From nobody Tue Aug 27 12:18:38 2024
Date: Tue, 27 Aug 2024 12:18:38 GMT
Message-Id: <202408271218.47RCIc54099566@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: 6b3bfb16e53d - stable/13 - pf: cope with SCTP port re-use
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 6b3bfb16e53d6cf7afae27e0bf3f6fd09254cfd6
Auto-Submitted: auto-generated

The branch stable/13 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=6b3bfb16e53d6cf7afae27e0bf3f6fd09254cfd6

commit 6b3bfb16e53d6cf7afae27e0bf3f6fd09254cfd6
Author:     Kristof Provost
AuthorDate: 2024-08-12 16:18:36 +0000
Commit:     Kristof Provost
CommitDate: 2024-08-27 12:17:59 +0000

    pf: cope with SCTP port re-use

    Some SCTP implementations will abort connections and then later re-use
    the same port numbers (i.e. both src and dst) for a new connection,
    before pf has fully purged the old connection.

    Apply the same hack we already have for similarly misbehaving TCP
    implementations and forcibly remove the old state so we can create a
    new one.

    MFC after:      2 weeks
    Sponsored by:   Rubicon Communications, LLC ("Netgate")

    (cherry picked from commit 82e021443a76b1f210cfb929a495185179606868)
---
 sys/netpfil/pf/pf.c          |  9 +++++++
 tests/sys/netpfil/pf/sctp.sh | 59 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index dfef2d132e85..f56037c58572 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5513,6 +5513,15 @@ pf_test_state_sctp(struct pf_kstate **state, struct pfi_kkif *kif, psrc = PF_PEER_DST; } + if ((src->state >= SCTP_SHUTDOWN_SENT || src->state == SCTP_CLOSED) && + (dst->state >= SCTP_SHUTDOWN_SENT || dst->state == SCTP_CLOSED) && + pd->sctp_flags & PFDESC_SCTP_INIT) { + pf_set_protostate(*state, PF_PEER_BOTH, SCTP_CLOSED); + pf_unlink_state(*state, PF_ENTER_LOCKED); + *state = NULL; + return (PF_DROP); + } + /* Track state. */ if (pd->sctp_flags & PFDESC_SCTP_INIT) { if (src->state < SCTP_COOKIE_WAIT) { diff --git a/tests/sys/netpfil/pf/sctp.sh b/tests/sys/netpfil/pf/sctp.sh index d07d1122048b..95a780747d82 100644 --- a/tests/sys/netpfil/pf/sctp.sh +++ b/tests/sys/netpfil/pf/sctp.sh 
@@ -181,6 +181,64 @@ basic_v6_cleanup() pft_cleanup } +atf_test_case "reuse" "cleanup" +reuse_head() +{ + atf_set descr 'Test handling dumb clients that reuse source ports' + atf_set require.user root +} + +reuse_body() +{ + sctp_init + + j="sctp:reuse" + epair=$(vnet_mkepair) + + vnet_mkjail ${j}a ${epair}a + vnet_mkjail ${j}b ${epair}b + + jexec ${j}a ifconfig ${epair}a 192.0.2.1/24 up + jexec ${j}b ifconfig ${epair}b 192.0.2.2/24 up + # Sanity check + atf_check -s exit:0 -o ignore \ + jexec ${j}a ping -c 1 192.0.2.2 + + jexec ${j}a pfctl -e + pft_set_rules ${j}a \ + "block" \ + "pass in proto sctp to port 1234" + + echo "foo" | jexec ${j}a nc --sctp -N -l 1234 & + + # Wait for the server to start + sleep 1 + + out=$(jexec ${j}b nc --sctp -N -w 3 -p 1234 192.0.2.1 1234) + if [ "$out" != "foo" ]; then + atf_fail "SCTP connection failed" + fi + + # Now do the same thing again, with the same port numbers + jexec ${j}a pfctl -ss -v + + echo "foo" | jexec ${j}a nc --sctp -N -l 1234 & + + # Wait for the server to start + sleep 1 + + out=$(jexec ${j}b nc --sctp -N -w 3 -p 1234 192.0.2.1 1234) + if [ "$out" != "foo" ]; then + atf_fail "SCTP connection failed" + fi + jexec ${j}a pfctl -ss -v +} + +reuse_cleanup() +{ + pft_cleanup +} + atf_test_case "abort_v4" "cleanup" abort_v4_head() { @@ -691,6 +749,7 @@ atf_init_test_cases() { atf_add_test_case "basic_v4" atf_add_test_case "basic_v6" + atf_add_test_case "reuse" atf_add_test_case "abort_v4" atf_add_test_case "abort_v6" atf_add_test_case "nat_v4"
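Review bot: in the pf_test_state_sctp hunk, the new block returns PF_DROP after pf_unlink_state(), so the INIT that triggers the teardown is itself discarded and the replacement association only comes up once the client retransmits its INIT; a short comment above the `if` stating that the stale state is deliberately removed and that the INIT is expected to be retried (mirroring the TCP port-reuse handling the commit message refers to) would stop the next reader from treating the drop as a bug. Two smaller points: the condition only fires when both peers are at or past SCTP_SHUTDOWN_SENT or in SCTP_CLOSED, which is the right guard so that an unsolicited INIT cannot tear down a live association, and that intent deserves a word in the same comment; and `pd->sctp_flags & PFDESC_SCTP_INIT` should be parenthesised like the two clauses before it, since relying on `&` binding tighter than `&&` is correct but easy to misread.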
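Review bot: in the reuse_body hunk of sctp.sh the test never asserts the behaviour it was written for: the two `jexec ${j}a pfctl -ss -v` calls only print the state table, so a regression that leaves the stale state in place and makes the second connection fail is reported as a generic "SCTP connection failed", identical to a failure of the first connection. Suggest giving the two atf_fail messages distinct text (e.g. "SCTP connection failed" and "SCTP reconnect with reused ports failed") and checking the pfctl output, for instance `atf_check -s exit:0 -o match:"sctp.*1234" jexec ${j}a pfctl -ss`, so the test documents that exactly one state survives. The fixed `sleep 1` before each client run is the usual source of flakiness in these vnet tests; the existing basic_v4 case in this file is the pattern to follow if a readiness check is available there.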