Commit Graph

883 Commits

Author SHA1 Message Date
Mateusz Guzik
8f3d786cb3 pf: remove the flags argument from pf_unlink_state
All consumers call it with PF_ENTER_LOCKED.

Reviewed by:	kp
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-11-01 20:59:14 +01:00
Mateusz Guzik
edf6dd82e9 pf: fix use-after-free from pf_find_state_all
state was returned without any locks nor references held

Reviewed by:	kp
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-11-01 20:59:05 +01:00
Kristof Provost
e5c4987e3f pf: fix dummynet + NAT
Dummynet differs from ALTQ in that ALTQ schedules packets after they
leave pf. Dummynet schedules them after they leave pf, but then
re-injects them.
We currently deal with this by ensuring we don't re-schedule a packet we
get from dummynet, but this produces unexpected results when combined
with NAT, as dummynet processing is done after the NAT transformation.
In other words, the second time the packet is handed to pf it may have a
different source and destination address.

Simplify this by moving dummynet processing to after all other pf
processing, and not re-processing (but always passing) packets from
dummynet.

This fixes NAT of dummynet delayed packets, and also reduces processing
overhead (because we only do state/rule lookup for each dummynet packet
once, rather than twice).

MFC after:	3 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D32665
2021-10-28 10:41:17 +02:00
Gleb Smirnoff
c8ee75f231 Use network epoch to protect local IPv4 addresses hash.
The modification to the hash are already naturally locked by
in_control_sx.  Convert the hash lists to CK lists. Remove the
in_ifaddr_rmlock. Assert the network epoch where necessary.

Most cases when the hash lookup is done the epoch is already entered.
Cover a few cases, that need entering the epoch, which mostly is
initial configuration of tunnel interfaces and multicast addresses.

Reviewed by:		melifaro
Differential revision:	https://reviews.freebsd.org/D32584
2021-10-22 14:40:53 -07:00
Luiz Otavio O Souza
ab238f1454 pf: ensure we have the correct source/destination IP address in ICMP errors
When we route-to a packet that later turns out to not fit in the
outbound interface MTU we generate an ICMP error.
However, if we've already changed those (i.e. we've passed through a NAT
rule) we have to undo the transformation first.

Obtained from:	pfSense
MFC after:	3 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D32571
2021-10-22 09:52:17 +02:00
Mateusz Guzik
bcd4c17cca pf: fix some cc --analyze warnings
Reviewed by:	kp
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-10-19 11:59:11 +00:00
Kristof Provost
076b3a50fd pf: don't drop packets when redirection information comes from a state
For some traffic there might be no matching rule in the current ruleset,
for example when a state was imported via pfsync from a sytem with a
different ruleset checksum. In this case pf_route uses s->rt_addr for
routing target instead of r->rpool.cur but r->rpool is checked anyway,
resulting in dropped packets.

PR:		259183
Submitted by:	Kajetan Staszkiewicz <vegeta tuxpowered.net>
Sponsored by:	InnoGames GmbH
2021-10-16 23:02:26 +02:00
Kristof Provost
498cca1483 pf: selecting pf_map_addr is not an error
When a redirection/nat IP address is selected by pf_map_addr it is
logged with PF_DEBUG_MISC level. This one according to the manual means
"Generate debug messages for various errors". Selecting an IP address is
not an error, it's a normal function of pf for route-to, nat and some
other operations. Therefore PF_DEBUG_NOISY level should be choosen which
is means "Generate debug messages for common conditions".

PR:		259184
Submitted by:	Kajetan Staszkiewicz <vegeta tuxpowered.net>
Sponsored by:	InnoGames GmbH
2021-10-16 09:32:15 +02:00
Kristof Provost
776df104fa pf: Introduce pf_nvbool()
Similar to the existing functions for strings and ints, this lets us
simplify some of the nvlist conversion code.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-10-13 12:01:09 +02:00
Kristof Provost
1c680e620b pf: do not copy anchor_wildcard / anchor_relative from userspace
We overwrite these fields again in pf_kanchor_setup() anyway.

MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-10-08 14:46:59 +02:00
Kristof Provost
955460d41e pf: hook up adaptive mode configuration
The kernel side of pf syncookie adaptive mode configuration.

MFC after:	1 week
Sponsored by:	Modirum MDPay
Differential Revision:	https://reviews.freebsd.org/D32135
2021-09-29 15:11:54 +02:00
Kristof Provost
bf8637181a pf: implement adaptive mode
Use atomic counters to ensure that we correctly track the number of half
open states and syncookie responses in-flight.
This determines if we activate or deactivate syncookies in adaptive
mode.

MFC after:	1 week
Sponsored by:	Modirum MDPay
Differential Revision:	https://reviews.freebsd.org/D32134
2021-09-29 15:11:54 +02:00
Kristof Provost
63b3c1c770 pf: support dummynet
Allow pf to use dummynet pipes and queues.

We re-use the currently unused IPFW_IS_DUMMYNET flag to allow dummynet
to tell us that a packet is being re-injected after being delayed. This
is needed to avoid endlessly looping the packet between pf and dummynet.

MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D31904
2021-09-24 11:41:25 +02:00
Kristof Provost
8160a0f62b dummynet: Does not depend on ipfw
Allow the dummynet module to be loaded without ipfw, as a first step
towards making pf use it for packet scheduling.

Reviewed by:	donner
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D31903
2021-09-24 11:41:25 +02:00
Kristof Provost
cb13059663 pf: fix pagefault in pf_getstatus()
We can't copyout() while holding a lock, in case it triggers a page
fault.
Release the lock before copyout, which is safe because we've already
copied all the data into the nvlist.

PR:		258601
Reviewed by:	mjg
MFC after:	1 week
Sponsored by:	Modirum MDPay
Differential Revision:	https://reviews.freebsd.org/D32076
2021-09-23 21:56:59 +02:00
Franco Fichtner
8e496ea1df pf: always log nat rule and do it pre-rewrite
See also https://github.com/opnsense/core/issues/5005

Reviewed by:	kp
Differential Revision:	https://reviews.freebsd.org/D31504
2021-09-18 13:43:41 +02:00
John Baldwin
df005aa9b3 pf: Remove duplicate declaration of pf_ioctl_maxcount.
Fixes a -Wredundant-decls warning with GCC 9.

Reviewed by:	kp
Differential Revision:	https://reviews.freebsd.org/D31944
2021-09-15 09:03:18 -07:00
Kristof Provost
9bdff593ea pf: fix NOINET6 builds
MFC after:	1 week
Sponsored by:	Modirum MDPay
2021-09-10 18:15:44 +02:00
Kristof Provost
b64f7ce98f pf: qid and pqid can be uint16_t
tag2name() returns a uint16_t, so we don't need to use uint32_t for the
qid (or pqid). This reduces the size of struct pf_kstate slightly. That
in turn buys us space to add extra fields for dummynet later.

Happily these fields are not exposed to user space (there are user space
versions of them, but they can just stay uint32_t), so there's no ABI
breakage in modifying this.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D31873
2021-09-10 17:07:57 +02:00
Kristof Provost
0a51d74c3a pf: fix synproxy to local
When we're synproxy-ing a connection that's going to us (as opposed to a
forwarded one) we wound up trying to send out the pf-generated tcp
packets through pf_intr(), which called ip(6)_output(). That doesn't
work all that well for packets that are destined for us, so in that case
we must call ip(6)_input() instead.

MFC after:	1 week
Sponsored by:   Modirum MDPay
Differential Revision:	https://reviews.freebsd.org/D31853
2021-09-10 15:16:37 +02:00
Kristof Provost
415e81d5d9 dummynet: remove unused definitions
No functional change.

MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D31806
2021-09-08 17:18:00 +02:00
Kristof Provost
a0c64a443e pf: ensure states passed to pf_free_state() are always unlinked
In pf_create_state() we can end up deleting the state immediately. This
can happen if we fail to map the relevant addresses or fail
normalization or fail to insert it into the state table.
If that happens we delete the state again with pf_free_state(). However,
this asserts that the state must be unlinked.

It's correct to simply set the state to PFTM_UNLINKED because we've not
yet linked it.

Submitted by:	Mateusz Guzik <mjg@FreeBSD.org>
Reviewed by:	scottl
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D31752
2021-09-03 09:36:19 +02:00
Kristof Provost
ce3ea45047 pf: import pf_set_protostate() from OpenBSD
to change a state's state (that term is overloaded in pf, protocol state
like ESTABLISHED for tcp here), don't do it directly, but go through a newly
introduced pf_set_protostate()

Reviewed by:	kbowling
Obtainted from:	OpenBSD
MFC after:	1 week
Sponsored by:	Modirum MDPay
Differential Revision:	https://reviews.freebsd.org/D31729
2021-09-01 12:02:19 +02:00
Kristof Provost
4cab80a8df pf: Add counters for syncookies
Count when we send a syncookie, receive a valid syncookie or detect a
synflood.

Reviewed by:	kbowling
MFC after:	1 week
Sponsored by:	Modirum MDPay
Differential Revision:	https://reviews.freebsd.org/D31713
2021-09-01 12:02:19 +02:00
Kristof Provost
2b10cf85f8 pf: Introduce nvlist variant of DIOCGETSTATUS
Make it possible to extend the GETSTATUS call (e.g. when we want to add
new counters, such as for syncookie support) by introducing an
nvlist-based alternative.

MFC after:	1 week
Sponsored by:   Modirum MDPay
Differential Revision:	https://reviews.freebsd.org/D31694
2021-08-29 14:59:04 +02:00
Andrey V. Elsukov
da3a09d894 ipfw_nat64: fix direct output mode
In nat64_find_route[46] handle NHF_GATEWAY flag and use destination
address from next hop to do link layer address lookup.

PR:		255928
Reviewed by:	melifaro
Obtained from:	Yandex LLC
MFC after:	1 week
Sponsored by:	Yandex LLC
Differential Revision:	https://reviews.freebsd.org/D31680
2021-08-26 13:48:23 +03:00
Samuel Robinette
0a7d1fc6f6 pf: implement set-tos for IPv6
Extend the existing set-tos keyword to also be able to set traffic class
on IPv6 traffic.
Add tests for this as well.

Reviewed by:	kp
Differential Revision:	https://reviews.freebsd.org/D31564
2021-08-19 10:07:56 +02:00
Luiz Otavio O Souza
20ffd88ed5 ipfw: use unsigned int for dummynet bandwidth
This allows the maximum value of 4294967295 (~4Gb/s) instead of previous
value of 2147483647 (~2Gb/s).

Reviewed by:	np, scottl
Obtained from:	pfSense
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D31582
2021-08-19 10:48:53 +02:00
Mateusz Guzik
3e875f952a pf: assert dir state on pf_test{,6}
The intent is to line up various enums so that branching in the lines of:

idx = (dir == PF_IN ? PF_SK_WIRE : PF_SK_STACK);

is avoided.

Reviewed by:	kp
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-08-17 21:56:50 +02:00
Mateusz Guzik
5091ca2650 pf: save on branching in the common case in pf_test
Reviewed by:	kp
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-08-17 21:56:33 +02:00
Andrey V. Elsukov
322e5efda8 ipfw: fix possible data race between jump cache reading and updating.
Jump cache is used to reduce the cost of rule lookup for O_SKIPTO and
O_CALLRETURN actions. It uses rules chain id to check correctness of
cached value. But due to the possible race, there is the chance that
one thread can read invalid value. In some cases this can lead to out
of bounds access and panic.

Use thread fence operations to constrain the reordering of accesses.
Also rename jump_fast and jump_linear functions to jump_cached and
jump_lookup_pos respectively.

Submitted by:	Arseny Smalyuk
Reviewed by:	melifaro
Obtained from:	Yandex LLC
MFC after:	1 week
Sponsored by:	Yandex LLC
Differential Revision:	https://reviews.freebsd.org/D31484
2021-08-17 11:08:28 +03:00
Kristof Provost
600745f1e2 pf: bound DIOCGETSTATES memory use
Similar to what we did earlier for DIOCGETSTATESV2 we only allocate
enough memory for a handful of states and copy those out, bit by bit,
rather than allocating memory for all states in one go.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-08-02 16:29:23 +02:00
Kristof Provost
b69019c14c pf: remove DIOCGETSTATESNV
While nvlists are very useful in maximising flexibility for future
extensions their performance is simply unacceptably bad for the
getstates feature, where we can easily want to export a million states
or more.

The DIOCGETSTATESNV call has been MFCd, but has not hit a release on any
branch, so we can still remove it everywhere.

Reviewed by:	mjg
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D31099
2021-07-30 11:45:28 +02:00
Mark Johnston
64432ad2a2 pf: Validate user string nul-termination before copying
Some pf ioctl handlers use strlcpy() to copy strings when converting
from user structures to their in-kernel representations.  strlcpy()
ensures that the destination will be nul-terminated, but it assumes that
the source is nul-terminated.  In particular, it returns the full length
of the source string, so if the source is not nul-terminated, strlcpy()
will keep scanning until it finds a nul byte, and it may encounter an
unmapped page first.  Add a helper to validate user strings before
copying.

There are also places where we look up a ruleset using a user-provided
anchor string.  In some ioctl handlers we were already nul-terminating
the string, avoiding the same problem, but in other places we were not.
Fix those by nul-terminating as well.  Aside from being consistent,
anchors have a maximum length of MAXPATHLEN - 1 so calling strnlen()
might not be so desirable.

Reported by:	syzbot+35a1549b4663e9483dd1@syzkaller.appspotmail.com
Reviewed by:	kp
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D31169
2021-07-28 10:41:01 -04:00
Mark Johnston
2b82c57e39 pf: Initialize arrays before copying out to userland
A number of pf ioctls populate an array of structures and copy it out.
They have the following structures:
- caller specifies the size of its output buffer
- ioctl handler allocates a kernel buffer of the same size
- ioctl handler populates the buffer, possibly leaving some items
  initialized if the caller provided more space than needed
- ioctl handler copies the entire buffer out to userland

Thus, if more space was provided than is required, we end up copying out
uninitialized kernel memory.  Simply zero the buffer at allocation time
to prevent this.

Reported by:	KMSAN
Reviewed by:	kp
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D31313
2021-07-28 10:40:49 -04:00
Kristof Provost
da8d8b22e6 pf: fix ABI breakage
The introduction of synproxy support changed the size of struct
pf_status, which in turn broke the userspace ABI.

Revert the relevant change. More work is needed on the synproxy code to
keep and expose the counters, but in the mean time this restores the
ABI.

PR:             257469
MFC after:      3 days
Sponsored by:   Modirum MDPay
2021-07-28 12:16:33 +02:00
Kristof Provost
9ef8cd0b79 vlan: deduplicate bpf_setpcp() and pf_ieee8021q_setpcp()
These two fuctions were identical, so move them into the common
vlan_set_pcp() function, exposed in the if_vlan_var.h header.

Reviewed by:	donner
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D31275
2021-07-26 23:13:31 +02:00
Kristof Provost
d2dc4548eb pf: remove duplicate ERROUT_FUNCTION definition
Sponsored by:	Modirum MDPay
2021-07-26 12:31:10 +02:00
Mateusz Guzik
87c010e6e3 pf: batch critical section for several counters
Reviewed by:	kp
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-07-25 10:22:17 +02:00
Mateusz Guzik
02cf67ccf6 pf: switch rule counters to pf_counter_u64
Reviewed by:	kp
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-07-25 10:22:17 +02:00
Mateusz Guzik
d40d4b3ed7 pf: switch kif counters to pf_counter_u64
Reviewed by:	kp
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-07-25 10:22:17 +02:00
Mateusz Guzik
fc4c42ce0b pf: switch pf_status.fcounters to pf_counter_u64
Reviewed by:	kp
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-07-25 10:22:16 +02:00
Mateusz Guzik
defdcdd564 pf: add hybrid 32- an 64- bit counters
Numerous counters got migrated from straight uint64_t to the counter(9)
API. Unfortunately the implementation comes with a significiant
performance hit on some platforms and cannot be easily fixed.

Work around the problem by implementing a pf-specific variant.

Reviewed by:	kp
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-07-25 10:22:16 +02:00
Mateusz Guzik
6f1fb65612 pf: drop redundant 'else' in pf_normalize_*
Reviewed by:	kp
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-07-25 10:22:16 +02:00
Mateusz Guzik
49a7d47235 pf: consistently malloc rules with M_ZERO
Reviewed by:	kp
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-07-23 17:35:32 +00:00
Kristof Provost
32271c4d38 pf: clean up syncookie callout on vnet shutdown
Ensure that we cancel any outstanding callouts for syncookies when we
terminate the vnet.

MFC after:	1 week
Sponsored by:	Modirum MDPay
2021-07-20 21:13:25 +02:00
Kristof Provost
84db87b8da pf: remove stray debug line
MFC after:	1 week
Sponsored by:	Modirum MDPay
2021-07-20 21:13:22 +02:00
Mateusz Guzik
907257d696 pf: embed a pointer to the lock in struct pf_kstate
This shaves calculation which in particular helps on arm.

Note using the & hack instead would still be more work.

Reviewed by:	kp
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-07-20 16:11:31 +00:00
Kristof Provost
231e83d342 pf: syncookie ioctl interface
Kernel side implementation to allow switching between on and off modes,
and allow this configuration to be retrieved.

MFC after:	1 week
Sponsored by:	Modirum MDPay
Differential Revision:	https://reviews.freebsd.org/D31139
2021-07-20 10:36:13 +02:00
Kristof Provost
8e1864ed07 pf: syncookie support
Import OpenBSD's syncookie support for pf. This feature help pf resist
TCP SYN floods by only creating states once the remote host completes
the TCP handshake rather than when the initial SYN packet is received.

This is accomplished by using the initial sequence numbers to encode a
cookie (hence the name) in the SYN+ACK response and verifying this on
receipt of the client ACK.

Reviewed by:	kbowling
Obtained from:	OpenBSD
MFC after:	1 week
Sponsored by:	Modirum MDPay
Differential Revision:	https://reviews.freebsd.org/D31138
2021-07-20 10:36:13 +02:00