From nobody Thu Mar 2 16:25:46 2023
Date: Thu, 2 Mar 2023 16:25:46 GMT
Message-Id: <202303021625.322GPk8W053071@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: dacffdd4dc51 - stable/12 - pfsync: support deferring IPv6 packets
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
Sender: owner-dev-commits-src-branches@freebsd.org
X-BeenThere: dev-commits-src-branches@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/12
X-Git-Reftype: branch
X-Git-Commit: dacffdd4dc511ae73e8fd3eb19f9efe4ecb26ba1
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch stable/12 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=dacffdd4dc511ae73e8fd3eb19f9efe4ecb26ba1

commit dacffdd4dc511ae73e8fd3eb19f9efe4ecb26ba1
Author:     Kristof Provost
AuthorDate: 2023-02-14 06:11:38 +0000
Commit:     Kristof Provost
CommitDate: 2023-03-02 11:15:28 +0000

    pfsync: support deferring IPv6 packets

    When we send out a deferred packet we must make sure to call
    ip6_output() for IPv6 packets. If not we might end up attempting to
    ip_fragment() an IPv6 packet, which could lead to us reading outside of
    the mbuf.

    PR:             268246
    Reviewed by:    melifaro, zlei
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D38586

    (cherry picked from commit 9a1cab6d79b7286e5f650f57ed95625e6ddb8e4b)

--- sys/netpfil/pf/if_pfsync.c | 71 ++++++++++++++++++++++++++++++++++++---------- 1 file changed, 56 insertions(+), 15 deletions(-) diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c index 98319f2b583f..e3e3fa3ad6a2 100644 --- a/sys/netpfil/pf/if_pfsync.c +++ b/sys/netpfil/pf/if_pfsync.c
@@ -102,12 +102,16 @@ __FBSDID("$FreeBSD$"); #include #include +#include +#include + #define PFSYNC_MINPKT ( \ sizeof(struct ip) + \ sizeof(struct pfsync_header) + \ sizeof(struct pfsync_subheader) ) struct pfsync_bucket; +struct pfsync_softc; struct pfsync_pkt { struct ip *ip; @@ -170,6 +174,7 @@ static void pfsync_q_ins(struct pf_kstate *, int, bool); static void pfsync_q_del(struct pf_kstate *, bool, struct pfsync_bucket *); static void pfsync_update_state(struct pf_kstate *); +static void pfsync_tx(struct pfsync_softc *, struct mbuf *); struct pfsync_upd_req_item { TAILQ_ENTRY(pfsync_upd_req_item) ur_entry; @@ -186,8 +191,6 @@ struct pfsync_deferral { struct mbuf *pd_m; }; -struct pfsync_sofct; - struct pfsync_bucket { int b_id; @@ -1839,7 +1842,7 @@ pfsync_defer_tmo(void *arg) free(pd, M_PFSYNC); PFSYNC_BUCKET_UNLOCK(b); - ip_output(m, NULL, NULL, 0, NULL, NULL); + pfsync_tx(sc, m); pf_release_state(st); 
@@ -2321,6 +2324,55 @@ pfsync_push_all(struct pfsync_softc *sc) } } +static void +pfsync_tx(struct pfsync_softc *sc, struct mbuf *m) +{ + struct ip *ip; + int error, af; + + ip = mtod(m, struct ip *); + MPASS(ip->ip_v == IPVERSION || ip->ip_v == (IPV6_VERSION >> 4)); + + af = ip->ip_v == IPVERSION ? AF_INET : AF_INET6; + + /* + * We distinguish between a deferral packet and our + * own pfsync packet based on M_SKIP_FIREWALL + * flag. This is XXX. + */ + switch (af) { +#ifdef INET + case AF_INET: + if (m->m_flags & M_SKIP_FIREWALL) { + error = ip_output(m, NULL, NULL, 0, + NULL, NULL); + } else { + error = ip_output(m, NULL, NULL, + IP_RAWOUTPUT, &sc->sc_imo, NULL); + } + break; +#endif +#ifdef INET6 + case AF_INET6: + if (m->m_flags & M_SKIP_FIREWALL) { + error = ip6_output(m, NULL, NULL, 0, + NULL, NULL, NULL); + } else { + MPASS(false); + /* We don't support pfsync over IPv6. */ + /*error = ip6_output(m, NULL, NULL, + IP_RAWOUTPUT, &sc->sc_imo6, NULL);*/ + } + break; +#endif + } + + if (error == 0) + V_pfsyncstats.pfsyncs_opackets++; + else + V_pfsyncstats.pfsyncs_oerrors++; +} + static void pfsyncintr(void *arg) { @@ -2347,18 +2399,7 @@ pfsyncintr(void *arg) n = m->m_nextpkt; m->m_nextpkt = NULL; - /* - * We distinguish between a deferral packet and our - * own pfsync packet based on M_SKIP_FIREWALL - * flag. This is XXX. - */ - if (m->m_flags & M_SKIP_FIREWALL) - ip_output(m, NULL, NULL, 0, NULL, NULL); - else if (ip_output(m, NULL, NULL, IP_RAWOUTPUT, &sc->sc_imo, - NULL) == 0) - V_pfsyncstats.pfsyncs_opackets++; - else - V_pfsyncstats.pfsyncs_oerrors++; + pfsync_tx(sc, m); } } CURVNET_RESTORE();
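Review bot: in the new pfsync_tx() (hunk @@ -2321,6 +2324,55 @@), `error` is declared as `int error, af;` without an initial value, yet `if (error == 0)` reads it on paths that never assign it. The AF_INET6 branch without M_SKIP_FIREWALL only executes `MPASS(false)`, which compiles to nothing in a kernel built without INVARIANTS, and when INET or INET6 is not defined the switch has no case for that address family. On those paths the mbuf is also neither handed to an output routine nor freed, so it leaks and the counter update depends on stack garbage. Suggest initialising `error` to an errno value, calling m_freem(m) in the unsupported IPv6 branch, and adding a default case that does the same. The first `MPASS(ip->ip_v == ...)` has the same property: without INVARIANTS any version other than IPVERSION is treated as AF_INET6, so a real runtime check that drops the packet would be safer than an assertion.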
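Review bot: the pfsyncintr() hunk (@@ -2347,18 +2399,7 @@) changes which packets are counted, and the commit message does not say so. The removed code ignored the return value of ip_output() for M_SKIP_FIREWALL (deferred) packets and updated pfsyncs_opackets / pfsyncs_oerrors only for pfsync's own packets; pfsync_tx() now updates both counters for every packet, including the deferred one released from pfsync_defer_tmo(). If that is intended, mention it in the commit message; if not, keep the counter update inside the non-M_SKIP_FIREWALL branches. The relocated comment still ends with "This is XXX.", so the flag-based distinction between deferred and pfsync packets remains an acknowledged shortcut that would benefit from a sentence explaining what is wrong with it.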