From owner-svn-src-stable@freebsd.org Tue Oct 20 08:11:35 2020
Return-Path:
Delivered-To: svn-src-stable@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 520B5428D31; Tue, 20 Oct 2020 08:11:35 +0000 (UTC) (envelope-from hselasky@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CFmYM1W0Hz3gfJ; Tue, 20 Oct 2020 08:11:35 +0000 (UTC) (envelope-from hselasky@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 181671216B; Tue, 20 Oct 2020 08:11:35 +0000 (UTC) (envelope-from hselasky@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 09K8BYjt006329; Tue, 20 Oct 2020 08:11:34 GMT (envelope-from hselasky@FreeBSD.org)
Received: (from hselasky@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 09K8BY8J006328; Tue, 20 Oct 2020 08:11:34 GMT (envelope-from hselasky@FreeBSD.org)
Message-Id: <202010200811.09K8BY8J006328@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: hselasky set sender to hselasky@FreeBSD.org using -f
From: Hans Petter Selasky Date: Tue, 20 Oct 2020 08:11:34 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r366873 - stable/12/share/man/man4 X-SVN-Group: stable-12 X-SVN-Commit-Author: hselasky X-SVN-Commit-Paths: stable/12/share/man/man4 X-SVN-Commit-Revision: 366873 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Oct 2020 08:11:35 -0000 Author: hselasky Date: Tue Oct 20 08:11:34 2020 New Revision: 366873 URL: https://svnweb.freebsd.org/changeset/base/366873 Log: MFC r365958: Add example to ng_bpf(4) showing how ng_bpf(4) can be used to prevent spoofing. Differential Revision: https://reviews.freebsd.org/D26488 Reviewed by: pi, bcr (manpages) Submitted by: lutz_donnerhacke.de (Lutz Donnerhacke) Sponsored by: Mellanox Technologies // NVIDIA Networking Modified: stable/12/share/man/man4/ng_bpf.4 Directory Properties: stable/12/ (props changed) Modified: stable/12/share/man/man4/ng_bpf.4 ============================================================================== --- stable/12/share/man/man4/ng_bpf.4 Tue Oct 20 08:08:08 2020 (r366872) +++ stable/12/share/man/man4/ng_bpf.4 Tue Oct 20 08:11:34 2020 (r366873) @@ -35,7 +35,7 @@ .\" $FreeBSD$ .\" $Whistle: ng_bpf.8,v 1.2 1999/12/03 01:57:12 archie Exp $ .\" -.Dd November 13, 2012 +.Dd September 20, 2020 .Dt NG_BPF 4 .Os .Sh NAME 
@@ -113,21 +113,18 @@ program or else .Er EINVAL is returned. .It Dv NGM_BPF_GET_PROGRAM Pq Ic getprogram -This command takes an -.Tn ASCII +This command takes an ASCII string argument, the hook name, and returns the corresponding .Dv "struct ng_bpf_hookprog" as shown above. .It Dv NGM_BPF_GET_STATS Pq Ic getstats -This command takes an -.Tn ASCII +This command takes an ASCII string argument, the hook name, and returns the statistics associated with the hook as a .Dv "struct ng_bpf_hookstat" . .It Dv NGM_BPF_CLR_STATS Pq Ic clrstats -This command takes an -.Tn ASCII +This command takes an ASCII string argument, the hook name, and clears the statistics associated with the hook. .It Dv NGM_BPF_GETCLR_STATS Pq Ic getclrstats @@ -142,9 +139,8 @@ control message, or when all hooks have been disconnec .Sh EXAMPLES It is possible to configure a node from the command line, using .Xr tcpdump 1 -to generate raw BPF instructions which are then fed into an -.Xr awk 1 -script to create the ASCII form of a +to generate raw BPF instructions which are then transformed +into the ASCII form of a .Dv NGM_BPF_SET_PROGRAM control message, as demonstrated here: .Bd -literal -offset 4n 
@@ -169,6 +165,51 @@ ngctl msg ${NODEPATH} setprogram { thisHook=\\"${INHOO ifMatch=\\"${MATCHHOOK}\\" \\ ifNotMatch=\\"${NOTMATCHHOOK}\\" \\ ${BPFPROG} } +.Ed +.Pp +Based on the previous example, it is possible to prevent a jail (or a VM) +from spoofing by allowing only traffic that has the expected ethernet and +IP addresses: +.Bd -literal -offset 4n +#!/bin/sh + +NODEPATH="my_node:" +JAIL_MAC="0a:00:de:ad:be:ef" +JAIL_IP="128.66.1.42" +JAIL_HOOK="jail" +HOST_HOOK="host" +DEBUG_HOOK="nomatch" + +bpf_prog() { + local PATTERN=$1 + + tcpdump -s 8192 -p -ddd ${PATTERN} | ( + read len + echo -n "bpf_prog_len=$len " + echo -n "bpf_prog=[" + while read code jt jf k ; do + echo -n " { code=$code jt=$jt jf=$jf k=$k }" + done + echo " ]" + ) +} + +# Prevent jail from spoofing (filter packets coming from jail) +ngctl msg ${NODEPATH} setprogram { \\ + thisHook=\\"${JAIL_HOOK}\\" \\ + ifMatch=\\"${HOST_HOOK}\\" \\ + ifNotMatch=\\"${DEBUG_HOOK}\\" \\ + $(bpf_prog "ether src ${JAIL_MAC} && src ${JAIL_IP}") \\ +} + +# Prevent jail from receiving spoofed packets (filter packets +# coming from host) +ngctl msg ${NODEPATH} setprogram { \\ + thisHook=\\"${HOST_HOOK}\\" \\ + ifMatch=\\"${JAIL_HOOK}\\" \\ + ifNotMatch=\\"${DEBUG_HOOK}\\" \\ + $(bpf_prog "ether dst ${JAIL_MAC} && dst ${JAIL_IP}") \\ +} .Ed .Sh SEE ALSO .Xr bpf 4 ,
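Review bot: in the added anti-spoofing example (hunk @@ -169,6 +165,51 @@), both filters are written against a single IPv4 address (`src ${JAIL_IP}` / `dst ${JAIL_IP}`), so only IPv4 frames (and ARP carrying that address) can match; anything else the jail emits or should receive, IPv6 and its neighbor discovery in particular, goes to `DEBUG_HOOK` instead of the peer. The introducing paragraph ("allowing only traffic that has the expected ethernet and IP addresses") should state that the example is IPv4-only and say what happens to frames sent to the `ifNotMatch` hook when nothing is connected there, since the names `nomatch` / `DEBUG_HOOK` read as a debug tap rather than as the drop path. A second documentation point: `tcpdump -s 8192 -p -ddd` compiles the filter for the link type of whatever interface tcpdump opens, and the resulting instruction offsets only line up with the Ethernet frames the ng_bpf node sees if that interface is Ethernet; either pin the link type in `bpf_prog()` (for example `tcpdump -y EN10MB -s 8192 -p -ddd ${PATTERN}`) or note in the text that the program must be generated on an Ethernet interface.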