Date: Thu, 2 Mar 2023 16:25:48 GMT
Message-Id: <202303021625.322GPmYX053169@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: 3dec62eded04 - stable/13 - pfsync: support deferring IPv6 packets
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

The branch stable/13 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=3dec62eded04eaf431bf0948f4e6412deede87d5

commit 3dec62eded04eaf431bf0948f4e6412deede87d5
Author:     Kristof Provost
AuthorDate: 2023-02-14 06:11:38 +0000
Commit:     Kristof Provost
CommitDate: 2023-03-02 16:21:59 +0000

    pfsync: support deferring IPv6 packets

    When we send out a deferred packet we must make sure to call
    ip6_output() for IPv6 packets. If not we might end up attempting to
    ip_fragment() an IPv6 packet, which could lead to us reading outside of
    the mbuf.

    PR:             268246
    Reviewed by:    melifaro, zlei
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D38586

    (cherry picked from commit 9a1cab6d79b7286e5f650f57ed95625e6ddb8e4b)
---
 sys/netpfil/pf/if_pfsync.c | 71 ++++++++++++++++++++++++++++++++++++----------
 1 file changed, 56 insertions(+), 15 deletions(-)

diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c index f6c7bd9b566d..6c25ddb7f6b3 100644 --- a/sys/netpfil/pf/if_pfsync.c +++ b/sys/netpfil/pf/if_pfsync.c
@@ -102,12 +102,16 @@ __FBSDID("$FreeBSD$"); #include #include +#include +#include + #define PFSYNC_MINPKT ( \ sizeof(struct ip) + \ sizeof(struct pfsync_header) + \ sizeof(struct pfsync_subheader) ) struct pfsync_bucket; +struct pfsync_softc; struct pfsync_pkt { struct ip *ip; @@ -170,6 +174,7 @@ static void pfsync_q_ins(struct pf_kstate *, int, bool); static void pfsync_q_del(struct pf_kstate *, bool, struct pfsync_bucket *); static void pfsync_update_state(struct pf_kstate *); +static void pfsync_tx(struct pfsync_softc *, struct mbuf *); struct pfsync_upd_req_item { TAILQ_ENTRY(pfsync_upd_req_item) ur_entry; @@ -186,8 +191,6 @@ struct pfsync_deferral { struct mbuf *pd_m; }; -struct pfsync_sofct; - struct pfsync_bucket { int b_id; @@ -1839,7 +1842,7 @@ pfsync_defer_tmo(void *arg) free(pd, M_PFSYNC); PFSYNC_BUCKET_UNLOCK(b); - ip_output(m, NULL, NULL, 0, NULL, NULL); + pfsync_tx(sc, m); pf_release_state(st); 
@@ -2322,6 +2325,55 @@ pfsync_push_all(struct pfsync_softc *sc) } } +static void +pfsync_tx(struct pfsync_softc *sc, struct mbuf *m) +{ + struct ip *ip; + int error, af; + + ip = mtod(m, struct ip *); + MPASS(ip->ip_v == IPVERSION || ip->ip_v == (IPV6_VERSION >> 4)); + + af = ip->ip_v == IPVERSION ? AF_INET : AF_INET6; + + /* + * We distinguish between a deferral packet and our + * own pfsync packet based on M_SKIP_FIREWALL + * flag. This is XXX. + */ + switch (af) { +#ifdef INET + case AF_INET: + if (m->m_flags & M_SKIP_FIREWALL) { + error = ip_output(m, NULL, NULL, 0, + NULL, NULL); + } else { + error = ip_output(m, NULL, NULL, + IP_RAWOUTPUT, &sc->sc_imo, NULL); + } + break; +#endif +#ifdef INET6 + case AF_INET6: + if (m->m_flags & M_SKIP_FIREWALL) { + error = ip6_output(m, NULL, NULL, 0, + NULL, NULL, NULL); + } else { + MPASS(false); + /* We don't support pfsync over IPv6. */ + /*error = ip6_output(m, NULL, NULL, + IP_RAWOUTPUT, &sc->sc_imo6, NULL);*/ + } + break; +#endif + } + + if (error == 0) + V_pfsyncstats.pfsyncs_opackets++; + else + V_pfsyncstats.pfsyncs_oerrors++; +} + static void pfsyncintr(void *arg) { @@ -2349,18 +2401,7 @@ pfsyncintr(void *arg) n = m->m_nextpkt; m->m_nextpkt = NULL; - /* - * We distinguish between a deferral packet and our - * own pfsync packet based on M_SKIP_FIREWALL - * flag. This is XXX. - */ - if (m->m_flags & M_SKIP_FIREWALL) - ip_output(m, NULL, NULL, 0, NULL, NULL); - else if (ip_output(m, NULL, NULL, IP_RAWOUTPUT, &sc->sc_imo, - NULL) == 0) - V_pfsyncstats.pfsyncs_opackets++; - else - V_pfsyncstats.pfsyncs_oerrors++; + pfsync_tx(sc, m); } } CURVNET_RESTORE();
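Review bot: In the pfsync_defer_tmo() hunk, replacing `ip_output(m, NULL, NULL, 0, NULL, NULL);` with `pfsync_tx(sc, m);` changes the accounting as well as the output routine, and the same applies to the M_SKIP_FIREWALL case removed from pfsyncintr(). The old calls discarded the return value for deferred packets, whereas pfsync_tx() increments V_pfsyncstats.pfsyncs_opackets or pfsyncs_oerrors for every mbuf it is handed, so released deferred packets are now counted as pfsync output. If that is intended, the commit message should say so; otherwise update the counters only in the branches that lack M_SKIP_FIREWALL.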
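Review bot: In the new pfsync_tx(), `error` is declared as `int error, af;` with no initial value, and the AF_INET6 branch without M_SKIP_FIREWALL only executes `MPASS(false);`. On a kernel where that assertion is compiled out, the final `if (error == 0)` reads an indeterminate value, and the mbuf is neither passed to an output routine nor freed. The same holds when `af` matches no case because the relevant `#ifdef INET` or `#ifdef INET6` block is not built. Suggest initializing `error` to a failure value and calling m_freem(m) on every path that does not hand the mbuf to ip_output() or ip6_output(). Separately, `af = ip->ip_v == IPVERSION ? AF_INET : AF_INET6;` treats any version other than IPVERSION as IPv6 once the MPASS is inactive; an explicit check that drops other values would fit the commit message's concern about reading outside of the mbuf.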