Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 19 Apr 2019 17:06:43 +0000 (UTC)
From:      Tom Jones <thj@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r346398 - in head: sys/netinet6 usr.bin/netstat usr.bin/systat
Message-ID:  <201904191706.x3JH6hGF019614@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: thj
Date: Fri Apr 19 17:06:43 2019
New Revision: 346398
URL: https://svnweb.freebsd.org/changeset/base/346398

Log:
  Add stat counter for ipv6 atomic fragments
  
  Add a stat counter to track ipv6 atomic fragments. Atomic fragments can be
  generated in response to invalid path MTU values, but are also a potential
  attack vector and considered harmful (see RFC6946 and RFC8021).
  
  While here add tracking of the atomic fragment counter to netstat and systat.
  
  Reviewed by:    tuexen, jtl, bz
  Approved by:    jtl (mentor), bz (mentor)
  Event:  Aberdeen hackathon 2019
  Differential Revision:  https://reviews.freebsd.org/D17511

Modified:
  head/sys/netinet6/frag6.c
  head/sys/netinet6/ip6_var.h
  head/usr.bin/netstat/inet6.c
  head/usr.bin/systat/ip6.c

Modified: head/sys/netinet6/frag6.c
==============================================================================
--- head/sys/netinet6/frag6.c	Fri Apr 19 15:54:32 2019	(r346397)
+++ head/sys/netinet6/frag6.c	Fri Apr 19 17:06:43 2019	(r346398)
@@ -277,12 +277,12 @@ frag6_input(struct mbuf **mp, int *offp, int proto)
 	offset += sizeof(struct ip6_frag);
 
 	/*
-	 * RFC 6946: Handle "atomic" fragments (offset and m bit set to 0)
-	 * upfront, unrelated to any reassembly.  Just skip the fragment header.
+	 * Handle "atomic" fragments (offset and m bit set to 0) upfront,
+	 * unrelated to any reassembly (see RFC 6946 and section 4.5 of RFC
+	 * 8200).  Just skip the fragment header.
 	 */
 	if ((ip6f->ip6f_offlg & ~IP6F_RESERVED_MASK) == 0) {
-		/* XXX-BZ we want dedicated counters for this. */
-		IP6STAT_INC(ip6s_reassembled);
+		IP6STAT_INC(ip6s_atomicfrags);
 		in6_ifstat_inc(dstifp, ifs6_reass_ok);
 		*offp = offset;
 		m->m_flags |= M_FRAGMENTED;

Modified: head/sys/netinet6/ip6_var.h
==============================================================================
--- head/sys/netinet6/ip6_var.h	Fri Apr 19 15:54:32 2019	(r346397)
+++ head/sys/netinet6/ip6_var.h	Fri Apr 19 17:06:43 2019	(r346398)
@@ -208,6 +208,7 @@ struct	ip6stat {
 	uint64_t ip6s_localout;		/* total ip packets generated here */
 	uint64_t ip6s_odropped;		/* lost packets due to nobufs, etc. */
 	uint64_t ip6s_reassembled;	/* total packets reassembled ok */
+	uint64_t ip6s_atomicfrags;	/* atomic fragments */
 	uint64_t ip6s_fragmented;	/* datagrams successfully fragmented */
 	uint64_t ip6s_ofragments;	/* output fragments created */
 	uint64_t ip6s_cantfrag;		/* don't fragment flag was set, etc. */

Modified: head/usr.bin/netstat/inet6.c
==============================================================================
--- head/usr.bin/netstat/inet6.c	Fri Apr 19 15:54:32 2019	(r346397)
+++ head/usr.bin/netstat/inet6.c	Fri Apr 19 17:06:43 2019	(r346398)
@@ -391,6 +391,8 @@ ip6_stats(u_long off, const char *name, int af1 __unus
 	    "{N:/fragment%s dropped after timeout}\n");
 	p(ip6s_fragoverflow, "\t{:dropped-fragments-overflow/%ju} "
 	    "{N:/fragment%s that exceeded limit}\n");
+	p(ip6s_atomicfrags, "\t{:atomic-fragments/%ju} "
+	    "{N:/atomic fragment%s}\n");
 	p(ip6s_reassembled, "\t{:reassembled-packets/%ju} "
 	    "{N:/packet%s reassembled ok}\n");
 	p(ip6s_delivered, "\t{:received-local-packets/%ju} "

Modified: head/usr.bin/systat/ip6.c
==============================================================================
--- head/usr.bin/systat/ip6.c	Fri Apr 19 15:54:32 2019	(r346397)
+++ head/usr.bin/systat/ip6.c	Fri Apr 19 17:06:43 2019	(r346398)
@@ -121,16 +121,16 @@ labelip6(void)
 	L(6, "- fragments dropped");	R(6, "destinations unreachable");
 	L(7, "- fragments timed out");	R(7, "packets output via raw IP");
 	L(8, "- fragments overflown");
-	L(9, "- packets reassembled ok"); R(9, "Input next-header histogram");
-	L(10, "packets forwarded");	R(10, " - destination options");
-	L(11, "- unreachable dests");	R(11, " - hop-by-hop options");
-	L(12, "- redirects generated");	R(12, " - IPv4");
-	L(13, "option errors");		R(13, " - TCP");
-	L(14, "unwanted multicasts");	R(14, " - UDP");
-	L(15, "delivered to upper layer"); R(15, " - IPv6");
-	L(16, "bad scope packets");	R(16, " - routing header");
-	L(17, "address selection failed"); R(17, " - fragmentation header");
-					R(18, " - ICMP6");
+	L(9, "- atomic fragments"); 	R(9, "Input next-header histogram");
+	L(10, "- packets reassembled ok"); R(10, " - destination options");
+	L(11, "packets forwarded");	R(11, " - hop-by-hop options");
+	L(12, "- unreachable dests");	R(12, " - IPv4");
+	L(13, "- redirects generated");	R(13, " - TCP");
+	L(14, "option errors");		R(14, " - UDP");
+	L(15, "unwanted multicasts");	R(15, " - IPv6");
+	L(16, "delivered to upper layer"); R(16, " - routing header");
+	L(17, "bad scope packets");	R(17, " - fragmentation header");
+	L(18, "address selection failed");R(18, " - ICMP6");
 					R(19, " - none");
 #undef L
 #undef R
@@ -165,6 +165,7 @@ domode(struct ip6stat *ret)
 	DO(ip6s_fragdropped);
 	DO(ip6s_fragtimeout);
 	DO(ip6s_fragoverflow);
+	DO(ip6s_atomicfrags);
 	DO(ip6s_forward);
 	DO(ip6s_cantforward);
 	DO(ip6s_redirectsent);
@@ -214,22 +215,23 @@ showip6(void)
 	DO(ip6s_fragtimeout, 7, 0);
 	DO(ip6s_rawout, 7, 35);
 	DO(ip6s_fragoverflow, 8, 0);
-	DO(ip6s_reassembled, 9, 0);
-	DO(ip6s_forward, 10, 0);
+	DO(ip6s_atomicfrags, 9, 0);
+	DO(ip6s_reassembled, 10, 0);
+	DO(ip6s_forward, 11, 0);
 	DO(ip6s_nxthist[IPPROTO_DSTOPTS], 10, 35);
-	DO(ip6s_cantforward, 11, 0);
+	DO(ip6s_cantforward, 12, 0);
 	DO(ip6s_nxthist[IPPROTO_HOPOPTS], 11, 35);
-	DO(ip6s_redirectsent, 12, 0);
+	DO(ip6s_redirectsent, 13, 0);
 	DO(ip6s_nxthist[IPPROTO_IPV4], 12, 35);
-	DO(ip6s_badoptions, 13, 0);
+	DO(ip6s_badoptions, 14, 0);
 	DO(ip6s_nxthist[IPPROTO_TCP], 13, 35);
-	DO(ip6s_notmember, 14, 0);
+	DO(ip6s_notmember, 15, 0);
 	DO(ip6s_nxthist[IPPROTO_UDP], 14, 35);
-	DO(ip6s_delivered, 15, 0);
+	DO(ip6s_delivered, 16, 0);
 	DO(ip6s_nxthist[IPPROTO_IPV6], 15, 35);
-	DO(ip6s_badscope, 16, 0);
+	DO(ip6s_badscope, 17, 0);
 	DO(ip6s_nxthist[IPPROTO_ROUTING], 16, 35);
-	DO(ip6s_sources_none, 17, 0);
+	DO(ip6s_sources_none, 18, 0);
 	DO(ip6s_nxthist[IPPROTO_FRAGMENT], 17, 35);
 	DO(ip6s_nxthist[IPPROTO_ICMPV6], 18, 35);
 	DO(ip6s_nxthist[IPPROTO_NONE], 19, 35);



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201904191706.x3JH6hGF019614>