Date: Mon, 17 Apr 2017 09:42:05 +0000 (UTC)
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r317045 - in stable/11: sbin/ipfw sys/conf sys/modules sys/modules/ipfw_pmod sys/netpfil/ipfw/pmod
Message-ID: <201704170942.v3H9g5JQ025570@repo.freebsd.org>
Author: ae
Date: Mon Apr 17 09:42:05 2017
New Revision: 317045
URL: https://svnweb.freebsd.org/changeset/base/317045

Log:
  MFC r316435:
  Add ipfw_pmod kernel module.

  The module is designed for modification of packets of any protocols. For now it implements only TCP MSS modification. It adds the external action handler for "tcp-setmss" action. A rule with tcp-setmss action does an additional check for protocol and TCP flags. If SYN flag is present, it parses TCP options and modifies MSS option if its value is greater than configured value in the rule. Then it adjusts TCP checksum if needed. After handling the search continues with the next rule.

  Obtained from: Yandex LLC
  Relnotes: yes
  Sponsored by: Yandex LLC
  Differential Revision: https://reviews.freebsd.org/D10150

Added:
  stable/11/sys/modules/ipfw_pmod/ - copied from r316435, head/sys/modules/ipfw_pmod/
  stable/11/sys/netpfil/ipfw/pmod/ - copied from r316435, head/sys/netpfil/ipfw/pmod/
Modified:
  stable/11/sbin/ipfw/ipfw.8
  stable/11/sbin/ipfw/ipfw2.c
  stable/11/sbin/ipfw/ipfw2.h
  stable/11/sys/conf/NOTES
  stable/11/sys/conf/files
  stable/11/sys/conf/options
  stable/11/sys/modules/Makefile
Directory Properties:
  stable/11/ (props changed)

Modified: stable/11/sbin/ipfw/ipfw.8 ============================================================================== --- stable/11/sbin/ipfw/ipfw.8 Mon Apr 17 09:38:15 2017 (r317044) +++ stable/11/sbin/ipfw/ipfw.8 Mon Apr 17 09:42:05 2017 (r317045) @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 15, 2017 +.Dd April 3, 2017 .Dt IPFW 8 .Os .Sh NAME 
@@ -1118,6 +1118,20 @@ It is also possible to use the keyword with setdscp. If the tablearg value is not within the 0..64 range, lower 6 bits of supplied value are used. +.It Cm tcp-setmss Ar mss +Set the Maximum Segment Size (MSS) in the TCP segment to value +.Ar mss . +The kernel module +.Cm ipfw_pmod +should be loaded or kernel should have +.Cm options IPFIREWALL_PMOD +to be able use this action. +This command does not change a packet if original MSS value is lower than +specified value. +Both TCP over IPv4 and over IPv6 are supported. +Regardless of matched a packet or not by the +.Cm tcp-setmss +rule, the search continues with the next rule. .It Cm reass Queue and reassemble IP fragments. If the packet is not fragmented, counters are updated and Modified: stable/11/sbin/ipfw/ipfw2.c ============================================================================== --- stable/11/sbin/ipfw/ipfw2.c Mon Apr 17 09:38:15 2017 (r317044) +++ stable/11/sbin/ipfw/ipfw2.c Mon Apr 17 09:42:05 2017 (r317045) @@ -36,6 +36,7 @@ #include <pwd.h> #include <stdio.h> #include <stdarg.h> +#include <stdint.h> #include <stdlib.h> #include <string.h> #include <sysexits.h> @@ -238,6 +239,7 @@ static struct _s_x rule_eactions[] = { { "nat64lsn", TOK_NAT64LSN }, { "nat64stl", TOK_NAT64STL }, { "nptv6", TOK_NPTV6 }, + { "tcp-setmss", TOK_TCPSETMSS }, { NULL, 0 } /* terminator */ }; @@ -272,6 +274,7 @@ static struct _s_x rule_actions[] = { { "call", TOK_CALL }, { "return", TOK_RETURN }, { "eaction", TOK_EACTION }, + { "tcp-setmss", TOK_TCPSETMSS }, { NULL, 0 } /* terminator */ }; 
@@ -4007,6 +4010,26 @@ chkarg: fill_cmd(action, O_CALLRETURN, F_NOT, 0); break; + case TOK_TCPSETMSS: { + u_long mss; + uint16_t idx; + + idx = pack_object(tstate, "tcp-setmss", IPFW_TLV_EACTION); + if (idx == 0) + errx(EX_DATAERR, "pack_object failed"); + fill_cmd(action, O_EXTERNAL_ACTION, 0, idx); + NEED1("Missing MSS value"); + action = next_cmd(action, &ablen); + action->len = 1; + CHECK_ACTLEN; + mss = strtoul(*av, NULL, 10); + if (mss == 0 || mss > UINT16_MAX) + errx(EX_USAGE, "invalid MSS value %s", *av); + fill_cmd(action, O_EXTERNAL_DATA, 0, (uint16_t)mss); + av++; + break; + } + default: av--; if (match_token(rule_eactions, *av) == -1) Modified: stable/11/sbin/ipfw/ipfw2.h ============================================================================== --- stable/11/sbin/ipfw/ipfw2.h Mon Apr 17 09:38:15 2017 (r317044) +++ stable/11/sbin/ipfw/ipfw2.h Mon Apr 17 09:42:05 2017 (r317045) @@ -284,6 +284,8 @@ enum tokens { TOK_INTPREFIX, TOK_EXTPREFIX, TOK_PREFIXLEN, + + TOK_TCPSETMSS, }; /* Modified: stable/11/sys/conf/NOTES ============================================================================== --- stable/11/sys/conf/NOTES Mon Apr 17 09:38:15 2017 (r317044) +++ stable/11/sys/conf/NOTES Mon Apr 17 09:42:05 2017 (r317045) @@ -957,6 +957,9 @@ device lagg # # IPFIREWALL_NPTV6 adds support for in kernel NPTv6 in ipfw. # +# IPFIREWALL_PMOD adds support for protocols modification module. Currently +# it supports only TCP MSS modification. +# # IPSTEALTH enables code to support stealth forwarding (i.e., forwarding # packets without touching the TTL). This can be useful to hide firewalls # from traceroute and similar tools. Modified: stable/11/sys/conf/files ============================================================================== --- stable/11/sys/conf/files Mon Apr 17 09:38:15 2017 (r317044) +++ stable/11/sys/conf/files Mon Apr 17 09:42:05 2017 (r317045) 
@@ -4006,6 +4006,8 @@ netpfil/ipfw/nptv6/ip_fw_nptv6.c optiona ipfirewall_nptv6 netpfil/ipfw/nptv6/nptv6.c optional inet inet6 ipfirewall \ ipfirewall_nptv6 +netpfil/ipfw/pmod/ip_fw_pmod.c optional inet ipfirewall_pmod +netpfil/ipfw/pmod/tcpmod.c optional inet ipfirewall_pmod netpfil/pf/if_pflog.c optional pflog pf inet netpfil/pf/if_pfsync.c optional pfsync pf inet netpfil/pf/pf.c optional pf inet Modified: stable/11/sys/conf/options ============================================================================== --- stable/11/sys/conf/options Mon Apr 17 09:38:15 2017 (r317044) +++ stable/11/sys/conf/options Mon Apr 17 09:42:05 2017 (r317045) @@ -424,6 +424,7 @@ IPFIREWALL_NAT64_DIRECT_OUTPUT opt_ipfw. IPFIREWALL_NPTV6 opt_ipfw.h IPFIREWALL_VERBOSE opt_ipfw.h IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h +IPFIREWALL_PMOD opt_ipfw.h IPSEC opt_ipsec.h IPSEC_DEBUG opt_ipsec.h IPSEC_SUPPORT opt_ipsec.h Modified: stable/11/sys/modules/Makefile ============================================================================== --- stable/11/sys/modules/Makefile Mon Apr 17 09:38:15 2017 (r317044) +++ stable/11/sys/modules/Makefile Mon Apr 17 09:42:05 2017 (r317045) @@ -176,6 +176,7 @@ SUBDIR= \ ipfw_nat \ ${_ipfw_nat64} \ ${_ipfw_nptv6} \ + ${_ipfw_pmod} \ ${_ipmi} \ ip6_mroute_mod \ ip_mroute_mod \ @@ -460,6 +461,7 @@ _toecore= toecore _if_enc= if_enc _if_gif= if_gif _if_gre= if_gre +_ipfw_pmod= ipfw_pmod .if ${MK_IPSEC_SUPPORT} != "no" _ipsec= ipsec _tcpmd5= tcp/tcpmd5
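Review bot: in the TOK_TCPSETMSS case of ipfw2.c, `mss = strtoul(*av, NULL, 10);` throws away the end pointer, so a value with trailing junk such as "1460x" is silently accepted as 1460 and only `mss == 0 || mss > UINT16_MAX` is rejected. Pass an end pointer and fail when `*end != '\0'` so that the existing `errx(EX_USAGE, "invalid MSS value %s", *av);` also fires for malformed input; note too that any non-zero value below a sane floor is accepted, which is fine as policy but worth a word in the manual page.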
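Review bot: the NOTES text "IPFIREWALL_PMOD adds support for protocols modification module" should read "adds support for the protocol modification module (ipfw_pmod); currently only TCP MSS modification is supported", to match the style of the surrounding option descriptions.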
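Review bot: both new sys/conf/files entries depend on `inet` only (`netpfil/ipfw/pmod/tcpmod.c optional inet ipfirewall_pmod`) while the manual page states that TCP over IPv6 is also supported; the nptv6 entries just above require `inet inet6`. Either confirm that the IPv6 code in tcpmod.c is guarded by INET6 so an INET-only kernel with IPFIREWALL_PMOD still builds, or add inet6 to the dependency as nptv6 does.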
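The tcp-setmss behaviour the commit log describes (act only on SYN, walk the TCP options, lower the MSS only when it exceeds the configured value, then fix the checksum incrementally) as an added standalone C example; this is not the ipfw_pmod module's code from the commit, and the constructed sample segment, its arbitrary checksum and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define TH_SYN 0x02
/* RFC 1624 incremental update: header word oldw becomes neww while the checksum
 * field holds csum.  All words are the big-endian values read from the wire. */
static uint16_t cksum_adjust(uint16_t csum, uint16_t oldw, uint16_t neww)
{
    uint32_t sum = (uint16_t)~csum + (uint16_t)~oldw + neww;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
/* Clamp the MSS option of a SYN segment in place (tcp = TCP header, len =
 * bytes available).  Returns 1 if rewritten, 0 if left untouched: no SYN,
 * no MSS option, MSS already <= maxmss, or a malformed option list. */
int tcp_clamp_mss(uint8_t *tcp, size_t len, uint16_t maxmss)
{
    size_t hlen, off = 20;
    if (len < 20 || !(tcp[13] & TH_SYN)) return 0;   /* MSS only rides on SYN */
    hlen = (size_t)(tcp[12] >> 4) * 4;               /* data offset in bytes */
    if (hlen < 20 || hlen > len) return 0;
    while (off < hlen) {
        uint8_t kind = tcp[off], olen;
        if (kind == 0) break;                        /* end of option list */
        if (kind == 1) { off++; continue; }          /* NOP padding */
        if (off + 1 >= hlen || (olen = tcp[off + 1]) < 2 || off + olen > hlen)
            return 0;                                /* truncated or bogus option */
        if (kind == 2 && olen == 4) {                /* MSS option */
            uint16_t cur = rd16(tcp + off + 2);
            if (cur <= maxmss) return 0;             /* already small enough */
            wr16(tcp + 16, cksum_adjust(rd16(tcp + 16), cur, maxmss));
            wr16(tcp + off + 2, maxmss);
            return 1;
        }
        off += olen;
    }
    return 0;
}
/* Constructed 24-byte SYN (ports 12345->80, window 65535, MSS 1460).  The
 * checksum 0x1234 is arbitrary: only the incremental adjustment is exercised. */
static const uint8_t sample_syn[24] = {
    0x30,0x39, 0x00,0x50, 0,0,0,0, 0,0,0,0, 0x60,0x02, 0xff,0xff,
    0x12,0x34, 0x00,0x00, 0x02,0x04,0x05,0xb4 };
static uint8_t work[24];
int run_sample(uint16_t maxmss)   /* clamp a fresh copy of the sample segment */
{ memcpy(work, sample_syn, sizeof(work)); return tcp_clamp_mss(work, sizeof(work), maxmss); }
uint16_t sample_word(size_t off) { return rd16(work + off); }
```

In the kernel the same adjustment has to be skipped when the checksum is going to be offloaded to the NIC, which is why the log says the checksum is adjusted "if needed".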