2007-07-03 12:16:07 +00:00
/*-
 * Copyright (c) 1982, 1986, 1988, 1990, 1993, 1995
2004-06-16 23:24:02 +00:00
 *	The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 */

#include "opt_inet.h"
#include "opt_inet6.h"

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/libkern.h>
#include <sys/mbuf.h>
#include <sys/md5.h>
#include <sys/time.h>
#include <sys/random.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/systm.h>
#include <sys/time.h>
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
#include <sys/vimage.h>

#include <net/if.h>
#include <net/if_types.h>
#include <net/bpf.h>
#include <net/route.h>

#include <netinet/in.h>
#include <netinet/in_var.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_var.h>
#include <netinet/tcp.h>
#include <netinet/tcp_seq.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#include <netinet/in_pcb.h>
#include <netinet/tcp_timer.h>
#include <netinet/tcp_var.h>
#include <netinet/if_ether.h>
#include <net/pfvar.h>

/*
 * Following is where TCP initial sequence number generation occurs.
 *
 * There are two places where we must use initial sequence numbers:
 * 1.  In SYN-ACK packets.
 * 2.  In SYN packets.
 *
 * All ISNs for SYN-ACK packets are generated by the syncache.  See
 * tcp_syncache.c for details.
 *
 * The ISNs in SYN packets must be monotonic; TIME_WAIT recycling
 * depends on this property.  In addition, these ISNs should be
 * unguessable so as to prevent connection hijacking.  To satisfy
 * the requirements of this situation, the algorithm outlined in
 * RFC 1948 is used, with only small modifications.
 *
 * Implementation details:
 *
 * Time is based off the system timer, and is corrected so that it
 * increases by one megabyte per second.  This allows for proper
 * recycling on high speed LANs while still leaving over an hour
 * before rollover (2^32 / 2^20 = 4096 seconds, about 68 minutes).
 *
 * As reading the *exact* system time is too expensive to be done
 * whenever setting up a TCP connection, we increment the time
 * offset in two ways.  First, a small random positive increment
 * is added to isn_offset for each connection that is set up.
 * Second, the function tcp_isn_tick fires once per clock tick
 * and increments isn_offset as necessary so that sequence numbers
 * are incremented at approximately ISN_BYTES_PER_SECOND.  The
 * random positive increments serve only to ensure that the same
 * exact sequence number is never sent out twice (as could otherwise
 * happen when a port is recycled in less than the system tick
 * interval.)
 *
 * net.inet.tcp.isn_reseed_interval controls the number of seconds
 * between seeding of isn_secret.  This is normally set to zero,
 * as reseeding should not be necessary.
 *
 * Locking of the global variables isn_secret, isn_last_reseed, isn_offset,
 * isn_offset_old, and isn_ctx is performed using the TCP pcbinfo lock.  In
 * general, this means holding an exclusive (write) lock.
 *
 * Note that pf_new_isn() below is the TCP stack's generator with the
 * time-based part left out: isn_offset advances only by
 * ISN_STATIC_INCREMENT plus a random amount on each call, isn_secret is
 * seeded once on first use and never reseeded, and the tick routine, the
 * reseed sysctl and isn_offset_old named above are not defined in this
 * file.  The unguessability of the result therefore rests entirely on
 * isn_secret staying secret; ISN_BYTES_PER_SECOND is defined for
 * reference but unused here.
 */

#define	ISN_BYTES_PER_SECOND	1048576
#define	ISN_STATIC_INCREMENT	4096
#define	ISN_RANDOM_INCREMENT	(4096 - 1)

static u_char isn_secret[32];
static int isn_last_reseed;
2007-07-05 15:28:59 +00:00
static u_int32_t isn_offset;
static MD5_CTX isn_ctx;

u_int32_t
pf_new_isn(struct pf_state *s)
{
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparison between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
	INIT_VNET_INET(curvnet);
	u_int32_t md5_buffer[4];
	u_int32_t new_isn;
	struct pf_state_host *src, *dst;

	/* Seed the secret on first use; there is no reseed path here. */
	if (V_isn_last_reseed == 0) {
		read_random(&V_isn_secret, sizeof(V_isn_secret));
		V_isn_last_reseed = ticks;
	}

	if (s->direction == PF_IN) {
		src = &s->ext;
		dst = &s->gwy;
	} else {
		src = &s->lan;
		dst = &s->ext;
	}

	/* Compute the md5 hash and return the ISN. */
	MD5Init(&V_isn_ctx);
	MD5Update(&V_isn_ctx, (u_char *) &dst->port, sizeof(u_short));
	MD5Update(&V_isn_ctx, (u_char *) &src->port, sizeof(u_short));
#ifdef INET6
	if (s->af == AF_INET6) {
		MD5Update(&V_isn_ctx, (u_char *) &dst->addr,
		    sizeof(struct in6_addr));
		MD5Update(&V_isn_ctx, (u_char *) &src->addr,
		    sizeof(struct in6_addr));
	} else
#endif
	{
		MD5Update(&V_isn_ctx, (u_char *) &dst->addr,
		    sizeof(struct in_addr));
		MD5Update(&V_isn_ctx, (u_char *) &src->addr,
		    sizeof(struct in_addr));
	}
	MD5Update(&V_isn_ctx, (u_char *) &V_isn_secret, sizeof(V_isn_secret));
	MD5Final((u_char *) &md5_buffer, &V_isn_ctx);
	new_isn = (tcp_seq) md5_buffer[0];
	V_isn_offset += ISN_STATIC_INCREMENT +
	    (arc4random() & ISN_RANDOM_INCREMENT);
	new_isn += V_isn_offset;
	return (new_isn);
}