Message-Id: <202011232353.0ANNrLkS049037@repo.freebsd.org>
From: Navdeep Parhar <np@FreeBSD.org>
Date: Mon, 23 Nov 2020 23:53:21 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject: svn commit: r367965 - in stable/12: share/man/man4 sys/dev/cxgbe

Author: np
Date: Mon Nov 23 23:53:21 2020
New Revision: 367965
URL: https://svnweb.freebsd.org/changeset/base/367965

Log:
  MFC r366532 and r366862.
  
  r366532:
  cxgbe(4): knobs to drop various kinds of undesirable frames on ingress.
  
  These kinds of drops come for free in the sense that they do not use the
  filter TCAM or any other resource that wouldn't normally be used during
  rx.  Frames dropped by the hardware get counted in the MAC's rx stats
  but are not delivered to the driver.
  
  hw.cxgbe.attack_filter
  Set to 1 to enable the "attack filter".  Default is 0.  The attack
  filter will drop an incoming frame if any of these conditions is true:
  src ip/ip6 == dst ip/ip6; tcp and src/dst ip is not unicast; src/dst ip
  is loopback (127.x.y.z); src ip6 is not unicast; src/dst ip6 is loopback
  (::1/128) or unspecified (::/128); tcp and src/dst ip6 is mcast
  (ff00::/8).
  
  hw.cxgbe.drop_ip_fragments
  Set to 1 to drop all incoming IP fragments.  Default is 0.  Note that
  this drops valid frames.
  
  hw.cxgbe.drop_pkts_with_l2_errors
  Set to 1 to drop incoming frames with Layer 2 length or checksum errors.
  Default is 1.
  
  hw.cxgbe.drop_pkts_with_l3_errors
  Set to 1 to drop incoming frames with IP version, length, or checksum
  errors.  Default is 0.
  
  hw.cxgbe.drop_pkts_with_l4_errors
  Set to 1 to drop incoming frames with Layer 4 length, checksum, or other
  errors.  Default is 0.
  
  r366862:
  cxgbe(4): Updates to the drop features from r366532.
  
  Sponsored by:	Chelsio Communications
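The attack filter described above is a fixed set of address checks applied in hardware, and the only way to know what it will do to a given traffic mix is to walk each frame through the conditions. The following is an added Python model written for this page; it is not code from FreeBSD or from the cxgbe driver. It restates the thirteen conditions from the driver comment (IPv4 src==dst, loopback, non-unicast for TCP; IPv6 src==dst, non-unicast source, loopback, unspecified, multicast for TCP) so an operator can see, per frame, whether hw.cxgbe.attack_filter=1 would cause the NIC to discard it before the driver ever sees it. Everything not in the commit is an assumption of the example: a frame is reduced to (src, dst, proto), "not unicast" is taken to mean multicast, plus the IPv4 limited broadcast 255.255.255.255, and the sample frames are constructed from documentation address ranges.

```python
"""Python model of the cxgbe(4) attack-filter drop conditions.

Added illustration for this commit message, not code from FreeBSD or the
cxgbe driver.  It restates the thirteen conditions listed in the driver
comment so that each sample frame can be classified as dropped or passed.
Assumptions (not from the commit): a frame is modelled as (src, dst, proto)
only, and "not unicast" means multicast, plus the IPv4 limited broadcast
255.255.255.255.  The sample frames below are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address, ip_address
from typing import Dict, List


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    proto: str  # only "tcp" changes the outcome; every other protocol is treated alike


def _is_unicast(addr) -> bool:
    # Assumption: non-unicast means multicast, or the limited broadcast for IPv4.
    if addr.is_multicast:
        return False
    if isinstance(addr, IPv4Address) and addr == IPv4Address("255.255.255.255"):
        return False
    return True


def attack_filter_reasons(frame: Frame) -> List[str]:
    """Return the attack-filter conditions the frame matches (empty list = passes)."""
    src, dst = ip_address(frame.src), ip_address(frame.dst)
    tcp = frame.proto.lower() == "tcp"
    hits: List[str] = []
    if isinstance(src, IPv4Address) and isinstance(dst, IPv4Address):
        if src == dst:                       # condition 1
            hits.append("ipv4 src == dst")
        if tcp and not _is_unicast(src):     # condition 2
            hits.append("tcp/ipv4 src not unicast")
        if tcp and not _is_unicast(dst):     # condition 3
            hits.append("tcp/ipv4 dst not unicast")
        if src.is_loopback:                  # condition 4 (127.x.y.z)
            hits.append("ipv4 src loopback")
        if dst.is_loopback:                  # condition 5
            hits.append("ipv4 dst loopback")
    elif isinstance(src, IPv6Address) and isinstance(dst, IPv6Address):
        if src == dst:                       # condition 6
            hits.append("ipv6 src == dst")
        if not _is_unicast(src):             # condition 7 (any protocol)
            hits.append("ipv6 src not unicast")
        if src.is_loopback:                  # condition 8 (::1/128)
            hits.append("ipv6 src loopback")
        if dst.is_loopback:                  # condition 9
            hits.append("ipv6 dst loopback")
        if src.is_unspecified:               # condition 10 (::/128)
            hits.append("ipv6 src unspecified")
        if dst.is_unspecified:               # condition 11
            hits.append("ipv6 dst unspecified")
        if tcp and src.is_multicast:         # condition 12 (ff00::/8)
            hits.append("tcp/ipv6 src multicast")
        if tcp and dst.is_multicast:         # condition 13
            hits.append("tcp/ipv6 dst multicast")
    else:
        raise ValueError("src and dst must belong to the same address family")
    return hits


def would_drop(frame: Frame) -> bool:
    """True when the hardware attack filter would discard this frame."""
    return bool(attack_filter_reasons(frame))


def classify(frames) -> Dict[Frame, List[str]]:
    """Map each frame to the list of conditions it trips."""
    return {f: attack_filter_reasons(f) for f in frames}


# Constructed sample frames (documentation ranges only), covering the
# legitimate-looking cases an operator is most likely to care about.
SAMPLE_FRAMES = [
    Frame("198.51.100.7", "198.51.100.7", "tcp"),      # land-style src==dst
    Frame("198.51.100.7", "224.0.0.251", "udp"),       # mDNS: multicast but not TCP
    Frame("198.51.100.7", "224.0.0.251", "tcp"),       # TCP to multicast
    Frame("0.0.0.0", "255.255.255.255", "udp"),        # DHCP discover-style broadcast
    Frame("127.0.0.1", "198.51.100.7", "udp"),         # spoofed loopback source
    Frame("::", "ff02::1:ff00:1", "icmpv6"),           # DAD-style neighbor solicitation
    Frame("2001:db8::1", "ff02::1", "udp"),            # v6 multicast, not TCP
    Frame("2001:db8::1", "ff02::1", "tcp"),            # TCP to v6 multicast
    Frame("ff02::1", "2001:db8::1", "tcp"),            # multicast source over TCP
]

if __name__ == "__main__":
    for frame, hits in classify(SAMPLE_FRAMES).items():
        verdict = "DROP" if hits else "pass"
        print(f"{verdict:4} {frame.proto:6} {frame.src:>16} -> {frame.dst:<16} {', '.join(hits)}")
```

Running the model over the constructed frames shows the asymmetry worth knowing before turning the knob on: the IPv4 non-unicast checks apply to TCP only, so DHCP-style broadcasts and mDNS over UDP pass, whereas the IPv6 unspecified-source check applies to every protocol, so a neighbor solicitation sent from :: (as Duplicate Address Detection does) trips condition 10 and is discarded in hardware. Because such drops are only visible in the MAC rx statistics, checking expected flows against a model like this is cheaper than diagnosing the missing traffic afterwards.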

Modified:
  stable/12/share/man/man4/cxgbe.4
  stable/12/sys/dev/cxgbe/t4_main.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/share/man/man4/cxgbe.4
==============================================================================
--- stable/12/share/man/man4/cxgbe.4	Mon Nov 23 23:46:07 2020	(r367964)
+++ stable/12/share/man/man4/cxgbe.4	Mon Nov 23 23:53:21 2020	(r367965)
@@ -31,7 +31,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd September 17, 2020
+.Dd October 19, 2020
 .Dt CXGBE 4
 .Os
 .Sh NAME
@@ -362,6 +362,29 @@ The default value is 0 and should be changed only if P
 to communicate with each other.
 Different interfaces can be assigned different values using the
 dev.<port>.X.tx_vm_wr sysctl when the interface is administratively down.
+.It Va hw.cxgbe.attack_filter
+Set to 1 to enable the "attack filter".
+Default is 0.
+The attack filter will drop an incoming frame if any of these conditions is
+true: src ip/ip6 == dst ip/ip6; tcp and src/dst ip is not unicast; src/dst ip is
+loopback (127.x.y.z); src ip6 is not unicast; src/dst ip6 is loopback (::1/128)
+or unspecified (::/128); tcp and src/dst ip6 is mcast (ff00::/8).
+This facility is available on T4 and T5 based cards only.
+.It Va hw.cxgbe.drop_ip_fragments
+Set to 1 to drop all incoming IP fragments.
+Default is 0.
+Note that this drops valid frames.
+.It Va hw.cxgbe.drop_pkts_with_l2_errors
+Set to 1 to drop incoming frames with Layer 2 length or checksum errors.
+Default is 1.
+.It Va hw.cxgbe.drop_pkts_with_l3_errors
+Set to 1 to drop incoming frames with IP version, length, or checksum errors.
+The IP checksum is validated for TCP or UDP packets only.
+Default is 0.
+.It Va hw.cxgbe.drop_pkts_with_l4_errors
+Set to 1 to drop incoming frames with Layer 4 (TCP or UDP) length,
+checksum, or other errors.
+Default is 0.
 .El
 .Sh SUPPORT
 For general information and support,
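Review bot: The new entries never say where a dropped frame becomes visible; the commit log states that hardware drops are counted in the MAC's rx statistics but are not delivered to the driver, and that sentence belongs in the man page (after the last of the five entries would do) so an operator chasing missing traffic knows to look at the MAC counters rather than at interface or firewall statistics. The "T4 and T5 based cards only" line on attack_filter matches the `chip_id(sc) < CHELSIO_T6` gate in t4_main.c; the drop_ip_fragments entry would benefit from the same kind of concreteness, for example that any datagram fragmented along the path will be discarded, not just malformed ones.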

Modified: stable/12/sys/dev/cxgbe/t4_main.c
==============================================================================
--- stable/12/sys/dev/cxgbe/t4_main.c	Mon Nov 23 23:46:07 2020	(r367964)
+++ stable/12/sys/dev/cxgbe/t4_main.c	Mon Nov 23 23:53:21 2020	(r367965)
@@ -579,6 +579,46 @@ static int t4_tx_vm_wr = 0;
 SYSCTL_INT(_hw_cxgbe, OID_AUTO, tx_vm_wr, CTLFLAG_RWTUN, &t4_tx_vm_wr, 0,
     "Use VM work requests to transmit packets.");
 
+/*
+ * Set to non-zero to enable the attack filter.  A packet that matches any of
+ * these conditions will get dropped on ingress:
+ * 1) IP && source address == destination address.
+ * 2) TCP/IP && source address is not a unicast address.
+ * 3) TCP/IP && destination address is not a unicast address.
+ * 4) IP && source address is loopback (127.x.y.z).
+ * 5) IP && destination address is loopback (127.x.y.z).
+ * 6) IPv6 && source address == destination address.
+ * 7) IPv6 && source address is not a unicast address.
+ * 8) IPv6 && source address is loopback (::1/128).
+ * 9) IPv6 && destination address is loopback (::1/128).
+ * 10) IPv6 && source address is unspecified (::/128).
+ * 11) IPv6 && destination address is unspecified (::/128).
+ * 12) TCP/IPv6 && source address is multicast (ff00::/8).
+ * 13) TCP/IPv6 && destination address is multicast (ff00::/8).
+ */
+static int t4_attack_filter = 0;
+SYSCTL_INT(_hw_cxgbe, OID_AUTO, attack_filter, CTLFLAG_RDTUN,
+    &t4_attack_filter, 0, "Drop suspicious traffic");
+
+static int t4_drop_ip_fragments = 0;
+SYSCTL_INT(_hw_cxgbe, OID_AUTO, drop_ip_fragments, CTLFLAG_RDTUN,
+    &t4_drop_ip_fragments, 0, "Drop IP fragments");
+
+static int t4_drop_pkts_with_l2_errors = 1;
+SYSCTL_INT(_hw_cxgbe, OID_AUTO, drop_pkts_with_l2_errors, CTLFLAG_RDTUN,
+    &t4_drop_pkts_with_l2_errors, 0,
+    "Drop all frames with Layer 2 length or checksum errors");
+
+static int t4_drop_pkts_with_l3_errors = 0;
+SYSCTL_INT(_hw_cxgbe, OID_AUTO, drop_pkts_with_l3_errors, CTLFLAG_RDTUN,
+    &t4_drop_pkts_with_l3_errors, 0,
+    "Drop all frames with IP version, length, or checksum errors");
+
+static int t4_drop_pkts_with_l4_errors = 0;
+SYSCTL_INT(_hw_cxgbe, OID_AUTO, drop_pkts_with_l4_errors, CTLFLAG_RDTUN,
+    &t4_drop_pkts_with_l4_errors, 0,
+    "Drop all frames with Layer 4 length, checksum, or other errors");
+
 #ifdef TCP_OFFLOAD
 /*
  * TOE tunables.
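Review bot: The description string for attack_filter, "Drop suspicious traffic", is vaguer than its four siblings and hides the T4/T5 restriction that the man page states and that set_params__post_init enforces; something like "Drop frames matching the T4/T5 attack filter (src==dst, loopback, unspecified, non-unicast TCP)" would make `sysctl -d hw.cxgbe.attack_filter` self-explanatory. The thirteen-item comment above it is good, and CTLFLAG_RDTUN (rather than the CTLFLAG_RWTUN used by tx_vm_wr just above) is the right choice here, since the values are only consumed when the TP registers are programmed in set_params__post_init.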
@@ -4547,7 +4587,7 @@ get_params__post_init(struct adapter *sc)
 static int
 set_params__post_init(struct adapter *sc)
 {
-	uint32_t param, val;
+	uint32_t mask, param, val;
 #ifdef TCP_OFFLOAD
 	int i, v, shift;
 #endif
@@ -4567,6 +4607,33 @@ set_params__post_init(struct adapter *sc)
 	val = 1 << (G_MASKSIZE(t4_read_reg(sc, A_TP_RSS_CONFIG_TNL)) - 1);
 	t4_set_reg_field(sc, A_TP_RSS_CONFIG_TNL, V_MASKFILTER(M_MASKFILTER),
 	    V_MASKFILTER(val - 1));
+
+	mask = F_DROPERRORANY | F_DROPERRORMAC | F_DROPERRORIPVER |
+	    F_DROPERRORFRAG | F_DROPERRORATTACK | F_DROPERRORETHHDRLEN |
+	    F_DROPERRORIPHDRLEN | F_DROPERRORTCPHDRLEN | F_DROPERRORPKTLEN |
+	    F_DROPERRORTCPOPT | F_DROPERRORCSUMIP | F_DROPERRORCSUM;
+	val = 0;
+	if (chip_id(sc) < CHELSIO_T6 && t4_attack_filter != 0) {
+		t4_set_reg_field(sc, A_TP_GLOBAL_CONFIG, F_ATTACKFILTERENABLE,
+		    F_ATTACKFILTERENABLE);
+		val |= F_DROPERRORATTACK;
+	}
+	if (t4_drop_ip_fragments != 0) {
+		t4_set_reg_field(sc, A_TP_GLOBAL_CONFIG, F_FRAGMENTDROP,
+		    F_FRAGMENTDROP);
+		val |= F_DROPERRORFRAG;
+	}
+	if (t4_drop_pkts_with_l2_errors != 0)
+		val |= F_DROPERRORMAC | F_DROPERRORETHHDRLEN;
+	if (t4_drop_pkts_with_l3_errors != 0) {
+		val |= F_DROPERRORIPVER | F_DROPERRORIPHDRLEN |
+		    F_DROPERRORCSUMIP;
+	}
+	if (t4_drop_pkts_with_l4_errors != 0) {
+		val |= F_DROPERRORTCPHDRLEN | F_DROPERRORPKTLEN |
+		    F_DROPERRORTCPOPT | F_DROPERRORCSUM;
+	}
+	t4_set_reg_field(sc, A_TP_ERR_CONFIG, mask, val);
 
 #ifdef TCP_OFFLOAD
 	/*
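Review bot: mask includes F_DROPERRORANY but no branch ever sets that bit in val, so the final t4_set_reg_field(sc, A_TP_ERR_CONFIG, mask, val) always clears it; if that is deliberate (so that only the individual per-error bits decide what is dropped) a one-line comment before the write would save the next reader from wondering, and if it is not, F_DROPERRORANY should be left out of mask. Separately, when chip_id(sc) >= CHELSIO_T6 and t4_attack_filter != 0 the tunable is silently ignored; a device_printf() in an else branch saying the attack filter is unsupported on this chip would match the man page's "T4 and T5 based cards only" and avoid giving the administrator a false sense that the filter is active.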