Date:      Thu, 14 Sep 2023 10:34:10 GMT
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 027418a4d8bd - stable/13 - blackhole(4): disable for locally originated TCP/UDP packets
Message-ID:  <202309141034.38EAYAtS043617@gitrepo.freebsd.org>

The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=027418a4d8bdf58b606fab7505bcb841cc3a6d7c

commit 027418a4d8bdf58b606fab7505bcb841cc3a6d7c
Author:     Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2021-10-28 15:11:45 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-09-14 09:54:04 +0000

    blackhole(4): disable for locally originated TCP/UDP packets
    
    In most cases blackholing for locally originated packets is undesired and
    leads to different kinds of lags and delays. Provide sysctls to enforce
    it, e.g. for debugging purposes.
    
    Reviewed by:            rrs
    Differential revision:  https://reviews.freebsd.org/D32718
    
    (cherry picked from commit 3ea9a7cf7b09a355cde3a76824809402b99d0892)
    (cherry picked from commit ad3ad06477d013371b95af673a9776c62f49a97f)
---
 share/man/man4/blackhole.4 | 12 +++++++++++-
 sys/netinet/tcp_input.c    | 19 +++++++++++++++++--
 sys/netinet/udp_usrreq.c   |  7 ++++++-
 sys/netinet/udp_var.h      |  2 ++
 sys/netinet6/udp6_usrreq.c |  3 ++-
 5 files changed, 38 insertions(+), 5 deletions(-)

diff --git a/share/man/man4/blackhole.4 b/share/man/man4/blackhole.4
index f7256146eaef..00c8e3d7a2b6 100644
--- a/share/man/man4/blackhole.4
+++ b/share/man/man4/blackhole.4
@@ -10,7 +10,7 @@
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
 .\"
-.Dd September 6, 2015
+.Dd November 3, 2021
 .Dt BLACKHOLE 4
 .Os
 .Sh NAME
@@ -22,7 +22,9 @@ attempts
 .Sh SYNOPSIS
 .Cd sysctl net.inet.sctp.blackhole Ns Op = Ns Brq "0 | 1 | 2"
 .Cd sysctl net.inet.tcp.blackhole Ns Op = Ns Brq "0 | 1 | 2"
+.Cd sysctl net.inet.tcp.blackhole_local Ns Op = Ns Brq "0 | 1"
 .Cd sysctl net.inet.udp.blackhole Ns Op = Ns Brq "0 | 1"
+.Cd sysctl net.inet.udp.blackhole_local Ns Op = Ns Brq "0 | 1"
 .Sh DESCRIPTION
 The
 .Nm
@@ -33,6 +35,14 @@ are received on SCTP, TCP, or UDP ports where there is no socket listening.
 The blackhole behaviour is useful to slow down an attacker who is port-scanning
 a system in an attempt to detect vulnerable services.
 It might also slow down an attempted denial of service attack.
+.Pp
+The blackhole behaviour is disabled by default.
+If enabled, the locally originated packets would still be responded to,
+unless also
+.Va net.inet.tcp.blackhole_local
+(for TCP) and/or
+.Va net.inet.udp.blackhole_local
+(for UDP) are enforced.
 .Ss SCTP
 Setting the SCTP blackhole MIB to a numeric value of one
 will prevent sending an ABORT packet in response to an incoming INIT.
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index b57c4e667371..d3145881ecf9 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -142,6 +142,12 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, blackhole, CTLFLAG_VNET | CTLFLAG_RW,
     &VNET_NAME(blackhole), 0,
     "Do not send RST on segments to closed ports");
 
+VNET_DEFINE(bool, blackhole_local) = false;
+#define	V_blackhole_local	VNET(blackhole_local)
+SYSCTL_BOOL(_net_inet_tcp, OID_AUTO, blackhole_local, CTLFLAG_VNET |
+    CTLFLAG_RW, &VNET_NAME(blackhole_local), false,
+    "Enforce net.inet.tcp.blackhole for locally originated packets");
+
 VNET_DEFINE(int, tcp_delack_enabled) = 1;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, delayed_ack, CTLFLAG_VNET | CTLFLAG_RW,
     &VNET_NAME(tcp_delack_enabled), 0,
@@ -949,8 +955,17 @@ findpcb:
 		 * When blackholing do not respond with a RST but
 		 * completely ignore the segment and drop it.
 		 */
-		if ((V_blackhole == 1 && (thflags & TH_SYN)) ||
-		    V_blackhole == 2)
+		if (((V_blackhole == 1 && (thflags & TH_SYN)) ||
+		    V_blackhole == 2) && (V_blackhole_local || (
+#ifdef INET6
+		    isipv6 ? !in6_localaddr(&ip6->ip6_src) :
+#endif
+#ifdef INET
+		    !in_localip(ip->ip_src)
+#else
+		    true
+#endif
+		    )))
 			goto dropunlock;
 
 		rstreason = BANDLIM_RST_CLOSEDPORT;
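Review bot: The IPv6 branch `isipv6 ? !in6_localaddr(&ip6->ip6_src)` is not the counterpart of the IPv4 `!in_localip(ip->ip_src)` test: in_localip() matches only addresses configured on this host, whereas in6_localaddr(), if I read it correctly, also returns true for any link-local source and for any source inside a locally configured prefix, so on-link IPv6 neighbours are exempted from blackholing as well and keep receiving RSTs, which is wider than the "locally originated packets" wording the blackhole(4) hunk adds. The same asymmetry is in the udp6_usrreq.c hunk (`!in6_localaddr(&ip6->ip6_src)`). Unless the wider exemption is intended, the IPv6 check should test for an address of this host (an exact-match lookup such as in6ifa_ifwithaddr()), or the manual page should say that on-link IPv6 sources are exempted too. Separately, the preprocessor conditionals spliced into the middle of the expression make the condition hard to read; hoisting the source-address test into a small static inline helper (e.g. `tcp_src_is_local(isipv6, ip, ip6)`) that contains the `#ifdef`s would keep the `if` to one readable line. The enclosing block of tcp_input() starts and ends outside the hunk.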
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 9ec671f9fbdd..a476b0d8251a 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -125,6 +125,10 @@ VNET_DEFINE(int, udp_blackhole) = 0;
 SYSCTL_INT(_net_inet_udp, OID_AUTO, blackhole, CTLFLAG_VNET | CTLFLAG_RW,
     &VNET_NAME(udp_blackhole), 0,
     "Do not send port unreachables for refused connects");
+VNET_DEFINE(bool, udp_blackhole_local) = false;
+SYSCTL_BOOL(_net_inet_udp, OID_AUTO, blackhole_local, CTLFLAG_VNET |
+    CTLFLAG_RW, &VNET_NAME(udp_blackhole_local), false,
+    "Enforce net.inet.udp.blackhole for locally originated packets");
 
 u_long	udp_sendspace = 9216;		/* really max datagram size */
 SYSCTL_ULONG(_net_inet_udp, UDPCTL_MAXDGRAM, maxdgram, CTLFLAG_RW,
@@ -708,7 +712,8 @@ udp_input(struct mbuf **mp, int *offp, int proto)
 			UDPSTAT_INC(udps_noportbcast);
 			goto badunlocked;
 		}
-		if (V_udp_blackhole)
+		if (V_udp_blackhole && (V_udp_blackhole_local ||
+		    !in_localip(ip->ip_src)))
 			goto badunlocked;
 		if (badport_bandlim(BANDLIM_ICMP_UNREACH) < 0)
 			goto badunlocked;
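Review bot: The new condition `if (V_udp_blackhole && (V_udp_blackhole_local ||` carries no comment explaining why a datagram whose source is one of this host's own addresses bypasses the blackhole, unlike the TCP check, which at least sits under the existing blackhole comment; suggest adding `/* Local sources still get port unreachables unless blackhole_local enforces blackholing; see blackhole(4). */` above the if. udp_input() starts and ends outside the hunk.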
diff --git a/sys/netinet/udp_var.h b/sys/netinet/udp_var.h
index 39f39c3d77ee..99388acbc3b7 100644
--- a/sys/netinet/udp_var.h
+++ b/sys/netinet/udp_var.h
@@ -148,9 +148,11 @@ extern u_long			udp_sendspace;
 extern u_long			udp_recvspace;
 VNET_DECLARE(int, udp_cksum);
 VNET_DECLARE(int, udp_blackhole);
+VNET_DECLARE(bool, udp_blackhole_local);
 VNET_DECLARE(int, udp_log_in_vain);
 #define	V_udp_cksum		VNET(udp_cksum)
 #define	V_udp_blackhole		VNET(udp_blackhole)
+#define	V_udp_blackhole_local	VNET(udp_blackhole_local)
 #define	V_udp_log_in_vain	VNET(udp_log_in_vain)
 
 VNET_DECLARE(int, zero_checksum_port);
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index 4c5651f10a58..726c79c97de6 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -509,7 +509,8 @@ skip_checksum:
 			UDPSTAT_INC(udps_noportmcast);
 			goto badunlocked;
 		}
-		if (V_udp_blackhole)
+		if (V_udp_blackhole && (V_udp_blackhole_local ||
+		    !in6_localaddr(&ip6->ip6_src)))
 			goto badunlocked;
 		icmp6_error(m, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOPORT, 0);
 		*mp = NULL;


