Message-Id: <201904191706.x3JH6hGF019614@repo.freebsd.org>
From: Tom Jones
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r346398 - in head: sys/netinet6 usr.bin/netstat usr.bin/systat
Date: Tue, 03 Sep 2019 14:08:02 -0000
X-Original-Date: Fri, 19 Apr 2019 17:06:43 +0000 (UTC)
X-SVN-Commit-Author: thj
X-SVN-Commit-Paths: in head: sys/netinet6 usr.bin/netstat usr.bin/systat
X-SVN-Commit-Revision: 346398
X-SVN-Commit-Repository: base

Author: thj
Date: Fri Apr 19 17:06:43 2019
New Revision: 346398
URL: https://svnweb.freebsd.org/changeset/base/346398

Log:
  Add stat counter for ipv6 atomic fragments

  Add a stat counter to track ipv6 atomic fragments. Atomic fragments
  can be generated in response to invalid path MTU values, but are also
  a potential attack vector and considered harmful (see RFC6946 and
  RFC8021).

  While here add tracking of the atomic fragment counter to netstat and
  systat.
Reviewed by: tuexen, jtl, bz Approved by: jtl (mentor), bz (mentor) Event: Aberdeen hackathon 2019 Differential Revision: https://reviews.freebsd.org/D17511 Modified: head/sys/netinet6/frag6.c head/sys/netinet6/ip6_var.h head/usr.bin/netstat/inet6.c head/usr.bin/systat/ip6.c Modified: head/sys/netinet6/frag6.c ============================================================================== --- head/sys/netinet6/frag6.c Fri Apr 19 15:54:32 2019 (r346397) +++ head/sys/netinet6/frag6.c Fri Apr 19 17:06:43 2019 (r346398) @@ -277,12 +277,12 @@ frag6_input(struct mbuf **mp, int *offp, int proto) offset += sizeof(struct ip6_frag); /* - * RFC 6946: Handle "atomic" fragments (offset and m bit set to 0) - * upfront, unrelated to any reassembly. Just skip the fragment header. + * Handle "atomic" fragments (offset and m bit set to 0) upfront, + * unrelated to any reassembly (see RFC 6946 and section 4.5 of RFC + * 8200). Just skip the fragment header. */ if ((ip6f->ip6f_offlg & ~IP6F_RESERVED_MASK) == 0) { - /* XXX-BZ we want dedicated counters for this. */ - IP6STAT_INC(ip6s_reassembled); + IP6STAT_INC(ip6s_atomicfrags); in6_ifstat_inc(dstifp, ifs6_reass_ok); *offp = offset; m->m_flags |= M_FRAGMENTED; Modified: head/sys/netinet6/ip6_var.h ============================================================================== --- head/sys/netinet6/ip6_var.h Fri Apr 19 15:54:32 2019 (r346397) +++ head/sys/netinet6/ip6_var.h Fri Apr 19 17:06:43 2019 (r346398) 
@@ -208,6 +208,7 @@ struct ip6stat { uint64_t ip6s_localout; /* total ip packets generated here */ uint64_t ip6s_odropped; /* lost packets due to nobufs, etc. */ uint64_t ip6s_reassembled; /* total packets reassembled ok */ + uint64_t ip6s_atomicfrags; /* atomic fragments */ uint64_t ip6s_fragmented; /* datagrams successfully fragmented */ uint64_t ip6s_ofragments; /* output fragments created */ uint64_t ip6s_cantfrag; /* don't fragment flag was set, etc. */ Modified: head/usr.bin/netstat/inet6.c ============================================================================== --- head/usr.bin/netstat/inet6.c Fri Apr 19 15:54:32 2019 (r346397) +++ head/usr.bin/netstat/inet6.c Fri Apr 19 17:06:43 2019 (r346398) @@ -391,6 +391,8 @@ ip6_stats(u_long off, const char *name, int af1 __unus "{N:/fragment%s dropped after timeout}\n"); p(ip6s_fragoverflow, "\t{:dropped-fragments-overflow/%ju} " "{N:/fragment%s that exceeded limit}\n"); + p(ip6s_atomicfrags, "\t{:atomic-fragments/%ju} " + "{N:/atomic fragment%s}\n"); p(ip6s_reassembled, "\t{:reassembled-packets/%ju} " "{N:/packet%s reassembled ok}\n"); p(ip6s_delivered, "\t{:received-local-packets/%ju} " Modified: head/usr.bin/systat/ip6.c ============================================================================== --- head/usr.bin/systat/ip6.c Fri Apr 19 15:54:32 2019 (r346397) +++ head/usr.bin/systat/ip6.c Fri Apr 19 17:06:43 2019 (r346398) 
@@ -121,16 +121,16 @@ labelip6(void) L(6, "- fragments dropped"); R(6, "destinations unreachable"); L(7, "- fragments timed out"); R(7, "packets output via raw IP"); L(8, "- fragments overflown"); - L(9, "- packets reassembled ok"); R(9, "Input next-header histogram"); - L(10, "packets forwarded"); R(10, " - destination options"); - L(11, "- unreachable dests"); R(11, " - hop-by-hop options"); - L(12, "- redirects generated"); R(12, " - IPv4"); - L(13, "option errors"); R(13, " - TCP"); - L(14, "unwanted multicasts"); R(14, " - UDP"); - L(15, "delivered to upper layer"); R(15, " - IPv6"); - L(16, "bad scope packets"); R(16, " - routing header"); - L(17, "address selection failed"); R(17, " - fragmentation header"); - R(18, " - ICMP6"); + L(9, "- atomic fragments"); R(9, "Input next-header histogram"); + L(10, "- packets reassembled ok"); R(10, " - destination options"); + L(11, "packets forwarded"); R(11, " - hop-by-hop options"); + L(12, "- unreachable dests"); R(12, " - IPv4"); + L(13, "- redirects generated"); R(13, " - TCP"); + L(14, "option errors"); R(14, " - UDP"); + L(15, "unwanted multicasts"); R(15, " - IPv6"); + L(16, "delivered to upper layer"); R(16, " - routing header"); + L(17, "bad scope packets"); R(17, " - fragmentation header"); + L(18, "address selection failed");R(18, " - ICMP6"); R(19, " - none"); #undef L #undef R @@ -165,6 +165,7 @@ domode(struct ip6stat *ret) DO(ip6s_fragdropped); DO(ip6s_fragtimeout); DO(ip6s_fragoverflow); + DO(ip6s_atomicfrags); DO(ip6s_forward); DO(ip6s_cantforward); DO(ip6s_redirectsent); 
@@ -214,22 +215,23 @@ showip6(void) DO(ip6s_fragtimeout, 7, 0); DO(ip6s_rawout, 7, 35); DO(ip6s_fragoverflow, 8, 0); - DO(ip6s_reassembled, 9, 0); - DO(ip6s_forward, 10, 0); + DO(ip6s_atomicfrags, 9, 0); + DO(ip6s_reassembled, 10, 0); + DO(ip6s_forward, 11, 0); DO(ip6s_nxthist[IPPROTO_DSTOPTS], 10, 35); - DO(ip6s_cantforward, 11, 0); + DO(ip6s_cantforward, 12, 0); DO(ip6s_nxthist[IPPROTO_HOPOPTS], 11, 35); - DO(ip6s_redirectsent, 12, 0); + DO(ip6s_redirectsent, 13, 0); DO(ip6s_nxthist[IPPROTO_IPV4], 12, 35); - DO(ip6s_badoptions, 13, 0); + DO(ip6s_badoptions, 14, 0); DO(ip6s_nxthist[IPPROTO_TCP], 13, 35); - DO(ip6s_notmember, 14, 0); + DO(ip6s_notmember, 15, 0); DO(ip6s_nxthist[IPPROTO_UDP], 14, 35); - DO(ip6s_delivered, 15, 0); + DO(ip6s_delivered, 16, 0); DO(ip6s_nxthist[IPPROTO_IPV6], 15, 35); - DO(ip6s_badscope, 16, 0); + DO(ip6s_badscope, 17, 0); DO(ip6s_nxthist[IPPROTO_ROUTING], 16, 35); - DO(ip6s_sources_none, 17, 0); + DO(ip6s_sources_none, 18, 0); DO(ip6s_nxthist[IPPROTO_FRAGMENT], 17, 35); DO(ip6s_nxthist[IPPROTO_ICMPV6], 18, 35); DO(ip6s_nxthist[IPPROTO_NONE], 19, 35);
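Review bot: in the frag6.c hunk the atomic-fragment path still calls `in6_ifstat_inc(dstifp, ifs6_reass_ok);` immediately after the new `IP6STAT_INC(ip6s_atomicfrags);`, so the per-interface statistics keep reporting every atomic fragment as a successful reassembly even though the comment just above says the case is "unrelated to any reassembly". Either add a per-interface counter to match the new global one, or put a one-line comment on the in6_ifstat_inc call saying the per-interface accounting is deliberately left as it was, so the mismatch between the global and per-interface numbers does not read as an oversight.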
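Review bot: in the ip6_var.h hunk the new `uint64_t ip6s_atomicfrags;` member is inserted between ip6s_reassembled and ip6s_fragmented rather than appended, which shifts the offset of every later field in struct ip6stat; any consumer that reads the structure by layout has to be rebuilt against the new header. The commit updates netstat and systat in step, which covers the in-tree readers, but the log message should state that the struct layout changed so out-of-tree tools reading the IPv6 statistics know to rebuild. If the mid-struct position is kept so the counter sits next to the reassembly fields it relates to, say so in the log.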
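Review bot: the netstat hunk introduces a new libxo key, `{:atomic-fragments/%ju}`, and nothing in the commit mentions it; since scripts consuming netstat's structured output key on these names, the log message should list the new key. The ordering (after the overflow counter, before "packets reassembled ok") matches the systat label order in the same commit, so that part is consistent.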
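Review bot: style nit on the last added label in labelip6(): `L(18, "address selection failed");R(18, " - ICMP6");` is missing the space after the semicolon that every other L()/R() pair in the hunk has; add the space so the R() column stays aligned with the surrounding lines.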
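The check the frag6.c hunk counts, offset 0 and M flag 0 with the reserved bits masked out, is easy to get wrong when writing detection or test tooling for it. The following is an added example, not code from the commit or from FreeBSD: a stand-alone C parser that walks an IPv6 packet's extension-header chain and classifies its fragment header the same way frag6_input() does, plus a builder for constructed (not captured) sample packets. The NH_* and FRAG_* names, classify_ipv6_fragment, build_packet and classify_case are this example's own; the mask values are the standard RFC 8200 layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IANA next-header numbers (RFC 8200) and the mask for the two reserved bits
 * of the fragment header's 16-bit offset/flags word, in host order. It mirrors
 * FreeBSD's IP6F_RESERVED_MASK (network order in the kernel); names are ours. */
#define NH_HOPOPTS 0
#define NH_UDP 17
#define NH_ROUTING 43
#define NH_FRAGMENT 44
#define NH_DSTOPTS 60
#define FRAG_RESERVED_MASK 0x0006u

enum frag_kind { FRAG_MALFORMED = -1, FRAG_NONE = 0, FRAG_ATOMIC = 1, FRAG_REAL = 2 };

/* Walk the extension-header chain and classify the fragment header, if any.
 * "Atomic" means offset 0 and M = 0; as in frag6_input() the reserved bits are
 * masked out first, so a stray reserved bit cannot hide an atomic fragment. */
int classify_ipv6_fragment(const uint8_t *pkt, size_t len)
{
    size_t off = 40;                              /* fixed IPv6 header */
    uint8_t nh;
    if (len < 40 || (pkt[0] >> 4) != 6)
        return FRAG_MALFORMED;
    nh = pkt[6];
    for (;;) {
        switch (nh) {
        case NH_HOPOPTS: case NH_ROUTING: case NH_DSTOPTS: {
            size_t extlen;
            if (off + 2 > len)
                return FRAG_MALFORMED;
            extlen = ((size_t)pkt[off + 1] + 1) * 8;  /* Hdr Ext Len excludes the first 8 octets */
            if (off + extlen > len)
                return FRAG_MALFORMED;
            nh = pkt[off];
            off += extlen;
            break;
        }
        case NH_FRAGMENT: {
            uint16_t offlg;
            if (off + 8 > len)
                return FRAG_MALFORMED;
            offlg = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
            return (offlg & ~FRAG_RESERVED_MASK) == 0 ? FRAG_ATOMIC : FRAG_REAL;
        }
        default:
            return FRAG_NONE;                     /* upper-layer header reached */
        }
    }
}

/* Constructed packet (not a capture): fixed header, optional Hop-by-Hop header,
 * optional fragment header carrying the given offset/flags word, zeroed UDP
 * header. Addresses and identification stay zero; they do not affect the test. */
size_t build_packet(uint8_t *buf, size_t bufsz, int with_hopopts, int with_frag, uint16_t offlg)
{
    size_t off = 40;
    uint8_t *nh_slot = &buf[6];                   /* where the next header number goes */
    if (bufsz < 64)
        return 0;
    memset(buf, 0, bufsz);
    buf[0] = 0x60;                                /* version 6 */
    if (with_hopopts) {
        *nh_slot = NH_HOPOPTS;
        nh_slot = &buf[off];
        buf[off + 2] = 1; buf[off + 3] = 4;       /* Hdr Ext Len 0; PadN fills the 8 octets */
        off += 8;
    }
    if (with_frag) {
        *nh_slot = NH_FRAGMENT;
        nh_slot = &buf[off];
        buf[off + 2] = (uint8_t)(offlg >> 8);
        buf[off + 3] = (uint8_t)offlg;
        off += 8;
    }
    *nh_slot = NH_UDP;
    off += 8;
    buf[4] = (uint8_t)((off - 40) >> 8);          /* payload length */
    buf[5] = (uint8_t)(off - 40);
    return off;
}

/* Build one case and classify it; truncate_to > 0 hands over only that many bytes. */
int classify_case(int with_hopopts, int with_frag, uint16_t offlg, size_t truncate_to)
{
    uint8_t buf[128];
    size_t n = build_packet(buf, sizeof buf, with_hopopts, with_frag, offlg);
    return classify_ipv6_fragment(buf, truncate_to > 0 && truncate_to < n ? truncate_to : n);
}

int main(void)
{
    static const char *names[] = { "malformed", "none", "atomic", "real" };
    printf("offset 0, M=0:          %s\n", names[classify_case(0, 1, 0x0000, 0) + 1]);
    printf("offset 0, M=0, rsvd=1:  %s\n", names[classify_case(0, 1, 0x0002, 0) + 1]);
    printf("offset 0, M=1:          %s\n", names[classify_case(0, 1, 0x0001, 0) + 1]);
    printf("hop-by-hop, offset 8:   %s\n", names[classify_case(1, 1, 0x0008, 0) + 1]);
    printf("fragment header cut:    %s\n", names[classify_case(0, 1, 0x0000, 44) + 1]);
    return 0;
}
```

The "rsvd=1" case is the one worth noticing: with only `offlg == 0` as the test, a sender could set a reserved bit to keep an atomic fragment out of this counter while the kernel still treats it as atomic; masking with the reserved bits, as the kernel does, closes that gap. Every length check fails closed on truncated input, which matters because a fragment header is exactly where a parser that trusts Hdr Ext Len or Payload Length reads past the buffer.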