?? route.generic
diff -ru -x*~ linux-lt-2.3.99-pre3.prev/Documentation/networking/ip-sysctl.txt linux-lt-2.3.99-pre3/Documentation/networking/ip-sysctl.txt--- linux-lt-2.3.99-pre3.prev/Documentation/networking/ip-sysctl.txt Sun Jan 23 03:54:56 2000+++ linux-lt-2.3.99-pre3/Documentation/networking/ip-sysctl.txt Tue Mar 28 19:40:59 2000@@ -262,13 +262,21 @@ Do proxy arp. shared_media - BOOLEAN- Send(router) or accept(host) RFC1620 shared media redirects.+ Do not check the new gateway specified in incoming ICMP redirect+ messages for belonging to a directly attached network (i.e. the+ routing table has for this address an entry pointing to the given+ device, doesn't have a gateway, and with scope not wider SCOPE_LINK).+ If this variable is TRUE then new gateways are only checked for being a+ unicast addresses. If it is FALSE then the full check described+ above is performed. See RFC1620 for background information about+ shared media. Overrides ip_secure_redirects. default TRUE secure_redirects - BOOLEAN- Accept ICMP redirect messages only for gateways,- listed in default gateway list.+ Accept ICMP redirect messages only for gateways already listed as+ gateways in the routing tables. This check is performed only when+ `shared_media' is FALSE. default TRUE send_redirects - BOOLEAN@@ -287,6 +295,19 @@ default TRUE (router) FALSE (host) +source_check - BOOLEAN+ Check source address for outgoing packets.+ If source_check is turned on all outgoing packets (including going+ through a loopback interface) are checked for the source address+ being local. An address is considered as local for this purposes if+ a route lookup in the opposite direction (i.e. 
with source and+ destination addresses being reversed) gives a unicast local route+ entry.+ Note: source addresses are always checked for being not a multicast,+ limited broadcast, zero net, or loopback (for non-loopback+ interfaces) independetly of the setting of the option.+ default TRUE+ rp_filter - BOOLEAN 1 - do source validation by reversed path, as specified in RFC1812 Recommended option for single homed hosts and stub network@@ -305,4 +326,8 @@ Updated by: Andi Kleen ak@muc.de++Andrey Savochkin+saw@msu.ru+ $Id: ip-sysctl.txt,v 1.13 2000/01/18 08:24:09 davem Exp $diff -ru -x*~ linux-lt-2.3.99-pre3.prev/include/linux/in_route.h linux-lt-2.3.99-pre3/include/linux/in_route.h--- linux-lt-2.3.99-pre3.prev/include/linux/in_route.h Fri Jun 12 13:52:33 1998+++ linux-lt-2.3.99-pre3/include/linux/in_route.h Tue Mar 28 19:39:49 2000@@ -4,6 +4,7 @@ /* IPv4 routing cache flags */ #define RTCF_DEAD RTNH_F_DEAD+#define RTCF_PERVASIVE RTNH_F_PERVASIVE #define RTCF_ONLINK RTNH_F_ONLINK /* Obsolete flag. 
About to be deleted */diff -ru -x*~ linux-lt-2.3.99-pre3.prev/include/linux/inetdevice.h linux-lt-2.3.99-pre3/include/linux/inetdevice.h--- linux-lt-2.3.99-pre3.prev/include/linux/inetdevice.h Tue Aug 24 01:01:02 1999+++ linux-lt-2.3.99-pre3/include/linux/inetdevice.h Tue Mar 28 19:39:49 2000@@ -9,6 +9,7 @@ int send_redirects; int secure_redirects; int shared_media;+ int source_check; int accept_source_route; int rp_filter; int proxy_arp;@@ -46,6 +47,7 @@ #define IN_DEV_SHARED_MEDIA(in_dev) (ipv4_devconf.shared_media || (in_dev)->cnf.shared_media) #define IN_DEV_TX_REDIRECTS(in_dev) (ipv4_devconf.send_redirects || (in_dev)->cnf.send_redirects) #define IN_DEV_SEC_REDIRECTS(in_dev) (ipv4_devconf.secure_redirects || (in_dev)->cnf.secure_redirects)+#define IN_DEV_SRC_CHECK(in_dev) (ipv4_devconf.source_check || (in_dev)->cnf.source_check) #define IN_DEV_IDTAG(in_dev) ((in_dev)->cnf.tag) #define IN_DEV_RX_REDIRECTS(in_dev) \@@ -73,7 +75,6 @@ extern int unregister_inetaddr_notifier(struct notifier_block *nb); extern struct net_device *ip_dev_find(u32 addr);-extern int inet_addr_onlink(struct in_device *in_dev, u32 a, u32 b); extern int devinet_ioctl(unsigned int cmd, void *); extern void devinet_init(void); extern struct in_device *inetdev_init(struct net_device *dev);diff -ru -x*~ linux-lt-2.3.99-pre3.prev/include/linux/rtnetlink.h linux-lt-2.3.99-pre3/include/linux/rtnetlink.h--- linux-lt-2.3.99-pre3.prev/include/linux/rtnetlink.h Thu Feb 10 12:08:09 2000+++ linux-lt-2.3.99-pre3/include/linux/rtnetlink.h Tue Mar 28 19:39:49 2000@@ -224,9 +224,11 @@ /* rtnh_flags */ -#define RTNH_F_DEAD 1 /* Nexthop is dead (used by multipath) */-#define RTNH_F_PERVASIVE 2 /* Do recursive gateway lookup */-#define RTNH_F_ONLINK 4 /* Gateway is forced on link */+#define RTNH_F_DEAD 0x01 /* Nexthop is dead (used by multipath) */+#define RTNH_F_PERVASIVE 0x02 /* Omit gateway & pref_src test */+#define RTNH_F_ONLINK 0x04 /* Gateway is forced on link */+#define RTNH_F_GLUE 0x08 /* Nexthop is 
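Review bot: In the inetdevice.h hunk at -46,6 +47,7, `IN_DEV_SRC_CHECK` ORs `ipv4_devconf.source_check` with the per-device value, so writing 0 to one interface's `source_check` does not disable the check while the `ipv4_devconf` value is non-zero. The devinet.c initializer in this patch appears to set that value to 1, and the new ip-sysctl.txt text does not mention the interaction. A comment above the macro would help, for example `/* Enabled if either ipv4_devconf or the per-device flag is set; both must be 0 to disable. */`, with the same sentence added to the `source_check` entry in ip-sysctl.txt.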
glued */+#define RTNH_F_USEFIRST 0x10 /* Use only it (for multipath) */ /* Macros to handle hexthops */ diff -ru -x*~ linux-lt-2.3.99-pre3.prev/include/linux/sysctl.h linux-lt-2.3.99-pre3/include/linux/sysctl.h--- linux-lt-2.3.99-pre3.prev/include/linux/sysctl.h Thu Mar 9 01:16:24 2000+++ linux-lt-2.3.99-pre3/include/linux/sysctl.h Tue Mar 28 19:39:49 2000@@ -302,7 +302,8 @@ NET_IPV4_CONF_ACCEPT_SOURCE_ROUTE=9, NET_IPV4_CONF_BOOTP_RELAY=10, NET_IPV4_CONF_LOG_MARTIANS=11,- NET_IPV4_CONF_TAG=12+ NET_IPV4_CONF_TAG=12,+ NET_IPV4_CONF_SRC_CHECK=13, }; /* /proc/sys/net/ipv6 */diff -ru -x*~ linux-lt-2.3.99-pre3.prev/include/net/ip_fib.h linux-lt-2.3.99-pre3/include/net/ip_fib.h--- linux-lt-2.3.99-pre3.prev/include/net/ip_fib.h Tue Aug 24 01:01:02 1999+++ linux-lt-2.3.99-pre3/include/net/ip_fib.h Tue Mar 28 19:39:49 2000@@ -217,7 +217,8 @@ extern int fib_dump_info(struct sk_buff *skb, u32 pid, u32 seq, int event, u8 tb_id, u8 type, u8 scope, void *dst, int dst_len, u8 tos, struct fib_info *fi);-extern int fib_sync_down(u32 local, struct net_device *dev, int force);+extern int fib_sync_addr_down(u32 local);+extern int fib_sync_dev_down(struct net_device *dev, int force); extern int fib_sync_up(struct net_device *dev); extern int fib_convert_rtentry(int cmd, struct nlmsghdr *nl, struct rtmsg *rtm, struct kern_rta *rta, struct rtentry *r);diff -ru -x*~ linux-lt-2.3.99-pre3.prev/include/net/route.h linux-lt-2.3.99-pre3/include/net/route.h--- linux-lt-2.3.99-pre3.prev/include/net/route.h Sun Mar 19 04:11:22 2000+++ linux-lt-2.3.99-pre3/include/net/route.h Tue Mar 28 19:39:49 2000@@ -106,6 +106,9 @@ extern void ip_rt_send_redirect(struct sk_buff *skb); extern unsigned inet_addr_type(u32 addr);+extern int inet_addr_onlink(struct net_device *, u32 dst, u32 src, u8 tos);+extern int fib_local_source(u32 saddr, u32 daddr, u8 tos, struct net_device *);+extern u32 fib_select_addr(struct net_device *, u32 dst, int scope); extern void ip_rt_multicast_event(struct in_device *); extern int 
ip_rt_ioctl(unsigned int cmd, void *arg); extern void ip_rt_get_source(u8 *src, struct rtable *rt);diff -ru -x*~ linux-lt-2.3.99-pre3.prev/net/ipv4/af_inet.c linux-lt-2.3.99-pre3/net/ipv4/af_inet.c--- linux-lt-2.3.99-pre3.prev/net/ipv4/af_inet.c Tue Feb 22 09:35:06 2000+++ linux-lt-2.3.99-pre3/net/ipv4/af_inet.c Tue Mar 28 19:43:30 2000@@ -463,6 +463,15 @@ return -EINVAL; chk_addr_ret = inet_addr_type(addr->sin_addr.s_addr);+ /* The source address check is omitted here.+ * We may allow to bind sockets to any address for listening purposes.+ * Such sockets will get only those packets which were considered as+ * "local" by routing (i.e. configured to go locally by the+ * administrator).+ * Outgoing packets are checked by output routing (see+ * ip_route_output_slow and outrt_check_src in net/ipv4/route.c).+ * 1999/11/13 SAW+ */ snum = ntohs(addr->sin_port); if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))diff -ru -x*~ linux-lt-2.3.99-pre3.prev/net/ipv4/arp.c linux-lt-2.3.99-pre3/net/ipv4/arp.c--- linux-lt-2.3.99-pre3.prev/net/ipv4/arp.c Sun Jan 23 03:54:57 2000+++ linux-lt-2.3.99-pre3/net/ipv4/arp.c Tue Mar 28 19:39:50 2000@@ -333,10 +333,11 @@ u32 target = *(u32*)neigh->primary_key; int probes = atomic_read(&neigh->probes); - if (skb && inet_addr_type(skb->nh.iph->saddr) == RTN_LOCAL)+ if (skb && fib_local_source(skb->nh.iph->saddr, target,+ skb->nh.iph->tos, dev) == 0) saddr = skb->nh.iph->saddr; else- saddr = inet_select_addr(dev, target, RT_SCOPE_LINK);+ saddr = fib_select_addr(dev, target, RT_SCOPE_LINK); if ((probes -= neigh->parms->ucast_probes) < 0) { if (!(neigh->nud_state&NUD_VALID))diff -ru -x*~ linux-lt-2.3.99-pre3.prev/net/ipv4/devinet.c linux-lt-2.3.99-pre3/net/ipv4/devinet.c--- linux-lt-2.3.99-pre3.prev/net/ipv4/devinet.c Sun Jan 9 13:36:20 2000+++ linux-lt-2.3.99-pre3/net/ipv4/devinet.c Tue Mar 28 19:39:50 2000@@ -58,8 +58,8 @@ #include <net/route.h> #include <net/ip_fib.h> -struct ipv4_devconf ipv4_devconf = { 1, 1, 1, 1, 0, };-static 
struct ipv4_devconf ipv4_devconf_dflt = { 1, 1, 1, 1, 1, };+struct ipv4_devconf ipv4_devconf = { 1, 1, 1, 1, 1, 0, };+static struct ipv4_devconf ipv4_devconf_dflt = { 1, 1, 1, 1, 1, 1, }; #ifdef CONFIG_RTNETLINK static void rtmsg_ifa(int event, struct in_ifaddr *);@@ -186,21 +186,6 @@ in_dev_put(in_dev); } -int inet_addr_onlink(struct in_device *in_dev, u32 a, u32 b)-{- read_lock(&in_dev->lock);- for_primary_ifa(in_dev) {- if (inet_ifa_match(a, ifa)) {- if (!b || inet_ifa_match(b, ifa)) {- read_unlock(&in_dev->lock);- return 1;- }- }- } endfor_ifa(in_dev);- read_unlock(&in_dev->lock);- return 0;-} - static void inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap, int destroy) {@@ -1027,7 +1012,7 @@ static struct devinet_sysctl_table { struct ctl_table_header *sysctl_header;- ctl_table devinet_vars[13];+ ctl_table devinet_vars[14]; ctl_table devinet_dev[2]; ctl_table devinet_conf_dir[2]; ctl_table devinet_proto_dir[2];@@ -1066,6 +1051,9 @@ &proc_dointvec}, {NET_IPV4_CONF_LOG_MARTIANS, "log_martians", &ipv4_devconf.log_martians, sizeof(int), 0644, NULL,+ &proc_dointvec},+ {NET_IPV4_CONF_SRC_CHECK, "source_check",+ &ipv4_devconf.source_check, sizeof(int), 0644, NULL, &proc_dointvec}, {NET_IPV4_CONF_TAG, "tag", &ipv4_devconf.tag, sizeof(int), 0644, NULL,diff -ru -x*~ linux-lt-2.3.99-pre3.prev/net/ipv4/fib_frontend.c linux-lt-2.3.99-pre3/net/ipv4/fib_frontend.c--- linux-lt-2.3.99-pre3.prev/net/ipv4/fib_frontend.c Thu Dec 23 11:55:38 1999+++ linux-lt-2.3.99-pre3/net/ipv4/fib_frontend.c Tue Mar 28 19:39:50 2000@@ -30,6 +30,7 @@ #include <linux/in.h> #include <linux/inet.h> #include <linux/netdevice.h>+#include <linux/inetdevice.h> #include <linux/if_arp.h> #include <linux/proc_fs.h> #include <linux/skbuff.h>@@ -168,11 +169,31 @@ return dev; } +int fib_local_source(u32 saddr, u32 daddr, u8 tos, struct net_device *dev)+{+ struct rt_key key;+ struct fib_result res;++ memset(&key, 0, sizeof(key));+ key.src = daddr;+ key.dst = saddr;+ key.tos = tos;+ key.iif = 
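Review bot: In the devinet.c hunk at -58,8 +58,8, the two `ipv4_devconf` initializers stay positional, so the new `source_check` value is placed only by counting fields. The struct's first member is outside the visible hunks, but if `source_check` is the fifth field, a one-slot miscount would instead change the `accept_source_route` default that follows it. Naming the security-relevant fields removes that risk, e.g. `source_check: 1, accept_source_route: 0,` in the GCC labelled-element form, and a short comment listing the field order would already be an improvement.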
dev->ifindex;+ if (fib_lookup(&key, &res) == 0) {+ unsigned ret;+ ret = res.type;+ fib_res_put(&res);+ if (ret != RTN_LOCAL)+ return -EINVAL;+ }+ return 0;+}+ unsigned inet_addr_type(u32 addr) { struct rt_key key; struct fib_result res;- unsigned ret = RTN_BROADCAST;+ unsigned ret; if (ZERONET(addr) || BADCLASS(addr)) return RTN_BROADCAST;@@ -180,21 +201,57 @@ return RTN_MULTICAST; memset(&key, 0, sizeof(key));+ key.src = addr; key.dst = addr;-#ifdef CONFIG_IP_MULTIPLE_TABLES- res.r = NULL;-#endif - if (local_table) {- ret = RTN_UNICAST;- if (local_table->tb_lookup(local_table, &key, &res) == 0) {- ret = res.type;- fib_res_put(&res);- }+ ret = RTN_UNICAST;+ if (fib_lookup(&key, &res) == 0) {+ ret = res.type;+ fib_res_put(&res); } return ret; } +u32 fib_select_addr(struct net_device *dev, u32 dst, int scope)+{+ struct rt_key key;+ struct fib_result res;+ u32 ret;++ memset(&key, 0, sizeof(key));+ key.src = dst;+ key.dst = dst;+ key.oif = dev->ifindex;+ key.scope = scope;+ + if (fib_lookup(&key, &res) == 0) {+ ret = FIB_RES_PREFSRC(res);+ fib_res_put(&res);+ } else+ ret = inet_select_addr(dev, dst, scope);+ return ret;+}++/* Check if dst is a UNICAST address and reachable via device dev */+int inet_addr_onlink(struct net_device *dev, u32 dst, u32 src, u8 tos)+{+ struct rt_key key;+ struct fib_result res;+ int ret;++ key.src = src;+ key.dst = dst;+ key.tos = tos;+ key.iif = 0;+ key.oif = 0;+ key.scope = RT_SCOPE_LINK;+ if (fib_lookup(&key, &res) != 0)+ return 0;+ ret = (res.type == RTN_UNICAST && FIB_RES_DEV(res) == dev);+ fib_res_put(&res);+ return ret;+}+ /* Given (packet source, input interface) and optional (dst, oif, tos): - (main) check, that source is valid i.e. not broadcast or our local address.@@ -559,7 +616,7 @@ First of all, we scan fib_info list searching for stray nexthop entries, then ignite fib_flush. 
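Review bot: `fib_local_source()` in the fib_frontend.c hunk at -168,11 +169,31 returns 0 when `fib_lookup()` fails, so a source address with no reverse route at all is reported as local. The ip-sysctl.txt text in this patch says an address counts as local only when the reverse lookup gives a local route entry, and the arp.c caller treats `== 0` as permission to reuse the packet's `saddr` as the ARP source. Unless accepting the no-route case is intentional, fail closed with `if (fib_lookup(&key, &res) != 0) return -EINVAL;` before reading `res.type`. If it is intentional, a comment on the function should say so.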
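Review bot: The new `inet_addr_onlink()` in the fib_frontend.c hunk at -180,21 +201,57 fills `key` field by field without zeroing it first, unlike `fib_local_source()`, `inet_addr_type()` and `fib_select_addr()` in the same file. Any `struct rt_key` member other than the six assigned here is passed to `fib_lookup()` holding stack garbage, which can make the on-link decision used for redirect gateway checks non-deterministic. The struct definition is not visible in this patch, so the exact members affected need confirming. Add `memset(&key, 0, sizeof(key));` before the assignments, after which the explicit `key.iif = 0;` and `key.oif = 0;` become redundant.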
*/- if (fib_sync_down(ifa->ifa_local, NULL, 0))+ if (fib_sync_addr_down(ifa->ifa_local)) fib_flush(); } }@@ -571,7 +628,7 @@ static void fib_disable_ip(struct net_device *dev, int force) {- if (fib_sync_down(0, dev, force))+ if (fib_sync_dev_down(dev, force)) fib_flush(); rt_cache_flush(0); arp_ifdown(dev);@@ -591,8 +648,10 @@ /* Last address was deleted from this interface. Disable IP. */+ printk("fib_inetaddr_event: dev down, fib_disable_ip(1)\n");