Commit Graph

904 Commits

Author SHA1 Message Date
Cy Schubert
3b9b51fe46 ipfilter: Move kernel bits to netpfil
Through fixes and improvements our ipfilter sources have diverged
enough to warrant move from contrib into sys/netpil. Now that I'm
planning on implementing MSS clamping as in iptables it makes more
sense to move ipfilter to netpfil.

This is the first of three commits the ipfilter move.

Suggested by glebius on two occaions.

Suggested by and discussed with:	glebius
Reviewed by:				glebius, kp (for #network)
MFC after:				1 month
Differential Revision:		https://reviews.freebsd.org/D33510
2021-12-20 06:16:33 -08:00
Mateusz Guzik
60a28b0916 ipfw: plug set-but-not-used vars
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-12-18 13:21:03 +00:00
Franco Fichtner
1de20ebc46 dummynet: drop unused definitions
Reviewed by:	kp
Differential Revision:	https://reviews.freebsd.org/D33429
2021-12-14 13:01:15 +01:00
Kristof Provost
73fd0eaf59 pfsync: fix incorrect enabling of defer mode
When we exposed the PFSYNCF_OK flag to userspace in 5f5bf88949 we
unintentionally caused defer mode to always be enabled.
The ioctl check only looked for nonzero, not for the PFSYNCF_DEFER flag.

Fix this check and ensure ifconfig sets the flag.

Reviewed by:	glebius
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D33244
2021-12-06 13:25:14 +01:00
Kristof Provost
41c4f19872 pfsync: locking fixes
* Ensure we unlock the pfsync lock in pfsync_defer()
 * We must hold the bucket lock when calling pfsync_push()
 * The pfsync_defer_tmo() callout locks the bucket lock, not the pfsync
   lock

Reviewed by:	glebius
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D33243
2021-12-06 13:25:14 +01:00
Kristof Provost
93a3fa41dc pfsync: fix defer timeout
Don't use a fixed number of ticks, but take hz into account so we have a
consistent timeout, regardless of what hz is set up.
Use a 20ms timeout, becaues that's what OpenBSD uses.

Reviewed by:	glebius
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D33242
2021-12-06 13:25:14 +01:00
Kristof Provost
7b02a551f7 pfsync: check IFF_DRV_RUNNING in the correct field
This flag is stored in if_drv_flags, not if_flags.

Reviewed by:	glebius
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D33241
2021-12-06 13:25:14 +01:00
Kristof Provost
27bd812c5c pfsync: NULL check sc before using it
In pfsync_defer() we must wait to lock sc until we've ensured it's not
NULL.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D33240
2021-12-06 13:25:13 +01:00
Kristof Provost
6d4baa0d01 if_pflog: fix packet length
There were two issues with the new pflog packet length.
The first is that the length is expected to be a multiple of
sizeof(long), but we'd assumed it had to be a multiple of
sizeof(uint32_t).

The second is that there's some broken software out there (such as
Wireshark) that makes incorrect assumptions about the amount of padding.
That is, Wireshark assumes there's always three bytes of padding, rather
than however much is needed to get to a multiple of sizeof(long).

Fix this by adding extra padding, and a fake field to maintain
Wireshark's assumption.

Reported by:	Ozkan KIRIK <ozkan.kirik@gmail.com>
Tested by:	Ozkan KIRIK <ozkan.kirik@gmail.com>
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D33236
2021-12-04 08:42:55 +01:00
Mark Johnston
1c732c8591 dummynet: Fix socket option length validation for IP_DUMMYNET3
The socket option handler tries to ensure that the option length is no
larger than some reasonable maximum, and no smaller than sizeof(struct
dn_id).  But the loaded option length is stored in an int, which is
converted to an unsigned integer for the comparison with a size_t, so
negative values are not caught and instead get passed to malloc().

Change the code to use a size_t for the buffer size.

Reviewed by:	kp
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33133
2021-11-29 13:57:24 -05:00
Mark Johnston
d5ea04ee7b dummynet: Avoid an out-of-bounds read in do_config()
do_config() processes a buffer of variable-length dummynet commands.
The loop which processes this buffer loads the fixed-length header
before checking whether there are any bytes left to read, so it performs
a 4-byte read past the end of the buffer before terminating.

Restructure the loop to avoid this.

Reported by:	Jenkins (KASAN job)
Reviewed by:	kp
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33132
2021-11-29 13:57:24 -05:00
Mateusz Guzik
b6c8c7b99a pf: add pf_bcmp_state_key
Reviewed by:	kp
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D33131
2021-11-28 20:15:45 +01:00
Mark Johnston
44775b163b netinet: Remove unneeded mb_unmapped_to_ext() calls
in_cksum_skip() now handles unmapped mbufs on platforms where they're
permitted.

Reviewed by:	glebius, jhb
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33097
2021-11-24 13:31:16 -05:00
Kristof Provost
90c55481b2 pf: fix netpfil.common.dummynet:pf_nat test
This test failed if ipfw was loaded (as well as pf). pf used the same
tag as dummynet to indicate a packet had already gone through dummynet.
However, ipfw removes this tag, so pf didn't realise the packet had
already gone through dummynet.

Introduce a separate flag, in the existing pf mtag rather than re-using
the ipfw tag. There were no free flag bits, but PF_TAG_FRAGCACHE is no
longer used so its bit can be re-purposed.

MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D33087
2021-11-23 16:46:35 +01:00
Kristof Provost
18d04cd2d4 pf: align IPv6 dummynet handling with IPv4
In e5c4987e3f we fixed issues with nat and dummynet, but only changed
the IPv4 code. Make the same change for IPv6 as well.

Reviewed by:	glebius
MFC after:	3 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D33086
2021-11-23 16:46:15 +01:00
Kristof Provost
c36f90417b pf: remove unused variables
No functional change intended.

Reviewed by:	glebius
MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D33085
2021-11-23 16:44:37 +01:00
Gleb Smirnoff
0dff875fa9 ipfw: remove unnecessary TCP related includes 2021-11-18 00:54:28 -08:00
Kristof Provost
8e492101ec pf: add COMPAT_FREEBSD13 for DIOCKEEPCOUNTERS
DIOCKEEPCOUNTERS used to overlap with DIOCGIFSPEEDV0, which has been
fixed in 14, but remains in stable/12 and stable/13.
Support the old, overlapping, call under COMPAT_FREEBSD13.

Reviewed by:	jhb
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D33001
2021-11-17 03:09:20 +01:00
Mark Johnston
756bb50b6a sctp: Remove now-unneeded mb_unmapped_to_ext() calls
sctp_delayed_checksum() now handles unmapped mbufs, thanks to m_apply().

No functional change intended.

Reviewed by:	tuexen
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32942
2021-11-16 13:38:09 -05:00
Kristof Provost
218a8a491c pf: ensure we populate dyncnt/tblcnt in struct pf_addr_wrap
PR:		259689
MFC after:	3 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D32892
2021-11-10 11:27:22 +01:00
Kristof Provost
76c5eecc34 pf: Introduce ridentifier
Allow users to set a number on rules which will be exposed as part of
the pflog header.
The intent behind this is to allow users to correlate rules across
updates (remember that pf rules continue to exist and match existing
states, even if they're removed from the active ruleset) and pflog.

Obtained from:	pfSense
MFC after:	3 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D32750
2021-11-05 09:39:56 +01:00
Mateusz Guzik
8f3d786cb3 pf: remove the flags argument from pf_unlink_state
All consumers call it with PF_ENTER_LOCKED.

Reviewed by:	kp
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-11-01 20:59:14 +01:00
Mateusz Guzik
edf6dd82e9 pf: fix use-after-free from pf_find_state_all
state was returned without any locks nor references held

Reviewed by:	kp
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-11-01 20:59:05 +01:00
Kristof Provost
e5c4987e3f pf: fix dummynet + NAT
Dummynet differs from ALTQ in that ALTQ schedules packets after they
leave pf. Dummynet schedules them after they leave pf, but then
re-injects them.
We currently deal with this by ensuring we don't re-schedule a packet we
get from dummynet, but this produces unexpected results when combined
with NAT, as dummynet processing is done after the NAT transformation.
In other words, the second time the packet is handed to pf it may have a
different source and destination address.

Simplify this by moving dummynet processing to after all other pf
processing, and not re-processing (but always passing) packets from
dummynet.

This fixes NAT of dummynet delayed packets, and also reduces processing
overhead (because we only do state/rule lookup for each dummynet packet
once, rather than twice).

MFC after:	3 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D32665
2021-10-28 10:41:17 +02:00
Gleb Smirnoff
c8ee75f231 Use network epoch to protect local IPv4 addresses hash.
The modification to the hash are already naturally locked by
in_control_sx.  Convert the hash lists to CK lists. Remove the
in_ifaddr_rmlock. Assert the network epoch where necessary.

Most cases when the hash lookup is done the epoch is already entered.
Cover a few cases, that need entering the epoch, which mostly is
initial configuration of tunnel interfaces and multicast addresses.

Reviewed by:		melifaro
Differential revision:	https://reviews.freebsd.org/D32584
2021-10-22 14:40:53 -07:00
Luiz Otavio O Souza
ab238f1454 pf: ensure we have the correct source/destination IP address in ICMP errors
When we route-to a packet that later turns out to not fit in the
outbound interface MTU we generate an ICMP error.
However, if we've already changed those (i.e. we've passed through a NAT
rule) we have to undo the transformation first.

Obtained from:	pfSense
MFC after:	3 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D32571
2021-10-22 09:52:17 +02:00
Mateusz Guzik
bcd4c17cca pf: fix some cc --analyze warnings
Reviewed by:	kp
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-10-19 11:59:11 +00:00
Kristof Provost
076b3a50fd pf: don't drop packets when redirection information comes from a state
For some traffic there might be no matching rule in the current ruleset,
for example when a state was imported via pfsync from a sytem with a
different ruleset checksum. In this case pf_route uses s->rt_addr for
routing target instead of r->rpool.cur but r->rpool is checked anyway,
resulting in dropped packets.

PR:		259183
Submitted by:	Kajetan Staszkiewicz <vegeta tuxpowered.net>
Sponsored by:	InnoGames GmbH
2021-10-16 23:02:26 +02:00
Kristof Provost
498cca1483 pf: selecting pf_map_addr is not an error
When a redirection/nat IP address is selected by pf_map_addr it is
logged with PF_DEBUG_MISC level. This one according to the manual means
"Generate debug messages for various errors". Selecting an IP address is
not an error, it's a normal function of pf for route-to, nat and some
other operations. Therefore PF_DEBUG_NOISY level should be choosen which
is means "Generate debug messages for common conditions".

PR:		259184
Submitted by:	Kajetan Staszkiewicz <vegeta tuxpowered.net>
Sponsored by:	InnoGames GmbH
2021-10-16 09:32:15 +02:00
Kristof Provost
776df104fa pf: Introduce pf_nvbool()
Similar to the existing functions for strings and ints, this lets us
simplify some of the nvlist conversion code.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-10-13 12:01:09 +02:00
Kristof Provost
1c680e620b pf: do not copy anchor_wildcard / anchor_relative from userspace
We overwrite these fields again in pf_kanchor_setup() anyway.

MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-10-08 14:46:59 +02:00
Kristof Provost
955460d41e pf: hook up adaptive mode configuration
The kernel side of pf syncookie adaptive mode configuration.

MFC after:	1 week
Sponsored by:	Modirum MDPay
Differential Revision:	https://reviews.freebsd.org/D32135
2021-09-29 15:11:54 +02:00
Kristof Provost
bf8637181a pf: implement adaptive mode
Use atomic counters to ensure that we correctly track the number of half
open states and syncookie responses in-flight.
This determines if we activate or deactivate syncookies in adaptive
mode.

MFC after:	1 week
Sponsored by:	Modirum MDPay
Differential Revision:	https://reviews.freebsd.org/D32134
2021-09-29 15:11:54 +02:00
Kristof Provost
63b3c1c770 pf: support dummynet
Allow pf to use dummynet pipes and queues.

We re-use the currently unused IPFW_IS_DUMMYNET flag to allow dummynet
to tell us that a packet is being re-injected after being delayed. This
is needed to avoid endlessly looping the packet between pf and dummynet.

MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D31904
2021-09-24 11:41:25 +02:00
Kristof Provost
8160a0f62b dummynet: Does not depend on ipfw
Allow the dummynet module to be loaded without ipfw, as a first step
towards making pf use it for packet scheduling.

Reviewed by:	donner
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D31903
2021-09-24 11:41:25 +02:00
Kristof Provost
cb13059663 pf: fix pagefault in pf_getstatus()
We can't copyout() while holding a lock, in case it triggers a page
fault.
Release the lock before copyout, which is safe because we've already
copied all the data into the nvlist.

PR:		258601
Reviewed by:	mjg
MFC after:	1 week
Sponsored by:	Modirum MDPay
Differential Revision:	https://reviews.freebsd.org/D32076
2021-09-23 21:56:59 +02:00
Franco Fichtner
8e496ea1df pf: always log nat rule and do it pre-rewrite
See also https://github.com/opnsense/core/issues/5005

Reviewed by:	kp
Differential Revision:	https://reviews.freebsd.org/D31504
2021-09-18 13:43:41 +02:00
John Baldwin
df005aa9b3 pf: Remove duplicate declaration of pf_ioctl_maxcount.
Fixes a -Wredundant-decls warning with GCC 9.

Reviewed by:	kp
Differential Revision:	https://reviews.freebsd.org/D31944
2021-09-15 09:03:18 -07:00
Kristof Provost
9bdff593ea pf: fix NOINET6 builds
MFC after:	1 week
Sponsored by:	Modirum MDPay
2021-09-10 18:15:44 +02:00
Kristof Provost
b64f7ce98f pf: qid and pqid can be uint16_t
tag2name() returns a uint16_t, so we don't need to use uint32_t for the
qid (or pqid). This reduces the size of struct pf_kstate slightly. That
in turn buys us space to add extra fields for dummynet later.

Happily these fields are not exposed to user space (there are user space
versions of them, but they can just stay uint32_t), so there's no ABI
breakage in modifying this.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D31873
2021-09-10 17:07:57 +02:00
Kristof Provost
0a51d74c3a pf: fix synproxy to local
When we're synproxy-ing a connection that's going to us (as opposed to a
forwarded one) we wound up trying to send out the pf-generated tcp
packets through pf_intr(), which called ip(6)_output(). That doesn't
work all that well for packets that are destined for us, so in that case
we must call ip(6)_input() instead.

MFC after:	1 week
Sponsored by:   Modirum MDPay
Differential Revision:	https://reviews.freebsd.org/D31853
2021-09-10 15:16:37 +02:00
Kristof Provost
415e81d5d9 dummynet: remove unused definitions
No functional change.

MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D31806
2021-09-08 17:18:00 +02:00
Kristof Provost
a0c64a443e pf: ensure states passed to pf_free_state() are always unlinked
In pf_create_state() we can end up deleting the state immediately. This
can happen if we fail to map the relevant addresses or fail
normalization or fail to insert it into the state table.
If that happens we delete the state again with pf_free_state(). However,
this asserts that the state must be unlinked.

It's correct to simply set the state to PFTM_UNLINKED because we've not
yet linked it.

Submitted by:	Mateusz Guzik <mjg@FreeBSD.org>
Reviewed by:	scottl
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D31752
2021-09-03 09:36:19 +02:00
Kristof Provost
ce3ea45047 pf: import pf_set_protostate() from OpenBSD
to change a state's state (that term is overloaded in pf, protocol state
like ESTABLISHED for tcp here), don't do it directly, but go through a newly
introduced pf_set_protostate()

Reviewed by:	kbowling
Obtainted from:	OpenBSD
MFC after:	1 week
Sponsored by:	Modirum MDPay
Differential Revision:	https://reviews.freebsd.org/D31729
2021-09-01 12:02:19 +02:00
Kristof Provost
4cab80a8df pf: Add counters for syncookies
Count when we send a syncookie, receive a valid syncookie or detect a
synflood.

Reviewed by:	kbowling
MFC after:	1 week
Sponsored by:	Modirum MDPay
Differential Revision:	https://reviews.freebsd.org/D31713
2021-09-01 12:02:19 +02:00
Kristof Provost
2b10cf85f8 pf: Introduce nvlist variant of DIOCGETSTATUS
Make it possible to extend the GETSTATUS call (e.g. when we want to add
new counters, such as for syncookie support) by introducing an
nvlist-based alternative.

MFC after:	1 week
Sponsored by:   Modirum MDPay
Differential Revision:	https://reviews.freebsd.org/D31694
2021-08-29 14:59:04 +02:00
Andrey V. Elsukov
da3a09d894 ipfw_nat64: fix direct output mode
In nat64_find_route[46] handle NHF_GATEWAY flag and use destination
address from next hop to do link layer address lookup.

PR:		255928
Reviewed by:	melifaro
Obtained from:	Yandex LLC
MFC after:	1 week
Sponsored by:	Yandex LLC
Differential Revision:	https://reviews.freebsd.org/D31680
2021-08-26 13:48:23 +03:00
Samuel Robinette
0a7d1fc6f6 pf: implement set-tos for IPv6
Extend the existing set-tos keyword to also be able to set traffic class
on IPv6 traffic.
Add tests for this as well.

Reviewed by:	kp
Differential Revision:	https://reviews.freebsd.org/D31564
2021-08-19 10:07:56 +02:00
Luiz Otavio O Souza
20ffd88ed5 ipfw: use unsigned int for dummynet bandwidth
This allows the maximum value of 4294967295 (~4Gb/s) instead of previous
value of 2147483647 (~2Gb/s).

Reviewed by:	np, scottl
Obtained from:	pfSense
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D31582
2021-08-19 10:48:53 +02:00
Mateusz Guzik
3e875f952a pf: assert dir state on pf_test{,6}
The intent is to line up various enums so that branching in the lines of:

idx = (dir == PF_IN ? PF_SK_WIRE : PF_SK_STACK);

is avoided.

Reviewed by:	kp
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-08-17 21:56:50 +02:00