Date: Thu, 13 Feb 2025 12:39:04 GMT
Message-Id: <202502131239.51DCd4fC075547@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 06c4372a2f1b - main - pf: do not reassemble atomic IPv6 fragments
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=06c4372a2f1b4b4d5998b27a72df1b38a0238300

commit 06c4372a2f1b4b4d5998b27a72df1b38a0238300
Author:     Kristof Provost
AuthorDate: 2025-02-10 14:10:57 +0000
Commit:     Kristof Provost
CommitDate: 2025-02-13 12:38:44 +0000

    pf: do not reassemble atomic IPv6 fragments

    IPv6 atomic fragments must not go to the reassembly queue, but be
    processed immediately. Let pf step over an atomic fragment header
    and handle the packet like an unfragmented one.

    OK mikeb@

    Obtained from: OpenBSD, bluhm , fd6d9d2982
    Sponsored by: Rubicon Communications, LLC ("Netgate")
--- sys/netpfil/pf/pf.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 76f508b43750..65eb5736d43d 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -9580,7 +9580,7 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason) struct ip6_ext ext; struct ip6_rthdr rthdr; uint32_t end; - int rthdr_cnt = 0; + int fraghdr_cnt = 0, rthdr_cnt = 0; pd->off += sizeof(struct ip6_hdr); end = pd->off + ntohs(h->ip6_plen); 
@@ -9589,7 +9589,7 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason) for (;;) { switch (pd->proto) { case IPPROTO_FRAGMENT: - if (pd->fragoff != 0) { + if (fraghdr_cnt++) { DPFPRINTF(PF_DEBUG_MISC, ("IPv6 multiple fragment")); REASON_SET(reason, PFRES_FRAG); return (PF_DROP); @@ -9605,10 +9605,14 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason) DPFPRINTF(PF_DEBUG_MISC, ("IPv6 short fragment")); return (PF_DROP); } - pd->fragoff = pd->off; /* stop walking over non initial fragments */ - if (htons((frag.ip6f_offlg & IP6F_OFF_MASK)) != 0) + if (ntohs((frag.ip6f_offlg & IP6F_OFF_MASK)) != 0) { + pd->fragoff = pd->off; return (PF_PASS); + } + /* RFC6946: reassemble only non atomic fragments */ + if (frag.ip6f_offlg & IP6F_MORE_FRAG) + pd->fragoff = pd->off; pd->off += sizeof(frag); pd->proto = frag.ip6f_nxt; break;
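
Review bot: The duplicate-header test `if (fraghdr_cnt++)` in the IPPROTO_FRAGMENT case (second hunk, counter declared in the first) hides an increment inside a condition and drops the explicit comparison the removed line had (`pd->fragoff != 0`). Since the counter is only ever tested for non-zero, `if (fraghdr_cnt++ != 0)` or a boolean flag set after the check would read more clearly. A one-line comment should also record why pd->fragoff can no longer serve here: after the third hunk it stays 0 for an atomic fragment, so a second fragment header following an atomic one would otherwise go undetected.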
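
Review bot: In the third hunk the offset test `ntohs((frag.ip6f_offlg & IP6F_OFF_MASK)) != 0` byte-swaps a value that is only compared with zero, which a swap cannot change, while the added `frag.ip6f_offlg & IP6F_MORE_FRAG` test reads the same field unswapped. Dropping the ntohs() and the doubled parentheses would make the two tests consistent. The diffstat shows only pf.c changed; a regression test covering an atomic fragment (offset 0, more-fragments bit clear) and a packet carrying two fragment headers would pin down both new code paths.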