Date: Thu, 14 Sep 2023 10:34:10 GMT
Message-Id: <202309141034.38EAYAtS043617@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: 027418a4d8bd - stable/13 - blackhole(4): disable for locally originated TCP/UDP packets
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@freebsd.org
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 027418a4d8bdf58b606fab7505bcb841cc3a6d7c
Auto-Submitted: auto-generated

The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=027418a4d8bdf58b606fab7505bcb841cc3a6d7c

commit 027418a4d8bdf58b606fab7505bcb841cc3a6d7c
Author:     Gleb Smirnoff
AuthorDate: 2021-10-28 15:11:45 +0000
Commit:     Ed Maste
CommitDate: 2023-09-14 09:54:04 +0000

    blackhole(4): disable for locally originated TCP/UDP packets

    In most cases blackholing for locally originated packets is undesired and
    leads to different kinds of lags and delays. Provide sysctls to enforce
    it, e.g. for debugging purposes.

    Reviewed by:            rrs
    Differential revision:  https://reviews.freebsd.org/D32718

    (cherry picked from commit 3ea9a7cf7b09a355cde3a76824809402b99d0892)
    (cherry picked from commit ad3ad06477d013371b95af673a9776c62f49a97f)
---
 share/man/man4/blackhole.4 | 12 +++++++++++-
 sys/netinet/tcp_input.c    | 19 +++++++++++++++++--
 sys/netinet/udp_usrreq.c   |  7 ++++++-
 sys/netinet/udp_var.h      |  2 ++
 sys/netinet6/udp6_usrreq.c |  3 ++-
 5 files changed, 38 insertions(+), 5 deletions(-)

diff --git a/share/man/man4/blackhole.4 b/share/man/man4/blackhole.4 index f7256146eaef..00c8e3d7a2b6 100644 --- a/share/man/man4/blackhole.4 +++ b/share/man/man4/blackhole.4
@@ -10,7 +10,7 @@ .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" -.Dd September 6, 2015 +.Dd November 3, 2021 .Dt BLACKHOLE 4 .Os .Sh NAME @@ -22,7 +22,9 @@ attempts .Sh SYNOPSIS .Cd sysctl net.inet.sctp.blackhole Ns Op = Ns Brq "0 | 1 | 2" .Cd sysctl net.inet.tcp.blackhole Ns Op = Ns Brq "0 | 1 | 2" +.Cd sysctl net.inet.tcp.blackhole_local Ns Op = Ns Brq "0 | 1" .Cd sysctl net.inet.udp.blackhole Ns Op = Ns Brq "0 | 1" +.Cd sysctl net.inet.udp.blackhole_local Ns Op = Ns Brq "0 | 1" .Sh DESCRIPTION The .Nm @@ -33,6 +35,14 @@ are received on SCTP, TCP, or UDP ports where there is no socket listening. The blackhole behaviour is useful to slow down an attacker who is port-scanning a system in an attempt to detect vulnerable services. It might also slow down an attempted denial of service attack. +.Pp +The blackhole behaviour is disabled by default. +If enabled, the locally originated packets would still be responded to, +unless also +.Va net.inet.tcp.blackhole_local +(for TCP) and/or +.Va net.inet.udp.blackhole_local +(for UDP) are enforced. .Ss SCTP Setting the SCTP blackhole MIB to a numeric value of one will prevent sending an ABORT packet in response to an incoming INIT. diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index b57c4e667371..d3145881ecf9 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c 
@@ -142,6 +142,12 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, blackhole, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(blackhole), 0, "Do not send RST on segments to closed ports"); +VNET_DEFINE(bool, blackhole_local) = false; +#define V_blackhole_local VNET(blackhole_local) +SYSCTL_BOOL(_net_inet_tcp, OID_AUTO, blackhole_local, CTLFLAG_VNET | + CTLFLAG_RW, &VNET_NAME(blackhole_local), false, + "Enforce net.inet.tcp.blackhole for locally originated packets"); + VNET_DEFINE(int, tcp_delack_enabled) = 1; SYSCTL_INT(_net_inet_tcp, OID_AUTO, delayed_ack, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(tcp_delack_enabled), 0, @@ -949,8 +955,17 @@ findpcb: * When blackholing do not respond with a RST but * completely ignore the segment and drop it. */ - if ((V_blackhole == 1 && (thflags & TH_SYN)) || - V_blackhole == 2) + if (((V_blackhole == 1 && (thflags & TH_SYN)) || + V_blackhole == 2) && (V_blackhole_local || ( +#ifdef INET6 + isipv6 ? !in6_localaddr(&ip6->ip6_src) : +#endif +#ifdef INET + !in_localip(ip->ip_src) +#else + true +#endif + ))) goto dropunlock; rstreason = BANDLIM_RST_CLOSEDPORT; diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index 9ec671f9fbdd..a476b0d8251a 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -125,6 +125,10 @@ VNET_DEFINE(int, udp_blackhole) = 0; SYSCTL_INT(_net_inet_udp, OID_AUTO, blackhole, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(udp_blackhole), 0, "Do not send port unreachables for refused connects"); +VNET_DEFINE(bool, udp_blackhole_local) = false; +SYSCTL_BOOL(_net_inet_udp, OID_AUTO, blackhole_local, CTLFLAG_VNET | + CTLFLAG_RW, &VNET_NAME(udp_blackhole_local), false, + "Enforce net.inet.udp.blackhole for locally originated packets"); u_long udp_sendspace = 9216; /* really max datagram size */ SYSCTL_ULONG(_net_inet_udp, UDPCTL_MAXDGRAM, maxdgram, CTLFLAG_RW, 
@@ -708,7 +712,8 @@ udp_input(struct mbuf **mp, int *offp, int proto) UDPSTAT_INC(udps_noportbcast); goto badunlocked; } - if (V_udp_blackhole) + if (V_udp_blackhole && (V_udp_blackhole_local || + !in_localip(ip->ip_src))) goto badunlocked; if (badport_bandlim(BANDLIM_ICMP_UNREACH) < 0) goto badunlocked; diff --git a/sys/netinet/udp_var.h b/sys/netinet/udp_var.h index 39f39c3d77ee..99388acbc3b7 100644 --- a/sys/netinet/udp_var.h +++ b/sys/netinet/udp_var.h @@ -148,9 +148,11 @@ extern u_long udp_sendspace; extern u_long udp_recvspace; VNET_DECLARE(int, udp_cksum); VNET_DECLARE(int, udp_blackhole); +VNET_DECLARE(bool, udp_blackhole_local); VNET_DECLARE(int, udp_log_in_vain); #define V_udp_cksum VNET(udp_cksum) #define V_udp_blackhole VNET(udp_blackhole) +#define V_udp_blackhole_local VNET(udp_blackhole_local) #define V_udp_log_in_vain VNET(udp_log_in_vain) VNET_DECLARE(int, zero_checksum_port); diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c index 4c5651f10a58..726c79c97de6 100644 --- a/sys/netinet6/udp6_usrreq.c +++ b/sys/netinet6/udp6_usrreq.c @@ -509,7 +509,8 @@ skip_checksum: UDPSTAT_INC(udps_noportmcast); goto badunlocked; } - if (V_udp_blackhole) + if (V_udp_blackhole && (V_udp_blackhole_local || + !in6_localaddr(&ip6->ip6_src))) goto badunlocked; icmp6_error(m, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOPORT, 0); *mp = NULL;
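Review bot: the new DESCRIPTION paragraph in the blackhole.4 hunk at @@ -33,6 +35,14 @@ reads awkwardly ("the locally originated packets would still be responded to", "are enforced" for a 0/1 sysctl) and leaves its key term undefined. Suggest: "If enabled, locally originated packets are still answered unless .Va net.inet.tcp.blackhole_local (for TCP) or .Va net.inet.udp.blackhole_local (for UDP) is also set." Because the kernel side decides purely on the packet's IP source address, say so here ("a packet whose source address is local to this host"), and state that both new sysctls default to 0; the SYNOPSIS only lists accepted values, so nothing in the page tells a reader the default. It is also worth one sentence in the same paragraph that, with blackhole_local left at 0, a scan originating from the host's own addresses still receives RSTs and port unreachables even though net.inet.tcp.blackhole/net.inet.udp.blackhole are on, since that is precisely the case the DESCRIPTION's port-scanning rationale would otherwise lead an administrator to assume is covered.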
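Review bot: the condition in the tcp_input.c hunk at @@ -949,8 +955,17 @@ embeds an `#ifdef INET6` / `#ifdef INET` ladder, with a bare `true` fallback, inside the `if` expression itself, which is hard to read and easy to break the next time someone edits the blackhole test. Suggest computing the source-locality once in a preceding `#ifdef` block into a local `bool src_local`, and then writing the test as a single readable expression, e.g. `if (((V_blackhole == 1 && (thflags & TH_SYN)) || V_blackhole == 2) && (V_blackhole_local || !src_local)) goto dropunlock;`. Better still, put that locality test in one static inline helper and call it from udp_input() and udp6_input() as well, since their hunks repeat the same expression; a single definition of "locally originated" keeps TCP and UDP in agreement. The `true` fallback for a kernel with neither INET nor INET6 is correct but deserves a one-line comment saying why every packet is then treated as remote.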
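Review bot: the udp6_input() hunk in udp6_usrreq.c (and the IPv6 arm of the tcp_input.c hunk) uses in6_localaddr() where the IPv4 paths use in_localip(); please confirm these are meant to be the same test. in_localip() is true only for addresses this host owns, whereas in6_localaddr() in sys/netinet6/in6.c also returns true for link-local sources and for any address inside a prefix configured on a local interface, i.e. for on-link neighbours. If that is still its behaviour in this tree, then with blackhole=1 and blackhole_local=0 an on-link IPv6 host keeps receiving ICMPv6 port unreachables and TCP RSTs while an IPv4 neighbour is blackholed, so the scan-slowing property the man page advertises would silently not hold on the local IPv6 link. If only the host's own addresses are meant to be exempt, the own-address helper in6_localip() from in6.c is the matching counterpart, and whichever helper is chosen should be used at all three call sites.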