Date: Fri, 26 Jan 2024 14:32:39 -0500 From: Karim Fodil-Lemelin <kfodil-lemelin@xiplink.com> To: Mikhail Holt <mikhail.k.holt@gmail.com>, freebsd-ipfw@FreeBSD.org, FreeBSD Net <freebsd-net@freebsd.org> Cc: Kristof Provost <kp@FreeBSD.org>, imp@freebsd.org Subject: Re: tag/untag Message-ID: <427708c9-7d62-443a-ad0f-4848bf8aff8f@xiplink.com> In-Reply-To: <7915c1d1-99a3-4459-85ac-9451bec06c24@xiplink.com> References: <7915c1d1-99a3-4459-85ac-9451bec06c24@xiplink.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--------------UN2Nz2O9jdpjqwIdAJgUl4uu
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Hi Mikhail,
This is a very old bug in FreeBSD/ipfw O_PROBE_STATE and the good news
is I have a fix for it. The fix is very easy and I will try to explain
here what the bug is and what the fix is. The issue is only related to
rules that have the F_NOT bit set and that are the beginning of the
actions list of a keep-state rule. I'm also CCing some other folks that
have authority in moving this forward so it hopefully gets into main
eventually.
If you are like me, this is a perfect read for a Friday afternoon ;)
So here is how it goes:
When you create a keep-state rule, the userland part of ipfw will insert
a O_PROBE_STATE action at the very beginning of the rule so when a
packet hits the rule the kernel will PROBE the list of installed dynamic
rules for a match before installing such a rule (we don't want to create
more than one dynamic rule per parent rule). The code responsible for
this looks like this in ipfw2.c:
/*
* generate O_PROBE_STATE if necessary
*/
if (have_state && have_state->opcode != O_CHECK_STATE &&
!have_rstate) {
fill_cmd(dst, O_PROBE_STATE, 0, have_state->arg1);
dst = next_cmd(dst, &rblen);
}
Now ipfw userland also does something else when building the list of
actions for a rule, it records the actions offset in the rule and put
those actions together in a predetermined way, here is the section of
ipfw2.c that does something like this:
/*
* start action section
*/
rule->act_ofs = dst - rule->cmd;
/* put back O_LOG, O_ALTQ, O_TAG if necessary */
log --> if (have_log) {
i = F_LEN(have_log);
CHECK_RBUFLEN(i);
bcopy(have_log, dst, i * sizeof(uint32_t));
dst += i;
}
if (have_altq) {
i = F_LEN(have_altq);
CHECK_RBUFLEN(i);
bcopy(have_altq, dst, i * sizeof(uint32_t));
dst += i;
}
tag --> if (have_tag) {
i = F_LEN(have_tag);
CHECK_RBUFLEN(i);
bcopy(have_tag, dst, i * sizeof(uint32_t));
dst += i;
}
Nothing wrong with all this and if you are still with me (kudos to you)
please take a moment to notice the 'log' action is _before_ the 'tag'
action. This will be important later to understand why some rules in
your example works and why some don't, although you may already have a
clue...
Now let's transport ourselves into the kernel code, precisely in
sys/netpfil/ipfw/ip_fw2.c around line 2865. Here we are inside the
O_PROBE_STATE case and notice how after we find a dynamic entry how the
kernel will 'reset' the cmd pointer to the action part of the parent
rule by doing something like this:
/*
* Found dynamic entry, jump to the
* 'action' part of the parent rule
* by setting f, cmd, l and
clearing
* cmdlen.
*/
f = q;
f_pos = dyn_info.f_pos;
cmd pointer is reset --> cmd = ACTION_PTR(f);
l = f->cmd_len - f->act_ofs;
cmdlen = 0;
match = 1;
break;
}
At this precise moment (pointed by the -->), if we refer to your example
below, we would be hitting the dynamic rule entry and have cmd pointer
reset to the ACTION part of the 'untag 10' action you have entered. We
then set a few things and break from the switch statement. Now this gets
us at the end of the switch statement where FreeBSD does something like
this (around line 3337):
/*
* if we get here with l=0, then match is
irrelevant.
*/
cmd is 'untag' --> if (cmd->len & F_NOT)
match = !match;
if (match) {
if (cmd->len & F_OR)
skip_or = 1;
} else {
if (!(cmd->len & F_OR)) /* not an OR
block, */
exits too early --> break; /* try next
rule */
}
} /* end of inner loop, scan opcodes */
If you look at the check for F_NOT bit (which is cleverly folded in the
len part of the cmd) you realize that check is actually made against the
'untag' action and since untag is actually NOT tag it will match and
change match into !match. The code will not try to go through the actual
action and it will exit the loop too early.
Essentially, by resetting the cmd action pointer we should give a chance
for O_TAG (F_NOT) to be called and not simply turn match into a no
match. The fix for this is very simple and goes like this:
diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c
index d2b01fd..57c02dc 100644
--- a/sys/netpfil/ipfw/ip_fw2.c
+++ b/sys/netpfil/ipfw/ip_fw2.c
@@ -2887,7 +2887,8 @@ do { \
l = f->cmd_len - f->act_ofs;
cmdlen = 0;
match = 1;
- break;
+ continue;
+ break; /* not reached */
}
/*
* Dynamic entry not found. If CHECK_STATE,
Now why did it work for you when you used log? Well I'm sure you
remember that, because O_LOG is inserted _before_ O_TAG and that O_LOG
doesn't have the F_NOT bit set then match is still 1 at the end of the
loop and the actual cmd (LOG in this case) will have a chance to execute.
Finally, if your still reading, I think this bug has been in ipfw for a
very long time, great catch buddy!
Best,
Karim.
PS: If you feel like compiling a kernel with my fix and testing it I'm
sure the community would appreciate your feedback.
On 2023-11-08 2:26 a.m., Mikhail Holt wrote:
> Hello List,
>
> On a recent Stable 13 test host I, by accident, found that:
>
> /sbin/ipfw -q add 0031 allow tcp from 192.168.64.0/24 to
> me dst-port ssh in via igb3 setup keep-state WORKS
>
> /sbin/ipfw -q add 0031 allow log tcp from 192.168.64.0/24 to
> me dst-port ssh in via igb3 setup keep-state WORKS
>
> /sbin/ipfw -q add 0031 allow log tag 10 tcp from 192.168.64.0/24 to
> me dst-port ssh in via igb3 setup keep-state WORKS
>
> /sbin/ipfw -q add 0031 allow log untag 10 tcp from 192.168.64.0/24 to
> me dst-port ssh in via igb3 setup keep-state WORKS
>
> /sbin/ipfw -q add 0031 allow untag 10 tcp from 192.168.64.0/24 to
> me dst-port ssh in via igb3 setup keep-state DOES NOT WORK?
> - A dynamic rule is created as per the rules that work.
> - Packets are logged by a deny all rule which of course is never
> reached by the rules that work.
>
> Not a real issue for me but thought it worth noting.
>
> Mik.
--------------UN2Nz2O9jdpjqwIdAJgUl4uu
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit
<!DOCTYPE html><html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
Hi Mikhail,
<div class="moz-forward-container">
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">This is a very old bug in
FreeBSD/ipfw O_PROBE_STATE and the good news is I have a fix for
it. The fix is very easy and I will try to explain here what the
bug is and what the fix is. The issue is only related to rules
that have the F_NOT bit set and that are the beginning of the
actions list of a keep-state rule. I'm also CCing some other
folks that have authority in moving this forward so it hopefully
gets into main eventually.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">If you are like me, this is a perfect
read for a Friday afternoon ;)</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">So here is how it goes:</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">When you create a keep-state rule,
the userland part of ipfw will insert a O_PROBE_STATE action at
the very beginning of the rule so when a packet hits the rule
the kernel will PROBE the list of installed dynamic rules for a
match before installing such a rule (we don't want to create
more than one dynamic rule per parent rule). The code
responsible for this looks like this in ipfw2.c:</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><font face="monospace"> /*<br>
* generate O_PROBE_STATE if necessary<br>
*/<br>
if (have_state && have_state->opcode !=
O_CHECK_STATE && !have_rstate) {<br>
fill_cmd(dst, O_PROBE_STATE, 0,
have_state->arg1);<br>
dst = next_cmd(dst, &rblen);<br>
} </font><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Now ipfw userland also does something
else when building the list of actions for a rule, it records
the actions offset in the rule and put those actions together in
a predetermined way, here is the section of ipfw2.c that does
something like this:</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><font face="monospace"> /*<br>
* start action section<br>
*/<br>
rule->act_ofs = dst - rule->cmd;<br>
<br>
/* put back O_LOG, O_ALTQ, O_TAG if necessary */<br>
log --> if (have_log) {<br>
i = F_LEN(have_log);<br>
CHECK_RBUFLEN(i);<br>
bcopy(have_log, dst, i * sizeof(uint32_t));<br>
dst += i;<br>
}<br>
if (have_altq) {<br>
i = F_LEN(have_altq);<br>
CHECK_RBUFLEN(i);<br>
bcopy(have_altq, dst, i * sizeof(uint32_t));<br>
dst += i;<br>
}<br>
tag --> if (have_tag) {<br>
i = F_LEN(have_tag);<br>
CHECK_RBUFLEN(i); <br>
bcopy(have_tag, dst, i * sizeof(uint32_t));<br>
dst += i; <br>
}<br>
</font><br>
</div>
<div class="moz-cite-prefix">Nothing wrong with all this and if
you are still with me (kudos to you) please take a moment to
notice the 'log' action is _before_ the 'tag' action. This will
be important later to understand why some rules in your example
works and why some don't, although you may already have a
clue...</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Now let's transport ourselves into
the kernel code, precisely in sys/netpfil/ipfw/ip_fw2.c around
line 2865. Here we are inside the O_PROBE_STATE case and notice
how after we find a dynamic entry how the kernel will 'reset'
the cmd pointer to the action part of the parent rule by doing
something like this:</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><font face="monospace">
/*<br>
* Found dynamic
entry, jump to the<br>
* 'action' part of
the parent rule<br>
* by setting f, cmd,
l and clearing<br>
* cmdlen.<br>
*/<br>
f = q;<br>
f_pos =
dyn_info.f_pos;<br>
cmd pointer is reset --> cmd =
ACTION_PTR(f);<br>
l = f->cmd_len -
f->act_ofs;<br>
cmdlen = 0;<br>
match = 1;<br>
break;<br>
}<br>
</font><br>
</div>
<div class="moz-cite-prefix">At this precise moment (pointed by
the -->), if we refer to your example below, we would be
hitting the dynamic rule entry and have cmd pointer reset to the
ACTION part of the 'untag 10' action you have entered. We then
set a few things and break from the switch statement. Now this
gets us at the end of the switch statement where FreeBSD does
something like this (around line 3337):</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><font face="monospace">
/*<br>
* if we get here with l=0, then match
is irrelevant.<br>
*/<br>
<br>
cmd is 'untag' --> if (cmd->len & F_NOT)<br>
match = !match;<br>
<br>
if (match) {<br>
if (cmd->len & F_OR)<br>
skip_or = 1;<br>
} else {<br>
if (!(cmd->len & F_OR))
/* not an OR block, */<br>
exits too early --> break; /*
try next rule */<br>
}<br>
<br>
} /* end of inner loop, scan opcodes */<br>
</font><br>
</div>
<div class="moz-cite-prefix">If you look at the check for F_NOT
bit (which is cleverly folded in the len part of the cmd) you
realize that check is actually made against the 'untag' action
and since untag is actually NOT tag it will match and change
match into !match. The code will not try to go through the
actual action and it will exit the loop too early.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Essentially, by resetting the cmd
action pointer we should give a chance for O_TAG (F_NOT) to be
called and not simply turn match into a no match. The fix for
this is very simple and goes like this:</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><font face="monospace">diff --git
a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c<br>
index d2b01fd..57c02dc 100644<br>
--- a/sys/netpfil/ipfw/ip_fw2.c<br>
+++ b/sys/netpfil/ipfw/ip_fw2.c<br>
@@ -2887,7 +2887,8 @@ do
{
\<br>
l = f->cmd_len -
f->act_ofs;<br>
cmdlen = 0;<br>
match = 1;<br>
- break;<br>
+ continue;<br>
+ break; /* not reached */<br>
}<br>
/*<br>
* Dynamic entry not found. If
CHECK_STATE,<br>
<br>
</font></div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Now why did it work for you when you
used log? Well I'm sure you remember that, because O_LOG is
inserted _before_ O_TAG and that O_LOG doesn't have the F_NOT
bit set then match is still 1 at the end of the loop and the
actual cmd (LOG in this case) will have a chance to execute.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Finally, if your still reading, I
think this bug has been in ipfw for a very long time, great
catch buddy!<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Best,</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Karim.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">PS: If you feel like compiling a
kernel with my fix and testing it I'm sure the community would
appreciate your feedback.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 2023-11-08 2:26 a.m., Mikhail Holt
wrote:<br>
</div>
<blockquote type="cite" cite="mid:654B381A.10705@gmail.com"> <font face="Courier">Hello List,<br>
<br>
On a recent Stable 13 test host I, by accident, found that:<br>
<br>
/sbin/ipfw -q add 0031 allow tcp from
192.168.64.0/24 to me dst-port ssh in via igb3 setup
keep-state WORKS<br>
<br>
/sbin/ipfw -q add 0031 allow log tcp from
192.168.64.0/24 to me dst-port ssh in via igb3 setup
keep-state WORKS<br>
<br>
/sbin/ipfw -q add 0031 allow log tag 10 tcp from
192.168.64.0/24 to me dst-port ssh in via igb3 setup
keep-state WORKS<br>
<br>
/sbin/ipfw -q add 0031 allow log untag 10 tcp from
192.168.64.0/24 to me dst-port ssh in via igb3 setup
keep-state WORKS<br>
<br>
/sbin/ipfw -q add 0031 allow untag 10 tcp from
192.168.64.0/24 to me dst-port ssh in via igb3 setup
keep-state DOES NOT WORK?<br>
- A dynamic rule is created as per the rules that work.<br>
- Packets are logged by a deny all rule which of course is
never reached by the rules that work.<br>
<br>
Not a real issue for me but thought it worth noting.<br>
<br>
Mik.</font><br>
</blockquote>
<br>
</div>
</body>
</html>
--------------UN2Nz2O9jdpjqwIdAJgUl4uu--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?427708c9-7d62-443a-ad0f-4848bf8aff8f>