Date: Tue, 27 Aug 2024 12:18:38 GMT
Message-Id: <202408271218.47RCIcn3099473@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: 485bd1630810 - stable/14 - pf: cope with SCTP port re-use
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help:
List-Post:
List-Subscribe:
List-Unsubscribe:
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 485bd16308108f84df7b2768011a65f3dc97db9b
Auto-Submitted: auto-generated

The branch stable/14 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=485bd16308108f84df7b2768011a65f3dc97db9b

commit 485bd16308108f84df7b2768011a65f3dc97db9b
Author:     Kristof Provost
AuthorDate: 2024-08-12 16:18:36 +0000
Commit:     Kristof Provost
CommitDate: 2024-08-27 08:09:10 +0000

    pf: cope with SCTP port re-use

    Some SCTP implementations will abort connections and then later re-use
    the same port numbers (i.e. both src and dst) for a new connection,
    before pf has fully purged the old connection.

    Apply the same hack we already have for similarly misbehaving TCP
    implementations and forcibly remove the old state so we can create a
    new one.

    MFC after:	2 weeks
    Sponsored by:	Rubicon Communications, LLC ("Netgate")

    (cherry picked from commit 82e021443a76b1f210cfb929a495185179606868)
---
 sys/netpfil/pf/pf.c          |  9 +++++++
 tests/sys/netpfil/pf/sctp.sh | 59 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 381d0f8b193e..fe3ae843f68a 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6106,6 +6106,15 @@ pf_test_state_sctp(struct pf_kstate **state, struct pfi_kkif *kif, psrc = PF_PEER_DST; } + if ((src->state >= SCTP_SHUTDOWN_SENT || src->state == SCTP_CLOSED) && + (dst->state >= SCTP_SHUTDOWN_SENT || dst->state == SCTP_CLOSED) && + pd->sctp_flags & PFDESC_SCTP_INIT) { + pf_set_protostate(*state, PF_PEER_BOTH, SCTP_CLOSED); + pf_unlink_state(*state); + *state = NULL; + return (PF_DROP); + } + /* Track state. */ if (pd->sctp_flags & PFDESC_SCTP_INIT) { if (src->state < SCTP_COOKIE_WAIT) { diff --git a/tests/sys/netpfil/pf/sctp.sh b/tests/sys/netpfil/pf/sctp.sh index d07d1122048b..95a780747d82 100644 --- a/tests/sys/netpfil/pf/sctp.sh +++ b/tests/sys/netpfil/pf/sctp.sh @@ -181,6 +181,64 @@ basic_v6_cleanup() pft_cleanup } +atf_test_case "reuse" "cleanup" +reuse_head() +{ + atf_set descr 'Test handling dumb clients that reuse source ports' + atf_set require.user root +} + +reuse_body() +{ + sctp_init + + j="sctp:reuse" + epair=$(vnet_mkepair) + + vnet_mkjail ${j}a ${epair}a + vnet_mkjail ${j}b ${epair}b + + jexec ${j}a ifconfig ${epair}a 192.0.2.1/24 up + jexec ${j}b ifconfig ${epair}b 192.0.2.2/24 up + # Sanity check + atf_check -s exit:0 -o ignore \ + jexec ${j}a ping -c 1 192.0.2.2 + + jexec ${j}a pfctl -e + pft_set_rules ${j}a \ + "block" \ + "pass in proto sctp to port 1234" + + echo "foo" | jexec ${j}a nc --sctp -N -l 1234 & + + # Wait for the server to start + sleep 1 + + out=$(jexec ${j}b nc --sctp -N -w 3 -p 1234 192.0.2.1 1234) + if [ "$out" != "foo" ]; then + atf_fail "SCTP connection failed" + fi + + # Now do the same thing again, with the same port numbers + jexec ${j}a pfctl -ss -v + + echo "foo" | jexec ${j}a nc --sctp -N -l 1234 & + + # Wait for the server to start + sleep 1 + + out=$(jexec ${j}b nc --sctp -N -w 3 -p 1234 192.0.2.1 1234) + if [ "$out" != "foo" ]; then + atf_fail "SCTP connection failed" + fi + jexec ${j}a pfctl -ss -v +} + +reuse_cleanup() +{ + pft_cleanup +} + atf_test_case "abort_v4" "cleanup" abort_v4_head() { 
@@ -691,6 +749,7 @@ atf_init_test_cases() { atf_add_test_case "basic_v4" atf_add_test_case "basic_v6" + atf_add_test_case "reuse" atf_add_test_case "abort_v4" atf_add_test_case "abort_v6" atf_add_test_case "nat_v4"
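Review bot: The new early-return block in pf_test_state_sctp() (the pf.c hunk) carries no comment explaining why a state whose two peers are both at or past SCTP_SHUTDOWN_SENT (or SCTP_CLOSED) gets unlinked when an INIT arrives, nor why that INIT is then dropped with `return (PF_DROP)` instead of being re-evaluated against the ruleset; the rationale lives only in the commit message. Suggest a short comment above the `if`, along the lines of "both sides are closing or closed and the peer re-uses the 4-tuple: remove the stale state so the retransmitted INIT creates a fresh one, as already done for TCP", and spell out that the new association therefore only comes up once the client retransmits INIT, since the first one is discarded here.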
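Review bot: In reuse_body() (the sctp.sh hunk) both `jexec ${j}a pfctl -ss -v` calls print state but nothing asserts on their output, so the test only proves the second connection succeeded, not that pf replaced the stale state, which is what the pf.c change adds. Consider checking the state list with `atf_check -o match:...` after the second exchange (or dropping the unasserted calls). Also, because the kernel change drops the first INIT of the reused 4-tuple, the second `nc --sctp -N -w 3 -p 1234 192.0.2.1 1234` only succeeds after the client retransmits INIT, so the 3 second timeout has to stay above the client's initial RTO; a comment next to `# Now do the same thing again, with the same port numbers` would make that dependency explicit.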