authorMarkus Friedl <markus@cvs.openbsd.org>2008-05-09 02:44:56 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2008-05-09 02:44:56 +0000
commit6b5278216d3e945e7764e8fb4d6084731d9c1d42 (patch)
treee16579e8549035c8a3ce6525cf6278091980d103 /sys/netinet
parentbf10d8a20a778604168423fc81c27ee72bc63285 (diff)
divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/in_pcb.c22
-rw-r--r--sys/netinet/in_pcb.h5
-rw-r--r--sys/netinet/ip_input.c5
-rw-r--r--sys/netinet/raw_ip.c13
-rw-r--r--sys/netinet/tcp_input.c4
-rw-r--r--sys/netinet/tcp_usrreq.c4
-rw-r--r--sys/netinet/udp_usrreq.c4
7 files changed, 41 insertions, 16 deletions
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index ae5c16d9994..e3e8d58bdfa 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: in_pcb.c,v 1.94 2008/05/07 05:14:21 claudio Exp $ */
+/* $OpenBSD: in_pcb.c,v 1.95 2008/05/09 02:44:54 markus Exp $ */
/* $NetBSD: in_pcb.c,v 1.25 1996/02/13 23:41:53 christos Exp $ */
/*
@@ -68,6 +68,8 @@
* Research Laboratory (NRL).
*/
+#include "pf.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/mbuf.h>
@@ -80,6 +82,7 @@
#include <net/if.h>
#include <net/route.h>
+#include <net/pfvar.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -1009,17 +1012,24 @@ in6_pcbhashlookup(table, faddr, fport_arg, laddr, lport_arg)
* *.* <-> *.lport
*/
struct inpcb *
-in_pcblookup_listen(table, laddr, lport_arg, reverse)
- struct inpcbtable *table;
- struct in_addr laddr;
- u_int lport_arg;
- int reverse;
+in_pcblookup_listen(struct inpcbtable *table, struct in_addr laddr,
+ u_int lport_arg, int reverse, struct mbuf *m)
{
struct inpcbhead *head;
struct in_addr *key1, *key2;
struct inpcb *inp;
u_int16_t lport = lport_arg;
+#if NPF
+ if (m->m_pkthdr.pf.flags & PF_TAG_DIVERTED) {
+ struct pf_divert *divert;
+
+ if ((divert = pf_find_divert(m)) == NULL)
+ return (NULL);
+ key1 = key2 = &divert->addr.ipv4;
+ lport = divert->port;
+ } else
+#endif
if (reverse) {
key1 = &zeroin_addr;
key2 = &laddr;
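Review bot: The new test `m->m_pkthdr.pf.flags & PF_TAG_DIVERTED` at the top of in_pcblookup_listen() dereferences `m` unconditionally, but the tcp_usrreq.c hunk of this same commit changes tcp_ident() to pass `NULL` for that argument. On a kernel built with pf (`#if NPF`), that call would fault on a NULL pointer inside the kernel whenever it is reached, and tcp_ident's signature suggests it is driven by a userland request rather than by a packet. The guard should tolerate a missing mbuf, e.g. `if (m != NULL && (m->m_pkthdr.pf.flags & PF_TAG_DIVERTED)) {`, and the function comment should say that `m` may be NULL for lookups not tied to a received packet. The function body continues past the end of this hunk.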
diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h
index 3f7d2deab79..14ccabc67f2 100644
--- a/sys/netinet/in_pcb.h
+++ b/sys/netinet/in_pcb.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: in_pcb.h,v 1.59 2007/02/22 20:23:07 millert Exp $ */
+/* $OpenBSD: in_pcb.h,v 1.60 2008/05/09 02:44:54 markus Exp $ */
/* $NetBSD: in_pcb.h,v 1.14 1996/02/13 23:42:00 christos Exp $ */
/*
@@ -247,7 +247,8 @@ struct inpcb *
in_pcbhashlookup(struct inpcbtable *, struct in_addr,
u_int, struct in_addr, u_int);
struct inpcb *
- in_pcblookup_listen(struct inpcbtable *, struct in_addr, u_int, int);
+ in_pcblookup_listen(struct inpcbtable *, struct in_addr, u_int, int,
+ struct mbuf *);
#ifdef INET6
struct inpcb *
in6_pcbhashlookup(struct inpcbtable *, struct in6_addr *,
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 05b65ae94ef..93007462da2 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.158 2008/04/24 11:36:38 dlg Exp $ */
+/* $OpenBSD: ip_input.c,v 1.159 2008/05/09 02:44:54 markus Exp $ */
/* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
/*
@@ -389,6 +389,9 @@ ipv4_input(m)
(ia->ia_ifp->if_flags & IFF_UP))
goto ours;
+ if (m->m_pkthdr.pf.flags & PF_TAG_DIVERTED)
+ goto ours;
+
if (IN_MULTICAST(ip->ip_dst.s_addr)) {
struct in_multi *inm;
#ifdef MROUTING
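Review bot: The added `if (m->m_pkthdr.pf.flags & PF_TAG_DIVERTED) goto ours;` is not wrapped in `#if NPF`, unlike the two other PF_TAG_DIVERTED checks this commit adds in in_pcb.c and raw_ip.c. Whether ip_input.c still builds without pf depends on includes that are not visible in this hunk. The branch also skips the remaining destination checks, so local delivery rests entirely on the flag having been set by a pf divert rule. A short comment would make that trust assumption explicit, for example `/* diverted by pf: deliver locally even though ip_dst is not one of our addresses */`. ipv4_input() starts and ends outside the hunk.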
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index a92c9870bf3..3b621e57678 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: raw_ip.c,v 1.41 2008/05/02 06:49:32 ckuethe Exp $ */
+/* $OpenBSD: raw_ip.c,v 1.42 2008/05/09 02:44:54 markus Exp $ */
/* $NetBSD: raw_ip.c,v 1.25 1996/02/18 18:58:33 christos Exp $ */
/*
@@ -77,6 +77,7 @@
#include <net/if.h>
#include <net/route.h>
+#include <net/pfvar.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -131,6 +132,16 @@ rip_input(struct mbuf *m, ...)
#endif
if (inp->inp_ip.ip_p && inp->inp_ip.ip_p != ip->ip_p)
continue;
+#if NPF
+ if (m->m_pkthdr.pf.flags & PF_TAG_DIVERTED) {
+ struct pf_divert *divert;
+
+ if ((divert = pf_find_divert(m)) == NULL)
+ continue;
+ if (inp->inp_laddr.s_addr != divert->addr.ipv4.s_addr)
+ continue;
+ } else
+#endif
if (inp->inp_laddr.s_addr &&
inp->inp_laddr.s_addr != ip->ip_dst.s_addr)
continue;
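Review bot: In the diverted branch a socket matches only when `inp_laddr` equals the divert address exactly, whereas the non-diverted test just below lets a socket with a zero `inp_laddr` match any destination. If the stricter rule is intentional (it keeps diverted packets away from unrelated wildcard raw sockets), it deserves a comment such as `/* diverted packets go only to sockets bound to the divert address */`. Separately, `pf_find_divert(m)` does not depend on `inp`, yet the surrounding `continue` statements suggest it runs once per PCB. The loop header is outside the hunk, but the lookup could probably be done once before the loop.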
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index fa3bfc2eeff..ab26e50f401 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.213 2008/05/06 08:47:35 markus Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.214 2008/05/09 02:44:54 markus Exp $ */
/* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
/*
@@ -620,7 +620,7 @@ findpcb:
#endif /* INET6 */
case AF_INET:
inp = in_pcblookup_listen(&tcbtable,
- ip->ip_dst, th->th_dport, inpl_flags);
+ ip->ip_dst, th->th_dport, inpl_flags, m);
break;
}
/*
diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c
index 2e1750e00af..165bcdbecb3 100644
--- a/sys/netinet/tcp_usrreq.c
+++ b/sys/netinet/tcp_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_usrreq.c,v 1.95 2007/12/13 20:00:53 reyk Exp $ */
+/* $OpenBSD: tcp_usrreq.c,v 1.96 2008/05/09 02:44:54 markus Exp $ */
/* $NetBSD: tcp_usrreq.c,v 1.20 1996/02/13 23:44:16 christos Exp $ */
/*
@@ -867,7 +867,7 @@ tcp_ident(oldp, oldlenp, newp, newlen, dodrop)
#endif
case AF_INET:
inp = in_pcblookup_listen(&tcbtable,
- lin->sin_addr, lin->sin_port, 0);
+ lin->sin_addr, lin->sin_port, 0, NULL);
break;
}
}
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 2244f620efb..50d05b14710 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_usrreq.c,v 1.116 2008/05/02 06:49:32 ckuethe Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.117 2008/05/09 02:44:54 markus Exp $ */
/* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
/*
@@ -549,7 +549,7 @@ udp_input(struct mbuf *m, ...)
} else
#endif /* INET6 */
inp = in_pcblookup_listen(&udbtable,
- ip->ip_dst, uh->uh_dport, inpl_reverse);
+ ip->ip_dst, uh->uh_dport, inpl_reverse, m);
if (inp == 0) {
udpstat.udps_noport++;
if (m->m_flags & (M_BCAST | M_MCAST)) {