From owner-freebsd-net@FreeBSD.ORG  Fri Oct 26 15:43:35 2007
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 8DC8B16A41A;
	Fri, 26 Oct 2007 15:43:35 +0000 (UTC)
	(envelope-from matus.harvan@inf.ethz.ch)
Received: from xsmtp1.ethz.ch (xsmtp1.ethz.ch [82.130.70.13])
	by mx1.freebsd.org (Postfix) with ESMTP id D6EBA13C480;
	Fri, 26 Oct 2007 15:43:34 +0000 (UTC)
	(envelope-from matus.harvan@inf.ethz.ch)
Received: from xfe0.d.ethz.ch ([82.130.124.40]) by xsmtp1.ethz.ch with
	Microsoft SMTPSVC(6.0.3790.3959); Fri, 26 Oct 2007 17:40:58 +0200
Received: from styx.inf.ethz.ch ([129.132.74.245]) by xfe0.d.ethz.ch over TLS
	secured channel with Microsoft SMTPSVC(6.0.3790.3959); 
	Fri, 26 Oct 2007 17:40:57 +0200
Received: by styx.inf.ethz.ch (Postfix, from userid 1001)
	id 867CD49AC74; Fri, 26 Oct 2007 17:40:57 +0200 (CEST)
Date: Fri, 26 Oct 2007 17:40:57 +0200
From: Matus Harvan <mharvan@inf.ethz.ch>
To: freebsd-net@freebsd.org
Message-ID: <20071026154057.GG1049@styx.ethz.ch>
References: <20070909201837.GA18107@inf.ethz.ch>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="OFj+1YLvsEfSXdCH"
Content-Disposition: inline
In-Reply-To: <20070909201837.GA18107@inf.ethz.ch>
User-Agent: Mutt/1.5.16 (2007-06-09)
X-OriginalArrivalTime: 26 Oct 2007 15:40:57.0713 (UTC)
	FILETIME=[9A34D610:01C817E6]
Cc: Max Laier <max@love2party.net>, Brooks Davis <brooks@freebsd.org>
Subject: Re: UDP catchall
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Oct 2007 15:43:35 -0000


--OFj+1YLvsEfSXdCH
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi,

I was wondering if I could get some feedback about the patch and
whether others think it could be committed.

Matus

On Sun, Sep 09, 2007 at 10:18:37PM +0200, Matus Harvan wrote:
> Hello,
>=20
> I am a Google Summer of Code student working on mtund, aka Magic
> Tunnel Daemon aka Super Tunnel Daemon,
> http://wiki.freebsd.org/SuperTunnelDaemon.
>=20
> For mtund it would be useful to listen on all unused UDP ports,
> allowing a client behind firewall to use any possible hole it could
> find. To achieve this, the easiest way seems to be to allow a raw
> IP/UDP socket to receive UDP traffic that no regular UDP socket
> wants. In the kernel this means passing the mbuf from udp_input to
> rip_input(). Upon receiving a packet, the user space program would
> inspect the UDP header and create a UDP socket bound to the correct
> local port and connected to the right remote port and address.
>=20
> The user space usage would then look as follows:
> 	fd =3D socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
> 	recvfrom(fd, ...);
> 	/* parse the UDP header for the source and destination addresses */
> 	new_fd =3D socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
> 	bind(new_fd, ...);
> 	connect(new_fd, ...);
>=20
> This catchall feature could be enabled/disabled via a sysctl variable,
> net.inet.raw.udp_catchall. Furthermore, a rate limit could be used to
> mitigate possible DoS misuse.
>=20
> A simple testing program can be found under
>=20
> http://p4web.freebsd.org/@md=3Dd&cd=3D//depot/projects/soc2007/mharvan-mt=
und/sys.patches/test_catchall/&c=3Dxpc@//depot/projects/soc2007/mharvan-mtu=
nd/sys.patches/test_catchall/ucatchalld.c?ac=3D22
>=20
> and a more complex example is the udp catchall plugin for mtund
>=20
> http://p4web.freebsd.org/@md=3Dd&cd=3D//depot/projects/soc2007/mharvan-mt=
und/mtund.src/&c=3DSM3@//depot/projects/soc2007/mharvan-mtund/mtund.src/plu=
gin_udp_catchall.c?ac=3D22
>=20
> Matus
>=20
> patch:
> Index: udp_usrreq.c
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> RCS file: /home/ncvs/src/sys/netinet/udp_usrreq.c,v
> retrieving revision 1.216
> diff -d -u -r1.216 udp_usrreq.c
> --- udp_usrreq.c	10 Jul 2007 09:30:46 -0000	1.216
> +++ udp_usrreq.c	6 Sep 2007 21:59:31 -0000
> @@ -125,6 +125,15 @@
>  SYSCTL_ULONG(_net_inet_udp, UDPCTL_RECVSPACE, recvspace, CTLFLAG_RW,
>      &udp_recvspace, 0, "Maximum space for incoming UDP datagrams");
> =20
> +static int	udp_catchall =3D 0;
> +SYSCTL_INT(_net_inet_raw, OID_AUTO, udp_catchall, CTLFLAG_RW | CTLFLAG_S=
ECURE,
> +   &udp_catchall, 0, "Raw IP UDP sockets receive unclaimed UDP datagrams=
");
> +
> +static int	catchalllim =3D 5;
> +SYSCTL_INT(_net_inet_udp, OID_AUTO, catchalllim, CTLFLAG_RW | CTLFLAG_SE=
CURE,
> +   &catchalllim, 0,
> +   "Rate limit on received UDP datagrams due to udp_catchall");
> +
>  struct inpcbhead	udb;		/* from udp_var.h */
>  struct inpcbinfo	udbinfo;
> =20
> @@ -136,6 +145,11 @@
>  SYSCTL_STRUCT(_net_inet_udp, UDPCTL_STATS, stats, CTLFLAG_RW, &udpstat,
>      udpstat, "UDP statistics (struct udpstat, netinet/udp_var.h)");
> =20
> +static struct rate {
> +  struct timeval	lasttime;
> +  int		curpps;
> +} catchallr;
> +
>  static void	udp_detach(struct socket *so);
>  static int	udp_output(struct inpcb *, struct mbuf *, struct sockaddr *,
>  		    struct mbuf *, struct thread *);
> @@ -515,6 +529,35 @@
>  	 */
>  	inp =3D in_pcblookup_hash(&udbinfo, ip->ip_src, uh->uh_sport,
>  	    ip->ip_dst, uh->uh_dport, 1, ifp);
> +
> +	/* catchall socket */
> +	if (inp =3D=3D NULL && udp_catchall !=3D 0) {
> +#ifdef DIAGNOSTIC
> +		printf("IP UDP catchall active\n");
> +		char dbuf[INET_ADDRSTRLEN], sbuf[INET_ADDRSTRLEN];
> +		strcpy(dbuf, inet_ntoa(ip->ip_dst));
> +		strcpy(sbuf, inet_ntoa(ip->ip_src));
> +		printf("\tip_src: %s, sport: %hu\n\tip_dst: %s, dport: %hu\n",
> +		    sbuf, ntohs(uh->uh_sport), dbuf, ntohs(uh->uh_dport));
> +#endif
> +
> +		/* rate limiting */
> +		if (catchalllim > 0)=20
> +			if (ppsratecheck(&catchallr.lasttime,
> +			    &catchallr.curpps, catchalllim)) {
> +				rip_input(m, off);
> +				INP_INFO_RUNLOCK(&udbinfo);
> +				return;
> +			}
> +#ifdef DIAGNOSTIC
> +			else
> +			  printf("ppsratecheck limited "
> +				    "udp_catchall\n");
> +		else
> +			printf("ppsratecheck limited udp_catchall\n");
> +#endif
> +	}
> +
>  	if (inp =3D=3D NULL) {
>  		if (udp_log_in_vain) {
>  			char buf[4*sizeof "123"];



--OFj+1YLvsEfSXdCH
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)

iD8DBQFHIgqJ43LQWDWf0QIRAgIAAJ4qBMV3eVP883IKwzb6faqkphuIYwCfa+wU
fJpmJ24+fQqkUiTCl7Hwe5g=
=vev9
-----END PGP SIGNATURE-----

--OFj+1YLvsEfSXdCH--