authormpi <mpi@openbsd.org>2015-07-16 21:14:21 +0000
committermpi <mpi@openbsd.org>2015-07-16 21:14:21 +0000
commit1f52aa9f8c42c356774913c6b5758f047e17186e (patch)
treef92900b77269cbb658158d45c0f47fd5bc13cd20
parentFix a backward compare in boot argument parsing, and clarify a comment that (diff)
Kill IP_ROUTETOETHER.
This pseudo-option is a hack to support return-rst on bridge(4). It passes Ethernet information via a "struct route" through ip_output(). "struct route" is slowly dying... ok claudio@, benno@
-rw-r--r--sys/net/if_bridge.c9
-rw-r--r--sys/net/pf.c56
-rw-r--r--sys/net/pfvar.h7
-rw-r--r--sys/netinet/ip_input.c4
-rw-r--r--sys/netinet/ip_output.c17
-rw-r--r--sys/netinet/ip_var.h3
-rw-r--r--sys/netinet6/ip6_forward.c6
-rw-r--r--sys/netinet6/ip6_input.c4
-rw-r--r--sys/netinet6/ip6_output.c6
9 files changed, 37 insertions, 75 deletions
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index cd9fcb232ac..4fcb1974ffa 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_bridge.c,v 1.253 2015/07/15 22:16:41 deraadt Exp $ */
+/* $OpenBSD: if_bridge.c,v 1.254 2015/07/16 21:14:21 mpi Exp $ */
/*
* Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net)
@@ -2193,8 +2193,7 @@ bridge_ipsec(struct bridge_softc *sc, struct ifnet *ifp,
#if NPF > 0
if ((encif = enc_getif(tdb->tdb_rdomain,
tdb->tdb_tap)) == NULL ||
- pf_test(af, dir, encif,
- &m, NULL) != PF_PASS) {
+ pf_test(af, dir, encif, &m) != PF_PASS) {
m_freem(m);
return (1);
}
@@ -2344,7 +2343,7 @@ bridge_ip(struct bridge_softc *sc, int dir, struct ifnet *ifp,
#endif /* IPSEC */
#if NPF > 0
/* Finally, we get to filter the packet! */
- if (pf_test(AF_INET, dir, ifp, &m, eh) != PF_PASS)
+ if (pf_test(AF_INET, dir, ifp, &m) != PF_PASS)
goto dropit;
if (m == NULL)
goto dropit;
@@ -2400,7 +2399,7 @@ bridge_ip(struct bridge_softc *sc, int dir, struct ifnet *ifp,
#endif /* IPSEC */
#if NPF > 0
- if (pf_test(AF_INET6, dir, ifp, &m, eh) != PF_PASS)
+ if (pf_test(AF_INET6, dir, ifp, &m) != PF_PASS)
goto dropit;
if (m == NULL)
return (NULL);
diff --git a/sys/net/pf.c b/sys/net/pf.c
index f221ec582e4..fd27045de51 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.923 2015/07/16 16:12:15 mpi Exp $ */
+/* $OpenBSD: pf.c,v 1.924 2015/07/16 21:14:21 mpi Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -56,6 +56,7 @@
#include <crypto/sha2.h>
#include <net/if.h>
+#include <net/if_var.h>
#include <net/if_types.h>
#include <net/route.h>
#include <net/radix_mpath.h>
@@ -73,7 +74,6 @@
#include <netinet/tcp_fsm.h>
#include <netinet/udp_var.h>
#include <netinet/icmp_var.h>
-#include <netinet/if_ether.h>
#include <netinet/ip_divert.h>
#include <net/pfvar.h>
@@ -162,8 +162,7 @@ void pf_send_tcp(const struct pf_rule *, sa_family_t,
const struct pf_addr *, const struct pf_addr *,
u_int16_t, u_int16_t, u_int32_t, u_int32_t,
u_int8_t, u_int16_t, u_int16_t, u_int8_t, int,
- u_int16_t, u_int, struct ether_header *,
- struct ifnet *);
+ u_int16_t, u_int);
void pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t,
sa_family_t, struct pf_rule *, u_int);
void pf_detach_state(struct pf_state *);
@@ -1262,7 +1261,7 @@ pf_unlink_state(struct pf_state *cur)
cur->key[PF_SK_WIRE]->port[0],
cur->src.seqhi, cur->src.seqlo + 1,
TH_RST|TH_ACK, 0, 0, 0, 1, cur->tag,
- cur->key[PF_SK_WIRE]->rdomain, NULL, NULL);
+ cur->key[PF_SK_WIRE]->rdomain);
}
RB_REMOVE(pf_state_tree_id, &tree_id, cur);
#if NPFLOW > 0
@@ -2295,7 +2294,7 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t af,
const struct pf_addr *saddr, const struct pf_addr *daddr,
u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack,
u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, int tag,
- u_int16_t rtag, u_int rdom, struct ether_header *eh, struct ifnet *ifp)
+ u_int16_t rtag, u_int rdom)
{
struct mbuf *m;
int len, tlen;
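Review bot: pf_send_tcp still takes fifteen positional arguments after this trim, and the trailing ones (`win`, `mss`, `ttl`, `tag`, `rtag`, `rdom`) are all plain integers, so a transposed argument at a call site compiles silently. The call sites in this commit pass runs such as `0, 0, 0, 1, cur->tag, cur->key[PF_SK_WIRE]->rdomain`, which cannot be checked by eye without the prototype open. Since `rdom` is fed from `pd->rdomain` and `sk->rdomain`, a slip there would presumably emit the reply in the wrong routing domain. A header comment above the definition that lists the arguments in order and says what `tag`, `rtag` and `rdom` select would make the call sites reviewable. The body of pf_send_tcp continues outside this hunk.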
@@ -2392,26 +2391,7 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t af,
switch (af) {
case AF_INET:
- if (eh == NULL) {
- ip_output(m, NULL, NULL, 0, NULL, NULL, 0);
- } else {
- struct route ro;
- struct rtentry rt;
- struct ether_header *e = (void *)ro.ro_dst.sa_data;
-
- if (ifp == NULL) {
- m_freem(m);
- return;
- }
- rt.rt_ifp = ifp;
- ro.ro_rt = &rt;
- ro.ro_dst.sa_len = sizeof(ro.ro_dst);
- ro.ro_dst.sa_family = pseudo_AF_HDRCMPLT;
- memcpy(e->ether_shost, eh->ether_dhost, ETHER_ADDR_LEN);
- memcpy(e->ether_dhost, eh->ether_shost, ETHER_ADDR_LEN);
- e->ether_type = eh->ether_type;
- ip_output(m, NULL, &ro, IP_ROUTETOETHER, NULL, NULL, 0);
- }
+ ip_output(m, NULL, NULL, 0, NULL, NULL, 0);
break;
#ifdef INET6
case AF_INET6:
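Review bot: With the `eh != NULL` branch removed, every AF_INET reply built in pf_send_tcp leaves through `ip_output(m, NULL, NULL, 0, NULL, NULL, 0)`, so a return-rst for a packet filtered on bridge(4) is now sent by route lookup rather than back to the Ethernet source of the offending frame. On a bridge that has no route to that source the reset would presumably never reach the sender, turning a `block return-rst` rule into a silent drop, and nothing in the new code records that this is the accepted trade-off. A comment above the switch, e.g. `/* Replies are always routed; there is no layer 2 shortcut for bridge(4) any more. */`, would make that visible to anyone debugging a filtering bridge. The switch and the rest of pf_send_tcp start and end outside this hunk.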
@@ -3317,8 +3297,7 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm,
pf_send_tcp(r, pd->af, pd->dst,
pd->src, th->th_dport, th->th_sport,
ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0,
- r->return_ttl, 1, 0, pd->rdomain,
- pd->eh, pd->kif->pfik_ifp);
+ r->return_ttl, 1, 0, pd->rdomain);
}
} else if ((pd->proto != IPPROTO_ICMP ||
ICMP_INFOTYPE(icmptype)) && pd->af == AF_INET &&
@@ -3598,8 +3577,7 @@ pf_create_state(struct pf_pdesc *pd, struct pf_rule *r, struct pf_rule *a,
s->src.mss = mss;
pf_send_tcp(r, pd->af, pd->dst, pd->src, th->th_dport,
th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1,
- TH_SYN|TH_ACK, 0, s->src.mss, 0, 1, 0, pd->rdomain,
- NULL, NULL);
+ TH_SYN|TH_ACK, 0, s->src.mss, 0, 1, 0, pd->rdomain);
REASON_SET(&reason, PFRES_SYNPROXY);
return (PF_SYNPROXY_DROP);
}
@@ -4066,7 +4044,7 @@ pf_tcp_track_full(struct pf_pdesc *pd, struct pf_state_peer *src,
th->th_sport, ntohl(th->th_ack), 0,
TH_RST, 0, 0,
(*state)->rule.ptr->return_ttl, 1, 0,
- pd->rdomain, pd->eh, pd->kif->pfik_ifp);
+ pd->rdomain);
src->seqlo = 0;
src->seqhi = 1;
src->max_win = 1;
@@ -4189,7 +4167,7 @@ pf_synproxy(struct pf_pdesc *pd, struct pf_state **state, u_short *reason)
pd->src, th->th_dport, th->th_sport,
(*state)->src.seqhi, ntohl(th->th_seq) + 1,
TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1,
- 0, pd->rdomain, NULL, NULL);
+ 0, pd->rdomain);
REASON_SET(reason, PFRES_SYNPROXY);
return (PF_SYNPROXY_DROP);
} else if ((th->th_flags & (TH_ACK|TH_RST|TH_FIN)) != TH_ACK ||
@@ -4222,7 +4200,7 @@ pf_synproxy(struct pf_pdesc *pd, struct pf_state **state, u_short *reason)
sk->port[pd->sidx], sk->port[pd->didx],
(*state)->dst.seqhi, 0, TH_SYN, 0,
(*state)->src.mss, 0, 0, (*state)->tag,
- sk->rdomain, NULL, NULL);
+ sk->rdomain);
REASON_SET(reason, PFRES_SYNPROXY);
return (PF_SYNPROXY_DROP);
} else if (((th->th_flags & (TH_SYN|TH_ACK)) !=
@@ -4237,13 +4215,13 @@ pf_synproxy(struct pf_pdesc *pd, struct pf_state **state, u_short *reason)
pd->src, th->th_dport, th->th_sport,
ntohl(th->th_ack), ntohl(th->th_seq) + 1,
TH_ACK, (*state)->src.max_win, 0, 0, 0,
- (*state)->tag, pd->rdomain, NULL, NULL);
+ (*state)->tag, pd->rdomain);
pf_send_tcp((*state)->rule.ptr, pd->af,
&sk->addr[pd->sidx], &sk->addr[pd->didx],
sk->port[pd->sidx], sk->port[pd->didx],
(*state)->src.seqhi + 1, (*state)->src.seqlo + 1,
TH_ACK, (*state)->dst.max_win, 0, 0, 1,
- 0, sk->rdomain, NULL, NULL);
+ 0, sk->rdomain);
(*state)->src.seqdiff = (*state)->dst.seqhi -
(*state)->src.seqlo;
(*state)->dst.seqdiff = (*state)->src.seqhi -
@@ -5519,7 +5497,7 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
if (oifp != ifp) {
- if (pf_test(AF_INET, PF_OUT, ifp, &m0, NULL) != PF_PASS)
+ if (pf_test(AF_INET, PF_OUT, ifp, &m0) != PF_PASS)
goto bad;
else if (m0 == NULL)
goto done;
@@ -5663,7 +5641,7 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
goto bad;
if (oifp != ifp) {
- if (pf_test(AF_INET6, PF_OUT, ifp, &m0, NULL) != PF_PASS)
+ if (pf_test(AF_INET6, PF_OUT, ifp, &m0) != PF_PASS)
goto bad;
else if (m0 == NULL)
goto done;
@@ -6273,8 +6251,7 @@ pf_counters_inc(int action, struct pf_pdesc *pd, struct pf_state *s,
}
int
-pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0,
- struct ether_header *eh)
+pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0)
{
struct pfi_kif *kif;
u_short action, reason = 0;
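Review bot: pf_test has no comment stating what happens to `*m0`, and the call sites in this commit suggest the contract is easy to miss. ipv4_input, ip6_input, bridge_ip and pf_route all test the mbuf pointer for NULL after a PF_PASS result, while the enc_getif() call sites only show the failure path in their hunks. Since the signature is being changed anyway, a header comment such as `/* May consume the mbuf: *m0 can be NULL on return even when PF_PASS is returned. */` would record that for the next caller. This is inferred from the call sites; the body of pf_test lies outside the hunk and should be checked before the wording is fixed.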
@@ -6353,7 +6330,6 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0,
goto done;
}
}
- pd.eh = eh;
pd.m->m_pkthdr.pf.flags |= PF_TAG_PROCESSED;
switch (pd.virtual_proto) {
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 69541b70a72..fe018d9b48e 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.415 2015/06/05 13:22:34 mikeb Exp $ */
+/* $OpenBSD: pfvar.h,v 1.416 2015/07/16 21:14:21 mpi Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1255,8 +1255,6 @@ struct pf_pdesc {
struct pfi_kif *kif; /* incoming interface */
struct mbuf *m; /* mbuf containing the packet */
- struct ether_header
- *eh;
struct pf_addr *src; /* src address */
struct pf_addr *dst; /* dst address */
u_int16_t *pcksum; /* proto cksum */
@@ -1804,8 +1802,7 @@ int pf_setup_pdesc(struct pf_pdesc *, void *,
sa_family_t, int, struct pfi_kif *,
struct mbuf *, u_short *);
-int pf_test(sa_family_t, int, struct ifnet *, struct mbuf **,
- struct ether_header *);
+int pf_test(sa_family_t, int, struct ifnet *, struct mbuf **);
void pf_poolmask(struct pf_addr *, struct pf_addr*,
struct pf_addr *, struct pf_addr *, sa_family_t);
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 70670c0ab1c..c9019f38d6a 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.251 2015/06/16 11:09:40 mpi Exp $ */
+/* $OpenBSD: ip_input.c,v 1.252 2015/07/16 21:14:21 mpi Exp $ */
/* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
/*
@@ -315,7 +315,7 @@ ipv4_input(struct mbuf *m)
* Packet filter
*/
pfrdr = ip->ip_dst.s_addr;
- if (pf_test(AF_INET, PF_IN, ifp, &m, NULL) != PF_PASS)
+ if (pf_test(AF_INET, PF_IN, ifp, &m) != PF_PASS)
goto bad;
if (m == NULL)
return;
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 60a8e432c70..ad99e2f039d 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.285 2015/07/15 22:16:42 deraadt Exp $ */
+/* $OpenBSD: ip_output.c,v 1.286 2015/07/16 21:14:21 mpi Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
@@ -158,10 +158,6 @@ ip_output(struct mbuf *m0, struct mbuf *opt, struct route *ro, int flags,
* though (e.g., traceroute) have a source address of zeroes.
*/
if (ip->ip_src.s_addr == INADDR_ANY) {
- if (flags & IP_ROUTETOETHER) {
- error = EINVAL;
- goto bad;
- }
donerouting = 1;
if (ro == NULL) {
@@ -291,12 +287,7 @@ reroute:
done_spd:
#endif /* IPSEC */
- if (flags & IP_ROUTETOETHER) {
- dst = satosin(&ro->ro_dst);
- ifp = ro->ro_rt->rt_ifp;
- mtu = ifp->if_mtu;
- ro->ro_rt = NULL;
- } else if (donerouting == 0) {
+ if (donerouting == 0) {
if (ro == NULL) {
ro = &iproute;
memset(ro, 0, sizeof(*ro));
@@ -515,7 +506,7 @@ sendit:
#if NPF > 0
if ((encif = enc_getif(tdb->tdb_rdomain,
tdb->tdb_tap)) == NULL ||
- pf_test(AF_INET, PF_OUT, encif, &m, NULL) != PF_PASS) {
+ pf_test(AF_INET, PF_OUT, encif, &m) != PF_PASS) {
error = EACCES;
m_freem(m);
goto done;
@@ -592,7 +583,7 @@ sendit:
* Packet filter
*/
#if NPF > 0
- if (pf_test(AF_INET, PF_OUT, ifp, &m, NULL) != PF_PASS) {
+ if (pf_test(AF_INET, PF_OUT, ifp, &m) != PF_PASS) {
error = EHOSTUNREACH;
m_freem(m);
goto done;
diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h
index 4489eae9611..a0f5527f255 100644
--- a/sys/netinet/ip_var.h
+++ b/sys/netinet/ip_var.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_var.h,v 1.59 2014/12/17 09:57:13 mpi Exp $ */
+/* $OpenBSD: ip_var.h,v 1.60 2015/07/16 21:14:21 mpi Exp $ */
/* $NetBSD: ip_var.h,v 1.16 1996/02/13 23:43:20 christos Exp $ */
/*
@@ -142,7 +142,6 @@ struct ipq {
#define IP_RAWOUTPUT 0x2 /* raw ip header exists */
#define IP_ALLOWBROADCAST SO_BROADCAST /* can send broadcast packets */
#define IP_MTUDISC 0x0800 /* pmtu discovery, set DF */
-#define IP_ROUTETOETHER 0x1000 /* ether addresses given */
extern struct ipstat ipstat;
extern LIST_HEAD(ipqhead, ipq) ipq; /* ip reass. queue */
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index de0e88c4444..f85aa49e70a 100644
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_forward.c,v 1.78 2015/07/08 08:48:35 mpi Exp $ */
+/* $OpenBSD: ip6_forward.c,v 1.79 2015/07/16 21:14:21 mpi Exp $ */
/* $KAME: ip6_forward.c,v 1.75 2001/06/29 12:42:13 jinmei Exp $ */
/*
@@ -331,7 +331,7 @@ reroute:
#if NPF > 0
if ((encif = enc_getif(tdb->tdb_rdomain,
tdb->tdb_tap)) == NULL ||
- pf_test(AF_INET6, PF_FWD, encif, &m, NULL) != PF_PASS) {
+ pf_test(AF_INET6, PF_FWD, encif, &m) != PF_PASS) {
error = EHOSTUNREACH;
m_freem(m);
goto senderr;
@@ -413,7 +413,7 @@ reroute:
ip6->ip6_dst.s6_addr16[1] = 0;
#if NPF > 0
- if (pf_test(AF_INET6, PF_FWD, rt->rt_ifp, &m, NULL) != PF_PASS) {
+ if (pf_test(AF_INET6, PF_FWD, rt->rt_ifp, &m) != PF_PASS) {
m_freem(m);
goto senderr;
}
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index feb188e235f..e82b6e5cc3f 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_input.c,v 1.143 2015/06/16 11:09:40 mpi Exp $ */
+/* $OpenBSD: ip6_input.c,v 1.144 2015/07/16 21:14:21 mpi Exp $ */
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
/*
@@ -333,7 +333,7 @@ ip6_input(struct mbuf *m)
* Packet filter
*/
odst = ip6->ip6_dst;
- if (pf_test(AF_INET6, PF_IN, ifp, &m, NULL) != PF_PASS)
+ if (pf_test(AF_INET6, PF_IN, ifp, &m) != PF_PASS)
goto bad;
if (m == NULL)
return;
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 2f47025c8d9..7d4c32b7ba9 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_output.c,v 1.176 2015/07/15 22:16:42 deraadt Exp $ */
+/* $OpenBSD: ip6_output.c,v 1.177 2015/07/16 21:14:21 mpi Exp $ */
/* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
/*
@@ -494,7 +494,7 @@ reroute:
#if NPF > 0
if ((encif = enc_getif(tdb->tdb_rdomain,
tdb->tdb_tap)) == NULL ||
- pf_test(AF_INET6, PF_OUT, encif, &m, NULL) != PF_PASS) {
+ pf_test(AF_INET6, PF_OUT, encif, &m) != PF_PASS) {
error = EHOSTUNREACH;
m_freem(m);
goto done;
@@ -726,7 +726,7 @@ reroute:
}
#if NPF > 0
- if (pf_test(AF_INET6, PF_OUT, ifp, &m, NULL) != PF_PASS) {
+ if (pf_test(AF_INET6, PF_OUT, ifp, &m) != PF_PASS) {
error = EHOSTUNREACH;
m_freem(m);
goto done;