patch-2.2.4 linux/net/ipv4/ip_input.c

• Lines: 142
• Date: Sun Mar 21 07:22:00 1999
• Orig file: v2.2.3/linux/net/ipv4/ip_input.c
• Orig date: Tue Jan 19 11:32:53 1999

diff -u --recursive --new-file v2.2.3/linux/net/ipv4/ip_input.c linux/net/ipv4/ip_input.c
@@ -5,7 +5,7 @@
  *
  *		The Internet Protocol (IP) module.
  *
- * Version:	$Id: ip_input.c,v 1.35 1999/01/12 14:32:48 davem Exp $
+ * Version:	$Id: ip_input.c,v 1.36 1999/03/21 05:22:38 davem Exp $
  *
  * Authors:	Ross Biro, <bir7@leland.Stanford.Edu>
  *		Fred N. van Kempen, <waltje@uWalt.NL.Mugnet.ORG>
@@ -387,6 +387,10 @@
 int ip_rcv(struct sk_buff *skb, struct device *dev, struct packet_type *pt)
 {
 	struct iphdr *iph = skb->nh.iph;
+#ifdef	CONFIG_FIREWALL
+	int fwres;
+	u16 rport;
+#endif /* CONFIG_FIREWALL */
 
 	/*
 	 * 	When the interface is in promisc. mode, drop all the crap
@@ -427,6 +431,30 @@
 	__skb_trim(skb, len);
 	}
 	
+#ifdef CONFIG_IP_ALWAYS_DEFRAG
+	/* Won't send ICMP reply, since skb->dst == NULL. --RR */
+	if (iph->frag_off & htons(IP_MF|IP_OFFSET)) {
+		skb = ip_defrag(skb);
+		if (!skb)
+			return 0;
+		iph = skb->nh.iph;
+		ip_send_check(iph);
+	}
+#endif
+
+#ifdef CONFIG_FIREWALL
+	/*
+	 *	See if the firewall wants to dispose of the packet. 
+	 *
+	 * We can't do ICMP reply or local delivery before routing,
+	 * so we delay those decisions until after route. --RR
+	 */
+	fwres = call_in_firewall(PF_INET, dev, iph, &rport, &skb);
+	if (fwres < FW_ACCEPT && fwres != FW_REJECT)
+		goto drop;
+	iph = skb->nh.iph;
+#endif /* CONFIG_FIREWALL */
+
 	/*
 	 *	Initialise the virtual path cache for the packet. It describes
 	 *	how the packet travels inside Linux networking.
@@ -442,13 +470,13 @@
 #endif
 	}
 
-#ifdef CONFIG_IP_ALWAYS_DEFRAG
-	if (iph->frag_off & htons(IP_MF|IP_OFFSET)) {
-		skb = ip_defrag(skb);
-		if (!skb)
-			return 0;
-		iph = skb->nh.iph;
-		ip_send_check(iph);
+#ifdef CONFIG_NET_CLS_ROUTE
+	if (skb->dst->tclassid) {
+		u32 idx = skb->dst->tclassid;
+		ip_rt_acct[idx&0xFF].o_packets++;
+		ip_rt_acct[idx&0xFF].o_bytes+=skb->len;
+		ip_rt_acct[(idx>>16)&0xFF].i_packets++;
+		ip_rt_acct[(idx>>16)&0xFF].i_bytes+=skb->len;
 	}
 #endif
 
@@ -462,7 +490,7 @@
 		   and running sniffer is extremely rare condition.
 		                                      --ANK (980813)
 		*/
-		   
+
 		skb = skb_cow(skb, skb_headroom(skb));
 		if (skb == NULL)
 			return 0;
@@ -486,51 +514,17 @@
 		}
 	}
 
-	/*
-	 *	See if the firewall wants to dispose of the packet. 
-	 *
-	 *	Note: the current standard firewall code expects that the 
-	 *	destination address was already checked against the interface 
-	 *	address lists.
-	 *
-	 *	If this code is ever moved in front of ip_route_input() you need
-	 *	to fix the fw code [moving it might be a good idea anyways,
-	 *	so that we can firewall against potentially bugs in the options
-	 *	or routing code]
-	 */
-	
-#ifdef	CONFIG_FIREWALL
-        {
-		int fwres;
-		u16 rport;
-#ifdef  CONFIG_IP_ROUTE_TOS
-		u8  tos = iph->tos;
-#endif
-
-		if ((fwres=call_in_firewall(PF_INET, skb->dev, iph, &rport, &skb))<FW_ACCEPT) {
-			if (fwres==FW_REJECT)
-				icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
-			goto drop;
-		}
-
+#ifdef CONFIG_FIREWALL
 #ifdef	CONFIG_IP_TRANSPARENT_PROXY
-		if (fwres==FW_REDIRECT && (IPCB(skb)->redirport = rport) != 0)
-			return ip_local_deliver(skb);
-#endif
-#ifdef	CONFIG_IP_ROUTE_TOS
-		/* It is for 2.2 only. Firewalling should make smart
-		   rerouting itself, ideally, but now it is too late
-		   to teach it. 			--ANK (980905)
-		 */
-		if (iph->tos != tos && ((struct rtable*)skb->dst)->rt_type == RTN_UNICAST) {
-			dst_release(skb->dst);
-			skb->dst = NULL;
-			if (ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev))
-				goto drop; 
-		}
-#endif
+	if (fwres == FW_REDIRECT && (IPCB(skb)->redirport = rport) != 0)
+		return ip_local_deliver(skb);
+#endif /* CONFIG_IP_TRANSPARENT_PROXY */
+
+	if (fwres == FW_REJECT) {
+		icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+		goto drop;
 	}
-#endif
+#endif /* CONFIG_FIREWALL */
 
 	return skb->dst->input(skb);