From: "Bjoern A. Zeeb"
Date: Sat, 11 Jan 2020 01:56:57 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject: svn commit: r356625 - in stable/12: sys/netinet6 usr.bin/netstat usr.bin/systat

Author: bz
Date: Sat Jan 11 01:56:57 2020
New Revision: 356625
URL: https://svnweb.freebsd.org/changeset/base/356625

Log:
  MFC 346398 (by thj):

  Add stat counter for ipv6 atomic fragments

  Add a stat counter to track ipv6 atomic fragments. Atomic fragments can be
  generated in response to invalid path MTU values, but are also a potential
  attack vector and considered harmful (see RFC6946 and RFC8021).

  While here add tracking of the atomic fragment counter to netstat and systat.

  This should fix failing CI tests merged from head as

  Reported by: lwhsu

Modified:
  stable/12/sys/netinet6/frag6.c
  stable/12/sys/netinet6/ip6_var.h
  stable/12/usr.bin/netstat/inet6.c
  stable/12/usr.bin/systat/ip6.c
Directory Properties:
  stable/12/ (props changed)

Modified: stable/12/sys/netinet6/frag6.c
==============================================================================
--- stable/12/sys/netinet6/frag6.c Sat Jan 11 01:44:55 2020 (r356624)
+++ stable/12/sys/netinet6/frag6.c Sat Jan 11 01:56:57 2020 (r356625)
@@ -441,8 +441,7 @@ frag6_input(struct mbuf **mp, int *offp, int proto) * See RFC 6946 and section 4.5 of RFC 8200. */ if ((ip6f->ip6f_offlg & ~IP6F_RESERVED_MASK) == 0) { - /* XXX-BZ we want dedicated counters for this. */ - IP6STAT_INC(ip6s_reassembled); + IP6STAT_INC(ip6s_atomicfrags); nxt = ip6f->ip6f_nxt; /* * Set nxt(-hdr field value) to the original value. Modified: stable/12/sys/netinet6/ip6_var.h ============================================================================== --- stable/12/sys/netinet6/ip6_var.h Sat Jan 11 01:44:55 2020 (r356624) +++ stable/12/sys/netinet6/ip6_var.h Sat Jan 11 01:56:57 2020 (r356625) @@ -195,6 +195,7 @@ struct ip6stat { uint64_t ip6s_localout; /* total ip packets generated here */ uint64_t ip6s_odropped; /* lost packets due to nobufs, etc. */ uint64_t ip6s_reassembled; /* total packets reassembled ok */ + uint64_t ip6s_atomicfrags; /* atomic fragments */ uint64_t ip6s_fragmented; /* datagrams successfully fragmented */ uint64_t ip6s_ofragments; /* output fragments created */ uint64_t ip6s_cantfrag; /* don't fragment flag was set, etc. */ Modified: stable/12/usr.bin/netstat/inet6.c ============================================================================== --- stable/12/usr.bin/netstat/inet6.c Sat Jan 11 01:44:55 2020 (r356624) +++ stable/12/usr.bin/netstat/inet6.c Sat Jan 11 01:56:57 2020 (r356625) 
@@ -391,6 +391,8 @@ ip6_stats(u_long off, const char *name, int af1 __unus "{N:/fragment%s dropped after timeout}\n"); p(ip6s_fragoverflow, "\t{:dropped-fragments-overflow/%ju} " "{N:/fragment%s that exceeded limit}\n"); + p(ip6s_atomicfrags, "\t{:atomic-fragments/%ju} " + "{N:/atomic fragment%s}\n"); p(ip6s_reassembled, "\t{:reassembled-packets/%ju} " "{N:/packet%s reassembled ok}\n"); p(ip6s_delivered, "\t{:received-local-packets/%ju} " Modified: stable/12/usr.bin/systat/ip6.c ============================================================================== --- stable/12/usr.bin/systat/ip6.c Sat Jan 11 01:44:55 2020 (r356624) +++ stable/12/usr.bin/systat/ip6.c Sat Jan 11 01:56:57 2020 (r356625) 
@@ -121,16 +121,16 @@ labelip6(void) L(6, "- fragments dropped"); R(6, "destinations unreachable"); L(7, "- fragments timed out"); R(7, "packets output via raw IP"); L(8, "- fragments overflown"); - L(9, "- packets reassembled ok"); R(9, "Input next-header histogram"); - L(10, "packets forwarded"); R(10, " - destination options"); - L(11, "- unreachable dests"); R(11, " - hop-by-hop options"); - L(12, "- redirects generated"); R(12, " - IPv4"); - L(13, "option errors"); R(13, " - TCP"); - L(14, "unwanted multicasts"); R(14, " - UDP"); - L(15, "delivered to upper layer"); R(15, " - IPv6"); - L(16, "bad scope packets"); R(16, " - routing header"); - L(17, "address selection failed"); R(17, " - fragmentation header"); - R(18, " - ICMP6"); + L(9, "- atomic fragments"); R(9, "Input next-header histogram"); + L(10, "- packets reassembled ok"); R(10, " - destination options"); + L(11, "packets forwarded"); R(11, " - hop-by-hop options"); + L(12, "- unreachable dests"); R(12, " - IPv4"); + L(13, "- redirects generated"); R(13, " - TCP"); + L(14, "option errors"); R(14, " - UDP"); + L(15, "unwanted multicasts"); R(15, " - IPv6"); + L(16, "delivered to upper layer"); R(16, " - routing header"); + L(17, "bad scope packets"); R(17, " - fragmentation header"); + L(18, "address selection failed");R(18, " - ICMP6"); R(19, " - none"); #undef L #undef R @@ -165,6 +165,7 @@ domode(struct ip6stat *ret) DO(ip6s_fragdropped); DO(ip6s_fragtimeout); DO(ip6s_fragoverflow); + DO(ip6s_atomicfrags); DO(ip6s_forward); DO(ip6s_cantforward); DO(ip6s_redirectsent); 
@@ -214,22 +215,23 @@ showip6(void) DO(ip6s_fragtimeout, 7, 0); DO(ip6s_rawout, 7, 35); DO(ip6s_fragoverflow, 8, 0); - DO(ip6s_reassembled, 9, 0); - DO(ip6s_forward, 10, 0); + DO(ip6s_atomicfrags, 9, 0); + DO(ip6s_reassembled, 10, 0); + DO(ip6s_forward, 11, 0); DO(ip6s_nxthist[IPPROTO_DSTOPTS], 10, 35); - DO(ip6s_cantforward, 11, 0); + DO(ip6s_cantforward, 12, 0); DO(ip6s_nxthist[IPPROTO_HOPOPTS], 11, 35); - DO(ip6s_redirectsent, 12, 0); + DO(ip6s_redirectsent, 13, 0); DO(ip6s_nxthist[IPPROTO_IPV4], 12, 35); - DO(ip6s_badoptions, 13, 0); + DO(ip6s_badoptions, 14, 0); DO(ip6s_nxthist[IPPROTO_TCP], 13, 35); - DO(ip6s_notmember, 14, 0); + DO(ip6s_notmember, 15, 0); DO(ip6s_nxthist[IPPROTO_UDP], 14, 35); - DO(ip6s_delivered, 15, 0); + DO(ip6s_delivered, 16, 0); DO(ip6s_nxthist[IPPROTO_IPV6], 15, 35); - DO(ip6s_badscope, 16, 0); + DO(ip6s_badscope, 17, 0); DO(ip6s_nxthist[IPPROTO_ROUTING], 16, 35); - DO(ip6s_sources_none, 17, 0); + DO(ip6s_sources_none, 18, 0); DO(ip6s_nxthist[IPPROTO_FRAGMENT], 17, 35); DO(ip6s_nxthist[IPPROTO_ICMPV6], 18, 35); DO(ip6s_nxthist[IPPROTO_NONE], 19, 35);
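
Review bot: in the frag6_input() hunk of frag6.c, the atomic-fragment branch no longer increments ip6s_reassembled, so the "packets reassembled ok" figure changes meaning across this revision and anyone trending it will see a drop that is not a real change in traffic. The log should say that atomic fragments were previously counted as reassembled packets. With the XXX-BZ comment removed, a one-line comment at the IP6STAT_INC(ip6s_atomicfrags) call stating that atomic fragments are deliberately excluded from ip6s_reassembled would keep the intent visible.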
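
Review bot: in the ip6_var.h hunk, ip6s_atomicfrags is inserted between ip6s_reassembled and ip6s_fragmented, which shifts every later member of struct ip6stat by one uint64_t. On a stable branch a netstat or systat binary built against the old header will then read ip6s_fragmented and everything after it one slot off. Consider appending the new member at the end of the struct, or state in the log that kernel and userland have to be updated together.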
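
Review bot: style point in the labelip6() hunk of systat/ip6.c: the new row 18 line reads `L(18, "address selection failed");R(18, " - ICMP6");` with no whitespace between the two macro calls, unlike every other row in the block. Separate the L() and R() calls the same way as rows 9 to 17 so the table stays aligned in the source. The left column now also extends to row 18, so it is worth confirming the display still fits where the left column previously ended at row 17.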