Date:      Sat, 11 Jan 2020 01:56:57 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject:   svn commit: r356625 - in stable/12: sys/netinet6 usr.bin/netstat usr.bin/systat
Message-ID:  <202001110156.00B1uvYq026554@repo.freebsd.org>

Author: bz
Date: Sat Jan 11 01:56:57 2020
New Revision: 356625
URL: https://svnweb.freebsd.org/changeset/base/356625

Log:
  MFC 346398 (by thj):
  
    Add stat counter for ipv6 atomic fragments
  
    Add a stat counter to track ipv6 atomic fragments. Atomic fragments can be
    generated in response to invalid path MTU values, but are also a potential
    attack vector and considered harmful (see RFC6946 and RFC8021).
  
    While here add tracking of the atomic fragment counter to netstat and systat.
  
  This should fix failing CI tests merged from head as
  Reported by:	lwhsu

Modified:
  stable/12/sys/netinet6/frag6.c
  stable/12/sys/netinet6/ip6_var.h
  stable/12/usr.bin/netstat/inet6.c
  stable/12/usr.bin/systat/ip6.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sys/netinet6/frag6.c
==============================================================================
--- stable/12/sys/netinet6/frag6.c	Sat Jan 11 01:44:55 2020	(r356624)
+++ stable/12/sys/netinet6/frag6.c	Sat Jan 11 01:56:57 2020	(r356625)
@@ -441,8 +441,7 @@ frag6_input(struct mbuf **mp, int *offp, int proto)
 	 * See RFC 6946 and section 4.5 of RFC 8200.
 	 */
 	if ((ip6f->ip6f_offlg & ~IP6F_RESERVED_MASK) == 0) {
-		/* XXX-BZ we want dedicated counters for this. */
-		IP6STAT_INC(ip6s_reassembled);
+		IP6STAT_INC(ip6s_atomicfrags);
 		nxt = ip6f->ip6f_nxt;
 		/*
 		 * Set nxt(-hdr field value) to the original value.
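Review bot: Atomic fragments stop contributing to `ip6s_reassembled` at the changed line, but the removed XXX comment is not replaced by anything that says so. Anyone comparing reassembly counts across this revision will see a drop that is only an accounting change. A one-line comment above the increment would record it, for example `/* Atomic fragment: counted on its own, no longer in ip6s_reassembled. */`. Since the log motivates the counter by RFC 6946 and RFC 8021, the comment could also say that an unexpected rise in this counter is worth investigating. frag6_input starts and ends outside this hunk.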

Modified: stable/12/sys/netinet6/ip6_var.h
==============================================================================
--- stable/12/sys/netinet6/ip6_var.h	Sat Jan 11 01:44:55 2020	(r356624)
+++ stable/12/sys/netinet6/ip6_var.h	Sat Jan 11 01:56:57 2020	(r356625)
@@ -195,6 +195,7 @@ struct	ip6stat {
 	uint64_t ip6s_localout;		/* total ip packets generated here */
 	uint64_t ip6s_odropped;		/* lost packets due to nobufs, etc. */
 	uint64_t ip6s_reassembled;	/* total packets reassembled ok */
+	uint64_t ip6s_atomicfrags;	/* atomic fragments */
 	uint64_t ip6s_fragmented;	/* datagrams successfully fragmented */
 	uint64_t ip6s_ofragments;	/* output fragments created */
 	uint64_t ip6s_cantfrag;		/* don't fragment flag was set, etc. */
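Review bot: Inserting `ip6s_atomicfrags` between `ip6s_reassembled` and `ip6s_fragmented` shifts the offset of every later member of struct ip6stat. That matters on a stable branch if the structure is handed to userland as a flat blob, which seems likely because netstat and systat consume it in this same commit. A tool built against the old layout would then silently read `ip6s_fragmented`, `ip6s_ofragments` and the following counters one slot off, skewing any monitoring built on them. Consider appending the member at the end of the struct, or reusing a spare slot if one exists, and make the comment more specific, e.g. `/* atomic fragments (offset 0, M clear; RFC 6946) */`. The struct begins and ends outside this hunk, so whether spare fields exist cannot be seen here.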

Modified: stable/12/usr.bin/netstat/inet6.c
==============================================================================
--- stable/12/usr.bin/netstat/inet6.c	Sat Jan 11 01:44:55 2020	(r356624)
+++ stable/12/usr.bin/netstat/inet6.c	Sat Jan 11 01:56:57 2020	(r356625)
@@ -391,6 +391,8 @@ ip6_stats(u_long off, const char *name, int af1 __unus
 	    "{N:/fragment%s dropped after timeout}\n");
 	p(ip6s_fragoverflow, "\t{:dropped-fragments-overflow/%ju} "
 	    "{N:/fragment%s that exceeded limit}\n");
+	p(ip6s_atomicfrags, "\t{:atomic-fragments/%ju} "
+	    "{N:/atomic fragment%s}\n");
 	p(ip6s_reassembled, "\t{:reassembled-packets/%ju} "
 	    "{N:/packet%s reassembled ok}\n");
 	p(ip6s_delivered, "\t{:received-local-packets/%ju} "

Modified: stable/12/usr.bin/systat/ip6.c
==============================================================================
--- stable/12/usr.bin/systat/ip6.c	Sat Jan 11 01:44:55 2020	(r356624)
+++ stable/12/usr.bin/systat/ip6.c	Sat Jan 11 01:56:57 2020	(r356625)
@@ -121,16 +121,16 @@ labelip6(void)
 	L(6, "- fragments dropped");	R(6, "destinations unreachable");
 	L(7, "- fragments timed out");	R(7, "packets output via raw IP");
 	L(8, "- fragments overflown");
-	L(9, "- packets reassembled ok"); R(9, "Input next-header histogram");
-	L(10, "packets forwarded");	R(10, " - destination options");
-	L(11, "- unreachable dests");	R(11, " - hop-by-hop options");
-	L(12, "- redirects generated");	R(12, " - IPv4");
-	L(13, "option errors");		R(13, " - TCP");
-	L(14, "unwanted multicasts");	R(14, " - UDP");
-	L(15, "delivered to upper layer"); R(15, " - IPv6");
-	L(16, "bad scope packets");	R(16, " - routing header");
-	L(17, "address selection failed"); R(17, " - fragmentation header");
-					R(18, " - ICMP6");
+	L(9, "- atomic fragments"); 	R(9, "Input next-header histogram");
+	L(10, "- packets reassembled ok"); R(10, " - destination options");
+	L(11, "packets forwarded");	R(11, " - hop-by-hop options");
+	L(12, "- unreachable dests");	R(12, " - IPv4");
+	L(13, "- redirects generated");	R(13, " - TCP");
+	L(14, "option errors");		R(14, " - UDP");
+	L(15, "unwanted multicasts");	R(15, " - IPv6");
+	L(16, "delivered to upper layer"); R(16, " - routing header");
+	L(17, "bad scope packets");	R(17, " - fragmentation header");
+	L(18, "address selection failed");R(18, " - ICMP6");
 					R(19, " - none");
 #undef L
 #undef R
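Review bot: Two of the new label lines break the whitespace convention of their neighbours. `L(9, "- atomic fragments"); 	R(9, ...` has a space before the tab, and `L(18, "address selection failed");R(18, " - ICMP6");` has no separator between the two macro calls. Use a single tab after the first `;` on line 9, and at least a space before `R(18, ...)` as the other long-label rows do. labelip6 starts outside this hunk.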
@@ -165,6 +165,7 @@ domode(struct ip6stat *ret)
 	DO(ip6s_fragdropped);
 	DO(ip6s_fragtimeout);
 	DO(ip6s_fragoverflow);
+	DO(ip6s_atomicfrags);
 	DO(ip6s_forward);
 	DO(ip6s_cantforward);
 	DO(ip6s_redirectsent);
@@ -214,22 +215,23 @@ showip6(void)
 	DO(ip6s_fragtimeout, 7, 0);
 	DO(ip6s_rawout, 7, 35);
 	DO(ip6s_fragoverflow, 8, 0);
-	DO(ip6s_reassembled, 9, 0);
-	DO(ip6s_forward, 10, 0);
+	DO(ip6s_atomicfrags, 9, 0);
+	DO(ip6s_reassembled, 10, 0);
+	DO(ip6s_forward, 11, 0);
 	DO(ip6s_nxthist[IPPROTO_DSTOPTS], 10, 35);
-	DO(ip6s_cantforward, 11, 0);
+	DO(ip6s_cantforward, 12, 0);
 	DO(ip6s_nxthist[IPPROTO_HOPOPTS], 11, 35);
-	DO(ip6s_redirectsent, 12, 0);
+	DO(ip6s_redirectsent, 13, 0);
 	DO(ip6s_nxthist[IPPROTO_IPV4], 12, 35);
-	DO(ip6s_badoptions, 13, 0);
+	DO(ip6s_badoptions, 14, 0);
 	DO(ip6s_nxthist[IPPROTO_TCP], 13, 35);
-	DO(ip6s_notmember, 14, 0);
+	DO(ip6s_notmember, 15, 0);
 	DO(ip6s_nxthist[IPPROTO_UDP], 14, 35);
-	DO(ip6s_delivered, 15, 0);
+	DO(ip6s_delivered, 16, 0);
 	DO(ip6s_nxthist[IPPROTO_IPV6], 15, 35);
-	DO(ip6s_badscope, 16, 0);
+	DO(ip6s_badscope, 17, 0);
 	DO(ip6s_nxthist[IPPROTO_ROUTING], 16, 35);
-	DO(ip6s_sources_none, 17, 0);
+	DO(ip6s_sources_none, 18, 0);
 	DO(ip6s_nxthist[IPPROTO_FRAGMENT], 17, 35);
 	DO(ip6s_nxthist[IPPROTO_ICMPV6], 18, 35);
 	DO(ip6s_nxthist[IPPROTO_NONE], 19, 35);
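Review bot: After the renumbering, the interleaved DO() calls no longer pair a left-column entry with the right-column entry of the same row. For example, `DO(ip6s_forward, 11, 0);` is now followed by `DO(ip6s_nxthist[IPPROTO_DSTOPTS], 10, 35);`. The output is presumably unaffected, since each call carries its own row and column, but the listing is now harder to check against the labels in labelip6(). Re-pairing the calls by row (e.g. `DO(ip6s_reassembled, 10, 0);` next to the `IPPROTO_DSTOPTS` line), or grouping all left-column calls before the right-column ones, would restore that. showip6 begins and ends outside this hunk.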


