cxgbe(4): knobs to drop various kinds of undesirable frames on ingress.

These kind of drops come for free in the sense that they do not use the filter TCAM or any other resource that wouldn't normally be used during rx. Frames dropped by the hardware get counted in the MAC's rx stats but are not delivered to the driver. hw.cxgbe.attack_filter Set to 1 to enable the "attack filter". Default is 0. The attack filter will drop an incoming frame if any of these conditions is true: src ip/ip6 == dst ip/ip6; tcp and src/dst ip is not unicast; src/dst ip is loopback (127.x.y.z); src ip6 is not unicast; src/dst ip6 is loopback (::1/128) or unspecified (::/128); tcp and src/dst ip6 is mcast (ff00::/8). hw.cxgbe.drop_ip_fragments Set to 1 to drop all incoming IP fragments. Default is 0. Note that this drops valid frames. hw.cxgbe.drop_pkts_with_l2_errors Set to 1 to drop incoming frames with Layer 2 length or checksum errors. Default is 1. hw.cxgbe.drop_pkts_with_l3_errors Set to 1 to drop incoming frames with IP version, length, or checksum errors. Default is 0. hw.cxgbe.drop_pkts_with_l4_errors Set to 1 to drop incoming frames with Layer 4 length, checksum, or other errors. Default is 0. MFC after: 2 weeks Sponsored by: Chelsio Communications
2020-10-08 10:00:13 +00:00 · 2020-10-08 10:00:13 +00:00 · 77af2b2c85
commit 77af2b2c85
parent 12a899b632
2 changed files with 89 additions and 2 deletions
--- a/share/man/man4/cxgbe.4
+++ b/share/man/man4/cxgbe.4
@ -31,7 +31,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd September 17, 2020
+.Dd October 8, 2020
 .Dt CXGBE 4
 .Os
 .Sh NAME
@ -362,6 +362,26 @@ The default value is 0 and should be changed only if PF and VF interfaces need
 to communicate with each other.
 Different interfaces can be assigned different values using the
 dev.<port>.X.tx_vm_wr sysctl when the interface is administratively down.
+.It Va hw.cxgbe.attack_filter
+Set to 1 to enable the "attack filter".
+Default is 0.
+The attack filter will drop an incoming frame if any of these conditions is
+true: src ip/ip6 == dst ip/ip6; tcp and src/dst ip is not unicast; src/dst ip is
+loopback (127.x.y.z); src ip6 is not unicast; src/dst ip6 is loopback (::1/128)
+or unspecified (::/128); tcp and src/dst ip6 is mcast (ff00::/8).
+.It Va hw.cxgbe.drop_ip_fragments
+Set to 1 to drop all incoming IP fragments.
+Default is 0.
+Note that this drops valid frames.
+.It Va hw.cxgbe.drop_pkts_with_l2_errors
+Set to 1 to drop incoming frames with Layer 2 length or checksum errors.
+Default is 1.
+.It Va hw.cxgbe.drop_pkts_with_l3_errors
+Set to 1 to drop incoming frames with IP version, length, or checksum errors.
+Default is 0.
+.It Va hw.cxgbe.drop_pkts_with_l4_errors
+Set to 1 to drop incoming frames with Layer 4 length, checksum, or other errors.
+Default is 0.
 .El
 .Sh SUPPORT
 For general information and support,
--- a/sys/dev/cxgbe/t4_main.c
+++ b/sys/dev/cxgbe/t4_main.c
@ -595,6 +595,46 @@ static int t4_tx_vm_wr = 0;
 SYSCTL_INT(_hw_cxgbe, OID_AUTO, tx_vm_wr, CTLFLAG_RWTUN, &t4_tx_vm_wr, 0,
    "Use VM work requests to transmit packets.");

+/*
+ * Set to non-zero to enable the attack filter.  A packet that matches any of
+ * these conditions will get dropped on ingress:
+ * 1) IP && source address == destination address.
+ * 2) TCP/IP && source address is not a unicast address.
+ * 3) TCP/IP && destination address is not a unicast address.
+ * 4) IP && source address is loopback (127.x.y.z).
+ * 5) IP && destination address is loopback (127.x.y.z).
+ * 6) IPv6 && source address == destination address.
+ * 7) IPv6 && source address is not a unicast address.
+ * 8) IPv6 && source address is loopback (::1/128).
+ * 9) IPv6 && destination address is loopback (::1/128).
+ * 10) IPv6 && source address is unspecified (::/128).
+ * 11) IPv6 && destination address is unspecified (::/128).
+ * 12) TCP/IPv6 && source address is multicast (ff00::/8).
+ * 13) TCP/IPv6 && destination address is multicast (ff00::/8).
+ */
+static int t4_attack_filter = 0;
+SYSCTL_INT(_hw_cxgbe, OID_AUTO, attack_filter, CTLFLAG_RDTUN,
+    &t4_attack_filter, 0, "Drop suspicious traffic");
+
+static int t4_drop_ip_fragments = 0;
+SYSCTL_INT(_hw_cxgbe, OID_AUTO, drop_ip_fragments, CTLFLAG_RDTUN,
+    &t4_drop_ip_fragments, 0, "Drop IP fragments");
+
+static int t4_drop_pkts_with_l2_errors = 1;
+SYSCTL_INT(_hw_cxgbe, OID_AUTO, drop_pkts_with_l2_errors, CTLFLAG_RDTUN,
+    &t4_drop_pkts_with_l2_errors, 0,
+    "Drop all frames with Layer 2 length or checksum errors");
+
+static int t4_drop_pkts_with_l3_errors = 0;
+SYSCTL_INT(_hw_cxgbe, OID_AUTO, drop_pkts_with_l3_errors, CTLFLAG_RDTUN,
+    &t4_drop_pkts_with_l3_errors, 0,
+    "Drop all frames with IP version, length, or checksum errors");
+
+static int t4_drop_pkts_with_l4_errors = 0;
+SYSCTL_INT(_hw_cxgbe, OID_AUTO, drop_pkts_with_l4_errors, CTLFLAG_RDTUN,
+    &t4_drop_pkts_with_l4_errors, 0,
+    "Drop all frames with Layer 4 length, checksum, or other errors");
+
 #ifdef TCP_OFFLOAD
 /*
 * TOE tunables.
@ -4740,7 +4780,7 @@ t4_enable_kern_tls(struct adapter *sc)
 static int
 set_params__post_init(struct adapter *sc)
 {
-	uint32_t param, val;
+	uint32_t mask, param, val;
 #ifdef TCP_OFFLOAD
 	int i, v, shift;
 #endif
@ -4761,6 +4801,33 @@ set_params__post_init(struct adapter *sc)
 	t4_set_reg_field(sc, A_TP_RSS_CONFIG_TNL, V_MASKFILTER(M_MASKFILTER),
 	    V_MASKFILTER(val - 1));

+	mask = F_DROPERRORANY | F_DROPERRORMAC | F_DROPERRORIPVER |
+	    F_DROPERRORFRAG | F_DROPERRORATTACK | F_DROPERRORETHHDRLEN |
+	    F_DROPERRORIPHDRLEN | F_DROPERRORTCPHDRLEN | F_DROPERRORPKTLEN |
+	    F_DROPERRORTCPOPT | F_DROPERRORCSUMIP | F_DROPERRORCSUM;
+	val = 0;
+	if (t4_attack_filter != 0) {
+		t4_set_reg_field(sc, A_TP_GLOBAL_CONFIG, F_ATTACKFILTERENABLE,
+		    F_ATTACKFILTERENABLE);
+		val |= F_DROPERRORATTACK;
+	}
+	if (t4_drop_ip_fragments != 0) {
+		t4_set_reg_field(sc, A_TP_GLOBAL_CONFIG, F_FRAGMENTDROP,
+		    F_FRAGMENTDROP);
+		val |= F_DROPERRORFRAG;
+	}
+	if (t4_drop_pkts_with_l2_errors != 0)
+		val |= F_DROPERRORMAC | F_DROPERRORETHHDRLEN;
+	if (t4_drop_pkts_with_l3_errors != 0) {
+		val |= F_DROPERRORIPVER | F_DROPERRORIPHDRLEN |
+		    F_DROPERRORCSUMIP;
+	}
+	if (t4_drop_pkts_with_l4_errors != 0) {
+		val |= F_DROPERRORTCPHDRLEN | F_DROPERRORPKTLEN |
+		    F_DROPERRORTCPOPT | F_DROPERRORCSUM;
+	}
+	t4_set_reg_field(sc, A_TP_ERR_CONFIG, mask, val);
+
 #ifdef TCP_OFFLOAD
 	/*
 	 * Override the TOE timers with user provided tunables.  This is not the