.17 2014/03/27 13:27:28 mpi Exp $ */ +/* $OpenBSD: ip_divert.c,v 1.18 2014/03/28 08:33:51 sthen Exp $ */ /* * Copyright (c) 2009 Michele Marchetto <michele@openbsd.org> @@ -180,8 +180,10 @@ divert_output(struct mbuf *m, ...) schednetisr(NETISR_IP); splx(s); } else { - error = ip_output(m, NULL, &inp->inp_route, - IP_ALLOWBROADCAST | IP_RAWOUTPUT, NULL, NULL); + error = ip_output(m, (void *)NULL, &inp->inp_route, + ((so->so_options & SO_DONTROUTE) ? IP_ROUTETOIF : 0) + | IP_ALLOWBROADCAST | IP_RAWOUTPUT, (void *)NULL, + (void *)NULL); if (error == EACCES) /* translate pf(4) error for userland */ error = EHOSTUNREACH; } diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 6d490bc5700..03a6a782028 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_output.c,v 1.258 2014/03/27 13:27:28 mpi Exp $ */ +/* $OpenBSD: ip_output.c,v 1.259 2014/03/28 08:33:51 sthen Exp $ */ /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ /* @@ -194,7 +194,23 @@ ip_output(struct mbuf *m0, struct mbuf *opt, struct route *ro, int flags, ro->ro_tableid = m->m_pkthdr.rdomain; } - if ((IN_MULTICAST(ip->ip_dst.s_addr) || + /* + * If routing to interface only, short-circuit routing lookup. + */ + if (flags & IP_ROUTETOIF) { + if ((ia = ifatoia(ifa_ifwithdstaddr(sintosa(dst), + m->m_pkthdr.rdomain))) == 0 && + (ia = ifatoia(ifa_ifwithnet(sintosa(dst), + m->m_pkthdr.rdomain))) == 0) { + ipstat.ips_noroute++; + error = ENETUNREACH; + goto bad; + } + + ifp = ia->ia_ifp; + mtu = ifp->if_mtu; + ip->ip_ttl = 1; + } else if ((IN_MULTICAST(ip->ip_dst.s_addr) || (ip->ip_dst.s_addr == INADDR_BROADCAST)) && imo != NULL && imo->imo_multicast_ifp != NULL) { ifp = imo->imo_multicast_ifp; 
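Review bot: `ip->ip_ttl = 1;` in the new `IP_ROUTETOIF` branch of ip_output() rewrites the TTL without explanation, and divert_output() in this same commit passes `IP_ROUTETOIF` together with `IP_RAWOUTPUT`, so a caller-supplied header is modified as well. If the intent is to keep the packet on the attached network, add a comment such as `/* on-link delivery only: do not let the packet be forwarded past the first hop */`, and confirm that the header checksum is computed after this point, which the hunk does not show. The same block is repeated verbatim at `reroute:` (@@ -344), so the comment should be added there too and the two copies kept in sync. ip_output's body continues outside the hunk.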
@@ -344,7 +360,23 @@ reroute: ro->ro_tableid = m->m_pkthdr.rdomain; } - if ((IN_MULTICAST(ip->ip_dst.s_addr) || + /* + * If routing to interface only, short-circuit routing lookup. + */ + if (flags & IP_ROUTETOIF) { + if ((ia = ifatoia(ifa_ifwithdstaddr(sintosa(dst), + m->m_pkthdr.rdomain))) == 0 && + (ia = ifatoia(ifa_ifwithnet(sintosa(dst), + m->m_pkthdr.rdomain))) == 0) { + ipstat.ips_noroute++; + error = ENETUNREACH; + goto bad; + } + + ifp = ia->ia_ifp; + mtu = ifp->if_mtu; + ip->ip_ttl = 1; + } else if ((IN_MULTICAST(ip->ip_dst.s_addr) || (ip->ip_dst.s_addr == INADDR_BROADCAST)) && imo != NULL && imo->imo_multicast_ifp != NULL) { ifp = imo->imo_multicast_ifp; @@ -720,7 +752,7 @@ sendit: ipstat.ips_fragmented++; done: - if (ro == &iproute && ro->ro_rt) + if (ro == &iproute && (flags & IP_ROUTETOIF) == 0 && ro->ro_rt) RTFREE(ro->ro_rt); return (error); bad: diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h index 8abdd451a27..0d90a82969c 100644 --- a/sys/netinet/ip_var.h +++ b/sys/netinet/ip_var.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_var.h,v 1.53 2014/03/27 13:27:28 mpi Exp $ */ +/* $OpenBSD: ip_var.h,v 1.54 2014/03/28 08:33:51 sthen Exp $ */ /* $NetBSD: ip_var.h,v 1.16 1996/02/13 23:43:20 christos Exp $ */ /* @@ -140,6 +140,7 @@ struct ipq { /* flags passed to ip_output as last parameter */ #define IP_FORWARDING 0x1 /* most of ip header exists */ #define IP_RAWOUTPUT 0x2 /* raw ip header exists */ +#define IP_ROUTETOIF SO_DONTROUTE /* bypass routing tables */ #define IP_ALLOWBROADCAST SO_BROADCAST /* can send broadcast packets */ #define IP_MTUDISC 0x0800 /* pmtu discovery, set DF */ #define IP_ROUTETOETHER 0x1000 /* ether addresses given */ diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c index 3b6cbe590f7..91d22a49987 100644 --- a/sys/netinet/raw_ip.c +++ b/sys/netinet/raw_ip.c 
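Review bot: `#define IP_ROUTETOIF SO_DONTROUTE` in ip_var.h makes an ip_output() flag share its value with a socket option bit, and callers in this commit depend on that by passing `so->so_options & SO_DONTROUTE` straight through as flags (rip_output, tcp_output, udp_output). Nothing in the hunk ensures the value stays distinct from the literal flags defined beside it (`IP_FORWARDING`, `IP_RAWOUTPUT`, `IP_MTUDISC`, `IP_ROUTETOETHER`). The trailing comment could state the dependency, e.g. `/* bypass routing tables; same bit as SO_DONTROUTE, must not overlap the literal IP_* flags */`, and a compile-time assertion on the overlap would make it enforceable.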
@@ -1,4 +1,4 @@ -/* $OpenBSD: raw_ip.c,v 1.68 2014/03/27 13:27:28 mpi Exp $ */ +/* $OpenBSD: raw_ip.c,v 1.69 2014/03/28 08:33:51 sthen Exp $ */ /* $NetBSD: raw_ip.c,v 1.25 1996/02/18 18:58:33 christos Exp $ */ /* @@ -218,7 +218,7 @@ rip_output(struct mbuf *m, ...) va_end(ap); inp = sotoinpcb(so); - flags = IP_ALLOWBROADCAST; + flags = (so->so_options & SO_DONTROUTE) | IP_ALLOWBROADCAST; /* * If the user handed us a complete IP packet, use it. diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c index d0633905556..7eec9e2d4c6 100644 --- a/sys/netinet/tcp_output.c +++ b/sys/netinet/tcp_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_output.c,v 1.102 2014/03/27 13:27:28 mpi Exp $ */ +/* $OpenBSD: tcp_output.c,v 1.103 2014/03/28 08:33:51 sthen Exp $ */ /* $NetBSD: tcp_output.c,v 1.16 1997/06/03 16:17:09 kml Exp $ */ /* @@ -1076,7 +1076,9 @@ send: } error = ip_output(m, tp->t_inpcb->inp_options, &tp->t_inpcb->inp_route, - (ip_mtudisc ? IP_MTUDISC : 0), NULL, tp->t_inpcb); + (ip_mtudisc ? IP_MTUDISC : 0) | + (so->so_options & SO_DONTROUTE), + (void *)NULL, tp->t_inpcb); break; #endif /* INET */ #ifdef INET6 @@ -1097,7 +1099,8 @@ send: } error = ip6_output(m, tp->t_inpcb->inp_outputopts6, &tp->t_inpcb->inp_route6, - 0, NULL, NULL, tp->t_inpcb); + (so->so_options & SO_DONTROUTE), NULL, NULL, + tp->t_inpcb); break; #endif /* INET6 */ } diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index b85330eeec0..17f69795b40 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: udp_usrreq.c,v 1.175 2014/03/27 13:27:28 mpi Exp $ */ +/* $OpenBSD: udp_usrreq.c,v 1.176 2014/03/28 08:33:51 sthen Exp $ */ /* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */ /* 
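Review bot: In the INET6 branch of tcp_output (@@ -1097) the socket bit is passed as `(so->so_options & SO_DONTROUTE)` in the flags argument of ip6_output(), and divert6_output() (@@ -180 in ip6_divert.c) passes `IP_ROUTETOIF | IP_ALLOWBROADCAST | IP_RAWOUTPUT`, which are IPv4 flag names. ip6_output()'s flag definitions are not part of this diff, so it is unclear whether these bits are ignored there or coincide with an unrelated IPv6 output flag; the in6_src.c hunk keeps the IPv6 counterpart of the source selection under `#if 0`, which suggests the option is not implemented for IPv6. A comment at both call sites saying what ip6_output() does with the bit would settle this, or the argument could stay `0` until the IPv6 path supports it. Separately, the @@ -1076 hunk mixes `(void *)NULL` with plain `NULL` elsewhere in the file; plain `NULL` is enough.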
@@ -1090,8 +1090,8 @@ udp_output(struct mbuf *m, ...) m->m_pkthdr.rdomain = inp->inp_rtableid; error = ip_output(m, inp->inp_options, &inp->inp_route, - (inp->inp_socket->so_options & SO_BROADCAST) | IP_IPSECFLOW, - inp->inp_moptions, inp, ipsecflowinfo); + (inp->inp_socket->so_options & (SO_DONTROUTE | SO_BROADCAST)) + |IP_IPSECFLOW, inp->inp_moptions, inp, ipsecflowinfo); if (error == EACCES) /* translate pf(4) error for userland */ error = EHOSTUNREACH; diff --git a/sys/netinet6/in6_src.c b/sys/netinet6/in6_src.c index 5ab4fab4bfe..127471aa920 100644 --- a/sys/netinet6/in6_src.c +++ b/sys/netinet6/in6_src.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in6_src.c,v 1.39 2014/03/27 13:27:28 mpi Exp $ */ +/* $OpenBSD: in6_src.c,v 1.40 2014/03/28 08:33:51 sthen Exp $ */ /* $KAME: in6_src.c,v 1.36 2001/02/06 04:08:17 itojun Exp $ */ /* @@ -286,6 +286,25 @@ in6_selectsrc(struct sockaddr_in6 *dstsock, struct ip6_pktopts *opts, if (ia6 == 0) /* xxx scope error ?*/ ia6 = ifatoia6(ro->ro_rt->rt_ifa); } +#if 0 + /* + * xxx The followings are necessary? (kazu) + * I don't think so. + * It's for SO_DONTROUTE option in IPv4.(jinmei) + */ + if (ia6 == 0) { + struct sockaddr_in6 sin6 = {sizeof(sin6), AF_INET6, 0}; + + sin6->sin6_addr = *dst; + + ia6 = ifatoia6(ifa_ifwithdstaddr(sin6tosa(&sin6))); + if (ia6 == 0) + ia6 = ifatoia6(ifa_ifwithnet(sin6tosa(&sin6))); + if (ia6 == 0) + return (0); + return (&ia6->ia_addr.sin6_addr); + } +#endif /* 0 */ if (ia6 == 0) { *errorp = EHOSTUNREACH; /* no route */ return (0); diff --git a/sys/netinet6/ip6_divert.c b/sys/netinet6/ip6_divert.c index 3d4bdbfab63..46b555ae124 100644 --- a/sys/netinet6/ip6_divert.c +++ b/sys/netinet6/ip6_divert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_divert.c,v 1.18 2014/03/27 13:27:28 mpi Exp $ */ +/* $OpenBSD: ip6_divert.c,v 1.19 2014/03/28 08:33:51 sthen Exp $ */ /* * Copyright (c) 2009 Michele Marchetto <michele@openbsd.org> 
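Review bot: The block restored under `#if 0` in in6_selectsrc() (@@ -286) would not compile if it were enabled: `sin6` is declared as a `struct sockaddr_in6` object but is used as `sin6->sin6_addr`, and `ifa_ifwithdstaddr()` and `ifa_ifwithnet()` are called with one argument where the in_pcb.c hunk of this commit passes a second `rtableid` argument. Its own comment says the code is not needed, so it would be clearer to delete it or replace it with a single comment, for example `/* no SO_DONTROUTE source selection for IPv6 */` if that is the case. in6_selectsrc's body continues outside the hunk.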
@@ -180,7 +180,8 @@ divert6_output(struct mbuf *m, ...) splx(s); } else { error = ip6_output(m, NULL, &inp->inp_route6, - IP_ALLOWBROADCAST | IP_RAWOUTPUT, NULL, NULL, NULL); + ((so->so_options & SO_DONTROUTE) ? IP_ROUTETOIF : 0) + | IP_ALLOWBROADCAST | IP_RAWOUTPUT, NULL, NULL, NULL); } div6stat.divs_opackets++; |