From nobody Mon Oct 30 17:13:26 2023 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4SK0GZ6p1sz4yBVQ; Mon, 30 Oct 2023 17:13:26 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4SK0GZ6GYqz3VTl; Mon, 30 Oct 2023 17:13:26 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1698686006; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=R5CNR/hDiInhlNVNNbQmARDkGE9VkaXnp1M/j+sDoGk=; b=PXe9wxENvTQ5xJIWQY9WaEWoqa0/bTS9sx8mbymHDAKvkRSR4wCAOJChZLugep48Xi/lMy 5aCKsENFjM91miZv1x1r9Z1PDixj9x78aTlXcWQfY5bOMEpv0fviPx0mJrIJV0lL5+wMFJ IP0KdZHD+vwGXzhl54epeoLGuRuCTmd6f5KXOBypnn1vabc2ihPloGrxFJQMkPGfWfWrK5 t+pMuCbeCQsZEidIE9cKnarLTKRgnCCB2JMsCamOqKfzLUZP/E09tDcHOsTs78jshfvHJn DPLwJv3GQsxNz7SYW3L1Myj9xBxofMuINcx/fTeq4szHL7UOQ99KUgCJVgeCqw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1698686006; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=R5CNR/hDiInhlNVNNbQmARDkGE9VkaXnp1M/j+sDoGk=; b=XCTpfkqxT82HDzGICVX0a/3fro4a6mIQpawgBatMcU8w9cqlIKl7eQMVtLf7FXaL7ZnbzJ E9rnUVPENs0LmvTPbSpO2o0GUeVO8tS8TXtt7kx6ZiSqCIoQbKeR1SG8fF1LE7OZXPpD3d n2ALQ9yMElBSMzECMtiUUyyFkOCEW8fSrqOvQ3gDS6FLt0HB2j/p9lJ98WKmE5+biphLWA Iqf4Rs0yD9f93XwMppubNZkb71cLo6sHoVTGcloXuuJ9oPIF3wx0oTD/aksJsVPQwwMFFU FeuDEEeyPkNpc8jhqCnPByXIxoDY8LfRf7PXQBudmSJUQdu7DmF6YR8EbwpHCg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1698686006; a=rsa-sha256; cv=none; b=f/mwz+RIlaGV1ENEq+hKxznl4kHJ1u5dPZWC/SinCqwQlTZlf3QwVDvalNZKK+a24v6JJt v+dvmvmVfqlkbziUKngQaazZt3TjvGcfrLWd0+5Q4NJ3ac3kBK3+DSOlGhF73jAxpQlIpv BRsmtIYUIaJfWuRKHUbJOK2vqQ8qEEIQ/M+rhSS5p0MRfrAhFQoe5l1IaX40KbmD33z1Z4 C4v/9c3FupJ44vSvLNMSjHCEOwYHS4v69DfkBF4dkUwjONmUp3Iisylf7eGSpvEzJJoeln CO/NCt6565F28z35G8Y6Xxcx+O0fjjjjtmAlwToWvF+WsvUx+hTT+uh1R7TpXA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4SK0GZ5KRJzVFh; Mon, 30 Oct 2023 17:13:26 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 39UHDQL5062198; Mon, 30 Oct 2023 17:13:26 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 39UHDQ4L062195; Mon, 30 Oct 2023 17:13:26 GMT (envelope-from git) Date: Mon, 30 Oct 2023 17:13:26 GMT Message-Id: <202310301713.39UHDQ4L062195@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: "Andrey V. Elsukov" Subject: git: 9be802c04b7c - stable/14 - Avoid IPv6 source address selection on accepting TCP connections List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: ae X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 9be802c04b7cd98fcf7a1dd2f41d9ebac0e32996 Auto-Submitted: auto-generated The branch stable/14 has been updated by ae: URL: https://cgit.FreeBSD.org/src/commit/?id=9be802c04b7cd98fcf7a1dd2f41d9ebac0e32996 commit 9be802c04b7cd98fcf7a1dd2f41d9ebac0e32996 Author: Andrey V. Elsukov AuthorDate: 2023-09-14 08:39:06 +0000 Commit: Andrey V. Elsukov CommitDate: 2023-10-30 17:12:50 +0000 Avoid IPv6 source address selection on accepting TCP connections When an application listens IPv6 TCP socket, due to ipfw forwarding tag it may handle connections for addresses that do not belongs to the jail or even current host (transparent proxy). Syncache code can successfully handle TCP handshake for such connections. When syncache finally accepts connection it uses in6_pcbconnect() to properly initlize new connection info. For IPv4 this scenario just works, but for IPv6 it fails when local address doesn't belongs to the jail. This check occurs when in6_pcbladdr() applies IPv6 SAS algorithm. We need IPv6 SAS when we are connection initiator, but in the above case connection is already established and both source and destination addresses are known. Use unused argument to notify in6_pcbconnect() when we don't need source address selection. This will fix `ipfw fwd` to jailed IPv6 address. When we are connection initiator, we stil use IPv6 SAS algorithm and apply all related restrictions. MFC after: 1 month Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D41685 (cherry picked from commit 0bf5377b6b9642acc85355062b921a07604b7c04) --- sys/netinet6/in6_pcb.c | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c index bf81de78f992..5c4ef7570ddc 100644 --- a/sys/netinet6/in6_pcb.c +++ b/sys/netinet6/in6_pcb.c @@ -335,7 +335,7 @@ in6_pcbbind(struct inpcb *inp, struct sockaddr_in6 *sin6, struct ucred *cred) */ static int in6_pcbladdr(struct inpcb *inp, struct sockaddr_in6 *sin6, - struct in6_addr *plocal_addr6) + struct in6_addr *plocal_addr6, bool sas_required) { int error = 0; int scope_ambiguous = 0; @@ -364,13 +364,25 @@ in6_pcbladdr(struct inpcb *inp, struct sockaddr_in6 *sin6, if ((error = prison_remote_ip6(inp->inp_cred, &sin6->sin6_addr)) != 0) return (error); - error = in6_selectsrc_socket(sin6, inp->in6p_outputopts, - inp, inp->inp_cred, scope_ambiguous, &in6a, NULL); - if (error) - return (error); + if (sas_required) { + error = in6_selectsrc_socket(sin6, inp->in6p_outputopts, + inp, inp->inp_cred, scope_ambiguous, &in6a, NULL); + if (error) + return (error); + } else { + /* + * Source address selection isn't required when syncache + * has already established connection and both source and + * destination addresses was chosen. + * + * This also includes the case when fwd_tag was used to + * select source address in tcp_input(). + */ + in6a = inp->in6p_laddr; + } + if (IN6_IS_ADDR_UNSPECIFIED(&in6a)) return (EHOSTUNREACH); - /* * Do not update this earlier, in case we return with an error. * @@ -398,7 +410,7 @@ in6_pcbladdr(struct inpcb *inp, struct sockaddr_in6 *sin6, */ int in6_pcbconnect(struct inpcb *inp, struct sockaddr_in6 *sin6, struct ucred *cred, - bool rehash __unused) + bool sas_required) { struct inpcbinfo *pcbinfo = inp->inp_pcbinfo; struct sockaddr_in6 laddr6; @@ -432,7 +444,8 @@ in6_pcbconnect(struct inpcb *inp, struct sockaddr_in6 *sin6, struct ucred *cred, * Call inner routine, to assign local interface address. * in6_pcbladdr() may automatically fill in sin6_scope_id. */ - if ((error = in6_pcbladdr(inp, sin6, &laddr6.sin6_addr)) != 0) + if ((error = in6_pcbladdr(inp, sin6, &laddr6.sin6_addr, + sas_required)) != 0) return (error); if (in6_pcblookup_hash_locked(pcbinfo, &sin6->sin6_addr,